From fa50606847fafe19499ae78b02d954be67985d3b8083b658fd8674b1378f386a Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 7 Feb 2013 02:04:33 +0000 Subject: [PATCH] Accepting request 151539 from home:gary_lin:branches:Base:System - Merge patches for FATE#314552 + pesign-fix-export-attributes.patch: fix crash when exporting the signed attributes + pesign-privkey_unneeded.diff: Don't check the private key when importing the raw signature - Add pesign-bnc801653-teardown-segfault.patch to fix crash when freeing digests (bnc801653) - Drop pesign-digestdata.diff which is no longer needed. OBS-URL: https://build.opensuse.org/request/show/151539 OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign?expand=0&rev=5 --- pesign-bnc801653-teardown-segfault.patch | 51 +++++++++ pesign-digestdata.diff | 128 ----------------------- pesign-fix-export-attributes.patch | 33 ++++++ pesign-privkey_unneeded.diff | 65 ++++++++++++ pesign.changes | 12 +++ pesign.spec | 12 ++- 6 files changed, 170 insertions(+), 131 deletions(-) create mode 100644 pesign-bnc801653-teardown-segfault.patch delete mode 100644 pesign-digestdata.diff create mode 100644 pesign-fix-export-attributes.patch create mode 100644 pesign-privkey_unneeded.diff diff --git a/pesign-bnc801653-teardown-segfault.patch b/pesign-bnc801653-teardown-segfault.patch new file mode 100644 index 0000000..1e9ec70 --- /dev/null +++ b/pesign-bnc801653-teardown-segfault.patch @@ -0,0 +1,51 @@ +commit ed689613e93f3121048d6c922c90aafd6bf10880 +Author: Peter Jones +Date: Tue Nov 27 11:37:05 2012 -0500 + + Hopefully make teardown_digests() work better... + + Freeing nss constructs continues to be weird. + + Signed-off-by: Peter Jones + +--- + src/cms_common.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/src/cms_common.c ++++ b/src/cms_common.c +@@ -110,8 +110,6 @@ teardown_digests(cms_context *ctx) + PK11_DestroyContext(digests[i].pk11ctx, PR_TRUE); + } + if (digests[i].pe_digest) { +- free_poison(digests[i].pe_digest->data, +- digests[i].pe_digest->len); + /* XXX sure seems like we should be freeing it here, + * but that's segfaulting, and we know it'll get + * cleaned up with PORT_FreeArena a couple of lines +@@ -120,7 +118,7 @@ teardown_digests(cms_context *ctx) + digests[i].pe_digest = NULL; + } + } +- free(digests); ++ PORT_Free(digests); + ctx->digests = NULL; + } + +@@ -184,7 +182,6 @@ cms_context_fini(cms_context *cms) + memset(&cms->newsig, '\0', sizeof (cms->newsig)); + } + +- teardown_digests(cms); + cms->selected_digest = -1; + + if (cms->ci_digest) { +@@ -708,7 +705,7 @@ generate_digest_begin(cms_context *cms) + if (cms->digests) { + digests = cms->digests; + } else { +- digests = calloc(n_digest_params, sizeof (*digests)); ++ digests = PORT_ZAlloc(n_digest_params * sizeof (*digests)); + if (!digests) { + cms->log(cms, LOG_ERR, "cannot allocate memory: %m"); + return -1; diff --git a/pesign-digestdata.diff b/pesign-digestdata.diff deleted file mode 100644 index be7b1f8..0000000 --- a/pesign-digestdata.diff +++ /dev/null @@ -1,128 +0,0 @@ ---- src/cms_common.c.orig 2013-01-18 14:32:01.000000000 +0000 -+++ src/cms_common.c 2013-01-18 14:34:25.000000000 +0000 -@@ -155,6 +155,7 @@ cms_context_init(cms_context *cms) - } - - cms->selected_digest = -1; -+ cms->digestdatafd = -1; - - return 0; - } -@@ -746,6 +747,11 @@ generate_digest_step(cms_context *cms, v - { - for (int i = 0; i < n_digest_params; i++) - PK11_DigestOp(cms->digests[i].pk11ctx, data, len); -+ if (cms->digestdatafd >= 0 && len != 0) { -+ if (write(cms->digestdatafd, data, len) != len) { -+ cms->log(cms, LOG_ERR, "digestdata write: %m"); -+ } -+ } - } - - int ---- src/cms_common.h.orig 2013-01-18 14:31:32.000000000 +0000 -+++ src/cms_common.h 2013-01-18 14:31:54.000000000 +0000 -@@ -59,6 +59,8 @@ typedef struct cms_context { - - cms_common_logger log; - void *log_priv; -+ -+ int digestdatafd; - } cms_context; - - typedef struct { ---- src/pesign.c.orig 2013-01-18 14:20:47.000000000 +0000 -+++ src/pesign.c 2013-01-18 14:35:03.000000000 +0000 -@@ -177,6 +177,24 @@ open_output(pesign_context *ctx) - } - - static void -+open_digestdata(pesign_context *ctx) -+{ -+ ctx->digestdatafd = open(ctx->digestdatafile, O_RDWR|O_CREAT|O_TRUNC|O_CLOEXEC, -+ 0666); -+ if (ctx->digestdatafd < 0) { -+ fprintf(stderr, "pesign: Error opening digest data file: %m\n"); -+ exit(1); -+ } -+} -+ -+static void -+close_digestdata(pesign_context *ctx) -+{ -+ close(ctx->digestdatafd); -+ ctx->digestdatafd = -1; -+} -+ -+static void - open_rawsig_input(pesign_context *ctx) - { - if (!ctx->rawsig) { -@@ -461,6 +479,7 @@ main(int argc, char *argv[]) - {"sign", 's', POPT_ARG_VAL, &ctxp->sign, 1, - "create a new signature", NULL }, - {"hash", 'h', POPT_ARG_VAL, &ctxp->hash, 1, "hash binary", NULL }, -+ {"digestdata", 'H', POPT_ARG_STRING, &ctxp->digestdatafile, 0, "write digest data in file", ""}, - {"digest_type", 'd', POPT_ARG_STRING|POPT_ARGFLAG_SHOW_DEFAULT, - &digest_name, 0, "digest type to use for pe hash" }, - {"import-signed-certificate", 'm', -@@ -623,7 +642,7 @@ main(int argc, char *argv[]) - } - } - -- if (ctxp->hash) -+ if (ctxp->hash || ctxp->digestdatafile) - action |= GENERATE_DIGEST|PRINT_DIGEST; - - ssize_t sigspace = 0; -@@ -748,7 +767,15 @@ main(int argc, char *argv[]) - break; - case GENERATE_DIGEST|PRINT_DIGEST: - open_input(ctxp); -+ if (ctxp->digestdatafile) { -+ open_digestdata(ctxp); -+ ctxp->cms_ctx->digestdatafd = ctxp->digestdatafd; -+ } - generate_digest(ctxp->cms_ctx, ctxp->inpe); -+ if (ctxp->digestdatafile) { -+ close_digestdata(ctxp); -+ ctxp->cms_ctx->digestdatafd = -1; -+ } - print_digest(ctxp); - break; - /* generate a signature and save it in a separate file */ ---- src/pesign_context.c.orig 2013-01-18 14:30:08.000000000 +0000 -+++ src/pesign_context.c 2013-01-18 14:30:55.000000000 +0000 -@@ -68,6 +68,8 @@ pesign_context_init(pesign_context *ctx) - ctx->outkeyfd = -1; - ctx->outcertfd = -1; - -+ ctx->digestdatafd = -1; -+ - ctx->signum = -1; - - ctx->ascii = 0; -@@ -165,6 +167,11 @@ pesign_context_fini(pesign_context *ctx) - ctx->infd = -1; - } - -+ if (ctx->digestdatafd >= 0) { -+ close(ctx->digestdatafd); -+ ctx->digestdatafd = -1; -+ } -+ - ctx->signum = -1; - - if (!(ctx->flags & PESIGN_C_ALLOCATED)) ---- src/pesign_context.h.orig 2013-01-18 14:23:14.000000000 +0000 -+++ src/pesign_context.h 2013-01-18 14:29:52.000000000 +0000 -@@ -67,6 +67,9 @@ typedef struct { - int ascii; - int sign; - int hash; -+ -+ int digestdatafd; -+ char *digestdatafile; - } pesign_context; - - extern int pesign_context_new(pesign_context **ctx); diff --git a/pesign-fix-export-attributes.patch b/pesign-fix-export-attributes.patch new file mode 100644 index 0000000..98fa3df --- /dev/null +++ b/pesign-fix-export-attributes.patch @@ -0,0 +1,33 @@ +From 8376d873bf72c06b5efaa9dad812eb783cda5d41 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Fri, 25 Jan 2013 10:34:55 -0500 +Subject: [PATCH] Fix up "-E", which apparently broke during some refactoring. + +Signed-off-by: Peter Jones +--- + src/actions.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/src/actions.c b/src/actions.c +index 6c32819..5c5dd89 100644 +--- a/src/actions.c ++++ b/src/actions.c +@@ -373,6 +373,15 @@ generate_sattr_blob(pesign_context *ctx) + { + int rc; + SECItem sa; ++ SpcContentInfo ci; ++ ++ memset(&ci, '\0', sizeof (ci)); ++ rc = generate_spc_content_info(ctx->cms_ctx, &ci); ++ if (rc < 0) { ++ fprintf(stderr, "Could not generate content info: %s\n", ++ PORT_ErrorToString(PORT_GetError())); ++ exit(1); ++ } + + rc = generate_signed_attributes(ctx->cms_ctx, &sa); + if (rc < 0) { +-- +1.7.10.4 + diff --git a/pesign-privkey_unneeded.diff b/pesign-privkey_unneeded.diff new file mode 100644 index 0000000..5582203 --- /dev/null +++ b/pesign-privkey_unneeded.diff @@ -0,0 +1,65 @@ +--- + src/cms_common.c | 9 ++++++++- + src/cms_common.h | 1 + + src/pesign.c | 1 + + 3 files changed, 10 insertions(+), 1 deletion(-) + +--- a/src/cms_common.c ++++ b/src/cms_common.c +@@ -276,6 +276,7 @@ struct cbdata { + CERTCertificate *cert; + PK11SlotListElement *psle; + secuPWData *pwdata; ++ int privkey_unneeded; + }; + + static SECStatus +@@ -288,6 +289,11 @@ is_valid_cert(CERTCertificate *cert, voi + + SECKEYPrivateKey *privkey = NULL; + ++ if (cbdata->privkey_unneeded) { ++ cbdata->cert = cert; ++ return SECSuccess; ++ } ++ + privkey = PK11_FindPrivateKeyFromCert(slot, cert, pwdata); + if (privkey != NULL) { + cbdata->cert = cert; +@@ -398,7 +404,7 @@ err_slots: + goto err_slots_errmsg; + + SECStatus status; +- if (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) { ++ if (!cms->privkey_unneeded && PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) { + status = PK11_Authenticate(psle->slot, PR_TRUE, pwdata); + if (status != SECSuccess) { + cms->log(cms, LOG_ERR, "Authentication failed on " +@@ -425,6 +431,7 @@ err_slots: + .cert = NULL, + .psle = psle, + .pwdata = pwdata, ++ .privkey_unneeded = cms->privkey_unneeded, + }; + + status = PK11_TraverseCertsForNicknameInSlot(&nickname, psle->slot, +--- a/src/cms_common.h ++++ b/src/cms_common.h +@@ -37,6 +37,7 @@ typedef int (*cms_common_logger)(struct + typedef struct cms_context { + PRArenaPool *arena; + void *privkey; ++ int privkey_unneeded; + + char *tokenname; + char *certname; +--- a/src/pesign.c ++++ b/src/pesign.c +@@ -650,6 +650,7 @@ main(int argc, char *argv[]) + */ + case IMPORT_RAW_SIGNATURE|IMPORT_SATTRS: + check_inputs(ctxp); ++ ctxp->cms_ctx->privkey_unneeded = 1; + rc = find_certificate(ctxp->cms_ctx); + if (rc < 0) { + fprintf(stderr, "pesign: Could not find " diff --git a/pesign.changes b/pesign.changes index 2532fda..33a7224 100644 --- a/pesign.changes +++ b/pesign.changes @@ -1,3 +1,15 @@ +------------------------------------------------------------------- +Wed Feb 6 10:44:48 UTC 2013 - glin@suse.com + +- Merge patches for FATE#314552 + + pesign-fix-export-attributes.patch: fix crash when exporting + the signed attributes + + pesign-privkey_unneeded.diff: Don't check the private key when + importing the raw signature +- Add pesign-bnc801653-teardown-segfault.patch to fix crash when + freeing digests (bnc801653) +- Drop pesign-digestdata.diff which is no longer needed. + ------------------------------------------------------------------- Mon Jan 21 10:17:28 UTC 2013 - glin@suse.com diff --git a/pesign.spec b/pesign.spec index abd5276..cde4287 100644 --- a/pesign.spec +++ b/pesign.spec @@ -36,8 +36,12 @@ Patch3: pesign-client-initialize-action.patch Patch4: pesign-client-read-pin-file.patch # PATCH-FIX-UPSTREAM pesign-local-database.patch glin@suse.com -- Support local certificate database Patch5: pesign-local-database.patch -# PATCH-FIX-UPSTREAM pesign-digestdata.diff glin@suse.com -- Generate digestdata -Patch6: pesign-digestdata.diff +# PATCH-FIX-UPSTREAM pesign-bnc801653-teardown-segfault.patch glin@suse.com -- Fix crash when freeing digests +Patch7: pesign-bnc801653-teardown-segfault.patch +# PATCH-FIX-UPSTREAM pesign-fix-export-attributes.patch glin@suse.com -- Fix crash when exporting attributes +Patch9: pesign-fix-export-attributes.patch +# PATCH-FIX-UPSTREAM pesign-privkey_unneeded.diff glin@suse.com -- Don't check the private key when importing the raw signature +Patch10: pesign-privkey_unneeded.diff BuildRequires: mozilla-nss-devel BuildRequires: pkg-config BuildRequires: popt-devel @@ -69,7 +73,9 @@ Authors: %patch3 -p1 %patch4 -p1 %patch5 -p1 -%patch6 -p0 +%patch7 -p1 +%patch9 -p1 +%patch10 -p1 %build make OPTFLAGS="$RPM_OPT_FLAGS"