commit 73ad82a74a70b6d29f30ffcdd3a60158dbd26dd4 Author: CentOS Sources Date: Tue May 7 08:19:48 2019 -0400 import p11-kit-0.23.14-4.el8 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..bb75f38 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/p11-kit-0.23.14.tar.gz diff --git a/.p11-kit.metadata b/.p11-kit.metadata new file mode 100644 index 0000000..a336cc3 --- /dev/null +++ b/.p11-kit.metadata @@ -0,0 +1 @@ +30cab1d4b716022e6918f9a49976609c425f9cfc SOURCES/p11-kit-0.23.14.tar.gz diff --git a/SOURCES/p11-kit-client.service b/SOURCES/p11-kit-client.service new file mode 100644 index 0000000..c9b8e30 --- /dev/null +++ b/SOURCES/p11-kit-client.service @@ -0,0 +1,11 @@ +[Unit] +Description=p11-kit client + +[Service] +Type=oneshot +RemainAfterExit=true +RuntimeDirectory=p11-kit +ExecStart=/usr/bin/true + +[Install] +WantedBy=default.target diff --git a/SOURCES/p11-kit-coverity.patch b/SOURCES/p11-kit-coverity.patch new file mode 100644 index 0000000..f07f616 --- /dev/null +++ b/SOURCES/p11-kit-coverity.patch @@ -0,0 +1,623 @@ +From 8a8db182af533a43b4d478d28af8623035475d68 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Tue, 16 Oct 2018 18:05:10 +0200 +Subject: [PATCH 01/10] debug: Work around cppcheck false-positives + +https://trac.cppcheck.net/ticket/8794 +--- + common/debug.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/common/debug.h b/common/debug.h +index 255c62c..7ea36f3 100644 +--- a/common/debug.h ++++ b/common/debug.h +@@ -71,13 +71,13 @@ void p11_debug_precond (const char *format, + #endif + + #define return_val_if_fail(x, v) \ +- do { if (!(x)) { \ ++ do { if (x) { } else { \ + p11_debug_precond ("p11-kit: '%s' not true at %s\n", #x, __func__); \ + return v; \ + } } while (false) + + #define return_if_fail(x) \ +- do { if (!(x)) { \ ++ do { if (x) { } else { \ + p11_debug_precond ("p11-kit: '%s' not true at %s\n", #x, __func__); \ + return; \ + } } while (false) +@@ -100,7 +100,7 @@ void p11_debug_precond (const char *format, + } while (false) + + #define warn_if_fail(x) \ +- do { if (!(x)) { \ ++ do { if (x) { } else { \ + p11_debug_precond ("p11-kit: '%s' not true at %s\n", #x, __func__); \ + } } while (false) + +-- +2.17.2 + + +From c76197ddbbd0c29adc2bceff2ee9f740f71d134d Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Tue, 16 Oct 2018 18:06:56 +0200 +Subject: [PATCH 02/10] build: Call va_end() always when leaving the function + +--- + common/attrs.c | 4 +++- + common/compat.c | 5 ++++- + common/path.c | 5 ++++- + trust/parser.c | 4 +++- + 4 files changed, 14 insertions(+), 4 deletions(-) + +diff --git a/common/attrs.c b/common/attrs.c +index aa91891..a387a66 100644 +--- a/common/attrs.c ++++ b/common/attrs.c +@@ -538,8 +538,10 @@ buffer_append_printf (p11_buffer *buffer, + va_list va; + + va_start (va, format); +- if (vasprintf (&string, format, va) < 0) ++ if (vasprintf (&string, format, va) < 0) { ++ va_end (va); + return_if_reached (); ++ } + va_end (va); + + p11_buffer_add (buffer, string, -1); +diff --git a/common/compat.c b/common/compat.c +index 5a9702d..48614fa 100644 +--- a/common/compat.c ++++ b/common/compat.c +@@ -525,7 +525,10 @@ strconcat (const char *first, + for (arg = first; arg; arg = va_arg (va, const char*)) { + size_t old_length = length; + length += strlen (arg); +- return_val_if_fail (length >= old_length, NULL); ++ if (length < old_length) { ++ va_end (va); ++ return_val_if_reached (NULL); ++ } + } + + va_end (va); +diff --git a/common/path.c b/common/path.c +index 5cf0e1a..17a6230 100644 +--- a/common/path.c ++++ b/common/path.c +@@ -218,7 +218,10 @@ p11_path_build (const char *path, + while (path != NULL) { + size_t old_len = len; + len += strlen (path) + 1; +- return_val_if_fail (len >= old_len, NULL); ++ if (len < old_len) { ++ va_end (va); ++ return_val_if_reached (NULL); ++ } + path = va_arg (va, const char *); + } + va_end (va); +diff --git a/trust/parser.c b/trust/parser.c +index f92cdc9..e912c3a 100644 +--- a/trust/parser.c ++++ b/trust/parser.c +@@ -697,8 +697,10 @@ p11_parser_formats (p11_parser *parser, + func = va_arg (va, parser_func); + if (func == NULL) + break; +- if (!p11_array_push (formats, func)) ++ if (!p11_array_push (formats, func)) { ++ va_end (va); + return_if_reached (); ++ } + } + va_end (va); + +-- +2.17.2 + + +From b10dadce5a3c921149b2c9fe0dec614f8076ebda Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Tue, 16 Oct 2018 18:10:05 +0200 +Subject: [PATCH 03/10] build: Free memory before return{,_val}_if_* macros + +--- + p11-kit/iter.c | 5 ++++- + p11-kit/proxy.c | 10 ++++++++-- + trust/asn1.c | 15 ++++++++++++--- + trust/builder.c | 5 ++++- + trust/index.c | 10 ++++++++-- + trust/persist.c | 5 ++++- + trust/save.c | 29 +++++++++++++++++++++++++---- + trust/session.c | 10 ++++++++-- + trust/token.c | 5 ++++- + 9 files changed, 77 insertions(+), 17 deletions(-) + +diff --git a/p11-kit/iter.c b/p11-kit/iter.c +index 0e4ca6e..d1ffd91 100644 +--- a/p11-kit/iter.c ++++ b/p11-kit/iter.c +@@ -157,7 +157,10 @@ p11_kit_iter_new (P11KitUri *uri, + return_val_if_fail (iter != NULL, NULL); + + iter->modules = p11_array_new (NULL); +- return_val_if_fail (iter->modules != NULL, NULL); ++ if (iter->modules == NULL) { ++ p11_kit_iter_free (iter); ++ return_val_if_reached (NULL); ++ } + + iter->want_writable = !!(behavior & P11_KIT_ITER_WANT_WRITABLE); + iter->preload_results = !(behavior & P11_KIT_ITER_BUSY_SESSIONS); +diff --git a/p11-kit/proxy.c b/p11-kit/proxy.c +index b7fb63d..abe7935 100644 +--- a/p11-kit/proxy.c ++++ b/p11-kit/proxy.c +@@ -267,7 +267,10 @@ proxy_create (Proxy **res, CK_FUNCTION_LIST **loaded, + py->forkid = p11_forkid; + + py->inited = modules_dup (loaded); +- return_val_if_fail (py->inited != NULL, CKR_HOST_MEMORY); ++ if (py->inited == NULL) { ++ proxy_free (py, 0); ++ return_val_if_reached (CKR_HOST_MEMORY); ++ } + + rv = p11_kit_modules_initialize (py->inited, NULL); + +@@ -320,7 +323,10 @@ proxy_create (Proxy **res, CK_FUNCTION_LIST **loaded, + } + + py->sessions = p11_dict_new (p11_dict_ulongptr_hash, p11_dict_ulongptr_equal, NULL, free); +- return_val_if_fail (py->sessions != NULL, CKR_HOST_MEMORY); ++ if (py->sessions == NULL) { ++ proxy_free (py, 1); ++ return_val_if_reached (CKR_HOST_MEMORY); ++ } + py->refs = 1; + + *res = py; +diff --git a/trust/asn1.c b/trust/asn1.c +index dd1812d..5ce682d 100644 +--- a/trust/asn1.c ++++ b/trust/asn1.c +@@ -285,11 +285,17 @@ p11_asn1_cache_new (void) + return_val_if_fail (cache != NULL, NULL); + + cache->defs = p11_asn1_defs_load (); +- return_val_if_fail (cache->defs != NULL, NULL); ++ if (cache->defs == NULL) { ++ p11_asn1_cache_free (cache); ++ return_val_if_reached (NULL); ++ } + + cache->items = p11_dict_new (p11_dict_direct_hash, p11_dict_direct_equal, + NULL, free_asn1_item); +- return_val_if_fail (cache->items != NULL, NULL); ++ if (cache->items == NULL) { ++ p11_asn1_cache_free (cache); ++ return_val_if_reached (NULL); ++ } + + return cache; + } +@@ -342,7 +348,10 @@ p11_asn1_cache_take (p11_asn1_cache *cache, + item->length = der_len; + item->node = node; + item->struct_name = strdup (struct_name); +- return_if_fail (item->struct_name != NULL); ++ if (item->struct_name == NULL) { ++ free_asn1_item (item); ++ return_if_reached (); ++ } + + if (!p11_dict_set (cache->items, (void *)der, item)) + return_if_reached (); +diff --git a/trust/builder.c b/trust/builder.c +index 742c544..d819dc8 100644 +--- a/trust/builder.c ++++ b/trust/builder.c +@@ -187,7 +187,10 @@ p11_builder_new (int flags) + return_val_if_fail (builder != NULL, NULL); + + builder->asn1_cache = p11_asn1_cache_new (); +- return_val_if_fail (builder->asn1_cache, NULL); ++ if (builder->asn1_cache == NULL) { ++ p11_builder_free (builder); ++ return_val_if_reached (NULL); ++ } + builder->asn1_defs = p11_asn1_cache_defs (builder->asn1_cache); + + builder->flags = flags; +diff --git a/trust/index.c b/trust/index.c +index f4b6b4b..6a8e535 100644 +--- a/trust/index.c ++++ b/trust/index.c +@@ -170,10 +170,16 @@ p11_index_new (p11_index_build_cb build, + index->objects = p11_dict_new (p11_dict_ulongptr_hash, + p11_dict_ulongptr_equal, + NULL, free_object); +- return_val_if_fail (index->objects != NULL, NULL); ++ if (index->objects == NULL) { ++ p11_index_free (index); ++ return_val_if_reached (NULL); ++ } + + index->buckets = calloc (NUM_BUCKETS, sizeof (index_bucket)); +- return_val_if_fail (index->buckets != NULL, NULL); ++ if (index->buckets == NULL) { ++ p11_index_free (index); ++ return_val_if_reached (NULL); ++ } + + return index; + } +diff --git a/trust/persist.c b/trust/persist.c +index 887b316..569cea1 100644 +--- a/trust/persist.c ++++ b/trust/persist.c +@@ -89,7 +89,10 @@ p11_persist_new (void) + return_val_if_fail (persist != NULL, NULL); + + persist->constants = p11_constant_reverse (true); +- return_val_if_fail (persist->constants != NULL, NULL); ++ if (persist->constants == NULL) { ++ free (persist); ++ return_val_if_reached (NULL); ++ } + + return persist; + } +diff --git a/trust/save.c b/trust/save.c +index abff864..8184e13 100644 +--- a/trust/save.c ++++ b/trust/save.c +@@ -68,6 +68,8 @@ static char * make_unique_name (const char *bare, + const char *extension, + int (*check) (void *, char *), + void *data); ++static void filo_free (p11_save_file *file); ++static void dir_free (p11_save_dir *dir); + + bool + p11_save_write_and_finish (p11_save_file *file, +@@ -114,9 +116,15 @@ p11_save_open_file (const char *path, + return_val_if_fail (file != NULL, NULL); + file->temp = temp; + file->bare = strdup (path); +- return_val_if_fail (file->bare != NULL, NULL); ++ if (file->bare == NULL) { ++ filo_free (file); ++ return_val_if_reached (NULL); ++ } + file->extension = strdup (extension); +- return_val_if_fail (file->extension != NULL, NULL); ++ if (file->extension == NULL) { ++ filo_free (file); ++ return_val_if_reached (NULL); ++ } + file->flags = flags; + file->fd = fd; + +@@ -166,6 +174,13 @@ filo_free (p11_save_file *file) + free (file); + } + ++static void ++dir_free (p11_save_dir *dir) { ++ p11_dict_free (dir->cache); ++ free (dir->path); ++ free (dir); ++} ++ + #ifdef OS_UNIX + + static int +@@ -349,10 +364,16 @@ p11_save_open_directory (const char *path, + return_val_if_fail (dir != NULL, NULL); + + dir->path = strdup (path); +- return_val_if_fail (dir->path != NULL, NULL); ++ if (dir->path == NULL) { ++ dir_free (dir); ++ return_val_if_reached (NULL); ++ } + + dir->cache = p11_dict_new (p11_dict_str_hash, p11_dict_str_equal, free, NULL); +- return_val_if_fail (dir->cache != NULL, NULL); ++ if (dir->cache == NULL) { ++ dir_free (dir); ++ return_val_if_reached (NULL); ++ } + + dir->flags = flags; + return dir; +diff --git a/trust/session.c b/trust/session.c +index b93a5c3..d464394 100644 +--- a/trust/session.c ++++ b/trust/session.c +@@ -59,12 +59,18 @@ p11_session_new (p11_token *token) + session->handle = p11_module_next_id (); + + session->builder = p11_builder_new (P11_BUILDER_FLAG_NONE); +- return_val_if_fail (session->builder, NULL); ++ if (session->builder == NULL) { ++ p11_session_free (session); ++ return_val_if_reached (NULL); ++ } + + session->index = p11_index_new (p11_builder_build, NULL, NULL, + p11_builder_changed, + session->builder); +- return_val_if_fail (session->index != NULL, NULL); ++ if (session->index == NULL) { ++ p11_session_free (session); ++ return_val_if_reached (NULL); ++ } + + session->token = token; + +diff --git a/trust/token.c b/trust/token.c +index 4cbcc77..fd3b043 100644 +--- a/trust/token.c ++++ b/trust/token.c +@@ -829,7 +829,10 @@ p11_token_new (CK_SLOT_ID slot, + return_val_if_fail (token != NULL, NULL); + + token->builder = p11_builder_new (P11_BUILDER_FLAG_TOKEN); +- return_val_if_fail (token->builder != NULL, NULL); ++ if (token->builder == NULL) { ++ p11_token_free (token); ++ return_val_if_reached (NULL); ++ } + + token->index = p11_index_new (on_index_build, + on_index_store, +-- +2.17.2 + + +From 06323aed926ddc67bd18ed98e5af92035a8e3d39 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Tue, 16 Oct 2018 18:14:46 +0200 +Subject: [PATCH 04/10] build: Check return value of p11_dict_set + +--- + p11-kit/proxy.c | 3 ++- + p11-kit/rpc-server.c | 6 +++++- + trust/module.c | 3 ++- + 3 files changed, 9 insertions(+), 3 deletions(-) + +diff --git a/p11-kit/proxy.c b/p11-kit/proxy.c +index abe7935..11e6165 100644 +--- a/p11-kit/proxy.c ++++ b/p11-kit/proxy.c +@@ -612,7 +612,8 @@ proxy_C_OpenSession (CK_X_FUNCTION_LIST *self, + sess->wrap_slot = map.wrap_slot; + sess->real_session = *handle; + sess->wrap_session = ++state->last_handle; /* TODO: Handle wrapping, and then collisions */ +- p11_dict_set (state->px->sessions, &sess->wrap_session, sess); ++ if (!p11_dict_set (state->px->sessions, &sess->wrap_session, sess)) ++ warn_if_reached (); + *handle = sess->wrap_session; + } + +diff --git a/p11-kit/rpc-server.c b/p11-kit/rpc-server.c +index 2db3524..3a8991d 100644 +--- a/p11-kit/rpc-server.c ++++ b/p11-kit/rpc-server.c +@@ -2226,7 +2226,11 @@ p11_kit_remote_serve_tokens (const char **tokens, + p11_message_err (error, "couldn't subclass filter"); + goto out; + } +- p11_dict_set (filters, module, filter); ++ if (!p11_dict_set (filters, module, filter)) { ++ error = EINVAL; ++ p11_message_err (error, "couldn't register filter"); ++ goto out; ++ } + } + + for (i = 0; i < n_tokens; i++) { +diff --git a/trust/module.c b/trust/module.c +index e09113b..24cda87 100644 +--- a/trust/module.c ++++ b/trust/module.c +@@ -1321,7 +1321,8 @@ find_objects_match (CK_ATTRIBUTE *attrs, + } + value = memdup (oid->pValue, oid->ulValueLen); + return_val_if_fail (value != NULL, false); +- p11_dict_set (find->extensions, value, value); ++ if (!p11_dict_set (find->extensions, value, value)) ++ warn_if_reached (); + } + } + +-- +2.17.2 + + +From 213ea0815ef45411bf6c134918b79d2aad69c1dc Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Tue, 16 Oct 2018 18:16:12 +0200 +Subject: [PATCH 05/10] build: Check return value of p11_rpc_buffer_get_uint64 + +--- + p11-kit/rpc-client.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/p11-kit/rpc-client.c b/p11-kit/rpc-client.c +index 0dd4525..e202e37 100644 +--- a/p11-kit/rpc-client.c ++++ b/p11-kit/rpc-client.c +@@ -371,7 +371,8 @@ proto_read_ulong_array (p11_rpc_message *msg, CK_ULONG_PTR arr, + + /* We need to go ahead and read everything in all cases */ + for (i = 0; i < num; ++i) { +- p11_rpc_buffer_get_uint64 (msg->input, &msg->parsed, &val); ++ if (!p11_rpc_buffer_get_uint64 (msg->input, &msg->parsed, &val)) ++ return PARSE_ERROR; + if (arr) + arr[i] = (CK_ULONG)val; + } +-- +2.17.2 + + +From 1f78cb0b4dd193ec1f1b2b424a497a6c2edec043 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Tue, 16 Oct 2018 18:16:51 +0200 +Subject: [PATCH 06/10] rpc-server: p11_kit_remote_serve_tokens: Fix memleak + +--- + p11-kit/rpc-server.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/p11-kit/rpc-server.c b/p11-kit/rpc-server.c +index 3a8991d..5b3dbf0 100644 +--- a/p11-kit/rpc-server.c ++++ b/p11-kit/rpc-server.c +@@ -2285,6 +2285,11 @@ p11_kit_remote_serve_tokens (const char **tokens, + p11_kit_modules_release (modules); + if (error != 0) + errno = error; ++ if (uris) { ++ for (i = 0; i < n_tokens; i++) ++ p11_kit_uri_free (uris[i]); ++ free (uris); ++ } + + return ret; + } +-- +2.17.2 + + +From 033cd90806cb1e2eab7e799703757abc2f07052e Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Tue, 16 Oct 2018 18:18:05 +0200 +Subject: [PATCH 07/10] proxy: Fix null dereference when reusing slots + +--- + p11-kit/proxy.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/p11-kit/proxy.c b/p11-kit/proxy.c +index 11e6165..8eaf205 100644 +--- a/p11-kit/proxy.c ++++ b/p11-kit/proxy.c +@@ -307,7 +307,10 @@ proxy_create (Proxy **res, CK_FUNCTION_LIST **loaded, + break; + } + py->mappings[py->n_mappings].funcs = funcs; +- py->mappings[py->n_mappings].wrap_slot = j == n_mappings ? py->n_mappings + MAPPING_OFFSET : mappings[j].wrap_slot; ++ py->mappings[py->n_mappings].wrap_slot = ++ (n_mappings == 0 || j == n_mappings) ? ++ py->n_mappings + MAPPING_OFFSET : ++ mappings[j].wrap_slot; + py->mappings[py->n_mappings].real_slot = slots[i]; + ++py->n_mappings; + } +-- +2.17.2 + + +From da73c2804b3ca962fa51473bb4c303a5ed32d4a1 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Tue, 16 Oct 2018 18:20:12 +0200 +Subject: [PATCH 08/10] trust: Set umask before calling mkstemp + +--- + trust/save.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/trust/save.c b/trust/save.c +index 8184e13..bb77348 100644 +--- a/trust/save.c ++++ b/trust/save.c +@@ -95,6 +95,7 @@ p11_save_open_file (const char *path, + { + p11_save_file *file; + char *temp; ++ mode_t mode; + int fd; + + return_val_if_fail (path != NULL, NULL); +@@ -105,7 +106,9 @@ p11_save_open_file (const char *path, + if (asprintf (&temp, "%s%s.XXXXXX", path, extension) < 0) + return_val_if_reached (NULL); + ++ mode = umask (0077); + fd = mkstemp (temp); ++ umask (mode); + if (fd < 0) { + p11_message_err (errno, "couldn't create file: %s%s", path, extension); + free (temp); +-- +2.17.2 + + +From 6417780ebbbbb0f01ddb001b239347655fb98578 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Wed, 17 Oct 2018 09:53:27 +0200 +Subject: [PATCH 09/10] rpc-server: Check calloc failure + +--- + p11-kit/rpc-server.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/p11-kit/rpc-server.c b/p11-kit/rpc-server.c +index 5b3dbf0..3216742 100644 +--- a/p11-kit/rpc-server.c ++++ b/p11-kit/rpc-server.c +@@ -2219,6 +2219,10 @@ p11_kit_remote_serve_tokens (const char **tokens, + filter = p11_dict_get (filters, module); + if (filter == NULL) { + lower = calloc (1, sizeof (p11_virtual)); ++ if (lower == NULL) { ++ error = ENOMEM; ++ goto out; ++ } + p11_virtual_init (lower, &p11_virtual_base, module, NULL); + filter = p11_filter_subclass (lower, NULL); + if (filter == NULL) { +-- +2.17.2 + + +From 83e92c2f9575707083d8b0c70ef330e285d70836 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Wed, 17 Oct 2018 09:53:46 +0200 +Subject: [PATCH 10/10] trust: Check index->buckets is allocated on cleanup + +--- + trust/index.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/trust/index.c b/trust/index.c +index 6a8e535..2d1da29 100644 +--- a/trust/index.c ++++ b/trust/index.c +@@ -193,9 +193,11 @@ p11_index_free (p11_index *index) + + p11_dict_free (index->objects); + p11_dict_free (index->changes); +- for (i = 0; i < NUM_BUCKETS; i++) +- free (index->buckets[i].elem); +- free (index->buckets); ++ if (index->buckets) { ++ for (i = 0; i < NUM_BUCKETS; i++) ++ free (index->buckets[i].elem); ++ free (index->buckets); ++ } + free (index); + } + +-- +2.17.2 + diff --git a/SOURCES/p11-kit-lower-libffi-priority.patch b/SOURCES/p11-kit-lower-libffi-priority.patch new file mode 100644 index 0000000..e5021b6 --- /dev/null +++ b/SOURCES/p11-kit-lower-libffi-priority.patch @@ -0,0 +1,71 @@ +From 6e1046de2233fba7875d3d6a1b260192678dd0ad Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Fri, 19 Oct 2018 10:21:36 +0200 +Subject: [PATCH] virtual: Prefer fixed closures to libffi closures + +On some circumstances (such as when loading p11-kit-proxy from httpd), +it is known that creation of libffi closure always fails, due to +SELinux policy. Although this is harmless, it pollutes the journal +and gives wrong hints when troubleshooting. This patch changes the +order of preference of libffi vs pre-compiled closures to avoid that. +--- + p11-kit/virtual.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +diff --git a/p11-kit/virtual.c b/p11-kit/virtual.c +index 6abfe7a..338239f 100644 +--- a/p11-kit/virtual.c ++++ b/p11-kit/virtual.c +@@ -2832,9 +2832,14 @@ p11_virtual_wrap (p11_virtual *virt, + p11_destroyer destroyer) + { + Wrapper *wrapper; ++ CK_FUNCTION_LIST *result; + + return_val_if_fail (virt != NULL, NULL); + ++ result = p11_virtual_wrap_fixed (virt, destroyer); ++ if (result) ++ return result; ++ + wrapper = calloc (1, sizeof (Wrapper)); + return_val_if_fail (wrapper != NULL, NULL); + +@@ -2844,8 +2849,10 @@ p11_virtual_wrap (p11_virtual *virt, + wrapper->bound.version.minor = CRYPTOKI_VERSION_MINOR; + wrapper->fixed_index = -1; + +- if (!init_wrapper_funcs (wrapper)) +- return p11_virtual_wrap_fixed (virt, destroyer); ++ if (!init_wrapper_funcs (wrapper)) { ++ free (wrapper); ++ return_val_if_reached (NULL); ++ } + + assert ((void *)wrapper == (void *)&wrapper->bound); + assert (p11_virtual_is_wrapper (&wrapper->bound)); +@@ -2859,7 +2866,11 @@ CK_FUNCTION_LIST * + p11_virtual_wrap (p11_virtual *virt, + p11_destroyer destroyer) + { +- return p11_virtual_wrap_fixed (virt, destroyer); ++ CK_FUNCTION_LIST *result; ++ ++ result = p11_virtual_wrap_fixed (virt, destroyer); ++ return_val_if_fail (result != NULL, NULL); ++ return result; + } + + #endif /* !FFI_CLOSURES */ +@@ -3068,8 +3079,6 @@ p11_virtual_wrap_fixed (p11_virtual *virt, + } + p11_mutex_unlock (&p11_virtual_mutex); + +- return_val_if_fail (result != NULL, NULL); +- + return result; + } + +-- +2.17.2 + diff --git a/SOURCES/trust-extract-compat b/SOURCES/trust-extract-compat new file mode 100755 index 0000000..1976f22 --- /dev/null +++ b/SOURCES/trust-extract-compat @@ -0,0 +1,15 @@ +#!/usr/bin/bash + +set -e + +if test "$UID" != "0"; then + echo "p11-kit: the 'extract-trust' command must be run as root" >&2 + exit 2 +fi + +if test $# -gt 1; then + echo "p11-kit: no additional arguments are supported for this command" >&2 + exit 2 +fi + +exec /usr/bin/update-ca-trust diff --git a/SPECS/p11-kit.spec b/SPECS/p11-kit.spec new file mode 100644 index 0000000..571ca10 --- /dev/null +++ b/SPECS/p11-kit.spec @@ -0,0 +1,392 @@ +# This spec file has been automatically updated +Version: 0.23.14 +Release: 4%{?dist} +Name: p11-kit +Summary: Library for loading and sharing PKCS#11 modules + +License: BSD +URL: http://p11-glue.freedesktop.org/p11-kit.html +Source0: https://github.com/p11-glue/p11-kit/releases/download/%{version}/p11-kit-%{version}.tar.gz +Source1: trust-extract-compat +Source2: p11-kit-client.service +Patch1: p11-kit-coverity.patch +Patch2: p11-kit-lower-libffi-priority.patch + +BuildRequires: gcc +BuildRequires: libtasn1-devel >= 2.3 +BuildRequires: libffi-devel +BuildRequires: gtk-doc +BuildRequires: systemd-devel +# Work around for https://bugzilla.redhat.com/show_bug.cgi?id=1497147 +# Remove this once it is fixed +BuildRequires: pkgconfig(glib-2.0) + +%description +p11-kit provides a way to load and enumerate PKCS#11 modules, as well +as a standard configuration setup for installing PKCS#11 modules in +such a way that they're discoverable. + + +%package devel +Summary: Development files for %{name} +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description devel +The %{name}-devel package contains libraries and header files for +developing applications that use %{name}. + + +%package trust +Summary: System trust module from %{name} +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires(post): %{_sbindir}/update-alternatives +Requires(postun): %{_sbindir}/update-alternatives +Conflicts: nss < 3.14.3-9 + +%description trust +The %{name}-trust package contains a system trust PKCS#11 module which +contains certificate anchors and black lists. + + +%package server +Summary: Server and client commands for %{name} +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description server +The %{name}-server package contains command line tools that enable to +export PKCS#11 modules through a Unix domain socket. Note that this +feature is still experimental. + + +# solution taken from icedtea-web.spec +%define multilib_arches ppc64 sparc64 x86_64 ppc64le +%ifarch %{multilib_arches} +%define alt_ckbi libnssckbi.so.%{_arch} +%else +%define alt_ckbi libnssckbi.so +%endif + + +%prep +%autosetup -p1 + +%build +# These paths are the source paths that come from the plan here: +# https://fedoraproject.org/wiki/Features/SharedSystemCertificates:SubTasks +%configure --disable-static --enable-doc --with-trust-paths=%{_sysconfdir}/pki/ca-trust/source:%{_datadir}/pki/ca-trust-source --disable-silent-rules +make %{?_smp_mflags} V=1 + +%install +make install DESTDIR=$RPM_BUILD_ROOT +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pkcs11/modules +rm -f $RPM_BUILD_ROOT%{_libdir}/*.la +rm -f $RPM_BUILD_ROOT%{_libdir}/pkcs11/*.la +install -p -m 755 %{SOURCE1} $RPM_BUILD_ROOT%{_libexecdir}/p11-kit/ +# Install the example conf with %%doc instead +rm $RPM_BUILD_ROOT%{_sysconfdir}/pkcs11/pkcs11.conf.example +mkdir -p $RPM_BUILD_ROOT%{_userunitdir} +install -p -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_userunitdir} + +%check +make check + + +%post -p /sbin/ldconfig + +%post trust +%{_sbindir}/update-alternatives --install %{_libdir}/libnssckbi.so \ + %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so 30 + +%postun -p /sbin/ldconfig + +%postun trust +if [ $1 -eq 0 ] ; then + # package removal + %{_sbindir}/update-alternatives --remove %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so +fi + + +%files +%{!?_licensedir:%global license %%doc} +%license COPYING +%doc AUTHORS NEWS README +%doc p11-kit/pkcs11.conf.example +%dir %{_sysconfdir}/pkcs11 +%dir %{_sysconfdir}/pkcs11/modules +%dir %{_datadir}/p11-kit +%dir %{_datadir}/p11-kit/modules +%dir %{_libexecdir}/p11-kit +%{_bindir}/p11-kit +%{_libdir}/libp11-kit.so.* +%{_libdir}/p11-kit-proxy.so +%{_libexecdir}/p11-kit/p11-kit-remote +%{_mandir}/man1/trust.1.gz +%{_mandir}/man8/p11-kit.8.gz +%{_mandir}/man5/pkcs11.conf.5.gz + +%files devel +%{_includedir}/p11-kit-1/ +%{_libdir}/libp11-kit.so +%{_libdir}/pkgconfig/p11-kit-1.pc +%doc %{_datadir}/gtk-doc/ + +%files trust +%{_bindir}/trust +%dir %{_libdir}/pkcs11 +%ghost %{_libdir}/libnssckbi.so +%{_libdir}/pkcs11/p11-kit-trust.so +%{_datadir}/p11-kit/modules/p11-kit-trust.module +%{_libexecdir}/p11-kit/trust-extract-compat + +%files server +%{_libdir}/pkcs11/p11-kit-client.so +%{_userunitdir}/p11-kit-client.service +%{_libexecdir}/p11-kit/p11-kit-server +%{_userunitdir}/p11-kit-server.service +%{_userunitdir}/p11-kit-server.socket + + +%changelog +* Mon Oct 29 2018 Daiki Ueno - 0.23.14-4 +- Prefer fixed closures to libffi closures + +* Wed Oct 17 2018 Daiki Ueno - 0.23.14-3 +- Update p11-kit-coverity.patch + +* Tue Oct 16 2018 Daiki Ueno - 0.23.14-2 +- Fix issues spotted by coverity + +* Wed Oct 10 2018 Daiki Ueno - 0.23.14-1 +- Update to upstream 0.23.14 release + +* Wed May 30 2018 Daiki Ueno - 0.23.12-1 +- Update to upstream 0.23.11 release + +* Wed Feb 28 2018 Daiki Ueno - 0.23.10-1 +- Update to upstream 0.23.10 release + +* Thu Feb 08 2018 Fedora Release Engineering - 0.23.9-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Oct 05 2017 Daiki Ueno - 0.23.9-2 +- server: Make it possible to eval envvar settings + +* Wed Oct 04 2017 Daiki Ueno - 0.23.9-1 +- Update to upstream 0.23.9 + +* Fri Aug 25 2017 Kai Engert - 0.23.8-2 +- Fix a regression caused by a recent nss.rpm change, add a %%ghost file + for %%{_libdir}/libnssckbi.so that p11-kit-trust scripts install. + +* Tue Aug 15 2017 Daiki Ueno - 0.23.8-1 +- Update to 0.23.8 release + +* Thu Aug 03 2017 Fedora Release Engineering - 0.23.7-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 0.23.7-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Fri Jun 2 2017 Daiki Ueno - 0.23.7-1 +- Update to 0.23.7 release + +* Thu May 18 2017 Daiki Ueno - 0.23.5-3 +- Update p11-kit-modifiable.patch to simplify the logic + +* Thu May 18 2017 Daiki Ueno - 0.23.5-2 +- Make "trust anchor --remove" work again + +* Thu Mar 2 2017 Daiki Ueno - 0.23.5-1 +- Update to 0.23.5 release +- Rename -tools subpackage to -server and remove systemd unit files + +* Fri Feb 24 2017 Daiki Ueno - 0.23.4-3 +- Move p11-kit command back to main package + +* Fri Feb 24 2017 Daiki Ueno - 0.23.4-2 +- Split out command line tools to -tools subpackage, to avoid a + multilib issue with the main package. Suggested by Yanko Kaneti. + +* Wed Feb 22 2017 Daiki Ueno - 0.23.4-1 +- Update to 0.23.4 release + +* Sat Feb 11 2017 Fedora Release Engineering - 0.23.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Fri Jan 6 2017 Daiki Ueno - 0.23.3-2 +- Use internal hash implementation instead of NSS (#1390598) + +* Tue Dec 20 2016 Daiki Ueno - 0.23.3-1 +- Update to 0.23.3 release +- Adjust executables location from %%libdir to %%libexecdir + +* Thu Feb 04 2016 Fedora Release Engineering - 0.23.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Tue Jan 12 2016 Martin Preisler - 0.23.2-1 +- Update to stable 0.23.2 release + +* Tue Jun 30 2015 Martin Preisler - 0.23.1-4 +- In proxy module don't call C_Finalize on a forked process [#1217915] +- Do not deinitialize libffi's wrapper functions [#1217915] + +* Thu Jun 18 2015 Fedora Release Engineering - 0.23.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Sat Feb 21 2015 Till Maas - 0.23.1-2 +- Rebuilt for Fedora 23 Change + https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code + +* Fri Feb 20 2015 Stef Walter - 0.23.1-1 +- Update to 0.23.1 release + +* Thu Oct 09 2014 Stef Walter - 0.22.1-1 +- Update to 0.22.1 release +- Use SubjectKeyIdentifier as a CKA_ID if possible rhbz#1148895 + +* Sat Oct 04 2014 Stef Walter 0.22.0-1 +- Update to 0.22.0 release + +* Wed Sep 17 2014 Stef Walter 0.21.3-1 +- Update to 0.21.3 release +- Includes definitions for trust extensions rhbz#1136817 + +* Fri Sep 05 2014 Stef Walter 0.21.2-1 +- Update to 0.21.2 release +- Fix problems with erroneous messages printed rhbz#1133857 + +* Sun Aug 17 2014 Fedora Release Engineering - 0.21.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Thu Aug 07 2014 Stef Walter - 0.21.1-1 +- Update to 0.21.1 release + +* Wed Jul 30 2014 Tom Callaway - 0.20.3-3 +- fix license handling + +* Fri Jul 04 2014 Stef Walter - 0.20.3-2 +- Update to stable 0.20.3 release + +* Fri Jun 06 2014 Fedora Release Engineering - 0.20.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Sat Jan 25 2014 Ville Skyttä - 0.20.2-2 +- Own the %%{_libdir}/pkcs11 dir in -trust. + +* Tue Jan 14 2014 Stef Walter - 0.20.2-1 +- Update to upstream stable 0.20.2 release +- Fix regression involving blacklisted anchors [#1041328] +- Support ppc64le in build [#1052707] + +* Mon Sep 09 2013 Stef Walter - 0.20.1-1 +- Update to upstream stable 0.20.1 release +- Extract compat trust data after we've changes +- Skip compat extraction if running as non-root +- Better failure messages when removing anchors + +* Thu Aug 29 2013 Stef Walter - 0.19.4-1 +- Update to new upstream 0.19.4 release + +* Sat Aug 03 2013 Fedora Release Engineering - 0.19.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Wed Jul 24 2013 Stef Walter - 0.19.3-1 +- Update to new upstream 0.19.3 release (#967822) + +* Wed Jun 05 2013 Stef Walter - 0.18.3-1 +- Update to new upstream stable release +- Fix intermittent firefox cert validation issues (#960230) +- Include the manual pages in the package + +* Tue May 14 2013 Stef Walter - 0.18.2-1 +- Update to new upstream stable release +- Reduce the libtasn1 dependency minimum version + +* Thu May 02 2013 Stef Walter - 0.18.1-1 +- Update to new upstream stable release +- 'p11-kit extract-trust' lives in libdir + +* Thu Apr 04 2013 Stef Walter - 0.18.0-1 +- Update to new upstream stable release +- Various logging tweaks (#928914, #928750) +- Make the 'p11-kit extract-trust' explicitly reject + additional arguments + +* Thu Mar 28 2013 Stef Walter - 0.17.5-1 +- Make 'p11-kit extract-trust' call update-ca-trust +- Work around 32-bit oveflow of certificate dates +- Build fixes + +* Tue Mar 26 2013 Stef Walter - 0.17.4-2 +- Pull in patch from upstream to fix build on ppc (#927394) + +* Wed Mar 20 2013 Stef Walter - 0.17.4-1 +- Update to upstream version 0.17.4 + +* Mon Mar 18 2013 Stef Walter - 0.17.3-1 +- Update to upstream version 0.17.3 +- Put the trust input paths in the right order + +* Tue Mar 12 2013 Stef Walter - 0.16.4-1 +- Update to upstream version 0.16.4 + +* Fri Mar 08 2013 Stef Walter - 0.16.3-1 +- Update to upstream version 0.16.3 +- Split out system trust module into its own package. +- p11-kit-trust provides an alternative to an nss module + +* Tue Mar 05 2013 Stef Walter - 0.16.1-1 +- Update to upstream version 0.16.1 +- Setup source directories as appropriate for Shared System Certificates feature + +* Tue Mar 05 2013 Stef Walter - 0.16.0-1 +- Update to upstream version 0.16.0 + +* Thu Feb 14 2013 Fedora Release Engineering - 0.14-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Mon Sep 17 2012 Kalev Lember - 0.14-1 +- Update to 0.14 + +* Fri Jul 20 2012 Fedora Release Engineering - 0.13-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Mon Jul 16 2012 Kalev Lember - 0.13-1 +- Update to 0.13 + +* Tue Mar 27 2012 Kalev Lember - 0.12-1 +- Update to 0.12 +- Run self tests in %%check + +* Sat Feb 11 2012 Kalev Lember - 0.11-1 +- Update to 0.11 + +* Fri Jan 13 2012 Fedora Release Engineering - 0.9-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Tue Dec 20 2011 Matthias Clasen - 0.9-1 +- Update to 0.9 + +* Wed Oct 26 2011 Kalev Lember - 0.8-1 +- Update to 0.8 + +* Mon Sep 19 2011 Matthias Clasen - 0.6-1 +- Update to 0.6 + +* Sun Sep 04 2011 Kalev Lember - 0.5-1 +- Update to 0.5 + +* Sun Aug 21 2011 Kalev Lember - 0.4-1 +- Update to 0.4 +- Install the example config file to documentation directory + +* Wed Aug 17 2011 Kalev Lember - 0.3-2 +- Tighten -devel subpackage deps (#725905) + +* Fri Jul 29 2011 Kalev Lember - 0.3-1 +- Update to 0.3 +- Upstream rewrote the ASL 2.0 bits, which makes the whole package + BSD-licensed + +* Tue Jul 12 2011 Kalev Lember - 0.2-1 +- Initial RPM release