genkey: escape passwords properly (#980859)

- genkey: escape commas in subject (#803305)
- keyutil: fix crashes when printing errors (#1045354)
- drop requirement on mod_ssl/mod_nss again (#1057858)
Resolves: rhbz#1057858
Resolves: rhbz#1045354
Resolves: rhbz#803305
Resolves: rhbz#980859

crypto-utils.spec

@@ -4,7 +4,7 @@
 Summary: SSL certificate and key management utilities
 Name: crypto-utils
 Version: 2.4.1
-Release: 46%{?dist}
+Release: 47%{?dist}
 Group: Applications/System
 # certwatch.c is GPLv2
 # pemutil.c etc are (MPLv1.1+ or GPLv2+ or LPGLv2+)
@@ -31,7 +31,7 @@ Source18: copying
 
 BuildRequires: nss-devel >= 3.13.1, nss-util-devel >= 3.13.1, pkgconfig, newt-devel, xmlto
 BuildRequires: perl-devel, perl(Newt), perl(ExtUtils::MakeMaker)
-Requires: mod_nss, mod_ssl, perl(Newt), nss >= 3.13.1, nss-util >= 3.13.1
+Requires: perl(Newt), nss >= 3.13.1, nss-util >= 3.13.1
 Requires: %(eval `perl -V:version`; echo "perl(:MODULE_COMPAT_$version)")
 Requires: crontabs
 
@@ -53,11 +53,11 @@ pushd srcs
     cp -p $RPM_SOURCE_DIR/$f $f
  done
 
- cc $RPM_OPT_FLAGS -Wall -Werror -I/usr/include/nspr4 -I/usr/include/nss3 \
+ cc $RPM_OPT_FLAGS -Wall -Werror=implicit-function-declaration -Werror -I/usr/include/nspr4 -I/usr/include/nss3 \
      certwatch.c pemutil.c \
     -o certwatch -lnspr4 -lnss3
 
- cc $RPM_OPT_FLAGS -Wall -Werror -I/usr/include/nspr4 -I/usr/include/nss3 \
+ cc $RPM_OPT_FLAGS -Wall -Werror=implicit-function-declaration -Werror -I/usr/include/nspr4 -I/usr/include/nss3 \
      keyutil.c certext.c secutil.c \
    -o keyutil -lplc4 -lnspr4 -lnss3
 
@@ -135,6 +135,12 @@ chmod -R u+w $RPM_BUILD_ROOT
 %{perl_vendorarch}/auto/Crypt
 
 %changelog
+* Mon Jan 27 2014 Joe Orton <jorton@redhat.com> - 2.4.1-47
+- genkey: escape passwords properly (#980859)
+- genkey: escape commas in subject (#803305)
+- keyutil: fix crashes when printing errors (#1045354)
+- drop requirement on mod_ssl/mod_nss again (#1057858)
+
 * Wed Jan 22 2014 Joe Orton <jorton@redhat.com> - 2.4.1-46
 - genkey: further tweaks to wording around key sizes
 

genkey.pl

@@ -918,7 +918,9 @@ EOT
 
     return $ret if ($ret eq "Back" or $ret eq "Cancel");
 
-    $keyEncPassword = $pass1;
+    # FIXME: Ugly, should use perl system() correctly.
+    $pass1 =~ s/"/\\\"/g;
+    $keyEncPassword = "\"". $pass1. "\"";
 
     return "Next";
 }
@@ -1284,6 +1286,11 @@ sub getCertDetails
     $cert{'OU'} = $ents{'OU'}->Get();
     $cert{'CN'} = $ents{'CN'}->Get();
 
+    # Escape commas
+    foreach my $part (keys %cert) {
+        $cert{$part} =~ s/,/\\\\,/g;
+    }
+
     # Build the subject from the details
     
     $SEP     = ", ";

keyutil.c

@@ -270,7 +270,7 @@ static SECStatus nss_Init_Tokens(secuPWData *pwdata)
         if (SECSuccess != ret) {
             if (PR_GetError() == SEC_ERROR_BAD_PASSWORD) {
         	    SECU_PrintError(progName ? progName : "keyutil",
-        	    "%s: The password for token '%s' is incorrect\n",
+        	    "The password for token '%s' is incorrect\n",
         	    PK11_GetTokenName(slot));
             }
             status = SECFailure;
@@ -337,7 +337,7 @@ static SECStatus loadCert(
             cert = PK11_FindCertFromNickname((char *)nickname, NULL);
             if (!cert) {
             	SECU_PrintError(progName ? progName : "keyutil",
-                    "%s: Can't find cert named (%s), bailing out\n", nickname);
+                    "Can't find cert named (%s), bailing out\n", nickname);
                 rv = 255;
         	    break;
         	} else {
@@ -404,7 +404,7 @@ static SECStatus loadKey(
         rv = PK11_Authenticate(slot, PR_TRUE, pwdata);
         if (rv != SECSuccess) {
             SECU_PrintError(progName ? progName : "keyutil",
-                "Can't authenticate\n", PORT_ErrorToString(rv));
+                "Can't authenticate\n");
             break;
         }
 
@@ -1484,7 +1484,7 @@ static int keyutil_main(
             goto shutdown;
         }
 
-        subject = CERT_AsciiToName((char *)subjectstr);
+        subject = CERT_AsciiToName(subjectstr);
         if (!subject) {
             SECU_PrintError(progName,
                 "Improperly formatted name: \"%s\"\n", subjectstr);
@@ -1497,7 +1497,7 @@ static int keyutil_main(
     outFile = PR_Open(certreqfile, PR_RDWR | PR_CREATE_FILE | PR_TRUNCATE, 00660);
     if (!outFile) {
         SECU_PrintError(progName,
-               "%s -o: unable to open \"%s\" for writing (%ld, %ld)\n",
+               "-o: unable to open \"%s\" for writing (%d, %d)\n",
                certreqfile, PR_GetError(), PR_GetOSError());
         return 255;
     }
@@ -1560,7 +1560,7 @@ static int keyutil_main(
         inFile  = PR_Open(certreqfile, PR_RDONLY, 0);
         assert(inFile);
         if (!inFile) {
-            SECU_PrintError(progName, "Failed to open file \"%s\" (%ld, %ld) for reading.\n",
+            SECU_PrintError(progName, "Failed to open file \"%s\" (%d, %d) for reading.\n",
                   certreqfile, PR_GetError(), PR_GetOSError());
             rv = SECFailure;
             goto shutdown;
@@ -1568,7 +1568,7 @@ static int keyutil_main(
 
         outFile = PR_Open(certfile, PR_RDWR | PR_CREATE_FILE | PR_TRUNCATE, 00660);
         if (!outFile) {
-            SECU_PrintError(progName, "Failed to open file \"%s\" (%ld, %ld).\n",
+            SECU_PrintError(progName, "Failed to open file \"%s\" (%d, %d).\n",
                        certfile, PR_GetError(), PR_GetOSError());
             rv = SECFailure;
             goto    shutdown;
@@ -1588,8 +1588,8 @@ static int keyutil_main(
           ASCIIForIO,SelfSign,certutil_extns, thecert
          */
          if (rv) {
-             SECU_PrintError(progName, "Failed to create certificate \"%s\" (%ld).\n",
-                   outFile, PR_GetError());
+             SECU_PrintError(progName, "Failed to create certificate \"%s\" (%d).\n",
+                   certreqfile, PR_GetError());
              rv = SECFailure;
              goto shutdown;
          }
@@ -1681,6 +1681,8 @@ int main(int argc, char **argv)
     CommandType cmd = cmd_CertReq;
     PRBool initialized = PR_FALSE;
 
+    progName = argv[0];
+
     while ((optc = getopt_long(argc, argv, "atc:rs:g:v:e:f:d:z:i:p:o:k:h", options, NULL)) != -1) {
         switch (optc) {
         case 'a':

secutil.c

@@ -116,15 +116,12 @@ SECU_GetString(int16 error_number)
     return errString;
 }
 
-void 
-SECU_PrintErrMsg(FILE *out, int level, char *progName, char *msg, ...)
+static void 
+SECU_PrintErrMsg(FILE *out, int level, char *progName, char *msg, va_list args)
 {
-    va_list args;
     PRErrorCode err = PORT_GetError();
     const char * errString = PORT_ErrorToString(err);
 
-    va_start(args, msg);
-
     SECU_Indent(out, level);
     fprintf(out, "%s: ", progName);
     vfprintf(out, msg, args);
@@ -132,13 +129,15 @@ SECU_PrintErrMsg(FILE *out, int level, char *progName, char *msg, ...)
     fprintf(out, ": %s\n", errString);
     else
     fprintf(out, ": error %d\n", (int)err);
-
-    va_end(args);
 }
 
 void SECU_PrintError(char *progName, char *msg, ...)
 {
-    SECU_PrintErrMsg(stderr, 0, progName, msg);
+    va_list args;
+
+    va_start(args, msg);
+    SECU_PrintErrMsg(stderr, 0, progName, msg, args);
+    va_end(args);
 }
 
 #define INDENT_MULT 4

secutil.h

@@ -89,10 +89,13 @@ extern char *SECU_NoPassword(PK11SlotInfo *slot, PRBool retry, void *arg);
 extern char *SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg);
 
 /* print out an error message */
-extern void SECU_PrintError(char *progName, char *msg, ...);
+
+extern void SECU_PrintError(char *progName, char *msg, ...)
+    __attribute__((format(printf, 2, 3)));
 
 /* print out a system error message */
-extern void SECU_PrintSystemError(char *progName, char *msg, ...);
+extern void SECU_PrintSystemError(char *progName, char *msg, ...)
+    __attribute__((format(printf, 2, 3)));
 
 /* Read the contents of a file into a SECItem */
 extern SECStatus SECU_FileToItem(SECItem *dst, PRFileDesc *src);