From 5e00099eb876612483353717c6f0ee8761261161 Mon Sep 17 00:00:00 2001 From: Panu Matilainen Date: Tue, 1 Apr 2008 07:49:50 +0000 Subject: [PATCH] Rediff NSS patch to fight off fuzz --- rpm-4.4.2.3-nss.patch | 684 +++++++++++++++++------------------------- 1 file changed, 276 insertions(+), 408 deletions(-) diff --git a/rpm-4.4.2.3-nss.patch b/rpm-4.4.2.3-nss.patch index 3d52b67..b574863 100644 --- a/rpm-4.4.2.3-nss.patch +++ b/rpm-4.4.2.3-nss.patch @@ -1,7 +1,14 @@ -diff -r ec9e6c427068 Makefile.am ---- a/Makefile.am Wed Oct 24 16:02:51 2007 +0300 -+++ b/Makefile.am Thu Nov 01 10:56:58 2007 +0100 -@@ -10,14 +10,14 @@ EXTRA_DIST = CHANGES ChangeLog CREDITS D +commit c8173f26908886f7b02f7f88a7a2aed9498839da +Author: Panu Matilainen +Date: Tue Apr 1 10:42:49 2008 +0300 + + NSS support + +diff --git a/Makefile.am b/Makefile.am +index 0495836..4c68c4c 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -10,14 +10,14 @@ EXTRA_DIST = CHANGES ChangeLog CREDITS Doxyheader GROUPS README.amiga INSTALL \ po/*.in po/*.po po/rpm.pot \ rpm.magic rpmpopt-$(VERSION) rpmqv.c @@ -52,10 +59,11 @@ diff -r ec9e6c427068 Makefile.am `make -s sources -C file/src` \ `make -s sources -C popt` -diff -r ec9e6c427068 autogen.sh ---- a/autogen.sh Wed Oct 24 16:02:51 2007 +0300 -+++ b/autogen.sh Thu Nov 01 10:56:58 2007 +0100 -@@ -48,9 +48,6 @@ if [ -d zlib ]; then +diff --git a/autogen.sh b/autogen.sh +index 27d4118..63bfbe1 100755 +--- a/autogen.sh ++++ b/autogen.sh +@@ -48,9 +48,6 @@ fi if [ -d zlib ]; then (echo "--- zlib"; cd zlib; ./autogen.sh --noconfigure "$@") fi @@ -65,9 +73,10 @@ diff -r ec9e6c427068 autogen.sh if [ -d elfutils ]; then (echo "--- elfutils"; cd elfutils; ./autogen.sh --noconfigure "$@") fi -diff -r ec9e6c427068 build/Makefile.am ---- a/build/Makefile.am Wed Oct 24 16:02:51 2007 +0300 -+++ b/build/Makefile.am Thu Nov 01 10:56:58 2007 +0100 +diff --git a/build/Makefile.am b/build/Makefile.am +index 83d2dee..75b41c2 100644 +--- a/build/Makefile.am ++++ b/build/Makefile.am 
@@ -9,7 +9,7 @@ INCLUDES = -I. \ -I$(top_srcdir)/lib \ -I$(top_srcdir)/rpmdb \ @@ -77,10 +86,11 @@ diff -r ec9e6c427068 build/Makefile.am @WITH_MAGIC_INCLUDE@ \ @WITH_POPT_INCLUDE@ \ @WITH_LIBELF_INCLUDE@ \ -diff -r ec9e6c427068 configure.ac ---- a/configure.ac Wed Oct 24 16:02:51 2007 +0300 -+++ b/configure.ac Thu Nov 01 10:56:58 2007 +0100 -@@ -463,34 +463,32 @@ AC_SUBST(WITH_LIBDWARF_DEBUGEDIT) +diff --git a/configure.ac b/configure.ac +index b004391..c98c86d 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -463,34 +463,32 @@ AC_SUBST(WITH_LIBDWARF_INCLUDE) AC_SUBST(WITH_LIBDWARF_DEBUGEDIT) #================= @@ -127,21 +137,21 @@ diff -r ec9e6c427068 configure.ac - if test -z "${WITH_BEECRYPT_LIB}" ; then - AC_MSG_ERROR([rpm requires beecrypt]) - fi --]) ++ AC_MSG_ERROR([rpm requires NSS]) + ]) -AC_SUBST(WITH_BEECRYPT_SUBDIR) -AC_SUBST(WITH_BEECRYPT_INCLUDE) -AC_SUBST(WITH_BEECRYPT_LIB) -+ AC_MSG_ERROR([rpm requires NSS]) -+]) +CPPFLAGS="$save_CPPFLAGS" +AC_SUBST(WITH_NSS_INCLUDE) +AC_SUBST(WITH_NSS_LIB) #================= # Check for neon library. Prefer external, otherwise internal. -diff -r ec9e6c427068 lib/Makefile.am ---- a/lib/Makefile.am Wed Oct 24 16:02:51 2007 +0300 -+++ b/lib/Makefile.am Thu Nov 01 10:56:58 2007 +0100 +diff --git a/lib/Makefile.am b/lib/Makefile.am +index d433b75..fe761da 100644 +--- a/lib/Makefile.am ++++ b/lib/Makefile.am @@ -9,7 +9,7 @@ INCLUDES = -I. \ -I$(top_srcdir)/build \ -I$(top_srcdir)/rpmdb \ 
@@ -151,10 +161,11 @@ diff -r ec9e6c427068 lib/Makefile.am @WITH_POPT_INCLUDE@ \ -I$(top_srcdir)/misc \ @INCPATH@ -diff -r ec9e6c427068 lib/formats.c ---- a/lib/formats.c Wed Oct 24 16:02:51 2007 +0300 -+++ b/lib/formats.c Thu Nov 01 10:56:58 2007 +0100 -@@ -210,23 +210,17 @@ static /*@only@*/ char * base64Format(in +diff --git a/lib/formats.c b/lib/formats.c +index 59f953a..e4354ff 100644 +--- a/lib/formats.c ++++ b/lib/formats.c +@@ -210,23 +210,17 @@ static /*@only@*/ char * base64Format(int_32 type, const void * data, int lc; /* XXX HACK ALERT: element field abused as no. bytes of binary data. */ size_t ns = element; @@ -182,7 +193,7 @@ diff -r ec9e6c427068 lib/formats.c t = stpcpy(t, enc); enc = _free(enc); } -@@ -310,16 +304,13 @@ static /*@only@*/ char * xmlFormat(int_3 +@@ -310,16 +304,13 @@ static /*@only@*/ char * xmlFormat(int_32 type, const void * data, xtag = "string"; break; case RPM_BIN_TYPE: @@ -206,10 +217,11 @@ diff -r ec9e6c427068 lib/formats.c xtag = "base64"; } break; case RPM_CHAR_TYPE: -diff -r ec9e6c427068 lib/package.c ---- a/lib/package.c Wed Oct 24 16:02:51 2007 +0300 -+++ b/lib/package.c Thu Nov 01 10:56:58 2007 +0100 -@@ -1008,11 +1008,9 @@ rpmRC rpmReadPackageFile(rpmts ts, FD_t +diff --git a/lib/package.c b/lib/package.c +index 09571b0..8458b02 100644 +--- a/lib/package.c ++++ b/lib/package.c +@@ -1008,11 +1008,9 @@ rpmRC rpmReadPackageFile(rpmts ts, FD_t fd, const char * fn, Header * hdrp) fddig->hashctx = NULL; /*@switchbreak@*/ break; case PGPHASHALGO_SHA1: 
@@ -221,10 +233,11 @@ diff -r ec9e6c427068 lib/package.c dig->sha1ctx = fddig->hashctx; fddig->hashctx = NULL; /*@switchbreak@*/ break; -diff -r ec9e6c427068 lib/rpmchecksig.c ---- a/lib/rpmchecksig.c Wed Oct 24 16:02:51 2007 +0300 -+++ b/lib/rpmchecksig.c Thu Nov 01 10:56:58 2007 +0100 -@@ -447,7 +447,7 @@ rpmRC rpmcliImportPubkey(const rpmts ts, +diff --git a/lib/rpmchecksig.c b/lib/rpmchecksig.c +index b4d377e..83b2d2e 100644 +--- a/lib/rpmchecksig.c ++++ b/lib/rpmchecksig.c +@@ -447,7 +447,7 @@ rpmRC rpmcliImportPubkey(const rpmts ts, const unsigned char * pkt, ssize_t pktl if (rpmtsOpenDB(ts, (O_RDWR|O_CREAT))) return RPMRC_FAIL; @@ -245,9 +258,25 @@ diff -r ec9e6c427068 lib/rpmchecksig.c assert(dig->sha1ctx == NULL); dig->sha1ctx = fddig->hashctx; fddig->hashctx = NULL; -diff -r ec9e6c427068 lib/rpmts.c ---- a/lib/rpmts.c Wed Oct 24 16:02:51 2007 +0300 -+++ b/lib/rpmts.c Thu Nov 01 10:56:58 2007 +0100 +diff --git a/lib/rpmrc.c b/lib/rpmrc.c +index d402a1e..07e604a 100644 +--- a/lib/rpmrc.c ++++ b/lib/rpmrc.c +@@ -1884,6 +1884,10 @@ int rpmReadConfigFiles(const char * file, const char * target) + /* Reset umask to its default umask(2) value. */ + mode = umask(mode); + ++ /* Initialize crypto engine as early as possible */ ++ if (rpmInitCrypto() < 0) { ++ return -1; ++ } + /* Preset target macros */ + /*@-nullstate@*/ /* FIX: target can be NULL */ + rpmRebuildTargetVars(&target, NULL); +diff --git a/lib/rpmts.c b/lib/rpmts.c +index ef791c6..8423957 100644 +--- a/lib/rpmts.c ++++ b/lib/rpmts.c @@ -4,7 +4,7 @@ */ #include "system.h" 
@@ -257,10 +286,11 @@ diff -r ec9e6c427068 lib/rpmts.c #include #include /* XXX rpmtsOpenDB() needs rpmGetPath */ -diff -r ec9e6c427068 lib/signature.c ---- a/lib/signature.c Wed Oct 24 16:02:51 2007 +0300 -+++ b/lib/signature.c Thu Nov 01 10:56:58 2007 +0100 -@@ -1215,9 +1215,10 @@ verifyRSASignature(rpmts ts, /*@out@*/ c +diff --git a/lib/signature.c b/lib/signature.c +index 5617e32..0db1349 100644 +--- a/lib/signature.c ++++ b/lib/signature.c +@@ -1215,9 +1215,10 @@ verifyRSASignature(rpmts ts, /*@out@*/ char * t, int_32 sigtag = rpmtsSigtag(ts); pgpDig dig = rpmtsDig(ts); pgpDigParams sigp = rpmtsSignature(ts); @@ -272,7 +302,7 @@ diff -r ec9e6c427068 lib/signature.c *t = '\0'; if (dig != NULL && dig->hdrmd5ctx == md5ctx) -@@ -1248,43 +1249,40 @@ verifyRSASignature(rpmts ts, /*@out@*/ c +@@ -1248,43 +1249,40 @@ verifyRSASignature(rpmts ts, /*@out@*/ char * t, switch (sigp->hash_algo) { case PGPHASHALGO_MD5: t = stpcpy(t, " RSA/MD5"); @@ -323,7 +353,7 @@ diff -r ec9e6c427068 lib/signature.c break; } -@@ -1295,8 +1293,6 @@ verifyRSASignature(rpmts ts, /*@out@*/ c +@@ -1295,8 +1293,6 @@ verifyRSASignature(rpmts ts, /*@out@*/ char * t, (void) rpmswEnter(rpmtsOp(ts, RPMTS_OP_DIGEST), 0); { DIGEST_CTX ctx = rpmDigestDup(md5ctx); @@ -332,7 +362,7 @@ diff -r ec9e6c427068 lib/signature.c if (sigp->hash != NULL) xx = rpmDigestUpdate(ctx, sigp->hash, sigp->hashlen); -@@ -1313,40 +1309,18 @@ verifyRSASignature(rpmts ts, /*@out@*/ c +@@ -1313,40 +1309,18 @@ verifyRSASignature(rpmts ts, /*@out@*/ char * t, } #endif @@ -392,7 +422,7 @@ diff -r ec9e6c427068 lib/signature.c res = RPMRC_OK; else res = RPMRC_FAIL; -@@ -1401,6 +1370,7 @@ verifyDSASignature(rpmts ts, /*@out@*/ c +@@ -1401,6 +1370,7 @@ verifyDSASignature(rpmts ts, /*@out@*/ char * t, pgpDigParams sigp = rpmtsSignature(ts); rpmRC res; int xx; 
@@ -400,7 +430,7 @@ diff -r ec9e6c427068 lib/signature.c *t = '\0'; if (dig != NULL && dig->hdrsha1ctx == sha1ctx) -@@ -1428,7 +1398,6 @@ verifyDSASignature(rpmts ts, /*@out@*/ c +@@ -1428,7 +1398,6 @@ verifyDSASignature(rpmts ts, /*@out@*/ char * t, (void) rpmswEnter(rpmtsOp(ts, RPMTS_OP_DIGEST), 0); { DIGEST_CTX ctx = rpmDigestDup(sha1ctx); @@ -408,7 +438,7 @@ diff -r ec9e6c427068 lib/signature.c if (sigp->hash != NULL) xx = rpmDigestUpdate(ctx, sigp->hash, sigp->hashlen); -@@ -1442,19 +1411,18 @@ verifyDSASignature(rpmts ts, /*@out@*/ c +@@ -1442,19 +1411,18 @@ verifyDSASignature(rpmts ts, /*@out@*/ char * t, memcpy(trailer+2, &nb, sizeof(nb)); xx = rpmDigestUpdate(ctx, trailer, sizeof(trailer)); } @@ -433,7 +463,7 @@ diff -r ec9e6c427068 lib/signature.c } /* Retrieve the matching public key. */ -@@ -1463,8 +1431,8 @@ verifyDSASignature(rpmts ts, /*@out@*/ c +@@ -1463,8 +1431,8 @@ verifyDSASignature(rpmts ts, /*@out@*/ char * t, goto exit; (void) rpmswEnter(rpmtsOp(ts, RPMTS_OP_SIGNATURE), 0); @@ -444,9 +474,10 @@ diff -r ec9e6c427068 lib/signature.c res = RPMRC_OK; else res = RPMRC_FAIL; -diff -r ec9e6c427068 python/Makefile.am ---- a/python/Makefile.am Wed Oct 24 16:02:51 2007 +0300 -+++ b/python/Makefile.am Thu Nov 01 10:56:58 2007 +0100 +diff --git a/python/Makefile.am b/python/Makefile.am +index 1b8c83a..c1da992 100644 +--- a/python/Makefile.am ++++ b/python/Makefile.am @@ -17,7 +17,7 @@ INCLUDES = -I. \ -I$(top_srcdir)/rpmdb \ -I$(top_srcdir)/rpmio \ @@ -456,7 +487,7 @@ diff -r ec9e6c427068 python/Makefile.am @WITH_POPT_INCLUDE@ \ -I$(top_srcdir)/misc \ -I$(pyincdir) \ -@@ -42,7 +42,7 @@ rpm_LTLIBRARIES = _rpmmodule.la +@@ -42,7 +42,7 @@ rpmdir = $(pylibdir)/site-packages/rpm rpm_LTLIBRARIES = _rpmmodule.la _rpmmodule_la_LDFLAGS = $(mylibs) $(LIBS) -module -avoid-version 
@@ -465,9 +496,10 @@ diff -r ec9e6c427068 python/Makefile.am _rpmmodule_la_SOURCES = rpmmodule.c header-py.c \ rpmal-py.c rpmds-py.c rpmdb-py.c rpmfd-py.c rpmfts-py.c \ -diff -r ec9e6c427068 rpmdb/Makefile.am ---- a/rpmdb/Makefile.am Wed Oct 24 16:02:51 2007 +0300 -+++ b/rpmdb/Makefile.am Thu Nov 01 10:56:58 2007 +0100 +diff --git a/rpmdb/Makefile.am b/rpmdb/Makefile.am +index 0f017f9..2393dd7 100644 +--- a/rpmdb/Makefile.am ++++ b/rpmdb/Makefile.am @@ -9,7 +9,7 @@ INCLUDES = -I. \ -I$(top_srcdir)/build \ -I$(top_srcdir)/lib \ @@ -477,10 +509,11 @@ diff -r ec9e6c427068 rpmdb/Makefile.am @WITH_POPT_INCLUDE@ \ -I$(top_srcdir)/misc \ @WITH_SQLITE3_INCLUDE@ \ -diff -r ec9e6c427068 rpmio/Makefile.am ---- a/rpmio/Makefile.am Wed Oct 24 16:02:51 2007 +0300 -+++ b/rpmio/Makefile.am Thu Nov 01 10:56:58 2007 +0100 -@@ -10,7 +10,7 @@ EXTRA_PROGRAMS = tax tdigest tdir tfts t +diff --git a/rpmio/Makefile.am b/rpmio/Makefile.am +index 2d26dcc..44e4096 100644 +--- a/rpmio/Makefile.am ++++ b/rpmio/Makefile.am +@@ -10,7 +10,7 @@ EXTRA_PROGRAMS = tax tdigest tdir tfts tget thkp tput tglob tinv tkey tring trpm INCLUDES = -I. \ -I$(top_srcdir) \ @@ -498,9 +531,9 @@ diff -r ec9e6c427068 rpmio/Makefile.am rpmio.h rpmurl.h rpmmacro.h rpmlog.h rpmmessages.h rpmerr.h rpmpgp.h \ rpmsq.h rpmsw.h ugid.h noinst_HEADERS = rpmio_internal.h rpmlua.h rpmhook.h -- --BEECRYPTLOBJS = $(shell test X"@WITH_BEECRYPT_SUBDIR@" != X && cat $(top_builddir)/@WITH_BEECTYPT_SUBDIR@/listobjs) +-BEECRYPTLOBJS = $(shell test X"@WITH_BEECRYPT_SUBDIR@" != X && cat $(top_builddir)/@WITH_BEECTYPT_SUBDIR@/listobjs) +- LDFLAGS = -L$(RPM_BUILD_ROOT)$(usrlibdir) -L$(DESTDIR)$(usrlibdir) usrlibdir = $(libdir)@MARK64@ 
@@ -516,7 +549,7 @@ diff -r ec9e6c427068 rpmio/Makefile.am @WITH_NEON_LIB@ \ @WITH_LUA_LIB@ \ @WITH_MAGIC_LIB@ \ -@@ -44,22 +42,10 @@ librpmio_la_LIBADD = # $(BEECRYPTLOBJS) +@@ -44,22 +42,10 @@ librpmio_la_LDFLAGS = -release 4.4 $(LDFLAGS) \ librpmio_la_LIBADD = # $(BEECRYPTLOBJS) librpmio_la_DEPENDENCIES = # .created @@ -540,7 +573,7 @@ diff -r ec9e6c427068 rpmio/Makefile.am .PHONY: sources sources: -@@ -105,7 +91,6 @@ tinv_LDADD = librpmio.la $(top_builddir) +@@ -105,7 +91,6 @@ tinv_LDFLAGS = @LDFLAGS_STATIC@ tinv_LDADD = librpmio.la $(top_builddir)/popt/libpopt.la tkey_SOURCES = tkey.c @@ -548,10 +581,12 @@ diff -r ec9e6c427068 rpmio/Makefile.am tkey_LDADD = librpmio.la $(top_builddir)/popt/libpopt.la tring_SOURCES = tring.c -diff -r ec9e6c427068 rpmio/base64.c ---- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ b/rpmio/base64.c Thu Nov 01 10:56:58 2007 +0100 -@@ -0,0 +1,254 @@ +diff --git a/rpmio/base64.c b/rpmio/base64.c +new file mode 100644 +index 0000000..b11b381 +--- /dev/null ++++ b/rpmio/base64.c +@@ -0,0 +1,253 @@ +/* base64 encoder/decoder based on public domain implementation + * by Chris Venter */ + 
@@ -652,21 +687,20 @@ diff -r ec9e6c427068 rpmio/base64.c + return output; +} + -+static int base64_decode_value(char value_in) ++static int base64_decode_value(unsigned char value_in) +{ -+ static const char decoding[] = {62,-1,-1,-1,63,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-2,-1,-1,-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,-1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51}; -+ static const char decoding_size = sizeof(decoding); ++ static const int decoding[] = {62,-1,-1,-1,63,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-2,-1,-1,-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,-1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51}; + value_in -= 43; -+ if (value_in < 0 || value_in > decoding_size) ++ if (value_in > sizeof(decoding)/sizeof(int)) + return -1; -+ return decoding[(int)value_in]; ++ return decoding[value_in]; +} + +static size_t base64_decode_block(const char *code_in, const size_t length_in, char *plaintext_out) +{ + const char *codechar = code_in; + char *plainchar = plaintext_out; -+ char fragment; ++ int fragment; + + *plainchar = 0; + 
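Review bot: The bounds test in the new `base64_decode_value` is off by one: `value_in > sizeof(decoding)/sizeof(int)` accepts an index equal to the element count, so the character immediately after `z` reads one element past the end of `decoding[]`. The switch to `unsigned char` does handle characters below `+`, which now wrap to a large value and are rejected by the same test. Change the comparison to `if (value_in >= sizeof(decoding)/sizeof(decoding[0])) return -1;`. The decoder presumably sees armored key and signature text from outside the process, so the out-of-bounds read is reachable from untrusted input.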
@@ -677,38 +711,38 @@ diff -r ec9e6c427068 rpmio/base64.c + { + return plainchar - plaintext_out; + } -+ fragment = (char)base64_decode_value(*codechar++); ++ fragment = base64_decode_value(*codechar++); + } while (fragment < 0); -+ *plainchar = (fragment & 0x03f) << 2; ++ *plainchar = (char)((fragment & 0x03f) << 2); + + do { + if (codechar == code_in+length_in) + { + return plainchar - plaintext_out; + } -+ fragment = (char)base64_decode_value(*codechar++); ++ fragment = base64_decode_value(*codechar++); + } while (fragment < 0); -+ *plainchar++ |= (fragment & 0x030) >> 4; -+ *plainchar = (fragment & 0x00f) << 4; ++ *plainchar++ |= (char)((fragment & 0x030) >> 4); ++ *plainchar = (char)((fragment & 0x00f) << 4); + + do { + if (codechar == code_in+length_in) + { + return plainchar - plaintext_out; + } -+ fragment = (char)base64_decode_value(*codechar++); ++ fragment = base64_decode_value(*codechar++); + } while (fragment < 0); -+ *plainchar++ |= (fragment & 0x03c) >> 2; -+ *plainchar = (fragment & 0x003) << 6; ++ *plainchar++ |= (char)((fragment & 0x03c) >> 2); ++ *plainchar = (char)((fragment & 0x003) << 6); + + do { + if (codechar == code_in+length_in) + { + return plainchar - plaintext_out; + } -+ fragment = (char)base64_decode_value(*codechar++); ++ fragment = base64_decode_value(*codechar++); + } while (fragment < 0); -+ *plainchar++ |= (fragment & 0x03f); ++ *plainchar++ |= (char)(fragment & 0x03f); + } + /* control should not reach here */ + return plainchar - plaintext_out; @@ -806,9 +840,11 @@ diff -r ec9e6c427068 rpmio/base64.c +} +#endif + -diff -r ec9e6c427068 rpmio/base64.h ---- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ b/rpmio/base64.h Thu Nov 01 10:56:58 2007 +0100 +diff --git a/rpmio/base64.h b/rpmio/base64.h +new file mode 100644 +index 0000000..79ae0b6 +--- /dev/null ++++ b/rpmio/base64.h @@ -0,0 +1,29 @@ +/* base64 encoder/decoder based on public domain implementation + * by Chris Venter */ 
@@ -839,9 +875,10 @@ diff -r ec9e6c427068 rpmio/base64.h + * returns NULL on failures + */ +char *b64crc(const unsigned char *data, size_t len); -diff -r ec9e6c427068 rpmio/digest.c ---- a/rpmio/digest.c Wed Oct 24 16:02:51 2007 +0300 -+++ b/rpmio/digest.c Thu Nov 01 10:56:58 2007 +0100 +diff --git a/rpmio/digest.c b/rpmio/digest.c +index 5b4cde8..894cf82 100644 +--- a/rpmio/digest.c ++++ b/rpmio/digest.c @@ -19,16 +19,7 @@ */ struct DIGEST_CTX_s { @@ -860,7 +897,7 @@ diff -r ec9e6c427068 rpmio/digest.c }; /*@-boundsread@*/ -@@ -37,115 +28,101 @@ rpmDigestDup(DIGEST_CTX octx) +@@ -37,115 +28,98 @@ rpmDigestDup(DIGEST_CTX octx) { DIGEST_CTX nctx; nctx = memcpy(xcalloc(1, sizeof(*nctx)), octx, sizeof(*nctx)); @@ -979,9 +1016,6 @@ diff -r ec9e6c427068 rpmio/digest.c + HASH_HashType type; + DIGEST_CTX ctx = xcalloc(1, sizeof(*ctx)); + -+ if (NSS_NoDB_Init(NULL) != SECSuccess) -+ return NULL; -+ + ctx->flags = flags; + + type = getHashType(hashalgo); @@ -1035,7 +1069,7 @@ diff -r ec9e6c427068 rpmio/digest.c /*@=boundsread@*/ } /*@=mustmod@*/ -@@ -154,35 +131,37 @@ int +@@ -154,35 +128,37 @@ DPRINTF((stderr, "*** Update(%p,%p,%d) param %p \"%s\"\n", ctx, data, len, ctx-> int rpmDigestFinal(DIGEST_CTX ctx, void ** datap, size_t *lenp, int asAscii) { @@ -1082,7 +1116,7 @@ diff -r ec9e6c427068 rpmio/digest.c *t++ = hex[ (unsigned)((*s >> 4) & 0x0f) ]; *t++ = hex[ (unsigned)((*s++ ) & 0x0f) ]; } -@@ -191,11 +170,10 @@ DPRINTF((stderr, "*** Final(%p,%p,%p,%d) +@@ -191,11 +167,10 @@ DPRINTF((stderr, "*** Final(%p,%p,%p,%d) param %p digest %p\n", ctx, datap, lenp } /*@=branchstate@*/ if (digest) { 
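Review bot: With the `NSS_NoDB_Init` check dropped from `rpmDigestInit` (the `@@ -979,9 +1016,6 @@` hunk), nothing in this function guarantees that NSS is initialized before the hash context is created. Callers that come in through `rpmReadConfigFiles` are covered, but any other path has to remember to call `rpmInitCrypto()` itself, as tools/debugedit.c does in this same patch. Since `rpmInitCrypto()` is guarded by a flag and cheap to repeat, consider `if (rpmInitCrypto() < 0) return NULL;` before `ctx` is allocated; doing it first also avoids leaking `ctx` the way the old early return did. The rest of the function body lies outside the hunk.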
@@ -1096,9 +1130,10 @@ diff -r ec9e6c427068 rpmio/digest.c memset(ctx, 0, sizeof(*ctx)); /* In case it's sensitive */ free(ctx); return 0; -diff -r ec9e6c427068 rpmio/rpmio_internal.h ---- a/rpmio/rpmio_internal.h Wed Oct 24 16:02:51 2007 +0300 -+++ b/rpmio/rpmio_internal.h Thu Nov 01 10:56:58 2007 +0100 +diff --git a/rpmio/rpmio_internal.h b/rpmio/rpmio_internal.h +index c2906e8..f92ee8a 100644 +--- a/rpmio/rpmio_internal.h ++++ b/rpmio/rpmio_internal.h @@ -9,30 +9,14 @@ #include #include @@ -1163,10 +1198,20 @@ diff -r ec9e6c427068 rpmio/rpmio_internal.h }; /** \ingroup rpmio -diff -r ec9e6c427068 rpmio/rpmpgp.c ---- a/rpmio/rpmpgp.c Wed Oct 24 16:02:51 2007 +0300 -+++ b/rpmio/rpmpgp.c Thu Nov 01 10:56:58 2007 +0100 -@@ -260,38 +260,100 @@ const char * pgpMpiHex(const byte *p) +diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c +index 5d2c6f4..2cc03f8 100644 +--- a/rpmio/rpmpgp.c ++++ b/rpmio/rpmpgp.c +@@ -17,6 +17,8 @@ static int _debug = 0; + /*@unchecked@*/ + static int _print = 0; + ++static int _crypto_initialized = 0; ++ + /*@unchecked@*/ /*@null@*/ + static pgpDig _dig = NULL; + +@@ -260,39 +262,101 @@ const char * pgpMpiHex(const byte *p) /** * @return 0 on success */ @@ -1245,7 +1290,7 @@ diff -r ec9e6c427068 rpmio/rpmpgp.c + return item; +} /*@=boundswrite@*/ -+ + +static SECKEYPublicKey *pgpNewPublicKey(KeyType type) +{ + PRArenaPool *arena; @@ -1278,10 +1323,11 @@ diff -r ec9e6c427068 rpmio/rpmpgp.c +{ + return pgpNewPublicKey(dsaKey); +} - ++ int pgpPrtSubType(const byte *h, unsigned int hlen, pgpSigType sigtype) { -@@ -407,6 +469,10 @@ static const char * pgpSigDSA[] = { + const byte *p = h; +@@ -407,6 +471,10 @@ static const char * pgpSigDSA[] = { }; /*@=varuse =readonlytrans @*/ 
@@ -1292,14 +1338,13 @@ diff -r ec9e6c427068 rpmio/rpmpgp.c static int pgpPrtSigParams(/*@unused@*/ pgpTag tag, byte pubkey_algo, byte sigtype, const byte *p, const byte *h, unsigned int hlen) /*@globals fileSystem @*/ -@@ -414,7 +480,13 @@ static int pgpPrtSigParams(/*@unused@*/ +@@ -414,7 +482,13 @@ static int pgpPrtSigParams(/*@unused@*/ pgpTag tag, byte pubkey_algo, byte sigty { const byte * pend = h + hlen; int i; -- + SECItem dsaraw; + unsigned char dsabuf[2*DSA_SUBPRIME_LEN]; -+ + + dsaraw.type = 0; + dsaraw.data = dsabuf; + dsaraw.len = sizeof(dsabuf); @@ -1307,7 +1352,7 @@ diff -r ec9e6c427068 rpmio/rpmpgp.c for (i = 0; p < pend; i++, p += pgpMpiLen(p)) { if (pubkey_algo == PGPPUBKEYALGO_RSA) { if (i >= 1) break; -@@ -423,9 +495,9 @@ static int pgpPrtSigParams(/*@unused@*/ +@@ -423,9 +497,9 @@ static int pgpPrtSigParams(/*@unused@*/ pgpTag tag, byte pubkey_algo, byte sigty { switch (i) { case 0: /* m**d */ @@ -1320,7 +1365,7 @@ diff -r ec9e6c427068 rpmio/rpmpgp.c /*@switchbreak@*/ break; default: /*@switchbreak@*/ break; -@@ -440,11 +512,21 @@ fprintf(stderr, "\t m**d = "), mpfprin +@@ -440,11 +514,21 @@ fprintf(stderr, "\t m**d = "), mpfprintln(stderr, _dig->c.size, _dig->c.data); int xx; xx = 0; switch (i) { @@ -1345,7 +1390,7 @@ diff -r ec9e6c427068 rpmio/rpmpgp.c /*@switchbreak@*/ break; default: xx = 1; -@@ -629,16 +711,17 @@ static const byte * pgpPrtPubkeyParams(b +@@ -629,16 +713,17 @@ static const byte * pgpPrtPubkeyParams(byte pubkey_algo, if (pubkey_algo == PGPPUBKEYALGO_RSA) { if (i >= 2) break; if (_dig) { @@ -1369,7 +1414,7 @@ diff -r ec9e6c427068 rpmio/rpmpgp.c /*@switchbreak@*/ break; default: /*@switchbreak@*/ break; -@@ -648,26 +731,23 @@ fprintf(stderr, "\t e = "), mpfprin +@@ -648,26 +733,23 @@ fprintf(stderr, "\t e = "), mpfprintln(stderr, _dig->rsa_pk.e.size, _dig->r } else if (pubkey_algo == PGPPUBKEYALGO_DSA) { if (i >= 4) break; if (_dig) { 
@@ -1405,16 +1450,15 @@ diff -r ec9e6c427068 rpmio/rpmpgp.c /*@switchbreak@*/ break; default: /*@switchbreak@*/ break; -@@ -1014,6 +1094,8 @@ pgpDig pgpNewDig(void) +@@ -1023,6 +1105,7 @@ int pgpPrtPkt(const byte *pkt, unsigned int pleft) pgpDig pgpNewDig(void) { pgpDig dig = xcalloc(1, sizeof(*dig)); -+ NSS_NoDB_Init(NULL); + return dig; } -@@ -1038,14 +1120,27 @@ void pgpCleanDig(pgpDig dig) +@@ -1047,14 +1130,27 @@ void pgpCleanDig(pgpDig dig) dig->md5 = _free(dig->md5); dig->sha1 = _free(dig->sha1); @@ -1450,11 +1494,10 @@ diff -r ec9e6c427068 rpmio/rpmpgp.c } /*@-nullstate@*/ return; -@@ -1072,14 +1167,6 @@ pgpDig pgpFreeDig(/*@only@*/ /*@null@*/ - (void) rpmDigestFinal(dig->sha1ctx, NULL, NULL, 0); +@@ -1082,14 +1178,6 @@ pgpDig pgpFreeDig(/*@only@*/ /*@null@*/ pgpDig dig) /*@=branchstate@*/ dig->sha1ctx = NULL; -- + - mpbfree(&dig->p); - mpbfree(&dig->q); - mpnfree(&dig->g); @@ -1462,23 +1505,24 @@ diff -r ec9e6c427068 rpmio/rpmpgp.c - mpnfree(&dig->hm); - mpnfree(&dig->r); - mpnfree(&dig->s); - +- #ifdef NOTYET /*@-branchstate@*/ -@@ -1094,12 +1181,6 @@ pgpDig pgpFreeDig(/*@only@*/ /*@null@*/ - (void) rpmDigestFinal(dig->md5ctx, NULL, NULL, 0); + if (dig->hdrmd5ctx != NULL) +@@ -1104,12 +1192,6 @@ pgpDig pgpFreeDig(/*@only@*/ /*@null@*/ pgpDig dig) /*@=branchstate@*/ dig->md5ctx = NULL; -- + - mpbfree(&dig->rsa_pk.n); - mpnfree(&dig->rsa_pk.e); - mpnfree(&dig->m); - mpnfree(&dig->c); - mpnfree(&dig->hm); - +- dig = _free(dig); } -@@ -1286,20 +1367,13 @@ char * pgpArmorWrap(int atype, const uns + return dig; +@@ -1295,20 +1377,13 @@ char * pgpArmorWrap(int atype, const unsigned char * s, size_t ns) { const char * enc; char * t; @@ -1486,7 +1530,7 @@ diff -r ec9e6c427068 rpmio/rpmpgp.c + size_t nt = 0; char * val; - int lc; -- + - nt = ((ns + 2) / 3) * 4; - /*@-globs@*/ - /* Add additional bytes necessary for eol string(s). */ 
@@ -1495,32 +1539,50 @@ diff -r ec9e6c427068 rpmio/rpmpgp.c - if (((nt + b64encode_chars_per_line - 1) % b64encode_chars_per_line) != 0) - ++lc; - nt += lc * strlen(b64encode_eolstr); -- } -- /*@=globs@*/ -+ + enc = b64encode(s, ns, -1); + if (enc != NULL) { + nt = strlen(enc); -+ } + } +- /*@=globs@*/ nt += 512; /* XXX slop for armor and crc */ -@@ -1311,9 +1385,9 @@ char * pgpArmorWrap(int atype, const uns +@@ -1320,9 +1395,9 @@ char * pgpArmorWrap(int atype, const unsigned char * s, size_t ns) /*@-globs@*/ t = stpcpy( stpcpy(t, "-----\nVersion: rpm-"), VERSION); /*@=globs@*/ - t = stpcpy(t, " (beecrypt-4.1.2)\n\n"); -- -- if ((enc = b64encode(s, ns)) != NULL) { + t = stpcpy(t, " (NSS-3)\n\n"); -+ + +- if ((enc = b64encode(s, ns)) != NULL) { + if (enc != NULL) { t = stpcpy(t, enc); enc = _free(enc); if ((enc = b64crc(s, ns)) != NULL) { -diff -r ec9e6c427068 rpmio/rpmpgp.h ---- a/rpmio/rpmpgp.h Wed Oct 24 16:02:51 2007 +0300 -+++ b/rpmio/rpmpgp.h Thu Nov 01 10:56:58 2007 +0100 +@@ -1339,5 +1414,18 @@ char * pgpArmorWrap(int atype, const unsigned char * s, size_t ns) + + return val; + } +- + /*@=boundsread@*/ ++ ++int rpmInitCrypto(void) { ++ int rc = 0; ++ ++ if (!_crypto_initialized && NSS_NoDB_Init(NULL) != SECSuccess) { ++ rc = -1; ++ } else { ++ _crypto_initialized = 1; ++ } ++ ++ return rc; ++} ++ ++ +diff --git a/rpmio/rpmpgp.h b/rpmio/rpmpgp.h +index d90d4e7..c1e2db5 100644 +--- a/rpmio/rpmpgp.h ++++ b/rpmio/rpmpgp.h @@ -12,11 +12,7 @@ #include 
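Review bot: `rpmInitCrypto()`, added at the end of rpmio/rpmpgp.c, tests and sets `_crypto_initialized` with no synchronization, so two threads entering it together could both call `NSS_NoDB_Init(NULL)`. If single-threaded initialization is the intended contract, state it on the definition, e.g. `/* Not thread-safe: call once before any digest or signature work starts. */`. The comment should also say that a failed attempt leaves the flag at 0, so a later call retries the initialization rather than reporting success.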
@@ -1533,7 +1595,23 @@ diff -r ec9e6c427068 rpmio/rpmpgp.h /** */ -@@ -1393,6 +1389,15 @@ DIGEST_CTX rpmDigestDup(DIGEST_CTX octx) +@@ -1384,6 +1380,15 @@ unsigned int pgpCRC(const byte *octets, size_t len) + } + + /** \ingroup rpmio ++ * Perform cryptography initialization. ++ * It must be called before any cryptography can be used within rpm. ++ * It's not normally necessary to call it directly as it's called in ++ * general rpm initialization routines. ++ * @return 0 on success, -1 on failure ++ */ ++int rpmInitCrypto(void); ++ ++/** \ingroup rpmio + * Duplicate a digest context. + * @param octx existing digest context + * @return duplicated digest context +@@ -1393,6 +1398,15 @@ DIGEST_CTX rpmDigestDup(DIGEST_CTX octx) /*@*/; /** \ingroup rpmio @@ -1549,10 +1627,11 @@ diff -r ec9e6c427068 rpmio/rpmpgp.h * Initialize digest. * Set bit count to 0 and buffer to mysterious initialization constants. * @param hashalgo type of digest -diff -r ec9e6c427068 rpmio/tkey.c ---- a/rpmio/tkey.c Wed Oct 24 16:02:51 2007 +0300 -+++ b/rpmio/tkey.c Thu Nov 01 10:56:58 2007 +0100 -@@ -31,7 +31,7 @@ fprintf(stderr, "*** sig is\n%s\n", sig) +diff --git a/rpmio/tkey.c b/rpmio/tkey.c +index e03dba0..9fb7805 100644 +--- a/rpmio/tkey.c ++++ b/rpmio/tkey.c +@@ -31,7 +31,7 @@ fprintf(stderr, "*** sig is\n%s\n", sig); return rc; } @@ -1561,7 +1640,7 @@ diff -r ec9e6c427068 rpmio/tkey.c fprintf(stderr, "*** b64encode failed\n"); return rc; } -@@ -51,52 +51,40 @@ fprintf(stderr, "??? %5d %02x != %02x '% +@@ -51,52 +51,40 @@ fprintf(stderr, "??? %5d %02x != %02x '%c' != '%c'\n", i, (*s & 0xff), (*t & 0xf return rc; } @@ -1641,11 +1720,10 @@ diff -r ec9e6c427068 rpmio/tkey.c "; int -@@ -107,28 +95,6 @@ main (int argc, char *argv[]) - int rc; +@@ -108,28 +96,6 @@ main (int argc, char *argv[]) dig = pgpNewDig(); -- + - mpbzero(&dig->p); mpbsethex(&dig->p, fips_p); - mpbzero(&dig->q); mpbsethex(&dig->q, fips_q); - mpnzero(&dig->g); mpnsethex(&dig->g, fips_g); 
@@ -1667,10 +1745,11 @@ diff -r ec9e6c427068 rpmio/tkey.c - mpnfree(&dig->hm); - mpnfree(&dig->r); - mpnfree(&dig->s); - +- fprintf(stderr, "=============================== GPG Secret Key\n"); if ((rc = doit(jbjSecretDSA, dig, printing)) != 0) -@@ -144,39 +110,33 @@ fprintf(stderr, "======================= + fprintf(stderr, "==> FAILED: rc %d\n", rc); +@@ -144,39 +110,33 @@ fprintf(stderr, "=============================== GPG Signature of \"abc\"\n"); { DIGEST_CTX ctx = rpmDigestInit(PGPHASHALGO_SHA1, RPMDIGEST_NONE); struct pgpDigParams_s * dsig = &dig->signature; @@ -1705,7 +1784,7 @@ diff -r ec9e6c427068 rpmio/tkey.c - &dig->y, &dig->r, &dig->s); fprintf(stderr, "=============================== DSA verify: rc %d\n", rc); -- + - mpbfree(&dig->p); - mpbfree(&dig->q); - mpnfree(&dig->g); @@ -1714,15 +1793,16 @@ diff -r ec9e6c427068 rpmio/tkey.c - mpnfree(&dig->hm); - mpnfree(&dig->r); - mpnfree(&dig->s); - +- dig = pgpFreeDig(dig); return rc; } + -diff -r ec9e6c427068 tools/Makefile.am ---- a/tools/Makefile.am Wed Oct 24 16:02:51 2007 +0300 -+++ b/tools/Makefile.am Thu Nov 01 10:56:58 2007 +0100 +diff --git a/tools/Makefile.am b/tools/Makefile.am +index 72bfd0b..053a02a 100644 +--- a/tools/Makefile.am ++++ b/tools/Makefile.am @@ -8,7 +8,7 @@ INCLUDES = -I. \ -I$(top_srcdir)/lib \ -I$(top_srcdir)/rpmdb \ @@ -1732,7 +1812,7 @@ diff -r ec9e6c427068 tools/Makefile.am @WITH_POPT_INCLUDE@ \ @WITH_LIBELF_INCLUDE@ \ @WITH_LIBDWARF_INCLUDE@ \ -@@ -36,10 +36,10 @@ convertdb1_SOURCES = convertdb1.c +@@ -36,10 +36,10 @@ bin_PROGRAMS = rpmgraph convertdb1_SOURCES = convertdb1.c debugedit_SOURCES = debugedit.c hashtab.c 
@@ -1746,9 +1826,10 @@ diff -r ec9e6c427068 tools/Makefile.am @WITH_POPT_LIB@ javadeps_SOURCES = javadeps.c -diff -r ec9e6c427068 tools/debugedit.c ---- a/tools/debugedit.c Wed Oct 24 16:02:51 2007 +0300 -+++ b/tools/debugedit.c Thu Nov 01 10:56:58 2007 +0100 +diff --git a/tools/debugedit.c b/tools/debugedit.c +index f6e27b6..e69ff3d 100644 +--- a/tools/debugedit.c ++++ b/tools/debugedit.c @@ -36,8 +36,8 @@ #include #include @@ -1760,7 +1841,7 @@ diff -r ec9e6c427068 tools/debugedit.c #include "hashtab.h" #define DW_TAG_partial_unit 0x3c -@@ -1304,22 +1304,27 @@ error_out: +@@ -1304,22 +1304,29 @@ error_out: return NULL; } @@ -1780,6 +1861,8 @@ diff -r ec9e6c427068 tools/debugedit.c + int i = sizeof(algorithms)/sizeof(algorithms[0]); + void *digest = NULL; + size_t len; ++ ++ rpmInitCrypto(); while (i-- > 0) { @@ -1794,7 +1877,7 @@ diff -r ec9e6c427068 tools/debugedit.c { fprintf (stderr, "Cannot handle %Zu-byte build ID\n", build_id_size); exit (1); -@@ -1335,7 +1340,7 @@ handle_build_id (DSO *dso, Elf_Data *bui +@@ -1335,7 +1342,7 @@ handle_build_id (DSO *dso, Elf_Data *build_id, /* Clear the old bits so they do not affect the new hash. */ memset ((char *) build_id->d_buf + build_id_offset, 0, build_id_size); 
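Review bot: The `rpmInitCrypto();` call added in the `@@ -1304,22 +1304,29 @@` hunk of tools/debugedit.c discards the return value, so a failed NSS initialization goes straight on to the digest calls with the library uninitialized. lib/rpmrc.c in this same patch checks the result (`if (rpmInitCrypto() < 0)`); do the same here, e.g. `if (rpmInitCrypto() < 0) { fprintf (stderr, "Cannot initialize crypto\n"); exit (1); }`, matching the `exit (1)` already used for an unsupported build-ID size. The enclosing function, apparently `handle_build_id`, continues outside the hunk.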
@@ -1803,17 +1886,44 @@ diff -r ec9e6c427068 tools/debugedit.c /* Slurp the relevant header bits and section contents and feed them into the hash function. The only bits we ignore are the offset -@@ -1349,8 +1354,7 @@ handle_build_id (DSO *dso, Elf_Data *bui - inline void process (const void *data, size_t size); - inline void process (const void *data, size_t size) - { +@@ -1346,13 +1353,6 @@ handle_build_id (DSO *dso, Elf_Data *build_id, + or Elf64 object, only that we are consistent in what bits feed the + hash so it comes out the same for the same file contents. */ + { +- inline void process (const void *data, size_t size); +- inline void process (const void *data, size_t size) +- { - memchunk chunk = { .data = (void *) data, .size = size }; - hashFunctionContextUpdateMC (&ctx, &chunk); -+ rpmDigestUpdate(ctx, data, size); - } - +- } +- union -@@ -1405,22 +1409,17 @@ handle_build_id (DSO *dso, Elf_Data *bui + { + GElf_Ehdr ehdr; +@@ -1381,7 +1381,7 @@ handle_build_id (DSO *dso, Elf_Data *build_id, + goto bad; + if (elf64_xlatetom (&x, &x, dso->ehdr.e_ident[EI_DATA]) == NULL) + goto bad; +- process (x.d_buf, x.d_size); ++ rpmDigestUpdate(ctx, x.d_buf, x.d_size); + } + + x.d_type = ELF_T_SHDR; +@@ -1393,34 +1393,29 @@ handle_build_id (DSO *dso, Elf_Data *build_id, + u.shdr.sh_offset = 0; + if (elf64_xlatetom (&x, &x, dso->ehdr.e_ident[EI_DATA]) == NULL) + goto bad; +- process (x.d_buf, x.d_size); ++ rpmDigestUpdate(ctx, x.d_buf, x.d_size); + + if (u.shdr.sh_type != SHT_NOBITS) + { + Elf_Data *d = elf_rawdata (dso->scn[i], NULL); + if (d == NULL) + goto bad; +- process (d->d_buf, d->d_size); ++ rpmDigestUpdate(ctx, d->d_buf, d->d_size); + } } } 
@@ -1841,245 +1951,3 @@ diff -r ec9e6c427068 tools/debugedit.c puts (hex); } } -diff -r 39cb695c7c8b rpmio/base64.c ---- a/rpmio/base64.c Thu Nov 01 10:42:01 2007 +0100 -+++ b/rpmio/base64.c Wed Nov 14 18:16:51 2007 +0100 -@@ -98,21 +98,20 @@ char *b64encode(const void *data, size_t - return output; - } - --static int base64_decode_value(char value_in) --{ -- static const char decoding[] = {62,-1,-1,-1,63,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-2,-1,-1,-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,-1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51}; -- static const char decoding_size = sizeof(decoding); -+static int base64_decode_value(unsigned char value_in) -+{ -+ static const int decoding[] = {62,-1,-1,-1,63,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-2,-1,-1,-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,-1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51}; - value_in -= 43; -- if (value_in < 0 || value_in > decoding_size) -+ if (value_in > sizeof(decoding)/sizeof(int)) - return -1; -- return decoding[(int)value_in]; -+ return decoding[value_in]; - } - - static size_t base64_decode_block(const char *code_in, const size_t length_in, char *plaintext_out) - { - const char *codechar = code_in; - char *plainchar = plaintext_out; -- char fragment; -+ int fragment; - - *plainchar = 0; - -@@ -123,38 +122,38 @@ static size_t base64_decode_block(const - { - return plainchar - plaintext_out; - } -- fragment = (char)base64_decode_value(*codechar++); -- } while (fragment < 0); -- *plainchar = (fragment & 0x03f) << 2; -- -- do { -- if (codechar == code_in+length_in) -- { -- return plainchar - plaintext_out; -- } -- fragment = (char)base64_decode_value(*codechar++); -- } while (fragment < 0); -- *plainchar++ |= (fragment & 0x030) >> 4; -- *plainchar = (fragment & 0x00f) << 4; -- -- do { -- if (codechar == code_in+length_in) -- { -- return 
plainchar - plaintext_out; -- } -- fragment = (char)base64_decode_value(*codechar++); -- } while (fragment < 0); -- *plainchar++ |= (fragment & 0x03c) >> 2; -- *plainchar = (fragment & 0x003) << 6; -- -- do { -- if (codechar == code_in+length_in) -- { -- return plainchar - plaintext_out; -- } -- fragment = (char)base64_decode_value(*codechar++); -- } while (fragment < 0); -- *plainchar++ |= (fragment & 0x03f); -+ fragment = base64_decode_value(*codechar++); -+ } while (fragment < 0); -+ *plainchar = (char)((fragment & 0x03f) << 2); -+ -+ do { -+ if (codechar == code_in+length_in) -+ { -+ return plainchar - plaintext_out; -+ } -+ fragment = base64_decode_value(*codechar++); -+ } while (fragment < 0); -+ *plainchar++ |= (char)((fragment & 0x030) >> 4); -+ *plainchar = (char)((fragment & 0x00f) << 4); -+ -+ do { -+ if (codechar == code_in+length_in) -+ { -+ return plainchar - plaintext_out; -+ } -+ fragment = base64_decode_value(*codechar++); -+ } while (fragment < 0); -+ *plainchar++ |= (char)((fragment & 0x03c) >> 2); -+ *plainchar = (char)((fragment & 0x003) << 6); -+ -+ do { -+ if (codechar == code_in+length_in) -+ { -+ return plainchar - plaintext_out; -+ } -+ fragment = base64_decode_value(*codechar++); -+ } while (fragment < 0); -+ *plainchar++ |= (char)(fragment & 0x03f); - } - /* control should not reach here */ - return plainchar - plaintext_out; -diff -up rpm-4.4.2.2/rpmio/digest.c.nss-init rpm-4.4.2.2/rpmio/digest.c ---- rpm-4.4.2.2/rpmio/digest.c.nss-init 2007-11-15 15:00:41.000000000 +0200 -+++ rpm-4.4.2.2/rpmio/digest.c 2007-11-15 15:00:41.000000000 +0200 -@@ -78,9 +78,6 @@ rpmDigestInit(pgpHashAlgo hashalgo, rpmD - HASH_HashType type; - DIGEST_CTX ctx = xcalloc(1, sizeof(*ctx)); - -- if (NSS_NoDB_Init(NULL) != SECSuccess) -- return NULL; -- - ctx->flags = flags; - - type = getHashType(hashalgo); -diff -up rpm-4.4.2.2/rpmio/rpmpgp.h.nss-init rpm-4.4.2.2/rpmio/rpmpgp.h ---- rpm-4.4.2.2/rpmio/rpmpgp.h.nss-init 2007-11-15 15:00:41.000000000 +0200 -+++ 
rpm-4.4.2.2/rpmio/rpmpgp.h 2007-11-15 15:00:41.000000000 +0200 -@@ -1380,6 +1380,15 @@ unsigned int pgpCRC(const byte *octets, - } - - /** \ingroup rpmio -+ * Perform cryptography initialization. -+ * It must be called before any cryptography can be used within rpm. -+ * It's not normally necessary to call it directly as it's called in -+ * general rpm initialization routines. -+ * @return 0 on success, -1 on failure -+ */ -+int rpmInitCrypto(void); -+ -+/** \ingroup rpmio - * Duplicate a digest context. - * @param octx existing digest context - * @return duplicated digest context -diff -up rpm-4.4.2.2/rpmio/rpmpgp.c.nss-init rpm-4.4.2.2/rpmio/rpmpgp.c ---- rpm-4.4.2.2/rpmio/rpmpgp.c.nss-init 2007-11-15 15:00:41.000000000 +0200 -+++ rpm-4.4.2.2/rpmio/rpmpgp.c 2007-11-15 15:00:41.000000000 +0200 -@@ -17,6 +17,8 @@ static int _debug = 0; - /*@unchecked@*/ - static int _print = 0; - -+static int _crypto_initialized = 0; -+ - /*@unchecked@*/ /*@null@*/ - static pgpDig _dig = NULL; - -@@ -1094,7 +1096,6 @@ int pgpPrtPkt(const byte *pkt, unsigned - pgpDig pgpNewDig(void) - { - pgpDig dig = xcalloc(1, sizeof(*dig)); -- NSS_NoDB_Init(NULL); - - return dig; - } -@@ -1404,5 +1405,18 @@ char * pgpArmorWrap(int atype, const uns - - return val; - } -- - /*@=boundsread@*/ -+ -+int rpmInitCrypto(void) { -+ int rc = 0; -+ -+ if (!_crypto_initialized && NSS_NoDB_Init(NULL) != SECSuccess) { -+ rc = -1; -+ } else { -+ _crypto_initialized = 1; -+ } -+ -+ return rc; -+} -+ -+ -diff -up rpm-4.4.2.2/tools/debugedit.c.nss-init rpm-4.4.2.2/tools/debugedit.c ---- rpm-4.4.2.2/tools/debugedit.c.nss-init 2007-11-15 15:01:42.000000000 +0200 -+++ rpm-4.4.2.2/tools/debugedit.c 2007-11-15 15:02:23.000000000 +0200 -@@ -1318,6 +1318,8 @@ handle_build_id (DSO *dso, Elf_Data *bui - void *digest = NULL; - size_t len; - -+ rpmInitCrypto(); -+ - while (i-- > 0) - { - algorithm = algorithms[i]; -diff -up rpm-4.4.2.2/lib/rpmrc.c.nss-init rpm-4.4.2.2/lib/rpmrc.c ---- rpm-4.4.2.2/lib/rpmrc.c.nss-init 
2007-09-11 09:28:15.000000000 +0300 -+++ rpm-4.4.2.2/lib/rpmrc.c 2007-11-15 15:00:41.000000000 +0200 -@@ -1850,6 +1850,10 @@ static int rpmReadRC(/*@null@*/ const ch - - int rpmReadConfigFiles(const char * file, const char * target) - { -+ /* Initialize crypto engine as early as possible */ -+ if (rpmInitCrypto() < 0) { -+ return -1; -+ } - - /* Preset target macros */ - /*@-nullstate@*/ /* FIX: target can be NULL */ -diff -up rpm-4.4.2.2/tools/debugedit.c.gcc43 rpm-4.4.2.2/tools/debugedit.c ---- rpm-4.4.2.2/tools/debugedit.c.gcc43 2008-01-04 08:57:09.000000000 +0200 -+++ rpm-4.4.2.2/tools/debugedit.c 2008-01-04 08:58:40.000000000 +0200 -@@ -1353,12 +1353,6 @@ handle_build_id (DSO *dso, Elf_Data *bui - or Elf64 object, only that we are consistent in what bits feed the - hash so it comes out the same for the same file contents. */ - { -- inline void process (const void *data, size_t size); -- inline void process (const void *data, size_t size) -- { -- rpmDigestUpdate(ctx, data, size); -- } -- - union - { - GElf_Ehdr ehdr; -@@ -1387,7 +1381,7 @@ handle_build_id (DSO *dso, Elf_Data *bui - goto bad; - if (elf64_xlatetom (&x, &x, dso->ehdr.e_ident[EI_DATA]) == NULL) - goto bad; -- process (x.d_buf, x.d_size); -+ rpmDigestUpdate(ctx, x.d_buf, x.d_size); - } - - x.d_type = ELF_T_SHDR; -@@ -1399,14 +1393,14 @@ handle_build_id (DSO *dso, Elf_Data *bui - u.shdr.sh_offset = 0; - if (elf64_xlatetom (&x, &x, dso->ehdr.e_ident[EI_DATA]) == NULL) - goto bad; -- process (x.d_buf, x.d_size); -+ rpmDigestUpdate(ctx, x.d_buf, x.d_size); - - if (u.shdr.sh_type != SHT_NOBITS) - { - Elf_Data *d = elf_rawdata (dso->scn[i], NULL); - if (d == NULL) - goto bad; -- process (d->d_buf, d->d_size); -+ rpmDigestUpdate(ctx, d->d_buf, d->d_size); - } - } - }