Date: Saturday, March 11, 2017 @ 23:05:49 Author: jgc Revision: 290642
upgpkg: sbsigntools 0.8-2
Added:
sbsigntools/trunk/update-openssl-api-usage-to-support-openssl-1.1.patch
Modified:
sbsigntools/trunk/PKGBUILD
-------------------------------------------------------+
PKGBUILD | 9 -
update-openssl-api-usage-to-support-openssl-1.1.patch | 143 ++++++++++++++++
2 files changed, 149 insertions(+), 3 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2017-03-11 22:57:50 UTC (rev 290641)
+++ PKGBUILD 2017-03-11 23:05:49 UTC (rev 290642)
@@ -5,7 +5,7 @@
 pkgname="sbsigntools"
 pkgver=0.8
-pkgrel=1
+pkgrel=2
 pkgdesc="Tools to add signatures to EFI binaries and Drivers"
 arch=('x86_64' 'i686')
 url="https://build.opensuse.org/package/show/home:jejb1:UEFI/sbsigntools"
@@ -14,14 +14,17 @@
 depends=('libutil-linux' 'openssl')
 source=("git+https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git#tag=v${pkgver}"
 "git://git.ozlabs.org/~ccan/ccan"
- "0001-sbsigntools-fix-autogen.sh-for-build-service.patch")
+ "0001-sbsigntools-fix-autogen.sh-for-build-service.patch"
+ update-openssl-api-usage-to-support-openssl-1.1.patch)
 sha256sums=('SKIP' 'SKIP'
- '9085ad181f67ac911918864783a9804af456d33c4631659e6acaaa27987786d7')
+ '9085ad181f67ac911918864783a9804af456d33c4631659e6acaaa27987786d7'
+ 'c48939a573c12f798e111921ac19ddf22c6e0cdfdc82dbb0b06c975d14a61341')
 prepare() {
 cd "${srcdir}/${pkgname}"
 patch -p1 -i "${srcdir}/0001-sbsigntools-fix-autogen.sh-for-build-service.patch"
+ patch -p1 -i ../update-openssl-api-usage-to-support-openssl-1.1.patch
 git submodule init
 git config submodule."lib/ccan.git".url "${srcdir}/ccan"
Added: update-openssl-api-usage-to-support-openssl-1.1.patch
===================================================================
--- update-openssl-api-usage-to-support-openssl-1.1.patch (rev 0)
+++ update-openssl-api-usage-to-support-openssl-1.1.patch 2017-03-11 23:05:49 UTC (rev 290642)
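Review bot: The new `patch -p1 -i ../update-openssl-api-usage-to-support-openssl-1.1.patch` line in prepare() locates the patch relative to the current directory, while the line directly above it uses `"${srcdir}/…"`; both resolve today only because of the preceding `cd "${srcdir}/${pkgname}"`, so for consistency and to survive any later change of working directory it should read `patch -p1 -i "${srcdir}/update-openssl-api-usage-to-support-openssl-1.1.patch"`. The added `update-openssl-api-usage-to-support-openssl-1.1.patch)` entry is likewise the only unquoted element in `source=(…)`; quote it like its neighbours. Separately, and not addressed by this commit, the `ccan` source is still fetched over unauthenticated `git://` with a `SKIP` checksum and no tag or commit fragment, unlike the main repository which is pinned with `#tag=v${pkgver}`; pinning it (`#commit=…`) would make the build reproducible and remove a transport-tampering point in the supply chain.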
@@ -0,0 +1,143 @@ +Author: Ben Hutchings <b...@decadent.org.uk> +Date: Sun, 26 Jun 2016 22:04:29 +0200 +Description: Update OpenSSL API usage to support OpenSSL 1.1 + Most structure definitions in OpenSSL are now opaque and we must call + the appropriate accessor functions to get information from them. + Not all the accessors are available in older versions, so define the + missing accessors as macros. + . + The X509_retrieve_match() function is no longer usable, as we cannot + initialise an X509_OBJECT ourselves. Instead, iterate over the + certificate store and use X509_OBJECT_get_type and X509_cmp to + compare certificates. + +--- a/src/sbverify.c ++++ b/src/sbverify.c +@@ -55,6 +55,14 @@ + #include <openssl/pem.h> + #include <openssl/x509v3.h> + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++#define X509_OBJECT_get0_X509(obj) ((obj)->data.x509) ++#define X509_OBJECT_get_type(obj) ((obj)->type) ++#define X509_STORE_CTX_get0_cert(ctx) ((ctx)->cert) ++#define X509_STORE_get0_objects(certs) ((certs)->objs) ++#define X509_get_extended_key_usage(cert) ((cert)->ex_xkusage) ++#endif ++ + static const char *toolname = "sbverify"; + static const int cert_name_len = 160; + +@@ -123,9 +131,9 @@ static void print_signature_info(PKCS7 * + + for (i = 0; i < sk_X509_num(p7->d.sign->cert); i++) { + cert = sk_X509_value(p7->d.sign->cert, i); +- X509_NAME_oneline(cert->cert_info->subject, ++ X509_NAME_oneline(X509_get_subject_name(cert), + subject_name, cert_name_len); +- X509_NAME_oneline(cert->cert_info->issuer, ++ X509_NAME_oneline(X509_get_issuer_name(cert), + issuer_name, cert_name_len); + + printf(" - subject: %s\n", subject_name); +@@ -136,20 +144,26 @@ static void print_signature_info(PKCS7 * + static void print_certificate_store_certs(X509_STORE *certs) + { + char subject_name[cert_name_len + 1], issuer_name[cert_name_len + 1]; ++ STACK_OF(X509_OBJECT) *objs; + X509_OBJECT *obj; ++ X509 *cert; + int i; + + printf("certificate store:\n"); + +- for (i = 0; i < 
sk_X509_OBJECT_num(certs->objs); i++) { +- obj = sk_X509_OBJECT_value(certs->objs, i); ++ objs = X509_STORE_get0_objects(certs); ++ ++ for (i = 0; i < sk_X509_OBJECT_num(objs); i++) { ++ obj = sk_X509_OBJECT_value(objs, i); + +- if (obj->type != X509_LU_X509) ++ if (X509_OBJECT_get_type(obj) != X509_LU_X509) + continue; + +- X509_NAME_oneline(obj->data.x509->cert_info->subject, ++ cert = X509_OBJECT_get0_X509(obj); ++ ++ X509_NAME_oneline(X509_get_subject_name(cert), + subject_name, cert_name_len); +- X509_NAME_oneline(obj->data.x509->cert_info->issuer, ++ X509_NAME_oneline(X509_get_issuer_name(cert), + issuer_name, cert_name_len); + + printf(" - subject: %s\n", subject_name); +@@ -182,12 +196,21 @@ static int load_detached_signature_data( + + static int cert_in_store(X509 *cert, X509_STORE_CTX *ctx) + { +- X509_OBJECT obj; ++ STACK_OF(X509_OBJECT) *objs; ++ X509_OBJECT *obj; ++ int i; ++ ++ objs = X509_STORE_get0_objects(X509_STORE_CTX_get0_store(ctx)); + +- obj.type = X509_LU_X509; +- obj.data.x509 = cert; ++ for (i = 0; i < sk_X509_OBJECT_num(objs); i++) { ++ obj = sk_X509_OBJECT_value(objs, i); + +- return X509_OBJECT_retrieve_match(ctx->ctx->objs, &obj) != NULL; ++ if (X509_OBJECT_get_type(obj) == X509_LU_X509 && ++ !X509_cmp(X509_OBJECT_get0_X509(obj), cert)) ++ return 1; ++ } ++ ++ return 0; + } + + static int x509_verify_cb(int status, X509_STORE_CTX *ctx) +@@ -195,8 +218,9 @@ static int x509_verify_cb(int status, X5 + int err = X509_STORE_CTX_get_error(ctx); + + /* also accept code-signing keys */ +- if (err == X509_V_ERR_INVALID_PURPOSE +- && ctx->cert->ex_xkusage == XKU_CODE_SIGN) ++ if (err == X509_V_ERR_INVALID_PURPOSE && ++ X509_get_extended_key_usage(X509_STORE_CTX_get0_cert(ctx)) ++ == XKU_CODE_SIGN) + status = 1; + + /* all certs given with the --cert argument are trusted */ +@@ -204,7 +228,7 @@ static int x509_verify_cb(int status, X5 + err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT || + err == X509_V_ERR_CERT_UNTRUSTED) { + +- if 
(cert_in_store(ctx->current_cert, ctx)) ++ if (cert_in_store(X509_STORE_CTX_get_current_cert(ctx), ctx)) + status = 1; + } + /* UEFI doesn't care about expired signatures, so we shouldn't either. */ +--- a/src/sbkeysync.c ++++ b/src/sbkeysync.c +@@ -204,16 +204,15 @@ static int x509_key_parse(struct key *ke + return -1; + + /* we use the X509 serial number as the key ID */ +- if (!x509->cert_info || !x509->cert_info->serialNumber) ++ serial = X509_get_serialNumber(x509); ++ if (!serial) + goto out; + +- serial = x509->cert_info->serialNumber; +- + key->id_len = ASN1_STRING_length(serial); + key->id = talloc_memdup(key, ASN1_STRING_data(serial), key->id_len); + + key->description = talloc_array(key, char, description_len); +- X509_NAME_oneline(x509->cert_info->subject, ++ X509_NAME_oneline(X509_get_subject_name(x509), + key->description, description_len); + + rc = 0;
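Review bot: The compat block added at the top of sbverify.c defines `X509_OBJECT_get0_X509`, `X509_OBJECT_get_type`, `X509_STORE_CTX_get0_cert`, `X509_STORE_get0_objects` and `X509_get_extended_key_usage`, but the rewritten `cert_in_store()` also calls `X509_STORE_CTX_get0_store()`, which is not covered; if the `OPENSSL_VERSION_NUMBER < 0x10100000L` branch is meant to keep older releases building it needs `#define X509_STORE_CTX_get0_store(ctx) ((ctx)->ctx)` as well (as far as I recall the real accessor only appeared in 1.0.2, so 1.0.1 would fail to compile rather than fall back). That loop now carries the whole trust override for `X509_V_ERR_CERT_UNTRUSTED` and the two `UNABLE_TO_GET_ISSUER_CERT*` errors via a linear `X509_cmp()` scan instead of the old subject-hash lookup; it is still an exact whole-certificate comparison, but a comment such as `/* exact (DER) match against a --cert store entry; linear scan, store is small */` would make clear that loosening it to a name comparison would widen what is trusted. The `X509_get_extended_key_usage(cert)` macro reads the raw `ex_xkusage` field, which on pre-1.1 OpenSSL is only meaningful once the extension cache has been populated; inside the verify callback that has presumably happened by the time `X509_V_ERR_INVALID_PURPOSE` is reported, but the assumption is worth a one-line comment next to the macro. In sbkeysync.c `ASN1_STRING_data()` is kept, which 1.1.0 deprecates in favour of `ASN1_STRING_get0_data()`; switching would need its own compat macro, so the deprecation warning should at least be expected. x509_verify_cb() begins in this hunk but its body continues past it, and x509_key_parse() starts before the sbkeysync.c hunk.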