Fix various bugs from 0.99-1
- Don't make the database unreadable just yet.
parent
428f873263
commit
70aaeb7aa3
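--- a/0001-Use-PK11_TraverseCertsForNicknameInSlot-after-all.patch
+++ b/0001-Use-PK11_TraverseCertsForNicknameInSlot-after-all.patch
@@ -0,0 +1,55 @@
+From 406a08cc45a2d0761294002d946ee3381a4706ee Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Wed, 17 Oct 2012 09:53:07 -0400
+Subject: [PATCH 1/4] Use PK11_TraverseCertsForNicknameInSlot after all.
+
+As of 76bc13c it doesn't appear to be leaky any more, and it does a
+better job of disinguishing between certificates with the same nickname
+than we did when doing it by hand.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+src/cms_common.c | 20 ++++++++++----------
+1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/src/cms_common.c b/src/cms_common.c
+index 644b44c..2d51979 100644
+--- a/src/cms_common.c
++++ b/src/cms_common.c
+@@ -465,23 +465,23 @@ err_slots:
+goto err_slots_errmsg;
+}
+
++ SECItem nickname = {
++ .data = (void *)cms->certname,
++ .len = strlen(cms->certname) + 1,
++ .type = siUTF8String,
++ };
+struct cbdata cbdata = {
+.cert = NULL,
+.psle = psle,
+.pwdata = pwdata,
+};
+
+- CERTCertListNode *node = NULL;
+- for (node = CERT_LIST_HEAD(certlist); !CERT_LIST_END(node,certlist);
+- node = CERT_LIST_NEXT(node)) {
+- if (strcmp(cms->certname, node->cert->nickname))
+- continue;
++ status = PK11_TraverseCertsForNicknameInSlot(&nickname, psle->slot,
++ is_valid_cert, &cbdata);
++ if (cbdata.cert == NULL)
++ goto err_slots;
+
+- if (is_valid_cert(node->cert, &cbdata) == SECSuccess) {
+- cms->cert = CERT_DupCertificate(cbdata.cert);
+- break;
+- }
+- }
++ cms->cert = CERT_DupCertificate(cbdata.cert);
+
+PK11_DestroySlotListElement(slots, &psle);
+PK11_FreeSlotList(slots);
+--
+1.7.12.1
+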
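Review bot: The not-found branch `if (cbdata.cert == NULL) goto err_slots;` in the cms_common.c hunk jumps away before the `PK11_DestroySlotListElement(slots, &psle);` and `PK11_FreeSlotList(slots);` calls that follow it, so unless the `err_slots` label (outside this hunk) releases them, a failed nickname lookup leaks the slot list; calling both before the `goto` would close that. `status` from `PK11_TraverseCertsForNicknameInSlot` is assigned but never inspected, so either act on it or drop the assignment. It is also worth confirming that `is_valid_cert` takes its own reference on the certificate it stores in `cbdata.cert`, because `CERT_DupCertificate(cbdata.cert)` now runs after the traversal has returned and the stored pointer may no longer be backed by a live reference. The enclosing function starts and ends outside the hunk.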
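--- a/0002-Remove-an-unused-field.patch
+++ b/0002-Remove-an-unused-field.patch
@@ -0,0 +1,38 @@
+From e4aa0a2755d7b00e31760a7f90561b0566445fa4 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Wed, 17 Oct 2012 09:54:10 -0400
+Subject: [PATCH 2/4] Remove an unused field.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+src/pesign_context.c | 1 -
+src/pesign_context.h | 1 -
+2 files changed, 2 deletions(-)
+
+diff --git a/src/pesign_context.c b/src/pesign_context.c
+index b4b201d..c6afda6 100644
+--- a/src/pesign_context.c
++++ b/src/pesign_context.c
+@@ -88,7 +88,6 @@ pesign_context_fini(pesign_context *ctx)
+ctx->cms_ctx = NULL;
+}
+
+- xfree(ctx->certname);
+xfree(ctx->privkeyfile);
+
+if (ctx->outpe) {
+diff --git a/src/pesign_context.h b/src/pesign_context.h
+index cabccf3..8f4e45a 100644
+--- a/src/pesign_context.h
++++ b/src/pesign_context.h
+@@ -58,7 +58,6 @@ typedef struct {
+Pe *outpe;
+
+char *privkeyfile;
+- char *certname;
+cms_context *cms_ctx;
+
+int flags;
+--
+1.7.12.1
+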
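--- a/0003-Free-the-certificate-list-we-make-once-we-re-done-us.patch
+++ b/0003-Free-the-certificate-list-we-make-once-we-re-done-us.patch
@@ -0,0 +1,26 @@
+From df5afd0e6d92f31a804f5f1631b6fae3b8ef4d8b Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Wed, 17 Oct 2012 09:54:37 -0400
+Subject: [PATCH 3/4] Free the certificate list we make once we're done using
+it.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+src/wincert.c | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/src/wincert.c b/src/wincert.c
+index fe666c5..b487dc5 100644
+--- a/src/wincert.c
++++ b/src/wincert.c
+@@ -74,6 +74,7 @@ finalize_signatures(cms_context *cms, Pe *pe)
+free(clist);
+return -1;
+}
++ free(clist);
+return 0;
+}
+
+--
+1.7.12.1
+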
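--- a/0004-Make-sure-we-actually-look-up-the-certificate-when-n.patch
+++ b/0004-Make-sure-we-actually-look-up-the-certificate-when-n.patch
@@ -0,0 +1,63 @@
+From c13cc0b03dcae9a743cc49aaa62c3923a3e7d8f9 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Wed, 17 Oct 2012 09:55:02 -0400
+Subject: [PATCH 4/4] Make sure we actually look up the certificate when not
+in daemon mode.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+src/pesign.c | 24 +++++++++++++++---------
+1 file changed, 15 insertions(+), 9 deletions(-)
+
+diff --git a/src/pesign.c b/src/pesign.c
+index 108994e..4ddf636 100644
+--- a/src/pesign.c
++++ b/src/pesign.c
+@@ -500,12 +500,6 @@ main(int argc, char *argv[])
+POPT_TABLEEND
+};
+
+- tokenname = strdup(tokenname);
+- if (!tokenname) {
+- fprintf(stderr, "could not allocate memory: %m\n");
+- exit(1);
+- }
+-
+if (!daemon) {
+SECStatus status = NSS_Init("/etc/pki/pesign");
+if (status != SECSuccess) {
+@@ -521,8 +515,6 @@ main(int argc, char *argv[])
+exit(1);
+}
+
+- ctx.cms_ctx->certname = certname ? strdup(certname) : NULL;
+-
+optCon = poptGetContext("pesign", argc, (const char **)argv, options,0);
+
+rc = poptReadDefaultConfig(optCon, 0);
+@@ -559,7 +551,21 @@ main(int argc, char *argv[])
+exit(!is_help);
+}
+
+- ctx.cms_ctx->tokenname = tokenname;
++ ctx.cms_ctx->tokenname = tokenname ?
++ PORT_ArenaStrdup(ctx.cms_ctx->arena, tokenname) : NULL;
++ if (!ctx.cms_ctx->tokenname) {
++ fprintf(stderr, "could not allocate token name: %s\n",
++ PORT_ErrorToString(PORT_GetError()));
++ exit(1);
++ }
++
++ ctx.cms_ctx->certname = certname ?
++ PORT_ArenaStrdup(ctx.cms_ctx->arena, certname) : NULL;
++ if (!ctx.cms_ctx->certname) {
++ fprintf(stderr, "could not allocate certificate name: %s\n",
++ PORT_ErrorToString(PORT_GetError()));
++ exit(1);
++ }
+
+int action = 0;
+if (daemon)
+--
+1.7.12.1
+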
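Review bot: The new check `if (!ctx.cms_ctx->certname)` in the last pesign.c hunk also fires when no certificate name was supplied, because the ternary yields NULL for a NULL `certname`. The run then exits with "could not allocate certificate name" and whatever stale value `PORT_GetError()` holds, whereas the removed `certname ? strdup(certname) : NULL` line accepted a missing name. If any action is meant to work without a certificate, the guard should read `if (certname && !ctx.cms_ctx->certname) {`, and the same applies to the `tokenname` check unless that variable always carries a default. Relaxing it means the lookup added in patch 1/4 has to reject a NULL name before it reaches `strlen(cms->certname)`. `main` continues outside the hunks shown.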
15
pesign.spec
15
pesign.spec
@ -1,7 +1,7 @@
|
||||
Summary: Signing utility for UEFI binaries
|
||||
Name: pesign
|
||||
Version: 0.99
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
Group: Development/System
|
||||
License: GPLv2
|
||||
URL: https://github.com/vathpela/pesign
|
||||
@ -17,6 +17,11 @@ ExclusiveArch: i686 x86_64 ia64
|
||||
Source0: pesign-%{version}.tar.bz2
|
||||
Source1: rh-test-certs.tar.bz2
|
||||
|
||||
Patch0: 0001-Use-PK11_TraverseCertsForNicknameInSlot-after-all.patch
|
||||
Patch1: 0002-Remove-an-unused-field.patch
|
||||
Patch2: 0003-Free-the-certificate-list-we-make-once-we-re-done-us.patch
|
||||
Patch3: 0004-Make-sure-we-actually-look-up-the-certificate-when-n.patch
|
||||
|
||||
%description
|
||||
This package contains the pesign utility for signing UEFI binaries as
|
||||
well as other associated tools.
|
||||
@ -72,13 +77,17 @@ exit 0
|
||||
%{_mandir}/man*/*
|
||||
%{_unitdir}/pesign.service
|
||||
%{_prefix}/lib/tmpfiles.d/pesign.conf
|
||||
%dir %attr(0770,pesign,pesign) /etc/pki/pesign
|
||||
%attr(0660,pesign,pesign) /etc/pki/pesign/*
|
||||
%dir %attr(0775,pesign,pesign) /etc/pki/pesign
|
||||
%attr(0664,pesign,pesign) /etc/pki/pesign/*
|
||||
%dir %attr(0770, pesign, pesign) %{_localstatedir}/run/%{name}
|
||||
%ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/socket
|
||||
%ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/pesign.pid
|
||||
|
||||
%changelog
|
||||
* Wed Oct 17 2012 Peter Jones <pjones@redhat.com> - 0.99-2
|
||||
- Fix various bugs from 0.99-1
|
||||
- Don't make the database unreadable just yet.
|
||||
|
||||
* Mon Oct 15 2012 Peter Jones <pjones@redhat.com> - 0.99-1
|
||||
- Update to 0.99
|
||||
- Add documentation for client/server mode.
|
||||
|
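Review bot: The `%files` entries for `/etc/pki/pesign` appear to go from `0770`/`0660` to `0775`/`0664`, which makes the NSS database that `NSS_Init("/etc/pki/pesign")` opens readable by every local account, not only members of the `pesign` group. If signing keys are stored in that database, their confidentiality then rests on the database password alone, since nothing at the filesystem level stops a local user from copying the key store. The changelog describes this as temporary ("just yet"), so the spec should record that next to the two lines, for example `# TODO: restore 0770/0660 on /etc/pki/pesign once all callers run as the pesign group or use the daemon socket`, so the relaxed modes are not carried forward by accident.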