From 8c87d6ff34dbf71bba0d3b776cdf3b43419d78cf Mon Sep 17 00:00:00 2001
From: Daiki Ueno
Date: Mon, 7 Sep 2020 09:52:09 +0200
Subject: .gitlab-ci.yml: bump build environment to Fedora 32
Signed-off-by: Daiki Ueno
---
 .gitlab-ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 095662bea8..82f52e5365 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -39,7 +39,7 @@ variables:
 DEBIAN_CROSS_BUILD: buildenv-debian-cross
 DEBIAN_X86_CROSS_BUILD: buildenv-debian-x86-cross
 FEDORA28_BUILD: buildenv-f28
- FEDORA_BUILD: buildenv-fedora31
+ FEDORA_BUILD: buildenv-fedora32
 MINGW_BUILD: buildenv-mingw
 ALPINE_BASE_BUILD: buildenv-alpine-base
 CPPCHECK_OPTIONS: "--enable=warning --enable=style --enable=performance --enable=portability --std=c99 --suppressions-list=devel/cppcheck.suppressions --template='{id}:{file}:{line},{severity},{message}'"
-- 
cgit v1.2.1
From 60101150f3963104f3fb2362f646d2a203775799 Mon Sep 17 00:00:00 2001
From: Daiki Ueno
Date: Mon, 7 Sep 2020 09:52:52 +0200
Subject: tests: allow clock_nanosleep in seccomp tests
The nanosleep wrapper in glibc has changed the implementation using the clock_nanosleep syscall: https://sourceware.org/git/?p=glibc.git;a=commit;h=3537ecb49cf7177274607004c562d6f9ecc99474
Signed-off-by: Daiki Ueno
---
 tests/seccomp.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tests/seccomp.c b/tests/seccomp.c
index 7137c87b29..ed14d00298 100644
--- a/tests/seccomp.c
+++ b/tests/seccomp.c
@@ -52,6 +52,7 @@ int disable_system_calls(void)
 }
 ADD_SYSCALL(nanosleep, 0);
+ ADD_SYSCALL(clock_nanosleep, 0);
 ADD_SYSCALL(time, 0);
 ADD_SYSCALL(getpid, 0);
 ADD_SYSCALL(gettimeofday, 0);
-- 
cgit v1.2.1
From 887ee6ab7aef1187d23c440f464e40d6bb09e088 Mon Sep 17 00:00:00 2001 
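Review bot: The new `ADD_SYSCALL(clock_nanosleep, 0);` in tests/seccomp.c carries no comment, so a later tidy-up of the allow-list could drop it and the test would then fail only on glibc builds where nanosleep() is implemented on top of clock_nanosleep. Record the reason next to the line: `/* glibc's nanosleep() is now a wrapper over clock_nanosleep (glibc commit 3537ecb49cf7) */`. Widening a seccomp allow-list inside a test binary is harmless, but keeping the justification in the source keeps the list reviewable. disable_system_calls() starts before this hunk.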
From: Daiki Ueno Date: Tue, 8 Sep 2020 19:51:07 +0200 Subject: tls13/session_ticket: remove _gnutls13_session_ticket_unset The function was not really useful because _gnutls_free_datum() has a NULL check as in free(). This also makes GCC 10 happy if -Warray-bounds=2 is specified: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96984 Signed-off-by: Daiki Ueno --- lib/ext/pre_shared_key.c | 36 +++++++++++++++++------------------- lib/state.c | 2 +- lib/tls13/session_ticket.h | 17 ++++------------- 3 files changed, 22 insertions(+), 33 deletions(-) diff --git a/lib/ext/pre_shared_key.c b/lib/ext/pre_shared_key.c index 240be21625..7965ee760d 100644 --- a/lib/ext/pre_shared_key.c +++ b/lib/ext/pre_shared_key.c @@ -277,6 +277,7 @@ client_send_params(gnutls_session_t session, psk_auth_info_t info = NULL; unsigned psk_id_len = 0; unsigned binders_len, binders_pos; + tls13_ticket_st *ticket = &session->internals.tls13_ticket; if (((session->internals.flags & GNUTLS_NO_TICKETS) || session->internals.tls13_ticket.ticket.data == NULL) && 
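Review bot: The new `ticket` alias is declared at the top of client_send_params(), yet the condition at the end of this hunk still spells out `session->internals.tls13_ticket.ticket.data == NULL`, so the function now refers to the same field in two different ways. For consistency with the rest of this commit, change that context line to `ticket->ticket.data == NULL) &&`. client_send_params() continues outside the hunk.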
@@ -295,47 +296,44 @@ client_send_params(gnutls_session_t session, /* First, let's see if we have a session ticket to send */ if (!(session->internals.flags & GNUTLS_NO_TICKETS) && - session->internals.tls13_ticket.ticket.data != NULL) { + ticket->ticket.data != NULL) { + /* We found a session ticket */ - if (unlikely(session->internals.tls13_ticket.prf == NULL)) { - _gnutls13_session_ticket_unset(session); + if (unlikely(ticket->prf == NULL)) { + tls13_ticket_deinit(ticket); ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); goto cleanup; } - prf_res = session->internals.tls13_ticket.prf; + prf_res = ticket->prf; gnutls_gettime(&cur_time); if (unlikely(_gnutls_timespec_cmp(&cur_time, - &session->internals. - tls13_ticket. - arrival_time) < 0)) { + &ticket->arrival_time) < 0)) { gnutls_assert(); - _gnutls13_session_ticket_unset(session); + tls13_ticket_deinit(ticket); goto ignore_ticket; } /* Check whether the ticket is stale */ - ticket_age = timespec_sub_ms(&cur_time, - &session->internals.tls13_ticket. - arrival_time); - if (ticket_age / 1000 > session->internals.tls13_ticket.lifetime) { - _gnutls13_session_ticket_unset(session); + ticket_age = timespec_sub_ms(&cur_time, &ticket->arrival_time); + if (ticket_age / 1000 > ticket->lifetime) { + tls13_ticket_deinit(ticket); goto ignore_ticket; } - ret = compute_psk_from_ticket(&session->internals.tls13_ticket, &rkey); + ret = compute_psk_from_ticket(ticket, &rkey); if (ret < 0) { - _gnutls13_session_ticket_unset(session); + tls13_ticket_deinit(ticket); goto ignore_ticket; } /* Calculate obfuscated ticket age, in milliseconds, mod 2^32 */ - ob_ticket_age = ticket_age + session->internals.tls13_ticket.age_add; + ob_ticket_age = ticket_age + ticket->age_add; if ((ret = _gnutls_buffer_append_data_prefix(extdata, 16, - session->internals.tls13_ticket.ticket.data, - session->internals.tls13_ticket.ticket.size)) < 0) { + ticket->ticket.data, + ticket->ticket.size)) < 0) { gnutls_assert(); goto cleanup; } 
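Review bot: The staleness test `if (ticket_age / 1000 > ticket->lifetime)` only honours the lifetime the server announced; RFC 8446 §4.6.1 additionally forbids a client from using a ticket more than seven days (604800 s) after receipt regardless of the advertised value. If that cap is not enforced where the ticket is stored (not visible here), the new line should read `if (ticket_age / 1000 > ticket->lifetime || ticket_age / 1000 > 604800)`. The declarations of `ticket_age` and `lifetime` are outside the hunk, so whether this comparison mixes signedness cannot be confirmed from this page. The three repeated `tls13_ticket_deinit(ticket); goto ignore_ticket;` sequences could also be collapsed under one `discard_ticket:` label, but that is style only.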
@@ -346,7 +344,7 @@ client_send_params(gnutls_session_t session, goto cleanup; } - psk_id_len += 6 + session->internals.tls13_ticket.ticket.size; + psk_id_len += 6 + ticket->ticket.size; binders_len += 1 + _gnutls_mac_get_algo_len(prf_res); } diff --git a/lib/state.c b/lib/state.c index 817a7b8cd8..03e76522ec 100644 --- a/lib/state.c +++ b/lib/state.c @@ -706,7 +706,7 @@ void gnutls_deinit(gnutls_session_t session) _gnutls_selected_certs_deinit(session); /* destroy any session ticket we may have received */ - _gnutls13_session_ticket_unset(session); + tls13_ticket_deinit(&session->internals.tls13_ticket); /* we rely on priorities' internal reference counting */ gnutls_priority_deinit(session->internals.priorities); diff --git a/lib/tls13/session_ticket.h b/lib/tls13/session_ticket.h index cd65327e5a..39d05c150f 100644 --- a/lib/tls13/session_ticket.h +++ b/lib/tls13/session_ticket.h @@ -33,20 +33,11 @@ int _gnutls13_unpack_session_ticket(gnutls_session_t session, inline static void tls13_ticket_deinit(tls13_ticket_st *ticket) { - if (ticket) { - zeroize_temp_key(&ticket->resumption_master_secret, - sizeof(ticket->resumption_master_secret)); + zeroize_temp_key(&ticket->resumption_master_secret, + sizeof(ticket->resumption_master_secret)); - _gnutls_free_datum(&ticket->ticket); - memset(ticket, 0, sizeof(tls13_ticket_st)); - } -} - -inline static -void _gnutls13_session_ticket_unset(gnutls_session_t session) -{ - if (session->internals.tls13_ticket.ticket.data != NULL) - tls13_ticket_deinit(&session->internals.tls13_ticket); + _gnutls_free_datum(&ticket->ticket); + memset(ticket, 0, sizeof(tls13_ticket_st)); } #endif /* GNUTLS_LIB_TLS13_SESSION_TICKET_H */ -- cgit v1.2.1 From 6750b147fefd6c6824669613c0051cff218d6e3c Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Tue, 8 Sep 2020 19:55:14 +0200 Subject: spki: work around GCC 10 -Warray-bounds false-positive Suggested by Martin Sebor in: https://bugzilla.redhat.com/show_bug.cgi?id=1876801#c1 
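Review bot: In lib/tls13/session_ticket.h, `tls13_ticket_deinit()` now dereferences `ticket` unconditionally and is exported from a header with no contract comment, so dropping the NULL check is only safe while every caller passes the embedded `&session->internals.tls13_ticket`. Add a short comment above the definition stating that `ticket` must be non-NULL, that the resumption master secret is zeroized before the struct is cleared, and that calling it on an already-cleared ticket is harmless because `_gnutls_free_datum()` tolerates a NULL datum (as the commit message relies on). The new unconditional call in gnutls_deinit() in lib/state.c depends on that last property, since it no longer guards on `ticket.data != NULL`.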
Signed-off-by: Daiki Ueno --- lib/privkey.c | 6 ++++-- lib/pubkey.c | 6 ++++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/lib/privkey.c b/lib/privkey.c index 4114e2ca18..9f02c5b062 100644 --- a/lib/privkey.c +++ b/lib/privkey.c @@ -1879,15 +1879,17 @@ int gnutls_privkey_verify_params(gnutls_privkey_t key) int gnutls_privkey_get_spki(gnutls_privkey_t privkey, gnutls_x509_spki_t spki, unsigned int flags) { + gnutls_x509_spki_t p = &privkey->key.x509->params.spki; + if (privkey == NULL || privkey->type != GNUTLS_PRIVKEY_X509) { gnutls_assert(); return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; } - if (privkey->key.x509->params.spki.pk == GNUTLS_PK_UNKNOWN) + if (p->pk == GNUTLS_PK_UNKNOWN) return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); - memcpy(spki, &privkey->key.x509->params.spki, sizeof(gnutls_x509_spki_st)); + memcpy(spki, p, sizeof(gnutls_x509_spki_st)); return 0; } diff --git a/lib/pubkey.c b/lib/pubkey.c index 6f9d54f119..e03aea709e 100644 --- a/lib/pubkey.c +++ b/lib/pubkey.c @@ -2581,15 +2581,17 @@ int gnutls_pubkey_verify_params(gnutls_pubkey_t key) int gnutls_pubkey_get_spki(gnutls_pubkey_t pubkey, gnutls_x509_spki_t spki, unsigned int flags) { + gnutls_x509_spki_t p = &pubkey->params.spki; + if (pubkey == NULL) { gnutls_assert(); return GNUTLS_E_INVALID_REQUEST; } - if (pubkey->params.spki.pk == GNUTLS_PK_UNKNOWN) + if (p->pk == GNUTLS_PK_UNKNOWN) return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); - memcpy(spki, &pubkey->params.spki, sizeof(gnutls_x509_spki_st)); + memcpy(spki, p, sizeof(gnutls_x509_spki_st)); return 0; } -- cgit v1.2.1 From 14045b9be6c8b16544c6ea3fa28d3d26f5eefa61 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Sun, 13 Sep 2020 17:19:32 +0200 Subject: build: remove dead assignments 
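Review bot: `gnutls_x509_spki_t p = &privkey->key.x509->params.spki;` executes before the `privkey == NULL` guard, so a NULL `privkey` now loads `privkey->key.x509` and crashes where gnutls_privkey_get_spki() previously returned GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; it also reads the `x509` union member before `privkey->type` has been checked. The same ordering is introduced in lib/pubkey.c, where `&pubkey->params.spki` on a NULL `pubkey` is undefined behaviour and entitles the compiler to assume `pubkey` is non-NULL, i.e. to delete the guard that follows. In both functions declare `gnutls_x509_spki_t p;` at the top and assign it only after the checks, e.g. `p = &privkey->key.x509->params.spki;` immediately before the `p->pk == GNUTLS_PK_UNKNOWN` test, which still avoids the -Warray-bounds false positive the commit is working around.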
Signed-off-by: Daiki Ueno --- lib/auth/psk_passwd.c | 2 +- lib/auth/srp_passwd.c | 4 +-- lib/ext/pre_shared_key.c | 2 +- lib/x509/key_decode.c | 18 +++++------ lib/x509/output.c | 8 ++--- lib/x509/privkey.c | 77 ++++++++++++++++++++---------------------------- lib/x509/verify.c | 7 ++--- lib/x509_b64.c | 2 +- libdane/dane.c | 9 +++--- src/certtool-common.c | 2 +- src/srptool.c | 4 +-- 11 files changed, 57 insertions(+), 78 deletions(-) diff --git a/lib/auth/psk_passwd.c b/lib/auth/psk_passwd.c index 9a9d68c488..2953c2d8ad 100644 --- a/lib/auth/psk_passwd.c +++ b/lib/auth/psk_passwd.c @@ -105,7 +105,7 @@ static bool username_matches(const gnutls_datum_t *username, hexline.data = (void *) &line[1]; hexline.size = i - 1; - if ((retval = gnutls_hex_decode2(&hexline, &hex_username)) < 0) + if (gnutls_hex_decode2(&hexline, &hex_username) < 0) return gnutls_assert_val(0); if (hex_username.size == username->size) diff --git a/lib/auth/srp_passwd.c b/lib/auth/srp_passwd.c index 49039a66e7..e7d8d602e6 100644 --- a/lib/auth/srp_passwd.c +++ b/lib/auth/srp_passwd.c @@ -218,9 +218,7 @@ pwd_read_conf(const char *pconf_file, SRP_PWD_ENTRY * entry, int idx) } if (strncmp(indexstr, line, MAX(i, len)) == 0) { - if ((idx = - parse_tpasswd_conf_values(entry, - line)) >= 0) { + if (parse_tpasswd_conf_values(entry, line) >= 0) { ret = 0; goto cleanup; } else { diff --git a/lib/ext/pre_shared_key.c b/lib/ext/pre_shared_key.c index 7965ee760d..b5a86b7db1 100644 --- a/lib/ext/pre_shared_key.c +++ b/lib/ext/pre_shared_key.c @@ -575,7 +575,7 @@ static int server_recv_params(gnutls_session_t session, /* This will unpack the session ticket if it is well * formed and has the expected name */ if (!(session->internals.flags & GNUTLS_NO_TICKETS) && - (ret = _gnutls13_unpack_session_ticket(session, &psk.identity, &ticket_data)) == 0) { + _gnutls13_unpack_session_ticket(session, &psk.identity, &ticket_data) == 0) { prf = ticket_data.prf; session->internals.resumption_requested = 1; 
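Review bot: In lib/ext/pre_shared_key.c, a ticket that `_gnutls13_unpack_session_ticket()` rejects (malformed, or not carrying the expected name) now falls through with no trace of why; the removed `ret =` assignment was already dead, so behaviour is unchanged, but the failure remains invisible to anyone debugging resumption problems. A debug line on the rejection path, e.g. `_gnutls_handshake_log("EXT[%p]: session ticket could not be unpacked, treating identity as external PSK\n", session);`, would make such failures observable; whether a suitable `else` branch already exists is outside the hunk. server_recv_params() continues outside the hunk.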
diff --git a/lib/x509/key_decode.c b/lib/x509/key_decode.c index c79f6eee37..00378af94d 100644 --- a/lib/x509/key_decode.c +++ b/lib/x509/key_decode.c @@ -76,16 +76,15 @@ _gnutls_x509_read_rsa_pubkey(uint8_t * der, int dersize, } - if ((result = - _gnutls_x509_read_int(spk, "modulus", - ¶ms->params[0])) < 0) { + if (_gnutls_x509_read_int(spk, "modulus", + ¶ms->params[0]) < 0) { gnutls_assert(); asn1_delete_structure(&spk); return GNUTLS_E_ASN1_GENERIC_ERROR; } - if ((result = _gnutls_x509_read_int(spk, "publicExponent", - ¶ms->params[1])) < 0) { + if (_gnutls_x509_read_int(spk, "publicExponent", + ¶ms->params[1]) < 0) { gnutls_assert(); _gnutls_mpi_release(¶ms->params[0]); asn1_delete_structure(&spk); @@ -200,8 +199,7 @@ _gnutls_x509_read_dsa_params(uint8_t * der, int dersize, /* Read p */ - if ((result = - _gnutls_x509_read_int(spk, "p", ¶ms->params[0])) < 0) { + if (_gnutls_x509_read_int(spk, "p", ¶ms->params[0]) < 0) { gnutls_assert(); asn1_delete_structure(&spk); return GNUTLS_E_ASN1_GENERIC_ERROR; @@ -209,8 +207,7 @@ _gnutls_x509_read_dsa_params(uint8_t * der, int dersize, /* Read q */ - if ((result = - _gnutls_x509_read_int(spk, "q", ¶ms->params[1])) < 0) { + if (_gnutls_x509_read_int(spk, "q", ¶ms->params[1]) < 0) { gnutls_assert(); asn1_delete_structure(&spk); _gnutls_mpi_release(¶ms->params[0]); @@ -219,8 +216,7 @@ _gnutls_x509_read_dsa_params(uint8_t * der, int dersize, /* Read g */ - if ((result = - _gnutls_x509_read_int(spk, "g", ¶ms->params[2])) < 0) { + if (_gnutls_x509_read_int(spk, "g", ¶ms->params[2]) < 0) { gnutls_assert(); asn1_delete_structure(&spk); _gnutls_mpi_release(¶ms->params[0]); diff --git a/lib/x509/output.c b/lib/x509/output.c index 705e8babfa..b669b86b22 100644 --- a/lib/x509/output.c +++ b/lib/x509/output.c 
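Review bot: In `_gnutls_x509_read_dsa_params`, the error path after reading `g` ends the hunk with `_gnutls_mpi_release(&params->params[0]);`, so whether `params->params[1]` (the `q` read a few lines earlier) is also released on the following line cannot be confirmed from here; if it is not, a malformed DSA `g` leaks one MPI. The `¶ms` spelling on this page is an extraction artifact of `&params` and not a code defect. Both functions in this file continue outside their hunks.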
@@ -897,18 +897,18 @@ static void print_subject_sign_tool(gnutls_buffer_st * str, const char *prefix, static void print_issuer_sign_tool(gnutls_buffer_st * str, const char *prefix, const gnutls_datum_t *der) { - int ret, result; + int ret; ASN1_TYPE tmpasn = ASN1_TYPE_EMPTY; char asn1_err[ASN1_MAX_ERROR_DESCRIPTION_SIZE] = ""; gnutls_datum_t tmp; - if ((result = asn1_create_element(_gnutls_get_gnutls_asn(), "GNUTLS.IssuerSignTool", - &tmpasn)) != ASN1_SUCCESS) { + if (asn1_create_element(_gnutls_get_gnutls_asn(), "GNUTLS.IssuerSignTool", + &tmpasn) != ASN1_SUCCESS) { gnutls_assert(); goto hexdump; } - if ((result = _asn1_strict_der_decode(&tmpasn, der->data, der->size, asn1_err)) != ASN1_SUCCESS) { + if (_asn1_strict_der_decode(&tmpasn, der->data, der->size, asn1_err) != ASN1_SUCCESS) { gnutls_assert(); _gnutls_debug_log("_asn1_strict_der_decode: %s\n", asn1_err); goto hexdump; diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c index 3852064648..f35575be9a 100644 --- a/lib/x509/privkey.c +++ b/lib/x509/privkey.c @@ -135,10 +135,9 @@ _gnutls_privkey_decode_pkcs1_rsa_key(const gnutls_datum_t * raw_key, gnutls_pk_params_init(&pkey->params); - if ((result = - asn1_create_element(_gnutls_get_gnutls_asn(), - "GNUTLS.RSAPrivateKey", - &pkey_asn)) != ASN1_SUCCESS) { + if (asn1_create_element(_gnutls_get_gnutls_asn(), + "GNUTLS.RSAPrivateKey", + &pkey_asn) != ASN1_SUCCESS) { gnutls_assert(); return NULL; } 
@@ -151,65 +150,58 @@ _gnutls_privkey_decode_pkcs1_rsa_key(const gnutls_datum_t * raw_key, goto error; } - if ((result = _gnutls_x509_read_int(pkey_asn, "modulus", - &pkey->params.params[0])) < 0) + if (_gnutls_x509_read_int(pkey_asn, "modulus", + &pkey->params.params[0]) < 0) { gnutls_assert(); goto error; } pkey->params.params_nr++; - if ((result = - _gnutls_x509_read_int(pkey_asn, "publicExponent", - &pkey->params.params[1])) < 0) { + if (_gnutls_x509_read_int(pkey_asn, "publicExponent", + &pkey->params.params[1]) < 0) { gnutls_assert(); goto error; } pkey->params.params_nr++; - if ((result = - _gnutls_x509_read_key_int(pkey_asn, "privateExponent", - &pkey->params.params[2])) < 0) { + if (_gnutls_x509_read_key_int(pkey_asn, "privateExponent", + &pkey->params.params[2]) < 0) { gnutls_assert(); goto error; } pkey->params.params_nr++; - if ((result = _gnutls_x509_read_key_int(pkey_asn, "prime1", - &pkey->params.params[3])) < 0) - { + if (_gnutls_x509_read_key_int(pkey_asn, "prime1", + &pkey->params.params[3]) < 0) { gnutls_assert(); goto error; } pkey->params.params_nr++; - if ((result = _gnutls_x509_read_key_int(pkey_asn, "prime2", - &pkey->params.params[4])) < 0) - { + if (_gnutls_x509_read_key_int(pkey_asn, "prime2", + &pkey->params.params[4]) < 0) { gnutls_assert(); goto error; } pkey->params.params_nr++; - if ((result = _gnutls_x509_read_key_int(pkey_asn, "coefficient", - &pkey->params.params[5])) < 0) - { + if (_gnutls_x509_read_key_int(pkey_asn, "coefficient", + &pkey->params.params[5]) < 0) { gnutls_assert(); goto error; } pkey->params.params_nr++; - if ((result = _gnutls_x509_read_key_int(pkey_asn, "exponent1", - &pkey->params.params[6])) < 0) - { + if (_gnutls_x509_read_key_int(pkey_asn, "exponent1", + &pkey->params.params[6]) < 0) { gnutls_assert(); goto error; } pkey->params.params_nr++; - if ((result = _gnutls_x509_read_key_int(pkey_asn, "exponent2", - &pkey->params.params[7])) < 0) - { + if (_gnutls_x509_read_key_int(pkey_asn, "exponent2", + 
&pkey->params.params[7]) < 0) { gnutls_assert(); goto error; } @@ -353,10 +345,9 @@ decode_dsa_key(const gnutls_datum_t * raw_key, gnutls_x509_privkey_t pkey) char oid[MAX_OID_SIZE]; int oid_size; - if ((result = - asn1_create_element(_gnutls_get_gnutls_asn(), - "GNUTLS.DSAPrivateKey", - &dsa_asn)) != ASN1_SUCCESS) { + if (asn1_create_element(_gnutls_get_gnutls_asn(), + "GNUTLS.DSAPrivateKey", + &dsa_asn) != ASN1_SUCCESS) { gnutls_assert(); return NULL; } @@ -372,40 +363,36 @@ decode_dsa_key(const gnutls_datum_t * raw_key, gnutls_x509_privkey_t pkey) goto error; } - if ((result = - _gnutls_x509_read_int(dsa_asn, "p", - &pkey->params.params[0])) < 0) { + if (_gnutls_x509_read_int(dsa_asn, "p", + &pkey->params.params[0]) < 0) { gnutls_assert(); goto error; } pkey->params.params_nr++; - if ((result = - _gnutls_x509_read_int(dsa_asn, "q", - &pkey->params.params[1])) < 0) { + if (_gnutls_x509_read_int(dsa_asn, "q", + &pkey->params.params[1]) < 0) { gnutls_assert(); goto error; } pkey->params.params_nr++; - if ((result = - _gnutls_x509_read_int(dsa_asn, "g", - &pkey->params.params[2])) < 0) { + if (_gnutls_x509_read_int(dsa_asn, "g", + &pkey->params.params[2]) < 0) { gnutls_assert(); goto error; } pkey->params.params_nr++; - if ((result = - _gnutls_x509_read_int(dsa_asn, "Y", - &pkey->params.params[3])) < 0) { + if (_gnutls_x509_read_int(dsa_asn, "Y", + &pkey->params.params[3]) < 0) { gnutls_assert(); goto error; } pkey->params.params_nr++; - if ((result = _gnutls_x509_read_key_int(dsa_asn, "priv", - &pkey->params.params[4])) < 0) + if (_gnutls_x509_read_key_int(dsa_asn, "priv", + &pkey->params.params[4]) < 0) { gnutls_assert(); goto error; diff --git a/lib/x509/verify.c b/lib/x509/verify.c index 4363e818b1..bab223ceca 100644 --- a/lib/x509/verify.c +++ b/lib/x509/verify.c 
@@ -1074,13 +1074,12 @@ _gnutls_verify_crt_status(gnutls_x509_trust_list_t tlist, flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT; } - if ((ret = - verify_crt(tlist, - certificate_list[i - 1], + if (!verify_crt(tlist, + certificate_list[i - 1], &certificate_list[i], 1, flags, &output, &vparams, - i==1?1:0)) != 1) { + i==1?1:0)) { gnutls_assert(); status |= output; status |= GNUTLS_CERT_INVALID; diff --git a/lib/x509_b64.c b/lib/x509_b64.c index fcace95a6f..668760a0b3 100644 --- a/lib/x509_b64.c +++ b/lib/x509_b64.c @@ -86,7 +86,7 @@ _gnutls_fbase64_encode(const char *msg, const uint8_t * data, return GNUTLS_E_MEMORY_ERROR; } - bytes = pos = 0; + bytes = 0; INCR(bytes, top_len, max); pos = top_len; diff --git a/libdane/dane.c b/libdane/dane.c index f05f3ce92c..a7236f9f7b 100644 --- a/libdane/dane.c +++ b/libdane/dane.c @@ -248,13 +248,13 @@ int dane_state_init(dane_state_t * s, unsigned int flags) ub_ctx_debugout(ctx, stderr); if (!(flags & DANE_F_IGNORE_LOCAL_RESOLVER)) { - if ((ret = ub_ctx_resolvconf(ctx, NULL)) != 0) { + if (ub_ctx_resolvconf(ctx, NULL) != 0) { gnutls_assert(); ret = DANE_E_INITIALIZATION_ERROR; goto cleanup; } - if ((ret = ub_ctx_hosts(ctx, NULL)) != 0) { + if (ub_ctx_hosts(ctx, NULL) != 0) { gnutls_assert(); ret = DANE_E_INITIALIZATION_ERROR; goto cleanup; @@ -263,9 +263,8 @@ int dane_state_init(dane_state_t * s, unsigned int flags) /* read public keys for DNSSEC verification */ if (!(flags & DANE_F_IGNORE_DNSSEC)) { - if ((ret = - ub_ctx_add_ta_file(ctx, - (char *) UNBOUND_ROOT_KEY_FILE)) != + if (ub_ctx_add_ta_file(ctx, + (char *) UNBOUND_ROOT_KEY_FILE) != 0) { gnutls_assert(); ret = DANE_E_INITIALIZATION_ERROR; diff --git a/src/certtool-common.c b/src/certtool-common.c index 3af2d08080..31e1c2619f 100644 --- a/src/certtool-common.c +++ b/src/certtool-common.c 
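Review bot: Replacing `(ret = verify_crt(...)) != 1` with `!verify_crt(...)` is only equivalent if `verify_crt()` returns exactly 0 or 1; its declaration is outside the hunk, and if it can return a negative error code like many `_gnutls_*` helpers, the old condition treated that as a failed link while the new one treats it as success inside the chain verifier. A dead-assignment cleanup should not alter the comparison, so either keep the fail-closed form `if (verify_crt(tlist, certificate_list[i - 1], &certificate_list[i], 1, flags, &output, &vparams, i==1?1:0) != 1) {` or add a comment on `verify_crt()` documenting that it returns a boolean. `_gnutls_verify_crt_status()` continues outside the hunk.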
@@ -698,7 +698,7 @@ gnutls_pubkey_t load_public_key_or_import(int mand, app_exit(1); } - if (!privkey || (ret = gnutls_pubkey_import_privkey(pubkey, privkey, 0, 0)) < 0) { /* could not get (e.g. on PKCS #11 */ + if (!privkey || gnutls_pubkey_import_privkey(pubkey, privkey, 0, 0) < 0) { /* could not get (e.g. on PKCS #11) */ gnutls_pubkey_deinit(pubkey); pubkey = load_pubkey(0, info); if (pubkey == NULL && mand) { diff --git a/src/srptool.c b/src/srptool.c index 7939f6bfab..7da14afa6c 100644 --- a/src/srptool.c +++ b/src/srptool.c @@ -318,7 +318,7 @@ verify_passwd(const char *conffile, const char *tpasswd, fclose(fp); - if ((iindex = read_conf_values(&g, &n, line)) < 0) { + if (read_conf_values(&g, &n, line) < 0) { fprintf(stderr, "Cannot parse conf file '%s'\n", conffile); return -1; } @@ -528,7 +528,7 @@ crypt_int(const char *username, const char *passwd, int salt_size, do { /* find the specified uindex in file */ p = fgets(line, sizeof(line) - 1, fp); } - while (p != NULL && (iindex = atoi(p)) != uindex); + while (p != NULL && atoi(p) != uindex); if (p == NULL) { fprintf(stderr, "Cannot find entry in %s\n", tpasswd_conf); -- cgit v1.2.1 From ec1e2b5df5f391b3af9f2a0f25d4e70a98ad44a3 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Mon, 14 Sep 2020 08:31:17 +0200 Subject: inih: remove unused code This avoids -fanalyzer false-positive in GCC 10: https://bugzilla.redhat.com/show_bug.cgi?id=1878600 as well as the cppcheck warning: "variableScope:lib/inih/ini.c:99,style,The scope of the variable 'start' can be reduced." Signed-off-by: Daiki Ueno --- lib/inih/ini.c | 72 ++++------------------------------------------------------ lib/inih/ini.h | 26 --------------------- 2 files changed, 4 insertions(+), 94 deletions(-) diff --git a/lib/inih/ini.c b/lib/inih/ini.c index 81df6a037f..0393625b71 100644 --- a/lib/inih/ini.c +++ b/lib/inih/ini.c 
@@ -24,12 +24,6 @@ https://github.com/benhoyt/inih #define MAX_SECTION 50 #define MAX_NAME 50 -/* Used by ini_parse_string() to keep track of string parsing state. */ -typedef struct { - const char* ptr; - size_t num_left; -} ini_parse_string_ctx; - /* Strip whitespace chars off end of given string, in place. Return s. */ static char* rstrip(char* s) { @@ -76,8 +70,7 @@ static char* strncpy0(char* dest, const char* src, size_t size) } /* See documentation in header file. */ -int ini_parse_stream(ini_reader reader, void* stream, ini_handler handler, - void* user) +int ini_parse_file(FILE* file, ini_handler handler, void* user) { /* Uses a fair bit of stack (use heap instead if you need to) */ #if INI_USE_STACK @@ -94,7 +87,6 @@ int ini_parse_stream(ini_reader reader, void* stream, ini_handler handler, char section[MAX_SECTION] = ""; char prev_name[MAX_NAME] = ""; - char* start; char* end; char* name; char* value; @@ -115,7 +107,8 @@ int ini_parse_stream(ini_reader reader, void* stream, ini_handler handler, #endif /* Scan through stream line by line */ - while (reader(line, max_line, stream) != NULL) { + while (fgets(line, max_line, file) != NULL) { + char* start; #if INI_ALLOW_REALLOC && !INI_USE_STACK offset = strlen(line); while (offset == max_line - 1 && line[offset - 1] != '\n') { @@ -128,7 +121,7 @@ int ini_parse_stream(ini_reader reader, void* stream, ini_handler handler, return -2; } line = new_line; - if (reader(line + offset, max_line - offset, stream) == NULL) + if (fgets(line + offset, max_line - offset, file) == NULL) break; if (max_line >= INI_MAX_LINE) break; 
@@ -210,60 +203,3 @@ int ini_parse_stream(ini_reader reader, void* stream, ini_handler handler, return error; } - -/* See documentation in header file. */ -int ini_parse_file(FILE* file, ini_handler handler, void* user) -{ - return ini_parse_stream((ini_reader)fgets, file, handler, user); -} - -/* See documentation in header file. */ -int ini_parse(const char* filename, ini_handler handler, void* user) -{ - FILE* file; - int error; - - file = fopen(filename, "r"); - if (!file) - return -1; - error = ini_parse_file(file, handler, user); - fclose(file); - return error; -} - -/* An ini_reader function to read the next line from a string buffer. This - is the fgets() equivalent used by ini_parse_string(). */ -static char* ini_reader_string(char* str, int num, void* stream) { - ini_parse_string_ctx* ctx = (ini_parse_string_ctx*)stream; - const char* ctx_ptr = ctx->ptr; - size_t ctx_num_left = ctx->num_left; - char* strp = str; - char c; - - if (ctx_num_left == 0 || num < 2) - return NULL; - - while (num > 1 && ctx_num_left != 0) { - c = *ctx_ptr++; - ctx_num_left--; - *strp++ = c; - if (c == '\n') - break; - num--; - } - - *strp = '\0'; - ctx->ptr = ctx_ptr; - ctx->num_left = ctx_num_left; - return str; -} - -/* See documentation in header file. */ -int ini_parse_string(const char* string, ini_handler handler, void* user) { - ini_parse_string_ctx ctx; - - ctx.ptr = string; - ctx.num_left = strlen(string); - return ini_parse_stream((ini_reader)ini_reader_string, &ctx, handler, - user); -} diff --git a/lib/inih/ini.h b/lib/inih/ini.h index 6c3d664d2e..a8fef27f85 100644 --- a/lib/inih/ini.h +++ b/lib/inih/ini.h 
@@ -36,36 +36,10 @@ typedef int (*ini_handler)(void* user, const char* section, /* Typedef for prototype of fgets-style reader function. */ typedef char* (*ini_reader)(char* str, int num, void* stream); -/* Parse given INI-style file. May have [section]s, name=value pairs - (whitespace stripped), and comments starting with ';' (semicolon). Section - is "" if name=value pair parsed before any section heading. name:value - pairs are also supported as a concession to Python's configparser. - - For each name=value pair parsed, call handler function with given user - pointer as well as section, name, and value (data only valid for duration - of handler call). Handler should return nonzero on success, zero on error. - - Returns 0 on success, line number of first error on parse error (doesn't - stop on first error), -1 on file open error, or -2 on memory allocation - error (only when INI_USE_STACK is zero). -*/ -int ini_parse(const char* filename, ini_handler handler, void* user); - /* Same as ini_parse(), but takes a FILE* instead of filename. This doesn't close the file when it's finished -- the caller must do that. */ int ini_parse_file(FILE* file, ini_handler handler, void* user); -/* Same as ini_parse(), but takes an ini_reader function pointer instead of - filename. Used for implementing custom or string-based I/O (see also - ini_parse_string). */ -int ini_parse_stream(ini_reader reader, void* stream, ini_handler handler, - void* user); - -/* Same as ini_parse(), but takes a zero-terminated string with the INI data -instead of a file. Useful for parsing INI data from a network socket or -already in memory. */ -int ini_parse_string(const char* string, ini_handler handler, void* user); - /* Nonzero to allow multi-line value parsing, in the style of Python's configparser. If allowed, ini_parse() will call the handler with the same name for each subsequent line parsed. */ -- cgit v1.2.1 From 23958322865a8a77c2f924f569484e5fd150a24b Mon Sep 17 00:00:00 2001 
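Review bot: The retained comment on `ini_parse_file()` still reads "Same as ini_parse(), but takes a FILE* instead of filename", and the INI_ALLOW_MULTILINE comment at the end of the hunk still says "ini_parse() will call the handler", yet `ini_parse()` is deleted in this same hunk, so the header now documents its only public entry point by reference to a function that no longer exists. Move the parsing contract onto `ini_parse_file()` itself — sections, name=value pairs, `;` comments, the handler's nonzero-on-success convention, and the return values (0, line number of the first error, -2 on allocation failure; -1 can no longer occur since the caller opens the file) — and change the later reference to `ini_parse_file()`. The `ini_reader` typedef kept at the top of the hunk has no remaining user visible in this commit now that `ini_parse_stream()` is gone and could be dropped too.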
From: Daiki Ueno Date: Mon, 14 Sep 2020 17:59:00 +0200 Subject: testcompat-openssl: specify -sigalgs The default selection of signature schemes is also affected by the crypto-policies, and needs to be explicitly enabled with -sigalgs. Suggested by Tomas Mraz. Signed-off-by: Daiki Ueno --- tests/suite/testcompat-main-openssl | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/tests/suite/testcompat-main-openssl b/tests/suite/testcompat-main-openssl index 9c50a652b5..ce87a4ba5e 100755 --- a/tests/suite/testcompat-main-openssl +++ b/tests/suite/testcompat-main-openssl @@ -53,6 +53,7 @@ PORT="${PORT:-${RPORT}}" SERV=openssl OPENSSL_CLI="$SERV" +SIGALGS=RSA+SHA1:RSA+SHA256 echo "Compatibility checks using "`${SERV} version` ${SERV} version|grep -e '1\.[0-9]\..' >/dev/null 2>&1 @@ -88,6 +89,7 @@ if test $NO_DSS != 0;then echo "Disabling interop tests for DSS ciphersuites" else DSA_PARAMS="-dkey ${DSA_KEY} -dcert ${DSA_CERT}" + SIGALGS="$SIGALGS:DSA+SHA1:DSA+SHA256" fi ${SERV} ciphers -v ALL 2>&1|grep -e CAMELLIA >/dev/null 2>&1 @@ -154,7 +156,7 @@ run_client_suite() { # It seems debian disabled SSL 3.0 completely on openssl eval "${GETPORT}" - launch_bare_server $$ s_server -cipher ALL -quiet -www -accept "${PORT}" -keyform pem -certform pem -ssl3 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null + launch_bare_server $$ s_server -cipher ALL -sigalgs "$SIGALGS" -quiet -www -accept "${PORT}" -keyform pem -certform pem -ssl3 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null PID=$! wait_server ${PID} 
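Review bot: `SIGALGS=RSA+SHA1:RSA+SHA256` deliberately re-enables SHA-1 signatures, but nothing in the script says why, so a later hardening pass could strip it and silently break the interop cases that depend on it. Add a comment above the assignment, e.g. `# crypto-policies may narrow OpenSSL's default signature schemes; pass the ones the interop cases need explicitly`, which is the reason given in the commit message. Passing `-sigalgs` to the `-ssl3` s_server in the third hunk is presumably a no-op, since SSL 3.0 has no signature_algorithms negotiation, so it is harmless but worth a note if that case is kept.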
@@ -211,7 +213,7 @@ run_client_suite() { #-cipher RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA eval "${GETPORT}" - launch_bare_server $$ s_server -cipher "ALL:@SECLEVEL=1" -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null + launch_bare_server $$ s_server -cipher "ALL:@SECLEVEL=1" -sigalgs "$SIGALGS" -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null PID=$! wait_server ${PID} @@ -334,7 +336,7 @@ run_client_suite() { # Tests requiring openssl 1.0.1 - TLS 1.2 #-cipher RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA eval "${GETPORT}" - launch_bare_server $$ s_server -cipher 'ALL:@SECLEVEL=1' -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null + launch_bare_server $$ s_server -cipher 'ALL:@SECLEVEL=1' -sigalgs "$SIGALGS" -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null PID=$! wait_server ${PID} @@ -634,7 +636,7 @@ run_server_suite() { PID=$! wait_server ${PID} - ${OPENSSL_CLI} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ + ${OPENSSL_CLI} s_client -host localhost -cipher ALL:@SECLEVEL=1 -sigalgs "$SIGALGS" -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} 
@@ -756,7 +758,7 @@ run_server_suite() { PID=$! wait_server ${PID} - ${OPENSSL_CLI} s_client -cipher DHE -host localhost -cipher 'ALL:@SECLEVEL=1' -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ + ${OPENSSL_CLI} s_client -cipher DHE -host localhost -cipher 'ALL:@SECLEVEL=1' -sigalgs "$SIGALGS" -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" &1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} -- cgit v1.2.1
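Review bot: The rewritten s_client line passes `-cipher DHE` and later `-cipher 'ALL:@SECLEVEL=1'`; OpenSSL's s_client keeps only the last `-cipher` it parses, so the DHE restriction this case is meant to exercise is dropped and any enabled suite can be negotiated. Merge the two into a single option, `-cipher 'DHE:@SECLEVEL=1'`, so the test still constrains the key exchange. The `&1 | grep` fragment on both the old and new line looks like a redirection damaged during page extraction (`</dev/null 2>&1` would be expected), not a script defect as far as this page shows.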