app-crypt/sbsigntools: Bump 0.9.2 version with libressl patch
This commit is contained in:
@@ -1,29 +0,0 @@
|
||||
From 21e984fa9d93a760cc03f5d9d13d023809227df2 Mon Sep 17 00:00:00 2001
|
||||
From: James Bottomley <JBottomley@Parallels.com>
|
||||
Date: Thu, 11 Apr 2013 21:12:17 -0700
|
||||
Subject: image.c: clear image variable
|
||||
|
||||
Not zeroing the image after talloc occasionally leads to a segfault because
|
||||
the programme thinks it has a signature when in reality it just has a junk
|
||||
pointer and segfaults.
|
||||
|
||||
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
|
||||
---
|
||||
src/image.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/image.c b/src/image.c
|
||||
index cc55791..10eba0e 100644
|
||||
--- a/src/image.c
|
||||
+++ b/src/image.c
|
||||
@@ -401,6 +401,7 @@ struct image *image_load(const char *filename)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
+ memset(image, 0, sizeof(*image));
|
||||
rc = fileio_read_file(image, filename, &image->buf, &image->size);
|
||||
if (rc)
|
||||
goto err;
|
||||
--
|
||||
1.8.2.1
|
||||
|
||||
@@ -1,39 +0,0 @@
|
||||
From e58a528ef57e53008222f238cce7c326a14572e2 Mon Sep 17 00:00:00 2001
|
||||
From: James Bottomley <JBottomley@Parallels.com>
|
||||
Date: Mon, 30 Sep 2013 19:25:37 -0700
|
||||
Subject: [PATCH 4/4] Fix for multi-sign
|
||||
|
||||
The new Tianocore multi-sign code fails now for images signed with
|
||||
sbsigntools. The reason is that we don't actually align the signature table,
|
||||
we just slap it straight after the binary data. Unfortunately, the new
|
||||
multi-signature code checks that our alignment offsets are correct and fails
|
||||
the signature for this reason. Fix by adding junk to the end of the image to
|
||||
align the signature section.
|
||||
|
||||
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
|
||||
---
|
||||
src/image.c | 8 +++++++-
|
||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/image.c b/src/image.c
|
||||
index 10eba0e..519e288 100644
|
||||
--- a/src/image.c
|
||||
+++ b/src/image.c
|
||||
@@ -385,7 +385,13 @@ static int image_find_regions(struct image *image)
|
||||
|
||||
/* record the size of non-signature data */
|
||||
r = &image->checksum_regions[image->n_checksum_regions - 1];
|
||||
- image->data_size = (r->data - (void *)image->buf) + r->size;
|
||||
+ /*
|
||||
+ * The new Tianocore multisign does a stricter check of the signatures
|
||||
+ * in particular, the signature table must start at an aligned offset
|
||||
+ * fix this by adding bytes to the end of the text section (which must
|
||||
+ * be included in the hash)
|
||||
+ */
|
||||
+ image->data_size = align_up((r->data - (void *)image->buf) + r->size, 8);
|
||||
|
||||
return 0;
|
||||
}
|
||||
--
|
||||
1.8.4
|
||||
|
||||
19
app-crypt/sbsigntools/files/libressl.patch
Normal file
19
app-crypt/sbsigntools/files/libressl.patch
Normal file
@@ -0,0 +1,19 @@
|
||||
--- a/src/sbverify.c 2017-10-28 16:23:16.000000000 +0300
|
||||
+++ b/src/sbverify.c 2018-09-27 17:46:37.592055110 +0300
|
||||
@@ -56,16 +56,12 @@
|
||||
#include <openssl/pem.h>
|
||||
#include <openssl/x509v3.h>
|
||||
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
#define X509_OBJECT_get0_X509(obj) ((obj)->data.x509)
|
||||
#define X509_OBJECT_get_type(obj) ((obj)->type)
|
||||
#define X509_STORE_CTX_get0_cert(ctx) ((ctx)->cert)
|
||||
#define X509_STORE_get0_objects(certs) ((certs)->objs)
|
||||
#define X509_get_extended_key_usage(cert) ((cert)->ex_xkusage)
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x10020000L
|
||||
#define X509_STORE_CTX_get0_store(ctx) ((ctx)->ctx)
|
||||
-#endif
|
||||
-#endif
|
||||
|
||||
static const char *toolname = "sbverify";
|
||||
static const int cert_name_len = 160;
|
||||
@@ -1,152 +0,0 @@
|
||||
diff --git a/src/fileio.c b/src/fileio.c
|
||||
index 032eb1e..09bc3aa 100644
|
||||
--- a/src/fileio.c
|
||||
+++ b/src/fileio.c
|
||||
@@ -40,6 +40,7 @@
|
||||
#include <openssl/pem.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/engine.h>
|
||||
+#include <openssl/ui.h>
|
||||
|
||||
#include <ccan/talloc/talloc.h>
|
||||
#include <ccan/read_write_all/read_write_all.h>
|
||||
diff --git a/src/idc.c b/src/idc.c
|
||||
index 236cefd..6d87bd4 100644
|
||||
--- a/src/idc.c
|
||||
+++ b/src/idc.c
|
||||
@@ -238,7 +238,11 @@ struct idc *IDC_get(PKCS7 *p7, BIO *bio)
|
||||
|
||||
/* extract the idc from the signed PKCS7 'other' data */
|
||||
str = p7->d.sign->contents->d.other->value.asn1_string;
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
idcbuf = buf = ASN1_STRING_data(str);
|
||||
+#else
|
||||
+ idcbuf = buf = ASN1_STRING_get0_data(str);
|
||||
+#endif
|
||||
idc = d2i_IDC(NULL, &buf, ASN1_STRING_length(str));
|
||||
|
||||
/* If we were passed a BIO, write the idc data, minus type and length,
|
||||
@@ -289,7 +293,11 @@ int IDC_check_hash(struct idc *idc, struct image *image)
|
||||
}
|
||||
|
||||
/* check hash against the one we calculated from the image */
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
buf = ASN1_STRING_data(str);
|
||||
+#else
|
||||
+ buf = ASN1_STRING_get0_data(str);
|
||||
+#endif
|
||||
if (memcmp(buf, sha, sizeof(sha))) {
|
||||
fprintf(stderr, "Hash doesn't match image\n");
|
||||
fprintf(stderr, " got: %s\n", sha256_str(buf));
|
||||
diff --git a/src/sbattach.c b/src/sbattach.c
|
||||
index a0c01b8..e89a23e 100644
|
||||
--- a/src/sbattach.c
|
||||
+++ b/src/sbattach.c
|
||||
@@ -231,6 +231,7 @@ int main(int argc, char **argv)
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
ERR_load_crypto_strings();
|
||||
OpenSSL_add_all_digests();
|
||||
OPENSSL_config(NULL);
|
||||
@@ -239,6 +240,7 @@ int main(int argc, char **argv)
|
||||
* module isn't present). In either case ignore the errors
|
||||
* (malloc will cause other failures out lower down */
|
||||
ERR_clear_error();
|
||||
+#endif
|
||||
|
||||
image = image_load(image_filename);
|
||||
if (!image) {
|
||||
diff --git a/src/sbkeysync.c b/src/sbkeysync.c
|
||||
index 7b17f40..419b1e7 100644
|
||||
--- a/src/sbkeysync.c
|
||||
+++ b/src/sbkeysync.c
|
||||
@@ -208,7 +208,11 @@ static int x509_key_parse(struct key *key, uint8_t *data, size_t len)
|
||||
goto out;
|
||||
|
||||
key->id_len = ASN1_STRING_length(serial);
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
key->id = talloc_memdup(key, ASN1_STRING_data(serial), key->id_len);
|
||||
+#else
|
||||
+ key->id = talloc_memdup(key, ASN1_STRING_get0_data(serial), key->id_len);
|
||||
+#endif
|
||||
|
||||
key->description = talloc_array(key, char, description_len);
|
||||
X509_NAME_oneline(X509_get_subject_name(x509),
|
||||
@@ -927,6 +931,7 @@ int main(int argc, char **argv)
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
ERR_load_crypto_strings();
|
||||
OpenSSL_add_all_digests();
|
||||
OpenSSL_add_all_ciphers();
|
||||
@@ -936,6 +941,7 @@ int main(int argc, char **argv)
|
||||
* module isn't present). In either case ignore the errors
|
||||
* (malloc will cause other failures out lower down */
|
||||
ERR_clear_error();
|
||||
+#endif
|
||||
|
||||
ctx->filesystem_keys = init_keyset(ctx);
|
||||
ctx->firmware_keys = init_keyset(ctx);
|
||||
diff --git a/src/sbsign.c b/src/sbsign.c
|
||||
index ff1fdfd..78d8d64 100644
|
||||
--- a/src/sbsign.c
|
||||
+++ b/src/sbsign.c
|
||||
@@ -188,6 +188,7 @@ int main(int argc, char **argv)
|
||||
|
||||
talloc_steal(ctx, ctx->image);
|
||||
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
ERR_load_crypto_strings();
|
||||
OpenSSL_add_all_digests();
|
||||
OpenSSL_add_all_ciphers();
|
||||
@@ -197,6 +198,7 @@ int main(int argc, char **argv)
|
||||
* module isn't present). In either case ignore the errors
|
||||
* (malloc will cause other failures out lower down */
|
||||
ERR_clear_error();
|
||||
+#endif
|
||||
if (engine)
|
||||
pkey = fileio_read_engine_key(engine, keyfilename);
|
||||
else
|
||||
diff --git a/src/sbvarsign.c b/src/sbvarsign.c
|
||||
index 7dcbe51..9319c8b 100644
|
||||
--- a/src/sbvarsign.c
|
||||
+++ b/src/sbvarsign.c
|
||||
@@ -509,6 +509,7 @@ int main(int argc, char **argv)
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
/* initialise openssl */
|
||||
OpenSSL_add_all_digests();
|
||||
OpenSSL_add_all_ciphers();
|
||||
@@ -519,6 +520,7 @@ int main(int argc, char **argv)
|
||||
* module isn't present). In either case ignore the errors
|
||||
* (malloc will cause other failures out lower down */
|
||||
ERR_clear_error();
|
||||
+#endif
|
||||
|
||||
/* set up the variable signing context */
|
||||
varname = argv[optind];
|
||||
diff --git a/src/sbverify.c b/src/sbverify.c
|
||||
index 3920d91..d0b203a 100644
|
||||
--- a/src/sbverify.c
|
||||
+++ b/src/sbverify.c
|
||||
@@ -250,6 +250,7 @@ int main(int argc, char **argv)
|
||||
verbose = false;
|
||||
detached_sig_filename = NULL;
|
||||
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
OpenSSL_add_all_digests();
|
||||
ERR_load_crypto_strings();
|
||||
OPENSSL_config(NULL);
|
||||
@@ -258,6 +259,7 @@ int main(int argc, char **argv)
|
||||
* module isn't present). In either case ignore the errors
|
||||
* (malloc will cause other failures out lower down */
|
||||
ERR_clear_error();
|
||||
+#endif
|
||||
|
||||
for (;;) {
|
||||
int idx;
|
||||
Reference in New Issue
Block a user