To: krb5-bugs@MIT.EDU
Subject: cms_signeddata_verify has unsafe error handling
Date: Sat, 10 Sep 2011 09:09:51 -0400 (EDT)
From: hartmans@MIT.EDU (Sam Hartman)

I felt the need to add the following comment to cms_signeddata_verify

/*
 * Warning: Since most openssl functions do not set retval, large chunks of
 * this function assume that retval is always a failure and may go to
 * cleanup without setting retval explicitly. Make sure retval is not set
 * to 0 or errors such as signature verification failure may be converted
 * to success with significant security consequences.
 */

If anyone accidentally inserted a k5alloc or anything else that set retval, it would be really bad.
I'd recommend refactoring that function.
Since I'm not doing that now, I'm opening a bug to track.
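As an added illustration, not from the report or the krb5 sources, here is a minimal C reproduction of the failure mode described above: `fake_pkcs7_verify` and `alloc_with_status` are constructed stand-ins for an OpenSSL-style verifier (returns 1/0, never touches retval) and a k5alloc-style helper (reports status through retval), and `ERR_SIG_VERIFY` is a hypothetical error code. The fragile version shows how one inserted status-setting helper turns a verification failure into a success return; the robust version sets retval on every failure path.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical krb5-style error code: nonzero means failure. */
#define ERR_SIG_VERIFY 1

/* Constructed stand-in for an OpenSSL verifier: 1 = valid, 0 = invalid.
 * Like the real functions, it never sets the caller's retval. */
static int fake_pkcs7_verify(const char *sig) { return strcmp(sig, "GOOD") == 0; }

/* Constructed stand-in for a k5alloc-like helper: reports status via *ret
 * (0 on success), which is exactly what overwrites an assumed-failure retval. */
static void *alloc_with_status(size_t n, int *ret) {
    void *p = calloc(1, n);
    *ret = (p == NULL) ? ENOMEM : 0;
    return p;
}

/* Fragile pattern: retval starts as failure and later error paths rely on it. */
int verify_fragile(const char *sig) {
    int retval = ERR_SIG_VERIFY;   /* "assume failure until proven otherwise" */
    void *scratch = alloc_with_status(64, &retval);  /* silently sets retval = 0 */
    if (scratch == NULL)
        goto cleanup;
    if (!fake_pkcs7_verify(sig))
        goto cleanup;              /* BUG: retval is 0 here, failure becomes success */
    retval = 0;
cleanup:
    free(scratch);
    return retval;
}

/* Hardened pattern: every failure path assigns retval explicitly before the
 * jump, so no earlier helper can mask a later verification failure. */
int verify_robust(const char *sig) {
    int retval;
    void *scratch = alloc_with_status(64, &retval);
    if (scratch == NULL)
        goto cleanup;              /* retval already holds ENOMEM */
    if (!fake_pkcs7_verify(sig)) {
        retval = ERR_SIG_VERIFY;   /* explicit, not assumed */
        goto cleanup;
    }
    retval = 0;
cleanup:
    free(scratch);
    return retval;
}
```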