authorsangwan.kwon <sangwan.kwon@samsung.com>2016-07-29 15:41:26 +0900
committersangwan.kwon <sangwan.kwon@samsung.com>2016-08-01 13:42:07 +0900
commitf732baaeb6fc2e9872696cb381b90b8c523d0c53 (patch)
treef60b7f7af36fd3892dfbbb9e5934ea6ca4b4cc71
parent0f64042b733dfc42709af8a38d21679060c239af (diff)
Replace vulnerable function to thread safety
* rand() -> rand_r()
* strcpy() -> strncpy()
* sprintf() -> snprintf()
* strerror() -> strerror_r()

Change-Id: Ib6d91ac0f5c75a54b3be5546ba281c53b1844828
Signed-off-by: sangwan.kwon <sangwan.kwon@samsung.com>
-rw-r--r--src/errors.c2
-rw-r--r--src/io.c8
-rw-r--r--src/openssl/app.c3
-rw-r--r--src/templates.c2
-rw-r--r--src/transforms.c2
-rw-r--r--src/xmldsig.c330
-rw-r--r--src/xmltree.c4
-rw-r--r--src/xpath.c7
8 files changed, 181 insertions, 177 deletions
diff --git a/src/errors.c b/src/errors.c
index 1c7e989e..2cb0801d 100644
--- a/src/errors.c
+++ b/src/errors.c
@@ -236,7 +236,7 @@ xmlSecError(const char* file, int line, const char* func,
for(i = 0; (i < XMLSEC_ERRORS_MAX_NUMBER) && (xmlSecErrorsGetMsg(i) != NULL); ++i) {
if(xmlSecErrorsGetCode(i) == reason) {
e_msg = xmlSecErrorsGetMsg(i);
- sprintf(error_msg , "%s] [", e_msg);
+ snprintf(error_msg, sizeof(error_msg), "%s] [", e_msg);
len = strlen(error_msg);
break;
}
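Review bot: `sizeof(error_msg)` bounds this write only if `error_msg` is a true array inside xmlSecError; its declaration is outside the hunk, and if it is a pointer the limit silently becomes the pointer size. The return value of `snprintf` is also discarded, so a truncated message goes unnoticed and `len` is then recomputed with `strlen`. I would keep the result in an int, `n = snprintf(error_msg, sizeof(error_msg), "%s] [", e_msg);`, and treat `n < 0 || (size_t)n >= sizeof(error_msg)` as truncation before using it as the length.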
diff --git a/src/io.c b/src/io.c
index ee538d3d..dcebfc01 100644
--- a/src/io.c
+++ b/src/io.c
@@ -33,6 +33,8 @@
#include <xmlsec/io.h>
#include <xmlsec/errors.h>
+#define ERR_BUF_SIZE 1024
+
/*******************************************************************
*
* Input I/O callback sets
@@ -419,6 +421,7 @@ xmlSecTransformInputURIOpen(xmlSecTransformPtr transform, const xmlChar *uri) {
}
}
+ char buf[ERR_BUF_SIZE];
if((ctx->clbks == NULL) || (ctx->clbksCtx == NULL)) {
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
@@ -426,7 +429,7 @@ xmlSecTransformInputURIOpen(xmlSecTransformPtr transform, const xmlChar *uri) {
XMLSEC_ERRORS_R_IO_FAILED,
"uri=%s;error=%s",
xmlSecErrorsSafeString(uri),
- strerror(errno));
+ strerror_r(errno, buf, sizeof(buf)));
return(-1);
}
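Review bot: Passing the result of `strerror_r()` straight to the `%s` argument is valid only with the GNU variant, which returns `char *`; the XSI/POSIX variant returns `int`, and on such a build this line hands an integer to `%s`, which is undefined behaviour. Which variant is selected depends on feature-test macros that are not visible in this diff. I would call it before `xmlSecError` and pass a pointer that is valid for the build: with XSI `if(strerror_r(errno, buf, sizeof(buf)) != 0) buf[0] = '\0';` and then `buf`, with GNU the returned pointer (which may not be `buf`). The same applies to the `readcallback` error path in xmlSecTransformInputURIPopBin in the next hunk. In xmlSecTransformInputURIOpen the `char buf[ERR_BUF_SIZE];` declaration also lands after statements, which matters if this file is still expected to build as C89.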
@@ -519,11 +522,12 @@ xmlSecTransformInputURIPopBin(xmlSecTransformPtr transform, xmlSecByte* data,
if((ctx->clbksCtx != NULL) && (ctx->clbks != NULL) && (ctx->clbks->readcallback != NULL)) {
ret = (ctx->clbks->readcallback)(ctx->clbksCtx, (char*)data, (int)maxDataSize);
if(ret < 0) {
+ char buf[ERR_BUF_SIZE];
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
"readcallback",
XMLSEC_ERRORS_R_IO_FAILED,
- "error=%s", strerror(errno));
+ "error=%s", strerror_r(errno, buf, sizeof(buf)));
return(-1);
}
(*dataSize) = ret;
diff --git a/src/openssl/app.c b/src/openssl/app.c
index 373e03a8..8e519883 100644
--- a/src/openssl/app.c
+++ b/src/openssl/app.c
@@ -1631,7 +1631,8 @@ xmlSecOpenSSLDummyPasswordCallback(char *buf, int bufsize,
return(-1);
}
- strcpy(buf, password);
+ strncpy(buf, password, strlen(password) + 1);
+
return (strlen(buf));
}
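Review bot: `strncpy(buf, password, strlen(password) + 1)` takes its bound from the source string, so it copies exactly what `strcpy` did and never consults `bufsize`; a password longer than the caller's buffer still overflows it. The limit has to come from the destination: `if(bufsize <= 0 || strlen(password) >= (size_t)bufsize) return(-1);` before the copy, after which `memcpy(buf, password, strlen(password) + 1);` is sufficient. The earlier part of xmlSecOpenSSLDummyPasswordCallback is outside the hunk, so if a length check against `bufsize` already exists there, the remaining issue is only that the new call suggests a bound it does not provide.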
diff --git a/src/templates.c b/src/templates.c
index 374917c9..8764da40 100644
--- a/src/templates.c
+++ b/src/templates.c
@@ -1772,7 +1772,7 @@ xmlSecTmplTransformAddHmacOutputLength(xmlNodePtr transformNode, xmlSecSize bits
return(-1);
}
- sprintf(buf, "%u", bitsLen);
+ snprintf(buf, sizeof(buf), "%u", bitsLen);
xmlNodeSetContent(cur, BAD_CAST buf);
return(0);
}
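Review bot: `bitsLen` is an `xmlSecSize` but is formatted with `%u`; if that type is `size_t` on this build (its definition is not in the diff), the specifier does not match the argument on LP64 targets. `snprintf(buf, sizeof(buf), "%lu", (unsigned long)bitsLen);` is correct for either definition. `sizeof(buf)` also assumes `buf` is a local array, whose declaration is outside the hunk.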
diff --git a/src/transforms.c b/src/transforms.c
index b1f16f74..2761929f 100644
--- a/src/transforms.c
+++ b/src/transforms.c
@@ -925,7 +925,7 @@ xmlSecTransformCtxSetUri(xmlSecTransformCtxPtr ctx, const xmlChar* uri, xmlNodeP
"size=%d", size);
return(-1);
}
- sprintf((char*)buf, tmpl, xptr + 1);
+ snprintf((char*)buf, size * sizeof(xmlChar), tmpl, xptr + 1);
xptr = buf;
nodeSetType = xmlSecNodeSetTreeWithoutComments;
}
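Review bot: The result of `snprintf` is ignored, so if `size` was ever computed too small the XPointer expression is now silently cut short and then evaluated, where the old code would have overflowed. For a signature reference, a shortened expression can select a different node set than the one the URI names, so truncation should fail the call rather than continue. I would keep the result in an int and reject it, `n = snprintf((char*)buf, size * sizeof(xmlChar), tmpl, xptr + 1);` followed by `if((n < 0) || (n >= size)) { /* report, release buf */ return(-1); }`. The allocation of `buf` and the definition of `tmpl` are outside the hunk, so the release and the error report should follow what the surrounding code already does.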
diff --git a/src/xmldsig.c b/src/xmldsig.c
index 1c45fd0e..7d8760b7 100644
--- a/src/xmldsig.c
+++ b/src/xmldsig.c
@@ -1657,7 +1657,7 @@ xmlSecDSigReferenceCtxProcessNode(xmlSecDSigReferenceCtxPtr dsigRefCtx, xmlNodeP
/* finally get transforms results */
ret = xmlSecTransformCtxExecute(transformCtx, node->doc);
if(ret < 0) {
- sprintf(logMsg, "uri:%s", (char*)dsigRefCtx->uri);
+ snprintf(logMsg, sizeof(logMsg), "uri:%s", (char*)dsigRefCtx->uri);
logMsg[strlen(dsigRefCtx->uri)+5] = '\0';
xmlSecError(XMLSEC_ERRORS_HERE,
NULL,
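Review bot: The line after the new `snprintf`, `logMsg[strlen(dsigRefCtx->uri)+5] = '\0';`, still indexes `logMsg` by the length of the URI rather than by the buffer size, so a Reference URI longer than `logMsg` writes a NUL past the end of the array even though the formatted write is now bounded. `snprintf` already terminates the buffer, so the line can simply be deleted. It also calls `strlen` on `dsigRefCtx->uri` without a NULL check; in xmlSecDSigReferenceCtxProcessNodeEx that value is read with `xmlGetProp`, which returns NULL when the attribute is absent. The same pair of lines appears in the next hunk of xmlSecDSigReferenceCtxProcessNode and twice in the large xmlSecDSigReferenceCtxProcessNodeEx hunk.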
@@ -1690,7 +1690,7 @@ xmlSecDSigReferenceCtxProcessNode(xmlSecDSigReferenceCtxPtr dsigRefCtx, xmlNodeP
ret = xmlSecTransformVerifyNodeContent(dsigRefCtx->digestMethod,
digestValueNode, transformCtx);
if(ret < 0) {
- sprintf(logMsg, "uri:%s", (char*)dsigRefCtx->uri);
+ snprintf(logMsg, sizeof(logMsg), "uri:%s", (char*)dsigRefCtx->uri);
logMsg[strlen(dsigRefCtx->uri)+5] = '\0';
xmlSecError(XMLSEC_ERRORS_HERE,
NULL,
@@ -1928,7 +1928,8 @@ xmlSecDSigCtxProcessSignatureNodeEx (xmlSecDSigCtxPtr dsigCtx, xmlNodePtr node,
_start
xmlSecAssert2(dsigCtx != NULL, -1);
- xmlSecAssert2((dsigCtx->operation == xmlSecTransformOperationSign) || (dsigCtx->operation == xmlSecTransformOperationVerify), -1);
+ xmlSecAssert2((dsigCtx->operation == xmlSecTransformOperationSign) ||
+ (dsigCtx->operation == xmlSecTransformOperationVerify), -1);
xmlSecAssert2(dsigCtx->status == xmlSecDSigStatusUnknown, -1);
xmlSecAssert2(dsigCtx->signValueNode == NULL, -1);
xmlSecAssert2(dsigCtx->signMethod == NULL, -1);
@@ -1943,7 +1944,7 @@ xmlSecDSigCtxProcessSignatureNodeEx (xmlSecDSigCtxPtr dsigCtx, xmlNodePtr node,
"expected=%s",
xmlSecErrorsSafeString(xmlSecNodeSignature));
return(-1);
- }
+ }
/* read node data */
xmlSecAssert2(dsigCtx->id == NULL, -1);
@@ -2132,7 +2133,7 @@ xmlSecDSigCtxProcessSignedInfoNodeEx(xmlSecDSigCtxPtr dsigCtx, xmlNodePtr node,
ret = -1;
goto error;
}
- } else if(dsigCtx->defC14NMethodId != xmlSecTransformIdUnknown) {
+ } else if(dsigCtx->defC14NMethodId != xmlSecTransformIdUnknown) {
/* the dsig spec does require CanonicalizationMethod node
* to be present but in some case it application might decide to
* minimize traffic */
@@ -2228,47 +2229,47 @@ xmlSecDSigCtxProcessSignedInfoNodeEx(xmlSecDSigCtxPtr dsigCtx, xmlNodePtr node,
XMLSEC_ERRORS_NO_MESSAGE);
ret = -1;
goto error;
- }
-
- /* add to the list */
- ret = xmlSecPtrListAdd(&(dsigCtx->signedInfoReferences), dsigRefCtx);
- if(ret < 0) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- NULL,
- "xmlSecPtrListAdd",
- XMLSEC_ERRORS_R_XMLSEC_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
- xmlSecDSigReferenceCtxDestroy(dsigRefCtx);
- ret = -1;
- goto error;
}
- /* process */
- if(noHash != 1){ //if 0, then partial ///if 1, then no_hash
- ret = xmlSecDSigReferenceCtxProcessNodeEx(dsigRefCtx, cur, noHash, pList);
+ /* add to the list */
+ ret = xmlSecPtrListAdd(&(dsigCtx->signedInfoReferences), dsigRefCtx);
if(ret < 0) {
xmlSecError(XMLSEC_ERRORS_HERE,
NULL,
- "xmlSecDSigReferenceCtxProcessNode",
+ "xmlSecPtrListAdd",
XMLSEC_ERRORS_R_XMLSEC_FAILED,
- "node=%s",
- xmlSecErrorsSafeString(xmlSecNodeGetName(cur)));
-
+ XMLSEC_ERRORS_NO_MESSAGE);
+ xmlSecDSigReferenceCtxDestroy(dsigRefCtx);
ret = -1;
goto error;
+ }
+
+ /* process */
+ if(noHash != 1) { //if 0, then partial ///if 1, then no_hash
+ ret = xmlSecDSigReferenceCtxProcessNodeEx(dsigRefCtx, cur, noHash, pList);
+ if(ret < 0) {
+ xmlSecError(XMLSEC_ERRORS_HERE,
+ NULL,
+ "xmlSecDSigReferenceCtxProcessNode",
+ XMLSEC_ERRORS_R_XMLSEC_FAILED,
+ "node=%s",
+ xmlSecErrorsSafeString(xmlSecNodeGetName(cur)));
+
+ ret = -1;
+ goto error;
}
- }
+ }
- dsigRefCtx->status = xmlSecDSigStatusSucceeded;
+ dsigRefCtx->status = xmlSecDSigStatusSucceeded;
- /* bail out if next Reference processing failed */
- if(dsigRefCtx->status != xmlSecDSigStatusSucceeded) {
- xmlSecError(XMLSEC_ERRORS_HERE, NULL, NULL, XMLSEC_ERRORS_MAX_NUMBER, "###### false");
- dsigCtx->status = xmlSecDSigStatusInvalid;
- ret = -1;
- goto error;
+ /* bail out if next Reference processing failed */
+ if(dsigRefCtx->status != xmlSecDSigStatusSucceeded) {
+ xmlSecError(XMLSEC_ERRORS_HERE, NULL, NULL, XMLSEC_ERRORS_MAX_NUMBER, "###### false");
+ dsigCtx->status = xmlSecDSigStatusInvalid;
+ ret = -1;
+ goto error;
}
- cur = xmlSecGetNextElementNode(cur->next);
+ cur = xmlSecGetNextElementNode(cur->next);
}
/* check that we have at least one Reference */
@@ -2280,7 +2281,7 @@ xmlSecDSigCtxProcessSignedInfoNodeEx(xmlSecDSigCtxPtr dsigCtx, xmlNodePtr node,
XMLSEC_ERRORS_NO_MESSAGE);
ret = -1;
goto error;
- }
+ }
/* if there is something left than it's an error */
if(cur != NULL) {
@@ -2291,7 +2292,7 @@ xmlSecDSigCtxProcessSignedInfoNodeEx(xmlSecDSigCtxPtr dsigCtx, xmlNodePtr node,
XMLSEC_ERRORS_NO_MESSAGE);
ret = -1;
goto error;
- }
+ }
_end
error:
return(ret);
@@ -2321,28 +2322,27 @@ xmlSecDSigReferenceCtxProcessNodeEx(xmlSecDSigReferenceCtxPtr dsigRefCtx, xmlNod
transformCtx = &(dsigRefCtx->transformCtx);
- if(pList == NULL){
+ if(pList == NULL) {
xmlSecError(XMLSEC_ERRORS_HERE,
NULL,
NULL,
XMLSEC_ERRORS_R_UNEXPECTED_NODE,
XMLSEC_ERRORS_NO_MESSAGE);
return(-1);
- }
+ }
/* read attributes first */
dsigRefCtx->uri = xmlGetProp(node, xmlSecAttrURI);
- while(pNextTmp[i] != NULL)
- {
- len = strlen(pNextTmp[i]);
- cmpResult = strncmp((const char *)dsigRefCtx->uri, (const char *)pNextTmp[i], len);
- if( cmpResult == 0 ) {
- sprintf(logMsg, "uri: %s", (char*)pNextTmp[i]);
- xmlSecError(XMLSEC_ERRORS_HERE, NULL, NULL, XMLSEC_ERRORS_MAX_NUMBER, logMsg);
- break;
- }
- ++i;
+ while(pNextTmp[i] != NULL) {
+ len = strlen(pNextTmp[i]);
+ cmpResult = strncmp((const char *)dsigRefCtx->uri, (const char *)pNextTmp[i], len);
+ if(cmpResult == 0) {
+ snprintf(logMsg, sizeof(logMsg), "uri: %s", (char*)pNextTmp[i]);
+ xmlSecError(XMLSEC_ERRORS_HERE, NULL, NULL, XMLSEC_ERRORS_MAX_NUMBER, logMsg);
+ break;
+ }
+ ++i;
}
if(cmpResult != 0) {
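Review bot: `logMsg` is passed to `xmlSecError` in the position of the format string, and it contains `pNextTmp[i]` verbatim, so any `%` in that value is interpreted as a conversion. Other calls in this commit show that this parameter is printf-style (`"uri=%s;error=%s", ...`), so the intermediate buffer is unnecessary: `xmlSecError(XMLSEC_ERRORS_HERE, NULL, NULL, XMLSEC_ERRORS_MAX_NUMBER, "uri: %s", (char*)pNextTmp[i]);`. The later `logMsg` error reports in this function and in xmlSecDSigReferenceCtxProcessNode, which embed `dsigRefCtx->uri` taken from the document, should be changed the same way. Separately, `dsigRefCtx->uri` goes into `strncmp` right after `xmlGetProp` without a NULL check, and the comparison is a prefix match over `len` bytes, so a URI that merely begins with a listed entry is accepted; please confirm that is intended.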
@@ -2363,31 +2363,30 @@ xmlSecDSigReferenceCtxProcessNodeEx(xmlSecDSigReferenceCtxPtr dsigRefCtx, xmlNod
"uri=%s",
xmlSecErrorsSafeString(dsigRefCtx->uri));
return(-1);
- }
+ }
/* first is optional Transforms node */
cur = xmlSecGetNextElementNode(node->children);
if((cur != NULL) && (xmlSecCheckNodeName(cur, xmlSecNodeTransforms, xmlSecDSigNs))) {
- ret = xmlSecTransformCtxNodesListRead(transformCtx,
- cur, xmlSecTransformUsageDSigTransform);
- if(ret < 0) {
- xmlSecError(XMLSEC_ERRORS_HERE,
+ ret = xmlSecTransformCtxNodesListRead(transformCtx,
+ cur, xmlSecTransformUsageDSigTransform);
+ if(ret < 0) {
+ xmlSecError(XMLSEC_ERRORS_HERE,
NULL,
- "xmlSecTransformCtxNodesListRead",
+ "xmlSecTransformCtxNodesListRead",
XMLSEC_ERRORS_R_XMLSEC_FAILED,
"node=%s",
xmlSecErrorsSafeString(xmlSecNodeGetName(cur)));
return(-1);
- }
-
- cur = xmlSecGetNextElementNode(cur->next);
- }
+ }
+ cur = xmlSecGetNextElementNode(cur->next);
+ }
/* insert membuf if requested */
if(((dsigRefCtx->origin == xmlSecDSigReferenceOriginSignedInfo) &&
- ((dsigRefCtx->dsigCtx->flags & XMLSEC_DSIG_FLAGS_STORE_SIGNEDINFO_REFERENCES) != 0)) ||
- ((dsigRefCtx->origin == xmlSecDSigReferenceOriginManifest) &&
- ((dsigRefCtx->dsigCtx->flags & XMLSEC_DSIG_FLAGS_STORE_MANIFEST_REFERENCES) != 0))) {
+ ((dsigRefCtx->dsigCtx->flags & XMLSEC_DSIG_FLAGS_STORE_SIGNEDINFO_REFERENCES) != 0)) ||
+ ((dsigRefCtx->origin == xmlSecDSigReferenceOriginManifest) &&
+ ((dsigRefCtx->dsigCtx->flags & XMLSEC_DSIG_FLAGS_STORE_MANIFEST_REFERENCES) != 0))) {
xmlSecAssert2(dsigRefCtx->preDigestMemBufMethod == NULL, -1);
dsigRefCtx->preDigestMemBufMethod = xmlSecTransformCtxCreateAndAppend(
transformCtx,
@@ -2400,8 +2399,8 @@ xmlSecDSigReferenceCtxProcessNodeEx(xmlSecDSigReferenceCtxPtr dsigRefCtx, xmlNod
"transform=%s",
xmlSecErrorsSafeString(xmlSecTransformKlassGetName(xmlSecTransformMemBufId)));
return(-1);
- }
}
+ }
/* next node is required DigestMethod. */
if((cur != NULL) && (xmlSecCheckNodeName(cur, xmlSecNodeDigestMethod, xmlSecDSigNs))) {
@@ -2415,140 +2414,139 @@ xmlSecDSigReferenceCtxProcessNodeEx(xmlSecDSigReferenceCtxPtr dsigRefCtx, xmlNod
"node=%s",
xmlSecErrorsSafeString(xmlSecNodeGetName(cur)));
return(-1);
- }
- cur = xmlSecGetNextElementNode(cur->next);
- } else if(dsigRefCtx->dsigCtx->defSignMethodId != xmlSecTransformIdUnknown) {
- /* the dsig spec does require DigestMethod node
- * to be present but in some case it application might decide to
- * minimize traffic */
- dsigRefCtx->digestMethod = xmlSecTransformCtxCreateAndAppend(&(dsigRefCtx->transformCtx),
- dsigRefCtx->dsigCtx->defSignMethodId);
- if(dsigRefCtx->digestMethod == NULL) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- NULL,
- "xmlSecTransformCtxAppend",
- XMLSEC_ERRORS_R_XMLSEC_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
- return(-1);
- }
- } else {
+ }
+ cur = xmlSecGetNextElementNode(cur->next);
+ } else if(dsigRefCtx->dsigCtx->defSignMethodId != xmlSecTransformIdUnknown) {
+ /* the dsig spec does require DigestMethod node
+ * to be present but in some case it application might decide to
+ * minimize traffic */
+ dsigRefCtx->digestMethod = xmlSecTransformCtxCreateAndAppend(&(dsigRefCtx->transformCtx),
+ dsigRefCtx->dsigCtx->defSignMethodId);
+ if(dsigRefCtx->digestMethod == NULL) {
xmlSecError(XMLSEC_ERRORS_HERE,
NULL,
- xmlSecErrorsSafeString(xmlSecNodeGetName(cur)),
- XMLSEC_ERRORS_R_INVALID_NODE,
- "expected=%s",
- xmlSecErrorsSafeString(xmlSecNodeDigestMethod));
+ "xmlSecTransformCtxAppend",
+ XMLSEC_ERRORS_R_XMLSEC_FAILED,
+ XMLSEC_ERRORS_NO_MESSAGE);
return(-1);
}
+ } else {
+ xmlSecError(XMLSEC_ERRORS_HERE,
+ NULL,
+ xmlSecErrorsSafeString(xmlSecNodeGetName(cur)),
+ XMLSEC_ERRORS_R_INVALID_NODE,
+ "expected=%s",
+ xmlSecErrorsSafeString(xmlSecNodeDigestMethod));
+ return(-1);
+ }
- dsigRefCtx->digestMethod->operation = dsigRefCtx->dsigCtx->operation;
+ dsigRefCtx->digestMethod->operation = dsigRefCtx->dsigCtx->operation;
- /* last node is required DigestValue */
- if((cur != NULL) && (xmlSecCheckNodeName(cur, xmlSecNodeDigestValue, xmlSecDSigNs))) {
- digestValueNode = cur;
- cur = xmlSecGetNextElementNode(cur->next);
- } else {
+ /* last node is required DigestValue */
+ if((cur != NULL) && (xmlSecCheckNodeName(cur, xmlSecNodeDigestValue, xmlSecDSigNs))) {
+ digestValueNode = cur;
+ cur = xmlSecGetNextElementNode(cur->next);
+ } else {
+ xmlSecError(XMLSEC_ERRORS_HERE,
+ NULL,
+ xmlSecErrorsSafeString(xmlSecNodeGetName(cur)),
+ XMLSEC_ERRORS_R_XMLSEC_FAILED,
+ "node=%s",
+ xmlSecErrorsSafeString(xmlSecNodeDigestValue));
+ return(-1);
+ }
+
+ /* if we have something else then it's an error */
+ if(cur != NULL) {
+ xmlSecError(XMLSEC_ERRORS_HERE,
+ NULL,
+ xmlSecErrorsSafeString(xmlSecNodeGetName(cur)),
+ XMLSEC_ERRORS_R_UNEXPECTED_NODE,
+ XMLSEC_ERRORS_NO_MESSAGE);
+ return(-1);
+ }
+
+ /* if we need to write result to xml node then we need base64 encode result */
+ if(dsigRefCtx->dsigCtx->operation == xmlSecTransformOperationSign) {
+ xmlSecTransformPtr base64Encode;
+
+ /* we need to add base64 encode transform */
+ base64Encode = xmlSecTransformCtxCreateAndAppend(transformCtx, xmlSecTransformBase64Id);
+ if(base64Encode == NULL) {
xmlSecError(XMLSEC_ERRORS_HERE,
NULL,
- xmlSecErrorsSafeString(xmlSecNodeGetName(cur)),
+ "xmlSecTransformCtxCreateAndAppend",
XMLSEC_ERRORS_R_XMLSEC_FAILED,
- "node=%s",
- xmlSecErrorsSafeString(xmlSecNodeDigestValue));
+ XMLSEC_ERRORS_NO_MESSAGE);
return(-1);
}
+ base64Encode->operation = xmlSecTransformOperationEncode;
+ }
- /* if we have something else then it's an error */
- if(cur != NULL) {
+ /* finally get transforms results */
+ ret = xmlSecTransformCtxExecute(transformCtx, node->doc);
+ if(ret < 0) {
+ snprintf(logMsg, sizeof(logMsg), "uri:%s", (char*)dsigRefCtx->uri);
+ logMsg[strlen(dsigRefCtx->uri)+5] = '\0';
+ xmlSecError(XMLSEC_ERRORS_HERE,
+ NULL,
+ "xmlSecTransformCtxExecute",
+ XMLSEC_ERRORS_R_XMLSEC_FAILED,
+ logMsg);
+ return(-1);
+ }
+
+ dsigRefCtx->result = transformCtx->result;
+
+ if(dsigRefCtx->dsigCtx->operation == xmlSecTransformOperationSign) {
+ if((dsigRefCtx->result == NULL) || (xmlSecBufferGetData(dsigRefCtx->result) == NULL)) {
xmlSecError(XMLSEC_ERRORS_HERE,
NULL,
- xmlSecErrorsSafeString(xmlSecNodeGetName(cur)),
- XMLSEC_ERRORS_R_UNEXPECTED_NODE,
+ "xmlSecTransformCtxExecute",
+ XMLSEC_ERRORS_R_XMLSEC_FAILED,
XMLSEC_ERRORS_NO_MESSAGE);
return(-1);
- }
-
- /* if we need to write result to xml node then we need base64 encode result */
- if(dsigRefCtx->dsigCtx->operation == xmlSecTransformOperationSign) {
- xmlSecTransformPtr base64Encode;
-
- /* we need to add base64 encode transform */
- base64Encode = xmlSecTransformCtxCreateAndAppend(transformCtx, xmlSecTransformBase64Id);
- if(base64Encode == NULL) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- NULL,
- "xmlSecTransformCtxCreateAndAppend",
- XMLSEC_ERRORS_R_XMLSEC_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
- return(-1);
- }
- base64Encode->operation = xmlSecTransformOperationEncode;
}
- /* finally get transforms results */
- ret = xmlSecTransformCtxExecute(transformCtx, node->doc);
+ /* write signed data to xml */
+ xmlNodeSetContentLen(digestValueNode,
+ xmlSecBufferGetData(dsigRefCtx->result),
+ xmlSecBufferGetSize(dsigRefCtx->result));
+
+ /* set success status and we are done */
+ dsigRefCtx->status = xmlSecDSigStatusSucceeded;
+ } else {
+ /* verify SignatureValue node content */
+ ret = xmlSecTransformVerifyNodeContent(dsigRefCtx->digestMethod,
+ digestValueNode, transformCtx);
if(ret < 0) {
- sprintf(logMsg, "uri:%s", (char*)dsigRefCtx->uri);
- logMsg[strlen(dsigRefCtx->uri)+5] = '\0';
- xmlSecError(XMLSEC_ERRORS_HERE,
- NULL,
- "xmlSecTransformCtxExecute",
- XMLSEC_ERRORS_R_XMLSEC_FAILED,
- logMsg);
- return(-1);
+ snprintf(logMsg, sizeof(logMsg), "uri:%s", (char*)dsigRefCtx->uri);
+ logMsg[strlen(dsigRefCtx->uri)+5] = '\0';
+ xmlSecError(XMLSEC_ERRORS_HERE,
+ NULL,
+ "xmlSecTransformVerifyNodeContent",
+ XMLSEC_ERRORS_R_XMLSEC_FAILED, logMsg);
+ return(-1);
}
- dsigRefCtx->result = transformCtx->result;
-
- if(dsigRefCtx->dsigCtx->operation == xmlSecTransformOperationSign) {
- if((dsigRefCtx->result == NULL) || (xmlSecBufferGetData(dsigRefCtx->result) == NULL)) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- NULL,
- "xmlSecTransformCtxExecute",
- XMLSEC_ERRORS_R_XMLSEC_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
- return(-1);
- }
-
- /* write signed data to xml */
- xmlNodeSetContentLen(digestValueNode,
- xmlSecBufferGetData(dsigRefCtx->result),
- xmlSecBufferGetSize(dsigRefCtx->result));
-
- /* set success status and we are done */
+ /* set status and we are done */
+ if(dsigRefCtx->digestMethod->status == xmlSecTransformStatusOk) {
dsigRefCtx->status = xmlSecDSigStatusSucceeded;
} else {
- /* verify SignatureValue node content */
- ret = xmlSecTransformVerifyNodeContent(dsigRefCtx->digestMethod,
- digestValueNode, transformCtx);
- if(ret < 0) {
- sprintf(logMsg, "uri:%s", (char*)dsigRefCtx->uri);
- logMsg[strlen(dsigRefCtx->uri)+5] = '\0';
- xmlSecError(XMLSEC_ERRORS_HERE,
- NULL,
- "xmlSecTransformVerifyNodeContent",
- XMLSEC_ERRORS_R_XMLSEC_FAILED, logMsg);
- return(-1);
- }
-
- /* set status and we are done */
- if(dsigRefCtx->digestMethod->status == xmlSecTransformStatusOk) {
- dsigRefCtx->status = xmlSecDSigStatusSucceeded;
- } else {
- dsigRefCtx->status = xmlSecDSigStatusInvalid;
- }
+ dsigRefCtx->status = xmlSecDSigStatusInvalid;
}
+ }
- if(dsigRefCtx->digestMethod->status == xmlSecTransformStatusOk) {
- dsigRefCtx->status = xmlSecDSigStatusSucceeded;
- }
+ if(dsigRefCtx->digestMethod->status == xmlSecTransformStatusOk) {
+ dsigRefCtx->status = xmlSecDSigStatusSucceeded;
+ }
- _end
+ _end
partial:
return(0);
}
-
/**************************************************************************
*
* xmlSecDSigReferenceCtxListKlass
@@ -2575,5 +2573,3 @@ xmlSecDSigReferenceCtxListGetKlass(void) {
}
#endif /* XMLSEC_NO_XMLDSIG */
-
-
diff --git a/src/xmltree.c b/src/xmltree.c
index 7084f696..a675cbc9 100644
--- a/src/xmltree.c
+++ b/src/xmltree.c
@@ -13,6 +13,7 @@
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
+#include <time.h>
#include <errno.h>
#include <libxml/tree.h>
@@ -793,8 +794,9 @@ xmlSecGenerateID(const xmlChar* prefix, xmlSecSize len) {
xmlSecAssert2(xmlSecBufferGetSize(&buffer) == binLen, NULL);
/* create random bytes */
+ unsigned int seed = time(NULL);
for(i = 0; i < binLen; i++) {
- (xmlSecBufferGetData(&buffer)) [i] = (xmlSecByte) (256.0 * rand() / (RAND_MAX + 1.0));
+ (xmlSecBufferGetData(&buffer)) [i] = (xmlSecByte) (256.0 * rand_r(&seed) / (RAND_MAX + 1.0));
}
/* base64 encode random bytes */
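Review bot: Seeding a fresh `rand_r` state from `time(NULL)` on every call makes xmlSecGenerateID produce the same byte sequence for every call made within the same second, which the shared `rand()` state did not do. Two IDs generated back to back with the same prefix and length would then be identical, and ID attributes are what signature references resolve against; the value is also derivable from the clock, so it must not be treated as unguessable. The seed should be initialised once and kept across calls (per thread), or the bytes should come from the crypto backend's random source. At minimum I would add `/* IDs are unique only if the seed state persists between calls; they are not secret */` above the loop. The start and end of the function are outside the hunk, and `unsigned int seed` is declared after statements, which matters if this file still builds as C89.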
diff --git a/src/xpath.c b/src/xpath.c
index 8b0cf799..2419f133 100644
--- a/src/xpath.c
+++ b/src/xpath.c
@@ -605,8 +605,9 @@ xmlSecTransformXPathNodeRead(xmlSecTransformPtr transform, xmlNodePtr node, xmlS
/* create full XPath expression */
xmlSecAssert2(data->expr != NULL, -1);
- tmp = (xmlChar*) xmlMalloc(sizeof(xmlChar) * (xmlStrlen(data->expr) +
- strlen(xpathPattern) + 1));
+ size_t tmpSize = sizeof(xmlChar) * (xmlStrlen(data->expr) +
+ strlen(xpathPattern) + 1);
+ tmp = (xmlChar*) xmlMalloc(tmpSize);
if(tmp == NULL) {
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
@@ -616,7 +617,7 @@ xmlSecTransformXPathNodeRead(xmlSecTransformPtr transform, xmlNodePtr node, xmlS
(int)(xmlStrlen(data->expr) + strlen(xpathPattern) + 1));
return(-1);
}
- sprintf((char*)tmp, xpathPattern, (char*)data->expr);
+ snprintf((char*)tmp, tmpSize, xpathPattern, (char*)data->expr);
xmlFree(data->expr);
data->expr = tmp;