rpms/pesign
7
0
Fork 0
Code Issues Pull Requests Releases Activity

New upstream release (116)

Browse Source 
Resolves: CVE-2022-3560
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
This commit is contained in:
Robbie Harwood 2023-01-31 15:03:53 +00:00
parent bb3aaa1ba2
commit 0b14fad476
26 changed files with 7 additions and 2589 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
0001-daemon-remove-always-true-comparison.patch
View File

@ -1,24 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 8 Mar 2022 12:59:34 -0500
Subject: [PATCH] daemon: remove always-true comparison
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/daemon.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/daemon.c b/src/daemon.c
index 0a66deb..ff88210 100644
--- a/src/daemon.c
+++ b/src/daemon.c
@@ -221,8 +221,7 @@ malformed:
if (!ctx->cms->tokenname)
goto oom;
- if (!tp->value)
- pin = strndup((char *)tp->value, tp->size);
+ pin = strndup((char *)tp->value, tp->size);
if (!pin)
goto oom;

40
0002-make-handle-some-gcc-Wanalyzer-flags-better.patch
View File

@ -1,40 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 11 Mar 2022 12:45:28 -0500
Subject: [PATCH] make: handle some gcc -Wanalyzer flags better
This makes it so we won't use the -Wanalyzer / -fanalyzer flags by
default, because they're still pretty overzealous.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
Make.defaults | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Make.defaults b/Make.defaults
index 130c1ee..1c18904 100644
--- a/Make.defaults
+++ b/Make.defaults
@@ -32,11 +32,11 @@ CCLD := $(if $(filter undefined,$(origin CCLD)),$(CC),$(CCLD))
CFLAGS ?= -O2 -g3 -pipe -fPIE -fstack-protector-all \
-fstack-clash-protection \
$(if $(filter x86_64 ia32,$(ARCH)),-fcf-protection=full,)
-DIAGFLAGS ?= -fmessage-length=0 \
+DIAGFLAGS ?= $(call enabled,ENABLE_GCC_ANALYZER,-fmessage-length=0 \
-fdiagnostics-color=always \
-fdiagnostics-format=text \
-fdiagnostics-show-cwe \
- -fanalyzer \
+ -fanalyzer) \
$(call enabled,ENABLE_LEAK_CHECKER,-Wno-analyzer-malloc-leak,)
AS ?= $(CROSS_COMPILE)as
AR ?= $(CROSS_COMPILE)$(if $(filter $(CC),clang),llvm-ar,$(notdir $(CC))-ar)
@@ -59,7 +59,7 @@ endif
cflags = $(CFLAGS) $(ARCH3264) \
-Wall -Wextra -Wsign-compare -Wno-unused-result \
-Wno-unused-function -Wno-missing-field-initializers \
- -Wno-analyzer-malloc-leak \
+ $(call enabled,ENABLE_LEAK_CHECKER,-Wno-analyzer-malloc-leak,) \
-Werror -Wno-error=cpp -Wno-free-nonheap-object \
-std=gnu11 -fshort-wchar -fPIC -fno-strict-aliasing \
-D_GNU_SOURCE -DCONFIG_$(ARCH) -I${TOPDIR}/include \

664
0003-Rename-dprintf-to-dbgprintf.patch
View File

@ -1,664 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 11 Mar 2022 12:46:16 -0500
Subject: [PATCH] Rename "dprintf' to "dbgprintf"
stdio defines a dprintf() macro now, so using dprintf() for our debug
printer gets obnoxious warnings. This renames it to dbgprintf().
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/cms_common.c | 73 +++++++++++++++++++++++++++++------------------------
src/cms_pe_common.c | 20 +++++++--------
src/efikeygen.c | 16 ++++++------
src/file_pe.c | 6 +++--
src/password.c | 68 ++++++++++++++++++++++++-------------------------
src/pesign.c | 10 ++++----
src/util.h | 26 +++++++++----------
7 files changed, 114 insertions(+), 105 deletions(-)
diff --git a/src/cms_common.c b/src/cms_common.c
index ca37e6a..86341ca 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -333,13 +333,13 @@ void cms_set_pw_data(cms_context *cms, secuPWData *pwdata)
if (!pwdata) {
cms->pwdata.source = PW_SOURCE_INVALID;
- dprintf("pwdata:NULL");
+ dbgprintf("pwdata:NULL");
} else {
memmove(&cms->pwdata, pwdata, sizeof(*pwdata));
- dprintf("pwdata:%p", pwdata);
- dprintf("pwdata->source:%d", pwdata->source);
- dprintf("pwdata->data:%p (\"%s\")", pwdata->data,
- pwdata->data ? pwdata->data : "(null)");
+ dbgprintf("pwdata:%p", pwdata);
+ dbgprintf("pwdata->source:%d", pwdata->source);
+ dbgprintf("pwdata->data:%p (\"%s\")", pwdata->data,
+ pwdata->data ? pwdata->data : "(null)");
}
egress();
@@ -382,7 +382,7 @@ is_valid_cert(CERTCertificate *cert, void *data)
errnum = PORT_GetError();
if (errnum == SEC_ERROR_EXTENSION_NOT_FOUND) {
- dprintf("Got SEC_ERROR_EXTENSION_NOT_FOUND; clearing");
+ dbgprintf("Got SEC_ERROR_EXTENSION_NOT_FOUND; clearing");
PORT_SetError(0);
errnum = 0;
}
@@ -415,7 +415,7 @@ is_valid_cert_without_private_key(CERTCertificate *cert, void *data)
errnum = PORT_GetError();
if (errnum == SEC_ERROR_EXTENSION_NOT_FOUND) {
- dprintf("Got SEC_ERROR_EXTENSION_NOT_FOUND; clearing");
+ dbgprintf("Got SEC_ERROR_EXTENSION_NOT_FOUND; clearing");
PORT_SetError(0);
errnum = 0;
}
@@ -467,23 +467,23 @@ unescape_html_in_place(char *s)
size_t pos = 0;
char *s1;
- dprintf("unescaping pos:%zd sz:%zd \"%s\"", pos, sz, s);
+ dbgprintf("unescaping pos:%zd sz:%zd \"%s\"", pos, sz, s);
do {
s1 = strchrnul(&s[pos], '%');
if (s1[0] == '\0')
break;
- dprintf("s1 is \"%s\"", s1);
+ dbgprintf("s1 is \"%s\"", s1);
if ((size_t)(s1 - s) < (size_t)(sz - 3)) {
int c;
c = (hexchar_to_bin(s1[1]) << 4)
| (hexchar_to_bin(s1[2]) & 0xf);
- dprintf("replacing %%%c%c with 0x%02hhx", s1[1], s1[2], (char)c);
+ dbgprintf("replacing %%%c%c with 0x%02hhx", s1[1], s1[2], (char)c);
s1[0] = c;
memmove(&s1[1], &s1[3], sz - (&s1[3] - s));
sz -= 2;
pos = &s1[1] - s;
- dprintf("new pos:%zd sz:%zd s:\"%s\"", pos, sz, s);
+ dbgprintf("new pos:%zd sz:%zd s:\"%s\"", pos, sz, s);
}
} while (pos < sz);
}
@@ -499,7 +499,7 @@ resolve_pkcs11_token_in_place(char *tokenname)
char c = *cp;
*cp = '\0';
- dprintf("ntn:\"%s\"", ntn);
+ dbgprintf("ntn:\"%s\"", ntn);
if (!strncmp(&ntn[pos], "token=", 6)) {
ntn += 6;
memmove(tokenname, ntn, cp - ntn + 1);
@@ -510,13 +510,13 @@ resolve_pkcs11_token_in_place(char *tokenname)
ntn = cp + (c ? 1 : 0);
}
unescape_html_in_place(tokenname);
- dprintf("token name is \"%s\"", tokenname);
+ dbgprintf("token name is \"%s\"", tokenname);
}
#define resolve_token_name(tn) ({ \
char *s_ = tn; \
if (!strncmp(tn, "pkcs11:", 7)) { \
- dprintf("provided token name is pkcs11 uri; parsing"); \
+ dbgprintf("provided token name is pkcs11 uri; parsing");\
s_ = strdupa(tn+7); \
resolve_pkcs11_token_in_place(s_); \
} \
@@ -528,7 +528,8 @@ unlock_nss_token(cms_context *cms)
{
char *tokenname = resolve_token_name(cms->tokenname);
- dprintf("setting password function to %s", cms->func ? "cms->func" : "SECU_GetModulePassword");
+ dbgprintf("setting password function to %s",
+ cms->func ? "cms->func" : "SECU_GetModulePassword");
PK11_SetPasswordFunc(cms->func ? cms->func : SECU_GetModulePassword);
PK11SlotList *slots = NULL;
@@ -592,7 +593,8 @@ find_certificate(cms_context *cms, int needs_private_key)
return -1;
}
- dprintf("setting password function to %s", cms->func ? "cms->func" : "SECU_GetModulePassword");
+ dbgprintf("setting password function to %s",
+ cms->func ? "cms->func" : "SECU_GetModulePassword");
PK11_SetPasswordFunc(cms->func ? cms->func : SECU_GetModulePassword);
PK11SlotList *slots = NULL;
@@ -610,10 +612,10 @@ find_certificate(cms_context *cms, int needs_private_key)
}
while (psle) {
- dprintf("looking for token \"%s\", got \"%s\"",
- tokenname, PK11_GetTokenName(psle->slot));
+ dbgprintf("looking for token \"%s\", got \"%s\"",
+ tokenname, PK11_GetTokenName(psle->slot));
if (!strcmp(tokenname, PK11_GetTokenName(psle->slot))) {
- dprintf("found token \"%s\"", tokenname);
+ dbgprintf("found token \"%s\"", tokenname);
break;
}
@@ -673,8 +675,9 @@ find_certificate(cms_context *cms, int needs_private_key)
psle->slot, is_valid_cert, &cbd);
errnum = PORT_GetError();
if (errnum)
- dprintf("PK11_TraverseCertsForNicknameInSlot():%s:%s",
- PORT_ErrorToName(errnum), PORT_ErrorToString(errnum));
+ dbgprintf("PK11_TraverseCertsForNicknameInSlot():%s:%s",
+ PORT_ErrorToName(errnum),
+ PORT_ErrorToString(errnum));
} else {
status = PK11_TraverseCertsForNicknameInSlot(&nickname,
psle->slot,
@@ -682,28 +685,30 @@ find_certificate(cms_context *cms, int needs_private_key)
&cbd);
errnum = PORT_GetError();
if (errnum)
- dprintf("PK11_TraverseCertsForNicknameInSlot():%s:%s",
- PORT_ErrorToName(errnum), PORT_ErrorToString(errnum));
+ dbgprintf("PK11_TraverseCertsForNicknameInSlot():%s:%s",
+ PORT_ErrorToName(errnum),
+ PORT_ErrorToString(errnum));
}
- dprintf("status:%d cbd.cert:%p", status, cbd.cert);
+ dbgprintf("status:%d cbd.cert:%p", status, cbd.cert);
if (status == SECSuccess && cbd.cert != NULL) {
if (cms->cert)
CERT_DestroyCertificate(cms->cert);
cms->cert = CERT_DupCertificate(cbd.cert);
} else {
errnum = PORT_GetError();
- dprintf("token traversal %s; cert %sfound:%s:%s",
- status == SECSuccess ? "succeeded" : "failed",
- cbd.cert == NULL ? "not" : "",
- PORT_ErrorToName(errnum), PORT_ErrorToString(errnum));
+ dbgprintf("token traversal %s; cert %sfound:%s:%s",
+ status == SECSuccess ? "succeeded" : "failed",
+ cbd.cert == NULL ? "not" : "",
+ PORT_ErrorToName(errnum),
+ PORT_ErrorToString(errnum));
}
save_port_err() {
- dprintf("Destroying cert list");
+ dbgprintf("Destroying cert list");
CERT_DestroyCertList(certlist);
- dprintf("Destroying slot list element");
+ dbgprintf("Destroying slot list element");
PK11_DestroySlotListElement(slots, &psle);
- dprintf("Destroying slot list");
+ dbgprintf("Destroying slot list");
PK11_FreeSlotList(slots);
cms->psle = NULL;
}
@@ -723,7 +728,8 @@ find_slot_for_token(cms_context *cms, PK11SlotInfo **slot)
char *tokenname = resolve_token_name(cms->tokenname);
- dprintf("setting password function to %s", cms->func ? "cms->func" : "SECU_GetModulePassword");
+ dbgprintf("setting password function to %s",
+ cms->func ? "cms->func" : "SECU_GetModulePassword");
PK11_SetPasswordFunc(cms->func ? cms->func : SECU_GetModulePassword);
PK11SlotList *slots = NULL;
@@ -792,7 +798,8 @@ find_certificate_by_callback(cms_context *cms,
return -1;
}
- dprintf("setting password function to %s", cms->func ? "cms->func" : "SECU_GetModulePassword");
+ dbgprintf("setting password function to %s",
+ cms->func ? "cms->func" : "SECU_GetModulePassword");
PK11_SetPasswordFunc(cms->func ? cms->func : SECU_GetModulePassword);
PK11SlotList *slots = NULL;
diff --git a/src/cms_pe_common.c b/src/cms_pe_common.c
index 3a3921b..fb90ecb 100644
--- a/src/cms_pe_common.c
+++ b/src/cms_pe_common.c
@@ -188,8 +188,8 @@ generate_digest(cms_context *cms, Pe *pe, int padded)
}
if (!check_pointer_and_size(cms, pe, hash_base, hash_size))
cmsgotoerr(error, cms, "PE header is invalid");
- dprintf("beginning of hash");
- dprintf("digesting %tx + %zx", hash_base - map, hash_size);
+ dbgprintf("beginning of hash");
+ dbgprintf("digesting %tx + %zx", hash_base - map, hash_size);
generate_digest_step(cms, hash_base, hash_size);
/* 5. Skip over the image checksum
@@ -209,7 +209,7 @@ generate_digest(cms_context *cms, Pe *pe, int padded)
cmsgotoerr(error, cms, "PE data directory is invalid");
generate_digest_step(cms, hash_base, hash_size);
- dprintf("digesting %tx + %zx", hash_base - map, hash_size);
+ dbgprintf("digesting %tx + %zx", hash_base - map, hash_size);
/* 8. Skip over the crt dir
* 9. Hash everything up to the end of the image header. */
@@ -222,7 +222,7 @@ generate_digest(cms_context *cms, Pe *pe, int padded)
cmsgotoerr(error, cms, "PE relocations table is invalid");
generate_digest_step(cms, hash_base, hash_size);
- dprintf("digesting %tx + %zx", hash_base - map, hash_size);
+ dbgprintf("digesting %tx + %zx", hash_base - map, hash_size);
/* 10. Set SUM_OF_BYTES_HASHED to the size of the header. */
hashed_bytes = pe32opthdr ? pe32opthdr->header_size
@@ -256,16 +256,16 @@ generate_digest(cms_context *cms, Pe *pe, int padded)
char *name = shdrs[i].name;
if (name && name[0] == '/')
name = get_str(cms, pe, name + 1);
- dprintf("section:\"%s\"", name ? name : "(null)");
+ dbgprintf("section:\"%s\"", name ? name : "(null)");
if (name && !strcmp(name, ".vendor_cert")) {
- dprintf("skipping .vendor_cert section");
+ dbgprintf("skipping .vendor_cert section");
hashed_bytes += hash_size;
continue;
}
}
generate_digest_step(cms, hash_base, hash_size);
- dprintf("digesting %tx + %zx", hash_base - map, hash_size);
+ dbgprintf("digesting %tx + %zx", hash_base - map, hash_size);
hashed_bytes += hash_size;
}
@@ -285,15 +285,15 @@ generate_digest(cms_context *cms, Pe *pe, int padded)
memset(tmp_array, '\0', tmp_size);
memcpy(tmp_array, hash_base, hash_size);
generate_digest_step(cms, tmp_array, tmp_size);
- dprintf("digesting %tx + %zx", (ptrdiff_t)tmp_array,
+ dbgprintf("digesting %tx + %zx", (ptrdiff_t)tmp_array,
tmp_size);
} else {
generate_digest_step(cms, hash_base, hash_size);
- dprintf("digesting %tx + %zx", hash_base - map,
+ dbgprintf("digesting %tx + %zx", hash_base - map,
hash_size);
}
}
- dprintf("end of hash");
+ dbgprintf("end of hash");
rc = generate_digest_finish(cms);
if (rc < 0)
diff --git a/src/efikeygen.c b/src/efikeygen.c
index 940fdf5..dd40502 100644
--- a/src/efikeygen.c
+++ b/src/efikeygen.c
@@ -1067,9 +1067,9 @@ int main(int argc, char *argv[])
errno = 0;
timeul = strtoul(not_valid_before, &endptr, 0);
- dprintf("not_valid_before:%lu", timeul);
+ dbgprintf("not_valid_before:%lu", timeul);
if (errno == 0 && endptr && *endptr == 0) {
- dprintf("not_valid_before:%lu", timeul);
+ dbgprintf("not_valid_before:%lu", timeul);
not_before = (PRTime)timeul * PR_USEC_PER_SEC;
} else {
prstatus = PR_ParseTimeString(not_valid_before,
@@ -1078,7 +1078,7 @@ int main(int argc, char *argv[])
"could not parse date \"%s\"",
not_valid_before);
}
- dprintf("not_before:%"PRId64, not_before);
+ dbgprintf("not_before:%"PRId64, not_before);
}
if (not_valid_after) {
@@ -1086,11 +1086,11 @@ int main(int argc, char *argv[])
char *endptr;
errno = 0;
- dprintf("not_valid_after:%s", not_valid_after);
+ dbgprintf("not_valid_after:%s", not_valid_after);
timeul = strtoul(not_valid_after, &endptr, 0);
- dprintf("not_valid_after:%lu", timeul);
+ dbgprintf("not_valid_after:%lu", timeul);
if (errno == 0 && endptr && *endptr == 0) {
- dprintf("not_valid_after:%lu", timeul);
+ dbgprintf("not_valid_after:%lu", timeul);
not_after = (PRTime)timeul * PR_USEC_PER_SEC;
} else {
prstatus = PR_ParseTimeString(not_valid_after, PR_TRUE,
@@ -1102,10 +1102,10 @@ int main(int argc, char *argv[])
} else {
// Mon Jan 19 03:14:07 GMT 2037, aka 0x7fffffff minus 1 year.
time_t time = 0x7ffffffful - 60ul * 60 * 24 * 365;
- dprintf("not_valid_after:%lu", time);
+ dbgprintf("not_valid_after:%lu", time);
not_after = (PRTime)time * PR_USEC_PER_SEC;
}
- dprintf("not_after:%"PRId64, not_after);
+ dbgprintf("not_after:%"PRId64, not_after);
CERTValidity *validity = NULL;
validity = CERT_CreateValidity(not_before, not_after);
diff --git a/src/file_pe.c b/src/file_pe.c
index fa97b89..fed6edb 100644
--- a/src/file_pe.c
+++ b/src/file_pe.c
@@ -264,7 +264,8 @@ pe_handle_action(pesign_context *ctxp, int action, int padding)
/* generate a signature and save it in a separate file */
case EXPORT_SIGNATURE|GENERATE_SIGNATURE:
perr = PORT_GetError();
- dprintf("PORT_GetError():%s:%s", PORT_ErrorToName(perr), PORT_ErrorToString(perr));
+ dbgprintf("PORT_GetError():%s:%s",
+ PORT_ErrorToName(perr), PORT_ErrorToString(perr));
PORT_SetError(0);
rc = find_certificate(ctxp->cms_ctx, 1);
conderrx(rc < 0, 1, "Could not find certificate %s",
@@ -281,7 +282,8 @@ pe_handle_action(pesign_context *ctxp, int action, int padding)
case IMPORT_SIGNATURE|GENERATE_SIGNATURE:
check_inputs(ctxp);
perr = PORT_GetError();
- dprintf("PORT_GetError():%s:%s", PORT_ErrorToName(perr), PORT_ErrorToString(perr));
+ dbgprintf("PORT_GetError():%s:%s",
+ PORT_ErrorToName(perr), PORT_ErrorToString(perr));
rc = find_certificate(ctxp->cms_ctx, 1);
conderrx(rc < 0, 1, "Could not find certificate %s",
ctxp->cms_ctx->certname);
diff --git a/src/password.c b/src/password.c
index 05add9a..18c32ed 100644
--- a/src/password.c
+++ b/src/password.c
@@ -167,7 +167,7 @@ SECU_GetPasswordString(void *arg UNUSED, char *prompt)
char *ret;
ingress();
ret = get_password(stdin, stdout, prompt, NULL);
- dprintf("password:\"%s\"", ret ? ret : "(null)");
+ dbgprintf("password:\"%s\"", ret ? ret : "(null)");
egress();
return ret;
}
@@ -194,7 +194,7 @@ parse_pwfile_line(char *start, struct token_pass *tp)
size_t offset = 0;
span = strspn(line, whitespace_and_eol_chars);
- dprintf("whitespace span is %zd", span);
+ dbgprintf("whitespace span is %zd", span);
if (span == 0 && line[span] == '\0')
return -1;
line += span;
@@ -210,17 +210,17 @@ parse_pwfile_line(char *start, struct token_pass *tp)
offset += escspan + 2;
} while(escspan < span);
span += offset;
- dprintf("non-whitespace span is %zd", span);
+ dbgprintf("non-whitespace span is %zd", span);
if (line[span] == '\0') {
- dprintf("returning %td", (line + span) - start);
+ dbgprintf("returning %td", (line + span) - start);
return (line + span) - start;
}
line[span] = '\0';
line += span + 1;
span = strspn(line, whitespace_and_eol_chars);
- dprintf("whitespace span is %zd", span);
+ dbgprintf("whitespace span is %zd", span);
line += span;
tp->token = tp->pass;
tp->pass = line;
@@ -233,15 +233,15 @@ parse_pwfile_line(char *start, struct token_pass *tp)
offset += escspan + 2;
} while(escspan < span);
span += offset;
- dprintf("non-whitespace span is %zd", span);
+ dbgprintf("non-whitespace span is %zd", span);
if (line[span] != '\0')
line[span++] = '\0';
resolve_escapes(tp->token);
- dprintf("Setting token pass %p to { %p, %p }", tp, tp->token, tp->pass);
- dprintf("token:\"%s\"", tp->token);
- dprintf("pass:\"%s\"", tp->pass);
- dprintf("returning %td", (line + span) - start);
+ dbgprintf("Setting token pass %p to { %p, %p }", tp, tp->token, tp->pass);
+ dbgprintf("token:\"%s\"", tp->token);
+ dbgprintf("pass:\"%s\"", tp->pass);
+ dbgprintf("returning %td", (line + span) - start);
return (line + span) - start;
}
@@ -260,7 +260,7 @@ SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg)
char *path;
ingress();
- dprintf("token_name: %s", token_name);
+ dbgprintf("token_name: %s", token_name);
if (cms->pwdata.source != PW_FROMFILEDB) {
cms->log(cms, LOG_ERR,
"Got to %s() but no file is specified.\n",
@@ -289,8 +289,8 @@ SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg)
if (rc < 0 || file_len < 1)
goto err_file;
file[file_len-1] = '\0';
- dprintf("file_len:%zd", file_len);
- dprintf("file:\"%s\"", file);
+ dbgprintf("file_len:%zd", file_len);
+ dbgprintf("file:\"%s\"", file);
unbreak_line_continuations(file, file_len);
}
@@ -314,23 +314,23 @@ SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg)
#pragma GCC diagnostic pop
span = strspn(start, whitespace_and_eol_chars);
- dprintf("whitespace span is %zd", span);
+ dbgprintf("whitespace span is %zd", span);
start += span;
span = strcspn(start, eol_chars);
- dprintf("non-whitespace span is %zd", span);
+ dbgprintf("non-whitespace span is %zd", span);
c = start[span];
start[span] = '\0';
- dprintf("file:\"%s\"", file);
+ dbgprintf("file:\"%s\"", file);
rc = parse_pwfile_line(start, &phrases[nphrases++]);
- dprintf("parse_pwfile_line returned %d", rc);
+ dbgprintf("parse_pwfile_line returned %d", rc);
if (rc < 0)
goto err_phrases;
if (c != '\0')
span++;
start += span;
- dprintf("start is file[%td] == '\\x%02hhx'", start - file,
+ dbgprintf("start is file[%td] == '\\x%02hhx'", start - file,
start[0]);
}
@@ -359,7 +359,7 @@ err_file:
err_phrases:
xfree(phrases);
err:
- dprintf("ret:\"%s\"", ret ? ret : "(null)");
+ dbgprintf("ret:\"%s\"", ret ? ret : "(null)");
egress();
return ret;
}
@@ -412,10 +412,10 @@ SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg)
ingress();
if (PK11_ProtectedAuthenticationPath(slot)) {
- dprintf("prompting for PW_DEVICE data");
+ dbgprintf("prompting for PW_DEVICE data");
pwdata = &pwxtrn;
} else {
- dprintf("using pwdata from cms");
+ dbgprintf("using pwdata from cms");
pwdata = &cms->pwdata;
}
@@ -423,17 +423,17 @@ SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg)
pwdata->source >= PW_SOURCE_MAX ||
pwdata->orig_source <= PW_SOURCE_INVALID ||
pwdata->orig_source >= PW_SOURCE_MAX) {
- dprintf("pwdata is invalid");
+ dbgprintf("pwdata is invalid");
return NULL;
}
- dprintf("pwdata:%p retry:%d", pwdata, retry);
- dprintf("pwdata->source:%s (%d) orig:%s (%d)",
- pw_source_names[pwdata->source], pwdata->source,
- pw_source_names[pwdata->orig_source], pwdata->orig_source);
- dprintf("pwdata->data:%p (\"%s\")", pwdata->data,
- pwdata->data ? pwdata->data : "(null)");
- dprintf("pwdata->intdata:%ld", pwdata->intdata);
+ dbgprintf("pwdata:%p retry:%d", pwdata, retry);
+ dbgprintf("pwdata->source:%s (%d) orig:%s (%d)",
+ pw_source_names[pwdata->source], pwdata->source,
+ pw_source_names[pwdata->orig_source], pwdata->orig_source);
+ dbgprintf("pwdata->data:%p (\"%s\")", pwdata->data,
+ pwdata->data ? pwdata->data : "(null)");
+ dbgprintf("pwdata->intdata:%ld", pwdata->intdata);
if (retry) {
warnx("Incorrect password/PIN entered.");
@@ -470,7 +470,7 @@ SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg)
case PW_FROMFILEDB:
case PW_DATABASE:
- dprintf("pwdata->source:%s", pw_source_names[pwdata->source]);
+ dbgprintf("pwdata->source:%s", pw_source_names[pwdata->source]);
/* Instead of opening and closing the file every time, get the pw
* once, then keep it in memory (duh).
*/
@@ -480,17 +480,17 @@ SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg)
return pw;
case PW_FROMENV:
- dprintf("pwdata->source:PW_FROMENV");
+ dbgprintf("pwdata->source:PW_FROMENV");
if (!pwdata || !pwdata->data)
break;
pw = get_env(pwdata->data);
- dprintf("env:%s pw:%s", pwdata->data, pw ? pw : "(null)");
+ dbgprintf("env:%s pw:%s", pwdata->data, pw ? pw : "(null)");
pwdata->data = pw;
pwdata->source = PW_PLAINTEXT;
goto PW_PLAINTEXT;
case PW_FROMFILE:
- dprintf("pwdata->source:PW_FROMFILE");
+ dbgprintf("pwdata->source:PW_FROMFILE");
in = fopen(pwdata->data, "r");
if (!in)
return NULL;
@@ -501,7 +501,7 @@ SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg)
goto PW_PLAINTEXT;
case PW_FROMFD:
- dprintf("pwdata->source:PW_FROMFD");
+ dbgprintf("pwdata->source:PW_FROMFD");
rc = pwdata->intdata;
in = fdopen(pwdata->intdata, "r");
if (!in)
diff --git a/src/pesign.c b/src/pesign.c
index c2ff35f..f548d81 100644
--- a/src/pesign.c
+++ b/src/pesign.c
@@ -333,7 +333,7 @@ main(int argc, char *argv[])
while ((rc = poptGetNextOpt(optCon)) > 0) {
switch (rc) {
case POPT_RET_PWDB:
- dprintf("POPT_RET_PWDB:\"%s\"", pwdata.data ? pwdata.data : "(null)");
+ dbgprintf("POPT_RET_PWDB:\"%s\"", pwdata.data ? pwdata.data : "(null)");
if (pwdata.source != PW_SOURCE_INVALID)
errx(1, "only one password/pin method can be used at a time");
if (pwdata.data == NULL)
@@ -346,7 +346,7 @@ main(int argc, char *argv[])
continue;
case POPT_RET_ENV:
- dprintf("POPT_RET_ENV:\"%s\"", pwdata.data ? pwdata.data : "(null)");
+ dbgprintf("POPT_RET_ENV:\"%s\"", pwdata.data ? pwdata.data : "(null)");
if (pwdata.source != PW_SOURCE_INVALID)
errx(1, "only one password/pin method can be used at a time");
if (pwdata.data == NULL)
@@ -359,7 +359,7 @@ main(int argc, char *argv[])
continue;
case POPT_RET_PINFD:
- dprintf("POPT_RET_PINFD:\"%s\"", pwdata.data ? pwdata.data : "(null)");
+ dbgprintf("POPT_RET_PINFD:\"%s\"", pwdata.data ? pwdata.data : "(null)");
if (pwdata.source != PW_SOURCE_INVALID)
errx(1, "only one password/pin method can be used at a time");
if (pwdata.data == NULL)
@@ -373,7 +373,7 @@ main(int argc, char *argv[])
continue;
case POPT_RET_PINFILE:
- dprintf("POPT_RET_PINFILE:\"%s\"", pwdata.data ? pwdata.data : "(null)");
+ dbgprintf("POPT_RET_PINFILE:\"%s\"", pwdata.data ? pwdata.data : "(null)");
if (pwdata.source != PW_SOURCE_INVALID)
errx(1, "only one password/pin method can be used at a time");
if (pwdata.data == NULL)
@@ -387,7 +387,7 @@ main(int argc, char *argv[])
}
}
- dprintf("pwdata.source:%d %schecking for PESIGN_TOKEN_PIN",
+ dbgprintf("pwdata.source:%d %schecking for PESIGN_TOKEN_PIN",
pwdata.source,
pwdata.source == PW_SOURCE_INVALID ? "" : "not ");
if (pwdata.source == PW_SOURCE_INVALID && secure_getenv("PESIGN_TOKEN_PIN")) {
diff --git a/src/util.h b/src/util.h
index ba8c621..6616011 100644
--- a/src/util.h
+++ b/src/util.h
@@ -269,28 +269,28 @@ proxy_fd_mode(int fd, char *infile, mode_t *outmode, size_t *inlength)
extern long verbosity(void);
-#define dprintf_(tv, file, func, line, fmt, args...) ({ \
- struct timeval tv; \
- gettimeofday(&tv, NULL); \
- warnx("%ld.%lu %s:%s():%d: " fmt, \
- tv.tv_sec, tv.tv_usec, \
- file, func, line, ##args); \
+#define dbgprintf_(tv, file, func, line, fmt, args...) ({ \
+ struct timeval tv; \
+ gettimeofday(&tv, NULL); \
+ warnx("%ld.%lu %s:%s():%d: " fmt, \
+ tv.tv_sec, tv.tv_usec, \
+ file, func, line, ##args); \
})
#if defined(PESIGN_DEBUG)
-#define dprintf(fmt, args...) \
- dprintf_(CAT(CAT(CAT(tv_,__COUNTER__),__LINE__),_), \
- __FILE__, __func__, __LINE__ - 2, fmt, ##args)
+#define dbgprintf(fmt, args...) \
+ dbgprintf_(CAT(CAT(CAT(tv_,__COUNTER__),__LINE__),_), \
+ __FILE__, __func__, __LINE__ - 2, fmt, ##args)
#else
-#define dprintf(fmt, args...) ({ \
+#define dbgprintf(fmt, args...) ({ \
if (verbosity() > 1) \
- dprintf_(CAT(CAT(CAT(tv_,__COUNTER__),__LINE__),_), \
+ dbgprintf_(CAT(CAT(CAT(tv_,__COUNTER__),__LINE__),_), \
__FILE__, __func__, __LINE__ - 3, \
fmt, ##args); \
0; \
})
#endif
-#define ingress() dprintf("ingress");
-#define egress() dprintf("egress");
+#define ingress() dbgprintf("ingress");
+#define egress() dbgprintf("egress");
#endif /* PESIGN_UTIL_H */
// vim:fenc=utf-8:tw=75:noet

30
0004-.gitignore-add-compile_commands.json-and-.cache.patch
View File

@ -1,30 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 11 Mar 2022 12:47:20 -0500
Subject: [PATCH] .gitignore: add compile_commands.json and .cache/
These are used by bear/cnc/clangd/etc, but there's no reason to trip
over them all the time.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
.gitignore | 2 ++
1 file changed, 2 insertions(+)
diff --git a/.gitignore b/.gitignore
index bf0617b..7425432 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
+.cache/
.*.d
.*.P
.*.sw?
@@ -26,6 +27,7 @@
/*.rpm
*-8be4df61-93ca-11d2-aa0d-00e098032b8c
*-d719b2cb-3d3a-4596-a3bc-dad00e67656f
+compile_commands.json
core.*
cov-int/
pwfile

31
0005-pesign-print-digests-before-filenames-like-sha256sum.patch
View File

@ -1,31 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 11 Mar 2022 12:44:46 -0500
Subject: [PATCH] pesign: print digests before filenames like sha256sum does
Most digest tools print the digest before the filename, there's no
reason pesign needs to be different.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/file_pe.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/file_pe.c b/src/file_pe.c
index fed6edb..805e614 100644
--- a/src/file_pe.c
+++ b/src/file_pe.c
@@ -121,12 +121,11 @@ print_digest(pesign_context *pctx)
if (!ctx)
return;
- printf("%s ", pctx->infile);
int j = ctx->selected_digest;
for (unsigned int i = 0; i < ctx->digests[j].pe_digest->len; i++)
printf("%02x",
(unsigned char)ctx->digests[j].pe_digest->data[i]);
- printf("\n");
+ printf(" %s\n", pctx->infile);
}
void

318
0006-Add-pesum-an-authenticode-digest-generator.patch
View File

@ -1,318 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 11 Mar 2022 12:54:39 -0500
Subject: [PATCH] Add 'pesum', an authenticode digest generator.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesum.c | 195 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
src/.gitignore | 1 +
src/Makefile | 12 +++-
src/pesum.1.mdoc | 38 +++++++++++
4 files changed, 244 insertions(+), 2 deletions(-)
create mode 100644 src/pesum.c
create mode 100644 src/pesum.1.mdoc
diff --git a/src/pesum.c b/src/pesum.c
new file mode 100644
index 0000000..e4ddaf8
--- /dev/null
+++ b/src/pesum.c
@@ -0,0 +1,195 @@
+// SPDX-License-Identifier: GPLv2
+/*
+ * pesum.c - pesum command line tool
+ * Copyright Peter Jones <pjones@redhat.com>
+ */
+
+#include "fix_coverity.h"
+
+#include <err.h>
+#include <popt.h>
+
+#include <nss.h>
+#include <prerror.h>
+
+#include "pesign.h"
+#include "pesign_standalone.h"
+
+static struct {
+ int flag;
+ const char *name;
+} flag_names[] = {
+ {DAEMONIZE, "daemonize"},
+ {GENERATE_DIGEST, "hash"},
+ {GENERATE_SIGNATURE, "sign"},
+ {IMPORT_RAW_SIGNATURE, "import-raw-sig"},
+ {IMPORT_SIGNATURE, "import-sig"},
+ {IMPORT_SATTRS, "import-sattrs" },
+ {EXPORT_SATTRS, "export-sattrs" },
+ {EXPORT_SIGNATURE, "export-sig"},
+ {EXPORT_PUBKEY, "export-pubkey"},
+ {EXPORT_CERT, "export-cert"},
+ {REMOVE_SIGNATURE, "remove"},
+ {LIST_SIGNATURES, "list"},
+ {FLAG_LIST_END, NULL},
+};
+
+void
+print_flag_name(FILE *f, int flag)
+{
+ for (int i = 0; flag_names[i].flag != FLAG_LIST_END; i++) {
+ if (flag_names[i].flag == flag)
+ fprintf(f, "%s ", flag_names[i].name);
+ }
+}
+
+static long *verbose;
+
+long
+verbosity(void)
+{
+ if (!verbose)
+ return 0;
+ return *verbose;
+}
+
+int
+main(int argc, char *argv[])
+{
+ int rc;
+ SECStatus status;
+
+ char *digest_name = "sha256";
+ char *orig_digest_name = digest_name;
+ int padding = 1;
+ long verbose_cmd_line = 0;
+ const char *infile;
+
+ int action = GENERATE_DIGEST|PRINT_DIGEST;
+ file_format fmt = FORMAT_PE_BINARY;
+
+ setenv("NSS_DEFAULT_DB_TYPE", "sql", 0);
+
+ verbose = &verbose_cmd_line;
+
+ poptContext optCon;
+ struct poptOption options[] = {
+ {.argInfo = POPT_ARG_INTL_DOMAIN,
+ .arg = "pesum" },
+ {.longName = "verbose",
+ .shortName = 'v',
+ .argInfo = POPT_ARG_VAL|POPT_ARG_LONG|POPT_ARGFLAG_OPTIONAL,
+ .arg = &verbose_cmd_line,
+ .val = 1,
+ .descrip = "be more verbose" },
+ {.longName = "debug",
+ .shortName = '\0',
+ .argInfo = POPT_ARG_VAL|POPT_ARG_LONG|POPT_ARGFLAG_OPTIONAL,
+ .arg = &verbose_cmd_line,
+ .val = 2,
+ .descrip = "be very verbose" },
+ {.longName = "digest-type",
+ .shortName = 'd',
+ .argInfo = POPT_ARG_STRING|POPT_ARGFLAG_SHOW_DEFAULT,
+ .arg = &digest_name,
+ .descrip = "digest type to use for pe hash" },
+ {.longName = "digest_type",
+ .shortName = '\0',
+ .argInfo = POPT_ARG_STRING|POPT_ARGFLAG_DOC_HIDDEN,
+ .arg = &digest_name,
+ .descrip = "digest type to use for pe hash" },
+ {.longName = "padding",
+ .shortName = 'P',
+ .argInfo = POPT_ARG_VAL,
+ .arg = &padding,
+ .val = 1,
+ .descrip = "pad data section (default)" },
+ {.longName = "nopadding",
+ .shortName = 'p',
+ .argInfo = POPT_ARG_VAL,
+ .arg = &padding,
+ .val = 0,
+ .descrip = "do not pad the data section" },
+ POPT_AUTOALIAS
+ POPT_AUTOHELP
+ POPT_TABLEEND
+ };
+
+ optCon = poptGetContext("pesum", argc, (const char **)argv, options,0);
+
+ rc = poptReadDefaultConfig(optCon, 0);
+ if (rc < 0 && !(rc == POPT_ERROR_ERRNO && errno == ENOENT))
+ errx(1, "poptReadDefaultConfig failed: %s", poptStrerror(rc));
+
+ while ((rc = poptGetNextOpt(optCon)) > 0) {
+ ;
+ }
+
+ if (rc < -1)
+ errx(1, "Invalid argument: %s: %s",
+ poptBadOption(optCon, 0), poptStrerror(rc));
+
+ if (!poptPeekArg(optCon))
+ errx(1, "nothing to do");
+
+ status = NSS_NoDB_Init(NULL);
+ if (status != SECSuccess)
+ errx(1, "Could not initialize nss.\n"
+ "NSS says \"%s\" errno says \"%m\"\n",
+ PORT_ErrorToString(PORT_GetError()));
+
+ while ((infile = poptGetArg(optCon)) != NULL) {
+ pesign_context *ctxp = NULL;
+
+ char *ext = strrchr(infile, '.');
+ if (ext && strcmp(ext, ".ko") == 0)
+ fmt = FORMAT_KERNEL_MODULE;
+
+ rc = pesign_context_new(&ctxp);
+ if (rc < 0)
+ err(1, "Could not initialize context");
+
+ ctxp->verbose = verbose_cmd_line;
+
+ ctxp->hash = 1;
+ ctxp->infile = strdup(infile);
+ if (!ctxp->infile)
+ err(1, "Could not allocate memory");
+
+ rc = set_digest_parameters(ctxp->cms_ctx, digest_name);
+ int is_help = strcmp(digest_name, "help") ? 0 : 1;
+ if (rc < 0) {
+ if (!is_help) {
+ fprintf(stderr, "Digest \"%s\" not found.\n",
+ digest_name);
+ }
+ exit(!is_help);
+ }
+
+ errno = 0;
+ switch (fmt) {
+ case FORMAT_PE_BINARY:
+ pe_handle_action(ctxp, action, padding);
+ break;
+ case FORMAT_KERNEL_MODULE:
+ kmod_handle_action(ctxp, action);
+ break;
+ }
+
+ pesign_context_free(ctxp);
+ }
+
+ poptFreeContext(optCon);
+
+ if (digest_name && digest_name != orig_digest_name)
+ free(digest_name);
+
+ status = NSS_Shutdown();
+ if (status != SECSuccess)
+ errx(1, "could not shut down NSS: %s",
+ PORT_ErrorToString(PORT_GetError()));
+
+ return 0;
+}
+
+// vim:fenc=utf-8:tw=75:noet
diff --git a/src/.gitignore b/src/.gitignore
index 64ce217..f8f6d66 100644
--- a/src/.gitignore
+++ b/src/.gitignore
@@ -5,6 +5,7 @@ client
efikeygen
efidbtool
pesigcheck
+pesum
peverify
pesign.service
pesign.sysvinit
diff --git a/src/Makefile b/src/Makefile
index 7010514..79cf09e 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -6,7 +6,7 @@ include $(TOPDIR)/Make.rules
include $(TOPDIR)/Make.defaults
BINTARGETS=authvar client efikeygen pesigcheck pesign \
- pesign-rpmbuild-helper pesign-authorize
+ pesign-rpmbuild-helper pesign-authorize pesum
CFGTARGETS=tmpfiles.conf
SVCTARGETS=pesign.sysvinit pesign.service
MAN1TARGETS=authvar.1 efikeygen.1 pesigcheck.1 pesign-client.1 pesign.1
@@ -29,9 +29,12 @@ EFIKEYGEN_SOURCES = efikeygen.c
PESIGCHECK_SOURCES = pesigcheck.c pesigcheck_context.c certdb.c
PESIGN_SOURCES = pesign.c pesign_context.c actions.c daemon.c \
file_pe.c file_kmod.c pesign_kmod.c
+PESUM_SOURCES = pesum.c pesign_context.c actions.c \
+ file_pe.c file_kmod.c pesign_kmod.c
ALL_SOURCES=$(COMMON_SOURCES) $(AUTHVAR_SORUCES) $(CLIENT_SOURCES) \
- $(EFIKEYGEN_SOURCES) $(PESIGCHECK_SOURCES) $(PESIGN_SOURCES)
+ $(EFIKEYGEN_SOURCES) $(PESIGCHECK_SOURCES) $(PESIGN_SOURCES) \
+ $(PESUM_SOURCES)
-include $(call deps-of,$(ALL_SOURCES))
authvar : $(call objects-of,$(AUTHVAR_SOURCES) $(COMMON_SOURCES))
@@ -53,6 +56,10 @@ pesign : $(call objects-of,$(PESIGN_SOURCES) $(COMMON_SOURCES) $(COMMON_PE_SOURC
pesign : LDLIBS+=$(TOPDIR)/libdpe/libdpe.a
pesign : PKGS=efivar nss nspr popt
+pesum : $(call objects-of,$(PESUM_SOURCES) $(COMMON_SOURCES) $(COMMON_PE_SOURCES))
+pesum : LDLIBS+=$(TOPDIR)/libdpe/libdpe.a
+pesum : PKGS=efivar nss nspr popt
+
deps : PKGS=efivar nss nspr popt uuid
deps : $(ALL_SOURCES)
$(MAKE) -f $(TOPDIR)/Make.deps \
@@ -81,6 +88,7 @@ install :
$(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir)
$(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir)
$(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir)
+ $(INSTALL) -m 755 pesum $(INSTALLROOT)$(bindir)
$(INSTALL) -m 755 client $(INSTALLROOT)$(bindir)pesign-client
$(INSTALL) -m 755 efikeygen $(INSTALLROOT)$(bindir)
$(INSTALL) -m 755 pesigcheck $(INSTALLROOT)$(bindir)
diff --git a/src/pesum.1.mdoc b/src/pesum.1.mdoc
new file mode 100644
index 0000000..edd08ce
--- /dev/null
+++ b/src/pesum.1.mdoc
@@ -0,0 +1,38 @@
+.Dd $Mdocdate: Mar 11 2022$
+.Dt PESUM 1
+.Os Linux
+.Sh NAME
+.Nm pesum
+.Nd tool for generating Authenticode digests
+.Sh SYNOPSIS
+.Nm
+.Bk -words
+.Ar file0.efi
+.Op Ar file1.efi ...
+.Sh DESCRIPTION
+.Nm
+is a command line tool to generate Authenticode digests of PE binaries.
+.Sh EXAMPLES
+.Ss Getting the Authenticode digest of some files
+host:$ \fBpesum shimx64.efi grubx64.efi\fR
+8c5806e66bb5b052ebf860e1722474269cff3dde588610df21dbe8cf12c08390\ shimx64.efi
+546a71319c22da1d81879383c4c74be06d1c374bdecfafc9fcc80bd541802bfc\ grubx64.efi
+.Sh STANDARDS
+.Rs
+.%B Portable Executable
+.%I Microsoft
+.%D August 26, 2019
+.%U https://docs.microsoft.com/en-us/windows/win32/debug/pe-format\ \&
+.Re
+
+.Rs
+.%B Windows Authenticode Portable Executable Signature Format
+.%I Microsoft
+.%D March 21, 2008
+.%U https://web.archive.org/web/20130518222430/http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx\ \&
+.Re
+.Sh SEE ALSO
+.Xr pesign 1
+.LP
+.Sh AUTHORS
+.An Peter Jones

54
0007-Fix-building-signed-kernels-on-setups-other-than-koj.patch
View File

@ -1,54 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Julian Sikorski <belegdol+github@gmail.com>
Date: Wed, 23 Mar 2022 20:54:03 +0100
Subject: [PATCH] Fix building signed kernels on setups other than koji
Thanks to Will Springer for the idea. Details at
https://bugzilla.redhat.com/show_bug.cgi?id=1880858
Signed-off-by: Julian Sikorski <belegdol+github@gmail.com>
Suggested-by: Will Springer <skirmisher@protonmail.com>
---
src/pesign-rpmbuild-helper.in | 24 +++++++++++-------------
1 file changed, 11 insertions(+), 13 deletions(-)
diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in
index 0a845d2..c9d5570 100644
--- a/src/pesign-rpmbuild-helper.in
+++ b/src/pesign-rpmbuild-helper.in
@@ -172,24 +172,22 @@ main() {
USERNAME="${USERNAME:-$(id -un)}"
local socket="" || :
- if grep -q ID=fedora /etc/os-release \
+ if [[ -S /run/pesign/socket ]] ; then
+ socket=/run/pesign/socket
+ elif [[ -S /var/run/pesign/socket ]]; then
+ socket=/var/run/pesign/socket
+ elif grep -q ID=fedora /etc/os-release \
&& [[ "${rhelver}" -lt 7 ]] \
&& [[ "${USERNAME}" = "mockbuild" ]] \
&& [[ "${vendor}" = "Fedora Project" ]] \
&& [[ "${HOSTNAME}" =~ bkernel.* ]]
then
- if [[ -S /run/pesign/socket ]] ; then
- socket=/run/pesign/socket
- elif [[ -S /var/run/pesign/socket ]]; then
- socket=/var/run/pesign/socket
- else
- echo "Warning: no pesign socket even though user is ${USERNAME}" 1>&2
- echo "Warning: if this is a non-scratch koji build, this is wrong" 1>&2
- ls -ld /run/pesign /var/run/pesign 1>&2 ||:
- ls -l /run/pesign/socket /var/run/pesign/socket 1>&2 ||:
- getfacl /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
- getfacl -n /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
- fi
+ echo "Warning: no pesign socket even though user is ${USERNAME}" 1>&2
+ echo "Warning: if this is a non-scratch koji build, this is wrong" 1>&2
+ ls -ld /run/pesign /var/run/pesign 1>&2 ||:
+ ls -l /run/pesign/socket /var/run/pesign/socket 1>&2 ||:
+ getfacl /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
+ getfacl -n /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
fi
if [[ "${rhelver}" -ge 7 ]] ; then

23
0008-Add-D_GLIBCXX_ASSERTIONS-to-CPPFLAGS.patch
View File

@ -1,23 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 25 Mar 2022 15:01:54 -0400
Subject: [PATCH] Add -D_GLIBCXX_ASSERTIONS to CPPFLAGS
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
Make.defaults | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Make.defaults b/Make.defaults
index 1c18904..05aadd0 100644
--- a/Make.defaults
+++ b/Make.defaults
@@ -79,7 +79,7 @@ ccldflags = $(cflags) $(CCLDFLAGS) $(LDFLAGS) \
$(call pkg-config-ccldflags)
efi_cflags = $(cflags)
ASFLAGS ?= $(ARCH3264)
-CPPFLAGS ?= -D_FORTIFY_SOURCE=2
+CPPFLAGS ?= -D_FORTIFY_SOURCE=2 -D_GLIBCXX_ASSERTIONS
RANLIBFLAGS ?= $(if $(filter $(CC),gcc),-D)
ARFLAGS ?= $(if $(filter $(CC),gcc),-Dcvqs)$(if $(filter $(CC),clang),-cqvs)

24
0009-macros.pesign-handle-centos-like-rhel-with-rhelver.patch
View File

@ -1,24 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 10 Aug 2021 12:39:08 -0400
Subject: [PATCH] macros.pesign: handle centos like rhel with --rhelver
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/macros.pesign | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/macros.pesign b/src/macros.pesign
index 34af57c..b7d6af1 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -34,7 +34,8 @@
%{?__pesign_cert:--cert %{__pesign_cert}} \\\
%{?_buildhost:--hostname "%{_buildhost}"} \\\
%{?vendor:--vendor "%{vendor}"} \\\
- %{?_rhel:--rhelver "%{_rhel}"} \\\
+ %{?rhel:--rhelver "%{rhel}"} \\\
+ %{?centos:--rhelver "%{centos}"} \\\
%{?-n:--rhelcert %{-n*}}%{?!-n:--rhelcert %{__pesign_cert}} \\\
%{?-a:--rhelcafile "%{-a*}"} \\\
%{?-c:--rhelcertfile "%{-c*}"} \\\

25
0010-Detect-the-presence-of-rpm-sign-when-checking-for-rh.patch
View File

@ -1,25 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 4 Apr 2022 14:45:29 -0400
Subject: [PATCH] Detect the presence of rpm-sign when checking for "rhel"-ness
Signed-off-by: Peter Jones <pjones@redhat.com>
[rharwood: manually reapply to main]
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/pesign-rpmbuild-helper.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in
index c9d5570..9dee56e 100644
--- a/src/pesign-rpmbuild-helper.in
+++ b/src/pesign-rpmbuild-helper.in
@@ -190,7 +190,7 @@ main() {
getfacl -n /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
fi
- if [[ "${rhelver}" -ge 7 ]] ; then
+ if [[ "${rhelver}" -ge 7 ]] && which rpm-sign >&/dev/null ; then
nssdir="$(mktemp -p "${PWD}" -d)"
echo > "${nssdir}/pwfile"
certutil -N -d "${nssdir}" -f "${nssdir}/pwfile"

17
0011-Rename-README-README.md.patch
View File

@ -1,17 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 13 May 2022 15:53:05 -0400
Subject: [PATCH] Rename README -> README.md
Rich text will let me compact links.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
README => README.md | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename README => README.md (100%)
diff --git a/README b/README.md
similarity index 100%
rename from README
rename to README.md

56
0012-README.md-show-off-a-bit-more.patch
View File

@ -1,56 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 13 May 2022 16:09:12 -0400
Subject: [PATCH] README.md: show off a bit more
Prominently mention efikeygen and add examples of usage for it and
pesign proper.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
README.md | 36 ++++++++++++++++++++++++++++++++----
1 file changed, 32 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index d70bc53..e9f0cb7 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,34 @@
-Signing tool for PE-COFF binaries, hopefully at least vaguely compliant with
-the PE and Authenticode specifications.
+# pesign + efikeygen
-This is vaguely analogous to the tool described by
-http://msdn.microsoft.com/en-us/library/8s9b9yaz%28v=vs.80%29.aspx
+Signing tools for PE-COFF binaries. Compliant with the PE and Authenticode
+specifications.
+(These serve a similar purpose to Microsoft's
+[SignTool.exe](http://msdn.microsoft.com/en-us/library/8s9b9yaz%28v=vs.80%29.aspx),
+except for Linux.)
+
+## Examples
+
+Generate a key for use with pesign, stored on disk:
+
+```
+efikeyen -d /etc/pki/pesign -S -TYPE -c 'CN=Your Name Key' -n 'Custom Secureboot'
+```
+
+For more complex and secure use cases (e.g., hardware tokens), see
+efikeygen man page (`man efikeygen`).
+
+Sign a UEFI application using that key:
+
+```
+pesign -i grubx64.efi -o grubx64.efi.signed -c 'Custom Secureboot' -s
+```
+
+Show signatures on a UEFI application:
+
+```
+pesign -i grubx64.efi.signed -S
+```
+
+For more signing/verification operations, see the pesign man page (`man
+pesign`).

23
0013-Fix-missing-line-in-README.md.patch
View File

@ -1,23 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 16 May 2022 15:31:25 -0400
Subject: [PATCH] Fix missing line in README.md
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
README.md | 2 ++
1 file changed, 2 insertions(+)
diff --git a/README.md b/README.md
index e9f0cb7..7bbd6dd 100644
--- a/README.md
+++ b/README.md
@@ -15,6 +15,8 @@ Generate a key for use with pesign, stored on disk:
efikeyen -d /etc/pki/pesign -S -TYPE -c 'CN=Your Name Key' -n 'Custom Secureboot'
```
+(where TYPE is m if you're only signing kernel modules, and k otherwise).
+
For more complex and secure use cases (e.g., hardware tokens), see
efikeygen man page (`man efikeygen`).

23
0014-Fix-typo-in-efikeygen-command.patch
View File

@ -1,23 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Matt Bernhard <bernhard@voting.works>
Date: Fri, 27 May 2022 14:40:49 -0400
Subject: [PATCH] Fix typo in efikeygen command
Signed-off-by: Matt Bernhard <mdb92nc@gmail.com>
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 7bbd6dd..b6949a2 100644
--- a/README.md
+++ b/README.md
@@ -12,7 +12,7 @@ except for Linux.)
Generate a key for use with pesign, stored on disk:
```
-efikeyen -d /etc/pki/pesign -S -TYPE -c 'CN=Your Name Key' -n 'Custom Secureboot'
+efikeygen -d /etc/pki/pesign -S -TYPE -c 'CN=Your Name Key' -n 'Custom Secureboot'
```
(where TYPE is m if you're only signing kernel modules, and k otherwise).

53
0015-pesigcheck-Fix-crash-on-digest-match.patch
View File

@ -1,53 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Visa Hankala <visa@hankala.org>
Date: Fri, 10 Jun 2022 13:25:13 +0000
Subject: [PATCH] pesigcheck: Fix crash on digest match
Set selected_digest when the digest is found in db or dbx.
This fixes the following crash of pesigcheck:
Program received signal SIGSEGV, Segmentation fault.
0x00005555555597fa in memcpy (__len=24, __src=0x31,
__dest=0x55555558d908)
at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
34 return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));
(gdb) bt
#0 0x00005555555597fa in memcpy (__len=24, __src=0x31,
__dest=0x55555558d908)
at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
#1 get_digest (digest=digest@entry=0x55555558d908,
ctx=<optimized out>, ctx=<optimized out>) at pesigcheck.c:226
#2 0x00005555555592fd in check_signature (
reasons=<synthetic pointer>, nreasons=<synthetic pointer>,
ctx=0x7fffffffded0) at pesigcheck.c:262
#3 main (argc=<optimized out>, argv=<optimized out>)
at pesigcheck.c:512
Signed-off-by: Visa Hankala <visa@hankala.org>
---
src/certdb.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/certdb.c b/src/certdb.c
index e013b9d..69d5daf 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -267,12 +267,16 @@ check_hash(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
if (memcmp(sigtype, &efi_sha256, sizeof(efi_guid_t)) == 0) {
digest = ctx->cms_ctx->digests[0].pe_digest->data;
- if (memcmp (digest, sig->data, 32) == 0)
+ if (memcmp (digest, sig->data, 32) == 0) {
+ ctx->cms_ctx->selected_digest = 0;
return FOUND;
+ }
} else if (memcmp(sigtype, &efi_sha1, sizeof(efi_guid_t)) == 0) {
digest = ctx->cms_ctx->digests[1].pe_digest->data;
- if (memcmp (digest, sig->data, 20) == 0)
+ if (memcmp (digest, sig->data, 20) == 0) {
+ ctx->cms_ctx->selected_digest = 1;
return FOUND;
+ }
}
return NOT_FOUND;

272
0016-cms-store-digest-as-pointer-instead-of-index.patch
View File

@ -1,272 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 10 Jun 2022 14:40:33 -0400
Subject: [PATCH] cms: store digest as pointer instead of index
Storage as an index is problematic because the sentinel value -1 was
used, but accesses were unchecked, leading to crashes like that in
3b1031a6b779cb80c11b34eec84c5a0cc215efed ("pesigcheck: Fix crash on
digest match"). By storing a pointer, we get an explicit NULL
dereference: still a crash, but preferred since it's clearer.
Since the index was previously also used for retrieving digest
parameters, include a pointer to the relevant struct digest_param in the
struct digest.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/certdb.c | 15 ++++++++-------
src/cms_common.c | 34 ++++++++++------------------------
src/content_info.c | 4 ++--
src/file_kmod.c | 2 +-
src/file_pe.c | 9 +++++----
src/pesigcheck.c | 4 +---
src/cms_common.h | 13 ++++++++++++-
7 files changed, 39 insertions(+), 42 deletions(-)
diff --git a/src/certdb.c b/src/certdb.c
index 69d5daf..f512824 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -263,18 +263,19 @@ check_hash(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
{
efi_guid_t efi_sha256 = efi_guid_sha256;
efi_guid_t efi_sha1 = efi_guid_sha1;
- void *digest;
+ void *digest_data;
+ struct digest *digests = ctx->cms_ctx->digests;
if (memcmp(sigtype, &efi_sha256, sizeof(efi_guid_t)) == 0) {
- digest = ctx->cms_ctx->digests[0].pe_digest->data;
- if (memcmp (digest, sig->data, 32) == 0) {
- ctx->cms_ctx->selected_digest = 0;
+ digest_data = digests[0].pe_digest->data;
+ if (memcmp (digest_data, sig->data, 32) == 0) {
+ ctx->cms_ctx->selected_digest = &digests[0];
return FOUND;
}
} else if (memcmp(sigtype, &efi_sha1, sizeof(efi_guid_t)) == 0) {
- digest = ctx->cms_ctx->digests[1].pe_digest->data;
- if (memcmp (digest, sig->data, 20) == 0) {
- ctx->cms_ctx->selected_digest = 1;
+ digest_data = digests[1].pe_digest->data;
+ if (memcmp (digest_data, sig->data, 20) == 0) {
+ ctx->cms_ctx->selected_digest = &digests[1];
return FOUND;
}
}
diff --git a/src/cms_common.c b/src/cms_common.c
index 86341ca..2275f67 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -33,15 +33,6 @@
#include "hex.h"
-struct digest_param {
- char *name;
- SECOidTag digest_tag;
- SECOidTag signature_tag;
- SECOidTag digest_encryption_tag;
- const efi_guid_t *efi_guid;
- int size;
-};
-
static struct digest_param digest_params[] = {
{.name = "sha256",
.digest_tag = SEC_OID_SHA256,
@@ -65,29 +56,25 @@ static int n_digest_params = sizeof (digest_params) / sizeof (digest_params[0]);
SECOidTag
digest_get_digest_oid(cms_context *cms)
{
- int i = cms->selected_digest;
- return digest_params[i].digest_tag;
+ return cms->selected_digest->digest_params->digest_tag;
}
SECOidTag
digest_get_encryption_oid(cms_context *cms)
{
- int i = cms->selected_digest;
- return digest_params[i].digest_encryption_tag;
+ return cms->selected_digest->digest_params->digest_encryption_tag;
}
SECOidTag
digest_get_signature_oid(cms_context *cms)
{
- int i = cms->selected_digest;
- return digest_params[i].signature_tag;
+ return cms->selected_digest->digest_params->signature_tag;
}
int
digest_get_digest_size(cms_context *cms)
{
- int i = cms->selected_digest;
- return digest_params[i].size;
+ return cms->selected_digest->digest_params->size;
}
void
@@ -142,8 +129,6 @@ cms_context_init(cms_context *cms)
if (!cms->arena)
cnreterr(-1, cms, "could not create cryptographic arena");
- cms->selected_digest = -1;
-
INIT_LIST_HEAD(&cms->pk12_ins);
cms->pk12_out.fd = -1;
cms->db_out = cms->dbx_out = cms->dbt_out = -1;
@@ -226,7 +211,7 @@ cms_context_fini(cms_context *cms)
memset(&cms->newsig, '\0', sizeof (cms->newsig));
}
- cms->selected_digest = -1;
+ cms->selected_digest = NULL;
if (cms->ci_digest) {
free_poison(cms->ci_digest->data, cms->ci_digest->len);
@@ -351,7 +336,7 @@ set_digest_parameters(cms_context *cms, char *name)
if (strcmp(name, "help")) {
for (int i = 0; i < n_digest_params; i++) {
if (!strcmp(name, digest_params[i].name)) {
- cms->selected_digest = i;
+ cms->selected_digest = &cms->digests[i];
return 0;
}
}
@@ -1279,6 +1264,7 @@ generate_digest_begin(cms_context *cms)
cngotoerr(err, cms, "could not create digest context");
PK11_DigestBegin(digests[i].pk11ctx);
+ digests[i].digest_params = &digest_params[i];
}
cms->digests = digests;
@@ -1351,11 +1337,11 @@ generate_signature(cms_context *cms)
{
int rc = 0;
- if (cms->digests[cms->selected_digest].pe_digest == NULL)
+ if (cms->selected_digest->pe_digest == NULL)
cnreterr(-1, cms, "PE digest has not been allocated");
- if (content_is_empty(cms->digests[cms->selected_digest].pe_digest->data,
- cms->digests[cms->selected_digest].pe_digest->len))
+ if (content_is_empty(cms->selected_digest->pe_digest->data,
+ cms->selected_digest->pe_digest->len))
cnreterr(-1, cms, "PE binary has not been digested");
SECItem sd_der;
diff --git a/src/content_info.c b/src/content_info.c
index 9684850..777aa28 100644
--- a/src/content_info.c
+++ b/src/content_info.c
@@ -181,8 +181,8 @@ generate_spc_digest_info(cms_context *cms, SECItem *dip)
if (generate_algorithm_id(cms, &di.digestAlgorithm,
digest_get_digest_oid(cms)) < 0)
return -1;
- int i = cms->selected_digest;
- memcpy(&di.digest, cms->digests[i].pe_digest, sizeof (di.digest));
+ memcpy(&di.digest, cms->selected_digest->pe_digest,
+ sizeof(di.digest));
if (content_is_empty(di.digest.data, di.digest.len)) {
cms->log(cms, LOG_ERR, "got empty digest");
diff --git a/src/file_kmod.c b/src/file_kmod.c
index 6880cda..c8875fc 100644
--- a/src/file_kmod.c
+++ b/src/file_kmod.c
@@ -60,7 +60,7 @@ ssize_t
kmod_write_signature(cms_context *cms, int outfd)
{
SEC_PKCS7ContentInfo *cinfo;
- SECItem *digest = cms->digests[cms->selected_digest].pe_digest;
+ SECItem *digest = cms->selected_digest->pe_digest;
SECStatus rv;
struct write_sig_info info = {
.outfd = outfd,
diff --git a/src/file_pe.c b/src/file_pe.c
index 805e614..c22b2af 100644
--- a/src/file_pe.c
+++ b/src/file_pe.c
@@ -114,6 +114,8 @@ check_inputs(pesign_context *ctx)
static void
print_digest(pesign_context *pctx)
{
+ unsigned int i;
+
if (!pctx)
return;
@@ -121,10 +123,9 @@ print_digest(pesign_context *pctx)
if (!ctx)
return;
- int j = ctx->selected_digest;
- for (unsigned int i = 0; i < ctx->digests[j].pe_digest->len; i++)
- printf("%02x",
- (unsigned char)ctx->digests[j].pe_digest->data[i]);
+ unsigned char *ddata = ctx->selected_digest->pe_digest->data;
+ for (i = 0; i < ctx->selected_digest->pe_digest->len; i++)
+ printf("%02x", ddata[i]);
printf(" %s\n", pctx->infile);
}
diff --git a/src/pesigcheck.c b/src/pesigcheck.c
index 6dc67f7..ebb404d 100644
--- a/src/pesigcheck.c
+++ b/src/pesigcheck.c
@@ -221,9 +221,7 @@ static void
get_digest(pesigcheck_context *ctx, SECItem *digest)
{
struct cms_context *cms = ctx->cms_ctx;
- struct digest *cms_digest = &cms->digests[cms->selected_digest];
-
- memcpy(digest, cms_digest->pe_digest, sizeof (*digest));
+ memcpy(digest, cms->selected_digest->pe_digest, sizeof(*digest));
}
static int
diff --git a/src/cms_common.h b/src/cms_common.h
index c7acbcf..c7d4f69 100644
--- a/src/cms_common.h
+++ b/src/cms_common.h
@@ -12,6 +12,7 @@
#include <secpkcs7.h>
#include <errno.h>
+#include <efivar.h>
#include <signal.h>
#include <stdarg.h>
#include <sys/types.h>
@@ -57,9 +58,19 @@
goto errlabel; \
})
+struct digest_param {
+ char *name;
+ SECOidTag digest_tag;
+ SECOidTag signature_tag;
+ SECOidTag digest_encryption_tag;
+ const efi_guid_t *efi_guid;
+ int size;
+};
+
struct digest {
PK11Context *pk11ctx;
SECItem *pe_digest;
+ struct digest_param *digest_params;
};
typedef struct pk12_file {
@@ -133,7 +144,7 @@ typedef struct cms_context {
int db_out, dbx_out, dbt_out;
struct digest *digests;
- int selected_digest;
+ struct digest *selected_digest;
int omit_vendor_cert;
SECItem newsig;

31
0017-Fix-mandoc-invocation-to-not-produce-garbage.patch
View File

@ -1,31 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 7 Jul 2022 16:56:41 -0400
Subject: [PATCH] Fix mandoc invocation to not produce garbage
Bizarrely, mandoc doesn't default to outputting man - the default is
"locale", which is either ASCII or UTF-8 (by locale). This output is
supposed to be some kind of plain-text, but it's formatted so strangely
I'm not sure what the purpose is. Regardless, it doesn't go well to
feed this into man(1).
Tell mandoc explicitly to produce man pages.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
Make.rules | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Make.rules b/Make.rules
index 12e322b..f6bf5fa 100644
--- a/Make.rules
+++ b/Make.rules
@@ -54,7 +54,7 @@ define substitute-version =
endef
%.1 : %.1.mdoc
- @mandoc -man -Ios=Linux $^ > $@
+ @mandoc -man -T man -Ios=Linux $^ > $@
% : %.in
@$(call substitute-version,$<,$@)

41
0018-Work-around-GCC-being-obnoxiously-incompatible-with-.patch
View File

@ -1,41 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 29 Aug 2022 15:31:52 -0400
Subject: [PATCH] Work around GCC being obnoxiously incompatible with GCC
GCC added and then later removed the diagnostic flag
"-Wanalyzer-use-of-uninitialized-value", and so this doesn't work with
newer versions of GCC.
This patch removes the previous workaround for when it didn't work well.
I really wish any of our compilers had any sense of rigor with this
stuff at all.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/daemon.c | 5 -----
1 file changed, 5 deletions(-)
diff --git a/src/daemon.c b/src/daemon.c
index ff88210..d66dd50 100644
--- a/src/daemon.c
+++ b/src/daemon.c
@@ -917,10 +917,6 @@ do_shutdown(context *ctx, int nsockets, struct pollfd *pollfds)
free(pollfds);
}
-/* GCC -fanalyzer has trouble with realloc
- * https://bugzilla.redhat.com/show_bug.cgi?id=2047926 */
-#pragma GCC diagnostic push
-#pragma GCC diagnostic ignored "-Wanalyzer-use-of-uninitialized-value"
static int
handle_events(context *ctx)
{
@@ -999,7 +995,6 @@ shutdown:
}
return 0;
}
-#pragma GCC diagnostic pop
static int
get_uid_and_gid(context *ctx, char **homedir)

51
0019-get_password_passthrough-handle-the-callback-context.patch
View File

@ -1,51 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 29 Aug 2022 14:21:44 -0400
Subject: [PATCH] get_password_passthrough(): handle the callback context right
Right now, we have a few callback functions for PK11_Authenticate(), and
they take different arguments. This is incorrect; none of the callers
ever pass anything through except our CMS context.
This fixes get_password_passthrough() to correctly accept the CMS
context and get the passthrough data from cms->pwdata instead of trying
to treat the CMS context as the pwdata.
Related: rhbz#2122777
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/password.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/src/password.c b/src/password.c
index 18c32ed..8eb1c33 100644
--- a/src/password.c
+++ b/src/password.c
@@ -365,13 +365,23 @@ err:
}
char *
-get_password_passthrough(PK11SlotInfo *slot UNUSED,
- PRBool retry, void *arg)
+get_password_passthrough(PK11SlotInfo *slot UNUSED, PRBool retry, void *arg)
{
+ cms_context *cms;
+ secuPWData *pwdata;
+
+ dbgprintf("ctx:%p", arg);
+
if (retry || !arg)
return NULL;
- char *ret = strdup(arg);
+ cms = (cms_context *)arg;
+ pwdata = &cms->pwdata;
+
+ if (pwdata->source != PW_PLAINTEXT)
+ return NULL;
+
+ char *ret = strdup(pwdata->data);
if (!ret)
err(1, "Could not allocate memory");

47
0020-read_password-only-prune-CR-NL-from-the-end-of-the-f.patch
View File

@ -1,47 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 29 Aug 2022 15:22:10 -0400
Subject: [PATCH] read_password(): only prune CR/NL from the end of the file
Right now, when we read the password/PIN from a file, we're pruning the
end of the string from the file we read indiscriminately. If you don't
have a newline, that means we're cutting off the final digits of the
text.
This changes it to prune only common special characters from the
pinfile, but also to prune /all/ of them.
Related: rhbz#2122777
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/password.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/password.c b/src/password.c
index 8eb1c33..ac1866e 100644
--- a/src/password.c
+++ b/src/password.c
@@ -79,6 +79,7 @@ read_password(FILE *in, FILE *out, char *buf, size_t bufsz)
int infd = fileno(in);
struct termios tio;
char *ret;
+ int len;
ingress();
ret = fgets(buf, bufsz, in);
@@ -96,7 +97,14 @@ read_password(FILE *in, FILE *out, char *buf, size_t bufsz)
if (ret == NULL)
return -1;
- buf[strlen(buf)-1] = '\0';
+ len = strlen(buf);
+ while (len > 0 && (buf[len-1] == '\r' || buf[len-1] == '\n')) {
+ buf[len-1] = '\0';
+ len--;
+ }
+ if (len == 0)
+ return -1;
+
egress();
return 0;
}

276
0021-Revert-cms-store-digest-as-pointer-instead-of-index.patch
View File

@ -1,276 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 29 Aug 2022 16:22:18 -0400
Subject: [PATCH] Revert "cms: store digest as pointer instead of index"
In 926782c216532a83f9ff864dee39d2349d61fd23, we switched
cms->selected_digest to be a pointer to the member of the digests array
rather than an index. Unfortunately this is just as bad, because the
bugs that come up wind up setting pointers to NULL+(selected*offset),
i.e. 0x10, and that doesn't get us any closer to actually finding any
problem.
For now, the new approach is going to be to make it an index again, but
to default it to 0 (sha256) rather than -1, so if it isn't set at the
correct part of the lifecycle it'll just default to the (nearly always)
correct choice.
This reverts commit 926782c216532a83f9ff864dee39d2349d61fd23.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/certdb.c | 15 +++++++--------
src/cms_common.c | 34 ++++++++++++++++++++++++----------
src/content_info.c | 4 ++--
src/file_kmod.c | 2 +-
src/file_pe.c | 9 ++++-----
src/pesigcheck.c | 4 +++-
src/cms_common.h | 13 +------------
7 files changed, 42 insertions(+), 39 deletions(-)
diff --git a/src/certdb.c b/src/certdb.c
index f512824..69d5daf 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -263,19 +263,18 @@ check_hash(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
{
efi_guid_t efi_sha256 = efi_guid_sha256;
efi_guid_t efi_sha1 = efi_guid_sha1;
- void *digest_data;
- struct digest *digests = ctx->cms_ctx->digests;
+ void *digest;
if (memcmp(sigtype, &efi_sha256, sizeof(efi_guid_t)) == 0) {
- digest_data = digests[0].pe_digest->data;
- if (memcmp (digest_data, sig->data, 32) == 0) {
- ctx->cms_ctx->selected_digest = &digests[0];
+ digest = ctx->cms_ctx->digests[0].pe_digest->data;
+ if (memcmp (digest, sig->data, 32) == 0) {
+ ctx->cms_ctx->selected_digest = 0;
return FOUND;
}
} else if (memcmp(sigtype, &efi_sha1, sizeof(efi_guid_t)) == 0) {
- digest_data = digests[1].pe_digest->data;
- if (memcmp (digest_data, sig->data, 20) == 0) {
- ctx->cms_ctx->selected_digest = &digests[1];
+ digest = ctx->cms_ctx->digests[1].pe_digest->data;
+ if (memcmp (digest, sig->data, 20) == 0) {
+ ctx->cms_ctx->selected_digest = 1;
return FOUND;
}
}
diff --git a/src/cms_common.c b/src/cms_common.c
index 2275f67..86341ca 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -33,6 +33,15 @@
#include "hex.h"
+struct digest_param {
+ char *name;
+ SECOidTag digest_tag;
+ SECOidTag signature_tag;
+ SECOidTag digest_encryption_tag;
+ const efi_guid_t *efi_guid;
+ int size;
+};
+
static struct digest_param digest_params[] = {
{.name = "sha256",
.digest_tag = SEC_OID_SHA256,
@@ -56,25 +65,29 @@ static int n_digest_params = sizeof (digest_params) / sizeof (digest_params[0]);
SECOidTag
digest_get_digest_oid(cms_context *cms)
{
- return cms->selected_digest->digest_params->digest_tag;
+ int i = cms->selected_digest;
+ return digest_params[i].digest_tag;
}
SECOidTag
digest_get_encryption_oid(cms_context *cms)
{
- return cms->selected_digest->digest_params->digest_encryption_tag;
+ int i = cms->selected_digest;
+ return digest_params[i].digest_encryption_tag;
}
SECOidTag
digest_get_signature_oid(cms_context *cms)
{
- return cms->selected_digest->digest_params->signature_tag;
+ int i = cms->selected_digest;
+ return digest_params[i].signature_tag;
}
int
digest_get_digest_size(cms_context *cms)
{
- return cms->selected_digest->digest_params->size;
+ int i = cms->selected_digest;
+ return digest_params[i].size;
}
void
@@ -129,6 +142,8 @@ cms_context_init(cms_context *cms)
if (!cms->arena)
cnreterr(-1, cms, "could not create cryptographic arena");
+ cms->selected_digest = -1;
+
INIT_LIST_HEAD(&cms->pk12_ins);
cms->pk12_out.fd = -1;
cms->db_out = cms->dbx_out = cms->dbt_out = -1;
@@ -211,7 +226,7 @@ cms_context_fini(cms_context *cms)
memset(&cms->newsig, '\0', sizeof (cms->newsig));
}
- cms->selected_digest = NULL;
+ cms->selected_digest = -1;
if (cms->ci_digest) {
free_poison(cms->ci_digest->data, cms->ci_digest->len);
@@ -336,7 +351,7 @@ set_digest_parameters(cms_context *cms, char *name)
if (strcmp(name, "help")) {
for (int i = 0; i < n_digest_params; i++) {
if (!strcmp(name, digest_params[i].name)) {
- cms->selected_digest = &cms->digests[i];
+ cms->selected_digest = i;
return 0;
}
}
@@ -1264,7 +1279,6 @@ generate_digest_begin(cms_context *cms)
cngotoerr(err, cms, "could not create digest context");
PK11_DigestBegin(digests[i].pk11ctx);
- digests[i].digest_params = &digest_params[i];
}
cms->digests = digests;
@@ -1337,11 +1351,11 @@ generate_signature(cms_context *cms)
{
int rc = 0;
- if (cms->selected_digest->pe_digest == NULL)
+ if (cms->digests[cms->selected_digest].pe_digest == NULL)
cnreterr(-1, cms, "PE digest has not been allocated");
- if (content_is_empty(cms->selected_digest->pe_digest->data,
- cms->selected_digest->pe_digest->len))
+ if (content_is_empty(cms->digests[cms->selected_digest].pe_digest->data,
+ cms->digests[cms->selected_digest].pe_digest->len))
cnreterr(-1, cms, "PE binary has not been digested");
SECItem sd_der;
diff --git a/src/content_info.c b/src/content_info.c
index 777aa28..9684850 100644
--- a/src/content_info.c
+++ b/src/content_info.c
@@ -181,8 +181,8 @@ generate_spc_digest_info(cms_context *cms, SECItem *dip)
if (generate_algorithm_id(cms, &di.digestAlgorithm,
digest_get_digest_oid(cms)) < 0)
return -1;
- memcpy(&di.digest, cms->selected_digest->pe_digest,
- sizeof(di.digest));
+ int i = cms->selected_digest;
+ memcpy(&di.digest, cms->digests[i].pe_digest, sizeof (di.digest));
if (content_is_empty(di.digest.data, di.digest.len)) {
cms->log(cms, LOG_ERR, "got empty digest");
diff --git a/src/file_kmod.c b/src/file_kmod.c
index c8875fc..6880cda 100644
--- a/src/file_kmod.c
+++ b/src/file_kmod.c
@@ -60,7 +60,7 @@ ssize_t
kmod_write_signature(cms_context *cms, int outfd)
{
SEC_PKCS7ContentInfo *cinfo;
- SECItem *digest = cms->selected_digest->pe_digest;
+ SECItem *digest = cms->digests[cms->selected_digest].pe_digest;
SECStatus rv;
struct write_sig_info info = {
.outfd = outfd,
diff --git a/src/file_pe.c b/src/file_pe.c
index c22b2af..805e614 100644
--- a/src/file_pe.c
+++ b/src/file_pe.c
@@ -114,8 +114,6 @@ check_inputs(pesign_context *ctx)
static void
print_digest(pesign_context *pctx)
{
- unsigned int i;
-
if (!pctx)
return;
@@ -123,9 +121,10 @@ print_digest(pesign_context *pctx)
if (!ctx)
return;
- unsigned char *ddata = ctx->selected_digest->pe_digest->data;
- for (i = 0; i < ctx->selected_digest->pe_digest->len; i++)
- printf("%02x", ddata[i]);
+ int j = ctx->selected_digest;
+ for (unsigned int i = 0; i < ctx->digests[j].pe_digest->len; i++)
+ printf("%02x",
+ (unsigned char)ctx->digests[j].pe_digest->data[i]);
printf(" %s\n", pctx->infile);
}
diff --git a/src/pesigcheck.c b/src/pesigcheck.c
index ebb404d..6dc67f7 100644
--- a/src/pesigcheck.c
+++ b/src/pesigcheck.c
@@ -221,7 +221,9 @@ static void
get_digest(pesigcheck_context *ctx, SECItem *digest)
{
struct cms_context *cms = ctx->cms_ctx;
- memcpy(digest, cms->selected_digest->pe_digest, sizeof(*digest));
+ struct digest *cms_digest = &cms->digests[cms->selected_digest];
+
+ memcpy(digest, cms_digest->pe_digest, sizeof (*digest));
}
static int
diff --git a/src/cms_common.h b/src/cms_common.h
index c7d4f69..c7acbcf 100644
--- a/src/cms_common.h
+++ b/src/cms_common.h
@@ -12,7 +12,6 @@
#include <secpkcs7.h>
#include <errno.h>
-#include <efivar.h>
#include <signal.h>
#include <stdarg.h>
#include <sys/types.h>
@@ -58,19 +57,9 @@
goto errlabel; \
})
-struct digest_param {
- char *name;
- SECOidTag digest_tag;
- SECOidTag signature_tag;
- SECOidTag digest_encryption_tag;
- const efi_guid_t *efi_guid;
- int size;
-};
-
struct digest {
PK11Context *pk11ctx;
SECItem *pe_digest;
- struct digest_param *digest_params;
};
typedef struct pk12_file {
@@ -144,7 +133,7 @@ typedef struct cms_context {
int db_out, dbx_out, dbt_out;
struct digest *digests;
- struct digest *selected_digest;
+ int selected_digest;
int omit_vendor_cert;
SECItem newsig;

149
0022-CMS-add-some-minor-cleanups.patch
View File

@ -1,149 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 29 Aug 2022 17:02:46 -0400
Subject: [PATCH] CMS: add some minor cleanups
We reverted 926782c216532a83f9ff864dee39d2349d61fd23 so that a future
patch can try a different approach, but that commit also had a few
cleanups that are worthwhile on their own.
This patch re-introduces the cleanup to move "struct digest_param" to a
more reasonable place and the cleanup to check_hash(), and takes it just
a bit farther.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/certdb.c | 26 +++++++++++++++-----------
src/cms_common.c | 39 ++++++++++++++++-----------------------
src/cms_common.h | 16 ++++++++++++++++
3 files changed, 47 insertions(+), 34 deletions(-)
diff --git a/src/certdb.c b/src/certdb.c
index 69d5daf..eb5221f 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -263,20 +263,24 @@ check_hash(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
{
efi_guid_t efi_sha256 = efi_guid_sha256;
efi_guid_t efi_sha1 = efi_guid_sha1;
- void *digest;
+ void *digest_data;
+ struct digest *digests = ctx->cms_ctx->digests;
+ int selected_digest = -1;
+ size_t size;
if (memcmp(sigtype, &efi_sha256, sizeof(efi_guid_t)) == 0) {
- digest = ctx->cms_ctx->digests[0].pe_digest->data;
- if (memcmp (digest, sig->data, 32) == 0) {
- ctx->cms_ctx->selected_digest = 0;
- return FOUND;
- }
+ selected_digest = DIGEST_PARAM_SHA256;
} else if (memcmp(sigtype, &efi_sha1, sizeof(efi_guid_t)) == 0) {
- digest = ctx->cms_ctx->digests[1].pe_digest->data;
- if (memcmp (digest, sig->data, 20) == 0) {
- ctx->cms_ctx->selected_digest = 1;
- return FOUND;
- }
+ selected_digest = DIGEST_PARAM_SHA1;
+ } else {
+ return NOT_FOUND;
+ }
+
+ digest_data = digests[selected_digest].pe_digest->data;
+ size = digest_params[selected_digest].size;
+ if (memcmp (digest_data, sig->data, size) == 0) {
+ ctx->cms_ctx->selected_digest = selected_digest;
+ return FOUND;
}
return NOT_FOUND;
diff --git a/src/cms_common.c b/src/cms_common.c
index 86341ca..7bddedf 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -33,34 +33,27 @@
#include "hex.h"
-struct digest_param {
- char *name;
- SECOidTag digest_tag;
- SECOidTag signature_tag;
- SECOidTag digest_encryption_tag;
- const efi_guid_t *efi_guid;
- int size;
-};
-
-static struct digest_param digest_params[] = {
- {.name = "sha256",
- .digest_tag = SEC_OID_SHA256,
- .signature_tag = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION,
- .digest_encryption_tag = SEC_OID_PKCS1_RSA_ENCRYPTION,
- .efi_guid = &efi_guid_sha256,
- .size = 32
+const struct digest_param digest_params[] = {
+ [DIGEST_PARAM_SHA256] = {
+ .name = "sha256",
+ .digest_tag = SEC_OID_SHA256,
+ .signature_tag = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION,
+ .digest_encryption_tag = SEC_OID_PKCS1_RSA_ENCRYPTION,
+ .efi_guid = &efi_guid_sha256,
+ .size = 32
},
#if 1
- {.name = "sha1",
- .digest_tag = SEC_OID_SHA1,
- .signature_tag = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION,
- .digest_encryption_tag = SEC_OID_PKCS1_RSA_ENCRYPTION,
- .efi_guid = &efi_guid_sha1,
- .size = 20
+ [DIGEST_PARAM_SHA1] = {
+ .name = "sha1",
+ .digest_tag = SEC_OID_SHA1,
+ .signature_tag = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION,
+ .digest_encryption_tag = SEC_OID_PKCS1_RSA_ENCRYPTION,
+ .efi_guid = &efi_guid_sha1,
+ .size = 20
},
#endif
};
-static int n_digest_params = sizeof (digest_params) / sizeof (digest_params[0]);
+const int n_digest_params = sizeof (digest_params) / sizeof (digest_params[0]);
SECOidTag
digest_get_digest_oid(cms_context *cms)
diff --git a/src/cms_common.h b/src/cms_common.h
index c7acbcf..e45402c 100644
--- a/src/cms_common.h
+++ b/src/cms_common.h
@@ -12,6 +12,7 @@
#include <secpkcs7.h>
#include <errno.h>
+#include <efivar.h>
#include <signal.h>
#include <stdarg.h>
#include <sys/types.h>
@@ -62,6 +63,21 @@ struct digest {
SECItem *pe_digest;
};
+#define DIGEST_PARAM_SHA256 0
+#define DIGEST_PARAM_SHA1 1
+
+struct digest_param {
+ char *name;
+ SECOidTag digest_tag;
+ SECOidTag signature_tag;
+ SECOidTag digest_encryption_tag;
+ const efi_guid_t *efi_guid;
+ int size;
+};
+
+extern const struct digest_param digest_params[2];
+extern const int n_digest_params;
+
typedef struct pk12_file {
char *path;
int fd;

291
0023-CMS-make-cms-selected_digest-an-index-again.patch
View File

@ -1,291 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 30 Aug 2022 15:42:15 -0400
Subject: [PATCH] CMS: make cms->selected_digest an index (again)
In 926782c216532a83f9ff864dee39d2349d61fd23, we switched
cms->selected_digest to be a pointer to the entry in cms->digests.
Because cms->digests is lazily allocated, setting the selected_digest
pointer has to be done at the right part of the CMS context life cycle,
and in some cases it clearly is not:
==334217== Command: ./src/pesign -n tmp -s --pinfile tmp/pinfile -t OpenSC\ Card\ (testcard) -c kernel-signer -i tmp/unsigned.efi -o tmp/signed.efi --force
==334217==
==334217== Invalid read of size 8
==334217== at 0x115E7D: digest_get_digest_oid (cms_common.c:59)
==334217== by 0x11CF41: generate_algorithm_id_list (signed_data.c:33)
==334217== by 0x11D348: generate_spc_signed_data (signed_data.c:279)
==334217== by 0x11EDFD: calculate_signature_space (wincert.c:297)
==334217== by 0x11467D: pe_handle_action (file_pe.c:298)
==334217== by 0x10F962: main (pesign.c:585)
==334217== Address 0x10 is not stack'd, malloc'd or (recently) free'd
==334217==
==334217==
==334217== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==334217== Access not within mapped region at address 0x10
==334217== at 0x115E7D: digest_get_digest_oid (cms_common.c:59)
==334217== by 0x11CF41: generate_algorithm_id_list (signed_data.c:33)
==334217== by 0x11D348: generate_spc_signed_data (signed_data.c:279)
==334217== by 0x11EDFD: calculate_signature_space (wincert.c:297)
==334217== by 0x11467D: pe_handle_action (file_pe.c:298)
==334217== by 0x10F962: main (pesign.c:585)
==334217== If you believe this happened as a result of a stack
==334217== overflow in your program's main thread (unlikely but
==334217== possible), you can try to increase the size of the
==334217== main thread stack using the --main-stacksize= flag.
==334217== The main thread stack size used in this run was 8388608.
==334217==
==334217== HEAP SUMMARY:
==334217== in use at exit: 588,544 bytes in 4,388 blocks
==334217== total heap usage: 8,568 allocs, 4,180 frees, 2,077,115 bytes allocated
==334217==
==334217== LEAK SUMMARY:
==334217== definitely lost: 25 bytes in 1 blocks
==334217== indirectly lost: 0 bytes in 0 blocks
==334217== possibly lost: 51,378 bytes in 166 blocks
==334217== still reachable: 537,141 bytes in 4,221 blocks
==334217== of which reachable via heuristic:
==334217== length64 : 321,312 bytes in 590 blocks
==334217== suppressed: 0 bytes in 0 blocks
==334217== Rerun with --leak-check=full to see details of leaked memory
==334217==
==334217== For lists of detected and suppressed errors, rerun with: -s
==334217== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)
There is also a similar issue in the daemon code, and how to fix it
there is not immediately clear to me.
Currently, we realistically only support using sha256 digests, so for
now I've chosen to paper over the issue by switching back to
cms->selected_digest be an index into both ctx->digests and
digest_params, but switching the default value from -1 to 0, aka
DIGEST_PARAM_SHA256. We can revisit this issue later whenever we add
sha384 support (or whichever other digest).
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/certdb.c | 2 +-
src/cms_common.c | 41 +++++++++++++++++++++++------------------
src/content_info.c | 2 +-
src/cms_common.h | 5 +++--
4 files changed, 28 insertions(+), 22 deletions(-)
diff --git a/src/certdb.c b/src/certdb.c
index eb5221f..467a01d 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -265,7 +265,7 @@ check_hash(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
efi_guid_t efi_sha1 = efi_guid_sha1;
void *digest_data;
struct digest *digests = ctx->cms_ctx->digests;
- int selected_digest = -1;
+ unsigned int selected_digest;
size_t size;
if (memcmp(sigtype, &efi_sha256, sizeof(efi_guid_t)) == 0) {
diff --git a/src/cms_common.c b/src/cms_common.c
index 7bddedf..1c54c90 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -33,6 +33,10 @@
#include "hex.h"
+/*
+ * Note that cms->selected_digest defaults to 0, which means the first
+ * entry of this array is the default digest.
+ */
const struct digest_param digest_params[] = {
[DIGEST_PARAM_SHA256] = {
.name = "sha256",
@@ -53,33 +57,33 @@ const struct digest_param digest_params[] = {
},
#endif
};
-const int n_digest_params = sizeof (digest_params) / sizeof (digest_params[0]);
+const unsigned int n_digest_params = sizeof (digest_params) / sizeof (digest_params[0]);
SECOidTag
digest_get_digest_oid(cms_context *cms)
{
- int i = cms->selected_digest;
+ unsigned int i = cms->selected_digest;
return digest_params[i].digest_tag;
}
SECOidTag
digest_get_encryption_oid(cms_context *cms)
{
- int i = cms->selected_digest;
+ unsigned int i = cms->selected_digest;
return digest_params[i].digest_encryption_tag;
}
SECOidTag
digest_get_signature_oid(cms_context *cms)
{
- int i = cms->selected_digest;
+ unsigned int i = cms->selected_digest;
return digest_params[i].signature_tag;
}
int
digest_get_digest_size(cms_context *cms)
{
- int i = cms->selected_digest;
+ unsigned int i = cms->selected_digest;
return digest_params[i].size;
}
@@ -91,7 +95,7 @@ teardown_digests(cms_context *ctx)
if (!digests)
return;
- for (int i = 0; i < n_digest_params; i++) {
+ for (unsigned int i = 0; i < n_digest_params; i++) {
if (digests[i].pk11ctx) {
PK11_Finalize(digests[i].pk11ctx);
PK11_DestroyContext(digests[i].pk11ctx, PR_TRUE);
@@ -135,7 +139,7 @@ cms_context_init(cms_context *cms)
if (!cms->arena)
cnreterr(-1, cms, "could not create cryptographic arena");
- cms->selected_digest = -1;
+ cms->selected_digest = DEFAULT_DIGEST_PARAM;
INIT_LIST_HEAD(&cms->pk12_ins);
cms->pk12_out.fd = -1;
@@ -219,7 +223,7 @@ cms_context_fini(cms_context *cms)
memset(&cms->newsig, '\0', sizeof (cms->newsig));
}
- cms->selected_digest = -1;
+ cms->selected_digest = DEFAULT_DIGEST_PARAM;
if (cms->ci_digest) {
free_poison(cms->ci_digest->data, cms->ci_digest->len);
@@ -342,7 +346,7 @@ int
set_digest_parameters(cms_context *cms, char *name)
{
if (strcmp(name, "help")) {
- for (int i = 0; i < n_digest_params; i++) {
+ for (unsigned int i = 0; i < n_digest_params; i++) {
if (!strcmp(name, digest_params[i].name)) {
cms->selected_digest = i;
return 0;
@@ -350,7 +354,7 @@ set_digest_parameters(cms_context *cms, char *name)
}
} else {
printf("Supported digests: ");
- for (int i = 0; digest_params[i].name != NULL; i++) {
+ for (unsigned int i = 0; digest_params[i].name != NULL; i++) {
printf("%s ", digest_params[i].name);
}
printf("\n");
@@ -1265,7 +1269,7 @@ generate_digest_begin(cms_context *cms)
cnreterr(-1, cms, "could not allocate digest context");
}
- for (int i = 0; i < n_digest_params; i++) {
+ for (unsigned int i = 0; i < n_digest_params; i++) {
digests[i].pk11ctx = PK11_CreateDigestContext(
digest_params[i].digest_tag);
if (!digests[i].pk11ctx)
@@ -1278,7 +1282,7 @@ generate_digest_begin(cms_context *cms)
return 0;
err:
- for (int i = 0; i < n_digest_params; i++) {
+ for (unsigned int i = 0; i < n_digest_params; i++) {
if (digests[i].pk11ctx)
PK11_DestroyContext(digests[i].pk11ctx, PR_TRUE);
}
@@ -1290,7 +1294,7 @@ err:
void
generate_digest_step(cms_context *cms, void *data, size_t len)
{
- for (int i = 0; i < n_digest_params; i++)
+ for (unsigned int i = 0; i < n_digest_params; i++)
PK11_DigestOp(cms->digests[i].pk11ctx, data, len);
}
@@ -1299,7 +1303,7 @@ generate_digest_finish(cms_context *cms)
{
void *mark = PORT_ArenaMark(cms->arena);
- for (int i = 0; i < n_digest_params; i++) {
+ for (unsigned int i = 0; i < n_digest_params; i++) {
SECItem *digest = PORT_ArenaZAlloc(cms->arena,sizeof (SECItem));
if (digest == NULL)
cngotoerr(err, cms, "could not allocate memory");
@@ -1326,7 +1330,7 @@ generate_digest_finish(cms_context *cms)
PORT_ArenaUnmark(cms->arena, mark);
return 0;
err:
- for (int i = 0; i < n_digest_params; i++) {
+ for (unsigned int i = 0; i < n_digest_params; i++) {
if (cms->digests[i].pk11ctx)
PK11_DestroyContext(cms->digests[i].pk11ctx, PR_TRUE);
}
@@ -1343,12 +1347,13 @@ int
generate_signature(cms_context *cms)
{
int rc = 0;
+ int i = cms->selected_digest;
- if (cms->digests[cms->selected_digest].pe_digest == NULL)
+ if (cms->digests[i].pe_digest == NULL)
cnreterr(-1, cms, "PE digest has not been allocated");
- if (content_is_empty(cms->digests[cms->selected_digest].pe_digest->data,
- cms->digests[cms->selected_digest].pe_digest->len))
+ if (content_is_empty(cms->digests[i].pe_digest->data,
+ cms->digests[i].pe_digest->len))
cnreterr(-1, cms, "PE binary has not been digested");
SECItem sd_der;
diff --git a/src/content_info.c b/src/content_info.c
index 9684850..900974c 100644
--- a/src/content_info.c
+++ b/src/content_info.c
@@ -181,7 +181,7 @@ generate_spc_digest_info(cms_context *cms, SECItem *dip)
if (generate_algorithm_id(cms, &di.digestAlgorithm,
digest_get_digest_oid(cms)) < 0)
return -1;
- int i = cms->selected_digest;
+ unsigned int i = cms->selected_digest;
memcpy(&di.digest, cms->digests[i].pe_digest, sizeof (di.digest));
if (content_is_empty(di.digest.data, di.digest.len)) {
diff --git a/src/cms_common.h b/src/cms_common.h
index e45402c..35a128a 100644
--- a/src/cms_common.h
+++ b/src/cms_common.h
@@ -65,6 +65,7 @@ struct digest {
#define DIGEST_PARAM_SHA256 0
#define DIGEST_PARAM_SHA1 1
+#define DEFAULT_DIGEST_PARAM DIGEST_PARAM_SHA256
struct digest_param {
char *name;
@@ -76,7 +77,7 @@ struct digest_param {
};
extern const struct digest_param digest_params[2];
-extern const int n_digest_params;
+extern const unsigned int n_digest_params;
typedef struct pk12_file {
char *path;
@@ -149,7 +150,7 @@ typedef struct cms_context {
int db_out, dbx_out, dbt_out;
struct digest *digests;
- int selected_digest;
+ unsigned int selected_digest;
int omit_vendor_cert;
SECItem newsig;

23
pesign.patches
View File

@ -1,23 +0,0 @@
Patch0001: 0001-daemon-remove-always-true-comparison.patch
Patch0002: 0002-make-handle-some-gcc-Wanalyzer-flags-better.patch
Patch0003: 0003-Rename-dprintf-to-dbgprintf.patch
Patch0004: 0004-.gitignore-add-compile_commands.json-and-.cache.patch
Patch0005: 0005-pesign-print-digests-before-filenames-like-sha256sum.patch
Patch0006: 0006-Add-pesum-an-authenticode-digest-generator.patch
Patch0007: 0007-Fix-building-signed-kernels-on-setups-other-than-koj.patch
Patch0008: 0008-Add-D_GLIBCXX_ASSERTIONS-to-CPPFLAGS.patch
Patch0009: 0009-macros.pesign-handle-centos-like-rhel-with-rhelver.patch
Patch0010: 0010-Detect-the-presence-of-rpm-sign-when-checking-for-rh.patch
Patch0011: 0011-Rename-README-README.md.patch
Patch0012: 0012-README.md-show-off-a-bit-more.patch
Patch0013: 0013-Fix-missing-line-in-README.md.patch
Patch0014: 0014-Fix-typo-in-efikeygen-command.patch
Patch0015: 0015-pesigcheck-Fix-crash-on-digest-match.patch
Patch0016: 0016-cms-store-digest-as-pointer-instead-of-index.patch
Patch0017: 0017-Fix-mandoc-invocation-to-not-produce-garbage.patch
Patch0018: 0018-Work-around-GCC-being-obnoxiously-incompatible-with-.patch
Patch0019: 0019-get_password_passthrough-handle-the-callback-context.patch
Patch0020: 0020-read_password-only-prune-CR-NL-from-the-end-of-the-f.patch
Patch0021: 0021-Revert-cms-store-digest-as-pointer-instead-of-index.patch
Patch0022: 0022-CMS-add-some-minor-cleanups.patch
Patch0023: 0023-CMS-make-cms-selected_digest-an-index-again.patch

8
pesign.spec
View File

@ -5,8 +5,8 @@
Name: pesign
Summary: Signing utility for UEFI binaries
Version: 115
Release: 9%{?dist}
Version: 116
Release: 1%{?dist}
License: GPL-2.0-only
URL: https://github.com/rhboot/pesign
@ -162,6 +162,10 @@ certutil -d %{_sysconfdir}/pki/pesign/ -X -L > /dev/null
%{python3_sitelib}/mockbuild/plugins/pesign.*
%changelog
* Tue Jan 31 2023 Robbie Harwood <rharwood@redhat.com> - 116-1
- New upstream release (116)
- Resolves: CVE-2022-3560
* Wed Aug 31 2022 Robbie Harwood <rharwood@redhat.com> - 115-9
- Roll up to pjones's smartcard/cms fixes

2
sources
View File

@ -1,2 +1,2 @@
SHA512 (certs.tar.xz) = ddac535c786d1a23074534323c4ce89f907d4f82b19c5d3a9c814b145fbac1599cd2386cf20c28d22aee7d5c4db441f052bab9ee655de756117a0a0bc99b525f
SHA512 (pesign-115.tar.bz2) = 0091d70e286326b1ed74418ca8c5a2a63d42e6aa3eccdfc4f09a34241b2addfe878af17d1d74648b7da79d6cd7158fcca0f3a52f4a82a57cacae4617b42b1faa
SHA512 (pesign-116.tar.bz2) = be3e1083f5e9f889cb8f7c50a8ebe723542fb2f6d1de8de9b04a9f21526ebaa8ab1efc7d4be11bcb0bc9862fa4bc6f78ee35e4d3496dd3b8927170b97795d25c