From: Martin Willi
Date: Fri, 6 Feb 2015 12:58:58 +0000 (+0100)
Subject: x509: Fix public key reference leak if authority key identifier does not match
X-Git-Tag: 5.3.0dr1~89
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=b851f0a1051f8c50d5eb4cf45d4f03d96e3f3de4;p=thirdparty%2Fstrongswan.git
x509: Fix public key reference leak if authority key identifier does not match
---
diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c
index d171ec2c4e..1f3f60daab 100644
--- a/src/libstrongswan/plugins/x509/x509_crl.c
+++ b/src/libstrongswan/plugins/x509/x509_crl.c
@@ -462,17 +462,26 @@ METHOD(certificate_t, issued_by, bool,
 return FALSE;
 }
- /* get the public key of the issuer */
+ scheme = signature_scheme_from_oid(this->algorithm);
+ if (scheme == SIGN_UNKNOWN)
+ {
+ return FALSE;
+ }
 key = issuer->get_public_key(issuer);
+ if (!key)
+ {
+ return FALSE;
+ }
 /* compare keyIdentifiers if available, otherwise use DNs */
- if (this->authKeyIdentifier.ptr && key)
+ if (this->authKeyIdentifier.ptr)
 {
 chunk_t fingerprint;
 if (!key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fingerprint) ||
 !chunk_equals(fingerprint, this->authKeyIdentifier))
 {
+ key->destroy(key);
 return FALSE;
 }
 }
@@ -480,17 +489,10 @@ METHOD(certificate_t, issued_by, bool,
 {
 if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
 {
+ key->destroy(key);
 return FALSE;
 }
 }
-
- /* determine signature scheme */
- scheme = signature_scheme_from_oid(this->algorithm);
-
- if (scheme == SIGN_UNKNOWN || key == NULL)
- {
- return FALSE;
- }
 valid = key->verify(key, scheme, this->tbsCertList, this->signature);
 key->destroy(key);
 if (valid && schemep)
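Review bot: The fix releases `key` separately on each failure path — before the new `return FALSE` in this hunk's fingerprint branch and again in the DN branch of the second hunk — which is the same scattered-ownership shape that produced the original leak, so any future early return added between `get_public_key()` and `key->verify()` reintroduces it. Folding the key-identifier check and the DN check into `valid` and falling through to the one existing `key->destroy(key)` leaves a single release point, which is the structural fix for this class of reference leak. `valid` is declared outside the hunk; the sketch below assumes it is a bool, as it already receives the result of `key->verify()`, and that the function ends by returning it after the `schemep` assignment, which is also outside the hunk — if a mismatch is meant to skip the `schemep` write, keep the `if (valid)` guard around that too. The enclosing `issued_by` begins before this hunk and continues past the second one, so the sketch covers only the stretch from the `/* compare keyIdentifiers */` comment to the existing destroy.
```c
	/* compare keyIdentifiers if available, otherwise use DNs */
	if (this->authKeyIdentifier.ptr)
	{
		chunk_t fingerprint;

		valid = key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fingerprint) &&
				chunk_equals(fingerprint, this->authKeyIdentifier);
	}
	else
	{
		valid = this->issuer->equals(this->issuer, issuer->get_subject(issuer));
	}
	if (valid)
	{
		valid = key->verify(key, scheme, this->tbsCertList, this->signature);
	}
	key->destroy(key);
	/* … unchanged: if (valid && schemep) … */
```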