summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/0001-configure-Dont-t-check-for-gnu-efi.patch52
-rw-r--r--meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/0002-docs-Don-t-build-man-pages.patch29
-rw-r--r--meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/0003-sbsign-add-x-option-to-avoid-overwrite-existing-sign.patch (renamed from meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/sbsign-add-x-option-to-avoid-overwrite-existing-sign.patch)36
-rw-r--r--meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/Fix-for-multi-sign.patch41
-rw-r--r--meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/Fix-the-deprecated-ASN1_STRING_data-in-openssl-1.1.0.patch73
-rw-r--r--meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/Update-OpenSSL-API-usage-to-support-OpenSSL-1.1.patch158
-rw-r--r--meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/ccan.git.tar.bz2bin13964172 -> 0 bytes
-rw-r--r--meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/disable-man-page-creation.patch15
-rw-r--r--meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/fix-mixed-implicit-and-normal-rules.patch33
-rw-r--r--meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/image-fix-the-segment-fault-caused-by-the-uninitiali.patch30
-rw-r--r--meta-signing-key/recipes-devtools/sbsigntool/sbsigntool_git.bb57
11 files changed, 144 insertions, 380 deletions
diff --git a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/0001-configure-Dont-t-check-for-gnu-efi.patch b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/0001-configure-Dont-t-check-for-gnu-efi.patch
new file mode 100644
index 0000000..7ebff80
--- /dev/null
+++ b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/0001-configure-Dont-t-check-for-gnu-efi.patch
@@ -0,0 +1,52 @@
1From 7a555e12924393104b4bdd361ca74c9d3e589166 Mon Sep 17 00:00:00 2001
2From: Ilias Apalodimas <ilias.apalodimas@linaro.org>
3Date: Wed, 10 Mar 2021 15:51:49 +0200
4Subject: [PATCH 1/3] configure: Dont't check for gnu-efi
5
6The configure.ac is searching the gnu-efi libs in hardcoded paths making
7the configure fail.
8We explictly include the paths in our .bb recipe, so let's get rid of
9the check
10
11Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
12---
13 configure.ac | 15 +++++++--------
14 1 file changed, 7 insertions(+), 8 deletions(-)
15
16diff --git a/configure.ac b/configure.ac
17index 4ffb68ffa024..346296f82f06 100644
18--- a/configure.ac
19+++ b/configure.ac
20@@ -17,9 +17,9 @@ AC_PROG_MKDIR_P
21 AC_CHECK_TOOL(OBJCOPY, [objcopy])
22 AC_CHECK_TOOL(STRIP, [strip])
23
24- AC_CHECK_HEADER([bfd.h], [],
25- AC_MSG_ERROR([bfd.h not found.]
26-[bfd.h is usually distributed in a binutils development package.]))
27+ #AC_CHECK_HEADER([bfd.h], [],
28+ #AC_MSG_ERROR([bfd.h not found.]
29+#[bfd.h is usually distributed in a binutils development package.]))
30
31 if test $cross_compiling = no; then
32 AM_MISSING_PROG(HELP2MAN, help2man)
33@@ -75,12 +75,11 @@ for path in /lib /lib64 /usr/lib /usr/lib64 /usr/lib32 /lib/efi /lib64/efi /usr/
34 CRTPATH=$path
35 fi
36 done
37-if test -z "$CRTPATH"; then
38- AC_MSG_ERROR([cannot find the gnu-efi crt path])
39-fi
40+#if test -z "$CRTPATH"; then
41+ #AC_MSG_ERROR([cannot find the gnu-efi crt path])
42+#fi
43
44-EFI_CPPFLAGS="-I/usr/include/efi -I/usr/include/efi/$EFI_ARCH \
45- -DEFI_FUNCTION_WRAPPER"
46+EFI_CPPFLAGS="-DEFI_FUNCTION_WRAPPER"
47 CPPFLAGS_save="$CPPFLAGS"
48 CPPFLAGS="$CPPFLAGS $EFI_CPPFLAGS"
49 AC_CHECK_HEADERS([efi.h], [], [], $EFI_INCLUDES)
50--
512.30.2
52
diff --git a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/0002-docs-Don-t-build-man-pages.patch b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/0002-docs-Don-t-build-man-pages.patch
new file mode 100644
index 0000000..df6abbc
--- /dev/null
+++ b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/0002-docs-Don-t-build-man-pages.patch
@@ -0,0 +1,29 @@
1From fb2663b257947effc510ec4133214a22d344a9a8 Mon Sep 17 00:00:00 2001
2From: Ilias Apalodimas <ilias.apalodimas@linaro.org>
3Date: Wed, 10 Mar 2021 15:52:52 +0200
4Subject: [PATCH 2/3] docs: Don't build man pages
5
6Man pages not needed on embedded targets
7
8Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
9---
10 docs/Makefile.am | 5 -----
11 1 file changed, 5 deletions(-)
12
13diff --git a/docs/Makefile.am b/docs/Makefile.am
14index 89ed11012492..6918dd8cc3b8 100644
15--- a/docs/Makefile.am
16+++ b/docs/Makefile.am
17@@ -1,9 +1,4 @@
18
19-man1_MANS = sbsign.1 sbverify.1 sbattach.1 sbvarsign.1 sbsiglist.1 \
20- sbkeysync.1
21-
22-EXTRA_DIST = sbsign.1.in sbverify.1.in sbattach.1.in \
23- sbvarsign.1.in sbsiglist.1.in sbkeysync.1.in
24 CLEANFILES = $(man1_MANS)
25
26 $(builddir)/%.1: $(srcdir)/%.1.in $(top_builddir)/src/%
27--
282.30.2
29
diff --git a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/sbsign-add-x-option-to-avoid-overwrite-existing-sign.patch b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/0003-sbsign-add-x-option-to-avoid-overwrite-existing-sign.patch
index b67f56a..7d35805 100644
--- a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/sbsign-add-x-option-to-avoid-overwrite-existing-sign.patch
+++ b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/0003-sbsign-add-x-option-to-avoid-overwrite-existing-sign.patch
@@ -1,20 +1,20 @@
1From 0016a571a5ea1ab65817973f179800947e1aa8de Mon Sep 17 00:00:00 2001 1From 441f69eb94daa514f7dd4ba0db45a4e31f93015f Mon Sep 17 00:00:00 2001
2From: Lans Zhang <jia.zhang@windriver.com> 2From: Ilias Apalodimas <ilias.apalodimas@linaro.org>
3Date: Fri, 15 Jan 2016 09:40:56 +0800 3Date: Wed, 10 Mar 2021 15:53:21 +0200
4Subject: [PATCH] sbsign: add -x option to avoid overwrite existing signature 4Subject: [PATCH 3/3] sbsign: add -x option to avoid overwrite existing
5 5 signature
6Upstream-Status: Pending
7 6
8Signed-off-by: Lans Zhang <jia.zhang@windriver.com> 7Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
8Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
9--- 9---
10 src/sbsign.c | 17 +++++++++++++++-- 10 src/sbsign.c | 17 +++++++++++++++--
11 1 file changed, 15 insertions(+), 2 deletions(-) 11 1 file changed, 15 insertions(+), 2 deletions(-)
12 12
13diff --git a/src/sbsign.c b/src/sbsign.c 13diff --git a/src/sbsign.c b/src/sbsign.c
14index dcf6eed..7dc101f 100644 14index 898fe669f9dd..3a5ed3248948 100644
15--- a/src/sbsign.c 15--- a/src/sbsign.c
16+++ b/src/sbsign.c 16+++ b/src/sbsign.c
17@@ -66,6 +66,7 @@ struct sign_context { 17@@ -69,6 +69,7 @@ struct sign_context {
18 }; 18 };
19 19
20 static struct option options[] = { 20 static struct option options[] = {
@@ -22,29 +22,29 @@ index dcf6eed..7dc101f 100644
22 { "output", required_argument, NULL, 'o' }, 22 { "output", required_argument, NULL, 'o' },
23 { "cert", required_argument, NULL, 'c' }, 23 { "cert", required_argument, NULL, 'c' },
24 { "key", required_argument, NULL, 'k' }, 24 { "key", required_argument, NULL, 'k' },
25@@ -87,6 +88,7 @@ static void usage(void) 25@@ -94,6 +95,7 @@ static void usage(void)
26 "\t--cert <certfile> certificate (x509 certificate)\n" 26 "\t--addcert <addcertfile> additional intermediate certificates in a file\n"
27 "\t--detached write a detached signature, instead of\n" 27 "\t--detached write a detached signature, instead of\n"
28 "\t a signed binary\n" 28 "\t a signed binary\n"
29+ "\t--noresign don't re-sign the binary if signed\n" 29+ "\t--noresign don't re-sign the binary if signed\n"
30 "\t--output <file> write signed data to <file>\n" 30 "\t--output <file> write signed data to <file>\n"
31 "\t (default <efi-boot-image>.signed,\n" 31 "\t (default <efi-boot-image>.signed,\n"
32 "\t or <efi-boot-image>.pk7 for detached\n" 32 "\t or <efi-boot-image>.pk7 for detached\n"
33@@ -114,7 +116,7 @@ int main(int argc, char **argv) 33@@ -155,7 +157,7 @@ int main(int argc, char **argv)
34 const char *keyfilename, *certfilename; 34 const char *keyfilename, *certfilename, *addcertfilename, *engine;
35 struct sign_context *ctx; 35 struct sign_context *ctx;
36 uint8_t *buf, *tmp; 36 uint8_t *buf, *tmp;
37- int rc, c, sigsize; 37- int rc, c, sigsize;
38+ int rc, c, sigsize, no_resign = 0; 38+ int rc, c, sigsize, no_resign = 0;
39 EVP_PKEY *pkey;
39 40
40 ctx = talloc_zero(NULL, struct sign_context); 41 ctx = talloc_zero(NULL, struct sign_context);
41 42@@ -167,11 +169,14 @@ int main(int argc, char **argv)
42@@ -123,11 +125,14 @@ int main(int argc, char **argv)
43 43
44 for (;;) { 44 for (;;) {
45 int idx; 45 int idx;
46- c = getopt_long(argc, argv, "o:c:k:dvVh", options, &idx); 46- c = getopt_long(argc, argv, "o:c:k:dvVhe:a:", options, &idx);
47+ c = getopt_long(argc, argv, "xo:c:k:dvVh", options, &idx); 47+ c = getopt_long(argc, argv, "xo:c:k:dvVhe:a:", options, &idx);
48 if (c == -1) 48 if (c == -1)
49 break; 49 break;
50 50
@@ -55,7 +55,7 @@ index dcf6eed..7dc101f 100644
55 case 'o': 55 case 'o':
56 ctx->outfilename = talloc_strdup(ctx, optarg); 56 ctx->outfilename = talloc_strdup(ctx, optarg);
57 break; 57 break;
58@@ -178,6 +183,14 @@ int main(int argc, char **argv) 58@@ -228,6 +233,14 @@ int main(int argc, char **argv)
59 if (!ctx->image) 59 if (!ctx->image)
60 return EXIT_FAILURE; 60 return EXIT_FAILURE;
61 61
@@ -71,5 +71,5 @@ index dcf6eed..7dc101f 100644
71 71
72 ERR_load_crypto_strings(); 72 ERR_load_crypto_strings();
73-- 73--
741.9.1 742.30.2
75 75
diff --git a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/Fix-for-multi-sign.patch b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/Fix-for-multi-sign.patch
deleted file mode 100644
index 873ade0..0000000
--- a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/Fix-for-multi-sign.patch
+++ /dev/null
@@ -1,41 +0,0 @@
1From e58a528ef57e53008222f238cce7c326a14572e2 Mon Sep 17 00:00:00 2001
2From: James Bottomley <JBottomley@Parallels.com>
3Date: Mon, 30 Sep 2013 19:25:37 -0700
4Subject: [PATCH] Fix for multi-sign
5
6Upstream-Status: Inappropriate [embedded specific]
7
8The new Tianocore multi-sign code fails now for images signed with
9sbsigntools. The reason is that we don't actually align the signature table,
10we just slap it straight after the binary data. Unfortunately, the new
11multi-signature code checks that our alignment offsets are correct and fails
12the signature for this reason. Fix by adding junk to the end of the image to
13align the signature section.
14
15Signed-off-by: James Bottomley <JBottomley@Parallels.com>
16---
17 src/image.c | 8 +++++++-
18 1 file changed, 7 insertions(+), 1 deletion(-)
19
20diff --git a/src/image.c b/src/image.c
21index 10eba0e..519e288 100644
22--- a/src/image.c
23+++ b/src/image.c
24@@ -385,7 +385,13 @@ static int image_find_regions(struct image *image)
25
26 /* record the size of non-signature data */
27 r = &image->checksum_regions[image->n_checksum_regions - 1];
28- image->data_size = (r->data - (void *)image->buf) + r->size;
29+ /*
30+ * The new Tianocore multisign does a stricter check of the signatures
31+ * in particular, the signature table must start at an aligned offset
32+ * fix this by adding bytes to the end of the text section (which must
33+ * be included in the hash)
34+ */
35+ image->data_size = align_up((r->data - (void *)image->buf) + r->size, 8);
36
37 return 0;
38 }
39--
401.8.4
41
diff --git a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/Fix-the-deprecated-ASN1_STRING_data-in-openssl-1.1.0.patch b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/Fix-the-deprecated-ASN1_STRING_data-in-openssl-1.1.0.patch
deleted file mode 100644
index 3619945..0000000
--- a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/Fix-the-deprecated-ASN1_STRING_data-in-openssl-1.1.0.patch
+++ /dev/null
@@ -1,73 +0,0 @@
1From 6ef94a67490176a6d84b4968f303e6d1c51a49ce Mon Sep 17 00:00:00 2001
2From: Lans Zhang <jia.zhang@windriver.com>
3Date: Wed, 16 Aug 2017 10:09:43 +0800
4Subject: [PATCH] Fix the deprecated ASN1_STRING_data() in openssl-1.1.0
5
6Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
7---
8 src/idc.c | 4 ++--
9 src/idc.h | 4 ++++
10 src/sbkeysync.c | 3 ++-
11 3 files changed, 8 insertions(+), 3 deletions(-)
12
13diff --git a/src/idc.c b/src/idc.c
14index 236cefd..7f99a53 100644
15--- a/src/idc.c
16+++ b/src/idc.c
17@@ -238,7 +238,7 @@ struct idc *IDC_get(PKCS7 *p7, BIO *bio)
18
19 /* extract the idc from the signed PKCS7 'other' data */
20 str = p7->d.sign->contents->d.other->value.asn1_string;
21- idcbuf = buf = ASN1_STRING_data(str);
22+ idcbuf = buf = (const unsigned char *)ASN1_STRING_get0_data(str);
23 idc = d2i_IDC(NULL, &buf, ASN1_STRING_length(str));
24
25 /* If we were passed a BIO, write the idc data, minus type and length,
26@@ -289,7 +289,7 @@ int IDC_check_hash(struct idc *idc, struct image *image)
27 }
28
29 /* check hash against the one we calculated from the image */
30- buf = ASN1_STRING_data(str);
31+ buf = (const unsigned char *)ASN1_STRING_get0_data(str);
32 if (memcmp(buf, sha, sizeof(sha))) {
33 fprintf(stderr, "Hash doesn't match image\n");
34 fprintf(stderr, " got: %s\n", sha256_str(buf));
35diff --git a/src/idc.h b/src/idc.h
36index a6526de..8011237 100644
37--- a/src/idc.h
38+++ b/src/idc.h
39@@ -36,6 +36,10 @@
40
41 #include <openssl/pkcs7.h>
42
43+#if OPENSSL_VERSION_NUMBER < 0x10100000L
44+#define ASN1_STRING_get0_data ASN1_STRING_data
45+#endif
46+
47 struct idc;
48
49 int IDC_set(PKCS7 *p7, PKCS7_SIGNER_INFO *si, struct image *image);
50diff --git a/src/sbkeysync.c b/src/sbkeysync.c
51index a63d3b8..223a047 100644
52--- a/src/sbkeysync.c
53+++ b/src/sbkeysync.c
54@@ -54,6 +54,7 @@
55
56 #include "fileio.h"
57 #include "efivars.h"
58+#include "idc.h"
59
60 #define EFIVARS_MOUNTPOINT "/sys/firmware/efi/efivars"
61 #define PSTORE_FSTYPE 0x6165676C
62@@ -210,7 +211,7 @@ static int x509_key_parse(struct key *key, uint8_t *data, size_t len)
63 serial = x509->cert_info->serialNumber;
64
65 key->id_len = ASN1_STRING_length(serial);
66- key->id = talloc_memdup(key, ASN1_STRING_data(serial), key->id_len);
67+ key->id = talloc_memdup(key, ASN1_STRING_get0_data(serial), key->id_len);
68
69 key->description = talloc_array(key, char, description_len);
70 X509_NAME_oneline(x509->cert_info->subject,
71--
722.7.5
73
diff --git a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/Update-OpenSSL-API-usage-to-support-OpenSSL-1.1.patch b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/Update-OpenSSL-API-usage-to-support-OpenSSL-1.1.patch
deleted file mode 100644
index f517e47..0000000
--- a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/Update-OpenSSL-API-usage-to-support-OpenSSL-1.1.patch
+++ /dev/null
@@ -1,158 +0,0 @@
1From ddf7f08d27d6a44eb62928b33c66204ffa3d7edb Mon Sep 17 00:00:00 2001
2From: Lans Zhang <jia.zhang@windriver.com>
3Date: Tue, 15 Aug 2017 13:05:14 +0800
4Subject: [PATCH] Update OpenSSL API usage to support OpenSSL 1.1
5
6Most structure definitions in OpenSSL are now opaque and we must call
7the appropriate accessor functions to get information from them.
8Not all the accessors are available in older versions, so define the
9missing accessors as macros.
10
11The X509_retrieve_match() function is no longer usable, as we cannot
12initialise an X509_OBJECT ourselves. Instead, iterate over the
13certificate store and use X509_OBJECT_get_type and X509_cmp to
14compare certificates.
15
16Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
17Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
18---
19 src/sbkeysync.c | 7 +++----
20 src/sbverify.c | 52 ++++++++++++++++++++++++++++++++++++++--------------
21 2 files changed, 41 insertions(+), 18 deletions(-)
22
23diff --git a/src/sbkeysync.c b/src/sbkeysync.c
24index ef028ef..19e3064 100644
25--- a/src/sbkeysync.c
26+++ b/src/sbkeysync.c
27@@ -204,16 +204,15 @@ static int x509_key_parse(struct key *key, uint8_t *data, size_t len)
28 return -1;
29
30 /* we use the X509 serial number as the key ID */
31- if (!x509->cert_info || !x509->cert_info->serialNumber)
32+ serial = X509_get_serialNumber(x509);
33+ if (!serial)
34 goto out;
35
36- serial = x509->cert_info->serialNumber;
37-
38 key->id_len = ASN1_STRING_length(serial);
39 key->id = talloc_memdup(key, ASN1_STRING_get0_data(serial), key->id_len);
40
41 key->description = talloc_array(key, char, description_len);
42- X509_NAME_oneline(x509->cert_info->subject,
43+ X509_NAME_oneline(X509_get_subject_name(x509),
44 key->description, description_len);
45
46 rc = 0;
47diff --git a/src/sbverify.c b/src/sbverify.c
48index fb03d21..0aed71a 100644
49--- a/src/sbverify.c
50+++ b/src/sbverify.c
51@@ -55,6 +55,14 @@
52 #include <openssl/pem.h>
53 #include <openssl/x509v3.h>
54
55+#if OPENSSL_VERSION_NUMBER < 0x10100000L
56+#define X509_OBJECT_get0_X509(obj) ((obj)->data.x509)
57+#define X509_OBJECT_get_type(obj) ((obj)->type)
58+#define X509_STORE_CTX_get0_cert(ctx) ((ctx)->cert)
59+#define X509_STORE_get0_objects(certs) ((certs)->objs)
60+#define X509_get_extended_key_usage(cert) ((cert)->ex_xkusage)
61+#endif
62+
63 static const char *toolname = "sbverify";
64 static const int cert_name_len = 160;
65
66@@ -123,9 +131,9 @@ static void print_signature_info(PKCS7 *p7)
67
68 for (i = 0; i < sk_X509_num(p7->d.sign->cert); i++) {
69 cert = sk_X509_value(p7->d.sign->cert, i);
70- X509_NAME_oneline(cert->cert_info->subject,
71+ X509_NAME_oneline(X509_get_subject_name(cert),
72 subject_name, cert_name_len);
73- X509_NAME_oneline(cert->cert_info->issuer,
74+ X509_NAME_oneline(X509_get_issuer_name(cert),
75 issuer_name, cert_name_len);
76
77 printf(" - subject: %s\n", subject_name);
78@@ -136,20 +144,26 @@ static void print_signature_info(PKCS7 *p7)
79 static void print_certificate_store_certs(X509_STORE *certs)
80 {
81 char subject_name[cert_name_len + 1], issuer_name[cert_name_len + 1];
82+ STACK_OF(X509_OBJECT) *objs;
83 X509_OBJECT *obj;
84+ X509 *cert;
85 int i;
86
87 printf("certificate store:\n");
88
89- for (i = 0; i < sk_X509_OBJECT_num(certs->objs); i++) {
90- obj = sk_X509_OBJECT_value(certs->objs, i);
91+ objs = X509_STORE_get0_objects(certs);
92+
93+ for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
94+ obj = sk_X509_OBJECT_value(objs, i);
95
96- if (obj->type != X509_LU_X509)
97+ if (X509_OBJECT_get_type(obj) != X509_LU_X509)
98 continue;
99
100- X509_NAME_oneline(obj->data.x509->cert_info->subject,
101+ cert = X509_OBJECT_get0_X509(obj);
102+
103+ X509_NAME_oneline(X509_get_subject_name(cert),
104 subject_name, cert_name_len);
105- X509_NAME_oneline(obj->data.x509->cert_info->issuer,
106+ X509_NAME_oneline(X509_get_issuer_name(cert),
107 issuer_name, cert_name_len);
108
109 printf(" - subject: %s\n", subject_name);
110@@ -182,12 +196,21 @@ static int load_detached_signature_data(struct image *image,
111
112 static int cert_in_store(X509 *cert, X509_STORE_CTX *ctx)
113 {
114- X509_OBJECT obj;
115+ STACK_OF(X509_OBJECT) *objs;
116+ X509_OBJECT *obj;
117+ int i;
118+
119+ objs = X509_STORE_get0_objects(X509_STORE_CTX_get0_store(ctx));
120
121- obj.type = X509_LU_X509;
122- obj.data.x509 = cert;
123+ for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
124+ obj = sk_X509_OBJECT_value(objs, i);
125
126- return X509_OBJECT_retrieve_match(ctx->ctx->objs, &obj) != NULL;
127+ if (X509_OBJECT_get_type(obj) == X509_LU_X509 &&
128+ !X509_cmp(X509_OBJECT_get0_X509(obj), cert))
129+ return 1;
130+ }
131+
132+ return 0;
133 }
134
135 static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
136@@ -195,15 +218,16 @@ static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
137 int err = X509_STORE_CTX_get_error(ctx);
138
139 /* also accept code-signing keys */
140- if (err == X509_V_ERR_INVALID_PURPOSE
141- && ctx->cert->ex_xkusage == XKU_CODE_SIGN)
142+ if (err == X509_V_ERR_INVALID_PURPOSE &&
143+ X509_get_extended_key_usage(X509_STORE_CTX_get0_cert(ctx))
144+ == XKU_CODE_SIGN)
145 status = 1;
146
147 /* all certs given with the --cert argument are trusted */
148 else if (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
149 err == X509_V_ERR_CERT_UNTRUSTED) {
150
151- if (cert_in_store(ctx->current_cert, ctx))
152+ if (cert_in_store(X509_STORE_CTX_get_current_cert(ctx), ctx))
153 status = 1;
154 }
155
156--
1572.7.5
158
diff --git a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/ccan.git.tar.bz2 b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/ccan.git.tar.bz2
deleted file mode 100644
index 9a2994f..0000000
--- a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/ccan.git.tar.bz2
+++ /dev/null
Binary files differ
diff --git a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/disable-man-page-creation.patch b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/disable-man-page-creation.patch
deleted file mode 100644
index 9310628..0000000
--- a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/disable-man-page-creation.patch
+++ /dev/null
@@ -1,15 +0,0 @@
1Upstream-Status: Inappropriate [embedded specific]
2
3diff --git a/docs/Makefile.am b/docs/Makefile.am
4index 1b5a588..6918dd8 100644
5--- a/docs/Makefile.am
6+++ b/docs/Makefile.am
7@@ -1,8 +1,4 @@
8
9-man1_MANS = sbsign.1 sbverify.1 sbattach.1 sbvarsign.1 sbsiglist.1
10-
11-EXTRA_DIST = sbsign.1.in sbverify.1.in sbattach.1.in \
12- sbvarsign.1.in sbsiglist.1.in
13 CLEANFILES = $(man1_MANS)
14
15 $(builddir)/%.1: $(srcdir)/%.1.in $(top_builddir)/src/%
diff --git a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/fix-mixed-implicit-and-normal-rules.patch b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/fix-mixed-implicit-and-normal-rules.patch
deleted file mode 100644
index 3031e4a..0000000
--- a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/fix-mixed-implicit-and-normal-rules.patch
+++ /dev/null
@@ -1,33 +0,0 @@
1From 05e73dbe1f25600ad0dbb36b2d690560c5a36281 Mon Sep 17 00:00:00 2001
2From: Lans Zhang <jia.zhang@windriver.com>
3Date: Tue, 31 Mar 2015 15:34:38 +0800
4Subject: [PATCH] Fix mixed implicit and normal rules
5
6Upstream-Status: Inappropriate [embedded specific]
7
8This patch comes from upstream:
9http://git.yoctoproject.org/cgit/cgit.cgi/meta-luv/plain/recipes-devtools/sbsigntool/sbsigntool/fix-mixed-implicit-and-normal-rules.patch
10
11Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
12---
13 Makefile | 4 ----
14 1 file changed, 4 deletions(-)
15
16diff --git a/Makefile b/Makefile
17index 65d0d8f..a83185d 100644
18--- a/Makefile
19+++ b/Makefile
20@@ -39,10 +39,6 @@ $(SCOREDIR)/SUMMARY: $(MODS:%=$(SCOREDIR)/%.score)
21 $(CC) -v >> $@
22 cat $^ | grep 'Total score:' >> $@
23
24-$(SCOREDIR)/%.score: ccan/%/_info tools/ccanlint/ccanlint $(OBJFILES)
25- mkdir -p `dirname $@`
26- $(CCANLINT) -v -s ccan/$* > $@ || true
27-
28 $(ALL_DEPENDS): %/.depends: %/_info tools/ccan_depends
29 tools/ccan_depends $* > $@ || ( rm -f $@; exit 1 )
30
31--
321.8.3.1
33
diff --git a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/image-fix-the-segment-fault-caused-by-the-uninitiali.patch b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/image-fix-the-segment-fault-caused-by-the-uninitiali.patch
deleted file mode 100644
index 6fef038..0000000
--- a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/image-fix-the-segment-fault-caused-by-the-uninitiali.patch
+++ /dev/null
@@ -1,30 +0,0 @@
1From a6862cb3bb3b00a1d6704b2bd1fedbd1374be861 Mon Sep 17 00:00:00 2001
2From: Lans Zhang <jia.zhang@windriver.com>
3Date: Thu, 6 Apr 2017 11:11:14 +0800
4Subject: [PATCH] image: fix the segment fault caused by the uninitialized
5 sigbuf
6
7The uninitialized struct image might contain a non-zeroed sigbuf and then
8it is wrongly freed by image_add_signature().
9
10Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
11---
12 src/image.c | 2 +-
13 1 file changed, 1 insertion(+), 1 deletion(-)
14
15diff --git a/src/image.c b/src/image.c
16index cc55791..644e8f1 100644
17--- a/src/image.c
18+++ b/src/image.c
19@@ -395,7 +395,7 @@ struct image *image_load(const char *filename)
20 struct image *image;
21 int rc;
22
23- image = talloc(NULL, struct image);
24+ image = talloc_zero(NULL, struct image);
25 if (!image) {
26 perror("talloc(image)");
27 return NULL;
28--
292.11.0
30
diff --git a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool_git.bb b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool_git.bb
index 2c2e9d9..271a33f 100644
--- a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool_git.bb
+++ b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool_git.bb
@@ -8,18 +8,24 @@ LIC_FILES_CHKSUM = "\
8" 8"
9 9
10DEPENDS += "binutils openssl gnu-efi gnu-efi-native" 10DEPENDS += "binutils openssl gnu-efi gnu-efi-native"
11DEPENDS += "help2man-native coreutils-native openssl-native util-linux-native" 11DEPENDS += "binutils-native help2man-native coreutils-native openssl-native util-linux-native"
12 12
13PV = "0.8+git${SRCPV}" 13SRC_URI = " \
14 14 git://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git;protocol=https;name=sbsigntools \
15SRC_URI = "\ 15 git://github.com/rustyrussell/ccan.git;protocol=https;destsuffix=git/lib/ccan.git;name=ccan \
16 git://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git;protocol=https;name=sbsigntool \ 16 file://0001-configure-Dont-t-check-for-gnu-efi.patch \
17 file://0002-docs-Don-t-build-man-pages.patch \
18 file://0003-sbsign-add-x-option-to-avoid-overwrite-existing-sign.patch \
17" 19"
18SRCREV="f12484869c9590682ac3253d583bf59b890bb826" 20SRCREV_sbsigntools ?= "f12484869c9590682ac3253d583bf59b890bb826"
21SRCREV_ccan ?= "b1f28e17227f2320d07fe052a8a48942fe17caa5"
22SRCREV_FORMAT = "sbsigntools_ccan"
23
24PV = "0.9.2-git${SRCPV}"
19 25
20S = "${WORKDIR}/git" 26S = "${WORKDIR}/git"
21 27
22inherit native autotools-brokensep pkgconfig 28inherit autotools-brokensep pkgconfig native
23 29
24def efi_arch(d): 30def efi_arch(d):
25 import re 31 import re
@@ -35,16 +41,43 @@ def efi_arch(d):
35# --with-libtool-sysroot \ 41# --with-libtool-sysroot \
36#" 42#"
37 43
44HOST_EXTRACFLAGS += "\
45 INCLUDES+='-I${S}/lib/ccan.git/ \
46 -I${STAGING_INCDIR_NATIVE}/efi \
47 -I${STAGING_INCDIR_NATIVE} \
48"
49
38EXTRA_OEMAKE += "\ 50EXTRA_OEMAKE += "\
39 INCLUDES='-I${S}/lib/ccan.git' \ 51 INCLUDES='-I${S}/lib/ccan.git' \
40 EFI_CPPFLAGS='-I${STAGING_INCDIR}/efi \ 52 EFI_CPPFLAGS='-I${STAGING_INCDIR} -I${STAGING_INCDIR}/efi \
41 -I${STAGING_INCDIR}/efi/${@efi_arch(d)}' \ 53 -I${STAGING_INCDIR}/efi/${@efi_arch(d)}' \
42" 54"
43 55
44do_configure() { 56do_configure_prepend() {
45 cd "${S}" 57 cd ${S}
46 ./autogen.sh 58
47 oe_runconf 59 if [ ! -e lib/ccan ]; then
60
61 # Use empty SCOREDIR because 'make scores' is not run.
62 # The default setting depends on (non-whitelisted) host tools.
63 sed -i -e 's#^\(SCOREDIR=\).*#\1#' lib/ccan.git/Makefile
64
65 lib/ccan.git/tools/create-ccan-tree \
66 --build-type=automake lib/ccan \
67 talloc read_write_all build_assert array_size endian
68 fi
69
70 # Create generatable docs from git
71 (
72 echo "Authors of sbsigntool:"
73 echo
74 git log --format='%an' | sort -u | sed 's,^,\t,'
75 ) > AUTHORS
76
77 # Generate simple ChangeLog
78 git log --date=short --format='%ad %t %an <%ae>%n%n * %s%n' > ChangeLog
79
80 cd ${B}
48} 81}
49 82
50BBCLASSEXTEND = "native nativesdk" 83BBCLASSEXTEND = "native nativesdk"
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-05-13 09:58:27 +0000