Package: sbsigntool Version: 0.6-3 Severity: normal Tags: patch Here's the diff for version 0.6-3.1, which fixed the two open bugs and some other minor issues I found along the way.
I tested building the new version on arm64 on armhf. It failed on armhf, but this appears to be a toolchain issue: the linker reported various symbols in libc as undefined, but only when linking sbkeysync and not any of the other programs. This build failure won't prevent propagation to testing, and I assume that it will be resolved later by an update to the toolchain. The test suite assumes an x86 multilib compiler, so I stopped it running on anything but amd64, i386 and kfreebsd-amd64. I did some basic manual tests of sbsign, sbattach and sbverify on arm64 and armhf, successfully. Ben. --- diff -Nru sbsigntool-0.6/debian/changelog sbsigntool-0.6/debian/changelog --- sbsigntool-0.6/debian/changelog 2016-04-20 09:34:30.000000000 +0200 +++ sbsigntool-0.6/debian/changelog 2016-06-26 23:39:15.000000000 +0200 @@ -1,3 +1,14 @@ +sbsigntool (0.6-3.1) unstable; urgency=medium + + * Non-maintainer upload with approval of maintainer + * Limit build-dependency on gcc-multilib to the architectures where it + is available, and disable tests where it is not + * Enable building on arm64 and armhf (Closes: #821144) + * Update OpenSSL API usage to support OpenSSL 1.1 (Closes: #828539) + * Remove incorrect Vcs-Bzr field + + -- Ben Hutchings <b...@decadent.org.uk> Sun, 26 Jun 2016 23:39:15 +0200 + sbsigntool (0.6-3) unstable; urgency=medium * Add sbsign_check_write_return.patch: check return when writing diff -Nru sbsigntool-0.6/debian/control sbsigntool-0.6/debian/control --- sbsigntool-0.6/debian/control 2016-04-19 08:06:55.000000000 +0200 +++ sbsigntool-0.6/debian/control 2016-06-26 22:45:44.000000000 +0200 @@ -4,7 +4,7 @@ Maintainer: Pierre Chifflier <pol...@debian.org> Build-Depends: debhelper (>= 9.0.0), dh-autoreconf, - gcc-multilib, + gcc-multilib [amd64 i386 kfreebsd-amd64], binutils-dev, libssl-dev, openssl, @@ -14,13 +14,11 @@ help2man, gnu-efi Standards-Version: 3.9.7 -Vcs-Bzr: lp:ubuntu/sbsigntool Package: sbsigntool -Architecture: any-amd64 any-i386 +Architecture: any-amd64 any-i386 arm64 armhf Depends: ${shlibs:Depends}, ${misc:Depends} Multi-Arch: foreign Description: Tools to manipulate signatures on UEFI binaries and drivers This package installs tools which can cryptographically sign EFI binaries and drivers. - Currently it can only sign x86_64 EFI binaries and drivers. diff -Nru sbsigntool-0.6/debian/patches/fix-efi-arch-detection.patch sbsigntool-0.6/debian/patches/fix-efi-arch-detection.patch --- sbsigntool-0.6/debian/patches/fix-efi-arch-detection.patch 1970-01-01 02:00:00.000000000 +0200 +++ sbsigntool-0.6/debian/patches/fix-efi-arch-detection.patch 2016-06-26 22:59:28.000000000 +0200 @@ -0,0 +1,19 @@ +Author: Ben Hutchings <b...@decadent.org.uk> +Date: Sun, 26 Jun 2016 22:56:18 +0200 +Description: Fix EFI architecture detection + Currently we use 'uname -m', which tells us the build architecture. + In a cross-building environment or compat environment, this is not the + same as the host architecture. Use AC_CANONICAL_HOST instead. + +--- a/configure.ac ++++ b/configure.ac +@@ -64,7 +64,8 @@ PKG_CHECK_MODULES(uuid, uuid, + AC_MSG_ERROR([libuuid (from the uuid package) is required])) + + dnl gnu-efi headers require extra include dirs +-EFI_ARCH=$(uname -m) ++AC_CANONICAL_HOST ++EFI_ARCH=$host_cpu + case $EFI_ARCH in + i*86) + EFI_ARCH="ia32" diff -Nru sbsigntool-0.6/debian/patches/series sbsigntool-0.6/debian/patches/series --- sbsigntool-0.6/debian/patches/series 2016-04-18 22:56:08.000000000 +0200 +++ sbsigntool-0.6/debian/patches/series 2016-06-26 22:55:38.000000000 +0200 @@ -11,3 +11,5 @@ 0001-Support-openssl-1.0.2b-and-above.patch sbverify_clear_out_cert_content.patch sbsign_check_write_return.patch +update-openssl-api-usage-to-support-openssl-1.1.patch +fix-efi-arch-detection.patch diff -Nru sbsigntool-0.6/debian/patches/update-openssl-api-usage-to-support-openssl-1.1.patch sbsigntool-0.6/debian/patches/update-openssl-api-usage-to-support-openssl-1.1.patch --- sbsigntool-0.6/debian/patches/update-openssl-api-usage-to-support-openssl-1.1.patch 1970-01-01 02:00:00.000000000 +0200 +++ sbsigntool-0.6/debian/patches/update-openssl-api-usage-to-support-openssl-1.1.patch 2016-06-26 22:20:59.000000000 +0200 @@ -0,0 +1,143 @@ +Author: Ben Hutchings <b...@decadent.org.uk> +Date: Sun, 26 Jun 2016 22:04:29 +0200 +Description: Update OpenSSL API usage to support OpenSSL 1.1 + Most structure definitions in OpenSSL are now opaque and we must call + the appropriate accessor functions to get information from them. + Not all the accessors are available in older versions, so define the + missing accessors as macros. + . + The X509_retrieve_match() function is no longer usable, as we cannot + initialise an X509_OBJECT ourselves. Instead, iterate over the + certificate store and use X509_OBJECT_get_type and X509_cmp to + compare certificates. + +--- a/src/sbverify.c ++++ b/src/sbverify.c +@@ -55,6 +55,14 @@ + #include <openssl/pem.h> + #include <openssl/x509v3.h> + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++#define X509_OBJECT_get0_X509(obj) ((obj)->data.x509) ++#define X509_OBJECT_get_type(obj) ((obj)->type) ++#define X509_STORE_CTX_get0_cert(ctx) ((ctx)->cert) ++#define X509_STORE_get0_objects(certs) ((certs)->objs) ++#define X509_get_extended_key_usage(cert) ((cert)->ex_xkusage) ++#endif ++ + static const char *toolname = "sbverify"; + static const int cert_name_len = 160; + +@@ -123,9 +131,9 @@ static void print_signature_info(PKCS7 * + + for (i = 0; i < sk_X509_num(p7->d.sign->cert); i++) { + cert = sk_X509_value(p7->d.sign->cert, i); +- X509_NAME_oneline(cert->cert_info->subject, ++ X509_NAME_oneline(X509_get_subject_name(cert), + subject_name, cert_name_len); +- X509_NAME_oneline(cert->cert_info->issuer, ++ X509_NAME_oneline(X509_get_issuer_name(cert), + issuer_name, cert_name_len); + + printf(" - subject: %s\n", subject_name); +@@ -136,20 +144,26 @@ static void print_signature_info(PKCS7 * + static void print_certificate_store_certs(X509_STORE *certs) + { + char subject_name[cert_name_len + 1], issuer_name[cert_name_len + 1]; ++ STACK_OF(X509_OBJECT) *objs; + X509_OBJECT *obj; ++ X509 *cert; + int i; + + printf("certificate store:\n"); + +- for (i = 0; i < sk_X509_OBJECT_num(certs->objs); i++) { +- obj = sk_X509_OBJECT_value(certs->objs, i); ++ objs = X509_STORE_get0_objects(certs); ++ ++ for (i = 0; i < sk_X509_OBJECT_num(objs); i++) { ++ obj = sk_X509_OBJECT_value(objs, i); + +- if (obj->type != X509_LU_X509) ++ if (X509_OBJECT_get_type(obj) != X509_LU_X509) + continue; + +- X509_NAME_oneline(obj->data.x509->cert_info->subject, ++ cert = X509_OBJECT_get0_X509(obj); ++ ++ X509_NAME_oneline(X509_get_subject_name(cert), + subject_name, cert_name_len); +- X509_NAME_oneline(obj->data.x509->cert_info->issuer, ++ X509_NAME_oneline(X509_get_issuer_name(cert), + issuer_name, cert_name_len); + + printf(" - subject: %s\n", subject_name); +@@ -182,12 +196,21 @@ static int load_detached_signature_data( + + static int cert_in_store(X509 *cert, X509_STORE_CTX *ctx) + { +- X509_OBJECT obj; ++ STACK_OF(X509_OBJECT) *objs; ++ X509_OBJECT *obj; ++ int i; ++ ++ objs = X509_STORE_get0_objects(X509_STORE_CTX_get0_store(ctx)); + +- obj.type = X509_LU_X509; +- obj.data.x509 = cert; ++ for (i = 0; i < sk_X509_OBJECT_num(objs); i++) { ++ obj = sk_X509_OBJECT_value(objs, i); + +- return X509_OBJECT_retrieve_match(ctx->ctx->objs, &obj) != NULL; ++ if (X509_OBJECT_get_type(obj) == X509_LU_X509 && ++ !X509_cmp(X509_OBJECT_get0_X509(obj), cert)) ++ return 1; ++ } ++ ++ return 0; + } + + static int x509_verify_cb(int status, X509_STORE_CTX *ctx) +@@ -195,8 +218,9 @@ static int x509_verify_cb(int status, X5 + int err = X509_STORE_CTX_get_error(ctx); + + /* also accept code-signing keys */ +- if (err == X509_V_ERR_INVALID_PURPOSE +- && ctx->cert->ex_xkusage == XKU_CODE_SIGN) ++ if (err == X509_V_ERR_INVALID_PURPOSE && ++ X509_get_extended_key_usage(X509_STORE_CTX_get0_cert(ctx)) ++ == XKU_CODE_SIGN) + status = 1; + + /* all certs given with the --cert argument are trusted */ +@@ -204,7 +228,7 @@ static int x509_verify_cb(int status, X5 + err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT || + err == X509_V_ERR_CERT_UNTRUSTED) { + +- if (cert_in_store(ctx->current_cert, ctx)) ++ if (cert_in_store(X509_STORE_CTX_get_current_cert(ctx), ctx)) + status = 1; + } + /* UEFI doesn't care about expired signatures, so we shouldn't either. */ +--- a/src/sbkeysync.c ++++ b/src/sbkeysync.c +@@ -204,16 +204,15 @@ static int x509_key_parse(struct key *ke + return -1; + + /* we use the X509 serial number as the key ID */ +- if (!x509->cert_info || !x509->cert_info->serialNumber) ++ serial = X509_get_serialNumber(x509); ++ if (!serial) + goto out; + +- serial = x509->cert_info->serialNumber; +- + key->id_len = ASN1_STRING_length(serial); + key->id = talloc_memdup(key, ASN1_STRING_data(serial), key->id_len); + + key->description = talloc_array(key, char, description_len); +- X509_NAME_oneline(x509->cert_info->subject, ++ X509_NAME_oneline(X509_get_subject_name(x509), + key->description, description_len); + + rc = 0; diff -Nru sbsigntool-0.6/debian/rules sbsigntool-0.6/debian/rules --- sbsigntool-0.6/debian/rules 2016-03-08 09:01:25.000000000 +0200 +++ sbsigntool-0.6/debian/rules 2016-06-26 20:54:52.000000000 +0200 @@ -1,8 +1,17 @@ #!/usr/bin/make -f # -*- makefile -*- +include /usr/share/dpkg/architecture.mk + # Uncomment this to turn on verbose mode. export DH_VERBOSE=1 %: dh $@ --with autoreconf + +# Upstream tests are specific to x86, and require gcc-multilib which +# is only available on some x86 architectures +override_dh_auto_test: +ifneq ($(filter amd64 i386 kfreebsd-amd64,$(DEB_HOST_ARCH)),) + dh_auto_test +endif -- System Information: Debian Release: stretch/sid APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages sbsigntool depends on: ii libc6 2.22-11 ii libssl1.0.2 1.0.2h-1 ii libuuid1 2.28-5 sbsigntool recommends no packages. sbsigntool suggests no packages. -- no debconf information