From 9890c6917997101f094bb48d5954105ec643c06e Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Nov 05 2019 19:37:17 +0000
Subject: import certmonger-0.79.7-3.el8
---
diff --git a/.certmonger.metadata b/.certmonger.metadata
index c19e22f..a647082 100644
--- a/.certmonger.metadata
+++ b/.certmonger.metadata
@@ -1 +1 @@
-7eac3ce49718df4be8f47ec92ae3a951eb4ac435 SOURCES/certmonger-0.79.6.tar.gz
+f73818aec2b6e1d9765af188547e2c82e644209c SOURCES/certmonger-0.79.7.tar.gz
diff --git a/.gitignore b/.gitignore
index f7a6717..fe7ff44 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/certmonger-0.79.6.tar.gz
+SOURCES/certmonger-0.79.7.tar.gz
diff --git a/SOURCES/0003-Use-the-correct-slot-when-saving-certificates-in-NSS.patch b/SOURCES/0003-Use-the-correct-slot-when-saving-certificates-in-NSS.patch
deleted file mode 100644
index a5a897f..0000000
--- a/SOURCES/0003-Use-the-correct-slot-when-saving-certificates-in-NSS.patch
+++ /dev/null
@@ -1,1016 +0,0 @@ -From 3da0e186904ad81dd87cf74bfae88270f14bb770 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Tue, 21 Aug 2018 17:25:21 -0400 -Subject: [PATCH 1/7] Use the correct slot when saving certificates in NSS - -Certificates were always stored in the NSS certdb. ---- - src/certsave-n.c | 915 ++++++++++++++++++++++++++++--------------------------- - 1 file changed, 474 insertions(+), 441 deletions(-) - -diff --git a/src/certsave-n.c b/src/certsave-n.c -index 8e15a18a..af176ce5 100644 ---- a/src/certsave-n.c -+++ b/src/certsave-n.c -@@ -92,7 +92,11 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, - SECStatus error; - SECItem *item, subject; - char *p, *q, *pin; -+ const char *token; - const char *es; -+ PK11SlotList *slotlist; -+ PK11SlotListElement *sle; -+ CK_MECHANISM_TYPE mech; - NSSInitContext *ctx; - CERTCertDBHandle *certdb; - CERTCertList *certlist; -@@ -192,231 +196,253 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, - } - _exit(CM_CERTSAVE_STATUS_INTERNAL_ERROR); - } -- /* Be ready to count our uses of a PIN. */ -- memset(&cb_data, 0, sizeof(cb_data)); -- cb_data.entry = entry; -- cb_data.n_attempts = 0; -- pin = NULL; -- if (cm_pin_read_for_key(entry, &pin) != 0) { -- cm_log(1, "Error reading PIN for key store, " -- "failing to save certificate.\n"); -+ /* Find the tokens that we might use for cert storage. */ -+ mech = CKM_RSA_X_509; -+ slotlist = PK11_GetAllTokens(mech, PR_FALSE, PR_FALSE, NULL); -+ if (slotlist == NULL) { -+ cm_log(1, "Error getting list of tokens.\n"); - PORT_FreeArena(arena, PR_TRUE); -- error = NSS_ShutdownContext(ctx); -- if (error != SECSuccess) { -+ if (NSS_ShutdownContext(ctx) != SECSuccess) { - cm_log(1, "Error shutting down NSS.\n"); - } -- _exit(CM_CERTSAVE_STATUS_AUTH); -+ _exit(2); - } -- /* Set a PIN if we're supposed to be using one and aren't using -- * one yet in this database. 
*/ -- if (PK11_NeedUserInit(PK11_GetInternalKeySlot())) { -- PK11_InitPin(PK11_GetInternalKeySlot(), NULL, -- pin ? pin : ""); -- ec = PORT_GetError(); -- if (ec != 0) { -- es = PR_ErrorToName(ec); -+ /* Walk the list looking for the requested slot, or the first one if -+ * none was requested. */ -+ if (cm_pin_read_for_cert(entry, &pin) != 0) { -+ cm_log(1, "Error reading PIN for cert db.\n"); -+ _exit(CM_SUB_STATUS_ERROR_AUTH); -+ } -+ PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb); -+ for (sle = slotlist->head; -+ ((sle != NULL) && (sle->slot != NULL)); -+ sle = sle->next) -+ { -+ /* Log the slot's name. */ -+ token = PK11_GetTokenName(sle->slot); -+ if (token != NULL) { -+ cm_log(3, "Found token '%s'.\n", token); - } else { -- es = NULL; -+ cm_log(3, "Found unnamed token.\n"); - } -- if (PK11_NeedUserInit(PK11_GetInternalKeySlot())) { -- if (es != NULL) { -- cm_log(1, "Key storage slot still " -- "needs user PIN to be set: " -- "%s.\n", es); -- } else { -- cm_log(1, "Key storage slot still " -- "needs user PIN to be set.\n"); -- } -+ /* If we're looking for a specific slot, and this isn't it, -+ * keep going. */ -+ if ((entry->cm_cert_token != NULL) && -+ ((token == NULL) || -+ (strcmp(entry->cm_cert_token, token) != 0))) { -+ if (token != NULL) { -+ cm_log(1, -+ "Token is named \"%s\", not \"%s\", " -+ "skipping.\n", -+ token, entry->cm_cert_token); -+ } else { -+ cm_log(1, -+ "Token is unnamed, not \"%s\", " -+ "skipping.\n", -+ entry->cm_cert_token); -+ } -+ goto next_slot; -+ } -+ /* Be ready to count our uses of a PIN. 
*/ -+ memset(&cb_data, 0, sizeof(cb_data)); -+ cb_data.entry = entry; -+ cb_data.n_attempts = 0; -+ pin = NULL; -+ if (cm_pin_read_for_key(entry, &pin) != 0) { -+ cm_log(1, "Error reading PIN for key store, " -+ "failing to save certificate.\n"); - PORT_FreeArena(arena, PR_TRUE); - error = NSS_ShutdownContext(ctx); - if (error != SECSuccess) { - cm_log(1, "Error shutting down NSS.\n"); - } -- switch (ec) { -- case PR_NO_ACCESS_RIGHTS_ERROR: /* EACCES or EPERM */ -- _exit(CM_CERTSAVE_STATUS_PERMS); -- break; -- default: -- _exit(CM_CERTSAVE_STATUS_AUTH); -- break; -- } -+ _exit(CM_CERTSAVE_STATUS_AUTH); - } -- /* We're authenticated now, so count this as a use of -- * the PIN. */ -- if ((pin != NULL) && (strlen(pin) > 0)) { -- cb_data.n_attempts++; -- } -- } -- /* Log in, if case we need to muck around with the key -- * database. */ -- PK11_SetPasswordFunc(&cm_pin_read_for_key_nss_cb); -- error = PK11_Authenticate(PK11_GetInternalKeySlot(), PR_TRUE, -- &cb_data); -- ec = PORT_GetError(); -- if (error != SECSuccess) { -- if (ec != 0) { -+ if (PK11_NeedUserInit(sle->slot)) { -+ PK11_InitPin(sle->slot, NULL, pin ? pin : ""); -+ ec = PORT_GetError(); - es = PR_ErrorToName(ec); -- } else { -- es = NULL; -- } -- if (es != NULL) { -- cm_log(1, "Error authenticating to key store: %s.\n", -- es); -- } else { -- cm_log(1, "Error authenticating to key store.\n"); -- } -- PORT_FreeArena(arena, PR_TRUE); -- error = NSS_ShutdownContext(ctx); -- if (error != SECSuccess) { -- cm_log(1, "Error shutting down NSS.\n"); -- } -- _exit(CM_CERTSAVE_STATUS_AUTH); -- } -- if ((pin != NULL) && -- (strlen(pin) > 0) && -- (cb_data.n_attempts == 0)) { -- cm_log(1, "PIN was not needed to auth to key " -- "store, though one was provided. 
" -- "Treating this as an error.\n"); -- PORT_FreeArena(arena, PR_TRUE); -- error = NSS_ShutdownContext(ctx); -- if (error != SECSuccess) { -- cm_log(1, "Error shutting down NSS.\n"); -- } -- _exit(CM_CERTSAVE_STATUS_AUTH); -- } -- certdb = CERT_GetDefaultCertDB(); -- if (certdb != NULL) { -- /* Strip the header and footer. */ -- p = entry->cm_cert; -- q = NULL; -- if (p != NULL) { -- while (strncmp(p, "-----BEGIN ", 11) == 0) { -- p += strcspn(p, "\r\n"); -- p += strspn(p, "\r\n"); -+ if (PK11_NeedUserInit(sle->slot)) { -+ if (es != NULL) { -+ cm_log(1, "Key storage slot still " -+ "needs user PIN to be set: " -+ "%s.\n", es); -+ } else { -+ cm_log(1, "Key storage slot still " -+ "needs user PIN to be set.\n"); -+ } -+ PORT_FreeArena(arena, PR_TRUE); -+ error = NSS_ShutdownContext(ctx); -+ if (error != SECSuccess) { -+ cm_log(1, "Error shutting down NSS.\n"); -+ } -+ switch (ec) { -+ case PR_NO_ACCESS_RIGHTS_ERROR: /* EACCES or EPERM */ -+ _exit(CM_CERTSAVE_STATUS_PERMS); -+ break; -+ default: -+ _exit(CM_CERTSAVE_STATUS_AUTH); -+ break; -+ } - } -- q = strstr(p, "-----END"); -+ /* count this as use of the PIN */ -+ cb_data.n_attempts++; - } -- if ((q == NULL) || (*p == '\0')) { -- cm_log(1, "Unable to parse certificate.\n"); -- PORT_FreeArena(arena, PR_TRUE); -- if (NSS_ShutdownContext(ctx) != SECSuccess) { -- cm_log(1, "Error shutting down NSS.\n"); -+ if (PK11_NeedLogin(sle->slot)) { -+ error = PK11_Authenticate(sle->slot, PR_TRUE, &cb_data); -+ if (error != SECSuccess) { -+ cm_log(1, "Error authenticating to cert db for token " -+ "%s.\n", token); -+ goto next_slot; - } -- _exit(CM_CERTSAVE_STATUS_INTERNAL_ERROR); -+ cb_data.n_attempts++; - } -- /* Handle the base64 decode. 
*/ -- item = NSSBase64_DecodeBuffer(arena, NULL, p, q - p); -- if (item == NULL) { -- cm_log(1, "Unable to decode certificate " -- "into buffer.\n"); -+ if ((pin != NULL) && -+ (strlen(pin) > 0) && -+ (cb_data.n_attempts == 0)) { -+ cm_log(1, "PIN was not needed to auth to key " -+ "store, though one was provided. " -+ "Treating this as an error.\n"); - PORT_FreeArena(arena, PR_TRUE); -- if (NSS_ShutdownContext(ctx) != SECSuccess) { -+ error = NSS_ShutdownContext(ctx); -+ if (error != SECSuccess) { - cm_log(1, "Error shutting down NSS.\n"); - } -- _exit(CM_CERTSAVE_STATUS_INTERNAL_ERROR); -+ _exit(CM_CERTSAVE_STATUS_AUTH); - } -- /* Do a "shallow" decode to pull out the subject name -- * so that we can check for a conflict. */ -- memset(&csdata, 0, sizeof(csdata)); -- if (SEC_ASN1DecodeItem(arena, &csdata, -- CERT_SignedDataTemplate, -- item) != SECSuccess) { -- cm_log(1, "Unable to decode certificate " -- "signed data into buffer.\n"); -- PORT_FreeArena(arena, PR_TRUE); -- if (NSS_ShutdownContext(ctx) != SECSuccess) { -- cm_log(1, "Error shutting down NSS.\n"); -+ certdb = CERT_GetDefaultCertDB(); -+ if (certdb != NULL) { -+ /* Strip the header and footer. 
*/ -+ p = entry->cm_cert; -+ q = NULL; -+ if (p != NULL) { -+ while (strncmp(p, "-----BEGIN ", 11) == 0) { -+ p += strcspn(p, "\r\n"); -+ p += strspn(p, "\r\n"); -+ } -+ q = strstr(p, "-----END"); - } -- _exit(CM_CERTSAVE_STATUS_INTERNAL_ERROR); -- } -- memset(&cert, 0, sizeof(cert)); -- if (SEC_ASN1DecodeItem(arena, &cert, -- CERT_CertificateTemplate, -- &csdata.data) != SECSuccess) { -- cm_log(1, "Unable to decode certificate " -- "data into buffer.\n"); -- PORT_FreeArena(arena, PR_TRUE); -- if (NSS_ShutdownContext(ctx) != SECSuccess) { -- cm_log(1, "Error shutting down NSS.\n"); -+ if ((q == NULL) || (*p == '\0')) { -+ cm_log(1, "Unable to parse certificate.\n"); -+ PORT_FreeArena(arena, PR_TRUE); -+ if (NSS_ShutdownContext(ctx) != SECSuccess) { -+ cm_log(1, "Error shutting down NSS.\n"); -+ } -+ _exit(CM_CERTSAVE_STATUS_INTERNAL_ERROR); - } -- _exit(CM_CERTSAVE_STATUS_INTERNAL_ERROR); -- } -- subject = cert.derSubject; -- /* Ask NSS if there would be a conflict. */ -- have_trust = PR_FALSE; -- if (SEC_CertNicknameConflict(entry->cm_cert_nickname, -- &subject, -- certdb)) { -- /* Delete the certificate that's already there -- * with the nickname we want, otherwise our -- * cert with a different subject name will be -- * discarded. */ -- certlist = PK11_FindCertsFromNickname(entry->cm_cert_nickname, -- NULL); -+ /* Handle the base64 decode. */ -+ item = NSSBase64_DecodeBuffer(arena, NULL, p, q - p); -+ if (item == NULL) { -+ cm_log(1, "Unable to decode certificate " -+ "into buffer.\n"); -+ PORT_FreeArena(arena, PR_TRUE); -+ if (NSS_ShutdownContext(ctx) != SECSuccess) { -+ cm_log(1, "Error shutting down NSS.\n"); -+ } -+ _exit(CM_CERTSAVE_STATUS_INTERNAL_ERROR); -+ } -+ /* Do a "shallow" decode to pull out the subject name -+ * so that we can check for a conflict. 
*/ -+ memset(&csdata, 0, sizeof(csdata)); -+ if (SEC_ASN1DecodeItem(arena, &csdata, -+ CERT_SignedDataTemplate, -+ item) != SECSuccess) { -+ cm_log(1, "Unable to decode certificate " -+ "signed data into buffer.\n"); -+ PORT_FreeArena(arena, PR_TRUE); -+ if (NSS_ShutdownContext(ctx) != SECSuccess) { -+ cm_log(1, "Error shutting down NSS.\n"); -+ } -+ _exit(CM_CERTSAVE_STATUS_INTERNAL_ERROR); -+ } -+ memset(&cert, 0, sizeof(cert)); -+ if (SEC_ASN1DecodeItem(arena, &cert, -+ CERT_CertificateTemplate, -+ &csdata.data) != SECSuccess) { -+ cm_log(1, "Unable to decode certificate " -+ "data into buffer.\n"); -+ PORT_FreeArena(arena, PR_TRUE); -+ if (NSS_ShutdownContext(ctx) != SECSuccess) { -+ cm_log(1, "Error shutting down NSS.\n"); -+ } -+ _exit(CM_CERTSAVE_STATUS_INTERNAL_ERROR); -+ } -+ subject = cert.derSubject; -+ /* Ask NSS if there would be a conflict. */ -+ have_trust = PR_FALSE; -+ if (SEC_CertNicknameConflict(entry->cm_cert_nickname, -+ &subject, -+ certdb)) { -+ /* Delete the certificate that's already there -+ * with the nickname we want, otherwise our -+ * cert with a different subject name will be -+ * discarded. */ -+ certlist = PK11_FindCertsFromNickname(entry->cm_cert_nickname, -+ NULL); -+ if (certlist != NULL) { -+ /* Look for certs with different -+ * subject names but the same nickname, -+ * because they've got to go. */ -+ for (node = CERT_LIST_HEAD(certlist); -+ (node != NULL) && -+ !CERT_LIST_EMPTY(certlist) && -+ !CERT_LIST_END(node, certlist); -+ node = CERT_LIST_NEXT(node)) { -+ if (!SECITEM_ItemsAreEqual(&subject, -+ &node->cert->derSubject)) { -+ cm_log(3, "Found a " -+ "certificate " -+ "with the same " -+ "nickname but " -+ "different " -+ "subject, " -+ "removing " -+ "certificate " -+ "\"%s\" with " -+ "subject " -+ "\"%s\".\n", -+ node->cert->nickname, -+ node->cert->subjectName ? -+ node->cert->subjectName : -+ ""); -+ /* Get a handle for -+ * this certificate's -+ * private key, in case -+ * we need to remove -+ * it. 
*/ -+ privkey = PK11_FindKeyByAnyCert(node->cert, NULL); -+ privkeys = add_privkey_to_list(privkeys, privkey); -+ SEC_DeletePermCertificate(node->cert); -+ } -+ } -+ CERT_DestroyCertList(certlist); -+ } -+ } else { -+ cm_log(3, "No duplicate nickname entries.\n"); -+ } -+ /* This certificate's subject may already be present -+ * with a different nickname. Delete those, too. */ -+ certlist = CERT_CreateSubjectCertList(NULL, certdb, -+ &subject, -+ PR_FALSE, -+ PR_FALSE); - if (certlist != NULL) { -- /* Look for certs with different -- * subject names but the same nickname, -- * because they've got to go. */ -+ /* Look for certs with different nicknames but -+ * the same subject name, because those have -+ * got to go. */ -+ i = 0; - for (node = CERT_LIST_HEAD(certlist); - (node != NULL) && - !CERT_LIST_EMPTY(certlist) && - !CERT_LIST_END(node, certlist); - node = CERT_LIST_NEXT(node)) { -- if (!SECITEM_ItemsAreEqual(&subject, -- &node->cert->derSubject)) { -+ if ((node->cert->nickname != NULL) && -+ (strcmp(entry->cm_cert_nickname, -+ node->cert->nickname) != 0)) -+ { -+ i++; - cm_log(3, "Found a " -- "certificate " -- "with the same " -- "nickname but " -- "different " -- "subject, " -- "removing " -- "certificate " -- "\"%s\" with " -- "subject " -- "\"%s\".\n", -- node->cert->nickname, -- node->cert->subjectName ? -- node->cert->subjectName : -- ""); -- /* Get a handle for -- * this certificate's -- * private key, in case -- * we need to remove -- * it. */ -- privkey = PK11_FindKeyByAnyCert(node->cert, NULL); -- privkeys = add_privkey_to_list(privkeys, privkey); -- SEC_DeletePermCertificate(node->cert); -- } -- } -- CERT_DestroyCertList(certlist); -- } -- } else { -- cm_log(3, "No duplicate nickname entries.\n"); -- } -- /* This certificate's subject may already be present -- * with a different nickname. Delete those, too. 
*/ -- certlist = CERT_CreateSubjectCertList(NULL, certdb, -- &subject, -- PR_FALSE, -- PR_FALSE); -- if (certlist != NULL) { -- /* Look for certs with different nicknames but -- * the same subject name, because those have -- * got to go. */ -- i = 0; -- for (node = CERT_LIST_HEAD(certlist); -- (node != NULL) && -- !CERT_LIST_EMPTY(certlist) && -- !CERT_LIST_END(node, certlist); -- node = CERT_LIST_NEXT(node)) { -- if ((node->cert->nickname != NULL) && -- (strcmp(entry->cm_cert_nickname, -- node->cert->nickname) != 0)) { -- i++; -- cm_log(3, "Found a " -- "certificate with a " -+ "certificate with a " - "different nickname but " - "the same subject, " - "removing certificate " -@@ -426,284 +452,291 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, - node->cert->subjectName ? - node->cert->subjectName : - ""); -- /* Get a handle for this -- * certificate's private key, -- * in case we need to remove -- * it. */ -- privkey = PK11_FindKeyByAnyCert(node->cert, NULL); -- privkeys = add_privkey_to_list(privkeys, privkey); -- SEC_DeletePermCertificate(node->cert); -- } else { -- /* Same nickname, and we -- * already know it has the same -- * subject name. Save its -- * trust. */ -- if (!have_trust) { -- if (CERT_GetCertTrust(node->cert, -+ /* Get a handle for this -+ * certificate's private key, -+ * in case we need to remove -+ * it. */ -+ privkey = PK11_FindKeyByAnyCert(node->cert, NULL); -+ privkeys = add_privkey_to_list(privkeys, privkey); -+ SEC_DeletePermCertificate(node->cert); -+ } else { -+ /* Same nickname, and we -+ * already know it has the same -+ * subject name. Save its -+ * trust. 
*/ -+ if (!have_trust) { -+ if (CERT_GetCertTrust(node->cert, - &trust) == SECSuccess) { -- have_trust = PR_TRUE; -+ have_trust = PR_TRUE; -+ } - } - } - } -- } -- if (i == 0) { -- cm_log(3, "No duplicate subject name entries.\n"); -- } -- CERT_DestroyCertList(certlist); -- } else { -- cm_log(3, "No duplicate subject name entries.\n"); -- } -- /* Make one more attempt at finding an existing trust -- * value. */ -- if (!have_trust) { -- oldcert = PK11_FindCertFromNickname(entry->cm_cert_nickname, NULL); -- if (oldcert != NULL) { -- if (CERT_GetCertTrust(oldcert, -- &trust) == SECSuccess) { -- have_trust = PR_TRUE; -+ if (i == 0) { -+ cm_log(3, "No duplicate subject name entries.\n"); - } -- CERT_DestroyCertificate(oldcert); -+ CERT_DestroyCertList(certlist); -+ } else { -+ cm_log(3, "No duplicate subject name entries.\n"); - } -- } -- /* Import the certificate. */ -- returned = NULL; -- error = CERT_ImportCerts(certdb, -- certUsageUserCertImport, -- 1, &item, &returned, -- PR_TRUE, -- PR_FALSE, -- entry->cm_cert_nickname); -- ec = PORT_GetError(); -- if (error == SECSuccess) { -- /* If NSS uses SQL DB storage, CERT_ImportCerts creates -- * an incomplete internal state (the cert isn't -- * associated with the private key, and calling -- * PK11_FindKeyByAnyCert returns no result). -- * As a workaround, we import the cert again using -- * PK11_ImportCert, which magically fixes the issue. -- * See rhbz#1532188 */ -- error = PK11_ImportCert(PK11_GetInternalKeySlot(), -- returned[0], -- CK_INVALID_HANDLE, -- returned[0]->nickname, -- PR_FALSE); -- } -- if (error == SECSuccess) { -- cm_log(1, "Imported certificate \"%s\", got " -- "nickname \"%s\".\n", -- entry->cm_cert_nickname, -- returned[0]->nickname); -- status = 0; -- /* Set the trust on the new certificate, -- * perhaps matching the trust on an -- * already-present certificate with the same -- * nickname. */ -+ /* Make one more attempt at finding an existing trust -+ * value. 
*/ - if (!have_trust) { -- memset(&trust, 0, sizeof(trust)); -- trust.sslFlags = CERTDB_USER; -- trust.emailFlags = CERTDB_USER; -- trust.objectSigningFlags = CERTDB_USER; -+ oldcert = PK11_FindCertFromNickname(entry->cm_cert_nickname, NULL); -+ if (oldcert != NULL) { -+ if (CERT_GetCertTrust(oldcert, -+ &trust) == SECSuccess) { -+ have_trust = PR_TRUE; -+ } -+ CERT_DestroyCertificate(oldcert); -+ } - } -- error = CERT_ChangeCertTrust(certdb, -- returned[0], -- &trust); -+ /* Import the certificate. */ -+ returned = NULL; -+ error = CERT_ImportCerts(certdb, -+ certUsageUserCertImport, -+ 1, &item, &returned, -+ PR_TRUE, -+ PR_FALSE, -+ entry->cm_cert_nickname); - ec = PORT_GetError(); -- if (error != SECSuccess) { -+ if (error == SECSuccess) { -+ /* If NSS uses SQL DB storage, CERT_ImportCerts creates -+ * an incomplete internal state (the cert isn't -+ * associated with the private key, and calling -+ * PK11_FindKeyByAnyCert returns no result). -+ * As a workaround, we import the cert again using -+ * PK11_ImportCert, which magically fixes the issue. -+ * See rhbz#1532188 */ -+ error = PK11_ImportCert(sle->slot, -+ returned[0], -+ CK_INVALID_HANDLE, -+ returned[0]->nickname, -+ PR_FALSE); -+ } -+ if (error == SECSuccess) { -+ cm_log(1, "Imported certificate \"%s\", got " -+ "nickname \"%s\".\n", -+ entry->cm_cert_nickname, -+ returned[0]->nickname); -+ status = 0; -+ /* Set the trust on the new certificate, -+ * perhaps matching the trust on an -+ * already-present certificate with the same -+ * nickname. 
*/ -+ if (!have_trust) { -+ memset(&trust, 0, sizeof(trust)); -+ trust.sslFlags = CERTDB_USER; -+ trust.emailFlags = CERTDB_USER; -+ trust.objectSigningFlags = CERTDB_USER; -+ } -+ error = CERT_ChangeCertTrust(certdb, -+ returned[0], -+ &trust); -+ ec = PORT_GetError(); -+ if (error != SECSuccess) { -+ if (ec != 0) { -+ es = PR_ErrorToName(ec); -+ } else { -+ es = NULL; -+ } -+ if (es != NULL) { -+ cm_log(0, "Error setting trust " -+ "on certificate \"%s\": " -+ "%s.\n", -+ entry->cm_cert_nickname, es); -+ } else { -+ cm_log(0, "Error setting trust " -+ "on certificate \"%s\".\n", -+ entry->cm_cert_nickname); -+ } -+ } -+ /* Delete any other certificates that are there -+ * with the same nickname. While NSS's -+ * database allows duplicates so long as they -+ * have the same subject name and nickname, -+ * several APIs and many applications can't -+ * dependably find the right one among more -+ * than one. So bye-bye, old certificates. */ -+ certlist = PK11_FindCertsFromNickname(entry->cm_cert_nickname, -+ NULL); -+ if (certlist != NULL) { -+ /* Look for certs with contents. */ -+ for (node = CERT_LIST_HEAD(certlist); -+ (node != NULL) && -+ !CERT_LIST_EMPTY(certlist) && -+ !CERT_LIST_END(node, certlist); -+ node = CERT_LIST_NEXT(node)) { -+ if (!SECITEM_ItemsAreEqual(item, -+ &node->cert->derCert)) { -+ cm_log(3, "Found a " -+ "certificate " -+ "with the same " -+ "nickname and " -+ "subject, but " -+ "different " -+ "contents, " -+ "removing it.\n"); -+ /* Get a handle for -+ * this certificate's -+ * private key, in case -+ * we need to remove -+ * it. 
*/ -+ privkey = PK11_FindKeyByAnyCert(node->cert, NULL); -+ privkeys = add_privkey_to_list(privkeys, privkey); -+ SEC_DeletePermCertificate(node->cert); -+ } -+ } -+ CERT_DestroyCertList(certlist); -+ } -+ } else { - if (ec != 0) { - es = PR_ErrorToName(ec); - } else { - es = NULL; - } - if (es != NULL) { -- cm_log(0, "Error setting trust " -- "on certificate \"%s\": " -- "%s.\n", -- entry->cm_cert_nickname, es); -+ cm_log(0, "Error importing certificate " -+ "into NSSDB \"%s\": %s.\n", -+ entry->cm_cert_storage_location, -+ es); - } else { -- cm_log(0, "Error setting trust " -- "on certificate \"%s\".\n", -- entry->cm_cert_nickname); -+ cm_log(0, "Error importing certificate " -+ "into NSSDB \"%s\".\n", -+ entry->cm_cert_storage_location); - } -- } -- /* Delete any other certificates that are there -- * with the same nickname. While NSS's -- * database allows duplicates so long as they -- * have the same subject name and nickname, -- * several APIs and many applications can't -- * dependably find the right one among more -- * than one. So bye-bye, old certificates. */ -- certlist = PK11_FindCertsFromNickname(entry->cm_cert_nickname, -- NULL); -- if (certlist != NULL) { -- /* Look for certs with contents. */ -- for (node = CERT_LIST_HEAD(certlist); -- (node != NULL) && -- !CERT_LIST_EMPTY(certlist) && -- !CERT_LIST_END(node, certlist); -- node = CERT_LIST_NEXT(node)) { -- if (!SECITEM_ItemsAreEqual(item, -- &node->cert->derCert)) { -- cm_log(3, "Found a " -- "certificate " -- "with the same " -- "nickname and " -- "subject, but " -- "different " -- "contents, " -- "removing it.\n"); -- /* Get a handle for -- * this certificate's -- * private key, in case -- * we need to remove -- * it. 
*/ -- privkey = PK11_FindKeyByAnyCert(node->cert, NULL); -- privkeys = add_privkey_to_list(privkeys, privkey); -- SEC_DeletePermCertificate(node->cert); -- } -+ switch (ec) { -+ case PR_NO_ACCESS_RIGHTS_ERROR: /* ACCES/PERM */ -+ status = CM_CERTSAVE_STATUS_PERMS; -+ break; -+ default: -+ status = CM_CERTSAVE_STATUS_INTERNAL_ERROR; -+ break; - } -- CERT_DestroyCertList(certlist); -- } -- } else { -- if (ec != 0) { -- es = PR_ErrorToName(ec); -- } else { -- es = NULL; - } -- if (es != NULL) { -- cm_log(0, "Error importing certificate " -- "into NSSDB \"%s\": %s.\n", -- entry->cm_cert_storage_location, -- es); -- } else { -- cm_log(0, "Error importing certificate " -- "into NSSDB \"%s\".\n", -- entry->cm_cert_storage_location); -- } -- switch (ec) { -- case PR_NO_ACCESS_RIGHTS_ERROR: /* ACCES/PERM */ -- status = CM_CERTSAVE_STATUS_PERMS; -- break; -- default: -- status = CM_CERTSAVE_STATUS_INTERNAL_ERROR; -- break; -+ /* If we managed to import the certificate, mark its -+ * key for having its nickname removed. */ -+ if ((returned != NULL) && (returned[0] != NULL)) { -+ privkey = PK11_FindKeyByAnyCert(returned[0], NULL); -+ privkeys = add_privkey_to_list(privkeys, privkey); -+ CERT_DestroyCertArray(returned, 1); - } -- } -- /* If we managed to import the certificate, mark its -- * key for having its nickname removed. */ -- if ((returned != NULL) && (returned[0] != NULL)) { -- privkey = PK11_FindKeyByAnyCert(returned[0], NULL); -- privkeys = add_privkey_to_list(privkeys, privkey); -- CERT_DestroyCertArray(returned, 1); -- } -- /* In case we're rekeying, but failed, mark the -- * candidate key for name-clearing or removal, too. 
*/ -- if ((entry->cm_key_next_marker != NULL) && -- (strlen(entry->cm_key_next_marker) > 0)) { -- p = util_build_next_nickname(entry->cm_key_nickname, -- entry->cm_key_next_marker); -- privkeylist = PK11_ListPrivKeysInSlot(PK11_GetInternalKeySlot(), p, NULL); -- if (privkeylist != NULL) { -- for (knode = PRIVKEY_LIST_HEAD(privkeylist); -- !PRIVKEY_LIST_EMPTY(privkeylist) && -- !PRIVKEY_LIST_END(knode, privkeylist); -- knode = PRIVKEY_LIST_NEXT(knode)) { -- q = PK11_GetPrivateKeyNickname(knode->key); -- if ((q != NULL) && -- (strcmp(p, q) == 0)) { -- privkey = SECKEY_CopyPrivateKey(knode->key); -- privkeys = add_privkey_to_list(privkeys, privkey); -- break; -+ /* In case we're rekeying, but failed, mark the -+ * candidate key for name-clearing or removal, too. */ -+ if ((entry->cm_key_next_marker != NULL) && -+ (strlen(entry->cm_key_next_marker) > 0)) { -+ p = util_build_next_nickname(entry->cm_key_nickname, -+ entry->cm_key_next_marker); -+ privkeylist = PK11_ListPrivKeysInSlot(sle->slot, p, NULL); -+ if (privkeylist != NULL) { -+ for (knode = PRIVKEY_LIST_HEAD(privkeylist); -+ !PRIVKEY_LIST_EMPTY(privkeylist) && -+ !PRIVKEY_LIST_END(knode, privkeylist); -+ knode = PRIVKEY_LIST_NEXT(knode)) { -+ q = PK11_GetPrivateKeyNickname(knode->key); -+ if ((q != NULL) && -+ (strcmp(p, q) == 0)) { -+ privkey = SECKEY_CopyPrivateKey(knode->key); -+ privkeys = add_privkey_to_list(privkeys, privkey); -+ break; -+ } - } -+ SECKEY_DestroyPrivateKeyList(privkeylist); - } -- SECKEY_DestroyPrivateKeyList(privkeylist); - } -- } -- if (privkeys != NULL) { -- /* Check if any certificates are still using -- * the keys that correspond to certificates -- * that we removed. */ -- for (i = 0; privkeys[i] != NULL; i++) { -- privkey = privkeys[i]; -- oldcert = PK11_GetCertFromPrivateKey(privkey); -- if (!entry->cm_key_preserve && (oldcert == NULL)) { -- /* We're not preserving -- * orphaned keys, so remove -- * this one. No need to mess -- * with its nickname first. 
*/ -- PK11_DeleteTokenPrivateKey(privkey, PR_FALSE); -- if (error == SECSuccess) { -- cm_log(3, "Removed old key.\n"); -- } else { -- ec = PORT_GetError(); -- if (ec != 0) { -- es = PR_ErrorToName(ec); -+ if (privkeys != NULL) { -+ /* Check if any certificates are still using -+ * the keys that correspond to certificates -+ * that we removed. */ -+ for (i = 0; privkeys[i] != NULL; i++) { -+ privkey = privkeys[i]; -+ oldcert = PK11_GetCertFromPrivateKey(privkey); -+ if (!entry->cm_key_preserve && (oldcert == NULL)) { -+ /* We're not preserving -+ * orphaned keys, so remove -+ * this one. No need to mess -+ * with its nickname first. */ -+ PK11_DeleteTokenPrivateKey(privkey, PR_FALSE); -+ if (error == SECSuccess) { -+ cm_log(3, "Removed old key.\n"); - } else { -- es = NULL; -+ ec = PORT_GetError(); -+ if (ec != 0) { -+ es = PR_ErrorToName(ec); -+ } else { -+ es = NULL; -+ } -+ if (es != NULL) { -+ cm_log(0, "Failed " -+ "to remove " -+ "old key: " -+ "%s.\n", es); -+ } else { -+ cm_log(0, "Failed " -+ "to remove " -+ "old key.\n"); -+ } - } -- if (es != NULL) { -- cm_log(0, "Failed " -- "to remove " -- "old key: " -- "%s.\n", es); -- } else { -- cm_log(0, "Failed " -- "to remove " -- "old key.\n"); -- } -- } -- } else { -- /* Remove the explicit -- * nickname, so that the key -- * will have to be found using -- * the certificate's nickname, -- * and certutil will display -- * the matching certificate's -- * nickname when it's asked to -- * list the keys in the -- * database. */ -- error = PK11_SetPrivateKeyNickname(privkey, ""); -- if (error == SECSuccess) { -- cm_log(3, "Removed " -- "name from old " -- "key.\n"); - } else { -- ec = PORT_GetError(); -- if (ec != 0) { -- es = PR_ErrorToName(ec); -+ /* Remove the explicit -+ * nickname, so that the key -+ * will have to be found using -+ * the certificate's nickname, -+ * and certutil will display -+ * the matching certificate's -+ * nickname when it's asked to -+ * list the keys in the -+ * database. 
*/ -+ error = PK11_SetPrivateKeyNickname(privkey, ""); -+ if (error == SECSuccess) { -+ cm_log(3, "Removed " -+ "name from old " -+ "key.\n"); - } else { -- es = NULL; -- } -- if (es != NULL) { -- cm_log(0, "Failed " -- "to unname " -- "old key: " -- "%s.\n", es); -- } else { -- cm_log(0, "Failed " -- "to unname " -- "old key.\n"); -+ ec = PORT_GetError(); -+ if (ec != 0) { -+ es = PR_ErrorToName(ec); -+ } else { -+ es = NULL; -+ } -+ if (es != NULL) { -+ cm_log(0, "Failed " -+ "to unname " -+ "old key: " -+ "%s.\n", es); -+ } else { -+ cm_log(0, "Failed " -+ "to unname " -+ "old key.\n"); -+ } - } -+ SECKEY_DestroyPrivateKey(privkey); -+ } -+ if (oldcert != NULL) { -+ CERT_DestroyCertificate(oldcert); - } -- SECKEY_DestroyPrivateKey(privkey); -- } -- if (oldcert != NULL) { -- CERT_DestroyCertificate(oldcert); - } -+ free(privkeys); - } -- free(privkeys); -+ } else { -+ cm_log(1, "Error getting handle to default NSS DB.\n"); - } -- } else { -- cm_log(1, "Error getting handle to default NSS DB.\n"); -- } -- PORT_FreeArena(arena, PR_TRUE); -- if (NSS_ShutdownContext(ctx) != SECSuccess) { -- cm_log(1, "Error shutting down NSS.\n"); -- } -- /* Fixup the ownership and permissions on the key and -- * certificate databases. */ -- util_set_db_entry_key_owner(entry->cm_key_storage_location, entry); -- util_set_db_entry_cert_owner(entry->cm_cert_storage_location, entry); -- } -+ PORT_FreeArena(arena, PR_TRUE); -+ if (NSS_ShutdownContext(ctx) != SECSuccess) { -+ cm_log(1, "Error shutting down NSS.\n"); -+ } -+ /* Fixup the ownership and permissions on the key and -+ * certificate databases. */ -+ util_set_db_entry_key_owner(entry->cm_key_storage_location, entry); -+ util_set_db_entry_cert_owner(entry->cm_cert_storage_location, entry); -+ break; -+next_slot: -+ if (sle == slotlist->tail) { -+ break; -+ } -+ } /* for slot loop */ -+ } /* ctx == NULL */ -+ - if (status != 0) { - _exit(status); - } --- -2.14.4 - 
diff --git a/SOURCES/0004-Include-the-token-name-when-a-PIN-is-provided-but-is.patch b/SOURCES/0004-Include-the-token-name-when-a-PIN-is-provided-but-is.patch
deleted file mode 100644
index bba736c..0000000
--- a/SOURCES/0004-Include-the-token-name-when-a-PIN-is-provided-but-is.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From c029b32c04a9a5993b9c8715fb82421fee613137 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden
-Date: Fri, 31 Aug 2018 10:37:12 -0400
-Subject: [PATCH 2/7] Include the token name when a PIN is provided but is
- unused
-
-This improves the output so the user will know which token
-the PIN is missing for. Theoretically it should be the token
-they asked for but this will show certmogner's view of it.
----
- src/certread-n.c | 6 +++---
- src/keygen-n.c | 4 ++--
- 2 files changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/src/certread-n.c b/src/certread-n.c
-index f2e78c07..57a38dcf 100644
---- a/src/certread-n.c
-+++ b/src/certread-n.c
-@@ -259,9 +259,9 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
- if ((pin != NULL) &&
- (strlen(pin) > 0) &&
- (cb_data.n_attempts == 0)) {
-- cm_log(1, "PIN was not needed to auth to cert "
-- "db, though one was provided. "
-- "Treating this as an error.\n");
-+ cm_log(1, "PIN was not needed to auth to token "
-+ "%s, though one was provided. "
-+ "Treating this as an error.\n", token);
- goto next_slot;
- }
- }
-diff --git a/src/keygen-n.c b/src/keygen-n.c
-index 8078a520..84b0bbd3 100644
---- a/src/keygen-n.c
-+++ b/src/keygen-n.c
-@@ -400,8 +400,8 @@ next_slot:
- (strlen(pin) > 0) &&
- (cb_data.n_attempts == 0)) {
- cm_log(1, "PIN was not needed to auth to key "
-- "store, though one was provided. "
-- "Treating this as an error.\n");
-+ "store token %s, though one was provided. "
-+ "Treating this as an error.\n", token);
- PK11_FreeSlotList(slotlist);
- error = NSS_ShutdownContext(ctx);
- if (error != SECSuccess) {
---
-2.14.4
-
diff --git a/SOURCES/0005-Add-utility-function-to-get-the-internal-token-name.patch b/SOURCES/0005-Add-utility-function-to-get-the-internal-token-name.patch
deleted file mode 100644
index ed3abde..0000000
--- a/SOURCES/0005-Add-utility-function-to-get-the-internal-token-name.patch
+++ /dev/null
@@ -1,134 +0,0 @@ -From f396b19b2c222fa0a50e9bb9704059af4578e678 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Fri, 31 Aug 2018 12:08:35 -0400 -Subject: [PATCH 3/7] Add utility function to get the internal token name - -The NSS internal token is the default if no token is specified for -the cert or the key. ---- - src/certread-n.c | 6 +++++- - src/certsave-n.c | 3 +++ - src/keygen-n.c | 3 +++ - src/keyiread-n.c | 3 +++ - src/submit-n.c | 5 ++++- - src/util-n.c | 6 ++++++ - src/util-n.h | 1 + - 7 files changed, 25 insertions(+), 2 deletions(-) - -diff --git a/src/certread-n.c b/src/certread-n.c -index 57a38dcf..1d9217c6 100644 ---- a/src/certread-n.c -+++ b/src/certread-n.c -@@ -190,6 +190,9 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, - cm_log(1, "Error reading PIN for cert db.\n"); - _exit(CM_SUB_STATUS_ERROR_AUTH); - } -+ if (entry->cm_cert_token == NULL) { -+ entry->cm_cert_token = util_internal_token_name(); -+ } - PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb); - for (sle = slotlist->head; - ((sle != NULL) && (sle->slot != NULL)); -@@ -253,7 +256,8 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, - } - error = PK11_Authenticate(sle->slot, PR_TRUE, &cb_data); - if (error != SECSuccess) { -- cm_log(1, "Error authenticating to cert db.\n"); -+ cm_log(1, "certread-n: Error authenticating to cert db " -+ "slot %s.\n", PK11_GetTokenName(sle->slot)); - goto next_slot; - } - if ((pin != NULL) && -diff --git a/src/certsave-n.c b/src/certsave-n.c -index af176ce5..193309c5 100644 ---- a/src/certsave-n.c -+++ b/src/certsave-n.c -@@ -214,6 +214,9 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, - _exit(CM_SUB_STATUS_ERROR_AUTH); - } - PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb); -+ if (entry->cm_cert_token == NULL) { -+ entry->cm_cert_token = util_internal_token_name(); -+ } - for (sle = slotlist->head; - ((sle != NULL) && (sle->slot != NULL)); - 
sle = sle->next) -diff --git a/src/keygen-n.c b/src/keygen-n.c -index 84b0bbd3..f7fdf6c0 100644 ---- a/src/keygen-n.c -+++ b/src/keygen-n.c -@@ -272,6 +272,9 @@ cm_keygen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, - cm_log(1, "Error locating token for key generation.\n"); - _exit(CM_SUB_STATUS_ERROR_NO_TOKEN); - } -+ if (entry->cm_cert_token == NULL) { -+ entry->cm_cert_token = util_internal_token_name(); -+ } - /* Walk the list looking for the requested slot, or the first one if - * none was requested. */ - slot = NULL; -diff --git a/src/keyiread-n.c b/src/keyiread-n.c -index 89913aa2..b8408bf1 100644 ---- a/src/keyiread-n.c -+++ b/src/keyiread-n.c -@@ -152,6 +152,9 @@ cm_keyiread_n_get_keys(struct cm_store_entry *entry, int readwrite) - _exit(CM_SUB_STATUS_ERROR_AUTH); - } - PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb); -+ if (entry->cm_key_token == NULL) { -+ entry->cm_key_token = util_internal_token_name(); -+ } - n_tokens = 0; - pubkey = NULL; - /* In practice, the internal slot is either a non-storage slot (in -diff --git a/src/submit-n.c b/src/submit-n.c -index 872153ea..da07d253 100644 ---- a/src/submit-n.c -+++ b/src/submit-n.c -@@ -346,6 +346,9 @@ cm_submit_n_decrypt_envelope(const unsigned char *envelope, - cm_log(1, "Error reading PIN for key storage.\n"); - goto done; - } -+ if (args->entry->cm_key_token == NULL) { -+ args->entry->cm_key_token = util_internal_token_name(); -+ } - PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb); - n_tokens = 0; - /* In practice, the internal slot is either a non-storage slot (in -@@ -402,7 +405,7 @@ cm_submit_n_decrypt_envelope(const unsigned char *envelope, - } - error = PK11_Authenticate(slot, PR_TRUE, &cb_data); - if (error != SECSuccess) { -- cm_log(1, "Error authenticating to token " -+ cm_log(1, "submit-n: Error authenticating to token " - "\"%s\".\n", token); - goto done; - } -diff --git a/src/util-n.c b/src/util-n.c -index 7805e58e..293e2583 100644 ---- a/src/util-n.c -+++ 
b/src/util-n.c -@@ -287,3 +287,9 @@ util_set_db_entry_cert_owner(const char *dbdir, struct cm_store_entry *entry) - util_set_db_owner_perms(dbdir, secmoddb, entry->cm_cert_owner, - entry->cm_cert_perms); - } -+ -+char * -+util_internal_token_name() -+{ -+ return strdup(PK11_GetTokenName(PK11_GetInternalKeySlot())); -+} -diff --git a/src/util-n.h b/src/util-n.h -index 8a918d5c..637fd4b1 100644 ---- a/src/util-n.h -+++ b/src/util-n.h -@@ -29,5 +29,6 @@ void util_set_db_entry_key_owner(const char *dbdir, - struct cm_store_entry *entry); - void util_set_db_entry_cert_owner(const char *dbdir, - struct cm_store_entry *entry); -+char * util_internal_token_name(); - - #endif --- -2.14.4 - diff --git a/SOURCES/0006-Only-de-duplicate-certificates-within-the-same-token.patch b/SOURCES/0006-Only-de-duplicate-certificates-within-the-same-token.patch deleted file mode 100644 index fb892c6..0000000 --- a/SOURCES/0006-Only-de-duplicate-certificates-within-the-same-token.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From 6ebe5695a626c6cd254b249bbebf9846bcb936c0 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Tue, 4 Sep 2018 11:06:13 -0400 -Subject: [PATCH 4/7] Only de-duplicate certificates within the same token - -certmonger may not have read/write access to tokens other than -the one it is examining so don't try to de-duplicate certificates -on other tokens. ---- - src/certsave-n.c | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/src/certsave-n.c b/src/certsave-n.c -index 193309c5..d0152cad 100644 ---- a/src/certsave-n.c -+++ b/src/certsave-n.c -@@ -391,8 +391,9 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, - !CERT_LIST_EMPTY(certlist) && - !CERT_LIST_END(node, certlist); - node = CERT_LIST_NEXT(node)) { -- if (!SECITEM_ItemsAreEqual(&subject, -- &node->cert->derSubject)) { -+ if ((!SECITEM_ItemsAreEqual(&subject, -+ &node->cert->derSubject)) && -+ (sle->slot == node->cert->slot)) { - cm_log(3, "Found a " - "certificate " - "with the same " -@@ -441,7 +442,8 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, - node = CERT_LIST_NEXT(node)) { - if ((node->cert->nickname != NULL) && - (strcmp(entry->cm_cert_nickname, -- node->cert->nickname) != 0)) -+ node->cert->nickname) != 0) && -+ (sle->slot == node->cert->slot)) - { - i++; - cm_log(3, "Found a " --- -2.14.4 - diff --git a/SOURCES/0007-Ensure-that-an-OpenSSL-random-seed-file-exists-when-.patch b/SOURCES/0007-Ensure-that-an-OpenSSL-random-seed-file-exists-when-.patch deleted file mode 100644 index 184a651..0000000 --- a/SOURCES/0007-Ensure-that-an-OpenSSL-random-seed-file-exists-when-.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From 697dd085e7b2ce15eefc454509987270131d7f1e Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Tue, 4 Sep 2018 16:59:28 -0400 -Subject: [PATCH 5/7] Ensure that an OpenSSL random seed file exists when - testing - -Otherwise some openssl command-line invocations will fail and -because of the way the tests are done the error message is not -shown. ---- - tests/Makefile.am | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/tests/Makefile.am b/tests/Makefile.am -index 4e407434..fe368dc0 100644 ---- a/tests/Makefile.am -+++ b/tests/Makefile.am -@@ -433,6 +433,9 @@ subdirs += \ - endif - - check: all -+ if [ ! -e $$HOME/.rnd ] ; then \ -+ openssl rand -writerand $$HOME/.rnd; \ -+ fi - for required in certutil cmsutil pk12util openssl diff cmp mktemp \ - dos2unix unix2dos dbus-launch ; do \ - which $$required || exit 1; \ --- -2.14.4 - diff --git a/SOURCES/0008-Log-test-failures-of-bad-pin.patch b/SOURCES/0008-Log-test-failures-of-bad-pin.patch deleted file mode 100644 index 45fa77b..0000000 --- a/SOURCES/0008-Log-test-failures-of-bad-pin.patch +++ /dev/null @@ -1,29 +0,0 @@ -From e93ecadec7c868f4227e084ffb65c70a6efd7314 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Tue, 4 Sep 2018 18:12:18 -0400 -Subject: [PATCH 6/7] Log test failures of bad pin - -Previously this would show a "don't know why" failure. ---- - tests/tools/certsave.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/tests/tools/certsave.c b/tests/tools/certsave.c -index ac0f73ec..fd86a4c1 100644 ---- a/tests/tools/certsave.c -+++ b/tests/tools/certsave.c -@@ -106,6 +106,11 @@ main(int argc, char **argv) - printf("Failed to save (%s:%s), " - "filesystem permissions error.\n", - ctype, entry->cm_cert_storage_location); -+ } else -+ if (cm_certsave_pin_error(state) == 0) { -+ printf("Failed to save (%s:%s), " -+ "pin error.\n", -+ ctype, entry->cm_cert_storage_location); - } else { - printf("Failed to save (%s:%s), " - "don't know why.\n", --- -2.14.4 - 
diff --git a/SOURCES/0009-Use-only-PK11_ImportCert-to-import-certs-not-CERT_Im.patch b/SOURCES/0009-Use-only-PK11_ImportCert-to-import-certs-not-CERT_Im.patch
deleted file mode 100644
index dd0c3fc..0000000
--- a/SOURCES/0009-Use-only-PK11_ImportCert-to-import-certs-not-CERT_Im.patch
+++ /dev/null
@@ -1,95 +0,0 @@ -From 15d406ee3afbb52832d5c61a1afb735724d109a2 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Tue, 18 Sep 2018 10:21:28 -0400 -Subject: [PATCH 7/7] Use only PK11_ImportCert to import certs, not - CERT_ImportCerts - -CERT_ImportCerts always imports a given certificate into the -certificate database, whether a token is requested or not. - -Using PK11_ImportCert will import the cert, associate the key -properly and will only add the certificate to the appropriate -token. ---- - src/certsave-n.c | 37 +++++++++++-------------------------- - 1 file changed, 11 insertions(+), 26 deletions(-) - -diff --git a/src/certsave-n.c b/src/certsave-n.c -index d0152cad..fcb43148 100644 ---- a/src/certsave-n.c -+++ b/src/certsave-n.c -@@ -100,7 +100,7 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, - NSSInitContext *ctx; - CERTCertDBHandle *certdb; - CERTCertList *certlist; -- CERTCertificate **returned, *oldcert, cert; -+ CERTCertificate *oldcert, *newcert, cert; - CERTCertTrust trust; - CERTSignedData csdata; - CERTCertListNode *node; -@@ -497,33 +497,18 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, - } - } - /* Import the certificate. */ -- returned = NULL; -- error = CERT_ImportCerts(certdb, -- certUsageUserCertImport, -- 1, &item, &returned, -- PR_TRUE, -- PR_FALSE, -- entry->cm_cert_nickname); -- ec = PORT_GetError(); -- if (error == SECSuccess) { -- /* If NSS uses SQL DB storage, CERT_ImportCerts creates -- * an incomplete internal state (the cert isn't -- * associated with the private key, and calling -- * PK11_FindKeyByAnyCert returns no result). -- * As a workaround, we import the cert again using -- * PK11_ImportCert, which magically fixes the issue. 
-- * See rhbz#1532188 */ -+ newcert = CERT_DecodeCertFromPackage((char *)item->data, item->len); -+ if (newcert != NULL) { - error = PK11_ImportCert(sle->slot, -- returned[0], -+ newcert, - CK_INVALID_HANDLE, -- returned[0]->nickname, -+ entry->cm_cert_nickname, - PR_FALSE); - } - if (error == SECSuccess) { -- cm_log(1, "Imported certificate \"%s\", got " -+ cm_log(1, "Imported certificate with " - "nickname \"%s\".\n", -- entry->cm_cert_nickname, -- returned[0]->nickname); -+ entry->cm_cert_nickname); - status = 0; - /* Set the trust on the new certificate, - * perhaps matching the trust on an -@@ -536,7 +521,7 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, - trust.objectSigningFlags = CERTDB_USER; - } - error = CERT_ChangeCertTrust(certdb, -- returned[0], -+ newcert, - &trust); - ec = PORT_GetError(); - if (error != SECSuccess) { -@@ -621,10 +606,10 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, - } - /* If we managed to import the certificate, mark its - * key for having its nickname removed. */ -- if ((returned != NULL) && (returned[0] != NULL)) { -- privkey = PK11_FindKeyByAnyCert(returned[0], NULL); -+ if (newcert != NULL) { -+ privkey = PK11_FindKeyByAnyCert(newcert, NULL); - privkeys = add_privkey_to_list(privkeys, privkey); -- CERT_DestroyCertArray(returned, 1); -+ CERT_DestroyCertificate(newcert); - } - /* In case we're rekeying, but failed, mark the - * candidate key for name-clearing or removal, too. */ --- -2.14.4 - diff --git a/SOURCES/0010-Fix-memory-leak-in-util_internal_token_name.patch b/SOURCES/0010-Fix-memory-leak-in-util_internal_token_name.patch deleted file mode 100644 index 57bb556..0000000 --- a/SOURCES/0010-Fix-memory-leak-in-util_internal_token_name.patch +++ /dev/null 
@@ -1,95 +0,0 @@ -From 5d2554ed31fa6bc121d94efe533f9e4fea3900aa Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Thu, 4 Oct 2018 08:21:35 -0400 -Subject: [PATCH 10/17] Fix memory leak in util_internal_token_name() - -Allocate memory using the talloc context instead of relying on -the caller to call free(). ---- - src/certread-n.c | 2 +- - src/certsave-n.c | 2 +- - src/keygen-n.c | 2 +- - src/keyiread-n.c | 2 +- - src/submit-n.c | 2 +- - src/util-n.c | 2 +- - 6 files changed, 6 insertions(+), 6 deletions(-) - -diff --git a/src/certread-n.c b/src/certread-n.c -index 1d9217c6..d535030b 100644 ---- a/src/certread-n.c -+++ b/src/certread-n.c -@@ -191,7 +191,7 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, - _exit(CM_SUB_STATUS_ERROR_AUTH); - } - if (entry->cm_cert_token == NULL) { -- entry->cm_cert_token = util_internal_token_name(); -+ entry->cm_cert_token = talloc_strdup(entry, util_internal_token_name()); - } - PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb); - for (sle = slotlist->head; -diff --git a/src/certsave-n.c b/src/certsave-n.c -index fcb43148..49b28324 100644 ---- a/src/certsave-n.c -+++ b/src/certsave-n.c -@@ -215,7 +215,7 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, - } - PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb); - if (entry->cm_cert_token == NULL) { -- entry->cm_cert_token = util_internal_token_name(); -+ entry->cm_cert_token = talloc_strdup(entry, util_internal_token_name()); - } - for (sle = slotlist->head; - ((sle != NULL) && (sle->slot != NULL)); -diff --git a/src/keygen-n.c b/src/keygen-n.c -index f7fdf6c0..76a5c1d3 100644 ---- a/src/keygen-n.c -+++ b/src/keygen-n.c -@@ -273,7 +273,7 @@ cm_keygen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, - _exit(CM_SUB_STATUS_ERROR_NO_TOKEN); - } - if (entry->cm_cert_token == NULL) { -- entry->cm_cert_token = util_internal_token_name(); -+ entry->cm_cert_token = talloc_strdup(entry, 
util_internal_token_name()); - } - /* Walk the list looking for the requested slot, or the first one if - * none was requested. */ -diff --git a/src/keyiread-n.c b/src/keyiread-n.c -index b8408bf1..8f46ec0f 100644 ---- a/src/keyiread-n.c -+++ b/src/keyiread-n.c -@@ -153,7 +153,7 @@ cm_keyiread_n_get_keys(struct cm_store_entry *entry, int readwrite) - } - PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb); - if (entry->cm_key_token == NULL) { -- entry->cm_key_token = util_internal_token_name(); -+ entry->cm_key_token = talloc_strdup(entry, util_internal_token_name()); - } - n_tokens = 0; - pubkey = NULL; -diff --git a/src/submit-n.c b/src/submit-n.c -index da07d253..ee6f3105 100644 ---- a/src/submit-n.c -+++ b/src/submit-n.c -@@ -347,7 +347,7 @@ cm_submit_n_decrypt_envelope(const unsigned char *envelope, - goto done; - } - if (args->entry->cm_key_token == NULL) { -- args->entry->cm_key_token = util_internal_token_name(); -+ args->entry->cm_key_token = talloc_strdup(args->entry, util_internal_token_name()); - } - PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb); - n_tokens = 0; -diff --git a/src/util-n.c b/src/util-n.c -index 293e2583..4ab3d47b 100644 ---- a/src/util-n.c -+++ b/src/util-n.c -@@ -291,5 +291,5 @@ util_set_db_entry_cert_owner(const char *dbdir, struct cm_store_entry *entry) - char * - util_internal_token_name() - { -- return strdup(PK11_GetTokenName(PK11_GetInternalKeySlot())); -+ return PK11_GetTokenName(PK11_GetInternalKeySlot()); - } --- -2.14.4 - diff --git a/SOURCES/0011-clang-Dead-assignment.patch b/SOURCES/0011-clang-Dead-assignment.patch deleted file mode 100644 index 8aa4645..0000000 --- a/SOURCES/0011-clang-Dead-assignment.patch +++ /dev/null 
@@ -1,266 +0,0 @@ -From 648fe74986f2a84416805cfd73206e9e67166ae2 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Thu, 13 Sep 2018 15:40:23 -0400 -Subject: [PATCH 11/17] clang: Dead assignment - ---- - src/casave.c | 4 +++- - src/keygen-n.c | 1 - - src/keyiread-n.c | 1 - - src/store-files.c | 2 -- - src/store-gen.c | 3 --- - src/submit-e.c | 54 ++++++++++++++++++++++++++------------------------ - src/submit-u.c | 2 -- - src/tdbush.c | 8 ++++++-- - tests/tools/addcinfo.c | 1 - - tests/tools/certsave.c | 4 +++- - 10 files changed, 40 insertions(+), 40 deletions(-) - -diff --git a/src/casave.c b/src/casave.c -index 5fb31b8d..bde63f99 100644 ---- a/src/casave.c -+++ b/src/casave.c -@@ -163,7 +163,6 @@ cm_casave_main_n(int fd, struct cm_store_ca *ca, struct cm_store_entry *e, - decoded = CERT_DecodeCertFromPackage(package, - strlen(package)); - p = state->certs[i]->nickname; -- ttrust = ",,"; - switch (state->certs[i]->level) { - case root: - case other_root: -@@ -178,6 +177,9 @@ cm_casave_main_n(int fd, struct cm_store_ca *ca, struct cm_store_entry *e, - ttrust = ",,"; - } - break; -+ default: -+ ttrust = ",,"; -+ break; - } - memset(&trust, 0, sizeof(trust)); - CERT_DecodeTrustString(&trust, ttrust); -diff --git a/src/keygen-n.c b/src/keygen-n.c -index 76a5c1d3..061bd2af 100644 ---- a/src/keygen-n.c -+++ b/src/keygen-n.c -@@ -591,7 +591,6 @@ retry_gen: - break; - } - } -- generated_size = SECKEY_PublicKeyStrengthInBits(pubkey); - cm_log(1, "Ended up with %d bit public key.\n", - SECKEY_PublicKeyStrengthInBits(pubkey)); - /* Check for keys with the desired name, selecting a new name if -diff --git a/src/keyiread-n.c b/src/keyiread-n.c -index 8f46ec0f..91b1be41 100644 ---- a/src/keyiread-n.c -+++ b/src/keyiread-n.c -@@ -492,7 +492,6 @@ cm_keyiread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, - readwrite = settings->readwrite; - keys = cm_keyiread_n_get_keys(entry, readwrite); - alg = ""; -- size = 0; - if (keys != NULL) { - switch 
(SECKEY_GetPrivateKeyType(keys->privkey)) { - case rsaKey: -diff --git a/src/store-files.c b/src/store-files.c -index 06a17485..df1fa336 100644 ---- a/src/store-files.c -+++ b/src/store-files.c -@@ -2182,7 +2182,6 @@ cm_store_entry_delete(struct cm_store_entry *entry) - } else { - cm_log(3, "No file to remove for \"%s\".\n", - entry->cm_nickname); -- ret = 0; - } - return 0; - } -@@ -2469,7 +2468,6 @@ cm_store_ca_delete(struct cm_store_ca *ca) - } - } else { - cm_log(3, "No file to remove for \"%s\".\n", ca->cm_nickname); -- ret = 0; - } - return 0; - } -diff --git a/src/store-gen.c b/src/store-gen.c -index 5ce4ab84..da32afc8 100644 ---- a/src/store-gen.c -+++ b/src/store-gen.c -@@ -530,8 +530,6 @@ cm_store_hex_to_bin(const char *serial, unsigned char *buf, int length) - const char *p, *q, *chars = "0123456789abcdef"; - unsigned char *b, u; - -- p = serial; -- b = buf; - u = 0; - for (p = serial, b = buf; - ((*p != '\0') && ((b - buf) < length)); -@@ -606,7 +604,6 @@ cm_store_canonicalize_path(void *parent, const char *path) - for (p = tmp; *p != '\0'; p++) { - if ((strncmp(p, "/.", 2) == 0) && - ((p[2] == '/') || (p[2] == '\0'))) { -- q = p - 1; - memmove(p, p + 2, strlen(p + 2) + 1); - } - } -diff --git a/src/submit-e.c b/src/submit-e.c -index 8ba8e44c..d6158d7a 100644 ---- a/src/submit-e.c -+++ b/src/submit-e.c -@@ -587,32 +587,34 @@ cm_submit_e_postprocess_main(int fd, struct cm_store_ca *ca, - estate->msg_length, NULL); - msg = cm_json_new_object(estate); - chain = cm_json_new_array(msg); -- if (leaf != NULL) { -- cert = cm_json_new_string(msg, leaf, -1); -- cm_json_set(msg, CM_SUBMIT_E_CERTIFICATE, cert); -- } -- for (i = 0; -- (others != NULL) && (others[i] != NULL); -- i++) { -- cert = cm_json_new_object(chain); -- val = cm_json_new_string(cert, others[i], -1); -- cm_json_set(cert, CM_SUBMIT_E_CERTIFICATE, val); -- nthnick = talloc_asprintf(cert, "chain #%d", i + 1); -- nick = cm_json_new_string(cert, nthnick, -1); -- cm_json_set(cert, CM_SUBMIT_E_NICKNAME, 
nick); -- cm_json_append(chain, cert); -- } -- if (top!= NULL) { -- cert = cm_json_new_object(chain); -- val = cm_json_new_string(cert, top, -1); -- cm_json_set(cert, CM_SUBMIT_E_CERTIFICATE, val); -- nthnick = talloc_asprintf(cert, "chain #%d", i + 1); -- nick = cm_json_new_string(cert, nthnick, -1); -- cm_json_set(cert, CM_SUBMIT_E_NICKNAME, nick); -- cm_json_append(chain, cert); -- } -- if (cm_json_array_size(chain) > 0) { -- cm_json_set(msg, CM_SUBMIT_E_CHAIN, chain); -+ if (i == 0) { -+ if (leaf != NULL) { -+ cert = cm_json_new_string(msg, leaf, -1); -+ cm_json_set(msg, CM_SUBMIT_E_CERTIFICATE, cert); -+ } -+ for (i = 0; -+ (others != NULL) && (others[i] != NULL); -+ i++) { -+ cert = cm_json_new_object(chain); -+ val = cm_json_new_string(cert, others[i], -1); -+ cm_json_set(cert, CM_SUBMIT_E_CERTIFICATE, val); -+ nthnick = talloc_asprintf(cert, "chain #%d", i + 1); -+ nick = cm_json_new_string(cert, nthnick, -1); -+ cm_json_set(cert, CM_SUBMIT_E_NICKNAME, nick); -+ cm_json_append(chain, cert); -+ } -+ if (top!= NULL) { -+ cert = cm_json_new_object(chain); -+ val = cm_json_new_string(cert, top, -1); -+ cm_json_set(cert, CM_SUBMIT_E_CERTIFICATE, val); -+ nthnick = talloc_asprintf(cert, "chain #%d", i + 1); -+ nick = cm_json_new_string(cert, nthnick, -1); -+ cm_json_set(cert, CM_SUBMIT_E_NICKNAME, nick); -+ cm_json_append(chain, cert); -+ } -+ if (cm_json_array_size(chain) > 0) { -+ cm_json_set(msg, CM_SUBMIT_E_CHAIN, chain); -+ } - } - } - /* Get ready to build an output message. 
*/ -diff --git a/src/submit-u.c b/src/submit-u.c -index dda2edbc..b0b45baf 100644 ---- a/src/submit-u.c -+++ b/src/submit-u.c -@@ -120,14 +120,12 @@ cm_submit_u_from_file_single(const char *filename) - if (csr == NULL) { - return NULL; - } -- p = csr; - for (i = 0; i < sizeof(strip) / sizeof(strip[0]); i++) { - while ((p = strstr(csr, strip[i])) != NULL) { - q = p + strcspn(p, "\r\n"); - memmove(p, q, strlen(q) + 1); - } - } -- p = csr; - q = strdup(csr); - for (p = csr, i = 0; *p != '\0'; p++) { - if (strchr("\r\n\t ", *p) == NULL) { -diff --git a/src/tdbush.c b/src/tdbush.c -index 1d487222..3184e67a 100644 ---- a/src/tdbush.c -+++ b/src/tdbush.c -@@ -2911,7 +2911,6 @@ request_get_key_type_and_size(DBusConnection *conn, DBusMessage *msg, - return DBUS_HANDLER_RESULT_NOT_YET_HANDLED; - } - rep = dbus_message_new_method_return(msg); -- type = "UNKNOWN"; - switch (entry->cm_key_type.cm_key_algorithm) { - case cm_key_unspecified: - type = "UNKNOWN"; -@@ -2929,6 +2928,9 @@ request_get_key_type_and_size(DBusConnection *conn, DBusMessage *msg, - type = "EC"; - break; - #endif -+ default: -+ type = "UNKNOWN"; -+ break; - } - if (rep != NULL) { - size = entry->cm_key_type.cm_key_size; -@@ -4790,7 +4792,6 @@ cm_tdbush_introspect_method(void *parent, - method->cm_name); - arg = method->cm_args; - while (arg != NULL) { -- direction = "unknown"; - switch (arg->cm_direction) { - case cm_tdbush_method_arg_in: - direction = "in"; -@@ -4798,6 +4799,9 @@ cm_tdbush_introspect_method(void *parent, - case cm_tdbush_method_arg_out: - direction = "out"; - break; -+ default: -+ direction = "unknown"; -+ break; - } - ret = talloc_asprintf(parent, - "%s\n 0) { - j += i; -diff --git a/tests/tools/certsave.c b/tests/tools/certsave.c -index fd86a4c1..8ec60ddd 100644 ---- a/tests/tools/certsave.c -+++ b/tests/tools/certsave.c -@@ -83,7 +83,6 @@ main(int argc, char **argv) - if (cm_certsave_saved(state) == 0) { - ret = 0; - } else { -- ctype = "unknown"; - switch (entry->cm_cert_storage_type) { 
- case cm_cert_storage_file: - ctype = "FILE"; -@@ -91,6 +90,9 @@ main(int argc, char **argv) - case cm_cert_storage_nssdb: - ctype = "NSS"; - break; -+ default: -+ ctype = "unknown"; -+ break; - } - if (cm_certsave_conflict_subject(state) == 0) { - printf("Failed to save (%s:%s), " --- -2.14.4 - diff --git a/SOURCES/0012-clang-Memory-leak.patch b/SOURCES/0012-clang-Memory-leak.patch deleted file mode 100644 index d2fc9e0..0000000 --- a/SOURCES/0012-clang-Memory-leak.patch +++ /dev/null 
@@ -1,437 +0,0 @@ -From 3310a25181e94f5e05e671acc12d008cbac339ab Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Thu, 13 Sep 2018 15:50:53 -0400 -Subject: [PATCH 12/17] clang: Memory leak - ---- - src/certmaster.c | 3 +++ - src/certsave-o.c | 1 + - src/dogtag.c | 3 +++ - src/ipa.c | 9 ++++++++- - src/local.c | 5 +++++ - src/scep.c | 5 +++++ - src/srvloc.c | 1 + - src/store-files.c | 2 +- - src/submit-x.c | 22 ++++++++++++++++++++++ - src/util.c | 8 +++++++- - tests/tools/addcinfo.c | 3 +++ - tests/tools/base2pem.c | 1 + - tests/tools/pem2base.c | 1 + - 13 files changed, 61 insertions(+), 3 deletions(-) - -diff --git a/src/certmaster.c b/src/certmaster.c -index 7e0bed90..4a5cf6af 100644 ---- a/src/certmaster.c -+++ b/src/certmaster.c -@@ -160,6 +160,7 @@ main(int argc, const char **argv) - CM_SUBMIT_CSR_ENV); - } - poptPrintUsage(pctx, stdout, 0); -+ free(csr); - return CM_SUBMIT_STATUS_UNCONFIGURED; - } - -@@ -185,11 +186,13 @@ main(int argc, const char **argv) - if (ctx == NULL) { - fprintf(stderr, "Error setting up for XMLRPC.\n"); - printf(_("Error setting up for XMLRPC.\n")); -+ free(csr); - return CM_SUBMIT_STATUS_UNCONFIGURED; - } - - /* Add the CSR as the sole argument. */ - cm_submit_x_add_arg_s(ctx, csr); -+ free(csr); - - /* Submit the request. 
*/ - fprintf(stderr, "Submitting request to \"%s\".\n", uri); -diff --git a/src/certsave-o.c b/src/certsave-o.c -index 77f54d7e..3d4018d8 100644 ---- a/src/certsave-o.c -+++ b/src/certsave-o.c -@@ -258,6 +258,7 @@ cm_certsave_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, - if (bin != NULL) { - BN_bn2bin(bn, bin); - serial = cm_store_hex_from_bin(NULL, bin, BN_num_bytes(bn)); -+ free(bin); - } - } - if (serial != NULL) { -diff --git a/src/dogtag.c b/src/dogtag.c -index cd0b38b7..55607f3d 100644 ---- a/src/dogtag.c -+++ b/src/dogtag.c -@@ -536,6 +536,7 @@ main(int argc, const char **argv) - CM_SUBMIT_CSR_ENV); - } - poptPrintUsage(pctx, stdout, 0); -+ free(csr); - return CM_SUBMIT_STATUS_UNCONFIGURED; - } - csr = cm_submit_u_url_encode(csr); -@@ -588,6 +589,8 @@ main(int argc, const char **argv) - params = talloc_asprintf(ctx, - "%s&%s=%s", - params, p, q); -+ free(p); -+ free(q); - } - use_agent_approval = FALSE; - break; -diff --git a/src/ipa.c b/src/ipa.c -index 67a0c651..acd1a4e2 100644 ---- a/src/ipa.c -+++ b/src/ipa.c -@@ -226,6 +226,7 @@ cm_locate_xmlrpc_service(const char *server, - if (basedn == NULL) { - i = cm_find_default_naming_context(ld, &basedn); - if (i != 0) { -+ free(basedn); - return i; - } - } -@@ -526,6 +527,7 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri, - if (basedn == NULL) { - i = cm_find_default_naming_context(ld, &basedn); - if (i != 0) { -+ free(basedn); - return i; - } - } -@@ -802,6 +804,7 @@ main(int argc, const char **argv) - printf(_("Unable to read signing request from environment variable \"%s\".\n"), - CM_SUBMIT_CSR_ENV); - } -+ free(csr); - poptPrintUsage(pctx, stdout, 0); - return CM_SUBMIT_STATUS_UNCONFIGURED; - } -@@ -903,12 +906,16 @@ main(int argc, const char **argv) - - if ((strcasecmp(mode, CM_OP_SUBMIT) == 0) || - (strcasecmp(mode, CM_OP_POLL) == 0)) { -- return submit_or_poll(uri, cainfo, capath, server, -+ int ret; -+ ret = submit_or_poll(uri, cainfo, capath, server, - 
ldap_uri_cmd, ldap_uri, host, domain, - basedn, uid, pwd, csr, reqprinc, profile, - issuer); -+ free(csr); -+ return ret; - } else - if (strcasecmp(mode, CM_OP_FETCH_ROOTS) == 0) { -+ free(csr); - return fetch_roots(server, ldap_uri_cmd, ldap_uri, host, - uid, pwd, domain, basedn); - } -diff --git a/src/local.c b/src/local.c -index f437d62e..92bea144 100644 ---- a/src/local.c -+++ b/src/local.c -@@ -559,6 +559,7 @@ main(int argc, const char **argv) - printf(_("Unable to read signing request.\n")); - cm_log(1, "Unable to read signing request.\n"); - poptPrintUsage(pctx, stdout, 0); -+ free(csr); - return CM_SUBMIT_STATUS_UNCONFIGURED; - } - /* Take the lock. */ -@@ -568,6 +569,7 @@ main(int argc, const char **argv) - &signer, &key); - if ((i != 0) || (signer == NULL)) { - cm_log(1, "Error reading signer info.\n"); -+ free(csr); - /* Try again sometime later. */ - return CM_SUBMIT_STATUS_UNREACHABLE; - } -@@ -577,11 +579,13 @@ main(int argc, const char **argv) - if ((fp == NULL) && (errno != ENOENT)) { - cm_log(1, "Error reading '%s': %s.\n", serial, - strerror(errno)); -+ free(csr); - return CM_SUBMIT_STATUS_UNREACHABLE; - } - if (fp != NULL) { - if (fgets(buf, sizeof(buf), fp) == NULL) { - fclose(fp); -+ free(csr); - return CM_SUBMIT_STATUS_UNREACHABLE; - } - buf[strcspn(buf, "\r\n")] = '\0'; -@@ -601,6 +605,7 @@ main(int argc, const char **argv) - /* Actually sign the request. */ - i = cm_submit_o_sign(parent, csr, signer, key, hexserial, - now, 0, &cert); -+ free(csr); - if ((i == 0) && (cert != NULL)) { - /* Roll the serial number up. 
*/ - hexserial = cm_store_increment_serial(parent, -diff --git a/src/scep.c b/src/scep.c -index 72dff3d5..68eae788 100644 ---- a/src/scep.c -+++ b/src/scep.c -@@ -338,6 +338,7 @@ main(int argc, const char **argv) - } - if (c != -1) { - poptPrintUsage(pctx, stdout, 0); -+ free(cainfo); - return CM_SUBMIT_STATUS_UNCONFIGURED; - } - -@@ -386,6 +387,7 @@ main(int argc, const char **argv) - } - if ((message == NULL) || (strlen(message) == 0)) { - printf(_("Error reading request. Expected PKCS7 data containing a GetInitialCert pkiMessage, got nothing.\n")); -+ free(cainfo); - return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES; - } - /* First step: read capabilities for our use. */ -@@ -405,6 +407,7 @@ main(int argc, const char **argv) - } - if ((message == NULL) || (strlen(message) == 0)) { - printf(_("Error reading request. Expected PKCS7 data containing a PKCSReq pkiMessage, got nothing.\n")); -+ free(cainfo); - return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES; - } - /* First step: read capabilities for our use. */ -@@ -416,6 +419,7 @@ main(int argc, const char **argv) - /* Supply help output, if it's needed. */ - if (missing_args) { - poptPrintUsage(pctx, stdout, 0); -+ free(cainfo); - return CM_SUBMIT_STATUS_UNCONFIGURED; - } - -@@ -492,6 +496,7 @@ main(int argc, const char **argv) - verbose > 1 ? 
- cm_submit_h_curl_verbose_on : - cm_submit_h_curl_verbose_off); -+ free(cainfo); - cm_submit_h_run(hctx); - content_type = cm_submit_h_result_type(hctx); - if (content_type == NULL) { -diff --git a/src/srvloc.c b/src/srvloc.c -index acab55bf..e8f3f5a5 100644 ---- a/src/srvloc.c -+++ b/src/srvloc.c -@@ -189,6 +189,7 @@ cm_srvloc_resolve(void *parent, const char *name, const char *udomain, - domain = strdup(udomain); - #endif - i = res_querydomain(name, domain, C_IN, T_SRV, answer, answer_len); -+ free(domain); - if (i == -1) { - return -1; - } -diff --git a/src/store-files.c b/src/store-files.c -index df1fa336..b97ba5ff 100644 ---- a/src/store-files.c -+++ b/src/store-files.c -@@ -558,8 +558,8 @@ cm_store_file_read_lines(void *parent, FILE *fp) - case ';': - break; - } -+ free(buf); - } -- free(buf); - /* If we were reading a line, append it to the list. */ - if (s != NULL) { - tlines = talloc_realloc(parent, lines, char *, n_lines + 2); -diff --git a/src/submit-x.c b/src/submit-x.c -index 60bcf78a..fa81e9aa 100644 ---- a/src/submit-x.c -+++ b/src/submit-x.c -@@ -75,6 +75,8 @@ cm_submit_x_ccache_realm(char **msg) - ret = get_error_message(ctx, kret)); - if (msg != NULL) { - *msg = ret; -+ } else { -+ free(ret); - } - return NULL; - } -@@ -84,6 +86,8 @@ cm_submit_x_ccache_realm(char **msg) - ret = get_error_message(ctx, kret)); - if (msg != NULL) { - *msg = ret; -+ } else { -+ free(ret); - } - return NULL; - } -@@ -93,6 +97,8 @@ cm_submit_x_ccache_realm(char **msg) - ret = get_error_message(ctx, kret)); - if (msg != NULL) { - *msg = ret; -+ } else { -+ free(ret); - } - return NULL; - } -@@ -139,6 +145,8 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg) - fprintf(stderr, "Error initializing Kerberos: %s.\n", ret); - if (msg != NULL) { - *msg = ret; -+ } else { -+ free(ret); - } - return kret; - } -@@ -152,6 +160,8 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg) - ret = get_error_message(ctx, kret)); - 
if (msg != NULL) {
- *msg = ret;
-+ } else {
-+ free(ret);
- }
- return kret;
- }
-@@ -163,6 +173,8 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
- principal, ret = get_error_message(ctx, kret));
- if (msg != NULL) {
- *msg = ret;
-+ } else {
-+ free(ret);
- }
- return kret;
- }
-@@ -174,6 +186,8 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
- ret = get_error_message(ctx, kret));
- if (msg != NULL) {
- *msg = ret;
-+ } else {
-+ free(ret);
- }
- return kret;
- }
-@@ -195,6 +209,8 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
- ret = get_error_message(ctx, kret));
- if (msg != NULL) {
- *msg = ret;
-+ } else {
-+ free(ret);
- }
- return kret;
- }
-@@ -213,6 +229,8 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
- ret = get_error_message(ctx, kret));
- if (msg != NULL) {
- *msg = ret;
-+ } else {
-+ free(ret);
- }
- return kret;
- }
-@@ -227,6 +245,8 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
- ret = get_error_message(ctx, kret));
- if (msg != NULL) {
- *msg = ret;
-+ } else {
-+ free(ret);
- }
- return kret;
- }
-@@ -237,6 +257,8 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
- ret = get_error_message(ctx, kret));
- if (msg != NULL) {
- *msg = ret;
-+ } else {
-+ free(ret);
- }
- return kret;
- }
-diff --git a/src/util.c b/src/util.c
-index 67143d52..373bb533 100644
---- a/src/util.c
-+++ b/src/util.c
-@@ -98,7 +98,7 @@ read_config_file(const char *filename)
- char *
- get_config_entry(char * in_data, const char *section, const char *key)
- {
-- char *ptr = NULL, *p, *tmp;
-+ char *ptr = NULL, *p, *tmp = NULL;
- char *line;
- int in_section = 0;
- char * data = strdup(in_data);
-@@ -129,9 +129,12 @@ get_config_entry(char * in_data, const char *section, const char *key)
- }
- if (strcmp(section, tmp) == 0) {
- free(tmp);
-+ tmp = NULL;
- in_section = 1;
-
continue;
- }
-+ free(tmp);
-+ tmp = NULL;
- }
- } /* [ */
-
-@@ -145,8 +148,10 @@ get_config_entry(char * in_data, const char *section, const char *key)
- tmp = strndup(line, p - line);
- if (strcmp(key, tmp) != 0) {
- free(tmp);
-+ tmp = NULL;
- } else {
- free(tmp);
-+ tmp = NULL;
-
- /* Skip over any whitespace after the equal sign. */
- line = strchr(line, '=');
-@@ -168,5 +173,6 @@ get_config_entry(char * in_data, const char *section, const char *key)
- }
- }
- free(data);
-+ free(tmp);
- return NULL;
- }
-diff --git a/tests/tools/addcinfo.c b/tests/tools/addcinfo.c
-index f016acb4..939005c2 100644
---- a/tests/tools/addcinfo.c
-+++ b/tests/tools/addcinfo.c
-@@ -86,6 +86,7 @@ main(int argc, char **argv)
- if (enveloped == NULL) {
- cm_log(0, "Internal error: %s.\n",
- PR_ErrorToName(PORT_GetError()));
-+ free(buffer);
- return 1;
- }
- ci.content_type = enveloped->oid;
-@@ -96,6 +97,7 @@ main(int argc, char **argv)
- content_info_template) != &encoded) {
- cm_log(0, "Encoding error: %s.\n",
- PR_ErrorToName(PORT_GetError()));
-+ free(buffer);
- return 1;
- }
- j = 0;
-@@ -105,5 +107,6 @@ main(int argc, char **argv)
- break;
- }
- }
-+ free(buffer);
- return 0;
- }
-diff --git a/tests/tools/base2pem.c b/tests/tools/base2pem.c
-index 40e74201..31359684 100644
---- a/tests/tools/base2pem.c
-+++ b/tests/tools/base2pem.c
-@@ -76,5 +76,6 @@ main(int argc, const char **argv)
- }
- }
- printf("%s", cm_submit_u_pem_from_base64(type, dos, p));
-+ free(p);
- return 0;
- }
-diff --git a/tests/tools/pem2base.c b/tests/tools/pem2base.c
-index 0607c162..bb686c0e 100644
---- a/tests/tools/pem2base.c
-+++ b/tests/tools/pem2base.c
-@@ -46,5 +46,6 @@ main(int argc, char **argv)
- }
- }
- printf("%s\n", cm_submit_u_base64_from_text(p));
-+ free(p);
- return 0;
- }
---
-2.14.4
-
diff --git a/SOURCES/0013-clang-Uninitialized-initial-value.patch b/SOURCES/0013-clang-Uninitialized-initial-value.patch
deleted file mode 100644
index aee4628..0000000
--- a/SOURCES/0013-clang-Uninitialized-initial-value.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From db0f835829b739cf843d44b08c22407194aadd71 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden
-Date: Thu, 13 Sep 2018 17:57:21 -0400
-Subject: [PATCH 13/17] clang: Uninitialized initial value
-
----
- src/submit-n.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/submit-n.c b/src/submit-n.c
-index ee6f3105..b07ea23a 100644
---- a/src/submit-n.c
-+++ b/src/submit-n.c
-@@ -281,7 +281,7 @@ cm_submit_n_decrypt_envelope(const unsigned char *envelope,
- PLArenaPool *arena = NULL;
- SECStatus error;
- NSSInitContext *ctx = NULL;
-- PK11SlotInfo *slot;
-+ PK11SlotInfo *slot = NULL;
- PK11SlotList *slotlist = NULL;
- PK11SlotListElement *sle;
- SECKEYPrivateKeyList *keylist = NULL;
---
-2.14.4
-
diff --git a/SOURCES/0014-clang-Null-pointer-passed-as-an-argument-to-a-nonnul.patch b/SOURCES/0014-clang-Null-pointer-passed-as-an-argument-to-a-nonnul.patch
deleted file mode 100644
index 49e488f..0000000
--- a/SOURCES/0014-clang-Null-pointer-passed-as-an-argument-to-a-nonnul.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From 753d98b3e70f34a52caabbe8db30bf06fc917f38 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden
-Date: Thu, 13 Sep 2018 11:46:51 -0400
-Subject: [PATCH 14/17] clang: Null pointer passed as an argument to a
- 'nonnull' parameter
-
----
- src/certsave-n.c | 3 ++-
- src/getcert.c | 7 ++++---
- src/scep.c | 8 ++++----
- src/submit-sn.c | 7 +++++--
- 4 files changed, 15 insertions(+), 10 deletions(-)
-
-diff --git a/src/certsave-n.c b/src/certsave-n.c
-index 49b28324..972a1dfa 100644
---- a/src/certsave-n.c
-+++ b/src/certsave-n.c
-@@ -72,7 +72,8 @@ add_privkey_to_list(SECKEYPrivateKey **list, SECKEYPrivateKey *key)
- if ((list == NULL) || (list[i] == NULL)) {
- newlist = malloc(sizeof(newlist[0]) * (i + 2));
- if (newlist != NULL) {
-- memcpy(newlist, list, sizeof(newlist[0]) * i);
-+ if (list != NULL)
-+ memcpy(newlist, list, sizeof(newlist[0]) * i);
- newlist[i] = key;
- newlist[i + 1] = NULL;
- list = newlist;
-diff --git a/src/getcert.c b/src/getcert.c
-index 6417cd44..ddb28de2 100644
---- a/src/getcert.c
-+++ b/src/getcert.c
-@@ -291,7 +291,8 @@ add_string(void *parent, char ***dest, const char *value)
- printf(_("Out of memory.\n"));
- exit(1);
- }
-- memcpy(tmp, *dest, sizeof(tmp[0]) * i);
-+ if (*dest)
-+ memcpy(tmp, *dest, sizeof(tmp[0]) * i);
- tmp[i] = talloc_strdup(tmp, value);
- i++;
- tmp[i] = NULL;
-@@ -1582,8 +1583,8 @@ add_basic_request(enum cm_tdbus_type bus, char *id,
- {
- DBusMessage *req, *rep;
- int i;
-- struct cm_tdbusm_dict param[28];
-- const struct cm_tdbusm_dict *params[29];
-+ struct cm_tdbusm_dict param[30];
-+ const struct cm_tdbusm_dict *params[30];
- dbus_bool_t b;
- const char *capath;
- char *p;
-diff --git a/src/scep.c b/src/scep.c
-index 68eae788..b0bd214b 100644
---- a/src/scep.c
-+++ b/src/scep.c
-@@ -793,8 +793,8 @@ main(int argc, const char **argv)
- fprintf(stderr, "code_text = \"%s\"\n", cm_submit_h_result_code_text(hctx));
- syslog(LOG_DEBUG, "%s %s?%s\n", "GET", url, params2);
- }
-- if
(strcasecmp(content_type2,
-- "application/x-x509-ca-cert") != 0) {
-+ if ((content_type2 != NULL) && (strcasecmp(content_type2,
-+ "application/x-x509-ca-cert") != 0)) {
- if (verbose > 0) {
- fprintf(stderr, "Content is not "
- "\"application/x-x509-ca-cert\""
-@@ -882,8 +882,8 @@ main(int argc, const char **argv)
- break;
- case op_get_cert_initial:
- case op_pkcsreq:
-- if (strcasecmp(content_type2,
-- "application/x-pki-message") == 0) {
-+ if ((content_type2 != NULL) && (strcasecmp(content_type2,
-+ "application/x-pki-message") == 0)) {
- memset(&cacerts, 0, sizeof(cacerts));
- cacerts[0] = cacert ? cacert : racert;
- cacerts[1] = cacert ? racert : NULL;
-diff --git a/src/submit-sn.c b/src/submit-sn.c
-index e9c62b22..ecd78dc0 100644
---- a/src/submit-sn.c
-+++ b/src/submit-sn.c
-@@ -258,8 +258,11 @@ cm_submit_sn_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
- /* Allocate space for one more extension. */
- extensions = PORT_ArenaZAlloc(arena, (i + 2) * sizeof(extensions[0]));
- if (extensions != NULL) {
-- memcpy(extensions, ucert->extensions,
-- i * sizeof(extensions[0]));
-+ if (i != 0) {
-+ /* Note that C99 says copy of 0 items is ok, quieting clang */
-+ memcpy(extensions, ucert->extensions,
-+ i * sizeof(extensions[0]));
-+ }
- if (found_basic) {
- extensions[i] = NULL;
- } else {
---
-2.14.4
-
diff --git a/SOURCES/0015-clang-Dead-increment.patch b/SOURCES/0015-clang-Dead-increment.patch
deleted file mode 100644
index 783b366..0000000
--- a/SOURCES/0015-clang-Dead-increment.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From 9e44680dbd207cef48beb7598114ea59aa457055 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden
-Date: Fri, 14 Sep 2018 16:15:23 -0400
-Subject: [PATCH 15/17] clang: Dead increment
-
----
- src/store-gen.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/src/store-gen.c b/src/store-gen.c
-index da32afc8..653767a1 100644
---- a/src/store-gen.c
-+++ b/src/store-gen.c
-@@ -363,7 +363,6 @@ cm_store_time_from_timestamp(const char *timestamp)
- buf[2] = '\0';
- stamp.tm_min = atoi(buf);
- memcpy(buf, timestamp + i, 2);
-- i += 2;
- buf[2] = '\0';
- stamp.tm_sec = atoi(buf);
- t = timegm(&stamp);
---
-2.14.4
-
diff --git a/SOURCES/0016-clang-Dereference-of-null-pointer.patch b/SOURCES/0016-clang-Dereference-of-null-pointer.patch
deleted file mode 100644
index af96433..0000000
--- a/SOURCES/0016-clang-Dereference-of-null-pointer.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From 319858127df42c1a95b9b3282705c90ecd6754a5 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden
-Date: Fri, 14 Sep 2018 16:16:55 -0400
-Subject: [PATCH 16/17] clang: Dereference of null pointer
-
----
- src/tdbush.c | 56 +++++++++++++++++++++++++++++---------------------------
- 1 file changed, 29 insertions(+), 27 deletions(-)
-
-diff --git a/src/tdbush.c b/src/tdbush.c
-index 3184e67a..d1bbe4da 100644
---- a/src/tdbush.c
-+++ b/src/tdbush.c
-@@ -3655,37 +3655,39 @@ request_modify(DBusConnection *conn, DBusMessage *msg,
- break;
- }
- }
-- if (d[i] == NULL) {
-- new_request_path = talloc_asprintf(parent, "%s/%s",
-- CM_DBUS_REQUEST_PATH,
-- entry->cm_busname);
-- if ((n_propname > 0) &&
-- (n_propname + 1 < sizeof(propname) / sizeof(propname[0]))) {
-- propname[n_propname] = NULL;
-- cm_tdbush_property_emit_changed(ctx, new_request_path,
-- CM_DBUS_REQUEST_INTERFACE,
-- propname);
-- }
-- cm_tdbusm_set_bp(rep,
-- cm_restart_entry(ctx,
-- entry->cm_nickname),
-- new_request_path);
-- dbus_connection_send(conn, rep, NULL);
-- dbus_message_unref(rep);
-- talloc_free(new_request_path);
-- return DBUS_HANDLER_RESULT_HANDLED;
-- } else {
-- dbus_message_unref(rep);
-- rep = dbus_message_new_error(msg,
-- CM_DBUS_ERROR_REQUEST_BAD_ARG,
-- _("Unrecognized parameter or wrong value type."));
-- if (rep != NULL) {
-- cm_tdbusm_set_s(rep, d[i]->key);
-+ if (d != NULL) {
-+ if (d[i] == NULL) {
-+ new_request_path = talloc_asprintf(parent, "%s/%s",
-+ CM_DBUS_REQUEST_PATH,
-+ entry->cm_busname);
-+ if ((n_propname > 0) &&
-+ (n_propname + 1 < sizeof(propname) / sizeof(propname[0]))) {
-+ propname[n_propname] = NULL;
-+ cm_tdbush_property_emit_changed(ctx, new_request_path,
-+ CM_DBUS_REQUEST_INTERFACE,
-+ propname);
-+ }
-+ cm_tdbusm_set_bp(rep,
-+ cm_restart_entry(ctx,
-+ entry->cm_nickname),
-+ new_request_path);
- dbus_connection_send(conn, rep, NULL);
- dbus_message_unref(rep);
-+ talloc_free(new_request_path);
- return DBUS_HANDLER_RESULT_HANDLED;
-+ } else
{ -+ dbus_message_unref(rep); -+ rep = dbus_message_new_error(msg, -+ CM_DBUS_ERROR_REQUEST_BAD_ARG, -+ _("Unrecognized parameter or wrong value type.")); -+ if (rep != NULL) { -+ cm_tdbusm_set_s(rep, d[i]->key); -+ dbus_connection_send(conn, rep, NULL); -+ dbus_message_unref(rep); -+ return DBUS_HANDLER_RESULT_HANDLED; -+ } -+ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED; - } -- return DBUS_HANDLER_RESULT_NOT_YET_HANDLED; - } - } else { - return DBUS_HANDLER_RESULT_NOT_YET_HANDLED; --- -2.14.4 - diff --git a/SOURCES/0017-Add-missing-case-for-cm_prefs_aes192.patch b/SOURCES/0017-Add-missing-case-for-cm_prefs_aes192.patch deleted file mode 100644 index f6a2e8a..0000000 --- a/SOURCES/0017-Add-missing-case-for-cm_prefs_aes192.patch +++ /dev/null @@ -1,26 +0,0 @@ -From f17b7c0a22f4d49dca001d984673046e133577d1 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Fri, 14 Sep 2018 16:41:19 -0400 -Subject: [PATCH 17/17] Add missing case for cm_prefs_aes192 - ---- - src/prefs-o.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/src/prefs-o.c b/src/prefs-o.c -index 64542f85..ac68164d 100644 ---- a/src/prefs-o.c -+++ b/src/prefs-o.c -@@ -75,6 +75,9 @@ cm_prefs_ossl_cipher_by_pref(enum cm_prefs_cipher cipher) - case cm_prefs_aes128: - return EVP_aes_128_cbc(); - break; -+ case cm_prefs_aes192: -+ return EVP_aes_192_cbc(); -+ break; - case cm_prefs_aes256: - return EVP_aes_256_cbc(); - break; --- -2.14.4 - diff --git a/SOURCES/0018-clang-more-Dead-assignment.patch b/SOURCES/0018-clang-more-Dead-assignment.patch index 0cb3021..951841b 100644 --- a/SOURCES/0018-clang-more-Dead-assignment.patch +++ b/SOURCES/0018-clang-more-Dead-assignment.patch @@ -1,7 +1,7 @@ -From 20d569b57edf2f859aeb48d32bbb91801a45fb91 Mon Sep 17 00:00:00 2001 +From 3dee8044adf134462fadb2b135cc965227f1fab9 Mon Sep 17 00:00:00 2001 
From: Rob Crittenden Date: Mon, 8 Oct 2018 12:48:41 -0400 -Subject: [PATCH 18/26] clang: more Dead assignment +Subject: [PATCH 18/25] clang: more Dead assignment --- src/submit-x.c | 5 ++--- @@ -37,5 +37,5 @@ index cb0a8ad7..a81b5349 100644 dbus_error_init(error); } -- -2.14.4 +2.21.0 diff --git a/SOURCES/0019-clang-more-Memory-leaks.patch b/SOURCES/0019-clang-more-Memory-leaks.patch index ea6d709..2434547 100644 --- a/SOURCES/0019-clang-more-Memory-leaks.patch +++ b/SOURCES/0019-clang-more-Memory-leaks.patch @@ -1,7 +1,7 @@ -From 83a701de85a6b22cc5ad3cec8cb2ddb54d0b2aae Mon Sep 17 00:00:00 2001 +From 0dc90f1783981ac11c3c067c40df88d6315911a6 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Mon, 8 Oct 2018 12:53:57 -0400 -Subject: [PATCH 19/26] clang: more Memory leaks +Subject: [PATCH 19/25] clang: more Memory leaks Fix leaks in tests/tools/addcinfo.c, dogtag.c and submit-x.c --- @@ -317,5 +317,5 @@ index 939005c2..e34612a5 100644 n += i; } -- -2.14.4 +2.21.0 diff --git a/SOURCES/0020-clang-Avoid-buffer-overflow.patch b/SOURCES/0020-clang-Avoid-buffer-overflow.patch index 4f7294d..8c4607c 100644 --- a/SOURCES/0020-clang-Avoid-buffer-overflow.patch +++ b/SOURCES/0020-clang-Avoid-buffer-overflow.patch @@ -1,7 +1,7 @@ -From e9f16cf50ab3438a6e9ea50669854c93c8a399f2 Mon Sep 17 00:00:00 2001 +From 6b14979cdb7a177e7c5567faa67449dd1365c1b9 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Mon, 8 Oct 2018 13:16:08 -0400 -Subject: [PATCH 20/26] clang: Avoid buffer overflow +Subject: [PATCH 20/25] clang: Avoid buffer overflow This shouldn't be possible because the caller would never allow it all to be passed in but quiet static analyzers. @@ -25,5 +25,5 @@ index 0d527ab0..bbc45479 100644 char **anchor_dbs = NULL, **anchor_files = NULL; char *id = NULL, *new_id = NULL, *new_request; -- -2.14.4 +2.21.0 diff --git a/SOURCES/0021-clang-Garbage-value-possible.patch b/SOURCES/0021-clang-Garbage-value-possible.patch index 8bb7bfd..622072e 100644 
--- a/SOURCES/0021-clang-Garbage-value-possible.patch +++ b/SOURCES/0021-clang-Garbage-value-possible.patch @@ -1,7 +1,7 @@ -From bfe2b956c1a9f83bd3d998924788942716767a65 Mon Sep 17 00:00:00 2001 +From 3727376f8654f9e1dd88b1f9721124f9fc96ad0a Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Mon, 8 Oct 2018 14:44:05 -0400 -Subject: [PATCH 21/26] clang: Garbage value possible +Subject: [PATCH 21/25] clang: Garbage value possible Need to add guard so that error was only considered if the certificate was decodable and an import was attempted. @@ -39,5 +39,5 @@ index 972a1dfa..30e242c1 100644 es = PR_ErrorToName(ec); } else { -- -2.14.4 +2.21.0 diff --git a/SOURCES/0022-Uninitialized-variable.patch b/SOURCES/0022-Uninitialized-variable.patch index 6eb7583..f6ba508 100644 --- a/SOURCES/0022-Uninitialized-variable.patch +++ b/SOURCES/0022-Uninitialized-variable.patch @@ -1,19 +1,19 @@ -From a5fef9f676334c6b373f9739a2687dc64ad2c0c0 Mon Sep 17 00:00:00 2001 +From a5c7484a00b378290069ab57c1f2e52719cc91c0 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Mon, 8 Oct 2018 14:48:43 -0400 -Subject: [PATCH 22/26] Uninitialized variable +Subject: [PATCH 22/25] Uninitialized variable --- src/csrgen-o.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/csrgen-o.c b/src/csrgen-o.c -index 55b0a598..7ca7065d 100644 +index 402284ff..41b4f014 100644 --- a/src/csrgen-o.c +++ b/src/csrgen-o.c -@@ -94,7 +94,7 @@ cm_csrgen_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, +@@ -181,7 +181,7 @@ cm_csrgen_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, BIGNUM *serialbn; - char buf[LINE_MAX], *p, *q, *s, *nickname, *pin, *password, *filename; + char buf[LINE_MAX], *s, *nickname, *pin, *password, *filename; unsigned char *extensions, *upassword, *bmp, *name, *up, *uq, md[CM_DIGEST_MAX]; - char *spkidec, *mcb64, *nows; + char *spkidec = NULL, *mcb64, *nows; 
@@ -21,5 +21,5 @@ index 55b0a598..7ca7065d 100644 const unsigned char *nametmp; struct tm *now; -- -2.14.4 +2.21.0 diff --git a/SOURCES/0023-merge-into-clang-more-Memory-leaks.patch b/SOURCES/0023-merge-into-clang-more-Memory-leaks.patch index 6a47651..ff1606d 100644 --- a/SOURCES/0023-merge-into-clang-more-Memory-leaks.patch +++ b/SOURCES/0023-merge-into-clang-more-Memory-leaks.patch @@ -1,7 +1,7 @@ -From b0766cfdfd8bbac9109a2846c6ac3802e60cb56f Mon Sep 17 00:00:00 2001 +From 432f843ffbc0bc0b14c0501b26a10e450c5b5fcc Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Mon, 8 Oct 2018 15:43:02 -0400 -Subject: [PATCH 23/26] merge into clang: more Memory leaks +Subject: [PATCH 23/25] merge into clang: more Memory leaks --- src/getcert.c | 2 +- @@ -35,5 +35,5 @@ index 58d007ef..467e67e4 100644 if (ctx) { const char *msg = krb5_get_error_message(ctx, kcode); -- -2.14.4 +2.21.0 diff --git a/SOURCES/0024-Add-missing-return-type-declaration.patch b/SOURCES/0024-Add-missing-return-type-declaration.patch index e0455b5..e434c8b 100644 --- a/SOURCES/0024-Add-missing-return-type-declaration.patch +++ b/SOURCES/0024-Add-missing-return-type-declaration.patch @@ -1,7 +1,7 @@ -From daaca020810962c568caa49514f5159e1592aaf0 Mon Sep 17 00:00:00 2001 +From d610317f69687d0c6892209d3cb6e3c407af4d86 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Mon, 8 Oct 2018 15:44:07 -0400 -Subject: [PATCH 24/26] Add missing return type declaration +Subject: [PATCH 24/25] Add missing return type declaration --- src/tdbush.c | 1 + @@ -20,5 +20,5 @@ index d1bbe4da..a10a1aff 100644 struct cm_client_info *ci, struct cm_context *ctx) { -- -2.14.4 +2.21.0 diff --git a/SOURCES/0025-Discards-const-qualifier.patch b/SOURCES/0025-Discards-const-qualifier.patch index 954edae..dafefa2 100644 --- a/SOURCES/0025-Discards-const-qualifier.patch +++ b/SOURCES/0025-Discards-const-qualifier.patch 
@@ -1,7 +1,7 @@ -From b12dfc9d43128f05b7e0b9e83c2a6100f808fe94 Mon Sep 17 00:00:00 2001 +From c16545915ab280e40eefc6bfb4e86d081f20c758 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Mon, 8 Oct 2018 15:46:50 -0400 -Subject: [PATCH 25/26] Discards const qualifier +Subject: [PATCH 25/25] Discards const qualifier --- src/dogtag.c | 3 ++- @@ -39,5 +39,5 @@ index b0bd214b..b37711cf 100644 char *message = NULL, *rekey_message = NULL; const char *mode = NULL, *content_type = NULL, *content_type2 = NULL; -- -2.14.4 +2.21.0 diff --git a/SOURCES/0026-Add-missing-case-for-cm_prefs_aes192.patch b/SOURCES/0026-Add-missing-case-for-cm_prefs_aes192.patch deleted file mode 100644 index 4801a46..0000000 --- a/SOURCES/0026-Add-missing-case-for-cm_prefs_aes192.patch +++ /dev/null @@ -1,28 +0,0 @@ -From f1a328159d46149513e32950284e5dd33525e8e1 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Mon, 8 Oct 2018 15:57:35 -0400 -Subject: [PATCH 26/26] Add missing case for cm_prefs_aes192 - ---- - src/prefs.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/src/prefs.c b/src/prefs.c -index ab363bbc..20e2ecf8 100644 ---- a/src/prefs.c -+++ b/src/prefs.c -@@ -102,6 +102,11 @@ cm_prefs_preferred_cipher(void) - free(cipher); - return cm_prefs_aes128; - } -+ if ((strcasecmp(cipher, "aes192") == 0) || -+ (strcasecmp(cipher, "aes-192") == 0)) { -+ free(cipher); -+ return cm_prefs_aes192; -+ } - if ((strcasecmp(cipher, "aes256") == 0) || - (strcasecmp(cipher, "aes-256") == 0)) { - free(cipher); --- -2.14.4 - diff --git a/SPECS/certmonger.spec b/SPECS/certmonger.spec index 846284d..39d1896 100644 --- a/SPECS/certmonger.spec +++ b/SPECS/certmonger.spec @@ -8,8 +8,8 @@ %global sysvinitdir %{_initddir} Name: certmonger -Version: 0.79.6 -Release: 5%{?dist} +Version: 0.79.7 +Release: 3%{?dist} Summary: Certificate status monitor and PKI enrollment client Group: System Environment/Daemons 
@@ -51,6 +51,7 @@ BuildRequires: /usr/bin/which BuildRequires: popt-devel # for make check BuildRequires: python3-devel +BuildRequires: krb5-devel # we need a running system bus Requires: dbus @@ -81,21 +82,6 @@ Requires(preun): /sbin/chkconfig, /sbin/service, dbus, sed Patch1: 0001-NSS-crypto-policy-sets-minimum-RSA-and-DSA-key-size-.patch Patch2: 0002-Convert-tests-to-use-python3.patch -Patch3: 0003-Use-the-correct-slot-when-saving-certificates-in-NSS.patch -Patch4: 0004-Include-the-token-name-when-a-PIN-is-provided-but-is.patch -Patch5: 0005-Add-utility-function-to-get-the-internal-token-name.patch -Patch6: 0006-Only-de-duplicate-certificates-within-the-same-token.patch -Patch7: 0007-Ensure-that-an-OpenSSL-random-seed-file-exists-when-.patch -Patch8: 0008-Log-test-failures-of-bad-pin.patch -Patch9: 0009-Use-only-PK11_ImportCert-to-import-certs-not-CERT_Im.patch -Patch10: 0010-Fix-memory-leak-in-util_internal_token_name.patch -Patch11: 0011-clang-Dead-assignment.patch -Patch12: 0012-clang-Memory-leak.patch -Patch13: 0013-clang-Uninitialized-initial-value.patch -Patch14: 0014-clang-Null-pointer-passed-as-an-argument-to-a-nonnul.patch -Patch15: 0015-clang-Dead-increment.patch -Patch16: 0016-clang-Dereference-of-null-pointer.patch -Patch17: 0017-Add-missing-case-for-cm_prefs_aes192.patch Patch18: 0018-clang-more-Dead-assignment.patch Patch19: 0019-clang-more-Memory-leaks.patch Patch20: 0020-clang-Avoid-buffer-overflow.patch @@ -104,7 +90,6 @@ Patch22: 0022-Uninitialized-variable.patch Patch23: 0023-merge-into-clang-more-Memory-leaks.patch Patch24: 0024-Add-missing-return-type-declaration.patch Patch25: 0025-Discards-const-qualifier.patch -Patch26: 0026-Add-missing-case-for-cm_prefs_aes192.patch %description Certmonger is a service which is primarily concerned with getting your 
@@ -114,21 +99,6 @@ system enrolled with a certificate authority (CA) and keeping it enrolled. %setup -q %patch1 -p1 %patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 -%patch14 -p1 -%patch15 -p1 -%patch16 -p1 -%patch17 -p1 %patch18 -p1 %patch19 -p1 %patch20 -p1 @@ -137,7 +107,6 @@ system enrolled with a certificate authority (CA) and keeping it enrolled. %patch23 -p1 %patch24 -p1 %patch25 -p1 -%patch26 -p1 %build autoreconf -i -f @@ -264,6 +233,15 @@ exit 0 %endif %changelog +* Tue May 14 2019 Rob Crittenden - 0.79.7-3 +- Rebuild for new annobin (#1708095) + +* Fri May 10 2019 Rob Crittenden - 0.79.7-2 +- Rebuild for new annobin (#1708095) + +* Thu May 9 2019 Alexander Bokovoy - 0.79.7-1 +- Rebase to 0.79.7 (#1708095) + * Mon Oct 8 2018 Rob Crittenden - 0.79.6-5 - Address more issues uncovered by static analysis (#1632449)