This is an automated email from the git hooks/post-receive script.
boklm pushed a commit to branch maint-11.0 in repository builders/tor-browser-build.
commit 54998d8366d3e07c780a78c29c4d128866c1c0eb Author: Nicolas Vigier boklm@torproject.org AuthorDate: Mon Jan 17 11:40:29 2022 +0100
Bug 40414: Add osslsigncode project --- .../0001-Make-code-work-with-OpenSSL-1.1.patch | 324 +++++++++++++++++++++ projects/osslsigncode/build | 19 ++ projects/osslsigncode/config | 17 ++ projects/osslsigncode/timestamping.patch | 56 ++++ 4 files changed, 416 insertions(+)
diff --git a/projects/osslsigncode/0001-Make-code-work-with-OpenSSL-1.1.patch b/projects/osslsigncode/0001-Make-code-work-with-OpenSSL-1.1.patch new file mode 100644 index 0000000..e290ab0 --- /dev/null +++ b/projects/osslsigncode/0001-Make-code-work-with-OpenSSL-1.1.patch @@ -0,0 +1,324 @@ +From 86931f9d7c3d73b97010e598a5ad41ea4fab2b63 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Reimar.Doeffinger@gmx.de +Date: Sun, 12 Mar 2017 23:00:12 +0100 +Subject: [PATCH] Make code work with OpenSSL 1.1. + +Changes in consist of: +- Use EVP_MD_CTX_new/free API instead of on-stack allocation +- Remove some M_ prefixes like for ASN1_IA5STRING_new +- Remove pagehash functionality because it is useless to me and + fixing it would be a pain. Would require declaring a few + ASN_SEQUENCES and use that to get the required i2d functions + from what I could find out. +- Remove OBJ_create calls that seem to serve no purpose, + now crash because NULL pointers are no longer handled + (who changes API that way?!) and even if that was fixed + lead to errors when these objects are later created + again/"for real" by OBJ_txt2nid or OBJ_txt2obj (I think, + did not investigate further). + +diff --git a/osslsigncode.c b/osslsigncode.c +index 2978c02..3797458 100644 +--- a/osslsigncode.c ++++ b/osslsigncode.c +@@ -450,16 +450,16 @@ static SpcSpOpusInfo* createOpus(const char *desc, const char *url) + if (desc) { + info->programName = SpcString_new(); + info->programName->type = 1; +- info->programName->value.ascii = M_ASN1_IA5STRING_new(); +- ASN1_STRING_set((ASN1_STRING *)info->programName->value.ascii, ++ info->programName->value.ascii = ASN1_IA5STRING_new(); ++ ASN1_STRING_set(info->programName->value.ascii, + (const unsigned char*)desc, strlen(desc)); + } + + if (url) { + info->moreInfo = SpcLink_new(); + info->moreInfo->type = 0; +- info->moreInfo->value.url = M_ASN1_IA5STRING_new(); +- ASN1_STRING_set((ASN1_STRING *)info->moreInfo->value.url, ++ info->moreInfo->value.url = ASN1_IA5STRING_new(); ++ ASN1_STRING_set(info->moreInfo->value.url, + (const unsigned char*)url, strlen(url)); + } + +@@ -609,19 +609,20 @@ static int add_timestamp(PKCS7 *sig, char *url, char *proxy, int rfc3161, const + + if (rfc3161) { + unsigned char mdbuf[EVP_MAX_MD_SIZE]; +- EVP_MD_CTX mdctx; ++ EVP_MD_CTX *mdctx = EVP_MD_CTX_new(); + +- EVP_MD_CTX_init(&mdctx); +- EVP_DigestInit(&mdctx, md); +- EVP_DigestUpdate(&mdctx, si->enc_digest->data, si->enc_digest->length); +- EVP_DigestFinal(&mdctx, mdbuf, NULL); ++ EVP_DigestInit(mdctx, md); ++ EVP_DigestUpdate(mdctx, si->enc_digest->data, si->enc_digest->length); ++ EVP_DigestFinal(mdctx, mdbuf, NULL); ++ EVP_MD_CTX_free(mdctx); ++ mdctx = NULL; + + TimeStampReq *req = TimeStampReq_new(); + ASN1_INTEGER_set(req->version, 1); + req->messageImprint->digestAlgorithm->algorithm = OBJ_nid2obj(EVP_MD_nid(md)); + req->messageImprint->digestAlgorithm->parameters = ASN1_TYPE_new(); + req->messageImprint->digestAlgorithm->parameters->type = V_ASN1_NULL; +- M_ASN1_OCTET_STRING_set(req->messageImprint->digest, mdbuf, EVP_MD_size(md)); ++ ASN1_OCTET_STRING_set(req->messageImprint->digest, mdbuf, EVP_MD_size(md)); + req->certReq = (void*)0x1; + + len = i2d_TimeStampReq(req, NULL); +@@ -921,83 +922,8 @@ static const unsigned char classid_page_hash[] = { + 0xAE, 0x05, 0xA2, 0x17, 0xDA, 0x8E, 0x60, 0xD6 + }; + +-static unsigned char *calc_page_hash(char *indata, unsigned int peheader, int pe32plus, +- unsigned int sigpos, int phtype, unsigned int *phlen); +- +-DECLARE_STACK_OF(ASN1_OCTET_STRING) +-#ifndef sk_ASN1_OCTET_STRING_new_null +-#define sk_ASN1_OCTET_STRING_new_null() SKM_sk_new_null(ASN1_OCTET_STRING) +-#define sk_ASN1_OCTET_STRING_free(st) SKM_sk_free(ASN1_OCTET_STRING, (st)) +-#define sk_ASN1_OCTET_STRING_push(st, val) SKM_sk_push(ASN1_OCTET_STRING, (st), (val)) +-#define i2d_ASN1_SET_OF_ASN1_OCTET_STRING(st, pp, i2d_func, ex_tag, ex_class, is_set) \ +- SKM_ASN1_SET_OF_i2d(ASN1_OCTET_STRING, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set)) +-#endif +- +-DECLARE_STACK_OF(SpcAttributeTypeAndOptionalValue) +-#ifndef sk_SpcAttributeTypeAndOptionalValue_new_null +-#define sk_SpcAttributeTypeAndOptionalValue_new_null() SKM_sk_new_null(SpcAttributeTypeAndOptionalValue) +-#define sk_SpcAttributeTypeAndOptionalValue_free(st) SKM_sk_free(SpcAttributeTypeAndOptionalValue, (st)) +-#define sk_SpcAttributeTypeAndOptionalValue_push(st, val) SKM_sk_push(SpcAttributeTypeAndOptionalValue, (st), (val)) +-#define i2d_SpcAttributeTypeAndOptionalValue(st, pp, i2d_func, ex_tag, ex_class, is_set) \ +- SKM_ASN1_SET_OF_i2d(SpcAttributeTypeAndOptionalValue, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set)) +-#endif +- +-static SpcLink *get_page_hash_link(int phtype, char *indata, unsigned int peheader, int pe32plus, unsigned int sigpos) +-{ +- unsigned int phlen; +- unsigned char *ph = calc_page_hash(indata, peheader, pe32plus, sigpos, phtype, &phlen); +- if (!ph) { +- fprintf(stderr, "Failed to calculate page hash\n"); +- exit(-1); +- } +- +- ASN1_OCTET_STRING *ostr = M_ASN1_OCTET_STRING_new(); +- M_ASN1_OCTET_STRING_set(ostr, ph, phlen); +- free(ph); +- +- STACK_OF(ASN1_OCTET_STRING) *oset = sk_ASN1_OCTET_STRING_new_null(); +- sk_ASN1_OCTET_STRING_push(oset, ostr); +- unsigned char *p, *tmp; +- unsigned int l; +- l = i2d_ASN1_SET_OF_ASN1_OCTET_STRING(oset, NULL, i2d_ASN1_OCTET_STRING, +- V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET); +- tmp = p = OPENSSL_malloc(l); +- i2d_ASN1_SET_OF_ASN1_OCTET_STRING(oset, &tmp, i2d_ASN1_OCTET_STRING, +- V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET); +- ASN1_OCTET_STRING_free(ostr); +- sk_ASN1_OCTET_STRING_free(oset); +- +- SpcAttributeTypeAndOptionalValue *aval = SpcAttributeTypeAndOptionalValue_new(); +- aval->type = OBJ_txt2obj((phtype == NID_sha1) ? SPC_PE_IMAGE_PAGE_HASHES_V1 : SPC_PE_IMAGE_PAGE_HASHES_V2, 1); +- aval->value = ASN1_TYPE_new(); +- aval->value->type = V_ASN1_SET; +- aval->value->value.set = ASN1_STRING_new(); +- ASN1_STRING_set(aval->value->value.set, p, l); +- OPENSSL_free(p); +- +- STACK_OF(SpcAttributeTypeAndOptionalValue) *aset = sk_SpcAttributeTypeAndOptionalValue_new_null(); +- sk_SpcAttributeTypeAndOptionalValue_push(aset, aval); +- l = i2d_SpcAttributeTypeAndOptionalValue(aset, NULL, i2d_SpcAttributeTypeAndOptionalValue, +- V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET); +- tmp = p = OPENSSL_malloc(l); +- l = i2d_SpcAttributeTypeAndOptionalValue(aset, &tmp, i2d_SpcAttributeTypeAndOptionalValue, +- V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET); +- sk_SpcAttributeTypeAndOptionalValue_free(aset); +- SpcAttributeTypeAndOptionalValue_free(aval); +- +- SpcSerializedObject *so = SpcSerializedObject_new(); +- M_ASN1_OCTET_STRING_set(so->classId, classid_page_hash, sizeof(classid_page_hash)); +- M_ASN1_OCTET_STRING_set(so->serializedData, p, l); +- OPENSSL_free(p); +- +- SpcLink *link = SpcLink_new(); +- link->type = 1; +- link->value.moniker = so; +- return link; +-} +- + static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, file_type_t type, +- int pagehash, char *indata, unsigned int peheader, int pe32plus, ++ char *indata, unsigned int peheader, int pe32plus, + unsigned int sigpos) + { + static const unsigned char msistr[] = { +@@ -1024,14 +950,7 @@ static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, fi + } else if (type == FILE_TYPE_PE) { + SpcPeImageData *pid = SpcPeImageData_new(); + ASN1_BIT_STRING_set(pid->flags, (unsigned char*)"0", 0); +- if (pagehash) { +- int phtype = NID_sha1; +- if (EVP_MD_size(md) > EVP_MD_size(EVP_sha1())) +- phtype = NID_sha256; +- pid->file = get_page_hash_link(phtype, indata, peheader, pe32plus, sigpos); +- } else { +- pid->file = get_obsolete_link(); +- } ++ pid->file = get_obsolete_link(); + l = i2d_SpcPeImageData(pid, NULL); + p = OPENSSL_malloc(l); + i2d_SpcPeImageData(pid, &p); +@@ -1046,7 +965,7 @@ static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, fi + ASN1_INTEGER_set(si->d, 0); + ASN1_INTEGER_set(si->e, 0); + ASN1_INTEGER_set(si->f, 0); +- M_ASN1_OCTET_STRING_set(si->string, msistr, sizeof(msistr)); ++ ASN1_OCTET_STRING_set(si->string, msistr, sizeof(msistr)); + l = i2d_SpcSipInfo(si, NULL); + p = OPENSSL_malloc(l); + i2d_SpcSipInfo(si, &p); +@@ -1068,7 +987,7 @@ static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, fi + hashlen = EVP_MD_size(md); + hash = OPENSSL_malloc(hashlen); + memset(hash, 0, hashlen); +- M_ASN1_OCTET_STRING_set(idc->messageDigest->digest, hash, hashlen); ++ ASN1_OCTET_STRING_set(idc->messageDigest->digest, hash, hashlen); + OPENSSL_free(hash); + + *len = i2d_SpcIndirectDataContent(idc, NULL); +@@ -1923,19 +1842,18 @@ static void calc_pe_digest(BIO *bio, const EVP_MD *md, unsigned char *mdbuf, + unsigned int peheader, int pe32plus, unsigned int fileend) + { + static unsigned char bfb[16*1024*1024]; +- EVP_MD_CTX mdctx; ++ EVP_MD_CTX *mdctx = EVP_MD_CTX_new(); + +- EVP_MD_CTX_init(&mdctx); +- EVP_DigestInit(&mdctx, md); ++ EVP_DigestInit(mdctx, md); + + memset(mdbuf, 0, EVP_MAX_MD_SIZE); + + (void)BIO_seek(bio, 0); + BIO_read(bio, bfb, peheader + 88); +- EVP_DigestUpdate(&mdctx, bfb, peheader + 88); ++ EVP_DigestUpdate(mdctx, bfb, peheader + 88); + BIO_read(bio, bfb, 4); + BIO_read(bio, bfb, 60+pe32plus*16); +- EVP_DigestUpdate(&mdctx, bfb, 60+pe32plus*16); ++ EVP_DigestUpdate(mdctx, bfb, 60+pe32plus*16); + BIO_read(bio, bfb, 8); + + unsigned int n = peheader + 88 + 4 + 60+pe32plus*16 + 8; +@@ -1946,11 +1864,12 @@ static void calc_pe_digest(BIO *bio, const EVP_MD *md, unsigned char *mdbuf, + int l = BIO_read(bio, bfb, want); + if (l <= 0) + break; +- EVP_DigestUpdate(&mdctx, bfb, l); ++ EVP_DigestUpdate(mdctx, bfb, l); + n += l; + } + +- EVP_DigestFinal(&mdctx, mdbuf, NULL); ++ EVP_DigestFinal(mdctx, mdbuf, NULL); ++ EVP_MD_CTX_free(mdctx); + } + + +@@ -2019,16 +1938,15 @@ static unsigned char *calc_page_hash(char *indata, unsigned int peheader, int pe + int phlen = pphlen * (3 + nsections + sigpos / pagesize); + unsigned char *res = malloc(phlen); + unsigned char *zeroes = calloc(pagesize, 1); +- EVP_MD_CTX mdctx; +- +- EVP_MD_CTX_init(&mdctx); +- EVP_DigestInit(&mdctx, md); +- EVP_DigestUpdate(&mdctx, indata, peheader + 88); +- EVP_DigestUpdate(&mdctx, indata + peheader + 92, 60 + pe32plus*16); +- EVP_DigestUpdate(&mdctx, indata + peheader + 160 + pe32plus*16, hdrsize - (peheader + 160 + pe32plus*16)); +- EVP_DigestUpdate(&mdctx, zeroes, pagesize - hdrsize); ++ EVP_MD_CTX *mdctx = EVP_MD_CTX_new(); ++ ++ EVP_DigestInit(mdctx, md); ++ EVP_DigestUpdate(mdctx, indata, peheader + 88); ++ EVP_DigestUpdate(mdctx, indata + peheader + 92, 60 + pe32plus*16); ++ EVP_DigestUpdate(mdctx, indata + peheader + 160 + pe32plus*16, hdrsize - (peheader + 160 + pe32plus*16)); ++ EVP_DigestUpdate(mdctx, zeroes, pagesize - hdrsize); + memset(res, 0, 4); +- EVP_DigestFinal(&mdctx, res + 4, NULL); ++ EVP_DigestFinal(mdctx, res + 4, NULL); + + unsigned short sizeofopthdr = GET_UINT16_LE(indata + peheader + 20); + char *sections = indata + peheader + 24 + sizeofopthdr; +@@ -2040,18 +1958,20 @@ static unsigned char *calc_page_hash(char *indata, unsigned int peheader, int pe + unsigned int l; + for (l=0; l < rs; l+=pagesize, pi++) { + PUT_UINT32_LE(ro + l, res + pi*pphlen); +- EVP_DigestInit(&mdctx, md); ++ EVP_DigestInit(mdctx, md); + if (rs - l < pagesize) { +- EVP_DigestUpdate(&mdctx, indata + ro + l, rs - l); +- EVP_DigestUpdate(&mdctx, zeroes, pagesize - (rs - l)); ++ EVP_DigestUpdate(mdctx, indata + ro + l, rs - l); ++ EVP_DigestUpdate(mdctx, zeroes, pagesize - (rs - l)); + } else { +- EVP_DigestUpdate(&mdctx, indata + ro + l, pagesize); ++ EVP_DigestUpdate(mdctx, indata + ro + l, pagesize); + } +- EVP_DigestFinal(&mdctx, res + pi*pphlen + 4, NULL); ++ EVP_DigestFinal(mdctx, res + pi*pphlen + 4, NULL); + } + lastpos = ro + rs; + sections += 40; + } ++ EVP_MD_CTX_free(mdctx); ++ mdctx = NULL; + PUT_UINT32_LE(lastpos, res + pi*pphlen); + memset(res + pi*pphlen + 4, 0, EVP_MD_size(md)); + pi++; +@@ -2413,7 +2333,7 @@ int main(int argc, char **argv) + int nturl = 0, ntsurl = 0; + int addBlob = 0; + u_char *p = NULL; +- int ret = 0, i, len = 0, jp = -1, pe32plus = 0, comm = 0, pagehash = 0; ++ int ret = 0, i, len = 0, jp = -1, pe32plus = 0, comm = 0; + unsigned int tmp, peheader = 0, padlen = 0; + off_t filesize, fileend, sigfilesize, sigfileend, outdatasize; + file_type_t type; +@@ -2448,13 +2368,6 @@ int main(int argc, char **argv) + ERR_load_crypto_strings(); + OPENSSL_add_all_algorithms_conf(); + +- /* create some MS Authenticode OIDS we need later on */ +- if (!OBJ_create(SPC_STATEMENT_TYPE_OBJID, NULL, NULL) || +- !OBJ_create(SPC_MS_JAVA_SOMETHING, NULL, NULL) || +- !OBJ_create(SPC_SP_OPUS_INFO_OBJID, NULL, NULL) || +- !OBJ_create(SPC_NESTED_SIGNATURE_OBJID, NULL, NULL)) +- DO_EXIT_0("Failed to add objects\n"); +- + md = EVP_sha1(); + + if (argc > 1) { +@@ -2531,8 +2444,6 @@ int main(int argc, char **argv) + readpass = *(++argv); + } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-comm")) { + comm = 1; +- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-ph")) { +- pagehash = 1; + } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-n")) { + if (--argc < 1) usage(argv0); + desc = *(++argv); +@@ -3243,7 +3154,7 @@ int main(int argc, char **argv) + p7x = NULL; + } + +- get_indirect_data_blob(&p, &len, md, type, pagehash, indata, peheader, pe32plus, fileend); ++ get_indirect_data_blob(&p, &len, md, type, indata, peheader, pe32plus, fileend); + len -= EVP_MD_size(md); + memcpy(buf, p, len); + OPENSSL_free(p); +-- +2.34.1 + diff --git a/projects/osslsigncode/build b/projects/osslsigncode/build new file mode 100644 index 0000000..0f7ae9b --- /dev/null +++ b/projects/osslsigncode/build @@ -0,0 +1,19 @@ +#!/bin/bash +[% c("var/set_default_env") -%] +distdir=$(pwd)/dist +mkdir -p $distdir/[% project %] +tar xf [% project %]-[% c('version') %].tar.gz +cd [% project %]-[% c('version') %] +patch -p1 < ../0001-Make-code-work-with-OpenSSL-1.1.patch +patch -p1 < ../timestamping.patch + +./autogen.sh +./configure --prefix=/[% project %] +make +make DESTDIR=$distdir install + +cd $distdir +[% c('tar', { + tar_src => [ project ], + tar_args => '-czf ' _ dest_dir _ '/' _ c('filename'), + }) %] diff --git a/projects/osslsigncode/config b/projects/osslsigncode/config new file mode 100644 index 0000000..03dbcba --- /dev/null +++ b/projects/osslsigncode/config @@ -0,0 +1,17 @@ +# vim: filetype=yaml sw=2 +version: '[% c("abbrev") %]' +git_url: https://github.com/mtrojnar/osslsigncode +git_hash: e72a1937d1a13e87074e4584f012f13e03fc1d64 +filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz' +var: + container: + use_container: 0 + deps: + - autoconf + - libtool + - pkg-config + - libssl-dev + - libcurl4-openssl-dev +input_files: + - filename: 0001-Make-code-work-with-OpenSSL-1.1.patch + - filename: timestamping.patch diff --git a/projects/osslsigncode/timestamping.patch b/projects/osslsigncode/timestamping.patch new file mode 100644 index 0000000..94b5261 --- /dev/null +++ b/projects/osslsigncode/timestamping.patch @@ -0,0 +1,56 @@ +From 28b384e77fa0d4dd38751a0c72ab5976d2e38f75 Mon Sep 17 00:00:00 2001 +From: Georg Koppen gk@torproject.org +Date: Fri, 5 Feb 2016 09:23:10 +0000 +Subject: [PATCH] Allow timestamping with the 'add' command + + +diff --git a/osslsigncode.c b/osslsigncode.c +index 32e37c8..2978c02 100644 +--- a/osslsigncode.c ++++ b/osslsigncode.c +@@ -2556,16 +2556,16 @@ int main(int argc, char **argv) + if (--argc < 1) usage(argv0); + url = *(++argv); + #ifdef ENABLE_CURL +- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-t")) { ++ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-t")) { + if (--argc < 1) usage(argv0); + turl[nturl++] = *(++argv); +- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-ts")) { ++ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-ts")) { + if (--argc < 1) usage(argv0); + tsurl[ntsurl++] = *(++argv); +- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-p")) { ++ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-p")) { + if (--argc < 1) usage(argv0); + proxy = *(++argv); +- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-noverifypeer")) { ++ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-noverifypeer")) { + noverifypeer = 1; + #endif + } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-addUnauthenticatedBlob")) { +-- +2.7.0 + + +From 8159546dfa270da0e3512dcba983ce15029111d0 Mon Sep 17 00:00:00 2001 +From: Georg Koppen gk@torproject.org +Date: Sat, 11 Apr 2020 05:50:36 +0000 +Subject: [PATCH] fixup! Allow timestamping with the 'add' command + + +diff --git a/osslsigncode.c b/osslsigncode.c +index 3797458..4f4b897 100644 +--- a/osslsigncode.c ++++ b/osslsigncode.c +@@ -2447,7 +2447,7 @@ int main(int argc, char **argv) + } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-n")) { + if (--argc < 1) usage(argv0); + desc = *(++argv); +- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-h")) { ++ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-h")) { + if (--argc < 1) usage(argv0); + ++argv; + if (!strcmp(*argv, "md5")) { +-- +2.26.0