From ccfdafa311337e176bb1b92dd8755af6777f4780 Mon Sep 17 00:00:00 2001
From: joe
Date: Tue, 3 May 2011 12:07:08 +0000
Subject: Merge r1836, r1837, r1838 from trunk:
* src/ne_gnutls.c (ne__ssl_init): Fix for GnuTLS with Nettle.
* src/ne_auth.c (get_cnonce): Likewise.
Submitted by: Arfrever Frehtes Taifersar Arahesis
* src/ne_auth.c (ah_post_send): Clear SSPI context only after successful authentication.
Submitted by: Ivan Zhakov
Fix some errors flagged by a Coverity scan:
* src/ne_auth.c (verify_negotiate_response): Check for NULL pointer.
* src/ne_gnutls.c (check_certificate): Initiatialize 'failures'.
(pkcs12_parse): Check for _crt_init failure.
* src/ne_session.c (ne__ssl_set_verify_err): Pass size-1 to strncat.
git-svn-id: http://svn.webdav.org/repos/projects/neon/branches/0.29.x@1839 61a7d7f5-40b7-0310-9c16-bb0ea8cb1845
---
 src/ne_auth.c | 15 ++++++++++++---
 src/ne_gnutls.c | 11 +++++++++--
 src/ne_session.c | 4 ++--
 3 files changed, 23 insertions(+), 7 deletions(-)
diff --git a/src/ne_auth.c b/src/ne_auth.c
index 32f2698..df640d5 100644
--- a/src/ne_auth.c
+++ b/src/ne_auth.c
@@ -46,7 +46,12 @@
 #ifdef HAVE_OPENSSL
 #include
 #elif defined(HAVE_GNUTLS)
+#include
+#if LIBGNUTLS_VERSION_NUMBER < 0x020b00
 #include
+#else
+#include
+#endif
 #endif
 
 #include
@@ -316,7 +321,11 @@ static char *get_cnonce(void)
 #ifdef HAVE_GNUTLS
 if (1) {
+#if LIBGNUTLS_VERSION_NUMBER < 0x020b00
 gcry_create_nonce(data, sizeof data);
+#else
+gnutls_rnd(GNUTLS_RND_NONCE, data, sizeof data);
+#endif
 ne_md5_process_bytes(data, sizeof data, hash);
 } else
@@ -567,7 +576,7 @@ static int verify_negotiate_response(struct auth_request *req, auth_session *ses
 int ret;
 ne_buffer *errmsg = NULL;
 
-if (strncmp(hdr, "Negotiate", ptr - duphdr) != 0) {
+if (!ptr || strncmp(hdr, "Negotiate", ptr - duphdr) != 0) {
 ne_set_error(sess->sess, _("Negotiate response verification failed: "
 "invalid response header token"));
 ne_free(duphdr);
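Review bot: The GnuTLS version threshold in this include block, `LIBGNUTLS_VERSION_NUMBER < 0x020b00`, does not match the `0x020b01` used for the same gcrypt-versus-nettle selection in the ne_gnutls.c include hunk and in ne__ssl_init, while the get_cnonce hunk repeats 0x020b00; for one GnuTLS release in between, ne_auth.c would use gnutls_rnd while ne_gnutls.c still initialises gcrypt. Presumably both files intend the same cut-over, so the check belongs in one shared header as a single macro that both files test, whichever value turns out to be the right one; the diff alone cannot settle that. The bracketed header names of the `#include` lines are lost in this rendering, so it also cannot be confirmed that `LIBGNUTLS_VERSION_NUMBER` is already defined when the first `#if` tests it.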
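Review bot: The return value of `gnutls_rnd(GNUTLS_RND_NONCE, data, sizeof data)` in get_cnonce is discarded, so if the RNG call fails `data` is fed to `ne_md5_process_bytes` uninitialized and the client nonce loses the entropy this branch exists to supply; the gcrypt call it replaces returns void, which is presumably why no check was carried over. The result should be tested, e.g. `if (gnutls_rnd(GNUTLS_RND_NONCE, data, sizeof data) < 0)` followed by taking the `else` branch that the constant `if (1)` currently disables, if that branch gathers the fallback entropy — its body, and the rest of get_cnonce, lie outside this hunk.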
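Review bot: With the NULL guard added, `strncmp(hdr, "Negotiate", ptr - duphdr)` still compares only as many characters as precede `ptr`, so a shorter token such as `Nego` followed by the delimiter compares equal to a prefix of "Negotiate" and passes. If `ptr` marks the end of the scheme token (how it and `duphdr` relate to `hdr` is computed outside this hunk), the token length should be checked as well: `if (!ptr || (size_t)(ptr - duphdr) != strlen("Negotiate") || strncmp(hdr, "Negotiate", ptr - duphdr) != 0) {`. verify_negotiate_response begins before and continues after this hunk, so whether the error path returns after `ne_free(duphdr)` cannot be seen here.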
@@ -1542,8 +1551,8 @@ static int ah_post_send(ne_request *req, void *cookie, const ne_status *status)
 }
 
 #ifdef HAVE_SSPI
-/* Whatever happens: clear the SSPI context if it exists. */
-if (sess->sspi_context) {
+/* Clear the SSPI context after successfull authentication. */
+if ((status->klass == 2 || status->klass == 3) && sess->sspi_context) {
 ne_sspi_clear_context(sess->sspi_context);
 }
 #endif
diff --git a/src/ne_gnutls.c b/src/ne_gnutls.c
index ef12e2d..eec5655 100644
--- a/src/ne_gnutls.c
+++ b/src/ne_gnutls.c
@@ -38,11 +38,15 @@
 #ifdef NE_HAVE_TS_SSL
 #include
 #include
+#if LIBGNUTLS_VERSION_NUMBER < 0x020b01
 #include
 GCRY_THREAD_OPTION_PTHREAD_IMPL;
+#endif
 #else
+#if LIBGNUTLS_VERSION_NUMBER < 0x020b01
 #include
 #endif
+#endif
 
 #ifdef HAVE_ICONV
 #include
@@ -854,7 +858,7 @@ static int check_chain_expiry(ne_ssl_certificate *chain)
 static int check_certificate(ne_session *sess, gnutls_session sock,
 ne_ssl_certificate *chain)
 {
-int ret, failures;
+int ret, failures = 0;
 ne_uri server;
 unsigned int status;
 
@@ -1083,7 +1087,8 @@ static int pkcs12_parse(gnutls_pkcs12 p12, gnutls_x509_privkey *pkey,
 * really need to match up keyids. */
 if (*x5) break;
 
-gnutls_x509_crt_init(x5);
+ret = gnutls_x509_crt_init(x5);
+if (ret < 0) continue;
 
 ret = gnutls_pkcs12_bag_get_data(bag, j, &data);
 if (ret < 0) continue;
@@ -1371,10 +1376,12 @@ int ne_ssl_cert_digest(const ne_ssl_certificate *cert, char *digest)
 
 int ne__ssl_init(void)
 {
+#if LIBGNUTLS_VERSION_NUMBER < 0x020b01
 #ifdef NE_HAVE_TS_SSL
 gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
 #endif
 gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0);
+#endif
 return gnutls_global_init();
 }
 
diff --git a/src/ne_session.c b/src/ne_session.c
index 1502140..d9a8ed3 100644
--- a/src/ne_session.c
+++ b/src/ne_session.c
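Review bot: Restricting the clear to 2xx/3xx responses means a Negotiate exchange that ends in any other status — a 403 or a 5xx, not only the 401 that continues the handshake — now leaves `sess->sspi_context` populated for the next request on the session, where the replaced code reset it on every outcome. If only a 401 should keep the context alive, the condition should clear on every other status instead, e.g. `if (status->code != 401 && sess->sspi_context) {`; whether other statuses legitimately continue the exchange is not visible here, and ah_post_send's body extends beyond the hunk on both sides. The new comment also misspells its key word: `/* Clear the SSPI context after successful authentication. */`.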
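Review bot: Once `gnutls_x509_crt_init(x5)` has succeeded, the `if (ret < 0) continue;` after `gnutls_pkcs12_bag_get_data` (and, presumably, the failure paths further down the loop) leaves `*x5` holding an initialized but empty certificate, so the next bag trips `if (*x5) break;` and the loop ends as though a certificate had been found. Failure paths that follow a successful init should release it and reset the slot, e.g. `if (ret < 0) { gnutls_x509_crt_deinit(*x5); *x5 = NULL; continue; }`. The new check on init itself is fine provided init leaves `*x5` untouched when it fails, which this hunk cannot show; pkcs12_parse's loop begins before and ends after the hunk.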
@@ -565,8 +565,8 @@ void ne__ssl_set_verify_err(ne_session *sess, int failures)
 for (n = 0; reasons[n].bit; n++) {
 if (failures & reasons[n].bit) {
-if (flag) strncat(sess->error, ", ", sizeof sess->error);
-strncat(sess->error, _(reasons[n].str), sizeof sess->error);
+if (flag) strncat(sess->error, ", ", sizeof sess->error - 1);
+strncat(sess->error, _(reasons[n].str), sizeof sess->error - 1);
 flag = 1;
 }
 }
 
--
cgit v1.2.1
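Review bot: Passing `sizeof sess->error - 1` to strncat still does not bound the write, because strncat's third argument is the maximum number of characters to append, not the remaining room in the destination; once `sess->error` already holds text, appending the next reason string can run past the end of the buffer exactly as before. The limit has to subtract the current length: `if (flag) strncat(sess->error, ", ", sizeof sess->error - strlen(sess->error) - 1);` and `strncat(sess->error, _(reasons[n].str), sizeof sess->error - strlen(sess->error) - 1);`, or the loop can format into the remaining space with snprintf and stop on truncation. As committed, the change quiets the Coverity finding named in the message without closing the overflow; ne__ssl_set_verify_err begins before this hunk.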