[pesign/f18] Fix various bugs from 0.99-1
Peter Jones
pjones at fedoraproject.org
Wed Oct 17 13:59:21 UTC 2012
commit 70aaeb7aa3ada0355d65414be2ed56493c3cac51
Author: Peter Jones <pjones at redhat.com>
Date: Wed Oct 17 09:59:14 2012 -0400
Fix various bugs from 0.99-1
- Don't make the database unreadable just yet.
..._TraverseCertsForNicknameInSlot-after-all.patch | 55 +++++++++++++++++
0002-Remove-an-unused-field.patch | 38 ++++++++++++
...rtificate-list-we-make-once-we-re-done-us.patch | 26 ++++++++
...e-actually-look-up-the-certificate-when-n.patch | 63 ++++++++++++++++++++
pesign.spec | 15 ++++-
5 files changed, 194 insertions(+), 3 deletions(-)
---
diff --git a/0001-Use-PK11_TraverseCertsForNicknameInSlot-after-all.patch b/0001-Use-PK11_TraverseCertsForNicknameInSlot-after-all.patch
new file mode 100644
index 0000000..16854d5
--- /dev/null
+++ b/0001-Use-PK11_TraverseCertsForNicknameInSlot-after-all.patch
@@ -0,0 +1,55 @@
+From 406a08cc45a2d0761294002d946ee3381a4706ee Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones at redhat.com>
+Date: Wed, 17 Oct 2012 09:53:07 -0400
+Subject: [PATCH 1/4] Use PK11_TraverseCertsForNicknameInSlot after all.
+
+As of 76bc13c it doesn't appear to be leaky any more, and it does a
+better job of disinguishing between certificates with the same nickname
+than we did when doing it by hand.
+
+Signed-off-by: Peter Jones <pjones at redhat.com>
+---
+ src/cms_common.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/src/cms_common.c b/src/cms_common.c
+index 644b44c..2d51979 100644
+--- a/src/cms_common.c
++++ b/src/cms_common.c
+@@ -465,23 +465,23 @@ err_slots:
+ goto err_slots_errmsg;
+ }
+
++ SECItem nickname = {
++ .data = (void *)cms->certname,
++ .len = strlen(cms->certname) + 1,
++ .type = siUTF8String,
++ };
+ struct cbdata cbdata = {
+ .cert = NULL,
+ .psle = psle,
+ .pwdata = pwdata,
+ };
+
+- CERTCertListNode *node = NULL;
+- for (node = CERT_LIST_HEAD(certlist); !CERT_LIST_END(node,certlist);
+- node = CERT_LIST_NEXT(node)) {
+- if (strcmp(cms->certname, node->cert->nickname))
+- continue;
++ status = PK11_TraverseCertsForNicknameInSlot(&nickname, psle->slot,
++ is_valid_cert, &cbdata);
++ if (cbdata.cert == NULL)
++ goto err_slots;
+
+- if (is_valid_cert(node->cert, &cbdata) == SECSuccess) {
+- cms->cert = CERT_DupCertificate(cbdata.cert);
+- break;
+- }
+- }
++ cms->cert = CERT_DupCertificate(cbdata.cert);
+
+ PK11_DestroySlotListElement(slots, &psle);
+ PK11_FreeSlotList(slots);
+--
+1.7.12.1
+
diff --git a/0002-Remove-an-unused-field.patch b/0002-Remove-an-unused-field.patch
new file mode 100644
index 0000000..07407fe
--- /dev/null
+++ b/0002-Remove-an-unused-field.patch
@@ -0,0 +1,38 @@
+From e4aa0a2755d7b00e31760a7f90561b0566445fa4 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones at redhat.com>
+Date: Wed, 17 Oct 2012 09:54:10 -0400
+Subject: [PATCH 2/4] Remove an unused field.
+
+Signed-off-by: Peter Jones <pjones at redhat.com>
+---
+ src/pesign_context.c | 1 -
+ src/pesign_context.h | 1 -
+ 2 files changed, 2 deletions(-)
+
+diff --git a/src/pesign_context.c b/src/pesign_context.c
+index b4b201d..c6afda6 100644
+--- a/src/pesign_context.c
++++ b/src/pesign_context.c
+@@ -88,7 +88,6 @@ pesign_context_fini(pesign_context *ctx)
+ ctx->cms_ctx = NULL;
+ }
+
+- xfree(ctx->certname);
+ xfree(ctx->privkeyfile);
+
+ if (ctx->outpe) {
+diff --git a/src/pesign_context.h b/src/pesign_context.h
+index cabccf3..8f4e45a 100644
+--- a/src/pesign_context.h
++++ b/src/pesign_context.h
+@@ -58,7 +58,6 @@ typedef struct {
+ Pe *outpe;
+
+ char *privkeyfile;
+- char *certname;
+ cms_context *cms_ctx;
+
+ int flags;
+--
+1.7.12.1
+
diff --git a/0003-Free-the-certificate-list-we-make-once-we-re-done-us.patch b/0003-Free-the-certificate-list-we-make-once-we-re-done-us.patch
new file mode 100644
index 0000000..c812edc
--- /dev/null
+++ b/0003-Free-the-certificate-list-we-make-once-we-re-done-us.patch
@@ -0,0 +1,26 @@
+From df5afd0e6d92f31a804f5f1631b6fae3b8ef4d8b Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones at redhat.com>
+Date: Wed, 17 Oct 2012 09:54:37 -0400
+Subject: [PATCH 3/4] Free the certificate list we make once we're done using
+ it.
+
+Signed-off-by: Peter Jones <pjones at redhat.com>
+---
+ src/wincert.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/wincert.c b/src/wincert.c
+index fe666c5..b487dc5 100644
+--- a/src/wincert.c
++++ b/src/wincert.c
+@@ -74,6 +74,7 @@ finalize_signatures(cms_context *cms, Pe *pe)
+ free(clist);
+ return -1;
+ }
++ free(clist);
+ return 0;
+ }
+
+--
+1.7.12.1
+
diff --git a/0004-Make-sure-we-actually-look-up-the-certificate-when-n.patch b/0004-Make-sure-we-actually-look-up-the-certificate-when-n.patch
new file mode 100644
index 0000000..85f1ef9
--- /dev/null
+++ b/0004-Make-sure-we-actually-look-up-the-certificate-when-n.patch
@@ -0,0 +1,63 @@
+From c13cc0b03dcae9a743cc49aaa62c3923a3e7d8f9 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones at redhat.com>
+Date: Wed, 17 Oct 2012 09:55:02 -0400
+Subject: [PATCH 4/4] Make sure we actually look up the certificate when not
+ in daemon mode.
+
+Signed-off-by: Peter Jones <pjones at redhat.com>
+---
+ src/pesign.c | 24 +++++++++++++++---------
+ 1 file changed, 15 insertions(+), 9 deletions(-)
+
+diff --git a/src/pesign.c b/src/pesign.c
+index 108994e..4ddf636 100644
+--- a/src/pesign.c
++++ b/src/pesign.c
+@@ -500,12 +500,6 @@ main(int argc, char *argv[])
+ POPT_TABLEEND
+ };
+
+- tokenname = strdup(tokenname);
+- if (!tokenname) {
+- fprintf(stderr, "could not allocate memory: %m\n");
+- exit(1);
+- }
+-
+ if (!daemon) {
+ SECStatus status = NSS_Init("/etc/pki/pesign");
+ if (status != SECSuccess) {
+@@ -521,8 +515,6 @@ main(int argc, char *argv[])
+ exit(1);
+ }
+
+- ctx.cms_ctx->certname = certname ? strdup(certname) : NULL;
+-
+ optCon = poptGetContext("pesign", argc, (const char **)argv, options,0);
+
+ rc = poptReadDefaultConfig(optCon, 0);
+@@ -559,7 +551,21 @@ main(int argc, char *argv[])
+ exit(!is_help);
+ }
+
+- ctx.cms_ctx->tokenname = tokenname;
++ ctx.cms_ctx->tokenname = tokenname ?
++ PORT_ArenaStrdup(ctx.cms_ctx->arena, tokenname) : NULL;
++ if (!ctx.cms_ctx->tokenname) {
++ fprintf(stderr, "could not allocate token name: %s\n",
++ PORT_ErrorToString(PORT_GetError()));
++ exit(1);
++ }
++
++ ctx.cms_ctx->certname = certname ?
++ PORT_ArenaStrdup(ctx.cms_ctx->arena, certname) : NULL;
++ if (!ctx.cms_ctx->certname) {
++ fprintf(stderr, "could not allocate certificate name: %s\n",
++ PORT_ErrorToString(PORT_GetError()));
++ exit(1);
++ }
+
+ int action = 0;
+ if (daemon)
+--
+1.7.12.1
+
diff --git a/pesign.spec b/pesign.spec
index d215946..a4f10f7 100644
--- a/pesign.spec
+++ b/pesign.spec
@@ -1,7 +1,7 @@
Summary: Signing utility for UEFI binaries
Name: pesign
Version: 0.99
-Release: 1%{?dist}
+Release: 2%{?dist}
Group: Development/System
License: GPLv2
URL: https://github.com/vathpela/pesign
@@ -17,6 +17,11 @@ ExclusiveArch: i686 x86_64 ia64
Source0: pesign-%{version}.tar.bz2
Source1: rh-test-certs.tar.bz2
+Patch0: 0001-Use-PK11_TraverseCertsForNicknameInSlot-after-all.patch
+Patch1: 0002-Remove-an-unused-field.patch
+Patch2: 0003-Free-the-certificate-list-we-make-once-we-re-done-us.patch
+Patch3: 0004-Make-sure-we-actually-look-up-the-certificate-when-n.patch
+
%description
This package contains the pesign utility for signing UEFI binaries as
well as other associated tools.
@@ -72,13 +77,17 @@ exit 0
%{_mandir}/man*/*
%{_unitdir}/pesign.service
%{_prefix}/lib/tmpfiles.d/pesign.conf
-%dir %attr(0770,pesign,pesign) /etc/pki/pesign
-%attr(0660,pesign,pesign) /etc/pki/pesign/*
+%dir %attr(0775,pesign,pesign) /etc/pki/pesign
+%attr(0664,pesign,pesign) /etc/pki/pesign/*
%dir %attr(0770, pesign, pesign) %{_localstatedir}/run/%{name}
%ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/socket
%ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/pesign.pid
%changelog
+* Wed Oct 17 2012 Peter Jones <pjones at redhat.com> - 0.99-2
+- Fix various bugs from 0.99-1
+- Don't make the database unreadable just yet.
+
* Mon Oct 15 2012 Peter Jones <pjones at redhat.com> - 0.99-1
- Update to 0.99
- Add documentation for client/server mode.
More information about the scm-commits
mailing list