app-crypt/sbsigntools: Bump 0.9.2 version with libressl patch

This commit is contained in:
Alexander Miroshnichenko 2019-09-21 15:49:14 +03:00
parent 9b504d8fcc
commit c288033d93
Signed by: alex
GPG Key ID: E93720C6C73A77F4
7 changed files with 72 additions and 269 deletions

View File

@ -1,6 +1,5 @@
AUX 0002-image.c-clear-image-variable.patch 822 BLAKE2B acb775f625ecd081d9b3d7e497b066218e82d2dc13f80c473c25361dc85098ee15e5f14530334e47c33fe7cc9b2349ffb1aaba7abe4fdd33bfdde05ed9191c39 SHA512 004ba118cbe8fe5cc291888966e5994373c0b9d8149bc5c652a72971138fab5e64d721061c69e8b864d6ca5cdb4ffa193520156941b6bd9c998b256f8d72697b AUX libressl.patch 705 BLAKE2B 0d99c7bf12ce7b7f01a9165aeafa713d0c0051e116634b720cdaa7143c9e52a19827c9ae331a6f77f47be7e4be33fe187fdf79bd5654c6e3a8dd8ce4c7943672 SHA512 7bd9df4749519df069de264b9b814932710762fc177b4fa8a30d9e49b2e9f85148b675d99c83062418e0d5bd3e5d6ed3aa9ca8079cbf7652e7dc679b53b2e9ed
AUX 0003-Fix-for-multi-sign.patch 1452 BLAKE2B eaa6e39c18d13f3819d5852eda27eb5a8d589241224965392f1b1e067b5cb9ff0ece7fa83697e5fb6f5f8dd0acec15b7bbe57fcd5f761fcb2e8e1fc51193641f SHA512 2aba55a116536e7f41e4aac2fd33eeb92cf89b14bcdd8b93b6e9dc9bdaf2f0162134e56f7d365640445bf801ad8590f6d49f14cdf80b791324647067d52ae435 DIST sbsigntool-0.8-ccan.tar.gz 113537 BLAKE2B 8fbf27463d30c1895930628a145be2d521ae4f6adb7af3299bf2f5f4319fd643df0a07347ef6851bd41d233af4c3fc5f77002771af1c43aa0f20665aef2390b8 SHA512 6857096879f116f1802eb6b44789cbea7bb24440bc0f16503aeadf5f276fa45943f322f844dbb9abee717655205d82b830143be3a7f4424fd4146b9360674a09
AUX sbsigntools-0.9.1-openssl-1.1.0-compat.patch 4727 BLAKE2B 3b47c8086220cf12778bf5cd6018627a30ea349677eeb2cfcd1eaa1b83a25d39499ab21a1a123181a51f4138624c17e574050216f59c480e38d9774936f8b6f0 SHA512 6946e1d67161345088aee3ab54129b6e904b6008f2b275ab4eb55ed24fb2b866029f7d7ca856c5dfe76c395580f04709ad1be974369a1b4954b9e87cf812fd4b DIST sbsigntools-0.9.2.tar.gz 56525 BLAKE2B 0bce1f534aa960672eab6a415e287b79ff9f18eb947e2217ad4533081f8b854e160b57828afbb56423b2dcab723d3a8aacb2e6affeb2057d17ce3c1761d96b11 SHA512 060753ed9c8db794e4755cc66c1940a2ccc89f4ddf0e825da1f1e6eaa75fc67c21060ee4b5dfb0c757b69e6f5959bfa68156d9f95a945cf63c6a20f1414a2c27
DIST sbsigntool_0.6.orig.tar.gz 212375 BLAKE2B fab9141c7fbfa01ec24f975503ac83be4ae0664251a1311afb3d95124fec3750ce20a5ffab35b6965d4ee4585ab4ee91f25ae49488214a983b6fc006071d0968 SHA512 ed314d1cb7278cf5f27d4c3cd17f2195678419a7f9e47770429b6f95df35f7df035331e60c45970183ddd9b150a9b752f876c777929598b0525872b3255af95c EBUILD sbsigntools-0.9.2.ebuild 1333 BLAKE2B 8133ba395ae163442ddebec8ca8c69b215f93ae7930e892cc6c5b47075b6fab7fd98224dd1bb58c4cb4c7f531bafdc2fc26e88fe2b5311351be14d49ab683d9c SHA512 b65e6d67b8cc6a3d258d741dd86ca050abb6ab882aa294b60f1971beb7ca9324df480af2cb71799641bb28e970869e3ad7bbf17a738a0a7dc0e775ca625916cd
EBUILD sbsigntools-0.6-r2.ebuild 1175 BLAKE2B 929699251878c2860398192e990a9e502453e50f8d3b5259dc8e7bc0f6a9ffe6e746016f120efb24b92b0a934033bd1763f7a9f6592e421b49903da6e81e3951 SHA512 7751a727c445f3e50d5669aafce8f2e4869789c988c1a32a097be814ec466a2e876f80b454c2d0817d590206ccb6ae0f24ed845cf4dee26ca5bae55ff8accd4d
MISC metadata.xml 291 BLAKE2B 0aeb75750176d719f10db508a8924d0bf2fe75e8544b275a7c7e11c44320ce4f7819febb093dd3083a33a998a225f2a3b882407a8ffc03d1a57d03cbfc0a7ff2 SHA512 f7a520fc9a216ff983bd3d361c6ddb3b635eb5dcd94ed042e7c5d0beb0b4e10cdb231e2b4ace599ebb93d4bb46e071a744f1a780ec83f451bb2ee6bad4c2d8cc MISC metadata.xml 291 BLAKE2B 0aeb75750176d719f10db508a8924d0bf2fe75e8544b275a7c7e11c44320ce4f7819febb093dd3083a33a998a225f2a3b882407a8ffc03d1a57d03cbfc0a7ff2 SHA512 f7a520fc9a216ff983bd3d361c6ddb3b635eb5dcd94ed042e7c5d0beb0b4e10cdb231e2b4ace599ebb93d4bb46e071a744f1a780ec83f451bb2ee6bad4c2d8cc

View File

@ -1,29 +0,0 @@
From 21e984fa9d93a760cc03f5d9d13d023809227df2 Mon Sep 17 00:00:00 2001
From: James Bottomley <JBottomley@Parallels.com>
Date: Thu, 11 Apr 2013 21:12:17 -0700
Subject: image.c: clear image variable
Not zeroing the image after talloc occasionally leads to a segfault because
the programme thinks it has a signature when in reality it just has a junk
pointer and segfaults.
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
---
src/image.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/image.c b/src/image.c
index cc55791..10eba0e 100644
--- a/src/image.c
+++ b/src/image.c
@@ -401,6 +401,7 @@ struct image *image_load(const char *filename)
return NULL;
}
+ memset(image, 0, sizeof(*image));
rc = fileio_read_file(image, filename, &image->buf, &image->size);
if (rc)
goto err;
--
1.8.2.1

View File

@ -1,39 +0,0 @@
From e58a528ef57e53008222f238cce7c326a14572e2 Mon Sep 17 00:00:00 2001
From: James Bottomley <JBottomley@Parallels.com>
Date: Mon, 30 Sep 2013 19:25:37 -0700
Subject: [PATCH 4/4] Fix for multi-sign
The new Tianocore multi-sign code fails now for images signed with
sbsigntools. The reason is that we don't actually align the signature table,
we just slap it straight after the binary data. Unfortunately, the new
multi-signature code checks that our alignment offsets are correct and fails
the signature for this reason. Fix by adding junk to the end of the image to
align the signature section.
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
---
src/image.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/image.c b/src/image.c
index 10eba0e..519e288 100644
--- a/src/image.c
+++ b/src/image.c
@@ -385,7 +385,13 @@ static int image_find_regions(struct image *image)
/* record the size of non-signature data */
r = &image->checksum_regions[image->n_checksum_regions - 1];
- image->data_size = (r->data - (void *)image->buf) + r->size;
+ /*
+ * The new Tianocore multisign does a stricter check of the signatures
+ * in particular, the signature table must start at an aligned offset
+ * fix this by adding bytes to the end of the text section (which must
+ * be included in the hash)
+ */
+ image->data_size = align_up((r->data - (void *)image->buf) + r->size, 8);
return 0;
}
--
1.8.4

View File

@ -0,0 +1,19 @@
--- a/src/sbverify.c 2017-10-28 16:23:16.000000000 +0300
+++ b/src/sbverify.c 2018-09-27 17:46:37.592055110 +0300
@@ -56,16 +56,12 @@
#include <openssl/pem.h>
#include <openssl/x509v3.h>
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
#define X509_OBJECT_get0_X509(obj) ((obj)->data.x509)
#define X509_OBJECT_get_type(obj) ((obj)->type)
#define X509_STORE_CTX_get0_cert(ctx) ((ctx)->cert)
#define X509_STORE_get0_objects(certs) ((certs)->objs)
#define X509_get_extended_key_usage(cert) ((cert)->ex_xkusage)
-#if OPENSSL_VERSION_NUMBER < 0x10020000L
#define X509_STORE_CTX_get0_store(ctx) ((ctx)->ctx)
-#endif
-#endif
static const char *toolname = "sbverify";
static const int cert_name_len = 160;

View File

@ -1,152 +0,0 @@
diff --git a/src/fileio.c b/src/fileio.c
index 032eb1e..09bc3aa 100644
--- a/src/fileio.c
+++ b/src/fileio.c
@@ -40,6 +40,7 @@
#include <openssl/pem.h>
#include <openssl/err.h>
#include <openssl/engine.h>
+#include <openssl/ui.h>
#include <ccan/talloc/talloc.h>
#include <ccan/read_write_all/read_write_all.h>
diff --git a/src/idc.c b/src/idc.c
index 236cefd..6d87bd4 100644
--- a/src/idc.c
+++ b/src/idc.c
@@ -238,7 +238,11 @@ struct idc *IDC_get(PKCS7 *p7, BIO *bio)
/* extract the idc from the signed PKCS7 'other' data */
str = p7->d.sign->contents->d.other->value.asn1_string;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
idcbuf = buf = ASN1_STRING_data(str);
+#else
+ idcbuf = buf = ASN1_STRING_get0_data(str);
+#endif
idc = d2i_IDC(NULL, &buf, ASN1_STRING_length(str));
/* If we were passed a BIO, write the idc data, minus type and length,
@@ -289,7 +293,11 @@ int IDC_check_hash(struct idc *idc, struct image *image)
}
/* check hash against the one we calculated from the image */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
buf = ASN1_STRING_data(str);
+#else
+ buf = ASN1_STRING_get0_data(str);
+#endif
if (memcmp(buf, sha, sizeof(sha))) {
fprintf(stderr, "Hash doesn't match image\n");
fprintf(stderr, " got: %s\n", sha256_str(buf));
diff --git a/src/sbattach.c b/src/sbattach.c
index a0c01b8..e89a23e 100644
--- a/src/sbattach.c
+++ b/src/sbattach.c
@@ -231,6 +231,7 @@ int main(int argc, char **argv)
return EXIT_FAILURE;
}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
ERR_load_crypto_strings();
OpenSSL_add_all_digests();
OPENSSL_config(NULL);
@@ -239,6 +240,7 @@ int main(int argc, char **argv)
* module isn't present). In either case ignore the errors
* (malloc will cause other failures out lower down */
ERR_clear_error();
+#endif
image = image_load(image_filename);
if (!image) {
diff --git a/src/sbkeysync.c b/src/sbkeysync.c
index 7b17f40..419b1e7 100644
--- a/src/sbkeysync.c
+++ b/src/sbkeysync.c
@@ -208,7 +208,11 @@ static int x509_key_parse(struct key *key, uint8_t *data, size_t len)
goto out;
key->id_len = ASN1_STRING_length(serial);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
key->id = talloc_memdup(key, ASN1_STRING_data(serial), key->id_len);
+#else
+ key->id = talloc_memdup(key, ASN1_STRING_get0_data(serial), key->id_len);
+#endif
key->description = talloc_array(key, char, description_len);
X509_NAME_oneline(X509_get_subject_name(x509),
@@ -927,6 +931,7 @@ int main(int argc, char **argv)
return EXIT_FAILURE;
}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
ERR_load_crypto_strings();
OpenSSL_add_all_digests();
OpenSSL_add_all_ciphers();
@@ -936,6 +941,7 @@ int main(int argc, char **argv)
* module isn't present). In either case ignore the errors
* (malloc will cause other failures out lower down */
ERR_clear_error();
+#endif
ctx->filesystem_keys = init_keyset(ctx);
ctx->firmware_keys = init_keyset(ctx);
diff --git a/src/sbsign.c b/src/sbsign.c
index ff1fdfd..78d8d64 100644
--- a/src/sbsign.c
+++ b/src/sbsign.c
@@ -188,6 +188,7 @@ int main(int argc, char **argv)
talloc_steal(ctx, ctx->image);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
ERR_load_crypto_strings();
OpenSSL_add_all_digests();
OpenSSL_add_all_ciphers();
@@ -197,6 +198,7 @@ int main(int argc, char **argv)
* module isn't present). In either case ignore the errors
* (malloc will cause other failures out lower down */
ERR_clear_error();
+#endif
if (engine)
pkey = fileio_read_engine_key(engine, keyfilename);
else
diff --git a/src/sbvarsign.c b/src/sbvarsign.c
index 7dcbe51..9319c8b 100644
--- a/src/sbvarsign.c
+++ b/src/sbvarsign.c
@@ -509,6 +509,7 @@ int main(int argc, char **argv)
return EXIT_FAILURE;
}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
/* initialise openssl */
OpenSSL_add_all_digests();
OpenSSL_add_all_ciphers();
@@ -519,6 +520,7 @@ int main(int argc, char **argv)
* module isn't present). In either case ignore the errors
* (malloc will cause other failures out lower down */
ERR_clear_error();
+#endif
/* set up the variable signing context */
varname = argv[optind];
diff --git a/src/sbverify.c b/src/sbverify.c
index 3920d91..d0b203a 100644
--- a/src/sbverify.c
+++ b/src/sbverify.c
@@ -250,6 +250,7 @@ int main(int argc, char **argv)
verbose = false;
detached_sig_filename = NULL;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
OpenSSL_add_all_digests();
ERR_load_crypto_strings();
OPENSSL_config(NULL);
@@ -258,6 +259,7 @@ int main(int argc, char **argv)
* module isn't present). In either case ignore the errors
* (malloc will cause other failures out lower down */
ERR_clear_error();
+#endif
for (;;) {
int idx;

View File

@ -1,44 +0,0 @@
# Copyright 1999-2018 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
EAPI="5"
MY_PN="${PN::-1}"
inherit eutils toolchain-funcs
DESCRIPTION="Utilities for signing and verifying files for UEFI Secure Boot"
HOMEPAGE="https://launchpad.net/ubuntu/+source/sbsigntool"
SRC_URI="https://launchpad.net/ubuntu/+archive/primary/+files/${MY_PN}_${PV}.orig.tar.gz"
LICENSE="GPL-3"
SLOT="0"
KEYWORDS="amd64 x86"
IUSE="libressl"
RDEPEND="
!libressl? ( dev-libs/openssl:0= )
libressl? ( dev-libs/libressl:0= )
sys-apps/util-linux"
DEPEND="${RDEPEND}
sys-apps/help2man
sys-boot/gnu-efi
sys-libs/binutils-libs
virtual/pkgconfig"
S="${WORKDIR}/${MY_PN}-${PV}"
src_prepare() {
local iarch
case ${ARCH} in
ia64) iarch=ia64 ;;
x86) iarch=ia32 ;;
amd64) iarch=x86_64 ;;
*) die "unsupported architecture: ${ARCH}" ;;
esac
sed -i "/^EFI_ARCH=/s:=.*:=${iarch}:" configure || die
sed -i 's/-m64$/& -march=x86-64/' tests/Makefile.in || die
sed -i "/^AR /s:=.*:= $(tc-getAR):" lib/ccan/Makefile.in || die #481480
epatch "${FILESDIR}"/0002-image.c-clear-image-variable.patch
epatch "${FILESDIR}"/0003-Fix-for-multi-sign.patch
}

View File

@ -0,0 +1,49 @@
# Copyright 1999-2019 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="7"
MY_PN="${PN::-1}"
inherit eutils autotools
DESCRIPTION="Utilities for signing and verifying files for UEFI Secure Boot"
HOMEPAGE="https://git.kernel.org/cgit/linux/kernel/git/jejb/sbsigntools.git/"
SRC_URI="https://git.kernel.org/pub/scm/linux/kernel/git/jejb/${PN}.git/snapshot/${P}.tar.gz
https://dev.gentoo.org/~tamiko/distfiles/${MY_PN}-0.8-ccan.tar.gz"
LICENSE="GPL-3 LGPL-3 LGPL-2.1 CC0-1.0"
SLOT="0"
KEYWORDS="amd64 ~arm64 x86"
IUSE="libressl"
RDEPEND="!libressl? ( dev-libs/openssl:0= )
libressl? ( dev-libs/libressl:0= )
sys-apps/util-linux"
DEPEND="${RDEPEND}
sys-apps/help2man
sys-boot/gnu-efi
sys-libs/binutils-libs
virtual/pkgconfig"
src_prepare() {
mv "${WORKDIR}"/lib/ccan "${S}"/lib || die "mv failed"
rmdir "${WORKDIR}"/lib || die "rmdir failed"
local iarch
case ${ARCH} in
amd64) iarch=x86_64 ;;
arm64) iarch=aarch64 ;;
ia64) iarch=ia64 ;;
x86) iarch=ia32 ;;
*) die "unsupported architecture: ${ARCH}" ;;
esac
sed -i "/^EFI_ARCH=/s:=.*:=${iarch}:" configure.ac || die
sed -i 's/-m64$/& -march=x86-64/' tests/Makefile.am || die
sed -i "/^AR /s:=.*:= $(tc-getAR):" lib/ccan/Makefile.in || die #481480
eapply "${FILESDIR}"/libressl.patch
default
eautoreconf
}