[arch-commits] Commit in sbsigntools/trunk (2 files)

Jan de Groot Sat, 11 Mar 2017 15:06:07 -0800

    Date: Saturday, March 11, 2017 @ 23:05:49
  Author: jgc
Revision: 290642


upgpkg: sbsigntools 0.8-2

Added:
  sbsigntools/trunk/update-openssl-api-usage-to-support-openssl-1.1.patch
Modified:
  sbsigntools/trunk/PKGBUILD

-------------------------------------------------------+
 PKGBUILD                                              |    9 -
 update-openssl-api-usage-to-support-openssl-1.1.patch |  143 ++++++++++++++++
 2 files changed, 149 insertions(+), 3 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD    2017-03-11 22:57:50 UTC (rev 290641)
+++ PKGBUILD    2017-03-11 23:05:49 UTC (rev 290642)
@@ -5,7 +5,7 @@
 
 pkgname="sbsigntools"
 pkgver=0.8
-pkgrel=1
+pkgrel=2
 pkgdesc="Tools to add signatures to EFI binaries and Drivers"
 arch=('x86_64' 'i686')
 url="https://build.opensuse.org/package/show/home:jejb1:UEFI/sbsigntools";
@@ -14,14 +14,17 @@
 depends=('libutil-linux' 'openssl')
 
source=("git+https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git#tag=v${pkgver}";
        "git://git.ozlabs.org/~ccan/ccan"
-       "0001-sbsigntools-fix-autogen.sh-for-build-service.patch")
+       "0001-sbsigntools-fix-autogen.sh-for-build-service.patch"
+        update-openssl-api-usage-to-support-openssl-1.1.patch)
 sha256sums=('SKIP'
             'SKIP'
-            '9085ad181f67ac911918864783a9804af456d33c4631659e6acaaa27987786d7')
+            '9085ad181f67ac911918864783a9804af456d33c4631659e6acaaa27987786d7'
+            'c48939a573c12f798e111921ac19ddf22c6e0cdfdc82dbb0b06c975d14a61341')
 
 prepare() {
        cd "${srcdir}/${pkgname}"
        patch -p1 -i 
"${srcdir}/0001-sbsigntools-fix-autogen.sh-for-build-service.patch"
+       patch -p1 -i ../update-openssl-api-usage-to-support-openssl-1.1.patch
 
        git submodule init
        git config submodule."lib/ccan.git".url "${srcdir}/ccan"

Added: update-openssl-api-usage-to-support-openssl-1.1.patch
===================================================================
--- update-openssl-api-usage-to-support-openssl-1.1.patch                       
        (rev 0)
+++ update-openssl-api-usage-to-support-openssl-1.1.patch       2017-03-11 
23:05:49 UTC (rev 290642)
@@ -0,0 +1,143 @@
+Author: Ben Hutchings <b...@decadent.org.uk>
+Date: Sun, 26 Jun 2016 22:04:29 +0200
+Description: Update OpenSSL API usage to support OpenSSL 1.1
+ Most structure definitions in OpenSSL are now opaque and we must call
+ the appropriate accessor functions to get information from them.
+ Not all the accessors are available in older versions, so define the
+ missing accessors as macros.
+ .
+ The X509_retrieve_match() function is no longer usable, as we cannot
+ initialise an X509_OBJECT ourselves.  Instead, iterate over the
+ certificate store and use X509_OBJECT_get_type and X509_cmp to
+ compare certificates.
+
+--- a/src/sbverify.c
++++ b/src/sbverify.c
+@@ -55,6 +55,14 @@
+ #include <openssl/pem.h>
+ #include <openssl/x509v3.h>
+ 
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#define X509_OBJECT_get0_X509(obj) ((obj)->data.x509)
++#define X509_OBJECT_get_type(obj) ((obj)->type)
++#define X509_STORE_CTX_get0_cert(ctx) ((ctx)->cert)
++#define X509_STORE_get0_objects(certs) ((certs)->objs)
++#define X509_get_extended_key_usage(cert) ((cert)->ex_xkusage)
++#endif
++
+ static const char *toolname = "sbverify";
+ static const int cert_name_len = 160;
+ 
+@@ -123,9 +131,9 @@ static void print_signature_info(PKCS7 *
+ 
+       for (i = 0; i < sk_X509_num(p7->d.sign->cert); i++) {
+               cert = sk_X509_value(p7->d.sign->cert, i);
+-              X509_NAME_oneline(cert->cert_info->subject,
++              X509_NAME_oneline(X509_get_subject_name(cert),
+                               subject_name, cert_name_len);
+-              X509_NAME_oneline(cert->cert_info->issuer,
++              X509_NAME_oneline(X509_get_issuer_name(cert),
+                               issuer_name, cert_name_len);
+ 
+               printf(" - subject: %s\n", subject_name);
+@@ -136,20 +144,26 @@ static void print_signature_info(PKCS7 *
+ static void print_certificate_store_certs(X509_STORE *certs)
+ {
+       char subject_name[cert_name_len + 1], issuer_name[cert_name_len + 1];
++      STACK_OF(X509_OBJECT) *objs;
+       X509_OBJECT *obj;
++      X509 *cert;
+       int i;
+ 
+       printf("certificate store:\n");
+ 
+-      for (i = 0; i < sk_X509_OBJECT_num(certs->objs); i++) {
+-              obj = sk_X509_OBJECT_value(certs->objs, i);
++      objs = X509_STORE_get0_objects(certs);
++
++      for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
++              obj = sk_X509_OBJECT_value(objs, i);
+ 
+-              if (obj->type != X509_LU_X509)
++              if (X509_OBJECT_get_type(obj) != X509_LU_X509)
+                       continue;
+ 
+-              X509_NAME_oneline(obj->data.x509->cert_info->subject,
++              cert = X509_OBJECT_get0_X509(obj);
++
++              X509_NAME_oneline(X509_get_subject_name(cert),
+                               subject_name, cert_name_len);
+-              X509_NAME_oneline(obj->data.x509->cert_info->issuer,
++              X509_NAME_oneline(X509_get_issuer_name(cert),
+                               issuer_name, cert_name_len);
+ 
+               printf(" - subject: %s\n", subject_name);
+@@ -182,12 +196,21 @@ static int load_detached_signature_data(
+ 
+ static int cert_in_store(X509 *cert, X509_STORE_CTX *ctx)
+ {
+-      X509_OBJECT obj;
++      STACK_OF(X509_OBJECT) *objs;
++      X509_OBJECT *obj;
++      int i;
++
++      objs = X509_STORE_get0_objects(X509_STORE_CTX_get0_store(ctx));
+ 
+-      obj.type = X509_LU_X509;
+-      obj.data.x509 = cert;
++      for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
++              obj = sk_X509_OBJECT_value(objs, i);
+ 
+-      return X509_OBJECT_retrieve_match(ctx->ctx->objs, &obj) != NULL;
++              if (X509_OBJECT_get_type(obj) == X509_LU_X509 &&
++                  !X509_cmp(X509_OBJECT_get0_X509(obj), cert))
++                      return 1;
++      }
++
++      return 0;
+ }
+ 
+ static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
+@@ -195,8 +218,9 @@ static int x509_verify_cb(int status, X5
+       int err = X509_STORE_CTX_get_error(ctx);
+ 
+       /* also accept code-signing keys */
+-      if (err == X509_V_ERR_INVALID_PURPOSE
+-                      && ctx->cert->ex_xkusage == XKU_CODE_SIGN)
++      if (err == X509_V_ERR_INVALID_PURPOSE &&
++                      
X509_get_extended_key_usage(X509_STORE_CTX_get0_cert(ctx))
++                      == XKU_CODE_SIGN)
+               status = 1;
+ 
+       /* all certs given with the --cert argument are trusted */
+@@ -204,7 +228,7 @@ static int x509_verify_cb(int status, X5
+                       err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT ||
+                       err == X509_V_ERR_CERT_UNTRUSTED) {
+ 
+-              if (cert_in_store(ctx->current_cert, ctx))
++              if (cert_in_store(X509_STORE_CTX_get_current_cert(ctx), ctx))
+                       status = 1;
+       }
+       /* UEFI doesn't care about expired signatures, so we shouldn't either. 
*/
+--- a/src/sbkeysync.c
++++ b/src/sbkeysync.c
+@@ -204,16 +204,15 @@ static int x509_key_parse(struct key *ke
+               return -1;
+ 
+       /* we use the X509 serial number as the key ID */
+-      if (!x509->cert_info || !x509->cert_info->serialNumber)
++      serial = X509_get_serialNumber(x509);
++      if (!serial)
+               goto out;
+ 
+-      serial = x509->cert_info->serialNumber;
+-
+       key->id_len = ASN1_STRING_length(serial);
+       key->id = talloc_memdup(key, ASN1_STRING_data(serial), key->id_len);
+ 
+       key->description = talloc_array(key, char, description_len);
+-      X509_NAME_oneline(x509->cert_info->subject,
++      X509_NAME_oneline(X509_get_subject_name(x509),
+                       key->description, description_len);
+ 
+       rc = 0;

[arch-commits] Commit in sbsigntools/trunk (2 files)

Reply via email to