diff options
author | Stefan Metzmacher <metze@samba.org> | 2011-07-15 09:10:30 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2011-07-15 11:15:05 +0200 |
commit | 255e3e18e00f717d99f3bc57c8a8895ff624f3c3 (patch) | |
tree | a2933c88f38e8dd7fe612be8dd458d05918b1f15 /source4/heimdal/lib/hx509/cert.c | |
parent | 70da27838bb3f6ed9c36add06ce0ccdf467ab1c3 (diff) | |
download | samba-255e3e18e00f717d99f3bc57c8a8895ff624f3c3.tar.gz samba-255e3e18e00f717d99f3bc57c8a8895ff624f3c3.tar.bz2 samba-255e3e18e00f717d99f3bc57c8a8895ff624f3c3.zip |
s4:heimdal: import lorikeet-heimdal-201107150856 (commit 48936803fae4a2fb362c79365d31f420c917b85b)
Diffstat (limited to 'source4/heimdal/lib/hx509/cert.c')
-rw-r--r-- | source4/heimdal/lib/hx509/cert.c | 115 |
1 files changed, 65 insertions, 50 deletions
diff --git a/source4/heimdal/lib/hx509/cert.c b/source4/heimdal/lib/hx509/cert.c index 7f95ea5560..70e5756037 100644 --- a/source4/heimdal/lib/hx509/cert.c +++ b/source4/heimdal/lib/hx509/cert.c @@ -327,7 +327,7 @@ _hx509_cert_assign_key(hx509_cert cert, hx509_private_key private_key) void hx509_cert_free(hx509_cert cert) { - int i; + size_t i; if (cert == NULL) return; @@ -355,7 +355,7 @@ hx509_cert_free(hx509_cert cert) free(cert->friendlyname); if (cert->basename) hx509_name_free(&cert->basename); - memset(cert, 0, sizeof(cert)); + memset(cert, 0, sizeof(*cert)); free(cert); } @@ -574,7 +574,7 @@ hx509_verify_ctx_f_allow_default_trustanchors(hx509_verify_ctx ctx, int boolean) } void -hx509_verify_ctx_f_allow_best_before_signature_algs(hx509_context ctx, +hx509_verify_ctx_f_allow_best_before_signature_algs(hx509_context ctx, int boolean) { if (boolean) @@ -584,7 +584,7 @@ hx509_verify_ctx_f_allow_best_before_signature_algs(hx509_context ctx, } static const Extension * -find_extension(const Certificate *cert, const heim_oid *oid, int *idx) +find_extension(const Certificate *cert, const heim_oid *oid, size_t *idx) { const TBSCertificate *c = &cert->tbsCertificate; @@ -604,7 +604,7 @@ find_extension_auth_key_id(const Certificate *subject, { const Extension *e; size_t size; - int i = 0; + size_t i = 0; memset(ai, 0, sizeof(*ai)); @@ -623,7 +623,7 @@ _hx509_find_extension_subject_key_id(const Certificate *issuer, { const Extension *e; size_t size; - int i = 0; + size_t i = 0; memset(si, 0, sizeof(*si)); @@ -642,7 +642,7 @@ find_extension_name_constraints(const Certificate *subject, { const Extension *e; size_t size; - int i = 0; + size_t i = 0; memset(nc, 0, sizeof(*nc)); @@ -656,7 +656,7 @@ find_extension_name_constraints(const Certificate *subject, } static int -find_extension_subject_alt_name(const Certificate *cert, int *i, +find_extension_subject_alt_name(const Certificate *cert, size_t *i, GeneralNames *sa) { const Extension *e; @@ -678,7 +678,7 @@ find_extension_eku(const Certificate *cert, ExtKeyUsage *eku) { const Extension *e; size_t size; - int i = 0; + size_t i = 0; memset(eku, 0, sizeof(*eku)); @@ -720,7 +720,7 @@ add_to_list(hx509_octet_string_list *list, const heim_octet_string *entry) void hx509_free_octet_string_list(hx509_octet_string_list *list) { - int i; + size_t i; for (i = 0; i < list->len; i++) der_free_octet_string(&list->val[i]); free(list->val); @@ -752,7 +752,8 @@ hx509_cert_find_subjectAltName_otherName(hx509_context context, hx509_octet_string_list *list) { GeneralNames sa; - int ret, i, j; + int ret; + size_t i, j; list->val = NULL; list->len = 0; @@ -796,7 +797,8 @@ check_key_usage(hx509_context context, const Certificate *cert, const Extension *e; KeyUsage ku; size_t size; - int ret, i = 0; + int ret; + size_t i = 0; unsigned ku_flags; if (_hx509_cert_get_version(cert) < 3) @@ -849,12 +851,13 @@ enum certtype { PROXY_CERT, EE_CERT, CA_CERT }; static int check_basic_constraints(hx509_context context, const Certificate *cert, - enum certtype type, int depth) + enum certtype type, size_t depth) { BasicConstraints bc; const Extension *e; size_t size; - int ret, i = 0; + int ret; + size_t i = 0; if (_hx509_cert_get_version(cert) < 3) return 0; @@ -966,7 +969,7 @@ _hx509_cert_is_parent_cmp(const Certificate *subject, return -1; if (ai.authorityCertIssuer->val[0].element != choice_GeneralName_directoryName) return -1; - + name.element = ai.authorityCertIssuer->val[0].u.directoryName.element; name.u.rdnSequence = @@ -1123,7 +1126,7 @@ find_parent(hx509_context context, hx509_clear_error_string(context); return HX509_ISSUER_NOT_FOUND; } - + hx509_set_error_string(context, 0, HX509_ISSUER_NOT_FOUND, "Failed to find issuer for " "certificate with subject: '%s'", str); @@ -1144,7 +1147,8 @@ is_proxy_cert(hx509_context context, ProxyCertInfo info; const Extension *e; size_t size; - int ret, i = 0; + int ret; + size_t i = 0; if (rinfo) memset(rinfo, 0, sizeof(*rinfo)); @@ -1511,7 +1515,7 @@ hx509_cert_get_SPKI_AlgorithmIdentifier(hx509_context context, } static int -get_x_unique_id(hx509_context context, const char *name, +get_x_unique_id(hx509_context context, const char *name, const heim_bit_string *cert, heim_bit_string *subject) { int ret; @@ -1695,7 +1699,7 @@ static int match_RDN(const RelativeDistinguishedName *c, const RelativeDistinguishedName *n) { - int i; + size_t i; if (c->len != n->len) return HX509_NAME_CONSTRAINT_ERROR; @@ -1717,7 +1721,8 @@ match_RDN(const RelativeDistinguishedName *c, static int match_X501Name(const Name *c, const Name *n) { - int i, ret; + size_t i; + int ret; if (c->element != choice_Name_rdnSequence || n->element != choice_Name_rdnSequence) @@ -1824,7 +1829,8 @@ match_alt_name(const GeneralName *n, const Certificate *c, int *same, int *match) { GeneralNames sa; - int ret, i, j; + int ret; + size_t i, j; i = 0; do { @@ -1869,7 +1875,7 @@ match_tree(const GeneralSubtrees *t, const Certificate *c, int *match) && !subject_null_p(c)) { GeneralName certname; - + memset(&certname, 0, sizeof(certname)); certname.element = choice_GeneralName_directoryName; certname.u.directoryName.element = @@ -1898,7 +1904,7 @@ check_name_constraints(hx509_context context, const Certificate *c) { int match, ret; - int i; + size_t i; for (i = 0 ; i < nc->len; i++) { GeneralSubtrees gs; @@ -1941,7 +1947,7 @@ check_name_constraints(hx509_context context, static void free_name_constraints(hx509_name_constraints *nc) { - int i; + size_t i; for (i = 0 ; i < nc->len; i++) free_NameConstraints(&nc->val[i]); @@ -1971,7 +1977,8 @@ hx509_verify_path(hx509_context context, { hx509_name_constraints nc; hx509_path path; - int ret, i, proxy_cert_depth, selfsigned_depth, diff; + int ret, proxy_cert_depth, selfsigned_depth, diff; + size_t i, k; enum certtype type; Name proxy_issuer; hx509_certs anchors = NULL; @@ -1979,7 +1986,7 @@ hx509_verify_path(hx509_context context, memset(&proxy_issuer, 0, sizeof(proxy_issuer)); ret = init_name_constraints(&nc); - if (ret) + if (ret) return ret; path.val = NULL; @@ -2031,7 +2038,7 @@ hx509_verify_path(hx509_context context, time_t t; c = _hx509_get_cert(path.val[i]); - + /* * Lets do some basic check on issuer like * keyUsage.keyCertSign and basicConstraints.cA bit depending @@ -2063,10 +2070,10 @@ hx509_verify_path(hx509_context context, break; case PROXY_CERT: { - ProxyCertInfo info; + ProxyCertInfo info; if (is_proxy_cert(context, c, &info) == 0) { - int j; + size_t j; if (info.pCPathLenConstraint != NULL && *info.pCPathLenConstraint < i) @@ -2080,7 +2087,7 @@ hx509_verify_path(hx509_context context, } /* XXX MUST check info.proxyPolicy */ free_ProxyCertInfo(&info); - + j = 0; if (find_extension(c, &asn1_oid_id_x509_ce_subjectAltName, &j)) { ret = HX509_PROXY_CERT_INVALID; @@ -2098,7 +2105,7 @@ hx509_verify_path(hx509_context context, "forbidden issuerAltName"); goto out; } - + /* * The subject name of the proxy certificate should be * CN=XXX,<proxy issuer>, prune of CN and check if its @@ -2189,7 +2196,7 @@ hx509_verify_path(hx509_context context, } if (cert->basename) hx509_name_free(&cert->basename); - + ret = _hx509_name_from_Name(&proxy_issuer, &cert->basename); if (ret) { hx509_clear_error_string(context); @@ -2204,7 +2211,7 @@ hx509_verify_path(hx509_context context, i - proxy_cert_depth - selfsigned_depth); if (ret) goto out; - + /* * Don't check the trust anchors expiration time since they * are transported out of band, from RFC3820. @@ -2236,9 +2243,10 @@ hx509_verify_path(hx509_context context, * checked in the right order. */ - for (ret = 0, i = path.len - 1; i >= 0; i--) { + for (ret = 0, k = path.len; k > 0; k--) { Certificate *c; int selfsigned; + i = k - 1; c = _hx509_get_cert(path.val[i]); @@ -2287,7 +2295,7 @@ hx509_verify_path(hx509_context context, } for (i = 0; i < path.len - 1; i++) { - int parent = (i < path.len - 1) ? i + 1 : i; + size_t parent = (i < path.len - 1) ? i + 1 : i; ret = hx509_revoke_verify(context, ctx->revoke_ctx, @@ -2308,9 +2316,10 @@ hx509_verify_path(hx509_context context, * parameter is passed up from the anchor up though the chain. */ - for (i = path.len - 1; i >= 0; i--) { + for (k = path.len; k > 0; k--) { hx509_cert signer; Certificate *c; + i = k - 1; c = _hx509_get_cert(path.val[i]); @@ -2343,7 +2352,7 @@ hx509_verify_path(hx509_context context, "Failed to verify signature of certificate"); goto out; } - /* + /* * Verify that the sigature algorithm "best-before" date is * before the creation date of the certificate, do this for * trust anchors too, since any trust anchor that is created @@ -2353,7 +2362,7 @@ hx509_verify_path(hx509_context context, */ if (i != 0 && (ctx->flags & HX509_VERIFY_CTX_F_NO_BEST_BEFORE_CHECK) == 0) { - time_t notBefore = + time_t notBefore = _hx509_Time2time_t(&c->tbsCertificate.validity.notBefore); ret = _hx509_signature_best_before(context, &c->signatureAlgorithm, @@ -2450,7 +2459,8 @@ hx509_verify_hostname(hx509_context context, { GeneralNames san; const Name *name; - int ret, i, j; + int ret; + size_t i, j, k; if (sa && sa_size <= 0) return EINVAL; @@ -2471,7 +2481,7 @@ hx509_verify_hostname(hx509_context context, heim_printable_string hn; hn.data = rk_UNCONST(hostname); hn.length = strlen(hostname); - + if (der_printable_string_cmp(&san.val[j].u.dNSName, &hn) == 0) { free_GeneralNames(&san); return 0; @@ -2488,7 +2498,8 @@ hx509_verify_hostname(hx509_context context, name = &cert->data->tbsCertificate.subject; /* Find first CN= in the name, and try to match the hostname on that */ - for (ret = 0, i = name->u.rdnSequence.len - 1; ret == 0 && i >= 0; i--) { + for (ret = 0, k = name->u.rdnSequence.len; ret == 0 && k > 0; k--) { + i = k - 1; for (j = 0; ret == 0 && j < name->u.rdnSequence.val[i].len; j++) { AttributeTypeAndValue *n = &name->u.rdnSequence.val[i].val[j]; @@ -2579,7 +2590,7 @@ _hx509_set_cert_attribute(hx509_context context, hx509_cert_attribute hx509_cert_get_attribute(hx509_cert cert, const heim_oid *oid) { - int i; + size_t i; for (i = 0; i < cert->attrs.len; i++) if (der_heim_oid_cmp(oid, &cert->attrs.val[i]->oid) == 0) return cert->attrs.val[i]; @@ -2625,7 +2636,8 @@ hx509_cert_get_friendly_name(hx509_cert cert) hx509_cert_attribute a; PKCS9_friendlyName n; size_t sz; - int ret, i; + int ret; + size_t i; if (cert->friendlyname) return cert->friendlyname; @@ -2647,7 +2659,7 @@ hx509_cert_get_friendly_name(hx509_cert cert) ret = decode_PKCS9_friendlyName(a->data.data, a->data.length, &n, &sz); if (ret) return NULL; - + if (n.len != 1) { free_PKCS9_friendlyName(&n); return NULL; @@ -3166,7 +3178,8 @@ hx509_query_unparse_stats(hx509_context context, int printtype, FILE *out) { rtbl_t t; FILE *f; - int type, mask, i, num; + int type, mask, num; + size_t i; unsigned long multiqueries = 0, totalqueries = 0; struct stat_el stats[32]; @@ -3254,7 +3267,8 @@ hx509_cert_check_eku(hx509_context context, hx509_cert cert, const heim_oid *eku, int allow_any_eku) { ExtKeyUsage e; - int ret, i; + int ret; + size_t i; ret = find_extension_eku(_hx509_get_cert(cert), &e); if (ret) { @@ -3289,7 +3303,8 @@ _hx509_cert_get_keyusage(hx509_context context, Certificate *cert; const Extension *e; size_t size; - int ret, i = 0; + int ret; + size_t i = 0; memset(ku, 0, sizeof(*ku)); @@ -3455,7 +3470,7 @@ _hx509_cert_to_env(hx509_context context, hx509_cert cert, hx509_env *env) else if (ret != 0) goto out; else { - int i; + size_t i; hx509_env enveku = NULL; for (i = 0; i < eku.len; i++) { @@ -3509,10 +3524,10 @@ _hx509_cert_to_env(hx509_context context, hx509_cert cert, hx509_env *env) "Out of memory"); goto out; } - + ret = hx509_env_add(context, &envhash, "sha1", buf); free(buf); - if (ret) + if (ret) goto out; ret = hx509_env_add_binding(context, &envcert, "hash", envhash); |