rpms/p11-kit
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Rebase to 0.25.10

Browse Source 
Resolves: RHEL-115453

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
This commit is contained in:
Zoltan Fridrich 2025-09-22 16:14:21 +02:00
parent 90854f55b9
commit 0a7be848da
6 changed files with 35 additions and 425 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -43,3 +43,5 @@
/p11-kit-release-keyring.gpg
/p11-kit-0.25.3.tar.xz
/p11-kit-0.25.3.tar.xz.sig
/p11-kit-0.25.10.tar.xz
/p11-kit-0.25.10.tar.xz.sig

298
001-static-analysis.patch
View File

@ -1,298 +0,0 @@
From 58cd1c05e001a4fe250c15f3599e79974bc509e3 Mon Sep 17 00:00:00 2001
From: Zoltan Fridrich <zfridric@redhat.com>
Date: Thu, 16 Nov 2023 10:12:14 +0100
Subject: [PATCH] Fix issues found by static analysis
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
---
common/frob-getprogname.c | 4 ++--
common/test.c | 4 +---
p11-kit/generate-keypair.c | 25 +++++++++----------------
p11-kit/import-object.c | 22 +++++-----------------
p11-kit/lists.c | 1 +
p11-kit/print-config.c | 4 +++-
p11-kit/rpc-client.c | 6 ++++--
p11-kit/test-uri.c | 4 ++--
trust/test-trust.c | 2 +-
9 files changed, 28 insertions(+), 44 deletions(-)
diff --git a/common/frob-getprogname.c b/common/frob-getprogname.c
index ead658cc8..46e3b7fd3 100644
--- a/common/frob-getprogname.c
+++ b/common/frob-getprogname.c
@@ -76,14 +76,14 @@ main (int argc,
execv (BUILDDIR "/common/frob-getprogname" EXEEXT, args);
} else {
int status;
- char buffer[1024];
+ char buffer[1024] = { 0 };
size_t offset = 0;
ssize_t nread;
char *p;
close (pfds[1]);
while (1) {
- nread = read (pfds[0], buffer + offset, sizeof(buffer) - offset);
+ nread = read (pfds[0], buffer + offset, sizeof(buffer) - offset - 1);
if (nread < 0) {
perror ("read");
exit (EXIT_FAILURE);
diff --git a/common/test.c b/common/test.c
index 3ed98da01..6cdbd1fa2 100644
--- a/common/test.c
+++ b/common/test.c
@@ -272,7 +272,6 @@ p11_testx (void (* function) (void *),
test_item item = { TEST, };
va_list va;
- item.type = TEST;
item.x.test.func = function;
item.x.test.argument = argument;
@@ -287,9 +286,8 @@ void
p11_fixture (void (* setup) (void *),
void (* teardown) (void *))
{
- test_item item;
+ test_item item = { FIXTURE, };
- item.type = FIXTURE;
item.x.fix.setup = setup;
item.x.fix.teardown = teardown;
diff --git a/p11-kit/generate-keypair.c b/p11-kit/generate-keypair.c
index 49dc11830..695103d1d 100644
--- a/p11-kit/generate-keypair.c
+++ b/p11-kit/generate-keypair.c
@@ -351,7 +351,7 @@ int
p11_kit_generate_keypair (int argc,
char *argv[])
{
- int opt, ret = 2;
+ int opt, ret;
char *label = NULL;
CK_ULONG bits = 0;
const uint8_t *ec_params = NULL;
@@ -396,31 +396,27 @@ p11_kit_generate_keypair (int argc,
while ((opt = p11_tool_getopt (argc, argv, options)) != -1) {
switch (opt) {
case opt_label:
- label = strdup (optarg);
- if (label == NULL) {
- p11_message (_("failed to allocate memory"));
- goto cleanup;
- }
+ label = optarg;
break;
case opt_type:
mechanism = get_mechanism (optarg);
if (mechanism.mechanism == CKA_INVALID) {
p11_message (_("unknown mechanism type: %s"), optarg);
- goto cleanup;
+ return 2;
}
break;
case opt_bits:
bits = strtol (optarg, NULL, 10);
if (bits == 0) {
p11_message (_("failed to parse bits value: %s"), optarg);
- goto cleanup;
+ return 2;
}
break;
case opt_curve:
ec_params = get_ec_params (optarg, &ec_params_len);
if (ec_params == NULL) {
p11_message (_("unknown curve name: %s"), optarg);
- goto cleanup;
+ return 2;
}
break;
case opt_login:
@@ -434,10 +430,9 @@ p11_kit_generate_keypair (int argc,
break;
case opt_help:
p11_tool_usage (usages, options);
- ret = 0;
- goto cleanup;
+ return 0;
case '?':
- goto cleanup;
+ return 2;
default:
assert_not_reached ();
break;
@@ -449,11 +444,11 @@ p11_kit_generate_keypair (int argc,
if (argc != 1) {
p11_tool_usage (usages, options);
- goto cleanup;
+ return 2;
}
if (!check_args (mechanism.mechanism, bits, ec_params))
- goto cleanup;
+ return 2;
#ifdef OS_UNIX
/* Register a fallback PIN callback that reads from terminal.
@@ -464,11 +459,9 @@ p11_kit_generate_keypair (int argc,
ret = generate_keypair (*argv, label, mechanism, bits, ec_params, ec_params_len, login);
-cleanup:
#ifdef OS_UNIX
p11_kit_pin_unregister_callback ("tty", p11_pin_tty_callback, NULL);
#endif
- free (label);
return ret;
}
diff --git a/p11-kit/import-object.c b/p11-kit/import-object.c
index 270a0e027..feee07659 100644
--- a/p11-kit/import-object.c
+++ b/p11-kit/import-object.c
@@ -500,7 +500,7 @@ int
p11_kit_import_object (int argc,
char *argv[])
{
- int opt, ret = 2;
+ int opt, ret;
char *label = NULL;
char *file = NULL;
bool login = false;
@@ -536,18 +536,10 @@ p11_kit_import_object (int argc,
while ((opt = p11_tool_getopt (argc, argv, options)) != -1) {
switch (opt) {
case opt_label:
- label = strdup (optarg);
- if (label == NULL) {
- p11_message (_("failed to allocate memory"));
- goto cleanup;
- }
+ label = optarg;
break;
case opt_file:
- file = strdup (optarg);
- if (file == NULL) {
- p11_message (_("failed to allocate memory"));
- goto cleanup;
- }
+ file = optarg;
break;
case opt_login:
login = true;
@@ -574,12 +566,12 @@ p11_kit_import_object (int argc,
if (argc != 1) {
p11_tool_usage (usages, options);
- goto cleanup;
+ return 2;
}
if (file == NULL) {
p11_message (_("no file specified"));
- goto cleanup;
+ return 2;
}
#ifdef OS_UNIX
@@ -595,10 +587,6 @@ p11_kit_import_object (int argc,
p11_kit_pin_unregister_callback ("tty", p11_pin_tty_callback, NULL);
#endif
-cleanup:
- free (label);
- free (file);
-
return ret;
}
diff --git a/p11-kit/lists.c b/p11-kit/lists.c
index df58beb3f..007bb0f12 100644
--- a/p11-kit/lists.c
+++ b/p11-kit/lists.c
@@ -295,6 +295,7 @@ print_modules (void)
if (rv != CKR_OK) {
p11_message (_("couldn't load module info: %s"),
p11_kit_strerror (rv));
+ p11_kit_modules_finalize_and_release (module_list);
return 1;
}
diff --git a/p11-kit/print-config.c b/p11-kit/print-config.c
index 173b55feb..29daf3871 100644
--- a/p11-kit/print-config.c
+++ b/p11-kit/print-config.c
@@ -74,8 +74,10 @@ print_config (void)
P11_PACKAGE_CONFIG_MODULES,
P11_SYSTEM_CONFIG_MODULES,
P11_USER_CONFIG_MODULES);
- if (modules_conf == NULL)
+ if (modules_conf == NULL) {
+ p11_dict_free (global_conf);
return 1;
+ }
printf ("[global]\n");
p11_dict_iterate (global_conf, &i);
diff --git a/p11-kit/rpc-client.c b/p11-kit/rpc-client.c
index fb39103eb..19b628b1a 100644
--- a/p11-kit/rpc-client.c
+++ b/p11-kit/rpc-client.c
@@ -173,6 +173,8 @@ call_done (rpc_client *module,
p11_rpc_message *msg,
CK_RV ret)
{
+ p11_buffer *buf;
+
assert (module != NULL);
assert (msg != NULL);
@@ -189,9 +191,9 @@ call_done (rpc_client *module,
/* We used the same buffer for input/output, so this frees both */
assert (msg->input == msg->output);
- p11_rpc_buffer_free (msg->input);
-
+ buf = msg->input;
p11_rpc_message_clear (msg);
+ p11_rpc_buffer_free (buf);
return ret;
}
diff --git a/p11-kit/test-uri.c b/p11-kit/test-uri.c
index 32e8da703..18b7a108a 100644
--- a/p11-kit/test-uri.c
+++ b/p11-kit/test-uri.c
@@ -1019,7 +1019,7 @@ test_uri_get_set_unrecognized (void)
static void
test_uri_match_token (void)
{
- CK_TOKEN_INFO token;
+ CK_TOKEN_INFO token = { 0 };
P11KitUri *uri;
int ret;
@@ -1056,7 +1056,7 @@ test_uri_match_token (void)
static void
test_uri_match_module (void)
{
- CK_INFO info;
+ CK_INFO info = { 0 };
P11KitUri *uri;
int ret;
diff --git a/trust/test-trust.c b/trust/test-trust.c
index 29b2797b5..3b27a1f31 100644
--- a/trust/test-trust.c
+++ b/trust/test-trust.c
@@ -258,7 +258,7 @@ test_check_symlink_msg (const char *file,
if (asprintf (&filename, "%s/%s", directory, name) < 0)
assert_not_reached ();
- if (readlink (filename, buf, sizeof (buf)) < 0)
+ if (readlink (filename, buf, sizeof (buf) - 1) < 0)
p11_test_fail (file, line, function, "Couldn't read symlink: %s", filename);
if (strcmp (destination, buf) != 0)

37
p11-kit-0.25.3-usage-msg.patch
View File

@ -1,37 +0,0 @@
From 8e46359a68deab9112a1e262d5384986ce87b5d8 Mon Sep 17 00:00:00 2001
From: Zoltan Fridrich <zfridric@redhat.com>
Date: Thu, 16 Nov 2023 14:43:21 +0100
Subject: [PATCH] Fix usage message in p11-kit list-tokens command
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
---
p11-kit/list-tokens.c | 2 +-
p11-kit/test-list-tokens.sh | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/p11-kit/list-tokens.c b/p11-kit/list-tokens.c
index 48616cae..a9101945 100644
--- a/p11-kit/list-tokens.c
+++ b/p11-kit/list-tokens.c
@@ -151,7 +151,7 @@ p11_kit_list_tokens (int argc,
};
p11_tool_desc usages[] = {
- { 0, "usage: p11-kit list-tokens" },
+ { 0, "usage: p11-kit list-tokens [--only-uris] pkcs11:token" },
{ opt_verbose, "show verbose debug output", },
{ opt_quiet, "suppress command output", },
{ opt_only_urls, "only print token URIs", },
diff --git a/p11-kit/test-list-tokens.sh b/p11-kit/test-list-tokens.sh
index f61e241d..f933792e 100755
--- a/p11-kit/test-list-tokens.sh
+++ b/p11-kit/test-list-tokens.sh
@@ -21,7 +21,7 @@ teardown() {
test_list_tokens_without_uri() {
cat > list.exp <<EOF
-usage: p11-kit list-tokens
+usage: p11-kit list-tokens [--only-uris] pkcs11:token
-v, --verbose show verbose debug output
-q, --quiet suppress command output

73
p11-kit-0.25.5-trust-file-length.patch
View File

@ -1,73 +0,0 @@
From a8b94642dbe6d52aa7a7805fbb60b64c4cfd7245 Mon Sep 17 00:00:00 2001
From: Zoltan Fridrich <zfridric@redhat.com>
Date: Thu, 3 Oct 2024 11:34:14 +0200
Subject: [PATCH] trust: don't create file names longer then 255
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
---
trust/save.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/trust/save.c b/trust/save.c
index 057a9c5e3..acabcbf6d 100644
--- a/trust/save.c
+++ b/trust/save.c
@@ -61,6 +61,8 @@
#define O_DIRECTORY 0
#endif
+#define MAX_FILE_NAME 255
+
struct _p11_save_file {
char *bare;
char *extension;
@@ -414,12 +416,23 @@ make_unique_name (const char *bare,
p11_buffer buf;
int ret;
int i;
+ int bare_len, ext_len, diff;
assert (bare != NULL);
assert (check != NULL);
p11_buffer_init_null (&buf, 0);
+ /*
+ * Make sure the name will not be longer then MAX_FILE_NAME
+ */
+ bare_len = strlen (bare);
+ ext_len = extension ? strlen (extension) : 0;
+ diff = bare_len + ext_len + sizeof (unique) - MAX_FILE_NAME;
+ if (diff > 0)
+ bare_len -= diff;
+ return_val_if_fail (bare_len > 0, NULL);
+
for (i = 0; true; i++) {
p11_buffer_reset (&buf, 64);
@@ -431,7 +444,7 @@ make_unique_name (const char *bare,
* provided by the caller.
*/
case 0:
- p11_buffer_add (&buf, bare, -1);
+ p11_buffer_add (&buf, bare, bare_len);
break;
/*
@@ -448,14 +461,14 @@ make_unique_name (const char *bare,
/* fall through */
default:
- p11_buffer_add (&buf, bare, -1);
+ p11_buffer_add (&buf, bare, bare_len);
snprintf (unique, sizeof (unique), ".%d", i);
p11_buffer_add (&buf, unique, -1);
break;
}
if (extension)
- p11_buffer_add (&buf, extension, -1);
+ p11_buffer_add (&buf, extension, ext_len);
return_val_if_fail (p11_buffer_ok (&buf), NULL);

44
p11-kit.spec
View File

@ -1,6 +1,6 @@
# This spec file has been automatically updated
Version: 0.25.3
Release: 3%{?dist}
Version: 0.25.10
Release: 1%{?dist}
Name: p11-kit
Summary: Library for loading and sharing PKCS#11 modules
@ -12,10 +12,6 @@ Source2: https://p11-glue.github.io/p11-glue/p11-kit/p11-kit-release-keyr
Source3: trust-extract-compat
Source4: p11-kit-client.service
Patch: 001-static-analysis.patch
Patch: p11-kit-0.25.5-trust-file-length.patch
Patch: p11-kit-0.25.3-usage-msg.patch
BuildRequires: gcc
BuildRequires: libtasn1-devel >= 2.3
BuildRequires: libffi-devel
@ -23,7 +19,7 @@ BuildRequires: gettext
BuildRequires: gtk-doc
BuildRequires: meson
BuildRequires: systemd-devel
BuildRequires: bash-completion
BuildRequires: pkgconfig(bash-completion)
# Work around for https://bugzilla.redhat.com/show_bug.cgi?id=1497147
# Remove this once it is fixed
BuildRequires: pkgconfig(glib-2.0)
@ -58,9 +54,21 @@ The %{name}-trust package contains a system trust PKCS#11 module which
contains certificate anchors and blocklists.
%package server
Summary: Server and client commands for %{name}
%package client
Summary: Client module from %{name}
Requires: %{name}%{?_isa} = %{version}-%{release}
Obsoletes: %{name}-server < 0.25.5-8
%description client
The %{name}-client package contains a PKCS#11 module that enables
accessing other PKCS#11 modules over a Unix domain socket. Note that
this feature is still experimental.
%package server
Summary: Server command for %{name}
Requires: %{name}%{?_isa} = %{version}-%{release}
Obsoletes: %{name}-server < 0.25.5-8
%description server
The %{name}-server package contains command line tools that enable to
@ -83,7 +91,7 @@ gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
%autosetup -p1
%build
# These paths are the source paths that come from the plan here:
# These paths are the source paths that come from the plan here:
# https://fedoraproject.org/wiki/Features/SharedSystemCertificates:SubTasks
%meson -Dgtk_doc=true -Dman=true -Dtrust_paths=%{_sysconfdir}/pki/ca-trust/source:%{_datadir}/pki/ca-trust-source
%meson_build
@ -104,12 +112,12 @@ install -p -m 644 %{SOURCE4} $RPM_BUILD_ROOT%{_userunitdir}
%post trust
%{_sbindir}/alternatives --install %{_libdir}/libnssckbi.so %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so 30
alternatives --install %{_libdir}/libnssckbi.so %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so 30
%postun trust
if [ $1 -eq 0 ] ; then
# package removal
%{_sbindir}/alternatives --remove %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so
alternatives --remove %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so
fi
@ -122,6 +130,7 @@ fi
%dir %{_sysconfdir}/pkcs11/modules
%dir %{_datadir}/p11-kit
%dir %{_datadir}/p11-kit/modules
%dir %{_libdir}/pkcs11
%dir %{_libexecdir}/p11-kit
%{_bindir}/p11-kit
%{_libdir}/libp11-kit.so.*
@ -131,6 +140,7 @@ fi
%{_mandir}/man8/p11-kit.8.gz
%{_mandir}/man5/pkcs11.conf.5.gz
%{_datadir}/bash-completion/completions/p11-kit
%{_datadir}/zsh/site-functions/_p11-kit
%files devel
%{_includedir}/p11-kit-1/
@ -140,22 +150,28 @@ fi
%files trust
%{_bindir}/trust
%dir %{_libdir}/pkcs11
%ghost %{_libdir}/libnssckbi.so
%{_libdir}/pkcs11/p11-kit-trust.so
%{_datadir}/p11-kit/modules/p11-kit-trust.module
%{_libexecdir}/p11-kit/trust-extract-compat
%{_datadir}/bash-completion/completions/trust
%{_datadir}/zsh/site-functions/_trust
%files server
%files client
%{_libdir}/pkcs11/p11-kit-client.so
%{_userunitdir}/p11-kit-client.service
%files server
%{_libexecdir}/p11-kit/p11-kit-server
%{_userunitdir}/p11-kit-server.service
%{_userunitdir}/p11-kit-server.socket
%changelog
* Mon Sep 22 2025 Zoltan Fridrich <zfridric@redhat.com> - 0.25.10-1
- Update to new upstream release 0.25.10
Resolves: RHEL-115453
* Fri Oct 25 2024 Zoltan Fridrich <zfridric@redhat.com> - 0.25.3-3
- Fix regression in trust where file creation fails for long cert labels
Resolves: RHEL-58899

6
sources
View File

@ -1,3 +1,3 @@
SHA512 (p11-kit-release-keyring.gpg) = 9a832a8ac3a139cbbf1ecb66573f0709847ebfef4975777cf82b4dca09af1ad8e6400f0af0bcdb92860e7ed4fc05082ba1edda0238a21fe24d49555a1069e881
SHA512 (p11-kit-0.25.3.tar.xz) = ad2d393bf122526cbba18dc9d5a13f2c1cad7d70125ec90ffd02059dfa5ef30ac59dfc0bb9bc6380c8f317e207c9e87e895f1945634f56ddf910c2958868fb4c
SHA512 (p11-kit-0.25.3.tar.xz.sig) = 189a40b12e40818daff4aa6869d7e0fa342a42f3901d85fc52bb40f7023bb17790967be5ab9a183473fe8bb3e335a0d4d8c2b6345ccf811e90f8495009c085b8
SHA512 (p11-kit-0.25.10.tar.xz) = c5a5dfb6bd46e8964a70f2fc601bd5b61bf88f79d1011c70e6f37a62130c4aad692d8bac83aff2fd2728543274e198d2946ded7a53636835aefb13b9a3155527
SHA512 (p11-kit-0.25.10.tar.xz.sig) = c6271ad03454bd44faff7675d5ac305afa40aefabf492df90f4624a241537869029829f43a4a90c3d6b5b83886f009a33b24f097c21cf8745a30cb3263010dbe
SHA512 (p11-kit-release-keyring.gpg) = f7e0dc5147820100727f52b00aa863175449c5f370a24c83cda49a3a25b74ecf9913ff535bbb90d64b38512a51fadb6886ef0c18aa976c6aacb1385da3128d69