forked from pool/pesign
Accepting request 183190 from home:gary_lin:branches:Base:System
Update to 0.106 OBS-URL: https://build.opensuse.org/request/show/183190 OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign?expand=0&rev=18
This commit is contained in:
parent
5e7dc4bc7e
commit
b0787edea1
3
pesign-0.106.tar.bz2
Normal file
3
pesign-0.106.tar.bz2
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:e99e59abfd6bde19c97867105fa0a30ce39f195bb930a44803607c3fd5c34c9c
|
||||
size 82751
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:476d2cb79104167fa9147d1fee954e8545fe902931d2e449bf7c410963f2bbb1
|
||||
size 72907
|
@ -1,51 +0,0 @@
|
||||
commit ed689613e93f3121048d6c922c90aafd6bf10880
|
||||
Author: Peter Jones <pjones@redhat.com>
|
||||
Date: Tue Nov 27 11:37:05 2012 -0500
|
||||
|
||||
Hopefully make teardown_digests() work better...
|
||||
|
||||
Freeing nss constructs continues to be weird.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
|
||||
---
|
||||
src/cms_common.c | 7 ++-----
|
||||
1 file changed, 2 insertions(+), 5 deletions(-)
|
||||
|
||||
--- a/src/cms_common.c
|
||||
+++ b/src/cms_common.c
|
||||
@@ -110,8 +110,6 @@ teardown_digests(cms_context *ctx)
|
||||
PK11_DestroyContext(digests[i].pk11ctx, PR_TRUE);
|
||||
}
|
||||
if (digests[i].pe_digest) {
|
||||
- free_poison(digests[i].pe_digest->data,
|
||||
- digests[i].pe_digest->len);
|
||||
/* XXX sure seems like we should be freeing it here,
|
||||
* but that's segfaulting, and we know it'll get
|
||||
* cleaned up with PORT_FreeArena a couple of lines
|
||||
@@ -120,7 +118,7 @@ teardown_digests(cms_context *ctx)
|
||||
digests[i].pe_digest = NULL;
|
||||
}
|
||||
}
|
||||
- free(digests);
|
||||
+ PORT_Free(digests);
|
||||
ctx->digests = NULL;
|
||||
}
|
||||
|
||||
@@ -184,7 +182,6 @@ cms_context_fini(cms_context *cms)
|
||||
memset(&cms->newsig, '\0', sizeof (cms->newsig));
|
||||
}
|
||||
|
||||
- teardown_digests(cms);
|
||||
cms->selected_digest = -1;
|
||||
|
||||
if (cms->ci_digest) {
|
||||
@@ -708,7 +705,7 @@ generate_digest_begin(cms_context *cms)
|
||||
if (cms->digests) {
|
||||
digests = cms->digests;
|
||||
} else {
|
||||
- digests = calloc(n_digest_params, sizeof (*digests));
|
||||
+ digests = PORT_ZAlloc(n_digest_params * sizeof (*digests));
|
||||
if (!digests) {
|
||||
cms->log(cms, LOG_ERR, "cannot allocate memory: %m");
|
||||
return -1;
|
@ -1,553 +0,0 @@
|
||||
From ee3ab396e8bc167d3b63f475c463cd4103b1ca6e Mon Sep 17 00:00:00 2001
|
||||
From: Gary Ching-Pang Lin <chingpang@gmail.com>
|
||||
Date: Wed, 27 Feb 2013 15:48:06 +0800
|
||||
Subject: [PATCH] Backport patches to fix signature list
|
||||
|
||||
Get cms_context out of wincert functions.
|
||||
ee357451be9968cedda57ce13b103eb82c590e67
|
||||
|
||||
Rework siglist to be somewhat more useful.
|
||||
a5ec0d2cd06dec0961fc3fed680e7e385dc5bec8
|
||||
|
||||
Don't allow our signature list iterator to walk off the end of the file.
|
||||
18980866e7952100d98510297c0e1cc25fca8fc8
|
||||
|
||||
Include old signatures in new space calculations.
|
||||
77d334d77435d64e88fcc772b5b58440b394584a
|
||||
|
||||
Make implanting extracted certificates work again.
|
||||
5ceddd2f80dfea70d211236190943746c2d2f77b
|
||||
|
||||
Fix a casting problem on 32-bit.
|
||||
9eb2814858270af2d7ecfbfa5ca131e7be2f9f53
|
||||
---
|
||||
libdpe/pe_addcert.c | 2 +-
|
||||
libdpe/pe_updatefile.c | 13 +++++++++-
|
||||
src/actions.c | 12 +--------
|
||||
src/actions.h | 2 +-
|
||||
src/daemon.c | 6 +++--
|
||||
src/pesign.c | 35 ++++++++++++++++++++++----
|
||||
src/peverify.c | 7 ++++--
|
||||
src/siglist.c | 46 ++++++++++++++++++++++++++++------
|
||||
src/siglist.h | 3 ++-
|
||||
src/wincert.c | 65 ++++++++++++++++++++++++++++++++++--------------
|
||||
src/wincert.h | 8 +++---
|
||||
11 files changed, 146 insertions(+), 53 deletions(-)
|
||||
|
||||
diff --git a/libdpe/pe_addcert.c b/libdpe/pe_addcert.c
|
||||
index e391242..b6ba969 100644
|
||||
--- a/libdpe/pe_addcert.c
|
||||
+++ b/libdpe/pe_addcert.c
|
||||
@@ -59,7 +59,7 @@ pe_alloccert(Pe *pe, size_t size)
|
||||
memset(addr, '\0', size);
|
||||
|
||||
dd->certs.virtual_address = compute_file_addr(pe, addr);
|
||||
- dd->certs.size = size;
|
||||
+ dd->certs.size += size;
|
||||
|
||||
#if 0
|
||||
pe_set_image_size(pe);
|
||||
diff --git a/libdpe/pe_updatefile.c b/libdpe/pe_updatefile.c
|
||||
index 7a29757..a8fe769 100644
|
||||
--- a/libdpe/pe_updatefile.c
|
||||
+++ b/libdpe/pe_updatefile.c
|
||||
@@ -24,6 +24,7 @@
|
||||
#include <sys/mman.h>
|
||||
|
||||
static struct section_header *
|
||||
+__attribute__((unused))
|
||||
__get_last_section(Pe *pe)
|
||||
{
|
||||
Pe_Scn *scn = NULL;
|
||||
@@ -79,6 +80,7 @@ compare_sections (const void *a, const void *b)
|
||||
}
|
||||
|
||||
static void
|
||||
+__attribute__((unused))
|
||||
sort_sections (Pe_Scn **scns, Pe_ScnList *list)
|
||||
{
|
||||
Pe_Scn **scnp = scns;
|
||||
@@ -131,7 +133,16 @@ __pe_updatemmap(Pe *pe, size_t shnum)
|
||||
msync(msync_start, msync_end - msync_start, MS_SYNC);
|
||||
|
||||
#warning this is not done yet.
|
||||
- struct section_header *sh = __get_last_section(pe);
|
||||
+ //struct section_header *sh = __get_last_section(pe);
|
||||
+
|
||||
+ size_t dd_size = sizeof (*dd) / sizeof (dd->exports);
|
||||
+ data_dirent *dde = &dd->exports;
|
||||
+ for (int i = 0; i < dd_size; i++, dde++) {
|
||||
+ if (dde->size != 0) {
|
||||
+ char *addr = compute_mem_addr(pe, dde->virtual_address);
|
||||
+ msync(addr, dde->size, MS_SYNC);
|
||||
+ }
|
||||
+ }
|
||||
|
||||
return 0;
|
||||
}
|
||||
diff --git a/src/actions.c b/src/actions.c
|
||||
index 9e4ac59..5c5dd89 100644
|
||||
--- a/src/actions.c
|
||||
+++ b/src/actions.c
|
||||
@@ -268,7 +268,7 @@ failure:
|
||||
return ret;
|
||||
}
|
||||
|
||||
-static void
|
||||
+void
|
||||
parse_signature(pesign_context *ctx)
|
||||
{
|
||||
int rc;
|
||||
@@ -396,8 +396,6 @@ generate_sattr_blob(pesign_context *ctx)
|
||||
void
|
||||
check_signature_space(pesign_context *ctx)
|
||||
{
|
||||
- parse_signature(ctx);
|
||||
-
|
||||
ssize_t available = available_cert_space(ctx->outpe);
|
||||
|
||||
if (available < ctx->cms_ctx->newsig.len) {
|
||||
@@ -406,14 +404,6 @@ check_signature_space(pesign_context *ctx)
|
||||
}
|
||||
}
|
||||
|
||||
-int
|
||||
-import_signature(pesign_context *ctx)
|
||||
-{
|
||||
- insert_signature(ctx->cms_ctx, ctx->signum);
|
||||
-
|
||||
- return finalize_signatures(ctx->cms_ctx, ctx->outpe);
|
||||
-}
|
||||
-
|
||||
void
|
||||
allocate_signature_space(Pe *pe, ssize_t sigspace)
|
||||
{
|
||||
diff --git a/src/actions.h b/src/actions.h
|
||||
index 400876f..4ecaad8 100644
|
||||
--- a/src/actions.h
|
||||
+++ b/src/actions.h
|
||||
@@ -28,12 +28,12 @@ extern int list_signatures(pesign_context *ctx);
|
||||
extern void check_signature_space(pesign_context *ctx);
|
||||
extern void allocate_signature_space(Pe *pe, ssize_t sigspace);
|
||||
extern off_t export_signature(cms_context *cms, int fd, int ascii_armor);
|
||||
-extern int import_signature(pesign_context *ctx);
|
||||
extern void import_raw_signature(pesign_context *pctx);
|
||||
extern void remove_signature(pesign_context *ctx);
|
||||
extern void export_pubkey(pesign_context *ctx);
|
||||
extern void export_cert(pesign_context *ctx);
|
||||
extern int generate_sattr_blob(pesign_context *pctx);
|
||||
+extern void parse_signature(pesign_context *ctx);
|
||||
extern void insert_signature(cms_context *cms, int signum);
|
||||
|
||||
#endif /* PESIGN_CRYPTO_H */
|
||||
diff --git a/src/daemon.c b/src/daemon.c
|
||||
index 4a9af87..92ae856 100644
|
||||
--- a/src/daemon.c
|
||||
+++ b/src/daemon.c
|
||||
@@ -288,7 +288,8 @@ set_up_inpe(context *ctx, int fd, Pe **pe)
|
||||
return -1;
|
||||
}
|
||||
|
||||
- int rc = parse_signatures(ctx->cms, *pe);
|
||||
+ int rc = parse_signatures(&ctx->cms->signatures,
|
||||
+ &ctx->cms->num_signatures, *pe);
|
||||
if (rc < 0) {
|
||||
ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
|
||||
"pesignd: could not parse signature list");
|
||||
@@ -454,7 +455,8 @@ err_attached:
|
||||
if (rc < 0)
|
||||
goto err_attached;
|
||||
insert_signature(ctx->cms, ctx->cms->num_signatures);
|
||||
- finalize_signatures(ctx->cms, outpe);
|
||||
+ finalize_signatures(ctx->cms->signatures,
|
||||
+ ctx->cms->num_signatures, outpe);
|
||||
pe_end(outpe);
|
||||
} else {
|
||||
if (ftruncate(outfd, 0) != 0) {
|
||||
diff --git a/src/pesign.c b/src/pesign.c
|
||||
index bfda33b..fcb2dca 100644
|
||||
--- a/src/pesign.c
|
||||
+++ b/src/pesign.c
|
||||
@@ -104,7 +104,8 @@ open_input(pesign_context *ctx)
|
||||
exit(1);
|
||||
}
|
||||
|
||||
- int rc = parse_signatures(ctx->cms_ctx, ctx->inpe);
|
||||
+ int rc = parse_signatures(&ctx->cms_ctx->signatures,
|
||||
+ &ctx->cms_ctx->num_signatures, ctx->inpe);
|
||||
if (rc < 0) {
|
||||
fprintf(stderr, "pesign: could not parse signature data\n");
|
||||
exit(1);
|
||||
@@ -126,7 +127,8 @@ close_output(pesign_context *ctx)
|
||||
{
|
||||
Pe_Cmd cmd = ctx->outfd == STDOUT_FILENO ? PE_C_RDWR : PE_C_RDWR_MMAP;
|
||||
|
||||
- finalize_signatures(ctx->cms_ctx, ctx->outpe);
|
||||
+ finalize_signatures(ctx->cms_ctx->signatures,
|
||||
+ ctx->cms_ctx->num_signatures, ctx->outpe);
|
||||
pe_update(ctx->outpe, cmd);
|
||||
pe_end(ctx->outpe);
|
||||
ctx->outpe = NULL;
|
||||
@@ -673,7 +675,9 @@ main(int argc, char *argv[])
|
||||
allocate_signature_space(ctxp->outpe, sigspace);
|
||||
generate_signature(ctxp->cms_ctx);
|
||||
insert_signature(ctxp->cms_ctx, ctxp->signum);
|
||||
- finalize_signatures(ctxp->cms_ctx, ctxp->outpe);
|
||||
+ finalize_signatures(ctxp->cms_ctx->signatures,
|
||||
+ ctxp->cms_ctx->num_signatures,
|
||||
+ ctxp->outpe);
|
||||
close_output(ctxp);
|
||||
break;
|
||||
case EXPORT_SATTRS:
|
||||
@@ -687,12 +691,27 @@ main(int argc, char *argv[])
|
||||
/* add a signature from a file */
|
||||
case IMPORT_SIGNATURE:
|
||||
check_inputs(ctxp);
|
||||
+ if (ctxp->signum > ctxp->cms_ctx->num_signatures + 1) {
|
||||
+ fprintf(stderr, "Invalid signature number.\n");
|
||||
+ exit(1);
|
||||
+ }
|
||||
open_input(ctxp);
|
||||
open_output(ctxp);
|
||||
close_input(ctxp);
|
||||
open_sig_input(ctxp);
|
||||
+ parse_signature(ctxp);
|
||||
+ sigspace =
|
||||
+ calculate_signature_overhead(
|
||||
+ ctxp->cms_ctx->newsig.len) +
|
||||
+ ctxp->cms_ctx->newsig.len +
|
||||
+ get_reserved_sig_space(ctxp->cms_ctx,
|
||||
+ ctxp->outpe);
|
||||
+ allocate_signature_space(ctxp->outpe, sigspace);
|
||||
check_signature_space(ctxp);
|
||||
- import_signature(ctxp);
|
||||
+ insert_signature(ctxp->cms_ctx, ctxp->signum);
|
||||
+ finalize_signatures(ctxp->cms_ctx->signatures,
|
||||
+ ctxp->cms_ctx->num_signatures,
|
||||
+ ctxp->outpe);
|
||||
close_sig_input(ctxp);
|
||||
close_output(ctxp);
|
||||
break;
|
||||
@@ -788,6 +807,10 @@ main(int argc, char *argv[])
|
||||
ctxp->cms_ctx->certname);
|
||||
exit(1);
|
||||
}
|
||||
+ if (ctxp->signum > ctxp->cms_ctx->num_signatures + 1) {
|
||||
+ fprintf(stderr, "Invalid signature number.\n");
|
||||
+ exit(1);
|
||||
+ }
|
||||
open_input(ctxp);
|
||||
open_output(ctxp);
|
||||
close_input(ctxp);
|
||||
@@ -798,7 +821,9 @@ main(int argc, char *argv[])
|
||||
generate_digest(ctxp->cms_ctx, ctxp->outpe);
|
||||
generate_signature(ctxp->cms_ctx);
|
||||
insert_signature(ctxp->cms_ctx, ctxp->signum);
|
||||
- finalize_signatures(ctxp->cms_ctx, ctxp->outpe);
|
||||
+ finalize_signatures(ctxp->cms_ctx->signatures,
|
||||
+ ctxp->cms_ctx->num_signatures,
|
||||
+ ctxp->outpe);
|
||||
close_output(ctxp);
|
||||
break;
|
||||
case DAEMONIZE:
|
||||
diff --git a/src/peverify.c b/src/peverify.c
|
||||
index 08aad27..e010d87 100644
|
||||
--- a/src/peverify.c
|
||||
+++ b/src/peverify.c
|
||||
@@ -55,9 +55,12 @@ open_input(peverify_context *ctx)
|
||||
exit(1);
|
||||
}
|
||||
|
||||
- int rc = parse_signatures(&ctx->cms_ctx, ctx->inpe);
|
||||
+ int rc = parse_signatures(&ctx->cms_ctx->signatures,
|
||||
+ &ctx->cms_ctx->num_signatures,
|
||||
+ ctx->inpe);
|
||||
if (rc < 0) {
|
||||
- fprintf(stderr, "pesign: could not parse signature data\n");
|
||||
+ fprintf(stderr, "pesign: could not parse signature list in "
|
||||
+ "EFI binary\n");
|
||||
exit(1);
|
||||
}
|
||||
}
|
||||
diff --git a/src/siglist.c b/src/siglist.c
|
||||
index 1a933e7..ca097e6 100644
|
||||
--- a/src/siglist.c
|
||||
+++ b/src/siglist.c
|
||||
@@ -17,11 +17,15 @@
|
||||
* Author(s): Peter Jones <pjones@redhat.com>
|
||||
*/
|
||||
|
||||
+#include <stdlib.h>
|
||||
#include <stdint.h>
|
||||
+#include <stdio.h>
|
||||
+#include <string.h>
|
||||
#include <sys/param.h>
|
||||
#include <errno.h>
|
||||
|
||||
-#include "authvar.h"
|
||||
+#include "efitypes.h"
|
||||
+#include "siglist.h"
|
||||
|
||||
struct efi_signature_data {
|
||||
efi_guid_t SignatureOwner;
|
||||
@@ -135,7 +139,10 @@ signature_list_add_sig(signature_list *sl, efi_guid_t owner,
|
||||
if (memcmp(&sl->SignatureType, &x509_guid, sizeof (efi_guid_t)) == 0) {
|
||||
if (sigsize > sl->SignatureSize)
|
||||
resize_entries(sl, sigsize);
|
||||
- } else if (sigsize != sl->SignatureSize) {
|
||||
+ } else if (sigsize != get_sig_type_size(sl->SignatureType)) {
|
||||
+ fprintf(stderr, "sigsize: %d sl->SignatureSize: %d\n",
|
||||
+ sigsize, sl->SignatureSize);
|
||||
+ errno = EINVAL;
|
||||
return -1;
|
||||
}
|
||||
|
||||
@@ -162,11 +169,31 @@ signature_list_add_sig(signature_list *sl, efi_guid_t owner,
|
||||
return 0;
|
||||
}
|
||||
|
||||
-void *
|
||||
-signature_list_realize(signature_list *sl)
|
||||
+#if 0
|
||||
+int
|
||||
+signature_list_parse(signature_list *sl, uint8_t *data, size_t len)
|
||||
{
|
||||
- if (sl->realized)
|
||||
- return sl->realized;
|
||||
+ if (!sl)
|
||||
+ return -1;
|
||||
+
|
||||
+ if (sl->realized) {
|
||||
+ free(sl->realized);
|
||||
+ sl->realized = NULL;
|
||||
+ }
|
||||
+
|
||||
+ efi_signature_list *esl = data;
|
||||
+ efi_signature_data *esd = NULL;
|
||||
+
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
+int
|
||||
+signature_list_realize(signature_list *sl, void **out, size_t *outsize)
|
||||
+{
|
||||
+ if (sl->realized) {
|
||||
+ free(sl->realized);
|
||||
+ sl->realized = NULL;
|
||||
+ }
|
||||
|
||||
struct efi_signature_list *esl = NULL;
|
||||
uint32_t size = sizeof (*esl) +
|
||||
@@ -174,7 +201,7 @@ signature_list_realize(signature_list *sl)
|
||||
|
||||
void *ret = calloc(1, size);
|
||||
if (!ret)
|
||||
- return NULL;
|
||||
+ return -1;
|
||||
esl = ret;
|
||||
|
||||
memcpy(esl, sl, sizeof (*esl));
|
||||
@@ -186,7 +213,10 @@ signature_list_realize(signature_list *sl)
|
||||
}
|
||||
|
||||
sl->realized = ret;
|
||||
- return ret;
|
||||
+
|
||||
+ *out = ret;
|
||||
+ *outsize = size;
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
void
|
||||
diff --git a/src/siglist.h b/src/siglist.h
|
||||
index 2961a39..a576ffd 100644
|
||||
--- a/src/siglist.h
|
||||
+++ b/src/siglist.h
|
||||
@@ -24,7 +24,8 @@ typedef struct signature_list signature_list;
|
||||
extern signature_list *signature_list_new(efi_guid_t SignatureType);
|
||||
extern int signature_list_add_sig(signature_list *sl, efi_guid_t owner,
|
||||
uint8_t *sig, uint32_t sigsize);
|
||||
-extern void *signature_list_realize(signature_list *sl);
|
||||
+extern int signature_list_realize(signature_list *sl,
|
||||
+ void **out, size_t *outsize);
|
||||
extern void signature_list_free(signature_list *sl);
|
||||
|
||||
#endif /* SIGLIST_H */
|
||||
diff --git a/src/wincert.c b/src/wincert.c
|
||||
index 4b5ba45..4197a87 100644
|
||||
--- a/src/wincert.c
|
||||
+++ b/src/wincert.c
|
||||
@@ -25,13 +25,13 @@ struct cert_list_entry {
|
||||
};
|
||||
|
||||
static int
|
||||
-generate_cert_list(cms_context *cms, void **cert_list,
|
||||
- size_t *cert_list_size)
|
||||
+generate_cert_list(SECItem **signatures, int num_signatures,
|
||||
+ void **cert_list, size_t *cert_list_size)
|
||||
{
|
||||
size_t cl_size = 0;
|
||||
- for (int i = 0; i < cms->num_signatures; i++) {
|
||||
+ for (int i = 0; i < num_signatures; i++) {
|
||||
cl_size += sizeof (win_certificate);
|
||||
- cl_size += cms->signatures[i]->len;
|
||||
+ cl_size += signatures[i]->len;
|
||||
}
|
||||
|
||||
uint8_t *data = malloc(cl_size);
|
||||
@@ -41,15 +41,15 @@ generate_cert_list(cms_context *cms, void **cert_list,
|
||||
*cert_list = (void *)data;
|
||||
*cert_list_size = cl_size;
|
||||
|
||||
- for (int i = 0; i < cms->num_signatures; i++) {
|
||||
+ for (int i = 0; i < num_signatures; i++) {
|
||||
struct cert_list_entry *cle = (struct cert_list_entry *)data;
|
||||
- cle->wc.length = cms->signatures[i]->len +
|
||||
+ cle->wc.length = signatures[i]->len +
|
||||
sizeof (win_certificate);
|
||||
cle->wc.revision = WIN_CERT_REVISION_2_0;
|
||||
cle->wc.cert_type = WIN_CERT_TYPE_PKCS_SIGNED_DATA;
|
||||
- memcpy(&cle->data[0], cms->signatures[i]->data,
|
||||
- cms->signatures[i]->len);
|
||||
- data += sizeof (win_certificate) + cms->signatures[i]->len;
|
||||
+ memcpy(&cle->data[0], signatures[i]->data,
|
||||
+ signatures[i]->len);
|
||||
+ data += sizeof (win_certificate) + signatures[i]->len;
|
||||
}
|
||||
|
||||
return 0;
|
||||
@@ -62,12 +62,13 @@ implant_cert_list(Pe *pe, void *cert_list, size_t cert_list_size)
|
||||
}
|
||||
|
||||
int
|
||||
-finalize_signatures(cms_context *cms, Pe *pe)
|
||||
+finalize_signatures(SECItem **sigs, int num_sigs, Pe *pe)
|
||||
{
|
||||
void *clist = NULL;
|
||||
size_t clist_size = 0;
|
||||
|
||||
- if (generate_cert_list(cms, &clist, &clist_size) < 0)
|
||||
+ if (generate_cert_list(sigs, num_sigs,
|
||||
+ &clist, &clist_size) < 0)
|
||||
return -1;
|
||||
|
||||
if (implant_cert_list(pe, clist, clist_size) < 0) {
|
||||
@@ -126,6 +127,13 @@ done:
|
||||
void *certs = iter->certs;
|
||||
size_t size = iter->size;
|
||||
|
||||
+ void *map = NULL;
|
||||
+ size_t map_size = 0;
|
||||
+
|
||||
+ map = pe_rawfile(iter->pe, &map_size);
|
||||
+ if (!map || map_size < 1)
|
||||
+ return 0;
|
||||
+
|
||||
while (1) {
|
||||
win_certificate *tmpcert;
|
||||
if (n + sizeof (*tmpcert) >= size)
|
||||
@@ -133,6 +141,9 @@ done:
|
||||
|
||||
tmpcert = (win_certificate *)((uint8_t *)certs + n);
|
||||
|
||||
+ if ((intptr_t)tmpcert > (intptr_t)map + map_size)
|
||||
+ return -1;
|
||||
+
|
||||
/* length _includes_ the size of the structure. */
|
||||
uint32_t length = le32_to_cpu(tmpcert->length);
|
||||
|
||||
@@ -193,7 +204,23 @@ available_cert_space(Pe *pe)
|
||||
return totalsize - foundsize;
|
||||
}
|
||||
|
||||
-ssize_t calculate_signature_space(cms_context *cms, Pe *pe)
|
||||
+size_t
|
||||
+get_reserved_sig_space(cms_context *cms, Pe *pe)
|
||||
+{
|
||||
+ size_t ret = 0;
|
||||
+ for (int i = 0; i < cms->num_signatures; i++)
|
||||
+ ret += cms->signatures[i]->len + sizeof (win_certificate);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+ssize_t
|
||||
+calculate_signature_overhead(ssize_t size)
|
||||
+{
|
||||
+ return sizeof(win_certificate);
|
||||
+}
|
||||
+
|
||||
+ssize_t
|
||||
+calculate_signature_space(cms_context *cms, Pe *pe)
|
||||
{
|
||||
int rc;
|
||||
|
||||
@@ -209,7 +236,9 @@ err:
|
||||
if (rc < 0)
|
||||
goto err;
|
||||
|
||||
- ssize_t ret = sig.len + dd->certs.size + sizeof(win_certificate) -
|
||||
+ size_t res = get_reserved_sig_space(cms, pe);
|
||||
+
|
||||
+ ssize_t ret = res + sig.len + sizeof(win_certificate) -
|
||||
available_cert_space(pe);
|
||||
|
||||
//free(sig.data);
|
||||
@@ -218,7 +247,7 @@ err:
|
||||
}
|
||||
|
||||
int
|
||||
-parse_signatures(cms_context *cms, Pe *pe)
|
||||
+parse_signatures(SECItem ***sigs, int *num_sigs, Pe *pe)
|
||||
{
|
||||
cert_iter iter;
|
||||
int rc = cert_iter_init(&iter, pe);
|
||||
@@ -238,8 +267,8 @@ parse_signatures(cms_context *cms, Pe *pe)
|
||||
}
|
||||
|
||||
if (nsigs == 0) {
|
||||
- cms->num_signatures = 0;
|
||||
- cms->signatures = NULL;
|
||||
+ *num_sigs = 0;
|
||||
+ *sigs = NULL;
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -271,8 +300,8 @@ parse_signatures(cms_context *cms, Pe *pe)
|
||||
i++;
|
||||
}
|
||||
|
||||
- cms->num_signatures = nsigs;
|
||||
- cms->signatures = signatures;
|
||||
+ *num_sigs = nsigs;
|
||||
+ *sigs = signatures;
|
||||
|
||||
return 0;
|
||||
err:
|
||||
diff --git a/src/wincert.h b/src/wincert.h
|
||||
index 4309915..ed7e15c 100644
|
||||
--- a/src/wincert.h
|
||||
+++ b/src/wincert.h
|
||||
@@ -32,8 +32,6 @@ typedef struct win_certificate {
|
||||
uint16_t cert_type;
|
||||
} win_certificate;
|
||||
|
||||
-extern int finalize_signatures(cms_context *cms, Pe *pe);
|
||||
-
|
||||
typedef struct cert_iter {
|
||||
Pe *pe;
|
||||
off_t n;
|
||||
@@ -45,6 +43,10 @@ extern int cert_iter_init(cert_iter *iter, Pe *pe);
|
||||
extern int next_cert(cert_iter *iter, void **cert, ssize_t *cert_size);
|
||||
extern ssize_t available_cert_space(Pe *pe);
|
||||
extern ssize_t calculate_signature_space(cms_context *cms, Pe *pe);
|
||||
-extern int parse_signatures(cms_context *cms, Pe *pe);
|
||||
+extern int parse_signatures(SECItem ***sigs, int *num_sigs, Pe *pe);
|
||||
+extern int finalize_signatures(SECItem **sigs, int num_sigs, Pe *pe);
|
||||
+extern size_t get_reserved_sig_space(cms_context *cms, Pe *pe);
|
||||
+extern ssize_t calculate_signature_overhead(ssize_t size);
|
||||
+
|
||||
|
||||
#endif /* PESIGN_WINCERT_H */
|
||||
--
|
||||
1.7.10.4
|
||||
|
@ -1,598 +0,0 @@
|
||||
From 21cec8feac92a8cda788eaf3f9e9aee9d1b92672 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Mon, 25 Mar 2013 11:34:45 -0400
|
||||
Subject: [PATCH 1/8] If the last hunk of the file isn't 16-byte aligned, pad
|
||||
before digesting.
|
||||
|
||||
When we (or MS) create a data directory section, we pad it to 16-bytes.
|
||||
This means that when you add that and then hash, you'll have that
|
||||
0-extension before the data directory (in this case, the cert list) in
|
||||
the checksum.
|
||||
|
||||
If we do -h without embedding the signature in the binary, we still need
|
||||
to take that into account.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/cms_common.c | 24 +++++++++++++++++++++++-
|
||||
1 file changed, 23 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/cms_common.c b/src/cms_common.c
|
||||
index 9ab2021..306d53e 100644
|
||||
--- a/src/cms_common.c
|
||||
+++ b/src/cms_common.c
|
||||
@@ -795,6 +795,12 @@ err:
|
||||
return -1;
|
||||
}
|
||||
|
||||
+#if 1
|
||||
+#define dprintf(fmt, ...)
|
||||
+#else
|
||||
+#define dprintf(fmt, args...) printf(fmt, ## args)
|
||||
+#endif
|
||||
+
|
||||
int
|
||||
generate_digest(cms_context *cms, Pe *pe)
|
||||
{
|
||||
@@ -860,6 +866,8 @@ generate_digest(cms_context *cms, Pe *pe)
|
||||
cms->log(cms, LOG_ERR, "Pe header is invalid");
|
||||
goto error;
|
||||
}
|
||||
+ dprintf("beginning of hash\n");
|
||||
+ dprintf("digesting %lx + %lx\n", hash_base - map, hash_size);
|
||||
generate_digest_step(cms, hash_base, hash_size);
|
||||
|
||||
/* 5. Skip over the image checksum
|
||||
@@ -882,6 +890,7 @@ generate_digest(cms_context *cms, Pe *pe)
|
||||
goto error;
|
||||
}
|
||||
generate_digest_step(cms, hash_base, hash_size);
|
||||
+ dprintf("digesting %lx + %lx\n", hash_base - map, hash_size);
|
||||
|
||||
/* 8. Skip over the crt dir
|
||||
* 9. Hash everything up to the end of the image header. */
|
||||
@@ -895,6 +904,7 @@ generate_digest(cms_context *cms, Pe *pe)
|
||||
goto error;
|
||||
}
|
||||
generate_digest_step(cms, hash_base, hash_size);
|
||||
+ dprintf("digesting %lx + %lx\n", hash_base - map, hash_size);
|
||||
|
||||
/* 10. Set SUM_OF_BYTES_HASHED to the size of the header. */
|
||||
hashed_bytes = pe32opthdr ? pe32opthdr->header_size
|
||||
@@ -926,6 +936,7 @@ generate_digest(cms_context *cms, Pe *pe)
|
||||
}
|
||||
|
||||
generate_digest_step(cms, hash_base, hash_size);
|
||||
+ dprintf("digesting %lx + %lx\n", hash_base - map, hash_size);
|
||||
|
||||
hashed_bytes += hash_size;
|
||||
}
|
||||
@@ -938,8 +949,19 @@ generate_digest(cms_context *cms, Pe *pe)
|
||||
cms->log(cms, LOG_ERR, "Pe has invalid trailing data");
|
||||
goto error_shdrs;
|
||||
}
|
||||
- generate_digest_step(cms, hash_base, hash_size);
|
||||
+ if (hash_size % 16 != 0) {
|
||||
+ size_t tmp_size = hash_size + (16 - (hash_size % 16));
|
||||
+ uint8_t tmp_array[tmp_size];
|
||||
+ memset(tmp_array, '\0', tmp_size);
|
||||
+ memcpy(tmp_array, hash_base, hash_size);
|
||||
+ generate_digest_step(cms, tmp_array, tmp_size);
|
||||
+ dprintf("digesting %lx + %lx\n", (unsigned long)tmp_array, tmp_size);
|
||||
+ } else {
|
||||
+ generate_digest_step(cms, hash_base, hash_size);
|
||||
+ dprintf("digesting %lx + %lx\n", hash_base - map, hash_size);
|
||||
+ }
|
||||
}
|
||||
+ dprintf("end of hash\n");
|
||||
|
||||
rc = generate_digest_finish(cms);
|
||||
if (rc < 0)
|
||||
--
|
||||
1.7.10.4
|
||||
|
||||
|
||||
From d07c91cffaeaaa1b0f0a0dbc684e073d976ee9f3 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Mon, 25 Mar 2013 12:53:05 -0400
|
||||
Subject: [PATCH 2/8] Pad signatures everywhere /except/ -h.
|
||||
|
||||
If you run -h, you may be using that hash in a db/dbx variable, in which
|
||||
case the padding isn't appropriate. Everywhere else, it's for
|
||||
implanting at some stage.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/cms_common.c | 4 ++--
|
||||
src/cms_common.h | 2 +-
|
||||
src/daemon.c | 6 +++---
|
||||
src/pesign.c | 15 ++++++++-------
|
||||
4 files changed, 14 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/src/cms_common.c b/src/cms_common.c
|
||||
index 306d53e..f2ee684 100644
|
||||
--- a/src/cms_common.c
|
||||
+++ b/src/cms_common.c
|
||||
@@ -802,7 +802,7 @@ err:
|
||||
#endif
|
||||
|
||||
int
|
||||
-generate_digest(cms_context *cms, Pe *pe)
|
||||
+generate_digest(cms_context *cms, Pe *pe, int padded)
|
||||
{
|
||||
void *hash_base;
|
||||
size_t hash_size;
|
||||
@@ -949,7 +949,7 @@ generate_digest(cms_context *cms, Pe *pe)
|
||||
cms->log(cms, LOG_ERR, "Pe has invalid trailing data");
|
||||
goto error_shdrs;
|
||||
}
|
||||
- if (hash_size % 16 != 0) {
|
||||
+ if (hash_size % 16 != 0 && padded) {
|
||||
size_t tmp_size = hash_size + (16 - (hash_size % 16));
|
||||
uint8_t tmp_array[tmp_size];
|
||||
memset(tmp_array, '\0', tmp_size);
|
||||
diff --git a/src/cms_common.h b/src/cms_common.h
|
||||
index a3848cd..d819aab 100644
|
||||
--- a/src/cms_common.h
|
||||
+++ b/src/cms_common.h
|
||||
@@ -105,7 +105,7 @@ extern int generate_spc_link(cms_context *cms, SpcLink *slp,
|
||||
|
||||
extern int generate_spc_string(cms_context *cms, SECItem *ssp, char *str,
|
||||
int len);
|
||||
-extern int generate_digest(cms_context *cms, Pe *pe);
|
||||
+extern int generate_digest(cms_context *cms, Pe *pe, int padded);
|
||||
extern int generate_signature(cms_context *ctx);
|
||||
extern int unlock_nss_token(cms_context *ctx);
|
||||
extern int find_certificate(cms_context *ctx);
|
||||
diff --git a/src/daemon.c b/src/daemon.c
|
||||
index 92ae856..69821ba 100644
|
||||
--- a/src/daemon.c
|
||||
+++ b/src/daemon.c
|
||||
@@ -433,7 +433,7 @@ malformed:
|
||||
if (rc < 0)
|
||||
goto finish;
|
||||
|
||||
- rc = generate_digest(ctx->cms, outpe);
|
||||
+ rc = generate_digest(ctx->cms, outpe, 1);
|
||||
if (rc < 0) {
|
||||
err_attached:
|
||||
pe_end(outpe);
|
||||
@@ -448,7 +448,7 @@ err_attached:
|
||||
if (sigspace < 0)
|
||||
goto err_attached;
|
||||
allocate_signature_space(outpe, sigspace);
|
||||
- rc = generate_digest(ctx->cms, outpe);
|
||||
+ rc = generate_digest(ctx->cms, outpe, 1);
|
||||
if (rc < 0)
|
||||
goto err_attached;
|
||||
rc = generate_signature(ctx->cms);
|
||||
@@ -463,7 +463,7 @@ err_attached:
|
||||
ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
|
||||
"pesignd: could not truncate output file: %m");
|
||||
}
|
||||
- rc = generate_digest(ctx->cms, inpe);
|
||||
+ rc = generate_digest(ctx->cms, inpe, 1);
|
||||
if (rc < 0) {
|
||||
err_detached:
|
||||
if (ftruncate(outfd, 0) != 0) {
|
||||
diff --git a/src/pesign.c b/src/pesign.c
|
||||
index fcb2dca..81515d2 100644
|
||||
--- a/src/pesign.c
|
||||
+++ b/src/pesign.c
|
||||
@@ -473,7 +473,8 @@ main(int argc, char *argv[])
|
||||
"force overwriting of output file", NULL },
|
||||
{"sign", 's', POPT_ARG_VAL, &ctxp->sign, 1,
|
||||
"create a new signature", NULL },
|
||||
- {"hash", 'h', POPT_ARG_VAL, &ctxp->hash, 1, "hash binary", NULL },
|
||||
+ {"hash", 'h', POPT_ARG_VAL, &ctxp->hash, 1,
|
||||
+ "hash binary", NULL },
|
||||
{"digest_type", 'd', POPT_ARG_STRING|POPT_ARGFLAG_SHOW_DEFAULT,
|
||||
&digest_name, 0, "digest type to use for pe hash" },
|
||||
{"import-signed-certificate", 'm',
|
||||
@@ -669,7 +670,7 @@ main(int argc, char *argv[])
|
||||
open_input(ctxp);
|
||||
open_output(ctxp);
|
||||
close_input(ctxp);
|
||||
- generate_digest(ctxp->cms_ctx, ctxp->outpe);
|
||||
+ generate_digest(ctxp->cms_ctx, ctxp->outpe, 1);
|
||||
sigspace = calculate_signature_space(ctxp->cms_ctx,
|
||||
ctxp->outpe);
|
||||
allocate_signature_space(ctxp->outpe, sigspace);
|
||||
@@ -683,7 +684,7 @@ main(int argc, char *argv[])
|
||||
case EXPORT_SATTRS:
|
||||
open_input(ctxp);
|
||||
open_sattr_output(ctxp);
|
||||
- generate_digest(ctxp->cms_ctx, ctxp->inpe);
|
||||
+ generate_digest(ctxp->cms_ctx, ctxp->inpe, 1);
|
||||
generate_sattr_blob(ctxp);
|
||||
close_sattr_output(ctxp);
|
||||
close_input(ctxp);
|
||||
@@ -779,7 +780,7 @@ main(int argc, char *argv[])
|
||||
break;
|
||||
case GENERATE_DIGEST|PRINT_DIGEST:
|
||||
open_input(ctxp);
|
||||
- generate_digest(ctxp->cms_ctx, ctxp->inpe);
|
||||
+ generate_digest(ctxp->cms_ctx, ctxp->inpe, 0);
|
||||
print_digest(ctxp);
|
||||
break;
|
||||
/* generate a signature and save it in a separate file */
|
||||
@@ -793,7 +794,7 @@ main(int argc, char *argv[])
|
||||
}
|
||||
open_input(ctxp);
|
||||
open_sig_output(ctxp);
|
||||
- generate_digest(ctxp->cms_ctx, ctxp->inpe);
|
||||
+ generate_digest(ctxp->cms_ctx, ctxp->inpe, 1);
|
||||
generate_signature(ctxp->cms_ctx);
|
||||
export_signature(ctxp->cms_ctx, ctxp->outsigfd, ctxp->ascii);
|
||||
break;
|
||||
@@ -814,11 +815,11 @@ main(int argc, char *argv[])
|
||||
open_input(ctxp);
|
||||
open_output(ctxp);
|
||||
close_input(ctxp);
|
||||
- generate_digest(ctxp->cms_ctx, ctxp->outpe);
|
||||
+ generate_digest(ctxp->cms_ctx, ctxp->outpe, 1);
|
||||
sigspace = calculate_signature_space(ctxp->cms_ctx,
|
||||
ctxp->outpe);
|
||||
allocate_signature_space(ctxp->outpe, sigspace);
|
||||
- generate_digest(ctxp->cms_ctx, ctxp->outpe);
|
||||
+ generate_digest(ctxp->cms_ctx, ctxp->outpe, 1);
|
||||
generate_signature(ctxp->cms_ctx);
|
||||
insert_signature(ctxp->cms_ctx, ctxp->signum);
|
||||
finalize_signatures(ctxp->cms_ctx->signatures,
|
||||
--
|
||||
1.7.10.4
|
||||
|
||||
|
||||
From 29a593849964bb89c29bb40dd6a1f4bb5a90e675 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Thu, 21 Mar 2013 11:02:43 -0400
|
||||
Subject: [PATCH 3/8] Deal with PE-COFF 8.2+ alignment restrictions for the
|
||||
certificate list.
|
||||
|
||||
PE-COFF 8.2 and newer finally specify the certificate list as a proper
|
||||
array, but they kindly made a new rule that each entry has to be 8-byte
|
||||
aligned. So align them now :/
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/wincert.c | 22 +++++++++++++++++++++-
|
||||
1 file changed, 21 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/wincert.c b/src/wincert.c
|
||||
index 4197a87..3686918 100644
|
||||
--- a/src/wincert.c
|
||||
+++ b/src/wincert.c
|
||||
@@ -42,6 +42,11 @@ generate_cert_list(SECItem **signatures, int num_signatures,
|
||||
*cert_list_size = cl_size;
|
||||
|
||||
for (int i = 0; i < num_signatures; i++) {
|
||||
+ /* pe-coff 8.2 adds some text that says each cert list
|
||||
+ * entry is 8-byte aligned, so that means we need to align
|
||||
+ * them here. */
|
||||
+ if ((intptr_t)data % 8 != 0)
|
||||
+ data = (uint8_t *)((intptr_t)data + (8 - ((intptr_t)data % 8)));
|
||||
struct cert_list_entry *cle = (struct cert_list_entry *)data;
|
||||
cle->wc.length = signatures[i]->len +
|
||||
sizeof (win_certificate);
|
||||
@@ -170,6 +175,11 @@ done:
|
||||
|
||||
iter->n += sizeof (*tmpcert) + length;
|
||||
|
||||
+ /* each cert list entry must be aligned to an 8-byte
|
||||
+ * boundary */
|
||||
+ if (iter->n % 8 != 0)
|
||||
+ iter->n += 8 - (iter->n % 8);
|
||||
+
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
@@ -208,8 +218,13 @@ size_t
|
||||
get_reserved_sig_space(cms_context *cms, Pe *pe)
|
||||
{
|
||||
size_t ret = 0;
|
||||
- for (int i = 0; i < cms->num_signatures; i++)
|
||||
+ for (int i = 0; i < cms->num_signatures; i++) {
|
||||
ret += cms->signatures[i]->len + sizeof (win_certificate);
|
||||
+ /* each certificate list entry must be 8-byte aligned,
|
||||
+ * so we need to account for that in our space calculation */
|
||||
+ if (ret % 8 != 0)
|
||||
+ ret += 8 - (ret % 8);
|
||||
+ }
|
||||
return ret;
|
||||
}
|
||||
|
||||
@@ -238,6 +253,11 @@ err:
|
||||
|
||||
size_t res = get_reserved_sig_space(cms, pe);
|
||||
|
||||
+ /* pe-coff 8.2 adds some text that says each cert list entry is
|
||||
+ * 8-byte aligned, so that means we need alignment space here. */
|
||||
+ if (res % 8 != 0)
|
||||
+ res += 8 - (res % 8);
|
||||
+
|
||||
ssize_t ret = res + sig.len + sizeof(win_certificate) -
|
||||
available_cert_space(pe);
|
||||
|
||||
--
|
||||
1.7.10.4
|
||||
|
||||
|
||||
From 731aa2ac9012a39fd4ccee813c77a9e75235606c Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Fri, 22 Mar 2013 09:56:23 -0400
|
||||
Subject: [PATCH 4/8] More certificate list alignment fixups (based on work by
|
||||
Gary Lin)
|
||||
|
||||
There was still some chance the first entry wasn't aligned right, and
|
||||
doing it ad-hoc every time wasn't that great. So fix that.
|
||||
|
||||
This is really all Gary's work, I've just reformatted it a little bit.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
libdpe/common.h | 2 ++
|
||||
libdpe/pe_allocspace.c | 4 ++--
|
||||
src/wincert.c | 24 ++++++++++--------------
|
||||
3 files changed, 14 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/libdpe/common.h b/libdpe/common.h
|
||||
index 5d379e8..be42738 100644
|
||||
--- a/libdpe/common.h
|
||||
+++ b/libdpe/common.h
|
||||
@@ -31,6 +31,8 @@
|
||||
|
||||
#define is_64_bit(pe) ((pe)->flags & IMAGE_FILE_32BIT_MACHINE)
|
||||
|
||||
+#define ALIGNMENT_PADDING(address, align) ((align - (address % align)) % align)
|
||||
+
|
||||
#define xfree(x) ({if (x) { free(x); x = NULL; }})
|
||||
#define xmunmap(addr, size) ({if (addr) { munmap(addr,size); addr = NULL; }})
|
||||
|
||||
diff --git a/libdpe/pe_allocspace.c b/libdpe/pe_allocspace.c
|
||||
index 0ae1f5d..716373c 100644
|
||||
--- a/libdpe/pe_allocspace.c
|
||||
+++ b/libdpe/pe_allocspace.c
|
||||
@@ -86,7 +86,7 @@ pe_extend_file(Pe *pe, size_t size, uint32_t *new_space, int align)
|
||||
void *new = NULL;
|
||||
|
||||
if (align)
|
||||
- align = (pe->maximum_size + size) % align;
|
||||
+ align = ALIGNMENT_PADDING(pe->maximum_size, align);
|
||||
int extra = size + align;
|
||||
|
||||
int rc = ftruncate(pe->fildes, pe->maximum_size + extra);
|
||||
@@ -119,7 +119,7 @@ pe_allocspace(Pe *pe, size_t size, uint32_t *offset)
|
||||
|
||||
/* XXX PJFIX TODO: this should try to find space in the already
|
||||
* mapped regions. */
|
||||
- rc = pe_extend_file(pe, size, offset, 0);
|
||||
+ rc = pe_extend_file(pe, size, offset, 8);
|
||||
if (rc < 0)
|
||||
return -1;
|
||||
return 0;
|
||||
diff --git a/src/wincert.c b/src/wincert.c
|
||||
index 3686918..cc612b6 100644
|
||||
--- a/src/wincert.c
|
||||
+++ b/src/wincert.c
|
||||
@@ -19,6 +19,8 @@
|
||||
|
||||
#include "pesign.h"
|
||||
|
||||
+#define ALIGNMENT_PADDING(address, align) ((align - (address % align)) % align)
|
||||
+
|
||||
struct cert_list_entry {
|
||||
win_certificate wc;
|
||||
uint8_t data[];
|
||||
@@ -32,6 +34,7 @@ generate_cert_list(SECItem **signatures, int num_signatures,
|
||||
for (int i = 0; i < num_signatures; i++) {
|
||||
cl_size += sizeof (win_certificate);
|
||||
cl_size += signatures[i]->len;
|
||||
+ cl_size += ALIGNMENT_PADDING(cl_size, 8);
|
||||
}
|
||||
|
||||
uint8_t *data = malloc(cl_size);
|
||||
@@ -45,16 +48,16 @@ generate_cert_list(SECItem **signatures, int num_signatures,
|
||||
/* pe-coff 8.2 adds some text that says each cert list
|
||||
* entry is 8-byte aligned, so that means we need to align
|
||||
* them here. */
|
||||
- if ((intptr_t)data % 8 != 0)
|
||||
- data = (uint8_t *)((intptr_t)data + (8 - ((intptr_t)data % 8)));
|
||||
struct cert_list_entry *cle = (struct cert_list_entry *)data;
|
||||
cle->wc.length = signatures[i]->len +
|
||||
+ ALIGNMENT_PADDING(signatures[i]->len, 8) +
|
||||
sizeof (win_certificate);
|
||||
cle->wc.revision = WIN_CERT_REVISION_2_0;
|
||||
cle->wc.cert_type = WIN_CERT_TYPE_PKCS_SIGNED_DATA;
|
||||
memcpy(&cle->data[0], signatures[i]->data,
|
||||
signatures[i]->len);
|
||||
data += sizeof (win_certificate) + signatures[i]->len;
|
||||
+ data += ALIGNMENT_PADDING(signatures[i]->len, 8);
|
||||
}
|
||||
|
||||
return 0;
|
||||
@@ -175,11 +178,6 @@ done:
|
||||
|
||||
iter->n += sizeof (*tmpcert) + length;
|
||||
|
||||
- /* each cert list entry must be aligned to an 8-byte
|
||||
- * boundary */
|
||||
- if (iter->n % 8 != 0)
|
||||
- iter->n += 8 - (iter->n % 8);
|
||||
-
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
@@ -222,8 +220,7 @@ get_reserved_sig_space(cms_context *cms, Pe *pe)
|
||||
ret += cms->signatures[i]->len + sizeof (win_certificate);
|
||||
/* each certificate list entry must be 8-byte aligned,
|
||||
* so we need to account for that in our space calculation */
|
||||
- if (ret % 8 != 0)
|
||||
- ret += 8 - (ret % 8);
|
||||
+ ret += ALIGNMENT_PADDING(ret, 8);
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
@@ -253,14 +250,13 @@ err:
|
||||
|
||||
size_t res = get_reserved_sig_space(cms, pe);
|
||||
|
||||
- /* pe-coff 8.2 adds some text that says each cert list entry is
|
||||
- * 8-byte aligned, so that means we need alignment space here. */
|
||||
- if (res % 8 != 0)
|
||||
- res += 8 - (res % 8);
|
||||
-
|
||||
ssize_t ret = res + sig.len + sizeof(win_certificate) -
|
||||
available_cert_space(pe);
|
||||
|
||||
+ /* pe-coff 8.2 adds some text that says each cert list entry is
|
||||
+ * 8-byte aligned, so that means we need alignment space here. */
|
||||
+ ret += ALIGNMENT_PADDING(ret, 8);
|
||||
+
|
||||
//free(sig.data);
|
||||
|
||||
return ret;
|
||||
--
|
||||
1.7.10.4
|
||||
|
||||
|
||||
From 12595de05a873712a76e6118f00f324fd257d0f6 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Ching-Pang Lin <glin@suse.com>
|
||||
Date: Tue, 26 Mar 2013 11:28:57 +0800
|
||||
Subject: [PATCH 5/8] Pad the file to be 16-byte aligned, instead of 8-byte
|
||||
|
||||
---
|
||||
libdpe/pe_allocspace.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libdpe/pe_allocspace.c b/libdpe/pe_allocspace.c
|
||||
index 716373c..8b09153 100644
|
||||
--- a/libdpe/pe_allocspace.c
|
||||
+++ b/libdpe/pe_allocspace.c
|
||||
@@ -119,7 +119,7 @@ pe_allocspace(Pe *pe, size_t size, uint32_t *offset)
|
||||
|
||||
/* XXX PJFIX TODO: this should try to find space in the already
|
||||
* mapped regions. */
|
||||
- rc = pe_extend_file(pe, size, offset, 8);
|
||||
+ rc = pe_extend_file(pe, size, offset, 16);
|
||||
if (rc < 0)
|
||||
return -1;
|
||||
return 0;
|
||||
--
|
||||
1.7.10.4
|
||||
|
||||
|
||||
From deb5811f7e718d8d0d9c41ad18d2302876334e7a Mon Sep 17 00:00:00 2001
|
||||
From: Gary Ching-Pang Lin <glin@suse.com>
|
||||
Date: Tue, 26 Mar 2013 11:34:33 +0800
|
||||
Subject: [PATCH 6/8] Add an option, -padding, for -h to pad signatures
|
||||
|
||||
We are using "-h" to check the integrity of the file after inserting
|
||||
a raw signature. Add this option to make the digests consistent.
|
||||
---
|
||||
src/pesign.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/pesign.c b/src/pesign.c
|
||||
index 81515d2..57fe96e 100644
|
||||
--- a/src/pesign.c
|
||||
+++ b/src/pesign.c
|
||||
@@ -440,6 +440,7 @@ main(int argc, char *argv[])
|
||||
int remove = 0;
|
||||
int daemon = 0;
|
||||
int fork = 1;
|
||||
+ int padding = 0;
|
||||
|
||||
char *digest_name = "sha256";
|
||||
char *tokenname = "NSS Certificate DB";
|
||||
@@ -518,6 +519,8 @@ main(int argc, char *argv[])
|
||||
"run as a daemon process", NULL },
|
||||
{"nofork", 'N', POPT_ARG_VAL, &fork, 0,
|
||||
"don't fork when daemonizing", NULL },
|
||||
+ {"padding", 'P', POPT_ARG_VAL|POPT_ARGFLAG_DOC_HIDDEN,
|
||||
+ &padding, 1, "pad data section", NULL },
|
||||
POPT_AUTOALIAS
|
||||
POPT_AUTOHELP
|
||||
POPT_TABLEEND
|
||||
@@ -780,7 +783,7 @@ main(int argc, char *argv[])
|
||||
break;
|
||||
case GENERATE_DIGEST|PRINT_DIGEST:
|
||||
open_input(ctxp);
|
||||
- generate_digest(ctxp->cms_ctx, ctxp->inpe, 0);
|
||||
+ generate_digest(ctxp->cms_ctx, ctxp->inpe, padding);
|
||||
print_digest(ctxp);
|
||||
break;
|
||||
/* generate a signature and save it in a separate file */
|
||||
--
|
||||
1.7.10.4
|
||||
|
||||
|
||||
From 63221e01d0a857ce844b4b17798b5da1ea6a6be1 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Ching-Pang Lin <glin@suse.com>
|
||||
Date: Tue, 26 Mar 2013 18:30:58 +0800
|
||||
Subject: [PATCH 7/8] Clear the space for the certificate list
|
||||
|
||||
Make sure the aligned bytes are '\0'
|
||||
|
||||
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
|
||||
---
|
||||
src/wincert.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/wincert.c b/src/wincert.c
|
||||
index cc612b6..75fdceb 100644
|
||||
--- a/src/wincert.c
|
||||
+++ b/src/wincert.c
|
||||
@@ -37,7 +37,7 @@ generate_cert_list(SECItem **signatures, int num_signatures,
|
||||
cl_size += ALIGNMENT_PADDING(cl_size, 8);
|
||||
}
|
||||
|
||||
- uint8_t *data = malloc(cl_size);
|
||||
+ uint8_t *data = calloc(1, cl_size);
|
||||
if (!data)
|
||||
return -1;
|
||||
|
||||
--
|
||||
1.7.10.4
|
||||
|
||||
|
||||
From 18080ba4acb235fd3b2e679f0308992255e6ca52 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Ching-Pang Lin <chingpang@gmail.com>
|
||||
Date: Wed, 27 Mar 2013 10:49:38 +0800
|
||||
Subject: [PATCH 8/8] The file should be 8-byte aligned, actually...
|
||||
|
||||
---
|
||||
libdpe/pe_allocspace.c | 2 +-
|
||||
src/cms_common.c | 4 ++--
|
||||
2 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/libdpe/pe_allocspace.c b/libdpe/pe_allocspace.c
|
||||
index 8b09153..716373c 100644
|
||||
--- a/libdpe/pe_allocspace.c
|
||||
+++ b/libdpe/pe_allocspace.c
|
||||
@@ -119,7 +119,7 @@ pe_allocspace(Pe *pe, size_t size, uint32_t *offset)
|
||||
|
||||
/* XXX PJFIX TODO: this should try to find space in the already
|
||||
* mapped regions. */
|
||||
- rc = pe_extend_file(pe, size, offset, 16);
|
||||
+ rc = pe_extend_file(pe, size, offset, 8);
|
||||
if (rc < 0)
|
||||
return -1;
|
||||
return 0;
|
||||
diff --git a/src/cms_common.c b/src/cms_common.c
|
||||
index f2ee684..2c998d9 100644
|
||||
--- a/src/cms_common.c
|
||||
+++ b/src/cms_common.c
|
||||
@@ -949,8 +949,8 @@ generate_digest(cms_context *cms, Pe *pe, int padded)
|
||||
cms->log(cms, LOG_ERR, "Pe has invalid trailing data");
|
||||
goto error_shdrs;
|
||||
}
|
||||
- if (hash_size % 16 != 0 && padded) {
|
||||
- size_t tmp_size = hash_size + (16 - (hash_size % 16));
|
||||
+ if (hash_size % 8 != 0 && padded) {
|
||||
+ size_t tmp_size = hash_size + (8 - (hash_size % 8));
|
||||
uint8_t tmp_array[tmp_size];
|
||||
memset(tmp_array, '\0', tmp_size);
|
||||
memcpy(tmp_array, hash_base, hash_size);
|
||||
--
|
||||
1.7.10.4
|
||||
|
28
pesign-clear-padding-bits.patch
Normal file
28
pesign-clear-padding-bits.patch
Normal file
@ -0,0 +1,28 @@
|
||||
From edd9cc0e677b35498e974d9a4137feac5bd4b323 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Ching-Pang Lin <glin@suse.com>
|
||||
Date: Tue, 26 Mar 2013 18:30:58 +0800
|
||||
Subject: [PATCH] Clear the space for the certificate list
|
||||
|
||||
Make sure the aligned bytes are '\0'
|
||||
|
||||
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
|
||||
---
|
||||
src/wincert.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/wincert.c b/src/wincert.c
|
||||
index 942fa26..5e23b04 100644
|
||||
--- a/src/wincert.c
|
||||
+++ b/src/wincert.c
|
||||
@@ -37,7 +37,7 @@ generate_cert_list(SECItem **signatures, int num_signatures,
|
||||
cl_size += ALIGNMENT_PADDING(cl_size, 8);
|
||||
}
|
||||
|
||||
- uint8_t *data = malloc(cl_size);
|
||||
+ uint8_t *data = calloc(1, cl_size);
|
||||
if (!data)
|
||||
return -1;
|
||||
|
||||
--
|
||||
1.8.1.4
|
||||
|
@ -1,26 +0,0 @@
|
||||
diff --git a/src/client.c b/src/client.c
|
||||
index 1ec582b..dcc5257 100644
|
||||
--- a/src/client.c
|
||||
+++ b/src/client.c
|
||||
@@ -435,7 +435,7 @@ main(int argc, char *argv[])
|
||||
char *certname = NULL;
|
||||
poptContext optCon;
|
||||
int rc;
|
||||
- int action;
|
||||
+ int action = 0;
|
||||
char *infile = NULL;
|
||||
char *outfile = NULL;
|
||||
char *exportfile = NULL;
|
||||
@@ -500,6 +500,12 @@ main(int argc, char *argv[])
|
||||
exit(1);
|
||||
}
|
||||
|
||||
+ if (action == NO_FLAGS) {
|
||||
+ poptPrintUsage(optCon, stdout, 0);
|
||||
+ poptFreeContext(optCon);
|
||||
+ exit(0);
|
||||
+ }
|
||||
+
|
||||
if (action & SIGN_BINARY && (!outfile && !exportfile)) {
|
||||
fprintf(stderr, "pesign-client: neither --outfile nor --export "
|
||||
"specified\n");
|
@ -1,14 +0,0 @@
|
||||
diff --git a/src/client.c b/src/client.c
|
||||
index dcc5257..9bcaf3e 100644
|
||||
--- a/src/client.c
|
||||
+++ b/src/client.c
|
||||
@@ -201,7 +201,8 @@ get_token_pin(int pinfd, char *pinfile, char *envname)
|
||||
if (!pinf)
|
||||
return NULL;
|
||||
|
||||
- ssize_t n = getline(&pin, 0, pinf);
|
||||
+ size_t pin_n;
|
||||
+ ssize_t n = getline(&pin, &pin_n, pinf);
|
||||
if (n < 0 || !pin) {
|
||||
fclose(pinf);
|
||||
return NULL;
|
@ -1,12 +1,20 @@
|
||||
---
|
||||
src/daemon.c | 35 ++++++++++++++++++++++++++++-------
|
||||
src/password.c | 3 ++-
|
||||
src/pesign.c | 10 ++++++++--
|
||||
3 files changed, 38 insertions(+), 10 deletions(-)
|
||||
From 4e03c90bb48e6f9c9d9c9aed491fbcc5be684e7b Mon Sep 17 00:00:00 2001
|
||||
From: Gary Ching-Pang Lin <glin@suse.com>
|
||||
Date: Tue, 9 Jul 2013 12:17:31 +0800
|
||||
Subject: [PATCH] Fix build errors
|
||||
|
||||
---
|
||||
src/daemon.c | 36 +++++++++++++++++++++++++++++-------
|
||||
src/efikeygen.c | 3 ++-
|
||||
src/password.c | 3 ++-
|
||||
src/pesign.c | 10 ++++++++--
|
||||
4 files changed, 41 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/src/daemon.c b/src/daemon.c
|
||||
index b2801b9..832a0ea 100644
|
||||
--- a/src/daemon.c
|
||||
+++ b/src/daemon.c
|
||||
@@ -436,7 +436,11 @@ malformed:
|
||||
@@ -432,7 +432,11 @@ malformed:
|
||||
if (rc < 0) {
|
||||
err_attached:
|
||||
pe_end(outpe);
|
||||
@ -19,16 +27,17 @@
|
||||
goto finish;
|
||||
}
|
||||
ssize_t sigspace = calculate_signature_space(ctx->cms, outpe);
|
||||
@@ -453,21 +457,33 @@ err_attached:
|
||||
finalize_signatures(ctx->cms, outpe);
|
||||
@@ -450,21 +454,34 @@ err_attached:
|
||||
ctx->cms->num_signatures, outpe);
|
||||
pe_end(outpe);
|
||||
} else {
|
||||
- ftruncate(outfd, 0);
|
||||
+ if (ftruncate(outfd, 0) != 0) {
|
||||
+ ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
|
||||
+ "pesignd: could not truncate output file: %m");
|
||||
+ "pesignd: could not truncate output "
|
||||
+ "file: %m");
|
||||
+ }
|
||||
rc = generate_digest(ctx->cms, inpe);
|
||||
rc = generate_digest(ctx->cms, inpe, 1);
|
||||
if (rc < 0) {
|
||||
err_detached:
|
||||
- ftruncate(outfd, 0);
|
||||
@ -58,7 +67,7 @@
|
||||
}
|
||||
|
||||
finish:
|
||||
@@ -979,7 +995,12 @@ daemonize(cms_context *cms_ctx, int do_f
|
||||
@@ -996,7 +1013,12 @@ daemonize(cms_context *cms_ctx, char *certdir, int do_fork)
|
||||
exit(1);
|
||||
}
|
||||
|
||||
@ -72,9 +81,28 @@
|
||||
|
||||
if (getuid() == 0) {
|
||||
/* process is running as root, drop privileges */
|
||||
diff --git a/src/efikeygen.c b/src/efikeygen.c
|
||||
index ac27acc..8c3e814 100644
|
||||
--- a/src/efikeygen.c
|
||||
+++ b/src/efikeygen.c
|
||||
@@ -330,10 +330,11 @@ populate_extensions(cms_context *cms, CERTCertificate *cert,
|
||||
{
|
||||
CERTAttribute *attr = NULL;
|
||||
SECOidData *oid;
|
||||
+ int i;
|
||||
|
||||
oid = SECOID_FindOIDByTag(SEC_OID_PKCS9_EXTENSION_REQUEST);
|
||||
|
||||
- for (int i; crq->attributes[i]; i++) {
|
||||
+ for (i = 0; crq->attributes[i]; i++) {
|
||||
attr = crq->attributes[i];
|
||||
if (attr->attrType.len != oid->oid.len)
|
||||
continue;
|
||||
diff --git a/src/password.c b/src/password.c
|
||||
index 43186df..9a9c911 100644
|
||||
--- a/src/password.c
|
||||
+++ b/src/password.c
|
||||
@@ -76,7 +76,8 @@ static char *SEC_GetPassword(FILE *input
|
||||
@@ -76,7 +76,8 @@ static char *SEC_GetPassword(FILE *input, FILE *output, char *prompt,
|
||||
echoOff(infd);
|
||||
}
|
||||
|
||||
@ -84,9 +112,11 @@
|
||||
|
||||
if (isTTY) {
|
||||
fprintf(output, "\n");
|
||||
diff --git a/src/pesign.c b/src/pesign.c
|
||||
index 890ebfc..fe77c9d 100644
|
||||
--- a/src/pesign.c
|
||||
+++ b/src/pesign.c
|
||||
@@ -161,9 +161,15 @@ open_output(pesign_context *ctx)
|
||||
@@ -164,9 +164,15 @@ open_output(pesign_context *ctx)
|
||||
|
||||
addr = pe_rawfile(ctx->inpe, &size);
|
||||
|
||||
@ -104,3 +134,6 @@
|
||||
|
||||
Pe_Cmd cmd = ctx->outfd == STDOUT_FILENO ? PE_C_RDWR : PE_C_RDWR_MMAP;
|
||||
ctx->outpe = pe_begin(ctx->outfd, cmd, NULL);
|
||||
--
|
||||
1.8.1.4
|
||||
|
||||
|
@ -1,33 +0,0 @@
|
||||
From 8376d873bf72c06b5efaa9dad812eb783cda5d41 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Fri, 25 Jan 2013 10:34:55 -0500
|
||||
Subject: [PATCH] Fix up "-E", which apparently broke during some refactoring.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/actions.c | 9 +++++++++
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git a/src/actions.c b/src/actions.c
|
||||
index 6c32819..5c5dd89 100644
|
||||
--- a/src/actions.c
|
||||
+++ b/src/actions.c
|
||||
@@ -373,6 +373,15 @@ generate_sattr_blob(pesign_context *ctx)
|
||||
{
|
||||
int rc;
|
||||
SECItem sa;
|
||||
+ SpcContentInfo ci;
|
||||
+
|
||||
+ memset(&ci, '\0', sizeof (ci));
|
||||
+ rc = generate_spc_content_info(ctx->cms_ctx, &ci);
|
||||
+ if (rc < 0) {
|
||||
+ fprintf(stderr, "Could not generate content info: %s\n",
|
||||
+ PORT_ErrorToString(PORT_GetError()));
|
||||
+ exit(1);
|
||||
+ }
|
||||
|
||||
rc = generate_signed_attributes(ctx->cms_ctx, &sa);
|
||||
if (rc < 0) {
|
||||
--
|
||||
1.7.10.4
|
||||
|
@ -1,85 +0,0 @@
|
||||
commit 21439f502b16cd168950cc2e38bfd6b6353ee428
|
||||
Author: Matthew Garrett <mjg59@srcf.ucam.org>
|
||||
Date: Tue Nov 27 10:11:36 2012 -0500
|
||||
|
||||
Add support for local certificate database directories
|
||||
|
||||
Users may wish to use a certificate database other than the systemwide
|
||||
one. Add an option for that.
|
||||
|
||||
---
|
||||
src/daemon.c | 4 ++--
|
||||
src/daemon.h | 2 +-
|
||||
src/pesign.c | 9 +++++++--
|
||||
3 files changed, 10 insertions(+), 5 deletions(-)
|
||||
|
||||
--- a/src/daemon.c
|
||||
+++ b/src/daemon.c
|
||||
@@ -877,7 +877,7 @@ err:
|
||||
}
|
||||
|
||||
int
|
||||
-daemonize(cms_context *cms_ctx, int do_fork)
|
||||
+daemonize(cms_context *cms_ctx, char *certdir, int do_fork)
|
||||
{
|
||||
int rc = 0;
|
||||
context ctx = {
|
||||
@@ -913,7 +913,7 @@ daemonize(cms_context *cms_ctx, int do_f
|
||||
"pesignd starting (pid %d)", ctx.pid);
|
||||
|
||||
|
||||
- SECStatus status = NSS_Init("/etc/pki/pesign");
|
||||
+ SECStatus status = NSS_Init(certdir);
|
||||
if (status != SECSuccess) {
|
||||
fprintf(stderr, "Could not initialize nss: %s\n",
|
||||
PORT_ErrorToString(PORT_GetError()));
|
||||
--- a/src/daemon.h
|
||||
+++ b/src/daemon.h
|
||||
@@ -19,7 +19,7 @@
|
||||
#ifndef DAEMON_H
|
||||
#define DAEMON_H 1
|
||||
|
||||
-extern int daemonize(cms_context *ctx, int do_fork);
|
||||
+extern int daemonize(cms_context *ctx, char *certdir, int do_fork);
|
||||
|
||||
typedef struct {
|
||||
uint32_t version;
|
||||
--- a/src/pesign.c
|
||||
+++ b/src/pesign.c
|
||||
@@ -443,6 +443,7 @@ main(int argc, char *argv[])
|
||||
char *tokenname = "NSS Certificate DB";
|
||||
char *origtoken = tokenname;
|
||||
char *certname = NULL;
|
||||
+ char *certdir = "/etc/pki/pesign";
|
||||
|
||||
rc = pesign_context_new(&ctxp);
|
||||
if (rc < 0) {
|
||||
@@ -460,6 +461,10 @@ main(int argc, char *argv[])
|
||||
{"certficate", 'c', POPT_ARG_STRING, &certname, 0,
|
||||
"specify certificate nickname",
|
||||
"<certificate nickname>" },
|
||||
+ {"certdir", 'n', POPT_ARG_STRING|POPT_ARGFLAG_SHOW_DEFAULT,
|
||||
+ &certdir, 0,
|
||||
+ "specify nss certificate database directory",
|
||||
+ "<certificate directory path>" },
|
||||
{"privkey", 'p', POPT_ARG_STRING, &ctxp->privkeyfile, 0,
|
||||
"specify private key file", "<privkey>" },
|
||||
{"force", 'f', POPT_ARG_VAL, &ctxp->force, 1,
|
||||
@@ -542,7 +547,7 @@ main(int argc, char *argv[])
|
||||
poptFreeContext(optCon);
|
||||
|
||||
if (!daemon) {
|
||||
- SECStatus status = NSS_Init("/etc/pki/pesign");
|
||||
+ SECStatus status = NSS_Init(certdir);
|
||||
if (status != SECSuccess) {
|
||||
fprintf(stderr, "Could not initialize nss: %s\n",
|
||||
PORT_ErrorToString(PORT_GetError()));
|
||||
@@ -796,7 +801,7 @@ main(int argc, char *argv[])
|
||||
close_output(ctxp);
|
||||
break;
|
||||
case DAEMONIZE:
|
||||
- rc = daemonize(ctxp->cms_ctx, fork);
|
||||
+ rc = daemonize(ctxp->cms_ctx, certdir, fork);
|
||||
break;
|
||||
default:
|
||||
fprintf(stderr, "Incompatible flags (0x%08x): ", action);
|
@ -1,12 +0,0 @@
|
||||
--- a/libdpe/pe_addcert.c 2013-02-12 14:30:49.000000000 +0000
|
||||
+++ b/libdpe/pe_addcert.c 2013-02-12 14:30:55.000000000 +0000
|
||||
@@ -61,7 +61,9 @@ pe_alloccert(Pe *pe, size_t size)
|
||||
dd->certs.virtual_address = compute_file_addr(pe, addr);
|
||||
dd->certs.size = size;
|
||||
|
||||
+#if 0
|
||||
pe_set_image_size(pe);
|
||||
+#endif
|
||||
|
||||
return 0;
|
||||
}
|
@ -1,12 +1,12 @@
|
||||
---
|
||||
src/cms_common.c | 9 ++++++++-
|
||||
src/cms_common.c | 10 +++++++++-
|
||||
src/cms_common.h | 1 +
|
||||
src/pesign.c | 1 +
|
||||
3 files changed, 10 insertions(+), 1 deletion(-)
|
||||
3 files changed, 11 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/src/cms_common.c
|
||||
+++ b/src/cms_common.c
|
||||
@@ -276,6 +276,7 @@ struct cbdata {
|
||||
@@ -272,6 +272,7 @@ struct cbdata {
|
||||
CERTCertificate *cert;
|
||||
PK11SlotListElement *psle;
|
||||
secuPWData *pwdata;
|
||||
@ -14,10 +14,11 @@
|
||||
};
|
||||
|
||||
static SECStatus
|
||||
@@ -288,6 +289,11 @@ is_valid_cert(CERTCertificate *cert, voi
|
||||
@@ -283,6 +284,12 @@ is_valid_cert(CERTCertificate *cert, voi
|
||||
void *pwdata = cbdata->pwdata;
|
||||
|
||||
SECKEYPrivateKey *privkey = NULL;
|
||||
|
||||
+
|
||||
+ if (cbdata->privkey_unneeded) {
|
||||
+ cbdata->cert = cert;
|
||||
+ return SECSuccess;
|
||||
@ -26,26 +27,26 @@
|
||||
privkey = PK11_FindPrivateKeyFromCert(slot, cert, pwdata);
|
||||
if (privkey != NULL) {
|
||||
cbdata->cert = cert;
|
||||
@@ -398,7 +404,7 @@ err_slots:
|
||||
goto err_slots_errmsg;
|
||||
@@ -413,7 +420,7 @@ find_certificate(cms_context *cms, int n
|
||||
}
|
||||
|
||||
SECStatus status;
|
||||
- if (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) {
|
||||
+ if (!cms->privkey_unneeded && PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) {
|
||||
status = PK11_Authenticate(psle->slot, PR_TRUE, pwdata);
|
||||
if (status != SECSuccess) {
|
||||
cms->log(cms, LOG_ERR, "Authentication failed on "
|
||||
@@ -425,6 +431,7 @@ err_slots:
|
||||
PK11_DestroySlotListElement(slots, &psle);
|
||||
@@ -442,6 +449,7 @@ find_certificate(cms_context *cms, int n
|
||||
.cert = NULL,
|
||||
.psle = psle,
|
||||
.pwdata = pwdata,
|
||||
+ .privkey_unneeded = cms->privkey_unneeded,
|
||||
};
|
||||
|
||||
status = PK11_TraverseCertsForNicknameInSlot(&nickname, psle->slot,
|
||||
if (needs_private_key) {
|
||||
--- a/src/cms_common.h
|
||||
+++ b/src/cms_common.h
|
||||
@@ -37,6 +37,7 @@ typedef int (*cms_common_logger)(struct
|
||||
@@ -63,6 +63,7 @@ typedef int (*cms_common_logger)(struct
|
||||
typedef struct cms_context {
|
||||
PRArenaPool *arena;
|
||||
void *privkey;
|
||||
@ -55,11 +56,11 @@
|
||||
char *certname;
|
||||
--- a/src/pesign.c
|
||||
+++ b/src/pesign.c
|
||||
@@ -650,6 +650,7 @@ main(int argc, char *argv[])
|
||||
@@ -626,6 +626,7 @@ main(int argc, char *argv[])
|
||||
*/
|
||||
case IMPORT_RAW_SIGNATURE|IMPORT_SATTRS:
|
||||
check_inputs(ctxp);
|
||||
+ ctxp->cms_ctx->privkey_unneeded = 1;
|
||||
rc = find_certificate(ctxp->cms_ctx);
|
||||
rc = find_certificate(ctxp->cms_ctx, 0);
|
||||
if (rc < 0) {
|
||||
fprintf(stderr, "pesign: Could not find "
|
||||
|
@ -1,16 +1,14 @@
|
||||
---
|
||||
Make.defaults | 5 +++--
|
||||
Make.rules | 4 ++--
|
||||
Makefile | 6 +++---
|
||||
src/Makefile | 10 +++++-----
|
||||
Makefile | 4 ++--
|
||||
src/Makefile | 9 +++++----
|
||||
src/pesign.sysvinit | 12 ++++++++----
|
||||
util/Makefile | 6 +++---
|
||||
6 files changed, 24 insertions(+), 19 deletions(-)
|
||||
6 files changed, 23 insertions(+), 17 deletions(-)
|
||||
|
||||
Index: pesign-0.99/Make.defaults
|
||||
===================================================================
|
||||
--- pesign-0.99.orig/Make.defaults
|
||||
+++ pesign-0.99/Make.defaults
|
||||
--- a/Make.defaults
|
||||
+++ b/Make.defaults
|
||||
@@ -5,7 +5,8 @@ HOSTARCH = $(shell uname -m | sed s,i[
|
||||
ARCH := $(shell uname -m | sed s,i[3456789]86,ia32,)
|
||||
INCDIR = -I$(TOPDIR)/include
|
||||
@ -30,16 +28,14 @@ Index: pesign-0.99/Make.defaults
|
||||
endif
|
||||
|
||||
ifeq ($(ARCH), ia32)
|
||||
Index: pesign-0.99/Make.rules
|
||||
===================================================================
|
||||
--- pesign-0.99.orig/Make.rules
|
||||
+++ pesign-0.99/Make.rules
|
||||
--- a/Make.rules
|
||||
+++ b/Make.rules
|
||||
@@ -2,10 +2,10 @@
|
||||
$(AR) -cvqs $@ $^
|
||||
|
||||
% : %.o
|
||||
- $(CC) $(CCLDFLAGS) -o $@ $^ $(foreach lib,$(LIBS),-l$(lib))
|
||||
+ $(CC) -o $@ $^ $(foreach lib,$(LIBS),-l$(lib)) $(CCLDFLAGS)
|
||||
- $(CC) $(CCLDFLAGS) -o $@ $^ $(foreach lib,$(LIBS),-l$(lib)) $(foreach pklib,$(PKLIBS), $(shell pkg-config --libs-only-l --libs-only-other $(pklib))) -lpthread
|
||||
+ $(CC) -o $@ $^ $(foreach lib,$(LIBS),-l$(lib)) $(CCLDFLAGS) $(foreach pklib,$(PKLIBS), $(shell pkg-config --libs-only-l --libs-only-other $(pklib))) -lpthread
|
||||
|
||||
%.so :
|
||||
- $(CC) $(INCDIR) $(CFLAGS) -Wl,-soname,$(SONAME) $(CCLDFLAGS) $^ -o $@
|
||||
@ -47,46 +43,17 @@ Index: pesign-0.99/Make.rules
|
||||
|
||||
%.o: %.c
|
||||
$(CC) $(INCDIR) $(CFLAGS) $(CPPFLAGS) -c $< -o $@
|
||||
Index: pesign-0.99/Makefile
|
||||
===================================================================
|
||||
--- pesign-0.99.orig/Makefile
|
||||
+++ pesign-0.99/Makefile
|
||||
@@ -2,7 +2,7 @@ TOPDIR = $(shell echo $$PWD)
|
||||
|
||||
include $(TOPDIR)/Make.defaults
|
||||
|
||||
-SUBDIRS := include libdpe src util
|
||||
+SUBDIRS := include libdpe src
|
||||
DOCDIR := /share/doc/
|
||||
VERSION = 0.99
|
||||
|
||||
@@ -16,8 +16,8 @@ clean :
|
||||
|
||||
install :
|
||||
@for x in $(SUBDIRS) ; do $(MAKE) -C $${x} TOPDIR=$(TOPDIR) SRCDIR=$(TOPDIR)/$@/ ARCH=$(ARCH) $@ ; done
|
||||
- $(INSTALL) -d -m 755 $(INSTALLROOT)$(PREFIX)$(DOCDIR)/pesign-$(VERSION)/
|
||||
- $(INSTALL) -m 644 COPYING $(INSTALLROOT)$(PREFIX)$(DOCDIR)/pesign-$(VERSION)/
|
||||
+ $(INSTALL) -d -m 755 $(INSTALLROOT)$(PREFIX)$(DOCDIR)/pesign/
|
||||
+ $(INSTALL) -m 644 COPYING $(INSTALLROOT)$(PREFIX)$(DOCDIR)/pesign/
|
||||
|
||||
install_systemd:
|
||||
@for x in $(SUBDIRS) ; do $(MAKE) -C $${x} TOPDIR=$(TOPDIR) SRCDIR=$(TOPDIR)/$@/ ARCH=$(ARCH) $@ ; done
|
||||
Index: pesign-0.99/src/Makefile
|
||||
===================================================================
|
||||
--- pesign-0.99.orig/src/Makefile
|
||||
+++ pesign-0.99/src/Makefile
|
||||
@@ -7,8 +7,9 @@ LIBS = popt
|
||||
STATIC_LIBS = $(TOPDIR)/libdpe/libdpe.a
|
||||
PKLIBS = nss
|
||||
--- a/src/Makefile
|
||||
+++ b/src/Makefile
|
||||
@@ -9,6 +9,7 @@ STATIC_LIBS = $(TOPDIR)/libdpe/libdpe.a
|
||||
LDFLAGS =
|
||||
-CCLDFLAGS = -L../libdpe $(foreach pklib,$(PKLIBS), $(shell pkg-config --cflags --libs $(pklib)))
|
||||
+CCLDFLAGS = -L../libdpe $(foreach pklib,$(PKLIBS), $(shell pkg-config --cflags --libs $(pklib))) -lpthread
|
||||
CCLDFLAGS = -L../libdpe $(foreach pklib,$(PKLIBS), $(shell pkg-config --libs-only-L $(pklib)))
|
||||
CFLAGS += -I../include/ $(foreach pklib,$(PKLIBS), $(shell pkg-config --cflags $(pklib))) -Werror
|
||||
+UNITDIR = /lib/systemd/system
|
||||
|
||||
TARGETS = pesign authvar client
|
||||
TARGETS = pesign authvar client efisiglist efikeygen
|
||||
|
||||
@@ -60,12 +61,12 @@ clean : depclean
|
||||
@@ -70,12 +71,12 @@ clean : depclean
|
||||
install_systemd:
|
||||
$(INSTALL) -d -m 755 $(INSTALLROOT)/usr/lib/tmpfiles.d/
|
||||
$(INSTALL) -m 644 tmpfiles.conf $(INSTALLROOT)/usr/lib/tmpfiles.d/pesign.conf
|
||||
@ -103,10 +70,8 @@ Index: pesign-0.99/src/Makefile
|
||||
|
||||
install :
|
||||
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
|
||||
Index: pesign-0.99/util/Makefile
|
||||
===================================================================
|
||||
--- pesign-0.99.orig/util/Makefile
|
||||
+++ pesign-0.99/util/Makefile
|
||||
--- a/util/Makefile
|
||||
+++ b/util/Makefile
|
||||
@@ -4,7 +4,7 @@ TOPDIR = $(SRCDIR)/..
|
||||
include $(TOPDIR)/Make.defaults
|
||||
|
||||
@ -127,10 +92,8 @@ Index: pesign-0.99/util/Makefile
|
||||
|
||||
.PHONY: all clean install
|
||||
|
||||
Index: pesign-0.99/src/pesign.sysvinit
|
||||
===================================================================
|
||||
--- pesign-0.99.orig/src/pesign.sysvinit
|
||||
+++ pesign-0.99/src/pesign.sysvinit
|
||||
--- a/src/pesign.sysvinit
|
||||
+++ b/src/pesign.sysvinit
|
||||
@@ -6,21 +6,25 @@
|
||||
# processname: /usr/bin/pesign
|
||||
# pidfile: /var/run/pesign.pid
|
||||
@ -161,3 +124,16 @@ Index: pesign-0.99/src/pesign.sysvinit
|
||||
RETVAL=$?
|
||||
echo
|
||||
touch /var/lock/subsys/pesign
|
||||
--- a/Makefile
|
||||
+++ b/Makefile
|
||||
@@ -16,8 +16,8 @@ clean :
|
||||
|
||||
install :
|
||||
@for x in $(SUBDIRS) ; do $(MAKE) -C $${x} TOPDIR=$(TOPDIR) SRCDIR=$(TOPDIR)/$@/ ARCH=$(ARCH) $@ ; done
|
||||
- $(INSTALL) -d -m 755 $(INSTALLROOT)$(PREFIX)$(DOCDIR)/pesign-$(VERSION)/
|
||||
- $(INSTALL) -m 644 COPYING $(INSTALLROOT)$(PREFIX)$(DOCDIR)/pesign-$(VERSION)/
|
||||
+ $(INSTALL) -d -m 755 $(INSTALLROOT)$(PREFIX)$(DOCDIR)/pesign/
|
||||
+ $(INSTALL) -m 644 COPYING $(INSTALLROOT)$(PREFIX)$(DOCDIR)/pesign/
|
||||
|
||||
install_systemd:
|
||||
@for x in $(SUBDIRS) ; do $(MAKE) -C $${x} TOPDIR=$(TOPDIR) SRCDIR=$(TOPDIR)/$@/ ARCH=$(ARCH) $@ ; done
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -1,3 +1,23 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Jul 9 04:44:44 UTC 2013 - glin@suse.com
|
||||
|
||||
- Update to 0.106
|
||||
- Add pesign-clear-padding-bits.patch to clear the padding bits
|
||||
- Rebase patches:
|
||||
+ pesign-suse-build.patch
|
||||
+ pesign-fix-build-errors.patch
|
||||
+ pesign-privkey_unneeded.diff
|
||||
- Drop upstreamed patches
|
||||
+ pesign-client-initialize-action.patch
|
||||
+ pesign-bnc808594-align-signatures.patch
|
||||
+ pesign-upstream-fixes.patch
|
||||
+ pesign-fix-export-attributes.patch
|
||||
+ pesign-no-set-image-size.patch
|
||||
+ pesign-client-read-pin-file.patch
|
||||
+ pesign-local-database.patch
|
||||
+ pesign-bnc801653-teardown-segfault.patch
|
||||
+ pesign-bnc805166-fix-signature-list.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Mar 26 06:21:15 UTC 2013 - glin@suse.com
|
||||
|
||||
|
32
pesign.spec
32
pesign.spec
@ -17,36 +17,21 @@
|
||||
|
||||
|
||||
Name: pesign
|
||||
Version: 0.99
|
||||
Version: 0.106
|
||||
Release: 0
|
||||
Summary: Signing tool for PE-COFF binaries
|
||||
License: GPL-2.0
|
||||
Group: Productivity/Security
|
||||
Url: https://github.com/vathpela/pesign
|
||||
Source: %{name}-%{version}.tar.bz2
|
||||
# PATCH-FIX-UPSTREAM pesign-upstream-fixes.patch glin@suse.com -- fixes from upstream
|
||||
Patch0: pesign-upstream-fixes.patch
|
||||
# PATCH-FIX-SUSE pesign-suse-build.patch glin@suse.com -- Adjust Makefile for the build service
|
||||
Patch1: pesign-suse-build.patch
|
||||
# PATCH-FIX-UPSTREAM pesign-fix-build-errors.patch glin@suse.com -- Fix gcc warnings
|
||||
Patch2: pesign-fix-build-errors.patch
|
||||
# PATCH-FIX-UPSTREAM pesign-client-initialize-action.patch glin@suse.com -- Initialize the actions variable
|
||||
Patch3: pesign-client-initialize-action.patch
|
||||
# PATCH-FIX-UPSTREAM pesign-client-read-pin-file.patch glin@suse.com -- Fix pin file reading error
|
||||
Patch4: pesign-client-read-pin-file.patch
|
||||
# PATCH-FIX-UPSTREAM pesign-local-database.patch glin@suse.com -- Support local certificate database
|
||||
Patch5: pesign-local-database.patch
|
||||
# PATCH-FIX-UPSTREAM pesign-bnc801653-teardown-segfault.patch glin@suse.com -- Fix crash when freeing digests
|
||||
Patch7: pesign-bnc801653-teardown-segfault.patch
|
||||
# PATCH-FIX-UPSTREAM pesign-fix-export-attributes.patch glin@suse.com -- Fix crash when exporting attributes
|
||||
Patch9: pesign-fix-export-attributes.patch
|
||||
# PATCH-FIX-UPSTREAM pesign-privkey_unneeded.diff glin@suse.com -- Don't check the private key when importing the raw signature
|
||||
Patch10: pesign-privkey_unneeded.diff
|
||||
Patch11: pesign-no-set-image-size.patch
|
||||
# PATCH-FIX-UPSTREAM pesign-bnc805166-fix-signature-list.patch bnc#805166 glin@suse.com -- Fix the broken signature list when inserting a new signature into a signed EFI binary.
|
||||
Patch12: pesign-bnc805166-fix-signature-list.patch
|
||||
# PATCH-FIX-UPSTREAM pesign-bnc808594-align-signatures.patch bnc#808594,bnc#811325 glin@suse.com -- Align the signatures to 8-bytes
|
||||
Patch13: pesign-bnc808594-align-signatures.patch
|
||||
Patch3: pesign-privkey_unneeded.diff
|
||||
# PATCH-FIX-UPSTREAM pesign-clear-padding-bits.patch glin@suse.com -- Clear the allocated space before inserting the certificate list
|
||||
Patch4: pesign-clear-padding-bits.patch
|
||||
BuildRequires: mozilla-nss-devel
|
||||
BuildRequires: pkg-config
|
||||
BuildRequires: popt-devel
|
||||
@ -71,18 +56,10 @@ Authors:
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
%patch0 -p1
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
%patch7 -p1
|
||||
%patch9 -p1
|
||||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
%patch12 -p1
|
||||
%patch13 -p1
|
||||
|
||||
%build
|
||||
make OPTFLAGS="$RPM_OPT_FLAGS"
|
||||
@ -140,6 +117,7 @@ systemd-tmpfiles --create /usr/lib/tmpfiles.d/pesign.conf
|
||||
%doc COPYING
|
||||
%{_bindir}/pesign
|
||||
%{_bindir}/pesign-client
|
||||
%{_bindir}/efikeygen
|
||||
%dir %{_sysconfdir}/popt.d
|
||||
%config %{_sysconfdir}/popt.d/pesign.popt
|
||||
%{_sysconfdir}/pki/
|
||||
|
Loading…
Reference in New Issue
Block a user