From ead03f7985e51fed72b1a9920a2b8e83bf6b4839 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Oct 30 2018 04:49:15 +0000 Subject: import nss-pem-1.0.3-5.el7 --- diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..481d1a3 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/nss-pem-1.0.3.tar.xz diff --git a/.nss-pem.metadata b/.nss-pem.metadata new file mode 100644 index 0000000..030c3d3 --- /dev/null +++ b/.nss-pem.metadata @@ -0,0 +1 @@ +3ce117a9400c9c0487fe6a1afad6edf8eb7fb832 SOURCES/nss-pem-1.0.3.tar.xz diff --git a/README.md b/README.md deleted file mode 100644 index 98f42b4..0000000 --- a/README.md +++ /dev/null @@ -1,4 +0,0 @@ -The master branch has no content - -Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6 -If you find this file in a distro specific branch, it means that no content has been checked in yet diff --git a/SOURCES/0001-nss-pem-1.0.3-drop-wait-for-slot-event-cb.patch b/SOURCES/0001-nss-pem-1.0.3-drop-wait-for-slot-event-cb.patch new file mode 100644 index 0000000..5bf7023 --- /dev/null +++ b/SOURCES/0001-nss-pem-1.0.3-drop-wait-for-slot-event-cb.patch @@ -0,0 +1,102 @@ +From c7783ffebee147c3491c58656d9b77c74cdf3667 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Fri, 21 Apr 2017 13:32:25 +0200 +Subject: [PATCH] remove implementation of the WaitForSlotEvent callback + +This reverts commit eefef2286183f1c895f408202367a0e4cb3b44c8. +--- + src/ckpem.h | 1 - + src/pinst.c | 13 +------------ + src/pobject.c | 19 ++++++++++++------- + 3 files changed, 13 insertions(+), 20 deletions(-) + +diff --git a/src/ckpem.h b/src/ckpem.h +index b4fff2c..e6ecc5f 100644 +--- a/src/ckpem.h ++++ b/src/ckpem.h +@@ -211,7 +211,6 @@ struct pemInternalObjectStr { + NSS_EXTERN_DATA pemInternalObject **pem_objs; + NSS_EXTERN_DATA int pem_nobjs; + NSS_EXTERN_DATA int token_needsLogin[]; +-NSS_EXTERN_DATA NSSCKMDSlot *lastEventSlot; + + struct pemTokenStr { + PRBool logged_in; +diff --git a/src/pinst.c b/src/pinst.c +index 9cfbf45..5ac0ff3 100644 +--- a/src/pinst.c ++++ b/src/pinst.c +@@ -53,7 +53,6 @@ static PRBool pemInitialized = PR_FALSE; + pemInternalObject **pem_objs; + int pem_nobjs = 0; + int token_needsLogin[NUM_SLOTS]; +-NSSCKMDSlot *lastEventSlot; + + /* + * simple cert decoder to avoid the cost of asn1 engine +@@ -833,16 +832,6 @@ pem_mdInstance_ModuleHandlesSessionObjects + return CK_TRUE; + } + +-static NSSCKMDSlot * +-pem_mdInstance_WaitForSlotEvent( +- NSSCKMDInstance * mdInstance, +- NSSCKFWInstance * fwInstance, +- CK_BBOOL block, +- CK_RV * pError) +-{ +- return lastEventSlot; +-} +- + NSS_IMPLEMENT_DATA const NSSCKMDInstance + pem_mdInstance = { + (void *) NULL, /* etc */ +@@ -855,6 +844,6 @@ pem_mdInstance = { + pem_mdInstance_GetLibraryVersion, + pem_mdInstance_ModuleHandlesSessionObjects, + pem_mdInstance_GetSlots, +- pem_mdInstance_WaitForSlotEvent, ++ NULL, /* WaitForSlotEvent */ + (void *) NULL /* null terminator */ + }; +diff --git a/src/pobject.c b/src/pobject.c +index 6551d06..1227737 100644 +--- a/src/pobject.c ++++ b/src/pobject.c +@@ -1212,6 +1212,7 @@ pem_CreateObject + /* Brute force: find the id of the certificate, if any, in this slot */ + int i; + SECItem certDER; ++ CK_SESSION_HANDLE hSession; + PRBool added; + + nobjs = ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_FALSE /* keys only */); +@@ -1259,14 +1260,18 @@ pem_CreateObject + * the token was removed so we can force a login. + */ + if (cipher && added) { +- /* remember the slot for pem_mdInstance_WaitForSlotEvent() */ +- lastEventSlot = NSSCKFWSlot_GetMDSlot(fwSlot); +- ++ /* FIXME: Why 1.0s? Is it enough? Isn't it too much? ++ * What about e.g. 3.14s? */ ++ PRIntervalTime onesec = PR_SecondsToInterval(1); + token_needsLogin[slotID - 1] = PR_TRUE; +- /* FIXME: dirty hack relying on NSS internals */ +- CK_SESSION_HANDLE hSession = +- NSSCKFWInstance_FindSessionHandle(fwInstance, fwSession); +- NSSCKFWInstance_DestroySessionHandle(fwInstance, hSession); ++ ++ /* We have to sleep so that NSS will notice that the token was ++ * removed. ++ */ ++ PR_Sleep(onesec); ++ hSession = ++ NSSCKFWInstance_FindSessionHandle(fwInstance, fwSession); ++ NSSCKFWInstance_DestroySessionHandle(fwInstance, hSession); + } else { + *pError = CKR_KEY_UNEXTRACTABLE; + } +-- +2.9.3 + diff --git a/SOURCES/0002-nss-pem-1.0.3-key-reload.patch b/SOURCES/0002-nss-pem-1.0.3-key-reload.patch new file mode 100644 index 0000000..bdbaafa --- /dev/null +++ b/SOURCES/0002-nss-pem-1.0.3-key-reload.patch @@ -0,0 +1,246 @@ +From 31eddc5b70ff2158102af6c72849c3a500c4d002 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Fri, 3 Aug 2018 15:05:22 +0200 +Subject: [PATCH 1/5] pem_CreateObject: rewrite the conditions in the cert + search loop + +... to make the code more readable. No changes in behavior are intended +by this commit. + +Upstream-commit: 1d51c2337bc7156e3dfd7a8087ac4328f71174e3 +Signed-off-by: Kamil Dudka +--- + src/pobject.c | 27 +++++++++++++++------------ + 1 file changed, 15 insertions(+), 12 deletions(-) + +diff --git a/src/pobject.c b/src/pobject.c +index e8891d0..c8539f2 100644 +--- a/src/pobject.c ++++ b/src/pobject.c +@@ -1209,7 +1209,6 @@ pem_CreateObject + goto loser; + } + } else if (objClass == CKO_PRIVATE_KEY) { +- /* Brute force: find the id of the certificate, if any, in this slot */ + int i; + SECItem certDER; + CK_SESSION_HANDLE hSession; +@@ -1222,24 +1221,28 @@ pem_CreateObject + certDER.len = 0; /* in case there is no equivalent cert */ + certDER.data = NULL; + ++ /* Brute force: find the id of the certificate, if any, in this slot */ + objid = -1; + for (i = 0; i < pem_nobjs; i++) { + if (NULL == pem_objs[i]) + continue; + +- if ((slotID == pem_objs[i]->slotID) && (pem_objs[i]->type == pemCert)) { +- objid = atoi(pem_objs[i]->id.data); +- certDER.data = +- (void *) NSS_ZAlloc(NULL, pem_objs[i]->derCert->len); ++ if (slotID != pem_objs[i]->slotID) ++ continue; + +- if (certDER.data == NULL) +- goto loser; ++ if (pem_objs[i]->type != pemCert) ++ continue; + +- certDER.len = pem_objs[i]->derCert->len; +- memcpy(certDER.data, +- pem_objs[i]->derCert->data, +- pem_objs[i]->derCert->len); +- } ++ objid = atoi(pem_objs[i]->id.data); ++ certDER.data = NSS_ZAlloc(NULL, pem_objs[i]->derCert->len); ++ ++ if (certDER.data == NULL) ++ goto loser; ++ ++ certDER.len = pem_objs[i]->derCert->len; ++ memcpy(certDER.data, ++ pem_objs[i]->derCert->data, ++ pem_objs[i]->derCert->len); + } + + /* We're just adding a key, we'll assume the cert is next */ +-- +2.17.1 + + +From 476e1a7db2b35146db6c1fb5c0cd230f84778583 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Fri, 3 Aug 2018 15:09:01 +0200 +Subject: [PATCH 2/5] pem_CreateObject: fix memory leak in the cert search loop + +If we search the array in reverse direction and stop on the first match, +we end up with the same results but without leaking certDER.data in each +iteration after the first match. + +Upstream-commit: e85b6f903fa38a34672428be114741d397f17fe2 +Signed-off-by: Kamil Dudka +--- + src/pobject.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/pobject.c b/src/pobject.c +index c8539f2..34d0b5a 100644 +--- a/src/pobject.c ++++ b/src/pobject.c +@@ -1223,7 +1223,7 @@ pem_CreateObject + + /* Brute force: find the id of the certificate, if any, in this slot */ + objid = -1; +- for (i = 0; i < pem_nobjs; i++) { ++ for (i = pem_nobjs - 1; 0 <= i; i--) { + if (NULL == pem_objs[i]) + continue; + +@@ -1243,6 +1243,7 @@ pem_CreateObject + memcpy(certDER.data, + pem_objs[i]->derCert->data, + pem_objs[i]->derCert->len); ++ break; + } + + /* We're just adding a key, we'll assume the cert is next */ +-- +2.17.1 + + +From dddc9331e35520b772b499475f5f2a67eeac8fef Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Fri, 3 Aug 2018 15:12:46 +0200 +Subject: [PATCH 3/5] pem_CreateObject: check object ID in the cert search loop + +We need to find a certificate that refers to the key being added, +which is not necessarily the last certificate added to the slot. + +Bug: https://bugzilla.redhat.com/1610998 + +Upstream-commit: 5e6d9ce0d638eb6c9f25f31366960db2f8031716 +Signed-off-by: Kamil Dudka +--- + src/pobject.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/pobject.c b/src/pobject.c +index 34d0b5a..918b327 100644 +--- a/src/pobject.c ++++ b/src/pobject.c +@@ -1233,7 +1233,11 @@ pem_CreateObject + if (pem_objs[i]->type != pemCert) + continue; + +- objid = atoi(pem_objs[i]->id.data); ++ if (atoi(pem_objs[i]->id.data) != pem_nobjs) ++ /* not a certificate that refers to the key being added */ ++ continue; ++ ++ objid = pem_nobjs; + certDER.data = NSS_ZAlloc(NULL, pem_objs[i]->derCert->len); + + if (certDER.data == NULL) +-- +2.17.1 + + +From ed88392c385d7a8733891fb736e9b7456331b617 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Fri, 3 Aug 2018 15:22:23 +0200 +Subject: [PATCH 4/5] AddObjectIfNeeded: use a pointer to avoid code + duplication + +No changes in behavior intended by this commit. + +Upstream-commit: 0eafa24fdf0b54e5a63a76a7c63dc4000253c971 +Signed-off-by: Kamil Dudka +--- + src/pinst.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/src/pinst.c b/src/pinst.c +index 5ac0ff3..c54cbe2 100644 +--- a/src/pinst.c ++++ b/src/pinst.c +@@ -401,16 +401,17 @@ AddObjectIfNeeded(CK_OBJECT_CLASS objClass, + + /* first look for the object in pem_objs, it might be already there */ + for (i = 0; i < pem_nobjs; i++) { +- if (NULL == pem_objs[i]) ++ pemInternalObject *const curObj = pem_objs[i]; ++ if (NULL == curObj) + continue; + + /* Comparing DER encodings is dependable and frees the PEM module + * from having to require clients to provide unique nicknames. + */ +- if ((pem_objs[i]->objClass == objClass) +- && (pem_objs[i]->type == type) +- && (pem_objs[i]->slotID == slotID) +- && derEncodingsMatch(objClass, pem_objs[i], certDER, keyDER)) { ++ if ((curObj->objClass == objClass) ++ && (curObj->type == type) ++ && (curObj->slotID == slotID) ++ && derEncodingsMatch(objClass, curObj, certDER, keyDER)) { + + /* While adding a client certificate we (wrongly?) assumed that the + * key object will follow right after the cert object. However, if +@@ -420,8 +421,8 @@ AddObjectIfNeeded(CK_OBJECT_CLASS objClass, + LinkSharedKeyObject(pem_nobjs, i); + + plog("AddObjectIfNeeded: re-using internal object #%i\n", i); +- pem_objs[i]->refCount ++; +- return pem_objs[i]; ++ curObj->refCount ++; ++ return curObj; + } + } + +-- +2.17.1 + + +From 9f0b5facee73afe5578e98010128a72236e6c370 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Fri, 3 Aug 2018 16:00:50 +0200 +Subject: [PATCH 5/5] AddObjectIfNeeded: update object ID while reusing a + certificate + +... in case it refers to an object that has already been removed + +Bug: https://bugzilla.redhat.com/1610998 + +Upstream-commit: e14465a1238dcf7364dc07a1438d24111ccad3b1 +Signed-off-by: Kamil Dudka +--- + src/pinst.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/src/pinst.c b/src/pinst.c +index c54cbe2..25485b1 100644 +--- a/src/pinst.c ++++ b/src/pinst.c +@@ -420,6 +420,18 @@ AddObjectIfNeeded(CK_OBJECT_CLASS objClass, + */ + LinkSharedKeyObject(pem_nobjs, i); + ++ if (CKO_CERTIFICATE == objClass) { ++ const int ref = atoi(curObj->id.data); ++ if (0 < ref && ref < pem_nobjs && !pem_objs[ref]) { ++ /* The certificate we are going to reuse refers to an ++ * object that has already been removed. Make it refer ++ * to the object that will be added next (private key). ++ */ ++ NSS_ZFreeIf(curObj->id.data); ++ assignObjectID(curObj, pem_nobjs); ++ } ++ } ++ + plog("AddObjectIfNeeded: re-using internal object #%i\n", i); + curObj->refCount ++; + return curObj; +-- +2.17.1 + diff --git a/SPECS/nss-pem.spec b/SPECS/nss-pem.spec new file mode 100644 index 0000000..80266bb --- /dev/null +++ b/SPECS/nss-pem.spec @@ -0,0 +1,70 @@ +Name: nss-pem +Version: 1.0.3 +Release: 5%{?dist} +Summary: PEM file reader for Network Security Services (NSS) + +License: MPLv1.1 +URL: https://github.com/kdudka/nss-pem +Source0: https://github.com/kdudka/nss-pem/releases/download/%{name}-%{version}/%{name}-%{version}.tar.xz +Patch1: 0001-nss-pem-1.0.3-drop-wait-for-slot-event-cb.patch + +# update object ID while reusing a certificate (#1610998) +Patch2: 0002-nss-pem-1.0.3-key-reload.patch + +BuildRequires: cmake +BuildRequires: nss-pkcs11-devel + +# require at least the version of nss that nss-pem was built against (#1428965) +Requires: nss%{?_isa} >= %(nss-config --version 2>/dev/null || echo 0) + +# make the nss-pem pkg conflict with all nss builds with bundled nss-pem +Conflicts: nss%{?_isa} < 3.28.2-2.el7 + +%description +PEM file reader for Network Security Services (NSS), implemented as a PKCS#11 +module. + +%prep +%setup -q +%patch1 -p1 +%patch2 -p1 + +%build +mkdir build +cd build +%cmake ../src +make %{?_smp_mflags} VERBOSE=yes + +%install +cd build +make install DESTDIR=%{buildroot} + +%check +cd build +ctest %{?_smp_mflags} --output-on-failure + +%files +%{_libdir}/libnsspem.so +%license COPYING + +%changelog +* Wed Aug 08 2018 Kamil Dudka 1.0.3-5 +- update object ID while reusing a certificate (#1610998) + +* Wed Apr 26 2017 Kamil Dudka 1.0.3-4 +- fix missing prototypes detected by Covscan + +* Tue Apr 25 2017 Kamil Dudka 1.0.3-3 +- remove implementation of the WaitForSlotEvent callback (#1445384) + +* Mon Mar 06 2017 Kamil Dudka 1.0.3-2 +- require at least the version of nss that nss-pem was built against (#1428965) + +* Wed Mar 01 2017 Kamil Dudka 1.0.3-1 +- update to latest upstream bugfix release (#1427917) + +* Tue Feb 14 2017 Kamil Dudka 1.0.2-2 +- explicitly conflict with all nss builds with bundled nss-pem + +* Tue Jan 24 2017 Kamil Dudka 1.0.2-1 +- imported into RHEL-7