diff options
Diffstat (limited to 'source4/heimdal/lib/hx509')
| -rw-r--r-- | source4/heimdal/lib/hx509/ca.c | 10 | ||||
| -rw-r--r-- | source4/heimdal/lib/hx509/cert.c | 115 | ||||
| -rw-r--r-- | source4/heimdal/lib/hx509/char_map.h | 64 | ||||
| -rw-r--r-- | source4/heimdal/lib/hx509/cms.c | 48 | ||||
| -rw-r--r-- | source4/heimdal/lib/hx509/collector.c | 11 | ||||
| -rw-r--r-- | source4/heimdal/lib/hx509/crypto.c | 97 | ||||
| -rw-r--r-- | source4/heimdal/lib/hx509/file.c | 8 | ||||
| -rw-r--r-- | source4/heimdal/lib/hx509/keyset.c | 15 | ||||
| -rw-r--r-- | source4/heimdal/lib/hx509/ks_dir.c | 4 | ||||
| -rw-r--r-- | source4/heimdal/lib/hx509/ks_file.c | 26 | ||||
| -rw-r--r-- | source4/heimdal/lib/hx509/ks_keychain.c | 14 | ||||
| -rw-r--r-- | source4/heimdal/lib/hx509/ks_mem.c | 2 | ||||
| -rw-r--r-- | source4/heimdal/lib/hx509/ks_p11.c | 32 | ||||
| -rw-r--r-- | source4/heimdal/lib/hx509/ks_p12.c | 20 | ||||
| -rw-r--r-- | source4/heimdal/lib/hx509/lock.c | 2 | ||||
| -rw-r--r-- | source4/heimdal/lib/hx509/name.c | 52 | ||||
| -rw-r--r-- | source4/heimdal/lib/hx509/print.c | 31 | ||||
| -rw-r--r-- | source4/heimdal/lib/hx509/revoke.c | 56 | ||||
| -rw-r--r-- | source4/heimdal/lib/hx509/sel.c | 6 | ||||
| -rw-r--r-- | source4/heimdal/lib/hx509/sel.h | 2 | ||||
| -rw-r--r-- | source4/heimdal/lib/hx509/test_name.c | 2 |
21 files changed, 346 insertions, 271 deletions
diff --git a/source4/heimdal/lib/hx509/ca.c b/source4/heimdal/lib/hx509/ca.c index 492064d86d..cb5a7be62c 100644 --- a/source4/heimdal/lib/hx509/ca.c +++ b/source4/heimdal/lib/hx509/ca.c @@ -266,7 +266,7 @@ hx509_ca_tbs_set_template(hx509_context context, } if (flags & HX509_CA_TEMPLATE_EKU) { ExtKeyUsage eku; - int i; + size_t i; ret = _hx509_cert_get_eku(context, cert, &eku); if (ret) return ret; @@ -610,7 +610,7 @@ hx509_ca_tbs_add_san_pkinit(hx509_context context, const char *str; char *q; int n; - + /* count number of component */ n = 1; for(str = principal; *str != '\0' && *str != '@'; str++){ @@ -633,7 +633,7 @@ hx509_ca_tbs_add_san_pkinit(hx509_context context, goto out; } p.principalName.name_string.len = n; - + p.principalName.name_type = KRB5_NT_PRINCIPAL; q = s = strdup(principal); if (q == NULL) { @@ -689,7 +689,7 @@ add_utf8_san(hx509_context context, const heim_oid *oid, const char *string) { - const PKIXXmppAddr ustring = (const PKIXXmppAddr)string; + const PKIXXmppAddr ustring = (const PKIXXmppAddr)(intptr_t)string; heim_octet_string os; size_t size; int ret; @@ -866,7 +866,7 @@ hx509_ca_tbs_set_unique(hx509_context context, der_free_bit_string(&tbs->subjectUniqueID); der_free_bit_string(&tbs->issuerUniqueID); - + if (subjectUniqueID) { ret = der_copy_bit_string(subjectUniqueID, &tbs->subjectUniqueID); if (ret) diff --git a/source4/heimdal/lib/hx509/cert.c b/source4/heimdal/lib/hx509/cert.c index 7f95ea5560..70e5756037 100644 --- a/source4/heimdal/lib/hx509/cert.c +++ b/source4/heimdal/lib/hx509/cert.c @@ -327,7 +327,7 @@ _hx509_cert_assign_key(hx509_cert cert, hx509_private_key private_key) void hx509_cert_free(hx509_cert cert) { - int i; + size_t i; if (cert == NULL) return; @@ -355,7 +355,7 @@ hx509_cert_free(hx509_cert cert) free(cert->friendlyname); if (cert->basename) hx509_name_free(&cert->basename); - memset(cert, 0, sizeof(cert)); + memset(cert, 0, sizeof(*cert)); free(cert); } @@ -574,7 +574,7 @@ hx509_verify_ctx_f_allow_default_trustanchors(hx509_verify_ctx ctx, int boolean) } void -hx509_verify_ctx_f_allow_best_before_signature_algs(hx509_context ctx, +hx509_verify_ctx_f_allow_best_before_signature_algs(hx509_context ctx, int boolean) { if (boolean) @@ -584,7 +584,7 @@ hx509_verify_ctx_f_allow_best_before_signature_algs(hx509_context ctx, } static const Extension * -find_extension(const Certificate *cert, const heim_oid *oid, int *idx) +find_extension(const Certificate *cert, const heim_oid *oid, size_t *idx) { const TBSCertificate *c = &cert->tbsCertificate; @@ -604,7 +604,7 @@ find_extension_auth_key_id(const Certificate *subject, { const Extension *e; size_t size; - int i = 0; + size_t i = 0; memset(ai, 0, sizeof(*ai)); @@ -623,7 +623,7 @@ _hx509_find_extension_subject_key_id(const Certificate *issuer, { const Extension *e; size_t size; - int i = 0; + size_t i = 0; memset(si, 0, sizeof(*si)); @@ -642,7 +642,7 @@ find_extension_name_constraints(const Certificate *subject, { const Extension *e; size_t size; - int i = 0; + size_t i = 0; memset(nc, 0, sizeof(*nc)); @@ -656,7 +656,7 @@ find_extension_name_constraints(const Certificate *subject, } static int -find_extension_subject_alt_name(const Certificate *cert, int *i, +find_extension_subject_alt_name(const Certificate *cert, size_t *i, GeneralNames *sa) { const Extension *e; @@ -678,7 +678,7 @@ find_extension_eku(const Certificate *cert, ExtKeyUsage *eku) { const Extension *e; size_t size; - int i = 0; + size_t i = 0; memset(eku, 0, sizeof(*eku)); @@ -720,7 +720,7 @@ add_to_list(hx509_octet_string_list *list, const heim_octet_string *entry) void hx509_free_octet_string_list(hx509_octet_string_list *list) { - int i; + size_t i; for (i = 0; i < list->len; i++) der_free_octet_string(&list->val[i]); free(list->val); @@ -752,7 +752,8 @@ hx509_cert_find_subjectAltName_otherName(hx509_context context, hx509_octet_string_list *list) { GeneralNames sa; - int ret, i, j; + int ret; + size_t i, j; list->val = NULL; list->len = 0; @@ -796,7 +797,8 @@ check_key_usage(hx509_context context, const Certificate *cert, const Extension *e; KeyUsage ku; size_t size; - int ret, i = 0; + int ret; + size_t i = 0; unsigned ku_flags; if (_hx509_cert_get_version(cert) < 3) @@ -849,12 +851,13 @@ enum certtype { PROXY_CERT, EE_CERT, CA_CERT }; static int check_basic_constraints(hx509_context context, const Certificate *cert, - enum certtype type, int depth) + enum certtype type, size_t depth) { BasicConstraints bc; const Extension *e; size_t size; - int ret, i = 0; + int ret; + size_t i = 0; if (_hx509_cert_get_version(cert) < 3) return 0; @@ -966,7 +969,7 @@ _hx509_cert_is_parent_cmp(const Certificate *subject, return -1; if (ai.authorityCertIssuer->val[0].element != choice_GeneralName_directoryName) return -1; - + name.element = ai.authorityCertIssuer->val[0].u.directoryName.element; name.u.rdnSequence = @@ -1123,7 +1126,7 @@ find_parent(hx509_context context, hx509_clear_error_string(context); return HX509_ISSUER_NOT_FOUND; } - + hx509_set_error_string(context, 0, HX509_ISSUER_NOT_FOUND, "Failed to find issuer for " "certificate with subject: '%s'", str); @@ -1144,7 +1147,8 @@ is_proxy_cert(hx509_context context, ProxyCertInfo info; const Extension *e; size_t size; - int ret, i = 0; + int ret; + size_t i = 0; if (rinfo) memset(rinfo, 0, sizeof(*rinfo)); @@ -1511,7 +1515,7 @@ hx509_cert_get_SPKI_AlgorithmIdentifier(hx509_context context, } static int -get_x_unique_id(hx509_context context, const char *name, +get_x_unique_id(hx509_context context, const char *name, const heim_bit_string *cert, heim_bit_string *subject) { int ret; @@ -1695,7 +1699,7 @@ static int match_RDN(const RelativeDistinguishedName *c, const RelativeDistinguishedName *n) { - int i; + size_t i; if (c->len != n->len) return HX509_NAME_CONSTRAINT_ERROR; @@ -1717,7 +1721,8 @@ match_RDN(const RelativeDistinguishedName *c, static int match_X501Name(const Name *c, const Name *n) { - int i, ret; + size_t i; + int ret; if (c->element != choice_Name_rdnSequence || n->element != choice_Name_rdnSequence) @@ -1824,7 +1829,8 @@ match_alt_name(const GeneralName *n, const Certificate *c, int *same, int *match) { GeneralNames sa; - int ret, i, j; + int ret; + size_t i, j; i = 0; do { @@ -1869,7 +1875,7 @@ match_tree(const GeneralSubtrees *t, const Certificate *c, int *match) && !subject_null_p(c)) { GeneralName certname; - + memset(&certname, 0, sizeof(certname)); certname.element = choice_GeneralName_directoryName; certname.u.directoryName.element = @@ -1898,7 +1904,7 @@ check_name_constraints(hx509_context context, const Certificate *c) { int match, ret; - int i; + size_t i; for (i = 0 ; i < nc->len; i++) { GeneralSubtrees gs; @@ -1941,7 +1947,7 @@ check_name_constraints(hx509_context context, static void free_name_constraints(hx509_name_constraints *nc) { - int i; + size_t i; for (i = 0 ; i < nc->len; i++) free_NameConstraints(&nc->val[i]); @@ -1971,7 +1977,8 @@ hx509_verify_path(hx509_context context, { hx509_name_constraints nc; hx509_path path; - int ret, i, proxy_cert_depth, selfsigned_depth, diff; + int ret, proxy_cert_depth, selfsigned_depth, diff; + size_t i, k; enum certtype type; Name proxy_issuer; hx509_certs anchors = NULL; @@ -1979,7 +1986,7 @@ hx509_verify_path(hx509_context context, memset(&proxy_issuer, 0, sizeof(proxy_issuer)); ret = init_name_constraints(&nc); - if (ret) + if (ret) return ret; path.val = NULL; @@ -2031,7 +2038,7 @@ hx509_verify_path(hx509_context context, time_t t; c = _hx509_get_cert(path.val[i]); - + /* * Lets do some basic check on issuer like * keyUsage.keyCertSign and basicConstraints.cA bit depending @@ -2063,10 +2070,10 @@ hx509_verify_path(hx509_context context, break; case PROXY_CERT: { - ProxyCertInfo info; + ProxyCertInfo info; if (is_proxy_cert(context, c, &info) == 0) { - int j; + size_t j; if (info.pCPathLenConstraint != NULL && *info.pCPathLenConstraint < i) @@ -2080,7 +2087,7 @@ hx509_verify_path(hx509_context context, } /* XXX MUST check info.proxyPolicy */ free_ProxyCertInfo(&info); - + j = 0; if (find_extension(c, &asn1_oid_id_x509_ce_subjectAltName, &j)) { ret = HX509_PROXY_CERT_INVALID; @@ -2098,7 +2105,7 @@ hx509_verify_path(hx509_context context, "forbidden issuerAltName"); goto out; } - + /* * The subject name of the proxy certificate should be * CN=XXX,<proxy issuer>, prune of CN and check if its @@ -2189,7 +2196,7 @@ hx509_verify_path(hx509_context context, } if (cert->basename) hx509_name_free(&cert->basename); - + ret = _hx509_name_from_Name(&proxy_issuer, &cert->basename); if (ret) { hx509_clear_error_string(context); @@ -2204,7 +2211,7 @@ hx509_verify_path(hx509_context context, i - proxy_cert_depth - selfsigned_depth); if (ret) goto out; - + /* * Don't check the trust anchors expiration time since they * are transported out of band, from RFC3820. @@ -2236,9 +2243,10 @@ hx509_verify_path(hx509_context context, * checked in the right order. */ - for (ret = 0, i = path.len - 1; i >= 0; i--) { + for (ret = 0, k = path.len; k > 0; k--) { Certificate *c; int selfsigned; + i = k - 1; c = _hx509_get_cert(path.val[i]); @@ -2287,7 +2295,7 @@ hx509_verify_path(hx509_context context, } for (i = 0; i < path.len - 1; i++) { - int parent = (i < path.len - 1) ? i + 1 : i; + size_t parent = (i < path.len - 1) ? i + 1 : i; ret = hx509_revoke_verify(context, ctx->revoke_ctx, @@ -2308,9 +2316,10 @@ hx509_verify_path(hx509_context context, * parameter is passed up from the anchor up though the chain. */ - for (i = path.len - 1; i >= 0; i--) { + for (k = path.len; k > 0; k--) { hx509_cert signer; Certificate *c; + i = k - 1; c = _hx509_get_cert(path.val[i]); @@ -2343,7 +2352,7 @@ hx509_verify_path(hx509_context context, "Failed to verify signature of certificate"); goto out; } - /* + /* * Verify that the sigature algorithm "best-before" date is * before the creation date of the certificate, do this for * trust anchors too, since any trust anchor that is created @@ -2353,7 +2362,7 @@ hx509_verify_path(hx509_context context, */ if (i != 0 && (ctx->flags & HX509_VERIFY_CTX_F_NO_BEST_BEFORE_CHECK) == 0) { - time_t notBefore = + time_t notBefore = _hx509_Time2time_t(&c->tbsCertificate.validity.notBefore); ret = _hx509_signature_best_before(context, &c->signatureAlgorithm, @@ -2450,7 +2459,8 @@ hx509_verify_hostname(hx509_context context, { GeneralNames san; const Name *name; - int ret, i, j; + int ret; + size_t i, j, k; if (sa && sa_size <= 0) return EINVAL; @@ -2471,7 +2481,7 @@ hx509_verify_hostname(hx509_context context, heim_printable_string hn; hn.data = rk_UNCONST(hostname); hn.length = strlen(hostname); - + if (der_printable_string_cmp(&san.val[j].u.dNSName, &hn) == 0) { free_GeneralNames(&san); return 0; @@ -2488,7 +2498,8 @@ hx509_verify_hostname(hx509_context context, name = &cert->data->tbsCertificate.subject; /* Find first CN= in the name, and try to match the hostname on that */ - for (ret = 0, i = name->u.rdnSequence.len - 1; ret == 0 && i >= 0; i--) { + for (ret = 0, k = name->u.rdnSequence.len; ret == 0 && k > 0; k--) { + i = k - 1; for (j = 0; ret == 0 && j < name->u.rdnSequence.val[i].len; j++) { AttributeTypeAndValue *n = &name->u.rdnSequence.val[i].val[j]; @@ -2579,7 +2590,7 @@ _hx509_set_cert_attribute(hx509_context context, hx509_cert_attribute hx509_cert_get_attribute(hx509_cert cert, const heim_oid *oid) { - int i; + size_t i; for (i = 0; i < cert->attrs.len; i++) if (der_heim_oid_cmp(oid, &cert->attrs.val[i]->oid) == 0) return cert->attrs.val[i]; @@ -2625,7 +2636,8 @@ hx509_cert_get_friendly_name(hx509_cert cert) hx509_cert_attribute a; PKCS9_friendlyName n; size_t sz; - int ret, i; + int ret; + size_t i; if (cert->friendlyname) return cert->friendlyname; @@ -2647,7 +2659,7 @@ hx509_cert_get_friendly_name(hx509_cert cert) ret = decode_PKCS9_friendlyName(a->data.data, a->data.length, &n, &sz); if (ret) return NULL; - + if (n.len != 1) { free_PKCS9_friendlyName(&n); return NULL; @@ -3166,7 +3178,8 @@ hx509_query_unparse_stats(hx509_context context, int printtype, FILE *out) { rtbl_t t; FILE *f; - int type, mask, i, num; + int type, mask, num; + size_t i; unsigned long multiqueries = 0, totalqueries = 0; struct stat_el stats[32]; @@ -3254,7 +3267,8 @@ hx509_cert_check_eku(hx509_context context, hx509_cert cert, const heim_oid *eku, int allow_any_eku) { ExtKeyUsage e; - int ret, i; + int ret; + size_t i; ret = find_extension_eku(_hx509_get_cert(cert), &e); if (ret) { @@ -3289,7 +3303,8 @@ _hx509_cert_get_keyusage(hx509_context context, Certificate *cert; const Extension *e; size_t size; - int ret, i = 0; + int ret; + size_t i = 0; memset(ku, 0, sizeof(*ku)); @@ -3455,7 +3470,7 @@ _hx509_cert_to_env(hx509_context context, hx509_cert cert, hx509_env *env) else if (ret != 0) goto out; else { - int i; + size_t i; hx509_env enveku = NULL; for (i = 0; i < eku.len; i++) { @@ -3509,10 +3524,10 @@ _hx509_cert_to_env(hx509_context context, hx509_cert cert, hx509_env *env) "Out of memory"); goto out; } - + ret = hx509_env_add(context, &envhash, "sha1", buf); free(buf); - if (ret) + if (ret) goto out; ret = hx509_env_add_binding(context, &envcert, "hash", envhash); diff --git a/source4/heimdal/lib/hx509/char_map.h b/source4/heimdal/lib/hx509/char_map.h index d2b39d041f..8a3026c7e6 100644 --- a/source4/heimdal/lib/hx509/char_map.h +++ b/source4/heimdal/lib/hx509/char_map.h @@ -10,36 +10,36 @@ unsigned char char_map[] = { - 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , - 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , - 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , - 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , - 0x06 , 0x00 , 0x00 , 0x10 , 0x00 , 0x00 , 0x00 , 0x00 , - 0x00 , 0x00 , 0x00 , 0x12 , 0x12 , 0x02 , 0x02 , 0x02 , - 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , - 0x02 , 0x02 , 0x02 , 0x10 , 0x10 , 0x12 , 0x10 , 0x02 , - 0x00 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , - 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , - 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , - 0x02 , 0x02 , 0x02 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , - 0x00 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , - 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , - 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , - 0x02 , 0x02 , 0x02 , 0x00 , 0x00 , 0x00 , 0x00 , 0x21 , - 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , - 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , - 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , - 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , - 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , - 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , - 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , - 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , - 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , - 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , - 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , - 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , - 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , - 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , - 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , - 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 + 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , + 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , + 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , + 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , + 0x06 , 0x00 , 0x00 , 0x10 , 0x00 , 0x00 , 0x00 , 0x00 , + 0x00 , 0x00 , 0x00 , 0x12 , 0x12 , 0x02 , 0x02 , 0x02 , + 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , + 0x02 , 0x02 , 0x02 , 0x10 , 0x10 , 0x12 , 0x10 , 0x02 , + 0x00 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , + 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , + 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , + 0x02 , 0x02 , 0x02 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , + 0x00 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , + 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , + 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , + 0x02 , 0x02 , 0x02 , 0x00 , 0x00 , 0x00 , 0x00 , 0x21 , + 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , + 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , + 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , + 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , + 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , + 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , + 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , + 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , + 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , + 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , + 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , + 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , + 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , + 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , + 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , + 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 }; diff --git a/source4/heimdal/lib/hx509/cms.c b/source4/heimdal/lib/hx509/cms.c index 6e4eefaa1c..4e0a2e03fc 100644 --- a/source4/heimdal/lib/hx509/cms.c +++ b/source4/heimdal/lib/hx509/cms.c @@ -362,7 +362,8 @@ hx509_cms_unenvelope(hx509_context context, heim_octet_string *params, params_data; heim_octet_string ivec; size_t size; - int ret, i, matched = 0, findflags = 0; + int ret, matched = 0, findflags = 0; + size_t i; memset(&key, 0, sizeof(key)); @@ -472,7 +473,7 @@ hx509_cms_unenvelope(hx509_context context, ret = hx509_crypto_init(context, NULL, &ai->algorithm, &crypto); if (ret) goto out; - + if (flags & HX509_CMS_UE_ALLOW_WEAK) hx509_crypto_allow_weak(crypto); @@ -492,7 +493,7 @@ hx509_cms_unenvelope(hx509_context context, "of EnvelopedData"); goto out; } - + ret = hx509_crypto_decrypt(crypto, enccontent->data, enccontent->length, @@ -619,7 +620,7 @@ hx509_cms_envelope_1(hx509_context context, "Failed to set crypto oid " "for EnvelopedData"); goto out; - } + } ALLOC(enc_alg->parameters, 1); if (enc_alg->parameters == NULL) { ret = ENOMEM; @@ -656,7 +657,7 @@ hx509_cms_envelope_1(hx509_context context, ri->version = 2; cmsidflag = CMS_ID_SKI; } - + ret = fill_CMSIdentifier(cert, cmsidflag, &ri->rid); if (ret) { hx509_set_error_string(context, 0, ret, @@ -718,7 +719,8 @@ out: static int any_to_certs(hx509_context context, const SignedData *sd, hx509_certs certs) { - int ret, i; + int ret; + size_t i; if (sd->certificates == NULL) return 0; @@ -744,7 +746,7 @@ any_to_certs(hx509_context context, const SignedData *sd, hx509_certs certs) static const Attribute * find_attribute(const CMSAttributes *attr, const heim_oid *oid) { - int i; + size_t i; for (i = 0; i < attr->len; i++) if (der_heim_oid_cmp(&attr->val[i].type, oid) == 0) return &attr->val[i]; @@ -790,7 +792,8 @@ hx509_cms_verify_signed(hx509_context context, hx509_certs certs = NULL; SignedData sd; size_t size; - int ret, i, found_valid_sig; + int ret, found_valid_sig; + size_t i; *signer_certs = NULL; content->data = NULL; @@ -889,7 +892,7 @@ hx509_cms_verify_signed(hx509_context context, if (signer_info->signedAttrs) { const Attribute *attr; - + CMSAttributes sa; heim_octet_string os; @@ -913,7 +916,7 @@ hx509_cms_verify_signed(hx509_context context, "messageDigest (signature)"); goto next_sigature; } - + ret = decode_MessageDigest(attr->value.val[0].data, attr->value.val[0].length, &os, @@ -1018,7 +1021,7 @@ hx509_cms_verify_signed(hx509_context context, if (ret) goto next_sigature; - /** + /** * If HX509_CMS_VS_NO_VALIDATE flags is set, do not verify the * signing certificates and leave that up to the caller. */ @@ -1113,7 +1116,7 @@ add_one_attribute(Attribute **attr, return 0; } - + /** * Decode SignedData and verify that the signature is correct. * @@ -1212,7 +1215,7 @@ sig_process(hx509_context context, void *ctx, hx509_cert cert) hx509_clear_error_string(context); } else { ret = hx509_crypto_select(context, HX509_SELECT_DIGEST, - _hx509_cert_private_key(cert), + _hx509_cert_private_key(cert), sigctx->peer, &digest); } if (ret) @@ -1240,7 +1243,7 @@ sig_process(hx509_context context, void *ctx, hx509_cert cert) if (ret) { hx509_clear_error_string(context); goto out; - } + } signer_info->signedAttrs = NULL; signer_info->unsignedAttrs = NULL; @@ -1256,7 +1259,7 @@ sig_process(hx509_context context, void *ctx, hx509_cert cert) */ if (der_heim_oid_cmp(sigctx->eContentType, &asn1_oid_id_pkcs7_data) != 0) { - CMSAttributes sa; + CMSAttributes sa; heim_octet_string sig; ALLOC(signer_info->signedAttrs, 1); @@ -1322,7 +1325,7 @@ sig_process(hx509_context context, void *ctx, hx509_cert cert) sa.val = signer_info->signedAttrs->val; sa.len = signer_info->signedAttrs->len; - + ASN1_MALLOC_ENCODE(CMSAttributes, sigdata.data, sigdata.length, @@ -1409,7 +1412,7 @@ cert_process(hx509_context context, void *ctx, hx509_cert cert) const unsigned int i = sigctx->sd.certificates->len; void *ptr; int ret; - + ptr = realloc(sigctx->sd.certificates->val, (i + 1) * sizeof(sigctx->sd.certificates->val[0])); if (ptr == NULL) @@ -1503,7 +1506,7 @@ hx509_cms_create_signed(hx509_context context, ret = ENOMEM; goto out; } - + sigctx.sd.encapContentInfo.eContent->data = malloc(length); if (sigctx.sd.encapContentInfo.eContent->data == NULL) { hx509_clear_error_string(context); @@ -1525,6 +1528,10 @@ hx509_cms_create_signed(hx509_context context, } if (sigctx.sd.signerInfos.len) { + + /* + * For each signerInfo, collect all different digest types. + */ for (i = 0; i < sigctx.sd.signerInfos.len; i++) { AlgorithmIdentifier *di = &sigctx.sd.signerInfos.val[i].digestAlgorithm; @@ -1532,7 +1539,7 @@ hx509_cms_create_signed(hx509_context context, for (j = 0; j < sigctx.sd.digestAlgorithms.len; j++) if (cmp_AlgorithmIdentifier(di, &sigctx.sd.digestAlgorithms.val[j]) == 0) break; - if (j < sigctx.sd.digestAlgorithms.len) { + if (j == sigctx.sd.digestAlgorithms.len) { ret = add_DigestAlgorithmIdentifiers(&sigctx.sd.digestAlgorithms, di); if (ret) { hx509_clear_error_string(context); @@ -1542,6 +1549,9 @@ hx509_cms_create_signed(hx509_context context, } } + /* + * Add certs we think are needed, build as part of sig_process + */ if (sigctx.certs) { ALLOC(sigctx.sd.certificates, 1); if (sigctx.sd.certificates == NULL) { diff --git a/source4/heimdal/lib/hx509/collector.c b/source4/heimdal/lib/hx509/collector.c index 0cb186399f..15f8163f80 100644 --- a/source4/heimdal/lib/hx509/collector.c +++ b/source4/heimdal/lib/hx509/collector.c @@ -133,7 +133,7 @@ _hx509_collector_private_key_add(hx509_context context, return ENOMEM; } c->val.data = d; - + ret = copy_AlgorithmIdentifier(alg, &key->alg); if (ret) { hx509_set_error_string(context, 0, ret, "Failed to copy " @@ -192,7 +192,7 @@ match_localkeyid(hx509_context context, ret = hx509_certs_find(context, certs, &q, &cert); if (ret == 0) { - + if (value->private_key) _hx509_cert_assign_key(cert, value->private_key); hx509_cert_free(cert); @@ -253,7 +253,8 @@ _hx509_collector_collect_certs(hx509_context context, hx509_certs *ret_certs) { hx509_certs certs; - int ret, i; + int ret; + size_t i; *ret_certs = NULL; @@ -286,7 +287,7 @@ _hx509_collector_collect_private_keys(hx509_context context, struct hx509_collector *c, hx509_private_key **keys) { - int i, nkeys; + size_t i, nkeys; *keys = NULL; @@ -315,7 +316,7 @@ _hx509_collector_collect_private_keys(hx509_context context, void _hx509_collector_free(struct hx509_collector *c) { - int i; + size_t i; if (c->unenvelop_certs) hx509_certs_free(&c->unenvelop_certs); diff --git a/source4/heimdal/lib/hx509/crypto.c b/source4/heimdal/lib/hx509/crypto.c index c69ddfb5d2..4559a9c493 100644 --- a/source4/heimdal/lib/hx509/crypto.c +++ b/source4/heimdal/lib/hx509/crypto.c @@ -286,7 +286,7 @@ heim_oid2ecnid(heim_oid *oid) } static int -parse_ECParameters(hx509_context context, +parse_ECParameters(hx509_context context, heim_octet_string *parameters, int *nid) { ECParameters ecparam; @@ -404,7 +404,7 @@ ecdsa_verify_signature(hx509_context context, ret = HX509_CRYPTO_SIG_INVALID_FORMAT; return ret; } - + return 0; } @@ -552,7 +552,7 @@ rsa_verify_signature(hx509_context context, p = spi->subjectPublicKey.data; size = spi->subjectPublicKey.length / 8; - + rsa = d2i_RSAPublicKey(NULL, &p, size); if (rsa == NULL) { ret = ENOMEM; @@ -587,14 +587,14 @@ rsa_verify_signature(hx509_context context, if (ret) { goto out; } - + /* Check for extra data inside the sigature */ - if (size != retsize) { + if (size != (size_t)retsize) { ret = HX509_CRYPTO_SIG_INVALID_FORMAT; hx509_set_error_string(context, 0, ret, "size from decryption mismatch"); goto out; } - + if (sig_alg->digest_alg && der_heim_oid_cmp(&di.digestAlgorithm.algorithm, &sig_alg->digest_alg->algorithm) != 0) @@ -603,7 +603,7 @@ rsa_verify_signature(hx509_context context, hx509_set_error_string(context, 0, ret, "object identifier in RSA sig mismatch"); goto out; } - + /* verify that the parameters are NULL or the NULL-type */ if (di.digestAlgorithm.parameters != NULL && (di.digestAlgorithm.parameters->length != 2 || @@ -620,7 +620,7 @@ rsa_verify_signature(hx509_context context, data, &di.digest); } else { - if (retsize != data->length || + if ((size_t)retsize != data->length || ct_memcmp(to, data->data, retsize) != 0) { ret = HX509_CRYPTO_SIG_INVALID_FORMAT; @@ -739,7 +739,7 @@ rsa_create_signature(hx509_context context, "RSA private encrypt failed: %d", ret); return ret; } - if (ret > sig->length) + if ((size_t)ret > sig->length) _hx509_abort("RSA signature prelen longer the output len"); sig->length = ret; @@ -960,11 +960,11 @@ ecdsa_private_key_import(hx509_context context, ret = parse_ECParameters(context, keyai->parameters, &groupnid); if (ret) return ret; - + key = EC_KEY_new(); if (key == NULL) return ENOMEM; - + group = EC_GROUP_new_by_curve_name(groupnid); if (group == NULL) { EC_KEY_free(key); @@ -1008,8 +1008,8 @@ ecdsa_generate_private_key(hx509_context context, } static BIGNUM * -ecdsa_get_internal(hx509_context context, - hx509_private_key key, +ecdsa_get_internal(hx509_context context, + hx509_private_key key, const char *type) { return NULL; @@ -1162,7 +1162,7 @@ evp_md_create_signature(hx509_context context, if (ret) return ret; } - + sig->data = malloc(sigsize); if (sig->data == NULL) { @@ -1256,7 +1256,8 @@ static const struct signature_alg heim_rsa_pkcs1_x509 = { 0, NULL, rsa_verify_signature, - rsa_create_signature + rsa_create_signature, + 0 }; static const struct signature_alg pkcs1_rsa_sha1_alg = { @@ -1269,7 +1270,8 @@ static const struct signature_alg pkcs1_rsa_sha1_alg = { 0, NULL, rsa_verify_signature, - rsa_create_signature + rsa_create_signature, + 0 }; static const struct signature_alg rsa_with_sha512_alg = { @@ -1282,7 +1284,8 @@ static const struct signature_alg rsa_with_sha512_alg = { 0, NULL, rsa_verify_signature, - rsa_create_signature + rsa_create_signature, + 0 }; static const struct signature_alg rsa_with_sha384_alg = { @@ -1295,7 +1298,8 @@ static const struct signature_alg rsa_with_sha384_alg = { 0, NULL, rsa_verify_signature, - rsa_create_signature + rsa_create_signature, + 0 }; static const struct signature_alg rsa_with_sha256_alg = { @@ -1308,7 +1312,8 @@ static const struct signature_alg rsa_with_sha256_alg = { 0, NULL, rsa_verify_signature, - rsa_create_signature + rsa_create_signature, + 0 }; static const struct signature_alg rsa_with_sha1_alg = { @@ -1321,7 +1326,8 @@ static const struct signature_alg rsa_with_sha1_alg = { 0, NULL, rsa_verify_signature, - rsa_create_signature + rsa_create_signature, + 0 }; static const struct signature_alg rsa_with_sha1_alg_secsig = { @@ -1334,7 +1340,8 @@ static const struct signature_alg rsa_with_sha1_alg_secsig = { 0, NULL, rsa_verify_signature, - rsa_create_signature + rsa_create_signature, + 0 }; static const struct signature_alg rsa_with_md5_alg = { @@ -1347,7 +1354,8 @@ static const struct signature_alg rsa_with_md5_alg = { 1230739889, NULL, rsa_verify_signature, - rsa_create_signature + rsa_create_signature, + 0 }; static const struct signature_alg dsa_sha1_alg = { @@ -1361,6 +1369,7 @@ static const struct signature_alg dsa_sha1_alg = { NULL, dsa_verify_signature, /* create_signature */ NULL, + 0 }; static const struct signature_alg sha512_alg = { @@ -1373,7 +1382,8 @@ static const struct signature_alg sha512_alg = { 0, EVP_sha512, evp_md_verify_signature, - evp_md_create_signature + evp_md_create_signature, + 0 }; static const struct signature_alg sha384_alg = { @@ -1386,7 +1396,8 @@ static const struct signature_alg sha384_alg = { 0, EVP_sha384, evp_md_verify_signature, - evp_md_create_signature + evp_md_create_signature, + 0 }; static const struct signature_alg sha256_alg = { @@ -1399,7 +1410,8 @@ static const struct signature_alg sha256_alg = { 0, EVP_sha256, evp_md_verify_signature, - evp_md_create_signature + evp_md_create_signature, + 0 }; static const struct signature_alg sha1_alg = { @@ -1412,7 +1424,8 @@ static const struct signature_alg sha1_alg = { 0, EVP_sha1, evp_md_verify_signature, - evp_md_create_signature + evp_md_create_signature, + 0 }; static const struct signature_alg md5_alg = { @@ -1425,7 +1438,8 @@ static const struct signature_alg md5_alg = { 0, EVP_md5, evp_md_verify_signature, - NULL + NULL, + 0 }; /* @@ -1481,7 +1495,7 @@ alg_for_privatekey(const hx509_private_key pk, int type) continue; if (der_heim_oid_cmp(sig_algs[i]->key_oid, keytype) != 0) continue; - if (pk->ops->available && + if (pk->ops->available && pk->ops->available(pk, sig_algs[i]->sig_alg) == 0) continue; if (type == HX509_SELECT_PUBLIC_SIG) @@ -1673,7 +1687,7 @@ _hx509_public_encrypt(hx509_context context, p = spi->subjectPublicKey.data; size = spi->subjectPublicKey.length / 8; - + rsa = d2i_RSAPublicKey(NULL, &p, size); if (rsa == NULL) { hx509_set_error_string(context, 0, ENOMEM, "out of memory"); @@ -1748,7 +1762,7 @@ hx509_private_key_private_decrypt(hx509_context context, "Failed to decrypt using private key: %d", ret); return HX509_CRYPTO_RSA_PRIVATE_DECRYPT; } - if (cleartext->length < ret) + if (cleartext->length < (size_t)ret) _hx509_abort("internal rsa decryption failure: ret > tosize"); cleartext->length = ret; @@ -2339,7 +2353,7 @@ static const struct hx509cipher ciphers[] = { static const struct hx509cipher * find_cipher_by_oid(const heim_oid *oid) { - int i; + size_t i; for (i = 0; i < sizeof(ciphers)/sizeof(ciphers[0]); i++) if (der_heim_oid_cmp(oid, ciphers[i].oid) == 0) @@ -2351,7 +2365,7 @@ find_cipher_by_oid(const heim_oid *oid) static const struct hx509cipher * find_cipher_by_name(const char *name) { - int i; + size_t i; for (i = 0; i < sizeof(ciphers)/sizeof(ciphers[0]); i++) if (strcasecmp(name, ciphers[i].name) == 0) @@ -2461,7 +2475,7 @@ hx509_crypto_set_padding(hx509_crypto crypto, int padding_type) int hx509_crypto_set_key_data(hx509_crypto crypto, const void *data, size_t length) { - if (EVP_CIPHER_key_length(crypto->c) > length) + if (EVP_CIPHER_key_length(crypto->c) > (int)length) return HX509_CRYPTO_INTERNAL_ERROR; if (crypto->key.data) { @@ -2558,7 +2572,7 @@ hx509_crypto_encrypt(hx509_crypto crypto, (crypto->flags & ALLOW_WEAK) == 0) return HX509_CRYPTO_ALGORITHM_BEST_BEFORE; - assert(EVP_CIPHER_iv_length(crypto->c) == ivec->length); + assert(EVP_CIPHER_iv_length(crypto->c) == (int)ivec->length); EVP_CIPHER_CTX_init(&evp); @@ -2595,10 +2609,10 @@ hx509_crypto_encrypt(hx509_crypto crypto, ret = ENOMEM; goto out; } - + memcpy((*ciphertext)->data, data, length); if (padsize) { - int i; + size_t i; unsigned char *p = (*ciphertext)->data; p += length; for (i = 0; i < padsize; i++) @@ -2647,7 +2661,7 @@ hx509_crypto_decrypt(hx509_crypto crypto, (crypto->flags & ALLOW_WEAK) == 0) return HX509_CRYPTO_ALGORITHM_BEST_BEFORE; - if (ivec && EVP_CIPHER_iv_length(crypto->c) < ivec->length) + if (ivec && EVP_CIPHER_iv_length(crypto->c) < (int)ivec->length) return HX509_CRYPTO_INTERNAL_ERROR; if (crypto->key.data == NULL) @@ -2683,7 +2697,7 @@ hx509_crypto_decrypt(hx509_crypto crypto, unsigned char *p; int j, bsize = EVP_CIPHER_block_size(crypto->c); - if (clear->length < bsize) { + if ((int)clear->length < bsize) { ret = HX509_CMS_PADDING_ERROR; goto out; } @@ -2854,7 +2868,8 @@ _hx509_pbe_decrypt(hx509_context context, const EVP_CIPHER *c; const EVP_MD *md; PBE_string2key_func s2k; - int i, ret = 0; + int ret = 0; + size_t i; memset(&key, 0, sizeof(key)); memset(&iv, 0, sizeof(iv)); @@ -2912,7 +2927,7 @@ _hx509_pbe_decrypt(hx509_context context, hx509_crypto_destroy(crypto); if (ret == 0) goto out; - + } out: if (key.data) @@ -3161,7 +3176,7 @@ hx509_crypto_available(hx509_context context, if (ptr == NULL) goto out; *val = ptr; - + ret = copy_AlgorithmIdentifier((ciphers[i].ai_func)(), &(*val)[len]); if (ret) goto out; diff --git a/source4/heimdal/lib/hx509/file.c b/source4/heimdal/lib/hx509/file.c index 56e25766ef..4f7e87f070 100644 --- a/source4/heimdal/lib/hx509/file.c +++ b/source4/heimdal/lib/hx509/file.c @@ -93,11 +93,11 @@ hx509_pem_write(hx509_context context, const char *type, while (size > 0) { ssize_t l; - + length = size; if (length > ENCODE_LINE_LENGTH) length = ENCODE_LINE_LENGTH; - + l = base64_encode(p, length, &line); if (l < 0) { hx509_set_error_string(context, 0, ENOMEM, @@ -211,7 +211,7 @@ hx509_pem_read(hx509_context context, if (i > 0) i--; } - + switch (where) { case BEFORE: if (strncmp("-----BEGIN ", buf, 11) == 0) { @@ -260,7 +260,7 @@ hx509_pem_read(hx509_context context, free(p); goto out; } - + data = erealloc(data, len + i); memcpy(((char *)data) + len, p, i); free(p); diff --git a/source4/heimdal/lib/hx509/keyset.c b/source4/heimdal/lib/hx509/keyset.c index 77cfd42cd2..c0275d949d 100644 --- a/source4/heimdal/lib/hx509/keyset.c +++ b/source4/heimdal/lib/hx509/keyset.c @@ -390,6 +390,21 @@ certs_iter(hx509_context context, void *ctx, hx509_cert cert) return func(cert); } +/** + * Iterate over all certificates in a keystore and call an block + * for each fo them. + * + * @param context a hx509 context. + * @param certs certificate store to iterate over. + * @param func block to call for each certificate. The function + * should return non-zero to abort the iteration, that value is passed + * back to the caller of hx509_certs_iter(). + * + * @return Returns an hx509 error code. + * + * @ingroup hx509_keyset + */ + int hx509_certs_iter(hx509_context context, hx509_certs certs, diff --git a/source4/heimdal/lib/hx509/ks_dir.c b/source4/heimdal/lib/hx509/ks_dir.c index 8c8c6e50c8..264b1bf552 100644 --- a/source4/heimdal/lib/hx509/ks_dir.c +++ b/source4/heimdal/lib/hx509/ks_dir.c @@ -158,10 +158,10 @@ dir_iter(hx509_context context, } if (strcmp(dir->d_name, ".") == 0 || strcmp(dir->d_name, "..") == 0) continue; - + if (asprintf(&fn, "FILE:%s/%s", (char *)data, dir->d_name) == -1) return ENOMEM; - + ret = hx509_certs_init(context, fn, 0, NULL, &d->certs); if (ret == 0) { diff --git a/source4/heimdal/lib/hx509/ks_file.c b/source4/heimdal/lib/hx509/ks_file.c index ecd3a6edaa..d21d889287 100644 --- a/source4/heimdal/lib/hx509/ks_file.c +++ b/source4/heimdal/lib/hx509/ks_file.c @@ -112,7 +112,7 @@ try_decrypt(hx509_context context, EVP_CipherInit_ex(&ctx, c, NULL, key, ivdata, 0); EVP_Cipher(&ctx, clear.data, cipher, len); EVP_CIPHER_CTX_cleanup(&ctx); - } + } ret = _hx509_collector_private_key_add(context, collector, @@ -138,7 +138,7 @@ parse_pkcs8_private_key(hx509_context context, const char *fn, { PKCS8PrivateKeyInfo ki; heim_octet_string keydata; - + int ret; ret = decode_PKCS8PrivateKeyInfo(data, length, &ki, NULL); @@ -177,7 +177,8 @@ parse_pem_private_key(hx509_context context, const char *fn, const EVP_CIPHER *cipher; const struct _hx509_password *pw; hx509_lock lock; - int i, decrypted = 0; + int decrypted = 0; + size_t i; lock = _hx509_collector_get_lock(c); if (lock == NULL) { @@ -252,7 +253,7 @@ parse_pem_private_key(hx509_context context, const char *fn, "private key file"); return HX509_PARSING_KEY_FAILED; } - + pw = _hx509_lock_get_passwords(lock); if (pw != NULL) { const void *password; @@ -261,8 +262,8 @@ parse_pem_private_key(hx509_context context, const char *fn, for (i = 0; i < pw->len; i++) { password = pw->val[i]; passwordlen = strlen(password); - - ret = try_decrypt(context, c, ai, cipher, ivdata, + + ret = try_decrypt(context, c, ai, cipher, ivdata, password, passwordlen, data, len); if (ret == 0) { decrypted = 1; @@ -283,7 +284,7 @@ parse_pem_private_key(hx509_context context, const char *fn, ret = hx509_lock_prompt(lock, &prompt); if (ret == 0) - ret = try_decrypt(context, c, ai, cipher, ivdata, password, + ret = try_decrypt(context, c, ai, cipher, ivdata, password, strlen(password), data, len); /* XXX add password to lock password collection ? */ memset(password, 0, sizeof(password)); @@ -329,7 +330,8 @@ pem_func(hx509_context context, const char *type, const void *data, size_t len, void *ctx) { struct pem_ctx *pem_ctx = (struct pem_ctx*)ctx; - int ret = 0, j; + int ret = 0; + size_t j; for (j = 0; j < sizeof(formats)/sizeof(formats[0]); j++) { const char *q = formats[j].name; @@ -338,7 +340,7 @@ pem_func(hx509_context context, const char *type, if (formats[j].ai != NULL) ai = (*formats[j].ai)(); - ret = (*formats[j].func)(context, NULL, pem_ctx->c, + ret = (*formats[j].func)(context, NULL, pem_ctx->c, header, data, len, ai); if (ret && (pem_ctx->flags & HX509_CERTS_UNPROTECT_ALL)) { hx509_set_error_string(context, HX509_ERROR_APPEND, ret, @@ -418,7 +420,7 @@ file_init_common(hx509_context context, pnext = strchr(p, ','); if (pnext) *pnext++ = '\0'; - + if ((f = fopen(p, "r")) == NULL) { ret = ENOENT; @@ -430,13 +432,13 @@ file_init_common(hx509_context context, rk_cloexec_file(f); ret = hx509_pem_read(context, f, pem_func, &pem_ctx); - fclose(f); + fclose(f); if (ret != 0 && ret != HX509_PARSING_KEY_FAILED) goto out; else if (ret == HX509_PARSING_KEY_FAILED) { size_t length; void *ptr; - int i; + size_t i; ret = rk_undumpdata(p, &ptr, &length); if (ret) { diff --git a/source4/heimdal/lib/hx509/ks_keychain.c b/source4/heimdal/lib/hx509/ks_keychain.c index e64d83c84d..0552d8f7e9 100644 --- a/source4/heimdal/lib/hx509/ks_keychain.c +++ b/source4/heimdal/lib/hx509/ks_keychain.c @@ -50,7 +50,7 @@ OSStatus SecKeyGetCredentials(SecKeyRef, CSSM_ACL_AUTHORIZATION_TAG, static int getAttribute(SecKeychainItemRef itemRef, SecItemAttr item, SecKeychainAttributeList **attrs) -{ +{ SecKeychainAttributeInfo attrInfo; UInt32 attrFormat = 0; OSStatus ret; @@ -138,10 +138,10 @@ kc_rsa_private_encrypt(int flen, in.Data = (uint8 *)from; in.Length = flen; - + sig.Data = (uint8 *)to; sig.Length = kc->keysize; - + cret = CSSM_SignData(sigHandle, &in, 1, CSSM_ALGID_NONE, &sig); if(cret) { /* cssmErrorString(cret); */ @@ -197,10 +197,10 @@ kc_rsa_private_decrypt(int flen, const unsigned char *from, unsigned char *to, in.Data = (uint8 *)from; in.Length = flen; - + out.Data = (uint8 *)to; out.Length = kc->keysize; - + rem.Data = (uint8 *)remdata; rem.Length = sizeof(remdata); @@ -485,7 +485,7 @@ keychain_iter(hx509_context context, return 0; else if (ret != 0) return EINVAL; - + /* * Pick out certificate and matching "keyid" */ @@ -517,7 +517,7 @@ keychain_iter(hx509_context context, attrKeyid.tag = kSecKeyLabel; attrKeyid.length = attrs->attr[0].length; attrKeyid.data = attrs->attr[0].data; - + attrList.count = 1; attrList.attr = &attrKeyid; diff --git a/source4/heimdal/lib/hx509/ks_mem.c b/source4/heimdal/lib/hx509/ks_mem.c index 9d3c66b294..684acb0adf 100644 --- a/source4/heimdal/lib/hx509/ks_mem.c +++ b/source4/heimdal/lib/hx509/ks_mem.c @@ -171,7 +171,7 @@ mem_getkeys(hx509_context context, hx509_set_error_string(context, 0, ENOMEM, "out of memory"); return ENOMEM; } - } + } (*keys)[i] = NULL; return 0; } diff --git a/source4/heimdal/lib/hx509/ks_p11.c b/source4/heimdal/lib/hx509/ks_p11.c index 30f5343b0e..120bf43ef4 100644 --- a/source4/heimdal/lib/hx509/ks_p11.c +++ b/source4/heimdal/lib/hx509/ks_p11.c @@ -152,7 +152,7 @@ p11_rsa_private_encrypt(int flen, } ret = P11FUNC(p11rsa->p, Sign, - (session, (CK_BYTE *)from, flen, to, &ck_sigsize)); + (session, (CK_BYTE *)(intptr_t)from, flen, to, &ck_sigsize)); p11_put_session(p11rsa->p, p11rsa->slot, session); if (ret != CKR_OK) return -1; @@ -190,7 +190,7 @@ p11_rsa_private_decrypt(int flen, const unsigned char *from, unsigned char *to, } ret = P11FUNC(p11rsa->p, Decrypt, - (session, (CK_BYTE *)from, flen, to, &ck_sigsize)); + (session, (CK_BYTE *)(intptr_t)from, flen, to, &ck_sigsize)); p11_put_session(p11rsa->p, p11rsa->slot, session); if (ret != CKR_OK) return -1; @@ -427,7 +427,7 @@ p11_get_session(hx509_context context, prompt.type = HX509_PROMPT_TYPE_PASSWORD; prompt.reply.data = pin; prompt.reply.length = sizeof(pin); - + ret = hx509_lock_prompt(lock, &prompt); if (ret) { free(str); @@ -513,7 +513,7 @@ iterate_entries(hx509_context context, } if (object_count == 0) break; - + for (i = 0; i < num_query; i++) query[i].pValue = NULL; @@ -535,7 +535,7 @@ iterate_entries(hx509_context context, ret = -1; goto out; } - + ret = (*func)(context, p, slot, session, object, ptr, query, num_query); if (ret) goto out; @@ -561,7 +561,7 @@ iterate_entries(hx509_context context, return ret; } - + static BIGNUM * getattr_bn(struct p11_module *p, struct p11_slot *slot, @@ -704,10 +704,10 @@ collect_cert(hx509_context context, { heim_octet_string data; - + data.data = query[0].pValue; data.length = query[0].ulValueLen; - + _hx509_set_cert_attribute(context, cert, &asn1_oid_id_pkcs_9_at_localKeyId, @@ -878,7 +878,8 @@ p11_init(hx509_context context, { CK_SLOT_ID_PTR slot_ids; - int i, num_tokens = 0; + int num_tokens = 0; + size_t i; slot_ids = malloc(p->num_slots * sizeof(*slot_ids)); if (slot_ids == NULL) { @@ -905,7 +906,7 @@ p11_init(hx509_context context, ret = ENOMEM; goto out; } - + for (i = 0; i < p->num_slots; i++) { ret = p11_init_slot(context, p, lock, slot_ids[i], i, &p->slot[i]); if (ret) @@ -933,7 +934,7 @@ p11_init(hx509_context context, static void p11_release_module(struct p11_module *p) { - int i; + size_t i; if (p->ref == 0) _hx509_abort("pkcs11 ref to low"); @@ -957,7 +958,7 @@ p11_release_module(struct p11_module *p) free(p->slot[i].mechs.list); if (p->slot[i].mechs.infos) { - int j; + size_t j; for (j = 0 ; j < p->slot[i].mechs.num ; j++) free(p->slot[i].mechs.infos[j]); @@ -981,7 +982,7 @@ static int p11_free(hx509_certs certs, void *data) { struct p11_module *p = data; - int i; + size_t i; for (i = 0; i < p->num_slots; i++) { if (p->slot[i].certs) @@ -1002,7 +1003,8 @@ p11_iter_start(hx509_context context, { struct p11_module *p = data; struct p11_cursor *c; - int ret, i; + int ret; + size_t i; c = malloc(sizeof(*c)); if (c == NULL) { @@ -1103,7 +1105,7 @@ p11_printinfo(hx509_context context, void *ctx) { struct p11_module *p = data; - int i, j; + size_t i, j; _hx509_pi_printf(func, ctx, "pkcs11 driver with %d slot%s", p->num_slots, p->num_slots > 1 ? "s" : ""); diff --git a/source4/heimdal/lib/hx509/ks_p12.c b/source4/heimdal/lib/hx509/ks_p12.c index 704cf071d7..0ca13de1eb 100644 --- a/source4/heimdal/lib/hx509/ks_p12.c +++ b/source4/heimdal/lib/hx509/ks_p12.c @@ -56,7 +56,7 @@ parse_pkcs12_type(hx509_context, struct hx509_collector *, const heim_oid *, static const PKCS12_Attribute * find_attribute(const PKCS12_Attributes *attrs, const heim_oid *oid) { - int i; + size_t i; if (attrs == NULL) return NULL; for (i = 0; i < attrs->len; i++) @@ -168,7 +168,7 @@ certBag_parser(hx509_context context, const heim_oid *oids[] = { &asn1_oid_id_pkcs_9_at_localKeyId, &asn1_oid_id_pkcs_9_at_friendlyName }; - int i; + size_t i; for (i = 0; i < sizeof(oids)/sizeof(oids[0]); i++) { const heim_oid *oid = oids[i]; @@ -176,7 +176,7 @@ certBag_parser(hx509_context context, if (attr) _hx509_set_cert_attribute(context, cert, oid, &attr->attrValues); - } + } } hx509_cert_free(cert); @@ -190,7 +190,8 @@ parse_safe_content(hx509_context context, const unsigned char *p, size_t len) { PKCS12_SafeContents sc; - int ret, i; + int ret; + size_t i; memset(&sc, 0, sizeof(sc)); @@ -236,7 +237,7 @@ encryptedData_parser(hx509_context context, heim_octet_string content; heim_oid contentType; int ret; - + memset(&contentType, 0, sizeof(contentType)); ret = hx509_cms_decrypt_encrypted(context, @@ -265,7 +266,7 @@ envelopedData_parser(hx509_context context, heim_oid contentType; hx509_lock lock; int ret; - + memset(&contentType, 0, sizeof(contentType)); lock = _hx509_collector_get_lock(c); @@ -310,7 +311,7 @@ parse_pkcs12_type(hx509_context context, const void *data, size_t length, const PKCS12_Attributes *attrs) { - int i; + size_t i; for (i = 0; i < sizeof(bagtypes)/sizeof(bagtypes[0]); i++) if (der_heim_oid_cmp(bagtypes[i].oid, oid) == 0) @@ -327,7 +328,8 @@ p12_init(hx509_context context, void *buf; PKCS12_PFX pfx; PKCS12_AuthenticatedSafe as; - int ret, i; + int ret; + size_t i; struct hx509_collector *c; *data = NULL; @@ -581,7 +583,7 @@ p12_store(hx509_context context, free_PKCS12_AuthenticatedSafe(&as); if (ret) return ret; - + ret = der_parse_hex_heim_integer("03", &pfx.version); if (ret) { free(asdata.data); diff --git a/source4/heimdal/lib/hx509/lock.c b/source4/heimdal/lib/hx509/lock.c index 07e9d36125..b72d45962b 100644 --- a/source4/heimdal/lib/hx509/lock.c +++ b/source4/heimdal/lib/hx509/lock.c @@ -121,7 +121,7 @@ _hx509_lock_unlock_certs(hx509_lock lock) void hx509_lock_reset_passwords(hx509_lock lock) { - int i; + size_t i; for (i = 0; i < lock->password.len; i++) free(lock->password.val[i]); free(lock->password.val); diff --git a/source4/heimdal/lib/hx509/name.c b/source4/heimdal/lib/hx509/name.c index 83b8f86d41..efd7b70342 100644 --- a/source4/heimdal/lib/hx509/name.c +++ b/source4/heimdal/lib/hx509/name.c @@ -66,17 +66,17 @@ static const struct { const heim_oid *o; wind_profile_flags flags; } no[] = { - { "C", &asn1_oid_id_at_countryName }, - { "CN", &asn1_oid_id_at_commonName }, - { "DC", &asn1_oid_id_domainComponent }, - { "L", &asn1_oid_id_at_localityName }, - { "O", &asn1_oid_id_at_organizationName }, - { "OU", &asn1_oid_id_at_organizationalUnitName }, - { "S", &asn1_oid_id_at_stateOrProvinceName }, - { "STREET", &asn1_oid_id_at_streetAddress }, - { "UID", &asn1_oid_id_Userid }, - { "emailAddress", &asn1_oid_id_pkcs9_emailAddress }, - { "serialNumber", &asn1_oid_id_at_serialNumber } + { "C", &asn1_oid_id_at_countryName, 0 }, + { "CN", &asn1_oid_id_at_commonName, 0 }, + { "DC", &asn1_oid_id_domainComponent, 0 }, + { "L", &asn1_oid_id_at_localityName, 0 }, + { "O", &asn1_oid_id_at_organizationName, 0 }, + { "OU", &asn1_oid_id_at_organizationalUnitName, 0 }, + { "S", &asn1_oid_id_at_stateOrProvinceName, 0 }, + { "STREET", &asn1_oid_id_at_streetAddress, 0 }, + { "UID", &asn1_oid_id_Userid, 0 }, + { "emailAddress", &asn1_oid_id_pkcs9_emailAddress, 0 }, + { "serialNumber", &asn1_oid_id_at_serialNumber, 0 } }; static char * @@ -159,7 +159,8 @@ oidtostring(const heim_oid *type) static int stringtooid(const char *name, size_t len, heim_oid *oid) { - int i, ret; + int ret; + size_t i; char *s; memset(oid, 0, sizeof(*oid)); @@ -200,20 +201,22 @@ int _hx509_Name_to_string(const Name *n, char **str) { size_t total_len = 0; - int i, j, ret; + size_t i, j, m; + int ret; *str = strdup(""); if (*str == NULL) return ENOMEM; - for (i = n->u.rdnSequence.len - 1 ; i >= 0 ; i--) { + for (m = n->u.rdnSequence.len; m > 0; m--) { size_t len; + i = m - 1; for (j = 0; j < n->u.rdnSequence.val[i].len; j++) { DirectoryString *ds = &n->u.rdnSequence.val[i].val[j].value; char *oidname; char *ss; - + oidname = oidtostring(&n->u.rdnSequence.val[i].val[j].type); switch(ds->element) { @@ -237,7 +240,7 @@ _hx509_Name_to_string(const Name *n, char **str) ret = wind_ucs2utf8_length(bmp, bmplen, &k); if (ret) return ret; - + ss = malloc(k + 1); if (ss == NULL) _hx509_abort("allocation failure"); /* XXX */ @@ -438,7 +441,8 @@ _hx509_name_ds_cmp(const DirectoryString *ds1, int _hx509_name_cmp(const Name *n1, const Name *n2, int *c) { - int ret, i, j; + int ret; + size_t i, j; *c = n1->u.rdnSequence.len - n2->u.rdnSequence.len; if (*c) @@ -454,7 +458,7 @@ _hx509_name_cmp(const Name *n1, const Name *n2, int *c) &n1->u.rdnSequence.val[i].val[j].type); if (*c) return 0; - + ret = _hx509_name_ds_cmp(&n1->u.rdnSequence.val[i].val[j].value, &n2->u.rdnSequence.val[i].val[j].value, c); @@ -533,7 +537,7 @@ _hx509_name_modify(hx509_context context, &name->u.rdnSequence.val[0], name->u.rdnSequence.len * sizeof(name->u.rdnSequence.val[0])); - + rdn = &name->u.rdnSequence.val[0]; } rdn->val = malloc(sizeof(rdn->val[0])); @@ -609,8 +613,8 @@ hx509_parse_name(hx509_context context, const char *str, hx509_name *name) "missing name before = in %s", p); goto out; } - - if ((q - p) > len) { + + if ((size_t)(q - p) > len) { ret = HX509_PARSING_NAME_FAILED; hx509_set_error_string(context, 0, ret, " = after , in %s", p); goto out; @@ -623,12 +627,12 @@ hx509_parse_name(hx509_context context, const char *str, hx509_name *name) "unknown type: %.*s", (int)(q - p), p); goto out; } - + { size_t pstr_len = len - (q - p) - 1; const char *pstr = p + (q - p) + 1; char *r; - + r = malloc(pstr_len + 1); if (r == NULL) { der_free_oid(&oid); @@ -727,7 +731,7 @@ hx509_name_expand(hx509_context context, hx509_env env) { Name *n = &name->der_name; - int i, j; + size_t i, j; if (env == NULL) return 0; diff --git a/source4/heimdal/lib/hx509/print.c b/source4/heimdal/lib/hx509/print.c index 56e4f72115..1e8bcabfa7 100644 --- a/source4/heimdal/lib/hx509/print.c +++ b/source4/heimdal/lib/hx509/print.c @@ -163,7 +163,7 @@ void hx509_bitstring_print(const heim_bit_string *b, hx509_vprint_func func, void *ctx) { - int i; + size_t i; print_func(func, ctx, "\tlength: %d\n\t", b->length); for (i = 0; i < (b->length + 7) / 8; i++) print_func(func, ctx, "%02x%s%s", @@ -481,7 +481,8 @@ check_CRLDistributionPoints(hx509_validate_ctx ctx, { CRLDistributionPoints dp; size_t size; - int ret, i; + int ret; + size_t i; check_Null(ctx, status, cf, e); @@ -499,8 +500,8 @@ check_CRLDistributionPoints(hx509_validate_ctx ctx, if (dp.val[i].distributionPoint) { DistributionPointName dpname; heim_any *data = dp.val[i].distributionPoint; - int j; - + size_t j; + ret = decode_DistributionPointName(data->data, data->length, &dpname, NULL); if (ret) { @@ -512,7 +513,7 @@ check_CRLDistributionPoints(hx509_validate_ctx ctx, switch (dpname.element) { case choice_DistributionPointName_fullName: validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "Fullname:\n"); - + for (j = 0 ; j < dpname.u.fullName.len; j++) { char *s; GeneralName *name = &dpname.u.fullName.val[j]; @@ -565,7 +566,8 @@ check_altName(hx509_validate_ctx ctx, { GeneralNames gn; size_t size; - int ret, i; + int ret; + size_t i; check_Null(ctx, status, cf, e); @@ -600,7 +602,7 @@ check_altName(hx509_validate_ctx ctx, if (der_heim_oid_cmp(altname_types[j].oid, &gn.val[i].u.otherName.type_id) != 0) continue; - + validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s: ", altname_types[j].name); (*altname_types[j].func)(ctx, &gn.val[i].u.otherName.value); @@ -717,7 +719,8 @@ check_authorityInfoAccess(hx509_validate_ctx ctx, { AuthorityInfoAccessSyntax aia; size_t size; - int ret, i; + int ret; + size_t i; check_Null(ctx, status, cf, e); @@ -773,7 +776,7 @@ struct { { ext(certificateIssuer, Null), M_C }, { ext(nameConstraints, Null), M_C }, { ext(cRLDistributionPoints, CRLDistributionPoints), S_N_C }, - { ext(certificatePolicies, Null) }, + { ext(certificatePolicies, Null), 0 }, { ext(policyMappings, Null), M_N_C }, { ext(authorityKeyIdentifier, authorityKeyIdentifier), M_N_C }, { ext(policyConstraints, Null), D_C }, @@ -789,7 +792,7 @@ struct { check_Null, D_C }, { "Netscape cert comment", &asn1_oid_id_netscape_cert_comment, check_Null, D_C }, - { NULL } + { NULL, NULL, NULL, 0 } }; /** @@ -900,7 +903,7 @@ hx509_validate_cert(hx509_context context, if ((t->version == NULL || *t->version < 2) && t->extensions) validate_print(ctx, HX509_VALIDATE_F_VALIDATE, "Not version 3 certificate with extensions\n"); - + if (_hx509_cert_get_version(c) >= 3 && t->extensions == NULL) validate_print(ctx, HX509_VALIDATE_F_VALIDATE, "Version 3 certificate without extensions\n"); @@ -936,7 +939,7 @@ hx509_validate_cert(hx509_context context, free(str); if (t->extensions) { - int i, j; + size_t i, j; if (t->extensions->len == 0) { validate_print(ctx, @@ -975,7 +978,7 @@ hx509_validate_cert(hx509_context context, } } else validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "no extentions\n"); - + if (status.isca) { if (!status.haveSKI) validate_print(ctx, HX509_VALIDATE_F_VALIDATE, @@ -987,7 +990,7 @@ hx509_validate_cert(hx509_context context, "Is not CA and doesn't have " "AuthorityKeyIdentifier\n"); } - + if (!status.haveSKI) validate_print(ctx, HX509_VALIDATE_F_VALIDATE, diff --git a/source4/heimdal/lib/hx509/revoke.c b/source4/heimdal/lib/hx509/revoke.c index 6d2cac4afb..2932280748 100644 --- a/source4/heimdal/lib/hx509/revoke.c +++ b/source4/heimdal/lib/hx509/revoke.c @@ -176,9 +176,9 @@ verify_ocsp(hx509_context context, hx509_cert signer = NULL; hx509_query q; int ret; - + _hx509_query_clear(&q); - + /* * Need to match on issuer too in case there are two CA that have * issued the same name to a certificate. One example of this is @@ -198,7 +198,7 @@ verify_ocsp(hx509_context context, q.keyhash_sha1 = &ocsp->ocsp.tbsResponseData.responderID.u.byKey; break; } - + ret = hx509_certs_find(context, certs, &q, &signer); if (ret && ocsp->certs) ret = hx509_certs_find(context, ocsp->certs, &q, &signer); @@ -349,7 +349,7 @@ load_ocsp(hx509_context context, struct revoke_ocsp *ocsp) } if (basic.certs) { - int i; + size_t i; ret = hx509_certs_init(context, "MEMORY:ocsp-certs", 0, NULL, &certs); @@ -360,11 +360,11 @@ load_ocsp(hx509_context context, struct revoke_ocsp *ocsp) for (i = 0; i < basic.certs->len; i++) { hx509_cert c; - + ret = hx509_cert_init(context, &basic.certs->val[i], &c); if (ret) continue; - + ret = hx509_certs_add(context, certs, c); hx509_cert_free(c); if (ret) @@ -463,7 +463,7 @@ verify_crl(hx509_context context, hx509_query q; time_t t; int ret; - + t = _hx509_Time2time_t(&crl->tbsCertList.thisUpdate); if (t > time_now) { hx509_set_error_string(context, 0, HX509_CRL_USED_BEFORE_TIME, @@ -485,7 +485,7 @@ verify_crl(hx509_context context, } _hx509_query_clear(&q); - + /* * If it's the signer have CRLSIGN bit set, use that as the signer * cert for the certificate, otherwise, search for a certificate. @@ -496,7 +496,7 @@ verify_crl(hx509_context context, q.match = HX509_QUERY_MATCH_SUBJECT_NAME; q.match |= HX509_QUERY_KU_CRLSIGN; q.subject_name = &crl->tbsCertList.issuer; - + ret = hx509_certs_find(context, certs, &q, &signer); if (ret) { hx509_set_error_string(context, HX509_ERROR_APPEND, ret, @@ -526,11 +526,11 @@ verify_crl(hx509_context context, hx509_cert crl_parent; _hx509_query_clear(&q); - + q.match = HX509_QUERY_MATCH_SUBJECT_NAME; q.match |= HX509_QUERY_KU_CRLSIGN; q.subject_name = &_hx509_get_cert(signer)->tbsCertificate.issuer; - + ret = hx509_certs_find(context, certs, &q, &crl_parent); if (ret) { hx509_set_error_string(context, HX509_ERROR_APPEND, ret, @@ -718,7 +718,7 @@ hx509_revoke_verify(hx509_context context, &c->tbsCertificate.serialNumber); if (ret != 0) continue; - + /* verify issuer hashes hash */ ret = _hx509_verify_signature(context, NULL, @@ -760,8 +760,7 @@ hx509_revoke_verify(hx509_context context, if (ocsp->ocsp.tbsResponseData.responses.val[j].nextUpdate) { if (*ocsp->ocsp.tbsResponseData.responses.val[j].nextUpdate < now) continue; - } else - /* Should force a refetch, but can we ? */; + } /* else should force a refetch, but can we ? */ return 0; } @@ -829,12 +828,12 @@ hx509_revoke_verify(hx509_context context, t = _hx509_Time2time_t(&crl->crl.tbsCertList.revokedCertificates->val[j].revocationDate); if (t > now) continue; - + if (crl->crl.tbsCertList.revokedCertificates->val[j].crlEntryExtensions) for (k = 0; k < crl->crl.tbsCertList.revokedCertificates->val[j].crlEntryExtensions->len; k++) if (crl->crl.tbsCertList.revokedCertificates->val[j].crlEntryExtensions->val[k].critical) return HX509_CRL_UNKNOWN_EXTENSION; - + hx509_set_error_string(context, 0, HX509_CERT_REVOKED, "Certificate revoked by issuer in CRL"); @@ -1003,7 +1002,7 @@ hx509_ocsp_request(hx509_context context, } es = req.tbsRequest.requestExtensions; - + es->val = calloc(es->len, sizeof(es->val[0])); if (es->val == NULL) { ret = ENOMEM; @@ -1022,7 +1021,7 @@ hx509_ocsp_request(hx509_context context, goto out; } es->val[0].extnValue.length = 10; - + ret = RAND_bytes(es->val[0].extnValue.data, es->val[0].extnValue.length); if (ret != 1) { @@ -1055,8 +1054,13 @@ static char * printable_time(time_t t) { static char s[128]; - strlcpy(s, ctime(&t)+ 4, sizeof(s)); - s[20] = 0; + char *p; + if ((p = ctime(&t)) == NULL) + strlcpy(s, "?", sizeof(s)); + else { + strlcpy(s, p + 4, sizeof(s)); + s[20] = 0; + } return s; } @@ -1076,7 +1080,8 @@ int hx509_revoke_ocsp_print(hx509_context context, const char *path, FILE *out) { struct revoke_ocsp ocsp; - int ret, i; + int ret; + size_t i; if (out == NULL) out = stdout; @@ -1141,7 +1146,7 @@ hx509_revoke_ocsp_print(hx509_context context, const char *path, FILE *out) status = "element unknown"; } - fprintf(out, "\t%d. status: %s\n", i, status); + fprintf(out, "\t%zu. status: %s\n", i, status); fprintf(out, "\tthisUpdate: %s\n", printable_time(ocsp.ocsp.tbsResponseData.responses.val[i].thisUpdate)); @@ -1188,7 +1193,8 @@ hx509_ocsp_verify(hx509_context context, { const Certificate *c = _hx509_get_cert(cert); OCSPBasicOCSPResponse basic; - int ret, i; + int ret; + size_t i; if (now == 0) now = time(NULL); @@ -1208,7 +1214,7 @@ hx509_ocsp_verify(hx509_context context, &c->tbsCertificate.serialNumber); if (ret != 0) continue; - + /* verify issuer hashes hash */ ret = _hx509_verify_signature(context, NULL, @@ -1248,7 +1254,7 @@ hx509_ocsp_verify(hx509_context context, { hx509_name name; char *subject; - + ret = hx509_cert_get_subject(cert, &name); if (ret) { hx509_clear_error_string(context); diff --git a/source4/heimdal/lib/hx509/sel.c b/source4/heimdal/lib/hx509/sel.c index 561818c9f1..6930b50f7c 100644 --- a/source4/heimdal/lib/hx509/sel.c +++ b/source4/heimdal/lib/hx509/sel.c @@ -101,7 +101,7 @@ eval_comp(hx509_context context, hx509_env env, struct hx_expr *expr) if (expr->op == comp_TAILEQ) { size_t len1 = strlen(s1); size_t len2 = strlen(s2); - + if (len1 < len2) return 0; ret = strcmp(s1 + (len1 - len2), s2) == 0; @@ -133,7 +133,7 @@ eval_comp(hx509_context context, hx509_env env, struct hx_expr *expr) subenv = find_variable(context, env, subexpr); if (subenv == NULL) return FALSE; - + while (subenv) { if (subenv->type != env_string) continue; @@ -223,7 +223,7 @@ _hx509_expr_parse(const char *buf) } void -_hx509_sel_yyerror (char *s) +_hx509_sel_yyerror (const char *s) { if (_hx509_expr_input.error) free(_hx509_expr_input.error); diff --git a/source4/heimdal/lib/hx509/sel.h b/source4/heimdal/lib/hx509/sel.h index 1dfc41818c..177ec0a65b 100644 --- a/source4/heimdal/lib/hx509/sel.h +++ b/source4/heimdal/lib/hx509/sel.h @@ -78,5 +78,5 @@ extern struct hx_expr_input _hx509_expr_input; int _hx509_sel_yyparse(void); int _hx509_sel_yylex(void); -void _hx509_sel_yyerror(char *); +void _hx509_sel_yyerror(const char *); diff --git a/source4/heimdal/lib/hx509/test_name.c b/source4/heimdal/lib/hx509/test_name.c index 2cdcdf85f6..d932221ddf 100644 --- a/source4/heimdal/lib/hx509/test_name.c +++ b/source4/heimdal/lib/hx509/test_name.c @@ -336,7 +336,7 @@ test_compare(hx509_context context) if (ret) return 1; ret = compare_subject(c2, c3, &l3); if (ret) return 1; - + if (l0 != 0) return 1; if (l2 < l1) return 1; if (l3 < l2) return 1; |