forked from rpms/raspberrypi2
Compare commits
3 Commits
629db978e7
...
53aa5cc99a
Author | SHA1 | Date | |
---|---|---|---|
53aa5cc99a | |||
ccd9121c36 | |||
178958ca86 |
613
SOURCES/openssl-3.0.patch
Normal file
613
SOURCES/openssl-3.0.patch
Normal file
@ -0,0 +1,613 @@
|
|||||||
|
From 1fdf61d4739f818edb85e50f7fa4c474196a0b0a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jan Stancek <jstancek@redhat.com>
|
||||||
|
Date: Fri, 12 Jul 2024 09:11:14 +0200
|
||||||
|
Subject: [PATCH 1/3] sign-file,extract-cert: move common SSL helper functions
|
||||||
|
to a header
|
||||||
|
|
||||||
|
Couple error handling helpers are repeated in both tools, so
|
||||||
|
move them to a common header.
|
||||||
|
|
||||||
|
Signed-off-by: Jan Stancek <jstancek@redhat.com>
|
||||||
|
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
|
||||||
|
Tested-by: R Nageswara Sastry <rnsastry@linux.ibm.com>
|
||||||
|
Reviewed-by: Neal Gompa <neal@gompa.dev>
|
||||||
|
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
|
||||||
|
---
|
||||||
|
MAINTAINERS | 1 +
|
||||||
|
certs/Makefile | 2 +-
|
||||||
|
certs/extract-cert.c | 37 ++-----------------------------------
|
||||||
|
scripts/sign-file.c | 37 ++-----------------------------------
|
||||||
|
scripts/ssl-common.h | 39 +++++++++++++++++++++++++++++++++++++++
|
||||||
|
5 files changed, 45 insertions(+), 71 deletions(-)
|
||||||
|
create mode 100644 scripts/ssl-common.h
|
||||||
|
|
||||||
|
diff --git a/MAINTAINERS b/MAINTAINERS
|
||||||
|
index 6a6e2941c497..7aa208b18267 100644
|
||||||
|
--- a/MAINTAINERS
|
||||||
|
+++ b/MAINTAINERS
|
||||||
|
@@ -4823,6 +4823,7 @@ S: Maintained
|
||||||
|
F: Documentation/admin-guide/module-signing.rst
|
||||||
|
F: certs/
|
||||||
|
F: scripts/sign-file.c
|
||||||
|
+F: scripts/ssl-common.h
|
||||||
|
F: tools/certs/
|
||||||
|
|
||||||
|
CFAG12864B LCD DRIVER
|
||||||
|
diff --git a/certs/Makefile b/certs/Makefile
|
||||||
|
index 799ad7b9e68a..67e1f2707c2f 100644
|
||||||
|
--- a/certs/Makefile
|
||||||
|
+++ b/certs/Makefile
|
||||||
|
@@ -84,5 +84,5 @@ targets += x509_revocation_list
|
||||||
|
|
||||||
|
hostprogs := extract-cert
|
||||||
|
|
||||||
|
-HOSTCFLAGS_extract-cert.o = $(shell $(HOSTPKG_CONFIG) --cflags libcrypto 2> /dev/null)
|
||||||
|
+HOSTCFLAGS_extract-cert.o = $(shell $(HOSTPKG_CONFIG) --cflags libcrypto 2> /dev/null) -I$(srctree)/scripts
|
||||||
|
HOSTLDLIBS_extract-cert = $(shell $(HOSTPKG_CONFIG) --libs libcrypto 2> /dev/null || echo -lcrypto)
|
||||||
|
diff --git a/certs/extract-cert.c b/certs/extract-cert.c
|
||||||
|
index 70e9ec89d87d..8e7ba9974a1f 100644
|
||||||
|
--- a/certs/extract-cert.c
|
||||||
|
+++ b/certs/extract-cert.c
|
||||||
|
@@ -23,6 +23,8 @@
|
||||||
|
#include <openssl/err.h>
|
||||||
|
#include <openssl/engine.h>
|
||||||
|
|
||||||
|
+#include "ssl-common.h"
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* OpenSSL 3.0 deprecates the OpenSSL's ENGINE API.
|
||||||
|
*
|
||||||
|
@@ -40,41 +42,6 @@ void format(void)
|
||||||
|
exit(2);
|
||||||
|
}
|
||||||
|
|
||||||
|
-static void display_openssl_errors(int l)
|
||||||
|
-{
|
||||||
|
- const char *file;
|
||||||
|
- char buf[120];
|
||||||
|
- int e, line;
|
||||||
|
-
|
||||||
|
- if (ERR_peek_error() == 0)
|
||||||
|
- return;
|
||||||
|
- fprintf(stderr, "At main.c:%d:\n", l);
|
||||||
|
-
|
||||||
|
- while ((e = ERR_get_error_line(&file, &line))) {
|
||||||
|
- ERR_error_string(e, buf);
|
||||||
|
- fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
|
||||||
|
- }
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-static void drain_openssl_errors(void)
|
||||||
|
-{
|
||||||
|
- const char *file;
|
||||||
|
- int line;
|
||||||
|
-
|
||||||
|
- if (ERR_peek_error() == 0)
|
||||||
|
- return;
|
||||||
|
- while (ERR_get_error_line(&file, &line)) {}
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-#define ERR(cond, fmt, ...) \
|
||||||
|
- do { \
|
||||||
|
- bool __cond = (cond); \
|
||||||
|
- display_openssl_errors(__LINE__); \
|
||||||
|
- if (__cond) { \
|
||||||
|
- err(1, fmt, ## __VA_ARGS__); \
|
||||||
|
- } \
|
||||||
|
- } while(0)
|
||||||
|
-
|
||||||
|
static const char *key_pass;
|
||||||
|
static BIO *wb;
|
||||||
|
static char *cert_dst;
|
||||||
|
diff --git a/scripts/sign-file.c b/scripts/sign-file.c
|
||||||
|
index 3edb156ae52c..39ba58db5d4e 100644
|
||||||
|
--- a/scripts/sign-file.c
|
||||||
|
+++ b/scripts/sign-file.c
|
||||||
|
@@ -29,6 +29,8 @@
|
||||||
|
#include <openssl/err.h>
|
||||||
|
#include <openssl/engine.h>
|
||||||
|
|
||||||
|
+#include "ssl-common.h"
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* OpenSSL 3.0 deprecates the OpenSSL's ENGINE API.
|
||||||
|
*
|
||||||
|
@@ -83,41 +85,6 @@ void format(void)
|
||||||
|
exit(2);
|
||||||
|
}
|
||||||
|
|
||||||
|
-static void display_openssl_errors(int l)
|
||||||
|
-{
|
||||||
|
- const char *file;
|
||||||
|
- char buf[120];
|
||||||
|
- int e, line;
|
||||||
|
-
|
||||||
|
- if (ERR_peek_error() == 0)
|
||||||
|
- return;
|
||||||
|
- fprintf(stderr, "At main.c:%d:\n", l);
|
||||||
|
-
|
||||||
|
- while ((e = ERR_get_error_line(&file, &line))) {
|
||||||
|
- ERR_error_string(e, buf);
|
||||||
|
- fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
|
||||||
|
- }
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-static void drain_openssl_errors(void)
|
||||||
|
-{
|
||||||
|
- const char *file;
|
||||||
|
- int line;
|
||||||
|
-
|
||||||
|
- if (ERR_peek_error() == 0)
|
||||||
|
- return;
|
||||||
|
- while (ERR_get_error_line(&file, &line)) {}
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-#define ERR(cond, fmt, ...) \
|
||||||
|
- do { \
|
||||||
|
- bool __cond = (cond); \
|
||||||
|
- display_openssl_errors(__LINE__); \
|
||||||
|
- if (__cond) { \
|
||||||
|
- errx(1, fmt, ## __VA_ARGS__); \
|
||||||
|
- } \
|
||||||
|
- } while(0)
|
||||||
|
-
|
||||||
|
static const char *key_pass;
|
||||||
|
|
||||||
|
static int pem_pw_cb(char *buf, int len, int w, void *v)
|
||||||
|
diff --git a/scripts/ssl-common.h b/scripts/ssl-common.h
|
||||||
|
new file mode 100644
|
||||||
|
index 000000000000..e6711c75ed91
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/scripts/ssl-common.h
|
||||||
|
@@ -0,0 +1,39 @@
|
||||||
|
+/* SPDX-License-Identifier: LGPL-2.1+ */
|
||||||
|
+/*
|
||||||
|
+ * SSL helper functions shared by sign-file and extract-cert.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+static void display_openssl_errors(int l)
|
||||||
|
+{
|
||||||
|
+ const char *file;
|
||||||
|
+ char buf[120];
|
||||||
|
+ int e, line;
|
||||||
|
+
|
||||||
|
+ if (ERR_peek_error() == 0)
|
||||||
|
+ return;
|
||||||
|
+ fprintf(stderr, "At main.c:%d:\n", l);
|
||||||
|
+
|
||||||
|
+ while ((e = ERR_get_error_line(&file, &line))) {
|
||||||
|
+ ERR_error_string(e, buf);
|
||||||
|
+ fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void drain_openssl_errors(void)
|
||||||
|
+{
|
||||||
|
+ const char *file;
|
||||||
|
+ int line;
|
||||||
|
+
|
||||||
|
+ if (ERR_peek_error() == 0)
|
||||||
|
+ return;
|
||||||
|
+ while (ERR_get_error_line(&file, &line)) {}
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+#define ERR(cond, fmt, ...) \
|
||||||
|
+ do { \
|
||||||
|
+ bool __cond = (cond); \
|
||||||
|
+ display_openssl_errors(__LINE__); \
|
||||||
|
+ if (__cond) { \
|
||||||
|
+ errx(1, fmt, ## __VA_ARGS__); \
|
||||||
|
+ } \
|
||||||
|
+ } while (0)
|
||||||
|
--
|
||||||
|
2.46.2
|
||||||
|
|
||||||
|
|
||||||
|
From 98dbd2b45aa5185d63b839f482d43c16b71f31a5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jan Stancek <jstancek@redhat.com>
|
||||||
|
Date: Fri, 12 Jul 2024 09:11:15 +0200
|
||||||
|
Subject: [PATCH 2/3] sign-file,extract-cert: avoid using deprecated
|
||||||
|
ERR_get_error_line()
|
||||||
|
|
||||||
|
ERR_get_error_line() is deprecated since OpenSSL 3.0.
|
||||||
|
|
||||||
|
Use ERR_peek_error_line() instead, and combine display_openssl_errors()
|
||||||
|
and drain_openssl_errors() to a single function where parameter decides
|
||||||
|
if it should consume errors silently.
|
||||||
|
|
||||||
|
Signed-off-by: Jan Stancek <jstancek@redhat.com>
|
||||||
|
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
|
||||||
|
Tested-by: R Nageswara Sastry <rnsastry@linux.ibm.com>
|
||||||
|
Reviewed-by: Neal Gompa <neal@gompa.dev>
|
||||||
|
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
|
||||||
|
---
|
||||||
|
certs/extract-cert.c | 4 ++--
|
||||||
|
scripts/sign-file.c | 6 +++---
|
||||||
|
scripts/ssl-common.h | 23 ++++++++---------------
|
||||||
|
3 files changed, 13 insertions(+), 20 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/certs/extract-cert.c b/certs/extract-cert.c
|
||||||
|
index 8e7ba9974a1f..61bbe0085671 100644
|
||||||
|
--- a/certs/extract-cert.c
|
||||||
|
+++ b/certs/extract-cert.c
|
||||||
|
@@ -99,11 +99,11 @@ int main(int argc, char **argv)
|
||||||
|
parms.cert = NULL;
|
||||||
|
|
||||||
|
ENGINE_load_builtin_engines();
|
||||||
|
- drain_openssl_errors();
|
||||||
|
+ drain_openssl_errors(__LINE__, 1);
|
||||||
|
e = ENGINE_by_id("pkcs11");
|
||||||
|
ERR(!e, "Load PKCS#11 ENGINE");
|
||||||
|
if (ENGINE_init(e))
|
||||||
|
- drain_openssl_errors();
|
||||||
|
+ drain_openssl_errors(__LINE__, 1);
|
||||||
|
else
|
||||||
|
ERR(1, "ENGINE_init");
|
||||||
|
if (key_pass)
|
||||||
|
diff --git a/scripts/sign-file.c b/scripts/sign-file.c
|
||||||
|
index 39ba58db5d4e..bb3fdf1a617c 100644
|
||||||
|
--- a/scripts/sign-file.c
|
||||||
|
+++ b/scripts/sign-file.c
|
||||||
|
@@ -114,11 +114,11 @@ static EVP_PKEY *read_private_key(const char *private_key_name)
|
||||||
|
ENGINE *e;
|
||||||
|
|
||||||
|
ENGINE_load_builtin_engines();
|
||||||
|
- drain_openssl_errors();
|
||||||
|
+ drain_openssl_errors(__LINE__, 1);
|
||||||
|
e = ENGINE_by_id("pkcs11");
|
||||||
|
ERR(!e, "Load PKCS#11 ENGINE");
|
||||||
|
if (ENGINE_init(e))
|
||||||
|
- drain_openssl_errors();
|
||||||
|
+ drain_openssl_errors(__LINE__, 1);
|
||||||
|
else
|
||||||
|
ERR(1, "ENGINE_init");
|
||||||
|
if (key_pass)
|
||||||
|
@@ -273,7 +273,7 @@ int main(int argc, char **argv)
|
||||||
|
|
||||||
|
/* Digest the module data. */
|
||||||
|
OpenSSL_add_all_digests();
|
||||||
|
- display_openssl_errors(__LINE__);
|
||||||
|
+ drain_openssl_errors(__LINE__, 0);
|
||||||
|
digest_algo = EVP_get_digestbyname(hash_algo);
|
||||||
|
ERR(!digest_algo, "EVP_get_digestbyname");
|
||||||
|
|
||||||
|
diff --git a/scripts/ssl-common.h b/scripts/ssl-common.h
|
||||||
|
index e6711c75ed91..2db0e181143c 100644
|
||||||
|
--- a/scripts/ssl-common.h
|
||||||
|
+++ b/scripts/ssl-common.h
|
||||||
|
@@ -3,7 +3,7 @@
|
||||||
|
* SSL helper functions shared by sign-file and extract-cert.
|
||||||
|
*/
|
||||||
|
|
||||||
|
-static void display_openssl_errors(int l)
|
||||||
|
+static void drain_openssl_errors(int l, int silent)
|
||||||
|
{
|
||||||
|
const char *file;
|
||||||
|
char buf[120];
|
||||||
|
@@ -11,28 +11,21 @@ static void display_openssl_errors(int l)
|
||||||
|
|
||||||
|
if (ERR_peek_error() == 0)
|
||||||
|
return;
|
||||||
|
- fprintf(stderr, "At main.c:%d:\n", l);
|
||||||
|
+ if (!silent)
|
||||||
|
+ fprintf(stderr, "At main.c:%d:\n", l);
|
||||||
|
|
||||||
|
- while ((e = ERR_get_error_line(&file, &line))) {
|
||||||
|
+ while ((e = ERR_peek_error_line(&file, &line))) {
|
||||||
|
ERR_error_string(e, buf);
|
||||||
|
- fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
|
||||||
|
+ if (!silent)
|
||||||
|
+ fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
|
||||||
|
+ ERR_get_error();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
-static void drain_openssl_errors(void)
|
||||||
|
-{
|
||||||
|
- const char *file;
|
||||||
|
- int line;
|
||||||
|
-
|
||||||
|
- if (ERR_peek_error() == 0)
|
||||||
|
- return;
|
||||||
|
- while (ERR_get_error_line(&file, &line)) {}
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
#define ERR(cond, fmt, ...) \
|
||||||
|
do { \
|
||||||
|
bool __cond = (cond); \
|
||||||
|
- display_openssl_errors(__LINE__); \
|
||||||
|
+ drain_openssl_errors(__LINE__, 0); \
|
||||||
|
if (__cond) { \
|
||||||
|
errx(1, fmt, ## __VA_ARGS__); \
|
||||||
|
} \
|
||||||
|
--
|
||||||
|
2.46.2
|
||||||
|
|
||||||
|
|
||||||
|
From eeffebeb081fcb81ae8a85b6a774dc14791dbc56 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jan Stancek <jstancek@redhat.com>
|
||||||
|
Date: Fri, 20 Sep 2024 19:52:48 +0300
|
||||||
|
Subject: [PATCH 3/3] sign-file,extract-cert: use pkcs11 provider for OPENSSL
|
||||||
|
MAJOR >= 3
|
||||||
|
|
||||||
|
ENGINE API has been deprecated since OpenSSL version 3.0 [1].
|
||||||
|
Distros have started dropping support from headers and in future
|
||||||
|
it will likely disappear also from library.
|
||||||
|
|
||||||
|
It has been superseded by the PROVIDER API, so use it instead
|
||||||
|
for OPENSSL MAJOR >= 3.
|
||||||
|
|
||||||
|
[1] https://github.com/openssl/openssl/blob/master/README-ENGINES.md
|
||||||
|
|
||||||
|
[jarkko: fixed up alignment issues reported by checkpatch.pl --strict]
|
||||||
|
|
||||||
|
Signed-off-by: Jan Stancek <jstancek@redhat.com>
|
||||||
|
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
|
||||||
|
Tested-by: R Nageswara Sastry <rnsastry@linux.ibm.com>
|
||||||
|
Reviewed-by: Neal Gompa <neal@gompa.dev>
|
||||||
|
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
|
||||||
|
---
|
||||||
|
certs/extract-cert.c | 103 ++++++++++++++++++++++++++++++-------------
|
||||||
|
scripts/sign-file.c | 93 ++++++++++++++++++++++++++------------
|
||||||
|
2 files changed, 138 insertions(+), 58 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/certs/extract-cert.c b/certs/extract-cert.c
|
||||||
|
index 61bbe0085671..7d6d468ed612 100644
|
||||||
|
--- a/certs/extract-cert.c
|
||||||
|
+++ b/certs/extract-cert.c
|
||||||
|
@@ -21,17 +21,18 @@
|
||||||
|
#include <openssl/bio.h>
|
||||||
|
#include <openssl/pem.h>
|
||||||
|
#include <openssl/err.h>
|
||||||
|
-#include <openssl/engine.h>
|
||||||
|
-
|
||||||
|
+#if OPENSSL_VERSION_MAJOR >= 3
|
||||||
|
+# define USE_PKCS11_PROVIDER
|
||||||
|
+# include <openssl/provider.h>
|
||||||
|
+# include <openssl/store.h>
|
||||||
|
+#else
|
||||||
|
+# if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0)
|
||||||
|
+# define USE_PKCS11_ENGINE
|
||||||
|
+# include <openssl/engine.h>
|
||||||
|
+# endif
|
||||||
|
+#endif
|
||||||
|
#include "ssl-common.h"
|
||||||
|
|
||||||
|
-/*
|
||||||
|
- * OpenSSL 3.0 deprecates the OpenSSL's ENGINE API.
|
||||||
|
- *
|
||||||
|
- * Remove this if/when that API is no longer used
|
||||||
|
- */
|
||||||
|
-#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
|
||||||
|
-
|
||||||
|
#define PKEY_ID_PKCS7 2
|
||||||
|
|
||||||
|
static __attribute__((noreturn))
|
||||||
|
@@ -61,6 +62,66 @@ static void write_cert(X509 *x509)
|
||||||
|
fprintf(stderr, "Extracted cert: %s\n", buf);
|
||||||
|
}
|
||||||
|
|
||||||
|
+static X509 *load_cert_pkcs11(const char *cert_src)
|
||||||
|
+{
|
||||||
|
+ X509 *cert = NULL;
|
||||||
|
+#ifdef USE_PKCS11_PROVIDER
|
||||||
|
+ OSSL_STORE_CTX *store;
|
||||||
|
+
|
||||||
|
+ if (!OSSL_PROVIDER_try_load(NULL, "pkcs11", true))
|
||||||
|
+ ERR(1, "OSSL_PROVIDER_try_load(pkcs11)");
|
||||||
|
+ if (!OSSL_PROVIDER_try_load(NULL, "default", true))
|
||||||
|
+ ERR(1, "OSSL_PROVIDER_try_load(default)");
|
||||||
|
+
|
||||||
|
+ store = OSSL_STORE_open(cert_src, NULL, NULL, NULL, NULL);
|
||||||
|
+ ERR(!store, "OSSL_STORE_open");
|
||||||
|
+
|
||||||
|
+ while (!OSSL_STORE_eof(store)) {
|
||||||
|
+ OSSL_STORE_INFO *info = OSSL_STORE_load(store);
|
||||||
|
+
|
||||||
|
+ if (!info) {
|
||||||
|
+ drain_openssl_errors(__LINE__, 0);
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+ if (OSSL_STORE_INFO_get_type(info) == OSSL_STORE_INFO_CERT) {
|
||||||
|
+ cert = OSSL_STORE_INFO_get1_CERT(info);
|
||||||
|
+ ERR(!cert, "OSSL_STORE_INFO_get1_CERT");
|
||||||
|
+ }
|
||||||
|
+ OSSL_STORE_INFO_free(info);
|
||||||
|
+ if (cert)
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ OSSL_STORE_close(store);
|
||||||
|
+#elif defined(USE_PKCS11_ENGINE)
|
||||||
|
+ ENGINE *e;
|
||||||
|
+ struct {
|
||||||
|
+ const char *cert_id;
|
||||||
|
+ X509 *cert;
|
||||||
|
+ } parms;
|
||||||
|
+
|
||||||
|
+ parms.cert_id = cert_src;
|
||||||
|
+ parms.cert = NULL;
|
||||||
|
+
|
||||||
|
+ ENGINE_load_builtin_engines();
|
||||||
|
+ drain_openssl_errors(__LINE__, 1);
|
||||||
|
+ e = ENGINE_by_id("pkcs11");
|
||||||
|
+ ERR(!e, "Load PKCS#11 ENGINE");
|
||||||
|
+ if (ENGINE_init(e))
|
||||||
|
+ drain_openssl_errors(__LINE__, 1);
|
||||||
|
+ else
|
||||||
|
+ ERR(1, "ENGINE_init");
|
||||||
|
+ if (key_pass)
|
||||||
|
+ ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN");
|
||||||
|
+ ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1);
|
||||||
|
+ ERR(!parms.cert, "Get X.509 from PKCS#11");
|
||||||
|
+ cert = parms.cert;
|
||||||
|
+#else
|
||||||
|
+ fprintf(stderr, "no pkcs11 engine/provider available\n");
|
||||||
|
+ exit(1);
|
||||||
|
+#endif
|
||||||
|
+ return cert;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
int main(int argc, char **argv)
|
||||||
|
{
|
||||||
|
char *cert_src;
|
||||||
|
@@ -89,28 +150,10 @@ int main(int argc, char **argv)
|
||||||
|
fclose(f);
|
||||||
|
exit(0);
|
||||||
|
} else if (!strncmp(cert_src, "pkcs11:", 7)) {
|
||||||
|
- ENGINE *e;
|
||||||
|
- struct {
|
||||||
|
- const char *cert_id;
|
||||||
|
- X509 *cert;
|
||||||
|
- } parms;
|
||||||
|
+ X509 *cert = load_cert_pkcs11(cert_src);
|
||||||
|
|
||||||
|
- parms.cert_id = cert_src;
|
||||||
|
- parms.cert = NULL;
|
||||||
|
-
|
||||||
|
- ENGINE_load_builtin_engines();
|
||||||
|
- drain_openssl_errors(__LINE__, 1);
|
||||||
|
- e = ENGINE_by_id("pkcs11");
|
||||||
|
- ERR(!e, "Load PKCS#11 ENGINE");
|
||||||
|
- if (ENGINE_init(e))
|
||||||
|
- drain_openssl_errors(__LINE__, 1);
|
||||||
|
- else
|
||||||
|
- ERR(1, "ENGINE_init");
|
||||||
|
- if (key_pass)
|
||||||
|
- ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN");
|
||||||
|
- ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1);
|
||||||
|
- ERR(!parms.cert, "Get X.509 from PKCS#11");
|
||||||
|
- write_cert(parms.cert);
|
||||||
|
+ ERR(!cert, "load_cert_pkcs11 failed");
|
||||||
|
+ write_cert(cert);
|
||||||
|
} else {
|
||||||
|
BIO *b;
|
||||||
|
X509 *x509;
|
||||||
|
diff --git a/scripts/sign-file.c b/scripts/sign-file.c
|
||||||
|
index bb3fdf1a617c..7070245edfc1 100644
|
||||||
|
--- a/scripts/sign-file.c
|
||||||
|
+++ b/scripts/sign-file.c
|
||||||
|
@@ -27,17 +27,18 @@
|
||||||
|
#include <openssl/evp.h>
|
||||||
|
#include <openssl/pem.h>
|
||||||
|
#include <openssl/err.h>
|
||||||
|
-#include <openssl/engine.h>
|
||||||
|
-
|
||||||
|
+#if OPENSSL_VERSION_MAJOR >= 3
|
||||||
|
+# define USE_PKCS11_PROVIDER
|
||||||
|
+# include <openssl/provider.h>
|
||||||
|
+# include <openssl/store.h>
|
||||||
|
+#else
|
||||||
|
+# if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0)
|
||||||
|
+# define USE_PKCS11_ENGINE
|
||||||
|
+# include <openssl/engine.h>
|
||||||
|
+# endif
|
||||||
|
+#endif
|
||||||
|
#include "ssl-common.h"
|
||||||
|
|
||||||
|
-/*
|
||||||
|
- * OpenSSL 3.0 deprecates the OpenSSL's ENGINE API.
|
||||||
|
- *
|
||||||
|
- * Remove this if/when that API is no longer used
|
||||||
|
- */
|
||||||
|
-#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
|
||||||
|
-
|
||||||
|
/*
|
||||||
|
* Use CMS if we have openssl-1.0.0 or newer available - otherwise we have to
|
||||||
|
* assume that it's not available and its header file is missing and that we
|
||||||
|
@@ -106,28 +107,64 @@ static int pem_pw_cb(char *buf, int len, int w, void *v)
|
||||||
|
return pwlen;
|
||||||
|
}
|
||||||
|
|
||||||
|
-static EVP_PKEY *read_private_key(const char *private_key_name)
|
||||||
|
+static EVP_PKEY *read_private_key_pkcs11(const char *private_key_name)
|
||||||
|
{
|
||||||
|
- EVP_PKEY *private_key;
|
||||||
|
+ EVP_PKEY *private_key = NULL;
|
||||||
|
+#ifdef USE_PKCS11_PROVIDER
|
||||||
|
+ OSSL_STORE_CTX *store;
|
||||||
|
|
||||||
|
- if (!strncmp(private_key_name, "pkcs11:", 7)) {
|
||||||
|
- ENGINE *e;
|
||||||
|
+ if (!OSSL_PROVIDER_try_load(NULL, "pkcs11", true))
|
||||||
|
+ ERR(1, "OSSL_PROVIDER_try_load(pkcs11)");
|
||||||
|
+ if (!OSSL_PROVIDER_try_load(NULL, "default", true))
|
||||||
|
+ ERR(1, "OSSL_PROVIDER_try_load(default)");
|
||||||
|
+
|
||||||
|
+ store = OSSL_STORE_open(private_key_name, NULL, NULL, NULL, NULL);
|
||||||
|
+ ERR(!store, "OSSL_STORE_open");
|
||||||
|
|
||||||
|
- ENGINE_load_builtin_engines();
|
||||||
|
+ while (!OSSL_STORE_eof(store)) {
|
||||||
|
+ OSSL_STORE_INFO *info = OSSL_STORE_load(store);
|
||||||
|
+
|
||||||
|
+ if (!info) {
|
||||||
|
+ drain_openssl_errors(__LINE__, 0);
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+ if (OSSL_STORE_INFO_get_type(info) == OSSL_STORE_INFO_PKEY) {
|
||||||
|
+ private_key = OSSL_STORE_INFO_get1_PKEY(info);
|
||||||
|
+ ERR(!private_key, "OSSL_STORE_INFO_get1_PKEY");
|
||||||
|
+ }
|
||||||
|
+ OSSL_STORE_INFO_free(info);
|
||||||
|
+ if (private_key)
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ OSSL_STORE_close(store);
|
||||||
|
+#elif defined(USE_PKCS11_ENGINE)
|
||||||
|
+ ENGINE *e;
|
||||||
|
+
|
||||||
|
+ ENGINE_load_builtin_engines();
|
||||||
|
+ drain_openssl_errors(__LINE__, 1);
|
||||||
|
+ e = ENGINE_by_id("pkcs11");
|
||||||
|
+ ERR(!e, "Load PKCS#11 ENGINE");
|
||||||
|
+ if (ENGINE_init(e))
|
||||||
|
drain_openssl_errors(__LINE__, 1);
|
||||||
|
- e = ENGINE_by_id("pkcs11");
|
||||||
|
- ERR(!e, "Load PKCS#11 ENGINE");
|
||||||
|
- if (ENGINE_init(e))
|
||||||
|
- drain_openssl_errors(__LINE__, 1);
|
||||||
|
- else
|
||||||
|
- ERR(1, "ENGINE_init");
|
||||||
|
- if (key_pass)
|
||||||
|
- ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0),
|
||||||
|
- "Set PKCS#11 PIN");
|
||||||
|
- private_key = ENGINE_load_private_key(e, private_key_name,
|
||||||
|
- NULL, NULL);
|
||||||
|
- ERR(!private_key, "%s", private_key_name);
|
||||||
|
+ else
|
||||||
|
+ ERR(1, "ENGINE_init");
|
||||||
|
+ if (key_pass)
|
||||||
|
+ ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN");
|
||||||
|
+ private_key = ENGINE_load_private_key(e, private_key_name, NULL, NULL);
|
||||||
|
+ ERR(!private_key, "%s", private_key_name);
|
||||||
|
+#else
|
||||||
|
+ fprintf(stderr, "no pkcs11 engine/provider available\n");
|
||||||
|
+ exit(1);
|
||||||
|
+#endif
|
||||||
|
+ return private_key;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static EVP_PKEY *read_private_key(const char *private_key_name)
|
||||||
|
+{
|
||||||
|
+ if (!strncmp(private_key_name, "pkcs11:", 7)) {
|
||||||
|
+ return read_private_key_pkcs11(private_key_name);
|
||||||
|
} else {
|
||||||
|
+ EVP_PKEY *private_key;
|
||||||
|
BIO *b;
|
||||||
|
|
||||||
|
b = BIO_new_file(private_key_name, "rb");
|
||||||
|
@@ -136,9 +173,9 @@ static EVP_PKEY *read_private_key(const char *private_key_name)
|
||||||
|
NULL);
|
||||||
|
ERR(!private_key, "%s", private_key_name);
|
||||||
|
BIO_free(b);
|
||||||
|
- }
|
||||||
|
|
||||||
|
- return private_key;
|
||||||
|
+ return private_key;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
static X509 *read_x509(const char *x509_name)
|
||||||
|
--
|
||||||
|
2.46.2
|
||||||
|
|
@ -11,7 +11,7 @@ ExclusiveArch: aarch64
|
|||||||
|
|
||||||
%define local_version v8
|
%define local_version v8
|
||||||
%define bcmmodel 2711
|
%define bcmmodel 2711
|
||||||
%define extra_version 1
|
%define extra_version 2
|
||||||
|
|
||||||
# This originally implies Kernel 4.x for RPi 2 and is not appropriate now.
|
# This originally implies Kernel 4.x for RPi 2 and is not appropriate now.
|
||||||
# Be careful to change this not to disturb the seamless package update.
|
# Be careful to change this not to disturb the seamless package update.
|
||||||
@ -21,6 +21,12 @@ ExclusiveArch: aarch64
|
|||||||
%define kversion 6.6
|
%define kversion 6.6
|
||||||
%define patchlevel 51
|
%define patchlevel 51
|
||||||
|
|
||||||
|
%if 0%{?rhel} >= 10
|
||||||
|
%define pathfix %{__python3} %{_rpmconfigdir}/redhat/pathfix.py
|
||||||
|
%else
|
||||||
|
%define pathfix pathfix.py
|
||||||
|
%endif
|
||||||
|
|
||||||
# standard kernel
|
# standard kernel
|
||||||
%define with_up %{?_without_up: 0} %{?!_without_up: 1}
|
%define with_up %{?_without_up: 0} %{?!_without_up: 1}
|
||||||
# tools
|
# tools
|
||||||
@ -39,6 +45,7 @@ License: GPLv2
|
|||||||
URL: https://github.com/raspberrypi/linux
|
URL: https://github.com/raspberrypi/linux
|
||||||
Source0: https://github.com/raspberrypi/linux/archive/refs/tags/stable_%{version_tag}.tar.gz
|
Source0: https://github.com/raspberrypi/linux/archive/refs/tags/stable_%{version_tag}.tar.gz
|
||||||
Source1: https://github.com/raspberrypi/firmware/archive/refs/tags/%{firmware_tag}.tar.gz
|
Source1: https://github.com/raspberrypi/firmware/archive/refs/tags/%{firmware_tag}.tar.gz
|
||||||
|
Patch1: openssl-3.0.patch
|
||||||
Patch100: config_2711.patch
|
Patch100: config_2711.patch
|
||||||
Patch101: config_2712.patch
|
Patch101: config_2712.patch
|
||||||
# Sources for kernel-tools
|
# Sources for kernel-tools
|
||||||
@ -165,8 +172,9 @@ glibc package.
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q -n linux-stable_%{version_tag}
|
%setup -q -n linux-stable_%{version_tag}
|
||||||
%patch100 -p1
|
%patch -P 1 -p1
|
||||||
%patch101 -p1
|
%patch -P 100 -p1
|
||||||
|
%patch -P 101 -p1
|
||||||
perl -p -i -e "s/^EXTRAVERSION.*/EXTRAVERSION = -%{release}/" Makefile
|
perl -p -i -e "s/^EXTRAVERSION.*/EXTRAVERSION = -%{release}/" Makefile
|
||||||
perl -p -i -e "s/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=/" arch/%{Arch}/configs/bcm2711_defconfig
|
perl -p -i -e "s/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=/" arch/%{Arch}/configs/bcm2711_defconfig
|
||||||
perl -p -i -e "s/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=/" arch/%{Arch}/configs/bcm2712_defconfig
|
perl -p -i -e "s/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=/" arch/%{Arch}/configs/bcm2712_defconfig
|
||||||
@ -177,9 +185,9 @@ perl -p -i -e "s/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=/" arch/%{Arch}/con
|
|||||||
# -p preserves timestamps
|
# -p preserves timestamps
|
||||||
# -n prevents creating ~backup files
|
# -n prevents creating ~backup files
|
||||||
# -i specifies the interpreter for the shebang
|
# -i specifies the interpreter for the shebang
|
||||||
pathfix.py -pni "%{__python3} %{py3_shbang_opts}" scripts/
|
%{pathfix} -pni "%{__python3} %{py3_shbang_opts}" scripts/
|
||||||
pathfix.py -pni "%{__python3} %{py3_shbang_opts}" scripts/diffconfig scripts/bloat-o-meter scripts/show_delta scripts/jobserver-exec
|
%{pathfix} -pni "%{__python3} %{py3_shbang_opts}" scripts/diffconfig scripts/bloat-o-meter scripts/show_delta scripts/jobserver-exec
|
||||||
pathfix.py -pni "%{__python3} %{py3_shbang_opts}" tools/ tools/perf/scripts/python/*.py tools/kvm/kvm_stat/kvm_stat scripts/clang-tools/*.py
|
%{pathfix} -pni "%{__python3} %{py3_shbang_opts}" tools/ tools/perf/scripts/python/*.py tools/kvm/kvm_stat/kvm_stat scripts/clang-tools/*.py
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%build
|
%build
|
||||||
@ -432,6 +440,9 @@ cp $(ls -1 /boot/config-kernel-*-*|sort -V|tail -1) /boot/config-kernel.inc
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Nov 08 2024 Koichiro Iwao <meta@almalinux.org> - 6.6.51-20241008.v8.2
|
||||||
|
- Fix build for AL10 Kitten
|
||||||
|
|
||||||
* Mon Oct 21 2024 Koichiro Iwao <meta@almalinux.org> - 6.6.51-20241008.v8.1
|
* Mon Oct 21 2024 Koichiro Iwao <meta@almalinux.org> - 6.6.51-20241008.v8.1
|
||||||
- Update kernel to version v6.6.51 stable_20241008
|
- Update kernel to version v6.6.51 stable_20241008
|
||||||
- Update firmware to 1.20241008
|
- Update firmware to 1.20241008
|
||||||
|
Loading…
Reference in New Issue
Block a user