avoid memory leaks on JWT validation errors
also avoid memory leak on cache decrypt introduced by previous commit

Signed-off-by: Hans Zandbelt <[email protected]>
zandbelt committed Jun 10, 2021
1 parent 78478d5 commit 3b25745
Showing 4 changed files with 23 additions and 4 deletions.
1 change: 1 addition & 0 deletions ChangeLog
@@ -1,6 +1,7 @@
06/10/2021
- use encrypted JWTs for storing encrypted cache contents and avoid using static AAD/IV
closes #26; thanks @niebardzo
- avoid memory leaks on JWT validation errors
- release 1.4.3

06/07/2021
12 changes: 10 additions & 2 deletions src/cache.c
Expand Up @@ -314,6 +314,7 @@ bool oauth2_cache_get(oauth2_log_t *log, oauth2_cache_t *cache, const char *key,
{
bool rc = false;
char *hashed_key = NULL;
char *encrypted_value = NULL;

oauth2_debug(log, "enter: key=%s, type=%s, decrypt=%d", key,
cache && cache->type ? cache->type->name : "<n/a>",
Expand All @@ -330,9 +331,16 @@ bool oauth2_cache_get(oauth2_log_t *log, oauth2_cache_t *cache, const char *key,
if (cache->type->get(log, cache, hashed_key, value) == false)
goto end;

if ((cache->encrypt) && (*value))
if (oauth2_cache_decrypt(log, cache, *value, value) < 0)
if ((cache->encrypt) && (*value)) {
if (oauth2_cache_decrypt(log, cache, *value, &encrypted_value) <
0) {
oauth2_mem_free(*value);
*value = NULL;
goto end;
}
oauth2_mem_free(*value);
*value = encrypted_value;
}

rc = true;

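Review bot: The new local `encrypted_value` receives the output of `oauth2_cache_decrypt`, so it holds the decrypted plaintext and the name says the opposite; `char *decrypted_value = NULL;` would match what ends up in `*value`. A buffer labelled encrypted that actually carries plaintext is easy to mishandle in a later change, for example by passing it to a debug log. The two `oauth2_mem_free(*value)` calls could also become one by storing the decrypt result in a local and releasing the ciphertext buffer once before the check. Whether `oauth2_cache_decrypt` can leave an allocation in its out-parameter when it fails is not visible here; if it can, that buffer still leaks on the error path. The `end:` label and the rest of oauth2_cache_get are outside the hunks shown.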
12 changes: 10 additions & 2 deletions src/jose.c
Expand Up @@ -1297,13 +1297,21 @@ bool oauth2_jose_jwt_verify(oauth2_log_t *log,
oauth2_debug(log, "got plaintext (len=%lu): %s", plaintext_len,
*s_payload);

if (oauth2_json_decode_object(log, *s_payload, json_payload) == false)
if (oauth2_json_decode_object(log, *s_payload, json_payload) == false) {
oauth2_mem_free(*s_payload);
*s_payload = NULL;
goto end;
}

if (jwt_verify_ctx) {
if (_oauth2_jose_jwt_payload_validate(
log, jwt_verify_ctx, *json_payload, NULL) == false)
log, jwt_verify_ctx, *json_payload, NULL) == false) {
json_decref(*json_payload);
*json_payload = NULL;
oauth2_mem_free(*s_payload);
*s_payload = NULL;
goto end;
}
}

rc = true;
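Review bot: The two failure branches leave the out-parameters in different states: the JSON-decode branch clears only `*s_payload`, while the payload-validate branch releases and clears both `*json_payload` and `*s_payload`. If `oauth2_json_decode_object` always leaves `*json_payload` NULL on failure (not visible in this hunk), a short comment saying so would make the contract uniform; otherwise the first branch needs the same release of `*json_payload`. Clearing both outputs matters beyond the leak, because a caller that mishandles `rc` then cannot go on to use claims that failed validation, and a line such as `/* on failure *s_payload and *json_payload are released and set to NULL */` above the checks would record that. The `end:` label and the earlier exit paths of oauth2_jose_jwt_verify are outside the hunk, so any other `goto end` taken after `*s_payload` is allocated may need the same cleanup.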
2 changes: 2 additions & 0 deletions test/check_jose.c
Expand Up @@ -455,6 +455,8 @@ START_TEST(test_jwt_verify)
ck_assert_int_eq(rc, false);
oauth2_cfg_token_verify_free(_log, verify);
verify = NULL;

oauth2_mem_free(jwt);
}
END_TEST

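Review bot: The added `oauth2_mem_free(jwt);` fixes the leak in the test itself, but nothing in the visible lines asserts the failure behaviour this commit changes in the library. After the call that is expected to fail (`ck_assert_int_eq(rc, false);`), an assertion that the returned payload outputs are NULL would pin the new contract, assuming this test receives those out-parameters; the call itself is outside the hunk. Running the suite under a leak checker in CI would catch a regression of the leaks themselves.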
