[linux] 07/07: scripts: Fix X.509 PEM support in sign-file

debian-kernel at lists.debian.org
Mon Apr 4 18:29:54 UTC 2016


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch benh/secure-boot
in repository linux.

commit 76de9f06e045b56dd68cc8b42bf256a878188ada
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Mon Apr 4 19:28:26 2016 +0100

    scripts: Fix X.509 PEM support in sign-file
    
    DER format works but it's easier if we can use PEM everywhere.
---
 debian/changelog                                   |  1 +
 ...cripts-fix-x.509-pem-support-in-sign-file.patch | 37 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 39 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 527e42a..837d029 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -15,6 +15,7 @@ linux (4.5-1~exp2) UNRELEASED; urgency=medium
     - debian/control: Add build-dependencies on libssl-dev, openssl
     - debian/copyright: Note that extract-cert and sign-file are under LGPL 2.1
     - linux-kbuild: Add extract-cert and sign-file programs
+    - scripts: Fix X.509 PEM support in sign-file
   * certs: Set SYSTEM_TRUSTED_KEYS to my own personal certificate to support
     initial testing of signed modules
 
diff --git a/debian/patches/bugfix/all/scripts-fix-x.509-pem-support-in-sign-file.patch b/debian/patches/bugfix/all/scripts-fix-x.509-pem-support-in-sign-file.patch
new file mode 100644
index 0000000..36990d8
--- /dev/null
+++ b/debian/patches/bugfix/all/scripts-fix-x.509-pem-support-in-sign-file.patch
@@ -0,0 +1,37 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Mon, 04 Apr 2016 12:53:35 +0100
+Subject: scripts: Fix X.509 PEM support in sign-file
+
+sign-file originally required the X.509 certificate to be in DER
+format, but now has a fallback to PEM format.  It expects BIO_reset()
+to return 1 on success, but:
+
+       BIO_reset() normally returns 1 for success and 0 or -1 for failure.
+       File BIOs are an exception, they return 0 for success and -1 for
+       failure.
+
+BIO_reset() also prints accumulated error messages, which we don't
+want when we're about to try a fallback, so drain them first.
+
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+--- a/scripts/sign-file.c
++++ b/scripts/sign-file.c
+@@ -229,10 +229,14 @@ int main(int argc, char **argv)
+ 	ERR(!b, "%s", x509_name);
+ 	x509 = d2i_X509_bio(b, NULL); /* Binary encoded X.509 */
+ 	if (!x509) {
+-		ERR(BIO_reset(b) != 1, "%s", x509_name);
++		/*
++		 * We want to hold onto the error messages in case
++		 * it's neither valid DER or PEM, but BIO_reset() will
++		 * print them immediately so we can't.
++		 */
++		drain_openssl_errors();
++		ERR(BIO_reset(b) != 0, "%s", x509_name);
+ 		x509 = PEM_read_bio_X509(b, NULL, NULL, NULL); /* PEM encoded X.509 */
+-		if (x509)
+-			drain_openssl_errors();
+ 	}
+ 	BIO_free(b);
+ 	ERR(!x509, "%s", x509_name);
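Review bot: draining the error queue before BIO_reset() discards the DER-parse errors unconditionally, so when the input is neither valid DER nor PEM the final `ERR(!x509, "%s", x509_name);` reports only the PEM failure; the in-code comment admits this, but the patch description above does not say the DER diagnostics are lost, and the comment should read "neither valid DER nor PEM". The new `ERR(BIO_reset(b) != 0, "%s", x509_name);` is correct only because `b` is a file BIO (0 on success, per the man page excerpt quoted in the description); a one-line comment at that check naming the file-BIO exception would keep a later switch to a memory BIO from silently breaking the fallback.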
diff --git a/debian/patches/series b/debian/patches/series
index 44807c5..93f22b3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -133,3 +133,4 @@ bugfix/all/lockdep-add-missing-macros.patch
 bugfix/all/tools-build-remove-bpf-run-time-check-at-build-time.patch
 bugfix/all/power-cpupower-fix-manpages-NAME.patch
 bugfix/all/tools-lib-traceevent-fix-use-of-uninitialized-variables.patch
+bugfix/all/scripts-fix-x.509-pem-support-in-sign-file.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
