From 97cd6275b9fa9448ac4e190c71e3ec79ad310204a06c8e9f3a36863f084705df Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Fri, 1 Mar 2013 03:31:27 +0000 Subject: [PATCH] Accepting request 156902 from home:gary_lin:branches:Base:System - Update pesign-bnc805166-fix-signature-list.patch to avoid the potential crash when inserting a signature (bnc#805166) - Add pwdutils to PreReq OBS-URL: https://build.opensuse.org/request/show/156902 OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign?expand=0&rev=14 --- pesign-bnc805166-fix-signature-list.patch | 298 +--------------------- pesign.changes | 7 + pesign.spec | 3 +- 3 files changed, 21 insertions(+), 287 deletions(-) diff --git a/pesign-bnc805166-fix-signature-list.patch b/pesign-bnc805166-fix-signature-list.patch index 0506bad..4dbb46c 100644 --- a/pesign-bnc805166-fix-signature-list.patch +++ b/pesign-bnc805166-fix-signature-list.patch @@ -1,7 +1,7 @@ -From 4956251d79904be08c4012fa06c14434f8e706ed Mon Sep 17 00:00:00 2001 +From ee3ab396e8bc167d3b63f475c463cd4103b1ca6e Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin -Date: Fri, 22 Feb 2013 15:13:08 +0800 -Subject: [PATCH 1/2] Backport patches to fix signature list +Date: Wed, 27 Feb 2013 15:48:06 +0800 +Subject: [PATCH] Backport patches to fix signature list Get cms_context out of wincert functions. ee357451be9968cedda57ce13b103eb82c590e67 @@ -18,36 +18,21 @@ Include old signatures in new space calculations. Make implanting extracted certificates work again. 5ceddd2f80dfea70d211236190943746c2d2f77b -Add error handling macros to make code simpler. -0bafa814b49a9556550cfbc373e0ea5b9edb929e - -Add is_issuer_of(cert, cert) helper function. -7750aaeceb2655807788f8e45417e84cb5404a8e - -Add "find_named_certificate()" helper function. -c89c8dbf7929f8f8f36bc1c4045fcc17d5ce7e5c - -Make generate_certificate_list include the issuing certificate. -8c3d82ceb5029bedfee1577682fec5ff3669ff3c - Fix a casting problem on 32-bit. 9eb2814858270af2d7ecfbfa5ca131e7be2f9f53 --- libdpe/pe_addcert.c | 2 +- - libdpe/pe_updatefile.c | 13 ++++++- - src/actions.c | 12 +------ + libdpe/pe_updatefile.c | 13 +++++++++- + src/actions.c | 12 +-------- src/actions.h | 2 +- - src/cms_common.c | 93 ++++++++++++++++++++++++++++++++++++++++++++++++ - src/cms_common.h | 32 ++++++++++++++++- - src/daemon.c | 6 ++-- - src/pesign.c | 35 +++++++++++++++--- - src/peverify.c | 7 ++-- - src/siglist.c | 46 +++++++++++++++++++----- - src/siglist.h | 3 +- - src/signed_data.c | 53 +++++++++++++++++++++------ - src/wincert.c | 65 +++++++++++++++++++++++---------- - src/wincert.h | 8 +++-- - 14 files changed, 312 insertions(+), 65 deletions(-) + src/daemon.c | 6 +++-- + src/pesign.c | 35 ++++++++++++++++++++++---- + src/peverify.c | 7 ++++-- + src/siglist.c | 46 ++++++++++++++++++++++++++++------ + src/siglist.h | 3 ++- + src/wincert.c | 65 ++++++++++++++++++++++++++++++++++-------------- + src/wincert.h | 8 +++--- + 11 files changed, 146 insertions(+), 53 deletions(-) diff --git a/libdpe/pe_addcert.c b/libdpe/pe_addcert.c index e391242..b6ba969 100644 @@ -155,169 +140,6 @@ index 400876f..4ecaad8 100644 extern void insert_signature(cms_context *cms, int signum); #endif /* PESIGN_CRYPTO_H */ -diff --git a/src/cms_common.c b/src/cms_common.c -index 9ab2021..3b2e71a 100644 ---- a/src/cms_common.c -+++ b/src/cms_common.c -@@ -304,6 +304,17 @@ is_valid_cert(CERTCertificate *cert, void *data) - return SECFailure; - } - -+int -+is_issuer_of(CERTCertificate *c0, CERTCertificate *c1) -+{ -+ if (c0->derSubject.len != c1->derIssuer.len) -+ return 0; -+ -+ if (memcmp(c0->derSubject.data, c1->derIssuer.data, c0->derSubject.len)) -+ return 0; -+ return 1; -+} -+ - /* This is the dumbest function ever, but we need it anyway, because nss - * is garbage. */ - static void -@@ -448,6 +459,88 @@ err_slots: - return 0; - } - -+int -+find_named_certificate(cms_context *cms, char *name, CERTCertificate **cert) -+{ -+ if (!name) { -+ cms->log(cms, LOG_ERR, "no certificate name specified"); -+ return -1; -+ } -+ -+ secuPWData pwdata_val = { 0, 0 }; -+ void *pwdata = cms->pwdata ? cms->pwdata : &pwdata_val; -+ PK11_SetPasswordFunc(cms->func ? cms->func : SECU_GetModulePassword); -+ -+ PK11SlotList *slots = NULL; -+ slots = PK11_GetAllTokens(CKM_RSA_PKCS, PR_FALSE, PR_TRUE, pwdata); -+ if (!slots) -+ cmsreterr(-1, cms, "could not get pk11 token list"); -+ -+ PK11SlotListElement *psle = NULL; -+ psle = PK11_GetFirstSafe(slots); -+ if (!psle) { -+ save_port_err(PK11_FreeSlotList(slots)); -+ cmsreterr(-1, cms, "could not get pk11 safe"); -+ } -+ -+ while (psle) { -+ if (!strcmp(cms->tokenname, PK11_GetTokenName(psle->slot))) -+ break; -+ -+ psle = PK11_GetNextSafe(slots, psle, PR_FALSE); -+ } -+ -+ if (!psle) { -+ save_port_err(PK11_FreeSlotList(slots)); -+ cms->log(cms, LOG_ERR, "could not find token \"%s\"", -+ cms->tokenname); -+ return -1; -+ } -+ -+ SECStatus status; -+ if (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) { -+ status = PK11_Authenticate(psle->slot, PR_TRUE, pwdata); -+ if (status != SECSuccess) { -+ PK11_DestroySlotListElement(slots, &psle); -+ PK11_FreeSlotList(slots); -+ cms->log(cms, LOG_ERR, "authentication failed for " -+ "token \"%s\"", cms->tokenname); -+ return -1; -+ } -+ } -+ -+ CERTCertList *certlist = NULL; -+ certlist = PK11_ListCertsInSlot(psle->slot); -+ if (!certlist) { -+ save_port_err( -+ PK11_DestroySlotListElement(slots, &psle); -+ PK11_FreeSlotList(slots)); -+ cmsreterr(-1, cms, "could not get certificate list"); -+ } -+ -+ CERTCertListNode *node = NULL; -+ for (node = CERT_LIST_HEAD(certlist); !CERT_LIST_END(node,certlist); -+ node = CERT_LIST_NEXT(node)) { -+ if (!strcmp(node->cert->subjectName, name)) -+ break; -+ } -+ if (!node) { -+ PK11_DestroySlotListElement(slots, &psle); -+ PK11_FreeSlotList(slots); -+ CERT_DestroyCertList(certlist); -+ -+ return -1; -+ } -+ -+ *cert = CERT_DupCertificate(node->cert); -+ -+ PK11_DestroySlotListElement(slots, &psle); -+ PK11_FreeSlotList(slots); -+ CERT_DestroyCertList(certlist); -+ -+ return 0; -+} -+ - static SEC_ASN1Template EmptySequenceTemplate[] = { - { - .kind = SEC_ASN1_SEQUENCE, -diff --git a/src/cms_common.h b/src/cms_common.h -index a3848cd..2b2d619 100644 ---- a/src/cms_common.h -+++ b/src/cms_common.h -@@ -19,9 +19,35 @@ - #ifndef CMS_COMMON_H - #define CMS_COMMON_H 1 - --#include -+#include - #include - #include -+#include -+#include -+#include -+#include -+#include -+ -+#define save_port_err(x) \ -+ ({ \ -+ int __saved_errno = PORT_GetError(); \ -+ x; \ -+ PORT_SetError(__saved_errno); \ -+ }) -+ -+#define cmserr(rv, cms, fmt, args...) ({ \ -+ (cms)->log((cms), LOG_ERR, "%s:%s:%d: " fmt ": %s", \ -+ __FILE__, __func__, __LINE__, ## args, \ -+ PORT_ErrorToString(PORT_GetError())); \ -+ exit(rv); \ -+ }) -+#define cmsreterr(rv, cms, fmt, args...) ({ \ -+ (cms)->log((cms), LOG_ERR, "%s:%s:%d: " fmt ": %s", \ -+ __FILE__, __func__, __LINE__, ## args, \ -+ PORT_ErrorToString(PORT_GetError())); \ -+ return rv; \ -+ }) -+ - - struct digest { - PK11Context *pk11ctx; -@@ -109,6 +135,10 @@ extern int generate_digest(cms_context *cms, Pe *pe); - extern int generate_signature(cms_context *ctx); - extern int unlock_nss_token(cms_context *ctx); - extern int find_certificate(cms_context *ctx); -+extern int is_issuer_of(CERTCertificate *c0, CERTCertificate *c1); -+ -+extern int find_named_certificate(cms_context *cms, char *name, -+ CERTCertificate **cert); - - extern SECOidTag digest_get_digest_oid(cms_context *cms); - extern SECOidTag digest_get_encryption_oid(cms_context *cms); diff --git a/src/daemon.c b/src/daemon.c index 4a9af87..92ae856 100644 --- a/src/daemon.c @@ -551,73 +373,6 @@ index 2961a39..a576ffd 100644 extern void signature_list_free(signature_list *sl); #endif /* SIGLIST_H */ -diff --git a/src/signed_data.c b/src/signed_data.c -index e676cb3..83957d6 100644 ---- a/src/signed_data.c -+++ b/src/signed_data.c -@@ -76,20 +76,51 @@ static int - generate_certificate_list(cms_context *cms, SECItem ***certificate_list_p) - { - SECItem **certificates = NULL; -+ void *mark = PORT_ArenaMark(cms->arena); - -- certificates = PORT_ArenaZAlloc(cms->arena, sizeof (SECItem *) * 2); -- if (!certificates) -- return -1; -- -- certificates[0] = PORT_ArenaZAlloc(cms->arena, sizeof (SECItem)); -- if (!certificates[0]) { -- int err = PORT_GetError(); -- PORT_ZFree(certificates, sizeof (SECItem) * 2); -- PORT_SetError(err); -- return -1; -+ certificates = PORT_ArenaZAlloc(cms->arena, sizeof (SECItem *) * 3); -+ if (!certificates) { -+ save_port_err(PORT_ArenaRelease(cms->arena, mark)); -+ cmsreterr(-1, cms, "could not allocate certificate list"); -+ } -+ int i = 0; -+ -+ certificates[i] = PORT_ArenaZAlloc(cms->arena, sizeof (SECItem)); -+ if (!certificates[i]) { -+ save_port_err(PORT_ArenaRelease(cms->arena, mark)); -+ cmsreterr(-1, cms, "could not allocate certificate entry"); -+ } -+ SECITEM_CopyItem(cms->arena, certificates[i++], &cms->cert->derCert); -+ -+ if (!is_issuer_of(cms->cert, cms->cert)) { -+ CERTCertificate *signer = NULL; -+ int rc = find_named_certificate(cms, cms->cert->issuerName, -+ &signer); -+ if (rc < 0) { -+ PORT_ArenaRelease(cms->arena, mark); -+ return -1; -+ } -+ -+ if (signer) { -+ if (signer->derCert.len != cms->cert->derCert.len || -+ memcmp(signer->derCert.data, -+ cms->cert->derCert.data, -+ signer->derCert.len)) { -+ certificates[i] = PORT_ArenaZAlloc(cms->arena, -+ sizeof (SECItem)); -+ if (!certificates[i]) { -+ save_port_err( -+ PORT_ArenaRelease(cms->arena, mark)); -+ cmsreterr(-1, cms,"could not allocate " -+ "certificate entry"); -+ } -+ SECITEM_CopyItem(cms->arena, certificates[i++], -+ &signer->derCert); -+ } -+ CERT_DestroyCertificate(signer); -+ } - } - -- SECITEM_CopyItem(cms->arena, certificates[0], &cms->cert->derCert); - *certificate_list_p = certificates; - return 0; - } diff --git a/src/wincert.c b/src/wincert.c index 4b5ba45..4197a87 100644 --- a/src/wincert.c @@ -796,30 +551,3 @@ index 4309915..ed7e15c 100644 -- 1.7.10.4 - -From 8d86f6db19be98538fd5397a9de5f7d06733746e Mon Sep 17 00:00:00 2001 -From: Gary Ching-Pang Lin -Date: Mon, 25 Feb 2013 10:43:09 +0800 -Subject: [PATCH 2/2] Don't request the private key in - find_named_certificate() when importing a raw signature - ---- - src/cms_common.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/cms_common.c b/src/cms_common.c -index 3b2e71a..642cc86 100644 ---- a/src/cms_common.c -+++ b/src/cms_common.c -@@ -498,7 +498,7 @@ find_named_certificate(cms_context *cms, char *name, CERTCertificate **cert) - } - - SECStatus status; -- if (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) { -+ if (!cms->privkey_unneeded && PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) { - status = PK11_Authenticate(psle->slot, PR_TRUE, pwdata); - if (status != SECSuccess) { - PK11_DestroySlotListElement(slots, &psle); --- -1.7.10.4 - diff --git a/pesign.changes b/pesign.changes index a273d7b..7cfb788 100644 --- a/pesign.changes +++ b/pesign.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Fri Mar 1 03:04:35 UTC 2013 - glin@suse.com + +- Update pesign-bnc805166-fix-signature-list.patch to avoid the + potential crash when inserting a signature (bnc#805166) +- Add pwdutils to PreReq + ------------------------------------------------------------------- Mon Feb 25 07:35:59 UTC 2013 - glin@suse.com diff --git a/pesign.spec b/pesign.spec index b02c2f6..e8aad53 100644 --- a/pesign.spec +++ b/pesign.spec @@ -53,8 +53,7 @@ BuildRequires: pkgconfig(systemd) %{?systemd_requires} %define has_systemd 1 %endif -BuildRequires: pwdutils -Requires: pwdutils +PreReq: pwdutils BuildRoot: %{_tmppath}/%{name}-%{version}-build ExclusiveArch: ia64 %ix86 x86_64