rpms/certmonger
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Update to upstream 0.79.7

Browse Source 
Also fix rpm warning about embedded % in a comment
This commit is contained in:
Rob Crittenden 2019-02-18 11:31:54 -05:00
parent b7968d8ead
commit 7eca3b6000
18 changed files with 10 additions and 2485 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -123,3 +123,4 @@ certmonger-0.28.tar.gz
/certmonger-0.79.4.tar.gz
/certmonger-0.79.5.tar.gz
/certmonger-0.79.6.tar.gz
/certmonger-0.79.7.tar.gz

1016
0002-Use-the-correct-slot-when-saving-certificates-in-NSS.patch
View File

File diff suppressed because it is too large Load Diff

49
0003-Include-the-token-name-when-a-PIN-is-provided-but-is.patch
View File

@ -1,49 +0,0 @@
From c029b32c04a9a5993b9c8715fb82421fee613137 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 31 Aug 2018 10:37:12 -0400
Subject: [PATCH 2/7] Include the token name when a PIN is provided but is
unused
This improves the output so the user will know which token
the PIN is missing for. Theoretically it should be the token
they asked for but this will show certmogner's view of it.
---
src/certread-n.c | 6 +++---
src/keygen-n.c | 4 ++--
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/certread-n.c b/src/certread-n.c
index f2e78c07..57a38dcf 100644
--- a/src/certread-n.c
+++ b/src/certread-n.c
@@ -259,9 +259,9 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
if ((pin != NULL) &&
(strlen(pin) > 0) &&
(cb_data.n_attempts == 0)) {
- cm_log(1, "PIN was not needed to auth to cert "
- "db, though one was provided. "
- "Treating this as an error.\n");
+ cm_log(1, "PIN was not needed to auth to token "
+ "%s, though one was provided. "
+ "Treating this as an error.\n", token);
goto next_slot;
}
}
diff --git a/src/keygen-n.c b/src/keygen-n.c
index 8078a520..84b0bbd3 100644
--- a/src/keygen-n.c
+++ b/src/keygen-n.c
@@ -400,8 +400,8 @@ next_slot:
(strlen(pin) > 0) &&
(cb_data.n_attempts == 0)) {
cm_log(1, "PIN was not needed to auth to key "
- "store, though one was provided. "
- "Treating this as an error.\n");
+ "store token %s, though one was provided. "
+ "Treating this as an error.\n", token);
PK11_FreeSlotList(slotlist);
error = NSS_ShutdownContext(ctx);
if (error != SECSuccess) {
--
2.14.4

134
0004-Add-utility-function-to-get-the-internal-token-name.patch
View File

@ -1,134 +0,0 @@
From f396b19b2c222fa0a50e9bb9704059af4578e678 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 31 Aug 2018 12:08:35 -0400
Subject: [PATCH 3/7] Add utility function to get the internal token name
The NSS internal token is the default if no token is specified for
the cert or the key.
---
src/certread-n.c | 6 +++++-
src/certsave-n.c | 3 +++
src/keygen-n.c | 3 +++
src/keyiread-n.c | 3 +++
src/submit-n.c | 5 ++++-
src/util-n.c | 6 ++++++
src/util-n.h | 1 +
7 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/src/certread-n.c b/src/certread-n.c
index 57a38dcf..1d9217c6 100644
--- a/src/certread-n.c
+++ b/src/certread-n.c
@@ -190,6 +190,9 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
cm_log(1, "Error reading PIN for cert db.\n");
_exit(CM_SUB_STATUS_ERROR_AUTH);
}
+ if (entry->cm_cert_token == NULL) {
+ entry->cm_cert_token = util_internal_token_name();
+ }
PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
for (sle = slotlist->head;
((sle != NULL) && (sle->slot != NULL));
@@ -253,7 +256,8 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
}
error = PK11_Authenticate(sle->slot, PR_TRUE, &cb_data);
if (error != SECSuccess) {
- cm_log(1, "Error authenticating to cert db.\n");
+ cm_log(1, "certread-n: Error authenticating to cert db "
+ "slot %s.\n", PK11_GetTokenName(sle->slot));
goto next_slot;
}
if ((pin != NULL) &&
diff --git a/src/certsave-n.c b/src/certsave-n.c
index af176ce5..193309c5 100644
--- a/src/certsave-n.c
+++ b/src/certsave-n.c
@@ -214,6 +214,9 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
_exit(CM_SUB_STATUS_ERROR_AUTH);
}
PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
+ if (entry->cm_cert_token == NULL) {
+ entry->cm_cert_token = util_internal_token_name();
+ }
for (sle = slotlist->head;
((sle != NULL) && (sle->slot != NULL));
sle = sle->next)
diff --git a/src/keygen-n.c b/src/keygen-n.c
index 84b0bbd3..f7fdf6c0 100644
--- a/src/keygen-n.c
+++ b/src/keygen-n.c
@@ -272,6 +272,9 @@ cm_keygen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
cm_log(1, "Error locating token for key generation.\n");
_exit(CM_SUB_STATUS_ERROR_NO_TOKEN);
}
+ if (entry->cm_cert_token == NULL) {
+ entry->cm_cert_token = util_internal_token_name();
+ }
/* Walk the list looking for the requested slot, or the first one if
* none was requested. */
slot = NULL;
diff --git a/src/keyiread-n.c b/src/keyiread-n.c
index 89913aa2..b8408bf1 100644
--- a/src/keyiread-n.c
+++ b/src/keyiread-n.c
@@ -152,6 +152,9 @@ cm_keyiread_n_get_keys(struct cm_store_entry *entry, int readwrite)
_exit(CM_SUB_STATUS_ERROR_AUTH);
}
PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
+ if (entry->cm_key_token == NULL) {
+ entry->cm_key_token = util_internal_token_name();
+ }
n_tokens = 0;
pubkey = NULL;
/* In practice, the internal slot is either a non-storage slot (in
diff --git a/src/submit-n.c b/src/submit-n.c
index 872153ea..da07d253 100644
--- a/src/submit-n.c
+++ b/src/submit-n.c
@@ -346,6 +346,9 @@ cm_submit_n_decrypt_envelope(const unsigned char *envelope,
cm_log(1, "Error reading PIN for key storage.\n");
goto done;
}
+ if (args->entry->cm_key_token == NULL) {
+ args->entry->cm_key_token = util_internal_token_name();
+ }
PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
n_tokens = 0;
/* In practice, the internal slot is either a non-storage slot (in
@@ -402,7 +405,7 @@ cm_submit_n_decrypt_envelope(const unsigned char *envelope,
}
error = PK11_Authenticate(slot, PR_TRUE, &cb_data);
if (error != SECSuccess) {
- cm_log(1, "Error authenticating to token "
+ cm_log(1, "submit-n: Error authenticating to token "
"\"%s\".\n", token);
goto done;
}
diff --git a/src/util-n.c b/src/util-n.c
index 7805e58e..293e2583 100644
--- a/src/util-n.c
+++ b/src/util-n.c
@@ -287,3 +287,9 @@ util_set_db_entry_cert_owner(const char *dbdir, struct cm_store_entry *entry)
util_set_db_owner_perms(dbdir, secmoddb, entry->cm_cert_owner,
entry->cm_cert_perms);
}
+
+char *
+util_internal_token_name()
+{
+ return strdup(PK11_GetTokenName(PK11_GetInternalKeySlot()));
+}
diff --git a/src/util-n.h b/src/util-n.h
index 8a918d5c..637fd4b1 100644
--- a/src/util-n.h
+++ b/src/util-n.h
@@ -29,5 +29,6 @@ void util_set_db_entry_key_owner(const char *dbdir,
struct cm_store_entry *entry);
void util_set_db_entry_cert_owner(const char *dbdir,
struct cm_store_entry *entry);
+char * util_internal_token_name();
#endif
--
2.14.4

41
0005-Only-de-duplicate-certificates-within-the-same-token.patch
View File

@ -1,41 +0,0 @@
From 6ebe5695a626c6cd254b249bbebf9846bcb936c0 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 4 Sep 2018 11:06:13 -0400
Subject: [PATCH 4/7] Only de-duplicate certificates within the same token
certmonger may not have read/write access to tokens other than
the one it is examining so don't try to de-duplicate certificates
on other tokens.
---
src/certsave-n.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/certsave-n.c b/src/certsave-n.c
index 193309c5..d0152cad 100644
--- a/src/certsave-n.c
+++ b/src/certsave-n.c
@@ -391,8 +391,9 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
!CERT_LIST_EMPTY(certlist) &&
!CERT_LIST_END(node, certlist);
node = CERT_LIST_NEXT(node)) {
- if (!SECITEM_ItemsAreEqual(&subject,
- &node->cert->derSubject)) {
+ if ((!SECITEM_ItemsAreEqual(&subject,
+ &node->cert->derSubject)) &&
+ (sle->slot == node->cert->slot)) {
cm_log(3, "Found a "
"certificate "
"with the same "
@@ -441,7 +442,8 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
node = CERT_LIST_NEXT(node)) {
if ((node->cert->nickname != NULL) &&
(strcmp(entry->cm_cert_nickname,
- node->cert->nickname) != 0))
+ node->cert->nickname) != 0) &&
+ (sle->slot == node->cert->slot))
{
i++;
cm_log(3, "Found a "
--
2.14.4

30
0006-Ensure-that-an-OpenSSL-random-seed-file-exists-when-.patch
View File

@ -1,30 +0,0 @@
From 697dd085e7b2ce15eefc454509987270131d7f1e Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 4 Sep 2018 16:59:28 -0400
Subject: [PATCH 5/7] Ensure that an OpenSSL random seed file exists when
testing
Otherwise some openssl command-line invocations will fail and
because of the way the tests are done the error message is not
shown.
---
tests/Makefile.am | 3 +++
1 file changed, 3 insertions(+)
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 4e407434..fe368dc0 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -433,6 +433,9 @@ subdirs += \
endif
check: all
+ if [ ! -e $$HOME/.rnd ] ; then \
+ openssl rand -writerand $$HOME/.rnd; \
+ fi
for required in certutil cmsutil pk12util openssl diff cmp mktemp \
dos2unix unix2dos dbus-launch ; do \
which $$required || exit 1; \
--
2.14.4

29
0007-Log-test-failures-of-bad-pin.patch
View File

@ -1,29 +0,0 @@
From e93ecadec7c868f4227e084ffb65c70a6efd7314 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 4 Sep 2018 18:12:18 -0400
Subject: [PATCH 6/7] Log test failures of bad pin
Previously this would show a "don't know why" failure.
---
tests/tools/certsave.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/tests/tools/certsave.c b/tests/tools/certsave.c
index ac0f73ec..fd86a4c1 100644
--- a/tests/tools/certsave.c
+++ b/tests/tools/certsave.c
@@ -106,6 +106,11 @@ main(int argc, char **argv)
printf("Failed to save (%s:%s), "
"filesystem permissions error.\n",
ctype, entry->cm_cert_storage_location);
+ } else
+ if (cm_certsave_pin_error(state) == 0) {
+ printf("Failed to save (%s:%s), "
+ "pin error.\n",
+ ctype, entry->cm_cert_storage_location);
} else {
printf("Failed to save (%s:%s), "
"don't know why.\n",
--
2.14.4

95
0008-Use-only-PK11_ImportCert-to-import-certs-not-CERT_Im.patch
View File

@ -1,95 +0,0 @@
From 15d406ee3afbb52832d5c61a1afb735724d109a2 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 18 Sep 2018 10:21:28 -0400
Subject: [PATCH 7/7] Use only PK11_ImportCert to import certs, not
CERT_ImportCerts
CERT_ImportCerts always imports a given certificate into the
certificate database, whether a token is requested or not.
Using PK11_ImportCert will import the cert, associate the key
properly and will only add the certificate to the appropriate
token.
---
src/certsave-n.c | 37 +++++++++++--------------------------
1 file changed, 11 insertions(+), 26 deletions(-)
diff --git a/src/certsave-n.c b/src/certsave-n.c
index d0152cad..fcb43148 100644
--- a/src/certsave-n.c
+++ b/src/certsave-n.c
@@ -100,7 +100,7 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
NSSInitContext *ctx;
CERTCertDBHandle *certdb;
CERTCertList *certlist;
- CERTCertificate **returned, *oldcert, cert;
+ CERTCertificate *oldcert, *newcert, cert;
CERTCertTrust trust;
CERTSignedData csdata;
CERTCertListNode *node;
@@ -497,33 +497,18 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
}
}
/* Import the certificate. */
- returned = NULL;
- error = CERT_ImportCerts(certdb,
- certUsageUserCertImport,
- 1, &item, &returned,
- PR_TRUE,
- PR_FALSE,
- entry->cm_cert_nickname);
- ec = PORT_GetError();
- if (error == SECSuccess) {
- /* If NSS uses SQL DB storage, CERT_ImportCerts creates
- * an incomplete internal state (the cert isn't
- * associated with the private key, and calling
- * PK11_FindKeyByAnyCert returns no result).
- * As a workaround, we import the cert again using
- * PK11_ImportCert, which magically fixes the issue.
- * See rhbz#1532188 */
+ newcert = CERT_DecodeCertFromPackage((char *)item->data, item->len);
+ if (newcert != NULL) {
error = PK11_ImportCert(sle->slot,
- returned[0],
+ newcert,
CK_INVALID_HANDLE,
- returned[0]->nickname,
+ entry->cm_cert_nickname,
PR_FALSE);
}
if (error == SECSuccess) {
- cm_log(1, "Imported certificate \"%s\", got "
+ cm_log(1, "Imported certificate with "
"nickname \"%s\".\n",
- entry->cm_cert_nickname,
- returned[0]->nickname);
+ entry->cm_cert_nickname);
status = 0;
/* Set the trust on the new certificate,
* perhaps matching the trust on an
@@ -536,7 +521,7 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
trust.objectSigningFlags = CERTDB_USER;
}
error = CERT_ChangeCertTrust(certdb,
- returned[0],
+ newcert,
&trust);
ec = PORT_GetError();
if (error != SECSuccess) {
@@ -621,10 +606,10 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
}
/* If we managed to import the certificate, mark its
* key for having its nickname removed. */
- if ((returned != NULL) && (returned[0] != NULL)) {
- privkey = PK11_FindKeyByAnyCert(returned[0], NULL);
+ if (newcert != NULL) {
+ privkey = PK11_FindKeyByAnyCert(newcert, NULL);
privkeys = add_privkey_to_list(privkeys, privkey);
- CERT_DestroyCertArray(returned, 1);
+ CERT_DestroyCertificate(newcert);
}
/* In case we're rekeying, but failed, mark the
* candidate key for name-clearing or removal, too. */
--
2.14.4

95
0009-Fix-memory-leak-in-util_internal_token_name.patch
View File

@ -1,95 +0,0 @@
From 5d2554ed31fa6bc121d94efe533f9e4fea3900aa Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 4 Oct 2018 08:21:35 -0400
Subject: [PATCH 09/16] Fix memory leak in util_internal_token_name()
Allocate memory using the talloc context instead of relying on
the caller to call free().
---
src/certread-n.c | 2 +-
src/certsave-n.c | 2 +-
src/keygen-n.c | 2 +-
src/keyiread-n.c | 2 +-
src/submit-n.c | 2 +-
src/util-n.c | 2 +-
6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/certread-n.c b/src/certread-n.c
index 1d9217c6..d535030b 100644
--- a/src/certread-n.c
+++ b/src/certread-n.c
@@ -191,7 +191,7 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
_exit(CM_SUB_STATUS_ERROR_AUTH);
}
if (entry->cm_cert_token == NULL) {
- entry->cm_cert_token = util_internal_token_name();
+ entry->cm_cert_token = talloc_strdup(entry, util_internal_token_name());
}
PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
for (sle = slotlist->head;
diff --git a/src/certsave-n.c b/src/certsave-n.c
index fcb43148..49b28324 100644
--- a/src/certsave-n.c
+++ b/src/certsave-n.c
@@ -215,7 +215,7 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
}
PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
if (entry->cm_cert_token == NULL) {
- entry->cm_cert_token = util_internal_token_name();
+ entry->cm_cert_token = talloc_strdup(entry, util_internal_token_name());
}
for (sle = slotlist->head;
((sle != NULL) && (sle->slot != NULL));
diff --git a/src/keygen-n.c b/src/keygen-n.c
index f7fdf6c0..76a5c1d3 100644
--- a/src/keygen-n.c
+++ b/src/keygen-n.c
@@ -273,7 +273,7 @@ cm_keygen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
_exit(CM_SUB_STATUS_ERROR_NO_TOKEN);
}
if (entry->cm_cert_token == NULL) {
- entry->cm_cert_token = util_internal_token_name();
+ entry->cm_cert_token = talloc_strdup(entry, util_internal_token_name());
}
/* Walk the list looking for the requested slot, or the first one if
* none was requested. */
diff --git a/src/keyiread-n.c b/src/keyiread-n.c
index b8408bf1..8f46ec0f 100644
--- a/src/keyiread-n.c
+++ b/src/keyiread-n.c
@@ -153,7 +153,7 @@ cm_keyiread_n_get_keys(struct cm_store_entry *entry, int readwrite)
}
PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
if (entry->cm_key_token == NULL) {
- entry->cm_key_token = util_internal_token_name();
+ entry->cm_key_token = talloc_strdup(entry, util_internal_token_name());
}
n_tokens = 0;
pubkey = NULL;
diff --git a/src/submit-n.c b/src/submit-n.c
index da07d253..ee6f3105 100644
--- a/src/submit-n.c
+++ b/src/submit-n.c
@@ -347,7 +347,7 @@ cm_submit_n_decrypt_envelope(const unsigned char *envelope,
goto done;
}
if (args->entry->cm_key_token == NULL) {
- args->entry->cm_key_token = util_internal_token_name();
+ args->entry->cm_key_token = talloc_strdup(args->entry, util_internal_token_name());
}
PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
n_tokens = 0;
diff --git a/src/util-n.c b/src/util-n.c
index 293e2583..4ab3d47b 100644
--- a/src/util-n.c
+++ b/src/util-n.c
@@ -291,5 +291,5 @@ util_set_db_entry_cert_owner(const char *dbdir, struct cm_store_entry *entry)
char *
util_internal_token_name()
{
- return strdup(PK11_GetTokenName(PK11_GetInternalKeySlot()));
+ return PK11_GetTokenName(PK11_GetInternalKeySlot());
}
--
2.14.4

266
0010-clang-Dead-assignment.patch
View File

@ -1,266 +0,0 @@
From 648fe74986f2a84416805cfd73206e9e67166ae2 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 13 Sep 2018 15:40:23 -0400
Subject: [PATCH 10/16] clang: Dead assignment
---
src/casave.c | 4 +++-
src/keygen-n.c | 1 -
src/keyiread-n.c | 1 -
src/store-files.c | 2 --
src/store-gen.c | 3 ---
src/submit-e.c | 54 ++++++++++++++++++++++++++------------------------
src/submit-u.c | 2 --
src/tdbush.c | 8 ++++++--
tests/tools/addcinfo.c | 1 -
tests/tools/certsave.c | 4 +++-
10 files changed, 40 insertions(+), 40 deletions(-)
diff --git a/src/casave.c b/src/casave.c
index 5fb31b8d..bde63f99 100644
--- a/src/casave.c
+++ b/src/casave.c
@@ -163,7 +163,6 @@ cm_casave_main_n(int fd, struct cm_store_ca *ca, struct cm_store_entry *e,
decoded = CERT_DecodeCertFromPackage(package,
strlen(package));
p = state->certs[i]->nickname;
- ttrust = ",,";
switch (state->certs[i]->level) {
case root:
case other_root:
@@ -178,6 +177,9 @@ cm_casave_main_n(int fd, struct cm_store_ca *ca, struct cm_store_entry *e,
ttrust = ",,";
}
break;
+ default:
+ ttrust = ",,";
+ break;
}
memset(&trust, 0, sizeof(trust));
CERT_DecodeTrustString(&trust, ttrust);
diff --git a/src/keygen-n.c b/src/keygen-n.c
index 76a5c1d3..061bd2af 100644
--- a/src/keygen-n.c
+++ b/src/keygen-n.c
@@ -591,7 +591,6 @@ retry_gen:
break;
}
}
- generated_size = SECKEY_PublicKeyStrengthInBits(pubkey);
cm_log(1, "Ended up with %d bit public key.\n",
SECKEY_PublicKeyStrengthInBits(pubkey));
/* Check for keys with the desired name, selecting a new name if
diff --git a/src/keyiread-n.c b/src/keyiread-n.c
index 8f46ec0f..91b1be41 100644
--- a/src/keyiread-n.c
+++ b/src/keyiread-n.c
@@ -492,7 +492,6 @@ cm_keyiread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
readwrite = settings->readwrite;
keys = cm_keyiread_n_get_keys(entry, readwrite);
alg = "";
- size = 0;
if (keys != NULL) {
switch (SECKEY_GetPrivateKeyType(keys->privkey)) {
case rsaKey:
diff --git a/src/store-files.c b/src/store-files.c
index 06a17485..df1fa336 100644
--- a/src/store-files.c
+++ b/src/store-files.c
@@ -2182,7 +2182,6 @@ cm_store_entry_delete(struct cm_store_entry *entry)
} else {
cm_log(3, "No file to remove for \"%s\".\n",
entry->cm_nickname);
- ret = 0;
}
return 0;
}
@@ -2469,7 +2468,6 @@ cm_store_ca_delete(struct cm_store_ca *ca)
}
} else {
cm_log(3, "No file to remove for \"%s\".\n", ca->cm_nickname);
- ret = 0;
}
return 0;
}
diff --git a/src/store-gen.c b/src/store-gen.c
index 5ce4ab84..da32afc8 100644
--- a/src/store-gen.c
+++ b/src/store-gen.c
@@ -530,8 +530,6 @@ cm_store_hex_to_bin(const char *serial, unsigned char *buf, int length)
const char *p, *q, *chars = "0123456789abcdef";
unsigned char *b, u;
- p = serial;
- b = buf;
u = 0;
for (p = serial, b = buf;
((*p != '\0') && ((b - buf) < length));
@@ -606,7 +604,6 @@ cm_store_canonicalize_path(void *parent, const char *path)
for (p = tmp; *p != '\0'; p++) {
if ((strncmp(p, "/.", 2) == 0) &&
((p[2] == '/') || (p[2] == '\0'))) {
- q = p - 1;
memmove(p, p + 2, strlen(p + 2) + 1);
}
}
diff --git a/src/submit-e.c b/src/submit-e.c
index 8ba8e44c..d6158d7a 100644
--- a/src/submit-e.c
+++ b/src/submit-e.c
@@ -587,32 +587,34 @@ cm_submit_e_postprocess_main(int fd, struct cm_store_ca *ca,
estate->msg_length, NULL);
msg = cm_json_new_object(estate);
chain = cm_json_new_array(msg);
- if (leaf != NULL) {
- cert = cm_json_new_string(msg, leaf, -1);
- cm_json_set(msg, CM_SUBMIT_E_CERTIFICATE, cert);
- }
- for (i = 0;
- (others != NULL) && (others[i] != NULL);
- i++) {
- cert = cm_json_new_object(chain);
- val = cm_json_new_string(cert, others[i], -1);
- cm_json_set(cert, CM_SUBMIT_E_CERTIFICATE, val);
- nthnick = talloc_asprintf(cert, "chain #%d", i + 1);
- nick = cm_json_new_string(cert, nthnick, -1);
- cm_json_set(cert, CM_SUBMIT_E_NICKNAME, nick);
- cm_json_append(chain, cert);
- }
- if (top!= NULL) {
- cert = cm_json_new_object(chain);
- val = cm_json_new_string(cert, top, -1);
- cm_json_set(cert, CM_SUBMIT_E_CERTIFICATE, val);
- nthnick = talloc_asprintf(cert, "chain #%d", i + 1);
- nick = cm_json_new_string(cert, nthnick, -1);
- cm_json_set(cert, CM_SUBMIT_E_NICKNAME, nick);
- cm_json_append(chain, cert);
- }
- if (cm_json_array_size(chain) > 0) {
- cm_json_set(msg, CM_SUBMIT_E_CHAIN, chain);
+ if (i == 0) {
+ if (leaf != NULL) {
+ cert = cm_json_new_string(msg, leaf, -1);
+ cm_json_set(msg, CM_SUBMIT_E_CERTIFICATE, cert);
+ }
+ for (i = 0;
+ (others != NULL) && (others[i] != NULL);
+ i++) {
+ cert = cm_json_new_object(chain);
+ val = cm_json_new_string(cert, others[i], -1);
+ cm_json_set(cert, CM_SUBMIT_E_CERTIFICATE, val);
+ nthnick = talloc_asprintf(cert, "chain #%d", i + 1);
+ nick = cm_json_new_string(cert, nthnick, -1);
+ cm_json_set(cert, CM_SUBMIT_E_NICKNAME, nick);
+ cm_json_append(chain, cert);
+ }
+ if (top!= NULL) {
+ cert = cm_json_new_object(chain);
+ val = cm_json_new_string(cert, top, -1);
+ cm_json_set(cert, CM_SUBMIT_E_CERTIFICATE, val);
+ nthnick = talloc_asprintf(cert, "chain #%d", i + 1);
+ nick = cm_json_new_string(cert, nthnick, -1);
+ cm_json_set(cert, CM_SUBMIT_E_NICKNAME, nick);
+ cm_json_append(chain, cert);
+ }
+ if (cm_json_array_size(chain) > 0) {
+ cm_json_set(msg, CM_SUBMIT_E_CHAIN, chain);
+ }
}
}
/* Get ready to build an output message. */
diff --git a/src/submit-u.c b/src/submit-u.c
index dda2edbc..b0b45baf 100644
--- a/src/submit-u.c
+++ b/src/submit-u.c
@@ -120,14 +120,12 @@ cm_submit_u_from_file_single(const char *filename)
if (csr == NULL) {
return NULL;
}
- p = csr;
for (i = 0; i < sizeof(strip) / sizeof(strip[0]); i++) {
while ((p = strstr(csr, strip[i])) != NULL) {
q = p + strcspn(p, "\r\n");
memmove(p, q, strlen(q) + 1);
}
}
- p = csr;
q = strdup(csr);
for (p = csr, i = 0; *p != '\0'; p++) {
if (strchr("\r\n\t ", *p) == NULL) {
diff --git a/src/tdbush.c b/src/tdbush.c
index 1d487222..3184e67a 100644
--- a/src/tdbush.c
+++ b/src/tdbush.c
@@ -2911,7 +2911,6 @@ request_get_key_type_and_size(DBusConnection *conn, DBusMessage *msg,
return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
}
rep = dbus_message_new_method_return(msg);
- type = "UNKNOWN";
switch (entry->cm_key_type.cm_key_algorithm) {
case cm_key_unspecified:
type = "UNKNOWN";
@@ -2929,6 +2928,9 @@ request_get_key_type_and_size(DBusConnection *conn, DBusMessage *msg,
type = "EC";
break;
#endif
+ default:
+ type = "UNKNOWN";
+ break;
}
if (rep != NULL) {
size = entry->cm_key_type.cm_key_size;
@@ -4790,7 +4792,6 @@ cm_tdbush_introspect_method(void *parent,
method->cm_name);
arg = method->cm_args;
while (arg != NULL) {
- direction = "unknown";
switch (arg->cm_direction) {
case cm_tdbush_method_arg_in:
direction = "in";
@@ -4798,6 +4799,9 @@ cm_tdbush_introspect_method(void *parent,
case cm_tdbush_method_arg_out:
direction = "out";
break;
+ default:
+ direction = "unknown";
+ break;
}
ret = talloc_asprintf(parent,
"%s\n <arg name=\"%s\" type=\"%s\" "
diff --git a/tests/tools/addcinfo.c b/tests/tools/addcinfo.c
index d3cea2ca..f016acb4 100644
--- a/tests/tools/addcinfo.c
+++ b/tests/tools/addcinfo.c
@@ -98,7 +98,6 @@ main(int argc, char **argv)
PR_ErrorToName(PORT_GetError()));
return 1;
}
- n = encoded.len;
j = 0;
while ((i = write(STDOUT_FILENO, encoded.data + j, encoded.len - j)) > 0) {
j += i;
diff --git a/tests/tools/certsave.c b/tests/tools/certsave.c
index fd86a4c1..8ec60ddd 100644
--- a/tests/tools/certsave.c
+++ b/tests/tools/certsave.c
@@ -83,7 +83,6 @@ main(int argc, char **argv)
if (cm_certsave_saved(state) == 0) {
ret = 0;
} else {
- ctype = "unknown";
switch (entry->cm_cert_storage_type) {
case cm_cert_storage_file:
ctype = "FILE";
@@ -91,6 +90,9 @@ main(int argc, char **argv)
case cm_cert_storage_nssdb:
ctype = "NSS";
break;
+ default:
+ ctype = "unknown";
+ break;
}
if (cm_certsave_conflict_subject(state) == 0) {
printf("Failed to save (%s:%s), "
--
2.14.4

437
0011-clang-Memory-leak.patch
View File

@ -1,437 +0,0 @@
From 3310a25181e94f5e05e671acc12d008cbac339ab Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 13 Sep 2018 15:50:53 -0400
Subject: [PATCH 11/16] clang: Memory leak
---
src/certmaster.c | 3 +++
src/certsave-o.c | 1 +
src/dogtag.c | 3 +++
src/ipa.c | 9 ++++++++-
src/local.c | 5 +++++
src/scep.c | 5 +++++
src/srvloc.c | 1 +
src/store-files.c | 2 +-
src/submit-x.c | 22 ++++++++++++++++++++++
src/util.c | 8 +++++++-
tests/tools/addcinfo.c | 3 +++
tests/tools/base2pem.c | 1 +
tests/tools/pem2base.c | 1 +
13 files changed, 61 insertions(+), 3 deletions(-)
diff --git a/src/certmaster.c b/src/certmaster.c
index 7e0bed90..4a5cf6af 100644
--- a/src/certmaster.c
+++ b/src/certmaster.c
@@ -160,6 +160,7 @@ main(int argc, const char **argv)
CM_SUBMIT_CSR_ENV);
}
poptPrintUsage(pctx, stdout, 0);
+ free(csr);
return CM_SUBMIT_STATUS_UNCONFIGURED;
}
@@ -185,11 +186,13 @@ main(int argc, const char **argv)
if (ctx == NULL) {
fprintf(stderr, "Error setting up for XMLRPC.\n");
printf(_("Error setting up for XMLRPC.\n"));
+ free(csr);
return CM_SUBMIT_STATUS_UNCONFIGURED;
}
/* Add the CSR as the sole argument. */
cm_submit_x_add_arg_s(ctx, csr);
+ free(csr);
/* Submit the request. */
fprintf(stderr, "Submitting request to \"%s\".\n", uri);
diff --git a/src/certsave-o.c b/src/certsave-o.c
index 77f54d7e..3d4018d8 100644
--- a/src/certsave-o.c
+++ b/src/certsave-o.c
@@ -258,6 +258,7 @@ cm_certsave_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
if (bin != NULL) {
BN_bn2bin(bn, bin);
serial = cm_store_hex_from_bin(NULL, bin, BN_num_bytes(bn));
+ free(bin);
}
}
if (serial != NULL) {
diff --git a/src/dogtag.c b/src/dogtag.c
index cd0b38b7..55607f3d 100644
--- a/src/dogtag.c
+++ b/src/dogtag.c
@@ -536,6 +536,7 @@ main(int argc, const char **argv)
CM_SUBMIT_CSR_ENV);
}
poptPrintUsage(pctx, stdout, 0);
+ free(csr);
return CM_SUBMIT_STATUS_UNCONFIGURED;
}
csr = cm_submit_u_url_encode(csr);
@@ -588,6 +589,8 @@ main(int argc, const char **argv)
params = talloc_asprintf(ctx,
"%s&%s=%s",
params, p, q);
+ free(p);
+ free(q);
}
use_agent_approval = FALSE;
break;
diff --git a/src/ipa.c b/src/ipa.c
index 67a0c651..acd1a4e2 100644
--- a/src/ipa.c
+++ b/src/ipa.c
@@ -226,6 +226,7 @@ cm_locate_xmlrpc_service(const char *server,
if (basedn == NULL) {
i = cm_find_default_naming_context(ld, &basedn);
if (i != 0) {
+ free(basedn);
return i;
}
}
@@ -526,6 +527,7 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
if (basedn == NULL) {
i = cm_find_default_naming_context(ld, &basedn);
if (i != 0) {
+ free(basedn);
return i;
}
}
@@ -802,6 +804,7 @@ main(int argc, const char **argv)
printf(_("Unable to read signing request from environment variable \"%s\".\n"),
CM_SUBMIT_CSR_ENV);
}
+ free(csr);
poptPrintUsage(pctx, stdout, 0);
return CM_SUBMIT_STATUS_UNCONFIGURED;
}
@@ -903,12 +906,16 @@ main(int argc, const char **argv)
if ((strcasecmp(mode, CM_OP_SUBMIT) == 0) ||
(strcasecmp(mode, CM_OP_POLL) == 0)) {
- return submit_or_poll(uri, cainfo, capath, server,
+ int ret;
+ ret = submit_or_poll(uri, cainfo, capath, server,
ldap_uri_cmd, ldap_uri, host, domain,
basedn, uid, pwd, csr, reqprinc, profile,
issuer);
+ free(csr);
+ return ret;
} else
if (strcasecmp(mode, CM_OP_FETCH_ROOTS) == 0) {
+ free(csr);
return fetch_roots(server, ldap_uri_cmd, ldap_uri, host,
uid, pwd, domain, basedn);
}
diff --git a/src/local.c b/src/local.c
index f437d62e..92bea144 100644
--- a/src/local.c
+++ b/src/local.c
@@ -559,6 +559,7 @@ main(int argc, const char **argv)
printf(_("Unable to read signing request.\n"));
cm_log(1, "Unable to read signing request.\n");
poptPrintUsage(pctx, stdout, 0);
+ free(csr);
return CM_SUBMIT_STATUS_UNCONFIGURED;
}
/* Take the lock. */
@@ -568,6 +569,7 @@ main(int argc, const char **argv)
&signer, &key);
if ((i != 0) || (signer == NULL)) {
cm_log(1, "Error reading signer info.\n");
+ free(csr);
/* Try again sometime later. */
return CM_SUBMIT_STATUS_UNREACHABLE;
}
@@ -577,11 +579,13 @@ main(int argc, const char **argv)
if ((fp == NULL) && (errno != ENOENT)) {
cm_log(1, "Error reading '%s': %s.\n", serial,
strerror(errno));
+ free(csr);
return CM_SUBMIT_STATUS_UNREACHABLE;
}
if (fp != NULL) {
if (fgets(buf, sizeof(buf), fp) == NULL) {
fclose(fp);
+ free(csr);
return CM_SUBMIT_STATUS_UNREACHABLE;
}
buf[strcspn(buf, "\r\n")] = '\0';
@@ -601,6 +605,7 @@ main(int argc, const char **argv)
/* Actually sign the request. */
i = cm_submit_o_sign(parent, csr, signer, key, hexserial,
now, 0, &cert);
+ free(csr);
if ((i == 0) && (cert != NULL)) {
/* Roll the serial number up. */
hexserial = cm_store_increment_serial(parent,
diff --git a/src/scep.c b/src/scep.c
index 72dff3d5..68eae788 100644
--- a/src/scep.c
+++ b/src/scep.c
@@ -338,6 +338,7 @@ main(int argc, const char **argv)
}
if (c != -1) {
poptPrintUsage(pctx, stdout, 0);
+ free(cainfo);
return CM_SUBMIT_STATUS_UNCONFIGURED;
}
@@ -386,6 +387,7 @@ main(int argc, const char **argv)
}
if ((message == NULL) || (strlen(message) == 0)) {
printf(_("Error reading request. Expected PKCS7 data containing a GetInitialCert pkiMessage, got nothing.\n"));
+ free(cainfo);
return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
}
/* First step: read capabilities for our use. */
@@ -405,6 +407,7 @@ main(int argc, const char **argv)
}
if ((message == NULL) || (strlen(message) == 0)) {
printf(_("Error reading request. Expected PKCS7 data containing a PKCSReq pkiMessage, got nothing.\n"));
+ free(cainfo);
return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
}
/* First step: read capabilities for our use. */
@@ -416,6 +419,7 @@ main(int argc, const char **argv)
/* Supply help output, if it's needed. */
if (missing_args) {
poptPrintUsage(pctx, stdout, 0);
+ free(cainfo);
return CM_SUBMIT_STATUS_UNCONFIGURED;
}
@@ -492,6 +496,7 @@ main(int argc, const char **argv)
verbose > 1 ?
cm_submit_h_curl_verbose_on :
cm_submit_h_curl_verbose_off);
+ free(cainfo);
cm_submit_h_run(hctx);
content_type = cm_submit_h_result_type(hctx);
if (content_type == NULL) {
diff --git a/src/srvloc.c b/src/srvloc.c
index acab55bf..e8f3f5a5 100644
--- a/src/srvloc.c
+++ b/src/srvloc.c
@@ -189,6 +189,7 @@ cm_srvloc_resolve(void *parent, const char *name, const char *udomain,
domain = strdup(udomain);
#endif
i = res_querydomain(name, domain, C_IN, T_SRV, answer, answer_len);
+ free(domain);
if (i == -1) {
return -1;
}
diff --git a/src/store-files.c b/src/store-files.c
index df1fa336..b97ba5ff 100644
--- a/src/store-files.c
+++ b/src/store-files.c
@@ -558,8 +558,8 @@ cm_store_file_read_lines(void *parent, FILE *fp)
case ';':
break;
}
+ free(buf);
}
- free(buf);
/* If we were reading a line, append it to the list. */
if (s != NULL) {
tlines = talloc_realloc(parent, lines, char *, n_lines + 2);
diff --git a/src/submit-x.c b/src/submit-x.c
index 60bcf78a..fa81e9aa 100644
--- a/src/submit-x.c
+++ b/src/submit-x.c
@@ -75,6 +75,8 @@ cm_submit_x_ccache_realm(char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
+ } else {
+ free(ret);
}
return NULL;
}
@@ -84,6 +86,8 @@ cm_submit_x_ccache_realm(char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
+ } else {
+ free(ret);
}
return NULL;
}
@@ -93,6 +97,8 @@ cm_submit_x_ccache_realm(char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
+ } else {
+ free(ret);
}
return NULL;
}
@@ -139,6 +145,8 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
fprintf(stderr, "Error initializing Kerberos: %s.\n", ret);
if (msg != NULL) {
*msg = ret;
+ } else {
+ free(ret);
}
return kret;
}
@@ -152,6 +160,8 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
+ } else {
+ free(ret);
}
return kret;
}
@@ -163,6 +173,8 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
principal, ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
+ } else {
+ free(ret);
}
return kret;
}
@@ -174,6 +186,8 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
+ } else {
+ free(ret);
}
return kret;
}
@@ -195,6 +209,8 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
+ } else {
+ free(ret);
}
return kret;
}
@@ -213,6 +229,8 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
+ } else {
+ free(ret);
}
return kret;
}
@@ -227,6 +245,8 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
+ } else {
+ free(ret);
}
return kret;
}
@@ -237,6 +257,8 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
+ } else {
+ free(ret);
}
return kret;
}
diff --git a/src/util.c b/src/util.c
index 67143d52..373bb533 100644
--- a/src/util.c
+++ b/src/util.c
@@ -98,7 +98,7 @@ read_config_file(const char *filename)
char *
get_config_entry(char * in_data, const char *section, const char *key)
{
- char *ptr = NULL, *p, *tmp;
+ char *ptr = NULL, *p, *tmp = NULL;
char *line;
int in_section = 0;
char * data = strdup(in_data);
@@ -129,9 +129,12 @@ get_config_entry(char * in_data, const char *section, const char *key)
}
if (strcmp(section, tmp) == 0) {
free(tmp);
+ tmp = NULL;
in_section = 1;
continue;
}
+ free(tmp);
+ tmp = NULL;
}
} /* [ */
@@ -145,8 +148,10 @@ get_config_entry(char * in_data, const char *section, const char *key)
tmp = strndup(line, p - line);
if (strcmp(key, tmp) != 0) {
free(tmp);
+ tmp = NULL;
} else {
free(tmp);
+ tmp = NULL;
/* Skip over any whitespace after the equal sign. */
line = strchr(line, '=');
@@ -168,5 +173,6 @@ get_config_entry(char * in_data, const char *section, const char *key)
}
}
free(data);
+ free(tmp);
return NULL;
}
diff --git a/tests/tools/addcinfo.c b/tests/tools/addcinfo.c
index f016acb4..939005c2 100644
--- a/tests/tools/addcinfo.c
+++ b/tests/tools/addcinfo.c
@@ -86,6 +86,7 @@ main(int argc, char **argv)
if (enveloped == NULL) {
cm_log(0, "Internal error: %s.\n",
PR_ErrorToName(PORT_GetError()));
+ free(buffer);
return 1;
}
ci.content_type = enveloped->oid;
@@ -96,6 +97,7 @@ main(int argc, char **argv)
content_info_template) != &encoded) {
cm_log(0, "Encoding error: %s.\n",
PR_ErrorToName(PORT_GetError()));
+ free(buffer);
return 1;
}
j = 0;
@@ -105,5 +107,6 @@ main(int argc, char **argv)
break;
}
}
+ free(buffer);
return 0;
}
diff --git a/tests/tools/base2pem.c b/tests/tools/base2pem.c
index 40e74201..31359684 100644
--- a/tests/tools/base2pem.c
+++ b/tests/tools/base2pem.c
@@ -76,5 +76,6 @@ main(int argc, const char **argv)
}
}
printf("%s", cm_submit_u_pem_from_base64(type, dos, p));
+ free(p);
return 0;
}
diff --git a/tests/tools/pem2base.c b/tests/tools/pem2base.c
index 0607c162..bb686c0e 100644
--- a/tests/tools/pem2base.c
+++ b/tests/tools/pem2base.c
@@ -46,5 +46,6 @@ main(int argc, char **argv)
}
}
printf("%s\n", cm_submit_u_base64_from_text(p));
+ free(p);
return 0;
}
--
2.14.4

25
0012-clang-Uninitialized-initial-value.patch
View File

@ -1,25 +0,0 @@
From db0f835829b739cf843d44b08c22407194aadd71 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 13 Sep 2018 17:57:21 -0400
Subject: [PATCH 12/16] clang: Uninitialized initial value
---
src/submit-n.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/submit-n.c b/src/submit-n.c
index ee6f3105..b07ea23a 100644
--- a/src/submit-n.c
+++ b/src/submit-n.c
@@ -281,7 +281,7 @@ cm_submit_n_decrypt_envelope(const unsigned char *envelope,
PLArenaPool *arena = NULL;
SECStatus error;
NSSInitContext *ctx = NULL;
- PK11SlotInfo *slot;
+ PK11SlotInfo *slot = NULL;
PK11SlotList *slotlist = NULL;
PK11SlotListElement *sle;
SECKEYPrivateKeyList *keylist = NULL;
--
2.14.4

99
0013-clang-Null-pointer-passed-as-an-argument-to-a-nonnul.patch
View File

@ -1,99 +0,0 @@
From 753d98b3e70f34a52caabbe8db30bf06fc917f38 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 13 Sep 2018 11:46:51 -0400
Subject: [PATCH 13/16] clang: Null pointer passed as an argument to a
'nonnull' parameter
---
src/certsave-n.c | 3 ++-
src/getcert.c | 7 ++++---
src/scep.c | 8 ++++----
src/submit-sn.c | 7 +++++--
4 files changed, 15 insertions(+), 10 deletions(-)
diff --git a/src/certsave-n.c b/src/certsave-n.c
index 49b28324..972a1dfa 100644
--- a/src/certsave-n.c
+++ b/src/certsave-n.c
@@ -72,7 +72,8 @@ add_privkey_to_list(SECKEYPrivateKey **list, SECKEYPrivateKey *key)
if ((list == NULL) || (list[i] == NULL)) {
newlist = malloc(sizeof(newlist[0]) * (i + 2));
if (newlist != NULL) {
- memcpy(newlist, list, sizeof(newlist[0]) * i);
+ if (list != NULL)
+ memcpy(newlist, list, sizeof(newlist[0]) * i);
newlist[i] = key;
newlist[i + 1] = NULL;
list = newlist;
diff --git a/src/getcert.c b/src/getcert.c
index 6417cd44..ddb28de2 100644
--- a/src/getcert.c
+++ b/src/getcert.c
@@ -291,7 +291,8 @@ add_string(void *parent, char ***dest, const char *value)
printf(_("Out of memory.\n"));
exit(1);
}
- memcpy(tmp, *dest, sizeof(tmp[0]) * i);
+ if (*dest)
+ memcpy(tmp, *dest, sizeof(tmp[0]) * i);
tmp[i] = talloc_strdup(tmp, value);
i++;
tmp[i] = NULL;
@@ -1582,8 +1583,8 @@ add_basic_request(enum cm_tdbus_type bus, char *id,
{
DBusMessage *req, *rep;
int i;
- struct cm_tdbusm_dict param[28];
- const struct cm_tdbusm_dict *params[29];
+ struct cm_tdbusm_dict param[30];
+ const struct cm_tdbusm_dict *params[30];
dbus_bool_t b;
const char *capath;
char *p;
diff --git a/src/scep.c b/src/scep.c
index 68eae788..b0bd214b 100644
--- a/src/scep.c
+++ b/src/scep.c
@@ -793,8 +793,8 @@ main(int argc, const char **argv)
fprintf(stderr, "code_text = \"%s\"\n", cm_submit_h_result_code_text(hctx));
syslog(LOG_DEBUG, "%s %s?%s\n", "GET", url, params2);
}
- if (strcasecmp(content_type2,
- "application/x-x509-ca-cert") != 0) {
+ if ((content_type2 != NULL) && (strcasecmp(content_type2,
+ "application/x-x509-ca-cert") != 0)) {
if (verbose > 0) {
fprintf(stderr, "Content is not "
"\"application/x-x509-ca-cert\""
@@ -882,8 +882,8 @@ main(int argc, const char **argv)
break;
case op_get_cert_initial:
case op_pkcsreq:
- if (strcasecmp(content_type2,
- "application/x-pki-message") == 0) {
+ if ((content_type2 != NULL) && (strcasecmp(content_type2,
+ "application/x-pki-message") == 0)) {
memset(&cacerts, 0, sizeof(cacerts));
cacerts[0] = cacert ? cacert : racert;
cacerts[1] = cacert ? racert : NULL;
diff --git a/src/submit-sn.c b/src/submit-sn.c
index e9c62b22..ecd78dc0 100644
--- a/src/submit-sn.c
+++ b/src/submit-sn.c
@@ -258,8 +258,11 @@ cm_submit_sn_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
/* Allocate space for one more extension. */
extensions = PORT_ArenaZAlloc(arena, (i + 2) * sizeof(extensions[0]));
if (extensions != NULL) {
- memcpy(extensions, ucert->extensions,
- i * sizeof(extensions[0]));
+ if (i != 0) {
+ /* Note that C99 says copy of 0 items is ok, quieting clang */
+ memcpy(extensions, ucert->extensions,
+ i * sizeof(extensions[0]));
+ }
if (found_basic) {
extensions[i] = NULL;
} else {
--
2.14.4

24
0014-clang-Dead-increment.patch
View File

@ -1,24 +0,0 @@
From 9e44680dbd207cef48beb7598114ea59aa457055 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 14 Sep 2018 16:15:23 -0400
Subject: [PATCH 14/16] clang: Dead increment
---
src/store-gen.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/store-gen.c b/src/store-gen.c
index da32afc8..653767a1 100644
--- a/src/store-gen.c
+++ b/src/store-gen.c
@@ -363,7 +363,6 @@ cm_store_time_from_timestamp(const char *timestamp)
buf[2] = '\0';
stamp.tm_min = atoi(buf);
memcpy(buf, timestamp + i, 2);
- i += 2;
buf[2] = '\0';
stamp.tm_sec = atoi(buf);
t = timegm(&stamp);
--
2.14.4

83
0015-clang-Dereference-of-null-pointer.patch
View File

@ -1,83 +0,0 @@
From 319858127df42c1a95b9b3282705c90ecd6754a5 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 14 Sep 2018 16:16:55 -0400
Subject: [PATCH 15/16] clang: Dereference of null pointer
---
src/tdbush.c | 56 +++++++++++++++++++++++++++++---------------------------
1 file changed, 29 insertions(+), 27 deletions(-)
diff --git a/src/tdbush.c b/src/tdbush.c
index 3184e67a..d1bbe4da 100644
--- a/src/tdbush.c
+++ b/src/tdbush.c
@@ -3655,37 +3655,39 @@ request_modify(DBusConnection *conn, DBusMessage *msg,
break;
}
}
- if (d[i] == NULL) {
- new_request_path = talloc_asprintf(parent, "%s/%s",
- CM_DBUS_REQUEST_PATH,
- entry->cm_busname);
- if ((n_propname > 0) &&
- (n_propname + 1 < sizeof(propname) / sizeof(propname[0]))) {
- propname[n_propname] = NULL;
- cm_tdbush_property_emit_changed(ctx, new_request_path,
- CM_DBUS_REQUEST_INTERFACE,
- propname);
- }
- cm_tdbusm_set_bp(rep,
- cm_restart_entry(ctx,
- entry->cm_nickname),
- new_request_path);
- dbus_connection_send(conn, rep, NULL);
- dbus_message_unref(rep);
- talloc_free(new_request_path);
- return DBUS_HANDLER_RESULT_HANDLED;
- } else {
- dbus_message_unref(rep);
- rep = dbus_message_new_error(msg,
- CM_DBUS_ERROR_REQUEST_BAD_ARG,
- _("Unrecognized parameter or wrong value type."));
- if (rep != NULL) {
- cm_tdbusm_set_s(rep, d[i]->key);
+ if (d != NULL) {
+ if (d[i] == NULL) {
+ new_request_path = talloc_asprintf(parent, "%s/%s",
+ CM_DBUS_REQUEST_PATH,
+ entry->cm_busname);
+ if ((n_propname > 0) &&
+ (n_propname + 1 < sizeof(propname) / sizeof(propname[0]))) {
+ propname[n_propname] = NULL;
+ cm_tdbush_property_emit_changed(ctx, new_request_path,
+ CM_DBUS_REQUEST_INTERFACE,
+ propname);
+ }
+ cm_tdbusm_set_bp(rep,
+ cm_restart_entry(ctx,
+ entry->cm_nickname),
+ new_request_path);
dbus_connection_send(conn, rep, NULL);
dbus_message_unref(rep);
+ talloc_free(new_request_path);
return DBUS_HANDLER_RESULT_HANDLED;
+ } else {
+ dbus_message_unref(rep);
+ rep = dbus_message_new_error(msg,
+ CM_DBUS_ERROR_REQUEST_BAD_ARG,
+ _("Unrecognized parameter or wrong value type."));
+ if (rep != NULL) {
+ cm_tdbusm_set_s(rep, d[i]->key);
+ dbus_connection_send(conn, rep, NULL);
+ dbus_message_unref(rep);
+ return DBUS_HANDLER_RESULT_HANDLED;
+ }
+ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
}
- return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
}
} else {
return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
--
2.14.4

26
0016-Add-missing-case-for-cm_prefs_aes192.patch
View File

@ -1,26 +0,0 @@
From f17b7c0a22f4d49dca001d984673046e133577d1 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 14 Sep 2018 16:41:19 -0400
Subject: [PATCH 16/16] Add missing case for cm_prefs_aes192
---
src/prefs-o.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/prefs-o.c b/src/prefs-o.c
index 64542f85..ac68164d 100644
--- a/src/prefs-o.c
+++ b/src/prefs-o.c
@@ -75,6 +75,9 @@ cm_prefs_ossl_cipher_by_pref(enum cm_prefs_cipher cipher)
case cm_prefs_aes128:
return EVP_aes_128_cbc();
break;
+ case cm_prefs_aes192:
+ return EVP_aes_192_cbc();
+ break;
case cm_prefs_aes256:
return EVP_aes_256_cbc();
break;
--
2.14.4

43
certmonger.spec
View File

@ -25,14 +25,14 @@
%endif
Name: certmonger
Version: 0.79.6
Release: 5%{?dist}
Version: 0.79.7
Release: 1%{?dist}
Summary: Certificate status monitor and PKI enrollment client
License: GPLv3+
URL: http://pagure.io/certmonger/
Source0: http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz
#Source1: http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz.sig
#Source1: http://releases.pagure.org/certmonger/certmonger-%%{version}.tar.gz.sig
BuildRequires: autoconf
@ -43,9 +43,9 @@ BuildRequires: openldap-devel
BuildRequires: libidn2-devel
BuildRequires: dbus-devel, nspr-devel, nss-devel, openssl-devel
%if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
BuildRequires: libuuid-devel
BuildRequires: libuuid-devel
%else
BuildRequires: e2fsprogs-devel
BuildRequires: e2fsprogs-devel
%endif
BuildRequires: libtalloc-devel, libtevent-devel
%if 0%{?rhel} >= 6 || 0%{?fedora} >= 9
@ -111,21 +111,6 @@ Conflicts: libtevent < 0.9.13
%endif
Patch1: 0001-NSS-crypto-policy-sets-minimum-RSA-and-DSA-key-size-.patch
Patch2: 0002-Use-the-correct-slot-when-saving-certificates-in-NSS.patch
Patch3: 0003-Include-the-token-name-when-a-PIN-is-provided-but-is.patch
Patch4: 0004-Add-utility-function-to-get-the-internal-token-name.patch
Patch5: 0005-Only-de-duplicate-certificates-within-the-same-token.patch
Patch6: 0006-Ensure-that-an-OpenSSL-random-seed-file-exists-when-.patch
Patch7: 0007-Log-test-failures-of-bad-pin.patch
Patch8: 0008-Use-only-PK11_ImportCert-to-import-certs-not-CERT_Im.patch
Patch9: 0009-Fix-memory-leak-in-util_internal_token_name.patch
Patch10: 0010-clang-Dead-assignment.patch
Patch11: 0011-clang-Memory-leak.patch
Patch12: 0012-clang-Uninitialized-initial-value.patch
Patch13: 0013-clang-Null-pointer-passed-as-an-argument-to-a-nonnul.patch
Patch14: 0014-clang-Dead-increment.patch
Patch15: 0015-clang-Dereference-of-null-pointer.patch
Patch16: 0016-Add-missing-case-for-cm_prefs_aes192.patch
%description
Certmonger is a service which is primarily concerned with getting your
@ -134,21 +119,6 @@ system enrolled with a certificate authority (CA) and keeping it enrolled.
%prep
%setup -q
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%if 0%{?rhel} > 0
# Enabled by default for RHEL for bug #765600, still disabled by default for
@ -276,6 +246,9 @@ exit 0
%endif
%changelog
* Mon Feb 18 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-1
- Update to upstream 0.79.7
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.6-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild

2
sources
View File

@ -1 +1 @@
SHA512 (certmonger-0.79.6.tar.gz) = 55721a114d874d484bbde01a31f72b8d2a6d3ce0a676c73a217019c5da96aa28d4c0a32abb962abe996bf55b47050b7e0558fffbef6dd4d13ab922e0de5d8224
SHA512 (certmonger-0.79.7.tar.gz) = eca748cc28a3d9e3a1d5871848e1c22a6025b86a07ffc166bbca59f0945e2d461d6fc8201bd0e6b94d13680e86bbd29a501c5c38763484640b5b8f70ca470980