import certmonger-0.79.6-5.el8

CentOS Sources 2019-05-07 09:10:24 -04:00 committed by Andrew Lukoshko
commit 94b42d705f
29 changed files with 5456 additions and 0 deletions

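--- a/.certmonger.metadata
+++ b/.certmonger.metadata
@@ -0,0 +1 @@
+7eac3ce49718df4be8f47ec92ae3a951eb4ac435 SOURCES/certmonger-0.79.6.tar.gz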

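--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/certmonger-0.79.6.tar.gz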


@ -0,0 +1,293 @@
From fd17f002b2f4150a1fddc2582a21c6c03933a28a Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 23 Feb 2018 10:43:44 -0500
Subject: [PATCH] NSS crypto policy sets minimum RSA and DSA key size to 2048
Remove keys < 2048 for the NSS tests. This affects some of the
OpenSSL tests as well where they run in a combined loop.
Where it was not invasive to do I left the 1024/1536 for OpenSSL.
---
tests/001-keyiread-dsa/expected.out | 6 +++---
tests/001-keyiread-dsa/run.sh | 2 +-
tests/001-keyiread-rsa/expected.out | 2 --
tests/001-keyiread-rsa/run.sh | 2 +-
tests/001-keyiread/expected.out | 2 --
tests/001-keyiread/run.sh | 2 +-
tests/002-keygen-rsa/expected.out | 6 ------
tests/002-keygen-rsa/run.sh | 2 +-
tests/002-keygen/expected.out | 18 ------------------
tests/002-keygen/run.sh | 2 +-
tests/003-csrgen-rsa/expected.out | 6 ------
tests/003-csrgen-rsa/run.sh | 4 ++--
tests/003-csrgen/expected.out | 8 --------
tests/003-csrgen/run.sh | 4 ++--
tests/004-selfsign-rsa/expected.out | 2 --
tests/004-selfsign-rsa/run.sh | 2 +-
tests/004-selfsign/expected.out | 2 --
tests/004-selfsign/run.sh | 2 +-
18 files changed, 14 insertions(+), 60 deletions(-)
diff --git a/tests/001-keyiread-dsa/expected.out b/tests/001-keyiread-dsa/expected.out
index b09db0ae..50643176 100644
--- a/tests/001-keyiread-dsa/expected.out
+++ b/tests/001-keyiread-dsa/expected.out
@@ -1,4 +1,4 @@
-OK (DSA:1024).
-OK (DSA:1024).
-OK (DSA:1024).
+OK (DSA:2048).
+OK (DSA:2048).
+OK (DSA:2048).
Test complete.
diff --git a/tests/001-keyiread-dsa/run.sh b/tests/001-keyiread-dsa/run.sh
index 9f96b3bc..68f6d1c3 100755
--- a/tests/001-keyiread-dsa/run.sh
+++ b/tests/001-keyiread-dsa/run.sh
@@ -5,7 +5,7 @@ cd "$tmpdir"
source "$srcdir"/functions
initnssdb "$tmpdir"
-for size in 1024 ; do
+for size in 2048 ; do
# Generate a self-signed cert.
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
-s "cn=T$size" -c "cn=T$size" \
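Review bot: The changed loop `for size in 2048 ; do` carries no comment saying why 1024 was dropped, and the same bare edit is repeated in the size loops of tests/001-keyiread-rsa, 001-keyiread, 002-keygen-rsa, 002-keygen, 003-csrgen-rsa, 003-csrgen, 004-selfsign-rsa and 004-selfsign. I would add above each loop `# NSS crypto policy rejects RSA/DSA keys below 2048 bits, so smaller sizes are not generated here`. With the small sizes gone, nothing visible in these hunks checks that a sub-2048 request is actually refused, so a policy regression that re-allowed weak keys would go unnoticed; a negative case asserting that failure would close the gap, if the harness can express it. The loop body continues past the end of the hunk.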
diff --git a/tests/001-keyiread-rsa/expected.out b/tests/001-keyiread-rsa/expected.out
index 727897d1..3daa51f2 100644
--- a/tests/001-keyiread-rsa/expected.out
+++ b/tests/001-keyiread-rsa/expected.out
@@ -1,5 +1,3 @@
-OK (RSA:1024).
-OK (RSA:1536).
OK (RSA:2048).
OK (RSA:3072).
OK (RSA:4096).
diff --git a/tests/001-keyiread-rsa/run.sh b/tests/001-keyiread-rsa/run.sh
index c7b77686..ec31c7c7 100755
--- a/tests/001-keyiread-rsa/run.sh
+++ b/tests/001-keyiread-rsa/run.sh
@@ -5,7 +5,7 @@ cd "$tmpdir"
source "$srcdir"/functions
initnssdb "$tmpdir"
-for size in 1024 1536 2048 3072 4096 ; do
+for size in 2048 3072 4096 ; do
# Generate a self-signed cert.
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
-s "cn=T$size" -c "cn=T$size" \
diff --git a/tests/001-keyiread/expected.out b/tests/001-keyiread/expected.out
index 727897d1..3daa51f2 100644
--- a/tests/001-keyiread/expected.out
+++ b/tests/001-keyiread/expected.out
@@ -1,5 +1,3 @@
-OK (RSA:1024).
-OK (RSA:1536).
OK (RSA:2048).
OK (RSA:3072).
OK (RSA:4096).
diff --git a/tests/001-keyiread/run.sh b/tests/001-keyiread/run.sh
index ce1428ed..0b31df95 100755
--- a/tests/001-keyiread/run.sh
+++ b/tests/001-keyiread/run.sh
@@ -5,7 +5,7 @@ cd "$tmpdir"
source "$srcdir"/functions
initnssdb "$tmpdir"
-for size in 1024 1536 2048 3072 4096 ; do
+for size in 2048 3072 4096 ; do
# Generate a self-signed cert.
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
-s "cn=T$size" -c "cn=T$size" \
diff --git a/tests/002-keygen-rsa/expected.out b/tests/002-keygen-rsa/expected.out
index 3e6e9f3c..f7c146d0 100644
--- a/tests/002-keygen-rsa/expected.out
+++ b/tests/002-keygen-rsa/expected.out
@@ -1,9 +1,3 @@
-[nss:1024]
-OK.
-OK (RSA:1024).
-[nss:1536]
-OK.
-OK (RSA:1536).
[nss:2048]
OK.
OK (RSA:2048).
diff --git a/tests/002-keygen-rsa/run.sh b/tests/002-keygen-rsa/run.sh
index 476f4127..c0c59249 100755
--- a/tests/002-keygen-rsa/run.sh
+++ b/tests/002-keygen-rsa/run.sh
@@ -5,7 +5,7 @@ cd "$tmpdir"
source "$srcdir"/functions
initnssdb "$tmpdir"
-for size in 1024 1536 2048 3072 4096 ; do
+for size in 2048 3072 4096 ; do
echo "[nss:$size]"
# Generate a key.
cat > entry.$size <<- EOF
diff --git a/tests/002-keygen/expected.out b/tests/002-keygen/expected.out
index dcd1af06..b8fbea56 100644
--- a/tests/002-keygen/expected.out
+++ b/tests/002-keygen/expected.out
@@ -1,21 +1,3 @@
-[nss:1024]
-OK.
-OK (RSA:1024).
-OK.
-OK (RSA:1024 after RSA:1024).
-OK.
-OK (RSA:1024 after RSA:1024).
-keyi1024
-keyi1024 (candidate (next))
-[nss:1536]
-OK.
-OK (RSA:1536).
-OK.
-OK (RSA:1536 after RSA:1536).
-OK.
-OK (RSA:1536 after RSA:1536).
-keyi1536
-keyi1536 (candidate (next))
[nss:2048]
OK.
OK (RSA:2048).
diff --git a/tests/002-keygen/run.sh b/tests/002-keygen/run.sh
index 08af1523..94230e6f 100755
--- a/tests/002-keygen/run.sh
+++ b/tests/002-keygen/run.sh
@@ -7,7 +7,7 @@ scheme="${scheme:-dbm:}"
source "$srcdir"/functions
initnssdb "$scheme$tmpdir"
-for size in 1024 1536 2048 3072 4096 ; do
+for size in 2048 3072 4096 ; do
echo "[nss:$size]"
# Generate a key.
cat > entry.$size <<- EOF
diff --git a/tests/003-csrgen-rsa/expected.out b/tests/003-csrgen-rsa/expected.out
index c9dec729..def53fe4 100644
--- a/tests/003-csrgen-rsa/expected.out
+++ b/tests/003-csrgen-rsa/expected.out
@@ -1,10 +1,4 @@
pk12util: PKCS12 EXPORT SUCCESSFUL
-1024 OK.
-Signature OK
-pk12util: PKCS12 EXPORT SUCCESSFUL
-1536 OK.
-Signature OK
-pk12util: PKCS12 EXPORT SUCCESSFUL
2048 OK.
Signature OK
pk12util: PKCS12 EXPORT SUCCESSFUL
diff --git a/tests/003-csrgen-rsa/run.sh b/tests/003-csrgen-rsa/run.sh
index 4cd84084..bb8ebecb 100755
--- a/tests/003-csrgen-rsa/run.sh
+++ b/tests/003-csrgen-rsa/run.sh
@@ -5,7 +5,7 @@ cd "$tmpdir"
source "$srcdir"/functions
initnssdb "$tmpdir"
-for size in 1024 1536 2048 3072 4096 ; do
+for size in 2048 3072 4096 ; do
# Build a self-signed certificate.
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
-s "cn=T$size" -c "cn=T$size" \
@@ -147,7 +147,7 @@ iterate() {
iteration=1
-for size in 1024 ; do
+for size in 2048 ; do
iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment"
done
diff --git a/tests/003-csrgen/expected.out b/tests/003-csrgen/expected.out
index 8e6cac6e..04342c0f 100644
--- a/tests/003-csrgen/expected.out
+++ b/tests/003-csrgen/expected.out
@@ -1,13 +1,5 @@
pk12util: PKCS12 EXPORT SUCCESSFUL
Signature OK
-minicert.openssl.1024.pem: OK
-1024 OK.
-pk12util: PKCS12 EXPORT SUCCESSFUL
-Signature OK
-minicert.openssl.1536.pem: OK
-1536 OK.
-pk12util: PKCS12 EXPORT SUCCESSFUL
-Signature OK
minicert.openssl.2048.pem: OK
2048 OK.
pk12util: PKCS12 EXPORT SUCCESSFUL
diff --git a/tests/003-csrgen/run.sh b/tests/003-csrgen/run.sh
index 7c169ed9..31466b5c 100755
--- a/tests/003-csrgen/run.sh
+++ b/tests/003-csrgen/run.sh
@@ -5,7 +5,7 @@ cd "$tmpdir"
source "$srcdir"/functions
initnssdb "$tmpdir"
-for size in 1024 1536 2048 3072 4096 ; do
+for size in 2048 3072 4096 ; do
# Build a self-signed certificate.
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
-s "cn=T$size" -c "cn=T$size" \
@@ -199,7 +199,7 @@ iterate() {
iteration=1
-for size in 1024 ; do
+for size in 2048 ; do
iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" "$profile" "$ns_certtype"
done
diff --git a/tests/004-selfsign-rsa/expected.out b/tests/004-selfsign-rsa/expected.out
index dd5029ec..0eb84ef1 100644
--- a/tests/004-selfsign-rsa/expected.out
+++ b/tests/004-selfsign-rsa/expected.out
@@ -1,5 +1,3 @@
-1024 OK.
-1536 OK.
2048 OK.
3072 OK.
4096 OK.
diff --git a/tests/004-selfsign-rsa/run.sh b/tests/004-selfsign-rsa/run.sh
index 6f9285b6..c1dd4c80 100755
--- a/tests/004-selfsign-rsa/run.sh
+++ b/tests/004-selfsign-rsa/run.sh
@@ -33,7 +33,7 @@ function setupca() {
EOF
}
-for size in 1024 1536 2048 3072 4096 ; do
+for size in 2048 3072 4096 ; do
# Build a self-signed certificate.
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
-s "cn=T$size" -c "cn=T$size" \
diff --git a/tests/004-selfsign/expected.out b/tests/004-selfsign/expected.out
index dd5029ec..0eb84ef1 100644
--- a/tests/004-selfsign/expected.out
+++ b/tests/004-selfsign/expected.out
@@ -1,5 +1,3 @@
-1024 OK.
-1536 OK.
2048 OK.
3072 OK.
4096 OK.
diff --git a/tests/004-selfsign/run.sh b/tests/004-selfsign/run.sh
index 7bb368ec..eb1df4ee 100755
--- a/tests/004-selfsign/run.sh
+++ b/tests/004-selfsign/run.sh
@@ -43,7 +43,7 @@ function setupca() {
EOF
}
-for size in 1024 1536 2048 3072 4096 ; do
+for size in 2048 3072 4096 ; do
# Build a self-signed certificate.
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
-s "cn=T$size" -c "cn=T$size" \
--
2.16.2


@ -0,0 +1,788 @@
From 653cd0571fe92c9fd4323f93ff23b9720c00fd5f Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 31 Jul 2018 13:09:02 -0400
Subject: [PATCH] Convert tests to use python3
---
tests/028-dbus/expected.out | 32 +-
tests/028-dbus/expected.out.nodsa | 22 +-
tests/028-dbus/prequal.sh | 8 +-
tests/028-dbus/run.sh | 9 +-
tests/028-dbus/runsub.sh | 2 +-
tests/028-dbus/simpleprop.py | 14 +-
tests/028-dbus/walk.py | 392 ++++++++++----------
tests/038-ms-v2-template/extract-extdata.py | 5 +-
8 files changed, 243 insertions(+), 241 deletions(-)
diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out
index ca3179e..1d8bec4 100644
--- a/tests/028-dbus/expected.out
+++ b/tests/028-dbus/expected.out
@@ -1,5 +1,3 @@
-Certificate in file "${tmpdir}/test.crt" issued by CA and saved.
-Certificate in file "${tmpdir}/test.crt" issued by CA and saved.
[[ getcert ]]
State MONITORING, stuck: no.
Number of certificates and requests being tracked: 1.
@@ -187,13 +185,13 @@ dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.Object
dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/requests/Request2')], signature=dbus.Signature('o'))
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_supported_key_types ]
-dbus.Array([dbus.String(u'RSA'), dbus.String(u'DSA'), dbus.String(u'EC')], signature=dbus.Signature('s'))
+dbus.Array([dbus.String('RSA'), dbus.String('DSA'), dbus.String('EC')], signature=dbus.Signature('s'))
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_supported_key_storage ]
-dbus.Array([dbus.String(u'NSSDB'), dbus.String(u'FILE')], signature=dbus.Signature('s'))
+dbus.Array([dbus.String('NSSDB'), dbus.String('FILE')], signature=dbus.Signature('s'))
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_supported_cert_storage ]
-dbus.Array([dbus.String(u'NSSDB'), dbus.String(u'FILE')], signature=dbus.Signature('s'))
+dbus.Array([dbus.String('NSSDB'), dbus.String('FILE')], signature=dbus.Signature('s'))
[ /org/fedorahosted/certmonger : org.fedorahosted.certmonger.remove_known_ca ]
OK
@@ -433,19 +431,19 @@ Buddy
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_info ]
-(dbus.String(u'CN=$UUID,CN=Local Signing Authority'), dbus.String(u'$UUID'), dbus.String(u'CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9L), dbus.Array([dbus.String(u'1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s')))
+(dbus.String('CN=$UUID,CN=Local Signing Authority'), dbus.String('$UUID'), dbus.String('CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s')))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_last_checked ]
recently
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_storage_info ]
-(dbus.String(u'FILE'), dbus.String(u'$tmpdir/test.crt'))
+(dbus.String('FILE'), dbus.String('$tmpdir/test.crt'))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_csr_data ]
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_csr_info ]
-(dbus.String(u'CN=localhost'), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9L), dbus.Array([dbus.String(u'id-kp-serverAuth')], signature=dbus.Signature('s')))
+(dbus.String('CN=localhost'), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('id-kp-serverAuth')], signature=dbus.Signature('s')))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_key_pin ]
@@ -454,19 +452,19 @@ recently
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_key_storage_info ]
-(dbus.String(u'FILE'), dbus.String(u'$tmpdir/test.key'))
+(dbus.String('FILE'), dbus.String('$tmpdir/test.key'))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_key_type_and_size ]
-(dbus.String(u'RSA'), dbus.Int64(512L))
+(dbus.String('RSA'), dbus.Int64(512))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_monitoring ]
1
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_notification_info ]
-(dbus.String(u'stdout'), dbus.String(u'daemon.notice'))
+(dbus.String('stdout'), dbus.String('daemon.notice'))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_status ]
-(dbus.String(u'MONITORING'), dbus.Boolean(False))
+(dbus.String('MONITORING'), dbus.Boolean(False))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_ca ]
/org/fedorahosted/certmonger/cas/CA1
@@ -482,7 +480,7 @@ recently
[ /org/fedorahosted/certmonger/requests/Request2 : org.fedorahosted.certmonger.request.modify ]
1 on /org/fedorahosted/certmonger/requests/Request2
-After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.String(u'1.2.3.4.5.6.7.8.9.10')], signature=dbus.Signature('s'), variant_level=1)
+After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.String('1.2.3.4.5.6.7.8.9.10')], signature=dbus.Signature('s'), variant_level=1)
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.rekey ]
1
@@ -713,7 +711,7 @@ dbus.Array([], signature=dbus.Signature('s'))
</node>
[ /org/fedorahosted/certmonger/cas/CA2: org.fedorahosted.certmonger.ca.get_config_file_path ]
-$tmpdir/cas/20180327134236
+$tmpdir/cas/date
[ /org/fedorahosted/certmonger/cas/CA2: org.fedorahosted.certmonger.ca.get_nickname ]
SelfSign
@@ -828,7 +826,7 @@ dbus.Array([], signature=dbus.Signature('s'))
</node>
[ /org/fedorahosted/certmonger/cas/CA3: org.fedorahosted.certmonger.ca.get_config_file_path ]
-$tmpdir/cas/20180327134236-1
+$tmpdir/cas/date-1
[ /org/fedorahosted/certmonger/cas/CA3: org.fedorahosted.certmonger.ca.get_nickname ]
IPA
@@ -941,7 +939,7 @@ dbus.Array([], signature=dbus.Signature('s'))
</node>
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_config_file_path ]
-$tmpdir/cas/20180327134236-2
+$tmpdir/cas/date-2
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_nickname ]
certmaster
@@ -1054,7 +1052,7 @@ dbus.Array([], signature=dbus.Signature('s'))
</node>
[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_config_file_path ]
-$tmpdir/cas/20180327134236-3
+$tmpdir/cas/date-3
[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_nickname ]
dogtag-ipa-renew-agent
diff --git a/tests/028-dbus/expected.out.nodsa b/tests/028-dbus/expected.out.nodsa
index a23af40..5082ee0 100644
--- a/tests/028-dbus/expected.out.nodsa
+++ b/tests/028-dbus/expected.out.nodsa
@@ -187,13 +187,13 @@ dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.Object
dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/requests/Request2')], signature=dbus.Signature('o'))
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_supported_key_types ]
-dbus.Array([dbus.String(u'RSA'), dbus.String(u'EC')], signature=dbus.Signature('s'))
+dbus.Array([dbus.String('RSA'), dbus.String('EC')], signature=dbus.Signature('s'))
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_supported_key_storage ]
-dbus.Array([dbus.String(u'NSSDB'), dbus.String(u'FILE')], signature=dbus.Signature('s'))
+dbus.Array([dbus.String('NSSDB'), dbus.String('FILE')], signature=dbus.Signature('s'))
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_supported_cert_storage ]
-dbus.Array([dbus.String(u'NSSDB'), dbus.String(u'FILE')], signature=dbus.Signature('s'))
+dbus.Array([dbus.String('NSSDB'), dbus.String('FILE')], signature=dbus.Signature('s'))
[ /org/fedorahosted/certmonger : org.fedorahosted.certmonger.remove_known_ca ]
OK
@@ -432,19 +432,19 @@ Buddy
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_info ]
-(dbus.String(u'CN=$UUID,CN=Local Signing Authority'), dbus.String(u'$UUID'), dbus.String(u'CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9L), dbus.Array([dbus.String(u'1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s')))
+(dbus.String('CN=$UUID,CN=Local Signing Authority'), dbus.String('$UUID'), dbus.String('CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s')))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_last_checked ]
recently
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_storage_info ]
-(dbus.String(u'FILE'), dbus.String(u'$tmpdir/test.crt'))
+(dbus.String('FILE'), dbus.String('$tmpdir/test.crt'))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_csr_data ]
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_csr_info ]
-(dbus.String(u'CN=localhost'), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9L), dbus.Array([dbus.String(u'id-kp-serverAuth')], signature=dbus.Signature('s')))
+(dbus.String('CN=localhost'), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('id-kp-serverAuth')], signature=dbus.Signature('s')))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_key_pin ]
@@ -453,19 +453,19 @@ recently
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_key_storage_info ]
-(dbus.String(u'FILE'), dbus.String(u'$tmpdir/test.key'))
+(dbus.String('FILE'), dbus.String('$tmpdir/test.key'))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_key_type_and_size ]
-(dbus.String(u'RSA'), dbus.Int64(512L))
+(dbus.String('RSA'), dbus.Int64(512))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_monitoring ]
1
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_notification_info ]
-(dbus.String(u'stdout'), dbus.String(u'daemon.notice'))
+(dbus.String('stdout'), dbus.String('daemon.notice'))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_status ]
-(dbus.String(u'MONITORING'), dbus.Boolean(False))
+(dbus.String('MONITORING'), dbus.Boolean(False))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_ca ]
/org/fedorahosted/certmonger/cas/CA1
@@ -481,7 +481,7 @@ recently
[ /org/fedorahosted/certmonger/requests/Request2 : org.fedorahosted.certmonger.request.modify ]
1 on /org/fedorahosted/certmonger/requests/Request2
-After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.String(u'1.2.3.4.5.6.7.8.9.10')], signature=dbus.Signature('s'), variant_level=1)
+After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.String('1.2.3.4.5.6.7.8.9.10')], signature=dbus.Signature('s'), variant_level=1)
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.rekey ]
1
diff --git a/tests/028-dbus/prequal.sh b/tests/028-dbus/prequal.sh
index e645c19..4fe79c8 100755
--- a/tests/028-dbus/prequal.sh
+++ b/tests/028-dbus/prequal.sh
@@ -9,19 +9,19 @@ if test -z "$DBUSDAEMON" ; then
echo dbus-daemon not found
exit 1
fi
-if ! python -c 'import os' 2> /dev/null ; then
+if ! python3 -c 'import os' 2> /dev/null ; then
echo python not found
exit 1
fi
-if ! python -c 'import dbus' 2> /dev/null ; then
+if ! python3 -c 'import dbus' 2> /dev/null ; then
echo python-dbus not found
exit 1
fi
-if ! python -c 'import xml' 2> /dev/null ; then
+if ! python3 -c 'import xml' 2> /dev/null ; then
echo python-xml not found
exit 1
fi
-if ! python -c 'import xml.etree.ElementTree' 2> /dev/null ; then
+if ! python3 -c 'import xml.etree.ElementTree' 2> /dev/null ; then
echo python-xml does not include etree.ElementTree
exit 1
fi
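Review bot: The four probes now run `python3`, but the messages printed on failure still say `python not found`, `python-dbus not found` and `python-xml not found`, which points whoever reads a skipped-test log at the wrong interpreter. I would change them to name what was actually tested, e.g. `echo python3 not found` and `echo python3 dbus module not found`. Since `2> /dev/null` discards the import error, the message is the only diagnostic left.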
diff --git a/tests/028-dbus/run.sh b/tests/028-dbus/run.sh
index c468d51..ee90875 100755
--- a/tests/028-dbus/run.sh
+++ b/tests/028-dbus/run.sh
@@ -23,7 +23,7 @@ EOF
$DBUSDAEMON --session --print-address=3 --print-pid=4 --fork 3> $tmpdir/address 4> $tmpdir/pid
if test -s $tmpdir/pid ; then
env DBUS_SESSION_BUS_ADDRESS=`cat $tmpdir/address` \
- $toolsdir/../../src/certmonger-session -n -c $tmpdir/runsub.sh
+ $toolsdir/../../src/certmonger-session -n -c $tmpdir/runsub.sh > /dev/null
fi
kill `cat $tmpdir/pid`
@@ -33,8 +33,8 @@ now=`date +%s`
for i in `seq 240` ; do
recently=$(($now-$i))
tomorrow=$(($now-$i+24*60*60))
- sed -i -e s/^$recently'$/recently/g' -e s/"("$recently"L)"/'(recently)'/g \
- -e s/^$tomorrow'$/tomorrow/g' -e s/"("$tomorrow"L)"/'(tomorrow)'/g $tmpdir/runsub.out
+ sed -i -e s/^$recently'$/recently/g' -e s/"("$recently")"/'(recently)'/g \
+ -e s/^$tomorrow'$/tomorrow/g' -e s/"("$tomorrow")"/'(tomorrow)'/g $tmpdir/runsub.out
done
cat $tmpdir/runsub.out | \
@@ -43,4 +43,5 @@ sed -r -e 's,CN=........-........-........-........,CN=$UUID,g' \
-e "s|$libexecdir|\$libexecdir|g" \
-e "s|$tmpdir|\$tmpdir|g" \
-e "s|expires:.*|expires: sometime|g" \
- -e "s|u'(00)?[0-9a-fA-F]{32}|u'"'$UUID|g'
+ -e "s|'(00)?[0-9a-fA-F]{32}|'"'$UUID|g' \
+ -e "s|cas\/[0-9]{14}|cas\/date|g"
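Review bot: Dropping the `u` prefix leaves `'(00)?[0-9a-fA-F]{32}` anchored only on a single quote, so any quoted 32-hex-digit value in the output is now rewritten to `$UUID`, not just the one the test means to mask; that can hide a real change in another hex field. If the value always appears as `dbus.String('…')`, anchoring on that prefix would keep the filter narrow; this is inferred from expected.out, not from the hunk. The new `cas` rule would also read more easily without the escapes, since `|` is the delimiter: `-e "s|cas/[0-9]{14}|cas/date|g"`, preceded by `# CA config file names appear to embed a 14-digit timestamp; mask it`. The sed pipeline starts before the hunk.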
diff --git a/tests/028-dbus/runsub.sh b/tests/028-dbus/runsub.sh
index 3510d79..fe6766c 100755
--- a/tests/028-dbus/runsub.sh
+++ b/tests/028-dbus/runsub.sh
@@ -22,5 +22,5 @@ echo ""
echo "[[ API ]]"
for i in ./*.py ; do
echo "[" `basename "$i"` "]"
- python $i
+ python3 $i
done
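Review bot: The new line `python3 $i` leaves `$i` unquoted although the `basename "$i"` call on the preceding line quotes it, so a script path containing whitespace or glob characters would be split before it reaches the interpreter. `python3 "$i"` keeps the two uses consistent. The loop also ignores the interpreter's exit status, so a script that dies early is only caught if its missing output changes the diff against expected.out.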
diff --git a/tests/028-dbus/simpleprop.py b/tests/028-dbus/simpleprop.py
index e4f937e..35d9591 100644
--- a/tests/028-dbus/simpleprop.py
+++ b/tests/028-dbus/simpleprop.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/python3
import dbus
# Get a handle for the main certmonger interface.
@@ -19,7 +19,7 @@ ca = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
# Toggle the helper a couple of times.
ca_ext_h = o.Get('org.fedorahosted.certmonger.ca', 'external-helper')
-print ca_ext_h, "->",
+print(ca_ext_h, "-> ", end='')
if ca_ext_h.split()[0] == ca_ext_h:
ca_ext_h += ' -k admin@localhost'
@@ -28,7 +28,7 @@ else:
ca.Set('org.fedorahosted.certmonger.ca', 'external-helper', ca_ext_h)
ca_ext_h = o.Get('org.fedorahosted.certmonger.ca', 'external-helper')
-print ca_ext_h, "->",
+print(ca_ext_h, "-> ", end='')
if ca_ext_h.split()[0] == ca_ext_h:
ca_ext_h += ' -k admin@localhost'
@@ -37,20 +37,20 @@ else:
ca.Set('org.fedorahosted.certmonger.ca', 'external-helper', ca_ext_h)
ca_ext_h = o.Get('org.fedorahosted.certmonger.ca', 'external-helper')
-print ca_ext_h
+print(ca_ext_h)
# Toggle the "is-default" value a couple of times.
isdef = ca.Get('org.fedorahosted.certmonger.ca', 'is-default')
-print isdef, "->",
+print(isdef, "-> ", end='')
ca.Set('org.fedorahosted.certmonger.ca', 'is-default', not isdef)
isdef = ca.Get('org.fedorahosted.certmonger.ca', 'is-default')
-print isdef, "->",
+print(isdef, "-> ", end='')
ca.Set('org.fedorahosted.certmonger.ca', 'is-default', not isdef)
isdef = ca.Get('org.fedorahosted.certmonger.ca', 'is-default')
-print isdef
+print(isdef)
cm.remove_known_ca(path)
diff --git a/tests/028-dbus/walk.py b/tests/028-dbus/walk.py
index f60ca93..683d94e 100644
--- a/tests/028-dbus/walk.py
+++ b/tests/028-dbus/walk.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/python3
import dbus
import xml.etree.ElementTree
import os
@@ -9,217 +9,219 @@ bus = dbus.SessionBus()
# Check that reading a property directly produces the same value as reading it via GetAll().
def check_props(objpath, interface):
- o = bus.get_object('org.fedorahosted.certmonger', objpath)
- i = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
- props = i.GetAll(interface)
- for prop in props.keys():
- value = props[prop]
- if value != i.Get(interface, prop):
- print("%s: property %s.%s mismatch (%s, %s)" % (objpath, interface, prop, value, i.Get(interface, prop)))
- return False
- return True
+ o = bus.get_object('org.fedorahosted.certmonger', objpath)
+ i = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
+ props = i.GetAll(interface)
+ for prop in props.keys():
+ value = props[prop]
+ if value != i.Get(interface, prop):
+ print("%s: property %s.%s mismatch (%s, %s)" % (objpath, interface, prop, value, i.Get(interface, prop)))
+ return False
+ return True
# Try to call the method.
def examine_method(objpath, interface, method, idata):
- in_args = 0
- out_args = 0
- o = bus.get_object('org.fedorahosted.certmonger', objpath)
- i = dbus.Interface(o, interface)
- for child in idata.getchildren():
- if child.tag == 'arg':
- if child.get('direction') != 'out':
- in_args = in_args + 1
- else:
- out_args = out_args + 1
- if in_args == 0:
- # Takes no inputs, so just call it.
- m = i.get_dbus_method(method)
- if out_args == 0:
- m()
- print("[ %s: %s.%s ]\n" % (objpath, interface, method))
- elif out_args == 1:
- result = m()
- print("[ %s: %s.%s ]\n%s\n" % (objpath, interface, method, result))
- else:
- result = m()
- print("[ %s: %s.%s ]\n%s\n" % (objpath, interface, method, result))
- elif method == 'Get' or method == 'Set' or method == 'GetAll':
- # We check on properties elsewhere.
- return True
- # Per-method exercise.
- elif method == 'add_known_ca' or method == 'remove_known_ca':
- (result, path) = i.add_known_ca('Test CA', '/usr/bin/env', [])
- if not result:
- print("[ %s : %s.%s ]: add_known_ca error\n" % (objpath, interface, method))
- return False
- result = i.remove_known_ca(path)
- if not result:
- print("[ %s : %s.%s ]: remove_known_ca error\n" % (objpath, interface, method))
- return False
- print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method))
- elif method == 'add_request' or method == 'remove_request':
- tmpdir = os.getenv('TMPDIR')
- if not tmpdir or tmpdir == '':
- tmpdir = '/tmp'
- properties = {
- 'nickname': 'foo',
- 'cert-storage': 'file',
- 'cert-file': tmpdir + "/028-certfile",
- 'key-storage': 'file',
- 'key-file': tmpdir + "/028-keyfile",
- 'template-email': ['root@localhost', 'toor@localhost'],
- }
- (result, path) = i.add_request(properties)
- if not result:
- print("[ %s : %s.%s ]: add_request error\n" % (objpath, interface, method))
- return False
- result = i.remove_request(path)
- if not result:
- print("[ %s : %s.%s ]: remove_request error\n" % (objpath, interface, method))
- return False
- print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method))
- elif method == 'find_ca_by_nickname':
- capath = i.find_ca_by_nickname('local')
- o = bus.get_object('org.fedorahosted.certmonger', capath)
- i = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
- if i.Get('org.fedorahosted.certmonger.ca', 'nickname') != 'local':
- print("[ %s : %s.%s ] error: %s\n" % (objpath, interface, method, i.Get('org.fedorahosted.certmonger.ca', 'nickname')))
- return False
- print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method))
- elif method == 'find_request_by_nickname':
- reqpath = i.find_request_by_nickname('Buddy')
- o = bus.get_object('org.fedorahosted.certmonger', reqpath)
- i = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
- if i.Get('org.fedorahosted.certmonger.request', 'nickname') != 'Buddy':
- print("[ %s : %s.%s ] error: %s\n" % (objpath, interface, method, i.Get('org.fedorahosted.certmonger.request', 'nickname')))
- return False
- print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method))
- elif method == 'modify':
- mods = {}
- propname = "template-eku"
- propval = '1.2.3.4.5.6.7.8.9.10'
- mods[propname] = [propval,]
- status, path = i.modify(mods)
- if not status:
- print("[ %s : %s.%s ] error\n" % (objpath, interface, method))
- return False
- print("[ %s : %s.%s ]\n%d on %s" % (objpath, interface, method, status, path))
- props = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
- prop = props.Get(interface, 'template-eku')
- print("After setting %s to %s, we got %s\n" % (propname, propval, prop))
- else:
- # We're in FIXME territory.
- print('FIXME: need support for "%s"' % method)
- return False
- # If we caused things to start churning, wait for them to settle.
+ in_args = 0
+ out_args = 0
+ o = bus.get_object('org.fedorahosted.certmonger', objpath)
+ i = dbus.Interface(o, interface)
+ for child in idata.getchildren():
+ if child.tag == 'arg':
+ if child.get('direction') != 'out':
+ in_args = in_args + 1
+ else:
+ out_args = out_args + 1
+ if in_args == 0:
+ # Takes no inputs, so just call it.
+ m = i.get_dbus_method(method)
+ if out_args == 0:
+ m()
+ print("[ %s: %s.%s ]\n" % (objpath, interface, method))
+ elif out_args == 1:
+ result = m()
+ print("[ %s: %s.%s ]\n%s\n" % (objpath, interface, method, result))
+ else:
+ result = m()
+ print("[ %s: %s.%s ]\n%s\n" % (objpath, interface, method, result))
+ elif method == 'Get' or method == 'Set' or method == 'GetAll':
+ # We check on properties elsewhere.
+ return True
+ # Per-method exercise.
+ elif method == 'add_known_ca' or method == 'remove_known_ca':
+ (result, path) = i.add_known_ca('Test CA', '/usr/bin/env', [])
+ if not result:
+ print("[ %s : %s.%s ]: add_known_ca error\n" % (objpath, interface, method))
+ return False
+ result = i.remove_known_ca(path)
+ if not result:
+ print("[ %s : %s.%s ]: remove_known_ca error\n" % (objpath, interface, method))
+ return False
+ print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method))
+ elif method == 'add_request' or method == 'remove_request':
+ tmpdir = os.getenv('TMPDIR')
+ if not tmpdir or tmpdir == '':
+ tmpdir = '/tmp'
+ properties = {
+ 'nickname': 'foo',
+ 'cert-storage': 'file',
+ 'cert-file': tmpdir + "/028-certfile",
+ 'key-storage': 'file',
+ 'key-file': tmpdir + "/028-keyfile",
+ 'template-email': ['root@localhost', 'toor@localhost'],
+ }
+ (result, path) = i.add_request(properties)
+ if not result:
+ print("[ %s : %s.%s ]: add_request error\n" % (objpath, interface, method))
+ return False
+ result = i.remove_request(path)
+ if not result:
+ print("[ %s : %s.%s ]: remove_request error\n" % (objpath, interface, method))
+ return False
+ print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method))
+ elif method == 'find_ca_by_nickname':
+ capath = i.find_ca_by_nickname('local')
+ o = bus.get_object('org.fedorahosted.certmonger', capath)
+ i = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
+ if i.Get('org.fedorahosted.certmonger.ca', 'nickname') != 'local':
+ print("[ %s : %s.%s ] error: %s\n" % (objpath, interface, method, i.Get('org.fedorahosted.certmonger.ca', 'nickname')))
+ return False
+ print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method))
+ elif method == 'find_request_by_nickname':
+ reqpath = i.find_request_by_nickname('Buddy')
+ if not reqpath:
+ return False
+ o = bus.get_object('org.fedorahosted.certmonger', reqpath)
+ i = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
+ if i.Get('org.fedorahosted.certmonger.request', 'nickname') != 'Buddy':
+ print("[ %s : %s.%s ] error: %s\n" % (objpath, interface, method, i.Get('org.fedorahosted.certmonger.request', 'nickname')))
+ return False
+ print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method))
+ elif method == 'modify':
+ mods = {}
+ propname = "template-eku"
+ propval = '1.2.3.4.5.6.7.8.9.10'
+ mods[propname] = [propval,]
+ status, path = i.modify(mods)
+ if not status:
+ print("[ %s : %s.%s ] error\n" % (objpath, interface, method))
+ return False
+ print("[ %s : %s.%s ]\n%d on %s" % (objpath, interface, method, status, path))
+ props = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
+ prop = props.Get(interface, 'template-eku')
+ print("After setting %s to %s, we got %s\n" % (propname, propval, prop))
+ else:
+ # We're in FIXME territory.
+ print('FIXME: need support for "%s"' % method)
+ return False
+ # If we caused things to start churning, wait for them to settle.
if method == 'resubmit':
props = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
prop = props.Get(interface, 'status')
while prop != 'MONITORING':
time.sleep(1)
prop = props.Get(interface, 'status')
- return True
+ return True
def iget(child, proxy, interface, prop):
- value = proxy.Get(interface, prop)
- if not value:
- if child.get('type') == 'b':
- value = False
- elif child.get('type') == 'n' or child.get('type') == 'x':
- value = 0
- elif child.get('type') == 's':
- value = ''
- elif child.get('type') == 'as':
- value = ['']
- else:
- print("%s.%s: %s" % (interface, prop, child.get('type')))
- return False
- return value
+ value = proxy.Get(interface, prop)
+ if not value:
+ if child.get('type') == 'b':
+ value = False
+ elif child.get('type') == 'n' or child.get('type') == 'x':
+ value = 0
+ elif child.get('type') == 's':
+ value = ''
+ elif child.get('type') == 'as':
+ value = ['']
+ else:
+ print("%s.%s: %s" % (interface, prop, child.get('type')))
+ return False
+ return value
def examine_interface(objpath, interface, idata):
- o = bus.get_object('org.fedorahosted.certmonger', objpath)
- i = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
- for child in idata.getchildren():
- if child.tag == 'property':
- prop = child.get('name')
- if child.get('access') == 'read':
- # Check that we can read it.
- value = i.Get(interface, prop)
- elif child.get('access') == 'readwrite':
- if prop == 'external-helper' or prop == 'scep-ca-identifier':
- cai = dbus.Interface(o, 'org.fedorahosted.certmonger.ca')
- if cai.get_type() != 'EXTERNAL':
- print("%s: warning: property %s.%s not settable on this object" % (objpath, interface, prop))
- continue
- # Check that we can read it, tweak it, and then reset it.
- value = iget(child, i, interface, prop)
- i.Set(interface, prop, value)
- newvalue = None
- if child.get('type') == 'b':
- newvalue = not value
- elif child.get('type') == 'n' or child.get('type') == 'x':
- newvalue = value + 1
- elif child.get('type') == 's':
- newvalue = 'x' + value
- elif child.get('type') == 'as':
- newvalue = ['x'] + value
- else:
- print("%s.%s: %s" % (interface, prop, child.get('type')))
- return False
- if newvalue:
- if newvalue == value:
- print("%s: error determining new value: (%s, %s): %s" % (objpath, interface, prop, value))
- return False
- i.Set(interface, prop, newvalue)
- if newvalue != iget(child, i, interface, prop):
- print("%s: property %s.%s not set: (%s, %s)" % (objpath, interface, prop, value, newvalue))
- return False
- i.Set(interface, prop, value)
- if value != iget(child, i, interface, prop):
- print("%s: property %s.%s not reset: (%s, %s)" % (objpath, interface, prop, newvalue, value))
- return False
- elif child.tag == 'method':
- method = child.get('name')
- if not examine_method(objpath, interface, method, child):
- return False
- elif child.tag == 'signal':
- continue
- else:
- print "FIXME: handle child tag %s" % child.tag
- return False
- return True
+ o = bus.get_object('org.fedorahosted.certmonger', objpath)
+ i = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
+ for child in idata.getchildren():
+ if child.tag == 'property':
+ prop = child.get('name')
+ if child.get('access') == 'read':
+ # Check that we can read it.
+ value = i.Get(interface, prop)
+ elif child.get('access') == 'readwrite':
+ if prop == 'external-helper' or prop == 'scep-ca-identifier':
+ cai = dbus.Interface(o, 'org.fedorahosted.certmonger.ca')
+ if cai.get_type() != 'EXTERNAL':
+ print("%s: warning: property %s.%s not settable on this object" % (objpath, interface, prop))
+ continue
+ # Check that we can read it, tweak it, and then reset it.
+ value = iget(child, i, interface, prop)
+ i.Set(interface, prop, value)
+ newvalue = None
+ if child.get('type') == 'b':
+ newvalue = not value
+ elif child.get('type') == 'n' or child.get('type') == 'x':
+ newvalue = value + 1
+ elif child.get('type') == 's':
+ newvalue = 'x' + value
+ elif child.get('type') == 'as':
+ newvalue = ['x'] + value
+ else:
+ print("%s.%s: %s" % (interface, prop, child.get('type')))
+ return False
+ if newvalue:
+ if newvalue == value:
+ print("%s: error determining new value: (%s, %s): %s" % (objpath, interface, prop, value))
+ return False
+ i.Set(interface, prop, newvalue)
+ if newvalue != iget(child, i, interface, prop):
+ print("%s: property %s.%s not set: (%s, %s)" % (objpath, interface, prop, value, newvalue))
+ return False
+ i.Set(interface, prop, value)
+ if value != iget(child, i, interface, prop):
+ print("%s: property %s.%s not reset: (%s, %s)" % (objpath, interface, prop, newvalue, value))
+ return False
+ elif child.tag == 'method':
+ method = child.get('name')
+ if not examine_method(objpath, interface, method, child):
+ return False
+ elif child.tag == 'signal':
+ continue
+ else:
+ print("FIXME: handle child tag %s" % child.tag)
+ return False
+ return True
def examine_object(objpath):
- o = bus.get_object('org.fedorahosted.certmonger', objpath)
- i = dbus.Interface(o, 'org.freedesktop.DBus.Introspectable')
- idata = i.Introspect()
- x = xml.etree.ElementTree.XML(idata)
+ o = bus.get_object('org.fedorahosted.certmonger', objpath)
+ i = dbus.Interface(o, 'org.freedesktop.DBus.Introspectable')
+ idata = i.Introspect()
+ x = xml.etree.ElementTree.XML(idata)
- # Check if the object supports properties interfaces.
- props = False
- for child in x.getchildren():
- if child.tag == 'interface':
- if child.get('name') == 'org.freedesktop.DBus.Properties':
- props = True
+ # Check if the object supports properties interfaces.
+ props = False
+ for child in x.getchildren():
+ if child.tag == 'interface':
+ if child.get('name') == 'org.freedesktop.DBus.Properties':
+ props = True
- # Look at the interfaces and child nodes.
- for child in x.getchildren():
- if child.tag == 'interface':
- if props and not check_props(objpath, child.get('name')):
- return False
- if not examine_interface(objpath, child.get('name'), child):
- return False
- elif child.tag == 'node':
- if objpath == '/':
- childpath = '/' + child.get('name')
- else:
- childpath = objpath + '/' + child.get('name')
- examine_object(childpath)
- else:
- print "FIXME: handle child tag %s" % child.tag
- return False
- return True
+ # Look at the interfaces and child nodes.
+ for child in x.getchildren():
+ if child.tag == 'interface':
+ if props and not check_props(objpath, child.get('name')):
+ return False
+ if not examine_interface(objpath, child.get('name'), child):
+ return False
+ elif child.tag == 'node':
+ if objpath == '/':
+ childpath = '/' + child.get('name')
+ else:
+ childpath = objpath + '/' + child.get('name')
+ examine_object(childpath)
+ else:
+ print("FIXME: handle child tag %s" % child.tag)
+ return False
+ return True
if not examine_object('/'):
- sys.exit(1)
+ sys.exit(1)
sys.exit(0)
diff --git a/tests/038-ms-v2-template/extract-extdata.py b/tests/038-ms-v2-template/extract-extdata.py
index 1a845fd..9f9d910 100755
--- a/tests/038-ms-v2-template/extract-extdata.py
+++ b/tests/038-ms-v2-template/extract-extdata.py
@@ -1,10 +1,11 @@
-#!/usr/bin/python2
+#!/usr/bin/python3
# Given `openssl asn1parse` output of a CSR, look for the V2 Template
# extension and output its data if found. Nonzero exit status if
# not found.
import binascii
+import os
import re
import sys
@@ -21,7 +22,7 @@ for line in sys.stdin:
#
if state == STATE_FOUND and 'OCTET STRING' in line:
result = re.search(r'\[HEX DUMP\]:(\w*)', line)
- sys.stdout.write(binascii.unhexlify(result.group(1)))
+ os.write(1, binascii.unhexlify(result.group(1)))
state = STATE_DONE
break
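Review bot: `os.write(1, ...)` on the changed line is a single unbuffered write that may emit fewer bytes than it was given, and its return value is ignored, so a long extension value could be truncated without any error. `sys.stdout.buffer.write(binascii.unhexlify(result.group(1)))` writes the whole buffer and makes the new `import os` unnecessary. Separately, `result` is used unchecked: if an `OCTET STRING` line has no `[HEX DUMP]:` field, `re.search` returns None and the script ends in an AttributeError traceback instead of a clean "not found" exit; `if result is None: sys.exit(1)` before the write would make that explicit. The enclosing loop starts outside the hunk.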
--
2.17.0


@ -0,0 +1,49 @@
From c029b32c04a9a5993b9c8715fb82421fee613137 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 31 Aug 2018 10:37:12 -0400
Subject: [PATCH 2/7] Include the token name when a PIN is provided but is
unused
This improves the output so the user will know which token
the PIN is missing for. Theoretically it should be the token
they asked for but this will show certmonger's view of it.
---
src/certread-n.c | 6 +++---
src/keygen-n.c | 4 ++--
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/certread-n.c b/src/certread-n.c
index f2e78c07..57a38dcf 100644
--- a/src/certread-n.c
+++ b/src/certread-n.c
@@ -259,9 +259,9 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
if ((pin != NULL) &&
(strlen(pin) > 0) &&
(cb_data.n_attempts == 0)) {
- cm_log(1, "PIN was not needed to auth to cert "
- "db, though one was provided. "
- "Treating this as an error.\n");
+ cm_log(1, "PIN was not needed to auth to token "
+ "%s, though one was provided. "
+ "Treating this as an error.\n", token);
goto next_slot;
}
}
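Review bot: The new `%s` argument `token` in this cm_log call is not checked anywhere in the hunk, and its assignment lies outside it; if `token` can be NULL when this branch runs, formatting it with `%s` is undefined behaviour on a path that is already reporting an authentication anomaly. If that is possible, pass `token ? token : "(unnamed)"`, or add a one-line comment saying why it cannot be NULL here. The same applies to the cm_log change in the src/keygen-n.c hunk of this patch. cm_certread_n_main starts and ends outside the hunk.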
diff --git a/src/keygen-n.c b/src/keygen-n.c
index 8078a520..84b0bbd3 100644
--- a/src/keygen-n.c
+++ b/src/keygen-n.c
@@ -400,8 +400,8 @@ next_slot:
(strlen(pin) > 0) &&
(cb_data.n_attempts == 0)) {
cm_log(1, "PIN was not needed to auth to key "
- "store, though one was provided. "
- "Treating this as an error.\n");
+ "store token %s, though one was provided. "
+ "Treating this as an error.\n", token);
PK11_FreeSlotList(slotlist);
error = NSS_ShutdownContext(ctx);
if (error != SECSuccess) {
--
2.14.4


@ -0,0 +1,134 @@
From f396b19b2c222fa0a50e9bb9704059af4578e678 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 31 Aug 2018 12:08:35 -0400
Subject: [PATCH 3/7] Add utility function to get the internal token name
The NSS internal token is the default if no token is specified for
the cert or the key.
---
src/certread-n.c | 6 +++++-
src/certsave-n.c | 3 +++
src/keygen-n.c | 3 +++
src/keyiread-n.c | 3 +++
src/submit-n.c | 5 ++++-
src/util-n.c | 6 ++++++
src/util-n.h | 1 +
7 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/src/certread-n.c b/src/certread-n.c
index 57a38dcf..1d9217c6 100644
--- a/src/certread-n.c
+++ b/src/certread-n.c
@@ -190,6 +190,9 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
cm_log(1, "Error reading PIN for cert db.\n");
_exit(CM_SUB_STATUS_ERROR_AUTH);
}
+ if (entry->cm_cert_token == NULL) {
+ entry->cm_cert_token = util_internal_token_name();
+ }
PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
for (sle = slotlist->head;
((sle != NULL) && (sle->slot != NULL));
@@ -253,7 +256,8 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
}
error = PK11_Authenticate(sle->slot, PR_TRUE, &cb_data);
if (error != SECSuccess) {
- cm_log(1, "Error authenticating to cert db.\n");
+ cm_log(1, "certread-n: Error authenticating to cert db "
+ "slot %s.\n", PK11_GetTokenName(sle->slot));
goto next_slot;
}
if ((pin != NULL) &&
diff --git a/src/certsave-n.c b/src/certsave-n.c
index af176ce5..193309c5 100644
--- a/src/certsave-n.c
+++ b/src/certsave-n.c
@@ -214,6 +214,9 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
_exit(CM_SUB_STATUS_ERROR_AUTH);
}
PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
+ if (entry->cm_cert_token == NULL) {
+ entry->cm_cert_token = util_internal_token_name();
+ }
for (sle = slotlist->head;
((sle != NULL) && (sle->slot != NULL));
sle = sle->next)
diff --git a/src/keygen-n.c b/src/keygen-n.c
index 84b0bbd3..f7fdf6c0 100644
--- a/src/keygen-n.c
+++ b/src/keygen-n.c
@@ -272,6 +272,9 @@ cm_keygen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
cm_log(1, "Error locating token for key generation.\n");
_exit(CM_SUB_STATUS_ERROR_NO_TOKEN);
}
+ if (entry->cm_cert_token == NULL) {
+ entry->cm_cert_token = util_internal_token_name();
+ }
/* Walk the list looking for the requested slot, or the first one if
* none was requested. */
slot = NULL;
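Review bot: This hunk defaults `entry->cm_cert_token` inside cm_keygen_n_main, while the keyiread-n.c and submit-n.c hunks of the same patch default `entry->cm_key_token`; for key generation the key token looks like the intended field, so this reads as a copy of the certread/certsave change. If the slot walk that follows selects by `cm_key_token` (it is outside the hunk, so this needs confirming), a NULL key token is still left without a default and the certificate token is modified as a side effect; the lines would then be `if (entry->cm_key_token == NULL) {` and `entry->cm_key_token = util_internal_token_name();`. The later "Fix memory leak in util_internal_token_name()" patch on this page keeps the same field in its keygen-n.c hunk.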
diff --git a/src/keyiread-n.c b/src/keyiread-n.c
index 89913aa2..b8408bf1 100644
--- a/src/keyiread-n.c
+++ b/src/keyiread-n.c
@@ -152,6 +152,9 @@ cm_keyiread_n_get_keys(struct cm_store_entry *entry, int readwrite)
_exit(CM_SUB_STATUS_ERROR_AUTH);
}
PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
+ if (entry->cm_key_token == NULL) {
+ entry->cm_key_token = util_internal_token_name();
+ }
n_tokens = 0;
pubkey = NULL;
/* In practice, the internal slot is either a non-storage slot (in
diff --git a/src/submit-n.c b/src/submit-n.c
index 872153ea..da07d253 100644
--- a/src/submit-n.c
+++ b/src/submit-n.c
@@ -346,6 +346,9 @@ cm_submit_n_decrypt_envelope(const unsigned char *envelope,
cm_log(1, "Error reading PIN for key storage.\n");
goto done;
}
+ if (args->entry->cm_key_token == NULL) {
+ args->entry->cm_key_token = util_internal_token_name();
+ }
PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
n_tokens = 0;
/* In practice, the internal slot is either a non-storage slot (in
@@ -402,7 +405,7 @@ cm_submit_n_decrypt_envelope(const unsigned char *envelope,
}
error = PK11_Authenticate(slot, PR_TRUE, &cb_data);
if (error != SECSuccess) {
- cm_log(1, "Error authenticating to token "
+ cm_log(1, "submit-n: Error authenticating to token "
"\"%s\".\n", token);
goto done;
}
diff --git a/src/util-n.c b/src/util-n.c
index 7805e58e..293e2583 100644
--- a/src/util-n.c
+++ b/src/util-n.c
@@ -287,3 +287,9 @@ util_set_db_entry_cert_owner(const char *dbdir, struct cm_store_entry *entry)
util_set_db_owner_perms(dbdir, secmoddb, entry->cm_cert_owner,
entry->cm_cert_perms);
}
+
+char *
+util_internal_token_name()
+{
+ return strdup(PK11_GetTokenName(PK11_GetInternalKeySlot()));
+}
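Review bot: `PK11_GetInternalKeySlot()` hands back a referenced slot that the caller is expected to release with `PK11_FreeSlot()`, and the new function discards that pointer, so every call leaks a slot reference, which can leave a later NSS shutdown failing as busy. The slot is also passed on unchecked, so a NULL return goes straight into `PK11_GetTokenName()`. Holding the slot in a local, copying the name and then freeing the slot addresses both, as sketched below; the empty parameter list should be `(void)`. The later "Fix memory leak in util_internal_token_name()" patch on this page changes the body to return the name without copying, which still drops the slot reference.

```c
char *
util_internal_token_name(void)
{
	PK11SlotInfo *slot = PK11_GetInternalKeySlot();
	char *name = NULL;

	if (slot != NULL) {
		/* Copy before releasing: the name is stored with the slot. */
		name = strdup(PK11_GetTokenName(slot));
		PK11_FreeSlot(slot);
	}
	return name; /* caller frees; NULL on failure */
}
```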
diff --git a/src/util-n.h b/src/util-n.h
index 8a918d5c..637fd4b1 100644
--- a/src/util-n.h
+++ b/src/util-n.h
@@ -29,5 +29,6 @@ void util_set_db_entry_key_owner(const char *dbdir,
struct cm_store_entry *entry);
void util_set_db_entry_cert_owner(const char *dbdir,
struct cm_store_entry *entry);
+char * util_internal_token_name();
#endif
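Review bot: The new declaration carries no comment, and the ownership of the returned string cannot be read off the name: in this patch the caller receives a `strdup()` copy it has to `free()`. A one-line comment above the prototype, such as `/* Returns a malloc'd copy of the internal key slot's token name; caller frees. */`, would record that contract, which matters because the later memory-leak patch on this page changes it. Writing the declaration as `char *util_internal_token_name(void);` would also make it a real prototype instead of an unspecified parameter list.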
--
2.14.4


@ -0,0 +1,41 @@
From 6ebe5695a626c6cd254b249bbebf9846bcb936c0 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 4 Sep 2018 11:06:13 -0400
Subject: [PATCH 4/7] Only de-duplicate certificates within the same token
certmonger may not have read/write access to tokens other than
the one it is examining so don't try to de-duplicate certificates
on other tokens.
---
src/certsave-n.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/certsave-n.c b/src/certsave-n.c
index 193309c5..d0152cad 100644
--- a/src/certsave-n.c
+++ b/src/certsave-n.c
@@ -391,8 +391,9 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
!CERT_LIST_EMPTY(certlist) &&
!CERT_LIST_END(node, certlist);
node = CERT_LIST_NEXT(node)) {
- if (!SECITEM_ItemsAreEqual(&subject,
- &node->cert->derSubject)) {
+ if ((!SECITEM_ItemsAreEqual(&subject,
+ &node->cert->derSubject)) &&
+ (sle->slot == node->cert->slot)) {
cm_log(3, "Found a "
"certificate "
"with the same "
@@ -441,7 +442,8 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
node = CERT_LIST_NEXT(node)) {
if ((node->cert->nickname != NULL) &&
(strcmp(entry->cm_cert_nickname,
- node->cert->nickname) != 0))
+ node->cert->nickname) != 0) &&
+ (sle->slot == node->cert->slot))
{
i++;
cm_log(3, "Found a "
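Review bot: The added `sle->slot == node->cert->slot` test, here and in the subject-comparison hunk above, compares slot pointers and relies on the single `slot` field of the certificate. A certificate whose `slot` is NULL, or one that NSS also holds on another token, would presumably be skipped without any trace, so a stale duplicate can stay in place and nothing in the log says why. A short comment at both sites, e.g. `/* only touch certificates NSS reports on the slot being processed */`, and a level-3 cm_log when a match is skipped because of the slot would make that diagnosable. The enclosing loops and cm_certsave_n_main start and end outside the hunks.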
--
2.14.4


@ -0,0 +1,30 @@
From 697dd085e7b2ce15eefc454509987270131d7f1e Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 4 Sep 2018 16:59:28 -0400
Subject: [PATCH 5/7] Ensure that an OpenSSL random seed file exists when
testing
Otherwise some openssl command-line invocations will fail and
because of the way the tests are done the error message is not
shown.
---
tests/Makefile.am | 3 +++
1 file changed, 3 insertions(+)
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 4e407434..fe368dc0 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -433,6 +433,9 @@ subdirs += \
endif
check: all
+ if [ ! -e $$HOME/.rnd ] ; then \
+ openssl rand -writerand $$HOME/.rnd; \
+ fi
for required in certutil cmsutil pk12util openssl diff cmp mktemp \
dos2unix unix2dos dbus-launch ; do \
which $$required || exit 1; \
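Review bot: The added recipe lines create `$$HOME/.rnd` as a side effect of `make check`, with `$$HOME` unquoted and never checked: with HOME unset the path becomes `/.rnd`, and a HOME containing whitespace breaks the `[ ... ]` test. The step also depends on the installed `openssl rand` accepting `-writerand`; where it does not, the `check` target stops before any test runs, so a comment naming the OpenSSL version this was written for would help. At minimum quote the path, `if [ ! -e "$$HOME/.rnd" ] ; then \` and `openssl rand -writerand "$$HOME/.rnd"; \`, and consider keeping the seed file inside the build tree so a test run does not write into the user's home directory. The `check` recipe continues beyond the hunk.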
--
2.14.4


@ -0,0 +1,29 @@
From e93ecadec7c868f4227e084ffb65c70a6efd7314 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 4 Sep 2018 18:12:18 -0400
Subject: [PATCH 6/7] Log test failures of bad pin
Previously this would show a "don't know why" failure.
---
tests/tools/certsave.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/tests/tools/certsave.c b/tests/tools/certsave.c
index ac0f73ec..fd86a4c1 100644
--- a/tests/tools/certsave.c
+++ b/tests/tools/certsave.c
@@ -106,6 +106,11 @@ main(int argc, char **argv)
printf("Failed to save (%s:%s), "
"filesystem permissions error.\n",
ctype, entry->cm_cert_storage_location);
+ } else
+ if (cm_certsave_pin_error(state) == 0) {
+ printf("Failed to save (%s:%s), "
+ "pin error.\n",
+ ctype, entry->cm_cert_storage_location);
} else {
printf("Failed to save (%s:%s), "
"don't know why.\n",
--
2.14.4


@ -0,0 +1,95 @@
From 15d406ee3afbb52832d5c61a1afb735724d109a2 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 18 Sep 2018 10:21:28 -0400
Subject: [PATCH 7/7] Use only PK11_ImportCert to import certs, not
CERT_ImportCerts
CERT_ImportCerts always imports a given certificate into the
certificate database, whether a token is requested or not.
Using PK11_ImportCert will import the cert, associate the key
properly and will only add the certificate to the appropriate
token.
---
src/certsave-n.c | 37 +++++++++++--------------------------
1 file changed, 11 insertions(+), 26 deletions(-)
diff --git a/src/certsave-n.c b/src/certsave-n.c
index d0152cad..fcb43148 100644
--- a/src/certsave-n.c
+++ b/src/certsave-n.c
@@ -100,7 +100,7 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
NSSInitContext *ctx;
CERTCertDBHandle *certdb;
CERTCertList *certlist;
- CERTCertificate **returned, *oldcert, cert;
+ CERTCertificate *oldcert, *newcert, cert;
CERTCertTrust trust;
CERTSignedData csdata;
CERTCertListNode *node;
@@ -497,33 +497,18 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
}
}
/* Import the certificate. */
- returned = NULL;
- error = CERT_ImportCerts(certdb,
- certUsageUserCertImport,
- 1, &item, &returned,
- PR_TRUE,
- PR_FALSE,
- entry->cm_cert_nickname);
- ec = PORT_GetError();
- if (error == SECSuccess) {
- /* If NSS uses SQL DB storage, CERT_ImportCerts creates
- * an incomplete internal state (the cert isn't
- * associated with the private key, and calling
- * PK11_FindKeyByAnyCert returns no result).
- * As a workaround, we import the cert again using
- * PK11_ImportCert, which magically fixes the issue.
- * See rhbz#1532188 */
+ newcert = CERT_DecodeCertFromPackage((char *)item->data, item->len);
+ if (newcert != NULL) {
error = PK11_ImportCert(sle->slot,
- returned[0],
+ newcert,
CK_INVALID_HANDLE,
- returned[0]->nickname,
+ entry->cm_cert_nickname,
PR_FALSE);
}
if (error == SECSuccess) {
- cm_log(1, "Imported certificate \"%s\", got "
+ cm_log(1, "Imported certificate with "
"nickname \"%s\".\n",
- entry->cm_cert_nickname,
- returned[0]->nickname);
+ entry->cm_cert_nickname);
status = 0;
/* Set the trust on the new certificate,
* perhaps matching the trust on an
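Review bot: When `CERT_DecodeCertFromPackage()` returns NULL, `error` is not updated, so the `if (error == SECSuccess)` that follows tests whatever an earlier call left in it; if that was SECSuccess the code logs "Imported certificate", sets `status = 0` and hands a NULL `newcert` to `CERT_ChangeCertTrust()` in the next hunk. The hunk also removes `ec = PORT_GetError();` after the import without a replacement, so any error reporting that reads `ec` for an import failure (outside the hunk) would see a stale code. Adding `} else { error = SECFailure; }` to the decode check and `ec = PORT_GetError();` right after it covers both. cm_certsave_n_main starts and ends outside the hunk.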
@@ -536,7 +521,7 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
trust.objectSigningFlags = CERTDB_USER;
}
error = CERT_ChangeCertTrust(certdb,
- returned[0],
+ newcert,
&trust);
ec = PORT_GetError();
if (error != SECSuccess) {
@@ -621,10 +606,10 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
}
/* If we managed to import the certificate, mark its
* key for having its nickname removed. */
- if ((returned != NULL) && (returned[0] != NULL)) {
- privkey = PK11_FindKeyByAnyCert(returned[0], NULL);
+ if (newcert != NULL) {
+ privkey = PK11_FindKeyByAnyCert(newcert, NULL);
privkeys = add_privkey_to_list(privkeys, privkey);
- CERT_DestroyCertArray(returned, 1);
+ CERT_DestroyCertificate(newcert);
}
/* In case we're rekeying, but failed, mark the
* candidate key for name-clearing or removal, too. */
--
2.14.4


@ -0,0 +1,95 @@
From 5d2554ed31fa6bc121d94efe533f9e4fea3900aa Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 4 Oct 2018 08:21:35 -0400
Subject: [PATCH 10/17] Fix memory leak in util_internal_token_name()
Allocate memory using the talloc context instead of relying on
the caller to call free().
---
src/certread-n.c | 2 +-
src/certsave-n.c | 2 +-
src/keygen-n.c | 2 +-
src/keyiread-n.c | 2 +-
src/submit-n.c | 2 +-
src/util-n.c | 2 +-
6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/certread-n.c b/src/certread-n.c
index 1d9217c6..d535030b 100644
--- a/src/certread-n.c
+++ b/src/certread-n.c
@@ -191,7 +191,7 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
_exit(CM_SUB_STATUS_ERROR_AUTH);
}
if (entry->cm_cert_token == NULL) {
- entry->cm_cert_token = util_internal_token_name();
+ entry->cm_cert_token = talloc_strdup(entry, util_internal_token_name());
}
PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
for (sle = slotlist->head;
diff --git a/src/certsave-n.c b/src/certsave-n.c
index fcb43148..49b28324 100644
--- a/src/certsave-n.c
+++ b/src/certsave-n.c
@@ -215,7 +215,7 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
}
PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
if (entry->cm_cert_token == NULL) {
- entry->cm_cert_token = util_internal_token_name();
+ entry->cm_cert_token = talloc_strdup(entry, util_internal_token_name());
}
for (sle = slotlist->head;
((sle != NULL) && (sle->slot != NULL));
diff --git a/src/keygen-n.c b/src/keygen-n.c
index f7fdf6c0..76a5c1d3 100644
--- a/src/keygen-n.c
+++ b/src/keygen-n.c
@@ -273,7 +273,7 @@ cm_keygen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
_exit(CM_SUB_STATUS_ERROR_NO_TOKEN);
}
if (entry->cm_cert_token == NULL) {
- entry->cm_cert_token = util_internal_token_name();
+ entry->cm_cert_token = talloc_strdup(entry, util_internal_token_name());
}
/* Walk the list looking for the requested slot, or the first one if
* none was requested. */
diff --git a/src/keyiread-n.c b/src/keyiread-n.c
index b8408bf1..8f46ec0f 100644
--- a/src/keyiread-n.c
+++ b/src/keyiread-n.c
@@ -153,7 +153,7 @@ cm_keyiread_n_get_keys(struct cm_store_entry *entry, int readwrite)
}
PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
if (entry->cm_key_token == NULL) {
- entry->cm_key_token = util_internal_token_name();
+ entry->cm_key_token = talloc_strdup(entry, util_internal_token_name());
}
n_tokens = 0;
pubkey = NULL;
diff --git a/src/submit-n.c b/src/submit-n.c
index da07d253..ee6f3105 100644
--- a/src/submit-n.c
+++ b/src/submit-n.c
@@ -347,7 +347,7 @@ cm_submit_n_decrypt_envelope(const unsigned char *envelope,
goto done;
}
if (args->entry->cm_key_token == NULL) {
- args->entry->cm_key_token = util_internal_token_name();
+ args->entry->cm_key_token = talloc_strdup(args->entry, util_internal_token_name());
}
PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
n_tokens = 0;
diff --git a/src/util-n.c b/src/util-n.c
index 293e2583..4ab3d47b 100644
--- a/src/util-n.c
+++ b/src/util-n.c
@@ -291,5 +291,5 @@ util_set_db_entry_cert_owner(const char *dbdir, struct cm_store_entry *entry)
char *
util_internal_token_name()
{
- return strdup(PK11_GetTokenName(PK11_GetInternalKeySlot()));
+ return PK11_GetTokenName(PK11_GetInternalKeySlot());
}
--
2.14.4


@ -0,0 +1,266 @@
From 648fe74986f2a84416805cfd73206e9e67166ae2 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 13 Sep 2018 15:40:23 -0400
Subject: [PATCH 11/17] clang: Dead assignment
---
src/casave.c | 4 +++-
src/keygen-n.c | 1 -
src/keyiread-n.c | 1 -
src/store-files.c | 2 --
src/store-gen.c | 3 ---
src/submit-e.c | 54 ++++++++++++++++++++++++++------------------------
src/submit-u.c | 2 --
src/tdbush.c | 8 ++++++--
tests/tools/addcinfo.c | 1 -
tests/tools/certsave.c | 4 +++-
10 files changed, 40 insertions(+), 40 deletions(-)
diff --git a/src/casave.c b/src/casave.c
index 5fb31b8d..bde63f99 100644
--- a/src/casave.c
+++ b/src/casave.c
@@ -163,7 +163,6 @@ cm_casave_main_n(int fd, struct cm_store_ca *ca, struct cm_store_entry *e,
decoded = CERT_DecodeCertFromPackage(package,
strlen(package));
p = state->certs[i]->nickname;
- ttrust = ",,";
switch (state->certs[i]->level) {
case root:
case other_root:
@@ -178,6 +177,9 @@ cm_casave_main_n(int fd, struct cm_store_ca *ca, struct cm_store_entry *e,
ttrust = ",,";
}
break;
+ default:
+ ttrust = ",,";
+ break;
}
memset(&trust, 0, sizeof(trust));
CERT_DecodeTrustString(&trust, ttrust);
diff --git a/src/keygen-n.c b/src/keygen-n.c
index 76a5c1d3..061bd2af 100644
--- a/src/keygen-n.c
+++ b/src/keygen-n.c
@@ -591,7 +591,6 @@ retry_gen:
break;
}
}
- generated_size = SECKEY_PublicKeyStrengthInBits(pubkey);
cm_log(1, "Ended up with %d bit public key.\n",
SECKEY_PublicKeyStrengthInBits(pubkey));
/* Check for keys with the desired name, selecting a new name if
diff --git a/src/keyiread-n.c b/src/keyiread-n.c
index 8f46ec0f..91b1be41 100644
--- a/src/keyiread-n.c
+++ b/src/keyiread-n.c
@@ -492,7 +492,6 @@ cm_keyiread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
readwrite = settings->readwrite;
keys = cm_keyiread_n_get_keys(entry, readwrite);
alg = "";
- size = 0;
if (keys != NULL) {
switch (SECKEY_GetPrivateKeyType(keys->privkey)) {
case rsaKey:
diff --git a/src/store-files.c b/src/store-files.c
index 06a17485..df1fa336 100644
--- a/src/store-files.c
+++ b/src/store-files.c
@@ -2182,7 +2182,6 @@ cm_store_entry_delete(struct cm_store_entry *entry)
} else {
cm_log(3, "No file to remove for \"%s\".\n",
entry->cm_nickname);
- ret = 0;
}
return 0;
}
@@ -2469,7 +2468,6 @@ cm_store_ca_delete(struct cm_store_ca *ca)
}
} else {
cm_log(3, "No file to remove for \"%s\".\n", ca->cm_nickname);
- ret = 0;
}
return 0;
}
diff --git a/src/store-gen.c b/src/store-gen.c
index 5ce4ab84..da32afc8 100644
--- a/src/store-gen.c
+++ b/src/store-gen.c
@@ -530,8 +530,6 @@ cm_store_hex_to_bin(const char *serial, unsigned char *buf, int length)
const char *p, *q, *chars = "0123456789abcdef";
unsigned char *b, u;
- p = serial;
- b = buf;
u = 0;
for (p = serial, b = buf;
((*p != '\0') && ((b - buf) < length));
@@ -606,7 +604,6 @@ cm_store_canonicalize_path(void *parent, const char *path)
for (p = tmp; *p != '\0'; p++) {
if ((strncmp(p, "/.", 2) == 0) &&
((p[2] == '/') || (p[2] == '\0'))) {
- q = p - 1;
memmove(p, p + 2, strlen(p + 2) + 1);
}
}
diff --git a/src/submit-e.c b/src/submit-e.c
index 8ba8e44c..d6158d7a 100644
--- a/src/submit-e.c
+++ b/src/submit-e.c
@@ -587,32 +587,34 @@ cm_submit_e_postprocess_main(int fd, struct cm_store_ca *ca,
estate->msg_length, NULL);
msg = cm_json_new_object(estate);
chain = cm_json_new_array(msg);
- if (leaf != NULL) {
- cert = cm_json_new_string(msg, leaf, -1);
- cm_json_set(msg, CM_SUBMIT_E_CERTIFICATE, cert);
- }
- for (i = 0;
- (others != NULL) && (others[i] != NULL);
- i++) {
- cert = cm_json_new_object(chain);
- val = cm_json_new_string(cert, others[i], -1);
- cm_json_set(cert, CM_SUBMIT_E_CERTIFICATE, val);
- nthnick = talloc_asprintf(cert, "chain #%d", i + 1);
- nick = cm_json_new_string(cert, nthnick, -1);
- cm_json_set(cert, CM_SUBMIT_E_NICKNAME, nick);
- cm_json_append(chain, cert);
- }
- if (top!= NULL) {
- cert = cm_json_new_object(chain);
- val = cm_json_new_string(cert, top, -1);
- cm_json_set(cert, CM_SUBMIT_E_CERTIFICATE, val);
- nthnick = talloc_asprintf(cert, "chain #%d", i + 1);
- nick = cm_json_new_string(cert, nthnick, -1);
- cm_json_set(cert, CM_SUBMIT_E_NICKNAME, nick);
- cm_json_append(chain, cert);
- }
- if (cm_json_array_size(chain) > 0) {
- cm_json_set(msg, CM_SUBMIT_E_CHAIN, chain);
+ if (i == 0) {
+ if (leaf != NULL) {
+ cert = cm_json_new_string(msg, leaf, -1);
+ cm_json_set(msg, CM_SUBMIT_E_CERTIFICATE, cert);
+ }
+ for (i = 0;
+ (others != NULL) && (others[i] != NULL);
+ i++) {
+ cert = cm_json_new_object(chain);
+ val = cm_json_new_string(cert, others[i], -1);
+ cm_json_set(cert, CM_SUBMIT_E_CERTIFICATE, val);
+ nthnick = talloc_asprintf(cert, "chain #%d", i + 1);
+ nick = cm_json_new_string(cert, nthnick, -1);
+ cm_json_set(cert, CM_SUBMIT_E_NICKNAME, nick);
+ cm_json_append(chain, cert);
+ }
+ if (top!= NULL) {
+ cert = cm_json_new_object(chain);
+ val = cm_json_new_string(cert, top, -1);