rpms/certmonger
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import certmonger-0.79.7-3.el8

Browse Source
This commit is contained in:
CentOS Sources 2019-11-05 14:37:17 -05:00 committed by Andrew Lukoshko
parent 94b42d705f
commit 434855d374
27 changed files with 41 additions and 2540 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.certmonger.metadata
View File

@ -1 +1 @@
7eac3ce49718df4be8f47ec92ae3a951eb4ac435 SOURCES/certmonger-0.79.6.tar.gz
f73818aec2b6e1d9765af188547e2c82e644209c SOURCES/certmonger-0.79.7.tar.gz

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/certmonger-0.79.6.tar.gz
SOURCES/certmonger-0.79.7.tar.gz

1016
SOURCES/0003-Use-the-correct-slot-when-saving-certificates-in-NSS.patch
View File

File diff suppressed because it is too large Load Diff

49
SOURCES/0004-Include-the-token-name-when-a-PIN-is-provided-but-is.patch
View File

@ -1,49 +0,0 @@
From c029b32c04a9a5993b9c8715fb82421fee613137 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 31 Aug 2018 10:37:12 -0400
Subject: [PATCH 2/7] Include the token name when a PIN is provided but is
unused
This improves the output so the user will know which token
the PIN is missing for. Theoretically it should be the token
they asked for but this will show certmogner's view of it.
---
src/certread-n.c | 6 +++---
src/keygen-n.c | 4 ++--
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/certread-n.c b/src/certread-n.c
index f2e78c07..57a38dcf 100644
--- a/src/certread-n.c
+++ b/src/certread-n.c
@@ -259,9 +259,9 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
if ((pin != NULL) &&
(strlen(pin) > 0) &&
(cb_data.n_attempts == 0)) {
- cm_log(1, "PIN was not needed to auth to cert "
- "db, though one was provided. "
- "Treating this as an error.\n");
+ cm_log(1, "PIN was not needed to auth to token "
+ "%s, though one was provided. "
+ "Treating this as an error.\n", token);
goto next_slot;
}
}
diff --git a/src/keygen-n.c b/src/keygen-n.c
index 8078a520..84b0bbd3 100644
--- a/src/keygen-n.c
+++ b/src/keygen-n.c
@@ -400,8 +400,8 @@ next_slot:
(strlen(pin) > 0) &&
(cb_data.n_attempts == 0)) {
cm_log(1, "PIN was not needed to auth to key "
- "store, though one was provided. "
- "Treating this as an error.\n");
+ "store token %s, though one was provided. "
+ "Treating this as an error.\n", token);
PK11_FreeSlotList(slotlist);
error = NSS_ShutdownContext(ctx);
if (error != SECSuccess) {
--
2.14.4

134
SOURCES/0005-Add-utility-function-to-get-the-internal-token-name.patch
View File

@ -1,134 +0,0 @@
From f396b19b2c222fa0a50e9bb9704059af4578e678 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 31 Aug 2018 12:08:35 -0400
Subject: [PATCH 3/7] Add utility function to get the internal token name
The NSS internal token is the default if no token is specified for
the cert or the key.
---
src/certread-n.c | 6 +++++-
src/certsave-n.c | 3 +++
src/keygen-n.c | 3 +++
src/keyiread-n.c | 3 +++
src/submit-n.c | 5 ++++-
src/util-n.c | 6 ++++++
src/util-n.h | 1 +
7 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/src/certread-n.c b/src/certread-n.c
index 57a38dcf..1d9217c6 100644
--- a/src/certread-n.c
+++ b/src/certread-n.c
@@ -190,6 +190,9 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
cm_log(1, "Error reading PIN for cert db.\n");
_exit(CM_SUB_STATUS_ERROR_AUTH);
}
+ if (entry->cm_cert_token == NULL) {
+ entry->cm_cert_token = util_internal_token_name();
+ }
PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
for (sle = slotlist->head;
((sle != NULL) && (sle->slot != NULL));
@@ -253,7 +256,8 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
}
error = PK11_Authenticate(sle->slot, PR_TRUE, &cb_data);
if (error != SECSuccess) {
- cm_log(1, "Error authenticating to cert db.\n");
+ cm_log(1, "certread-n: Error authenticating to cert db "
+ "slot %s.\n", PK11_GetTokenName(sle->slot));
goto next_slot;
}
if ((pin != NULL) &&
diff --git a/src/certsave-n.c b/src/certsave-n.c
index af176ce5..193309c5 100644
--- a/src/certsave-n.c
+++ b/src/certsave-n.c
@@ -214,6 +214,9 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
_exit(CM_SUB_STATUS_ERROR_AUTH);
}
PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
+ if (entry->cm_cert_token == NULL) {
+ entry->cm_cert_token = util_internal_token_name();
+ }
for (sle = slotlist->head;
((sle != NULL) && (sle->slot != NULL));
sle = sle->next)
diff --git a/src/keygen-n.c b/src/keygen-n.c
index 84b0bbd3..f7fdf6c0 100644
--- a/src/keygen-n.c
+++ b/src/keygen-n.c
@@ -272,6 +272,9 @@ cm_keygen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
cm_log(1, "Error locating token for key generation.\n");
_exit(CM_SUB_STATUS_ERROR_NO_TOKEN);
}
+ if (entry->cm_cert_token == NULL) {
+ entry->cm_cert_token = util_internal_token_name();
+ }
/* Walk the list looking for the requested slot, or the first one if
* none was requested. */
slot = NULL;
diff --git a/src/keyiread-n.c b/src/keyiread-n.c
index 89913aa2..b8408bf1 100644
--- a/src/keyiread-n.c
+++ b/src/keyiread-n.c
@@ -152,6 +152,9 @@ cm_keyiread_n_get_keys(struct cm_store_entry *entry, int readwrite)
_exit(CM_SUB_STATUS_ERROR_AUTH);
}
PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
+ if (entry->cm_key_token == NULL) {
+ entry->cm_key_token = util_internal_token_name();
+ }
n_tokens = 0;
pubkey = NULL;
/* In practice, the internal slot is either a non-storage slot (in
diff --git a/src/submit-n.c b/src/submit-n.c
index 872153ea..da07d253 100644
--- a/src/submit-n.c
+++ b/src/submit-n.c
@@ -346,6 +346,9 @@ cm_submit_n_decrypt_envelope(const unsigned char *envelope,
cm_log(1, "Error reading PIN for key storage.\n");
goto done;
}
+ if (args->entry->cm_key_token == NULL) {
+ args->entry->cm_key_token = util_internal_token_name();
+ }
PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
n_tokens = 0;
/* In practice, the internal slot is either a non-storage slot (in
@@ -402,7 +405,7 @@ cm_submit_n_decrypt_envelope(const unsigned char *envelope,
}
error = PK11_Authenticate(slot, PR_TRUE, &cb_data);
if (error != SECSuccess) {
- cm_log(1, "Error authenticating to token "
+ cm_log(1, "submit-n: Error authenticating to token "
"\"%s\".\n", token);
goto done;
}
diff --git a/src/util-n.c b/src/util-n.c
index 7805e58e..293e2583 100644
--- a/src/util-n.c
+++ b/src/util-n.c
@@ -287,3 +287,9 @@ util_set_db_entry_cert_owner(const char *dbdir, struct cm_store_entry *entry)
util_set_db_owner_perms(dbdir, secmoddb, entry->cm_cert_owner,
entry->cm_cert_perms);
}
+
+char *
+util_internal_token_name()
+{
+ return strdup(PK11_GetTokenName(PK11_GetInternalKeySlot()));
+}
diff --git a/src/util-n.h b/src/util-n.h
index 8a918d5c..637fd4b1 100644
--- a/src/util-n.h
+++ b/src/util-n.h
@@ -29,5 +29,6 @@ void util_set_db_entry_key_owner(const char *dbdir,
struct cm_store_entry *entry);
void util_set_db_entry_cert_owner(const char *dbdir,
struct cm_store_entry *entry);
+char * util_internal_token_name();
#endif
--
2.14.4

41
SOURCES/0006-Only-de-duplicate-certificates-within-the-same-token.patch
View File

@ -1,41 +0,0 @@
From 6ebe5695a626c6cd254b249bbebf9846bcb936c0 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 4 Sep 2018 11:06:13 -0400
Subject: [PATCH 4/7] Only de-duplicate certificates within the same token
certmonger may not have read/write access to tokens other than
the one it is examining so don't try to de-duplicate certificates
on other tokens.
---
src/certsave-n.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/certsave-n.c b/src/certsave-n.c
index 193309c5..d0152cad 100644
--- a/src/certsave-n.c
+++ b/src/certsave-n.c
@@ -391,8 +391,9 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
!CERT_LIST_EMPTY(certlist) &&
!CERT_LIST_END(node, certlist);
node = CERT_LIST_NEXT(node)) {
- if (!SECITEM_ItemsAreEqual(&subject,
- &node->cert->derSubject)) {
+ if ((!SECITEM_ItemsAreEqual(&subject,
+ &node->cert->derSubject)) &&
+ (sle->slot == node->cert->slot)) {
cm_log(3, "Found a "
"certificate "
"with the same "
@@ -441,7 +442,8 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
node = CERT_LIST_NEXT(node)) {
if ((node->cert->nickname != NULL) &&
(strcmp(entry->cm_cert_nickname,
- node->cert->nickname) != 0))
+ node->cert->nickname) != 0) &&
+ (sle->slot == node->cert->slot))
{
i++;
cm_log(3, "Found a "
--
2.14.4

30
SOURCES/0007-Ensure-that-an-OpenSSL-random-seed-file-exists-when-.patch
View File

@ -1,30 +0,0 @@
From 697dd085e7b2ce15eefc454509987270131d7f1e Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 4 Sep 2018 16:59:28 -0400
Subject: [PATCH 5/7] Ensure that an OpenSSL random seed file exists when
testing
Otherwise some openssl command-line invocations will fail and
because of the way the tests are done the error message is not
shown.
---
tests/Makefile.am | 3 +++
1 file changed, 3 insertions(+)
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 4e407434..fe368dc0 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -433,6 +433,9 @@ subdirs += \
endif
check: all
+ if [ ! -e $$HOME/.rnd ] ; then \
+ openssl rand -writerand $$HOME/.rnd; \
+ fi
for required in certutil cmsutil pk12util openssl diff cmp mktemp \
dos2unix unix2dos dbus-launch ; do \
which $$required || exit 1; \
--
2.14.4

29
SOURCES/0008-Log-test-failures-of-bad-pin.patch
View File

@ -1,29 +0,0 @@
From e93ecadec7c868f4227e084ffb65c70a6efd7314 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 4 Sep 2018 18:12:18 -0400
Subject: [PATCH 6/7] Log test failures of bad pin
Previously this would show a "don't know why" failure.
---
tests/tools/certsave.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/tests/tools/certsave.c b/tests/tools/certsave.c
index ac0f73ec..fd86a4c1 100644
--- a/tests/tools/certsave.c
+++ b/tests/tools/certsave.c
@@ -106,6 +106,11 @@ main(int argc, char **argv)
printf("Failed to save (%s:%s), "
"filesystem permissions error.\n",
ctype, entry->cm_cert_storage_location);
+ } else
+ if (cm_certsave_pin_error(state) == 0) {
+ printf("Failed to save (%s:%s), "
+ "pin error.\n",
+ ctype, entry->cm_cert_storage_location);
} else {
printf("Failed to save (%s:%s), "
"don't know why.\n",
--
2.14.4

95
SOURCES/0009-Use-only-PK11_ImportCert-to-import-certs-not-CERT_Im.patch
View File

@ -1,95 +0,0 @@
From 15d406ee3afbb52832d5c61a1afb735724d109a2 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 18 Sep 2018 10:21:28 -0400
Subject: [PATCH 7/7] Use only PK11_ImportCert to import certs, not
CERT_ImportCerts
CERT_ImportCerts always imports a given certificate into the
certificate database, whether a token is requested or not.
Using PK11_ImportCert will import the cert, associate the key
properly and will only add the certificate to the appropriate
token.
---
src/certsave-n.c | 37 +++++++++++--------------------------
1 file changed, 11 insertions(+), 26 deletions(-)
diff --git a/src/certsave-n.c b/src/certsave-n.c
index d0152cad..fcb43148 100644
--- a/src/certsave-n.c
+++ b/src/certsave-n.c
@@ -100,7 +100,7 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
NSSInitContext *ctx;
CERTCertDBHandle *certdb;
CERTCertList *certlist;
- CERTCertificate **returned, *oldcert, cert;
+ CERTCertificate *oldcert, *newcert, cert;
CERTCertTrust trust;
CERTSignedData csdata;
CERTCertListNode *node;
@@ -497,33 +497,18 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
}
}
/* Import the certificate. */
- returned = NULL;
- error = CERT_ImportCerts(certdb,
- certUsageUserCertImport,
- 1, &item, &returned,
- PR_TRUE,
- PR_FALSE,
- entry->cm_cert_nickname);
- ec = PORT_GetError();
- if (error == SECSuccess) {
- /* If NSS uses SQL DB storage, CERT_ImportCerts creates
- * an incomplete internal state (the cert isn't
- * associated with the private key, and calling
- * PK11_FindKeyByAnyCert returns no result).
- * As a workaround, we import the cert again using
- * PK11_ImportCert, which magically fixes the issue.
- * See rhbz#1532188 */
+ newcert = CERT_DecodeCertFromPackage((char *)item->data, item->len);
+ if (newcert != NULL) {
error = PK11_ImportCert(sle->slot,
- returned[0],
+ newcert,
CK_INVALID_HANDLE,
- returned[0]->nickname,
+ entry->cm_cert_nickname,
PR_FALSE);
}
if (error == SECSuccess) {
- cm_log(1, "Imported certificate \"%s\", got "
+ cm_log(1, "Imported certificate with "
"nickname \"%s\".\n",
- entry->cm_cert_nickname,
- returned[0]->nickname);
+ entry->cm_cert_nickname);
status = 0;
/* Set the trust on the new certificate,
* perhaps matching the trust on an
@@ -536,7 +521,7 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
trust.objectSigningFlags = CERTDB_USER;
}
error = CERT_ChangeCertTrust(certdb,
- returned[0],
+ newcert,
&trust);
ec = PORT_GetError();
if (error != SECSuccess) {
@@ -621,10 +606,10 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
}
/* If we managed to import the certificate, mark its
* key for having its nickname removed. */
- if ((returned != NULL) && (returned[0] != NULL)) {
- privkey = PK11_FindKeyByAnyCert(returned[0], NULL);
+ if (newcert != NULL) {
+ privkey = PK11_FindKeyByAnyCert(newcert, NULL);
privkeys = add_privkey_to_list(privkeys, privkey);
- CERT_DestroyCertArray(returned, 1);
+ CERT_DestroyCertificate(newcert);
}
/* In case we're rekeying, but failed, mark the
* candidate key for name-clearing or removal, too. */
--
2.14.4

95
SOURCES/0010-Fix-memory-leak-in-util_internal_token_name.patch
View File

@ -1,95 +0,0 @@
From 5d2554ed31fa6bc121d94efe533f9e4fea3900aa Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 4 Oct 2018 08:21:35 -0400
Subject: [PATCH 10/17] Fix memory leak in util_internal_token_name()
Allocate memory using the talloc context instead of relying on
the caller to call free().
---
src/certread-n.c | 2 +-
src/certsave-n.c | 2 +-
src/keygen-n.c | 2 +-
src/keyiread-n.c | 2 +-
src/submit-n.c | 2 +-
src/util-n.c | 2 +-
6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/certread-n.c b/src/certread-n.c
index 1d9217c6..d535030b 100644
--- a/src/certread-n.c
+++ b/src/certread-n.c
@@ -191,7 +191,7 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
_exit(CM_SUB_STATUS_ERROR_AUTH);
}
if (entry->cm_cert_token == NULL) {
- entry->cm_cert_token = util_internal_token_name();
+ entry->cm_cert_token = talloc_strdup(entry, util_internal_token_name());
}
PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
for (sle = slotlist->head;
diff --git a/src/certsave-n.c b/src/certsave-n.c
index fcb43148..49b28324 100644
--- a/src/certsave-n.c
+++ b/src/certsave-n.c
@@ -215,7 +215,7 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
}
PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
if (entry->cm_cert_token == NULL) {
- entry->cm_cert_token = util_internal_token_name();
+ entry->cm_cert_token = talloc_strdup(entry, util_internal_token_name());
}
for (sle = slotlist->head;
((sle != NULL) && (sle->slot != NULL));
diff --git a/src/keygen-n.c b/src/keygen-n.c
index f7fdf6c0..76a5c1d3 100644
--- a/src/keygen-n.c
+++ b/src/keygen-n.c
@@ -273,7 +273,7 @@ cm_keygen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
_exit(CM_SUB_STATUS_ERROR_NO_TOKEN);
}
if (entry->cm_cert_token == NULL) {
- entry->cm_cert_token = util_internal_token_name();
+ entry->cm_cert_token = talloc_strdup(entry, util_internal_token_name());
}
/* Walk the list looking for the requested slot, or the first one if
* none was requested. */
diff --git a/src/keyiread-n.c b/src/keyiread-n.c
index b8408bf1..8f46ec0f 100644
--- a/src/keyiread-n.c
+++ b/src/keyiread-n.c
@@ -153,7 +153,7 @@ cm_keyiread_n_get_keys(struct cm_store_entry *entry, int readwrite)
}
PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
if (entry->cm_key_token == NULL) {
- entry->cm_key_token = util_internal_token_name();
+ entry->cm_key_token = talloc_strdup(entry, util_internal_token_name());
}
n_tokens = 0;
pubkey = NULL;
diff --git a/src/submit-n.c b/src/submit-n.c
index da07d253..ee6f3105 100644
--- a/src/submit-n.c
+++ b/src/submit-n.c
@@ -347,7 +347,7 @@ cm_submit_n_decrypt_envelope(const unsigned char *envelope,
goto done;
}
if (args->entry->cm_key_token == NULL) {
- args->entry->cm_key_token = util_internal_token_name();
+ args->entry->cm_key_token = talloc_strdup(args->entry, util_internal_token_name());
}
PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
n_tokens = 0;
diff --git a/src/util-n.c b/src/util-n.c
index 293e2583..4ab3d47b 100644
--- a/src/util-n.c
+++ b/src/util-n.c
@@ -291,5 +291,5 @@ util_set_db_entry_cert_owner(const char *dbdir, struct cm_store_entry *entry)
char *
util_internal_token_name()
{
- return strdup(PK11_GetTokenName(PK11_GetInternalKeySlot()));
+ return PK11_GetTokenName(PK11_GetInternalKeySlot());
}
--
2.14.4

266
SOURCES/0011-clang-Dead-assignment.patch
View File

@ -1,266 +0,0 @@
From 648fe74986f2a84416805cfd73206e9e67166ae2 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 13 Sep 2018 15:40:23 -0400
Subject: [PATCH 11/17] clang: Dead assignment
---
src/casave.c | 4 +++-
src/keygen-n.c | 1 -
src/keyiread-n.c | 1 -
src/store-files.c | 2 --
src/store-gen.c | 3 ---
src/submit-e.c | 54 ++++++++++++++++++++++++++------------------------
src/submit-u.c | 2 --
src/tdbush.c | 8 ++++++--
tests/tools/addcinfo.c | 1 -
tests/tools/certsave.c | 4 +++-
10 files changed, 40 insertions(+), 40 deletions(-)
diff --git a/src/casave.c b/src/casave.c
index 5fb31b8d..bde63f99 100644
--- a/src/casave.c
+++ b/src/casave.c
@@ -163,7 +163,6 @@ cm_casave_main_n(int fd, struct cm_store_ca *ca, struct cm_store_entry *e,
decoded = CERT_DecodeCertFromPackage(package,
strlen(package));
p = state->certs[i]->nickname;
- ttrust = ",,";
switch (state->certs[i]->level) {
case root:
case other_root:
@@ -178,6 +177,9 @@ cm_casave_main_n(int fd, struct cm_store_ca *ca, struct cm_store_entry *e,
ttrust = ",,";
}
break;
+ default:
+ ttrust = ",,";
+ break;
}
memset(&trust, 0, sizeof(trust));
CERT_DecodeTrustString(&trust, ttrust);
diff --git a/src/keygen-n.c b/src/keygen-n.c
index 76a5c1d3..061bd2af 100644
--- a/src/keygen-n.c
+++ b/src/keygen-n.c
@@ -591,7 +591,6 @@ retry_gen:
break;
}
}
- generated_size = SECKEY_PublicKeyStrengthInBits(pubkey);
cm_log(1, "Ended up with %d bit public key.\n",
SECKEY_PublicKeyStrengthInBits(pubkey));
/* Check for keys with the desired name, selecting a new name if
diff --git a/src/keyiread-n.c b/src/keyiread-n.c
index 8f46ec0f..91b1be41 100644
--- a/src/keyiread-n.c
+++ b/src/keyiread-n.c
@@ -492,7 +492,6 @@ cm_keyiread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
readwrite = settings->readwrite;
keys = cm_keyiread_n_get_keys(entry, readwrite);
alg = "";
- size = 0;
if (keys != NULL) {
switch (SECKEY_GetPrivateKeyType(keys->privkey)) {
case rsaKey:
diff --git a/src/store-files.c b/src/store-files.c
index 06a17485..df1fa336 100644
--- a/src/store-files.c
+++ b/src/store-files.c
@@ -2182,7 +2182,6 @@ cm_store_entry_delete(struct cm_store_entry *entry)
} else {
cm_log(3, "No file to remove for \"%s\".\n",
entry->cm_nickname);
- ret = 0;
}
return 0;
}
@@ -2469,7 +2468,6 @@ cm_store_ca_delete(struct cm_store_ca *ca)
}
} else {
cm_log(3, "No file to remove for \"%s\".\n", ca->cm_nickname);
- ret = 0;
}
return 0;
}
diff --git a/src/store-gen.c b/src/store-gen.c
index 5ce4ab84..da32afc8 100644
--- a/src/store-gen.c
+++ b/src/store-gen.c
@@ -530,8 +530,6 @@ cm_store_hex_to_bin(const char *serial, unsigned char *buf, int length)
const char *p, *q, *chars = "0123456789abcdef";
unsigned char *b, u;
- p = serial;
- b = buf;
u = 0;
for (p = serial, b = buf;
((*p != '\0') && ((b - buf) < length));
@@ -606,7 +604,6 @@ cm_store_canonicalize_path(void *parent, const char *path)
for (p = tmp; *p != '\0'; p++) {
if ((strncmp(p, "/.", 2) == 0) &&
((p[2] == '/') || (p[2] == '\0'))) {
- q = p - 1;
memmove(p, p + 2, strlen(p + 2) + 1);
}
}
diff --git a/src/submit-e.c b/src/submit-e.c
index 8ba8e44c..d6158d7a 100644
--- a/src/submit-e.c
+++ b/src/submit-e.c
@@ -587,32 +587,34 @@ cm_submit_e_postprocess_main(int fd, struct cm_store_ca *ca,
estate->msg_length, NULL);
msg = cm_json_new_object(estate);
chain = cm_json_new_array(msg);
- if (leaf != NULL) {
- cert = cm_json_new_string(msg, leaf, -1);
- cm_json_set(msg, CM_SUBMIT_E_CERTIFICATE, cert);
- }
- for (i = 0;
- (others != NULL) && (others[i] != NULL);
- i++) {
- cert = cm_json_new_object(chain);
- val = cm_json_new_string(cert, others[i], -1);
- cm_json_set(cert, CM_SUBMIT_E_CERTIFICATE, val);
- nthnick = talloc_asprintf(cert, "chain #%d", i + 1);
- nick = cm_json_new_string(cert, nthnick, -1);
- cm_json_set(cert, CM_SUBMIT_E_NICKNAME, nick);
- cm_json_append(chain, cert);
- }
- if (top!= NULL) {
- cert = cm_json_new_object(chain);
- val = cm_json_new_string(cert, top, -1);
- cm_json_set(cert, CM_SUBMIT_E_CERTIFICATE, val);
- nthnick = talloc_asprintf(cert, "chain #%d", i + 1);
- nick = cm_json_new_string(cert, nthnick, -1);
- cm_json_set(cert, CM_SUBMIT_E_NICKNAME, nick);
- cm_json_append(chain, cert);
- }
- if (cm_json_array_size(chain) > 0) {
- cm_json_set(msg, CM_SUBMIT_E_CHAIN, chain);
+ if (i == 0) {
+ if (leaf != NULL) {
+ cert = cm_json_new_string(msg, leaf, -1);
+ cm_json_set(msg, CM_SUBMIT_E_CERTIFICATE, cert);
+ }
+ for (i = 0;
+ (others != NULL) && (others[i] != NULL);
+ i++) {
+ cert = cm_json_new_object(chain);
+ val = cm_json_new_string(cert, others[i], -1);
+ cm_json_set(cert, CM_SUBMIT_E_CERTIFICATE, val);
+ nthnick = talloc_asprintf(cert, "chain #%d", i + 1);
+ nick = cm_json_new_string(cert, nthnick, -1);
+ cm_json_set(cert, CM_SUBMIT_E_NICKNAME, nick);
+ cm_json_append(chain, cert);
+ }
+ if (top!= NULL) {
+ cert = cm_json_new_object(chain);
+ val = cm_json_new_string(cert, top, -1);
+ cm_json_set(cert, CM_SUBMIT_E_CERTIFICATE, val);
+ nthnick = talloc_asprintf(cert, "chain #%d", i + 1);
+ nick = cm_json_new_string(cert, nthnick, -1);
+ cm_json_set(cert, CM_SUBMIT_E_NICKNAME, nick);
+ cm_json_append(chain, cert);
+ }
+ if (cm_json_array_size(chain) > 0) {
+ cm_json_set(msg, CM_SUBMIT_E_CHAIN, chain);
+ }
}
}
/* Get ready to build an output message. */
diff --git a/src/submit-u.c b/src/submit-u.c
index dda2edbc..b0b45baf 100644
--- a/src/submit-u.c
+++ b/src/submit-u.c
@@ -120,14 +120,12 @@ cm_submit_u_from_file_single(const char *filename)
if (csr == NULL) {
return NULL;
}
- p = csr;
for (i = 0; i < sizeof(strip) / sizeof(strip[0]); i++) {
while ((p = strstr(csr, strip[i])) != NULL) {
q = p + strcspn(p, "\r\n");
memmove(p, q, strlen(q) + 1);
}
}
- p = csr;
q = strdup(csr);
for (p = csr, i = 0; *p != '\0'; p++) {
if (strchr("\r\n\t ", *p) == NULL) {
diff --git a/src/tdbush.c b/src/tdbush.c
index 1d487222..3184e67a 100644
--- a/src/tdbush.c
+++ b/src/tdbush.c
@@ -2911,7 +2911,6 @@ request_get_key_type_and_size(DBusConnection *conn, DBusMessage *msg,
return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
}
rep = dbus_message_new_method_return(msg);
- type = "UNKNOWN";
switch (entry->cm_key_type.cm_key_algorithm) {
case cm_key_unspecified:
type = "UNKNOWN";
@@ -2929,6 +2928,9 @@ request_get_key_type_and_size(DBusConnection *conn, DBusMessage *msg,
type = "EC";
break;
#endif
+ default:
+ type = "UNKNOWN";
+ break;
}
if (rep != NULL) {
size = entry->cm_key_type.cm_key_size;
@@ -4790,7 +4792,6 @@ cm_tdbush_introspect_method(void *parent,
method->cm_name);
arg = method->cm_args;
while (arg != NULL) {
- direction = "unknown";
switch (arg->cm_direction) {
case cm_tdbush_method_arg_in:
direction = "in";
@@ -4798,6 +4799,9 @@ cm_tdbush_introspect_method(void *parent,
case cm_tdbush_method_arg_out:
direction = "out";
break;
+ default:
+ direction = "unknown";
+ break;
}
ret = talloc_asprintf(parent,
"%s\n <arg name=\"%s\" type=\"%s\" "
diff --git a/tests/tools/addcinfo.c b/tests/tools/addcinfo.c
index d3cea2ca..f016acb4 100644
--- a/tests/tools/addcinfo.c
+++ b/tests/tools/addcinfo.c
@@ -98,7 +98,6 @@ main(int argc, char **argv)
PR_ErrorToName(PORT_GetError()));
return 1;
}
- n = encoded.len;
j = 0;
while ((i = write(STDOUT_FILENO, encoded.data + j, encoded.len - j)) > 0) {
j += i;
diff --git a/tests/tools/certsave.c b/tests/tools/certsave.c
index fd86a4c1..8ec60ddd 100644
--- a/tests/tools/certsave.c
+++ b/tests/tools/certsave.c
@@ -83,7 +83,6 @@ main(int argc, char **argv)
if (cm_certsave_saved(state) == 0) {
ret = 0;
} else {
- ctype = "unknown";
switch (entry->cm_cert_storage_type) {
case cm_cert_storage_file:
ctype = "FILE";
@@ -91,6 +90,9 @@ main(int argc, char **argv)
case cm_cert_storage_nssdb:
ctype = "NSS";
break;
+ default:
+ ctype = "unknown";
+ break;
}
if (cm_certsave_conflict_subject(state) == 0) {
printf("Failed to save (%s:%s), "
--
2.14.4

437
SOURCES/0012-clang-Memory-leak.patch
View File

@ -1,437 +0,0 @@
From 3310a25181e94f5e05e671acc12d008cbac339ab Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 13 Sep 2018 15:50:53 -0400
Subject: [PATCH 12/17] clang: Memory leak
---
src/certmaster.c | 3 +++
src/certsave-o.c | 1 +
src/dogtag.c | 3 +++
src/ipa.c | 9 ++++++++-
src/local.c | 5 +++++
src/scep.c | 5 +++++
src/srvloc.c | 1 +
src/store-files.c | 2 +-
src/submit-x.c | 22 ++++++++++++++++++++++
src/util.c | 8 +++++++-
tests/tools/addcinfo.c | 3 +++
tests/tools/base2pem.c | 1 +
tests/tools/pem2base.c | 1 +
13 files changed, 61 insertions(+), 3 deletions(-)
diff --git a/src/certmaster.c b/src/certmaster.c
index 7e0bed90..4a5cf6af 100644
--- a/src/certmaster.c
+++ b/src/certmaster.c
@@ -160,6 +160,7 @@ main(int argc, const char **argv)
CM_SUBMIT_CSR_ENV);
}
poptPrintUsage(pctx, stdout, 0);
+ free(csr);
return CM_SUBMIT_STATUS_UNCONFIGURED;
}
@@ -185,11 +186,13 @@ main(int argc, const char **argv)
if (ctx == NULL) {
fprintf(stderr, "Error setting up for XMLRPC.\n");
printf(_("Error setting up for XMLRPC.\n"));
+ free(csr);
return CM_SUBMIT_STATUS_UNCONFIGURED;
}
/* Add the CSR as the sole argument. */
cm_submit_x_add_arg_s(ctx, csr);
+ free(csr);
/* Submit the request. */
fprintf(stderr, "Submitting request to \"%s\".\n", uri);
diff --git a/src/certsave-o.c b/src/certsave-o.c
index 77f54d7e..3d4018d8 100644
--- a/src/certsave-o.c
+++ b/src/certsave-o.c
@@ -258,6 +258,7 @@ cm_certsave_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
if (bin != NULL) {
BN_bn2bin(bn, bin);
serial = cm_store_hex_from_bin(NULL, bin, BN_num_bytes(bn));
+ free(bin);
}
}
if (serial != NULL) {
diff --git a/src/dogtag.c b/src/dogtag.c
index cd0b38b7..55607f3d 100644
--- a/src/dogtag.c
+++ b/src/dogtag.c
@@ -536,6 +536,7 @@ main(int argc, const char **argv)
CM_SUBMIT_CSR_ENV);
}
poptPrintUsage(pctx, stdout, 0);
+ free(csr);
return CM_SUBMIT_STATUS_UNCONFIGURED;
}
csr = cm_submit_u_url_encode(csr);
@@ -588,6 +589,8 @@ main(int argc, const char **argv)
params = talloc_asprintf(ctx,
"%s&%s=%s",
params, p, q);
+ free(p);
+ free(q);
}
use_agent_approval = FALSE;
break;
diff --git a/src/ipa.c b/src/ipa.c
index 67a0c651..acd1a4e2 100644
--- a/src/ipa.c
+++ b/src/ipa.c
@@ -226,6 +226,7 @@ cm_locate_xmlrpc_service(const char *server,
if (basedn == NULL) {
i = cm_find_default_naming_context(ld, &basedn);
if (i != 0) {
+ free(basedn);
return i;
}
}
@@ -526,6 +527,7 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
if (basedn == NULL) {
i = cm_find_default_naming_context(ld, &basedn);
if (i != 0) {
+ free(basedn);
return i;
}
}
@@ -802,6 +804,7 @@ main(int argc, const char **argv)
printf(_("Unable to read signing request from environment variable \"%s\".\n"),
CM_SUBMIT_CSR_ENV);
}
+ free(csr);
poptPrintUsage(pctx, stdout, 0);
return CM_SUBMIT_STATUS_UNCONFIGURED;
}
@@ -903,12 +906,16 @@ main(int argc, const char **argv)
if ((strcasecmp(mode, CM_OP_SUBMIT) == 0) ||
(strcasecmp(mode, CM_OP_POLL) == 0)) {
- return submit_or_poll(uri, cainfo, capath, server,
+ int ret;
+ ret = submit_or_poll(uri, cainfo, capath, server,
ldap_uri_cmd, ldap_uri, host, domain,
basedn, uid, pwd, csr, reqprinc, profile,
issuer);
+ free(csr);
+ return ret;
} else
if (strcasecmp(mode, CM_OP_FETCH_ROOTS) == 0) {
+ free(csr);
return fetch_roots(server, ldap_uri_cmd, ldap_uri, host,
uid, pwd, domain, basedn);
}
diff --git a/src/local.c b/src/local.c
index f437d62e..92bea144 100644
--- a/src/local.c
+++ b/src/local.c
@@ -559,6 +559,7 @@ main(int argc, const char **argv)
printf(_("Unable to read signing request.\n"));
cm_log(1, "Unable to read signing request.\n");
poptPrintUsage(pctx, stdout, 0);
+ free(csr);
return CM_SUBMIT_STATUS_UNCONFIGURED;
}
/* Take the lock. */
@@ -568,6 +569,7 @@ main(int argc, const char **argv)
&signer, &key);
if ((i != 0) || (signer == NULL)) {
cm_log(1, "Error reading signer info.\n");
+ free(csr);
/* Try again sometime later. */
return CM_SUBMIT_STATUS_UNREACHABLE;
}
@@ -577,11 +579,13 @@ main(int argc, const char **argv)
if ((fp == NULL) && (errno != ENOENT)) {
cm_log(1, "Error reading '%s': %s.\n", serial,
strerror(errno));
+ free(csr);
return CM_SUBMIT_STATUS_UNREACHABLE;
}
if (fp != NULL) {
if (fgets(buf, sizeof(buf), fp) == NULL) {
fclose(fp);
+ free(csr);
return CM_SUBMIT_STATUS_UNREACHABLE;
}
buf[strcspn(buf, "\r\n")] = '\0';
@@ -601,6 +605,7 @@ main(int argc, const char **argv)
/* Actually sign the request. */
i = cm_submit_o_sign(parent, csr, signer, key, hexserial,
now, 0, &cert);
+ free(csr);
if ((i == 0) && (cert != NULL)) {
/* Roll the serial number up. */
hexserial = cm_store_increment_serial(parent,
diff --git a/src/scep.c b/src/scep.c
index 72dff3d5..68eae788 100644
--- a/src/scep.c
+++ b/src/scep.c
@@ -338,6 +338,7 @@ main(int argc, const char **argv)
}
if (c != -1) {
poptPrintUsage(pctx, stdout, 0);
+ free(cainfo);
return CM_SUBMIT_STATUS_UNCONFIGURED;
}
@@ -386,6 +387,7 @@ main(int argc, const char **argv)
}
if ((message == NULL) || (strlen(message) == 0)) {
printf(_("Error reading request. Expected PKCS7 data containing a GetInitialCert pkiMessage, got nothing.\n"));
+ free(cainfo);
return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
}
/* First step: read capabilities for our use. */
@@ -405,6 +407,7 @@ main(int argc, const char **argv)
}
if ((message == NULL) || (strlen(message) == 0)) {
printf(_("Error reading request. Expected PKCS7 data containing a PKCSReq pkiMessage, got nothing.\n"));
+ free(cainfo);
return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
}
/* First step: read capabilities for our use. */
@@ -416,6 +419,7 @@ main(int argc, const char **argv)
/* Supply help output, if it's needed. */
if (missing_args) {
poptPrintUsage(pctx, stdout, 0);
+ free(cainfo);
return CM_SUBMIT_STATUS_UNCONFIGURED;
}
@@ -492,6 +496,7 @@ main(int argc, const char **argv)
verbose > 1 ?
cm_submit_h_curl_verbose_on :
cm_submit_h_curl_verbose_off);
+ free(cainfo);
cm_submit_h_run(hctx);
content_type = cm_submit_h_result_type(hctx);
if (content_type == NULL) {
diff --git a/src/srvloc.c b/src/srvloc.c
index acab55bf..e8f3f5a5 100644
--- a/src/srvloc.c
+++ b/src/srvloc.c
@@ -189,6 +189,7 @@ cm_srvloc_resolve(void *parent, const char *name, const char *udomain,
domain = strdup(udomain);
#endif
i = res_querydomain(name, domain, C_IN, T_SRV, answer, answer_len);
+ free(domain);
if (i == -1) {
return -1;
}
diff --git a/src/store-files.c b/src/store-files.c
index df1fa336..b97ba5ff 100644
--- a/src/store-files.c
+++ b/src/store-files.c
@@ -558,8 +558,8 @@ cm_store_file_read_lines(void *parent, FILE *fp)
case ';':
break;
}
+ free(buf);
}
- free(buf);
/* If we were reading a line, append it to the list. */
if (s != NULL) {
tlines = talloc_realloc(parent, lines, char *, n_lines + 2);
diff --git a/src/submit-x.c b/src/submit-x.c
index 60bcf78a..fa81e9aa 100644
--- a/src/submit-x.c
+++ b/src/submit-x.c
@@ -75,6 +75,8 @@ cm_submit_x_ccache_realm(char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
+ } else {
+ free(ret);
}
return NULL;
}
@@ -84,6 +86,8 @@ cm_submit_x_ccache_realm(char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
+ } else {
+ free(ret);
}
return NULL;
}
@@ -93,6 +97,8 @@ cm_submit_x_ccache_realm(char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
+ } else {
+ free(ret);
}
return NULL;
}
@@ -139,6 +145,8 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
fprintf(stderr, "Error initializing Kerberos: %s.\n", ret);
if (msg != NULL) {
*msg = ret;
+ } else {
+ free(ret);
}
return kret;
}
@@ -152,6 +160,8 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
+ } else {
+ free(ret);
}
return kret;
}
@@ -163,6 +173,8 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
principal, ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
+ } else {
+ free(ret);
}
return kret;
}
@@ -174,6 +186,8 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
+ } else {
+ free(ret);
}
return kret;
}
@@ -195,6 +209,8 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
+ } else {
+ free(ret);
}
return kret;
}
@@ -213,6 +229,8 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
+ } else {
+ free(ret);
}
return kret;
}
@@ -227,6 +245,8 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
+ } else {
+ free(ret);
}
return kret;
}
@@ -237,6 +257,8 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
+ } else {
+ free(ret);
}
return kret;
}
diff --git a/src/util.c b/src/util.c
index 67143d52..373bb533 100644
--- a/src/util.c
+++ b/src/util.c
@@ -98,7 +98,7 @@ read_config_file(const char *filename)
char *
get_config_entry(char * in_data, const char *section, const char *key)
{
- char *ptr = NULL, *p, *tmp;
+ char *ptr = NULL, *p, *tmp = NULL;
char *line;
int in_section = 0;
char * data = strdup(in_data);
@@ -129,9 +129,12 @@ get_config_entry(char * in_data, const char *section, const char *key)
}
if (strcmp(section, tmp) == 0) {
free(tmp);
+ tmp = NULL;
in_section = 1;
continue;
}
+ free(tmp);
+ tmp = NULL;
}
} /* [ */
@@ -145,8 +148,10 @@ get_config_entry(char * in_data, const char *section, const char *key)
tmp = strndup(line, p - line);
if (strcmp(key, tmp) != 0) {
free(tmp);
+ tmp = NULL;
} else {
free(tmp);
+ tmp = NULL;
/* Skip over any whitespace after the equal sign. */
line = strchr(line, '=');
@@ -168,5 +173,6 @@ get_config_entry(char * in_data, const char *section, const char *key)
}
}
free(data);
+ free(tmp);
return NULL;
}
diff --git a/tests/tools/addcinfo.c b/tests/tools/addcinfo.c
index f016acb4..939005c2 100644
--- a/tests/tools/addcinfo.c
+++ b/tests/tools/addcinfo.c
@@ -86,6 +86,7 @@ main(int argc, char **argv)
if (enveloped == NULL) {
cm_log(0, "Internal error: %s.\n",
PR_ErrorToName(PORT_GetError()));
+ free(buffer);
return 1;
}
ci.content_type = enveloped->oid;
@@ -96,6 +97,7 @@ main(int argc, char **argv)
content_info_template) != &encoded) {
cm_log(0, "Encoding error: %s.\n",
PR_ErrorToName(PORT_GetError()));
+ free(buffer);
return 1;
}
j = 0;
@@ -105,5 +107,6 @@ main(int argc, char **argv)
break;
}
}
+ free(buffer);
return 0;
}
diff --git a/tests/tools/base2pem.c b/tests/tools/base2pem.c
index 40e74201..31359684 100644
--- a/tests/tools/base2pem.c
+++ b/tests/tools/base2pem.c
@@ -76,5 +76,6 @@ main(int argc, const char **argv)
}
}
printf("%s", cm_submit_u_pem_from_base64(type, dos, p));
+ free(p);
return 0;
}
diff --git a/tests/tools/pem2base.c b/tests/tools/pem2base.c
index 0607c162..bb686c0e 100644
--- a/tests/tools/pem2base.c
+++ b/tests/tools/pem2base.c
@@ -46,5 +46,6 @@ main(int argc, char **argv)
}
}
printf("%s\n", cm_submit_u_base64_from_text(p));
+ free(p);
return 0;
}
--
2.14.4

25
SOURCES/0013-clang-Uninitialized-initial-value.patch
View File

@ -1,25 +0,0 @@
From db0f835829b739cf843d44b08c22407194aadd71 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 13 Sep 2018 17:57:21 -0400
Subject: [PATCH 13/17] clang: Uninitialized initial value
---
src/submit-n.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/submit-n.c b/src/submit-n.c
index ee6f3105..b07ea23a 100644
--- a/src/submit-n.c
+++ b/src/submit-n.c
@@ -281,7 +281,7 @@ cm_submit_n_decrypt_envelope(const unsigned char *envelope,
PLArenaPool *arena = NULL;
SECStatus error;
NSSInitContext *ctx = NULL;
- PK11SlotInfo *slot;
+ PK11SlotInfo *slot = NULL;
PK11SlotList *slotlist = NULL;
PK11SlotListElement *sle;
SECKEYPrivateKeyList *keylist = NULL;
--
2.14.4

99
SOURCES/0014-clang-Null-pointer-passed-as-an-argument-to-a-nonnul.patch
View File

@ -1,99 +0,0 @@
From 753d98b3e70f34a52caabbe8db30bf06fc917f38 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 13 Sep 2018 11:46:51 -0400
Subject: [PATCH 14/17] clang: Null pointer passed as an argument to a
'nonnull' parameter
---
src/certsave-n.c | 3 ++-
src/getcert.c | 7 ++++---
src/scep.c | 8 ++++----
src/submit-sn.c | 7 +++++--
4 files changed, 15 insertions(+), 10 deletions(-)
diff --git a/src/certsave-n.c b/src/certsave-n.c
index 49b28324..972a1dfa 100644
--- a/src/certsave-n.c
+++ b/src/certsave-n.c
@@ -72,7 +72,8 @@ add_privkey_to_list(SECKEYPrivateKey **list, SECKEYPrivateKey *key)
if ((list == NULL) || (list[i] == NULL)) {
newlist = malloc(sizeof(newlist[0]) * (i + 2));
if (newlist != NULL) {
- memcpy(newlist, list, sizeof(newlist[0]) * i);
+ if (list != NULL)
+ memcpy(newlist, list, sizeof(newlist[0]) * i);
newlist[i] = key;
newlist[i + 1] = NULL;
list = newlist;
diff --git a/src/getcert.c b/src/getcert.c
index 6417cd44..ddb28de2 100644
--- a/src/getcert.c
+++ b/src/getcert.c
@@ -291,7 +291,8 @@ add_string(void *parent, char ***dest, const char *value)
printf(_("Out of memory.\n"));
exit(1);
}
- memcpy(tmp, *dest, sizeof(tmp[0]) * i);
+ if (*dest)
+ memcpy(tmp, *dest, sizeof(tmp[0]) * i);
tmp[i] = talloc_strdup(tmp, value);
i++;
tmp[i] = NULL;
@@ -1582,8 +1583,8 @@ add_basic_request(enum cm_tdbus_type bus, char *id,
{
DBusMessage *req, *rep;
int i;
- struct cm_tdbusm_dict param[28];
- const struct cm_tdbusm_dict *params[29];
+ struct cm_tdbusm_dict param[30];
+ const struct cm_tdbusm_dict *params[30];
dbus_bool_t b;
const char *capath;
char *p;
diff --git a/src/scep.c b/src/scep.c
index 68eae788..b0bd214b 100644
--- a/src/scep.c
+++ b/src/scep.c
@@ -793,8 +793,8 @@ main(int argc, const char **argv)
fprintf(stderr, "code_text = \"%s\"\n", cm_submit_h_result_code_text(hctx));
syslog(LOG_DEBUG, "%s %s?%s\n", "GET", url, params2);
}
- if (strcasecmp(content_type2,
- "application/x-x509-ca-cert") != 0) {
+ if ((content_type2 != NULL) && (strcasecmp(content_type2,
+ "application/x-x509-ca-cert") != 0)) {
if (verbose > 0) {
fprintf(stderr, "Content is not "
"\"application/x-x509-ca-cert\""
@@ -882,8 +882,8 @@ main(int argc, const char **argv)
break;
case op_get_cert_initial:
case op_pkcsreq:
- if (strcasecmp(content_type2,
- "application/x-pki-message") == 0) {
+ if ((content_type2 != NULL) && (strcasecmp(content_type2,
+ "application/x-pki-message") == 0)) {
memset(&cacerts, 0, sizeof(cacerts));
cacerts[0] = cacert ? cacert : racert;
cacerts[1] = cacert ? racert : NULL;
diff --git a/src/submit-sn.c b/src/submit-sn.c
index e9c62b22..ecd78dc0 100644
--- a/src/submit-sn.c
+++ b/src/submit-sn.c
@@ -258,8 +258,11 @@ cm_submit_sn_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
/* Allocate space for one more extension. */
extensions = PORT_ArenaZAlloc(arena, (i + 2) * sizeof(extensions[0]));
if (extensions != NULL) {
- memcpy(extensions, ucert->extensions,
- i * sizeof(extensions[0]));
+ if (i != 0) {
+ /* Note that C99 says copy of 0 items is ok, quieting clang */
+ memcpy(extensions, ucert->extensions,
+ i * sizeof(extensions[0]));
+ }
if (found_basic) {
extensions[i] = NULL;
} else {
--
2.14.4

24
SOURCES/0015-clang-Dead-increment.patch
View File

@ -1,24 +0,0 @@
From 9e44680dbd207cef48beb7598114ea59aa457055 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 14 Sep 2018 16:15:23 -0400
Subject: [PATCH 15/17] clang: Dead increment
---
src/store-gen.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/store-gen.c b/src/store-gen.c
index da32afc8..653767a1 100644
--- a/src/store-gen.c
+++ b/src/store-gen.c
@@ -363,7 +363,6 @@ cm_store_time_from_timestamp(const char *timestamp)
buf[2] = '\0';
stamp.tm_min = atoi(buf);
memcpy(buf, timestamp + i, 2);
- i += 2;
buf[2] = '\0';
stamp.tm_sec = atoi(buf);
t = timegm(&stamp);
--
2.14.4

83
SOURCES/0016-clang-Dereference-of-null-pointer.patch
View File

@ -1,83 +0,0 @@
From 319858127df42c1a95b9b3282705c90ecd6754a5 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 14 Sep 2018 16:16:55 -0400
Subject: [PATCH 16/17] clang: Dereference of null pointer
---
src/tdbush.c | 56 +++++++++++++++++++++++++++++---------------------------
1 file changed, 29 insertions(+), 27 deletions(-)
diff --git a/src/tdbush.c b/src/tdbush.c
index 3184e67a..d1bbe4da 100644
--- a/src/tdbush.c
+++ b/src/tdbush.c
@@ -3655,37 +3655,39 @@ request_modify(DBusConnection *conn, DBusMessage *msg,
break;
}
}
- if (d[i] == NULL) {
- new_request_path = talloc_asprintf(parent, "%s/%s",
- CM_DBUS_REQUEST_PATH,
- entry->cm_busname);
- if ((n_propname > 0) &&
- (n_propname + 1 < sizeof(propname) / sizeof(propname[0]))) {
- propname[n_propname] = NULL;
- cm_tdbush_property_emit_changed(ctx, new_request_path,
- CM_DBUS_REQUEST_INTERFACE,
- propname);
- }
- cm_tdbusm_set_bp(rep,
- cm_restart_entry(ctx,
- entry->cm_nickname),
- new_request_path);
- dbus_connection_send(conn, rep, NULL);
- dbus_message_unref(rep);
- talloc_free(new_request_path);
- return DBUS_HANDLER_RESULT_HANDLED;
- } else {
- dbus_message_unref(rep);
- rep = dbus_message_new_error(msg,
- CM_DBUS_ERROR_REQUEST_BAD_ARG,
- _("Unrecognized parameter or wrong value type."));
- if (rep != NULL) {
- cm_tdbusm_set_s(rep, d[i]->key);
+ if (d != NULL) {
+ if (d[i] == NULL) {
+ new_request_path = talloc_asprintf(parent, "%s/%s",
+ CM_DBUS_REQUEST_PATH,
+ entry->cm_busname);
+ if ((n_propname > 0) &&
+ (n_propname + 1 < sizeof(propname) / sizeof(propname[0]))) {
+ propname[n_propname] = NULL;
+ cm_tdbush_property_emit_changed(ctx, new_request_path,
+ CM_DBUS_REQUEST_INTERFACE,
+ propname);
+ }
+ cm_tdbusm_set_bp(rep,
+ cm_restart_entry(ctx,
+ entry->cm_nickname),
+ new_request_path);
dbus_connection_send(conn, rep, NULL);
dbus_message_unref(rep);
+ talloc_free(new_request_path);
return DBUS_HANDLER_RESULT_HANDLED;
+ } else {
+ dbus_message_unref(rep);
+ rep = dbus_message_new_error(msg,
+ CM_DBUS_ERROR_REQUEST_BAD_ARG,
+ _("Unrecognized parameter or wrong value type."));
+ if (rep != NULL) {
+ cm_tdbusm_set_s(rep, d[i]->key);
+ dbus_connection_send(conn, rep, NULL);
+ dbus_message_unref(rep);
+ return DBUS_HANDLER_RESULT_HANDLED;
+ }
+ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
}
- return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
}
} else {
return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
--
2.14.4

26
SOURCES/0017-Add-missing-case-for-cm_prefs_aes192.patch
View File

@ -1,26 +0,0 @@
From f17b7c0a22f4d49dca001d984673046e133577d1 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 14 Sep 2018 16:41:19 -0400
Subject: [PATCH 17/17] Add missing case for cm_prefs_aes192
---
src/prefs-o.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/prefs-o.c b/src/prefs-o.c
index 64542f85..ac68164d 100644
--- a/src/prefs-o.c
+++ b/src/prefs-o.c
@@ -75,6 +75,9 @@ cm_prefs_ossl_cipher_by_pref(enum cm_prefs_cipher cipher)
case cm_prefs_aes128:
return EVP_aes_128_cbc();
break;
+ case cm_prefs_aes192:
+ return EVP_aes_192_cbc();
+ break;
case cm_prefs_aes256:
return EVP_aes_256_cbc();
break;
--
2.14.4

6
SOURCES/0018-clang-more-Dead-assignment.patch
View File

@ -1,7 +1,7 @@
From 20d569b57edf2f859aeb48d32bbb91801a45fb91 Mon Sep 17 00:00:00 2001
From 3dee8044adf134462fadb2b135cc965227f1fab9 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 8 Oct 2018 12:48:41 -0400
Subject: [PATCH 18/26] clang: more Dead assignment
Subject: [PATCH 18/25] clang: more Dead assignment
---
src/submit-x.c | 5 ++---
@ -37,5 +37,5 @@ index cb0a8ad7..a81b5349 100644
dbus_error_init(error);
}
--
2.14.4
2.21.0

6
SOURCES/0019-clang-more-Memory-leaks.patch
View File

@ -1,7 +1,7 @@
From 83a701de85a6b22cc5ad3cec8cb2ddb54d0b2aae Mon Sep 17 00:00:00 2001
From 0dc90f1783981ac11c3c067c40df88d6315911a6 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 8 Oct 2018 12:53:57 -0400
Subject: [PATCH 19/26] clang: more Memory leaks
Subject: [PATCH 19/25] clang: more Memory leaks
Fix leaks in tests/tools/addcinfo.c, dogtag.c and submit-x.c
---
@ -317,5 +317,5 @@ index 939005c2..e34612a5 100644
n += i;
}
--
2.14.4
2.21.0

6
SOURCES/0020-clang-Avoid-buffer-overflow.patch
View File

@ -1,7 +1,7 @@
From e9f16cf50ab3438a6e9ea50669854c93c8a399f2 Mon Sep 17 00:00:00 2001
From 6b14979cdb7a177e7c5567faa67449dd1365c1b9 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 8 Oct 2018 13:16:08 -0400
Subject: [PATCH 20/26] clang: Avoid buffer overflow
Subject: [PATCH 20/25] clang: Avoid buffer overflow
This shouldn't be possible because the caller would never allow
it all to be passed in but quiet static analyzers.
@ -25,5 +25,5 @@ index 0d527ab0..bbc45479 100644
char **anchor_dbs = NULL, **anchor_files = NULL;
char *id = NULL, *new_id = NULL, *new_request;
--
2.14.4
2.21.0

6
SOURCES/0021-clang-Garbage-value-possible.patch
View File

@ -1,7 +1,7 @@
From bfe2b956c1a9f83bd3d998924788942716767a65 Mon Sep 17 00:00:00 2001
From 3727376f8654f9e1dd88b1f9721124f9fc96ad0a Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 8 Oct 2018 14:44:05 -0400
Subject: [PATCH 21/26] clang: Garbage value possible
Subject: [PATCH 21/25] clang: Garbage value possible
Need to add guard so that error was only considered if the
certificate was decodable and an import was attempted.
@ -39,5 +39,5 @@ index 972a1dfa..30e242c1 100644
es = PR_ErrorToName(ec);
} else {
--
2.14.4
2.21.0

12
SOURCES/0022-Uninitialized-variable.patch
View File

@ -1,19 +1,19 @@
From a5fef9f676334c6b373f9739a2687dc64ad2c0c0 Mon Sep 17 00:00:00 2001
From a5c7484a00b378290069ab57c1f2e52719cc91c0 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 8 Oct 2018 14:48:43 -0400
Subject: [PATCH 22/26] Uninitialized variable
Subject: [PATCH 22/25] Uninitialized variable
---
src/csrgen-o.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/csrgen-o.c b/src/csrgen-o.c
index 55b0a598..7ca7065d 100644
index 402284ff..41b4f014 100644
--- a/src/csrgen-o.c
+++ b/src/csrgen-o.c
@@ -94,7 +94,7 @@ cm_csrgen_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
@@ -181,7 +181,7 @@ cm_csrgen_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
BIGNUM *serialbn;
char buf[LINE_MAX], *p, *q, *s, *nickname, *pin, *password, *filename;
char buf[LINE_MAX], *s, *nickname, *pin, *password, *filename;
unsigned char *extensions, *upassword, *bmp, *name, *up, *uq, md[CM_DIGEST_MAX];
- char *spkidec, *mcb64, *nows;
+ char *spkidec = NULL, *mcb64, *nows;
@ -21,5 +21,5 @@ index 55b0a598..7ca7065d 100644
const unsigned char *nametmp;
struct tm *now;
--
2.14.4
2.21.0

6
SOURCES/0023-merge-into-clang-more-Memory-leaks.patch
View File

@ -1,7 +1,7 @@
From b0766cfdfd8bbac9109a2846c6ac3802e60cb56f Mon Sep 17 00:00:00 2001
From 432f843ffbc0bc0b14c0501b26a10e450c5b5fcc Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 8 Oct 2018 15:43:02 -0400
Subject: [PATCH 23/26] merge into clang: more Memory leaks
Subject: [PATCH 23/25] merge into clang: more Memory leaks
---
src/getcert.c | 2 +-
@ -35,5 +35,5 @@ index 58d007ef..467e67e4 100644
if (ctx) {
const char *msg = krb5_get_error_message(ctx, kcode);
--
2.14.4
2.21.0

6
SOURCES/0024-Add-missing-return-type-declaration.patch
View File

@ -1,7 +1,7 @@
From daaca020810962c568caa49514f5159e1592aaf0 Mon Sep 17 00:00:00 2001
From d610317f69687d0c6892209d3cb6e3c407af4d86 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 8 Oct 2018 15:44:07 -0400
Subject: [PATCH 24/26] Add missing return type declaration
Subject: [PATCH 24/25] Add missing return type declaration
---
src/tdbush.c | 1 +
@ -20,5 +20,5 @@ index d1bbe4da..a10a1aff 100644
struct cm_client_info *ci, struct cm_context *ctx)
{
--
2.14.4
2.21.0

6
SOURCES/0025-Discards-const-qualifier.patch
View File

@ -1,7 +1,7 @@
From b12dfc9d43128f05b7e0b9e83c2a6100f808fe94 Mon Sep 17 00:00:00 2001
From c16545915ab280e40eefc6bfb4e86d081f20c758 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 8 Oct 2018 15:46:50 -0400
Subject: [PATCH 25/26] Discards const qualifier
Subject: [PATCH 25/25] Discards const qualifier
---
src/dogtag.c | 3 ++-
@ -39,5 +39,5 @@ index b0bd214b..b37711cf 100644
char *message = NULL, *rekey_message = NULL;
const char *mode = NULL, *content_type = NULL, *content_type2 = NULL;
--
2.14.4
2.21.0

28
SOURCES/0026-Add-missing-case-for-cm_prefs_aes192.patch
View File

@ -1,28 +0,0 @@
From f1a328159d46149513e32950284e5dd33525e8e1 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 8 Oct 2018 15:57:35 -0400
Subject: [PATCH 26/26] Add missing case for cm_prefs_aes192
---
src/prefs.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/prefs.c b/src/prefs.c
index ab363bbc..20e2ecf8 100644
--- a/src/prefs.c
+++ b/src/prefs.c
@@ -102,6 +102,11 @@ cm_prefs_preferred_cipher(void)
free(cipher);
return cm_prefs_aes128;
}
+ if ((strcasecmp(cipher, "aes192") == 0) ||
+ (strcasecmp(cipher, "aes-192") == 0)) {
+ free(cipher);
+ return cm_prefs_aes192;
+ }
if ((strcasecmp(cipher, "aes256") == 0) ||
(strcasecmp(cipher, "aes-256") == 0)) {
free(cipher);
--
2.14.4

46
SPECS/certmonger.spec
View File

@ -8,8 +8,8 @@
%global sysvinitdir %{_initddir}
Name: certmonger
Version: 0.79.6
Release: 5%{?dist}
Version: 0.79.7
Release: 3%{?dist}
Summary: Certificate status monitor and PKI enrollment client
Group: System Environment/Daemons
@ -51,6 +51,7 @@ BuildRequires: /usr/bin/which
BuildRequires: popt-devel
# for make check
BuildRequires: python3-devel
BuildRequires: krb5-devel
# we need a running system bus
Requires: dbus
@ -81,21 +82,6 @@ Requires(preun): /sbin/chkconfig, /sbin/service, dbus, sed
Patch1: 0001-NSS-crypto-policy-sets-minimum-RSA-and-DSA-key-size-.patch
Patch2: 0002-Convert-tests-to-use-python3.patch
Patch3: 0003-Use-the-correct-slot-when-saving-certificates-in-NSS.patch
Patch4: 0004-Include-the-token-name-when-a-PIN-is-provided-but-is.patch
Patch5: 0005-Add-utility-function-to-get-the-internal-token-name.patch
Patch6: 0006-Only-de-duplicate-certificates-within-the-same-token.patch
Patch7: 0007-Ensure-that-an-OpenSSL-random-seed-file-exists-when-.patch
Patch8: 0008-Log-test-failures-of-bad-pin.patch
Patch9: 0009-Use-only-PK11_ImportCert-to-import-certs-not-CERT_Im.patch
Patch10: 0010-Fix-memory-leak-in-util_internal_token_name.patch
Patch11: 0011-clang-Dead-assignment.patch
Patch12: 0012-clang-Memory-leak.patch
Patch13: 0013-clang-Uninitialized-initial-value.patch
Patch14: 0014-clang-Null-pointer-passed-as-an-argument-to-a-nonnul.patch
Patch15: 0015-clang-Dead-increment.patch
Patch16: 0016-clang-Dereference-of-null-pointer.patch
Patch17: 0017-Add-missing-case-for-cm_prefs_aes192.patch
Patch18: 0018-clang-more-Dead-assignment.patch
Patch19: 0019-clang-more-Memory-leaks.patch
Patch20: 0020-clang-Avoid-buffer-overflow.patch
@ -104,7 +90,6 @@ Patch22: 0022-Uninitialized-variable.patch
Patch23: 0023-merge-into-clang-more-Memory-leaks.patch
Patch24: 0024-Add-missing-return-type-declaration.patch
Patch25: 0025-Discards-const-qualifier.patch
Patch26: 0026-Add-missing-case-for-cm_prefs_aes192.patch
%description
Certmonger is a service which is primarily concerned with getting your
@ -114,21 +99,6 @@ system enrolled with a certificate authority (CA) and keeping it enrolled.
%setup -q
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
@ -137,7 +107,6 @@ system enrolled with a certificate authority (CA) and keeping it enrolled.
%patch23 -p1
%patch24 -p1
%patch25 -p1
%patch26 -p1
%build
autoreconf -i -f
@ -264,6 +233,15 @@ exit 0
%endif
%changelog
* Tue May 14 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-3
- Rebuild for new annobin (#1708095)
* Fri May 10 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-2
- Rebuild for new annobin (#1708095)
* Thu May 9 2019 Alexander Bokovoy <abokovoy@redhat.com> - 0.79.7-1
- Rebase to 0.79.7 (#1708095)
* Mon Oct 8 2018 Rob Crittenden <rcritten@redhat.com> - 0.79.6-5
- Address more issues uncovered by static analysis (#1632449)