Apply upstream commits to fix FTBFS (ps: version 4 is available)
This commit is contained in:
parent
7de321e3ad
commit
f34068734f
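--- /dev/null
+++ b/0008-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch
@@ -0,0 +1,102 @@
+From 385a7dd63fad61a28e38444da797d947f1c79623 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 15 May 2018 11:20:15 -0400
+Subject: [PATCH 01/12] generate_hash() / generate_pw_hash(): don't use
+strlen() for strncpy bounds
+
+New gcc rightly comlplains when we do the following:
+
+strncpy (dest, src, strlen(src));
+
+For two reasons:
+a) it doesn't copy the NUL byte
+b) it's otherwise the same thing strcpy() would have done
+
+This patch replaces that with stpncpy (just because it's slightly easier
+to use) and the real bounds for the destination.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+src/mokutil.c | 34 +++++++++++++++++++++++-----------
+1 file changed, 23 insertions(+), 11 deletions(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index 6e9a342..6e31e2d 100644
+--- a/src/mokutil.c
++++ b/src/mokutil.c
+@@ -766,9 +766,10 @@ generate_hash (pw_crypt_t *pw_crypt, char *password, unsigned int pw_len)
+{
+pw_crypt_t new_crypt;
+char settings[SETTINGS_LEN];
++ char *next;
+char *crypt_string;
+const char *prefix;
+- int hash_len, prefix_len;
++ int hash_len, settings_len = sizeof (settings) - 2;
+
+if (!password || !pw_crypt || password[pw_len] != '\0')
+return -1;
+@@ -776,15 +777,19 @@ generate_hash (pw_crypt_t *pw_crypt, char *password, unsigned int pw_len)
+prefix = get_crypt_prefix (pw_crypt->method);
+if (!prefix)
+return -1;
+- prefix_len = strlen(prefix);
+
+pw_crypt->salt_size = get_salt_size (pw_crypt->method);
+generate_salt ((char *)pw_crypt->salt, pw_crypt->salt_size);
+
+- strncpy (settings, prefix, prefix_len);
+- strncpy (settings + prefix_len, (const char *)pw_crypt->salt,
+- pw_crypt->salt_size);
+- settings[pw_crypt->salt_size + prefix_len] = '\0';
++ memset (settings, 0, sizeof (settings));
++ next = stpncpy (settings, prefix, settings_len);
++ if (pw_crypt->salt_size > settings_len - (next - settings)) {
++ errno = EOVERFLOW;
++ return -1;
++ }
++ next = stpncpy (next, (const char *)pw_crypt->salt,
++ pw_crypt->salt_size);
++ *next = '\0';
+
+crypt_string = crypt (password, settings);
+if (!crypt_string)
+@@ -1931,10 +1936,11 @@ static int
+generate_pw_hash (const char *input_pw)
+{
+char settings[SETTINGS_LEN];
++ char *next;
+char *password = NULL;
+char *crypt_string;
+const char *prefix;
+- int prefix_len;
++ int settings_len = sizeof (settings) - 2;
+unsigned int pw_len, salt_size;
+
+if (input_pw) {
+@@ -1960,12 +1966,18 @@ generate_pw_hash (const char *input_pw)
+prefix = get_crypt_prefix (DEFAULT_CRYPT_METHOD);
+if (!prefix)
+return -1;
+- prefix_len = strlen(prefix);
+
+- strncpy (settings, prefix, prefix_len);
++ memset (settings, 0, sizeof (settings));
++ next = stpncpy (settings, prefix, settings_len);
+salt_size = get_salt_size (DEFAULT_CRYPT_METHOD);
+- generate_salt ((settings + prefix_len), salt_size);
+- settings[DEFAULT_SALT_SIZE + prefix_len] = '\0';
++ if (salt_size > settings_len - (next - settings)) {
++ free(password);
++ errno = EOVERFLOW;
++ return -1;
++ }
++ generate_salt (next, salt_size);
++ next += salt_size;
++ *next = '\0';
+
+crypt_string = crypt (password, settings);
+free (password);
+--
+2.21.0
+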
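Review bot: In generate_hash the salt is appended with `next = stpncpy (next, (const char *)pw_crypt->salt, pw_crypt->salt_size);`, which treats the salt as a C string: a NUL byte anywhere in pw_crypt->salt would stop the copy early, and crypt() would then run on a shorter salt than the salt_size recorded in pw_crypt, with no error reported. Whether generate_salt() can ever emit a zero byte is not visible in this hunk, but the intent is a fixed-length byte copy, so `memcpy (next, pw_crypt->salt, pw_crypt->salt_size); next += pw_crypt->salt_size;` states that directly and mirrors the `generate_salt (next, salt_size); next += salt_size;` form the same patch uses in generate_pw_hash. A smaller point of style in both functions: `settings_len` is an `int` initialised from `sizeof (settings) - 2` and then compared with the unsigned salt sizes; declaring it `size_t` and writing the remaining room as `(size_t)(next - settings)` keeps the comparison unsigned throughout (the difference is never negative, since stpncpy returns at most settings + settings_len). The bodies of generate_hash and generate_pw_hash start and end outside these hunks.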
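--- /dev/null
+++ b/0009-Avoid-taking-pointer-to-packed-struct.patch
@@ -0,0 +1,117 @@
+From 19e8c9071b3d9306ca7b7329b313b31f86c2936d Mon Sep 17 00:00:00 2001
+From: Harry Youd <harry@harryyoud.co.uk>
+Date: Wed, 31 Jul 2019 19:44:53 +0100
+Subject: [PATCH 12/12] Avoid taking pointer to packed struct
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes:
+error: taking address of packed member of ‘struct <anonymous>’ may result in an unaligned pointer value [-Werror=address-of-packed-member]
+---
+src/mokutil.c | 38 ++++++++++++++++++++++----------------
+1 file changed, 22 insertions(+), 16 deletions(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index e2d567d..8892613 100644
+--- a/src/mokutil.c
++++ b/src/mokutil.c
+@@ -270,20 +270,22 @@ build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
+return NULL;
+}
+
+- if ((efi_guid_cmp (&CertList->SignatureType, &efi_guid_x509_cert) != 0) &&
+- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha1) != 0) &&
+- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha224) != 0) &&
+- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha256) != 0) &&
+- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha384) != 0) &&
+- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha512) != 0)) {
++ efi_guid_t sigtype = CertList->SignatureType;
++
++ if ((efi_guid_cmp (&sigtype, &efi_guid_x509_cert) != 0) &&
++ (efi_guid_cmp (&sigtype, &efi_guid_sha1) != 0) &&
++ (efi_guid_cmp (&sigtype, &efi_guid_sha224) != 0) &&
++ (efi_guid_cmp (&sigtype, &efi_guid_sha256) != 0) &&
++ (efi_guid_cmp (&sigtype, &efi_guid_sha384) != 0) &&
++ (efi_guid_cmp (&sigtype, &efi_guid_sha512) != 0)) {
+dbsize -= CertList->SignatureListSize;
+CertList = (EFI_SIGNATURE_LIST *)((uint8_t *) CertList +
+CertList->SignatureListSize);
+continue;
+}
+
+- if ((efi_guid_cmp (&CertList->SignatureType, &efi_guid_x509_cert) != 0) &&
+- (CertList->SignatureSize != signature_size (&CertList->SignatureType))) {
++ if ((efi_guid_cmp (&sigtype, &efi_guid_x509_cert) != 0) &&
++ (CertList->SignatureSize != signature_size (&sigtype))) {
+dbsize -= CertList->SignatureListSize;
+CertList = (EFI_SIGNATURE_LIST *)((uint8_t *) CertList +
+CertList->SignatureListSize);
+@@ -312,7 +314,7 @@ build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
+}
+
+list[count].header = CertList;
+- if (efi_guid_cmp (&CertList->SignatureType, &efi_guid_x509_cert) == 0) {
++ if (efi_guid_cmp (&sigtype, &efi_guid_x509_cert) == 0) {
+/* X509 certificate */
+list[count].mok_size = CertList->SignatureSize -
+sizeof(efi_guid_t);
+@@ -442,10 +444,11 @@ list_keys (uint8_t *data, size_t data_size)
+
+for (unsigned int i = 0; i < mok_num; i++) {
+printf ("[key %d]\n", i+1);
+- if (efi_guid_cmp (&list[i].header->SignatureType, &efi_guid_x509_cert) == 0) {
++ efi_guid_t sigtype = list[i].header->SignatureType;
++ if (efi_guid_cmp (&sigtype, &efi_guid_x509_cert) == 0) {
+print_x509 ((char *)list[i].mok, list[i].mok_size);
+} else {
+- print_hash_array (&list[i].header->SignatureType,
++ print_hash_array (&sigtype,
+list[i].mok, list[i].mok_size);
+}
+if (i < mok_num - 1)
+@@ -523,7 +526,8 @@ delete_data_from_list (const efi_guid_t *var_guid, const char *var_name,
+remain = total;
+for (unsigned int i = 0; i < mok_num; i++) {
+remain -= list[i].header->SignatureListSize;
+- if (efi_guid_cmp (&list[i].header->SignatureType, type) != 0)
++ efi_guid_t sigtype = list[i].header->SignatureType;
++ if (efi_guid_cmp (&sigtype, type) != 0)
+continue;
+
+sig_list_size = list[i].header->SignatureListSize;
+@@ -1057,7 +1061,8 @@ is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size
+}
+
+for (unsigned int i = 0; i < node_num; i++) {
+- if (efi_guid_cmp (&list[i].header->SignatureType, type) != 0)
++ efi_guid_t sigtype = list[i].header->SignatureType;
++ if (efi_guid_cmp (&sigtype, type) != 0)
+continue;
+
+if (efi_guid_cmp (type, &efi_guid_x509_cert) == 0) {
+@@ -1510,8 +1515,8 @@ issue_hash_request (const char *hash_str, MokRequest req,
+goto error;
+/* Check if there is a signature list with the same type */
+for (unsigned int i = 0; i < mok_num; i++) {
+- if (efi_guid_cmp (&mok_list[i].header->SignatureType,
+- &hash_type) == 0) {
++ efi_guid_t sigtype = mok_list[i].header->SignatureType;
++ if (efi_guid_cmp (&sigtype, &hash_type) == 0) {
+merge_ind = i;
+list_size -= sizeof(EFI_SIGNATURE_LIST);
+break;
+@@ -1678,8 +1683,9 @@ export_db_keys (const DBName db_name)
+for (unsigned i = 0; i < mok_num; i++) {
+off_t offset = 0;
+ssize_t write_size;
++ efi_guid_t sigtype = list[i].header->SignatureType;
+
+- if (efi_guid_cmp (&list[i].header->SignatureType, &efi_guid_x509_cert) != 0)
++ if (efi_guid_cmp (&sigtype, &efi_guid_x509_cert) != 0)
+continue;
+
+/* Dump X509 certificate to files */
+--
+2.21.0
+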
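Review bot: The `efi_guid_t sigtype = CertList->SignatureType;` copy in build_mok_list is a snapshot taken once per iteration and is still relied on as late as the `if (efi_guid_cmp (&sigtype, &efi_guid_x509_cert) == 0)` test in the third hunk, while `CertList` is re-pointed in the two `continue` branches in between and possibly in lines 290-312, which are not shown; the snapshot is only correct as long as the declaration sits inside the loop body and nothing advances CertList before that later test, which this hunk cannot confirm. A one-line comment on the declaration, `/* by-value copy: &CertList->SignatureType is misaligned in the packed struct; refresh if CertList moves */`, would record both why the copy exists and the invariant the later uses depend on. The per-iteration copies in list_keys, delete_data_from_list, is_duplicate, issue_hash_request and export_db_keys do not have this exposure, since each is declared inside its visible `for` body and used only in that iteration. The loop enclosing the first three hunks of build_mok_list starts before the hunk.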
@ -1,6 +1,6 @@
Name: mokutil
Name: mokutil
Version: 0.3.0
Version: 0.3.0
Release: 13%{?dist}
Release: 14%{?dist}
Epoch: 1
Epoch: 1
Summary: Tool to manage UEFI Secure Boot MoK Keys
Summary: Tool to manage UEFI Secure Boot MoK Keys
License: GPLv3+
License: GPLv3+
@ -20,6 +20,8 @@ Patch0004: 0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch
Patch0005: 0005-Make-all-efi_guid_t-const.patch
Patch0005: 0005-Make-all-efi_guid_t-const.patch
Patch0006: 0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch
Patch0006: 0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch
Patch0007: 0007-Add-bash-completion-file.patch
Patch0007: 0007-Add-bash-completion-file.patch
Patch0008: 0008-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch
Patch0009: 0009-Avoid-taking-pointer-to-packed-struct.patch
%description
%description
mokutil provides a tool to manage keys for Secure Boot through the MoK
mokutil provides a tool to manage keys for Secure Boot through the MoK
@ -54,6 +56,9 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
%{_datadir}/bash-completion/completions/mokutil
%{_datadir}/bash-completion/completions/mokutil
%changelog
%changelog
* Thu Oct 24 2019 Leigh Scott <leigh123linux@googlemail.com> - 1:0.3.0-14
- Apply upstream commits to fix FTBFS
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.3.0-13
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.3.0-13
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild