
sm: Fix issuer certificate look error due to legacy error code.

* sm/certchain.c (find_up): Get rid of the legacy return code -1 and
change var name rc to err.
(gpgsm_walk_cert_chain): Change var name rc to err.
(do_validate_chain): Get rid of the legacy return code -1.
--

This was detected while fixing
GnuPG-bug-id: 4757
Werner Koch 2021-02-25 09:00:38 +01:00
parent d763548f2e
commit 473b83d1b9
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B


@ -830,14 +830,14 @@ find_up_dirmngr (ctrl_t ctrl, KEYDB_HANDLE kh,
issuer. The certificate itself is not directly returned but a issuer. The certificate itself is not directly returned but a
keydb_get_cert on the keydb context KH will return it. Returns 0 keydb_get_cert on the keydb context KH will return it. Returns 0
on success, GPG_ERR_NOT_FOUND if not found or another error code. */ on success, GPG_ERR_NOT_FOUND if not found or another error code. */
static int static gpg_error_t
find_up (ctrl_t ctrl, KEYDB_HANDLE kh, find_up (ctrl_t ctrl, KEYDB_HANDLE kh,
ksba_cert_t cert, const char *issuer, int find_next) ksba_cert_t cert, const char *issuer, int find_next)
{ {
ksba_name_t authid; ksba_name_t authid;
ksba_sexp_t authidno; ksba_sexp_t authidno;
ksba_sexp_t keyid; ksba_sexp_t keyid;
int rc = -1; gpg_error_t err = gpg_error (GPG_ERR_NOT_FOUND);
if (DBG_X509) if (DBG_X509)
log_debug ("looking for parent certificate\n"); log_debug ("looking for parent certificate\n");
@ -846,11 +846,11 @@ find_up (ctrl_t ctrl, KEYDB_HANDLE kh,
const char *s = ksba_name_enum (authid, 0); const char *s = ksba_name_enum (authid, 0);
if (s && *authidno) if (s && *authidno)
{ {
rc = keydb_search_issuer_sn (ctrl, kh, s, authidno); err = keydb_search_issuer_sn (ctrl, kh, s, authidno);
if (rc) if (err)
keydb_search_reset (kh); keydb_search_reset (kh);
if (!rc && DBG_X509) if (!err && DBG_X509)
log_debug (" found via authid and sn+issuer\n"); log_debug (" found via authid and sn+issuer\n");
/* In case of an error, try to get the certificate from the /* In case of an error, try to get the certificate from the
@ -858,78 +858,78 @@ find_up (ctrl_t ctrl, KEYDB_HANDLE kh,
into the ephemeral DB and let the code below do the into the ephemeral DB and let the code below do the
actual retrieve. Thus there is no error checking. actual retrieve. Thus there is no error checking.
Skipped in find_next mode as usual. */ Skipped in find_next mode as usual. */
if (gpg_err_code (rc) == GPG_ERR_NOT_FOUND && !find_next) if (gpg_err_code (err) == GPG_ERR_NOT_FOUND && !find_next)
find_up_dirmngr (ctrl, kh, authidno, s, 0); find_up_dirmngr (ctrl, kh, authidno, s, 0);
/* In case of an error try the ephemeral DB. We can't do /* In case of an error try the ephemeral DB. We can't do
that in find_next mode because we can't keep the search that in find_next mode because we can't keep the search
state then. */ state then. */
if (gpg_err_code (rc) == GPG_ERR_NOT_FOUND && !find_next) if (gpg_err_code (err) == GPG_ERR_NOT_FOUND && !find_next)
{ {
int old = keydb_set_ephemeral (kh, 1); int old = keydb_set_ephemeral (kh, 1);
if (!old) if (!old)
{ {
rc = keydb_search_issuer_sn (ctrl, kh, s, authidno); err = keydb_search_issuer_sn (ctrl, kh, s, authidno);
if (rc) if (err)
keydb_search_reset (kh); keydb_search_reset (kh);
if (!rc && DBG_X509) if (!err && DBG_X509)
log_debug (" found via authid and sn+issuer (ephem)\n"); log_debug (" found via authid and sn+issuer (ephem)\n");
} }
keydb_set_ephemeral (kh, old); keydb_set_ephemeral (kh, old);
} }
if (rc) /* Need to make sure to have this error code. */ if (err) /* Need to make sure to have this error code. */
rc = gpg_error (GPG_ERR_NOT_FOUND); err = gpg_error (GPG_ERR_NOT_FOUND);
} }
if (gpg_err_code (rc) == GPG_ERR_NOT_FOUND && keyid && !find_next) if (gpg_err_code (err) == GPG_ERR_NOT_FOUND && keyid && !find_next)
{ {
/* Not found by AKI.issuer_sn. Lets try the AKI.ki /* Not found by AKI.issuer_sn. Lets try the AKI.ki
instead. Loop over all certificates with that issuer as instead. Loop over all certificates with that issuer as
subject and stop for the one with a matching subject and stop for the one with a matching
subjectKeyIdentifier. */ subjectKeyIdentifier. */
/* Fixme: Should we also search in the dirmngr? */ /* Fixme: Should we also search in the dirmngr? */
rc = find_up_search_by_keyid (ctrl, kh, issuer, keyid); err = find_up_search_by_keyid (ctrl, kh, issuer, keyid);
if (!rc && DBG_X509) if (!err && DBG_X509)
log_debug (" found via authid and keyid\n"); log_debug (" found via authid and keyid\n");
if (rc) if (err)
{ {
int old = keydb_set_ephemeral (kh, 1); int old = keydb_set_ephemeral (kh, 1);
if (!old) if (!old)
rc = find_up_search_by_keyid (ctrl, kh, issuer, keyid); err = find_up_search_by_keyid (ctrl, kh, issuer, keyid);
if (!rc && DBG_X509) if (!err && DBG_X509)
log_debug (" found via authid and keyid (ephem)\n"); log_debug (" found via authid and keyid (ephem)\n");
keydb_set_ephemeral (kh, old); keydb_set_ephemeral (kh, old);
} }
if (rc) /* Need to make sure to have this error code. */ if (err) /* Need to make sure to have this error code. */
rc = gpg_error (GPG_ERR_NOT_FOUND); err = gpg_error (GPG_ERR_NOT_FOUND);
} }
/* If we still didn't found it, try to find it via the subject /* If we still didn't found it, try to find it via the subject
from the dirmngr-cache. */ from the dirmngr-cache. */
if (gpg_err_code (rc) == GPG_ERR_NOT_FOUND && !find_next) if (gpg_err_code (err) == GPG_ERR_NOT_FOUND && !find_next)
{ {
if (!find_up_dirmngr (ctrl, kh, NULL, issuer, 1)) if (!find_up_dirmngr (ctrl, kh, NULL, issuer, 1))
{ {
int old = keydb_set_ephemeral (kh, 1); int old = keydb_set_ephemeral (kh, 1);
if (keyid) if (keyid)
rc = find_up_search_by_keyid (ctrl, kh, issuer, keyid); err = find_up_search_by_keyid (ctrl, kh, issuer, keyid);
else else
{ {
keydb_search_reset (kh); keydb_search_reset (kh);
rc = keydb_search_subject (ctrl, kh, issuer); err = keydb_search_subject (ctrl, kh, issuer);
} }
keydb_set_ephemeral (kh, old); keydb_set_ephemeral (kh, old);
} }
if (rc) /* Need to make sure to have this error code. */ if (err) /* Need to make sure to have this error code. */
rc = gpg_error (GPG_ERR_NOT_FOUND); err = gpg_error (GPG_ERR_NOT_FOUND);
if (!rc && DBG_X509) if (!err && DBG_X509)
log_debug (" found via authid and issuer from dirmngr cache\n"); log_debug (" found via authid and issuer from dirmngr cache\n");
} }
/* If we still didn't found it, try an external lookup. */ /* If we still didn't found it, try an external lookup. */
if (gpg_err_code (rc) == GPG_ERR_NOT_FOUND if (gpg_err_code (err) == GPG_ERR_NOT_FOUND
&& !find_next && !ctrl->offline) && !find_next && !ctrl->offline)
{ {
/* We allow AIA also if CRLs are enabled; both can be used /* We allow AIA also if CRLs are enabled; both can be used
@ -940,12 +940,12 @@ find_up (ctrl_t ctrl, KEYDB_HANDLE kh,
{ {
if (DBG_X509) if (DBG_X509)
log_debug (" found via authorityInfoAccess.caIssuers\n"); log_debug (" found via authorityInfoAccess.caIssuers\n");
rc = 0; err = 0;
} }
else if (opt.auto_issuer_key_retrieve) else if (opt.auto_issuer_key_retrieve)
{ {
rc = find_up_external (ctrl, kh, issuer, keyid); err = find_up_external (ctrl, kh, issuer, keyid);
if (!rc && DBG_X509) if (!err && DBG_X509)
log_debug (" found via authid and external lookup\n"); log_debug (" found via authid and external lookup\n");
} }
} }
@ -954,9 +954,9 @@ find_up (ctrl_t ctrl, KEYDB_HANDLE kh,
/* Print a note so that the user does not feel too helpless when /* Print a note so that the user does not feel too helpless when
an issuer certificate was found and gpgsm prints BAD an issuer certificate was found and gpgsm prints BAD
signature because it is not the correct one. */ signature because it is not the correct one. */
if (gpg_err_code (rc) == GPG_ERR_NOT_FOUND && opt.quiet) if (gpg_err_code (err) == GPG_ERR_NOT_FOUND && opt.quiet)
; ;
else if (gpg_err_code (rc) == GPG_ERR_NOT_FOUND) else if (gpg_err_code (err) == GPG_ERR_NOT_FOUND)
{ {
log_info ("%sissuer certificate ", find_next?"next ":""); log_info ("%sissuer certificate ", find_next?"next ":"");
if (keyid) if (keyid)
@ -975,16 +975,16 @@ find_up (ctrl_t ctrl, KEYDB_HANDLE kh,
} }
log_printf ("not found using authorityKeyIdentifier\n"); log_printf ("not found using authorityKeyIdentifier\n");
} }
else if (rc) else if (err)
log_error ("failed to find authorityKeyIdentifier: rc=%d\n", rc); log_error ("failed to find authorityKeyIdentifier: err=%d\n", err);
xfree (keyid); xfree (keyid);
ksba_name_release (authid); ksba_name_release (authid);
xfree (authidno); xfree (authidno);
} }
if (rc) /* Not found via authorithyKeyIdentifier, try regular issuer name. */ if (err) /* Not found via authorithyKeyIdentifier, try regular issuer name. */
rc = keydb_search_subject (ctrl, kh, issuer); err = keydb_search_subject (ctrl, kh, issuer);
if (gpg_err_code (rc) == GPG_ERR_NOT_FOUND && !find_next) if (gpg_err_code (err) == GPG_ERR_NOT_FOUND && !find_next)
{ {
int old; int old;
@ -997,33 +997,33 @@ find_up (ctrl_t ctrl, KEYDB_HANDLE kh,
if (!old) if (!old)
{ {
keydb_search_reset (kh); keydb_search_reset (kh);
rc = keydb_search_subject (ctrl, kh, issuer); err = keydb_search_subject (ctrl, kh, issuer);
} }
keydb_set_ephemeral (kh, old); keydb_set_ephemeral (kh, old);
if (!rc && DBG_X509) if (!err && DBG_X509)
log_debug (" found via issuer\n"); log_debug (" found via issuer\n");
} }
/* Still not found. If enabled, try an external lookup. */ /* Still not found. If enabled, try an external lookup. */
if (gpg_err_code (rc) == GPG_ERR_NOT_FOUND && !find_next && !ctrl->offline) if (gpg_err_code (err) == GPG_ERR_NOT_FOUND && !find_next && !ctrl->offline)
{ {
if ((opt.auto_issuer_key_retrieve || !opt.no_crl_check) if ((opt.auto_issuer_key_retrieve || !opt.no_crl_check)
&& !find_up_via_auth_info_access (ctrl, kh, cert)) && !find_up_via_auth_info_access (ctrl, kh, cert))
{ {
if (DBG_X509) if (DBG_X509)
log_debug (" found via authorityInfoAccess.caIssuers\n"); log_debug (" found via authorityInfoAccess.caIssuers\n");
rc = 0; err = 0;
} }
else if (opt.auto_issuer_key_retrieve) else if (opt.auto_issuer_key_retrieve)
{ {
rc = find_up_external (ctrl, kh, issuer, NULL); err = find_up_external (ctrl, kh, issuer, NULL);
if (!rc && DBG_X509) if (!err && DBG_X509)
log_debug (" found via issuer and external lookup\n"); log_debug (" found via issuer and external lookup\n");
} }
} }
return rc; return err;
} }
@ -1032,7 +1032,7 @@ find_up (ctrl_t ctrl, KEYDB_HANDLE kh,
gpg_error_t gpg_error_t
gpgsm_walk_cert_chain (ctrl_t ctrl, ksba_cert_t start, ksba_cert_t *r_next) gpgsm_walk_cert_chain (ctrl_t ctrl, ksba_cert_t start, ksba_cert_t *r_next)
{ {
int rc = 0; gpg_error_t err = 0;
char *issuer = NULL; char *issuer = NULL;
char *subject = NULL; char *subject = NULL;
KEYDB_HANDLE kh = keydb_new (ctrl); KEYDB_HANDLE kh = keydb_new (ctrl);
@ -1041,7 +1041,7 @@ gpgsm_walk_cert_chain (ctrl_t ctrl, ksba_cert_t start, ksba_cert_t *r_next)
if (!kh) if (!kh)
{ {
log_error (_("failed to allocate keyDB handle\n")); log_error (_("failed to allocate keyDB handle\n"));
rc = gpg_error (GPG_ERR_GENERAL); err = gpg_error (GPG_ERR_GENERAL);
goto leave; goto leave;
} }
@ -1050,45 +1050,47 @@ gpgsm_walk_cert_chain (ctrl_t ctrl, ksba_cert_t start, ksba_cert_t *r_next)
if (!issuer) if (!issuer)
{ {
log_error ("no issuer found in certificate\n"); log_error ("no issuer found in certificate\n");
rc = gpg_error (GPG_ERR_BAD_CERT); err = gpg_error (GPG_ERR_BAD_CERT);
goto leave; goto leave;
} }
if (!subject) if (!subject)
{ {
log_error ("no subject found in certificate\n"); log_error ("no subject found in certificate\n");
rc = gpg_error (GPG_ERR_BAD_CERT); err = gpg_error (GPG_ERR_BAD_CERT);
goto leave; goto leave;
} }
if (is_root_cert (start, issuer, subject)) if (is_root_cert (start, issuer, subject))
{ {
rc = gpg_error (GPG_ERR_NOT_FOUND); /* we are at the root */ err = gpg_error (GPG_ERR_NOT_FOUND); /* we are at the root */
goto leave; goto leave;
} }
rc = find_up (ctrl, kh, start, issuer, 0); err = find_up (ctrl, kh, start, issuer, 0);
if (rc) if (err)
{ {
/* It is quite common not to have a certificate, so better don't /* It is quite common not to have a certificate, so better don't
print an error here. */ print an error here. */
if (gpg_err_code (rc) != GPG_ERR_NOT_FOUND && opt.verbose > 1) if (gpg_err_code (err) != GPG_ERR_NOT_FOUND && opt.verbose > 1)
log_error ("failed to find issuer's certificate: rc=%d\n", rc); log_error ("failed to find issuer's certificate: %s <%s>\n",
rc = gpg_error (GPG_ERR_MISSING_ISSUER_CERT); gpg_strerror (err), gpg_strsource (err));
err = gpg_error (GPG_ERR_MISSING_ISSUER_CERT);
goto leave; goto leave;
} }
rc = keydb_get_cert (kh, r_next); err = keydb_get_cert (kh, r_next);
if (rc) if (err)
{ {
log_error ("keydb_get_cert() failed: rc=%d\n", rc); log_error ("keydb_get_cert() failed: %s <%s>\n",
rc = gpg_error (GPG_ERR_GENERAL); gpg_strerror (err), gpg_strsource (err));
err = gpg_error (GPG_ERR_GENERAL);
} }
leave: leave:
xfree (issuer); xfree (issuer);
xfree (subject); xfree (subject);
keydb_release (kh); keydb_release (kh);
return rc; return err;
} }
@ -1569,7 +1571,7 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
for (;;) for (;;)
{ {
int is_root; int is_root;
gpg_error_t istrusted_rc = -1; gpg_error_t istrusted_rc = gpg_error (GPG_ERR_NOT_TRUSTED);
/* Put the certificate on our list. */ /* Put the certificate on our list. */
{ {
@ -1798,7 +1800,7 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
rc = find_up (ctrl, kh, subject_cert, issuer, 0); rc = find_up (ctrl, kh, subject_cert, issuer, 0);
if (rc) if (rc)
{ {
if (rc == -1) if (gpg_err_code (rc) == GPG_ERR_NOT_FOUND)
{ {
do_list (0, listmode, listfp, _("issuer certificate not found")); do_list (0, listmode, listfp, _("issuer certificate not found"));
if (!listmode) if (!listmode)
@ -1809,7 +1811,8 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
} }
} }
else else
log_error ("failed to find issuer's certificate: rc=%d\n", rc); log_error ("failed to find issuer's certificate: %s <%s>\n",
gpg_strerror (rc), gpg_strsource (rc));
rc = gpg_error (GPG_ERR_MISSING_ISSUER_CERT); rc = gpg_error (GPG_ERR_MISSING_ISSUER_CERT);
goto leave; goto leave;
} }
@ -1881,7 +1884,7 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
} }
is_root = gpgsm_is_root_cert (issuer_cert); is_root = gpgsm_is_root_cert (issuer_cert);
istrusted_rc = -1; istrusted_rc = gpg_error (GPG_ERR_NOT_TRUSTED);
/* Check that a CA is allowed to issue certificates. */ /* Check that a CA is allowed to issue certificates. */
@ -2227,14 +2230,15 @@ gpgsm_basic_cert_check (ctrl_t ctrl, ksba_cert_t cert)
rc = find_up (ctrl, kh, cert, issuer, 0); rc = find_up (ctrl, kh, cert, issuer, 0);
if (rc) if (rc)
{ {
if (rc == -1) if (gpg_err_code (rc) == GPG_ERR_NOT_FOUND)
{ {
log_info ("issuer certificate (#/"); log_info ("issuer certificate (#/");
gpgsm_dump_string (issuer); gpgsm_dump_string (issuer);
log_printf (") not found\n"); log_printf (") not found\n");
} }
else else
log_error ("failed to find issuer's certificate: rc=%d\n", rc); log_error ("failed to find issuer's certificate: %s <%s>\n",
gpg_strerror (rc), gpg_strsource (rc));
rc = gpg_error (GPG_ERR_MISSING_ISSUER_CERT); rc = gpg_error (GPG_ERR_MISSING_ISSUER_CERT);
goto leave; goto leave;
} }
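Review bot: The `log_error ("failed to find authorityKeyIdentifier: err=%d\n", err);` call at the end of the authorityKeyIdentifier block in find_up still prints the raw error value, and it uses `%d` although `err` is now a `gpg_error_t` (an unsigned type in libgpg-error), so the log shows an opaque number that mixes source and code bits. The other three logging sites touched by this commit were converted to text, so this one should match them: `log_error ("failed to find authorityKeyIdentifier: %s <%s>\n", gpg_strerror (err), gpg_strsource (err));`. Separately, since find_up and `istrusted_rc` no longer use -1, any comparison against -1 outside the visible hunks would presumably stop matching and should be switched to `gpg_err_code ()`. Only the two `rc == -1` tests in do_validate_chain and gpgsm_basic_cert_check are visibly converted here.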