re: PKCS#7: Verify internal certificate chain

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hello David Howells,

This is a semi-automatic email about new static checker warnings.

The patch 8c76d79393cc: "PKCS#7: Verify internal certificate chain" 
from Jul 1, 2014, leads to the following Smatch complaint:

crypto/asymmetric_keys/pkcs7_verify.c:200 pkcs7_verify_sig_chain()
	 error: we previously assumed 'x509->issuer' could be null (see line 193)

crypto/asymmetric_keys/pkcs7_verify.c
   192	
   193			if (x509->issuer)
                            ^^^^^^^^^^^^
Check.

   194				pr_debug("- issuer %s\n", x509->issuer);
   195			if (x509->authority)
   196				pr_debug("- authkeyid %s\n", x509->authority);
   197	
   198			if (!x509->authority ||
   199			    (x509->subject &&
   200			     strcmp(x509->subject, x509->issuer) == 0)) {
                                                   ^^^^^^^^^^^^
Unchecked dereference.  But maybe a non-NULL ->subject implies ->issuer
is non-NULL?

   201				/* If there's no authority certificate specified, then
   202				 * the certificate must be self-signed and is the root
   203                           * of the chain.  Likewise if the cert is its own
   204                           * authority.
   205                           */
   206                          pr_debug("- no auth?\n");
   207                          if (x509->raw_subject_size != x509->raw_issuer_size ||
   208                              memcmp(x509->raw_subject, x509->raw_issuer,
   209                                     x509->raw_issuer_size) != 0)
   210                                  return 0;
   211  
   212                          ret = x509_check_signature(x509->pub, x509);
   213                          if (ret < 0)
   214                                  return ret;
   215                          x509->signer = x509;
   216                          pr_debug("- self-signed\n");
   217                          return 0;
   218                  }
   219  
   220                  /* Look through the X.509 certificates in the PKCS#7 message's
   221                   * list to see if the next one is there.
   222                   */
   223                  pr_debug("- want %s\n", x509->authority);
   224                  for (p = pkcs7->certs; p; p = p->next) {
   225                          pr_debug("- cmp [%u] %s\n", p->index, p->fingerprint);
   226                          if (p->raw_subject_size == x509->raw_issuer_size &&
   227                              strcmp(p->fingerprint, x509->authority) == 0 &&
   228                              memcmp(p->raw_subject, x509->raw_issuer,
   229                                     x509->raw_issuer_size) == 0)
   230                                  goto found_issuer;
   231                  }
   232  
   233                  /* We didn't find the root of this chain */
   234                  pr_debug("- top\n");
   235                  return 0;
   236  
   237          found_issuer:
   238                  pr_debug("- issuer %s\n", p->subject);
                                    ^^^^^^
Also this looks like it should be "subject" instead of "issuer" but
maybe they are the same?

   239                  if (p->seen) {
   240                          pr_warn("Sig %u: X.509 chain contains loop\n",
   241                                  sinfo->index);


regards,
dan carpenter
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux