From: Dorjoy Chowdhury <dorjoychy111@gmail.com>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: "Daniel P. Berrangé" <berrange@redhat.com>,
qemu-devel@nongnu.org, "Hyman Huang" <yong.huang@smartx.com>,
"Marc-André Lureau" <marcandre.lureau@redhat.com>,
"Eric Blake" <eblake@redhat.com>,
"Philippe Mathieu-Daudé" <philmd@linaro.org>,
"Hanna Reitz" <hreitz@redhat.com>,
qemu-block@nongnu.org, qemu-stable@nongnu.org,
"Laurent Vivier" <lvivier@redhat.com>,
"Thomas Huth" <thuth@redhat.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Kevin Wolf" <kwolf@redhat.com>,
"Markus Armbruster" <armbru@redhat.com>
Subject: Re: [PULL 10/10] crypto: Introduce x509 utils
Date: Tue, 18 Mar 2025 23:01:40 +0600 [thread overview]
Message-ID: <CAFfO_h6ANSUP_Y3UTFOf3RPGk0s5VPiqoFpy47sDrCnJgrwvfA@mail.gmail.com> (raw)
In-Reply-To: <CAFEAcA_xCa4NjyDt6M+n6KdXTUWRfdSkymW-AqupXRQC97DKcQ@mail.gmail.com>
On Tue, Mar 18, 2025 at 10:44 PM Peter Maydell <peter.maydell@linaro.org> wrote:
>
> On Mon, 9 Sept 2024 at 15:21, Daniel P. Berrangé <berrange@redhat.com> wrote:
> >
> > From: Dorjoy Chowdhury <dorjoychy111@gmail.com>
> >
> > An utility function for getting fingerprint from X.509 certificate
> > has been introduced. Implementation only provided using gnutls.
>
> Hi; recent changes in the codebase mean that one of Coverity's
> "maybe this needs an error check" heuristics is now triggering
> for this code (CID 1593155):
>
> > +int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size,
> > + QCryptoHashAlgorithm alg,
> > + uint8_t *result,
> > + size_t *resultlen,
> > + Error **errp)
> > +{
> > + int ret = -1;
> > + int hlen;
> > + gnutls_x509_crt_t crt;
> > + gnutls_datum_t datum = {.data = cert, .size = size};
> > +
> > + if (alg >= G_N_ELEMENTS(qcrypto_to_gnutls_hash_alg_map)) {
> > + error_setg(errp, "Unknown hash algorithm");
> > + return -1;
> > + }
> > +
> > + if (result == NULL) {
> > + error_setg(errp, "No valid buffer given");
> > + return -1;
> > + }
> > +
> > + gnutls_x509_crt_init(&crt);
>
> gnutls_x509_crt_init() can fail and return a negative value
> on error -- should we be checking for and handling this
> error case ?
>
Yes, I think so. It should be probably something like below:
if (gnutls_x509_crt_init(&crt) < 0) {
error_setg(errp, "Failed to initialize certificate");
return -1;
}
Regards,
Dorjoy
next prev parent reply other threads:[~2025-03-18 17:02 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-09 14:16 [PULL 00/10] Crypto fixes patches Daniel P. Berrangé
2024-09-09 14:16 ` [PULL 01/10] iotests: fix expected output from gnutls Daniel P. Berrangé
2024-09-09 14:16 ` [PULL 02/10] crypto: run qcrypto_pbkdf2_count_iters in a new thread Daniel P. Berrangé
2024-09-09 14:16 ` [PULL 03/10] crypto: check gnutls & gcrypt support the requested pbkdf hash Daniel P. Berrangé
2024-09-09 14:16 ` [PULL 04/10] tests/unit: always build the pbkdf crypto unit test Daniel P. Berrangé
2024-09-09 14:16 ` [PULL 05/10] tests/unit: build pbkdf test on macOS Daniel P. Berrangé
2024-09-09 14:16 ` [PULL 06/10] crypto: avoid leak of ctx when bad cipher mode is given Daniel P. Berrangé
2024-09-09 14:16 ` [PULL 07/10] crypto: use consistent error reporting pattern for unsupported cipher modes Daniel P. Berrangé
2024-09-09 14:16 ` [PULL 08/10] crypto: Define macros for hash algorithm digest lengths Daniel P. Berrangé
2024-09-09 14:16 ` [PULL 09/10] crypto: Support SHA384 hash when using glib Daniel P. Berrangé
2024-09-09 14:16 ` [PULL 10/10] crypto: Introduce x509 utils Daniel P. Berrangé
2025-03-18 16:44 ` Peter Maydell
2025-03-18 17:01 ` Dorjoy Chowdhury [this message]
2024-09-09 16:06 ` [PULL 00/10] Crypto fixes patches Peter Maydell
2024-09-11 5:59 ` Michael Tokarev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAFfO_h6ANSUP_Y3UTFOf3RPGk0s5VPiqoFpy47sDrCnJgrwvfA@mail.gmail.com \
--to=dorjoychy111@gmail.com \
--cc=armbru@redhat.com \
--cc=berrange@redhat.com \
--cc=eblake@redhat.com \
--cc=hreitz@redhat.com \
--cc=kwolf@redhat.com \
--cc=lvivier@redhat.com \
--cc=marcandre.lureau@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=philmd@linaro.org \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
--cc=thuth@redhat.com \
--cc=yong.huang@smartx.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).