Fix some more bugs found by valgrind and coverity.

- Don't build utils/ ; we're not using them and they're not ready anyway.
Peter Jones 2012-10-18 11:38:53 -04:00
parent 0d40135ec1
commit 18bcd8bfc2
31 changed files with 3123 additions and 7 deletions

@ -1,7 +1,7 @@
From 406a08cc45a2d0761294002d946ee3381a4706ee Mon Sep 17 00:00:00 2001 From 406a08cc45a2d0761294002d946ee3381a4706ee Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com> From: Peter Jones <pjones@redhat.com>
Date: Wed, 17 Oct 2012 09:53:07 -0400 Date: Wed, 17 Oct 2012 09:53:07 -0400
Subject: [PATCH 1/4] Use PK11_TraverseCertsForNicknameInSlot after all. Subject: [PATCH 01/30] Use PK11_TraverseCertsForNicknameInSlot after all.
As of 76bc13c it doesn't appear to be leaky any more, and it does a As of 76bc13c it doesn't appear to be leaky any more, and it does a
better job of disinguishing between certificates with the same nickname better job of disinguishing between certificates with the same nickname

@ -1,7 +1,7 @@
From e4aa0a2755d7b00e31760a7f90561b0566445fa4 Mon Sep 17 00:00:00 2001 From e4aa0a2755d7b00e31760a7f90561b0566445fa4 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com> From: Peter Jones <pjones@redhat.com>
Date: Wed, 17 Oct 2012 09:54:10 -0400 Date: Wed, 17 Oct 2012 09:54:10 -0400
Subject: [PATCH 2/4] Remove an unused field. Subject: [PATCH 02/30] Remove an unused field.
Signed-off-by: Peter Jones <pjones@redhat.com> Signed-off-by: Peter Jones <pjones@redhat.com>
--- ---

@ -1,8 +1,8 @@
From df5afd0e6d92f31a804f5f1631b6fae3b8ef4d8b Mon Sep 17 00:00:00 2001 From df5afd0e6d92f31a804f5f1631b6fae3b8ef4d8b Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com> From: Peter Jones <pjones@redhat.com>
Date: Wed, 17 Oct 2012 09:54:37 -0400 Date: Wed, 17 Oct 2012 09:54:37 -0400
Subject: [PATCH 3/4] Free the certificate list we make once we're done using Subject: [PATCH 03/30] Free the certificate list we make once we're done
it. using it.
Signed-off-by: Peter Jones <pjones@redhat.com> Signed-off-by: Peter Jones <pjones@redhat.com>
--- ---

@ -1,7 +1,7 @@
From c13cc0b03dcae9a743cc49aaa62c3923a3e7d8f9 Mon Sep 17 00:00:00 2001 From c13cc0b03dcae9a743cc49aaa62c3923a3e7d8f9 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com> From: Peter Jones <pjones@redhat.com>
Date: Wed, 17 Oct 2012 09:55:02 -0400 Date: Wed, 17 Oct 2012 09:55:02 -0400
Subject: [PATCH 4/4] Make sure we actually look up the certificate when not Subject: [PATCH 04/30] Make sure we actually look up the certificate when not
in daemon mode. in daemon mode.
Signed-off-by: Peter Jones <pjones@redhat.com> Signed-off-by: Peter Jones <pjones@redhat.com>

@ -1,7 +1,7 @@
From 844138e07535a8aa2be80496378c9929acaa1687 Mon Sep 17 00:00:00 2001 From 844138e07535a8aa2be80496378c9929acaa1687 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com> From: Peter Jones <pjones@redhat.com>
Date: Wed, 17 Oct 2012 10:35:41 -0400 Date: Wed, 17 Oct 2012 10:35:41 -0400
Subject: [PATCH 5/5] Fix check for allocations on tokenname,certname. Subject: [PATCH 05/30] Fix check for allocations on tokenname,certname.
If we didn't have anything to start with, we won't have anything when If we didn't have anything to start with, we won't have anything when
we're done... we're done...

@ -0,0 +1,812 @@
From 682233d107460b49071017b4d88c0430373dbd35 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 17 Oct 2012 10:55:25 -0400
Subject: [PATCH 06/30] Update valgrind.supp for newer codepaths.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/valgrind.supp | 361 ++++++++++++++++++++++++++++++++++++------------------
1 file changed, 245 insertions(+), 116 deletions(-)
diff --git a/src/valgrind.supp b/src/valgrind.supp
index 3a51293..0a8edd9 100644
--- a/src/valgrind.supp
+++ b/src/valgrind.supp
@@ -1,23 +1,43 @@
{
<insert_a_suppression_name_here>
- Memcheck:Leak
- fun:malloc
- fun:NSSRWLock_New_Util
- fun:NSSTrustDomain_Create
- fun:STAN_LoadDefaultNSS3TrustDomain
- fun:nss_Init
- fun:NSS_Init
- fun:main
+ Memcheck:Param
+ socketcall.sendto(msg)
+ fun:send
+ fun:MessageSend
+ fun:MessageSendWithHeader
+ fun:SCardConnect
+ fun:CKYCardConnection_Connect
+ fun:_ZN4Slot14connectToTokenEv
+ fun:_ZN4Slot17refreshTokenStateEv
+ fun:_ZN4Slot14isTokenPresentEv
+ fun:_ZN8SlotList11getSlotListEhPmS0_
+ fun:C_GetSlotList
+ fun:secmod_LoadPKCS11Module
+ fun:SECMOD_LoadModule
}
{
<insert_a_suppression_name_here>
- Memcheck:Leak
- fun:_Znwm
- obj:*
- fun:secmod_ModuleInit
+ Memcheck:Cond
+ fun:SCardStatus
+ fun:CKYCardConnection_GetStatus
+ fun:_ZN4Slot23cardStateMayHaveChangedEv
+ fun:_ZN4Slot17refreshTokenStateEv
+ fun:_ZN4Slot14isTokenPresentEv
+ fun:_ZN8SlotList11getSlotListEhPmS0_
+ fun:C_GetSlotList
fun:secmod_LoadPKCS11Module
fun:SECMOD_LoadModule
fun:SECMOD_LoadModule
+ fun:nss_InitModules
+ fun:nss_Init
+}
+{
+ <insert_a_suppression_name_here>
+ Memcheck:Leak
+ fun:malloc
+ fun:NSSRWLock_New_Util
+ fun:NSSTrustDomain_Create
+ fun:STAN_LoadDefaultNSS3TrustDomain
fun:nss_Init
fun:NSS_Init
fun:main
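Review bot: the two non-Leak suppressions introduced at the top of this hunk (Memcheck:Param on socketcall.sendto(msg) under SCardConnect, and Memcheck:Cond under SCardStatus) silence uninitialised-memory reports, not leaks. A Param error on sendto means the buffer handed to pcscd from the CKYCardConnection/Slot frames contains bytes that were never initialised, i.e. whatever was previously on the stack or heap is being written to the pcscd socket; that deserves a comment in the file and an upstream report against the smart-card module rather than a silent suppression. While touching these entries, replacing <insert_a_suppression_name_here> with descriptive names (for example pcsc-sendto-uninit, nss-init-trustdomain-rwlock) would let valgrind -v report which suppression fired.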
@@ -25,12 +45,15 @@
{
<insert_a_suppression_name_here>
Memcheck:Leak
- fun:_Znwm
- obj:*
- fun:secmod_ModuleInit
+ fun:malloc
+ fun:PORT_Alloc_Util
+ fun:PK11_ReadMechanismList
+ fun:PK11_InitToken
+ fun:PK11_InitSlot
fun:secmod_LoadPKCS11Module
fun:SECMOD_LoadModule
fun:SECMOD_LoadModule
+ fun:nss_InitModules
fun:nss_Init
fun:NSS_Init
fun:main
@@ -223,12 +246,10 @@
{
<insert_a_suppression_name_here>
Memcheck:Leak
- fun:_Znwm
- obj:*
- fun:secmod_ModuleInit
- fun:secmod_LoadPKCS11Module
- fun:SECMOD_LoadModule
- fun:SECMOD_LoadModule
+ fun:calloc
+ fun:NSSRWLock_New_Util
+ fun:NSSTrustDomain_Create
+ fun:STAN_LoadDefaultNSS3TrustDomain
fun:nss_Init
fun:NSS_Init
fun:main
@@ -237,10 +258,10 @@
<insert_a_suppression_name_here>
Memcheck:Leak
fun:malloc
- fun:PKIX_PL_Malloc
- fun:PKIX_PL_Object_Alloc
- fun:PKIX_PL_HashTable_Create
- fun:PKIX_Initialize
+ fun:PR_NewCondVar
+ fun:NSSRWLock_New_Util
+ fun:NSSTrustDomain_Create
+ fun:STAN_LoadDefaultNSS3TrustDomain
fun:nss_Init
fun:NSS_Init
fun:main
@@ -249,18 +270,7 @@
<insert_a_suppression_name_here>
Memcheck:Leak
fun:malloc
- fun:PKIX_PL_Malloc
- fun:PKIX_PL_Object_Alloc
- fun:PKIX_PL_HashTable_Create
- fun:PKIX_Initialize
- fun:nss_Init
- fun:NSS_Init
- fun:main
-}
-{
- <insert_a_suppression_name_here>
- Memcheck:Leak
- fun:calloc
+ fun:PR_NewCondVar
fun:NSSRWLock_New_Util
fun:NSSTrustDomain_Create
fun:STAN_LoadDefaultNSS3TrustDomain
@@ -272,10 +282,10 @@
<insert_a_suppression_name_here>
Memcheck:Leak
fun:malloc
- fun:PR_NewCondVar
- fun:NSSRWLock_New_Util
- fun:NSSTrustDomain_Create
- fun:STAN_LoadDefaultNSS3TrustDomain
+ fun:PKIX_PL_Malloc
+ fun:PKIX_PL_Object_Alloc
+ fun:PKIX_PL_HashTable_Create
+ fun:PKIX_Initialize
fun:nss_Init
fun:NSS_Init
fun:main
@@ -284,10 +294,10 @@
<insert_a_suppression_name_here>
Memcheck:Leak
fun:malloc
- fun:PR_NewCondVar
- fun:NSSRWLock_New_Util
- fun:NSSTrustDomain_Create
- fun:STAN_LoadDefaultNSS3TrustDomain
+ fun:PKIX_PL_Malloc
+ fun:PKIX_PL_Object_Alloc
+ fun:PKIX_PL_HashTable_Create
+ fun:PKIX_Initialize
fun:nss_Init
fun:NSS_Init
fun:main
@@ -357,8 +367,10 @@
fun:calloc
fun:PORT_ZAlloc_Util
fun:PORT_NewArena_Util
+ fun:secmod_NewModule
fun:SECMOD_CreateModule
fun:SECMOD_LoadModule
+ fun:nss_InitModules
fun:nss_Init
fun:NSS_Init
fun:main
@@ -368,8 +380,10 @@
Memcheck:Leak
fun:calloc
fun:nss_ZAlloc
+ fun:nss_arena_hash_alloc_table
fun:PL_NewHashTable
fun:nssHash_Create
+ fun:nssHash_CreateCertificate
fun:nssTrustDomain_InitializeCache
fun:NSSTrustDomain_Create
fun:STAN_LoadDefaultNSS3TrustDomain
@@ -382,8 +396,10 @@
Memcheck:Leak
fun:calloc
fun:nss_ZAlloc
+ fun:nss_arena_hash_alloc_table
fun:PL_NewHashTable
fun:nssHash_Create
+ fun:nssHash_CreateItem
fun:nssTrustDomain_InitializeCache
fun:NSSTrustDomain_Create
fun:STAN_LoadDefaultNSS3TrustDomain
@@ -396,8 +412,10 @@
Memcheck:Leak
fun:calloc
fun:nss_ZAlloc
+ fun:nss_arena_hash_alloc_table
fun:PL_NewHashTable
fun:nssHash_Create
+ fun:nssHash_CreateString
fun:nssTrustDomain_InitializeCache
fun:NSSTrustDomain_Create
fun:STAN_LoadDefaultNSS3TrustDomain
@@ -410,8 +428,10 @@
Memcheck:Leak
fun:calloc
fun:nss_ZAlloc
+ fun:nss_arena_hash_alloc_table
fun:PL_NewHashTable
fun:nssHash_Create
+ fun:nssHash_CreateString
fun:nssTrustDomain_InitializeCache
fun:NSSTrustDomain_Create
fun:STAN_LoadDefaultNSS3TrustDomain
@@ -424,28 +444,32 @@
Memcheck:Leak
fun:calloc
fun:nss_ZAlloc
+ fun:nss_arena_hash_alloc_table
fun:PL_NewHashTable
fun:nssHash_Create
+ fun:nssHash_CreateCertificate
fun:nssCertificateStore_Create
fun:nssCryptoContext_Create
+ fun:nssTrustDomain_CreateCryptoContext
+ fun:NSSTrustDomain_CreateCryptoContext
fun:STAN_LoadDefaultNSS3TrustDomain
fun:nss_Init
- fun:NSS_Init
- fun:main
}
{
<insert_a_suppression_name_here>
Memcheck:Leak
fun:calloc
fun:nss_ZAlloc
+ fun:nss_arena_hash_alloc_table
fun:PL_NewHashTable
fun:nssHash_Create
+ fun:nssHash_CreateItem
fun:nssCertificateStore_Create
fun:nssCryptoContext_Create
+ fun:nssTrustDomain_CreateCryptoContext
+ fun:NSSTrustDomain_CreateCryptoContext
fun:STAN_LoadDefaultNSS3TrustDomain
fun:nss_Init
- fun:NSS_Init
- fun:main
}
{
<insert_a_suppression_name_here>
@@ -466,6 +490,7 @@
fun:calloc
fun:nss_ZAlloc
fun:nssArena_Create
+ fun:NSSArena_Create
fun:NSSTrustDomain_Create
fun:STAN_LoadDefaultNSS3TrustDomain
fun:nss_Init
@@ -505,7 +530,10 @@
fun:calloc
fun:nss_ZAlloc
fun:nssArena_Create
+ fun:NSSArena_Create
fun:nssCryptoContext_Create
+ fun:nssTrustDomain_CreateCryptoContext
+ fun:NSSTrustDomain_CreateCryptoContext
fun:STAN_LoadDefaultNSS3TrustDomain
fun:nss_Init
fun:NSS_Init
@@ -514,14 +542,12 @@
{
<insert_a_suppression_name_here>
Memcheck:Leak
- fun:malloc
- obj:*
- obj:*
- obj:*
- fun:secmod_ModuleInit
- fun:secmod_LoadPKCS11Module
- fun:SECMOD_LoadModule
- fun:SECMOD_LoadModule
+ fun:calloc
+ fun:nss_ZAlloc
+ fun:nssTokenObjectCache_Create
+ fun:nssToken_CreateFromPK11SlotInfo
+ fun:STAN_InitTokenForSlotInfo
+ fun:STAN_LoadDefaultNSS3TrustDomain
fun:nss_Init
fun:NSS_Init
fun:main
@@ -531,28 +557,32 @@
Memcheck:Leak
fun:calloc
fun:nss_ZAlloc
+ fun:nss_arena_hash_alloc_table
fun:PL_NewHashTable
fun:nssHash_Create
+ fun:nssHash_CreateCertificate
fun:nssCertificateStore_Create
fun:nssCryptoContext_Create
+ fun:nssTrustDomain_CreateCryptoContext
+ fun:NSSTrustDomain_CreateCryptoContext
fun:STAN_LoadDefaultNSS3TrustDomain
fun:nss_Init
- fun:NSS_Init
- fun:main
}
{
<insert_a_suppression_name_here>
Memcheck:Leak
fun:calloc
fun:nss_ZAlloc
+ fun:nss_arena_hash_alloc_table
fun:PL_NewHashTable
fun:nssHash_Create
+ fun:nssHash_CreateItem
fun:nssCertificateStore_Create
fun:nssCryptoContext_Create
+ fun:nssTrustDomain_CreateCryptoContext
+ fun:NSSTrustDomain_CreateCryptoContext
fun:STAN_LoadDefaultNSS3TrustDomain
fun:nss_Init
- fun:NSS_Init
- fun:main
}
{
<insert_a_suppression_name_here>
@@ -560,35 +590,11 @@
fun:calloc
fun:PORT_ZAlloc_Util
fun:PORT_NewArena_Util
+ fun:secmod_NewModule
fun:SECMOD_CreateModule
fun:SECMOD_LoadModule
fun:SECMOD_LoadModule
- fun:nss_Init
- fun:NSS_Init
- fun:main
-}
-{
- <insert_a_suppression_name_here>
- Memcheck:Leak
- fun:calloc
- fun:nss_ZAlloc
- fun:nssArena_Create
- fun:nssToken_CreateFromPK11SlotInfo
- fun:STAN_InitTokenForSlotInfo
- fun:STAN_LoadDefaultNSS3TrustDomain
- fun:nss_Init
- fun:NSS_Init
- fun:main
-}
-{
- <insert_a_suppression_name_here>
- Memcheck:Leak
- fun:calloc
- fun:nss_ZAlloc
- fun:nssArena_Create
- fun:nssToken_CreateFromPK11SlotInfo
- fun:STAN_InitTokenForSlotInfo
- fun:STAN_LoadDefaultNSS3TrustDomain
+ fun:nss_InitModules
fun:nss_Init
fun:NSS_Init
fun:main
@@ -599,8 +605,10 @@
fun:calloc
fun:PR_NewLock
fun:PORT_NewArena_Util
+ fun:secmod_NewModule
fun:SECMOD_CreateModule
fun:SECMOD_LoadModule
+ fun:nss_InitModules
fun:nss_Init
fun:NSS_Init
fun:main
@@ -610,8 +618,10 @@
Memcheck:Leak
fun:calloc
fun:PR_NewLock
+ fun:secmod_NewModule
fun:SECMOD_CreateModule
fun:SECMOD_LoadModule
+ fun:nss_InitModules
fun:nss_Init
fun:NSS_Init
fun:main
@@ -621,22 +631,11 @@
Memcheck:Leak
fun:calloc
fun:PR_NewLock
- fun:PKIX_PL_Object_Alloc
- fun:PKIX_PL_HashTable_Create
- fun:PKIX_Initialize
- fun:nss_Init
- fun:NSS_Init
- fun:main
-}
-{
- <insert_a_suppression_name_here>
- Memcheck:Leak
- fun:calloc
- fun:PR_NewLock
- fun:PKIX_PL_Object_Alloc
- fun:PKIX_PL_Mutex_Create
- fun:PKIX_PL_HashTable_Create
- fun:PKIX_Initialize
+ fun:PK11_NewSlotInfo
+ fun:secmod_LoadPKCS11Module
+ fun:SECMOD_LoadModule
+ fun:SECMOD_LoadModule
+ fun:nss_InitModules
fun:nss_Init
fun:NSS_Init
fun:main
@@ -646,9 +645,11 @@
Memcheck:Leak
fun:calloc
fun:PR_NewLock
- fun:PKIX_PL_Mutex_Create
- fun:PKIX_PL_HashTable_Create
- fun:PKIX_Initialize
+ fun:PK11_NewSlotInfo
+ fun:secmod_LoadPKCS11Module
+ fun:SECMOD_LoadModule
+ fun:SECMOD_LoadModule
+ fun:nss_InitModules
fun:nss_Init
fun:NSS_Init
fun:main
@@ -658,9 +659,10 @@
Memcheck:Leak
fun:calloc
fun:PR_NewLock
- fun:PKIX_PL_Object_Alloc
- fun:PKIX_PL_HashTable_Create
- fun:PKIX_Initialize
+ fun:nssArena_Create
+ fun:NSSArena_Create
+ fun:NSSTrustDomain_Create
+ fun:STAN_LoadDefaultNSS3TrustDomain
fun:nss_Init
fun:NSS_Init
fun:main
@@ -670,7 +672,7 @@
Memcheck:Leak
fun:calloc
fun:PR_NewLock
- fun:nssArena_Create
+ fun:NSSRWLock_New_Util
fun:NSSTrustDomain_Create
fun:STAN_LoadDefaultNSS3TrustDomain
fun:nss_Init
@@ -682,7 +684,8 @@
Memcheck:Leak
fun:calloc
fun:PR_NewLock
- fun:NSSRWLock_New_Util
+ fun:nssArena_Create
+ fun:nssTrustDomain_InitializeCache
fun:NSSTrustDomain_Create
fun:STAN_LoadDefaultNSS3TrustDomain
fun:nss_Init
@@ -694,7 +697,6 @@
Memcheck:Leak
fun:calloc
fun:PR_NewLock
- fun:nssArena_Create
fun:nssTrustDomain_InitializeCache
fun:NSSTrustDomain_Create
fun:STAN_LoadDefaultNSS3TrustDomain
@@ -707,6 +709,8 @@
Memcheck:Leak
fun:calloc
fun:PR_NewLock
+ fun:nssHash_Create
+ fun:nssHash_CreateCertificate
fun:nssTrustDomain_InitializeCache
fun:NSSTrustDomain_Create
fun:STAN_LoadDefaultNSS3TrustDomain
@@ -720,6 +724,7 @@
fun:calloc
fun:PR_NewLock
fun:nssHash_Create
+ fun:nssHash_CreateItem
fun:nssTrustDomain_InitializeCache
fun:NSSTrustDomain_Create
fun:STAN_LoadDefaultNSS3TrustDomain
@@ -733,6 +738,7 @@
fun:calloc
fun:PR_NewLock
fun:nssHash_Create
+ fun:nssHash_CreateString
fun:nssTrustDomain_InitializeCache
fun:NSSTrustDomain_Create
fun:STAN_LoadDefaultNSS3TrustDomain
@@ -746,6 +752,7 @@
fun:calloc
fun:PR_NewLock
fun:nssHash_Create
+ fun:nssHash_CreateString
fun:nssTrustDomain_InitializeCache
fun:NSSTrustDomain_Create
fun:STAN_LoadDefaultNSS3TrustDomain
@@ -758,9 +765,7 @@
Memcheck:Leak
fun:calloc
fun:PR_NewLock
- fun:nssHash_Create
- fun:nssTrustDomain_InitializeCache
- fun:NSSTrustDomain_Create
+ fun:nssList_Create
fun:STAN_LoadDefaultNSS3TrustDomain
fun:nss_Init
fun:NSS_Init
@@ -771,7 +776,9 @@
Memcheck:Leak
fun:calloc
fun:PR_NewLock
- fun:nssList_Create
+ fun:nssTokenObjectCache_Create
+ fun:nssToken_CreateFromPK11SlotInfo
+ fun:STAN_InitTokenForSlotInfo
fun:STAN_LoadDefaultNSS3TrustDomain
fun:nss_Init
fun:NSS_Init
@@ -821,7 +828,10 @@
fun:calloc
fun:PR_NewLock
fun:nssArena_Create
+ fun:NSSArena_Create
fun:nssCryptoContext_Create
+ fun:nssTrustDomain_CreateCryptoContext
+ fun:NSSTrustDomain_CreateCryptoContext
fun:STAN_LoadDefaultNSS3TrustDomain
fun:nss_Init
fun:NSS_Init
@@ -834,6 +844,8 @@
fun:PR_NewLock
fun:nssCertificateStore_Create
fun:nssCryptoContext_Create
+ fun:nssTrustDomain_CreateCryptoContext
+ fun:NSSTrustDomain_CreateCryptoContext
fun:STAN_LoadDefaultNSS3TrustDomain
fun:nss_Init
fun:NSS_Init
@@ -845,8 +857,11 @@
fun:calloc
fun:PR_NewLock
fun:nssHash_Create
+ fun:nssHash_CreateCertificate
fun:nssCertificateStore_Create
fun:nssCryptoContext_Create
+ fun:nssTrustDomain_CreateCryptoContext
+ fun:NSSTrustDomain_CreateCryptoContext
fun:STAN_LoadDefaultNSS3TrustDomain
fun:nss_Init
fun:NSS_Init
@@ -858,8 +873,11 @@
fun:calloc
fun:PR_NewLock
fun:nssHash_Create
+ fun:nssHash_CreateItem
fun:nssCertificateStore_Create
fun:nssCryptoContext_Create
+ fun:nssTrustDomain_CreateCryptoContext
+ fun:NSSTrustDomain_CreateCryptoContext
fun:STAN_LoadDefaultNSS3TrustDomain
fun:nss_Init
fun:NSS_Init
@@ -871,6 +889,55 @@
fun:calloc
fun:PR_NewLock
fun:PKIX_PL_Object_Alloc
+ fun:PKIX_PL_HashTable_Create
+ fun:PKIX_Initialize
+ fun:nss_Init
+ fun:NSS_Init
+ fun:main
+}
+{
+ <insert_a_suppression_name_here>
+ Memcheck:Leak
+ fun:calloc
+ fun:PR_NewLock
+ fun:PKIX_PL_Object_Alloc
+ fun:PKIX_PL_Mutex_Create
+ fun:PKIX_PL_HashTable_Create
+ fun:PKIX_Initialize
+ fun:nss_Init
+ fun:NSS_Init
+ fun:main
+}
+{
+ <insert_a_suppression_name_here>
+ Memcheck:Leak
+ fun:calloc
+ fun:PR_NewLock
+ fun:PKIX_PL_Mutex_Create
+ fun:PKIX_PL_HashTable_Create
+ fun:PKIX_Initialize
+ fun:nss_Init
+ fun:NSS_Init
+ fun:main
+}
+{
+ <insert_a_suppression_name_here>
+ Memcheck:Leak
+ fun:calloc
+ fun:PR_NewLock
+ fun:PKIX_PL_Object_Alloc
+ fun:PKIX_PL_HashTable_Create
+ fun:PKIX_Initialize
+ fun:nss_Init
+ fun:NSS_Init
+ fun:main
+}
+{
+ <insert_a_suppression_name_here>
+ Memcheck:Leak
+ fun:calloc
+ fun:PR_NewLock
+ fun:PKIX_PL_Object_Alloc
fun:PKIX_PL_Mutex_Create
fun:PKIX_PL_HashTable_Create
fun:PKIX_Initialize
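Review bot: two of the entries this hunk inserts are exact duplicates. The calloc / PR_NewLock / PKIX_PL_Object_Alloc / PKIX_PL_HashTable_Create / PKIX_Initialize stack appears twice (the first and fourth new entries), and the PKIX_PL_Object_Alloc / PKIX_PL_Mutex_Create variant added as the second entry is the same stack that the hunk's trailing context lines complete for the last entry. Valgrind stops at the first matching suppression, so the repeats are dead weight; dropping them keeps the file auditable, especially since the earlier hunk at old lines 621-645 only moved these PKIX entries rather than removing them.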
@@ -1064,6 +1131,33 @@
{
<insert_a_suppression_name_here>
Memcheck:Leak
+ fun:calloc
+ fun:nss_ZAlloc
+ fun:nssArena_Create
+ fun:nssToken_CreateFromPK11SlotInfo
+ fun:STAN_InitTokenForSlotInfo
+ fun:STAN_LoadDefaultNSS3TrustDomain
+ fun:nss_Init
+ fun:NSS_Init
+ fun:main
+}
+{
+ <insert_a_suppression_name_here>
+ Memcheck:Leak
+ fun:calloc
+ fun:nss_ZAlloc
+ fun:nssArena_Create
+ fun:nssSlot_CreateFromPK11SlotInfo
+ fun:nssToken_CreateFromPK11SlotInfo
+ fun:STAN_InitTokenForSlotInfo
+ fun:STAN_LoadDefaultNSS3TrustDomain
+ fun:nss_Init
+ fun:NSS_Init
+ fun:main
+}
+{
+ <insert_a_suppression_name_here>
+ Memcheck:Leak
fun:malloc
fun:PKIX_PL_Malloc
fun:pkix_pl_PrimHashTable_Create
@@ -1126,8 +1220,10 @@
Memcheck:Leak
fun:calloc
fun:nss_ZAlloc
+ fun:nss_arena_hash_alloc_table
fun:PL_NewHashTable
fun:nssHash_Create
+ fun:nssHash_CreateCertificate
fun:nssTrustDomain_InitializeCache
fun:NSSTrustDomain_Create
fun:STAN_LoadDefaultNSS3TrustDomain
@@ -1140,8 +1236,10 @@
Memcheck:Leak
fun:calloc
fun:nss_ZAlloc
+ fun:nss_arena_hash_alloc_table
fun:PL_NewHashTable
fun:nssHash_Create
+ fun:nssHash_CreateItem
fun:nssTrustDomain_InitializeCache
fun:NSSTrustDomain_Create
fun:STAN_LoadDefaultNSS3TrustDomain
@@ -1154,8 +1252,10 @@
Memcheck:Leak
fun:calloc
fun:nss_ZAlloc
+ fun:nss_arena_hash_alloc_table
fun:PL_NewHashTable
fun:nssHash_Create
+ fun:nssHash_CreateString
fun:nssTrustDomain_InitializeCache
fun:NSSTrustDomain_Create
fun:STAN_LoadDefaultNSS3TrustDomain
@@ -1168,8 +1268,10 @@
Memcheck:Leak
fun:calloc
fun:nss_ZAlloc
+ fun:nss_arena_hash_alloc_table
fun:PL_NewHashTable
fun:nssHash_Create
+ fun:nssHash_CreateString
fun:nssTrustDomain_InitializeCache
fun:NSSTrustDomain_Create
fun:STAN_LoadDefaultNSS3TrustDomain
@@ -1183,9 +1285,11 @@
fun:calloc
fun:PR_NewLock
fun:PORT_NewArena_Util
+ fun:secmod_NewModule
fun:SECMOD_CreateModule
fun:SECMOD_LoadModule
fun:SECMOD_LoadModule
+ fun:nss_InitModules
fun:nss_Init
fun:NSS_Init
fun:main
@@ -1195,9 +1299,11 @@
Memcheck:Leak
fun:calloc
fun:PR_NewLock
+ fun:secmod_NewModule
fun:SECMOD_CreateModule
fun:SECMOD_LoadModule
fun:SECMOD_LoadModule
+ fun:nss_InitModules
fun:nss_Init
fun:NSS_Init
fun:main
@@ -1233,6 +1339,7 @@
fun:calloc
fun:PR_NewLock
fun:nssArena_Create
+ fun:nssSlot_CreateFromPK11SlotInfo
fun:nssToken_CreateFromPK11SlotInfo
fun:STAN_InitTokenForSlotInfo
fun:STAN_LoadDefaultNSS3TrustDomain
@@ -1245,6 +1352,7 @@
Memcheck:Leak
fun:calloc
fun:PR_NewLock
+ fun:nssSlot_CreateFromPK11SlotInfo
fun:nssToken_CreateFromPK11SlotInfo
fun:STAN_InitTokenForSlotInfo
fun:STAN_LoadDefaultNSS3TrustDomain
@@ -1258,8 +1366,24 @@
fun:malloc
fun:PL_ArenaAllocate
fun:PORT_ArenaAlloc_Util
+ fun:secmod_NewModule
fun:SECMOD_CreateModule
fun:SECMOD_LoadModule
+ fun:nss_InitModules
+ fun:nss_Init
+ fun:NSS_Init
+ fun:main
+}
+{
+ <insert_a_suppression_name_here>
+ Memcheck:Leak
+ fun:malloc
+ fun:PORT_Alloc_Util
+ fun:PK11_NewSlotInfo
+ fun:secmod_LoadPKCS11Module
+ fun:SECMOD_LoadModule
+ fun:SECMOD_LoadModule
+ fun:nss_InitModules
fun:nss_Init
fun:NSS_Init
fun:main
@@ -1273,7 +1397,9 @@
fun:legacy_ReadSecmodDB
fun:sftkdb_ReadSecmodDB
fun:NSC_ModuleDBFunc
+ fun:SECMOD_GetModuleSpecList
fun:SECMOD_LoadModule
+ fun:nss_InitModules
fun:nss_Init
fun:NSS_Init
fun:main
@@ -1349,6 +1475,8 @@
fun:nss_zalloc_arena_locked
fun:nss_ZAlloc
fun:nssCryptoContext_Create
+ fun:nssTrustDomain_CreateCryptoContext
+ fun:NSSTrustDomain_CreateCryptoContext
fun:STAN_LoadDefaultNSS3TrustDomain
fun:nss_Init
fun:NSS_Init
@@ -1375,6 +1503,7 @@
fun:PL_ArenaAllocate
fun:nss_zalloc_arena_locked
fun:nss_ZAlloc
+ fun:nssSlot_CreateFromPK11SlotInfo
fun:nssToken_CreateFromPK11SlotInfo
fun:STAN_InitTokenForSlotInfo
fun:STAN_LoadDefaultNSS3TrustDomain
--
1.7.12.1

@ -0,0 +1,25 @@
From 81bf0e36a82a3d746a01aee50d8ee460dc794b19 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 17 Oct 2012 10:57:20 -0400
Subject: [PATCH 07/30] Free the pid string once we're done writing it.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/daemon.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/daemon.c b/src/daemon.c
index daa2dbf..245491f 100644
--- a/src/daemon.c
+++ b/src/daemon.c
@@ -842,6 +842,7 @@ err:
if (rc < 0)
goto err;
+ free(pidstr);
close(fd);
}
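Review bot: free(pidstr) only runs on the success path. When the write fails and control jumps to err, the string leaks unless the err: label frees it, which nothing in this hunk shows. Freeing it right after the write, before the rc check (or additionally in the err path), closes the leak on both paths instead of only the one valgrind happened to exercise.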
--
1.7.12.1

@ -0,0 +1,38 @@
From 50c50c8fbebab3d8b5efff35dc1a7ca4b44d6b19 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 17 Oct 2012 11:08:30 -0400
Subject: [PATCH 08/30] [valgrind] Don't complain about unlocking a key and
keeping the handle.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/valgrind.supp | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/src/valgrind.supp b/src/valgrind.supp
index 0a8edd9..62934e8 100644
--- a/src/valgrind.supp
+++ b/src/valgrind.supp
@@ -1511,3 +1511,19 @@
fun:NSS_Init
fun:main
}
+{
+ <insert_a_suppression_name_here>
+ Memcheck:Leak
+ fun:calloc
+ fun:nss_ZAlloc
+ fun:nssArena_Create
+ fun:nssList_Create
+ fun:nssTrustDomain_UpdateCachedTokenCerts
+ fun:PK11_DoPassword
+ fun:PK11_Authenticate
+ fun:unlock_nss_token
+ fun:handle_unlock_token
+ fun:handle_event
+ fun:handle_events
+ fun:daemonize
+}
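Review bot: this entry covers an intentional retention rather than a stray allocation, as the subject says: the token stays authenticated for the daemon's lifetime, so the list created under nssTrustDomain_UpdateCachedTokenCerts is never released. It keeps the placeholder name, though, so a later reader has no way to tell it from the NSS_Init noise above. Give it a descriptive name and a one-line comment stating that the handle is kept on purpose; note also that the stack ends at fun:daemonize with no fun:main, unlike the surrounding entries, which should be deliberate rather than a copy-paste omission.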
--
1.7.12.1

@ -0,0 +1,36 @@
From b71f1d2e8f7ad6853e5e68134a66baf9dea2471b Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 17 Oct 2012 11:26:04 -0400
Subject: [PATCH 09/30] Only try to register OIDs once.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/cms_common.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/cms_common.c b/src/cms_common.c
index 2d51979..6219a2a 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -179,11 +179,15 @@ cms_common_log(cms_context *ctx, int priority, char *fmt, ...)
int
cms_context_init(cms_context *cms)
{
+ static int first_time = 1;
memset(cms, '\0', sizeof (*cms));
- SECStatus status = register_oids(cms);
- if (status != SECSuccess)
- return -1;
+ if (first_time) {
+ SECStatus status = register_oids(cms);
+ if (status != SECSuccess)
+ return -1;
+ first_time = 0;
+ }
cms->log = cms_common_log;
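Review bot: the function-local static guard is not safe if cms_context_init is ever called from more than one thread; two callers can both observe first_time == 1 and register the OIDs twice, which is the situation the guard is meant to prevent. For the single-threaded daemon this is fine, but it is worth a comment. The failure path is correct as written: first_time is only cleared after register_oids succeeds, so a failed registration is retried on the next init rather than being permanently skipped.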
--
1.7.12.1

@ -0,0 +1,30 @@
From f966137c17f74fc3e343dfb6e04300a9d179de03 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 17 Oct 2012 12:05:29 -0400
Subject: [PATCH 10/30] Check for NSS_Shutdown() failure.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/daemon.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/daemon.c b/src/daemon.c
index 245491f..77fff90 100644
--- a/src/daemon.c
+++ b/src/daemon.c
@@ -967,6 +967,11 @@ daemonize(cms_context *cms_ctx, int do_fork)
rc = handle_events(&ctx);
- NSS_Shutdown();
+ status = NSS_Shutdown();
+ if (status != SECSuccess) {
+ fprintf(stderr, "NSS_Shutdown failed: %s\n",
+ PORT_ErrorToString(PORT_GetError()));
+ exit(1);
+ }
return rc;
}
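Review bot: the fprintf to stderr will never be seen once daemonize has redirected standard error to /dev/null, which this same function does a few lines earlier, so the failure message should go through ctx.backup_cms->log like the other errors in daemonize. Separately, calling exit(1) here throws away the rc that handle_events returned; returning an error code (or logging and falling through to return rc) keeps the caller's exit status meaningful.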
--
1.7.12.1

@ -0,0 +1,100 @@
From 0dddfd5e738232403220b0d18888f94fa0032a59 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 17 Oct 2012 12:17:39 -0400
Subject: [PATCH 11/30] Don't destroy stdin/stdout/stderr if we don't fork.
I like being able to read my error messages.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/daemon.c | 59 +++++++++++++++++++++++++++++++++--------------------------
1 file changed, 33 insertions(+), 26 deletions(-)
diff --git a/src/daemon.c b/src/daemon.c
index 77fff90..a31c063 100644
--- a/src/daemon.c
+++ b/src/daemon.c
@@ -890,33 +890,38 @@ daemonize(cms_context *cms_ctx, int do_fork)
exit(1);
}
- int fd = open("/dev/zero", O_RDONLY);
- close(STDIN_FILENO);
- rc = dup2(fd, STDIN_FILENO);
- if (rc < 0) {
- ctx.backup_cms->log(ctx.backup_cms, ctx.priority|LOG_ERR,
- "pesignd: could not set up standard input: %m");
- exit(1);
- }
- close(fd);
+ if (do_fork) {
+ int fd = open("/dev/zero", O_RDONLY);
+ close(STDIN_FILENO);
+ rc = dup2(fd, STDIN_FILENO);
+ if (rc < 0) {
+ ctx.backup_cms->log(ctx.backup_cms,
+ ctx.priority|LOG_ERR,
+ "pesignd: could not set up standard input: %m");
+ exit(1);
+ }
+ close(fd);
- fd = open("/dev/null", O_WRONLY);
- close(STDOUT_FILENO);
- rc = dup2(fd, STDOUT_FILENO);
- if (rc < 0) {
- ctx.backup_cms->log(ctx.backup_cms, ctx.priority|LOG_ERR,
- "pesignd: could not set up standard output: %m");
- exit(1);
- }
+ fd = open("/dev/null", O_WRONLY);
+ close(STDOUT_FILENO);
+ rc = dup2(fd, STDOUT_FILENO);
+ if (rc < 0) {
+ ctx.backup_cms->log(ctx.backup_cms,
+ ctx.priority|LOG_ERR,
+ "pesignd: could not set up standard output: %m");
+ exit(1);
+ }
- close(STDERR_FILENO);
- rc = dup2(fd, STDERR_FILENO);
- if (rc < 0) {
- ctx.backup_cms->log(ctx.backup_cms, ctx.priority|LOG_ERR,
- "pesignd: could not set up standard error: %m");
- exit(1);
+ close(STDERR_FILENO);
+ rc = dup2(fd, STDERR_FILENO);
+ if (rc < 0) {
+ ctx.backup_cms->log(ctx.backup_cms,
+ ctx.priority|LOG_ERR,
+ "pesignd: could not set up standard error: %m");
+ exit(1);
+ }
+ close(fd);
}
- close(fd);
prctl(PR_SET_NAME, "pesignd", 0, 0, 0);
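Review bot: the open("/dev/zero") and open("/dev/null") return values are still unchecked in the moved block. If either open fails, dup2(-1, ...) fails with EBADF, the log line blames the dup2 ("could not set up standard input: %m") rather than the open, and close(fd) is then called on -1. Add a fd < 0 check with its own message after each open. Guarding the whole block with do_fork is the right fix for the stated problem, since the non-fork case now keeps the inherited descriptors and the old trailing close(fd) correctly moves inside the block.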
@@ -963,13 +968,15 @@ daemonize(cms_context *cms_ctx, int do_fork)
cms_set_pw_callback(ctx.backup_cms, get_password_fail);
cms_set_pw_data(ctx.backup_cms, NULL);
- ctx.backup_cms->log = daemon_logger;
+ if (do_fork)
+ ctx.backup_cms->log = daemon_logger;
rc = handle_events(&ctx);
status = NSS_Shutdown();
if (status != SECSuccess) {
- fprintf(stderr, "NSS_Shutdown failed: %s\n",
+ ctx.backup_cms->log(ctx.backup_cms, ctx.priority|LOG_ERR,
+ "NSS_Shutdown failed: %s\n",
PORT_ErrorToString(PORT_GetError()));
exit(1);
}
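Review bot: the new log format string ends in "\n" while the other ctx.backup_cms->log calls in this file (e.g. "pesignd: could not set up standard input: %m") carry no trailing newline. In forked mode the logger is daemon_logger, and a syslog-style sink adds its own line termination, so the "\n" is either redundant or ends up embedded in the log record; drop it for consistency.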
--
1.7.12.1

@ -0,0 +1,54 @@
From 19c8e797d092e17f2882d249d5446728a76db050 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 17 Oct 2012 14:29:30 -0400
Subject: [PATCH 12/30] [valgrind] Add SECMOD_LoadModule codepath.
This is called once when we initialize the database.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/valgrind.supp | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/src/valgrind.supp b/src/valgrind.supp
index 62934e8..783bdad 100644
--- a/src/valgrind.supp
+++ b/src/valgrind.supp
@@ -1527,3 +1527,34 @@
fun:handle_events
fun:daemonize
}
+{
+ <insert_a_suppression_name_here>
+ Memcheck:Leak
+ fun:_Znwm
+ obj:*
+ fun:secmod_ModuleInit
+ fun:secmod_LoadPKCS11Module
+ fun:SECMOD_LoadModule
+ fun:SECMOD_LoadModule
+ fun:nss_InitModules
+ fun:nss_Init
+ fun:NSS_Init
+ fun:daemonize
+ fun:main
+}
+{
+ <insert_a_suppression_name_here>
+ Memcheck:Leak
+ fun:malloc
+ obj:*
+ obj:*
+ obj:*
+ fun:secmod_ModuleInit
+ fun:secmod_LoadPKCS11Module
+ fun:SECMOD_LoadModule
+ fun:SECMOD_LoadModule
+ fun:nss_InitModules
+ fun:nss_Init
+ fun:NSS_Init
+ fun:daemonize
+}
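Review bot: both entries rely on obj:* wildcard frames between the allocator (operator new via _Znwm, or malloc) and secmod_ModuleInit, so they match an allocation from any shared object reached through secmod_ModuleInit, not just the C++ PKCS#11 module whose Slot:: frames appear earlier in the file; a future leak in a different module loaded through the same path would be hidden too. If the intent is a one-time allocation at module load, as the message says, the usual trade-off is to name the object instead of obj:* where practical. The second entry also ends at fun:daemonize without the fun:main that the first one has, which looks like an accidental inconsistency rather than a deliberate choice.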
--
1.7.12.1

@ -0,0 +1,119 @@
From 186b6d5d39a1feeaa5f9493d28dc4f53015d551d Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 17 Oct 2012 14:33:35 -0400
Subject: [PATCH 13/30] Don't set up digests in cms_context_init.
Move digest setup out of cms_context_init, so we can avoid leaking the
reference to the digests by not having them in ctx->backup_cms in the
daemon.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/cms_common.c | 9 ++-------
src/cms_common.h | 3 +++
src/daemon.c | 27 +++++++++++++++++++++++++++
3 files changed, 32 insertions(+), 7 deletions(-)
diff --git a/src/cms_common.c b/src/cms_common.c
index 6219a2a..a8e34dd 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -97,7 +97,7 @@ digest_get_digest_size(cms_context *cms)
}
-static int
+int
setup_digests(cms_context *cms)
{
struct digest *digests = NULL;
@@ -133,7 +133,7 @@ err:
return -1;
}
-static void
+void
teardown_digests(cms_context *ctx)
{
struct digest *digests = ctx->digests;
@@ -199,11 +199,6 @@ cms_context_init(cms_context *cms)
return -1;
}
- int rc = setup_digests(cms);
- if (rc < 0) {
- PORT_FreeArena(cms->arena, PR_TRUE);
- return -1;
- }
cms->selected_digest = -1;
return 0;
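Review bot: dropping setup_digests from cms_context_init changes the contract for every caller, but the diffstat shows only daemon.c gaining setup_digests calls. Any non-daemon path that relied on cms_context_init populating cms->digests will now run with it NULL until it gets the same treatment, and the ordering of cms->selected_digest = -1 relative to a later setup_digests call should be checked so the selected index still refers to a populated list.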
diff --git a/src/cms_common.h b/src/cms_common.h
index fc80fa3..830427e 100644
--- a/src/cms_common.h
+++ b/src/cms_common.h
@@ -86,6 +86,9 @@ extern int cms_context_alloc(cms_context **ctxp);
extern int cms_context_init(cms_context *ctx);
extern void cms_context_fini(cms_context *ctx);
+extern int setup_digests(cms_context *cms);
+extern void teardown_digests(cms_context *ctx);
+
extern int generate_octet_string(cms_context *ctx, SECItem *encoded,
SECItem *original);
extern int generate_object_id(cms_context *ctx, SECItem *encoded,
diff --git a/src/daemon.c b/src/daemon.c
index a31c063..f44f069 100644
--- a/src/daemon.c
+++ b/src/daemon.c
@@ -143,6 +143,15 @@ handle_unlock_token(context *ctx, struct pollfd *pollfd, socklen_t size)
return;
}
+ rc = setup_digests(ctx->cms);
+ if (rc < 0) {
+ ctx->backup_cms->log(ctx->backup_cms, ctx->priority|LOG_NOTICE,
+ "Could not initialize digests: %s\n",
+ PORT_ErrorToString(PORT_GetError()));
+ send_response(ctx, ctx->backup_cms, pollfd, rc);
+ return;
+ }
+
steal_from_cms(ctx->backup_cms, ctx->cms);
if (!buffer) {
@@ -491,6 +500,15 @@ handle_sign_attached(context *ctx, struct pollfd *pollfd, socklen_t size)
if (rc < 0)
return;
+ rc = setup_digests(ctx->cms);
+ if (rc < 0) {
+ ctx->backup_cms->log(ctx->backup_cms, ctx->priority|LOG_NOTICE,
+ "Could not initialize digests: %s\n",
+ PORT_ErrorToString(PORT_GetError()));
+ send_response(ctx, ctx->backup_cms, pollfd, rc);
+ return;
+ }
+
steal_from_cms(ctx->backup_cms, ctx->cms);
handle_signing(ctx, pollfd, size, 1);
@@ -506,6 +524,15 @@ handle_sign_detached(context *ctx, struct pollfd *pollfd, socklen_t size)
if (rc < 0)
return;
+ rc = setup_digests(ctx->cms);
+ if (rc < 0) {
+ ctx->backup_cms->log(ctx->backup_cms, ctx->priority|LOG_NOTICE,
+ "Could not initialize digests: %s\n",
+ PORT_ErrorToString(PORT_GetError()));
+ send_response(ctx, ctx->backup_cms, pollfd, rc);
+ return;
+ }
+
steal_from_cms(ctx->backup_cms, ctx->cms);
handle_signing(ctx, pollfd, size, 0);
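Review bot: this is the third verbatim copy of the same nine-line setup_digests-and-log block in daemon.c (handle_unlock_token, handle_sign_attached, handle_sign_detached); a small static helper that sets up the digests and sends the failure response would keep the three in sync. More importantly, none of the three hunks shows a matching teardown_digests call, and the export of teardown_digests in cms_common.h suggests one is now expected from the caller; unless steal_from_cms or cms_context_fini releases them, each request now allocates a fresh digest list, which is the leak this commit set out to remove.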
--
1.7.12.1

@ -0,0 +1,53 @@
From e1f8d4e38f4ad08fb407691a3f59edc19a1f15e2 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 17 Oct 2012 14:41:18 -0400
Subject: [PATCH 14/30] Do register_oids() where we're doing NSS_Init()
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/cms_common.c | 8 --------
src/daemon.c | 7 +++++++
2 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/src/cms_common.c b/src/cms_common.c
index a8e34dd..6188e6e 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -179,16 +179,8 @@ cms_common_log(cms_context *ctx, int priority, char *fmt, ...)
int
cms_context_init(cms_context *cms)
{
- static int first_time = 1;
memset(cms, '\0', sizeof (*cms));
- if (first_time) {
- SECStatus status = register_oids(cms);
- if (status != SECSuccess)
- return -1;
- first_time = 0;
- }
-
cms->log = cms_common_log;
cms->arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
diff --git a/src/daemon.c b/src/daemon.c
index f44f069..085cfec 100644
--- a/src/daemon.c
+++ b/src/daemon.c
@@ -917,6 +917,13 @@ daemonize(cms_context *cms_ctx, int do_fork)
exit(1);
}
+ status = register_oids(ctx.backup_cms);
+ if (status != SECSuccess) {
+ ctx.backup_cms->log(ctx.backup_cms, ctx.priority|LOG_NOTICE,
+ "Could not register OIDs\n");
+ exit(1);
+ }
+
if (do_fork) {
int fd = open("/dev/zero", O_RDONLY);
close(STDIN_FILENO);
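Review bot: the register_oids() failure message omits the NSS error detail, whereas the neighbouring NSS_Init() failure reports PORT_ErrorToString(PORT_GetError()); adding the same here makes a failed OID registration diagnosable. The daemon exits on this condition, so LOG_ERR rather than LOG_NOTICE is the matching severity. The hunk also relies on `status` already being declared earlier in daemonize(), at the NSS_Init() call.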
--
1.7.12.1


@ -0,0 +1,61 @@
From 092e3f81233655849156b0948a53f3b5f51b8c97 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 17 Oct 2012 14:43:58 -0400
Subject: [PATCH 15/30] Make daemon shutdown actually close the NSS databases
and whatnot.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/daemon.c | 20 +++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/src/daemon.c b/src/daemon.c
index 085cfec..dd215f8 100644
--- a/src/daemon.c
+++ b/src/daemon.c
@@ -125,8 +125,7 @@ handle_kill_daemon(context *ctx, struct pollfd *pollfd, socklen_t size)
ctx->backup_cms->log(ctx->backup_cms, ctx->priority|LOG_NOTICE,
"pesignd exiting (pid %d)", getpid());
- cms_context_fini(ctx->backup_cms);
- exit(0);
+ should_exit = 1;
}
static void
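Review bot: the removed cms_context_fini(ctx->backup_cms) is not reinstated in do_shutdown() below, which only closes the sockets, frees pollfds and releases errstr; the NSS databases named in the subject only get closed if the return from handle_events() propagates back to the caller that runs pesign_context_free() and NSS_Shutdown(). Either call cms_context_fini() from do_shutdown() or add a comment at should_exit saying the teardown is the caller's job.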
@@ -625,6 +624,16 @@ handle_event(context *ctx, struct pollfd *pollfd)
return 0;
}
+static void
+do_shutdown(context *ctx, int nsockets, struct pollfd *pollfds)
+{
+ for (int i = 0; i < nsockets; i++)
+ close(pollfds[i].fd);
+ free(pollfds);
+
+ xfree(ctx->errstr);
+}
+
static int
handle_events(context *ctx)
{
@@ -643,9 +652,14 @@ handle_events(context *ctx)
pollfds[0].events = POLLIN|POLLPRI|POLLHUP;
while (1) {
+ if (should_exit != 0) {
+shutdown:
+ do_shutdown(ctx, nsockets, pollfds);
+ return 0;
+ }
rc = ppoll(pollfds, nsockets, NULL, NULL);
if (should_exit != 0)
- exit(0);
+ goto shutdown;
if (rc < 0) {
ctx->backup_cms->log(ctx->backup_cms,
ctx->priority|LOG_WARNING,
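Review bot: `goto shutdown` jumps into the body of the `if (should_exit != 0)` block at the top of the loop; that is legal C but hard to follow, and a `break` out of `while (1)` with the do_shutdown()/return placed after the loop expresses the same thing without a label inside a conditional. Separately, ppoll() is called with a NULL sigmask, so a signal that sets should_exit between the `if (should_exit != 0)` check and the ppoll() call is not noticed until the next socket event wakes the loop; the usual fix is to keep the signal blocked outside ppoll() and pass the unblocked mask as its fourth argument.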
--
1.7.12.1


@ -0,0 +1,425 @@
From b6ff405da1bf4627a40fc104457a539788c9f470 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 17 Oct 2012 15:18:08 -0400
Subject: [PATCH 16/30] Reformat a bunch of error messages to be vaguely
consistent.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/cms_common.c | 6 ++--
src/daemon.c | 102 ++++++++++++++++++++++++++++---------------------------
2 files changed, 55 insertions(+), 53 deletions(-)
diff --git a/src/cms_common.c b/src/cms_common.c
index 6188e6e..a1ed460 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -410,7 +410,7 @@ find_certificate(cms_context *cms)
PK11SlotList *slots = NULL;
slots = PK11_GetAllTokens(CKM_RSA_PKCS, PR_FALSE, PR_TRUE, pwdata);
if (!slots) {
- cms->log(cms, LOG_ERR, "Could not find certificate \"%s:%s\"",
+ cms->log(cms, LOG_ERR, "could not find certificate \"%s:%s\"",
cms->tokenname, cms->certname);
err:
return -1;
@@ -420,7 +420,7 @@ err:
psle = PK11_GetFirstSafe(slots);
if (!psle) {
err_slots_errmsg:
- cms->log(cms, LOG_ERR, "Could not find certificate \"%s:%s\"",
+ cms->log(cms, LOG_ERR, "could not find certificate \"%s:%s\"",
cms->tokenname, cms->certname);
err_slots:
PK11_FreeSlotList(slots);
@@ -441,7 +441,7 @@ err_slots:
if (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) {
status = PK11_Authenticate(psle->slot, PR_TRUE, pwdata);
if (status != SECSuccess) {
- cms->log(cms, LOG_ERR, "Authentication failed on "
+ cms->log(cms, LOG_ERR, "authentication failed for "
"certificate \"%s:%s\"", cms->tokenname,
cms->certname);
PK11_DestroySlotListElement(slots, &psle);
diff --git a/src/daemon.c b/src/daemon.c
index dd215f8..07aaf6c 100644
--- a/src/daemon.c
+++ b/src/daemon.c
@@ -82,7 +82,7 @@ send_response(context *ctx, cms_context *cms, struct pollfd *pollfd, int rc)
void *buffer = calloc(1, iov.iov_len);
if (!buffer) {
cms->log(cms, ctx->priority|LOG_ERR,
- "pesignd: could not allocate memory: %m");
+ "could not allocate memory: %m");
exit(1);
}
@@ -108,7 +108,7 @@ send_response(context *ctx, cms_context *cms, struct pollfd *pollfd, int rc)
n = sendmsg(pollfd->fd, &msg, 0);
if (n < 0)
cms->log(cms, ctx->priority|LOG_WARNING,
- "pesignd: could not send response to client: %m");
+ "could not send response to client: %m");
free(buffer);
}
@@ -156,7 +156,7 @@ handle_unlock_token(context *ctx, struct pollfd *pollfd, socklen_t size)
if (!buffer) {
oom:
ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
- "pesignd: unable to allocate memory: %m");
+ "unable to allocate memory: %m");
exit(1);
}
@@ -173,9 +173,9 @@ oom:
if (n < sizeof(tn->size)) {
malformed:
ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
- "pesignd: unlock-token: invalid data");
+ "unlock-token: invalid data");
ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
- "pesignd: possible exploit attempt. closing.");
+ "possible exploit attempt. closing.");
close(pollfd->fd);
return;
}
@@ -202,7 +202,7 @@ malformed:
goto malformed;
ctx->cms->log(ctx->cms, ctx->priority|LOG_NOTICE,
- "pesignd: unlocking token \"%s\"", tn->value);
+ "unlocking token \"%s\"", tn->value);
/* authenticating with nss frees this ... best API ever. */
ctx->cms->tokenname = PORT_ArenaZAlloc(ctx->cms->arena,
@@ -223,9 +223,13 @@ malformed:
cms_set_pw_callback(ctx->cms, get_password_fail);
cms_set_pw_data(ctx->cms, NULL);
- if (rc == 0)
- ctx->cms->log(ctx->cms, LOG_NOTICE, "pesignd: Authentication "
- "succeeded for token \"%s\"", tn->value);
+ if (rc < 0)
+ ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
+ "could not find token \"%s\"", tn->value);
+ else
+ ctx->cms->log(ctx->cms, ctx->priority|LOG_NOTICE,
+ "authentication succeeded for token \"%s\"",
+ tn->value);
send_response(ctx, ctx->cms, pollfd, rc);
free(buffer);
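Review bot: this hunk changes behaviour rather than just message formatting: it adds a LOG_ERR entry when the unlock fails, which is a worthwhile addition but would be easier to find later in its own commit. The text "could not find token" is emitted for any rc < 0, which also covers an authentication failure on a token that does exist; a neutral "could not unlock token" avoids pointing the operator at the wrong cause.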
@@ -245,7 +249,7 @@ socket_get_fd(context *ctx, int sd, int *fd)
struct cmsghdr *cm = malloc(controllen);
if (!cm) {
ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
- "pesignd: unable to allocate memory: %m");
+ "unable to allocate memory: %m");
exit(1);
}
@@ -262,9 +266,9 @@ socket_get_fd(context *ctx, int sd, int *fd)
if (n < 0) {
malformed:
ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
- "pesignd: unlock-token: invalid data");
+ "unlock-token: invalid data");
ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
- "pesignd: possible exploit attempt. closing.");
+ "possible exploit attempt. closing.");
close(sd);
return;
}
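Review bot: the "unlock-token: invalid data" message is a copy of the one in handle_unlock_token(), but this is socket_get_fd(), which receives the descriptor for a signing request; the same mismatch appears in the handle_signing() hunk later in this patch. Naming the actual operation matters here because this line is what an operator will grep for when investigating the "possible exploit attempt" entry that follows it.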
@@ -293,7 +297,7 @@ set_up_inpe(context *ctx, int fd, Pe **pe)
*pe = pe_begin(fd, PE_C_READ, NULL);
if (!*pe) {
ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
- "pesignd: could not parse PE binary: %s",
+ "could not parse PE binary: %s",
pe_errmsg(pe_errno()));
return -1;
}
@@ -301,7 +305,7 @@ set_up_inpe(context *ctx, int fd, Pe **pe)
int rc = parse_signatures(ctx->cms, *pe);
if (rc < 0) {
ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
- "pesignd: could not parse signature list");
+ "could not parse signature list");
pe_end(*pe);
*pe = NULL;
return -1;
@@ -320,20 +324,20 @@ set_up_outpe(context *ctx, int fd, Pe *inpe, Pe **outpe)
off_t offset = lseek(fd, 0, SEEK_SET);
if (offset < 0) {
ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
- "pesignd: could not read output file: %m");
+ "could not read output file: %m");
return -1;
}
int rc = ftruncate(fd, size);
if (rc < 0) {
ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
- "pesignd: could not extend output file: %m");
+ "could not extend output file: %m");
return -1;
}
rc = write(fd, addr, size);
if (rc < 0) {
ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
- "pesignd: could not write to output file: %m");
+ "could not write to output file: %m");
return -1;
}
@@ -342,7 +346,7 @@ set_up_outpe(context *ctx, int fd, Pe *inpe, Pe **outpe)
*outpe = pe_begin(fd, PE_C_RDWR, NULL);
if (!*outpe) {
ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
- "pesignd: could not set up output: %s",
+ "could not set up output: %s",
pe_errmsg(pe_errno()));
return -1;
}
@@ -363,7 +367,7 @@ handle_signing(context *ctx, struct pollfd *pollfd, socklen_t size,
if (!buffer) {
oom:
ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
- "pesignd: unable to allocate memory: %m");
+ "unable to allocate memory: %m");
exit(1);
}
@@ -380,9 +384,9 @@ oom:
if (n < sizeof(tn->size)) {
malformed:
ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
- "pesignd: unlock-token: invalid data");
+ "unlock-token: invalid data");
ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
- "pesignd: possible exploit attempt. closing.");
+ "possible exploit attempt. closing.");
close(pollfd->fd);
return;
}
@@ -423,7 +427,7 @@ malformed:
socket_get_fd(ctx, pollfd->fd, &outfd);
ctx->cms->log(ctx->cms, ctx->priority|LOG_NOTICE,
- "pesignd: attempting to sign with key \"%s:%s\"",
+ "attempting to sign with key \"%s:%s\"",
tn->value, cn->value);
free(buffer);
@@ -548,9 +552,9 @@ handle_invalid_input(pesignd_cmd cmd, context *ctx, struct pollfd *pollfd,
socklen_t size)
{
ctx->backup_cms->log(ctx->backup_cms, ctx->priority|LOG_ERR,
- "pesignd: got unexpected command 0x%x", cmd);
+ "got unexpected command 0x%x", cmd);
ctx->backup_cms->log(ctx->backup_cms, ctx->priority|LOG_ERR,
- "pesignd: possible exploit attempt");
+ "possible exploit attempt");
}
typedef void (*cmd_handler)(context *ctx, struct pollfd *pollfd,
@@ -593,16 +597,16 @@ handle_event(context *ctx, struct pollfd *pollfd)
n = recvmsg(pollfd->fd, &msg, MSG_WAITALL);
if (n < 0) {
ctx->backup_cms->log(ctx->backup_cms, ctx->priority|LOG_WARNING,
- "pesignd: recvmsg failed: %m");
+ "recvmsg failed: %m");
return n;
}
if (pm.version != PESIGND_VERSION) {
ctx->backup_cms->log(ctx->backup_cms, ctx->priority|LOG_ERR,
- "pesignd: got version %d, expected version %d",
+ "got version %d, expected version %d",
pm.version, PESIGND_VERSION);
ctx->backup_cms->log(ctx->backup_cms, ctx->priority|LOG_ERR,
- "pesignd: possible exploit attempt. closing.");
+ "possible exploit attempt. closing.");
close(pollfd->fd);
return -1;
}
@@ -644,7 +648,7 @@ handle_events(context *ctx)
if (!pollfds) {
ctx->backup_cms->log(ctx->backup_cms, ctx->priority|LOG_ERR,
- "pesignd: could not allocate memory: %m");
+ "could not allocate memory: %m");
exit(1);
}
@@ -663,7 +667,7 @@ shutdown:
if (rc < 0) {
ctx->backup_cms->log(ctx->backup_cms,
ctx->priority|LOG_WARNING,
- "pesignd: ppoll: %m");
+ "ppoll: %m");
continue;
}
@@ -675,8 +679,7 @@ shutdown:
if (!newpollfds) {
ctx->backup_cms->log(ctx->backup_cms,
ctx->priority|LOG_ERR,
- "pesignd: could not allocate memory: "
- "%m");
+ "could not allocate memory: %m");
exit(1);
}
pollfds = newpollfds;
@@ -729,8 +732,8 @@ get_uid_and_gid(context *ctx, char **homedir)
if (ctx->uid == 0 || ctx->gid == 0) {
ctx->backup_cms->log(ctx->backup_cms, ctx->priority|LOG_ERR,
- "pesignd: cowardly refusing to start with uid = %d "
- "and gid = %d", ctx->uid, ctx->gid);
+ "cowardly refusing to start with uid = %d and gid = %d",
+ ctx->uid, ctx->gid);
errno = EINVAL;
return -1;
}
@@ -752,7 +755,7 @@ set_up_socket(context *ctx)
int sd = socket(AF_UNIX, SOCK_STREAM, 0);
if (sd < 0) {
ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
- "pesignd: unable to create socket: %m");
+ "unable to create socket: %m");
exit(1);
}
@@ -760,7 +763,7 @@ set_up_socket(context *ctx)
int rc = setsockopt(sd, SOL_SOCKET, SO_PASSCRED, &one, sizeof(one));
if (rc < 0) {
ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
- "pesignd: unable to set socket options: %m");
+ "unable to set socket options: %m");
exit(1);
}
@@ -772,14 +775,14 @@ set_up_socket(context *ctx)
rc = bind(sd, &addr_un, sizeof(addr_un));
if (rc < 0) {
ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
- "pesignd: unable to bind to \"%s\": %m",
+ "unable to bind to \"%s\": %m",
addr_un.sun_path);
exit(1);
}
rc = chmod(SOCKPATH, 0660);
if (rc < 0) {
ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
- "pesignd: could not set permissions for \"%s\": %m",
+ "could not set permissions for \"%s\": %m",
SOCKPATH);
exit(1);
}
@@ -787,7 +790,7 @@ set_up_socket(context *ctx)
rc = listen(sd, 5);
if (rc < 0) {
ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
- "pesignd: unable to listen on socket: %m");
+ "unable to listen on socket: %m");
exit(1);
}
@@ -809,8 +812,7 @@ check_socket(context *ctx)
int sd = socket(AF_UNIX, SOCK_SEQPACKET, 0);
if (sd < 0) {
- fprintf(stderr, "pesignd: unable to create socket: "
- "%m");
+ fprintf(stderr, "unable to create socket: %m");
exit(1);
}
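Review bot: dropping the "pesignd: " prefix is right for the syslog paths, since openlog("pesignd", ...) supplies the ident, but check_socket() writes to stderr with fprintf() and runs before openlog() is called (check_socket(&ctx) precedes openlog() in daemonize()), so these messages now lose their program-name identification entirely. Either keep the prefix on the fprintf() calls or route them through the logger.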
@@ -829,7 +831,7 @@ check_socket(context *ctx)
if (rc < 0) {
return;
} else {
- fprintf(stderr, "pesignd: already running");
+ fprintf(stderr, "already running");
exit(1);
}
} else {
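Review bot: "already running" has no trailing newline, so the next thing written to the terminal lands on the same line; the pidfile message in write_pid_file() below does end with "\n", so this should match it.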
@@ -871,7 +873,7 @@ write_pid_file(int pid)
int fd = open("/var/run/pesign.pid", O_WRONLY|O_CREAT|O_TRUNC, 0644);
if (fd < 0) {
err:
- fprintf(stderr, "pesignd: couldn't open pidfile: %m\n");
+ fprintf(stderr, "couldn't open pidfile: %m\n");
exit(1);
}
char *pidstr = NULL;
@@ -923,10 +925,10 @@ daemonize(cms_context *cms_ctx, int do_fork)
daemon_logger(ctx.backup_cms, ctx.priority|LOG_NOTICE,
"pesignd starting (pid %d)", ctx.pid);
-
SECStatus status = NSS_Init("/etc/pki/pesign");
if (status != SECSuccess) {
- fprintf(stderr, "Could not initialize nss: %s\n",
+ ctx.backup_cms->log(ctx.backup_cms, ctx.priority|LOG_NOTICE,
+ "Could not initialize nss: %s\n",
PORT_ErrorToString(PORT_GetError()));
exit(1);
}
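Review bot: the NSS_Init() failure is now logged through ctx.backup_cms->log at LOG_NOTICE even though the daemon exits immediately afterwards; LOG_ERR is the matching severity. The format string also keeps a trailing "\n", which the other log() calls in this file do not use and which ends up as a literal newline in the syslog record.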
@@ -945,7 +947,7 @@ daemonize(cms_context *cms_ctx, int do_fork)
if (rc < 0) {
ctx.backup_cms->log(ctx.backup_cms,
ctx.priority|LOG_ERR,
- "pesignd: could not set up standard input: %m");
+ "could not set up standard input: %m");
exit(1);
}
close(fd);
@@ -956,7 +958,7 @@ daemonize(cms_context *cms_ctx, int do_fork)
if (rc < 0) {
ctx.backup_cms->log(ctx.backup_cms,
ctx.priority|LOG_ERR,
- "pesignd: could not set up standard output: %m");
+ "could not set up standard output: %m");
exit(1);
}
@@ -965,7 +967,7 @@ daemonize(cms_context *cms_ctx, int do_fork)
if (rc < 0) {
ctx.backup_cms->log(ctx.backup_cms,
ctx.priority|LOG_ERR,
- "pesignd: could not set up standard error: %m");
+ "could not set up standard error: %m");
exit(1);
}
close(fd);
@@ -989,7 +991,7 @@ daemonize(cms_context *cms_ctx, int do_fork)
rc = get_uid_and_gid(&ctx, &homedir);
if (rc < 0) {
ctx.backup_cms->log(ctx.backup_cms, ctx.priority|LOG_ERR,
- "pesignd: could not get group and user information "
+ "could not get group and user information "
"for pesign: %m");
exit(1);
}
@@ -1001,13 +1003,13 @@ daemonize(cms_context *cms_ctx, int do_fork)
if (setgid(ctx.gid) != 0) {
ctx.backup_cms->log(ctx.backup_cms,
ctx.priority|LOG_ERR,
- "pesignd: unable to drop group privileges: %m");
+ "unable to drop group privileges: %m");
exit(1);
}
if (setuid(ctx.uid) != 0) {
ctx.backup_cms->log(ctx.backup_cms,
ctx.priority|LOG_ERR,
- "pesignd: unable to drop user privileges: %m");
+ "unable to drop user privileges: %m");
exit(1);
}
}
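Review bot: the order here (setgid() before setuid()) is correct, but no setgroups() call is visible between get_uid_and_gid() and setgid(); unless supplementary groups are cleared elsewhere, the process keeps root's supplementary group memberships after dropping to the pesign uid/gid. A setgroups(0, NULL) (or initgroups() for the pesign user) before setgid(), with its return value checked like the other two, closes that gap.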
--
1.7.12.1


@ -0,0 +1,82 @@
From 8ffe6943f04d42314f81eb8b5e3350d4ccc41895 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 17 Oct 2012 15:26:23 -0400
Subject: [PATCH 17/30] Use PORT_ArenaStrdup() where appropriate.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/daemon.c | 15 ++++++---------
src/pesign.c | 12 ++++++------
2 files changed, 12 insertions(+), 15 deletions(-)
diff --git a/src/daemon.c b/src/daemon.c
index 07aaf6c..73fd924 100644
--- a/src/daemon.c
+++ b/src/daemon.c
@@ -205,9 +205,8 @@ malformed:
"unlocking token \"%s\"", tn->value);
/* authenticating with nss frees this ... best API ever. */
- ctx->cms->tokenname = PORT_ArenaZAlloc(ctx->cms->arena,
- strlen((char *)tn->value));
- strcpy(ctx->cms->tokenname, (char *)tn->value);
+ ctx->cms->tokenname = PORT_ArenaStrdup(ctx->cms->arena,
+ (char *)tn->value);
if (!ctx->cms->tokenname)
goto oom;
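Review bot: this fixes more than the subject suggests: the old code allocated strlen(tn->value) bytes and then strcpy()'d into them, leaving no room for the terminating NUL, so the copy wrote one byte past the arena allocation. PORT_ArenaStrdup() sizes the copy correctly. It does depend on tn->value being NUL-terminated, and tn->value arrives from the client, so the size checks on the malformed: path above should reject a value whose last byte is not '\0' before this line runs; the same applies to the two hunks below.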
@@ -397,9 +396,8 @@ malformed:
n -= tn->size;
/* authenticating with nss frees these ... best API ever. */
- ctx->cms->tokenname = PORT_ArenaZAlloc(ctx->cms->arena,
- strlen((char *)tn->value));
- strcpy(ctx->cms->tokenname, (char *)tn->value);
+ ctx->cms->tokenname = PORT_ArenaStrdup(ctx->cms->arena,
+ (char *)tn->value);
if (!ctx->cms->tokenname)
goto oom;
@@ -410,9 +408,8 @@ malformed:
if (n < cn->size)
goto malformed;
- ctx->cms->certname = PORT_ArenaZAlloc(ctx->cms->arena,
- strlen((char *)cn->value));
- strcpy(ctx->cms->certname, (char *)cn->value);
+ ctx->cms->certname = PORT_ArenaStrdup(ctx->cms->arena,
+ (char *)cn->value);
if (!ctx->cms->certname)
goto oom;
diff --git a/src/pesign.c b/src/pesign.c
index c7b23cf..819cee0 100644
--- a/src/pesign.c
+++ b/src/pesign.c
@@ -551,17 +551,17 @@ main(int argc, char *argv[])
exit(!is_help);
}
- ctx.cms_ctx->tokenname = tokenname ?
- PORT_ArenaStrdup(ctx.cms_ctx->arena, tokenname) : NULL;
- if (tokenname && !ctx.cms_ctx->tokenname) {
+ ctxp->cms_ctx->tokenname = tokenname ?
+ PORT_ArenaStrdup(ctxp->cms_ctx->arena, tokenname) : NULL;
+ if (tokenname && !ctxp->cms_ctx->tokenname) {
fprintf(stderr, "could not allocate token name: %s\n",
PORT_ErrorToString(PORT_GetError()));
exit(1);
}
- ctx.cms_ctx->certname = certname ?
- PORT_ArenaStrdup(ctx.cms_ctx->arena, certname) : NULL;
- if (certname && !ctx.cms_ctx->certname) {
+ ctxp->cms_ctx->certname = certname ?
+ PORT_ArenaStrdup(ctxp->cms_ctx->arena, certname) : NULL;
+ if (certname && !ctxp->cms_ctx->certname) {
fprintf(stderr, "could not allocate certificate name: %s\n",
PORT_ErrorToString(PORT_GetError()));
exit(1);
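Review bot: this hunk is unrelated to the subject: it renames ctx. to ctxp-> without touching the PORT_ArenaStrdup() calls, which were already there. The rename is groundwork for the later "Allocate pesign_context rather than having it on the stack" patch and would be easier to review there.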
--
1.7.12.1


@ -0,0 +1,58 @@
From c196b462ad5267e8ed20c0b855b9921268b22a7b Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 17 Oct 2012 15:26:47 -0400
Subject: [PATCH 18/30] Minor whitespace fixes.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/daemon.c | 6 +++---
src/pesign.c | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/daemon.c b/src/daemon.c
index 73fd924..69aea4b 100644
--- a/src/daemon.c
+++ b/src/daemon.c
@@ -70,7 +70,7 @@ hide_stolen_goods_from_cms(cms_context *new, cms_context *old)
static void
send_response(context *ctx, cms_context *cms, struct pollfd *pollfd, int rc)
-{
+{
struct msghdr msg;
struct iovec iov;
ssize_t n;
@@ -890,7 +890,7 @@ int
daemonize(cms_context *cms_ctx, int do_fork)
{
int rc = 0;
- context ctx = {
+ context ctx = {
.backup_cms = cms_ctx,
.priority = do_fork ? LOG_PID
: LOG_PID|LOG_PERROR,
@@ -904,7 +904,7 @@ daemonize(cms_context *cms_ctx, int do_fork)
fprintf(stderr, "pesignd must be started as root");
exit(1);
}
-
+
check_socket(&ctx);
openlog("pesignd", LOG_PID, LOG_DAEMON);
diff --git a/src/pesign.c b/src/pesign.c
index 819cee0..2ba5ef1 100644
--- a/src/pesign.c
+++ b/src/pesign.c
@@ -88,7 +88,7 @@ open_input(pesign_context *ctx)
struct stat statbuf;
ctx->infd = open(ctx->infile, O_RDONLY|O_CLOEXEC);
- stat(ctx->infile, &statbuf);
+ stat(ctx->infile, &statbuf);
ctx->outmode = statbuf.st_mode;
if (ctx->infd < 0) {
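Review bot: while touching this line: the stat() return value is not checked, so if ctx->infile cannot be stat'ed, statbuf.st_mode is read uninitialized into ctx->outmode, and the stat() runs by path before the `infd < 0` check rather than on the descriptor that was just opened. An fstat(ctx->infd, &statbuf) after the open succeeds, with its return value checked, avoids the uninitialized read and guarantees the mode belongs to the file actually opened.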
--
1.7.12.1


@ -0,0 +1,38 @@
From 7a8c50f620c7484af9d750f484df8a6837e6b2a5 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 17 Oct 2012 15:27:03 -0400
Subject: [PATCH 19/30] [daemon] Make sure inpe is initialized before all
error handling.
find_certificate() and set_up_inpe() errors wind up being at the same
place, which means when find_certificate is called, inpe already must be
NULL.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/daemon.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/daemon.c b/src/daemon.c
index 69aea4b..534fb23 100644
--- a/src/daemon.c
+++ b/src/daemon.c
@@ -362,6 +362,7 @@ handle_signing(context *ctx, struct pollfd *pollfd, socklen_t size,
struct iovec iov;
ssize_t n;
char *buffer = malloc(size);
+ Pe *inpe = NULL;
if (!buffer) {
oom:
@@ -433,7 +434,6 @@ malformed:
goto finish;
}
- Pe *inpe = NULL;
rc = set_up_inpe(ctx, infd, &inpe);
if (rc < 0)
goto finish;
--
1.7.12.1


@ -0,0 +1,360 @@
From 66d3353e6d24c9e69ce71735c5aa4741717a6d68 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 17 Oct 2012 15:31:15 -0400
Subject: [PATCH 20/30] Allocate pesign_context rather than having it on the
stack.
This way it won't try to re-initialize cms_context when it's cleaned up.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign.c | 152 ++++++++++++++++++++++++++++++-----------------------------
1 file changed, 77 insertions(+), 75 deletions(-)
diff --git a/src/pesign.c b/src/pesign.c
index 2ba5ef1..e22e814 100644
--- a/src/pesign.c
+++ b/src/pesign.c
@@ -426,7 +426,7 @@ main(int argc, char *argv[])
{
int rc;
- pesign_context ctx, *ctxp = &ctx;
+ pesign_context *ctxp;
int list = 0;
int remove = 0;
@@ -437,40 +437,47 @@ main(int argc, char *argv[])
char *tokenname = "NSS Certificate DB";
char *certname = NULL;
+ rc = pesign_context_new(&ctxp);
+ if (rc < 0) {
+ fprintf(stderr, "Could not initialize context: %m\n");
+ exit(1);
+ }
+
poptContext optCon;
struct poptOption options[] = {
{NULL, '\0', POPT_ARG_INTL_DOMAIN, "pesign" },
- {"in", 'i', POPT_ARG_STRING, &ctx.infile, 0,
+ {"in", 'i', POPT_ARG_STRING, &ctxp->infile, 0,
"specify input file", "<infile>"},
- {"out", 'o', POPT_ARG_STRING, &ctx.outfile, 0,
+ {"out", 'o', POPT_ARG_STRING, &ctxp->outfile, 0,
"specify output file", "<outfile>" },
{"certficate", 'c', POPT_ARG_STRING, &certname, 0,
"specify certificate nickname",
"<certificate nickname>" },
- {"privkey", 'p', POPT_ARG_STRING, &ctx.privkeyfile, 0,
+ {"privkey", 'p', POPT_ARG_STRING, &ctxp->privkeyfile, 0,
"specify private key file", "<privkey>" },
- {"force", 'f', POPT_ARG_VAL, &ctx.force, 1,
+ {"force", 'f', POPT_ARG_VAL, &ctxp->force, 1,
"force overwriting of output file", NULL },
- {"sign", 's', POPT_ARG_VAL, &ctx.sign, 1,
+ {"sign", 's', POPT_ARG_VAL, &ctxp->sign, 1,
"create a new signature", NULL },
- {"hash", 'h', POPT_ARG_VAL, &ctx.hash, 1, "hash binary", NULL },
+ {"hash", 'h', POPT_ARG_VAL, &ctxp->hash, 1, "hash binary", NULL },
{"digest_type", 'd', POPT_ARG_STRING|POPT_ARGFLAG_SHOW_DEFAULT,
&digest_name, 0, "digest type to use for pe hash" },
{"import-signed-certificate", 'm',
POPT_ARG_STRING|POPT_ARGFLAG_DOC_HIDDEN,
- &ctx.insig, 0,"import signature from file", "<insig>" },
+ &ctxp->insig, 0,"import signature from file", "<insig>" },
{"export-signed-attributes", 'E',
POPT_ARG_STRING|POPT_ARGFLAG_DOC_HIDDEN,
- &ctx.outsattrs, 0, "export signed attributes to file",
+ &ctxp->outsattrs, 0, "export signed attributes to file",
"<signed_attributes_file>" },
{"import-signed-attributes", 'I',
POPT_ARG_STRING|POPT_ARGFLAG_DOC_HIDDEN,
- &ctx.insattrs, 0, "import signed attributes from file",
+ &ctxp->insattrs, 0,
+ "import signed attributes from file",
"<signed_attributes_file>" },
{"import-raw-signature", 'R',
- POPT_ARG_STRING|POPT_ARGFLAG_DOC_HIDDEN, &ctx.rawsig,
+ POPT_ARG_STRING|POPT_ARGFLAG_DOC_HIDDEN, &ctxp->rawsig,
0, "import raw signature from file", "<inraw>" },
- {"signature-number", 'u', POPT_ARG_INT, &ctx.signum, -1,
+ {"signature-number", 'u', POPT_ARG_INT, &ctxp->signum, -1,
"specify which signature to operate on","<sig-number>"},
{"list-signatures", 'l',
POPT_ARG_VAL|POPT_ARGFLAG_DOC_HIDDEN,
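Review bot: pesign_context_new() can fail after its malloc() has succeeded (its inner pesign_context_init() call returns a status), and in that case errno is not necessarily set by the failing step, so the "%m" in "Could not initialize context: %m" may print a stale or unrelated error. Reporting the return code, or PORT_ErrorToString(PORT_GetError()) as the NSS failure messages in this file do, is more reliable.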
@@ -483,13 +490,14 @@ main(int argc, char *argv[])
"remove signature" },
{"export-signature", 'e',
POPT_ARG_STRING|POPT_ARGFLAG_DOC_HIDDEN,
- &ctx.outsig, 0,"export signature to file", "<outsig>" },
+ &ctxp->outsig, 0,
+ "export signature to file", "<outsig>" },
{"export-pubkey", 'K', POPT_ARG_STRING,
- &ctx.outkey, 0, "export pubkey to file", "<outkey>" },
+ &ctxp->outkey, 0, "export pubkey to file", "<outkey>" },
{"export-cert", 'C', POPT_ARG_STRING,
- &ctx.outcert, 0, "export signing cert to file",
+ &ctxp->outcert, 0, "export signing cert to file",
"<outcert>" },
- {"ascii-armor", 'a', POPT_ARG_VAL, &ctx.ascii, 1,
+ {"ascii-armor", 'a', POPT_ARG_VAL, &ctxp->ascii, 1,
"use ascii armoring", NULL },
{"daemonize", 'D', POPT_ARG_VAL, &daemon, 1,
"run as a daemon process", NULL },
@@ -509,12 +517,6 @@ main(int argc, char *argv[])
}
}
- rc = pesign_context_init(ctxp);
- if (rc < 0) {
- fprintf(stderr, "Could not initialize context: %m\n");
- exit(1);
- }
-
optCon = poptGetContext("pesign", argc, (const char **)argv, options,0);
rc = poptReadDefaultConfig(optCon, 0);
@@ -571,25 +573,25 @@ main(int argc, char *argv[])
if (daemon)
action |= DAEMONIZE;
- if (ctx.rawsig)
+ if (ctxp->rawsig)
action |= IMPORT_RAW_SIGNATURE;
- if (ctx.insattrs)
+ if (ctxp->insattrs)
action |= IMPORT_SATTRS;
- if (ctx.outsattrs)
+ if (ctxp->outsattrs)
action |= EXPORT_SATTRS;
-
- if (ctx.insig)
+
+ if (ctxp->insig)
action |= IMPORT_SIGNATURE;
- if (ctx.outkey)
+ if (ctxp->outkey)
action |= EXPORT_PUBKEY;
- if (ctx.outcert)
+ if (ctxp->outcert)
action |= EXPORT_CERT;
- if (ctx.outsig)
+ if (ctxp->outsig)
action |= EXPORT_SIGNATURE;
if (remove != 0)
@@ -598,13 +600,13 @@ main(int argc, char *argv[])
if (list != 0)
action |= LIST_SIGNATURES;
- if (ctx.sign) {
+ if (ctxp->sign) {
action |= GENERATE_SIGNATURE;
if (!(action & EXPORT_SIGNATURE))
action |= IMPORT_SIGNATURE;
}
- if (ctx.hash)
+ if (ctxp->hash)
action |= GENERATE_DIGEST|PRINT_DIGEST;
ssize_t sigspace = 0;
@@ -620,11 +622,11 @@ main(int argc, char *argv[])
*/
case IMPORT_RAW_SIGNATURE|IMPORT_SATTRS:
check_inputs(ctxp);
- rc = find_certificate(ctx.cms_ctx);
+ rc = find_certificate(ctxp->cms_ctx);
if (rc < 0) {
fprintf(stderr, "pesign: Could not find "
"certificate %s\n",
- ctx.cms_ctx->certname);
+ ctxp->cms_ctx->certname);
exit(1);
}
open_rawsig_input(ctxp);
@@ -636,19 +638,19 @@ main(int argc, char *argv[])
open_input(ctxp);
open_output(ctxp);
close_input(ctxp);
- generate_digest(ctx.cms_ctx, ctx.outpe);
- sigspace = calculate_signature_space(ctx.cms_ctx,
- ctx.outpe);
- allocate_signature_space(ctx.outpe, sigspace);
- generate_signature(ctx.cms_ctx);
- insert_signature(ctx.cms_ctx, ctx.signum);
- finalize_signatures(ctx.cms_ctx, ctx.outpe);
+ generate_digest(ctxp->cms_ctx, ctxp->outpe);
+ sigspace = calculate_signature_space(ctxp->cms_ctx,
+ ctxp->outpe);
+ allocate_signature_space(ctxp->outpe, sigspace);
+ generate_signature(ctxp->cms_ctx);
+ insert_signature(ctxp->cms_ctx, ctxp->signum);
+ finalize_signatures(ctxp->cms_ctx, ctxp->outpe);
close_output(ctxp);
break;
case EXPORT_SATTRS:
open_input(ctxp);
open_sattr_output(ctxp);
- generate_digest(ctx.cms_ctx, ctx.inpe);
+ generate_digest(ctxp->cms_ctx, ctxp->inpe);
generate_sattr_blob(ctxp);
close_sattr_output(ctxp);
close_input(ctxp);
@@ -666,22 +668,22 @@ main(int argc, char *argv[])
close_output(ctxp);
break;
case EXPORT_PUBKEY:
- rc = find_certificate(ctx.cms_ctx);
+ rc = find_certificate(ctxp->cms_ctx);
if (rc < 0) {
fprintf(stderr, "pesign: Could not find "
"certificate %s\n",
- ctx.cms_ctx->certname);
+ ctxp->cms_ctx->certname);
exit(1);
}
open_pubkey_output(ctxp);
export_pubkey(ctxp);
break;
case EXPORT_CERT:
- rc = find_certificate(ctx.cms_ctx);
+ rc = find_certificate(ctxp->cms_ctx);
if (rc < 0) {
fprintf(stderr, "pesign: Could not find "
"certificate %s\n",
- ctx.cms_ctx->certname);
+ ctxp->cms_ctx->certname);
exit(1);
}
open_cert_output(ctxp);
@@ -691,21 +693,21 @@ main(int argc, char *argv[])
case EXPORT_SIGNATURE:
open_input(ctxp);
open_sig_output(ctxp);
- if (ctx.signum > ctx.cms_ctx->num_signatures) {
+ if (ctxp->signum > ctxp->cms_ctx->num_signatures) {
fprintf(stderr, "Invalid signature number.\n");
exit(1);
}
- if (ctx.signum < 0)
- ctx.signum = 0;
- if (ctx.signum >= ctx.cms_ctx->num_signatures) {
+ if (ctxp->signum < 0)
+ ctxp->signum = 0;
+ if (ctxp->signum >= ctxp->cms_ctx->num_signatures) {
fprintf(stderr, "No valid signature #%d.\n",
- ctx.signum);
+ ctxp->signum);
exit(1);
}
- memcpy(&ctx.cms_ctx->newsig,
- ctx.cms_ctx->signatures[ctx.signum],
- sizeof (ctx.cms_ctx->newsig));
- export_signature(ctx.cms_ctx, ctx.outsigfd, ctx.ascii);
+ memcpy(&ctxp->cms_ctx->newsig,
+ ctxp->cms_ctx->signatures[ctxp->signum],
+ sizeof (ctxp->cms_ctx->newsig));
+ export_signature(ctxp->cms_ctx, ctxp->outsigfd, ctxp->ascii);
close_input(ctxp);
close_sig_output(ctxp);
break;
@@ -715,11 +717,11 @@ main(int argc, char *argv[])
open_input(ctxp);
open_output(ctxp);
close_input(ctxp);
- if (ctx.signum > ctx.cms_ctx->num_signatures) {
+ if (ctxp->signum > ctxp->cms_ctx->num_signatures) {
fprintf(stderr, "Invalid signature number.\n");
exit(1);
}
- remove_signature(&ctx);
+ remove_signature(ctxp);
close_output(ctxp);
break;
/* list signatures in the binary */
@@ -729,49 +731,49 @@ main(int argc, char *argv[])
break;
case GENERATE_DIGEST|PRINT_DIGEST:
open_input(ctxp);
- generate_digest(ctx.cms_ctx, ctx.inpe);
+ generate_digest(ctxp->cms_ctx, ctxp->inpe);
print_digest(ctxp);
break;
/* generate a signature and save it in a separate file */
case EXPORT_SIGNATURE|GENERATE_SIGNATURE:
- rc = find_certificate(ctx.cms_ctx);
+ rc = find_certificate(ctxp->cms_ctx);
if (rc < 0) {
fprintf(stderr, "pesign: Could not find "
"certificate %s\n",
- ctx.cms_ctx->certname);
+ ctxp->cms_ctx->certname);
exit(1);
}
open_input(ctxp);
open_sig_output(ctxp);
- generate_digest(ctx.cms_ctx, ctx.inpe);
- generate_signature(ctx.cms_ctx);
- export_signature(ctx.cms_ctx, ctx.outsigfd, ctx.ascii);
+ generate_digest(ctxp->cms_ctx, ctxp->inpe);
+ generate_signature(ctxp->cms_ctx);
+ export_signature(ctxp->cms_ctx, ctxp->outsigfd, ctxp->ascii);
break;
/* generate a signature and embed it in the binary */
case IMPORT_SIGNATURE|GENERATE_SIGNATURE:
check_inputs(ctxp);
- rc = find_certificate(ctx.cms_ctx);
+ rc = find_certificate(ctxp->cms_ctx);
if (rc < 0) {
fprintf(stderr, "pesign: Could not find "
"certificate %s\n",
- ctx.cms_ctx->certname);
+ ctxp->cms_ctx->certname);
exit(1);
}
open_input(ctxp);
open_output(ctxp);
close_input(ctxp);
- generate_digest(ctx.cms_ctx, ctx.outpe);
- sigspace = calculate_signature_space(ctx.cms_ctx,
- ctx.outpe);
- allocate_signature_space(ctx.outpe, sigspace);
- generate_digest(ctx.cms_ctx, ctx.outpe);
- generate_signature(ctx.cms_ctx);
- insert_signature(ctx.cms_ctx, ctx.signum);
- finalize_signatures(ctx.cms_ctx, ctx.outpe);
+ generate_digest(ctxp->cms_ctx, ctxp->outpe);
+ sigspace = calculate_signature_space(ctxp->cms_ctx,
+ ctxp->outpe);
+ allocate_signature_space(ctxp->outpe, sigspace);
+ generate_digest(ctxp->cms_ctx, ctxp->outpe);
+ generate_signature(ctxp->cms_ctx);
+ insert_signature(ctxp->cms_ctx, ctxp->signum);
+ finalize_signatures(ctxp->cms_ctx, ctxp->outpe);
close_output(ctxp);
break;
case DAEMONIZE:
- rc = daemonize(ctx.cms_ctx, fork);
+ rc = daemonize(ctxp->cms_ctx, fork);
break;
default:
fprintf(stderr, "Incompatible flags (0x%08x): ", action);
@@ -782,7 +784,7 @@ main(int argc, char *argv[])
fprintf(stderr, "\n");
exit(1);
}
- pesign_context_fini(&ctx);
+ pesign_context_free(ctxp);
NSS_Shutdown();
return (rc < 0);
--
1.7.12.1


@ -0,0 +1,67 @@
From 444a514e1a7c9a27953f914cf416d559ef5be083 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 17 Oct 2012 15:32:57 -0400
Subject: [PATCH 21/30] [pesign] initialize nss only if we're not a daemon.
If it's a daemon, NSS_Init, register_oids, and setup_digests will be
done in the daemon code, not in the normal tool code.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign.c | 33 +++++++++++++++++++++++----------
1 file changed, 23 insertions(+), 10 deletions(-)
diff --git a/src/pesign.c b/src/pesign.c
index e22e814..aa09bf5 100644
--- a/src/pesign.c
+++ b/src/pesign.c
@@ -508,15 +508,6 @@ main(int argc, char *argv[])
POPT_TABLEEND
};
- if (!daemon) {
- SECStatus status = NSS_Init("/etc/pki/pesign");
- if (status != SECSuccess) {
- fprintf(stderr, "Could not initialize nss: %s\n",
- PORT_ErrorToString(PORT_GetError()));
- exit(1);
- }
- }
-
optCon = poptGetContext("pesign", argc, (const char **)argv, options,0);
rc = poptReadDefaultConfig(optCon, 0);
@@ -543,7 +534,29 @@ main(int argc, char *argv[])
poptFreeContext(optCon);
- rc = set_digest_parameters(ctx.cms_ctx, digest_name);
+ if (!daemon) {
+ SECStatus status = NSS_Init("/etc/pki/pesign");
+ if (status != SECSuccess) {
+ fprintf(stderr, "Could not initialize nss: %s\n",
+ PORT_ErrorToString(PORT_GetError()));
+ exit(1);
+ }
+
+ status = register_oids(ctxp->cms_ctx);
+ if (status != SECSuccess) {
+ fprintf(stderr, "Could not register OIDs\n");
+ exit(1);
+ }
+
+ rc = setup_digests(ctxp->cms_ctx);
+ if (rc < 0) {
+ fprintf(stderr, "Could not initialize digests: %s\n",
+ PORT_ErrorToString(PORT_GetError()));
+ exit(1);
+ }
+ }
+
+ rc = set_digest_parameters(ctxp->cms_ctx, digest_name);
int is_help = strcmp(digest_name, "help") ? 0 : 1;
if (rc < 0) {
if (!is_help) {
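Review bot: the three exit(1) paths after a successful NSS_Init() leave NSS initialised, whereas the normal path ends with NSS_Shutdown(); for a process exiting immediately this is mostly harmless, but the database is not cleanly closed on a register_oids() or setup_digests() failure. Also, set_digest_parameters(ctxp->cms_ctx, digest_name) is still called in daemon mode, before the daemon does its own NSS_Init()/setup_digests(); worth confirming it does not depend on the digests being set up first.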
--
1.7.12.1


@ -0,0 +1,28 @@
From a1ce809e199c7fbbd6f5c0e75f27a4234fcbd2bc Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 17 Oct 2012 15:34:00 -0400
Subject: [PATCH 22/30] Handle errors on pesign_context_init()
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign_context.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/pesign_context.c b/src/pesign_context.c
index c6afda6..cbd929f 100644
--- a/src/pesign_context.c
+++ b/src/pesign_context.c
@@ -37,7 +37,9 @@ pesign_context_new(pesign_context **ctx)
if (!context)
return -1;
- pesign_context_init(context);
+ rc = pesign_context_init(context);
+ if (rc < 0)
+ return rc;
context->flags |= PESIGN_C_ALLOCATED;
*ctx = context;
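Review bot: the new early return leaks `context`, which was just allocated for this function (the `if (!context) return -1;` two lines above is the allocation check), so `if (rc < 0) return rc;` should free(context) first; patch 28 in this series adds exactly that free, and it belongs here where the error path is introduced.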
--
1.7.12.1
@ -0,0 +1,119 @@
From 4ed91a1bb65769401c0fd6c1c5b2a3c64c0c1266 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 17 Oct 2012 16:35:43 -0400
Subject: [PATCH 23/30] Add sanity checking to make sure we don't emit
uninitialized hashes.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/cms_common.c | 15 ++++++++++++++-
src/content_info.c | 11 +++++++++++
src/signer_info.c | 5 +++++
src/util.h | 13 +++++++++++++
4 files changed, 43 insertions(+), 1 deletion(-)
diff --git a/src/cms_common.c b/src/cms_common.c
index a1ed460..ab5a066 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -532,6 +532,10 @@ generate_empty_sequence(cms_context *cms, SECItem *encoded)
int
generate_octet_string(cms_context *cms, SECItem *encoded, SECItem *original)
{
+ if (content_is_empty(original->data, original->len)) {
+ cms->log(cms, LOG_ERR, "content is empty, not encoding");
+ return -1;
+ }
if (SEC_ASN1EncodeItem(cms->arena, encoded, original,
SEC_OctetStringTemplate) == NULL)
return -1;
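Review bot: content_is_empty() treats an all-zero buffer the same as a zero-length one, so this check refuses to encode any octet string whose bytes happen to all be 0x00, which is a valid OCTET STRING in general. That is fine as long as every caller of generate_octet_string() passes digest output, but the helper's name and the log message "content is empty" do not say so; a short comment here (or renaming the helper to something like content_is_zero) would stop a future caller from tripping over it.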
@@ -942,7 +946,16 @@ generate_signature(cms_context *cms)
{
int rc = 0;
- assert(cms->digests[cms->selected_digest].pe_digest != NULL);
+ if (cms->digests[cms->selected_digest].pe_digest == NULL) {
+ cms->log(cms, LOG_ERR, "pe digest has not been allocated");
+ return -1;
+ }
+
+ if (content_is_empty(cms->digests[cms->selected_digest].pe_digest->data,
+ cms->digests[cms->selected_digest].pe_digest->len)) {
+ cms->log(cms, LOG_ERR, "pe binary has not been digested");
+ return -1;
+ }
SECItem sd_der;
memset(&sd_der, '\0', sizeof(sd_der));
diff --git a/src/content_info.c b/src/content_info.c
index 044e85e..7246d20 100644
--- a/src/content_info.c
+++ b/src/content_info.c
@@ -197,6 +197,11 @@ generate_spc_digest_info(cms_context *cms, SECItem *dip)
int i = cms->selected_digest;
memcpy(&di.digest, cms->digests[i].pe_digest, sizeof (di.digest));
+ if (content_is_empty(di.digest.data, di.digest.len)) {
+ cms->log(cms, LOG_ERR, "got empty digest");
+ return -1;
+ }
+
if (SEC_ASN1EncodeItem(cms->arena, dip, &di,
DigestInfoTemplate) == NULL) {
cms->log(cms, LOG_ERR, "could not encode DigestInfo: %s",
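Review bot: the emptiness check comes after `memcpy(&di.digest, cms->digests[i].pe_digest, sizeof (di.digest));`, so the NULL case that the generate_signature() hunk above guards against ("pe digest has not been allocated") still dereferences a NULL `pe_digest` here before the new check can run. Move a `if (cms->digests[i].pe_digest == NULL) { ...; return -1; }` ahead of the memcpy, then keep the content_is_empty() test after it.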
@@ -327,6 +332,12 @@ generate_cinfo_digest(cms_context *cms, SpcContentInfo *cip)
&cms->ci_digest->len,
digest_get_digest_size(cms)) != SECSuccess)
goto err;
+
+ if (content_is_empty(cms->ci_digest->data, cms->ci_digest->len)) {
+ cms->log(cms, LOG_ERR, "generated empty digest");
+ goto err;
+ }
+
if (cms->ci_digest->len > digest_get_digest_size(cms))
goto err;
diff --git a/src/signer_info.c b/src/signer_info.c
index 7a73c26..932b896 100644
--- a/src/signer_info.c
+++ b/src/signer_info.c
@@ -207,6 +207,11 @@ sign_blob(cms_context *cms, SECItem *sigitem, SECItem *sign_content)
if (!sign_content)
return -1;
+ if (content_is_empty(sign_content->data, sign_content->len)) {
+ cms->log(cms, LOG_ERR, "not signing empty digest");
+ return -1;
+ }
+
SECOidData *oid = SECOID_FindOIDByTag(digest_get_signature_oid(cms));
if (!oid)
goto err;
diff --git a/src/util.h b/src/util.h
index f495a0b..5e0ea34 100644
--- a/src/util.h
+++ b/src/util.h
@@ -110,6 +110,19 @@ free_poison(void *addrv, ssize_t len)
addr[x] = poison_pills[x % 2];
}
+static int
+__attribute__ ((unused))
+content_is_empty(uint8_t *data, ssize_t len)
+{
+ if (len < 1)
+ return 1;
+
+ for (int i = 0; i < len; i++)
+ if (data[i] != 0)
+ return 0;
+ return 1;
+}
+
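Review bot: the neighbouring helper in this header is declared `static inline`, but content_is_empty() is only `static int __attribute__ ((unused))`, so every translation unit that includes util.h gets its own out-of-line copy; make it `static inline` for consistency. The pointer should be `const uint8_t *data` since the function only reads it, and the loop index `int i` compared against `ssize_t len` mixes widths; `ssize_t i` avoids the implicit conversion. The `len < 1` early return does correctly cover the NULL-data, zero-length SECItem case without touching `data`.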
#if defined(DAEMON_H)
static inline uint32_t
__attribute__ ((unused))
--
1.7.12.1
@ -0,0 +1,47 @@
From d8ead122f34375a496d280bcc803f730542ca78d Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 17 Oct 2012 17:47:49 -0400
Subject: [PATCH 24/30] Make sure we free the token/cert we get from the
command line.
This probably needs some further examination, but valgrind likes what's
here currently.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/pesign.c b/src/pesign.c
index aa09bf5..be6494e 100644
--- a/src/pesign.c
+++ b/src/pesign.c
@@ -435,6 +435,7 @@ main(int argc, char *argv[])
char *digest_name = "sha256";
char *tokenname = "NSS Certificate DB";
+ char *origtoken = tokenname;
char *certname = NULL;
rc = pesign_context_new(&ctxp);
@@ -573,6 +574,8 @@ main(int argc, char *argv[])
PORT_ErrorToString(PORT_GetError()));
exit(1);
}
+ if (tokenname != origtoken)
+ free(tokenname);
ctxp->cms_ctx->certname = certname ?
PORT_ArenaStrdup(ctxp->cms_ctx->arena, certname) : NULL;
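Review bot: after `free(tokenname);` the variable still holds the freed pointer for the rest of main(), so any later diagnostic or code path that reads `tokenname` (the error paths below print names from the context) becomes a use-after-free; set `tokenname = NULL` after the free, or better, free both strings together right after they have been copied into the arena. The `tokenname != origtoken` test itself is correct: popt returns a freshly strdup'd string for POPT_ARG_STRING options, so only the command-line value needs freeing.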
@@ -581,6 +584,8 @@ main(int argc, char *argv[])
PORT_ErrorToString(PORT_GetError()));
exit(1);
}
+ if (certname)
+ free(certname);
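Review bot: free(NULL) is a no-op, so the `if (certname)` guard is unnecessary; and as with tokenname above, `certname` keeps dangling after the free, so assign NULL to it (or scope both frees right after the arena copies) so a later read cannot reach freed memory.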
int action = 0;
if (daemon)
--
1.7.12.1
@ -0,0 +1,36 @@
From 2030d382b49a1b957de829a67f74d9cc127c55ee Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 17 Oct 2012 17:48:44 -0400
Subject: [PATCH 25/30] [pesign] Only shut down nss in pesign.c if we're not
the daemon.
The daemon does its own init and shutdown.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/pesign.c b/src/pesign.c
index be6494e..6c10b6d 100644
--- a/src/pesign.c
+++ b/src/pesign.c
@@ -804,6 +804,14 @@ main(int argc, char *argv[])
}
pesign_context_free(ctxp);
- NSS_Shutdown();
+ if (!daemon) {
+ SECStatus status = NSS_Shutdown();
+ if (status != SECSuccess) {
+ fprintf(stderr, "could not shut down NSS: %s",
+ PORT_ErrorToString(PORT_GetError()));
+ exit(1);
+ }
+ }
+
return (rc < 0);
}
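Review bot: the format string "could not shut down NSS: %s" is missing the trailing `\n` that every other fprintf(stderr, ...) in this file ends with, so the error will run into whatever the shell prints next. Also note that a failed NSS_Shutdown() here usually means some NSS object (certificate, key, context) is still referenced; since this code path now runs after pesign_context_free(ctxp), exiting with status 1 is reasonable, but the message could name that cause to make the report actionable.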
--
1.7.12.1
@ -0,0 +1,233 @@
From 4efe979d6b781e064fe1afa946753ead9e3bbb9d Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 17 Oct 2012 17:49:17 -0400
Subject: [PATCH 26/30] Rework setup_digests() and teardown_digests()
This fixes the problem I was seeing with empty content_info digests, and
makes the code a /little/ bit cleaner in some ways.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/cms_common.c | 92 +++++++++++++++++++++++++++++++++-----------------------
src/cms_common.h | 1 -
src/daemon.c | 28 +----------------
src/pesign.c | 7 -----
4 files changed, 55 insertions(+), 73 deletions(-)
diff --git a/src/cms_common.c b/src/cms_common.c
index ab5a066..6b3f5ec 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -96,43 +96,6 @@ digest_get_digest_size(cms_context *cms)
return digest_params[i].size;
}
-
-int
-setup_digests(cms_context *cms)
-{
- struct digest *digests = NULL;
-
- digests = calloc(n_digest_params, sizeof (*digests));
- if (!digests) {
- cms->log(cms, LOG_ERR, "cannot allocate memory: %m");
- return -1;
- }
-
- for (int i = 0; i < n_digest_params; i++) {
- digests[i].pk11ctx = PK11_CreateDigestContext(
- digest_params[i].digest_tag);
- if (!digests[i].pk11ctx) {
- cms->log(cms, LOG_ERR, "could not create digest "
- "context: %s",
- PORT_ErrorToString(PORT_GetError()));
- goto err;
- }
-
- PK11_DigestBegin(digests[i].pk11ctx);
- }
-
- cms->digests = digests;
- return 0;
-err:
- for (int i = 0; i < n_digest_params; i++) {
- if (digests[i].pk11ctx)
- PK11_DestroyContext(digests[i].pk11ctx, PR_TRUE);
- }
-
- free(digests);
- return -1;
-}
-
void
teardown_digests(cms_context *ctx)
{
@@ -733,6 +696,46 @@ check_pointer_and_size(Pe *pe, void *ptr, size_t size)
return 1;
}
+int
+generate_digest_begin(cms_context *cms)
+{
+ struct digest *digests = NULL;
+
+ if (cms->digests) {
+ digests = cms->digests;
+ } else {
+ digests = calloc(n_digest_params, sizeof (*digests));
+ if (!digests) {
+ cms->log(cms, LOG_ERR, "cannot allocate memory: %m");
+ return -1;
+ }
+ }
+
+ for (int i = 0; i < n_digest_params; i++) {
+ digests[i].pk11ctx = PK11_CreateDigestContext(
+ digest_params[i].digest_tag);
+ if (!digests[i].pk11ctx) {
+ cms->log(cms, LOG_ERR, "could not create digest "
+ "context: %s",
+ PORT_ErrorToString(PORT_GetError()));
+ goto err;
+ }
+
+ PK11_DigestBegin(digests[i].pk11ctx);
+ }
+
+ cms->digests = digests;
+ return 0;
+err:
+ for (int i = 0; i < n_digest_params; i++) {
+ if (digests[i].pk11ctx)
+ PK11_DestroyContext(digests[i].pk11ctx, PR_TRUE);
+ }
+
+ free(digests);
+ return -1;
+}
+
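Review bot: the `err:` path does `free(digests);` unconditionally, but when `cms->digests` was non-NULL the function reused that array (`digests = cms->digests;`), so on failure it frees memory that `cms->digests` still points to, and the next teardown_digests() will double free it. Track whether the array was freshly allocated and only free (and clear `cms->digests`) in that case. In the reuse branch the existing `digests[i].pk11ctx` entries are also overwritten without PK11_DestroyContext(), which leaks the old contexts if generate_digest_begin() is called twice without a generate_digest_finish() in between; destroying any non-NULL pk11ctx before creating the new one closes that hole.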
void
generate_digest_step(cms_context *cms, void *data, size_t len)
{
@@ -762,6 +765,12 @@ generate_digest_finish(cms_context *cms)
PK11_DigestFinal(cms->digests[i].pk11ctx,
digest->data, &digest->len, digest_params[i].size);
+ PK11_Finalize(cms->digests[i].pk11ctx);
+ PK11_DestroyContext(cms->digests[i].pk11ctx, PR_TRUE);
+ cms->digests[i].pk11ctx = NULL;
+ if (cms->digests[i].pe_digest)
+ free_poison(cms->digests[i].pe_digest->data,
+ cms->digests[i].pe_digest->len);
cms->digests[i].pe_digest = digest;
}
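Review bot: the return value of `PK11_DigestFinal(cms->digests[i].pk11ctx, digest->data, &digest->len, digest_params[i].size)` is still not checked, so a failed finalisation leaves `digest` with whatever was in the buffer and this hunk then stores it as `pe_digest`; that is the case the content_is_empty() checks from patch 23 are catching downstream, and it is cheaper to fail here. The added `PK11_Finalize()` is a no-op once PK11_DigestFinal() has completed the operation (the context no longer has a pending multipart op), so it can be dropped in favour of checking PK11_DigestFinal()'s SECStatus.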
@@ -791,7 +800,14 @@ generate_digest(cms_context *cms, Pe *pe)
if (!pe) {
cms->log(cms, LOG_ERR, "no output pe ready");
- exit(1);
+ return -1;
+ }
+
+ rc = generate_digest_begin(cms);
+ if (rc < 0) {
+ cms->log(cms, LOG_ERR, "could not initialize digests: %s",
+ PORT_ErrorToString(PORT_GetError()));
+ return rc;
}
struct pe_hdr pehdr;
diff --git a/src/cms_common.h b/src/cms_common.h
index 830427e..5cbda62 100644
--- a/src/cms_common.h
+++ b/src/cms_common.h
@@ -86,7 +86,6 @@ extern int cms_context_alloc(cms_context **ctxp);
extern int cms_context_init(cms_context *ctx);
extern void cms_context_fini(cms_context *ctx);
-extern int setup_digests(cms_context *cms);
extern void teardown_digests(cms_context *ctx);
extern int generate_octet_string(cms_context *ctx, SECItem *encoded,
diff --git a/src/daemon.c b/src/daemon.c
index 534fb23..df20763 100644
--- a/src/daemon.c
+++ b/src/daemon.c
@@ -142,15 +142,6 @@ handle_unlock_token(context *ctx, struct pollfd *pollfd, socklen_t size)
return;
}
- rc = setup_digests(ctx->cms);
- if (rc < 0) {
- ctx->backup_cms->log(ctx->backup_cms, ctx->priority|LOG_NOTICE,
- "Could not initialize digests: %s\n",
- PORT_ErrorToString(PORT_GetError()));
- send_response(ctx, ctx->backup_cms, pollfd, rc);
- return;
- }
-
steal_from_cms(ctx->backup_cms, ctx->cms);
if (!buffer) {
@@ -491,6 +482,7 @@ finish:
close(outfd);
send_response(ctx, ctx->cms, pollfd, rc);
+ teardown_digests(ctx->cms);
}
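Review bot: teardown_digests(ctx->cms) now runs on every exit through `finish:`, including the error paths where generate_digest_begin() was never reached or failed, so it must tolerate `cms->digests == NULL` and entries whose `pk11ctx` has already been set to NULL by generate_digest_finish(); if it does not already do so, guard both before calling PK11_DestroyContext().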
static void
@@ -500,15 +492,6 @@ handle_sign_attached(context *ctx, struct pollfd *pollfd, socklen_t size)
if (rc < 0)
return;
- rc = setup_digests(ctx->cms);
- if (rc < 0) {
- ctx->backup_cms->log(ctx->backup_cms, ctx->priority|LOG_NOTICE,
- "Could not initialize digests: %s\n",
- PORT_ErrorToString(PORT_GetError()));
- send_response(ctx, ctx->backup_cms, pollfd, rc);
- return;
- }
-
steal_from_cms(ctx->backup_cms, ctx->cms);
handle_signing(ctx, pollfd, size, 1);
@@ -524,15 +507,6 @@ handle_sign_detached(context *ctx, struct pollfd *pollfd, socklen_t size)
if (rc < 0)
return;
- rc = setup_digests(ctx->cms);
- if (rc < 0) {
- ctx->backup_cms->log(ctx->backup_cms, ctx->priority|LOG_NOTICE,
- "Could not initialize digests: %s\n",
- PORT_ErrorToString(PORT_GetError()));
- send_response(ctx, ctx->backup_cms, pollfd, rc);
- return;
- }
-
steal_from_cms(ctx->backup_cms, ctx->cms);
handle_signing(ctx, pollfd, size, 0);
diff --git a/src/pesign.c b/src/pesign.c
index 6c10b6d..2c98600 100644
--- a/src/pesign.c
+++ b/src/pesign.c
@@ -548,13 +548,6 @@ main(int argc, char *argv[])
fprintf(stderr, "Could not register OIDs\n");
exit(1);
}
-
- rc = setup_digests(ctxp->cms_ctx);
- if (rc < 0) {
- fprintf(stderr, "Could not initialize digests: %s\n",
- PORT_ErrorToString(PORT_GetError()));
- exit(1);
- }
}
rc = set_digest_parameters(ctxp->cms_ctx, digest_name);
--
1.7.12.1
@ -0,0 +1,25 @@
From 15cd554d35c5ea8d31671b346dffd84e27e7c6ec Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 17 Oct 2012 17:52:57 -0400
Subject: [PATCH 27/30] We shouldn't need
Environment=NSS_STRICT_NOFORK=DISABLED any more.
Since NSS_Init is called from the daemon now, we should get past its
checking.
---
src/pesign.service | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/pesign.service b/src/pesign.service
index 4f6d63f..75a73c3 100644
--- a/src/pesign.service
+++ b/src/pesign.service
@@ -5,5 +5,4 @@ Description=Pesign signing daemon
PrivateTmp=true
Type=forking
PIDFile=/var/run/pesign.pid
-Environment=NSS_STRICT_NOFORK=DISABLED
ExecStart=/usr/bin/pesign --daemonize
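Review bot: dropping `Environment=NSS_STRICT_NOFORK=DISABLED` is only safe if NSS_Init() really happens in the child after the fork that `Type=forking` implies; NSS's softoken records the initialising PID and will fail PKCS#11 calls made from a different process. The commit message says the daemon now does its own init, so a short comment in the unit file (or in daemonize()) recording that ordering would keep someone from re-adding the override when they see that failure mode.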
--
1.7.12.1
@ -0,0 +1,174 @@
From 1b94dd90f5a1c65df16ffe3b0619ce5dc0ca1f06 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 17 Oct 2012 19:59:49 -0400
Subject: [PATCH 28/30] Fix errors found by coverity.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/actions.c | 4 ++--
src/cms_common.c | 17 ++++++++++-------
src/daemon.c | 16 +++++++++++++++-
src/password.c | 1 +
src/pesign_context.c | 4 +++-
src/wincert.c | 2 +-
6 files changed, 32 insertions(+), 12 deletions(-)
diff --git a/src/actions.c b/src/actions.c
index 76a311c..9cf4f45 100644
--- a/src/actions.c
+++ b/src/actions.c
@@ -70,7 +70,7 @@ insert_signature(cms_context *cms, int signum)
if (signum != cms->num_signatures) {
memmove(cms->signatures[signum+1],
cms->signatures[signum],
- sizeof(SECItem *) * (cms->num_signatures - signum));
+ sizeof(SECItem) * (cms->num_signatures - signum));
}
cms->signatures[signum] = sig;
cms->num_signatures++;
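Review bot: changing the element size to sizeof(SECItem) is only right if `cms->signatures` is an array of SECItem structs, but the wincert.c hunk in this same patch allocates each entry separately (`signatures[i] = calloc(1, sizeof (SECItem));`), which means the array holds pointers. With `memmove(cms->signatures[signum+1], cms->signatures[signum], sizeof(SECItem) * n)` the call copies struct contents between two single-item heap blocks rather than shifting the pointer array, and writes past the destination block whenever n > 1. If the intent is to open a slot for `sig`, the operands should be `&cms->signatures[signum+1]` and `&cms->signatures[signum]` with `sizeof(SECItem *)`, and the array needs room for `num_signatures + 1` entries.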
@@ -430,7 +430,7 @@ remove_signature(pesign_context *p_ctx)
if (p_ctx->signum != ctx->num_signatures - 1)
memmove(ctx->signatures[p_ctx->signum],
ctx->signatures[p_ctx->signum+1],
- sizeof(SECItem *) *
+ sizeof(SECItem) *
(ctx->num_signatures - p_ctx->signum));
ctx->num_signatures--;
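Review bot: same concern as in insert_signature above: with pointer elements this should be `memmove(&ctx->signatures[p_ctx->signum], &ctx->signatures[p_ctx->signum+1], sizeof(SECItem *) * count)`. Separately, the count `(ctx->num_signatures - p_ctx->signum)` is one too many: the entries being shifted down are `signum+1 .. num_signatures-1`, which is `num_signatures - signum - 1` elements, so the current count reads one entry past the end of the array.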
diff --git a/src/cms_common.c b/src/cms_common.c
index 6b3f5ec..898ddfb 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -598,16 +598,19 @@ generate_spc_string(cms_context *cms, SECItem *ssp, char *str, int len)
memset(&ss, '\0', sizeof (ss));
SECITEM_AllocItem(cms->arena, &ss.unicode, len);
- if (!ss.unicode.data && len != 0) {
- cms->log(cms, LOG_ERR, "could not allocate memory: %s",
- PORT_ErrorToString(PORT_GetError()));
- return -1;
+ if (len != 0) {
+ if (!ss.unicode.data) {
+ cms->log(cms, LOG_ERR, "could not allocate memory: %s",
+ PORT_ErrorToString(PORT_GetError()));
+ return -1;
+ }
+
+ memcpy(ss.unicode.data, str, len);
}
-
- memcpy(ss.unicode.data, str, len);
ss.unicode.type = siBMPString;
- if (SEC_ASN1EncodeItem(cms->arena, ssp, &ss, SpcStringTemplate) == NULL) {
+ if (SEC_ASN1EncodeItem(cms->arena, ssp, &ss, SpcStringTemplate)
+ == NULL) {
cms->log(cms, LOG_ERR, "could not encode SpcString: %s",
PORT_ErrorToString(PORT_GetError()));
return -1;
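Review bot: the restructuring fixes the NULL-deref that coverity flagged (memcpy into `ss.unicode.data` when the allocation failed), but when `len == 0` the function now skips checking `ss.unicode.data` entirely and encodes whatever SECITEM_AllocItem() left in `ss.unicode`; that is fine only because SECITEM_AllocItem() sets `len` to 0 in that case, so a one-line comment saying the empty BMPString is intentional would help the next reader.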
diff --git a/src/daemon.c b/src/daemon.c
index df20763..7ad036c 100644
--- a/src/daemon.c
+++ b/src/daemon.c
@@ -134,7 +134,6 @@ handle_unlock_token(context *ctx, struct pollfd *pollfd, socklen_t size)
struct msghdr msg;
struct iovec iov;
ssize_t n;
- char *buffer = malloc(size);
int rc = cms_context_alloc(&ctx->cms);
if (rc < 0) {
@@ -144,6 +143,7 @@ handle_unlock_token(context *ctx, struct pollfd *pollfd, socklen_t size)
steal_from_cms(ctx->backup_cms, ctx->cms);
+ char *buffer = malloc(size);
if (!buffer) {
oom:
ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
@@ -792,6 +792,7 @@ check_socket(context *ctx)
rc = connect(sd, (struct sockaddr *)&addr_un, len);
if (rc < 0) {
+ close(sd);
unlink(SOCKPATH);
return;
}
@@ -800,6 +801,7 @@ check_socket(context *ctx)
socklen_t size = sizeof(remote);
rc = getpeername(sd, &remote, &size);
if (rc < 0) {
+ close(sd);
return;
} else {
fprintf(stderr, "already running");
@@ -913,6 +915,12 @@ daemonize(cms_context *cms_ctx, int do_fork)
if (do_fork) {
int fd = open("/dev/zero", O_RDONLY);
+ if (fd < 0) {
+ ctx.backup_cms->log(ctx.backup_cms,
+ ctx.priority|LOG_ERR,
+ "could not open /dev/zero: %m");
+ exit(1);
+ }
close(STDIN_FILENO);
rc = dup2(fd, STDIN_FILENO);
if (rc < 0) {
@@ -924,6 +932,12 @@ daemonize(cms_context *cms_ctx, int do_fork)
close(fd);
fd = open("/dev/null", O_WRONLY);
+ if (fd < 0) {
+ ctx.backup_cms->log(ctx.backup_cms,
+ ctx.priority|LOG_ERR,
+ "could not open /dev/null: %m");
+ exit(1);
+ }
close(STDOUT_FILENO);
rc = dup2(fd, STDOUT_FILENO);
if (rc < 0) {
diff --git a/src/password.c b/src/password.c
index 5ee15f8..100c584 100644
--- a/src/password.c
+++ b/src/password.c
@@ -114,6 +114,7 @@ SECU_GetPasswordString(void *arg, char *prompt)
output = fopen(consoleName, "w");
if (output == NULL) {
+ fclose(input);
fprintf(stderr, "Error opening output terminal for write\n");
return NULL;
}
diff --git a/src/pesign_context.c b/src/pesign_context.c
index cbd929f..033e8de 100644
--- a/src/pesign_context.c
+++ b/src/pesign_context.c
@@ -38,8 +38,10 @@ pesign_context_new(pesign_context **ctx)
return -1;
rc = pesign_context_init(context);
- if (rc < 0)
+ if (rc < 0) {
+ free(context);
return rc;
+ }
context->flags |= PESIGN_C_ALLOCATED;
*ctx = context;
diff --git a/src/wincert.c b/src/wincert.c
index b487dc5..4b5ba45 100644
--- a/src/wincert.c
+++ b/src/wincert.c
@@ -257,7 +257,7 @@ parse_signatures(cms_context *cms, Pe *pe)
if (rc <= 0)
break;
- signatures[i] = calloc(1, sizeof (SECItem *));
+ signatures[i] = calloc(1, sizeof (SECItem));
if (!signatures[i])
goto err;
--
1.7.12.1
@ -0,0 +1,41 @@
From 95c0fe1d512fcdf3b397359fb0f54dc44e5947c2 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 18 Oct 2012 09:12:25 -0400
Subject: [PATCH 29/30] Don't keep the DEPS list twice.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/Makefile | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/Makefile b/src/Makefile
index cd06158..cb74c12 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -39,14 +39,20 @@ client_OBJECTS = $(foreach source,$(client_SOURCES),$(patsubst %.c,%,$(source)).
client_DEPS = $(foreach source,$(client_SOURCES),.$(patsubst %.c,%,$(source)).P)
client : $(client_OBJECTS) $(STATIC_LIBS)
-deps : $(generic_DEPS)$(authvar_DEPS) $(pesign_DEPS) $(client_DEPS) \
+fuzzsocket_SOURCES = fuzzsocket.c
+fuzzsocket_OBJECTS = $(foreach source,$(fuzzsocket_SOURCES),$(patsubst %.c,%,$(source)).o)
+fuzzsocket_DEPS = $(foreach source,$(fuzzsocket_SOURCES),.$(patsubst %.c,%,$(source)).P)
+fuzzsocket : $(fuzzsocket_OBJECTS)
+
+DEPS = $(generic_DEPS)$(authvar_DEPS) $(pesign_DEPS) $(client_DEPS) \
$(peverify_DEPS)
+deps : $(DEPS)
+
depclean :
@rm -fv .*.P
--include $(generic_DEPS) $(authvar_DEPS) $(pesign_DEPS) $(client_DEPS) \
- $(peverify_DEPS)
+-include $(DEPS)
clean : depclean
@rm -rfv *.o *.a *.so $(TARGETS)
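Review bot: `$(generic_DEPS)$(authvar_DEPS)` on the new `DEPS =` line is missing the space between the two expansions, so the last generic .P file and the first authvar .P file are concatenated into one nonexistent path; this was already wrong on the removed line, but since the list is being rewritten it should be fixed here. The fuzzsocket_SOURCES/OBJECTS/DEPS/target additions are unrelated to "Don't keep the DEPS list twice" and would be easier to review as their own commit; as it stands, `$(fuzzsocket_DEPS)` is also not included in `DEPS`, so its dependency file is neither generated nor included.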
--
1.7.12.1
@ -0,0 +1,26 @@
From 44aad110fd3f0a12e1817d95047f882c4d8b0fce Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 18 Oct 2012 11:36:10 -0400
Subject: [PATCH 30/30] Don't build util/ right now.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 531c865..5e9bd31 100644
--- a/Makefile
+++ b/Makefile
@@ -2,7 +2,7 @@ TOPDIR = $(shell echo $$PWD)
include $(TOPDIR)/Make.defaults
-SUBDIRS := include libdpe src util
+SUBDIRS := include libdpe src
DOCDIR := /share/doc/
VERSION = 0.99
--
1.7.12.1
@ -1,7 +1,7 @@
Summary: Signing utility for UEFI binaries Summary: Signing utility for UEFI binaries
Name: pesign Name: pesign
Version: 0.99 Version: 0.99
Release: 3%{?dist} Release: 4%{?dist}
Group: Development/System Group: Development/System
License: GPLv2 License: GPLv2
URL: https://github.com/vathpela/pesign URL: https://github.com/vathpela/pesign
@ -22,6 +22,31 @@ Patch1: 0002-Remove-an-unused-field.patch
Patch2: 0003-Free-the-certificate-list-we-make-once-we-re-done-us.patch Patch2: 0003-Free-the-certificate-list-we-make-once-we-re-done-us.patch
Patch3: 0004-Make-sure-we-actually-look-up-the-certificate-when-n.patch Patch3: 0004-Make-sure-we-actually-look-up-the-certificate-when-n.patch
Patch4: 0005-Fix-check-for-allocations-on-tokenname-certname.patch Patch4: 0005-Fix-check-for-allocations-on-tokenname-certname.patch
Patch5: 0006-Update-valgrind.supp-for-newer-codepaths.patch
Patch6: 0007-Free-the-pid-string-once-we-re-done-writing-it.patch
Patch7: 0008-valgrind-Don-t-complain-about-unlocking-a-key-and-ke.patch
Patch8: 0009-Only-try-to-register-OIDs-once.patch
Patch9: 0010-Check-for-NSS_Shutdown-failure.patch
Patch10: 0011-Don-t-destroy-stdin-stdout-stderr-if-we-don-t-fork.patch
Patch11: 0012-valgrind-Add-SECMOD_LoadModule-codepath.patch
Patch12: 0013-Don-t-set-up-digests-in-cms_context_init.patch
Patch13: 0014-Do-register_oids-where-we-re-doing-NSS_Init.patch
Patch14: 0015-Make-daemon-shutdown-actually-close-the-NSS-database.patch
Patch15: 0016-Reformat-a-bunch-of-error-messages-to-be-vaguely-con.patch
Patch16: 0017-Use-PORT_ArenaStrdup-where-appropriate.patch
Patch17: 0018-Minor-whitespace-fixes.patch
Patch18: 0019-daemon-Make-sure-inpe-is-initialized-before-all-erro.patch
Patch19: 0020-Allocate-pesign_context-rather-than-having-it-on-the.patch
Patch20: 0021-pesign-initialize-nss-only-if-we-re-not-a-daemon.patch
Patch21: 0022-Handle-errors-on-pesign_context_init.patch
Patch22: 0023-Add-sanity-checking-to-make-sure-we-don-t-emit-unini.patch
Patch23: 0024-Make-sure-we-free-the-token-cert-we-get-from-the-com.patch
Patch24: 0025-pesign-Only-shut-down-nss-in-pesign.c-if-we-re-not-t.patch
Patch25: 0026-Rework-setup_digests-and-teardown_digests.patch
Patch26: 0027-We-shouldn-t-need-Environment-NSS_STRICT_NOFORK-DISA.patch
Patch27: 0028-Fix-errors-found-by-coverity.patch
Patch28: 0029-Don-t-keep-the-DEPS-list-twice.patch
Patch30: 0030-Don-t-build-util-right-now.patch
%description %description
This package contains the pesign utility for signing UEFI binaries as This package contains the pesign utility for signing UEFI binaries as
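Review bot: the numbering skips Patch29: the list goes `Patch28: 0029-Don-t-keep-the-DEPS-list-twice.patch` straight to `Patch30: 0030-Don-t-build-util-right-now.patch`. That is harmless to rpmbuild only if the %prep section applies the same numbers; if %prep uses a sequential `%patch5 ... %patch29 -p1` it will fail on the missing Patch29, so either renumber to Patch29 or make sure the %patch lines (not in this diff) match.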
@ -85,6 +110,10 @@ exit 0
%ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/pesign.pid %ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/pesign.pid
%changelog %changelog
* Wed Oct 17 2012 Peter Jones <pjones@redhat.com> - 0.99-4
- Fix some more bugs found by valgrind and coverity.
- Don't build utils/ ; we're not using them and they're not ready anyway.
* Wed Oct 17 2012 Peter Jones <pjones@redhat.com> - 0.99-3 * Wed Oct 17 2012 Peter Jones <pjones@redhat.com> - 0.99-3
- Fix daemon startup bug from 0.99-2 - Fix daemon startup bug from 0.99-2
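Review bot: the new %changelog entry is dated "Wed Oct 17 2012" while the last patches in the series (0029, 0030) are dated Thu 18 Oct 2012; rpmlint only requires non-decreasing dates, so it builds, but the entry should carry the real release date. It also says "Don't build utils/" whereas the patch subject and the Makefile change say `util`; use the actual directory name so the changelog matches the tree.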