Compare commits
7 Commits
Author | SHA1 | Date |
---|---|---|
Daiki Ueno | 941acef772 | |
Daiki Ueno | 74f534411e | |
Daiki Ueno | efd69a0abe | |
Daiki Ueno | e7539200ef | |
Daiki Ueno | 61ebbb0716 | |
Tomas Mraz | 681bf8d74b | |
Daiki Ueno | b25dab0464 |
|
@ -8,3 +8,15 @@
|
|||
/p11-kit-client.service
|
||||
/trust-extract-compat
|
||||
/p11-kit-0.23.9.tar.gz
|
||||
/p11-kit-client.service
|
||||
/trust-extract-compat
|
||||
/p11-kit-0.23.10.tar.gz
|
||||
/p11-kit-client.service
|
||||
/trust-extract-compat
|
||||
/p11-kit-0.23.12.tar.gz
|
||||
/p11-kit-client.service
|
||||
/trust-extract-compat
|
||||
/p11-kit-0.23.14.tar.gz
|
||||
/p11-kit-client.service
|
||||
/trust-extract-compat
|
||||
/p11-kit-0.23.15.tar.gz
|
||||
|
|
|
@ -0,0 +1,181 @@
|
|||
From e2170b295992cb7fdf115227a78028ac3780619f Mon Sep 17 00:00:00 2001
|
||||
From: Daiki Ueno <dueno@redhat.com>
|
||||
Date: Mon, 18 Feb 2019 14:53:49 +0100
|
||||
Subject: [PATCH] trust: Ignore unreadable content in anchors
|
||||
|
||||
This amends eb503f3a1467f21a5ecc9ae84ae23b216afc102f. Instead of
|
||||
failing C_FindObjectsInit, treat any errors internally and accumulates
|
||||
the successfully loaded certificates.
|
||||
|
||||
Reported by Andrej Kvasnica in:
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1675441
|
||||
---
|
||||
trust/module.c | 3 +-
|
||||
trust/test-module.c | 77 +++++++++++++++++++++++++++++++++++++++++++++
|
||||
trust/token.c | 23 ++++++--------
|
||||
3 files changed, 88 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/trust/module.c b/trust/module.c
|
||||
index 1722340..ec3333d 100644
|
||||
--- a/trust/module.c
|
||||
+++ b/trust/module.c
|
||||
@@ -1198,8 +1198,7 @@ sys_C_FindObjectsInit (CK_SESSION_HANDLE handle,
|
||||
indices[n++] = session->index;
|
||||
if (want_token_objects) {
|
||||
if (!session->loaded)
|
||||
- if (p11_token_load (session->token) < 0)
|
||||
- rv = CKR_FUNCTION_FAILED;
|
||||
+ p11_token_load (session->token);
|
||||
if (rv == CKR_OK) {
|
||||
session->loaded = CK_TRUE;
|
||||
indices[n++] = p11_token_index (session->token);
|
||||
diff --git a/trust/test-module.c b/trust/test-module.c
|
||||
index 1e8d812..4024d81 100644
|
||||
--- a/trust/test-module.c
|
||||
+++ b/trust/test-module.c
|
||||
@@ -163,6 +163,80 @@ setup_writable (void *unused)
|
||||
p11_parser_formats (test.parser, p11_parser_format_persist, NULL);
|
||||
}
|
||||
|
||||
+/* This is similar to setup(), but it adds an unreadable content in
|
||||
+ * the anchor directory. */
|
||||
+static void
|
||||
+setup_unreadable (void *unused)
|
||||
+{
|
||||
+ CK_C_INITIALIZE_ARGS args;
|
||||
+ const char *paths;
|
||||
+ char *p, *pp, *anchors;
|
||||
+ FILE *f, *ff;
|
||||
+ char buffer[4096];
|
||||
+ char *arguments;
|
||||
+ CK_ULONG count;
|
||||
+ CK_RV rv;
|
||||
+
|
||||
+ memset (&test, 0, sizeof (test));
|
||||
+
|
||||
+ /* This is the entry point of the trust module, linked to this test */
|
||||
+ rv = C_GetFunctionList (&test.module);
|
||||
+ assert (rv == CKR_OK);
|
||||
+
|
||||
+ test.directory = p11_test_directory ("test-module");
|
||||
+ anchors = p11_path_build (test.directory, "anchors", NULL);
|
||||
+#ifdef OS_UNIX
|
||||
+ if (mkdir (anchors, S_IRWXU) < 0)
|
||||
+#else
|
||||
+ if (mkdir (anchors) < 0)
|
||||
+#endif
|
||||
+ assert_fail ("mkdir()", anchors);
|
||||
+
|
||||
+ p = p11_path_build (anchors, "unreadable", NULL);
|
||||
+ f = fopen (p, "w");
|
||||
+ fwrite ("foo", 3, 1, f);
|
||||
+ fclose (f);
|
||||
+ chmod (p, 0);
|
||||
+ free (p);
|
||||
+
|
||||
+ pp = p11_path_build (anchors, "thawte", NULL);
|
||||
+ ff = fopen (pp, "w");
|
||||
+ f = fopen (SRCDIR "/trust/fixtures/thawte.pem", "r");
|
||||
+ while (!feof (f)) {
|
||||
+ size_t size;
|
||||
+ size = fread (buffer, 1, sizeof (buffer), f);
|
||||
+ if (ferror (f))
|
||||
+ assert_fail ("fread()",
|
||||
+ SRCDIR "/trust/fixtures/thawte.pem");
|
||||
+ fwrite (buffer, 1, size, ff);
|
||||
+ if (ferror (ff))
|
||||
+ assert_fail ("write()", pp);
|
||||
+ }
|
||||
+ free (pp);
|
||||
+ fclose (ff);
|
||||
+ fclose (f);
|
||||
+ free (anchors);
|
||||
+
|
||||
+ memset (&args, 0, sizeof (args));
|
||||
+ paths = SRCDIR "/trust/input" P11_PATH_SEP \
|
||||
+ SRCDIR "/trust/fixtures/self-signed-with-ku.der";
|
||||
+ if (asprintf (&arguments, "paths='%s%c%s'",
|
||||
+ paths, P11_PATH_SEP_C, test.directory) < 0)
|
||||
+ assert (false && "not reached");
|
||||
+ args.pReserved = arguments;
|
||||
+ args.flags = CKF_OS_LOCKING_OK;
|
||||
+
|
||||
+ rv = test.module->C_Initialize (&args);
|
||||
+ assert (rv == CKR_OK);
|
||||
+
|
||||
+ free (arguments);
|
||||
+
|
||||
+ count = NUM_SLOTS;
|
||||
+ rv = test.module->C_GetSlotList (CK_TRUE, test.slots, &count);
|
||||
+ assert (rv == CKR_OK);
|
||||
+ assert (count == NUM_SLOTS);
|
||||
+}
|
||||
+
|
||||
static void
|
||||
test_get_slot_list (void)
|
||||
{
|
||||
@@ -1324,5 +1398,8 @@ main (int argc,
|
||||
p11_fixture (NULL, NULL);
|
||||
p11_test (test_token_write_protected, "/module/token-write-protected");
|
||||
|
||||
+ p11_fixture (setup_unreadable, teardown);
|
||||
+ p11_test (test_find_certificates, "/module/unreadable");
|
||||
+
|
||||
return p11_test_run (argc, argv);
|
||||
}
|
||||
diff --git a/trust/token.c b/trust/token.c
|
||||
index b91a1d0..8c75d06 100644
|
||||
--- a/trust/token.c
|
||||
+++ b/trust/token.c
|
||||
@@ -266,8 +266,8 @@ loader_load_directory (p11_token *token,
|
||||
return_val_if_fail (path != NULL, -1);
|
||||
|
||||
ret = loader_load_if_file (token, path);
|
||||
- return_val_if_fail (ret >=0, -1);
|
||||
- total += ret;
|
||||
+ if (ret >= 0)
|
||||
+ total += ret;
|
||||
|
||||
/* Make note that this file was seen */
|
||||
p11_dict_remove (present, path);
|
||||
@@ -328,8 +328,8 @@ loader_load_path (p11_token *token,
|
||||
p11_dict_iterate (present, &iter);
|
||||
while (p11_dict_next (&iter, (void **)&filename, NULL)) {
|
||||
ret = loader_load_if_file (token, filename);
|
||||
- return_val_if_fail (ret >= 0, ret);
|
||||
- total += ret;
|
||||
+ if (ret >= 0)
|
||||
+ total += ret;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -377,20 +377,17 @@ p11_token_load (p11_token *token)
|
||||
int ret;
|
||||
|
||||
ret = loader_load_path (token, token->path, &is_dir);
|
||||
- if (ret < 0)
|
||||
- return -1;
|
||||
- total += ret;
|
||||
+ if (ret >= 0)
|
||||
+ total += ret;
|
||||
|
||||
if (is_dir) {
|
||||
ret = loader_load_path (token, token->anchors, &is_dir);
|
||||
- if (ret < 0)
|
||||
- return -1;
|
||||
- total += ret;
|
||||
+ if (ret >= 0)
|
||||
+ total += ret;
|
||||
|
||||
ret = loader_load_path (token, token->blacklist, &is_dir);
|
||||
- if (ret < 0)
|
||||
- return -1;
|
||||
- total += ret;
|
||||
+ if (ret >= 0)
|
||||
+ total += ret;
|
||||
}
|
||||
|
||||
return total;
|
||||
--
|
||||
2.20.1
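Review bot: In the trust/token.c hunk for p11_token_load, a failed `loader_load_path (token, token->blacklist, &is_dir)` is now discarded exactly like a failure in anchors, and loader_load_directory skips any file whose load returns a negative value, so unreadable blacklist content appears to leave distrust entries unloaded while the token still returns a normal total. The subject line only covers unreadable content in anchors, and the blacklist is the one path where missing data widens trust instead of narrowing it. Consider keeping that case visible, for example `if (ret < 0) p11_message ("couldn't load blacklist: %s", token->blacklist); else total += ret;`. Relatedly, the trust/module.c hunk still sets `session->loaded = CK_TRUE` when p11_token_load returned an error, so the load is presumably not retried for that session. All of these functions begin and end outside their hunks, so whether loader_load_if_file already reports the per-file error cannot be confirmed from the lines shown.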
|
||||
|
|
@ -1,52 +0,0 @@
|
|||
From 031912fa844c4f3da327c8b2578d9d9ce2a6473e Mon Sep 17 00:00:00 2001
|
||||
From: Daiki Ueno <dueno@redhat.com>
|
||||
Date: Thu, 5 Oct 2017 10:59:02 +0200
|
||||
Subject: [PATCH] server: Make it possible to eval envvar settings
|
||||
|
||||
Previously, calling "eval $(p11-kit server)" from shell hung because
|
||||
the program didn't properly close stdout before forking.
|
||||
---
|
||||
p11-kit/server.c | 20 +++++++++++---------
|
||||
1 file changed, 11 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/p11-kit/server.c b/p11-kit/server.c
|
||||
index 97e18e2..96c77ec 100644
|
||||
--- a/p11-kit/server.c
|
||||
+++ b/p11-kit/server.c
|
||||
@@ -346,6 +346,17 @@ server_loop (Server *server,
|
||||
if (server->socket == -1)
|
||||
return 1;
|
||||
|
||||
+ if (!quiet) {
|
||||
+ char *path;
|
||||
+
|
||||
+ path = p11_path_encode (server->socket_name);
|
||||
+ printf ("P11_KIT_SERVER_ADDRESS=unix:path=%s\n", path);
|
||||
+ free (path);
|
||||
+ printf ("P11_KIT_SERVER_PID=%d\n", getpid ());
|
||||
+ fflush (stdout);
|
||||
+ close (STDOUT_FILENO);
|
||||
+ }
|
||||
+
|
||||
/* run as daemon */
|
||||
if (!foreground) {
|
||||
pid = fork ();
|
||||
@@ -372,15 +383,6 @@ server_loop (Server *server,
|
||||
|
||||
sigprocmask (SIG_BLOCK, &blockset, NULL);
|
||||
|
||||
- if (!quiet) {
|
||||
- char *path;
|
||||
-
|
||||
- path = p11_path_encode (server->socket_name);
|
||||
- printf ("P11_KIT_SERVER_ADDRESS=unix:path=%s\n", path);
|
||||
- free (path);
|
||||
- printf ("P11_KIT_SERVER_PID=%d\n", getpid ());
|
||||
- }
|
||||
-
|
||||
/* accept connections */
|
||||
ret = 0;
|
||||
for (;;) {
|
||||
--
|
||||
2.13.6
|
||||
|
22
p11-kit.spec
22
p11-kit.spec
|
@ -1,7 +1,6 @@
|
|||
# This spec file has been automatically updated
|
||||
Version: 0.23.9
|
||||
Release: 3%{?dist}
|
||||
Patch1: p11-kit-server-eval-env.patch
|
||||
Version: 0.23.15
|
||||
Release: 2%{?dist}
|
||||
Name: p11-kit
|
||||
Summary: Library for loading and sharing PKCS#11 modules
|
||||
|
||||
|
@ -10,7 +9,9 @@ URL: http://p11-glue.freedesktop.org/p11-kit.html
|
|||
Source0: https://github.com/p11-glue/p11-kit/releases/download/%{version}/p11-kit-%{version}.tar.gz
|
||||
Source1: trust-extract-compat
|
||||
Source2: p11-kit-client.service
|
||||
Patch0: 0001-trust-Ignore-unreadable-content-in-anchors.patch
|
||||
|
||||
BuildRequires: gcc
|
||||
BuildRequires: libtasn1-devel >= 2.3
|
||||
BuildRequires: libffi-devel
|
||||
BuildRequires: gtk-doc
|
||||
|
@ -143,6 +144,21 @@ fi
|
|||
|
||||
|
||||
%changelog
|
||||
* Mon Feb 18 2019 Daiki Ueno <dueno@redhat.com> - 0.23.15-2
|
||||
- trust: Ignore unreadable content in anchors
|
||||
|
||||
* Mon Jan 21 2019 Daiki Ueno <dueno@redhat.com> - 0.23.15-1
|
||||
- Update to upstream 0.23.15 release
|
||||
|
||||
* Mon Sep 10 2018 Daiki Ueno <dueno@redhat.com> - 0.23.14-1
|
||||
- Update to upstream 0.23.14 release
|
||||
|
||||
* Wed May 30 2018 Daiki Ueno <dueno@redhat.com> - 0.23.12-1
|
||||
- Update to upstream 0.23.11 release
|
||||
|
||||
* Wed Feb 28 2018 Daiki Ueno <dueno@redhat.com> - 0.23.10-1
|
||||
- Update to upstream 0.23.10 release
|
||||
|
||||
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.23.9-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||
|
||||
|
|
2
sources
2
sources
|
@ -1,3 +1,3 @@
|
|||
SHA512 (p11-kit-client.service) = 0f08618851c6eafb35c630957044fc96324be4d3828cdd2aa9b5d6e1245549197ca5b969d6a2f735c893d73c02e885cdc3205bd43e37f6124ebc6cfa61970d3b
|
||||
SHA512 (trust-extract-compat) = 91210705f9bcf1a13c0de1ca9943e3ac68296bfcb7953fc59241de060247b470b39be6e914dd4d92e38a78d5df0962c83315ad78f8c0eade8e62d884b05fdd42
|
||||
SHA512 (p11-kit-0.23.9.tar.gz) = 6a8a569483763d3ffacadf669b8ba9b9be38a77dd8dc366ca0cb91c44753517fa1879d4422e4e8dfbcac594565727839a619566a170c0f94f8e112f18b0086ed
|
||||
SHA512 (p11-kit-0.23.15.tar.gz) = d703eec12626b79551ce337521f7ea7b1a0b64c211d7a93d831dd28ec1de77c7b58358c1588bf82d70f047c01ad9433fa8a286d1a25ae3f6b0ee6016b8c42950
|
||||
|
|