Avoid double-free of bio. Better error code for ca cert parsing failure.
authorKevin Wasserman <kevin.wasserman@painless-security.com>
Tue, 10 Jun 2014 22:11:59 +0000 (18:11 -0400)
committerKevin Wasserman <kevin.wasserman@painless-security.com>
Tue, 10 Jun 2014 22:11:59 +0000 (18:11 -0400)
mech_eap/gsseap_err.et
mech_eap/util_moonshot.c

index 2f0774b..4074cc8 100644 (file)
@@ -86,6 +86,7 @@ error_code GSSEAP_BAD_CRED_OPTION,              "Bad credential option"
 error_code GSSEAP_NO_DEFAULT_IDENTITY,          "Default credentials identity unavailable"
 error_code GSSEAP_NO_DEFAULT_CRED,              "Missing default password or other credentials"
 error_code GSSEAP_CRED_RESOLVED,                "Credential is already fully resolved"
+error_code GSSEAP_BAD_CACERTIFICATE,            "CA Certificate could not be parsed by openssl"
 
 #
 # Local identity service errors
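Review bot: The new message text on the added error_code line mixes capitalisation styles with its neighbours, which are sentence-case ("Credential is already fully resolved"), and spells the library name in lower case; I would write it as `error_code GSSEAP_BAD_CACERTIFICATE,            "CA certificate could not be parsed by OpenSSL"`. Since this string is what callers surface to users through the error table, getting the wording right here avoids a later table edit that would shift nothing but still touch the generated header.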
index 79594da..b73b765 100644 (file)
@@ -34,6 +34,7 @@
 #include <openssl/bio.h>
 #include <openssl/pem.h>
 #include <openssl/x509.h>
+#include <stdio.h>
 
 #ifdef HAVE_MOONSHOT_GET_IDENTITY
 #include <libmoonshot.h>
@@ -240,15 +241,15 @@ libMoonshotResolveInitiatorCred(OM_uint32 *minor,
         }
         cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
         if (cert == NULL) {
-            major = GSS_S_FAILURE;
-            *minor = ENOMEM;
+            major = GSS_S_DEFECTIVE_CREDENTIAL;
+            *minor = GSSEAP_BAD_CACERTIFICATE;
             goto cleanup;
         }
         BIO_free(bio);
         bio = BIO_new(BIO_s_mem());
         if (i2d_X509_bio(bio, cert) < 0) {
-            major = GSS_S_FAILURE;
-            *minor = ENOMEM; /* TODO */
+            major = GSS_S_DEFECTIVE_CREDENTIAL;
+            *minor = GSSEAP_BAD_CACERTIFICATE;
             goto cleanup;
         }
         BIO_get_mem_ptr(bio, &bptr);
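Review bot: The `i2d_X509_bio(bio, cert) < 0` test that receives the new GSSEAP_BAD_CACERTIFICATE assignment never fires, because OpenSSL's i2d_X509_bio() reports failure by returning 0 (1 on success), so a DER-encoding failure falls through to BIO_get_mem_ptr() on an empty BIO; the condition should be `if (i2d_X509_bio(bio, cert) != 1) {`. In the same hunk `bio = BIO_new(BIO_s_mem());` is not checked for NULL before being handed to i2d_X509_bio(), so an allocation failure is also reported through the same misleading "could not be parsed" error rather than as a memory error, e.g. `if (bio == NULL) { major = GSS_S_FAILURE; *minor = ENOMEM; goto cleanup; }`. Note too that this second branch is an encoding step, not a parse, so reusing the parse-failure error code there is slightly inaccurate even once the condition is fixed. The enclosing function libMoonshotResolveInitiatorCred starts before this hunk and its cleanup label is outside it, so I cannot confirm here that cert is released on these error paths.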
@@ -259,6 +260,7 @@ libMoonshotResolveInitiatorCred(OM_uint32 *minor,
             goto cleanup;
         }
         BIO_free(bio);
+        bio = NULL;
         makeStringBufferOrCleanup("blob://ca-cert", &cred->caCertificate);
     }