From 7225bab5af2503f2bdb35c063cf8284fab822819 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Aug 10 2018 15:27:11 +0000 Subject: P11: Don't return int failure from a bool function The functions return bool as per their prototype, but returning EINVAL on failure meant that EINVAL (typically 22) was converted to 'true', so a certificate that was not processable was considered valid. Luckily this code only converts certificates into SSH public keys, so there are no security implications. Reviewed-by: Pavel Březina Reviewed-by: Sumit Bose
---
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
index 717c7a4..d6a0b80 100644
--- a/src/p11_child/p11_child_nss.c
+++ b/src/p11_child/p11_child_nss.c
@@ -220,7 +220,7 @@ bool do_verification_b64(struct p11_ctx *p11_ctx, const char *cert_b64)
 ret = b64_to_cert(p11_ctx, cert_b64, &cert);
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE, "Failed to convert certificate.\n");
- return EINVAL;
+ return false;
 }
 res = do_verification(p11_ctx, cert);
diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
index 953cd3c..be58726 100644
--- a/src/p11_child/p11_child_openssl.c
+++ b/src/p11_child/p11_child_openssl.c
@@ -209,7 +209,7 @@ bool do_verification_b64(struct p11_ctx *p11_ctx, const char *cert_b64)
 ret = b64_to_cert(cert_b64, &cert);
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE, "Failed to convert certificate.\n");
- return EINVAL;
+ return false;
 }
 res = do_verification(p11_ctx, cert);
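Review bot: The error code from `b64_to_cert()` is discarded on the failure path of `do_verification_b64()` in `src/p11_child/p11_child_nss.c`: the DEBUG line logs a fixed string and the function now returns only `false`, so a rejected certificate leaves no record of why it failed to decode. Consider logging the code, e.g. `DEBUG(SSSDBG_OP_FAILURE, "Failed to convert certificate [%d].\n", ret);`, and making the same change in the identical hunk in `src/p11_child/p11_child_openssl.c`. Because the function mixes an errno-style `ret` with a bool `res`, a short comment above it such as `/* Returns true only if the certificate was decoded and verified; every failure path must return false. */` would help keep the fail-closed contract from regressing. The function body starts and ends outside both hunks, so the remaining return paths could not be checked here.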