From 5e7dc4bc7e946d5b886d97c48f86cdfaf45d0a3ee0406e7fe6d48ed69393b0c2 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 28 Mar 2013 03:56:52 +0000 Subject: [PATCH] Accepting request 161509 from home:gary_lin:branches:Base:System bnc#808594: fix the alignment of the signature list OBS-URL: https://build.opensuse.org/request/show/161509 OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign?expand=0&rev=16 --- pesign-bnc808594-align-signatures.patch | 598 ++++++++++++++++++++++++ pesign.changes | 6 + pesign.spec | 3 + 3 files changed, 607 insertions(+) create mode 100644 pesign-bnc808594-align-signatures.patch diff --git a/pesign-bnc808594-align-signatures.patch b/pesign-bnc808594-align-signatures.patch new file mode 100644 index 0000000..c712f8f --- /dev/null +++ b/pesign-bnc808594-align-signatures.patch @@ -0,0 +1,598 @@ +From 21cec8feac92a8cda788eaf3f9e9aee9d1b92672 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Mon, 25 Mar 2013 11:34:45 -0400 +Subject: [PATCH 1/8] If the last hunk of the file isn't 16-byte aligned, pad + before digesting. + +When we (or MS) create a data directory section, we pad it to 16-bytes. +This means that when you add that and then hash, you'll have that +0-extension before the data directory (in this case, the cert list) in +the checksum. + +If we do -h without embedding the signature in the binary, we still need +to take that into account. + +Signed-off-by: Peter Jones +--- + src/cms_common.c | 24 +++++++++++++++++++++++- + 1 file changed, 23 insertions(+), 1 deletion(-) + +diff --git a/src/cms_common.c b/src/cms_common.c +index 9ab2021..306d53e 100644 +--- a/src/cms_common.c ++++ b/src/cms_common.c +@@ -795,6 +795,12 @@ err: + return -1; + } + ++#if 1 ++#define dprintf(fmt, ...) ++#else ++#define dprintf(fmt, args...) printf(fmt, ## args) ++#endif ++ + int + generate_digest(cms_context *cms, Pe *pe) + { +@@ -860,6 +866,8 @@ generate_digest(cms_context *cms, Pe *pe) + cms->log(cms, LOG_ERR, "Pe header is invalid"); + goto error; + } ++ dprintf("beginning of hash\n"); ++ dprintf("digesting %lx + %lx\n", hash_base - map, hash_size); + generate_digest_step(cms, hash_base, hash_size); + + /* 5. Skip over the image checksum +@@ -882,6 +890,7 @@ generate_digest(cms_context *cms, Pe *pe) + goto error; + } + generate_digest_step(cms, hash_base, hash_size); ++ dprintf("digesting %lx + %lx\n", hash_base - map, hash_size); + + /* 8. Skip over the crt dir + * 9. Hash everything up to the end of the image header. */ +@@ -895,6 +904,7 @@ generate_digest(cms_context *cms, Pe *pe) + goto error; + } + generate_digest_step(cms, hash_base, hash_size); ++ dprintf("digesting %lx + %lx\n", hash_base - map, hash_size); + + /* 10. Set SUM_OF_BYTES_HASHED to the size of the header. */ + hashed_bytes = pe32opthdr ? pe32opthdr->header_size +@@ -926,6 +936,7 @@ generate_digest(cms_context *cms, Pe *pe) + } + + generate_digest_step(cms, hash_base, hash_size); ++ dprintf("digesting %lx + %lx\n", hash_base - map, hash_size); + + hashed_bytes += hash_size; + } +@@ -938,8 +949,19 @@ generate_digest(cms_context *cms, Pe *pe) + cms->log(cms, LOG_ERR, "Pe has invalid trailing data"); + goto error_shdrs; + } +- generate_digest_step(cms, hash_base, hash_size); ++ if (hash_size % 16 != 0) { ++ size_t tmp_size = hash_size + (16 - (hash_size % 16)); ++ uint8_t tmp_array[tmp_size]; ++ memset(tmp_array, '\0', tmp_size); ++ memcpy(tmp_array, hash_base, hash_size); ++ generate_digest_step(cms, tmp_array, tmp_size); ++ dprintf("digesting %lx + %lx\n", (unsigned long)tmp_array, tmp_size); ++ } else { ++ generate_digest_step(cms, hash_base, hash_size); ++ dprintf("digesting %lx + %lx\n", hash_base - map, hash_size); ++ } + } ++ dprintf("end of hash\n"); + + rc = generate_digest_finish(cms); + if (rc < 0) +-- +1.7.10.4 + + +From d07c91cffaeaaa1b0f0a0dbc684e073d976ee9f3 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Mon, 25 Mar 2013 12:53:05 -0400 +Subject: [PATCH 2/8] Pad signatures everywhere /except/ -h. + +If you run -h, you may be using that hash in a db/dbx variable, in which +case the padding isn't appropriate. Everywhere else, it's for +implanting at some stage. + +Signed-off-by: Peter Jones +--- + src/cms_common.c | 4 ++-- + src/cms_common.h | 2 +- + src/daemon.c | 6 +++--- + src/pesign.c | 15 ++++++++------- + 4 files changed, 14 insertions(+), 13 deletions(-) + +diff --git a/src/cms_common.c b/src/cms_common.c +index 306d53e..f2ee684 100644 +--- a/src/cms_common.c ++++ b/src/cms_common.c +@@ -802,7 +802,7 @@ err: + #endif + + int +-generate_digest(cms_context *cms, Pe *pe) ++generate_digest(cms_context *cms, Pe *pe, int padded) + { + void *hash_base; + size_t hash_size; +@@ -949,7 +949,7 @@ generate_digest(cms_context *cms, Pe *pe) + cms->log(cms, LOG_ERR, "Pe has invalid trailing data"); + goto error_shdrs; + } +- if (hash_size % 16 != 0) { ++ if (hash_size % 16 != 0 && padded) { + size_t tmp_size = hash_size + (16 - (hash_size % 16)); + uint8_t tmp_array[tmp_size]; + memset(tmp_array, '\0', tmp_size); +diff --git a/src/cms_common.h b/src/cms_common.h +index a3848cd..d819aab 100644 +--- a/src/cms_common.h ++++ b/src/cms_common.h +@@ -105,7 +105,7 @@ extern int generate_spc_link(cms_context *cms, SpcLink *slp, + + extern int generate_spc_string(cms_context *cms, SECItem *ssp, char *str, + int len); +-extern int generate_digest(cms_context *cms, Pe *pe); ++extern int generate_digest(cms_context *cms, Pe *pe, int padded); + extern int generate_signature(cms_context *ctx); + extern int unlock_nss_token(cms_context *ctx); + extern int find_certificate(cms_context *ctx); +diff --git a/src/daemon.c b/src/daemon.c +index 92ae856..69821ba 100644 +--- a/src/daemon.c ++++ b/src/daemon.c +@@ -433,7 +433,7 @@ malformed: + if (rc < 0) + goto finish; + +- rc = generate_digest(ctx->cms, outpe); ++ rc = generate_digest(ctx->cms, outpe, 1); + if (rc < 0) { + err_attached: + pe_end(outpe); +@@ -448,7 +448,7 @@ err_attached: + if (sigspace < 0) + goto err_attached; + allocate_signature_space(outpe, sigspace); +- rc = generate_digest(ctx->cms, outpe); ++ rc = generate_digest(ctx->cms, outpe, 1); + if (rc < 0) + goto err_attached; + rc = generate_signature(ctx->cms); +@@ -463,7 +463,7 @@ err_attached: + ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR, + "pesignd: could not truncate output file: %m"); + } +- rc = generate_digest(ctx->cms, inpe); ++ rc = generate_digest(ctx->cms, inpe, 1); + if (rc < 0) { + err_detached: + if (ftruncate(outfd, 0) != 0) { +diff --git a/src/pesign.c b/src/pesign.c +index fcb2dca..81515d2 100644 +--- a/src/pesign.c ++++ b/src/pesign.c +@@ -473,7 +473,8 @@ main(int argc, char *argv[]) + "force overwriting of output file", NULL }, + {"sign", 's', POPT_ARG_VAL, &ctxp->sign, 1, + "create a new signature", NULL }, +- {"hash", 'h', POPT_ARG_VAL, &ctxp->hash, 1, "hash binary", NULL }, ++ {"hash", 'h', POPT_ARG_VAL, &ctxp->hash, 1, ++ "hash binary", NULL }, + {"digest_type", 'd', POPT_ARG_STRING|POPT_ARGFLAG_SHOW_DEFAULT, + &digest_name, 0, "digest type to use for pe hash" }, + {"import-signed-certificate", 'm', +@@ -669,7 +670,7 @@ main(int argc, char *argv[]) + open_input(ctxp); + open_output(ctxp); + close_input(ctxp); +- generate_digest(ctxp->cms_ctx, ctxp->outpe); ++ generate_digest(ctxp->cms_ctx, ctxp->outpe, 1); + sigspace = calculate_signature_space(ctxp->cms_ctx, + ctxp->outpe); + allocate_signature_space(ctxp->outpe, sigspace); +@@ -683,7 +684,7 @@ main(int argc, char *argv[]) + case EXPORT_SATTRS: + open_input(ctxp); + open_sattr_output(ctxp); +- generate_digest(ctxp->cms_ctx, ctxp->inpe); ++ generate_digest(ctxp->cms_ctx, ctxp->inpe, 1); + generate_sattr_blob(ctxp); + close_sattr_output(ctxp); + close_input(ctxp); +@@ -779,7 +780,7 @@ main(int argc, char *argv[]) + break; + case GENERATE_DIGEST|PRINT_DIGEST: + open_input(ctxp); +- generate_digest(ctxp->cms_ctx, ctxp->inpe); ++ generate_digest(ctxp->cms_ctx, ctxp->inpe, 0); + print_digest(ctxp); + break; + /* generate a signature and save it in a separate file */ +@@ -793,7 +794,7 @@ main(int argc, char *argv[]) + } + open_input(ctxp); + open_sig_output(ctxp); +- generate_digest(ctxp->cms_ctx, ctxp->inpe); ++ generate_digest(ctxp->cms_ctx, ctxp->inpe, 1); + generate_signature(ctxp->cms_ctx); + export_signature(ctxp->cms_ctx, ctxp->outsigfd, ctxp->ascii); + break; +@@ -814,11 +815,11 @@ main(int argc, char *argv[]) + open_input(ctxp); + open_output(ctxp); + close_input(ctxp); +- generate_digest(ctxp->cms_ctx, ctxp->outpe); ++ generate_digest(ctxp->cms_ctx, ctxp->outpe, 1); + sigspace = calculate_signature_space(ctxp->cms_ctx, + ctxp->outpe); + allocate_signature_space(ctxp->outpe, sigspace); +- generate_digest(ctxp->cms_ctx, ctxp->outpe); ++ generate_digest(ctxp->cms_ctx, ctxp->outpe, 1); + generate_signature(ctxp->cms_ctx); + insert_signature(ctxp->cms_ctx, ctxp->signum); + finalize_signatures(ctxp->cms_ctx->signatures, +-- +1.7.10.4 + + +From 29a593849964bb89c29bb40dd6a1f4bb5a90e675 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Thu, 21 Mar 2013 11:02:43 -0400 +Subject: [PATCH 3/8] Deal with PE-COFF 8.2+ alignment restrictions for the + certificate list. + +PE-COFF 8.2 and newer finally specify the certificate list as a proper +array, but they kindly made a new rule that each entry has to be 8-byte +aligned. So align them now :/ + +Signed-off-by: Peter Jones +--- + src/wincert.c | 22 +++++++++++++++++++++- + 1 file changed, 21 insertions(+), 1 deletion(-) + +diff --git a/src/wincert.c b/src/wincert.c +index 4197a87..3686918 100644 +--- a/src/wincert.c ++++ b/src/wincert.c +@@ -42,6 +42,11 @@ generate_cert_list(SECItem **signatures, int num_signatures, + *cert_list_size = cl_size; + + for (int i = 0; i < num_signatures; i++) { ++ /* pe-coff 8.2 adds some text that says each cert list ++ * entry is 8-byte aligned, so that means we need to align ++ * them here. */ ++ if ((intptr_t)data % 8 != 0) ++ data = (uint8_t *)((intptr_t)data + (8 - ((intptr_t)data % 8))); + struct cert_list_entry *cle = (struct cert_list_entry *)data; + cle->wc.length = signatures[i]->len + + sizeof (win_certificate); +@@ -170,6 +175,11 @@ done: + + iter->n += sizeof (*tmpcert) + length; + ++ /* each cert list entry must be aligned to an 8-byte ++ * boundary */ ++ if (iter->n % 8 != 0) ++ iter->n += 8 - (iter->n % 8); ++ + return 1; + } + } +@@ -208,8 +218,13 @@ size_t + get_reserved_sig_space(cms_context *cms, Pe *pe) + { + size_t ret = 0; +- for (int i = 0; i < cms->num_signatures; i++) ++ for (int i = 0; i < cms->num_signatures; i++) { + ret += cms->signatures[i]->len + sizeof (win_certificate); ++ /* each certificate list entry must be 8-byte aligned, ++ * so we need to account for that in our space calculation */ ++ if (ret % 8 != 0) ++ ret += 8 - (ret % 8); ++ } + return ret; + } + +@@ -238,6 +253,11 @@ err: + + size_t res = get_reserved_sig_space(cms, pe); + ++ /* pe-coff 8.2 adds some text that says each cert list entry is ++ * 8-byte aligned, so that means we need alignment space here. */ ++ if (res % 8 != 0) ++ res += 8 - (res % 8); ++ + ssize_t ret = res + sig.len + sizeof(win_certificate) - + available_cert_space(pe); + +-- +1.7.10.4 + + +From 731aa2ac9012a39fd4ccee813c77a9e75235606c Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Fri, 22 Mar 2013 09:56:23 -0400 +Subject: [PATCH 4/8] More certificate list alignment fixups (based on work by + Gary Lin) + +There was still some chance the first entry wasn't aligned right, and +doing it ad-hoc every time wasn't that great. So fix that. + +This is really all Gary's work, I've just reformatted it a little bit. + +Signed-off-by: Peter Jones +--- + libdpe/common.h | 2 ++ + libdpe/pe_allocspace.c | 4 ++-- + src/wincert.c | 24 ++++++++++-------------- + 3 files changed, 14 insertions(+), 16 deletions(-) + +diff --git a/libdpe/common.h b/libdpe/common.h +index 5d379e8..be42738 100644 +--- a/libdpe/common.h ++++ b/libdpe/common.h +@@ -31,6 +31,8 @@ + + #define is_64_bit(pe) ((pe)->flags & IMAGE_FILE_32BIT_MACHINE) + ++#define ALIGNMENT_PADDING(address, align) ((align - (address % align)) % align) ++ + #define xfree(x) ({if (x) { free(x); x = NULL; }}) + #define xmunmap(addr, size) ({if (addr) { munmap(addr,size); addr = NULL; }}) + +diff --git a/libdpe/pe_allocspace.c b/libdpe/pe_allocspace.c +index 0ae1f5d..716373c 100644 +--- a/libdpe/pe_allocspace.c ++++ b/libdpe/pe_allocspace.c +@@ -86,7 +86,7 @@ pe_extend_file(Pe *pe, size_t size, uint32_t *new_space, int align) + void *new = NULL; + + if (align) +- align = (pe->maximum_size + size) % align; ++ align = ALIGNMENT_PADDING(pe->maximum_size, align); + int extra = size + align; + + int rc = ftruncate(pe->fildes, pe->maximum_size + extra); +@@ -119,7 +119,7 @@ pe_allocspace(Pe *pe, size_t size, uint32_t *offset) + + /* XXX PJFIX TODO: this should try to find space in the already + * mapped regions. */ +- rc = pe_extend_file(pe, size, offset, 0); ++ rc = pe_extend_file(pe, size, offset, 8); + if (rc < 0) + return -1; + return 0; +diff --git a/src/wincert.c b/src/wincert.c +index 3686918..cc612b6 100644 +--- a/src/wincert.c ++++ b/src/wincert.c +@@ -19,6 +19,8 @@ + + #include "pesign.h" + ++#define ALIGNMENT_PADDING(address, align) ((align - (address % align)) % align) ++ + struct cert_list_entry { + win_certificate wc; + uint8_t data[]; +@@ -32,6 +34,7 @@ generate_cert_list(SECItem **signatures, int num_signatures, + for (int i = 0; i < num_signatures; i++) { + cl_size += sizeof (win_certificate); + cl_size += signatures[i]->len; ++ cl_size += ALIGNMENT_PADDING(cl_size, 8); + } + + uint8_t *data = malloc(cl_size); +@@ -45,16 +48,16 @@ generate_cert_list(SECItem **signatures, int num_signatures, + /* pe-coff 8.2 adds some text that says each cert list + * entry is 8-byte aligned, so that means we need to align + * them here. */ +- if ((intptr_t)data % 8 != 0) +- data = (uint8_t *)((intptr_t)data + (8 - ((intptr_t)data % 8))); + struct cert_list_entry *cle = (struct cert_list_entry *)data; + cle->wc.length = signatures[i]->len + ++ ALIGNMENT_PADDING(signatures[i]->len, 8) + + sizeof (win_certificate); + cle->wc.revision = WIN_CERT_REVISION_2_0; + cle->wc.cert_type = WIN_CERT_TYPE_PKCS_SIGNED_DATA; + memcpy(&cle->data[0], signatures[i]->data, + signatures[i]->len); + data += sizeof (win_certificate) + signatures[i]->len; ++ data += ALIGNMENT_PADDING(signatures[i]->len, 8); + } + + return 0; +@@ -175,11 +178,6 @@ done: + + iter->n += sizeof (*tmpcert) + length; + +- /* each cert list entry must be aligned to an 8-byte +- * boundary */ +- if (iter->n % 8 != 0) +- iter->n += 8 - (iter->n % 8); +- + return 1; + } + } +@@ -222,8 +220,7 @@ get_reserved_sig_space(cms_context *cms, Pe *pe) + ret += cms->signatures[i]->len + sizeof (win_certificate); + /* each certificate list entry must be 8-byte aligned, + * so we need to account for that in our space calculation */ +- if (ret % 8 != 0) +- ret += 8 - (ret % 8); ++ ret += ALIGNMENT_PADDING(ret, 8); + } + return ret; + } +@@ -253,14 +250,13 @@ err: + + size_t res = get_reserved_sig_space(cms, pe); + +- /* pe-coff 8.2 adds some text that says each cert list entry is +- * 8-byte aligned, so that means we need alignment space here. */ +- if (res % 8 != 0) +- res += 8 - (res % 8); +- + ssize_t ret = res + sig.len + sizeof(win_certificate) - + available_cert_space(pe); + ++ /* pe-coff 8.2 adds some text that says each cert list entry is ++ * 8-byte aligned, so that means we need alignment space here. */ ++ ret += ALIGNMENT_PADDING(ret, 8); ++ + //free(sig.data); + + return ret; +-- +1.7.10.4 + + +From 12595de05a873712a76e6118f00f324fd257d0f6 Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Tue, 26 Mar 2013 11:28:57 +0800 +Subject: [PATCH 5/8] Pad the file to be 16-byte aligned, instead of 8-byte + +--- + libdpe/pe_allocspace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libdpe/pe_allocspace.c b/libdpe/pe_allocspace.c +index 716373c..8b09153 100644 +--- a/libdpe/pe_allocspace.c ++++ b/libdpe/pe_allocspace.c +@@ -119,7 +119,7 @@ pe_allocspace(Pe *pe, size_t size, uint32_t *offset) + + /* XXX PJFIX TODO: this should try to find space in the already + * mapped regions. */ +- rc = pe_extend_file(pe, size, offset, 8); ++ rc = pe_extend_file(pe, size, offset, 16); + if (rc < 0) + return -1; + return 0; +-- +1.7.10.4 + + +From deb5811f7e718d8d0d9c41ad18d2302876334e7a Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Tue, 26 Mar 2013 11:34:33 +0800 +Subject: [PATCH 6/8] Add an option, -padding, for -h to pad signatures + +We are using "-h" to check the integrity of the file after inserting +a raw signature. Add this option to make the digests consistent. +--- + src/pesign.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/pesign.c b/src/pesign.c +index 81515d2..57fe96e 100644 +--- a/src/pesign.c ++++ b/src/pesign.c +@@ -440,6 +440,7 @@ main(int argc, char *argv[]) + int remove = 0; + int daemon = 0; + int fork = 1; ++ int padding = 0; + + char *digest_name = "sha256"; + char *tokenname = "NSS Certificate DB"; +@@ -518,6 +519,8 @@ main(int argc, char *argv[]) + "run as a daemon process", NULL }, + {"nofork", 'N', POPT_ARG_VAL, &fork, 0, + "don't fork when daemonizing", NULL }, ++ {"padding", 'P', POPT_ARG_VAL|POPT_ARGFLAG_DOC_HIDDEN, ++ &padding, 1, "pad data section", NULL }, + POPT_AUTOALIAS + POPT_AUTOHELP + POPT_TABLEEND +@@ -780,7 +783,7 @@ main(int argc, char *argv[]) + break; + case GENERATE_DIGEST|PRINT_DIGEST: + open_input(ctxp); +- generate_digest(ctxp->cms_ctx, ctxp->inpe, 0); ++ generate_digest(ctxp->cms_ctx, ctxp->inpe, padding); + print_digest(ctxp); + break; + /* generate a signature and save it in a separate file */ +-- +1.7.10.4 + + +From 63221e01d0a857ce844b4b17798b5da1ea6a6be1 Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Tue, 26 Mar 2013 18:30:58 +0800 +Subject: [PATCH 7/8] Clear the space for the certificate list + +Make sure the aligned bytes are '\0' + +Signed-off-by: Gary Ching-Pang Lin +--- + src/wincert.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/wincert.c b/src/wincert.c +index cc612b6..75fdceb 100644 +--- a/src/wincert.c ++++ b/src/wincert.c +@@ -37,7 +37,7 @@ generate_cert_list(SECItem **signatures, int num_signatures, + cl_size += ALIGNMENT_PADDING(cl_size, 8); + } + +- uint8_t *data = malloc(cl_size); ++ uint8_t *data = calloc(1, cl_size); + if (!data) + return -1; + +-- +1.7.10.4 + + +From 18080ba4acb235fd3b2e679f0308992255e6ca52 Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Wed, 27 Mar 2013 10:49:38 +0800 +Subject: [PATCH 8/8] The file should be 8-byte aligned, actually... + +--- + libdpe/pe_allocspace.c | 2 +- + src/cms_common.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/libdpe/pe_allocspace.c b/libdpe/pe_allocspace.c +index 8b09153..716373c 100644 +--- a/libdpe/pe_allocspace.c ++++ b/libdpe/pe_allocspace.c +@@ -119,7 +119,7 @@ pe_allocspace(Pe *pe, size_t size, uint32_t *offset) + + /* XXX PJFIX TODO: this should try to find space in the already + * mapped regions. */ +- rc = pe_extend_file(pe, size, offset, 16); ++ rc = pe_extend_file(pe, size, offset, 8); + if (rc < 0) + return -1; + return 0; +diff --git a/src/cms_common.c b/src/cms_common.c +index f2ee684..2c998d9 100644 +--- a/src/cms_common.c ++++ b/src/cms_common.c +@@ -949,8 +949,8 @@ generate_digest(cms_context *cms, Pe *pe, int padded) + cms->log(cms, LOG_ERR, "Pe has invalid trailing data"); + goto error_shdrs; + } +- if (hash_size % 16 != 0 && padded) { +- size_t tmp_size = hash_size + (16 - (hash_size % 16)); ++ if (hash_size % 8 != 0 && padded) { ++ size_t tmp_size = hash_size + (8 - (hash_size % 8)); + uint8_t tmp_array[tmp_size]; + memset(tmp_array, '\0', tmp_size); + memcpy(tmp_array, hash_base, hash_size); +-- +1.7.10.4 + diff --git a/pesign.changes b/pesign.changes index 7cfb788..2500fa3 100644 --- a/pesign.changes +++ b/pesign.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue Mar 26 06:21:15 UTC 2013 - glin@suse.com + +- Add pesign-bnc808594-align-signatures.patch to align signatures + (bnc#808594, bnc#811325) + ------------------------------------------------------------------- Fri Mar 1 03:04:35 UTC 2013 - glin@suse.com diff --git a/pesign.spec b/pesign.spec index e8aad53..9885da5 100644 --- a/pesign.spec +++ b/pesign.spec @@ -45,6 +45,8 @@ Patch10: pesign-privkey_unneeded.diff Patch11: pesign-no-set-image-size.patch # PATCH-FIX-UPSTREAM pesign-bnc805166-fix-signature-list.patch bnc#805166 glin@suse.com -- Fix the broken signature list when inserting a new signature into a signed EFI binary. Patch12: pesign-bnc805166-fix-signature-list.patch +# PATCH-FIX-UPSTREAM pesign-bnc808594-align-signatures.patch bnc#808594,bnc#811325 glin@suse.com -- Align the signatures to 8-bytes +Patch13: pesign-bnc808594-align-signatures.patch BuildRequires: mozilla-nss-devel BuildRequires: pkg-config BuildRequires: popt-devel @@ -80,6 +82,7 @@ Authors: %patch10 -p1 %patch11 -p1 %patch12 -p1 +%patch13 -p1 %build make OPTFLAGS="$RPM_OPT_FLAGS"