diff options
| author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2019-10-17 13:07:41 +0000 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2019-10-17 13:07:41 +0000 |
| commit | 07f60f3329fa38df0cc1f05e15807d16fda60079 (patch) | |
| tree | 958f3c86ee71b66482d4fb8b5c5519ec414875c8 | |
| parent | d32fcf535ee5a5c8290167afc053e635f8ee65d3 (diff) | |
| parent | e3584fbf2a9760238c3279275e963cf121b3ed0b (diff) | |
| download | gnutls-07f60f3329fa38df0cc1f05e15807d16fda60079.tar.gz | |
Merge branch 'tmp-fix-coverity' into 'master'
Fix coverity in lib/
See merge request gnutls/gnutls!1092
| -rw-r--r-- | lib/auth/srp_passwd.c | 6 | ||||
| -rw-r--r-- | lib/buffers.c | 26 | ||||
| -rw-r--r-- | lib/buffers.h | 2 | ||||
| -rw-r--r-- | lib/cipher-cbc.c | 2 | ||||
| -rw-r--r-- | lib/cipher.c | 28 | ||||
| -rw-r--r-- | lib/cipher.h | 6 | ||||
| -rw-r--r-- | lib/cipher_int.h | 4 | ||||
| -rw-r--r-- | lib/dtls-sw.c | 2 | ||||
| -rw-r--r-- | lib/dtls.h | 2 | ||||
| -rw-r--r-- | lib/handshake.c | 40 | ||||
| -rw-r--r-- | lib/libgnutls.map | 4 | ||||
| -rw-r--r-- | lib/record.c | 70 | ||||
| -rw-r--r-- | lib/sslv2_compat.c | 10 | ||||
| -rw-r--r-- | lib/str.c | 25 | ||||
| -rw-r--r-- | lib/x509/output.c | 11 | ||||
| -rw-r--r-- | lib/x509/x509.c | 66 | ||||
| -rw-r--r-- | tests/Makefile.am | 6 | ||||
| -rw-r--r-- | tests/buffer.c | 78 | ||||
| -rw-r--r-- | tests/dtls-sliding-window.c | 2 | ||||
| -rw-r--r-- | tests/utils.h | 3 |
20 files changed, 244 insertions, 149 deletions
diff --git a/lib/auth/srp_passwd.c b/lib/auth/srp_passwd.c index 6cd3f7e524..baa4086e77 100644 --- a/lib/auth/srp_passwd.c +++ b/lib/auth/srp_passwd.c @@ -368,8 +368,10 @@ cleanup: _gnutls_srp_entry_free(entry); found: - zeroize_key(line, line_size); - free(line); + if (line) { + zeroize_key(line, line_size); + free(line); + } if (fd) fclose(fd); return ret; diff --git a/lib/buffers.c b/lib/buffers.c index f3749b70e2..1ca8b3705a 100644 --- a/lib/buffers.c +++ b/lib/buffers.c @@ -20,11 +20,11 @@ * */ -/* +/* * This file holds all the buffering code used in gnutls. * The buffering code works as: * - * RECORD LAYER: + * RECORD LAYER: * 1. uses a buffer to hold data (application/handshake), * we got but they were not requested, yet. * (see gnutls_record_buffer_put(), gnutls_record_buffer_get_size() etc.) @@ -32,7 +32,7 @@ * 2. uses a buffer to hold data that were incomplete (ie the read/write * was interrupted) * (see _gnutls_io_read_buffered(), _gnutls_io_write_buffered() etc.) - * + * * HANDSHAKE LAYER: * 1. Uses buffer to hold the last received handshake message. * (see _gnutls_handshake_hash_buffer_put() etc.) @@ -67,7 +67,7 @@ */ void _gnutls_record_buffer_put(gnutls_session_t session, - content_type_t type, gnutls_uint64 * seq, + content_type_t type, const gnutls_uint64 * seq, mbuffer_st * bufel) { @@ -102,7 +102,7 @@ size_t gnutls_record_check_pending(gnutls_session_t session) * @session: is a #gnutls_session_t type. * * This function checks if there pending corked - * data in the gnutls buffers --see gnutls_record_cork(). + * data in the gnutls buffers --see gnutls_record_cork(). * * Returns: Returns the size of the corked data or zero. * @@ -517,13 +517,13 @@ _gnutls_writev(gnutls_session_t session, const giovec_t * giovec, return i; } -/* +/* * @ms: a pointer to the number of milliseconds to wait for data. Use zero or NULL for indefinite. * * This function is like recv(with MSG_PEEK). But it does not return -1 on error. * It does return gnutls_errno instead. * This function reads data from the socket and keeps them in a buffer, of up to - * max_record_recv_size. + * max_record_recv_size. * * This is not a general purpose function. It returns EXACTLY the data requested, * which are stored in a local (in the session) buffer. @@ -763,7 +763,7 @@ int _gnutls_io_check_recv(gnutls_session_t session, unsigned int ms) return GNUTLS_E_TIMEDOUT; } -/* HANDSHAKE buffers part +/* HANDSHAKE buffers part */ /* This function writes the data that are left in the @@ -823,7 +823,7 @@ ssize_t _gnutls_handshake_io_write_flush(gnutls_session_t session) } -/* This is a send function for the gnutls handshake +/* This is a send function for the gnutls handshake * protocol. Just makes sure that all data have been sent. * */ @@ -1173,7 +1173,7 @@ static int get_last_packet(gnutls_session_t session, RETURN_DTLS_EAGAIN_OR_TIMEOUT(session, 0); } -/* This is a receive function for the gnutls handshake +/* This is a receive function for the gnutls handshake * protocol. Makes sure that we have received all data. * * htype is the next handshake packet expected. @@ -1303,7 +1303,7 @@ int _gnutls_parse_record_buffered_msgs(gnutls_session_t session) handshake_buffer_st tmp; do { - /* we now + /* we now * 0. parse headers * 1. insert to handshake_recv_buffer * 2. sort handshake_recv_buffer on sequence numbers @@ -1391,7 +1391,7 @@ int _gnutls_parse_record_buffered_msgs(gnutls_session_t session) } } -/* This is a receive function for the gnutls handshake +/* This is a receive function for the gnutls handshake * protocol. Makes sure that we have received all data. */ ssize_t @@ -1437,7 +1437,7 @@ _gnutls_handshake_io_recv_int(gnutls_session_t session, } do { - /* if we don't have a complete message waiting for us, try + /* if we don't have a complete message waiting for us, try * receiving more */ ret = _gnutls_recv_in_buffers(session, GNUTLS_HANDSHAKE, htype, diff --git a/lib/buffers.h b/lib/buffers.h index 7f30b0ade1..ef5171a0ce 100644 --- a/lib/buffers.h +++ b/lib/buffers.h @@ -29,7 +29,7 @@ void _gnutls_record_buffer_put(gnutls_session_t session, - content_type_t type, gnutls_uint64 * seq, + content_type_t type, const gnutls_uint64 * seq, mbuffer_st * bufel); inline static int _gnutls_record_buffer_get_size(gnutls_session_t session) diff --git a/lib/cipher-cbc.c b/lib/cipher-cbc.c index 5f6868587c..26f72d7ea4 100644 --- a/lib/cipher-cbc.c +++ b/lib/cipher-cbc.c @@ -72,7 +72,7 @@ static void dummy_wait(record_parameters_st *params, int cbc_mac_verify(gnutls_session_t session, record_parameters_st *params, uint8_t preamble[MAX_PREAMBLE_SIZE], content_type_t type, - gnutls_uint64 *sequence, + const gnutls_uint64 *sequence, const uint8_t *data, size_t data_size, size_t tag_size) { diff --git a/lib/cipher.c b/lib/cipher.c index 991dc8b6b5..679a5807c1 100644 --- a/lib/cipher.c +++ b/lib/cipher.c @@ -54,14 +54,14 @@ static int decrypt_packet(gnutls_session_t session, gnutls_datum_t * plain, content_type_t type, record_parameters_st * params, - gnutls_uint64 * sequence); + const gnutls_uint64 * sequence); static int decrypt_packet_tls13(gnutls_session_t session, gnutls_datum_t * ciphertext, gnutls_datum_t * plain, content_type_t *type, record_parameters_st * params, - gnutls_uint64 * sequence); + const gnutls_uint64 * sequence); static int encrypt_packet_tls13(gnutls_session_t session, @@ -73,7 +73,7 @@ encrypt_packet_tls13(gnutls_session_t session, /* returns ciphertext which contains the headers too. This also * calculates the size in the header field. - * + * */ int _gnutls_encrypt(gnutls_session_t session, @@ -138,7 +138,7 @@ _gnutls_decrypt(gnutls_session_t session, gnutls_datum_t *output, content_type_t *type, record_parameters_st *params, - gnutls_uint64 *sequence) + const gnutls_uint64 *sequence) { int ret; const version_entry_st *vers = get_version(session); @@ -213,7 +213,7 @@ calc_enc_length_stream(gnutls_session_t session, int data_size, * and are not to be sent). Returns their size. */ int -_gnutls_make_preamble(uint8_t * uint64_data, uint8_t type, unsigned int length, +_gnutls_make_preamble(const uint8_t * uint64_data, uint8_t type, unsigned int length, const version_entry_st * ver, uint8_t preamble[MAX_PREAMBLE_SIZE]) { uint8_t *p = preamble; @@ -239,7 +239,7 @@ _gnutls_make_preamble(uint8_t * uint64_data, uint8_t type, unsigned int length, return p - preamble; } -/* This is the actual encryption +/* This is the actual encryption * Encrypts the given plaintext datum, and puts the result to cipher_data, * which has cipher_size size. * return the actual encrypted data length. @@ -322,9 +322,11 @@ encrypt_packet(gnutls_session_t session, /* copy the random IV. */ memcpy(data_ptr, nonce, blocksize); - _gnutls_auth_cipher_setiv(¶ms->write. + ret = _gnutls_auth_cipher_setiv(¶ms->write. ctx.tls12, data_ptr, blocksize); + if (ret < 0) + return gnutls_assert_val(ret); /*data_ptr += blocksize;*/ cipher_data += blocksize; @@ -524,7 +526,7 @@ decrypt_packet(gnutls_session_t session, gnutls_datum_t * ciphertext, gnutls_datum_t * plain, content_type_t type, record_parameters_st * params, - gnutls_uint64 * sequence) + const gnutls_uint64 * sequence) { uint8_t tag[MAX_HASH_SIZE]; uint8_t nonce[MAX_CIPHER_IV_SIZE]; @@ -578,7 +580,7 @@ decrypt_packet(gnutls_session_t session, ret = _gnutls_auth_cipher_tag(¶ms->read.ctx.tls12, tag, tag_size); if (unlikely(ret < 0)) return gnutls_assert_val(ret); - + if (unlikely(gnutls_memcmp(tag, &ciphertext->data[ciphertext->size-tag_size], tag_size) != 0)) { /* HMAC was not the same. */ return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); @@ -734,10 +736,12 @@ decrypt_packet(gnutls_session_t session, /* ignore the IV in TLS 1.1+ */ if (explicit_iv) { - _gnutls_auth_cipher_setiv(¶ms->read. + ret = _gnutls_auth_cipher_setiv(¶ms->read. ctx.tls12, ciphertext->data, blocksize); + if (ret < 0) + return gnutls_assert_val(ret); memcpy(nonce, ciphertext->data, blocksize); ciphertext->size -= blocksize; @@ -786,7 +790,7 @@ decrypt_packet(gnutls_session_t session, pad = plain->data[ciphertext->size - tag_size - 1]; /* pad */ length = ciphertext->size - tag_size - pad - 1; - + if (unlikely(length < 0)) return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); } @@ -804,7 +808,7 @@ decrypt_packet_tls13(gnutls_session_t session, gnutls_datum_t *ciphertext, gnutls_datum_t *plain, content_type_t *type, record_parameters_st *params, - gnutls_uint64 *sequence) + const gnutls_uint64 *sequence) { uint8_t nonce[MAX_CIPHER_IV_SIZE]; size_t length, length_to_decrypt; diff --git a/lib/cipher.h b/lib/cipher.h index 4b32eef9fa..ada9929369 100644 --- a/lib/cipher.h +++ b/lib/cipher.h @@ -32,18 +32,18 @@ int _gnutls_encrypt(gnutls_session_t session, int _gnutls_decrypt(gnutls_session_t session, gnutls_datum_t * ciphertext, gnutls_datum_t * output, content_type_t *type, record_parameters_st * params, - gnutls_uint64 * sequence); + const gnutls_uint64 * sequence); #define MAX_PREAMBLE_SIZE 16 int -_gnutls_make_preamble(uint8_t * uint64_data, uint8_t type, unsigned int length, +_gnutls_make_preamble(const uint8_t * uint64_data, uint8_t type, unsigned int length, const version_entry_st * ver, uint8_t preamble[MAX_PREAMBLE_SIZE]); int cbc_mac_verify(gnutls_session_t session, record_parameters_st *params, uint8_t preamble[MAX_PREAMBLE_SIZE], content_type_t type, - gnutls_uint64 *sequence, + const gnutls_uint64 *sequence, const uint8_t *data, size_t data_size, size_t tag_size); diff --git a/lib/cipher_int.h b/lib/cipher_int.h index a0951f18c5..36c9385fbf 100644 --- a/lib/cipher_int.h +++ b/lib/cipher_int.h @@ -241,11 +241,11 @@ int _gnutls_auth_cipher_decrypt2(auth_cipher_hd_st * handle, int _gnutls_auth_cipher_tag(auth_cipher_hd_st * handle, void *tag, int tag_size); -inline static void _gnutls_auth_cipher_setiv(const auth_cipher_hd_st * +inline static int _gnutls_auth_cipher_setiv(const auth_cipher_hd_st * handle, const void *iv, size_t ivlen) { - _gnutls_cipher_setiv(&handle->cipher, iv, ivlen); + return _gnutls_cipher_setiv(&handle->cipher, iv, ivlen); } inline static size_t _gnutls_auth_cipher_tag_len(auth_cipher_hd_st * diff --git a/lib/dtls-sw.c b/lib/dtls-sw.c index 1e46e299e2..f0fc5a6ef5 100644 --- a/lib/dtls-sw.c +++ b/lib/dtls-sw.c @@ -63,7 +63,7 @@ void _dtls_reset_window(struct record_parameters_st *rp) * packet is detected it returns a negative value (but no sensible error code). * Otherwise zero. */ -int _dtls_record_check(struct record_parameters_st *rp, gnutls_uint64 * _seq) +int _dtls_record_check(struct record_parameters_st *rp, const gnutls_uint64 * _seq) { uint64_t seq_num = 0; diff --git a/lib/dtls.h b/lib/dtls.h index 26df8b9831..53de44621a 100644 --- a/lib/dtls.h +++ b/lib/dtls.h @@ -30,7 +30,7 @@ #include <constate.h> int _dtls_transmit(gnutls_session_t session); -int _dtls_record_check(struct record_parameters_st *rp, gnutls_uint64 * _seq); +int _dtls_record_check(struct record_parameters_st *rp, const gnutls_uint64 * _seq); void _dtls_reset_hsk_state(gnutls_session_t session); void _dtls_reset_window(struct record_parameters_st *rp); diff --git a/lib/handshake.c b/lib/handshake.c index 1e6164cabe..ea48c93b88 100644 --- a/lib/handshake.c +++ b/lib/handshake.c @@ -173,7 +173,7 @@ static int tls12_resume_copy_required_vals(gnutls_session_t session, unsigned ti client_random, session->security_parameters.client_random, GNUTLS_RANDOM_SIZE); - /* keep the ciphersuite and compression + /* keep the ciphersuite and compression * That is because the client must see these in our * hello message. */ @@ -295,6 +295,8 @@ int _gnutls_gen_server_random(gnutls_session_t session, int version) } max = _gnutls_version_max(session); + if (max == NULL) + return gnutls_assert_val(GNUTLS_E_NO_CIPHER_SUITES); if (!IS_DTLS(session) && max->id >= GNUTLS_TLS1_3 && version <= GNUTLS_TLS1_2) { @@ -584,7 +586,7 @@ static int set_auth_types(gnutls_session_t session) return 0; } -/* Read a client hello packet. +/* Read a client hello packet. * A client hello must be a known version client hello * or version 2.0 client hello (only for compatibility * since SSL version 2.0 is not supported). @@ -640,7 +642,7 @@ read_client_hello(gnutls_session_t session, uint8_t * data, DECR_LEN(len, 1); session_id_len = data[pos++]; - /* RESUME SESSION + /* RESUME SESSION */ if (session_id_len > GNUTLS_MAX_SESSION_ID_SIZE) { gnutls_assert(); @@ -931,7 +933,7 @@ int _gnutls_send_finished(gnutls_session_t session, int again) } /* This is to be called after sending our finished message. If everything - * went fine we have negotiated a secure connection + * went fine we have negotiated a secure connection */ int _gnutls_recv_finished(gnutls_session_t session) { @@ -1150,7 +1152,7 @@ check_if_null_comp_present(gnutls_session_t session, /* This function sends an empty handshake packet. (like hello request). * If the previous _gnutls_send_empty_handshake() returned - * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again + * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again * (until it returns ok), with NULL parameters. */ static int @@ -1219,7 +1221,7 @@ _gnutls_send_handshake(gnutls_session_t session, mbuffer_st * bufel, /* This function sends a handshake message of type 'type' containing the * data specified here. If the previous _gnutls_send_handshake() returned - * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again + * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again * (until it returns ok), with NULL parameters. */ int @@ -2036,7 +2038,7 @@ read_server_hello(gnutls_session_t session, return 0; } -/* This function copies the appropriate compression methods, to a locally allocated buffer +/* This function copies the appropriate compression methods, to a locally allocated buffer * Needed in hello messages. Returns the new data length. */ static int @@ -2161,7 +2163,7 @@ static int send_client_hello(gnutls_session_t session, int again) */ session->security_parameters.timestamp = gnutls_time(NULL); - /* Generate random data + /* Generate random data */ if (!(session->internals.hsk_flags & HSK_HRR_RECEIVED) && !(IS_DTLS(session) && session->internals.dtls.hsk_hello_verify_requests == 0)) { @@ -2200,7 +2202,7 @@ static int send_client_hello(gnutls_session_t session, int again) /* Copy the Session ID - if any */ - ret = _gnutls_buffer_append_data_prefix(&extdata, 8, + ret = _gnutls_buffer_append_data_prefix(&extdata, 8, session->internals.resumed_security_parameters.session_id, session_id_len); if (ret < 0) { @@ -2485,7 +2487,7 @@ recv_hello_verify_request(gnutls_session_t session, * <-------- Finished * [ChangeCipherSpec] * Finished --------> - * + * */ /** @@ -2494,7 +2496,7 @@ recv_hello_verify_request(gnutls_session_t session, * * This function can only be called in server side, and * instructs a TLS 1.2 or earlier client to renegotiate - * parameters (perform a handshake), by sending a + * parameters (perform a handshake), by sending a * hello request message. * * If this function succeeds, the calling application @@ -2510,7 +2512,7 @@ recv_hello_verify_request(gnutls_session_t session, * gnutls_handshake() to negotiate the new * parameters. * - * If the client does not wish to renegotiate parameters he + * If the client does not wish to renegotiate parameters he * may reply with an alert message, and in that case the return code seen * by subsequent gnutls_record_recv() will be * %GNUTLS_E_WARNING_ALERT_RECEIVED with the specific alert being @@ -2633,7 +2635,7 @@ static int _gnutls_recv_supplemental(gnutls_session_t session) * initializes the TLS session parameters. * * The non-fatal errors expected by this function are: - * %GNUTLS_E_INTERRUPTED, %GNUTLS_E_AGAIN, + * %GNUTLS_E_INTERRUPTED, %GNUTLS_E_AGAIN, * %GNUTLS_E_WARNING_ALERT_RECEIVED. When this function is called * for re-handshake under TLS 1.2 or earlier, the non-fatal error code * %GNUTLS_E_GOT_APPLICATION_DATA may also be returned. @@ -2874,7 +2876,7 @@ static bool can_send_false_start(gnutls_session_t session) } /* - * handshake_client + * handshake_client * This function performs the client side of the handshake of the TLS/SSL protocol. */ static int handshake_client(gnutls_session_t session) @@ -2980,7 +2982,7 @@ static int handshake_client(gnutls_session_t session) IMED_RET("recv server kx message", ret, 1); FALLTHROUGH; case STATE10: - /* receive the server certificate request - if any + /* receive the server certificate request - if any */ if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ @@ -3101,7 +3103,7 @@ static int handshake_client(gnutls_session_t session) -/* This function is to be called if the handshake was successfully +/* This function is to be called if the handshake was successfully * completed. This sends a Change Cipher Spec packet to the peer. */ ssize_t _gnutls_send_change_cipher_spec(gnutls_session_t session, int again) @@ -3172,7 +3174,7 @@ ssize_t _gnutls_send_change_cipher_spec(gnutls_session_t session, int again) return 0; } -/* This function sends the final handshake packets and initializes connection +/* This function sends the final handshake packets and initializes connection */ static int send_handshake_final(gnutls_session_t session, int init) { @@ -3190,7 +3192,7 @@ static int send_handshake_final(gnutls_session_t session, int init) gnutls_assert(); return ret; } - /* Initialize the connection session (start encryption) - in case of client + /* Initialize the connection session (start encryption) - in case of client */ if (init == TRUE) { ret = _gnutls_connection_state_init(session); @@ -3225,7 +3227,7 @@ static int send_handshake_final(gnutls_session_t session, int init) return 0; } -/* This function receives the final handshake packets +/* This function receives the final handshake packets * And executes the appropriate function to initialize the * read session. */ diff --git a/lib/libgnutls.map b/lib/libgnutls.map index d6973f72ef..6e1da857f6 100644 --- a/lib/libgnutls.map +++ b/lib/libgnutls.map @@ -1395,4 +1395,8 @@ GNUTLS_PRIVATE_3_4 { _gnutls_iov_iter_init; _gnutls_iov_iter_next; _gnutls_iov_iter_sync; + # needed by tests/buffer: + _gnutls_buffer_unescape; + _gnutls_buffer_pop_datum; + _gnutls_buffer_clear; } GNUTLS_3_4; diff --git a/lib/record.c b/lib/record.c index a610662ac0..5105c13fdd 100644 --- a/lib/record.c +++ b/lib/record.c @@ -70,7 +70,7 @@ struct tls_record_st { }; /** - * gnutls_record_disable_padding: + * gnutls_record_disable_padding: * @session: is a #gnutls_session_t type. * * Used to disabled padding in TLS 1.0 and above. Normally you do not @@ -95,7 +95,7 @@ void gnutls_record_disable_padding(gnutls_session_t session) * Used to set the first argument of the transport function (for push * and pull callbacks). In berkeley style sockets this function will set the * connection descriptor. - * + * **/ void gnutls_transport_set_ptr(gnutls_session_t session, @@ -166,7 +166,7 @@ gnutls_transport_set_int2(gnutls_session_t session, * with the descriptor, but requires no casts. * * Since: 3.1.9 - * + * **/ void gnutls_transport_set_int(gnutls_session_t session, int fd) { @@ -273,8 +273,8 @@ int gnutls_transport_get_int(gnutls_session_t session) * Note that not all implementations will properly terminate a TLS * connection. Some of them, usually for performance reasons, will * terminate only the underlying transport layer, and thus not - * distinguishing between a malicious party prematurely terminating - * the connection and normal termination. + * distinguishing between a malicious party prematurely terminating + * the connection and normal termination. * * This function may also return %GNUTLS_E_AGAIN or * %GNUTLS_E_INTERRUPTED; cf. gnutls_record_get_direction(). @@ -354,7 +354,7 @@ inline static int session_is_valid(gnutls_session_t session) return 0; } -/* Copies the record version into the headers. The +/* Copies the record version into the headers. The * version must have 2 bytes at least. */ inline static int @@ -402,7 +402,7 @@ sequence_increment(gnutls_session_t session, gnutls_uint64 * value) /* This function behaves exactly like write(). The only difference is * that it accepts, the gnutls_session_t and the content_type_t of data to * send (if called by the user the Content is specific) - * It is intended to transfer data, under the current session. + * It is intended to transfer data, under the current session. * * @type: The content type to send * @htype: If this is a handshake message then the handshake type @@ -477,7 +477,7 @@ _gnutls_send_tlen_int(gnutls_session_t session, content_type_t type, } else send_data_size = data_size; - /* Only encrypt if we don't have data to send + /* Only encrypt if we don't have data to send * from the previous run. - probably interrupted. */ if (mflags != 0 @@ -497,7 +497,7 @@ _gnutls_send_tlen_int(gnutls_session_t session, content_type_t type, */ cipher_size = MAX_RECORD_SEND_SIZE(session); - bufel = _mbuffer_alloc_align16(cipher_size + CIPHER_SLACK_SIZE, + bufel = _mbuffer_alloc_align16(cipher_size + CIPHER_SLACK_SIZE, get_total_headers2(session, record_params)); if (bufel == NULL) return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); @@ -798,7 +798,7 @@ static int record_add_to_buffers(gnutls_session_t session, struct tls_record_st *recv, content_type_t type, gnutls_handshake_description_t htype, - gnutls_uint64 * seq, mbuffer_st * bufel) + const gnutls_uint64 * seq, mbuffer_st * bufel) { int ret; @@ -837,7 +837,7 @@ record_add_to_buffers(gnutls_session_t session, * deactivate the async timer */ _dtls_async_timer_delete(session); } else { - /* if the expected type is different than the received + /* if the expected type is different than the received */ switch (recv->type) { case GNUTLS_ALERT: @@ -868,7 +868,7 @@ record_add_to_buffers(gnutls_session_t session, */ if (bufel->msg.data[1] == GNUTLS_A_CLOSE_NOTIFY && bufel->msg.data[0] != GNUTLS_AL_FATAL) { - /* If we have been expecting for an alert do + /* If we have been expecting for an alert do */ session->internals.read_eof = 1; ret = GNUTLS_E_SESSION_EOF; @@ -1075,8 +1075,8 @@ record_read_headers(gnutls_session_t session, struct tls_record_st *record) { - /* Read the first two bytes to determine if this is a - * version 2 message + /* Read the first two bytes to determine if this is a + * version 2 message */ #ifdef ENABLE_SSL2 @@ -1085,7 +1085,7 @@ record_read_headers(gnutls_session_t session, && !(IS_DTLS(session))) { /* if msb set and expecting handshake message - * it should be SSL 2 hello + * it should be SSL 2 hello */ record->version[0] = 3; /* assume SSL 3.0 */ record->version[1] = 0; @@ -1146,7 +1146,7 @@ record_read_headers(gnutls_session_t session, } -static int recv_headers(gnutls_session_t session, +static int recv_headers(gnutls_session_t session, record_parameters_st *record_params, content_type_t type, gnutls_handshake_description_t htype, @@ -1173,7 +1173,7 @@ static int recv_headers(gnutls_session_t session, return gnutls_assert_val(ret); } - ret = _mbuffer_linearize_align16(&session->internals.record_recv_buffer, + ret = _mbuffer_linearize_align16(&session->internals.record_recv_buffer, get_total_headers2(session, record_params)); if (ret < 0) return gnutls_assert_val(ret); @@ -1205,7 +1205,7 @@ static int recv_headers(gnutls_session_t session, } /* Here we check if the Type of the received packet is - * ok. + * ok. */ if ((ret = check_recv_type(session, record->type)) < 0) return gnutls_assert_val(ret); @@ -1249,7 +1249,7 @@ static int recv_headers(gnutls_session_t session, /* @ms: is the number of milliseconds to wait for data. Use zero for indefinite. * - * This will receive record layer packets and add them to + * This will receive record layer packets and add them to * application_data_buffer and handshake_data_buffer. * * If the htype is not -1 then handshake timeouts @@ -1260,7 +1260,7 @@ _gnutls_recv_in_buffers(gnutls_session_t session, content_type_t type, gnutls_handshake_description_t htype, unsigned int ms) { - gnutls_uint64 *packet_sequence; + const gnutls_uint64 *packet_sequence; gnutls_datum_t ciphertext; mbuffer_st *bufel = NULL, *decrypted = NULL; gnutls_datum_t t; @@ -1323,7 +1323,7 @@ _gnutls_recv_in_buffers(gnutls_session_t session, content_type_t type, /* ok now we are sure that we have read all the data - so * move on ! */ - ret = _mbuffer_linearize_align16(&session->internals.record_recv_buffer, + ret = _mbuffer_linearize_align16(&session->internals.record_recv_buffer, get_total_headers2(session, record_params)); if (ret < 0) return gnutls_assert_val(ret); @@ -1368,7 +1368,7 @@ _gnutls_recv_in_buffers(gnutls_session_t session, content_type_t type, (uint8_t *) _mbuffer_get_udata_ptr(bufel) + record.header_size; ciphertext.size = record.length; - /* decrypt the data we got. + /* decrypt the data we got. */ t.data = _mbuffer_get_udata_ptr(decrypted); t.size = _mbuffer_get_udata_size(decrypted); @@ -1507,7 +1507,7 @@ _gnutls_recv_in_buffers(gnutls_session_t session, content_type_t type, /* store the last valid sequence number. We don't use that internally but * callers of gnutls_record_get_state() could take advantage of it. */ - memcpy(&record_state->sequence_number, packet_sequence, 8); + record_state->sequence_number = record.sequence; } else { _gnutls_record_log ("REC[%p]: Decrypted Packet[%u] %s(%d) with length: %d\n", @@ -1530,7 +1530,7 @@ _gnutls_recv_in_buffers(gnutls_session_t session, content_type_t type, goto sanity_check_error; } -/* (originally for) TLS 1.0 CBC protection. +/* (originally for) TLS 1.0 CBC protection. * Actually this code is called if we just received * an empty packet. An empty TLS packet is usually * sent to protect some vulnerabilities in the CBC mode. @@ -1861,17 +1861,17 @@ gnutls_record_discard_queued(gnutls_session_t session) * memory copy, and is intended to be used by applications seeking high * performance. * - * The received packet is accessed using gnutls_packet_get() and + * The received packet is accessed using gnutls_packet_get() and * must be deinitialized using gnutls_packet_deinit(). The returned * packet will be %NULL if the return value is zero (EOF). * * Returns: The number of bytes received and zero on EOF (for stream - * connections). A negative error code is returned in case of an error. + * connections). A negative error code is returned in case of an error. * * Since: 3.3.5 **/ ssize_t -gnutls_record_recv_packet(gnutls_session_t session, +gnutls_record_recv_packet(gnutls_session_t session, gnutls_packet_t *packet) { int ret; @@ -1927,12 +1927,12 @@ ssize_t append_data_to_corked(gnutls_session_t session, const void *data, size_t * difference is that it accepts a GnuTLS session, and uses different * error codes. * Note that if the send buffer is full, send() will block this - * function. See the send() documentation for more information. + * function. See the send() documentation for more information. * * You can replace the default push function which is send(), by using * gnutls_transport_set_push_function(). * - * If the EINTR is returned by the internal push function + * If the EINTR is returned by the internal push function * then %GNUTLS_E_INTERRUPTED will be returned. If * %GNUTLS_E_INTERRUPTED or %GNUTLS_E_AGAIN is returned, you must * call this function again with the exact same parameters, or provide a @@ -1941,12 +1941,12 @@ ssize_t append_data_to_corked(gnutls_session_t session, const void *data, size_t * of retrying, you must call gnutls_record_discard_queued() before * calling this function with different parameters. Note that the latter * works only on special transports (e.g., UDP). - * cf. gnutls_record_get_direction(). + * cf. gnutls_record_get_direction(). * * Note that in DTLS this function will return the %GNUTLS_E_LARGE_PACKET * error code if the send data exceed the data MTU value - as returned * by gnutls_dtls_get_data_mtu(). The errno value EMSGSIZE - * also maps to %GNUTLS_E_LARGE_PACKET. + * also maps to %GNUTLS_E_LARGE_PACKET. * Note that since 3.2.13 this function can be called under cork in DTLS * mode, and will refuse to send data over the MTU size by returning * %GNUTLS_E_LARGE_PACKET. @@ -2195,8 +2195,8 @@ void gnutls_record_cork(gnutls_session_t session) * errors will be returned. To obtain the data left in the corked * buffer use gnutls_record_check_corked(). * - * Returns: On success the number of transmitted data is returned, or - * otherwise a negative error code. + * Returns: On success the number of transmitted data is returned, or + * otherwise a negative error code. * * Since: 3.1.9 **/ @@ -2273,7 +2273,7 @@ int gnutls_record_uncork(gnutls_session_t session, unsigned int flags) * gnutls_record_get_direction(). * * Returns: The number of bytes received and zero on EOF (for stream - * connections). A negative error code is returned in case of an error. + * connections). A negative error code is returned in case of an error. * The number of bytes received might be less than the requested @data_size. **/ ssize_t @@ -2305,7 +2305,7 @@ gnutls_record_recv(gnutls_session_t session, void *data, size_t data_size) * This is useful in DTLS where record packets might be received * out-of-order. The returned 8-byte sequence number is an * integer in big-endian format and should be - * treated as a unique message identification. + * treated as a unique message identification. * * Returns: The number of bytes received and zero on EOF. A negative * error code is returned in case of an error. The number of bytes diff --git a/lib/sslv2_compat.c b/lib/sslv2_compat.c index 9d247ba4cb..4dd62d01c1 100644 --- a/lib/sslv2_compat.c +++ b/lib/sslv2_compat.c @@ -241,10 +241,12 @@ _gnutls_read_client_hello_v2(gnutls_session_t session, uint8_t * data, session->internals.resumed = RESUME_TRUE; return 0; } else { - _gnutls_generate_session_id(session->security_parameters. - session_id, - &session->security_parameters. - session_id_size); + ret = _gnutls_generate_session_id( + session->security_parameters.session_id, + &session->security_parameters.session_id_size); + if (ret < 0) + return gnutls_assert_val(ret); + session->internals.resumed = RESUME_FALSE; } @@ -231,7 +231,7 @@ _gnutls_buffer_pop_datum(gnutls_buffer_st * str, gnutls_datum_t * data, return; } -/* converts the buffer to a datum if possible. After this call +/* converts the buffer to a datum if possible. After this call * (failed or not) the buffer should be considered deinitialized. */ int _gnutls_buffer_to_datum(gnutls_buffer_st * str, gnutls_datum_t * data, unsigned is_str) @@ -399,20 +399,17 @@ int _gnutls_buffer_unescape(gnutls_buffer_st * dest) while (pos < dest->length) { if (dest->data[pos] == '%') { - char b[3]; - unsigned int u; - unsigned char x; + if (pos + 1 < dest->length && dest->data[pos + 1] == '%') { + // %% -> % + _gnutls_buffer_delete_data(dest, pos, 1); + } else if (pos + 2 < dest->length && c_isxdigit(dest->data[pos + 1]) && c_isxdigit(dest->data[pos + 2])) { + unsigned char x; - b[0] = dest->data[pos + 1]; - b[1] = dest->data[pos + 2]; - b[2] = 0; + hex_decode((char *) dest->data + pos + 1, 2, &x, 1); - sscanf(b, "%02x", &u); - - x = u; - - _gnutls_buffer_delete_data(dest, pos, 3); - _gnutls_buffer_insert_data(dest, pos, &x, 1); + _gnutls_buffer_delete_data(dest, pos, 3); + _gnutls_buffer_insert_data(dest, pos, &x, 1); + } } pos++; } @@ -656,7 +653,7 @@ gnutls_hex_encode2(const gnutls_datum_t * data, gnutls_datum_t *result) return GNUTLS_E_MEMORY_ERROR; } - ret = hex_encode((char*)data->data, data->size, (char*)result->data, size); + ret = hex_encode((char*)data->data, data->size, (char*)result->data, size); if (ret == 0) { gnutls_free(result->data); return gnutls_assert_val(GNUTLS_E_PARSING_ERROR); diff --git a/lib/x509/output.c b/lib/x509/output.c index 78a0e5c5e8..da45917753 100644 --- a/lib/x509/output.c +++ b/lib/x509/output.c @@ -373,7 +373,7 @@ static void print_aia(gnutls_buffer_st * str, const gnutls_datum_t *der) gnutls_datum_t san = { NULL, 0 }, oid = {NULL, 0}; gnutls_x509_aia_t aia; unsigned int san_type; - + err = gnutls_x509_aia_init(&aia); if (err < 0) return; @@ -491,7 +491,7 @@ static void print_aki(gnutls_buffer_st * str, gnutls_datum_t *der) gnutls_strerror(err)); goto cleanup; } - + adds(str, "\t\t\t"); _gnutls_buffer_hexprint(str, id.data, id.size); adds(str, "\n"); @@ -624,7 +624,7 @@ print_key_purpose(gnutls_buffer_st * str, const char *prefix, gnutls_datum_t *de char *p; int err; gnutls_x509_key_purposes_t purposes; - + err = gnutls_x509_key_purpose_init(&purposes); if (err < 0) { addf(str, "error: gnutls_x509_key_purpose_init: %s\n", @@ -1659,8 +1659,7 @@ print_crt_pubkey(gnutls_buffer_st * str, gnutls_x509_crt_t crt, ret = 0; cleanup: - if (pubkey) - gnutls_pubkey_deinit(pubkey); + gnutls_pubkey_deinit(pubkey); return ret; } @@ -2907,7 +2906,7 @@ gnutls_pubkey_print(gnutls_pubkey_t pubkey, * @format: Indicate the format to use * @out: Newly allocated datum with null terminated string. * - * This function will pretty print X.509 certificate extensions, + * This function will pretty print X.509 certificate extensions, * suitable for display to a human. * * The output @out needs to be deallocated using gnutls_free(). diff --git a/lib/x509/x509.c b/lib/x509/x509.c index 48ab2a7526..62e7abe8e9 100644 --- a/lib/x509/x509.c +++ b/lib/x509/x509.c @@ -357,7 +357,7 @@ static int compare_sig_algorithm(gnutls_x509_crt_t cert) _gnutls_free_datum(&sp2); } - if (empty1 != empty2 || + if (empty1 != empty2 || sp1.size != sp2.size || safe_memcmp(sp1.data, sp2.data, sp1.size) != 0) { gnutls_assert(); ret = GNUTLS_E_CERTIFICATE_ERROR; @@ -622,7 +622,7 @@ gnutls_x509_crt_import(gnutls_x509_crt_t cert, * "C=xxxx,O=yyyy,CN=zzzz" as described in RFC4514. The output string * will be ASCII or UTF-8 encoded, depending on the certificate data. * - * If @buf is null then only the size will be filled. + * If @buf is null then only the size will be filled. * * This function does not output a fully RFC4514 compliant string, if * that is required see gnutls_x509_crt_get_issuer_dn3(). @@ -736,7 +736,7 @@ gnutls_x509_crt_get_issuer_dn3(gnutls_x509_crt_t cert, gnutls_datum_t *dn, unsig * * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not * long enough, and in that case the @buf_size will be updated with - * the required size. %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if there + * the required size. %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if there * are no data in the current index. On success 0 is returned. **/ int @@ -778,7 +778,7 @@ gnutls_x509_crt_get_issuer_dn_by_oid(gnutls_x509_crt_t cert, * * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not * long enough, and in that case the @buf_size will be updated with - * the required size. %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if there + * the required size. %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if there * are no data in the current index. On success 0 is returned. **/ int @@ -806,7 +806,7 @@ gnutls_x509_crt_get_issuer_dn_oid(gnutls_x509_crt_t cert, * described in RFC4514. The output string will be ASCII or UTF-8 * encoded, depending on the certificate data. * - * If @buf is null then only the size will be filled. + * If @buf is null then only the size will be filled. * * This function does not output a fully RFC4514 compliant string, if * that is required see gnutls_x509_crt_get_dn3(). @@ -918,7 +918,7 @@ int gnutls_x509_crt_get_dn3(gnutls_x509_crt_t cert, gnutls_datum_t *dn, unsigned * * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not * long enough, and in that case the @buf_size will be updated with - * the required size. %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if there + * the required size. %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if there * are no data in the current index. On success 0 is returned. **/ int @@ -959,7 +959,7 @@ gnutls_x509_crt_get_dn_by_oid(gnutls_x509_crt_t cert, const char *oid, * * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not * long enough, and in that case the @buf_size will be updated with - * the required size. %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if there + * the required size. %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if there * are no data in the current index. On success 0 is returned. **/ int @@ -1362,11 +1362,11 @@ inline static int is_type_printable(int type) * @critical: will be non-zero if the extension is marked as critical (may be null) * * This function will return the X.509 authority key - * identifier when stored as a general name (authorityCertIssuer) + * identifier when stored as a general name (authorityCertIssuer) * and serial number. * * Because more than one general names might be stored - * @seq can be used as a counter to request them all until + * @seq can be used as a counter to request them all until * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned. * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE @@ -1634,7 +1634,7 @@ gnutls_x509_crt_get_spki(gnutls_x509_crt_t cert, gnutls_x509_spki_t spki, unsign */ int _gnutls_parse_general_name2(ASN1_TYPE src, const char *src_name, - int seq, gnutls_datum_t *dname, + int seq, gnutls_datum_t *dname, unsigned int *ret_type, int othername_oid) { int len, ret; @@ -1817,7 +1817,7 @@ get_alt_name(gnutls_subject_alt_names_t san, goto cleanup; } - if (othername_oid && type == GNUTLS_SAN_OTHERNAME) { + if (othername_oid && type == GNUTLS_SAN_OTHERNAME && ooid.data) { unsigned vtype; ret = gnutls_x509_othername_to_virtual((char*)ooid.data, &oname, &vtype, &virt); if (ret >= 0) { @@ -2369,8 +2369,8 @@ void gnutls_x509_policy_release(struct gnutls_x509_policy_st *policy) * @policy: A pointer to a policy structure. * @critical: will be non-zero if the extension is marked as critical * - * This function will extract the certificate policy (extension 2.5.29.32) - * specified by the given index. + * This function will extract the certificate policy (extension 2.5.29.32) + * specified by the given index. * * The policy returned by this function must be deinitialized by using * gnutls_x509_policy_release(). @@ -2523,7 +2523,7 @@ gnutls_x509_crt_get_extension_by_oid2(gnutls_x509_crt_t cert, unsigned int *critical) { int ret; - + if (cert == NULL) { gnutls_assert(); return GNUTLS_E_INVALID_REQUEST; @@ -2599,7 +2599,7 @@ gnutls_x509_crt_get_extension_oid(gnutls_x509_crt_t cert, unsigned indx, * * If the buffer provided is not long enough to hold the output, then * @oid_size is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER will be - * returned. The @oid returned will be null terminated, although + * returned. The @oid returned will be null terminated, although * @oid_size will not account for the trailing null (the latter is not * true for GnuTLS prior to 3.6.0). * @@ -2786,9 +2786,9 @@ get_dn(gnutls_x509_crt_t cert, const char *whom, gnutls_x509_dn_t * dn, unsigned * @dn: output variable with pointer to uint8_t DN. * * Return the Certificate's Subject DN as a %gnutls_x509_dn_t data type, - * that can be decoded using gnutls_x509_dn_get_rdn_ava(). + * that can be decoded using gnutls_x509_dn_get_rdn_ava(). * - * Note that @dn should be treated as constant. Because it points + * Note that @dn should be treated as constant. Because it points * into the @cert object, you should not use @dn after @cert is * deallocated. * @@ -2806,9 +2806,9 @@ gnutls_x509_crt_get_subject(gnutls_x509_crt_t cert, gnutls_x509_dn_t * dn) * @dn: output variable with pointer to uint8_t DN * * Return the Certificate's Issuer DN as a %gnutls_x509_dn_t data type, - * that can be decoded using gnutls_x509_dn_get_rdn_ava(). + * that can be decoded using gnutls_x509_dn_get_rdn_ava(). * - * Note that @dn should be treated as constant. Because it points + * Note that @dn should be treated as constant. Because it points * into the @cert object, you should not use @dn after @cert is * deallocated. * @@ -3243,13 +3243,13 @@ gnutls_x509_crt_get_preferred_hash_algorithm(gnutls_x509_crt_t crt, return gnutls_assert_val(ret); ret = gnutls_pubkey_import_x509(pubkey, crt, 0); - if (ret < 0) { + if (ret < 0) { gnutls_assert(); goto cleanup; } ret = gnutls_pubkey_get_preferred_hash_algorithm(pubkey, hash, mand); - if (ret < 0) { + if (ret < 0) { gnutls_assert(); goto cleanup; } @@ -3461,13 +3461,13 @@ gnutls_x509_crt_get_pk_rsa_raw(gnutls_x509_crt_t crt, return gnutls_assert_val(ret); ret = gnutls_pubkey_import_x509(pubkey, crt, 0); - if (ret < 0) { + if (ret < 0) { gnutls_assert(); goto cleanup; } ret = gnutls_pubkey_export_rsa_raw(pubkey, m, e); - if (ret < 0) { + if (ret < 0) { gnutls_assert(); goto cleanup; } @@ -3513,13 +3513,13 @@ gnutls_x509_crt_get_pk_ecc_raw(gnutls_x509_crt_t crt, return gnutls_assert_val(ret); ret = gnutls_pubkey_import_x509(pubkey, crt, 0); - if (ret < 0) { + if (ret < 0) { gnutls_assert(); goto cleanup; } ret = gnutls_pubkey_export_ecc_raw(pubkey, curve, x, y); - if (ret < 0) { + if (ret < 0) { gnutls_assert(); goto cleanup; } @@ -3615,13 +3615,13 @@ gnutls_x509_crt_get_pk_dsa_raw(gnutls_x509_crt_t crt, return gnutls_assert_val(ret); ret = gnutls_pubkey_import_x509(pubkey, crt, 0); - if (ret < 0) { + if (ret < 0) { gnutls_assert(); goto cleanup; } ret = gnutls_pubkey_export_dsa_raw(pubkey, p, q, g, y); - if (ret < 0) { + if (ret < 0) { gnutls_assert(); goto cleanup; } @@ -3801,7 +3801,7 @@ gnutls_x509_crt_list_import(gnutls_x509_crt_t * certs, copied++; } - /* now we move ptr after the pem header + /* now we move ptr after the pem header */ ptr++; /* find the next certificate (if any) @@ -4071,7 +4071,7 @@ legacy_parse_aia(ASN1_TYPE src, * * Note that a simpler API to access the authority info data is provided * by gnutls_x509_aia_get() and gnutls_x509_ext_import_aia(). - * + * * This function extracts the Authority Information Access (AIA) * extension, see RFC 5280 section 4.2.2.1 for more information. The * AIA extension holds a sequence of AccessDescription (AD) data. @@ -4093,7 +4093,7 @@ legacy_parse_aia(ASN1_TYPE src, * * If @what is %GNUTLS_IA_URI, @data will hold the accessLocation URI * data. Requesting this @what value leads to an error if the - * accessLocation is not of the "uniformResourceIdentifier" type. + * accessLocation is not of the "uniformResourceIdentifier" type. * * If @what is %GNUTLS_IA_OCSP_URI, @data will hold the OCSP URI. * Requesting this @what value leads to an error if the accessMethod @@ -4189,7 +4189,7 @@ gnutls_x509_crt_get_authority_info_access(gnutls_x509_crt_t crt, * @userdata: data associated with the callback * * This function will set a callback function to be used when - * it is required to access a protected object. This function overrides + * it is required to access a protected object. This function overrides * the global function set using gnutls_pkcs11_set_pin_function(). * * Note that this callback is currently used only during the import @@ -4370,7 +4370,7 @@ gnutls_x509_crt_list_import_url(gnutls_x509_crt_t **certs, * This function will verify the given signed data, using the * parameters from the certificate. * - * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED + * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED * is returned, %GNUTLS_E_EXPIRED or %GNUTLS_E_NOT_YET_ACTIVATED on expired * or not yet activated certificate and zero or positive code on success. * @@ -4452,7 +4452,7 @@ gnutls_x509_crt_verify_data3(gnutls_x509_crt_t crt, * This function will verify the given signed data, using the * parameters from the certificate. * - * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED + * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED * is returned, %GNUTLS_E_EXPIRED or %GNUTLS_E_NOT_YET_ACTIVATED on expired * or not yet activated certificate and zero or positive code on success. * diff --git a/tests/Makefile.am b/tests/Makefile.am index c462b54e41..0f488867de 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -215,7 +215,7 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei resume-with-stek-expiration resume-with-previous-stek rawpk-api \ tls-record-size-limit-asym dh-compute ecdh-compute sign-verify-data-newapi \ sign-verify-newapi sign-verify-deterministic iov aead-cipher-vec \ - tls13-without-timeout-func + tls13-without-timeout-func buffer if HAVE_SECCOMP_TESTS ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp @@ -465,6 +465,10 @@ iov_CPPFLAGS = $(AM_CPPFLAGS) \ -I$(top_srcdir)/gl \ -I$(top_builddir)/gl +buffer_CPPFLAGS = $(AM_CPPFLAGS) \ + -I$(top_srcdir)/gl \ + -I$(top_builddir)/gl + if ENABLE_PKCS11 if !WINDOWS ctests += tls13/post-handshake-with-cert-pkcs11 pkcs11/tls-neg-pkcs11-no-key diff --git a/tests/buffer.c b/tests/buffer.c new file mode 100644 index 0000000000..a6fb476ae0 --- /dev/null +++ b/tests/buffer.c @@ -0,0 +1,78 @@ +/* + * Copyright (C) 2019 Tim Rühsen + * + * This file is part of GnuTLS. + * + * GnuTLS is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GnuTLS is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with GnuTLS; if not, write to the Free Software Foundation, + * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> + +#include <gnutls_int.h> +#include "utils.h" + +void doit(void) +{ + static const struct test_data { + const char * + input; + const char * + output; + } test_data[] = { + { "%20%20", " ", }, + { "%20", " ", }, + { "%2z", "%2z", }, + { "%2", "%2", }, + { "%", "%", }, + { "", "", }, + }; + + for (unsigned it = 0; it < countof(test_data); it++) { + const struct test_data *t = &test_data[it]; + gnutls_buffer_st str; + int ret; + + _gnutls_buffer_init(&str); + + ret = _gnutls_buffer_append_data(&str, t->input, strlen(t->input)); + if (ret < 0) + fail("_gnutls_buffer_append_str: %s\n", gnutls_strerror(ret)); + + ret = _gnutls_buffer_unescape(&str); + if (ret < 0) + fail("_gnutls_buffer_unescape: %s\n", gnutls_strerror(ret)); + + ret = _gnutls_buffer_append_data(&str, "", 1); + if (ret < 0) + fail("_gnutls_buffer_append_data: %s\n", gnutls_strerror(ret)); + + /* using malloc() instead of stack memory for better buffer overflow detection */ + gnutls_datum output; + + _gnutls_buffer_pop_datum(&str, &output, strlen(t->output) + 1); + + if (strcmp(t->output, (char *) output.data)) + fail("output differs [%d]: expected '%s', seen '%s'\n", it, t->output, (char *) output.data); + + _gnutls_buffer_clear(&str); + } +} + diff --git a/tests/dtls-sliding-window.c b/tests/dtls-sliding-window.c index 59efdb1689..f26112401a 100644 --- a/tests/dtls-sliding-window.c +++ b/tests/dtls-sliding-window.c @@ -47,7 +47,7 @@ typedef struct { #define gnutls_assert_val(x) x void _dtls_reset_window(struct record_parameters_st *rp); -int _dtls_record_check(struct record_parameters_st *rp, gnutls_uint64 * _seq); +int _dtls_record_check(struct record_parameters_st *rp, const gnutls_uint64 * _seq); /* taken from nettle */ #ifdef WORDS_BIGENDIAN diff --git a/tests/utils.h b/tests/utils.h index e36e4f3b6b..61d6dc9f9e 100644 --- a/tests/utils.h +++ b/tests/utils.h @@ -49,6 +49,9 @@ # define FALLTHROUGH #endif +/* number of elements within an array */ +#define countof(a) (sizeof(a)/sizeof(*(a))) + inline static int global_init(void) { #ifdef ENABLE_PKCS11 |