diff options
author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2003-08-11 18:29:49 +0000 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2003-08-11 18:29:49 +0000 |
commit | f8c5c05a58933e12843b7e4145b0ed6d565345c2 (patch) | |
tree | 262afef6775c4d1e7ec81d0636fc5594caef7e31 | |
parent | 5201ca6996cd2085292f15c67f4f53ec805a1b3e (diff) | |
download | gnutls-f8c5c05a58933e12843b7e4145b0ed6d565345c2.tar.gz |
still more patches by Arne Thomassen
35 files changed, 125 insertions, 133 deletions
diff --git a/doc/tex/alert.tex b/doc/tex/alert.tex index 74c6740de7..3c1f13df27 100644 --- a/doc/tex/alert.tex +++ b/doc/tex/alert.tex @@ -13,8 +13,8 @@ fatal or warning. Fatal alerts always terminate the current connection, and prevent future renegotiations using the current session ID. \par The alert messages are protected by the record protocol, thus -the information that it's included does not leak. You must take -extreme care for the alert information not to leak, to a possible attacker +the information that is included does not leak. You must take +extreme care for the alert information not to leak to a possible attacker (via public log files etc). \par @@ -28,5 +28,3 @@ returns the last received alert. \item \printfunc{gnutls_alert_get_name}{gnutls\_alert\_get\_name}: returns the name (in a character array) of the given alert. \end{itemize} - - diff --git a/doc/tex/ciphersuites.tex b/doc/tex/ciphersuites.tex index 29031304ad..65dda77442 100644 --- a/doc/tex/ciphersuites.tex +++ b/doc/tex/ciphersuites.tex @@ -13,12 +13,10 @@ be described as a keyed hash algorithm. See RFC2104.} algorithm used for authent MAC\_SHA is used in the above example. \end{itemize} -The cipher suite negotiated in the handshake protocol, will affect +The cipher suite negotiated in the handshake protocol will affect the Record Protocol, by enabling encryption and data authentication. Note that you should not over rely on \tls{} to negotiate the strongest available cipher suite. Do not enable ciphers and algorithms that you consider weak. \addvspace{1.5cm} - - diff --git a/doc/tex/ex-cert-select.tex b/doc/tex/ex-cert-select.tex index 0c8fe78ab8..a24ab350ad 100644 --- a/doc/tex/ex-cert-select.tex +++ b/doc/tex/ex-cert-select.tex @@ -34,7 +34,7 @@ static int cert_callback(gnutls_session session, } } - /* Select a certificate from the client_certs and return it's + /* Select a certificate from the client_certs and return its * index. */ diff --git a/doc/tex/howto.tex b/doc/tex/howto.tex index 6621a2a59f..73d8d4e2e5 100644 --- a/doc/tex/howto.tex +++ b/doc/tex/howto.tex @@ -18,7 +18,7 @@ with this method is a denial of service one. The most famous example of this method is the famous ``HTTP over TLS'' or HTTPS\footnote{RFC2818} protocol. \par -Despite it's wide use, this method is not as good as it seems. +Despite its wide use, this method is not as good as it seems. This approach starts the \tls{} Handshake procedure just after the client connects on the --so called-- secure port. That way the \tls{} protocol does not know anything diff --git a/doc/tex/record.tex b/doc/tex/record.tex index 32ebf036b4..19defc52e9 100644 --- a/doc/tex/record.tex +++ b/doc/tex/record.tex @@ -1,6 +1,6 @@ \section{The TLS record protocol\index{TLS protocols!Record}} -The Record protocol is the secure communications provider. It's purpose +The Record protocol is the secure communications provider. Its purpose is to encrypt, authenticate and --optionally-- compress packets. The following functions are available: \par diff --git a/doc/tex/record_weaknesses.tex b/doc/tex/record_weaknesses.tex index e2a3280d18..75c5696a11 100644 --- a/doc/tex/record_weaknesses.tex +++ b/doc/tex/record_weaknesses.tex @@ -3,10 +3,10 @@ Some weaknesses that may affect the security of the Record layer have been found in \tlsI{} protocol. These weaknesses can be exploited by active attackers, -and exploit the facts that \tls{} +and exploit the facts that \begin{enumerate} -\item has separate alerts for ``decryption\_failed'' and ``bad\_record\_mac'' -\item the decryption failure reason can be detected by timing the responce time +\item \tls{} has separate alerts for ``decryption\_failed'' and ``bad\_record\_mac'' +\item the decryption failure reason can be detected by timing the response time \item the IV for CBC encrypted packets is the last block of the previous encrypted packet \end{enumerate} diff --git a/doc/tex/srp.tex b/doc/tex/srp.tex index 5499267c59..a71e7643cf 100644 --- a/doc/tex/srp.tex +++ b/doc/tex/srp.tex @@ -1,8 +1,8 @@ \section{Authentication using SRP\index{SRP authentication}} -Authentication using the SRP\footnote{SRP stands for Secure Password Protocol and +Authentication using the SRP\footnote{SRP stands for Secure Remote Password and is described in \cite{RFC2945}. The SRP key exchange is not a part of the \tlsI{} protocol} -is actually password authentication, since the two peers are identified by the knowledge of a password. +protocol is actually password authentication, since the two peers are identified by the knowledge of a password. This protocol also offers protection against off-line attacks, such as password file stealing. This is achieved since SRP does not use the plain password to perform authentication, diff --git a/doc/tex/translayer.tex b/doc/tex/translayer.tex index 0348626a15..8ab54a3b44 100644 --- a/doc/tex/translayer.tex +++ b/doc/tex/translayer.tex @@ -1,9 +1,9 @@ \section{The transport layer} \par -\tls{} is not limited to any transport layer, it -can be used above any transport layer, as long as, it is a reliable -one. A set of functions is provided and its purpose is to load -to gnutls the required callbacks to access the transport layer. +\tls{} is not limited to one transport layer, it +can be used above any transport layer, as long as it is a reliable +one. A set of functions is provided and their purpose is to load +to \gnutls{} the required callbacks to access the transport layer. \begin{itemize} \item \printfunc{gnutls_transport_set_push_function}{gnutls\_transport\_set\_push\_function} @@ -16,16 +16,16 @@ The callback functions should return the number of bytes written, or -1 on error and should set errno appropriately. \par \gnutls{} currently only interprets the EINTR and EAGAIN errno values and -returns the corresponding gnutls error codes GNUTLS\_E\_INTERRUPTED and +returns the corresponding \gnutls{} error codes GNUTLS\_E\_INTERRUPTED and GNUTLS\_E\_AGAIN. These values are usually returned by interrupted system calls, or when non blocking IO is used. All \gnutls{} functions can be resumed (called again), if any of these error codes is returned. The error codes above refer to the system call, not the \gnutls{} function, -since signals do not interrupt gnutls' functions. +since signals do not interrupt \gnutls{}' functions. \par By default, if the transport functions are not set, \gnutls{} will use the Berkeley Sockets functions. In this case -gnutls will use some hacks in order for \emph{select()} to work, thus -making easy to add \tls{} support to existing TCP/IP servers. +\gnutls{} will use some hacks in order for \emph{select()} to work, thus +making it easy to add \tls{} support to existing TCP/IP servers. diff --git a/lib/auth_cert.c b/lib/auth_cert.c index 1163c0c326..d0bef0f2cb 100644 --- a/lib/auth_cert.c +++ b/lib/auth_cert.c @@ -1213,7 +1213,7 @@ int _gnutls_gen_cert_server_cert_req(gnutls_session session, if (session->security_parameters.cert_type == GNUTLS_CRT_X509 && session->internals.ignore_rdn_sequence == 0) { _gnutls_write_datum16(pdata, cred->x509_rdn_sequence); - pdata += cred->x509_rdn_sequence.size + 2; + /* pdata += cred->x509_rdn_sequence.size + 2; */ } return size; @@ -1333,10 +1333,9 @@ static int _gnutls_server_find_cert_list_index(gnutls_session session, requested_algo) { uint i, j; - int index = -1; + int index; const gnutls_certificate_credentials cred; int my_certs_length; - int *ij_map = NULL; cred = _gnutls_get_cred(session->key, GNUTLS_CRD_CERTIFICATE, NULL); @@ -1365,17 +1364,19 @@ static int _gnutls_server_find_cert_list_index(gnutls_session session, if (session->internals.server_cert_callback != NULL && cred->ncerts > 0) { /* use the callback to get certificate */ - gnutls_datum *my_certs = NULL; + gnutls_datum *my_certs; + int *ij_map; + my_certs_length = cred->ncerts; my_certs = - gnutls_malloc(cred->ncerts * sizeof(gnutls_datum)); + gnutls_malloc(my_certs_length * sizeof(gnutls_datum)); if (my_certs == NULL) - goto clear; - my_certs_length = cred->ncerts; + goto out; /* put our certificate's issuer and dn into cdn, idn */ - ij_map = gnutls_malloc(sizeof(int) * cred->ncerts); + ij_map = gnutls_malloc(my_certs_length * sizeof(int)); + if (ij_map == NULL) goto cleanup_certs; j = 0; for (i = 0; i < cred->ncerts; i++) { @@ -1405,11 +1406,13 @@ static int _gnutls_server_find_cert_list_index(gnutls_session session, if (index != -1) index = ij_map[index]; - clear: - gnutls_free(my_certs); gnutls_free(ij_map); + cleanup_certs: + gnutls_free(my_certs); + } + out: /* store the index for future use, in the handshake. * (This will allow not calling this callback again.) */ diff --git a/lib/auth_cert.h b/lib/auth_cert.h index a667aa394e..a9760ab0ec 100644 --- a/lib/auth_cert.h +++ b/lib/auth_cert.h @@ -4,7 +4,7 @@ # include "gnutls_auth.h" # include "x509/x509.h" -/* This structure may be complex but, it's the only way to +/* This structure may be complex, but it's the only way to * support a server that has multiple certificates */ typedef struct { diff --git a/lib/auth_dh_common.c b/lib/auth_dh_common.c index ddb61b7176..287c5c4191 100644 --- a/lib/auth_dh_common.c +++ b/lib/auth_dh_common.c @@ -127,6 +127,7 @@ int _gnutls_gen_dh_common_client_kx(gnutls_session session, opaque ** data) _gnutls_mpi_release(&x); if (session->key->KEY == NULL) { gnutls_assert(); + gnutls_free(*data); *data = NULL; return GNUTLS_E_MEMORY_ERROR; } @@ -134,6 +135,8 @@ int _gnutls_gen_dh_common_client_kx(gnutls_session session, opaque ** data) session->key->client_Y)); if (ret<0) { gnutls_assert(); + failed: + gnutls_free(*data); *data = NULL; return ret; } @@ -147,7 +150,7 @@ int _gnutls_gen_dh_common_client_kx(gnutls_session session, opaque ** data) _gnutls_mpi_release(&session->key->KEY); if (ret < 0) { - return ret; + goto failed; } return n_X + 2; diff --git a/lib/auth_rsa_export.c b/lib/auth_rsa_export.c index 8c4e4ca8a1..66d4f25280 100644 --- a/lib/auth_rsa_export.c +++ b/lib/auth_rsa_export.c @@ -152,7 +152,7 @@ static int gen_rsa_export_server_kx(gnutls_session session, opaque ** data) apr_pkey, &ddata, &signature)) < 0) { gnutls_assert(); - gnutls_free(*data); + gnutls_free(*data); *data = NULL; return ret; } } else { @@ -219,6 +219,7 @@ CERTIFICATE_AUTH_INFO info = _gnutls_get_auth_info( session); if (peer_cert.subject_pk_algorithm != GNUTLS_PK_RSA) { gnutls_assert(); + _gnutls_free_cert( &peer_cert); return 0; } @@ -349,7 +350,6 @@ static int proc_rsa_export_server_kx(gnutls_session session, opaque * data, _gnutls_free_cert( &peer_cert); if (ret < 0) { gnutls_assert(); - return ret; } return ret; diff --git a/lib/dh_compat.c b/lib/dh_compat.c index f1bec80adf..30c25ba428 100644 --- a/lib/dh_compat.c +++ b/lib/dh_compat.c @@ -125,6 +125,7 @@ int gnutls_dh_params_generate(gnutls_datum * prime, prime->data = gnutls_malloc(siz); if (prime->data == NULL) { gnutls_free(generator->data); + generator->data = NULL; generator->size = 0; _gnutls_mpi_release(&tmp_g); _gnutls_mpi_release(&tmp_prime); return GNUTLS_E_MEMORY_ERROR; diff --git a/lib/gnutls_algorithms.c b/lib/gnutls_algorithms.c index cb316c51fb..ecbe4c5a65 100644 --- a/lib/gnutls_algorithms.c +++ b/lib/gnutls_algorithms.c @@ -85,7 +85,7 @@ static const gnutls_pk_map pk_mappings[] = { #define GNUTLS_PK_MAP_LOOP(b) \ const gnutls_pk_map *p; \ - for(p = pk_mappings; p->kx_algorithm != 0; p++) { b ; } + for(p = pk_mappings; p->kx_algorithm != 0; p++) { b } #define GNUTLS_PK_MAP_ALG_LOOP(a) \ GNUTLS_PK_MAP_LOOP( if(p->kx_algorithm == kx_algorithm) { a; break; }) @@ -1183,25 +1183,22 @@ _gnutls_supported_ciphersuites(gnutls_session session, GNUTLS_CipherSuite* ciphers; gnutls_protocol_version version; - *_ciphers = NULL; - if (count == 0) { return 0; } - version = gnutls_protocol_get_version( session); - tmp_ciphers = gnutls_alloca(count * sizeof(GNUTLS_CipherSuite)); if ( tmp_ciphers==NULL) return GNUTLS_E_MEMORY_ERROR; ciphers = gnutls_malloc(count * sizeof(GNUTLS_CipherSuite)); - if ( ciphers==NULL) { gnutls_afree( tmp_ciphers); return GNUTLS_E_MEMORY_ERROR; } + version = gnutls_protocol_get_version( session); + for (i = 0; i < count; i++) { memcpy( &tmp_ciphers[i], &cs_algorithms[i].id, sizeof( GNUTLS_CipherSuite)); } @@ -1252,12 +1249,7 @@ _gnutls_supported_ciphersuites(gnutls_session session, } } #endif - if (ret_count == 0) { - gnutls_free(ciphers); - ciphers = NULL; - } - *_ciphers = ciphers; gnutls_afree(tmp_ciphers); /* This function can no longer return 0 cipher suites. @@ -1265,9 +1257,10 @@ _gnutls_supported_ciphersuites(gnutls_session session, */ if (ret_count == 0) { gnutls_assert(); - gnutls_free( ciphers); + gnutls_free(ciphers); return GNUTLS_E_NO_CIPHER_SUITES; } + *_ciphers = ciphers; return ret_count; } @@ -1282,15 +1275,14 @@ _gnutls_supported_ciphersuites(gnutls_session session, int _gnutls_supported_compression_methods(gnutls_session session, uint8 ** comp) { - unsigned int i, j=0; - int tmp; + unsigned int i, j; *comp = gnutls_malloc( sizeof(uint8) * SUPPORTED_COMPRESSION_METHODS); if (*comp == NULL) return GNUTLS_E_MEMORY_ERROR; - for (i = 0; i < SUPPORTED_COMPRESSION_METHODS; i++) { - tmp = _gnutls_compression_get_num(session->internals. + for (i = j = 0; i < SUPPORTED_COMPRESSION_METHODS; i++) { + int tmp = _gnutls_compression_get_num(session->internals. compression_method_priority. priority[i]); @@ -1309,7 +1301,7 @@ _gnutls_supported_compression_methods(gnutls_session session, uint8 ** comp) if (j==0) { gnutls_assert(); - gnutls_free( *comp); + gnutls_free( *comp); *comp = NULL; return GNUTLS_E_NO_COMPRESSION_ALGORITHMS; } return j; @@ -1319,7 +1311,7 @@ _gnutls_supported_compression_methods(gnutls_session session, uint8 ** comp) * gnutls_certificate_type_get_name - Returns a string with the name of the specified certificate type * @type: is a certificate type * - * Returns a string that contains the name + * Returns a string (or NULL) that contains the name * of the specified certificate type. **/ const char *gnutls_certificate_type_get_name( gnutls_certificate_type type) @@ -1339,7 +1331,7 @@ gnutls_pk_algorithm _gnutls_map_pk_get_pk(gnutls_kx_algorithm kx_algorithm) { gnutls_pk_algorithm ret = -1; - GNUTLS_PK_MAP_ALG_LOOP(ret = p->pk_algorithm); + GNUTLS_PK_MAP_ALG_LOOP(ret = p->pk_algorithm) return ret; } @@ -1351,7 +1343,7 @@ gnutls_pk_algorithm _gnutls_map_pk_get_pk(gnutls_kx_algorithm kx_algorithm) enum encipher_type _gnutls_kx_encipher_type(gnutls_kx_algorithm kx_algorithm) { int ret = CIPHER_IGN; - GNUTLS_PK_MAP_ALG_LOOP(ret = p->encipher_type); + GNUTLS_PK_MAP_ALG_LOOP(ret = p->encipher_type) return ret; } diff --git a/lib/gnutls_anon_cred.c b/lib/gnutls_anon_cred.c index 7c3910e7c8..a52c64c737 100644 --- a/lib/gnutls_anon_cred.c +++ b/lib/gnutls_anon_cred.c @@ -19,10 +19,10 @@ * */ -#ifdef ENABLE_ANON - #include "gnutls_int.h" +#ifdef ENABLE_ANON + #include "gnutls_errors.h" #include "auth_anon.h" #include "gnutls_auth_int.h" diff --git a/lib/gnutls_auth.c b/lib/gnutls_auth.c index 05dddc6199..2c5bef6f9a 100644 --- a/lib/gnutls_auth.c +++ b/lib/gnutls_auth.c @@ -208,7 +208,7 @@ void* _gnutls_get_auth_info( gnutls_session session) { * _gnutls_free_auth_info - Frees the auth info structure * @session: is a &gnutls_session structure. * - * this function frees the auth info structure and sets it to + * This function frees the auth info structure and sets it to * null. It must be called since some structures contain malloced * elements. -*/ diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c index c99b67cb25..32ffc4d8d5 100644 --- a/lib/gnutls_cert.c +++ b/lib/gnutls_cert.c @@ -295,7 +295,7 @@ OPENPGP_VERIFY_KEY_FUNC _E_gnutls_openpgp_verify_key = NULL; * _gnutls_openpgp_cert_verify_peers - This function returns the peer's certificate status * @session: is a gnutls session * - * This function will try to verify the peer's certificate and return it's status (TRUSTED, INVALID etc.). + * This function will try to verify the peer's certificate and return its status (TRUSTED, INVALID etc.). * Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent. * -*/ @@ -353,7 +353,7 @@ int _gnutls_openpgp_cert_verify_peers(gnutls_session session) * gnutls_certificate_verify_peers - This function returns the peer's certificate verification status * @session: is a gnutls session * - * This function will try to verify the peer's certificate and return it's status (trusted, invalid etc.). + * This function will try to verify the peer's certificate and return its status (trusted, invalid etc.). * However you must also check the peer's name in order to check if the verified certificate belongs to the * actual peer. * diff --git a/lib/gnutls_compress_int.c b/lib/gnutls_compress_int.c index e5a96bb192..216b7f328a 100644 --- a/lib/gnutls_compress_int.c +++ b/lib/gnutls_compress_int.c @@ -68,6 +68,8 @@ int err; ret->handle = gnutls_malloc( sizeof( z_stream)); if (ret->handle==NULL) { gnutls_assert(); + cleanup_ret: + gnutls_free(ret); return NULL; } @@ -87,8 +89,7 @@ int err; if (err!=Z_OK) { gnutls_assert(); gnutls_free( ret->handle); - gnutls_free( ret); - return NULL; + goto cleanup_ret; } break; } @@ -101,7 +102,7 @@ int err; if (ret->handle==NULL) { gnutls_assert(); - return NULL; + goto cleanup_ret; } } @@ -164,7 +165,7 @@ int err; if (err!=LZO_E_OK) { gnutls_assert(); - gnutls_free( *compressed); + gnutls_free( *compressed); *compressed = NULL; return GNUTLS_E_COMPRESSION_FAILED; } @@ -194,7 +195,7 @@ int err; if (err!=Z_OK || zhandle->avail_in != 0) { gnutls_assert(); - gnutls_free( *compressed); + gnutls_free( *compressed); *compressed = NULL; return GNUTLS_E_COMPRESSION_FAILED; } @@ -212,7 +213,7 @@ int err; #endif if ((size_t)compressed_size > max_comp_size) { - gnutls_free(*compressed); + gnutls_free(*compressed); *compressed = NULL; return GNUTLS_E_COMPRESSION_FAILED; } @@ -263,7 +264,7 @@ int cur_pos; if (err!=LZO_E_OK) { gnutls_assert(); - gnutls_free( *plain); + gnutls_free( *plain); *plain = NULL; return GNUTLS_E_DECOMPRESSION_FAILED; } @@ -307,7 +308,7 @@ int cur_pos; if (err!=Z_OK) { gnutls_assert(); - gnutls_free( *plain); + gnutls_free( *plain); *plain = NULL; return GNUTLS_E_DECOMPRESSION_FAILED; } @@ -322,7 +323,7 @@ int cur_pos; if ((size_t)plain_size > max_record_size) { gnutls_assert(); - gnutls_free( *plain); + gnutls_free( *plain); *plain = NULL; return GNUTLS_E_DECOMPRESSION_FAILED; } diff --git a/lib/gnutls_dh_primes.c b/lib/gnutls_dh_primes.c index d5bedaafcb..e0932b16e2 100644 --- a/lib/gnutls_dh_primes.c +++ b/lib/gnutls_dh_primes.c @@ -498,7 +498,7 @@ int gnutls_dh_params_export_raw(gnutls_dh_params params, prime->data = gnutls_malloc(size); if (prime->data == NULL) { - gnutls_free(generator->data); + gnutls_free(generator->data); generator->data = NULL; return GNUTLS_E_MEMORY_ERROR; } prime->size = size; diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c index d570bea753..349bd87fbc 100644 --- a/lib/gnutls_errors.c +++ b/lib/gnutls_errors.c @@ -158,7 +158,7 @@ static gnutls_error_entry error_algorithms[] = { * If a function returns a negative value you may feed that value * to this function to see if it is fatal. Returns 1 for a fatal * error 0 otherwise. However you may want to check the - * error code manualy, since some non-fatal errors to the protocol + * error code manually, since some non-fatal errors to the protocol * may be fatal for you (your program). * * This is only useful if you are dealing with errors from the diff --git a/lib/gnutls_extensions.c b/lib/gnutls_extensions.c index 3525addf68..95a3e60863 100644 --- a/lib/gnutls_extensions.c +++ b/lib/gnutls_extensions.c @@ -213,7 +213,7 @@ int (*ext_func_send)( gnutls_session, opaque*, int); _gnutls_extension_list_add( session, next); } else if (size < 0) { gnutls_assert(); - gnutls_free(*data); + gnutls_free(*data); *data = NULL; return size; } diff --git a/lib/gnutls_global.c b/lib/gnutls_global.c index df2642d658..0297e0d7da 100644 --- a/lib/gnutls_global.c +++ b/lib/gnutls_global.c @@ -154,21 +154,19 @@ static int _gnutls_init = 0; * Returns zero on success. * * Note that this function will also initialize libgcrypt, if it has not - * been initialized before. Thus if you want to manualy initialize libgcrypt + * been initialized before. Thus if you want to manually initialize libgcrypt * you must do it before calling this function. This is useful in cases you * want to disable libgcrypt's internal lockings etc. * **/ int gnutls_global_init( void) { - int result; + static int result = 0; + int res; + if (_gnutls_init) goto out; _gnutls_init++; - if (_gnutls_init!=1) { - return 0; - } - if (gcry_control( GCRYCTL_ANY_INITIALIZATION_P) == 0) { /* for gcrypt in order to be able to allocate memory */ gcry_set_allocation_handler(gnutls_malloc, gnutls_secure_malloc, _gnutls_is_secure_memory, gnutls_realloc, gnutls_free); @@ -188,7 +186,7 @@ int gnutls_global_init( void) result = _gnutls_register_rc2_cipher(); if (result < 0) { gnutls_assert(); - return result; + goto out; } /* set default recv/send functions @@ -202,18 +200,21 @@ int gnutls_global_init( void) * version. */ - result=asn1_array2tree( pkix_asn1_tab, &_gnutls_pkix1_asn, NULL); - if (result != ASN1_SUCCESS) { - return _gnutls_asn2err(result); + res=asn1_array2tree( pkix_asn1_tab, &_gnutls_pkix1_asn, NULL); + if (res != ASN1_SUCCESS) { + result = _gnutls_asn2err(res); + goto out; } - result=asn1_array2tree( gnutls_asn1_tab, &_gnutls_gnutls_asn, NULL); - if (result != ASN1_SUCCESS) { + res=asn1_array2tree( gnutls_asn1_tab, &_gnutls_gnutls_asn, NULL); + if (res != ASN1_SUCCESS) { asn1_delete_structure(&_gnutls_pkix1_asn); - return _gnutls_asn2err(result); + result = _gnutls_asn2err(res); + goto out; } - return 0; + out: + return result; } /** @@ -226,9 +227,8 @@ int gnutls_global_init( void) void gnutls_global_deinit( void) { - _gnutls_init--; - - if (_gnutls_init==0) { + if (_gnutls_init==1) { + _gnutls_init--; asn1_delete_structure(&_gnutls_gnutls_asn); asn1_delete_structure(&_gnutls_pkix1_asn); diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c index 7df65edcfc..c6303a7d5e 100644 --- a/lib/gnutls_handshake.c +++ b/lib/gnutls_handshake.c @@ -1006,9 +1006,6 @@ int _gnutls_recv_handshake(gnutls_session session, uint8 ** data, } } - - ret = GNUTLS_E_INTERNAL_ERROR; - if (data != NULL && length32 > 0) *data = dataptr; @@ -1035,6 +1032,7 @@ int _gnutls_recv_handshake(gnutls_session session, uint8 ** data, /* dataptr is freed because the caller does not * need it */ gnutls_free(dataptr); + if (data!=NULL) *data = NULL; break; case GNUTLS_SERVER_HELLO_DONE: if (length32==0) ret = 0; @@ -1417,11 +1415,11 @@ static int _gnutls_copy_comp_methods(gnutls_session session, */ static int _gnutls_send_client_hello(gnutls_session session, int again) { - opaque *data; + opaque *data = NULL; opaque *extdata = NULL; int extdatalen; int pos = 0; - int datalen, ret = 0; + int datalen = 0, ret = 0; opaque random[TLS_RANDOM_SIZE]; gnutls_protocol_version hver; @@ -1431,13 +1429,9 @@ static int _gnutls_send_client_hello(gnutls_session session, int again) session->internals.resumed_security_parameters. session_id_size; - if (SessionID == NULL || session_id_len == 0) { - session_id_len = 0; - SessionID = NULL; - } + if (SessionID == NULL) session_id_len = 0; + else if (session_id_len == 0) SessionID = NULL; - data = NULL; - datalen = 0; if (again == 0) { datalen = 2 + (session_id_len + 1) + TLS_RANDOM_SIZE; @@ -1576,7 +1570,6 @@ static int _gnutls_send_client_hello(gnutls_session session, int again) gnutls_free(extdata); } else if (extdatalen < 0) { gnutls_assert(); - gnutls_free(extdata); gnutls_free(data); return extdatalen; } @@ -1614,7 +1607,6 @@ static int _gnutls_send_server_hello(gnutls_session session, int again) if (extdatalen < 0) { gnutls_assert(); - gnutls_free(extdata); return extdatalen; } diff --git a/lib/gnutls_hash_int.c b/lib/gnutls_hash_int.c index ebfb683b04..4f836108fb 100644 --- a/lib/gnutls_hash_int.c +++ b/lib/gnutls_hash_int.c @@ -57,7 +57,7 @@ GNUTLS_HASH_HANDLE _gnutls_hash_init(gnutls_mac_algorithm algorithm) break; default: - ret = GNUTLS_HASH_FAILED; + ret = GNUTLS_HASH_FAILED; break; } if (ret != GNUTLS_HASH_FAILED) @@ -78,7 +78,7 @@ int _gnutls_hash_get_algo_len(gnutls_mac_algorithm algorithm) ret = gcry_md_get_algo_dlen(GCRY_MD_MD5); break; default: - ret = 0; + ret = 0; break; } return ret; diff --git a/lib/gnutls_mem.c b/lib/gnutls_mem.c index 9621442830..836287e74a 100644 --- a/lib/gnutls_mem.c +++ b/lib/gnutls_mem.c @@ -73,16 +73,11 @@ void *ret; } char* _gnutls_strdup( const char* str) { -size_t siz = strlen( str); +size_t siz = strlen( str) + 1; char* ret; - ret = gnutls_malloc( siz + 1); - if (ret == NULL) - return ret; - - memcpy( ret, str, siz); - ret[ siz] = 0; - + ret = gnutls_malloc( siz); + if (ret != NULL) memcpy( ret, str, siz); return ret; } diff --git a/lib/gnutls_num.c b/lib/gnutls_num.c index 7729722c00..b0856ca7ad 100644 --- a/lib/gnutls_num.c +++ b/lib/gnutls_num.c @@ -27,9 +27,6 @@ #include <gnutls_num.h> #include <gnutls_errors.h> -/* This function will set the uint64 x to zero - */ - /* This function will add one to uint64 x. * Returns 0 on success, or -1 if the uint64 max limit * has been reached. diff --git a/lib/gnutls_pk.c b/lib/gnutls_pk.c index 5b523fb06e..84554ac522 100644 --- a/lib/gnutls_pk.c +++ b/lib/gnutls_pk.c @@ -84,11 +84,13 @@ int _gnutls_pkcs1_rsa_encrypt(gnutls_datum * ciphertext, /* using public key */ if (params_len < RSA_PUBLIC_PARAMS) { gnutls_assert(); + gnutls_free(edata); return GNUTLS_E_INTERNAL_ERROR; } if ( (ret=_gnutls_get_random(ps, psize, GNUTLS_STRONG_RANDOM)) < 0) { gnutls_assert(); + gnutls_free(edata); return ret; } for (i = 0; i < psize; i++) { @@ -99,6 +101,7 @@ int _gnutls_pkcs1_rsa_encrypt(gnutls_datum * ciphertext, */ if ( (ret=_gnutls_get_random( rnd, 3, GNUTLS_STRONG_RANDOM)) < 0) { gnutls_assert(); + gnutls_free(edata); return ret; } /* use non zero values for @@ -123,6 +126,7 @@ int _gnutls_pkcs1_rsa_encrypt(gnutls_datum * ciphertext, if (params_len < RSA_PRIVATE_PARAMS) { gnutls_assert(); + gnutls_free(edata); return GNUTLS_E_INTERNAL_ERROR; } @@ -131,6 +135,7 @@ int _gnutls_pkcs1_rsa_encrypt(gnutls_datum * ciphertext, break; default: gnutls_assert(); + gnutls_free(edata); return GNUTLS_E_INTERNAL_ERROR; } @@ -282,6 +287,7 @@ int _gnutls_pkcs1_rsa_decrypt(gnutls_datum * plaintext, break; default: gnutls_assert(); + gnutls_free(edata); return GNUTLS_E_INTERNAL_ERROR; } i++; @@ -409,7 +415,7 @@ int _gnutls_dsa_sign(gnutls_datum * signature, const gnutls_datum *hash, } ret = _gnutls_pk_sign(GCRY_PK_DSA, rs, mdata, params, params_len); - /* res now holds r,s */ + /* rs[0], rs[1] now hold r,s */ _gnutls_mpi_release(&mdata); if (ret < 0) { diff --git a/lib/gnutls_record.c b/lib/gnutls_record.c index e58fdd2218..75e64bd4df 100644 --- a/lib/gnutls_record.c +++ b/lib/gnutls_record.c @@ -479,7 +479,7 @@ static int _gnutls_check_recv_type( ContentType recv_type) { */ static int _gnutls_check_buffers( gnutls_session session, ContentType type, opaque* data, int sizeofdata) { if ( (type == GNUTLS_APPLICATION_DATA || type == GNUTLS_HANDSHAKE) && _gnutls_record_buffer_get_size(type, session) > 0) { - int ret = 0, ret2=0; + int ret, ret2; ret = _gnutls_record_buffer_get(type, session, data, sizeofdata); if (ret < 0) { gnutls_assert(); diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c index 0bbb497519..e8a7c65d25 100644 --- a/lib/gnutls_state.c +++ b/lib/gnutls_state.c @@ -193,7 +193,8 @@ int gnutls_init(gnutls_session * session, gnutls_connection_end con_end) (*session)->key = gnutls_calloc(1, sizeof(struct GNUTLS_KEY_INT)); if ( (*session)->key == NULL) { - gnutls_free( *session); + cleanup_session: + gnutls_free( *session); *session = NULL; return GNUTLS_E_MEMORY_ERROR; } @@ -206,10 +207,14 @@ int gnutls_init(gnutls_session * session, gnutls_connection_end con_end) gnutls_handshake_set_max_packet_length( (*session), MAX_HANDSHAKE_PACKET_SIZE); /* Allocate a minimum size for recv_data - * This is allocated in order to avoid small messages, makeing + * This is allocated in order to avoid small messages, making * the receive procedure slow. */ (*session)->internals.record_recv_buffer.data = gnutls_malloc(INITIAL_RECV_BUFFER_SIZE); + if ( (*session)->internals.record_recv_buffer.data == NULL) { + gnutls_free((*session)->key); + goto cleanup_session; + } /* set the socket pointers to -1; */ @@ -534,7 +539,7 @@ void gnutls_record_set_cbc_protection(gnutls_session session, int prot) * are not yet defined in any RFC or even internet draft. * * Enabling the private ciphersuites when talking to other than gnutls - * servers and clients, may cause interoperability problems. + * servers and clients may cause interoperability problems. * **/ void gnutls_handshake_set_private_extensions(gnutls_session session, int allow) diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c index 50b00a7c92..b90c70dfef 100644 --- a/lib/gnutls_x509.c +++ b/lib/gnutls_x509.c @@ -62,7 +62,7 @@ * _gnutls_x509_cert_verify_peers - This function returns the peer's certificate status * @session: is a gnutls session * - * This function will try to verify the peer's certificate and return it's status (TRUSTED, REVOKED etc.). + * This function will try to verify the peer's certificate and return its status (TRUSTED, REVOKED etc.). * The return value (status) should be one of the gnutls_certificate_status enumerated elements. * However you must also check the peer's name in order to check if the verified certificate belongs to the * actual peer. Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent. diff --git a/lib/io_debug.h b/lib/io_debug.h index 3b2e9ee4a5..2c3e2ff8ab 100644 --- a/lib/io_debug.h +++ b/lib/io_debug.h @@ -18,7 +18,7 @@ /* This debug file was contributed by * Paul Sheer <psheer@icon.co.za>. Some changes were made by nmav. - * It's purpose it to debug non blocking behaviour of gnutls. The included + * Its purpose is to debug non blocking behaviour of gnutls. The included * send() and recv() functions return EAGAIN errors in random. * */ diff --git a/lib/x509/compat.c b/lib/x509/compat.c index a87de7d5eb..f80d590d68 100644 --- a/lib/x509/compat.c +++ b/lib/x509/compat.c @@ -501,7 +501,7 @@ int gnutls_x509_extract_certificate_dn_string(char *buf, unsigned int sizeof_buf * @CRL_list: not used * @CRL_list_length: not used * - * This function will try to verify the given certificate list and return it's status (TRUSTED, EXPIRED etc.). + * This function will try to verify the given certificate list and return its status (TRUSTED, EXPIRED etc.). * The return value (status) should be one or more of the gnutls_certificate_status * enumerated elements bitwise or'd. Note that expiration and activation dates are not checked * by this function, you should check them using the appropriate functions. diff --git a/lib/x509/verify.c b/lib/x509/verify.c index 1363dcc744..25715652a1 100644 --- a/lib/x509/verify.c +++ b/lib/x509/verify.c @@ -459,7 +459,7 @@ int ret, issuer_params_size, i; * @flags: Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations. * @verify: will hold the certificate verification output. * - * This function will try to verify the given certificate list and return it's status (TRUSTED, REVOKED etc.). + * This function will try to verify the given certificate list and return its status (TRUSTED, REVOKED etc.). * The return value (status) should be one or more of the gnutls_certificate_status * enumerated elements bitwise or'd. Note that expiration and activation dates are not checked * by this function, you should check them using the appropriate functions. @@ -511,7 +511,7 @@ int gnutls_x509_crt_list_verify( gnutls_x509_crt* cert_list, int cert_list_lengt * @flags: Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations. * @verify: will hold the certificate verification output. * - * This function will try to verify the given certificate and return it's status. + * This function will try to verify the given certificate and return its status. * See gnutls_x509_crt_list_verify() for a detailed description of * return values. * @@ -577,7 +577,7 @@ int gnutls_x509_crl_check_issuer( gnutls_x509_crl cert, * @flags: Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations. * @verify: will hold the crl verification output. * - * This function will try to verify the given crl and return it's status. + * This function will try to verify the given crl and return its status. * See gnutls_x509_crt_list_verify() for a detailed description of * return values. * diff --git a/libextra/auth_srp_sb64.c b/libextra/auth_srp_sb64.c index 44b8043cb8..58e47c794d 100644 --- a/libextra/auth_srp_sb64.c +++ b/libextra/auth_srp_sb64.c @@ -25,7 +25,7 @@ #ifdef ENABLE_SRP /* this a modified base64 for srp !!! - * It seems that everybody makes it's own base64 convertion. + * It seems that everybody makes an own base64 conversion. */ static const uint8 b64table[64] = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz./"; @@ -248,7 +248,7 @@ int _gnutls_sbase64_decode(uint8 * data, size_t idata_size, uint8 ** result) tmp = decode( tmpres, datrev); if (tmp < 0) { - gnutls_free( (*result)); + gnutls_free( (*result)); *result = NULL; return tmp; } @@ -261,7 +261,7 @@ int _gnutls_sbase64_decode(uint8 * data, size_t idata_size, uint8 ** result) for (i = left, j = tmp; i < idata_size; i += 4) { tmp = decode(tmpres, &data[i]); if (tmp < 0) { - gnutls_free( (*result)); + gnutls_free( (*result)); *result = NULL; return tmp; } memcpy(&(*result)[j], tmpres, tmp); diff --git a/src/retcodes.c b/src/retcodes.c index 3f1adcfaee..3f3dbff8ff 100644 --- a/src/retcodes.c +++ b/src/retcodes.c @@ -30,8 +30,9 @@ typedef struct { } error_name; -static int compar( const error_name* n1, const error_name* n2) -{ +static int compar( const void* _n1, const void* _n2) +{ const error_name* n1 = (const error_name*) _n1, + * n2 = (const error_name*) _n2; return strcmp( n1->name, n2->name); } |