rpms/p11-kit
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Rebase to 0.25.5

Browse Source 
Resolves: RHEL-46898

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
This commit is contained in:
Zoltan Fridrich 2024-07-10 16:36:31 +02:00
parent 637e88b4a4
commit e8ce0b704a
7 changed files with 5 additions and 510 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -44,3 +44,5 @@
/p11-kit-0.25.2.tar.xz.sig
/p11-kit-0.25.3.tar.xz
/p11-kit-0.25.3.tar.xz.sig
/p11-kit-0.25.5.tar.xz
/p11-kit-0.25.5.tar.xz.sig

59
p11-kit-0.25.3-generate-keypair-eddsa.patch
View File

@ -1,59 +0,0 @@
diff --color -ruNp a/doc/manual/p11-kit.xml b/doc/manual/p11-kit.xml
--- a/doc/manual/p11-kit.xml 2023-10-26 11:56:44.000000000 +0200
+++ b/doc/manual/p11-kit.xml 2024-05-15 16:49:22.058423419 +0200
@@ -211,7 +211,7 @@ $ p11-kit generate-keypair --type=algori
<varlistentry>
<term><option>--type=&lt;algorithm&gt;</option></term>
<listitem><para>Specify the type of keys to generate.
- Supported values are rsa, ecdsa and ed25519.
+ Supported values are rsa, ecdsa and eddsa.
This option is required.</para></listitem>
</varlistentry>
<varlistentry>
diff --color -ruNp a/p11-kit/generate-keypair.c b/p11-kit/generate-keypair.c
--- a/p11-kit/generate-keypair.c 2024-05-15 16:45:43.883280385 +0200
+++ b/p11-kit/generate-keypair.c 2024-05-15 16:48:40.499637246 +0200
@@ -84,8 +84,7 @@ get_mechanism (const char *type)
m.mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;
else if (p11_ascii_strcaseeq (type, "ecdsa"))
m.mechanism = CKM_ECDSA_KEY_PAIR_GEN;
- else if (p11_ascii_strcaseeq (type, "ed25519") ||
- p11_ascii_strcaseeq (type, "ed448"))
+ else if (p11_ascii_strcaseeq (type, "eddsa"))
m.mechanism = CKM_EC_EDWARDS_KEY_PAIR_GEN;
return m;
diff --color -ruNp a/p11-kit/test-generate-keypair.sh b/p11-kit/test-generate-keypair.sh
--- a/p11-kit/test-generate-keypair.sh 2023-10-31 09:47:26.000000000 +0100
+++ b/p11-kit/test-generate-keypair.sh 2024-05-15 16:48:40.499637246 +0200
@@ -42,8 +42,8 @@ test_generate_keypair_ecdsa() {
if "$abs_top_builddir"/p11-kit/p11-kit-testable generate-keypair --login --label="ecdsa-$curve" --type=ecdsa --curve="$curve" "pkcs11:token=PUBKEY%20LABEL?pin-value=booo" 2> err.out; then
assert_fail "expected to fail: p11-kit generate-keypair"
fi
+ assert_contains err.out "key-pair generation failed: The crypto mechanism is invalid or unrecognized"
done
- assert_contains err.out "key-pair generation failed: The crypto mechanism is invalid or unrecognized"
if "$abs_top_builddir"/p11-kit/p11-kit-testable generate-keypair --login --label="ecdsa-unknown" --type=ecdsa --curve=unknown "pkcs11:token=PUBKEY%20LABEL?pin-value=booo" 2> err.out; then
assert_fail "p11-kit generate-keypair succeeded for unknown ecdsa curve"
@@ -54,16 +54,16 @@ test_generate_keypair_ecdsa() {
test_generate_keypair_eddsa() {
for curve in ed25519 ed448; do
if "$abs_top_builddir"/p11-kit/p11-kit-testable generate-keypair --login --label="eddsa-$curve" --type=eddsa --curve="$curve" "pkcs11:token=PUBKEY%20LABEL?pin-value=booo" 2> err.out; then
- assert_fail "unable to run: p11-kit generate-keypair"
+ assert_fail "expected to fail: p11-kit generate-keypair"
fi
+ assert_contains err.out "key-pair generation failed: The crypto mechanism is invalid or unrecognized"
done
- assert_contains err.out "key-pair generation failed: The crypto mechanism is invalid or unrecognized"
- if "$abs_top_builddir"/p11-kit/p11-kit-testable generate-keypair --login --label="eddsa-unknown" --type=eddsa --curve=unknown "pkcs11:token=PUBKEY%20LABEL?pin-value=booo"; then
+ if "$abs_top_builddir"/p11-kit/p11-kit-testable generate-keypair --login --label="eddsa-unknown" --type=eddsa --curve=unknown "pkcs11:token=PUBKEY%20LABEL?pin-value=booo" 2> err.out; then
assert_fail "p11-kit generate-keypair succeeded for unknown eddsa curve"
fi
assert_contains err.out "unknown curve name: unknown"
}
run test_generate_keypair_mock test_generate_keypair_rsa \
- test_generate_keypair_ecdsa test_generate_keypair_ecdsa
+ test_generate_keypair_ecdsa test_generate_keypair_eddsa

109
p11-kit-0.25.3-import-object.patch
View File

@ -1,109 +0,0 @@
From d49c92c8420db6ee4c88515bdb014f68f4d471d9 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Sat, 2 Dec 2023 09:24:01 +0900
Subject: [PATCH] import-object: Avoid integer truncation on 32-bit platforms
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The build fails when compiling for 32-bit platforms with
-Werror=incompatible-pointer-types:
CFLAGS="-m32 -march=i686 -Werror=incompatible-pointer-types -Werror=implicit -Werror=int-conversion" setarch i686 -- meson setup _build
setarch i686 -- meson compile -C _build -v
...
../p11-kit/import-object.c: In function add_attrs_pubkey_rsa:
../p11-kit/import-object.c:223:62: error: passing argument 3 of p11_asn1_read from incompatible pointer type [-Werror=incompatible-pointer-types]
223 | attr_modulus.pValue = p11_asn1_read (asn, "modulus", &attr_modulus.ulValueLen);
| ^~~~~~~~~~~~~~~~~~~~~~~~
| |
| long unsigned int *
Reported by Sam James in:
https://github.com/p11-glue/p11-kit/issues/608
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
p11-kit/import-object.c | 30 +++++++++++++++++++++++++++---
1 file changed, 27 insertions(+), 3 deletions(-)
diff --git a/p11-kit/import-object.c b/p11-kit/import-object.c
index feee076..fb47b96 100644
--- a/p11-kit/import-object.c
+++ b/p11-kit/import-object.c
@@ -55,6 +55,7 @@
#endif
#include <assert.h>
+#include <limits.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
@@ -201,6 +202,7 @@ add_attrs_pubkey_rsa (CK_ATTRIBUTE *attrs,
CK_ATTRIBUTE attr_encrypt = { CKA_ENCRYPT, &tval, sizeof (tval) };
CK_ATTRIBUTE attr_modulus = { CKA_MODULUS, };
CK_ATTRIBUTE attr_exponent = { CKA_PUBLIC_EXPONENT, };
+ size_t len = 0;
pubkey = p11_asn1_read (info, "subjectPublicKey", &pubkey_len);
if (pubkey == NULL) {
@@ -220,17 +222,31 @@ add_attrs_pubkey_rsa (CK_ATTRIBUTE *attrs,
goto cleanup;
}
- attr_modulus.pValue = p11_asn1_read (asn, "modulus", &attr_modulus.ulValueLen);
+ attr_modulus.pValue = p11_asn1_read (asn, "modulus", &len);
if (attr_modulus.pValue == NULL) {
p11_message (_("failed to obtain modulus"));
goto cleanup;
}
+#if ULONG_MAX < SIZE_MAX
+ if (len > ULONG_MAX) {
+ p11_message (_("failed to obtain modulus"));
+ goto cleanup;
+ }
+#endif
+ attr_modulus.ulValueLen = len;
- attr_exponent.pValue = p11_asn1_read (asn, "publicExponent", &attr_exponent.ulValueLen);
+ attr_exponent.pValue = p11_asn1_read (asn, "publicExponent", &len);
if (attr_exponent.pValue == NULL) {
p11_message (_("failed to obtain exponent"));
goto cleanup;
}
+#if ULONG_MAX < SIZE_MAX
+ if (len > ULONG_MAX) {
+ p11_message (_("failed to obtain exponent"));
+ goto cleanup;
+ }
+#endif
+ attr_exponent.ulValueLen = len;
result = p11_attrs_build (attrs, &attr_key_type, &attr_encrypt, &attr_modulus, &attr_exponent, NULL);
if (result == NULL) {
@@ -260,12 +276,20 @@ add_attrs_pubkey_ec (CK_ATTRIBUTE *attrs,
CK_ATTRIBUTE attr_key_type = { CKA_KEY_TYPE, &key_type, sizeof (key_type) };
CK_ATTRIBUTE attr_ec_params = { CKA_EC_PARAMS, };
CK_ATTRIBUTE attr_ec_point = { CKA_EC_POINT, };
+ size_t len = 0;
- attr_ec_params.pValue = p11_asn1_read (info, "algorithm.parameters", &attr_ec_params.ulValueLen);
+ attr_ec_params.pValue = p11_asn1_read (info, "algorithm.parameters", &len);
if (attr_ec_params.pValue == NULL) {
p11_message (_("failed to obtain EC parameters"));
goto cleanup;
}
+#if ULONG_MAX < SIZE_MAX
+ if (len > ULONG_MAX) {
+ p11_message (_("failed to obtain EC parameters"));
+ goto cleanup;
+ }
+#endif
+ attr_ec_params.ulValueLen = len;
/* subjectPublicKey is read as BIT STRING value which contains
* EC point data. We need to DER encode this data as OCTET STRING.
--
2.43.0

37
p11-kit-0.25.3-list-tokens-message.patch
View File

@ -1,37 +0,0 @@
From 8e46359a68deab9112a1e262d5384986ce87b5d8 Mon Sep 17 00:00:00 2001
From: Zoltan Fridrich <zfridric@redhat.com>
Date: Thu, 16 Nov 2023 14:43:21 +0100
Subject: [PATCH] Fix usage message in p11-kit list-tokens command
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
---
p11-kit/list-tokens.c | 2 +-
p11-kit/test-list-tokens.sh | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/p11-kit/list-tokens.c b/p11-kit/list-tokens.c
index 48616cae..a9101945 100644
--- a/p11-kit/list-tokens.c
+++ b/p11-kit/list-tokens.c
@@ -151,7 +151,7 @@ p11_kit_list_tokens (int argc,
};
p11_tool_desc usages[] = {
- { 0, "usage: p11-kit list-tokens" },
+ { 0, "usage: p11-kit list-tokens [--only-uris] pkcs11:token" },
{ opt_verbose, "show verbose debug output", },
{ opt_quiet, "suppress command output", },
{ opt_only_urls, "only print token URIs", },
diff --git a/p11-kit/test-list-tokens.sh b/p11-kit/test-list-tokens.sh
index f61e241d..f933792e 100755
--- a/p11-kit/test-list-tokens.sh
+++ b/p11-kit/test-list-tokens.sh
@@ -21,7 +21,7 @@ teardown() {
test_list_tokens_without_uri() {
cat > list.exp <<EOF
-usage: p11-kit list-tokens
+usage: p11-kit list-tokens [--only-uris] pkcs11:token
-v, --verbose show verbose debug output
-q, --quiet suppress command output

298
p11-kit-0.25.3-static-analysis.patch
View File

@ -1,298 +0,0 @@
From 58cd1c05e001a4fe250c15f3599e79974bc509e3 Mon Sep 17 00:00:00 2001
From: Zoltan Fridrich <zfridric@redhat.com>
Date: Thu, 16 Nov 2023 10:12:14 +0100
Subject: [PATCH] Fix issues found by static analysis
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
---
common/frob-getprogname.c | 4 ++--
common/test.c | 4 +---
p11-kit/generate-keypair.c | 25 +++++++++----------------
p11-kit/import-object.c | 22 +++++-----------------
p11-kit/lists.c | 1 +
p11-kit/print-config.c | 4 +++-
p11-kit/rpc-client.c | 6 ++++--
p11-kit/test-uri.c | 4 ++--
trust/test-trust.c | 2 +-
9 files changed, 28 insertions(+), 44 deletions(-)
diff --git a/common/frob-getprogname.c b/common/frob-getprogname.c
index ead658cc8..46e3b7fd3 100644
--- a/common/frob-getprogname.c
+++ b/common/frob-getprogname.c
@@ -76,14 +76,14 @@ main (int argc,
execv (BUILDDIR "/common/frob-getprogname" EXEEXT, args);
} else {
int status;
- char buffer[1024];
+ char buffer[1024] = { 0 };
size_t offset = 0;
ssize_t nread;
char *p;
close (pfds[1]);
while (1) {
- nread = read (pfds[0], buffer + offset, sizeof(buffer) - offset);
+ nread = read (pfds[0], buffer + offset, sizeof(buffer) - offset - 1);
if (nread < 0) {
perror ("read");
exit (EXIT_FAILURE);
diff --git a/common/test.c b/common/test.c
index 3ed98da01..6cdbd1fa2 100644
--- a/common/test.c
+++ b/common/test.c
@@ -272,7 +272,6 @@ p11_testx (void (* function) (void *),
test_item item = { TEST, };
va_list va;
- item.type = TEST;
item.x.test.func = function;
item.x.test.argument = argument;
@@ -287,9 +286,8 @@ void
p11_fixture (void (* setup) (void *),
void (* teardown) (void *))
{
- test_item item;
+ test_item item = { FIXTURE, };
- item.type = FIXTURE;
item.x.fix.setup = setup;
item.x.fix.teardown = teardown;
diff --git a/p11-kit/generate-keypair.c b/p11-kit/generate-keypair.c
index 49dc11830..695103d1d 100644
--- a/p11-kit/generate-keypair.c
+++ b/p11-kit/generate-keypair.c
@@ -351,7 +351,7 @@ int
p11_kit_generate_keypair (int argc,
char *argv[])
{
- int opt, ret = 2;
+ int opt, ret;
char *label = NULL;
CK_ULONG bits = 0;
const uint8_t *ec_params = NULL;
@@ -396,31 +396,27 @@ p11_kit_generate_keypair (int argc,
while ((opt = p11_tool_getopt (argc, argv, options)) != -1) {
switch (opt) {
case opt_label:
- label = strdup (optarg);
- if (label == NULL) {
- p11_message (_("failed to allocate memory"));
- goto cleanup;
- }
+ label = optarg;
break;
case opt_type:
mechanism = get_mechanism (optarg);
if (mechanism.mechanism == CKA_INVALID) {
p11_message (_("unknown mechanism type: %s"), optarg);
- goto cleanup;
+ return 2;
}
break;
case opt_bits:
bits = strtol (optarg, NULL, 10);
if (bits == 0) {
p11_message (_("failed to parse bits value: %s"), optarg);
- goto cleanup;
+ return 2;
}
break;
case opt_curve:
ec_params = get_ec_params (optarg, &ec_params_len);
if (ec_params == NULL) {
p11_message (_("unknown curve name: %s"), optarg);
- goto cleanup;
+ return 2;
}
break;
case opt_login:
@@ -434,10 +430,9 @@ p11_kit_generate_keypair (int argc,
break;
case opt_help:
p11_tool_usage (usages, options);
- ret = 0;
- goto cleanup;
+ return 0;
case '?':
- goto cleanup;
+ return 2;
default:
assert_not_reached ();
break;
@@ -449,11 +444,11 @@ p11_kit_generate_keypair (int argc,
if (argc != 1) {
p11_tool_usage (usages, options);
- goto cleanup;
+ return 2;
}
if (!check_args (mechanism.mechanism, bits, ec_params))
- goto cleanup;
+ return 2;
#ifdef OS_UNIX
/* Register a fallback PIN callback that reads from terminal.
@@ -464,11 +459,9 @@ p11_kit_generate_keypair (int argc,
ret = generate_keypair (*argv, label, mechanism, bits, ec_params, ec_params_len, login);
-cleanup:
#ifdef OS_UNIX
p11_kit_pin_unregister_callback ("tty", p11_pin_tty_callback, NULL);
#endif
- free (label);
return ret;
}
diff --git a/p11-kit/import-object.c b/p11-kit/import-object.c
index 270a0e027..feee07659 100644
--- a/p11-kit/import-object.c
+++ b/p11-kit/import-object.c
@@ -500,7 +500,7 @@ int
p11_kit_import_object (int argc,
char *argv[])
{
- int opt, ret = 2;
+ int opt, ret;
char *label = NULL;
char *file = NULL;
bool login = false;
@@ -536,18 +536,10 @@ p11_kit_import_object (int argc,
while ((opt = p11_tool_getopt (argc, argv, options)) != -1) {
switch (opt) {
case opt_label:
- label = strdup (optarg);
- if (label == NULL) {
- p11_message (_("failed to allocate memory"));
- goto cleanup;
- }
+ label = optarg;
break;
case opt_file:
- file = strdup (optarg);
- if (file == NULL) {
- p11_message (_("failed to allocate memory"));
- goto cleanup;
- }
+ file = optarg;
break;
case opt_login:
login = true;
@@ -574,12 +566,12 @@ p11_kit_import_object (int argc,
if (argc != 1) {
p11_tool_usage (usages, options);
- goto cleanup;
+ return 2;
}
if (file == NULL) {
p11_message (_("no file specified"));
- goto cleanup;
+ return 2;
}
#ifdef OS_UNIX
@@ -595,10 +587,6 @@ p11_kit_import_object (int argc,
p11_kit_pin_unregister_callback ("tty", p11_pin_tty_callback, NULL);
#endif
-cleanup:
- free (label);
- free (file);
-
return ret;
}
diff --git a/p11-kit/lists.c b/p11-kit/lists.c
index df58beb3f..007bb0f12 100644
--- a/p11-kit/lists.c
+++ b/p11-kit/lists.c
@@ -295,6 +295,7 @@ print_modules (void)
if (rv != CKR_OK) {
p11_message (_("couldn't load module info: %s"),
p11_kit_strerror (rv));
+ p11_kit_modules_finalize_and_release (module_list);
return 1;
}
diff --git a/p11-kit/print-config.c b/p11-kit/print-config.c
index 173b55feb..29daf3871 100644
--- a/p11-kit/print-config.c
+++ b/p11-kit/print-config.c
@@ -74,8 +74,10 @@ print_config (void)
P11_PACKAGE_CONFIG_MODULES,
P11_SYSTEM_CONFIG_MODULES,
P11_USER_CONFIG_MODULES);
- if (modules_conf == NULL)
+ if (modules_conf == NULL) {
+ p11_dict_free (global_conf);
return 1;
+ }
printf ("[global]\n");
p11_dict_iterate (global_conf, &i);
diff --git a/p11-kit/rpc-client.c b/p11-kit/rpc-client.c
index fb39103eb..19b628b1a 100644
--- a/p11-kit/rpc-client.c
+++ b/p11-kit/rpc-client.c
@@ -173,6 +173,8 @@ call_done (rpc_client *module,
p11_rpc_message *msg,
CK_RV ret)
{
+ p11_buffer *buf;
+
assert (module != NULL);
assert (msg != NULL);
@@ -189,9 +191,9 @@ call_done (rpc_client *module,
/* We used the same buffer for input/output, so this frees both */
assert (msg->input == msg->output);
- p11_rpc_buffer_free (msg->input);
-
+ buf = msg->input;
p11_rpc_message_clear (msg);
+ p11_rpc_buffer_free (buf);
return ret;
}
diff --git a/p11-kit/test-uri.c b/p11-kit/test-uri.c
index 32e8da703..18b7a108a 100644
--- a/p11-kit/test-uri.c
+++ b/p11-kit/test-uri.c
@@ -1019,7 +1019,7 @@ test_uri_get_set_unrecognized (void)
static void
test_uri_match_token (void)
{
- CK_TOKEN_INFO token;
+ CK_TOKEN_INFO token = { 0 };
P11KitUri *uri;
int ret;
@@ -1056,7 +1056,7 @@ test_uri_match_token (void)
static void
test_uri_match_module (void)
{
- CK_INFO info;
+ CK_INFO info = { 0 };
P11KitUri *uri;
int ret;
diff --git a/trust/test-trust.c b/trust/test-trust.c
index 29b2797b5..3b27a1f31 100644
--- a/trust/test-trust.c
+++ b/trust/test-trust.c
@@ -258,7 +258,7 @@ test_check_symlink_msg (const char *file,
if (asprintf (&filename, "%s/%s", directory, name) < 0)
assert_not_reached ();
- if (readlink (filename, buf, sizeof (buf)) < 0)
+ if (readlink (filename, buf, sizeof (buf) - 1) < 0)
p11_test_fail (file, line, function, "Couldn't read symlink: %s", filename);
if (strcmp (destination, buf) != 0)

6
p11-kit.spec
View File

@ -1,5 +1,5 @@
# This spec file has been automatically updated
Version: 0.25.3
Version: 0.25.5
Release: %{?autorelease}%{!?autorelease:1%{?dist}}
Name: p11-kit
Summary: Library for loading and sharing PKCS#11 modules
@ -11,10 +11,6 @@ Source1: https://github.com/p11-glue/p11-kit/releases/download/%{version}
Source2: https://p11-glue.github.io/p11-glue/p11-kit/p11-kit-release-keyring.gpg
Source3: trust-extract-compat
Source4: p11-kit-client.service
Patch: p11-kit-0.25.3-import-object.patch
Patch: p11-kit-0.25.3-list-tokens-message.patch
Patch: p11-kit-0.25.3-static-analysis.patch
Patch: p11-kit-0.25.3-generate-keypair-eddsa.patch
BuildRequires: gcc
BuildRequires: libtasn1-devel >= 2.3

4
sources
View File

@ -1,3 +1,3 @@
SHA512 (p11-kit-0.25.3.tar.xz) = ad2d393bf122526cbba18dc9d5a13f2c1cad7d70125ec90ffd02059dfa5ef30ac59dfc0bb9bc6380c8f317e207c9e87e895f1945634f56ddf910c2958868fb4c
SHA512 (p11-kit-0.25.3.tar.xz.sig) = 189a40b12e40818daff4aa6869d7e0fa342a42f3901d85fc52bb40f7023bb17790967be5ab9a183473fe8bb3e335a0d4d8c2b6345ccf811e90f8495009c085b8
SHA512 (p11-kit-0.25.5.tar.xz) = 177ec6ff5eb891901078306dce2bf3f5c1a0e5c2a8c493bdf5a08ae1ff1240fdf6952961e973c373f80ac3d1d5a9927e07f4da49e4ff92269d992e744889fc94
SHA512 (p11-kit-0.25.5.tar.xz.sig) = 2be5aa4ccbb889e32aed88fc1f7926c3ccaadc90cc6b15a187358c812eee4ce1712068d1f271766ac51366112c0619aad46cff345ed2edd009fb2fe7fb804493
SHA512 (p11-kit-release-keyring.gpg) = 9a832a8ac3a139cbbf1ecb66573f0709847ebfef4975777cf82b4dca09af1ad8e6400f0af0bcdb92860e7ed4fc05082ba1edda0238a21fe24d49555a1069e881