
Accepting request 156902 from home:gary_lin:branches:Base:System

- Update pesign-bnc805166-fix-signature-list.patch to avoid the potential crash when inserting a signature (bnc#805166)
- Add pwdutils to PreReq

OBS-URL: https://build.opensuse.org/request/show/156902
OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign?expand=0&rev=14
Gary Ching-Pang Lin 2013-03-01 03:31:27 +00:00 committed by Git OBS Bridge
parent ed0b396886
commit 97cd6275b9
3 changed files with 21 additions and 287 deletions


@ -1,7 +1,7 @@
From 4956251d79904be08c4012fa06c14434f8e706ed Mon Sep 17 00:00:00 2001 From ee3ab396e8bc167d3b63f475c463cd4103b1ca6e Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <chingpang@gmail.com> From: Gary Ching-Pang Lin <chingpang@gmail.com>
Date: Fri, 22 Feb 2013 15:13:08 +0800 Date: Wed, 27 Feb 2013 15:48:06 +0800
Subject: [PATCH 1/2] Backport patches to fix signature list Subject: [PATCH] Backport patches to fix signature list
Get cms_context out of wincert functions. Get cms_context out of wincert functions.
ee357451be9968cedda57ce13b103eb82c590e67 ee357451be9968cedda57ce13b103eb82c590e67
@ -18,36 +18,21 @@ Include old signatures in new space calculations.
Make implanting extracted certificates work again. Make implanting extracted certificates work again.
5ceddd2f80dfea70d211236190943746c2d2f77b 5ceddd2f80dfea70d211236190943746c2d2f77b
Add error handling macros to make code simpler.
0bafa814b49a9556550cfbc373e0ea5b9edb929e
Add is_issuer_of(cert, cert) helper function.
7750aaeceb2655807788f8e45417e84cb5404a8e
Add "find_named_certificate()" helper function.
c89c8dbf7929f8f8f36bc1c4045fcc17d5ce7e5c
Make generate_certificate_list include the issuing certificate.
8c3d82ceb5029bedfee1577682fec5ff3669ff3c
Fix a casting problem on 32-bit. Fix a casting problem on 32-bit.
9eb2814858270af2d7ecfbfa5ca131e7be2f9f53 9eb2814858270af2d7ecfbfa5ca131e7be2f9f53
--- ---
libdpe/pe_addcert.c | 2 +- libdpe/pe_addcert.c | 2 +-
libdpe/pe_updatefile.c | 13 ++++++- libdpe/pe_updatefile.c | 13 +++++++++-
src/actions.c | 12 +------ src/actions.c | 12 +--------
src/actions.h | 2 +- src/actions.h | 2 +-
src/cms_common.c | 93 ++++++++++++++++++++++++++++++++++++++++++++++++ src/daemon.c | 6 +++--
src/cms_common.h | 32 ++++++++++++++++- src/pesign.c | 35 ++++++++++++++++++++++----
src/daemon.c | 6 ++-- src/peverify.c | 7 ++++--
src/pesign.c | 35 +++++++++++++++--- src/siglist.c | 46 ++++++++++++++++++++++++++++------
src/peverify.c | 7 ++-- src/siglist.h | 3 ++-
src/siglist.c | 46 +++++++++++++++++++----- src/wincert.c | 65 ++++++++++++++++++++++++++++++++++--------------
src/siglist.h | 3 +- src/wincert.h | 8 +++---
src/signed_data.c | 53 +++++++++++++++++++++------ 11 files changed, 146 insertions(+), 53 deletions(-)
src/wincert.c | 65 +++++++++++++++++++++++----------
src/wincert.h | 8 +++--
14 files changed, 312 insertions(+), 65 deletions(-)
diff --git a/libdpe/pe_addcert.c b/libdpe/pe_addcert.c diff --git a/libdpe/pe_addcert.c b/libdpe/pe_addcert.c
index e391242..b6ba969 100644 index e391242..b6ba969 100644
@ -155,169 +140,6 @@ index 400876f..4ecaad8 100644
extern void insert_signature(cms_context *cms, int signum); extern void insert_signature(cms_context *cms, int signum);
#endif /* PESIGN_CRYPTO_H */ #endif /* PESIGN_CRYPTO_H */
diff --git a/src/cms_common.c b/src/cms_common.c
index 9ab2021..3b2e71a 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -304,6 +304,17 @@ is_valid_cert(CERTCertificate *cert, void *data)
return SECFailure;
}
+int
+is_issuer_of(CERTCertificate *c0, CERTCertificate *c1)
+{
+ if (c0->derSubject.len != c1->derIssuer.len)
+ return 0;
+
+ if (memcmp(c0->derSubject.data, c1->derIssuer.data, c0->derSubject.len))
+ return 0;
+ return 1;
+}
+
/* This is the dumbest function ever, but we need it anyway, because nss
* is garbage. */
static void
@@ -448,6 +459,88 @@ err_slots:
return 0;
}
+int
+find_named_certificate(cms_context *cms, char *name, CERTCertificate **cert)
+{
+ if (!name) {
+ cms->log(cms, LOG_ERR, "no certificate name specified");
+ return -1;
+ }
+
+ secuPWData pwdata_val = { 0, 0 };
+ void *pwdata = cms->pwdata ? cms->pwdata : &pwdata_val;
+ PK11_SetPasswordFunc(cms->func ? cms->func : SECU_GetModulePassword);
+
+ PK11SlotList *slots = NULL;
+ slots = PK11_GetAllTokens(CKM_RSA_PKCS, PR_FALSE, PR_TRUE, pwdata);
+ if (!slots)
+ cmsreterr(-1, cms, "could not get pk11 token list");
+
+ PK11SlotListElement *psle = NULL;
+ psle = PK11_GetFirstSafe(slots);
+ if (!psle) {
+ save_port_err(PK11_FreeSlotList(slots));
+ cmsreterr(-1, cms, "could not get pk11 safe");
+ }
+
+ while (psle) {
+ if (!strcmp(cms->tokenname, PK11_GetTokenName(psle->slot)))
+ break;
+
+ psle = PK11_GetNextSafe(slots, psle, PR_FALSE);
+ }
+
+ if (!psle) {
+ save_port_err(PK11_FreeSlotList(slots));
+ cms->log(cms, LOG_ERR, "could not find token \"%s\"",
+ cms->tokenname);
+ return -1;
+ }
+
+ SECStatus status;
+ if (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) {
+ status = PK11_Authenticate(psle->slot, PR_TRUE, pwdata);
+ if (status != SECSuccess) {
+ PK11_DestroySlotListElement(slots, &psle);
+ PK11_FreeSlotList(slots);
+ cms->log(cms, LOG_ERR, "authentication failed for "
+ "token \"%s\"", cms->tokenname);
+ return -1;
+ }
+ }
+
+ CERTCertList *certlist = NULL;
+ certlist = PK11_ListCertsInSlot(psle->slot);
+ if (!certlist) {
+ save_port_err(
+ PK11_DestroySlotListElement(slots, &psle);
+ PK11_FreeSlotList(slots));
+ cmsreterr(-1, cms, "could not get certificate list");
+ }
+
+ CERTCertListNode *node = NULL;
+ for (node = CERT_LIST_HEAD(certlist); !CERT_LIST_END(node,certlist);
+ node = CERT_LIST_NEXT(node)) {
+ if (!strcmp(node->cert->subjectName, name))
+ break;
+ }
+ if (!node) {
+ PK11_DestroySlotListElement(slots, &psle);
+ PK11_FreeSlotList(slots);
+ CERT_DestroyCertList(certlist);
+
+ return -1;
+ }
+
+ *cert = CERT_DupCertificate(node->cert);
+
+ PK11_DestroySlotListElement(slots, &psle);
+ PK11_FreeSlotList(slots);
+ CERT_DestroyCertList(certlist);
+
+ return 0;
+}
+
static SEC_ASN1Template EmptySequenceTemplate[] = {
{
.kind = SEC_ASN1_SEQUENCE,
diff --git a/src/cms_common.h b/src/cms_common.h
index a3848cd..2b2d619 100644
--- a/src/cms_common.h
+++ b/src/cms_common.h
@@ -19,9 +19,35 @@
#ifndef CMS_COMMON_H
#define CMS_COMMON_H 1
-#include <stdarg.h>
+#include <errno.h>
#include <nss3/cert.h>
#include <nss3/secpkcs7.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <syslog.h>
+#include <time.h>
+#include <unistd.h>
+
+#define save_port_err(x) \
+ ({ \
+ int __saved_errno = PORT_GetError(); \
+ x; \
+ PORT_SetError(__saved_errno); \
+ })
+
+#define cmserr(rv, cms, fmt, args...) ({ \
+ (cms)->log((cms), LOG_ERR, "%s:%s:%d: " fmt ": %s", \
+ __FILE__, __func__, __LINE__, ## args, \
+ PORT_ErrorToString(PORT_GetError())); \
+ exit(rv); \
+ })
+#define cmsreterr(rv, cms, fmt, args...) ({ \
+ (cms)->log((cms), LOG_ERR, "%s:%s:%d: " fmt ": %s", \
+ __FILE__, __func__, __LINE__, ## args, \
+ PORT_ErrorToString(PORT_GetError())); \
+ return rv; \
+ })
+
struct digest {
PK11Context *pk11ctx;
@@ -109,6 +135,10 @@ extern int generate_digest(cms_context *cms, Pe *pe);
extern int generate_signature(cms_context *ctx);
extern int unlock_nss_token(cms_context *ctx);
extern int find_certificate(cms_context *ctx);
+extern int is_issuer_of(CERTCertificate *c0, CERTCertificate *c1);
+
+extern int find_named_certificate(cms_context *cms, char *name,
+ CERTCertificate **cert);
extern SECOidTag digest_get_digest_oid(cms_context *cms);
extern SECOidTag digest_get_encryption_oid(cms_context *cms);
diff --git a/src/daemon.c b/src/daemon.c diff --git a/src/daemon.c b/src/daemon.c
index 4a9af87..92ae856 100644 index 4a9af87..92ae856 100644
--- a/src/daemon.c --- a/src/daemon.c
@ -551,73 +373,6 @@ index 2961a39..a576ffd 100644
extern void signature_list_free(signature_list *sl); extern void signature_list_free(signature_list *sl);
#endif /* SIGLIST_H */ #endif /* SIGLIST_H */
diff --git a/src/signed_data.c b/src/signed_data.c
index e676cb3..83957d6 100644
--- a/src/signed_data.c
+++ b/src/signed_data.c
@@ -76,20 +76,51 @@ static int
generate_certificate_list(cms_context *cms, SECItem ***certificate_list_p)
{
SECItem **certificates = NULL;
+ void *mark = PORT_ArenaMark(cms->arena);
- certificates = PORT_ArenaZAlloc(cms->arena, sizeof (SECItem *) * 2);
- if (!certificates)
- return -1;
-
- certificates[0] = PORT_ArenaZAlloc(cms->arena, sizeof (SECItem));
- if (!certificates[0]) {
- int err = PORT_GetError();
- PORT_ZFree(certificates, sizeof (SECItem) * 2);
- PORT_SetError(err);
- return -1;
+ certificates = PORT_ArenaZAlloc(cms->arena, sizeof (SECItem *) * 3);
+ if (!certificates) {
+ save_port_err(PORT_ArenaRelease(cms->arena, mark));
+ cmsreterr(-1, cms, "could not allocate certificate list");
+ }
+ int i = 0;
+
+ certificates[i] = PORT_ArenaZAlloc(cms->arena, sizeof (SECItem));
+ if (!certificates[i]) {
+ save_port_err(PORT_ArenaRelease(cms->arena, mark));
+ cmsreterr(-1, cms, "could not allocate certificate entry");
+ }
+ SECITEM_CopyItem(cms->arena, certificates[i++], &cms->cert->derCert);
+
+ if (!is_issuer_of(cms->cert, cms->cert)) {
+ CERTCertificate *signer = NULL;
+ int rc = find_named_certificate(cms, cms->cert->issuerName,
+ &signer);
+ if (rc < 0) {
+ PORT_ArenaRelease(cms->arena, mark);
+ return -1;
+ }
+
+ if (signer) {
+ if (signer->derCert.len != cms->cert->derCert.len ||
+ memcmp(signer->derCert.data,
+ cms->cert->derCert.data,
+ signer->derCert.len)) {
+ certificates[i] = PORT_ArenaZAlloc(cms->arena,
+ sizeof (SECItem));
+ if (!certificates[i]) {
+ save_port_err(
+ PORT_ArenaRelease(cms->arena, mark));
+ cmsreterr(-1, cms,"could not allocate "
+ "certificate entry");
+ }
+ SECITEM_CopyItem(cms->arena, certificates[i++],
+ &signer->derCert);
+ }
+ CERT_DestroyCertificate(signer);
+ }
}
- SECITEM_CopyItem(cms->arena, certificates[0], &cms->cert->derCert);
*certificate_list_p = certificates;
return 0;
}
diff --git a/src/wincert.c b/src/wincert.c diff --git a/src/wincert.c b/src/wincert.c
index 4b5ba45..4197a87 100644 index 4b5ba45..4197a87 100644
--- a/src/wincert.c --- a/src/wincert.c
@ -796,30 +551,3 @@ index 4309915..ed7e15c 100644
-- --
1.7.10.4 1.7.10.4
From 8d86f6db19be98538fd5397a9de5f7d06733746e Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <chingpang@gmail.com>
Date: Mon, 25 Feb 2013 10:43:09 +0800
Subject: [PATCH 2/2] Don't request the private key in
find_named_certificate() when importing a raw signature
---
src/cms_common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/cms_common.c b/src/cms_common.c
index 3b2e71a..642cc86 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -498,7 +498,7 @@ find_named_certificate(cms_context *cms, char *name, CERTCertificate **cert)
}
SECStatus status;
- if (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) {
+ if (!cms->privkey_unneeded && PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) {
status = PK11_Authenticate(psle->slot, PR_TRUE, pwdata);
if (status != SECSuccess) {
PK11_DestroySlotListElement(slots, &psle);
--
1.7.10.4
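Review bot: The refreshed patch drops more than the changelog entry records. The `src/cms_common.c`, `src/cms_common.h` and `src/signed_data.c` hunks and the whole of patch 2/2 are gone, so `generate_certificate_list()` presumably goes back to emitting only the signing certificate, and new signatures would no longer carry the issuer certificate that backport 8c3d82ce added. A verifier that builds its chain from the certificates embedded in the signature may be affected, so the changelog should say so, for example `Drop the find_named_certificate()/is_issuer_of() backports; signatures embed only the signing certificate again`. The hunks that remain in the patch are not shown on this page, so this is inferred from the removed lines and the new diffstat.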


@ -1,3 +1,10 @@
-------------------------------------------------------------------
Fri Mar 1 03:04:35 UTC 2013 - glin@suse.com
- Update pesign-bnc805166-fix-signature-list.patch to avoid the
potential crash when inserting a signature (bnc#805166)
- Add pwdutils to PreReq
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Feb 25 07:35:59 UTC 2013 - glin@suse.com Mon Feb 25 07:35:59 UTC 2013 - glin@suse.com


@ -53,8 +53,7 @@ BuildRequires: pkgconfig(systemd)
%{?systemd_requires} %{?systemd_requires}
%define has_systemd 1 %define has_systemd 1
%endif %endif
BuildRequires: pwdutils PreReq: pwdutils
Requires: pwdutils
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
ExclusiveArch: ia64 %ix86 x86_64 ExclusiveArch: ia64 %ix86 x86_64
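Review bot: `PreReq: pwdutils` replaces both the `BuildRequires` and the plain `Requires` line, and nothing in the hunk says which scriptlet depends on it. RPM treats `PreReq` as a legacy tag; `Requires(pre): pwdutils` expresses the same install-ordering requirement and names the scriptlet, assuming the account tools are called from `%pre` (the scriptlets are outside this hunk). If the service account is created there, its tools must be installed before the scriptlet runs or the user and group will be missing. A comment above the tag, such as `# useradd/groupadd are run from %pre`, would record why the dependency is ordered this way.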