import mokutil-0.3.0-9.el8
This commit is contained in:
commit
a618afa09d
1
.gitignore
vendored
Normal file
1
.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
||||
SOURCES/0.3.0.tar.gz
|
1
.mokutil.metadata
Normal file
1
.mokutil.metadata
Normal file
@ -0,0 +1 @@
|
||||
8686e2ab33689a7f71268db3c8dc0a51ba291d93 SOURCES/0.3.0.tar.gz
|
36
SOURCES/0001-Fix-the-potential-buffer-overflow.patch
Normal file
36
SOURCES/0001-Fix-the-potential-buffer-overflow.patch
Normal file
@ -0,0 +1,36 @@
|
||||
From 1313fa02a5b2bfe61ee6702696600fc148ec2d6e Mon Sep 17 00:00:00 2001
|
||||
From: Gary Ching-Pang Lin <glin@suse.com>
|
||||
Date: Tue, 4 Nov 2014 15:50:03 +0800
|
||||
Subject: [PATCH 01/10] Fix the potential buffer overflow
|
||||
|
||||
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
|
||||
---
|
||||
src/mokutil.c | 5 ++---
|
||||
1 file changed, 2 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||
index 5b34f22fd98..93fb6fabcab 100644
|
||||
--- a/src/mokutil.c
|
||||
+++ b/src/mokutil.c
|
||||
@@ -1743,7 +1743,7 @@ set_toggle (const char * VarName, uint32_t state)
|
||||
MokToggleVar tvar;
|
||||
char *password = NULL;
|
||||
unsigned int pw_len;
|
||||
- efi_char16_t efichar_pass[SB_PASSWORD_MAX];
|
||||
+ efi_char16_t efichar_pass[SB_PASSWORD_MAX+1];
|
||||
int ret = -1;
|
||||
|
||||
printf ("password length: %d~%d\n", SB_PASSWORD_MIN, SB_PASSWORD_MAX);
|
||||
@@ -1757,8 +1757,7 @@ set_toggle (const char * VarName, uint32_t state)
|
||||
efichar_from_char (efichar_pass, password,
|
||||
SB_PASSWORD_MAX * sizeof(efi_char16_t));
|
||||
|
||||
- memcpy(tvar.password, efichar_pass,
|
||||
- SB_PASSWORD_MAX * sizeof(efi_char16_t));
|
||||
+ memcpy(tvar.password, efichar_pass, sizeof(tvar.password));
|
||||
|
||||
tvar.mok_toggle_state = state;
|
||||
|
||||
--
|
||||
2.17.1
|
||||
|
34
SOURCES/0002-Fix-the-32bit-signedness-comparison.patch
Normal file
34
SOURCES/0002-Fix-the-32bit-signedness-comparison.patch
Normal file
@ -0,0 +1,34 @@
|
||||
From cdb4b6f3bfd6ada6558ddfb889e27150f0841b28 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Ching-Pang Lin <glin@suse.com>
|
||||
Date: Mon, 24 Nov 2014 11:38:54 +0800
|
||||
Subject: [PATCH 02/10] Fix the 32bit signedness comparison
|
||||
|
||||
---
|
||||
src/mokutil.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||
index 93fb6fabcab..a7e83f71f0b 100644
|
||||
--- a/src/mokutil.c
|
||||
+++ b/src/mokutil.c
|
||||
@@ -1284,7 +1284,7 @@ issue_mok_request (char **files, uint32_t total, MokRequest req,
|
||||
|
||||
/* Mok */
|
||||
read_size = read (fd, ptr, sizes[i]);
|
||||
- if (read_size < 0 || read_size != sizes[i]) {
|
||||
+ if (read_size < 0 || read_size != (int64_t)sizes[i]) {
|
||||
fprintf (stderr, "Failed to read %s\n", files[i]);
|
||||
goto error;
|
||||
}
|
||||
@@ -1645,7 +1645,7 @@ export_moks ()
|
||||
goto error;
|
||||
}
|
||||
|
||||
- while (offset < list[i].mok_size) {
|
||||
+ while (offset < (int64_t)list[i].mok_size) {
|
||||
write_size = write (fd, list[i].mok + offset,
|
||||
list[i].mok_size - offset);
|
||||
if (write_size < 0) {
|
||||
--
|
||||
2.17.1
|
||||
|
@ -0,0 +1,43 @@
|
||||
From 9eb111a7f7b897ba4ae19a68708e010a5c384260 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Fri, 19 Jun 2015 16:53:36 -0400
|
||||
Subject: [PATCH 03/10] Build with -fshort-wchar so toggle passwords work
|
||||
right.
|
||||
|
||||
This source tree uses:
|
||||
|
||||
typedef wchar_t efi_char16_t;
|
||||
|
||||
to define UEFI's UCS-2 character type. On many platforms, wchar_t is
|
||||
32-bits by default. As a result, efichar_from_char winds up writing
|
||||
4-byte characters instead of 2-byte characters. In the case where we
|
||||
hash the password in mokutil, this works fine, because the same datatype
|
||||
is used, and the values are the same. But for our feature toggles,
|
||||
where we store the raw data and shim is interpretting the character
|
||||
array, every other character winds up being L'\0', and verification
|
||||
fails.
|
||||
|
||||
So always build with -fshort-wchar to ensure we get 2-byte character
|
||||
storage.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
configure.ac | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index fe28fb92241..69d412ac633 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -37,7 +37,7 @@ else
|
||||
default_strict=no
|
||||
fi
|
||||
|
||||
-WARNINGFLAGS_C="$WARNINGFLAGS_C -std=gnu11"
|
||||
+WARNINGFLAGS_C="$WARNINGFLAGS_C -std=gnu11 -fshort-wchar"
|
||||
|
||||
AC_ARG_ENABLE(strict, AS_HELP_STRING([--enable-strict],[Enable strict compilation options]), enable_strict=$enableval,
|
||||
enable_strict=$default_strict)
|
||||
--
|
||||
2.17.1
|
||||
|
@ -0,0 +1,32 @@
|
||||
From ecc8fb0d92f0f453414a98172df22e23fb5893f5 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Tue, 16 Jun 2015 17:06:30 -0400
|
||||
Subject: [PATCH 04/10] Don't allow sha1 on the mokutil command line.
|
||||
|
||||
Related: rhbz#1115843
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/mokutil.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||
index a7e83f71f0b..1fb34f9d3aa 100644
|
||||
--- a/src/mokutil.c
|
||||
+++ b/src/mokutil.c
|
||||
@@ -1351,10 +1351,12 @@ identify_hash_type (const char *hash_str, efi_guid_t *type)
|
||||
}
|
||||
|
||||
switch (len) {
|
||||
+#if 0
|
||||
case SHA_DIGEST_LENGTH*2:
|
||||
*type = efi_guid_sha1;
|
||||
hash_size = SHA_DIGEST_LENGTH;
|
||||
break;
|
||||
+#endif
|
||||
case SHA224_DIGEST_LENGTH*2:
|
||||
*type = efi_guid_sha224;
|
||||
hash_size = SHA224_DIGEST_LENGTH;
|
||||
--
|
||||
2.17.1
|
||||
|
87
SOURCES/0005-Make-all-efi_guid_t-const.patch
Normal file
87
SOURCES/0005-Make-all-efi_guid_t-const.patch
Normal file
@ -0,0 +1,87 @@
|
||||
From eba569a8e6c33f07042758cbfa1706d7339464e1 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Lin <glin@suse.com>
|
||||
Date: Wed, 13 Jan 2016 16:05:21 +0800
|
||||
Subject: [PATCH 05/10] Make all efi_guid_t const
|
||||
|
||||
All UEFI GUIDs defined in efivar are const. Declare all of them const
|
||||
to make gcc happy.
|
||||
|
||||
Signed-off-by: Gary Lin <glin@suse.com>
|
||||
---
|
||||
src/mokutil.c | 18 +++++++++---------
|
||||
1 file changed, 9 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||
index 1fb34f9d3aa..d2c52b4caaf 100644
|
||||
--- a/src/mokutil.c
|
||||
+++ b/src/mokutil.c
|
||||
@@ -200,7 +200,7 @@ efichar_from_char (efi_char16_t *dest, const char *src, size_t dest_len)
|
||||
}
|
||||
|
||||
static uint32_t
|
||||
-efi_hash_size (efi_guid_t *hash_type)
|
||||
+efi_hash_size (const efi_guid_t *hash_type)
|
||||
{
|
||||
if (efi_guid_cmp (hash_type, &efi_guid_sha1) == 0) {
|
||||
return SHA_DIGEST_LENGTH;
|
||||
@@ -218,7 +218,7 @@ efi_hash_size (efi_guid_t *hash_type)
|
||||
}
|
||||
|
||||
static uint32_t
|
||||
-signature_size (efi_guid_t *hash_type)
|
||||
+signature_size (const efi_guid_t *hash_type)
|
||||
{
|
||||
uint32_t hash_size;
|
||||
|
||||
@@ -439,7 +439,7 @@ list_keys (uint8_t *data, size_t data_size)
|
||||
|
||||
/* match the hash in the hash array and return the index if matched */
|
||||
static int
|
||||
-match_hash_array (efi_guid_t *hash_type, const void *hash,
|
||||
+match_hash_array (const efi_guid_t *hash_type, const void *hash,
|
||||
const void *hash_array, const uint32_t array_size)
|
||||
{
|
||||
uint32_t hash_size, hash_count;
|
||||
@@ -469,8 +469,8 @@ match_hash_array (efi_guid_t *hash_type, const void *hash,
|
||||
}
|
||||
|
||||
static int
|
||||
-delete_data_from_list (efi_guid_t *var_guid, const char *var_name,
|
||||
- efi_guid_t *type, void *data, uint32_t data_size)
|
||||
+delete_data_from_list (const efi_guid_t *var_guid, const char *var_name,
|
||||
+ const efi_guid_t *type, void *data, uint32_t data_size)
|
||||
{
|
||||
uint8_t *var_data = NULL;
|
||||
size_t var_data_size = 0;
|
||||
@@ -1006,8 +1006,8 @@ is_valid_cert (void *cert, uint32_t cert_size)
|
||||
}
|
||||
|
||||
static int
|
||||
-is_duplicate (efi_guid_t *type, const void *data, const uint32_t data_size,
|
||||
- efi_guid_t *vendor, const char *db_name)
|
||||
+is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size,
|
||||
+ const efi_guid_t *vendor, const char *db_name)
|
||||
{
|
||||
uint8_t *var_data;
|
||||
size_t var_data_size;
|
||||
@@ -1059,7 +1059,7 @@ done:
|
||||
}
|
||||
|
||||
static int
|
||||
-is_valid_request (efi_guid_t *type, void *mok, uint32_t mok_size,
|
||||
+is_valid_request (const efi_guid_t *type, void *mok, uint32_t mok_size,
|
||||
MokRequest req)
|
||||
{
|
||||
switch (req) {
|
||||
@@ -1096,7 +1096,7 @@ is_valid_request (efi_guid_t *type, void *mok, uint32_t mok_size,
|
||||
}
|
||||
|
||||
static int
|
||||
-in_pending_request (efi_guid_t *type, void *data, uint32_t data_size,
|
||||
+in_pending_request (const efi_guid_t *type, void *data, uint32_t data_size,
|
||||
MokRequest req)
|
||||
{
|
||||
uint8_t *authvar_data;
|
||||
--
|
||||
2.17.1
|
||||
|
@ -0,0 +1,37 @@
|
||||
From 951daed3f98e9a3de2bc36cd82525cdbf7595e3e Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Tue, 14 Jun 2016 10:19:43 -0400
|
||||
Subject: [PATCH 06/10] mokutil: be explicit about file modes in all cases.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/mokutil.c | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||
index d2c52b4caaf..d554f6cca21 100644
|
||||
--- a/src/mokutil.c
|
||||
+++ b/src/mokutil.c
|
||||
@@ -574,7 +574,8 @@ delete_data_from_list (const efi_guid_t *var_guid, const char *var_name,
|
||||
| EFI_VARIABLE_BOOTSERVICE_ACCESS
|
||||
| EFI_VARIABLE_RUNTIME_ACCESS;
|
||||
ret = efi_set_variable (*var_guid, var_name,
|
||||
- var_data, total, attributes);
|
||||
+ var_data, total, attributes,
|
||||
+ S_IRUSR | S_IWUSR);
|
||||
if (ret < 0) {
|
||||
fprintf (stderr, "Failed to write variable \"%s\": %m\n",
|
||||
var_name);
|
||||
@@ -938,7 +939,8 @@ update_request (void *new_list, int list_len, MokRequest req,
|
||||
data_size = list_len;
|
||||
|
||||
if (efi_set_variable (efi_guid_shim, req_name,
|
||||
- data, data_size, attributes) < 0) {
|
||||
+ data, data_size, attributes,
|
||||
+ S_IRUSR | S_IWUSR) < 0) {
|
||||
switch (req) {
|
||||
case ENROLL_MOK:
|
||||
fprintf (stderr, "Failed to enroll new keys\n");
|
||||
--
|
||||
2.17.1
|
||||
|
98
SOURCES/0007-Add-bash-completion-file.patch
Normal file
98
SOURCES/0007-Add-bash-completion-file.patch
Normal file
@ -0,0 +1,98 @@
|
||||
From a797a566127f7469d744b2748f98d1fa5ea8d8f9 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Tue, 14 Jun 2016 10:20:14 -0400
|
||||
Subject: [PATCH 07/10] Add bash completion file.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
configure.ac | 17 +++++++++++++++++
|
||||
Makefile.am | 5 +++++
|
||||
data/mokutil | 37 +++++++++++++++++++++++++++++++++++++
|
||||
3 files changed, 59 insertions(+)
|
||||
create mode 100755 data/mokutil
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 69d412ac633..7b52a063df0 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -86,6 +86,23 @@ AC_CHECK_FUNCS([memset])
|
||||
PKG_CHECK_MODULES(OPENSSL, [openssl >= 0.9.8])
|
||||
PKG_CHECK_MODULES(EFIVAR, [efivar >= 0.12])
|
||||
|
||||
+AC_ARG_WITH([bash-completion-dir],
|
||||
+ AS_HELP_STRING([--with-bash-completion-dir[=PATH]],
|
||||
+ [Install the bash auto-completion script in this directory. @<:@default=yes@:>@]),
|
||||
+ [],
|
||||
+ [with_bash_completion_dir=yes])
|
||||
+
|
||||
+if test "x$with_bash_completion_dir" = "xyes"; then
|
||||
+ PKG_CHECK_MODULES([BASH_COMPLETION], [bash-completion >= 2.0],
|
||||
+ [BASH_COMPLETION_DIR="`pkg-config --variable=completionsdir bash-completion`"],
|
||||
+ [BASH_COMPLETION_DIR="$datadir/bash-completion/completions"])
|
||||
+else
|
||||
+ BASH_COMPLETION_DIR="$with_bash_completion_dir"
|
||||
+fi
|
||||
+
|
||||
+AC_SUBST([BASH_COMPLETION_DIR])
|
||||
+AM_CONDITIONAL([ENABLE_BASH_COMPLETION],[test "x$with_bash_completion_dir" != "xno"])
|
||||
+
|
||||
AC_CONFIG_FILES([Makefile
|
||||
src/Makefile
|
||||
man/Makefile])
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 9f0d4192515..c17cc4a86d8 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -1 +1,6 @@
|
||||
SUBDIRS = src man
|
||||
+
|
||||
+if ENABLE_BASH_COMPLETION
|
||||
+ bashcompletiondir = $(BASH_COMPLETION_DIR)
|
||||
+ dist_bashcompletion_DATA = data/mokutil
|
||||
+endif
|
||||
diff --git a/data/mokutil b/data/mokutil
|
||||
new file mode 100755
|
||||
index 00000000000..800b039e7f4
|
||||
--- /dev/null
|
||||
+++ b/data/mokutil
|
||||
@@ -0,0 +1,37 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+_mokutil()
|
||||
+{
|
||||
+ local cur=${COMP_WORDS[COMP_CWORD]}
|
||||
+
|
||||
+ if [[ "$cur" == -* ]]; then
|
||||
+ #COMPREPLY=( $( compgen -W "--help --list-enrolled --list-new --list-delete --import --delete --revoke-import --revoke-delete --export --password --clear-password --disable-validation --enable-validation --sb-state --test-key --reset --generate-hash --hash-file --root-pw --simple-hash" -- $cur ) )
|
||||
+ COMPREPLY=( $( compgen -W '$( _parse_help "$1" --long-help ) -h -l -N -D -i -d -x -p -c -t -f -g -P -s -X' -- "$cur" ) )
|
||||
+ [[ $COMPREPLY == *= ]] && compopt -o nospace
|
||||
+ return 0
|
||||
+ fi
|
||||
+
|
||||
+ case "${COMP_WORDS[COMP_CWORD-1]}" in
|
||||
+ --import|-i|--delete|-d|--test-key|-t|--hash-file|-f)
|
||||
+ _filedir
|
||||
+ return 0
|
||||
+ ;;
|
||||
+ --import-hash|--delete-hash)
|
||||
+ COMPREPLY=( $( compgen -W "" ) )
|
||||
+ return 0
|
||||
+ ;;
|
||||
+ --set-verbosity)
|
||||
+ COMPREPLY=( $( compgen -W "true false") )
|
||||
+ return 0
|
||||
+ ;;
|
||||
+ --generate-hash|-g)
|
||||
+ COMPREPLY=( $( compgen -o nospace -P= -W "") )
|
||||
+ return 0
|
||||
+ ;;
|
||||
+ *)
|
||||
+ return 0
|
||||
+ ;;
|
||||
+ esac
|
||||
+}
|
||||
+
|
||||
+complete -F _mokutil mokutil
|
||||
--
|
||||
2.17.1
|
||||
|
@ -0,0 +1,27 @@
|
||||
From b5f004ddbd8ef1f9f1d664d41d5dcc4272621080 Mon Sep 17 00:00:00 2001
|
||||
From: Tyler Hicks <tyhicks@canonical.com>
|
||||
Date: Mon, 20 Jun 2016 11:18:17 -0500
|
||||
Subject: [PATCH 08/10] Fix typo in error message when the system lacks Secure
|
||||
Boot support
|
||||
|
||||
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
|
||||
---
|
||||
src/mokutil.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||
index d554f6cca21..27f1292f3a9 100644
|
||||
--- a/src/mokutil.c
|
||||
+++ b/src/mokutil.c
|
||||
@@ -2297,7 +2297,7 @@ main (int argc, char *argv[])
|
||||
rc = efi_get_variable (efi_guid_global, "SecureBoot",
|
||||
&data, &data_size, &attributes);
|
||||
if (rc < 0) {
|
||||
- fprintf(stderr, "This system does't support Secure Boot\n");
|
||||
+ fprintf(stderr, "This system doesn't support Secure Boot\n");
|
||||
ret = -1;
|
||||
goto out;
|
||||
}
|
||||
--
|
||||
2.17.1
|
||||
|
@ -0,0 +1,27 @@
|
||||
From 2fa167f3905ebee27221fc2b1db4b79e215d8ca0 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Mon, 3 Apr 2017 16:33:38 -0400
|
||||
Subject: [PATCH 09/10] list_keys_in_var(): check errno correctly, not ret
|
||||
twice.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/mokutil.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||
index 27f1292f3a9..0be9e8491fd 100644
|
||||
--- a/src/mokutil.c
|
||||
+++ b/src/mokutil.c
|
||||
@@ -602,7 +602,7 @@ list_keys_in_var (const char *var_name, const efi_guid_t guid)
|
||||
|
||||
ret = efi_get_variable (guid, var_name, &data, &data_size, &attributes);
|
||||
if (ret < 0) {
|
||||
- if (ret == ENOENT) {
|
||||
+ if (errno == ENOENT) {
|
||||
printf ("%s is empty\n", var_name);
|
||||
return 0;
|
||||
}
|
||||
--
|
||||
2.17.1
|
||||
|
@ -0,0 +1,101 @@
|
||||
From 57f7c776dca0322fab107460cac71ac4b6e79b9a Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Tue, 15 May 2018 11:20:15 -0400
|
||||
Subject: [PATCH 10/10] generate_hash() / generate_pw_hash(): don't use
|
||||
strlen() for strncpy bounds
|
||||
|
||||
New gcc rightly comlplains when we do the following:
|
||||
|
||||
strncpy (dest, src, strlen(src));
|
||||
|
||||
For two reasons:
|
||||
a) it doesn't copy the NUL byte
|
||||
b) it's otherwise the same thing strcpy() would have done
|
||||
|
||||
This patch replaces that with stpncpy (just because it's slightly easier
|
||||
to use) and the real bounds for the destination.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/mokutil.c | 33 ++++++++++++++++++++++-----------
|
||||
1 file changed, 22 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||
index 0be9e8491fd..b5080107600 100644
|
||||
--- a/src/mokutil.c
|
||||
+++ b/src/mokutil.c
|
||||
@@ -764,9 +764,10 @@ generate_hash (pw_crypt_t *pw_crypt, char *password, unsigned int pw_len)
|
||||
{
|
||||
pw_crypt_t new_crypt;
|
||||
char settings[SETTINGS_LEN];
|
||||
+ char *next;
|
||||
char *crypt_string;
|
||||
const char *prefix;
|
||||
- int hash_len, prefix_len;
|
||||
+ int hash_len, settings_len = sizeof (settings) - 2;
|
||||
|
||||
if (!password || !pw_crypt || password[pw_len] != '\0')
|
||||
return -1;
|
||||
@@ -774,15 +775,19 @@ generate_hash (pw_crypt_t *pw_crypt, char *password, unsigned int pw_len)
|
||||
prefix = get_crypt_prefix (pw_crypt->method);
|
||||
if (!prefix)
|
||||
return -1;
|
||||
- prefix_len = strlen(prefix);
|
||||
|
||||
pw_crypt->salt_size = get_salt_size (pw_crypt->method);
|
||||
generate_salt ((char *)pw_crypt->salt, pw_crypt->salt_size);
|
||||
|
||||
- strncpy (settings, prefix, prefix_len);
|
||||
- strncpy (settings + prefix_len, (const char *)pw_crypt->salt,
|
||||
- pw_crypt->salt_size);
|
||||
- settings[pw_crypt->salt_size + prefix_len] = '\0';
|
||||
+ memset (settings, 0, sizeof (settings));
|
||||
+ next = stpncpy (settings, prefix, settings_len);
|
||||
+ if (pw_crypt->salt_size > settings_len - (next - settings)) {
|
||||
+ errno = EOVERFLOW;
|
||||
+ return -1;
|
||||
+ }
|
||||
+ next = stpncpy (next, (const char *)pw_crypt->salt,
|
||||
+ pw_crypt->salt_size);
|
||||
+ *next = '\0';
|
||||
|
||||
crypt_string = crypt (password, settings);
|
||||
if (!crypt_string)
|
||||
@@ -1929,10 +1934,11 @@ static int
|
||||
generate_pw_hash (const char *input_pw)
|
||||
{
|
||||
char settings[SETTINGS_LEN];
|
||||
+ char *next;
|
||||
char *password = NULL;
|
||||
char *crypt_string;
|
||||
const char *prefix;
|
||||
- int prefix_len;
|
||||
+ int settings_len = sizeof (settings) - 2;
|
||||
unsigned int pw_len, salt_size;
|
||||
|
||||
if (input_pw) {
|
||||
@@ -1958,12 +1964,17 @@ generate_pw_hash (const char *input_pw)
|
||||
prefix = get_crypt_prefix (DEFAULT_CRYPT_METHOD);
|
||||
if (!prefix)
|
||||
return -1;
|
||||
- prefix_len = strlen(prefix);
|
||||
|
||||
- strncpy (settings, prefix, prefix_len);
|
||||
+ memset (settings, 0, sizeof (settings));
|
||||
+ next = stpncpy (settings, prefix, settings_len);
|
||||
salt_size = get_salt_size (DEFAULT_CRYPT_METHOD);
|
||||
- generate_salt ((settings + prefix_len), salt_size);
|
||||
- settings[DEFAULT_SALT_SIZE + prefix_len] = '\0';
|
||||
+ if (salt_size > settings_len - (next - settings)) {
|
||||
+ errno = EOVERFLOW;
|
||||
+ return -1;
|
||||
+ }
|
||||
+ generate_salt (next, salt_size);
|
||||
+ next += salt_size;
|
||||
+ *next = '\0';
|
||||
|
||||
crypt_string = crypt (password, settings);
|
||||
free (password);
|
||||
--
|
||||
2.17.1
|
||||
|
33
SOURCES/0011-Fix-a-integer-comparison-sign-issue.patch
Normal file
33
SOURCES/0011-Fix-a-integer-comparison-sign-issue.patch
Normal file
@ -0,0 +1,33 @@
|
||||
From 9292352eb29a4fca41909448799efc524ee3c255 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 25 Jul 2018 10:27:34 -0400
|
||||
Subject: [PATCH] Fix a integer comparison sign issue.
|
||||
|
||||
I introduced this, and it's stupid:
|
||||
|
||||
mokutil.c: In function 'generate_pw_hash':
|
||||
mokutil.c:1971:16: error: comparison of integer expressions of different signedness: 'unsigned int' and 'int' [-Werror=sign-compare]
|
||||
if (salt_size > settings_len - (next - settings)) {
|
||||
^
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/mokutil.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||
index d03127abf54..068df0d109c 100644
|
||||
--- a/src/mokutil.c
|
||||
+++ b/src/mokutil.c
|
||||
@@ -1938,7 +1938,7 @@ generate_pw_hash (const char *input_pw)
|
||||
char *password = NULL;
|
||||
char *crypt_string;
|
||||
const char *prefix;
|
||||
- int settings_len = sizeof (settings) - 2;
|
||||
+ unsigned int settings_len = sizeof (settings) - 2;
|
||||
unsigned int pw_len, salt_size;
|
||||
|
||||
if (input_pw) {
|
||||
--
|
||||
2.17.1
|
||||
|
101
SPECS/mokutil.spec
Normal file
101
SPECS/mokutil.spec
Normal file
@ -0,0 +1,101 @@
|
||||
Name: mokutil
|
||||
Version: 0.3.0
|
||||
Release: 9%{?dist}
|
||||
Epoch: 1
|
||||
Summary: Tool to manage UEFI Secure Boot MoK Keys
|
||||
License: GPLv3+
|
||||
URL: https://github.com/lcp/mokutil
|
||||
ExclusiveArch: %{ix86} x86_64 aarch64
|
||||
BuildRequires: autoconf automake gnu-efi git openssl-devel openssl
|
||||
BuildRequires: efivar-devel >= 31-1
|
||||
Source0: https://github.com/lcp/mokutil/archive/%{version}.tar.gz
|
||||
Conflicts: shim < 0.8-1%{?dist}
|
||||
Obsoletes: mokutil <= 1:0.3.0-1
|
||||
|
||||
Patch0001: 0001-Fix-the-potential-buffer-overflow.patch
|
||||
Patch0002: 0002-Fix-the-32bit-signedness-comparison.patch
|
||||
Patch0003: 0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch
|
||||
Patch0004: 0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch
|
||||
Patch0005: 0005-Make-all-efi_guid_t-const.patch
|
||||
Patch0006: 0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch
|
||||
Patch0007: 0007-Add-bash-completion-file.patch
|
||||
Patch0008: 0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch
|
||||
Patch0009: 0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch
|
||||
Patch0010: 0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch
|
||||
Patch0011: 0011-Fix-a-integer-comparison-sign-issue.patch
|
||||
|
||||
%description
|
||||
mokutil provides a tool to manage keys for Secure Boot through the MoK
|
||||
("Machine's Own Keys") mechanism.
|
||||
|
||||
%prep
|
||||
%setup -q -n %{name}-%{version}
|
||||
git init
|
||||
git config user.email "%{name}-owner@fedoraproject.org"
|
||||
git config user.name "Fedora Ninjas"
|
||||
git add .
|
||||
git commit -a -q -m "%{version} baseline."
|
||||
git am %{patches} </dev/null
|
||||
git config --unset user.email
|
||||
git config --unset user.name
|
||||
|
||||
%build
|
||||
./autogen.sh
|
||||
%configure
|
||||
make %{?_smp_mflags}
|
||||
|
||||
%install
|
||||
rm -rf %{buildroot}
|
||||
make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
|
||||
|
||||
%files
|
||||
%{!?_licensedir:%global license %%doc}
|
||||
%license COPYING
|
||||
%doc README
|
||||
%{_bindir}/mokutil
|
||||
%{_mandir}/man1/*
|
||||
%{_datadir}/bash-completion/completions/mokutil
|
||||
|
||||
%changelog
|
||||
* Tue Jul 24 2018 Peter Jones <pjones@redhat.com> - 0.3.0-9
|
||||
- Minor obsoletes fix
|
||||
- Import some fixes from upstream
|
||||
|
||||
* Sat Jan 20 2018 Björn Esser <besser82@fedoraproject.org> - 1:0.3.0-8
|
||||
- Rebuilt for switch to libxcrypt
|
||||
|
||||
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.3.0-7
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
|
||||
|
||||
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.3.0-6
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
||||
|
||||
* Sat Jul 08 2017 Peter Jones <pjones@redhat.com> - 0.3.0-5
|
||||
- Rebuild for efivar-31-1.fc26
|
||||
Related: rhbz#1468841
|
||||
|
||||
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.3.0-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
|
||||
|
||||
* Wed Aug 17 2016 Peter Jones <pjones@redhat.com> - 0.3.0-3
|
||||
- Rebuild for newer efivar again.
|
||||
|
||||
* Wed Aug 10 2016 Peter Jones <pjones@redhat.com> - 0.3.0-2
|
||||
- Update for newer efivar.
|
||||
|
||||
* Tue Jun 14 2016 Peter Jones <pjones@redhat.com> - 0.3.0-1
|
||||
- Update to 0.3.0 release.
|
||||
Resolves: rhbz#1334628
|
||||
|
||||
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.2.0-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
|
||||
|
||||
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:0.2.0-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
|
||||
|
||||
* Sat Feb 21 2015 Till Maas <opensource@till.name> - 1:0.2.0-2
|
||||
- Rebuilt for Fedora 23 Change
|
||||
https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
|
||||
|
||||
* Mon Oct 06 2014 Peter Jones <pjones@redhat.com> - 0.2.0-1
|
||||
- First independent package.
|
Loading…
Reference in New Issue
Block a user