From 69dd0f7551349975683f4363b7d19d38e223a4bf Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Thu, 9 Aug 2018 16:05:47 +0200 Subject: _gnutls_send_change_cipher_spec: removed unnecessary test Signed-off-by: Nikos Mavrogiannopoulos --- lib/handshake.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/handshake.c b/lib/handshake.c index 99967a2ffd..ebea926aa5 100644 --- a/lib/handshake.c +++ b/lib/handshake.c @@ -3070,7 +3070,7 @@ ssize_t _gnutls_send_change_cipher_spec(gnutls_session_t session, int again) /* under TLS 1.3, CCS may be immediately followed by * receiving ClientHello thus cannot be cached */ - if (vers && vers->tls13_sem) { + if (vers->tls13_sem) { ret = _gnutls_handshake_io_write_flush(session); if (ret < 0) return gnutls_assert_val(ret); -- cgit v1.2.1 From 7a28392f96414629d166adb4bd54f8649e080000 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Thu, 9 Aug 2018 16:09:21 +0200 Subject: privkey_sign_raw_data: use assert to mark code which always succeeds Signed-off-by: Nikos Mavrogiannopoulos --- lib/privkey.c | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/privkey.c b/lib/privkey.c index ab2f2771b6..26e3cee893 100644 --- a/lib/privkey.c +++ b/lib/privkey.c @@ -1488,6 +1488,7 @@ privkey_sign_raw_data(gnutls_privkey_t key, if (se->pk == GNUTLS_PK_RSA) { se = _gnutls_sign_to_entry(GNUTLS_SIGN_RSA_RAW); + assert(se != NULL); } /* se may not be set here if we are doing legacy RSA */ -- cgit v1.2.1 From 4a011043e2fd26e5d34763a706b5165fb55e1c13 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Thu, 9 Aug 2018 16:12:36 +0200 Subject: pubkey_verify_hashed_data: apply algorithm checks Signed-off-by: Nikos Mavrogiannopoulos --- lib/pubkey.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/lib/pubkey.c b/lib/pubkey.c index ae6fb5cb2b..ad8986f6f2 100644 --- a/lib/pubkey.c +++ b/lib/pubkey.c 
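Review bot: The test `if (vers->tls13_sem)` now dereferences `vers` unconditionally, and the hunk does not show the check that makes this safe. `_gnutls_send_change_cipher_spec` starts and continues outside the hunk, so `vers` is presumably validated right after it is fetched. If so, a short comment such as `/* vers was checked for NULL above */` would stop a later refactor from reintroducing a NULL dereference on the CCS send path. If some path reaches this line without such a check, the removed guard was the only protection.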
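Review bot: `assert(se != NULL);` in the `GNUTLS_PK_RSA` branch is compiled out when the library is built with `NDEBUG` and aborts the calling process otherwise, so it is not a runtime guarantee in either build. If the lookup of `GNUTLS_SIGN_RSA_RAW` can ever fail, a library-style error return is safer: `if (se == NULL) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);`. The comment just below says `se` may be unset for legacy RSA, yet the branch above already reads `se->pk`. `privkey_sign_raw_data` starts outside the hunk, so it is worth confirming that the legacy path cannot reach that dereference with `se == NULL`.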
@@ -2143,7 +2143,6 @@ pubkey_verify_hashed_data(const gnutls_sign_entry_st *se, return GNUTLS_E_PK_SIG_VERIFY_FAILED; } - return 1; break; case GNUTLS_PK_ECDSA: @@ -2157,7 +2156,6 @@ pubkey_verify_hashed_data(const gnutls_sign_entry_st *se, return GNUTLS_E_PK_SIG_VERIFY_FAILED; } - return 1; break; default: gnutls_assert(); -- cgit v1.2.1 From c1fb3da244730e934cc29d572d84e436d4746378 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Thu, 9 Aug 2018 16:13:50 +0200 Subject: gnutls_session_set_premaster: corrected error checks Signed-off-by: Nikos Mavrogiannopoulos --- lib/session_pack.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/lib/session_pack.c b/lib/session_pack.c index a8659b5a2d..9fbd5b3ae8 100644 --- a/lib/session_pack.c +++ b/lib/session_pack.c @@ -1126,13 +1126,16 @@ gnutls_session_set_premaster(gnutls_session_t session, unsigned int entity, return gnutls_assert_val(ret); session->internals.resumed_security_parameters.cs = ciphersuite_to_entry(cs); - if (cs == NULL) + if (session->internals.resumed_security_parameters.cs == NULL) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); session->internals.resumed_security_parameters.cert_type = DEFAULT_CERT_TYPE; session->internals.resumed_security_parameters.pversion = version_to_entry(version); + if (session->internals.resumed_security_parameters.pversion == + NULL) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); if (session->internals.resumed_security_parameters.pversion->selectable_prf) session->internals.resumed_security_parameters.prf = mac_to_entry(session->internals.resumed_security_parameters.cs->prf); 
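Review bot: With `return 1;` removed from the RSA case here and from the ECDSA case in the hunk at -2157, a successful verification now falls through to the code after the `switch`, which neither hunk shows. That code should be checked on two points: it must still return the value callers previously treated as success, and a valid signature made with an algorithm those checks reject must now produce a negative error. A regression test covering the second point would pin the behaviour the subject line describes. A comment in each case, e.g. `/* leave the switch so the algorithm checks below run */`, would also help, since an early return here silently skips them.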
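Review bot: Each lookup result is written into `session->internals.resumed_security_parameters` before it is validated, so every `GNUTLS_E_INVALID_REQUEST` return in this hunk leaves the session with partially updated resumption parameters, for example a new `cs` next to a NULL `pversion`. The `master->size` check visible in the following hunk runs later still. Resolving `ciphersuite_to_entry(cs)` and `version_to_entry(version)` into locals, checking them together with `master->size`, and only then assigning the fields would make `gnutls_session_set_premaster` all-or-nothing for a caller that keeps using the session after an error. The function starts and ends outside the hunk, so earlier assignments may need the same treatment.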
@@ -1141,10 +1144,6 @@ gnutls_session_set_premaster(gnutls_session_t session, unsigned int entity, if (session->internals.resumed_security_parameters.prf == NULL) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - if (session->internals.resumed_security_parameters.pversion == - NULL) - return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - if (master->size != GNUTLS_MASTER_SIZE) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -- cgit v1.2.1 From c7336c3fee7e0ae6c6d4ef5dbfbdcebc920b9a0b Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 13 Aug 2018 20:19:55 +0200 Subject: write_oid_and_params: moved nullity check of params earlier Signed-off-by: Nikos Mavrogiannopoulos --- lib/x509/mpi.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/lib/x509/mpi.c b/lib/x509/mpi.c index 2c301d321d..20a64690a3 100644 --- a/lib/x509/mpi.c +++ b/lib/x509/mpi.c @@ -284,10 +284,14 @@ static int write_oid_and_params(ASN1_TYPE dst, const char *dst_name, const char int result; char name[128]; + if (params == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + _gnutls_str_cpy(name, sizeof(name), dst_name); _gnutls_str_cat(name, sizeof(name), ".algorithm"); - /* write the OID. */ result = asn1_write_value(dst, name, oid, 1); @@ -305,11 +309,6 @@ static int write_oid_and_params(ASN1_TYPE dst, const char *dst_name, const char else if (params->pk == GNUTLS_PK_RSA_PSS) { gnutls_datum_t tmp = { NULL, 0 }; - if (params == NULL) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - result = _gnutls_x509_write_rsa_pss_params(params, &tmp); if (result < 0) return gnutls_assert_val(result); -- cgit v1.2.1 From 826f41e582f1c1a7f5e3dd30ae03b2fa23a2ef4f Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 13 Aug 2018 20:22:48 +0200 Subject: tools: check output of called functions 
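Review bot: The new NULL guard at the top of `write_oid_and_params` uses a braced `gnutls_assert(); return GNUTLS_E_INVALID_REQUEST;` block, while the rest of the function uses the one-line form (see `return gnutls_assert_val(result);` in the second hunk). `if (params == NULL) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);` is equivalent and matches the surrounding style. The hunk also appears to drop the blank line before `/* write the OID. */`, which looks unintentional.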
Signed-off-by: Nikos Mavrogiannopoulos --- src/benchmark-tls.c | 6 +++++- src/certtool-common.c | 14 ++++++++++---- src/certtool.c | 18 +++++++++++++++--- src/common.c | 5 ++++- src/danetool.c | 8 +++++++- src/pkcs11.c | 21 +++++++++++++++++---- 6 files changed, 58 insertions(+), 14 deletions(-) diff --git a/src/benchmark-tls.c b/src/benchmark-tls.c index 285010ae1f..b0004cf1af 100644 --- a/src/benchmark-tls.c +++ b/src/benchmark-tls.c @@ -301,7 +301,11 @@ static void test_ciphersuite(const char *cipher_prio, int size) gnutls_protocol_get_version(server))); fflush(stdout); - gnutls_rnd(GNUTLS_RND_NONCE, buffer, sizeof(buffer)); + ret = gnutls_rnd(GNUTLS_RND_NONCE, buffer, sizeof(buffer)); + if (ret < 0) { + fprintf(stderr, "Error in %s\n", str); + exit(1); + } start_benchmark(&st); diff --git a/src/certtool-common.c b/src/certtool-common.c index d6f668b61f..e44ed5d5aa 100644 --- a/src/certtool-common.c +++ b/src/certtool-common.c @@ -809,14 +809,20 @@ static void print_head(FILE * out, const char *txt, unsigned int size, { unsigned i; char *p, *ntxt; + int ret; if (cprint != 0) { if (size > 0) - asprintf(&ntxt, "const unsigned char %s[%u] =", - txt, size); + ret = asprintf(&ntxt, "const unsigned char %s[%u] =", + txt, size); else - asprintf(&ntxt, "const unsigned char %s[] =\n", - txt); + ret = asprintf(&ntxt, "const unsigned char %s[] =\n", + txt); + + if (ret == -1) { + fprintf(stderr, "memory error\n"); + app_exit(1); + } p = strstr(ntxt, "char"); p += 5; diff --git a/src/certtool.c b/src/certtool.c index 382765e78a..908cff3722 100644 --- a/src/certtool.c +++ b/src/certtool.c @@ -884,7 +884,11 @@ static gnutls_digest_algorithm_t get_dig(gnutls_x509_crt_t crt, common_info_st * gnutls_pubkey_t pubkey; int result; - gnutls_pubkey_init(&pubkey); + result = gnutls_pubkey_init(&pubkey); + if (result < 0) { + fprintf(stderr, "memory error\n"); + app_exit(1); + } result = gnutls_pubkey_import_x509(pubkey, crt, 0); if (result < 0) { 
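Review bot: The failure branch added after `gnutls_rnd()` in `test_ciphersuite` prints `"Error in %s\n"` with `str`, which is not assigned anywhere in this hunk and is unrelated to the random generator. If `str` is an error-position pointer filled in by priority-string parsing earlier in the function (outside the hunk), it may be unset or stale on this path, and passing it to `%s` would then be undefined behaviour. Reporting the actual failure is safer and more useful: `fprintf(stderr, "gnutls_rnd: %s\n", gnutls_strerror(ret));`.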
@@ -1682,7 +1686,11 @@ void privkey_info(common_info_st * cinfo) size = fread(lbuffer, 1, lbuffer_size - 1, infile); lbuffer[size] = 0; - gnutls_x509_privkey_init(&key); + ret = gnutls_x509_privkey_init(&key); + if (ret < 0) { + fprintf(stderr, "privkey_init: %s", gnutls_strerror(ret)); + app_exit(1); + } pem.data = lbuffer; pem.size = size; @@ -1736,7 +1744,11 @@ static void privkey_to_rsa(common_info_st * cinfo) size = fread(lbuffer, 1, lbuffer_size - 1, infile); lbuffer[size] = 0; - gnutls_x509_privkey_init(&key); + ret = gnutls_x509_privkey_init(&key); + if (ret < 0) { + fprintf(stderr, "privkey_init: %s", gnutls_strerror(ret)); + app_exit(1); + } pem.data = lbuffer; pem.size = size; diff --git a/src/common.c b/src/common.c index ee6c47e01c..a376fdacd8 100644 --- a/src/common.c +++ b/src/common.c @@ -1113,7 +1113,10 @@ token_callback(void *user, const char *label, const unsigned retry) } printf("Please insert token '%s' in slot and press enter\n", label); - fgets(buf, sizeof(buf), stdin); + if (fgets(buf, sizeof(buf), stdin) == NULL) { + fprintf(stderr, "error reading input\n"); + return -1; + } return 0; } diff --git a/src/danetool.c b/src/danetool.c index 3b4fe6046b..b04d92b70e 100644 --- a/src/danetool.c +++ b/src/danetool.c @@ -645,7 +645,13 @@ gnutls_session_t init_tls_session(const char *hostname) } gnutls_session_set_ptr(session, &priv); - gnutls_set_default_priority(session); + ret = gnutls_set_default_priority(session); + if (ret < 0) { + fprintf(stderr, "error[%d]: %s\n", __LINE__, + gnutls_strerror(ret)); + app_exit(1); + } + if (hostname && is_ip(hostname)==0) { gnutls_server_name_set(session, GNUTLS_NAME_DNS, hostname, strlen(hostname)); } diff --git a/src/pkcs11.c b/src/pkcs11.c index 30c188dda1..0dc2c563fe 100644 --- a/src/pkcs11.c +++ b/src/pkcs11.c 
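Review bot: The new message in `privkey_info`, `"privkey_init: %s"`, has no trailing newline, so the diagnostic runs into whatever is printed next on stderr; the `privkey_to_rsa` hunk at -1736 repeats the same string. Both should read `fprintf(stderr, "privkey_init: %s\n", gnutls_strerror(ret));`. For consistency, the `get_dig` hunk earlier in this file could report `gnutls_strerror(result)` as well instead of the fixed text `"memory error\n"`.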
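Review bot: The `gnutls_server_name_set()` call in the context lines right after the new check still discards its return value, although this commit sets out to check the output of called functions. If setting the server name fails, the session continues without SNI and the user sees nothing. The call could be handled the same way: `ret = gnutls_server_name_set(session, GNUTLS_NAME_DNS, hostname, strlen(hostname));` followed by the same `fprintf`/`app_exit(1)` block used for `gnutls_set_default_priority`. `init_tls_session` continues outside the hunk.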
@@ -127,7 +127,10 @@ const char *get_key_algo_type(gnutls_pkcs11_obj_type_t otype, const char *objurl switch (otype) { case GNUTLS_PKCS11_OBJ_X509_CRT: - gnutls_x509_crt_init(&crt); + ret = gnutls_x509_crt_init(&crt); + if (ret < 0) + goto fail; + ret = gnutls_x509_crt_import_url(crt, objurl, flags); if (ret < 0) goto fail; @@ -153,7 +156,10 @@ const char *get_key_algo_type(gnutls_pkcs11_obj_type_t otype, const char *objurl gnutls_x509_crt_deinit(crt); return p; case GNUTLS_PKCS11_OBJ_PUBKEY: - gnutls_pubkey_init(&pubkey); + ret = gnutls_pubkey_init(&pubkey); + if (ret < 0) + goto fail; + ret = gnutls_pubkey_import_url(pubkey, objurl, flags); if (ret < 0) goto fail; @@ -176,7 +182,10 @@ const char *get_key_algo_type(gnutls_pkcs11_obj_type_t otype, const char *objurl gnutls_pubkey_deinit(pubkey); return p; case GNUTLS_PKCS11_OBJ_PRIVKEY: - gnutls_privkey_init(&privkey); + ret = gnutls_privkey_init(&privkey); + if (ret < 0) + goto fail; + ret = gnutls_privkey_import_url(privkey, objurl, flags); if (ret < 0) goto fail; @@ -230,7 +239,11 @@ pkcs11_list(FILE * outfile, const char *url, int type, unsigned int flags, FIX(url, outfile, detailed, info); - gnutls_pkcs11_token_get_flags(url, &flags); + ret = gnutls_pkcs11_token_get_flags(url, &flags); + if (ret < 0) { + flags = 0; + } + if (flags & GNUTLS_PKCS11_TOKEN_TRUSTED) print_exts = 1; -- cgit v1.2.1
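Review bot: The new `goto fail` after `gnutls_x509_crt_init` jumps to a label that is not visible here, and the hunks at -153 (`gnutls_pubkey_init`) and -176 (`gnutls_privkey_init`) add the same exit. It should be confirmed that `fail` does not deinit an object whose init just failed. Conversely, the `*_import_url` failure exits in the context lines should release the object that was initialised, which the success paths do with `gnutls_x509_crt_deinit(crt)` and `gnutls_pubkey_deinit(pubkey)`. None of these exits prints anything, so a short stderr message with `gnutls_strerror(ret)` would make an init failure distinguishable from an unsupported object type.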
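Review bot: When `gnutls_pkcs11_token_get_flags()` fails, the new code silently sets `flags = 0`, and `flags` is also the function's own `unsigned int flags` parameter shown in the hunk header. Treating the token as untrusted on error is the safe default for the `GNUTLS_PKCS11_TOKEN_TRUSTED` test. The side effect is that any later use of the caller's flags in `pkcs11_list` (outside the hunk) sees zero on this path, and on success sees the token flags instead. A separate local, e.g. `unsigned int token_flags = 0;`, passed to the call and tested in the `if`, would keep the two meanings apart. A one-line warning on stderr would make the fallback visible.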