Accepting request 209457 from home:gary_lin:branches:Base:System

Include upstream patches and support MOK blacklist

OBS-URL: https://build.opensuse.org/request/show/209457
OBS-URL: https://build.opensuse.org/package/show/Base:System/mokutil?expand=0&rev=12
This commit is contained in:
Gary Ching-Pang Lin 2013-12-05 02:46:51 +00:00 committed by Git OBS Bridge
parent 44db4978c2
commit 30ebafa53a
4 changed files with 3784 additions and 0 deletions

2917
mokutil-mokx-support.patch Normal file

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,853 @@
From 9bbf4150add7de95bfeed8515aa9d9d63977ebd4 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Wed, 25 Sep 2013 18:04:29 +0800
Subject: [PATCH 01/10] Update the copyright declaration
Allow the binary to be linked with openssl
---
src/efi.h | 47 +++++++++++++++++++++++++++++------------------
src/efilib.c | 17 +++++++++++++++++
src/mokutil.c | 14 ++++++++++++++
src/password-crypt.c | 14 ++++++++++++++
src/password-crypt.h | 14 ++++++++++++++
src/signature.h | 30 ++++++++++++++++++++++++++++++
6 files changed, 118 insertions(+), 18 deletions(-)
diff --git a/src/efi.h b/src/efi.h
index 7930a94..a622a2b 100644
--- a/src/efi.h
+++ b/src/efi.h
@@ -1,22 +1,33 @@
/*
- efi.h - Extensible Firmware Interface definitions
-
- Copyright (C) 2001, 2003 Dell Computer Corporation <Matt_Domsch@dell.com>
- Copyright (C) 2012 Gary Lin <glin@suse.com>
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * Copyright (C) 2001, 2003 Dell Computer Corporation <Matt_Domsch@dell.com>
+ * Copyright (C) 2012-2013 Gary Lin <glin@suse.com>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ *
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
*/
#ifndef EFI_H
diff --git a/src/efilib.c b/src/efilib.c
index c2336f9..6db914f 100644
--- a/src/efilib.c
+++ b/src/efilib.c
@@ -14,6 +14,23 @@
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ *
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
+ *
* A part of the source code is copied from efibootmgr
*/
#include <sys/types.h>
diff --git a/src/mokutil.c b/src/mokutil.c
index e7ea08f..109a3eb 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -14,6 +14,20 @@
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ *
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
*/
#include <stdio.h>
#include <stdlib.h>
diff --git a/src/password-crypt.c b/src/password-crypt.c
index a1d213b..7fbc3b6 100644
--- a/src/password-crypt.c
+++ b/src/password-crypt.c
@@ -13,6 +13,20 @@
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ *
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
*/
#include <string.h>
#include <stdlib.h>
diff --git a/src/password-crypt.h b/src/password-crypt.h
index b694ac1..04451b4 100644
--- a/src/password-crypt.h
+++ b/src/password-crypt.h
@@ -13,6 +13,20 @@
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ *
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
*/
#ifndef __PASSWORD_CRYPT_H__
#define __PASSWORD_CRYPT_H__
diff --git a/src/signature.h b/src/signature.h
index f795f14..df88e98 100644
--- a/src/signature.h
+++ b/src/signature.h
@@ -1,3 +1,33 @@
+/**
+ * Copyright (C) 2012-2013 Gary Lin <glin@suse.com>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ *
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
+ */
#define SHA256_DIGEST_SIZE 32
#define EfiHashSha1Guid EFI_GUID (0x826ca512, 0xcf10, 0x4ac9, 0xb1, 0x87, 0xbe, 0x1, 0x49, 0x66, 0x31, 0xbd)
--
1.8.1.4
From dcb76ee1e91c02a026bc0b0b8d02dac71d3c85e1 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Wed, 2 Oct 2013 13:09:20 -0400
Subject: [PATCH 02/10] Add support for disabling/enabling the use of DB for
verification
This lets a user disable the use of DB for verification purposes. The new
options "--ignore-db" and "--use-db" toggle the state of this. This sets
a UEFI variable called MokDB that makes MokManager prompt the user to approve
the setting after a reboot.
We refactor MokSBVar to MokToggleVar and set_validation to set_toggle, as
both MokDB and MokSB are really just toggle variables.
---
src/mokutil.c | 54 +++++++++++++++++++++++++++++++++++++++++-------------
1 file changed, 41 insertions(+), 13 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 109a3eb..41bd8eb 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -76,6 +76,8 @@ EFI_GUID (0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b,
#define RESET (1 << 15)
#define GENERATE_PW_HASH (1 << 16)
#define SIMPLE_HASH (1 << 17)
+#define IGNORE_DB (1 << 18)
+#define USE_DB (1 << 19)
#define DEFAULT_CRYPT_METHOD SHA512_BASED
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
@@ -90,10 +92,10 @@ typedef struct {
} MokListNode;
typedef struct {
- uint32_t mok_sb_state;
+ uint32_t mok_toggle_state;
uint32_t password_length;
uint16_t password[SB_PASSWORD_MAX];
-} MokSBVar;
+} MokToggleVar;
static void
print_help ()
@@ -119,6 +121,8 @@ print_help ()
printf (" --test-key <der file>\t\t\tTest if the key is enrolled or not\n");
printf (" --reset\t\t\t\tReset MOK list\n");
printf (" --generate-hash[=password]\t\tGenerate the password hash\n");
+ printf (" --ignore-db\t\t\t\tIgnore DB for validation\n");
+ printf (" --use-db\t\t\t\tUse DB for validation\n");
printf ("\n");
printf ("Supplimentary Options:\n");
printf (" --hash-file <hash file>\t\tUse the specific password hash\n");
@@ -1108,10 +1112,10 @@ error:
}
static int
-set_validation (uint32_t state)
+set_toggle (const char * VarName, uint32_t state)
{
efi_variable_t var;
- MokSBVar sbvar;
+ MokToggleVar tvar;
char *password = NULL;
int pw_len;
efi_char16_t efichar_pass[SB_PASSWORD_MAX];
@@ -1123,26 +1127,26 @@ set_validation (uint32_t state)
goto error;
}
- sbvar.password_length = pw_len;
+ tvar.password_length = pw_len;
efichar_from_char (efichar_pass, password,
SB_PASSWORD_MAX * sizeof(efi_char16_t));
- memcpy(sbvar.password, efichar_pass,
+ memcpy(tvar.password, efichar_pass,
SB_PASSWORD_MAX * sizeof(efi_char16_t));
- sbvar.mok_sb_state = state;
+ tvar.mok_toggle_state = state;
- var.VariableName = "MokSB";
+ var.VariableName = VarName;
var.VendorGuid = SHIM_LOCK_GUID;
- var.Data = (void *)&sbvar;
- var.DataSize = sizeof(sbvar);
+ var.Data = (void *)&tvar;
+ var.DataSize = sizeof(tvar);
var.Attributes = EFI_VARIABLE_NON_VOLATILE
| EFI_VARIABLE_BOOTSERVICE_ACCESS
| EFI_VARIABLE_RUNTIME_ACCESS;
if (edit_protected_variable (&var) != EFI_SUCCESS) {
- fprintf (stderr, "Failed to request new SB state\n");
+ fprintf (stderr, "Failed to request new %s state\n", VarName);
goto error;
}
@@ -1156,13 +1160,13 @@ error:
static int
disable_validation()
{
- return set_validation(0);
+ return set_toggle("MokSB", 0);
}
static int
enable_validation()
{
- return set_validation(1);
+ return set_toggle("MokSB", 1);
}
static int
@@ -1195,6 +1199,18 @@ sb_state ()
}
static int
+disable_db()
+{
+ return set_toggle("MokDB", 0);
+}
+
+static int
+enable_db()
+{
+ return set_toggle("MokDB", 1);
+}
+
+static int
test_key (const char *key_file)
{
struct stat buf;
@@ -1346,6 +1362,8 @@ main (int argc, char *argv[])
{"generate-hash", optional_argument, 0, 'g'},
{"root-pw", no_argument, 0, 'P'},
{"simple-hash", no_argument, 0, 's'},
+ {"ignore-db", no_argument, 0, 0 },
+ {"use-db", no_argument, 0, 0 },
{0, 0, 0, 0}
};
@@ -1377,6 +1395,10 @@ main (int argc, char *argv[])
command |= SB_STATE;
} else if (strcmp (option, "reset") == 0) {
command |= RESET;
+ } else if (strcmp (option, "ignore-db") == 0) {
+ command |= IGNORE_DB;
+ } else if (strcmp (option, "use-db") == 0) {
+ command |= USE_DB;
}
break;
case 'd':
@@ -1523,6 +1545,12 @@ main (int argc, char *argv[])
case GENERATE_PW_HASH:
ret = generate_pw_hash (input_pw);
break;
+ case IGNORE_DB:
+ ret = disable_db ();
+ break;
+ case USE_DB:
+ ret = enable_db ();
+ break;
default:
print_help ();
break;
--
1.8.1.4
From 2cc44c8e18c48a6985265fd3173e156280d1ec59 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 15 Nov 2013 09:41:41 -0500
Subject: [PATCH 03/10] Free mok lists we've allocated in our error paths.
Coverity says they're leaking, and it's right, though I suspect we just
exit anyway.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/mokutil.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/mokutil.c b/src/mokutil.c
index 41bd8eb..566c14e 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -343,6 +343,7 @@ delete_key_from_list (void *mok, uint32_t mok_size,
ret = 1;
done:
+ free (list);
free (var.Data);
return ret;
@@ -763,6 +764,7 @@ is_duplicate (const void *cert, const uint32_t cert_size, const char *db_name,
}
done:
+ free (list);
free (var.Data);
return ret;
@@ -1037,6 +1039,7 @@ export_moks ()
ret = 0;
error:
+ free (list);
free (var.Data);
return ret;
--
1.8.1.4
From 86007043adb5bbd2dd0e206998a16783779f9bd3 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 15 Nov 2013 09:43:57 -0500
Subject: [PATCH 04/10] Don't close file descriptors < 0.
Coverity complains, though you'll just get EBADFD.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/mokutil.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 566c14e..4f9b288 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1256,7 +1256,8 @@ error:
if (key)
free (key);
- close (fd);
+ if (fd >= 0)
+ close (fd);
return ret;
}
--
1.8.1.4
From 11d68c32f35306dd475d429ba8fbc127a1c77f44 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 15 Nov 2013 09:48:32 -0500
Subject: [PATCH 05/10] Error check reading hash from file.
Coverity noticed that if read() returns error, we're doing string[-1].
We're also only reading some of the file in some cases. Replaced this
with a proper read loop.
Also we were overruning the string by one byte.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/mokutil.c | 20 +++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 4f9b288..2a5e72f 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -29,6 +29,7 @@
* version. If you delete this exception statement from all source
* files in the program, then also delete it here.
*/
+#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -567,7 +568,7 @@ static int
get_hash_from_file (const char *file, pw_crypt_t *pw_crypt)
{
char string[300];
- ssize_t read_len;
+ ssize_t read_len = 0;
int fd;
fd = open (file, O_RDONLY);
@@ -575,10 +576,23 @@ get_hash_from_file (const char *file, pw_crypt_t *pw_crypt)
fprintf (stderr, "Failed to open %s\n", file);
return -1;
}
- read_len = read (fd, string, 300);
+
+ while (read_len < 300) {
+ int rc = read (fd, string + read_len, 300 - read_len);
+ if (rc == EAGAIN)
+ continue;
+ if (rc < 0) {
+ fprintf (stderr, "Failed to read %s: %m\n", file);
+ close (fd);
+ return -1;
+ }
+ if (rc == 0)
+ break;
+ read_len += rc;
+ }
close (fd);
- if (string[read_len] != '\0') {
+ if (string[read_len-1] != '\0') {
fprintf (stderr, "corrupted string\n");
return -1;
}
--
1.8.1.4
From 97b09b346640ea74e7d51c9b59247cd75836c453 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 15 Nov 2013 10:01:35 -0500
Subject: [PATCH 06/10] Use a read/realloc loop to avoid a race condition on
stat()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Coverity says:
4. shim-0.7/mokutil-0.2.0/src/mokutil.c:1228:toctou Calling function
"open(char const *, int, ...)" that uses "key_file" after a check
function. This can cause a time-of-check, time-of-use race condition.
So with the new code we'll probably get garbage if somebody tries racing
that for some reason, but at least it'll be consistent garbage :)
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/mokutil.c | 35 ++++++++++++++++++++++++++---------
1 file changed, 26 insertions(+), 9 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 2a5e72f..f29b57d 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1227,6 +1227,30 @@ enable_db()
return set_toggle("MokDB", 1);
}
+static inline int
+read_file(int fd, char **bufp, size_t *lenptr) {
+ int alloced = 0, size = 0, i = 0;
+ char * buf = NULL;
+
+ do {
+ size += i;
+ if ((size + 1024) > alloced) {
+ alloced += 4096;
+ buf = realloc (buf, alloced + 1);
+ }
+ } while ((i = read (fd, buf + size, 1024)) > 0);
+
+ if (i < 0) {
+ free (buf);
+ return -1;
+ }
+
+ *bufp = buf;
+ *lenptr = size;
+
+ return 0;
+}
+
static int
test_key (const char *key_file)
{
@@ -1235,21 +1259,14 @@ test_key (const char *key_file)
ssize_t read_size;
int fd, ret = -1;
- if (stat (key_file, &buf) != 0) {
- fprintf (stderr, "Failed to get file status, %s\n", key_file);
- return -1;
- }
-
- key = malloc (buf.st_size);
-
fd = open (key_file, O_RDONLY);
if (fd < 0) {
fprintf (stderr, "Failed to open %s\n", key_file);
goto error;
}
- read_size = read (fd, key, buf.st_size);
- if (read_size < 0 || read_size != buf.st_size) {
+ int rc = read_file (fd, &key, &read_size);
+ if (rc < 0) {
fprintf (stderr, "Failed to read %s\n", key_file);
goto error;
}
--
1.8.1.4
From 5facb36c5320fe54d38ab081505259c962f8fadb Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 15 Nov 2013 10:04:06 -0500
Subject: [PATCH 07/10] Fix check for string termination that was actually a
NULL ptr check...
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Coverity says:
2. shim-0.7/mokutil-0.2.0/src/password-crypt.c:267:check_after_deref
Null-checking "tmp" suggests that it may be null, but it has already
been dereferenced on all paths leading to the check.
And:
2. shim-0.7/mokutil-0.2.0/src/password-crypt.c:215:check_after_deref
Null-checking "tmp" suggests that it may be null, but it has already
been dereferenced on all paths leading to the check.
But to me it looks like these were supposed to be checking for end-of-string
instead.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/password-crypt.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/password-crypt.c b/src/password-crypt.c
index 7fbc3b6..17362f1 100644
--- a/src/password-crypt.c
+++ b/src/password-crypt.c
@@ -212,7 +212,7 @@ decode_sha256_pass (const char *string, pw_crypt_t *pw_crypt)
tmp = ptr;
if (strlen (ptr) > SHA256_B64_LENGTH) {
while (*tmp != '$') {
- if (tmp == '\0')
+ if (*tmp == '\0')
return -1;
count++;
tmp++;
@@ -264,7 +264,7 @@ decode_sha512_pass (const char *string, pw_crypt_t *pw_crypt)
tmp = ptr;
if (strlen (ptr) > SHA512_B64_LENGTH) {
while (*tmp != '$') {
- if (tmp == '\0')
+ if (*tmp == '\0')
return -1;
count++;
tmp++;
--
1.8.1.4
From fcae982278ee1399d44c10a162a825589f735b54 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 15 Nov 2013 10:23:03 -0500
Subject: [PATCH 08/10] Make generate_pw_hash() somewhat cleaner.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Coverity needlessly complains:
2. shim-0.7/mokutil-0.2.0/src/mokutil.c:1322:check_after_deref
Null-checking "password" suggests that it may be null, but it has
already been dereferenced on all paths leading to the check.
While this doesn't really make any difference, the whole ret and
error-path was overkill here, so I got rid of it.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/mokutil.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index f29b57d..c6cfb29 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1312,7 +1312,7 @@ generate_pw_hash (const char *input_pw)
char *crypt_string;
const char *prefix;
int prefix_len;
- int pw_len, salt_size, ret = -1;
+ int pw_len, salt_size;
if (input_pw) {
pw_len = strlen (input_pw);
@@ -1345,19 +1345,15 @@ generate_pw_hash (const char *input_pw)
settings[DEFAULT_SALT_SIZE + prefix_len] = '\0';
crypt_string = crypt (password, settings);
+ free (password);
if (!crypt_string) {
fprintf (stderr, "Failed to generate hash\n");
- goto error;
+ return -1;
}
printf ("%s\n", crypt_string);
- ret = 0;
-error:
- if (password)
- free (password);
-
- return ret;
+ return 0;
}
int
@@ -1489,6 +1485,10 @@ main (int argc, char *argv[])
break;
case 't':
key_file = strdup (optarg);
+ if (key_file == NULL) {
+ fprintf (stderr, "Could not allocate space: %m\n");
+ exit(1);
+ }
command |= TEST_KEY;
break;
--
1.8.1.4
From ab16ba45293896bc9e649d23e20ae4e39946f219 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Mon, 25 Nov 2013 16:55:23 +0800
Subject: [PATCH 09/10] Fix warnings from gcc
---
src/mokutil.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index c6cfb29..9aa4376 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1228,9 +1228,9 @@ enable_db()
}
static inline int
-read_file(int fd, char **bufp, size_t *lenptr) {
+read_file(int fd, void **bufp, size_t *lenptr) {
int alloced = 0, size = 0, i = 0;
- char * buf = NULL;
+ void * buf = NULL;
do {
size += i;
@@ -1254,10 +1254,9 @@ read_file(int fd, char **bufp, size_t *lenptr) {
static int
test_key (const char *key_file)
{
- struct stat buf;
void *key = NULL;
- ssize_t read_size;
- int fd, ret = -1;
+ size_t read_size;
+ int fd, rc, ret = -1;
fd = open (key_file, O_RDONLY);
if (fd < 0) {
@@ -1265,7 +1264,7 @@ test_key (const char *key_file)
goto error;
}
- int rc = read_file (fd, &key, &read_size);
+ rc = read_file (fd, &key, &read_size);
if (rc < 0) {
fprintf (stderr, "Failed to read %s\n", key_file);
goto error;
--
1.8.1.4
From a1a7385419b45834a728464f36100fa1098b9741 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Mon, 25 Nov 2013 16:57:33 +0800
Subject: [PATCH 10/10] Fix the indentation
---
src/mokutil.c | 34 +++++++++++++++++-----------------
1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 9aa4376..e4e247c 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1229,26 +1229,26 @@ enable_db()
static inline int
read_file(int fd, void **bufp, size_t *lenptr) {
- int alloced = 0, size = 0, i = 0;
- void * buf = NULL;
-
- do {
- size += i;
- if ((size + 1024) > alloced) {
- alloced += 4096;
- buf = realloc (buf, alloced + 1);
- }
- } while ((i = read (fd, buf + size, 1024)) > 0);
+ int alloced = 0, size = 0, i = 0;
+ void * buf = NULL;
- if (i < 0) {
- free (buf);
- return -1;
- }
+ do {
+ size += i;
+ if ((size + 1024) > alloced) {
+ alloced += 4096;
+ buf = realloc (buf, alloced + 1);
+ }
+ } while ((i = read (fd, buf + size, 1024)) > 0);
- *bufp = buf;
- *lenptr = size;
+ if (i < 0) {
+ free (buf);
+ return -1;
+ }
+
+ *bufp = buf;
+ *lenptr = size;
- return 0;
+ return 0;
}
static int
--
1.8.1.4

View File

@ -1,3 +1,11 @@
-------------------------------------------------------------------
Thu Dec 5 02:11:40 UTC 2013 - glin@suse.com
- Add mokutil-upstream-fixes.patch to include upstream fixes for
db signature check, gcc warnings, and error handling
- Add mokutil-mokx-support.patch to support the MOK blacklist
(FATE#316531)
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Jul 25 09:13:44 UTC 2013 - glin@suse.com Thu Jul 25 09:13:44 UTC 2013 - glin@suse.com

View File

@ -24,6 +24,10 @@ License: GPL-3.0
Group: Productivity/Security Group: Productivity/Security
Url: https://github.com/lcp/mokutil Url: https://github.com/lcp/mokutil
Source: %{name}-%{version}.tar.bz2 Source: %{name}-%{version}.tar.bz2
# PATCH-FIX-UPSTREAM mokutil-upstream-fixes.patch glin@suse.com -- Include upstream fixes for db signature check, gcc warnings, error handling
Patch1: mokutil-upstream-fixes.patch
# PATCH-FIX-UPSTREAM mokutil-mokx-support.patch glin@suse.com -- Support the MOK blacklist
Patch2: mokutil-mokx-support.patch
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
BuildRequires: libopenssl-devel >= 0.9.8 BuildRequires: libopenssl-devel >= 0.9.8
@ -43,6 +47,8 @@ Authors:
%prep %prep
%setup -q %setup -q
%patch1 -p1
%patch2 -p1
%build %build
%configure %configure