import mokutil-0.3.0-9.el8

.gitignore

@@ -0,0 +1 @@
+SOURCES/0.3.0.tar.gz

.mokutil.metadata

@@ -0,0 +1 @@
+8686e2ab33689a7f71268db3c8dc0a51ba291d93 SOURCES/0.3.0.tar.gz

SOURCES/0001-Fix-the-potential-buffer-overflow.patch

@@ -0,0 +1,36 @@
+From 1313fa02a5b2bfe61ee6702696600fc148ec2d6e Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin <glin@suse.com>
+Date: Tue, 4 Nov 2014 15:50:03 +0800
+Subject: [PATCH 01/10] Fix the potential buffer overflow
+
+Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
+---
+ src/mokutil.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index 5b34f22fd98..93fb6fabcab 100644
+--- a/src/mokutil.c
++++ b/src/mokutil.c
+@@ -1743,7 +1743,7 @@ set_toggle (const char * VarName, uint32_t state)
+ 	MokToggleVar tvar;
+ 	char *password = NULL;
+ 	unsigned int pw_len;
+-	efi_char16_t efichar_pass[SB_PASSWORD_MAX];
++	efi_char16_t efichar_pass[SB_PASSWORD_MAX+1];
+ 	int ret = -1;
+ 
+ 	printf ("password length: %d~%d\n", SB_PASSWORD_MIN, SB_PASSWORD_MAX);
+@@ -1757,8 +1757,7 @@ set_toggle (const char * VarName, uint32_t state)
+ 	efichar_from_char (efichar_pass, password,
+ 			   SB_PASSWORD_MAX * sizeof(efi_char16_t));
+ 
+-	memcpy(tvar.password, efichar_pass,
+-	       SB_PASSWORD_MAX * sizeof(efi_char16_t));
++	memcpy(tvar.password, efichar_pass, sizeof(tvar.password));
+ 
+ 	tvar.mok_toggle_state = state;
+ 
+-- 
+2.17.1
+

SOURCES/0002-Fix-the-32bit-signedness-comparison.patch

@@ -0,0 +1,34 @@
+From cdb4b6f3bfd6ada6558ddfb889e27150f0841b28 Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin <glin@suse.com>
+Date: Mon, 24 Nov 2014 11:38:54 +0800
+Subject: [PATCH 02/10] Fix the 32bit signedness comparison
+
+---
+ src/mokutil.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index 93fb6fabcab..a7e83f71f0b 100644
+--- a/src/mokutil.c
++++ b/src/mokutil.c
+@@ -1284,7 +1284,7 @@ issue_mok_request (char **files, uint32_t total, MokRequest req,
+ 
+ 		/* Mok */
+ 		read_size = read (fd, ptr, sizes[i]);
+-		if (read_size < 0 || read_size != sizes[i]) {
++		if (read_size < 0 || read_size != (int64_t)sizes[i]) {
+ 			fprintf (stderr, "Failed to read %s\n", files[i]);
+ 			goto error;
+ 		}
+@@ -1645,7 +1645,7 @@ export_moks ()
+ 			goto error;
+ 		}
+ 
+-		while (offset < list[i].mok_size) {
++		while (offset < (int64_t)list[i].mok_size) {
+ 			write_size = write (fd, list[i].mok + offset,
+ 						list[i].mok_size - offset);
+ 			if (write_size < 0) {
+-- 
+2.17.1
+

SOURCES/0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch

@@ -0,0 +1,43 @@
+From 9eb111a7f7b897ba4ae19a68708e010a5c384260 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Fri, 19 Jun 2015 16:53:36 -0400
+Subject: [PATCH 03/10] Build with -fshort-wchar so toggle passwords work
+ right.
+
+This source tree uses:
+
+typedef wchar_t efi_char16_t;
+
+to define UEFI's UCS-2 character type.  On many platforms, wchar_t is
+32-bits by default.  As a result, efichar_from_char winds up writing
+4-byte characters instead of 2-byte characters.  In the case where we
+hash the password in mokutil, this works fine, because the same datatype
+is used, and the values are the same.  But for our feature toggles,
+where we store the raw data and shim is interpretting the character
+array, every other character winds up being L'\0', and verification
+fails.
+
+So always build with -fshort-wchar to ensure we get 2-byte character
+storage.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index fe28fb92241..69d412ac633 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -37,7 +37,7 @@ else
+ 	default_strict=no
+ fi
+ 
+-WARNINGFLAGS_C="$WARNINGFLAGS_C -std=gnu11"
++WARNINGFLAGS_C="$WARNINGFLAGS_C -std=gnu11 -fshort-wchar"
+ 
+ AC_ARG_ENABLE(strict, AS_HELP_STRING([--enable-strict],[Enable strict compilation options]), enable_strict=$enableval,
+ 		enable_strict=$default_strict)
+-- 
+2.17.1
+

SOURCES/0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch

@@ -0,0 +1,32 @@
+From ecc8fb0d92f0f453414a98172df22e23fb5893f5 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 16 Jun 2015 17:06:30 -0400
+Subject: [PATCH 04/10] Don't allow sha1 on the mokutil command line.
+
+Related: rhbz#1115843
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/mokutil.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index a7e83f71f0b..1fb34f9d3aa 100644
+--- a/src/mokutil.c
++++ b/src/mokutil.c
+@@ -1351,10 +1351,12 @@ identify_hash_type (const char *hash_str, efi_guid_t *type)
+ 	}
+ 
+ 	switch (len) {
++#if 0
+ 	case SHA_DIGEST_LENGTH*2:
+ 		*type = efi_guid_sha1;
+ 		hash_size = SHA_DIGEST_LENGTH;
+ 		break;
++#endif
+ 	case SHA224_DIGEST_LENGTH*2:
+ 		*type = efi_guid_sha224;
+ 		hash_size = SHA224_DIGEST_LENGTH;
+-- 
+2.17.1
+

SOURCES/0005-Make-all-efi_guid_t-const.patch

@@ -0,0 +1,87 @@
+From eba569a8e6c33f07042758cbfa1706d7339464e1 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Wed, 13 Jan 2016 16:05:21 +0800
+Subject: [PATCH 05/10] Make all efi_guid_t const
+
+All UEFI GUIDs defined in efivar are const. Declare all of them const
+to make gcc happy.
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ src/mokutil.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index 1fb34f9d3aa..d2c52b4caaf 100644
+--- a/src/mokutil.c
++++ b/src/mokutil.c
+@@ -200,7 +200,7 @@ efichar_from_char (efi_char16_t *dest, const char *src, size_t dest_len)
+ }
+ 
+ static uint32_t
+-efi_hash_size (efi_guid_t *hash_type)
++efi_hash_size (const efi_guid_t *hash_type)
+ {
+ 	if (efi_guid_cmp (hash_type, &efi_guid_sha1) == 0) {
+ 		return SHA_DIGEST_LENGTH;
+@@ -218,7 +218,7 @@ efi_hash_size (efi_guid_t *hash_type)
+ }
+ 
+ static uint32_t
+-signature_size (efi_guid_t *hash_type)
++signature_size (const efi_guid_t *hash_type)
+ {
+ 	uint32_t hash_size;
+ 
+@@ -439,7 +439,7 @@ list_keys (uint8_t *data, size_t data_size)
+ 
+ /* match the hash in the hash array and return the index if matched */
+ static int
+-match_hash_array (efi_guid_t *hash_type, const void *hash,
++match_hash_array (const efi_guid_t *hash_type, const void *hash,
+ 		  const void *hash_array, const uint32_t array_size)
+ {
+ 	uint32_t hash_size, hash_count;
+@@ -469,8 +469,8 @@ match_hash_array (efi_guid_t *hash_type, const void *hash,
+ }
+ 
+ static int
+-delete_data_from_list (efi_guid_t *var_guid, const char *var_name,
+-		       efi_guid_t *type, void *data, uint32_t data_size)
++delete_data_from_list (const efi_guid_t *var_guid, const char *var_name,
++		       const efi_guid_t *type, void *data, uint32_t data_size)
+ {
+ 	uint8_t *var_data = NULL;
+ 	size_t var_data_size = 0;
+@@ -1006,8 +1006,8 @@ is_valid_cert (void *cert, uint32_t cert_size)
+ }
+ 
+ static int
+-is_duplicate (efi_guid_t *type, const void *data, const uint32_t data_size,
+-	      efi_guid_t *vendor, const char *db_name)
++is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size,
++	      const efi_guid_t *vendor, const char *db_name)
+ {
+ 	uint8_t *var_data;
+ 	size_t var_data_size;
+@@ -1059,7 +1059,7 @@ done:
+ }
+ 
+ static int
+-is_valid_request (efi_guid_t *type, void *mok, uint32_t mok_size,
++is_valid_request (const efi_guid_t *type, void *mok, uint32_t mok_size,
+ 		  MokRequest req)
+ {
+ 	switch (req) {
+@@ -1096,7 +1096,7 @@ is_valid_request (efi_guid_t *type, void *mok, uint32_t mok_size,
+ }
+ 
+ static int
+-in_pending_request (efi_guid_t *type, void *data, uint32_t data_size,
++in_pending_request (const efi_guid_t *type, void *data, uint32_t data_size,
+ 		    MokRequest req)
+ {
+ 	uint8_t *authvar_data;
+-- 
+2.17.1
+

SOURCES/0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch

@@ -0,0 +1,37 @@
+From 951daed3f98e9a3de2bc36cd82525cdbf7595e3e Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 14 Jun 2016 10:19:43 -0400
+Subject: [PATCH 06/10] mokutil: be explicit about file modes in all cases.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/mokutil.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index d2c52b4caaf..d554f6cca21 100644
+--- a/src/mokutil.c
++++ b/src/mokutil.c
+@@ -574,7 +574,8 @@ delete_data_from_list (const efi_guid_t *var_guid, const char *var_name,
+ 		     | EFI_VARIABLE_BOOTSERVICE_ACCESS
+ 		     | EFI_VARIABLE_RUNTIME_ACCESS;
+ 	ret = efi_set_variable (*var_guid, var_name,
+-				var_data, total, attributes);
++				var_data, total, attributes,
++				S_IRUSR | S_IWUSR);
+ 	if (ret < 0) {
+ 		fprintf (stderr, "Failed to write variable \"%s\": %m\n",
+ 			 var_name);
+@@ -938,7 +939,8 @@ update_request (void *new_list, int list_len, MokRequest req,
+ 		data_size = list_len;
+ 
+ 		if (efi_set_variable (efi_guid_shim, req_name,
+-				      data, data_size, attributes) < 0) {
++				      data, data_size, attributes,
++				      S_IRUSR | S_IWUSR) < 0) {
+ 			switch (req) {
+ 			case ENROLL_MOK:
+ 				fprintf (stderr, "Failed to enroll new keys\n");
+-- 
+2.17.1
+

SOURCES/0007-Add-bash-completion-file.patch

@@ -0,0 +1,98 @@
+From a797a566127f7469d744b2748f98d1fa5ea8d8f9 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 14 Jun 2016 10:20:14 -0400
+Subject: [PATCH 07/10] Add bash completion file.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ configure.ac | 17 +++++++++++++++++
+ Makefile.am  |  5 +++++
+ data/mokutil | 37 +++++++++++++++++++++++++++++++++++++
+ 3 files changed, 59 insertions(+)
+ create mode 100755 data/mokutil
+
+diff --git a/configure.ac b/configure.ac
+index 69d412ac633..7b52a063df0 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -86,6 +86,23 @@ AC_CHECK_FUNCS([memset])
+ PKG_CHECK_MODULES(OPENSSL, [openssl >= 0.9.8])
+ PKG_CHECK_MODULES(EFIVAR, [efivar >= 0.12])
+ 
++AC_ARG_WITH([bash-completion-dir],
++    AS_HELP_STRING([--with-bash-completion-dir[=PATH]],
++        [Install the bash auto-completion script in this directory. @<:@default=yes@:>@]),
++    [],
++    [with_bash_completion_dir=yes])
++
++if test "x$with_bash_completion_dir" = "xyes"; then
++    PKG_CHECK_MODULES([BASH_COMPLETION], [bash-completion >= 2.0],
++        [BASH_COMPLETION_DIR="`pkg-config --variable=completionsdir bash-completion`"],
++        [BASH_COMPLETION_DIR="$datadir/bash-completion/completions"])
++else
++    BASH_COMPLETION_DIR="$with_bash_completion_dir"
++fi
++
++AC_SUBST([BASH_COMPLETION_DIR])
++AM_CONDITIONAL([ENABLE_BASH_COMPLETION],[test "x$with_bash_completion_dir" != "xno"])
++
+ AC_CONFIG_FILES([Makefile
+                  src/Makefile
+ 		 man/Makefile])
+diff --git a/Makefile.am b/Makefile.am
+index 9f0d4192515..c17cc4a86d8 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -1 +1,6 @@
+ SUBDIRS = src man
++
++if ENABLE_BASH_COMPLETION
++  bashcompletiondir = $(BASH_COMPLETION_DIR)
++  dist_bashcompletion_DATA = data/mokutil
++endif
+diff --git a/data/mokutil b/data/mokutil
+new file mode 100755
+index 00000000000..800b039e7f4
+--- /dev/null
++++ b/data/mokutil
+@@ -0,0 +1,37 @@
++#!/bin/bash
++
++_mokutil()
++{
++	local cur=${COMP_WORDS[COMP_CWORD]}
++
++	if [[ "$cur" == -* ]]; then
++		#COMPREPLY=( $( compgen -W "--help --list-enrolled --list-new --list-delete --import --delete --revoke-import --revoke-delete --export --password --clear-password --disable-validation --enable-validation --sb-state --test-key --reset --generate-hash --hash-file --root-pw --simple-hash" -- $cur ) )
++		COMPREPLY=( $( compgen -W '$( _parse_help "$1" --long-help ) -h -l -N -D -i -d -x -p -c -t -f -g -P -s -X' -- "$cur" ) )
++		[[ $COMPREPLY == *= ]] && compopt -o nospace
++		return 0
++	fi
++
++	case "${COMP_WORDS[COMP_CWORD-1]}" in
++	--import|-i|--delete|-d|--test-key|-t|--hash-file|-f)
++		_filedir
++		return 0
++		;;
++	--import-hash|--delete-hash)
++		COMPREPLY=( $( compgen -W "" ) )
++		return 0
++		;;
++	--set-verbosity)
++		COMPREPLY=( $( compgen -W "true false") )
++		return 0
++		;;
++	--generate-hash|-g)
++		COMPREPLY=( $( compgen -o nospace -P= -W "") )
++		return 0
++		;;
++	*)
++		return 0
++		;;
++	esac
++}
++
++complete -F _mokutil mokutil
+-- 
+2.17.1
+

SOURCES/0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch

@@ -0,0 +1,27 @@
+From b5f004ddbd8ef1f9f1d664d41d5dcc4272621080 Mon Sep 17 00:00:00 2001
+From: Tyler Hicks <tyhicks@canonical.com>
+Date: Mon, 20 Jun 2016 11:18:17 -0500
+Subject: [PATCH 08/10] Fix typo in error message when the system lacks Secure
+ Boot support
+
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+---
+ src/mokutil.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index d554f6cca21..27f1292f3a9 100644
+--- a/src/mokutil.c
++++ b/src/mokutil.c
+@@ -2297,7 +2297,7 @@ main (int argc, char *argv[])
+ 		rc = efi_get_variable (efi_guid_global, "SecureBoot",
+ 				       &data, &data_size, &attributes);
+ 		if (rc < 0) {
+-			fprintf(stderr, "This system does't support Secure Boot\n");
++			fprintf(stderr, "This system doesn't support Secure Boot\n");
+ 			ret = -1;
+ 			goto out;
+ 		}
+-- 
+2.17.1
+

SOURCES/0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch

@@ -0,0 +1,27 @@
+From 2fa167f3905ebee27221fc2b1db4b79e215d8ca0 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 3 Apr 2017 16:33:38 -0400
+Subject: [PATCH 09/10] list_keys_in_var(): check errno correctly, not ret
+ twice.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/mokutil.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index 27f1292f3a9..0be9e8491fd 100644
+--- a/src/mokutil.c
++++ b/src/mokutil.c
+@@ -602,7 +602,7 @@ list_keys_in_var (const char *var_name, const efi_guid_t guid)
+ 
+ 	ret = efi_get_variable (guid, var_name, &data, &data_size, &attributes);
+ 	if (ret < 0) {
+-		if (ret == ENOENT) {
++		if (errno == ENOENT) {
+ 			printf ("%s is empty\n", var_name);
+ 			return 0;
+ 		}
+-- 
+2.17.1
+

SOURCES/0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch

@@ -0,0 +1,101 @@
+From 57f7c776dca0322fab107460cac71ac4b6e79b9a Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 15 May 2018 11:20:15 -0400
+Subject: [PATCH 10/10] generate_hash() / generate_pw_hash(): don't use
+ strlen() for strncpy bounds
+
+New gcc rightly comlplains when we do the following:
+
+strncpy (dest, src, strlen(src));
+
+For two reasons:
+a) it doesn't copy the NUL byte
+b) it's otherwise the same thing strcpy() would have done
+
+This patch replaces that with stpncpy (just because it's slightly easier
+to use) and the real bounds for the destination.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/mokutil.c | 33 ++++++++++++++++++++++-----------
+ 1 file changed, 22 insertions(+), 11 deletions(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index 0be9e8491fd..b5080107600 100644
+--- a/src/mokutil.c
++++ b/src/mokutil.c
+@@ -764,9 +764,10 @@ generate_hash (pw_crypt_t *pw_crypt, char *password, unsigned int pw_len)
+ {
+ 	pw_crypt_t new_crypt;
+ 	char settings[SETTINGS_LEN];
++	char *next;
+ 	char *crypt_string;
+ 	const char *prefix;
+-	int hash_len, prefix_len;
++	int hash_len, settings_len = sizeof (settings) - 2;
+ 
+ 	if (!password || !pw_crypt || password[pw_len] != '\0')
+ 		return -1;
+@@ -774,15 +775,19 @@ generate_hash (pw_crypt_t *pw_crypt, char *password, unsigned int pw_len)
+ 	prefix = get_crypt_prefix (pw_crypt->method);
+ 	if (!prefix)
+ 		return -1;
+-	prefix_len = strlen(prefix);
+ 
+ 	pw_crypt->salt_size = get_salt_size (pw_crypt->method);
+ 	generate_salt ((char *)pw_crypt->salt, pw_crypt->salt_size);
+ 
+-	strncpy (settings, prefix, prefix_len);
+-	strncpy (settings + prefix_len, (const char *)pw_crypt->salt,
+-		 pw_crypt->salt_size);
+-	settings[pw_crypt->salt_size + prefix_len] = '\0';
++	memset (settings, 0, sizeof (settings));
++	next = stpncpy (settings, prefix, settings_len);
++	if (pw_crypt->salt_size > settings_len - (next - settings)) {
++		errno = EOVERFLOW;
++		return -1;
++	}
++	next = stpncpy (next, (const char *)pw_crypt->salt,
++			pw_crypt->salt_size);
++	*next = '\0';
+ 
+ 	crypt_string = crypt (password, settings);
+ 	if (!crypt_string)
+@@ -1929,10 +1934,11 @@ static int
+ generate_pw_hash (const char *input_pw)
+ {
+ 	char settings[SETTINGS_LEN];
++        char *next;
+ 	char *password = NULL;
+ 	char *crypt_string;
+ 	const char *prefix;
+-	int prefix_len;
++	int settings_len = sizeof (settings) - 2;
+ 	unsigned int pw_len, salt_size;
+ 
+ 	if (input_pw) {
+@@ -1958,12 +1964,17 @@ generate_pw_hash (const char *input_pw)
+ 	prefix = get_crypt_prefix (DEFAULT_CRYPT_METHOD);
+ 	if (!prefix)
+ 		return -1;
+-	prefix_len = strlen(prefix);
+ 
+-	strncpy (settings, prefix, prefix_len);
++	memset (settings, 0, sizeof (settings));
++	next = stpncpy (settings, prefix, settings_len);
+ 	salt_size = get_salt_size (DEFAULT_CRYPT_METHOD);
+-	generate_salt ((settings + prefix_len), salt_size);
+-	settings[DEFAULT_SALT_SIZE + prefix_len] = '\0';
++	if (salt_size > settings_len - (next - settings)) {
++		errno = EOVERFLOW;
++		return -1;
++	}
++	generate_salt (next, salt_size);
++	next += salt_size;
++	*next = '\0';
+ 
+ 	crypt_string = crypt (password, settings);
+ 	free (password);
+-- 
+2.17.1
+

SOURCES/0011-Fix-a-integer-comparison-sign-issue.patch

@@ -0,0 +1,33 @@
+From 9292352eb29a4fca41909448799efc524ee3c255 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Wed, 25 Jul 2018 10:27:34 -0400
+Subject: [PATCH] Fix a integer comparison sign issue.
+
+I introduced this, and it's stupid:
+
+mokutil.c: In function 'generate_pw_hash':
+mokutil.c:1971:16: error: comparison of integer expressions of different signedness: 'unsigned int' and 'int' [-Werror=sign-compare]
+  if (salt_size > settings_len - (next - settings)) {
+                ^
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/mokutil.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index d03127abf54..068df0d109c 100644
+--- a/src/mokutil.c
++++ b/src/mokutil.c
+@@ -1938,7 +1938,7 @@ generate_pw_hash (const char *input_pw)
+ 	char *password = NULL;
+ 	char *crypt_string;
+ 	const char *prefix;
+-	int settings_len = sizeof (settings) - 2;
++	unsigned int settings_len = sizeof (settings) - 2;
+ 	unsigned int pw_len, salt_size;
+ 
+ 	if (input_pw) {
+-- 
+2.17.1
+

SPECS/mokutil.spec

@@ -0,0 +1,101 @@
+Name:           mokutil
+Version:        0.3.0
+Release:        9%{?dist}
+Epoch:          1
+Summary:        Tool to manage UEFI Secure Boot MoK Keys
+License:        GPLv3+
+URL:            https://github.com/lcp/mokutil
+ExclusiveArch:  %{ix86} x86_64 aarch64
+BuildRequires:  autoconf automake gnu-efi git openssl-devel openssl
+BuildRequires:  efivar-devel >= 31-1
+Source0:        https://github.com/lcp/mokutil/archive/%{version}.tar.gz
+Conflicts:      shim < 0.8-1%{?dist}
+Obsoletes:      mokutil <= 1:0.3.0-1
+
+Patch0001: 0001-Fix-the-potential-buffer-overflow.patch
+Patch0002: 0002-Fix-the-32bit-signedness-comparison.patch
+Patch0003: 0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch
+Patch0004: 0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch
+Patch0005: 0005-Make-all-efi_guid_t-const.patch
+Patch0006: 0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch
+Patch0007: 0007-Add-bash-completion-file.patch
+Patch0008: 0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch
+Patch0009: 0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch
+Patch0010: 0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch
+Patch0011: 0011-Fix-a-integer-comparison-sign-issue.patch
+
+%description
+mokutil provides a tool to manage keys for Secure Boot through the MoK
+("Machine's Own Keys") mechanism.
+
+%prep
+%setup -q -n %{name}-%{version}
+git init
+git config user.email "%{name}-owner@fedoraproject.org"
+git config user.name "Fedora Ninjas"
+git add .
+git commit -a -q -m "%{version} baseline."
+git am %{patches} </dev/null
+git config --unset user.email
+git config --unset user.name
+
+%build
+./autogen.sh
+%configure
+make %{?_smp_mflags}
+
+%install
+rm -rf %{buildroot}
+make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
+
+%files
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%doc README
+%{_bindir}/mokutil
+%{_mandir}/man1/*
+%{_datadir}/bash-completion/completions/mokutil
+
+%changelog
+* Tue Jul 24 2018 Peter Jones <pjones@redhat.com> - 0.3.0-9
+- Minor obsoletes fix
+- Import some fixes from upstream
+
+* Sat Jan 20 2018 Björn Esser <besser82@fedoraproject.org> - 1:0.3.0-8
+- Rebuilt for switch to libxcrypt
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.3.0-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.3.0-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Sat Jul 08 2017 Peter Jones <pjones@redhat.com> - 0.3.0-5
+- Rebuild for efivar-31-1.fc26
+  Related: rhbz#1468841
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.3.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Wed Aug 17 2016 Peter Jones <pjones@redhat.com> - 0.3.0-3
+- Rebuild for newer efivar again.
+
+* Wed Aug 10 2016 Peter Jones <pjones@redhat.com> - 0.3.0-2
+- Update for newer efivar.
+
+* Tue Jun 14 2016 Peter Jones <pjones@redhat.com> - 0.3.0-1
+- Update to 0.3.0 release.
+  Resolves: rhbz#1334628
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.2.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:0.2.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Sat Feb 21 2015 Till Maas <opensource@till.name> - 1:0.2.0-2
+- Rebuilt for Fedora 23 Change
+  https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
+
+* Mon Oct 06 2014 Peter Jones <pjones@redhat.com> - 0.2.0-1
+- First independent package.