[linux] 07/07: scripts: Fix X.509 PEM support in sign-file
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Mon Apr 4 18:29:54 UTC 2016
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch benh/secure-boot
in repository linux.
commit 76de9f06e045b56dd68cc8b42bf256a878188ada
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Mon Apr 4 19:28:26 2016 +0100
scripts: Fix X.509 PEM support in sign-file
DER format works but it's easier if we can use PEM everywhere.
---
debian/changelog | 1 +
...cripts-fix-x.509-pem-support-in-sign-file.patch | 37 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 39 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 527e42a..837d029 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -15,6 +15,7 @@ linux (4.5-1~exp2) UNRELEASED; urgency=medium
- debian/control: Add build-dependencies on libssl-dev, openssl
- debian/copyright: Note that extract-cert and sign-file are under LGPL 2.1
- linux-kbuild: Add extract-cert and sign-file programs
+ - scripts: Fix X.509 PEM support in sign-file
* certs: Set SYSTEM_TRUSTED_KEYS to my own personal certificate to support
initial testing of signed modules
diff --git a/debian/patches/bugfix/all/scripts-fix-x.509-pem-support-in-sign-file.patch b/debian/patches/bugfix/all/scripts-fix-x.509-pem-support-in-sign-file.patch
new file mode 100644
index 0000000..36990d8
--- /dev/null
+++ b/debian/patches/bugfix/all/scripts-fix-x.509-pem-support-in-sign-file.patch
@@ -0,0 +1,37 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Mon, 04 Apr 2016 12:53:35 +0100
+Subject: scripts: Fix X.509 PEM support in sign-file
+
+sign-file originally required the X.509 certificate to be in DER
+format, but now has a fallback to PEM format. It expects BIO_reset()
+to return 1 on success, but:
+
+ BIO_reset() normally returns 1 for success and 0 or -1 for failure.
+ File BIOs are an exception, they return 0 for success and -1 for
+ failure.
+
+BIO_reset() also prints accumulated error messages, which we don't
+want when we're about to try a fallback, so drain them first.
+
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+--- a/scripts/sign-file.c
++++ b/scripts/sign-file.c
+@@ -229,10 +229,14 @@ int main(int argc, char **argv)
+ ERR(!b, "%s", x509_name);
+ x509 = d2i_X509_bio(b, NULL); /* Binary encoded X.509 */
+ if (!x509) {
+- ERR(BIO_reset(b) != 1, "%s", x509_name);
++ /*
++ * We want to hold onto the error messages in case
++ * it's neither valid DER or PEM, but BIO_reset() will
++ * print them immediately so we can't.
++ */
++ drain_openssl_errors();
++ ERR(BIO_reset(b) != 0, "%s", x509_name);
+ x509 = PEM_read_bio_X509(b, NULL, NULL, NULL); /* PEM encoded X.509 */
+- if (x509)
+- drain_openssl_errors();
+ }
+ BIO_free(b);
+ ERR(!x509, "%s", x509_name);
diff --git a/debian/patches/series b/debian/patches/series
index 44807c5..93f22b3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -133,3 +133,4 @@ bugfix/all/lockdep-add-missing-macros.patch
bugfix/all/tools-build-remove-bpf-run-time-check-at-build-time.patch
bugfix/all/power-cpupower-fix-manpages-NAME.patch
bugfix/all/tools-lib-traceevent-fix-use-of-uninitialized-variables.patch
+bugfix/all/scripts-fix-x.509-pem-support-in-sign-file.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list