diff options
| -rw-r--r-- | .gitlab-ci.yml | 2 | ||||
| -rw-r--r-- | lib/cert-cred-x509.c | 40 | ||||
| -rw-r--r-- | lib/nettle/int/provable-prime.c | 24 | ||||
| -rw-r--r-- | libdane/dane.c | 14 | ||||
| -rw-r--r-- | src/cli.c | 12 | ||||
| -rw-r--r-- | src/pkcs11.c | 2 |
6 files changed, 63 insertions, 31 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 3910b8ebdd..0055df28a3 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -440,7 +440,7 @@ ubsan-Werror.Fedora.x86_64: - make -j$(nproc) -C lib CFLAGS="-Werror -O2 -g -Wimplicit-fallthrough=2" - make -j$(nproc) -C libdane CFLAGS="-Werror -O2 -g -Wimplicit-fallthrough=2" - make -j$(nproc) -C src/gl - - make -j$(nproc) -C src CFLAGS="-Werror -O2 -g -fsanitize=undefined -Wno-error=parentheses -Wno-error=unused-macros -Wimplicit-fallthrough=2" + - make -j$(nproc) -C src CFLAGS="-Werror -O2 -g -fsanitize=undefined -Wno-error=parentheses -Wno-error=unused-macros -Wimplicit-fallthrough=2 -Wno-duplicated-branches" - make -j$(nproc) - make check -j$(nproc) - CFLAGS="-fsanitize=undefined -fsanitize=bool -fsanitize=alignment -fsanitize=null -fsanitize=bounds-strict -fsanitize=enum -fno-sanitize-recover -g -O2" CXXFLAGS=$CFLAGS LDFLAGS="-static-libubsan" dash ./configure diff --git a/lib/cert-cred-x509.c b/lib/cert-cred-x509.c index a3ce796ad8..99a0b366e7 100644 --- a/lib/cert-cred-x509.c +++ b/lib/cert-cred-x509.c @@ -252,7 +252,7 @@ parse_pem_cert_mem(gnutls_certificate_credentials_t res, } count++; - /* now we move ptr after the pem header + /* now we move ptr after the pem header */ ptr++; size--; @@ -1016,8 +1016,8 @@ gnutls_certificate_get_x509_crt(gnutls_certificate_credentials_t res, * entity certificate (e.g., also an intermediate CA cert), the full * certificate chain must be provided in @pcert_list. * - * Note that the @key and the elements of @pcert_list will become part of the credentials - * structure and must not be deallocated. They will be automatically deallocated + * Note that the @key and the elements of @pcert_list will become part of the credentials + * structure and must not be deallocated. They will be automatically deallocated * when the @res structure is deinitialized. * * If that function fails to load the @res structure is at an undefined state, it must @@ -1126,10 +1126,10 @@ gnutls_certificate_set_key(gnutls_certificate_credentials_t res, * @tlist: is a #gnutls_x509_trust_list_t type * @flags: must be zero * - * This function sets a trust list in the gnutls_certificate_credentials_t type. + * This function sets a trust list in the gnutls_certificate_credentials_t type. * - * Note that the @tlist will become part of the credentials - * structure and must not be deallocated. It will be automatically deallocated + * Note that the @tlist will become part of the credentials + * structure and must not be deallocated. It will be automatically deallocated * when the @res structure is deinitialized. * * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code. @@ -1309,7 +1309,7 @@ gnutls_certificate_set_x509_trust_mem(gnutls_certificate_credentials_t res, { int ret; - ret = gnutls_x509_trust_list_add_trust_mem(res->tlist, ca, NULL, + ret = gnutls_x509_trust_list_add_trust_mem(res->tlist, ca, NULL, type, GNUTLS_TL_USE_IN_TLS, 0); if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND) return 0; @@ -1344,7 +1344,10 @@ gnutls_certificate_set_x509_trust(gnutls_certificate_credentials_t res, int ca_list_size) { int ret, i, j; - gnutls_x509_crt_t new_list[ca_list_size]; + gnutls_x509_crt_t *new_list = gnutls_malloc(ca_list_size * sizeof(gnutls_x509_crt_t)); + + if (!new_list) + return GNUTLS_E_MEMORY_ERROR; for (i = 0; i < ca_list_size; i++) { ret = gnutls_x509_crt_init(&new_list[i]); @@ -1368,11 +1371,13 @@ gnutls_certificate_set_x509_trust(gnutls_certificate_credentials_t res, goto cleanup; } + gnutls_free(new_list); return ret; cleanup: for (j = 0; j < i; j++) gnutls_x509_crt_deinit(new_list[j]); + gnutls_free(new_list); return ret; } @@ -1407,7 +1412,7 @@ gnutls_certificate_set_x509_trust_file(gnutls_certificate_credentials_t { int ret; - ret = gnutls_x509_trust_list_add_trust_file(cred->tlist, cafile, NULL, + ret = gnutls_x509_trust_list_add_trust_file(cred->tlist, cafile, NULL, type, GNUTLS_TL_USE_IN_TLS, 0); if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND) return 0; @@ -1421,7 +1426,7 @@ int ret; * @ca_dir: is a directory containing the list of trusted CAs (DER or PEM list) * @type: is PEM or DER * - * This function adds the trusted CAs present in the directory in order to + * This function adds the trusted CAs present in the directory in order to * verify client or server certificates. This function is identical * to gnutls_certificate_set_x509_trust_file() but loads all certificates * in a directory. @@ -1438,7 +1443,7 @@ gnutls_certificate_set_x509_trust_dir(gnutls_certificate_credentials_t cred, { int ret; - ret = gnutls_x509_trust_list_add_trust_dir(cred->tlist, ca_dir, NULL, + ret = gnutls_x509_trust_list_add_trust_dir(cred->tlist, ca_dir, NULL, type, GNUTLS_TL_USE_IN_TLS, 0); if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND) return 0; @@ -1465,7 +1470,7 @@ int gnutls_certificate_set_x509_system_trust(gnutls_certificate_credentials_t cred) { - return gnutls_x509_trust_list_add_system_trust(cred->tlist, + return gnutls_x509_trust_list_add_system_trust(cred->tlist, GNUTLS_TL_USE_IN_TLS, 0); } @@ -1490,7 +1495,7 @@ gnutls_certificate_set_x509_crl_mem(gnutls_certificate_credentials_t res, { int ret; - ret = gnutls_x509_trust_list_add_trust_mem(res->tlist, NULL, CRL, + ret = gnutls_x509_trust_list_add_trust_mem(res->tlist, NULL, CRL, type, GNUTLS_TL_USE_IN_TLS, 0); if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND) return 0; @@ -1520,7 +1525,10 @@ gnutls_certificate_set_x509_crl(gnutls_certificate_credentials_t res, int crl_list_size) { int ret, i, j; - gnutls_x509_crl_t new_crl[crl_list_size]; + gnutls_x509_crl_t *new_crl = gnutls_malloc(crl_list_size * sizeof(gnutls_x509_crl_t)); + + if (!new_crl) + return GNUTLS_E_MEMORY_ERROR; for (i = 0; i < crl_list_size; i++) { ret = gnutls_x509_crl_init(&new_crl[i]); @@ -1544,11 +1552,13 @@ gnutls_certificate_set_x509_crl(gnutls_certificate_credentials_t res, goto cleanup; } + free(new_crl); return ret; cleanup: for (j = 0; j < i; j++) gnutls_x509_crl_deinit(new_crl[j]); + free(new_crl); return ret; } @@ -1574,7 +1584,7 @@ gnutls_certificate_set_x509_crl_file(gnutls_certificate_credentials_t res, { int ret; - ret = gnutls_x509_trust_list_add_trust_file(res->tlist, NULL, crlfile, + ret = gnutls_x509_trust_list_add_trust_file(res->tlist, NULL, crlfile, type, GNUTLS_TL_USE_IN_TLS, 0); if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND) return 0; diff --git a/lib/nettle/int/provable-prime.c b/lib/nettle/int/provable-prime.c index 23e75c1440..585cd031e0 100644 --- a/lib/nettle/int/provable-prime.c +++ b/lib/nettle/int/provable-prime.c @@ -4,17 +4,17 @@ */ /* Copyright (C) 2013 Red Hat - * + * * The nettle library is free software; you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation; either version 2.1 of the License, or (at your * option) any later version. - * + * * The nettle library is distributed in the hope that it will be useful, but * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public * License for more details. - * + * * You should have received a copy of the GNU Lesser General Public License * along with the nettle library; see the file COPYING.LIB. If not, write to * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, @@ -1102,10 +1102,10 @@ static int st_provable_prime_small(mpz_t p, return 0; } -/* The Shawe-Taylor algorithm described in FIPS 186-4. - * +/* The Shawe-Taylor algorithm described in FIPS 186-4. + * * p: (output) the prime - * prime_seed_length: (output) the length of prime_seed. Initially + * prime_seed_length: (output) the length of prime_seed. Initially * must hold the maximum size of prime_seed. The size should be a * byte more than seed_length. * prime_seed: (output) the prime_seed (may be NULL) @@ -1113,7 +1113,7 @@ static int st_provable_prime_small(mpz_t p, * bits: The requested number of bits for prime * seed_length: The length of seed. It is limited by MAX_PVP_SEED_SIZE. * seed: The initial seed - * + * * Returns non zero on success. */ int @@ -1129,7 +1129,7 @@ st_provable_prime(mpz_t p, uint8_t tseed[MAX_PVP_SEED_SIZE+1]; int ret; unsigned pseed_length, iterations; - uint8_t pseed[seed_length + 2]; + uint8_t *pseed; unsigned old_counter, i; mpz_t s, tmp, r, dc0, c0, c, t, z; uint8_t *storage = NULL; @@ -1151,7 +1151,12 @@ st_provable_prime(mpz_t p, mpz_init(c0); mpz_init(dc0); - pseed_length = sizeof(pseed); + pseed_length = seed_length + 2; + + pseed = gnutls_malloc(pseed_length); + if (pseed == NULL) + goto fail; + ret = st_provable_prime(c0, &pseed_length, pseed, &gen_counter, 1+div_ceil(bits, 2), seed_length, seed, progress_ctx, progress); @@ -1302,6 +1307,7 @@ st_provable_prime(mpz_t p, mpz_clear(t); mpz_clear(tmp); mpz_clear(c); + free(pseed); free(storage); return ret; } diff --git a/libdane/dane.c b/libdane/dane.c index 42c98933a4..d7191de273 100644 --- a/libdane/dane.c +++ b/libdane/dane.c @@ -851,7 +851,7 @@ dane_verify_crt_raw(dane_state_t s, * * Note that this function is designed to be run in addition to * PKIX - certificate chain - verification. To be run independently - * the %DANE_VFLAG_ONLY_CHECK_EE_USAGE flag should be specified; + * the %DANE_VFLAG_ONLY_CHECK_EE_USAGE flag should be specified; * then the function will check whether the key of the peer matches the * key advertized in the DANE entry. * @@ -946,7 +946,6 @@ dane_verify_session_crt(dane_state_t s, /* this list may be incomplete, try to get the self-signed CA if any */ if (cert_list_size > 0) { - gnutls_datum_t new_cert_list[cert_list_size+1]; gnutls_x509_crt_t crt, ca; gnutls_certificate_credentials_t sc; @@ -987,11 +986,21 @@ dane_verify_session_crt(dane_state_t s, } /* make the new list */ + gnutls_datum_t *new_cert_list; + + new_cert_list = gnutls_malloc((cert_list_size + 1) * sizeof(gnutls_datum_t)); + if (new_cert_list == NULL) { + gnutls_assert(); + gnutls_x509_crt_deinit(crt); + goto failsafe; + } + memcpy(new_cert_list, cert_list, cert_list_size*sizeof(gnutls_datum_t)); ret = gnutls_x509_crt_export2(ca, GNUTLS_X509_FMT_DER, &new_cert_list[cert_list_size]); if (ret < 0) { gnutls_assert(); + free(new_cert_list); gnutls_x509_crt_deinit(crt); goto failsafe; } @@ -1003,6 +1012,7 @@ dane_verify_session_crt(dane_state_t s, gnutls_assert(); } gnutls_free(new_cert_list[cert_list_size].data); + free(new_cert_list); return ret; } @@ -620,8 +620,14 @@ gnutls_session_t init_tls_session(const char *host) if (HAVE_OPT(ALPN)) { unsigned proto_n = STACKCT_OPT(ALPN); char **protos = (void *) STACKLST_OPT(ALPN); - gnutls_datum_t p[proto_n]; + if (proto_n > 1024) { + fprintf(stderr, "Number of ALPN protocols too large (%d)\n", + proto_n); + exit(1); + } + + gnutls_datum_t p[1024]; for (i = 0; i < proto_n; i++) { p[i].data = (void *) protos[i]; p[i].size = strlen(protos[i]); @@ -1000,7 +1006,7 @@ int do_inline_command_processing(char *buffer_ptr, size_t curr_bytes, continue_inline_processing: /* parse_for_inline_commands_in_buffer hunts for start of an inline command - * sequence. The function maintains state information in inline_cmds. + * sequence. The function maintains state information in inline_cmds. */ inline_cmd_start_found = parse_for_inline_commands_in_buffer(buffer_ptr, bytes, @@ -1854,7 +1860,7 @@ static void init_global_tls_stuff(void) } -/* OCSP check for the peer's certificate. Should be called +/* OCSP check for the peer's certificate. Should be called * only after the certificate list verification is complete. * Returns: * -1: certificate chain could not be checked fully diff --git a/src/pkcs11.c b/src/pkcs11.c index 6a872de397..fd7b219dc7 100644 --- a/src/pkcs11.c +++ b/src/pkcs11.c @@ -1216,7 +1216,7 @@ pkcs11_write(FILE * outfile, const char *url, const char *label, if (ret < 0) { fprintf(stderr, "Error writing certificate: %s\n", gnutls_strerror(ret)); if (((flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_CA) || - (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED)) && + (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED)) && (flags & GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO) == 0) fprintf(stderr, "note: some tokens may require security officer login for this operation\n"); app_exit(1); |