Compare commits

63 Commits
master ... main

Author SHA1 Message Date
Robbie Harwood bb3aaa1ba2 Roll up to pjones's smartcard/cms fixes
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-08-31 21:06:34 +00:00
Robbie Harwood 4b458cfe9f Rebuild for python bytecode change
See-also: #2107826
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-08-02 14:34:06 +00:00
Robbie Harwood c2da1bf6da Revert "Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild"
This reverts commit f1d5690e2e.

Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-08-02 10:32:50 -04:00
Fedora Release Engineering f1d5690e2e Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2022-07-22 13:02:33 +00:00
Robbie Harwood fbf8f35ae7 Fix formatting of man pages
Resolves: #2104778
2022-07-07 21:06:42 +00:00
Robbie Harwood 3bf806fd9f Detect presence of rpm-sign when checking for rhel-ness
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-04-04 14:53:00 -04:00
Robbie Harwood 1d2597d20d Correctly handle rhel and centos macros
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-04-01 19:28:29 +00:00
Robbie Harwood c324cc0c6c Add -D_GLIBCXX_ASSERTIONS to CPPFLAGS
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-03-25 15:05:20 -04:00
Robbie Harwood b201f43f63 Add support for non-koji signing in macros
Resolves: #1880858
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-03-24 21:24:15 +00:00
Robbie Harwood bdccb8412c New upstream version (115)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-03-08 13:06:40 -05:00
Robbie Harwood 57b330e905 Disable distro build flags
No.

Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-02-14 17:44:40 -05:00
Robbie Harwood 2638a1181b Disable -fanalyzer since it's broken and pragmas don't work
See-also: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104370
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-02-14 22:29:12 +00:00
Robbie Harwood 840c1cffff Fix explicit NULL deref when daemonizing
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-02-14 21:10:49 +00:00
Robbie Harwood eb423047cd Bump efivar minimum version for clarity
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-02-09 14:35:36 -05:00
Robbie Harwood 534c97e8ed Attempt to fix signing parsing by dropping pesign_args
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-02-02 16:13:43 -05:00
Robbie Harwood ed9353e1df Fix build for 32-bit arches
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-02-01 17:38:52 -05:00
Robbie Harwood c7c4e0f825 New upstream version (114)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-02-01 14:52:18 -05:00
Fedora Release Engineering 98a054d3eb - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2022-01-21 07:08:24 +00:00
Robbie Harwood 409a7cdd41 Fix upstream URL; no code changes
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2021-12-14 13:51:22 -05:00
Robbie Harwood 3c1a1c5064 Add rpminspect configuration (no code changes)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2021-10-05 13:05:22 -04:00
Fedora Release Engineering 6816587aa8 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2021-07-23 01:25:42 +00:00
Zbigniew Jędrzejewski-Szmek 28f91e739a Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583.
2021-03-02 16:13:04 +01:00
Fedora Release Engineering 53bd735c54 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2021-01-27 06:14:58 +00:00
Tom Stellard 6f2919a23c Add BuildRequires: make
https://fedoraproject.org/wiki/Changes/Remove_make_from_BuildRoot
2021-01-08 19:09:25 +00:00
Jeff Law f7bf001e45 - Turn off -Wfree-nonheap-object 2020-11-16 12:31:41 -07:00
Peter Jones 2ee3400b3c Add the rundir related stuff that was staged on my f32 checkout.
Signed-off-by: Peter Jones <pjones@redhat.com>
2020-08-03 16:30:11 -04:00
Peter Jones e69b8ee715 Try to make kernel and fwupd both work at the same time.
Signed-off-by: Peter Jones <pjones@redhat.com>
2020-08-03 11:00:39 -04:00
Peter Jones 9dddf18b10 Try to make kernel and fwupd both work at the same time.
Signed-off-by: Peter Jones <pjones@redhat.com>
2020-07-30 22:45:37 -04:00
Fedora Release Engineering 92fa0a36af - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2020-07-28 20:31:11 +00:00
Peter Jones 885ef5ef5e I really cannot figure out why bkernel01 thinks the certificate nickname
starts with /CN=, but it does, so I'm gonna stop fighting with the sand.

Signed-off-by: Peter Jones <pjones@redhat.com>
2020-07-16 15:14:49 -04:00
Peter Jones 2cab315fd4 this one seems to work in my mock setup
Signed-off-by: Peter Jones <pjones@redhat.com>
2020-07-16 13:42:13 -04:00
Peter Jones 1f469180cd Solve the hostname problem a different way.
Signed-off-by: Peter Jones <pjones@redhat.com>
2020-07-16 12:34:10 -04:00
Peter Jones a52f86ee59 Add a dep on hostname
Signed-off-by: Peter Jones <pjones@redhat.com>
2020-07-16 12:06:08 -04:00
Peter Jones c43a6a2473 ... and fix its copy pasta syntax bug 2020-07-16 12:01:15 -04:00
Peter Jones 00ec5834e3 Make the bkernel hack even more load bearing... 2020-07-16 10:54:54 -04:00
Peter Jones 2335e6390f More kernel build debugging...
Signed-off-by: Peter Jones <pjones@redhat.com>
2020-07-16 09:59:19 -04:00
Peter Jones 658f5fea05 More kernel build debugging...
Signed-off-by: Peter Jones <pjones@redhat.com>
2020-07-07 15:24:12 -04:00
Peter Jones 1702b23026 More kernel build debugging...
Signed-off-by: Peter Jones <pjones@redhat.com>
2020-07-07 14:36:34 -04:00
Peter Jones 9dfdddd33a Disable the pesign-authorize call in posttrans, until we can figure out a
better way to deal with that in the fedora kernel builder chroot setup

Signed-off-by: Peter Jones <pjones@redhat.com>
2020-07-07 13:36:52 -04:00
Peter Jones 6a576773ff Make pesign require nss-tools for the posttrans scriptlet
Move most of macros.pesign to /usr/libexec/pesign/pesign-rpmbuild-helper

Signed-off-by: Peter Jones <pjones@redhat.com>
2020-07-07 13:05:37 -04:00
Peter Jones bad9f46443 Make pesign require nss-tools for the posttrans scriptlet
Signed-off-by: Peter Jones <pjones@redhat.com>
2020-07-07 12:59:52 -04:00
Peter Jones 50819c8ebf another test build
Signed-off-by: Peter Jones <pjones@redhat.com>
2020-07-07 10:58:54 -04:00
Peter Jones 392ac74b01 another test build
Signed-off-by: Peter Jones <pjones@redhat.com>
2020-07-07 10:58:22 -04:00
Peter Jones e29d99c4d1 another test build
Signed-off-by: Peter Jones <pjones@redhat.com>
2020-07-07 09:54:55 -04:00
Peter Jones 38e8425bf8 another test build
Signed-off-by: Peter Jones <pjones@redhat.com>
2020-07-06 18:50:33 -04:00
Peter Jones 15d1a5085d another test build
Signed-off-by: Peter Jones <pjones@redhat.com>
2020-07-06 18:34:50 -04:00
Peter Jones a74165d143 another test build
Signed-off-by: Peter Jones <pjones@redhat.com>
2020-07-06 17:32:28 -04:00
Peter Jones b61c40cec6 another test build
Signed-off-by: Peter Jones <pjones@redhat.com>
2020-07-06 16:43:27 -04:00
Peter Jones 35ff4c5da1 Fix missing file...
Signed-off-by: Peter Jones <pjones@redhat.com>
2020-07-06 14:06:07 -04:00
Peter Jones 4f2a0b0969 Attempt to fix kernel signing failures caused by -3...
Signed-off-by: Peter Jones <pjones@redhat.com>
2020-07-06 14:00:27 -04:00
Peter Jones 9b526cffa9 Fix the signer name for fedora and some other minor nits
Related: rhbz#1708773
  Related: rhbz#1678146

Signed-off-by: Peter Jones <pjones@redhat.com>
2020-06-12 11:52:32 -04:00
Peter Jones edca44f2a2 Fix a signing protocol bug we introduced in 113 that makes the fedora
kernel builders fail.
  Related: rhbz#1708773

Signed-off-by: Peter Jones <pjones@redhat.com>
2020-06-11 17:51:01 -04:00
Javier Martinez Canillas 8f36a7851d
Update to 113 release
Resolves: rhbz#1708773

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-06-11 17:54:20 +02:00
Javier Martinez Canillas 6076214ded
Switch default NSS database to SQLite format
Resolves: rhbz#1827902

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-06-08 18:07:13 +02:00
Peter Jones 9664ede71c Make sure the patch for -29 is actually in the build in f32, and
synchronize with master.

Signed-off-by: Peter Jones <pjones@redhat.com>
2020-02-24 12:48:24 -05:00
Peter Jones 6a21c3cf8a Backport a minor fix.
Signed-off-by: Peter Jones <pjones@redhat.com>
2020-02-18 17:33:22 -05:00
Peter Jones f4cb5bfd7e Rebuild to match OpenSC's token name mangling change.
Signed-off-by: Peter Jones <pjones@redhat.com>
2020-02-18 17:27:22 -05:00
Jeremy Cline e9b8bb7577 pesign: Apparently opensc got updated and the token name changed
All the kernel builds started failing yesterday because the signing
token could not be found. Update the token name in the macro shipped by
pesign.
2020-02-18 17:26:24 -05:00
Fedora Release Engineering 6666916c12 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2020-01-30 06:39:31 +00:00
Peter Jones e8c65c74be Rebuild to fix an NSS API issue.
Signed-off-by: Peter Jones <pjones@redhat.com>
2019-11-12 13:16:18 -05:00
Igor Gnatenko 6ef5e2d179
Revert "pesign fails to build from source: https://bugzilla.redhat.com/show_bug.cgi?id=1675653"
This reverts commit f45e45d127.

References: https://pagure.io/releng/issue/8618
Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
2019-08-12 17:36:50 +02:00
Fedora Release Engineering f45e45d127 pesign fails to build from source: https://bugzilla.redhat.com/show_bug.cgi?id=1675653 2019-08-08 16:17:10 +00:00
Fedora Release Engineering 9688270a8b - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2019-07-26 08:32:10 +00:00
57 changed files with 2759 additions and 2260 deletions


@ -1,72 +0,0 @@
From 33bcca8303cad962606df3bfc6a031a9b0626375 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 21 Apr 2016 10:47:34 -0400
Subject: [PATCH 01/29] cms: kill generate_integer(), it doesn't build on i686
and it's unused.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/cms_common.c | 34 ----------------------------------
src/cms_common.h | 1 -
2 files changed, 35 deletions(-)
diff --git a/src/cms_common.c b/src/cms_common.c
index b19bc62..6a4e6a7 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -641,40 +641,6 @@ generate_string(cms_context *cms, SECItem *der, char *str)
return 0;
}
-static SEC_ASN1Template IntegerTemplate[] = {
- {.kind = SEC_ASN1_INTEGER,
- .offset = 0,
- .sub = NULL,
- .size = sizeof(long),
- },
- { 0 },
-};
-
-int
-generate_integer(cms_context *cms, SECItem *der, unsigned long integer)
-{
- void *ret;
-
- uint32_t u32;
-
- SECItem input = {
- .data = (void *)&integer,
- .len = sizeof(integer),
- .type = siUnsignedInteger,
- };
-
- if (integer < 0x100000000) {
- u32 = integer & 0xffffffffUL;
- input.data = (void *)&u32;
- input.len = sizeof(u32);
- }
-
- ret = SEC_ASN1EncodeItem(cms->arena, der, &input, IntegerTemplate);
- if (ret == NULL)
- cmsreterr(-1, cms, "could not encode data");
- return 0;
-}
-
int
generate_time(cms_context *cms, SECItem *encoded, time_t when)
{
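Review bot: the commit message says generate_integer() does not build on i686 but not why. In the removed body, the test "integer < 0x100000000" compares an unsigned long with a constant that needs more than 32 bits, so on a 32-bit target it is always true, which is likely the build failure; one sentence saying so would help whoever next needs an integer encoder. The removed IntegerTemplate also declared .size = sizeof(long) while the function could hand the encoder a 4-byte u32, so a future replacement should take a fixed-width type rather than restore this code.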
diff --git a/src/cms_common.h b/src/cms_common.h
index 7d77faf..c7d7268 100644
--- a/src/cms_common.h
+++ b/src/cms_common.h
@@ -117,7 +117,6 @@ extern int generate_object_id(cms_context *ctx, SECItem *encoded,
SECOidTag tag);
extern int generate_empty_sequence(cms_context *ctx, SECItem *encoded);
extern int generate_time(cms_context *ctx, SECItem *encoded, time_t when);
-extern int generate_integer(cms_context *cms, SECItem *der, unsigned long integer);
extern int generate_string(cms_context *cms, SECItem *der, char *str);
extern int wrap_in_set(cms_context *cms, SECItem *der, SECItem **items);
extern int wrap_in_seq(cms_context *cms, SECItem *der,
--
2.13.4


@ -0,0 +1,24 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 8 Mar 2022 12:59:34 -0500
Subject: [PATCH] daemon: remove always-true comparison
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/daemon.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/daemon.c b/src/daemon.c
index 0a66deb..ff88210 100644
--- a/src/daemon.c
+++ b/src/daemon.c
@@ -221,8 +221,7 @@ malformed:
if (!ctx->cms->tokenname)
goto oom;
- if (!tp->value)
- pin = strndup((char *)tp->value, tp->size);
+ pin = strndup((char *)tp->value, tp->size);
if (!pin)
goto oom;
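Review bot: the subject calls the removed test always-true, but as written "if (!tp->value)" ran strndup() only when tp->value was null or zero, so the message should state what tp->value is (array member or pointer) and that the old branch was inverted or dead. After the change strndup() reads up to tp->size bytes from tp->value unconditionally, and no bound on tp->size is visible in this hunk; please confirm it is validated against the received message length before this point, and that tp->value cannot be a null pointer here.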


@ -1,73 +0,0 @@
From 5be0515dee24308fd7e270bf2e0fb5e5a7a78f32 Mon Sep 17 00:00:00 2001
From: Julien Cristau <jcristau@debian.org>
Date: Thu, 9 Jun 2016 14:30:37 +0200
Subject: [PATCH 02/29] Fix command line parsing
The gettext translation domain should be passed as .arg, not .descrip,
otherwise popt won't process any of the command line options (it stops
looping over the struct poptOption array when an entry has unset
longName, shortName and arg).
Signed-off-by: Julien Cristau <jcristau@debian.org>
---
src/client.c | 2 +-
src/efikeygen.c | 2 +-
src/efisiglist.c | 2 +-
src/pesigcheck.c | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/client.c b/src/client.c
index 028419f..575c873 100644
--- a/src/client.c
+++ b/src/client.c
@@ -555,7 +555,7 @@ main(int argc, char *argv[])
struct poptOption options[] = {
{.argInfo = POPT_ARG_INTL_DOMAIN,
- .descrip = "pesign" },
+ .arg = "pesign" },
{.longName = "token",
.shortName = 't',
.argInfo = POPT_ARG_STRING|POPT_ARGFLAG_SHOW_DEFAULT,
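Review bot: the same one-line fix is applied to four separate option tables (client.c, efikeygen.c, efisiglist.c, pesigcheck.c), and nothing in the patch would catch another tool that still uses .descrip for its POPT_ARG_INTL_DOMAIN entry. Since the message says popt stops walking the table at such an entry, a smoke test that runs each binary with one long option and checks that it is accepted would guard against the regression; it is also worth checking the remaining tools in src/ for the same pattern before merging.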
diff --git a/src/efikeygen.c b/src/efikeygen.c
index 6278849..8a515a5 100644
--- a/src/efikeygen.c
+++ b/src/efikeygen.c
@@ -486,7 +486,7 @@ int main(int argc, char *argv[])
poptContext optCon;
struct poptOption options[] = {
{.argInfo = POPT_ARG_INTL_DOMAIN,
- .descrip = "pesign" },
+ .arg = "pesign" },
/* global nss-ish things */
{.longName = "dbdir",
.shortName = 'd',
diff --git a/src/efisiglist.c b/src/efisiglist.c
index cd3f1ae..40d6a93 100644
--- a/src/efisiglist.c
+++ b/src/efisiglist.c
@@ -126,7 +126,7 @@ main(int argc, char *argv[])
struct poptOption options[] = {
{.argInfo = POPT_ARG_INTL_DOMAIN,
- .descrip = "pesign" },
+ .arg = "pesign" },
{.longName = "infile",
.shortName = 'i',
.argInfo = POPT_ARG_STRING,
diff --git a/src/pesigcheck.c b/src/pesigcheck.c
index 1328fe9..0d49c1a 100644
--- a/src/pesigcheck.c
+++ b/src/pesigcheck.c
@@ -214,7 +214,7 @@ main(int argc, char *argv[])
poptContext optCon;
struct poptOption options[] = {
{.argInfo = POPT_ARG_INTL_DOMAIN,
- .descrip = "pesign" },
+ .arg = "pesign" },
{.longName = "dbfile",
.shortName = 'D',
.argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_POST,
--
2.13.4


@ -0,0 +1,40 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 11 Mar 2022 12:45:28 -0500
Subject: [PATCH] make: handle some gcc -Wanalyzer flags better
This makes it so we won't use the -Wanalyzer / -fanalyzer flags by
default, because they're still pretty overzealous.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
Make.defaults | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Make.defaults b/Make.defaults
index 130c1ee..1c18904 100644
--- a/Make.defaults
+++ b/Make.defaults
@@ -32,11 +32,11 @@ CCLD := $(if $(filter undefined,$(origin CCLD)),$(CC),$(CCLD))
CFLAGS ?= -O2 -g3 -pipe -fPIE -fstack-protector-all \
-fstack-clash-protection \
$(if $(filter x86_64 ia32,$(ARCH)),-fcf-protection=full,)
-DIAGFLAGS ?= -fmessage-length=0 \
+DIAGFLAGS ?= $(call enabled,ENABLE_GCC_ANALYZER,-fmessage-length=0 \
-fdiagnostics-color=always \
-fdiagnostics-format=text \
-fdiagnostics-show-cwe \
- -fanalyzer \
+ -fanalyzer) \
$(call enabled,ENABLE_LEAK_CHECKER,-Wno-analyzer-malloc-leak,)
AS ?= $(CROSS_COMPILE)as
AR ?= $(CROSS_COMPILE)$(if $(filter $(CC),clang),llvm-ar,$(notdir $(CC))-ar)
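Review bot: in DIAGFLAGS the new $(call enabled,ENABLE_GCC_ANALYZER, ...) wraps -fmessage-length=0, -fdiagnostics-color=always, -fdiagnostics-format=text and -fdiagnostics-show-cwe as well as -fanalyzer, so default builds lose the formatting flags too, while the commit message only talks about the analyzer. If that is not intended, gate only -fanalyzer. The new call also omits the trailing empty argument that the ENABLE_LEAK_CHECKER call on the next line passes; pick one form. ENABLE_GCC_ANALYZER is not documented in this hunk, so a comment above DIAGFLAGS saying how to turn it on would help.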
@@ -59,7 +59,7 @@ endif
cflags = $(CFLAGS) $(ARCH3264) \
-Wall -Wextra -Wsign-compare -Wno-unused-result \
-Wno-unused-function -Wno-missing-field-initializers \
- -Wno-analyzer-malloc-leak \
+ $(call enabled,ENABLE_LEAK_CHECKER,-Wno-analyzer-malloc-leak,) \
-Werror -Wno-error=cpp -Wno-free-nonheap-object \
-std=gnu11 -fshort-wchar -fPIC -fno-strict-aliasing \
-D_GNU_SOURCE -DCONFIG_$(ARCH) -I${TOPDIR}/include \
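Review bot: $(call enabled,ENABLE_LEAK_CHECKER,-Wno-analyzer-malloc-leak,) reads as if switching the leak checker on adds the flag that silences the malloc-leak warning. If the enabled macro expands its second argument when the variable is set, the sense is inverted and the flag belongs in the third (else) position; if it is the other way round, a comment should say so. The same expression is already appended to DIAGFLAGS in the previous hunk, so if DIAGFLAGS reaches the compile line one of the two is redundant.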


@ -0,0 +1,664 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 11 Mar 2022 12:46:16 -0500
Subject: [PATCH] Rename "dprintf' to "dbgprintf"
stdio defines a dprintf() macro now, so using dprintf() for our debug
printer gets obnoxious warnings. This renames it to dbgprintf().
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/cms_common.c | 73 +++++++++++++++++++++++++++++------------------------
src/cms_pe_common.c | 20 +++++++--------
src/efikeygen.c | 16 ++++++------
src/file_pe.c | 6 +++--
src/password.c | 68 ++++++++++++++++++++++++-------------------------
src/pesign.c | 10 ++++----
src/util.h | 26 +++++++++----------
7 files changed, 114 insertions(+), 105 deletions(-)
diff --git a/src/cms_common.c b/src/cms_common.c
index ca37e6a..86341ca 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -333,13 +333,13 @@ void cms_set_pw_data(cms_context *cms, secuPWData *pwdata)
if (!pwdata) {
cms->pwdata.source = PW_SOURCE_INVALID;
- dprintf("pwdata:NULL");
+ dbgprintf("pwdata:NULL");
} else {
memmove(&cms->pwdata, pwdata, sizeof(*pwdata));
- dprintf("pwdata:%p", pwdata);
- dprintf("pwdata->source:%d", pwdata->source);
- dprintf("pwdata->data:%p (\"%s\")", pwdata->data,
- pwdata->data ? pwdata->data : "(null)");
+ dbgprintf("pwdata:%p", pwdata);
+ dbgprintf("pwdata->source:%d", pwdata->source);
+ dbgprintf("pwdata->data:%p (\"%s\")", pwdata->data,
+ pwdata->data ? pwdata->data : "(null)");
}
egress();
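Review bot: the renamed "pwdata->data:%p" call in cms_set_pw_data() still prints the contents of pwdata->data with %s, and for a password context that string can be the secret itself. Since every one of these lines is being touched, print only the pointer and pwdata->source here, or document in util.h (not visible in this part of the diff) that dbgprintf output carries credentials and must never be enabled on a signing host's normal logs.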
@@ -382,7 +382,7 @@ is_valid_cert(CERTCertificate *cert, void *data)
errnum = PORT_GetError();
if (errnum == SEC_ERROR_EXTENSION_NOT_FOUND) {
- dprintf("Got SEC_ERROR_EXTENSION_NOT_FOUND; clearing");
+ dbgprintf("Got SEC_ERROR_EXTENSION_NOT_FOUND; clearing");
PORT_SetError(0);
errnum = 0;
}
@@ -415,7 +415,7 @@ is_valid_cert_without_private_key(CERTCertificate *cert, void *data)
errnum = PORT_GetError();
if (errnum == SEC_ERROR_EXTENSION_NOT_FOUND) {
- dprintf("Got SEC_ERROR_EXTENSION_NOT_FOUND; clearing");
+ dbgprintf("Got SEC_ERROR_EXTENSION_NOT_FOUND; clearing");
PORT_SetError(0);
errnum = 0;
}
@@ -467,23 +467,23 @@ unescape_html_in_place(char *s)
size_t pos = 0;
char *s1;
- dprintf("unescaping pos:%zd sz:%zd \"%s\"", pos, sz, s);
+ dbgprintf("unescaping pos:%zd sz:%zd \"%s\"", pos, sz, s);
do {
s1 = strchrnul(&s[pos], '%');
if (s1[0] == '\0')
break;
- dprintf("s1 is \"%s\"", s1);
+ dbgprintf("s1 is \"%s\"", s1);
if ((size_t)(s1 - s) < (size_t)(sz - 3)) {
int c;
c = (hexchar_to_bin(s1[1]) << 4)
| (hexchar_to_bin(s1[2]) & 0xf);
- dprintf("replacing %%%c%c with 0x%02hhx", s1[1], s1[2], (char)c);
+ dbgprintf("replacing %%%c%c with 0x%02hhx", s1[1], s1[2], (char)c);
s1[0] = c;
memmove(&s1[1], &s1[3], sz - (&s1[3] - s));
sz -= 2;
pos = &s1[1] - s;
- dprintf("new pos:%zd sz:%zd s:\"%s\"", pos, sz, s);
+ dbgprintf("new pos:%zd sz:%zd s:\"%s\"", pos, sz, s);
}
} while (pos < sz);
}
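Review bot: pos is declared size_t in this hunk, yet the renamed calls format it with %zd; use %zu (and for sz as well if it is unsigned) while the lines are being rewritten. Separately, the context line "(size_t)(sz - 3)" wraps to a very large value when sz is below 3, and s1[1] and s1[2] go through hexchar_to_bin() with no visible check that they are hex digits; that is outside a rename, but it deserves a follow-up patch because this function parses the token name taken from a pkcs11: URI.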
@@ -499,7 +499,7 @@ resolve_pkcs11_token_in_place(char *tokenname)
char c = *cp;
*cp = '\0';
- dprintf("ntn:\"%s\"", ntn);
+ dbgprintf("ntn:\"%s\"", ntn);
if (!strncmp(&ntn[pos], "token=", 6)) {
ntn += 6;
memmove(tokenname, ntn, cp - ntn + 1);
@@ -510,13 +510,13 @@ resolve_pkcs11_token_in_place(char *tokenname)
ntn = cp + (c ? 1 : 0);
}
unescape_html_in_place(tokenname);
- dprintf("token name is \"%s\"", tokenname);
+ dbgprintf("token name is \"%s\"", tokenname);
}
#define resolve_token_name(tn) ({ \
char *s_ = tn; \
if (!strncmp(tn, "pkcs11:", 7)) { \
- dprintf("provided token name is pkcs11 uri; parsing"); \
+ dbgprintf("provided token name is pkcs11 uri; parsing");\
s_ = strdupa(tn+7); \
resolve_pkcs11_token_in_place(s_); \
} \
@@ -528,7 +528,8 @@ unlock_nss_token(cms_context *cms)
{
char *tokenname = resolve_token_name(cms->tokenname);
- dprintf("setting password function to %s", cms->func ? "cms->func" : "SECU_GetModulePassword");
+ dbgprintf("setting password function to %s",
+ cms->func ? "cms->func" : "SECU_GetModulePassword");
PK11_SetPasswordFunc(cms->func ? cms->func : SECU_GetModulePassword);
PK11SlotList *slots = NULL;
@@ -592,7 +593,8 @@ find_certificate(cms_context *cms, int needs_private_key)
return -1;
}
- dprintf("setting password function to %s", cms->func ? "cms->func" : "SECU_GetModulePassword");
+ dbgprintf("setting password function to %s",
+ cms->func ? "cms->func" : "SECU_GetModulePassword");
PK11_SetPasswordFunc(cms->func ? cms->func : SECU_GetModulePassword);
PK11SlotList *slots = NULL;
@@ -610,10 +612,10 @@ find_certificate(cms_context *cms, int needs_private_key)
}
while (psle) {
- dprintf("looking for token \"%s\", got \"%s\"",
- tokenname, PK11_GetTokenName(psle->slot));
+ dbgprintf("looking for token \"%s\", got \"%s\"",
+ tokenname, PK11_GetTokenName(psle->slot));
if (!strcmp(tokenname, PK11_GetTokenName(psle->slot))) {
- dprintf("found token \"%s\"", tokenname);
+ dbgprintf("found token \"%s\"", tokenname);
break;
}
@@ -673,8 +675,9 @@ find_certificate(cms_context *cms, int needs_private_key)
psle->slot, is_valid_cert, &cbd);
errnum = PORT_GetError();
if (errnum)
- dprintf("PK11_TraverseCertsForNicknameInSlot():%s:%s",
- PORT_ErrorToName(errnum), PORT_ErrorToString(errnum));
+ dbgprintf("PK11_TraverseCertsForNicknameInSlot():%s:%s",
+ PORT_ErrorToName(errnum),
+ PORT_ErrorToString(errnum));
} else {
status = PK11_TraverseCertsForNicknameInSlot(&nickname,
psle->slot,
@@ -682,28 +685,30 @@ find_certificate(cms_context *cms, int needs_private_key)
&cbd);
errnum = PORT_GetError();
if (errnum)
- dprintf("PK11_TraverseCertsForNicknameInSlot():%s:%s",
- PORT_ErrorToName(errnum), PORT_ErrorToString(errnum));
+ dbgprintf("PK11_TraverseCertsForNicknameInSlot():%s:%s",
+ PORT_ErrorToName(errnum),
+ PORT_ErrorToString(errnum));
}
- dprintf("status:%d cbd.cert:%p", status, cbd.cert);
+ dbgprintf("status:%d cbd.cert:%p", status, cbd.cert);
if (status == SECSuccess && cbd.cert != NULL) {
if (cms->cert)
CERT_DestroyCertificate(cms->cert);
cms->cert = CERT_DupCertificate(cbd.cert);
} else {
errnum = PORT_GetError();
- dprintf("token traversal %s; cert %sfound:%s:%s",
- status == SECSuccess ? "succeeded" : "failed",
- cbd.cert == NULL ? "not" : "",
- PORT_ErrorToName(errnum), PORT_ErrorToString(errnum));
+ dbgprintf("token traversal %s; cert %sfound:%s:%s",
+ status == SECSuccess ? "succeeded" : "failed",
+ cbd.cert == NULL ? "not" : "",
+ PORT_ErrorToName(errnum),
+ PORT_ErrorToString(errnum));
}
save_port_err() {
- dprintf("Destroying cert list");
+ dbgprintf("Destroying cert list");
CERT_DestroyCertList(certlist);
- dprintf("Destroying slot list element");
+ dbgprintf("Destroying slot list element");
PK11_DestroySlotListElement(slots, &psle);
- dprintf("Destroying slot list");
+ dbgprintf("Destroying slot list");
PK11_FreeSlotList(slots);
cms->psle = NULL;
}
@@ -723,7 +728,8 @@ find_slot_for_token(cms_context *cms, PK11SlotInfo **slot)
char *tokenname = resolve_token_name(cms->tokenname);
- dprintf("setting password function to %s", cms->func ? "cms->func" : "SECU_GetModulePassword");
+ dbgprintf("setting password function to %s",
+ cms->func ? "cms->func" : "SECU_GetModulePassword");
PK11_SetPasswordFunc(cms->func ? cms->func : SECU_GetModulePassword);
PK11SlotList *slots = NULL;
@@ -792,7 +798,8 @@ find_certificate_by_callback(cms_context *cms,
return -1;
}
- dprintf("setting password function to %s", cms->func ? "cms->func" : "SECU_GetModulePassword");
+ dbgprintf("setting password function to %s",
+ cms->func ? "cms->func" : "SECU_GetModulePassword");
PK11_SetPasswordFunc(cms->func ? cms->func : SECU_GetModulePassword);
PK11SlotList *slots = NULL;
diff --git a/src/cms_pe_common.c b/src/cms_pe_common.c
index 3a3921b..fb90ecb 100644
--- a/src/cms_pe_common.c
+++ b/src/cms_pe_common.c
@@ -188,8 +188,8 @@ generate_digest(cms_context *cms, Pe *pe, int padded)
}
if (!check_pointer_and_size(cms, pe, hash_base, hash_size))
cmsgotoerr(error, cms, "PE header is invalid");
- dprintf("beginning of hash");
- dprintf("digesting %tx + %zx", hash_base - map, hash_size);
+ dbgprintf("beginning of hash");
+ dbgprintf("digesting %tx + %zx", hash_base - map, hash_size);
generate_digest_step(cms, hash_base, hash_size);
/* 5. Skip over the image checksum
@@ -209,7 +209,7 @@ generate_digest(cms_context *cms, Pe *pe, int padded)
cmsgotoerr(error, cms, "PE data directory is invalid");
generate_digest_step(cms, hash_base, hash_size);
- dprintf("digesting %tx + %zx", hash_base - map, hash_size);
+ dbgprintf("digesting %tx + %zx", hash_base - map, hash_size);
/* 8. Skip over the crt dir
* 9. Hash everything up to the end of the image header. */
@@ -222,7 +222,7 @@ generate_digest(cms_context *cms, Pe *pe, int padded)
cmsgotoerr(error, cms, "PE relocations table is invalid");
generate_digest_step(cms, hash_base, hash_size);
- dprintf("digesting %tx + %zx", hash_base - map, hash_size);
+ dbgprintf("digesting %tx + %zx", hash_base - map, hash_size);
/* 10. Set SUM_OF_BYTES_HASHED to the size of the header. */
hashed_bytes = pe32opthdr ? pe32opthdr->header_size
@@ -256,16 +256,16 @@ generate_digest(cms_context *cms, Pe *pe, int padded)
char *name = shdrs[i].name;
if (name && name[0] == '/')
name = get_str(cms, pe, name + 1);
- dprintf("section:\"%s\"", name ? name : "(null)");
+ dbgprintf("section:\"%s\"", name ? name : "(null)");
if (name && !strcmp(name, ".vendor_cert")) {
- dprintf("skipping .vendor_cert section");
+ dbgprintf("skipping .vendor_cert section");
hashed_bytes += hash_size;
continue;
}
}
generate_digest_step(cms, hash_base, hash_size);
- dprintf("digesting %tx + %zx", hash_base - map, hash_size);
+ dbgprintf("digesting %tx + %zx", hash_base - map, hash_size);
hashed_bytes += hash_size;
}
@@ -285,15 +285,15 @@ generate_digest(cms_context *cms, Pe *pe, int padded)
memset(tmp_array, '\0', tmp_size);
memcpy(tmp_array, hash_base, hash_size);
generate_digest_step(cms, tmp_array, tmp_size);
- dprintf("digesting %tx + %zx", (ptrdiff_t)tmp_array,
+ dbgprintf("digesting %tx + %zx", (ptrdiff_t)tmp_array,
tmp_size);
} else {
generate_digest_step(cms, hash_base, hash_size);
- dprintf("digesting %tx + %zx", hash_base - map,
+ dbgprintf("digesting %tx + %zx", hash_base - map,
hash_size);
}
}
- dprintf("end of hash");
+ dbgprintf("end of hash");
rc = generate_digest_finish(cms);
if (rc < 0)
diff --git a/src/efikeygen.c b/src/efikeygen.c
index 940fdf5..dd40502 100644
--- a/src/efikeygen.c
+++ b/src/efikeygen.c
@@ -1067,9 +1067,9 @@ int main(int argc, char *argv[])
errno = 0;
timeul = strtoul(not_valid_before, &endptr, 0);
- dprintf("not_valid_before:%lu", timeul);
+ dbgprintf("not_valid_before:%lu", timeul);
if (errno == 0 && endptr && *endptr == 0) {
- dprintf("not_valid_before:%lu", timeul);
+ dbgprintf("not_valid_before:%lu", timeul);
not_before = (PRTime)timeul * PR_USEC_PER_SEC;
} else {
prstatus = PR_ParseTimeString(not_valid_before,
@@ -1078,7 +1078,7 @@ int main(int argc, char *argv[])
"could not parse date \"%s\"",
not_valid_before);
}
- dprintf("not_before:%"PRId64, not_before);
+ dbgprintf("not_before:%"PRId64, not_before);
}
if (not_valid_after) {
@@ -1086,11 +1086,11 @@ int main(int argc, char *argv[])
char *endptr;
errno = 0;
- dprintf("not_valid_after:%s", not_valid_after);
+ dbgprintf("not_valid_after:%s", not_valid_after);
timeul = strtoul(not_valid_after, &endptr, 0);
- dprintf("not_valid_after:%lu", timeul);
+ dbgprintf("not_valid_after:%lu", timeul);
if (errno == 0 && endptr && *endptr == 0) {
- dprintf("not_valid_after:%lu", timeul);
+ dbgprintf("not_valid_after:%lu", timeul);
not_after = (PRTime)timeul * PR_USEC_PER_SEC;
} else {
prstatus = PR_ParseTimeString(not_valid_after, PR_TRUE,
@@ -1102,10 +1102,10 @@ int main(int argc, char *argv[])
} else {
// Mon Jan 19 03:14:07 GMT 2037, aka 0x7fffffff minus 1 year.
time_t time = 0x7ffffffful - 60ul * 60 * 24 * 365;
- dprintf("not_valid_after:%lu", time);
+ dbgprintf("not_valid_after:%lu", time);
not_after = (PRTime)time * PR_USEC_PER_SEC;
}
- dprintf("not_after:%"PRId64, not_after);
+ dbgprintf("not_after:%"PRId64, not_after);
CERTValidity *validity = NULL;
validity = CERT_CreateValidity(not_before, not_after);
diff --git a/src/file_pe.c b/src/file_pe.c
index fa97b89..fed6edb 100644
--- a/src/file_pe.c
+++ b/src/file_pe.c
@@ -264,7 +264,8 @@ pe_handle_action(pesign_context *ctxp, int action, int padding)
/* generate a signature and save it in a separate file */
case EXPORT_SIGNATURE|GENERATE_SIGNATURE:
perr = PORT_GetError();
- dprintf("PORT_GetError():%s:%s", PORT_ErrorToName(perr), PORT_ErrorToString(perr));
+ dbgprintf("PORT_GetError():%s:%s",
+ PORT_ErrorToName(perr), PORT_ErrorToString(perr));
PORT_SetError(0);
rc = find_certificate(ctxp->cms_ctx, 1);
conderrx(rc < 0, 1, "Could not find certificate %s",
@@ -281,7 +282,8 @@ pe_handle_action(pesign_context *ctxp, int action, int padding)
case IMPORT_SIGNATURE|GENERATE_SIGNATURE:
check_inputs(ctxp);
perr = PORT_GetError();
- dprintf("PORT_GetError():%s:%s", PORT_ErrorToName(perr), PORT_ErrorToString(perr));
+ dbgprintf("PORT_GetError():%s:%s",
+ PORT_ErrorToName(perr), PORT_ErrorToString(perr));
rc = find_certificate(ctxp->cms_ctx, 1);
conderrx(rc < 0, 1, "Could not find certificate %s",
ctxp->cms_ctx->certname);
diff --git a/src/password.c b/src/password.c
index 05add9a..18c32ed 100644
--- a/src/password.c
+++ b/src/password.c
@@ -167,7 +167,7 @@ SECU_GetPasswordString(void *arg UNUSED, char *prompt)
char *ret;
ingress();
ret = get_password(stdin, stdout, prompt, NULL);
- dprintf("password:\"%s\"", ret ? ret : "(null)");
+ dbgprintf("password:\"%s\"", ret ? ret : "(null)");
egress();
return ret;
}
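Review bot: SECU_GetPasswordString() still sends the password it just read from the prompt to the debug printer in clear text ("password:" followed by ret). Replace the value with a presence indicator such as the length or "(set)" rather than carrying this line over under the new name.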
@@ -194,7 +194,7 @@ parse_pwfile_line(char *start, struct token_pass *tp)
size_t offset = 0;
span = strspn(line, whitespace_and_eol_chars);
- dprintf("whitespace span is %zd", span);
+ dbgprintf("whitespace span is %zd", span);
if (span == 0 && line[span] == '\0')
return -1;
line += span;
@@ -210,17 +210,17 @@ parse_pwfile_line(char *start, struct token_pass *tp)
offset += escspan + 2;
} while(escspan < span);
span += offset;
- dprintf("non-whitespace span is %zd", span);
+ dbgprintf("non-whitespace span is %zd", span);
if (line[span] == '\0') {
- dprintf("returning %td", (line + span) - start);
+ dbgprintf("returning %td", (line + span) - start);
return (line + span) - start;
}
line[span] = '\0';
line += span + 1;
span = strspn(line, whitespace_and_eol_chars);
- dprintf("whitespace span is %zd", span);
+ dbgprintf("whitespace span is %zd", span);
line += span;
tp->token = tp->pass;
tp->pass = line;
@@ -233,15 +233,15 @@ parse_pwfile_line(char *start, struct token_pass *tp)
offset += escspan + 2;
} while(escspan < span);
span += offset;
- dprintf("non-whitespace span is %zd", span);
+ dbgprintf("non-whitespace span is %zd", span);
if (line[span] != '\0')
line[span++] = '\0';
resolve_escapes(tp->token);
- dprintf("Setting token pass %p to { %p, %p }", tp, tp->token, tp->pass);
- dprintf("token:\"%s\"", tp->token);
- dprintf("pass:\"%s\"", tp->pass);
- dprintf("returning %td", (line + span) - start);
+ dbgprintf("Setting token pass %p to { %p, %p }", tp, tp->token, tp->pass);
+ dbgprintf("token:\"%s\"", tp->token);
+ dbgprintf("pass:\"%s\"", tp->pass);
+ dbgprintf("returning %td", (line + span) - start);
return (line + span) - start;
}
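Review bot: at the end of parse_pwfile_line() the "token:" line is harmless, but the "pass:" line prints tp->pass, the passphrase just parsed from the password file. Drop that one call or print only whether tp->pass is non-empty; the pointer values in the "Setting token pass" line are enough to debug the parser.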
@@ -260,7 +260,7 @@ SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg)
char *path;
ingress();
- dprintf("token_name: %s", token_name);
+ dbgprintf("token_name: %s", token_name);
if (cms->pwdata.source != PW_FROMFILEDB) {
cms->log(cms, LOG_ERR,
"Got to %s() but no file is specified.\n",
@@ -289,8 +289,8 @@ SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg)
if (rc < 0 || file_len < 1)
goto err_file;
file[file_len-1] = '\0';
- dprintf("file_len:%zd", file_len);
- dprintf("file:\"%s\"", file);
+ dbgprintf("file_len:%zd", file_len);
+ dbgprintf("file:\"%s\"", file);
unbreak_line_continuations(file, file_len);
}
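Review bot: `dbgprintf("file:\"%s\"", file)` dumps the entire password file into the debug output right after it is read, so every token/passphrase pair in the file is exposed, not only the one being looked up. Drop the content print and keep the `file_len` line, which is enough to debug the read path.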
@@ -314,23 +314,23 @@ SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg)
#pragma GCC diagnostic pop
span = strspn(start, whitespace_and_eol_chars);
- dprintf("whitespace span is %zd", span);
+ dbgprintf("whitespace span is %zd", span);
start += span;
span = strcspn(start, eol_chars);
- dprintf("non-whitespace span is %zd", span);
+ dbgprintf("non-whitespace span is %zd", span);
c = start[span];
start[span] = '\0';
- dprintf("file:\"%s\"", file);
+ dbgprintf("file:\"%s\"", file);
rc = parse_pwfile_line(start, &phrases[nphrases++]);
- dprintf("parse_pwfile_line returned %d", rc);
+ dbgprintf("parse_pwfile_line returned %d", rc);
if (rc < 0)
goto err_phrases;
if (c != '\0')
span++;
start += span;
- dprintf("start is file[%td] == '\\x%02hhx'", start - file,
+ dbgprintf("start is file[%td] == '\\x%02hhx'", start - file,
start[0]);
}
@@ -359,7 +359,7 @@ err_file:
err_phrases:
xfree(phrases);
err:
- dprintf("ret:\"%s\"", ret ? ret : "(null)");
+ dbgprintf("ret:\"%s\"", ret ? ret : "(null)");
egress();
return ret;
}
@@ -412,10 +412,10 @@ SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg)
ingress();
if (PK11_ProtectedAuthenticationPath(slot)) {
- dprintf("prompting for PW_DEVICE data");
+ dbgprintf("prompting for PW_DEVICE data");
pwdata = &pwxtrn;
} else {
- dprintf("using pwdata from cms");
+ dbgprintf("using pwdata from cms");
pwdata = &cms->pwdata;
}
@@ -423,17 +423,17 @@ SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg)
pwdata->source >= PW_SOURCE_MAX ||
pwdata->orig_source <= PW_SOURCE_INVALID ||
pwdata->orig_source >= PW_SOURCE_MAX) {
- dprintf("pwdata is invalid");
+ dbgprintf("pwdata is invalid");
return NULL;
}
- dprintf("pwdata:%p retry:%d", pwdata, retry);
- dprintf("pwdata->source:%s (%d) orig:%s (%d)",
- pw_source_names[pwdata->source], pwdata->source,
- pw_source_names[pwdata->orig_source], pwdata->orig_source);
- dprintf("pwdata->data:%p (\"%s\")", pwdata->data,
- pwdata->data ? pwdata->data : "(null)");
- dprintf("pwdata->intdata:%ld", pwdata->intdata);
+ dbgprintf("pwdata:%p retry:%d", pwdata, retry);
+ dbgprintf("pwdata->source:%s (%d) orig:%s (%d)",
+ pw_source_names[pwdata->source], pwdata->source,
+ pw_source_names[pwdata->orig_source], pwdata->orig_source);
+ dbgprintf("pwdata->data:%p (\"%s\")", pwdata->data,
+ pwdata->data ? pwdata->data : "(null)");
+ dbgprintf("pwdata->intdata:%ld", pwdata->intdata);
if (retry) {
warnx("Incorrect password/PIN entered.");
@@ -470,7 +470,7 @@ SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg)
case PW_FROMFILEDB:
case PW_DATABASE:
- dprintf("pwdata->source:%s", pw_source_names[pwdata->source]);
+ dbgprintf("pwdata->source:%s", pw_source_names[pwdata->source]);
/* Instead of opening and closing the file every time, get the pw
* once, then keep it in memory (duh).
*/
@@ -480,17 +480,17 @@ SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg)
return pw;
case PW_FROMENV:
- dprintf("pwdata->source:PW_FROMENV");
+ dbgprintf("pwdata->source:PW_FROMENV");
if (!pwdata || !pwdata->data)
break;
pw = get_env(pwdata->data);
- dprintf("env:%s pw:%s", pwdata->data, pw ? pw : "(null)");
+ dbgprintf("env:%s pw:%s", pwdata->data, pw ? pw : "(null)");
pwdata->data = pw;
pwdata->source = PW_PLAINTEXT;
goto PW_PLAINTEXT;
case PW_FROMFILE:
- dprintf("pwdata->source:PW_FROMFILE");
+ dbgprintf("pwdata->source:PW_FROMFILE");
in = fopen(pwdata->data, "r");
if (!in)
return NULL;
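Review bot: in the PW_FROMENV case, `dbgprintf("env:%s pw:%s", ...)` prints the value returned by get_env(), which is the password itself. The variable name is enough for debugging; print whether pw is NULL instead of its content.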
@@ -501,7 +501,7 @@ SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg)
goto PW_PLAINTEXT;
case PW_FROMFD:
- dprintf("pwdata->source:PW_FROMFD");
+ dbgprintf("pwdata->source:PW_FROMFD");
rc = pwdata->intdata;
in = fdopen(pwdata->intdata, "r");
if (!in)
diff --git a/src/pesign.c b/src/pesign.c
index c2ff35f..f548d81 100644
--- a/src/pesign.c
+++ b/src/pesign.c
@@ -333,7 +333,7 @@ main(int argc, char *argv[])
while ((rc = poptGetNextOpt(optCon)) > 0) {
switch (rc) {
case POPT_RET_PWDB:
- dprintf("POPT_RET_PWDB:\"%s\"", pwdata.data ? pwdata.data : "(null)");
+ dbgprintf("POPT_RET_PWDB:\"%s\"", pwdata.data ? pwdata.data : "(null)");
if (pwdata.source != PW_SOURCE_INVALID)
errx(1, "only one password/pin method can be used at a time");
if (pwdata.data == NULL)
@@ -346,7 +346,7 @@ main(int argc, char *argv[])
continue;
case POPT_RET_ENV:
- dprintf("POPT_RET_ENV:\"%s\"", pwdata.data ? pwdata.data : "(null)");
+ dbgprintf("POPT_RET_ENV:\"%s\"", pwdata.data ? pwdata.data : "(null)");
if (pwdata.source != PW_SOURCE_INVALID)
errx(1, "only one password/pin method can be used at a time");
if (pwdata.data == NULL)
@@ -359,7 +359,7 @@ main(int argc, char *argv[])
continue;
case POPT_RET_PINFD:
- dprintf("POPT_RET_PINFD:\"%s\"", pwdata.data ? pwdata.data : "(null)");
+ dbgprintf("POPT_RET_PINFD:\"%s\"", pwdata.data ? pwdata.data : "(null)");
if (pwdata.source != PW_SOURCE_INVALID)
errx(1, "only one password/pin method can be used at a time");
if (pwdata.data == NULL)
@@ -373,7 +373,7 @@ main(int argc, char *argv[])
continue;
case POPT_RET_PINFILE:
- dprintf("POPT_RET_PINFILE:\"%s\"", pwdata.data ? pwdata.data : "(null)");
+ dbgprintf("POPT_RET_PINFILE:\"%s\"", pwdata.data ? pwdata.data : "(null)");
if (pwdata.source != PW_SOURCE_INVALID)
errx(1, "only one password/pin method can be used at a time");
if (pwdata.data == NULL)
@@ -387,7 +387,7 @@ main(int argc, char *argv[])
}
}
- dprintf("pwdata.source:%d %schecking for PESIGN_TOKEN_PIN",
+ dbgprintf("pwdata.source:%d %schecking for PESIGN_TOKEN_PIN",
pwdata.source,
pwdata.source == PW_SOURCE_INVALID ? "" : "not ");
if (pwdata.source == PW_SOURCE_INVALID && secure_getenv("PESIGN_TOKEN_PIN")) {
diff --git a/src/util.h b/src/util.h
index ba8c621..6616011 100644
--- a/src/util.h
+++ b/src/util.h
@@ -269,28 +269,28 @@ proxy_fd_mode(int fd, char *infile, mode_t *outmode, size_t *inlength)
extern long verbosity(void);
-#define dprintf_(tv, file, func, line, fmt, args...) ({ \
- struct timeval tv; \
- gettimeofday(&tv, NULL); \
- warnx("%ld.%lu %s:%s():%d: " fmt, \
- tv.tv_sec, tv.tv_usec, \
- file, func, line, ##args); \
+#define dbgprintf_(tv, file, func, line, fmt, args...) ({ \
+ struct timeval tv; \
+ gettimeofday(&tv, NULL); \
+ warnx("%ld.%lu %s:%s():%d: " fmt, \
+ tv.tv_sec, tv.tv_usec, \
+ file, func, line, ##args); \
})
#if defined(PESIGN_DEBUG)
-#define dprintf(fmt, args...) \
- dprintf_(CAT(CAT(CAT(tv_,__COUNTER__),__LINE__),_), \
- __FILE__, __func__, __LINE__ - 2, fmt, ##args)
+#define dbgprintf(fmt, args...) \
+ dbgprintf_(CAT(CAT(CAT(tv_,__COUNTER__),__LINE__),_), \
+ __FILE__, __func__, __LINE__ - 2, fmt, ##args)
#else
-#define dprintf(fmt, args...) ({ \
+#define dbgprintf(fmt, args...) ({ \
if (verbosity() > 1) \
- dprintf_(CAT(CAT(CAT(tv_,__COUNTER__),__LINE__),_), \
+ dbgprintf_(CAT(CAT(CAT(tv_,__COUNTER__),__LINE__),_), \
__FILE__, __func__, __LINE__ - 3, \
fmt, ##args); \
0; \
})
#endif
-#define ingress() dprintf("ingress");
-#define egress() dprintf("egress");
+#define ingress() dbgprintf("ingress");
+#define egress() dbgprintf("egress");
#endif /* PESIGN_UTIL_H */
// vim:fenc=utf-8:tw=75:noet
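Review bot: `ingress()` and `egress()` are defined with a trailing semicolon, so a call site written `ingress();` expands to two statements and will misbehave as the body of an unbraced if/else; drop the semicolon from the macro bodies. Two smaller points on dbgprintf_(): the format `%ld.%lu` prints tv_usec without zero padding, so 5 microseconds renders as ".5" rather than ".000005" (use `%06ld`), and the hand-tuned `__LINE__ - 2` / `__LINE__ - 3` offsets need a comment saying what they compensate for. Because every password-handling debug line in this diff goes through these macros, a comment here stating that secrets must not be passed to dbgprintf() would also help.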

@ -1,26 +0,0 @@
From 6de291458cbab99bcc317e282c16e1523d6de9b8 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 10 Aug 2016 17:12:39 -0400
Subject: [PATCH 03/29] gcc: don't error on stuff in includes.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
Make.defaults | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Make.defaults b/Make.defaults
index c97b452..3511080 100644
--- a/Make.defaults
+++ b/Make.defaults
@@ -19,7 +19,7 @@ PKG_CONFIG = $(CROSS_COMPILE)pkg-config
CC := $(if $(filter default,$(origin CC)),$(CROSS_COMPILE)gcc,$(CC))
CCLD := $(if $(filter undefined,$(origin CCLD)),$(CC),$(CCLD))
CFLAGS ?= -O0 -g3 -fvar-tracking -fvar-tracking-assignments \
- -Wall -Werror -Wextra
+ -Wall -Werror -Wextra -Wno-error=cpp
AS := $(CROSS_COMPILE)as
AR := $(CROSS_COMPILE)gcc-ar
RANLIB := $(CROSS_COMPILE)gcc-ranlib
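Review bot: `-Wno-error=cpp` on the CFLAGS line is broader than the subject "don't error on stuff in includes" suggests: it makes every #warning directive non-fatal, including ones in the project's own sources, not only those coming from included headers. If only third-party headers are the problem, pulling them in with -isystem keeps -Werror effective for local code; otherwise say in the commit message that all #warning directives are now non-fatal.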
--
2.13.4

@ -0,0 +1,30 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 11 Mar 2022 12:47:20 -0500
Subject: [PATCH] .gitignore: add compile_commands.json and .cache/
These are used by bear/cnc/clangd/etc, but there's no reason to trip
over them all the time.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
.gitignore | 2 ++
1 file changed, 2 insertions(+)
diff --git a/.gitignore b/.gitignore
index bf0617b..7425432 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
+.cache/
.*.d
.*.P
.*.sw?
@@ -26,6 +27,7 @@
/*.rpm
*-8be4df61-93ca-11d2-aa0d-00e098032b8c
*-d719b2cb-3d3a-4596-a3bc-dad00e67656f
+compile_commands.json
core.*
cov-int/
pwfile

@ -1,39 +0,0 @@
From b20fc54c08e8afe1365e56cacade3ec39984da8d Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 18 Apr 2017 19:00:34 -0400
Subject: [PATCH 04/29] Fix "certficate" argument name.
This fixes our typoed argument name by making the incorrectly spelled
version be a popt alias, and fixing the real implementation to be
spelled right in pesign.c .
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign.c | 2 +-
src/pesign.popt | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/pesign.c b/src/pesign.c
index af374b6..279a17a 100644
--- a/src/pesign.c
+++ b/src/pesign.c
@@ -438,7 +438,7 @@ main(int argc, char *argv[])
.arg = &ctxp->outfile,
.descrip = "specify output file",
.argDescrip = "<outfile>" },
- {.longName = "certficate",
+ {.longName = "certificate",
.shortName = 'c',
.argInfo = POPT_ARG_STRING,
.arg = &certname,
diff --git a/src/pesign.popt b/src/pesign.popt
index 7b3385d..5a97748 100644
--- a/src/pesign.popt
+++ b/src/pesign.popt
@@ -1,2 +1,3 @@
pesign alias --cert --certificate
+pesign alias --certficate --certificate
pesign alias --daemon --daemonize
--
2.13.4

@ -1,26 +0,0 @@
From 7bc8e8b04c74be5c4e0ebf211affc37cf9f5db37 Mon Sep 17 00:00:00 2001
From: Julien Cristau <jcristau@debian.org>
Date: Mon, 27 Jun 2016 15:38:38 +0200
Subject: [PATCH 05/29] Fix description of --ascii-armor option in manpage
The --ascii option does not exist.
---
src/pesign.1 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pesign.1 b/src/pesign.1
index 47d1aec..29ae060 100644
--- a/src/pesign.1
+++ b/src/pesign.1
@@ -81,7 +81,7 @@ Export the public key specified by \-\-certificate to \fIoutkey\fR
Export the certificate specified by \-\-certificate to \fIoutcert\fR
.TP
-\fB-\-ascii\fR
+\fB-\-ascii\-armor\fR
Use ascii armoring on exported certificates.
.TP
--
2.13.4

@ -0,0 +1,31 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 11 Mar 2022 12:44:46 -0500
Subject: [PATCH] pesign: print digests before filenames like sha256sum does
Most digest tools print the digest before the filename, there's no
reason pesign needs to be different.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/file_pe.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/file_pe.c b/src/file_pe.c
index fed6edb..805e614 100644
--- a/src/file_pe.c
+++ b/src/file_pe.c
@@ -121,12 +121,11 @@ print_digest(pesign_context *pctx)
if (!ctx)
return;
- printf("%s ", pctx->infile);
int j = ctx->selected_digest;
for (unsigned int i = 0; i < ctx->digests[j].pe_digest->len; i++)
printf("%02x",
(unsigned char)ctx->digests[j].pe_digest->data[i]);
- printf("\n");
+ printf(" %s\n", pctx->infile);
}
void
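Review bot: moving the filename after the digest in print_digest() changes output that existing scripts may parse, and the commit message does not mention the compatibility break; call it out in the release notes. The filename is also printed as-is, so a name containing a newline yields output that cannot be split back into records reliably, which matters if the list is later fed to a comparison or allow-listing step.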

@ -0,0 +1,318 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 11 Mar 2022 12:54:39 -0500
Subject: [PATCH] Add 'pesum', an authenticode digest generator.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesum.c | 195 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
src/.gitignore | 1 +
src/Makefile | 12 +++-
src/pesum.1.mdoc | 38 +++++++++++
4 files changed, 244 insertions(+), 2 deletions(-)
create mode 100644 src/pesum.c
create mode 100644 src/pesum.1.mdoc
diff --git a/src/pesum.c b/src/pesum.c
new file mode 100644
index 0000000..e4ddaf8
--- /dev/null
+++ b/src/pesum.c
@@ -0,0 +1,195 @@
+// SPDX-License-Identifier: GPLv2
+/*
+ * pesum.c - pesum command line tool
+ * Copyright Peter Jones <pjones@redhat.com>
+ */
+
+#include "fix_coverity.h"
+
+#include <err.h>
+#include <popt.h>
+
+#include <nss.h>
+#include <prerror.h>
+
+#include "pesign.h"
+#include "pesign_standalone.h"
+
+static struct {
+ int flag;
+ const char *name;
+} flag_names[] = {
+ {DAEMONIZE, "daemonize"},
+ {GENERATE_DIGEST, "hash"},
+ {GENERATE_SIGNATURE, "sign"},
+ {IMPORT_RAW_SIGNATURE, "import-raw-sig"},
+ {IMPORT_SIGNATURE, "import-sig"},
+ {IMPORT_SATTRS, "import-sattrs" },
+ {EXPORT_SATTRS, "export-sattrs" },
+ {EXPORT_SIGNATURE, "export-sig"},
+ {EXPORT_PUBKEY, "export-pubkey"},
+ {EXPORT_CERT, "export-cert"},
+ {REMOVE_SIGNATURE, "remove"},
+ {LIST_SIGNATURES, "list"},
+ {FLAG_LIST_END, NULL},
+};
+
+void
+print_flag_name(FILE *f, int flag)
+{
+ for (int i = 0; flag_names[i].flag != FLAG_LIST_END; i++) {
+ if (flag_names[i].flag == flag)
+ fprintf(f, "%s ", flag_names[i].name);
+ }
+}
+
+static long *verbose;
+
+long
+verbosity(void)
+{
+ if (!verbose)
+ return 0;
+ return *verbose;
+}
+
+int
+main(int argc, char *argv[])
+{
+ int rc;
+ SECStatus status;
+
+ char *digest_name = "sha256";
+ char *orig_digest_name = digest_name;
+ int padding = 1;
+ long verbose_cmd_line = 0;
+ const char *infile;
+
+ int action = GENERATE_DIGEST|PRINT_DIGEST;
+ file_format fmt = FORMAT_PE_BINARY;
+
+ setenv("NSS_DEFAULT_DB_TYPE", "sql", 0);
+
+ verbose = &verbose_cmd_line;
+
+ poptContext optCon;
+ struct poptOption options[] = {
+ {.argInfo = POPT_ARG_INTL_DOMAIN,
+ .arg = "pesum" },
+ {.longName = "verbose",
+ .shortName = 'v',
+ .argInfo = POPT_ARG_VAL|POPT_ARG_LONG|POPT_ARGFLAG_OPTIONAL,
+ .arg = &verbose_cmd_line,
+ .val = 1,
+ .descrip = "be more verbose" },
+ {.longName = "debug",
+ .shortName = '\0',
+ .argInfo = POPT_ARG_VAL|POPT_ARG_LONG|POPT_ARGFLAG_OPTIONAL,
+ .arg = &verbose_cmd_line,
+ .val = 2,
+ .descrip = "be very verbose" },
+ {.longName = "digest-type",
+ .shortName = 'd',
+ .argInfo = POPT_ARG_STRING|POPT_ARGFLAG_SHOW_DEFAULT,
+ .arg = &digest_name,
+ .descrip = "digest type to use for pe hash" },
+ {.longName = "digest_type",
+ .shortName = '\0',
+ .argInfo = POPT_ARG_STRING|POPT_ARGFLAG_DOC_HIDDEN,
+ .arg = &digest_name,
+ .descrip = "digest type to use for pe hash" },
+ {.longName = "padding",
+ .shortName = 'P',
+ .argInfo = POPT_ARG_VAL,
+ .arg = &padding,
+ .val = 1,
+ .descrip = "pad data section (default)" },
+ {.longName = "nopadding",
+ .shortName = 'p',
+ .argInfo = POPT_ARG_VAL,
+ .arg = &padding,
+ .val = 0,
+ .descrip = "do not pad the data section" },
+ POPT_AUTOALIAS
+ POPT_AUTOHELP
+ POPT_TABLEEND
+ };
+
+ optCon = poptGetContext("pesum", argc, (const char **)argv, options,0);
+
+ rc = poptReadDefaultConfig(optCon, 0);
+ if (rc < 0 && !(rc == POPT_ERROR_ERRNO && errno == ENOENT))
+ errx(1, "poptReadDefaultConfig failed: %s", poptStrerror(rc));
+
+ while ((rc = poptGetNextOpt(optCon)) > 0) {
+ ;
+ }
+
+ if (rc < -1)
+ errx(1, "Invalid argument: %s: %s",
+ poptBadOption(optCon, 0), poptStrerror(rc));
+
+ if (!poptPeekArg(optCon))
+ errx(1, "nothing to do");
+
+ status = NSS_NoDB_Init(NULL);
+ if (status != SECSuccess)
+ errx(1, "Could not initialize nss.\n"
+ "NSS says \"%s\" errno says \"%m\"\n",
+ PORT_ErrorToString(PORT_GetError()));
+
+ while ((infile = poptGetArg(optCon)) != NULL) {
+ pesign_context *ctxp = NULL;
+
+ char *ext = strrchr(infile, '.');
+ if (ext && strcmp(ext, ".ko") == 0)
+ fmt = FORMAT_KERNEL_MODULE;
+
+ rc = pesign_context_new(&ctxp);
+ if (rc < 0)
+ err(1, "Could not initialize context");
+
+ ctxp->verbose = verbose_cmd_line;
+
+ ctxp->hash = 1;
+ ctxp->infile = strdup(infile);
+ if (!ctxp->infile)
+ err(1, "Could not allocate memory");
+
+ rc = set_digest_parameters(ctxp->cms_ctx, digest_name);
+ int is_help = strcmp(digest_name, "help") ? 0 : 1;
+ if (rc < 0) {
+ if (!is_help) {
+ fprintf(stderr, "Digest \"%s\" not found.\n",
+ digest_name);
+ }
+ exit(!is_help);
+ }
+
+ errno = 0;
+ switch (fmt) {
+ case FORMAT_PE_BINARY:
+ pe_handle_action(ctxp, action, padding);
+ break;
+ case FORMAT_KERNEL_MODULE:
+ kmod_handle_action(ctxp, action);
+ break;
+ }
+
+ pesign_context_free(ctxp);
+ }
+
+ poptFreeContext(optCon);
+
+ if (digest_name && digest_name != orig_digest_name)
+ free(digest_name);
+
+ status = NSS_Shutdown();
+ if (status != SECSuccess)
+ errx(1, "could not shut down NSS: %s",
+ PORT_ErrorToString(PORT_GetError()));
+
+ return 0;
+}
+
+// vim:fenc=utf-8:tw=75:noet
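Review bot: in main(), `fmt` is declared once outside the `while ((infile = poptGetArg(optCon)) != NULL)` loop and is only ever switched to FORMAT_KERNEL_MODULE, so after the first `.ko` argument every later file, PE binaries included, is dispatched to kmod_handle_action(). Set fmt inside the loop for each file. Also, a failing set_digest_parameters() calls exit() from inside the loop without pesign_context_free() or NSS_Shutdown(); validate the digest name once before the loop. flag_names and print_flag_name() are not referenced by anything in this file, so drop them unless another object linked into pesum needs them.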
diff --git a/src/.gitignore b/src/.gitignore
index 64ce217..f8f6d66 100644
--- a/src/.gitignore
+++ b/src/.gitignore
@@ -5,6 +5,7 @@ client
efikeygen
efidbtool
pesigcheck
+pesum
peverify
pesign.service
pesign.sysvinit
diff --git a/src/Makefile b/src/Makefile
index 7010514..79cf09e 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -6,7 +6,7 @@ include $(TOPDIR)/Make.rules
include $(TOPDIR)/Make.defaults
BINTARGETS=authvar client efikeygen pesigcheck pesign \
- pesign-rpmbuild-helper pesign-authorize
+ pesign-rpmbuild-helper pesign-authorize pesum
CFGTARGETS=tmpfiles.conf
SVCTARGETS=pesign.sysvinit pesign.service
MAN1TARGETS=authvar.1 efikeygen.1 pesigcheck.1 pesign-client.1 pesign.1
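Review bot: BINTARGETS gains pesum, but the unchanged MAN1TARGETS line still lists only authvar.1, efikeygen.1, pesigcheck.1, pesign-client.1 and pesign.1, while this patch adds src/pesum.1.mdoc. Unless the mdoc page is picked up by a rule outside this diff, the new manual is never built or installed; add pesum.1 here.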
@@ -29,9 +29,12 @@ EFIKEYGEN_SOURCES = efikeygen.c
PESIGCHECK_SOURCES = pesigcheck.c pesigcheck_context.c certdb.c
PESIGN_SOURCES = pesign.c pesign_context.c actions.c daemon.c \
file_pe.c file_kmod.c pesign_kmod.c
+PESUM_SOURCES = pesum.c pesign_context.c actions.c \
+ file_pe.c file_kmod.c pesign_kmod.c
ALL_SOURCES=$(COMMON_SOURCES) $(AUTHVAR_SORUCES) $(CLIENT_SOURCES) \
- $(EFIKEYGEN_SOURCES) $(PESIGCHECK_SOURCES) $(PESIGN_SOURCES)
+ $(EFIKEYGEN_SOURCES) $(PESIGCHECK_SOURCES) $(PESIGN_SOURCES) \
+ $(PESUM_SOURCES)
-include $(call deps-of,$(ALL_SOURCES))
authvar : $(call objects-of,$(AUTHVAR_SOURCES) $(COMMON_SOURCES))
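Review bot: the ALL_SOURCES assignment extended here still references `$(AUTHVAR_SORUCES)`, a misspelling of AUTHVAR_SOURCES (spelled correctly in the authvar rule just below), so it expands to nothing and the authvar sources are left out of dependency generation. Worth fixing while the assignment is being edited.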
@@ -53,6 +56,10 @@ pesign : $(call objects-of,$(PESIGN_SOURCES) $(COMMON_SOURCES) $(COMMON_PE_SOURC
pesign : LDLIBS+=$(TOPDIR)/libdpe/libdpe.a
pesign : PKGS=efivar nss nspr popt
+pesum : $(call objects-of,$(PESUM_SOURCES) $(COMMON_SOURCES) $(COMMON_PE_SOURCES))
+pesum : LDLIBS+=$(TOPDIR)/libdpe/libdpe.a
+pesum : PKGS=efivar nss nspr popt
+
deps : PKGS=efivar nss nspr popt uuid
deps : $(ALL_SOURCES)
$(MAKE) -f $(TOPDIR)/Make.deps \
@@ -81,6 +88,7 @@ install :
$(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir)
$(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir)
$(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir)
+ $(INSTALL) -m 755 pesum $(INSTALLROOT)$(bindir)
$(INSTALL) -m 755 client $(INSTALLROOT)$(bindir)pesign-client
$(INSTALL) -m 755 efikeygen $(INSTALLROOT)$(bindir)
$(INSTALL) -m 755 pesigcheck $(INSTALLROOT)$(bindir)
diff --git a/src/pesum.1.mdoc b/src/pesum.1.mdoc
new file mode 100644
index 0000000..edd08ce
--- /dev/null
+++ b/src/pesum.1.mdoc
@@ -0,0 +1,38 @@
+.Dd $Mdocdate: Mar 11 2022$
+.Dt PESUM 1
+.Os Linux
+.Sh NAME
+.Nm pesum
+.Nd tool for generating Authenticode digests
+.Sh SYNOPSIS
+.Nm
+.Bk -words
+.Ar file0.efi
+.Op Ar file1.efi ...
+.Sh DESCRIPTION
+.Nm
+is a command line tool to generate Authenticode digests of PE binaries.
+.Sh EXAMPLES
+.Ss Getting the Authenticode digest of some files
+host:$ \fBpesum shimx64.efi grubx64.efi\fR
+8c5806e66bb5b052ebf860e1722474269cff3dde588610df21dbe8cf12c08390\ shimx64.efi
+546a71319c22da1d81879383c4c74be06d1c374bdecfafc9fcc80bd541802bfc\ grubx64.efi
+.Sh STANDARDS
+.Rs
+.%B Portable Executable
+.%I Microsoft
+.%D August 26, 2019
+.%U https://docs.microsoft.com/en-us/windows/win32/debug/pe-format\ \&
+.Re
+
+.Rs
+.%B Windows Authenticode Portable Executable Signature Format
+.%I Microsoft
+.%D March 21, 2008
+.%U https://web.archive.org/web/20130518222430/http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx\ \&
+.Re
+.Sh SEE ALSO
+.Xr pesign 1
+.LP
+.Sh AUTHORS
+.An Peter Jones
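Review bot: the SYNOPSIS and DESCRIPTION document only file arguments, while pesum.c in this same patch accepts --digest-type/-d, --padding/-P, --nopadding/-p, --verbose/-v and --debug; add them, since the digest type and padding choice can change the value printed. The page also opens `.Bk -words` without a closing `.Ek`, and the EXAMPLES block uses raw `\fB...\fR` font escapes rather than mdoc macros.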

@ -1,22 +0,0 @@
From 9f411f4e797e983d2e8cb51dc5b9ab8db250c2e3 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 18 Apr 2017 19:05:40 -0400
Subject: [PATCH 06/29] Make --ascii work, since we documented it.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign.popt | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/pesign.popt b/src/pesign.popt
index 5a97748..5ae0c5c 100644
--- a/src/pesign.popt
+++ b/src/pesign.popt
@@ -1,3 +1,4 @@
pesign alias --cert --certificate
pesign alias --certficate --certificate
pesign alias --daemon --daemonize
+pesign alias --ascii --ascii-armor
--
2.13.4

@ -0,0 +1,54 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Julian Sikorski <belegdol+github@gmail.com>
Date: Wed, 23 Mar 2022 20:54:03 +0100
Subject: [PATCH] Fix building signed kernels on setups other than koji
Thanks to Will Springer for the idea. Details at
https://bugzilla.redhat.com/show_bug.cgi?id=1880858
Signed-off-by: Julian Sikorski <belegdol+github@gmail.com>
Suggested-by: Will Springer <skirmisher@protonmail.com>
---
src/pesign-rpmbuild-helper.in | 24 +++++++++++-------------
1 file changed, 11 insertions(+), 13 deletions(-)
diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in
index 0a845d2..c9d5570 100644
--- a/src/pesign-rpmbuild-helper.in
+++ b/src/pesign-rpmbuild-helper.in
@@ -172,24 +172,22 @@ main() {
USERNAME="${USERNAME:-$(id -un)}"
local socket="" || :
- if grep -q ID=fedora /etc/os-release \
+ if [[ -S /run/pesign/socket ]] ; then
+ socket=/run/pesign/socket
+ elif [[ -S /var/run/pesign/socket ]]; then
+ socket=/var/run/pesign/socket
+ elif grep -q ID=fedora /etc/os-release \
&& [[ "${rhelver}" -lt 7 ]] \
&& [[ "${USERNAME}" = "mockbuild" ]] \
&& [[ "${vendor}" = "Fedora Project" ]] \
&& [[ "${HOSTNAME}" =~ bkernel.* ]]
then
- if [[ -S /run/pesign/socket ]] ; then
- socket=/run/pesign/socket
- elif [[ -S /var/run/pesign/socket ]]; then
- socket=/var/run/pesign/socket
- else
- echo "Warning: no pesign socket even though user is ${USERNAME}" 1>&2
- echo "Warning: if this is a non-scratch koji build, this is wrong" 1>&2
- ls -ld /run/pesign /var/run/pesign 1>&2 ||:
- ls -l /run/pesign/socket /var/run/pesign/socket 1>&2 ||:
- getfacl /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
- getfacl -n /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
- fi
+ echo "Warning: no pesign socket even though user is ${USERNAME}" 1>&2
+ echo "Warning: if this is a non-scratch koji build, this is wrong" 1>&2
+ ls -ld /run/pesign /var/run/pesign 1>&2 ||:
+ ls -l /run/pesign/socket /var/run/pesign/socket 1>&2 ||:
+ getfacl /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
+ getfacl -n /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
fi
if [[ "${rhelver}" -ge 7 ]] ; then
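Review bot: with the socket test hoisted to the top of the chain, /run/pesign/socket is now used by any user on any host where it exists, and the Fedora/mockbuild/bkernel conditions only gate the warning. That makes the socket's ownership and ACLs the sole control over who can reach the signing daemon, and the commit message should say so explicitly. In the remaining elif, `[[ "${HOSTNAME}" =~ bkernel.* ]]` is unanchored and matches any hostname containing "bkernel"; anchor it with ^ if only the builder naming scheme is meant.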

@ -1,32 +0,0 @@
From d618de733865eab359890b4e677c368a133dad99 Mon Sep 17 00:00:00 2001
From: Pat Riehecky <riehecky@fnal.gov>
Date: Mon, 7 Nov 2016 11:37:08 -0600
Subject: [PATCH 07/29] Switch pesign client to also accept token/cert macros
rather than use hard coded values
---
src/macros.pesign | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/macros.pesign b/src/macros.pesign
index 18e5b5e..69280e9 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -41,11 +41,11 @@
--certdir ${nss} -c signer %{-o} \
rm -rf ${sattrs} ${sattrs}.sig ${nss} \
elif [ -S /var/run/pesign/socket ]; then \
- %{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\
- -c "/CN=Fedora Secure Boot Signer" \\\
+ %{_pesign_client} -t %{__pesign_token} \\\
+ -c %{__pesign_cert} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
else \
- %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\
+ %{_pesign} -t %{__pesign_token} -c %{__pesign_cert} \\\
--certdir ${_pesign_nssdir} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
fi \
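Review bot: the replaced client invocation passed quoted literals ("OpenSC Card (Fedora Signer)", "/CN=Fedora Secure Boot Signer"), but `-t %{__pesign_token}` and `-c %{__pesign_cert}` are now unquoted in a shell fragment, so a token or certificate name containing spaces or parentheses is word-split or rejected by the shell unless the macro value carries its own quotes. Either quote the expansions here or document that the macros must be defined already quoted. The else branch also changes from `%{__pesign_token}` to `-t %{__pesign_token}`, which implies the macro's expected value changed from including the flag to excluding it; existing definitions that still embed -t will now pass it twice.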
--
2.13.4

@ -0,0 +1,23 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 25 Mar 2022 15:01:54 -0400
Subject: [PATCH] Add -D_GLIBCXX_ASSERTIONS to CPPFLAGS
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
Make.defaults | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Make.defaults b/Make.defaults
index 1c18904..05aadd0 100644
--- a/Make.defaults
+++ b/Make.defaults
@@ -79,7 +79,7 @@ ccldflags = $(cflags) $(CCLDFLAGS) $(LDFLAGS) \
$(call pkg-config-ccldflags)
efi_cflags = $(cflags)
ASFLAGS ?= $(ARCH3264)
-CPPFLAGS ?= -D_FORTIFY_SOURCE=2
+CPPFLAGS ?= -D_FORTIFY_SOURCE=2 -D_GLIBCXX_ASSERTIONS
RANLIBFLAGS ?= $(if $(filter $(CC),gcc),-D)
ARFLAGS ?= $(if $(filter $(CC),gcc),-Dcvqs)$(if $(filter $(CC),clang),-cqvs)
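Review bot: `-D_GLIBCXX_ASSERTIONS` only enables checks inside libstdc++ headers, so for the C sources shown throughout this diff it has no effect; it is fine to carry for consistency with distro flags, but it does not add hardening to this code base. Because the assignment is `?=`, any CPPFLAGS supplied by the environment replaces the whole value, `-D_FORTIFY_SOURCE=2` included; use `+=` or a separate variable if these defines are meant to be always on.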

@ -1,25 +0,0 @@
From 2cd211bcc612ad8cb99c778461ca02a9f3e5e44b Mon Sep 17 00:00:00 2001
From: David Michael <david.michael@coreos.com>
Date: Thu, 16 Feb 2017 15:08:30 -0800
Subject: [PATCH 08/29] pesigcheck: Verify with the cert as an object signer
---
src/certdb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/certdb.c b/src/certdb.c
index 2a08042..b7c99bb 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -339,7 +339,7 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
}
/* Verify the signature */
result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo,
- certUsageSSLServer,
+ certUsageObjectSigner,
digest, HASH_AlgSHA256,
PR_FALSE, atTime);
if (!result) {
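Review bot: switching the usage argument to certUsageObjectSigner matches what a code-signing certificate should be checked for, but the commit carries no explanation and no sign-off; a sentence on why certUsageSSLServer was wrong would help anyone auditing verification behaviour across versions. The call still hard-codes HASH_AlgSHA256 in the context line below the change, so signatures made with another digest cannot verify here; confirm that is intended.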
--
2.13.4

@ -0,0 +1,24 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 10 Aug 2021 12:39:08 -0400
Subject: [PATCH] macros.pesign: handle centos like rhel with --rhelver
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/macros.pesign | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/macros.pesign b/src/macros.pesign
index 34af57c..b7d6af1 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -34,7 +34,8 @@
%{?__pesign_cert:--cert %{__pesign_cert}} \\\
%{?_buildhost:--hostname "%{_buildhost}"} \\\
%{?vendor:--vendor "%{vendor}"} \\\
- %{?_rhel:--rhelver "%{_rhel}"} \\\
+ %{?rhel:--rhelver "%{rhel}"} \\\
+ %{?centos:--rhelver "%{centos}"} \\\
%{?-n:--rhelcert %{-n*}}%{?!-n:--rhelcert %{__pesign_cert}} \\\
%{?-a:--rhelcafile "%{-a*}"} \\\
%{?-c:--rhelcertfile "%{-c*}"} \\\
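Review bot: `%{?rhel:...}` and `%{?centos:...}` are independent conditionals, so a build where both macros are defined emits --rhelver twice, and which value wins depends on the helper's option parsing. Make the centos expansion conditional on rhel being undefined, or pick one explicitly.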

@ -1,47 +0,0 @@
From e0238e2363f9668aee07b2e44a8f358e694551c0 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 24 Apr 2017 15:18:10 -0400
Subject: [PATCH 09/29] pesigcheck: make --certfile actually work
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesigcheck.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/pesigcheck.c b/src/pesigcheck.c
index 0d49c1a..d7be542 100644
--- a/src/pesigcheck.c
+++ b/src/pesigcheck.c
@@ -130,7 +130,7 @@ check_signature(pesigcheck_context *ctx)
cert_iter iter;
generate_digest(ctx->cms_ctx, ctx->inpe, 1);
-
+
if (check_db_hash(DBX, ctx) == FOUND)
return -1;
@@ -225,6 +225,11 @@ main(int argc, char *argv[])
.argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_POST,
.arg = (void *)callback,
.descrip = (void *)ctxp },
+ {.longName = "certfile",
+ .shortName = 'c',
+ .argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_POST,
+ .arg = (void *)callback,
+ .descrip = (void *)ctxp },
{.longName = "in",
.shortName = 'i',
.argInfo = POPT_ARG_STRING,
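Review bot: the added table entry gives `certfile` / `'c'` a POPT_ARG_CALLBACK type, while the third hunk shows an existing entry that already uses shortName 'c' with `.arg = &certfile`, so the table now carries two entries for the same short option and it is unclear which one popt will match. A callback entry in popt normally carries no option name; if the intent is for the callback to see -c, keep a single named POPT_ARG_STRING entry and handle it in the callback registered above.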
@@ -258,7 +263,7 @@ main(int argc, char *argv[])
.shortName = 'c',
.argInfo = POPT_ARG_STRING,
.arg = &certfile,
- .descrip = "the certificate (in DER form) for verification ",
+ .descrip = "import certfile (in DER encoding) for allowed certificate",
.argDescrip = "<certfile>" },
POPT_AUTOALIAS
POPT_AUTOHELP
--
2.13.4

@ -0,0 +1,25 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 4 Apr 2022 14:45:29 -0400
Subject: [PATCH] Detect the presence of rpm-sign when checking for "rhel"-ness
Signed-off-by: Peter Jones <pjones@redhat.com>
[rharwood: manually reapply to main]
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/pesign-rpmbuild-helper.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in
index c9d5570..9dee56e 100644
--- a/src/pesign-rpmbuild-helper.in
+++ b/src/pesign-rpmbuild-helper.in
@@ -190,7 +190,7 @@ main() {
getfacl -n /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
fi
- if [[ "${rhelver}" -ge 7 ]] ; then
+ if [[ "${rhelver}" -ge 7 ]] && which rpm-sign >&/dev/null ; then
nssdir="$(mktemp -p "${PWD}" -d)"
echo > "${nssdir}/pwfile"
certutil -N -d "${nssdir}" -f "${nssdir}/pwfile"
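Review bot: `which rpm-sign >&/dev/null` depends on the external which(1) being installed in the buildroot; if it is missing the test is false and the RHEL signing path is skipped silently. Use the shell builtin instead, `command -v rpm-sign >/dev/null 2>&1`, and consider logging which branch was taken, since this condition decides which signing path is used.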

@ -1,27 +0,0 @@
From 799808b265ac6f82fa1268fd696d70357acce69c Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 25 Apr 2017 16:15:07 -0400
Subject: [PATCH 10/29] signerInfos: make sure err is always initialized
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/signed_data.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/signed_data.c b/src/signed_data.c
index 721db90..9e0af23 100644
--- a/src/signed_data.c
+++ b/src/signed_data.c
@@ -132,7 +132,8 @@ int
generate_signerInfo_list(cms_context *cms, SpcSignerInfo ***signerInfo_list_p, SignerInfoType type)
{
SpcSignerInfo **signerInfo_list;
- int err, rc;
+ int err = 0;
+ int rc;
if (!signerInfo_list_p)
return -1;
--
2.13.4

@ -0,0 +1,17 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 13 May 2022 15:53:05 -0400
Subject: [PATCH] Rename README -> README.md
Rich text will let me compact links.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
README => README.md | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename README => README.md (100%)
diff --git a/README b/README.md
similarity index 100%
rename from README
rename to README.md

@ -1,26 +0,0 @@
From 868b42b338d919917ea31cfbf0f96e9586947eaf Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 25 Apr 2017 16:23:36 -0400
Subject: [PATCH 11/29] pesign: make "pesign -h" tell you the file name.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pesign.c b/src/pesign.c
index 279a17a..5879cfc 100644
--- a/src/pesign.c
+++ b/src/pesign.c
@@ -387,7 +387,7 @@ print_digest(pesign_context *pctx)
if (!ctx)
return;
- printf("hash: ");
+ printf("%s ", pctx->infile);
int j = ctx->selected_digest;
for (unsigned int i = 0; i < ctx->digests[j].pe_digest->len; i++)
printf("%02x",
--
2.13.4

@ -1,104 +0,0 @@
From 95327e6d9bd4f70980acd8fd6c9524265990dc4d Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 10 May 2017 10:49:57 -0400
Subject: [PATCH 12/29] Add coverity build scripts
Signed-off-by: Peter Jones <pjones@redhat.com>
---
.gitignore | 1 +
Make.coverity | 37 +++++++++++++++++++++++++++++++++++++
Make.defaults | 2 ++
Make.rules | 4 ++++
Makefile | 1 +
5 files changed, 45 insertions(+)
create mode 100644 Make.coverity
diff --git a/.gitignore b/.gitignore
index 1635ba2..847e172 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,3 +12,4 @@
*.tar.*
*.rpm
core.*
+cov-int
diff --git a/Make.coverity b/Make.coverity
new file mode 100644
index 0000000..b80b091
--- /dev/null
+++ b/Make.coverity
@@ -0,0 +1,37 @@
+include $(TOPDIR)/Make.version
+include $(TOPDIR)/Make.rules
+include $(TOPDIR)/Make.defaults
+
+COV_EMAIL=$(call get-config,coverity.email)
+COV_TOKEN=$(call get-config,coverity.token)
+COV_URL=$(call get-config,coverity.url)
+COV_FILE=$(NAME)-coverity-$(VERSION)-$(COMMIT_ID).tar.bz2
+
+cov-int : clean
+ cov-build --dir cov-int make all
+
+cov-clean :
+ @rm -vf $(NAME)-coverity-*.tar.*
+ @if [[ -d cov-int ]]; then rm -rf cov-int && echo "removed 'cov-int'"; fi
+
+cov-file : | $(COV_FILE)
+
+$(COV_FILE) : cov-int
+ tar caf $@ cov-int
+
+cov-upload :
+ @if [[ -n "$(COV_URL)" ]] && \
+ [[ -n "$(COV_TOKEN)" ]] && \
+ [[ -n "$(COV_EMAIL)" ]] ; \
+ then \
+ echo curl --form token=$(COV_TOKEN) --form email="$(COV_EMAIL)" --form file=@"$(COV_FILE)" --form version=$(VERSION).1 --form description="$(COMMIT_ID)" "$(COV_URL)" ; \
+ curl --form token=$(COV_TOKEN) --form email="$(COV_EMAIL)" --form file=@"$(COV_FILE)" --form version=$(VERSION).1 --form description="$(COMMIT_ID)" "$(COV_URL)" ; \
+ else \
+ echo Coverity output is in $(COV_FILE) ; \
+ fi
+
+coverity : cov-file cov-upload
+
+clean : | cov-clean
+
+.PHONY : coverity cov-upload cov-clean cov-file
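Review bot: the cov-upload recipe echoes the complete curl command, including `--form token=$(COV_TOKEN)`, so the Coverity token ends up in the terminal and in any CI log that captures the build. Drop the echo or print it with the token masked. The token is also passed unquoted on the curl command line, unlike the email and file fields, which exposes it in the process list; curl's --form can read a field's value from a file instead. Separately, the recipes use `[[ ... ]]`, a bash construct, while make runs recipes with /bin/sh unless SHELL is set, and nothing in this hunk sets it.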
diff --git a/Make.defaults b/Make.defaults
index 3511080..39b78f0 100644
--- a/Make.defaults
+++ b/Make.defaults
@@ -1,3 +1,5 @@
+NAME = pesign
+COMMIT_ID ?= $(shell git log -1 --pretty=%H 2>/dev/null || echo master)
prefix ?= /usr/
prefix := $(abspath $(prefix))/
libdir ?= $(prefix)lib64/
diff --git a/Make.rules b/Make.rules
index af5ecfe..5e3c83d 100644
--- a/Make.rules
+++ b/Make.rules
@@ -79,3 +79,7 @@ endef
$(TOPDIR)/libdpe/%.a $(TOPDIR)/libdpe/% :
$(MAKE) -C $(TOPDIR)/libdpe $(notdir $@)
+
+define get-config =
+$(shell git config --local --get "$(NAME).$(1)")
+endef
diff --git a/Makefile b/Makefile
index db8eb7e..ca1a359 100644
--- a/Makefile
+++ b/Makefile
@@ -4,6 +4,7 @@ TOPDIR = $(realpath .)
include $(TOPDIR)/Make.version
include $(TOPDIR)/Make.rules
include $(TOPDIR)/Make.defaults
+include $(TOPDIR)/Make.coverity
SUBDIRS := include libdpe src
--
2.13.4

@ -0,0 +1,56 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 13 May 2022 16:09:12 -0400
Subject: [PATCH] README.md: show off a bit more
Prominently mention efikeygen and add examples of usage for it and
pesign proper.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
README.md | 36 ++++++++++++++++++++++++++++++++----
1 file changed, 32 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index d70bc53..e9f0cb7 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,34 @@
-Signing tool for PE-COFF binaries, hopefully at least vaguely compliant with
-the PE and Authenticode specifications.
+# pesign + efikeygen
-This is vaguely analogous to the tool described by
-http://msdn.microsoft.com/en-us/library/8s9b9yaz%28v=vs.80%29.aspx
+Signing tools for PE-COFF binaries. Compliant with the PE and Authenticode
+specifications.
+(These serve a similar purpose to Microsoft's
+[SignTool.exe](http://msdn.microsoft.com/en-us/library/8s9b9yaz%28v=vs.80%29.aspx),
+except for Linux.)
+
+## Examples
+
+Generate a key for use with pesign, stored on disk:
+
+```
+efikeyen -d /etc/pki/pesign -S -TYPE -c 'CN=Your Name Key' -n 'Custom Secureboot'
+```
+
+For more complex and secure use cases (e.g., hardware tokens), see
+efikeygen man page (`man efikeygen`).
+
+Sign a UEFI application using that key:
+
+```
+pesign -i grubx64.efi -o grubx64.efi.signed -c 'Custom Secureboot' -s
+```
+
+Show signatures on a UEFI application:
+
+```
+pesign -i grubx64.efi.signed -S
+```
+
+For more signing/verification operations, see the pesign man page (`man
+pesign`).
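Review bot: the key-generation example misspells the command as `efikeyen` (it should be `efikeygen`) and passes a literal `-TYPE` with no sentence saying what to substitute, so the first example in the README cannot be pasted and run. Fix the name and explain the placeholder in the same hunk. The description also moves from "hopefully at least vaguely compliant" to "Compliant" with the PE and Authenticode specifications; if nothing backs the stronger claim, keep the hedge.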

@ -1,25 +0,0 @@
From 4b9e7cf3e869de36daf2ea705b9efef55ae87ef8 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Sat, 8 Jul 2017 16:31:18 -0400
Subject: [PATCH 13/29] Document implicit fallthrough.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/authvar.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/authvar.c b/src/authvar.c
index ad659ca..03e0c47 100644
--- a/src/authvar.c
+++ b/src/authvar.c
@@ -511,6 +511,7 @@ main(int argc, char *argv[])
case IMPORT|SET:
case IMPORT|SIGN|SET:
fprintf(stderr, "authvar: not implemented\n");
+ /* fallthrough. */
case IMPORT|SIGN|EXPORT:
default:
fprintf(stderr, "authvar: invalid flags: ");
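Review bot: with the fallthrough annotated as intentional, the IMPORT|SET and IMPORT|SIGN|SET cases print "authvar: not implemented" and then continue into the default branch, which prints "authvar: invalid flags: ". A user who passed a valid but unimplemented combination is told the flags are invalid. If that is not wanted, exit after the first message instead of documenting the fallthrough.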
--
2.13.4

@ -0,0 +1,23 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 16 May 2022 15:31:25 -0400
Subject: [PATCH] Fix missing line in README.md
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
README.md | 2 ++
1 file changed, 2 insertions(+)
diff --git a/README.md b/README.md
index e9f0cb7..7bbd6dd 100644
--- a/README.md
+++ b/README.md
@@ -15,6 +15,8 @@ Generate a key for use with pesign, stored on disk:
efikeyen -d /etc/pki/pesign -S -TYPE -c 'CN=Your Name Key' -n 'Custom Secureboot'
```
+(where TYPE is m if you're only signing kernel modules, and k otherwise).
+
For more complex and secure use cases (e.g., hardware tokens), see
efikeygen man page (`man efikeygen`).

@ -1,50 +0,0 @@
From a95e28e5cb10d417c81c8720e8521eb63793da37 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 16 May 2016 15:25:53 -0400
Subject: [PATCH 14/29] Actually setfacl /each/ directory of our key storage.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign-authorize-groups | 6 +++---
src/pesign-authorize-users | 6 +++---
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
index a4f895e..cf51fb6 100644
--- a/src/pesign-authorize-groups
+++ b/src/pesign-authorize-groups
@@ -18,10 +18,10 @@ if [ -r /etc/pesign/groups ]; then
setfacl -m g:${group}:rw /var/run/pesign/socket
fi
fi
- for x in /etc/pki/pesign* ; do
+ for x in /etc/pki/pesign*/ ; do
if [ -d ${x} ]; then
- setfacl -m g:${group}:rx /etc/pki/pesign
- for y in ${x}/{cert8,key3,secmod}.db ; do
+ setfacl -m g:${group}:rx ${x}
+ for y in ${x}{cert8,key3,secmod}.db ; do
setfacl -m g:${group}:rw ${y}
done
fi
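Review bot: the loop glob `/etc/pki/pesign*/` matches every directory under /etc/pki whose name starts with pesign, including a symlink to a directory, and `[ -d ${x} ]` follows symlinks, so the group is granted rx on, and rw on the three .db files of, whatever such a name points to. Iterate over an explicit list of key-store directories, or skip symlinks (testing the name without its trailing slash). `${x}` and `${y}` are also unquoted, `${x}{cert8,key3,secmod}.db` relies on bash brace expansion, and setfacl is run on each .db path without checking that the file exists.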
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
index 8b9a885..940138e 100644
--- a/src/pesign-authorize-users
+++ b/src/pesign-authorize-users
@@ -18,10 +18,10 @@ if [ -r /etc/pesign/users ]; then
setfacl -m g:${username}:rw /var/run/pesign/socket
fi
fi
- for x in /etc/pki/pesign* ; do
+ for x in /etc/pki/pesign*/ ; do
if [ -d ${x} ]; then
- setfacl -m g:${username}:rx /etc/pki/pesign
- for y in ${x}/{cert8,key3,secmod}.db ; do
+ setfacl -m g:${username}:rx ${x}
+ for y in ${x}{cert8,key3,secmod}.db ; do
setfacl -m g:${username}:rw ${y}
done
fi
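Review bot: every setfacl call in pesign-authorize-users uses a `g:` entry with `${username}`, for example `setfacl -m g:${username}:rx ${x}`, which grants access to a group named after the user rather than to the user. For a per-user authorization list this should be `u:${username}`; as written, any other member of a same-named group gets read/write access to the key databases and the socket as well.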
--
2.13.4

@ -0,0 +1,23 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Matt Bernhard <bernhard@voting.works>
Date: Fri, 27 May 2022 14:40:49 -0400
Subject: [PATCH] Fix typo in efikeygen command
Signed-off-by: Matt Bernhard <mdb92nc@gmail.com>
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 7bbd6dd..b6949a2 100644
--- a/README.md
+++ b/README.md
@@ -12,7 +12,7 @@ except for Linux.)
Generate a key for use with pesign, stored on disk:
```
-efikeyen -d /etc/pki/pesign -S -TYPE -c 'CN=Your Name Key' -n 'Custom Secureboot'
+efikeygen -d /etc/pki/pesign -S -TYPE -c 'CN=Your Name Key' -n 'Custom Secureboot'
```
(where TYPE is m if you're only signing kernel modules, and k otherwise).

@ -1,59 +0,0 @@
From a3cc2ad5d49ed61187527281da351e80d8f76a89 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 22 Aug 2016 13:31:38 -0400
Subject: [PATCH 15/29] oid: add SHIM_EKU_MODULE_SIGNING_ONLY and fix our array
indices.
That was all kinds of wrong.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/oid.c | 10 +++++++---
src/oid.h | 1 +
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/oid.c b/src/oid.c
index 9d8154f..7037e1e 100644
--- a/src/oid.c
+++ b/src/oid.c
@@ -33,6 +33,7 @@ static uint8_t oiddata[] = {
0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x0f,
0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x15,
0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x01,
+ 0x2b, 0x06, 0x01, 0x04, 0x01, 0x92, 0x08, 0x10, 0x01, 0x02,
};
#define OID(num, desc_s, oidtype, length, value) \
@@ -53,11 +54,14 @@ static struct {
OID(SPC_STATEMENT_TYPE_OBJID, "Statement Type", siDEROID, 10,
&oiddata[10]),
OID(SPC_PE_IMAGE_DATA_OBJID, "PE Image Data", siDEROID, 10,
- &oiddata[30]),
+ &oiddata[20]),
OID(SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID, "Individual Key", siDEROID,
- 10, &oiddata[40]),
+ 10, &oiddata[30]),
OID(szOID_CERTSRV_CA_VERSION, "Certification server CA version",
- siAsciiString, 9, &oiddata[50]),
+ siAsciiString, 9, &oiddata[40]),
+ OID(SHIM_EKU_MODULE_SIGNING_ONLY,
+ "Certificate is used for kernel modules only", siDEROID, 10,
+ &oiddata[49]),
{ .oid = END_OID_LIST }
};
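Review bot: the offsets into oiddata are still hand-computed literals (`&oiddata[20]`, `&oiddata[30]`, `&oiddata[40]`, `&oiddata[49]`), which is exactly the kind of mistake this patch corrects; the 49 only works because the preceding entry is 9 bytes long rather than 10. Give each OID its own array and take the length from sizeof, or add a static assertion that the last offset plus its length equals sizeof(oiddata), so the next addition cannot silently point at the wrong bytes.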
diff --git a/src/oid.h b/src/oid.h
index 599f49d..0e00781 100644
--- a/src/oid.h
+++ b/src/oid.h
@@ -25,6 +25,7 @@ typedef enum {
SPC_PE_IMAGE_DATA_OBJID, /* 1.3.6.1.4.1.311.2.1.15 */
SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID, /* 1.3.6.1.4.1.311.2.1.21 */
szOID_CERTSRV_CA_VERSION, /* 1.3.6.1.4.1.311.21.1 */
+ SHIM_EKU_MODULE_SIGNING_ONLY, /* 1.3.6.1.4.1.2312.16.1.2 */
END_OID_LIST
} ms_oid_t;
--
2.13.4

@ -0,0 +1,53 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Visa Hankala <visa@hankala.org>
Date: Fri, 10 Jun 2022 13:25:13 +0000
Subject: [PATCH] pesigcheck: Fix crash on digest match
Set selected_digest when the digest is found in db or dbx.
This fixes the following crash of pesigcheck:
Program received signal SIGSEGV, Segmentation fault.
0x00005555555597fa in memcpy (__len=24, __src=0x31,
__dest=0x55555558d908)
at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
34 return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));
(gdb) bt
#0 0x00005555555597fa in memcpy (__len=24, __src=0x31,
__dest=0x55555558d908)
at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
#1 get_digest (digest=digest@entry=0x55555558d908,
ctx=<optimized out>, ctx=<optimized out>) at pesigcheck.c:226
#2 0x00005555555592fd in check_signature (
reasons=<synthetic pointer>, nreasons=<synthetic pointer>,
ctx=0x7fffffffded0) at pesigcheck.c:262
#3 main (argc=<optimized out>, argv=<optimized out>)
at pesigcheck.c:512
Signed-off-by: Visa Hankala <visa@hankala.org>
---
src/certdb.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/certdb.c b/src/certdb.c
index e013b9d..69d5daf 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -267,12 +267,16 @@ check_hash(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
if (memcmp(sigtype, &efi_sha256, sizeof(efi_guid_t)) == 0) {
digest = ctx->cms_ctx->digests[0].pe_digest->data;
- if (memcmp (digest, sig->data, 32) == 0)
+ if (memcmp (digest, sig->data, 32) == 0) {
+ ctx->cms_ctx->selected_digest = 0;
return FOUND;
+ }
} else if (memcmp(sigtype, &efi_sha1, sizeof(efi_guid_t)) == 0) {
digest = ctx->cms_ctx->digests[1].pe_digest->data;
- if (memcmp (digest, sig->data, 20) == 0)
+ if (memcmp (digest, sig->data, 20) == 0) {
+ ctx->cms_ctx->selected_digest = 1;
return FOUND;
+ }
}
return NOT_FOUND;
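Review bot: both comparisons in check_hash read a fixed number of bytes from sig->data (`memcmp (digest, sig->data, 32)` and the 20-byte SHA-1 case), and nothing in this hunk checks sig->len or pe_digest->len first, so a short signature entry is read past its end. Compare the lengths before calling memcmp. The literals 0 and 1 assigned to selected_digest also duplicate the ordering of the digests array; named constants would keep the two in step.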

@ -0,0 +1,272 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 10 Jun 2022 14:40:33 -0400
Subject: [PATCH] cms: store digest as pointer instead of index
Storage as an index is problematic because the sentinel value -1 was
used, but accesses were unchecked, leading to crashes like that in
3b1031a6b779cb80c11b34eec84c5a0cc215efed ("pesigcheck: Fix crash on
digest match"). By storing a pointer, we get an explicit NULL
dereference: still a crash, but preferred since it's clearer.
Since the index was previously also used for retrieving digest
parameters, include a pointer to the relevant struct digest_param in the
struct digest.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/certdb.c | 15 ++++++++-------
src/cms_common.c | 34 ++++++++++------------------------
src/content_info.c | 4 ++--
src/file_kmod.c | 2 +-
src/file_pe.c | 9 +++++----
src/pesigcheck.c | 4 +---
src/cms_common.h | 13 ++++++++++++-
7 files changed, 39 insertions(+), 42 deletions(-)
diff --git a/src/certdb.c b/src/certdb.c
index 69d5daf..f512824 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -263,18 +263,19 @@ check_hash(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
{
efi_guid_t efi_sha256 = efi_guid_sha256;
efi_guid_t efi_sha1 = efi_guid_sha1;
- void *digest;
+ void *digest_data;
+ struct digest *digests = ctx->cms_ctx->digests;
if (memcmp(sigtype, &efi_sha256, sizeof(efi_guid_t)) == 0) {
- digest = ctx->cms_ctx->digests[0].pe_digest->data;
- if (memcmp (digest, sig->data, 32) == 0) {
- ctx->cms_ctx->selected_digest = 0;
+ digest_data = digests[0].pe_digest->data;
+ if (memcmp (digest_data, sig->data, 32) == 0) {
+ ctx->cms_ctx->selected_digest = &digests[0];
return FOUND;
}
} else if (memcmp(sigtype, &efi_sha1, sizeof(efi_guid_t)) == 0) {
- digest = ctx->cms_ctx->digests[1].pe_digest->data;
- if (memcmp (digest, sig->data, 20) == 0) {
- ctx->cms_ctx->selected_digest = 1;
+ digest_data = digests[1].pe_digest->data;
+ if (memcmp (digest_data, sig->data, 20) == 0) {
+ ctx->cms_ctx->selected_digest = &digests[1];
return FOUND;
}
}
diff --git a/src/cms_common.c b/src/cms_common.c
index 86341ca..2275f67 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -33,15 +33,6 @@
#include "hex.h"
-struct digest_param {
- char *name;
- SECOidTag digest_tag;
- SECOidTag signature_tag;
- SECOidTag digest_encryption_tag;
- const efi_guid_t *efi_guid;
- int size;
-};
-
static struct digest_param digest_params[] = {
{.name = "sha256",
.digest_tag = SEC_OID_SHA256,
@@ -65,29 +56,25 @@ static int n_digest_params = sizeof (digest_params) / sizeof (digest_params[0]);
SECOidTag
digest_get_digest_oid(cms_context *cms)
{
- int i = cms->selected_digest;
- return digest_params[i].digest_tag;
+ return cms->selected_digest->digest_params->digest_tag;
}
SECOidTag
digest_get_encryption_oid(cms_context *cms)
{
- int i = cms->selected_digest;
- return digest_params[i].digest_encryption_tag;
+ return cms->selected_digest->digest_params->digest_encryption_tag;
}
SECOidTag
digest_get_signature_oid(cms_context *cms)
{
- int i = cms->selected_digest;
- return digest_params[i].signature_tag;
+ return cms->selected_digest->digest_params->signature_tag;
}
int
digest_get_digest_size(cms_context *cms)
{
- int i = cms->selected_digest;
- return digest_params[i].size;
+ return cms->selected_digest->digest_params->size;
}
void
@@ -142,8 +129,6 @@ cms_context_init(cms_context *cms)
if (!cms->arena)
cnreterr(-1, cms, "could not create cryptographic arena");
- cms->selected_digest = -1;
-
INIT_LIST_HEAD(&cms->pk12_ins);
cms->pk12_out.fd = -1;
cms->db_out = cms->dbx_out = cms->dbt_out = -1;
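Review bot: cms_context_init loses `cms->selected_digest = -1;` and gets no `= NULL` in its place, while cms_context_fini does assign NULL. Unless the context is zeroed before this point (not visible in this hunk), selected_digest starts out indeterminate and the "explicit NULL dereference" the commit message relies on is not guaranteed. Add `cms->selected_digest = NULL;` here.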
@@ -226,7 +211,7 @@ cms_context_fini(cms_context *cms)
memset(&cms->newsig, '\0', sizeof (cms->newsig));
}
- cms->selected_digest = -1;
+ cms->selected_digest = NULL;
if (cms->ci_digest) {
free_poison(cms->ci_digest->data, cms->ci_digest->len);
@@ -351,7 +336,7 @@ set_digest_parameters(cms_context *cms, char *name)
if (strcmp(name, "help")) {
for (int i = 0; i < n_digest_params; i++) {
if (!strcmp(name, digest_params[i].name)) {
- cms->selected_digest = i;
+ cms->selected_digest = &cms->digests[i];
return 0;
}
}
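Review bot: `cms->selected_digest = &cms->digests[i];` in set_digest_parameters takes an address inside cms->digests, but that array is only assigned in generate_digest_begin (`cms->digests = digests;`). If set_digest_parameters can run before that, the stored pointer is computed from a NULL base, which is non-NULL for i greater than 0 and so slips past any later NULL test; and in any case it goes stale once generate_digest_begin installs a new array. Either keep the index here and resolve it after allocation, or re-point selected_digest whenever cms->digests is replaced.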
@@ -1279,6 +1264,7 @@ generate_digest_begin(cms_context *cms)
cngotoerr(err, cms, "could not create digest context");
PK11_DigestBegin(digests[i].pk11ctx);
+ digests[i].digest_params = &digest_params[i];
}
cms->digests = digests;
@@ -1351,11 +1337,11 @@ generate_signature(cms_context *cms)
{
int rc = 0;
- if (cms->digests[cms->selected_digest].pe_digest == NULL)
+ if (cms->selected_digest->pe_digest == NULL)
cnreterr(-1, cms, "PE digest has not been allocated");
- if (content_is_empty(cms->digests[cms->selected_digest].pe_digest->data,
- cms->digests[cms->selected_digest].pe_digest->len))
+ if (content_is_empty(cms->selected_digest->pe_digest->data,
+ cms->selected_digest->pe_digest->len))
cnreterr(-1, cms, "PE binary has not been digested");
SECItem sd_der;
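Review bot: generate_signature tests `cms->selected_digest->pe_digest == NULL` without first testing selected_digest itself, so the unset case crashes one line before an error path that already exists. Add a `cms->selected_digest == NULL` branch with its own cnreterr message; unlike the OID accessors, this function can report the condition cleanly.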
diff --git a/src/content_info.c b/src/content_info.c
index 9684850..777aa28 100644
--- a/src/content_info.c
+++ b/src/content_info.c
@@ -181,8 +181,8 @@ generate_spc_digest_info(cms_context *cms, SECItem *dip)
if (generate_algorithm_id(cms, &di.digestAlgorithm,
digest_get_digest_oid(cms)) < 0)
return -1;
- int i = cms->selected_digest;
- memcpy(&di.digest, cms->digests[i].pe_digest, sizeof (di.digest));
+ memcpy(&di.digest, cms->selected_digest->pe_digest,
+ sizeof(di.digest));
if (content_is_empty(di.digest.data, di.digest.len)) {
cms->log(cms, LOG_ERR, "got empty digest");
diff --git a/src/file_kmod.c b/src/file_kmod.c
index 6880cda..c8875fc 100644
--- a/src/file_kmod.c
+++ b/src/file_kmod.c
@@ -60,7 +60,7 @@ ssize_t
kmod_write_signature(cms_context *cms, int outfd)
{
SEC_PKCS7ContentInfo *cinfo;
- SECItem *digest = cms->digests[cms->selected_digest].pe_digest;
+ SECItem *digest = cms->selected_digest->pe_digest;
SECStatus rv;
struct write_sig_info info = {
.outfd = outfd,
diff --git a/src/file_pe.c b/src/file_pe.c
index 805e614..c22b2af 100644
--- a/src/file_pe.c
+++ b/src/file_pe.c
@@ -114,6 +114,8 @@ check_inputs(pesign_context *ctx)
static void
print_digest(pesign_context *pctx)
{
+ unsigned int i;
+
if (!pctx)
return;
@@ -121,10 +123,9 @@ print_digest(pesign_context *pctx)
if (!ctx)
return;
- int j = ctx->selected_digest;
- for (unsigned int i = 0; i < ctx->digests[j].pe_digest->len; i++)
- printf("%02x",
- (unsigned char)ctx->digests[j].pe_digest->data[i]);
+ unsigned char *ddata = ctx->selected_digest->pe_digest->data;
+ for (i = 0; i < ctx->selected_digest->pe_digest->len; i++)
+ printf("%02x", ddata[i]);
printf(" %s\n", pctx->infile);
}
diff --git a/src/pesigcheck.c b/src/pesigcheck.c
index 6dc67f7..ebb404d 100644
--- a/src/pesigcheck.c
+++ b/src/pesigcheck.c
@@ -221,9 +221,7 @@ static void
get_digest(pesigcheck_context *ctx, SECItem *digest)
{
struct cms_context *cms = ctx->cms_ctx;
- struct digest *cms_digest = &cms->digests[cms->selected_digest];
-
- memcpy(digest, cms_digest->pe_digest, sizeof (*digest));
+ memcpy(digest, cms->selected_digest->pe_digest, sizeof(*digest));
}
static int
diff --git a/src/cms_common.h b/src/cms_common.h
index c7acbcf..c7d4f69 100644
--- a/src/cms_common.h
+++ b/src/cms_common.h
@@ -12,6 +12,7 @@
#include <secpkcs7.h>
#include <errno.h>
+#include <efivar.h>
#include <signal.h>
#include <stdarg.h>
#include <sys/types.h>
@@ -57,9 +58,19 @@
goto errlabel; \
})
+struct digest_param {
+ char *name;
+ SECOidTag digest_tag;
+ SECOidTag signature_tag;
+ SECOidTag digest_encryption_tag;
+ const efi_guid_t *efi_guid;
+ int size;
+};
+
struct digest {
PK11Context *pk11ctx;
SECItem *pe_digest;
+ struct digest_param *digest_params;
};
typedef struct pk12_file {
@@ -133,7 +144,7 @@ typedef struct cms_context {
int db_out, dbx_out, dbt_out;
struct digest *digests;
- int selected_digest;
+ struct digest *selected_digest;
int omit_vendor_cert;
SECItem newsig;

@ -1,197 +0,0 @@
From 9b4b12928c0450ac69d83293e179eec439465c03 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 22 Aug 2016 13:43:56 -0400
Subject: [PATCH 16/29] efikeygen: add --modsign
---
src/cms_common.c | 29 ++++++++++++++++++++++++++++
src/cms_common.h | 1 +
src/efikeygen.c | 59 ++++++++++++++++++++++++++++++++++++++++++++------------
3 files changed, 77 insertions(+), 12 deletions(-)
diff --git a/src/cms_common.c b/src/cms_common.c
index 6a4e6a7..2df2cfe 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -715,6 +715,35 @@ make_context_specific(cms_context *cms, int ctxt, SECItem *encoded,
return 0;
}
+static SEC_ASN1Template EKUOidSequence[] = {
+ {
+ .kind = SEC_ASN1_OBJECT_ID,
+ .offset = 0,
+ .sub = &SEC_AnyTemplate,
+ .size = sizeof (SECItem),
+ },
+ { 0 }
+};
+
+int
+make_eku_oid(cms_context *cms, SECItem *encoded, SECOidTag oid_tag)
+{
+ void *rv;
+ SECOidData *oid_data;
+
+ oid_data = SECOID_FindOIDByTag(oid_tag);
+ if (!oid_data)
+ cmsreterr(-1, cms, "could not encode eku oid data");
+
+ rv = SEC_ASN1EncodeItem(cms->arena, encoded, &oid_data->oid,
+ EKUOidSequence);
+ if (rv == NULL)
+ cmsreterr(-1, cms, "could not encode eku oid data");
+
+ encoded->type = siBuffer;
+ return 0;
+}
+
int
generate_octet_string(cms_context *cms, SECItem *encoded, SECItem *original)
{
diff --git a/src/cms_common.h b/src/cms_common.h
index c7d7268..7a31273 100644
--- a/src/cms_common.h
+++ b/src/cms_common.h
@@ -123,6 +123,7 @@ extern int wrap_in_seq(cms_context *cms, SECItem *der,
SECItem *items, int num_items);
extern int make_context_specific(cms_context *cms, int ctxt, SECItem *encoded,
SECItem *original);
+extern int make_eku_oid(cms_context *cms, SECItem *encoded, SECOidTag oid_tag);
extern int generate_validity(cms_context *cms, SECItem *der, time_t start,
time_t end);
extern int generate_common_name(cms_context *cms, SECItem *der, char *cn);
diff --git a/src/efikeygen.c b/src/efikeygen.c
index 8a515a5..9390578 100644
--- a/src/efikeygen.c
+++ b/src/efikeygen.c
@@ -49,6 +49,7 @@
#include <libdpe/libdpe.h>
#include "cms_common.h"
+#include "oid.h"
#include "util.h"
typedef struct {
@@ -249,20 +250,34 @@ add_basic_constraints(cms_context *cms, void *extHandle)
}
static int
-add_extended_key_usage(cms_context *cms, void *extHandle)
+add_extended_key_usage(cms_context *cms, int modsign_only, void *extHandle)
{
- SECItem value = {
- .data = (unsigned char *)"\x30\x0a\x06\x08\x2b\x06\x01"
- "\x05\x05\x07\x03\x03",
- .len = 12,
- .type = siBuffer
- };
+ SECItem values[2];
+ SECItem wrapped = { 0 };
+ SECStatus status;
+ SECOidTag tag;
+ int rc;
+
+ if (modsign_only < 1 || modsign_only > 2)
+ cmsreterr(-1, cms, "could not encode extended key usage");
+ rc = make_eku_oid(cms, &values[0], SEC_OID_EXT_KEY_USAGE_CODE_SIGN);
+ if (rc < 0)
+ cmsreterr(-1, cms, "could not encode extended key usage");
+
+ tag = find_ms_oid_tag(SHIM_EKU_MODULE_SIGNING_ONLY);
+ printf("tag: %d\n", tag);
+ rc = make_eku_oid(cms, &values[1], tag);
+ if (rc < 0)
+ cmsreterr(-1, cms, "could not encode extended key usage");
+
+ rc = wrap_in_seq(cms, &wrapped, values, modsign_only);
+ if (rc < 0)
+ cmsreterr(-1, cms, "could not encode extended key usage");
- SECStatus status;
status = CERT_AddExtension(extHandle, SEC_OID_X509_EXT_KEY_USAGE,
- &value, PR_FALSE, PR_TRUE);
+ &wrapped, PR_FALSE, PR_TRUE);
if (status != SECSuccess)
cmsreterr(-1, cms, "could not encode extended key usage");
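Review bot: a debugging line, `printf("tag: %d\n", tag);`, is left in add_extended_key_usage and writes to stdout on every key generation; remove it, and check the result of find_ms_oid_tag before handing it to make_eku_oid. modsign_only also doubles as the element count passed to wrap_in_seq, so the value 1 emits only the code-signing EKU and 2 adds SHIM_EKU_MODULE_SIGNING_ONLY; that coupling is not obvious from the name and deserves a comment or an explicit count. Every failure in the function, including the range check at the top, reports the same "could not encode extended key usage" text, which makes the failing step impossible to tell apart.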
@@ -294,7 +309,7 @@ static int
add_extensions_to_crq(cms_context *cms, CERTCertificateRequest *crq,
int is_ca, int is_self_signed, SECKEYPublicKey *pubkey,
SECKEYPublicKey *spubkey,
- char *url)
+ char *url, int modsign_only)
{
void *mark = PORT_ArenaMark(cms->arena);
@@ -319,7 +334,7 @@ add_extensions_to_crq(cms_context *cms, CERTCertificateRequest *crq,
if (rc < 0)
cmsreterr(-1, cms, "could not generate certificate extensions");
- rc = add_extended_key_usage(cms, extHandle);
+ rc = add_extended_key_usage(cms, modsign_only, extHandle);
if (rc < 0)
cmsreterr(-1, cms, "could not generate certificate extensions");
@@ -469,6 +484,7 @@ int main(int argc, char *argv[])
{
int is_ca = 0;
int is_self_signed = -1;
+ int modsign_only = 0;
char *tokenname = "NSS Certificate DB";
char *signer = NULL;
char *nickname = NULL;
@@ -522,6 +538,18 @@ int main(int argc, char *argv[])
.descrip = "Generate a self-signed certificate" },
/* stuff about the generated key */
+ {.longName = "kernel",
+ .shortName = 'k',
+ .argInfo = POPT_ARG_VAL|POPT_ARGFLAG_OR,
+ .arg = &modsign_only,
+ .val = 1,
+ .descrip = "Generate a kernel-signing certificate" },
+ {.longName = "module",
+ .shortName = 'm',
+ .argInfo = POPT_ARG_VAL|POPT_ARGFLAG_OR,
+ .arg = &modsign_only,
+ .val = 2,
+ .descrip = "Generate a module-signing certificate" },
{.longName = "nickname",
.shortName = 'n',
.argInfo = POPT_ARG_STRING,
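Review bot: both new options use POPT_ARG_VAL|POPT_ARGFLAG_OR on the same variable, so passing -k and -m together yields 3, which the later range check rejects with "either --kernel or --module must be used", a message that reads as if neither was given. Reject the combination with its own message, or drop the OR flag so the options are plainly exclusive. The name modsign_only is also misleading for a variable where 1 means a kernel-signing certificate.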
@@ -628,6 +656,9 @@ int main(int argc, char *argv[])
liberr(1, "could not allocate cms context");
}
+ if (modsign_only < 1 || modsign_only > 2)
+ errx(1, "either --kernel or --module must be used");
+
SECStatus status = NSS_InitReadWrite(dbdir);
if (status != SECSuccess)
nsserr(1, "could not initialize NSS");
@@ -639,6 +670,10 @@ int main(int argc, char *argv[])
SECKEYPublicKey *pubkey = NULL;
SECKEYPrivateKey *privkey = NULL;
+ status = register_oids(cms);
+ if (status != SECSuccess)
+ nsserr(1, "Could not register OIDs");
+
PK11SlotInfo *slot = NULL;
if (pubfile) {
rc = get_pubkey_from_file(pubfile, &pubkey);
@@ -713,7 +748,7 @@ int main(int argc, char *argv[])
crq = CERT_CreateCertificateRequest(name, spki, &attributes);
rc = add_extensions_to_crq(cms, crq, is_ca, is_self_signed, pubkey,
- spubkey, url);
+ spubkey, url, modsign_only);
if (rc < 0)
exit(1);
--
2.13.4

@ -0,0 +1,31 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 7 Jul 2022 16:56:41 -0400
Subject: [PATCH] Fix mandoc invocation to not produce garbage
Bizarrely, mandoc doesn't default to outputting man - the default is
"locale", which is either ASCII or UTF-8 (by locale). This output is
supposed to be some kind of plain-text, but it's formatted so strangely
I'm not sure what the purpose is. Regardless, it doesn't go well to
feed this into man(1).
Tell mandoc explicitly to produce man pages.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
Make.rules | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Make.rules b/Make.rules
index 12e322b..f6bf5fa 100644
--- a/Make.rules
+++ b/Make.rules
@@ -54,7 +54,7 @@ define substitute-version =
endef
%.1 : %.1.mdoc
- @mandoc -man -Ios=Linux $^ > $@
+ @mandoc -man -T man -Ios=Linux $^ > $@
% : %.in
@$(call substitute-version,$<,$@)

@ -1,121 +0,0 @@
From 0456758e0c0873d1251bdf77d27f0f6175cbf289 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 25 Apr 2017 16:25:02 -0400
Subject: [PATCH 17/29] check_cert_db(): try even harder to pick a reasonable
validation time.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/certdb.c | 75 ++++++++++++++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 66 insertions(+), 9 deletions(-)
diff --git a/src/certdb.c b/src/certdb.c
index b7c99bb..1a4baf1 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -250,12 +250,53 @@ check_db_hash(db_specifier which, pesigcheck_context *ctx)
return check_db(which, ctx, check_hash, NULL, 0);
}
-static PRTime
-determine_reasonable_time(CERTCertificate *cert)
+static void
+find_cert_times(SEC_PKCS7ContentInfo *cinfo,
+ PRTime *notBefore, PRTime *notAfter)
{
- PRTime notBefore, notAfter;
- CERT_GetCertTimes(cert, &notBefore, &notAfter);
- return notBefore;
+ CERTCertDBHandle *defaultdb, *certdb;
+ SEC_PKCS7SignedData *sdp;
+ CERTCertificate **certs = NULL;
+ SECItem **rawcerts;
+ int i, certcount;
+ SECStatus rv;
+
+ if (cinfo->contentTypeTag->offset != SEC_OID_PKCS7_SIGNED_DATA) {
+err:
+ *notBefore = 0;
+ *notAfter = 0x7fffffffffffffff;
+ return;
+ }
+
+ sdp = cinfo->content.signedData;
+ rawcerts = sdp->rawCerts;
+
+ defaultdb = CERT_GetDefaultCertDB();
+
+ certdb = defaultdb;
+ if (certdb == NULL)
+ goto err;
+
+ certcount = 0;
+ if (rawcerts != NULL) {
+ for (; rawcerts[certcount] != NULL; certcount++)
+ ;
+ }
+ rv = CERT_ImportCerts(certdb, certUsageObjectSigner, certcount,
+ rawcerts, &certs, PR_FALSE, PR_FALSE, NULL);
+ if (rv != SECSuccess)
+ goto err;
+
+ for (i = 0; i < certcount; i++) {
+ PRTime nb = 0, na = 0x7fffffffffff;
+ CERT_GetCertTimes(certs[i], &nb, &na);
+ if (*notBefore < nb)
+ *notBefore = nb;
+ if (*notAfter > na)
+ *notAfter = na;
+ }
+
+ CERT_DestroyCertArray(certs, certcount);
}
static db_status
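Review bot: inside the loop in find_cert_times the fallback for na is `0x7fffffffffff`, shorter than the `0x7fffffffffffffff` used for every other upper bound in the patch, and the return value of CERT_GetCertTimes is not checked, so on failure that smaller value silently becomes notAfter. Use one named constant for the upper bound and check the result. The `err:` label also sits inside the body of the first if and is reached by goto from further down, which is legal C but easy to misread; a small helper that sets the defaults would be clearer.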
@@ -271,6 +312,8 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
PRBool result;
SECStatus rv;
db_status status = NOT_FOUND;
+ PRTime earlyNow = 0, lateNow = 0x7fffffffffffffff;
+ PRTime notBefore = 0, notAfter = 0x7fffffffffffffff;
efi_guid_t efi_x509 = efi_guid_x509_cert;
@@ -327,16 +370,30 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
}
cert->timeOK = PR_TRUE;
+ find_cert_times(cinfo, &notBefore, &notAfter);
+ if (earlyNow < notBefore)
+ earlyNow = notBefore;
+ if (lateNow > notAfter)
+ lateNow = notAfter;
+
SECItem *eTime;
PRTime atTime;
// atTime = determine_reasonable_time(cert);
eTime = SEC_PKCS7GetSigningTime(cinfo);
if (eTime != NULL) {
- if (DER_DecodeTimeChoice (&atTime, eTime) != SECSuccess)
- atTime = determine_reasonable_time(cert);
- } else {
- atTime = determine_reasonable_time(cert);
+ if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) {
+ if (earlyNow < atTime)
+ earlyNow = atTime;
+ if (lateNow > atTime)
+ lateNow = atTime;
+ }
}
+
+ if (lateNow < earlyNow)
+ printf("Impossible time constraints: %ld <= %ld\n",
+ earlyNow / 1000000, lateNow / 1000000);
+ atTime = earlyNow / 2 + lateNow / 2;
+
/* Verify the signature */
result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo,
certUsageObjectSigner,
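Review bot: when lateNow ends up below earlyNow, check_cert only prints "Impossible time constraints" to stdout and then verifies at the midpoint anyway; an empty validity window should fail the check (or at least be reported on stderr) rather than have a time picked for it. The verification time is now derived entirely from the certificates and the signing time carried in the signature under test, so certificate expiry is in effect never enforced; if that is the intent, say so in a comment. Smaller points: the message prints a less-or-equal sign for a strict comparison, PRTime is a 64-bit type printed with %ld, and the commented-out determine_reasonable_time call refers to a function this patch removes.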
--
2.13.4

@ -0,0 +1,41 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 29 Aug 2022 15:31:52 -0400
Subject: [PATCH] Work around GCC being obnoxiously incompatible with GCC
GCC added and then later removed the diagnostic flag
"-Wanalyzer-use-of-uninitialized-value", and so this doesn't work with
newer versions of GCC.
This patch removes the previous workaround for when it didn't work well.
I really wish any of our compilers had any sense of rigor with this
stuff at all.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/daemon.c | 5 -----
1 file changed, 5 deletions(-)
diff --git a/src/daemon.c b/src/daemon.c
index ff88210..d66dd50 100644
--- a/src/daemon.c
+++ b/src/daemon.c
@@ -917,10 +917,6 @@ do_shutdown(context *ctx, int nsockets, struct pollfd *pollfds)
free(pollfds);
}
-/* GCC -fanalyzer has trouble with realloc
- * https://bugzilla.redhat.com/show_bug.cgi?id=2047926 */
-#pragma GCC diagnostic push
-#pragma GCC diagnostic ignored "-Wanalyzer-use-of-uninitialized-value"
static int
handle_events(context *ctx)
{
@@ -999,7 +995,6 @@ shutdown:
}
return 0;
}
-#pragma GCC diagnostic pop
static int
get_uid_and_gid(context *ctx, char **homedir)

@ -1,137 +0,0 @@
From 01b89fb7a191f4639a93c5a7c47a80752118ba95 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 25 Apr 2017 16:58:50 -0400
Subject: [PATCH 18/29] show which db we're checking
---
src/certdb.c | 35 ++++++++++++++++++++++++++++++++++-
src/pesigcheck_context.c | 2 ++
src/pesigcheck_context.h | 1 +
3 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/src/certdb.c b/src/certdb.c
index 1a4baf1..673e074 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -18,6 +18,7 @@
*/
#include <fcntl.h>
+#include <libgen.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
@@ -42,17 +43,33 @@ add_db_file(pesigcheck_context *ctx, db_specifier which, const char *dbfile,
return -1;
db->type = type;
-
db->fd = open(dbfile, O_RDONLY);
if (db->fd < 0) {
save_errno(free(db));
return -1;
}
+ char *path = strdup(dbfile);
+ if (!path) {
+ save_errno(close(db->fd);
+ free(db));
+ return -1;
+ }
+
+ db->path = basename(path);
+ db->path = strdup(db->path);
+ free(path);
+ if (!db->path) {
+ save_errno(close(db->fd);
+ free(db));
+ return -1;
+ }
+
struct stat sb;
int rc = fstat(db->fd, &sb);
if (rc < 0) {
save_errno(close(db->fd);
+ free(db->path);
free(db));
return -1;
}
@@ -65,6 +82,7 @@ add_db_file(pesigcheck_context *ctx, db_specifier which, const char *dbfile,
rc = read_file(db->fd, (char **)&db->map, &sz);
if (rc < 0) {
save_errno(close(db->fd);
+ free(db->path);
free(db));
return -1;
}
@@ -133,6 +151,7 @@ add_cert_file(pesigcheck_context *ctx, const char *filename)
#define DB_PATH "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
#define MOK_PATH "/sys/firmware/efi/efivars/MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23"
#define DBX_PATH "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
+#define MOKX_PATH "/sys/firmware/efi/efivars/MokListXRT-605dab50-e046-4300-abb6-3dd810dd8b23"
void
init_cert_db(pesigcheck_context *ctx, int use_system_dbs)
@@ -167,6 +186,18 @@ init_cert_db(pesigcheck_context *ctx, int use_system_dbs)
"database \"%s\": %m\n", DBX_PATH);
exit(1);
}
+
+ rc = add_db_file(ctx, DBX, MOKX_PATH, DB_EFIVAR);
+ if (rc < 0 && errno != ENOENT) {
+ fprintf(stderr, "pesigcheck: Could not add key database "
+ "\"%s\": %m\n", MOKX_PATH);
+ exit(1);
+ }
+
+ if (ctx->dbx == NULL) {
+ fprintf(stderr, "pesigcheck: warning: "
+ "No key recovation database available\n");
+ }
}
typedef db_status (*checkfn)(pesigcheck_context *ctx, SECItem *sig,
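Review bot: the new warning string in init_cert_db() misspells "revocation" as "recovation" ("No key recovation database available"), which makes the message hard to find with grep or match in log monitoring. Please fix the spelling before this lands. The ENOENT tolerance for MOKX_PATH is reasonable since MokListXRT is optional, and the warning correctly fires only when ctx->dbx is still NULL after both revocation sources were tried.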
@@ -187,6 +218,8 @@ check_db(db_specifier which, pesigcheck_context *ctx, checkfn check,
sig.type = siBuffer;
while (dbl) {
+ printf("Searching %s %s\n", which == DB ? "db" : "dbx",
+ dbl->path);
EFI_SIGNATURE_LIST *certlist;
EFI_SIGNATURE_DATA *cert;
size_t dbsize = dbl->datalen;
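Review bot: the printf("Searching %s %s\n", ...) added at the top of the while (dbl) loop in check_db() is unconditional, so it prints even when the caller asked for no output. pesigcheck has a quiet option described as "return only; no text output", and ctx is already a parameter of check_db(), so this line should be gated on !ctx->quiet or on a verbose setting. As written, every database searched adds a line to stdout and any script that parses the tool's output will see it.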
diff --git a/src/pesigcheck_context.c b/src/pesigcheck_context.c
index b934cbe..5a355b1 100644
--- a/src/pesigcheck_context.c
+++ b/src/pesigcheck_context.c
@@ -87,6 +87,7 @@ pesigcheck_context_fini(pesigcheck_context *ctx)
munmap(db->map, db->size);
close(db->fd);
ctx->db = db->next;
+ free(db->path);
free(db);
}
while (ctx->dbx) {
@@ -95,6 +96,7 @@ pesigcheck_context_fini(pesigcheck_context *ctx)
if (db->type == DB_CERT)
free(db->data);
munmap(db->map, db->size);
+ free(db->path);
close(db->fd);
ctx->dbx = db->next;
free(db);
diff --git a/src/pesigcheck_context.h b/src/pesigcheck_context.h
index 1b916e3..7b5cc89 100644
--- a/src/pesigcheck_context.h
+++ b/src/pesigcheck_context.h
@@ -34,6 +34,7 @@ typedef enum {
struct dblist {
db_f_type type;
+ char *path;
int fd;
struct dblist *next;
size_t size;
--
2.13.4


@ -0,0 +1,51 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 29 Aug 2022 14:21:44 -0400
Subject: [PATCH] get_password_passthrough(): handle the callback context right
Right now, we have a few callback functions for PK11_Authenticate(), and
they take different arguments. This is incorrect; none of the callers
ever pass anything through except our CMS context.
This fixes get_password_passthrough() to correctly accept the CMS
context and get the passthrough data from cms->pwdata instead of trying
to treat the CMS context as the pwdata.
Related: rhbz#2122777
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/password.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/src/password.c b/src/password.c
index 18c32ed..8eb1c33 100644
--- a/src/password.c
+++ b/src/password.c
@@ -365,13 +365,23 @@ err:
}
char *
-get_password_passthrough(PK11SlotInfo *slot UNUSED,
- PRBool retry, void *arg)
+get_password_passthrough(PK11SlotInfo *slot UNUSED, PRBool retry, void *arg)
{
+ cms_context *cms;
+ secuPWData *pwdata;
+
+ dbgprintf("ctx:%p", arg);
+
if (retry || !arg)
return NULL;
- char *ret = strdup(arg);
+ cms = (cms_context *)arg;
+ pwdata = &cms->pwdata;
+
+ if (pwdata->source != PW_PLAINTEXT)
+ return NULL;
+
+ char *ret = strdup(pwdata->data);
if (!ret)
err(1, "Could not allocate memory");
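Review bot: strdup(pwdata->data) in the new body is reached whenever pwdata->source == PW_PLAINTEXT, but nothing checks that pwdata->data is non-NULL, and strdup(NULL) is undefined behaviour. Add a check such as "if (pwdata->source != PW_PLAINTEXT || !pwdata->data) return NULL;" so a context with the source set but no password loaded fails the authentication cleanly instead of crashing. The unconditional cast of arg to cms_context * is only safe while every PK11_Authenticate() caller passes the CMS context, as the commit message states, so a short comment saying so above the function would help keep it that way.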


@ -1,97 +0,0 @@
From 713e61448a6ffa3e6029a7c89fad61b8cb08c9ff Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 25 Apr 2017 17:00:46 -0400
Subject: [PATCH 19/29] more about the time
---
src/certdb.c | 59 +++++++++++++++++++++++++++++++++--------------------------
1 file changed, 33 insertions(+), 26 deletions(-)
diff --git a/src/certdb.c b/src/certdb.c
index 673e074..1078a8a 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -345,8 +345,10 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
PRBool result;
SECStatus rv;
db_status status = NOT_FOUND;
+ PRTime atTime = PR_Now();
+ SECItem *eTime;
PRTime earlyNow = 0, lateNow = 0x7fffffffffffffff;
- PRTime notBefore = 0, notAfter = 0x7fffffffffffffff;
+ PRTime notBefore, notAfter;
efi_guid_t efi_x509 = efi_guid_x509_cert;
@@ -358,6 +360,36 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
if (!cinfo)
goto out;
+ notBefore = earlyNow;
+ notAfter = lateNow;
+ find_cert_times(cinfo, &notBefore, &notAfter);
+ if (earlyNow < notBefore)
+ earlyNow = notBefore;
+ if (lateNow > notAfter)
+ lateNow = notAfter;
+
+ // atTime = determine_reasonable_time(cert);
+ eTime = SEC_PKCS7GetSigningTime(cinfo);
+ if (eTime != NULL) {
+ if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) {
+ if (earlyNow < atTime)
+ earlyNow = atTime;
+ if (lateNow > atTime)
+ lateNow = atTime;
+ }
+ }
+
+ if (lateNow < earlyNow)
+ printf("Signature has impossible time constraint: %ld <= %ld\n",
+ earlyNow / 1000000, lateNow / 1000000);
+ atTime = earlyNow / 2 + lateNow / 2;
+
+
+ cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL,
+ NULL, NULL);
+ if (!cinfo)
+ goto out;
+
/* Generate the digest of contentInfo */
/* XXX support only sha256 for now */
digest = SECITEM_AllocItem(NULL, NULL, 32);
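Review bot: the added block ends with a second "cinfo = SEC_PKCS7DecodeItem(pkcs7sig, ...)" even though the context lines just above it already checked cinfo for NULL and the new code has been using it for find_cert_times() and SEC_PKCS7GetSigningTime(). The first decoded object is overwritten without being destroyed, so it leaks on every certificate checked; drop the second decode or destroy the first one before reassigning. Separately, the "lateNow < earlyNow" case only prints a message and then still computes atTime from the two bounds, so a signature with contradictory time constraints is verified at a synthetic midpoint rather than rejected; if that is intentional it deserves a comment. The %ld conversions are also passed PRTime values, which are 64-bit and will not match long on 32-bit builds.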
@@ -401,31 +433,6 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
PORT_ErrorToString(PORT_GetError()));
goto out;
}
- cert->timeOK = PR_TRUE;
-
- find_cert_times(cinfo, &notBefore, &notAfter);
- if (earlyNow < notBefore)
- earlyNow = notBefore;
- if (lateNow > notAfter)
- lateNow = notAfter;
-
- SECItem *eTime;
- PRTime atTime;
- // atTime = determine_reasonable_time(cert);
- eTime = SEC_PKCS7GetSigningTime(cinfo);
- if (eTime != NULL) {
- if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) {
- if (earlyNow < atTime)
- earlyNow = atTime;
- if (lateNow > atTime)
- lateNow = atTime;
- }
- }
-
- if (lateNow < earlyNow)
- printf("Impossible time constraints: %ld <= %ld\n",
- earlyNow / 1000000, lateNow / 1000000);
- atTime = earlyNow / 2 + lateNow / 2;
/* Verify the signature */
result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo,
--
2.13.4


@ -0,0 +1,47 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 29 Aug 2022 15:22:10 -0400
Subject: [PATCH] read_password(): only prune CR/NL from the end of the file
Right now, when we read the password/PIN from a file, we're pruning the
end of the string from the file we read indiscriminately. If you don't
have a newline, that means we're cutting off the final digits of the
text.
This changes it to prune only common special characters from the
pinfile, but also to prune /all/ of them.
Related: rhbz#2122777
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/password.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/password.c b/src/password.c
index 8eb1c33..ac1866e 100644
--- a/src/password.c
+++ b/src/password.c
@@ -79,6 +79,7 @@ read_password(FILE *in, FILE *out, char *buf, size_t bufsz)
int infd = fileno(in);
struct termios tio;
char *ret;
+ int len;
ingress();
ret = fgets(buf, bufsz, in);
@@ -96,7 +97,14 @@ read_password(FILE *in, FILE *out, char *buf, size_t bufsz)
if (ret == NULL)
return -1;
- buf[strlen(buf)-1] = '\0';
+ len = strlen(buf);
+ while (len > 0 && (buf[len-1] == '\r' || buf[len-1] == '\n')) {
+ buf[len-1] = '\0';
+ len--;
+ }
+ if (len == 0)
+ return -1;
+
egress();
return 0;
}
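Review bot: the new "if (len == 0) return -1;" in read_password() makes a line that contains only CR/LF a hard failure, which is a behaviour change the commit message does not mention, and it returns without reaching egress(). If rejecting an empty password or PIN is intended, say so in the message and keep the ingress()/egress() pairing balanced on that path. Also, len is declared int but receives the size_t result of strlen(); size_t would match bufsz and avoid the implicit narrowing.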


@ -1,419 +0,0 @@
From 81583146602bba96728fa7544c8e856b32c22ee4 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 25 Apr 2017 17:01:13 -0400
Subject: [PATCH 20/29] try to say why something fails
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/certdb.c | 15 ++-
src/certdb.h | 2 +-
src/pesigcheck.c | 244 ++++++++++++++++++++++++++++++++++++++++++-----
src/pesigcheck_context.h | 1 +
4 files changed, 233 insertions(+), 29 deletions(-)
diff --git a/src/certdb.c b/src/certdb.c
index 1078a8a..fae80af 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -205,7 +205,7 @@ typedef db_status (*checkfn)(pesigcheck_context *ctx, SECItem *sig,
static db_status
check_db(db_specifier which, pesigcheck_context *ctx, checkfn check,
- void *data, ssize_t datalen)
+ void *data, ssize_t datalen, SECItem *match)
{
SECItem pkcs7sig, sig;
dblist *dbl = which == DB ? ctx->db : ctx->dbx;
@@ -241,8 +241,12 @@ check_db(db_specifier which, pesigcheck_context *ctx, checkfn check,
found = check(ctx, &sig,
&certlist->SignatureType,
&pkcs7sig);
- if (found == FOUND)
+ if (found == FOUND) {
+ if (match)
+ memcpy(match, &sig,
+ sizeof(sig));
return FOUND;
+ }
cert = (EFI_SIGNATURE_DATA *)((uint8_t *)cert +
certlist->SignatureSize);
}
@@ -280,7 +284,7 @@ check_hash(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
db_status
check_db_hash(db_specifier which, pesigcheck_context *ctx)
{
- return check_db(which, ctx, check_hash, NULL, 0);
+ return check_db(which, ctx, check_hash, NULL, 0, NULL);
}
static void
@@ -459,7 +463,8 @@ out:
}
db_status
-check_db_cert(db_specifier which, pesigcheck_context *ctx, void *data, ssize_t datalen)
+check_db_cert(db_specifier which, pesigcheck_context *ctx,
+ void *data, ssize_t datalen, SECItem *match)
{
- return check_db(which, ctx, check_cert, data, datalen);
+ return check_db(which, ctx, check_cert, data, datalen, match);
}
diff --git a/src/certdb.h b/src/certdb.h
index ccf3c87..8402299 100644
--- a/src/certdb.h
+++ b/src/certdb.h
@@ -43,7 +43,7 @@ typedef struct {
extern db_status check_db_hash(db_specifier which, pesigcheck_context *ctx);
extern db_status check_db_cert(db_specifier which, pesigcheck_context *ctx,
- void *data, ssize_t datalen);
+ void *data, ssize_t datalen, SECItem *match);
extern void init_cert_db(pesigcheck_context *ctx, int use_system_dbs);
extern int add_cert_db(pesigcheck_context *ctx, const char *filename);
diff --git a/src/pesigcheck.c b/src/pesigcheck.c
index d7be542..c8e1086 100644
--- a/src/pesigcheck.c
+++ b/src/pesigcheck.c
@@ -17,7 +17,9 @@
* Author(s): Peter Jones <pjones@redhat.com>
*/
+#include <err.h>
#include <fcntl.h>
+#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -88,7 +90,8 @@ check_inputs(pesigcheck_context *ctx)
}
static int
-cert_matches_digest(pesigcheck_context *ctx, void *data, ssize_t datalen)
+cert_matches_digest(pesigcheck_context *ctx, void *data, ssize_t datalen,
+ SECItem *digest_out)
{
SECItem sig, *pe_digest, *content;
uint8_t *digest;
@@ -109,6 +112,12 @@ cert_matches_digest(pesigcheck_context *ctx, void *data, ssize_t datalen)
pe_digest = ctx->cms_ctx->digests[0].pe_digest;
content = cinfo->content.signedData->contentInfo.content.data;
digest = content->data + content->len - pe_digest->len;
+ if (digest_out) {
+ digest_out->data = malloc(pe_digest->len);
+ digest_out->len = pe_digest->len;
+ digest_out->type = pe_digest->type;
+ memcpy(digest_out->data, digest, pe_digest->len);
+ }
if (memcmp(pe_digest->data, digest, pe_digest->len) != 0)
goto out;
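Review bot: in the new "if (digest_out)" block of cert_matches_digest(), the result of malloc(pe_digest->len) is used by memcpy() without a NULL check, so an allocation failure becomes a NULL dereference in the verification path. Check the return value and fail the comparison (goto out) when it is NULL. Ownership of digest_out->data also needs to be stated: nothing visible in this patch frees it, and check_signature() later releases only the reasons array itself.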
@@ -120,22 +129,149 @@ out:
return ret;
}
+struct reason {
+ enum {
+ WHITELISTED = 0,
+ INVALID = 1,
+ BLACKLISTED = 2,
+ NO_WHITELIST = 3,
+ } reason;
+ enum {
+ NONE = 0,
+ DIGEST = 1,
+ SIGNATURE = 2,
+ } type;
+ union {
+ struct {
+ SECItem digest;
+ };
+ struct {
+ SECItem sig;
+ SECItem db_cert;
+ };
+ };
+};
+
+static void
+print_digest(SECItem *digest)
+{
+ char buf[digest->len * 2 + 2];
+
+ for (unsigned int i = 0; i < digest->len; i++)
+ snprintf(buf + i * 2, digest->len * 2, "%02x",
+ digest->data[i]);
+ buf[digest->len * 2] = '\0';
+ printf("%s\n", buf);
+}
+
+static void
+print_certificate(SECItem *cert)
+{
+ printf("put a breakpoint at %s:%d\n", __FILE__, __LINE__);
+ printf("cert: %p\n", cert);
+}
+
+static void
+print_signatures(SECItem *database_cert, SECItem *signature)
+{
+ printf("put a breakpoint at %s:%d\n", __FILE__, __LINE__);
+ print_certificate(database_cert);
+ print_certificate(signature);
+}
+
+static void
+print_reason(struct reason *reason)
+{
+ switch (reason->reason) {
+ case WHITELISTED:
+ printf("Whitelist entry: ");
+ if (reason->type == DIGEST)
+ print_digest(&reason->digest);
+ else if (reason->type == SIGNATURE)
+ print_signatures(&reason->sig, &reason->db_cert);
+ else
+ errx(1, "Unknown data type %d\n", reason->type);
+ break;
+ case INVALID:
+ if (reason->type == DIGEST) {
+ printf("Invalid digest: ");
+ print_digest(&reason->digest);
+ } else if (reason->type == SIGNATURE) {
+ printf("Invalid signature: ");
+ print_signatures(&reason->sig, &reason->db_cert);
+ } else {
+ errx(1, "Unknown data type %d\n", reason->type);
+ }
+ break;
+ case BLACKLISTED:
+ if (reason->type == DIGEST) {
+ printf("Invalid digest: ");
+ print_digest(&reason->digest);
+ } else if (reason->type == SIGNATURE) {
+ printf("Invalid signature: ");
+ print_signatures(&reason->sig, &reason->db_cert);
+ } else {
+ errx(1, "Unknown data type %d\n", reason->type);
+ }
+ break;
+ case NO_WHITELIST:
+ if (reason->type == NONE)
+ printf("No matching whitelist entry.\n");
+ else
+ errx(1, "Invalid data type %d\n", reason->type);
+ break;
+ default:
+ errx(1, "Unknown reason type %d\n", reason->reason);
+ break;
+ }
+}
+
+static void
+get_digest(pesigcheck_context *ctx, SECItem *digest)
+{
+ struct cms_context *cms = ctx->cms_ctx;
+ struct digest *cms_digest = &cms->digests[cms->selected_digest];
+
+ memcpy(digest, cms_digest->pe_digest, sizeof (*digest));
+}
+
static int
-check_signature(pesigcheck_context *ctx)
+check_signature(pesigcheck_context *ctx, int *nreasons,
+ struct reason **reasons)
{
- int has_valid_cert = 0;
- int has_invalid_cert = 0;
+ bool has_valid_cert = false;
+ bool is_invalid = false;
+ struct reason *reasonps = NULL, *reason;
+ int num_reasons = 16;
+ int nreason = 0;
int rc = 0;
+ int ret = -1;
cert_iter iter;
+ reasonps = calloc(sizeof(struct reason), 512);
+ if (!reasonps)
+ err(1, "check_signature");
+
generate_digest(ctx->cms_ctx, ctx->inpe, 1);
- if (check_db_hash(DBX, ctx) == FOUND)
- return -1;
+ if (check_db_hash(DBX, ctx) == FOUND) {
+ reason = &reasonps[nreason];
+ reason->reason = BLACKLISTED;
+ reason->type = DIGEST;
+ get_digest(ctx, &reason->digest);
+ reason += 1;
+ is_invalid = true;
+ }
- if (check_db_hash(DB, ctx) == FOUND)
- has_valid_cert = 1;
+ if (check_db_hash(DB, ctx) == FOUND) {
+ reason = &reasonps[nreason];
+ reason->reason = WHITELISTED;
+ reason->type = DIGEST;
+ get_digest(ctx, &reason->digest);
+ nreason += 1;
+ has_valid_cert = true;
+ }
rc = cert_iter_init(&iter, ctx->inpe);
if (rc < 0)
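Review bot: in check_signature(), the DBX hash branch advances the wrong variable: it does "reason += 1;" where the DB branch right below does "nreason += 1;". Because nreason stays at 0, the BLACKLISTED entry is not counted and its slot is reused by the next reason recorded, so the verbose output never reports that the binary's hash is in dbx (the verdict is unaffected because is_invalid is still set). Change it to "nreason += 1;". Two smaller points in the same hunk: the initial allocation is calloc(sizeof(struct reason), 512) while num_reasons is initialised to 16, so the bookkeeping does not describe the real buffer, and print_reason() prints "Invalid digest"/"Invalid signature" for BLACKLISTED exactly as for INVALID, which hides the distinction this patch is meant to expose. print_signatures() is declared as (database_cert, signature) but is called with (&reason->sig, &reason->db_cert).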
@@ -145,32 +281,81 @@ check_signature(pesigcheck_context *ctx)
ssize_t datalen;
while (1) {
+ /*
+ * Make sure we always have enough for this iteration of the
+ * loop, plus one "NO_WHITELIST" entry at the end.
+ */
+ if (nreason >= num_reasons - 4) {
+ struct reason *new_reasons;
+
+ num_reasons += 16;
+
+ new_reasons = calloc(sizeof(struct reason), num_reasons);
+ if (!new_reasons)
+ err(1, "check_signature");
+ reasonps = new_reasons;
+ }
+
rc = next_cert(&iter, &data, &datalen);
if (rc <= 0)
break;
- if (cert_matches_digest(ctx, data, datalen) < 0) {
- has_invalid_cert = 1;
- break;
+ reason = &reasonps[nreason];
+ if (cert_matches_digest(ctx, data, datalen,
+ &reason->digest) < 0) {
+ reason->reason = INVALID;
+ reason->type = DIGEST;
+ nreason += 1;
+ is_invalid = true;
}
- if (check_db_cert(DBX, ctx, data, datalen) == FOUND) {
- has_invalid_cert = 1;
- break;
+ reason = &reasonps[nreason];
+ if (check_db_cert(DBX, ctx, data, datalen,
+ &reason->db_cert) == FOUND) {
+ reason->reason = INVALID;
+ reason->type = SIGNATURE;
+ reason->sig.data = data;
+ reason->sig.len = datalen;
+ reason->type = siBuffer;
+ nreason += 1;
+ is_invalid = true;
}
- if (check_db_cert(DB, ctx, data, datalen) == FOUND)
- has_valid_cert = 1;
+ reason = &reasonps[nreason];
+ if (check_db_cert(DB, ctx, data, datalen,
+ &reason->db_cert) == FOUND) {
+ reason->reason = WHITELISTED;
+ reason->type = SIGNATURE;
+ reason->sig.data = data;
+ reason->sig.len = datalen;
+ reason->type = siBuffer;
+ nreason += 1;
+ has_valid_cert = true;
+ }
}
err:
- if (has_invalid_cert)
- return -1;
+ if (has_valid_cert != true) {
+ if (is_invalid != true) {
+ reason = &reasonps[nreason];
+ reason->reason = NO_WHITELIST;
+ reason->type = NONE;
+ nreason += 1;
+ }
+ is_invalid = true;
+ }
- if (has_valid_cert)
- return 0;
+ if (is_invalid == false)
+ ret = 0;
- return -1;
+ if (nreasons && reasons) {
+ *nreasons = nreason;
+ *reasons = reasonps;
+ } else {
+ free(reasonps);
+ }
+
+ return ret;
}
void
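Review bot: the growth path at the top of the while (1) loop replaces the array instead of growing it: "new_reasons = calloc(sizeof(struct reason), num_reasons); ... reasonps = new_reasons;" discards every reason recorded so far and leaks the old buffer, while nreason keeps its old value. Use realloc() (zeroing the new tail) or copy the existing entries and free the old array. In the two SIGNATURE branches, "reason->type = siBuffer;" overwrites the "reason->type = SIGNATURE;" set three lines earlier; this was presumably meant to be "reason->sig.type = siBuffer;", and as written print_reason() will see whatever integer siBuffer happens to be. Note also that removing the two "break" statements means the loop now continues past an invalid or revoked certificate, which is fine for collecting reasons but should be called out in the commit message since it changes how much work is done on untrusted input.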
@@ -204,6 +389,9 @@ main(int argc, char *argv[])
pesigcheck_context ctx, *ctxp = &ctx;
+ struct reason *reasons = NULL;
+ int nreasons = 0;
+
char *dbfile = NULL;
char *dbxfile = NULL;
char *certfile = NULL;
@@ -242,6 +430,12 @@ main(int argc, char *argv[])
.arg = &ctx.quiet,
.val = 1,
.descrip = "return only; no text output." },
+ {.longName = "verbose",
+ .shortName = 'v',
+ .argInfo = POPT_BIT_SET,
+ .arg = &ctx.verbose,
+ .val = 1,
+ .descrip = "print reasons for success and failure." },
{.longName = "no-system-db",
.shortName = 'n',
.argInfo = POPT_ARG_INT,
@@ -308,12 +502,16 @@ main(int argc, char *argv[])
exit(1);
}
- rc = check_signature(ctxp);
+ rc = check_signature(ctxp, &nreasons, &reasons);
- close_input(ctxp);
+ if (!ctx.quiet && ctx.verbose) {
+ for (int i = 0; i < nreasons; i++)
+ print_reason(&reasons[i]);
+ }
if (!ctx.quiet)
printf("pesigcheck: \"%s\" is %s.\n", ctx.infile,
rc >= 0 ? "valid" : "invalid");
+ close_input(ctxp);
pesigcheck_context_fini(&ctx);
NSS_Shutdown();
diff --git a/src/pesigcheck_context.h b/src/pesigcheck_context.h
index 7b5cc89..aec415e 100644
--- a/src/pesigcheck_context.h
+++ b/src/pesigcheck_context.h
@@ -61,6 +61,7 @@ typedef struct pesigcheck_context {
Pe *inpe;
int quiet;
+ int verbose;
hashlist *hashes;
--
2.13.4


@ -1,34 +0,0 @@
From a40c584691ae071e93e8adf4e5c05bcd90c68159 Mon Sep 17 00:00:00 2001
From: Julien Cristau <jcristau@debian.org>
Date: Sat, 6 May 2017 22:45:34 +0200
Subject: [PATCH 21/29] Fix race condition in SEC_GetPassword
A side effect of echoOff is to discard unread input, so if we print the
prompt before echoOff, the user (or process) at the other end might
react to it by writing the password in between those steps, which is
then discarded. This bit me when trying to drive pesign with an expect
script.
Signed-off-by: Julien Cristau <jcristau@debian.org>
---
src/password.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/password.c b/src/password.c
index cd1c07e..d4eae0d 100644
--- a/src/password.c
+++ b/src/password.c
@@ -71,9 +71,9 @@ static char *SEC_GetPassword(FILE *input, FILE *output, char *prompt,
for (;;) {
/* Prompt for password */
if (isTTY) {
+ echoOff(infd);
fprintf(output, "%s", prompt);
fflush (output);
- echoOff(infd);
}
fgets ( phrase, sizeof(phrase), input);
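Review bot: the reordering inside the isTTY branch is correct, but the code gives no hint of why echoOff(infd) has to come before the prompt, so a later cleanup could easily swap the lines back. Add a one-line comment above echoOff() saying that it discards unread input and therefore must run before anything prompts the peer to start typing. The explanation in the commit message is good; it just needs to live next to the code as well.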
--
2.13.4


@ -0,0 +1,276 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 29 Aug 2022 16:22:18 -0400
Subject: [PATCH] Revert "cms: store digest as pointer instead of index"
In 926782c216532a83f9ff864dee39d2349d61fd23, we switched
cms->selected_digest to be a pointer to the member of the digests array
rather than an index. Unfortunately this is just as bad, because the
bugs that come up wind up setting pointers to NULL+(selected*offset),
i.e. 0x10, and that doesn't get us any closer to actually finding any
problem.
For now, the new approach is going to be to make it an index again, but
to default it to 0 (sha256) rather than -1, so if it isn't set at the
correct part of the lifecycle it'll just default to the (nearly always)
correct choice.
This reverts commit 926782c216532a83f9ff864dee39d2349d61fd23.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/certdb.c | 15 +++++++--------
src/cms_common.c | 34 ++++++++++++++++++++++++----------
src/content_info.c | 4 ++--
src/file_kmod.c | 2 +-
src/file_pe.c | 9 ++++-----
src/pesigcheck.c | 4 +++-
src/cms_common.h | 13 +------------
7 files changed, 42 insertions(+), 39 deletions(-)
diff --git a/src/certdb.c b/src/certdb.c
index f512824..69d5daf 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -263,19 +263,18 @@ check_hash(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
{
efi_guid_t efi_sha256 = efi_guid_sha256;
efi_guid_t efi_sha1 = efi_guid_sha1;
- void *digest_data;
- struct digest *digests = ctx->cms_ctx->digests;
+ void *digest;
if (memcmp(sigtype, &efi_sha256, sizeof(efi_guid_t)) == 0) {
- digest_data = digests[0].pe_digest->data;
- if (memcmp (digest_data, sig->data, 32) == 0) {
- ctx->cms_ctx->selected_digest = &digests[0];
+ digest = ctx->cms_ctx->digests[0].pe_digest->data;
+ if (memcmp (digest, sig->data, 32) == 0) {
+ ctx->cms_ctx->selected_digest = 0;
return FOUND;
}
} else if (memcmp(sigtype, &efi_sha1, sizeof(efi_guid_t)) == 0) {
- digest_data = digests[1].pe_digest->data;
- if (memcmp (digest_data, sig->data, 20) == 0) {
- ctx->cms_ctx->selected_digest = &digests[1];
+ digest = ctx->cms_ctx->digests[1].pe_digest->data;
+ if (memcmp (digest, sig->data, 20) == 0) {
+ ctx->cms_ctx->selected_digest = 1;
return FOUND;
}
}
diff --git a/src/cms_common.c b/src/cms_common.c
index 2275f67..86341ca 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -33,6 +33,15 @@
#include "hex.h"
+struct digest_param {
+ char *name;
+ SECOidTag digest_tag;
+ SECOidTag signature_tag;
+ SECOidTag digest_encryption_tag;
+ const efi_guid_t *efi_guid;
+ int size;
+};
+
static struct digest_param digest_params[] = {
{.name = "sha256",
.digest_tag = SEC_OID_SHA256,
@@ -56,25 +65,29 @@ static int n_digest_params = sizeof (digest_params) / sizeof (digest_params[0]);
SECOidTag
digest_get_digest_oid(cms_context *cms)
{
- return cms->selected_digest->digest_params->digest_tag;
+ int i = cms->selected_digest;
+ return digest_params[i].digest_tag;
}
SECOidTag
digest_get_encryption_oid(cms_context *cms)
{
- return cms->selected_digest->digest_params->digest_encryption_tag;
+ int i = cms->selected_digest;
+ return digest_params[i].digest_encryption_tag;
}
SECOidTag
digest_get_signature_oid(cms_context *cms)
{
- return cms->selected_digest->digest_params->signature_tag;
+ int i = cms->selected_digest;
+ return digest_params[i].signature_tag;
}
int
digest_get_digest_size(cms_context *cms)
{
- return cms->selected_digest->digest_params->size;
+ int i = cms->selected_digest;
+ return digest_params[i].size;
}
void
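Review bot: the four digest_get_*() accessors now index digest_params[] directly with cms->selected_digest and do no range check, while cms_context_init() and cms_context_fini() in this same patch set that field to -1. Any call that happens before set_digest_parameters() or check_hash() has chosen a digest therefore reads digest_params[-1], and generate_signature() does the same with cms->digests[-1]. The commit message says the index should default to 0 (sha256) rather than -1, but the hunks do not do that; either initialise to 0 here as described, or have the accessors validate "i >= 0 && i < n_digest_params" and return an error.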
@@ -129,6 +142,8 @@ cms_context_init(cms_context *cms)
if (!cms->arena)
cnreterr(-1, cms, "could not create cryptographic arena");
+ cms->selected_digest = -1;
+
INIT_LIST_HEAD(&cms->pk12_ins);
cms->pk12_out.fd = -1;
cms->db_out = cms->dbx_out = cms->dbt_out = -1;
@@ -211,7 +226,7 @@ cms_context_fini(cms_context *cms)
memset(&cms->newsig, '\0', sizeof (cms->newsig));
}
- cms->selected_digest = NULL;
+ cms->selected_digest = -1;
if (cms->ci_digest) {
free_poison(cms->ci_digest->data, cms->ci_digest->len);
@@ -336,7 +351,7 @@ set_digest_parameters(cms_context *cms, char *name)
if (strcmp(name, "help")) {
for (int i = 0; i < n_digest_params; i++) {
if (!strcmp(name, digest_params[i].name)) {
- cms->selected_digest = &cms->digests[i];
+ cms->selected_digest = i;
return 0;
}
}
@@ -1264,7 +1279,6 @@ generate_digest_begin(cms_context *cms)
cngotoerr(err, cms, "could not create digest context");
PK11_DigestBegin(digests[i].pk11ctx);
- digests[i].digest_params = &digest_params[i];
}
cms->digests = digests;
@@ -1337,11 +1351,11 @@ generate_signature(cms_context *cms)
{
int rc = 0;
- if (cms->selected_digest->pe_digest == NULL)
+ if (cms->digests[cms->selected_digest].pe_digest == NULL)
cnreterr(-1, cms, "PE digest has not been allocated");
- if (content_is_empty(cms->selected_digest->pe_digest->data,
- cms->selected_digest->pe_digest->len))
+ if (content_is_empty(cms->digests[cms->selected_digest].pe_digest->data,
+ cms->digests[cms->selected_digest].pe_digest->len))
cnreterr(-1, cms, "PE binary has not been digested");
SECItem sd_der;
diff --git a/src/content_info.c b/src/content_info.c
index 777aa28..9684850 100644
--- a/src/content_info.c
+++ b/src/content_info.c
@@ -181,8 +181,8 @@ generate_spc_digest_info(cms_context *cms, SECItem *dip)
if (generate_algorithm_id(cms, &di.digestAlgorithm,
digest_get_digest_oid(cms)) < 0)
return -1;
- memcpy(&di.digest, cms->selected_digest->pe_digest,
- sizeof(di.digest));
+ int i = cms->selected_digest;
+ memcpy(&di.digest, cms->digests[i].pe_digest, sizeof (di.digest));
if (content_is_empty(di.digest.data, di.digest.len)) {
cms->log(cms, LOG_ERR, "got empty digest");
diff --git a/src/file_kmod.c b/src/file_kmod.c
index c8875fc..6880cda 100644
--- a/src/file_kmod.c
+++ b/src/file_kmod.c
@@ -60,7 +60,7 @@ ssize_t
kmod_write_signature(cms_context *cms, int outfd)
{
SEC_PKCS7ContentInfo *cinfo;
- SECItem *digest = cms->selected_digest->pe_digest;
+ SECItem *digest = cms->digests[cms->selected_digest].pe_digest;
SECStatus rv;
struct write_sig_info info = {
.outfd = outfd,
diff --git a/src/file_pe.c b/src/file_pe.c
index c22b2af..805e614 100644
--- a/src/file_pe.c
+++ b/src/file_pe.c
@@ -114,8 +114,6 @@ check_inputs(pesign_context *ctx)
static void
print_digest(pesign_context *pctx)
{
- unsigned int i;
-
if (!pctx)
return;
@@ -123,9 +121,10 @@ print_digest(pesign_context *pctx)
if (!ctx)
return;
- unsigned char *ddata = ctx->selected_digest->pe_digest->data;
- for (i = 0; i < ctx->selected_digest->pe_digest->len; i++)
- printf("%02x", ddata[i]);
+ int j = ctx->selected_digest;
+ for (unsigned int i = 0; i < ctx->digests[j].pe_digest->len; i++)
+ printf("%02x",
+ (unsigned char)ctx->digests[j].pe_digest->data[i]);
printf(" %s\n", pctx->infile);
}
diff --git a/src/pesigcheck.c b/src/pesigcheck.c
index ebb404d..6dc67f7 100644
--- a/src/pesigcheck.c
+++ b/src/pesigcheck.c
@@ -221,7 +221,9 @@ static void
get_digest(pesigcheck_context *ctx, SECItem *digest)
{
struct cms_context *cms = ctx->cms_ctx;
- memcpy(digest, cms->selected_digest->pe_digest, sizeof(*digest));
+ struct digest *cms_digest = &cms->digests[cms->selected_digest];
+
+ memcpy(digest, cms_digest->pe_digest, sizeof (*digest));
}
static int
diff --git a/src/cms_common.h b/src/cms_common.h
index c7d4f69..c7acbcf 100644
--- a/src/cms_common.h
+++ b/src/cms_common.h
@@ -12,7 +12,6 @@
#include <secpkcs7.h>
#include <errno.h>
-#include <efivar.h>
#include <signal.h>
#include <stdarg.h>
#include <sys/types.h>
@@ -58,19 +57,9 @@
goto errlabel; \
})
-struct digest_param {
- char *name;
- SECOidTag digest_tag;
- SECOidTag signature_tag;
- SECOidTag digest_encryption_tag;
- const efi_guid_t *efi_guid;
- int size;
-};
-
struct digest {
PK11Context *pk11ctx;
SECItem *pe_digest;
- struct digest_param *digest_params;
};
typedef struct pk12_file {
@@ -144,7 +133,7 @@ typedef struct cms_context {
int db_out, dbx_out, dbt_out;
struct digest *digests;
- struct digest *selected_digest;
+ int selected_digest;
int omit_vendor_cert;
SECItem newsig;


@ -0,0 +1,149 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 29 Aug 2022 17:02:46 -0400
Subject: [PATCH] CMS: add some minor cleanups
We reverted 926782c216532a83f9ff864dee39d2349d61fd23 so that a future
patch can try a different approach, but that commit also had a few
cleanups that are worthwhile on their own.
This patch re-introduces the cleanup to move "struct digest_param" to a
more reasonable place and the cleanup to check_hash(), and takes it just
a bit farther.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/certdb.c | 26 +++++++++++++++-----------
src/cms_common.c | 39 ++++++++++++++++-----------------------
src/cms_common.h | 16 ++++++++++++++++
3 files changed, 47 insertions(+), 34 deletions(-)
diff --git a/src/certdb.c b/src/certdb.c
index 69d5daf..eb5221f 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -263,20 +263,24 @@ check_hash(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
{
efi_guid_t efi_sha256 = efi_guid_sha256;
efi_guid_t efi_sha1 = efi_guid_sha1;
- void *digest;
+ void *digest_data;
+ struct digest *digests = ctx->cms_ctx->digests;
+ int selected_digest = -1;
+ size_t size;
if (memcmp(sigtype, &efi_sha256, sizeof(efi_guid_t)) == 0) {
- digest = ctx->cms_ctx->digests[0].pe_digest->data;
- if (memcmp (digest, sig->data, 32) == 0) {
- ctx->cms_ctx->selected_digest = 0;
- return FOUND;
- }
+ selected_digest = DIGEST_PARAM_SHA256;
} else if (memcmp(sigtype, &efi_sha1, sizeof(efi_guid_t)) == 0) {
- digest = ctx->cms_ctx->digests[1].pe_digest->data;
- if (memcmp (digest, sig->data, 20) == 0) {
- ctx->cms_ctx->selected_digest = 1;
- return FOUND;
- }
+ selected_digest = DIGEST_PARAM_SHA1;
+ } else {
+ return NOT_FOUND;
+ }
+
+ digest_data = digests[selected_digest].pe_digest->data;
+ size = digest_params[selected_digest].size;
+ if (memcmp (digest_data, sig->data, size) == 0) {
+ ctx->cms_ctx->selected_digest = selected_digest;
+ return FOUND;
}
return NOT_FOUND;
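Review bot: the consolidated comparison "memcmp (digest_data, sig->data, size)" in check_hash() reads size bytes from sig->data, but nothing in this hunk confirms that sig->len is at least size, and sig comes from a signature database entry. Since the function is being restructured anyway, add "if (sig->len < size) return NOT_FOUND;" before the memcmp, and check digests[selected_digest].pe_digest for NULL before dereferencing it. Using digest_params[selected_digest].size instead of the literal 32 and 20 is a good change.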
diff --git a/src/cms_common.c b/src/cms_common.c
index 86341ca..7bddedf 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -33,34 +33,27 @@
#include "hex.h"
-struct digest_param {
- char *name;
- SECOidTag digest_tag;
- SECOidTag signature_tag;
- SECOidTag digest_encryption_tag;
- const efi_guid_t *efi_guid;
- int size;
-};
-
-static struct digest_param digest_params[] = {
- {.name = "sha256",
- .digest_tag = SEC_OID_SHA256,
- .signature_tag = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION,
- .digest_encryption_tag = SEC_OID_PKCS1_RSA_ENCRYPTION,
- .efi_guid = &efi_guid_sha256,
- .size = 32
+const struct digest_param digest_params[] = {
+ [DIGEST_PARAM_SHA256] = {
+ .name = "sha256",
+ .digest_tag = SEC_OID_SHA256,
+ .signature_tag = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION,
+ .digest_encryption_tag = SEC_OID_PKCS1_RSA_ENCRYPTION,
+ .efi_guid = &efi_guid_sha256,
+ .size = 32
},
#if 1
- {.name = "sha1",
- .digest_tag = SEC_OID_SHA1,
- .signature_tag = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION,
- .digest_encryption_tag = SEC_OID_PKCS1_RSA_ENCRYPTION,
- .efi_guid = &efi_guid_sha1,
- .size = 20
+ [DIGEST_PARAM_SHA1] = {
+ .name = "sha1",
+ .digest_tag = SEC_OID_SHA1,
+ .signature_tag = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION,
+ .digest_encryption_tag = SEC_OID_PKCS1_RSA_ENCRYPTION,
+ .efi_guid = &efi_guid_sha1,
+ .size = 20
},
#endif
};
-static int n_digest_params = sizeof (digest_params) / sizeof (digest_params[0]);
+const int n_digest_params = sizeof (digest_params) / sizeof (digest_params[0]);
SECOidTag
digest_get_digest_oid(cms_context *cms)
diff --git a/src/cms_common.h b/src/cms_common.h
index c7acbcf..e45402c 100644
--- a/src/cms_common.h
+++ b/src/cms_common.h
@@ -12,6 +12,7 @@
#include <secpkcs7.h>
#include <errno.h>
+#include <efivar.h>
#include <signal.h>
#include <stdarg.h>
#include <sys/types.h>
@@ -62,6 +63,21 @@ struct digest {
SECItem *pe_digest;
};
+#define DIGEST_PARAM_SHA256 0
+#define DIGEST_PARAM_SHA1 1
+
+struct digest_param {
+ char *name;
+ SECOidTag digest_tag;
+ SECOidTag signature_tag;
+ SECOidTag digest_encryption_tag;
+ const efi_guid_t *efi_guid;
+ int size;
+};
+
+extern const struct digest_param digest_params[2];
+extern const int n_digest_params;
+
typedef struct pk12_file {
char *path;
int fd;
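Review bot: "extern const struct digest_param digest_params[2];" hardcodes the array length in the header, while the definition in cms_common.c is sized by its initialisers and still wraps the sha1 entry in "#if 1". If that entry is ever compiled out or a third digest is added, the declaration and definition disagree. Define a DIGEST_PARAM_MAX (or an enum with a trailing count) next to DIGEST_PARAM_SHA256 and DIGEST_PARAM_SHA1 and use it for both the extern declaration and the definition, so the size lives in one place and index checks can use the same constant.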


@ -1,27 +0,0 @@
From 27afa5a4ea8de1679603f5871935096280d0b12e Mon Sep 17 00:00:00 2001
From: David Michael <david.michael@coreos.com>
Date: Tue, 13 Jun 2017 13:20:16 -0700
Subject: [PATCH 22/29] sysvinit: Create the socket directory at runtime
This better supports non-systemd configurations with tmpfs on /run.
---
src/pesign.sysvinit.in | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in
index d8fffca..dc508d8 100644
--- a/src/pesign.sysvinit.in
+++ b/src/pesign.sysvinit.in
@@ -20,6 +20,9 @@ RETVAL=0
start(){
echo -n "Starting pesign: "
+ mkdir /var/run/pesign 2>/dev/null &&
+ chown pesign:pesign /var/run/pesign &&
+ chmod 0770 /var/run/pesign
daemon /usr/bin/pesign --daemonize
RETVAL=$?
echo
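Review bot: the three added lines in start() are chained with "&&" after "mkdir /var/run/pesign 2>/dev/null", so when the directory already exists mkdir fails and the chown and chmod never run. A directory left behind with the wrong owner or a looser mode is then used for the signing socket as is. Run the ownership and mode fix unconditionally, or create the directory in one step with "install -d -m 0770 -o pesign -g pesign /var/run/pesign", which also avoids the short window where the directory exists with umask-default permissions before chmod is applied.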
--
2.13.4


@ -1,217 +0,0 @@
From 31560e2784722b986b8a73cc28e3510870180b07 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 8 Aug 2017 15:44:44 -0400
Subject: [PATCH 23/29] Better authorization scripts. Again.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/Makefile | 12 ++++++----
src/pesign-authorize | 56 +++++++++++++++++++++++++++++++++++++++++++++
src/pesign-authorize-groups | 30 ------------------------
src/pesign-authorize-users | 30 ------------------------
src/pesign.service.in | 3 +--
src/pesign.sysvinit.in | 3 +--
6 files changed, 65 insertions(+), 69 deletions(-)
create mode 100755 src/pesign-authorize
delete mode 100644 src/pesign-authorize-groups
delete mode 100644 src/pesign-authorize-users
diff --git a/src/Makefile b/src/Makefile
index 654b792..84ad130 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -7,7 +7,7 @@ include $(TOPDIR)/Make.defaults
BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign
SVCTARGETS=pesign.sysvinit pesign.service
-TARGETS=$(BINTARGETS) $(SVCTARGETS)
+TARGETS=$(BINTARGETS) $(SVCTARGETS) pesign-users pesign-groups
all : deps $(TARGETS)
@@ -65,6 +65,9 @@ install_sysvinit: pesign.sysvinit
$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rc.d/init.d/
$(INSTALL) -m 755 pesign.sysvinit $(INSTALLROOT)/etc/rc.d/init.d/pesign
+pesign-users pesign-groups :
+ echo pesign > $@
+
install :
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
@@ -88,10 +91,9 @@ install :
$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rpm/
$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
- $(INSTALL) -m 750 pesign-authorize-users $(INSTALLROOT)$(libexecdir)/pesign/
- $(INSTALL) -m 750 pesign-authorize-groups $(INSTALLROOT)$(libexecdir)/pesign/
+ $(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign
- $(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/users
- $(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/groups
+ $(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users
+ $(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups
.PHONY: all deps clean install
diff --git a/src/pesign-authorize b/src/pesign-authorize
new file mode 100755
index 0000000..a496f60
--- /dev/null
+++ b/src/pesign-authorize
@@ -0,0 +1,56 @@
+#!/bin/bash
+set -e
+set -u
+
+#
+# With /run/pesign/socket on tmpfs, a simple way of restoring the
+# acls for specific users is useful
+#
+# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
+#
+
+# License: GPLv2
+declare -a fileusers=()
+declare -a dirusers=()
+for user in $(cat /etc/pesign/users); do
+ dirusers[${#dirusers[@]}]=-m
+ dirusers[${#dirusers[@]}]="u:$user:rwx"
+ fileusers[${#fileusers[@]}]=-m
+ fileusers[${#fileusers[@]}]="u:$user:rw"
+done
+
+declare -a filegroups=()
+declare -a dirgroups=()
+for group in $(cat /etc/pesign/groups); do
+ dirgroups[${#dirgroups[@]}]=-m
+ dirgroups[${#dirgroups[@]}]="g:$group:rwx"
+ filegroups[${#filegroups[@]}]=-m
+ filegroups[${#filegroups[@]}]="g:$group:rw"
+done
+
+update_subdir() {
+ subdir=$1 && shift
+
+ setfacl -bk "${subdir}"
+ setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
+ for x in "${subdir}"* ; do
+ if [ -d "${x}" ]; then
+ setfacl -bk ${x}
+ setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x}
+ update_subdir "${x}/"
+ elif [ -e "${x}" ]; then
+ setfacl -bk ${x}
+ setfacl "${fileusers[@]}" "${filegroups[@]}" ${x}
+ else
+ :;
+ fi
+ done
+}
+
+for x in /var/run/pesign/ /etc/pki/pesign*/ ; do
+ if [ -d "${x}" ]; then
+ update_subdir "${x}"
+ else
+ :;
+ fi
+done
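Review bot: `update_subdir` picks its targets with `[ -d "${x}" ]` and `[ -e "${x}" ]`, both of which follow symbolic links, and it walks /var/run/pesign/, a directory the sysvinit patch in this series makes writable by the pesign account (`chown pesign:pesign`, `chmod 0770`). Skip any entry for which `[ -L "${x}" ]` is true before either test, so ACLs are only changed on real files and directories inside the two trees. Separately, `${x}` is unquoted in the four `setfacl` calls inside the loop although it is quoted everywhere else, and the `[ -r /etc/pesign/users ]` style guard from the deleted scripts is gone, so a missing or empty list file now yields empty `-m` arrays instead of being skipped.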
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
deleted file mode 100644
index cf51fb6..0000000
--- a/src/pesign-authorize-groups
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/bash
-set -e
-
-#
-# With /run/pesign/socket on tmpfs, a simple way of restoring the
-# acls for specific groups is useful
-#
-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
-#
-
-# License: GPLv2
-
-if [ -r /etc/pesign/groups ]; then
- for group in $(cat /etc/pesign/groups); do
- if [ -d /var/run/pesign ]; then
- setfacl -m g:${group}:rx /var/run/pesign
- if [ -e /var/run/pesign/socket ]; then
- setfacl -m g:${group}:rw /var/run/pesign/socket
- fi
- fi
- for x in /etc/pki/pesign*/ ; do
- if [ -d ${x} ]; then
- setfacl -m g:${group}:rx ${x}
- for y in ${x}{cert8,key3,secmod}.db ; do
- setfacl -m g:${group}:rw ${y}
- done
- fi
- done
- done
-fi
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
deleted file mode 100644
index 940138e..0000000
--- a/src/pesign-authorize-users
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/bash
-set -e
-
-#
-# With /run/pesign/socket on tmpfs, a simple way of restoring the
-# acls for specific users is useful
-#
-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
-#
-
-# License: GPLv2
-
-if [ -r /etc/pesign/users ]; then
- for username in $(cat /etc/pesign/users); do
- if [ -d /var/run/pesign ]; then
- setfacl -m g:${username}:rx /var/run/pesign
- if [ -e /var/run/pesign/socket ]; then
- setfacl -m g:${username}:rw /var/run/pesign/socket
- fi
- fi
- for x in /etc/pki/pesign*/ ; do
- if [ -d ${x} ]; then
- setfacl -m g:${username}:rx ${x}
- for y in ${x}{cert8,key3,secmod}.db ; do
- setfacl -m g:${username}:rw ${y}
- done
- fi
- done
- done
-fi
diff --git a/src/pesign.service.in b/src/pesign.service.in
index aaa408e..c75a000 100644
--- a/src/pesign.service.in
+++ b/src/pesign.service.in
@@ -6,5 +6,4 @@ PrivateTmp=true
Type=forking
PIDFile=/var/run/pesign.pid
ExecStart=/usr/bin/pesign --daemonize
-ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-users
-ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-groups
+ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in
index dc508d8..b0e0f84 100644
--- a/src/pesign.sysvinit.in
+++ b/src/pesign.sysvinit.in
@@ -27,8 +27,7 @@ start(){
RETVAL=$?
echo
touch /var/lock/subsys/pesign
- @@LIBEXECDIR@@/pesign/pesign-authorize-users
- @@LIBEXECDIR@@/pesign/pesign-authorize-groups
+ @@LIBEXECDIR@@/pesign/pesign-authorize
}
stop(){
--
2.13.4

@ -0,0 +1,291 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 30 Aug 2022 15:42:15 -0400
Subject: [PATCH] CMS: make cms->selected_digest an index (again)
In 926782c216532a83f9ff864dee39d2349d61fd23, we switched
cms->selected_digest to be a pointer to the entry in cms->digests.
Because cms->digests is lazily allocated, setting the selected_digest
pointer has to be done at the right part of the CMS context life cycle,
and in some cases it clearly is not:
==334217== Command: ./src/pesign -n tmp -s --pinfile tmp/pinfile -t OpenSC\ Card\ (testcard) -c kernel-signer -i tmp/unsigned.efi -o tmp/signed.efi --force
==334217==
==334217== Invalid read of size 8
==334217== at 0x115E7D: digest_get_digest_oid (cms_common.c:59)
==334217== by 0x11CF41: generate_algorithm_id_list (signed_data.c:33)
==334217== by 0x11D348: generate_spc_signed_data (signed_data.c:279)
==334217== by 0x11EDFD: calculate_signature_space (wincert.c:297)
==334217== by 0x11467D: pe_handle_action (file_pe.c:298)
==334217== by 0x10F962: main (pesign.c:585)
==334217== Address 0x10 is not stack'd, malloc'd or (recently) free'd
==334217==
==334217==
==334217== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==334217== Access not within mapped region at address 0x10
==334217== at 0x115E7D: digest_get_digest_oid (cms_common.c:59)
==334217== by 0x11CF41: generate_algorithm_id_list (signed_data.c:33)
==334217== by 0x11D348: generate_spc_signed_data (signed_data.c:279)
==334217== by 0x11EDFD: calculate_signature_space (wincert.c:297)
==334217== by 0x11467D: pe_handle_action (file_pe.c:298)
==334217== by 0x10F962: main (pesign.c:585)
==334217== If you believe this happened as a result of a stack
==334217== overflow in your program's main thread (unlikely but
==334217== possible), you can try to increase the size of the
==334217== main thread stack using the --main-stacksize= flag.
==334217== The main thread stack size used in this run was 8388608.
==334217==
==334217== HEAP SUMMARY:
==334217== in use at exit: 588,544 bytes in 4,388 blocks
==334217== total heap usage: 8,568 allocs, 4,180 frees, 2,077,115 bytes allocated
==334217==
==334217== LEAK SUMMARY:
==334217== definitely lost: 25 bytes in 1 blocks
==334217== indirectly lost: 0 bytes in 0 blocks
==334217== possibly lost: 51,378 bytes in 166 blocks
==334217== still reachable: 537,141 bytes in 4,221 blocks
==334217== of which reachable via heuristic:
==334217== length64 : 321,312 bytes in 590 blocks
==334217== suppressed: 0 bytes in 0 blocks
==334217== Rerun with --leak-check=full to see details of leaked memory
==334217==
==334217== For lists of detected and suppressed errors, rerun with: -s
==334217== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)
There is also a similar issue in the daemon code, and how to fix it
there is not immediately clear to me.
Currently, we realistically only support using sha256 digests, so for
now I've chosen to paper over the issue by switching back to
cms->selected_digest be an index into both ctx->digests and
digest_params, but switching the default value from -1 to 0, aka
DIGEST_PARAM_SHA256. We can revisit this issue later whenever we add
sha384 support (or whichever other digest).
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/certdb.c | 2 +-
src/cms_common.c | 41 +++++++++++++++++++++++------------------
src/content_info.c | 2 +-
src/cms_common.h | 5 +++--
4 files changed, 28 insertions(+), 22 deletions(-)
diff --git a/src/certdb.c b/src/certdb.c
index eb5221f..467a01d 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -265,7 +265,7 @@ check_hash(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
efi_guid_t efi_sha1 = efi_guid_sha1;
void *digest_data;
struct digest *digests = ctx->cms_ctx->digests;
- int selected_digest = -1;
+ unsigned int selected_digest;
size_t size;
if (memcmp(sigtype, &efi_sha256, sizeof(efi_guid_t)) == 0) {
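Review bot: dropping the `= -1` initializer leaves `selected_digest` in `check_hash()` uninitialized, and only the first `memcmp(sigtype, &efi_sha256, ...)` branch is visible in this hunk. Unless every branch that follows either assigns it or returns, a signature type that matches no known GUID is used with an indeterminate value. Initialize it to `DEFAULT_DIGEST_PARAM`, or make the no-match path return explicitly before the variable is read.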
diff --git a/src/cms_common.c b/src/cms_common.c
index 7bddedf..1c54c90 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -33,6 +33,10 @@
#include "hex.h"
+/*
+ * Note that cms->selected_digest defaults to 0, which means the first
+ * entry of this array is the default digest.
+ */
const struct digest_param digest_params[] = {
[DIGEST_PARAM_SHA256] = {
.name = "sha256",
@@ -53,33 +57,33 @@ const struct digest_param digest_params[] = {
},
#endif
};
-const int n_digest_params = sizeof (digest_params) / sizeof (digest_params[0]);
+const unsigned int n_digest_params = sizeof (digest_params) / sizeof (digest_params[0]);
SECOidTag
digest_get_digest_oid(cms_context *cms)
{
- int i = cms->selected_digest;
+ unsigned int i = cms->selected_digest;
return digest_params[i].digest_tag;
}
SECOidTag
digest_get_encryption_oid(cms_context *cms)
{
- int i = cms->selected_digest;
+ unsigned int i = cms->selected_digest;
return digest_params[i].digest_encryption_tag;
}
SECOidTag
digest_get_signature_oid(cms_context *cms)
{
- int i = cms->selected_digest;
+ unsigned int i = cms->selected_digest;
return digest_params[i].signature_tag;
}
int
digest_get_digest_size(cms_context *cms)
{
- int i = cms->selected_digest;
+ unsigned int i = cms->selected_digest;
return digest_params[i].size;
}
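Review bot: the four `digest_get_*` accessors index `digest_params[i]` straight from `cms->selected_digest` with no range check. Making `i` unsigned removes the negative case, but these are the functions at the top of the stack trace in the commit message, so they are where a bad value faults. Add a shared `i < n_digest_params` check that returns an error or asserts, so an out-of-range selection fails cleanly instead of reading past the table.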
@@ -91,7 +95,7 @@ teardown_digests(cms_context *ctx)
if (!digests)
return;
- for (int i = 0; i < n_digest_params; i++) {
+ for (unsigned int i = 0; i < n_digest_params; i++) {
if (digests[i].pk11ctx) {
PK11_Finalize(digests[i].pk11ctx);
PK11_DestroyContext(digests[i].pk11ctx, PR_TRUE);
@@ -135,7 +139,7 @@ cms_context_init(cms_context *cms)
if (!cms->arena)
cnreterr(-1, cms, "could not create cryptographic arena");
- cms->selected_digest = -1;
+ cms->selected_digest = DEFAULT_DIGEST_PARAM;
INIT_LIST_HEAD(&cms->pk12_ins);
cms->pk12_out.fd = -1;
@@ -219,7 +223,7 @@ cms_context_fini(cms_context *cms)
memset(&cms->newsig, '\0', sizeof (cms->newsig));
}
- cms->selected_digest = -1;
+ cms->selected_digest = DEFAULT_DIGEST_PARAM;
if (cms->ci_digest) {
free_poison(cms->ci_digest->data, cms->ci_digest->len);
@@ -342,7 +346,7 @@ int
set_digest_parameters(cms_context *cms, char *name)
{
if (strcmp(name, "help")) {
- for (int i = 0; i < n_digest_params; i++) {
+ for (unsigned int i = 0; i < n_digest_params; i++) {
if (!strcmp(name, digest_params[i].name)) {
cms->selected_digest = i;
return 0;
@@ -350,7 +354,7 @@ set_digest_parameters(cms_context *cms, char *name)
}
} else {
printf("Supported digests: ");
- for (int i = 0; digest_params[i].name != NULL; i++) {
+ for (unsigned int i = 0; digest_params[i].name != NULL; i++) {
printf("%s ", digest_params[i].name);
}
printf("\n");
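Review bot: the `help` branch still terminates on `digest_params[i].name != NULL`, but the table is declared as `digest_params[2]` and the initializer shown in this patch ends at `#endif` and `};` with no NULL-named sentinel entry, so this loop reads past the last element. Use `i < n_digest_params` here, as the lookup loop above it and every other loop touched by this patch already do.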
@@ -1265,7 +1269,7 @@ generate_digest_begin(cms_context *cms)
cnreterr(-1, cms, "could not allocate digest context");
}
- for (int i = 0; i < n_digest_params; i++) {
+ for (unsigned int i = 0; i < n_digest_params; i++) {
digests[i].pk11ctx = PK11_CreateDigestContext(
digest_params[i].digest_tag);
if (!digests[i].pk11ctx)
@@ -1278,7 +1282,7 @@ generate_digest_begin(cms_context *cms)
return 0;
err:
- for (int i = 0; i < n_digest_params; i++) {
+ for (unsigned int i = 0; i < n_digest_params; i++) {
if (digests[i].pk11ctx)
PK11_DestroyContext(digests[i].pk11ctx, PR_TRUE);
}
@@ -1290,7 +1294,7 @@ err:
void
generate_digest_step(cms_context *cms, void *data, size_t len)
{
- for (int i = 0; i < n_digest_params; i++)
+ for (unsigned int i = 0; i < n_digest_params; i++)
PK11_DigestOp(cms->digests[i].pk11ctx, data, len);
}
@@ -1299,7 +1303,7 @@ generate_digest_finish(cms_context *cms)
{
void *mark = PORT_ArenaMark(cms->arena);
- for (int i = 0; i < n_digest_params; i++) {
+ for (unsigned int i = 0; i < n_digest_params; i++) {
SECItem *digest = PORT_ArenaZAlloc(cms->arena,sizeof (SECItem));
if (digest == NULL)
cngotoerr(err, cms, "could not allocate memory");
@@ -1326,7 +1330,7 @@ generate_digest_finish(cms_context *cms)
PORT_ArenaUnmark(cms->arena, mark);
return 0;
err:
- for (int i = 0; i < n_digest_params; i++) {
+ for (unsigned int i = 0; i < n_digest_params; i++) {
if (cms->digests[i].pk11ctx)
PK11_DestroyContext(cms->digests[i].pk11ctx, PR_TRUE);
}
@@ -1343,12 +1347,13 @@ int
generate_signature(cms_context *cms)
{
int rc = 0;
+ int i = cms->selected_digest;
- if (cms->digests[cms->selected_digest].pe_digest == NULL)
+ if (cms->digests[i].pe_digest == NULL)
cnreterr(-1, cms, "PE digest has not been allocated");
- if (content_is_empty(cms->digests[cms->selected_digest].pe_digest->data,
- cms->digests[cms->selected_digest].pe_digest->len))
+ if (content_is_empty(cms->digests[i].pe_digest->data,
+ cms->digests[i].pe_digest->len))
cnreterr(-1, cms, "PE binary has not been digested");
SECItem sd_der;
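Review bot: the new local in `generate_signature()` is `int i` although `selected_digest` becomes `unsigned int` everywhere else in this patch; make it `unsigned int` to match the accessors. The function also dereferences `cms->digests[i]` without checking `cms->digests`, which the commit message describes as lazily allocated, so add a NULL check on `cms->digests` ahead of the `pe_digest` test.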
diff --git a/src/content_info.c b/src/content_info.c
index 9684850..900974c 100644
--- a/src/content_info.c
+++ b/src/content_info.c
@@ -181,7 +181,7 @@ generate_spc_digest_info(cms_context *cms, SECItem *dip)
if (generate_algorithm_id(cms, &di.digestAlgorithm,
digest_get_digest_oid(cms)) < 0)
return -1;
- int i = cms->selected_digest;
+ unsigned int i = cms->selected_digest;
memcpy(&di.digest, cms->digests[i].pe_digest, sizeof (di.digest));
if (content_is_empty(di.digest.data, di.digest.len)) {
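Review bot: in `generate_spc_digest_info()` the `memcpy()` reads from `cms->digests[i].pe_digest` before anything has checked that `cms->digests` or `pe_digest` is non-NULL; the `content_is_empty()` test only runs after the copy. `generate_signature()` in cms_common.c tests `pe_digest == NULL` first, and the same guard belongs here ahead of the `memcpy()`.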
diff --git a/src/cms_common.h b/src/cms_common.h
index e45402c..35a128a 100644
--- a/src/cms_common.h
+++ b/src/cms_common.h
@@ -65,6 +65,7 @@ struct digest {
#define DIGEST_PARAM_SHA256 0
#define DIGEST_PARAM_SHA1 1
+#define DEFAULT_DIGEST_PARAM DIGEST_PARAM_SHA256
struct digest_param {
char *name;
@@ -76,7 +77,7 @@ struct digest_param {
};
extern const struct digest_param digest_params[2];
-extern const int n_digest_params;
+extern const unsigned int n_digest_params;
typedef struct pk12_file {
char *path;
@@ -149,7 +150,7 @@ typedef struct cms_context {
int db_out, dbx_out, dbt_out;
struct digest *digests;
- int selected_digest;
+ unsigned int selected_digest;
int omit_vendor_cert;
SECItem newsig;

@ -1,95 +0,0 @@
From a7b0f7e1ce2de1acea9a8c286a0ff3dd9bc245cb Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 8 Aug 2017 17:28:19 -0400
Subject: [PATCH 24/29] Make the daemon also try to give better errors on
-EPERM etc.
Basically 6796e5f but also for the daemon. This also tries to fix them
up to save errno better, for more accurate reporting.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/daemon.c | 27 +++++++++++++++++++++++++--
src/pesign.c | 8 ++++++--
2 files changed, 31 insertions(+), 4 deletions(-)
diff --git a/src/daemon.c b/src/daemon.c
index 7f694b2..942d576 100644
--- a/src/daemon.c
+++ b/src/daemon.c
@@ -19,6 +19,7 @@
#include <errno.h>
#include <fcntl.h>
+#include <glob.h>
#include <poll.h>
#include <pwd.h>
#include <signal.h>
@@ -1104,10 +1105,32 @@ daemonize(cms_context *cms_ctx, char *certdir, int do_fork)
"pesignd starting (pid %d)", ctx.pid);
SECStatus status = NSS_Init(certdir);
+ int error = errno;
if (status != SECSuccess) {
+ char *globpattern = NULL;
+ rc = asprintf(&globpattern, "%s/cert*.db",
+ certdir);
+ if (rc > 0) {
+ glob_t globbuf;
+ memset(&globbuf, 0, sizeof(globbuf));
+ rc = glob(globpattern, GLOB_ERR, NULL,
+ &globbuf);
+ if (rc != 0) {
+ errno = error;
+ ctx.backup_cms->log(ctx.backup_cms,
+ ctx.priority|LOG_NOTICE,
+ "Could not open NSS database (\"%s\"): %m",
+ PORT_ErrorToString(PORT_GetError()));
+ exit(1);
+ }
+ }
+ }
+ if (status != SECSuccess) {
+ errno = error;
ctx.backup_cms->log(ctx.backup_cms, ctx.priority|LOG_NOTICE,
- "Could not initialize nss: %s\n",
- PORT_ErrorToString(PORT_GetError()));
+ "Could not initialize nss.\n"
+ "NSS says \"%s\" errno says \"%m\"\n",
+ PORT_ErrorToString(PORT_GetError()));
exit(1);
}
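Review bot: in the new `glob()` failure path the format string is `"Could not open NSS database (\"%s\"): %m"` but the argument is `PORT_ErrorToString(PORT_GetError())`, so the log shows the NSS error text where a reader expects the database path; pass `certdir` for that `%s` and report the NSS string separately. `int error = errno;` is also taken unconditionally, including when `NSS_Init()` succeeded, and `globpattern` and `globbuf` are never released with `free()` and `globfree()`.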
diff --git a/src/pesign.c b/src/pesign.c
index 5879cfc..6ceda34 100644
--- a/src/pesign.c
+++ b/src/pesign.c
@@ -660,10 +660,12 @@ main(int argc, char *argv[])
if (!daemon) {
SECStatus status;
+ int error;
if (need_db) {
status = NSS_Init(certdir);
if (status != SECSuccess) {
char *globpattern = NULL;
+ error = errno;
rc = asprintf(&globpattern, "%s/cert*.db",
certdir);
if (rc > 0) {
@@ -680,8 +682,10 @@ main(int argc, char *argv[])
} else
status = NSS_NoDB_Init(NULL);
if (status != SECSuccess) {
- errx(1, "Could not initialize nss. NSS says \"%s\" errno says \"%m\"\n",
- PORT_ErrorToString(PORT_GetError()));
+ errno = error;
+ errx(1, "Could not initialize nss.\n"
+ "NSS says \"%s\" errno says \"%m\"\n",
+ PORT_ErrorToString(PORT_GetError()));
}
status = register_oids(ctxp->cms_ctx);
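Review bot: `int error;` is declared without an initializer and is only assigned inside the `need_db` branch after `NSS_Init()` fails, yet `errno = error;` runs on every failure, including the `NSS_NoDB_Init(NULL)` path where `error` was never set. Initialize it (for example `int error = 0;`) and capture `errno` directly after whichever init call failed. `errx()` does not append the errno text itself, so the `%m` in the format string is the only place it is reported.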
--
2.13.4

@ -1,31 +0,0 @@
From bc1043bf2b428971e29a61a341da9a57595bada5 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 9 Aug 2017 17:40:33 -0400
Subject: [PATCH 25/29] certdb: fix PRTime printfs for i686
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/certdb.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/certdb.c b/src/certdb.c
index fae80af..29c9502 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -384,11 +384,10 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
}
if (lateNow < earlyNow)
- printf("Signature has impossible time constraint: %ld <= %ld\n",
- earlyNow / 1000000, lateNow / 1000000);
+ printf("Signature has impossible time constraint: %lld <= %lld\n",
+ earlyNow / 1000000LL, lateNow / 1000000LL);
atTime = earlyNow / 2 + lateNow / 2;
-
cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL,
NULL, NULL);
if (!cinfo)
--
2.13.4

@ -1,41 +0,0 @@
From a44115c9b4f43a1a7219f897bd33555e653d2e20 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 10 Aug 2017 10:02:38 -0400
Subject: [PATCH 26/29] Clean up gcc command lines a little
Signed-off-by: Peter Jones <pjones@redhat.com>
---
Make.defaults | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/Make.defaults b/Make.defaults
index 39b78f0..b6c0381 100644
--- a/Make.defaults
+++ b/Make.defaults
@@ -20,8 +20,7 @@ CROSS_COMPILE ?= $(bindir)
PKG_CONFIG = $(CROSS_COMPILE)pkg-config
CC := $(if $(filter default,$(origin CC)),$(CROSS_COMPILE)gcc,$(CC))
CCLD := $(if $(filter undefined,$(origin CCLD)),$(CC),$(CCLD))
-CFLAGS ?= -O0 -g3 -fvar-tracking -fvar-tracking-assignments \
- -Wall -Werror -Wextra -Wno-error=cpp
+CFLAGS ?= -O0 -g3 -fvar-tracking -fvar-tracking-assignments -Wno-error=cpp
AS := $(CROSS_COMPILE)as
AR := $(CROSS_COMPILE)gcc-ar
RANLIB := $(CROSS_COMPILE)gcc-ranlib
@@ -36,10 +35,10 @@ ARCH := $(shell uname -m | sed s,i[3456789]86,ia32,)
SOFLAGS = -shared
clang_cflags =
-gcc_cflags = -Wmaybe-uninitialized
+gcc_cflags = -Wmaybe-uninitialized -grecord-gcc-switches
cflags = $(CFLAGS) $(ARCH3264) \
- -Wall -Werror -Wno-cpp -Wsign-compare -Wno-unused-result \
- -Wno-unused-function\
+ -Wall -Werror -Wextra -Wsign-compare -Wno-unused-result \
+ -Wno-unused-function -Wsign-compare \
-std=gnu11 -fshort-wchar -fPIC -flto -fno-strict-aliasing \
-fno-merge-constants -fkeep-inline-functions \
-D_GNU_SOURCE -DCONFIG_$(ARCH) -I${TOPDIR}/include \
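Review bot: `-Wsign-compare` now appears twice in `cflags`, once on the `-Wall -Werror -Wextra` line and again after `-Wno-unused-function`; drop the second. The hunk also removes `-Wno-cpp` while only the default `CFLAGS ?=` line keeps `-Wno-error=cpp`, so `#warning` diagnostics become fatal under `-Werror` whenever a builder overrides `CFLAGS`. Keep `-Wno-error=cpp` in `cflags` itself if that is not intended.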
--
2.13.4

@ -1,54 +0,0 @@
From a133d051c3f8acf3e058e92711eb528c3c0f41f9 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 10 Aug 2017 10:03:37 -0400
Subject: [PATCH 27/29] Make pesign-{users,groups} static in the repo.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/Makefile | 5 +----
src/pesign-groups | 1 +
src/pesign-users | 1 +
3 files changed, 3 insertions(+), 4 deletions(-)
create mode 100644 src/pesign-groups
create mode 100644 src/pesign-users
diff --git a/src/Makefile b/src/Makefile
index 84ad130..7d68fa1 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -7,7 +7,7 @@ include $(TOPDIR)/Make.defaults
BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign
SVCTARGETS=pesign.sysvinit pesign.service
-TARGETS=$(BINTARGETS) $(SVCTARGETS) pesign-users pesign-groups
+TARGETS=$(BINTARGETS) $(SVCTARGETS)
all : deps $(TARGETS)
@@ -65,9 +65,6 @@ install_sysvinit: pesign.sysvinit
$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rc.d/init.d/
$(INSTALL) -m 755 pesign.sysvinit $(INSTALLROOT)/etc/rc.d/init.d/pesign
-pesign-users pesign-groups :
- echo pesign > $@
-
install :
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
diff --git a/src/pesign-groups b/src/pesign-groups
new file mode 100644
index 0000000..7f57cc5
--- /dev/null
+++ b/src/pesign-groups
@@ -0,0 +1 @@
+pesign
diff --git a/src/pesign-users b/src/pesign-users
new file mode 100644
index 0000000..7f57cc5
--- /dev/null
+++ b/src/pesign-users
@@ -0,0 +1 @@
+pesign
--
2.13.4

@ -1,43 +0,0 @@
From 025eb8aea94761fdc45507b6192aafdef80d4842 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 9 Aug 2017 17:31:31 -0400
Subject: [PATCH 28/29] rpm: Make the client signer use the fedora values
unless overridden
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/macros.pesign | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/macros.pesign b/src/macros.pesign
index 69280e9..22a3ee6 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -9,6 +9,9 @@
%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
%__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
+%__pesign_client_token %{!?pe_signing_token:"Fedora Signer (OpenSC Card)"}%{?pe_signing_token:"%{pe_signing_token}"}
+%__pesign_client_cert %{!?pe_signing_cert:"/CN=Fedora Secure Boot Signer"}%{?pe_signing_cert:"%{pe_signing_cert}"}
+
%_pesign /usr/bin/pesign
%_pesign_client /usr/bin/pesign-client
@@ -41,11 +44,11 @@
--certdir ${nss} -c signer %{-o} \
rm -rf ${sattrs} ${sattrs}.sig ${nss} \
elif [ -S /var/run/pesign/socket ]; then \
- %{_pesign_client} -t %{__pesign_token} \\\
- -c %{__pesign_cert} \\\
+ %{_pesign_client} -t %{__pesign_client_token} \\\
+ -c %{__pesign_client_cert} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
else \
- %{_pesign} -t %{__pesign_token} -c %{__pesign_cert} \\\
+ %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\
--certdir ${_pesign_nssdir} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
fi \
--
2.13.4

@ -1,39 +0,0 @@
From 86a6b02e4b95ab3629446e71895cc5e57ad4482f Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 14 Aug 2017 11:37:43 -0400
Subject: [PATCH 29/29] Make macros.pesign error in kojibuilder if we don't
have perms on the socket
---
src/macros.pesign | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/macros.pesign b/src/macros.pesign
index 22a3ee6..1665b4c 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -43,6 +43,21 @@
%{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
--certdir ${nss} -c signer %{-o} \
rm -rf ${sattrs} ${sattrs}.sig ${nss} \
+ elif [ "%{vendor}" == "Fedora Project" -a \\\
+ "$(id -un)" == "mockbuild" -a \\\
+ "$(uname -m)" == "x86_64" ] && \\\
+ grep -q ID=fedora /etc/os-release && \\\
+ [[ "%{_buildhost}" =~ ^bkernel.* ]] && \\\
+ ! [ -S /var/run/pesign/socket ]; then \
+ echo "No socket even though this is %{_buildhost}" \
+ ls -ld /var/run/pesign || : \
+ getfacl /var/run/pesign || : \
+ ls -l /var/run/pesign/socket || : \
+ getfacl /var/run/pesign/socket || : \
+ echo =========== env ============== \
+ set \
+ echo =========== env ============== \
+ exit 1 \
elif [ -S /var/run/pesign/socket ]; then \
%{_pesign_client} -t %{__pesign_client_token} \\\
-c %{__pesign_client_cert} \\\
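Review bot: the diagnostic branch runs a bare `set` between the two `=========== env ==============` markers, which writes every shell variable and function of the build environment into the build log before `exit 1`. On a signing builder that can include values that should not end up in a retained or published log; print only what is needed to debug the missing socket, such as `id` output and the `ls` and `getfacl` lines already present. The test also mixes `[ ... == ... -a ... ]` with `[[ ... =~ ... ]]`, so it only works when the macro is expanded under bash.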
--
2.13.4

0
noautobuild Normal file

23
pesign.patches Normal file

@ -0,0 +1,23 @@
Patch0001: 0001-daemon-remove-always-true-comparison.patch
Patch0002: 0002-make-handle-some-gcc-Wanalyzer-flags-better.patch
Patch0003: 0003-Rename-dprintf-to-dbgprintf.patch
Patch0004: 0004-.gitignore-add-compile_commands.json-and-.cache.patch
Patch0005: 0005-pesign-print-digests-before-filenames-like-sha256sum.patch
Patch0006: 0006-Add-pesum-an-authenticode-digest-generator.patch
Patch0007: 0007-Fix-building-signed-kernels-on-setups-other-than-koj.patch
Patch0008: 0008-Add-D_GLIBCXX_ASSERTIONS-to-CPPFLAGS.patch
Patch0009: 0009-macros.pesign-handle-centos-like-rhel-with-rhelver.patch
Patch0010: 0010-Detect-the-presence-of-rpm-sign-when-checking-for-rh.patch
Patch0011: 0011-Rename-README-README.md.patch
Patch0012: 0012-README.md-show-off-a-bit-more.patch
Patch0013: 0013-Fix-missing-line-in-README.md.patch
Patch0014: 0014-Fix-typo-in-efikeygen-command.patch
Patch0015: 0015-pesigcheck-Fix-crash-on-digest-match.patch
Patch0016: 0016-cms-store-digest-as-pointer-instead-of-index.patch
Patch0017: 0017-Fix-mandoc-invocation-to-not-produce-garbage.patch
Patch0018: 0018-Work-around-GCC-being-obnoxiously-incompatible-with-.patch
Patch0019: 0019-get_password_passthrough-handle-the-callback-context.patch
Patch0020: 0020-read_password-only-prune-CR-NL-from-the-end-of-the-f.patch
Patch0021: 0021-Revert-cms-store-digest-as-pointer-instead-of-index.patch
Patch0022: 0022-CMS-add-some-minor-cleanups.patch
Patch0023: 0023-CMS-make-cms-selected_digest-an-index-again.patch

@ -1,33 +1,39 @@
%global macrosdir %(d=%{_rpmconfigdir}/macros.d; [ -d $d ] || d=%{_sysconfdir}/rpm; echo $d)
# No. I have enough trouble already.
%undefine _auto_set_build_flags
Name: pesign
Summary: Signing utility for UEFI binaries
Version: 0.112
Release: 25%{?dist}
License: GPLv2
URL: https://github.com/vathpela/pesign
Version: 115
Release: 9%{?dist}
License: GPL-2.0-only
URL: https://github.com/rhboot/pesign
Obsoletes: pesign-rh-test-certs <= 0.111-7
BuildRequires: efivar-devel >= 38-1
BuildRequires: gcc
BuildRequires: git
BuildRequires: libuuid-devel
BuildRequires: make
BuildRequires: mandoc
BuildRequires: nspr
BuildRequires: nspr-devel >= 4.9.2-1
BuildRequires: nss
BuildRequires: nss-devel >= 3.13.6-1
BuildRequires: nss-tools
BuildRequires: nss-util
BuildRequires: popt-devel
BuildRequires: nss-tools
BuildRequires: nspr-devel >= 4.9.2-1
BuildRequires: nss-devel >= 3.13.6-1
BuildRequires: efivar-devel >= 31-1
BuildRequires: libuuid-devel
BuildRequires: python3
BuildRequires: python3-rpm-macros
BuildRequires: tar
BuildRequires: xz
BuildRequires: python3-rpm-macros
BuildRequires: python3
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
BuildRequires: systemd-rpm-macros
%endif
Requires: nspr
Requires: nss
Requires: nss-tools >= 3.53
Requires: nss-util
Requires: popt
Requires: rpm
@ -37,39 +43,13 @@ ExclusiveArch: %{ix86} x86_64 ia64 aarch64 %{arm}
BuildRequires: rh-signing-tools >= 1.20-2
%endif
Source0: https://github.com/vathpela/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2
Source0: https://github.com/rhboot/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2
Source1: certs.tar.xz
Source2: pesign.py
Source3: pesign.patches
Patch0001: 0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch
Patch0002: 0002-Fix-command-line-parsing.patch
Patch0003: 0003-gcc-don-t-error-on-stuff-in-includes.patch
Patch0004: 0004-Fix-certficate-argument-name.patch
Patch0005: 0005-Fix-description-of-ascii-armor-option-in-manpage.patch
Patch0006: 0006-Make-ascii-work-since-we-documented-it.patch
Patch0007: 0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch
Patch0008: 0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch
Patch0009: 0009-pesigcheck-make-certfile-actually-work.patch
Patch0010: 0010-signerInfos-make-sure-err-is-always-initialized.patch
Patch0011: 0011-pesign-make-pesign-h-tell-you-the-file-name.patch
Patch0012: 0012-Add-coverity-build-scripts.patch
Patch0013: 0013-Document-implicit-fallthrough.patch
Patch0014: 0014-Actually-setfacl-each-directory-of-our-key-storage.patch
Patch0015: 0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch
Patch0016: 0016-efikeygen-add-modsign.patch
Patch0017: 0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch
Patch0018: 0018-show-which-db-we-re-checking.patch
Patch0019: 0019-more-about-the-time.patch
Patch0020: 0020-try-to-say-why-something-fails.patch
Patch0021: 0021-Fix-race-condition-in-SEC_GetPassword.patch
Patch0022: 0022-sysvinit-Create-the-socket-directory-at-runtime.patch
Patch0023: 0023-Better-authorization-scripts.-Again.patch
Patch0024: 0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch
Patch0025: 0025-certdb-fix-PRTime-printfs-for-i686.patch
Patch0026: 0026-Clean-up-gcc-command-lines-a-little.patch
Patch0027: 0027-Make-pesign-users-groups-static-in-the-repo.patch
Patch0028: 0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch
Patch0029: 0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch
# generate with tool
%include %{SOURCE3}
%description
This package contains the pesign utility for signing UEFI binaries as
@ -87,9 +67,6 @@ git am %{patches} </dev/null
git config --unset user.email
git config --unset user.name
# https://bugzilla.redhat.com/show_bug.cgi?id=1678146
sed -i 's|/var/run/pesign|/run/pesign|' src/tmpfiles.conf
%build
make PREFIX=%{_prefix} LIBDIR=%{_libdir}
@ -127,7 +104,7 @@ install -m 0755 %{SOURCE2} %{buildroot}%{python3_sitelib}/mockbuild/plugins/
%pre
getent group pesign >/dev/null || groupadd -r pesign
getent passwd pesign >/dev/null || \
useradd -r -g pesign -d /var/run/pesign -s /sbin/nologin \
useradd -r -g pesign -d /run/pesign -s /sbin/nologin \
-c "Group for the pesign signing daemon" pesign
exit 0
@ -135,40 +112,48 @@ exit 0
%post
%systemd_post pesign.service
#%%posttrans
#%%{_libexecdir}/pesign/pesign-authorize
%preun
%systemd_preun pesign.service
%postun
%systemd_postun_with_restart pesign.service
%posttrans
certutil -d %{_sysconfdir}/pki/pesign/ -X -L > /dev/null
# this is disabled currently because it breaks the fedora kernel build root
# generation - because we don't currently have a good way of populating
# /etc/pesign/{users,groups} before the buildroot is installed, or
# populating them and re-running pesign-authorize afterwards but before the
# package build of e.g. kernel
#%%{_libexecdir}/pesign/pesign-authorize
%endif
%files
%{!?_licensedir:%global license %%doc}
%license COPYING
%doc README TODO
%doc README.md TODO
%{_bindir}/authvar
%{_bindir}/efikeygen
%{_bindir}/efisiglist
%{_bindir}/pesigcheck
%{_bindir}/pesign
%{_bindir}/pesign-client
%{_bindir}/pesum
%dir %{_libexecdir}/pesign/
%dir %attr(0770,pesign,pesign) %{_sysconfdir}/pki/pesign/
%config(noreplace) %attr(0660,pesign,pesign) %{_sysconfdir}/pki/pesign/*
%dir %attr(0775,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/
%config(noreplace) %attr(0664,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/*
%{_libexecdir}/pesign/pesign-authorize
%{_libexecdir}/pesign/pesign-rpmbuild-helper
%config(noreplace)/%{_sysconfdir}/pesign/users
%config(noreplace)/%{_sysconfdir}/pesign/groups
%{_sysconfdir}/popt.d/pesign.popt
%{macrosdir}/macros.pesign
%{_mandir}/man*/*
%dir %attr(0770, pesign, pesign) %{_localstatedir}/run/%{name}
%ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/socket
%ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/pesign.pid
%dir %attr(0770, pesign, pesign) %{_rundir}/%{name}
%ghost %attr(0660, -, -) %{_rundir}/%{name}/socket
%ghost %attr(0660, -, -) %{_rundir}/%{name}/pesign.pid
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
%{_tmpfilesdir}/pesign.conf
%{_unitdir}/pesign.service
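Review bot: with `#%%{_libexecdir}/pesign/pesign-authorize` left commented out in `%posttrans`, no scriptlet applies the contents of `%{_sysconfdir}/pesign/users` and `%{_sysconfdir}/pesign/groups`, so those two `%config(noreplace)` files have no effect until an administrator runs pesign-authorize by hand. The comment explains why the call is disabled for the kernel buildroot, but the manual step should be documented for everyone else, for example in README.md. In the same scriptlet, `certutil -d %{_sysconfdir}/pki/pesign/ -X -L > /dev/null` is the last command executed, so its exit status becomes the scriptlet's; append `|| :` and decide whether stderr should be redirected too. The two `%config(noreplace)/%{_sysconfdir}/pesign/...` entries also carry a stray `/` directly after `(noreplace)`.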
@ -177,6 +162,126 @@ exit 0
%{python3_sitelib}/mockbuild/plugins/pesign.*
%changelog
* Wed Aug 31 2022 Robbie Harwood <rharwood@redhat.com> - 115-9
- Roll up to pjones's smartcard/cms fixes
* Tue Aug 02 2022 Robbie Harwood <rharwood@redhat.com> - 115-8
- Rebuild for python bytecode change
- See-also: #2107826
* Thu Jul 07 2022 Robbie Harwood <rharwood@redhat.com> - 115-6
- Fix formatting of man pages
- Resolves: #2104778
* Mon Apr 04 2022 Robbie Harwood <rharwood@redhat.com> - 115-5
- Detect presence of rpm-sign when checking for rhel-ness
* Fri Apr 01 2022 Robbie Harwood <rharwood@redhat.com> - 115-4
- Correctly handle rhel and centos macros
* Fri Mar 25 2022 Robbie Harwood <rharwood@redhat.com> - 115-3
- Add -D_GLIBCXX_ASSERTIONS to CPPFLAGS
* Thu Mar 24 2022 Robbie Harwood <rharwood@redhat.com> - 115-2
- Add support for non-koji signing in macros
- Resolves: #1880858
* Tue Mar 08 2022 Robbie Harwood <rharwood@redhat.com> - 115-1
- New upstream version (115)
* Mon Feb 14 2022 Robbie Harwood <rharwood@redhat.com> - 114-4
- Disable -fanalyzer since it's broken and pragmas don't work
- See-also: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104370
* Mon Feb 14 2022 Robbie Harwood <rharwood@redhat.com> - 114-3
- Fix explicit NULL deref when daemonizing
* Wed Feb 02 2022 Robbie Harwood <rharwood@redhat.com> - 114-2
- Attempt to fix signing parsing by dropping pesign_args
* Tue Feb 01 2022 Robbie Harwood <rharwood@redhat.com> - 114-1
- New upstream version (114)
* Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 113-18
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 113-17
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 113-16
- Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583.
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 113-15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Mon Nov 16 2020 Jeff Law <law@redhat.com> - 113-14
- Turn off -Wfree-nonheap-object
* Mon Aug 03 2020 Peter Jones <pjones@redhat.com> - 113-13
- Add the rundir related stuff that was staged on my f32 checkout.
* Mon Aug 03 2020 Peter Jones <pjones@redhat.com> - 113-12
- Try to make kernel and fwupd both work at the same time.
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 113-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Thu Jul 16 2020 Peter Jones <pjones@redhat.com> - 113-10
- I really cannot figure out why bkernel01 thinks the certificate nickname
starts with /CN=, but it does, so I'm gonna stop fighting with the sand.
* Thu Jul 16 2020 Peter Jones <pjones@redhat.com> - 113-9
- Even more kernel build debugging...
* Tue Jul 07 2020 Peter Jones <pjones@redhat.com> - 113-8
- More kernel build debugging...
* Tue Jul 07 2020 Peter Jones <pjones@redhat.com> - 113-6
- Disable the pesign-authorize call in posttrans, until we can figure out a
better way to deal with that in the fedora kernel builder chroot setup
* Tue Jul 07 2020 Peter Jones <pjones@redhat.com> - 113-5
- Make pesign require nss-tools for the posttrans scriptlet
- Move most of macros.pesign to /usr/libexec/pesign/pesign-rpmbuild-helper
* Mon Jul 06 2020 Peter Jones <pjones@redhat.com> - 113-4
- Attempt to fix kernel signing failures caused by -3...
* Fri Jun 12 2020 Peter Jones <pjones@redhat.com> - 113-3
- Fix the signer name for fedora and some other minor nits
Related: rhbz#1708773
Related: rhbz#1678146
* Thu Jun 11 2020 Peter Jones <pjones@redhat.com> - 113-2
- Fix a signing protocol bug we introduced in 113 that makes the fedora
kernel builders fail.
Related: rhbz#1708773
* Thu Jun 11 2020 Javier Martinez Canillas <javierm@redhat.com> - 113-1
- Update to 113 release
Resolves: rhbz#1708773
* Mon Jun 08 2020 Javier Martinez Canillas <javierm@redhat.com> - 0.112-31
- Switch default NSS database to SQLite format (pjones)
Resolves: rhbz#1827902
* Mon Feb 24 2020 Peter Jones <pjones@redhat.com> - 0.112-30
- Make sure the patch for -29 is actually in the build in f32, and
synchronize with master.
* Tue Feb 18 2020 Peter Jones <pjones@redhat.com> - 0.112-29
- Rebuild to match OpenSC's token name mangling change.
* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-28
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Tue Nov 12 2019 Peter Jones <pjones@redhat.com> - 0.112-27
- Rebuild to fix an NSS API issue.
* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-26
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Wed Mar 6 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 0.112-25
- Fix build (#1675653)
- Add missing closing quote in macro (#1651020)
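Review bot: the changelog goes from 115-6 straight to 115-8 and from 113-6 straight to 113-8, with no entry for 115-7 or 113-7. Anyone matching an installed NVR against this history will not find those releases, so add a one-line entry for each stating what happened to it (for example that the build was reverted or never shipped). The 114-3 entry, `Fix explicit NULL deref when daemonizing`, would also benefit from a bug or commit reference like the ones the neighbouring entries give.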

rpminspect.yaml Normal file

@ -0,0 +1,13 @@
---
inspections:
# Not a Java package
javabytecode: off
# These just flag when things change "too much"
changedfiles: off
filesize: off
patches: off
upstream: off
# https://bugzilla.redhat.com/show_bug.cgi?id=2010936
annocheck: off
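Review bot: `annocheck: off` switches off the binary hardening inspection for the whole package with only a Bugzilla URL as justification. For a tool that handles signing keys, add a short comment saying what bug 2010936 breaks and under what condition the inspection should be turned back on, so the exemption does not outlive the bug. Likewise, `patches: off` and `upstream: off` sit under the comment `These just flag when things change "too much"`, which reads as a description of `changedfiles` and `filesize`; give those two their own reason or leave them enabled.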

View File

@ -1,2 +1,2 @@
e377e0bc924287ee09356a239c5f51a8 certs.tar.xz
eae1d66e160be744ff310ad7592ae31e pesign-0.112.tar.bz2
SHA512 (certs.tar.xz) = ddac535c786d1a23074534323c4ce89f907d4f82b19c5d3a9c814b145fbac1599cd2386cf20c28d22aee7d5c4db441f052bab9ee655de756117a0a0bc99b525f
SHA512 (pesign-115.tar.bz2) = 0091d70e286326b1ed74418ca8c5a2a63d42e6aa3eccdfc4f09a34241b2addfe878af17d1d74648b7da79d6cd7158fcca0f3a52f4a82a57cacae4617b42b1faa