From c288033d93009db662832a620aad7eaef1d3d6f8 Mon Sep 17 00:00:00 2001 From: Alexander Miroshnichenko Date: Sat, 21 Sep 2019 15:49:14 +0300 Subject: [PATCH] app-crypt/sbsigntools: Bump 0.9.2 version with libressl patch --- app-crypt/sbsigntools/Manifest | 9 +- .../0002-image.c-clear-image-variable.patch | 29 ---- .../files/0003-Fix-for-multi-sign.patch | 39 ----- app-crypt/sbsigntools/files/libressl.patch | 19 +++ ...signtools-0.9.1-openssl-1.1.0-compat.patch | 152 ------------------ .../sbsigntools/sbsigntools-0.6-r2.ebuild | 44 ----- .../sbsigntools/sbsigntools-0.9.2.ebuild | 49 ++++++ 7 files changed, 72 insertions(+), 269 deletions(-) delete mode 100644 app-crypt/sbsigntools/files/0002-image.c-clear-image-variable.patch delete mode 100644 app-crypt/sbsigntools/files/0003-Fix-for-multi-sign.patch create mode 100644 app-crypt/sbsigntools/files/libressl.patch delete mode 100644 app-crypt/sbsigntools/files/sbsigntools-0.9.1-openssl-1.1.0-compat.patch delete mode 100644 app-crypt/sbsigntools/sbsigntools-0.6-r2.ebuild create mode 100644 app-crypt/sbsigntools/sbsigntools-0.9.2.ebuild diff --git a/app-crypt/sbsigntools/Manifest b/app-crypt/sbsigntools/Manifest index 4c59e74..c0475f7 100644 --- a/app-crypt/sbsigntools/Manifest +++ b/app-crypt/sbsigntools/Manifest @@ -1,6 +1,5 @@ -AUX 0002-image.c-clear-image-variable.patch 822 BLAKE2B acb775f625ecd081d9b3d7e497b066218e82d2dc13f80c473c25361dc85098ee15e5f14530334e47c33fe7cc9b2349ffb1aaba7abe4fdd33bfdde05ed9191c39 SHA512 004ba118cbe8fe5cc291888966e5994373c0b9d8149bc5c652a72971138fab5e64d721061c69e8b864d6ca5cdb4ffa193520156941b6bd9c998b256f8d72697b -AUX 0003-Fix-for-multi-sign.patch 1452 BLAKE2B eaa6e39c18d13f3819d5852eda27eb5a8d589241224965392f1b1e067b5cb9ff0ece7fa83697e5fb6f5f8dd0acec15b7bbe57fcd5f761fcb2e8e1fc51193641f SHA512 2aba55a116536e7f41e4aac2fd33eeb92cf89b14bcdd8b93b6e9dc9bdaf2f0162134e56f7d365640445bf801ad8590f6d49f14cdf80b791324647067d52ae435 -AUX sbsigntools-0.9.1-openssl-1.1.0-compat.patch 4727 BLAKE2B 3b47c8086220cf12778bf5cd6018627a30ea349677eeb2cfcd1eaa1b83a25d39499ab21a1a123181a51f4138624c17e574050216f59c480e38d9774936f8b6f0 SHA512 6946e1d67161345088aee3ab54129b6e904b6008f2b275ab4eb55ed24fb2b866029f7d7ca856c5dfe76c395580f04709ad1be974369a1b4954b9e87cf812fd4b -DIST sbsigntool_0.6.orig.tar.gz 212375 BLAKE2B fab9141c7fbfa01ec24f975503ac83be4ae0664251a1311afb3d95124fec3750ce20a5ffab35b6965d4ee4585ab4ee91f25ae49488214a983b6fc006071d0968 SHA512 ed314d1cb7278cf5f27d4c3cd17f2195678419a7f9e47770429b6f95df35f7df035331e60c45970183ddd9b150a9b752f876c777929598b0525872b3255af95c -EBUILD sbsigntools-0.6-r2.ebuild 1175 BLAKE2B 929699251878c2860398192e990a9e502453e50f8d3b5259dc8e7bc0f6a9ffe6e746016f120efb24b92b0a934033bd1763f7a9f6592e421b49903da6e81e3951 SHA512 7751a727c445f3e50d5669aafce8f2e4869789c988c1a32a097be814ec466a2e876f80b454c2d0817d590206ccb6ae0f24ed845cf4dee26ca5bae55ff8accd4d +AUX libressl.patch 705 BLAKE2B 0d99c7bf12ce7b7f01a9165aeafa713d0c0051e116634b720cdaa7143c9e52a19827c9ae331a6f77f47be7e4be33fe187fdf79bd5654c6e3a8dd8ce4c7943672 SHA512 7bd9df4749519df069de264b9b814932710762fc177b4fa8a30d9e49b2e9f85148b675d99c83062418e0d5bd3e5d6ed3aa9ca8079cbf7652e7dc679b53b2e9ed +DIST sbsigntool-0.8-ccan.tar.gz 113537 BLAKE2B 8fbf27463d30c1895930628a145be2d521ae4f6adb7af3299bf2f5f4319fd643df0a07347ef6851bd41d233af4c3fc5f77002771af1c43aa0f20665aef2390b8 SHA512 6857096879f116f1802eb6b44789cbea7bb24440bc0f16503aeadf5f276fa45943f322f844dbb9abee717655205d82b830143be3a7f4424fd4146b9360674a09 +DIST sbsigntools-0.9.2.tar.gz 56525 BLAKE2B 0bce1f534aa960672eab6a415e287b79ff9f18eb947e2217ad4533081f8b854e160b57828afbb56423b2dcab723d3a8aacb2e6affeb2057d17ce3c1761d96b11 SHA512 060753ed9c8db794e4755cc66c1940a2ccc89f4ddf0e825da1f1e6eaa75fc67c21060ee4b5dfb0c757b69e6f5959bfa68156d9f95a945cf63c6a20f1414a2c27 +EBUILD sbsigntools-0.9.2.ebuild 1333 BLAKE2B 8133ba395ae163442ddebec8ca8c69b215f93ae7930e892cc6c5b47075b6fab7fd98224dd1bb58c4cb4c7f531bafdc2fc26e88fe2b5311351be14d49ab683d9c SHA512 b65e6d67b8cc6a3d258d741dd86ca050abb6ab882aa294b60f1971beb7ca9324df480af2cb71799641bb28e970869e3ad7bbf17a738a0a7dc0e775ca625916cd MISC metadata.xml 291 BLAKE2B 0aeb75750176d719f10db508a8924d0bf2fe75e8544b275a7c7e11c44320ce4f7819febb093dd3083a33a998a225f2a3b882407a8ffc03d1a57d03cbfc0a7ff2 SHA512 f7a520fc9a216ff983bd3d361c6ddb3b635eb5dcd94ed042e7c5d0beb0b4e10cdb231e2b4ace599ebb93d4bb46e071a744f1a780ec83f451bb2ee6bad4c2d8cc diff --git a/app-crypt/sbsigntools/files/0002-image.c-clear-image-variable.patch b/app-crypt/sbsigntools/files/0002-image.c-clear-image-variable.patch deleted file mode 100644 index dfe183e..0000000 --- a/app-crypt/sbsigntools/files/0002-image.c-clear-image-variable.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 21e984fa9d93a760cc03f5d9d13d023809227df2 Mon Sep 17 00:00:00 2001 -From: James Bottomley -Date: Thu, 11 Apr 2013 21:12:17 -0700 -Subject: image.c: clear image variable - -Not zeroing the image after talloc occasionally leads to a segfault because -the programme thinks it has a signature when in reality it just has a junk -pointer and segfaults. - -Signed-off-by: James Bottomley ---- - src/image.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/image.c b/src/image.c -index cc55791..10eba0e 100644 ---- a/src/image.c -+++ b/src/image.c -@@ -401,6 +401,7 @@ struct image *image_load(const char *filename) - return NULL; - } - -+ memset(image, 0, sizeof(*image)); - rc = fileio_read_file(image, filename, &image->buf, &image->size); - if (rc) - goto err; --- -1.8.2.1 - diff --git a/app-crypt/sbsigntools/files/0003-Fix-for-multi-sign.patch b/app-crypt/sbsigntools/files/0003-Fix-for-multi-sign.patch deleted file mode 100644 index f42c696..0000000 --- a/app-crypt/sbsigntools/files/0003-Fix-for-multi-sign.patch +++ /dev/null @@ -1,39 +0,0 @@ -From e58a528ef57e53008222f238cce7c326a14572e2 Mon Sep 17 00:00:00 2001 -From: James Bottomley -Date: Mon, 30 Sep 2013 19:25:37 -0700 -Subject: [PATCH 4/4] Fix for multi-sign - -The new Tianocore multi-sign code fails now for images signed with -sbsigntools. The reason is that we don't actually align the signature table, -we just slap it straight after the binary data. Unfortunately, the new -multi-signature code checks that our alignment offsets are correct and fails -the signature for this reason. Fix by adding junk to the end of the image to -align the signature section. - -Signed-off-by: James Bottomley ---- - src/image.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/src/image.c b/src/image.c -index 10eba0e..519e288 100644 ---- a/src/image.c -+++ b/src/image.c -@@ -385,7 +385,13 @@ static int image_find_regions(struct image *image) - - /* record the size of non-signature data */ - r = &image->checksum_regions[image->n_checksum_regions - 1]; -- image->data_size = (r->data - (void *)image->buf) + r->size; -+ /* -+ * The new Tianocore multisign does a stricter check of the signatures -+ * in particular, the signature table must start at an aligned offset -+ * fix this by adding bytes to the end of the text section (which must -+ * be included in the hash) -+ */ -+ image->data_size = align_up((r->data - (void *)image->buf) + r->size, 8); - - return 0; - } --- -1.8.4 - diff --git a/app-crypt/sbsigntools/files/libressl.patch b/app-crypt/sbsigntools/files/libressl.patch new file mode 100644 index 0000000..ed03dfe --- /dev/null +++ b/app-crypt/sbsigntools/files/libressl.patch @@ -0,0 +1,19 @@ +--- a/src/sbverify.c 2017-10-28 16:23:16.000000000 +0300 ++++ b/src/sbverify.c 2018-09-27 17:46:37.592055110 +0300 +@@ -56,16 +56,12 @@ + #include + #include + +-#if OPENSSL_VERSION_NUMBER < 0x10100000L + #define X509_OBJECT_get0_X509(obj) ((obj)->data.x509) + #define X509_OBJECT_get_type(obj) ((obj)->type) + #define X509_STORE_CTX_get0_cert(ctx) ((ctx)->cert) + #define X509_STORE_get0_objects(certs) ((certs)->objs) + #define X509_get_extended_key_usage(cert) ((cert)->ex_xkusage) +-#if OPENSSL_VERSION_NUMBER < 0x10020000L + #define X509_STORE_CTX_get0_store(ctx) ((ctx)->ctx) +-#endif +-#endif + + static const char *toolname = "sbverify"; + static const int cert_name_len = 160; diff --git a/app-crypt/sbsigntools/files/sbsigntools-0.9.1-openssl-1.1.0-compat.patch b/app-crypt/sbsigntools/files/sbsigntools-0.9.1-openssl-1.1.0-compat.patch deleted file mode 100644 index 2f9364f..0000000 --- a/app-crypt/sbsigntools/files/sbsigntools-0.9.1-openssl-1.1.0-compat.patch +++ /dev/null @@ -1,152 +0,0 @@ -diff --git a/src/fileio.c b/src/fileio.c -index 032eb1e..09bc3aa 100644 ---- a/src/fileio.c -+++ b/src/fileio.c -@@ -40,6 +40,7 @@ - #include - #include - #include -+#include - - #include - #include -diff --git a/src/idc.c b/src/idc.c -index 236cefd..6d87bd4 100644 ---- a/src/idc.c -+++ b/src/idc.c -@@ -238,7 +238,11 @@ struct idc *IDC_get(PKCS7 *p7, BIO *bio) - - /* extract the idc from the signed PKCS7 'other' data */ - str = p7->d.sign->contents->d.other->value.asn1_string; -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - idcbuf = buf = ASN1_STRING_data(str); -+#else -+ idcbuf = buf = ASN1_STRING_get0_data(str); -+#endif - idc = d2i_IDC(NULL, &buf, ASN1_STRING_length(str)); - - /* If we were passed a BIO, write the idc data, minus type and length, -@@ -289,7 +293,11 @@ int IDC_check_hash(struct idc *idc, struct image *image) - } - - /* check hash against the one we calculated from the image */ -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - buf = ASN1_STRING_data(str); -+#else -+ buf = ASN1_STRING_get0_data(str); -+#endif - if (memcmp(buf, sha, sizeof(sha))) { - fprintf(stderr, "Hash doesn't match image\n"); - fprintf(stderr, " got: %s\n", sha256_str(buf)); -diff --git a/src/sbattach.c b/src/sbattach.c -index a0c01b8..e89a23e 100644 ---- a/src/sbattach.c -+++ b/src/sbattach.c -@@ -231,6 +231,7 @@ int main(int argc, char **argv) - return EXIT_FAILURE; - } - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - ERR_load_crypto_strings(); - OpenSSL_add_all_digests(); - OPENSSL_config(NULL); -@@ -239,6 +240,7 @@ int main(int argc, char **argv) - * module isn't present). In either case ignore the errors - * (malloc will cause other failures out lower down */ - ERR_clear_error(); -+#endif - - image = image_load(image_filename); - if (!image) { -diff --git a/src/sbkeysync.c b/src/sbkeysync.c -index 7b17f40..419b1e7 100644 ---- a/src/sbkeysync.c -+++ b/src/sbkeysync.c -@@ -208,7 +208,11 @@ static int x509_key_parse(struct key *key, uint8_t *data, size_t len) - goto out; - - key->id_len = ASN1_STRING_length(serial); -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - key->id = talloc_memdup(key, ASN1_STRING_data(serial), key->id_len); -+#else -+ key->id = talloc_memdup(key, ASN1_STRING_get0_data(serial), key->id_len); -+#endif - - key->description = talloc_array(key, char, description_len); - X509_NAME_oneline(X509_get_subject_name(x509), -@@ -927,6 +931,7 @@ int main(int argc, char **argv) - return EXIT_FAILURE; - } - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - ERR_load_crypto_strings(); - OpenSSL_add_all_digests(); - OpenSSL_add_all_ciphers(); -@@ -936,6 +941,7 @@ int main(int argc, char **argv) - * module isn't present). In either case ignore the errors - * (malloc will cause other failures out lower down */ - ERR_clear_error(); -+#endif - - ctx->filesystem_keys = init_keyset(ctx); - ctx->firmware_keys = init_keyset(ctx); -diff --git a/src/sbsign.c b/src/sbsign.c -index ff1fdfd..78d8d64 100644 ---- a/src/sbsign.c -+++ b/src/sbsign.c -@@ -188,6 +188,7 @@ int main(int argc, char **argv) - - talloc_steal(ctx, ctx->image); - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - ERR_load_crypto_strings(); - OpenSSL_add_all_digests(); - OpenSSL_add_all_ciphers(); -@@ -197,6 +198,7 @@ int main(int argc, char **argv) - * module isn't present). In either case ignore the errors - * (malloc will cause other failures out lower down */ - ERR_clear_error(); -+#endif - if (engine) - pkey = fileio_read_engine_key(engine, keyfilename); - else -diff --git a/src/sbvarsign.c b/src/sbvarsign.c -index 7dcbe51..9319c8b 100644 ---- a/src/sbvarsign.c -+++ b/src/sbvarsign.c -@@ -509,6 +509,7 @@ int main(int argc, char **argv) - return EXIT_FAILURE; - } - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - /* initialise openssl */ - OpenSSL_add_all_digests(); - OpenSSL_add_all_ciphers(); -@@ -519,6 +520,7 @@ int main(int argc, char **argv) - * module isn't present). In either case ignore the errors - * (malloc will cause other failures out lower down */ - ERR_clear_error(); -+#endif - - /* set up the variable signing context */ - varname = argv[optind]; -diff --git a/src/sbverify.c b/src/sbverify.c -index 3920d91..d0b203a 100644 ---- a/src/sbverify.c -+++ b/src/sbverify.c -@@ -250,6 +250,7 @@ int main(int argc, char **argv) - verbose = false; - detached_sig_filename = NULL; - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - OpenSSL_add_all_digests(); - ERR_load_crypto_strings(); - OPENSSL_config(NULL); -@@ -258,6 +259,7 @@ int main(int argc, char **argv) - * module isn't present). In either case ignore the errors - * (malloc will cause other failures out lower down */ - ERR_clear_error(); -+#endif - - for (;;) { - int idx; diff --git a/app-crypt/sbsigntools/sbsigntools-0.6-r2.ebuild b/app-crypt/sbsigntools/sbsigntools-0.6-r2.ebuild deleted file mode 100644 index 1a1435d..0000000 --- a/app-crypt/sbsigntools/sbsigntools-0.6-r2.ebuild +++ /dev/null @@ -1,44 +0,0 @@ -# Copyright 1999-2018 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -EAPI="5" - -MY_PN="${PN::-1}" - -inherit eutils toolchain-funcs - -DESCRIPTION="Utilities for signing and verifying files for UEFI Secure Boot" -HOMEPAGE="https://launchpad.net/ubuntu/+source/sbsigntool" -SRC_URI="https://launchpad.net/ubuntu/+archive/primary/+files/${MY_PN}_${PV}.orig.tar.gz" - -LICENSE="GPL-3" -SLOT="0" -KEYWORDS="amd64 x86" -IUSE="libressl" - -RDEPEND=" - !libressl? ( dev-libs/openssl:0= ) - libressl? ( dev-libs/libressl:0= ) - sys-apps/util-linux" -DEPEND="${RDEPEND} - sys-apps/help2man - sys-boot/gnu-efi - sys-libs/binutils-libs - virtual/pkgconfig" - -S="${WORKDIR}/${MY_PN}-${PV}" - -src_prepare() { - local iarch - case ${ARCH} in - ia64) iarch=ia64 ;; - x86) iarch=ia32 ;; - amd64) iarch=x86_64 ;; - *) die "unsupported architecture: ${ARCH}" ;; - esac - sed -i "/^EFI_ARCH=/s:=.*:=${iarch}:" configure || die - sed -i 's/-m64$/& -march=x86-64/' tests/Makefile.in || die - sed -i "/^AR /s:=.*:= $(tc-getAR):" lib/ccan/Makefile.in || die #481480 - epatch "${FILESDIR}"/0002-image.c-clear-image-variable.patch - epatch "${FILESDIR}"/0003-Fix-for-multi-sign.patch -} diff --git a/app-crypt/sbsigntools/sbsigntools-0.9.2.ebuild b/app-crypt/sbsigntools/sbsigntools-0.9.2.ebuild new file mode 100644 index 0000000..5b34299 --- /dev/null +++ b/app-crypt/sbsigntools/sbsigntools-0.9.2.ebuild @@ -0,0 +1,49 @@ +# Copyright 1999-2019 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI="7" + +MY_PN="${PN::-1}" + +inherit eutils autotools + +DESCRIPTION="Utilities for signing and verifying files for UEFI Secure Boot" +HOMEPAGE="https://git.kernel.org/cgit/linux/kernel/git/jejb/sbsigntools.git/" +SRC_URI="https://git.kernel.org/pub/scm/linux/kernel/git/jejb/${PN}.git/snapshot/${P}.tar.gz + https://dev.gentoo.org/~tamiko/distfiles/${MY_PN}-0.8-ccan.tar.gz" + +LICENSE="GPL-3 LGPL-3 LGPL-2.1 CC0-1.0" +SLOT="0" +KEYWORDS="amd64 ~arm64 x86" +IUSE="libressl" + +RDEPEND="!libressl? ( dev-libs/openssl:0= ) + libressl? ( dev-libs/libressl:0= ) + sys-apps/util-linux" +DEPEND="${RDEPEND} + sys-apps/help2man + sys-boot/gnu-efi + sys-libs/binutils-libs + virtual/pkgconfig" + +src_prepare() { + mv "${WORKDIR}"/lib/ccan "${S}"/lib || die "mv failed" + rmdir "${WORKDIR}"/lib || die "rmdir failed" + + local iarch + case ${ARCH} in + amd64) iarch=x86_64 ;; + arm64) iarch=aarch64 ;; + ia64) iarch=ia64 ;; + x86) iarch=ia32 ;; + *) die "unsupported architecture: ${ARCH}" ;; + esac + sed -i "/^EFI_ARCH=/s:=.*:=${iarch}:" configure.ac || die + sed -i 's/-m64$/& -march=x86-64/' tests/Makefile.am || die + sed -i "/^AR /s:=.*:= $(tc-getAR):" lib/ccan/Makefile.in || die #481480 + + eapply "${FILESDIR}"/libressl.patch + + default + eautoreconf +}