From f996c2d2f1523495a9e3fd83f8578a8f61780cd9 Mon Sep 17 00:00:00 2001
From: Peter Jones
Date: May 16 2013 14:50:32 +0000
Subject: Merge branch 'f19' into el6
Conflicts: pesign.spec
---
diff --git a/0001-Use-PK11_TraverseCertsForNicknameInSlot-after-all.patch b/0001-Use-PK11_TraverseCertsForNicknameInSlot-after-all.patch
deleted file mode 100644
index 35b19b7..0000000
--- a/0001-Use-PK11_TraverseCertsForNicknameInSlot-after-all.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 406a08cc45a2d0761294002d946ee3381a4706ee Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Wed, 17 Oct 2012 09:53:07 -0400
-Subject: [PATCH 01/41] Use PK11_TraverseCertsForNicknameInSlot after all.
-
-As of 76bc13c it doesn't appear to be leaky any more, and it does a
-better job of disinguishing between certificates with the same nickname
-than we did when doing it by hand.
-
-Signed-off-by: Peter Jones
----
- src/cms_common.c | 20 ++++++++++----------
- 1 file changed, 10 insertions(+), 10 deletions(-)
-
-diff --git a/src/cms_common.c b/src/cms_common.c
-index 644b44c..2d51979 100644
---- a/src/cms_common.c
-+++ b/src/cms_common.c
-@@ -465,23 +465,23 @@ err_slots:
- goto err_slots_errmsg;
- }
-
-+ SECItem nickname = {
-+ .data = (void *)cms->certname,
-+ .len = strlen(cms->certname) + 1,
-+ .type = siUTF8String,
-+ };
- struct cbdata cbdata = {
- .cert = NULL,
- .psle = psle,
- .pwdata = pwdata,
- };
-
-- CERTCertListNode *node = NULL;
-- for (node = CERT_LIST_HEAD(certlist); !CERT_LIST_END(node,certlist);
-- node = CERT_LIST_NEXT(node)) {
-- if (strcmp(cms->certname, node->cert->nickname))
-- continue;
-+ status = PK11_TraverseCertsForNicknameInSlot(&nickname, psle->slot,
-+ is_valid_cert, &cbdata);
-+ if (cbdata.cert == NULL)
-+ goto err_slots;
-
-- if (is_valid_cert(node->cert, &cbdata) == SECSuccess) {
-- cms->cert = CERT_DupCertificate(cbdata.cert);
-- break;
-- }
-- }
-+ cms->cert = CERT_DupCertificate(cbdata.cert);
-
- PK11_DestroySlotListElement(slots, &psle);
- PK11_FreeSlotList(slots);
---
-1.7.12.1
-
diff --git a/0002-Remove-an-unused-field.patch b/0002-Remove-an-unused-field.patch
deleted file mode 100644
index 7fa6b72..0000000
--- a/0002-Remove-an-unused-field.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From e4aa0a2755d7b00e31760a7f90561b0566445fa4 Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Wed, 17 Oct 2012 09:54:10 -0400
-Subject: [PATCH 02/41] Remove an unused field.
-
-Signed-off-by: Peter Jones
----
- src/pesign_context.c | 1 -
- src/pesign_context.h | 1 -
- 2 files changed, 2 deletions(-)
-
-diff --git a/src/pesign_context.c b/src/pesign_context.c
-index b4b201d..c6afda6 100644
---- a/src/pesign_context.c
-+++ b/src/pesign_context.c
-@@ -88,7 +88,6 @@ pesign_context_fini(pesign_context *ctx)
- ctx->cms_ctx = NULL;
- }
-
-- xfree(ctx->certname);
- xfree(ctx->privkeyfile);
-
- if (ctx->outpe) {
-diff --git a/src/pesign_context.h b/src/pesign_context.h
-index cabccf3..8f4e45a 100644
---- a/src/pesign_context.h
-+++ b/src/pesign_context.h
-@@ -58,7 +58,6 @@ typedef struct {
- Pe *outpe;
-
- char *privkeyfile;
-- char *certname;
- cms_context *cms_ctx;
-
- int flags;
---
-1.7.12.1
-
diff --git a/0003-Free-the-certificate-list-we-make-once-we-re-done-us.patch b/0003-Free-the-certificate-list-we-make-once-we-re-done-us.patch
deleted file mode 100644
index e82eba1..0000000
--- a/0003-Free-the-certificate-list-we-make-once-we-re-done-us.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From df5afd0e6d92f31a804f5f1631b6fae3b8ef4d8b Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Wed, 17 Oct 2012 09:54:37 -0400
-Subject: [PATCH 03/41] Free the certificate list we make once we're done
- using it.
-
-Signed-off-by: Peter Jones
----
- src/wincert.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/wincert.c b/src/wincert.c
-index fe666c5..b487dc5 100644
---- a/src/wincert.c
-+++ b/src/wincert.c
-@@ -74,6 +74,7 @@ finalize_signatures(cms_context *cms, Pe *pe)
- free(clist);
- return -1;
- }
-+ free(clist);
- return 0;
- }
-
---
-1.7.12.1
-
diff --git a/0004-Make-sure-we-actually-look-up-the-certificate-when-n.patch b/0004-Make-sure-we-actually-look-up-the-certificate-when-n.patch
deleted file mode 100644
index 4a0fb36..0000000
--- a/0004-Make-sure-we-actually-look-up-the-certificate-when-n.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From c13cc0b03dcae9a743cc49aaa62c3923a3e7d8f9 Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Wed, 17 Oct 2012 09:55:02 -0400
-Subject: [PATCH 04/41] Make sure we actually look up the certificate when not
- in daemon mode.
-
-Signed-off-by: Peter Jones
----
- src/pesign.c | 24 +++++++++++++++---------
- 1 file changed, 15 insertions(+), 9 deletions(-)
-
-diff --git a/src/pesign.c b/src/pesign.c
-index 108994e..4ddf636 100644
---- a/src/pesign.c
-+++ b/src/pesign.c
-@@ -500,12 +500,6 @@ main(int argc, char *argv[])
- POPT_TABLEEND
- };
-
-- tokenname = strdup(tokenname);
-- if (!tokenname) {
-- fprintf(stderr, "could not allocate memory: %m\n");
-- exit(1);
-- }
--
- if (!daemon) {
- SECStatus status = NSS_Init("/etc/pki/pesign");
- if (status != SECSuccess) {
-@@ -521,8 +515,6 @@ main(int argc, char *argv[])
- exit(1);
- }
-
-- ctx.cms_ctx->certname = certname ? strdup(certname) : NULL;
--
- optCon = poptGetContext("pesign", argc, (const char **)argv, options,0);
-
- rc = poptReadDefaultConfig(optCon, 0);
-@@ -559,7 +551,21 @@ main(int argc, char *argv[])
- exit(!is_help);
- }
-
-- ctx.cms_ctx->tokenname = tokenname;
-+ ctx.cms_ctx->tokenname = tokenname ?
-+ PORT_ArenaStrdup(ctx.cms_ctx->arena, tokenname) : NULL;
-+ if (!ctx.cms_ctx->tokenname) {
-+ fprintf(stderr, "could not allocate token name: %s\n",
-+ PORT_ErrorToString(PORT_GetError()));
-+ exit(1);
-+ }
-+
-+ ctx.cms_ctx->certname = certname ?
-+ PORT_ArenaStrdup(ctx.cms_ctx->arena, certname) : NULL;
-+ if (!ctx.cms_ctx->certname) {
-+ fprintf(stderr, "could not allocate certificate name: %s\n",
-+ PORT_ErrorToString(PORT_GetError()));
-+ exit(1);
-+ }
-
- int action = 0;
- if (daemon)
---
-1.7.12.1
-
diff --git a/0005-Fix-check-for-allocations-on-tokenname-certname.patch b/0005-Fix-check-for-allocations-on-tokenname-certname.patch
deleted file mode 100644
index 6fca165..0000000
--- a/0005-Fix-check-for-allocations-on-tokenname-certname.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 844138e07535a8aa2be80496378c9929acaa1687 Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Wed, 17 Oct 2012 10:35:41 -0400
-Subject: [PATCH 05/41] Fix check for allocations on tokenname,certname.
-
-If we didn't have anything to start with, we won't have anything when
-we're done...
-
-Signed-off-by: Peter Jones
----
- src/pesign.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/pesign.c b/src/pesign.c
-index 4ddf636..c7b23cf 100644
---- a/src/pesign.c
-+++ b/src/pesign.c
-@@ -553,7 +553,7 @@ main(int argc, char *argv[])
-
- ctx.cms_ctx->tokenname = tokenname ?
- PORT_ArenaStrdup(ctx.cms_ctx->arena, tokenname) : NULL;
-- if (!ctx.cms_ctx->tokenname) {
-+ if (tokenname && !ctx.cms_ctx->tokenname) {
- fprintf(stderr, "could not allocate token name: %s\n",
- PORT_ErrorToString(PORT_GetError()));
- exit(1);
-@@ -561,7 +561,7 @@ main(int argc, char *argv[])
-
- ctx.cms_ctx->certname = certname ?
- PORT_ArenaStrdup(ctx.cms_ctx->arena, certname) : NULL;
-- if (!ctx.cms_ctx->certname) {
-+ if (certname && !ctx.cms_ctx->certname) {
- fprintf(stderr, "could not allocate certificate name: %s\n",
- PORT_ErrorToString(PORT_GetError()));
- exit(1);
---
-1.7.12.1
-
diff --git a/0006-Update-valgrind.supp-for-newer-codepaths.patch b/0006-Update-valgrind.supp-for-newer-codepaths.patch
deleted file mode 100644
index 54aa698..0000000
--- a/0006-Update-valgrind.supp-for-newer-codepaths.patch
+++ /dev/null
@@ -1,812 +0,0 @@ -From 682233d107460b49071017b4d88c0430373dbd35 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Wed, 17 Oct 2012 10:55:25 -0400 -Subject: [PATCH 06/41] Update valgrind.supp for newer codepaths. - -Signed-off-by: Peter Jones ---- - src/valgrind.supp | 361 ++++++++++++++++++++++++++++++++++++------------------ - 1 file changed, 245 insertions(+), 116 deletions(-) - -diff --git a/src/valgrind.supp b/src/valgrind.supp -index 3a51293..0a8edd9 100644 ---- a/src/valgrind.supp -+++ b/src/valgrind.supp -@@ -1,23 +1,43 @@ - { - -- Memcheck:Leak -- fun:malloc -- fun:NSSRWLock_New_Util -- fun:NSSTrustDomain_Create -- fun:STAN_LoadDefaultNSS3TrustDomain -- fun:nss_Init -- fun:NSS_Init -- fun:main -+ Memcheck:Param -+ socketcall.sendto(msg) -+ fun:send -+ fun:MessageSend -+ fun:MessageSendWithHeader -+ fun:SCardConnect -+ fun:CKYCardConnection_Connect -+ fun:_ZN4Slot14connectToTokenEv -+ fun:_ZN4Slot17refreshTokenStateEv -+ fun:_ZN4Slot14isTokenPresentEv -+ fun:_ZN8SlotList11getSlotListEhPmS0_ -+ fun:C_GetSlotList -+ fun:secmod_LoadPKCS11Module -+ fun:SECMOD_LoadModule - } - { - -- Memcheck:Leak -- fun:_Znwm -- obj:* -- fun:secmod_ModuleInit -+ Memcheck:Cond -+ fun:SCardStatus -+ fun:CKYCardConnection_GetStatus -+ fun:_ZN4Slot23cardStateMayHaveChangedEv -+ fun:_ZN4Slot17refreshTokenStateEv -+ fun:_ZN4Slot14isTokenPresentEv -+ fun:_ZN8SlotList11getSlotListEhPmS0_ -+ fun:C_GetSlotList - fun:secmod_LoadPKCS11Module - fun:SECMOD_LoadModule - fun:SECMOD_LoadModule -+ fun:nss_InitModules -+ fun:nss_Init -+} -+{ -+ -+ Memcheck:Leak -+ fun:malloc -+ fun:NSSRWLock_New_Util -+ fun:NSSTrustDomain_Create -+ fun:STAN_LoadDefaultNSS3TrustDomain - fun:nss_Init - fun:NSS_Init - fun:main -@@ -25,12 +45,15 @@ - { - - Memcheck:Leak -- fun:_Znwm -- obj:* -- fun:secmod_ModuleInit -+ fun:malloc -+ fun:PORT_Alloc_Util -+ fun:PK11_ReadMechanismList -+ fun:PK11_InitToken -+ fun:PK11_InitSlot - fun:secmod_LoadPKCS11Module - fun:SECMOD_LoadModule - fun:SECMOD_LoadModule -+ 
fun:nss_InitModules - fun:nss_Init - fun:NSS_Init - fun:main -@@ -223,12 +246,10 @@ - { - - Memcheck:Leak -- fun:_Znwm -- obj:* -- fun:secmod_ModuleInit -- fun:secmod_LoadPKCS11Module -- fun:SECMOD_LoadModule -- fun:SECMOD_LoadModule -+ fun:calloc -+ fun:NSSRWLock_New_Util -+ fun:NSSTrustDomain_Create -+ fun:STAN_LoadDefaultNSS3TrustDomain - fun:nss_Init - fun:NSS_Init - fun:main -@@ -237,10 +258,10 @@ - - Memcheck:Leak - fun:malloc -- fun:PKIX_PL_Malloc -- fun:PKIX_PL_Object_Alloc -- fun:PKIX_PL_HashTable_Create -- fun:PKIX_Initialize -+ fun:PR_NewCondVar -+ fun:NSSRWLock_New_Util -+ fun:NSSTrustDomain_Create -+ fun:STAN_LoadDefaultNSS3TrustDomain - fun:nss_Init - fun:NSS_Init - fun:main -@@ -249,18 +270,7 @@ - - Memcheck:Leak - fun:malloc -- fun:PKIX_PL_Malloc -- fun:PKIX_PL_Object_Alloc -- fun:PKIX_PL_HashTable_Create -- fun:PKIX_Initialize -- fun:nss_Init -- fun:NSS_Init -- fun:main --} --{ -- -- Memcheck:Leak -- fun:calloc -+ fun:PR_NewCondVar - fun:NSSRWLock_New_Util - fun:NSSTrustDomain_Create - fun:STAN_LoadDefaultNSS3TrustDomain -@@ -272,10 +282,10 @@ - - Memcheck:Leak - fun:malloc -- fun:PR_NewCondVar -- fun:NSSRWLock_New_Util -- fun:NSSTrustDomain_Create -- fun:STAN_LoadDefaultNSS3TrustDomain -+ fun:PKIX_PL_Malloc -+ fun:PKIX_PL_Object_Alloc -+ fun:PKIX_PL_HashTable_Create -+ fun:PKIX_Initialize - fun:nss_Init - fun:NSS_Init - fun:main -@@ -284,10 +294,10 @@ - - Memcheck:Leak - fun:malloc -- fun:PR_NewCondVar -- fun:NSSRWLock_New_Util -- fun:NSSTrustDomain_Create -- fun:STAN_LoadDefaultNSS3TrustDomain -+ fun:PKIX_PL_Malloc -+ fun:PKIX_PL_Object_Alloc -+ fun:PKIX_PL_HashTable_Create -+ fun:PKIX_Initialize - fun:nss_Init - fun:NSS_Init - fun:main -@@ -357,8 +367,10 @@ - fun:calloc - fun:PORT_ZAlloc_Util - fun:PORT_NewArena_Util -+ fun:secmod_NewModule - fun:SECMOD_CreateModule - fun:SECMOD_LoadModule -+ fun:nss_InitModules - fun:nss_Init - fun:NSS_Init - fun:main -@@ -368,8 +380,10 @@ - Memcheck:Leak - fun:calloc - fun:nss_ZAlloc -+ 
fun:nss_arena_hash_alloc_table - fun:PL_NewHashTable - fun:nssHash_Create -+ fun:nssHash_CreateCertificate - fun:nssTrustDomain_InitializeCache - fun:NSSTrustDomain_Create - fun:STAN_LoadDefaultNSS3TrustDomain -@@ -382,8 +396,10 @@ - Memcheck:Leak - fun:calloc - fun:nss_ZAlloc -+ fun:nss_arena_hash_alloc_table - fun:PL_NewHashTable - fun:nssHash_Create -+ fun:nssHash_CreateItem - fun:nssTrustDomain_InitializeCache - fun:NSSTrustDomain_Create - fun:STAN_LoadDefaultNSS3TrustDomain -@@ -396,8 +412,10 @@ - Memcheck:Leak - fun:calloc - fun:nss_ZAlloc -+ fun:nss_arena_hash_alloc_table - fun:PL_NewHashTable - fun:nssHash_Create -+ fun:nssHash_CreateString - fun:nssTrustDomain_InitializeCache - fun:NSSTrustDomain_Create - fun:STAN_LoadDefaultNSS3TrustDomain -@@ -410,8 +428,10 @@ - Memcheck:Leak - fun:calloc - fun:nss_ZAlloc -+ fun:nss_arena_hash_alloc_table - fun:PL_NewHashTable - fun:nssHash_Create -+ fun:nssHash_CreateString - fun:nssTrustDomain_InitializeCache - fun:NSSTrustDomain_Create - fun:STAN_LoadDefaultNSS3TrustDomain -@@ -424,28 +444,32 @@ - Memcheck:Leak - fun:calloc - fun:nss_ZAlloc -+ fun:nss_arena_hash_alloc_table - fun:PL_NewHashTable - fun:nssHash_Create -+ fun:nssHash_CreateCertificate - fun:nssCertificateStore_Create - fun:nssCryptoContext_Create -+ fun:nssTrustDomain_CreateCryptoContext -+ fun:NSSTrustDomain_CreateCryptoContext - fun:STAN_LoadDefaultNSS3TrustDomain - fun:nss_Init -- fun:NSS_Init -- fun:main - } - { - - Memcheck:Leak - fun:calloc - fun:nss_ZAlloc -+ fun:nss_arena_hash_alloc_table - fun:PL_NewHashTable - fun:nssHash_Create -+ fun:nssHash_CreateItem - fun:nssCertificateStore_Create - fun:nssCryptoContext_Create -+ fun:nssTrustDomain_CreateCryptoContext -+ fun:NSSTrustDomain_CreateCryptoContext - fun:STAN_LoadDefaultNSS3TrustDomain - fun:nss_Init -- fun:NSS_Init -- fun:main - } - { - -@@ -466,6 +490,7 @@ - fun:calloc - fun:nss_ZAlloc - fun:nssArena_Create -+ fun:NSSArena_Create - fun:NSSTrustDomain_Create - 
fun:STAN_LoadDefaultNSS3TrustDomain - fun:nss_Init -@@ -505,7 +530,10 @@ - fun:calloc - fun:nss_ZAlloc - fun:nssArena_Create -+ fun:NSSArena_Create - fun:nssCryptoContext_Create -+ fun:nssTrustDomain_CreateCryptoContext -+ fun:NSSTrustDomain_CreateCryptoContext - fun:STAN_LoadDefaultNSS3TrustDomain - fun:nss_Init - fun:NSS_Init -@@ -514,14 +542,12 @@ - { - - Memcheck:Leak -- fun:malloc -- obj:* -- obj:* -- obj:* -- fun:secmod_ModuleInit -- fun:secmod_LoadPKCS11Module -- fun:SECMOD_LoadModule -- fun:SECMOD_LoadModule -+ fun:calloc -+ fun:nss_ZAlloc -+ fun:nssTokenObjectCache_Create -+ fun:nssToken_CreateFromPK11SlotInfo -+ fun:STAN_InitTokenForSlotInfo -+ fun:STAN_LoadDefaultNSS3TrustDomain - fun:nss_Init - fun:NSS_Init - fun:main -@@ -531,28 +557,32 @@ - Memcheck:Leak - fun:calloc - fun:nss_ZAlloc -+ fun:nss_arena_hash_alloc_table - fun:PL_NewHashTable - fun:nssHash_Create -+ fun:nssHash_CreateCertificate - fun:nssCertificateStore_Create - fun:nssCryptoContext_Create -+ fun:nssTrustDomain_CreateCryptoContext -+ fun:NSSTrustDomain_CreateCryptoContext - fun:STAN_LoadDefaultNSS3TrustDomain - fun:nss_Init -- fun:NSS_Init -- fun:main - } - { - - Memcheck:Leak - fun:calloc - fun:nss_ZAlloc -+ fun:nss_arena_hash_alloc_table - fun:PL_NewHashTable - fun:nssHash_Create -+ fun:nssHash_CreateItem - fun:nssCertificateStore_Create - fun:nssCryptoContext_Create -+ fun:nssTrustDomain_CreateCryptoContext -+ fun:NSSTrustDomain_CreateCryptoContext - fun:STAN_LoadDefaultNSS3TrustDomain - fun:nss_Init -- fun:NSS_Init -- fun:main - } - { - -@@ -560,35 +590,11 @@ - fun:calloc - fun:PORT_ZAlloc_Util - fun:PORT_NewArena_Util -+ fun:secmod_NewModule - fun:SECMOD_CreateModule - fun:SECMOD_LoadModule - fun:SECMOD_LoadModule -- fun:nss_Init -- fun:NSS_Init -- fun:main --} --{ -- -- Memcheck:Leak -- fun:calloc -- fun:nss_ZAlloc -- fun:nssArena_Create -- fun:nssToken_CreateFromPK11SlotInfo -- fun:STAN_InitTokenForSlotInfo -- fun:STAN_LoadDefaultNSS3TrustDomain -- fun:nss_Init -- fun:NSS_Init -- 
fun:main --} --{ -- -- Memcheck:Leak -- fun:calloc -- fun:nss_ZAlloc -- fun:nssArena_Create -- fun:nssToken_CreateFromPK11SlotInfo -- fun:STAN_InitTokenForSlotInfo -- fun:STAN_LoadDefaultNSS3TrustDomain -+ fun:nss_InitModules - fun:nss_Init - fun:NSS_Init - fun:main -@@ -599,8 +605,10 @@ - fun:calloc - fun:PR_NewLock - fun:PORT_NewArena_Util -+ fun:secmod_NewModule - fun:SECMOD_CreateModule - fun:SECMOD_LoadModule -+ fun:nss_InitModules - fun:nss_Init - fun:NSS_Init - fun:main -@@ -610,8 +618,10 @@ - Memcheck:Leak - fun:calloc - fun:PR_NewLock -+ fun:secmod_NewModule - fun:SECMOD_CreateModule - fun:SECMOD_LoadModule -+ fun:nss_InitModules - fun:nss_Init - fun:NSS_Init - fun:main -@@ -621,22 +631,11 @@ - Memcheck:Leak - fun:calloc - fun:PR_NewLock -- fun:PKIX_PL_Object_Alloc -- fun:PKIX_PL_HashTable_Create -- fun:PKIX_Initialize -- fun:nss_Init -- fun:NSS_Init -- fun:main --} --{ -- -- Memcheck:Leak -- fun:calloc -- fun:PR_NewLock -- fun:PKIX_PL_Object_Alloc -- fun:PKIX_PL_Mutex_Create -- fun:PKIX_PL_HashTable_Create -- fun:PKIX_Initialize -+ fun:PK11_NewSlotInfo -+ fun:secmod_LoadPKCS11Module -+ fun:SECMOD_LoadModule -+ fun:SECMOD_LoadModule -+ fun:nss_InitModules - fun:nss_Init - fun:NSS_Init - fun:main -@@ -646,9 +645,11 @@ - Memcheck:Leak - fun:calloc - fun:PR_NewLock -- fun:PKIX_PL_Mutex_Create -- fun:PKIX_PL_HashTable_Create -- fun:PKIX_Initialize -+ fun:PK11_NewSlotInfo -+ fun:secmod_LoadPKCS11Module -+ fun:SECMOD_LoadModule -+ fun:SECMOD_LoadModule -+ fun:nss_InitModules - fun:nss_Init - fun:NSS_Init - fun:main -@@ -658,9 +659,10 @@ - Memcheck:Leak - fun:calloc - fun:PR_NewLock -- fun:PKIX_PL_Object_Alloc -- fun:PKIX_PL_HashTable_Create -- fun:PKIX_Initialize -+ fun:nssArena_Create -+ fun:NSSArena_Create -+ fun:NSSTrustDomain_Create -+ fun:STAN_LoadDefaultNSS3TrustDomain - fun:nss_Init - fun:NSS_Init - fun:main -@@ -670,7 +672,7 @@ - Memcheck:Leak - fun:calloc - fun:PR_NewLock -- fun:nssArena_Create -+ fun:NSSRWLock_New_Util - fun:NSSTrustDomain_Create - 
fun:STAN_LoadDefaultNSS3TrustDomain - fun:nss_Init -@@ -682,7 +684,8 @@ - Memcheck:Leak - fun:calloc - fun:PR_NewLock -- fun:NSSRWLock_New_Util -+ fun:nssArena_Create -+ fun:nssTrustDomain_InitializeCache - fun:NSSTrustDomain_Create - fun:STAN_LoadDefaultNSS3TrustDomain - fun:nss_Init -@@ -694,7 +697,6 @@ - Memcheck:Leak - fun:calloc - fun:PR_NewLock -- fun:nssArena_Create - fun:nssTrustDomain_InitializeCache - fun:NSSTrustDomain_Create - fun:STAN_LoadDefaultNSS3TrustDomain -@@ -707,6 +709,8 @@ - Memcheck:Leak - fun:calloc - fun:PR_NewLock -+ fun:nssHash_Create -+ fun:nssHash_CreateCertificate - fun:nssTrustDomain_InitializeCache - fun:NSSTrustDomain_Create - fun:STAN_LoadDefaultNSS3TrustDomain -@@ -720,6 +724,7 @@ - fun:calloc - fun:PR_NewLock - fun:nssHash_Create -+ fun:nssHash_CreateItem - fun:nssTrustDomain_InitializeCache - fun:NSSTrustDomain_Create - fun:STAN_LoadDefaultNSS3TrustDomain -@@ -733,6 +738,7 @@ - fun:calloc - fun:PR_NewLock - fun:nssHash_Create -+ fun:nssHash_CreateString - fun:nssTrustDomain_InitializeCache - fun:NSSTrustDomain_Create - fun:STAN_LoadDefaultNSS3TrustDomain -@@ -746,6 +752,7 @@ - fun:calloc - fun:PR_NewLock - fun:nssHash_Create -+ fun:nssHash_CreateString - fun:nssTrustDomain_InitializeCache - fun:NSSTrustDomain_Create - fun:STAN_LoadDefaultNSS3TrustDomain -@@ -758,9 +765,7 @@ - Memcheck:Leak - fun:calloc - fun:PR_NewLock -- fun:nssHash_Create -- fun:nssTrustDomain_InitializeCache -- fun:NSSTrustDomain_Create -+ fun:nssList_Create - fun:STAN_LoadDefaultNSS3TrustDomain - fun:nss_Init - fun:NSS_Init -@@ -771,7 +776,9 @@ - Memcheck:Leak - fun:calloc - fun:PR_NewLock -- fun:nssList_Create -+ fun:nssTokenObjectCache_Create -+ fun:nssToken_CreateFromPK11SlotInfo -+ fun:STAN_InitTokenForSlotInfo - fun:STAN_LoadDefaultNSS3TrustDomain - fun:nss_Init - fun:NSS_Init -@@ -821,7 +828,10 @@ - fun:calloc - fun:PR_NewLock - fun:nssArena_Create -+ fun:NSSArena_Create - fun:nssCryptoContext_Create -+ fun:nssTrustDomain_CreateCryptoContext -+ 
fun:NSSTrustDomain_CreateCryptoContext - fun:STAN_LoadDefaultNSS3TrustDomain - fun:nss_Init - fun:NSS_Init -@@ -834,6 +844,8 @@ - fun:PR_NewLock - fun:nssCertificateStore_Create - fun:nssCryptoContext_Create -+ fun:nssTrustDomain_CreateCryptoContext -+ fun:NSSTrustDomain_CreateCryptoContext - fun:STAN_LoadDefaultNSS3TrustDomain - fun:nss_Init - fun:NSS_Init -@@ -845,8 +857,11 @@ - fun:calloc - fun:PR_NewLock - fun:nssHash_Create -+ fun:nssHash_CreateCertificate - fun:nssCertificateStore_Create - fun:nssCryptoContext_Create -+ fun:nssTrustDomain_CreateCryptoContext -+ fun:NSSTrustDomain_CreateCryptoContext - fun:STAN_LoadDefaultNSS3TrustDomain - fun:nss_Init - fun:NSS_Init -@@ -858,8 +873,11 @@ - fun:calloc - fun:PR_NewLock - fun:nssHash_Create -+ fun:nssHash_CreateItem - fun:nssCertificateStore_Create - fun:nssCryptoContext_Create -+ fun:nssTrustDomain_CreateCryptoContext -+ fun:NSSTrustDomain_CreateCryptoContext - fun:STAN_LoadDefaultNSS3TrustDomain - fun:nss_Init - fun:NSS_Init -@@ -871,6 +889,55 @@ - fun:calloc - fun:PR_NewLock - fun:PKIX_PL_Object_Alloc -+ fun:PKIX_PL_HashTable_Create -+ fun:PKIX_Initialize -+ fun:nss_Init -+ fun:NSS_Init -+ fun:main -+} -+{ -+ -+ Memcheck:Leak -+ fun:calloc -+ fun:PR_NewLock -+ fun:PKIX_PL_Object_Alloc -+ fun:PKIX_PL_Mutex_Create -+ fun:PKIX_PL_HashTable_Create -+ fun:PKIX_Initialize -+ fun:nss_Init -+ fun:NSS_Init -+ fun:main -+} -+{ -+ -+ Memcheck:Leak -+ fun:calloc -+ fun:PR_NewLock -+ fun:PKIX_PL_Mutex_Create -+ fun:PKIX_PL_HashTable_Create -+ fun:PKIX_Initialize -+ fun:nss_Init -+ fun:NSS_Init -+ fun:main -+} -+{ -+ -+ Memcheck:Leak -+ fun:calloc -+ fun:PR_NewLock -+ fun:PKIX_PL_Object_Alloc -+ fun:PKIX_PL_HashTable_Create -+ fun:PKIX_Initialize -+ fun:nss_Init -+ fun:NSS_Init -+ fun:main -+} -+{ -+ -+ Memcheck:Leak -+ fun:calloc -+ fun:PR_NewLock -+ fun:PKIX_PL_Object_Alloc - fun:PKIX_PL_Mutex_Create - fun:PKIX_PL_HashTable_Create - fun:PKIX_Initialize -@@ -1064,6 +1131,33 @@ - { - - Memcheck:Leak -+ fun:calloc -+ 
fun:nss_ZAlloc -+ fun:nssArena_Create -+ fun:nssToken_CreateFromPK11SlotInfo -+ fun:STAN_InitTokenForSlotInfo -+ fun:STAN_LoadDefaultNSS3TrustDomain -+ fun:nss_Init -+ fun:NSS_Init -+ fun:main -+} -+{ -+ -+ Memcheck:Leak -+ fun:calloc -+ fun:nss_ZAlloc -+ fun:nssArena_Create -+ fun:nssSlot_CreateFromPK11SlotInfo -+ fun:nssToken_CreateFromPK11SlotInfo -+ fun:STAN_InitTokenForSlotInfo -+ fun:STAN_LoadDefaultNSS3TrustDomain -+ fun:nss_Init -+ fun:NSS_Init -+ fun:main -+} -+{ -+ -+ Memcheck:Leak - fun:malloc - fun:PKIX_PL_Malloc - fun:pkix_pl_PrimHashTable_Create -@@ -1126,8 +1220,10 @@ - Memcheck:Leak - fun:calloc - fun:nss_ZAlloc -+ fun:nss_arena_hash_alloc_table - fun:PL_NewHashTable - fun:nssHash_Create -+ fun:nssHash_CreateCertificate - fun:nssTrustDomain_InitializeCache - fun:NSSTrustDomain_Create - fun:STAN_LoadDefaultNSS3TrustDomain -@@ -1140,8 +1236,10 @@ - Memcheck:Leak - fun:calloc - fun:nss_ZAlloc -+ fun:nss_arena_hash_alloc_table - fun:PL_NewHashTable - fun:nssHash_Create -+ fun:nssHash_CreateItem - fun:nssTrustDomain_InitializeCache - fun:NSSTrustDomain_Create - fun:STAN_LoadDefaultNSS3TrustDomain -@@ -1154,8 +1252,10 @@ - Memcheck:Leak - fun:calloc - fun:nss_ZAlloc -+ fun:nss_arena_hash_alloc_table - fun:PL_NewHashTable - fun:nssHash_Create -+ fun:nssHash_CreateString - fun:nssTrustDomain_InitializeCache - fun:NSSTrustDomain_Create - fun:STAN_LoadDefaultNSS3TrustDomain -@@ -1168,8 +1268,10 @@ - Memcheck:Leak - fun:calloc - fun:nss_ZAlloc -+ fun:nss_arena_hash_alloc_table - fun:PL_NewHashTable - fun:nssHash_Create -+ fun:nssHash_CreateString - fun:nssTrustDomain_InitializeCache - fun:NSSTrustDomain_Create - fun:STAN_LoadDefaultNSS3TrustDomain -@@ -1183,9 +1285,11 @@ - fun:calloc - fun:PR_NewLock - fun:PORT_NewArena_Util -+ fun:secmod_NewModule - fun:SECMOD_CreateModule - fun:SECMOD_LoadModule - fun:SECMOD_LoadModule -+ fun:nss_InitModules - fun:nss_Init - fun:NSS_Init - fun:main -@@ -1195,9 +1299,11 @@ - Memcheck:Leak - fun:calloc - fun:PR_NewLock -+ 
fun:secmod_NewModule - fun:SECMOD_CreateModule - fun:SECMOD_LoadModule - fun:SECMOD_LoadModule -+ fun:nss_InitModules - fun:nss_Init - fun:NSS_Init - fun:main -@@ -1233,6 +1339,7 @@ - fun:calloc - fun:PR_NewLock - fun:nssArena_Create -+ fun:nssSlot_CreateFromPK11SlotInfo - fun:nssToken_CreateFromPK11SlotInfo - fun:STAN_InitTokenForSlotInfo - fun:STAN_LoadDefaultNSS3TrustDomain -@@ -1245,6 +1352,7 @@ - Memcheck:Leak - fun:calloc - fun:PR_NewLock -+ fun:nssSlot_CreateFromPK11SlotInfo - fun:nssToken_CreateFromPK11SlotInfo - fun:STAN_InitTokenForSlotInfo - fun:STAN_LoadDefaultNSS3TrustDomain -@@ -1258,8 +1366,24 @@ - fun:malloc - fun:PL_ArenaAllocate - fun:PORT_ArenaAlloc_Util -+ fun:secmod_NewModule - fun:SECMOD_CreateModule - fun:SECMOD_LoadModule -+ fun:nss_InitModules -+ fun:nss_Init -+ fun:NSS_Init -+ fun:main -+} -+{ -+ -+ Memcheck:Leak -+ fun:malloc -+ fun:PORT_Alloc_Util -+ fun:PK11_NewSlotInfo -+ fun:secmod_LoadPKCS11Module -+ fun:SECMOD_LoadModule -+ fun:SECMOD_LoadModule -+ fun:nss_InitModules - fun:nss_Init - fun:NSS_Init - fun:main -@@ -1273,7 +1397,9 @@ - fun:legacy_ReadSecmodDB - fun:sftkdb_ReadSecmodDB - fun:NSC_ModuleDBFunc -+ fun:SECMOD_GetModuleSpecList - fun:SECMOD_LoadModule -+ fun:nss_InitModules - fun:nss_Init - fun:NSS_Init - fun:main -@@ -1349,6 +1475,8 @@ - fun:nss_zalloc_arena_locked - fun:nss_ZAlloc - fun:nssCryptoContext_Create -+ fun:nssTrustDomain_CreateCryptoContext -+ fun:NSSTrustDomain_CreateCryptoContext - fun:STAN_LoadDefaultNSS3TrustDomain - fun:nss_Init - fun:NSS_Init -@@ -1375,6 +1503,7 @@ - fun:PL_ArenaAllocate - fun:nss_zalloc_arena_locked - fun:nss_ZAlloc -+ fun:nssSlot_CreateFromPK11SlotInfo - fun:nssToken_CreateFromPK11SlotInfo - fun:STAN_InitTokenForSlotInfo - fun:STAN_LoadDefaultNSS3TrustDomain --- -1.7.12.1 - diff --git a/0007-Free-the-pid-string-once-we-re-done-writing-it.patch b/0007-Free-the-pid-string-once-we-re-done-writing-it.patch deleted file mode 100644 index d02d84f..0000000 
--- a/0007-Free-the-pid-string-once-we-re-done-writing-it.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 81bf0e36a82a3d746a01aee50d8ee460dc794b19 Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Wed, 17 Oct 2012 10:57:20 -0400
-Subject: [PATCH 07/41] Free the pid string once we're done writing it.
-
-Signed-off-by: Peter Jones
----
- src/daemon.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/daemon.c b/src/daemon.c
-index daa2dbf..245491f 100644
---- a/src/daemon.c
-+++ b/src/daemon.c
-@@ -842,6 +842,7 @@ err:
- if (rc < 0)
- goto err;
-
-+ free(pidstr);
- close(fd);
- }
-
---
-1.7.12.1
-
diff --git a/0008-valgrind-Don-t-complain-about-unlocking-a-key-and-ke.patch b/0008-valgrind-Don-t-complain-about-unlocking-a-key-and-ke.patch
deleted file mode 100644
index b6a8f0d..0000000
--- a/0008-valgrind-Don-t-complain-about-unlocking-a-key-and-ke.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 50c50c8fbebab3d8b5efff35dc1a7ca4b44d6b19 Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Wed, 17 Oct 2012 11:08:30 -0400
-Subject: [PATCH 08/41] [valgrind] Don't complain about unlocking a key and
- keeping the handle.
-
-Signed-off-by: Peter Jones
----
- src/valgrind.supp | 16 ++++++++++++++++
- 1 file changed, 16 insertions(+)
-
-diff --git a/src/valgrind.supp b/src/valgrind.supp
-index 0a8edd9..62934e8 100644
---- a/src/valgrind.supp
-+++ b/src/valgrind.supp
-@@ -1511,3 +1511,19 @@
- fun:NSS_Init
- fun:main
- }
-+{
-+
-+ Memcheck:Leak
-+ fun:calloc
-+ fun:nss_ZAlloc
-+ fun:nssArena_Create
-+ fun:nssList_Create
-+ fun:nssTrustDomain_UpdateCachedTokenCerts
-+ fun:PK11_DoPassword
-+ fun:PK11_Authenticate
-+ fun:unlock_nss_token
-+ fun:handle_unlock_token
-+ fun:handle_event
-+ fun:handle_events
-+ fun:daemonize
-+}
---
-1.7.12.1
-
diff --git a/0009-Only-try-to-register-OIDs-once.patch b/0009-Only-try-to-register-OIDs-once.patch
deleted file mode 100644
index 25843ba..0000000
--- a/0009-Only-try-to-register-OIDs-once.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From b71f1d2e8f7ad6853e5e68134a66baf9dea2471b Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Wed, 17 Oct 2012 11:26:04 -0400
-Subject: [PATCH 09/41] Only try to register OIDs once.
-
-Signed-off-by: Peter Jones
----
- src/cms_common.c | 10 +++++++---
- 1 file changed, 7 insertions(+), 3 deletions(-)
-
-diff --git a/src/cms_common.c b/src/cms_common.c
-index 2d51979..6219a2a 100644
---- a/src/cms_common.c
-+++ b/src/cms_common.c
-@@ -179,11 +179,15 @@ cms_common_log(cms_context *ctx, int priority, char *fmt, ...)
- int
- cms_context_init(cms_context *cms)
- {
-+ static int first_time = 1;
- memset(cms, '\0', sizeof (*cms));
-
-- SECStatus status = register_oids(cms);
-- if (status != SECSuccess)
-- return -1;
-+ if (first_time) {
-+ SECStatus status = register_oids(cms);
-+ if (status != SECSuccess)
-+ return -1;
-+ first_time = 0;
-+ }
-
- cms->log = cms_common_log;
-
---
-1.7.12.1
-
diff --git a/0010-Check-for-NSS_Shutdown-failure.patch b/0010-Check-for-NSS_Shutdown-failure.patch
deleted file mode 100644
index 2e6042c..0000000
--- a/0010-Check-for-NSS_Shutdown-failure.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From f966137c17f74fc3e343dfb6e04300a9d179de03 Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Wed, 17 Oct 2012 12:05:29 -0400
-Subject: [PATCH 10/41] Check for NSS_Shutdown() failure.
-
-Signed-off-by: Peter Jones
----
- src/daemon.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/src/daemon.c b/src/daemon.c
-index 245491f..77fff90 100644
---- a/src/daemon.c
-+++ b/src/daemon.c
-@@ -967,6 +967,11 @@ daemonize(cms_context *cms_ctx, int do_fork)
-
- rc = handle_events(&ctx);
-
-- NSS_Shutdown();
-+ status = NSS_Shutdown();
-+ if (status != SECSuccess) {
-+ fprintf(stderr, "NSS_Shutdown failed: %s\n",
-+ PORT_ErrorToString(PORT_GetError()));
-+ exit(1);
-+ }
- return rc;
- }
---
-1.7.12.1
-
diff --git a/0011-Don-t-destroy-stdin-stdout-stderr-if-we-don-t-fork.patch b/0011-Don-t-destroy-stdin-stdout-stderr-if-we-don-t-fork.patch
deleted file mode 100644
index 333df42..0000000
--- a/0011-Don-t-destroy-stdin-stdout-stderr-if-we-don-t-fork.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From 0dddfd5e738232403220b0d18888f94fa0032a59 Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Wed, 17 Oct 2012 12:17:39 -0400
-Subject: [PATCH 11/41] Don't destroy stdin/stdout/stderr if we don't fork.
-
-I like being able to read my error messages.
-
-Signed-off-by: Peter Jones
----
- src/daemon.c | 59 +++++++++++++++++++++++++++++++++--------------------------
- 1 file changed, 33 insertions(+), 26 deletions(-)
-
-diff --git a/src/daemon.c b/src/daemon.c
-index 77fff90..a31c063 100644
---- a/src/daemon.c
-+++ b/src/daemon.c
-@@ -890,33 +890,38 @@ daemonize(cms_context *cms_ctx, int do_fork)
- exit(1);
- }
-
-- int fd = open("/dev/zero", O_RDONLY);
-- close(STDIN_FILENO);
-- rc = dup2(fd, STDIN_FILENO);
-- if (rc < 0) {
-- ctx.backup_cms->log(ctx.backup_cms, ctx.priority|LOG_ERR,
-- "pesignd: could not set up standard input: %m");
-- exit(1);
-- }
-- close(fd);
-+ if (do_fork) {
-+ int fd = open("/dev/zero", O_RDONLY);
-+ close(STDIN_FILENO);
-+ rc = dup2(fd, STDIN_FILENO);
-+ if (rc < 0) {
-+ ctx.backup_cms->log(ctx.backup_cms,
-+ ctx.priority|LOG_ERR,
-+ "pesignd: could not set up standard input: %m");
-+ exit(1);
-+ }
-+ close(fd);
-
-- fd = open("/dev/null", O_WRONLY);
-- close(STDOUT_FILENO);
-- rc = dup2(fd, STDOUT_FILENO);
-- if (rc < 0) {
-- ctx.backup_cms->log(ctx.backup_cms, ctx.priority|LOG_ERR,
-- "pesignd: could not set up standard output: %m");
-- exit(1);
-- }
-+ fd = open("/dev/null", O_WRONLY);
-+ close(STDOUT_FILENO);
-+ rc = dup2(fd, STDOUT_FILENO);
-+ if (rc < 0) {
-+ ctx.backup_cms->log(ctx.backup_cms,
-+ ctx.priority|LOG_ERR,
-+ "pesignd: could not set up standard output: %m");
-+ exit(1);
-+ }
-
-- close(STDERR_FILENO);
-- rc = dup2(fd, STDERR_FILENO);
-- if (rc < 0) {
-- ctx.backup_cms->log(ctx.backup_cms, ctx.priority|LOG_ERR,
-- "pesignd: could not set up standard error: %m");
-- exit(1);
-+ close(STDERR_FILENO);
-+ rc = dup2(fd, STDERR_FILENO);
-+ if (rc < 0) {
-+ ctx.backup_cms->log(ctx.backup_cms,
-+ ctx.priority|LOG_ERR,
-+ "pesignd: could not set up standard error: %m");
-+ exit(1);
-+ }
-+ close(fd);
- }
-- close(fd);
-
- prctl(PR_SET_NAME, "pesignd", 0, 0, 0);
-
-@@ -963,13 +968,15 @@ daemonize(cms_context *cms_ctx, int do_fork)
-
- cms_set_pw_callback(ctx.backup_cms, get_password_fail);
- cms_set_pw_data(ctx.backup_cms, NULL);
-- ctx.backup_cms->log = daemon_logger;
-+ if (do_fork)
-+ ctx.backup_cms->log = daemon_logger;
-
- rc = handle_events(&ctx);
-
- status = NSS_Shutdown();
- if (status != SECSuccess) {
-- fprintf(stderr, "NSS_Shutdown failed: %s\n",
-+ ctx.backup_cms->log(ctx.backup_cms, ctx.priority|LOG_ERR,
-+ "NSS_Shutdown failed: %s\n",
- PORT_ErrorToString(PORT_GetError()));
- exit(1);
- }
---
-1.7.12.1
-
diff --git a/0012-valgrind-Add-SECMOD_LoadModule-codepath.patch b/0012-valgrind-Add-SECMOD_LoadModule-codepath.patch
deleted file mode 100644
index d0bc3c4..0000000
--- a/0012-valgrind-Add-SECMOD_LoadModule-codepath.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 19c8e797d092e17f2882d249d5446728a76db050 Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Wed, 17 Oct 2012 14:29:30 -0400
-Subject: [PATCH 12/41] [valgrind] Add SECMOD_LoadModule codepath.
-
-This is called once when we initialize the database.
-
-Signed-off-by: Peter Jones
----
- src/valgrind.supp | 31 +++++++++++++++++++++++++++++++
- 1 file changed, 31 insertions(+)
-
-diff --git a/src/valgrind.supp b/src/valgrind.supp
-index 62934e8..783bdad 100644
---- a/src/valgrind.supp
-+++ b/src/valgrind.supp
-@@ -1527,3 +1527,34 @@
- fun:handle_events
- fun:daemonize
- }
-+{
-+
-+ Memcheck:Leak
-+ fun:_Znwm
-+ obj:*
-+ fun:secmod_ModuleInit
-+ fun:secmod_LoadPKCS11Module
-+ fun:SECMOD_LoadModule
-+ fun:SECMOD_LoadModule
-+ fun:nss_InitModules
-+ fun:nss_Init
-+ fun:NSS_Init
-+ fun:daemonize
-+ fun:main
-+}
-+{
-+
-+ Memcheck:Leak
-+ fun:malloc
-+ obj:*
-+ obj:*
-+ obj:*
-+ fun:secmod_ModuleInit
-+ fun:secmod_LoadPKCS11Module
-+ fun:SECMOD_LoadModule
-+ fun:SECMOD_LoadModule
-+ fun:nss_InitModules
-+ fun:nss_Init
-+ fun:NSS_Init
-+ fun:daemonize
-+}
---
-1.7.12.1
-
diff --git a/0013-Don-t-set-up-digests-in-cms_context_init.patch b/0013-Don-t-set-up-digests-in-cms_context_init.patch
deleted file mode 100644
index b471ba0..0000000
--- a/0013-Don-t-set-up-digests-in-cms_context_init.patch
+++ /dev/null
@@ -1,119 +0,0 @@
-From 186b6d5d39a1feeaa5f9493d28dc4f53015d551d Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Wed, 17 Oct 2012 14:33:35 -0400
-Subject: [PATCH 13/41] Don't set up digests in cms_context_init.
-
-Move digest setup out of cms_context_init, so we can avoid leaking the
-reference to the digests by not having them in ctx->backup_cms in the
-daemon.
-
-Signed-off-by: Peter Jones
----
- src/cms_common.c | 9 ++-------
- src/cms_common.h | 3 +++
- src/daemon.c | 27 +++++++++++++++++++++++++++
- 3 files changed, 32 insertions(+), 7 deletions(-)
-
-diff --git a/src/cms_common.c b/src/cms_common.c
-index 6219a2a..a8e34dd 100644
---- a/src/cms_common.c
-+++ b/src/cms_common.c
-@@ -97,7 +97,7 @@ digest_get_digest_size(cms_context *cms)
- }
-
-
--static int
-+int
- setup_digests(cms_context *cms)
- {
- struct digest *digests = NULL;
-@@ -133,7 +133,7 @@ err:
- return -1;
- }
-
--static void
-+void
- teardown_digests(cms_context *ctx)
- {
- struct digest *digests = ctx->digests;
-@@ -199,11 +199,6 @@ cms_context_init(cms_context *cms)
- return -1;
- }
-
-- int rc = setup_digests(cms);
-- if (rc < 0) {
-- PORT_FreeArena(cms->arena, PR_TRUE);
-- return -1;
-- }
- cms->selected_digest = -1;
-
- return 0;
-diff --git a/src/cms_common.h b/src/cms_common.h
-index fc80fa3..830427e 100644
---- a/src/cms_common.h
-+++ b/src/cms_common.h
-@@ -86,6 +86,9 @@ extern int cms_context_alloc(cms_context **ctxp);
- extern int cms_context_init(cms_context *ctx);
- extern void cms_context_fini(cms_context *ctx);
-
-+extern int setup_digests(cms_context *cms);
-+extern void teardown_digests(cms_context *ctx);
-+
- extern int generate_octet_string(cms_context *ctx, SECItem *encoded,
- SECItem *original);
- extern int generate_object_id(cms_context *ctx, SECItem *encoded,
-diff --git a/src/daemon.c b/src/daemon.c
-index a31c063..f44f069 100644
---- a/src/daemon.c
-+++ b/src/daemon.c
-@@ -143,6 +143,15 @@ handle_unlock_token(context *ctx, struct pollfd *pollfd, socklen_t size)
- return;
- }
-
-+ rc = setup_digests(ctx->cms);
-+ if (rc < 0) {
-+ ctx->backup_cms->log(ctx->backup_cms, ctx->priority|LOG_NOTICE,
-+ "Could not initialize digests: %s\n",
-+ PORT_ErrorToString(PORT_GetError()));
-+ send_response(ctx, ctx->backup_cms, pollfd, rc);
-+ return;
-+ }
-+
- steal_from_cms(ctx->backup_cms, ctx->cms);
-
- if (!buffer) {
-@@ -491,6 +500,15 @@ handle_sign_attached(context *ctx, struct pollfd *pollfd, socklen_t size)
- if (rc < 0)
- return;
-
-+ rc = setup_digests(ctx->cms);
-+ if (rc < 0) {
-+ ctx->backup_cms->log(ctx->backup_cms, ctx->priority|LOG_NOTICE,
-+ "Could not initialize digests: %s\n",
-+ PORT_ErrorToString(PORT_GetError()));
-+ send_response(ctx, ctx->backup_cms, pollfd, rc);
-+ return;
-+ }
-+
- steal_from_cms(ctx->backup_cms, ctx->cms);
-
- handle_signing(ctx, pollfd, size, 1);
-@@ -506,6 +524,15 @@ handle_sign_detached(context *ctx, struct pollfd *pollfd, socklen_t size)
- if (rc < 0)
- return;
-
-+ rc = setup_digests(ctx->cms);
-+ if (rc < 0) {
-+ ctx->backup_cms->log(ctx->backup_cms, ctx->priority|LOG_NOTICE,
-+ "Could not initialize digests: %s\n",
-+ PORT_ErrorToString(PORT_GetError()));
-+ send_response(ctx, ctx->backup_cms, pollfd, rc);
-+ return;
-+ }
-+
- steal_from_cms(ctx->backup_cms, ctx->cms);
-
- handle_signing(ctx, pollfd, size, 0);
---
-1.7.12.1
-
diff --git a/0014-Do-register_oids-where-we-re-doing-NSS_Init.patch b/0014-Do-register_oids-where-we-re-doing-NSS_Init.patch
deleted file mode 100644
index 76c5deb..0000000
--- a/0014-Do-register_oids-where-we-re-doing-NSS_Init.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From e1f8d4e38f4ad08fb407691a3f59edc19a1f15e2 Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Wed, 17 Oct 2012 14:41:18 -0400
-Subject: [PATCH 14/41] Do register_oids() where we're doing NSS_Init()
-
-Signed-off-by: Peter Jones
----
- src/cms_common.c | 8 --------
- src/daemon.c | 7 +++++++
- 2 files changed, 7 insertions(+), 8 deletions(-)
-
-diff --git a/src/cms_common.c b/src/cms_common.c
-index a8e34dd..6188e6e 100644
---- a/src/cms_common.c
-+++ b/src/cms_common.c
-@@ -179,16 +179,8 @@ cms_common_log(cms_context *ctx, int priority, char *fmt, ...)
- int
- cms_context_init(cms_context *cms)
- {
-- static int first_time = 1;
- memset(cms, '\0', sizeof (*cms));
-
-- if (first_time) {
-- SECStatus status = register_oids(cms);
-- if (status != SECSuccess)
-- return -1;
-- first_time = 0;
-- }
--
- cms->log = cms_common_log;
-
- cms->arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-diff --git a/src/daemon.c b/src/daemon.c
-index f44f069..085cfec 100644
---- a/src/daemon.c
-+++ b/src/daemon.c
-@@ -917,6 +917,13 @@ daemonize(cms_context *cms_ctx, int do_fork)
- exit(1);
- }
-
-+ status = register_oids(ctx.backup_cms);
-+ if (status != SECSuccess) {
-+ ctx.backup_cms->log(ctx.backup_cms, ctx.priority|LOG_NOTICE,
-+ "Could not register OIDs\n");
-+ exit(1);
-+ }
-+
- if (do_fork) {
- int fd = open("/dev/zero", O_RDONLY);
- close(STDIN_FILENO);
---
-1.7.12.1
-
diff --git a/0015-Make-daemon-shutdown-actually-close-the-NSS-database.patch b/0015-Make-daemon-shutdown-actually-close-the-NSS-database.patch
deleted file mode 100644
index aa173f4..0000000
--- a/0015-Make-daemon-shutdown-actually-close-the-NSS-database.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 092e3f81233655849156b0948a53f3b5f51b8c97 Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Wed, 17 Oct 2012 14:43:58 -0400
-Subject: [PATCH 15/41] Make daemon shutdown actually close the NSS databases
- and whatnot.
-
-Signed-off-by: Peter Jones
----
- src/daemon.c | 20 +++++++++++++++++---
- 1 file changed, 17 insertions(+), 3 deletions(-)
-
-diff --git a/src/daemon.c b/src/daemon.c
-index 085cfec..dd215f8 100644
---- a/src/daemon.c
-+++ b/src/daemon.c
-@@ -125,8 +125,7 @@ handle_kill_daemon(context *ctx, struct pollfd *pollfd, socklen_t size)
- ctx->backup_cms->log(ctx->backup_cms, ctx->priority|LOG_NOTICE,
- "pesignd exiting (pid %d)", getpid());
-
-- cms_context_fini(ctx->backup_cms);
-- exit(0);
-+ should_exit = 1;
- }
-
- static void
-@@ -625,6 +624,16 @@ handle_event(context *ctx, struct pollfd *pollfd)
- return 0;
- }
-
-+static void
-+do_shutdown(context *ctx, int nsockets, struct pollfd *pollfds)
-+{
-+ for (int i = 0; i < nsockets; i++)
-+ close(pollfds[i].fd);
-+ free(pollfds);
-+
-+ xfree(ctx->errstr);
-+}
-+
- static int
- handle_events(context *ctx)
- {
-@@ -643,9 +652,14 @@ handle_events(context *ctx)
- pollfds[0].events = POLLIN|POLLPRI|POLLHUP;
-
- while (1) {
-+ if (should_exit != 0) {
-+shutdown:
-+ do_shutdown(ctx, nsockets, pollfds);
-+ return 0;
-+ }
- rc = ppoll(pollfds, nsockets, NULL, NULL);
- if (should_exit != 0)
-- exit(0);
-+ goto shutdown;
- if (rc < 0) {
- ctx->backup_cms->log(ctx->backup_cms,
- ctx->priority|LOG_WARNING,
---
-1.7.12.1
-
diff --git a/0016-Reformat-a-bunch-of-error-messages-to-be-vaguely-con.patch b/0016-Reformat-a-bunch-of-error-messages-to-be-vaguely-con.patch
deleted file mode 100644
index 41fbdc9..0000000
--- a/0016-Reformat-a-bunch-of-error-messages-to-be-vaguely-con.patch
+++ /dev/null
@@ -1,425 +0,0 @@ -From b6ff405da1bf4627a40fc104457a539788c9f470 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Wed, 17 Oct 2012 15:18:08 -0400 -Subject: [PATCH 16/41] Reformat a bunch of error messages to be vaguely - consistent. - -Signed-off-by: Peter Jones ---- - src/cms_common.c | 6 ++-- - src/daemon.c | 102 ++++++++++++++++++++++++++++--------------------------- - 2 files changed, 55 insertions(+), 53 deletions(-) - -diff --git a/src/cms_common.c b/src/cms_common.c -index 6188e6e..a1ed460 100644 ---- a/src/cms_common.c -+++ b/src/cms_common.c -@@ -410,7 +410,7 @@ find_certificate(cms_context *cms) - PK11SlotList *slots = NULL; - slots = PK11_GetAllTokens(CKM_RSA_PKCS, PR_FALSE, PR_TRUE, pwdata); - if (!slots) { -- cms->log(cms, LOG_ERR, "Could not find certificate \"%s:%s\"", -+ cms->log(cms, LOG_ERR, "could not find certificate \"%s:%s\"", - cms->tokenname, cms->certname); - err: - return -1; -@@ -420,7 +420,7 @@ err: - psle = PK11_GetFirstSafe(slots); - if (!psle) { - err_slots_errmsg: -- cms->log(cms, LOG_ERR, "Could not find certificate \"%s:%s\"", -+ cms->log(cms, LOG_ERR, "could not find certificate \"%s:%s\"", - cms->tokenname, cms->certname); - err_slots: - PK11_FreeSlotList(slots); -@@ -441,7 +441,7 @@ err_slots: - if (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) { - status = PK11_Authenticate(psle->slot, PR_TRUE, pwdata); - if (status != SECSuccess) { -- cms->log(cms, LOG_ERR, "Authentication failed on " -+ cms->log(cms, LOG_ERR, "authentication failed for " - "certificate \"%s:%s\"", cms->tokenname, - cms->certname); - PK11_DestroySlotListElement(slots, &psle); -diff --git a/src/daemon.c b/src/daemon.c -index dd215f8..07aaf6c 100644 ---- a/src/daemon.c -+++ b/src/daemon.c -@@ -82,7 +82,7 @@ send_response(context *ctx, cms_context *cms, struct pollfd *pollfd, int rc) - void *buffer = calloc(1, iov.iov_len); - if (!buffer) { - cms->log(cms, ctx->priority|LOG_ERR, -- "pesignd: could not allocate memory: %m"); -+ "could not 
allocate memory: %m");
- exit(1);
- }
-
-@@ -108,7 +108,7 @@ send_response(context *ctx, cms_context *cms, struct pollfd *pollfd, int rc)
- n = sendmsg(pollfd->fd, &msg, 0);
- if (n < 0)
- cms->log(cms, ctx->priority|LOG_WARNING,
-- "pesignd: could not send response to client: %m");
-+ "could not send response to client: %m");
-
- free(buffer);
- }
-@@ -156,7 +156,7 @@ handle_unlock_token(context *ctx, struct pollfd *pollfd, socklen_t size)
- if (!buffer) {
- oom:
- ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
-- "pesignd: unable to allocate memory: %m");
-+ "unable to allocate memory: %m");
- exit(1);
- }
-
-@@ -173,9 +173,9 @@ oom:
- if (n < sizeof(tn->size)) {
- malformed:
- ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
-- "pesignd: unlock-token: invalid data");
-+ "unlock-token: invalid data");
- ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
-- "pesignd: possible exploit attempt. closing.");
-+ "possible exploit attempt. closing.");
- close(pollfd->fd);
- return;
- }
-@@ -202,7 +202,7 @@ malformed:
- goto malformed;
-
- ctx->cms->log(ctx->cms, ctx->priority|LOG_NOTICE,
-- "pesignd: unlocking token \"%s\"", tn->value);
-+ "unlocking token \"%s\"", tn->value);
-
- /* authenticating with nss frees this ... best API ever. */
- ctx->cms->tokenname = PORT_ArenaZAlloc(ctx->cms->arena,
-@@ -223,9 +223,13 @@ malformed:
- cms_set_pw_callback(ctx->cms, get_password_fail);
- cms_set_pw_data(ctx->cms, NULL);
-
-- if (rc == 0)
-- ctx->cms->log(ctx->cms, LOG_NOTICE, "pesignd: Authentication "
-- "succeeded for token \"%s\"", tn->value);
-+ if (rc < 0)
-+ ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
-+ "could not find token \"%s\"", tn->value);
-+ else
-+ ctx->cms->log(ctx->cms, ctx->priority|LOG_NOTICE,
-+ "authentication succeeded for token \"%s\"",
-+ tn->value);
-
- send_response(ctx, ctx->cms, pollfd, rc);
- free(buffer);
-@@ -245,7 +249,7 @@ socket_get_fd(context *ctx, int sd, int *fd)
- struct cmsghdr *cm = malloc(controllen);
- if (!cm) {
- ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
-- "pesignd: unable to allocate memory: %m");
-+ "unable to allocate memory: %m");
- exit(1);
- }
-
-@@ -262,9 +266,9 @@ socket_get_fd(context *ctx, int sd, int *fd)
- if (n < 0) {
- malformed:
- ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
-- "pesignd: unlock-token: invalid data");
-+ "unlock-token: invalid data");
- ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
-- "pesignd: possible exploit attempt. closing.");
-+ "possible exploit attempt. closing.");
- close(sd);
- return;
- }
-@@ -293,7 +297,7 @@ set_up_inpe(context *ctx, int fd, Pe **pe)
- *pe = pe_begin(fd, PE_C_READ, NULL);
- if (!*pe) {
- ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
-- "pesignd: could not parse PE binary: %s",
-+ "could not parse PE binary: %s",
- pe_errmsg(pe_errno()));
- return -1;
- }
-@@ -301,7 +305,7 @@ set_up_inpe(context *ctx, int fd, Pe **pe)
- int rc = parse_signatures(ctx->cms, *pe);
- if (rc < 0) {
- ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
-- "pesignd: could not parse signature list");
-+ "could not parse signature list");
- pe_end(*pe);
- *pe = NULL;
- return -1;
-@@ -320,20 +324,20 @@ set_up_outpe(context *ctx, int fd, Pe *inpe, Pe **outpe)
- off_t offset = lseek(fd, 0, SEEK_SET);
- if (offset < 0) {
- ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
-- "pesignd: could not read output file: %m");
-+ "could not read output file: %m");
- return -1;
- }
-
- int rc = ftruncate(fd, size);
- if (rc < 0) {
- ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
-- "pesignd: could not extend output file: %m");
-+ "could not extend output file: %m");
- return -1;
- }
- rc = write(fd, addr, size);
- if (rc < 0) {
- ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
-- "pesignd: could not write to output file: %m");
-+ "could not write to output file: %m");
- return -1;
- }
-
-@@ -342,7 +346,7 @@ set_up_outpe(context *ctx, int fd, Pe *inpe, Pe **outpe)
- *outpe = pe_begin(fd, PE_C_RDWR, NULL);
- if (!*outpe) {
- ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
-- "pesignd: could not set up output: %s",
-+ "could not set up output: %s",
- pe_errmsg(pe_errno()));
- return -1;
- }
-@@ -363,7 +367,7 @@ handle_signing(context *ctx, struct pollfd *pollfd, socklen_t size,
- if (!buffer) {
- oom:
- ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
-- "pesignd: unable to allocate memory: %m");
-+ "unable to allocate memory: %m");
- exit(1);
- }
-
-@@ -380,9 +384,9 @@ oom:
- if (n < sizeof(tn->size)) {
- malformed:
- ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
-- "pesignd: unlock-token: invalid data");
-+ "unlock-token: invalid data");
- ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
-- "pesignd: possible exploit attempt. closing.");
-+ "possible exploit attempt. closing.");
- close(pollfd->fd);
- return;
- }
-@@ -423,7 +427,7 @@ malformed:
- socket_get_fd(ctx, pollfd->fd, &outfd);
-
- ctx->cms->log(ctx->cms, ctx->priority|LOG_NOTICE,
-- "pesignd: attempting to sign with key \"%s:%s\"",
-+ "attempting to sign with key \"%s:%s\"",
- tn->value, cn->value);
- free(buffer);
-
-@@ -548,9 +552,9 @@ handle_invalid_input(pesignd_cmd cmd, context *ctx, struct pollfd *pollfd,
- socklen_t size)
- {
- ctx->backup_cms->log(ctx->backup_cms, ctx->priority|LOG_ERR,
-- "pesignd: got unexpected command 0x%x", cmd);
-+ "got unexpected command 0x%x", cmd);
- ctx->backup_cms->log(ctx->backup_cms, ctx->priority|LOG_ERR,
-- "pesignd: possible exploit attempt");
-+ "possible exploit attempt");
- }
-
- typedef void (*cmd_handler)(context *ctx, struct pollfd *pollfd,
-@@ -593,16 +597,16 @@ handle_event(context *ctx, struct pollfd *pollfd)
- n = recvmsg(pollfd->fd, &msg, MSG_WAITALL);
- if (n < 0) {
- ctx->backup_cms->log(ctx->backup_cms, ctx->priority|LOG_WARNING,
-- "pesignd: recvmsg failed: %m");
-+ "recvmsg failed: %m");
- return n;
- }
-
- if (pm.version != PESIGND_VERSION) {
- ctx->backup_cms->log(ctx->backup_cms, ctx->priority|LOG_ERR,
-- "pesignd: got version %d, expected version %d",
-+ "got version %d, expected version %d",
- pm.version, PESIGND_VERSION);
- ctx->backup_cms->log(ctx->backup_cms, ctx->priority|LOG_ERR,
-- "pesignd: possible exploit attempt. closing.");
-+ "possible exploit attempt. closing.");
- close(pollfd->fd);
- return -1;
- }
-@@ -644,7 +648,7 @@ handle_events(context *ctx)
-
- if (!pollfds) {
- ctx->backup_cms->log(ctx->backup_cms, ctx->priority|LOG_ERR,
-- "pesignd: could not allocate memory: %m");
-+ "could not allocate memory: %m");
- exit(1);
- }
-
-@@ -663,7 +667,7 @@ shutdown:
- if (rc < 0) {
- ctx->backup_cms->log(ctx->backup_cms,
- ctx->priority|LOG_WARNING,
-- "pesignd: ppoll: %m");
-+ "ppoll: %m");
- continue;
- }
-
-@@ -675,8 +679,7 @@ shutdown:
- if (!newpollfds) {
- ctx->backup_cms->log(ctx->backup_cms,
- ctx->priority|LOG_ERR,
-- "pesignd: could not allocate memory: "
-- "%m");
-+ "could not allocate memory: %m");
- exit(1);
- }
- pollfds = newpollfds;
-@@ -729,8 +732,8 @@ get_uid_and_gid(context *ctx, char **homedir)
-
- if (ctx->uid == 0 || ctx->gid == 0) {
- ctx->backup_cms->log(ctx->backup_cms, ctx->priority|LOG_ERR,
-- "pesignd: cowardly refusing to start with uid = %d "
-- "and gid = %d", ctx->uid, ctx->gid);
-+ "cowardly refusing to start with uid = %d and gid = %d",
-+ ctx->uid, ctx->gid);
- errno = EINVAL;
- return -1;
- }
-@@ -752,7 +755,7 @@ set_up_socket(context *ctx)
- int sd = socket(AF_UNIX, SOCK_STREAM, 0);
- if (sd < 0) {
- ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
-- "pesignd: unable to create socket: %m");
-+ "unable to create socket: %m");
- exit(1);
- }
-
-@@ -760,7 +763,7 @@ set_up_socket(context *ctx)
- int rc = setsockopt(sd, SOL_SOCKET, SO_PASSCRED, &one, sizeof(one));
- if (rc < 0) {
- ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
-- "pesignd: unable to set socket options: %m");
-+ "unable to set socket options: %m");
- exit(1);
- }
-
-@@ -772,14 +775,14 @@ set_up_socket(context *ctx)
- rc = bind(sd, &addr_un, sizeof(addr_un));
- if (rc < 0) {
- ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
-- "pesignd: unable to bind to \"%s\": %m",
-+ "unable to bind to \"%s\": %m",
- addr_un.sun_path);
- exit(1);
- }
- rc = chmod(SOCKPATH, 0660);
- if (rc < 0) {
- ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
-- "pesignd: could not set permissions for \"%s\": %m",
-+ "could not set permissions for \"%s\": %m",
- SOCKPATH);
- exit(1);
- }
-@@ -787,7 +790,7 @@ set_up_socket(context *ctx)
- rc = listen(sd, 5);
- if (rc < 0) {
- ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
-- "pesignd: unable to listen on socket: %m");
-+ "unable to listen on socket: %m");
- exit(1);
- }
-
-@@ -809,8 +812,7 @@ check_socket(context *ctx)
-
- int sd = socket(AF_UNIX, SOCK_SEQPACKET, 0);
- if (sd < 0) {
-- fprintf(stderr, "pesignd: unable to create socket: "
-- "%m");
-+ fprintf(stderr, "unable to create socket: %m");
- exit(1);
- }
-
-@@ -829,7 +831,7 @@ check_socket(context *ctx)
- if (rc < 0) {
- return;
- } else {
-- fprintf(stderr, "pesignd: already running");
-+ fprintf(stderr, "already running");
- exit(1);
- }
- } else {
-@@ -871,7 +873,7 @@ write_pid_file(int pid)
- int fd = open("/var/run/pesign.pid", O_WRONLY|O_CREAT|O_TRUNC, 0644);
- if (fd < 0) {
- err:
-- fprintf(stderr, "pesignd: couldn't open pidfile: %m\n");
-+ fprintf(stderr, "couldn't open pidfile: %m\n");
- exit(1);
- }
- char *pidstr = NULL;
-@@ -923,10 +925,10 @@ daemonize(cms_context *cms_ctx, int do_fork)
- daemon_logger(ctx.backup_cms, ctx.priority|LOG_NOTICE,
- "pesignd starting (pid %d)", ctx.pid);
-
--
- SECStatus status = NSS_Init("/etc/pki/pesign");
- if (status != SECSuccess) {
-- fprintf(stderr, "Could not initialize nss: %s\n",
-+ ctx.backup_cms->log(ctx.backup_cms, ctx.priority|LOG_NOTICE,
-+ "Could not initialize nss: %s\n",
- PORT_ErrorToString(PORT_GetError()));
- exit(1);
- }
-@@ -945,7 +947,7 @@ daemonize(cms_context *cms_ctx, int do_fork)
- if (rc < 0) {
- ctx.backup_cms->log(ctx.backup_cms,
- ctx.priority|LOG_ERR,
-- "pesignd: could not set up standard input: %m");
-+ "could not set up standard input: %m");
- exit(1);
- }
- close(fd);
-@@ -956,7 +958,7 @@ daemonize(cms_context *cms_ctx, int do_fork)
- if (rc < 0) {
- ctx.backup_cms->log(ctx.backup_cms,
- ctx.priority|LOG_ERR,
-- "pesignd: could not set up standard output: %m");
-+ "could not set up standard output: %m");
- exit(1);
- }
-
-@@ -965,7 +967,7 @@ daemonize(cms_context *cms_ctx, int do_fork)
- if (rc < 0) {
- ctx.backup_cms->log(ctx.backup_cms,
- ctx.priority|LOG_ERR,
-- "pesignd: could not set up standard error: %m");
-+ "could not set up standard error: %m");
- exit(1);
- }
- close(fd);
-@@ -989,7 +991,7 @@ daemonize(cms_context *cms_ctx, int do_fork)
- rc = get_uid_and_gid(&ctx, &homedir);
- if (rc < 0) {
- ctx.backup_cms->log(ctx.backup_cms, ctx.priority|LOG_ERR,
-- "pesignd: could not get group and user information "
-+ "could not get group and user information "
- "for pesign: %m");
- exit(1);
- }
-@@ -1001,13 +1003,13 @@ daemonize(cms_context *cms_ctx, int do_fork)
- if (setgid(ctx.gid) != 0) {
- ctx.backup_cms->log(ctx.backup_cms,
- ctx.priority|LOG_ERR,
-- "pesignd: unable to drop group privileges: %m");
-+ "unable to drop group privileges: %m");
- exit(1);
- }
- if (setuid(ctx.uid) != 0) {
- ctx.backup_cms->log(ctx.backup_cms,
- ctx.priority|LOG_ERR,
-- "pesignd: unable to drop user privileges: %m");
-+ "unable to drop user privileges: %m");
- exit(1);
- }
- }
---
-1.7.12.1
-
diff --git a/0017-Use-PORT_ArenaStrdup-where-appropriate.patch b/0017-Use-PORT_ArenaStrdup-where-appropriate.patch
deleted file mode 100644
index 393518e..0000000
--- a/0017-Use-PORT_ArenaStrdup-where-appropriate.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From 8ffe6943f04d42314f81eb8b5e3350d4ccc41895 Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Wed, 17 Oct 2012 15:26:23 -0400
-Subject: [PATCH 17/41] Use PORT_ArenaStrdup() where appropriate.
-
-Signed-off-by: Peter Jones
----
- src/daemon.c | 15 ++++++---------
- src/pesign.c | 12 ++++++------
- 2 files changed, 12 insertions(+), 15 deletions(-)
-
-diff --git a/src/daemon.c b/src/daemon.c
-index 07aaf6c..73fd924 100644
---- a/src/daemon.c
-+++ b/src/daemon.c
-@@ -205,9 +205,8 @@ malformed:
- "unlocking token \"%s\"", tn->value);
-
- /* authenticating with nss frees this ... best API ever. */
-- ctx->cms->tokenname = PORT_ArenaZAlloc(ctx->cms->arena,
-- strlen((char *)tn->value));
-- strcpy(ctx->cms->tokenname, (char *)tn->value);
-+ ctx->cms->tokenname = PORT_ArenaStrdup(ctx->cms->arena,
-+ (char *)tn->value);
- if (!ctx->cms->tokenname)
- goto oom;
-
-@@ -397,9 +396,8 @@ malformed:
- n -= tn->size;
-
- /* authenticating with nss frees these ... best API ever. */
-- ctx->cms->tokenname = PORT_ArenaZAlloc(ctx->cms->arena,
-- strlen((char *)tn->value));
-- strcpy(ctx->cms->tokenname, (char *)tn->value);
-+ ctx->cms->tokenname = PORT_ArenaStrdup(ctx->cms->arena,
-+ (char *)tn->value);
- if (!ctx->cms->tokenname)
- goto oom;
-
-@@ -410,9 +408,8 @@ malformed:
- if (n < cn->size)
- goto malformed;
-
-- ctx->cms->certname = PORT_ArenaZAlloc(ctx->cms->arena,
-- strlen((char *)cn->value));
-- strcpy(ctx->cms->certname, (char *)cn->value);
-+ ctx->cms->certname = PORT_ArenaStrdup(ctx->cms->arena,
-+ (char *)cn->value);
- if (!ctx->cms->certname)
- goto oom;
-
-diff --git a/src/pesign.c b/src/pesign.c
-index c7b23cf..819cee0 100644
---- a/src/pesign.c
-+++ b/src/pesign.c
-@@ -551,17 +551,17 @@ main(int argc, char *argv[])
- exit(!is_help);
- }
-
-- ctx.cms_ctx->tokenname = tokenname ?
-- PORT_ArenaStrdup(ctx.cms_ctx->arena, tokenname) : NULL;
-- if (tokenname && !ctx.cms_ctx->tokenname) {
-+ ctxp->cms_ctx->tokenname = tokenname ?
-+ PORT_ArenaStrdup(ctxp->cms_ctx->arena, tokenname) : NULL;
-+ if (tokenname && !ctxp->cms_ctx->tokenname) {
- fprintf(stderr, "could not allocate token name: %s\n",
- PORT_ErrorToString(PORT_GetError()));
- exit(1);
- }
-
-- ctx.cms_ctx->certname = certname ?
-- PORT_ArenaStrdup(ctx.cms_ctx->arena, certname) : NULL;
-- if (certname && !ctx.cms_ctx->certname) {
-+ ctxp->cms_ctx->certname = certname ?
-+ PORT_ArenaStrdup(ctxp->cms_ctx->arena, certname) : NULL;
-+ if (certname && !ctxp->cms_ctx->certname) {
- fprintf(stderr, "could not allocate certificate name: %s\n",
- PORT_ErrorToString(PORT_GetError()));
- exit(1);
---
-1.7.12.1
-
diff --git a/0018-Minor-whitespace-fixes.patch b/0018-Minor-whitespace-fixes.patch
deleted file mode 100644
index d64c9a5..0000000
--- a/0018-Minor-whitespace-fixes.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From c196b462ad5267e8ed20c0b855b9921268b22a7b Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Wed, 17 Oct 2012 15:26:47 -0400
-Subject: [PATCH 18/41] Minor whitespace fixes.
-
-Signed-off-by: Peter Jones
----
- src/daemon.c | 6 +++---
- src/pesign.c | 2 +-
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/src/daemon.c b/src/daemon.c
-index 73fd924..69aea4b 100644
---- a/src/daemon.c
-+++ b/src/daemon.c
-@@ -70,7 +70,7 @@ hide_stolen_goods_from_cms(cms_context *new, cms_context *old)
-
- static void
- send_response(context *ctx, cms_context *cms, struct pollfd *pollfd, int rc)
--{
-+{
- struct msghdr msg;
- struct iovec iov;
- ssize_t n;
-@@ -890,7 +890,7 @@ int
- daemonize(cms_context *cms_ctx, int do_fork)
- {
- int rc = 0;
-- context ctx = {
-+ context ctx = {
- .backup_cms = cms_ctx,
- .priority = do_fork ? LOG_PID
- : LOG_PID|LOG_PERROR,
-@@ -904,7 +904,7 @@ daemonize(cms_context *cms_ctx, int do_fork)
- fprintf(stderr, "pesignd must be started as root");
- exit(1);
- }
--
-+
- check_socket(&ctx);
-
- openlog("pesignd", LOG_PID, LOG_DAEMON);
-diff --git a/src/pesign.c b/src/pesign.c
-index 819cee0..2ba5ef1 100644
---- a/src/pesign.c
-+++ b/src/pesign.c
-@@ -88,7 +88,7 @@ open_input(pesign_context *ctx)
-
- struct stat statbuf;
- ctx->infd = open(ctx->infile, O_RDONLY|O_CLOEXEC);
-- stat(ctx->infile, &statbuf);
-+ stat(ctx->infile, &statbuf);
- ctx->outmode = statbuf.st_mode;
-
- if (ctx->infd < 0) {
---
-1.7.12.1
-
diff --git a/0019-daemon-Make-sure-inpe-is-initialized-before-all-erro.patch b/0019-daemon-Make-sure-inpe-is-initialized-before-all-erro.patch
deleted file mode 100644
index 1686740..0000000
--- a/0019-daemon-Make-sure-inpe-is-initialized-before-all-erro.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 7a8c50f620c7484af9d750f484df8a6837e6b2a5 Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Wed, 17 Oct 2012 15:27:03 -0400
-Subject: [PATCH 19/41] [daemon] Make sure inpe is initialized before all
- error handling.
-
-find_certificate() and set_up_inpe() errors wind up being at the same
-place, which means when find_certificate is called, inpe already must be
-NULL.
-
-Signed-off-by: Peter Jones
----
- src/daemon.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/daemon.c b/src/daemon.c
-index 69aea4b..534fb23 100644
---- a/src/daemon.c
-+++ b/src/daemon.c
-@@ -362,6 +362,7 @@ handle_signing(context *ctx, struct pollfd *pollfd, socklen_t size,
- struct iovec iov;
- ssize_t n;
- char *buffer = malloc(size);
-+ Pe *inpe = NULL;
-
- if (!buffer) {
- oom:
-@@ -433,7 +434,6 @@ malformed:
- goto finish;
- }
-
-- Pe *inpe = NULL;
- rc = set_up_inpe(ctx, infd, &inpe);
- if (rc < 0)
- goto finish;
---
-1.7.12.1
-
diff --git a/0020-Allocate-pesign_context-rather-than-having-it-on-the.patch b/0020-Allocate-pesign_context-rather-than-having-it-on-the.patch
deleted file mode 100644
index f8172f7..0000000
--- a/0020-Allocate-pesign_context-rather-than-having-it-on-the.patch
+++ /dev/null
@@ -1,360 +0,0 @@
-From 66d3353e6d24c9e69ce71735c5aa4741717a6d68 Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Wed, 17 Oct 2012 15:31:15 -0400
-Subject: [PATCH 20/41] Allocate pesign_context rather than having it on the
- stack.
-
-This way it won't try to re-initialize cms_context when it's cleaned up.
-
-Signed-off-by: Peter Jones
----
- src/pesign.c | 152 ++++++++++++++++++++++++++++++-----------------------------
- 1 file changed, 77 insertions(+), 75 deletions(-)
-
-diff --git a/src/pesign.c b/src/pesign.c
-index 2ba5ef1..e22e814 100644
---- a/src/pesign.c
-+++ b/src/pesign.c
-@@ -426,7 +426,7 @@ main(int argc, char *argv[])
- {
- int rc;
-
-- pesign_context ctx, *ctxp = &ctx;
-+ pesign_context *ctxp;
-
- int list = 0;
- int remove = 0;
-@@ -437,40 +437,47 @@ main(int argc, char *argv[])
- char *tokenname = "NSS Certificate DB";
- char *certname = NULL;
-
-+ rc = pesign_context_new(&ctxp);
-+ if (rc < 0) {
-+ fprintf(stderr, "Could not initialize context: %m\n");
-+ exit(1);
-+ }
-+
- poptContext optCon;
- struct poptOption options[] = {
- {NULL, '\0', POPT_ARG_INTL_DOMAIN, "pesign" },
-- {"in", 'i', POPT_ARG_STRING, &ctx.infile, 0,
-+ {"in", 'i', POPT_ARG_STRING, &ctxp->infile, 0,
- "specify input file", ""},
-- {"out", 'o', POPT_ARG_STRING, &ctx.outfile, 0,
-+ {"out", 'o', POPT_ARG_STRING, &ctxp->outfile, 0,
- "specify output file", "" },
- {"certficate", 'c', POPT_ARG_STRING, &certname, 0,
- "specify certificate nickname",
- "" },
-- {"privkey", 'p', POPT_ARG_STRING, &ctx.privkeyfile, 0,
-+ {"privkey", 'p', POPT_ARG_STRING, &ctxp->privkeyfile, 0,
- "specify private key file", "" },
-- {"force", 'f', POPT_ARG_VAL, &ctx.force, 1,
-+ {"force", 'f', POPT_ARG_VAL, &ctxp->force, 1,
- "force overwriting of output file", NULL },
-- {"sign", 's', POPT_ARG_VAL, &ctx.sign, 1,
-+ {"sign", 's', POPT_ARG_VAL, &ctxp->sign, 1,
- "create a new signature", NULL },
-- {"hash", 'h', POPT_ARG_VAL, &ctx.hash, 1, "hash binary", NULL },
-+ {"hash", 'h', POPT_ARG_VAL, &ctxp->hash, 1, "hash binary", NULL },
- {"digest_type", 'd', POPT_ARG_STRING|POPT_ARGFLAG_SHOW_DEFAULT,
- &digest_name, 0, "digest type to use for pe hash" },
- {"import-signed-certificate", 'm',
- POPT_ARG_STRING|POPT_ARGFLAG_DOC_HIDDEN,
-- &ctx.insig, 0,"import signature from file", "" },
-+ &ctxp->insig, 0,"import signature from file", "" },
- {"export-signed-attributes", 'E',
- POPT_ARG_STRING|POPT_ARGFLAG_DOC_HIDDEN,
-- &ctx.outsattrs, 0, "export signed attributes to file",
-+ &ctxp->outsattrs, 0, "export signed attributes to file",
- "" },
- {"import-signed-attributes", 'I',
- POPT_ARG_STRING|POPT_ARGFLAG_DOC_HIDDEN,
-- &ctx.insattrs, 0, "import signed attributes from file",
-+ &ctxp->insattrs, 0,
-+ "import signed attributes from file",
- "" },
- {"import-raw-signature", 'R',
-- POPT_ARG_STRING|POPT_ARGFLAG_DOC_HIDDEN, &ctx.rawsig,
-+ POPT_ARG_STRING|POPT_ARGFLAG_DOC_HIDDEN, &ctxp->rawsig,
- 0, "import raw signature from file", "" },
-- {"signature-number", 'u', POPT_ARG_INT, &ctx.signum, -1,
-+ {"signature-number", 'u', POPT_ARG_INT, &ctxp->signum, -1,
- "specify which signature to operate on",""},
- {"list-signatures", 'l',
- POPT_ARG_VAL|POPT_ARGFLAG_DOC_HIDDEN,
-@@ -483,13 +490,14 @@ main(int argc, char *argv[])
- "remove signature" },
- {"export-signature", 'e',
- POPT_ARG_STRING|POPT_ARGFLAG_DOC_HIDDEN,
-- &ctx.outsig, 0,"export signature to file", "" },
-+ &ctxp->outsig, 0,
-+ "export signature to file", "" },
- {"export-pubkey", 'K', POPT_ARG_STRING,
-- &ctx.outkey, 0, "export pubkey to file", "" },
-+ &ctxp->outkey, 0, "export pubkey to file", "" },
- {"export-cert", 'C', POPT_ARG_STRING,
-- &ctx.outcert, 0, "export signing cert to file",
-+ &ctxp->outcert, 0, "export signing cert to file",
- "" },
-- {"ascii-armor", 'a', POPT_ARG_VAL, &ctx.ascii, 1,
-+ {"ascii-armor", 'a', POPT_ARG_VAL, &ctxp->ascii, 1,
- "use ascii armoring", NULL },
- {"daemonize", 'D', POPT_ARG_VAL, &daemon, 1,
- "run as a daemon process", NULL },
-@@ -509,12 +517,6 @@ main(int argc, char *argv[])
- }
- }
-
-- rc = pesign_context_init(ctxp);
-- if (rc < 0) {
-- fprintf(stderr, "Could not initialize context: %m\n");
-- exit(1);
-- }
--
- optCon = poptGetContext("pesign", argc, (const char **)argv, options,0);
-
- rc = poptReadDefaultConfig(optCon, 0);
-@@ -571,25 +573,25 @@ main(int argc, char *argv[])
- if (daemon)
- action |= DAEMONIZE;
-
-- if (ctx.rawsig)
-+ if (ctxp->rawsig)
- action |= IMPORT_RAW_SIGNATURE;
-
-- if (ctx.insattrs)
-+ if (ctxp->insattrs)
- action |= IMPORT_SATTRS;
-
-- if (ctx.outsattrs)
-+ if (ctxp->outsattrs)
- action |= EXPORT_SATTRS;
--
-- if (ctx.insig)
-+
-+ if (ctxp->insig)
- action |= IMPORT_SIGNATURE;
-
-- if (ctx.outkey)
-+ if (ctxp->outkey)
- action |= EXPORT_PUBKEY;
-
-- if (ctx.outcert)
-+ if (ctxp->outcert)
- action |= EXPORT_CERT;
-
-- if (ctx.outsig)
-+ if (ctxp->outsig)
- action |= EXPORT_SIGNATURE;
-
- if (remove != 0)
-@@ -598,13 +600,13 @@ main(int argc, char *argv[])
- if (list != 0)
- action |= LIST_SIGNATURES;
-
-- if (ctx.sign) {
-+ if (ctxp->sign) {
- action |= GENERATE_SIGNATURE;
- if (!(action & EXPORT_SIGNATURE))
- action |= IMPORT_SIGNATURE;
- }
-
-- if (ctx.hash)
-+ if (ctxp->hash)
- action |= GENERATE_DIGEST|PRINT_DIGEST;
-
- ssize_t sigspace = 0;
-@@ -620,11 +622,11 @@ main(int argc, char *argv[])
- */
- case IMPORT_RAW_SIGNATURE|IMPORT_SATTRS:
- check_inputs(ctxp);
-- rc = find_certificate(ctx.cms_ctx);
-+ rc = find_certificate(ctxp->cms_ctx);
- if (rc < 0) {
- fprintf(stderr, "pesign: Could not find "
- "certificate %s\n",
-- ctx.cms_ctx->certname);
-+ ctxp->cms_ctx->certname);
- exit(1);
- }
- open_rawsig_input(ctxp);
-@@ -636,19 +638,19 @@ main(int argc, char *argv[])
- open_input(ctxp);
- open_output(ctxp);
- close_input(ctxp);
-- generate_digest(ctx.cms_ctx, ctx.outpe);
-- sigspace = calculate_signature_space(ctx.cms_ctx,
-- ctx.outpe);
-- allocate_signature_space(ctx.outpe, sigspace);
-- generate_signature(ctx.cms_ctx);
-- insert_signature(ctx.cms_ctx, ctx.signum);
-- finalize_signatures(ctx.cms_ctx, ctx.outpe);
-+ generate_digest(ctxp->cms_ctx, ctxp->outpe);
-+ sigspace = calculate_signature_space(ctxp->cms_ctx,
-+ ctxp->outpe);
-+ allocate_signature_space(ctxp->outpe, sigspace);
-+ generate_signature(ctxp->cms_ctx);
-+ insert_signature(ctxp->cms_ctx, ctxp->signum);
-+ finalize_signatures(ctxp->cms_ctx, ctxp->outpe);
- close_output(ctxp);
- break;
- case EXPORT_SATTRS:
- open_input(ctxp);
- open_sattr_output(ctxp);
-- generate_digest(ctx.cms_ctx, ctx.inpe);
-+ generate_digest(ctxp->cms_ctx, ctxp->inpe);
- generate_sattr_blob(ctxp);
- close_sattr_output(ctxp);
- close_input(ctxp);
-@@ -666,22 +668,22 @@ main(int argc, char *argv[])
- close_output(ctxp);
- break;
- case EXPORT_PUBKEY:
-- rc = find_certificate(ctx.cms_ctx);
-+ rc = find_certificate(ctxp->cms_ctx);
- if (rc < 0) {
- fprintf(stderr, "pesign: Could not find "
- "certificate %s\n",
-- ctx.cms_ctx->certname);
-+ ctxp->cms_ctx->certname);
- exit(1);
- }
- open_pubkey_output(ctxp);
- export_pubkey(ctxp);
- break;
- case EXPORT_CERT:
-- rc = find_certificate(ctx.cms_ctx);
-+ rc = find_certificate(ctxp->cms_ctx);
- if (rc < 0) {
- fprintf(stderr, "pesign: Could not find "
- "certificate %s\n",
-- ctx.cms_ctx->certname);
-+ ctxp->cms_ctx->certname);
- exit(1);
- }
- open_cert_output(ctxp);
-@@ -691,21 +693,21 @@ main(int argc, char *argv[])
- case EXPORT_SIGNATURE:
- open_input(ctxp);
- open_sig_output(ctxp);
-- if (ctx.signum > ctx.cms_ctx->num_signatures) {
-+ if (ctxp->signum > ctxp->cms_ctx->num_signatures) {
- fprintf(stderr, "Invalid signature number.\n");
- exit(1);
- }
-- if (ctx.signum < 0)
-- ctx.signum = 0;
-- if (ctx.signum >= ctx.cms_ctx->num_signatures) {
-+ if (ctxp->signum < 0)
-+ ctxp->signum = 0;
-+ if (ctxp->signum >= ctxp->cms_ctx->num_signatures) {
- fprintf(stderr, "No valid signature #%d.\n",
-- ctx.signum);
-+ ctxp->signum);
- exit(1);
- }
-- memcpy(&ctx.cms_ctx->newsig,
-- ctx.cms_ctx->signatures[ctx.signum],
-- sizeof (ctx.cms_ctx->newsig));
-- export_signature(ctx.cms_ctx, ctx.outsigfd, ctx.ascii);
-+ memcpy(&ctxp->cms_ctx->newsig,
-+ ctxp->cms_ctx->signatures[ctxp->signum],
-+ sizeof (ctxp->cms_ctx->newsig));
-+ export_signature(ctxp->cms_ctx, ctxp->outsigfd, ctxp->ascii);
- close_input(ctxp);
- close_sig_output(ctxp);
- break;
-@@ -715,11 +717,11 @@ main(int argc, char *argv[])
- open_input(ctxp);
- open_output(ctxp);
- close_input(ctxp);
-- if (ctx.signum > ctx.cms_ctx->num_signatures) {
-+ if (ctxp->signum > ctxp->cms_ctx->num_signatures) {
- fprintf(stderr, "Invalid signature number.\n");
- exit(1);
- }
-- remove_signature(&ctx);
-+ remove_signature(ctxp);
- close_output(ctxp);
- break;
- /* list signatures in the binary */
-@@ -729,49 +731,49 @@ main(int argc, char *argv[])
- break;
- case GENERATE_DIGEST|PRINT_DIGEST:
- open_input(ctxp);
-- generate_digest(ctx.cms_ctx, ctx.inpe);
-+ generate_digest(ctxp->cms_ctx, ctxp->inpe);
- print_digest(ctxp);
- break;
- /* generate a signature and save it in a separate file */
- case EXPORT_SIGNATURE|GENERATE_SIGNATURE:
-- rc = find_certificate(ctx.cms_ctx);
-+ rc = find_certificate(ctxp->cms_ctx);
- if (rc < 0) {
- fprintf(stderr, "pesign: Could not find "
- "certificate %s\n",
-- ctx.cms_ctx->certname);
-+ ctxp->cms_ctx->certname);
- exit(1);
- }
- open_input(ctxp);
- open_sig_output(ctxp);
-- generate_digest(ctx.cms_ctx, ctx.inpe);
-- generate_signature(ctx.cms_ctx);
-- export_signature(ctx.cms_ctx, ctx.outsigfd, ctx.ascii);
-+ generate_digest(ctxp->cms_ctx, ctxp->inpe);
-+ generate_signature(ctxp->cms_ctx);
-+ export_signature(ctxp->cms_ctx, ctxp->outsigfd, ctxp->ascii);
- break;
- /* generate a signature and embed it in the binary */
- case IMPORT_SIGNATURE|GENERATE_SIGNATURE:
- check_inputs(ctxp);
-- rc = find_certificate(ctx.cms_ctx);
-+ rc = find_certificate(ctxp->cms_ctx);
- if (rc < 0) {
- fprintf(stderr, "pesign: Could not find "
- "certificate %s\n",
-- ctx.cms_ctx->certname);
-+ ctxp->cms_ctx->certname);
- exit(1);
- }
- open_input(ctxp);
- open_output(ctxp);
- close_input(ctxp);
-- generate_digest(ctx.cms_ctx, ctx.outpe);
-- sigspace = calculate_signature_space(ctx.cms_ctx,
-- ctx.outpe);
-- allocate_signature_space(ctx.outpe, sigspace);
-- generate_digest(ctx.cms_ctx, ctx.outpe);
-- generate_signature(ctx.cms_ctx);
-- insert_signature(ctx.cms_ctx, ctx.signum);
-- finalize_signatures(ctx.cms_ctx, ctx.outpe);
-+ generate_digest(ctxp->cms_ctx, ctxp->outpe);
-+ sigspace = calculate_signature_space(ctxp->cms_ctx,
-+ ctxp->outpe);
-+ allocate_signature_space(ctxp->outpe, sigspace);
-+ generate_digest(ctxp->cms_ctx, ctxp->outpe);
-+ generate_signature(ctxp->cms_ctx);
-+ insert_signature(ctxp->cms_ctx, ctxp->signum);
-+ finalize_signatures(ctxp->cms_ctx, ctxp->outpe);
- close_output(ctxp);
- break;
- case DAEMONIZE:
-- rc = daemonize(ctx.cms_ctx, fork);
-+ rc = daemonize(ctxp->cms_ctx, fork);
- break;
- default:
- fprintf(stderr, "Incompatible flags (0x%08x): ", action);
-@@ -782,7 +784,7 @@ main(int argc, char *argv[])
- fprintf(stderr, "\n");
- exit(1);
- }
-- pesign_context_fini(&ctx);
-+ pesign_context_free(ctxp);
-
- NSS_Shutdown();
- return (rc < 0);
---
-1.7.12.1
-
diff --git a/0021-pesign-initialize-nss-only-if-we-re-not-a-daemon.patch b/0021-pesign-initialize-nss-only-if-we-re-not-a-daemon.patch
deleted file mode 100644
index 666dcd6..0000000
--- a/0021-pesign-initialize-nss-only-if-we-re-not-a-daemon.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From 444a514e1a7c9a27953f914cf416d559ef5be083 Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Wed, 17 Oct 2012 15:32:57 -0400
-Subject: [PATCH 21/41] [pesign] initialize nss only if we're not a daemon.
-
-If it's a deamon, NSS_Init, register_oids, and setup_digests will be
-done in the daemon code, not in the normal tool code.
-
-Signed-off-by: Peter Jones
----
- src/pesign.c | 33 +++++++++++++++++++++++----------
- 1 file changed, 23 insertions(+), 10 deletions(-)
-
-diff --git a/src/pesign.c b/src/pesign.c
-index e22e814..aa09bf5 100644
---- a/src/pesign.c
-+++ b/src/pesign.c
-@@ -508,15 +508,6 @@ main(int argc, char *argv[])
- POPT_TABLEEND
- };
-
-- if (!daemon) {
-- SECStatus status = NSS_Init("/etc/pki/pesign");
-- if (status != SECSuccess) {
-- fprintf(stderr, "Could not initialize nss: %s\n",
-- PORT_ErrorToString(PORT_GetError()));
-- exit(1);
-- }
-- }
--
- optCon = poptGetContext("pesign", argc, (const char **)argv, options,0);
-
- rc = poptReadDefaultConfig(optCon, 0);
-@@ -543,7 +534,29 @@ main(int argc, char *argv[])
-
- poptFreeContext(optCon);
-
-- rc = set_digest_parameters(ctx.cms_ctx, digest_name);
-+ if (!daemon) {
-+ SECStatus status = NSS_Init("/etc/pki/pesign");
-+ if (status != SECSuccess) {
-+ fprintf(stderr, "Could not initialize nss: %s\n",
-+ PORT_ErrorToString(PORT_GetError()));
-+ exit(1);
-+ }
-+
-+ status = register_oids(ctxp->cms_ctx);
-+ if (status != SECSuccess) {
-+ fprintf(stderr, "Could not register OIDs\n");
-+ exit(1);
-+ }
-+
-+ rc = setup_digests(ctxp->cms_ctx);
-+ if (rc < 0) {
-+ fprintf(stderr, "Could not initialize digests: %s\n",
-+ PORT_ErrorToString(PORT_GetError()));
-+ exit(1);
-+ }
-+ }
-+
-+ rc = set_digest_parameters(ctxp->cms_ctx, digest_name);
- int is_help = strcmp(digest_name, "help") ? 0 : 1;
- if (rc < 0) {
- if (!is_help) {
---
-1.7.12.1
-
diff --git a/0022-Handle-errors-on-pesign_context_init.patch b/0022-Handle-errors-on-pesign_context_init.patch
deleted file mode 100644
index 6ed0b8c..0000000
--- a/0022-Handle-errors-on-pesign_context_init.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From a1ce809e199c7fbbd6f5c0e75f27a4234fcbd2bc Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Wed, 17 Oct 2012 15:34:00 -0400
-Subject: [PATCH 22/41] Handle errors on pesign_context_init()
-
-Signed-off-by: Peter Jones
----
- src/pesign_context.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/src/pesign_context.c b/src/pesign_context.c
-index c6afda6..cbd929f 100644
---- a/src/pesign_context.c
-+++ b/src/pesign_context.c
-@@ -37,7 +37,9 @@ pesign_context_new(pesign_context **ctx)
- if (!context)
- return -1;
-
-- pesign_context_init(context);
-+ rc = pesign_context_init(context);
-+ if (rc < 0)
-+ return rc;
- context->flags |= PESIGN_C_ALLOCATED;
-
- *ctx = context;
---
-1.7.12.1
-
diff --git a/0023-Add-sanity-checking-to-make-sure-we-don-t-emit-unini.patch b/0023-Add-sanity-checking-to-make-sure-we-don-t-emit-unini.patch
deleted file mode 100644
index 6c1aca1..0000000
--- a/0023-Add-sanity-checking-to-make-sure-we-don-t-emit-unini.patch
+++ /dev/null
@@ -1,119 +0,0 @@
-From 4ed91a1bb65769401c0fd6c1c5b2a3c64c0c1266 Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Wed, 17 Oct 2012 16:35:43 -0400
-Subject: [PATCH 23/41] Add sanity checking to make sure we don't emit
- uninitialized hashes.
-
-Signed-off-by: Peter Jones
----
- src/cms_common.c | 15 ++++++++++++++-
- src/content_info.c | 11 +++++++++++
- src/signer_info.c | 5 +++++
- src/util.h | 13 +++++++++++++
- 4 files changed, 43 insertions(+), 1 deletion(-)
-
-diff --git a/src/cms_common.c b/src/cms_common.c
-index a1ed460..ab5a066 100644
---- a/src/cms_common.c
-+++ b/src/cms_common.c
-@@ -532,6 +532,10 @@ generate_empty_sequence(cms_context *cms, SECItem *encoded)
- int
- generate_octet_string(cms_context *cms, SECItem *encoded, SECItem *original)
- {
-+ if (content_is_empty(original->data, original->len)) {
-+ cms->log(cms, LOG_ERR, "content is empty, not encoding");
-+ return -1;
-+ }
- if (SEC_ASN1EncodeItem(cms->arena, encoded, original,
- SEC_OctetStringTemplate) == NULL)
- return -1;
-@@ -942,7 +946,16 @@ generate_signature(cms_context *cms)
- {
- int rc = 0;
-
-- assert(cms->digests[cms->selected_digest].pe_digest != NULL);
-+ if (cms->digests[cms->selected_digest].pe_digest == NULL) {
-+ cms->log(cms, LOG_ERR, "pe digest has not been allocated");
-+ return -1;
-+ }
-+
-+ if (content_is_empty(cms->digests[cms->selected_digest].pe_digest->data,
-+ cms->digests[cms->selected_digest].pe_digest->len)) {
-+ cms->log(cms, LOG_ERR, "pe binary has not been digested");
-+ return -1;
-+ }
-
- SECItem sd_der;
- memset(&sd_der, '\0', sizeof(sd_der));
-diff --git a/src/content_info.c b/src/content_info.c
-index 044e85e..7246d20 100644
---- a/src/content_info.c
-+++ b/src/content_info.c
-@@ -197,6 +197,11 @@ generate_spc_digest_info(cms_context *cms, SECItem *dip)
- int i = cms->selected_digest;
- memcpy(&di.digest, cms->digests[i].pe_digest, sizeof (di.digest));
-
-+ if (content_is_empty(di.digest.data, di.digest.len)) {
-+ cms->log(cms, LOG_ERR, "got empty digest");
-+ return -1;
-+ }
-+
- if (SEC_ASN1EncodeItem(cms->arena, dip, &di,
- DigestInfoTemplate) == NULL) {
- cms->log(cms, LOG_ERR, "could not encode DigestInfo: %s",
-@@ -327,6 +332,12 @@ generate_cinfo_digest(cms_context *cms, SpcContentInfo *cip)
- &cms->ci_digest->len,
- digest_get_digest_size(cms)) != SECSuccess)
- goto err;
-+
-+ if (content_is_empty(cms->ci_digest->data, cms->ci_digest->len)) {
-+ cms->log(cms, LOG_ERR, "generated empty digest");
-+ goto err;
-+ }
-+
- if (cms->ci_digest->len > digest_get_digest_size(cms))
- goto err;
-
-diff --git a/src/signer_info.c b/src/signer_info.c
-index 7a73c26..932b896 100644
---- a/src/signer_info.c
-+++ b/src/signer_info.c
-@@ -207,6 +207,11 @@ sign_blob(cms_context *cms, SECItem *sigitem, SECItem *sign_content)
- if (!sign_content)
- return -1;
-
-+ if (content_is_empty(sign_content->data, sign_content->len)) {
-+ cms->log(cms, LOG_ERR, "not signing empty digest");
-+ return -1;
-+ }
-+
- SECOidData *oid = SECOID_FindOIDByTag(digest_get_signature_oid(cms));
- if (!oid)
- goto err;
-diff --git a/src/util.h b/src/util.h
-index f495a0b..5e0ea34 100644
---- a/src/util.h
-+++ b/src/util.h
-@@ -110,6 +110,19 @@ free_poison(void *addrv, ssize_t len)
- addr[x] = poison_pills[x % 2];
- }
-
-+static int
-+__attribute__ ((unused))
-+content_is_empty(uint8_t *data, ssize_t len)
-+{
-+ if (len < 1)
-+ return 1;
-+
-+ for (int i = 0; i < len; i++)
-+ if (data[i] != 0)
-+ return 0;
-+ return 1;
-+}
-+
- #if defined(DAEMON_H)
- static inline uint32_t
- __attribute__ ((unused))
---
-1.7.12.1
-
diff --git a/0024-Make-sure-we-free-the-token-cert-we-get-from-the-com.patch b/0024-Make-sure-we-free-the-token-cert-we-get-from-the-com.patch
deleted file mode 100644
index 61e0493..0000000
--- a/0024-Make-sure-we-free-the-token-cert-we-get-from-the-com.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From d8ead122f34375a496d280bcc803f730542ca78d Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Wed, 17 Oct 2012 17:47:49 -0400
-Subject: [PATCH 24/41] Make sure we free the token/cert we get from the
- command line.
-
-This probably needs some further examination, but valgrind likes what's
-here currently.
-
-Signed-off-by: Peter Jones
----
- src/pesign.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/src/pesign.c b/src/pesign.c
-index aa09bf5..be6494e 100644
---- a/src/pesign.c
-+++ b/src/pesign.c
-@@ -435,6 +435,7 @@ main(int argc, char *argv[])
-
- char *digest_name = "sha256";
- char *tokenname = "NSS Certificate DB";
-+ char *origtoken = tokenname;
- char *certname = NULL;
-
- rc = pesign_context_new(&ctxp);
-@@ -573,6 +574,8 @@ main(int argc, char *argv[])
- PORT_ErrorToString(PORT_GetError()));
- exit(1);
- }
-+ if (tokenname != origtoken)
-+ free(tokenname);
-
- ctxp->cms_ctx->certname = certname ?
- PORT_ArenaStrdup(ctxp->cms_ctx->arena, certname) : NULL;
-@@ -581,6 +584,8 @@ main(int argc, char *argv[])
- PORT_ErrorToString(PORT_GetError()));
- exit(1);
- }
-+ if (certname)
-+ free(certname);
-
- int action = 0;
- if (daemon)
---
-1.7.12.1
-
diff --git a/0025-pesign-Only-shut-down-nss-in-pesign.c-if-we-re-not-t.patch b/0025-pesign-Only-shut-down-nss-in-pesign.c-if-we-re-not-t.patch
deleted file mode 100644
index d5b6b92..0000000
--- a/0025-pesign-Only-shut-down-nss-in-pesign.c-if-we-re-not-t.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 2030d382b49a1b957de829a67f74d9cc127c55ee Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Wed, 17 Oct 2012 17:48:44 -0400
-Subject: [PATCH 25/41] [pesign] Only shut down nss in pesign.c if we're not
- the daemon.
-
-The daemon does its own init and shutdown.
-
-Signed-off-by: Peter Jones
----
- src/pesign.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/src/pesign.c b/src/pesign.c
-index be6494e..6c10b6d 100644
---- a/src/pesign.c
-+++ b/src/pesign.c
-@@ -804,6 +804,14 @@ main(int argc, char *argv[])
- }
- pesign_context_free(ctxp);
-
-- NSS_Shutdown();
-+ if (!daemon) {
-+ SECStatus status = NSS_Shutdown();
-+ if (status != SECSuccess) {
-+ fprintf(stderr, "could not shut down NSS: %s",
-+ PORT_ErrorToString(PORT_GetError()));
-+ exit(1);
-+ }
-+ }
-+
- return (rc < 0);
- }
---
-1.7.12.1
-
diff --git a/0026-Rework-setup_digests-and-teardown_digests.patch b/0026-Rework-setup_digests-and-teardown_digests.patch
deleted file mode 100644
index 91adea6..0000000
--- a/0026-Rework-setup_digests-and-teardown_digests.patch
+++ /dev/null
@@ -1,233 +0,0 @@
-From 4efe979d6b781e064fe1afa946753ead9e3bbb9d Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Wed, 17 Oct 2012 17:49:17 -0400
-Subject: [PATCH 26/41] Rework setup_digests() and teardown_digests()
-
-This fixes the problem I was seeing with empty content_info digests, and
-makes the code a /little/ bit cleaner in some ways.
-
-Signed-off-by: Peter Jones
----
- src/cms_common.c | 92 +++++++++++++++++++++++++++++++++-----------------------
- src/cms_common.h | 1 -
- src/daemon.c | 28 +----------------
- src/pesign.c | 7 -----
- 4 files changed, 55 insertions(+), 73 deletions(-)
-
-diff --git a/src/cms_common.c b/src/cms_common.c
-index ab5a066..6b3f5ec 100644
---- a/src/cms_common.c
-+++ b/src/cms_common.c
-@@ -96,43 +96,6 @@ digest_get_digest_size(cms_context *cms)
- return digest_params[i].size;
- }
-
--
--int
--setup_digests(cms_context *cms)
--{
-- struct digest *digests = NULL;
--
-- digests = calloc(n_digest_params, sizeof (*digests));
-- if (!digests) {
-- cms->log(cms, LOG_ERR, "cannot allocate memory: %m");
-- return -1;
-- }
--
-- for (int i = 0; i < n_digest_params; i++) {
-- digests[i].pk11ctx = PK11_CreateDigestContext(
-- digest_params[i].digest_tag);
-- if (!digests[i].pk11ctx) {
-- cms->log(cms, LOG_ERR, "could not create digest "
-- "context: %s",
-- PORT_ErrorToString(PORT_GetError()));
-- goto err;
-- }
--
-- PK11_DigestBegin(digests[i].pk11ctx);
-- }
--
-- cms->digests = digests;
-- return 0;
--err:
-- for (int i = 0; i < n_digest_params; i++) {
-- if (digests[i].pk11ctx)
-- PK11_DestroyContext(digests[i].pk11ctx, PR_TRUE);
-- }
--
-- free(digests);
-- return -1;
--}
--
- void
- teardown_digests(cms_context *ctx)
- {
-@@ -733,6 +696,46 @@ check_pointer_and_size(Pe *pe, void *ptr, size_t size)
- return 1;
- }
-
-+int
-+generate_digest_begin(cms_context *cms)
-+{
-+ struct digest *digests = NULL;
-+
-+ if (cms->digests) {
-+ digests = cms->digests;
-+ } else {
-+ digests = calloc(n_digest_params, sizeof (*digests));
-+ if (!digests) {
-+ cms->log(cms, LOG_ERR, "cannot allocate memory: %m");
-+ return -1;
-+ }
-+ }
-+
-+ for (int i = 0; i < n_digest_params; i++) {
-+ digests[i].pk11ctx = PK11_CreateDigestContext(
-+ digest_params[i].digest_tag);
-+ if (!digests[i].pk11ctx) {
-+ cms->log(cms, LOG_ERR, "could not create digest "
-+ "context: %s",
-+ PORT_ErrorToString(PORT_GetError()));
-+ goto err;
-+ }
-+
-+ PK11_DigestBegin(digests[i].pk11ctx);
-+ }
-+
-+ cms->digests = digests;
-+ return 0;
-+err:
-+ for (int i = 0; i < n_digest_params; i++) {
-+ if (digests[i].pk11ctx)
-+ PK11_DestroyContext(digests[i].pk11ctx, PR_TRUE);
-+ }
-+
-+ free(digests);
-+ return -1;
-+}
-+
- void
- generate_digest_step(cms_context *cms, void *data, size_t len)
- {
-@@ -762,6 +765,12 @@ generate_digest_finish(cms_context *cms)
-
- PK11_DigestFinal(cms->digests[i].pk11ctx,
- digest->data, &digest->len, digest_params[i].size);
-+ PK11_Finalize(cms->digests[i].pk11ctx);
-+ PK11_DestroyContext(cms->digests[i].pk11ctx, PR_TRUE);
-+ cms->digests[i].pk11ctx = NULL;
-+ if (cms->digests[i].pe_digest)
-+ free_poison(cms->digests[i].pe_digest->data,
-+ cms->digests[i].pe_digest->len);
- cms->digests[i].pe_digest = digest;
- }
-
-@@ -791,7 +800,14 @@ generate_digest(cms_context *cms, Pe *pe)
-
- if (!pe) {
- cms->log(cms, LOG_ERR, "no output pe ready");
-- exit(1);
-+ return -1;
-+ }
-+
-+ rc = generate_digest_begin(cms);
-+ if (rc < 0) {
-+ cms->log(cms, LOG_ERR, "could not initialize digests: %s",
-+ PORT_ErrorToString(PORT_GetError()));
-+ return rc;
- }
-
- struct pe_hdr pehdr;
-diff --git a/src/cms_common.h b/src/cms_common.h
-index 830427e..5cbda62 100644
---- a/src/cms_common.h
-+++ b/src/cms_common.h
-@@ -86,7 +86,6 @@ extern int cms_context_alloc(cms_context **ctxp);
- extern int cms_context_init(cms_context *ctx);
- extern void cms_context_fini(cms_context *ctx);
-
--extern int setup_digests(cms_context *cms);
- extern void teardown_digests(cms_context *ctx);
-
- extern int generate_octet_string(cms_context *ctx, SECItem *encoded,
-diff --git a/src/daemon.c b/src/daemon.c
-index 534fb23..df20763 100644
---- a/src/daemon.c
-+++ b/src/daemon.c
-@@ -142,15 +142,6 @@ handle_unlock_token(context *ctx, struct pollfd *pollfd, socklen_t size)
- return;
- }
-
-- rc = setup_digests(ctx->cms);
-- if (rc < 0) {
-- ctx->backup_cms->log(ctx->backup_cms, ctx->priority|LOG_NOTICE,
-- "Could not initialize digests: %s\n",
-- PORT_ErrorToString(PORT_GetError()));
-- send_response(ctx, ctx->backup_cms, pollfd, rc);
-- return;
-- }
--
- steal_from_cms(ctx->backup_cms, ctx->cms);
-
- if (!buffer) {
-@@ -491,6 +482,7 @@ finish:
- close(outfd);
-
- send_response(ctx, ctx->cms, pollfd, rc);
-+ teardown_digests(ctx->cms);
- }
-
- static void
-@@ -500,15 +492,6 @@ handle_sign_attached(context *ctx, struct pollfd *pollfd, socklen_t size)
- if (rc < 0)
- return;
-
-- rc = setup_digests(ctx->cms);
-- if (rc < 0) {
-- ctx->backup_cms->log(ctx->backup_cms, ctx->priority|LOG_NOTICE,
-- "Could not initialize digests: %s\n",
-- PORT_ErrorToString(PORT_GetError()));
-- send_response(ctx, ctx->backup_cms, pollfd, rc);
-- return;
-- }
--
- steal_from_cms(ctx->backup_cms, ctx->cms);
-
- handle_signing(ctx, pollfd, size, 1);
-@@ -524,15 +507,6 @@ handle_sign_detached(context *ctx, struct pollfd *pollfd, socklen_t size)
- if (rc < 0)
- return;
-
-- rc = setup_digests(ctx->cms);
-- if (rc < 0) {
-- ctx->backup_cms->log(ctx->backup_cms, ctx->priority|LOG_NOTICE,
-- "Could not initialize digests: %s\n",
-- PORT_ErrorToString(PORT_GetError()));
-- send_response(ctx, ctx->backup_cms, pollfd, rc);
-- return;
-- }
--
- steal_from_cms(ctx->backup_cms, ctx->cms);
-
- handle_signing(ctx, pollfd, size, 0);
-diff --git a/src/pesign.c b/src/pesign.c
-index 6c10b6d..2c98600 100644
---- a/src/pesign.c
-+++ b/src/pesign.c
-@@ -548,13 +548,6 @@ main(int argc, char *argv[])
- fprintf(stderr, "Could not register OIDs\n");
- exit(1);
- }
--
-- rc = setup_digests(ctxp->cms_ctx);
-- if (rc < 0) {
-- fprintf(stderr, "Could not initialize digests: %s\n",
-- PORT_ErrorToString(PORT_GetError()));
-- exit(1);
-- }
- }
-
- rc = set_digest_parameters(ctxp->cms_ctx, digest_name);
---
-1.7.12.1
-
diff --git a/0027-We-shouldn-t-need-Environment-NSS_STRICT_NOFORK-DISA.patch b/0027-We-shouldn-t-need-Environment-NSS_STRICT_NOFORK-DISA.patch
deleted file mode 100644
index d8bba7d..0000000
--- a/0027-We-shouldn-t-need-Environment-NSS_STRICT_NOFORK-DISA.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 15cd554d35c5ea8d31671b346dffd84e27e7c6ec Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Wed, 17 Oct 2012 17:52:57 -0400
-Subject: [PATCH 27/41] We shouldn't need
- Environment=NSS_STRICT_NOFORK=DISABLED any more.
-
-Since NSS_Init is called from the daemon now, we should get past its
-checking.
----
- src/pesign.service | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/src/pesign.service b/src/pesign.service
-index 4f6d63f..75a73c3 100644
---- a/src/pesign.service
-+++ b/src/pesign.service
-@@ -5,5 +5,4 @@ Description=Pesign signing daemon
- PrivateTmp=true
- Type=forking
- PIDFile=/var/run/pesign.pid
--Environment=NSS_STRICT_NOFORK=DISABLED
- ExecStart=/usr/bin/pesign --daemonize
---
-1.7.12.1
-
diff --git a/0028-Fix-errors-found-by-coverity.patch b/0028-Fix-errors-found-by-coverity.patch
deleted file mode 100644
index 9c77d62..0000000
--- a/0028-Fix-errors-found-by-coverity.patch
+++ /dev/null
@@ -1,174 +0,0 @@
-From 1b94dd90f5a1c65df16ffe3b0619ce5dc0ca1f06 Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Wed, 17 Oct 2012 19:59:49 -0400
-Subject: [PATCH 28/41] Fix errors found by coverity.
-
-Signed-off-by: Peter Jones
----
- src/actions.c | 4 ++--
- src/cms_common.c | 17 ++++++++++-------
- src/daemon.c | 16 +++++++++++++++-
- src/password.c | 1 +
- src/pesign_context.c | 4 +++-
- src/wincert.c | 2 +-
- 6 files changed, 32 insertions(+), 12 deletions(-)
-
-diff --git a/src/actions.c b/src/actions.c
-index 76a311c..9cf4f45 100644
---- a/src/actions.c
-+++ b/src/actions.c
-@@ -70,7 +70,7 @@ insert_signature(cms_context *cms, int signum)
- if (signum != cms->num_signatures) {
- memmove(cms->signatures[signum+1],
- cms->signatures[signum],
-- sizeof(SECItem *) * (cms->num_signatures - signum));
-+ sizeof(SECItem) * (cms->num_signatures - signum));
- }
- cms->signatures[signum] = sig;
- cms->num_signatures++;
-@@ -430,7 +430,7 @@ remove_signature(pesign_context *p_ctx)
- if (p_ctx->signum != ctx->num_signatures - 1)
- memmove(ctx->signatures[p_ctx->signum],
- ctx->signatures[p_ctx->signum+1],
-- sizeof(SECItem *) *
-+ sizeof(SECItem) *
- (ctx->num_signatures - p_ctx->signum));
-
- ctx->num_signatures--;
-diff --git a/src/cms_common.c b/src/cms_common.c
-index 6b3f5ec..898ddfb 100644
---- a/src/cms_common.c
-+++ b/src/cms_common.c
-@@ -598,16 +598,19 @@ generate_spc_string(cms_context *cms, SECItem *ssp, char *str, int len)
- memset(&ss, '\0', sizeof (ss));
-
- SECITEM_AllocItem(cms->arena, &ss.unicode, len);
-- if (!ss.unicode.data && len != 0) {
-- cms->log(cms, LOG_ERR, "could not allocate memory: %s",
-- PORT_ErrorToString(PORT_GetError()));
-- return -1;
-+ if (len != 0) {
-+ if (!ss.unicode.data) {
-+ cms->log(cms, LOG_ERR, "could not allocate memory: %s",
-+ PORT_ErrorToString(PORT_GetError()));
-+ return -1;
-+ }
-+
-+ memcpy(ss.unicode.data, str, len);
- }
--
-- memcpy(ss.unicode.data, str, len);
- ss.unicode.type = siBMPString;
-
-- if (SEC_ASN1EncodeItem(cms->arena, ssp, &ss, SpcStringTemplate) == NULL) {
-+ if (SEC_ASN1EncodeItem(cms->arena, ssp, &ss, SpcStringTemplate)
-+ == NULL) {
- cms->log(cms, LOG_ERR, "could not encode SpcString: %s",
- PORT_ErrorToString(PORT_GetError()));
- return -1;
-diff --git a/src/daemon.c b/src/daemon.c
-index df20763..7ad036c 100644
---- a/src/daemon.c
-+++ b/src/daemon.c
-@@ -134,7 +134,6 @@ handle_unlock_token(context *ctx, struct pollfd *pollfd, socklen_t size)
- struct msghdr msg;
- struct iovec iov;
- ssize_t n;
-- char *buffer = malloc(size);
-
- int rc = cms_context_alloc(&ctx->cms);
- if (rc < 0) {
-@@ -144,6 +143,7 @@ handle_unlock_token(context *ctx, struct pollfd *pollfd, socklen_t size)
-
- steal_from_cms(ctx->backup_cms, ctx->cms);
-
-+ char *buffer = malloc(size);
- if (!buffer) {
- oom:
- ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
-@@ -792,6 +792,7 @@ check_socket(context *ctx)
-
- rc = connect(sd, (struct sockaddr *)&addr_un, len);
- if (rc < 0) {
-+ close(sd);
- unlink(SOCKPATH);
- return;
- }
-@@ -800,6 +801,7 @@ check_socket(context *ctx)
- socklen_t size = sizeof(remote);
- rc = getpeername(sd, &remote, &size);
- if (rc < 0) {
-+ close(sd);
- return;
- } else {
- fprintf(stderr, "already running");
-@@ -913,6 +915,12 @@ daemonize(cms_context *cms_ctx, int do_fork)
-
- if (do_fork) {
- int fd = open("/dev/zero", O_RDONLY);
-+ if (fd < 0) {
-+ ctx.backup_cms->log(ctx.backup_cms,
-+ ctx.priority|LOG_ERR,
-+ "could not open /dev/zero: %m");
-+ exit(1);
-+ }
- close(STDIN_FILENO);
- rc = dup2(fd, STDIN_FILENO);
- if (rc < 0) {
-@@ -924,6 +932,12 @@ daemonize(cms_context *cms_ctx, int do_fork)
- close(fd);
-
- fd = open("/dev/null", O_WRONLY);
-+ if (fd < 0) {
-+ ctx.backup_cms->log(ctx.backup_cms,
-+ ctx.priority|LOG_ERR,
-+ "could not open /dev/null: %m");
-+ exit(1);
-+ }
- close(STDOUT_FILENO);
- rc = dup2(fd, STDOUT_FILENO);
- if (rc < 0) {
-diff --git a/src/password.c b/src/password.c
-index 5ee15f8..100c584 100644
---- a/src/password.c
-+++ b/src/password.c
-@@ -114,6 +114,7 @@ SECU_GetPasswordString(void *arg, char *prompt)
-
- output = fopen(consoleName, "w");
- if (output == NULL) {
-+ fclose(input);
- fprintf(stderr, "Error opening output terminal for write\n");
- return NULL;
- }
-diff --git a/src/pesign_context.c b/src/pesign_context.c
-index cbd929f..033e8de 100644
---- a/src/pesign_context.c
-+++ b/src/pesign_context.c
-@@ -38,8 +38,10 @@ pesign_context_new(pesign_context **ctx)
- return -1;
-
- rc = pesign_context_init(context);
-- if (rc < 0)
-+ if (rc < 0) {
-+ free(context);
- return rc;
-+ }
- context->flags |= PESIGN_C_ALLOCATED;
-
- *ctx = context;
-diff --git a/src/wincert.c b/src/wincert.c
-index b487dc5..4b5ba45 100644
---- a/src/wincert.c
-+++ b/src/wincert.c
-@@ -257,7 +257,7 @@ parse_signatures(cms_context *cms, Pe *pe)
- if (rc <= 0)
- break;
-
-- signatures[i] = calloc(1, sizeof (SECItem *));
-+ signatures[i] = calloc(1, sizeof (SECItem));
- if (!signatures[i])
- goto err;
-
---
-1.7.12.1
-
diff --git a/0029-Don-t-keep-the-DEPS-list-twice.patch b/0029-Don-t-keep-the-DEPS-list-twice.patch
deleted file mode 100644
index e3ae001..0000000
--- a/0029-Don-t-keep-the-DEPS-list-twice.patch
+++ /dev/null
@@ -1,41 +0,0 @@ -From 95c0fe1d512fcdf3b397359fb0f54dc44e5947c2 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Thu, 18 Oct 2012 09:12:25 -0400 -Subject: [PATCH 29/41] Don't keep the DEPS list twice. - -Signed-off-by: Peter Jones ---- - src/Makefile | 12 +++++++++--- - 1 file changed, 9 insertions(+), 3 deletions(-) - -diff --git a/src/Makefile b/src/Makefile -index cd06158..cb74c12 100644 ---- a/src/Makefile -+++ b/src/Makefile -@@ -39,14 +39,20 @@ client_OBJECTS = $(foreach source,$(client_SOURCES),$(patsubst %.c,%,$(source)). - client_DEPS = $(foreach source,$(client_SOURCES),.$(patsubst %.c,%,$(source)).P) - client : $(client_OBJECTS) $(STATIC_LIBS) - --deps : $(generic_DEPS)$(authvar_DEPS) $(pesign_DEPS) $(client_DEPS) \ -+fuzzsocket_SOURCES = fuzzsocket.c -+fuzzsocket_OBJECTS = $(foreach source,$(fuzzsocket_SOURCES),$(patsubst %.c,%,$(source)).o) -+fuzzsocket_DEPS = $(foreach source,$(fuzzsocket_SOURCES),.$(patsubst %.c,%,$(source)).P) -+fuzzsocket : $(fuzzsocket_OBJECTS) -+ -+DEPS = $(generic_DEPS)$(authvar_DEPS) $(pesign_DEPS) $(client_DEPS) \ - $(peverify_DEPS) - -+deps : $(DEPS) -+ - depclean : - @rm -fv .*.P - ---include $(generic_DEPS) $(authvar_DEPS) $(pesign_DEPS) $(client_DEPS) \ -- $(peverify_DEPS) -+-include $(DEPS) - - clean : depclean - @rm -rfv *.o *.a *.so $(TARGETS) --- -1.7.12.1 - diff --git a/0030-Don-t-build-util-right-now.patch b/0030-Don-t-build-util-right-now.patch deleted file mode 100644 index 6ac8bf2..0000000 --- a/0030-Don-t-build-util-right-now.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -From 44aad110fd3f0a12e1817d95047f882c4d8b0fce Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Thu, 18 Oct 2012 11:36:10 -0400 -Subject: [PATCH 30/41] Don't build util/ right now. - -Signed-off-by: Peter Jones ---- - Makefile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/Makefile b/Makefile -index 531c865..5e9bd31 100644 ---- a/Makefile -+++ b/Makefile -@@ -2,7 +2,7 @@ TOPDIR = $(shell echo $$PWD) - - include $(TOPDIR)/Make.defaults - --SUBDIRS := include libdpe src util -+SUBDIRS := include libdpe src - DOCDIR := /share/doc/ - VERSION = 0.99 - --- -1.7.12.1 - diff --git a/0031-Make-install_systemd-and-install_sysvinit-separate-t.patch b/0031-Make-install_systemd-and-install_sysvinit-separate-t.patch deleted file mode 100644 index 7a91b6c..0000000 --- a/0031-Make-install_systemd-and-install_sysvinit-separate-t.patch +++ /dev/null 
@@ -1,163 +0,0 @@ -From 4c13f6d393db0aa5ff5b327cb5e842ee21522236 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Thu, 18 Oct 2012 13:09:58 -0400 -Subject: [PATCH 31/41] Make "install_systemd" and "install_sysvinit" separate - targets - -Signed-off-by: Peter Jones ---- - Makefile | 6 ++++ - src/Makefile | 16 +++++++---- - src/pesign.sysvinit | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++++ - 3 files changed, 99 insertions(+), 5 deletions(-) - create mode 100644 src/pesign.sysvinit - -diff --git a/Makefile b/Makefile -index 5e9bd31..12e0dbb 100644 ---- a/Makefile -+++ b/Makefile -@@ -19,6 +19,12 @@ install : - $(INSTALL) -d -m 755 $(INSTALLROOT)$(PREFIX)$(DOCDIR)/pesign-$(VERSION)/ - $(INSTALL) -m 644 COPYING $(INSTALLROOT)$(PREFIX)$(DOCDIR)/pesign-$(VERSION)/ - -+install_systemd: -+ @for x in $(SUBDIRS) ; do $(MAKE) -C $${x} TOPDIR=$(TOPDIR) SRCDIR=$(TOPDIR)/$@/ ARCH=$(ARCH) $@ ; done -+ -+install_sysvinit: -+ @for x in $(SUBDIRS) ; do $(MAKE) -C $${x} TOPDIR=$(TOPDIR) SRCDIR=$(TOPDIR)/$@/ ARCH=$(ARCH) $@ ; done -+ - .PHONY: $(SUBDIRS) clean install - - include $(TOPDIR)/Make.rules -diff --git a/src/Makefile b/src/Makefile -index cb74c12..7e611c8 100644 ---- a/src/Makefile -+++ b/src/Makefile -@@ -42,7 +42,7 @@ client : $(client_OBJECTS) $(STATIC_LIBS) - fuzzsocket_SOURCES = fuzzsocket.c - fuzzsocket_OBJECTS = $(foreach source,$(fuzzsocket_SOURCES),$(patsubst %.c,%,$(source)).o) - fuzzsocket_DEPS = $(foreach source,$(fuzzsocket_SOURCES),.$(patsubst %.c,%,$(source)).P) --fuzzsocket : $(fuzzsocket_OBJECTS) -+fuzzsocket : $(fuzzsocket_OBJECTS) -lrt - - DEPS = $(generic_DEPS)$(authvar_DEPS) $(pesign_DEPS) $(client_DEPS) \ - $(peverify_DEPS) -@@ -57,6 +57,16 @@ depclean : - clean : depclean - @rm -rfv *.o *.a *.so $(TARGETS) - -+install_systemd: -+ $(INSTALL) -d -m 755 $(INSTALLROOT)/usr/lib/tmpfiles.d/ -+ $(INSTALL) -m 644 tmpfiles.conf $(INSTALLROOT)/usr/lib/tmpfiles.d/pesign.conf -+ $(INSTALL) -d -m 755 $(INSTALLROOT)/usr/lib/systemd/system/ -+ $(INSTALL) 
-m 644 pesign.service $(INSTALLROOT)/usr/lib/systemd/system/ -+ -+install_sysvinit: -+ $(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rc.d/init.d/ -+ $(INSTALL) -m 755 pesign.sysvinit $(INSTALLROOT)/etc/rc.d/init.d/pesign -+ - install : - $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/ - $(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/ -@@ -72,10 +82,6 @@ install : - #$(INSTALL) -m 644 peverify.1 $(INSTALLROOT)/usr/share/man/man1/ - $(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rpm/ - $(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/ -- $(INSTALL) -d -m 755 $(INSTALLROOT)/usr/lib/tmpfiles.d/ -- $(INSTALL) -m 644 tmpfiles.conf $(INSTALLROOT)/usr/lib/tmpfiles.d/pesign.conf -- $(INSTALL) -d -m 755 $(INSTALLROOT)/usr/lib/systemd/system/ -- $(INSTALL) -m 644 pesign.service $(INSTALLROOT)/usr/lib/systemd/system/ - - .PHONY: all deps clean install - -diff --git a/src/pesign.sysvinit b/src/pesign.sysvinit -new file mode 100644 -index 0000000..f955e01 ---- /dev/null -+++ b/src/pesign.sysvinit -@@ -0,0 +1,82 @@ -+#! /bin/sh -+# -+# pesign This starts the pesign PE signing daemon -+# -+# chkconfig: - 50 50 -+# processname: /usr/bin/pesign -+# pidfile: /var/run/pesign.pid -+### BEGIN INIT INFO -+# Provides: pesign -+# Default-Start: -+# Default-Stop: -+# Short-Description: The pesign PE signing daemon -+# Description: The pesign PE signing daemon -+### END INIT INFO -+ -+. /etc/init.d/functions -+[ -f /usr/bin/pesign ] || exit 1 -+ -+RETVAL=0 -+ -+start(){ -+ echo -n "Starting pesign: " -+ daemon /usr/bin/pesign --daemonize -+ RETVAL=$? -+ echo -+ touch /var/lock/subsys/pesign -+} -+ -+stop(){ -+ echo -n "Stopping pesign: " -+ killproc -p /var/run/pesign.pid pesignd -+ RETVAL=$? -+ echo -+ rm -f /var/lock/subsys/pesign -+} -+ -+restart(){ -+ stop -+ start -+} -+ -+reload(){ -+ stop -+ start -+} -+ -+condrestart(){ -+ [ -e /var/lock/subsys/pesign ] && restart -+} -+ -+# See how we were called. 
-+case "$1" in -+ start) -+ start -+ ;; -+ stop) -+ stop -+ ;; -+ status) -+ status /usr/bin/pesign -+ ;; -+ restart) -+ restart -+ ;; -+ reload) -+ reload -+ ;; -+ force-reload) -+ reload -+ ;; -+ condrestart) -+ condrestart -+ ;; -+ try-restart) -+ condrestart -+ ;; -+ *) -+ echo "Usage: pesign {start|stop|status|restart|condrestart|reload}" -+ RETVAL=1 -+esac -+ -+exit $RETVAL --- -1.7.12.1 - diff --git a/0032-Get-rid-of-an-unnecessary-allocation.patch b/0032-Get-rid-of-an-unnecessary-allocation.patch deleted file mode 100644 index 15a6166..0000000 --- a/0032-Get-rid-of-an-unnecessary-allocation.patch +++ /dev/null 
@@ -1,75 +0,0 @@ -From df1b69e304f2a7eb82e2f94e50f07099afbf4578 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Thu, 18 Oct 2012 13:10:28 -0400 -Subject: [PATCH 32/41] Get rid of an unnecessary allocation. - -Signed-off-by: Peter Jones ---- - src/client.c | 32 ++++++++++++++------------------ - 1 file changed, 14 insertions(+), 18 deletions(-) - -diff --git a/src/client.c b/src/client.c -index 8336749..df1c8f2 100644 ---- a/src/client.c -+++ b/src/client.c -@@ -223,25 +223,17 @@ unlock_token(int sd, char *tokenname, char *pin) - { - struct msghdr msg; - struct iovec iov[2]; -- pesignd_msghdr *pm; -+ pesignd_msghdr pm; - - uint32_t size0 = pesignd_string_size(tokenname); - - uint32_t size1 = pesignd_string_size(pin); - -- pm = calloc(1, sizeof(*pm)); -- if (!pm) { --oom: -- fprintf(stderr, "pesign-client: could not allocate memory: " -- "%m\n"); -- exit(1); -- } -- -- pm->version = PESIGND_VERSION; -- pm->command = CMD_UNLOCK_TOKEN; -- pm->size = size0 + size1; -- iov[0].iov_base = pm; -- iov[0].iov_len = sizeof (*pm); -+ pm.version = PESIGND_VERSION; -+ pm.command = CMD_UNLOCK_TOKEN; -+ pm.size = size0 + size1; -+ iov[0].iov_base = ± -+ iov[0].iov_len = sizeof (pm); - - memset(&msg, '\0', sizeof(msg)); - msg.msg_iov = iov; -@@ -257,8 +249,11 @@ oom: - - uint8_t *buffer = NULL; - buffer = calloc(1, size0 + size1); -- if (!buffer) -- goto oom; -+ if (!buffer) { -+ fprintf(stderr, "pesign-client: could not allocate memory: " -+ "%m\n"); -+ exit(1); -+ } - - pesignd_string *tn = (pesignd_string *)buffer; - pesignd_string_set(tn, tokenname); -@@ -478,8 +473,9 @@ main(int argc, char *argv[]) - - rc = poptReadDefaultConfig(optCon, 0); - if (rc < 0) { -- fprintf(stderr, "pesign: poprReadDefaultConfig failed: %s\n", -- poptStrerror(rc)); -+ fprintf(stderr, -+ "pesign-client: poptReadDefaultConfig failed: %s\n", -+ poptStrerror(rc)); - exit(1); - } - --- -1.7.12.1 - 
diff --git a/0033-Allow-use-of-e-from-rpm-macro.patch b/0033-Allow-use-of-e-from-rpm-macro.patch deleted file mode 100644 index 90f68f8..0000000 --- a/0033-Allow-use-of-e-from-rpm-macro.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 24a63eab7ddbe2be3ab6b25b04602d8e3fe5d775 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Thu, 18 Oct 2012 14:28:36 -0400 -Subject: [PATCH 33/41] Allow use of -e from rpm macro. - -Signed-off-by: Peter Jones ---- - src/macros.pesign | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/macros.pesign b/src/macros.pesign -index 703edbb..7706050 100644 ---- a/src/macros.pesign -+++ b/src/macros.pesign -@@ -11,9 +11,9 @@ - - %_pesign /usr/bin/pesign - --%pesign(i:o:C:s) \ -+%pesign(i:o:C:e:s) \ - if [ -x %{_pesign} -a "%{_target_cpu}" == "x86_64" ]; then \ -- %{_pesign} %{__pesign_token} %{__pesign_cert} %{-i} %{-o} %{-s} \ -+ %{_pesign} %{__pesign_token} %{__pesign_cert} %{-i} %{-o} %{-e} %{-s} \ - else \ - if [ -n "%{-i*}" -a -n "%{-o*}" ]; then \ - mv %{-i*} %{-o*} \ --- -1.7.12.1 - diff --git a/0034-Make-client-use-e-like-pesign-does-rather-than-detac.patch b/0034-Make-client-use-e-like-pesign-does-rather-than-detac.patch deleted file mode 100644 index 4a2eaea..0000000 --- a/0034-Make-client-use-e-like-pesign-does-rather-than-detac.patch +++ /dev/null 
@@ -1,81 +0,0 @@ -From e5c632516a2a31f3e184d0ca9d8ac5ceba1f9015 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Thu, 18 Oct 2012 14:55:07 -0400 -Subject: [PATCH 34/41] Make client use -e like pesign does, rather than - --detached. - -This way we can use the same macros for them. - -Signed-off-by: Peter Jones ---- - src/client.c | 22 ++++++++++++++++++++-- - src/pesign-client.1 | 3 ++- - 2 files changed, 22 insertions(+), 3 deletions(-) - -diff --git a/src/client.c b/src/client.c -index df1c8f2..5e5399d 100644 ---- a/src/client.c -+++ b/src/client.c -@@ -434,6 +434,7 @@ main(int argc, char *argv[]) - int action; - char *infile = NULL; - char *outfile = NULL; -+ char *exportfile = NULL; - int attached = 1; - int pinfd = -1; - char *pinfile = NULL; -@@ -456,8 +457,9 @@ main(int argc, char *argv[]) - &infile, 0, "input filename", "" }, - {"outfile", 'o', POPT_ARG_STRING, - &outfile, 0, "output filename", "" }, -- {"detached", 'd', POPT_ARG_VAL, &attached, 0, -- "create detached signature", NULL }, -+ {"export", 'e', POPT_ARG_STRING, -+ &exportfile, 0, "create detached signature", -+ "" }, - {"pinfd", 'f', POPT_ARG_INT, &pinfd, -1, - "read file descriptor for pin information", - "" }, -@@ -494,6 +496,22 @@ main(int argc, char *argv[]) - exit(1); - } - -+ if (!outfile && !exportfile) { -+ fprintf(stderr, "pesign-client: neither --outfile nor --export " -+ "specified\n"); -+ exit(1); -+ } -+ -+ if (outfile && exportfile) { -+ fprintf(stderr, "pesign-client: both --outfile and --export " -+ "specified\n"); -+ exit(1); -+ } -+ if (exportfile) { -+ outfile = exportfile; -+ attached = 0; -+ } -+ - poptFreeContext(optCon); - - int sd = connect_to_server(); -diff --git a/src/pesign-client.1 b/src/pesign-client.1 -index 686383e..1ccfbb3 100644 ---- a/src/pesign-client.1 -+++ b/src/pesign-client.1 -@@ -5,10 +5,11 @@ pesign-client \- command line tool for signing UEFI applications - .SH SYNOPSIS - \fBpesign\fR [--in=\fIinfile\fR | -i \fIinfile\fR] - [--out=\fIoutfile\fR | -o 
\fIoutfile\fR] -+ [--export=\fIexportfile\fR | -e \fIexportfile\fR] - [--token=\fItoken\fR | -t \fItoken\fR] - [--certificate=\fInickname\fR | -c \fInickname\fR] - [--unlock | -u] [--kill | -k] [--sign | -s] -- [--detached | -d] [--pinfd=\fIpinfd\fR | -f \fIpinfd\fR] -+ [--pinfd=\fIpinfd\fR | -f \fIpinfd\fR] - [--pinfile=\fIpinfile\fR | -F \fIpinfile\fR] - - .SH DESCRIPTION --- -1.7.12.1 - diff --git a/0035-Fix-shutdown-by-systemd-to-remove-socket-and-pidfile.patch b/0035-Fix-shutdown-by-systemd-to-remove-socket-and-pidfile.patch deleted file mode 100644 index c97a79b..0000000 --- a/0035-Fix-shutdown-by-systemd-to-remove-socket-and-pidfile.patch +++ /dev/null 
@@ -1,93 +0,0 @@ -From f1a2f097cfb290951702251703abcd34ca0bf9e6 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Thu, 18 Oct 2012 15:13:11 -0400 -Subject: [PATCH 35/41] Fix shutdown by systemd to remove socket and pidfile. - -Signed-off-by: Peter Jones ---- - src/daemon.c | 33 +++++++++++++++------------------ - src/daemon.h | 1 + - 2 files changed, 16 insertions(+), 18 deletions(-) - -diff --git a/src/daemon.c b/src/daemon.c -index 7ad036c..974a559 100644 ---- a/src/daemon.c -+++ b/src/daemon.c -@@ -116,15 +116,6 @@ send_response(context *ctx, cms_context *cms, struct pollfd *pollfd, int rc) - static void - handle_kill_daemon(context *ctx, struct pollfd *pollfd, socklen_t size) - { -- if (ctx->sd >= 0) { -- close(ctx->sd); -- unlink(SOCKPATH); -- } -- xfree(ctx->errstr); -- -- ctx->backup_cms->log(ctx->backup_cms, ctx->priority|LOG_NOTICE, -- "pesignd exiting (pid %d)", getpid()); -- - should_exit = 1; - } - -@@ -602,11 +593,17 @@ handle_event(context *ctx, struct pollfd *pollfd) - static void - do_shutdown(context *ctx, int nsockets, struct pollfd *pollfds) - { -+ unlink(SOCKPATH); -+ unlink(PIDFILE); -+ -+ ctx->backup_cms->log(ctx->backup_cms, ctx->priority|LOG_NOTICE, -+ "pesignd exiting (pid %d)", getpid()); -+ -+ xfree(ctx->errstr); -+ - for (int i = 0; i < nsockets; i++) - close(pollfds[i].fd); - free(pollfds); -- -- xfree(ctx->errstr); - } - - static int -@@ -843,7 +840,7 @@ daemon_logger(cms_context *cms, int priority, char *fmt, ...) 
- static void - write_pid_file(int pid) - { -- int fd = open("/var/run/pesign.pid", O_WRONLY|O_CREAT|O_TRUNC, 0644); -+ int fd = open(PIDFILE, O_WRONLY|O_CREAT|O_TRUNC, 0644); - if (fd < 0) { - err: - fprintf(stderr, "couldn't open pidfile: %m\n"); -@@ -963,12 +960,12 @@ daemonize(cms_context *cms_ctx, int do_fork) - setsid(); - - if (do_fork) { -- signal(SIGTTOU, SIG_IGN); -- signal(SIGTTIN, SIG_IGN); -- signal(SIGTSTP, SIG_IGN); -- signal(SIGQUIT, quit_handler); -- signal(SIGINT, quit_handler); -- signal(SIGTERM, quit_handler); -+ struct sigaction sa = { -+ .sa_handler = quit_handler, -+ }; -+ sigaction(SIGQUIT, &sa, NULL); -+ sigaction(SIGINT, &sa, NULL); -+ sigaction(SIGTERM, &sa, NULL); - } - - char *homedir = NULL; -diff --git a/src/daemon.h b/src/daemon.h -index 56cef17..5485e60 100644 ---- a/src/daemon.h -+++ b/src/daemon.h -@@ -48,5 +48,6 @@ typedef enum { - - #define PESIGND_VERSION 0xa3cf41cb - #define SOCKPATH "/var/run/pesign/socket" -+#define PIDFILE "/var/run/pesign.pid" - - #endif /* DAEMON_H */ --- -1.7.12.1 - diff --git a/0036-Make-the-macros-use-the-default-fedora-signer-if-the.patch b/0036-Make-the-macros-use-the-default-fedora-signer-if-the.patch deleted file mode 100644 index 9766d3e..0000000 --- a/0036-Make-the-macros-use-the-default-fedora-signer-if-the.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From 22308fbfb540b5215efb9ce96a4dfdce08ef9165 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Thu, 18 Oct 2012 15:16:05 -0400 -Subject: [PATCH 36/41] Make the macros use the default (fedora) signer if - there's a daemon running. - -Signed-off-by: Peter Jones ---- - src/macros.pesign | 11 ++++++++++- - 1 file changed, 10 insertions(+), 1 deletion(-) - -diff --git a/src/macros.pesign b/src/macros.pesign -index 7706050..fb9d21e 100644 ---- a/src/macros.pesign -+++ b/src/macros.pesign -@@ -10,13 +10,22 @@ - %__pesign_cert %{!?pe_signing_cert:-c "Red Hat Test Certificate"}%{?pe_signing_cert:-c "%{pe_signing_cert}"} - - %_pesign /usr/bin/pesign -+%_pesign_client /usr/bin/pesign-client - - %pesign(i:o:C:e:s) \ - if [ -x %{_pesign} -a "%{_target_cpu}" == "x86_64" ]; then \ -- %{_pesign} %{__pesign_token} %{__pesign_cert} %{-i} %{-o} %{-e} %{-s} \ -+ if [ -e /var/run/pesign/socket ]; then \ -+ %{_pesign_client} -t "OpenSC Card (Fedora Signing CA)" \\\ -+ -c "/CN=Fedora Secure Boot Signer" \\\ -+ %{-i} %{-o} %{-e} %{-s} \ -+ else \ -+ %{_pesign} %{__pesign_token} %{__pesign_cert} %{-i} %{-o} %{-e} %{-s} \ -+ fi \ - else \ - if [ -n "%{-i*}" -a -n "%{-o*}" ]; then \ - mv %{-i*} %{-o*} \ -+ elif [ -n "%{-i*}" -a -n "%{-e*}" ]; then \ -+ touch %{-e*} \ - fi \ - fi ; - --- -1.7.12.1 - diff --git a/0037-Fix-command-line-checking-for-s.patch b/0037-Fix-command-line-checking-for-s.patch deleted file mode 100644 index 67d7cac..0000000 --- a/0037-Fix-command-line-checking-for-s.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -From abe7981ba049b23ae9c42da92559576c6e0cc53b Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Fri, 19 Oct 2012 10:07:40 -0400 -Subject: [PATCH 37/41] Fix command line checking for -s. - -Accidentally applied when not using -s. Woops. - -Signed-off-by: Peter Jones ---- - src/client.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/client.c b/src/client.c -index 5e5399d..777197a 100644 ---- a/src/client.c -+++ b/src/client.c -@@ -496,7 +496,7 @@ main(int argc, char *argv[]) - exit(1); - } - -- if (!outfile && !exportfile) { -+ if (action & SIGN_BINARY && (!outfile && !exportfile)) { - fprintf(stderr, "pesign-client: neither --outfile nor --export " - "specified\n"); - exit(1); --- -1.7.12.1 - diff --git a/0038-Add-support-to-read-the-pin-from-stdin-in-client.patch b/0038-Add-support-to-read-the-pin-from-stdin-in-client.patch deleted file mode 100644 index cca71f2..0000000 --- a/0038-Add-support-to-read-the-pin-from-stdin-in-client.patch +++ /dev/null 
@@ -1,178 +0,0 @@ -From 8067d9bace148a254528fdf752f083d2a0debada Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Fri, 19 Oct 2012 10:08:26 -0400 -Subject: [PATCH 38/41] Add support to read the pin from stdin in client. - -Signed-off-by: Peter Jones ---- - src/client.c | 10 +++++++--- - src/password.c | 41 +++++++++++++++++++++++++++++++++++++++++ - src/password.h | 1 + - src/signer_info.c | 45 +-------------------------------------------- - 4 files changed, 50 insertions(+), 47 deletions(-) - -diff --git a/src/client.c b/src/client.c -index 777197a..1ec582b 100644 ---- a/src/client.c -+++ b/src/client.c -@@ -212,10 +212,14 @@ get_token_pin(int pinfd, char *pinfile, char *envname) - - fclose(pinf); - return pin; -- } else -- return strdup(getenv(envname)); -+ } else { -+ pin = getenv(envname); -+ if (pin) -+ return strdup(pin); -+ } - -- return NULL; -+ pin = readpw(NULL, PR_FALSE, NULL); -+ return pin; - } - - static void -diff --git a/src/password.c b/src/password.c -index 100c584..c663955 100644 ---- a/src/password.c -+++ b/src/password.c -@@ -17,6 +17,7 @@ - * Author(s): Peter Jones - */ - -+#include - #include - #include - #include -@@ -289,4 +290,44 @@ SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg) - return NULL; - } - -+#if 0 -+#warning investigate killing readpw -+#endif -+char * -+readpw(PK11SlotInfo *slot, PRBool retry, void *arg) -+{ -+ struct termios sio, tio; -+ char line[LINE_MAX], *p; - -+ if (tcgetattr(fileno(stdin), &sio) < 0) { -+ fprintf(stderr, "Could not read password from standard input.\n"); -+ return NULL; -+ } -+ tio = sio; -+ tio.c_lflag &= ~ECHO; -+ if (tcsetattr(fileno(stdin), 0, &tio) < 0) { -+ fprintf(stderr, "Could not read password from standard input.\n"); -+ return NULL; -+ } -+ -+ fprintf(stdout, "Enter passphrase for private key: "); -+ if (fgets(line, sizeof(line), stdin) == NULL) { -+ fprintf(stdout, "\n"); -+ tcsetattr(fileno(stdin), 0, &sio); -+ return NULL; -+ } -+ fprintf(stdout, "\n"); -+ 
tcsetattr(fileno(stdin), 0, &sio); -+ -+ p = line + strcspn(line, "\r\n"); -+ if (p != NULL) -+ *p = '\0'; -+ -+ char *ret = strdup(line); -+ memset(line, '\0', sizeof (line)); -+ if (!ret) { -+ fprintf(stderr, "Could not read passphrase.\n"); -+ return NULL; -+ } -+ return ret; -+} -diff --git a/src/password.h b/src/password.h -index 853bd5a..bcbac44 100644 ---- a/src/password.h -+++ b/src/password.h -@@ -22,5 +22,6 @@ - extern char *SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg); - extern char *get_password_passthrough(PK11SlotInfo *slot, PRBool retry, void *arg); - extern char *get_password_fail(PK11SlotInfo *slot, PRBool retry, void *arg); -+extern char *readpw(PK11SlotInfo *slot, PRBool retry, void *arg); - - #endif /* PASSWORD_H */ -diff --git a/src/signer_info.c b/src/signer_info.c -index 932b896..f755bf6 100644 ---- a/src/signer_info.c -+++ b/src/signer_info.c -@@ -19,10 +19,8 @@ - - #include "pesign.h" - --#include - #include - #include --#include - #include - #include - -@@ -159,47 +157,6 @@ err: - return -1; - } - --#if 0 --#warning investigate killing getpw --#endif --static char *getpw(PK11SlotInfo *slot, PRBool retry, void *arg) --{ -- struct termios sio, tio; -- char line[LINE_MAX], *p; -- -- if (tcgetattr(fileno(stdin), &sio) < 0) { -- fprintf(stderr, "Could not read password from standard input.\n"); -- return NULL; -- } -- tio = sio; -- tio.c_lflag &= ~ECHO; -- if (tcsetattr(fileno(stdin), 0, &tio) < 0) { -- fprintf(stderr, "Could not read password from standard input.\n"); -- return NULL; -- } -- -- fprintf(stdout, "Enter passphrase for private key: "); -- if (fgets(line, sizeof(line), stdin) == NULL) { -- fprintf(stdout, "\n"); -- tcsetattr(fileno(stdin), 0, &sio); -- return NULL; -- } -- fprintf(stdout, "\n"); -- tcsetattr(fileno(stdin), 0, &sio); -- -- p = line + strcspn(line, "\r\n"); -- if (p != NULL) -- *p = '\0'; -- -- char *ret = strdup(line); -- memset(line, '\0', sizeof (line)); -- if (!ret) { -- fprintf(stderr, 
"Could not read passphrase.\n"); -- return NULL; -- } -- return ret; --} -- - static int - sign_blob(cms_context *cms, SECItem *sigitem, SECItem *sign_content) - { -@@ -216,7 +173,7 @@ sign_blob(cms_context *cms, SECItem *sigitem, SECItem *sign_content) - if (!oid) - goto err; - -- PK11_SetPasswordFunc(cms->func ? cms->func : getpw); -+ PK11_SetPasswordFunc(cms->func ? cms->func : readpw); - SECKEYPrivateKey *privkey = PK11_FindKeyByAnyCert(cms->cert, - cms->pwdata ? cms->pwdata : NULL); - if (!privkey) { --- -1.7.12.1 - diff --git a/0039-Fix-token-auth-authentication-failure-error-reportin.patch b/0039-Fix-token-auth-authentication-failure-error-reportin.patch deleted file mode 100644 index fb243c8..0000000 --- a/0039-Fix-token-auth-authentication-failure-error-reportin.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From 3ceb3eb5b1c36ead2a862bcec5e527f74dc91381 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Fri, 19 Oct 2012 10:08:49 -0400 -Subject: [PATCH 39/41] Fix token auth authentication failure error reporting. - -Signed-off-by: Peter Jones ---- - src/cms_common.c | 4 +++- - src/daemon.c | 4 ++-- - 2 files changed, 5 insertions(+), 3 deletions(-) - -diff --git a/src/cms_common.c b/src/cms_common.c -index 898ddfb..2f3683e 100644 ---- a/src/cms_common.c -+++ b/src/cms_common.c -@@ -316,6 +316,7 @@ unlock_nss_token(cms_context *cms) - secuPWData pwdata_val = { 0, 0 }; - void *pwdata = cms->pwdata ? cms->pwdata : &pwdata_val; - PK11_SetPasswordFunc(cms->func ? cms->func : SECU_GetModulePassword); -+ int rc = -1; - - PK11SlotList *slots = NULL; - slots = PK11_GetAllTokens(CKM_RSA_PKCS, PR_FALSE, PR_TRUE, pwdata); -@@ -323,7 +324,7 @@ unlock_nss_token(cms_context *cms) - cms->log(cms, LOG_ERR, "Could not find certificate \"%s\"", - cms->tokenname); - err: -- return -1; -+ return rc; - } - - PK11SlotListElement *psle = NULL; -@@ -351,6 +352,7 @@ err_slots: - cms->log(cms, LOG_ERR, "Authentication failed for " - "token \"%s\"", cms->tokenname); - PK11_DestroySlotListElement(slots, &psle); -+ rc = -2; - goto err_slots; - } - } -diff --git a/src/daemon.c b/src/daemon.c -index 974a559..bf7485f 100644 ---- a/src/daemon.c -+++ b/src/daemon.c -@@ -204,10 +204,10 @@ malformed: - cms_set_pw_callback(ctx->cms, get_password_fail); - cms_set_pw_data(ctx->cms, NULL); - -- if (rc < 0) -+ if (rc == -1) - ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR, - "could not find token \"%s\"", tn->value); -- else -+ else if (rc == 0) - ctx->cms->log(ctx->cms, ctx->priority|LOG_NOTICE, - "authentication succeeded for token \"%s\"", - tn->value); --- -1.7.12.1 - diff --git a/0040-Use-setfacl-in-sysvinit-script-to-allow-kojibuilder-.patch b/0040-Use-setfacl-in-sysvinit-script-to-allow-kojibuilder-.patch deleted file mode 100644 index e613be2..0000000 
--- a/0040-Use-setfacl-in-sysvinit-script-to-allow-kojibuilder-.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 9c2daa8d3761b49961498cb9a9bbc8a37e05b0da Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Fri, 19 Oct 2012 10:19:39 -0400 -Subject: [PATCH 40/41] Use setfacl in sysvinit script to allow kojibuilder - access. - ---- - src/pesign.sysvinit | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/src/pesign.sysvinit b/src/pesign.sysvinit -index f955e01..ea37c58 100644 ---- a/src/pesign.sysvinit -+++ b/src/pesign.sysvinit -@@ -24,6 +24,10 @@ start(){ - RETVAL=$? - echo - touch /var/lock/subsys/pesign -+ setfacl -m u:kojibuilder:x /var/run/pesign -+ setfacl -m u:kojibuilder:rw /var/run/pesign/socket -+ setfacl -m g:kojibuilder:x /var/run/pesign -+ setfacl -m g:kojibuilder:rw /var/run/pesign/socket - } - - stop(){ --- -1.7.12.1 - diff --git a/0041-Don-t-return-quite-so-immediately-if-we-re-the-paren.patch b/0041-Don-t-return-quite-so-immediately-if-we-re-the-paren.patch deleted file mode 100644 index f98027f..0000000 --- a/0041-Don-t-return-quite-so-immediately-if-we-re-the-paren.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 2bd84dcfbdf084bcfb3e6d7c26756ca3783cdae4 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Fri, 19 Oct 2012 10:20:40 -0400 -Subject: [PATCH 41/41] Don't return quite so immediately if we're the parent - pid when daemonizing. - -Long term we probably want to look for the socket and/or sigchld instead -of this. - -Signed-off-by: Peter Jones ---- - src/daemon.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/src/daemon.c b/src/daemon.c -index bf7485f..6951f0a 100644 ---- a/src/daemon.c -+++ b/src/daemon.c -@@ -885,8 +885,10 @@ daemonize(cms_context *cms_ctx, int do_fork) - if (do_fork) { - pid_t pid; - -- if ((pid = fork())) -+ if ((pid = fork())) { -+ sleep(2); - return 0; -+ } - } - ctx.pid = getpid(); - write_pid_file(ctx.pid); --- -1.7.12.1 - diff --git a/pesign.spec b/pesign.spec index 3a0ae48..45e5bbd 100644 
--- a/pesign.spec +++ b/pesign.spec @@ -1,7 +1,7 @@ Summary: Signing utility for UEFI binaries Name: pesign -Version: 0.99 -Release: 7%{?dist} +Version: 0.104 +Release: 1%{?dist} Group: Development/System License: GPLv2 URL: https://github.com/vathpela/pesign @@ -9,6 +9,8 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: git gnu-efi nspr nspr-devel nss nss-devel nss-util popt-devel BuildRequires: coolkey opensc nss-tools Requires: nspr nss nss-util popt rpm acl coolkey opensc +BuildRequires: nspr-devel >= 4.9.2-1 +BuildRequires: nss-devel >= 3.13.6-1 Requires(pre): shadow-utils ExclusiveArch: i686 x86_64 ia64 
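Review bot: The two added floors, `BuildRequires: nspr-devel >= 4.9.2-1` and `BuildRequires: nss-devel >= 3.13.6-1`, constrain only the build root, while the `Requires: nspr nss nss-util ...` line just above them stays unversioned. If the floors exist because pesign needs behaviour or fixes from those NSPR/NSS releases (the hunk does not say why), a matching runtime floor such as `Requires: nss >= 3.13.6-1` would keep a signing host from running the tool against an older library. RPM's automatic library dependencies may already cover part of this, so confirm before adding it. The unversioned `nspr-devel nss-devel` entries on the first BuildRequires line are now redundant, and a one-line comment naming the reason for each floor would help the next rebase.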
@@ -18,48 +20,6 @@ ExclusiveArch: i686 x86_64 ia64 Source0: pesign-%{version}.tar.bz2 Source1: rh-test-certs.tar.bz2 -Patch1: 0001-Use-PK11_TraverseCertsForNicknameInSlot-after-all.patch -Patch2: 0002-Remove-an-unused-field.patch -Patch3: 0003-Free-the-certificate-list-we-make-once-we-re-done-us.patch -Patch4: 0004-Make-sure-we-actually-look-up-the-certificate-when-n.patch -Patch5: 0005-Fix-check-for-allocations-on-tokenname-certname.patch -Patch6: 0006-Update-valgrind.supp-for-newer-codepaths.patch -Patch7: 0007-Free-the-pid-string-once-we-re-done-writing-it.patch -Patch8: 0008-valgrind-Don-t-complain-about-unlocking-a-key-and-ke.patch -Patch9: 0009-Only-try-to-register-OIDs-once.patch -Patch10: 0010-Check-for-NSS_Shutdown-failure.patch -Patch11: 0011-Don-t-destroy-stdin-stdout-stderr-if-we-don-t-fork.patch -Patch12: 0012-valgrind-Add-SECMOD_LoadModule-codepath.patch -Patch13: 0013-Don-t-set-up-digests-in-cms_context_init.patch -Patch14: 0014-Do-register_oids-where-we-re-doing-NSS_Init.patch -Patch15: 0015-Make-daemon-shutdown-actually-close-the-NSS-database.patch -Patch16: 0016-Reformat-a-bunch-of-error-messages-to-be-vaguely-con.patch -Patch17: 0017-Use-PORT_ArenaStrdup-where-appropriate.patch -Patch18: 0018-Minor-whitespace-fixes.patch -Patch19: 0019-daemon-Make-sure-inpe-is-initialized-before-all-erro.patch -Patch20: 0020-Allocate-pesign_context-rather-than-having-it-on-the.patch -Patch21: 0021-pesign-initialize-nss-only-if-we-re-not-a-daemon.patch -Patch22: 0022-Handle-errors-on-pesign_context_init.patch -Patch23: 0023-Add-sanity-checking-to-make-sure-we-don-t-emit-unini.patch -Patch24: 0024-Make-sure-we-free-the-token-cert-we-get-from-the-com.patch -Patch25: 0025-pesign-Only-shut-down-nss-in-pesign.c-if-we-re-not-t.patch -Patch26: 0026-Rework-setup_digests-and-teardown_digests.patch -Patch27: 0027-We-shouldn-t-need-Environment-NSS_STRICT_NOFORK-DISA.patch -Patch28: 0028-Fix-errors-found-by-coverity.patch -Patch29: 0029-Don-t-keep-the-DEPS-list-twice.patch 
-Patch30: 0030-Don-t-build-util-right-now.patch -Patch31: 0031-Make-install_systemd-and-install_sysvinit-separate-t.patch -Patch32: 0032-Get-rid-of-an-unnecessary-allocation.patch -Patch33: 0033-Allow-use-of-e-from-rpm-macro.patch -Patch34: 0034-Make-client-use-e-like-pesign-does-rather-than-detac.patch -Patch35: 0035-Fix-shutdown-by-systemd-to-remove-socket-and-pidfile.patch -Patch36: 0036-Make-the-macros-use-the-default-fedora-signer-if-the.patch -Patch37: 0037-Fix-command-line-checking-for-s.patch -Patch38: 0038-Add-support-to-read-the-pin-from-stdin-in-client.patch -Patch39: 0039-Fix-token-auth-authentication-failure-error-reportin.patch -Patch40: 0040-Use-setfacl-in-sysvinit-script-to-allow-kojibuilder-.patch -Patch41: 0041-Don-t-return-quite-so-immediately-if-we-re-the-paren.patch - %description This package contains the pesign utility for signing UEFI binaries as well as other associated tools. @@ -87,10 +47,12 @@ rm -rf %{buildroot}/boot %{buildroot}/usr/include rm -rf %{buildroot}%{_libdir}/libdpe* mv rh-test-certs/etc/pki/pesign/* %{buildroot}/etc/pki/pesign/ -modutil -dbdir /etc/pki/pesign -add coolkey \ - -libfile %{_libdir}pkcs11/libcoolkeypk11.so -modutil -dbdir /etc/pki/pesign -add opensc \ - -libfile %{_libdir}/pkcs11/opensc-pkcs11.so + + +#modutil -force -dbdir %{buildroot}/etc/pki/pesign -add coolkey \ +# -libfile %{_libdir}/pkcs11/libcoolkeypk11.so +#modutil -force -dbdir %{buildroot}/etc/pki/pesign -add opensc \ +# -libfile %{_libdir}/pkcs11/opensc-pkcs11.so %clean rm -rf %{buildroot} @@ -121,6 +83,7 @@ fi %doc README TODO COPYING %{_bindir}/pesign %{_bindir}/pesign-client +%{_bindir}/efikeygen %{_sysconfdir}/popt.d/pesign.popt %{_sysconfdir}/rpm/macros.pesign %{_mandir}/man*/* 
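Review bot: The `modutil` calls in `%install` are replaced by commented-out commands with no explanation, so the spec no longer says how the coolkey and opensc PKCS#11 modules get registered in the `/etc/pki/pesign` database, although both packages remain in `Requires` and the older changelog entry still says they are added during %%install. The commented form corrects two problems in the removed lines (it targets `%{buildroot}/etc/pki/pesign` instead of the build host's database and restores the missing `/` in `%{_libdir}/pkcs11/`), which suggests it was meant to return. Either delete the block or put a comment above it, for example `# modutil registration disabled: <reason>; tokens are added to the NSS db by <mechanism>`, and add a changelog line recording the change, since a signing host built from this package may otherwise come up without its token modules registered. The `%install` section starts and ends outside the hunk.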
@@ -130,8 +93,38 @@ fi %dir %attr(0770, pesign, pesign) %{_localstatedir}/run/%{name} %ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/socket %ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/pesign.pid +%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17 +%{_prefix}/lib/tmpfiles.d/pesign.conf +%{_unitdir}/pesign.service +%endif %changelog +* Wed May 15 2013 Peter Jones - 0.104-1 +- Make sure alignment is correct on signature list entries + Resolves: rhbz#963361 +- Make sure section alignment is correct if we have to extend the file + +* Wed Feb 06 2013 Peter Jones - 0.103-2 +- Conditionalize systemd bits so they don't show up in RHEL 6 builds + +* Tue Feb 05 2013 Peter Jones - 0.103-1 +- One more compiler problem. Let's expect a few more, shall we? + +* Tue Feb 05 2013 Peter Jones - 0.102-1 +- Don't use --std=gnu11 because we have to work on RHEL 6 builders. + +* Mon Feb 04 2013 Peter Jones - 0.101-1 +- Update to 0.101 to fix more "pesign -E" issues. + +* Fri Nov 30 2012 Peter Jones - 0.100-1 +- Fix insertion of signatures from a file. + +* Mon Nov 26 2012 Matthew Garrett - 0.99-9 +- Add a patch needed for new shim builds + +* Fri Oct 19 2012 Peter Jones - 0.99-8 +- Get the Fedora signing token name right. + * Fri Oct 19 2012 Peter Jones - Add coolkey and opensc modules to pki database during %%install. diff --git a/sources b/sources index 53736e2..c06862d 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 328db7cb27847cb610b7cf8f9c470455 rh-test-certs.tar.bz2 -99a5e8d3c9e7ac103595afec1160838b pesign-0.99.tar.bz2 +386de71bf2dd5db5a1c0d9e3f37469dd pesign-0.104.tar.bz2