From 255e3e18e00f717d99f3bc57c8a8895ff624f3c3 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 15 Jul 2011 09:10:30 +0200
Subject: s4:heimdal: import lorikeet-heimdal-201107150856 (commit
 48936803fae4a2fb362c79365d31f420c917b85b)

---
 source4/heimdal/lib/hx509/cms.c | 48 +++++++++++++++++++++++++----------------
 1 file changed, 29 insertions(+), 19 deletions(-)

(limited to 'source4/heimdal/lib/hx509/cms.c')

diff --git a/source4/heimdal/lib/hx509/cms.c b/source4/heimdal/lib/hx509/cms.c
index 6e4eefaa1c..4e0a2e03fc 100644
--- a/source4/heimdal/lib/hx509/cms.c
+++ b/source4/heimdal/lib/hx509/cms.c
@@ -362,7 +362,8 @@ hx509_cms_unenvelope(hx509_context context,
     heim_octet_string *params, params_data;
     heim_octet_string ivec;
     size_t size;
-    int ret, i, matched = 0, findflags = 0;
+    int ret, matched = 0, findflags = 0;
+    size_t i;
 
 
     memset(&key, 0, sizeof(key));
@@ -472,7 +473,7 @@ hx509_cms_unenvelope(hx509_context context,
 	ret = hx509_crypto_init(context, NULL, &ai->algorithm, &crypto);
 	if (ret)
 	    goto out;
-	
+
 	if (flags & HX509_CMS_UE_ALLOW_WEAK)
 	    hx509_crypto_allow_weak(crypto);
 
@@ -492,7 +493,7 @@ hx509_cms_unenvelope(hx509_context context,
 				   "of EnvelopedData");
 	    goto out;
 	}
-	
+
 	ret = hx509_crypto_decrypt(crypto,
 				   enccontent->data,
 				   enccontent->length,
@@ -619,7 +620,7 @@ hx509_cms_envelope_1(hx509_context context,
 				   "Failed to set crypto oid "
 				   "for EnvelopedData");
 	    goto out;
-	}	
+	}
 	ALLOC(enc_alg->parameters, 1);
 	if (enc_alg->parameters == NULL) {
 	    ret = ENOMEM;
@@ -656,7 +657,7 @@ hx509_cms_envelope_1(hx509_context context,
 	ri->version = 2;
 	cmsidflag = CMS_ID_SKI;
     }
-	
+
     ret = fill_CMSIdentifier(cert, cmsidflag, &ri->rid);
     if (ret) {
 	hx509_set_error_string(context, 0, ret,
@@ -718,7 +719,8 @@ out:
 static int
 any_to_certs(hx509_context context, const SignedData *sd, hx509_certs certs)
 {
-    int ret, i;
+    int ret;
+    size_t i;
 
     if (sd->certificates == NULL)
 	return 0;
@@ -744,7 +746,7 @@ any_to_certs(hx509_context context, const SignedData *sd, hx509_certs certs)
 static const Attribute *
 find_attribute(const CMSAttributes *attr, const heim_oid *oid)
 {
-    int i;
+    size_t i;
     for (i = 0; i < attr->len; i++)
 	if (der_heim_oid_cmp(&attr->val[i].type, oid) == 0)
 	    return &attr->val[i];
@@ -790,7 +792,8 @@ hx509_cms_verify_signed(hx509_context context,
     hx509_certs certs = NULL;
     SignedData sd;
     size_t size;
-    int ret, i, found_valid_sig;
+    int ret, found_valid_sig;
+    size_t i;
 
     *signer_certs = NULL;
     content->data = NULL;
@@ -889,7 +892,7 @@ hx509_cms_verify_signed(hx509_context context,
 
 	if (signer_info->signedAttrs) {
 	    const Attribute *attr;
-	
+
 	    CMSAttributes sa;
 	    heim_octet_string os;
 
@@ -913,7 +916,7 @@ hx509_cms_verify_signed(hx509_context context,
 				       "messageDigest (signature)");
 		goto next_sigature;
 	    }
-	
+
 	    ret = decode_MessageDigest(attr->value.val[0].data,
 				       attr->value.val[0].length,
 				       &os,
@@ -1018,7 +1021,7 @@ hx509_cms_verify_signed(hx509_context context,
 	if (ret)
 	    goto next_sigature;
 
-	/** 
+	/**
 	 * If HX509_CMS_VS_NO_VALIDATE flags is set, do not verify the
 	 * signing certificates and leave that up to the caller.
 	 */
@@ -1113,7 +1116,7 @@ add_one_attribute(Attribute **attr,
 
     return 0;
 }
-	
+
 /**
  * Decode SignedData and verify that the signature is correct.
  *
@@ -1212,7 +1215,7 @@ sig_process(hx509_context context, void *ctx, hx509_cert cert)
 	    hx509_clear_error_string(context);
     } else {
 	ret = hx509_crypto_select(context, HX509_SELECT_DIGEST,
-				  _hx509_cert_private_key(cert), 
+				  _hx509_cert_private_key(cert),
 				  sigctx->peer, &digest);
     }
     if (ret)
@@ -1240,7 +1243,7 @@ sig_process(hx509_context context, void *ctx, hx509_cert cert)
     if (ret) {
 	hx509_clear_error_string(context);
 	goto out;
-    }			
+    }
 
     signer_info->signedAttrs = NULL;
     signer_info->unsignedAttrs = NULL;
@@ -1256,7 +1259,7 @@ sig_process(hx509_context context, void *ctx, hx509_cert cert)
      */
 
     if (der_heim_oid_cmp(sigctx->eContentType, &asn1_oid_id_pkcs7_data) != 0) {
-	CMSAttributes sa;	
+	CMSAttributes sa;
 	heim_octet_string sig;
 
 	ALLOC(signer_info->signedAttrs, 1);
@@ -1322,7 +1325,7 @@ sig_process(hx509_context context, void *ctx, hx509_cert cert)
 
 	sa.val = signer_info->signedAttrs->val;
 	sa.len = signer_info->signedAttrs->len;
-	
+
 	ASN1_MALLOC_ENCODE(CMSAttributes,
 			   sigdata.data,
 			   sigdata.length,
@@ -1409,7 +1412,7 @@ cert_process(hx509_context context, void *ctx, hx509_cert cert)
     const unsigned int i = sigctx->sd.certificates->len;
     void *ptr;
     int ret;
-    
+
     ptr = realloc(sigctx->sd.certificates->val,
 		  (i + 1) * sizeof(sigctx->sd.certificates->val[0]));
     if (ptr == NULL)
@@ -1503,7 +1506,7 @@ hx509_cms_create_signed(hx509_context context,
 	    ret = ENOMEM;
 	    goto out;
 	}
-	
+
 	sigctx.sd.encapContentInfo.eContent->data = malloc(length);
 	if (sigctx.sd.encapContentInfo.eContent->data == NULL) {
 	    hx509_clear_error_string(context);
@@ -1525,6 +1528,10 @@ hx509_cms_create_signed(hx509_context context,
     }
 
     if (sigctx.sd.signerInfos.len) {
+
+	/*
+	 * For each signerInfo, collect all different digest types.
+	 */
 	for (i = 0; i < sigctx.sd.signerInfos.len; i++) {
 	    AlgorithmIdentifier *di =
 		&sigctx.sd.signerInfos.val[i].digestAlgorithm;
@@ -1532,7 +1539,7 @@ hx509_cms_create_signed(hx509_context context,
 	    for (j = 0; j < sigctx.sd.digestAlgorithms.len; j++)
 		if (cmp_AlgorithmIdentifier(di, &sigctx.sd.digestAlgorithms.val[j]) == 0)
 		    break;
-	    if (j < sigctx.sd.digestAlgorithms.len) {
+	    if (j == sigctx.sd.digestAlgorithms.len) {
 		ret = add_DigestAlgorithmIdentifiers(&sigctx.sd.digestAlgorithms, di);
 		if (ret) {
 		    hx509_clear_error_string(context);
@@ -1542,6 +1549,9 @@ hx509_cms_create_signed(hx509_context context,
 	}
     }
 
+    /*
+     * Add certs we think are needed, build as part of sig_process
+     */
     if (sigctx.certs) {
 	ALLOC(sigctx.sd.certificates, 1);
 	if (sigctx.sd.certificates == NULL) {
-- 
cgit