import mokutil-0.3.0-9.el8

2019-05-07 06:17:12 -04:00 · 2019-05-07 06:17:12 -04:00 · a618afa09d
commit a618afa09d
14 changed files with 658 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
 SOURCES/0.3.0.tar.gz
--- a/.mokutil.metadata
+++ b/.mokutil.metadata
@ -0,0 +1 @@
 8686e2ab33689a7f71268db3c8dc0a51ba291d93 SOURCES/0.3.0.tar.gz
--- a/SOURCES/0001-Fix-the-potential-buffer-overflow.patch
+++ b/SOURCES/0001-Fix-the-potential-buffer-overflow.patch
@ -0,0 +1,36 @@
 From 1313fa02a5b2bfe61ee6702696600fc148ec2d6e Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Tue, 4 Nov 2014 15:50:03 +0800
 Subject: [PATCH 01/10] Fix the potential buffer overflow
 Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
 ---
 src/mokutil.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
 diff --git a/src/mokutil.c b/src/mokutil.c
 index 5b34f22fd98..93fb6fabcab 100644
 --- a/src/mokutil.c
 +++ b/src/mokutil.c
@@ -1743,7 +1743,7 @@ set_toggle (const char * VarName, uint32_t state)
 	MokToggleVar tvar;
 	char *password = NULL;
 	unsigned int pw_len;
 -	efi_char16_t efichar_pass[SB_PASSWORD_MAX];
 +	efi_char16_t efichar_pass[SB_PASSWORD_MAX+1];
 	int ret = -1;
 	printf ("password length: %d~%d\n", SB_PASSWORD_MIN, SB_PASSWORD_MAX);
@@ -1757,8 +1757,7 @@ set_toggle (const char * VarName, uint32_t state)
 	efichar_from_char (efichar_pass, password,
 			   SB_PASSWORD_MAX * sizeof(efi_char16_t));
 -	memcpy(tvar.password, efichar_pass,
 -	       SB_PASSWORD_MAX * sizeof(efi_char16_t));
 +	memcpy(tvar.password, efichar_pass, sizeof(tvar.password));
 	tvar.mok_toggle_state = state;
 -- 
 2.17.1
--- a/SOURCES/0002-Fix-the-32bit-signedness-comparison.patch
+++ b/SOURCES/0002-Fix-the-32bit-signedness-comparison.patch
@ -0,0 +1,34 @@
 From cdb4b6f3bfd6ada6558ddfb889e27150f0841b28 Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Mon, 24 Nov 2014 11:38:54 +0800
 Subject: [PATCH 02/10] Fix the 32bit signedness comparison
 ---
 src/mokutil.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/src/mokutil.c b/src/mokutil.c
 index 93fb6fabcab..a7e83f71f0b 100644
 --- a/src/mokutil.c
 +++ b/src/mokutil.c
@@ -1284,7 +1284,7 @@ issue_mok_request (char **files, uint32_t total, MokRequest req,
 		/* Mok */
 		read_size = read (fd, ptr, sizes[i]);
 -		if (read_size < 0 || read_size != sizes[i]) {
 +		if (read_size < 0 || read_size != (int64_t)sizes[i]) {
 			fprintf (stderr, "Failed to read %s\n", files[i]);
 			goto error;
 		}
@@ -1645,7 +1645,7 @@ export_moks ()
 			goto error;
 		}
 -		while (offset < list[i].mok_size) {
 +		while (offset < (int64_t)list[i].mok_size) {
 			write_size = write (fd, list[i].mok + offset,
 						list[i].mok_size - offset);
 			if (write_size < 0) {
 -- 
 2.17.1
--- a/SOURCES/0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch
+++ b/SOURCES/0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch
@ -0,0 +1,43 @@
 From 9eb111a7f7b897ba4ae19a68708e010a5c384260 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Fri, 19 Jun 2015 16:53:36 -0400
 Subject: [PATCH 03/10] Build with -fshort-wchar so toggle passwords work
 right.
 This source tree uses:
 typedef wchar_t efi_char16_t;
 to define UEFI's UCS-2 character type.  On many platforms, wchar_t is
 32-bits by default.  As a result, efichar_from_char winds up writing
 4-byte characters instead of 2-byte characters.  In the case where we
 hash the password in mokutil, this works fine, because the same datatype
 is used, and the values are the same.  But for our feature toggles,
 where we store the raw data and shim is interpretting the character
 array, every other character winds up being L'\0', and verification
 fails.
 So always build with -fshort-wchar to ensure we get 2-byte character
 storage.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 configure.ac | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/configure.ac b/configure.ac
 index fe28fb92241..69d412ac633 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -37,7 +37,7 @@ else
 	default_strict=no
 fi
 -WARNINGFLAGS_C="$WARNINGFLAGS_C -std=gnu11"
 +WARNINGFLAGS_C="$WARNINGFLAGS_C -std=gnu11 -fshort-wchar"
 AC_ARG_ENABLE(strict, AS_HELP_STRING([--enable-strict],[Enable strict compilation options]), enable_strict=$enableval,
 		enable_strict=$default_strict)
 -- 
 2.17.1
--- a/SOURCES/0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch
+++ b/SOURCES/0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch
@ -0,0 +1,32 @@
 From ecc8fb0d92f0f453414a98172df22e23fb5893f5 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 16 Jun 2015 17:06:30 -0400
 Subject: [PATCH 04/10] Don't allow sha1 on the mokutil command line.
 Related: rhbz#1115843
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/mokutil.c | 2 ++
 1 file changed, 2 insertions(+)
 diff --git a/src/mokutil.c b/src/mokutil.c
 index a7e83f71f0b..1fb34f9d3aa 100644
 --- a/src/mokutil.c
 +++ b/src/mokutil.c
@@ -1351,10 +1351,12 @@ identify_hash_type (const char *hash_str, efi_guid_t *type)
 	}
 	switch (len) {
 +#if 0
 	case SHA_DIGEST_LENGTH*2:
 		*type = efi_guid_sha1;
 		hash_size = SHA_DIGEST_LENGTH;
 		break;
 +#endif
 	case SHA224_DIGEST_LENGTH*2:
 		*type = efi_guid_sha224;
 		hash_size = SHA224_DIGEST_LENGTH;
 -- 
 2.17.1
--- a/SOURCES/0005-Make-all-efi_guid_t-const.patch
+++ b/SOURCES/0005-Make-all-efi_guid_t-const.patch
@ -0,0 +1,87 @@
 From eba569a8e6c33f07042758cbfa1706d7339464e1 Mon Sep 17 00:00:00 2001
 From: Gary Lin <glin@suse.com>
 Date: Wed, 13 Jan 2016 16:05:21 +0800
 Subject: [PATCH 05/10] Make all efi_guid_t const
 All UEFI GUIDs defined in efivar are const. Declare all of them const
 to make gcc happy.
 Signed-off-by: Gary Lin <glin@suse.com>
 ---
 src/mokutil.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
 diff --git a/src/mokutil.c b/src/mokutil.c
 index 1fb34f9d3aa..d2c52b4caaf 100644
 --- a/src/mokutil.c
 +++ b/src/mokutil.c
@@ -200,7 +200,7 @@ efichar_from_char (efi_char16_t *dest, const char *src, size_t dest_len)
 }
 static uint32_t
 -efi_hash_size (efi_guid_t *hash_type)
 +efi_hash_size (const efi_guid_t *hash_type)
 {
 	if (efi_guid_cmp (hash_type, &efi_guid_sha1) == 0) {
 		return SHA_DIGEST_LENGTH;
@@ -218,7 +218,7 @@ efi_hash_size (efi_guid_t *hash_type)
 }
 static uint32_t
 -signature_size (efi_guid_t *hash_type)
 +signature_size (const efi_guid_t *hash_type)
 {
 	uint32_t hash_size;
@@ -439,7 +439,7 @@ list_keys (uint8_t *data, size_t data_size)
 /* match the hash in the hash array and return the index if matched */
 static int
 -match_hash_array (efi_guid_t *hash_type, const void *hash,
 +match_hash_array (const efi_guid_t *hash_type, const void *hash,
 		  const void *hash_array, const uint32_t array_size)
 {
 	uint32_t hash_size, hash_count;
@@ -469,8 +469,8 @@ match_hash_array (efi_guid_t *hash_type, const void *hash,
 }
 static int
 -delete_data_from_list (efi_guid_t *var_guid, const char *var_name,
 -		       efi_guid_t *type, void *data, uint32_t data_size)
 +delete_data_from_list (const efi_guid_t *var_guid, const char *var_name,
 +		       const efi_guid_t *type, void *data, uint32_t data_size)
 {
 	uint8_t *var_data = NULL;
 	size_t var_data_size = 0;
@@ -1006,8 +1006,8 @@ is_valid_cert (void *cert, uint32_t cert_size)
 }
 static int
 -is_duplicate (efi_guid_t *type, const void *data, const uint32_t data_size,
 -	      efi_guid_t *vendor, const char *db_name)
 +is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size,
 +	      const efi_guid_t *vendor, const char *db_name)
 {
 	uint8_t *var_data;
 	size_t var_data_size;
@@ -1059,7 +1059,7 @@ done:
 }
 static int
 -is_valid_request (efi_guid_t *type, void *mok, uint32_t mok_size,
 +is_valid_request (const efi_guid_t *type, void *mok, uint32_t mok_size,
 		  MokRequest req)
 {
 	switch (req) {
@@ -1096,7 +1096,7 @@ is_valid_request (efi_guid_t *type, void *mok, uint32_t mok_size,
 }
 static int
 -in_pending_request (efi_guid_t *type, void *data, uint32_t data_size,
 +in_pending_request (const efi_guid_t *type, void *data, uint32_t data_size,
 		    MokRequest req)
 {
 	uint8_t *authvar_data;
 -- 
 2.17.1
--- a/SOURCES/0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch
+++ b/SOURCES/0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch
@ -0,0 +1,37 @@
 From 951daed3f98e9a3de2bc36cd82525cdbf7595e3e Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 14 Jun 2016 10:19:43 -0400
 Subject: [PATCH 06/10] mokutil: be explicit about file modes in all cases.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/mokutil.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
 diff --git a/src/mokutil.c b/src/mokutil.c
 index d2c52b4caaf..d554f6cca21 100644
 --- a/src/mokutil.c
 +++ b/src/mokutil.c
@@ -574,7 +574,8 @@ delete_data_from_list (const efi_guid_t *var_guid, const char *var_name,
 		     | EFI_VARIABLE_BOOTSERVICE_ACCESS
 		     | EFI_VARIABLE_RUNTIME_ACCESS;
 	ret = efi_set_variable (*var_guid, var_name,
 -				var_data, total, attributes);
 +				var_data, total, attributes,
 +				S_IRUSR | S_IWUSR);
 	if (ret < 0) {
 		fprintf (stderr, "Failed to write variable \"%s\": %m\n",
 			 var_name);
@@ -938,7 +939,8 @@ update_request (void *new_list, int list_len, MokRequest req,
 		data_size = list_len;
 		if (efi_set_variable (efi_guid_shim, req_name,
 -				      data, data_size, attributes) < 0) {
 +				      data, data_size, attributes,
 +				      S_IRUSR | S_IWUSR) < 0) {
 			switch (req) {
 			case ENROLL_MOK:
 				fprintf (stderr, "Failed to enroll new keys\n");
 -- 
 2.17.1
--- a/SOURCES/0007-Add-bash-completion-file.patch
+++ b/SOURCES/0007-Add-bash-completion-file.patch
@ -0,0 +1,98 @@
 From a797a566127f7469d744b2748f98d1fa5ea8d8f9 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 14 Jun 2016 10:20:14 -0400
 Subject: [PATCH 07/10] Add bash completion file.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 configure.ac | 17 +++++++++++++++++
 Makefile.am  |  5 +++++
 data/mokutil | 37 +++++++++++++++++++++++++++++++++++++
 3 files changed, 59 insertions(+)
 create mode 100755 data/mokutil
 diff --git a/configure.ac b/configure.ac
 index 69d412ac633..7b52a063df0 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -86,6 +86,23 @@ AC_CHECK_FUNCS([memset])
 PKG_CHECK_MODULES(OPENSSL, [openssl >= 0.9.8])
 PKG_CHECK_MODULES(EFIVAR, [efivar >= 0.12])
 +AC_ARG_WITH([bash-completion-dir],
 +    AS_HELP_STRING([--with-bash-completion-dir[=PATH]],
 +        [Install the bash auto-completion script in this directory. @<:@default=yes@:>@]),
 +    [],
 +    [with_bash_completion_dir=yes])
 +
 +if test "x$with_bash_completion_dir" = "xyes"; then
 +    PKG_CHECK_MODULES([BASH_COMPLETION], [bash-completion >= 2.0],
 +        [BASH_COMPLETION_DIR="`pkg-config --variable=completionsdir bash-completion`"],
 +        [BASH_COMPLETION_DIR="$datadir/bash-completion/completions"])
 +else
 +    BASH_COMPLETION_DIR="$with_bash_completion_dir"
 +fi
 +
 +AC_SUBST([BASH_COMPLETION_DIR])
 +AM_CONDITIONAL([ENABLE_BASH_COMPLETION],[test "x$with_bash_completion_dir" != "xno"])
 +
 AC_CONFIG_FILES([Makefile
                  src/Makefile
 		 man/Makefile])
 diff --git a/Makefile.am b/Makefile.am
 index 9f0d4192515..c17cc4a86d8 100644
 --- a/Makefile.am
 +++ b/Makefile.am
@@ -1 +1,6 @@
 SUBDIRS = src man
 +
 +if ENABLE_BASH_COMPLETION
 +  bashcompletiondir = $(BASH_COMPLETION_DIR)
 +  dist_bashcompletion_DATA = data/mokutil
 +endif
 diff --git a/data/mokutil b/data/mokutil
 new file mode 100755
 index 00000000000..800b039e7f4
 --- /dev/null
 +++ b/data/mokutil
@@ -0,0 +1,37 @@
 +#!/bin/bash
 +
 +_mokutil()
 +{
 +	local cur=${COMP_WORDS[COMP_CWORD]}
 +
 +	if [[ "$cur" == -* ]]; then
 +		#COMPREPLY=( $( compgen -W "--help --list-enrolled --list-new --list-delete --import --delete --revoke-import --revoke-delete --export --password --clear-password --disable-validation --enable-validation --sb-state --test-key --reset --generate-hash --hash-file --root-pw --simple-hash" -- $cur ) )
 +		COMPREPLY=( $( compgen -W '$( _parse_help "$1" --long-help ) -h -l -N -D -i -d -x -p -c -t -f -g -P -s -X' -- "$cur" ) )
 +		[[ $COMPREPLY == *= ]] && compopt -o nospace
 +		return 0
 +	fi
 +
 +	case "${COMP_WORDS[COMP_CWORD-1]}" in
 +	--import|-i|--delete|-d|--test-key|-t|--hash-file|-f)
 +		_filedir
 +		return 0
 +		;;
 +	--import-hash|--delete-hash)
 +		COMPREPLY=( $( compgen -W "" ) )
 +		return 0
 +		;;
 +	--set-verbosity)
 +		COMPREPLY=( $( compgen -W "true false") )
 +		return 0
 +		;;
 +	--generate-hash|-g)
 +		COMPREPLY=( $( compgen -o nospace -P= -W "") )
 +		return 0
 +		;;
 +	*)
 +		return 0
 +		;;
 +	esac
 +}
 +
 +complete -F _mokutil mokutil
 -- 
 2.17.1
--- a/SOURCES/0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch
+++ b/SOURCES/0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch
@ -0,0 +1,27 @@
 From b5f004ddbd8ef1f9f1d664d41d5dcc4272621080 Mon Sep 17 00:00:00 2001
 From: Tyler Hicks <tyhicks@canonical.com>
 Date: Mon, 20 Jun 2016 11:18:17 -0500
 Subject: [PATCH 08/10] Fix typo in error message when the system lacks Secure
 Boot support
 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
 ---
 src/mokutil.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/mokutil.c b/src/mokutil.c
 index d554f6cca21..27f1292f3a9 100644
 --- a/src/mokutil.c
 +++ b/src/mokutil.c
@@ -2297,7 +2297,7 @@ main (int argc, char *argv[])
 		rc = efi_get_variable (efi_guid_global, "SecureBoot",
 				       &data, &data_size, &attributes);
 		if (rc < 0) {
 -			fprintf(stderr, "This system does't support Secure Boot\n");
 +			fprintf(stderr, "This system doesn't support Secure Boot\n");
 			ret = -1;
 			goto out;
 		}
 -- 
 2.17.1
--- a/SOURCES/0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch
+++ b/SOURCES/0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch
@ -0,0 +1,27 @@
 From 2fa167f3905ebee27221fc2b1db4b79e215d8ca0 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Mon, 3 Apr 2017 16:33:38 -0400
 Subject: [PATCH 09/10] list_keys_in_var(): check errno correctly, not ret
 twice.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/mokutil.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/mokutil.c b/src/mokutil.c
 index 27f1292f3a9..0be9e8491fd 100644
 --- a/src/mokutil.c
 +++ b/src/mokutil.c
@@ -602,7 +602,7 @@ list_keys_in_var (const char *var_name, const efi_guid_t guid)
 	ret = efi_get_variable (guid, var_name, &data, &data_size, &attributes);
 	if (ret < 0) {
 -		if (ret == ENOENT) {
 +		if (errno == ENOENT) {
 			printf ("%s is empty\n", var_name);
 			return 0;
 		}
 -- 
 2.17.1
--- a/SOURCES/0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch
+++ b/SOURCES/0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch
@ -0,0 +1,101 @@
 From 57f7c776dca0322fab107460cac71ac4b6e79b9a Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 15 May 2018 11:20:15 -0400
 Subject: [PATCH 10/10] generate_hash() / generate_pw_hash(): don't use
 strlen() for strncpy bounds
 New gcc rightly comlplains when we do the following:
 strncpy (dest, src, strlen(src));
 For two reasons:
 a) it doesn't copy the NUL byte
 b) it's otherwise the same thing strcpy() would have done
 This patch replaces that with stpncpy (just because it's slightly easier
 to use) and the real bounds for the destination.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/mokutil.c | 33 ++++++++++++++++++++++-----------
 1 file changed, 22 insertions(+), 11 deletions(-)
 diff --git a/src/mokutil.c b/src/mokutil.c
 index 0be9e8491fd..b5080107600 100644
 --- a/src/mokutil.c
 +++ b/src/mokutil.c
@@ -764,9 +764,10 @@ generate_hash (pw_crypt_t *pw_crypt, char *password, unsigned int pw_len)
 {
 	pw_crypt_t new_crypt;
 	char settings[SETTINGS_LEN];
 +	char *next;
 	char *crypt_string;
 	const char *prefix;
 -	int hash_len, prefix_len;
 +	int hash_len, settings_len = sizeof (settings) - 2;
 	if (!password || !pw_crypt || password[pw_len] != '\0')
 		return -1;
@@ -774,15 +775,19 @@ generate_hash (pw_crypt_t *pw_crypt, char *password, unsigned int pw_len)
 	prefix = get_crypt_prefix (pw_crypt->method);
 	if (!prefix)
 		return -1;
 -	prefix_len = strlen(prefix);
 	pw_crypt->salt_size = get_salt_size (pw_crypt->method);
 	generate_salt ((char *)pw_crypt->salt, pw_crypt->salt_size);
 -	strncpy (settings, prefix, prefix_len);
 -	strncpy (settings + prefix_len, (const char *)pw_crypt->salt,
 -		 pw_crypt->salt_size);
 -	settings[pw_crypt->salt_size + prefix_len] = '\0';
 +	memset (settings, 0, sizeof (settings));
 +	next = stpncpy (settings, prefix, settings_len);
 +	if (pw_crypt->salt_size > settings_len - (next - settings)) {
 +		errno = EOVERFLOW;
 +		return -1;
 +	}
 +	next = stpncpy (next, (const char *)pw_crypt->salt,
 +			pw_crypt->salt_size);
 +	*next = '\0';
 	crypt_string = crypt (password, settings);
 	if (!crypt_string)
@@ -1929,10 +1934,11 @@ static int
 generate_pw_hash (const char *input_pw)
 {
 	char settings[SETTINGS_LEN];
 +        char *next;
 	char *password = NULL;
 	char *crypt_string;
 	const char *prefix;
 -	int prefix_len;
 +	int settings_len = sizeof (settings) - 2;
 	unsigned int pw_len, salt_size;
 	if (input_pw) {
@@ -1958,12 +1964,17 @@ generate_pw_hash (const char *input_pw)
 	prefix = get_crypt_prefix (DEFAULT_CRYPT_METHOD);
 	if (!prefix)
 		return -1;
 -	prefix_len = strlen(prefix);
 -	strncpy (settings, prefix, prefix_len);
 +	memset (settings, 0, sizeof (settings));
 +	next = stpncpy (settings, prefix, settings_len);
 	salt_size = get_salt_size (DEFAULT_CRYPT_METHOD);
 -	generate_salt ((settings + prefix_len), salt_size);
 -	settings[DEFAULT_SALT_SIZE + prefix_len] = '\0';
 +	if (salt_size > settings_len - (next - settings)) {
 +		errno = EOVERFLOW;
 +		return -1;
 +	}
 +	generate_salt (next, salt_size);
 +	next += salt_size;
 +	*next = '\0';
 	crypt_string = crypt (password, settings);
 	free (password);
 -- 
 2.17.1
--- a/SOURCES/0011-Fix-a-integer-comparison-sign-issue.patch
+++ b/SOURCES/0011-Fix-a-integer-comparison-sign-issue.patch
@ -0,0 +1,33 @@
 From 9292352eb29a4fca41909448799efc524ee3c255 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 25 Jul 2018 10:27:34 -0400
 Subject: [PATCH] Fix a integer comparison sign issue.
 I introduced this, and it's stupid:
 mokutil.c: In function 'generate_pw_hash':
 mokutil.c:1971:16: error: comparison of integer expressions of different signedness: 'unsigned int' and 'int' [-Werror=sign-compare]
  if (salt_size > settings_len - (next - settings)) {
                ^
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/mokutil.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/mokutil.c b/src/mokutil.c
 index d03127abf54..068df0d109c 100644
 --- a/src/mokutil.c
 +++ b/src/mokutil.c
@@ -1938,7 +1938,7 @@ generate_pw_hash (const char *input_pw)
 	char *password = NULL;
 	char *crypt_string;
 	const char *prefix;
 -	int settings_len = sizeof (settings) - 2;
 +	unsigned int settings_len = sizeof (settings) - 2;
 	unsigned int pw_len, salt_size;
 	if (input_pw) {
 -- 
 2.17.1
--- a/SPECS/mokutil.spec
+++ b/SPECS/mokutil.spec
@ -0,0 +1,101 @@
 Name:           mokutil
 Version:        0.3.0
 Release:        9%{?dist}
 Epoch:          1
 Summary:        Tool to manage UEFI Secure Boot MoK Keys
 License:        GPLv3+
 URL:            https://github.com/lcp/mokutil
 ExclusiveArch:  %{ix86} x86_64 aarch64
 BuildRequires:  autoconf automake gnu-efi git openssl-devel openssl
 BuildRequires:  efivar-devel >= 31-1
 Source0:        https://github.com/lcp/mokutil/archive/%{version}.tar.gz
 Conflicts:      shim < 0.8-1%{?dist}
 Obsoletes:      mokutil <= 1:0.3.0-1
 Patch0001: 0001-Fix-the-potential-buffer-overflow.patch
 Patch0002: 0002-Fix-the-32bit-signedness-comparison.patch
 Patch0003: 0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch
 Patch0004: 0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch
 Patch0005: 0005-Make-all-efi_guid_t-const.patch
 Patch0006: 0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch
 Patch0007: 0007-Add-bash-completion-file.patch
 Patch0008: 0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch
 Patch0009: 0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch
 Patch0010: 0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch
 Patch0011: 0011-Fix-a-integer-comparison-sign-issue.patch
 %description
 mokutil provides a tool to manage keys for Secure Boot through the MoK
 ("Machine's Own Keys") mechanism.
 %prep
 %setup -q -n %{name}-%{version}
 git init
 git config user.email "%{name}-owner@fedoraproject.org"
 git config user.name "Fedora Ninjas"
 git add .
 git commit -a -q -m "%{version} baseline."
 git am %{patches} </dev/null
 git config --unset user.email
 git config --unset user.name
 %build
 ./autogen.sh
 %configure
 make %{?_smp_mflags}
 %install
 rm -rf %{buildroot}
 make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
 %files
 %{!?_licensedir:%global license %%doc}
 %license COPYING
 %doc README
 %{_bindir}/mokutil
 %{_mandir}/man1/*
 %{_datadir}/bash-completion/completions/mokutil
 %changelog
 * Tue Jul 24 2018 Peter Jones <pjones@redhat.com> - 0.3.0-9
 - Minor obsoletes fix
 - Import some fixes from upstream
 * Sat Jan 20 2018 Björn Esser <besser82@fedoraproject.org> - 1:0.3.0-8
 - Rebuilt for switch to libxcrypt
 * Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.3.0-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
 * Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.3.0-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
 * Sat Jul 08 2017 Peter Jones <pjones@redhat.com> - 0.3.0-5
 - Rebuild for efivar-31-1.fc26
  Related: rhbz#1468841
 * Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.3.0-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
 * Wed Aug 17 2016 Peter Jones <pjones@redhat.com> - 0.3.0-3
 - Rebuild for newer efivar again.
 * Wed Aug 10 2016 Peter Jones <pjones@redhat.com> - 0.3.0-2
 - Update for newer efivar.
 * Tue Jun 14 2016 Peter Jones <pjones@redhat.com> - 0.3.0-1
 - Update to 0.3.0 release.
  Resolves: rhbz#1334628
 * Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.2.0-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
 * Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:0.2.0-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
 * Sat Feb 21 2015 Till Maas <opensource@till.name> - 1:0.2.0-2
 - Rebuilt for Fedora 23 Change
  https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
 * Mon Oct 06 2014 Peter Jones <pjones@redhat.com> - 0.2.0-1
 - First independent package.
		`@ -0,0 +1 @@`
							`8686e2ab33689a7f71268db3c8dc0a51ba291d93 SOURCES/0.3.0.tar.gz`