rpms
/
p11-kit
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import p11-kit-0.23.14-4.el8

This commit is contained in:
CentOS Sources 2019-05-07 08:19:48 -04:00 committed by Andrew Lukoshko
commit 73ad82a74a
7 changed files with 1114 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
SOURCES/p11-kit-0.23.14.tar.gz

1
.p11-kit.metadata Normal file
View File

@ -0,0 +1 @@
30cab1d4b716022e6918f9a49976609c425f9cfc SOURCES/p11-kit-0.23.14.tar.gz

11
SOURCES/p11-kit-client.service Normal file
View File

@ -0,0 +1,11 @@
[Unit]
Description=p11-kit client
[Service]
Type=oneshot
RemainAfterExit=true
RuntimeDirectory=p11-kit
ExecStart=/usr/bin/true
[Install]
WantedBy=default.target

623
SOURCES/p11-kit-coverity.patch Normal file
View File

@ -0,0 +1,623 @@
From 8a8db182af533a43b4d478d28af8623035475d68 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Tue, 16 Oct 2018 18:05:10 +0200
Subject: [PATCH 01/10] debug: Work around cppcheck false-positives
https://trac.cppcheck.net/ticket/8794
---
common/debug.h | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/common/debug.h b/common/debug.h
index 255c62c..7ea36f3 100644
--- a/common/debug.h
+++ b/common/debug.h
@@ -71,13 +71,13 @@ void p11_debug_precond (const char *format,
#endif
#define return_val_if_fail(x, v) \
- do { if (!(x)) { \
+ do { if (x) { } else { \
p11_debug_precond ("p11-kit: '%s' not true at %s\n", #x, __func__); \
return v; \
} } while (false)
#define return_if_fail(x) \
- do { if (!(x)) { \
+ do { if (x) { } else { \
p11_debug_precond ("p11-kit: '%s' not true at %s\n", #x, __func__); \
return; \
} } while (false)
@@ -100,7 +100,7 @@ void p11_debug_precond (const char *format,
} while (false)
#define warn_if_fail(x) \
- do { if (!(x)) { \
+ do { if (x) { } else { \
p11_debug_precond ("p11-kit: '%s' not true at %s\n", #x, __func__); \
} } while (false)
--
2.17.2
From c76197ddbbd0c29adc2bceff2ee9f740f71d134d Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Tue, 16 Oct 2018 18:06:56 +0200
Subject: [PATCH 02/10] build: Call va_end() always when leaving the function
---
common/attrs.c | 4 +++-
common/compat.c | 5 ++++-
common/path.c | 5 ++++-
trust/parser.c | 4 +++-
4 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/common/attrs.c b/common/attrs.c
index aa91891..a387a66 100644
--- a/common/attrs.c
+++ b/common/attrs.c
@@ -538,8 +538,10 @@ buffer_append_printf (p11_buffer *buffer,
va_list va;
va_start (va, format);
- if (vasprintf (&string, format, va) < 0)
+ if (vasprintf (&string, format, va) < 0) {
+ va_end (va);
return_if_reached ();
+ }
va_end (va);
p11_buffer_add (buffer, string, -1);
diff --git a/common/compat.c b/common/compat.c
index 5a9702d..48614fa 100644
--- a/common/compat.c
+++ b/common/compat.c
@@ -525,7 +525,10 @@ strconcat (const char *first,
for (arg = first; arg; arg = va_arg (va, const char*)) {
size_t old_length = length;
length += strlen (arg);
- return_val_if_fail (length >= old_length, NULL);
+ if (length < old_length) {
+ va_end (va);
+ return_val_if_reached (NULL);
+ }
}
va_end (va);
diff --git a/common/path.c b/common/path.c
index 5cf0e1a..17a6230 100644
--- a/common/path.c
+++ b/common/path.c
@@ -218,7 +218,10 @@ p11_path_build (const char *path,
while (path != NULL) {
size_t old_len = len;
len += strlen (path) + 1;
- return_val_if_fail (len >= old_len, NULL);
+ if (len < old_len) {
+ va_end (va);
+ return_val_if_reached (NULL);
+ }
path = va_arg (va, const char *);
}
va_end (va);
diff --git a/trust/parser.c b/trust/parser.c
index f92cdc9..e912c3a 100644
--- a/trust/parser.c
+++ b/trust/parser.c
@@ -697,8 +697,10 @@ p11_parser_formats (p11_parser *parser,
func = va_arg (va, parser_func);
if (func == NULL)
break;
- if (!p11_array_push (formats, func))
+ if (!p11_array_push (formats, func)) {
+ va_end (va);
return_if_reached ();
+ }
}
va_end (va);
--
2.17.2
From b10dadce5a3c921149b2c9fe0dec614f8076ebda Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Tue, 16 Oct 2018 18:10:05 +0200
Subject: [PATCH 03/10] build: Free memory before return{,_val}_if_* macros
---
p11-kit/iter.c | 5 ++++-
p11-kit/proxy.c | 10 ++++++++--
trust/asn1.c | 15 ++++++++++++---
trust/builder.c | 5 ++++-
trust/index.c | 10 ++++++++--
trust/persist.c | 5 ++++-
trust/save.c | 29 +++++++++++++++++++++++++----
trust/session.c | 10 ++++++++--
trust/token.c | 5 ++++-
9 files changed, 77 insertions(+), 17 deletions(-)
diff --git a/p11-kit/iter.c b/p11-kit/iter.c
index 0e4ca6e..d1ffd91 100644
--- a/p11-kit/iter.c
+++ b/p11-kit/iter.c
@@ -157,7 +157,10 @@ p11_kit_iter_new (P11KitUri *uri,
return_val_if_fail (iter != NULL, NULL);
iter->modules = p11_array_new (NULL);
- return_val_if_fail (iter->modules != NULL, NULL);
+ if (iter->modules == NULL) {
+ p11_kit_iter_free (iter);
+ return_val_if_reached (NULL);
+ }
iter->want_writable = !!(behavior & P11_KIT_ITER_WANT_WRITABLE);
iter->preload_results = !(behavior & P11_KIT_ITER_BUSY_SESSIONS);
diff --git a/p11-kit/proxy.c b/p11-kit/proxy.c
index b7fb63d..abe7935 100644
--- a/p11-kit/proxy.c
+++ b/p11-kit/proxy.c
@@ -267,7 +267,10 @@ proxy_create (Proxy **res, CK_FUNCTION_LIST **loaded,
py->forkid = p11_forkid;
py->inited = modules_dup (loaded);
- return_val_if_fail (py->inited != NULL, CKR_HOST_MEMORY);
+ if (py->inited == NULL) {
+ proxy_free (py, 0);
+ return_val_if_reached (CKR_HOST_MEMORY);
+ }
rv = p11_kit_modules_initialize (py->inited, NULL);
@@ -320,7 +323,10 @@ proxy_create (Proxy **res, CK_FUNCTION_LIST **loaded,
}
py->sessions = p11_dict_new (p11_dict_ulongptr_hash, p11_dict_ulongptr_equal, NULL, free);
- return_val_if_fail (py->sessions != NULL, CKR_HOST_MEMORY);
+ if (py->sessions == NULL) {
+ proxy_free (py, 1);
+ return_val_if_reached (CKR_HOST_MEMORY);
+ }
py->refs = 1;
*res = py;
diff --git a/trust/asn1.c b/trust/asn1.c
index dd1812d..5ce682d 100644
--- a/trust/asn1.c
+++ b/trust/asn1.c
@@ -285,11 +285,17 @@ p11_asn1_cache_new (void)
return_val_if_fail (cache != NULL, NULL);
cache->defs = p11_asn1_defs_load ();
- return_val_if_fail (cache->defs != NULL, NULL);
+ if (cache->defs == NULL) {
+ p11_asn1_cache_free (cache);
+ return_val_if_reached (NULL);
+ }
cache->items = p11_dict_new (p11_dict_direct_hash, p11_dict_direct_equal,
NULL, free_asn1_item);
- return_val_if_fail (cache->items != NULL, NULL);
+ if (cache->items == NULL) {
+ p11_asn1_cache_free (cache);
+ return_val_if_reached (NULL);
+ }
return cache;
}
@@ -342,7 +348,10 @@ p11_asn1_cache_take (p11_asn1_cache *cache,
item->length = der_len;
item->node = node;
item->struct_name = strdup (struct_name);
- return_if_fail (item->struct_name != NULL);
+ if (item->struct_name == NULL) {
+ free_asn1_item (item);
+ return_if_reached ();
+ }
if (!p11_dict_set (cache->items, (void *)der, item))
return_if_reached ();
diff --git a/trust/builder.c b/trust/builder.c
index 742c544..d819dc8 100644
--- a/trust/builder.c
+++ b/trust/builder.c
@@ -187,7 +187,10 @@ p11_builder_new (int flags)
return_val_if_fail (builder != NULL, NULL);
builder->asn1_cache = p11_asn1_cache_new ();
- return_val_if_fail (builder->asn1_cache, NULL);
+ if (builder->asn1_cache == NULL) {
+ p11_builder_free (builder);
+ return_val_if_reached (NULL);
+ }
builder->asn1_defs = p11_asn1_cache_defs (builder->asn1_cache);
builder->flags = flags;
diff --git a/trust/index.c b/trust/index.c
index f4b6b4b..6a8e535 100644
--- a/trust/index.c
+++ b/trust/index.c
@@ -170,10 +170,16 @@ p11_index_new (p11_index_build_cb build,
index->objects = p11_dict_new (p11_dict_ulongptr_hash,
p11_dict_ulongptr_equal,
NULL, free_object);
- return_val_if_fail (index->objects != NULL, NULL);
+ if (index->objects == NULL) {
+ p11_index_free (index);
+ return_val_if_reached (NULL);
+ }
index->buckets = calloc (NUM_BUCKETS, sizeof (index_bucket));
- return_val_if_fail (index->buckets != NULL, NULL);
+ if (index->buckets == NULL) {
+ p11_index_free (index);
+ return_val_if_reached (NULL);
+ }
return index;
}
diff --git a/trust/persist.c b/trust/persist.c
index 887b316..569cea1 100644
--- a/trust/persist.c
+++ b/trust/persist.c
@@ -89,7 +89,10 @@ p11_persist_new (void)
return_val_if_fail (persist != NULL, NULL);
persist->constants = p11_constant_reverse (true);
- return_val_if_fail (persist->constants != NULL, NULL);
+ if (persist->constants == NULL) {
+ free (persist);
+ return_val_if_reached (NULL);
+ }
return persist;
}
diff --git a/trust/save.c b/trust/save.c
index abff864..8184e13 100644
--- a/trust/save.c
+++ b/trust/save.c
@@ -68,6 +68,8 @@ static char * make_unique_name (const char *bare,
const char *extension,
int (*check) (void *, char *),
void *data);
+static void filo_free (p11_save_file *file);
+static void dir_free (p11_save_dir *dir);
bool
p11_save_write_and_finish (p11_save_file *file,
@@ -114,9 +116,15 @@ p11_save_open_file (const char *path,
return_val_if_fail (file != NULL, NULL);
file->temp = temp;
file->bare = strdup (path);
- return_val_if_fail (file->bare != NULL, NULL);
+ if (file->bare == NULL) {
+ filo_free (file);
+ return_val_if_reached (NULL);
+ }
file->extension = strdup (extension);
- return_val_if_fail (file->extension != NULL, NULL);
+ if (file->extension == NULL) {
+ filo_free (file);
+ return_val_if_reached (NULL);
+ }
file->flags = flags;
file->fd = fd;
@@ -166,6 +174,13 @@ filo_free (p11_save_file *file)
free (file);
}
+static void
+dir_free (p11_save_dir *dir) {
+ p11_dict_free (dir->cache);
+ free (dir->path);
+ free (dir);
+}
+
#ifdef OS_UNIX
static int
@@ -349,10 +364,16 @@ p11_save_open_directory (const char *path,
return_val_if_fail (dir != NULL, NULL);
dir->path = strdup (path);
- return_val_if_fail (dir->path != NULL, NULL);
+ if (dir->path == NULL) {
+ dir_free (dir);
+ return_val_if_reached (NULL);
+ }
dir->cache = p11_dict_new (p11_dict_str_hash, p11_dict_str_equal, free, NULL);
- return_val_if_fail (dir->cache != NULL, NULL);
+ if (dir->cache == NULL) {
+ dir_free (dir);
+ return_val_if_reached (NULL);
+ }
dir->flags = flags;
return dir;
diff --git a/trust/session.c b/trust/session.c
index b93a5c3..d464394 100644
--- a/trust/session.c
+++ b/trust/session.c
@@ -59,12 +59,18 @@ p11_session_new (p11_token *token)
session->handle = p11_module_next_id ();
session->builder = p11_builder_new (P11_BUILDER_FLAG_NONE);
- return_val_if_fail (session->builder, NULL);
+ if (session->builder == NULL) {
+ p11_session_free (session);
+ return_val_if_reached (NULL);
+ }
session->index = p11_index_new (p11_builder_build, NULL, NULL,
p11_builder_changed,
session->builder);
- return_val_if_fail (session->index != NULL, NULL);
+ if (session->index == NULL) {
+ p11_session_free (session);
+ return_val_if_reached (NULL);
+ }
session->token = token;
diff --git a/trust/token.c b/trust/token.c
index 4cbcc77..fd3b043 100644
--- a/trust/token.c
+++ b/trust/token.c
@@ -829,7 +829,10 @@ p11_token_new (CK_SLOT_ID slot,
return_val_if_fail (token != NULL, NULL);
token->builder = p11_builder_new (P11_BUILDER_FLAG_TOKEN);
- return_val_if_fail (token->builder != NULL, NULL);
+ if (token->builder == NULL) {
+ p11_token_free (token);
+ return_val_if_reached (NULL);
+ }
token->index = p11_index_new (on_index_build,
on_index_store,
--
2.17.2
From 06323aed926ddc67bd18ed98e5af92035a8e3d39 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Tue, 16 Oct 2018 18:14:46 +0200
Subject: [PATCH 04/10] build: Check return value of p11_dict_set
---
p11-kit/proxy.c | 3 ++-
p11-kit/rpc-server.c | 6 +++++-
trust/module.c | 3 ++-
3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/p11-kit/proxy.c b/p11-kit/proxy.c
index abe7935..11e6165 100644
--- a/p11-kit/proxy.c
+++ b/p11-kit/proxy.c
@@ -612,7 +612,8 @@ proxy_C_OpenSession (CK_X_FUNCTION_LIST *self,
sess->wrap_slot = map.wrap_slot;
sess->real_session = *handle;
sess->wrap_session = ++state->last_handle; /* TODO: Handle wrapping, and then collisions */
- p11_dict_set (state->px->sessions, &sess->wrap_session, sess);
+ if (!p11_dict_set (state->px->sessions, &sess->wrap_session, sess))
+ warn_if_reached ();
*handle = sess->wrap_session;
}
diff --git a/p11-kit/rpc-server.c b/p11-kit/rpc-server.c
index 2db3524..3a8991d 100644
--- a/p11-kit/rpc-server.c
+++ b/p11-kit/rpc-server.c
@@ -2226,7 +2226,11 @@ p11_kit_remote_serve_tokens (const char **tokens,
p11_message_err (error, "couldn't subclass filter");
goto out;
}
- p11_dict_set (filters, module, filter);
+ if (!p11_dict_set (filters, module, filter)) {
+ error = EINVAL;
+ p11_message_err (error, "couldn't register filter");
+ goto out;
+ }
}
for (i = 0; i < n_tokens; i++) {
diff --git a/trust/module.c b/trust/module.c
index e09113b..24cda87 100644
--- a/trust/module.c
+++ b/trust/module.c
@@ -1321,7 +1321,8 @@ find_objects_match (CK_ATTRIBUTE *attrs,
}
value = memdup (oid->pValue, oid->ulValueLen);
return_val_if_fail (value != NULL, false);
- p11_dict_set (find->extensions, value, value);
+ if (!p11_dict_set (find->extensions, value, value))
+ warn_if_reached ();
}
}
--
2.17.2
From 213ea0815ef45411bf6c134918b79d2aad69c1dc Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Tue, 16 Oct 2018 18:16:12 +0200
Subject: [PATCH 05/10] build: Check return value of p11_rpc_buffer_get_uint64
---
p11-kit/rpc-client.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/p11-kit/rpc-client.c b/p11-kit/rpc-client.c
index 0dd4525..e202e37 100644
--- a/p11-kit/rpc-client.c
+++ b/p11-kit/rpc-client.c
@@ -371,7 +371,8 @@ proto_read_ulong_array (p11_rpc_message *msg, CK_ULONG_PTR arr,
/* We need to go ahead and read everything in all cases */
for (i = 0; i < num; ++i) {
- p11_rpc_buffer_get_uint64 (msg->input, &msg->parsed, &val);
+ if (!p11_rpc_buffer_get_uint64 (msg->input, &msg->parsed, &val))
+ return PARSE_ERROR;
if (arr)
arr[i] = (CK_ULONG)val;
}
--
2.17.2
From 1f78cb0b4dd193ec1f1b2b424a497a6c2edec043 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Tue, 16 Oct 2018 18:16:51 +0200
Subject: [PATCH 06/10] rpc-server: p11_kit_remote_serve_tokens: Fix memleak
---
p11-kit/rpc-server.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/p11-kit/rpc-server.c b/p11-kit/rpc-server.c
index 3a8991d..5b3dbf0 100644
--- a/p11-kit/rpc-server.c
+++ b/p11-kit/rpc-server.c
@@ -2285,6 +2285,11 @@ p11_kit_remote_serve_tokens (const char **tokens,
p11_kit_modules_release (modules);
if (error != 0)
errno = error;
+ if (uris) {
+ for (i = 0; i < n_tokens; i++)
+ p11_kit_uri_free (uris[i]);
+ free (uris);
+ }
return ret;
}
--
2.17.2
From 033cd90806cb1e2eab7e799703757abc2f07052e Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Tue, 16 Oct 2018 18:18:05 +0200
Subject: [PATCH 07/10] proxy: Fix null dereference when reusing slots
---
p11-kit/proxy.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/p11-kit/proxy.c b/p11-kit/proxy.c
index 11e6165..8eaf205 100644
--- a/p11-kit/proxy.c
+++ b/p11-kit/proxy.c
@@ -307,7 +307,10 @@ proxy_create (Proxy **res, CK_FUNCTION_LIST **loaded,
break;
}
py->mappings[py->n_mappings].funcs = funcs;
- py->mappings[py->n_mappings].wrap_slot = j == n_mappings ? py->n_mappings + MAPPING_OFFSET : mappings[j].wrap_slot;
+ py->mappings[py->n_mappings].wrap_slot =
+ (n_mappings == 0 || j == n_mappings) ?
+ py->n_mappings + MAPPING_OFFSET :
+ mappings[j].wrap_slot;
py->mappings[py->n_mappings].real_slot = slots[i];
++py->n_mappings;
}
--
2.17.2
From da73c2804b3ca962fa51473bb4c303a5ed32d4a1 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Tue, 16 Oct 2018 18:20:12 +0200
Subject: [PATCH 08/10] trust: Set umask before calling mkstemp
---
trust/save.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/trust/save.c b/trust/save.c
index 8184e13..bb77348 100644
--- a/trust/save.c
+++ b/trust/save.c
@@ -95,6 +95,7 @@ p11_save_open_file (const char *path,
{
p11_save_file *file;
char *temp;
+ mode_t mode;
int fd;
return_val_if_fail (path != NULL, NULL);
@@ -105,7 +106,9 @@ p11_save_open_file (const char *path,
if (asprintf (&temp, "%s%s.XXXXXX", path, extension) < 0)
return_val_if_reached (NULL);
+ mode = umask (0077);
fd = mkstemp (temp);
+ umask (mode);
if (fd < 0) {
p11_message_err (errno, "couldn't create file: %s%s", path, extension);
free (temp);
--
2.17.2
From 6417780ebbbbb0f01ddb001b239347655fb98578 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Wed, 17 Oct 2018 09:53:27 +0200
Subject: [PATCH 09/10] rpc-server: Check calloc failure
---
p11-kit/rpc-server.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/p11-kit/rpc-server.c b/p11-kit/rpc-server.c
index 5b3dbf0..3216742 100644
--- a/p11-kit/rpc-server.c
+++ b/p11-kit/rpc-server.c
@@ -2219,6 +2219,10 @@ p11_kit_remote_serve_tokens (const char **tokens,
filter = p11_dict_get (filters, module);
if (filter == NULL) {
lower = calloc (1, sizeof (p11_virtual));
+ if (lower == NULL) {
+ error = ENOMEM;
+ goto out;
+ }
p11_virtual_init (lower, &p11_virtual_base, module, NULL);
filter = p11_filter_subclass (lower, NULL);
if (filter == NULL) {
--
2.17.2
From 83e92c2f9575707083d8b0c70ef330e285d70836 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Wed, 17 Oct 2018 09:53:46 +0200
Subject: [PATCH 10/10] trust: Check index->buckets is allocated on cleanup
---
trust/index.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/trust/index.c b/trust/index.c
index 6a8e535..2d1da29 100644
--- a/trust/index.c
+++ b/trust/index.c
@@ -193,9 +193,11 @@ p11_index_free (p11_index *index)
p11_dict_free (index->objects);
p11_dict_free (index->changes);
- for (i = 0; i < NUM_BUCKETS; i++)
- free (index->buckets[i].elem);
- free (index->buckets);
+ if (index->buckets) {
+ for (i = 0; i < NUM_BUCKETS; i++)
+ free (index->buckets[i].elem);
+ free (index->buckets);
+ }
free (index);
}
--
2.17.2

71
SOURCES/p11-kit-lower-libffi-priority.patch Normal file
View File

@ -0,0 +1,71 @@
From 6e1046de2233fba7875d3d6a1b260192678dd0ad Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Fri, 19 Oct 2018 10:21:36 +0200
Subject: [PATCH] virtual: Prefer fixed closures to libffi closures
On some circumstances (such as when loading p11-kit-proxy from httpd),
it is known that creation of libffi closure always fails, due to
SELinux policy. Although this is harmless, it pollutes the journal
and gives wrong hints when troubleshooting. This patch changes the
order of preference of libffi vs pre-compiled closures to avoid that.
---
p11-kit/virtual.c | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/p11-kit/virtual.c b/p11-kit/virtual.c
index 6abfe7a..338239f 100644
--- a/p11-kit/virtual.c
+++ b/p11-kit/virtual.c
@@ -2832,9 +2832,14 @@ p11_virtual_wrap (p11_virtual *virt,
p11_destroyer destroyer)
{
Wrapper *wrapper;
+ CK_FUNCTION_LIST *result;
return_val_if_fail (virt != NULL, NULL);
+ result = p11_virtual_wrap_fixed (virt, destroyer);
+ if (result)
+ return result;
+
wrapper = calloc (1, sizeof (Wrapper));
return_val_if_fail (wrapper != NULL, NULL);
@@ -2844,8 +2849,10 @@ p11_virtual_wrap (p11_virtual *virt,
wrapper->bound.version.minor = CRYPTOKI_VERSION_MINOR;
wrapper->fixed_index = -1;
- if (!init_wrapper_funcs (wrapper))
- return p11_virtual_wrap_fixed (virt, destroyer);
+ if (!init_wrapper_funcs (wrapper)) {
+ free (wrapper);
+ return_val_if_reached (NULL);
+ }
assert ((void *)wrapper == (void *)&wrapper->bound);
assert (p11_virtual_is_wrapper (&wrapper->bound));
@@ -2859,7 +2866,11 @@ CK_FUNCTION_LIST *
p11_virtual_wrap (p11_virtual *virt,
p11_destroyer destroyer)
{
- return p11_virtual_wrap_fixed (virt, destroyer);
+ CK_FUNCTION_LIST *result;
+
+ result = p11_virtual_wrap_fixed (virt, destroyer);
+ return_val_if_fail (result != NULL, NULL);
+ return result;
}
#endif /* !FFI_CLOSURES */
@@ -3068,8 +3079,6 @@ p11_virtual_wrap_fixed (p11_virtual *virt,
}
p11_mutex_unlock (&p11_virtual_mutex);
- return_val_if_fail (result != NULL, NULL);
-
return result;
}
--
2.17.2

15
SOURCES/trust-extract-compat Executable file
View File

@ -0,0 +1,15 @@
#!/usr/bin/bash
set -e
if test "$UID" != "0"; then
echo "p11-kit: the 'extract-trust' command must be run as root" >&2
exit 2
fi
if test $# -gt 1; then
echo "p11-kit: no additional arguments are supported for this command" >&2
exit 2
fi
exec /usr/bin/update-ca-trust

392
SPECS/p11-kit.spec Normal file
View File

@ -0,0 +1,392 @@
# This spec file has been automatically updated
Version: 0.23.14
Release: 4%{?dist}
Name: p11-kit
Summary: Library for loading and sharing PKCS#11 modules
License: BSD
URL: http://p11-glue.freedesktop.org/p11-kit.html
Source0: https://github.com/p11-glue/p11-kit/releases/download/%{version}/p11-kit-%{version}.tar.gz
Source1: trust-extract-compat
Source2: p11-kit-client.service
Patch1: p11-kit-coverity.patch
Patch2: p11-kit-lower-libffi-priority.patch
BuildRequires: gcc
BuildRequires: libtasn1-devel >= 2.3
BuildRequires: libffi-devel
BuildRequires: gtk-doc
BuildRequires: systemd-devel
# Work around for https://bugzilla.redhat.com/show_bug.cgi?id=1497147
# Remove this once it is fixed
BuildRequires: pkgconfig(glib-2.0)
%description
p11-kit provides a way to load and enumerate PKCS#11 modules, as well
as a standard configuration setup for installing PKCS#11 modules in
such a way that they're discoverable.
%package devel
Summary: Development files for %{name}
Requires: %{name}%{?_isa} = %{version}-%{release}
%description devel
The %{name}-devel package contains libraries and header files for
developing applications that use %{name}.
%package trust
Summary: System trust module from %{name}
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires(post): %{_sbindir}/update-alternatives
Requires(postun): %{_sbindir}/update-alternatives
Conflicts: nss < 3.14.3-9
%description trust
The %{name}-trust package contains a system trust PKCS#11 module which
contains certificate anchors and black lists.
%package server
Summary: Server and client commands for %{name}
Requires: %{name}%{?_isa} = %{version}-%{release}
%description server
The %{name}-server package contains command line tools that enable to
export PKCS#11 modules through a Unix domain socket. Note that this
feature is still experimental.
# solution taken from icedtea-web.spec
%define multilib_arches ppc64 sparc64 x86_64 ppc64le
%ifarch %{multilib_arches}
%define alt_ckbi libnssckbi.so.%{_arch}
%else
%define alt_ckbi libnssckbi.so
%endif
%prep
%autosetup -p1
%build
# These paths are the source paths that come from the plan here:
# https://fedoraproject.org/wiki/Features/SharedSystemCertificates:SubTasks
%configure --disable-static --enable-doc --with-trust-paths=%{_sysconfdir}/pki/ca-trust/source:%{_datadir}/pki/ca-trust-source --disable-silent-rules
make %{?_smp_mflags} V=1
%install
make install DESTDIR=$RPM_BUILD_ROOT
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pkcs11/modules
rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
rm -f $RPM_BUILD_ROOT%{_libdir}/pkcs11/*.la
install -p -m 755 %{SOURCE1} $RPM_BUILD_ROOT%{_libexecdir}/p11-kit/
# Install the example conf with %%doc instead
rm $RPM_BUILD_ROOT%{_sysconfdir}/pkcs11/pkcs11.conf.example
mkdir -p $RPM_BUILD_ROOT%{_userunitdir}
install -p -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_userunitdir}
%check
make check
%post -p /sbin/ldconfig
%post trust
%{_sbindir}/update-alternatives --install %{_libdir}/libnssckbi.so \
%{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so 30
%postun -p /sbin/ldconfig
%postun trust
if [ $1 -eq 0 ] ; then
# package removal
%{_sbindir}/update-alternatives --remove %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so
fi
%files
%{!?_licensedir:%global license %%doc}
%license COPYING
%doc AUTHORS NEWS README
%doc p11-kit/pkcs11.conf.example
%dir %{_sysconfdir}/pkcs11
%dir %{_sysconfdir}/pkcs11/modules
%dir %{_datadir}/p11-kit
%dir %{_datadir}/p11-kit/modules
%dir %{_libexecdir}/p11-kit
%{_bindir}/p11-kit
%{_libdir}/libp11-kit.so.*
%{_libdir}/p11-kit-proxy.so
%{_libexecdir}/p11-kit/p11-kit-remote
%{_mandir}/man1/trust.1.gz
%{_mandir}/man8/p11-kit.8.gz
%{_mandir}/man5/pkcs11.conf.5.gz
%files devel
%{_includedir}/p11-kit-1/
%{_libdir}/libp11-kit.so
%{_libdir}/pkgconfig/p11-kit-1.pc
%doc %{_datadir}/gtk-doc/
%files trust
%{_bindir}/trust
%dir %{_libdir}/pkcs11
%ghost %{_libdir}/libnssckbi.so
%{_libdir}/pkcs11/p11-kit-trust.so
%{_datadir}/p11-kit/modules/p11-kit-trust.module
%{_libexecdir}/p11-kit/trust-extract-compat
%files server
%{_libdir}/pkcs11/p11-kit-client.so
%{_userunitdir}/p11-kit-client.service
%{_libexecdir}/p11-kit/p11-kit-server
%{_userunitdir}/p11-kit-server.service
%{_userunitdir}/p11-kit-server.socket
%changelog
* Mon Oct 29 2018 Daiki Ueno <dueno@redhat.com> - 0.23.14-4
- Prefer fixed closures to libffi closures
* Wed Oct 17 2018 Daiki Ueno <dueno@redhat.com> - 0.23.14-3
- Update p11-kit-coverity.patch
* Tue Oct 16 2018 Daiki Ueno <dueno@redhat.com> - 0.23.14-2
- Fix issues spotted by coverity
* Wed Oct 10 2018 Daiki Ueno <dueno@redhat.com> - 0.23.14-1
- Update to upstream 0.23.14 release
* Wed May 30 2018 Daiki Ueno <dueno@redhat.com> - 0.23.12-1
- Update to upstream 0.23.11 release
* Wed Feb 28 2018 Daiki Ueno <dueno@redhat.com> - 0.23.10-1
- Update to upstream 0.23.10 release
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.23.9-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Thu Oct 05 2017 Daiki Ueno <dueno@redhat.com> - 0.23.9-2
- server: Make it possible to eval envvar settings
* Wed Oct 04 2017 Daiki Ueno <dueno@redhat.com> - 0.23.9-1
- Update to upstream 0.23.9
* Fri Aug 25 2017 Kai Engert <kaie@redhat.com> - 0.23.8-2
- Fix a regression caused by a recent nss.rpm change, add a %%ghost file
for %%{_libdir}/libnssckbi.so that p11-kit-trust scripts install.
* Tue Aug 15 2017 Daiki Ueno <dueno@redhat.com> - 0.23.8-1
- Update to 0.23.8 release
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.23.7-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.23.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Fri Jun 2 2017 Daiki Ueno <dueno@redhat.com> - 0.23.7-1
- Update to 0.23.7 release
* Thu May 18 2017 Daiki Ueno <dueno@redhat.com> - 0.23.5-3
- Update p11-kit-modifiable.patch to simplify the logic
* Thu May 18 2017 Daiki Ueno <dueno@redhat.com> - 0.23.5-2
- Make "trust anchor --remove" work again
* Thu Mar 2 2017 Daiki Ueno <dueno@redhat.com> - 0.23.5-1
- Update to 0.23.5 release
- Rename -tools subpackage to -server and remove systemd unit files
* Fri Feb 24 2017 Daiki Ueno <dueno@redhat.com> - 0.23.4-3
- Move p11-kit command back to main package
* Fri Feb 24 2017 Daiki Ueno <dueno@redhat.com> - 0.23.4-2
- Split out command line tools to -tools subpackage, to avoid a
multilib issue with the main package. Suggested by Yanko Kaneti.
* Wed Feb 22 2017 Daiki Ueno <dueno@redhat.com> - 0.23.4-1
- Update to 0.23.4 release
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.23.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Fri Jan 6 2017 Daiki Ueno <dueno@redhat.com> - 0.23.3-2
- Use internal hash implementation instead of NSS (#1390598)
* Tue Dec 20 2016 Daiki Ueno <dueno@redhat.com> - 0.23.3-1
- Update to 0.23.3 release
- Adjust executables location from %%libdir to %%libexecdir
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.23.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Tue Jan 12 2016 Martin Preisler <mpreisle@redhat.com> - 0.23.2-1
- Update to stable 0.23.2 release
* Tue Jun 30 2015 Martin Preisler <mpreisle@redhat.com> - 0.23.1-4
- In proxy module don't call C_Finalize on a forked process [#1217915]
- Do not deinitialize libffi's wrapper functions [#1217915]
* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.23.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Sat Feb 21 2015 Till Maas <opensource@till.name> - 0.23.1-2
- Rebuilt for Fedora 23 Change
https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
* Fri Feb 20 2015 Stef Walter <stefw@redhat.com> - 0.23.1-1
- Update to 0.23.1 release
* Thu Oct 09 2014 Stef Walter <stefw@redhat.com> - 0.22.1-1
- Update to 0.22.1 release
- Use SubjectKeyIdentifier as a CKA_ID if possible rhbz#1148895
* Sat Oct 04 2014 Stef Walter <stefw@redhat.com> 0.22.0-1
- Update to 0.22.0 release
* Wed Sep 17 2014 Stef Walter <stefw@redhat.com> 0.21.3-1
- Update to 0.21.3 release
- Includes definitions for trust extensions rhbz#1136817
* Fri Sep 05 2014 Stef Walter <stefw@redhat.com> 0.21.2-1
- Update to 0.21.2 release
- Fix problems with erroneous messages printed rhbz#1133857
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.21.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Thu Aug 07 2014 Stef Walter <stefw@redhat.com> - 0.21.1-1
- Update to 0.21.1 release
* Wed Jul 30 2014 Tom Callaway <spot@fedoraproject.org> - 0.20.3-3
- fix license handling
* Fri Jul 04 2014 Stef Walter <stefw@redhat.com> - 0.20.3-2
- Update to stable 0.20.3 release
* Fri Jun 06 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.20.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Sat Jan 25 2014 Ville Skyttä <ville.skytta@iki.fi> - 0.20.2-2
- Own the %%{_libdir}/pkcs11 dir in -trust.
* Tue Jan 14 2014 Stef Walter <stefw@redhat.com> - 0.20.2-1
- Update to upstream stable 0.20.2 release
- Fix regression involving blacklisted anchors [#1041328]
- Support ppc64le in build [#1052707]
* Mon Sep 09 2013 Stef Walter <stefw@redhat.com> - 0.20.1-1
- Update to upstream stable 0.20.1 release
- Extract compat trust data after we've changes
- Skip compat extraction if running as non-root
- Better failure messages when removing anchors
* Thu Aug 29 2013 Stef Walter <stefw@redhat.com> - 0.19.4-1
- Update to new upstream 0.19.4 release
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.19.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Wed Jul 24 2013 Stef Walter <stefw@redhat.com> - 0.19.3-1
- Update to new upstream 0.19.3 release (#967822)
* Wed Jun 05 2013 Stef Walter <stefw@redhat.com> - 0.18.3-1
- Update to new upstream stable release
- Fix intermittent firefox cert validation issues (#960230)
- Include the manual pages in the package
* Tue May 14 2013 Stef Walter <stefw@redhat.com> - 0.18.2-1
- Update to new upstream stable release
- Reduce the libtasn1 dependency minimum version
* Thu May 02 2013 Stef Walter <stefw@redhat.com> - 0.18.1-1
- Update to new upstream stable release
- 'p11-kit extract-trust' lives in libdir
* Thu Apr 04 2013 Stef Walter <stefw@redhat.com> - 0.18.0-1
- Update to new upstream stable release
- Various logging tweaks (#928914, #928750)
- Make the 'p11-kit extract-trust' explicitly reject
additional arguments
* Thu Mar 28 2013 Stef Walter <stefw@redhat.com> - 0.17.5-1
- Make 'p11-kit extract-trust' call update-ca-trust
- Work around 32-bit oveflow of certificate dates
- Build fixes
* Tue Mar 26 2013 Stef Walter <stefw@redhat.com> - 0.17.4-2
- Pull in patch from upstream to fix build on ppc (#927394)
* Wed Mar 20 2013 Stef Walter <stefw@redhat.com> - 0.17.4-1
- Update to upstream version 0.17.4
* Mon Mar 18 2013 Stef Walter <stefw@redhat.com> - 0.17.3-1
- Update to upstream version 0.17.3
- Put the trust input paths in the right order
* Tue Mar 12 2013 Stef Walter <stefw@redhat.com> - 0.16.4-1
- Update to upstream version 0.16.4
* Fri Mar 08 2013 Stef Walter <stefw@redhat.com> - 0.16.3-1
- Update to upstream version 0.16.3
- Split out system trust module into its own package.
- p11-kit-trust provides an alternative to an nss module
* Tue Mar 05 2013 Stef Walter <stefw@redhat.com> - 0.16.1-1
- Update to upstream version 0.16.1
- Setup source directories as appropriate for Shared System Certificates feature
* Tue Mar 05 2013 Stef Walter <stefw@redhat.com> - 0.16.0-1
- Update to upstream version 0.16.0
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.14-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Mon Sep 17 2012 Kalev Lember <kalevlember@gmail.com> - 0.14-1
- Update to 0.14
* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.13-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Mon Jul 16 2012 Kalev Lember <kalevlember@gmail.com> - 0.13-1
- Update to 0.13
* Tue Mar 27 2012 Kalev Lember <kalevlember@gmail.com> - 0.12-1
- Update to 0.12
- Run self tests in %%check
* Sat Feb 11 2012 Kalev Lember <kalevlember@gmail.com> - 0.11-1
- Update to 0.11
* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
* Tue Dec 20 2011 Matthias Clasen <mclasen@redhat.com> - 0.9-1
- Update to 0.9
* Wed Oct 26 2011 Kalev Lember <kalevlember@gmail.com> - 0.8-1
- Update to 0.8
* Mon Sep 19 2011 Matthias Clasen <mclasen@redhat.com> - 0.6-1
- Update to 0.6
* Sun Sep 04 2011 Kalev Lember <kalevlember@gmail.com> - 0.5-1
- Update to 0.5
* Sun Aug 21 2011 Kalev Lember <kalevlember@gmail.com> - 0.4-1
- Update to 0.4
- Install the example config file to documentation directory
* Wed Aug 17 2011 Kalev Lember <kalevlember@gmail.com> - 0.3-2
- Tighten -devel subpackage deps (#725905)
* Fri Jul 29 2011 Kalev Lember <kalevlember@gmail.com> - 0.3-1
- Update to 0.3
- Upstream rewrote the ASL 2.0 bits, which makes the whole package
BSD-licensed
* Tue Jul 12 2011 Kalev Lember <kalevlember@gmail.com> - 0.2-1
- Initial RPM release