Accepting request 185349 from home:gary_lin:branches:devel:openSUSE:Factory

- Update shim-mokmanager-ui-revamp.patch to include fixes for MokManager + reboot the system after clearing MOK password + fetch more info from X509 name + check the suffix of the key file OBS-URL: https://build.opensuse.org/request/show/185349 OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=30
2013-08-01 02:49:52 +00:00 · 2013-08-01 02:49:52 +00:00 · 125b3129ee
commit 125b3129ee
parent 16ab868efc
2 changed files with 235 additions and 8 deletions
--- a/shim-mokmanager-ui-revamp.patch
+++ b/shim-mokmanager-ui-revamp.patch
@ -1,7 +1,7 @@
 From a6436443a82b23de4c5dfe83f3c8389f8b554ad3 Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Thu, 30 May 2013 14:22:43 +0800
-Subject: [PATCH 1/8] MokManager: Remove the unnecessary string duplication
+Subject: [PATCH 01/11] MokManager: Remove the unnecessary string duplication
 ---
 MokManager.c | 19 ++++++++-----------
@ -82,7 +82,7 @@ index b05a52f..918d96b 100644
 From ef8fdc597fd532cc4c91c3d2ee638ef339002618 Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Thu, 18 Apr 2013 17:13:12 +0800
-Subject: [PATCH 2/8] MokManager: draw the countdown screen
+Subject: [PATCH 02/11] MokManager: draw the countdown screen
 ---
 MokManager.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
@ -173,7 +173,7 @@ index 918d96b..6b8c79b 100644
 From 9ff682d251b3d30fae63c026aa0105c49db7db16 Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Wed, 26 Jun 2013 12:23:26 +0800
-Subject: [PATCH 3/8] MokManager: remove the duplicate get_keystroke()
+Subject: [PATCH 03/11] MokManager: remove the duplicate get_keystroke()
 ---
 MokManager.c | 14 +-------------
@ -218,7 +218,7 @@ index 6b8c79b..6555a06 100644
 From 4c9f6b0b2100f5e878d8578db3ee232c20440735 Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Wed, 26 Jun 2013 15:21:35 +0800
-Subject: [PATCH 4/8] MokManager: enhance the password prompt
+Subject: [PATCH 04/11] MokManager: enhance the password prompt
 ---
 MokManager.c | 106 +++++++++++++++++++++++++++++++++++++++++++++--------------
@ -429,7 +429,7 @@ index 6555a06..4393aec 100644
 From 6e71cb7900b99482c7b51a6076f8392022ba15a6 Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Thu, 27 Jun 2013 11:59:09 +0800
-Subject: [PATCH 5/8] Enable openssl bio_printf()
+Subject: [PATCH 05/11] Enable openssl bio_printf()
 bio_printf() was replaced with a dummy function and this made
 several openssl functions useless. This commit adds the print
@ -1330,7 +1330,7 @@ index fb446b6..5a8322d 100644
 From 0b5a0362d6bd3fd1a0721e05353046e387ef2a22 Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Thu, 27 Jun 2013 12:03:14 +0800
-Subject: [PATCH 6/8] Disable floating points in b_print
+Subject: [PATCH 06/11] Disable floating points in b_print
 The long double declaration will enable SSE and cause a compilation
 error. Disabling everything related to floating points avoids the
@ -1403,7 +1403,7 @@ index 3a87b0e..b8b630c 100644
 From bb29385b30d6958fa99e43bfcf64815ca4bc4a53 Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Thu, 27 Jun 2013 12:28:08 +0800
-Subject: [PATCH 7/8] MokManager: rearrange the output of MOK info
+Subject: [PATCH 07/11] MokManager: rearrange the output of MOK info
 ---
 MokManager.c | 239 ++++++++++++++++++++---------------------------------------
@ -1758,7 +1758,7 @@ index 4393aec..8b770ff 100644
 From 139e31d514772f7aa74cf130ac1e4f2d548734ca Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Thu, 27 Jun 2013 15:04:07 +0800
-Subject: [PATCH 8/8] MokManager: enhance the password prompt for SB state
+Subject: [PATCH 08/11] MokManager: enhance the password prompt for SB state
 ---
 MokManager.c | 62 +++++++++++++++++++++++++++++++++++++++++++++++++++++-------
@ -1862,3 +1862,221 @@ index 8b770ff..b832e40 100644
 -- 
 1.8.1.4
 From f6102590b773cef0825eb707a793e70b54b882e9 Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Wed, 24 Jul 2013 14:39:39 +0800
 Subject: [PATCH 09/11] MokManager: reboot the system after clearing MOK
 password
 ---
 MokManager.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
 diff --git a/MokManager.c b/MokManager.c
 index b832e40..bef4d8c 100644
 --- a/MokManager.c
 +++ b/MokManager.c
@@ -1107,7 +1107,11 @@ static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) {
 		LibDeleteVariable(L"MokPWStore", &shim_lock_guid);
 		LibDeleteVariable(L"MokPW", &shim_lock_guid);
 -		return 0;
 +		console_notify(L"The system must now be rebooted");
 +		uefi_call_wrapper(RT->ResetSystem, 4, EfiResetWarm, EFI_SUCCESS, 0,
 +				  NULL);
 +		console_notify(L"Failed to reboot");
 +		return -1;
 	}
 	if (MokPWSize == PASSWORD_CRYPT_SIZE) {
 -- 
 1.8.1.4
 From 05eeef80e4ae2bac8f0f27a8c1bc6c3869e030ce Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Fri, 26 Jul 2013 12:44:42 +0800
 Subject: [PATCH 10/11] MokManager: fetch more info from X509 name
 ---
 MokManager.c | 63 +++++++++++++++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 56 insertions(+), 7 deletions(-)
 diff --git a/MokManager.c b/MokManager.c
 index bef4d8c..911c510 100644
 --- a/MokManager.c
 +++ b/MokManager.c
@@ -14,6 +14,8 @@
 #define PASSWORD_MIN 1
 #define SB_PASSWORD_LEN 16
 +#define NAME_LINE_MAX 70
 +
 #ifndef SHIM_VENDOR
 #define SHIM_VENDOR L"Shim"
 #endif
@@ -180,14 +182,61 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) {
 	return list;
 }
 -static CHAR16* get_x509_common_name (X509_NAME *X509Name)
 +typedef struct {
 +	int nid;
 +	CHAR16 *name;
 +} NidName;
 +
 +static NidName nidname[] = {
 +	{NID_commonName, L"CN"},
 +	{NID_organizationName, L"O"},
 +	{NID_countryName, L"C"},
 +	{NID_stateOrProvinceName, L"ST"},
 +	{NID_localityName, L"L"},
 +	{-1, NULL}
 +};
 +
 +static CHAR16* get_x509_name (X509_NAME *X509Name)
 {
 -	char str[80];
 +	CHAR16 name[NAME_LINE_MAX+1];
 +	CHAR16 part[NAME_LINE_MAX+1];
 +	char str[NAME_LINE_MAX];
 +	int i, len, rest, first;
 +
 +	name[0] = '\0';
 +	rest = NAME_LINE_MAX;
 +	first = 1;
 +	for (i = 0; nidname[i].name != NULL; i++) {
 +		int add;
 +		len = X509_NAME_get_text_by_NID (X509Name, nidname[i].nid,
 +						 str, NAME_LINE_MAX);
 +		if (len <= 0)
 +			continue;
 -	ZeroMem(str, 80);
 -	X509_NAME_get_text_by_NID (X509Name, NID_commonName, str, 80);
 +		if (first)
 +			add = len + (int)StrLen(nidname[i].name) + 1;
 +		else
 +			add = len + (int)StrLen(nidname[i].name) + 3;
 -	return PoolPrint(L"%a", str);
 +		if (add > rest)
 +			continue;
 +
 +		if (first) {
 +			SPrint(part, NAME_LINE_MAX * sizeof(CHAR16), L"%s=%a",
 +			       nidname[i].name, str);
 +		} else {
 +			SPrint(part, NAME_LINE_MAX * sizeof(CHAR16), L", %s=%a",
 +			       nidname[i].name, str);
 +		}
 +		StrCat(name, part);
 +		rest -= add;
 +		first = 0;
 +	}
 +
 +	if (rest >= 0 && rest < NAME_LINE_MAX)
 +		return PoolPrint(L"%s", name);
 +
 +	return NULL;
 }
 static CHAR16* get_x509_time (ASN1_TIME *time)
@@ -243,14 +292,14 @@ static void show_x509_info (X509 *X509Cert, UINT8 *hash)
 	X509Name = X509_get_issuer_name(X509Cert);
 	if (X509Name) {
 -		issuer = get_x509_common_name(X509Name);
 +		issuer = get_x509_name(X509Name);
 		if (issuer)
 			fields++;
 	}
 	X509Name = X509_get_subject_name(X509Cert);
 	if (X509Name) {
 -		subject = get_x509_common_name(X509Name);
 +		subject = get_x509_name(X509Name);
 		if (subject)
 			fields++;
 	}
 -- 
 1.8.1.4
 From 6d6df739005169333734ee04fc379a28d213ab8c Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Fri, 26 Jul 2013 15:44:49 +0800
 Subject: [PATCH 11/11] MokManager: check the suffix of the key file
 ---
 MokManager.c | 39 ++++++++++++++++++++++++++++++++++++++-
 1 file changed, 38 insertions(+), 1 deletion(-)
 diff --git a/MokManager.c b/MokManager.c
 index 911c510..604129f 100644
 --- a/MokManager.c
 +++ b/MokManager.c
@@ -1199,7 +1199,7 @@ static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) {
 	return -1;
 }
 -static UINTN verify_certificate(void *cert, UINTN size)
 +static BOOLEAN verify_certificate(void *cert, UINTN size)
 {
 	X509 *X509Cert;
 	if (!cert || size == 0)
@@ -1341,6 +1341,34 @@ static void mok_hash_enroll(void)
 	FreePool(data);
 }
 +static CHAR16 *der_suffix[] = {
 +	L".cer",
 +	L".der",
 +	L".crt",
 +	NULL
 +};
 +
 +static BOOLEAN check_der_suffix (CHAR16 *file_name)
 +{
 +	CHAR16 suffix[5];
 +	int i;
 +
 +	if (!file_name || StrLen(file_name) <= 4)
 +		return FALSE;
 +
 +	suffix[0] = '\0';
 +	StrCat(suffix, file_name + StrLen(file_name) - 4);
 +
 +	StrLwr (suffix);
 +	for (i = 0; der_suffix[i] != NULL; i++) {
 +		if (StrCmp(suffix, der_suffix[i]) == 0) {
 +			return TRUE;
 +		}
 +	}
 +
 +	return FALSE;
 +}
 +
 static void mok_key_enroll(void)
 {
 	EFI_STATUS efi_status;
@@ -1362,6 +1390,15 @@ static void mok_key_enroll(void)
 	if (!file_name)
 		return;
 +	if (!check_der_suffix(file_name)) {
 +		console_alertbox((CHAR16 *[]){
 +			L"Unsupported Format",
 +			L"",
 +			L"Only DER encoded certificate (*.cer/der/crt) is supported",
 +			NULL});
 +		return;
 +	}
 +
 	efi_status = simple_file_open(im, file_name, &file, EFI_FILE_MODE_READ);
 	if (efi_status != EFI_SUCCESS) {
 -- 
 1.8.1.4
--- a/shim.changes
+++ b/shim.changes
@ -1,3 +1,12 @@
 -------------------------------------------------------------------
 Tue Jul 30 07:36:28 UTC 2013 - glin@suse.com
 - Update shim-mokmanager-ui-revamp.patch to include fixes for
  MokManager
  + reboot the system after clearing MOK password
  + fetch more info from X509 name
  + check the suffix of the key file
 -------------------------------------------------------------------
 Tue Jul 23 03:55:05 UTC 2013 - glin@suse.com