-rw-r--r--.gitlab-ci.yml2
-rw-r--r--lib/cert-cred-x509.c40
-rw-r--r--lib/nettle/int/provable-prime.c24
-rw-r--r--libdane/dane.c14
-rw-r--r--src/cli.c12
-rw-r--r--src/pkcs11.c2
6 files changed, 63 insertions, 31 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 3910b8ebdd..0055df28a3 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -440,7 +440,7 @@ ubsan-Werror.Fedora.x86_64:
- make -j$(nproc) -C lib CFLAGS="-Werror -O2 -g -Wimplicit-fallthrough=2"
- make -j$(nproc) -C libdane CFLAGS="-Werror -O2 -g -Wimplicit-fallthrough=2"
- make -j$(nproc) -C src/gl
- - make -j$(nproc) -C src CFLAGS="-Werror -O2 -g -fsanitize=undefined -Wno-error=parentheses -Wno-error=unused-macros -Wimplicit-fallthrough=2"
+ - make -j$(nproc) -C src CFLAGS="-Werror -O2 -g -fsanitize=undefined -Wno-error=parentheses -Wno-error=unused-macros -Wimplicit-fallthrough=2 -Wno-duplicated-branches"
- make -j$(nproc)
- make check -j$(nproc)
- CFLAGS="-fsanitize=undefined -fsanitize=bool -fsanitize=alignment -fsanitize=null -fsanitize=bounds-strict -fsanitize=enum -fno-sanitize-recover -g -O2" CXXFLAGS=$CFLAGS LDFLAGS="-static-libubsan" dash ./configure
diff --git a/lib/cert-cred-x509.c b/lib/cert-cred-x509.c
index a3ce796ad8..99a0b366e7 100644
--- a/lib/cert-cred-x509.c
+++ b/lib/cert-cred-x509.c
@@ -252,7 +252,7 @@ parse_pem_cert_mem(gnutls_certificate_credentials_t res,
}
count++;
- /* now we move ptr after the pem header
+ /* now we move ptr after the pem header
*/
ptr++;
size--;
@@ -1016,8 +1016,8 @@ gnutls_certificate_get_x509_crt(gnutls_certificate_credentials_t res,
* entity certificate (e.g., also an intermediate CA cert), the full
* certificate chain must be provided in @pcert_list.
*
- * Note that the @key and the elements of @pcert_list will become part of the credentials
- * structure and must not be deallocated. They will be automatically deallocated
+ * Note that the @key and the elements of @pcert_list will become part of the credentials
+ * structure and must not be deallocated. They will be automatically deallocated
* when the @res structure is deinitialized.
*
* If that function fails to load the @res structure is at an undefined state, it must
@@ -1126,10 +1126,10 @@ gnutls_certificate_set_key(gnutls_certificate_credentials_t res,
* @tlist: is a #gnutls_x509_trust_list_t type
* @flags: must be zero
*
- * This function sets a trust list in the gnutls_certificate_credentials_t type.
+ * This function sets a trust list in the gnutls_certificate_credentials_t type.
*
- * Note that the @tlist will become part of the credentials
- * structure and must not be deallocated. It will be automatically deallocated
+ * Note that the @tlist will become part of the credentials
+ * structure and must not be deallocated. It will be automatically deallocated
* when the @res structure is deinitialized.
*
* Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
@@ -1309,7 +1309,7 @@ gnutls_certificate_set_x509_trust_mem(gnutls_certificate_credentials_t res,
{
int ret;
- ret = gnutls_x509_trust_list_add_trust_mem(res->tlist, ca, NULL,
+ ret = gnutls_x509_trust_list_add_trust_mem(res->tlist, ca, NULL,
type, GNUTLS_TL_USE_IN_TLS, 0);
if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND)
return 0;
@@ -1344,7 +1344,10 @@ gnutls_certificate_set_x509_trust(gnutls_certificate_credentials_t res,
int ca_list_size)
{
int ret, i, j;
- gnutls_x509_crt_t new_list[ca_list_size];
+ gnutls_x509_crt_t *new_list = gnutls_malloc(ca_list_size * sizeof(gnutls_x509_crt_t));
+
+ if (!new_list)
+ return GNUTLS_E_MEMORY_ERROR;
for (i = 0; i < ca_list_size; i++) {
ret = gnutls_x509_crt_init(&new_list[i]);
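Review bot: `ca_list_size` is a signed `int` and goes into `ca_list_size * sizeof(gnutls_x509_crt_t)` with no range check. A negative count converts to a huge `size_t`, and a zero count reaches `gnutls_malloc(0)`, which may return NULL and would then be reported as `GNUTLS_E_MEMORY_ERROR`. I would validate the count before allocating, for example `if (ca_list_size <= 0) return GNUTLS_E_INVALID_REQUEST;`, or return 0 for an empty list if callers rely on that. The same unchecked pattern appears with `crl_list_size` in the `gnutls_certificate_set_x509_crl` hunk. The function begins before this hunk and continues past it, so an earlier check may exist that is not visible here.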
@@ -1368,11 +1371,13 @@ gnutls_certificate_set_x509_trust(gnutls_certificate_credentials_t res,
goto cleanup;
}
+ gnutls_free(new_list);
return ret;
cleanup:
for (j = 0; j < i; j++)
gnutls_x509_crt_deinit(new_list[j]);
+ gnutls_free(new_list);
return ret;
}
@@ -1407,7 +1412,7 @@ gnutls_certificate_set_x509_trust_file(gnutls_certificate_credentials_t
{
int ret;
- ret = gnutls_x509_trust_list_add_trust_file(cred->tlist, cafile, NULL,
+ ret = gnutls_x509_trust_list_add_trust_file(cred->tlist, cafile, NULL,
type, GNUTLS_TL_USE_IN_TLS, 0);
if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND)
return 0;
@@ -1421,7 +1426,7 @@ int ret;
* @ca_dir: is a directory containing the list of trusted CAs (DER or PEM list)
* @type: is PEM or DER
*
- * This function adds the trusted CAs present in the directory in order to
+ * This function adds the trusted CAs present in the directory in order to
* verify client or server certificates. This function is identical
* to gnutls_certificate_set_x509_trust_file() but loads all certificates
* in a directory.
@@ -1438,7 +1443,7 @@ gnutls_certificate_set_x509_trust_dir(gnutls_certificate_credentials_t cred,
{
int ret;
- ret = gnutls_x509_trust_list_add_trust_dir(cred->tlist, ca_dir, NULL,
+ ret = gnutls_x509_trust_list_add_trust_dir(cred->tlist, ca_dir, NULL,
type, GNUTLS_TL_USE_IN_TLS, 0);
if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND)
return 0;
@@ -1465,7 +1470,7 @@ int
gnutls_certificate_set_x509_system_trust(gnutls_certificate_credentials_t
cred)
{
- return gnutls_x509_trust_list_add_system_trust(cred->tlist,
+ return gnutls_x509_trust_list_add_system_trust(cred->tlist,
GNUTLS_TL_USE_IN_TLS, 0);
}
@@ -1490,7 +1495,7 @@ gnutls_certificate_set_x509_crl_mem(gnutls_certificate_credentials_t res,
{
int ret;
- ret = gnutls_x509_trust_list_add_trust_mem(res->tlist, NULL, CRL,
+ ret = gnutls_x509_trust_list_add_trust_mem(res->tlist, NULL, CRL,
type, GNUTLS_TL_USE_IN_TLS, 0);
if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND)
return 0;
@@ -1520,7 +1525,10 @@ gnutls_certificate_set_x509_crl(gnutls_certificate_credentials_t res,
int crl_list_size)
{
int ret, i, j;
- gnutls_x509_crl_t new_crl[crl_list_size];
+ gnutls_x509_crl_t *new_crl = gnutls_malloc(crl_list_size * sizeof(gnutls_x509_crl_t));
+
+ if (!new_crl)
+ return GNUTLS_E_MEMORY_ERROR;
for (i = 0; i < crl_list_size; i++) {
ret = gnutls_x509_crl_init(&new_crl[i]);
@@ -1544,11 +1552,13 @@ gnutls_certificate_set_x509_crl(gnutls_certificate_credentials_t res,
goto cleanup;
}
+ free(new_crl);
return ret;
cleanup:
for (j = 0; j < i; j++)
gnutls_x509_crl_deinit(new_crl[j]);
+ free(new_crl);
return ret;
}
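Review bot: `new_crl` is allocated with `gnutls_malloc()` but released with plain `free()` on both the success and `cleanup` exits, whereas the trust-list function in this file pairs it with `gnutls_free(new_list)`. If the library's allocator hooks are ever bound to something other than the libc allocator, this hands memory to the wrong deallocator. Both lines should read `gnutls_free(new_crl);`. The same mismatch appears in `free(pseed)` in lib/nettle/int/provable-prime.c and in the two `free(new_cert_list)` calls in libdane/dane.c.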
@@ -1574,7 +1584,7 @@ gnutls_certificate_set_x509_crl_file(gnutls_certificate_credentials_t res,
{
int ret;
- ret = gnutls_x509_trust_list_add_trust_file(res->tlist, NULL, crlfile,
+ ret = gnutls_x509_trust_list_add_trust_file(res->tlist, NULL, crlfile,
type, GNUTLS_TL_USE_IN_TLS, 0);
if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND)
return 0;
diff --git a/lib/nettle/int/provable-prime.c b/lib/nettle/int/provable-prime.c
index 23e75c1440..585cd031e0 100644
--- a/lib/nettle/int/provable-prime.c
+++ b/lib/nettle/int/provable-prime.c
@@ -4,17 +4,17 @@
*/
/* Copyright (C) 2013 Red Hat
- *
+ *
* The nettle library is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 2.1 of the License, or (at your
* option) any later version.
- *
+ *
* The nettle library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
* License for more details.
- *
+ *
* You should have received a copy of the GNU Lesser General Public License
* along with the nettle library; see the file COPYING.LIB. If not, write to
* the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
@@ -1102,10 +1102,10 @@ static int st_provable_prime_small(mpz_t p,
return 0;
}
-/* The Shawe-Taylor algorithm described in FIPS 186-4.
- *
+/* The Shawe-Taylor algorithm described in FIPS 186-4.
+ *
* p: (output) the prime
- * prime_seed_length: (output) the length of prime_seed. Initially
+ * prime_seed_length: (output) the length of prime_seed. Initially
* must hold the maximum size of prime_seed. The size should be a
* byte more than seed_length.
* prime_seed: (output) the prime_seed (may be NULL)
@@ -1113,7 +1113,7 @@ static int st_provable_prime_small(mpz_t p,
* bits: The requested number of bits for prime
* seed_length: The length of seed. It is limited by MAX_PVP_SEED_SIZE.
* seed: The initial seed
- *
+ *
* Returns non zero on success.
*/
int
@@ -1129,7 +1129,7 @@ st_provable_prime(mpz_t p,
uint8_t tseed[MAX_PVP_SEED_SIZE+1];
int ret;
unsigned pseed_length, iterations;
- uint8_t pseed[seed_length + 2];
+ uint8_t *pseed;
unsigned old_counter, i;
mpz_t s, tmp, r, dc0, c0, c, t, z;
uint8_t *storage = NULL;
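Review bot: `pseed` is now a heap pointer that the common exit path frees, but it is declared without an initializer, unlike `storage` on the line below it. If any `goto fail` or jump to the cleanup code can run before the `gnutls_malloc()` assignment (the lines in between are outside this hunk), `free(pseed)` would act on an indeterminate pointer. Declaring it as `uint8_t *pseed = NULL;` makes the cleanup safe regardless of ordering.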
@@ -1151,7 +1151,12 @@ st_provable_prime(mpz_t p,
mpz_init(c0);
mpz_init(dc0);
- pseed_length = sizeof(pseed);
+ pseed_length = seed_length + 2;
+
+ pseed = gnutls_malloc(pseed_length);
+ if (pseed == NULL)
+ goto fail;
+
ret = st_provable_prime(c0, &pseed_length, pseed, &gen_counter,
1+div_ceil(bits, 2), seed_length, seed,
progress_ctx, progress);
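Review bot: The new `goto fail` on allocation failure is taken before any visible line assigns `ret`, which is declared as plain `int ret;`. The header comment says the function returns non-zero on success, so this path is only correct if the `fail` label, which is outside the hunk, sets `ret` to 0 before the cleanup. Please confirm that, or make it explicit with `ret = 0;` ahead of the jump.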
@@ -1302,6 +1307,7 @@ st_provable_prime(mpz_t p,
mpz_clear(t);
mpz_clear(tmp);
mpz_clear(c);
+ free(pseed);
free(storage);
return ret;
}
diff --git a/libdane/dane.c b/libdane/dane.c
index 42c98933a4..d7191de273 100644
--- a/libdane/dane.c
+++ b/libdane/dane.c
@@ -851,7 +851,7 @@ dane_verify_crt_raw(dane_state_t s,
*
* Note that this function is designed to be run in addition to
* PKIX - certificate chain - verification. To be run independently
- * the %DANE_VFLAG_ONLY_CHECK_EE_USAGE flag should be specified;
+ * the %DANE_VFLAG_ONLY_CHECK_EE_USAGE flag should be specified;
* then the function will check whether the key of the peer matches the
* key advertized in the DANE entry.
*
@@ -946,7 +946,6 @@ dane_verify_session_crt(dane_state_t s,
/* this list may be incomplete, try to get the self-signed CA if any */
if (cert_list_size > 0) {
- gnutls_datum_t new_cert_list[cert_list_size+1];
gnutls_x509_crt_t crt, ca;
gnutls_certificate_credentials_t sc;
@@ -987,11 +986,21 @@ dane_verify_session_crt(dane_state_t s,
}
/* make the new list */
+ gnutls_datum_t *new_cert_list;
+
+ new_cert_list = gnutls_malloc((cert_list_size + 1) * sizeof(gnutls_datum_t));
+ if (new_cert_list == NULL) {
+ gnutls_assert();
+ gnutls_x509_crt_deinit(crt);
+ goto failsafe;
+ }
+
memcpy(new_cert_list, cert_list, cert_list_size*sizeof(gnutls_datum_t));
ret = gnutls_x509_crt_export2(ca, GNUTLS_X509_FMT_DER, &new_cert_list[cert_list_size]);
if (ret < 0) {
gnutls_assert();
+ free(new_cert_list);
gnutls_x509_crt_deinit(crt);
goto failsafe;
}
@@ -1003,6 +1012,7 @@ dane_verify_session_crt(dane_state_t s,
gnutls_assert();
}
gnutls_free(new_cert_list[cert_list_size].data);
+ free(new_cert_list);
return ret;
}
diff --git a/src/cli.c b/src/cli.c
index 17869250e7..0284f3b9b8 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -620,8 +620,14 @@ gnutls_session_t init_tls_session(const char *host)
if (HAVE_OPT(ALPN)) {
unsigned proto_n = STACKCT_OPT(ALPN);
char **protos = (void *) STACKLST_OPT(ALPN);
- gnutls_datum_t p[proto_n];
+ if (proto_n > 1024) {
+ fprintf(stderr, "Number of ALPN protocols too large (%d)\n",
+ proto_n);
+ exit(1);
+ }
+
+ gnutls_datum_t p[1024];
for (i = 0; i < proto_n; i++) {
p[i].data = (void *) protos[i];
p[i].size = strlen(protos[i]);
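Review bot: `proto_n` is `unsigned` but is printed with `%d` in the new error message; the format should be `%u`, as in `"Number of ALPN protocols too large (%u)\n"`. The limit 1024 is also written twice, once in the check and once in `gnutls_datum_t p[1024]`, so the two can drift apart and let the loop write past the array. A single named constant used for both would keep the bound and the array size tied together. `init_tls_session` starts before this hunk and continues after it.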
@@ -1000,7 +1006,7 @@ int do_inline_command_processing(char *buffer_ptr, size_t curr_bytes,
continue_inline_processing:
/* parse_for_inline_commands_in_buffer hunts for start of an inline command
- * sequence. The function maintains state information in inline_cmds.
+ * sequence. The function maintains state information in inline_cmds.
*/
inline_cmd_start_found =
parse_for_inline_commands_in_buffer(buffer_ptr, bytes,
@@ -1854,7 +1860,7 @@ static void init_global_tls_stuff(void)
}
-/* OCSP check for the peer's certificate. Should be called
+/* OCSP check for the peer's certificate. Should be called
* only after the certificate list verification is complete.
* Returns:
* -1: certificate chain could not be checked fully
diff --git a/src/pkcs11.c b/src/pkcs11.c
index 6a872de397..fd7b219dc7 100644
--- a/src/pkcs11.c
+++ b/src/pkcs11.c
@@ -1216,7 +1216,7 @@ pkcs11_write(FILE * outfile, const char *url, const char *label,
if (ret < 0) {
fprintf(stderr, "Error writing certificate: %s\n", gnutls_strerror(ret));
if (((flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_CA) ||
- (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED)) &&
+ (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED)) &&
(flags & GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO) == 0)
fprintf(stderr, "note: some tokens may require security officer login for this operation\n");
app_exit(1);