Diffstat (limited to 'security/nss/lib/certhigh')
-rw-r--r--security/nss/lib/certhigh/certhigh.c18
-rw-r--r--security/nss/lib/certhigh/certhtml.c25
-rw-r--r--security/nss/lib/certhigh/ocsp.c4
3 files changed, 37 insertions, 10 deletions
diff --git a/security/nss/lib/certhigh/certhigh.c b/security/nss/lib/certhigh/certhigh.c
index 55259898b6..7ae80b193e 100644
--- a/security/nss/lib/certhigh/certhigh.c
+++ b/security/nss/lib/certhigh/certhigh.c
@@ -11,6 +11,7 @@
#include "cert.h"
#include "certxutl.h"
+#include "certi.h"
#include "nsspki.h"
#include "pki.h"
#include "pkit.h"
@@ -289,7 +290,7 @@ CERT_FindUserCertByUsage(CERTCertDBHandle *handle,
goto loser;
}
- if (!CERT_LIST_END(CERT_LIST_HEAD(certList), certList)) {
+ if (!CERT_LIST_EMPTY(certList)) {
cert = CERT_DupCertificate(CERT_LIST_HEAD(certList)->cert);
}
@@ -872,6 +873,7 @@ cert_ImportCAChain(SECItem *certs, int numcerts, SECCertUsage certUsage, PRBool
PRBool isca;
char *nickname;
unsigned int certtype;
+ PRBool istemp = PR_FALSE;
handle = CERT_GetDefaultCertDB();
@@ -949,7 +951,11 @@ cert_ImportCAChain(SECItem *certs, int numcerts, SECCertUsage certUsage, PRBool
}
/* if the cert is temp, make it perm; otherwise we're done */
- if (cert->istemp) {
+ rv = CERT_GetCertIsTemp(cert, &istemp);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ if (istemp) {
/* get a default nickname for it */
nickname = CERT_MakeCANickname(cert);
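Review bot: The new `goto loser` after a failed `CERT_GetCertIsTemp` leaves the loop while `cert` is still referenced, and the later hunk at -963 in this file removes the in-loop `CERT_DestroyCertificate(cert); cert = NULL;`. The release of `cert` therefore has to happen outside these hunks, exactly once on the normal end of an iteration and exactly once on the `loser` path. That code is not visible here, and cert_ImportCAChain starts and ends outside the hunk, so please confirm both paths. A comment at the check, for example `/* cert is not released here; the loop exit paths own that */`, would record the ownership rule for the next change.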
@@ -963,9 +969,6 @@ cert_ImportCAChain(SECItem *certs, int numcerts, SECCertUsage certUsage, PRBool
rv = SECSuccess;
}
- CERT_DestroyCertificate(cert);
- cert = NULL;
-
if (rv != SECSuccess) {
goto loser;
}
@@ -1080,7 +1083,10 @@ CERT_CertChainFromCert(CERTCertificate *cert, SECCertUsage usage,
derCert.len = (unsigned int)stanCert->encoding.size;
derCert.data = (unsigned char *)stanCert->encoding.data;
derCert.type = siBuffer;
- SECITEM_CopyItem(arena, &chain->certs[i], &derCert);
+ if (SECITEM_CopyItem(arena, &chain->certs[i], &derCert) != SECSuccess) {
+ CERT_DestroyCertificate(cCert);
+ goto loser;
+ }
stanCert = stanChain[++i];
if (!stanCert && !cCert->isRoot) {
/* reached the end of the chain, but the final cert is
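Review bot: On a failed `SECITEM_CopyItem` the new branch releases `cCert` and jumps to `loser` before `stanCert = stanChain[++i];` has advanced `i`. If the cleanup under `loser`, which is outside the hunk, walks `stanChain` from index `i` and releases each remaining certificate, this entry would be released twice. Please check the label, then either drop the `CERT_DestroyCertificate(cCert);` in this branch or advance `i` before the jump, whichever matches what the cleanup does.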
diff --git a/security/nss/lib/certhigh/certhtml.c b/security/nss/lib/certhigh/certhtml.c
index a522f69255..2d708cc950 100644
--- a/security/nss/lib/certhigh/certhtml.c
+++ b/security/nss/lib/certhigh/certhtml.c
@@ -102,6 +102,8 @@ CERT_FormatName(CERTName *name)
goto loser;
}
len += cn->len;
+ // cn will always have BREAK after it
+ len += BREAKLEN;
break;
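Review bot: Each added `len += BREAKLEN;` or `len += COMMALEN;` in this and the following CERT_FormatName hunks encodes what the formatting code further down writes after a field, and that code is outside the hunks. With the 128-byte slack removed in the last hunk, any separator the write side emits that is not counted here becomes a write past the end of `buf`. A debug check after formatting, such as `PORT_Assert(written < len);` where `written` stands for the number of bytes produced (name constructed here), would catch the two sides drifting apart. As a style point, the added comments use `//` while the surrounding context lines use `/* */`.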
case SEC_OID_AVA_COUNTRY_NAME:
if (country) {
@@ -112,6 +114,10 @@ CERT_FormatName(CERTName *name)
goto loser;
}
len += country->len;
+ // country may have COMMA after it (if we over-count len,
+ // that's fine - we'll just allocate a buffer larger than we
+ // need)
+ len += COMMALEN;
break;
case SEC_OID_AVA_LOCALITY:
if (loc) {
@@ -122,6 +128,8 @@ CERT_FormatName(CERTName *name)
goto loser;
}
len += loc->len;
+ // loc may have COMMA after it
+ len += COMMALEN;
break;
case SEC_OID_AVA_STATE_OR_PROVINCE:
if (state) {
@@ -132,6 +140,9 @@ CERT_FormatName(CERTName *name)
goto loser;
}
len += state->len;
+ // state currently won't have COMMA after it, but this is a
+ // (probably vain) attempt to future-proof this code
+ len += COMMALEN;
break;
case SEC_OID_AVA_ORGANIZATION_NAME:
if (org) {
@@ -142,6 +153,8 @@ CERT_FormatName(CERTName *name)
goto loser;
}
len += org->len;
+ // org will have BREAK after it
+ len += BREAKLEN;
break;
case SEC_OID_AVA_DN_QUALIFIER:
if (dq) {
@@ -152,6 +165,8 @@ CERT_FormatName(CERTName *name)
goto loser;
}
len += dq->len;
+ // dq will have BREAK after it
+ len += BREAKLEN;
break;
case SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME:
if (ou_count < MAX_OUS) {
@@ -160,6 +175,8 @@ CERT_FormatName(CERTName *name)
goto loser;
}
len += orgunit[ou_count++]->len;
+ // each ou will have BREAK after it
+ len += BREAKLEN;
}
break;
case SEC_OID_AVA_DC:
@@ -169,6 +186,8 @@ CERT_FormatName(CERTName *name)
goto loser;
}
len += dc[dc_count++]->len;
+ // each dc will have BREAK after it
+ len += BREAKLEN;
}
break;
case SEC_OID_PKCS9_EMAIL_ADDRESS:
@@ -181,6 +200,8 @@ CERT_FormatName(CERTName *name)
goto loser;
}
len += email->len;
+ // email will have BREAK after it
+ len += BREAKLEN;
break;
default:
break;
@@ -188,8 +209,8 @@ CERT_FormatName(CERTName *name)
}
}
- /* XXX - add some for formatting */
- len += 128;
+ // there may be a final BREAK
+ len += BREAKLEN;
/* allocate buffer */
buf = (char *)PORT_Alloc(len);
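Review bot: Nothing in the visible hunks reserves a byte for the terminating NUL, which the removed `len += 128;` covered implicitly. Unless `len` is initialised to a non-zero value outside the hunk, a name that uses every counted separator would leave no room for the terminator in the `PORT_Alloc(len)` buffer. Writing `len += BREAKLEN + 1;` with the comment `/* final BREAK plus terminating NUL */` makes the accounting explicit.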
diff --git a/security/nss/lib/certhigh/ocsp.c b/security/nss/lib/certhigh/ocsp.c
index 10485137b4..cea8456606 100644
--- a/security/nss/lib/certhigh/ocsp.c
+++ b/security/nss/lib/certhigh/ocsp.c
@@ -2195,7 +2195,7 @@ SetRequestExts(void *object, CERTCertExtension **exts)
request->tbsRequest->requestExtensions = exts;
}
-#if defined(__GNUC__)
+#if defined(__GNUC__) && !defined(NSS_NO_GCC48)
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wvarargs"
#endif
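Review bot: `NSS_NO_GCC48` is not explained at this guard or at the matching one around `#pragma GCC diagnostic pop` in the next hunk. A one-line comment at the first guard should say which builds define the macro and why the diagnostic pragmas have to be skipped for them. It is also worth noting there that the two conditions must stay identical, so a push is never left without its pop.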
@@ -2265,7 +2265,7 @@ loser:
(void)CERT_FinishExtensions(extHandle);
return rv;
}
-#if defined(__GNUC__)
+#if defined(__GNUC__) && !defined(NSS_NO_GCC48)
#pragma GCC diagnostic pop
#endif