Accepting request 418859 from devel:openSUSE:Factory

Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/418859
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/shim?expand=0&rev=50
Dominique Leuenberger 2016-08-17 09:59:46 +00:00 committed by Git OBS Bridge
commit f1cb4c950c
12 changed files with 17330 additions and 384 deletions


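--- a/[patch filename not shown on page]
+++ b/[patch filename not shown on page]
@@ -1,283 +0,0 @@
-From b74c635bfd5d131f2848ce2cd2ffc838dc616ee8 Mon Sep 17 00:00:00 2001
-From: Gary Ching-Pang Lin <glin@suse.com>
-Date: Tue, 27 Oct 2015 12:00:13 +0800
-Subject: [PATCH] Cryptlib: Define the va functions for EFIAPI
-It turned out that my previous crash fix(*) was wrong.
-We actually always used the gcc built-in va functions instead of
-the "real" va functions for EFIAPI, and we are just lucky that
-ERR_add_error_data didn't crash before.
-This commit copies the va functions from MdePkg/Include/Base.h
-in edk2 and introdues NO_BUILTIN_VA_FUNCS for x86_64, so that all
-the x86_64 build will adopt the new va functions. For safety,
-I also added EFIAPI to all the functions which use va_* to avoid
-the potential trouble.
-(*) a7f4b26cc35204165bd04e75c34e8e7aa2a87ecc
-Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
----
-Cryptlib/Include/OpenSslSupport.h | 75 +++++++++++++++++++++++++++++++++++
-Cryptlib/Include/openssl/bio.h | 8 ++++
-Cryptlib/Include/openssl/err.h | 4 --
-Cryptlib/Makefile | 2 +-
-Cryptlib/OpenSSL/Makefile | 3 +-
-Cryptlib/OpenSSL/crypto/bio/b_print.c | 8 ++++
-Cryptlib/OpenSSL/crypto/cryptlib.c | 4 ++
-Cryptlib/OpenSSL/crypto/cryptlib.h | 4 ++
-Cryptlib/OpenSSL/crypto/err/err.c | 4 --
-Makefile | 1 +
-10 files changed, 103 insertions(+), 10 deletions(-)
-diff --git a/Cryptlib/Include/OpenSslSupport.h b/Cryptlib/Include/OpenSslSupport.h
-index e5e1adc..004c3e8 100644
---- a/Cryptlib/Include/OpenSslSupport.h
-+++ b/Cryptlib/Include/OpenSslSupport.h
-@@ -47,6 +47,9 @@ typedef VOID *FILE;
-#define va_arg VA_ARG
-#define va_start VA_START
-#define va_end VA_END
-+
-+# if !defined(NO_BUILTIN_VA_FUNCS)
-+
-typedef __builtin_va_list VA_LIST;
-#define VA_START(Marker, Parameter) __builtin_va_start (Marker, Parameter)
-@@ -57,6 +60,78 @@ typedef __builtin_va_list VA_LIST;
-#define VA_COPY(Dest, Start) __builtin_va_copy (Dest, Start)
-+# else
-+
-+#define _INT_SIZE_OF(n) ((sizeof (n) + sizeof (UINTN) - 1) &~(sizeof (UINTN) - 1))
-+///
-+/// Variable used to traverse the list of arguments. This type can vary by
-+/// implementation and could be an array or structure.
-+///
-+typedef CHAR8 *VA_LIST;
-+
-+/**
-+ Retrieves a pointer to the beginning of a variable argument list, based on
-+ the name of the parameter that immediately precedes the variable argument list.
-+
-+ This function initializes Marker to point to the beginning of the variable
-+ argument list that immediately follows Parameter. The method for computing the
-+ pointer to the next argument in the argument list is CPU-specific following the
-+ EFIAPI ABI.
-+
-+ @param Marker The VA_LIST used to traverse the list of arguments.
-+ @param Parameter The name of the parameter that immediately precedes
-+ the variable argument list.
-+
-+ @return A pointer to the beginning of a variable argument list.
-+
-+**/
-+#define VA_START(Marker, Parameter) (Marker = (VA_LIST) ((UINTN) & (Parameter) + _INT_SIZE_OF (Parameter)))
-+
-+/**
-+ Returns an argument of a specified type from a variable argument list and updates
-+ the pointer to the variable argument list to point to the next argument.
-+
-+ This function returns an argument of the type specified by TYPE from the beginning
-+ of the variable argument list specified by Marker. Marker is then updated to point
-+ to the next argument in the variable argument list. The method for computing the
-+ pointer to the next argument in the argument list is CPU-specific following the EFIAPI ABI.
-+
-+ @param Marker VA_LIST used to traverse the list of arguments.
-+ @param TYPE The type of argument to retrieve from the beginning
-+ of the variable argument list.
-+
-+ @return An argument of the type specified by TYPE.
-+
-+**/
-+#define VA_ARG(Marker, TYPE) (*(TYPE *) ((Marker += _INT_SIZE_OF (TYPE)) - _INT_SIZE_OF (TYPE)))
-+
-+/**
-+ Terminates the use of a variable argument list.
-+
-+ This function initializes Marker so it can no longer be used with VA_ARG().
-+ After this macro is used, the only way to access the variable argument list is
-+ by using VA_START() again.
-+
-+ @param Marker VA_LIST used to traverse the list of arguments.
-+
-+**/
-+#define VA_END(Marker) (Marker = (VA_LIST) 0)
-+
-+/**
-+ Initializes a VA_LIST as a copy of an existing VA_LIST.
-+
-+ This macro initializes Dest as a copy of Start, as if the VA_START macro had been applied to Dest
-+ followed by the same sequence of uses of the VA_ARG macro as had previously been used to reach
-+ the present state of Start.
-+
-+ @param Dest VA_LIST used to traverse the list of arguments.
-+ @param Start VA_LIST used to traverse the list of arguments.
-+
-+**/
-+#define VA_COPY(Dest, Start) ((void)((Dest) = (Start)))
-+
-+# endif
-+
-#else // __CC_ARM
-#define va_start(Marker, Parameter) __va_start(Marker, Parameter)
-#define va_arg(Marker, TYPE) __va_arg(Marker, TYPE)
-diff --git a/Cryptlib/Include/openssl/bio.h b/Cryptlib/Include/openssl/bio.h
-index 561ae2f..69bd48c 100644
---- a/Cryptlib/Include/openssl/bio.h
-+++ b/Cryptlib/Include/openssl/bio.h
-@@ -787,11 +787,19 @@ void BIO_copy_next_retry(BIO *b);
-# else
-# define __bio_h__attr__(x)
-# endif
-+# if defined(OPENSSL_SYS_UEFI)
-+int EFIAPI BIO_printf(BIO *bio, const char *format, ...)
-+# else
-int BIO_printf(BIO *bio, const char *format, ...)
-+# endif
-__bio_h__attr__((__format__(__printf__, 2, 3)));
-int BIO_vprintf(BIO *bio, const char *format, va_list args)
-__bio_h__attr__((__format__(__printf__, 2, 0)));
-+# if defined(OPENSSL_SYS_UEFI)
-+int EFIAPI BIO_snprintf(char *buf, size_t n, const char *format, ...)
-+# else
-int BIO_snprintf(char *buf, size_t n, const char *format, ...)
-+# endif
-__bio_h__attr__((__format__(__printf__, 3, 4)));
-int BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args)
-__bio_h__attr__((__format__(__printf__, 3, 0)));
-diff --git a/Cryptlib/Include/openssl/err.h b/Cryptlib/Include/openssl/err.h
-index da589f8..bbfdb95 100644
---- a/Cryptlib/Include/openssl/err.h
-+++ b/Cryptlib/Include/openssl/err.h
-@@ -352,11 +352,7 @@ void EFIAPI ERR_add_error_data(int num, ...);
-void ERR_add_error_data(int num, ...);
-#endif
--#if defined(OPENSSL_SYS_UEFI)
--void EFIAPI ERR_add_error_vdata(int num, va_list args);
--#else
-void ERR_add_error_vdata(int num, va_list args);
--#endif
-void ERR_load_strings(int lib, ERR_STRING_DATA str[]);
-void ERR_unload_strings(int lib, ERR_STRING_DATA str[]);
-void ERR_load_ERR_strings(void);
-diff --git a/Cryptlib/Makefile b/Cryptlib/Makefile
-index 9a92304..c9cf379 100644
---- a/Cryptlib/Makefile
-+++ b/Cryptlib/Makefile
-@@ -7,7 +7,7 @@ CFLAGS = -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-
-ifeq ($(ARCH),x86_64)
-CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \
-- -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI
-+ -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI -DNO_BUILTIN_VA_FUNCS
-endif
-ifeq ($(ARCH),ia32)
-CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args -m32
-diff --git a/Cryptlib/OpenSSL/Makefile b/Cryptlib/OpenSSL/Makefile
-index ab6e7dd..f8055fd 100644
---- a/Cryptlib/OpenSSL/Makefile
-+++ b/Cryptlib/OpenSSL/Makefile
-@@ -7,7 +7,8 @@ CFLAGS = -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-st
-ifeq ($(ARCH),x86_64)
-CFLAGS += -mno-mmx -mno-sse -mno-red-zone -maccumulate-outgoing-args \
-- -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI -DSIXTY_FOUR_BIT_LONG
-+ -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI -DSIXTY_FOUR_BIT_LONG \
-+ -DNO_BUILTIN_VA_FUNCS
-endif
-ifeq ($(ARCH),ia32)
-CFLAGS += -mno-mmx -mno-sse -mno-red-zone -maccumulate-outgoing-args \
-diff --git a/Cryptlib/OpenSSL/crypto/bio/b_print.c b/Cryptlib/OpenSSL/crypto/bio/b_print.c
-index 9091d56..4695827 100644
---- a/Cryptlib/OpenSSL/crypto/bio/b_print.c
-+++ b/Cryptlib/OpenSSL/crypto/bio/b_print.c
-@@ -751,7 +751,11 @@ doapr_outch(char **sbuffer,
-/***************************************************************************/
-+#if defined(OPENSSL_SYS_UEFI)
-+int EFIAPI BIO_printf(BIO *bio, const char *format, ...)
-+#else
-int BIO_printf(BIO *bio, const char *format, ...)
-+#endif
-{
-va_list args;
-int ret;
-@@ -795,7 +799,11 @@ int BIO_vprintf(BIO *bio, const char *format, va_list args)
-* closely related to BIO_printf, and we need *some* name prefix ... (XXX the
-* function should be renamed, but to what?)
-*/
-+#if defined(OPENSSL_SYS_UEFI)
-+int EFIAPI BIO_snprintf(char *buf, size_t n, const char *format, ...)
-+#else
-int BIO_snprintf(char *buf, size_t n, const char *format, ...)
-+#endif
-{
-va_list args;
-int ret;
-diff --git a/Cryptlib/OpenSSL/crypto/cryptlib.c b/Cryptlib/OpenSSL/crypto/cryptlib.c
-index ca0e3cc..0a59342 100644
---- a/Cryptlib/OpenSSL/crypto/cryptlib.c
-+++ b/Cryptlib/OpenSSL/crypto/cryptlib.c
-@@ -962,7 +962,11 @@ void OPENSSL_showfatal(const char *fmta, ...)
-MessageBox(NULL, buf, _T("OpenSSL: FATAL"), MB_OK | MB_ICONSTOP);
-}
-#else
-+# if defined(OPENSSL_SYS_UEFI)
-+void EFIAPI OPENSSL_showfatal(const char *fmta, ...)
-+# else
-void OPENSSL_showfatal(const char *fmta, ...)
-+# endif
-{
-va_list ap;
-diff --git a/Cryptlib/OpenSSL/crypto/cryptlib.h b/Cryptlib/OpenSSL/crypto/cryptlib.h
-index fba180a..7ca4c99 100644
---- a/Cryptlib/OpenSSL/crypto/cryptlib.h
-+++ b/Cryptlib/OpenSSL/crypto/cryptlib.h
-@@ -100,7 +100,11 @@ extern "C" {
-void OPENSSL_cpuid_setup(void);
-extern unsigned int OPENSSL_ia32cap_P[];
-+# if defined(OPENSSL_SYS_UEFI)
-+void EFIAPI OPENSSL_showfatal(const char *fmta, ...);
-+# else
-void OPENSSL_showfatal(const char *fmta, ...);
-+# endif
-void *OPENSSL_stderr(void);
-extern int OPENSSL_NONPIC_relocated;
-diff --git a/Cryptlib/OpenSSL/crypto/err/err.c b/Cryptlib/OpenSSL/crypto/err/err.c
-index 108b83a..f98cce6 100644
---- a/Cryptlib/OpenSSL/crypto/err/err.c
-+++ b/Cryptlib/OpenSSL/crypto/err/err.c
-@@ -1085,11 +1085,7 @@ void ERR_add_error_data(int num, ...)
-va_end(args);
-}
--#if defined(OPENSSL_SYS_UEFI)
--void EFIAPI ERR_add_error_vdata(int num, va_list args)
--#else
-void ERR_add_error_vdata(int num, va_list args)
--#endif
-{
-int i, n, s;
-char *str, *p, *a;
-diff --git a/Makefile b/Makefile
-index 2449fe4..b36e2a3 100644
---- a/Makefile
-+++ b/Makefile
-@@ -42,6 +42,7 @@ ifeq ($(ARCH),x86_64)
-CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \
--maccumulate-outgoing-args \
--DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI \
-+ -DNO_BUILTIN_VA_FUNCS \
-"-DEFI_ARCH=L\"x64\"" \
-"-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/x64-$(VERSION)$(RELEASE)/\""
-endif
---
-2.6.2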


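--- a/[patch filename not shown on page]
+++ b/[patch filename not shown on page]
@@ -0,0 +1,141 @@
+From 3bd098ea88d36cdaa550cdd384f7a08d3586d7e5 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Thu, 28 Jul 2016 15:11:14 +0800
+Subject: [PATCH 1/2] MokManager: Remove the usage of APPEND_WRITE
+We got the bug report about the usage of APPEND_WRITE that may cause the
+failure when writing a variable in Lenovo machines. Although
+EFI_VARIABLE_APPEND_WRITE already exists in the UEFI spec for years,
+unfortunately, some vendors just ignore it and never implement the
+attribute. This commit removes the usage of EFI_VARIABLE_APPEND_WRITE to
+make MokManager work on those machines.
+https://github.com/rhinstaller/shim/issues/55
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+MokManager.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++--------
+1 file changed, 48 insertions(+), 8 deletions(-)
+diff --git a/MokManager.c b/MokManager.c
+index 2de6853..9ed7b4b 100644
+--- a/MokManager.c
++++ b/MokManager.c
+@@ -23,8 +23,6 @@
+#define SHIM_VENDOR L"Shim"
+#endif
+-#define EFI_VARIABLE_APPEND_WRITE 0x00000040
+-
+EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} };
+EFI_GUID EFI_CERT_SHA224_GUID = { 0xb6e5233, 0xa65c, 0x44c9, {0x94, 0x7, 0xd9, 0xab, 0x83, 0xbf, 0xc8, 0xbd} };
+EFI_GUID EFI_CERT_SHA384_GUID = { 0xff3e5307, 0x9fd0, 0x48c9, {0x85, 0xf1, 0x8a, 0xd5, 0x6c, 0x70, 0x1e, 0x1} };
+@@ -863,6 +861,53 @@ static EFI_STATUS match_password (PASSWORD_CRYPT *pw_crypt,
+return EFI_SUCCESS;
+}
++static EFI_STATUS write_db (CHAR16 *db_name, void *MokNew, UINTN MokNewSize)
++{
++ EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
++ EFI_STATUS status;
++ UINT32 attributes;
++ void *old_data = NULL;
++ void *new_data = NULL;
++ UINTN old_size;
++ UINTN new_size;
++
++ status = get_variable_attr(db_name, (UINT8 **)&old_data, &old_size,
++ shim_lock_guid, &attributes);
++ if (EFI_ERROR(status) && status != EFI_NOT_FOUND) {
++ return status;
++ }
++
++ /* Check if the old db is compromised or not */
++ if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) {
++ FreePool(old_data);
++ old_data = NULL;
++ old_size = 0;
++ }
++
++ new_size = old_size + MokNewSize;
++ new_data = AllocatePool(new_size);
++ if (new_data == NULL) {
++ status = EFI_OUT_OF_RESOURCES;
++ goto out;
++ }
++
++ CopyMem(new_data, old_data, old_size);
++ CopyMem(new_data + old_size, MokNew, MokNewSize);
++
++ status = uefi_call_wrapper(RT->SetVariable, 5, db_name,
++ &shim_lock_guid,
++ EFI_VARIABLE_NON_VOLATILE
++ | EFI_VARIABLE_BOOTSERVICE_ACCESS,
++ new_size, new_data);
++
++out:
++ if (old_size > 0) {
++ FreePool(old_data);
++ }
++
++ return status;
++}
++
+static EFI_STATUS store_keys (void *MokNew, UINTN MokNewSize, int authenticate,
+BOOLEAN MokX)
+{
+@@ -917,12 +962,7 @@ static EFI_STATUS store_keys (void *MokNew, UINTN MokNewSize, int authenticate,
+0, NULL);
+} else {
+/* Write new MOK */
+- efi_status = uefi_call_wrapper(RT->SetVariable, 5, db_name,
+- &shim_lock_guid,
+- EFI_VARIABLE_NON_VOLATILE
+- | EFI_VARIABLE_BOOTSERVICE_ACCESS
+- | EFI_VARIABLE_APPEND_WRITE,
+- MokNewSize, MokNew);
++ efi_status = write_db(db_name, MokNew, MokNewSize);
+}
+if (efi_status != EFI_SUCCESS) {
+--
+2.9.2
+From 3c000e67cc9c5ddd84f5a34b77e6ee8df4fe3ae5 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Wed, 3 Aug 2016 16:53:51 +0800
+Subject: [PATCH 2/2] MokManager: Try APPEND_WRITE first
+Try to append the MOK/MOKX list first and then fallback to the normal
+SetVariable if the firmware doesn't support EFI_VARIABLE_APPEND_WRITE.
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+MokManager.c | 10 ++++++++++
+1 file changed, 10 insertions(+)
+diff --git a/MokManager.c b/MokManager.c
+index 9ed7b4b..3933ee0 100644
+--- a/MokManager.c
++++ b/MokManager.c
+@@ -871,6 +871,16 @@ static EFI_STATUS write_db (CHAR16 *db_name, void *MokNew, UINTN MokNewSize)
+UINTN old_size;
+UINTN new_size;
++ status = uefi_call_wrapper(RT->SetVariable, 5, db_name,
++ &shim_lock_guid,
++ EFI_VARIABLE_NON_VOLATILE
++ | EFI_VARIABLE_BOOTSERVICE_ACCESS
++ | EFI_VARIABLE_APPEND_WRITE,
++ MokNewSize, MokNew);
++ if (status == EFI_SUCCESS || status != EFI_INVALID_PARAMETER) {
++ return status;
++ }
++
+status = get_variable_attr(db_name, (UINT8 **)&old_data, &old_size,
+shim_lock_guid, &attributes);
+if (EFI_ERROR(status) && status != EFI_NOT_FOUND) {
+--
+2.9.2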
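Review bot: In write_db (the `+static EFI_STATUS write_db` hunk of patch 1/2), `attributes` and `old_size` are declared without initializers, yet when get_variable_attr returns EFI_NOT_FOUND the function carries on and reads both (`if (attributes & EFI_VARIABLE_RUNTIME_ACCESS)`, `new_size = old_size + MokNewSize`, `if (old_size > 0)`); unless get_variable_attr is guaranteed to set its out-parameters on that path (not visible here), these are reads of indeterminate values that can either skip the tampered-variable check or mis-size the new buffer, so initialise them at declaration: `UINT32 attributes = 0;` and `UINTN old_size = 0;`. In the hunk of patch 2/2, `if (status == EFI_SUCCESS || status != EFI_INVALID_PARAMETER)` is equivalent to `if (status != EFI_INVALID_PARAMETER)`, since EFI_SUCCESS can never equal EFI_INVALID_PARAMETER, and the shorter form says what is meant. That early-return path also skips the EFI_VARIABLE_RUNTIME_ACCESS check, so it relies on the firmware rejecting an attribute mismatch with EFI_INVALID_PARAMETER; a one-line comment stating that assumption above the SetVariable call would help the next reader, and the rest of write_db lies outside that hunk.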


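--- a/[patch filename not shown on page]
+++ b/[patch filename not shown on page]
@@ -0,0 +1,65 @@
+From 6c12c7bf522d032922abb799cdf0d6f525de3c38 Mon Sep 17 00:00:00 2001
+From: Sachin Agrawal <sachin.agrawal@intel.com>
+Date: Tue, 2 Aug 2016 16:46:31 -0700
+Subject: [PATCH] Use authenticode signature length from WIN_CERTIFICATE
+structure.
+Authenticode Certificate length is available in Certificate Table
+(inside PE header) and also in signature header(WIN_CERTIFICATE) itself.
+Code in 'check_backlist()' method uses length from signature header,
+whereas, AuthenticodeVerify() call inside 'verify_buffer()' method uses
+the length in signature header. This causes a security vulnerability issue :
+Good Scenario : Assume shim1.crt is used for signing grub.efi and
+shim1.crt is embedded inside shim.efi. Also, assume shim1.crt got
+compromised and therefore it was added in 'dbx' database. Now, when
+shim.efi will attempt to load grub.efi, it will fail loading with
+log message "Binary is blacklisted" because 'check_blacklist' call
+will detect the presence of 'shim1.crt' in 'dbx'.
+Vulnerable Scenario : Similar as above. Add 'shim1.crt' in dbx database.
+Also, tamper the earlier signed grub.efi file by placing 0x0000 in the
+WIN_CERTIFICATE.dwLength.
+(Open grub.efi/vmlinuz signed binary with hex editor.
+Go to 0x128 address and read out the address from 0x128 until
+0x12B in little Indian order from right to left.
+Jump to the address from 0x128 address area.
+First 8bytes are the signature header area which consist of
+signature size(4bytes), revision(2bytes) and type(2bytes).
+So tamper the first 4 bytes for signature size and save the binary.
+)
+With this tampered grub.efi, shim.efi loads it successfully because
+'check_blacklist()' call fails to detect the presence of shim1.crt in 'dbx'
+database.
+Signed-off-by: Sachin Agrawal <sachin.agrawal@intel.com>
+---
+shim.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/shim.c b/shim.c
+index ed01899..03a5604 100644
+--- a/shim.c
++++ b/shim.c
+@@ -966,7 +966,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
+*/
+if (sizeof(shim_cert) &&
+AuthenticodeVerify(cert->CertData,
+- context->SecDir->Size - sizeof(cert->Hdr),
++ cert->Hdr.dwLength - sizeof(cert->Hdr),
+shim_cert, sizeof(shim_cert), sha256hash,
+SHA256_DIGEST_SIZE)) {
+status = EFI_SUCCESS;
+@@ -977,7 +977,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
+* And finally, check against shim's built-in key
+*/
+if (vendor_cert_size && AuthenticodeVerify(cert->CertData,
+- context->SecDir->Size - sizeof(cert->Hdr),
++ cert->Hdr.dwLength - sizeof(cert->Hdr),
+vendor_cert, vendor_cert_size, sha256hash,
+SHA256_DIGEST_SIZE)) {
+status = EFI_SUCCESS;
+--
+2.9.2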
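Review bot: The new length `cert->Hdr.dwLength - sizeof(cert->Hdr)` in both verify_buffer hunks comes from the binary being verified and is not bounded anywhere in these hunks: a dwLength smaller than sizeof(cert->Hdr) wraps the unsigned subtraction, and a dwLength larger than the certificate table lets AuthenticodeVerify read past the security directory, whereas the replaced expression at least stayed within context->SecDir->Size. Unless a check elsewhere in verify_buffer (whose body lies outside both hunks) already validates dwLength against the directory size, add one before the first AuthenticodeVerify call, e.g. `if (cert->Hdr.dwLength < sizeof(cert->Hdr) || cert->Hdr.dwLength > context->SecDir->Size)` failing verification (for instance with `status = EFI_INVALID_PARAMETER;` and skipping both calls). The commit message's own example of dwLength set to zero is exactly the value such a guard rejects, so consistency between the blacklist check and the signature check should not come at the cost of trusting an unvalidated header field.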


@ -12,9 +12,9 @@ Index: shim-0.9/Makefile
===================================================================
--- shim-0.9.orig/Makefile
+++ shim-0.9/Makefile
@@ -44,7 +44,7 @@ ifeq ($(ARCH),x86_64)
-DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI \
@@ -45,7 +45,7 @@ ifeq ($(ARCH),x86_64)
-DNO_BUILTIN_VA_FUNCS \
-DMDE_CPU_X64 \
"-DEFI_ARCH=L\"x64\"" \
- "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/x64-$(VERSION)$(RELEASE)/\""
+ "-DDEBUGDIR=L\"/usr/lib/debug/usr/lib64/efi/shim.debug\""


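--- a/[patch filename not shown on page]
+++ b/[patch filename not shown on page]
@@ -1,13 +0,0 @@
-Index: shim-0.9/Makefile
-===================================================================
---- shim-0.9.orig/Makefile
-+++ shim-0.9/Makefile
-@@ -53,7 +53,7 @@ ifeq ($(ARCH),ia32)
-"-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/ia32-$(VERSION)$(RELEASE)/\""
-endif
-ifeq ($(ARCH),aarch64)
-- CFLAGS += "-DEFI_ARCH=L\"aa64\""
-+ CFLAGS += "-DEFI_ARCH=L\"aa64\"" \
-"-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/aa64-$(VERSION)$(RELEASE)/\""
-endif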


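--- a/[patch filename not shown on page]
+++ b/[patch filename not shown on page]
@@ -1,62 +0,0 @@
-From a508082e41339d929ae598c964562946287c1938 Mon Sep 17 00:00:00 2001
-From: Gary Ching-Pang Lin <glin@suse.com>
-Date: Mon, 13 Jul 2015 16:33:52 +0800
-Subject: [PATCH] Specify the gnu89 standard
-According to the gcc5 porting guideline (*), gcc5 defaults to
--std=gnu11 instead of -std=gnu89. Append -std=gnu89 to CFLAGS
-to avoid the potential problems.
-(*) https://gcc.gnu.org/gcc-5/porting_to.html
-Based on the patch from Cristian Rodriguez <crrodriguez@opensuse.org>
-Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
----
-Cryptlib/Makefile | 2 +-
-Cryptlib/OpenSSL/Makefile | 2 +-
-Makefile | 2 +-
-3 files changed, 3 insertions(+), 3 deletions(-)
-diff --git a/Cryptlib/Makefile b/Cryptlib/Makefile
-index cb18440..9a92304 100644
---- a/Cryptlib/Makefile
-+++ b/Cryptlib/Makefile
-@@ -2,7 +2,7 @@
-EFI_INCLUDES = -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
-CFLAGS = -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
-- -Wall $(EFI_INCLUDES) \
-+ -Wall $(EFI_INCLUDES) -std=gnu89 \
--ffreestanding -I$(shell $(CC) -print-file-name=include)
-ifeq ($(ARCH),x86_64)
-diff --git a/Cryptlib/OpenSSL/Makefile b/Cryptlib/OpenSSL/Makefile
-index 3f87a94..ab6e7dd 100644
---- a/Cryptlib/OpenSSL/Makefile
-+++ b/Cryptlib/OpenSSL/Makefile
-@@ -2,7 +2,7 @@
-EFI_INCLUDES = -I../Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -Icrypto/asn1 -Icrypto/evp -Icrypto/modes
-CFLAGS = -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \
-- -ffreestanding -I$(shell $(CC) -print-file-name=include) \
-+ -ffreestanding -std=gnu89 -I$(shell $(CC) -print-file-name=include) \
--Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_POSIX_IO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_RIPEMD -DOPENSSL_NO_RC2 -DOPENSSL_NO_IDEA -DOPENSSL_NO_BF -DOPENSSL_NO_CAST -DOPENSSL_NO_WHIRLPOOL -DOPENSSL_NO_DSA -DOPENSSL_NO_EC -DOPENSSL_NO_ECDH -DOPENSSL_NO_ECDSA -DOPENSSL_NO_SRP -DOPENSSL_NO_ENGINE -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC
-ifeq ($(ARCH),x86_64)
-diff --git a/Makefile b/Makefile
-index 1181b8a..48e2a7d 100644
---- a/Makefile
-+++ b/Makefile
-@@ -28,7 +28,7 @@ EFI_LDS = elf_$(ARCH)_efi.lds
-DEFAULT_LOADER := \\\\grub.efi
-CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
--fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \
-- -Werror=sign-compare -ffreestanding \
-+ -Werror=sign-compare -ffreestanding -std=gnu89 \
--I$(shell $(CC) -print-file-name=include) \
-"-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \
-"-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \
---
-2.1.4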

shim-httpboot-support.patch Normal file



@ -47,17 +47,17 @@ esac
usage () {
echo "Usage: $self [OPTION] [INSTALL_DEVICE]"
echo
echo "Install Secure Boot Loaders on your drive.\n"
echo "Install Secure Boot Loaders on your drive."
echo
echo "--directory=DIR use images from DIR.\n"
echo "--grub-probe=FILE use FILE as grub-probe.\n"
echo "--removable the installation device is removable.\n"
echo "--bootloader-id=ID the ID of bootloader.\n"
echo "--efi-directory=DIR use DIR as the EFI System Partition root.\n"
echo "--config-file=FILE use FILE as config file, default is $grub_cfg.\n"
echo "--clean remove all installed files and configs.\n"
echo "--directory=DIR use images from DIR."
echo "--grub-probe=FILE use FILE as grub-probe."
echo "--removable the installation device is removable."
echo "--bootloader-id=ID the ID of bootloader."
echo "--efi-directory=DIR use DIR as the EFI System Partition root."
echo "--config-file=FILE use FILE as config file, default is $grub_cfg."
echo "--clean remove all installed files and configs."
echo
echo "INSTALL_DEVICE must be system device filename.\n"
echo "INSTALL_DEVICE must be system device filename."
}
argument () {
@ -192,6 +192,7 @@ if test -n "$efidir"; then
efidir="$efidir/EFI/$efi_distributor"
mkdir -p "$efidir" || exit 1
else
echo "No valid EFI partition" 1>&2
exit 1;
fi


@ -0,0 +1,834 @@
From 12cfe049c6b6bfce580737ef4da9556ecd07260a Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 21 Jul 2016 12:28:11 +0800
Subject: [PATCH 1/2] Update to openssl 1.0.2h
Signed-off-by: Gary Lin <glin@suse.com>
---
Cryptlib/Include/openssl/comp.h | 4 +++
Cryptlib/Include/openssl/conf.h | 12 ++++----
Cryptlib/Include/openssl/opensslv.h | 6 ++--
Cryptlib/Include/openssl/pem.h | 1 +
Cryptlib/Include/openssl/srp.h | 1 +
Cryptlib/Include/openssl/ssl.h | 4 +--
Cryptlib/Include/openssl/x509.h | 1 +
Cryptlib/OpenSSL/crypto/asn1/a_bytes.c | 4 +--
Cryptlib/OpenSSL/crypto/asn1/a_d2i_fp.c | 36 ++++++++++++++++------
Cryptlib/OpenSSL/crypto/asn1/a_type.c | 2 --
Cryptlib/OpenSSL/crypto/asn1/asn1_lib.c | 18 +++++------
Cryptlib/OpenSSL/crypto/asn1/asn1_par.c | 17 +++++++---
Cryptlib/OpenSSL/crypto/asn1/t_x509.c | 3 +-
Cryptlib/OpenSSL/crypto/asn1/tasn_dec.c | 2 --
Cryptlib/OpenSSL/crypto/asn1/tasn_enc.c | 2 --
Cryptlib/OpenSSL/crypto/asn1/x_name.c | 11 +++++++
Cryptlib/OpenSSL/crypto/asn1/x_x509.c | 16 ++++++++--
Cryptlib/OpenSSL/crypto/bn/bn_prime.c | 2 +-
Cryptlib/OpenSSL/crypto/dh/dh_pmeth.c | 1 -
Cryptlib/OpenSSL/crypto/evp/digest.c | 4 ++-
Cryptlib/OpenSSL/crypto/evp/e_aes_cbc_hmac_sha1.c | 3 ++
.../OpenSSL/crypto/evp/e_aes_cbc_hmac_sha256.c | 3 ++
Cryptlib/OpenSSL/crypto/evp/encode.c | 12 ++++++--
Cryptlib/OpenSSL/crypto/evp/evp_enc.c | 2 +-
Cryptlib/OpenSSL/crypto/pem/pem_lib.c | 2 +-
Cryptlib/OpenSSL/crypto/pem/pem_pk8.c | 2 +-
Cryptlib/OpenSSL/crypto/pem/pvkfmt.c | 7 +++++
Cryptlib/OpenSSL/crypto/pkcs7/pk7_smime.c | 2 +-
Cryptlib/OpenSSL/crypto/x509/x509_err.c | 1 +
Cryptlib/OpenSSL/crypto/x509/x509_obj.c | 26 +++++++++++++---
30 files changed, 145 insertions(+), 62 deletions(-)
diff --git a/Cryptlib/Include/openssl/comp.h b/Cryptlib/Include/openssl/comp.h
index 406c428..60a0734 100644
--- a/Cryptlib/Include/openssl/comp.h
+++ b/Cryptlib/Include/openssl/comp.h
@@ -4,6 +4,10 @@
# include <openssl/crypto.h>
+# ifdef OPENSSL_NO_COMP
+# error COMP is disabled.
+# endif
+
#ifdef __cplusplus
extern "C" {
#endif
diff --git a/Cryptlib/Include/openssl/conf.h b/Cryptlib/Include/openssl/conf.h
index 41cf38e..c29e97d 100644
--- a/Cryptlib/Include/openssl/conf.h
+++ b/Cryptlib/Include/openssl/conf.h
@@ -135,9 +135,9 @@ char *CONF_get_string(LHASH_OF(CONF_VALUE) *conf, const char *group,
long CONF_get_number(LHASH_OF(CONF_VALUE) *conf, const char *group,
const char *name);
void CONF_free(LHASH_OF(CONF_VALUE) *conf);
-#ifndef OPENSSL_NO_FP_API
+# ifndef OPENSSL_NO_FP_API
int CONF_dump_fp(LHASH_OF(CONF_VALUE) *conf, FILE *out);
-#endif
+# endif
int CONF_dump_bio(LHASH_OF(CONF_VALUE) *conf, BIO *out);
void OPENSSL_config(const char *config_name);
@@ -176,9 +176,9 @@ STACK_OF(CONF_VALUE) *NCONF_get_section(const CONF *conf,
char *NCONF_get_string(const CONF *conf, const char *group, const char *name);
int NCONF_get_number_e(const CONF *conf, const char *group, const char *name,
long *result);
-#ifndef OPENSSL_NO_FP_API
+# ifndef OPENSSL_NO_FP_API
int NCONF_dump_fp(const CONF *conf, FILE *out);
-#endif
+# endif
int NCONF_dump_bio(const CONF *conf, BIO *out);
# if 0 /* The following function has no error
@@ -192,10 +192,10 @@ long NCONF_get_number(CONF *conf, char *group, char *name);
int CONF_modules_load(const CONF *cnf, const char *appname,
unsigned long flags);
-#ifndef OPENSSL_NO_STDIO
+# ifndef OPENSSL_NO_STDIO
int CONF_modules_load_file(const char *filename, const char *appname,
unsigned long flags);
-#endif
+# endif
void CONF_modules_unload(int all);
void CONF_modules_finish(void);
void CONF_modules_free(void);
diff --git a/Cryptlib/Include/openssl/opensslv.h b/Cryptlib/Include/openssl/opensslv.h
index 4334fd1..13fe440 100644
--- a/Cryptlib/Include/openssl/opensslv.h
+++ b/Cryptlib/Include/openssl/opensslv.h
@@ -30,11 +30,11 @@ extern "C" {
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-# define OPENSSL_VERSION_NUMBER 0x1000207fL
+# define OPENSSL_VERSION_NUMBER 0x1000208fL
# ifdef OPENSSL_FIPS
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2g-fips 1 Mar 2016"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2h-fips 3 May 2016"
# else
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2g 1 Mar 2016"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2h 3 May 2016"
# endif
# define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
diff --git a/Cryptlib/Include/openssl/pem.h b/Cryptlib/Include/openssl/pem.h
index 87b0b6a..5df6ffd 100644
--- a/Cryptlib/Include/openssl/pem.h
+++ b/Cryptlib/Include/openssl/pem.h
@@ -515,6 +515,7 @@ int PEM_write_PKCS8PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
char *kstr, int klen, pem_password_cb *cd,
void *u);
#endif
+
EVP_PKEY *PEM_read_bio_Parameters(BIO *bp, EVP_PKEY **x);
int PEM_write_bio_Parameters(BIO *bp, EVP_PKEY *x);
diff --git a/Cryptlib/Include/openssl/srp.h b/Cryptlib/Include/openssl/srp.h
index 713fc54..4ed4bfe 100644
--- a/Cryptlib/Include/openssl/srp.h
+++ b/Cryptlib/Include/openssl/srp.h
@@ -122,6 +122,7 @@ int SRP_VBASE_free(SRP_VBASE *vb);
#ifndef OPENSSL_NO_STDIO
int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file);
#endif
+
/* This method ignores the configured seed and fails for an unknown user. */
SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username);
/* NOTE: unlike in SRP_VBASE_get_by_user, caller owns the returned pointer.*/
diff --git a/Cryptlib/Include/openssl/ssl.h b/Cryptlib/Include/openssl/ssl.h
index 04d4007..5ef56fa 100644
--- a/Cryptlib/Include/openssl/ssl.h
+++ b/Cryptlib/Include/openssl/ssl.h
@@ -338,7 +338,7 @@ extern "C" {
* The following cipher list is used by default. It also is substituted when
* an application-defined cipher list string starts with 'DEFAULT'.
*/
-# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2"
+# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2"
/*
* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
* starts with a reasonable order, and all we have to do for DEFAULT is
@@ -2345,7 +2345,7 @@ const char *SSL_get_version(const SSL *s);
/* This sets the 'default' SSL version that SSL_new() will create */
int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
-# ifndef OPENSSL_NO_SSL2
+# ifndef OPENSSL_NO_SSL2_METHOD
const SSL_METHOD *SSLv2_method(void); /* SSLv2 */
const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */
const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */
diff --git a/Cryptlib/Include/openssl/x509.h b/Cryptlib/Include/openssl/x509.h
index 99337b8..fc613ce 100644
--- a/Cryptlib/Include/openssl/x509.h
+++ b/Cryptlib/Include/openssl/x509.h
@@ -1305,6 +1305,7 @@ void ERR_load_X509_strings(void);
# define X509_R_LOADING_CERT_DIR 103
# define X509_R_LOADING_DEFAULTS 104
# define X509_R_METHOD_NOT_SUPPORTED 124
+# define X509_R_NAME_TOO_LONG 134
# define X509_R_NEWER_CRL_NOT_NEWER 132
# define X509_R_NO_CERT_SET_FOR_US_TO_VERIFY 105
# define X509_R_NO_CRL_NUMBER 130
diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_bytes.c b/Cryptlib/OpenSSL/crypto/asn1/a_bytes.c
index 12715a7..385b539 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/a_bytes.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/a_bytes.c
@@ -200,13 +200,13 @@ ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, const unsigned char **pp,
} else {
if (len != 0) {
if ((ret->length < len) || (ret->data == NULL)) {
- if (ret->data != NULL)
- OPENSSL_free(ret->data);
s = (unsigned char *)OPENSSL_malloc((int)len + 1);
if (s == NULL) {
i = ERR_R_MALLOC_FAILURE;
goto err;
}
+ if (ret->data != NULL)
+ OPENSSL_free(ret->data);
} else
s = ret->data;
memcpy(s, p, (int)len);
diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_d2i_fp.c b/Cryptlib/OpenSSL/crypto/asn1/a_d2i_fp.c
index a1864b4..51b6f24 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/a_d2i_fp.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/a_d2i_fp.c
@@ -141,6 +141,7 @@ void *ASN1_item_d2i_fp(const ASN1_ITEM *it, FILE *in, void *x)
#endif
#define HEADER_SIZE 8
+#define ASN1_CHUNK_INITIAL_SIZE (16 * 1024)
static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
{
BUF_MEM *b;
@@ -217,29 +218,44 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
/* suck in c.slen bytes of data */
want = c.slen;
if (want > (len - off)) {
+ size_t chunk_max = ASN1_CHUNK_INITIAL_SIZE;
+
want -= (len - off);
if (want > INT_MAX /* BIO_read takes an int length */ ||
len + want < len) {
ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_TOO_LONG);
goto err;
}
- if (!BUF_MEM_grow_clean(b, len + want)) {
- ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE);
- goto err;
- }
while (want > 0) {
- i = BIO_read(in, &(b->data[len]), want);
- if (i <= 0) {
- ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
- ASN1_R_NOT_ENOUGH_DATA);
+ /*
+ * Read content in chunks of increasing size
+ * so we can return an error for EOF without
+ * having to allocate the entire content length
+ * in one go.
+ */
+ size_t chunk = want > chunk_max ? chunk_max : want;
+
+ if (!BUF_MEM_grow_clean(b, len + chunk)) {
+ ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE);
goto err;
}
+ want -= chunk;
+ while (chunk > 0) {
+ i = BIO_read(in, &(b->data[len]), chunk);
+ if (i <= 0) {
+ ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
+ ASN1_R_NOT_ENOUGH_DATA);
+ goto err;
+ }
/*
* This can't overflow because |len+want| didn't
* overflow.
*/
- len += i;
- want -= i;
+ len += i;
+ chunk -= i;
+ }
+ if (chunk_max < INT_MAX/2)
+ chunk_max *= 2;
}
}
if (off + c.slen < off) {
diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_type.c b/Cryptlib/OpenSSL/crypto/asn1/a_type.c
index af79530..bb166e8 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/a_type.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/a_type.c
@@ -126,9 +126,7 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b)
result = 0; /* They do not have content. */
break;
case V_ASN1_INTEGER:
- case V_ASN1_NEG_INTEGER:
case V_ASN1_ENUMERATED:
- case V_ASN1_NEG_ENUMERATED:
case V_ASN1_BIT_STRING:
case V_ASN1_OCTET_STRING:
case V_ASN1_SEQUENCE:
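Review bot: With `V_ASN1_NEG_INTEGER` and `V_ASN1_NEG_ENUMERATED` dropped from the `ASN1_TYPE_cmp` switch here, and likewise from `asn1_ex_c2i` (L998–L1000) and `asn1_ex_i2c` (L1011–L1013), a value carrying one of those tags now takes each switch's default arm, which lies outside all three hunks. A one-line comment above `case V_ASN1_INTEGER:` in the decoder, such as `/* V_ASN1_NEG_* are ASN1_INTEGER-internal sign markers (see the bs->type test in t_x509.c), not encodable tags; they are deliberately not accepted here */`, would record the intent so a later maintainer does not re-add them. Whether each default arm reports an error rather than passing the value through is worth confirming in the surrounding code.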
diff --git a/Cryptlib/OpenSSL/crypto/asn1/asn1_lib.c b/Cryptlib/OpenSSL/crypto/asn1/asn1_lib.c
index 0b61fc9..874b1af 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/asn1_lib.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/asn1_lib.c
@@ -63,7 +63,7 @@
#include <openssl/asn1_mac.h>
static int asn1_get_length(const unsigned char **pp, int *inf, long *rl,
- int max);
+ long max);
static void asn1_put_length(unsigned char **pp, int length);
const char ASN1_version[] = "ASN.1" OPENSSL_VERSION_PTEXT;
@@ -131,7 +131,7 @@ int ASN1_get_object(const unsigned char **pp, long *plength, int *ptag,
}
*ptag = tag;
*pclass = xclass;
- if (!asn1_get_length(&p, &inf, plength, (int)max))
+ if (!asn1_get_length(&p, &inf, plength, max))
goto err;
if (inf && !(ret & V_ASN1_CONSTRUCTED))
@@ -159,14 +159,14 @@ int ASN1_get_object(const unsigned char **pp, long *plength, int *ptag,
}
static int asn1_get_length(const unsigned char **pp, int *inf, long *rl,
- int max)
+ long max)
{
const unsigned char *p = *pp;
unsigned long ret = 0;
- unsigned int i;
+ unsigned long i;
if (max-- < 1)
- return (0);
+ return 0;
if (*p == 0x80) {
*inf = 1;
ret = 0;
@@ -175,15 +175,11 @@ static int asn1_get_length(const unsigned char **pp, int *inf, long *rl,
*inf = 0;
i = *p & 0x7f;
if (*(p++) & 0x80) {
- if (i > sizeof(long))
+ if (i > sizeof(ret) || max < (long)i)
return 0;
- if (max-- == 0)
- return (0);
while (i-- > 0) {
ret <<= 8L;
ret |= *(p++);
- if (max-- == 0)
- return (0);
}
} else
ret = i;
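Review bot: The new bound `max < (long)i` at L907 changes what `max` means inside this function and nothing says so: after `max--` at L896 consumed the first length octet, `max` is the number of octets still available, and a long-form length needs `i` of them, so this single comparison replaces the two per-octet `max--` checks that were removed. I would put that in a comment above L907: `/* one octet already consumed for the length header; all i octets of a long-form length must lie within the remaining max */`. Since `i` is first bounded by `sizeof(ret)` (and is at most 0x7f from L904), the cast to `long` cannot produce a negative value.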
@@ -192,7 +188,7 @@ static int asn1_get_length(const unsigned char **pp, int *inf, long *rl,
return 0;
*pp = p;
*rl = (long)ret;
- return (1);
+ return 1;
}
/*
diff --git a/Cryptlib/OpenSSL/crypto/asn1/asn1_par.c b/Cryptlib/OpenSSL/crypto/asn1/asn1_par.c
index 0ca985a..e85e339 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/asn1_par.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/asn1_par.c
@@ -173,6 +173,8 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
if (!asn1_print_info(bp, tag, xclass, j, (indent) ? depth : 0))
goto end;
if (j & V_ASN1_CONSTRUCTED) {
+ const unsigned char *sp;
+
ep = p + len;
if (BIO_write(bp, "\n", 1) <= 0)
goto end;
@@ -182,6 +184,7 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
goto end;
}
if ((j == 0x21) && (len == 0)) {
+ sp = p;
for (;;) {
r = asn1_parse2(bp, &p, (long)(tot - p),
offset + (p - *pp), depth + 1,
@@ -190,19 +193,25 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
ret = 0;
goto end;
}
- if ((r == 2) || (p >= tot))
+ if ((r == 2) || (p >= tot)) {
+ len = p - sp;
break;
+ }
}
- } else
+ } else {
+ long tmp = len;
+
while (p < ep) {
- r = asn1_parse2(bp, &p, (long)len,
- offset + (p - *pp), depth + 1,
+ sp = p;
+ r = asn1_parse2(bp, &p, tmp, offset + (p - *pp), depth + 1,
indent, dump);
if (r == 0) {
ret = 0;
goto end;
}
+ tmp -= p - sp;
}
+ }
} else if (xclass != 0) {
p += len;
if (BIO_write(bp, "\n", 1) <= 0)
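Review bot: As far as the hunk shows, `tmp` in the new `else` branch is always equal to `ep - p`: both start from `len` and `p` (L937, L960), and `tmp -= p - sp` at L972 subtracts exactly the distance `p` advanced, so the `sp` bookkeeping in that branch could be dropped by passing `(long)(ep - p)` to the recursive call at L966. That is a style point only; the behaviour is the same. If `tmp` is kept, a comment such as `/* bound each child by the bytes left in this element, not by the element's full length */` would explain why the change matters. asn1_parse2 starts and ends outside the hunk.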
diff --git a/Cryptlib/OpenSSL/crypto/asn1/t_x509.c b/Cryptlib/OpenSSL/crypto/asn1/t_x509.c
index 8aab551..8888396 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/t_x509.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/t_x509.c
@@ -140,7 +140,8 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags,
goto err;
bs = X509_get_serialNumber(x);
- if (bs->length <= (int)sizeof(long)) {
+ if (bs->length < (int)sizeof(long)
+ || (bs->length == sizeof(long) && (bs->data[0] & 0x80) == 0)) {
l = ASN1_INTEGER_get(bs);
if (bs->type == V_ASN1_NEG_INTEGER) {
l = -l;
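Review bot: The two halves of the new condition at L986–L987 compare `bs->length` against `sizeof(long)` inconsistently: the first clause casts to `int`, the second compares `int` with `size_t` directly, which promotes `bs->length` to unsigned and trips `-Wsign-compare`. Use `bs->length == (int)sizeof(long)` in the second clause as well. A comment would also help, e.g. `/* only use ASN1_INTEGER_get when the serial fits in a long without sign issues; larger values take the other branch */` — the other branch is outside the hunk, so adjust the wording to what it does.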
diff --git a/Cryptlib/OpenSSL/crypto/asn1/tasn_dec.c b/Cryptlib/OpenSSL/crypto/asn1/tasn_dec.c
index 5a50796..6bdcd5c 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/tasn_dec.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/tasn_dec.c
@@ -901,9 +901,7 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
break;
case V_ASN1_INTEGER:
- case V_ASN1_NEG_INTEGER:
case V_ASN1_ENUMERATED:
- case V_ASN1_NEG_ENUMERATED:
tint = (ASN1_INTEGER **)pval;
if (!c2i_ASN1_INTEGER(tint, &cont, len))
goto err;
diff --git a/Cryptlib/OpenSSL/crypto/asn1/tasn_enc.c b/Cryptlib/OpenSSL/crypto/asn1/tasn_enc.c
index f04a689..f7f83e5 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/tasn_enc.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/tasn_enc.c
@@ -611,9 +611,7 @@ int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype,
break;
case V_ASN1_INTEGER:
- case V_ASN1_NEG_INTEGER:
case V_ASN1_ENUMERATED:
- case V_ASN1_NEG_ENUMERATED:
/*
* These are all have the same content format as ASN1_INTEGER
*/
diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_name.c b/Cryptlib/OpenSSL/crypto/asn1/x_name.c
index 737c426..a858c29 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/x_name.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/x_name.c
@@ -66,6 +66,13 @@
typedef STACK_OF(X509_NAME_ENTRY) STACK_OF_X509_NAME_ENTRY;
DECLARE_STACK_OF(STACK_OF_X509_NAME_ENTRY)
+/*
+ * Maximum length of X509_NAME: much larger than anything we should
+ * ever see in practice.
+ */
+
+#define X509_NAME_MAX (1024 * 1024)
+
static int x509_name_ex_d2i(ASN1_VALUE **val,
const unsigned char **in, long len,
const ASN1_ITEM *it,
@@ -192,6 +199,10 @@ static int x509_name_ex_d2i(ASN1_VALUE **val,
int i, j, ret;
STACK_OF(X509_NAME_ENTRY) *entries;
X509_NAME_ENTRY *entry;
+ if (len > X509_NAME_MAX) {
+ ASN1err(ASN1_F_X509_NAME_EX_D2I, ASN1_R_TOO_LONG);
+ return 0;
+ }
q = p;
/* Get internal representation of Name */
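Review bot: `X509_NAME_MAX` here and `NAME_ONELINE_MAX` in x509_obj.c (L1302) define the same 1 MiB limit in two places under two names; if both are meant to be the same bound on a name's size, a single shared definition, or at least a cross-reference in each comment, would keep them from drifting apart. The new check at L1038 reports `ASN1_R_TOO_LONG` while the x509_obj.c check at L1320 reports `X509_R_NAME_TOO_LONG` for a similar condition, which is reasonable across libraries but worth a note next to the macro. x509_name_ex_d2i continues outside the hunk.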
diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_x509.c b/Cryptlib/OpenSSL/crypto/asn1/x_x509.c
index e2cac83..e31e1e7 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/x_x509.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/x_x509.c
@@ -201,10 +201,20 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length)
int i2d_X509_AUX(X509 *a, unsigned char **pp)
{
- int length;
+ int length, tmplen;
+ unsigned char *start = pp != NULL ? *pp : NULL;
length = i2d_X509(a, pp);
- if (a)
- length += i2d_X509_CERT_AUX(a->aux, pp);
+ if (length < 0 || a == NULL)
+ return length;
+
+ tmplen = i2d_X509_CERT_AUX(a->aux, pp);
+ if (tmplen < 0) {
+ if (start != NULL)
+ *pp = start;
+ return tmplen;
+ }
+ length += tmplen;
+
return length;
}
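Review bot: The rollback `*pp = start` at L1062–L1063 only restores a caller-supplied cursor; when `*pp` was NULL on entry (`start` is NULL) and `i2d_X509` allocated the output buffer itself — the usual i2d convention, not visible in this hunk — the failure of `i2d_X509_CERT_AUX` returns without releasing that buffer. If that allocation mode is supported here, the error path should free it; if it is not, a comment such as `/* pp must point at a caller-provided buffer; the allocate-on-NULL convention is not supported, see rollback below */` would stop callers from relying on it. Also, `length < 0` lets a zero-length result continue into the aux encoding; `length <= 0` would be the conservative check if a zero-length certificate is never valid here.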
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_prime.c b/Cryptlib/OpenSSL/crypto/bn/bn_prime.c
index e933ead..ad641c3 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_prime.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_prime.c
@@ -172,7 +172,7 @@ int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe,
mods = OPENSSL_malloc(sizeof(*mods) * NUMPRIMES);
if (mods == NULL)
- goto err;
+ goto err;
ctx = BN_CTX_new();
if (ctx == NULL)
goto err;
diff --git a/Cryptlib/OpenSSL/crypto/dh/dh_pmeth.c b/Cryptlib/OpenSSL/crypto/dh/dh_pmeth.c
index c6288f6..926be98 100644
--- a/Cryptlib/OpenSSL/crypto/dh/dh_pmeth.c
+++ b/Cryptlib/OpenSSL/crypto/dh/dh_pmeth.c
@@ -455,7 +455,6 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
}
#ifndef OPENSSL_NO_CMS
else if (dctx->kdf_type == EVP_PKEY_DH_KDF_X9_42) {
-
unsigned char *Z = NULL;
size_t Zlen = 0;
if (!dctx->kdf_outlen || !dctx->kdf_oid)
diff --git a/Cryptlib/OpenSSL/crypto/evp/digest.c b/Cryptlib/OpenSSL/crypto/evp/digest.c
index f2643f3..5b642b2 100644
--- a/Cryptlib/OpenSSL/crypto/evp/digest.c
+++ b/Cryptlib/OpenSSL/crypto/evp/digest.c
@@ -212,8 +212,10 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
}
#endif
if (ctx->digest != type) {
- if (ctx->digest && ctx->digest->ctx_size)
+ if (ctx->digest && ctx->digest->ctx_size) {
OPENSSL_free(ctx->md_data);
+ ctx->md_data = NULL;
+ }
ctx->digest = type;
if (!(ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) && type->ctx_size) {
ctx->update = type->update;
diff --git a/Cryptlib/OpenSSL/crypto/evp/e_aes_cbc_hmac_sha1.c b/Cryptlib/OpenSSL/crypto/evp/e_aes_cbc_hmac_sha1.c
index 8330964..6dfd590 100644
--- a/Cryptlib/OpenSSL/crypto/evp/e_aes_cbc_hmac_sha1.c
+++ b/Cryptlib/OpenSSL/crypto/evp/e_aes_cbc_hmac_sha1.c
@@ -60,6 +60,7 @@
# include <openssl/sha.h>
# include <openssl/rand.h>
# include "modes_lcl.h"
+# include "constant_time_locl.h"
# ifndef EVP_CIPH_FLAG_AEAD_CIPHER
# define EVP_CIPH_FLAG_AEAD_CIPHER 0x200000
@@ -578,6 +579,8 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8);
maxpad &= 255;
+ ret &= constant_time_ge(maxpad, pad);
+
inp_len = len - (SHA_DIGEST_LENGTH + pad + 1);
mask = (0 - ((inp_len - len) >> (sizeof(inp_len) * 8 - 1)));
inp_len &= mask;
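Review bot: `ret &= constant_time_ge(maxpad, pad);` at L1124 relies on two things outside the hunk: `ret` being a 0/1 flag that later decides the result without branching on it, and `constant_time_ge` returning an all-ones/all-zeros mask so the AND cannot turn a valid result into a partial value. The helper is designed for that, but a comment would make the dependency explicit: `/* fold the pad-length check into the constant-time result instead of branching, so an oversized pad is rejected without a timing difference */`. The same applies to the SHA-256 variant at L1143.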
diff --git a/Cryptlib/OpenSSL/crypto/evp/e_aes_cbc_hmac_sha256.c b/Cryptlib/OpenSSL/crypto/evp/e_aes_cbc_hmac_sha256.c
index 3780021..46c9d03 100644
--- a/Cryptlib/OpenSSL/crypto/evp/e_aes_cbc_hmac_sha256.c
+++ b/Cryptlib/OpenSSL/crypto/evp/e_aes_cbc_hmac_sha256.c
@@ -60,6 +60,7 @@
# include <openssl/sha.h>
# include <openssl/rand.h>
# include "modes_lcl.h"
+# include "constant_time_locl.h"
# ifndef EVP_CIPH_FLAG_AEAD_CIPHER
# define EVP_CIPH_FLAG_AEAD_CIPHER 0x200000
@@ -589,6 +590,8 @@ static int aesni_cbc_hmac_sha256_cipher(EVP_CIPHER_CTX *ctx,
maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8);
maxpad &= 255;
+ ret &= constant_time_ge(maxpad, pad);
+
inp_len = len - (SHA256_DIGEST_LENGTH + pad + 1);
mask = (0 - ((inp_len - len) >> (sizeof(inp_len) * 8 - 1)));
inp_len &= mask;
diff --git a/Cryptlib/OpenSSL/crypto/evp/encode.c b/Cryptlib/OpenSSL/crypto/evp/encode.c
index c6abc4a..c6c775e 100644
--- a/Cryptlib/OpenSSL/crypto/evp/encode.c
+++ b/Cryptlib/OpenSSL/crypto/evp/encode.c
@@ -57,6 +57,7 @@
*/
#include <stdio.h>
+#include <limits.h>
#include "cryptlib.h"
#include <openssl/evp.h>
@@ -151,13 +152,13 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
const unsigned char *in, int inl)
{
int i, j;
- unsigned int total = 0;
+ size_t total = 0;
*outl = 0;
if (inl <= 0)
return;
OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data));
- if ((ctx->num + inl) < ctx->length) {
+ if (ctx->length - ctx->num > inl) {
memcpy(&(ctx->enc_data[ctx->num]), in, inl);
ctx->num += inl;
return;
@@ -174,7 +175,7 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
*out = '\0';
total = j + 1;
}
- while (inl >= ctx->length) {
+ while (inl >= ctx->length && total <= INT_MAX) {
j = EVP_EncodeBlock(out, in, ctx->length);
in += ctx->length;
inl -= ctx->length;
@@ -183,6 +184,11 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
*out = '\0';
total += j + 1;
}
+ if (total > INT_MAX) {
+ /* Too much output data! */
+ *outl = 0;
+ return;
+ }
if (inl != 0)
memcpy(&(ctx->enc_data[0]), in, inl);
ctx->num = inl;
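Review bot: The overflow bail-out at L1186–L1190 leaves the caller unable to tell failure from "nothing flushed yet": `*outl = 0` is also what the early return at L1165–L1166 produces, and `EVP_EncodeUpdate` is `void` here, so no error is queued or returned. At minimum the comment should say what the caller must do, e.g. `/* Too much output data: out holds a partial encoding that must be discarded; outl = 0 is the only failure signal */` — and, since the `ctx->num = inl` update at L1193 is skipped while the buffered bytes appear to have been emitted at L1173–L1176, check whether ctx is left consistent on this path. If the API allows, a return value would be better than the silent zero.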
diff --git a/Cryptlib/OpenSSL/crypto/evp/evp_enc.c b/Cryptlib/OpenSSL/crypto/evp/evp_enc.c
index 65f0e02..7d7be24 100644
--- a/Cryptlib/OpenSSL/crypto/evp/evp_enc.c
+++ b/Cryptlib/OpenSSL/crypto/evp/evp_enc.c
@@ -347,7 +347,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
bl = ctx->cipher->block_size;
OPENSSL_assert(bl <= (int)sizeof(ctx->buf));
if (i != 0) {
- if (i + inl < bl) {
+ if (bl - i > inl) {
memcpy(&(ctx->buf[i]), in, inl);
ctx->buf_len += inl;
*outl = 0;
diff --git a/Cryptlib/OpenSSL/crypto/pem/pem_lib.c b/Cryptlib/OpenSSL/crypto/pem/pem_lib.c
index 5525efd..e25cc68 100644
--- a/Cryptlib/OpenSSL/crypto/pem/pem_lib.c
+++ b/Cryptlib/OpenSSL/crypto/pem/pem_lib.c
@@ -348,7 +348,7 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp,
if (enc != NULL) {
objstr = OBJ_nid2sn(EVP_CIPHER_nid(enc));
- if (objstr == NULL) {
+ if (objstr == NULL || EVP_CIPHER_iv_length(enc) == 0) {
PEMerr(PEM_F_PEM_ASN1_WRITE_BIO, PEM_R_UNSUPPORTED_CIPHER);
goto err;
}
diff --git a/Cryptlib/OpenSSL/crypto/pem/pem_pk8.c b/Cryptlib/OpenSSL/crypto/pem/pem_pk8.c
index fe465cc..9edca4d 100644
--- a/Cryptlib/OpenSSL/crypto/pem/pem_pk8.c
+++ b/Cryptlib/OpenSSL/crypto/pem/pem_pk8.c
@@ -69,12 +69,12 @@
static int do_pk8pkey(BIO *bp, EVP_PKEY *x, int isder,
int nid, const EVP_CIPHER *enc,
char *kstr, int klen, pem_password_cb *cb, void *u);
-
#ifndef OPENSSL_NO_FP_API
static int do_pk8pkey_fp(FILE *bp, EVP_PKEY *x, int isder,
int nid, const EVP_CIPHER *enc,
char *kstr, int klen, pem_password_cb *cb, void *u);
#endif
+
/*
* These functions write a private key in PKCS#8 format: it is a "drop in"
* replacement for PEM_write_bio_PrivateKey() and friends. As usual if 'enc'
diff --git a/Cryptlib/OpenSSL/crypto/pem/pvkfmt.c b/Cryptlib/OpenSSL/crypto/pem/pvkfmt.c
index 82d4527..6186446 100644
--- a/Cryptlib/OpenSSL/crypto/pem/pvkfmt.c
+++ b/Cryptlib/OpenSSL/crypto/pem/pvkfmt.c
@@ -131,6 +131,10 @@ static int read_lebn(const unsigned char **in, unsigned int nbyte, BIGNUM **r)
# define MS_PVKMAGIC 0xb0b5f11eL
/* Salt length for PVK files */
# define PVK_SALTLEN 0x10
+/* Maximum length in PVK header */
+# define PVK_MAX_KEYLEN 102400
+/* Maximum salt length */
+# define PVK_MAX_SALTLEN 10240
static EVP_PKEY *b2i_rsa(const unsigned char **in, unsigned int length,
unsigned int bitlen, int ispub);
@@ -644,6 +648,9 @@ static int do_PVK_header(const unsigned char **in, unsigned int length,
*psaltlen = read_ledword(&p);
*pkeylen = read_ledword(&p);
+ if (*pkeylen > PVK_MAX_KEYLEN || *psaltlen > PVK_MAX_SALTLEN)
+ return 0;
+
if (is_encrypted && !*psaltlen) {
PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_INCONSISTENT_HEADER);
return 0;
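Review bot: The new limit check at L1254–L1255 returns 0 without queuing an error, unlike the check right after it at L1257–L1258, so a caller sees a bare failure with an empty error stack when a header exceeds `PVK_MAX_KEYLEN` or `PVK_MAX_SALTLEN`. Raise a PEMerr there as well, reusing `PEM_R_INCONSISTENT_HEADER` or a more specific reason if one exists. The comments on the new macros at L1245 and L1247 could also say what they bound, e.g. `/* Upper bound on the key length field in a PVK header; anything larger is treated as malformed */`.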
diff --git a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_smime.c b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_smime.c
index 0bc3d43..e75c4b2 100644
--- a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_smime.c
+++ b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_smime.c
@@ -64,7 +64,6 @@
#include <openssl/x509.h>
#include <openssl/x509v3.h>
-
#define BUFFERSIZE 4096
static int pkcs7_copy_existing_digest(PKCS7 *p7, PKCS7_SIGNER_INFO *si);
@@ -596,6 +595,7 @@ int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags)
break;
}
}
+
err:
OPENSSL_free(buf);
BIO_free_all(tmpmem);
diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_err.c b/Cryptlib/OpenSSL/crypto/x509/x509_err.c
index 43cde18..1e779fe 100644
--- a/Cryptlib/OpenSSL/crypto/x509/x509_err.c
+++ b/Cryptlib/OpenSSL/crypto/x509/x509_err.c
@@ -151,6 +151,7 @@ static ERR_STRING_DATA X509_str_reasons[] = {
{ERR_REASON(X509_R_LOADING_CERT_DIR), "loading cert dir"},
{ERR_REASON(X509_R_LOADING_DEFAULTS), "loading defaults"},
{ERR_REASON(X509_R_METHOD_NOT_SUPPORTED), "method not supported"},
+ {ERR_REASON(X509_R_NAME_TOO_LONG), "name too long"},
{ERR_REASON(X509_R_NEWER_CRL_NOT_NEWER), "newer crl not newer"},
{ERR_REASON(X509_R_NO_CERT_SET_FOR_US_TO_VERIFY),
"no cert set for us to verify"},
diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_obj.c b/Cryptlib/OpenSSL/crypto/x509/x509_obj.c
index d317f3a..3de3ac7 100644
--- a/Cryptlib/OpenSSL/crypto/x509/x509_obj.c
+++ b/Cryptlib/OpenSSL/crypto/x509/x509_obj.c
@@ -63,6 +63,13 @@
#include <openssl/x509.h>
#include <openssl/buffer.h>
+/*
+ * Limit to ensure we don't overflow: much greater than
+ * anything enountered in practice.
+ */
+
+#define NAME_ONELINE_MAX (1024 * 1024)
+
char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
{
X509_NAME_ENTRY *ne;
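Review bot: The new comment at L1298–L1299 has a typo, "enountered" should be "encountered", and the stray blank line at L1301 detaches the explanation from the `#define` it documents; the same layout appears in x_name.c at L1024–L1030. The comment would also be more useful if it named what is limited: `/* Upper bound on a single entry's length and on the total one-line output, so the int arithmetic below cannot overflow. */`. X509_NAME_oneline starts at L1304 and continues past the hunk.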
@@ -86,6 +93,8 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
goto err;
b->data[0] = '\0';
len = 200;
+ } else if (len == 0) {
+ return NULL;
}
if (a == NULL) {
if (b) {
@@ -110,6 +119,10 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
type = ne->value->type;
num = ne->value->length;
+ if (num > NAME_ONELINE_MAX) {
+ X509err(X509_F_X509_NAME_ONELINE, X509_R_NAME_TOO_LONG);
+ goto end;
+ }
q = ne->value->data;
#ifdef CHARSET_EBCDIC
if (type == V_ASN1_GENERALSTRING ||
@@ -117,8 +130,9 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
type == V_ASN1_PRINTABLESTRING ||
type == V_ASN1_TELETEXSTRING ||
type == V_ASN1_VISIBLESTRING || type == V_ASN1_IA5STRING) {
- ascii2ebcdic(ebcdic_buf, q, (num > sizeof ebcdic_buf)
- ? sizeof ebcdic_buf : num);
+ if (num > (int)sizeof(ebcdic_buf))
+ num = sizeof(ebcdic_buf);
+ ascii2ebcdic(ebcdic_buf, q, num);
q = ebcdic_buf;
}
#endif
@@ -154,6 +168,10 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
lold = l;
l += 1 + l1 + 1 + l2;
+ if (l > NAME_ONELINE_MAX) {
+ X509err(X509_F_X509_NAME_ONELINE, X509_R_NAME_TOO_LONG);
+ goto end;
+ }
if (b != NULL) {
if (!BUF_MEM_grow(b, l + 1))
goto err;
@@ -206,7 +224,7 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
return (p);
err:
X509err(X509_F_X509_NAME_ONELINE, ERR_R_MALLOC_FAILURE);
- if (b != NULL)
- BUF_MEM_free(b);
+ end:
+ BUF_MEM_free(b);
return (NULL);
}
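Review bot: Replacing the guarded free with an unconditional `BUF_MEM_free(b)` at L1355 means the `end:` path now depends on `BUF_MEM_free` accepting NULL, since `b` presumably stays NULL whenever the caller supplied `buf` (the removed `if (b != NULL)` guard suggests so) and the new `goto end` jumps at L1321 and L1343 can be taken on that path. That is not visible here, so a one-line comment `/* BUF_MEM_free(NULL) is a no-op; b is NULL when the caller supplied buf */` would record the assumption. `err:` now falls through into `end:`, which is intentional and could be marked with `/* fallthrough */`.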
--
2.9.2
From 7d7b9e9bfc6730eb5aa608d7901e36468ace2361 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 21 Jul 2016 12:32:45 +0800
Subject: [PATCH 2/2] Update the CryptLib
Update to the edk2 commit 8ff7187cfd998d2b6db43075a4a7908281b6da00
Signed-off-by: Gary Lin <glin@suse.com>
---
Cryptlib/Pk/CryptPkcs7Verify.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/Cryptlib/Pk/CryptPkcs7Verify.c b/Cryptlib/Pk/CryptPkcs7Verify.c
index 559610d..efa3796 100644
--- a/Cryptlib/Pk/CryptPkcs7Verify.c
+++ b/Cryptlib/Pk/CryptPkcs7Verify.c
@@ -10,7 +10,7 @@
WrapPkcs7Data(), Pkcs7GetSigners(), Pkcs7Verify() will get UEFI Authenticated
Variable and will do basic check for data structure.
-Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -489,6 +489,8 @@ Pkcs7GetCertificatesList (
OldBuf = NULL;
Signers = NULL;
+ ZeroMem (&CertCtx, sizeof (CertCtx));
+
//
// Parameter Checking
//
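Review bot: The added `ZeroMem (&CertCtx, sizeof (CertCtx))` is placed before the parameter checks, which only makes sense if a cleanup path reached from an early return operates on `CertCtx`; that path is outside the hunk. A comment at L1384 stating the reason, e.g. `// Zero CertCtx before any early exit so the cleanup path never touches an uninitialised context`, would keep a later reordering from moving the call below the checks. If no cleanup runs before the first use of CertCtx, the zeroing is harmless but the comment should still say what it guards.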
--
2.9.2


@ -1,3 +1,40 @@
-------------------------------------------------------------------
Fri Aug 5 02:53:54 UTC 2016 - glin@suse.com
- Add shim-bsc991885-fix-sig-length.patch to fix the signature
length passed to Authenticode (bsc#991885)
-------------------------------------------------------------------
Wed Aug 3 09:10:25 UTC 2016 - glin@suse.com
- Update shim-bsc973496-mokmanager-no-append-write.patch to try
append write first
-------------------------------------------------------------------
Tue Aug 2 02:59:46 UTC 2016 - glin@suse.com
- Add shim-update-openssl-1.0.2h.patch to update openssl to 1.0.2h
- Bump the requirement of gnu-efi due to the HTTPBoot support
-------------------------------------------------------------------
Mon Aug 1 09:01:59 UTC 2016 - glin@suse.com
- Add shim-httpboot-support.patch to support HTTPBoot
- Add shim-update-openssl-1.0.2g.patch to update openssl to 1.0.2g
and Cryptlib to 5e2318dd37a51948aaf845c7d920b11f47cdcfe6
- Drop patches since they are merged into
shim-update-openssl-1.0.2g.patch
+ shim-update-openssl-1.0.2d.patch
+ shim-gcc5.patch
+ shim-bsc950569-fix-cryptlib-va-functions.patch
+ shim-fix-aarch64.patch
- Refresh shim-change-debug-file-path.patch
- Add shim-bsc973496-mokmanager-no-append-write.patch to work
around the firmware that doesn't support APPEND_WRITE (bsc973496)
- shim-install : remove '\n' from the help message (bsc#991188)
- shim-install : print a message if there is no valid EFI partition
(bsc#991187)
-------------------------------------------------------------------
Mon May 9 11:20:56 UTC 2016 - rw@suse.com


@ -44,18 +44,21 @@ Source11: strip_signature.sh
Source12: signature-sles.asc
# PATCH-FIX-SUSE shim-only-os-name.patch glin@suse.com -- Only include the OS name in version.c
Patch1: shim-only-os-name.patch
# PATCH-FIX-UPSTREAM shim-update-openssl-1.0.2d.patch glin@suse.com -- Update openssl to 1.0.2d
Patch4: shim-update-openssl-1.0.2d.patch
# PATCH-FIX-UPSTREAM shim-gcc5.patch glin@suse.com -- Specify the gnu89 standard
Patch5: shim-gcc5.patch
# PATCH-FIX-UPSTREAM shim-bsc950569-fix-cryptlib-va-functions.patch bsc#950569 glin@suse.com -- Fix the definition of the va functions to avoid the potential crash
Patch6: shim-bsc950569-fix-cryptlib-va-functions.patch
Patch7: shim-fix-aarch64.patch
# PATCH-FIX-UPSTREAM FATE#320129 shim-httpboot-support.patch glin@suse.com -- Add HTTPBoot support
Patch2: shim-httpboot-support.patch
# PATCH-FIX-UPSTREAM shim-update-openssl-1.0.2g.patch glin@suse.com -- Update openssl to 1.0.2g
Patch3: shim-update-openssl-1.0.2g.patch
# PATCH-FIX-UPSTREAM bsc#973496 shim-bsc973496-mokmanager-no-append-write.patch glin@suse.com -- Work around the firmware that doesn't support APPEND_WRITE
Patch4: shim-bsc973496-mokmanager-no-append-write.patch
# PATCH-FIX-UPSTREAM shim-update-openssl-1.0.2h.patch glin@suse.com -- Update openssl to 1.0.2h
Patch5: shim-update-openssl-1.0.2h.patch
# PATCH-FIX-UPSTREAM bsc#991885 shim-bsc991885-fix-sig-length.patch glin@suse.com -- Fix the signature length passed to Authenticode
Patch6: shim-bsc991885-fix-sig-length.patch
# PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch glin@suse.com -- Change the default debug file path
Patch50: shim-change-debug-file-path.patch
# PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not
Patch100: shim-opensuse-cert-prompt.patch
BuildRequires: gnu-efi >= 3.0t
BuildRequires: gnu-efi >= 3.0.3
BuildRequires: mozilla-nss-tools
BuildRequires: openssl >= 0.9.8
BuildRequires: pesign
@ -91,10 +94,11 @@ Authors:
%prep
%setup -q
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch50 -p1
%patch100 -p1
%build