nss-pem package creation

Signed-off-by: basebuilder_pel7x64builder0 <basebuilder@powerel.org>
6 years ago · 59f7388cbe
2 changed files with 254 additions and 1 deletions
--- a/SOURCES/0002-nss-pem-1.0.3-key-reload.patch
+++ b/SOURCES/0002-nss-pem-1.0.3-key-reload.patch
@ -0,0 +1,246 @@
				@@ -0,0 +1,246 @@
+From 31eddc5b70ff2158102af6c72849c3a500c4d002 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Fri, 3 Aug 2018 15:05:22 +0200
+Subject: [PATCH 1/5] pem_CreateObject: rewrite the conditions in the cert
+ search loop
+
+... to make the code more readable.  No changes in behavior are intended
+by this commit.
+
+Upstream-commit: 1d51c2337bc7156e3dfd7a8087ac4328f71174e3
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ src/pobject.c | 27 +++++++++++++++------------
+ 1 file changed, 15 insertions(+), 12 deletions(-)
+
+diff --git a/src/pobject.c b/src/pobject.c
+index e8891d0..c8539f2 100644
+--- a/src/pobject.c
+++ b/src/pobject.c
+@@ -1209,7 +1209,6 @@ pem_CreateObject
+                 goto loser;
+         }
+     } else if (objClass == CKO_PRIVATE_KEY) {
+-        /* Brute force: find the id of the certificate, if any, in this slot */
+         int i;
+         SECItem certDER;
+         CK_SESSION_HANDLE hSession;
+@@ -1222,24 +1221,28 @@ pem_CreateObject
+         certDER.len = 0; /* in case there is no equivalent cert */
+         certDER.data = NULL;
+ 
+        /* Brute force: find the id of the certificate, if any, in this slot */
+         objid = -1;
+         for (i = 0; i < pem_nobjs; i++) {
+             if (NULL == pem_objs[i])
+                 continue;
+ 
+-            if ((slotID == pem_objs[i]->slotID) && (pem_objs[i]->type == pemCert)) {
+-                objid = atoi(pem_objs[i]->id.data);
+-                certDER.data =
+-                    (void *) NSS_ZAlloc(NULL, pem_objs[i]->derCert->len);
+            if (slotID != pem_objs[i]->slotID)
+                continue;
+ 
+-                if (certDER.data == NULL)
+-                    goto loser;
+            if (pem_objs[i]->type != pemCert)
+                continue;
+ 
+-                certDER.len = pem_objs[i]->derCert->len;
+-                memcpy(certDER.data,
+-                        pem_objs[i]->derCert->data,
+-                        pem_objs[i]->derCert->len);
+-            }
+            objid = atoi(pem_objs[i]->id.data);
+            certDER.data = NSS_ZAlloc(NULL, pem_objs[i]->derCert->len);
+
+            if (certDER.data == NULL)
+                goto loser;
+
+            certDER.len = pem_objs[i]->derCert->len;
+            memcpy(certDER.data,
+                    pem_objs[i]->derCert->data,
+                    pem_objs[i]->derCert->len);
+         }
+ 
+         /* We're just adding a key, we'll assume the cert is next */
+-- 
+2.17.1
+
+
+From 476e1a7db2b35146db6c1fb5c0cd230f84778583 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Fri, 3 Aug 2018 15:09:01 +0200
+Subject: [PATCH 2/5] pem_CreateObject: fix memory leak in the cert search loop
+
+If we search the array in reverse direction and stop on the first match,
+we end up with the same results but without leaking certDER.data in each
+iteration after the first match.
+
+Upstream-commit: e85b6f903fa38a34672428be114741d397f17fe2
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ src/pobject.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/pobject.c b/src/pobject.c
+index c8539f2..34d0b5a 100644
+--- a/src/pobject.c
+++ b/src/pobject.c
+@@ -1223,7 +1223,7 @@ pem_CreateObject
+ 
+         /* Brute force: find the id of the certificate, if any, in this slot */
+         objid = -1;
+-        for (i = 0; i < pem_nobjs; i++) {
+        for (i = pem_nobjs - 1; 0 <= i; i--) {
+             if (NULL == pem_objs[i])
+                 continue;
+ 
+@@ -1243,6 +1243,7 @@ pem_CreateObject
+             memcpy(certDER.data,
+                     pem_objs[i]->derCert->data,
+                     pem_objs[i]->derCert->len);
+            break;
+         }
+ 
+         /* We're just adding a key, we'll assume the cert is next */
+-- 
+2.17.1
+
+
+From dddc9331e35520b772b499475f5f2a67eeac8fef Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Fri, 3 Aug 2018 15:12:46 +0200
+Subject: [PATCH 3/5] pem_CreateObject: check object ID in the cert search loop
+
+We need to find a certificate that refers to the key being added,
+which is not necessarily the last certificate added to the slot.
+
+Bug: https://bugzilla.redhat.com/1610998
+
+Upstream-commit: 5e6d9ce0d638eb6c9f25f31366960db2f8031716
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ src/pobject.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/pobject.c b/src/pobject.c
+index 34d0b5a..918b327 100644
+--- a/src/pobject.c
+++ b/src/pobject.c
+@@ -1233,7 +1233,11 @@ pem_CreateObject
+             if (pem_objs[i]->type != pemCert)
+                 continue;
+ 
+-            objid = atoi(pem_objs[i]->id.data);
+            if (atoi(pem_objs[i]->id.data) != pem_nobjs)
+                /* not a certificate that refers to the key being added */
+                continue;
+
+            objid = pem_nobjs;
+             certDER.data = NSS_ZAlloc(NULL, pem_objs[i]->derCert->len);
+ 
+             if (certDER.data == NULL)
+-- 
+2.17.1
+
+
+From ed88392c385d7a8733891fb736e9b7456331b617 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Fri, 3 Aug 2018 15:22:23 +0200
+Subject: [PATCH 4/5] AddObjectIfNeeded: use a pointer to avoid code
+ duplication
+
+No changes in behavior intended by this commit.
+
+Upstream-commit: 0eafa24fdf0b54e5a63a76a7c63dc4000253c971
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ src/pinst.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/src/pinst.c b/src/pinst.c
+index 5ac0ff3..c54cbe2 100644
+--- a/src/pinst.c
+++ b/src/pinst.c
+@@ -401,16 +401,17 @@ AddObjectIfNeeded(CK_OBJECT_CLASS objClass,
+ 
+     /* first look for the object in pem_objs, it might be already there */
+     for (i = 0; i < pem_nobjs; i++) {
+-        if (NULL == pem_objs[i])
+        pemInternalObject *const curObj = pem_objs[i];
+        if (NULL == curObj)
+             continue;
+ 
+         /* Comparing DER encodings is dependable and frees the PEM module
+          * from having to require clients to provide unique nicknames.
+          */
+-        if ((pem_objs[i]->objClass == objClass)
+-                && (pem_objs[i]->type == type)
+-                && (pem_objs[i]->slotID == slotID)
+-                && derEncodingsMatch(objClass, pem_objs[i], certDER, keyDER)) {
+        if ((curObj->objClass == objClass)
+                && (curObj->type == type)
+                && (curObj->slotID == slotID)
+                && derEncodingsMatch(objClass, curObj, certDER, keyDER)) {
+ 
+             /* While adding a client certificate we (wrongly?) assumed that the
+              * key object will follow right after the cert object.  However, if
+@@ -420,8 +421,8 @@ AddObjectIfNeeded(CK_OBJECT_CLASS objClass,
+             LinkSharedKeyObject(pem_nobjs, i);
+ 
+             plog("AddObjectIfNeeded: re-using internal object #%i\n", i);
+-            pem_objs[i]->refCount ++;
+-            return pem_objs[i];
+            curObj->refCount ++;
+            return curObj;
+         }
+     }
+ 
+-- 
+2.17.1
+
+
+From 9f0b5facee73afe5578e98010128a72236e6c370 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Fri, 3 Aug 2018 16:00:50 +0200
+Subject: [PATCH 5/5] AddObjectIfNeeded: update object ID while reusing a
+ certificate
+
+... in case it refers to an object that has already been removed
+
+Bug: https://bugzilla.redhat.com/1610998
+
+Upstream-commit: e14465a1238dcf7364dc07a1438d24111ccad3b1
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ src/pinst.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/src/pinst.c b/src/pinst.c
+index c54cbe2..25485b1 100644
+--- a/src/pinst.c
+++ b/src/pinst.c
+@@ -420,6 +420,18 @@ AddObjectIfNeeded(CK_OBJECT_CLASS objClass,
+              */
+             LinkSharedKeyObject(pem_nobjs, i);
+ 
+            if (CKO_CERTIFICATE == objClass) {
+                const int ref = atoi(curObj->id.data);
+                if (0 < ref && ref < pem_nobjs && !pem_objs[ref]) {
+                    /* The certificate we are going to reuse refers to an
+                     * object that has already been removed.  Make it refer
+                     * to the object that will be added next (private key).
+                     */
+                    NSS_ZFreeIf(curObj->id.data);
+                    assignObjectID(curObj, pem_nobjs);
+                }
+            }
+
+             plog("AddObjectIfNeeded: re-using internal object #%i\n", i);
+             curObj->refCount ++;
+             return curObj;
+-- 
+2.17.1
+
--- a/SPECS/nss-pem.spec
+++ b/SPECS/nss-pem.spec
@ -1,6 +1,6 @@
				@@ -1,6 +1,6 @@
 Name:       nss-pem
 Version:    1.0.3
-Release:    4%{?dist}
+Release:    5%{?dist}
 Summary:    PEM file reader for Network Security Services (NSS)

 License:    MPLv1.1
@ -8,6 +8,9 @@ URL:        https://github.com/kdudka/nss-pem
				@@ -8,6 +8,9 @@ URL:        https://github.com/kdudka/nss-pem
 Source0:    https://github.com/kdudka/nss-pem/releases/download/%{name}-%{version}/%{name}-%{version}.tar.xz
 Patch1:     0001-nss-pem-1.0.3-drop-wait-for-slot-event-cb.patch

+# update object ID while reusing a certificate (#1610998)
+Patch2:     0002-nss-pem-1.0.3-key-reload.patch
+
 BuildRequires: cmake
 BuildRequires: nss-pkcs11-devel

@ -24,6 +27,7 @@ module.
				@@ -24,6 +27,7 @@ module.
 %prep
 %setup -q
 %patch1 -p1
+%patch2 -p1

 %build
 mkdir build
@ -44,6 +48,9 @@ ctest %{?_smp_mflags} --output-on-failure
				@@ -44,6 +48,9 @@ ctest %{?_smp_mflags} --output-on-failure
 %license COPYING

 %changelog
+* Wed Aug 08 2018 Kamil Dudka <kdudka@redhat.com> 1.0.3-5
+- update object ID while reusing a certificate (#1610998)
+
 * Wed Apr 26 2017 Kamil Dudka <kdudka@redhat.com> 1.0.3-4
 - fix missing prototypes detected by Covscan