Hello community,

here is the log from the commit of package suse-module-tools for 
openSUSE:Factory checked in at 2016-06-12 18:50:16
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/suse-module-tools (Old)
 and      /work/SRC/openSUSE:Factory/.suse-module-tools.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "suse-module-tools"

Changes:
--------
--- /work/SRC/openSUSE:Factory/suse-module-tools/suse-module-tools.changes      
2016-05-19 12:02:31.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.suse-module-tools.new/suse-module-tools.changes 
2016-06-12 18:50:17.000000000 +0200
@@ -1,0 +2,17 @@
+Fri May 27 13:14:36 UTC 2016 - mma...@suse.cz
+
+- Run dos2unix on the modhash script.
+
+-------------------------------------------------------------------
+Thu May 26 07:36:58 UTC 2016 - j...@suse.com
+
+- Add modhash tool to calculate hash of signed module.
+  It strips X.509 or PKCS#7 signature before hash kernel module.
+  (fate#319460) 
+
+-------------------------------------------------------------------
+Wed May 25 13:23:35 UTC 2016 - mma...@suse.cz
+
+- Remove -x bit from 50-kernel-uname_r.conf (bsc#981291).
+
+-------------------------------------------------------------------

New:
----
  modhash

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ suse-module-tools.spec ++++++
--- /var/tmp/diff_new_pack.6GAOZz/_old  2016-06-12 18:50:18.000000000 +0200
+++ /var/tmp/diff_new_pack.6GAOZz/_new  2016-06-12 18:50:18.000000000 +0200
@@ -46,6 +46,7 @@
 Source11:       macros.initrd
 Source12:       regenerate-initrd-posttrans
 Source13:       50-kernel-uname_r.conf
+Source14:       modhash
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -94,10 +95,12 @@
 install -d -m 755 "$b/usr/bin"
 install -pm 755 %_sourcedir/modsign-verify "$b/usr/bin/"
 install -pm 755 %_sourcedir/kmp-install "$b/usr/bin/"
+# modhash for calculating hash of signed kernel module
+install -pm 755 %_sourcedir/modhash "$b/usr/bin/"
 
 # systemd service to load /boot/sysctl.conf-`uname -r`
 install -d -m 755 "$b/usr/lib/systemd/system/systemd-sysctl.service.d"
-install -pm 755 %_sourcedir/50-kernel-uname_r.conf 
"$b/usr/lib/systemd/system/systemd-sysctl.service.d"
+install -pm 644 %_sourcedir/50-kernel-uname_r.conf 
"$b/usr/lib/systemd/system/systemd-sysctl.service.d"
 
 %post
 test_allow_on_install()
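Review bot: The added `install -pm 755 %_sourcedir/modhash "$b/usr/bin/"` line ships a Perl script that runs `openssl dgst` at run time, yet none of the visible spec hunks adds a matching runtime dependency. The package's Requires lines are outside these hunks, so this may already be covered. If it is not, add `Requires: openssl` next to the existing requirements so the tool cannot be installed on a system where its only hashing backend is missing. The %install section itself starts before this hunk and continues after it.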
@@ -163,6 +166,7 @@
 %config            /etc/depmod.d/00-system.conf
 %config /etc/rpm/macros.initrd
 %_docdir/module-init-tools
+/usr/bin/modhash
 /usr/bin/kmp-install
 /usr/bin/modsign-verify
 /usr/lib/module-init-tools

++++++ modhash ++++++
#!/usr/bin/perl
# 
# Calculate the digest of a kernel module.
# Any appended module signature is stripped before the digest is calculated.
# 
# Based on modsign-verify, written by Michal Marek
# Authors:
#       Gary Lin <g...@suse.com>
#       Joey Lee <j...@suse.com>
#

use strict;
use warnings;
use IPC::Open2;
use Getopt::Long;
use File::Temp qw(tempfile);

# Usage text: printed for -h and used as the die message on a bad invocation.
my $USAGE = "Usage: modhash [-v] [-q] [-d <digest algorithm>] <module>\n";

# Verbosity level: starts at 1, lowered by -q (never below 0), raised by -v.
my $verbose = 1;

# Digest algorithm name given with -d. It is checked against the list of
# supported names further down, before it is put on the openssl command line.
my $dgst = "sha256";

# Option table handed to GetOptions(); each key is a Getopt::Long spec.
my %option_handlers = (
        "d=s"       => \$dgst,
        "q|quiet"   => sub {
                if ($verbose) {
                        $verbose -= 1;
                }
        },
        "v|verbose" => sub { $verbose += 1; },
        "h|help"    => sub {
                print $USAGE;
                exit(0);
        },
);

GetOptions(%option_handlers) or die($USAGE);

# Print a message to STDERR when the current verbosity is at least $level.
# The first argument is the level; the remaining arguments are printed as-is.
sub _verbose {
        my ($level, @message) = @_;

        unless ($verbose >= $level) {
                return;
        }
        print STDERR @message;
}

# Level-specific front ends for _verbose(): info is level 1, verbose is
# level 2 and debug is level 3. A message is printed only when the script's
# verbosity counter has reached that level.
sub info    { return _verbose(1, @_) }
sub verbose { return _verbose(2, @_) }
sub debug   { return _verbose(3, @_) }

# After option parsing exactly one positional argument must remain: the
# path of the module to hash.
if (@ARGV != 1) {
        my $complaint = @ARGV > 1 ? "Excess arguments\n" : "No module supplied\n";
        print STDERR $complaint;
        die($USAGE);
}
my $module_name = shift(@ARGV);

# Fixed allowlist of digest names. $dgst is later interpolated into the
# openssl command string, so nothing outside this list may get past here.
my %is_supported_dgst = map { $_ => 1 } qw(sha sha1 sha256 sha384 sha512);
unless ($is_supported_dgst{$dgst}) {
        die("unsupported algorithm: $dgst");
}

#
# Function to read the contents of a file into a variable.
#
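sub read_file($)
{
    # Read a whole file in binary mode and return its contents as one string.
    #
    # Parameter: $file - path of the file to read.
    # Returns:   the file contents ("" for an empty file).
    # Dies:      if the file cannot be opened, stat'ed, read or closed, or if
    #            fewer bytes arrive than stat() reported.
    my ($file) = @_;

    # Three-argument open with a lexical handle: the name is used literally,
    # so whitespace or characters such as '<', '>' and '|' in a path given on
    # the command line cannot alter the open mode or be trimmed away.
    open(my $fh, '<', $file) || die "$file: $!\n";
    binmode $fh;

    my @st = stat($fh);
    die "$file: $!\n" if (!@st);
    my $want = $st[7];          # element 7 of stat() is the size in bytes

    # read() returns undef on error and 0 at end of file; only undef is a
    # failure, so an empty file yields "" instead of an unexplained die.
    my $contents = "";
    my $len = read($fh, $contents, $want);
    die "$file: $!\n" if (!defined($len));
    close($fh) || die "$file: $!\n";

    die "$file: Wanted length ", $want, ", got ", $len, "\n"
        if ($len != $want);
    return $contents;
}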

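# Run $cmd, feed $input to its standard input, and return what it prints.
#
# Parameters: $input - bytes to send to the child (may be undef or "").
#             $cmd   - command line to run.
# Returns:    at most the first 4096 bytes of the child's standard output.
# Dies:       on a failed write, read or close, when the child produces no
#             output, or when it ends with any non-zero wait status.
#
# $cmd is handed to open2() as a single string, so it may be interpreted by
# the shell. Callers must build it only from fixed or allowlisted text.
sub openssl_pipe($$) {
        my ($input, $cmd) = @_;

        # Lexical handles instead of global barewords. open2() raises an
        # exception of its own when the child cannot be started.
        my $pid = open2(my $from_child, my $to_child, $cmd);

        binmode $to_child;
        if (defined($input) && $input ne "") {
                # "or", not "||": "||" bound to $input, so a failed print was
                # never detected and an input of "0" triggered the die.
                print {$to_child} $input or die "$cmd: $!";
        }
        # Closing the write side signals end of input to the child.
        close($to_child) || die "$cmd: $!";

        binmode $from_child;
        my $res;
        read($from_child, $res, 4096) || die "$cmd: $!";
        close($from_child) || die "$cmd: $!";

        # waitpid() returns -1 on failure, which is a true value, so compare
        # against the pid instead of testing for truth.
        die "$cmd: waitpid failed: $!" if (waitpid($pid, 0) != $pid);
        # Check the whole status word so that death by signal is caught as
        # well as a non-zero exit code.
        die "$cmd died: $?" if ($? != 0);
        return $res;
}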

# Trailer constants: the marker string that ends a signed module, and the
# size of the fixed info block that is read from directly in front of it.
my $magic_number = "~Module signature appended~\n";
my $magic_len    = length($magic_number);
my $info_len     = 12;

# The whole module file is held in memory. $module_len tracks how many
# bytes of it still count as payload while trailer pieces are cut off.
my $module     = read_file($module_name);
my $module_len = length($module);

# A file shorter than the marker is rejected outright.
die "Module size too short\n" if $module_len < $magic_len;

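# Remove the last $length bytes from the global $module buffer and return
# them, keeping $module_len in step.
#
# Parameter: $length - number of bytes to cut off the end.
# Returns:   the removed bytes ("" when $length is 0).
# Dies:      with "Module size too short" when fewer bytes are left.
#
# The lengths passed in are read from the module's own trailer, i.e. from
# file content that is not trusted, so the bound check must stay in front
# of the cut.
sub eat
{
        my $length = shift;
        if ($module_len < $length) {
                die "Module size too short\n";
        }
        # Cut at an explicit offset. substr($module, -$length) returns the
        # whole buffer when $length is 0, because -0 is offset 0.
        my $cut = $module_len - $length;
        my $res = substr($module, $cut);
        $module = substr($module, 0, $cut);
        $module_len = $cut;
        return $res;
}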

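# Strip an appended signature trailer, if present, so that only the module
# payload is hashed. The trailer is consumed from the end of the buffer:
# marker string, then the 12-byte info block, then the signature, and for
# id type 1 also the key id and the signer name.
if (substr($module, -$magic_len) eq $magic_number) {
        eat($magic_len);

        # Info block layout per the unpack template: five unsigned bytes,
        # three padding bytes, one 32-bit big-endian signature length.
        # Every value here comes from the file itself and is untrusted;
        # eat() rejects lengths larger than what is left in the buffer.
        my $info = eat($info_len);
        my ($algo, $hash, $id_type, $name_len, $key_len, $sig_len) =
                unpack("CCCCCxxxN", $info);
        my $signature = eat($sig_len);

        if ($id_type == 1) {
                # The signature starts with a 16-bit big-endian length that
                # must account for the rest of the block. Require at least
                # those two bytes before unpacking them.
                if ($sig_len >= 2 and unpack("n", $signature) == $sig_len - 2) {
                        verbose ("signed module (X.509)\n");
                } else {
                        die "Invalid signature format\n";
                }
                if ($algo != 1) {
                        die "Unsupported signature algorithm\n";
                }
                # Key id and signer name are part of the trailer too. Their
                # contents are not needed, only their removal.
                eat($key_len);
                eat($name_len);
        } elsif ($id_type == 2) {
                verbose ("signed module (PKCS#7)\n");
        } else {
                # Previously this case fell through without any message.
                # NOTE(review): whether an unrecognised id type should be
                # fatal is a policy decision; hashing continues as before.
                info("unrecognised signature id type $id_type; only the signature block was stripped\n");
        }
} else {
        verbose ("unsigned module\n");
}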

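verbose("Hash algorithm: $dgst\n");

# Hash the stripped payload with the openssl command-line tool. $dgst is
# the only variable part of the command string and was checked against the
# fixed list of supported algorithm names earlier in the script.
my $digest = openssl_pipe($module, "openssl dgst -$dgst");

# Remove the label in front of the hex digest. Anchoring at the start of the
# string and allowing a prefix before "(stdin)= " also covers openssl builds
# that print the algorithm name first; a bare "(stdin)= " is handled as before.
$digest =~ s/\A[^\n]*?\(stdin\)= //;

print "$module_name: $digest";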
