Bug Summary

File:s/cmd/p7verify/p7verify.c
Warning:line 182, column 13
Although the value stored to 'status' is used in the enclosing expression, the value is never actually read from 'status'

Annotated Source Code


clang -cc1 -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name p7verify.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -analyzer-config-compatibility-mode=true -mrelocation-model pic -pic-level 2 -fhalf-no-semantic-interposition -mframe-pointer=all -fmath-errno -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fdebug-compilation-dir=/var/lib/jenkins/workspace/nss-scan-build/nss/cmd/p7verify -ffunction-sections -fdata-sections -fcoverage-compilation-dir=/var/lib/jenkins/workspace/nss-scan-build/nss/cmd/p7verify -resource-dir /usr/lib/llvm-18/lib/clang/18 -D HAVE_STRERROR -D LINUX -D linux -D XP_UNIX -D XP_UNIX -D DEBUG -U NDEBUG -D _DEFAULT_SOURCE -D _BSD_SOURCE -D _POSIX_SOURCE -D SDB_MEASURE_USE_TEMP_DIR -D _REENTRANT -D DEBUG -U NDEBUG -D _DEFAULT_SOURCE -D _BSD_SOURCE -D _POSIX_SOURCE -D SDB_MEASURE_USE_TEMP_DIR -D _REENTRANT -D NSS_DISABLE_SSE3 -D NSS_NO_INIT_SUPPORT -D USE_UTIL_DIRECTLY -D NO_NSPR_10_SUPPORT -D SSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES -I ../../../dist/Linux4.19_x86_64_gcc_glibc_PTH_64_DBG.OBJ/include -I ../../../dist/public/nss -I ../../../dist/private/nss -I ../../../dist/public/seccmd -internal-isystem /usr/lib/llvm-18/lib/clang/18/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/14/../../../../x86_64-linux-gnu/include 
-internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -std=c99 -ferror-limit 19 -fgnuc-version=4.2.1 -analyzer-output=html -analyzer-config stable-report-filename=true -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /tmp/scan-build-2024-05-18-082241-28900-1 -x c p7verify.c
1/* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4
5/*
6 * p7verify -- A command to do a verification of a *detached* pkcs7 signature.
7 */
8
9#include "nspr.h"
10#include "secutil.h"
11#include "plgetopt.h"
12#include "secpkcs7.h"
13#include "cert.h"
14#include "certdb.h"
15#include "secoid.h"
16#include "sechash.h" /* for HASH_GetHashObject() */
17#include "nss.h"
18
19#if defined(XP_UNIX1)
20#include <unistd.h>
21#endif
22
23#include <stdio.h>
24#include <string.h>
25
26#if (defined(XP_WIN) && !defined(WIN32)) || (defined(__sun) && !defined(SVR4))
27extern int fread(char *, size_t, size_t, FILE *);
28extern int fprintf(FILE *, char *, ...);
29#endif
30
/*
 * Hash the remaining contents of inFile with the algorithm selected by
 * hashType and store the result through digest/len.
 *
 * digest  - output buffer for the hash value
 * len     - receives the number of bytes the hash object's end() wrote
 * maxLen  - capacity of digest, handed unchanged to end()
 * inFile  - stream to read; consumed up to EOF
 *
 * Returns 0 on success and -1 when the hash context cannot be created or a
 * read error is reported (SEC_ERROR_IO is set in the read-error case).
 *
 * NOTE(review): how end() behaves when the digest is longer than maxLen is
 * not visible in this file; callers should size the buffer for the largest
 * digest they accept.
 */
static int
DigestFile(unsigned char *digest, unsigned int *len, unsigned int maxLen,
           FILE *inFile, HASH_HashType hashType)
{
    unsigned char chunk[4096];
    const SECHashObject *hashObj = HASH_GetHashObject(hashType);
    void *ctx = (*hashObj->create)();
    int got;

    if (ctx == NULL) {
        return -1;
    }

    (*hashObj->begin)(ctx);

    while (!feof(inFile)) {
        got = fread(chunk, 1, sizeof(chunk), inFile);
        if (got == 0) {
            /* Nothing was read: either a clean EOF or a stream error. */
            if (!ferror(inFile)) {
                break;
            }
            PORT_SetError(SEC_ERROR_IO);
            (*hashObj->destroy)(ctx, PR_TRUE);
            return -1;
        }
        /*
         * A short, non-empty read is hashed as-is; if it was caused by an
         * error, the next pass reads 0 bytes and takes the error path above.
         */
        (*hashObj->update)(ctx, chunk, got);
    }

    (*hashObj->end)(ctx, digest, len, maxLen);
    (*hashObj->destroy)(ctx, PR_TRUE);

    return 0;
}
71
/*
 * Print the command-line synopsis to stderr and terminate the process with
 * exit(-1). Never returns.
 *
 * NOTE(review): main() in this file also accepts "-o" (its option string is
 * "c:d:o:s:u:"), which this text does not list.
 */
static void
Usage(char *progName)
{
    FILE *err = stderr;
    const char *pad = " ";

    /* Synopsis line, then one line per option. */
    fprintf(err,
            "Usage:  %s -c content -s signature [-d dbdir] [-u certusage]\n",
            progName);
    fprintf(err, "%-20s content file that was signed\n",
            "-c content");
    fprintf(err, "%-20s file containing signature for that content\n",
            "-s signature");
    fprintf(err,
            "%-20s Key/Cert database directory (default is ~/.netscape)\n",
            "-d dbdir");
    fprintf(err, "%-20s Define the type of certificate usage (default is certUsageEmailSigner)\n",
            "-u certusage");

    /* Numeric values accepted by -u. */
    fprintf(err, "%-25s  0 - certUsageSSLClient\n", pad);
    fprintf(err, "%-25s  1 - certUsageSSLServer\n", pad);
    fprintf(err, "%-25s  2 - certUsageSSLServerWithStepUp\n", pad);
    fprintf(err, "%-25s  3 - certUsageSSLCA\n", pad);
    fprintf(err, "%-25s  4 - certUsageEmailSigner\n", pad);
    fprintf(err, "%-25s  5 - certUsageEmailRecipient\n", pad);
    fprintf(err, "%-25s  6 - certUsageObjectSigner\n", pad);
    fprintf(err, "%-25s  7 - certUsageUserCertImport\n", pad);
    fprintf(err, "%-25s  8 - certUsageVerifyCA\n", pad);
    fprintf(err, "%-25s  9 - certUsageProtectedObjectSigner\n", pad);
    fprintf(err, "%-25s 10 - certUsageStatusResponder\n", pad);
    fprintf(err, "%-25s 11 - certUsageAnyCA\n", pad);
    fprintf(err, "%-25s 12 - certUsageIPsec\n", pad);

    exit(-1);
}
103
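/*
 * Decode a detached PKCS#7 signature, hash the content file with the digest
 * algorithm the signature names, and report whether the signature verifies.
 *
 * out       - stream that receives the human-readable verdict
 * content   - the signed content; read to EOF by DigestFile()
 * signature - file holding the DER-encoded PKCS#7 blob
 * usage     - certificate usage the signer's certificate is checked against
 * progName  - prefix for error messages
 *
 * Returns -1 when the signature cannot be read or decoded, is not signed
 * data, names no usable digest algorithm, or the content cannot be hashed.
 * Returns 0 once verification has been attempted, for BOTH a valid and an
 * invalid signature: the verdict is reported only as text on `out`, so the
 * return value must not be treated as "signature is good".
 */
static int
HashDecodeAndVerify(FILE *out, FILE *content, PRFileDesc *signature,
                    SECCertUsage usage, char *progName)
{
    SECItem derdata = { siBuffer, NULL, 0 };
    SEC_PKCS7ContentInfo *cinfo = NULL;
    SEC_PKCS7SignedData *signedData;
    HASH_HashType digestType;
    SECItem digest;
    /* Sized for the largest supported digest, not just 32-byte hashes. */
    unsigned char buffer[HASH_LENGTH_MAX];
    int rc = -1;

    if (SECU_ReadDERFromFile(&derdata, signature, PR_FALSE,
                             PR_FALSE) != SECSuccess) {
        SECU_PrintError(progName, "error reading signature file");
        return -1;
    }

    cinfo = SEC_PKCS7DecodeItem(&derdata, NULL, NULL, NULL, NULL,
                                NULL, NULL, NULL);
    if (cinfo == NULL)
        goto done;

    if (!SEC_PKCS7ContentIsSigned(cinfo)) {
        fprintf(out, "Signature file is pkcs7 data, but not signed.\n");
        goto done;
    }

    signedData = cinfo->content.signedData;

    /*
     * The signature file is untrusted input: do not index the digest
     * algorithm list unless it is present and has a first entry.
     */
    if (signedData == NULL || signedData->digestAlgorithms == NULL ||
        signedData->digestAlgorithms[0] == NULL) {
        fprintf(out, "Invalid hash algorithmID\n");
        goto done;
    }

    /* assume that there is only one digest algorithm for now */
    digestType = HASH_GetHashTypeByOidTag(
        SECOID_GetAlgorithmTag(signedData->digestAlgorithms[0]));
    if (digestType == HASH_AlgNULL) {
        fprintf(out, "Invalid hash algorithmID\n");
        goto done;
    }

    digest.type = siBuffer;
    digest.data = buffer;
    digest.len = 0;
    if (DigestFile(digest.data, &digest.len, sizeof(buffer), content,
                   digestType)) {
        SECU_PrintError(progName, "problem computing message digest");
        goto done;
    }

    fprintf(out, "Signature is ");
    if (SEC_PKCS7VerifyDetachedSignature(cinfo, usage, &digest, digestType,
                                         PR_FALSE))
        fprintf(out, "valid.\n");
    else
        fprintf(out, "invalid (Reason: %s).\n",
                SECU_Strerror(PORT_GetError()));

    /* Verification ran to completion; see the header about the verdict. */
    rc = 0;

done:
    /* Single exit so the DER buffer and decoded content are always freed. */
    SECITEM_FreeItem(&derdata, PR_FALSE);
    if (cinfo != NULL)
        SEC_PKCS7DestroyContentInfo(cinfo);
    return rc;
}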
159
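/*
 * p7verify entry point: parse options, initialise NSS, and verify a detached
 * PKCS#7 signature (-s) over a content file (-c).
 *
 * Exit status: -1 on option, file-open, NSS-initialisation or processing
 * errors; 1 if NSS_Shutdown() fails; 0 otherwise. HashDecodeAndVerify() in
 * this file returns 0 for both a valid and an invalid signature, so exit
 * status 0 means "verification was performed", not "signature is valid";
 * the verdict is the text written to the output file (stdout by default).
 */
int
main(int argc, char **argv)
{
    char *progName;
    FILE *contentFile, *outFile;
    PRFileDesc *signatureFile;
    SECCertUsage certUsage = certUsageEmailSigner;
    PLOptState *optstate;
    PLOptStatus status;
    SECStatus rv;

    progName = strrchr(argv[0], '/');
    progName = progName ? progName + 1 : argv[0];

    contentFile = NULL;
    signatureFile = NULL;
    outFile = NULL;

    /*
     * Parse command line arguments
     */
    optstate = PL_CreateOptState(argc, argv, "c:d:o:s:u:");
    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
        switch (optstate->option) {
            case '?':
                Usage(progName);
                break;

            case 'c':
                contentFile = fopen(optstate->value, "r");
                if (!contentFile) {
                    fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
                            progName, optstate->value);
                    return -1;
                }
                break;

            case 'd':
                SECU_ConfigDirectory(optstate->value);
                break;

            case 'o':
                outFile = fopen(optstate->value, "w");
                if (!outFile) {
                    fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
                            progName, optstate->value);
                    return -1;
                }
                break;

            case 's':
                signatureFile = PR_Open(optstate->value, PR_RDONLY, 0);
                if (!signatureFile) {
                    fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
                            progName, optstate->value);
                    return -1;
                }
                break;

            case 'u': {
                char *end = NULL;
                long usageType;

                /*
                 * Parse strictly: with atoi() a non-numeric argument became
                 * 0 (certUsageSSLClient) and silently changed the usage the
                 * signer's certificate is validated for.
                 */
                usageType = strtol(optstate->value, &end, 10);
                if (end == optstate->value || *end != '\0' ||
                    usageType < certUsageSSLClient ||
                    usageType > certUsageIPsec)
                    return -1;
                certUsage = (SECCertUsage)usageType;
                break;
            }
        }
    }
    PL_DestroyOptState(optstate);

    /*
     * The loop also ends on a malformed option; previously that result was
     * stored in 'status' and never read, so bad options were ignored.
     */
    if (status == PL_OPT_BAD)
        Usage(progName);

    if (!contentFile)
        Usage(progName);
    if (!signatureFile)
        Usage(progName);
    if (!outFile)
        outFile = stdout;

    /* Call the NSS initialization routines */
    PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
    rv = NSS_Init(SECU_ConfigDirectory(NULL));
    if (rv != SECSuccess) {
        SECU_PrintPRandOSError(progName);
        return -1;
    }

    if (HashDecodeAndVerify(outFile, contentFile, signatureFile,
                            certUsage, progName)) {
        SECU_PrintError(progName, "problem decoding/verifying signature");
        return -1;
    }

    fclose(contentFile);
    PR_Close(signatureFile);
    if (outFile && outFile != stdout) {
        fclose(outFile);
    }

    if (NSS_Shutdown() != SECSuccess) {
        exit(1);
    }

    return 0;
}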