Fix gcc 8 warnings

Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

6 files changed, 63 insertions, 31 deletions

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 3910b8ebdd..0055df28a3 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -440,7 +440,7 @@ ubsan-Werror.Fedora.x86_64:
   - make -j$(nproc) -C lib CFLAGS="-Werror -O2 -g -Wimplicit-fallthrough=2"
   - make -j$(nproc) -C libdane CFLAGS="-Werror -O2 -g -Wimplicit-fallthrough=2"
   - make -j$(nproc) -C src/gl
-  - make -j$(nproc) -C src CFLAGS="-Werror -O2 -g -fsanitize=undefined -Wno-error=parentheses -Wno-error=unused-macros -Wimplicit-fallthrough=2"
+  - make -j$(nproc) -C src CFLAGS="-Werror -O2 -g -fsanitize=undefined -Wno-error=parentheses -Wno-error=unused-macros -Wimplicit-fallthrough=2 -Wno-duplicated-branches"
   - make -j$(nproc)
   - make check -j$(nproc)
   - CFLAGS="-fsanitize=undefined -fsanitize=bool -fsanitize=alignment -fsanitize=null -fsanitize=bounds-strict -fsanitize=enum -fno-sanitize-recover -g -O2" CXXFLAGS=$CFLAGS LDFLAGS="-static-libubsan" dash ./configure
diff --git a/lib/cert-cred-x509.c b/lib/cert-cred-x509.c
index a3ce796ad8..99a0b366e7 100644
--- a/lib/cert-cred-x509.c
+++ b/lib/cert-cred-x509.c
@@ -252,7 +252,7 @@ parse_pem_cert_mem(gnutls_certificate_credentials_t res,
 		}
 		count++;
 
-		/* now we move ptr after the pem header 
+		/* now we move ptr after the pem header
 		 */
 		ptr++;
 		size--;
@@ -1016,8 +1016,8 @@ gnutls_certificate_get_x509_crt(gnutls_certificate_credentials_t res,
  * entity certificate (e.g., also an intermediate CA cert), the full
  * certificate chain must be provided in @pcert_list.
  *
- * Note that the @key and the elements of @pcert_list will become part of the credentials 
- * structure and must not be deallocated. They will be automatically deallocated 
+ * Note that the @key and the elements of @pcert_list will become part of the credentials
+ * structure and must not be deallocated. They will be automatically deallocated
  * when the @res structure is deinitialized.
  *
  * If that function fails to load the @res structure is at an undefined state, it must
@@ -1126,10 +1126,10 @@ gnutls_certificate_set_key(gnutls_certificate_credentials_t res,
  * @tlist: is a #gnutls_x509_trust_list_t type
  * @flags: must be zero
  *
- * This function sets a trust list in the gnutls_certificate_credentials_t type. 
+ * This function sets a trust list in the gnutls_certificate_credentials_t type.
  *
- * Note that the @tlist will become part of the credentials 
- * structure and must not be deallocated. It will be automatically deallocated 
+ * Note that the @tlist will become part of the credentials
+ * structure and must not be deallocated. It will be automatically deallocated
  * when the @res structure is deinitialized.
  *
  * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
@@ -1309,7 +1309,7 @@ gnutls_certificate_set_x509_trust_mem(gnutls_certificate_credentials_t res,
 {
 int ret;
 
-	ret = gnutls_x509_trust_list_add_trust_mem(res->tlist, ca, NULL, 
+	ret = gnutls_x509_trust_list_add_trust_mem(res->tlist, ca, NULL,
 					type, GNUTLS_TL_USE_IN_TLS, 0);
 	if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND)
 		return 0;
@@ -1344,7 +1344,10 @@ gnutls_certificate_set_x509_trust(gnutls_certificate_credentials_t res,
 				  int ca_list_size)
 {
 	int ret, i, j;
-	gnutls_x509_crt_t new_list[ca_list_size];
+	gnutls_x509_crt_t *new_list = gnutls_malloc(ca_list_size * sizeof(gnutls_x509_crt_t));
+
+	if (!new_list)
+		return GNUTLS_E_MEMORY_ERROR;
 
 	for (i = 0; i < ca_list_size; i++) {
 		ret = gnutls_x509_crt_init(&new_list[i]);
@@ -1368,11 +1371,13 @@ gnutls_certificate_set_x509_trust(gnutls_certificate_credentials_t res,
 		goto cleanup;
 	}
 
+	gnutls_free(new_list);
 	return ret;
 
       cleanup:
 	for (j = 0; j < i; j++)
 		gnutls_x509_crt_deinit(new_list[j]);
+	gnutls_free(new_list);
 
 	return ret;
 }
@@ -1407,7 +1412,7 @@ gnutls_certificate_set_x509_trust_file(gnutls_certificate_credentials_t
 {
 int ret;
 
-	ret = gnutls_x509_trust_list_add_trust_file(cred->tlist, cafile, NULL, 
+	ret = gnutls_x509_trust_list_add_trust_file(cred->tlist, cafile, NULL,
 						type, GNUTLS_TL_USE_IN_TLS, 0);
 	if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND)
 		return 0;
@@ -1421,7 +1426,7 @@ int ret;
  * @ca_dir: is a directory containing the list of trusted CAs (DER or PEM list)
  * @type: is PEM or DER
  *
- * This function adds the trusted CAs present in the directory in order to 
+ * This function adds the trusted CAs present in the directory in order to
  * verify client or server certificates. This function is identical
  * to gnutls_certificate_set_x509_trust_file() but loads all certificates
  * in a directory.
@@ -1438,7 +1443,7 @@ gnutls_certificate_set_x509_trust_dir(gnutls_certificate_credentials_t cred,
 {
 int ret;
 
-	ret = gnutls_x509_trust_list_add_trust_dir(cred->tlist, ca_dir, NULL, 
+	ret = gnutls_x509_trust_list_add_trust_dir(cred->tlist, ca_dir, NULL,
 						type, GNUTLS_TL_USE_IN_TLS, 0);
 	if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND)
 		return 0;
@@ -1465,7 +1470,7 @@ int
 gnutls_certificate_set_x509_system_trust(gnutls_certificate_credentials_t
 					 cred)
 {
-	return gnutls_x509_trust_list_add_system_trust(cred->tlist, 
+	return gnutls_x509_trust_list_add_system_trust(cred->tlist,
 					GNUTLS_TL_USE_IN_TLS, 0);
 }
 
@@ -1490,7 +1495,7 @@ gnutls_certificate_set_x509_crl_mem(gnutls_certificate_credentials_t res,
 {
 int ret;
 
-	ret = gnutls_x509_trust_list_add_trust_mem(res->tlist, NULL, CRL, 
+	ret = gnutls_x509_trust_list_add_trust_mem(res->tlist, NULL, CRL,
 					type, GNUTLS_TL_USE_IN_TLS, 0);
 	if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND)
 		return 0;
@@ -1520,7 +1525,10 @@ gnutls_certificate_set_x509_crl(gnutls_certificate_credentials_t res,
 				int crl_list_size)
 {
 	int ret, i, j;
-	gnutls_x509_crl_t new_crl[crl_list_size];
+	gnutls_x509_crl_t *new_crl = gnutls_malloc(crl_list_size * sizeof(gnutls_x509_crl_t));
+
+	if (!new_crl)
+		return GNUTLS_E_MEMORY_ERROR;
 
 	for (i = 0; i < crl_list_size; i++) {
 		ret = gnutls_x509_crl_init(&new_crl[i]);
@@ -1544,11 +1552,13 @@ gnutls_certificate_set_x509_crl(gnutls_certificate_credentials_t res,
 		goto cleanup;
 	}
 
+	free(new_crl);
 	return ret;
 
       cleanup:
 	for (j = 0; j < i; j++)
 		gnutls_x509_crl_deinit(new_crl[j]);
+	free(new_crl);
 
 	return ret;
 }
@@ -1574,7 +1584,7 @@ gnutls_certificate_set_x509_crl_file(gnutls_certificate_credentials_t res,
 {
 int ret;
 
-	ret = gnutls_x509_trust_list_add_trust_file(res->tlist, NULL, crlfile, 
+	ret = gnutls_x509_trust_list_add_trust_file(res->tlist, NULL, crlfile,
 						type, GNUTLS_TL_USE_IN_TLS, 0);
 	if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND)
 		return 0;
diff --git a/lib/nettle/int/provable-prime.c b/lib/nettle/int/provable-prime.c
index 23e75c1440..585cd031e0 100644
--- a/lib/nettle/int/provable-prime.c
+++ b/lib/nettle/int/provable-prime.c
@@ -4,17 +4,17 @@
  */
 
 /* Copyright (C) 2013 Red Hat
- *  
+ *
  * The nettle library is free software; you can redistribute it and/or modify
  * it under the terms of the GNU Lesser General Public License as published by
  * the Free Software Foundation; either version 2.1 of the License, or (at your
  * option) any later version.
- * 
+ *
  * The nettle library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
  * License for more details.
- * 
+ *
  * You should have received a copy of the GNU Lesser General Public License
  * along with the nettle library; see the file COPYING.LIB.  If not, write to
  * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
@@ -1102,10 +1102,10 @@ static int st_provable_prime_small(mpz_t p,
 	return 0;
 }
 
-/* The Shawe-Taylor algorithm described in FIPS 186-4. 
- * 
+/* The Shawe-Taylor algorithm described in FIPS 186-4.
+ *
  * p: (output) the prime
- * prime_seed_length: (output) the length of prime_seed. Initially 
+ * prime_seed_length: (output) the length of prime_seed. Initially
  *   must hold the maximum size of prime_seed. The size should be a
  *   byte more than seed_length.
  * prime_seed: (output) the prime_seed (may be NULL)
@@ -1113,7 +1113,7 @@ static int st_provable_prime_small(mpz_t p,
  * bits: The requested number of bits for prime
  * seed_length: The length of seed. It is limited by MAX_PVP_SEED_SIZE.
  * seed: The initial seed
- * 
+ *
  * Returns non zero on success.
  */
 int
@@ -1129,7 +1129,7 @@ st_provable_prime(mpz_t p,
 	uint8_t tseed[MAX_PVP_SEED_SIZE+1];
 	int ret;
 	unsigned pseed_length, iterations;
-	uint8_t pseed[seed_length + 2];
+	uint8_t *pseed;
 	unsigned old_counter, i;
 	mpz_t s, tmp, r, dc0, c0, c, t, z;
 	uint8_t *storage = NULL;
@@ -1151,7 +1151,12 @@ st_provable_prime(mpz_t p,
 	mpz_init(c0);
 	mpz_init(dc0);
 
-	pseed_length = sizeof(pseed);
+	pseed_length = seed_length + 2;
+
+	pseed = gnutls_malloc(pseed_length);
+	if (pseed == NULL)
+		goto fail;
+
 	ret = st_provable_prime(c0, &pseed_length, pseed, &gen_counter,
 				1+div_ceil(bits, 2), seed_length, seed,
 				progress_ctx, progress);
@@ -1302,6 +1307,7 @@ st_provable_prime(mpz_t p,
 	mpz_clear(t);
 	mpz_clear(tmp);
 	mpz_clear(c);
+	free(pseed);
 	free(storage);
 	return ret;
 }
diff --git a/libdane/dane.c b/libdane/dane.c
index 42c98933a4..d7191de273 100644
--- a/libdane/dane.c
+++ b/libdane/dane.c
@@ -851,7 +851,7 @@ dane_verify_crt_raw(dane_state_t s,
  *
  * Note that this function is designed to be run in addition to
  * PKIX - certificate chain - verification. To be run independently
- * the %DANE_VFLAG_ONLY_CHECK_EE_USAGE flag should be specified; 
+ * the %DANE_VFLAG_ONLY_CHECK_EE_USAGE flag should be specified;
  * then the function will check whether the key of the peer matches the
  * key advertized in the DANE entry.
  *
@@ -946,7 +946,6 @@ dane_verify_session_crt(dane_state_t s,
 
 	/* this list may be incomplete, try to get the self-signed CA if any */
 	if (cert_list_size > 0) {
-		gnutls_datum_t new_cert_list[cert_list_size+1];
 		gnutls_x509_crt_t crt, ca;
 		gnutls_certificate_credentials_t sc;
 
@@ -987,11 +986,21 @@ dane_verify_session_crt(dane_state_t s,
 		}
 
 		/* make the new list */
+		gnutls_datum_t *new_cert_list;
+
+		new_cert_list = gnutls_malloc((cert_list_size + 1) * sizeof(gnutls_datum_t));
+		if (new_cert_list == NULL) {
+			gnutls_assert();
+			gnutls_x509_crt_deinit(crt);
+			goto failsafe;
+		}
+
 		memcpy(new_cert_list, cert_list, cert_list_size*sizeof(gnutls_datum_t));
 
 		ret = gnutls_x509_crt_export2(ca, GNUTLS_X509_FMT_DER, &new_cert_list[cert_list_size]);
 		if (ret < 0) {
 			gnutls_assert();
+			free(new_cert_list);
 			gnutls_x509_crt_deinit(crt);
 			goto failsafe;
 		}
@@ -1003,6 +1012,7 @@ dane_verify_session_crt(dane_state_t s,
 			gnutls_assert();
 		}
 		gnutls_free(new_cert_list[cert_list_size].data);
+		free(new_cert_list);
 		return ret;
 	}
 
diff --git a/src/cli.c b/src/cli.c
index 17869250e7..0284f3b9b8 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -620,8 +620,14 @@ gnutls_session_t init_tls_session(const char *host)
 	if (HAVE_OPT(ALPN)) {
 		unsigned proto_n = STACKCT_OPT(ALPN);
 		char **protos = (void *) STACKLST_OPT(ALPN);
-		gnutls_datum_t p[proto_n];
 
+		if (proto_n > 1024) {
+			fprintf(stderr, "Number of ALPN protocols too large (%d)\n",
+					proto_n);
+			exit(1);
+		}
+
+		gnutls_datum_t p[1024];
 		for (i = 0; i < proto_n; i++) {
 			p[i].data = (void *) protos[i];
 			p[i].size = strlen(protos[i]);
@@ -1000,7 +1006,7 @@ int do_inline_command_processing(char *buffer_ptr, size_t curr_bytes,
 
       continue_inline_processing:
 	/* parse_for_inline_commands_in_buffer hunts for start of an inline command
-	 * sequence. The function maintains state information in inline_cmds. 
+	 * sequence. The function maintains state information in inline_cmds.
 	 */
 	inline_cmd_start_found =
 	    parse_for_inline_commands_in_buffer(buffer_ptr, bytes,
@@ -1854,7 +1860,7 @@ static void init_global_tls_stuff(void)
 
 }
 
-/* OCSP check for the peer's certificate. Should be called 
+/* OCSP check for the peer's certificate. Should be called
  * only after the certificate list verification is complete.
  * Returns:
  * -1: certificate chain could not be checked fully
diff --git a/src/pkcs11.c b/src/pkcs11.c
index 6a872de397..fd7b219dc7 100644
--- a/src/pkcs11.c
+++ b/src/pkcs11.c
@@ -1216,7 +1216,7 @@ pkcs11_write(FILE * outfile, const char *url, const char *label,
 		if (ret < 0) {
 			fprintf(stderr, "Error writing certificate: %s\n", gnutls_strerror(ret));
 			if (((flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_CA) ||
-			     (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED)) && 
+			     (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED)) &&
 			    (flags & GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO) == 0)
 				fprintf(stderr, "note: some tokens may require security officer login for this operation\n");
 			app_exit(1);