summaryrefslogtreecommitdiff
path: root/source4/heimdal/lib/hx509
diff options
context:
space:
mode:
Diffstat (limited to 'source4/heimdal/lib/hx509')
-rw-r--r--source4/heimdal/lib/hx509/ca.c10
-rw-r--r--source4/heimdal/lib/hx509/cert.c115
-rw-r--r--source4/heimdal/lib/hx509/char_map.h64
-rw-r--r--source4/heimdal/lib/hx509/cms.c48
-rw-r--r--source4/heimdal/lib/hx509/collector.c11
-rw-r--r--source4/heimdal/lib/hx509/crypto.c97
-rw-r--r--source4/heimdal/lib/hx509/file.c8
-rw-r--r--source4/heimdal/lib/hx509/keyset.c15
-rw-r--r--source4/heimdal/lib/hx509/ks_dir.c4
-rw-r--r--source4/heimdal/lib/hx509/ks_file.c26
-rw-r--r--source4/heimdal/lib/hx509/ks_keychain.c14
-rw-r--r--source4/heimdal/lib/hx509/ks_mem.c2
-rw-r--r--source4/heimdal/lib/hx509/ks_p11.c32
-rw-r--r--source4/heimdal/lib/hx509/ks_p12.c20
-rw-r--r--source4/heimdal/lib/hx509/lock.c2
-rw-r--r--source4/heimdal/lib/hx509/name.c52
-rw-r--r--source4/heimdal/lib/hx509/print.c31
-rw-r--r--source4/heimdal/lib/hx509/revoke.c56
-rw-r--r--source4/heimdal/lib/hx509/sel.c6
-rw-r--r--source4/heimdal/lib/hx509/sel.h2
-rw-r--r--source4/heimdal/lib/hx509/test_name.c2
21 files changed, 346 insertions, 271 deletions
diff --git a/source4/heimdal/lib/hx509/ca.c b/source4/heimdal/lib/hx509/ca.c
index 492064d86d..cb5a7be62c 100644
--- a/source4/heimdal/lib/hx509/ca.c
+++ b/source4/heimdal/lib/hx509/ca.c
@@ -266,7 +266,7 @@ hx509_ca_tbs_set_template(hx509_context context,
}
if (flags & HX509_CA_TEMPLATE_EKU) {
ExtKeyUsage eku;
- int i;
+ size_t i;
ret = _hx509_cert_get_eku(context, cert, &eku);
if (ret)
return ret;
@@ -610,7 +610,7 @@ hx509_ca_tbs_add_san_pkinit(hx509_context context,
const char *str;
char *q;
int n;
-
+
/* count number of component */
n = 1;
for(str = principal; *str != '\0' && *str != '@'; str++){
@@ -633,7 +633,7 @@ hx509_ca_tbs_add_san_pkinit(hx509_context context,
goto out;
}
p.principalName.name_string.len = n;
-
+
p.principalName.name_type = KRB5_NT_PRINCIPAL;
q = s = strdup(principal);
if (q == NULL) {
@@ -689,7 +689,7 @@ add_utf8_san(hx509_context context,
const heim_oid *oid,
const char *string)
{
- const PKIXXmppAddr ustring = (const PKIXXmppAddr)string;
+ const PKIXXmppAddr ustring = (const PKIXXmppAddr)(intptr_t)string;
heim_octet_string os;
size_t size;
int ret;
@@ -866,7 +866,7 @@ hx509_ca_tbs_set_unique(hx509_context context,
der_free_bit_string(&tbs->subjectUniqueID);
der_free_bit_string(&tbs->issuerUniqueID);
-
+
if (subjectUniqueID) {
ret = der_copy_bit_string(subjectUniqueID, &tbs->subjectUniqueID);
if (ret)
diff --git a/source4/heimdal/lib/hx509/cert.c b/source4/heimdal/lib/hx509/cert.c
index 7f95ea5560..70e5756037 100644
--- a/source4/heimdal/lib/hx509/cert.c
+++ b/source4/heimdal/lib/hx509/cert.c
@@ -327,7 +327,7 @@ _hx509_cert_assign_key(hx509_cert cert, hx509_private_key private_key)
void
hx509_cert_free(hx509_cert cert)
{
- int i;
+ size_t i;
if (cert == NULL)
return;
@@ -355,7 +355,7 @@ hx509_cert_free(hx509_cert cert)
free(cert->friendlyname);
if (cert->basename)
hx509_name_free(&cert->basename);
- memset(cert, 0, sizeof(cert));
+ memset(cert, 0, sizeof(*cert));
free(cert);
}
@@ -574,7 +574,7 @@ hx509_verify_ctx_f_allow_default_trustanchors(hx509_verify_ctx ctx, int boolean)
}
void
-hx509_verify_ctx_f_allow_best_before_signature_algs(hx509_context ctx,
+hx509_verify_ctx_f_allow_best_before_signature_algs(hx509_context ctx,
int boolean)
{
if (boolean)
@@ -584,7 +584,7 @@ hx509_verify_ctx_f_allow_best_before_signature_algs(hx509_context ctx,
}
static const Extension *
-find_extension(const Certificate *cert, const heim_oid *oid, int *idx)
+find_extension(const Certificate *cert, const heim_oid *oid, size_t *idx)
{
const TBSCertificate *c = &cert->tbsCertificate;
@@ -604,7 +604,7 @@ find_extension_auth_key_id(const Certificate *subject,
{
const Extension *e;
size_t size;
- int i = 0;
+ size_t i = 0;
memset(ai, 0, sizeof(*ai));
@@ -623,7 +623,7 @@ _hx509_find_extension_subject_key_id(const Certificate *issuer,
{
const Extension *e;
size_t size;
- int i = 0;
+ size_t i = 0;
memset(si, 0, sizeof(*si));
@@ -642,7 +642,7 @@ find_extension_name_constraints(const Certificate *subject,
{
const Extension *e;
size_t size;
- int i = 0;
+ size_t i = 0;
memset(nc, 0, sizeof(*nc));
@@ -656,7 +656,7 @@ find_extension_name_constraints(const Certificate *subject,
}
static int
-find_extension_subject_alt_name(const Certificate *cert, int *i,
+find_extension_subject_alt_name(const Certificate *cert, size_t *i,
GeneralNames *sa)
{
const Extension *e;
@@ -678,7 +678,7 @@ find_extension_eku(const Certificate *cert, ExtKeyUsage *eku)
{
const Extension *e;
size_t size;
- int i = 0;
+ size_t i = 0;
memset(eku, 0, sizeof(*eku));
@@ -720,7 +720,7 @@ add_to_list(hx509_octet_string_list *list, const heim_octet_string *entry)
void
hx509_free_octet_string_list(hx509_octet_string_list *list)
{
- int i;
+ size_t i;
for (i = 0; i < list->len; i++)
der_free_octet_string(&list->val[i]);
free(list->val);
@@ -752,7 +752,8 @@ hx509_cert_find_subjectAltName_otherName(hx509_context context,
hx509_octet_string_list *list)
{
GeneralNames sa;
- int ret, i, j;
+ int ret;
+ size_t i, j;
list->val = NULL;
list->len = 0;
@@ -796,7 +797,8 @@ check_key_usage(hx509_context context, const Certificate *cert,
const Extension *e;
KeyUsage ku;
size_t size;
- int ret, i = 0;
+ int ret;
+ size_t i = 0;
unsigned ku_flags;
if (_hx509_cert_get_version(cert) < 3)
@@ -849,12 +851,13 @@ enum certtype { PROXY_CERT, EE_CERT, CA_CERT };
static int
check_basic_constraints(hx509_context context, const Certificate *cert,
- enum certtype type, int depth)
+ enum certtype type, size_t depth)
{
BasicConstraints bc;
const Extension *e;
size_t size;
- int ret, i = 0;
+ int ret;
+ size_t i = 0;
if (_hx509_cert_get_version(cert) < 3)
return 0;
@@ -966,7 +969,7 @@ _hx509_cert_is_parent_cmp(const Certificate *subject,
return -1;
if (ai.authorityCertIssuer->val[0].element != choice_GeneralName_directoryName)
return -1;
-
+
name.element =
ai.authorityCertIssuer->val[0].u.directoryName.element;
name.u.rdnSequence =
@@ -1123,7 +1126,7 @@ find_parent(hx509_context context,
hx509_clear_error_string(context);
return HX509_ISSUER_NOT_FOUND;
}
-
+
hx509_set_error_string(context, 0, HX509_ISSUER_NOT_FOUND,
"Failed to find issuer for "
"certificate with subject: '%s'", str);
@@ -1144,7 +1147,8 @@ is_proxy_cert(hx509_context context,
ProxyCertInfo info;
const Extension *e;
size_t size;
- int ret, i = 0;
+ int ret;
+ size_t i = 0;
if (rinfo)
memset(rinfo, 0, sizeof(*rinfo));
@@ -1511,7 +1515,7 @@ hx509_cert_get_SPKI_AlgorithmIdentifier(hx509_context context,
}
static int
-get_x_unique_id(hx509_context context, const char *name,
+get_x_unique_id(hx509_context context, const char *name,
const heim_bit_string *cert, heim_bit_string *subject)
{
int ret;
@@ -1695,7 +1699,7 @@ static int
match_RDN(const RelativeDistinguishedName *c,
const RelativeDistinguishedName *n)
{
- int i;
+ size_t i;
if (c->len != n->len)
return HX509_NAME_CONSTRAINT_ERROR;
@@ -1717,7 +1721,8 @@ match_RDN(const RelativeDistinguishedName *c,
static int
match_X501Name(const Name *c, const Name *n)
{
- int i, ret;
+ size_t i;
+ int ret;
if (c->element != choice_Name_rdnSequence
|| n->element != choice_Name_rdnSequence)
@@ -1824,7 +1829,8 @@ match_alt_name(const GeneralName *n, const Certificate *c,
int *same, int *match)
{
GeneralNames sa;
- int ret, i, j;
+ int ret;
+ size_t i, j;
i = 0;
do {
@@ -1869,7 +1875,7 @@ match_tree(const GeneralSubtrees *t, const Certificate *c, int *match)
&& !subject_null_p(c))
{
GeneralName certname;
-
+
memset(&certname, 0, sizeof(certname));
certname.element = choice_GeneralName_directoryName;
certname.u.directoryName.element =
@@ -1898,7 +1904,7 @@ check_name_constraints(hx509_context context,
const Certificate *c)
{
int match, ret;
- int i;
+ size_t i;
for (i = 0 ; i < nc->len; i++) {
GeneralSubtrees gs;
@@ -1941,7 +1947,7 @@ check_name_constraints(hx509_context context,
static void
free_name_constraints(hx509_name_constraints *nc)
{
- int i;
+ size_t i;
for (i = 0 ; i < nc->len; i++)
free_NameConstraints(&nc->val[i]);
@@ -1971,7 +1977,8 @@ hx509_verify_path(hx509_context context,
{
hx509_name_constraints nc;
hx509_path path;
- int ret, i, proxy_cert_depth, selfsigned_depth, diff;
+ int ret, proxy_cert_depth, selfsigned_depth, diff;
+ size_t i, k;
enum certtype type;
Name proxy_issuer;
hx509_certs anchors = NULL;
@@ -1979,7 +1986,7 @@ hx509_verify_path(hx509_context context,
memset(&proxy_issuer, 0, sizeof(proxy_issuer));
ret = init_name_constraints(&nc);
- if (ret)
+ if (ret)
return ret;
path.val = NULL;
@@ -2031,7 +2038,7 @@ hx509_verify_path(hx509_context context,
time_t t;
c = _hx509_get_cert(path.val[i]);
-
+
/*
* Lets do some basic check on issuer like
* keyUsage.keyCertSign and basicConstraints.cA bit depending
@@ -2063,10 +2070,10 @@ hx509_verify_path(hx509_context context,
break;
case PROXY_CERT: {
- ProxyCertInfo info;
+ ProxyCertInfo info;
if (is_proxy_cert(context, c, &info) == 0) {
- int j;
+ size_t j;
if (info.pCPathLenConstraint != NULL &&
*info.pCPathLenConstraint < i)
@@ -2080,7 +2087,7 @@ hx509_verify_path(hx509_context context,
}
/* XXX MUST check info.proxyPolicy */
free_ProxyCertInfo(&info);
-
+
j = 0;
if (find_extension(c, &asn1_oid_id_x509_ce_subjectAltName, &j)) {
ret = HX509_PROXY_CERT_INVALID;
@@ -2098,7 +2105,7 @@ hx509_verify_path(hx509_context context,
"forbidden issuerAltName");
goto out;
}
-
+
/*
* The subject name of the proxy certificate should be
* CN=XXX,<proxy issuer>, prune of CN and check if its
@@ -2189,7 +2196,7 @@ hx509_verify_path(hx509_context context,
}
if (cert->basename)
hx509_name_free(&cert->basename);
-
+
ret = _hx509_name_from_Name(&proxy_issuer, &cert->basename);
if (ret) {
hx509_clear_error_string(context);
@@ -2204,7 +2211,7 @@ hx509_verify_path(hx509_context context,
i - proxy_cert_depth - selfsigned_depth);
if (ret)
goto out;
-
+
/*
* Don't check the trust anchors expiration time since they
* are transported out of band, from RFC3820.
@@ -2236,9 +2243,10 @@ hx509_verify_path(hx509_context context,
* checked in the right order.
*/
- for (ret = 0, i = path.len - 1; i >= 0; i--) {
+ for (ret = 0, k = path.len; k > 0; k--) {
Certificate *c;
int selfsigned;
+ i = k - 1;
c = _hx509_get_cert(path.val[i]);
@@ -2287,7 +2295,7 @@ hx509_verify_path(hx509_context context,
}
for (i = 0; i < path.len - 1; i++) {
- int parent = (i < path.len - 1) ? i + 1 : i;
+ size_t parent = (i < path.len - 1) ? i + 1 : i;
ret = hx509_revoke_verify(context,
ctx->revoke_ctx,
@@ -2308,9 +2316,10 @@ hx509_verify_path(hx509_context context,
* parameter is passed up from the anchor up though the chain.
*/
- for (i = path.len - 1; i >= 0; i--) {
+ for (k = path.len; k > 0; k--) {
hx509_cert signer;
Certificate *c;
+ i = k - 1;
c = _hx509_get_cert(path.val[i]);
@@ -2343,7 +2352,7 @@ hx509_verify_path(hx509_context context,
"Failed to verify signature of certificate");
goto out;
}
- /*
+ /*
* Verify that the sigature algorithm "best-before" date is
* before the creation date of the certificate, do this for
* trust anchors too, since any trust anchor that is created
@@ -2353,7 +2362,7 @@ hx509_verify_path(hx509_context context,
*/
if (i != 0 && (ctx->flags & HX509_VERIFY_CTX_F_NO_BEST_BEFORE_CHECK) == 0) {
- time_t notBefore =
+ time_t notBefore =
_hx509_Time2time_t(&c->tbsCertificate.validity.notBefore);
ret = _hx509_signature_best_before(context,
&c->signatureAlgorithm,
@@ -2450,7 +2459,8 @@ hx509_verify_hostname(hx509_context context,
{
GeneralNames san;
const Name *name;
- int ret, i, j;
+ int ret;
+ size_t i, j, k;
if (sa && sa_size <= 0)
return EINVAL;
@@ -2471,7 +2481,7 @@ hx509_verify_hostname(hx509_context context,
heim_printable_string hn;
hn.data = rk_UNCONST(hostname);
hn.length = strlen(hostname);
-
+
if (der_printable_string_cmp(&san.val[j].u.dNSName, &hn) == 0) {
free_GeneralNames(&san);
return 0;
@@ -2488,7 +2498,8 @@ hx509_verify_hostname(hx509_context context,
name = &cert->data->tbsCertificate.subject;
/* Find first CN= in the name, and try to match the hostname on that */
- for (ret = 0, i = name->u.rdnSequence.len - 1; ret == 0 && i >= 0; i--) {
+ for (ret = 0, k = name->u.rdnSequence.len; ret == 0 && k > 0; k--) {
+ i = k - 1;
for (j = 0; ret == 0 && j < name->u.rdnSequence.val[i].len; j++) {
AttributeTypeAndValue *n = &name->u.rdnSequence.val[i].val[j];
@@ -2579,7 +2590,7 @@ _hx509_set_cert_attribute(hx509_context context,
hx509_cert_attribute
hx509_cert_get_attribute(hx509_cert cert, const heim_oid *oid)
{
- int i;
+ size_t i;
for (i = 0; i < cert->attrs.len; i++)
if (der_heim_oid_cmp(oid, &cert->attrs.val[i]->oid) == 0)
return cert->attrs.val[i];
@@ -2625,7 +2636,8 @@ hx509_cert_get_friendly_name(hx509_cert cert)
hx509_cert_attribute a;
PKCS9_friendlyName n;
size_t sz;
- int ret, i;
+ int ret;
+ size_t i;
if (cert->friendlyname)
return cert->friendlyname;
@@ -2647,7 +2659,7 @@ hx509_cert_get_friendly_name(hx509_cert cert)
ret = decode_PKCS9_friendlyName(a->data.data, a->data.length, &n, &sz);
if (ret)
return NULL;
-
+
if (n.len != 1) {
free_PKCS9_friendlyName(&n);
return NULL;
@@ -3166,7 +3178,8 @@ hx509_query_unparse_stats(hx509_context context, int printtype, FILE *out)
{
rtbl_t t;
FILE *f;
- int type, mask, i, num;
+ int type, mask, num;
+ size_t i;
unsigned long multiqueries = 0, totalqueries = 0;
struct stat_el stats[32];
@@ -3254,7 +3267,8 @@ hx509_cert_check_eku(hx509_context context, hx509_cert cert,
const heim_oid *eku, int allow_any_eku)
{
ExtKeyUsage e;
- int ret, i;
+ int ret;
+ size_t i;
ret = find_extension_eku(_hx509_get_cert(cert), &e);
if (ret) {
@@ -3289,7 +3303,8 @@ _hx509_cert_get_keyusage(hx509_context context,
Certificate *cert;
const Extension *e;
size_t size;
- int ret, i = 0;
+ int ret;
+ size_t i = 0;
memset(ku, 0, sizeof(*ku));
@@ -3455,7 +3470,7 @@ _hx509_cert_to_env(hx509_context context, hx509_cert cert, hx509_env *env)
else if (ret != 0)
goto out;
else {
- int i;
+ size_t i;
hx509_env enveku = NULL;
for (i = 0; i < eku.len; i++) {
@@ -3509,10 +3524,10 @@ _hx509_cert_to_env(hx509_context context, hx509_cert cert, hx509_env *env)
"Out of memory");
goto out;
}
-
+
ret = hx509_env_add(context, &envhash, "sha1", buf);
free(buf);
- if (ret)
+ if (ret)
goto out;
ret = hx509_env_add_binding(context, &envcert, "hash", envhash);
diff --git a/source4/heimdal/lib/hx509/char_map.h b/source4/heimdal/lib/hx509/char_map.h
index d2b39d041f..8a3026c7e6 100644
--- a/source4/heimdal/lib/hx509/char_map.h
+++ b/source4/heimdal/lib/hx509/char_map.h
@@ -10,36 +10,36 @@
unsigned char char_map[] = {
- 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
- 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
- 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
- 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
- 0x06 , 0x00 , 0x00 , 0x10 , 0x00 , 0x00 , 0x00 , 0x00 ,
- 0x00 , 0x00 , 0x00 , 0x12 , 0x12 , 0x02 , 0x02 , 0x02 ,
- 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 ,
- 0x02 , 0x02 , 0x02 , 0x10 , 0x10 , 0x12 , 0x10 , 0x02 ,
- 0x00 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 ,
- 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 ,
- 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 ,
- 0x02 , 0x02 , 0x02 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 ,
- 0x00 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 ,
- 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 ,
- 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 ,
- 0x02 , 0x02 , 0x02 , 0x00 , 0x00 , 0x00 , 0x00 , 0x21 ,
- 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
- 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
- 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
- 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
- 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
- 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
- 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
- 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
- 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
- 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
- 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
- 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
- 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
- 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
- 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
- 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21
+ 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
+ 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
+ 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
+ 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
+ 0x06 , 0x00 , 0x00 , 0x10 , 0x00 , 0x00 , 0x00 , 0x00 ,
+ 0x00 , 0x00 , 0x00 , 0x12 , 0x12 , 0x02 , 0x02 , 0x02 ,
+ 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 ,
+ 0x02 , 0x02 , 0x02 , 0x10 , 0x10 , 0x12 , 0x10 , 0x02 ,
+ 0x00 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 ,
+ 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 ,
+ 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 ,
+ 0x02 , 0x02 , 0x02 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 ,
+ 0x00 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 ,
+ 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 ,
+ 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 ,
+ 0x02 , 0x02 , 0x02 , 0x00 , 0x00 , 0x00 , 0x00 , 0x21 ,
+ 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
+ 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
+ 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
+ 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
+ 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
+ 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
+ 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
+ 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
+ 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
+ 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
+ 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
+ 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
+ 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
+ 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
+ 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
+ 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21
};
diff --git a/source4/heimdal/lib/hx509/cms.c b/source4/heimdal/lib/hx509/cms.c
index 6e4eefaa1c..4e0a2e03fc 100644
--- a/source4/heimdal/lib/hx509/cms.c
+++ b/source4/heimdal/lib/hx509/cms.c
@@ -362,7 +362,8 @@ hx509_cms_unenvelope(hx509_context context,
heim_octet_string *params, params_data;
heim_octet_string ivec;
size_t size;
- int ret, i, matched = 0, findflags = 0;
+ int ret, matched = 0, findflags = 0;
+ size_t i;
memset(&key, 0, sizeof(key));
@@ -472,7 +473,7 @@ hx509_cms_unenvelope(hx509_context context,
ret = hx509_crypto_init(context, NULL, &ai->algorithm, &crypto);
if (ret)
goto out;
-
+
if (flags & HX509_CMS_UE_ALLOW_WEAK)
hx509_crypto_allow_weak(crypto);
@@ -492,7 +493,7 @@ hx509_cms_unenvelope(hx509_context context,
"of EnvelopedData");
goto out;
}
-
+
ret = hx509_crypto_decrypt(crypto,
enccontent->data,
enccontent->length,
@@ -619,7 +620,7 @@ hx509_cms_envelope_1(hx509_context context,
"Failed to set crypto oid "
"for EnvelopedData");
goto out;
- }
+ }
ALLOC(enc_alg->parameters, 1);
if (enc_alg->parameters == NULL) {
ret = ENOMEM;
@@ -656,7 +657,7 @@ hx509_cms_envelope_1(hx509_context context,
ri->version = 2;
cmsidflag = CMS_ID_SKI;
}
-
+
ret = fill_CMSIdentifier(cert, cmsidflag, &ri->rid);
if (ret) {
hx509_set_error_string(context, 0, ret,
@@ -718,7 +719,8 @@ out:
static int
any_to_certs(hx509_context context, const SignedData *sd, hx509_certs certs)
{
- int ret, i;
+ int ret;
+ size_t i;
if (sd->certificates == NULL)
return 0;
@@ -744,7 +746,7 @@ any_to_certs(hx509_context context, const SignedData *sd, hx509_certs certs)
static const Attribute *
find_attribute(const CMSAttributes *attr, const heim_oid *oid)
{
- int i;
+ size_t i;
for (i = 0; i < attr->len; i++)
if (der_heim_oid_cmp(&attr->val[i].type, oid) == 0)
return &attr->val[i];
@@ -790,7 +792,8 @@ hx509_cms_verify_signed(hx509_context context,
hx509_certs certs = NULL;
SignedData sd;
size_t size;
- int ret, i, found_valid_sig;
+ int ret, found_valid_sig;
+ size_t i;
*signer_certs = NULL;
content->data = NULL;
@@ -889,7 +892,7 @@ hx509_cms_verify_signed(hx509_context context,
if (signer_info->signedAttrs) {
const Attribute *attr;
-
+
CMSAttributes sa;
heim_octet_string os;
@@ -913,7 +916,7 @@ hx509_cms_verify_signed(hx509_context context,
"messageDigest (signature)");
goto next_sigature;
}
-
+
ret = decode_MessageDigest(attr->value.val[0].data,
attr->value.val[0].length,
&os,
@@ -1018,7 +1021,7 @@ hx509_cms_verify_signed(hx509_context context,
if (ret)
goto next_sigature;
- /**
+ /**
* If HX509_CMS_VS_NO_VALIDATE flags is set, do not verify the
* signing certificates and leave that up to the caller.
*/
@@ -1113,7 +1116,7 @@ add_one_attribute(Attribute **attr,
return 0;
}
-
+
/**
* Decode SignedData and verify that the signature is correct.
*
@@ -1212,7 +1215,7 @@ sig_process(hx509_context context, void *ctx, hx509_cert cert)
hx509_clear_error_string(context);
} else {
ret = hx509_crypto_select(context, HX509_SELECT_DIGEST,
- _hx509_cert_private_key(cert),
+ _hx509_cert_private_key(cert),
sigctx->peer, &digest);
}
if (ret)
@@ -1240,7 +1243,7 @@ sig_process(hx509_context context, void *ctx, hx509_cert cert)
if (ret) {
hx509_clear_error_string(context);
goto out;
- }
+ }
signer_info->signedAttrs = NULL;
signer_info->unsignedAttrs = NULL;
@@ -1256,7 +1259,7 @@ sig_process(hx509_context context, void *ctx, hx509_cert cert)
*/
if (der_heim_oid_cmp(sigctx->eContentType, &asn1_oid_id_pkcs7_data) != 0) {
- CMSAttributes sa;
+ CMSAttributes sa;
heim_octet_string sig;
ALLOC(signer_info->signedAttrs, 1);
@@ -1322,7 +1325,7 @@ sig_process(hx509_context context, void *ctx, hx509_cert cert)
sa.val = signer_info->signedAttrs->val;
sa.len = signer_info->signedAttrs->len;
-
+
ASN1_MALLOC_ENCODE(CMSAttributes,
sigdata.data,
sigdata.length,
@@ -1409,7 +1412,7 @@ cert_process(hx509_context context, void *ctx, hx509_cert cert)
const unsigned int i = sigctx->sd.certificates->len;
void *ptr;
int ret;
-
+
ptr = realloc(sigctx->sd.certificates->val,
(i + 1) * sizeof(sigctx->sd.certificates->val[0]));
if (ptr == NULL)
@@ -1503,7 +1506,7 @@ hx509_cms_create_signed(hx509_context context,
ret = ENOMEM;
goto out;
}
-
+
sigctx.sd.encapContentInfo.eContent->data = malloc(length);
if (sigctx.sd.encapContentInfo.eContent->data == NULL) {
hx509_clear_error_string(context);
@@ -1525,6 +1528,10 @@ hx509_cms_create_signed(hx509_context context,
}
if (sigctx.sd.signerInfos.len) {
+
+ /*
+ * For each signerInfo, collect all different digest types.
+ */
for (i = 0; i < sigctx.sd.signerInfos.len; i++) {
AlgorithmIdentifier *di =
&sigctx.sd.signerInfos.val[i].digestAlgorithm;
@@ -1532,7 +1539,7 @@ hx509_cms_create_signed(hx509_context context,
for (j = 0; j < sigctx.sd.digestAlgorithms.len; j++)
if (cmp_AlgorithmIdentifier(di, &sigctx.sd.digestAlgorithms.val[j]) == 0)
break;
- if (j < sigctx.sd.digestAlgorithms.len) {
+ if (j == sigctx.sd.digestAlgorithms.len) {
ret = add_DigestAlgorithmIdentifiers(&sigctx.sd.digestAlgorithms, di);
if (ret) {
hx509_clear_error_string(context);
@@ -1542,6 +1549,9 @@ hx509_cms_create_signed(hx509_context context,
}
}
+ /*
+ * Add certs we think are needed, build as part of sig_process
+ */
if (sigctx.certs) {
ALLOC(sigctx.sd.certificates, 1);
if (sigctx.sd.certificates == NULL) {
diff --git a/source4/heimdal/lib/hx509/collector.c b/source4/heimdal/lib/hx509/collector.c
index 0cb186399f..15f8163f80 100644
--- a/source4/heimdal/lib/hx509/collector.c
+++ b/source4/heimdal/lib/hx509/collector.c
@@ -133,7 +133,7 @@ _hx509_collector_private_key_add(hx509_context context,
return ENOMEM;
}
c->val.data = d;
-
+
ret = copy_AlgorithmIdentifier(alg, &key->alg);
if (ret) {
hx509_set_error_string(context, 0, ret, "Failed to copy "
@@ -192,7 +192,7 @@ match_localkeyid(hx509_context context,
ret = hx509_certs_find(context, certs, &q, &cert);
if (ret == 0) {
-
+
if (value->private_key)
_hx509_cert_assign_key(cert, value->private_key);
hx509_cert_free(cert);
@@ -253,7 +253,8 @@ _hx509_collector_collect_certs(hx509_context context,
hx509_certs *ret_certs)
{
hx509_certs certs;
- int ret, i;
+ int ret;
+ size_t i;
*ret_certs = NULL;
@@ -286,7 +287,7 @@ _hx509_collector_collect_private_keys(hx509_context context,
struct hx509_collector *c,
hx509_private_key **keys)
{
- int i, nkeys;
+ size_t i, nkeys;
*keys = NULL;
@@ -315,7 +316,7 @@ _hx509_collector_collect_private_keys(hx509_context context,
void
_hx509_collector_free(struct hx509_collector *c)
{
- int i;
+ size_t i;
if (c->unenvelop_certs)
hx509_certs_free(&c->unenvelop_certs);
diff --git a/source4/heimdal/lib/hx509/crypto.c b/source4/heimdal/lib/hx509/crypto.c
index c69ddfb5d2..4559a9c493 100644
--- a/source4/heimdal/lib/hx509/crypto.c
+++ b/source4/heimdal/lib/hx509/crypto.c
@@ -286,7 +286,7 @@ heim_oid2ecnid(heim_oid *oid)
}
static int
-parse_ECParameters(hx509_context context,
+parse_ECParameters(hx509_context context,
heim_octet_string *parameters, int *nid)
{
ECParameters ecparam;
@@ -404,7 +404,7 @@ ecdsa_verify_signature(hx509_context context,
ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
return ret;
}
-
+
return 0;
}
@@ -552,7 +552,7 @@ rsa_verify_signature(hx509_context context,
p = spi->subjectPublicKey.data;
size = spi->subjectPublicKey.length / 8;
-
+
rsa = d2i_RSAPublicKey(NULL, &p, size);
if (rsa == NULL) {
ret = ENOMEM;
@@ -587,14 +587,14 @@ rsa_verify_signature(hx509_context context,
if (ret) {
goto out;
}
-
+
/* Check for extra data inside the sigature */
- if (size != retsize) {
+ if (size != (size_t)retsize) {
ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
hx509_set_error_string(context, 0, ret, "size from decryption mismatch");
goto out;
}
-
+
if (sig_alg->digest_alg &&
der_heim_oid_cmp(&di.digestAlgorithm.algorithm,
&sig_alg->digest_alg->algorithm) != 0)
@@ -603,7 +603,7 @@ rsa_verify_signature(hx509_context context,
hx509_set_error_string(context, 0, ret, "object identifier in RSA sig mismatch");
goto out;
}
-
+
/* verify that the parameters are NULL or the NULL-type */
if (di.digestAlgorithm.parameters != NULL &&
(di.digestAlgorithm.parameters->length != 2 ||
@@ -620,7 +620,7 @@ rsa_verify_signature(hx509_context context,
data,
&di.digest);
} else {
- if (retsize != data->length ||
+ if ((size_t)retsize != data->length ||
ct_memcmp(to, data->data, retsize) != 0)
{
ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
@@ -739,7 +739,7 @@ rsa_create_signature(hx509_context context,
"RSA private encrypt failed: %d", ret);
return ret;
}
- if (ret > sig->length)
+ if ((size_t)ret > sig->length)
_hx509_abort("RSA signature prelen longer the output len");
sig->length = ret;
@@ -960,11 +960,11 @@ ecdsa_private_key_import(hx509_context context,
ret = parse_ECParameters(context, keyai->parameters, &groupnid);
if (ret)
return ret;
-
+
key = EC_KEY_new();
if (key == NULL)
return ENOMEM;
-
+
group = EC_GROUP_new_by_curve_name(groupnid);
if (group == NULL) {
EC_KEY_free(key);
@@ -1008,8 +1008,8 @@ ecdsa_generate_private_key(hx509_context context,
}
static BIGNUM *
-ecdsa_get_internal(hx509_context context,
- hx509_private_key key,
+ecdsa_get_internal(hx509_context context,
+ hx509_private_key key,
const char *type)
{
return NULL;
@@ -1162,7 +1162,7 @@ evp_md_create_signature(hx509_context context,
if (ret)
return ret;
}
-
+
sig->data = malloc(sigsize);
if (sig->data == NULL) {
@@ -1256,7 +1256,8 @@ static const struct signature_alg heim_rsa_pkcs1_x509 = {
0,
NULL,
rsa_verify_signature,
- rsa_create_signature
+ rsa_create_signature,
+ 0
};
static const struct signature_alg pkcs1_rsa_sha1_alg = {
@@ -1269,7 +1270,8 @@ static const struct signature_alg pkcs1_rsa_sha1_alg = {
0,
NULL,
rsa_verify_signature,
- rsa_create_signature
+ rsa_create_signature,
+ 0
};
static const struct signature_alg rsa_with_sha512_alg = {
@@ -1282,7 +1284,8 @@ static const struct signature_alg rsa_with_sha512_alg = {
0,
NULL,
rsa_verify_signature,
- rsa_create_signature
+ rsa_create_signature,
+ 0
};
static const struct signature_alg rsa_with_sha384_alg = {
@@ -1295,7 +1298,8 @@ static const struct signature_alg rsa_with_sha384_alg = {
0,
NULL,
rsa_verify_signature,
- rsa_create_signature
+ rsa_create_signature,
+ 0
};
static const struct signature_alg rsa_with_sha256_alg = {
@@ -1308,7 +1312,8 @@ static const struct signature_alg rsa_with_sha256_alg = {
0,
NULL,
rsa_verify_signature,
- rsa_create_signature
+ rsa_create_signature,
+ 0
};
static const struct signature_alg rsa_with_sha1_alg = {
@@ -1321,7 +1326,8 @@ static const struct signature_alg rsa_with_sha1_alg = {
0,
NULL,
rsa_verify_signature,
- rsa_create_signature
+ rsa_create_signature,
+ 0
};
static const struct signature_alg rsa_with_sha1_alg_secsig = {
@@ -1334,7 +1340,8 @@ static const struct signature_alg rsa_with_sha1_alg_secsig = {
0,
NULL,
rsa_verify_signature,
- rsa_create_signature
+ rsa_create_signature,
+ 0
};
static const struct signature_alg rsa_with_md5_alg = {
@@ -1347,7 +1354,8 @@ static const struct signature_alg rsa_with_md5_alg = {
1230739889,
NULL,
rsa_verify_signature,
- rsa_create_signature
+ rsa_create_signature,
+ 0
};
static const struct signature_alg dsa_sha1_alg = {
@@ -1361,6 +1369,7 @@ static const struct signature_alg dsa_sha1_alg = {
NULL,
dsa_verify_signature,
/* create_signature */ NULL,
+ 0
};
static const struct signature_alg sha512_alg = {
@@ -1373,7 +1382,8 @@ static const struct signature_alg sha512_alg = {
0,
EVP_sha512,
evp_md_verify_signature,
- evp_md_create_signature
+ evp_md_create_signature,
+ 0
};
static const struct signature_alg sha384_alg = {
@@ -1386,7 +1396,8 @@ static const struct signature_alg sha384_alg = {
0,
EVP_sha384,
evp_md_verify_signature,
- evp_md_create_signature
+ evp_md_create_signature,
+ 0
};
static const struct signature_alg sha256_alg = {
@@ -1399,7 +1410,8 @@ static const struct signature_alg sha256_alg = {
0,
EVP_sha256,
evp_md_verify_signature,
- evp_md_create_signature
+ evp_md_create_signature,
+ 0
};
static const struct signature_alg sha1_alg = {
@@ -1412,7 +1424,8 @@ static const struct signature_alg sha1_alg = {
0,
EVP_sha1,
evp_md_verify_signature,
- evp_md_create_signature
+ evp_md_create_signature,
+ 0
};
static const struct signature_alg md5_alg = {
@@ -1425,7 +1438,8 @@ static const struct signature_alg md5_alg = {
0,
EVP_md5,
evp_md_verify_signature,
- NULL
+ NULL,
+ 0
};
/*
@@ -1481,7 +1495,7 @@ alg_for_privatekey(const hx509_private_key pk, int type)
continue;
if (der_heim_oid_cmp(sig_algs[i]->key_oid, keytype) != 0)
continue;
- if (pk->ops->available &&
+ if (pk->ops->available &&
pk->ops->available(pk, sig_algs[i]->sig_alg) == 0)
continue;
if (type == HX509_SELECT_PUBLIC_SIG)
@@ -1673,7 +1687,7 @@ _hx509_public_encrypt(hx509_context context,
p = spi->subjectPublicKey.data;
size = spi->subjectPublicKey.length / 8;
-
+
rsa = d2i_RSAPublicKey(NULL, &p, size);
if (rsa == NULL) {
hx509_set_error_string(context, 0, ENOMEM, "out of memory");
@@ -1748,7 +1762,7 @@ hx509_private_key_private_decrypt(hx509_context context,
"Failed to decrypt using private key: %d", ret);
return HX509_CRYPTO_RSA_PRIVATE_DECRYPT;
}
- if (cleartext->length < ret)
+ if (cleartext->length < (size_t)ret)
_hx509_abort("internal rsa decryption failure: ret > tosize");
cleartext->length = ret;
@@ -2339,7 +2353,7 @@ static const struct hx509cipher ciphers[] = {
static const struct hx509cipher *
find_cipher_by_oid(const heim_oid *oid)
{
- int i;
+ size_t i;
for (i = 0; i < sizeof(ciphers)/sizeof(ciphers[0]); i++)
if (der_heim_oid_cmp(oid, ciphers[i].oid) == 0)
@@ -2351,7 +2365,7 @@ find_cipher_by_oid(const heim_oid *oid)
static const struct hx509cipher *
find_cipher_by_name(const char *name)
{
- int i;
+ size_t i;
for (i = 0; i < sizeof(ciphers)/sizeof(ciphers[0]); i++)
if (strcasecmp(name, ciphers[i].name) == 0)
@@ -2461,7 +2475,7 @@ hx509_crypto_set_padding(hx509_crypto crypto, int padding_type)
int
hx509_crypto_set_key_data(hx509_crypto crypto, const void *data, size_t length)
{
- if (EVP_CIPHER_key_length(crypto->c) > length)
+ if (EVP_CIPHER_key_length(crypto->c) > (int)length)
return HX509_CRYPTO_INTERNAL_ERROR;
if (crypto->key.data) {
@@ -2558,7 +2572,7 @@ hx509_crypto_encrypt(hx509_crypto crypto,
(crypto->flags & ALLOW_WEAK) == 0)
return HX509_CRYPTO_ALGORITHM_BEST_BEFORE;
- assert(EVP_CIPHER_iv_length(crypto->c) == ivec->length);
+ assert(EVP_CIPHER_iv_length(crypto->c) == (int)ivec->length);
EVP_CIPHER_CTX_init(&evp);
@@ -2595,10 +2609,10 @@ hx509_crypto_encrypt(hx509_crypto crypto,
ret = ENOMEM;
goto out;
}
-
+
memcpy((*ciphertext)->data, data, length);
if (padsize) {
- int i;
+ size_t i;
unsigned char *p = (*ciphertext)->data;
p += length;
for (i = 0; i < padsize; i++)
@@ -2647,7 +2661,7 @@ hx509_crypto_decrypt(hx509_crypto crypto,
(crypto->flags & ALLOW_WEAK) == 0)
return HX509_CRYPTO_ALGORITHM_BEST_BEFORE;
- if (ivec && EVP_CIPHER_iv_length(crypto->c) < ivec->length)
+ if (ivec && EVP_CIPHER_iv_length(crypto->c) < (int)ivec->length)
return HX509_CRYPTO_INTERNAL_ERROR;
if (crypto->key.data == NULL)
@@ -2683,7 +2697,7 @@ hx509_crypto_decrypt(hx509_crypto crypto,
unsigned char *p;
int j, bsize = EVP_CIPHER_block_size(crypto->c);
- if (clear->length < bsize) {
+ if ((int)clear->length < bsize) {
ret = HX509_CMS_PADDING_ERROR;
goto out;
}
@@ -2854,7 +2868,8 @@ _hx509_pbe_decrypt(hx509_context context,
const EVP_CIPHER *c;
const EVP_MD *md;
PBE_string2key_func s2k;
- int i, ret = 0;
+ int ret = 0;
+ size_t i;
memset(&key, 0, sizeof(key));
memset(&iv, 0, sizeof(iv));
@@ -2912,7 +2927,7 @@ _hx509_pbe_decrypt(hx509_context context,
hx509_crypto_destroy(crypto);
if (ret == 0)
goto out;
-
+
}
out:
if (key.data)
@@ -3161,7 +3176,7 @@ hx509_crypto_available(hx509_context context,
if (ptr == NULL)
goto out;
*val = ptr;
-
+
ret = copy_AlgorithmIdentifier((ciphers[i].ai_func)(), &(*val)[len]);
if (ret)
goto out;
diff --git a/source4/heimdal/lib/hx509/file.c b/source4/heimdal/lib/hx509/file.c
index 56e25766ef..4f7e87f070 100644
--- a/source4/heimdal/lib/hx509/file.c
+++ b/source4/heimdal/lib/hx509/file.c
@@ -93,11 +93,11 @@ hx509_pem_write(hx509_context context, const char *type,
while (size > 0) {
ssize_t l;
-
+
length = size;
if (length > ENCODE_LINE_LENGTH)
length = ENCODE_LINE_LENGTH;
-
+
l = base64_encode(p, length, &line);
if (l < 0) {
hx509_set_error_string(context, 0, ENOMEM,
@@ -211,7 +211,7 @@ hx509_pem_read(hx509_context context,
if (i > 0)
i--;
}
-
+
switch (where) {
case BEFORE:
if (strncmp("-----BEGIN ", buf, 11) == 0) {
@@ -260,7 +260,7 @@ hx509_pem_read(hx509_context context,
free(p);
goto out;
}
-
+
data = erealloc(data, len + i);
memcpy(((char *)data) + len, p, i);
free(p);
diff --git a/source4/heimdal/lib/hx509/keyset.c b/source4/heimdal/lib/hx509/keyset.c
index 77cfd42cd2..c0275d949d 100644
--- a/source4/heimdal/lib/hx509/keyset.c
+++ b/source4/heimdal/lib/hx509/keyset.c
@@ -390,6 +390,21 @@ certs_iter(hx509_context context, void *ctx, hx509_cert cert)
return func(cert);
}
+/**
+ * Iterate over all certificates in a keystore and call an block
+ * for each fo them.
+ *
+ * @param context a hx509 context.
+ * @param certs certificate store to iterate over.
+ * @param func block to call for each certificate. The function
+ * should return non-zero to abort the iteration, that value is passed
+ * back to the caller of hx509_certs_iter().
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
int
hx509_certs_iter(hx509_context context,
hx509_certs certs,
diff --git a/source4/heimdal/lib/hx509/ks_dir.c b/source4/heimdal/lib/hx509/ks_dir.c
index 8c8c6e50c8..264b1bf552 100644
--- a/source4/heimdal/lib/hx509/ks_dir.c
+++ b/source4/heimdal/lib/hx509/ks_dir.c
@@ -158,10 +158,10 @@ dir_iter(hx509_context context,
}
if (strcmp(dir->d_name, ".") == 0 || strcmp(dir->d_name, "..") == 0)
continue;
-
+
if (asprintf(&fn, "FILE:%s/%s", (char *)data, dir->d_name) == -1)
return ENOMEM;
-
+
ret = hx509_certs_init(context, fn, 0, NULL, &d->certs);
if (ret == 0) {
diff --git a/source4/heimdal/lib/hx509/ks_file.c b/source4/heimdal/lib/hx509/ks_file.c
index ecd3a6edaa..d21d889287 100644
--- a/source4/heimdal/lib/hx509/ks_file.c
+++ b/source4/heimdal/lib/hx509/ks_file.c
@@ -112,7 +112,7 @@ try_decrypt(hx509_context context,
EVP_CipherInit_ex(&ctx, c, NULL, key, ivdata, 0);
EVP_Cipher(&ctx, clear.data, cipher, len);
EVP_CIPHER_CTX_cleanup(&ctx);
- }
+ }
ret = _hx509_collector_private_key_add(context,
collector,
@@ -138,7 +138,7 @@ parse_pkcs8_private_key(hx509_context context, const char *fn,
{
PKCS8PrivateKeyInfo ki;
heim_octet_string keydata;
-
+
int ret;
ret = decode_PKCS8PrivateKeyInfo(data, length, &ki, NULL);
@@ -177,7 +177,8 @@ parse_pem_private_key(hx509_context context, const char *fn,
const EVP_CIPHER *cipher;
const struct _hx509_password *pw;
hx509_lock lock;
- int i, decrypted = 0;
+ int decrypted = 0;
+ size_t i;
lock = _hx509_collector_get_lock(c);
if (lock == NULL) {
@@ -252,7 +253,7 @@ parse_pem_private_key(hx509_context context, const char *fn,
"private key file");
return HX509_PARSING_KEY_FAILED;
}
-
+
pw = _hx509_lock_get_passwords(lock);
if (pw != NULL) {
const void *password;
@@ -261,8 +262,8 @@ parse_pem_private_key(hx509_context context, const char *fn,
for (i = 0; i < pw->len; i++) {
password = pw->val[i];
passwordlen = strlen(password);
-
- ret = try_decrypt(context, c, ai, cipher, ivdata,
+
+ ret = try_decrypt(context, c, ai, cipher, ivdata,
password, passwordlen, data, len);
if (ret == 0) {
decrypted = 1;
@@ -283,7 +284,7 @@ parse_pem_private_key(hx509_context context, const char *fn,
ret = hx509_lock_prompt(lock, &prompt);
if (ret == 0)
- ret = try_decrypt(context, c, ai, cipher, ivdata, password,
+ ret = try_decrypt(context, c, ai, cipher, ivdata, password,
strlen(password), data, len);
/* XXX add password to lock password collection ? */
memset(password, 0, sizeof(password));
@@ -329,7 +330,8 @@ pem_func(hx509_context context, const char *type,
const void *data, size_t len, void *ctx)
{
struct pem_ctx *pem_ctx = (struct pem_ctx*)ctx;
- int ret = 0, j;
+ int ret = 0;
+ size_t j;
for (j = 0; j < sizeof(formats)/sizeof(formats[0]); j++) {
const char *q = formats[j].name;
@@ -338,7 +340,7 @@ pem_func(hx509_context context, const char *type,
if (formats[j].ai != NULL)
ai = (*formats[j].ai)();
- ret = (*formats[j].func)(context, NULL, pem_ctx->c,
+ ret = (*formats[j].func)(context, NULL, pem_ctx->c,
header, data, len, ai);
if (ret && (pem_ctx->flags & HX509_CERTS_UNPROTECT_ALL)) {
hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
@@ -418,7 +420,7 @@ file_init_common(hx509_context context,
pnext = strchr(p, ',');
if (pnext)
*pnext++ = '\0';
-
+
if ((f = fopen(p, "r")) == NULL) {
ret = ENOENT;
@@ -430,13 +432,13 @@ file_init_common(hx509_context context,
rk_cloexec_file(f);
ret = hx509_pem_read(context, f, pem_func, &pem_ctx);
- fclose(f);
+ fclose(f);
if (ret != 0 && ret != HX509_PARSING_KEY_FAILED)
goto out;
else if (ret == HX509_PARSING_KEY_FAILED) {
size_t length;
void *ptr;
- int i;
+ size_t i;
ret = rk_undumpdata(p, &ptr, &length);
if (ret) {
diff --git a/source4/heimdal/lib/hx509/ks_keychain.c b/source4/heimdal/lib/hx509/ks_keychain.c
index e64d83c84d..0552d8f7e9 100644
--- a/source4/heimdal/lib/hx509/ks_keychain.c
+++ b/source4/heimdal/lib/hx509/ks_keychain.c
@@ -50,7 +50,7 @@ OSStatus SecKeyGetCredentials(SecKeyRef, CSSM_ACL_AUTHORIZATION_TAG,
static int
getAttribute(SecKeychainItemRef itemRef, SecItemAttr item,
SecKeychainAttributeList **attrs)
-{
+{
SecKeychainAttributeInfo attrInfo;
UInt32 attrFormat = 0;
OSStatus ret;
@@ -138,10 +138,10 @@ kc_rsa_private_encrypt(int flen,
in.Data = (uint8 *)from;
in.Length = flen;
-
+
sig.Data = (uint8 *)to;
sig.Length = kc->keysize;
-
+
cret = CSSM_SignData(sigHandle, &in, 1, CSSM_ALGID_NONE, &sig);
if(cret) {
/* cssmErrorString(cret); */
@@ -197,10 +197,10 @@ kc_rsa_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
in.Data = (uint8 *)from;
in.Length = flen;
-
+
out.Data = (uint8 *)to;
out.Length = kc->keysize;
-
+
rem.Data = (uint8 *)remdata;
rem.Length = sizeof(remdata);
@@ -485,7 +485,7 @@ keychain_iter(hx509_context context,
return 0;
else if (ret != 0)
return EINVAL;
-
+
/*
* Pick out certificate and matching "keyid"
*/
@@ -517,7 +517,7 @@ keychain_iter(hx509_context context,
attrKeyid.tag = kSecKeyLabel;
attrKeyid.length = attrs->attr[0].length;
attrKeyid.data = attrs->attr[0].data;
-
+
attrList.count = 1;
attrList.attr = &attrKeyid;
diff --git a/source4/heimdal/lib/hx509/ks_mem.c b/source4/heimdal/lib/hx509/ks_mem.c
index 9d3c66b294..684acb0adf 100644
--- a/source4/heimdal/lib/hx509/ks_mem.c
+++ b/source4/heimdal/lib/hx509/ks_mem.c
@@ -171,7 +171,7 @@ mem_getkeys(hx509_context context,
hx509_set_error_string(context, 0, ENOMEM, "out of memory");
return ENOMEM;
}
- }
+ }
(*keys)[i] = NULL;
return 0;
}
diff --git a/source4/heimdal/lib/hx509/ks_p11.c b/source4/heimdal/lib/hx509/ks_p11.c
index 30f5343b0e..120bf43ef4 100644
--- a/source4/heimdal/lib/hx509/ks_p11.c
+++ b/source4/heimdal/lib/hx509/ks_p11.c
@@ -152,7 +152,7 @@ p11_rsa_private_encrypt(int flen,
}
ret = P11FUNC(p11rsa->p, Sign,
- (session, (CK_BYTE *)from, flen, to, &ck_sigsize));
+ (session, (CK_BYTE *)(intptr_t)from, flen, to, &ck_sigsize));
p11_put_session(p11rsa->p, p11rsa->slot, session);
if (ret != CKR_OK)
return -1;
@@ -190,7 +190,7 @@ p11_rsa_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
}
ret = P11FUNC(p11rsa->p, Decrypt,
- (session, (CK_BYTE *)from, flen, to, &ck_sigsize));
+ (session, (CK_BYTE *)(intptr_t)from, flen, to, &ck_sigsize));
p11_put_session(p11rsa->p, p11rsa->slot, session);
if (ret != CKR_OK)
return -1;
@@ -427,7 +427,7 @@ p11_get_session(hx509_context context,
prompt.type = HX509_PROMPT_TYPE_PASSWORD;
prompt.reply.data = pin;
prompt.reply.length = sizeof(pin);
-
+
ret = hx509_lock_prompt(lock, &prompt);
if (ret) {
free(str);
@@ -513,7 +513,7 @@ iterate_entries(hx509_context context,
}
if (object_count == 0)
break;
-
+
for (i = 0; i < num_query; i++)
query[i].pValue = NULL;
@@ -535,7 +535,7 @@ iterate_entries(hx509_context context,
ret = -1;
goto out;
}
-
+
ret = (*func)(context, p, slot, session, object, ptr, query, num_query);
if (ret)
goto out;
@@ -561,7 +561,7 @@ iterate_entries(hx509_context context,
return ret;
}
-
+
static BIGNUM *
getattr_bn(struct p11_module *p,
struct p11_slot *slot,
@@ -704,10 +704,10 @@ collect_cert(hx509_context context,
{
heim_octet_string data;
-
+
data.data = query[0].pValue;
data.length = query[0].ulValueLen;
-
+
_hx509_set_cert_attribute(context,
cert,
&asn1_oid_id_pkcs_9_at_localKeyId,
@@ -878,7 +878,8 @@ p11_init(hx509_context context,
{
CK_SLOT_ID_PTR slot_ids;
- int i, num_tokens = 0;
+ int num_tokens = 0;
+ size_t i;
slot_ids = malloc(p->num_slots * sizeof(*slot_ids));
if (slot_ids == NULL) {
@@ -905,7 +906,7 @@ p11_init(hx509_context context,
ret = ENOMEM;
goto out;
}
-
+
for (i = 0; i < p->num_slots; i++) {
ret = p11_init_slot(context, p, lock, slot_ids[i], i, &p->slot[i]);
if (ret)
@@ -933,7 +934,7 @@ p11_init(hx509_context context,
static void
p11_release_module(struct p11_module *p)
{
- int i;
+ size_t i;
if (p->ref == 0)
_hx509_abort("pkcs11 ref to low");
@@ -957,7 +958,7 @@ p11_release_module(struct p11_module *p)
free(p->slot[i].mechs.list);
if (p->slot[i].mechs.infos) {
- int j;
+ size_t j;
for (j = 0 ; j < p->slot[i].mechs.num ; j++)
free(p->slot[i].mechs.infos[j]);
@@ -981,7 +982,7 @@ static int
p11_free(hx509_certs certs, void *data)
{
struct p11_module *p = data;
- int i;
+ size_t i;
for (i = 0; i < p->num_slots; i++) {
if (p->slot[i].certs)
@@ -1002,7 +1003,8 @@ p11_iter_start(hx509_context context,
{
struct p11_module *p = data;
struct p11_cursor *c;
- int ret, i;
+ int ret;
+ size_t i;
c = malloc(sizeof(*c));
if (c == NULL) {
@@ -1103,7 +1105,7 @@ p11_printinfo(hx509_context context,
void *ctx)
{
struct p11_module *p = data;
- int i, j;
+ size_t i, j;
_hx509_pi_printf(func, ctx, "pkcs11 driver with %d slot%s",
p->num_slots, p->num_slots > 1 ? "s" : "");
diff --git a/source4/heimdal/lib/hx509/ks_p12.c b/source4/heimdal/lib/hx509/ks_p12.c
index 704cf071d7..0ca13de1eb 100644
--- a/source4/heimdal/lib/hx509/ks_p12.c
+++ b/source4/heimdal/lib/hx509/ks_p12.c
@@ -56,7 +56,7 @@ parse_pkcs12_type(hx509_context, struct hx509_collector *, const heim_oid *,
static const PKCS12_Attribute *
find_attribute(const PKCS12_Attributes *attrs, const heim_oid *oid)
{
- int i;
+ size_t i;
if (attrs == NULL)
return NULL;
for (i = 0; i < attrs->len; i++)
@@ -168,7 +168,7 @@ certBag_parser(hx509_context context,
const heim_oid *oids[] = {
&asn1_oid_id_pkcs_9_at_localKeyId, &asn1_oid_id_pkcs_9_at_friendlyName
};
- int i;
+ size_t i;
for (i = 0; i < sizeof(oids)/sizeof(oids[0]); i++) {
const heim_oid *oid = oids[i];
@@ -176,7 +176,7 @@ certBag_parser(hx509_context context,
if (attr)
_hx509_set_cert_attribute(context, cert, oid,
&attr->attrValues);
- }
+ }
}
hx509_cert_free(cert);
@@ -190,7 +190,8 @@ parse_safe_content(hx509_context context,
const unsigned char *p, size_t len)
{
PKCS12_SafeContents sc;
- int ret, i;
+ int ret;
+ size_t i;
memset(&sc, 0, sizeof(sc));
@@ -236,7 +237,7 @@ encryptedData_parser(hx509_context context,
heim_octet_string content;
heim_oid contentType;
int ret;
-
+
memset(&contentType, 0, sizeof(contentType));
ret = hx509_cms_decrypt_encrypted(context,
@@ -265,7 +266,7 @@ envelopedData_parser(hx509_context context,
heim_oid contentType;
hx509_lock lock;
int ret;
-
+
memset(&contentType, 0, sizeof(contentType));
lock = _hx509_collector_get_lock(c);
@@ -310,7 +311,7 @@ parse_pkcs12_type(hx509_context context,
const void *data, size_t length,
const PKCS12_Attributes *attrs)
{
- int i;
+ size_t i;
for (i = 0; i < sizeof(bagtypes)/sizeof(bagtypes[0]); i++)
if (der_heim_oid_cmp(bagtypes[i].oid, oid) == 0)
@@ -327,7 +328,8 @@ p12_init(hx509_context context,
void *buf;
PKCS12_PFX pfx;
PKCS12_AuthenticatedSafe as;
- int ret, i;
+ int ret;
+ size_t i;
struct hx509_collector *c;
*data = NULL;
@@ -581,7 +583,7 @@ p12_store(hx509_context context,
free_PKCS12_AuthenticatedSafe(&as);
if (ret)
return ret;
-
+
ret = der_parse_hex_heim_integer("03", &pfx.version);
if (ret) {
free(asdata.data);
diff --git a/source4/heimdal/lib/hx509/lock.c b/source4/heimdal/lib/hx509/lock.c
index 07e9d36125..b72d45962b 100644
--- a/source4/heimdal/lib/hx509/lock.c
+++ b/source4/heimdal/lib/hx509/lock.c
@@ -121,7 +121,7 @@ _hx509_lock_unlock_certs(hx509_lock lock)
void
hx509_lock_reset_passwords(hx509_lock lock)
{
- int i;
+ size_t i;
for (i = 0; i < lock->password.len; i++)
free(lock->password.val[i]);
free(lock->password.val);
diff --git a/source4/heimdal/lib/hx509/name.c b/source4/heimdal/lib/hx509/name.c
index 83b8f86d41..efd7b70342 100644
--- a/source4/heimdal/lib/hx509/name.c
+++ b/source4/heimdal/lib/hx509/name.c
@@ -66,17 +66,17 @@ static const struct {
const heim_oid *o;
wind_profile_flags flags;
} no[] = {
- { "C", &asn1_oid_id_at_countryName },
- { "CN", &asn1_oid_id_at_commonName },
- { "DC", &asn1_oid_id_domainComponent },
- { "L", &asn1_oid_id_at_localityName },
- { "O", &asn1_oid_id_at_organizationName },
- { "OU", &asn1_oid_id_at_organizationalUnitName },
- { "S", &asn1_oid_id_at_stateOrProvinceName },
- { "STREET", &asn1_oid_id_at_streetAddress },
- { "UID", &asn1_oid_id_Userid },
- { "emailAddress", &asn1_oid_id_pkcs9_emailAddress },
- { "serialNumber", &asn1_oid_id_at_serialNumber }
+ { "C", &asn1_oid_id_at_countryName, 0 },
+ { "CN", &asn1_oid_id_at_commonName, 0 },
+ { "DC", &asn1_oid_id_domainComponent, 0 },
+ { "L", &asn1_oid_id_at_localityName, 0 },
+ { "O", &asn1_oid_id_at_organizationName, 0 },
+ { "OU", &asn1_oid_id_at_organizationalUnitName, 0 },
+ { "S", &asn1_oid_id_at_stateOrProvinceName, 0 },
+ { "STREET", &asn1_oid_id_at_streetAddress, 0 },
+ { "UID", &asn1_oid_id_Userid, 0 },
+ { "emailAddress", &asn1_oid_id_pkcs9_emailAddress, 0 },
+ { "serialNumber", &asn1_oid_id_at_serialNumber, 0 }
};
static char *
@@ -159,7 +159,8 @@ oidtostring(const heim_oid *type)
static int
stringtooid(const char *name, size_t len, heim_oid *oid)
{
- int i, ret;
+ int ret;
+ size_t i;
char *s;
memset(oid, 0, sizeof(*oid));
@@ -200,20 +201,22 @@ int
_hx509_Name_to_string(const Name *n, char **str)
{
size_t total_len = 0;
- int i, j, ret;
+ size_t i, j, m;
+ int ret;
*str = strdup("");
if (*str == NULL)
return ENOMEM;
- for (i = n->u.rdnSequence.len - 1 ; i >= 0 ; i--) {
+ for (m = n->u.rdnSequence.len; m > 0; m--) {
size_t len;
+ i = m - 1;
for (j = 0; j < n->u.rdnSequence.val[i].len; j++) {
DirectoryString *ds = &n->u.rdnSequence.val[i].val[j].value;
char *oidname;
char *ss;
-
+
oidname = oidtostring(&n->u.rdnSequence.val[i].val[j].type);
switch(ds->element) {
@@ -237,7 +240,7 @@ _hx509_Name_to_string(const Name *n, char **str)
ret = wind_ucs2utf8_length(bmp, bmplen, &k);
if (ret)
return ret;
-
+
ss = malloc(k + 1);
if (ss == NULL)
_hx509_abort("allocation failure"); /* XXX */
@@ -438,7 +441,8 @@ _hx509_name_ds_cmp(const DirectoryString *ds1,
int
_hx509_name_cmp(const Name *n1, const Name *n2, int *c)
{
- int ret, i, j;
+ int ret;
+ size_t i, j;
*c = n1->u.rdnSequence.len - n2->u.rdnSequence.len;
if (*c)
@@ -454,7 +458,7 @@ _hx509_name_cmp(const Name *n1, const Name *n2, int *c)
&n1->u.rdnSequence.val[i].val[j].type);
if (*c)
return 0;
-
+
ret = _hx509_name_ds_cmp(&n1->u.rdnSequence.val[i].val[j].value,
&n2->u.rdnSequence.val[i].val[j].value,
c);
@@ -533,7 +537,7 @@ _hx509_name_modify(hx509_context context,
&name->u.rdnSequence.val[0],
name->u.rdnSequence.len *
sizeof(name->u.rdnSequence.val[0]));
-
+
rdn = &name->u.rdnSequence.val[0];
}
rdn->val = malloc(sizeof(rdn->val[0]));
@@ -609,8 +613,8 @@ hx509_parse_name(hx509_context context, const char *str, hx509_name *name)
"missing name before = in %s", p);
goto out;
}
-
- if ((q - p) > len) {
+
+ if ((size_t)(q - p) > len) {
ret = HX509_PARSING_NAME_FAILED;
hx509_set_error_string(context, 0, ret, " = after , in %s", p);
goto out;
@@ -623,12 +627,12 @@ hx509_parse_name(hx509_context context, const char *str, hx509_name *name)
"unknown type: %.*s", (int)(q - p), p);
goto out;
}
-
+
{
size_t pstr_len = len - (q - p) - 1;
const char *pstr = p + (q - p) + 1;
char *r;
-
+
r = malloc(pstr_len + 1);
if (r == NULL) {
der_free_oid(&oid);
@@ -727,7 +731,7 @@ hx509_name_expand(hx509_context context,
hx509_env env)
{
Name *n = &name->der_name;
- int i, j;
+ size_t i, j;
if (env == NULL)
return 0;
diff --git a/source4/heimdal/lib/hx509/print.c b/source4/heimdal/lib/hx509/print.c
index 56e4f72115..1e8bcabfa7 100644
--- a/source4/heimdal/lib/hx509/print.c
+++ b/source4/heimdal/lib/hx509/print.c
@@ -163,7 +163,7 @@ void
hx509_bitstring_print(const heim_bit_string *b,
hx509_vprint_func func, void *ctx)
{
- int i;
+ size_t i;
print_func(func, ctx, "\tlength: %d\n\t", b->length);
for (i = 0; i < (b->length + 7) / 8; i++)
print_func(func, ctx, "%02x%s%s",
@@ -481,7 +481,8 @@ check_CRLDistributionPoints(hx509_validate_ctx ctx,
{
CRLDistributionPoints dp;
size_t size;
- int ret, i;
+ int ret;
+ size_t i;
check_Null(ctx, status, cf, e);
@@ -499,8 +500,8 @@ check_CRLDistributionPoints(hx509_validate_ctx ctx,
if (dp.val[i].distributionPoint) {
DistributionPointName dpname;
heim_any *data = dp.val[i].distributionPoint;
- int j;
-
+ size_t j;
+
ret = decode_DistributionPointName(data->data, data->length,
&dpname, NULL);
if (ret) {
@@ -512,7 +513,7 @@ check_CRLDistributionPoints(hx509_validate_ctx ctx,
switch (dpname.element) {
case choice_DistributionPointName_fullName:
validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "Fullname:\n");
-
+
for (j = 0 ; j < dpname.u.fullName.len; j++) {
char *s;
GeneralName *name = &dpname.u.fullName.val[j];
@@ -565,7 +566,8 @@ check_altName(hx509_validate_ctx ctx,
{
GeneralNames gn;
size_t size;
- int ret, i;
+ int ret;
+ size_t i;
check_Null(ctx, status, cf, e);
@@ -600,7 +602,7 @@ check_altName(hx509_validate_ctx ctx,
if (der_heim_oid_cmp(altname_types[j].oid,
&gn.val[i].u.otherName.type_id) != 0)
continue;
-
+
validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s: ",
altname_types[j].name);
(*altname_types[j].func)(ctx, &gn.val[i].u.otherName.value);
@@ -717,7 +719,8 @@ check_authorityInfoAccess(hx509_validate_ctx ctx,
{
AuthorityInfoAccessSyntax aia;
size_t size;
- int ret, i;
+ int ret;
+ size_t i;
check_Null(ctx, status, cf, e);
@@ -773,7 +776,7 @@ struct {
{ ext(certificateIssuer, Null), M_C },
{ ext(nameConstraints, Null), M_C },
{ ext(cRLDistributionPoints, CRLDistributionPoints), S_N_C },
- { ext(certificatePolicies, Null) },
+ { ext(certificatePolicies, Null), 0 },
{ ext(policyMappings, Null), M_N_C },
{ ext(authorityKeyIdentifier, authorityKeyIdentifier), M_N_C },
{ ext(policyConstraints, Null), D_C },
@@ -789,7 +792,7 @@ struct {
check_Null, D_C },
{ "Netscape cert comment", &asn1_oid_id_netscape_cert_comment,
check_Null, D_C },
- { NULL }
+ { NULL, NULL, NULL, 0 }
};
/**
@@ -900,7 +903,7 @@ hx509_validate_cert(hx509_context context,
if ((t->version == NULL || *t->version < 2) && t->extensions)
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
"Not version 3 certificate with extensions\n");
-
+
if (_hx509_cert_get_version(c) >= 3 && t->extensions == NULL)
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
"Version 3 certificate without extensions\n");
@@ -936,7 +939,7 @@ hx509_validate_cert(hx509_context context,
free(str);
if (t->extensions) {
- int i, j;
+ size_t i, j;
if (t->extensions->len == 0) {
validate_print(ctx,
@@ -975,7 +978,7 @@ hx509_validate_cert(hx509_context context,
}
} else
validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "no extentions\n");
-
+
if (status.isca) {
if (!status.haveSKI)
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
@@ -987,7 +990,7 @@ hx509_validate_cert(hx509_context context,
"Is not CA and doesn't have "
"AuthorityKeyIdentifier\n");
}
-
+
if (!status.haveSKI)
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
diff --git a/source4/heimdal/lib/hx509/revoke.c b/source4/heimdal/lib/hx509/revoke.c
index 6d2cac4afb..2932280748 100644
--- a/source4/heimdal/lib/hx509/revoke.c
+++ b/source4/heimdal/lib/hx509/revoke.c
@@ -176,9 +176,9 @@ verify_ocsp(hx509_context context,
hx509_cert signer = NULL;
hx509_query q;
int ret;
-
+
_hx509_query_clear(&q);
-
+
/*
* Need to match on issuer too in case there are two CA that have
* issued the same name to a certificate. One example of this is
@@ -198,7 +198,7 @@ verify_ocsp(hx509_context context,
q.keyhash_sha1 = &ocsp->ocsp.tbsResponseData.responderID.u.byKey;
break;
}
-
+
ret = hx509_certs_find(context, certs, &q, &signer);
if (ret && ocsp->certs)
ret = hx509_certs_find(context, ocsp->certs, &q, &signer);
@@ -349,7 +349,7 @@ load_ocsp(hx509_context context, struct revoke_ocsp *ocsp)
}
if (basic.certs) {
- int i;
+ size_t i;
ret = hx509_certs_init(context, "MEMORY:ocsp-certs", 0,
NULL, &certs);
@@ -360,11 +360,11 @@ load_ocsp(hx509_context context, struct revoke_ocsp *ocsp)
for (i = 0; i < basic.certs->len; i++) {
hx509_cert c;
-
+
ret = hx509_cert_init(context, &basic.certs->val[i], &c);
if (ret)
continue;
-
+
ret = hx509_certs_add(context, certs, c);
hx509_cert_free(c);
if (ret)
@@ -463,7 +463,7 @@ verify_crl(hx509_context context,
hx509_query q;
time_t t;
int ret;
-
+
t = _hx509_Time2time_t(&crl->tbsCertList.thisUpdate);
if (t > time_now) {
hx509_set_error_string(context, 0, HX509_CRL_USED_BEFORE_TIME,
@@ -485,7 +485,7 @@ verify_crl(hx509_context context,
}
_hx509_query_clear(&q);
-
+
/*
* If it's the signer have CRLSIGN bit set, use that as the signer
* cert for the certificate, otherwise, search for a certificate.
@@ -496,7 +496,7 @@ verify_crl(hx509_context context,
q.match = HX509_QUERY_MATCH_SUBJECT_NAME;
q.match |= HX509_QUERY_KU_CRLSIGN;
q.subject_name = &crl->tbsCertList.issuer;
-
+
ret = hx509_certs_find(context, certs, &q, &signer);
if (ret) {
hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
@@ -526,11 +526,11 @@ verify_crl(hx509_context context,
hx509_cert crl_parent;
_hx509_query_clear(&q);
-
+
q.match = HX509_QUERY_MATCH_SUBJECT_NAME;
q.match |= HX509_QUERY_KU_CRLSIGN;
q.subject_name = &_hx509_get_cert(signer)->tbsCertificate.issuer;
-
+
ret = hx509_certs_find(context, certs, &q, &crl_parent);
if (ret) {
hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
@@ -718,7 +718,7 @@ hx509_revoke_verify(hx509_context context,
&c->tbsCertificate.serialNumber);
if (ret != 0)
continue;
-
+
/* verify issuer hashes hash */
ret = _hx509_verify_signature(context,
NULL,
@@ -760,8 +760,7 @@ hx509_revoke_verify(hx509_context context,
if (ocsp->ocsp.tbsResponseData.responses.val[j].nextUpdate) {
if (*ocsp->ocsp.tbsResponseData.responses.val[j].nextUpdate < now)
continue;
- } else
- /* Should force a refetch, but can we ? */;
+ } /* else should force a refetch, but can we ? */
return 0;
}
@@ -829,12 +828,12 @@ hx509_revoke_verify(hx509_context context,
t = _hx509_Time2time_t(&crl->crl.tbsCertList.revokedCertificates->val[j].revocationDate);
if (t > now)
continue;
-
+
if (crl->crl.tbsCertList.revokedCertificates->val[j].crlEntryExtensions)
for (k = 0; k < crl->crl.tbsCertList.revokedCertificates->val[j].crlEntryExtensions->len; k++)
if (crl->crl.tbsCertList.revokedCertificates->val[j].crlEntryExtensions->val[k].critical)
return HX509_CRL_UNKNOWN_EXTENSION;
-
+
hx509_set_error_string(context, 0,
HX509_CERT_REVOKED,
"Certificate revoked by issuer in CRL");
@@ -1003,7 +1002,7 @@ hx509_ocsp_request(hx509_context context,
}
es = req.tbsRequest.requestExtensions;
-
+
es->val = calloc(es->len, sizeof(es->val[0]));
if (es->val == NULL) {
ret = ENOMEM;
@@ -1022,7 +1021,7 @@ hx509_ocsp_request(hx509_context context,
goto out;
}
es->val[0].extnValue.length = 10;
-
+
ret = RAND_bytes(es->val[0].extnValue.data,
es->val[0].extnValue.length);
if (ret != 1) {
@@ -1055,8 +1054,13 @@ static char *
printable_time(time_t t)
{
static char s[128];
- strlcpy(s, ctime(&t)+ 4, sizeof(s));
- s[20] = 0;
+ char *p;
+ if ((p = ctime(&t)) == NULL)
+ strlcpy(s, "?", sizeof(s));
+ else {
+ strlcpy(s, p + 4, sizeof(s));
+ s[20] = 0;
+ }
return s;
}
@@ -1076,7 +1080,8 @@ int
hx509_revoke_ocsp_print(hx509_context context, const char *path, FILE *out)
{
struct revoke_ocsp ocsp;
- int ret, i;
+ int ret;
+ size_t i;
if (out == NULL)
out = stdout;
@@ -1141,7 +1146,7 @@ hx509_revoke_ocsp_print(hx509_context context, const char *path, FILE *out)
status = "element unknown";
}
- fprintf(out, "\t%d. status: %s\n", i, status);
+ fprintf(out, "\t%zu. status: %s\n", i, status);
fprintf(out, "\tthisUpdate: %s\n",
printable_time(ocsp.ocsp.tbsResponseData.responses.val[i].thisUpdate));
@@ -1188,7 +1193,8 @@ hx509_ocsp_verify(hx509_context context,
{
const Certificate *c = _hx509_get_cert(cert);
OCSPBasicOCSPResponse basic;
- int ret, i;
+ int ret;
+ size_t i;
if (now == 0)
now = time(NULL);
@@ -1208,7 +1214,7 @@ hx509_ocsp_verify(hx509_context context,
&c->tbsCertificate.serialNumber);
if (ret != 0)
continue;
-
+
/* verify issuer hashes hash */
ret = _hx509_verify_signature(context,
NULL,
@@ -1248,7 +1254,7 @@ hx509_ocsp_verify(hx509_context context,
{
hx509_name name;
char *subject;
-
+
ret = hx509_cert_get_subject(cert, &name);
if (ret) {
hx509_clear_error_string(context);
diff --git a/source4/heimdal/lib/hx509/sel.c b/source4/heimdal/lib/hx509/sel.c
index 561818c9f1..6930b50f7c 100644
--- a/source4/heimdal/lib/hx509/sel.c
+++ b/source4/heimdal/lib/hx509/sel.c
@@ -101,7 +101,7 @@ eval_comp(hx509_context context, hx509_env env, struct hx_expr *expr)
if (expr->op == comp_TAILEQ) {
size_t len1 = strlen(s1);
size_t len2 = strlen(s2);
-
+
if (len1 < len2)
return 0;
ret = strcmp(s1 + (len1 - len2), s2) == 0;
@@ -133,7 +133,7 @@ eval_comp(hx509_context context, hx509_env env, struct hx_expr *expr)
subenv = find_variable(context, env, subexpr);
if (subenv == NULL)
return FALSE;
-
+
while (subenv) {
if (subenv->type != env_string)
continue;
@@ -223,7 +223,7 @@ _hx509_expr_parse(const char *buf)
}
void
-_hx509_sel_yyerror (char *s)
+_hx509_sel_yyerror (const char *s)
{
if (_hx509_expr_input.error)
free(_hx509_expr_input.error);
diff --git a/source4/heimdal/lib/hx509/sel.h b/source4/heimdal/lib/hx509/sel.h
index 1dfc41818c..177ec0a65b 100644
--- a/source4/heimdal/lib/hx509/sel.h
+++ b/source4/heimdal/lib/hx509/sel.h
@@ -78,5 +78,5 @@ extern struct hx_expr_input _hx509_expr_input;
int _hx509_sel_yyparse(void);
int _hx509_sel_yylex(void);
-void _hx509_sel_yyerror(char *);
+void _hx509_sel_yyerror(const char *);
diff --git a/source4/heimdal/lib/hx509/test_name.c b/source4/heimdal/lib/hx509/test_name.c
index 2cdcdf85f6..d932221ddf 100644
--- a/source4/heimdal/lib/hx509/test_name.c
+++ b/source4/heimdal/lib/hx509/test_name.c
@@ -336,7 +336,7 @@ test_compare(hx509_context context)
if (ret) return 1;
ret = compare_subject(c2, c3, &l3);
if (ret) return 1;
-
+
if (l0 != 0) return 1;
if (l2 < l1) return 1;
if (l3 < l2) return 1;