From 965475acca2cbcc1d748a8b6a05f8c7cf57d075a Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 14 Jun 2016 10:29:44 +0100
Subject: KEYS: Strip trailing spaces

Strip some trailing spaces.

Signed-off-by: David Howells <dhowells@redhat.com>
---
 include/keys/rxrpc-type.h   | 2 +-
 security/keys/persistent.c  | 2 +-
 security/keys/request_key.c | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/include/keys/rxrpc-type.h b/include/keys/rxrpc-type.h
index fc4875433817..5de0673f333b 100644
--- a/include/keys/rxrpc-type.h
+++ b/include/keys/rxrpc-type.h
@@ -51,7 +51,7 @@ struct krb5_principal {
 struct krb5_tagged_data {
 	/* for tag value, see /usr/include/krb5/krb5.h
 	 * - KRB5_AUTHDATA_* for auth data
-	 * - 
+	 * -
 	 */
 	s32		tag;
 	u32		data_len;
diff --git a/security/keys/persistent.c b/security/keys/persistent.c
index 2ef45b319dd9..1edc1f0a0ce2 100644
--- a/security/keys/persistent.c
+++ b/security/keys/persistent.c
@@ -114,7 +114,7 @@ found:
 		ret = key_link(key_ref_to_ptr(dest_ref), persistent);
 		if (ret == 0) {
 			key_set_timeout(persistent, persistent_keyring_expiry);
-			ret = persistent->serial;		
+			ret = persistent->serial;
 		}
 	}
 
diff --git a/security/keys/request_key.c b/security/keys/request_key.c
index a29e3554751e..43affcf10b22 100644
--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c
@@ -442,7 +442,7 @@ static struct key *construct_key_and_link(struct keyring_search_context *ctx,
 
 	if (ctx->index_key.type == &key_type_keyring)
 		return ERR_PTR(-EPERM);
-	
+
 	user = key_user_lookup(current_fsuid());
 	if (!user)
 		return ERR_PTR(-ENOMEM);
-- 
cgit v1.2.3


From 9552c7aebb8c36912612fddad5b55267c671a303 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 14 Jun 2016 13:18:33 +0100
Subject: modsign: Make sign-file determine the format of the X.509 cert

Make sign-file determine the format of the X.509 certificate by reading the
first two bytes and seeing if the first byte is 0x30 and the second
0x81-0x84.  If this is the case, assume it's DER encoded, otherwise assume
it to be PEM encoded.

Without this, it gets awkward to deal with the error messages from
d2i_X509_bio() when we want to call BIO_reset() and then PEM_read_bio() in
case the certificate was PEM encoded rather than X.509 encoded.

Reported-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Ben Hutchings <ben@decadent.org.uk>
cc: David Woodhouse <dwmw2@infradead.org>
cc: Juerg Haefliger <juerg.haefliger@hpe.com>
cc: Ben Hutchings <ben@decadent.org.uk>
---
 scripts/sign-file.c | 34 ++++++++++++++++++++++++++--------
 1 file changed, 26 insertions(+), 8 deletions(-)

diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index d912d5a56a5e..53af6dc3e6c1 100755
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -1,6 +1,6 @@
 /* Sign a module file using the given key.
  *
- * Copyright © 2014-2015 Red Hat, Inc. All Rights Reserved.
+ * Copyright © 2014-2016 Red Hat, Inc. All Rights Reserved.
  * Copyright © 2015      Intel Corporation.
  * Copyright © 2016      Hewlett Packard Enterprise Development LP
  *
@@ -167,19 +167,37 @@ static EVP_PKEY *read_private_key(const char *private_key_name)
 
 static X509 *read_x509(const char *x509_name)
 {
+	unsigned char buf[2];
 	X509 *x509;
 	BIO *b;
+	int n;
 
 	b = BIO_new_file(x509_name, "rb");
 	ERR(!b, "%s", x509_name);
-	x509 = d2i_X509_bio(b, NULL); /* Binary encoded X.509 */
-	if (!x509) {
-		ERR(BIO_reset(b) != 1, "%s", x509_name);
-		x509 = PEM_read_bio_X509(b, NULL, NULL,
-					 NULL); /* PEM encoded X.509 */
-		if (x509)
-			drain_openssl_errors();
+
+	/* Look at the first two bytes of the file to determine the encoding */
+	n = BIO_read(b, buf, 2);
+	if (n != 2) {
+		if (BIO_should_retry(b)) {
+			fprintf(stderr, "%s: Read wanted retry\n", x509_name);
+			exit(1);
+		}
+		if (n >= 0) {
+			fprintf(stderr, "%s: Short read\n", x509_name);
+			exit(1);
+		}
+		ERR(1, "%s", x509_name);
 	}
+
+	ERR(BIO_reset(b) != 0, "%s", x509_name);
+
+	if (buf[0] == 0x30 && buf[1] >= 0x81 && buf[1] <= 0x84)
+		/* Assume raw DER encoded X.509 */
+		x509 = d2i_X509_bio(b, NULL);
+	else
+		/* Assume PEM encoded X.509 */
+		x509 = PEM_read_bio_X509(b, NULL, NULL, NULL);
+
 	BIO_free(b);
 	ERR(!x509, "%s", x509_name);
 
-- 
cgit v1.2.3