Accepting request 156902 from home:gary_lin:branches:Base:System

- Update pesign-bnc805166-fix-signature-list.patch to avoid the potential crash when inserting a signature (bnc#805166) - Add pwdutils to PreReq OBS-URL: https://build.opensuse.org/request/show/156902 OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign?expand=0&rev=14
2013-03-01 03:31:27 +00:00 · 2013-03-01 03:31:27 +00:00 · 97cd6275b9
commit 97cd6275b9
parent ed0b396886
3 changed files with 21 additions and 287 deletions
--- a/pesign-bnc805166-fix-signature-list.patch
+++ b/pesign-bnc805166-fix-signature-list.patch
@ -1,7 +1,7 @@
-From 4956251d79904be08c4012fa06c14434f8e706ed Mon Sep 17 00:00:00 2001
+From ee3ab396e8bc167d3b63f475c463cd4103b1ca6e Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <chingpang@gmail.com>
-Date: Fri, 22 Feb 2013 15:13:08 +0800
-Subject: [PATCH 1/2] Backport patches to fix signature list
+Date: Wed, 27 Feb 2013 15:48:06 +0800
+Subject: [PATCH] Backport patches to fix signature list

 Get cms_context out of wincert functions.
 ee357451be9968cedda57ce13b103eb82c590e67
@ -18,36 +18,21 @@ Include old signatures in new space calculations.
 Make implanting extracted certificates work again.
 5ceddd2f80dfea70d211236190943746c2d2f77b

-Add error handling macros to make code simpler.
-0bafa814b49a9556550cfbc373e0ea5b9edb929e
-
-Add is_issuer_of(cert, cert) helper function.
-7750aaeceb2655807788f8e45417e84cb5404a8e
-
-Add "find_named_certificate()" helper function.
-c89c8dbf7929f8f8f36bc1c4045fcc17d5ce7e5c
-
-Make generate_certificate_list include the issuing certificate.
-8c3d82ceb5029bedfee1577682fec5ff3669ff3c
-
 Fix a casting problem on 32-bit.
 9eb2814858270af2d7ecfbfa5ca131e7be2f9f53
 ---
 libdpe/pe_addcert.c    |    2 +-
- libdpe/pe_updatefile.c |   13 ++++++-
- src/actions.c          |   12 +------
+ libdpe/pe_updatefile.c |   13 +++++++++-
+ src/actions.c          |   12 +--------
 src/actions.h          |    2 +-
- src/cms_common.c       |   93 ++++++++++++++++++++++++++++++++++++++++++++++++
- src/cms_common.h       |   32 ++++++++++++++++-
- src/daemon.c           |    6 ++--
- src/pesign.c           |   35 +++++++++++++++---
- src/peverify.c         |    7 ++--
- src/siglist.c          |   46 +++++++++++++++++++-----
- src/siglist.h          |    3 +-
- src/signed_data.c      |   53 +++++++++++++++++++++------
- src/wincert.c          |   65 +++++++++++++++++++++++----------
- src/wincert.h          |    8 +++--
- 14 files changed, 312 insertions(+), 65 deletions(-)
+ src/daemon.c           |    6 +++--
+ src/pesign.c           |   35 ++++++++++++++++++++++----
+ src/peverify.c         |    7 ++++--
+ src/siglist.c          |   46 ++++++++++++++++++++++++++++------
+ src/siglist.h          |    3 ++-
+ src/wincert.c          |   65 ++++++++++++++++++++++++++++++++++--------------
+ src/wincert.h          |    8 +++---
+ 11 files changed, 146 insertions(+), 53 deletions(-)

 diff --git a/libdpe/pe_addcert.c b/libdpe/pe_addcert.c
 index e391242..b6ba969 100644
@ -155,169 +140,6 @@ index 400876f..4ecaad8 100644
 extern void insert_signature(cms_context *cms, int signum);
 
 #endif /* PESIGN_CRYPTO_H */
-diff --git a/src/cms_common.c b/src/cms_common.c
-index 9ab2021..3b2e71a 100644
--- a/src/cms_common.c
-+++ b/src/cms_common.c
-@@ -304,6 +304,17 @@ is_valid_cert(CERTCertificate *cert, void *data)
- 	return SECFailure;
- }
- 
-+int
-+is_issuer_of(CERTCertificate *c0, CERTCertificate *c1)
-+{
-+	if (c0->derSubject.len != c1->derIssuer.len)
-+		return 0;
-+
-+	if (memcmp(c0->derSubject.data, c1->derIssuer.data, c0->derSubject.len))
-+		return 0;
-+	return 1;
-+}
-+
- /* This is the dumbest function ever, but we need it anyway, because nss
-  * is garbage. */
- static void
-@@ -448,6 +459,88 @@ err_slots:
- 	return 0;
- }
- 
-+int
-+find_named_certificate(cms_context *cms, char *name, CERTCertificate **cert)
-+{
-+	if (!name) {
-+		cms->log(cms, LOG_ERR, "no certificate name specified");
-+		return -1;
-+	}
-+
-+	secuPWData pwdata_val = { 0, 0 };
-+	void *pwdata = cms->pwdata ? cms->pwdata : &pwdata_val;
-+	PK11_SetPasswordFunc(cms->func ? cms->func : SECU_GetModulePassword);
-+
-+	PK11SlotList *slots = NULL;
-+	slots = PK11_GetAllTokens(CKM_RSA_PKCS, PR_FALSE, PR_TRUE, pwdata);
-+	if (!slots)
-+		cmsreterr(-1, cms, "could not get pk11 token list");
-+
-+	PK11SlotListElement *psle = NULL;
-+	psle = PK11_GetFirstSafe(slots);
-+	if (!psle) {
-+		save_port_err(PK11_FreeSlotList(slots));
-+		cmsreterr(-1, cms, "could not get pk11 safe");
-+	}
-+
-+	while (psle) {
-+		if (!strcmp(cms->tokenname, PK11_GetTokenName(psle->slot)))
-+			break;
-+
-+		psle = PK11_GetNextSafe(slots, psle, PR_FALSE);
-+	}
-+
-+	if (!psle) {
-+		save_port_err(PK11_FreeSlotList(slots));
-+		cms->log(cms, LOG_ERR, "could not find token \"%s\"",
-+			cms->tokenname);
-+		return -1;
-+	}
-+
-+	SECStatus status;
-+	if (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) {
-+		status = PK11_Authenticate(psle->slot, PR_TRUE, pwdata);
-+		if (status != SECSuccess) {
-+			PK11_DestroySlotListElement(slots, &psle);
-+			PK11_FreeSlotList(slots);
-+			cms->log(cms, LOG_ERR, "authentication failed for "
-+				"token \"%s\"", cms->tokenname);
-+			return -1;
-+		}
-+	}
-+
-+	CERTCertList *certlist = NULL;
-+	certlist = PK11_ListCertsInSlot(psle->slot);
-+	if (!certlist) {
-+		save_port_err(
-+			PK11_DestroySlotListElement(slots, &psle);
-+			PK11_FreeSlotList(slots));
-+		cmsreterr(-1, cms, "could not get certificate list");
-+	}
-+
-+	CERTCertListNode *node = NULL;
-+        for (node = CERT_LIST_HEAD(certlist); !CERT_LIST_END(node,certlist);
-+						node = CERT_LIST_NEXT(node)) {
-+		if (!strcmp(node->cert->subjectName, name))
-+			break;
-+	}
-+	if (!node) {
-+		PK11_DestroySlotListElement(slots, &psle);
-+		PK11_FreeSlotList(slots);
-+		CERT_DestroyCertList(certlist);
-+
-+		return -1;
-+	}
-+
-+	*cert = CERT_DupCertificate(node->cert);
-+
-+	PK11_DestroySlotListElement(slots, &psle);
-+	PK11_FreeSlotList(slots);
-+	CERT_DestroyCertList(certlist);
-+
-+	return 0;
-+}
-+
- static SEC_ASN1Template EmptySequenceTemplate[] = {
- 	{
- 	.kind = SEC_ASN1_SEQUENCE,
-diff --git a/src/cms_common.h b/src/cms_common.h
-index a3848cd..2b2d619 100644
--- a/src/cms_common.h
-+++ b/src/cms_common.h
-@@ -19,9 +19,35 @@
- #ifndef CMS_COMMON_H
- #define CMS_COMMON_H 1
- 
-#include <stdarg.h>
-+#include <errno.h>
- #include <nss3/cert.h>
- #include <nss3/secpkcs7.h>
-+#include <signal.h>
-+#include <stdarg.h>
-+#include <syslog.h>
-+#include <time.h>
-+#include <unistd.h>
-+
-+#define save_port_err(x)				\
-+	({						\
-+		int __saved_errno = PORT_GetError();	\
-+		x;					\
-+		PORT_SetError(__saved_errno);		\
-+	})
-+
-+#define cmserr(rv, cms, fmt, args...) ({					\
-+		(cms)->log((cms), LOG_ERR, "%s:%s:%d: " fmt ": %s",	\
-+			__FILE__, __func__, __LINE__, ## args,		\
-+			PORT_ErrorToString(PORT_GetError()));		\
-+		exit(rv);						\
-+	})
-+#define cmsreterr(rv, cms, fmt, args...) ({				\
-+		(cms)->log((cms), LOG_ERR, "%s:%s:%d: " fmt ": %s",	\
-+			__FILE__, __func__, __LINE__, ## args,		\
-+			PORT_ErrorToString(PORT_GetError()));		\
-+		return rv;						\
-+	})
-+
- 
- struct digest {
- 	PK11Context *pk11ctx;
-@@ -109,6 +135,10 @@ extern int generate_digest(cms_context *cms, Pe *pe);
- extern int generate_signature(cms_context *ctx);
- extern int unlock_nss_token(cms_context *ctx);
- extern int find_certificate(cms_context *ctx);
-+extern int is_issuer_of(CERTCertificate *c0, CERTCertificate *c1);
-+
-+extern int find_named_certificate(cms_context *cms, char *name,
-+				CERTCertificate **cert);
- 
- extern SECOidTag digest_get_digest_oid(cms_context *cms);
- extern SECOidTag digest_get_encryption_oid(cms_context *cms);
 diff --git a/src/daemon.c b/src/daemon.c
 index 4a9af87..92ae856 100644
 --- a/src/daemon.c
@ -551,73 +373,6 @@ index 2961a39..a576ffd 100644
 extern void signature_list_free(signature_list *sl);
 
 #endif /* SIGLIST_H */
-diff --git a/src/signed_data.c b/src/signed_data.c
-index e676cb3..83957d6 100644
--- a/src/signed_data.c
-+++ b/src/signed_data.c
-@@ -76,20 +76,51 @@ static int
- generate_certificate_list(cms_context *cms, SECItem ***certificate_list_p)
- {
- 	SECItem **certificates = NULL;
-+	void *mark = PORT_ArenaMark(cms->arena);
- 
-	certificates = PORT_ArenaZAlloc(cms->arena, sizeof (SECItem *) * 2);
-	if (!certificates)
-		return -1;
-	
-	certificates[0] = PORT_ArenaZAlloc(cms->arena, sizeof (SECItem));
-	if (!certificates[0]) {
-		int err = PORT_GetError();
-		PORT_ZFree(certificates, sizeof (SECItem) * 2);
-		PORT_SetError(err);
-		return -1;
-+	certificates = PORT_ArenaZAlloc(cms->arena, sizeof (SECItem *) * 3);
-+	if (!certificates) {
-+		save_port_err(PORT_ArenaRelease(cms->arena, mark));
-+		cmsreterr(-1, cms, "could not allocate certificate list");
-+	}
-+	int i = 0;
-+
-+	certificates[i] = PORT_ArenaZAlloc(cms->arena, sizeof (SECItem));
-+	if (!certificates[i]) {
-+		save_port_err(PORT_ArenaRelease(cms->arena, mark));
-+		cmsreterr(-1, cms, "could not allocate certificate entry");
-+	}
-+	SECITEM_CopyItem(cms->arena, certificates[i++], &cms->cert->derCert);
-+
-+	if (!is_issuer_of(cms->cert, cms->cert)) {
-+		CERTCertificate *signer = NULL;
-+		int rc = find_named_certificate(cms, cms->cert->issuerName,
-+						&signer);
-+		if (rc < 0) {
-+			PORT_ArenaRelease(cms->arena, mark);
-+			return -1;
-+		}
-+
-+		if (signer) {
-+			if (signer->derCert.len != cms->cert->derCert.len ||
-+					memcmp(signer->derCert.data,
-+						cms->cert->derCert.data,
-+						signer->derCert.len)) {
-+				certificates[i] = PORT_ArenaZAlloc(cms->arena,
-+							sizeof (SECItem));
-+				if (!certificates[i]) {
-+					save_port_err(
-+						PORT_ArenaRelease(cms->arena, mark));
-+					cmsreterr(-1, cms,"could not allocate "
-+						"certificate entry");
-+				}
-+				SECITEM_CopyItem(cms->arena, certificates[i++],
-+						&signer->derCert);
-+			}
-+			CERT_DestroyCertificate(signer);
-+		}
- 	}
- 
-	SECITEM_CopyItem(cms->arena, certificates[0], &cms->cert->derCert);
- 	*certificate_list_p = certificates;
- 	return 0;
- }
 diff --git a/src/wincert.c b/src/wincert.c
 index 4b5ba45..4197a87 100644
 --- a/src/wincert.c
@ -796,30 +551,3 @@ index 4309915..ed7e15c 100644
 -- 
 1.7.10.4

-
-From 8d86f6db19be98538fd5397a9de5f7d06733746e Mon Sep 17 00:00:00 2001
-From: Gary Ching-Pang Lin <chingpang@gmail.com>
-Date: Mon, 25 Feb 2013 10:43:09 +0800
-Subject: [PATCH 2/2] Don't request the private key in
- find_named_certificate() when importing a raw signature
-
---
- src/cms_common.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/cms_common.c b/src/cms_common.c
-index 3b2e71a..642cc86 100644
--- a/src/cms_common.c
-+++ b/src/cms_common.c
-@@ -498,7 +498,7 @@ find_named_certificate(cms_context *cms, char *name, CERTCertificate **cert)
- 	}
- 
- 	SECStatus status;
-	if (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) {
-+	if (!cms->privkey_unneeded && PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) {
- 		status = PK11_Authenticate(psle->slot, PR_TRUE, pwdata);
- 		if (status != SECSuccess) {
- 			PK11_DestroySlotListElement(slots, &psle);
-- 
-1.7.10.4
-
--- a/pesign.changes
+++ b/pesign.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Mar  1 03:04:35 UTC 2013 - glin@suse.com
+
+- Update pesign-bnc805166-fix-signature-list.patch to avoid the
+  potential crash when inserting a signature (bnc#805166)
+- Add pwdutils to PreReq
+
 -------------------------------------------------------------------
 Mon Feb 25 07:35:59 UTC 2013 - glin@suse.com

--- a/pesign.spec
+++ b/pesign.spec
@ -53,8 +53,7 @@ BuildRequires:  pkgconfig(systemd)
 %{?systemd_requires}
 %define has_systemd 1
 %endif
-BuildRequires:  pwdutils
-Requires:       pwdutils
+PreReq:         pwdutils
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 ExclusiveArch:  ia64 %ix86 x86_64