Compare commits

...

No commits in common. "c9" and "c8" have entirely different histories.
c9 ... c8

21 changed files with 1003 additions and 249 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/mokutil-0.6.0.tar.gz
SOURCES/0.3.0.tar.gz

View File

@ -1 +1 @@
b38fa41703cae749d8f642d3218cdff5d5d9a8ec SOURCES/mokutil-0.6.0.tar.gz
8686e2ab33689a7f71268db3c8dc0a51ba291d93 SOURCES/0.3.0.tar.gz

View File

@ -0,0 +1,33 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 4 Nov 2014 15:50:03 +0800
Subject: [PATCH] Fix the potential buffer overflow
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
src/mokutil.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 5b34f22..93fb6fa 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1743,7 +1743,7 @@ set_toggle (const char * VarName, uint32_t state)
MokToggleVar tvar;
char *password = NULL;
unsigned int pw_len;
- efi_char16_t efichar_pass[SB_PASSWORD_MAX];
+ efi_char16_t efichar_pass[SB_PASSWORD_MAX+1];
int ret = -1;
printf ("password length: %d~%d\n", SB_PASSWORD_MIN, SB_PASSWORD_MAX);
@@ -1757,8 +1757,7 @@ set_toggle (const char * VarName, uint32_t state)
efichar_from_char (efichar_pass, password,
SB_PASSWORD_MAX * sizeof(efi_char16_t));
- memcpy(tvar.password, efichar_pass,
- SB_PASSWORD_MAX * sizeof(efi_char16_t));
+ memcpy(tvar.password, efichar_pass, sizeof(tvar.password));
tvar.mok_toggle_state = state;

View File

@ -1,31 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 17 May 2022 11:23:28 -0400
Subject: [PATCH] Show usage instead of aborting on bad flags
Aborting here just confuses users and is sufficiently unexpected to
cause the filing of bugs.
Related: https://bugzilla.redhat.com/show_bug.cgi?id=2087066
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit 82694cb1ce3b29c3705c25ae4cea3d07fe57b558)
---
src/mokutil.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 5d725c9..e8228af 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -2087,10 +2087,9 @@ main (int argc, char *argv[])
goto out;
case 'h':
case '?':
+ default:
command |= HELP;
break;
- default:
- abort ();
}
}

View File

@ -0,0 +1,31 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Mon, 24 Nov 2014 11:38:54 +0800
Subject: [PATCH] Fix the 32bit signedness comparison
---
src/mokutil.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 93fb6fa..a7e83f7 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1284,7 +1284,7 @@ issue_mok_request (char **files, uint32_t total, MokRequest req,
/* Mok */
read_size = read (fd, ptr, sizes[i]);
- if (read_size < 0 || read_size != sizes[i]) {
+ if (read_size < 0 || read_size != (int64_t)sizes[i]) {
fprintf (stderr, "Failed to read %s\n", files[i]);
goto error;
}
@@ -1645,7 +1645,7 @@ export_moks ()
goto error;
}
- while (offset < list[i].mok_size) {
+ while (offset < (int64_t)list[i].mok_size) {
write_size = write (fd, list[i].mok + offset,
list[i].mok_size - offset);
if (write_size < 0) {

View File

@ -1,26 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: gaoyusong <gaoyusong2@huawei.com>
Date: Mon, 30 May 2022 17:54:47 +0800
Subject: [PATCH] mokutil bugfix: del unused opt "-s"
The -s option can cause unexcepted result.
Signed-off-by: gaoyusong <gaoyusong2@huawei.com>
(cherry picked from commit 04791c29e198b18808bca519267e31c8d3786a08)
---
src/mokutil.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index e8228af..6982ade 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1851,7 +1851,7 @@ main (int argc, char *argv[])
};
int option_index = 0;
- c = getopt_long (argc, argv, "cd:f:g::hi:lmpst:xDNPXv",
+ c = getopt_long (argc, argv, "cd:f:g::hi:lmpt:xDNPXv",
long_options, &option_index);
if (c == -1)

View File

@ -0,0 +1,39 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 19 Jun 2015 16:53:36 -0400
Subject: [PATCH] Build with -fshort-wchar so toggle passwords work right.
This source tree uses:
typedef wchar_t efi_char16_t;
to define UEFI's UCS-2 character type. On many platforms, wchar_t is
32-bits by default. As a result, efichar_from_char winds up writing
4-byte characters instead of 2-byte characters. In the case where we
hash the password in mokutil, this works fine, because the same datatype
is used, and the values are the same. But for our feature toggles,
where we store the raw data and shim is interpretting the character
array, every other character winds up being L'\0', and verification
fails.
So always build with -fshort-wchar to ensure we get 2-byte character
storage.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
configure.ac | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index fe28fb9..69d412a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -37,7 +37,7 @@ else
default_strict=no
fi
-WARNINGFLAGS_C="$WARNINGFLAGS_C -std=gnu11"
+WARNINGFLAGS_C="$WARNINGFLAGS_C -std=gnu11 -fshort-wchar"
AC_ARG_ENABLE(strict, AS_HELP_STRING([--enable-strict],[Enable strict compilation options]), enable_strict=$enableval,
enable_strict=$default_strict)

View File

@ -1,28 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 2 Jun 2022 12:56:31 -0400
Subject: [PATCH] Fix leak of list in delete_data_from_req_var()
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit d978c18f61b877afaab45a82d260b525423b8248)
---
src/util.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/util.c b/src/util.c
index 621869f..6cd0302 100644
--- a/src/util.c
+++ b/src/util.c
@@ -295,8 +295,10 @@ delete_data_from_req_var (const MokRequest req, const efi_guid_t *type,
}
/* the key or hash is not in this list */
- if (start == NULL)
- return 0;
+ if (start == NULL) {
+ ret = 0;
+ goto done;
+ }
/* all keys are removed */
if (total == 0) {

View File

@ -0,0 +1,29 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 16 Jun 2015 17:06:30 -0400
Subject: [PATCH] Don't allow sha1 on the mokutil command line.
Related: rhbz#1115843
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/mokutil.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/mokutil.c b/src/mokutil.c
index a7e83f7..1fb34f9 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1351,10 +1351,12 @@ identify_hash_type (const char *hash_str, efi_guid_t *type)
}
switch (len) {
+#if 0
case SHA_DIGEST_LENGTH*2:
*type = efi_guid_sha1;
hash_size = SHA_DIGEST_LENGTH;
break;
+#endif
case SHA224_DIGEST_LENGTH*2:
*type = efi_guid_sha224;
hash_size = SHA224_DIGEST_LENGTH;

View File

@ -1,70 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 2 Jun 2022 13:00:22 -0400
Subject: [PATCH] Fix leak of fd in mok_get_variable()
On success, it was never closed. Refactor the code to use a single
egress path so its closure is clear.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit e498f6460ff5aea6a7cd61a33087d03e88a2f52a)
---
src/util.c | 24 +++++++++++++-----------
1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/src/util.c b/src/util.c
index 6cd0302..f7fc033 100644
--- a/src/util.c
+++ b/src/util.c
@@ -57,22 +57,21 @@ mok_get_variable(const char *name, uint8_t **datap, size_t *data_sizep)
return fd;
rc = fstat(fd, &sb);
- if (rc < 0) {
-err_close:
- close(fd);
- return rc;
- }
+ if (rc < 0)
+ goto done;
if (sb.st_size == 0) {
errno = ENOENT;
rc = -1;
- goto err_close;
+ goto done;
}
bufsz = sb.st_size;
buf = calloc(1, bufsz);
- if (!buf)
- goto err_close;
+ if (!buf) {
+ rc = -1;
+ goto done;
+ }
while (pos < bufsz) {
ssz = read(fd, &buf[pos], bufsz - pos);
@@ -82,15 +81,18 @@ err_close:
errno == EINTR)
continue;
free(buf);
- goto err_close;
+ rc = -1;
+ goto done;
}
pos += ssz;
}
*datap = buf;
*data_sizep = pos;
-
- return 0;
+ rc = 0;
+done:
+ close(fd);
+ return rc;
}
MokListNode*

View File

@ -0,0 +1,84 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Wed, 13 Jan 2016 16:05:21 +0800
Subject: [PATCH] Make all efi_guid_t const
All UEFI GUIDs defined in efivar are const. Declare all of them const
to make gcc happy.
Signed-off-by: Gary Lin <glin@suse.com>
---
src/mokutil.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 1fb34f9..d2c52b4 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -200,7 +200,7 @@ efichar_from_char (efi_char16_t *dest, const char *src, size_t dest_len)
}
static uint32_t
-efi_hash_size (efi_guid_t *hash_type)
+efi_hash_size (const efi_guid_t *hash_type)
{
if (efi_guid_cmp (hash_type, &efi_guid_sha1) == 0) {
return SHA_DIGEST_LENGTH;
@@ -218,7 +218,7 @@ efi_hash_size (efi_guid_t *hash_type)
}
static uint32_t
-signature_size (efi_guid_t *hash_type)
+signature_size (const efi_guid_t *hash_type)
{
uint32_t hash_size;
@@ -439,7 +439,7 @@ list_keys (uint8_t *data, size_t data_size)
/* match the hash in the hash array and return the index if matched */
static int
-match_hash_array (efi_guid_t *hash_type, const void *hash,
+match_hash_array (const efi_guid_t *hash_type, const void *hash,
const void *hash_array, const uint32_t array_size)
{
uint32_t hash_size, hash_count;
@@ -469,8 +469,8 @@ match_hash_array (efi_guid_t *hash_type, const void *hash,
}
static int
-delete_data_from_list (efi_guid_t *var_guid, const char *var_name,
- efi_guid_t *type, void *data, uint32_t data_size)
+delete_data_from_list (const efi_guid_t *var_guid, const char *var_name,
+ const efi_guid_t *type, void *data, uint32_t data_size)
{
uint8_t *var_data = NULL;
size_t var_data_size = 0;
@@ -1006,8 +1006,8 @@ is_valid_cert (void *cert, uint32_t cert_size)
}
static int
-is_duplicate (efi_guid_t *type, const void *data, const uint32_t data_size,
- efi_guid_t *vendor, const char *db_name)
+is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size,
+ const efi_guid_t *vendor, const char *db_name)
{
uint8_t *var_data;
size_t var_data_size;
@@ -1059,7 +1059,7 @@ done:
}
static int
-is_valid_request (efi_guid_t *type, void *mok, uint32_t mok_size,
+is_valid_request (const efi_guid_t *type, void *mok, uint32_t mok_size,
MokRequest req)
{
switch (req) {
@@ -1096,7 +1096,7 @@ is_valid_request (efi_guid_t *type, void *mok, uint32_t mok_size,
}
static int
-in_pending_request (efi_guid_t *type, void *data, uint32_t data_size,
+in_pending_request (const efi_guid_t *type, void *data, uint32_t data_size,
MokRequest req)
{
uint8_t *authvar_data;

View File

@ -0,0 +1,34 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 14 Jun 2016 10:19:43 -0400
Subject: [PATCH] mokutil: be explicit about file modes in all cases.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/mokutil.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index d2c52b4..d554f6c 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -574,7 +574,8 @@ delete_data_from_list (const efi_guid_t *var_guid, const char *var_name,
| EFI_VARIABLE_BOOTSERVICE_ACCESS
| EFI_VARIABLE_RUNTIME_ACCESS;
ret = efi_set_variable (*var_guid, var_name,
- var_data, total, attributes);
+ var_data, total, attributes,
+ S_IRUSR | S_IWUSR);
if (ret < 0) {
fprintf (stderr, "Failed to write variable \"%s\": %m\n",
var_name);
@@ -938,7 +939,8 @@ update_request (void *new_list, int list_len, MokRequest req,
data_size = list_len;
if (efi_set_variable (efi_guid_shim, req_name,
- data, data_size, attributes) < 0) {
+ data, data_size, attributes,
+ S_IRUSR | S_IWUSR) < 0) {
switch (req) {
case ENROLL_MOK:
fprintf (stderr, "Failed to enroll new keys\n");

View File

@ -0,0 +1,95 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 14 Jun 2016 10:20:14 -0400
Subject: [PATCH] Add bash completion file.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
configure.ac | 17 +++++++++++++++++
Makefile.am | 5 +++++
data/mokutil | 37 +++++++++++++++++++++++++++++++++++++
3 files changed, 59 insertions(+)
create mode 100755 data/mokutil
diff --git a/configure.ac b/configure.ac
index 69d412a..7b52a06 100644
--- a/configure.ac
+++ b/configure.ac
@@ -86,6 +86,23 @@ AC_CHECK_FUNCS([memset])
PKG_CHECK_MODULES(OPENSSL, [openssl >= 0.9.8])
PKG_CHECK_MODULES(EFIVAR, [efivar >= 0.12])
+AC_ARG_WITH([bash-completion-dir],
+ AS_HELP_STRING([--with-bash-completion-dir[=PATH]],
+ [Install the bash auto-completion script in this directory. @<:@default=yes@:>@]),
+ [],
+ [with_bash_completion_dir=yes])
+
+if test "x$with_bash_completion_dir" = "xyes"; then
+ PKG_CHECK_MODULES([BASH_COMPLETION], [bash-completion >= 2.0],
+ [BASH_COMPLETION_DIR="`pkg-config --variable=completionsdir bash-completion`"],
+ [BASH_COMPLETION_DIR="$datadir/bash-completion/completions"])
+else
+ BASH_COMPLETION_DIR="$with_bash_completion_dir"
+fi
+
+AC_SUBST([BASH_COMPLETION_DIR])
+AM_CONDITIONAL([ENABLE_BASH_COMPLETION],[test "x$with_bash_completion_dir" != "xno"])
+
AC_CONFIG_FILES([Makefile
src/Makefile
man/Makefile])
diff --git a/Makefile.am b/Makefile.am
index 9f0d419..c17cc4a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1 +1,6 @@
SUBDIRS = src man
+
+if ENABLE_BASH_COMPLETION
+ bashcompletiondir = $(BASH_COMPLETION_DIR)
+ dist_bashcompletion_DATA = data/mokutil
+endif
diff --git a/data/mokutil b/data/mokutil
new file mode 100755
index 0000000..800b039
--- /dev/null
+++ b/data/mokutil
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+_mokutil()
+{
+ local cur=${COMP_WORDS[COMP_CWORD]}
+
+ if [[ "$cur" == -* ]]; then
+ #COMPREPLY=( $( compgen -W "--help --list-enrolled --list-new --list-delete --import --delete --revoke-import --revoke-delete --export --password --clear-password --disable-validation --enable-validation --sb-state --test-key --reset --generate-hash --hash-file --root-pw --simple-hash" -- $cur ) )
+ COMPREPLY=( $( compgen -W '$( _parse_help "$1" --long-help ) -h -l -N -D -i -d -x -p -c -t -f -g -P -s -X' -- "$cur" ) )
+ [[ $COMPREPLY == *= ]] && compopt -o nospace
+ return 0
+ fi
+
+ case "${COMP_WORDS[COMP_CWORD-1]}" in
+ --import|-i|--delete|-d|--test-key|-t|--hash-file|-f)
+ _filedir
+ return 0
+ ;;
+ --import-hash|--delete-hash)
+ COMPREPLY=( $( compgen -W "" ) )
+ return 0
+ ;;
+ --set-verbosity)
+ COMPREPLY=( $( compgen -W "true false") )
+ return 0
+ ;;
+ --generate-hash|-g)
+ COMPREPLY=( $( compgen -o nospace -P= -W "") )
+ return 0
+ ;;
+ *)
+ return 0
+ ;;
+ esac
+}
+
+complete -F _mokutil mokutil

View File

@ -0,0 +1,24 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Tyler Hicks <tyhicks@canonical.com>
Date: Mon, 20 Jun 2016 11:18:17 -0500
Subject: [PATCH] Fix typo in error message when the system lacks Secure Boot
support
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
---
src/mokutil.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index d554f6c..27f1292 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -2297,7 +2297,7 @@ main (int argc, char *argv[])
rc = efi_get_variable (efi_guid_global, "SecureBoot",
&data, &data_size, &attributes);
if (rc < 0) {
- fprintf(stderr, "This system does't support Secure Boot\n");
+ fprintf(stderr, "This system doesn't support Secure Boot\n");
ret = -1;
goto out;
}

View File

@ -0,0 +1,23 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 3 Apr 2017 16:33:38 -0400
Subject: [PATCH] list_keys_in_var(): check errno correctly, not ret twice.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/mokutil.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 27f1292..0be9e84 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -602,7 +602,7 @@ list_keys_in_var (const char *var_name, const efi_guid_t guid)
ret = efi_get_variable (guid, var_name, &data, &data_size, &attributes);
if (ret < 0) {
- if (ret == ENOENT) {
+ if (errno == ENOENT) {
printf ("%s is empty\n", var_name);
return 0;
}

View File

@ -0,0 +1,98 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 15 May 2018 11:20:15 -0400
Subject: [PATCH] generate_hash() / generate_pw_hash(): don't use strlen() for
strncpy bounds
New gcc rightly comlplains when we do the following:
strncpy (dest, src, strlen(src));
For two reasons:
a) it doesn't copy the NUL byte
b) it's otherwise the same thing strcpy() would have done
This patch replaces that with stpncpy (just because it's slightly easier
to use) and the real bounds for the destination.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/mokutil.c | 33 ++++++++++++++++++++++-----------
1 file changed, 22 insertions(+), 11 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 0be9e84..b508010 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -764,9 +764,10 @@ generate_hash (pw_crypt_t *pw_crypt, char *password, unsigned int pw_len)
{
pw_crypt_t new_crypt;
char settings[SETTINGS_LEN];
+ char *next;
char *crypt_string;
const char *prefix;
- int hash_len, prefix_len;
+ int hash_len, settings_len = sizeof (settings) - 2;
if (!password || !pw_crypt || password[pw_len] != '\0')
return -1;
@@ -774,15 +775,19 @@ generate_hash (pw_crypt_t *pw_crypt, char *password, unsigned int pw_len)
prefix = get_crypt_prefix (pw_crypt->method);
if (!prefix)
return -1;
- prefix_len = strlen(prefix);
pw_crypt->salt_size = get_salt_size (pw_crypt->method);
generate_salt ((char *)pw_crypt->salt, pw_crypt->salt_size);
- strncpy (settings, prefix, prefix_len);
- strncpy (settings + prefix_len, (const char *)pw_crypt->salt,
- pw_crypt->salt_size);
- settings[pw_crypt->salt_size + prefix_len] = '\0';
+ memset (settings, 0, sizeof (settings));
+ next = stpncpy (settings, prefix, settings_len);
+ if (pw_crypt->salt_size > settings_len - (next - settings)) {
+ errno = EOVERFLOW;
+ return -1;
+ }
+ next = stpncpy (next, (const char *)pw_crypt->salt,
+ pw_crypt->salt_size);
+ *next = '\0';
crypt_string = crypt (password, settings);
if (!crypt_string)
@@ -1929,10 +1934,11 @@ static int
generate_pw_hash (const char *input_pw)
{
char settings[SETTINGS_LEN];
+ char *next;
char *password = NULL;
char *crypt_string;
const char *prefix;
- int prefix_len;
+ int settings_len = sizeof (settings) - 2;
unsigned int pw_len, salt_size;
if (input_pw) {
@@ -1958,12 +1964,17 @@ generate_pw_hash (const char *input_pw)
prefix = get_crypt_prefix (DEFAULT_CRYPT_METHOD);
if (!prefix)
return -1;
- prefix_len = strlen(prefix);
- strncpy (settings, prefix, prefix_len);
+ memset (settings, 0, sizeof (settings));
+ next = stpncpy (settings, prefix, settings_len);
salt_size = get_salt_size (DEFAULT_CRYPT_METHOD);
- generate_salt ((settings + prefix_len), salt_size);
- settings[DEFAULT_SALT_SIZE + prefix_len] = '\0';
+ if (salt_size > settings_len - (next - settings)) {
+ errno = EOVERFLOW;
+ return -1;
+ }
+ generate_salt (next, salt_size);
+ next += salt_size;
+ *next = '\0';
crypt_string = crypt (password, settings);
free (password);

View File

@ -0,0 +1,30 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 25 Jul 2018 10:27:34 -0400
Subject: [PATCH] Fix a integer comparison sign issue.
I introduced this, and it's stupid:
mokutil.c: In function 'generate_pw_hash':
mokutil.c:1971:16: error: comparison of integer expressions of different signedness: 'unsigned int' and 'int' [-Werror=sign-compare]
if (salt_size > settings_len - (next - settings)) {
^
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/mokutil.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index b508010..ac15c73 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1938,7 +1938,7 @@ generate_pw_hash (const char *input_pw)
char *password = NULL;
char *crypt_string;
const char *prefix;
- int settings_len = sizeof (settings) - 2;
+ unsigned int settings_len = sizeof (settings) - 2;
unsigned int pw_len, salt_size;
if (input_pw) {

View File

@ -0,0 +1,240 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 17 Aug 2020 14:18:31 -0400
Subject: [PATCH] initial mok-variables code
This patch adds support for getting mok variables from
/sys/firmware/fi/mok-variables/$NAME , if they are present, as well as
for checking MokListRT, MokListRT1, MokListRT2, etc., for any of the mok
variables.
Resolves: rhbz#1868820
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/mokutil.c | 175 ++++++++++++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 151 insertions(+), 24 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index ac15c73..838599c 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -229,6 +229,63 @@ signature_size (const efi_guid_t *hash_type)
return 0;
}
+static int
+mok_get_variable(const char *name, uint8_t **datap, size_t *data_sizep)
+{
+ char filename[] = "/sys/firmware/efi/mok-variables/implausibly-long-mok-variable-name";
+ size_t filename_sz = sizeof(filename);
+ int fd, rc;
+ struct stat sb = { 0, };
+ uint8_t *buf;
+ size_t bufsz, pos = 0;
+ ssize_t ssz;
+
+ *datap = 0;
+ *data_sizep = 0;
+
+ snprintf(filename, filename_sz, "/sys/firmware/efi/mok-variables/%s", name);
+
+ fd = open(filename, O_RDONLY);
+ if (fd < 0)
+ return fd;
+
+ rc = fstat(fd, &sb);
+ if (rc < 0) {
+err_close:
+ close(fd);
+ return rc;
+ }
+
+ if (sb.st_size == 0) {
+ errno = ENOENT;
+ rc = -1;
+ goto err_close;
+ }
+
+ bufsz = sb.st_size;
+ buf = calloc(1, bufsz);
+ if (!buf)
+ goto err_close;
+
+ while (pos < bufsz) {
+ ssz = read(fd, &buf[pos], bufsz - pos);
+ if (ssz < 0) {
+ if (errno == EAGAIN ||
+ errno == EWOULDBLOCK ||
+ errno == EINTR)
+ continue;
+ free(buf);
+ goto err_close;
+ }
+
+ pos += ssz;
+ }
+ *datap = buf;
+ *data_sizep = pos;
+
+ return 0;
+}
+
static MokListNode*
build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
{
@@ -596,25 +653,44 @@ static int
list_keys_in_var (const char *var_name, const efi_guid_t guid)
{
uint8_t *data = NULL;
- size_t data_size;
+ char varname[] = "implausibly-long-mok-variable-name";
+ size_t data_sz, i, varname_sz = sizeof(varname);
uint32_t attributes;
int ret;
- ret = efi_get_variable (guid, var_name, &data, &data_size, &attributes);
- if (ret < 0) {
- if (errno == ENOENT) {
- printf ("%s is empty\n", var_name);
- return 0;
+ ret = mok_get_variable(var_name, &data, &data_sz);
+ if (ret >= 0) {
+ ret = list_keys (data, data_sz);
+ free(data);
+ return ret;
+ }
+
+ for (i = 0; i < SIZE_MAX; i++) {
+ if (i == 0) {
+ snprintf(varname, varname_sz, "%s", var_name);
+ } else {
+ snprintf(varname, varname_sz, "%s%zu", var_name, i);
}
- fprintf (stderr, "Failed to read %s: %m\n", var_name);
- return -1;
+ ret = efi_get_variable (guid, varname, &data, &data_sz,
+ &attributes);
+ if (ret < 0)
+ return 0;
+
+ ret = list_keys (data, data_sz);
+ free(data);
+ /*
+ * If ret is < 0, the next one will error as well.
+ * If ret is 0, we need to test the next variable.
+ * If it's 1, that's a real answer.
+ */
+ if (ret < 0)
+ return 0;
+ if (ret > 0)
+ return ret;
}
- ret = list_keys (data, data_size);
- free (data);
-
- return ret;
+ return 0;
}
static int
@@ -1013,22 +1089,15 @@ is_valid_cert (void *cert, uint32_t cert_size)
}
static int
-is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size,
- const efi_guid_t *vendor, const char *db_name)
+is_one_duplicate (const efi_guid_t *type,
+ const void *data, const uint32_t data_size,
+ uint8_t *var_data, size_t var_data_size)
{
- uint8_t *var_data;
- size_t var_data_size;
- uint32_t attributes;
uint32_t node_num;
MokListNode *list;
int ret = 0;
- if (!data || data_size == 0 || !db_name)
- return 0;
-
- ret = efi_get_variable (*vendor, db_name, &var_data, &var_data_size,
- &attributes);
- if (ret < 0)
+ if (!data || data_size == 0)
return 0;
list = build_mok_list (var_data, var_data_size, &node_num);
@@ -1060,11 +1129,69 @@ is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size
done:
if (list)
free (list);
- free (var_data);
return ret;
}
+static int
+is_duplicate (const efi_guid_t *type,
+ const void *data, const uint32_t data_size,
+ const efi_guid_t *vendor, const char *db_name)
+{
+ uint32_t attributes;
+ char varname[] = "implausibly-long-mok-variable-name";
+ size_t varname_sz = sizeof(varname);
+ int ret = 0;
+ size_t i;
+
+ if (!strncmp(db_name, "Mok", 3)) {
+ uint8_t *var_data = NULL;
+ size_t var_data_size = 0;
+ ret = mok_get_variable(db_name, &var_data, &var_data_size);
+ if (ret >= 0) {
+ ret = is_one_duplicate(type, data, data_size,
+ var_data, var_data_size);
+ if (ret >= 0) {
+ free (var_data);
+ return ret;
+ }
+ var_data = NULL;
+ var_data_size = 0;
+ }
+ }
+
+ for (i = 0; i < SIZE_MAX; i++) {
+ uint8_t *var_data = NULL;
+ size_t var_data_size = 0;
+ if (i == 0) {
+ snprintf(varname, varname_sz, "%s", db_name);
+ } else {
+ snprintf(varname, varname_sz, "%s%zu", db_name, i);
+ }
+
+ ret = efi_get_variable (*vendor, varname,
+ &var_data, &var_data_size,
+ &attributes);
+ if (ret < 0)
+ return 0;
+
+ ret = is_one_duplicate(type, data, data_size,
+ var_data, var_data_size);
+ free (var_data);
+ /*
+ * If ret is < 0, the next one will error as well.
+ * If ret is 0, we need to test the next variable.
+ * If it's 1, that's a real answer.
+ */
+ if (ret < 0)
+ return 0;
+ if (ret > 0)
+ return ret;
+ }
+
+ return 0;
+}
+
static int
is_valid_request (const efi_guid_t *type, void *mok, uint32_t mok_size,
MokRequest req)

View File

@ -0,0 +1,193 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Renaud=20M=C3=A9trich?= <rmetrich@redhat.com>
Date: Fri, 3 Dec 2021 14:18:31 +0100
Subject: [PATCH] mokutil: enable setting fallback verbosity and noreboot mode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Having mokutil handle FALLBACK_VERBOSE and FB_NO_REBOOT variables eases
fallback debugging.
Signed-off-by: Renaud Métrich <rmetrich@redhat.com>
(cherry picked from commit 57bc385827e7c0e0c86f30bbfa2d48ca9505537e)
(cherry picked from commit 99d3990bdbbca0419dc97133f27d6932b3234224)
[rharwood: no sb_check, no util renaming]
(cherry picked from commit 157a0969bdb5e7df152b4241f90b48209c235f2f)
[rharwood: flags are sparse now]
---
src/mokutil.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
data/mokutil | 8 +++++++
man/mokutil.1 | 10 +++++++++
3 files changed, 88 insertions(+)
diff --git a/src/mokutil.c b/src/mokutil.c
index 838599c..1cec4e9 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -83,6 +83,8 @@
#define IMPORT_HASH (1 << 21)
#define DELETE_HASH (1 << 22)
#define VERBOSITY (1 << 23)
+#define FB_VERBOSITY (1 << 25)
+#define FB_NOREBOOT (1 << 26)
#define DEFAULT_CRYPT_METHOD SHA512_BASED
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
@@ -152,6 +154,8 @@ print_help ()
printf (" --import-hash <hash>\t\t\tImport a hash into MOK or MOKX\n");
printf (" --delete-hash <hash>\t\t\tDelete a hash in MOK or MOKX\n");
printf (" --set-verbosity <true/false>\t\tSet the verbosity bit for shim\n");
+ printf (" --set-fallback-verbosity <true/false>\t\tSet the verbosity bit for fallback\n");
+ printf (" --set-fallback-noreboot <true/false>\t\tPrevent fallback from automatically rebooting\n");
printf (" --pk\t\t\t\t\tList the keys in PK\n");
printf (" --kek\t\t\t\t\tList the keys in KEK\n");
printf (" --db\t\t\t\t\tList the keys in db\n");
@@ -2135,6 +2139,46 @@ set_verbosity (uint8_t verbosity)
return 0;
}
+static int
+set_fallback_verbosity (const uint8_t verbosity)
+{
+ if (verbosity) {
+ uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS
+ | EFI_VARIABLE_RUNTIME_ACCESS;
+ if (efi_set_variable (efi_guid_shim, "FALLBACK_VERBOSE",
+ (uint8_t *)&verbosity, sizeof (verbosity),
+ attributes, S_IRUSR | S_IWUSR) < 0) {
+ fprintf (stderr, "Failed to set FALLBACK_VERBOSE\n");
+ return -1;
+ }
+ } else {
+ return test_and_delete_var ("FALLBACK_VERBOSE");
+ }
+
+ return 0;
+}
+
+static int
+set_fallback_noreboot (const uint8_t noreboot)
+{
+ if (noreboot) {
+ uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS
+ | EFI_VARIABLE_RUNTIME_ACCESS;
+ if (efi_set_variable (efi_guid_shim, "FB_NO_REBOOT",
+ (uint8_t *)&noreboot, sizeof (noreboot),
+ attributes, S_IRUSR | S_IWUSR) < 0) {
+ fprintf (stderr, "Failed to set FB_NO_REBOOT\n");
+ return -1;
+ }
+ } else {
+ return test_and_delete_var ("FB_NO_REBOOT");
+ }
+
+ return 0;
+}
+
static inline int
list_db (DBName db_name)
{
@@ -2169,6 +2213,8 @@ main (int argc, char *argv[])
unsigned int command = 0;
int use_root_pw = 0;
uint8_t verbosity = 0;
+ uint8_t fb_verbosity = 0;
+ uint8_t fb_noreboot = 0;
DBName db_name = MOK_LIST_RT;
int ret = -1;
@@ -2207,6 +2253,8 @@ main (int argc, char *argv[])
{"import-hash", required_argument, 0, 0 },
{"delete-hash", required_argument, 0, 0 },
{"set-verbosity", required_argument, 0, 0 },
+ {"set-fallback-verbosity", required_argument, 0, 0 },
+ {"set-fallback-noreboot", required_argument, 0, 0 },
{"pk", no_argument, 0, 0 },
{"kek", no_argument, 0, 0 },
{"db", no_argument, 0, 0 },
@@ -2270,6 +2318,22 @@ main (int argc, char *argv[])
verbosity = 0;
else
command |= HELP;
+ } else if (strcmp (option, "set-fallback-verbosity") == 0) {
+ command |= FB_VERBOSITY;
+ if (strcmp (optarg, "true") == 0)
+ fb_verbosity = 1;
+ else if (strcmp (optarg, "false") == 0)
+ fb_verbosity = 0;
+ else
+ command |= HELP;
+ } else if (strcmp (option, "set-fallback-noreboot") == 0) {
+ command |= FB_NOREBOOT;
+ if (strcmp (optarg, "true") == 0)
+ fb_noreboot = 1;
+ else if (strcmp (optarg, "false") == 0)
+ fb_noreboot = 0;
+ else
+ command |= HELP;
} else if (strcmp (option, "pk") == 0) {
if (db_name != MOK_LIST_RT) {
command |= HELP;
@@ -2557,6 +2621,12 @@ main (int argc, char *argv[])
case VERBOSITY:
ret = set_verbosity (verbosity);
break;
+ case FB_VERBOSITY:
+ ret = set_fallback_verbosity (fb_verbosity);
+ break;
+ case FB_NOREBOOT:
+ ret = set_fallback_noreboot (fb_noreboot);
+ break;
default:
print_help ();
break;
diff --git a/data/mokutil b/data/mokutil
index 800b039..af6b6ff 100755
--- a/data/mokutil
+++ b/data/mokutil
@@ -24,6 +24,14 @@ _mokutil()
COMPREPLY=( $( compgen -W "true false") )
return 0
;;
+ --set-fallback-verbosity)
+ COMPREPLY=( $( compgen -W "true false") )
+ return 0
+ ;;
+ --set-fallback-noreboot)
+ COMPREPLY=( $( compgen -W "true false") )
+ return 0
+ ;;
--generate-hash|-g)
COMPREPLY=( $( compgen -o nospace -P= -W "") )
return 0
diff --git a/man/mokutil.1 b/man/mokutil.1
index 25fe8b4..30dcfb2 100644
--- a/man/mokutil.1
+++ b/man/mokutil.1
@@ -65,6 +65,10 @@ mokutil \- utility to manipulate machine owner keys
.br
\fBmokutil\fR [--set-verbosity (\fItrue\fR | \fIfalse\fR)]
.br
+\fBmokutil\fR [--set-fallback-verbosity (\fItrue\fR | \fIfalse\fR)]
+.br
+\fBmokutil\fR [--set-fallback-noreboot (\fItrue\fR | \fIfalse\fR)]
+.br
\fBmokutil\fR [--pk]
.br
\fBmokutil\fR [--kek]
@@ -161,6 +165,12 @@ this is not the password hash.
\fB--set-verbosity\fR
Set the SHIM_VERBOSE to make shim more or less verbose
.TP
+\fB--set-fallback-verbosity\fR
+Set the FALLBACK_VERBOSE to make fallback more or less verbose
+.TP
+\fB--set-fallback-noreboot\fR
+Set the FB_NO_REBOOT to prevent fallback from automatically rebooting the system
+.TP
\fB--pk\fR
List the keys in the public Platform Key (PK)
.TP

View File

@ -1,4 +1,13 @@
Patch0001: 0001-Show-usage-instead-of-aborting-on-bad-flags.patch
Patch0002: 0002-mokutil-bugfix-del-unused-opt-s.patch
Patch0003: 0003-Fix-leak-of-list-in-delete_data_from_req_var.patch
Patch0004: 0004-Fix-leak-of-fd-in-mok_get_variable.patch
Patch0001: 0001-Fix-the-potential-buffer-overflow.patch
Patch0002: 0002-Fix-the-32bit-signedness-comparison.patch
Patch0003: 0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch
Patch0004: 0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch
Patch0005: 0005-Make-all-efi_guid_t-const.patch
Patch0006: 0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch
Patch0007: 0007-Add-bash-completion-file.patch
Patch0008: 0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch
Patch0009: 0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch
Patch0010: 0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch
Patch0011: 0011-Fix-a-integer-comparison-sign-issue.patch
Patch0012: 0012-initial-mok-variables-code.patch
Patch0013: 0013-mokutil-enable-setting-fallback-verbosity-and-norebo.patch

View File

@ -1,26 +1,17 @@
Name: mokutil
Version: 0.6.0
Release: 4%{?dist}
Epoch: 2
Version: 0.3.0
Release: 12%{?dist}
Epoch: 1
Summary: Tool to manage UEFI Secure Boot MoK Keys
License: GPLv3+
URL: https://github.com/lcp/mokutil
Source0: https://github.com/lcp/mokutil/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
Source1: mokutil.patches
ExclusiveArch: %{ix86} x86_64 aarch64 %{arm}
BuildRequires: autoconf
BuildRequires: automake
ExclusiveArch: %{ix86} x86_64 aarch64
BuildRequires: autoconf automake gnu-efi git openssl-devel openssl
BuildRequires: efivar-devel >= 31-1
BuildRequires: gcc
BuildRequires: git
BuildRequires: gnu-efi
BuildRequires: keyutils-libs-devel
BuildRequires: make
BuildRequires: openssl
BuildRequires: openssl-devel
Source0: https://github.com/lcp/mokutil/archive/%{version}.tar.gz
Source1: mokutil.patches
Conflicts: shim < 0.8-1%{?dist}
Obsoletes: mokutil < 0.2.0
Obsoletes: mokutil <= 1:0.3.0-1
%include %{SOURCE1}
@ -29,17 +20,27 @@ mokutil provides a tool to manage keys for Secure Boot through the MoK
("Machine's Own Keys") mechanism.
%prep
%autosetup -S git_am -b 0 -T
%setup -q -n %{name}-%{version}
git init
git config user.email "%{name}-owner@fedoraproject.org"
git config user.name "Fedora Ninjas"
git add .
git commit -a -q -m "%{version} baseline."
git am %{patches} </dev/null
git config --unset user.email
git config --unset user.name
%build
./autogen.sh
%configure
%{make_build}
make %{?_smp_mflags}
%install
%{make_install}
rm -rf %{buildroot}
make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
%files
%{!?_licensedir:%global license %%doc}
%license COPYING
%doc README
%{_bindir}/mokutil
@ -47,77 +48,23 @@ mokutil provides a tool to manage keys for Secure Boot through the MoK
%{_datadir}/bash-completion/completions/mokutil
%changelog
* Thu Oct 27 2022 Robbie Harwood <rharwood@redhat.com> - 2:0.6.0-4
- Sync with Fedora at same NVR
- Resolves: #2084621
* Mon Mar 28 2022 Robbie Harwood <rharwood@redhat.com> - 1:0.3.0-12
- Add ability to set fallback verbose mode
- Resolves: #2030704
* Wed Jun 01 2022 Peter Jones <pjones@redhat.com> - 2:0.5.0-3
- Add support for "mokutil --list-sbat-revocations" and
"mokutil --set-sbat-policy"
Related: CVE-2022-28737
* Tue Jan 05 2021 Javier Martinez Canillas <javierm@redhat.com> - 0.3.0-11
- Bump NVR for brew to build the package
Related: rhbz##1907418
* Thu May 05 2022 Robbie Harwood <rharwood@redhat.com> - 2:0.5.0-2
- Add git to buildrequires
- Resolves: #2081474
* Wed Dec 30 2020 Javier Martinez Canillas <javierm@redhat.com> - 0.3.0-10
- Add mokutil code to consume data from /sys/firmware/efi/mok-variables/
as well as attempting to consume numbered mok variables from efivarfs
when mok-variables aren't present (pjones)
Resolves: rhbz#1907418
* Thu May 05 2022 Robbie Harwood <rharwood@redhat.com> - 2:0.5.0-1
- New upstream version (0.5.0)
- Resolves: #2081474
* Mon Mar 28 2022 Robbie Harwood <rharwood@redhat.com> - 2:0.4.0-9
- Add ability to change fallback verbose mode
- Resolves: #2069296
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2:0.4.0-8
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 2:0.4.0-7
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Tue May 25 2021 Javier Martinez Canillas <javierm@redhat.com> - 0.4.0-6
- Port to OpenSSL 3.0
Resolves: rhbz#1958040
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2:0.4.0-5
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Wed Mar 17 2021 Javier Martinez Canillas <javierm@redhat.com> - 0.4.0-4
- Add SBAT and mok-variables support
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2:0.4.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:0.4.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Thu Jun 11 2020 Javier Martinez Canillas <javierm@redhat.com> - 0.4.0-1
- Update to 0.4.0 release
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:0.3.0-15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Tue Nov 12 2019 Peter Jones <pjones@redhat.com> - 0.3.0-14
- Pull one more upstream patch to keep this in sync with the f31 build.
* Thu Oct 24 2019 Leigh Scott <leigh123linux@googlemail.com> - 1:0.3.0-14
- Apply upstream commits to fix FTBFS
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.3.0-13
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.3.0-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 1:0.3.0-11
- Rebuilt for libcrypt.so.2 (#1666033)
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.3.0-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.3.0-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Tue Jul 24 2018 Peter Jones <pjones@redhat.com> - 0.3.0-9
- Minor obsoletes fix
- Import some fixes from upstream
* Sat Jan 20 2018 Björn Esser <besser82@fedoraproject.org> - 1:0.3.0-8
- Rebuilt for switch to libxcrypt