From 125b3129eea075788e9edac6871767d1a7845f0839131c488963fedccc1ae7d8 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 1 Aug 2013 02:49:52 +0000 Subject: [PATCH] Accepting request 185349 from home:gary_lin:branches:devel:openSUSE:Factory - Update shim-mokmanager-ui-revamp.patch to include fixes for MokManager + reboot the system after clearing MOK password + fetch more info from X509 name + check the suffix of the key file OBS-URL: https://build.opensuse.org/request/show/185349 OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=30 --- shim-mokmanager-ui-revamp.patch | 234 ++++++++++++++++++++++++++++++-- shim.changes | 9 ++ 2 files changed, 235 insertions(+), 8 deletions(-) diff --git a/shim-mokmanager-ui-revamp.patch b/shim-mokmanager-ui-revamp.patch index 4fbb106..80c4251 100644 --- a/shim-mokmanager-ui-revamp.patch +++ b/shim-mokmanager-ui-revamp.patch @@ -1,7 +1,7 @@ From a6436443a82b23de4c5dfe83f3c8389f8b554ad3 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 30 May 2013 14:22:43 +0800 -Subject: [PATCH 1/8] MokManager: Remove the unnecessary string duplication +Subject: [PATCH 01/11] MokManager: Remove the unnecessary string duplication --- MokManager.c | 19 ++++++++----------- @@ -82,7 +82,7 @@ index b05a52f..918d96b 100644 From ef8fdc597fd532cc4c91c3d2ee638ef339002618 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 18 Apr 2013 17:13:12 +0800 -Subject: [PATCH 2/8] MokManager: draw the countdown screen +Subject: [PATCH 02/11] MokManager: draw the countdown screen --- MokManager.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ @@ -173,7 +173,7 @@ index 918d96b..6b8c79b 100644 From 9ff682d251b3d30fae63c026aa0105c49db7db16 Mon Sep 17 00:00:00 2001 
From: Gary Ching-Pang Lin Date: Wed, 26 Jun 2013 12:23:26 +0800 -Subject: [PATCH 3/8] MokManager: remove the duplicate get_keystroke() +Subject: [PATCH 03/11] MokManager: remove the duplicate get_keystroke() --- MokManager.c | 14 +------------- @@ -218,7 +218,7 @@ index 6b8c79b..6555a06 100644 From 4c9f6b0b2100f5e878d8578db3ee232c20440735 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Wed, 26 Jun 2013 15:21:35 +0800 -Subject: [PATCH 4/8] MokManager: enhance the password prompt +Subject: [PATCH 04/11] MokManager: enhance the password prompt --- MokManager.c | 106 +++++++++++++++++++++++++++++++++++++++++++++-------------- @@ -429,7 +429,7 @@ index 6555a06..4393aec 100644 From 6e71cb7900b99482c7b51a6076f8392022ba15a6 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 27 Jun 2013 11:59:09 +0800 -Subject: [PATCH 5/8] Enable openssl bio_printf() +Subject: [PATCH 05/11] Enable openssl bio_printf() bio_printf() was replaced with a dummy function and this made several openssl functions useless. This commit adds the print @@ -1330,7 +1330,7 @@ index fb446b6..5a8322d 100644 From 0b5a0362d6bd3fd1a0721e05353046e387ef2a22 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 27 Jun 2013 12:03:14 +0800 -Subject: [PATCH 6/8] Disable floating points in b_print +Subject: [PATCH 06/11] Disable floating points in b_print The long double declaration will enable SSE and cause a compilation error. Disabling everything related to floating points avoids the @@ -1403,7 +1403,7 @@ index 3a87b0e..b8b630c 100644 From bb29385b30d6958fa99e43bfcf64815ca4bc4a53 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 27 Jun 2013 12:28:08 +0800 -Subject: [PATCH 7/8] MokManager: rearrange the output of MOK info +Subject: [PATCH 07/11] MokManager: rearrange the output of MOK info --- MokManager.c | 239 ++++++++++++++++++++--------------------------------------- @@ -1758,7 +1758,7 @@ index 4393aec..8b770ff 100644 
From 139e31d514772f7aa74cf130ac1e4f2d548734ca Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 27 Jun 2013 15:04:07 +0800 -Subject: [PATCH 8/8] MokManager: enhance the password prompt for SB state +Subject: [PATCH 08/11] MokManager: enhance the password prompt for SB state --- MokManager.c | 62 +++++++++++++++++++++++++++++++++++++++++++++++++++++------- 
@@ -1862,3 +1862,221 @@ index 8b770ff..b832e40 100644 -- 1.8.1.4 + +From f6102590b773cef0825eb707a793e70b54b882e9 Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Wed, 24 Jul 2013 14:39:39 +0800 +Subject: [PATCH 09/11] MokManager: reboot the system after clearing MOK + password + +--- + MokManager.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/MokManager.c b/MokManager.c +index b832e40..bef4d8c 100644 +--- a/MokManager.c ++++ b/MokManager.c +@@ -1107,7 +1107,11 @@ static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) { + + LibDeleteVariable(L"MokPWStore", &shim_lock_guid); + LibDeleteVariable(L"MokPW", &shim_lock_guid); +- return 0; ++ console_notify(L"The system must now be rebooted"); ++ uefi_call_wrapper(RT->ResetSystem, 4, EfiResetWarm, EFI_SUCCESS, 0, ++ NULL); ++ console_notify(L"Failed to reboot"); ++ return -1; + } + + if (MokPWSize == PASSWORD_CRYPT_SIZE) { +-- +1.8.1.4 + + +From 05eeef80e4ae2bac8f0f27a8c1bc6c3869e030ce Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Fri, 26 Jul 2013 12:44:42 +0800 +Subject: [PATCH 10/11] MokManager: fetch more info from X509 name + +--- + MokManager.c | 63 +++++++++++++++++++++++++++++++++++++++++++++++++++++------- + 1 file changed, 56 insertions(+), 7 deletions(-) + +diff --git a/MokManager.c b/MokManager.c +index bef4d8c..911c510 100644 +--- a/MokManager.c ++++ b/MokManager.c +@@ -14,6 +14,8 @@ + #define PASSWORD_MIN 1 + #define SB_PASSWORD_LEN 16 + ++#define NAME_LINE_MAX 70 ++ + #ifndef SHIM_VENDOR + #define SHIM_VENDOR L"Shim" + #endif +@@ -180,14 +182,61 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) { + return list; + } + +-static CHAR16* get_x509_common_name (X509_NAME *X509Name) ++typedef struct { ++ int nid; ++ CHAR16 *name; ++} NidName; ++ ++static NidName nidname[] = { ++ {NID_commonName, L"CN"}, ++ {NID_organizationName, L"O"}, ++ {NID_countryName, L"C"}, ++ {NID_stateOrProvinceName, L"ST"}, ++ {NID_localityName, L"L"}, ++ 
{-1, NULL} ++}; ++ ++static CHAR16* get_x509_name (X509_NAME *X509Name) + { +- char str[80]; ++ CHAR16 name[NAME_LINE_MAX+1]; ++ CHAR16 part[NAME_LINE_MAX+1]; ++ char str[NAME_LINE_MAX]; ++ int i, len, rest, first; ++ ++ name[0] = '\0'; ++ rest = NAME_LINE_MAX; ++ first = 1; ++ for (i = 0; nidname[i].name != NULL; i++) { ++ int add; ++ len = X509_NAME_get_text_by_NID (X509Name, nidname[i].nid, ++ str, NAME_LINE_MAX); ++ if (len <= 0) ++ continue; + +- ZeroMem(str, 80); +- X509_NAME_get_text_by_NID (X509Name, NID_commonName, str, 80); ++ if (first) ++ add = len + (int)StrLen(nidname[i].name) + 1; ++ else ++ add = len + (int)StrLen(nidname[i].name) + 3; + +- return PoolPrint(L"%a", str); ++ if (add > rest) ++ continue; ++ ++ if (first) { ++ SPrint(part, NAME_LINE_MAX * sizeof(CHAR16), L"%s=%a", ++ nidname[i].name, str); ++ } else { ++ SPrint(part, NAME_LINE_MAX * sizeof(CHAR16), L", %s=%a", ++ nidname[i].name, str); ++ } ++ StrCat(name, part); ++ rest -= add; ++ first = 0; ++ } ++ ++ if (rest >= 0 && rest < NAME_LINE_MAX) ++ return PoolPrint(L"%s", name); ++ ++ return NULL; + } + + static CHAR16* get_x509_time (ASN1_TIME *time) +@@ -243,14 +292,14 @@ static void show_x509_info (X509 *X509Cert, UINT8 *hash) + + X509Name = X509_get_issuer_name(X509Cert); + if (X509Name) { +- issuer = get_x509_common_name(X509Name); ++ issuer = get_x509_name(X509Name); + if (issuer) + fields++; + } + + X509Name = X509_get_subject_name(X509Cert); + if (X509Name) { +- subject = get_x509_common_name(X509Name); ++ subject = get_x509_name(X509Name); + if (subject) + fields++; + } +-- +1.8.1.4 + + +From 6d6df739005169333734ee04fc379a28d213ab8c Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Fri, 26 Jul 2013 15:44:49 +0800 +Subject: [PATCH 11/11] MokManager: check the suffix of the key file + +--- + MokManager.c | 39 ++++++++++++++++++++++++++++++++++++++- + 1 file changed, 38 insertions(+), 1 deletion(-) + +diff --git a/MokManager.c b/MokManager.c +index 911c510..604129f 100644 
+--- a/MokManager.c ++++ b/MokManager.c +@@ -1199,7 +1199,7 @@ static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) { + return -1; + } + +-static UINTN verify_certificate(void *cert, UINTN size) ++static BOOLEAN verify_certificate(void *cert, UINTN size) + { + X509 *X509Cert; + if (!cert || size == 0) +@@ -1341,6 +1341,34 @@ static void mok_hash_enroll(void) + FreePool(data); + } + ++static CHAR16 *der_suffix[] = { ++ L".cer", ++ L".der", ++ L".crt", ++ NULL ++}; ++ ++static BOOLEAN check_der_suffix (CHAR16 *file_name) ++{ ++ CHAR16 suffix[5]; ++ int i; ++ ++ if (!file_name || StrLen(file_name) <= 4) ++ return FALSE; ++ ++ suffix[0] = '\0'; ++ StrCat(suffix, file_name + StrLen(file_name) - 4); ++ ++ StrLwr (suffix); ++ for (i = 0; der_suffix[i] != NULL; i++) { ++ if (StrCmp(suffix, der_suffix[i]) == 0) { ++ return TRUE; ++ } ++ } ++ ++ return FALSE; ++} ++ + static void mok_key_enroll(void) + { + EFI_STATUS efi_status; +@@ -1362,6 +1390,15 @@ static void mok_key_enroll(void) + if (!file_name) + return; + ++ if (!check_der_suffix(file_name)) { ++ console_alertbox((CHAR16 *[]){ ++ L"Unsupported Format", ++ L"", ++ L"Only DER encoded certificate (*.cer/der/crt) is supported", ++ NULL}); ++ return; ++ } ++ + efi_status = simple_file_open(im, file_name, &file, EFI_FILE_MODE_READ); + + if (efi_status != EFI_SUCCESS) { +-- +1.8.1.4 + diff --git a/shim.changes b/shim.changes index 3695a84..18b3e31 100644 --- a/shim.changes +++ b/shim.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Tue Jul 30 07:36:28 UTC 2013 - glin@suse.com + +- Update shim-mokmanager-ui-revamp.patch to include fixes for + MokManager + + reboot the system after clearing MOK password + + fetch more info from X509 name + + check the suffix of the key file + ------------------------------------------------------------------- Tue Jul 23 03:55:05 UTC 2013 - glin@suse.com
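Review bot: In get_x509_name (patch 10/11 of the embedded series) a component that does not fit is dropped silently by `if (add > rest) continue;`, and `X509_NAME_get_text_by_NID(..., str, NAME_LINE_MAX)` is bounded by the 70-byte `str`, so a certificate with a long CN is presented to the enrolling user as just `O=…, C=…` with no hint that the CN was omitted; since this string is what the user relies on to accept a key, the loop should record that something was skipped and append a marker such as `StrCat(name, L", ...")` before the `rest >= 0` return. The `SPrint(part, NAME_LINE_MAX * sizeof(CHAR16), ...)` calls also pass one CHAR16 less than `part` holds, so a first component of exactly NAME_LINE_MAX characters (which `add > rest` admits) loses its last character if SPrint reserves a slot for the terminator as gnu-efi's does; `sizeof(part)` is the bound that was meant. Separately, in mok_pw_prompt (patch 09/11; the function starts and ends outside the hunk) the two `LibDeleteVariable()` results are discarded before the new reboot notice, so a failed delete of MokPWStore still tells the user the password was cleared and reboots — checking the returned EFI_STATUS and showing an error instead would keep the message truthful. check_der_suffix (patch 11/11) is only a filename heuristic — a PEM file named .crt passes it and is rejected later by verify_certificate — so a comment above it such as `/* filename hint only; verify_certificate() is the real format check */` would stop a reader treating it as validation.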