commit 930baecec64eafb102c22b1f784fa66ca0c1ef33 Author: CentOS Sources Date: Fri Aug 2 17:36:13 2019 -0400 import mokutil-0.3.0-9.el8 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..acc77e2 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/0.3.0.tar.gz diff --git a/.mokutil.metadata b/.mokutil.metadata new file mode 100644 index 0000000..0e0d9df --- /dev/null +++ b/.mokutil.metadata @@ -0,0 +1 @@ +8686e2ab33689a7f71268db3c8dc0a51ba291d93 SOURCES/0.3.0.tar.gz diff --git a/SOURCES/0001-Fix-the-potential-buffer-overflow.patch b/SOURCES/0001-Fix-the-potential-buffer-overflow.patch new file mode 100644 index 0000000..f752a3f --- /dev/null +++ b/SOURCES/0001-Fix-the-potential-buffer-overflow.patch @@ -0,0 +1,36 @@ +From 1313fa02a5b2bfe61ee6702696600fc148ec2d6e Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Tue, 4 Nov 2014 15:50:03 +0800 +Subject: [PATCH 01/10] Fix the potential buffer overflow + +Signed-off-by: Gary Ching-Pang Lin +--- + src/mokutil.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index 5b34f22fd98..93fb6fabcab 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -1743,7 +1743,7 @@ set_toggle (const char * VarName, uint32_t state) + MokToggleVar tvar; + char *password = NULL; + unsigned int pw_len; +- efi_char16_t efichar_pass[SB_PASSWORD_MAX]; ++ efi_char16_t efichar_pass[SB_PASSWORD_MAX+1]; + int ret = -1; + + printf ("password length: %d~%d\n", SB_PASSWORD_MIN, SB_PASSWORD_MAX); +@@ -1757,8 +1757,7 @@ set_toggle (const char * VarName, uint32_t state) + efichar_from_char (efichar_pass, password, + SB_PASSWORD_MAX * sizeof(efi_char16_t)); + +- memcpy(tvar.password, efichar_pass, +- SB_PASSWORD_MAX * sizeof(efi_char16_t)); ++ memcpy(tvar.password, efichar_pass, sizeof(tvar.password)); + + tvar.mok_toggle_state = state; + +-- +2.17.1 + diff --git a/SOURCES/0002-Fix-the-32bit-signedness-comparison.patch b/SOURCES/0002-Fix-the-32bit-signedness-comparison.patch new file mode 100644 index 0000000..33ca700 --- /dev/null +++ b/SOURCES/0002-Fix-the-32bit-signedness-comparison.patch @@ -0,0 +1,34 @@ +From cdb4b6f3bfd6ada6558ddfb889e27150f0841b28 Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Mon, 24 Nov 2014 11:38:54 +0800 +Subject: [PATCH 02/10] Fix the 32bit signedness comparison + +--- + src/mokutil.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index 93fb6fabcab..a7e83f71f0b 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -1284,7 +1284,7 @@ issue_mok_request (char **files, uint32_t total, MokRequest req, + + /* Mok */ + read_size = read (fd, ptr, sizes[i]); +- if (read_size < 0 || read_size != sizes[i]) { ++ if (read_size < 0 || read_size != (int64_t)sizes[i]) { + fprintf (stderr, "Failed to read %s\n", files[i]); + goto error; + } +@@ -1645,7 +1645,7 @@ export_moks () + goto error; + } + +- while (offset < list[i].mok_size) { ++ while (offset < (int64_t)list[i].mok_size) { + write_size = write (fd, list[i].mok + offset, + list[i].mok_size - offset); + if (write_size < 0) { +-- +2.17.1 + diff --git a/SOURCES/0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch b/SOURCES/0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch new file mode 100644 index 0000000..a9fe4e9 --- /dev/null +++ b/SOURCES/0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch @@ -0,0 +1,43 @@ +From 9eb111a7f7b897ba4ae19a68708e010a5c384260 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Fri, 19 Jun 2015 16:53:36 -0400 +Subject: [PATCH 03/10] Build with -fshort-wchar so toggle passwords work + right. + +This source tree uses: + +typedef wchar_t efi_char16_t; + +to define UEFI's UCS-2 character type. On many platforms, wchar_t is +32-bits by default. As a result, efichar_from_char winds up writing +4-byte characters instead of 2-byte characters. In the case where we +hash the password in mokutil, this works fine, because the same datatype +is used, and the values are the same. But for our feature toggles, +where we store the raw data and shim is interpretting the character +array, every other character winds up being L'\0', and verification +fails. + +So always build with -fshort-wchar to ensure we get 2-byte character +storage. + +Signed-off-by: Peter Jones +--- + configure.ac | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index fe28fb92241..69d412ac633 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -37,7 +37,7 @@ else + default_strict=no + fi + +-WARNINGFLAGS_C="$WARNINGFLAGS_C -std=gnu11" ++WARNINGFLAGS_C="$WARNINGFLAGS_C -std=gnu11 -fshort-wchar" + + AC_ARG_ENABLE(strict, AS_HELP_STRING([--enable-strict],[Enable strict compilation options]), enable_strict=$enableval, + enable_strict=$default_strict) +-- +2.17.1 + diff --git a/SOURCES/0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch b/SOURCES/0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch new file mode 100644 index 0000000..f45fd42 --- /dev/null +++ b/SOURCES/0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch @@ -0,0 +1,32 @@ +From ecc8fb0d92f0f453414a98172df22e23fb5893f5 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 16 Jun 2015 17:06:30 -0400 +Subject: [PATCH 04/10] Don't allow sha1 on the mokutil command line. + +Related: rhbz#1115843 + +Signed-off-by: Peter Jones +--- + src/mokutil.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/mokutil.c b/src/mokutil.c +index a7e83f71f0b..1fb34f9d3aa 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -1351,10 +1351,12 @@ identify_hash_type (const char *hash_str, efi_guid_t *type) + } + + switch (len) { ++#if 0 + case SHA_DIGEST_LENGTH*2: + *type = efi_guid_sha1; + hash_size = SHA_DIGEST_LENGTH; + break; ++#endif + case SHA224_DIGEST_LENGTH*2: + *type = efi_guid_sha224; + hash_size = SHA224_DIGEST_LENGTH; +-- +2.17.1 + diff --git a/SOURCES/0005-Make-all-efi_guid_t-const.patch b/SOURCES/0005-Make-all-efi_guid_t-const.patch new file mode 100644 index 0000000..b041fc4 --- /dev/null +++ b/SOURCES/0005-Make-all-efi_guid_t-const.patch @@ -0,0 +1,87 @@ +From eba569a8e6c33f07042758cbfa1706d7339464e1 Mon Sep 17 00:00:00 2001 +From: Gary Lin +Date: Wed, 13 Jan 2016 16:05:21 +0800 +Subject: [PATCH 05/10] Make all efi_guid_t const + +All UEFI GUIDs defined in efivar are const. Declare all of them const +to make gcc happy. + +Signed-off-by: Gary Lin +--- + src/mokutil.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index 1fb34f9d3aa..d2c52b4caaf 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -200,7 +200,7 @@ efichar_from_char (efi_char16_t *dest, const char *src, size_t dest_len) + } + + static uint32_t +-efi_hash_size (efi_guid_t *hash_type) ++efi_hash_size (const efi_guid_t *hash_type) + { + if (efi_guid_cmp (hash_type, &efi_guid_sha1) == 0) { + return SHA_DIGEST_LENGTH; +@@ -218,7 +218,7 @@ efi_hash_size (efi_guid_t *hash_type) + } + + static uint32_t +-signature_size (efi_guid_t *hash_type) ++signature_size (const efi_guid_t *hash_type) + { + uint32_t hash_size; + +@@ -439,7 +439,7 @@ list_keys (uint8_t *data, size_t data_size) + + /* match the hash in the hash array and return the index if matched */ + static int +-match_hash_array (efi_guid_t *hash_type, const void *hash, ++match_hash_array (const efi_guid_t *hash_type, const void *hash, + const void *hash_array, const uint32_t array_size) + { + uint32_t hash_size, hash_count; +@@ -469,8 +469,8 @@ match_hash_array (efi_guid_t *hash_type, const void *hash, + } + + static int +-delete_data_from_list (efi_guid_t *var_guid, const char *var_name, +- efi_guid_t *type, void *data, uint32_t data_size) ++delete_data_from_list (const efi_guid_t *var_guid, const char *var_name, ++ const efi_guid_t *type, void *data, uint32_t data_size) + { + uint8_t *var_data = NULL; + size_t var_data_size = 0; +@@ -1006,8 +1006,8 @@ is_valid_cert (void *cert, uint32_t cert_size) + } + + static int +-is_duplicate (efi_guid_t *type, const void *data, const uint32_t data_size, +- efi_guid_t *vendor, const char *db_name) ++is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size, ++ const efi_guid_t *vendor, const char *db_name) + { + uint8_t *var_data; + size_t var_data_size; +@@ -1059,7 +1059,7 @@ done: + } + + static int +-is_valid_request (efi_guid_t *type, void *mok, uint32_t mok_size, ++is_valid_request (const efi_guid_t *type, void *mok, uint32_t mok_size, + MokRequest req) + { + switch (req) { +@@ -1096,7 +1096,7 @@ is_valid_request (efi_guid_t *type, void *mok, uint32_t mok_size, + } + + static int +-in_pending_request (efi_guid_t *type, void *data, uint32_t data_size, ++in_pending_request (const efi_guid_t *type, void *data, uint32_t data_size, + MokRequest req) + { + uint8_t *authvar_data; +-- +2.17.1 + diff --git a/SOURCES/0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch b/SOURCES/0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch new file mode 100644 index 0000000..af8b621 --- /dev/null +++ b/SOURCES/0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch @@ -0,0 +1,37 @@ +From 951daed3f98e9a3de2bc36cd82525cdbf7595e3e Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 14 Jun 2016 10:19:43 -0400 +Subject: [PATCH 06/10] mokutil: be explicit about file modes in all cases. + +Signed-off-by: Peter Jones +--- + src/mokutil.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index d2c52b4caaf..d554f6cca21 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -574,7 +574,8 @@ delete_data_from_list (const efi_guid_t *var_guid, const char *var_name, + | EFI_VARIABLE_BOOTSERVICE_ACCESS + | EFI_VARIABLE_RUNTIME_ACCESS; + ret = efi_set_variable (*var_guid, var_name, +- var_data, total, attributes); ++ var_data, total, attributes, ++ S_IRUSR | S_IWUSR); + if (ret < 0) { + fprintf (stderr, "Failed to write variable \"%s\": %m\n", + var_name); +@@ -938,7 +939,8 @@ update_request (void *new_list, int list_len, MokRequest req, + data_size = list_len; + + if (efi_set_variable (efi_guid_shim, req_name, +- data, data_size, attributes) < 0) { ++ data, data_size, attributes, ++ S_IRUSR | S_IWUSR) < 0) { + switch (req) { + case ENROLL_MOK: + fprintf (stderr, "Failed to enroll new keys\n"); +-- +2.17.1 + diff --git a/SOURCES/0007-Add-bash-completion-file.patch b/SOURCES/0007-Add-bash-completion-file.patch new file mode 100644 index 0000000..29720ad --- /dev/null +++ b/SOURCES/0007-Add-bash-completion-file.patch @@ -0,0 +1,98 @@ +From a797a566127f7469d744b2748f98d1fa5ea8d8f9 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 14 Jun 2016 10:20:14 -0400 +Subject: [PATCH 07/10] Add bash completion file. + +Signed-off-by: Peter Jones +--- + configure.ac | 17 +++++++++++++++++ + Makefile.am | 5 +++++ + data/mokutil | 37 +++++++++++++++++++++++++++++++++++++ + 3 files changed, 59 insertions(+) + create mode 100755 data/mokutil + +diff --git a/configure.ac b/configure.ac +index 69d412ac633..7b52a063df0 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -86,6 +86,23 @@ AC_CHECK_FUNCS([memset]) + PKG_CHECK_MODULES(OPENSSL, [openssl >= 0.9.8]) + PKG_CHECK_MODULES(EFIVAR, [efivar >= 0.12]) + ++AC_ARG_WITH([bash-completion-dir], ++ AS_HELP_STRING([--with-bash-completion-dir[=PATH]], ++ [Install the bash auto-completion script in this directory. @<:@default=yes@:>@]), ++ [], ++ [with_bash_completion_dir=yes]) ++ ++if test "x$with_bash_completion_dir" = "xyes"; then ++ PKG_CHECK_MODULES([BASH_COMPLETION], [bash-completion >= 2.0], ++ [BASH_COMPLETION_DIR="`pkg-config --variable=completionsdir bash-completion`"], ++ [BASH_COMPLETION_DIR="$datadir/bash-completion/completions"]) ++else ++ BASH_COMPLETION_DIR="$with_bash_completion_dir" ++fi ++ ++AC_SUBST([BASH_COMPLETION_DIR]) ++AM_CONDITIONAL([ENABLE_BASH_COMPLETION],[test "x$with_bash_completion_dir" != "xno"]) ++ + AC_CONFIG_FILES([Makefile + src/Makefile + man/Makefile]) +diff --git a/Makefile.am b/Makefile.am +index 9f0d4192515..c17cc4a86d8 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -1 +1,6 @@ + SUBDIRS = src man ++ ++if ENABLE_BASH_COMPLETION ++ bashcompletiondir = $(BASH_COMPLETION_DIR) ++ dist_bashcompletion_DATA = data/mokutil ++endif +diff --git a/data/mokutil b/data/mokutil +new file mode 100755 +index 00000000000..800b039e7f4 +--- /dev/null ++++ b/data/mokutil +@@ -0,0 +1,37 @@ ++#!/bin/bash ++ ++_mokutil() ++{ ++ local cur=${COMP_WORDS[COMP_CWORD]} ++ ++ if [[ "$cur" == -* ]]; then ++ #COMPREPLY=( $( compgen -W "--help --list-enrolled --list-new --list-delete --import --delete --revoke-import --revoke-delete --export --password --clear-password --disable-validation --enable-validation --sb-state --test-key --reset --generate-hash --hash-file --root-pw --simple-hash" -- $cur ) ) ++ COMPREPLY=( $( compgen -W '$( _parse_help "$1" --long-help ) -h -l -N -D -i -d -x -p -c -t -f -g -P -s -X' -- "$cur" ) ) ++ [[ $COMPREPLY == *= ]] && compopt -o nospace ++ return 0 ++ fi ++ ++ case "${COMP_WORDS[COMP_CWORD-1]}" in ++ --import|-i|--delete|-d|--test-key|-t|--hash-file|-f) ++ _filedir ++ return 0 ++ ;; ++ --import-hash|--delete-hash) ++ COMPREPLY=( $( compgen -W "" ) ) ++ return 0 ++ ;; ++ --set-verbosity) ++ COMPREPLY=( $( compgen -W "true false") ) ++ return 0 ++ ;; ++ --generate-hash|-g) ++ COMPREPLY=( $( compgen -o nospace -P= -W "") ) ++ return 0 ++ ;; ++ *) ++ return 0 ++ ;; ++ esac ++} ++ ++complete -F _mokutil mokutil +-- +2.17.1 + diff --git a/SOURCES/0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch b/SOURCES/0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch new file mode 100644 index 0000000..5642502 --- /dev/null +++ b/SOURCES/0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch @@ -0,0 +1,27 @@ +From b5f004ddbd8ef1f9f1d664d41d5dcc4272621080 Mon Sep 17 00:00:00 2001 +From: Tyler Hicks +Date: Mon, 20 Jun 2016 11:18:17 -0500 +Subject: [PATCH 08/10] Fix typo in error message when the system lacks Secure + Boot support + +Signed-off-by: Tyler Hicks +--- + src/mokutil.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index d554f6cca21..27f1292f3a9 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -2297,7 +2297,7 @@ main (int argc, char *argv[]) + rc = efi_get_variable (efi_guid_global, "SecureBoot", + &data, &data_size, &attributes); + if (rc < 0) { +- fprintf(stderr, "This system does't support Secure Boot\n"); ++ fprintf(stderr, "This system doesn't support Secure Boot\n"); + ret = -1; + goto out; + } +-- +2.17.1 + diff --git a/SOURCES/0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch b/SOURCES/0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch new file mode 100644 index 0000000..0bed1d9 --- /dev/null +++ b/SOURCES/0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch @@ -0,0 +1,27 @@ +From 2fa167f3905ebee27221fc2b1db4b79e215d8ca0 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Mon, 3 Apr 2017 16:33:38 -0400 +Subject: [PATCH 09/10] list_keys_in_var(): check errno correctly, not ret + twice. + +Signed-off-by: Peter Jones +--- + src/mokutil.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index 27f1292f3a9..0be9e8491fd 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -602,7 +602,7 @@ list_keys_in_var (const char *var_name, const efi_guid_t guid) + + ret = efi_get_variable (guid, var_name, &data, &data_size, &attributes); + if (ret < 0) { +- if (ret == ENOENT) { ++ if (errno == ENOENT) { + printf ("%s is empty\n", var_name); + return 0; + } +-- +2.17.1 + diff --git a/SOURCES/0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch b/SOURCES/0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch new file mode 100644 index 0000000..2d57007 --- /dev/null +++ b/SOURCES/0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch @@ -0,0 +1,101 @@ +From 57f7c776dca0322fab107460cac71ac4b6e79b9a Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 15 May 2018 11:20:15 -0400 +Subject: [PATCH 10/10] generate_hash() / generate_pw_hash(): don't use + strlen() for strncpy bounds + +New gcc rightly comlplains when we do the following: + +strncpy (dest, src, strlen(src)); + +For two reasons: +a) it doesn't copy the NUL byte +b) it's otherwise the same thing strcpy() would have done + +This patch replaces that with stpncpy (just because it's slightly easier +to use) and the real bounds for the destination. + +Signed-off-by: Peter Jones +--- + src/mokutil.c | 33 ++++++++++++++++++++++----------- + 1 file changed, 22 insertions(+), 11 deletions(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index 0be9e8491fd..b5080107600 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -764,9 +764,10 @@ generate_hash (pw_crypt_t *pw_crypt, char *password, unsigned int pw_len) + { + pw_crypt_t new_crypt; + char settings[SETTINGS_LEN]; ++ char *next; + char *crypt_string; + const char *prefix; +- int hash_len, prefix_len; ++ int hash_len, settings_len = sizeof (settings) - 2; + + if (!password || !pw_crypt || password[pw_len] != '\0') + return -1; +@@ -774,15 +775,19 @@ generate_hash (pw_crypt_t *pw_crypt, char *password, unsigned int pw_len) + prefix = get_crypt_prefix (pw_crypt->method); + if (!prefix) + return -1; +- prefix_len = strlen(prefix); + + pw_crypt->salt_size = get_salt_size (pw_crypt->method); + generate_salt ((char *)pw_crypt->salt, pw_crypt->salt_size); + +- strncpy (settings, prefix, prefix_len); +- strncpy (settings + prefix_len, (const char *)pw_crypt->salt, +- pw_crypt->salt_size); +- settings[pw_crypt->salt_size + prefix_len] = '\0'; ++ memset (settings, 0, sizeof (settings)); ++ next = stpncpy (settings, prefix, settings_len); ++ if (pw_crypt->salt_size > settings_len - (next - settings)) { ++ errno = EOVERFLOW; ++ return -1; ++ } ++ next = stpncpy (next, (const char *)pw_crypt->salt, ++ pw_crypt->salt_size); ++ *next = '\0'; + + crypt_string = crypt (password, settings); + if (!crypt_string) +@@ -1929,10 +1934,11 @@ static int + generate_pw_hash (const char *input_pw) + { + char settings[SETTINGS_LEN]; ++ char *next; + char *password = NULL; + char *crypt_string; + const char *prefix; +- int prefix_len; ++ int settings_len = sizeof (settings) - 2; + unsigned int pw_len, salt_size; + + if (input_pw) { +@@ -1958,12 +1964,17 @@ generate_pw_hash (const char *input_pw) + prefix = get_crypt_prefix (DEFAULT_CRYPT_METHOD); + if (!prefix) + return -1; +- prefix_len = strlen(prefix); + +- strncpy (settings, prefix, prefix_len); ++ memset (settings, 0, sizeof (settings)); ++ next = stpncpy (settings, prefix, settings_len); + salt_size = get_salt_size (DEFAULT_CRYPT_METHOD); +- generate_salt ((settings + prefix_len), salt_size); +- settings[DEFAULT_SALT_SIZE + prefix_len] = '\0'; ++ if (salt_size > settings_len - (next - settings)) { ++ errno = EOVERFLOW; ++ return -1; ++ } ++ generate_salt (next, salt_size); ++ next += salt_size; ++ *next = '\0'; + + crypt_string = crypt (password, settings); + free (password); +-- +2.17.1 + diff --git a/SOURCES/0011-Fix-a-integer-comparison-sign-issue.patch b/SOURCES/0011-Fix-a-integer-comparison-sign-issue.patch new file mode 100644 index 0000000..0744d0a --- /dev/null +++ b/SOURCES/0011-Fix-a-integer-comparison-sign-issue.patch @@ -0,0 +1,33 @@ +From 9292352eb29a4fca41909448799efc524ee3c255 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Wed, 25 Jul 2018 10:27:34 -0400 +Subject: [PATCH] Fix a integer comparison sign issue. + +I introduced this, and it's stupid: + +mokutil.c: In function 'generate_pw_hash': +mokutil.c:1971:16: error: comparison of integer expressions of different signedness: 'unsigned int' and 'int' [-Werror=sign-compare] + if (salt_size > settings_len - (next - settings)) { + ^ + +Signed-off-by: Peter Jones +--- + src/mokutil.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index d03127abf54..068df0d109c 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -1938,7 +1938,7 @@ generate_pw_hash (const char *input_pw) + char *password = NULL; + char *crypt_string; + const char *prefix; +- int settings_len = sizeof (settings) - 2; ++ unsigned int settings_len = sizeof (settings) - 2; + unsigned int pw_len, salt_size; + + if (input_pw) { +-- +2.17.1 + diff --git a/SPECS/mokutil.spec b/SPECS/mokutil.spec new file mode 100644 index 0000000..e7db2ed --- /dev/null +++ b/SPECS/mokutil.spec @@ -0,0 +1,101 @@ +Name: mokutil +Version: 0.3.0 +Release: 9%{?dist} +Epoch: 1 +Summary: Tool to manage UEFI Secure Boot MoK Keys +License: GPLv3+ +URL: https://github.com/lcp/mokutil +ExclusiveArch: %{ix86} x86_64 aarch64 +BuildRequires: autoconf automake gnu-efi git openssl-devel openssl +BuildRequires: efivar-devel >= 31-1 +Source0: https://github.com/lcp/mokutil/archive/%{version}.tar.gz +Conflicts: shim < 0.8-1%{?dist} +Obsoletes: mokutil <= 1:0.3.0-1 + +Patch0001: 0001-Fix-the-potential-buffer-overflow.patch +Patch0002: 0002-Fix-the-32bit-signedness-comparison.patch +Patch0003: 0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch +Patch0004: 0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch +Patch0005: 0005-Make-all-efi_guid_t-const.patch +Patch0006: 0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch +Patch0007: 0007-Add-bash-completion-file.patch +Patch0008: 0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch +Patch0009: 0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch +Patch0010: 0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch +Patch0011: 0011-Fix-a-integer-comparison-sign-issue.patch + +%description +mokutil provides a tool to manage keys for Secure Boot through the MoK +("Machine's Own Keys") mechanism. + +%prep +%setup -q -n %{name}-%{version} +git init +git config user.email "%{name}-owner@fedoraproject.org" +git config user.name "Fedora Ninjas" +git add . +git commit -a -q -m "%{version} baseline." +git am %{patches} - 0.3.0-9 +- Minor obsoletes fix +- Import some fixes from upstream + +* Sat Jan 20 2018 Björn Esser - 1:0.3.0-8 +- Rebuilt for switch to libxcrypt + +* Thu Aug 03 2017 Fedora Release Engineering - 1:0.3.0-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 1:0.3.0-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Sat Jul 08 2017 Peter Jones - 0.3.0-5 +- Rebuild for efivar-31-1.fc26 + Related: rhbz#1468841 + +* Fri Feb 10 2017 Fedora Release Engineering - 1:0.3.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Wed Aug 17 2016 Peter Jones - 0.3.0-3 +- Rebuild for newer efivar again. + +* Wed Aug 10 2016 Peter Jones - 0.3.0-2 +- Update for newer efivar. + +* Tue Jun 14 2016 Peter Jones - 0.3.0-1 +- Update to 0.3.0 release. + Resolves: rhbz#1334628 + +* Thu Feb 04 2016 Fedora Release Engineering - 1:0.2.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Wed Jun 17 2015 Fedora Release Engineering - 1:0.2.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Sat Feb 21 2015 Till Maas - 1:0.2.0-2 +- Rebuilt for Fedora 23 Change + https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code + +* Mon Oct 06 2014 Peter Jones - 0.2.0-1 +- First independent package.