rpms/mokutil
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Update to 0.4.0 release

Browse Source 
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
This commit is contained in:
Javier Martinez Canillas 2020-06-11 10:16:10 +02:00
parent 0b183ace80
commit bb6336e087
No known key found for this signature in database
GPG Key ID: C751E590D63F3D69
12 changed files with 9 additions and 482 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
0009-Avoid-taking-pointer-to-packed-struct.patch → 0001-Avoid-taking-pointer-to-packed-struct.patch
View File

@ -1,7 +1,7 @@
From 19e8c9071b3d9306ca7b7329b313b31f86c2936d Mon Sep 17 00:00:00 2001 From 19e8c9071b3d9306ca7b7329b313b31f86c2936d Mon Sep 17 00:00:00 2001
From: Harry Youd <harry@harryyoud.co.uk> From: Harry Youd <harry@harryyoud.co.uk>
Date: Wed, 31 Jul 2019 19:44:53 +0100 Date: Wed, 31 Jul 2019 19:44:53 +0100
Subject: [PATCH 12/12] Avoid taking pointer to packed struct Subject: [PATCH] Avoid taking pointer to packed struct
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8 Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit Content-Transfer-Encoding: 8bit

36
0001-Fix-the-potential-buffer-overflow.patch
View File

@ -1,36 +0,0 @@
From 1313fa02a5b2bfe61ee6702696600fc148ec2d6e Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 4 Nov 2014 15:50:03 +0800
Subject: [PATCH 1/7] Fix the potential buffer overflow
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
src/mokutil.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 5b34f22..93fb6fa 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1743,7 +1743,7 @@ set_toggle (const char * VarName, uint32_t state)
MokToggleVar tvar;
char *password = NULL;
unsigned int pw_len;
- efi_char16_t efichar_pass[SB_PASSWORD_MAX];
+ efi_char16_t efichar_pass[SB_PASSWORD_MAX+1];
int ret = -1;
printf ("password length: %d~%d\n", SB_PASSWORD_MIN, SB_PASSWORD_MAX);
@@ -1757,8 +1757,7 @@ set_toggle (const char * VarName, uint32_t state)
efichar_from_char (efichar_pass, password,
SB_PASSWORD_MAX * sizeof(efi_char16_t));
- memcpy(tvar.password, efichar_pass,
- SB_PASSWORD_MAX * sizeof(efi_char16_t));
+ memcpy(tvar.password, efichar_pass, sizeof(tvar.password));
tvar.mok_toggle_state = state;
--
2.7.4

0
0010-Fix-a-integer-comparison-sign-issue.patch → 0002-Fix-a-integer-comparison-sign-issue.patch
View File

34
0002-Fix-the-32bit-signedness-comparison.patch
View File

@ -1,34 +0,0 @@
From cdb4b6f3bfd6ada6558ddfb889e27150f0841b28 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Mon, 24 Nov 2014 11:38:54 +0800
Subject: [PATCH 2/7] Fix the 32bit signedness comparison
---
src/mokutil.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 93fb6fa..a7e83f7 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1284,7 +1284,7 @@ issue_mok_request (char **files, uint32_t total, MokRequest req,
/* Mok */
read_size = read (fd, ptr, sizes[i]);
- if (read_size < 0 || read_size != sizes[i]) {
+ if (read_size < 0 || read_size != (int64_t)sizes[i]) {
fprintf (stderr, "Failed to read %s\n", files[i]);
goto error;
}
@@ -1645,7 +1645,7 @@ export_moks ()
goto error;
}
- while (offset < list[i].mok_size) {
+ while (offset < (int64_t)list[i].mok_size) {
write_size = write (fd, list[i].mok + offset,
list[i].mok_size - offset);
if (write_size < 0) {
--
2.7.4

42
0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch
View File

@ -1,42 +0,0 @@
From 9eb111a7f7b897ba4ae19a68708e010a5c384260 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 19 Jun 2015 16:53:36 -0400
Subject: [PATCH 3/7] Build with -fshort-wchar so toggle passwords work right.
This source tree uses:
typedef wchar_t efi_char16_t;
to define UEFI's UCS-2 character type. On many platforms, wchar_t is
32-bits by default. As a result, efichar_from_char winds up writing
4-byte characters instead of 2-byte characters. In the case where we
hash the password in mokutil, this works fine, because the same datatype
is used, and the values are the same. But for our feature toggles,
where we store the raw data and shim is interpretting the character
array, every other character winds up being L'\0', and verification
fails.
So always build with -fshort-wchar to ensure we get 2-byte character
storage.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
configure.ac | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index fe28fb9..69d412a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -37,7 +37,7 @@ else
default_strict=no
fi
-WARNINGFLAGS_C="$WARNINGFLAGS_C -std=gnu11"
+WARNINGFLAGS_C="$WARNINGFLAGS_C -std=gnu11 -fshort-wchar"
AC_ARG_ENABLE(strict, AS_HELP_STRING([--enable-strict],[Enable strict compilation options]), enable_strict=$enableval,
enable_strict=$default_strict)
--
2.7.4

32
0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch
View File

@ -1,32 +0,0 @@
From ecc8fb0d92f0f453414a98172df22e23fb5893f5 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 16 Jun 2015 17:06:30 -0400
Subject: [PATCH 4/7] Don't allow sha1 on the mokutil command line.
Related: rhbz#1115843
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/mokutil.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/mokutil.c b/src/mokutil.c
index a7e83f7..1fb34f9 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1351,10 +1351,12 @@ identify_hash_type (const char *hash_str, efi_guid_t *type)
}
switch (len) {
+#if 0
case SHA_DIGEST_LENGTH*2:
*type = efi_guid_sha1;
hash_size = SHA_DIGEST_LENGTH;
break;
+#endif
case SHA224_DIGEST_LENGTH*2:
*type = efi_guid_sha224;
hash_size = SHA224_DIGEST_LENGTH;
--
2.7.4

87
0005-Make-all-efi_guid_t-const.patch
View File

@ -1,87 +0,0 @@
From eba569a8e6c33f07042758cbfa1706d7339464e1 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Wed, 13 Jan 2016 16:05:21 +0800
Subject: [PATCH 5/7] Make all efi_guid_t const
All UEFI GUIDs defined in efivar are const. Declare all of them const
to make gcc happy.
Signed-off-by: Gary Lin <glin@suse.com>
---
src/mokutil.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 1fb34f9..d2c52b4 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -200,7 +200,7 @@ efichar_from_char (efi_char16_t *dest, const char *src, size_t dest_len)
}
static uint32_t
-efi_hash_size (efi_guid_t *hash_type)
+efi_hash_size (const efi_guid_t *hash_type)
{
if (efi_guid_cmp (hash_type, &efi_guid_sha1) == 0) {
return SHA_DIGEST_LENGTH;
@@ -218,7 +218,7 @@ efi_hash_size (efi_guid_t *hash_type)
}
static uint32_t
-signature_size (efi_guid_t *hash_type)
+signature_size (const efi_guid_t *hash_type)
{
uint32_t hash_size;
@@ -439,7 +439,7 @@ list_keys (uint8_t *data, size_t data_size)
/* match the hash in the hash array and return the index if matched */
static int
-match_hash_array (efi_guid_t *hash_type, const void *hash,
+match_hash_array (const efi_guid_t *hash_type, const void *hash,
const void *hash_array, const uint32_t array_size)
{
uint32_t hash_size, hash_count;
@@ -469,8 +469,8 @@ match_hash_array (efi_guid_t *hash_type, const void *hash,
}
static int
-delete_data_from_list (efi_guid_t *var_guid, const char *var_name,
- efi_guid_t *type, void *data, uint32_t data_size)
+delete_data_from_list (const efi_guid_t *var_guid, const char *var_name,
+ const efi_guid_t *type, void *data, uint32_t data_size)
{
uint8_t *var_data = NULL;
size_t var_data_size = 0;
@@ -1006,8 +1006,8 @@ is_valid_cert (void *cert, uint32_t cert_size)
}
static int
-is_duplicate (efi_guid_t *type, const void *data, const uint32_t data_size,
- efi_guid_t *vendor, const char *db_name)
+is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size,
+ const efi_guid_t *vendor, const char *db_name)
{
uint8_t *var_data;
size_t var_data_size;
@@ -1059,7 +1059,7 @@ done:
}
static int
-is_valid_request (efi_guid_t *type, void *mok, uint32_t mok_size,
+is_valid_request (const efi_guid_t *type, void *mok, uint32_t mok_size,
MokRequest req)
{
switch (req) {
@@ -1096,7 +1096,7 @@ is_valid_request (efi_guid_t *type, void *mok, uint32_t mok_size,
}
static int
-in_pending_request (efi_guid_t *type, void *data, uint32_t data_size,
+in_pending_request (const efi_guid_t *type, void *data, uint32_t data_size,
MokRequest req)
{
uint8_t *authvar_data;
--
2.7.4

37
0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch
View File

@ -1,37 +0,0 @@
From b68dca2d4de779387c4b5306bb9cfc9a3bab2572 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 14 Jun 2016 10:19:43 -0400
Subject: [PATCH 6/7] mokutil: be explicit about file modes in all cases.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/mokutil.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index d2c52b4..d554f6c 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -574,7 +574,8 @@ delete_data_from_list (const efi_guid_t *var_guid, const char *var_name,
| EFI_VARIABLE_BOOTSERVICE_ACCESS
| EFI_VARIABLE_RUNTIME_ACCESS;
ret = efi_set_variable (*var_guid, var_name,
- var_data, total, attributes);
+ var_data, total, attributes,
+ S_IRUSR | S_IWUSR);
if (ret < 0) {
fprintf (stderr, "Failed to write variable \"%s\": %m\n",
var_name);
@@ -938,7 +939,8 @@ update_request (void *new_list, int list_len, MokRequest req,
data_size = list_len;
if (efi_set_variable (efi_guid_shim, req_name,
- data, data_size, attributes) < 0) {
+ data, data_size, attributes,
+ S_IRUSR | S_IWUSR) < 0) {
switch (req) {
case ENROLL_MOK:
fprintf (stderr, "Failed to enroll new keys\n");
--
2.7.4

98
0007-Add-bash-completion-file.patch
View File

@ -1,98 +0,0 @@
From d16c76d139f9a9a56b49c0dd51cd9056f626031e Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 14 Jun 2016 10:20:14 -0400
Subject: [PATCH 7/7] Add bash completion file.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
Makefile.am | 5 +++++
configure.ac | 17 +++++++++++++++++
data/mokutil | 37 +++++++++++++++++++++++++++++++++++++
3 files changed, 59 insertions(+)
create mode 100755 data/mokutil
diff --git a/Makefile.am b/Makefile.am
index 9f0d419..c17cc4a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1 +1,6 @@
SUBDIRS = src man
+
+if ENABLE_BASH_COMPLETION
+ bashcompletiondir = $(BASH_COMPLETION_DIR)
+ dist_bashcompletion_DATA = data/mokutil
+endif
diff --git a/configure.ac b/configure.ac
index 69d412a..7b52a06 100644
--- a/configure.ac
+++ b/configure.ac
@@ -86,6 +86,23 @@ AC_CHECK_FUNCS([memset])
PKG_CHECK_MODULES(OPENSSL, [openssl >= 0.9.8])
PKG_CHECK_MODULES(EFIVAR, [efivar >= 0.12])
+AC_ARG_WITH([bash-completion-dir],
+ AS_HELP_STRING([--with-bash-completion-dir[=PATH]],
+ [Install the bash auto-completion script in this directory. @<:@default=yes@:>@]),
+ [],
+ [with_bash_completion_dir=yes])
+
+if test "x$with_bash_completion_dir" = "xyes"; then
+ PKG_CHECK_MODULES([BASH_COMPLETION], [bash-completion >= 2.0],
+ [BASH_COMPLETION_DIR="`pkg-config --variable=completionsdir bash-completion`"],
+ [BASH_COMPLETION_DIR="$datadir/bash-completion/completions"])
+else
+ BASH_COMPLETION_DIR="$with_bash_completion_dir"
+fi
+
+AC_SUBST([BASH_COMPLETION_DIR])
+AM_CONDITIONAL([ENABLE_BASH_COMPLETION],[test "x$with_bash_completion_dir" != "xno"])
+
AC_CONFIG_FILES([Makefile
src/Makefile
man/Makefile])
diff --git a/data/mokutil b/data/mokutil
new file mode 100755
index 0000000..800b039
--- /dev/null
+++ b/data/mokutil
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+_mokutil()
+{
+ local cur=${COMP_WORDS[COMP_CWORD]}
+
+ if [[ "$cur" == -* ]]; then
+ #COMPREPLY=( $( compgen -W "--help --list-enrolled --list-new --list-delete --import --delete --revoke-import --revoke-delete --export --password --clear-password --disable-validation --enable-validation --sb-state --test-key --reset --generate-hash --hash-file --root-pw --simple-hash" -- $cur ) )
+ COMPREPLY=( $( compgen -W '$( _parse_help "$1" --long-help ) -h -l -N -D -i -d -x -p -c -t -f -g -P -s -X' -- "$cur" ) )
+ [[ $COMPREPLY == *= ]] && compopt -o nospace
+ return 0
+ fi
+
+ case "${COMP_WORDS[COMP_CWORD-1]}" in
+ --import|-i|--delete|-d|--test-key|-t|--hash-file|-f)
+ _filedir
+ return 0
+ ;;
+ --import-hash|--delete-hash)
+ COMPREPLY=( $( compgen -W "" ) )
+ return 0
+ ;;
+ --set-verbosity)
+ COMPREPLY=( $( compgen -W "true false") )
+ return 0
+ ;;
+ --generate-hash|-g)
+ COMPREPLY=( $( compgen -o nospace -P= -W "") )
+ return 0
+ ;;
+ *)
+ return 0
+ ;;
+ esac
+}
+
+complete -F _mokutil mokutil
--
2.7.4

102
0008-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch
View File

@ -1,102 +0,0 @@
From 385a7dd63fad61a28e38444da797d947f1c79623 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 15 May 2018 11:20:15 -0400
Subject: [PATCH 01/12] generate_hash() / generate_pw_hash(): don't use
strlen() for strncpy bounds
New gcc rightly comlplains when we do the following:
strncpy (dest, src, strlen(src));
For two reasons:
a) it doesn't copy the NUL byte
b) it's otherwise the same thing strcpy() would have done
This patch replaces that with stpncpy (just because it's slightly easier
to use) and the real bounds for the destination.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/mokutil.c | 34 +++++++++++++++++++++++-----------
1 file changed, 23 insertions(+), 11 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 6e9a342..6e31e2d 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -766,9 +766,10 @@ generate_hash (pw_crypt_t *pw_crypt, char *password, unsigned int pw_len)
{
pw_crypt_t new_crypt;
char settings[SETTINGS_LEN];
+ char *next;
char *crypt_string;
const char *prefix;
- int hash_len, prefix_len;
+ int hash_len, settings_len = sizeof (settings) - 2;
if (!password || !pw_crypt || password[pw_len] != '\0')
return -1;
@@ -776,15 +777,19 @@ generate_hash (pw_crypt_t *pw_crypt, char *password, unsigned int pw_len)
prefix = get_crypt_prefix (pw_crypt->method);
if (!prefix)
return -1;
- prefix_len = strlen(prefix);
pw_crypt->salt_size = get_salt_size (pw_crypt->method);
generate_salt ((char *)pw_crypt->salt, pw_crypt->salt_size);
- strncpy (settings, prefix, prefix_len);
- strncpy (settings + prefix_len, (const char *)pw_crypt->salt,
- pw_crypt->salt_size);
- settings[pw_crypt->salt_size + prefix_len] = '\0';
+ memset (settings, 0, sizeof (settings));
+ next = stpncpy (settings, prefix, settings_len);
+ if (pw_crypt->salt_size > settings_len - (next - settings)) {
+ errno = EOVERFLOW;
+ return -1;
+ }
+ next = stpncpy (next, (const char *)pw_crypt->salt,
+ pw_crypt->salt_size);
+ *next = '\0';
crypt_string = crypt (password, settings);
if (!crypt_string)
@@ -1931,10 +1936,11 @@ static int
generate_pw_hash (const char *input_pw)
{
char settings[SETTINGS_LEN];
+ char *next;
char *password = NULL;
char *crypt_string;
const char *prefix;
- int prefix_len;
+ int settings_len = sizeof (settings) - 2;
unsigned int pw_len, salt_size;
if (input_pw) {
@@ -1960,12 +1966,18 @@ generate_pw_hash (const char *input_pw)
prefix = get_crypt_prefix (DEFAULT_CRYPT_METHOD);
if (!prefix)
return -1;
- prefix_len = strlen(prefix);
- strncpy (settings, prefix, prefix_len);
+ memset (settings, 0, sizeof (settings));
+ next = stpncpy (settings, prefix, settings_len);
salt_size = get_salt_size (DEFAULT_CRYPT_METHOD);
- generate_salt ((settings + prefix_len), salt_size);
- settings[DEFAULT_SALT_SIZE + prefix_len] = '\0';
+ if (salt_size > settings_len - (next - settings)) {
+ free(password);
+ errno = EOVERFLOW;
+ return -1;
+ }
+ generate_salt (next, salt_size);
+ next += salt_size;
+ *next = '\0';
crypt_string = crypt (password, settings);
free (password);
--
2.21.0

19
mokutil.spec
View File

@ -1,6 +1,6 @@
Name: mokutil Name: mokutil
Version: 0.3.0 Version: 0.4.0
Release: 15%{?dist} Release: 1%{?dist}
Epoch: 2 Epoch: 2
Summary: Tool to manage UEFI Secure Boot MoK Keys Summary: Tool to manage UEFI Secure Boot MoK Keys
License: GPLv3+ License: GPLv3+
@ -13,16 +13,8 @@ Source0: https://github.com/lcp/mokutil/archive/%{version}.tar.gz
Conflicts: shim < 0.8-1%{?dist} Conflicts: shim < 0.8-1%{?dist}
Obsoletes: mokutil < 0.2.0 Obsoletes: mokutil < 0.2.0
Patch0001: 0001-Fix-the-potential-buffer-overflow.patch Patch0001: 0001-Avoid-taking-pointer-to-packed-struct.patch
Patch0002: 0002-Fix-the-32bit-signedness-comparison.patch Patch0002: 0002-Fix-a-integer-comparison-sign-issue.patch
Patch0003: 0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch
Patch0004: 0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch
Patch0005: 0005-Make-all-efi_guid_t-const.patch
Patch0006: 0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch
Patch0007: 0007-Add-bash-completion-file.patch
Patch0008: 0008-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch
Patch0009: 0009-Avoid-taking-pointer-to-packed-struct.patch
Patch0010: 0010-Fix-a-integer-comparison-sign-issue.patch
%description %description
mokutil provides a tool to manage keys for Secure Boot through the MoK mokutil provides a tool to manage keys for Secure Boot through the MoK
@ -57,6 +49,9 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
%{_datadir}/bash-completion/completions/mokutil %{_datadir}/bash-completion/completions/mokutil
%changelog %changelog
* Thu Jun 11 2020 Javier Martinez Canillas <javierm@redhat.com> - 0.4.0-1
- Update to 0.4.0 release
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:0.3.0-15 * Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:0.3.0-15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild

2
sources
View File

@ -1 +1 @@
5b102eed26eaef5f622f3f5478351c12 0.3.0.tar.gz SHA512 (0.4.0.tar.gz) = 1caa4242fda51f73b5e1a97ad38d9235cee5e5dad72e3e40c9e44a20c76cd5397e299693733e4d52e3b05b0272a30732d8c3ea86403739cbc6545de16c1a2dd0