synchronize some patches

2021-11-26 11:39:56 +08:00 · 2021-11-26 11:39:56 +08:00 · 31e72c6b0a
commit 31e72c6b0a
parent ebd60c7cda
5 changed files with 467 additions and 1 deletions
--- a/grub.patches
+++ b/grub.patches
@ -353,3 +353,6 @@ Patch0352: backport-0079-efi-tpm-Fix-typo-in-grub_efi_tpm2_protocol-struct.patch
 Patch0353: backport-0080-misc-Add-parentheses-around-ALIGN_UP-and-ALIGN_DOWN-.patch
 Patch0354: backport-0081-verifiers-Fix-calling-uninitialized-function-pointer.patch
 Patch0355: backport-templates-Fix-bad-test-on-GRUB_DISABLE_SUBMENU.patch
 Patch0356: grub2-set-password-prompts-to-enter-the-current-pass.patch
 Patch0357: support-TPM2.0.patch
 Patch0358: use-default-timestamp.patch
--- a/grub2-set-password-prompts-to-enter-the-current-pass.patch
+++ b/grub2-set-password-prompts-to-enter-the-current-pass.patch
@ -0,0 +1,302 @@
 From 5099013778b2433a4dee3ae5e4826d8add1c1fb7 Mon Sep 17 00:00:00 2001
 From: liuxin <liuxin264@huawei.com>
 Date: Thu, 2 Sep 2021 17:30:39 +0800
 Subject: [PATCH] grub2-set-password prompts to enter the current password and
 add the password complexity check
 ---
 util/grub-mkpasswd-pbkdf2.c |  95 +++++++++++++++++++++++++++++-
 util/grub-set-password.in   | 114 ++++++++++++++++++++++++++++++++++++
 2 files changed, 207 insertions(+), 2 deletions(-)
 diff --git a/util/grub-mkpasswd-pbkdf2.c b/util/grub-mkpasswd-pbkdf2.c
 index 5805f3c..68c2032 100644
 --- a/util/grub-mkpasswd-pbkdf2.c
 +++ b/util/grub-mkpasswd-pbkdf2.c
@@ -42,10 +42,14 @@
 #include "progname.h"
 +#define GRUB_PARAM_ERROR 1
 +#define GRUB_PARAM_SUCCESS 0
 +
 static struct argp_option options[] = {
   {"iteration-count",  'c', N_("NUM"), 0, N_("Number of PBKDF2 iterations"), 0},
   {"buflen",  'l', N_("NUM"), 0, N_("Length of generated hash"), 0},
   {"salt",  's', N_("NUM"), 0, N_("Length of salt"), 0},
 +  {"salt arg",  'a', N_("VARCHAR"), 0, N_("preset salt var(hex code)"), 0},
   { 0, 0, 0, 0, 0, 0 }
 };
@@ -54,8 +58,45 @@ struct arguments
   unsigned int count;
   unsigned int buflen;
   unsigned int saltlen;
 +  char * salt;
 };
 +static int illegal_char(char t)
 +{
 +  int illegal = GRUB_PARAM_ERROR;
 +  char legal[] = "0123456789ABCDEF";
 +  for (int i = 0; i < grub_strlen(legal); ++i) {
 +    if (t == legal[i]) {
 +      illegal = GRUB_PARAM_SUCCESS;
 +      break;
 +    }
 +  }
 +  return illegal;
 +}
 +
 +static int check_salt_verify(const char * arg)
 +{
 +  grub_size_t len = grub_strlen(arg);
 +  if (len <= 0 || len >= GRUB_SIZE_MAX)
 +  {
 +    fprintf(stderr, "salt length may be empty or too long!\n");
 +    return GRUB_PARAM_ERROR;
 +  }
 +  if (len % 2 != 0)
 +  {
 +    fprintf(stderr, "the salt value length is an even number!\n");
 +    return GRUB_PARAM_ERROR;
 +  }
 +  for (int i = 0; i < len; ++i)
 +  {
 +    if (illegal_char(arg[i]))
 +    {
 +      return GRUB_PARAM_ERROR;
 +    }
 +  }
 +  return GRUB_PARAM_SUCCESS;
 +}
 +
 static error_t
 argp_parser (int key, char *arg, struct argp_state *state)
 {
@@ -76,6 +117,16 @@ argp_parser (int key, char *arg, struct argp_state *state)
     case 's':
       arguments->saltlen = strtoul (arg, NULL, 0);
       break;
 +
 +    case 'a':
 +      if (check_salt_verify(arg))
 +      {
 +        fprintf(stderr, "only hexadecimal numbers consisting of digits and uppercase letters are supported\n");
 +        return ARGP_ERR_UNKNOWN;
 +      }
 +      arguments->saltlen = grub_strlen(arg) / 2;
 +      arguments->salt = arg;
 +      break;
     default:
       return ARGP_ERR_UNKNOWN;
     }
@@ -110,13 +161,44 @@ hexify (char *hex, grub_uint8_t *bin, grub_size_t n)
   *hex = 0;
 }
 +static void
 +hextobyte(const char *hex, grub_uint8_t *bin, grub_size_t n)
 +{
 +    while(n)
 +    {
 +        grub_uint8_t tmp = 0x00;
 +        if (((*hex) <= '9') && ((*hex) >= '0'))
 +        {
 +            tmp += (grub_uint8_t)((*hex) - '0') << 4 & 0xf0;
 +        }
 +        else
 +        {
 +            tmp += (grub_uint8_t)((*hex) - 'A' + 10) << 4 & 0xf0;
 +        }
 +        hex++;
 +        if (((*hex) <= '9') && ((*hex) >= '0'))
 +        {
 +            tmp += (grub_uint8_t)((*hex) - '0') & 0x0f;
 +        }
 +        else
 +        {
 +            tmp += (grub_uint8_t)((*hex) - 'A' + 10) & 0x0f;
 +        }
 +        *bin = tmp;
 +        bin++;
 +        hex++;
 +        n -= 2;
 +    }
 +}
 +
 int
 main (int argc, char *argv[])
 {
   struct arguments arguments = {
     .count = 10000,
     .buflen = 64,
 -    .saltlen = 64
 +    .saltlen = 64,
 +    .salt = NULL
   };
   char *result, *ptr;
   gcry_err_code_t gcry_err;
@@ -133,6 +215,12 @@ main (int argc, char *argv[])
       exit(1);
     }
 +  if (arguments.salt != NULL && grub_strlen(arguments.salt) != 2 * arguments.saltlen)
 +  {
 +    fprintf(stderr, "%s", _("If the -a parameter is set, don't set the -s parameter again\n"));
 +    exit(1);
 +  }
 +
   buf = xmalloc (arguments.buflen);
   salt = xmalloc (arguments.saltlen);
@@ -161,7 +249,10 @@ main (int argc, char *argv[])
     }
   memset (pass2, 0, sizeof (pass2));
 -  if (grub_get_random (salt, arguments.saltlen))
 +  if (arguments.salt != NULL)
 +  {
 +    hextobyte(arguments.salt, salt, arguments.saltlen * 2);
 +  } else if (grub_get_random (salt, arguments.saltlen))
     {
       memset (pass1, 0, sizeof (pass1));
       free (buf);
 diff --git a/util/grub-set-password.in b/util/grub-set-password.in
 index 487fbb1..3d0be26 100644
 --- a/util/grub-set-password.in
 +++ b/util/grub-set-password.in
@@ -87,16 +87,130 @@ fixtty() {
 }
 trap fixtty EXIT
 +
 +getsaltpass() {
 +	local P0
 +	local P1
 +	P0="$1" && shift
 +	P1="$1" && shift
 +	P2="$1" && shift
 +
 +	( echo ${P0} ; echo ${P1} ) | \
 +    	LC_ALL=C ${grub_mkpasswd} -a ${P2} | \
 +    	grep -v '[eE]nter password:' | \
 +    	sed -e "s/PBKDF2 hash of your password is //"
 +}
 +
 +verifyusercfgoldpasswd() {
 +    # get old password salt
 +    expectsalt=`cat ${grubdir}/user.cfg | cut -d "." -f 5`
 +    # get expect password
 +    expectpass=`cat ${grubdir}/user.cfg`
 +    prefix="GRUB2_PASSWORD="
 +
 +    stty -echo
 +    echo -n "Enter Current password: "
 +    read PASSWORD_CURRENT
 +    echo
 +
 +    needcheckpass="${prefix}$(getsaltpass "${PASSWORD_CURRENT}" "${PASSWORD_CURRENT}" "${expectsalt}")"
 +    if [ "$expectpass" != "$needcheckpass" ]; then
 +        echo "Authentication failed"
 +        exit 1
 +    fi
 +
 +    stty ${ttyopt}
 +}
 +
 +verifygrubcfgoldpasswd() {
 +    # get old password line
 +    expectpass=`cat ${grubdir}/grub.cfg | grep "password_pbkdf2 root grub.pbkdf2.sha512" | cut -d " " -f 3`
 +    # if not get password, try a quotation mark match
 +    if [ -z "$expectpass" ];then
 +        expectpass=`cat ${grubdir}/grub.cfg | grep "password_pbkdf2 root \"grub.pbkdf2.sha512" | cut -d " " -f 3 | cut -d "\"" -f 2`
 +    fi
 +    if [ -z "$expectpass" ];then
 +        expectpass=`cat ${grubdir}/grub.cfg | grep "password_pbkdf2 root 'grub.pbkdf2.sha512" | cut -d " " -f 3 | cut -d "'" -f 2`
 +    fi
 +    if [ -n "$expectpass" ];then
 +        # get old password salt
 +        expectsalt=`echo ${expectpass} | cut -d "." -f 5`
 +        stty -echo
 +        echo -n "Enter Current password: "
 +        read PASSWORD_CURRENT
 +        echo
 +
 +        needcheckpass="$(getsaltpass "${PASSWORD_CURRENT}" "${PASSWORD_CURRENT}" "${expectsalt}")"
 +        if [ "$expectpass" != "$needcheckpass" ]; then
 +            echo "Authentication failed"
 +            exit 1
 +        fi
 +    fi
 +
 +}
 +
 +if [ -e ${grubdir}/user.cfg ];then
 +    verifyusercfgoldpasswd
 +else
 +    verifygrubcfgoldpasswd
 +fi
 +
 +checkcomplexity() {
 +    set +e
 +    USERNAME=`cat ${grubdir}/grub.cfg | grep "set superusers=" | cut -d "\"" -f 2 |tail -1`
 +    local P1="$1" && shift
 +    if [ "$P1" = "$USERNAME" ];then
 +        echo "The password contains the user name in some form"
 +        exit 1
 +    fi
 +    # password len >= 8
 +    strlen=`echo "$P1" | grep -E '^(.{8,}).*$'`
 +    if [ -z "$strlen" ];then
 +        echo "The password is shorter than 8 characters"
 +        exit 1
 +    fi
 +    # lowercase
 +    strlow=`echo "$P1" | grep -E --color '^(.*[a-z]+).*$'`
 +    # uppercase
 +    strupp=`echo $P1 | grep -E --color '^(.*[A-Z]).*$'`
 +    # special character
 +    strts=`echo $P1 | grep -E --color '^(.*\W).*$'`
 +    # num
 +    strnum=`echo $P1 | grep -E --color '^(.*[0-9]).*$'`
 +    complexity=0
 +    if [ -n "$strlow" ];then
 +        complexity=`expr $complexity + 1`
 +    fi
 +    if [ -n "$strupp" ];then
 +        complexity=`expr $complexity + 1`
 +    fi
 +    if [ -n "$strts" ];then
 +        complexity=`expr $complexity + 1`
 +    fi
 +    if [ -n "$strnum" ];then
 +        complexity=`expr $complexity + 1`
 +    fi
 +    if [ $complexity -lt 3 ];then
 +        echo "The password contains less than 3 character classes"
 +        exit 1
 +    fi
 +    set -e
 +}
 +
 stty -echo
 # prompt & confirm new grub2 root user password
 echo -n "Enter password: "
 read PASSWORD
 echo
 +stty ${ttyopt}
 +checkcomplexity $PASSWORD
 +stty -echo
 echo -n "Confirm password: "
 read PASSWORD_CONFIRM
 echo
 stty ${ttyopt}
 +checkcomplexity $PASSWORD_CONFIRM
 getpass() {
     local P0
 -- 
 2.23.0
--- a/grub2.spec
+++ b/grub2.spec
@ -8,7 +8,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.04
-Release:	21
+Release:	22
 Summary:	Bootloader with support for Linux, Multiboot and more
 License:	GPLv3+
 URL:		http://www.gnu.org/software/grub/
@ -451,6 +451,14 @@ rm -r /boot/grub2.tmp/ || :
 %{_datadir}/man/man*
 %changelog
 * Fri Nov 26 2021 xihaochen<xihaochen@huawei.com> - 2.04-22
 - Type:bugfix
 - ID:NA
 - SUG:NA
  DESC:grub2 set password prompts to enter the current pass
       support TPM2.0
       use default timestamp
 * Tue Nov 16 2021 fengtao <fengtao40@huawei.com> - 2.04-21
 - Type:bugfix
 - ID:NA
--- a/support-TPM2.0.patch
+++ b/support-TPM2.0.patch
@ -0,0 +1,96 @@
 From c4c243d19d77cab3591f0272c8e36619ccbbddf3 Mon Sep 17 00:00:00 2001
 From: gaoyusong <gaoyusong1@huawei.com>
 Date: Thu, 13 May 2021 18:34:23 +0800
 Subject: [PATCH] support TPM2.0
 ---
 grub-core/kern/verifiers.c | 25 +++++++++++++++++++------
 grub-core/script/execute.c | 12 +++++++++++-
 2 files changed, 30 insertions(+), 7 deletions(-)
 diff --git a/grub-core/kern/verifiers.c b/grub-core/kern/verifiers.c
 index aa3dc7c..dfd73e5 100644
 --- a/grub-core/kern/verifiers.c
 +++ b/grub-core/kern/verifiers.c
@@ -84,9 +84,16 @@ grub_verifiers_open (grub_file_t io, enum grub_file_type type)
   grub_file_t ret = 0;
   grub_err_t err;
   int defer = 0;
 +  int grub_env_flag = 0;
 +  char *ptr = NULL;
   grub_dprintf ("verify", "file: %s type: %d\n", io->name, type);
 +  ptr = grub_strstr(io->name, "grubenv");
 +  if (ptr) {
 +    grub_env_flag = 1;
 +  }
 +
   if ((type & GRUB_FILE_TYPE_MASK) == GRUB_FILE_TYPE_SIGNATURE
       || (type & GRUB_FILE_TYPE_MASK) == GRUB_FILE_TYPE_VERIFY_SIGNATURE
       || (type & GRUB_FILE_TYPE_SKIP_SIGNATURE))
@@ -148,6 +155,8 @@ grub_verifiers_open (grub_file_t io, enum grub_file_type type)
   verified->buf = grub_malloc (ret->size);
   if (!verified->buf)
     {
 +      grub_error (GRUB_ERR_OUT_OF_MEMORY,
 +            "cannot allocate verified buffer, the %s is too large\n", io->name);
       goto fail;
     }
   if (grub_file_read (io, verified->buf, ret->size) != (grub_ssize_t) ret->size)
@@ -158,9 +167,11 @@ grub_verifiers_open (grub_file_t io, enum grub_file_type type)
       goto fail;
     }
 -  err = ver->write (context, verified->buf, ret->size);
 -  if (err)
 -    goto fail;
 +  if (!grub_env_flag) {
 +    err = ver->write (context, verified->buf, ret->size);
 +    if (err)
 +      goto fail;
 +  }
   err = ver->fini ? ver->fini (context) : GRUB_ERR_NONE;
   if (err)
@@ -179,9 +190,11 @@ grub_verifiers_open (grub_file_t io, enum grub_file_type type)
 	  /* Verification done earlier. So, we are happy here. */
 	  flags & GRUB_VERIFY_FLAGS_DEFER_AUTH)
 	continue;
 -      err = ver->write (context, verified->buf, ret->size);
 -      if (err)
 -	goto fail;
 +      if (!grub_env_flag) {
 +        err = ver->write (context, verified->buf, ret->size);
 +        if (err)
 +          goto fail;
 +      }
       err = ver->fini ? ver->fini (context) : GRUB_ERR_NONE;
       if (err)
 diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
 index 0c6dd9c..3e761c4 100644
 --- a/grub-core/script/execute.c
 +++ b/grub-core/script/execute.c
@@ -1002,7 +1002,17 @@ grub_script_execute_cmdline (struct grub_script_cmd *cmd)
 			       argv.args[i]);
     }
   cmdstring[cmdlen - 1] = '\0';
 -  grub_verify_string (cmdstring, GRUB_VERIFY_COMMAND);
 +
 +  if (grub_strncmp(cmdstring, "[ 0 = 1 ]", 9) == 0) {
 +    char res_str[] = "[  = 1 ]";
 +    grub_verify_string (res_str, GRUB_VERIFY_COMMAND);
 +  } else if (grub_strncmp(cmdstring, "[ 0 = 1 -o  = 1 ]", 17) == 0) {
 +    char res_str[] = "[  = 1 -o  = 1 ]";
 +    grub_verify_string (res_str, GRUB_VERIFY_COMMAND);
 +  } else {
 +    grub_verify_string (cmdstring, GRUB_VERIFY_COMMAND);
 +  }
 +
   grub_free (cmdstring);
   invert = 0;
   argc = argv.argc - 1;
 -- 
 2.19.1
--- a/use-default-timestamp.patch
+++ b/use-default-timestamp.patch
@ -0,0 +1,57 @@
 From 8922ea771163655f1d5dc8da589a6291976ae489 Mon Sep 17 00:00:00 2001
 From: zhouyihang <zhouyihang3@huawei.com>
 Date: Thu, 10 Jun 2021 20:01:54 +0800
 Subject: [PATCH] huawei use default timestamp
 ---
 docs/grub-dev.texi | 4 ++--
 docs/grub.texi     | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
 diff --git a/docs/grub-dev.texi b/docs/grub-dev.texi
 index f488e82..355764a 100644
 --- a/docs/grub-dev.texi
 +++ b/docs/grub-dev.texi
@@ -18,7 +18,7 @@
 @copying
 This developer manual is for GNU GRUB (version @value{VERSION},
 -@value{UPDATED}).
 +24 June 2019).
 Copyright @copyright{} 1999,2000,2001,2002,2004,2005,2006,2008,2009,2010,2011 Free Software Foundation, Inc.
@@ -40,7 +40,7 @@ Invariant Sections.
 @titlepage
 @sp 10
 @title the GNU GRUB developer manual
 -@subtitle The GRand Unified Bootloader, version @value{VERSION}, @value{UPDATED}.
 +@subtitle The GRand Unified Bootloader, version @value{VERSION}, 24 June 2019.
 @author Yoshinori K. Okuji
 @author Colin D Bennett
 @author Vesa Jääskeläinen
 diff --git a/docs/grub.texi b/docs/grub.texi
 index 262388c..41c1a89 100644
 --- a/docs/grub.texi
 +++ b/docs/grub.texi
@@ -18,7 +18,7 @@
 @copying
 This manual is for GNU GRUB (version @value{VERSION},
 -@value{UPDATED}).
 +24 June 2019).
 Copyright @copyright{} 1999,2000,2001,2002,2004,2006,2008,2009,2010,2011,2012,2013 Free Software Foundation, Inc.
@@ -48,7 +48,7 @@ Invariant Sections.
 @titlepage
 @sp 10
 @title the GNU GRUB manual
 -@subtitle The GRand Unified Bootloader, version @value{VERSION}, @value{UPDATED}.
 +@subtitle The GRand Unified Bootloader, version @value{VERSION}, 24 June 2019.
 @author Gordon Matzigkeit
 @author Yoshinori K. Okuji
 @author Colin Watson
 -- 
 2.27.0