From d6e4bff8f1ec1118282bea9413d74a94388108ac Mon Sep 17 00:00:00 2001
From: James Bottomley
Date: Mon, 13 Jun 2022 16:32:45 -0400
Subject: [PATCH 1/3] Add support for openssl-3

We're currently using a raft of APIs which trigger deprecation warnings, so add OPENSSL_API_COMPAT to the command line for openssl-3 to cause them not to break the build.

Signed-off-by: James Bottomley
---
 configure.ac | 9 ++++++---
 src/Makefile.am | 4 ++++
 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/configure.ac b/configure.ac
index 23dbc54..23c17f4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -55,9 +55,12 @@ AC_DEFINE_UNQUOTED(HAVE_LITTLE_ENDIAN, $little_endian, [Little-endian system])
 AC_DEFINE_UNQUOTED(HAVE_BIG_ENDIAN, $big_endian, [Big-endian system])
 PKG_PROG_PKG_CONFIG()
-PKG_CHECK_MODULES(libcrypto, libcrypto,
- [],
- AC_MSG_ERROR([libcrypto (from the OpenSSL package) is required]))
+PKG_CHECK_MODULES(libcrypto, [libcrypto >= 3.0.0],
+ [ac_have_openssl3=1],
+ [PKG_CHECK_MODULES(libcrypto, libcrypto,
+ [],
+ AC_MSG_ERROR([libcrypto (from the OpenSSL package) is required]))])
+AM_CONDITIONAL(HAVE_OPENSSL3, test "$ac_have_openssl3" = "1")
 PKG_CHECK_MODULES(uuid, uuid,
 [],
diff --git a/src/Makefile.am b/src/Makefile.am
index e3f039b..38f93ff 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -4,6 +4,10 @@ bin_PROGRAMS = sbsign sbverify sbattach sbvarsign sbsiglist sbkeysync
 coff_headers = coff/external.h coff/pe.h
 AM_CFLAGS = -Wall -Wextra --std=gnu99
+if HAVE_OPENSSL3
+AM_CFLAGS += -DOPENSSL_API_COMPAT=0x10100000L
+endif
+
 common_SOURCES = idc.c idc.h image.c image.h fileio.c fileio.h \
 efivars.h $(coff_headers)
 common_LDADD = ../lib/ccan/libccan.a $(libcrypto_LIBS)
From 75d8405eca50bc62da4d6115f09f9a42969092e1 Mon Sep 17 00:00:00 2001
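Review bot: In the configure.ac hunk, the success action of the new `PKG_CHECK_MODULES(libcrypto, [libcrypto >= 3.0.0], ...)` sets `ac_have_openssl3`, which is never initialised and sits in the `ac_` namespace that Autoconf reserves for its own shell variables. A value inherited from the environment would therefore satisfy `test "$ac_have_openssl3" = "1"` even when the versioned check fails; I would rename it and add `have_openssl3=0` before the check. Also, PKG_CHECK_MODULES does not query pkg-config when both `libcrypto_CFLAGS` and `libcrypto_LIBS` are preset, so a builder who overrides them appears to get the OpenSSL 3 branch with no version test. A short `dnl` comment saying so would help packagers.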
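Review bot: In the src/Makefile.am hunk, `AM_CFLAGS += -DOPENSSL_API_COMPAT=0x10100000L` carries no comment, yet it silences the OpenSSL 3 deprecation warnings for every target in this Makefile.am that uses AM_CFLAGS. A later use of a deprecated signing or digest call will then no longer show up in the build output. The commit message describes the flag as a way to keep the build from breaking rather than a migration, so I would record that beside it, e.g. `# Stopgap: hides OpenSSL 3.0 deprecation warnings until the code moves off the 1.1 API`.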
From: Jeremi Piotrowski
Date: Mon, 27 Sep 2021 17:27:27 +0200
Subject: [PATCH 2/3] Fix openssl-3.0 issue involving ASN1 xxx_it

Use ASN1_ITEM_rptr() instead of taking the address of IDC_PEID_it. openssl-3.0 changed the type of TYPE_it from `const ASN1_ITEM TYPE_it` to `const ASN1_ITEM *TYPE_it(void)`. This was previously hidden behind OPENSSL_EXPORT_VAR_AS_FUNCTION but in 3.0 only the function version is available. This change should have been transparent to the application, but only if the `ASN1_ITEM_rptr()` macro is used. This change passes `make check` with both openssl 1.1 and 3.0.

Signed-off-by: Jeremi Piotrowski
Signed-off-by: James Bottomley
---
 src/idc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/idc.c b/src/idc.c
index 6d87bd4..0a82218 100644
--- a/src/idc.c
+++ b/src/idc.c
@@ -189,7 +189,7 @@ int IDC_set(PKCS7 *p7, PKCS7_SIGNER_INFO *si, struct image *image)
 idc->data->type = OBJ_nid2obj(peid_nid);
 idc->data->value = ASN1_TYPE_new();
- type_set_sequence(image, idc->data->value, peid, &IDC_PEID_it);
+ type_set_sequence(image, idc->data->value, peid, ASN1_ITEM_rptr(IDC_PEID));
 idc->digest->alg->parameter = ASN1_TYPE_new();
 idc->digest->alg->algorithm = OBJ_nid2obj(NID_sha256);
From 9cfca9fe7aa7a8e29b92fe33ce8433e212c9a8ba Mon Sep 17 00:00:00 2001
From: James Bottomley
Date: Sun, 19 Mar 2023 17:07:59 -0400
Subject: [PATCH 3/3] Version 0.9.5

Andreas Schwab (1): sbsigntool: add support for RISC-V 64-bit PE/COFF images
Daniel Axtens (1): sbvarsign: do not include PKCS#7 attributes
James Bottomley (1): Add support for openssl-3
Jeremi Piotrowski (1): Fix openssl-3.0 issue involving ASN1 xxx_it
dann frazier (1): sbkeysync: Don't ignore errors from insert_new_keys()

Signed-off-by: James Bottomley
---
 configure.ac | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 23c17f4..8a5340a 100644
--- a/configure.ac
+++ b/configure.ac
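Review bot: In the src/idc.c hunk, `idc->data->value = ASN1_TYPE_new();` is passed to `type_set_sequence()` on the changed line without a NULL check, and `idc->digest->alg->parameter = ASN1_TYPE_new();` just below is unchecked as well. ASN1_TYPE_new() returns NULL when allocation fails. Whether type_set_sequence() tolerates a NULL target is not visible here, so I would guard at the call site, e.g. `if (!idc->data->value) return -1;`, with whatever error return IDC_set already uses. IDC_set starts and ends outside the hunk, so its cleanup path should be checked before choosing that return.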
@@ -1,4 +1,4 @@
-AC_INIT([sbsigntool], [0.9.4], [James.Bottomley@HansenPartnership.com])
+AC_INIT([sbsigntool], [0.9.5], [James.Bottomley@HansenPartnership.com])
 AM_INIT_AUTOMAKE()