Merge branch 'tmp-fixes-cov' into 'master'

Fixes for issues identified by static analyzers

Closes #518

See merge request gnutls/gnutls!729

11 files changed, 69 insertions, 28 deletions

diff --git a/lib/handshake.c b/lib/handshake.c
index 99967a2ffd..ebea926aa5 100644
--- a/lib/handshake.c
+++ b/lib/handshake.c
@@ -3070,7 +3070,7 @@ ssize_t _gnutls_send_change_cipher_spec(gnutls_session_t session, int again)
 
 		/* under TLS 1.3, CCS may be immediately followed by
 		 * receiving ClientHello thus cannot be cached */
-		if (vers && vers->tls13_sem) {
+		if (vers->tls13_sem) {
 			ret = _gnutls_handshake_io_write_flush(session);
 			if (ret < 0)
 				return gnutls_assert_val(ret);
diff --git a/lib/privkey.c b/lib/privkey.c
index ab2f2771b6..26e3cee893 100644
--- a/lib/privkey.c
+++ b/lib/privkey.c
@@ -1488,6 +1488,7 @@ privkey_sign_raw_data(gnutls_privkey_t key,
 
 			if (se->pk == GNUTLS_PK_RSA) {
 				se = _gnutls_sign_to_entry(GNUTLS_SIGN_RSA_RAW);
+				assert(se != NULL);
 			}
 
 			/* se may not be set here if we are doing legacy RSA */
diff --git a/lib/pubkey.c b/lib/pubkey.c
index ae6fb5cb2b..ad8986f6f2 100644
--- a/lib/pubkey.c
+++ b/lib/pubkey.c
@@ -2143,7 +2143,6 @@ pubkey_verify_hashed_data(const gnutls_sign_entry_st *se,
 			return GNUTLS_E_PK_SIG_VERIFY_FAILED;
 		}
 
-		return 1;
 		break;
 
 	case GNUTLS_PK_ECDSA:
@@ -2157,7 +2156,6 @@ pubkey_verify_hashed_data(const gnutls_sign_entry_st *se,
 			return GNUTLS_E_PK_SIG_VERIFY_FAILED;
 		}
 
-		return 1;
 		break;
 	default:
 		gnutls_assert();
diff --git a/lib/session_pack.c b/lib/session_pack.c
index a8659b5a2d..9fbd5b3ae8 100644
--- a/lib/session_pack.c
+++ b/lib/session_pack.c
@@ -1126,13 +1126,16 @@ gnutls_session_set_premaster(gnutls_session_t session, unsigned int entity,
 		return gnutls_assert_val(ret);
 
 	session->internals.resumed_security_parameters.cs = ciphersuite_to_entry(cs);
-	if (cs == NULL)
+	if (session->internals.resumed_security_parameters.cs == NULL)
 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
 
 	session->internals.resumed_security_parameters.cert_type =
 	    DEFAULT_CERT_TYPE;
 	session->internals.resumed_security_parameters.pversion =
 	    version_to_entry(version);
+	if (session->internals.resumed_security_parameters.pversion ==
+	    NULL)
+		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
 
 	if (session->internals.resumed_security_parameters.pversion->selectable_prf)
 		session->internals.resumed_security_parameters.prf = mac_to_entry(session->internals.resumed_security_parameters.cs->prf);
@@ -1141,10 +1144,6 @@ gnutls_session_set_premaster(gnutls_session_t session, unsigned int entity,
 	if (session->internals.resumed_security_parameters.prf == NULL)
 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
 
-	if (session->internals.resumed_security_parameters.pversion ==
-	    NULL)
-		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
-
 	if (master->size != GNUTLS_MASTER_SIZE)
 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
 
diff --git a/lib/x509/mpi.c b/lib/x509/mpi.c
index 2c301d321d..20a64690a3 100644
--- a/lib/x509/mpi.c
+++ b/lib/x509/mpi.c
@@ -284,10 +284,14 @@ static int write_oid_and_params(ASN1_TYPE dst, const char *dst_name, const char
 	int result;
 	char name[128];
 
+	if (params == NULL) {
+		gnutls_assert();
+		return GNUTLS_E_INVALID_REQUEST;
+	}
+
 	_gnutls_str_cpy(name, sizeof(name), dst_name);
 	_gnutls_str_cat(name, sizeof(name), ".algorithm");
 
-
 	/* write the OID.
 	 */
 	result = asn1_write_value(dst, name, oid, 1);
@@ -305,11 +309,6 @@ static int write_oid_and_params(ASN1_TYPE dst, const char *dst_name, const char
 	else if (params->pk == GNUTLS_PK_RSA_PSS) {
 		gnutls_datum_t tmp = { NULL, 0 };
 
-		if (params == NULL) {
-			gnutls_assert();
-			return GNUTLS_E_INVALID_REQUEST;
-		}
-
 		result = _gnutls_x509_write_rsa_pss_params(params, &tmp);
 		if (result < 0)
 			return gnutls_assert_val(result);
diff --git a/src/benchmark-tls.c b/src/benchmark-tls.c
index 285010ae1f..b0004cf1af 100644
--- a/src/benchmark-tls.c
+++ b/src/benchmark-tls.c
@@ -301,7 +301,11 @@ static void test_ciphersuite(const char *cipher_prio, int size)
 		gnutls_protocol_get_version(server)));
 	fflush(stdout);
 
-	gnutls_rnd(GNUTLS_RND_NONCE, buffer, sizeof(buffer));
+	ret = gnutls_rnd(GNUTLS_RND_NONCE, buffer, sizeof(buffer));
+	if (ret < 0) {
+		fprintf(stderr, "Error in %s\n", str);
+		exit(1);
+	}
 
 	start_benchmark(&st);
 
diff --git a/src/certtool-common.c b/src/certtool-common.c
index d6f668b61f..e44ed5d5aa 100644
--- a/src/certtool-common.c
+++ b/src/certtool-common.c
@@ -809,14 +809,20 @@ static void print_head(FILE * out, const char *txt, unsigned int size,
 {
 	unsigned i;
 	char *p, *ntxt;
+	int ret;
 
 	if (cprint != 0) {
 		if (size > 0)
-			asprintf(&ntxt, "const unsigned char %s[%u] =",
-				 txt, size);
+			ret = asprintf(&ntxt, "const unsigned char %s[%u] =",
+				       txt, size);
 		else
-			asprintf(&ntxt, "const unsigned char %s[] =\n",
-				 txt);
+			ret = asprintf(&ntxt, "const unsigned char %s[] =\n",
+				       txt);
+
+		if (ret == -1) {
+			fprintf(stderr, "memory error\n");
+			app_exit(1);
+		}
 
 		p = strstr(ntxt, "char");
 		p += 5;
diff --git a/src/certtool.c b/src/certtool.c
index 382765e78a..908cff3722 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -884,7 +884,11 @@ static gnutls_digest_algorithm_t get_dig(gnutls_x509_crt_t crt, common_info_st *
 	gnutls_pubkey_t pubkey;
 	int result;
 
-	gnutls_pubkey_init(&pubkey);
+	result = gnutls_pubkey_init(&pubkey);
+	if (result < 0) {
+		fprintf(stderr, "memory error\n");
+		app_exit(1);
+	}
 
 	result = gnutls_pubkey_import_x509(pubkey, crt, 0);
 	if (result < 0) {
@@ -1682,7 +1686,11 @@ void privkey_info(common_info_st * cinfo)
 	size = fread(lbuffer, 1, lbuffer_size - 1, infile);
 	lbuffer[size] = 0;
 
-	gnutls_x509_privkey_init(&key);
+	ret = gnutls_x509_privkey_init(&key);
+	if (ret < 0) {
+		fprintf(stderr, "privkey_init: %s", gnutls_strerror(ret));
+		app_exit(1);
+	}
 
 	pem.data = lbuffer;
 	pem.size = size;
@@ -1736,7 +1744,11 @@ static void privkey_to_rsa(common_info_st * cinfo)
 	size = fread(lbuffer, 1, lbuffer_size - 1, infile);
 	lbuffer[size] = 0;
 
-	gnutls_x509_privkey_init(&key);
+	ret = gnutls_x509_privkey_init(&key);
+	if (ret < 0) {
+		fprintf(stderr, "privkey_init: %s", gnutls_strerror(ret));
+		app_exit(1);
+	}
 
 	pem.data = lbuffer;
 	pem.size = size;
diff --git a/src/common.c b/src/common.c
index ee6c47e01c..a376fdacd8 100644
--- a/src/common.c
+++ b/src/common.c
@@ -1113,7 +1113,10 @@ token_callback(void *user, const char *label, const unsigned retry)
 	}
 	printf("Please insert token '%s' in slot and press enter\n",
 	       label);
-	fgets(buf, sizeof(buf), stdin);
+	if (fgets(buf, sizeof(buf), stdin) == NULL) {
+		fprintf(stderr, "error reading input\n");
+		return -1;
+	}
 
 	return 0;
 }
diff --git a/src/danetool.c b/src/danetool.c
index 3b4fe6046b..b04d92b70e 100644
--- a/src/danetool.c
+++ b/src/danetool.c
@@ -645,7 +645,13 @@ gnutls_session_t init_tls_session(const char *hostname)
 	}
 	gnutls_session_set_ptr(session, &priv);
 
-	gnutls_set_default_priority(session);
+	ret = gnutls_set_default_priority(session);
+	if (ret < 0) {
+		fprintf(stderr, "error[%d]: %s\n", __LINE__,
+			gnutls_strerror(ret));
+		app_exit(1);
+	}
+
 	if (hostname && is_ip(hostname)==0) {
 		gnutls_server_name_set(session, GNUTLS_NAME_DNS, hostname, strlen(hostname));
 	}
diff --git a/src/pkcs11.c b/src/pkcs11.c
index 30c188dda1..0dc2c563fe 100644
--- a/src/pkcs11.c
+++ b/src/pkcs11.c
@@ -127,7 +127,10 @@ const char *get_key_algo_type(gnutls_pkcs11_obj_type_t otype, const char *objurl
 
 	switch (otype) {
 		case GNUTLS_PKCS11_OBJ_X509_CRT:
-			gnutls_x509_crt_init(&crt);
+			ret = gnutls_x509_crt_init(&crt);
+			if (ret < 0)
+				goto fail;
+
 			ret = gnutls_x509_crt_import_url(crt, objurl, flags);
 			if (ret < 0)
 				goto fail;
@@ -153,7 +156,10 @@ const char *get_key_algo_type(gnutls_pkcs11_obj_type_t otype, const char *objurl
 			gnutls_x509_crt_deinit(crt);
 			return p;
 		case GNUTLS_PKCS11_OBJ_PUBKEY:
-			gnutls_pubkey_init(&pubkey);
+			ret = gnutls_pubkey_init(&pubkey);
+			if (ret < 0)
+				goto fail;
+
 			ret = gnutls_pubkey_import_url(pubkey, objurl, flags);
 			if (ret < 0)
 				goto fail;
@@ -176,7 +182,10 @@ const char *get_key_algo_type(gnutls_pkcs11_obj_type_t otype, const char *objurl
 			gnutls_pubkey_deinit(pubkey);
 			return p;
 		case GNUTLS_PKCS11_OBJ_PRIVKEY:
-			gnutls_privkey_init(&privkey);
+			ret = gnutls_privkey_init(&privkey);
+			if (ret < 0)
+				goto fail;
+
 			ret = gnutls_privkey_import_url(privkey, objurl, flags);
 			if (ret < 0)
 				goto fail;
@@ -230,7 +239,11 @@ pkcs11_list(FILE * outfile, const char *url, int type, unsigned int flags,
 
 	FIX(url, outfile, detailed, info);
 
-	gnutls_pkcs11_token_get_flags(url, &flags);
+	ret = gnutls_pkcs11_token_get_flags(url, &flags);
+	if (ret < 0) {
+		flags = 0;
+	}
+
 	if (flags & GNUTLS_PKCS11_TOKEN_TRUSTED)
 		print_exts = 1;