Update to 116

chen-jan 2023-05-04 16:58:54 +08:00
parent 0bfe93394f
commit e1150d5e13
9 changed files with 40 additions and 303 deletions


@ -0,0 +1,27 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Nicolas Frayer <nfrayer@redhat.com>
Date: Mon, 20 Feb 2023 15:26:20 +0100
Subject: [PATCH] cms_common: Fixed Segmentation fault
When running efikeygen, the binary crashes with a segfault due
to dereferencing a **ptr instead of a *ptr.
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
(cherry picked from commit 227435af461f38fc4abeafe02884675ad4b1feb4)
---
src/cms_common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/cms_common.c b/src/cms_common.c
index 24576f2..89d946a 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -956,7 +956,7 @@ find_certificate_by_issuer_and_sn(cms_context *cms,
if (!ias)
cnreterr(-1, cms, "invalid issuer and serial number");
- return find_certificate_by_callback(cms, match_issuer_and_serial, &ias, cert);
+ return find_certificate_by_callback(cms, match_issuer_and_serial, ias, cert);
}
int

Binary file not shown.

116.tar.gz Normal file

Binary file not shown.


@ -1,39 +0,0 @@
From d8ea40d773dc1bcd90d8fc3b1f71ce49044ccef0 Mon Sep 17 00:00:00 2001
From: Chenxi Mao <chenxi.mao@suse.com>
Date: Tue, 13 Dec 2022 22:12:29 +0800
Subject: [PATCH 1/1] Free resources if certificate cannot be found
In find_certificate_by_callback, function return -1 directly without
free resource if node is null, that will lead to nss shut down failed.
The error message as below:
could not shut down NSS: NSS could not shutdown. Objects are still in use.
To fix this issue, free all resources before function return -1.
Signed-off-by: Chenxi Mao <chenxi.mao@suse.com>
---
src/cms_common.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/cms_common.c b/src/cms_common.c
index 1c54c90..24576f2 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -878,8 +878,12 @@ find_certificate_by_callback(cms_context *cms,
}
}
- if (!node)
+ if (!node) {
+ PK11_DestroySlotListElement(slots, &psle);
+ PK11_FreeSlotList(slots);
+ CERT_DestroyCertList(certlist);
cnreterr(-1, cms, "Could not find certificate");
+ }
*cert = CERT_DupCertificate(node->cert);
--
2.33.0


@ -1,112 +0,0 @@
From 6c47b45347c946221a8acc3ea3a6a9cfcd734756 Mon Sep 17 00:00:00 2001
From: godcansee <liu332084460@foxmail.com>
Date: Sun, 2 Oct 2022 04:33:40 +0800
Subject: [PATCH 2/2] pesign support SM2 signature algorithm.
Co-authored-by:Huaxin Lu <luhuaxin1@huawei.com>
---
src/signer_info.c | 72 ++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 71 insertions(+), 1 deletion(-)
diff --git a/src/signer_info.c b/src/signer_info.c
index afa00e2..4aabf5d 100644
--- a/src/signer_info.c
+++ b/src/signer_info.c
@@ -157,6 +157,65 @@ err:
return -1;
}
+#if defined(CKM_SM2_WITH_SM3) || defined(CKM_NSS_SM2_WITH_SM3)
+static int sm2_sign(SECItem *sig, cms_context *cms, SECKEYPrivateKey *privkey,
+ SECItem *content, SECOidData *oid)
+{
+ int ret = -1;
+ SECKEYPublicKey *pubkey = NULL;
+ unsigned char *buf = NULL;
+ SECStatus status;
+ SECItem sig_raw = { 0 };
+
+ pubkey = CERT_ExtractPublicKey(cms->cert);
+ if (!pubkey) {
+ cms->log(cms, LOG_ERR, "could not get public key");
+ return -1;
+ }
+
+ if (pubkey->keyType != ecKey) {
+ cms->log(cms, LOG_ERR, "invalid key type for sm2");
+ goto out;
+ }
+
+ buf = malloc(content->len + SM3_LENGTH);
+ if (!buf) {
+ cms->log(cms, LOG_ERR, "fail to alloc item");
+ goto out;
+ }
+
+ status = SEC_CreateSM2Digest(buf, &pubkey->u.ec.publicValue);
+ if (status != SECSuccess) {
+ cms->log(cms, LOG_ERR, "fail to compute sm2 z digest");
+ goto out;
+ }
+
+ memcpy(buf + SM3_LENGTH, content->data, content->len);
+ status = SEC_SignData(&sig_raw, buf, content->len + SM3_LENGTH,
+ privkey, oid->offset);
+ if (status != SECSuccess) {
+ cms->log(cms, LOG_ERR, "fail to sign data with sm2");
+ goto out;
+ }
+
+ status = DSAU_EncodeDerSigWithLen(sig, &sig_raw, 64);
+ if (status != SECSuccess) {
+ cms->log(cms, LOG_ERR, "fail to encode sm2 sig");
+ goto out;
+ }
+
+ ret = 0;
+out:
+ SECKEY_DestroyPublicKey(pubkey);
+ if (buf)
+ free(buf);
+ if (sig_raw.data)
+ PORT_Free(sig_raw.data);
+
+ return ret;
+}
+#endif
+
static int
sign_blob(cms_context *cms, SECItem *sigitem, SECItem *sign_content)
{
@@ -169,7 +228,8 @@ sign_blob(cms_context *cms, SECItem *sigitem, SECItem *sign_content)
return -1;
}
- SECOidData *oid = SECOID_FindOIDByTag(digest_get_signature_oid(cms));
+ SECOidTag oidt = digest_get_signature_oid(cms);
+ SECOidData *oid = SECOID_FindOIDByTag(oidt);
if (!oid)
goto err;
@@ -186,8 +246,18 @@ sign_blob(cms_context *cms, SECItem *sigitem, SECItem *sign_content)
memset (&tmp, '\0', sizeof (tmp));
SECStatus status;
+#if defined(CKM_SM2_WITH_SM3) || defined(CKM_NSS_SM2_WITH_SM3)
+ if (oidt == SEC_OID_SM2_WITH_SM3) {
+ status = sm2_sign(&tmp, cms, privkey, sign_content, oid) ?
+ SECFailure : SECSuccess;
+ } else {
+ status = SEC_SignData(&tmp, sign_content->data, sign_content->len,
+ privkey, oid->offset);
+ }
+#else
status = SEC_SignData(&tmp, sign_content->data, sign_content->len,
privkey, oid->offset);
+#endif
SECKEY_DestroyPrivateKey(privkey);
privkey = NULL;
--
2.33.0


@ -1,32 +0,0 @@
From fa5e86eca363b8d2bcf23feedcc86fdd076be7d4 Mon Sep 17 00:00:00 2001
From: godcansee <liu332084460@foxmail.com>
Date: Sun, 2 Oct 2022 04:23:35 +0800
Subject: [PATCH 1/2] pesign support SM3 digest algorithm.
---
src/cms_common.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/cms_common.c b/src/cms_common.c
index d13b2cb..7b6dc0e 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -68,6 +68,15 @@ static struct digest_param digest_params[] = {
.size = 20
},
#endif
+#if defined(CKM_SM2_WITH_SM3) || defined(CKM_NSS_SM2_WITH_SM3)
+ {.name = "sm3",
+ .digest_tag = SEC_OID_SM3,
+ .signature_tag = SEC_OID_SM2_WITH_SM3,
+ .digest_encryption_tag = SEC_OID_SM2_WITH_SM3,
+ .efi_guid = NULL,
+ .size = 32
+ },
+#endif
};
static int n_digest_params = sizeof (digest_params) / sizeof (digest_params[0]);
--
2.33.0


@ -1,80 +0,0 @@
From d8a8c259994d0278c59b30b41758a8dd0abff998 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 18 Jan 2023 14:00:22 -0500
Subject: [PATCH] Use normal file permissions instead of ACLs
Fixes a symlink attack that can't be mitigated using getfacl/setfacl.
pesign-authorize is now deprecated and will be removed in a future
release.
Resolves: CVE-2022-3560
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/pesign-authorize.in | 50 +++--------------------------------------
1 file changed, 3 insertions(+), 47 deletions(-)
diff --git a/src/pesign-authorize.in b/src/pesign-authorize.in
index 69797d5..b4e89e0 100644
--- a/src/pesign-authorize.in
+++ b/src/pesign-authorize.in
@@ -2,56 +2,12 @@
set -e
set -u
-#
-# With /run/pesign/socket on tmpfs, a simple way of restoring the
-# acls for specific users is useful
-#
-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
-#
-
# License: GPLv2
-declare -a fileusers=()
-declare -a dirusers=()
-while read -r user ; do
- dirusers[${#dirusers[@]}]=-m
- dirusers[${#dirusers[@]}]="u:$user:rwx"
- fileusers[${#fileusers[@]}]=-m
- fileusers[${#fileusers[@]}]="u:$user:rw"
-done </etc/pesign/users
-
-declare -a filegroups=()
-declare -a dirgroups=()
-while read -r group ; do
- dirgroups[${#dirgroups[@]}]=-m
- dirgroups[${#dirgroups[@]}]="g:$group:rwx"
- filegroups[${#filegroups[@]}]=-m
- filegroups[${#filegroups[@]}]="g:$group:rw"
-done </etc/pesign/groups
-
-update_subdir() {
- subdir=$1 && shift
- setfacl -bk "${subdir}"
- setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
- for x in "${subdir}"* ; do
- if [ -d "${x}" ]; then
- setfacl -bk "${x}"
- setfacl "${dirusers[@]}" "${dirgroups[@]}" "${x}"
- update_subdir "${x}/"
- elif [ -e "${x}" ]; then
- setfacl -bk "${x}"
- setfacl "${fileusers[@]}" "${filegroups[@]}" "${x}"
- else
- :;
- fi
- done
-}
+# This script is deprecated and will be removed in a future release.
sleep 3
for x in @@RUNDIR@@pesign/ /etc/pki/pesign/ ; do
- if [ -d "${x}" ]; then
- update_subdir "${x}"
- else
- :;
- fi
+ chown -R pesign:pesign "${x}" || true
+ chmod -R ug+rwX "${x}" || true
done


@ -4,36 +4,14 @@ Date: Mon, 7 Nov 2022 20:41:08 +0800
Subject: [PATCH] fix build error of gcc version too low
---
src/daemon.c | 3 ---
src/password.c | 3 ---
2 files changed, 6 deletions(-)
1 file changed, 3 deletions(-)
diff --git a/src/daemon.c b/src/daemon.c
index 0a66deb..c5061bd 100644
--- a/src/daemon.c
+++ b/src/daemon.c
@@ -920,8 +920,6 @@ do_shutdown(context *ctx, int nsockets, struct pollfd *pollfds)
/* GCC -fanalyzer has trouble with realloc
* https://bugzilla.redhat.com/show_bug.cgi?id=2047926 */
-#pragma GCC diagnostic push
-#pragma GCC diagnostic ignored "-Wanalyzer-use-of-uninitialized-value"
static int
handle_events(context *ctx)
{
@@ -1000,7 +998,6 @@ shutdown:
}
return 0;
}
-#pragma GCC diagnostic pop
static int
get_uid_and_gid(context *ctx, char **homedir)
diff --git a/src/password.c b/src/password.c
index 05add9a..0f359d2 100644
index ac1866e..3436ea2 100644
--- a/src/password.c
+++ b/src/password.c
@@ -304,14 +304,11 @@ SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg)
@@ -312,14 +312,11 @@ SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg)
/* Workaround for -fanalzer/reallocarray() bug
* https://bugzilla.redhat.com/show_bug.cgi?id=2047926 */
@ -47,7 +25,7 @@ index 05add9a..0f359d2 100644
-#pragma GCC diagnostic pop
span = strspn(start, whitespace_and_eol_chars);
dprintf("whitespace span is %zd", span);
dbgprintf("whitespace span is %zd", span);
--
2.27.0
2.39.1
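Review bot: Deleting the `#pragma GCC diagnostic` lines outright, as the password.c hunk of this patch does next to the `-fanalyzer` workaround comment, also removes the suppression for compilers that do understand it. If the build failure comes from an older GCC rejecting the analyzer warning name (the subject only says "gcc version too low"), a version guard would keep both cases working, e.g. wrapping the pragmas in `#if defined(__GNUC__) && __GNUC__ >= 12` and `#endif`; the exact version that introduced the option should be confirmed. The patch description is empty, so one sentence naming the failing GCC version and the error text would make the patch easier to re-evaluate on the next rebase. The body of SECU_FilePasswd lies outside the visible hunk.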


@ -1,11 +1,11 @@
%global macrosdir %(d=%{_rpmconfigdir}/macros.d; [ -d $d ] || d=%{_sysconfdir}/rpm; echo $d)
Name: pesign
Summary: Signing utility for UEFI binaries
Version: 115
Release: 4
Version: 116
Release: 1
License: GPLv2
URL: https://github.com/rhboot/pesign
Source0: https://github.com/rhboot/pesign/archive/refs/tags/115.tar.gz
Source0: https://github.com/rhboot/pesign/archive/refs/tags/116.tar.gz
Source1: certs.tar.xz
Source2: pesign.py
Source3: euleros-certs.tar.bz2
@ -17,13 +17,8 @@ BuildRequires: nss-devel >= 3.13.6-1 efivar-devel >= 31-1 libuuid-devel tar xz
BuildRequires: python3-rpm-macros python3 systemd python3-devel gcc mandoc
Patch0001: Bugfix-cms_common-fix-cert-match-check.patch
Patch0002: Bugfix-Free-resources-if-certificate-cannot-be-found.patch
# Feature: support SM2 and SM3
Patch9000: Feature-pesign-support-SM3-digest-algorithm.patch
Patch9001: Feature-pesign-support-SM2-signature-algorithm.patch
Patch0002: 0001-cms_common-Fixed-Segmentation-fault.patch
Patch9002: Fix-build-error-of-gcc-version-too-low.patch
Patch9003: Fix-CVE-2022-3560.patch
%description
pesign is a command line tool for manipulating signatures and
@ -84,22 +79,22 @@ exit 0
%config(noreplace)/%{_sysconfdir}/pesign/*
%{_sysconfdir}/popt.d/pesign.popt
%{macrosdir}/macros.pesign
%dir %attr(0775,pesign,pesign) /etc/pki/pesign/euleros-pesign-db
%attr(0644,pesign,pesign) /etc/pki/pesign/euleros-pesign-db/*
%ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/socket
%ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/pesign.pid
%{_tmpfilesdir}/pesign.conf
%{_unitdir}/pesign.service
%{python3_sitelib}/mockbuild/plugins/*/pesign.*
%{python3_sitelib}/mockbuild/plugins/pesign.*
%exclude /boot
%exclude %{_sysconfdir}/rpm
%files help
%doc README TODO
%doc README.md TODO
%{_mandir}/man*/*
%changelog
* Thu May 04 2023 chenchen <chen_aka_jan@163.com> - 116-1
- Update to 116
* Tue Feb 14 2023 luopihui <luopihui@ncti-gba.cn> - 115-4
- Fix CVE-2022-3560
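Review bot: The patch list drops `Patch9003: Fix-CVE-2022-3560.patch` and the SM2/SM3 feature patches (`Patch9000`, `Patch9001`), but the new `%changelog` entry records only `- Update to 116`. Nothing on this page shows that the 116 tarball already contains the CVE-2022-3560 change (upstream commit d8a8c259994d0278c59b30b41758a8dd0abff998, quoted in the deleted patch). That should be verified against the unpacked source and recorded, e.g. `- Drop Fix-CVE-2022-3560.patch, fixed upstream in 116`. If SM2/SM3 signing is being removed rather than picked up from upstream, a line such as `- Drop SM2/SM3 feature patches` would tell users who depend on it that the capability is gone.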