From: Ben Hutchings <ben@decadent.org.uk>
Date: Mon, 04 Apr 2016 12:53:35 +0100
Subject: scripts: Fix X.509 PEM support in sign-file

sign-file originally required the X.509 certificate to be in DER
format, but now has a fallback to PEM format.  It expects BIO_reset()
to return 1 on success, but:

       BIO_reset() normally returns 1 for success and 0 or -1 for failure.
       File BIOs are an exception, they return 0 for success and -1 for
       failure.

BIO_reset() also prints accumulated error messages, which we don't
want when we're about to try a fallback, so drain them first.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -229,10 +229,14 @@ int main(int argc, char **argv)
 	ERR(!b, "%s", x509_name);
 	x509 = d2i_X509_bio(b, NULL); /* Binary encoded X.509 */
 	if (!x509) {
-		ERR(BIO_reset(b) != 1, "%s", x509_name);
+		/*
+		 * We want to hold onto the error messages in case
+		 * it's neither valid DER or PEM, but BIO_reset() will
+		 * print them immediately so we can't.
+		 */
+		drain_openssl_errors();
+		ERR(BIO_reset(b) != 0, "%s", x509_name);
 		x509 = PEM_read_bio_X509(b, NULL, NULL, NULL); /* PEM encoded X.509 */
-		if (x509)
-			drain_openssl_errors();
 	}
 	BIO_free(b);
 	ERR(!x509, "%s", x509_name);