Accepting request 209457 from home:gary_lin:branches:Base:System

Include upstream patches and support MOK blacklist OBS-URL: https://build.opensuse.org/request/show/209457 OBS-URL: https://build.opensuse.org/package/show/Base:System/mokutil?expand=0&rev=12
2013-12-05 02:46:51 +00:00 · 2013-12-05 02:46:51 +00:00 · 30ebafa53a
commit 30ebafa53a
parent 44db4978c2
4 changed files with 3784 additions and 0 deletions
--- a/mokutil-mokx-support.patch
+++ b/mokutil-mokx-support.patch
--- a/mokutil-upstream-fixes.patch
+++ b/mokutil-upstream-fixes.patch
@ -0,0 +1,853 @@
+From 9bbf4150add7de95bfeed8515aa9d9d63977ebd4 Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin <glin@suse.com>
+Date: Wed, 25 Sep 2013 18:04:29 +0800
+Subject: [PATCH 01/10] Update the copyright declaration
+
+Allow the binary to be linked with openssl
+---
+ src/efi.h            | 47 +++++++++++++++++++++++++++++------------------
+ src/efilib.c         | 17 +++++++++++++++++
+ src/mokutil.c        | 14 ++++++++++++++
+ src/password-crypt.c | 14 ++++++++++++++
+ src/password-crypt.h | 14 ++++++++++++++
+ src/signature.h      | 30 ++++++++++++++++++++++++++++++
+ 6 files changed, 118 insertions(+), 18 deletions(-)
+
+diff --git a/src/efi.h b/src/efi.h
+index 7930a94..a622a2b 100644
+--- a/src/efi.h
+++ b/src/efi.h
+@@ -1,22 +1,33 @@
+ /*
+-  efi.h - Extensible Firmware Interface definitions
+-
+-  Copyright (C) 2001, 2003 Dell Computer Corporation <Matt_Domsch@dell.com>
+-  Copyright (C) 2012 Gary Lin <glin@suse.com>
+-
+-    This program is free software; you can redistribute it and/or modify
+-    it under the terms of the GNU General Public License as published by
+-    the Free Software Foundation; either version 2 of the License, or
+-    (at your option) any later version.
+-
+-    This program is distributed in the hope that it will be useful,
+-    but WITHOUT ANY WARRANTY; without even the implied warranty of
+-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+-    GNU General Public License for more details.
+-
+-    You should have received a copy of the GNU General Public License
+-    along with this program; if not, write to the Free Software
+-    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ * Copyright (C) 2001, 2003 Dell Computer Corporation <Matt_Domsch@dell.com>
+ * Copyright (C) 2012-2013 Gary Lin <glin@suse.com>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ *
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL.  If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so.  If you
+ * do not wish to do so, delete this exception statement from your
+ * version.  If you delete this exception statement from all source
+ * files in the program, then also delete it here.
+  */
+ 
+ #ifndef EFI_H
+diff --git a/src/efilib.c b/src/efilib.c
+index c2336f9..6db914f 100644
+--- a/src/efilib.c
+++ b/src/efilib.c
+@@ -14,6 +14,23 @@
+  * You should have received a copy of the GNU General Public License
+  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+  *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ *
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL.  If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so.  If you
+ * do not wish to do so, delete this exception statement from your
+ * version.  If you delete this exception statement from all source
+ * files in the program, then also delete it here.
+ *
+  * A part of the source code is copied from efibootmgr
+  */
+ #include <sys/types.h>
+diff --git a/src/mokutil.c b/src/mokutil.c
+index e7ea08f..109a3eb 100644
+--- a/src/mokutil.c
+++ b/src/mokutil.c
+@@ -14,6 +14,20 @@
+  *
+  * You should have received a copy of the GNU General Public License
+  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ *
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL.  If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so.  If you
+ * do not wish to do so, delete this exception statement from your
+ * version.  If you delete this exception statement from all source
+ * files in the program, then also delete it here.
+  */
+ #include <stdio.h>
+ #include <stdlib.h>
+diff --git a/src/password-crypt.c b/src/password-crypt.c
+index a1d213b..7fbc3b6 100644
+--- a/src/password-crypt.c
+++ b/src/password-crypt.c
+@@ -13,6 +13,20 @@
+  *
+  * You should have received a copy of the GNU General Public License
+  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ *
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL.  If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so.  If you
+ * do not wish to do so, delete this exception statement from your
+ * version.  If you delete this exception statement from all source
+ * files in the program, then also delete it here.
+  */
+ #include <string.h>
+ #include <stdlib.h>
+diff --git a/src/password-crypt.h b/src/password-crypt.h
+index b694ac1..04451b4 100644
+--- a/src/password-crypt.h
+++ b/src/password-crypt.h
+@@ -13,6 +13,20 @@
+  *
+  * You should have received a copy of the GNU General Public License
+  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ *
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL.  If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so.  If you
+ * do not wish to do so, delete this exception statement from your
+ * version.  If you delete this exception statement from all source
+ * files in the program, then also delete it here.
+  */
+ #ifndef __PASSWORD_CRYPT_H__
+ #define __PASSWORD_CRYPT_H__
+diff --git a/src/signature.h b/src/signature.h
+index f795f14..df88e98 100644
+--- a/src/signature.h
+++ b/src/signature.h
+@@ -1,3 +1,33 @@
+/**
+ * Copyright (C) 2012-2013 Gary Lin <glin@suse.com>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ *
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL.  If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so.  If you
+ * do not wish to do so, delete this exception statement from your
+ * version.  If you delete this exception statement from all source
+ * files in the program, then also delete it here.
+ */
+ #define SHA256_DIGEST_SIZE  32
+ 
+ #define EfiHashSha1Guid EFI_GUID (0x826ca512, 0xcf10, 0x4ac9, 0xb1, 0x87, 0xbe, 0x1, 0x49, 0x66, 0x31, 0xbd)
+-- 
+1.8.1.4
+
+
+From dcb76ee1e91c02a026bc0b0b8d02dac71d3c85e1 Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Wed, 2 Oct 2013 13:09:20 -0400
+Subject: [PATCH 02/10] Add support for disabling/enabling the use of DB for
+ verification
+
+This lets a user disable the use of DB for verification purposes.  The new
+options "--ignore-db" and "--use-db" toggle the state of this.  This sets
+a UEFI variable called MokDB that makes MokManager prompt the user to approve
+the setting after a reboot.
+
+We refactor MokSBVar to MokToggleVar and set_validation to set_toggle, as
+both MokDB and MokSB are really just toggle variables.
+---
+ src/mokutil.c | 54 +++++++++++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 41 insertions(+), 13 deletions(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index 109a3eb..41bd8eb 100644
+--- a/src/mokutil.c
+++ b/src/mokutil.c
+@@ -76,6 +76,8 @@ EFI_GUID (0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b,
+ #define RESET              (1 << 15)
+ #define GENERATE_PW_HASH   (1 << 16)
+ #define SIMPLE_HASH        (1 << 17)
+#define IGNORE_DB          (1 << 18)
+#define USE_DB             (1 << 19)
+ 
+ #define DEFAULT_CRYPT_METHOD SHA512_BASED
+ #define DEFAULT_SALT_SIZE    SHA512_SALT_MAX
+@@ -90,10 +92,10 @@ typedef struct {
+ } MokListNode;
+ 
+ typedef struct {
+-	uint32_t mok_sb_state;
+	uint32_t mok_toggle_state;
+ 	uint32_t password_length;
+ 	uint16_t password[SB_PASSWORD_MAX];
+-} MokSBVar;
+} MokToggleVar;
+ 
+ static void
+ print_help ()
+@@ -119,6 +121,8 @@ print_help ()
+ 	printf ("  --test-key <der file>\t\t\tTest if the key is enrolled or not\n");
+ 	printf ("  --reset\t\t\t\tReset MOK list\n");
+ 	printf ("  --generate-hash[=password]\t\tGenerate the password hash\n");
+	printf ("  --ignore-db\t\t\t\tIgnore DB for validation\n");
+	printf ("  --use-db\t\t\t\tUse DB for validation\n");
+ 	printf ("\n");
+ 	printf ("Supplimentary Options:\n");
+ 	printf ("  --hash-file <hash file>\t\tUse the specific password hash\n");
+@@ -1108,10 +1112,10 @@ error:
+ }
+ 
+ static int
+-set_validation (uint32_t state)
+set_toggle (const char * VarName, uint32_t state)
+ {
+ 	efi_variable_t var;
+-	MokSBVar sbvar;
+	MokToggleVar tvar;
+ 	char *password = NULL;
+ 	int pw_len;
+ 	efi_char16_t efichar_pass[SB_PASSWORD_MAX];
+@@ -1123,26 +1127,26 @@ set_validation (uint32_t state)
+ 		goto error;
+ 	}
+ 
+-	sbvar.password_length = pw_len;
+	tvar.password_length = pw_len;
+ 
+ 	efichar_from_char (efichar_pass, password,
+ 			   SB_PASSWORD_MAX * sizeof(efi_char16_t));
+ 
+-	memcpy(sbvar.password, efichar_pass,
+	memcpy(tvar.password, efichar_pass,
+ 	       SB_PASSWORD_MAX * sizeof(efi_char16_t));
+ 
+-	sbvar.mok_sb_state = state;
+	tvar.mok_toggle_state = state;
+ 
+-	var.VariableName = "MokSB";
+	var.VariableName = VarName;
+ 	var.VendorGuid = SHIM_LOCK_GUID;
+-	var.Data = (void *)&sbvar;
+-	var.DataSize = sizeof(sbvar);
+	var.Data = (void *)&tvar;
+	var.DataSize = sizeof(tvar);
+ 	var.Attributes = EFI_VARIABLE_NON_VOLATILE
+ 		| EFI_VARIABLE_BOOTSERVICE_ACCESS
+ 		| EFI_VARIABLE_RUNTIME_ACCESS;
+ 
+ 	if (edit_protected_variable (&var) != EFI_SUCCESS) {
+-		fprintf (stderr, "Failed to request new SB state\n");
+		fprintf (stderr, "Failed to request new %s state\n", VarName);
+ 		goto error;
+ 	}
+ 
+@@ -1156,13 +1160,13 @@ error:
+ static int
+ disable_validation()
+ {
+-	return set_validation(0);
+	return set_toggle("MokSB", 0);
+ }
+ 
+ static int
+ enable_validation()
+ {
+-	return set_validation(1);
+	return set_toggle("MokSB", 1);
+ }
+ 
+ static int
+@@ -1195,6 +1199,18 @@ sb_state ()
+ }
+ 
+ static int
+disable_db()
+{
+	return set_toggle("MokDB", 0);
+}
+
+static int
+enable_db()
+{
+	return set_toggle("MokDB", 1);
+}
+
+static int
+ test_key (const char *key_file)
+ {
+ 	struct stat buf;
+@@ -1346,6 +1362,8 @@ main (int argc, char *argv[])
+ 			{"generate-hash",      optional_argument, 0, 'g'},
+ 			{"root-pw",            no_argument,       0, 'P'},
+ 			{"simple-hash",        no_argument,       0, 's'},
+			{"ignore-db",          no_argument,       0, 0  },
+			{"use-db",             no_argument,       0, 0  },
+ 			{0, 0, 0, 0}
+ 		};
+ 
+@@ -1377,6 +1395,10 @@ main (int argc, char *argv[])
+ 				command |= SB_STATE;
+ 			} else if (strcmp (option, "reset") == 0) {
+ 				command |= RESET;
+			} else if (strcmp (option, "ignore-db") == 0) {
+				command |= IGNORE_DB;
+			} else if (strcmp (option, "use-db") == 0) {
+				command |= USE_DB;
+ 			}
+ 			break;
+ 		case 'd':
+@@ -1523,6 +1545,12 @@ main (int argc, char *argv[])
+ 		case GENERATE_PW_HASH:
+ 			ret = generate_pw_hash (input_pw);
+ 			break;
+		case IGNORE_DB:
+			ret = disable_db ();
+			break;
+		case USE_DB:
+			ret = enable_db ();
+			break;
+ 		default:
+ 			print_help ();
+ 			break;
+-- 
+1.8.1.4
+
+
+From 2cc44c8e18c48a6985265fd3173e156280d1ec59 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Fri, 15 Nov 2013 09:41:41 -0500
+Subject: [PATCH 03/10] Free mok lists we've allocated in our error paths.
+
+Coverity says they're leaking, and it's right, though I suspect we just
+exit anyway.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/mokutil.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index 41bd8eb..566c14e 100644
+--- a/src/mokutil.c
+++ b/src/mokutil.c
+@@ -343,6 +343,7 @@ delete_key_from_list (void *mok, uint32_t mok_size,
+ 
+ 	ret = 1;
+ done:
+	free (list);
+ 	free (var.Data);
+ 
+ 	return ret;
+@@ -763,6 +764,7 @@ is_duplicate (const void *cert, const uint32_t cert_size, const char *db_name,
+ 	}
+ 
+ done:
+	free (list);
+ 	free (var.Data);
+ 
+ 	return ret;
+@@ -1037,6 +1039,7 @@ export_moks ()
+ 
+ 	ret = 0;
+ error:
+	free (list);
+ 	free (var.Data);
+ 
+ 	return ret;
+-- 
+1.8.1.4
+
+
+From 86007043adb5bbd2dd0e206998a16783779f9bd3 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Fri, 15 Nov 2013 09:43:57 -0500
+Subject: [PATCH 04/10] Don't close file descriptors < 0.
+
+Coverity complains, though you'll just get EBADFD.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/mokutil.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index 566c14e..4f9b288 100644
+--- a/src/mokutil.c
+++ b/src/mokutil.c
+@@ -1256,7 +1256,8 @@ error:
+ 	if (key)
+ 		free (key);
+ 
+-	close (fd);
+	if (fd >= 0)
+		close (fd);
+ 
+ 	return ret;
+ }
+-- 
+1.8.1.4
+
+
+From 11d68c32f35306dd475d429ba8fbc127a1c77f44 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Fri, 15 Nov 2013 09:48:32 -0500
+Subject: [PATCH 05/10] Error check reading hash from file.
+
+Coverity noticed that if read() returns error, we're doing string[-1].
+We're also only reading some of the file in some cases.  Replaced this
+with a proper read loop.
+
+Also we were overruning the string by one byte.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/mokutil.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index 4f9b288..2a5e72f 100644
+--- a/src/mokutil.c
+++ b/src/mokutil.c
+@@ -29,6 +29,7 @@
+  * version.  If you delete this exception statement from all source
+  * files in the program, then also delete it here.
+  */
+#include <errno.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+@@ -567,7 +568,7 @@ static int
+ get_hash_from_file (const char *file, pw_crypt_t *pw_crypt)
+ {
+ 	char string[300];
+-	ssize_t read_len;
+	ssize_t read_len = 0;
+ 	int fd;
+ 
+ 	fd = open (file, O_RDONLY);
+@@ -575,10 +576,23 @@ get_hash_from_file (const char *file, pw_crypt_t *pw_crypt)
+ 		fprintf (stderr, "Failed to open %s\n", file);
+ 		return -1;
+ 	}
+-	read_len = read (fd, string, 300);
+
+	while (read_len < 300) {
+		int rc = read (fd, string + read_len, 300 - read_len);
+		if (rc == EAGAIN)
+			continue;
+		if (rc < 0) {
+			fprintf (stderr, "Failed to read %s: %m\n", file);
+			close (fd);
+			return -1;
+		}
+		if (rc == 0)
+			break;
+		read_len += rc;
+	}
+ 	close (fd);
+ 
+-	if (string[read_len] != '\0') {
+	if (string[read_len-1] != '\0') {
+ 		fprintf (stderr, "corrupted string\n");
+ 		return -1;
+ 	}
+-- 
+1.8.1.4
+
+
+From 97b09b346640ea74e7d51c9b59247cd75836c453 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Fri, 15 Nov 2013 10:01:35 -0500
+Subject: [PATCH 06/10] Use a read/realloc loop to avoid a race condition on
+ stat()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Coverity says:
+ 4. shim-0.7/mokutil-0.2.0/src/mokutil.c:1228:toctou – Calling function
+ "open(char const *, int, ...)" that uses "key_file" after a check
+ function. This can cause a time-of-check, time-of-use race condition.
+
+So with the new code we'll probably get garbage if somebody tries racing
+that for some reason, but at least it'll be consistent garbage :)
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/mokutil.c | 35 ++++++++++++++++++++++++++---------
+ 1 file changed, 26 insertions(+), 9 deletions(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index 2a5e72f..f29b57d 100644
+--- a/src/mokutil.c
+++ b/src/mokutil.c
+@@ -1227,6 +1227,30 @@ enable_db()
+ 	return set_toggle("MokDB", 1);
+ }
+ 
+static inline int
+read_file(int fd, char **bufp, size_t *lenptr) {
+    int alloced = 0, size = 0, i = 0;
+    char * buf = NULL;
+
+    do {
+	size += i;
+	if ((size + 1024) > alloced) {
+	    alloced += 4096;
+	    buf = realloc (buf, alloced + 1);
+	}
+    } while ((i = read (fd, buf + size, 1024)) > 0);
+
+    if (i < 0) {
+        free (buf);
+	return -1;
+    }
+
+    *bufp = buf;
+    *lenptr = size;
+
+    return 0;
+}
+
+ static int
+ test_key (const char *key_file)
+ {
+@@ -1235,21 +1259,14 @@ test_key (const char *key_file)
+ 	ssize_t read_size;
+ 	int fd, ret = -1;
+ 
+-	if (stat (key_file, &buf) != 0) {
+-		fprintf (stderr, "Failed to get file status, %s\n", key_file);
+-		return -1;
+-	}
+-
+-	key = malloc (buf.st_size);
+-
+ 	fd = open (key_file, O_RDONLY);
+ 	if (fd < 0) {
+ 		fprintf (stderr, "Failed to open %s\n", key_file);
+ 		goto error;
+ 	}
+ 
+-	read_size = read (fd, key, buf.st_size);
+-	if (read_size < 0 || read_size != buf.st_size) {
+	int rc = read_file (fd, &key, &read_size);
+	if (rc < 0) {
+ 		fprintf (stderr, "Failed to read %s\n", key_file);
+ 		goto error;
+ 	}
+-- 
+1.8.1.4
+
+
+From 5facb36c5320fe54d38ab081505259c962f8fadb Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Fri, 15 Nov 2013 10:04:06 -0500
+Subject: [PATCH 07/10] Fix check for string termination that was actually a
+ NULL ptr check...
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Coverity says:
+
+ 2. shim-0.7/mokutil-0.2.0/src/password-crypt.c:267:check_after_deref –
+ Null-checking "tmp" suggests that it may be null, but it has already
+ been dereferenced on all paths leading to the check.
+
+And:
+
+ 2. shim-0.7/mokutil-0.2.0/src/password-crypt.c:215:check_after_deref –
+ Null-checking "tmp" suggests that it may be null, but it has already
+ been dereferenced on all paths leading to the check.
+
+But to me it looks like these were supposed to be checking for end-of-string
+instead.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/password-crypt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/password-crypt.c b/src/password-crypt.c
+index 7fbc3b6..17362f1 100644
+--- a/src/password-crypt.c
+++ b/src/password-crypt.c
+@@ -212,7 +212,7 @@ decode_sha256_pass (const char *string, pw_crypt_t *pw_crypt)
+ 	tmp = ptr;
+ 	if (strlen (ptr) > SHA256_B64_LENGTH) {
+ 		while (*tmp != '$') {
+-			if (tmp == '\0')
+			if (*tmp == '\0')
+ 				return -1;
+ 			count++;
+ 			tmp++;
+@@ -264,7 +264,7 @@ decode_sha512_pass (const char *string, pw_crypt_t *pw_crypt)
+ 	tmp = ptr;
+ 	if (strlen (ptr) > SHA512_B64_LENGTH) {
+ 		while (*tmp != '$') {
+-			if (tmp == '\0')
+			if (*tmp == '\0')
+ 				return -1;
+ 			count++;
+ 			tmp++;
+-- 
+1.8.1.4
+
+
+From fcae982278ee1399d44c10a162a825589f735b54 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Fri, 15 Nov 2013 10:23:03 -0500
+Subject: [PATCH 08/10] Make generate_pw_hash() somewhat cleaner.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Coverity needlessly complains:
+
+ 2. shim-0.7/mokutil-0.2.0/src/mokutil.c:1322:check_after_deref –
+ Null-checking "password" suggests that it may be null, but it has
+ already been dereferenced on all paths leading to the check.
+
+While this doesn't really make any difference, the whole ret and
+error-path was overkill here, so I got rid of it.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/mokutil.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index f29b57d..c6cfb29 100644
+--- a/src/mokutil.c
+++ b/src/mokutil.c
+@@ -1312,7 +1312,7 @@ generate_pw_hash (const char *input_pw)
+ 	char *crypt_string;
+ 	const char *prefix;
+ 	int prefix_len;
+-	int pw_len, salt_size, ret = -1;
+	int pw_len, salt_size;
+ 
+ 	if (input_pw) {
+ 		pw_len = strlen (input_pw);
+@@ -1345,19 +1345,15 @@ generate_pw_hash (const char *input_pw)
+ 	settings[DEFAULT_SALT_SIZE + prefix_len] = '\0';
+ 
+ 	crypt_string = crypt (password, settings);
+	free (password);
+ 	if (!crypt_string) {
+ 		fprintf (stderr, "Failed to generate hash\n");
+-		goto error;
+		return -1;
+ 	}
+ 
+ 	printf ("%s\n", crypt_string);
+ 
+-	ret = 0;
+-error:
+-	if (password)
+-		free (password);
+-
+-	return ret;
+	return 0;
+ }
+ 
+ int
+@@ -1489,6 +1485,10 @@ main (int argc, char *argv[])
+ 			break;
+ 		case 't':
+ 			key_file = strdup (optarg);
+			if (key_file == NULL) {
+				fprintf (stderr, "Could not allocate space: %m\n");
+				exit(1);
+			}
+ 
+ 			command |= TEST_KEY;
+ 			break;
+-- 
+1.8.1.4
+
+
+From ab16ba45293896bc9e649d23e20ae4e39946f219 Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin <glin@suse.com>
+Date: Mon, 25 Nov 2013 16:55:23 +0800
+Subject: [PATCH 09/10] Fix warnings from gcc
+
+---
+ src/mokutil.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index c6cfb29..9aa4376 100644
+--- a/src/mokutil.c
+++ b/src/mokutil.c
+@@ -1228,9 +1228,9 @@ enable_db()
+ }
+ 
+ static inline int
+-read_file(int fd, char **bufp, size_t *lenptr) {
+read_file(int fd, void **bufp, size_t *lenptr) {
+     int alloced = 0, size = 0, i = 0;
+-    char * buf = NULL;
+    void * buf = NULL;
+ 
+     do {
+ 	size += i;
+@@ -1254,10 +1254,9 @@ read_file(int fd, char **bufp, size_t *lenptr) {
+ static int
+ test_key (const char *key_file)
+ {
+-	struct stat buf;
+ 	void *key = NULL;
+-	ssize_t read_size;
+-	int fd, ret = -1;
+	size_t read_size;
+	int fd, rc, ret = -1;
+ 
+ 	fd = open (key_file, O_RDONLY);
+ 	if (fd < 0) {
+@@ -1265,7 +1264,7 @@ test_key (const char *key_file)
+ 		goto error;
+ 	}
+ 
+-	int rc = read_file (fd, &key, &read_size);
+	rc = read_file (fd, &key, &read_size);
+ 	if (rc < 0) {
+ 		fprintf (stderr, "Failed to read %s\n", key_file);
+ 		goto error;
+-- 
+1.8.1.4
+
+
+From a1a7385419b45834a728464f36100fa1098b9741 Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin <glin@suse.com>
+Date: Mon, 25 Nov 2013 16:57:33 +0800
+Subject: [PATCH 10/10] Fix the indentation
+
+---
+ src/mokutil.c | 34 +++++++++++++++++-----------------
+ 1 file changed, 17 insertions(+), 17 deletions(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index 9aa4376..e4e247c 100644
+--- a/src/mokutil.c
+++ b/src/mokutil.c
+@@ -1229,26 +1229,26 @@ enable_db()
+ 
+ static inline int
+ read_file(int fd, void **bufp, size_t *lenptr) {
+-    int alloced = 0, size = 0, i = 0;
+-    void * buf = NULL;
+-
+-    do {
+-	size += i;
+-	if ((size + 1024) > alloced) {
+-	    alloced += 4096;
+-	    buf = realloc (buf, alloced + 1);
+-	}
+-    } while ((i = read (fd, buf + size, 1024)) > 0);
+	int alloced = 0, size = 0, i = 0;
+	void * buf = NULL;
+ 
+-    if (i < 0) {
+-        free (buf);
+-	return -1;
+-    }
+	do {
+		size += i;
+		if ((size + 1024) > alloced) {
+			alloced += 4096;
+			buf = realloc (buf, alloced + 1);
+		}
+	} while ((i = read (fd, buf + size, 1024)) > 0);
+ 
+-    *bufp = buf;
+-    *lenptr = size;
+	if (i < 0) {
+		free (buf);
+		return -1;
+	}
+
+	*bufp = buf;
+	*lenptr = size;
+ 
+-    return 0;
+	return 0;
+ }
+ 
+ static int
+-- 
+1.8.1.4
+
--- a/mokutil.changes
+++ b/mokutil.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Dec  5 02:11:40 UTC 2013 - glin@suse.com
+
+- Add mokutil-upstream-fixes.patch to include upstream fixes for
+  db signature check, gcc warnings, and error handling
+- Add mokutil-mokx-support.patch to support the MOK blacklist
+  (FATE#316531)
+
 -------------------------------------------------------------------
 Thu Jul 25 09:13:44 UTC 2013 - glin@suse.com

--- a/mokutil.spec
+++ b/mokutil.spec
@ -24,6 +24,10 @@ License:        GPL-3.0
 Group:          Productivity/Security
 Url:            https://github.com/lcp/mokutil
 Source:         %{name}-%{version}.tar.bz2
+# PATCH-FIX-UPSTREAM mokutil-upstream-fixes.patch glin@suse.com -- Include upstream fixes for db signature check, gcc warnings, error handling
+Patch1:         mokutil-upstream-fixes.patch
+# PATCH-FIX-UPSTREAM mokutil-mokx-support.patch glin@suse.com -- Support the MOK blacklist
+Patch2:         mokutil-mokx-support.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  libopenssl-devel >= 0.9.8
@ -43,6 +47,8 @@ Authors:

 %prep
 %setup -q
+%patch1 -p1
+%patch2 -p1

 %build
 %configure