rpms
/
pesign
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix various bugs from 0.99-1 

- Don't make the database unreadable just yet.
This commit is contained in:
Peter Jones 2012-10-17 09:59:14 -04:00
parent 428f873263
commit 70aaeb7aa3
5 changed files with 194 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
0001-Use-PK11_TraverseCertsForNicknameInSlot-after-all.patch Normal file
View File

@ -0,0 +1,55 @@
From 406a08cc45a2d0761294002d946ee3381a4706ee Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 17 Oct 2012 09:53:07 -0400
Subject: [PATCH 1/4] Use PK11_TraverseCertsForNicknameInSlot after all.
As of 76bc13c it doesn't appear to be leaky any more, and it does a
better job of disinguishing between certificates with the same nickname
than we did when doing it by hand.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/cms_common.c | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/src/cms_common.c b/src/cms_common.c
index 644b44c..2d51979 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -465,23 +465,23 @@ err_slots:
goto err_slots_errmsg;
}
+ SECItem nickname = {
+ .data = (void *)cms->certname,
+ .len = strlen(cms->certname) + 1,
+ .type = siUTF8String,
+ };
struct cbdata cbdata = {
.cert = NULL,
.psle = psle,
.pwdata = pwdata,
};
- CERTCertListNode *node = NULL;
- for (node = CERT_LIST_HEAD(certlist); !CERT_LIST_END(node,certlist);
- node = CERT_LIST_NEXT(node)) {
- if (strcmp(cms->certname, node->cert->nickname))
- continue;
+ status = PK11_TraverseCertsForNicknameInSlot(&nickname, psle->slot,
+ is_valid_cert, &cbdata);
+ if (cbdata.cert == NULL)
+ goto err_slots;
- if (is_valid_cert(node->cert, &cbdata) == SECSuccess) {
- cms->cert = CERT_DupCertificate(cbdata.cert);
- break;
- }
- }
+ cms->cert = CERT_DupCertificate(cbdata.cert);
PK11_DestroySlotListElement(slots, &psle);
PK11_FreeSlotList(slots);
--
1.7.12.1

38
0002-Remove-an-unused-field.patch Normal file
View File

@ -0,0 +1,38 @@
From e4aa0a2755d7b00e31760a7f90561b0566445fa4 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 17 Oct 2012 09:54:10 -0400
Subject: [PATCH 2/4] Remove an unused field.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign_context.c | 1 -
src/pesign_context.h | 1 -
2 files changed, 2 deletions(-)
diff --git a/src/pesign_context.c b/src/pesign_context.c
index b4b201d..c6afda6 100644
--- a/src/pesign_context.c
+++ b/src/pesign_context.c
@@ -88,7 +88,6 @@ pesign_context_fini(pesign_context *ctx)
ctx->cms_ctx = NULL;
}
- xfree(ctx->certname);
xfree(ctx->privkeyfile);
if (ctx->outpe) {
diff --git a/src/pesign_context.h b/src/pesign_context.h
index cabccf3..8f4e45a 100644
--- a/src/pesign_context.h
+++ b/src/pesign_context.h
@@ -58,7 +58,6 @@ typedef struct {
Pe *outpe;
char *privkeyfile;
- char *certname;
cms_context *cms_ctx;
int flags;
--
1.7.12.1

26
0003-Free-the-certificate-list-we-make-once-we-re-done-us.patch Normal file
View File

@ -0,0 +1,26 @@
From df5afd0e6d92f31a804f5f1631b6fae3b8ef4d8b Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 17 Oct 2012 09:54:37 -0400
Subject: [PATCH 3/4] Free the certificate list we make once we're done using
it.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/wincert.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/wincert.c b/src/wincert.c
index fe666c5..b487dc5 100644
--- a/src/wincert.c
+++ b/src/wincert.c
@@ -74,6 +74,7 @@ finalize_signatures(cms_context *cms, Pe *pe)
free(clist);
return -1;
}
+ free(clist);
return 0;
}
--
1.7.12.1

63
0004-Make-sure-we-actually-look-up-the-certificate-when-n.patch Normal file
View File

@ -0,0 +1,63 @@
From c13cc0b03dcae9a743cc49aaa62c3923a3e7d8f9 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 17 Oct 2012 09:55:02 -0400
Subject: [PATCH 4/4] Make sure we actually look up the certificate when not
in daemon mode.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign.c | 24 +++++++++++++++---------
1 file changed, 15 insertions(+), 9 deletions(-)
diff --git a/src/pesign.c b/src/pesign.c
index 108994e..4ddf636 100644
--- a/src/pesign.c
+++ b/src/pesign.c
@@ -500,12 +500,6 @@ main(int argc, char *argv[])
POPT_TABLEEND
};
- tokenname = strdup(tokenname);
- if (!tokenname) {
- fprintf(stderr, "could not allocate memory: %m\n");
- exit(1);
- }
-
if (!daemon) {
SECStatus status = NSS_Init("/etc/pki/pesign");
if (status != SECSuccess) {
@@ -521,8 +515,6 @@ main(int argc, char *argv[])
exit(1);
}
- ctx.cms_ctx->certname = certname ? strdup(certname) : NULL;
-
optCon = poptGetContext("pesign", argc, (const char **)argv, options,0);
rc = poptReadDefaultConfig(optCon, 0);
@@ -559,7 +551,21 @@ main(int argc, char *argv[])
exit(!is_help);
}
- ctx.cms_ctx->tokenname = tokenname;
+ ctx.cms_ctx->tokenname = tokenname ?
+ PORT_ArenaStrdup(ctx.cms_ctx->arena, tokenname) : NULL;
+ if (!ctx.cms_ctx->tokenname) {
+ fprintf(stderr, "could not allocate token name: %s\n",
+ PORT_ErrorToString(PORT_GetError()));
+ exit(1);
+ }
+
+ ctx.cms_ctx->certname = certname ?
+ PORT_ArenaStrdup(ctx.cms_ctx->arena, certname) : NULL;
+ if (!ctx.cms_ctx->certname) {
+ fprintf(stderr, "could not allocate certificate name: %s\n",
+ PORT_ErrorToString(PORT_GetError()));
+ exit(1);
+ }
int action = 0;
if (daemon)
--
1.7.12.1

15
pesign.spec
View File

@ -1,7 +1,7 @@
Summary: Signing utility for UEFI binaries Summary: Signing utility for UEFI binaries
Name: pesign Name: pesign
Version: 0.99 Version: 0.99
Release: 1%{?dist} Release: 2%{?dist}
Group: Development/System Group: Development/System
License: GPLv2 License: GPLv2
URL: https://github.com/vathpela/pesign URL: https://github.com/vathpela/pesign
@ -17,6 +17,11 @@ ExclusiveArch: i686 x86_64 ia64
Source0: pesign-%{version}.tar.bz2 Source0: pesign-%{version}.tar.bz2
Source1: rh-test-certs.tar.bz2 Source1: rh-test-certs.tar.bz2
Patch0: 0001-Use-PK11_TraverseCertsForNicknameInSlot-after-all.patch
Patch1: 0002-Remove-an-unused-field.patch
Patch2: 0003-Free-the-certificate-list-we-make-once-we-re-done-us.patch
Patch3: 0004-Make-sure-we-actually-look-up-the-certificate-when-n.patch
%description %description
This package contains the pesign utility for signing UEFI binaries as This package contains the pesign utility for signing UEFI binaries as
well as other associated tools. well as other associated tools.
@ -72,13 +77,17 @@ exit 0
%{_mandir}/man*/* %{_mandir}/man*/*
%{_unitdir}/pesign.service %{_unitdir}/pesign.service
%{_prefix}/lib/tmpfiles.d/pesign.conf %{_prefix}/lib/tmpfiles.d/pesign.conf
%dir %attr(0770,pesign,pesign) /etc/pki/pesign %dir %attr(0775,pesign,pesign) /etc/pki/pesign
%attr(0660,pesign,pesign) /etc/pki/pesign/* %attr(0664,pesign,pesign) /etc/pki/pesign/*
%dir %attr(0770, pesign, pesign) %{_localstatedir}/run/%{name} %dir %attr(0770, pesign, pesign) %{_localstatedir}/run/%{name}
%ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/socket %ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/socket
%ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/pesign.pid %ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/pesign.pid
%changelog %changelog
* Wed Oct 17 2012 Peter Jones <pjones@redhat.com> - 0.99-2
- Fix various bugs from 0.99-1
- Don't make the database unreadable just yet.
* Mon Oct 15 2012 Peter Jones <pjones@redhat.com> - 0.99-1 * Mon Oct 15 2012 Peter Jones <pjones@redhat.com> - 0.99-1
- Update to 0.99 - Update to 0.99
- Add documentation for client/server mode. - Add documentation for client/server mode.