diff --git a/.gitignore b/.gitignore
index bb75f38..f181ddb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
-SOURCES/p11-kit-0.23.14.tar.gz
+SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
+SOURCES/p11-kit-0.23.22.tar.xz
diff --git a/.p11-kit.metadata b/.p11-kit.metadata
index a336cc3..4e41b67 100644
--- a/.p11-kit.metadata
+++ b/.p11-kit.metadata
@@ -1 +1,2 @@
-30cab1d4b716022e6918f9a49976609c425f9cfc SOURCES/p11-kit-0.23.14.tar.gz
+526f07b62624739ba318a171bab3352af91d0134 SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
+339e5163ed50a9984a74739b9207ea8cd77fa7e2 SOURCES/p11-kit-0.23.22.tar.xz
diff --git a/SOURCES/p11-kit-0.23.22.tar.xz.sig b/SOURCES/p11-kit-0.23.22.tar.xz.sig
new file mode 100644
index 0000000..6ef001e
Binary files /dev/null and b/SOURCES/p11-kit-0.23.22.tar.xz.sig differ
diff --git a/SOURCES/p11-kit-coverity.patch b/SOURCES/p11-kit-coverity.patch
deleted file mode 100644
index f07f616..0000000
--- a/SOURCES/p11-kit-coverity.patch
+++ /dev/null
@@ -1,623 +0,0 @@
-From 8a8db182af533a43b4d478d28af8623035475d68 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Tue, 16 Oct 2018 18:05:10 +0200
-Subject: [PATCH 01/10] debug: Work around cppcheck false-positives
-
-https://trac.cppcheck.net/ticket/8794
----
- common/debug.h | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/common/debug.h b/common/debug.h
-index 255c62c..7ea36f3 100644
---- a/common/debug.h
-+++ b/common/debug.h
-@@ -71,13 +71,13 @@ void              p11_debug_precond             (const char *format,
- #endif
- 
- #define return_val_if_fail(x, v) \
--	do { if (!(x)) { \
-+	do { if (x) { } else {							\
- 	     p11_debug_precond ("p11-kit: '%s' not true at %s\n", #x, __func__); \
- 	     return v; \
- 	} } while (false)
- 
- #define return_if_fail(x) \
--	do { if (!(x)) { \
-+	do { if (x) { } else {						\
- 	     p11_debug_precond ("p11-kit: '%s' not true at %s\n", #x, __func__); \
- 	     return; \
- 	} } while (false)
-@@ -100,7 +100,7 @@ void              p11_debug_precond             (const char *format,
- 	} while (false)
- 
- #define warn_if_fail(x) \
--	do { if (!(x)) { \
-+	do { if (x) { } else {						\
- 	     p11_debug_precond ("p11-kit: '%s' not true at %s\n", #x, __func__); \
- 	} } while (false)
- 
--- 
-2.17.2
-
-
-From c76197ddbbd0c29adc2bceff2ee9f740f71d134d Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Tue, 16 Oct 2018 18:06:56 +0200
-Subject: [PATCH 02/10] build: Call va_end() always when leaving the function
-
----
- common/attrs.c  | 4 +++-
- common/compat.c | 5 ++++-
- common/path.c   | 5 ++++-
- trust/parser.c  | 4 +++-
- 4 files changed, 14 insertions(+), 4 deletions(-)
-
-diff --git a/common/attrs.c b/common/attrs.c
-index aa91891..a387a66 100644
---- a/common/attrs.c
-+++ b/common/attrs.c
-@@ -538,8 +538,10 @@ buffer_append_printf (p11_buffer *buffer,
- 	va_list va;
- 
- 	va_start (va, format);
--	if (vasprintf (&string, format, va) < 0)
-+	if (vasprintf (&string, format, va) < 0) {
-+		va_end (va);
- 		return_if_reached ();
-+	}
- 	va_end (va);
- 
- 	p11_buffer_add (buffer, string, -1);
-diff --git a/common/compat.c b/common/compat.c
-index 5a9702d..48614fa 100644
---- a/common/compat.c
-+++ b/common/compat.c
-@@ -525,7 +525,10 @@ strconcat (const char *first,
- 	for (arg = first; arg; arg = va_arg (va, const char*)) {
- 		size_t old_length = length;
- 		length += strlen (arg);
--		return_val_if_fail (length >= old_length, NULL);
-+		if (length < old_length) {
-+			va_end (va);
-+			return_val_if_reached (NULL);
-+		}
- 	}
- 
- 	va_end (va);
-diff --git a/common/path.c b/common/path.c
-index 5cf0e1a..17a6230 100644
---- a/common/path.c
-+++ b/common/path.c
-@@ -218,7 +218,10 @@ p11_path_build (const char *path,
- 	while (path != NULL) {
- 		size_t old_len = len;
- 		len += strlen (path) + 1;
--		return_val_if_fail (len >= old_len, NULL);
-+		if (len < old_len) {
-+			va_end (va);
-+			return_val_if_reached (NULL);
-+		}
- 		path = va_arg (va, const char *);
- 	}
- 	va_end (va);
-diff --git a/trust/parser.c b/trust/parser.c
-index f92cdc9..e912c3a 100644
---- a/trust/parser.c
-+++ b/trust/parser.c
-@@ -697,8 +697,10 @@ p11_parser_formats (p11_parser *parser,
- 		func = va_arg (va, parser_func);
- 		if (func == NULL)
- 			break;
--		if (!p11_array_push (formats, func))
-+		if (!p11_array_push (formats, func)) {
-+			va_end (va);
- 			return_if_reached ();
-+		}
- 	}
- 	va_end (va);
- 
--- 
-2.17.2
-
-
-From b10dadce5a3c921149b2c9fe0dec614f8076ebda Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Tue, 16 Oct 2018 18:10:05 +0200
-Subject: [PATCH 03/10] build: Free memory before return{,_val}_if_* macros
-
----
- p11-kit/iter.c  |  5 ++++-
- p11-kit/proxy.c | 10 ++++++++--
- trust/asn1.c    | 15 ++++++++++++---
- trust/builder.c |  5 ++++-
- trust/index.c   | 10 ++++++++--
- trust/persist.c |  5 ++++-
- trust/save.c    | 29 +++++++++++++++++++++++++----
- trust/session.c | 10 ++++++++--
- trust/token.c   |  5 ++++-
- 9 files changed, 77 insertions(+), 17 deletions(-)
-
-diff --git a/p11-kit/iter.c b/p11-kit/iter.c
-index 0e4ca6e..d1ffd91 100644
---- a/p11-kit/iter.c
-+++ b/p11-kit/iter.c
-@@ -157,7 +157,10 @@ p11_kit_iter_new (P11KitUri *uri,
- 	return_val_if_fail (iter != NULL, NULL);
- 
- 	iter->modules = p11_array_new (NULL);
--	return_val_if_fail (iter->modules != NULL, NULL);
-+	if (iter->modules == NULL) {
-+		p11_kit_iter_free (iter);
-+		return_val_if_reached (NULL);
-+	}
- 
- 	iter->want_writable = !!(behavior & P11_KIT_ITER_WANT_WRITABLE);
- 	iter->preload_results = !(behavior & P11_KIT_ITER_BUSY_SESSIONS);
-diff --git a/p11-kit/proxy.c b/p11-kit/proxy.c
-index b7fb63d..abe7935 100644
---- a/p11-kit/proxy.c
-+++ b/p11-kit/proxy.c
-@@ -267,7 +267,10 @@ proxy_create (Proxy **res, CK_FUNCTION_LIST **loaded,
- 	py->forkid = p11_forkid;
- 
- 	py->inited = modules_dup (loaded);
--	return_val_if_fail (py->inited != NULL, CKR_HOST_MEMORY);
-+	if (py->inited == NULL) {
-+		proxy_free (py, 0);
-+		return_val_if_reached (CKR_HOST_MEMORY);
-+	}
- 
- 	rv = p11_kit_modules_initialize (py->inited, NULL);
- 
-@@ -320,7 +323,10 @@ proxy_create (Proxy **res, CK_FUNCTION_LIST **loaded,
- 	}
- 
- 	py->sessions = p11_dict_new (p11_dict_ulongptr_hash, p11_dict_ulongptr_equal, NULL, free);
--	return_val_if_fail (py->sessions != NULL, CKR_HOST_MEMORY);
-+	if (py->sessions == NULL) {
-+		proxy_free (py, 1);
-+		return_val_if_reached (CKR_HOST_MEMORY);
-+	}
- 	py->refs = 1;
- 
- 	*res = py;
-diff --git a/trust/asn1.c b/trust/asn1.c
-index dd1812d..5ce682d 100644
---- a/trust/asn1.c
-+++ b/trust/asn1.c
-@@ -285,11 +285,17 @@ p11_asn1_cache_new (void)
- 	return_val_if_fail (cache != NULL, NULL);
- 
- 	cache->defs = p11_asn1_defs_load ();
--	return_val_if_fail (cache->defs != NULL, NULL);
-+	if (cache->defs == NULL) {
-+		p11_asn1_cache_free (cache);
-+		return_val_if_reached (NULL);
-+	}
- 
- 	cache->items = p11_dict_new (p11_dict_direct_hash, p11_dict_direct_equal,
- 	                             NULL, free_asn1_item);
--	return_val_if_fail (cache->items != NULL, NULL);
-+	if (cache->items == NULL) {
-+		p11_asn1_cache_free (cache);
-+		return_val_if_reached (NULL);
-+	}
- 
- 	return cache;
- }
-@@ -342,7 +348,10 @@ p11_asn1_cache_take (p11_asn1_cache *cache,
- 	item->length = der_len;
- 	item->node = node;
- 	item->struct_name = strdup (struct_name);
--	return_if_fail (item->struct_name != NULL);
-+	if (item->struct_name == NULL) {
-+		free_asn1_item (item);
-+		return_if_reached ();
-+	}
- 
- 	if (!p11_dict_set (cache->items, (void *)der, item))
- 		return_if_reached ();
-diff --git a/trust/builder.c b/trust/builder.c
-index 742c544..d819dc8 100644
---- a/trust/builder.c
-+++ b/trust/builder.c
-@@ -187,7 +187,10 @@ p11_builder_new (int flags)
- 	return_val_if_fail (builder != NULL, NULL);
- 
- 	builder->asn1_cache = p11_asn1_cache_new ();
--	return_val_if_fail (builder->asn1_cache, NULL);
-+	if (builder->asn1_cache == NULL) {
-+		p11_builder_free (builder);
-+		return_val_if_reached (NULL);
-+	}
- 	builder->asn1_defs = p11_asn1_cache_defs (builder->asn1_cache);
- 
- 	builder->flags = flags;
-diff --git a/trust/index.c b/trust/index.c
-index f4b6b4b..6a8e535 100644
---- a/trust/index.c
-+++ b/trust/index.c
-@@ -170,10 +170,16 @@ p11_index_new (p11_index_build_cb build,
- 	index->objects = p11_dict_new (p11_dict_ulongptr_hash,
- 	                               p11_dict_ulongptr_equal,
- 	                               NULL, free_object);
--	return_val_if_fail (index->objects != NULL, NULL);
-+	if (index->objects == NULL) {
-+		p11_index_free (index);
-+		return_val_if_reached (NULL);
-+	}
- 
- 	index->buckets = calloc (NUM_BUCKETS, sizeof (index_bucket));
--	return_val_if_fail (index->buckets != NULL, NULL);
-+	if (index->buckets == NULL) {
-+		p11_index_free (index);
-+		return_val_if_reached (NULL);
-+	}
- 
- 	return index;
- }
-diff --git a/trust/persist.c b/trust/persist.c
-index 887b316..569cea1 100644
---- a/trust/persist.c
-+++ b/trust/persist.c
-@@ -89,7 +89,10 @@ p11_persist_new (void)
- 	return_val_if_fail (persist != NULL, NULL);
- 
- 	persist->constants = p11_constant_reverse (true);
--	return_val_if_fail (persist->constants != NULL, NULL);
-+	if (persist->constants == NULL) {
-+		free (persist);
-+		return_val_if_reached (NULL);
-+	}
- 
- 	return persist;
- }
-diff --git a/trust/save.c b/trust/save.c
-index abff864..8184e13 100644
---- a/trust/save.c
-+++ b/trust/save.c
-@@ -68,6 +68,8 @@ static char *   make_unique_name    (const char *bare,
-                                      const char *extension,
-                                      int (*check) (void *, char *),
-                                      void *data);
-+static void filo_free (p11_save_file *file);
-+static void dir_free (p11_save_dir *dir);
- 
- bool
- p11_save_write_and_finish (p11_save_file *file,
-@@ -114,9 +116,15 @@ p11_save_open_file (const char *path,
- 	return_val_if_fail (file != NULL, NULL);
- 	file->temp = temp;
- 	file->bare = strdup (path);
--	return_val_if_fail (file->bare != NULL, NULL);
-+	if (file->bare == NULL) {
-+		filo_free (file);
-+		return_val_if_reached (NULL);
-+	}
- 	file->extension = strdup (extension);
--	return_val_if_fail (file->extension != NULL, NULL);
-+	if (file->extension == NULL) {
-+		filo_free (file);
-+		return_val_if_reached (NULL);
-+	}
- 	file->flags = flags;
- 	file->fd = fd;
- 
-@@ -166,6 +174,13 @@ filo_free (p11_save_file *file)
- 	free (file);
- }
- 
-+static void
-+dir_free (p11_save_dir *dir) {
-+	p11_dict_free (dir->cache);
-+	free (dir->path);
-+	free (dir);
-+}
-+
- #ifdef OS_UNIX
- 
- static int
-@@ -349,10 +364,16 @@ p11_save_open_directory (const char *path,
- 	return_val_if_fail (dir != NULL, NULL);
- 
- 	dir->path = strdup (path);
--	return_val_if_fail (dir->path != NULL, NULL);
-+	if (dir->path == NULL) {
-+		dir_free (dir);
-+		return_val_if_reached (NULL);
-+	}
- 
- 	dir->cache = p11_dict_new (p11_dict_str_hash, p11_dict_str_equal, free, NULL);
--	return_val_if_fail (dir->cache != NULL, NULL);
-+	if (dir->cache == NULL) {
-+		dir_free (dir);
-+		return_val_if_reached (NULL);
-+	}
- 
- 	dir->flags = flags;
- 	return dir;
-diff --git a/trust/session.c b/trust/session.c
-index b93a5c3..d464394 100644
---- a/trust/session.c
-+++ b/trust/session.c
-@@ -59,12 +59,18 @@ p11_session_new (p11_token *token)
- 	session->handle = p11_module_next_id ();
- 
- 	session->builder = p11_builder_new (P11_BUILDER_FLAG_NONE);
--	return_val_if_fail (session->builder, NULL);
-+	if (session->builder == NULL) {
-+		p11_session_free (session);
-+		return_val_if_reached (NULL);
-+	}
- 
- 	session->index = p11_index_new (p11_builder_build, NULL, NULL,
- 	                                p11_builder_changed,
- 	                                session->builder);
--	return_val_if_fail (session->index != NULL, NULL);
-+	if (session->index == NULL) {
-+		p11_session_free (session);
-+		return_val_if_reached (NULL);
-+	}
- 
- 	session->token = token;
- 
-diff --git a/trust/token.c b/trust/token.c
-index 4cbcc77..fd3b043 100644
---- a/trust/token.c
-+++ b/trust/token.c
-@@ -829,7 +829,10 @@ p11_token_new (CK_SLOT_ID slot,
- 	return_val_if_fail (token != NULL, NULL);
- 
- 	token->builder = p11_builder_new (P11_BUILDER_FLAG_TOKEN);
--	return_val_if_fail (token->builder != NULL, NULL);
-+	if (token->builder == NULL) {
-+		p11_token_free (token);
-+		return_val_if_reached (NULL);
-+	}
- 
- 	token->index = p11_index_new (on_index_build,
- 	                              on_index_store,
--- 
-2.17.2
-
-
-From 06323aed926ddc67bd18ed98e5af92035a8e3d39 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Tue, 16 Oct 2018 18:14:46 +0200
-Subject: [PATCH 04/10] build: Check return value of p11_dict_set
-
----
- p11-kit/proxy.c      | 3 ++-
- p11-kit/rpc-server.c | 6 +++++-
- trust/module.c       | 3 ++-
- 3 files changed, 9 insertions(+), 3 deletions(-)
-
-diff --git a/p11-kit/proxy.c b/p11-kit/proxy.c
-index abe7935..11e6165 100644
---- a/p11-kit/proxy.c
-+++ b/p11-kit/proxy.c
-@@ -612,7 +612,8 @@ proxy_C_OpenSession (CK_X_FUNCTION_LIST *self,
- 				sess->wrap_slot = map.wrap_slot;
- 				sess->real_session = *handle;
- 				sess->wrap_session = ++state->last_handle; /* TODO: Handle wrapping, and then collisions */
--				p11_dict_set (state->px->sessions, &sess->wrap_session, sess);
-+				if (!p11_dict_set (state->px->sessions, &sess->wrap_session, sess))
-+					warn_if_reached ();
- 				*handle = sess->wrap_session;
- 			}
- 
-diff --git a/p11-kit/rpc-server.c b/p11-kit/rpc-server.c
-index 2db3524..3a8991d 100644
---- a/p11-kit/rpc-server.c
-+++ b/p11-kit/rpc-server.c
-@@ -2226,7 +2226,11 @@ p11_kit_remote_serve_tokens (const char **tokens,
- 				p11_message_err (error, "couldn't subclass filter");
- 				goto out;
- 			}
--			p11_dict_set (filters, module, filter);
-+			if (!p11_dict_set (filters, module, filter)) {
-+				error = EINVAL;
-+				p11_message_err (error, "couldn't register filter");
-+				goto out;
-+			}
- 		}
- 
- 		for (i = 0; i < n_tokens; i++) {
-diff --git a/trust/module.c b/trust/module.c
-index e09113b..24cda87 100644
---- a/trust/module.c
-+++ b/trust/module.c
-@@ -1321,7 +1321,8 @@ find_objects_match (CK_ATTRIBUTE *attrs,
- 			}
- 			value = memdup (oid->pValue, oid->ulValueLen);
- 			return_val_if_fail (value != NULL, false);
--			p11_dict_set (find->extensions, value, value);
-+			if (!p11_dict_set (find->extensions, value, value))
-+				warn_if_reached ();
- 		}
- 	}
- 
--- 
-2.17.2
-
-
-From 213ea0815ef45411bf6c134918b79d2aad69c1dc Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Tue, 16 Oct 2018 18:16:12 +0200
-Subject: [PATCH 05/10] build: Check return value of p11_rpc_buffer_get_uint64
-
----
- p11-kit/rpc-client.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/p11-kit/rpc-client.c b/p11-kit/rpc-client.c
-index 0dd4525..e202e37 100644
---- a/p11-kit/rpc-client.c
-+++ b/p11-kit/rpc-client.c
-@@ -371,7 +371,8 @@ proto_read_ulong_array (p11_rpc_message *msg, CK_ULONG_PTR arr,
- 
- 	/* We need to go ahead and read everything in all cases */
- 	for (i = 0; i < num; ++i) {
--		p11_rpc_buffer_get_uint64 (msg->input, &msg->parsed, &val);
-+		if (!p11_rpc_buffer_get_uint64 (msg->input, &msg->parsed, &val))
-+			return PARSE_ERROR;
- 		if (arr)
- 			arr[i] = (CK_ULONG)val;
- 	}
--- 
-2.17.2
-
-
-From 1f78cb0b4dd193ec1f1b2b424a497a6c2edec043 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Tue, 16 Oct 2018 18:16:51 +0200
-Subject: [PATCH 06/10] rpc-server: p11_kit_remote_serve_tokens: Fix memleak
-
----
- p11-kit/rpc-server.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/p11-kit/rpc-server.c b/p11-kit/rpc-server.c
-index 3a8991d..5b3dbf0 100644
---- a/p11-kit/rpc-server.c
-+++ b/p11-kit/rpc-server.c
-@@ -2285,6 +2285,11 @@ p11_kit_remote_serve_tokens (const char **tokens,
- 		p11_kit_modules_release (modules);
- 	if (error != 0)
- 		errno = error;
-+	if (uris) {
-+		for (i = 0; i < n_tokens; i++)
-+			p11_kit_uri_free (uris[i]);
-+		free (uris);
-+	}
- 
- 	return ret;
- }
--- 
-2.17.2
-
-
-From 033cd90806cb1e2eab7e799703757abc2f07052e Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Tue, 16 Oct 2018 18:18:05 +0200
-Subject: [PATCH 07/10] proxy: Fix null dereference when reusing slots
-
----
- p11-kit/proxy.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/p11-kit/proxy.c b/p11-kit/proxy.c
-index 11e6165..8eaf205 100644
---- a/p11-kit/proxy.c
-+++ b/p11-kit/proxy.c
-@@ -307,7 +307,10 @@ proxy_create (Proxy **res, CK_FUNCTION_LIST **loaded,
- 							break;
- 					}
- 					py->mappings[py->n_mappings].funcs = funcs;
--					py->mappings[py->n_mappings].wrap_slot = j == n_mappings ? py->n_mappings + MAPPING_OFFSET : mappings[j].wrap_slot;
-+					py->mappings[py->n_mappings].wrap_slot =
-+						(n_mappings == 0 || j == n_mappings) ?
-+						py->n_mappings + MAPPING_OFFSET :
-+						mappings[j].wrap_slot;
- 					py->mappings[py->n_mappings].real_slot = slots[i];
- 					++py->n_mappings;
- 				}
--- 
-2.17.2
-
-
-From da73c2804b3ca962fa51473bb4c303a5ed32d4a1 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Tue, 16 Oct 2018 18:20:12 +0200
-Subject: [PATCH 08/10] trust: Set umask before calling mkstemp
-
----
- trust/save.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/trust/save.c b/trust/save.c
-index 8184e13..bb77348 100644
---- a/trust/save.c
-+++ b/trust/save.c
-@@ -95,6 +95,7 @@ p11_save_open_file (const char *path,
- {
- 	p11_save_file *file;
- 	char *temp;
-+	mode_t mode;
- 	int fd;
- 
- 	return_val_if_fail (path != NULL, NULL);
-@@ -105,7 +106,9 @@ p11_save_open_file (const char *path,
- 	if (asprintf (&temp, "%s%s.XXXXXX", path, extension) < 0)
- 		return_val_if_reached (NULL);
- 
-+	mode = umask (0077);
- 	fd = mkstemp (temp);
-+	umask (mode);
- 	if (fd < 0) {
- 		p11_message_err (errno, "couldn't create file: %s%s", path, extension);
- 		free (temp);
--- 
-2.17.2
-
-
-From 6417780ebbbbb0f01ddb001b239347655fb98578 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Wed, 17 Oct 2018 09:53:27 +0200
-Subject: [PATCH 09/10] rpc-server: Check calloc failure
-
----
- p11-kit/rpc-server.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/p11-kit/rpc-server.c b/p11-kit/rpc-server.c
-index 5b3dbf0..3216742 100644
---- a/p11-kit/rpc-server.c
-+++ b/p11-kit/rpc-server.c
-@@ -2219,6 +2219,10 @@ p11_kit_remote_serve_tokens (const char **tokens,
- 		filter = p11_dict_get (filters, module);
- 		if (filter == NULL) {
- 			lower = calloc (1, sizeof (p11_virtual));
-+			if (lower == NULL) {
-+				error = ENOMEM;
-+				goto out;
-+			}
- 			p11_virtual_init (lower, &p11_virtual_base, module, NULL);
- 			filter = p11_filter_subclass (lower, NULL);
- 			if (filter == NULL) {
--- 
-2.17.2
-
-
-From 83e92c2f9575707083d8b0c70ef330e285d70836 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Wed, 17 Oct 2018 09:53:46 +0200
-Subject: [PATCH 10/10] trust: Check index->buckets is allocated on cleanup
-
----
- trust/index.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/trust/index.c b/trust/index.c
-index 6a8e535..2d1da29 100644
---- a/trust/index.c
-+++ b/trust/index.c
-@@ -193,9 +193,11 @@ p11_index_free (p11_index *index)
- 
- 	p11_dict_free (index->objects);
- 	p11_dict_free (index->changes);
--	for (i = 0; i < NUM_BUCKETS; i++)
--		free (index->buckets[i].elem);
--	free (index->buckets);
-+	if (index->buckets) {
-+		for (i = 0; i < NUM_BUCKETS; i++)
-+			free (index->buckets[i].elem);
-+		free (index->buckets);
-+	}
- 	free (index);
- }
- 
--- 
-2.17.2
-
diff --git a/SOURCES/p11-kit-dt-needed.patch b/SOURCES/p11-kit-dt-needed.patch
new file mode 100644
index 0000000..9c07b87
--- /dev/null
+++ b/SOURCES/p11-kit-dt-needed.patch
@@ -0,0 +1,42 @@
+From a91266ef087532e2332c75c4fd9244df66f30b64 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Fri, 18 Dec 2020 13:37:10 +0100
+Subject: [PATCH] meson: Link trust/client modules explicitly to -ldl
+
+This adds the -ldl link flag missing in the meson build, but present
+in the autotools build.  Although the use-case is unlikely, this
+allows those modules to be linked as a normal shared library to a
+program.
+---
+ p11-kit/meson.build | 1 +
+ trust/meson.build   | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/p11-kit/meson.build b/p11-kit/meson.build
+index 7d57cd7..02147a9 100644
+--- a/p11-kit/meson.build
++++ b/p11-kit/meson.build
+@@ -92,6 +92,7 @@ if host_system != 'windows'
+                 'client.c', 'client-init.c',
+                 name_prefix: '',
+                 include_directories: [configinc, commoninc],
++                dependencies: dlopen_deps,
+                 link_args: p11_module_ldflags,
+                 link_depends: [p11_module_symbol_map,
+                                p11_module_symbol_def],
+diff --git a/trust/meson.build b/trust/meson.build
+index 482a3c1..d4a8e15 100644
+--- a/trust/meson.build
++++ b/trust/meson.build
+@@ -56,7 +56,7 @@ shared_module('p11-kit-trust',
+               'module-init.c',
+               name_prefix: '',
+               c_args: p11_kit_trust_c_args,
+-              dependencies: [asn_h_dep, libp11_library_dep] + libtasn1_deps,
++              dependencies: [asn_h_dep, libp11_library_dep] + dlopen_deps + libtasn1_deps,
+               link_args: p11_module_ldflags,
+               link_depends: [p11_module_symbol_map,
+                              p11_module_symbol_def],
+-- 
+2.29.2
+
diff --git a/SOURCES/p11-kit-lower-libffi-priority.patch b/SOURCES/p11-kit-lower-libffi-priority.patch
deleted file mode 100644
index e5021b6..0000000
--- a/SOURCES/p11-kit-lower-libffi-priority.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 6e1046de2233fba7875d3d6a1b260192678dd0ad Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Fri, 19 Oct 2018 10:21:36 +0200
-Subject: [PATCH] virtual: Prefer fixed closures to libffi closures
-
-On some circumstances (such as when loading p11-kit-proxy from httpd),
-it is known that creation of libffi closure always fails, due to
-SELinux policy.  Although this is harmless, it pollutes the journal
-and gives wrong hints when troubleshooting.  This patch changes the
-order of preference of libffi vs pre-compiled closures to avoid that.
----
- p11-kit/virtual.c | 19 ++++++++++++++-----
- 1 file changed, 14 insertions(+), 5 deletions(-)
-
-diff --git a/p11-kit/virtual.c b/p11-kit/virtual.c
-index 6abfe7a..338239f 100644
---- a/p11-kit/virtual.c
-+++ b/p11-kit/virtual.c
-@@ -2832,9 +2832,14 @@ p11_virtual_wrap (p11_virtual *virt,
-                   p11_destroyer destroyer)
- {
- 	Wrapper *wrapper;
-+	CK_FUNCTION_LIST *result;
- 
- 	return_val_if_fail (virt != NULL, NULL);
- 
-+	result = p11_virtual_wrap_fixed (virt, destroyer);
-+	if (result)
-+		return result;
-+
- 	wrapper = calloc (1, sizeof (Wrapper));
- 	return_val_if_fail (wrapper != NULL, NULL);
- 
-@@ -2844,8 +2849,10 @@ p11_virtual_wrap (p11_virtual *virt,
- 	wrapper->bound.version.minor = CRYPTOKI_VERSION_MINOR;
- 	wrapper->fixed_index = -1;
- 
--	if (!init_wrapper_funcs (wrapper))
--		return p11_virtual_wrap_fixed (virt, destroyer);
-+	if (!init_wrapper_funcs (wrapper)) {
-+		free (wrapper);
-+		return_val_if_reached (NULL);
-+	}
- 
- 	assert ((void *)wrapper == (void *)&wrapper->bound);
- 	assert (p11_virtual_is_wrapper (&wrapper->bound));
-@@ -2859,7 +2866,11 @@ CK_FUNCTION_LIST *
- p11_virtual_wrap (p11_virtual *virt,
-                   p11_destroyer destroyer)
- {
--	return p11_virtual_wrap_fixed (virt, destroyer);
-+	CK_FUNCTION_LIST *result;
-+
-+	result = p11_virtual_wrap_fixed (virt, destroyer);
-+	return_val_if_fail (result != NULL, NULL);
-+	return result;
- }
- 
- #endif /* !FFI_CLOSURES */
-@@ -3068,8 +3079,6 @@ p11_virtual_wrap_fixed (p11_virtual *virt,
- 	}
- 	p11_mutex_unlock (&p11_virtual_mutex);
- 
--	return_val_if_fail (result != NULL, NULL);
--
- 	return result;
- }
- 
--- 
-2.17.2
-
diff --git a/SOURCES/p11-kit-unloading-fix.patch b/SOURCES/p11-kit-unloading-fix.patch
deleted file mode 100644
index 189ef46..0000000
--- a/SOURCES/p11-kit-unloading-fix.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 4a925177a81c2566d2a81a0a450607a5ff4d9048 Mon Sep 17 00:00:00 2001
-From: Stefano Garzarella <sgarzare@redhat.com>
-Date: Wed, 27 Feb 2019 12:25:20 +0100
-Subject: [PATCH] modules: check gl.modules before iterates on it when freeing
-
-In some circumstances, as described in the BZ, can happen that
-free_modules_when_no_refs_unlocked() is called multiple times
-when the module destructor is invoked.
-We should check gl.modules before iterates on it in the
-free_modules_when_no_refs_unlocked() functions, to avoid
-a SIGSEGV.
-
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1680963
----
- p11-kit/modules.c | 18 ++++++++++--------
- 1 file changed, 10 insertions(+), 8 deletions(-)
-
-diff --git a/p11-kit/modules.c b/p11-kit/modules.c
-index 0299eda..891ce4c 100644
---- a/p11-kit/modules.c
-+++ b/p11-kit/modules.c
-@@ -797,14 +797,16 @@ init_globals_unlocked (void)
- static void
- free_modules_when_no_refs_unlocked (void)
- {
--	Module *mod;
--	p11_dictiter iter;
--
--	/* Check if any modules have a ref count */
--	p11_dict_iterate (gl.modules, &iter);
--	while (p11_dict_next (&iter, (void **)&mod, NULL)) {
--		if (mod->ref_count)
--			return;
-+	if (gl.modules) {
-+		Module *mod;
-+		p11_dictiter iter;
-+
-+		/* Check if any modules have a ref count */
-+		p11_dict_iterate (gl.modules, &iter);
-+		while (p11_dict_next (&iter, (void **)&mod, NULL)) {
-+			if (mod->ref_count)
-+				return;
-+		}
- 	}
- 
- 	p11_dict_free (gl.unmanaged_by_funcs);
--- 
-2.20.1
-
diff --git a/SPECS/p11-kit.spec b/SPECS/p11-kit.spec
index f8563fc..7d0e73b 100644
--- a/SPECS/p11-kit.spec
+++ b/SPECS/p11-kit.spec
@@ -1,26 +1,33 @@
 # This spec file has been automatically updated
-Version:	0.23.14
-Release: 5%{?dist}
+Version:	0.23.22
+Release: 1%{?dist}
 Name:           p11-kit
 Summary:        Library for loading and sharing PKCS#11 modules
 
 License:        BSD
 URL:            http://p11-glue.freedesktop.org/p11-kit.html
-Source0:        https://github.com/p11-glue/p11-kit/releases/download/%{version}/p11-kit-%{version}.tar.gz
-Source1:        trust-extract-compat
-Source2:	p11-kit-client.service
-Patch1:         p11-kit-coverity.patch
-Patch2:		p11-kit-lower-libffi-priority.patch
-Patch3:		p11-kit-unloading-fix.patch
+Source0:        https://github.com/p11-glue/p11-kit/releases/download/%{version}/p11-kit-%{version}.tar.xz
+Source1:        https://github.com/p11-glue/p11-kit/releases/download/%{version}/p11-kit-%{version}.tar.xz.sig
+Source2:        gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
+Source3:        trust-extract-compat
+Source4:        p11-kit-client.service
+
+Patch1:         p11-kit-dt-needed.patch
 
 BuildRequires:  gcc
 BuildRequires:  libtasn1-devel >= 2.3
+BuildRequires:  libtasn1-tools
 BuildRequires:  libffi-devel
+BuildRequires:  gettext
 BuildRequires:  gtk-doc
-BuildRequires:	systemd-devel
+BuildRequires:  meson
+BuildRequires:  systemd-devel
+BuildRequires:  bash-completion
 # Work around for https://bugzilla.redhat.com/show_bug.cgi?id=1497147
 # Remove this once it is fixed
 BuildRequires:  pkgconfig(glib-2.0)
+BuildRequires:  gnupg2
+BuildRequires:  /usr/bin/xsltproc
 
 %description
 p11-kit provides a way to load and enumerate PKCS#11 modules, as well
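Review bot: The new `Source2` key file is the trust anchor for the signature check, but the preamble does not record where the key was obtained or how its fingerprint was confirmed; unlike `Source0` and `Source1` it has no URL. Within this repository its integrity rests only on the digest recorded for it in `.p11-kit.metadata`. I would add a comment above it such as `# Upstream release signing key; fingerprint confirmed against <source of fingerprint>`, filled in with the real source. `Patch1` would likewise benefit from a one-line comment stating its upstream status.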
@@ -38,11 +45,11 @@ developing applications that use %{name}.
 
 
 %package trust
-Summary:        System trust module from %{name}
-Requires:       %{name}%{?_isa} = %{version}-%{release}
-Requires(post):   %{_sbindir}/update-alternatives
-Requires(postun): %{_sbindir}/update-alternatives
-Conflicts:        nss < 3.14.3-9
+Summary:            System trust module from %{name}
+Requires:           %{name}%{?_isa} = %{version}-%{release}
+Requires(post):     %{_sbindir}/update-alternatives
+Requires(postun):   %{_sbindir}/update-alternatives
+Conflicts:          nss < 3.14.3-9
 
 %description trust
 The %{name}-trust package contains a system trust PKCS#11 module which
@@ -69,37 +76,35 @@ feature is still experimental.
 
 
 %prep
+gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
+
 %autosetup -p1
 
 %build
 # These paths are the source paths that  come from the plan here:
 # https://fedoraproject.org/wiki/Features/SharedSystemCertificates:SubTasks
-%configure --disable-static --enable-doc --with-trust-paths=%{_sysconfdir}/pki/ca-trust/source:%{_datadir}/pki/ca-trust-source --disable-silent-rules
-make %{?_smp_mflags} V=1
+%meson -Dgtk_doc=true -Dman=true -Dtrust_paths=%{_sysconfdir}/pki/ca-trust/source:%{_datadir}/pki/ca-trust-source
+%meson_build
 
 %install
-make install DESTDIR=$RPM_BUILD_ROOT
+%meson_install
 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pkcs11/modules
-rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
-rm -f $RPM_BUILD_ROOT%{_libdir}/pkcs11/*.la
-install -p -m 755 %{SOURCE1} $RPM_BUILD_ROOT%{_libexecdir}/p11-kit/
+install -p -m 755 %{SOURCE3} $RPM_BUILD_ROOT%{_libexecdir}/p11-kit/
 # Install the example conf with %%doc instead
-rm $RPM_BUILD_ROOT%{_sysconfdir}/pkcs11/pkcs11.conf.example
+mkdir -p $RPM_BUILD_ROOT%{_docdir}/%{name}
+mv $RPM_BUILD_ROOT%{_sysconfdir}/pkcs11/pkcs11.conf.example $RPM_BUILD_ROOT%{_docdir}/%{name}/pkcs11.conf.example
 mkdir -p $RPM_BUILD_ROOT%{_userunitdir}
-install -p -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_userunitdir}
+install -p -m 644 %{SOURCE4} $RPM_BUILD_ROOT%{_userunitdir}
+%find_lang %{name}
 
 %check
-make check
+%meson_test
 
 
-%post -p /sbin/ldconfig
-
 %post trust
 %{_sbindir}/update-alternatives --install %{_libdir}/libnssckbi.so \
         %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so 30
 
-%postun -p /sbin/ldconfig
-
 %postun trust
 if [ $1 -eq 0 ] ; then
         # package removal
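Review bot: The `gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}` line added to `%prep` has no comment, and gpgv treats every key in the supplied keyring as trusted without checking expiry or revocation. The check is therefore only as current as the pinned key file. I would add `# Verify the upstream tarball against the pinned release key; gpgv does not check key expiry or revocation, so re-validate the key on each rebase` above it. Quoting the three macro arguments would also keep the command intact if the sources directory path ever contains whitespace.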
@@ -107,11 +112,11 @@ if [ $1 -eq 0 ] ; then
 fi
 
 
-%files
+%files -f %{name}.lang
 %{!?_licensedir:%global license %%doc}
 %license COPYING
 %doc AUTHORS NEWS README
-%doc p11-kit/pkcs11.conf.example
+%{_docdir}/%{name}/pkcs11.conf.example
 %dir %{_sysconfdir}/pkcs11
 %dir %{_sysconfdir}/pkcs11/modules
 %dir %{_datadir}/p11-kit
@@ -124,6 +129,7 @@ fi
 %{_mandir}/man1/trust.1.gz
 %{_mandir}/man8/p11-kit.8.gz
 %{_mandir}/man5/pkcs11.conf.5.gz
+%{_datadir}/bash-completion/completions/p11-kit
 
 %files devel
 %{_includedir}/p11-kit-1/
@@ -138,6 +144,7 @@ fi
 %{_libdir}/pkcs11/p11-kit-trust.so
 %{_datadir}/p11-kit/modules/p11-kit-trust.module
 %{_libexecdir}/p11-kit/trust-extract-compat
+%{_datadir}/bash-completion/completions/trust
 
 %files server
 %{_libdir}/pkcs11/p11-kit-client.so
@@ -148,6 +155,25 @@ fi
 
 
 %changelog
+* Mon Jan 11 2021 Daiki Ueno <dueno@redhat.com> - 0.23.22-1
+- Rebase to 0.23.22 to fix memory safety issues (CVE-2020-29361, CVE-2020-29362, and CVE-2020-29363)
+- Preserve DT_NEEDED information from the previous version, flagged by rpmdiff
+- Add xsltproc to BR
+
+* Tue Nov 10 2020 Daiki Ueno <dueno@redhat.com> - 0.23.21-4
+- Fix realloc usage on proxy cleanup (#1894979)
+- Make 'trust anchor --store' preserve all attributes from .p11-kit files
+
+* Tue Nov  3 2020 Daiki Ueno <dueno@redhat.com> - 0.23.21-3
+- Restore clobbered changelog entry
+
+* Mon Nov  2 2020 Daiki Ueno <dueno@redhat.com> - 0.23.21-2
+- Update p11-kit-invalid-config.patch to be more thorough (thanks to
+  Alexander Sosedkin)
+
+* Tue Oct 20 2020 Daiki Ueno <dueno@redhat.com> - 0.23.21-1
+- Update to upstream 0.23.21 release
+
 * Fri Mar 29 2019 Daiki Ueno <dueno@redhat.com> - 0.23.14-5
 - Fix crash on unloading the library, when it is both linked and dlopen'ed