Mercurial > illumos > illumos-gate
changeset 4315:01095076999d
6558467 memory leak in kcfd
author | wyllys |
---|---|
date | Thu, 24 May 2007 18:15:44 -0700 |
parents | a4df46918bfa |
children | 8f314c0ecee2 |
files | usr/src/lib/libkmf/plugins/kmf_openssl/common/openssl_spi.c |
diffstat | 1 files changed, 151 insertions(+), 156 deletions(-) [+] |
line wrap: on
line diff
--- a/usr/src/lib/libkmf/plugins/kmf_openssl/common/openssl_spi.c Thu May 24 12:54:42 2007 -0700 +++ b/usr/src/lib/libkmf/plugins/kmf_openssl/common/openssl_spi.c Thu May 24 18:15:44 2007 -0700 @@ -316,15 +316,15 @@ * openssl default set. */ (void) OBJ_create("2.5.29.30", "nameConstraints", - "X509v3 Name Constraints"); + "X509v3 Name Constraints"); (void) OBJ_create("2.5.29.33", "policyMappings", - "X509v3 Policy Mappings"); + "X509v3 Policy Mappings"); (void) OBJ_create("2.5.29.36", "policyConstraints", - "X509v3 Policy Constraints"); + "X509v3 Policy Constraints"); (void) OBJ_create("2.5.29.46", "freshestCRL", - "X509v3 Freshest CRL"); + "X509v3 Freshest CRL"); (void) OBJ_create("2.5.29.54", "inhibitAnyPolicy", - "X509v3 Inhibit Any-Policy"); + "X509v3 Inhibit Any-Policy"); /* * Set up for thread-safe operation. */ @@ -367,7 +367,7 @@ /* Convert to raw DER format */ derdata.Length = i2d_X509_NAME(sslDN, NULL); if ((tmp = derdata.Data = (uchar_t *)OPENSSL_malloc(derdata.Length)) - == NULL) { + == NULL) { return (KMF_ERR_MEMORY); } (void) i2d_X509_NAME(sslDN, &tmp); @@ -508,8 +508,8 @@ } bnlen = BN_bn2bin(bn, a); *match = !memcmp(a, - params->serial->val, - params->serial->len); + params->serial->val, + params->serial->len); rv = KMF_OK; free(a); } @@ -668,12 +668,11 @@ /* We need a credential to access a PKCS#12 file */ rv = KMF_ERR_BAD_CERT_FORMAT; } else if (format == KMF_FORMAT_PEM || - format != KMF_FORMAT_PEM_KEYPAIR) { + format != KMF_FORMAT_PEM_KEYPAIR) { /* This function only works on PEM files */ rv = extract_objects(kmfh, params, pathname, - (uchar_t *)NULL, 0, NULL, - &certs, &nc); + (uchar_t *)NULL, 0, NULL, &certs, &nc); } else { return (KMF_ERR_ENCODING); } @@ -785,8 +784,8 @@ } if (kmfber_scanf(asn1, "{{Dn{IIIIII}}}", - &OID, &Mod, &PubExp, &PriExp, &Prime1, - &Prime2, &Coef) == -1) { + &OID, &Mod, &PubExp, &PriExp, &Prime1, + &Prime2, &Coef) == -1) { ret = KMF_ERR_ENCODING; goto out; } @@ -943,15 +942,15 @@ keyfile = NULL; /* Try odd ASN.1 variations */ rv = KMF_ReadInputFile(kmfh, (char *)file, - &filedata); + &filedata); if (rv == KMF_OK) { (void) readAltFormatPrivateKey(&filedata, - &pkey); + &pkey); KMF_FreeData(&filedata); } } } else if (format == KMF_FORMAT_PEM || - format == KMF_FORMAT_PEM_KEYPAIR) { + format == KMF_FORMAT_PEM_KEYPAIR) { pkey = PEM_read_bio_PrivateKey(keyfile, NULL, NULL, NULL); if (pkey == NULL) { KMF_DATA derdata; @@ -960,17 +959,17 @@ * RSA private key file. */ rv = KMF_ReadInputFile(kmfh, (char *)file, - &filedata); + &filedata); if (rv == KMF_OK) { uchar_t *d = NULL; int len; rv = KMF_Pem2Der(filedata.Data, - filedata.Length, &d, &len); + filedata.Length, &d, &len); if (rv == KMF_OK && d != NULL) { derdata.Data = d; derdata.Length = (size_t)len; (void) readAltFormatPrivateKey( - &derdata, &pkey); + &derdata, &pkey); free(d); } KMF_FreeData(&filedata); @@ -1009,7 +1008,7 @@ *num_certs = 0; fullpath = get_fullpath(params->sslparms.dirpath, - params->sslparms.certfile); + params->sslparms.certfile); if (fullpath == NULL) return (KMF_ERR_BAD_PARAMETER); @@ -1032,11 +1031,10 @@ strcmp(dp->d_name, "..") == 0) continue; - fname = get_fullpath(fullpath, - (char *)&dp->d_name); + fname = get_fullpath(fullpath, (char *)&dp->d_name); rv = load_certs(kmfh, params, fname, &certlist, - &loaded_certs); + &loaded_certs); if (rv != KMF_OK) { free(fname); @@ -1053,16 +1051,16 @@ for (i = 0; i < loaded_certs && n < maxcerts; i++) { kmf_cert[n].certificate.Data = - certlist[i].Data; + certlist[i].Data; kmf_cert[n].certificate.Length = - certlist[i].Length; + certlist[i].Length; kmf_cert[n].kmf_private.keystore_type = - KMF_KEYSTORE_OPENSSL; + KMF_KEYSTORE_OPENSSL; kmf_cert[n].kmf_private.flags = - KMF_FLAG_CERT_VALID; + KMF_FLAG_CERT_VALID; kmf_cert[n].kmf_private.label = - strdup(fname); + strdup(fname); n++; } /* @@ -1091,7 +1089,7 @@ uint32_t loaded_certs = 0; rv = load_certs(kmfh, params, fullpath, - &certlist, &loaded_certs); + &certlist, &loaded_certs); if (rv != KMF_OK) { free(fullpath); return (rv); @@ -1101,15 +1099,15 @@ if (kmf_cert != NULL && certlist != NULL) { for (i = 0; i < loaded_certs && i < maxcerts; i++) { kmf_cert[n].certificate.Data = - certlist[i].Data; + certlist[i].Data; kmf_cert[n].certificate.Length = - certlist[i].Length; + certlist[i].Length; kmf_cert[n].kmf_private.keystore_type = - KMF_KEYSTORE_OPENSSL; + KMF_KEYSTORE_OPENSSL; kmf_cert[n].kmf_private.flags = - KMF_FLAG_CERT_VALID; + KMF_FLAG_CERT_VALID; kmf_cert[n].kmf_private.label = - strdup(fullpath); + strdup(fullpath); n++; } /* If maxcerts < loaded_certs, clean up */ @@ -1177,7 +1175,7 @@ fullpath = get_fullpath(params->sslparms.dirpath, - params->sslparms.certfile); + params->sslparms.certfile); if (fullpath == NULL) return (KMF_ERR_BAD_PARAMETER); @@ -1198,8 +1196,7 @@ } (void) memcpy(outbuf, pcert->Data, pcert->Length); - if ((fp = fopen(fullpath, "w")) == - NULL) { + if ((fp = fopen(fullpath, "w")) == NULL) { SET_SYS_ERROR(kmfh, errno); ret = KMF_ERR_INTERNAL; goto out; @@ -1270,7 +1267,7 @@ } fullpath = get_fullpath(params->sslparms.dirpath, - params->sslparms.certfile); + params->sslparms.certfile); if (fullpath == NULL) return (KMF_ERR_BAD_PARAMETER); @@ -1290,7 +1287,7 @@ char *fname; fname = get_fullpath(fullpath, - (char *)&dp->d_name); + (char *)&dp->d_name); if (fname == NULL) { rv = KMF_ERR_MEMORY; @@ -1373,7 +1370,7 @@ } DSA_free(pubkey); } else { - return (KMF_ERR_BAD_PARAMETER); + return (KMF_ERR_BAD_PARAMETER); } keydata->Length = n; @@ -1417,18 +1414,14 @@ if (pkey->type == EVP_PKEY_RSA) { rsa = EVP_PKEY_get1_RSA(pkey); rv = PEM_write_bio_RSAPrivateKey(out, - rsa, - NULL /* encryption type */, - NULL, 0, NULL, - cred->cred); + rsa, NULL /* encryption type */, + NULL, 0, NULL, cred->cred); RSA_free(rsa); } else if (pkey->type == EVP_PKEY_DSA) { dsa = EVP_PKEY_get1_DSA(pkey); rv = PEM_write_bio_DSAPrivateKey(out, - dsa, - NULL /* encryption type */, - NULL, 0, NULL, - cred->cred); + dsa, NULL /* encryption type */, + NULL, 0, NULL, cred->cred); DSA_free(dsa); } @@ -1466,7 +1459,7 @@ } fullpath = get_fullpath(params->sslparms.dirpath, - params->sslparms.keyfile); + params->sslparms.keyfile); if (fullpath == NULL) return (KMF_ERR_BAD_PARAMETER); @@ -1497,13 +1490,13 @@ eValue = *(uint32_t *)params->rsa_exponent.val; sslPrivKey = RSA_generate_key(params->keylength, eValue, - NULL, NULL); + NULL, NULL); if (sslPrivKey == NULL) { SET_ERROR(kmfh, ERR_get_error()); rv = KMF_ERR_KEYGEN_FAILED; } else { if (privkey != NULL && - EVP_PKEY_set1_RSA(eprikey, sslPrivKey)) { + EVP_PKEY_set1_RSA(eprikey, sslPrivKey)) { privkey->kstype = KMF_KEYSTORE_OPENSSL; privkey->keyalg = KMF_RSA; privkey->keyclass = KMF_ASYM_PRI; @@ -1513,7 +1506,7 @@ } /* OpenSSL derives the public key from the private */ if (pubkey != NULL && - EVP_PKEY_set1_RSA(epubkey, sslPrivKey)) { + EVP_PKEY_set1_RSA(epubkey, sslPrivKey)) { pubkey->kstype = KMF_KEYSTORE_OPENSSL; pubkey->keyalg = KMF_RSA; pubkey->israw = FALSE; @@ -1530,19 +1523,19 @@ } if ((sslDSAKey->p = BN_bin2bn(P, sizeof (P), sslDSAKey->p)) == - NULL) { + NULL) { SET_ERROR(kmfh, ERR_get_error()); rv = KMF_ERR_KEYGEN_FAILED; goto cleanup; } if ((sslDSAKey->q = BN_bin2bn(Q, sizeof (Q), sslDSAKey->q)) == - NULL) { + NULL) { SET_ERROR(kmfh, ERR_get_error()); rv = KMF_ERR_KEYGEN_FAILED; goto cleanup; } if ((sslDSAKey->g = BN_bin2bn(G, sizeof (G), sslDSAKey->g)) == - NULL) { + NULL) { SET_ERROR(kmfh, ERR_get_error()); rv = KMF_ERR_KEYGEN_FAILED; goto cleanup; @@ -1691,9 +1684,9 @@ const EVP_MD *md; if (key == NULL || AlgOID == NULL || - tobesigned == NULL || output == NULL || - tobesigned->Data == NULL || - output->Data == NULL) + tobesigned == NULL || output == NULL || + tobesigned->Data == NULL || + output->Data == NULL) return (KMF_ERR_BAD_PARAMETER); /* Map the OID to an OpenSSL algorithm */ @@ -1721,8 +1714,8 @@ p = output->Data; if ((len = RSA_private_encrypt(tobesigned->Length, - tobesigned->Data, p, rsa, - RSA_PKCS1_PADDING)) <= 0) { + tobesigned->Data, p, rsa, + RSA_PKCS1_PADDING)) <= 0) { SET_ERROR(kmfh, ERR_get_error()); ret = KMF_ERR_INTERNAL; } @@ -1731,7 +1724,7 @@ (void) EVP_MD_CTX_init(&ctx); (void) EVP_SignInit_ex(&ctx, md, NULL); (void) EVP_SignUpdate(&ctx, tobesigned->Data, - (uint32_t)tobesigned->Length); + (uint32_t)tobesigned->Length); len = (uint32_t)output->Length; p = output->Data; if (!EVP_SignFinal(&ctx, p, (uint32_t *)&len, pkey)) { @@ -1761,7 +1754,7 @@ EVP_MD_CTX_init(&ctx); (void) EVP_DigestInit_ex(&ctx, md, NULL); (void) EVP_DigestUpdate(&ctx, tobesigned->Data, - tobesigned->Length); + tobesigned->Length); (void) EVP_DigestFinal_ex(&ctx, hash, &hashlen); (void) EVP_MD_CTX_cleanup(&ctx); @@ -1770,7 +1763,7 @@ int i; output->Length = i = BN_bn2bin(dsasig->r, output->Data); output->Length += BN_bn2bin(dsasig->s, - &output->Data[i]); + &output->Data[i]); DSA_SIG_free(dsasig); } else { SET_ERROR(kmfh, ERR_get_error()); @@ -1792,8 +1785,8 @@ return (KMF_ERR_BAD_PARAMETER); if (key->keyclass != KMF_ASYM_PUB && - key->keyclass != KMF_ASYM_PRI && - key->keyclass != KMF_SYMMETRIC) + key->keyclass != KMF_ASYM_PRI && + key->keyclass != KMF_SYMMETRIC) return (KMF_ERR_BAD_KEY_CLASS); if (key->keyclass == KMF_SYMMETRIC) { @@ -1856,7 +1849,7 @@ } outcrlfile = get_fullpath(params->sslparms.dirpath, - params->sslparms.outcrlfile); + params->sslparms.outcrlfile); if (outcrlfile == NULL) return (KMF_ERR_BAD_PARAMETER); @@ -2004,7 +1997,7 @@ } crlfile = get_fullpath(params->sslparms.dirpath, - params->sslparms.crlfile); + params->sslparms.crlfile); if (crlfile == NULL) return (KMF_ERR_BAD_PARAMETER); @@ -2097,7 +2090,7 @@ } crlfile = get_fullpath(params->sslparms.dirpath, - params->sslparms.crlfile); + params->sslparms.crlfile); if (crlfile == NULL) return (KMF_ERR_BAD_PARAMETER); @@ -2360,7 +2353,7 @@ if (i2a_ASN1_INTEGER(mem, X509_get_serialNumber(xcert)) > 0) { (void) strcpy(resultStr, "0x"); len = BIO_gets(mem, &resultStr[2], - KMF_CERT_PRINTABLE_LEN - 2); + KMF_CERT_PRINTABLE_LEN - 2); } break; @@ -2385,16 +2378,16 @@ if (pkey->type == EVP_PKEY_RSA) { (void) BIO_printf(mem, - "RSA Public Key: (%d bit)\n", - BN_num_bits(pkey->pkey.rsa->n)); + "RSA Public Key: (%d bit)\n", + BN_num_bits(pkey->pkey.rsa->n)); (void) RSA_print(mem, pkey->pkey.rsa, 0); } else if (pkey->type == EVP_PKEY_DSA) { (void) BIO_printf(mem, - "%12sDSA Public Key:\n", ""); + "%12sDSA Public Key:\n", ""); (void) DSA_print(mem, pkey->pkey.dsa, 0); } else { (void) BIO_printf(mem, - "%12sUnknown Public Key:\n", ""); + "%12sUnknown Public Key:\n", ""); } (void) BIO_printf(mem, "\n"); EVP_PKEY_free(pkey); @@ -2405,15 +2398,15 @@ case KMF_CERT_PUBKEY_ALG: if (flag == KMF_CERT_SIGNATURE_ALG) { len = i2a_ASN1_OBJECT(mem, - xcert->sig_alg->algorithm); + xcert->sig_alg->algorithm); } else { len = i2a_ASN1_OBJECT(mem, - xcert->cert_info->key->algor->algorithm); + xcert->cert_info->key->algor->algorithm); } if (len > 0) { len = BIO_read(mem, resultStr, - KMF_CERT_PRINTABLE_LEN); + KMF_CERT_PRINTABLE_LEN); } break; @@ -2459,8 +2452,8 @@ (void) i2a_ASN1_OBJECT(mem, X509_EXTENSION_get_object(ex)); if (BIO_printf(mem, ": %s\n", - X509_EXTENSION_get_critical(ex) ? "critical" : "") <= - 0) { + X509_EXTENSION_get_critical(ex) ? "critical" : "") <= + 0) { SET_ERROR(kmfh, ERR_get_error()); ret = KMF_ERR_ENCODING; goto out; @@ -2560,7 +2553,7 @@ for (i = 0; i < blocks; i++) { out_len = RSA_private_decrypt(in_len, - in_data, out_data, rsa, RSA_PKCS1_PADDING); + in_data, out_data, rsa, RSA_PKCS1_PADDING); if (out_len == 0) { ret = KMF_ERR_INTERNAL; @@ -2605,7 +2598,7 @@ /* convert the DER-encoded issuer cert to an internal X509 */ ptmp = issuer_cert->Data; issuer = d2i_X509(NULL, (const uchar_t **)&ptmp, - issuer_cert->Length); + issuer_cert->Length); if (issuer == NULL) { SET_ERROR(kmfh, ERR_get_error()); ret = KMF_ERR_OCSP_BAD_ISSUER; @@ -2615,7 +2608,7 @@ /* convert the DER-encoded user cert to an internal X509 */ ptmp = user_cert->Data; cert = d2i_X509(NULL, (const uchar_t **)&ptmp, - user_cert->Length); + user_cert->Length); if (cert == NULL) { SET_ERROR(kmfh, ERR_get_error()); @@ -2799,7 +2792,7 @@ */ ptmp = issuer_cert->Data; issuer = d2i_X509(NULL, (const uchar_t **)&ptmp, - issuer_cert->Length); + issuer_cert->Length); if (issuer == NULL) { SET_ERROR(kmfh, ERR_get_error()); ret = KMF_ERR_OCSP_BAD_ISSUER; @@ -3100,12 +3093,12 @@ return (KMF_ERR_BAD_PARAMETER); if (params->keyclass != KMF_ASYM_PUB && - params->keyclass != KMF_ASYM_PRI && - params->keyclass != KMF_SYMMETRIC) + params->keyclass != KMF_ASYM_PRI && + params->keyclass != KMF_SYMMETRIC) return (KMF_ERR_BAD_KEY_CLASS); fullpath = get_fullpath(params->sslparms.dirpath, - params->sslparms.keyfile); + params->sslparms.keyfile); if (fullpath == NULL) return (KMF_ERR_BAD_PARAMETER); @@ -3132,11 +3125,11 @@ char *fname; fname = get_fullpath(fullpath, - (char *)&dp->d_name); + (char *)&dp->d_name); rv = fetch_key(handle, fname, - params->keyclass, - key ? &key[n] : NULL); + params->keyclass, + key ? &key[n] : NULL); if (rv == KMF_OK) n++; @@ -3206,7 +3199,7 @@ if (sslcert != NULL && pkey != NULL) { if (X509_check_private_key(sslcert, pkey)) { (void) X509_digest(sslcert, EVP_sha1(), keyid, - &keyidlen); + &keyidlen); } else { /* The key doesn't match the cert */ HANDLE_PK12_ERROR @@ -3226,7 +3219,7 @@ /* Add the key id to the certificate bag. */ if (keyidlen > 0 && - !PKCS12_add_localkeyid(bag, keyid, keyidlen)) { + !PKCS12_add_localkeyid(bag, keyid, keyidlen)) { HANDLE_PK12_ERROR } @@ -3244,7 +3237,7 @@ uchar_t *p = (uchar_t *)c->certificate.Data; ca = d2i_X509(NULL, &p, - c->certificate.Length); + c->certificate.Length); if (ca == NULL) { HANDLE_PK12_ERROR } @@ -3264,11 +3257,9 @@ #endif /* Turn bag_stack of certs into encrypted authsafe. */ cert_authsafe = PKCS12_pack_p7encdata( - NID_pbe_WithSHA1And40BitRC2_CBC, - cred->cred, - cred->credlen, NULL, 0, - PKCS12_DEFAULT_ITER, - bag_stack); + NID_pbe_WithSHA1And40BitRC2_CBC, + cred->cred, cred->credlen, NULL, 0, + PKCS12_DEFAULT_ITER, bag_stack); /* Clear away this bag_stack, we're done with it. */ sk_PKCS12_SAFEBAG_pop_free(bag_stack, PKCS12_SAFEBAG_free); @@ -3294,9 +3285,9 @@ } /* Put the shrouded key into a PKCS#12 bag. */ bag = PKCS12_MAKE_SHKEYBAG( - NID_pbe_WithSHA1And3_Key_TripleDES_CBC, - cred->cred, cred->credlen, - NULL, 0, PKCS12_DEFAULT_ITER, p8); + NID_pbe_WithSHA1And3_Key_TripleDES_CBC, + cred->cred, cred->credlen, + NULL, 0, PKCS12_DEFAULT_ITER, p8); /* Clean up the PKCS#8 shrouded key, don't need it now. */ PKCS8_PRIV_KEY_INFO_free(p8); @@ -3306,12 +3297,12 @@ HANDLE_PK12_ERROR } if (keyidlen && - !PKCS12_add_localkeyid(bag, keyid, keyidlen)) { + !PKCS12_add_localkeyid(bag, keyid, keyidlen)) { HANDLE_PK12_ERROR } if (lab != NULL) { if (!PKCS12_add_friendlyname(bag, - (char *)lab, lab_len)) { + (char *)lab, lab_len)) { HANDLE_PK12_ERROR } } @@ -3374,7 +3365,7 @@ /* Set the integrity MAC on the PKCS#12 element. */ if (!PKCS12_set_mac(p12_elem, cred->cred, cred->credlen, - NULL, 0, PKCS12_DEFAULT_ITER, NULL)) { + NULL, 0, PKCS12_DEFAULT_ITER, NULL)) { HANDLE_PK12_ERROR } @@ -3406,37 +3397,37 @@ return (NULL); if ((rsa->e = BN_bin2bn(key->pubexp.val, key->pubexp.len, rsa->e)) == - NULL) + NULL) return (NULL); if (key->priexp.val != NULL) if ((rsa->d = BN_bin2bn(key->priexp.val, key->priexp.len, - rsa->d)) == NULL) + rsa->d)) == NULL) return (NULL); if (key->prime1.val != NULL) if ((rsa->p = BN_bin2bn(key->prime1.val, key->prime1.len, - rsa->p)) == NULL) + rsa->p)) == NULL) return (NULL); if (key->prime2.val != NULL) if ((rsa->q = BN_bin2bn(key->prime2.val, key->prime2.len, - rsa->q)) == NULL) + rsa->q)) == NULL) return (NULL); if (key->exp1.val != NULL) if ((rsa->dmp1 = BN_bin2bn(key->exp1.val, key->exp1.len, - rsa->dmp1)) == NULL) + rsa->dmp1)) == NULL) return (NULL); if (key->exp2.val != NULL) if ((rsa->dmq1 = BN_bin2bn(key->exp2.val, key->exp2.len, - rsa->dmq1)) == NULL) + rsa->dmq1)) == NULL) return (NULL); if (key->coef.val != NULL) if ((rsa->iqmp = BN_bin2bn(key->coef.val, key->coef.len, - rsa->iqmp)) == NULL) + rsa->iqmp)) == NULL) return (NULL); if ((newkey = EVP_PKEY_new()) == NULL) @@ -3460,19 +3451,19 @@ return (NULL); if ((dsa->p = BN_bin2bn(key->prime.val, key->prime.len, - dsa->p)) == NULL) + dsa->p)) == NULL) return (NULL); if ((dsa->q = BN_bin2bn(key->subprime.val, key->subprime.len, - dsa->q)) == NULL) + dsa->q)) == NULL) return (NULL); if ((dsa->g = BN_bin2bn(key->base.val, key->base.len, - dsa->g)) == NULL) + dsa->g)) == NULL) return (NULL); if ((dsa->priv_key = BN_bin2bn(key->value.val, key->value.len, - dsa->priv_key)) == NULL) + dsa->priv_key)) == NULL) return (NULL); if ((newkey = EVP_PKEY_new()) == NULL) @@ -3519,10 +3510,10 @@ if (key->keytype == KMF_RSA) { pkey = ImportRawRSAKey( - &key->rawdata.rsa); + &key->rawdata.rsa); } else if (key->keytype == KMF_DSA) { pkey = ImportRawDSAKey( - &key->rawdata.dsa); + &key->rawdata.dsa); } else { rv = KMF_ERR_BAD_PARAMETER; } @@ -3580,16 +3571,14 @@ */ if (certlist != NULL || keylist != NULL) { rv = ExportPK12FromRawData(handle, - ¶ms->p12cred, - numcerts, certlist, - numkeys, keylist, - filename); + ¶ms->p12cred, numcerts, certlist, + numkeys, keylist, filename); return (rv); } if (params->sslparms.certfile != NULL) { fullpath = get_fullpath(params->sslparms.dirpath, - params->sslparms.certfile); + params->sslparms.certfile); if (fullpath == NULL) return (KMF_ERR_BAD_PARAMETER); @@ -3620,7 +3609,7 @@ */ if (params->sslparms.keyfile != NULL) { fullpath = get_fullpath(params->sslparms.dirpath, - params->sslparms.keyfile); + params->sslparms.keyfile); if (fullpath == NULL) return (KMF_ERR_BAD_PARAMETER); @@ -3648,7 +3637,7 @@ /* Stick the key and the cert into a PKCS#12 file */ rv = write_pkcs12(kmfh, bio, ¶ms->p12cred, - pkey, xcert); + pkey, xcert); end: if (fullpath) @@ -3679,7 +3668,7 @@ { KMF_RETURN rv = KMF_OK; FILE *fp; - STACK_OF(X509_INFO) *x509_info_stack; + STACK_OF(X509_INFO) *x509_info_stack = NULL; int i, ncerts = 0, matchcerts = 0; EVP_PKEY *pkey = NULL; X509_INFO *info; @@ -3701,16 +3690,18 @@ return (KMF_ERR_ENCODING); } - /*LINTED*/ - while ((info = sk_X509_INFO_pop(x509_info_stack)) != NULL && - info->x509 != NULL && ncerts < MAX_CHAIN_LENGTH) { - cert_infos[ncerts] = info; + for (i = 0; + i < sk_X509_INFO_num(x509_info_stack) && i < MAX_CHAIN_LENGTH; + i++) { + /*LINTED*/ + cert_infos[ncerts] = sk_X509_INFO_value(x509_info_stack, i); ncerts++; } if (ncerts == 0) { (void) fclose(fp); - return (KMF_ERR_CERT_NOT_FOUND); + rv = KMF_ERR_CERT_NOT_FOUND; + goto err; } if (priv_key != NULL) { @@ -3725,15 +3716,16 @@ */ if (pkey != NULL && !X509_check_private_key(x, pkey)) { EVP_PKEY_free(pkey); - return (KMF_ERR_KEY_MISMATCH); + rv = KMF_ERR_KEY_MISMATCH; + goto err; } certlist = (KMF_DATA *)malloc(ncerts * sizeof (KMF_DATA)); if (certlist == NULL) { if (pkey != NULL) EVP_PKEY_free(pkey); - X509_INFO_free(info); - return (KMF_ERR_MEMORY); + rv = KMF_ERR_MEMORY; + goto err; } /* @@ -3747,7 +3739,6 @@ if (params != NULL) { rv = check_cert(info->x509, params, &match); if (rv != KMF_OK || match != TRUE) { - X509_INFO_free(info); rv = KMF_OK; continue; } @@ -3761,8 +3752,6 @@ certlist = NULL; ncerts = matchcerts = 0; } - - X509_INFO_free(info); } if (numcerts != NULL) @@ -3775,6 +3764,16 @@ else if (priv_key != NULL && pkey != NULL) *priv_key = pkey; +err: + /* Cleanup the stack of X509 info records */ + for (i = 0; i < sk_X509_INFO_num(x509_info_stack); i++) { + /*LINTED*/ + info = (X509_INFO *)sk_X509_INFO_value(x509_info_stack, i); + X509_INFO_free(info); + } + if (x509_info_stack) + sk_X509_INFO_free(x509_info_stack); + return (rv); } @@ -3970,7 +3969,7 @@ list = (KMF_RAW_KEY_DATA *)malloc(sizeof (KMF_RAW_KEY_DATA)); } else { list = (KMF_RAW_KEY_DATA *)realloc(list, - sizeof (KMF_RAW_KEY_DATA) * (n + 1)); + sizeof (KMF_RAW_KEY_DATA) * (n + 1)); } if (list == NULL) @@ -4001,14 +4000,14 @@ switch (sslkey->type) { case EVP_PKEY_RSA: rv = exportRawRSAKey(EVP_PKEY_get1_RSA(sslkey), - &key); + &key); if (rv != KMF_OK) return (rv); break; case EVP_PKEY_DSA: rv = exportRawDSAKey(EVP_PKEY_get1_DSA(sslkey), - &key); + &key); if (rv != KMF_OK) return (rv); @@ -4073,15 +4072,13 @@ *ncerts = 0; *nkeys = 0; - rv = extract_pkcs12(bio, - (uchar_t *)cred->cred, - (uint32_t)cred->credlen, - &privkey, &cert, &cacerts); + rv = extract_pkcs12(bio, (uchar_t *)cred->cred, + (uint32_t)cred->credlen, &privkey, &cert, &cacerts); if (rv == KMF_OK) /* Convert keys and certs to exportable format */ rv = convertPK12Objects(kmfh, privkey, cert, cacerts, - keylist, nkeys, certlist, ncerts); + keylist, nkeys, certlist, ncerts); end: if (bio != NULL) @@ -4122,7 +4119,7 @@ /* This function only works on PEM files */ if (format != KMF_FORMAT_PEM && - format != KMF_FORMAT_PEM_KEYPAIR) + format != KMF_FORMAT_PEM_KEYPAIR) return (KMF_ERR_ENCODING); *certlist = NULL; @@ -4130,15 +4127,14 @@ *ncerts = 0; *nkeys = 0; rv = extract_objects(kmfh, NULL, filename, - (uchar_t *)cred->cred, - (uint32_t)cred->credlen, - &privkey, certlist, ncerts); + (uchar_t *)cred->cred, (uint32_t)cred->credlen, + &privkey, certlist, ncerts); /* Reached end of import file? */ if (rv == KMF_OK) /* Convert keys and certs to exportable format */ rv = convertPK12Objects(kmfh, privkey, NULL, NULL, - keylist, nkeys, NULL, NULL); + keylist, nkeys, NULL, NULL); end: if (privkey) @@ -4172,7 +4168,7 @@ return (rv); fullpath = get_fullpath(params->sslparms.dirpath, - params->sslparms.keyfile); + params->sslparms.keyfile); if (fullpath == NULL) return (KMF_ERR_BAD_PARAMETER); @@ -4190,9 +4186,8 @@ goto cleanup; } - rv = ssl_write_private_key(kmfh, - params->sslparms.format, - bio, ¶ms->cred, pkey); + rv = ssl_write_private_key(kmfh, params->sslparms.format, + bio, ¶ms->cred, pkey); cleanup: if (fullpath) @@ -4347,7 +4342,7 @@ } fullpath = get_fullpath(params->sslparms.dirpath, - params->sslparms.keyfile); + params->sslparms.keyfile); if (fullpath == NULL) return (KMF_ERR_BAD_PARAMETER); @@ -4687,7 +4682,7 @@ if ((*pformat) == KMF_FORMAT_PEM) { if ((xcert = PEM_read_bio_X509(bio, NULL, - NULL, NULL)) == NULL) { + NULL, NULL)) == NULL) { ret = KMF_ERR_BAD_CERTFILE; } } else if ((*pformat) == KMF_FORMAT_ASN1) { @@ -4884,7 +4879,7 @@ /* Decrypt the input signature */ len = RSA_public_decrypt(insig->Length, - insig->Data, rsaout, pkey->pkey.rsa, RSA_PKCS1_PADDING); + insig->Data, rsaout, pkey->pkey.rsa, RSA_PKCS1_PADDING); if (len < 1) { SET_ERROR(kmfh, ERR_get_error()); ret = KMF_ERR_BAD_PARAMETER; @@ -4911,11 +4906,11 @@ } (void) EVP_DigestInit(&ctx, md); (void) EVP_DigestUpdate(&ctx, indata->Data, - indata->Length); + indata->Length); /* Add the digest AFTER the ASN1 prefix */ (void) EVP_DigestFinal(&ctx, - (uchar_t *)digest + pfxlen, &dlen); + (uchar_t *)digest + pfxlen, &dlen); dlen += pfxlen; } else {