rpms/mokutil
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Port to OpenSSL 3.0

Browse Source 
The mokutil tool is using functions that were deprecated since OpenSSL 3.0
and needs to be ported to the newer functions that should be used instead.

Resolves: rhbz#1958040

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
This commit is contained in:
Javier Martinez Canillas 2021-05-25 18:31:31 +02:00
parent 66d416bba3
commit f42b7a6e10
No known key found for this signature in database
GPG Key ID: C751E590D63F3D69
4 changed files with 447 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

260
0005-mokutil-remove-simple-hash.patch Normal file
View File

@ -0,0 +1,260 @@
From b7a6c0a7ee8e66c5daa377d2e6f59461ed34f3bf Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Tue, 25 May 2021 12:46:03 +0200
Subject: [PATCH] mokutil: remove "--simple-hash"
The simple-hash password format is used by the very early MokManager and
not the default format anymore after we changed to password-crypt.
Remove the code to reduce the code size.
Signed-off-by: Gary Lin <glin@suse.com>
---
src/mokutil.c | 87 +++++----------------------------------------------
1 file changed, 7 insertions(+), 80 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 252dc7a327f..563e585979b 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -76,7 +76,6 @@
#define TEST_KEY (1 << 14)
#define RESET (1 << 15)
#define GENERATE_PW_HASH (1 << 16)
-#define SIMPLE_HASH (1 << 17)
#define IGNORE_DB (1 << 18)
#define USE_DB (1 << 19)
#define MOKX (1 << 20)
@@ -95,8 +94,6 @@ typedef unsigned long efi_status_t;
typedef uint8_t efi_bool_t;
typedef wchar_t efi_char16_t; /* UNICODE character */
-static int use_simple_hash;
-
typedef enum {
DELETE_MOK = 0,
ENROLL_MOK,
@@ -182,7 +179,6 @@ print_help ()
printf ("Supplimentary Options:\n");
printf (" --hash-file <hash file>\t\tUse the specific password hash\n");
printf (" --root-pw\t\t\t\tUse the root password\n");
- printf (" --simple-hash\t\t\t\tUse the old password hash method\n");
printf (" --mokx\t\t\t\tManipulate the MOK blacklist\n");
}
@@ -814,32 +810,6 @@ error:
return ret;
}
-static int
-generate_auth (void *new_list, int list_len, char *password,
- unsigned int pw_len, uint8_t *auth)
-{
- efi_char16_t efichar_pass[PASSWORD_MAX+1];
- unsigned long efichar_len;
- SHA256_CTX ctx;
-
- if (!password || !auth)
- return -1;
-
- efichar_len = efichar_from_char (efichar_pass, password,
- pw_len * sizeof(efi_char16_t));
-
- SHA256_Init (&ctx);
-
- if (new_list)
- SHA256_Update (&ctx, new_list, list_len);
-
- SHA256_Update (&ctx, efichar_pass, efichar_len);
-
- SHA256_Final (auth, &ctx);
-
- return 0;
-}
-
static void
generate_salt (char salt[], unsigned int salt_size)
{
@@ -979,7 +949,6 @@ update_request (void *new_list, int list_len, MokRequest req,
size_t data_size;
const char *req_name, *auth_name;
pw_crypt_t pw_crypt;
- uint8_t auth[SHA256_DIGEST_LENGTH];
char *password = NULL;
unsigned int pw_len;
int auth_ret;
@@ -1028,12 +997,7 @@ update_request (void *new_list, int list_len, MokRequest req,
goto error;
}
- if (!use_simple_hash) {
- auth_ret = generate_hash (&pw_crypt, password, pw_len);
- } else {
- auth_ret = generate_auth (new_list, list_len, password,
- pw_len, auth);
- }
+ auth_ret = generate_hash (&pw_crypt, password, pw_len);
if (auth_ret < 0) {
fprintf (stderr, "Couldn't generate hash\n");
goto error;
@@ -1069,13 +1033,8 @@ update_request (void *new_list, int list_len, MokRequest req,
}
/* Write MokAuth, MokDelAuth, MokXAuth, or MokXDelAuth */
- if (!use_simple_hash) {
- data = (void *)&pw_crypt;
- data_size = PASSWORD_CRYPT_SIZE;
- } else {
- data = (void *)auth;
- data_size = SHA256_DIGEST_LENGTH;
- }
+ data = (void *)&pw_crypt;
+ data_size = PASSWORD_CRYPT_SIZE;
if (efi_set_variable (efi_guid_shim, auth_name, data, data_size,
attributes, S_IRUSR | S_IWUSR) < 0) {
@@ -1904,26 +1863,16 @@ set_password (const char *hash_file, const int root_pw, const int clear)
goto error;
}
- if (!use_simple_hash) {
- pw_crypt.method = DEFAULT_CRYPT_METHOD;
- auth_ret = generate_hash (&pw_crypt, password, pw_len);
- } else {
- auth_ret = generate_auth (NULL, 0, password, pw_len,
- auth);
- }
+ pw_crypt.method = DEFAULT_CRYPT_METHOD;
+ auth_ret = generate_hash (&pw_crypt, password, pw_len);
if (auth_ret < 0) {
fprintf (stderr, "Couldn't generate hash\n");
goto error;
}
}
- if (!use_simple_hash) {
- data = (void *)&pw_crypt;
- data_size = PASSWORD_CRYPT_SIZE;
- } else {
- data = (void *)auth;
- data_size = SHA256_DIGEST_LENGTH;
- }
+ data = (void *)auth;
+ data_size = SHA256_DIGEST_LENGTH;
uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
| EFI_VARIABLE_BOOTSERVICE_ACCESS
| EFI_VARIABLE_RUNTIME_ACCESS;
@@ -2301,8 +2250,6 @@ main (int argc, char *argv[])
DBName db_name = MOK_LIST_RT;
int ret = -1;
- use_simple_hash = 0;
-
if (!efi_variables_supported ()) {
fprintf (stderr, "EFI variables are not supported on this system\n");
exit (1);
@@ -2329,7 +2276,6 @@ main (int argc, char *argv[])
{"hash-file", required_argument, 0, 'f'},
{"generate-hash", optional_argument, 0, 'g'},
{"root-pw", no_argument, 0, 'P'},
- {"simple-hash", no_argument, 0, 's'},
{"ignore-db", no_argument, 0, 0 },
{"use-db", no_argument, 0, 0 },
{"mok", no_argument, 0, 'm'},
@@ -2531,10 +2477,6 @@ main (int argc, char *argv[])
case 'x':
command |= EXPORT;
break;
- case 's':
- command |= SIMPLE_HASH;
- use_simple_hash = 1;
- break;
case 'm':
db_name = MOK_LIST_RT;
break;
@@ -2555,9 +2497,6 @@ main (int argc, char *argv[])
}
}
- if (use_root_pw == 1 && use_simple_hash == 1)
- use_simple_hash = 0;
-
if (hash_file && use_root_pw)
command |= HELP;
@@ -2593,22 +2532,18 @@ main (int argc, char *argv[])
ret = list_keys_in_var ("MokDel", efi_guid_shim);
break;
case IMPORT:
- case IMPORT | SIMPLE_HASH:
ret = issue_mok_request (files, total, ENROLL_MOK,
hash_file, use_root_pw);
break;
case DELETE:
- case DELETE | SIMPLE_HASH:
ret = issue_mok_request (files, total, DELETE_MOK,
hash_file, use_root_pw);
break;
case IMPORT_HASH:
- case IMPORT_HASH | SIMPLE_HASH:
ret = issue_hash_request (hash_str, ENROLL_MOK,
hash_file, use_root_pw);
break;
case DELETE_HASH:
- case DELETE_HASH | SIMPLE_HASH:
ret = issue_hash_request (hash_str, DELETE_MOK,
hash_file, use_root_pw);
break;
@@ -2623,11 +2558,9 @@ main (int argc, char *argv[])
ret = export_db_keys (db_name);
break;
case PASSWORD:
- case PASSWORD | SIMPLE_HASH:
ret = set_password (hash_file, use_root_pw, 0);
break;
case CLEAR_PASSWORD:
- case CLEAR_PASSWORD | SIMPLE_HASH:
ret = set_password (NULL, 0, 1);
break;
case DISABLE_VALIDATION:
@@ -2643,7 +2576,6 @@ main (int argc, char *argv[])
ret = test_key (ENROLL_MOK, key_file);
break;
case RESET:
- case RESET | SIMPLE_HASH:
ret = reset_moks (ENROLL_MOK, hash_file, use_root_pw);
break;
case GENERATE_PW_HASH:
@@ -2662,22 +2594,18 @@ main (int argc, char *argv[])
ret = list_keys_in_var ("MokXDel", efi_guid_shim);
break;
case IMPORT | MOKX:
- case IMPORT | SIMPLE_HASH | MOKX:
ret = issue_mok_request (files, total, ENROLL_BLACKLIST,
hash_file, use_root_pw);
break;
case DELETE | MOKX:
- case DELETE | SIMPLE_HASH | MOKX:
ret = issue_mok_request (files, total, DELETE_BLACKLIST,
hash_file, use_root_pw);
break;
case IMPORT_HASH | MOKX:
- case IMPORT_HASH | SIMPLE_HASH | MOKX:
ret = issue_hash_request (hash_str, ENROLL_BLACKLIST,
hash_file, use_root_pw);
break;
case DELETE_HASH | MOKX:
- case DELETE_HASH | SIMPLE_HASH | MOKX:
ret = issue_hash_request (hash_str, DELETE_BLACKLIST,
hash_file, use_root_pw);
break;
@@ -2688,7 +2616,6 @@ main (int argc, char *argv[])
ret = revoke_request (DELETE_BLACKLIST);
break;
case RESET | MOKX:
- case RESET | SIMPLE_HASH | MOKX:
ret = reset_moks (ENROLL_BLACKLIST, hash_file, use_root_pw);
break;
case TEST_KEY | MOKX:
--
2.31.1

81
0006-man-remove-simple-hash.patch Normal file
View File

@ -0,0 +1,81 @@
From d944337820debcaa5e275ec6a3523702ee2d9dd7 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 27 Aug 2020 14:48:08 +0800
Subject: [PATCH 2/2] man: remove "--simple-hash"
Remove "--simple-hash" from the man page.
Signed-off-by: Gary Lin <glin@suse.com>
---
man/mokutil.1 | 19 ++++++-------------
1 file changed, 6 insertions(+), 13 deletions(-)
diff --git a/man/mokutil.1 b/man/mokutil.1
index 446298763ad..1f82ff1abed 100644
--- a/man/mokutil.1
+++ b/man/mokutil.1
@@ -15,11 +15,11 @@ mokutil \- utility to manipulate machine owner keys
.br
\fBmokutil\fR [--import \fIkeylist\fR| -i \fIkeylist\fR]
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
- [--simple-hash | -s] | [--mokx | -X])
+ [--mokx | -X])
.br
\fBmokutil\fR [--delete \fIkeylist\fR | -d \fIkeylist\fR]
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
- [--simple-hash | -s] | [--mokx |- X])
+ [--mokx |- X])
.br
\fBmokutil\fR [--revoke-import]
([--mokx | -X])
@@ -30,11 +30,9 @@ mokutil \- utility to manipulate machine owner keys
\fBmokutil\fR [--export | -x]
.br
\fBmokutil\fR [--password | -p]
- ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
- [--simple-hash | -s])
+ ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P])
.br
\fBmokutil\fR [--clear-password | -c]
- ([--simple-hash | -s])
.br
\fBmokutil\fR [--disable-validation]
.br
@@ -47,7 +45,7 @@ mokutil \- utility to manipulate machine owner keys
.br
\fBmokutil\fR [--reset]
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
- [--simple-hash | -s] | [--mok | -X])
+ [--mok | -X])
.br
\fBmokutil\fR [--generate-hash=\fIpassword\fR | -g\fIpassword\fR]
.br
@@ -57,11 +55,11 @@ mokutil \- utility to manipulate machine owner keys
.br
\fBmokutil\fR [--import-hash \fIhash\fR]
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
- [--simple-hash | -s] | [--mokx | -X])
+ [--mokx | -X])
.br
\fBmokutil\fR [--delete-hash \fIhash\fR]
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
- [--simple-hash | -s] | [--mokx | -X])
+ [--mokx | -X])
.br
\fBmokutil\fR [--set-verbosity (\fItrue\fR | \fIfalse\fR)]
.br
@@ -138,11 +136,6 @@ Use the password hash from a specific file
\fB-P, --root-pw\fR
Use the root password hash from /etc/shadow
.TP
-\fB-s, --simple-hash\fR
-Use the old SHA256 password hash method to hash the password
-.br
-Note: --root-pw invalidates --simple-hash
-.TP
\fB--ignore-db\fR
Tell shim to not use the keys in db to verify EFI images
.TP
--
2.31.1

98
0007-mokutil-use-EVP_Digest-functions-instead-of-the-depr.patch Normal file
View File

@ -0,0 +1,98 @@
From f552d2bb570568673d293fcb2263a2ee8c3333de Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Tue, 25 May 2021 15:22:29 +0200
Subject: [PATCH] mokutil: use EVP_Digest()* functions instead of the
deprecated SHA1_*()
The SHA1_*() functions have been deprecated since OpenSSL 3.0, this leads
to compile errors when building with -Werror=deprecated-declarations, i.e:
mokutil.c: In function 'print_x509':
mokutil.c:424:9: error: 'SHA1_Init' is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
424 | SHA1_Init (&ctx);
| ^~~~~~~~~
...
instead, the EVP_Digest*() functions could be used. Port to them and avoid
these build failures with the latest OpenSSL 3.0 version.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
---
src/mokutil.c | 44 ++++++++++++++++++++++++++++++++++++--------
1 file changed, 36 insertions(+), 8 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 563e585979b..3fdc791af7f 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -405,8 +405,10 @@ print_x509 (char *cert, int cert_size)
{
X509 *X509cert;
BIO *cert_bio;
- SHA_CTX ctx;
- uint8_t fingerprint[SHA_DIGEST_LENGTH];
+ EVP_MD_CTX *ctx;
+ const EVP_MD *md;
+ unsigned int md_len;
+ unsigned char fingerprint[EVP_MAX_MD_SIZE];
cert_bio = BIO_new (BIO_s_mem ());
BIO_write (cert_bio, cert, cert_size);
@@ -418,22 +420,48 @@ print_x509 (char *cert, int cert_size)
X509cert = d2i_X509_bio (cert_bio, NULL);
if (X509cert == NULL) {
fprintf (stderr, "Invalid X509 certificate\n");
- return -1;
+ goto cleanup_bio;
+ }
+
+ md = EVP_get_digestbyname ("SHA1");
+ if(md == NULL) {
+ fprintf (stderr, "Failed to get SHA1 digest\n");
+ goto cleanup_bio;
+ }
+
+ ctx = EVP_MD_CTX_create ();
+ if (ctx == NULL) {
+ fprintf (stderr, "Failed to create digest context\n");
+ goto cleanup_bio;
}
- SHA1_Init (&ctx);
- SHA1_Update (&ctx, cert, cert_size);
- SHA1_Final (fingerprint, &ctx);
+ if (!EVP_DigestInit_ex (ctx, md, NULL)) {
+ fprintf (stderr, "Failed to initialize digest context\n");
+ goto cleanup_ctx;
+ }
+
+ if (!EVP_DigestUpdate (ctx, cert, cert_size)) {
+ fprintf (stderr, "Failed to hash into the digest context\n");
+ goto cleanup_ctx;
+ }
+
+ if (!EVP_DigestFinal_ex (ctx, fingerprint, &md_len)) {
+ fprintf (stderr, "Failed to get digest value\n");
+ goto cleanup_ctx;
+ }
printf ("SHA1 Fingerprint: ");
- for (unsigned int i = 0; i < SHA_DIGEST_LENGTH; i++) {
+ for (unsigned int i = 0; i < md_len; i++) {
printf ("%02x", fingerprint[i]);
- if (i < SHA_DIGEST_LENGTH - 1)
+ if (i < md_len - 1)
printf (":");
}
printf ("\n");
X509_print_fp (stdout, X509cert);
+cleanup_ctx:
+ EVP_MD_CTX_destroy (ctx);
+cleanup_bio:
BIO_free (cert_bio);
return 0;
--
2.31.1

9
mokutil.spec
View File

@ -1,6 +1,6 @@
Name: mokutil
Version: 0.4.0
Release: 5%{?dist}
Release: 6%{?dist}
Epoch: 2
Summary: Tool to manage UEFI Secure Boot MoK Keys
License: GPLv3+
@ -18,6 +18,9 @@ Patch0001: 0001-Avoid-taking-pointer-to-packed-struct.patch
Patch0002: 0002-Fix-a-integer-comparison-sign-issue.patch
Patch0003: 0003-mokutil-Add-option-to-print-the-UEFI-SBAT-variable-c.patch
Patch0004: 0004-mokutil-add-mok-variables-parsing-support.patch
Patch0005: 0005-mokutil-remove-simple-hash.patch
Patch0006: 0006-man-remove-simple-hash.patch
Patch0007: 0007-mokutil-use-EVP_Digest-functions-instead-of-the-depr.patch
%description
mokutil provides a tool to manage keys for Secure Boot through the MoK
@ -52,6 +55,10 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
%{_datadir}/bash-completion/completions/mokutil
%changelog
* Tue May 25 2021 Javier Martinez Canillas <javierm@redhat.com> - 0.4.0-6
- Port to OpenSSL 3.0
Resolves: rhbz#1958040
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2:0.4.0-5
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937