[packages/sbsigntool] - rel 3; fix openssl build from debian

arekm arekm at pld-linux.org
Wed Sep 26 13:53:45 CEST 2018


commit e164c3e2d41fa1aacf7a1a321259677f524133c0
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date:   Wed Sep 26 13:53:38 2018 +0200

    - rel 3; fix openssl build from debian

 openssl.patch   | 172 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 sbsigntool.spec |   5 +-
 2 files changed, 176 insertions(+), 1 deletion(-)
---
diff --git a/sbsigntool.spec b/sbsigntool.spec
index b3f0c7b..eb3e2a5 100644
--- a/sbsigntool.spec
+++ b/sbsigntool.spec
@@ -6,7 +6,7 @@ Summary:	Signing utility for UEFI secure boot
 Summary(pl.UTF-8):	Narzędzie do podpisywania dla bezpiecznego rozruchu UEFI
 Name:		sbsigntool
 Version:	0.6
-Release:	2
+Release:	3
 License:	GPL v3+ with OpenSSL exception
 Group:		Applications/System
 # git://kernel.ubuntu.com/jk/sbsigntool a7577f56b3c3c6e314576809cc9ce1bde94ae727
@@ -17,6 +17,7 @@ Source0:	%{name}-%{version}.tar.bz2
 Source1:	ccan-b1f28e.tar.bz2
 # Source1-md5:	a93c0ea0c36241285cee8d60d396ed01
 Patch0:		%{name}-efivars_magic.patch
+Patch1:		openssl.patch
 URL:		https://wiki.ubuntu.com/UEFI/SecureBoot
 BuildRequires:	autoconf >= 2.60
 BuildRequires:	automake
@@ -48,6 +49,8 @@ rozruchu UEFI (UEFI Secure Boot).
 %prep
 %setup -q -a1
 
+%patch1 -p1
+
 %build
 # from autogen.sh
 ccan_modules="talloc read_write_all build_assert array_size"
diff --git a/openssl.patch b/openssl.patch
new file mode 100644
index 0000000..8e52931
--- /dev/null
+++ b/openssl.patch
@@ -0,0 +1,172 @@
+From 3186e24f5a46172cd771d61cdeec5e590f73743e Mon Sep 17 00:00:00 2001
+From: Steve Langasek <steve.langasek at canonical.com>
+Date: Wed, 15 Jul 2015 08:48:25 -0700
+Subject: [PATCH] Support openssl 1.0.2b and above
+
+Newer versions of openssl return a different error with alternate
+certificate chains; update for compatibility.
+
+Signed-off-by: Marc Deslauriers <marc.deslauriers at canonical.com>
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1474541
+---
+ src/sbverify.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/sbverify.c b/src/sbverify.c
+index fb03d21..35890b9 100644
+--- a/src/sbverify.c
++++ b/src/sbverify.c
+@@ -201,6 +201,7 @@ static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
+ 
+ 	/* all certs given with the --cert argument are trusted */
+ 	else if (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
++			err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT ||
+ 			err == X509_V_ERR_CERT_UNTRUSTED) {
+ 
+ 		if (cert_in_store(ctx->current_cert, ctx))
+-- 
+2.1.4
+
+Author: Ben Hutchings <ben at decadent.org.uk>
+Date: Sun, 26 Jun 2016 22:04:29 +0200
+Description: Update OpenSSL API usage to support OpenSSL 1.1
+ Most structure definitions in OpenSSL are now opaque and we must call
+ the appropriate accessor functions to get information from them.
+ Not all the accessors are available in older versions, so define the
+ missing accessors as macros.
+ .
+ The X509_retrieve_match() function is no longer usable, as we cannot
+ initialise an X509_OBJECT ourselves.  Instead, iterate over the
+ certificate store and use X509_OBJECT_get_type and X509_cmp to
+ compare certificates.
+
+--- a/src/sbverify.c
++++ b/src/sbverify.c
+@@ -55,6 +55,14 @@
+ #include <openssl/pem.h>
+ #include <openssl/x509v3.h>
+ 
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#define X509_OBJECT_get0_X509(obj) ((obj)->data.x509)
++#define X509_OBJECT_get_type(obj) ((obj)->type)
++#define X509_STORE_CTX_get0_cert(ctx) ((ctx)->cert)
++#define X509_STORE_get0_objects(certs) ((certs)->objs)
++#define X509_get_extended_key_usage(cert) ((cert)->ex_xkusage)
++#endif
++
+ static const char *toolname = "sbverify";
+ static const int cert_name_len = 160;
+ 
+@@ -123,9 +131,9 @@ static void print_signature_info(PKCS7 *
+ 
+ 	for (i = 0; i < sk_X509_num(p7->d.sign->cert); i++) {
+ 		cert = sk_X509_value(p7->d.sign->cert, i);
+-		X509_NAME_oneline(cert->cert_info->subject,
++		X509_NAME_oneline(X509_get_subject_name(cert),
+ 				subject_name, cert_name_len);
+-		X509_NAME_oneline(cert->cert_info->issuer,
++		X509_NAME_oneline(X509_get_issuer_name(cert),
+ 				issuer_name, cert_name_len);
+ 
+ 		printf(" - subject: %s\n", subject_name);
+@@ -136,20 +144,26 @@ static void print_signature_info(PKCS7 *
+ static void print_certificate_store_certs(X509_STORE *certs)
+ {
+ 	char subject_name[cert_name_len + 1], issuer_name[cert_name_len + 1];
++	STACK_OF(X509_OBJECT) *objs;
+ 	X509_OBJECT *obj;
++	X509 *cert;
+ 	int i;
+ 
+ 	printf("certificate store:\n");
+ 
+-	for (i = 0; i < sk_X509_OBJECT_num(certs->objs); i++) {
+-		obj = sk_X509_OBJECT_value(certs->objs, i);
++	objs = X509_STORE_get0_objects(certs);
++
++	for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
++		obj = sk_X509_OBJECT_value(objs, i);
+ 
+-		if (obj->type != X509_LU_X509)
++		if (X509_OBJECT_get_type(obj) != X509_LU_X509)
+ 			continue;
+ 
+-		X509_NAME_oneline(obj->data.x509->cert_info->subject,
++		cert = X509_OBJECT_get0_X509(obj);
++
++		X509_NAME_oneline(X509_get_subject_name(cert),
+ 				subject_name, cert_name_len);
+-		X509_NAME_oneline(obj->data.x509->cert_info->issuer,
++		X509_NAME_oneline(X509_get_issuer_name(cert),
+ 				issuer_name, cert_name_len);
+ 
+ 		printf(" - subject: %s\n", subject_name);
+@@ -182,12 +196,21 @@ static int load_detached_signature_data(
+ 
+ static int cert_in_store(X509 *cert, X509_STORE_CTX *ctx)
+ {
+-	X509_OBJECT obj;
++	STACK_OF(X509_OBJECT) *objs;
++	X509_OBJECT *obj;
++	int i;
++
++	objs = X509_STORE_get0_objects(X509_STORE_CTX_get0_store(ctx));
+ 
+-	obj.type = X509_LU_X509;
+-	obj.data.x509 = cert;
++	for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
++		obj = sk_X509_OBJECT_value(objs, i);
+ 
+-	return X509_OBJECT_retrieve_match(ctx->ctx->objs, &obj) != NULL;
++		if (X509_OBJECT_get_type(obj) == X509_LU_X509 &&
++		    !X509_cmp(X509_OBJECT_get0_X509(obj), cert))
++			return 1;
++	}
++
++	return 0;
+ }
+ 
+ static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
+@@ -195,8 +218,9 @@ static int x509_verify_cb(int status, X5
+ 	int err = X509_STORE_CTX_get_error(ctx);
+ 
+ 	/* also accept code-signing keys */
+-	if (err == X509_V_ERR_INVALID_PURPOSE
+-			&& ctx->cert->ex_xkusage == XKU_CODE_SIGN)
++	if (err == X509_V_ERR_INVALID_PURPOSE &&
++			X509_get_extended_key_usage(X509_STORE_CTX_get0_cert(ctx))
++			== XKU_CODE_SIGN)
+ 		status = 1;
+ 
+ 	/* all certs given with the --cert argument are trusted */
+@@ -204,7 +228,7 @@ static int x509_verify_cb(int status, X5
+ 			err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT ||
+ 			err == X509_V_ERR_CERT_UNTRUSTED) {
+ 
+-		if (cert_in_store(ctx->current_cert, ctx))
++		if (cert_in_store(X509_STORE_CTX_get_current_cert(ctx), ctx))
+ 			status = 1;
+ 	}
+ 	/* UEFI doesn't care about expired signatures, so we shouldn't either. */
+--- a/src/sbkeysync.c
++++ b/src/sbkeysync.c
+@@ -204,16 +204,15 @@ static int x509_key_parse(struct key *ke
+ 		return -1;
+ 
+ 	/* we use the X509 serial number as the key ID */
+-	if (!x509->cert_info || !x509->cert_info->serialNumber)
++	serial = X509_get_serialNumber(x509);
++	if (!serial)
+ 		goto out;
+ 
+-	serial = x509->cert_info->serialNumber;
+-
+ 	key->id_len = ASN1_STRING_length(serial);
+ 	key->id = talloc_memdup(key, ASN1_STRING_data(serial), key->id_len);
+ 
+ 	key->description = talloc_array(key, char, description_len);
+-	X509_NAME_oneline(x509->cert_info->subject,
++	X509_NAME_oneline(X509_get_subject_name(x509),
+ 			key->description, description_len);
+ 
+ 	rc = 0;
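Review bot: In the sbkeysync.c part of the embedded patch, `key->id = talloc_memdup(key, ASN1_STRING_data(serial), key->id_len);` keeps calling `ASN1_STRING_data`, which OpenSSL 1.1.0 deprecates in favour of `ASN1_STRING_get0_data`, so the patch's stated goal of clean OpenSSL 1.1 support still leaves a deprecation warning (and a failure under -Werror=deprecated-declarations). Since sbkeysync.c gets no compatibility block of its own (the `#if OPENSSL_VERSION_NUMBER < 0x10100000L` block is only added to sbverify.c), a one-line `#define ASN1_STRING_get0_data ASN1_STRING_data` under the same guard in sbkeysync.c would let that call switch to the new accessor on both versions. Separately, the compatibility macro `X509_get_extended_key_usage(cert)` expands to a direct read of `ex_xkusage`, a cached field that on pre-1.1.0 OpenSSL is only meaningful once the certificate's extensions have been cached; in x509_verify_cb this presumably happened during chain building before the callback runs, but it is worth confirming rather than assuming, since a stale zero would silently fail the `== XKU_CODE_SIGN` check. The functions x509_key_parse and x509_verify_cb both begin outside the visible hunk lines.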
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/sbsigntool.git/commitdiff/e164c3e2d41fa1aacf7a1a321259677f524133c0


