[gentoo-commits] repo/gentoo:master commit in: app-crypt/sbsigntools/files/, app-crypt/sbsigntools/
commit: 9631d4aa77291cf8617737566aabd0a9d6a203c3
Author: Kai-Chun Ning gmail com>
AuthorDate: Wed Dec 14 10:15:43 2022 +
Commit: Sam James gentoo org>
CommitDate: Thu Dec 15 04:35:45 2022 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9631d4aa
app-crypt/sbsigntools: fix segmentation fault w/ openssl 3
Closes: https://bugs.gentoo.org/805512
Signed-off-by: Kai-Chun Ning gmail.com>
Closes: https://github.com/gentoo/gentoo/pull/28662
Signed-off-by: Sam James gentoo.org>
.../files/sbsigntools-0.9.4-openssl3.patch | 35 ++
app-crypt/sbsigntools/sbsigntools-0.9.4-r1.ebuild | 53 ++
2 files changed, 88 insertions(+)
diff --git a/app-crypt/sbsigntools/files/sbsigntools-0.9.4-openssl3.patch
b/app-crypt/sbsigntools/files/sbsigntools-0.9.4-openssl3.patch
new file mode 100644
index ..3fffe9b668eb
--- /dev/null
+++ b/app-crypt/sbsigntools/files/sbsigntools-0.9.4-openssl3.patch
@@ -0,0 +1,35 @@
+Subject: [PATCH] Fix openssl-3.0 issue involving ASN1 xxx_it
+From: Jeremi Piotrowski
+Origin: https://groups.io/g/sbsigntools/message/54
+
+Use ASN1_ITEM_rptr() instead of taking the address of IDC_PEID_it.
+
+openssl-3.0 changed the type of TYPE_it from `const ASN1_ITEM TYPE_it` to
+`const ASN1_ITEM *TYPE_it(void)`. This was previously hidden behind
+OPENSSL_EXPORT_VAR_AS_FUNCTION but in 3.0 only the function version is
+available. This change should have been transparent to the application, but
+only if the `ASN1_ITEM_rptr()` macro is used.
+
+This change passes `make check` with both openssl 1.1 and 3.0.
+
+Signed-off-by: Jeremi Piotrowski
+---
+ src/idc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/idc.c b/src/idc.c
+index 6d87bd4..0a82218 100644
+--- a/src/idc.c
b/src/idc.c
+@@ -189,7 +189,7 @@ int IDC_set(PKCS7 *p7, PKCS7_SIGNER_INFO *si, struct image
*image)
+
+ idc->data->type = OBJ_nid2obj(peid_nid);
+ idc->data->value = ASN1_TYPE_new();
+- type_set_sequence(image, idc->data->value, peid, _PEID_it);
++ type_set_sequence(image, idc->data->value, peid,
ASN1_ITEM_rptr(IDC_PEID));
+
+ idc->digest->alg->parameter = ASN1_TYPE_new();
+ idc->digest->alg->algorithm = OBJ_nid2obj(NID_sha256);
+--
+2.25.1
+
diff --git a/app-crypt/sbsigntools/sbsigntools-0.9.4-r1.ebuild
b/app-crypt/sbsigntools/sbsigntools-0.9.4-r1.ebuild
new file mode 100644
index ..5a78ca4edd5a
--- /dev/null
+++ b/app-crypt/sbsigntools/sbsigntools-0.9.4-r1.ebuild
@@ -0,0 +1,53 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+MY_PN="${PN::-1}"
+
+inherit autotools toolchain-funcs
+
+DESCRIPTION="Utilities for signing and verifying files for UEFI Secure Boot"
+HOMEPAGE="https://git.kernel.org/cgit/linux/kernel/git/jejb/sbsigntools.git/;
+SRC_URI="https://git.kernel.org/pub/scm/linux/kernel/git/jejb/${PN}.git/snapshot/${P}.tar.gz
+ https://dev.gentoo.org/~tamiko/distfiles/${MY_PN}-0.8-ccan.tar.gz;
+
+LICENSE="GPL-3 LGPL-3 LGPL-2.1 CC0-1.0"
+SLOT="0"
+KEYWORDS="~amd64 ~arm64 ~riscv ~x86"
+IUSE=""
+
+RDEPEND="
+ dev-libs/openssl:0=
+ sys-apps/util-linux"
+DEPEND="${RDEPEND}
+ sys-apps/help2man
+ sys-boot/gnu-efi
+ sys-libs/binutils-libs
+ virtual/pkgconfig"
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-0.9.4-no-werror.patch
+ "${FILESDIR}"/${PN}-0.9.4-openssl3.patch
+)
+
+src_prepare() {
+ mv "${WORKDIR}"/lib/ccan "${S}"/lib || die "mv failed"
+ rmdir "${WORKDIR}"/lib || die "rmdir failed"
+
+ local iarch
+ case ${ARCH} in
+ amd64) iarch=x86_64 ;;
+ arm64) iarch=aarch64 ;;
+ ia64) iarch=ia64 ;;
+ riscv) iarch=riscv64 ;;
+ x86) iarch=ia32 ;;
+ *) die "unsupported architecture: ${ARCH}" ;;
+ esac
+ sed -i "/^EFI_ARCH=/s:=.*:=${iarch}:" configure.ac || die
+ sed -i 's/-m64$/& -march=x86-64/' tests/Makefile.am || die
+ sed -i "/^AR /s:=.*:= $(tc-getAR):" lib/ccan/Makefile.in || die #481480
+
+ default
+ eautoreconf
+}
[gentoo-commits] repo/gentoo:master commit in: app-crypt/sbsigntools/files/, app-crypt/sbsigntools/
commit: 3f80775fd1204bf44e4ecd41202b591e1d953e63
Author: Sam James gentoo org>
AuthorDate: Sat Jun 11 06:01:26 2022 +
Commit: Sam James gentoo org>
CommitDate: Sat Jun 11 06:03:18 2022 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3f80775f
app-crypt/sbsigntools: drop Werror
Closes: https://bugs.gentoo.org/832212
Bug: https://bugs.gentoo.org/845372
Bug: https://bugs.gentoo.org/828947
Signed-off-by: Sam James gentoo.org>
.../sbsigntools/files/sbsigntools-0.9.4-no-werror.patch | 13 +
app-crypt/sbsigntools/sbsigntools-0.9.4.ebuild | 4
2 files changed, 17 insertions(+)
diff --git a/app-crypt/sbsigntools/files/sbsigntools-0.9.4-no-werror.patch
b/app-crypt/sbsigntools/files/sbsigntools-0.9.4-no-werror.patch
new file mode 100644
index ..42650929b87c
--- /dev/null
+++ b/app-crypt/sbsigntools/files/sbsigntools-0.9.4-no-werror.patch
@@ -0,0 +1,13 @@
+https://bugs.gentoo.org/832212
+https://bugs.gentoo.org/845372
+--- a/src/Makefile.am
b/src/Makefile.am
+@@ -7,7 +7,7 @@ AM_CFLAGS = -Wall -Wextra --std=gnu99
+ common_SOURCES = idc.c idc.h image.c image.h fileio.c fileio.h \
+ efivars.h $(coff_headers)
+ common_LDADD = ../lib/ccan/libccan.a $(libcrypto_LIBS)
+-common_CFLAGS = -I$(top_srcdir)/lib/ccan/ -Werror
++common_CFLAGS = -I$(top_srcdir)/lib/ccan/
+
+ sbsign_SOURCES = sbsign.c $(common_SOURCES)
+ sbsign_LDADD = $(common_LDADD)
diff --git a/app-crypt/sbsigntools/sbsigntools-0.9.4.ebuild
b/app-crypt/sbsigntools/sbsigntools-0.9.4.ebuild
index b8865b50a89d..ba90949d3bc3 100644
--- a/app-crypt/sbsigntools/sbsigntools-0.9.4.ebuild
+++ b/app-crypt/sbsigntools/sbsigntools-0.9.4.ebuild
@@ -26,6 +26,10 @@ DEPEND="${RDEPEND}
sys-libs/binutils-libs
virtual/pkgconfig"
+PATCHES=(
+ "${FILESDIR}"/${PN}-0.9.4-no-werror.patch
+)
+
src_prepare() {
mv "${WORKDIR}"/lib/ccan "${S}"/lib || die "mv failed"
rmdir "${WORKDIR}"/lib || die "rmdir failed"
[gentoo-commits] repo/gentoo:master commit in: app-crypt/sbsigntools/files/
commit: 303ab7ace0acadc65d7749fc441b35f76899639f
Author: Michael Mair-Keimberger levelnine at>
AuthorDate: Thu Nov 25 16:51:43 2021 +
Commit: Conrad Kostecki gentoo org>
CommitDate: Sun Dec 5 21:45:13 2021 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=303ab7ac
app-crypt/sbsigntools: remove unused patch(es)
Closes: https://github.com/gentoo/gentoo/pull/23081
Package-Manager: Portage-3.0.28, Repoman-3.0.3
Signed-off-by: Michael Mair-Keimberger levelnine.at>
Signed-off-by: Conrad Kostecki gentoo.org>
.../sbsigntools-0.9.1-openssl-1.1.0-compat.patch | 152 -
1 file changed, 152 deletions(-)
diff --git
a/app-crypt/sbsigntools/files/sbsigntools-0.9.1-openssl-1.1.0-compat.patch
b/app-crypt/sbsigntools/files/sbsigntools-0.9.1-openssl-1.1.0-compat.patch
deleted file mode 100644
index 2f9364f246ee..
--- a/app-crypt/sbsigntools/files/sbsigntools-0.9.1-openssl-1.1.0-compat.patch
+++ /dev/null
@@ -1,152 +0,0 @@
-diff --git a/src/fileio.c b/src/fileio.c
-index 032eb1e..09bc3aa 100644
a/src/fileio.c
-+++ b/src/fileio.c
-@@ -40,6 +40,7 @@
- #include
- #include
- #include
-+#include
-
- #include
- #include
-diff --git a/src/idc.c b/src/idc.c
-index 236cefd..6d87bd4 100644
a/src/idc.c
-+++ b/src/idc.c
-@@ -238,7 +238,11 @@ struct idc *IDC_get(PKCS7 *p7, BIO *bio)
-
- /* extract the idc from the signed PKCS7 'other' data */
- str = p7->d.sign->contents->d.other->value.asn1_string;
-+#if OPENSSL_VERSION_NUMBER < 0x1010L
- idcbuf = buf = ASN1_STRING_data(str);
-+#else
-+ idcbuf = buf = ASN1_STRING_get0_data(str);
-+#endif
- idc = d2i_IDC(NULL, , ASN1_STRING_length(str));
-
- /* If we were passed a BIO, write the idc data, minus type and length,
-@@ -289,7 +293,11 @@ int IDC_check_hash(struct idc *idc, struct image *image)
- }
-
- /* check hash against the one we calculated from the image */
-+#if OPENSSL_VERSION_NUMBER < 0x1010L
- buf = ASN1_STRING_data(str);
-+#else
-+ buf = ASN1_STRING_get0_data(str);
-+#endif
- if (memcmp(buf, sha, sizeof(sha))) {
- fprintf(stderr, "Hash doesn't match image\n");
- fprintf(stderr, " got: %s\n", sha256_str(buf));
-diff --git a/src/sbattach.c b/src/sbattach.c
-index a0c01b8..e89a23e 100644
a/src/sbattach.c
-+++ b/src/sbattach.c
-@@ -231,6 +231,7 @@ int main(int argc, char **argv)
- return EXIT_FAILURE;
- }
-
-+#if OPENSSL_VERSION_NUMBER < 0x1010L
- ERR_load_crypto_strings();
- OpenSSL_add_all_digests();
- OPENSSL_config(NULL);
-@@ -239,6 +240,7 @@ int main(int argc, char **argv)
-* module isn't present). In either case ignore the errors
-* (malloc will cause other failures out lower down */
- ERR_clear_error();
-+#endif
-
- image = image_load(image_filename);
- if (!image) {
-diff --git a/src/sbkeysync.c b/src/sbkeysync.c
-index 7b17f40..419b1e7 100644
a/src/sbkeysync.c
-+++ b/src/sbkeysync.c
-@@ -208,7 +208,11 @@ static int x509_key_parse(struct key *key, uint8_t *data,
size_t len)
- goto out;
-
- key->id_len = ASN1_STRING_length(serial);
-+#if OPENSSL_VERSION_NUMBER < 0x1010L
- key->id = talloc_memdup(key, ASN1_STRING_data(serial), key->id_len);
-+#else
-+ key->id = talloc_memdup(key, ASN1_STRING_get0_data(serial),
key->id_len);
-+#endif
-
- key->description = talloc_array(key, char, description_len);
- X509_NAME_oneline(X509_get_subject_name(x509),
-@@ -927,6 +931,7 @@ int main(int argc, char **argv)
- return EXIT_FAILURE;
- }
-
-+#if OPENSSL_VERSION_NUMBER < 0x1010L
- ERR_load_crypto_strings();
- OpenSSL_add_all_digests();
- OpenSSL_add_all_ciphers();
-@@ -936,6 +941,7 @@ int main(int argc, char **argv)
-* module isn't present). In either case ignore the errors
-* (malloc will cause other failures out lower down */
- ERR_clear_error();
-+#endif
-
- ctx->filesystem_keys = init_keyset(ctx);
- ctx->firmware_keys = init_keyset(ctx);
-diff --git a/src/sbsign.c b/src/sbsign.c
-index ff1fdfd..78d8d64 100644
a/src/sbsign.c
-+++ b/src/sbsign.c
-@@ -188,6 +188,7 @@ int main(int argc, char **argv)
-
- talloc_steal(ctx, ctx->image);
-
-+#if OPENSSL_VERSION_NUMBER < 0x1010L
- ERR_load_crypto_strings();
- OpenSSL_add_all_digests();
- OpenSSL_add_all_ciphers();
-@@ -197,6 +198,7 @@ int main(int argc, char **argv)
-* module isn't present). In either case ignore the errors
-* (malloc will cause other failures out lower down */
- ERR_clear_error();
-+#endif
- if (engine)
- pkey = fileio_read_engine_key(engine, keyfilename);
- else
-diff --git a/src/sbvarsign.c b/src/sbvarsign.c
-index 7dcbe51..9319c8b 100644
a/src/sbvarsign.c
-+++ b/src/sbvarsign.c
-@@ -509,6 +509,7 @@ int main(int argc, char
[gentoo-commits] repo/gentoo:master commit in: app-crypt/sbsigntools/files/
commit: b0c21fbbcd45cea8afada073831869d39e152fa8 Author: Michael Mair-Keimberger gmail com> AuthorDate: Thu Oct 1 18:23:49 2020 + Commit: Conrad Kostecki gentoo org> CommitDate: Fri Oct 9 13:44:27 2020 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0c21fbb app-crypt/sbsigntools: remove unused patches Closes: https://github.com/gentoo/gentoo/pull/17740 Package-Manager: Portage-3.0.8, Repoman-3.0.1 Signed-off-by: Michael Mair-Keimberger gmail.com> Signed-off-by: Conrad Kostecki gentoo.org> .../files/0002-image.c-clear-image-variable.patch | 29 .../files/0003-Fix-for-multi-sign.patch| 39 -- 2 files changed, 68 deletions(-) diff --git a/app-crypt/sbsigntools/files/0002-image.c-clear-image-variable.patch b/app-crypt/sbsigntools/files/0002-image.c-clear-image-variable.patch deleted file mode 100644 index dfe183e66cd..000 --- a/app-crypt/sbsigntools/files/0002-image.c-clear-image-variable.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 21e984fa9d93a760cc03f5d9d13d023809227df2 Mon Sep 17 00:00:00 2001 -From: James Bottomley -Date: Thu, 11 Apr 2013 21:12:17 -0700 -Subject: image.c: clear image variable - -Not zeroing the image after talloc occasionally leads to a segfault because -the programme thinks it has a signature when in reality it just has a junk -pointer and segfaults. - -Signed-off-by: James Bottomley - src/image.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/image.c b/src/image.c -index cc55791..10eba0e 100644 a/src/image.c -+++ b/src/image.c -@@ -401,6 +401,7 @@ struct image *image_load(const char *filename) - return NULL; - } - -+ memset(image, 0, sizeof(*image)); - rc = fileio_read_file(image, filename, >buf, >size); - if (rc) - goto err; --- -1.8.2.1 - diff --git a/app-crypt/sbsigntools/files/0003-Fix-for-multi-sign.patch b/app-crypt/sbsigntools/files/0003-Fix-for-multi-sign.patch deleted file mode 100644 index f42c69616d1..000 --- a/app-crypt/sbsigntools/files/0003-Fix-for-multi-sign.patch +++ /dev/null @@ -1,39 +0,0 @@ -From e58a528ef57e53008222f238cce7c326a14572e2 Mon Sep 17 00:00:00 2001 -From: James Bottomley -Date: Mon, 30 Sep 2013 19:25:37 -0700 -Subject: [PATCH 4/4] Fix for multi-sign - -The new Tianocore multi-sign code fails now for images signed with -sbsigntools. The reason is that we don't actually align the signature table, -we just slap it straight after the binary data. Unfortunately, the new -multi-signature code checks that our alignment offsets are correct and fails -the signature for this reason. Fix by adding junk to the end of the image to -align the signature section. - -Signed-off-by: James Bottomley - src/image.c | 8 +++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/src/image.c b/src/image.c -index 10eba0e..519e288 100644 a/src/image.c -+++ b/src/image.c -@@ -385,7 +385,13 @@ static int image_find_regions(struct image *image) - - /* record the size of non-signature data */ - r = >checksum_regions[image->n_checksum_regions - 1]; -- image->data_size = (r->data - (void *)image->buf) + r->size; -+ /* -+ * The new Tianocore multisign does a stricter check of the signatures -+ * in particular, the signature table must start at an aligned offset -+ * fix this by adding bytes to the end of the text section (which must -+ * be included in the hash) -+ */ -+ image->data_size = align_up((r->data - (void *)image->buf) + r->size, 8); - - return 0; - } --- -1.8.4 -
