rpms
/
p11-kit
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import p11-kit-0.23.22-1.el8

This commit is contained in:
CentOS Sources 2021-01-12 08:11:51 +00:00 committed by Andrew Lukoshko
parent 33d1549ffc
commit 2ce0b769d5
9 changed files with 53 additions and 479 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
SOURCES/p11-kit-0.23.21.tar.xz
SOURCES/p11-kit-0.23.22.tar.xz

2
.p11-kit.metadata
View File

@ -1,2 +1,2 @@
526f07b62624739ba318a171bab3352af91d0134 SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
5c550cc2a192d5a3ede74862b22ef0b139c911a4 SOURCES/p11-kit-0.23.21.tar.xz
339e5163ed50a9984a74739b9207ea8cd77fa7e2 SOURCES/p11-kit-0.23.22.tar.xz

BIN
SOURCES/p11-kit-0.23.21.tar.xz.sig
View File

Binary file not shown.

BIN
SOURCES/p11-kit-0.23.22.tar.xz.sig Normal file
View File

Binary file not shown.

34
SOURCES/p11-kit-anchor-persist.patch
View File

@ -1,34 +0,0 @@
From 1d79c02be61874cd4598d60c18331e2d70228a40 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Fri, 6 Nov 2020 17:46:28 +0100
Subject: [PATCH] anchor: Prefer persistent format when storing anchor
When a new certificate is stored with "trust anchor --store" from a
.p11-kit file, the command treated it as a PEM file, while it should
preserve extra fields in the file.
---
trust/anchor.c | 7 ++++---
trust/test-extract.sh | 27 ++++++++++++++++++++++++---
2 files changed, 28 insertions(+), 6 deletions(-)
diff --git a/trust/anchor.c b/trust/anchor.c
index fab9cf6..5ba5065 100644
--- a/trust/anchor.c
+++ b/trust/anchor.c
@@ -64,9 +64,10 @@ create_arg_file_parser (void)
return_val_if_fail (parser != NULL, NULL);
p11_parser_formats (parser,
- p11_parser_format_x509,
- p11_parser_format_pem,
- NULL);
+ p11_parser_format_persist,
+ p11_parser_format_x509,
+ p11_parser_format_pem,
+ NULL);
return parser;
}
--
2.26.2

42
SOURCES/p11-kit-dt-needed.patch Normal file
View File

@ -0,0 +1,42 @@
From a91266ef087532e2332c75c4fd9244df66f30b64 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Fri, 18 Dec 2020 13:37:10 +0100
Subject: [PATCH] meson: Link trust/client modules explicitly to -ldl
This adds the -ldl link flag missing in the meson build, but present
in the autotools build. Although the use-case is unlikely, this
allows those modules to be linked as a normal shared library to a
program.
---
p11-kit/meson.build | 1 +
trust/meson.build | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/p11-kit/meson.build b/p11-kit/meson.build
index 7d57cd7..02147a9 100644
--- a/p11-kit/meson.build
+++ b/p11-kit/meson.build
@@ -92,6 +92,7 @@ if host_system != 'windows'
'client.c', 'client-init.c',
name_prefix: '',
include_directories: [configinc, commoninc],
+ dependencies: dlopen_deps,
link_args: p11_module_ldflags,
link_depends: [p11_module_symbol_map,
p11_module_symbol_def],
diff --git a/trust/meson.build b/trust/meson.build
index 482a3c1..d4a8e15 100644
--- a/trust/meson.build
+++ b/trust/meson.build
@@ -56,7 +56,7 @@ shared_module('p11-kit-trust',
'module-init.c',
name_prefix: '',
c_args: p11_kit_trust_c_args,
- dependencies: [asn_h_dep, libp11_library_dep] + libtasn1_deps,
+ dependencies: [asn_h_dep, libp11_library_dep] + dlopen_deps + libtasn1_deps,
link_args: p11_module_ldflags,
link_depends: [p11_module_symbol_map,
p11_module_symbol_def],
--
2.29.2

331
SOURCES/p11-kit-invalid-config.patch
View File

@ -1,331 +0,0 @@
From de661c41a1e7e52296c91b9caa0bff8e4885c751 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Thu, 22 Oct 2020 14:06:53 +0200
Subject: [PATCH 1/4] common: Fix infloop in p11_path_build
If p11_path_build is called with 2 or more arguments and the non-first
argument is an empty string (""), it previously fell into an infloop.
Reported by Karel Srot.
---
common/path.c | 4 +++-
common/test-path.c | 4 ++++
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/common/path.c b/common/path.c
index 17a6230..53d394f 100644
--- a/common/path.c
+++ b/common/path.c
@@ -241,8 +241,10 @@ p11_path_build (const char *path,
num--;
if (at != 0) {
- if (num == 0)
+ if (num == 0) {
+ path = va_arg (va, const char *);
continue;
+ }
built[at++] = delim;
}
diff --git a/common/test-path.c b/common/test-path.c
index 2eb5444..f137a0c 100644
--- a/common/test-path.c
+++ b/common/test-path.c
@@ -88,6 +88,8 @@ static void
test_build (void)
{
#ifdef OS_UNIX
+ assert_str_eq_free ("/root",
+ p11_path_build ("/root", "", NULL));
assert_str_eq_free ("/root/second",
p11_path_build ("/root", "second", NULL));
assert_str_eq_free ("/root/second",
@@ -99,6 +101,8 @@ test_build (void)
assert_str_eq_free ("/root/second/third",
p11_path_build ("/root", "/second/third", NULL));
#else /* OS_WIN32 */
+ assert_str_eq_free ("C:\\root",
+ p11_path_build ("C:\\root", "", NULL));
assert_str_eq_free ("C:\\root\\second",
p11_path_build ("C:\\root", "second", NULL));
assert_str_eq_free ("C:\\root\\second",
--
2.26.2
From 1eac9a1c41828d5da4b640746e0002c7ab964e8e Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Tue, 27 Oct 2020 11:08:53 +0100
Subject: [PATCH 2/4] Remove more duplicate separators in p11_path_build
Makes p11_path_build remove duplicate separators more thoroughly,
e.g., after a "" or in the first argument.
---
common/path.c | 26 +++++++++++++++++++-------
common/test-path.c | 22 ++++++++++++++++++++++
2 files changed, 41 insertions(+), 7 deletions(-)
diff --git a/common/path.c b/common/path.c
index 53d394f..0ad176c 100644
--- a/common/path.c
+++ b/common/path.c
@@ -94,15 +94,21 @@ p11_path_base (const char *path)
}
static inline bool
-is_path_component_or_null (char ch)
+is_path_component (char ch)
{
- return (ch == '\0' || ch == '/'
+ return (ch == '/'
#ifdef OS_WIN32
|| ch == '\\'
#endif
);
}
+static inline bool
+is_path_component_or_null (char ch)
+{
+ return is_path_component (ch) || ch == '\0';
+}
+
static char *
expand_homedir (const char *remainder)
{
@@ -235,6 +241,15 @@ p11_path_build (const char *path,
while (path != NULL) {
num = strlen (path);
+ /* Trim beginning of path */
+ while (is_path_component (path[0])) {
+ /* But preserve the leading path component */
+ if (!at && !is_path_component (path[1]))
+ break;
+ path++;
+ num--;
+ }
+
/* Trim end of the path */
until = (at > 0) ? 0 : 1;
while (num > until && is_path_component_or_null (path[num - 1]))
@@ -245,7 +260,8 @@ p11_path_build (const char *path,
path = va_arg (va, const char *);
continue;
}
- built[at++] = delim;
+ if (built[at - 1] != delim)
+ built[at++] = delim;
}
assert (at + num < len);
@@ -253,10 +269,6 @@ p11_path_build (const char *path,
at += num;
path = va_arg (va, const char *);
-
- /* Trim beginning of path */
- while (path && path[0] && is_path_component_or_null (path[0]))
- path++;
}
va_end (va);
diff --git a/common/test-path.c b/common/test-path.c
index f137a0c..cf4a8e3 100644
--- a/common/test-path.c
+++ b/common/test-path.c
@@ -88,6 +88,16 @@ static void
test_build (void)
{
#ifdef OS_UNIX
+ assert_str_eq_free ("/",
+ p11_path_build ("/", NULL));
+ assert_str_eq_free ("/",
+ p11_path_build ("", "//", NULL));
+ assert_str_eq_free ("/root",
+ p11_path_build ("///root///", NULL));
+ assert_str_eq_free ("/root",
+ p11_path_build ("/", "root", NULL));
+ assert_str_eq_free ("/root",
+ p11_path_build ("", "/root", NULL));
assert_str_eq_free ("/root",
p11_path_build ("/root", "", NULL));
assert_str_eq_free ("/root/second",
@@ -96,11 +106,19 @@ test_build (void)
p11_path_build ("/root", "/second", NULL));
assert_str_eq_free ("/root/second",
p11_path_build ("/root/", "second", NULL));
+ assert_str_eq_free ("/root/second",
+ p11_path_build ("/root//", "//second/", NULL));
+ assert_str_eq_free ("/root/second",
+ p11_path_build ("/root//", "", "//second/", NULL));
assert_str_eq_free ("/root/second/third",
p11_path_build ("/root", "second", "third", NULL));
assert_str_eq_free ("/root/second/third",
p11_path_build ("/root", "/second/third", NULL));
#else /* OS_WIN32 */
+ assert_str_eq_free ("C:\\root",
+ p11_path_build ("C:\\", "root", NULL));
+ assert_str_eq_free ("C:\\root",
+ p11_path_build ("", "C:\\root", NULL));
assert_str_eq_free ("C:\\root",
p11_path_build ("C:\\root", "", NULL));
assert_str_eq_free ("C:\\root\\second",
@@ -109,6 +127,10 @@ test_build (void)
p11_path_build ("C:\\root", "\\second", NULL));
assert_str_eq_free ("C:\\root\\second",
p11_path_build ("C:\\root\\", "second", NULL));
+ assert_str_eq_free ("C:\\root\\second",
+ p11_path_build ("C:\\root\\\\", "\\\\second", NULL));
+ assert_str_eq_free ("C:\\root\\second",
+ p11_path_build ("C:\\root\\\\", "", "\\\\second", NULL));
assert_str_eq_free ("C:\\root\\second\\third",
p11_path_build ("C:\\root", "second", "third", NULL));
assert_str_eq_free ("C:\\root\\second/third",
--
2.26.2
From e5a1f444b7d299e77dd57862f3cc5783e697a10e Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Tue, 27 Oct 2020 13:33:34 +0100
Subject: [PATCH 3/4] Use is_path_component in one more place
---
common/path.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common/path.c b/common/path.c
index 0ad176c..8f57ec6 100644
--- a/common/path.c
+++ b/common/path.c
@@ -119,7 +119,7 @@ expand_homedir (const char *remainder)
return NULL;
}
- while (remainder[0] && is_path_component_or_null (remainder[0]))
+ while (is_path_component (remainder[0]))
remainder++;
if (remainder[0] == '\0')
remainder = NULL;
--
2.26.2
From ce66cf00b6b207c1d452af23cb062ca0adf57dac Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Tue, 27 Oct 2020 16:01:32 +0100
Subject: [PATCH 4/4] Rename is_path_component to is_path_separator
Thanks to Daiki Ueno for noticing the misnaming.
---
common/path.c | 26 +++++++++++++-------------
1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/common/path.c b/common/path.c
index 8f57ec6..d0d1893 100644
--- a/common/path.c
+++ b/common/path.c
@@ -94,7 +94,7 @@ p11_path_base (const char *path)
}
static inline bool
-is_path_component (char ch)
+is_path_separator (char ch)
{
return (ch == '/'
#ifdef OS_WIN32
@@ -104,9 +104,9 @@ is_path_component (char ch)
}
static inline bool
-is_path_component_or_null (char ch)
+is_path_separator_or_null (char ch)
{
- return is_path_component (ch) || ch == '\0';
+ return is_path_separator (ch) || ch == '\0';
}
static char *
@@ -119,7 +119,7 @@ expand_homedir (const char *remainder)
return NULL;
}
- while (is_path_component (remainder[0]))
+ while (is_path_separator (remainder[0]))
remainder++;
if (remainder[0] == '\0')
remainder = NULL;
@@ -127,7 +127,7 @@ expand_homedir (const char *remainder)
/* Expand $XDG_CONFIG_HOME */
if (remainder != NULL &&
strncmp (remainder, ".config", 7) == 0 &&
- is_path_component_or_null (remainder[7])) {
+ is_path_separator_or_null (remainder[7])) {
env = getenv ("XDG_CONFIG_HOME");
if (env && env[0])
return p11_path_build (env, remainder + 8, NULL);
@@ -180,7 +180,7 @@ p11_path_expand (const char *path)
return_val_if_fail (path != NULL, NULL);
if (strncmp (path, "~", 1) == 0 &&
- is_path_component_or_null (path[1])) {
+ is_path_separator_or_null (path[1])) {
return expand_homedir (path + 1);
} else {
@@ -242,9 +242,9 @@ p11_path_build (const char *path,
num = strlen (path);
/* Trim beginning of path */
- while (is_path_component (path[0])) {
+ while (is_path_separator (path[0])) {
/* But preserve the leading path component */
- if (!at && !is_path_component (path[1]))
+ if (!at && !is_path_separator (path[1]))
break;
path++;
num--;
@@ -252,7 +252,7 @@ p11_path_build (const char *path,
/* Trim end of the path */
until = (at > 0) ? 0 : 1;
- while (num > until && is_path_component_or_null (path[num - 1]))
+ while (num > until && is_path_separator_or_null (path[num - 1]))
num--;
if (at != 0) {
@@ -288,17 +288,17 @@ p11_path_parent (const char *path)
/* Find the end of the last component */
e = path + strlen (path);
- while (e != path && is_path_component_or_null (*e))
+ while (e != path && is_path_separator_or_null (*e))
e--;
/* Find the beginning of the last component */
- while (e != path && !is_path_component_or_null (*e)) {
+ while (e != path && !is_path_separator_or_null (*e)) {
had = true;
e--;
}
/* Find the end of the last component */
- while (e != path && is_path_component_or_null (*e))
+ while (e != path && is_path_separator_or_null (*e))
e--;
if (e == path) {
@@ -327,7 +327,7 @@ p11_path_prefix (const char *string,
return a > b &&
strncmp (string, prefix, b) == 0 &&
- is_path_component_or_null (string[b]);
+ is_path_separator_or_null (string[b]);
}
void
--
2.26.2

107
SOURCES/p11-kit-realloc-zero.patch
View File

@ -1,107 +0,0 @@
From 08fcec713c1d3038f706d049910bd13a8c811fb5 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Mon, 5 Oct 2020 08:49:48 +0200
Subject: [PATCH 1/2] build: Use calloc in a consistent manner
---
common/dict.c | 6 +++---
p11-kit/proxy.c | 4 ++--
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/common/dict.c b/common/dict.c
index b7ab00d..62a7816 100644
--- a/common/dict.c
+++ b/common/dict.c
@@ -122,7 +122,7 @@ lookup_or_create_bucket (p11_dict *dict,
return bucketp;
/* add a new entry for non-NULL val */
- (*bucketp) = calloc (sizeof (dictbucket), 1);
+ (*bucketp) = calloc (1, sizeof (dictbucket));
if (*bucketp != NULL) {
(*bucketp)->key = (void*)key;
@@ -175,7 +175,7 @@ p11_dict_set (p11_dict *dict,
/* check that the collision rate isn't too high */
if (dict->num_items > dict->num_buckets) {
num_buckets = dict->num_buckets * 2 + 1;
- new_buckets = (dictbucket **)calloc (sizeof (dictbucket *), num_buckets);
+ new_buckets = (dictbucket **)calloc (num_buckets, sizeof (dictbucket *));
/* Ignore failures, maybe we can expand later */
if(new_buckets) {
@@ -283,7 +283,7 @@ p11_dict_new (p11_dict_hasher hash_func,
dict->value_destroy_func = value_destroy_func;
dict->num_buckets = 9;
- dict->buckets = (dictbucket **)calloc (sizeof (dictbucket *), dict->num_buckets);
+ dict->buckets = (dictbucket **)calloc (dict->num_buckets, sizeof (dictbucket *));
if (!dict->buckets) {
free (dict);
return NULL;
diff --git a/p11-kit/proxy.c b/p11-kit/proxy.c
index 97c9b09..d70462a 100644
--- a/p11-kit/proxy.c
+++ b/p11-kit/proxy.c
@@ -265,7 +265,7 @@ proxy_list_slots (Proxy *py, Mapping *mappings, unsigned int n_mappings)
/* Ask module for its slots */
rv = (funcs->C_GetSlotList) (FALSE, NULL, &count);
if (rv == CKR_OK && count) {
- slots = calloc (sizeof (CK_SLOT_ID), count);
+ slots = calloc (count, sizeof (CK_SLOT_ID));
rv = (funcs->C_GetSlotList) (FALSE, slots, &count);
}
@@ -756,7 +756,7 @@ proxy_C_CloseAllSessions (CK_X_FUNCTION_LIST *self,
rv = CKR_CRYPTOKI_NOT_INITIALIZED;
} else {
assert (state->px->sessions != NULL);
- to_close = calloc (sizeof (CK_SESSION_HANDLE), p11_dict_size (state->px->sessions));
+ to_close = calloc (p11_dict_size (state->px->sessions), sizeof (CK_SESSION_HANDLE));
if (!to_close) {
rv = CKR_HOST_MEMORY;
} else {
--
2.26.2
From 0a1263a41d4c482f50aa5c4643f9de38fda44bbd Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Mon, 5 Oct 2020 08:52:52 +0200
Subject: [PATCH 2/2] proxy: C_CloseAllSessions: Make sure that calloc args are
non-zero
This prevents efence warning if either of the calloc arguments is
zero. While it is is safe on glibc systems, POSIX says the behavior
is implementation-defined.
Reported by Paul Wouters.
---
p11-kit/proxy.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/p11-kit/proxy.c b/p11-kit/proxy.c
index d70462a..df18ac0 100644
--- a/p11-kit/proxy.c
+++ b/p11-kit/proxy.c
@@ -744,7 +744,7 @@ proxy_C_CloseAllSessions (CK_X_FUNCTION_LIST *self,
CK_SLOT_ID id)
{
State *state = (State *)self;
- CK_SESSION_HANDLE_PTR to_close;
+ CK_SESSION_HANDLE_PTR to_close = NULL;
CK_RV rv = CKR_OK;
Session *sess;
CK_ULONG i, count = 0;
@@ -756,7 +756,7 @@ proxy_C_CloseAllSessions (CK_X_FUNCTION_LIST *self,
rv = CKR_CRYPTOKI_NOT_INITIALIZED;
} else {
assert (state->px->sessions != NULL);
- to_close = calloc (p11_dict_size (state->px->sessions), sizeof (CK_SESSION_HANDLE));
+ to_close = calloc (p11_dict_size (state->px->sessions) + 1, sizeof (CK_SESSION_HANDLE));
if (!to_close) {
rv = CKR_HOST_MEMORY;
} else {
--
2.26.2

14
SPECS/p11-kit.spec
View File

@ -1,6 +1,6 @@
# This spec file has been automatically updated
Version: 0.23.21
Release: 4%{?dist}
Version: 0.23.22
Release: 1%{?dist}
Name: p11-kit
Summary: Library for loading and sharing PKCS#11 modules
@ -12,9 +12,7 @@ Source2: gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
Source3: trust-extract-compat
Source4: p11-kit-client.service
Patch1: p11-kit-invalid-config.patch
Patch2: p11-kit-realloc-zero.patch
Patch3: p11-kit-anchor-persist.patch
Patch1: p11-kit-dt-needed.patch
BuildRequires: gcc
BuildRequires: libtasn1-devel >= 2.3
@ -29,6 +27,7 @@ BuildRequires: bash-completion
# Remove this once it is fixed
BuildRequires: pkgconfig(glib-2.0)
BuildRequires: gnupg2
BuildRequires: /usr/bin/xsltproc
%description
p11-kit provides a way to load and enumerate PKCS#11 modules, as well
@ -156,6 +155,11 @@ fi
%changelog
* Mon Jan 11 2021 Daiki Ueno <dueno@redhat.com> - 0.23.22-1
- Rebase to 0.23.22 to fix memory safety issues (CVE-2020-29361, CVE-2020-29362, and CVE-2020-29363)
- Preserve DT_NEEDED information from the previous version, flagged by rpmdiff
- Add xsltproc to BR
* Tue Nov 10 2020 Daiki Ueno <dueno@redhat.com> - 0.23.21-4
- Fix realloc usage on proxy cleanup (#1894979)
- Make 'trust anchor --store' preserve all attributes from .p11-kit files