From ae01dec634d03b1e207491357488400c11660c07 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Thu, 8 Sep 2011 17:57:21 -0400 Subject: [PATCH 137/150] - remove most of the braces that aren't strictly necessary - fix a logic bug in cert_load_certs_with_keys_from_slot --- src/plugins/preauth/pkinit/pkinit_crypto_nss.c | 631 ++++++++--------------- 1 files changed, 220 insertions(+), 411 deletions(-) diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c index c4cf646..0132759 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c @@ -436,9 +436,8 @@ get_pkinit_data_auth_data_tag(void) CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION, }; - if (oid_pkinit_auth_data.offset == SEC_OID_UNKNOWN) { + if (oid_pkinit_auth_data.offset == SEC_OID_UNKNOWN) oid_pkinit_auth_data.offset = SECOID_AddEntry(&oid_pkinit_auth_data); - } return oid_pkinit_auth_data.offset; } @@ -458,9 +457,8 @@ get_pkinit_data_auth_data9_tag(void) CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION, }; - if (oid_pkinit_auth_data9.offset == SEC_OID_UNKNOWN) { + if (oid_pkinit_auth_data9.offset == SEC_OID_UNKNOWN) oid_pkinit_auth_data9.offset = SECOID_AddEntry(&oid_pkinit_auth_data9); - } return oid_pkinit_auth_data9.offset; } @@ -480,9 +478,8 @@ get_pkinit_data_rkey_data_tag(void) CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION, }; - if (oid_pkinit_rkey_data.offset == SEC_OID_UNKNOWN) { + if (oid_pkinit_rkey_data.offset == SEC_OID_UNKNOWN) oid_pkinit_rkey_data.offset = SECOID_AddEntry(&oid_pkinit_rkey_data); - } return oid_pkinit_rkey_data.offset; } @@ -502,9 +499,8 @@ get_pkinit_data_dhkey_data_tag(void) CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION, }; - if (oid_pkinit_dhkey_data.offset == SEC_OID_UNKNOWN) { + if (oid_pkinit_dhkey_data.offset == SEC_OID_UNKNOWN) oid_pkinit_dhkey_data.offset = SECOID_AddEntry(&oid_pkinit_dhkey_data); - } return oid_pkinit_dhkey_data.offset; } @@ -513,11 +509,10 @@ get_oid_from_tag(SECOidTag tag) { SECOidData *data; data = SECOID_FindOIDByTag(tag); - if (data != NULL) { + if (data != NULL) return &data->oid; - } else { + else return NULL; - } } #ifdef DEBUG_DER @@ -560,17 +555,14 @@ crypto_pwfn(const char *what, PRBool retry, void *arg) void *data; /* We only want to be called once. */ - if (retry) { + if (retry) return NULL; - } /* We need our callback arguments. */ - if (arg == NULL) { + if (arg == NULL) return NULL; - } id = arg; - if (id->pwcb_args.prompter == NULL) { + if (id->pwcb_args.prompter == NULL) return NULL; - } /* Set up the prompt. */ text = PORT_ArenaZAlloc(id->pool, strlen(what) + 100); @@ -608,9 +600,8 @@ crypto_pwfn(const char *what, PRBool retry, void *arg) #endif } - if (reply.data == data) { + if (reply.data == data) free(reply.data); - } return answer; } @@ -640,9 +631,8 @@ pkinit_init_identity_crypto(pkinit_identity_crypto_context *id_cryptoctx) pkiDebug("%s\n", __FUNCTION__); pool = PORT_NewArena(sizeof(double)); - if (pool == NULL) { + if (pool == NULL) return ENOMEM; - } id = PORT_ArenaZAlloc(pool, sizeof(*id)); if (id == NULL) { PORT_FreeArena(pool, PR_TRUE); @@ -655,12 +645,10 @@ pkinit_init_identity_crypto(pkinit_identity_crypto_context *id_cryptoctx) *id_cryptoctx = id; return 0; } - if (id->ca_certs != NULL) { + if (id->ca_certs != NULL) CERT_DestroyCertList(id->ca_certs); - } - if (id->id_certs != NULL) { + if (id->id_certs != NULL) CERT_DestroyCertList(id->id_certs); - } PORT_FreeArena(pool, PR_TRUE); return ENOMEM; } @@ -686,9 +674,8 @@ crypto_get_p12_slot(struct _pkinit_identity_crypto_context *id) break; } else { free(spec); - if (errno != EEXIST) { + if (errno != EEXIST) break; - } } attempts++; } @@ -698,11 +685,10 @@ crypto_get_p12_slot(struct _pkinit_identity_crypto_context *id) strlen("configDir='' flags=readOnly") + strlen(configdir) + 1); if (spec != NULL) { - if (strcmp(configdir, DEFAULT_CONFIGDIR) != 0) { + if (strcmp(configdir, DEFAULT_CONFIGDIR) != 0) sprintf(spec, "configDir='%s'", configdir); - } else { + else sprintf(spec, "configDir='%s' flags=readOnly", configdir); - } id->id_p12_slot = SECMOD_OpenUserDB(spec); } #ifdef PKCS12_HACK @@ -711,17 +697,15 @@ crypto_get_p12_slot(struct _pkinit_identity_crypto_context *id) struct dirent *ent; char *path; /* First, initialize the slot. */ - if (id->id_p12_slot != NULL) { - if (PK11_NeedUserInit(id->id_p12_slot)) { + if (id->id_p12_slot != NULL) + if (PK11_NeedUserInit(id->id_p12_slot)) PK11_InitPin(id->id_p12_slot, "", ""); - } - } /* Scan the directory, deleting all of the contents. */ dir = opendir(configdir); - if (dir == NULL) { + if (dir == NULL) pkiDebug("%s: error removing directory \"%s\": %s\n", __FUNCTION__, configdir, strerror(errno)); - } else { + else { while ((ent = readdir(dir)) != NULL) { path = PORT_Alloc(strlen(configdir) + 1 + strlen(ent->d_name) + 1); @@ -759,40 +743,28 @@ pkinit_fini_identity_crypto(pkinit_identity_crypto_context id_cryptoctx) pkiDebug("%s\n", __FUNCTION__); /* The order of cleanup here is intended to ensure that nothing gets * freed before anything that might have a reference to it. */ - if (id_cryptoctx->id_cert != NULL) { + if (id_cryptoctx->id_cert != NULL) CERT_DestroyCertificate(id_cryptoctx->id_cert); - } CERT_DestroyCertList(id_cryptoctx->ca_certs); CERT_DestroyCertList(id_cryptoctx->id_certs); - if (id_cryptoctx->id_objects != NULL) { - for (i = 0; id_cryptoctx->id_objects[i] != NULL; i++) { + if (id_cryptoctx->id_objects != NULL) + for (i = 0; id_cryptoctx->id_objects[i] != NULL; i++) PK11_DestroyGenericObjects(id_cryptoctx->id_objects[i]); - } - } - if (id_cryptoctx->id_p12_slot != NULL) { - if ((i = crypto_close_p12_slot(id_cryptoctx)) != 0) { + if (id_cryptoctx->id_p12_slot != NULL) + if ((i = crypto_close_p12_slot(id_cryptoctx)) != 0) pkiDebug("%s: error closing pkcs12 slot: %s\n", __FUNCTION__, strerror(i)); - } - } - if (id_cryptoctx->id_userdbs != NULL) { - for (i = 0; id_cryptoctx->id_userdbs[i] != NULL; i++) { + if (id_cryptoctx->id_userdbs != NULL) + for (i = 0; id_cryptoctx->id_userdbs[i] != NULL; i++) SECMOD_CloseUserDB(id_cryptoctx->id_userdbs[i]); - } - } - if (id_cryptoctx->id_modules != NULL) { - for (i = 0; id_cryptoctx->id_modules[i] != NULL; i++) { + if (id_cryptoctx->id_modules != NULL) + for (i = 0; id_cryptoctx->id_modules[i] != NULL; i++) SECMOD_UnloadUserModule(id_cryptoctx->id_modules[i]); - } - } - if (id_cryptoctx->id_crls != NULL) { - for (i = 0; id_cryptoctx->id_crls[i] != NULL; i++) { + if (id_cryptoctx->id_crls != NULL) + for (i = 0; id_cryptoctx->id_crls[i] != NULL; i++) CERT_UncacheCRL(CERT_GetDefaultCertDB(), id_cryptoctx->id_crls[i]); - } - } - if (id_cryptoctx->pem_module != NULL) { + if (id_cryptoctx->pem_module != NULL) SECMOD_UnloadUserModule(id_cryptoctx->pem_module); - } PORT_FreeArena(id_cryptoctx->pool, PR_TRUE); } @@ -807,9 +779,8 @@ crypto_register_any(SECOidTag tag) NULL, NULL, NULL, - NULL, NULL, PR_TRUE) != SECSuccess) { + NULL, NULL, PR_TRUE) != SECSuccess) return ENOMEM; - } return 0; } @@ -866,12 +837,10 @@ void pkinit_fini_plg_crypto(pkinit_plg_crypto_context plg_cryptoctx) { pkiDebug("%s\n", __FUNCTION__); - if (plg_cryptoctx == NULL) { + if (plg_cryptoctx == NULL) return; - } - if (NSS_ShutdownContext(plg_cryptoctx->ncontext) != SECSuccess) { + if (NSS_ShutdownContext(plg_cryptoctx->ncontext) != SECSuccess) pkiDebug("%s: error shutting down context\n", __FUNCTION__); - } PORT_FreeArena(plg_cryptoctx->pool, PR_TRUE); } @@ -897,15 +866,12 @@ void pkinit_fini_req_crypto(pkinit_req_crypto_context req_cryptoctx) { pkiDebug("%s\n", __FUNCTION__); - if (req_cryptoctx->client_dh_privkey != NULL) { + if (req_cryptoctx->client_dh_privkey != NULL) SECKEY_DestroyPrivateKey(req_cryptoctx->client_dh_privkey); - } - if (req_cryptoctx->client_dh_pubkey != NULL) { + if (req_cryptoctx->client_dh_pubkey != NULL) SECKEY_DestroyPublicKey(req_cryptoctx->client_dh_pubkey); - } - if (req_cryptoctx->peer_cert != NULL) { + if (req_cryptoctx->peer_cert != NULL) CERT_DestroyCertificate(req_cryptoctx->peer_cert); - } PORT_FreeArena(req_cryptoctx->pool, PR_TRUE); } @@ -914,9 +880,8 @@ static int secitem_to_buf_len(SECItem *item, unsigned char **out, unsigned int *len) { *out = malloc(item->len); - if (*out == NULL) { + if (*out == NULL) return ENOMEM; - } memcpy(*out, item->data, item->len); *len = item->len; return 0; @@ -933,9 +898,8 @@ secitem_to_dh_pubval(SECItem *item, unsigned char **out, unsigned int *len) int i; pool = PORT_NewArena(sizeof(double)); - if (pool == NULL) { + if (pool == NULL) return ENOMEM; - } if (item->data[0] & 0x80) { uval = SECITEM_AllocItem(pool, NULL, item->len + 1); @@ -976,15 +940,13 @@ secitem_from_dh_pubval(PLArenaPool *pool, memset(&uinteger, 0, sizeof(uinteger)); if (SEC_ASN1DecodeItem(pool, &uinteger, SEC_ASN1_GET(SEC_BitStringTemplate), - &tmp) != SECSuccess) { + &tmp) != SECSuccess) return ENOMEM; - } memset(bits_out, 0, sizeof(*bits_out)); if (SEC_ASN1DecodeItem(pool, bits_out, SEC_ASN1_GET(SEC_IntegerTemplate), - &uinteger) != SECSuccess) { + &uinteger) != SECSuccess) return ENOMEM; - } return 0; } @@ -1007,9 +969,8 @@ secitem_from_file(PLArenaPool *pool, const char *filename, memset(item_out, 0, sizeof(*item_out)); fd = open(filename, O_RDONLY); - if (fd == -1) { + if (fd == -1) return errno; - } if (fstat(fd, &st) == -1) { i = errno; close(fd); @@ -1024,15 +985,13 @@ secitem_from_file(PLArenaPool *pool, const char *filename, n = 0; while (n < st.st_size) { i = read(fd, tmp.data + n, st.st_size - n); - if (i <= 0) { + if (i <= 0) break; - } n += i; } close(fd); - if (n < st.st_size) { + if (n < st.st_size) return ENOMEM; - } tmp.data[n] = '\0'; tmp.len = n; encoded = (const char *) tmp.data; @@ -1040,9 +999,8 @@ secitem_from_file(PLArenaPool *pool, const char *filename, (tmp.len > 11) && ((strncmp(encoded, "-----BEGIN ", 11) == 0) || ((encoded = strstr((char *)tmp.data, "\n-----BEGIN")) != NULL))) { - if (encoded[0] == '\n') { + if (encoded[0] == '\n') encoded++; - } /* find the beginning of the next line */ p = encoded; p += strcspn(p, "\r\n"); @@ -1059,9 +1017,8 @@ secitem_from_file(PLArenaPool *pool, const char *filename, if (q != NULL) { *q = '\0'; decoded = NSSBase64_DecodeBuffer(pool, NULL, p, q - p); - if (decoded != NULL) { + if (decoded != NULL) tmp = *decoded; - } } } *item_out = tmp; @@ -1071,8 +1028,10 @@ secitem_from_file(PLArenaPool *pool, const char *filename, static struct oakley_group { int identifier; - int bits; /* shortest prime first, so that a sequential - * search will find the entry with the shortest + int bits; /* shortest prime first, so that a + * sequential search for a set with a + * length that exceeds the minimum will + * find the entry with the shortest * suitable prime */ char name[32]; char prime[4096]; /* large enough to hold that prime */ @@ -1268,19 +1227,17 @@ hex_to_secitem(const char *hex, SECItem *item) count = 0; acc = 0; for (i = 0; hex[i] != '\0'; i++) { - if ((count % 2) == 0) { + if ((count % 2) == 0) acc = 0; - } c = hex[i]; - if ((c >= '0') && (c <= '9')) { + if ((c >= '0') && (c <= '9')) acc = (acc << 4) | (c - '0'); - } else if ((c >= 'a') && (c <= 'f')) { + else if ((c >= 'a') && (c <= 'f')) acc = (acc << 4) | (c - 'a' + 10); - } else if ((c >= 'A') && (c <= 'F')) { + else if ((c >= 'A') && (c <= 'F')) acc = (acc << 4) | (c - 'A' + 10); - } else { + else continue; - } count++; if ((count % 2) == 0) { item->data[j] = acc & 0xff; @@ -1293,10 +1250,8 @@ hex_to_secitem(const char *hex, SECItem *item) break; } } - if (hex[i] != '\0') { - /* unused bytes */ + if (hex[i] != '\0') /* unused bytes? */ return NULL; - } item->len = j; return item; } @@ -1310,35 +1265,29 @@ oakley_parse_group(PLArenaPool *pool, struct oakley_group *group, SECItem *t; params = PORT_ArenaZAlloc(pool, sizeof(*params)); - if (params == NULL) { + if (params == NULL) return ENOMEM; - } /* Allocate more memory than we'll probably need. */ bytes = group->bits; /* Encode the prime (p). */ t = SECITEM_AllocItem(pool, NULL, bytes); - if (t == NULL) { + if (t == NULL) return ENOMEM; - } - if (hex_to_secitem(group->prime, t) != t) { + if (hex_to_secitem(group->prime, t) != t) return ENOMEM; - } params->p = *t; /* Encode the generator. */ if (SEC_ASN1EncodeInteger(pool, ¶ms->g, - group->generator) != ¶ms->g) { + group->generator) != ¶ms->g) return ENOMEM; - } /* Encode the subprime. */ t = SECITEM_AllocItem(pool, NULL, bytes); - if (t == NULL) { + if (t == NULL) return ENOMEM; - } - if (hex_to_secitem(group->subprime, t) != t) { + if (hex_to_secitem(group->subprime, t) != t) return ENOMEM; - } params->q = *t; *domain_params_out = params; return 0; @@ -1351,16 +1300,12 @@ oakley_get_group(PLArenaPool *pool, int minimum_prime_size) struct domain_parameters *params; params = PORT_ArenaZAlloc(pool, sizeof(*params)); - if (params == NULL) { + if (params == NULL) return NULL; - } - for (i = 0; i < sizeof(oakley_groups) / sizeof(oakley_groups[0]); i++) { - if (oakley_groups[i].bits >= minimum_prime_size) { - if (oakley_parse_group(pool, &oakley_groups[i], ¶ms) == 0) { + for (i = 0; i < sizeof(oakley_groups) / sizeof(oakley_groups[0]); i++) + if (oakley_groups[i].bits >= minimum_prime_size) + if (oakley_parse_group(pool, &oakley_groups[i], ¶ms) == 0) return params; - } - } - } return NULL; } @@ -1389,9 +1334,8 @@ client_create_dh(krb5_context context, SECItem encoded; pool = PORT_NewArena(sizeof(double)); - if (pool == NULL) { + if (pool == NULL) return ENOMEM; - } memset(¶ms, 0, sizeof(params)); /* Find suitable domain parameters. */ @@ -1446,13 +1390,11 @@ client_create_dh(krb5_context context, } /* Save our private and public keys for reuse later. */ - if (req_cryptoctx->client_dh_privkey != NULL) { + if (req_cryptoctx->client_dh_privkey != NULL) SECKEY_DestroyPrivateKey(req_cryptoctx->client_dh_privkey); - } req_cryptoctx->client_dh_privkey = priv; - if (req_cryptoctx->client_dh_pubkey != NULL) { + if (req_cryptoctx->client_dh_pubkey != NULL) SECKEY_DestroyPublicKey(req_cryptoctx->client_dh_pubkey); - } req_cryptoctx->client_dh_pubkey = pub; PK11_FreeSlot(slot); @@ -1479,9 +1421,8 @@ client_process_dh(krb5_context context, SECItem *bits; pool = PORT_NewArena(sizeof(double)); - if (pool == NULL) { + if (pool == NULL) return ENOMEM; - } /* Rebuild the KDC's public key using our parameters and the supplied * public value (subjectPublicKey). */ @@ -1572,9 +1513,8 @@ server_check_dh(krb5_context context, SECItem item; pool = PORT_NewArena(sizeof(double)); - if (pool == NULL) { + if (pool == NULL) return ENOMEM; - } item.data = dh_params->data; item.len = dh_params->length; @@ -1622,9 +1562,8 @@ server_process_dh(krb5_context context, PK11SlotInfo *slot; pool = PORT_NewArena(sizeof(double)); - if (pool == NULL) { + if (pool == NULL) return ENOMEM; - } /* Store the client's public value. */ pubval.data = received_pubkey; @@ -1722,15 +1661,13 @@ create_issuerAndSerial(krb5_context context, SECItem item; /* Check if we have a peer cert. If we don't have one, that's okay. */ - if (req_cryptoctx->peer_cert == NULL) { + if (req_cryptoctx->peer_cert == NULL) return 0; - } /* Scratch arena. */ pool = PORT_NewArena(sizeof(double)); - if (pool == NULL) { + if (pool == NULL) return ENOMEM; - } /* Encode the peer's issuer/serial. */ isn.issuer = req_cryptoctx->peer_cert->derIssuer; @@ -1784,9 +1721,8 @@ create_krb5_supportedCMSTypes(krb5_context context, unsigned int i; ids = malloc(sizeof(id) * ((sizeof(oids) / sizeof(oids[0])) + 1)); - if (ids == NULL) { + if (ids == NULL) return ENOMEM; - } for (i = 0; i < (sizeof(oids) / sizeof(oids[0])); i++) { id = malloc(sizeof(*id)); @@ -1865,9 +1801,8 @@ create_krb5_trustedCertifiers(krb5_context context, /* Build the result list. */ if (n > 0) { ids = malloc((n + 1) * sizeof(id)); - if (ids == NULL) { + if (ids == NULL) return ENOMEM; - } node = CERT_LIST_HEAD(id_cryptoctx->ca_certs); for (i = 0; i < n; i++) { id = malloc(sizeof(*id)); @@ -1975,21 +1910,18 @@ cert_load_ca_certs_from_slot(krb5_context context, } #endif /* Skip it if we don't trust it to issue certificates. */ - if (CERT_GetCertTrust(node->cert, &trust) != SECSuccess) { + if (CERT_GetCertTrust(node->cert, &trust) != SECSuccess) continue; - } if ((SEC_GET_TRUST_FLAGS(&trust, trustSSL) & (CERTDB_TRUSTED_CA | - CERTDB_TRUSTED_CLIENT_CA | CERTDB_NS_TRUSTED_CA)) == 0) { + CERTDB_TRUSTED_CLIENT_CA | CERTDB_NS_TRUSTED_CA)) == 0) continue; - } /* DestroyCertList frees all of the certs in the list, * so we need to create a copy that it can own. */ cert = CERT_DupCertificate(node->cert); /* Add it to the list. */ - if (cert_maybe_add_to_list(id->ca_certs, cert) != SECSuccess) { + if (cert_maybe_add_to_list(id->ca_certs, cert) != SECSuccess) status = SECFailure; - } } CERT_DestroyCertList(list); return status; @@ -2044,20 +1976,17 @@ cert_load_certs_with_keys_from_slot(krb5_context context, (cnode->cert != NULL) && !CERT_LIST_END(cnode, clist); cnode = CERT_LIST_NEXT(cnode)) { - if (cnode->cert->nickname == NULL) { - if ((label == NULL) && (id == NULL)) { + if (cnode->cert->nickname != NULL) { + if ((label != NULL) && (id != NULL)) { if ((strcmp(id, cnode->cert->nickname) != 0) && - (strcmp(label, cnode->cert->nickname) != 0)) { + (strcmp(label, cnode->cert->nickname) != 0)) continue; - } - } else if (label == NULL) { - if (strcmp(label, cnode->cert->nickname) != 0) { + } else if (label != NULL) { + if (strcmp(label, cnode->cert->nickname) != 0) continue; - } - } else if (id == NULL) { - if (strcmp(id, cnode->cert->nickname) != 0) { + } else if (id != NULL) { + if (strcmp(id, cnode->cert->nickname) != 0) continue; - } } } key = PK11_FindPrivateKeyFromCert(slot, cnode->cert, @@ -2077,9 +2006,8 @@ cert_load_certs_with_keys_from_slot(krb5_context context, * so we need to create a copy that it can own. */ cert = CERT_DupCertificate(cnode->cert); if (cert_maybe_add_to_list(id_cryptoctx->id_certs, - cert) != SECSuccess) { + cert) != SECSuccess) status = ENOMEM; - } /* We don't need this reference to the key. */ SECKEY_DestroyPrivateKey(key); } @@ -2101,23 +2029,20 @@ crypto_load_pkcs11(krb5_context context, SECStatus status; int i, j; - if (idopts == NULL) { + if (idopts == NULL) return SECFailure; - } /* Build the module spec. */ spec = PORT_ArenaZAlloc(id_cryptoctx->pool, strlen("library=''") + strlen(idopts->p11_module_name) * 2 + 1); - if (spec == NULL) { + if (spec == NULL) return SECFailure; - } strcpy(spec, "library=\""); j = strlen(spec); for (i = 0; idopts->p11_module_name[i] != '\0'; i++) { - if (strchr("\"", idopts->p11_module_name[i]) != NULL) { + if (strchr("\"", idopts->p11_module_name[i]) != NULL) spec[j++] = '\\'; - } spec[j++] = idopts->p11_module_name[i]; } spec[j++] = '\0'; @@ -2125,19 +2050,16 @@ crypto_load_pkcs11(krb5_context context, /* Count the number of modules we've already loaded. */ if (id_cryptoctx->id_modules != NULL) { - for (i = 0; id_cryptoctx->id_modules[i] != NULL; i++) { + for (i = 0; id_cryptoctx->id_modules[i] != NULL; i++) continue; - } - } else { + } else i = 0; - } /* Allocate a bigger list. */ id_modules = PORT_ArenaZAlloc(id_cryptoctx->pool, sizeof(id_modules[0]) * (i + 2)); - for (j = 0; j < i; j++) { + for (j = 0; j < i; j++) id_modules[j] = id_cryptoctx->id_modules[j]; - } /* Actually load the module. */ module = SECMOD_LoadUserModule(spec, NULL, PR_FALSE); @@ -2166,26 +2088,22 @@ crypto_load_pkcs11(krb5_context context, tokenname = PK11_GetTokenName(slot); if ((slotname != NULL) && (tokenname != NULL)) { if ((strcmp(label, slotname) != 0) && - (strcmp(label, tokenname) != 0)) { + (strcmp(label, tokenname) != 0)) continue; - } } else if (slotname != NULL) { - if (strcmp(label, slotname) != 0) { + if (strcmp(label, slotname) != 0) continue; - } } else if (tokenname != NULL) { - if (strcmp(label, tokenname) != 0) { + if (strcmp(label, tokenname) != 0) continue; - } } } /* Load private keys and their certs from this slot. */ label = idopts->cert_label; id = idopts->cert_id_string; if (cert_load_certs_with_keys_from_slot(context, id_cryptoctx, - slot, label, id) == 0) { + slot, label, id) == 0) status = SECSuccess; - } } return status; } @@ -2200,21 +2118,18 @@ crypto_get_pem_slot(struct _pkinit_identity_crypto_context *id) if (id->pem_module == NULL) { id->pem_module = SECMOD_LoadUserModule("library=libnsspem.so", NULL, PR_FALSE); - if (id->pem_module == NULL) { + if (id->pem_module == NULL) pkiDebug("%s: error loading libnsspem.so\n", __FUNCTION__); - } else { + else SECMOD_UpdateSlotList(id->pem_module); - } } if (id->pem_module != NULL) { - if (id->pem_module->slotCount != 0) { + if (id->pem_module->slotCount != 0) slot = id->pem_module->slots[0]; - } else { + else slot = NULL; - } - if (slot == NULL) { + if (slot == NULL) pkiDebug("%s: no slots in libnsspem.so?\n", __FUNCTION__); - } } else { slot = NULL; } @@ -2234,14 +2149,13 @@ crypto_nickname_c_cb(SECItem *old_nickname, PRBool *cancel, void *arg) int i; leaf = arg; - if (old_nickname != NULL) { + if (old_nickname != NULL) pkiDebug("%s: warning: nickname collision on \"%.*s\", " "generating a new nickname\n", __FUNCTION__, old_nickname->len, old_nickname->data); - } else { + else pkiDebug("%s: warning: nickname collision, generating a new " "nickname\n", __FUNCTION__); - } new_nickname = NULL; if (old_nickname == NULL) { old_name = leaf->subjectName; @@ -2365,9 +2279,8 @@ crypto_load_pkcs12(krb5_context context, &ucs2s, &n_ucs2s) == 0) { PR_Free(newpass); ucs2 = (krb5_ucs2 *) ucs2s; - for (i = 0; i < n_ucs2s / 2; i++) { + for (i = 0; i < n_ucs2s / 2; i++) ucs2[i] = SWAP16(ucs2[i]); - } password.data = (void *) ucs2s; password.len = n_ucs2s + 2; PORT_SetError(0); @@ -2393,9 +2306,8 @@ crypto_load_pkcs12(krb5_context context, "error validating bags: %d\n", __FUNCTION__, name, PORT_GetError()); SEC_PKCS12DecoderFinish(ctx); - if (password.data != emptypwd) { + if (password.data != emptypwd) free(password.data); - } return SECFailure; } if (SEC_PKCS12DecoderImportBags(ctx) != SECSuccess) { @@ -2403,22 +2315,19 @@ crypto_load_pkcs12(krb5_context context, "error importing data: %d\n", __FUNCTION__, name, PORT_GetError()); SEC_PKCS12DecoderFinish(ctx); - if (password.data != emptypwd) { + if (password.data != emptypwd) free(password.data); - } return SECFailure; } pkiDebug("%s: imported PKCS12 bundle \"%s\"\n", __FUNCTION__, name); SEC_PKCS12DecoderFinish(ctx); - if (password.data != emptypwd) { + if (password.data != emptypwd) free(password.data); - } if (cert_load_certs_with_keys_from_slot(context, id_cryptoctx, slot, - NULL, NULL) == 0) { + NULL, NULL) == 0) return SECSuccess; - } else { + else return SECFailure; - } } /* Helper to fill out a CK_ATTRIBUTE. */ @@ -2458,23 +2367,19 @@ crypto_load_files(krb5_context context, int i, j, n_attrs, n_objs, n_crls; if ((slot = crypto_get_pem_slot(id_cryptoctx)) == NULL) { - if (certfile != NULL) { + if (certfile != NULL) pkiDebug("%s: nsspem module not loaded, not loading file \"%s\"\n", __FUNCTION__, certfile); - } - if (keyfile != NULL) { + if (keyfile != NULL) pkiDebug("%s: nsspem module not loaded, not loading file \"%s\"\n", __FUNCTION__, keyfile); - } - if (crlfile != NULL) { + if (crlfile != NULL) pkiDebug("%s: nsspem module not loaded, not loading file \"%s\"\n", __FUNCTION__, crlfile); - } return SECFailure; } - if ((certfile == NULL) && (crlfile == NULL)) { + if ((certfile == NULL) && (crlfile == NULL)) return SECFailure; - } /* If we're told to load a key, then we know for sure that it's a * key+cert combination, so go ahead and try to load the key first. * That way, if we're just guessing that there's a key, and we're @@ -2497,20 +2402,17 @@ crypto_load_files(krb5_context context, pkiDebug("%s: loaded key \"%s\"\n", __FUNCTION__, keyfile); status = SECSuccess; /* Add it to the list of objects that we're keeping. */ - if (id_cryptoctx->id_objects != NULL) { - for (i = 0; id_cryptoctx->id_objects[i] != NULL; i++) { + if (id_cryptoctx->id_objects != NULL) + for (i = 0; id_cryptoctx->id_objects[i] != NULL; i++) continue; - } - } else { + else i = 0; - } id_objects = PORT_ArenaZAlloc(id_cryptoctx->pool, sizeof(id_objects[0]) * (i + 2)); if (id_objects != NULL) { n_objs = i; - for (i = 0; i < n_objs; i++) { + for (i = 0; i < n_objs; i++) id_objects[i] = id_cryptoctx->id_objects[i]; - } id_objects[i++] = obj; id_objects[i++] = NULL; id_cryptoctx->id_objects = id_objects; @@ -2543,20 +2445,17 @@ crypto_load_files(krb5_context context, __FUNCTION__, cert_mark_trusted ? "CA " : "", certfile); status = SECSuccess; /* Add it to the list of objects that we're keeping. */ - if (id_cryptoctx->id_objects != NULL) { - for (i = 0; id_cryptoctx->id_objects[i] != NULL; i++) { + if (id_cryptoctx->id_objects != NULL) + for (i = 0; id_cryptoctx->id_objects[i] != NULL; i++) continue; - } - } else { + else i = 0; - } id_objects = PORT_ArenaZAlloc(id_cryptoctx->pool, sizeof(id_objects[0]) * (i + 2)); if (id_objects != NULL) { n_objs = i; - for (i = 0; i < n_objs; i++) { + for (i = 0; i < n_objs; i++) id_objects[i] = id_cryptoctx->id_objects[i]; - } id_objects[i++] = obj; id_objects[i++] = NULL; id_cryptoctx->id_objects = id_objects; @@ -2624,9 +2523,8 @@ crypto_load_files(krb5_context context, crl = SECITEM_ArenaDupItem(id_cryptoctx->pool, &tmp); /* Count the CRLs. */ if (id_cryptoctx->id_crls != NULL) { - for (i = 0; id_cryptoctx->id_crls[i] != NULL; i++) { + for (i = 0; id_cryptoctx->id_crls[i] != NULL; i++) continue; - } } else { i = 0; } @@ -2634,25 +2532,22 @@ crypto_load_files(krb5_context context, /* Allocate a bigger list. */ crls = PORT_ArenaZAlloc(id_cryptoctx->pool, sizeof(crls[0]) * (n_crls + 2)); - for (j = 0; j < n_crls; j++) { + for (j = 0; j < n_crls; j++) crls[j] = id_cryptoctx->id_crls[j]; - } if (crl != NULL) { status = CERT_CacheCRL(CERT_GetDefaultCertDB(), crl); if (status == SECSuccess) { crls[j++] = crl; pkiDebug("%s: cached CRL from \"%s\"\n", __FUNCTION__, crlfile); - } else { + } else pkiDebug("%s: error loading CRL from \"%s\": %d\n", __FUNCTION__, crlfile, PORT_GetError()); - } } crls[j++] = NULL; id_cryptoctx->id_crls = crls; - } else { + } else status = SECFailure; - } } return status; } @@ -2677,9 +2572,8 @@ crypto_load_dir(krb5_context context, "not loading directory \"%s\"\n", __FUNCTION__, dirname); return SECFailure; } - if (dirname == NULL) { + if (dirname == NULL) return SECFailure; - } dir = opendir(dirname); if (dir == NULL) { pkiDebug("%s: error loading directory \"%s\": %s\n", @@ -2699,14 +2593,12 @@ crypto_load_dir(krb5_context context, } /* Construct a path to the file. */ certcrl = PORT_Alloc(strlen(dirname) + 1 + i + 1); - if (certcrl == NULL) { + if (certcrl == NULL) continue; - } sprintf(certcrl, "%s/%s", dirname, ent->d_name); - if (load_crl || !cert_self) { - /* No key. */ + if (load_crl || !cert_self) /* No key. */ key = NULL; - } else { + else { /* Construct the matching key name. */ key = PORT_Alloc(strlen(dirname) + 1 + i + 1); if (key == NULL) { @@ -2725,13 +2617,11 @@ crypto_load_dir(krb5_context context, key, load_crl ? certcrl : NULL, cert_self, cert_mark_trusted, - id_cryptoctx) == SECSuccess) { + id_cryptoctx) == SECSuccess) status = SECSuccess; - } PORT_Free(certcrl); - if (key != NULL) { + if (key != NULL) PORT_Free(key); - } } closedir(dir); return status; @@ -2749,24 +2639,21 @@ crypto_load_nssdb(krb5_context context, char *p; int i, j; - if (configdir == NULL) { + if (configdir == NULL) return ENOENT; - } /* Build the spec. */ p = PORT_ArenaZAlloc(id_cryptoctx->pool, strlen("configDir='' flags=readOnly") + strlen(configdir) * 2 + 1); - if (p == NULL) { + if (p == NULL) return ENOMEM; - } strcpy(p, "configDir='"); j = strlen(p); for (i = 0; configdir[i] != '\0'; i++) { - if (configdir[i] == '\'') { + if (configdir[i] == '\'') p[j++] = '\\'; /* Is this the right way to do * escaping? */ - } p[j++] = configdir[i]; } p[j++] = '\0'; @@ -2774,19 +2661,16 @@ crypto_load_nssdb(krb5_context context, /* Count the number of modules we've already loaded. */ if (id_cryptoctx->id_userdbs != NULL) { - for (i = 0; id_cryptoctx->id_userdbs[i] != NULL; i++) { + for (i = 0; id_cryptoctx->id_userdbs[i] != NULL; i++) continue; - } - } else { + } else i = 0; - } /* Allocate a bigger list. */ id_userdbs = PORT_ArenaZAlloc(id_cryptoctx->pool, sizeof(id_userdbs[0]) * (i + 2)); - for (j = 0; j < i; j++) { + for (j = 0; j < i; j++) id_userdbs[j] = id_cryptoctx->id_userdbs[j]; - } /* Actually load the module. */ userdb = SECMOD_OpenUserDB(p); @@ -2913,15 +2797,13 @@ crypto_cert_get_count(krb5_context context, CERTCertListNode *node; *cert_count = 0; - if (!CERT_LIST_EMPTY(id_cryptoctx->id_certs)) { + if (!CERT_LIST_EMPTY(id_cryptoctx->id_certs)) for (node = CERT_LIST_HEAD(id_cryptoctx->id_certs); (node != NULL) && (node->cert != NULL) && !CERT_LIST_END(node, id_cryptoctx->id_certs); - node = CERT_LIST_NEXT(node)) { + node = CERT_LIST_NEXT(node)) (*cert_count)++; - } - } pkiDebug("%s: %d candidate key/certificate pairs found\n", __FUNCTION__, *cert_count); return 0; @@ -2938,13 +2820,11 @@ crypto_cert_iteration_begin(krb5_context context, PLArenaPool *pool; struct _pkinit_cert_iter_info *handle; - if (CERT_LIST_EMPTY(id_cryptoctx->id_certs)) { + if (CERT_LIST_EMPTY(id_cryptoctx->id_certs)) return ENOENT; - } pool = PORT_NewArena(sizeof(double)); - if (pool == NULL) { + if (pool == NULL) return ENOMEM; - } handle = PORT_ArenaZAlloc(pool, sizeof(*handle)); if (handle == NULL) { PORT_FreeArena(pool, PR_TRUE); @@ -2985,9 +2865,8 @@ crypto_cert_iteration_next(krb5_context context, } /* Create a pool to hold info about this certificate. */ pool = PORT_NewArena(sizeof(double)); - if (pool == NULL) { + if (pool == NULL) return ENOMEM; - } *cert_handle = PORT_ArenaZAlloc(pool, sizeof(**cert_handle)); if (*cert_handle == NULL) { PORT_FreeArena(pool, PR_TRUE); @@ -3012,11 +2891,9 @@ cert_get_ext_by_tag(CERTCertificate *cert, SECOidTag tag) oid = SECOID_FindOIDByTag(tag); for (i = 0; (cert->extensions != NULL) && (cert->extensions[i] != NULL); - i++) { - if (SECITEM_ItemsAreEqual(&cert->extensions[i]->id, &oid->oid)) { + i++) + if (SECITEM_ItemsAreEqual(&cert->extensions[i]->id, &oid->oid)) return &cert->extensions[i]->value; - } - } return NULL; } @@ -3028,12 +2905,10 @@ cert_get_ku_bits(krb5_context context, CERTCertificate *cert) { unsigned int ku = 0; - if (cert->keyUsage & KU_DIGITAL_SIGNATURE) { + if (cert->keyUsage & KU_DIGITAL_SIGNATURE) ku |= PKINIT_KU_DIGITALSIGNATURE; - } - if (cert->keyUsage & KU_KEY_ENCIPHERMENT) { + if (cert->keyUsage & KU_KEY_ENCIPHERMENT) ku |= PKINIT_KU_KEYENCIPHERMENT; - } return ku; } @@ -3048,9 +2923,8 @@ cert_get_eku_bits(krb5_context context, CERTCertificate *cert, PRBool kdc) /* Pull out the extension. */ ext = cert_get_ext_by_tag(cert, SEC_OID_X509_EXT_KEY_USAGE); - if (ext == NULL) { + if (ext == NULL) return 0; - } /* Look up the well-known OIDs. */ clientauth = SECOID_FindOIDByTag(SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH); @@ -3068,27 +2942,21 @@ cert_get_eku_bits(krb5_context context, CERTCertificate *cert, PRBool kdc) } eku = 0; for (i = 0; (oids != NULL) && (oids[i] != NULL); i++) { - if (SECITEM_ItemsAreEqual(oids[i], &email->oid)) { + if (SECITEM_ItemsAreEqual(oids[i], &email->oid)) eku |= PKINIT_EKU_EMAILPROTECTION; - } if (kdc) { - if (SECITEM_ItemsAreEqual(oids[i], &pkinit_kp_kdc)) { + if (SECITEM_ItemsAreEqual(oids[i], &pkinit_kp_kdc)) eku |= PKINIT_EKU_PKINIT; - } - if (SECITEM_ItemsAreEqual(oids[i], &serverauth->oid)) { + if (SECITEM_ItemsAreEqual(oids[i], &serverauth->oid)) eku |= PKINIT_EKU_CLIENTAUTH; - } } else { - if (SECITEM_ItemsAreEqual(oids[i], &pkinit_kp_client)) { + if (SECITEM_ItemsAreEqual(oids[i], &pkinit_kp_client)) eku |= PKINIT_EKU_PKINIT; - } - if (SECITEM_ItemsAreEqual(oids[i], &clientauth->oid)) { + if (SECITEM_ItemsAreEqual(oids[i], &clientauth->oid)) eku |= PKINIT_EKU_CLIENTAUTH; - } } - if (SECITEM_ItemsAreEqual(oids[i], &pkinit_kp_mssclogin)) { + if (SECITEM_ItemsAreEqual(oids[i], &pkinit_kp_mssclogin)) eku |= PKINIT_EKU_MSSCLOGIN; - } } PORT_FreeArena(pool, PR_TRUE); return eku; @@ -3152,9 +3020,8 @@ crypto_cert_select(krb5_context context, pkinit_cert_matching_data *data) CERTCertificate *cert; cert = CERT_DupCertificate(data->ch->cert); - if (data->ch->id_cryptoctx->id_cert != NULL) { + if (data->ch->id_cryptoctx->id_cert != NULL) CERT_DestroyCertificate(data->ch->id_cryptoctx->id_cert); - } data->ch->id_cryptoctx->id_cert = cert; return 0; } @@ -3177,13 +3044,12 @@ crypto_cert_select_default(krb5_context context, result = crypto_cert_get_count(context, plg_cryptoctx, req_cryptoctx, id_cryptoctx, &count); - if (result != 0) { + if (result != 0) return result; - } - if (count == 1) { + if (count == 1) /* use the only cert */ cert = (CERT_LIST_HEAD(id_cryptoctx->id_certs))->cert; - } else { + else { pkiDebug("%s: searching for a KDC certificate\n", __FUNCTION__); /* look for a cert that includes a TGS principal name */ cert = NULL; @@ -3214,17 +3080,14 @@ crypto_cert_select_default(krb5_context context, free(sans); sans = NULL; } - if (cert != NULL) { + if (cert != NULL) break; - } } - if (cert == NULL) { + if (cert == NULL) return ENOENT; - } } - if (id_cryptoctx->id_cert != NULL) { + if (id_cryptoctx->id_cert != NULL) CERT_DestroyCertificate(id_cryptoctx->id_cert); - } id_cryptoctx->id_cert = CERT_DupCertificate(cert); return 0; } @@ -3375,25 +3238,21 @@ pkinit_create_td_dh_parameters(krb5_context context, /* Fetch the algorithm OID. */ oid = get_oid_from_tag(SEC_OID_X942_DIFFIE_HELMAN_KEY); - if (oid == NULL) { + if (oid == NULL) return ENOMEM; - } /* Walk the lists of parameters that we know. */ for (i = 0, j = 0; i < sizeof(id) / sizeof(id[0]); i++) { - if (oakley_groups[i].bits < opts->dh_min_bits) { + if (oakley_groups[i].bits < opts->dh_min_bits) continue; - } /* Encode these parameters for use as algorithm parameters. */ if (oakley_parse_group(req_cryptoctx->pool, &oakley_groups[i], - ¶ms) != 0) { + ¶ms) != 0) continue; - } memset(¶ms, 0, sizeof(params)); if (SEC_ASN1EncodeItem(req_cryptoctx->pool, &tmp, params, - domain_parameters_template) != SECSuccess) { + domain_parameters_template) != SECSuccess) continue; - } /* Add it to the list. */ memset(&id[j], 0, sizeof(id[j])); id[j].algorithm.data = oid->data; @@ -3403,16 +3262,14 @@ pkinit_create_td_dh_parameters(krb5_context context, ids[j] = &id[j]; j++; } - if (j == 0) { + if (j == 0) return ENOENT; - } ids[j] = NULL; /* Pass it back up. */ data = NULL; code = (*k5int_encode_krb5_td_dh_parameters)(ids, &data); - if (code != 0) { + if (code != 0) return code; - } memset(&typed_datum, 0, sizeof(typed_datum)); typed_datum.type = TD_DH_PARAMETERS; typed_datum.length = data->length; @@ -3448,17 +3305,15 @@ pkinit_process_td_dh_params(krb5_context context, memset(¶ms, 0, sizeof(params)); if (SEC_ASN1DecodeItem(req_cryptoctx->pool, ¶ms, domain_parameters_template, - &item) != SECSuccess) { + &item) != SECSuccess) continue; - } /* Count the size of the prime by finding the first non-zero * byte and working out the size of the integer. */ size = get_integer_bits(¶ms.p); /* If this is the first parameter set, or the current parameter * size is lower than our previous guess, use it. */ - if ((i == 0) || (size < *new_dh_size)) { + if ((i == 0) || (size < *new_dh_size)) *new_dh_size = size; - } } return 0; } @@ -3483,9 +3338,8 @@ pkinit_create_td_invalid_certificate(krb5_context context, /* We didn't trust the peer's certificate. FIXME: or was it a * certificate that was somewhere in its certifying chain? */ - if (req_cryptoctx->peer_cert == NULL) { + if (req_cryptoctx->peer_cert == NULL) return ENOENT; - } invalid = req_cryptoctx->peer_cert; /* Fill in the identifier. */ @@ -3494,9 +3348,8 @@ pkinit_create_td_invalid_certificate(krb5_context context, isn.issuer = invalid->derIssuer; isn.serial = invalid->serialNumber; if (SEC_ASN1EncodeItem(req_cryptoctx->pool, &item, &isn, - issuer_and_serial_number_template) != &item) { + issuer_and_serial_number_template) != &item) return ENOMEM; - } id.issuerAndSerialNumber.data = item.data; id.issuerAndSerialNumber.length = item.len; } else { @@ -3510,9 +3363,8 @@ pkinit_create_td_invalid_certificate(krb5_context context, /* Pass it back up. */ data = NULL; code = (*k5int_encode_krb5_td_trusted_certifiers)(ids, &data); - if (code != 0) { + if (code != 0) return code; - } memset(&typed_datum, 0, sizeof(typed_datum)); typed_datum.type = TD_INVALID_CERTIFICATES; typed_datum.length = data->length; @@ -3551,9 +3403,8 @@ pkinit_create_td_trusted_certifiers(krb5_context context, /* Build the list of trusted roots. */ clist = CERT_NewCertList(); - if (clist == NULL) { + if (clist == NULL) return ENOMEM; - } /* Get the list of tokens. All of them. */ slist = PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_FALSE, @@ -3598,26 +3449,22 @@ pkinit_create_td_trusted_certifiers(krb5_context context, !CERT_LIST_END(node, sclist); node = CERT_LIST_NEXT(node)) { /* If it's not a root, we can't trust it. Right? */ - if (!cert->isRoot) { + if (!cert->isRoot) continue; - } /* If we have no trust for it, we can't trust it. */ - if (cert->trust == NULL) { + if (cert->trust == NULL) continue; - } /* We need to trust it to issue client certs. */ trustf = SEC_GET_TRUST_FLAGS(cert->trust, trustSSL); - if (!(trustf & CERTDB_TRUSTED_CLIENT_CA)) { + if (!(trustf & CERTDB_TRUSTED_CLIENT_CA)) continue; - } /* DestroyCertList frees all of the certs in the list, * so we need to create a copy that it can own. */ cert = CERT_DupCertificate(node->cert); - if (cert_maybe_add_to_list(clist, cert) != SECSuccess) { + if (cert_maybe_add_to_list(clist, cert) != SECSuccess) status = ENOMEM; - } else { + else i++; - } } CERT_DestroyCertList(sclist); } @@ -3667,9 +3514,8 @@ pkinit_create_td_trusted_certifiers(krb5_context context, data = NULL; code = (*k5int_encode_krb5_td_trusted_certifiers)(ids, &data); CERT_DestroyCertList(clist); - if (code != 0) { + if (code != 0) return code; - } memset(&typed_datum, 0, sizeof(typed_datum)); typed_datum.type = TD_TRUSTED_CERTIFIERS; typed_datum.length = data->length; @@ -3711,15 +3557,13 @@ pkinit_check_kdc_pkid(krb5_context context, struct issuer_and_serial_number isn; pool = PORT_NewArena(sizeof(double)); - if (pool == NULL) { + if (pool == NULL) return ENOMEM; - } /* Verify that we have selected a certificate for our (the KDC's) own * use. */ - if (id_cryptoctx->id_cert == NULL) { + if (id_cryptoctx->id_cert == NULL) return ENOENT; - } cert = id_cryptoctx->id_cert; /* Decode the pair. */ @@ -3959,19 +3803,16 @@ cert_add_kpn(PLArenaPool * pool, krb5_context context, SECItem *name, memset(&kname, 0, sizeof(kname)); if (SEC_ASN1DecodeItem(pool, &kname, kerberos_principal_name_template, - name) != SECSuccess) { + name) != SECSuccess) return ENOMEM; - } /* Recover the name type and count the components. */ if (SEC_ASN1DecodeInteger(&kname.principal_name.name_type, - &name_type) != SECSuccess) { + &name_type) != SECSuccess) return ENOMEM; - } names = kname.principal_name.name_string; - for (i = 0; (names != NULL) && (names[i] != NULL); i++) { + for (i = 0; (names != NULL) && (names[i] != NULL); i++) continue; - } comps = malloc(sizeof(comps[0]) * i); /* Fake up a principal structure. */ @@ -4006,15 +3847,13 @@ cert_retrieve_cert_sans(krb5_context context, /* Pull out the extension. */ ext = cert_get_ext_by_tag(cert, SEC_OID_X509_SUBJECT_ALT_NAME); - if (ext == NULL) { + if (ext == NULL) return ENOENT; - } /* Split up the list of names. */ pool = PORT_NewArena(sizeof(double)); - if (pool == NULL) { + if (pool == NULL) return ENOMEM; - } encoded_names = NULL; if (SEC_ASN1DecodeItem(pool, &encoded_names, SEC_ASN1_GET(SEC_SequenceOfAnyTemplate), @@ -4058,9 +3897,8 @@ cert_retrieve_cert_sans(krb5_context context, return ENOMEM; } /* If both lists are the same, fix the count. */ - if (pkinit_sans_out == upn_sans_out) { + if (pkinit_sans_out == upn_sans_out) n_upn_sans = n_pkinit_sans; - } } else /* possibly a user principal name */ if (SECITEM_ItemsAreEqual(&name.name.OthName.oid, @@ -4073,9 +3911,8 @@ cert_retrieve_cert_sans(krb5_context context, return ENOMEM; } /* If both lists are the same, fix the count. */ - if (upn_sans_out == pkinit_sans_out) { + if (upn_sans_out == pkinit_sans_out) n_pkinit_sans = n_upn_sans; - } } break; default: @@ -4236,15 +4073,13 @@ crypto_signeddata_common_create(krb5_context context, /* Create a signed-data object. */ sdata = NSS_CMSSignedData_Create(msg); - if (sdata == NULL) { + if (sdata == NULL) return ENOMEM; - } /* Create a signer and add it to the signed-data pointer. */ signer = NSS_CMSSignerInfo_Create(msg, id_cryptoctx->id_cert, digest); - if (signer == NULL) { + if (signer == NULL) return ENOMEM; - } if (NSS_CMSSignerInfo_IncludeCerts(signer, (include_certchain == signeddata_common_create_with_chain) ? @@ -4253,18 +4088,16 @@ crypto_signeddata_common_create(krb5_context context, pkiDebug("%s: error setting IncludeCerts\n", __FUNCTION__); return ENOMEM; } - if (NSS_CMSSignedData_AddSignerInfo(sdata, signer) != SECSuccess) { + if (NSS_CMSSignedData_AddSignerInfo(sdata, signer) != SECSuccess) return ENOMEM; - } - if (add_signedattrs == signeddata_common_create_with_signed_attrs) { + if (add_signedattrs == signeddata_common_create_with_signed_attrs) /* The presence of any signed attribute means the digest * becomes a signed attribute, too. */ if (NSS_CMSSignerInfo_AddSigningTime(signer, PR_Now()) != SECSuccess) { pkiDebug("%s: error adding signing time\n", __FUNCTION__); return ENOMEM; } - } *signed_data_out = sdata; return 0; @@ -4515,64 +4348,57 @@ crypto_signeddata_common_verify(krb5_context context, pkiDebug("%s: parsed plain-data (length=%ld) as signed-data\n", __FUNCTION__, (long) edata->len); cinfo = ecinfo; - } else { + } else /* Okay, it's a normal signed-data blob. */ ecmsg = NULL; - } /* Check that we have signed data, that it has exactly one signature, * and fish out the signer information. */ if (NSS_CMSContentInfo_GetContentTypeTag(cinfo) != SEC_OID_PKCS7_SIGNED_DATA) { pkiDebug("%s: content type mismatch\n", __FUNCTION__); - if (ecmsg != NULL) { + if (ecmsg != NULL) NSS_CMSMessage_Destroy(ecmsg); - } return EINVAL; } sdata = NSS_CMSContentInfo_GetContent(cinfo); if (sdata == NULL) { pkiDebug("%s: decoding error? content-info was NULL\n", __FUNCTION__); - if (ecmsg != NULL) { + if (ecmsg != NULL) NSS_CMSMessage_Destroy(ecmsg); - } return ENOENT; } n_signers = NSS_CMSSignedData_SignerInfoCount(sdata); if (n_signers > 1) { pkiDebug("%s: wrong number of signers (%d, not 0 or 1)\n", __FUNCTION__, n_signers); - if (ecmsg != NULL) { + if (ecmsg != NULL) NSS_CMSMessage_Destroy(ecmsg); - } return ENOENT; } - if (n_signers < 1) { + if (n_signers < 1) signer = NULL; - } else { + else { /* Import the bundle's certs and locate the signerInfo. */ if (NSS_CMSSignedData_ImportCerts(sdata, certdb, usage, PR_FALSE) != SECSuccess) { pkiDebug("%s: error importing signer certs\n", __FUNCTION__); - if (ecmsg != NULL) { + if (ecmsg != NULL) NSS_CMSMessage_Destroy(ecmsg); - } return ENOENT; } signer = NSS_CMSSignedData_GetSignerInfo(sdata, 0); if (signer == NULL) { pkiDebug("%s: no signers?\n", __FUNCTION__); - if (ecmsg != NULL) { + if (ecmsg != NULL) NSS_CMSMessage_Destroy(ecmsg); - } return ENOENT; } /* Verify the signer's certificate. */ if (!NSS_CMSSignedData_HasDigests(sdata)) { pkiDebug("%s: no digests?\n", __FUNCTION__); - if (ecmsg != NULL) { + if (ecmsg != NULL) NSS_CMSMessage_Destroy(ecmsg); - } return ENOENT; } status = CERT_EnableOCSPChecking(certdb); @@ -4581,9 +4407,8 @@ crypto_signeddata_common_verify(krb5_context context, PR_ErrorToString(status == SECFailure ? PORT_GetError() : status, PR_LANGUAGE_I_DEFAULT)); - if (ecmsg != NULL) { + if (ecmsg != NULL) NSS_CMSMessage_Destroy(ecmsg); - } return ENOMEM; } /* FIXME: NSS will use OCSP if there's no applicable CRL cached, and if @@ -4599,9 +4424,8 @@ crypto_signeddata_common_verify(krb5_context context, PR_ErrorToString(status == SECFailure ? PORT_GetError() : status, PR_LANGUAGE_I_DEFAULT)); - if (ecmsg != NULL) { + if (ecmsg != NULL) NSS_CMSMessage_Destroy(ecmsg); - } return ENOMEM; } status = NSS_CMSSignedData_VerifySignerInfo(sdata, 0, certdb, usage); @@ -4610,9 +4434,8 @@ crypto_signeddata_common_verify(krb5_context context, PR_ErrorToString(status == SECFailure ? PORT_GetError() : status, PR_LANGUAGE_I_DEFAULT)); - if (ecmsg != NULL) { + if (ecmsg != NULL) NSS_CMSMessage_Destroy(ecmsg); - } switch (cms_msg_type) { case CMS_SIGN_DRAFT9: case CMS_SIGN_CLIENT: @@ -4647,9 +4470,8 @@ crypto_signeddata_common_verify(krb5_context context, ecinfo = NSS_CMSSignedData_GetContentInfo(sdata); if (ecinfo == NULL) { pkiDebug("%s: error getting encapsulated content\n", __FUNCTION__); - if (ecmsg != NULL) { + if (ecmsg != NULL) NSS_CMSMessage_Destroy(ecmsg); - } return ENOMEM; } encapsulated_tag = NSS_CMSContentInfo_GetContentTypeTag(ecinfo); @@ -4658,11 +4480,10 @@ crypto_signeddata_common_verify(krb5_context context, (encapsulated_tag != expected_type2))) { pkiDebug("%s: wrong encapsulated content type\n", __FUNCTION__); expected = SECOID_FindOIDByTag(expected_type); - if (encapsulated_tag != SEC_OID_UNKNOWN) { + if (encapsulated_tag != SEC_OID_UNKNOWN) received = SECOID_FindOIDByTag(encapsulated_tag); - } else { + else received = NULL; - } if (expected != NULL) { if (received != NULL) { pkiDebug("%s: was expecting \"%s\"(%d), but got \"%s\"(%d)\n", @@ -4676,22 +4497,19 @@ crypto_signeddata_common_verify(krb5_context context, expected->desc, expected->offset, encapsulated_tag); } } - if (ecmsg != NULL) { + if (ecmsg != NULL) NSS_CMSMessage_Destroy(ecmsg); - } return EINVAL; } *plain_out = NSS_CMSContentInfo_GetContent(ecinfo); - if ((*plain_out != NULL) && ((*plain_out)->len == 0)) { + if ((*plain_out != NULL) && ((*plain_out)->len == 0)) pkiDebug("%s: warning: encapsulated content appears empty\n", __FUNCTION__); - } if (signer != NULL) { /* Save the peer cert -- we'll need it later. */ pkiDebug("%s: saving peer certificate\n", __FUNCTION__); - if (req_cryptoctx->peer_cert != NULL) { + if (req_cryptoctx->peer_cert != NULL) CERT_DestroyCertificate(req_cryptoctx->peer_cert); - } cert = NSS_CMSSignerInfo_GetSigningCertificate(signer, certdb); req_cryptoctx->peer_cert = CERT_DupCertificate(cert); } @@ -4726,9 +4544,8 @@ cms_envelopeddata_verify(krb5_context context, int is_signed, ret; pool = PORT_NewArena(sizeof(double)); - if (pool == NULL) { + if (pool == NULL) return ENOMEM; - } certdb = CERT_GetDefaultCertDB(); /* Decode the message. */ @@ -4742,9 +4559,8 @@ cms_envelopeddata_verify(krb5_context context, crypto_pwcb, crypto_pwcb_prep(id_cryptoctx, context), NULL, NULL); - if (msg == NULL) { + if (msg == NULL) return ENOMEM; - } /* Make sure it's enveloped-data. */ info = NSS_CMSMessage_GetContentInfo(msg); @@ -4851,9 +4667,8 @@ cms_signeddata_create(krb5_context context, } pool = PORT_NewArena(sizeof(double)); - if (pool == NULL) { + if (pool == NULL) return ENOMEM; - } /* Create the containing message. */ msg = NSS_CMSMessage_Create(pool); @@ -4985,9 +4800,8 @@ cms_signeddata_verify(krb5_context context, expected_tag2 = SEC_OID_UNKNOWN; pool = PORT_NewArena(sizeof(double)); - if (pool == NULL) { + if (pool == NULL) return ENOMEM; - } certdb = CERT_GetDefaultCertDB(); #ifdef DEBUG_DER @@ -5001,16 +4815,15 @@ cms_signeddata_verify(krb5_context context, /* Take a quick look at what it claims to be. */ memset(&simple_content_info, 0, sizeof(simple_content_info)); if (SEC_ASN1DecodeItem(pool, &simple_content_info, - content_info_template, &encoded) == SECSuccess) { + content_info_template, &encoded) == SECSuccess) /* If it's unsigned data of the right type... */ if (SECOID_FindOIDTag(&simple_content_info.content_type) == expected_tag) { /* Pull out the payload -- it's not wrapped in a * SignedData. */ pkiDebug("%s: data is not signed\n", __FUNCTION__); - if (is_signed != NULL) { + if (is_signed != NULL) *is_signed = 0; - } if (secitem_to_buf_len(&simple_content_info.content, payload, payload_len) != 0) { PORT_FreeArena(pool, PR_TRUE); @@ -5018,7 +4831,6 @@ cms_signeddata_verify(krb5_context context, } return 0; } - } /* Decode the message. */ msg = NSS_CMSMessage_CreateFromDER(&encoded, @@ -5026,9 +4838,8 @@ cms_signeddata_verify(krb5_context context, crypto_pwcb, crypto_pwcb_prep(id_cryptoctx, context), NULL, NULL); - if (msg == NULL) { + if (msg == NULL) return ENOMEM; - } /* Double-check that it's signed. */ info = NSS_CMSMessage_GetContentInfo(msg); @@ -5062,16 +4873,14 @@ cms_signeddata_verify(krb5_context context, PORT_FreeArena(pool, PR_TRUE); return ret ? ret : ENOMEM; } - if (is_signed != NULL) { + if (is_signed != NULL) *is_signed = was_signed; - } break; case SEC_OID_PKCS7_DATA: /* It's not signed: try to pull out the payload. */ pkiDebug("%s: data is not signed\n", __FUNCTION__); - if (is_signed != NULL) { + if (is_signed != NULL) *is_signed = 0; - } plain = NSS_CMSContentInfo_GetContent(info); break; default: -- 1.7.6.4