commit pesign.1510 for openSUSE:12.3:Update

Hello community, here is the log from the commit of package pesign.1510 for openSUSE:12.3:Update checked in at 2013-04-02 16:33:18 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.3:Update/pesign.1510 (Old) and /work/SRC/openSUSE:12.3:Update/.pesign.1510.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "pesign.1510", Maintainer is "" Changes: -------- New Changes file: --- /dev/null 2013-02-26 18:15:11.936010755 +0100 +++ /work/SRC/openSUSE:12.3:Update/.pesign.1510.new/pesign.changes 2013-04-02 16:33:20.000000000 +0200 @@ -0,0 +1,211 @@ +------------------------------------------------------------------- +Tue Mar 26 06:21:15 UTC 2013 - glin@suse.com + +- Add pesign-bnc808594-align-signatures.patch to align signatures + (bnc#808594, bnc#811325) + +------------------------------------------------------------------- +Fri Mar 1 03:04:35 UTC 2013 - glin@suse.com + +- Update pesign-bnc805166-fix-signature-list.patch to avoid the + potential crash when inserting a signature (bnc#805166) +- Add pwdutils to PreReq + +------------------------------------------------------------------- +Mon Feb 25 07:35:59 UTC 2013 - glin@suse.com + +- Update pesign-bnc805166-fix-signature-list.patch to skip the + unneeded private key request. (bnc#805166c#17) + +------------------------------------------------------------------- +Sat Feb 23 04:47:48 UTC 2013 - jlee@suse.com + +- Modified pesign-bnc805166-fix-signature-list.patch, block out the + source code for find/attach Issuer certificate + (bnc#805166 comment#13) + +------------------------------------------------------------------- +Fri Feb 22 08:44:43 UTC 2013 - glin@suse.com + +- Add pesign-bnc805166-fix-signature-list.patch to fix the broken + signature list when inserting signature into a signed EFI binary + (bnc#805166) + +------------------------------------------------------------------- +Tue Feb 12 15:32:11 CET 2013 - mls@suse.de + +- do not try to recalculate the image size, it is included in the + hash and therefore must not change. + +------------------------------------------------------------------- +Wed Feb 6 10:44:48 UTC 2013 - glin@suse.com + +- Merge patches for FATE#314552 + + pesign-fix-export-attributes.patch: fix crash when exporting + the signed attributes + + pesign-privkey_unneeded.diff: Don't check the private key when + importing the raw signature +- Add pesign-bnc801653-teardown-segfault.patch to fix crash when + freeing digests (bnc801653) +- Drop pesign-digestdata.diff which is no longer needed. + +------------------------------------------------------------------- +Mon Jan 21 10:17:28 UTC 2013 - glin@suse.com + +- Add pesign-digestdata.diff to generate digestdata (FATE#314552) + +------------------------------------------------------------------- +Wed Dec 12 13:18:40 UTC 2012 - fcrozat@suse.com + +- Don't call sysv RPM post/pre macros when building for systemd +- Ship rcpesign for systemd, link to /sbin/service +- Update pesign-suse-build.patch to allow change systemd unit + install directory. +- Don't hardcode systemd unit directory, since it changed in + Factory. + +------------------------------------------------------------------- +Tue Dec 11 07:10:04 UTC 2012 - glin@suse.com + +- Add Requires: pwdutils + +------------------------------------------------------------------- +Wed Nov 28 07:42:09 UTC 2012 - glin@suse.com + +- Add pesign-local-database.patch to support the local certificate + database +- Amend the spec file to build on openSUSE:Factory + +------------------------------------------------------------------- +Thu Nov 8 06:32:32 UTC 2012 - glin@suse.com + +- Version bump to 0.99 (FATE#314484) + + Add documentation for --daemonize and --nofork + + Make popt aliases work + + Add documentation for pesign-client + + Add --pinfd and --pinfile to the client +- Update pesign-suse-build.patch and pesign-fix-build-errors.patch +- Add pesign-upstream-fixes.patch to backport fixes from git head + and add sysvinit script +- Add pesign-client-initialize-action.patch to initialize client + action to avoid undetermined flags. +- Add pesign-client-read-pin-file.patch to fix pin file reading + +------------------------------------------------------------------- +Mon Oct 15 09:33:19 UTC 2012 - glin@suse.com + +- Version bump to 0.98 + + close the socket immediately on invalid input + + Slightly better error messages + + Log an error if digest initialization fails + + Add systemd bits for pesignd + + Add actual signing code to the daemon + + Add input and output setup for sign functionality in the daemon + + Audit allocation of CERTCertificateList/PK11SlotList and + friends + + Fix memory leaks +- Refresh pesign-suse-build.patch and pesign-fix-build-errors.patch + +------------------------------------------------------------------- +Mon Aug 13 06:50:35 UTC 2012 - glin@suse.com + +- Version bump to 0.9 + + Add NSS "token" support for smartcards. + + Allocate space for the section header variable +- Refresh pesign-fix-build-errors.patch to fix the warning +- Drop upstreamed pesign-allocate-shdr.patch + +------------------------------------------------------------------- +Fri Aug 10 10:12:53 UTC 2012 - glin@suse.com + +- Add pesign-allocate-shdr.patch to allocate space for the section + header variable + +------------------------------------------------------------------- +Thu Aug 9 03:53:45 UTC 2012 - glin@suse.com + +- Version bump to 0.8 + + Don't open the DB r/w, read-only is fine. + + Attempt to do a better job setting the image size. + + Emit correct OID for encryption type. +- Drop pesign-fix-image-size.patch which is already in 0.8 + +------------------------------------------------------------------- +Tue Aug 7 03:03:17 UTC 2012 - glin@suse.com + +- Add upstream patch pesign-fix-image-size.patch to set the image + size correctly. +- Drop pesign-elilo-workaround.patch + +------------------------------------------------------------------- +Mon Aug 6 08:03:05 UTC 2012 - glin@suse.com + +- Version bump to 0.7 + + Fix incorrect initialization error in (undocumented) -e option. + + Use SEC_OID_PKCS1_RSA_ENCRYPTION like MS + + Initialize the index variable of loop + + Adjust the buffer size to avoid overflow + + Make sure pe_populatecert() always returns a value + +------------------------------------------------------------------- +Mon Jul 23 08:49:13 UTC 2012 - glin@suse.com + +- Add pesign-elilo-workaround.patch to workaround the section + header corruption in some EFI image (elilo for example) + +------------------------------------------------------------------- +Mon Jul 23 03:32:18 UTC 2012 - glin@suse.com + +- Add pesign-fix-build-errors.patch to fix build error/warning +- Don't install the util efi images +- Fix the RPM_OPT_FLAGS warning + +------------------------------------------------------------------- +Thu Jul 12 09:37:55 UTC 2012 - glin@suse.com + +- Version bump to 0.5 + + Handle and report mremap() failure + + Man page should be in section 1. + + Add some basic signature list management. + + Add some more efi-defined constants, flesh out efi_guid_t. + + authver: Find a guid for 'namespace'. + + Add some basic ucs2 functions :( + + Support multiple signatures correctly. + + Add ascii_to_ucs2() + + Add file formats and some code for variables-on-disk. + + Allow the memory map to move when we're allocating space in the + binary. + + Remove extra call to ftruncate() + + Adjust section addresses when we remap the pecoff binary. + + Correctly set win_certificate.length to /include/ + win_certificate. + + Move certificate space iterator to wincert.c so other stuff can + get it. + + Split allocating space for certs and filling it in. + + Put the new signature into the cms ctx instead of keeping it + locally. + + Actually calculate space and extend the file before hashing the + binary. + + Bounds-check everything we're hashing so we don't segfault on a + bad bin. +- Add pesign-always-return-value.patch to fix + no-return-in-nonvoid-function +- Drop upsreamed patch pesign-mem-reallocation.patch + +------------------------------------------------------------------- +Fri Jun 29 07:08:11 UTC 2012 - glin@suse.com + ++++ 14 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:12.3:Update/.pesign.1510.new/pesign.changes New: ---- pesign-0.99.tar.bz2 pesign-bnc801653-teardown-segfault.patch pesign-bnc805166-fix-signature-list.patch pesign-bnc808594-align-signatures.patch pesign-client-initialize-action.patch pesign-client-read-pin-file.patch pesign-fix-build-errors.patch pesign-fix-export-attributes.patch pesign-local-database.patch pesign-no-set-image-size.patch pesign-privkey_unneeded.diff pesign-suse-build.patch pesign-upstream-fixes.patch pesign.changes pesign.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pesign.spec ++++++ # # spec file for package pesign # # Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: pesign Version: 0.99 Release: 0 Summary: Signing tool for PE-COFF binaries License: GPL-2.0 Group: Productivity/Security Url: https://github.com/vathpela/pesign Source: %{name}-%{version}.tar.bz2 # PATCH-FIX-UPSTREAM pesign-upstream-fixes.patch glin@suse.com -- fixes from upstream Patch0: pesign-upstream-fixes.patch # PATCH-FIX-SUSE pesign-suse-build.patch glin@suse.com -- Adjust Makefile for the build service Patch1: pesign-suse-build.patch # PATCH-FIX-UPSTREAM pesign-fix-build-errors.patch glin@suse.com -- Fix gcc warnings Patch2: pesign-fix-build-errors.patch # PATCH-FIX-UPSTREAM pesign-client-initialize-action.patch glin@suse.com -- Initialize the actions variable Patch3: pesign-client-initialize-action.patch # PATCH-FIX-UPSTREAM pesign-client-read-pin-file.patch glin@suse.com -- Fix pin file reading error Patch4: pesign-client-read-pin-file.patch # PATCH-FIX-UPSTREAM pesign-local-database.patch glin@suse.com -- Support local certificate database Patch5: pesign-local-database.patch # PATCH-FIX-UPSTREAM pesign-bnc801653-teardown-segfault.patch glin@suse.com -- Fix crash when freeing digests Patch7: pesign-bnc801653-teardown-segfault.patch # PATCH-FIX-UPSTREAM pesign-fix-export-attributes.patch glin@suse.com -- Fix crash when exporting attributes Patch9: pesign-fix-export-attributes.patch # PATCH-FIX-UPSTREAM pesign-privkey_unneeded.diff glin@suse.com -- Don't check the private key when importing the raw signature Patch10: pesign-privkey_unneeded.diff Patch11: pesign-no-set-image-size.patch # PATCH-FIX-UPSTREAM pesign-bnc805166-fix-signature-list.patch bnc#805166 glin@suse.com -- Fix the broken signature list when inserting a new signature into a signed EFI binary. Patch12: pesign-bnc805166-fix-signature-list.patch # PATCH-FIX-UPSTREAM pesign-bnc808594-align-signatures.patch bnc#808594,bnc#811325 glin@suse.com -- Align the signatures to 8-bytes Patch13: pesign-bnc808594-align-signatures.patch BuildRequires: mozilla-nss-devel BuildRequires: pkg-config BuildRequires: popt-devel %if 0%{?suse_version} > 1140 BuildRequires: pkgconfig(systemd) %{?systemd_requires} %define has_systemd 1 %endif PreReq: pwdutils BuildRoot: %{_tmppath}/%{name}-%{version}-build ExclusiveArch: ia64 %ix86 x86_64 %description Signing tool for PE-COFF binaries, hopefully at least vaguely compliant with the PE and Authenticode specifications. Authors: -------- Peter Jones %prep %setup -q %patch0 -p1 %patch1 -p1 %patch2 -p1 %patch3 -p1 %patch4 -p1 %patch5 -p1 %patch7 -p1 %patch9 -p1 %patch10 -p1 %patch11 -p1 %patch12 -p1 %patch13 -p1 %build make OPTFLAGS="$RPM_OPT_FLAGS" %install make INSTALLROOT=%{buildroot} PREFIX=/usr DOCDIR=/share/doc/packages install mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/lib/pesign mkdir -p $RPM_BUILD_ROOT%{_sbindir} %if 0%{?has_systemd} make INSTALLROOT=%{buildroot} UNITDIR=%{_unitdir} install_systemd ln -sf /sbin/service $RPM_BUILD_ROOT/%{_sbindir}/rcpesign %else make INSTALLROOT=%{buildroot} install_sysvinit ln -sf %{_sysconfdir}/init.d/pesign $RPM_BUILD_ROOT/%{_sbindir}/rcpesign %endif # there's some stuff that's not really meant to be shipped yet rm -rf %{buildroot}/boot %{buildroot}/usr/include rm -rf %{buildroot}%{_libdir}/libdpe* %clean %{?buildroot:%__rm -rf "%{buildroot}"} %pre getent group pesign >/dev/null || groupadd -r pesign getent passwd pesign >/dev/null || useradd -r -g pesign -d /var/lib/pesign -s /bin/false -c "PE-COFF signing daemon" pesign %if 0%{?has_systemd} %service_add_pre pesign.service %endif %preun %if 0%{?has_systemd} %service_del_preun pesign.service %else %stop_on_removal pesign %endif %post %if 0%{?has_systemd} %service_add_post pesign.service systemd-tmpfiles --create /usr/lib/tmpfiles.d/pesign.conf %endif %postun %if 0%{?has_systemd} %service_del_preun pesign.service %else %restart_on_update pesign %insserv_cleanup %endif %files %defattr(-,root,root) %doc COPYING %{_bindir}/pesign %{_bindir}/pesign-client %dir %{_sysconfdir}/popt.d %config %{_sysconfdir}/popt.d/pesign.popt %{_sysconfdir}/pki/ %config %{_sysconfdir}/rpm/macros.pesign %{_mandir}/man?/* /var/lib/pesign %if 0%{?has_systemd} %{_unitdir}/pesign.service /usr/lib/tmpfiles.d/pesign.conf %else %{_sysconfdir}/init.d/pesign %endif %{_sbindir}/rcpesign %dir %attr(0775,pesign,pesign) %{_sysconfdir}/pki/pesign %dir %attr(0770,pesign,pesign) %{_localstatedir}/run/%{name} %dir %attr(0770,pesign,pesign) %{_localstatedir}/lib/%{name} %changelog ++++++ pesign-bnc801653-teardown-segfault.patch ++++++ commit ed689613e93f3121048d6c922c90aafd6bf10880 Author: Peter Jones Date: Tue Nov 27 11:37:05 2012 -0500 Hopefully make teardown_digests() work better... Freeing nss constructs continues to be weird. Signed-off-by: Peter Jones --- src/cms_common.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) --- a/src/cms_common.c +++ b/src/cms_common.c @@ -110,8 +110,6 @@ teardown_digests(cms_context *ctx) PK11_DestroyContext(digests[i].pk11ctx, PR_TRUE); } if (digests[i].pe_digest) { - free_poison(digests[i].pe_digest->data, - digests[i].pe_digest->len); /* XXX sure seems like we should be freeing it here, * but that's segfaulting, and we know it'll get * cleaned up with PORT_FreeArena a couple of lines @@ -120,7 +118,7 @@ teardown_digests(cms_context *ctx) digests[i].pe_digest = NULL; } } - free(digests); + PORT_Free(digests); ctx->digests = NULL; } @@ -184,7 +182,6 @@ cms_context_fini(cms_context *cms) memset(&cms->newsig, '\0', sizeof (cms->newsig)); } - teardown_digests(cms); cms->selected_digest = -1; if (cms->ci_digest) { @@ -708,7 +705,7 @@ generate_digest_begin(cms_context *cms) if (cms->digests) { digests = cms->digests; } else { - digests = calloc(n_digest_params, sizeof (*digests)); + digests = PORT_ZAlloc(n_digest_params * sizeof (*digests)); if (!digests) { cms->log(cms, LOG_ERR, "cannot allocate memory: %m"); return -1; ++++++ pesign-bnc805166-fix-signature-list.patch ++++++

From ee3ab396e8bc167d3b63f475c463cd4103b1ca6e Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Wed, 27 Feb 2013 15:48:06 +0800 Subject: [PATCH] Backport patches to fix signature list

Get cms_context out of wincert functions. ee357451be9968cedda57ce13b103eb82c590e67 Rework siglist to be somewhat more useful. a5ec0d2cd06dec0961fc3fed680e7e385dc5bec8 Don't allow our signature list iterator to walk off the end of the file. 18980866e7952100d98510297c0e1cc25fca8fc8 Include old signatures in new space calculations. 77d334d77435d64e88fcc772b5b58440b394584a Make implanting extracted certificates work again. 5ceddd2f80dfea70d211236190943746c2d2f77b Fix a casting problem on 32-bit. 9eb2814858270af2d7ecfbfa5ca131e7be2f9f53 --- libdpe/pe_addcert.c | 2 +- libdpe/pe_updatefile.c | 13 +++++++++- src/actions.c | 12 +-------- src/actions.h | 2 +- src/daemon.c | 6 +++-- src/pesign.c | 35 ++++++++++++++++++++++---- src/peverify.c | 7 ++++-- src/siglist.c | 46 ++++++++++++++++++++++++++++------ src/siglist.h | 3 ++- src/wincert.c | 65 ++++++++++++++++++++++++++++++++++-------------- src/wincert.h | 8 +++--- 11 files changed, 146 insertions(+), 53 deletions(-) diff --git a/libdpe/pe_addcert.c b/libdpe/pe_addcert.c index e391242..b6ba969 100644 --- a/libdpe/pe_addcert.c +++ b/libdpe/pe_addcert.c @@ -59,7 +59,7 @@ pe_alloccert(Pe *pe, size_t size) memset(addr, '\0', size); dd->certs.virtual_address = compute_file_addr(pe, addr); - dd->certs.size = size; + dd->certs.size += size; #if 0 pe_set_image_size(pe); diff --git a/libdpe/pe_updatefile.c b/libdpe/pe_updatefile.c index 7a29757..a8fe769 100644 --- a/libdpe/pe_updatefile.c +++ b/libdpe/pe_updatefile.c @@ -24,6 +24,7 @@ #include static struct section_header * +__attribute__((unused)) __get_last_section(Pe *pe) { Pe_Scn *scn = NULL; @@ -79,6 +80,7 @@ compare_sections (const void *a, const void *b) } static void +__attribute__((unused)) sort_sections (Pe_Scn **scns, Pe_ScnList *list) { Pe_Scn **scnp = scns; @@ -131,7 +133,16 @@ __pe_updatemmap(Pe *pe, size_t shnum) msync(msync_start, msync_end - msync_start, MS_SYNC); #warning this is not done yet. - struct section_header *sh = __get_last_section(pe); + //struct section_header *sh = __get_last_section(pe); + + size_t dd_size = sizeof (*dd) / sizeof (dd->exports); + data_dirent *dde = &dd->exports; + for (int i = 0; i < dd_size; i++, dde++) { + if (dde->size != 0) { + char *addr = compute_mem_addr(pe, dde->virtual_address); + msync(addr, dde->size, MS_SYNC); + } + } return 0; } diff --git a/src/actions.c b/src/actions.c index 9e4ac59..5c5dd89 100644 --- a/src/actions.c +++ b/src/actions.c @@ -268,7 +268,7 @@ failure: return ret; } -static void +void parse_signature(pesign_context *ctx) { int rc; @@ -396,8 +396,6 @@ generate_sattr_blob(pesign_context *ctx) void check_signature_space(pesign_context *ctx) { - parse_signature(ctx); - ssize_t available = available_cert_space(ctx->outpe); if (available < ctx->cms_ctx->newsig.len) { @@ -406,14 +404,6 @@ check_signature_space(pesign_context *ctx) } } -int -import_signature(pesign_context *ctx) -{ - insert_signature(ctx->cms_ctx, ctx->signum); - - return finalize_signatures(ctx->cms_ctx, ctx->outpe); -} - void allocate_signature_space(Pe *pe, ssize_t sigspace) { diff --git a/src/actions.h b/src/actions.h index 400876f..4ecaad8 100644 --- a/src/actions.h +++ b/src/actions.h @@ -28,12 +28,12 @@ extern int list_signatures(pesign_context *ctx); extern void check_signature_space(pesign_context *ctx); extern void allocate_signature_space(Pe *pe, ssize_t sigspace); extern off_t export_signature(cms_context *cms, int fd, int ascii_armor); -extern int import_signature(pesign_context *ctx); extern void import_raw_signature(pesign_context *pctx); extern void remove_signature(pesign_context *ctx); extern void export_pubkey(pesign_context *ctx); extern void export_cert(pesign_context *ctx); extern int generate_sattr_blob(pesign_context *pctx); +extern void parse_signature(pesign_context *ctx); extern void insert_signature(cms_context *cms, int signum); #endif /* PESIGN_CRYPTO_H */ diff --git a/src/daemon.c b/src/daemon.c index 4a9af87..92ae856 100644 --- a/src/daemon.c +++ b/src/daemon.c @@ -288,7 +288,8 @@ set_up_inpe(context *ctx, int fd, Pe **pe) return -1; } - int rc = parse_signatures(ctx->cms, *pe); + int rc = parse_signatures(&ctx->cms->signatures, + &ctx->cms->num_signatures, *pe); if (rc < 0) { ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR, "pesignd: could not parse signature list"); @@ -454,7 +455,8 @@ err_attached: if (rc < 0) goto err_attached; insert_signature(ctx->cms, ctx->cms->num_signatures); - finalize_signatures(ctx->cms, outpe); + finalize_signatures(ctx->cms->signatures, + ctx->cms->num_signatures, outpe); pe_end(outpe); } else { if (ftruncate(outfd, 0) != 0) { diff --git a/src/pesign.c b/src/pesign.c index bfda33b..fcb2dca 100644 --- a/src/pesign.c +++ b/src/pesign.c @@ -104,7 +104,8 @@ open_input(pesign_context *ctx) exit(1); } - int rc = parse_signatures(ctx->cms_ctx, ctx->inpe); + int rc = parse_signatures(&ctx->cms_ctx->signatures, + &ctx->cms_ctx->num_signatures, ctx->inpe); if (rc < 0) { fprintf(stderr, "pesign: could not parse signature data\n"); exit(1); @@ -126,7 +127,8 @@ close_output(pesign_context *ctx) { Pe_Cmd cmd = ctx->outfd == STDOUT_FILENO ? PE_C_RDWR : PE_C_RDWR_MMAP; - finalize_signatures(ctx->cms_ctx, ctx->outpe); + finalize_signatures(ctx->cms_ctx->signatures, + ctx->cms_ctx->num_signatures, ctx->outpe); pe_update(ctx->outpe, cmd); pe_end(ctx->outpe); ctx->outpe = NULL; @@ -673,7 +675,9 @@ main(int argc, char *argv[]) allocate_signature_space(ctxp->outpe, sigspace); generate_signature(ctxp->cms_ctx); insert_signature(ctxp->cms_ctx, ctxp->signum); - finalize_signatures(ctxp->cms_ctx, ctxp->outpe); + finalize_signatures(ctxp->cms_ctx->signatures, + ctxp->cms_ctx->num_signatures, + ctxp->outpe); close_output(ctxp); break; case EXPORT_SATTRS: @@ -687,12 +691,27 @@ main(int argc, char *argv[]) /* add a signature from a file */ case IMPORT_SIGNATURE: check_inputs(ctxp); + if (ctxp->signum > ctxp->cms_ctx->num_signatures + 1) { + fprintf(stderr, "Invalid signature number.\n"); + exit(1); + } open_input(ctxp); open_output(ctxp); close_input(ctxp); open_sig_input(ctxp); + parse_signature(ctxp); + sigspace = + calculate_signature_overhead( + ctxp->cms_ctx->newsig.len) + + ctxp->cms_ctx->newsig.len + + get_reserved_sig_space(ctxp->cms_ctx, + ctxp->outpe); + allocate_signature_space(ctxp->outpe, sigspace); check_signature_space(ctxp); - import_signature(ctxp); + insert_signature(ctxp->cms_ctx, ctxp->signum); + finalize_signatures(ctxp->cms_ctx->signatures, + ctxp->cms_ctx->num_signatures, + ctxp->outpe); close_sig_input(ctxp); close_output(ctxp); break; @@ -788,6 +807,10 @@ main(int argc, char *argv[]) ctxp->cms_ctx->certname); exit(1); } + if (ctxp->signum > ctxp->cms_ctx->num_signatures + 1) { + fprintf(stderr, "Invalid signature number.\n"); + exit(1); + } open_input(ctxp); open_output(ctxp); close_input(ctxp); @@ -798,7 +821,9 @@ main(int argc, char *argv[]) generate_digest(ctxp->cms_ctx, ctxp->outpe); generate_signature(ctxp->cms_ctx); insert_signature(ctxp->cms_ctx, ctxp->signum); - finalize_signatures(ctxp->cms_ctx, ctxp->outpe); + finalize_signatures(ctxp->cms_ctx->signatures, + ctxp->cms_ctx->num_signatures, + ctxp->outpe); close_output(ctxp); break; case DAEMONIZE: diff --git a/src/peverify.c b/src/peverify.c index 08aad27..e010d87 100644 --- a/src/peverify.c +++ b/src/peverify.c @@ -55,9 +55,12 @@ open_input(peverify_context *ctx) exit(1); } - int rc = parse_signatures(&ctx->cms_ctx, ctx->inpe); + int rc = parse_signatures(&ctx->cms_ctx->signatures, + &ctx->cms_ctx->num_signatures, + ctx->inpe); if (rc < 0) { - fprintf(stderr, "pesign: could not parse signature data\n"); + fprintf(stderr, "pesign: could not parse signature list in " + "EFI binary\n"); exit(1); } } diff --git a/src/siglist.c b/src/siglist.c index 1a933e7..ca097e6 100644 --- a/src/siglist.c +++ b/src/siglist.c @@ -17,11 +17,15 @@ * Author(s): Peter Jones */ +#include #include +#include +#include #include #include -#include "authvar.h" +#include "efitypes.h" +#include "siglist.h" struct efi_signature_data { efi_guid_t SignatureOwner; @@ -135,7 +139,10 @@ signature_list_add_sig(signature_list *sl, efi_guid_t owner, if (memcmp(&sl->SignatureType, &x509_guid, sizeof (efi_guid_t)) == 0) { if (sigsize > sl->SignatureSize) resize_entries(sl, sigsize); - } else if (sigsize != sl->SignatureSize) { + } else if (sigsize != get_sig_type_size(sl->SignatureType)) { + fprintf(stderr, "sigsize: %d sl->SignatureSize: %d\n", + sigsize, sl->SignatureSize); + errno = EINVAL; return -1; } @@ -162,11 +169,31 @@ signature_list_add_sig(signature_list *sl, efi_guid_t owner, return 0; } -void * -signature_list_realize(signature_list *sl) +#if 0 +int +signature_list_parse(signature_list *sl, uint8_t *data, size_t len) { - if (sl->realized) - return sl->realized; + if (!sl) + return -1; + + if (sl->realized) { + free(sl->realized); + sl->realized = NULL; + } + + efi_signature_list *esl = data; + efi_signature_data *esd = NULL; + +} +#endif + +int +signature_list_realize(signature_list *sl, void **out, size_t *outsize) +{ + if (sl->realized) { + free(sl->realized); + sl->realized = NULL; + } struct efi_signature_list *esl = NULL; uint32_t size = sizeof (*esl) + @@ -174,7 +201,7 @@ signature_list_realize(signature_list *sl) void *ret = calloc(1, size); if (!ret) - return NULL; + return -1; esl = ret; memcpy(esl, sl, sizeof (*esl)); @@ -186,7 +213,10 @@ signature_list_realize(signature_list *sl) } sl->realized = ret; - return ret; + + *out = ret; + *outsize = size; + return 0; } void diff --git a/src/siglist.h b/src/siglist.h index 2961a39..a576ffd 100644 --- a/src/siglist.h +++ b/src/siglist.h @@ -24,7 +24,8 @@ typedef struct signature_list signature_list; extern signature_list *signature_list_new(efi_guid_t SignatureType); extern int signature_list_add_sig(signature_list *sl, efi_guid_t owner, uint8_t *sig, uint32_t sigsize); -extern void *signature_list_realize(signature_list *sl); +extern int signature_list_realize(signature_list *sl, + void **out, size_t *outsize); extern void signature_list_free(signature_list *sl); #endif /* SIGLIST_H */ diff --git a/src/wincert.c b/src/wincert.c index 4b5ba45..4197a87 100644 --- a/src/wincert.c +++ b/src/wincert.c @@ -25,13 +25,13 @@ struct cert_list_entry { }; static int -generate_cert_list(cms_context *cms, void **cert_list, - size_t *cert_list_size) +generate_cert_list(SECItem **signatures, int num_signatures, + void **cert_list, size_t *cert_list_size) { size_t cl_size = 0; - for (int i = 0; i < cms->num_signatures; i++) { + for (int i = 0; i < num_signatures; i++) { cl_size += sizeof (win_certificate); - cl_size += cms->signatures[i]->len; + cl_size += signatures[i]->len; } uint8_t *data = malloc(cl_size); @@ -41,15 +41,15 @@ generate_cert_list(cms_context *cms, void **cert_list, *cert_list = (void *)data; *cert_list_size = cl_size; - for (int i = 0; i < cms->num_signatures; i++) { + for (int i = 0; i < num_signatures; i++) { struct cert_list_entry *cle = (struct cert_list_entry *)data; - cle->wc.length = cms->signatures[i]->len + + cle->wc.length = signatures[i]->len + sizeof (win_certificate); cle->wc.revision = WIN_CERT_REVISION_2_0; cle->wc.cert_type = WIN_CERT_TYPE_PKCS_SIGNED_DATA; - memcpy(&cle->data[0], cms->signatures[i]->data, - cms->signatures[i]->len); - data += sizeof (win_certificate) + cms->signatures[i]->len; + memcpy(&cle->data[0], signatures[i]->data, + signatures[i]->len); + data += sizeof (win_certificate) + signatures[i]->len; } return 0; @@ -62,12 +62,13 @@ implant_cert_list(Pe *pe, void *cert_list, size_t cert_list_size) } int -finalize_signatures(cms_context *cms, Pe *pe) +finalize_signatures(SECItem **sigs, int num_sigs, Pe *pe) { void *clist = NULL; size_t clist_size = 0; - if (generate_cert_list(cms, &clist, &clist_size) < 0) + if (generate_cert_list(sigs, num_sigs, + &clist, &clist_size) < 0) return -1; if (implant_cert_list(pe, clist, clist_size) < 0) { @@ -126,6 +127,13 @@ done: void *certs = iter->certs; size_t size = iter->size; + void *map = NULL; + size_t map_size = 0; + + map = pe_rawfile(iter->pe, &map_size); + if (!map || map_size < 1) + return 0; + while (1) { win_certificate *tmpcert; if (n + sizeof (*tmpcert) >= size) @@ -133,6 +141,9 @@ done: tmpcert = (win_certificate *)((uint8_t *)certs + n); + if ((intptr_t)tmpcert > (intptr_t)map + map_size) + return -1; + /* length _includes_ the size of the structure. */ uint32_t length = le32_to_cpu(tmpcert->length); @@ -193,7 +204,23 @@ available_cert_space(Pe *pe) return totalsize - foundsize; } -ssize_t calculate_signature_space(cms_context *cms, Pe *pe) +size_t +get_reserved_sig_space(cms_context *cms, Pe *pe) +{ + size_t ret = 0; + for (int i = 0; i < cms->num_signatures; i++) + ret += cms->signatures[i]->len + sizeof (win_certificate); + return ret; +} + +ssize_t +calculate_signature_overhead(ssize_t size) +{ + return sizeof(win_certificate); +} + +ssize_t +calculate_signature_space(cms_context *cms, Pe *pe) { int rc; @@ -209,7 +236,9 @@ err: if (rc < 0) goto err; - ssize_t ret = sig.len + dd->certs.size + sizeof(win_certificate) - + size_t res = get_reserved_sig_space(cms, pe); + + ssize_t ret = res + sig.len + sizeof(win_certificate) - available_cert_space(pe); //free(sig.data); @@ -218,7 +247,7 @@ err: } int -parse_signatures(cms_context *cms, Pe *pe) +parse_signatures(SECItem ***sigs, int *num_sigs, Pe *pe) { cert_iter iter; int rc = cert_iter_init(&iter, pe); @@ -238,8 +267,8 @@ parse_signatures(cms_context *cms, Pe *pe) } if (nsigs == 0) { - cms->num_signatures = 0; - cms->signatures = NULL; + *num_sigs = 0; + *sigs = NULL; return 0; } @@ -271,8 +300,8 @@ parse_signatures(cms_context *cms, Pe *pe) i++; } - cms->num_signatures = nsigs; - cms->signatures = signatures; + *num_sigs = nsigs; + *sigs = signatures; return 0; err: diff --git a/src/wincert.h b/src/wincert.h index 4309915..ed7e15c 100644 --- a/src/wincert.h +++ b/src/wincert.h @@ -32,8 +32,6 @@ typedef struct win_certificate { uint16_t cert_type; } win_certificate; -extern int finalize_signatures(cms_context *cms, Pe *pe); - typedef struct cert_iter { Pe *pe; off_t n; @@ -45,6 +43,10 @@ extern int cert_iter_init(cert_iter *iter, Pe *pe); extern int next_cert(cert_iter *iter, void **cert, ssize_t *cert_size); extern ssize_t available_cert_space(Pe *pe); extern ssize_t calculate_signature_space(cms_context *cms, Pe *pe); -extern int parse_signatures(cms_context *cms, Pe *pe); +extern int parse_signatures(SECItem ***sigs, int *num_sigs, Pe *pe); +extern int finalize_signatures(SECItem **sigs, int num_sigs, Pe *pe); +extern size_t get_reserved_sig_space(cms_context *cms, Pe *pe); +extern ssize_t calculate_signature_overhead(ssize_t size); + #endif /* PESIGN_WINCERT_H */ -- 1.7.10.4 ++++++ pesign-bnc808594-align-signatures.patch ++++++

From 21cec8feac92a8cda788eaf3f9e9aee9d1b92672 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Mon, 25 Mar 2013 11:34:45 -0400 Subject: [PATCH 1/8] If the last hunk of the file isn't 16-byte aligned, pad before digesting.

When we (or MS) create a data directory section, we pad it to 16-bytes. This means that when you add that and then hash, you'll have that 0-extension before the data directory (in this case, the cert list) in the checksum. If we do -h without embedding the signature in the binary, we still need to take that into account. Signed-off-by: Peter Jones --- src/cms_common.c | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/src/cms_common.c b/src/cms_common.c index 9ab2021..306d53e 100644 --- a/src/cms_common.c +++ b/src/cms_common.c @@ -795,6 +795,12 @@ err: return -1; } +#if 1 +#define dprintf(fmt, ...) +#else +#define dprintf(fmt, args...) printf(fmt, ## args) +#endif + int generate_digest(cms_context *cms, Pe *pe) { @@ -860,6 +866,8 @@ generate_digest(cms_context *cms, Pe *pe) cms->log(cms, LOG_ERR, "Pe header is invalid"); goto error; } + dprintf("beginning of hash\n"); + dprintf("digesting %lx + %lx\n", hash_base - map, hash_size); generate_digest_step(cms, hash_base, hash_size); /* 5. Skip over the image checksum @@ -882,6 +890,7 @@ generate_digest(cms_context *cms, Pe *pe) goto error; } generate_digest_step(cms, hash_base, hash_size); + dprintf("digesting %lx + %lx\n", hash_base - map, hash_size); /* 8. Skip over the crt dir * 9. Hash everything up to the end of the image header. */ @@ -895,6 +904,7 @@ generate_digest(cms_context *cms, Pe *pe) goto error; } generate_digest_step(cms, hash_base, hash_size); + dprintf("digesting %lx + %lx\n", hash_base - map, hash_size); /* 10. Set SUM_OF_BYTES_HASHED to the size of the header. */ hashed_bytes = pe32opthdr ? pe32opthdr->header_size @@ -926,6 +936,7 @@ generate_digest(cms_context *cms, Pe *pe) } generate_digest_step(cms, hash_base, hash_size); + dprintf("digesting %lx + %lx\n", hash_base - map, hash_size); hashed_bytes += hash_size; } @@ -938,8 +949,19 @@ generate_digest(cms_context *cms, Pe *pe) cms->log(cms, LOG_ERR, "Pe has invalid trailing data"); goto error_shdrs; } - generate_digest_step(cms, hash_base, hash_size); + if (hash_size % 16 != 0) { + size_t tmp_size = hash_size + (16 - (hash_size % 16)); + uint8_t tmp_array[tmp_size]; + memset(tmp_array, '\0', tmp_size); + memcpy(tmp_array, hash_base, hash_size); + generate_digest_step(cms, tmp_array, tmp_size); + dprintf("digesting %lx + %lx\n", (unsigned long)tmp_array, tmp_size); + } else { + generate_digest_step(cms, hash_base, hash_size); + dprintf("digesting %lx + %lx\n", hash_base - map, hash_size); + } } + dprintf("end of hash\n"); rc = generate_digest_finish(cms); if (rc < 0) -- 1.7.10.4

From d07c91cffaeaaa1b0f0a0dbc684e073d976ee9f3 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Mon, 25 Mar 2013 12:53:05 -0400 Subject: [PATCH 2/8] Pad signatures everywhere /except/ -h.

If you run -h, you may be using that hash in a db/dbx variable, in which case the padding isn't appropriate. Everywhere else, it's for implanting at some stage. Signed-off-by: Peter Jones --- src/cms_common.c | 4 ++-- src/cms_common.h | 2 +- src/daemon.c | 6 +++--- src/pesign.c | 15 ++++++++------- 4 files changed, 14 insertions(+), 13 deletions(-) diff --git a/src/cms_common.c b/src/cms_common.c index 306d53e..f2ee684 100644 --- a/src/cms_common.c +++ b/src/cms_common.c @@ -802,7 +802,7 @@ err: #endif int -generate_digest(cms_context *cms, Pe *pe) +generate_digest(cms_context *cms, Pe *pe, int padded) { void *hash_base; size_t hash_size; @@ -949,7 +949,7 @@ generate_digest(cms_context *cms, Pe *pe) cms->log(cms, LOG_ERR, "Pe has invalid trailing data"); goto error_shdrs; } - if (hash_size % 16 != 0) { + if (hash_size % 16 != 0 && padded) { size_t tmp_size = hash_size + (16 - (hash_size % 16)); uint8_t tmp_array[tmp_size]; memset(tmp_array, '\0', tmp_size); diff --git a/src/cms_common.h b/src/cms_common.h index a3848cd..d819aab 100644 --- a/src/cms_common.h +++ b/src/cms_common.h @@ -105,7 +105,7 @@ extern int generate_spc_link(cms_context *cms, SpcLink *slp, extern int generate_spc_string(cms_context *cms, SECItem *ssp, char *str, int len); -extern int generate_digest(cms_context *cms, Pe *pe); +extern int generate_digest(cms_context *cms, Pe *pe, int padded); extern int generate_signature(cms_context *ctx); extern int unlock_nss_token(cms_context *ctx); extern int find_certificate(cms_context *ctx); diff --git a/src/daemon.c b/src/daemon.c index 92ae856..69821ba 100644 --- a/src/daemon.c +++ b/src/daemon.c @@ -433,7 +433,7 @@ malformed: if (rc < 0) goto finish; - rc = generate_digest(ctx->cms, outpe); + rc = generate_digest(ctx->cms, outpe, 1); if (rc < 0) { err_attached: pe_end(outpe); @@ -448,7 +448,7 @@ err_attached: if (sigspace < 0) goto err_attached; allocate_signature_space(outpe, sigspace); - rc = generate_digest(ctx->cms, outpe); + rc = generate_digest(ctx->cms, outpe, 1); if (rc < 0) goto err_attached; rc = generate_signature(ctx->cms); @@ -463,7 +463,7 @@ err_attached: ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR, "pesignd: could not truncate output file: %m"); } - rc = generate_digest(ctx->cms, inpe); + rc = generate_digest(ctx->cms, inpe, 1); if (rc < 0) { err_detached: if (ftruncate(outfd, 0) != 0) { diff --git a/src/pesign.c b/src/pesign.c index fcb2dca..81515d2 100644 --- a/src/pesign.c +++ b/src/pesign.c @@ -473,7 +473,8 @@ main(int argc, char *argv[]) "force overwriting of output file", NULL }, {"sign", 's', POPT_ARG_VAL, &ctxp->sign, 1, "create a new signature", NULL }, - {"hash", 'h', POPT_ARG_VAL, &ctxp->hash, 1, "hash binary", NULL }, + {"hash", 'h', POPT_ARG_VAL, &ctxp->hash, 1, + "hash binary", NULL }, {"digest_type", 'd', POPT_ARG_STRING|POPT_ARGFLAG_SHOW_DEFAULT, &digest_name, 0, "digest type to use for pe hash" }, {"import-signed-certificate", 'm', @@ -669,7 +670,7 @@ main(int argc, char *argv[]) open_input(ctxp); open_output(ctxp); close_input(ctxp); - generate_digest(ctxp->cms_ctx, ctxp->outpe); + generate_digest(ctxp->cms_ctx, ctxp->outpe, 1); sigspace = calculate_signature_space(ctxp->cms_ctx, ctxp->outpe); allocate_signature_space(ctxp->outpe, sigspace); @@ -683,7 +684,7 @@ main(int argc, char *argv[]) case EXPORT_SATTRS: open_input(ctxp); open_sattr_output(ctxp); - generate_digest(ctxp->cms_ctx, ctxp->inpe); + generate_digest(ctxp->cms_ctx, ctxp->inpe, 1); generate_sattr_blob(ctxp); close_sattr_output(ctxp); close_input(ctxp); @@ -779,7 +780,7 @@ main(int argc, char *argv[]) break; case GENERATE_DIGEST|PRINT_DIGEST: open_input(ctxp); - generate_digest(ctxp->cms_ctx, ctxp->inpe); + generate_digest(ctxp->cms_ctx, ctxp->inpe, 0); print_digest(ctxp); break; /* generate a signature and save it in a separate file */ @@ -793,7 +794,7 @@ main(int argc, char *argv[]) } open_input(ctxp); open_sig_output(ctxp); - generate_digest(ctxp->cms_ctx, ctxp->inpe); + generate_digest(ctxp->cms_ctx, ctxp->inpe, 1); generate_signature(ctxp->cms_ctx); export_signature(ctxp->cms_ctx, ctxp->outsigfd, ctxp->ascii); break; @@ -814,11 +815,11 @@ main(int argc, char *argv[]) open_input(ctxp); open_output(ctxp); close_input(ctxp); - generate_digest(ctxp->cms_ctx, ctxp->outpe); + generate_digest(ctxp->cms_ctx, ctxp->outpe, 1); sigspace = calculate_signature_space(ctxp->cms_ctx, ctxp->outpe); allocate_signature_space(ctxp->outpe, sigspace); - generate_digest(ctxp->cms_ctx, ctxp->outpe); + generate_digest(ctxp->cms_ctx, ctxp->outpe, 1); generate_signature(ctxp->cms_ctx); insert_signature(ctxp->cms_ctx, ctxp->signum); finalize_signatures(ctxp->cms_ctx->signatures, -- 1.7.10.4

From 29a593849964bb89c29bb40dd6a1f4bb5a90e675 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 21 Mar 2013 11:02:43 -0400 Subject: [PATCH 3/8] Deal with PE-COFF 8.2+ alignment restrictions for the certificate list.

PE-COFF 8.2 and newer finally specify the certificate list as a proper array, but they kindly made a new rule that each entry has to be 8-byte aligned. So align them now :/ Signed-off-by: Peter Jones --- src/wincert.c | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/src/wincert.c b/src/wincert.c index 4197a87..3686918 100644 --- a/src/wincert.c +++ b/src/wincert.c @@ -42,6 +42,11 @@ generate_cert_list(SECItem **signatures, int num_signatures, *cert_list_size = cl_size; for (int i = 0; i < num_signatures; i++) { + /* pe-coff 8.2 adds some text that says each cert list + * entry is 8-byte aligned, so that means we need to align + * them here. */ + if ((intptr_t)data % 8 != 0) + data = (uint8_t *)((intptr_t)data + (8 - ((intptr_t)data % 8))); struct cert_list_entry *cle = (struct cert_list_entry *)data; cle->wc.length = signatures[i]->len + sizeof (win_certificate); @@ -170,6 +175,11 @@ done: iter->n += sizeof (*tmpcert) + length; + /* each cert list entry must be aligned to an 8-byte + * boundary */ + if (iter->n % 8 != 0) + iter->n += 8 - (iter->n % 8); + return 1; } } @@ -208,8 +218,13 @@ size_t get_reserved_sig_space(cms_context *cms, Pe *pe) { size_t ret = 0; - for (int i = 0; i < cms->num_signatures; i++) + for (int i = 0; i < cms->num_signatures; i++) { ret += cms->signatures[i]->len + sizeof (win_certificate); + /* each certificate list entry must be 8-byte aligned, + * so we need to account for that in our space calculation */ + if (ret % 8 != 0) + ret += 8 - (ret % 8); + } return ret; } @@ -238,6 +253,11 @@ err: size_t res = get_reserved_sig_space(cms, pe); + /* pe-coff 8.2 adds some text that says each cert list entry is + * 8-byte aligned, so that means we need alignment space here. */ + if (res % 8 != 0) + res += 8 - (res % 8); + ssize_t ret = res + sig.len + sizeof(win_certificate) - available_cert_space(pe); -- 1.7.10.4

From 731aa2ac9012a39fd4ccee813c77a9e75235606c Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Fri, 22 Mar 2013 09:56:23 -0400 Subject: [PATCH 4/8] More certificate list alignment fixups (based on work by Gary Lin)

There was still some chance the first entry wasn't aligned right, and doing it ad-hoc every time wasn't that great. So fix that. This is really all Gary's work, I've just reformatted it a little bit. Signed-off-by: Peter Jones --- libdpe/common.h | 2 ++ libdpe/pe_allocspace.c | 4 ++-- src/wincert.c | 24 ++++++++++-------------- 3 files changed, 14 insertions(+), 16 deletions(-) diff --git a/libdpe/common.h b/libdpe/common.h index 5d379e8..be42738 100644 --- a/libdpe/common.h +++ b/libdpe/common.h @@ -31,6 +31,8 @@ #define is_64_bit(pe) ((pe)->flags & IMAGE_FILE_32BIT_MACHINE) +#define ALIGNMENT_PADDING(address, align) ((align - (address % align)) % align) + #define xfree(x) ({if (x) { free(x); x = NULL; }}) #define xmunmap(addr, size) ({if (addr) { munmap(addr,size); addr = NULL; }}) diff --git a/libdpe/pe_allocspace.c b/libdpe/pe_allocspace.c index 0ae1f5d..716373c 100644 --- a/libdpe/pe_allocspace.c +++ b/libdpe/pe_allocspace.c @@ -86,7 +86,7 @@ pe_extend_file(Pe *pe, size_t size, uint32_t *new_space, int align) void *new = NULL; if (align) - align = (pe->maximum_size + size) % align; + align = ALIGNMENT_PADDING(pe->maximum_size, align); int extra = size + align; int rc = ftruncate(pe->fildes, pe->maximum_size + extra); @@ -119,7 +119,7 @@ pe_allocspace(Pe *pe, size_t size, uint32_t *offset) /* XXX PJFIX TODO: this should try to find space in the already * mapped regions. */ - rc = pe_extend_file(pe, size, offset, 0); + rc = pe_extend_file(pe, size, offset, 8); if (rc < 0) return -1; return 0; diff --git a/src/wincert.c b/src/wincert.c index 3686918..cc612b6 100644 --- a/src/wincert.c +++ b/src/wincert.c @@ -19,6 +19,8 @@ #include "pesign.h" +#define ALIGNMENT_PADDING(address, align) ((align - (address % align)) % align) + struct cert_list_entry { win_certificate wc; uint8_t data[]; @@ -32,6 +34,7 @@ generate_cert_list(SECItem **signatures, int num_signatures, for (int i = 0; i < num_signatures; i++) { cl_size += sizeof (win_certificate); cl_size += signatures[i]->len; + cl_size += ALIGNMENT_PADDING(cl_size, 8); } uint8_t *data = malloc(cl_size); @@ -45,16 +48,16 @@ generate_cert_list(SECItem **signatures, int num_signatures, /* pe-coff 8.2 adds some text that says each cert list * entry is 8-byte aligned, so that means we need to align * them here. */ - if ((intptr_t)data % 8 != 0) - data = (uint8_t *)((intptr_t)data + (8 - ((intptr_t)data % 8))); struct cert_list_entry *cle = (struct cert_list_entry *)data; cle->wc.length = signatures[i]->len + + ALIGNMENT_PADDING(signatures[i]->len, 8) + sizeof (win_certificate); cle->wc.revision = WIN_CERT_REVISION_2_0; cle->wc.cert_type = WIN_CERT_TYPE_PKCS_SIGNED_DATA; memcpy(&cle->data[0], signatures[i]->data, signatures[i]->len); data += sizeof (win_certificate) + signatures[i]->len; + data += ALIGNMENT_PADDING(signatures[i]->len, 8); } return 0; @@ -175,11 +178,6 @@ done: iter->n += sizeof (*tmpcert) + length; - /* each cert list entry must be aligned to an 8-byte - * boundary */ - if (iter->n % 8 != 0) - iter->n += 8 - (iter->n % 8); - return 1; } } @@ -222,8 +220,7 @@ get_reserved_sig_space(cms_context *cms, Pe *pe) ret += cms->signatures[i]->len + sizeof (win_certificate); /* each certificate list entry must be 8-byte aligned, * so we need to account for that in our space calculation */ - if (ret % 8 != 0) - ret += 8 - (ret % 8); + ret += ALIGNMENT_PADDING(ret, 8); } return ret; } @@ -253,14 +250,13 @@ err: size_t res = get_reserved_sig_space(cms, pe); - /* pe-coff 8.2 adds some text that says each cert list entry is - * 8-byte aligned, so that means we need alignment space here. */ - if (res % 8 != 0) - res += 8 - (res % 8); - ssize_t ret = res + sig.len + sizeof(win_certificate) - available_cert_space(pe); + /* pe-coff 8.2 adds some text that says each cert list entry is + * 8-byte aligned, so that means we need alignment space here. */ + ret += ALIGNMENT_PADDING(ret, 8); + //free(sig.data); return ret; -- 1.7.10.4

From 12595de05a873712a76e6118f00f324fd257d0f6 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Tue, 26 Mar 2013 11:28:57 +0800 Subject: [PATCH 5/8] Pad the file to be 16-byte aligned, instead of 8-byte

--- libdpe/pe_allocspace.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libdpe/pe_allocspace.c b/libdpe/pe_allocspace.c index 716373c..8b09153 100644 --- a/libdpe/pe_allocspace.c +++ b/libdpe/pe_allocspace.c @@ -119,7 +119,7 @@ pe_allocspace(Pe *pe, size_t size, uint32_t *offset) /* XXX PJFIX TODO: this should try to find space in the already * mapped regions. */ - rc = pe_extend_file(pe, size, offset, 8); + rc = pe_extend_file(pe, size, offset, 16); if (rc < 0) return -1; return 0; -- 1.7.10.4

From deb5811f7e718d8d0d9c41ad18d2302876334e7a Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Tue, 26 Mar 2013 11:34:33 +0800 Subject: [PATCH 6/8] Add an option, -padding, for -h to pad signatures

We are using "-h" to check the integrity of the file after inserting a raw signature. Add this option to make the digests consistent. --- src/pesign.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/pesign.c b/src/pesign.c index 81515d2..57fe96e 100644 --- a/src/pesign.c +++ b/src/pesign.c @@ -440,6 +440,7 @@ main(int argc, char *argv[]) int remove = 0; int daemon = 0; int fork = 1; + int padding = 0; char *digest_name = "sha256"; char *tokenname = "NSS Certificate DB"; @@ -518,6 +519,8 @@ main(int argc, char *argv[]) "run as a daemon process", NULL }, {"nofork", 'N', POPT_ARG_VAL, &fork, 0, "don't fork when daemonizing", NULL }, + {"padding", 'P', POPT_ARG_VAL|POPT_ARGFLAG_DOC_HIDDEN, + &padding, 1, "pad data section", NULL }, POPT_AUTOALIAS POPT_AUTOHELP POPT_TABLEEND @@ -780,7 +783,7 @@ main(int argc, char *argv[]) break; case GENERATE_DIGEST|PRINT_DIGEST: open_input(ctxp); - generate_digest(ctxp->cms_ctx, ctxp->inpe, 0); + generate_digest(ctxp->cms_ctx, ctxp->inpe, padding); print_digest(ctxp); break; /* generate a signature and save it in a separate file */ -- 1.7.10.4

From 63221e01d0a857ce844b4b17798b5da1ea6a6be1 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Tue, 26 Mar 2013 18:30:58 +0800 Subject: [PATCH 7/8] Clear the space for the certificate list

Make sure the aligned bytes are '\0' Signed-off-by: Gary Ching-Pang Lin --- src/wincert.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wincert.c b/src/wincert.c index cc612b6..75fdceb 100644 --- a/src/wincert.c +++ b/src/wincert.c @@ -37,7 +37,7 @@ generate_cert_list(SECItem **signatures, int num_signatures, cl_size += ALIGNMENT_PADDING(cl_size, 8); } - uint8_t *data = malloc(cl_size); + uint8_t *data = calloc(1, cl_size); if (!data) return -1; -- 1.7.10.4

From 18080ba4acb235fd3b2e679f0308992255e6ca52 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Wed, 27 Mar 2013 10:49:38 +0800 Subject: [PATCH 8/8] The file should be 8-byte aligned, actually...

--- libdpe/pe_allocspace.c | 2 +- src/cms_common.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libdpe/pe_allocspace.c b/libdpe/pe_allocspace.c index 8b09153..716373c 100644 --- a/libdpe/pe_allocspace.c +++ b/libdpe/pe_allocspace.c @@ -119,7 +119,7 @@ pe_allocspace(Pe *pe, size_t size, uint32_t *offset) /* XXX PJFIX TODO: this should try to find space in the already * mapped regions. */ - rc = pe_extend_file(pe, size, offset, 16); + rc = pe_extend_file(pe, size, offset, 8); if (rc < 0) return -1; return 0; diff --git a/src/cms_common.c b/src/cms_common.c index f2ee684..2c998d9 100644 --- a/src/cms_common.c +++ b/src/cms_common.c @@ -949,8 +949,8 @@ generate_digest(cms_context *cms, Pe *pe, int padded) cms->log(cms, LOG_ERR, "Pe has invalid trailing data"); goto error_shdrs; } - if (hash_size % 16 != 0 && padded) { - size_t tmp_size = hash_size + (16 - (hash_size % 16)); + if (hash_size % 8 != 0 && padded) { + size_t tmp_size = hash_size + (8 - (hash_size % 8)); uint8_t tmp_array[tmp_size]; memset(tmp_array, '\0', tmp_size); memcpy(tmp_array, hash_base, hash_size); -- 1.7.10.4 ++++++ pesign-client-initialize-action.patch ++++++ diff --git a/src/client.c b/src/client.c index 1ec582b..dcc5257 100644 --- a/src/client.c +++ b/src/client.c @@ -435,7 +435,7 @@ main(int argc, char *argv[]) char *certname = NULL; poptContext optCon; int rc; - int action; + int action = 0; char *infile = NULL; char *outfile = NULL; char *exportfile = NULL; @@ -500,6 +500,12 @@ main(int argc, char *argv[]) exit(1); } + if (action == NO_FLAGS) { + poptPrintUsage(optCon, stdout, 0); + poptFreeContext(optCon); + exit(0); + } + if (action & SIGN_BINARY && (!outfile && !exportfile)) { fprintf(stderr, "pesign-client: neither --outfile nor --export " "specified\n"); ++++++ pesign-client-read-pin-file.patch ++++++ diff --git a/src/client.c b/src/client.c index dcc5257..9bcaf3e 100644 --- a/src/client.c +++ b/src/client.c @@ -201,7 +201,8 @@ get_token_pin(int pinfd, char *pinfile, char *envname) if (!pinf) return NULL; - ssize_t n = getline(&pin, 0, pinf); + size_t pin_n; + ssize_t n = getline(&pin, &pin_n, pinf); if (n < 0 || !pin) { fclose(pinf); return NULL; ++++++ pesign-fix-build-errors.patch ++++++ --- src/daemon.c | 35 ++++++++++++++++++++++++++++------- src/password.c | 3 ++- src/pesign.c | 10 ++++++++-- 3 files changed, 38 insertions(+), 10 deletions(-) --- a/src/daemon.c +++ b/src/daemon.c @@ -436,7 +436,11 @@ malformed: if (rc < 0) { err_attached: pe_end(outpe); - ftruncate(outfd, 0); + if (ftruncate(outfd, 0) != 0) { + ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR, + "pesignd: could not truncate output " + "file: %m"); + } goto finish; } ssize_t sigspace = calculate_signature_space(ctx->cms, outpe); @@ -453,21 +457,33 @@ err_attached: finalize_signatures(ctx->cms, outpe); pe_end(outpe); } else { - ftruncate(outfd, 0); + if (ftruncate(outfd, 0) != 0) { + ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR, + "pesignd: could not truncate output file: %m"); + } rc = generate_digest(ctx->cms, inpe); if (rc < 0) { err_detached: - ftruncate(outfd, 0); + if (ftruncate(outfd, 0) != 0) { + ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR, + "pesignd: could not truncate output " + "file: %m"); + } goto finish; } rc = generate_signature(ctx->cms); if (rc < 0) goto err_detached; rc = export_signature(ctx->cms, outfd, 0); - if (rc >= 0) - ftruncate(outfd, rc); - else if (rc < 0) + if (rc >= 0) { + if (ftruncate(outfd, rc) != 0) { + ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR, + "pesignd: could not truncate output " + "file: %m"); + } + } else if (rc < 0) { goto err_detached; + } } finish: @@ -979,7 +995,12 @@ daemonize(cms_context *cms_ctx, int do_f exit(1); } - chdir(homedir ? homedir : "/"); + if (chdir(homedir ? homedir : "/") != 0) { + ctx.backup_cms->log(ctx.backup_cms, ctx.priority|LOG_ERR, + "pesignd: could not change working directory " + "for pesign: %m"); + exit(1); + } if (getuid() == 0) { /* process is running as root, drop privileges */ --- a/src/password.c +++ b/src/password.c @@ -76,7 +76,8 @@ static char *SEC_GetPassword(FILE *input echoOff(infd); } - fgets ( phrase, sizeof(phrase), input); + if (fgets(phrase, sizeof(phrase), input) == NULL) + phrase[0] = '\0'; if (isTTY) { fprintf(output, "\n"); --- a/src/pesign.c +++ b/src/pesign.c @@ -161,9 +161,15 @@ open_output(pesign_context *ctx) addr = pe_rawfile(ctx->inpe, &size); - ftruncate(ctx->outfd, size); + if (ftruncate(ctx->outfd, size) != 0) { + fprintf(stderr, "pesign: could not truncate output file: %m\n"); + exit(1); + } lseek(ctx->outfd, 0, SEEK_SET); - write(ctx->outfd, addr, size); + if (write(ctx->outfd, addr, size) != size) { + fprintf(stderr, "pesign: could not write output file: %m\n"); + exit(1); + } Pe_Cmd cmd = ctx->outfd == STDOUT_FILENO ? PE_C_RDWR : PE_C_RDWR_MMAP; ctx->outpe = pe_begin(ctx->outfd, cmd, NULL); ++++++ pesign-fix-export-attributes.patch ++++++

From 8376d873bf72c06b5efaa9dad812eb783cda5d41 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Fri, 25 Jan 2013 10:34:55 -0500 Subject: [PATCH] Fix up "-E", which apparently broke during some refactoring.

Signed-off-by: Peter Jones --- src/actions.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/actions.c b/src/actions.c index 6c32819..5c5dd89 100644 --- a/src/actions.c +++ b/src/actions.c @@ -373,6 +373,15 @@ generate_sattr_blob(pesign_context *ctx) { int rc; SECItem sa; + SpcContentInfo ci; + + memset(&ci, '\0', sizeof (ci)); + rc = generate_spc_content_info(ctx->cms_ctx, &ci); + if (rc < 0) { + fprintf(stderr, "Could not generate content info: %s\n", + PORT_ErrorToString(PORT_GetError())); + exit(1); + } rc = generate_signed_attributes(ctx->cms_ctx, &sa); if (rc < 0) { -- 1.7.10.4 ++++++ pesign-local-database.patch ++++++ commit 21439f502b16cd168950cc2e38bfd6b6353ee428 Author: Matthew Garrett Date: Tue Nov 27 10:11:36 2012 -0500 Add support for local certificate database directories Users may wish to use a certificate database other than the systemwide one. Add an option for that. --- src/daemon.c | 4 ++-- src/daemon.h | 2 +- src/pesign.c | 9 +++++++-- 3 files changed, 10 insertions(+), 5 deletions(-) --- a/src/daemon.c +++ b/src/daemon.c @@ -877,7 +877,7 @@ err: } int -daemonize(cms_context *cms_ctx, int do_fork) +daemonize(cms_context *cms_ctx, char *certdir, int do_fork) { int rc = 0; context ctx = { @@ -913,7 +913,7 @@ daemonize(cms_context *cms_ctx, int do_f "pesignd starting (pid %d)", ctx.pid); - SECStatus status = NSS_Init("/etc/pki/pesign"); + SECStatus status = NSS_Init(certdir); if (status != SECSuccess) { fprintf(stderr, "Could not initialize nss: %s\n", PORT_ErrorToString(PORT_GetError())); --- a/src/daemon.h +++ b/src/daemon.h @@ -19,7 +19,7 @@ #ifndef DAEMON_H #define DAEMON_H 1 -extern int daemonize(cms_context *ctx, int do_fork); +extern int daemonize(cms_context *ctx, char *certdir, int do_fork); typedef struct { uint32_t version; --- a/src/pesign.c +++ b/src/pesign.c @@ -443,6 +443,7 @@ main(int argc, char *argv[]) char *tokenname = "NSS Certificate DB"; char *origtoken = tokenname; char *certname = NULL; + char *certdir = "/etc/pki/pesign"; rc = pesign_context_new(&ctxp); if (rc < 0) { @@ -460,6 +461,10 @@ main(int argc, char *argv[]) {"certficate", 'c', POPT_ARG_STRING, &certname, 0, "specify certificate nickname", "<certificate nickname>" }, + {"certdir", 'n', POPT_ARG_STRING|POPT_ARGFLAG_SHOW_DEFAULT, + &certdir, 0, + "specify nss certificate database directory", + "<certificate directory path>" }, {"privkey", 'p', POPT_ARG_STRING, &ctxp->privkeyfile, 0, "specify private key file", "<privkey>" }, {"force", 'f', POPT_ARG_VAL, &ctxp->force, 1, @@ -542,7 +547,7 @@ main(int argc, char *argv[]) poptFreeContext(optCon); if (!daemon) { - SECStatus status = NSS_Init("/etc/pki/pesign"); + SECStatus status = NSS_Init(certdir); if (status != SECSuccess) { fprintf(stderr, "Could not initialize nss: %s\n", PORT_ErrorToString(PORT_GetError())); @@ -796,7 +801,7 @@ main(int argc, char *argv[]) close_output(ctxp); break; case DAEMONIZE: - rc = daemonize(ctxp->cms_ctx, fork); + rc = daemonize(ctxp->cms_ctx, certdir, fork); break; default: fprintf(stderr, "Incompatible flags (0x%08x): ", action); ++++++ pesign-no-set-image-size.patch ++++++ --- a/libdpe/pe_addcert.c 2013-02-12 14:30:49.000000000 +0000 +++ b/libdpe/pe_addcert.c 2013-02-12 14:30:55.000000000 +0000 @@ -61,7 +61,9 @@ pe_alloccert(Pe *pe, size_t size) dd->certs.virtual_address = compute_file_addr(pe, addr); dd->certs.size = size; +#if 0 pe_set_image_size(pe); +#endif return 0; } ++++++ pesign-privkey_unneeded.diff ++++++ --- src/cms_common.c | 9 ++++++++- src/cms_common.h | 1 + src/pesign.c | 1 + 3 files changed, 10 insertions(+), 1 deletion(-) --- a/src/cms_common.c +++ b/src/cms_common.c @@ -276,6 +276,7 @@ struct cbdata { CERTCertificate *cert; PK11SlotListElement *psle; secuPWData *pwdata; + int privkey_unneeded; }; static SECStatus @@ -288,6 +289,11 @@ is_valid_cert(CERTCertificate *cert, voi SECKEYPrivateKey *privkey = NULL; + if (cbdata->privkey_unneeded) { + cbdata->cert = cert; + return SECSuccess; + } + privkey = PK11_FindPrivateKeyFromCert(slot, cert, pwdata); if (privkey != NULL) { cbdata->cert = cert; @@ -398,7 +404,7 @@ err_slots: goto err_slots_errmsg; SECStatus status; - if (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) { + if (!cms->privkey_unneeded && PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) { status = PK11_Authenticate(psle->slot, PR_TRUE, pwdata); if (status != SECSuccess) { cms->log(cms, LOG_ERR, "Authentication failed on " @@ -425,6 +431,7 @@ err_slots: .cert = NULL, .psle = psle, .pwdata = pwdata, + .privkey_unneeded = cms->privkey_unneeded, }; status = PK11_TraverseCertsForNicknameInSlot(&nickname, psle->slot, --- a/src/cms_common.h +++ b/src/cms_common.h @@ -37,6 +37,7 @@ typedef int (*cms_common_logger)(struct typedef struct cms_context { PRArenaPool *arena; void *privkey; + int privkey_unneeded; char *tokenname; char *certname; --- a/src/pesign.c +++ b/src/pesign.c @@ -650,6 +650,7 @@ main(int argc, char *argv[]) */ case IMPORT_RAW_SIGNATURE|IMPORT_SATTRS: check_inputs(ctxp); + ctxp->cms_ctx->privkey_unneeded = 1; rc = find_certificate(ctxp->cms_ctx); if (rc < 0) { fprintf(stderr, "pesign: Could not find " ++++++ pesign-suse-build.patch ++++++ --- Make.defaults | 5 +++-- Make.rules | 4 ++-- Makefile | 6 +++--- src/Makefile | 10 +++++----- src/pesign.sysvinit | 12 ++++++++---- util/Makefile | 6 +++--- 6 files changed, 24 insertions(+), 19 deletions(-) Index: pesign-0.99/Make.defaults =================================================================== --- pesign-0.99.orig/Make.defaults +++ pesign-0.99/Make.defaults @@ -5,7 +5,8 @@ HOSTARCH = $(shell uname -m | sed s,i[ ARCH := $(shell uname -m | sed s,i[3456789]86,ia32,) INCDIR = -I$(TOPDIR)/include CPPFLAGS = -DCONFIG_$(ARCH) -CFLAGS = $(ARCH3264) -g -O0 -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE +OPTFLAGS = -O0 -g +CFLAGS = $(ARCH3264) $(OPTFLAGS) -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE ASFLAGS = $(ARCH3264) LDFLAGS = -nostdlib CCLDFLAGS = -shared @@ -22,7 +23,7 @@ OBJCOPY = $(bindir)objcopy ifeq ($(ARCH),ia64) CFLAGS += -mfixed-range=f32-f127 - LIBDIR = $(PREFIX)/lib64 + LIBDIR = $(PREFIX)/lib endif ifeq ($(ARCH), ia32) Index: pesign-0.99/Make.rules =================================================================== --- pesign-0.99.orig/Make.rules +++ pesign-0.99/Make.rules @@ -2,10 +2,10 @@ $(AR) -cvqs $@ $^ % : %.o - $(CC) $(CCLDFLAGS) -o $@ $^ $(foreach lib,$(LIBS),-l$(lib)) + $(CC) -o $@ $^ $(foreach lib,$(LIBS),-l$(lib)) $(CCLDFLAGS) %.so : - $(CC) $(INCDIR) $(CFLAGS) -Wl,-soname,$(SONAME) $(CCLDFLAGS) $^ -o $@ + $(CC) $(INCDIR) $(CFLAGS) -Wl,-soname,$(SONAME) $^ $(CCLDFLAGS) -o $@ %.o: %.c $(CC) $(INCDIR) $(CFLAGS) $(CPPFLAGS) -c $< -o $@ Index: pesign-0.99/Makefile =================================================================== --- pesign-0.99.orig/Makefile +++ pesign-0.99/Makefile @@ -2,7 +2,7 @@ TOPDIR = $(shell echo $$PWD) include $(TOPDIR)/Make.defaults -SUBDIRS := include libdpe src util +SUBDIRS := include libdpe src DOCDIR := /share/doc/ VERSION = 0.99 @@ -16,8 +16,8 @@ clean : install : @for x in $(SUBDIRS) ; do $(MAKE) -C $${x} TOPDIR=$(TOPDIR) SRCDIR=$(TOPDIR)/$@/ ARCH=$(ARCH) $@ ; done - $(INSTALL) -d -m 755 $(INSTALLROOT)$(PREFIX)$(DOCDIR)/pesign-$(VERSION)/ - $(INSTALL) -m 644 COPYING $(INSTALLROOT)$(PREFIX)$(DOCDIR)/pesign-$(VERSION)/ + $(INSTALL) -d -m 755 $(INSTALLROOT)$(PREFIX)$(DOCDIR)/pesign/ + $(INSTALL) -m 644 COPYING $(INSTALLROOT)$(PREFIX)$(DOCDIR)/pesign/ install_systemd: @for x in $(SUBDIRS) ; do $(MAKE) -C $${x} TOPDIR=$(TOPDIR) SRCDIR=$(TOPDIR)/$@/ ARCH=$(ARCH) $@ ; done Index: pesign-0.99/src/Makefile =================================================================== --- pesign-0.99.orig/src/Makefile +++ pesign-0.99/src/Makefile @@ -7,8 +7,9 @@ LIBS = popt STATIC_LIBS = $(TOPDIR)/libdpe/libdpe.a PKLIBS = nss LDFLAGS = -CCLDFLAGS = -L../libdpe $(foreach pklib,$(PKLIBS), $(shell pkg-config --cflags --libs $(pklib))) +CCLDFLAGS = -L../libdpe $(foreach pklib,$(PKLIBS), $(shell pkg-config --cflags --libs $(pklib))) -lpthread CFLAGS += -I../include/ $(foreach pklib,$(PKLIBS), $(shell pkg-config --cflags $(pklib))) -Werror +UNITDIR = /lib/systemd/system TARGETS = pesign authvar client @@ -60,12 +61,12 @@ clean : depclean install_systemd: $(INSTALL) -d -m 755 $(INSTALLROOT)/usr/lib/tmpfiles.d/ $(INSTALL) -m 644 tmpfiles.conf $(INSTALLROOT)/usr/lib/tmpfiles.d/pesign.conf - $(INSTALL) -d -m 755 $(INSTALLROOT)/usr/lib/systemd/system/ - $(INSTALL) -m 644 pesign.service $(INSTALLROOT)/usr/lib/systemd/system/ + $(INSTALL) -d -m 755 $(INSTALLROOT)/$(UNITDIR) + $(INSTALL) -m 644 pesign.service $(INSTALLROOT)/$(UNITDIR) install_sysvinit: - $(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rc.d/init.d/ - $(INSTALL) -m 755 pesign.sysvinit $(INSTALLROOT)/etc/rc.d/init.d/pesign + $(INSTALL) -d -m 755 $(INSTALLROOT)/etc/init.d/ + $(INSTALL) -m 755 pesign.sysvinit $(INSTALLROOT)/etc/init.d/pesign install : $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/ Index: pesign-0.99/util/Makefile =================================================================== --- pesign-0.99.orig/util/Makefile +++ pesign-0.99/util/Makefile @@ -4,7 +4,7 @@ TOPDIR = $(SRCDIR)/.. include $(TOPDIR)/Make.defaults FORMAT=efi-app-$(HOSTARCH) -LDFLAGS = -nostdlib -T $(LIBDIR)/gnuefi/elf_$(HOSTARCH)_efi.lds -shared -Bsymbolic $(LIBDIR)/gnuefi/crt0-efi-$(HOSTARCH).o -L$(LIBDIR) +LDFLAGS = -nostdlib -T $(LIBDIR)/elf_$(HOSTARCH)_efi.lds -shared -Bsymbolic $(LIBDIR)/crt0-efi-$(HOSTARCH).o -L$(LIBDIR) LIBS=-lefi -lgnuefi $(shell $(CC) -print-libgcc-file-name) CCLDFLAGS = CFLAGS = -I/usr/include/efi/ -I/usr/include/efi/$(HOSTARCH)/ -I/usr/include/efi/protocol -fpic -fshort-wchar -fno-reorder-functions -fno-strict-aliasing -fno-merge-constants -mno-red-zone -Wimplicit-function-declaration @@ -17,8 +17,8 @@ clean : @rm -rfv *.o *.a *.so $(TARGETS) install : - $(INSTALL) -d -m 755 $(INSTALLROOT)/boot/efi/EFI/redhat/ - $(INSTALL) -m 755 *.efi $(INSTALLROOT)/boot/efi/EFI/redhat/ + $(INSTALL) -d -m 755 $(INSTALLROOT)/boot/efi/EFI/SuSE/ + $(INSTALL) -m 755 *.efi $(INSTALLROOT)/boot/efi/EFI/SuSE/ .PHONY: all clean install Index: pesign-0.99/src/pesign.sysvinit =================================================================== --- pesign-0.99.orig/src/pesign.sysvinit +++ pesign-0.99/src/pesign.sysvinit @@ -6,21 +6,25 @@ # processname: /usr/bin/pesign # pidfile: /var/run/pesign.pid ### BEGIN INIT INFO -# Provides: pesign -# Default-Start: +# Provides: pesign +# Should-Start: $remote_fs +# Should-Stop: $remote_fs +# Required-Start: +# Required-Stop: +# Default-Start: 2 3 5 # Default-Stop: # Short-Description: The pesign PE signing daemon # Description: The pesign PE signing daemon ### END INIT INFO -. /etc/init.d/functions [ -f /usr/bin/pesign ] || exit 1 +PESIGN_PIDFILE=/var/run/pesign.pid RETVAL=0 start(){ echo -n "Starting pesign: " - daemon /usr/bin/pesign --daemonize + startproc -f -p "$PESIGN_PIDFILE" /usr/bin/pesign --daemonize RETVAL=$? echo touch /var/lock/subsys/pesign ++++++ pesign-upstream-fixes.patch ++++++ ++++ 2482 lines (skipped) -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org