Avoid enumerating certificates with non-matching key type

If the key type was specified but the ID was NULL or matched a subject, it was possible that a certificate was returned that didn't actually match the requested key type. Closes strongswan/strongswan#141.
2025-10-06 00:00:47 -04:00 · 2019-05-21 09:28:21 +08:00 · 2019-05-21 09:28:21 +08:00 · 3aa7b2dc3a
commit 3aa7b2dc3a
parent 55dd0361b8
2 changed files with 10 additions and 0 deletions
--- a/src/libcharon/plugins/stroke/stroke_ca.c
+++ b/src/libcharon/plugins/stroke/stroke_ca.c
@ -208,6 +208,11 @@ CALLBACK(certs_filter, bool,
 					return TRUE;
 				}
 			}
+			else
+			{
+				public->destroy(public);
+				continue;
+			}
 			public->destroy(public);
 		}
 		else if (data->key != KEY_ANY)
--- a/src/libstrongswan/credentials/sets/mem_cred.c
+++ b/src/libstrongswan/credentials/sets/mem_cred.c
@ -108,6 +108,11 @@ CALLBACK(certs_filter, bool,
 					return TRUE;
 				}
 			}
+			else
+			{
+				public->destroy(public);
+				continue;
+			}
 			public->destroy(public);
 		}
 		else if (data->key != KEY_ANY)