Diffstat (limited to 'third_party/heimdal/lib/hx509')
-rw-r--r--third_party/heimdal/lib/hx509/Makefile.am3
-rw-r--r--third_party/heimdal/lib/hx509/ca.c21
-rw-r--r--third_party/heimdal/lib/hx509/cert.c42
-rw-r--r--third_party/heimdal/lib/hx509/cms.c6
-rw-r--r--third_party/heimdal/lib/hx509/collector.c3
-rw-r--r--third_party/heimdal/lib/hx509/crypto.c4
-rw-r--r--third_party/heimdal/lib/hx509/error.c66
-rw-r--r--third_party/heimdal/lib/hx509/file.c12
-rw-r--r--third_party/heimdal/lib/hx509/hxtool.c28
-rw-r--r--third_party/heimdal/lib/hx509/keyset.c5
-rw-r--r--third_party/heimdal/lib/hx509/ks_file.c29
-rw-r--r--third_party/heimdal/lib/hx509/name.c71
-rw-r--r--third_party/heimdal/lib/hx509/print.c5
-rw-r--r--third_party/heimdal/lib/hx509/req.c22
-rw-r--r--third_party/heimdal/lib/hx509/revoke.c4
-rw-r--r--third_party/heimdal/lib/hx509/sel-gram.y4
-rw-r--r--third_party/heimdal/lib/hx509/softp11.c8
17 files changed, 190 insertions, 143 deletions
diff --git a/third_party/heimdal/lib/hx509/Makefile.am b/third_party/heimdal/lib/hx509/Makefile.am
index e32da3b93c3..214dabf0e83 100644
--- a/third_party/heimdal/lib/hx509/Makefile.am
+++ b/third_party/heimdal/lib/hx509/Makefile.am
@@ -11,7 +11,7 @@ BUILT_SOURCES = \
hx509_err.c \
hx509_err.h
-AM_YFLAGS = -d
+AM_YFLAGS = -o sel-gram.c
dist_libhx509_la_SOURCES = \
ca.c \
@@ -50,6 +50,7 @@ dist_libhx509_la_SOURCES = \
dist_libhx509template_la_SOURCES = $(dist_libhx509_la_SOURCES)
+sel-gram.h: sel-gram.c
sel-lex.c: sel-gram.h
libhx509_la_DEPENDENCIES = version-script.map
diff --git a/third_party/heimdal/lib/hx509/ca.c b/third_party/heimdal/lib/hx509/ca.c
index 807621c21d1..3d62b93fa57 100644
--- a/third_party/heimdal/lib/hx509/ca.c
+++ b/third_party/heimdal/lib/hx509/ca.c
@@ -2353,7 +2353,6 @@ count_sans(hx509_request req, size_t *n)
for (i = 0; ret == 0; i++) {
hx509_san_type san_type;
- frees(&s);
ret = hx509_request_get_san(req, i, &san_type, &s);
if (ret)
break;
@@ -2370,6 +2369,7 @@ count_sans(hx509_request req, size_t *n)
}
frees(&s);
}
+ free(s);
return ret == HX509_NO_ITEM ? 0 : ret;
}
@@ -2565,9 +2565,9 @@ get_cf(hx509_context context,
}
*out = heim_config_get_list(context->hcontext, cf, label, svc, NULL);
- if (*out)
+ if (*out) {
ret = 0;
- if (ret) {
+ } else {
heim_log_msg(context->hcontext, logf, 3, NULL,
"No configuration for %s %s certificate's realm "
"-> %s -> kx509 -> %s%s%s", def, label, realm, label,
@@ -2741,7 +2741,8 @@ set_tbs(hx509_context context,
realm);
/* Populate requested certificate extensions from CSR/CSRPlus if allowed */
- ret = hx509_ca_tbs_set_from_csr(context, tbs, req);
+ if (ret == 0)
+ ret = hx509_ca_tbs_set_from_csr(context, tbs, req);
if (ret == 0)
ret = set_template(context, logf, cf, tbs);
@@ -2939,6 +2940,8 @@ _hx509_ca_issue_certificate(hx509_context context,
hx509_request_authorize_ku(req, ku);
ret = get_cf(context, cf, logf, req, cprinc, &cf);
+ if (ret)
+ return ret;
if ((ca = heim_config_get_string(context->hcontext, cf,
"ca", NULL)) == NULL) {
@@ -3050,9 +3053,8 @@ _hx509_ca_issue_certificate(hx509_context context,
hx509_env_free(&env);
/* All done with the TBS, sign/issue the certificate */
- ret = hx509_ca_sign(context, tbs, signer, &cert);
- if (ret)
- goto out;
+ if (ret == 0)
+ ret = hx509_ca_sign(context, tbs, signer, &cert);
/*
* Gather the certificate and chain into a MEMORY store, being careful not
@@ -3063,8 +3065,9 @@ _hx509_ca_issue_certificate(hx509_context context,
* the full chain in the issuer credential store and copying only the certs
* (but not the private keys) is safer and easier to configure.
*/
- ret = hx509_certs_init(context, "MEMORY:certs",
- HX509_CERTS_NO_PRIVATE_KEYS, NULL, out);
+ if (ret == 0)
+ ret = hx509_certs_init(context, "MEMORY:certs",
+ HX509_CERTS_NO_PRIVATE_KEYS, NULL, out);
if (ret == 0)
ret = hx509_certs_add(context, *out, cert);
if (ret == 0 && send_chain) {
diff --git a/third_party/heimdal/lib/hx509/cert.c b/third_party/heimdal/lib/hx509/cert.c
index 0d99a748fc6..33805b8ed1a 100644
--- a/third_party/heimdal/lib/hx509/cert.c
+++ b/third_party/heimdal/lib/hx509/cert.c
@@ -893,9 +893,12 @@ HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_free_octet_string_list(hx509_octet_string_list *list)
{
size_t i;
- for (i = 0; i < list->len; i++)
- der_free_octet_string(&list->val[i]);
- free(list->val);
+
+ if (list->val) {
+ for (i = 0; i < list->len; i++)
+ der_free_octet_string(&list->val[i]);
+ free(list->val);
+ }
list->val = NULL;
list->len = 0;
}
@@ -2438,10 +2441,9 @@ hx509_verify_path(hx509_context context,
* EE checking below.
*/
type = EE_CERT;
- /* FALLTHROUGH */
}
}
- /* FALLTHROUGH */
+ fallthrough;
case EE_CERT:
/*
* If there where any proxy certificates in the chain
@@ -2808,6 +2810,12 @@ _hx509_set_cert_attribute(hx509_context context,
{
hx509_cert_attribute a;
void *d;
+ int ret;
+
+ /*
+ * TODO: Rewrite this (and hx509_cert_attribute, and _hx509_cert_attrs) to
+ * use the add_AttributeValues() util generated by asn1_compile.
+ */
if (hx509_cert_get_attribute(cert, oid) != NULL)
return 0;
@@ -2824,13 +2832,18 @@ _hx509_set_cert_attribute(hx509_context context,
if (a == NULL)
return ENOMEM;
- der_copy_octet_string(attr, &a->data);
- der_copy_oid(oid, &a->oid);
-
- cert->attrs.val[cert->attrs.len] = a;
- cert->attrs.len++;
+ ret = der_copy_octet_string(attr, &a->data);
+ if (ret == 0)
+ ret = der_copy_oid(oid, &a->oid);
+ if (ret == 0) {
+ cert->attrs.val[cert->attrs.len] = a;
+ cert->attrs.len++;
+ } else {
+ der_free_octet_string(&a->data);
+ free(a);
+ }
- return 0;
+ return ret;
}
/**
@@ -3705,13 +3718,12 @@ _hx509_cert_to_env(hx509_context context, hx509_cert cert, hx509_env *env)
goto out;
ret = hx509_name_to_string(name, &buf);
- if (ret) {
- hx509_name_free(&name);
+ hx509_name_free(&name);
+ if (ret)
goto out;
- }
ret = hx509_env_add(context, &envcert, "subject", buf);
- hx509_name_free(&name);
+ hx509_xfree(buf);
if (ret)
goto out;
diff --git a/third_party/heimdal/lib/hx509/cms.c b/third_party/heimdal/lib/hx509/cms.c
index 453762bd10f..d2728a38c2f 100644
--- a/third_party/heimdal/lib/hx509/cms.c
+++ b/third_party/heimdal/lib/hx509/cms.c
@@ -182,7 +182,7 @@ fill_CMSIdentifier(const hx509_cert cert,
&id->u.subjectKeyIdentifier);
if (ret == 0)
break;
- /* FALLTHROUGH */
+ fallthrough;
case CMS_ID_NAME: {
hx509_name name;
@@ -1565,7 +1565,9 @@ hx509_cms_create_signed(hx509_context context,
sigctx.sd.version = cMSVersion_v3;
- der_copy_oid(eContentType, &sigctx.sd.encapContentInfo.eContentType);
+ ret = der_copy_oid(eContentType, &sigctx.sd.encapContentInfo.eContentType);
+ if (ret)
+ goto out;
/**
* Use HX509_CMS_SIGNATURE_DETACHED to create detached signatures.
diff --git a/third_party/heimdal/lib/hx509/collector.c b/third_party/heimdal/lib/hx509/collector.c
index dd6222687af..7b46809816c 100644
--- a/third_party/heimdal/lib/hx509/collector.c
+++ b/third_party/heimdal/lib/hx509/collector.c
@@ -191,8 +191,9 @@ match_localkeyid(hx509_context context,
q.local_key_id = &value->localKeyId;
ret = hx509_certs_find(context, certs, &q, &cert);
+ if (ret == 0 && cert == NULL)
+ ret = HX509_CERT_NOT_FOUND;
if (ret == 0) {
-
if (value->private_key)
_hx509_cert_assign_key(cert, value->private_key);
hx509_cert_free(cert);
diff --git a/third_party/heimdal/lib/hx509/crypto.c b/third_party/heimdal/lib/hx509/crypto.c
index 77e721064ef..8d368ed9c4d 100644
--- a/third_party/heimdal/lib/hx509/crypto.c
+++ b/third_party/heimdal/lib/hx509/crypto.c
@@ -436,6 +436,8 @@ rsa_private_key2SPKI(hx509_context context,
memset(spki, 0, sizeof(*spki));
len = i2d_RSAPublicKey(private_key->private_key.rsa, NULL);
+ if (len < 0)
+ return -1;
spki->subjectPublicKey.data = malloc(len);
if (spki->subjectPublicKey.data == NULL) {
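Review bot: The added `if (len < 0) return -1;` in rsa_private_key2SPKI hands callers a bare -1 and records nothing on the context, so a failed `i2d_RSAPublicKey()` surfaces as an error code that has no hx509 message behind it. Returning a library code and setting the string would keep the failure diagnosable, for example `ret = HX509_CRYPTO_INTERNAL_ERROR; hx509_set_error_string(context, 0, ret, "i2d_RSAPublicKey failed"); return ret;`. A `len` of 0 still reaches `malloc(len)`, so `if (len <= 0)` may be the safer guard. The function body starts and continues outside the hunk, so how the allocation-failure branch reports its error is not visible here.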
@@ -1625,6 +1627,8 @@ _hx509_private_key_export(hx509_context context,
hx509_key_format_t format,
heim_octet_string *data)
{
+ data->length = 0;
+ data->data = NULL;
if (key->ops->export == NULL) {
hx509_clear_error_string(context);
return HX509_UNIMPLEMENTED_OPERATION;
diff --git a/third_party/heimdal/lib/hx509/error.c b/third_party/heimdal/lib/hx509/error.c
index d3ebd1bf648..aee4f79e747 100644
--- a/third_party/heimdal/lib/hx509/error.c
+++ b/third_party/heimdal/lib/hx509/error.c
@@ -147,48 +147,28 @@ hx509_enomem(hx509_context context)
HX509_LIB_FUNCTION char * HX509_LIB_CALL
hx509_get_error_string(hx509_context context, int error_code)
{
- heim_error_t msg;
- heim_string_t s;
- char *str = NULL;
-
- if (context == NULL) {
- const char *sys_err_msg;
-
- /* This case should only happen on hx509_context_init() failure */
- if ((sys_err_msg = strerror(error_code))) {
- if (asprintf(&str, "hx509_context_init system error: %s (%d)",
- sys_err_msg, error_code) == -1)
- return NULL;
- return str;
- }
- if (asprintf(&str, "hx509_context_init unknown error: %d",
- error_code) == -1)
- return NULL;
- return str;
- }
+ heim_string_t s = NULL;
+ const char *cstr = NULL;
+ char *str;
- msg = context->error;
- if (msg == NULL || heim_error_get_code(msg) != error_code) {
- const char *cstr;
-
- cstr = com_right(context->et_list, error_code);
- if (cstr)
- return strdup(cstr);
- cstr = strerror(error_code);
- if (cstr)
- return strdup(cstr);
- if (asprintf(&str, "<unknown error: %d>", error_code) == -1)
- return NULL;
- return str;
- }
+ if (context) {
+ if (context->error &&
+ heim_error_get_code(context->error) == error_code &&
+ (s = heim_error_copy_string(context->error)))
+ cstr = heim_string_get_utf8(s);
- s = heim_error_copy_string(msg);
- if (s) {
- const char *cstr = heim_string_get_utf8(s);
- if (cstr)
- str = strdup(cstr);
- heim_release(s);
- }
+ if (cstr == NULL)
+ cstr = com_right(context->et_list, error_code);
+
+ if (cstr == NULL && error_code > -1)
+ cstr = strerror(error_code);
+ } /* else this could be an error in hx509_context_init() */
+
+ if (cstr == NULL)
+ cstr = error_message(error_code); /* never returns NULL */
+
+ str = strdup(cstr);
+ heim_release(s);
return str;
}
@@ -218,9 +198,11 @@ hx509_free_error_string(char *str)
* @ingroup hx509_error
*/
-HX509_LIB_FUNCTION void HX509_LIB_CALL
+HX509_LIB_NORETURN_FUNCTION
+ __attribute__ ((__noreturn__, __format__ (__printf__, 4, 5)))
+void HX509_LIB_CALL
hx509_err(hx509_context context, int exit_code,
- int error_code, const char *fmt, ...)
+ int error_code, const char *fmt, ...)
{
va_list ap;
const char *msg;
diff --git a/third_party/heimdal/lib/hx509/file.c b/third_party/heimdal/lib/hx509/file.c
index 1b5ca3eae71..a22f6252cfa 100644
--- a/third_party/heimdal/lib/hx509/file.c
+++ b/third_party/heimdal/lib/hx509/file.c
@@ -230,7 +230,7 @@ hx509_pem_read(hx509_context context,
where = INDATA;
goto indata;
}
- /* FALLTHROUGH */
+ fallthrough;
case INHEADER:
if (buf[0] == '\0') {
where = INDATA;
@@ -342,17 +342,15 @@ _hx509_erase_file(hx509_context context, const char *fn)
if (ret == -1 && errno == ENOENT)
return 0;
if (ret == -1) {
- hx509_set_error_string(context, 0, ret, "hx509_certs_destroy: "
- "stat of \"%s\": %s", fn, strerror(ret));
+ hx509_set_error_string(context, 0, errno, "hx509_certs_destroy: "
+ "stat of \"%s\": %s", fn, strerror(errno));
return errno;
}
fd = open(fn, O_RDWR | O_BINARY | O_CLOEXEC | O_NOFOLLOW);
+ if (fd < 0)
+ return errno == ENOENT ? 0 : errno;
rk_cloexec(fd);
- if (ret == -1 && errno == ENOENT)
- return 0;
- if (ret == -1)
- return errno;
if (unlink(fn) < 0) {
ret = errno;
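Review bot: In the stat-failure branch of _hx509_erase_file, `errno` is read three times across the call to `hx509_set_error_string()`, which formats and may allocate, so the value returned by `return errno;` can differ from the one that was reported. Capture it once before the call, `ret = errno;`, then pass `ret` and `strerror(ret)` and finish with `return ret;`. The new `if (fd < 0)` path also returns the raw `errno` without setting an error string, unlike the stat path just above it; a matching `hx509_set_error_string()` call for the open failure would keep the two consistent. The function continues past the end of the hunk.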
diff --git a/third_party/heimdal/lib/hx509/hxtool.c b/third_party/heimdal/lib/hx509/hxtool.c
index 43c4713d116..1bcfdfa44e9 100644
--- a/third_party/heimdal/lib/hx509/hxtool.c
+++ b/third_party/heimdal/lib/hx509/hxtool.c
@@ -412,17 +412,19 @@ cms_create_sd(struct cms_create_sd_options *opt, int argc, char **argv)
size_t sz;
void *p;
int ret, flags = 0;
- char *infile, *outfile = NULL;
+ const char *outfile = NULL;
+ char *infile, *freeme = NULL;
memset(&contentType, 0, sizeof(contentType));
infile = argv[0];
if (argc < 2) {
- ret = asprintf(&outfile, "%s.%s", infile,
+ ret = asprintf(&freeme, "%s.%s", infile,
opt->pem_flag ? "pem" : "cms-signeddata");
- if (ret == -1 || outfile == NULL)
+ if (ret == -1 || freeme == NULL)
errx(1, "out of memory");
+ outfile = freeme;
} else
outfile = argv[1];
@@ -549,6 +551,7 @@ cms_create_sd(struct cms_create_sd_options *opt, int argc, char **argv)
hx509_certs_free(&signer);
free(o.data);
+ free(freeme);
return 0;
}
@@ -843,6 +846,7 @@ pcert_validate(struct validate_options *opt, int argc, char **argv)
hx509_certs_iter_f(context, certs, validate_f, ctx);
hx509_certs_free(&certs);
argv++;
+ free(sn);
}
hx509_validate_ctx_free(ctx);
@@ -1263,6 +1267,7 @@ revoke_print(struct revoke_print_options *opt, int argc, char **argv)
if (ret)
warnx("hx509_revoke_print: %d", ret);
+ hx509_revoke_free(&revoke_ctx);
return ret;
}
@@ -1363,7 +1368,7 @@ get_key(const char *fn, const char *type, int optbits,
int ret = 0;
if (type) {
- struct hx509_generate_private_context *gen_ctx;
+ struct hx509_generate_private_context *gen_ctx = NULL;
if (strcasecmp(type, "rsa") != 0)
errx(1, "can only handle rsa keys for now");
@@ -1375,6 +1380,7 @@ get_key(const char *fn, const char *type, int optbits,
ret = _hx509_generate_private_key_bits(context, gen_ctx, optbits);
if (ret == 0)
ret = _hx509_generate_private_key(context, gen_ctx, signer);
+ _hx509_generate_private_key_free(&gen_ctx);
if (ret)
hx509_err(context, 1, ret, "failed to generate private key of type %s", type);
@@ -1420,6 +1426,7 @@ generate_key(struct generate_key_options *opt, int argc, char **argv)
const char *type = opt->type_string ? opt->type_string : "rsa";
int bits = opt->key_bits_integer ? opt->key_bits_integer : 2048;
+ memset(&signer, 0, sizeof(signer));
get_key(argv[0], type, bits, &signer);
hx509_private_key_free(&signer);
return 0;
@@ -1436,6 +1443,7 @@ request_create(struct request_create_options *opt, int argc, char **argv)
const char *outfile = argv[0];
memset(&key, 0, sizeof(key));
+ memset(&signer, 0, sizeof(signer));
get_key(opt->key_string,
opt->generate_key_string,
@@ -2416,6 +2424,7 @@ test_crypto(struct test_crypto_options *opt, int argc, char ** argv)
hx509_err(context, 1, ret, "hx509_cert_iter");
hx509_certs_free(&certs);
+ hx509_verify_destroy_ctx(vctx);
return 0;
}
@@ -2507,6 +2516,7 @@ crl_sign(struct crl_sign_options *opt, int argc, char **argv)
ret = hx509_certs_append(context, revoked, lock, sn);
if (ret)
hx509_err(context, 1, ret, "hx509_certs_append: %s", sn);
+ free(sn);
}
hx509_crl_add_revoked_certs(context, crl, revoked);
@@ -2775,9 +2785,12 @@ acert1_kus(struct acert_options *opt,
size_t unwanted = 0;
size_t wanted = opt->has_ku_strings.num_strings;
size_t i, k, sz;
+ int ret;
memset(&ku, 0, sizeof(ku));
- decode_KeyUsage(e->extnValue.data, e->extnValue.length, &ku, &sz);
+ ret = decode_KeyUsage(e->extnValue.data, e->extnValue.length, &ku, &sz);
+ if (ret)
+ return ret;
ku_num = KeyUsage2int(ku);
/* Validate requested key usage values */
@@ -2983,7 +2996,7 @@ acert1(struct acert_options *opt, size_t cert_num, hx509_cert cert, int *matched
ekus_wanted = opt->has_eku_strings.num_strings;
kus_wanted = opt->has_ku_strings.num_strings;
wanted = sans_wanted + ekus_wanted + kus_wanted;
- found = sans_found = ekus_found = kus_found = 0;
+ sans_found = ekus_found = kus_found = 0;
if (e == NULL) {
if (wanted)
@@ -3080,6 +3093,8 @@ acert(struct acert_options *opt, int argc, char **argv)
ret = acert1(opt, n++, cert, &matched);
if (matched)
break;
+ hx509_cert_free(cert);
+ cert = NULL;
}
if (cursor)
(void) hx509_certs_end_seq(context, certs, cursor);
@@ -3093,6 +3108,7 @@ acert(struct acert_options *opt, int argc, char **argv)
if (ret)
hx509_err(context, 1, ret, "Matching certificate did not meet "
"requirements");
+ hx509_cert_free(cert);
free(sn);
return 0;
}
diff --git a/third_party/heimdal/lib/hx509/keyset.c b/third_party/heimdal/lib/hx509/keyset.c
index ef346505022..f25cdf4e419 100644
--- a/third_party/heimdal/lib/hx509/keyset.c
+++ b/third_party/heimdal/lib/hx509/keyset.c
@@ -561,11 +561,14 @@ hx509_certs_find(hx509_context context,
break;
if (_hx509_query_match_cert(context, q, c)) {
*r = c;
+ c = NULL;
break;
}
hx509_cert_free(c);
+ c = NULL;
}
+ hx509_cert_free(c);
hx509_certs_end_seq(context, certs, cursor);
if (ret)
return ret;
@@ -573,7 +576,7 @@ hx509_certs_find(hx509_context context,
* Return HX509_CERT_NOT_FOUND if no certificate in certs matched
* the query.
*/
- if (c == NULL) {
+ if (*r == NULL) {
hx509_clear_error_string(context);
return HX509_CERT_NOT_FOUND;
}
diff --git a/third_party/heimdal/lib/hx509/ks_file.c b/third_party/heimdal/lib/hx509/ks_file.c
index b22093cd452..880668b4561 100644
--- a/third_party/heimdal/lib/hx509/ks_file.c
+++ b/third_party/heimdal/lib/hx509/ks_file.c
@@ -548,7 +548,7 @@ store_func(hx509_context context, void *ctx, hx509_cert c)
{
struct store_ctx *sc = ctx;
heim_octet_string data;
- int ret;
+ int ret = 0;
if (hx509_cert_have_private_key_only(c)) {
data.length = 0;
@@ -564,15 +564,17 @@ store_func(hx509_context context, void *ctx, hx509_cert c)
/* Can't store both. Well, we could, but nothing will support it */
if (data.data) {
fwrite(data.data, data.length, 1, sc->f);
- free(data.data);
} else if (_hx509_cert_private_key_exportable(c) &&
!(sc->store_flags & HX509_CERTS_STORE_NO_PRIVATE_KEYS)) {
hx509_private_key key = _hx509_cert_private_key(c);
+ free(data.data);
+ data.length = 0;
+ data.data = NULL;
ret = _hx509_private_key_export(context, key,
HX509_KEY_FORMAT_DER, &data);
- fwrite(data.data, data.length, 1, sc->f);
- free(data.data);
+ if (ret == 0 && data.length)
+ fwrite(data.data, data.length, 1, sc->f);
}
break;
case USE_PEM:
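Review bot: Both `fwrite()` calls in the DER branch of store_func still discard their return value, so a short or failed write of a certificate or exported private key leaves a truncated store while the function reports success. The PEM branch in the next hunk now propagates the result of `hx509_pem_write()`, and the DER branch should do the same, for example `if (fwrite(data.data, data.length, 1, sc->f) != 1) ret = errno;`. The switch and the function start outside this hunk.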
@@ -583,23 +585,20 @@ store_func(hx509_context context, void *ctx, hx509_cert c)
ret = _hx509_private_key_export(context, key,
HX509_KEY_FORMAT_DER, &priv_key);
- if (ret) {
- free(data.data);
- break;
- }
- hx509_pem_write(context, _hx509_private_pem_name(key), NULL, sc->f,
- priv_key.data, priv_key.length);
+ if (ret == 0)
+ ret = hx509_pem_write(context, _hx509_private_pem_name(key), NULL,
+ sc->f, priv_key.data, priv_key.length);
free(priv_key.data);
}
- if (data.data) {
- hx509_pem_write(context, "CERTIFICATE", NULL, sc->f,
- data.data, data.length);
- free(data.data);
+ if (ret == 0 && data.data) {
+ ret = hx509_pem_write(context, "CERTIFICATE", NULL, sc->f,
+ data.data, data.length);
}
break;
}
- return 0;
+ free(data.data);
+ return ret;
}
static int
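Review bot: The buffers released by `free(priv_key.data);` and by the new common `free(data.data);` can hold a DER-encoded private key returned from `_hx509_private_key_export()`, and they go back to the heap with the key bytes intact. Wiping them first limits how long key material stays in freed memory, for example `memset_s(priv_key.data, priv_key.length, 0, priv_key.length);` before each free, provided the tree's portability layer supplies `memset_s`; a plain `memset` ahead of `free` may be optimized away. For `data` this applies only on the path where it was filled by the key export rather than by the certificate encoder. The start of store_func is outside this hunk.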
diff --git a/third_party/heimdal/lib/hx509/name.c b/third_party/heimdal/lib/hx509/name.c
index 9b6a156af6c..7d67716b953 100644
--- a/third_party/heimdal/lib/hx509/name.c
+++ b/third_party/heimdal/lib/hx509/name.c
@@ -358,29 +358,29 @@ _hx509_Name_to_string(const Name *n, char **str)
return 0;
}
-#define COPYCHARARRAY(_ds,_el,_l,_n) \
- (_l) = strlen(_ds->u._el); \
- (_n) = malloc((_l) * sizeof((_n)[0])); \
- if ((_n) == NULL) \
- return ENOMEM; \
- for (i = 0; i < (_l); i++) \
+#define COPYCHARARRAY(_ds,_el,_l,_n) \
+ (_l) = strlen(_ds->u._el); \
+ (_n) = malloc((_l + 1) * sizeof((_n)[0])); \
+ if ((_n) == NULL) \
+ return ENOMEM; \
+ for (i = 0; i < (_l); i++) \
(_n)[i] = _ds->u._el[i]
-#define COPYVALARRAY(_ds,_el,_l,_n) \
- (_l) = _ds->u._el.length; \
- (_n) = malloc((_l) * sizeof((_n)[0])); \
- if ((_n) == NULL) \
- return ENOMEM; \
- for (i = 0; i < (_l); i++) \
+#define COPYVALARRAY(_ds,_el,_l,_n) \
+ (_l) = _ds->u._el.length; \
+ (_n) = malloc((_l + 1) * sizeof((_n)[0])); \
+ if ((_n) == NULL) \
+ return ENOMEM; \
+ for (i = 0; i < (_l); i++) \
(_n)[i] = _ds->u._el.data[i]
-#define COPYVOIDARRAY(_ds,_el,_l,_n) \
- (_l) = _ds->u._el.length; \
- (_n) = malloc((_l) * sizeof((_n)[0])); \
- if ((_n) == NULL) \
- return ENOMEM; \
- for (i = 0; i < (_l); i++) \
+#define COPYVOIDARRAY(_ds,_el,_l,_n) \
+ (_l) = _ds->u._el.length; \
+ (_n) = malloc((_l + 1) * sizeof((_n)[0])); \
+ if ((_n) == NULL) \
+ return ENOMEM; \
+ for (i = 0; i < (_l); i++) \
(_n)[i] = ((unsigned char *)_ds->u._el.data)[i]
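Review bot: The new size expression `(_l + 1)` in COPYCHARARRAY, COPYVALARRAY and COPYVOIDARRAY drops the parentheses the old `(_l)` had around the macro argument; write `(((_l) + 1) * sizeof((_n)[0]))` so that an expression argument cannot bind differently. The reason for the extra element is not stated, and the copy loops never write to it; if the intent is to keep `malloc(0)` from being reported as ENOMEM for empty strings, a one-line comment such as `/* +1 so a zero-length string does not hit malloc(0) */` would record that. The same unexplained `+ 1` appears in the two dsstringprep hunks below, where `rlen[0] + 1` also departs from the `*rlen` spelling used on the adjacent lines. None of these multiplications is checked for overflow, although the lengths come from decoded name data.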
@@ -423,7 +423,7 @@ dsstringprep(const DirectoryString *ds, uint32_t **rname, size_t *rlen)
ret = wind_utf8ucs4_length(ds->u.utf8String, &len);
if (ret)
return ret;
- name = malloc(len * sizeof(name[0]));
+ name = malloc((len + 1) * sizeof(name[0]));
if (name == NULL)
return ENOMEM;
ret = wind_utf8ucs4(ds->u.utf8String, name, &len);
@@ -440,7 +440,7 @@ dsstringprep(const DirectoryString *ds, uint32_t **rname, size_t *rlen)
/* try a couple of times to get the length right, XXX gross */
for (i = 0; i < 4; i++) {
*rlen = *rlen * 2;
- if ((*rname = malloc(*rlen * sizeof((*rname)[0]))) == NULL) {
+ if ((*rname = malloc((rlen[0] + 1) * sizeof((*rname)[0]))) == NULL) {
ret = ENOMEM;
break;
}
@@ -579,9 +579,9 @@ _hx509_name_modify(hx509_context context,
{
RelativeDistinguishedName rdn;
size_t max_len = oidtomaxlen(oid);
- int type_choice, ret;
- const char *a = oidtostring(oid, &type_choice);
char *s = NULL;
+ int type_choice = choice_DirectoryString_printableString;
+ int ret;
/*
* Check string length upper bounds.
@@ -591,10 +591,13 @@ _hx509_name_modify(hx509_context context,
* here.
*/
if (max_len && strlen(str) > max_len) {
+ char *a = oidtostring(oid, &type_choice);
+
ret = HX509_PARSING_NAME_FAILED;
hx509_set_error_string(context, 0, ret, "RDN attribute %s value too "
"long (max %llu): %s", a ? a : "<unknown>",
max_len, str);
+ free(a);
return ret;
}
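Review bot: With `oidtostring(oid, &type_choice)` moved into the too-long error branch of _hx509_name_modify, `type_choice` keeps its initializer `choice_DirectoryString_printableString` on every path that does not return here, so `rdn.val[0].value.element = type_choice;` in the next hunk no longer depends on the OID unless code between the hunks, which is not shown, sets it. Before this change the call ran unconditionally at the top of the function. If printableString for every attribute is intended, state that in a comment next to the initializer; otherwise call `oidtostring()` ahead of the length check and free its result on every return path. Separately, `max_len` is a `size_t` but is formatted with `%llu`; pass `(unsigned long long)max_len`.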
@@ -622,7 +625,7 @@ _hx509_name_modify(hx509_context context,
*/
rdn.val[0].value.element = type_choice;
if ((s = strdup(str)) == NULL ||
- (ret = der_copy_oid(oid, &rdn.val[0].type))) {
+ der_copy_oid(oid, &rdn.val[0].type)) {
free(rdn.val);
free(s);
return hx509_enomem(context);
@@ -934,9 +937,6 @@ hx509_name_expand(hx509_context context,
return ENOMEM;
}
}
- free(s);
- sval = NULL;
- s = NULL;
while (p != NULL) {
/* expand variables */
@@ -945,6 +945,7 @@ hx509_name_expand(hx509_context context,
if (p2 == NULL) {
hx509_set_error_string(context, 0, EINVAL, "missing }");
rk_strpoolfree(strpool);
+ free(s);
return EINVAL;
}
p += 2;
@@ -954,11 +955,13 @@ hx509_name_expand(hx509_context context,
"variable %.*s missing",
(int)(p2 - p), p);
rk_strpoolfree(strpool);
+ free(s);
return EINVAL;
}
strpool = rk_strpoolprintf(strpool, "%s", value);
if (strpool == NULL) {
hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+ free(s);
return ENOMEM;
}
p2++;
@@ -971,9 +974,14 @@ hx509_name_expand(hx509_context context,
strpool = rk_strpoolprintf(strpool, "%s", p2);
if (strpool == NULL) {
hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+ free(s);
return ENOMEM;
}
}
+
+ free(s);
+ s = NULL;
+
if (strpool) {
size_t max_bytes;
@@ -1392,7 +1400,9 @@ hx509_general_name_unparse(GeneralName *name, char **str)
if ((ret = hx509_context_init(&context)))
return ret;
- return hx509_general_name_unparse2(context, name, str);
+ ret = hx509_general_name_unparse2(context, name, str);
+ hx509_context_free(&context);
+ return ret;
}
/**
@@ -1511,8 +1521,9 @@ hx509_general_name_unparse2(hx509_context context,
default:
return EINVAL;
}
- if (strpool == NULL ||
- (*str = rk_strpoolcollect(strpool)) == NULL)
+ if (ret)
+ rk_strpoolfree(strpool);
+ else if (strpool == NULL || (*str = rk_strpoolcollect(strpool)) == NULL)
return ENOMEM;
- return 0;
+ return ret;
}
diff --git a/third_party/heimdal/lib/hx509/print.c b/third_party/heimdal/lib/hx509/print.c
index 544001ebc0d..3309913f357 100644
--- a/third_party/heimdal/lib/hx509/print.c
+++ b/third_party/heimdal/lib/hx509/print.c
@@ -361,6 +361,7 @@ check_authorityKeyIdentifier(hx509_validate_ctx ctx,
}
}
+ free_AuthorityKeyIdentifier(&ai);
return 0;
}
@@ -771,6 +772,7 @@ check_certificatePolicies(hx509_validate_ctx ctx,
validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
" Unknown:%s", qoid);
}
+ free_UserNotice(&un);
}
} else {
validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
@@ -842,8 +844,11 @@ check_policyMappings(hx509_validate_ctx ctx,
else
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
"ret=%d while decoding PolicyMappings\n", ret);
+ free(sdpoid);
+ free(idpoid);
}
+ free_PolicyMappings(&pm);
return 0;
}
diff --git a/third_party/heimdal/lib/hx509/req.c b/third_party/heimdal/lib/hx509/req.c
index f0a7c218657..2b3f46d532a 100644
--- a/third_party/heimdal/lib/hx509/req.c
+++ b/third_party/heimdal/lib/hx509/req.c
@@ -518,14 +518,13 @@ get_exts(hx509_context context,
const hx509_request req,
Extensions *exts)
{
- uint64_t ku_num;
size_t size;
int ret = 0;
exts->val = NULL;
exts->len = 0;
- if ((ku_num = KeyUsage2int(req->ku))) {
+ if (KeyUsage2int(req->ku)) {
Extension e;
memset(&e, 0, sizeof(e));
@@ -718,6 +717,7 @@ hx509_request_to_pkcs10(hx509_context context,
abort();
free_CertificationRequest(&r);
+ free_Extensions(&exts);
return ret;
}
@@ -899,9 +899,9 @@ hx509_request_parse_der(hx509_context context,
out:
free_CertificationRequest(&r);
+ free_Extensions(&exts);
if (ret)
hx509_request_free(req);
- free_CertificationRequest(&r);
return ret;
}
@@ -1046,7 +1046,7 @@ authorize_feat(hx509_request req, abitstring a, size_t n, int idx)
switch (ret) {
case 0:
req->nauthorized++;
- /*fallthrough*/
+ fallthrough;
case -1:
return 0;
default:
@@ -1063,7 +1063,7 @@ reject_feat(hx509_request req, abitstring a, size_t n, int idx)
switch (ret) {
case 0:
req->nauthorized--;
- /*fallthrough*/
+ fallthrough;
case -1:
return 0;
default:
@@ -1245,7 +1245,7 @@ san_map_type(GeneralName *san)
if (der_heim_oid_cmp(&san->u.otherName.type_id, map[i].oid) == 0)
return map[i].type;
}
- /*fallthrough*/
+ fallthrough;
default: return HX509_SAN_TYPE_UNSUPPORTED;
}
}
@@ -1360,14 +1360,13 @@ hx509_request_get_san(hx509_request req,
case HX509_SAN_TYPE_REGISTERED_ID:
return der_print_heim_oid(&san->u.registeredID, '.', out);
case HX509_SAN_TYPE_XMPP:
- /*fallthrough*/
+ fallthrough;
case HX509_SAN_TYPE_MS_UPN: {
int ret;
ret = _hx509_unparse_utf8_string_name(req->context, &pool,
&san->u.otherName.value);
- if (ret == 0 &&
- (*out = rk_strpoolcollect(pool)) == NULL)
+ if ((*out = rk_strpoolcollect(pool)) == NULL)
return hx509_enomem(req->context);
return ret;
}
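Review bot: Dropping the `ret == 0 &&` guard means `rk_strpoolcollect(pool)` now runs even when `_hx509_unparse_utf8_string_name()` failed, so hx509_request_get_san can return a non-zero `ret` with `*out` pointing at an allocated, possibly partial string. Callers that free `*out` only on success will leak it, and a NULL from the collect call replaces the original error with ENOMEM. The count_sans hunk in ca.c adds `free(s);` after its loop, which fits the new contract, but other callers are not visible in this diff. Document it on the function, for example `/* On error *out may still be set; the caller must free it. */`, or free the collected string and set `*out = NULL` before returning a non-zero `ret`. The KRB5PrincipalName case in the next hunk has the same shape.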
@@ -1376,10 +1375,9 @@ hx509_request_get_san(hx509_request req,
ret = _hx509_unparse_KRB5PrincipalName(req->context, &pool,
&san->u.otherName.value);
- if (ret == 0 &&
- (*out = rk_strpoolcollect(pool)) == NULL)
+ if ((*out = rk_strpoolcollect(pool)) == NULL)
return hx509_enomem(req->context);
- return 0;
+ return ret;
}
default:
*type = HX509_SAN_TYPE_UNSUPPORTED;
diff --git a/third_party/heimdal/lib/hx509/revoke.c b/third_party/heimdal/lib/hx509/revoke.c
index c2f2e00cc29..18b2f8f8f96 100644
--- a/third_party/heimdal/lib/hx509/revoke.c
+++ b/third_party/heimdal/lib/hx509/revoke.c
@@ -202,6 +202,8 @@ verify_ocsp(hx509_context context,
ret = hx509_certs_find(context, certs, &q, &signer);
if (ret && ocsp->certs)
ret = hx509_certs_find(context, ocsp->certs, &q, &signer);
+ if (ret == 0 && signer == NULL)
+ ret = HX509_CERT_NOT_FOUND;
if (ret)
goto out;
@@ -500,6 +502,8 @@ verify_crl(hx509_context context,
q.subject_name = &crl->tbsCertList.issuer;
ret = hx509_certs_find(context, certs, &q, &signer);
+ if (ret == 0 && signer == NULL)
+ ret = HX509_CERT_NOT_FOUND;
if (ret) {
hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
"Failed to find certificate for CRL");
diff --git a/third_party/heimdal/lib/hx509/sel-gram.y b/third_party/heimdal/lib/hx509/sel-gram.y
index 7e9d4f26d9c..09f641d7c05 100644
--- a/third_party/heimdal/lib/hx509/sel-gram.y
+++ b/third_party/heimdal/lib/hx509/sel-gram.y
@@ -78,6 +78,10 @@
%token <string> STRING
%token <string> IDENTIFIER
+%left '!'
+%left kw_AND
+%left kw_OR
+
%start start
%%
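Review bot: These declarations give `'!'` the lowest precedence and `kw_OR` the highest, because yacc ranks later `%left` lines above earlier ones; that is the reverse of the usual NOT > AND > OR ordering. Under this order `a AND b OR c` groups as `a AND (b OR c)` and `! a AND b` as `!(a AND b)`, assuming the rules after `%%` are the plain `expr kw_AND expr` and `expr kw_OR expr` forms, which lie outside this hunk. If the order was chosen to keep the grouping that the old default shift resolution produced, a comment saying so above the three lines would stop a later reader from "fixing" it; if conventional precedence is wanted, list them as `%left kw_OR`, `%left kw_AND`, `%right '!'`. Selection expressions written by administrators are evaluated under whichever grouping this fixes, so it is worth a test case either way.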
diff --git a/third_party/heimdal/lib/hx509/softp11.c b/third_party/heimdal/lib/hx509/softp11.c
index 0a1445ba523..75f675579c7 100644
--- a/third_party/heimdal/lib/hx509/softp11.c
+++ b/third_party/heimdal/lib/hx509/softp11.c
@@ -311,7 +311,7 @@ add_st_object(void)
return NULL;
for (i = 0; i < soft_token.object.num_objs; i++) {
- if (soft_token.object.objs == NULL) {
+ if (soft_token.object.objs[i] == NULL) {
soft_token.object.objs[i] = o;
break;
}
@@ -342,6 +342,9 @@ add_object_attribute(struct st_object *o,
struct st_attr *a;
int i;
+ if (pValue == NULL && ulValueLen)
+ return CKR_ARGUMENTS_BAD;
+
i = o->num_attributes;
a = realloc(o->attrs, (i + 1) * sizeof(o->attrs[0]));
if (a == NULL)
@@ -352,7 +355,8 @@ add_object_attribute(struct st_object *o,
o->attrs[i].attribute.pValue = malloc(ulValueLen);
if (o->attrs[i].attribute.pValue == NULL && ulValueLen != 0)
return CKR_DEVICE_MEMORY;
- memcpy(o->attrs[i].attribute.pValue, pValue, ulValueLen);
+ if (ulValueLen)
+ memcpy(o->attrs[i].attribute.pValue, pValue, ulValueLen);
o->attrs[i].attribute.ulValueLen = ulValueLen;
o->num_attributes++;