diff --git a/0005-mokutil-remove-simple-hash.patch b/0005-mokutil-remove-simple-hash.patch new file mode 100644 index 0000000..f53791a --- /dev/null +++ b/0005-mokutil-remove-simple-hash.patch @@ -0,0 +1,260 @@ +From b7a6c0a7ee8e66c5daa377d2e6f59461ed34f3bf Mon Sep 17 00:00:00 2001 +From: Gary Lin +Date: Tue, 25 May 2021 12:46:03 +0200 +Subject: [PATCH] mokutil: remove "--simple-hash" + +The simple-hash password format is used by the very early MokManager and +not the default format anymore after we changed to password-crypt. +Remove the code to reduce the code size. + +Signed-off-by: Gary Lin +--- + src/mokutil.c | 87 +++++---------------------------------------------- + 1 file changed, 7 insertions(+), 80 deletions(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index 252dc7a327f..563e585979b 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -76,7 +76,6 @@ + #define TEST_KEY (1 << 14) + #define RESET (1 << 15) + #define GENERATE_PW_HASH (1 << 16) +-#define SIMPLE_HASH (1 << 17) + #define IGNORE_DB (1 << 18) + #define USE_DB (1 << 19) + #define MOKX (1 << 20) +@@ -95,8 +94,6 @@ typedef unsigned long efi_status_t; + typedef uint8_t efi_bool_t; + typedef wchar_t efi_char16_t; /* UNICODE character */ + +-static int use_simple_hash; +- + typedef enum { + DELETE_MOK = 0, + ENROLL_MOK, +@@ -182,7 +179,6 @@ print_help () + printf ("Supplimentary Options:\n"); + printf (" --hash-file \t\tUse the specific password hash\n"); + printf (" --root-pw\t\t\t\tUse the root password\n"); +- printf (" --simple-hash\t\t\t\tUse the old password hash method\n"); + printf (" --mokx\t\t\t\tManipulate the MOK blacklist\n"); + } + +@@ -814,32 +810,6 @@ error: + return ret; + } + +-static int +-generate_auth (void *new_list, int list_len, char *password, +- unsigned int pw_len, uint8_t *auth) +-{ +- efi_char16_t efichar_pass[PASSWORD_MAX+1]; +- unsigned long efichar_len; +- SHA256_CTX ctx; +- +- if (!password || !auth) +- return -1; +- +- efichar_len = efichar_from_char (efichar_pass, password, +- pw_len * sizeof(efi_char16_t)); +- +- SHA256_Init (&ctx); +- +- if (new_list) +- SHA256_Update (&ctx, new_list, list_len); +- +- SHA256_Update (&ctx, efichar_pass, efichar_len); +- +- SHA256_Final (auth, &ctx); +- +- return 0; +-} +- + static void + generate_salt (char salt[], unsigned int salt_size) + { +@@ -979,7 +949,6 @@ update_request (void *new_list, int list_len, MokRequest req, + size_t data_size; + const char *req_name, *auth_name; + pw_crypt_t pw_crypt; +- uint8_t auth[SHA256_DIGEST_LENGTH]; + char *password = NULL; + unsigned int pw_len; + int auth_ret; +@@ -1028,12 +997,7 @@ update_request (void *new_list, int list_len, MokRequest req, + goto error; + } + +- if (!use_simple_hash) { +- auth_ret = generate_hash (&pw_crypt, password, pw_len); +- } else { +- auth_ret = generate_auth (new_list, list_len, password, +- pw_len, auth); +- } ++ auth_ret = generate_hash (&pw_crypt, password, pw_len); + if (auth_ret < 0) { + fprintf (stderr, "Couldn't generate hash\n"); + goto error; +@@ -1069,13 +1033,8 @@ update_request (void *new_list, int list_len, MokRequest req, + } + + /* Write MokAuth, MokDelAuth, MokXAuth, or MokXDelAuth */ +- if (!use_simple_hash) { +- data = (void *)&pw_crypt; +- data_size = PASSWORD_CRYPT_SIZE; +- } else { +- data = (void *)auth; +- data_size = SHA256_DIGEST_LENGTH; +- } ++ data = (void *)&pw_crypt; ++ data_size = PASSWORD_CRYPT_SIZE; + + if (efi_set_variable (efi_guid_shim, auth_name, data, data_size, + attributes, S_IRUSR | S_IWUSR) < 0) { +@@ -1904,26 +1863,16 @@ set_password (const char *hash_file, const int root_pw, const int clear) + goto error; + } + +- if (!use_simple_hash) { +- pw_crypt.method = DEFAULT_CRYPT_METHOD; +- auth_ret = generate_hash (&pw_crypt, password, pw_len); +- } else { +- auth_ret = generate_auth (NULL, 0, password, pw_len, +- auth); +- } ++ pw_crypt.method = DEFAULT_CRYPT_METHOD; ++ auth_ret = generate_hash (&pw_crypt, password, pw_len); + if (auth_ret < 0) { + fprintf (stderr, "Couldn't generate hash\n"); + goto error; + } + } + +- if (!use_simple_hash) { +- data = (void *)&pw_crypt; +- data_size = PASSWORD_CRYPT_SIZE; +- } else { +- data = (void *)auth; +- data_size = SHA256_DIGEST_LENGTH; +- } ++ data = (void *)auth; ++ data_size = SHA256_DIGEST_LENGTH; + uint32_t attributes = EFI_VARIABLE_NON_VOLATILE + | EFI_VARIABLE_BOOTSERVICE_ACCESS + | EFI_VARIABLE_RUNTIME_ACCESS; +@@ -2301,8 +2250,6 @@ main (int argc, char *argv[]) + DBName db_name = MOK_LIST_RT; + int ret = -1; + +- use_simple_hash = 0; +- + if (!efi_variables_supported ()) { + fprintf (stderr, "EFI variables are not supported on this system\n"); + exit (1); +@@ -2329,7 +2276,6 @@ main (int argc, char *argv[]) + {"hash-file", required_argument, 0, 'f'}, + {"generate-hash", optional_argument, 0, 'g'}, + {"root-pw", no_argument, 0, 'P'}, +- {"simple-hash", no_argument, 0, 's'}, + {"ignore-db", no_argument, 0, 0 }, + {"use-db", no_argument, 0, 0 }, + {"mok", no_argument, 0, 'm'}, +@@ -2531,10 +2477,6 @@ main (int argc, char *argv[]) + case 'x': + command |= EXPORT; + break; +- case 's': +- command |= SIMPLE_HASH; +- use_simple_hash = 1; +- break; + case 'm': + db_name = MOK_LIST_RT; + break; +@@ -2555,9 +2497,6 @@ main (int argc, char *argv[]) + } + } + +- if (use_root_pw == 1 && use_simple_hash == 1) +- use_simple_hash = 0; +- + if (hash_file && use_root_pw) + command |= HELP; + +@@ -2593,22 +2532,18 @@ main (int argc, char *argv[]) + ret = list_keys_in_var ("MokDel", efi_guid_shim); + break; + case IMPORT: +- case IMPORT | SIMPLE_HASH: + ret = issue_mok_request (files, total, ENROLL_MOK, + hash_file, use_root_pw); + break; + case DELETE: +- case DELETE | SIMPLE_HASH: + ret = issue_mok_request (files, total, DELETE_MOK, + hash_file, use_root_pw); + break; + case IMPORT_HASH: +- case IMPORT_HASH | SIMPLE_HASH: + ret = issue_hash_request (hash_str, ENROLL_MOK, + hash_file, use_root_pw); + break; + case DELETE_HASH: +- case DELETE_HASH | SIMPLE_HASH: + ret = issue_hash_request (hash_str, DELETE_MOK, + hash_file, use_root_pw); + break; +@@ -2623,11 +2558,9 @@ main (int argc, char *argv[]) + ret = export_db_keys (db_name); + break; + case PASSWORD: +- case PASSWORD | SIMPLE_HASH: + ret = set_password (hash_file, use_root_pw, 0); + break; + case CLEAR_PASSWORD: +- case CLEAR_PASSWORD | SIMPLE_HASH: + ret = set_password (NULL, 0, 1); + break; + case DISABLE_VALIDATION: +@@ -2643,7 +2576,6 @@ main (int argc, char *argv[]) + ret = test_key (ENROLL_MOK, key_file); + break; + case RESET: +- case RESET | SIMPLE_HASH: + ret = reset_moks (ENROLL_MOK, hash_file, use_root_pw); + break; + case GENERATE_PW_HASH: +@@ -2662,22 +2594,18 @@ main (int argc, char *argv[]) + ret = list_keys_in_var ("MokXDel", efi_guid_shim); + break; + case IMPORT | MOKX: +- case IMPORT | SIMPLE_HASH | MOKX: + ret = issue_mok_request (files, total, ENROLL_BLACKLIST, + hash_file, use_root_pw); + break; + case DELETE | MOKX: +- case DELETE | SIMPLE_HASH | MOKX: + ret = issue_mok_request (files, total, DELETE_BLACKLIST, + hash_file, use_root_pw); + break; + case IMPORT_HASH | MOKX: +- case IMPORT_HASH | SIMPLE_HASH | MOKX: + ret = issue_hash_request (hash_str, ENROLL_BLACKLIST, + hash_file, use_root_pw); + break; + case DELETE_HASH | MOKX: +- case DELETE_HASH | SIMPLE_HASH | MOKX: + ret = issue_hash_request (hash_str, DELETE_BLACKLIST, + hash_file, use_root_pw); + break; +@@ -2688,7 +2616,6 @@ main (int argc, char *argv[]) + ret = revoke_request (DELETE_BLACKLIST); + break; + case RESET | MOKX: +- case RESET | SIMPLE_HASH | MOKX: + ret = reset_moks (ENROLL_BLACKLIST, hash_file, use_root_pw); + break; + case TEST_KEY | MOKX: +-- +2.31.1 + diff --git a/0006-man-remove-simple-hash.patch b/0006-man-remove-simple-hash.patch new file mode 100644 index 0000000..4ae64a0 --- /dev/null +++ b/0006-man-remove-simple-hash.patch @@ -0,0 +1,81 @@ +From d944337820debcaa5e275ec6a3523702ee2d9dd7 Mon Sep 17 00:00:00 2001 +From: Gary Lin +Date: Thu, 27 Aug 2020 14:48:08 +0800 +Subject: [PATCH 2/2] man: remove "--simple-hash" + +Remove "--simple-hash" from the man page. + +Signed-off-by: Gary Lin +--- + man/mokutil.1 | 19 ++++++------------- + 1 file changed, 6 insertions(+), 13 deletions(-) + +diff --git a/man/mokutil.1 b/man/mokutil.1 +index 446298763ad..1f82ff1abed 100644 +--- a/man/mokutil.1 ++++ b/man/mokutil.1 +@@ -15,11 +15,11 @@ mokutil \- utility to manipulate machine owner keys + .br + \fBmokutil\fR [--import \fIkeylist\fR| -i \fIkeylist\fR] + ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] | +- [--simple-hash | -s] | [--mokx | -X]) ++ [--mokx | -X]) + .br + \fBmokutil\fR [--delete \fIkeylist\fR | -d \fIkeylist\fR] + ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] | +- [--simple-hash | -s] | [--mokx |- X]) ++ [--mokx |- X]) + .br + \fBmokutil\fR [--revoke-import] + ([--mokx | -X]) +@@ -30,11 +30,9 @@ mokutil \- utility to manipulate machine owner keys + \fBmokutil\fR [--export | -x] + .br + \fBmokutil\fR [--password | -p] +- ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] | +- [--simple-hash | -s]) ++ ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P]) + .br + \fBmokutil\fR [--clear-password | -c] +- ([--simple-hash | -s]) + .br + \fBmokutil\fR [--disable-validation] + .br +@@ -47,7 +45,7 @@ mokutil \- utility to manipulate machine owner keys + .br + \fBmokutil\fR [--reset] + ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] | +- [--simple-hash | -s] | [--mok | -X]) ++ [--mok | -X]) + .br + \fBmokutil\fR [--generate-hash=\fIpassword\fR | -g\fIpassword\fR] + .br +@@ -57,11 +55,11 @@ mokutil \- utility to manipulate machine owner keys + .br + \fBmokutil\fR [--import-hash \fIhash\fR] + ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] | +- [--simple-hash | -s] | [--mokx | -X]) ++ [--mokx | -X]) + .br + \fBmokutil\fR [--delete-hash \fIhash\fR] + ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] | +- [--simple-hash | -s] | [--mokx | -X]) ++ [--mokx | -X]) + .br + \fBmokutil\fR [--set-verbosity (\fItrue\fR | \fIfalse\fR)] + .br +@@ -138,11 +136,6 @@ Use the password hash from a specific file + \fB-P, --root-pw\fR + Use the root password hash from /etc/shadow + .TP +-\fB-s, --simple-hash\fR +-Use the old SHA256 password hash method to hash the password +-.br +-Note: --root-pw invalidates --simple-hash +-.TP + \fB--ignore-db\fR + Tell shim to not use the keys in db to verify EFI images + .TP +-- +2.31.1 + diff --git a/0007-mokutil-use-EVP_Digest-functions-instead-of-the-depr.patch b/0007-mokutil-use-EVP_Digest-functions-instead-of-the-depr.patch new file mode 100644 index 0000000..67bdff8 --- /dev/null +++ b/0007-mokutil-use-EVP_Digest-functions-instead-of-the-depr.patch @@ -0,0 +1,98 @@ +From f552d2bb570568673d293fcb2263a2ee8c3333de Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Tue, 25 May 2021 15:22:29 +0200 +Subject: [PATCH] mokutil: use EVP_Digest()* functions instead of the + deprecated SHA1_*() + +The SHA1_*() functions have been deprecated since OpenSSL 3.0, this leads +to compile errors when building with -Werror=deprecated-declarations, i.e: + +mokutil.c: In function 'print_x509': +mokutil.c:424:9: error: 'SHA1_Init' is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations] + 424 | SHA1_Init (&ctx); + | ^~~~~~~~~ +... + +instead, the EVP_Digest*() functions could be used. Port to them and avoid +these build failures with the latest OpenSSL 3.0 version. + +Signed-off-by: Javier Martinez Canillas +--- + src/mokutil.c | 44 ++++++++++++++++++++++++++++++++++++-------- + 1 file changed, 36 insertions(+), 8 deletions(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index 563e585979b..3fdc791af7f 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -405,8 +405,10 @@ print_x509 (char *cert, int cert_size) + { + X509 *X509cert; + BIO *cert_bio; +- SHA_CTX ctx; +- uint8_t fingerprint[SHA_DIGEST_LENGTH]; ++ EVP_MD_CTX *ctx; ++ const EVP_MD *md; ++ unsigned int md_len; ++ unsigned char fingerprint[EVP_MAX_MD_SIZE]; + + cert_bio = BIO_new (BIO_s_mem ()); + BIO_write (cert_bio, cert, cert_size); +@@ -418,22 +420,48 @@ print_x509 (char *cert, int cert_size) + X509cert = d2i_X509_bio (cert_bio, NULL); + if (X509cert == NULL) { + fprintf (stderr, "Invalid X509 certificate\n"); +- return -1; ++ goto cleanup_bio; ++ } ++ ++ md = EVP_get_digestbyname ("SHA1"); ++ if(md == NULL) { ++ fprintf (stderr, "Failed to get SHA1 digest\n"); ++ goto cleanup_bio; ++ } ++ ++ ctx = EVP_MD_CTX_create (); ++ if (ctx == NULL) { ++ fprintf (stderr, "Failed to create digest context\n"); ++ goto cleanup_bio; + } + +- SHA1_Init (&ctx); +- SHA1_Update (&ctx, cert, cert_size); +- SHA1_Final (fingerprint, &ctx); ++ if (!EVP_DigestInit_ex (ctx, md, NULL)) { ++ fprintf (stderr, "Failed to initialize digest context\n"); ++ goto cleanup_ctx; ++ } ++ ++ if (!EVP_DigestUpdate (ctx, cert, cert_size)) { ++ fprintf (stderr, "Failed to hash into the digest context\n"); ++ goto cleanup_ctx; ++ } ++ ++ if (!EVP_DigestFinal_ex (ctx, fingerprint, &md_len)) { ++ fprintf (stderr, "Failed to get digest value\n"); ++ goto cleanup_ctx; ++ } + + printf ("SHA1 Fingerprint: "); +- for (unsigned int i = 0; i < SHA_DIGEST_LENGTH; i++) { ++ for (unsigned int i = 0; i < md_len; i++) { + printf ("%02x", fingerprint[i]); +- if (i < SHA_DIGEST_LENGTH - 1) ++ if (i < md_len - 1) + printf (":"); + } + printf ("\n"); + X509_print_fp (stdout, X509cert); + ++cleanup_ctx: ++ EVP_MD_CTX_destroy (ctx); ++cleanup_bio: + BIO_free (cert_bio); + + return 0; +-- +2.31.1 + diff --git a/mokutil.spec b/mokutil.spec index 06e94c4..f8953ca 100644 --- a/mokutil.spec +++ b/mokutil.spec @@ -1,6 +1,6 @@ Name: mokutil Version: 0.4.0 -Release: 5%{?dist} +Release: 6%{?dist} Epoch: 2 Summary: Tool to manage UEFI Secure Boot MoK Keys License: GPLv3+ @@ -18,6 +18,9 @@ Patch0001: 0001-Avoid-taking-pointer-to-packed-struct.patch Patch0002: 0002-Fix-a-integer-comparison-sign-issue.patch Patch0003: 0003-mokutil-Add-option-to-print-the-UEFI-SBAT-variable-c.patch Patch0004: 0004-mokutil-add-mok-variables-parsing-support.patch +Patch0005: 0005-mokutil-remove-simple-hash.patch +Patch0006: 0006-man-remove-simple-hash.patch +Patch0007: 0007-mokutil-use-EVP_Digest-functions-instead-of-the-depr.patch %description mokutil provides a tool to manage keys for Secure Boot through the MoK @@ -52,6 +55,10 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install %{_datadir}/bash-completion/completions/mokutil %changelog +* Tue May 25 2021 Javier Martinez Canillas - 0.4.0-6 +- Port to OpenSSL 3.0 + Resolves: rhbz#1958040 + * Fri Apr 16 2021 Mohan Boddu - 2:0.4.0-5 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937