From f42b7a6e100e769203541da95f18265ddf98e635 Mon Sep 17 00:00:00 2001 From: Javier Martinez Canillas Date: Tue, 25 May 2021 18:31:31 +0200 Subject: [PATCH] Port to OpenSSL 3.0 The mokutil tool is using functions that were deprecated since OpenSSL 3.0 and needs to be ported to the newer functions that should be used instead. Resolves: rhbz#1958040 Signed-off-by: Javier Martinez Canillas --- 0005-mokutil-remove-simple-hash.patch | 260 ++++++++++++++++++ 0006-man-remove-simple-hash.patch | 81 ++++++ ...Digest-functions-instead-of-the-depr.patch | 98 +++++++ mokutil.spec | 9 +- 4 files changed, 447 insertions(+), 1 deletion(-) create mode 100644 0005-mokutil-remove-simple-hash.patch create mode 100644 0006-man-remove-simple-hash.patch create mode 100644 0007-mokutil-use-EVP_Digest-functions-instead-of-the-depr.patch diff --git a/0005-mokutil-remove-simple-hash.patch b/0005-mokutil-remove-simple-hash.patch new file mode 100644 index 0000000..f53791a --- /dev/null +++ b/0005-mokutil-remove-simple-hash.patch @@ -0,0 +1,260 @@ +From b7a6c0a7ee8e66c5daa377d2e6f59461ed34f3bf Mon Sep 17 00:00:00 2001 +From: Gary Lin +Date: Tue, 25 May 2021 12:46:03 +0200 +Subject: [PATCH] mokutil: remove "--simple-hash" + +The simple-hash password format is used by the very early MokManager and +not the default format anymore after we changed to password-crypt. +Remove the code to reduce the code size. + +Signed-off-by: Gary Lin +--- + src/mokutil.c | 87 +++++---------------------------------------------- + 1 file changed, 7 insertions(+), 80 deletions(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index 252dc7a327f..563e585979b 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -76,7 +76,6 @@ + #define TEST_KEY (1 << 14) + #define RESET (1 << 15) + #define GENERATE_PW_HASH (1 << 16) +-#define SIMPLE_HASH (1 << 17) + #define IGNORE_DB (1 << 18) + #define USE_DB (1 << 19) + #define MOKX (1 << 20) +@@ -95,8 +94,6 @@ typedef unsigned long efi_status_t; + typedef uint8_t efi_bool_t; + typedef wchar_t efi_char16_t; /* UNICODE character */ + +-static int use_simple_hash; +- + typedef enum { + DELETE_MOK = 0, + ENROLL_MOK, +@@ -182,7 +179,6 @@ print_help () + printf ("Supplimentary Options:\n"); + printf (" --hash-file \t\tUse the specific password hash\n"); + printf (" --root-pw\t\t\t\tUse the root password\n"); +- printf (" --simple-hash\t\t\t\tUse the old password hash method\n"); + printf (" --mokx\t\t\t\tManipulate the MOK blacklist\n"); + } + +@@ -814,32 +810,6 @@ error: + return ret; + } + +-static int +-generate_auth (void *new_list, int list_len, char *password, +- unsigned int pw_len, uint8_t *auth) +-{ +- efi_char16_t efichar_pass[PASSWORD_MAX+1]; +- unsigned long efichar_len; +- SHA256_CTX ctx; +- +- if (!password || !auth) +- return -1; +- +- efichar_len = efichar_from_char (efichar_pass, password, +- pw_len * sizeof(efi_char16_t)); +- +- SHA256_Init (&ctx); +- +- if (new_list) +- SHA256_Update (&ctx, new_list, list_len); +- +- SHA256_Update (&ctx, efichar_pass, efichar_len); +- +- SHA256_Final (auth, &ctx); +- +- return 0; +-} +- + static void + generate_salt (char salt[], unsigned int salt_size) + { +@@ -979,7 +949,6 @@ update_request (void *new_list, int list_len, MokRequest req, + size_t data_size; + const char *req_name, *auth_name; + pw_crypt_t pw_crypt; +- uint8_t auth[SHA256_DIGEST_LENGTH]; + char *password = NULL; + unsigned int pw_len; + int auth_ret; +@@ -1028,12 +997,7 @@ update_request (void *new_list, int list_len, MokRequest req, + goto error; + } + +- if (!use_simple_hash) { +- auth_ret = generate_hash (&pw_crypt, password, pw_len); +- } else { +- auth_ret = generate_auth (new_list, list_len, password, +- pw_len, auth); +- } ++ auth_ret = generate_hash (&pw_crypt, password, pw_len); + if (auth_ret < 0) { + fprintf (stderr, "Couldn't generate hash\n"); + goto error; +@@ -1069,13 +1033,8 @@ update_request (void *new_list, int list_len, MokRequest req, + } + + /* Write MokAuth, MokDelAuth, MokXAuth, or MokXDelAuth */ +- if (!use_simple_hash) { +- data = (void *)&pw_crypt; +- data_size = PASSWORD_CRYPT_SIZE; +- } else { +- data = (void *)auth; +- data_size = SHA256_DIGEST_LENGTH; +- } ++ data = (void *)&pw_crypt; ++ data_size = PASSWORD_CRYPT_SIZE; + + if (efi_set_variable (efi_guid_shim, auth_name, data, data_size, + attributes, S_IRUSR | S_IWUSR) < 0) { +@@ -1904,26 +1863,16 @@ set_password (const char *hash_file, const int root_pw, const int clear) + goto error; + } + +- if (!use_simple_hash) { +- pw_crypt.method = DEFAULT_CRYPT_METHOD; +- auth_ret = generate_hash (&pw_crypt, password, pw_len); +- } else { +- auth_ret = generate_auth (NULL, 0, password, pw_len, +- auth); +- } ++ pw_crypt.method = DEFAULT_CRYPT_METHOD; ++ auth_ret = generate_hash (&pw_crypt, password, pw_len); + if (auth_ret < 0) { + fprintf (stderr, "Couldn't generate hash\n"); + goto error; + } + } + +- if (!use_simple_hash) { +- data = (void *)&pw_crypt; +- data_size = PASSWORD_CRYPT_SIZE; +- } else { +- data = (void *)auth; +- data_size = SHA256_DIGEST_LENGTH; +- } ++ data = (void *)auth; ++ data_size = SHA256_DIGEST_LENGTH; + uint32_t attributes = EFI_VARIABLE_NON_VOLATILE + | EFI_VARIABLE_BOOTSERVICE_ACCESS + | EFI_VARIABLE_RUNTIME_ACCESS; +@@ -2301,8 +2250,6 @@ main (int argc, char *argv[]) + DBName db_name = MOK_LIST_RT; + int ret = -1; + +- use_simple_hash = 0; +- + if (!efi_variables_supported ()) { + fprintf (stderr, "EFI variables are not supported on this system\n"); + exit (1); +@@ -2329,7 +2276,6 @@ main (int argc, char *argv[]) + {"hash-file", required_argument, 0, 'f'}, + {"generate-hash", optional_argument, 0, 'g'}, + {"root-pw", no_argument, 0, 'P'}, +- {"simple-hash", no_argument, 0, 's'}, + {"ignore-db", no_argument, 0, 0 }, + {"use-db", no_argument, 0, 0 }, + {"mok", no_argument, 0, 'm'}, +@@ -2531,10 +2477,6 @@ main (int argc, char *argv[]) + case 'x': + command |= EXPORT; + break; +- case 's': +- command |= SIMPLE_HASH; +- use_simple_hash = 1; +- break; + case 'm': + db_name = MOK_LIST_RT; + break; +@@ -2555,9 +2497,6 @@ main (int argc, char *argv[]) + } + } + +- if (use_root_pw == 1 && use_simple_hash == 1) +- use_simple_hash = 0; +- + if (hash_file && use_root_pw) + command |= HELP; + +@@ -2593,22 +2532,18 @@ main (int argc, char *argv[]) + ret = list_keys_in_var ("MokDel", efi_guid_shim); + break; + case IMPORT: +- case IMPORT | SIMPLE_HASH: + ret = issue_mok_request (files, total, ENROLL_MOK, + hash_file, use_root_pw); + break; + case DELETE: +- case DELETE | SIMPLE_HASH: + ret = issue_mok_request (files, total, DELETE_MOK, + hash_file, use_root_pw); + break; + case IMPORT_HASH: +- case IMPORT_HASH | SIMPLE_HASH: + ret = issue_hash_request (hash_str, ENROLL_MOK, + hash_file, use_root_pw); + break; + case DELETE_HASH: +- case DELETE_HASH | SIMPLE_HASH: + ret = issue_hash_request (hash_str, DELETE_MOK, + hash_file, use_root_pw); + break; +@@ -2623,11 +2558,9 @@ main (int argc, char *argv[]) + ret = export_db_keys (db_name); + break; + case PASSWORD: +- case PASSWORD | SIMPLE_HASH: + ret = set_password (hash_file, use_root_pw, 0); + break; + case CLEAR_PASSWORD: +- case CLEAR_PASSWORD | SIMPLE_HASH: + ret = set_password (NULL, 0, 1); + break; + case DISABLE_VALIDATION: +@@ -2643,7 +2576,6 @@ main (int argc, char *argv[]) + ret = test_key (ENROLL_MOK, key_file); + break; + case RESET: +- case RESET | SIMPLE_HASH: + ret = reset_moks (ENROLL_MOK, hash_file, use_root_pw); + break; + case GENERATE_PW_HASH: +@@ -2662,22 +2594,18 @@ main (int argc, char *argv[]) + ret = list_keys_in_var ("MokXDel", efi_guid_shim); + break; + case IMPORT | MOKX: +- case IMPORT | SIMPLE_HASH | MOKX: + ret = issue_mok_request (files, total, ENROLL_BLACKLIST, + hash_file, use_root_pw); + break; + case DELETE | MOKX: +- case DELETE | SIMPLE_HASH | MOKX: + ret = issue_mok_request (files, total, DELETE_BLACKLIST, + hash_file, use_root_pw); + break; + case IMPORT_HASH | MOKX: +- case IMPORT_HASH | SIMPLE_HASH | MOKX: + ret = issue_hash_request (hash_str, ENROLL_BLACKLIST, + hash_file, use_root_pw); + break; + case DELETE_HASH | MOKX: +- case DELETE_HASH | SIMPLE_HASH | MOKX: + ret = issue_hash_request (hash_str, DELETE_BLACKLIST, + hash_file, use_root_pw); + break; +@@ -2688,7 +2616,6 @@ main (int argc, char *argv[]) + ret = revoke_request (DELETE_BLACKLIST); + break; + case RESET | MOKX: +- case RESET | SIMPLE_HASH | MOKX: + ret = reset_moks (ENROLL_BLACKLIST, hash_file, use_root_pw); + break; + case TEST_KEY | MOKX: +-- +2.31.1 + diff --git a/0006-man-remove-simple-hash.patch b/0006-man-remove-simple-hash.patch new file mode 100644 index 0000000..4ae64a0 --- /dev/null +++ b/0006-man-remove-simple-hash.patch @@ -0,0 +1,81 @@ +From d944337820debcaa5e275ec6a3523702ee2d9dd7 Mon Sep 17 00:00:00 2001 +From: Gary Lin +Date: Thu, 27 Aug 2020 14:48:08 +0800 +Subject: [PATCH 2/2] man: remove "--simple-hash" + +Remove "--simple-hash" from the man page. + +Signed-off-by: Gary Lin +--- + man/mokutil.1 | 19 ++++++------------- + 1 file changed, 6 insertions(+), 13 deletions(-) + +diff --git a/man/mokutil.1 b/man/mokutil.1 +index 446298763ad..1f82ff1abed 100644 +--- a/man/mokutil.1 ++++ b/man/mokutil.1 +@@ -15,11 +15,11 @@ mokutil \- utility to manipulate machine owner keys + .br + \fBmokutil\fR [--import \fIkeylist\fR| -i \fIkeylist\fR] + ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] | +- [--simple-hash | -s] | [--mokx | -X]) ++ [--mokx | -X]) + .br + \fBmokutil\fR [--delete \fIkeylist\fR | -d \fIkeylist\fR] + ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] | +- [--simple-hash | -s] | [--mokx |- X]) ++ [--mokx |- X]) + .br + \fBmokutil\fR [--revoke-import] + ([--mokx | -X]) +@@ -30,11 +30,9 @@ mokutil \- utility to manipulate machine owner keys + \fBmokutil\fR [--export | -x] + .br + \fBmokutil\fR [--password | -p] +- ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] | +- [--simple-hash | -s]) ++ ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P]) + .br + \fBmokutil\fR [--clear-password | -c] +- ([--simple-hash | -s]) + .br + \fBmokutil\fR [--disable-validation] + .br +@@ -47,7 +45,7 @@ mokutil \- utility to manipulate machine owner keys + .br + \fBmokutil\fR [--reset] + ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] | +- [--simple-hash | -s] | [--mok | -X]) ++ [--mok | -X]) + .br + \fBmokutil\fR [--generate-hash=\fIpassword\fR | -g\fIpassword\fR] + .br +@@ -57,11 +55,11 @@ mokutil \- utility to manipulate machine owner keys + .br + \fBmokutil\fR [--import-hash \fIhash\fR] + ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] | +- [--simple-hash | -s] | [--mokx | -X]) ++ [--mokx | -X]) + .br + \fBmokutil\fR [--delete-hash \fIhash\fR] + ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] | +- [--simple-hash | -s] | [--mokx | -X]) ++ [--mokx | -X]) + .br + \fBmokutil\fR [--set-verbosity (\fItrue\fR | \fIfalse\fR)] + .br +@@ -138,11 +136,6 @@ Use the password hash from a specific file + \fB-P, --root-pw\fR + Use the root password hash from /etc/shadow + .TP +-\fB-s, --simple-hash\fR +-Use the old SHA256 password hash method to hash the password +-.br +-Note: --root-pw invalidates --simple-hash +-.TP + \fB--ignore-db\fR + Tell shim to not use the keys in db to verify EFI images + .TP +-- +2.31.1 + diff --git a/0007-mokutil-use-EVP_Digest-functions-instead-of-the-depr.patch b/0007-mokutil-use-EVP_Digest-functions-instead-of-the-depr.patch new file mode 100644 index 0000000..67bdff8 --- /dev/null +++ b/0007-mokutil-use-EVP_Digest-functions-instead-of-the-depr.patch @@ -0,0 +1,98 @@ +From f552d2bb570568673d293fcb2263a2ee8c3333de Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Tue, 25 May 2021 15:22:29 +0200 +Subject: [PATCH] mokutil: use EVP_Digest()* functions instead of the + deprecated SHA1_*() + +The SHA1_*() functions have been deprecated since OpenSSL 3.0, this leads +to compile errors when building with -Werror=deprecated-declarations, i.e: + +mokutil.c: In function 'print_x509': +mokutil.c:424:9: error: 'SHA1_Init' is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations] + 424 | SHA1_Init (&ctx); + | ^~~~~~~~~ +... + +instead, the EVP_Digest*() functions could be used. Port to them and avoid +these build failures with the latest OpenSSL 3.0 version. + +Signed-off-by: Javier Martinez Canillas +--- + src/mokutil.c | 44 ++++++++++++++++++++++++++++++++++++-------- + 1 file changed, 36 insertions(+), 8 deletions(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index 563e585979b..3fdc791af7f 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -405,8 +405,10 @@ print_x509 (char *cert, int cert_size) + { + X509 *X509cert; + BIO *cert_bio; +- SHA_CTX ctx; +- uint8_t fingerprint[SHA_DIGEST_LENGTH]; ++ EVP_MD_CTX *ctx; ++ const EVP_MD *md; ++ unsigned int md_len; ++ unsigned char fingerprint[EVP_MAX_MD_SIZE]; + + cert_bio = BIO_new (BIO_s_mem ()); + BIO_write (cert_bio, cert, cert_size); +@@ -418,22 +420,48 @@ print_x509 (char *cert, int cert_size) + X509cert = d2i_X509_bio (cert_bio, NULL); + if (X509cert == NULL) { + fprintf (stderr, "Invalid X509 certificate\n"); +- return -1; ++ goto cleanup_bio; ++ } ++ ++ md = EVP_get_digestbyname ("SHA1"); ++ if(md == NULL) { ++ fprintf (stderr, "Failed to get SHA1 digest\n"); ++ goto cleanup_bio; ++ } ++ ++ ctx = EVP_MD_CTX_create (); ++ if (ctx == NULL) { ++ fprintf (stderr, "Failed to create digest context\n"); ++ goto cleanup_bio; + } + +- SHA1_Init (&ctx); +- SHA1_Update (&ctx, cert, cert_size); +- SHA1_Final (fingerprint, &ctx); ++ if (!EVP_DigestInit_ex (ctx, md, NULL)) { ++ fprintf (stderr, "Failed to initialize digest context\n"); ++ goto cleanup_ctx; ++ } ++ ++ if (!EVP_DigestUpdate (ctx, cert, cert_size)) { ++ fprintf (stderr, "Failed to hash into the digest context\n"); ++ goto cleanup_ctx; ++ } ++ ++ if (!EVP_DigestFinal_ex (ctx, fingerprint, &md_len)) { ++ fprintf (stderr, "Failed to get digest value\n"); ++ goto cleanup_ctx; ++ } + + printf ("SHA1 Fingerprint: "); +- for (unsigned int i = 0; i < SHA_DIGEST_LENGTH; i++) { ++ for (unsigned int i = 0; i < md_len; i++) { + printf ("%02x", fingerprint[i]); +- if (i < SHA_DIGEST_LENGTH - 1) ++ if (i < md_len - 1) + printf (":"); + } + printf ("\n"); + X509_print_fp (stdout, X509cert); + ++cleanup_ctx: ++ EVP_MD_CTX_destroy (ctx); ++cleanup_bio: + BIO_free (cert_bio); + + return 0; +-- +2.31.1 + diff --git a/mokutil.spec b/mokutil.spec index 06e94c4..f8953ca 100644 --- a/mokutil.spec +++ b/mokutil.spec @@ -1,6 +1,6 @@ Name: mokutil Version: 0.4.0 -Release: 5%{?dist} +Release: 6%{?dist} Epoch: 2 Summary: Tool to manage UEFI Secure Boot MoK Keys License: GPLv3+ @@ -18,6 +18,9 @@ Patch0001: 0001-Avoid-taking-pointer-to-packed-struct.patch Patch0002: 0002-Fix-a-integer-comparison-sign-issue.patch Patch0003: 0003-mokutil-Add-option-to-print-the-UEFI-SBAT-variable-c.patch Patch0004: 0004-mokutil-add-mok-variables-parsing-support.patch +Patch0005: 0005-mokutil-remove-simple-hash.patch +Patch0006: 0006-man-remove-simple-hash.patch +Patch0007: 0007-mokutil-use-EVP_Digest-functions-instead-of-the-depr.patch %description mokutil provides a tool to manage keys for Secure Boot through the MoK @@ -52,6 +55,10 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install %{_datadir}/bash-completion/completions/mokutil %changelog +* Tue May 25 2021 Javier Martinez Canillas - 0.4.0-6 +- Port to OpenSSL 3.0 + Resolves: rhbz#1958040 + * Fri Apr 16 2021 Mohan Boddu - 2:0.4.0-5 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937