commit: e2163d2ada041a93a694dd763ad0204854d19b25
Author: Quentin Retornaz <gentoo <AT> retornaz <DOT> com>
AuthorDate: Mon May 3 16:22:40 2021 +0000
Commit: Quentin Retornaz <gentoo <AT> retornaz <DOT> com>
CommitDate: Mon May 3 16:22:40 2021 +0000
URL: https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=e2163d2a
app-crypt/sbsigntools: new package
Package-Manager: Portage-3.0.18, Repoman-3.0.2
Signed-off-by: Quentin Retornaz <gentoo <AT> retornaz.com>
app-crypt/sbsigntools/Manifest | 2 +
.../sbsigntools-0.9.1-openssl-1.1.0-compat.patch | 152 +++++++++++++++++++
.../files/sbsigntools-0.9.2-libressl.patch | 161 +++++++++++++++++++++
app-crypt/sbsigntools/metadata.xml | 10 ++
app-crypt/sbsigntools/sbsigntools-0.9.2.ebuild | 48 ++++++
5 files changed, 373 insertions(+)
diff --git a/app-crypt/sbsigntools/Manifest b/app-crypt/sbsigntools/Manifest
new file mode 100644
index 0000000..564b3aa
--- /dev/null
+++ b/app-crypt/sbsigntools/Manifest
@@ -0,0 +1,2 @@
+DIST sbsigntool-0.8-ccan.tar.gz 113537 BLAKE2B
8fbf27463d30c1895930628a145be2d521ae4f6adb7af3299bf2f5f4319fd643df0a07347ef6851bd41d233af4c3fc5f77002771af1c43aa0f20665aef2390b8
SHA512
6857096879f116f1802eb6b44789cbea7bb24440bc0f16503aeadf5f276fa45943f322f844dbb9abee717655205d82b830143be3a7f4424fd4146b9360674a09
+DIST sbsigntools-0.9.2.tar.gz 56525 BLAKE2B
0bce1f534aa960672eab6a415e287b79ff9f18eb947e2217ad4533081f8b854e160b57828afbb56423b2dcab723d3a8aacb2e6affeb2057d17ce3c1761d96b11
SHA512
060753ed9c8db794e4755cc66c1940a2ccc89f4ddf0e825da1f1e6eaa75fc67c21060ee4b5dfb0c757b69e6f5959bfa68156d9f95a945cf63c6a20f1414a2c27
diff --git
a/app-crypt/sbsigntools/files/sbsigntools-0.9.1-openssl-1.1.0-compat.patch
b/app-crypt/sbsigntools/files/sbsigntools-0.9.1-openssl-1.1.0-compat.patch
new file mode 100644
index 0000000..2f9364f
--- /dev/null
+++ b/app-crypt/sbsigntools/files/sbsigntools-0.9.1-openssl-1.1.0-compat.patch
@@ -0,0 +1,152 @@
+diff --git a/src/fileio.c b/src/fileio.c
+index 032eb1e..09bc3aa 100644
+--- a/src/fileio.c
++++ b/src/fileio.c
+@@ -40,6 +40,7 @@
+ #include <openssl/pem.h>
+ #include <openssl/err.h>
+ #include <openssl/engine.h>
++#include <openssl/ui.h>
+
+ #include <ccan/talloc/talloc.h>
+ #include <ccan/read_write_all/read_write_all.h>
+diff --git a/src/idc.c b/src/idc.c
+index 236cefd..6d87bd4 100644
+--- a/src/idc.c
++++ b/src/idc.c
+@@ -238,7 +238,11 @@ struct idc *IDC_get(PKCS7 *p7, BIO *bio)
+
+ /* extract the idc from the signed PKCS7 'other' data */
+ str = p7->d.sign->contents->d.other->value.asn1_string;
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ idcbuf = buf = ASN1_STRING_data(str);
++#else
++ idcbuf = buf = ASN1_STRING_get0_data(str);
++#endif
+ idc = d2i_IDC(NULL, &buf, ASN1_STRING_length(str));
+
+ /* If we were passed a BIO, write the idc data, minus type and length,
+@@ -289,7 +293,11 @@ int IDC_check_hash(struct idc *idc, struct image *image)
+ }
+
+ /* check hash against the one we calculated from the image */
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ buf = ASN1_STRING_data(str);
++#else
++ buf = ASN1_STRING_get0_data(str);
++#endif
+ if (memcmp(buf, sha, sizeof(sha))) {
+ fprintf(stderr, "Hash doesn't match image\n");
+ fprintf(stderr, " got: %s\n", sha256_str(buf));
+diff --git a/src/sbattach.c b/src/sbattach.c
+index a0c01b8..e89a23e 100644
+--- a/src/sbattach.c
++++ b/src/sbattach.c
+@@ -231,6 +231,7 @@ int main(int argc, char **argv)
+ return EXIT_FAILURE;
+ }
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ ERR_load_crypto_strings();
+ OpenSSL_add_all_digests();
+ OPENSSL_config(NULL);
+@@ -239,6 +240,7 @@ int main(int argc, char **argv)
+ * module isn't present). In either case ignore the errors
+ * (malloc will cause other failures out lower down */
+ ERR_clear_error();
++#endif
+
+ image = image_load(image_filename);
+ if (!image) {
+diff --git a/src/sbkeysync.c b/src/sbkeysync.c
+index 7b17f40..419b1e7 100644
+--- a/src/sbkeysync.c
++++ b/src/sbkeysync.c
+@@ -208,7 +208,11 @@ static int x509_key_parse(struct key *key, uint8_t *data,
size_t len)
+ goto out;
+
+ key->id_len = ASN1_STRING_length(serial);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ key->id = talloc_memdup(key, ASN1_STRING_data(serial), key->id_len);
++#else
++ key->id = talloc_memdup(key, ASN1_STRING_get0_data(serial),
key->id_len);
++#endif
+
+ key->description = talloc_array(key, char, description_len);
+ X509_NAME_oneline(X509_get_subject_name(x509),
+@@ -927,6 +931,7 @@ int main(int argc, char **argv)
+ return EXIT_FAILURE;
+ }
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ ERR_load_crypto_strings();
+ OpenSSL_add_all_digests();
+ OpenSSL_add_all_ciphers();
+@@ -936,6 +941,7 @@ int main(int argc, char **argv)
+ * module isn't present). In either case ignore the errors
+ * (malloc will cause other failures out lower down */
+ ERR_clear_error();
++#endif
+
+ ctx->filesystem_keys = init_keyset(ctx);
+ ctx->firmware_keys = init_keyset(ctx);
+diff --git a/src/sbsign.c b/src/sbsign.c
+index ff1fdfd..78d8d64 100644
+--- a/src/sbsign.c
++++ b/src/sbsign.c
+@@ -188,6 +188,7 @@ int main(int argc, char **argv)
+
+ talloc_steal(ctx, ctx->image);
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ ERR_load_crypto_strings();
+ OpenSSL_add_all_digests();
+ OpenSSL_add_all_ciphers();
+@@ -197,6 +198,7 @@ int main(int argc, char **argv)
+ * module isn't present). In either case ignore the errors
+ * (malloc will cause other failures out lower down */
+ ERR_clear_error();
++#endif
+ if (engine)
+ pkey = fileio_read_engine_key(engine, keyfilename);
+ else
+diff --git a/src/sbvarsign.c b/src/sbvarsign.c
+index 7dcbe51..9319c8b 100644
+--- a/src/sbvarsign.c
++++ b/src/sbvarsign.c
+@@ -509,6 +509,7 @@ int main(int argc, char **argv)
+ return EXIT_FAILURE;
+ }
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ /* initialise openssl */
+ OpenSSL_add_all_digests();
+ OpenSSL_add_all_ciphers();
+@@ -519,6 +520,7 @@ int main(int argc, char **argv)
+ * module isn't present). In either case ignore the errors
+ * (malloc will cause other failures out lower down */
+ ERR_clear_error();
++#endif
+
+ /* set up the variable signing context */
+ varname = argv[optind];
+diff --git a/src/sbverify.c b/src/sbverify.c
+index 3920d91..d0b203a 100644
+--- a/src/sbverify.c
++++ b/src/sbverify.c
+@@ -250,6 +250,7 @@ int main(int argc, char **argv)
+ verbose = false;
+ detached_sig_filename = NULL;
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ OpenSSL_add_all_digests();
+ ERR_load_crypto_strings();
+ OPENSSL_config(NULL);
+@@ -258,6 +259,7 @@ int main(int argc, char **argv)
+ * module isn't present). In either case ignore the errors
+ * (malloc will cause other failures out lower down */
+ ERR_clear_error();
++#endif
+
+ for (;;) {
+ int idx;
diff --git a/app-crypt/sbsigntools/files/sbsigntools-0.9.2-libressl.patch
b/app-crypt/sbsigntools/files/sbsigntools-0.9.2-libressl.patch
new file mode 100644
index 0000000..226f7fd
--- /dev/null
+++ b/app-crypt/sbsigntools/files/sbsigntools-0.9.2-libressl.patch
@@ -0,0 +1,161 @@
+diff --git a/src/fileio.c b/src/fileio.c
+index 032eb1e..09bc3aa 100644
+--- a/src/fileio.c
++++ b/src/fileio.c
+@@ -40,6 +40,7 @@
+ #include <openssl/pem.h>
+ #include <openssl/err.h>
+ #include <openssl/engine.h>
++#include <openssl/ui.h>
+
+ #include <ccan/talloc/talloc.h>
+ #include <ccan/read_write_all/read_write_all.h>
+diff --git a/src/idc.c b/src/idc.c
+index 236cefd..18c670a 100644
+--- a/src/idc.c
++++ b/src/idc.c
+@@ -238,7 +238,11 @@ struct idc *IDC_get(PKCS7 *p7, BIO *bio)
+
+ /* extract the idc from the signed PKCS7 'other' data */
+ str = p7->d.sign->contents->d.other->value.asn1_string;
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ idcbuf = buf = ASN1_STRING_data(str);
++#else
++ idcbuf = buf = ASN1_STRING_get0_data(str);
++#endif
+ idc = d2i_IDC(NULL, &buf, ASN1_STRING_length(str));
+
+ /* If we were passed a BIO, write the idc data, minus type and length,
+@@ -289,7 +293,11 @@ int IDC_check_hash(struct idc *idc, struct image *image)
+ }
+
+ /* check hash against the one we calculated from the image */
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ buf = ASN1_STRING_data(str);
++#else
++ buf = ASN1_STRING_get0_data(str);
++#endif
+ if (memcmp(buf, sha, sizeof(sha))) {
+ fprintf(stderr, "Hash doesn't match image\n");
+ fprintf(stderr, " got: %s\n", sha256_str(buf));
+diff --git a/src/sbattach.c b/src/sbattach.c
+index a0c01b8..fe5a18e 100644
+--- a/src/sbattach.c
++++ b/src/sbattach.c
+@@ -231,6 +231,7 @@ int main(int argc, char **argv)
+ return EXIT_FAILURE;
+ }
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ ERR_load_crypto_strings();
+ OpenSSL_add_all_digests();
+ OPENSSL_config(NULL);
+@@ -239,6 +240,7 @@ int main(int argc, char **argv)
+ * module isn't present). In either case ignore the errors
+ * (malloc will cause other failures out lower down */
+ ERR_clear_error();
++#endif
+
+ image = image_load(image_filename);
+ if (!image) {
+diff --git a/src/sbkeysync.c b/src/sbkeysync.c
+index 7b17f40..753ca52 100644
+--- a/src/sbkeysync.c
++++ b/src/sbkeysync.c
+@@ -208,7 +208,11 @@ static int x509_key_parse(struct key *key, uint8_t *data,
size_t len)
+ goto out;
+
+ key->id_len = ASN1_STRING_length(serial);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ key->id = talloc_memdup(key, ASN1_STRING_data(serial), key->id_len);
++#else
++ key->id = talloc_memdup(key, ASN1_STRING_get0_data(serial),
key->id_len);
++#endif
+
+ key->description = talloc_array(key, char, description_len);
+ X509_NAME_oneline(X509_get_subject_name(x509),
+@@ -927,6 +931,7 @@ int main(int argc, char **argv)
+ return EXIT_FAILURE;
+ }
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ ERR_load_crypto_strings();
+ OpenSSL_add_all_digests();
+ OpenSSL_add_all_ciphers();
+@@ -936,6 +941,7 @@ int main(int argc, char **argv)
+ * module isn't present). In either case ignore the errors
+ * (malloc will cause other failures out lower down */
+ ERR_clear_error();
++#endif
+
+ ctx->filesystem_keys = init_keyset(ctx);
+ ctx->firmware_keys = init_keyset(ctx);
+diff --git a/src/sbsign.c b/src/sbsign.c
+index ff1fdfd..5754113 100644
+--- a/src/sbsign.c
++++ b/src/sbsign.c
+@@ -188,6 +188,7 @@ int main(int argc, char **argv)
+
+ talloc_steal(ctx, ctx->image);
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ ERR_load_crypto_strings();
+ OpenSSL_add_all_digests();
+ OpenSSL_add_all_ciphers();
+@@ -197,6 +198,7 @@ int main(int argc, char **argv)
+ * module isn't present). In either case ignore the errors
+ * (malloc will cause other failures out lower down */
+ ERR_clear_error();
++#endif
+ if (engine)
+ pkey = fileio_read_engine_key(engine, keyfilename);
+ else
+diff --git a/src/sbvarsign.c b/src/sbvarsign.c
+index ebf625c..43a1a61 100644
+--- a/src/sbvarsign.c
++++ b/src/sbvarsign.c
+@@ -509,6 +509,7 @@ int main(int argc, char **argv)
+ return EXIT_FAILURE;
+ }
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ /* initialise openssl */
+ OpenSSL_add_all_digests();
+ OpenSSL_add_all_ciphers();
+@@ -519,6 +520,7 @@ int main(int argc, char **argv)
+ * module isn't present). In either case ignore the errors
+ * (malloc will cause other failures out lower down */
+ ERR_clear_error();
++#endif
+
+ /* set up the variable signing context */
+ varname = argv[optind];
+diff --git a/src/sbverify.c b/src/sbverify.c
+index 3920d91..3d9c0a1 100644
+--- a/src/sbverify.c
++++ b/src/sbverify.c
+@@ -56,7 +56,7 @@
+ #include <openssl/pem.h>
+ #include <openssl/x509v3.h>
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ #define X509_OBJECT_get0_X509(obj) ((obj)->data.x509)
+ #define X509_OBJECT_get_type(obj) ((obj)->type)
+ #define X509_STORE_CTX_get0_cert(ctx) ((ctx)->cert)
+@@ -250,6 +250,7 @@ int main(int argc, char **argv)
+ verbose = false;
+ detached_sig_filename = NULL;
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ OpenSSL_add_all_digests();
+ ERR_load_crypto_strings();
+ OPENSSL_config(NULL);
+@@ -258,6 +259,7 @@ int main(int argc, char **argv)
+ * module isn't present). In either case ignore the errors
+ * (malloc will cause other failures out lower down */
+ ERR_clear_error();
++#endif
+
+ for (;;) {
+ int idx;
diff --git a/app-crypt/sbsigntools/metadata.xml
b/app-crypt/sbsigntools/metadata.xml
new file mode 100644
index 0000000..20001d6
--- /dev/null
+++ b/app-crypt/sbsigntools/metadata.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd";>
+<pkgmetadata>
+ <maintainer type="person">
+ <email>[email protected]</email>
+ </maintainer>
+ <upstream>
+ <remote-id type="launchpad">ubuntu</remote-id>
+ </upstream>
+</pkgmetadata>
diff --git a/app-crypt/sbsigntools/sbsigntools-0.9.2.ebuild
b/app-crypt/sbsigntools/sbsigntools-0.9.2.ebuild
new file mode 100644
index 0000000..92c0ab7
--- /dev/null
+++ b/app-crypt/sbsigntools/sbsigntools-0.9.2.ebuild
@@ -0,0 +1,48 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+MY_PN="${PN::-1}"
+
+inherit autotools toolchain-funcs
+
+DESCRIPTION="Utilities for signing and verifying files for UEFI Secure Boot"
+HOMEPAGE="https://git.kernel.org/cgit/linux/kernel/git/jejb/sbsigntools.git/";
+SRC_URI="https://git.kernel.org/pub/scm/linux/kernel/git/jejb/${PN}.git/snapshot/${P}.tar.gz
+ https://dev.gentoo.org/~tamiko/distfiles/${MY_PN}-0.8-ccan.tar.gz";
+
+LICENSE="GPL-3 LGPL-3 LGPL-2.1 CC0-1.0"
+SLOT="0"
+KEYWORDS="amd64 ~arm64 x86"
+IUSE=""
+
+RDEPEND="
+ dev-libs/openssl:0=
+ sys-apps/util-linux"
+DEPEND="${RDEPEND}
+ sys-apps/help2man
+ sys-boot/gnu-efi
+ sys-libs/binutils-libs
+ virtual/pkgconfig"
+
+src_prepare() {
+ eapply "${FILESDIR}"/"${P}"-libressl.patch
+ mv "${WORKDIR}"/lib/ccan "${S}"/lib || die "mv failed"
+ rmdir "${WORKDIR}"/lib || die "rmdir failed"
+
+ local iarch
+ case ${ARCH} in
+ amd64) iarch=x86_64 ;;
+ arm64) iarch=aarch64 ;;
+ ia64) iarch=ia64 ;;
+ x86) iarch=ia32 ;;
+ *) die "unsupported architecture: ${ARCH}" ;;
+ esac
+ sed -i "/^EFI_ARCH=/s:=.*:=${iarch}:" configure.ac || die
+ sed -i 's/-m64$/& -march=x86-64/' tests/Makefile.am || die
+ sed -i "/^AR /s:=.*:= $(tc-getAR):" lib/ccan/Makefile.in || die #481480
+
+ default
+ eautoreconf
+}
