pool/pesign
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 151539 from home:gary_lin:branches:Base:System

Browse Source 
- Merge patches for FATE#314552
  + pesign-fix-export-attributes.patch: fix crash when exporting
    the signed attributes
  + pesign-privkey_unneeded.diff: Don't check the private key when
    importing the raw signature
- Add pesign-bnc801653-teardown-segfault.patch to fix crash when
  freeing digests (bnc801653)
- Drop pesign-digestdata.diff which is no longer needed.

OBS-URL: https://build.opensuse.org/request/show/151539
OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign?expand=0&rev=5
This commit is contained in:
Gary Ching-Pang Lin 2013-02-07 02:04:33 +00:00 committed by Git OBS Bridge
parent 996fffcf04
commit fa50606847
6 changed files with 170 additions and 131 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
pesign-bnc801653-teardown-segfault.patch Normal file
View File

@ -0,0 +1,51 @@
commit ed689613e93f3121048d6c922c90aafd6bf10880
Author: Peter Jones <pjones@redhat.com>
Date: Tue Nov 27 11:37:05 2012 -0500
Hopefully make teardown_digests() work better...
Freeing nss constructs continues to be weird.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/cms_common.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -110,8 +110,6 @@ teardown_digests(cms_context *ctx)
PK11_DestroyContext(digests[i].pk11ctx, PR_TRUE);
}
if (digests[i].pe_digest) {
- free_poison(digests[i].pe_digest->data,
- digests[i].pe_digest->len);
/* XXX sure seems like we should be freeing it here,
* but that's segfaulting, and we know it'll get
* cleaned up with PORT_FreeArena a couple of lines
@@ -120,7 +118,7 @@ teardown_digests(cms_context *ctx)
digests[i].pe_digest = NULL;
}
}
- free(digests);
+ PORT_Free(digests);
ctx->digests = NULL;
}
@@ -184,7 +182,6 @@ cms_context_fini(cms_context *cms)
memset(&cms->newsig, '\0', sizeof (cms->newsig));
}
- teardown_digests(cms);
cms->selected_digest = -1;
if (cms->ci_digest) {
@@ -708,7 +705,7 @@ generate_digest_begin(cms_context *cms)
if (cms->digests) {
digests = cms->digests;
} else {
- digests = calloc(n_digest_params, sizeof (*digests));
+ digests = PORT_ZAlloc(n_digest_params * sizeof (*digests));
if (!digests) {
cms->log(cms, LOG_ERR, "cannot allocate memory: %m");
return -1;

128
pesign-digestdata.diff
View File

@ -1,128 +0,0 @@
--- src/cms_common.c.orig 2013-01-18 14:32:01.000000000 +0000
+++ src/cms_common.c 2013-01-18 14:34:25.000000000 +0000
@@ -155,6 +155,7 @@ cms_context_init(cms_context *cms)
}
cms->selected_digest = -1;
+ cms->digestdatafd = -1;
return 0;
}
@@ -746,6 +747,11 @@ generate_digest_step(cms_context *cms, v
{
for (int i = 0; i < n_digest_params; i++)
PK11_DigestOp(cms->digests[i].pk11ctx, data, len);
+ if (cms->digestdatafd >= 0 && len != 0) {
+ if (write(cms->digestdatafd, data, len) != len) {
+ cms->log(cms, LOG_ERR, "digestdata write: %m");
+ }
+ }
}
int
--- src/cms_common.h.orig 2013-01-18 14:31:32.000000000 +0000
+++ src/cms_common.h 2013-01-18 14:31:54.000000000 +0000
@@ -59,6 +59,8 @@ typedef struct cms_context {
cms_common_logger log;
void *log_priv;
+
+ int digestdatafd;
} cms_context;
typedef struct {
--- src/pesign.c.orig 2013-01-18 14:20:47.000000000 +0000
+++ src/pesign.c 2013-01-18 14:35:03.000000000 +0000
@@ -177,6 +177,24 @@ open_output(pesign_context *ctx)
}
static void
+open_digestdata(pesign_context *ctx)
+{
+ ctx->digestdatafd = open(ctx->digestdatafile, O_RDWR|O_CREAT|O_TRUNC|O_CLOEXEC,
+ 0666);
+ if (ctx->digestdatafd < 0) {
+ fprintf(stderr, "pesign: Error opening digest data file: %m\n");
+ exit(1);
+ }
+}
+
+static void
+close_digestdata(pesign_context *ctx)
+{
+ close(ctx->digestdatafd);
+ ctx->digestdatafd = -1;
+}
+
+static void
open_rawsig_input(pesign_context *ctx)
{
if (!ctx->rawsig) {
@@ -461,6 +479,7 @@ main(int argc, char *argv[])
{"sign", 's', POPT_ARG_VAL, &ctxp->sign, 1,
"create a new signature", NULL },
{"hash", 'h', POPT_ARG_VAL, &ctxp->hash, 1, "hash binary", NULL },
+ {"digestdata", 'H', POPT_ARG_STRING, &ctxp->digestdatafile, 0, "write digest data in file", "<outfile>"},
{"digest_type", 'd', POPT_ARG_STRING|POPT_ARGFLAG_SHOW_DEFAULT,
&digest_name, 0, "digest type to use for pe hash" },
{"import-signed-certificate", 'm',
@@ -623,7 +642,7 @@ main(int argc, char *argv[])
}
}
- if (ctxp->hash)
+ if (ctxp->hash || ctxp->digestdatafile)
action |= GENERATE_DIGEST|PRINT_DIGEST;
ssize_t sigspace = 0;
@@ -748,7 +767,15 @@ main(int argc, char *argv[])
break;
case GENERATE_DIGEST|PRINT_DIGEST:
open_input(ctxp);
+ if (ctxp->digestdatafile) {
+ open_digestdata(ctxp);
+ ctxp->cms_ctx->digestdatafd = ctxp->digestdatafd;
+ }
generate_digest(ctxp->cms_ctx, ctxp->inpe);
+ if (ctxp->digestdatafile) {
+ close_digestdata(ctxp);
+ ctxp->cms_ctx->digestdatafd = -1;
+ }
print_digest(ctxp);
break;
/* generate a signature and save it in a separate file */
--- src/pesign_context.c.orig 2013-01-18 14:30:08.000000000 +0000
+++ src/pesign_context.c 2013-01-18 14:30:55.000000000 +0000
@@ -68,6 +68,8 @@ pesign_context_init(pesign_context *ctx)
ctx->outkeyfd = -1;
ctx->outcertfd = -1;
+ ctx->digestdatafd = -1;
+
ctx->signum = -1;
ctx->ascii = 0;
@@ -165,6 +167,11 @@ pesign_context_fini(pesign_context *ctx)
ctx->infd = -1;
}
+ if (ctx->digestdatafd >= 0) {
+ close(ctx->digestdatafd);
+ ctx->digestdatafd = -1;
+ }
+
ctx->signum = -1;
if (!(ctx->flags & PESIGN_C_ALLOCATED))
--- src/pesign_context.h.orig 2013-01-18 14:23:14.000000000 +0000
+++ src/pesign_context.h 2013-01-18 14:29:52.000000000 +0000
@@ -67,6 +67,9 @@ typedef struct {
int ascii;
int sign;
int hash;
+
+ int digestdatafd;
+ char *digestdatafile;
} pesign_context;
extern int pesign_context_new(pesign_context **ctx);

33
pesign-fix-export-attributes.patch Normal file
View File

@ -0,0 +1,33 @@
From 8376d873bf72c06b5efaa9dad812eb783cda5d41 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 25 Jan 2013 10:34:55 -0500
Subject: [PATCH] Fix up "-E", which apparently broke during some refactoring.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/actions.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/actions.c b/src/actions.c
index 6c32819..5c5dd89 100644
--- a/src/actions.c
+++ b/src/actions.c
@@ -373,6 +373,15 @@ generate_sattr_blob(pesign_context *ctx)
{
int rc;
SECItem sa;
+ SpcContentInfo ci;
+
+ memset(&ci, '\0', sizeof (ci));
+ rc = generate_spc_content_info(ctx->cms_ctx, &ci);
+ if (rc < 0) {
+ fprintf(stderr, "Could not generate content info: %s\n",
+ PORT_ErrorToString(PORT_GetError()));
+ exit(1);
+ }
rc = generate_signed_attributes(ctx->cms_ctx, &sa);
if (rc < 0) {
--
1.7.10.4

65
pesign-privkey_unneeded.diff Normal file
View File

@ -0,0 +1,65 @@
---
src/cms_common.c | 9 ++++++++-
src/cms_common.h | 1 +
src/pesign.c | 1 +
3 files changed, 10 insertions(+), 1 deletion(-)
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -276,6 +276,7 @@ struct cbdata {
CERTCertificate *cert;
PK11SlotListElement *psle;
secuPWData *pwdata;
+ int privkey_unneeded;
};
static SECStatus
@@ -288,6 +289,11 @@ is_valid_cert(CERTCertificate *cert, voi
SECKEYPrivateKey *privkey = NULL;
+ if (cbdata->privkey_unneeded) {
+ cbdata->cert = cert;
+ return SECSuccess;
+ }
+
privkey = PK11_FindPrivateKeyFromCert(slot, cert, pwdata);
if (privkey != NULL) {
cbdata->cert = cert;
@@ -398,7 +404,7 @@ err_slots:
goto err_slots_errmsg;
SECStatus status;
- if (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) {
+ if (!cms->privkey_unneeded && PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) {
status = PK11_Authenticate(psle->slot, PR_TRUE, pwdata);
if (status != SECSuccess) {
cms->log(cms, LOG_ERR, "Authentication failed on "
@@ -425,6 +431,7 @@ err_slots:
.cert = NULL,
.psle = psle,
.pwdata = pwdata,
+ .privkey_unneeded = cms->privkey_unneeded,
};
status = PK11_TraverseCertsForNicknameInSlot(&nickname, psle->slot,
--- a/src/cms_common.h
+++ b/src/cms_common.h
@@ -37,6 +37,7 @@ typedef int (*cms_common_logger)(struct
typedef struct cms_context {
PRArenaPool *arena;
void *privkey;
+ int privkey_unneeded;
char *tokenname;
char *certname;
--- a/src/pesign.c
+++ b/src/pesign.c
@@ -650,6 +650,7 @@ main(int argc, char *argv[])
*/
case IMPORT_RAW_SIGNATURE|IMPORT_SATTRS:
check_inputs(ctxp);
+ ctxp->cms_ctx->privkey_unneeded = 1;
rc = find_certificate(ctxp->cms_ctx);
if (rc < 0) {
fprintf(stderr, "pesign: Could not find "

12
pesign.changes
View File

@ -1,3 +1,15 @@
-------------------------------------------------------------------
Wed Feb 6 10:44:48 UTC 2013 - glin@suse.com
- Merge patches for FATE#314552
+ pesign-fix-export-attributes.patch: fix crash when exporting
the signed attributes
+ pesign-privkey_unneeded.diff: Don't check the private key when
importing the raw signature
- Add pesign-bnc801653-teardown-segfault.patch to fix crash when
freeing digests (bnc801653)
- Drop pesign-digestdata.diff which is no longer needed.
-------------------------------------------------------------------
Mon Jan 21 10:17:28 UTC 2013 - glin@suse.com

12
pesign.spec
View File

@ -36,8 +36,12 @@ Patch3: pesign-client-initialize-action.patch
Patch4: pesign-client-read-pin-file.patch
# PATCH-FIX-UPSTREAM pesign-local-database.patch glin@suse.com -- Support local certificate database
Patch5: pesign-local-database.patch
# PATCH-FIX-UPSTREAM pesign-digestdata.diff glin@suse.com -- Generate digestdata
Patch6: pesign-digestdata.diff
# PATCH-FIX-UPSTREAM pesign-bnc801653-teardown-segfault.patch glin@suse.com -- Fix crash when freeing digests
Patch7: pesign-bnc801653-teardown-segfault.patch
# PATCH-FIX-UPSTREAM pesign-fix-export-attributes.patch glin@suse.com -- Fix crash when exporting attributes
Patch9: pesign-fix-export-attributes.patch
# PATCH-FIX-UPSTREAM pesign-privkey_unneeded.diff glin@suse.com -- Don't check the private key when importing the raw signature
Patch10: pesign-privkey_unneeded.diff
BuildRequires: mozilla-nss-devel
BuildRequires: pkg-config
BuildRequires: popt-devel
@ -69,7 +73,9 @@ Authors:
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p0
%patch7 -p1
%patch9 -p1
%patch10 -p1
%build
make OPTFLAGS="$RPM_OPT_FLAGS"