
[multiple] fix coverity warnings

master
Glenn Strauss 5 months ago
parent
commit
0e2a14921e
  1. 15
      src/mod_gnutls.c
  2. 16
      src/mod_mbedtls.c
  3. 7
      src/mod_nss.c
  4. 11
      src/mod_wolfssl.c

15
src/mod_gnutls.c

@ -350,7 +350,16 @@ mod_gnutls_session_ticket_key_file (const char *fn)
if (buf[0] == 0) { /*(format version 0)*/
session_ticket_keys[0].active_ts = buf[1];
session_ticket_keys[0].expire_ts = buf[2];
#ifndef __COVERITY__
memcpy(&session_ticket_keys[0].tick_key_name, buf+3, 80);
#else
memcpy(&session_ticket_keys[0].tick_key_name,
buf+3, TLSEXT_KEYNAME_LENGTH);
memcpy(&session_ticket_keys[0].tick_hmac_key,
buf+7, TLSEXT_TICK_KEY_LENGTH);
memcpy(&session_ticket_keys[0].tick_aes_key,
buf+15, TLSEXT_TICK_KEY_LENGTH);
#endif
rc = 1;
}
@ -378,7 +387,13 @@ mod_gnutls_session_ticket_key_check (server *srv, const plugin_data *p, const ti
}
memcpy(session_ticket_key.data,
stek->tick_key_name, TICKET_MASTER_KEY_SIZE);
#ifndef __COVERITY__
gnutls_memset(stek->tick_key_name, 0, TICKET_MASTER_KEY_SIZE);
#else
gnutls_memset(stek->tick_key_name, 0, TLSEXT_KEYNAME_LENGTH);
gnutls_memset(stek->tick_hmac_key, 0, TLSEXT_TICK_KEY_LENGTH);
gnutls_memset(stek->tick_aes_key, 0, TLSEXT_TICK_KEY_LENGTH);
#endif
}
if (stek->expire_ts < cur_ts)
mod_gnutls_session_ticket_key_free();
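Review bot: In mod_gnutls_session_ticket_key_file() the shipped build still does the single `memcpy(&session_ticket_keys[0].tick_key_name, buf+3, 80)` across three struct members, and only the `__COVERITY__` build gets the per-field copies, so the analyser no longer checks the code that actually handles the ticket key material. The 80-byte copy is correct only if `tick_key_name`, `tick_hmac_key` and `tick_aes_key` are adjacent without padding and their sizes sum to 80, which is not visible in this hunk; formally it is a write past the named member. I would drop the `#ifndef` and use the three per-field `memcpy` calls in every build, and do the same for the three `gnutls_memset` calls in mod_gnutls_session_ticket_key_check() and for the identical hunk in src/mod_mbedtls.c. The offsets `buf+7` and `buf+15` also deserve a comment stating the element width of `buf` they assume. Both functions start and end outside the hunks.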

16
src/mod_mbedtls.c

@ -313,7 +313,16 @@ mod_mbedtls_session_ticket_key_file (const char *fn)
if (buf[0] == 0) { /*(format version 0)*/
session_ticket_keys[0].active_ts = buf[1];
session_ticket_keys[0].expire_ts = buf[2];
#ifndef __COVERITY__
memcpy(&session_ticket_keys[0].tick_key_name, buf+3, 80);
#else
memcpy(&session_ticket_keys[0].tick_key_name,
buf+3, TLSEXT_KEYNAME_LENGTH);
memcpy(&session_ticket_keys[0].tick_hmac_key,
buf+7, TLSEXT_TICK_KEY_LENGTH);
memcpy(&session_ticket_keys[0].tick_aes_key,
buf+15, TLSEXT_TICK_KEY_LENGTH);
#endif
rc = 1;
}
@ -2292,7 +2301,10 @@ http_cgi_ssl_env (request_st * const r, handler_ctx * const hctx)
s = cipher_info->name;
http_header_env_set(r, CONST_STR_LEN("SSL_CIPHER"), s, strlen(s));
if (cipher_info != NULL) {
#if 0 /*(for use with mbedtls_cipher_info_from_type() above)*/
if (cipher_info != NULL)
#endif
{
/* SSL_CIPHER_ALGKEYSIZE - Number of cipher bits (possible) */
/* SSL_CIPHER_USEKEYSIZE - Number of cipher bits (actually used) */
/* XXX: is usekeysize correct? XXX: reaching into ssl_internal.h here */
@ -3598,7 +3610,7 @@ mod_mbedtls_ssl_conf_proto (server *srv, plugin_config_socket *s, const buffer *
#ifdef MBEDTLS_SSL_MINOR_VERSION_4
v = max ? MBEDTLS_SSL_MINOR_VERSION_4 : MBEDTLS_SSL_MINOR_VERSION_3;
#else
v = max ? MBEDTLS_SSL_MINOR_VERSION_3 : MBEDTLS_SSL_MINOR_VERSION_3;
v = MBEDTLS_SSL_MINOR_VERSION_3;
#endif
else if (buffer_eq_icase_slen(b, CONST_STR_LEN("None"))) /*"disable" limit*/
v = max
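Review bot: In http_cgi_ssl_env() `s = cipher_info->name;` dereferences `cipher_info` two lines before the NULL test that this change moves under `#if 0`, so the guard never protected that dereference and the block below it now runs unconditionally. Where `cipher_info` is assigned is outside the hunk; if it can be NULL on any path (the comment points at an `mbedtls_cipher_info_from_type()` variant above), the name lookup and the `SSL_CIPHER` header set need to sit inside the guard rather than before it. I would either place `if (cipher_info != NULL) {` ahead of `s = cipher_info->name;`, or add a comment such as `/* cipher_info is non-NULL here: <reason> */` so the disabled check is not re-enabled on its own later.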

7
src/mod_nss.c

@ -2228,8 +2228,10 @@ connection_read_cq_ssl (connection *con, chunkqueue *cq, off_t max_bytes)
/* the other end closed the connection -> KEEP-ALIVE */
return -2;
#ifndef __COVERITY__
} else {
return 0;
#endif
}
}
@ -3490,10 +3492,9 @@ mod_nss_ssl_conf_ciphersuites (server *srv, plugin_config_socket *s, buffer *cip
char *ciphers = strdup(cipherstring->ptr);/*(string modified during parse)*/
if (NULL == ciphers) return 0;
if (nss_parse_ciphers(srv->errh, ciphers, cipher_state) == -1)
return 0;
int rc = nss_parse_ciphers(srv->errh, ciphers, cipher_state);
free(ciphers);
if (-1 == rc) return 0;
if (((s->protos.min && s->protos.min <= SSL_LIBRARY_VERSION_3_0)
|| s->ssl_use_sslv3)
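Review bot: In the first hunk of connection_read_cq_ssl() the `} else {` / `return 0;` pair is compiled out under `__COVERITY__` while the closing `}` stays outside the conditional, so that brace closes the `else` in normal builds and the preceding branch in analysis builds. Both variants stay balanced, but the arrangement is easy to break on the next edit, and the analyser sees different control flow from the shipped binary. If the `else` is unreachable I would delete it; if it is kept as a defensive default, a comment such as `/* not expected to be reached; kept as a defensive default, hidden from Coverity */` would record why. The enclosing if/else chain begins outside the hunk.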

11
src/mod_wolfssl.c

@ -744,6 +744,7 @@ mod_wolfssl_evp_pkey_load_pem_file (const char *fn, log_error_st *errh)
if (rc < 0) {
log_error(errh, __FILE__, __LINE__, "%s() %s", __func__, fn);
buffer_free(pkey);
return NULL;
}
@ -783,7 +784,7 @@ mod_wolfssl_load_client_CA_file (const buffer *ssl_ca_file, log_error_st *errh)
/* similar to wolfSSL_load_client_CA_file(), plus some processing */
buffer **certs = NULL;
if (NULL == mod_wolfssl_load_pem_file(ssl_ca_file->ptr, errh, &certs)) {
#ifdef __clang_analyzer__
#if defined(__clang_analyzer__) || defined(__COVERITY__)
mod_wolfssl_free_der_certs(certs); /*unnecessary; quiet clang analyzer*/
#endif
return NULL;
@ -831,7 +832,7 @@ mod_wolfssl_load_cacerts (const buffer *ssl_ca_file, log_error_st *errh)
/* similar to wolfSSL_load_client_CA_file(), plus some processing */
buffer **certs = NULL;
if (NULL == mod_wolfssl_load_pem_file(ssl_ca_file->ptr, errh, &certs)) {
#ifdef __clang_analyzer__
#if defined(__clang_analyzer__) || defined(__COVERITY__)
mod_wolfssl_free_der_certs(certs); /*unnecessary; quiet clang analyzer*/
#endif
return NULL;
@ -1527,8 +1528,12 @@ network_openssl_load_pemfile (server *srv, const buffer *pemfile, const buffer *
buffer **ssl_pemfile_chain = NULL;
buffer *ssl_pemfile_x509 =
mod_wolfssl_load_pem_file(pemfile->ptr, srv->errh, &ssl_pemfile_chain);
if (NULL == ssl_pemfile_x509)
if (NULL == ssl_pemfile_x509) {
#if defined(__clang_analyzer__) || defined(__COVERITY__)
mod_wolfssl_free_der_certs(ssl_pemfile_chain); /*unnecessary*/
#endif
return NULL;
}
buffer *ssl_pemfile_pkey =
mod_wolfssl_evp_pkey_load_pem_file(privkey->ptr, srv->errh);
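Review bot: The `if (rc < 0)` error path in mod_wolfssl_evp_pkey_load_pem_file() releases `pkey` with `buffer_free(pkey)` without clearing it first. What `pkey` holds when `rc < 0` is decided outside the hunk, but if the PEM decoding step can fail after writing part of the private key into it, those bytes stay in freed heap memory. I would zero the buffer's contents with the project's secure-clear helper before `buffer_free(pkey)`, skipping the wipe when `pkey` is NULL. The function body starts outside the hunk.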
