diff options
| author | Patrick Williams <patrick@stwcx.xyz> | 2022-05-01 14:28:52 +0300 |
|---|---|---|
| committer | Patrick Williams <patrick@stwcx.xyz> | 2022-05-01 20:07:42 +0300 |
| commit | 03907ee1b9e938b9ce87f4d781c905c2a41592c2 (patch) | |
| tree | 504ede0334e848ecee70584d0bde508a5b30e9d3 /meta-security | |
| parent | d541ec52554ae60b0d5903cccf97905bcaaf209e (diff) | |
| download | openbmc-03907ee1b9e938b9ce87f4d781c905c2a41592c2.tar.xz | |
subtree updates2.13.0-dev
meta-security: 498ca39cd6..93f2146211:
Anton Antonov (1):
Upgrade parsec-service to 1.0.0 and parsec-tool to 0.5.2
Joe Slater (1):
LICENSE: update to SPDX standard names
Petr Gotthard (6):
tpm2-tools: fix missing version number
tpm2-openssl: update to 1.1.0
tpm2-tss: update to 3.2.0
tpm2-abrmd: update to 2.4.1
tpm2-tss-engine: fix version string and build with openssl 3.0
tpm2-pkcs11: update to 1.8.0
Ranjitsinh Rathod (1):
samhain.inc: Correct LICENSE to GPL-2.0-only
poky: 30b38d9cb9..9e55696042:
Abongwa Amahnui Bonalais (2):
documentation/brief-yoctoprojectqs: add directory for local.conf
dev-manual: add command used to add the signed-off-by line.
Alex Kiernan (12):
kernel: Delete unused KERNEL_LOCALVERSION variable
wpa-supplicant: Reorder/group following style guide
wpa-supplicant: Avoid changing directory in do_install
wpa-supplicant: Use PACKAGE_BEFORE_PN/${PN}
wpa-supplicant: Backport libwpa/clean build fixes
wpa-supplicant: Build static library if not DISABLE_STATIC
wpa-supplicant: Use upstream defconfig
wpa-supplicant: Simplify build/install flow
wpa-supplicant: Package dynamic modules
wpa-supplicant: Install wpa_passphrase when not disabled
wpa-supplicant: Package shared library into wpa-supplicant-lib
eudev: Remove unused files
Alexander Kanavin (35):
webkitgtk: update 2.34.6 -> 2.36.0
epiphany: upgrade 41.3 -> 42.0
itstool: correct upstream version check
piglit: update to latest revision
vulkan-samples: update to latest revision
libxvmc: update 1.0.12 -> 1.0.13
libsndfile1: update 1.0.31 -> 1.1.0
at-spi2-core: update 2.42.0 -> 2.44.0
cmake: update 3.22.3 -> 3.23.0
gdk-pixbuf: upgrade 2.42.6 -> 2.42.8
librsvg: upgrade 2.52.7 -> 2.54.0
libgcrypt: upgrade 1.9.4 -> 1.10.1
llvm: update 13.0.1 -> 14.0.0
llvm: use default install paths
squashfs-tools: update 4.5 -> 4.5.1
webkitgtk: adjust patch status
go-helloworld: update to latest revision
libxml2: update patch status
python3-psutil: submit patch upstream
gnu-config: update to latest revision
go-helloworld: update to latest revision
piglit: update to latest revision
vulkan-samples: update to latest revision
python3-typing-extensions: upgrade 3.10.0.0 -> 4.2.0
python3-pyparsing: upgrade 3.0.7 -> 3.0.8
glib: upgrade 2.72.0 -> 2.72.1
go: update 1.18 -> 1.18.1
meson: update 0.61.3 -> 0.62.1
icu: update 70.1 -> 71.1
valgrind: update 3.18.1 -> 3.19.0
libcap-ng: update 0.8.2 -> 0.8.3
libgpg-error: 1.44 -> 1.45
cmake: update 3.23.0 -> 3.23.1
stress-ng: upgrade 0.13.12 -> 0.14.00
llvm: update 14.0.0 -> 14.0.1
Alexandre Belloni (1):
cmake: update license hashes
Andrei Gherzan (1):
automake: Drop redundant 'u' flag in ARFLAGS
Bruce Ashfield (3):
linux-yocto-dev: update to v5.18+
lttng-modules: support kernel 5.18+
kernel-yocto: allow patch author date to be commit date
Carlos Rafael Giani (2):
gstreamer1.0-plugins-good: Fix libsoup dependency
gstreamer1.0: Minor documentation addition
Chen Qi (3):
cases/buildepoxy.py: fix typo
go.bbclass: disable the use of the default configuration file
go-helloworld: remove unused GO_WORKDIR
Davide Gardenal (2):
create-spdx: fix error when symlink cannot be created
create-spdx: delete virtual/kernel dependency to fix FreeRTOS build
Dmitry Baryshkov (5):
linux-firmware: correct license for ar3k firmware
linux-firmware: split ath3k firmware
arch-armv8-2a.inc: fix a typo in TUNEVALID variable
arch-armv8-4a.inc: add tune include for armv8.4a
image.bbclass: allow overriding dependency on virtual/kernel:do_deploy
Ferry Toth (2):
apt: add apt selftest to test signed package feeds
package_manager: fix missing dependency on gnupg when signing deb package feeds
Henning Schild (1):
wic: do not use PARTLABEL for msdos partition tables
Jacob Kroon (1):
zlib: Add patch to fix building icedtea7-native from meta-java
Jasper Orschulko (1):
repo: upgrade 2.22 -> 2.23
Jiaqing Zhao (3):
sed: Specify shell for "nobody" user in run-ptest
base-passwd: Disable shell for default users
strace: Don't run ptest as "nobody"
Joerg Vehlow (1):
go: Always pass interpreter to linker
Jon Mason (4):
linux-yocto: Remove unnecessary, commented out qemuarm entry
qemuarm64: use virtio pci interfaces
poky-tiny: enable qemuarmv5/qemuarm64 and cleanups
poky-tiny: add a distro description
Justin Bronder (1):
pulseaudio: conditionally depend on alsa-plugins-pulseaudio-conf
Kai Kang (1):
update_udev_hwdb: fix multilib issue with systemd
Khem Raj (28):
webkitgtk: Add missing header locale.h
python3: Do not detect multiarch when cross compiling
kernel-devsrc: Check for gen_vdso_offsets.sh before copying on riscv
babeltrace: Disable warnings as errors
xserver-xorg: Fix build with gcc12
systemtap: Fix build with gcc-12
gnupg: Disable FORTIFY_SOURCES on mips
riscv: Add tunes for rv64 without compressed instructions
mdadm: Drop clang specific cflags
harfbuzz: Upgrade to 4.2.0
pango: Upgrade to 1.50.6
pango: Drop using additional cflags with clang
pango: Skip test-layout ptest
go: Upgrade to 1.18
go: Drop GOBUILDMODE
go: Disable pie in cgo for mips
go-target: Pass -trimpath to go linker
seatd: Disable overflow warning as error on ppc64/musl
gcc: Upgrade to 11.3 release
musl: Fix build when usrmerge distro feature is enabled
gcompat: Fix build when usrmerge distro feature is enabled
libc-glibc: Use libxcrypt to provide virtual/crypt
glibc: Update to latest 2.35 tip
qemu.bbclass: Extend ppc/ppc64 extra options
busybox: Use base_bindir instead of hardcoding /bin path
musl-locales: Add package
util-linux: Create u-a symlink for findfs utility
kmod: Enable xz support by default
Konrad Weihmann (11):
kern-tools-native: add missing license
gmp: add missing COPYINGv3
itstool: add missing COPYING.GPL3
libcap: add pam_cap license
libsdl2: fix license
libidn2: add Unicode-DFS-2016 license
gettext: add MIT conditional as license
python3-pip: correct license
cmake: add missing licenses
git: correct license
ncurses: use COPYING file
Lee Chee Yang (1):
migration-guides: release-notes-4.0: update 'Repositories / Downloads' section
Marius Kriegerowski (1):
bitbake: bitbake-diffsigs: Make PEP8 compliant
Martin Jansa (1):
systemd-boot: remove outdated EFI_LD comment
Matt Madison (1):
bitbake: providers: use local variable for packages_dynamic pattern
Michael Halstead (3):
releases: update for yocto 4.0
set_versions: update for 4.0 release
releases: update to include 3.3.6
Michael Opdenacker (5):
meta-poky: update conf-notes.txt
overview-manual: licensing section fixes
manuals: correct and improve descriptions of Autotools
manuals: refer to "YP Compatible" layers instead of "curated" ones
migration-guides: release-notes-4.0: mention LTS release
Naveen Saini (1):
gstreamer1.0-plugins-bad: drop patch
Nicolas Dechesne (2):
migration-guides: stop including documents with ".. include"
sanity: skip make 4.2.1 warning for debian
Olaf Mandel (1):
bitbake: fetch2/git: canonicalize ids in generated tarballs
Paul Eggleton (9):
migration-3.4: add missing entry on EXTRA_USERS_PARAMS
ref-manual: add a note about hard-coded passwords
ref-manual: mention wildcarding support in INCOMPATIBLE_LICENSE
ref-manual: add mention of vendor filtering to CVE_PRODUCT
ref-manual: add KERNEL_DEBUG_TIMESTAMPS
ref-manual: add empty-dirs QA check and QA_EMPTY_DIRS*
migration-guides: complete migration guide for 4.0
migration-guides: add release notes for 4.0
ref-manual: add ZSTD_THREADS
Paul Gortmaker (1):
install/devshell: Introduce git intercept script due to fakeroot issues
Paulo Neves (1):
selftest/lic_checksum: Add test for filename containing space
Pavel Zhukov (1):
bitbake: fetch2: Add GIT_SSH_COMMAND to the list of exports
Peter Kjellerstedt (8):
bitbake: pyinotify.py: Simplify identification of which event has occurred
shadow: Disable the use of syslog() for the native tools
u-boot: Correct the SRC_URI
u-boot: Inherit pkgconfig
bitbake: fetch2/git: Simplify the validation of SHA-1 revisions
terminal.py: Restore error output from Terminal
devshell.bbclass: Allow devshell & pydevshell to use the network
license_image.bbclass: Make QA errors fail the build
Peter Marko (1):
openssl: extract legacy provider module to a separate package
Pgowda (2):
glibc: ptest: Fix glibc-tests package issue
rust: update 1.59.0 -> 1.60.0
Portia (2):
volatile-binds: Change DefaultDependencies from false to no
volatile-binds: Remove TimeoutSec and allow DefaultTimeoutSec to be used
Quentin Schulz (15):
docs: sphinx-static: switchers.js.in: remove duplicate for outdated versions
docs: set_versions.py: add information about obsolescence of a release
docs: sphinx-static: switchers.js.in: improve obsolete version detection
docs: set_versions.py: fix latest release of a branch being shown twice in switchers.js
docs: set_versions.py: fix latest version of an active release shown as obsolete
docs: update Bitbake objects.inv location for master branch
docs: set_versions.py: mark as obsolete only branches and old tags from obsolete releases
docs: sphinx-static: switchers.js.in: rename all_versions to switcher_versions
docs: sphinx-static: switchers.js.in: fix broken switcher for branches
docs: sphinx-static: switchers.js.in: do not mark branches as outdated
docs: conf.py: fix cve extlinks caption for sphinx <4.0
docs: ref-manual: variables: add hashed password example in EXTRA_USERS_PARAMS
docs: migration-guides: migration-3.4: mention that hardcoded password are supported if hashed
docs: migration-guides: release-notes-4.0: fix risc-v typo
docs: migration-guides: release-notes-4.0: replace kernel placeholder with correct recipe name
Rahul Kumar (1):
neard: Switch SRC_URI to git repo
Ricardo Salveti (1):
bitbake: fetch2/crate: fix logger.debug line
Richard Purdie (47):
qemu: Add fix for CVE-2022-1050
tiff: Add marker for CVE-2022-1056 being fixed
git: Ignore CVE-2022-24975
Revert "adwaita-icon-theme: upgrade 41.0 -> 42.0"
migration-guide: Kirkstone is now 4.0
local.conf.sample: Update for 4.0 in sstate url
externalsrc/devtool: Fix to work with fixed export funcition flags handling
sanity: Show a warning that make 4.2.1 is buggy on non-ubuntu systems
runqemu: Allow auto detection of the correct graphics options
bitbake: checksum: Allow spaces in URI filenames
bitbake: ast: Improve function flags handling for EXPORT_FUNCTIONS
rxvt-unicode: Fix icon name
puzzles: Drop broken icon
build-appliance-image: Update to master head revision
build-appliance-image: Update to master head revision
bluez5: Add fix for startup issues under systemd
build-appliance-image: Update to master head revision
alsa-tools: Ensure we install correctly
libxshmfence: Correct LICENSE to HPND
bitbake.conf: Correct BB_SIGNATURE_EXCLUDE_FLAGS
git: Upgrade 2.35.1 -> 2.35.2
build-appliance-image: Update to master head revision
buildtools-tarball: Only add cert envvars if certs are included
buildtools: Add standalone make tarball
poky: Use INIT_MANAGER in main distro config
bitbake: tests/parse: Fix one test overwriting another
bitbake: server/process: Drop unused import
bitbake: ui/buildinfohelper: Drop unused import
bitbake: cooker: Drop unused loop
bitbake: msg: Drop unused local variable
bitbake: buildinfohelper: Drop unused function
bitbake: fetch2/crate: Drop unused import
bitbake: siggen: Drop pointless break statement
bitbake: ui/knotty: Drop pointless pass statement
bitbake: persist_data: Use a valid exception for missing implementation
bitbake: runqueue: Drop pointless variable assignment
bitbake: buildinfohelper: Drop unused variables
poky/meta-yocto-bsp: Post release version/codename updates
xorg-app: Tweak handling of compression changes in SRC_URI
ref-manual: Add XZ_THREADS and XZ_MEMLIMIT
set_versions: Add a getlatest command to obtain the latest release branch name
layer.conf: Post release codename changes
base: Drop git intercept
bitbake: fetch2/osc: Add missing parameter
staging: Ensure we filter out ourselves
lib/sstatesig: Fix find_siginfo to match sstate filename generation
bitbake: runqueue: Fix sig file location when using multiconfig
Robert Joslyn (1):
curl: Update to 7.83.0
Robert Yang (1):
bitbake: fetch2/ssh.py: decode path back for ssh
Ross Burton (12):
zlib: upgrade to 1.2.12
qemu: backport a patch to optionally disable i8042 (AT and PS/2) hardware
qemux86-64: disable legacy i8042 (AT keyboard, PS/2 mouse)
e2fsprogs: fix CVE-2022-1304
subversion: upgrade to 1.14.2
python3: ignore CVE-2015-20107
bitbake.conf: mark all directories as safe for git to read
cve_check: skip remote patches that haven't been fetched when searching for CVE tags
cve-check: no need to depend on the fetch task
poky.conf: set PACKAGE_CLASSES explicitly to package_rpm
distro/poky-tiny: don't put translations into images
musl-locales: explicitly depend on gettext-native
Russ Dill (2):
package.bbclass: Prevent perform_packagecopy from removing /sysroot-only
kernel-yocto.bbclass: Fixup do_kernel_configcheck usage of KMETA
Schmidt, Adriaan (1):
bitbake: bitbake-diffsigs: make finding of changed signatures more robust
Scott Murray (1):
runqemu: Do not auto detect graphics if publicvnc is specified
Sean Anderson (1):
wic: Add dependencies for erofs-utils
Simone Weiss (1):
libgpg-error: Add ptest
Stefan Herbrechtsmeier (1):
recipetool: Do not use mutable default arguments in Python
Steve Sakoman (3):
busybox: fix CVE-2022-28391
lua: fix CVE-2022-28805
scripts/contrib/oe-build-perf-report-email.py: remove obsolete check for phantomjs and optipng
Xu Huan (5):
python3-dbusmock: upgrade 0.27.3 -> 0.27.5
python3-pip: upgrade 22.0.3 -> 22.0.4
python3-zipp: upgrade 3.7.0 -> 3.8.0
python3-hypothesis: upgrade 6.39.5 -> 6.41.0
python3-sphinx: upgrade 4.4.0 -> 4.5.0
wangmy (34):
freetype: upgrade 2.11.1 -> 2.12.0
ghostscript: upgrade 9.55.0 -> 9.56.1
libsoup: upgrade 3.0.5 -> 3.0.6
libx11: upgrade 1.7.3.1 -> 1.7.5
acpica: upgrade 20211217 -> 20220331
apt: upgrade 2.4.3 -> 2.4.4
dpkg: upgrade 1.21.4 -> 1.21.7
fontconfig: upgrade 2.13.1 -> 2.14.0
mc: upgrade 4.8.27 -> 4.8.28
shared-mime-info: upgrade 2.1 -> 2.2
strace: upgrade 5.16 -> 5.17
sysvinit: upgrade 3.01 -> 3.02
libbsd: upgrade 0.11.5 -> 0.11.6
boost: upgrade 1.78.0 -> 1.79.0
enchant2: upgrade 2.3.2 -> 2.3.3
help2man: upgrade 1.49.1 -> 1.49.2
json-c: upgrade 0.15 -> 0.16
libaio: upgrade 0.3.112 -> 0.3.113
libusb1: upgrade 1.0.25 -> 1.0.26
libgit2: upgrade 1.4.2 -> 1.4.3
libcap: upgrade 2.63 -> 2.64
linux-firmware: upgrade 20220310 -> 20220411
mtools: upgrade 4.0.38 -> 4.0.39
libpcre2: upgrade 10.39 -> 10.40
python3-jsonpointer: upgrade 2.2 -> 2.3
python3-sphinx-rtd-theme: upgrade 0.5.0 -> 1.0.0
dropbear: upgrade 2020.81 -> 2022.82
gptfdisk: upgrade 1.0.8 -> 1.0.9
kexec-tools: upgrade 2.0.23 -> 2.0.24
libxcursor: upgrade 1.2.0 -> 1.2.1
mkfontscale: upgrade 1.2.1 -> 1.2.2
xdpyinfo: upgrade 1.3.2 -> 1.3.3
apt: upgrade 2.4.4 -> 2.4.5
python3-hypothesis: upgrade 6.41.0 -> 6.44.0
zhengruoqin (7):
createrepo-c: upgrade 0.19.0 -> 0.20.0
expat: upgrade 2.4.7 -> 2.4.8
ethtool: upgrade 5.16 -> 5.17
git: upgrade 2.35.2 -> 2.35.3
openssh: upgrade 8.9p1 -> 9.0p1
wireless-regdb: upgrade 2022.02.18 -> 2022.04.08
ruby: upgrade 3.1.1 -> 3.1.2
meta-openembedded: 1888971b1f..77c2fda04e:
Alex Kiernan (2):
audit: Upgrade 3.0.6 -> 3.0.7
mosh: Drop perl dependencies from server
Andreas Müller (21):
libnma: upgrade 1.8.36 -> 1.8.38
gnome-control-center: upgrade 41.2 -> 42.0
gnome-flashback: upgrade 3.42.1 -> 3.44.0
gnome-panel: upgrade 3.42.0 -> 3.44.0
gnome-session: upgrade 41.3 -> 42.0
gnome-shell-extensions: upgrade 41.1 -> 42.0
gthumb: upgrade 3.12.0 -> 3.12.2
ibus: upgrade 1.5.23+ -> 1.5.26
libportal: upgrade 0.5 -> 0.6
network-manager-applet: upgrade 1.24.0 -> 1.24.0
sysprof: upgrade 3.42.1 -> 3.44.0
gnome-shell: fix bluetooth PACKAGECONFIG
packagegroup-gnome-desktop: replace gnome-bluetooth by gnome-bluetooth4
gnome-bluetooth: avoid clashes with gnome-bluetooth4
gnome-bluetooth: rename recipes to avoid suffix in future
gnome-bluetooth: Add PACKAGECONFIG pulseaudio and filter by distro-feature
gnome-backgrounds: upgrade 41.0 -> 42.0
gnome-settings-daemon: upgrade 41.0 -> 42.1
libgweather4: Fix introspection build
gjs: Add cairo to DEPENDS unconditionally
gnome-shell-extensions: Stop copying gnome-classic session to wayland
Andrej Valek (1):
poco: upgrade 1.11.1 -> 1.11.2
Armin Kuster (1):
meta-oe-image: fix build depends
Bassem Boubaker (1):
conntrack-tools: Fix missing capability
Ben Fekih, Hichem (1):
sdbus-c++-libsystemd: bugfix dev package is not installed
Carlos Rafael Giani (1):
pipewire: Upgrade to version 0.3.50
Changqing Li (1):
drbd-utils: fix for usrmerge
Dmitry Baryshkov (1):
gpsd: split python utils from gps-utils
Hongxu Jia (1):
cdrkit: add new option -eltorito-platform for genimageiso
Jan Vermaete (1):
netdata: version bump 1.33.1 -> 1.34.1
Jiaqing Zhao (1):
libesmtp: Disable NTLM support by default
KARN JYE LAU (1):
icewm:include imlib2-loaders package
Kai Kang (1):
python3-blivetgui: use symbolic list-add and edit- icons
Khem Raj (60):
dbus-cxx: Include missing <utility> header
safec: Upgrade to 3.7.1
mongodb: Update to 4.4.13
libkcapi: Upgrade to 1.4.0
libpfm4: Remove -Werror from compiler flags
parallel-deqp-runner: Fix build with gcc 12
glmark2: Fix build with gcc12
memcached: Upgrade to 1.6.15
tvheadend: Update to latest trunk
ot-br-posix: Disable Wsign-compare for clang
opensaf: Fix build with gcc 12
boost-sml: Disable examples
mpich: Add new directory modules/hwloc/config to search path
gnulib: Do not use git operations to install the sources
sysprof: Fix build to work with llvm libunwind
linuxconsole: Fix makefile issue found with clang
mongodb: Fix aarch64 build with gcc12
libcereal: Link libatomics with gcc as well
wpantund: Add missing dependency on boost
gimp: Disable vector icons on 32bit systems
mozjs-91: Upgrade to 91.8.0
mozjs-78: Switch to system libicu
nodejs: Upgrade to 16.14.2
ot-br-posix: Fix build with gcc
dlt-daemon: Fix build on rv32/rv64
grpc: Fix build with rv32/rv64
ltrace: Fix build on ppc64 with gcc12
opencv: Fix build with gcc-12 on ppc64
mozjs-91: Disable strip
mozjs-91: Add option to use system ICU
sysprof: Remove libunwind on rv32
crash: Fix build for mips target
tcsh: Do not install symlinks into /bin with usrmerge
arno-iptables-firewall: Do not use bitbake variable inside S
fluentbit: Fix build with usrmerge distro feature
tomoyo-tools: Define SBINDIR
tomoyo-tools: Drop md5sum
gradm: Upgrade to 3.1-202111052217
babeld: Upgrade to 1.11
scsirastools: Fix build with usrmerge
dietsplash: specify install rootdir
linux-atm: Add knob to root prefix
ufw: Fix build with usrmerge distro feature
netdata: Fix build errors with clang
klibc: Recognise --dyld-prefix clang option
mozjs: Use vendored icu on ppc/clang
boinc-client: Do not overwrite same file when using usrmerge
pam-ssh-agent-auth: Use specific versions of BSD licenses
fwupd: Enable build with musl
lirc: install systemd units only when using systemd distro feature
fluentbit: Disable systemd support when systemd distro feature is disabled
gtksourceview5: Allow wayland or x11
gtkmm3: Allow wayland or x11 in distro features
gparted: Allow wayland or x11 distro features
lirc: Delete systemd unit files on non systemd distros
atkmm: Allow build with wayland
pangomm: Allow building with wayland
lockdev: Drop cumulative debian patch
boinc-client: Make script install not depend on host install paths
babl: Fix build with meson 0.62+
Leon Anavi (2):
python3-bitstruct: Upgrade 8.13.0 -> 8.14.0
python3-marshmallow: Upgrade 3.14.1 -> 3.15.0
Marguet, Nicolas (1):
openjpeg: fix CVE-2022-1122
Mingli Yu (4):
tgt: move from meta-openstack
libconfig-general-perl: move from meta-openstack
crash: Upgrade to 8.0.0
makedumpfile: Upgrade to 1.7.1
Oleksandr Kravchuk (4):
htpdate: update to 1.3.3
redis: upgrade to 7.0-rc3
pkcs11-helper: fix PV
python3-imgtool: update to 1.9.0
Peter Kjellerstedt (3):
gpsd: Only copy the Python files if they are created
poppler: Support building for native
gpsd: Correct the creation of the gps-utils-python package
Preeti Sachan (1):
gnuplot: inherit pkgconfig
Robert Yang (1):
libldb: Fix installed-vs-shipped and rebuild error
Suhrid_S (1):
clinfo: Upgrade 2.2.18.04.06 -> 3.0.21.02.21
Trevor Gamblin (2):
nftables: add ptest
phoronix-test-suite: upgrade 10.8.1 -> 10.8.2
Willy Tu (1):
absil-cpp: Update SRC_URI to to the latest google internal sync
Xu Huan (10):
python3-redis: upgrade 4.2.1 -> 4.2.2
python3-sentry-sdk: upgrade 1.5.7 -> 1.5.8
python3-sqlalchemy: upgrade 1.4.34 -> 1.4.35
python3-graphviz: upgrade 0.19.1 -> 0.19.2
python3-kivy: upgrade 2.0.0 -> 2.1.0
python3-aenum: upgrade 3.1.8 -> 3.1.11
python3-aws-iot-device-sdk-python: upgrade 1.5.1 -> 1.5.2
python3-cmd2: upgrade 2.4.0 -> 2.4.1
python3-django: upgrade 2.2.27 -> 2.2.28
python3-imageio: upgrade 2.16.1 -> 2.17.0
Yi Zhao (6):
frr: add recipe
libldb: upgrade 2.3.2 -> 2.3.3
samba: upgrade 4.14.12 -> 4.14.13
frr: install correct initscript
frr: add PACKAGECONFIG for fpm
frr: inherit autotools-brokensep instead of autotools
wangmy (51):
nbdkit: upgrade 1.25.7 -> 1.30.2
icewm: upgrade 2.9.0 -> 2.9.6
lapack: upgrade 3.9.0 -> 3.10.0
libbpf: upgrade 0.5.0 -> 0.7.0
libmtp: upgrade 1.1.18 -> 1.1.19
logwatch: upgrade 7.5.3 -> 7.6
mpich: upgrade 3.4.3 -> 4.0.2
libvpx: upgrade 1.8.2 -> 1.11.0
linuxconsole: upgrade 1.7.0 -> 1.7.1
mercurial: upgrade 5.5 -> 6.1
ocl-icd: upgrade 2.3.0 -> 2.3.1
octave: upgrade 6.4.0 -> 7.1.0
rdma-core: upgrade 39.0 -> 40.0
pam-plugin-ldapdb: upgrade 1.3 -> 1.3.1
pax-utils: upgrade 1.2.2 -> 1.3.3
pcsc-tools: upgrade 1.5.8 -> 1.6.0
pegtl: upgrade 3.2.1 -> 3.2.5
qpdf: upgrade 10.5.0 -> 10.6.3
s-nail: upgrade 14.9.23 -> 14.9.24
smcroute: upgrade 2.5.4 -> 2.5.5
squashfs-tools-ng: upgrade 1.0.2 -> 1.1.4
st: upgrade 0.8.4 -> 0.8.5
tracker: upgrade 3.2.1 -> 3.3.0
thingsboard-gateway: upgrade 2.8 -> 2.9
thrift: upgrade 0.14.2 -> 0.16.0
toybox: upgrade 0.8.5 -> 0.8.6
unbound: upgrade 1.13.2 -> 1.15.0
twm: upgrade 1.0.11 -> 1.0.12
unixodbc: upgrade 2.3.7 -> 2.3.9
xterm: upgrade 368 -> 372
python3-cppy: upgrade 1.2.0 -> 1.2.1
evince: upgrade 42.1 -> 42.2
evolution-data-server: upgrade 3.44.0 -> 3.44.1
gspell: upgrade 1.9.1 -> 1.10.0
gtksourceview5: upgrade 5.4.0 -> 5.4.1
libadwaita: upgrade 1.1.0 -> 1.1.1
nautilus: upgrade 42.0 -> 42.1.1
htpdate: upgrade 1.3.3 -> 1.3.4
nanomsg: upgrade 1.1.5 -> 1.2
nbdkit: upgrade 1.30.2 -> 1.31.1
ctags: upgrade 5.9.20220410.0 -> 5.9.20220417.0
hexedit: upgrade 1.5 -> 1.6
lapack: upgrade 3.10.0 -> 3.10.1
links: upgrade to 2.26
lsscsi: upgrade 0.31 -> 0.32
openwsman: upgrade 2.6.11 -> 2.7.1
libdbd-sqlite-perl: upgrade 1.68 -> 1.70
libencode-perl: upgrade 3.16 -> 3.17
libextutils-cppguess-perl: upgrade 0.23 -> 0.26
libtest-harness-perl: upgrade 3.42 -> 3.44
ostree: upgrade 2021.6 -> 2022.2
zhengruoqin (5):
python3-google-api-python-client: upgrade 2.42.0 -> 2.43.0
python3-googleapis-common-protos: upgrade 1.54.0 -> 1.56.0
python3-nocaselist: upgrade 1.0.4 -> 1.0.5
python3-pylint: upgrade 2.13.2 -> 2.13.5
python3-nocasedict: upgrade 1.0.2 -> 1.0.3
meta-raspberrypi: 83f5577d8d..c97a9e34ab:
Andrei Gherzan (20):
raspberrypi-firmware: Update to 20220331
linux-raspberrypi: Update 5.15 recipe to 5.15.34
linux-raspberrypi: Update 5.10 recipe to 5.10.110
bcm2835: Update to 1.71
pi-blaster: Uprev the recipe
linux-firmware-rpidistro: Update to 20210315-3+rpt4
raspi-gpio: Uprev revision to current HEAD of master branch
python3-rtimu: Upgrade to 7.2.1
rpio: Upgrade to 0.10.1
python3-adafruit-pureio: Uprade to 1.1.8
python3-adafruit-platformdetect: Upgrade to 3.22.1
python3-adafruit-circuitpython-register: Upgrade to 1.9.8
rpi-basic-image: Drop image
rpi-hwup-image: Drop image
packagegroup-rpi-test: Include more packages
ci: Use test builds with the test image
docs: Drop mention of deprecated images
docs: Bump copyright year
rpi-base.inc: Add MCP3008 ADC overlay
kmod: Enable xz compression
Davide Gardenal (1):
bluez-firmware-rpidistro: Add compatibility to oe-core/create-spdx
Jan Vermaete (1):
docs: link to latest documentation of kas
Khem Raj (1):
python3-sense-hat: Use specific BSD license
Meng Li (1):
u-boot: Remove the randundant patch
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: Icdb885a2d340dc3c88b971c57dede6902a9708e3
Diffstat (limited to 'meta-security')
42 files changed, 440 insertions, 2261 deletions
diff --git a/meta-security/meta-parsec/README.md b/meta-security/meta-parsec/README.md index 85e0d10f4f..97026ea602 100644 --- a/meta-security/meta-parsec/README.md +++ b/meta-security/meta-parsec/README.md @@ -43,20 +43,34 @@ local.conf: IMAGE_INSTALL:append = " parsec-service" By default the Parsec service will be deployed into the image with -TPM, PKCS11, MBED-CRYPTO and CRYPTOAUTHLIB providers build in -and with the default config file from the Parsec repository: -https://github.com/parallaxsecond/parsec/blob/main/config.toml +PKCS11 and MBED-CRYPTO providers build-in. + The TPM provider will also be built by default if: +- DISTRO_FEATURES contains "tmp2" and +- "tpm-layer" (meta-tpm) is included in BBLAYERS - You can use PACKAGECONFIG for Parsec servic recipe to define -what providers should be built in. For example, - PACKAGECONFIG:pn-parsec-service = "TPM" +You can use PACKAGECONFIG for Parsec servic recipe to define +what providers should be built in. For example: - The default Parsec service config file contains the MbedCrypto provider -enabled. The config file needs to be updated to use the Parsec service -with other providers like TPM or PKCS11. The required procedures are -covered in Parsec documentation. -https://parallaxsecond.github.io/parsec-book/ + PACKAGECONFIG:pn-parsec-service = "TS" + + +The default Parsec service config file is taken from the Parsec repository: +https://github.com/parallaxsecond/parsec/blob/main/config.toml +This config file contains the MbedCrypto provider enabled. +The config needs to be updated to use the Parsec service +with other providers like TPM or PKCS11. The required changes are +covered in Parsec documentation https://parallaxsecond.github.io/parsec-book/ + + PARSEC_CONFIG can be used in a bbappend file to replace the default config. +For example: + +``` +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" +SRC_URI += "file://config-TS.toml \ + " +PARSEC_CONFIG = "${WORKDIR}/config-TS.toml" +``` Updating recipes ================ diff --git a/meta-security/meta-parsec/recipes-parsec/parsec-service/files/systemd.patch b/meta-security/meta-parsec/recipes-parsec/parsec-service/files/systemd.patch index c01ff065c9..25258985a9 100644 --- a/meta-security/meta-parsec/recipes-parsec/parsec-service/files/systemd.patch +++ b/meta-security/meta-parsec/recipes-parsec/parsec-service/files/systemd.patch @@ -4,16 +4,25 @@ Run the Parsec service as parsec user in /var/lib/parsec/ working directory. Signed-off-by: Anton Antonov <Anton.Antonov@arm.com> Upstream-Status: Inappropriate [deployment configuration] ---- a/systemd-daemon/parsec.service 2021-03-28 18:34:18.703196235 +0100 -+++ b/systemd-daemon/parsec.service 2021-03-28 18:35:14.279830299 +0100 -@@ -3,7 +3,9 @@ +diff --git a/systemd-daemon/parsec.service b/systemd-daemon/parsec.service +index c07c3b9..a6fe6a3 100644 +--- a/systemd-daemon/parsec.service ++++ b/systemd-daemon/parsec.service +@@ -3,13 +3,15 @@ Description=Parsec Service Documentation=https://parallaxsecond.github.io/parsec-book/parsec_service/install_parsec_linux.html - + [Service] -WorkingDirectory=/home/parsec/ +User=parsec +Group=parsec +WorkingDirectory=/var/lib/parsec/ ExecStart=/usr/libexec/parsec/parsec --config /etc/parsec/config.toml - - [Install] + # Systemd hardening + ProtectSystem=full + ProtectHome=true + ProtectHostname=true +-ProtectKernelTunables=true ++#ProtectKernelTunables=true + ProtectKernelModules=true + ProtectKernelLogs=true + ProtectControlGroups=true diff --git a/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.8.1.inc b/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.8.1.inc deleted file mode 100644 index fd88e87176..0000000000 --- a/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.8.1.inc +++ /dev/null @@ -1,246 +0,0 @@ -# This file is created from parsec-service repository Cargo.lock using cargo-bitbake tool - -SRC_URI += " \ - crate://crates.io/addr2line/0.15.2 \ - crate://crates.io/adler/1.0.2 \ - crate://crates.io/aho-corasick/0.7.15 \ - crate://crates.io/ansi_term/0.11.0 \ - crate://crates.io/anyhow/1.0.41 \ - crate://crates.io/arrayvec/0.5.2 \ - crate://crates.io/atty/0.2.14 \ - crate://crates.io/autocfg/1.0.1 \ - crate://crates.io/backtrace/0.3.59 \ - crate://crates.io/base64/0.12.3 \ - crate://crates.io/base64/0.13.0 \ - crate://crates.io/bincode/1.3.3 \ - crate://crates.io/bindgen/0.56.0 \ - crate://crates.io/bindgen/0.57.0 \ - crate://crates.io/bitfield/0.13.2 \ - crate://crates.io/bitflags/1.2.1 \ - crate://crates.io/bitvec/0.19.5 \ - crate://crates.io/boringssl-src/0.3.0+688fc5c \ - crate://crates.io/bumpalo/3.7.0 \ - crate://crates.io/bytes/0.5.6 \ - crate://crates.io/bytes/1.0.1 \ - crate://crates.io/cc/1.0.68 \ - crate://crates.io/cexpr/0.4.0 \ - crate://crates.io/cfg-if/1.0.0 \ - crate://crates.io/chrono/0.4.19 \ - crate://crates.io/clang-sys/1.2.0 \ - crate://crates.io/clap/2.33.3 \ - crate://crates.io/cmake/0.1.45 \ - crate://crates.io/const-oid/0.6.0 \ - crate://crates.io/cryptoauthlib-sys/0.2.0 \ - crate://crates.io/cryptoki-sys/0.1.2 \ - crate://crates.io/cryptoki/0.2.0 \ - crate://crates.io/data-encoding/2.3.2 \ - crate://crates.io/der-oid-macro/0.4.0 \ - crate://crates.io/der-parser/5.1.0 \ - crate://crates.io/der/0.4.0 \ - crate://crates.io/derivative/2.2.0 \ - crate://crates.io/either/1.6.1 \ - crate://crates.io/enumflags2/0.6.4 \ - crate://crates.io/enumflags2_derive/0.6.4 \ - crate://crates.io/env_logger/0.8.4 \ - crate://crates.io/failure/0.1.8 \ - crate://crates.io/failure_derive/0.1.8 \ - crate://crates.io/fixedbitset/0.2.0 \ - crate://crates.io/form_urlencoded/1.0.1 \ - crate://crates.io/funty/1.1.0 \ - crate://crates.io/futures-channel/0.3.15 \ - crate://crates.io/futures-core/0.3.15 \ - crate://crates.io/futures-executor/0.3.15 \ - crate://crates.io/futures-io/0.3.15 \ - crate://crates.io/futures-macro/0.3.15 \ - crate://crates.io/futures-sink/0.3.15 \ - crate://crates.io/futures-task/0.3.15 \ - crate://crates.io/futures-util/0.3.15 \ - crate://crates.io/futures/0.3.15 \ - crate://crates.io/generic-array/0.14.4 \ - crate://crates.io/getrandom/0.2.3 \ - crate://crates.io/gimli/0.24.0 \ - crate://crates.io/glob/0.3.0 \ - crate://crates.io/grpcio-compiler/0.7.0 \ - crate://crates.io/grpcio-sys/0.9.0+1.38.0 \ - crate://crates.io/grpcio/0.9.0 \ - crate://crates.io/hamming/0.1.3 \ - crate://crates.io/hashbrown/0.9.1 \ - crate://crates.io/heck/0.3.3 \ - crate://crates.io/hermit-abi/0.1.18 \ - crate://crates.io/hex/0.4.3 \ - crate://crates.io/hostname-validator/1.1.0 \ - crate://crates.io/humantime/2.1.0 \ - crate://crates.io/idna/0.2.3 \ - crate://crates.io/indexmap/1.6.2 \ - crate://crates.io/instant/0.1.9 \ - crate://crates.io/itertools/0.8.2 \ - crate://crates.io/itertools/0.9.0 \ - crate://crates.io/itoa/0.4.7 \ - crate://crates.io/js-sys/0.3.51 \ - crate://crates.io/jsonwebkey/0.3.2 \ - crate://crates.io/jsonwebtoken/7.2.0 \ - crate://crates.io/lazy_static/1.4.0 \ - crate://crates.io/lazycell/1.3.0 \ - crate://crates.io/lexical-core/0.7.6 \ - crate://crates.io/libc/0.2.97 \ - crate://crates.io/libloading/0.7.0 \ - crate://crates.io/libz-sys/1.1.3 \ - crate://crates.io/lock_api/0.4.4 \ - crate://crates.io/log/0.4.14 \ - crate://crates.io/matches/0.1.8 \ - crate://crates.io/mbox/0.5.0 \ - crate://crates.io/memchr/2.3.4 \ - crate://crates.io/miniz_oxide/0.4.4 \ - crate://crates.io/multimap/0.8.3 \ - crate://crates.io/nom/5.1.2 \ - crate://crates.io/nom/6.2.0 \ - crate://crates.io/num-bigint/0.2.6 \ - crate://crates.io/num-bigint/0.3.2 \ - crate://crates.io/num-bigint/0.4.0 \ - crate://crates.io/num-complex/0.3.1 \ - crate://crates.io/num-derive/0.3.3 \ - crate://crates.io/num-integer/0.1.44 \ - crate://crates.io/num-iter/0.1.42 \ - crate://crates.io/num-rational/0.3.2 \ - crate://crates.io/num-traits/0.2.14 \ - crate://crates.io/num/0.3.1 \ - crate://crates.io/num_cpus/1.13.0 \ - crate://crates.io/object/0.24.0 \ - crate://crates.io/oid-registry/0.1.3 \ - crate://crates.io/oid/0.1.1 \ - crate://crates.io/once_cell/1.8.0 \ - crate://crates.io/parking_lot/0.11.1 \ - crate://crates.io/parking_lot_core/0.8.3 \ - crate://crates.io/parsec-interface/0.25.0 \ - crate://crates.io/peeking_take_while/0.1.2 \ - crate://crates.io/pem/0.8.3 \ - crate://crates.io/percent-encoding/2.1.0 \ - crate://crates.io/petgraph/0.5.1 \ - crate://crates.io/picky-asn1-der/0.2.4 \ - crate://crates.io/picky-asn1-x509/0.4.0 \ - crate://crates.io/picky-asn1/0.3.1 \ - crate://crates.io/pin-project-lite/0.2.6 \ - crate://crates.io/pin-utils/0.1.0 \ - crate://crates.io/pkcs8/0.7.0 \ - crate://crates.io/pkg-config/0.3.19 \ - crate://crates.io/ppv-lite86/0.2.10 \ - crate://crates.io/primal-bit/0.3.0 \ - crate://crates.io/primal-check/0.3.1 \ - crate://crates.io/primal-estimate/0.3.1 \ - crate://crates.io/primal-sieve/0.3.1 \ - crate://crates.io/primal/0.3.0 \ - crate://crates.io/proc-macro-error-attr/1.0.4 \ - crate://crates.io/proc-macro-error/1.0.4 \ - crate://crates.io/proc-macro-hack/0.5.19 \ - crate://crates.io/proc-macro-nested/0.1.7 \ - crate://crates.io/proc-macro2/1.0.27 \ - crate://crates.io/prost-build/0.7.0 \ - crate://crates.io/prost-derive/0.6.1 \ - crate://crates.io/prost-derive/0.7.0 \ - crate://crates.io/prost-types/0.7.0 \ - crate://crates.io/prost/0.6.1 \ - crate://crates.io/prost/0.7.0 \ - crate://crates.io/protobuf-codegen/2.24.1 \ - crate://crates.io/protobuf/2.24.1 \ - crate://crates.io/protoc-grpcio/3.0.0 \ - crate://crates.io/protoc/2.24.1 \ - crate://crates.io/psa-crypto-sys/0.9.0 \ - crate://crates.io/psa-crypto/0.9.0 \ - crate://crates.io/quote/1.0.9 \ - crate://crates.io/radium/0.5.3 \ - crate://crates.io/rand/0.8.4 \ - crate://crates.io/rand_chacha/0.3.1 \ - crate://crates.io/rand_core/0.6.3 \ - crate://crates.io/rand_hc/0.3.1 \ - crate://crates.io/redox_syscall/0.2.9 \ - crate://crates.io/regex-syntax/0.6.25 \ - crate://crates.io/regex/1.4.6 \ - crate://crates.io/remove_dir_all/0.5.3 \ - crate://crates.io/ring/0.16.20 \ - crate://crates.io/rust-cryptoauthlib/0.4.0 \ - crate://crates.io/rustc-demangle/0.1.20 \ - crate://crates.io/rustc-hash/1.1.0 \ - crate://crates.io/rustc_version/0.2.3 \ - crate://crates.io/rusticata-macros/3.0.1 \ - crate://crates.io/rustversion/1.0.5 \ - crate://crates.io/ryu/1.0.5 \ - crate://crates.io/same-file/1.0.6 \ - crate://crates.io/scopeguard/1.1.0 \ - crate://crates.io/sd-notify/0.2.0 \ - crate://crates.io/secrecy/0.7.0 \ - crate://crates.io/semver-parser/0.7.0 \ - crate://crates.io/semver/0.9.0 \ - crate://crates.io/serde/1.0.126 \ - crate://crates.io/serde_bytes/0.11.5 \ - crate://crates.io/serde_derive/1.0.126 \ - crate://crates.io/serde_json/1.0.64 \ - crate://crates.io/shlex/0.1.1 \ - crate://crates.io/signal-hook-registry/1.4.0 \ - crate://crates.io/signal-hook/0.3.9 \ - crate://crates.io/simple_asn1/0.4.1 \ - crate://crates.io/simple_asn1/0.5.3 \ - crate://crates.io/slab/0.4.3 \ - crate://crates.io/smallvec/1.6.1 \ - crate://crates.io/spiffe/0.1.1 \ - crate://crates.io/spin/0.5.2 \ - crate://crates.io/spki/0.4.0 \ - crate://crates.io/stable_deref_trait/1.2.0 \ - crate://crates.io/static_assertions/1.1.0 \ - crate://crates.io/strsim/0.8.0 \ - crate://crates.io/structopt-derive/0.4.14 \ - crate://crates.io/structopt/0.3.21 \ - crate://crates.io/strum_macros/0.19.4 \ - crate://crates.io/syn/1.0.73 \ - crate://crates.io/synstructure/0.12.4 \ - crate://crates.io/tap/1.0.1 \ - crate://crates.io/target-lexicon/0.12.0 \ - crate://crates.io/tempfile/3.2.0 \ - crate://crates.io/termcolor/1.1.2 \ - crate://crates.io/textwrap/0.11.0 \ - crate://crates.io/thiserror-impl/1.0.25 \ - crate://crates.io/thiserror/1.0.25 \ - crate://crates.io/threadpool/1.8.1 \ - crate://crates.io/time/0.1.44 \ - crate://crates.io/tinyvec/1.2.0 \ - crate://crates.io/tinyvec_macros/0.1.0 \ - crate://crates.io/toml/0.5.8 \ - crate://crates.io/tss-esapi-sys/0.2.0 \ - crate://crates.io/tss-esapi/7.0.0-alpha.1 \ - crate://crates.io/typenum/1.13.0 \ - crate://crates.io/unicode-bidi/0.3.5 \ - crate://crates.io/unicode-normalization/0.1.19 \ - crate://crates.io/unicode-segmentation/1.7.1 \ - crate://crates.io/unicode-width/0.1.8 \ - crate://crates.io/unicode-xid/0.2.2 \ - crate://crates.io/untrusted/0.7.1 \ - crate://crates.io/url/2.2.2 \ - crate://crates.io/users/0.11.0 \ - crate://crates.io/uuid/0.8.2 \ - crate://crates.io/vcpkg/0.2.15 \ - crate://crates.io/vec_map/0.8.2 \ - crate://crates.io/version/3.0.0 \ - crate://crates.io/version_check/0.9.3 \ - crate://crates.io/walkdir/2.3.2 \ - crate://crates.io/wasi/0.10.0+wasi-snapshot-preview1 \ - crate://crates.io/wasm-bindgen-backend/0.2.74 \ - crate://crates.io/wasm-bindgen-macro-support/0.2.74 \ - crate://crates.io/wasm-bindgen-macro/0.2.74 \ - crate://crates.io/wasm-bindgen-shared/0.2.74 \ - crate://crates.io/wasm-bindgen/0.2.74 \ - crate://crates.io/web-sys/0.3.51 \ - crate://crates.io/which/3.1.1 \ - crate://crates.io/which/4.1.0 \ - crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0 \ - crate://crates.io/winapi-util/0.1.5 \ - crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0 \ - crate://crates.io/winapi/0.3.9 \ - crate://crates.io/wyz/0.2.0 \ - crate://crates.io/x509-parser/0.9.2 \ - crate://crates.io/yasna/0.3.2 \ - crate://crates.io/zeroize/1.3.0 \ - crate://crates.io/zeroize_derive/1.1.0 \ -" - -LIC_FILES_CHKSUM = " \ - file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57 \ -" diff --git a/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.8.1.bb b/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb index 3f12139b7a..d1d6c07ad0 100644 --- a/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.8.1.bb +++ b/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb @@ -2,7 +2,8 @@ SUMMARY = "Platform AbstRaction for SECurity Daemon" HOMEPAGE = "https://github.com/parallaxsecond/parsec" LICENSE = "Apache-2.0" -inherit cargo +inherit cargo pkgconfig +DEPENDS = "clang-native" SRC_URI += "crate://crates.io/parsec-service/${PV} \ file://parsec_init \ @@ -10,14 +11,10 @@ SRC_URI += "crate://crates.io/parsec-service/${PV} \ file://parsec-tmpfiles.conf \ " -DEPENDS = "clang-native" - -PACKAGECONFIG ??= "PKCS11 MBED-CRYPTO CRYPTOAUTHLIB" - +PACKAGECONFIG ??= "PKCS11 MBED-CRYPTO" have_TPM = "${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', 'TPM', '', d)}" PACKAGECONFIG:append = " ${@bb.utils.contains('BBFILE_COLLECTIONS', 'tpm-layer', '${have_TPM}', '', d)}" - PACKAGECONFIG[ALL] = "all-providers cryptoki/generate-bindings tss-esapi/generate-bindings,,tpm2-tss libts,libts" PACKAGECONFIG[TPM] = "tpm-provider tss-esapi/generate-bindings,,tpm2-tss" PACKAGECONFIG[PKCS11] = "pkcs11-provider cryptoki/generate-bindings," @@ -28,7 +25,7 @@ PACKAGECONFIG[TS] = "trusted-service-provider,,libts,libts" PARSEC_FEATURES = "${@d.getVar('PACKAGECONFIG_CONFARGS',True).strip().replace(' ', ',')}" CARGO_BUILD_FLAGS += " --features ${PARSEC_FEATURES}" -inherit pkgconfig systemd +inherit systemd SYSTEMD_SERVICE:${PN} = "parsec.service" inherit update-rc.d @@ -73,6 +70,7 @@ FILES:${PN} += " \ ${sysconfdir}/parsec/config.toml \ ${libexecdir}/parsec/parsec \ ${systemd_unitdir}/system/parsec.service \ + ${localstatedir}/lib/parsec \ ${libdir}/tmpfiles.d/parsec-tmpfiles.conf \ ${sysconfdir}/init.d/parsec \ " diff --git a/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.inc b/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.inc new file mode 100644 index 0000000000..b6934f8147 --- /dev/null +++ b/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.inc @@ -0,0 +1,232 @@ +# This file is created from parsec repository Cargo.lock using cargo-bitbake tool + +SRC_URI += " \ + crate://crates.io/ahash/0.7.6 \ + crate://crates.io/aho-corasick/0.7.18 \ + crate://crates.io/ansi_term/0.12.1 \ + crate://crates.io/anyhow/1.0.56 \ + crate://crates.io/arrayvec/0.5.2 \ + crate://crates.io/atty/0.2.14 \ + crate://crates.io/autocfg/1.1.0 \ + crate://crates.io/base64/0.12.3 \ + crate://crates.io/base64/0.13.0 \ + crate://crates.io/bincode/1.3.3 \ + crate://crates.io/bindgen/0.57.0 \ + crate://crates.io/bindgen/0.59.2 \ + crate://crates.io/bitfield/0.13.2 \ + crate://crates.io/bitflags/1.3.2 \ + crate://crates.io/bitvec/0.19.6 \ + crate://crates.io/bumpalo/3.9.1 \ + crate://crates.io/bytes/1.1.0 \ + crate://crates.io/cc/1.0.73 \ + crate://crates.io/cexpr/0.4.0 \ + crate://crates.io/cexpr/0.6.0 \ + crate://crates.io/cfg-if/1.0.0 \ + crate://crates.io/chrono/0.4.19 \ + crate://crates.io/clang-sys/1.3.1 \ + crate://crates.io/clap/2.34.0 \ + crate://crates.io/cmake/0.1.45 \ + crate://crates.io/const-oid/0.6.2 \ + crate://crates.io/cryptoauthlib-sys/0.2.2 \ + crate://crates.io/cryptoki-sys/0.1.3 \ + crate://crates.io/cryptoki/0.2.1 \ + crate://crates.io/data-encoding/2.3.2 \ + crate://crates.io/der-oid-macro/0.4.0 \ + crate://crates.io/der-parser/5.1.2 \ + crate://crates.io/der/0.4.5 \ + crate://crates.io/derivative/2.2.0 \ + crate://crates.io/either/1.6.1 \ + crate://crates.io/enumflags2/0.7.3 \ + crate://crates.io/enumflags2_derive/0.7.3 \ + crate://crates.io/env_logger/0.8.4 \ + crate://crates.io/env_logger/0.9.0 \ + crate://crates.io/fallible-iterator/0.2.0 \ + crate://crates.io/fallible-streaming-iterator/0.1.9 \ + crate://crates.io/fastrand/1.7.0 \ + crate://crates.io/fixedbitset/0.2.0 \ + crate://crates.io/form_urlencoded/1.0.1 \ + crate://crates.io/funty/1.1.0 \ + crate://crates.io/futures-channel/0.3.21 \ + crate://crates.io/futures-core/0.3.21 \ + crate://crates.io/futures-executor/0.3.21 \ + crate://crates.io/futures-io/0.3.21 \ + crate://crates.io/futures-macro/0.3.21 \ + crate://crates.io/futures-sink/0.3.21 \ + crate://crates.io/futures-task/0.3.21 \ + crate://crates.io/futures-util/0.3.21 \ + crate://crates.io/futures/0.3.21 \ + crate://crates.io/generic-array/0.14.5 \ + crate://crates.io/getrandom/0.2.5 \ + crate://crates.io/glob/0.3.0 \ + crate://crates.io/grpcio-sys/0.9.1+1.38.0 \ + crate://crates.io/grpcio/0.9.1 \ + crate://crates.io/hashbrown/0.11.2 \ + crate://crates.io/hashlink/0.7.0 \ + crate://crates.io/heck/0.3.3 \ + crate://crates.io/hermit-abi/0.1.19 \ + crate://crates.io/hex/0.4.3 \ + crate://crates.io/hostname-validator/1.1.0 \ + crate://crates.io/humantime/2.1.0 \ + crate://crates.io/idna/0.2.3 \ + crate://crates.io/indexmap/1.8.0 \ + crate://crates.io/instant/0.1.12 \ + crate://crates.io/itertools/0.10.3 \ + crate://crates.io/itoa/1.0.1 \ + crate://crates.io/js-sys/0.3.56 \ + crate://crates.io/jsonwebkey/0.3.2 \ + crate://crates.io/jsonwebtoken/7.2.0 \ + crate://crates.io/lazy_static/1.4.0 \ + crate://crates.io/lazycell/1.3.0 \ + crate://crates.io/lexical-core/0.7.6 \ + crate://crates.io/libc/0.2.120 \ + crate://crates.io/libloading/0.7.3 \ + crate://crates.io/libsqlite3-sys/0.23.2 \ + crate://crates.io/libz-sys/1.1.5 \ + crate://crates.io/lock_api/0.4.6 \ + crate://crates.io/log/0.4.14 \ + crate://crates.io/matches/0.1.9 \ + crate://crates.io/mbox/0.6.0 \ + crate://crates.io/memchr/2.4.1 \ + crate://crates.io/minimal-lexical/0.2.1 \ + crate://crates.io/multimap/0.8.3 \ + crate://crates.io/nom/5.1.2 \ + crate://crates.io/nom/6.1.2 \ + crate://crates.io/nom/7.1.1 \ + crate://crates.io/num-bigint/0.2.6 \ + crate://crates.io/num-bigint/0.3.3 \ + crate://crates.io/num-bigint/0.4.3 \ + crate://crates.io/num-complex/0.3.1 \ + crate://crates.io/num-derive/0.3.3 \ + crate://crates.io/num-integer/0.1.44 \ + crate://crates.io/num-iter/0.1.42 \ + crate://crates.io/num-rational/0.3.2 \ + crate://crates.io/num-traits/0.2.14 \ + crate://crates.io/num/0.3.1 \ + crate://crates.io/num_cpus/1.13.1 \ + crate://crates.io/oid-registry/0.1.5 \ + crate://crates.io/oid/0.2.1 \ + crate://crates.io/once_cell/1.10.0 \ + crate://crates.io/parking_lot/0.11.2 \ + crate://crates.io/parking_lot_core/0.8.5 \ + crate://crates.io/parsec-interface/0.26.0 \ + crate://crates.io/peeking_take_while/0.1.2 \ + crate://crates.io/pem/0.8.3 \ + crate://crates.io/percent-encoding/2.1.0 \ + crate://crates.io/pest/2.1.3 \ + crate://crates.io/petgraph/0.5.1 \ + crate://crates.io/picky-asn1-der/0.2.5 \ + crate://crates.io/picky-asn1-x509/0.6.1 \ + crate://crates.io/picky-asn1/0.3.3 \ + crate://crates.io/pin-project-lite/0.2.8 \ + crate://crates.io/pin-utils/0.1.0 \ + crate://crates.io/pkcs8/0.7.6 \ + crate://crates.io/pkg-config/0.3.24 \ + crate://crates.io/ppv-lite86/0.2.16 \ + crate://crates.io/proc-macro-error-attr/1.0.4 \ + crate://crates.io/proc-macro-error/1.0.4 \ + crate://crates.io/proc-macro2/1.0.36 \ + crate://crates.io/prost-build/0.8.0 \ + crate://crates.io/prost-derive/0.8.0 \ + crate://crates.io/prost-types/0.8.0 \ + crate://crates.io/prost/0.8.0 \ + crate://crates.io/protobuf/2.27.1 \ + crate://crates.io/psa-crypto-sys/0.9.2 \ + crate://crates.io/psa-crypto/0.9.1 \ + crate://crates.io/quote/1.0.15 \ + crate://crates.io/radium/0.5.3 \ + crate://crates.io/rand/0.8.5 \ + crate://crates.io/rand_chacha/0.3.1 \ + crate://crates.io/rand_core/0.6.3 \ + crate://crates.io/redox_syscall/0.2.11 \ + crate://crates.io/regex-syntax/0.6.25 \ + crate://crates.io/regex/1.5.5 \ + crate://crates.io/remove_dir_all/0.5.3 \ + crate://crates.io/ring/0.16.20 \ + crate://crates.io/rusqlite/0.26.3 \ + crate://crates.io/rust-cryptoauthlib/0.4.5 \ + crate://crates.io/rustc-hash/1.1.0 \ + crate://crates.io/rustc_version/0.3.3 \ + crate://crates.io/rusticata-macros/3.2.0 \ + crate://crates.io/rustversion/1.0.6 \ + crate://crates.io/ryu/1.0.9 \ + crate://crates.io/same-file/1.0.6 \ + crate://crates.io/scopeguard/1.1.0 \ + crate://crates.io/sd-notify/0.2.0 \ + crate://crates.io/secrecy/0.7.0 \ + crate://crates.io/semver-parser/0.10.2 \ + crate://crates.io/semver/0.11.0 \ + crate://crates.io/serde/1.0.136 \ + crate://crates.io/serde_bytes/0.11.5 \ + crate://crates.io/serde_derive/1.0.136 \ + crate://crates.io/serde_json/1.0.79 \ + crate://crates.io/shlex/0.1.1 \ + crate://crates.io/shlex/1.1.0 \ + crate://crates.io/signal-hook-registry/1.4.0 \ + crate://crates.io/signal-hook/0.3.13 \ + crate://crates.io/simple_asn1/0.4.1 \ + crate://crates.io/simple_asn1/0.5.4 \ + crate://crates.io/slab/0.4.5 \ + crate://crates.io/smallvec/1.8.0 \ + crate://crates.io/spiffe/0.2.0 \ + crate://crates.io/spin/0.5.2 \ + crate://crates.io/spki/0.4.1 \ + crate://crates.io/stable_deref_trait/1.2.0 \ + crate://crates.io/static_assertions/1.1.0 \ + crate://crates.io/strsim/0.8.0 \ + crate://crates.io/structopt-derive/0.4.18 \ + crate://crates.io/structopt/0.3.26 \ + crate://crates.io/strum_macros/0.21.1 \ + crate://crates.io/syn/1.0.88 \ + crate://crates.io/synstructure/0.12.6 \ + crate://crates.io/tap/1.0.1 \ + crate://crates.io/target-lexicon/0.12.3 \ + crate://crates.io/tempfile/3.3.0 \ + crate://crates.io/termcolor/1.1.3 \ + crate://crates.io/textwrap/0.11.0 \ + crate://crates.io/thiserror-impl/1.0.30 \ + crate://crates.io/thiserror/1.0.30 \ + crate://crates.io/threadpool/1.8.1 \ + crate://crates.io/time/0.1.44 \ + crate://crates.io/tinyvec/1.5.1 \ + crate://crates.io/tinyvec_macros/0.1.0 \ + crate://crates.io/toml/0.5.8 \ + crate://crates.io/tss-esapi-sys/0.3.0 \ + crate://crates.io/tss-esapi/7.0.1 \ + crate://crates.io/typenum/1.15.0 \ + crate://crates.io/ucd-trie/0.1.3 \ + crate://crates.io/unicode-bidi/0.3.7 \ + crate://crates.io/unicode-normalization/0.1.19 \ + crate://crates.io/unicode-segmentation/1.9.0 \ + crate://crates.io/unicode-width/0.1.9 \ + crate://crates.io/unicode-xid/0.2.2 \ + crate://crates.io/untrusted/0.7.1 \ + crate://crates.io/url/2.2.2 \ + crate://crates.io/users/0.11.0 \ + crate://crates.io/uuid/0.8.2 \ + crate://crates.io/vcpkg/0.2.15 \ + crate://crates.io/vec_map/0.8.2 \ + crate://crates.io/version/3.0.0 \ + crate://crates.io/version_check/0.9.4 \ + crate://crates.io/walkdir/2.3.2 \ + crate://crates.io/wasi/0.10.0+wasi-snapshot-preview1 \ + crate://crates.io/wasm-bindgen-backend/0.2.79 \ + crate://crates.io/wasm-bindgen-macro-support/0.2.79 \ + crate://crates.io/wasm-bindgen-macro/0.2.79 \ + crate://crates.io/wasm-bindgen-shared/0.2.79 \ + crate://crates.io/wasm-bindgen/0.2.79 \ + crate://crates.io/web-sys/0.3.56 \ + crate://crates.io/which/4.2.4 \ + crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0 \ + crate://crates.io/winapi-util/0.1.5 \ + crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0 \ + crate://crates.io/winapi/0.3.9 \ + crate://crates.io/wyz/0.2.0 \ + crate://crates.io/x509-parser/0.9.2 \ + crate://crates.io/yasna/0.3.2 \ + crate://crates.io/zeroize/1.3.0 \ + crate://crates.io/zeroize_derive/1.3.2 \ +" + +LIC_FILES_CHKSUM = " \ + file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57 \ +" diff --git a/meta-security/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.5.1.bb b/meta-security/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.5.2.bb index 4b053b9ca3..4b053b9ca3 100644 --- a/meta-security/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.5.1.bb +++ b/meta-security/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.5.2.bb diff --git a/meta-security/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.5.1.inc b/meta-security/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.5.2.inc index 567cc378aa..d17ec25d73 100644 --- a/meta-security/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.5.1.inc +++ b/meta-security/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.5.2.inc @@ -1,31 +1,30 @@ # This file is created from parsec-tool repository Cargo.lock using cargo-bitbake tool SRC_URI += " \ - crate://crates.io/aho-corasick/0.7.15 \ - crate://crates.io/ansi_term/0.11.0 \ + crate://crates.io/aho-corasick/0.7.18 \ crate://crates.io/ansi_term/0.12.1 \ - crate://crates.io/anyhow/1.0.44 \ + crate://crates.io/anyhow/1.0.56 \ crate://crates.io/arrayvec/0.5.2 \ crate://crates.io/atty/0.2.14 \ - crate://crates.io/autocfg/1.0.1 \ + crate://crates.io/autocfg/1.1.0 \ crate://crates.io/base64/0.12.3 \ crate://crates.io/base64/0.13.0 \ crate://crates.io/bincode/1.3.3 \ crate://crates.io/bindgen/0.57.0 \ crate://crates.io/bitflags/1.3.2 \ - crate://crates.io/bitvec/0.19.5 \ + crate://crates.io/bitvec/0.19.6 \ crate://crates.io/block-buffer/0.9.0 \ - crate://crates.io/bumpalo/3.7.1 \ + crate://crates.io/bumpalo/3.9.1 \ crate://crates.io/bytes/1.1.0 \ - crate://crates.io/cc/1.0.70 \ + crate://crates.io/cc/1.0.73 \ crate://crates.io/cexpr/0.4.0 \ crate://crates.io/cfg-if/1.0.0 \ crate://crates.io/chrono/0.4.19 \ - crate://crates.io/clang-sys/1.2.2 \ - crate://crates.io/clap/2.33.3 \ - crate://crates.io/clap/3.0.0-beta.4 \ - crate://crates.io/clap_derive/3.0.0-beta.4 \ - crate://crates.io/cmake/0.1.45 \ + crate://crates.io/clang-sys/1.3.1 \ + crate://crates.io/clap/2.34.0 \ + crate://crates.io/clap/3.0.0-beta.5 \ + crate://crates.io/clap_derive/3.0.0-beta.5 \ + crate://crates.io/cmake/0.1.48 \ crate://crates.io/const-oid/0.6.2 \ crate://crates.io/cpufeatures/0.2.1 \ crate://crates.io/data-encoding/2.3.2 \ @@ -38,16 +37,16 @@ SRC_URI += " \ crate://crates.io/env_logger/0.8.4 \ crate://crates.io/form_urlencoded/1.0.1 \ crate://crates.io/funty/1.1.0 \ - crate://crates.io/futures-channel/0.3.17 \ - crate://crates.io/futures-core/0.3.17 \ - crate://crates.io/futures-executor/0.3.17 \ - crate://crates.io/futures-io/0.3.17 \ - crate://crates.io/futures-macro/0.3.17 \ - crate://crates.io/futures-sink/0.3.17 \ - crate://crates.io/futures-task/0.3.17 \ - crate://crates.io/futures-util/0.3.17 \ - crate://crates.io/futures/0.3.17 \ - crate://crates.io/generic-array/0.14.4 \ + crate://crates.io/futures-channel/0.3.21 \ + crate://crates.io/futures-core/0.3.21 \ + crate://crates.io/futures-executor/0.3.21 \ + crate://crates.io/futures-io/0.3.21 \ + crate://crates.io/futures-macro/0.3.21 \ + crate://crates.io/futures-sink/0.3.21 \ + crate://crates.io/futures-task/0.3.21 \ + crate://crates.io/futures-util/0.3.21 \ + crate://crates.io/futures/0.3.21 \ + crate://crates.io/generic-array/0.14.5 \ crate://crates.io/glob/0.3.0 \ crate://crates.io/grpcio-sys/0.9.1+1.38.0 \ crate://crates.io/grpcio/0.9.1 \ @@ -56,28 +55,28 @@ SRC_URI += " \ crate://crates.io/hermit-abi/0.1.19 \ crate://crates.io/humantime/2.1.0 \ crate://crates.io/idna/0.2.3 \ - crate://crates.io/indexmap/1.7.0 \ - crate://crates.io/instant/0.1.11 \ - crate://crates.io/itertools/0.10.1 \ - crate://crates.io/itoa/0.4.8 \ - crate://crates.io/js-sys/0.3.55 \ + crate://crates.io/indexmap/1.8.0 \ + crate://crates.io/instant/0.1.12 \ + crate://crates.io/itertools/0.10.3 \ + crate://crates.io/itoa/1.0.1 \ + crate://crates.io/js-sys/0.3.56 \ crate://crates.io/jsonwebkey/0.3.2 \ crate://crates.io/jsonwebtoken/7.2.0 \ crate://crates.io/lazy_static/1.4.0 \ crate://crates.io/lazycell/1.3.0 \ crate://crates.io/lexical-core/0.7.6 \ - crate://crates.io/libc/0.2.103 \ - crate://crates.io/libloading/0.7.0 \ - crate://crates.io/libz-sys/1.1.3 \ - crate://crates.io/lock_api/0.4.5 \ + crate://crates.io/libc/0.2.120 \ + crate://crates.io/libloading/0.7.3 \ + crate://crates.io/libz-sys/1.1.5 \ + crate://crates.io/lock_api/0.4.6 \ crate://crates.io/log/0.4.14 \ crate://crates.io/matches/0.1.9 \ - crate://crates.io/memchr/2.3.4 \ + crate://crates.io/memchr/2.4.1 \ crate://crates.io/nom/5.1.2 \ - crate://crates.io/nom/6.2.1 \ + crate://crates.io/nom/6.1.2 \ crate://crates.io/num-bigint/0.2.6 \ crate://crates.io/num-bigint/0.3.3 \ - crate://crates.io/num-bigint/0.4.2 \ + crate://crates.io/num-bigint/0.4.3 \ crate://crates.io/num-complex/0.3.1 \ crate://crates.io/num-derive/0.3.3 \ crate://crates.io/num-integer/0.1.44 \ @@ -85,83 +84,84 @@ SRC_URI += " \ crate://crates.io/num-rational/0.3.2 \ crate://crates.io/num-traits/0.2.14 \ crate://crates.io/num/0.3.1 \ + crate://crates.io/num_threads/0.1.5 \ crate://crates.io/oid-registry/0.1.5 \ crate://crates.io/oid/0.2.1 \ - crate://crates.io/once_cell/1.8.0 \ + crate://crates.io/once_cell/1.10.0 \ crate://crates.io/opaque-debug/0.3.0 \ - crate://crates.io/os_str_bytes/3.1.0 \ + crate://crates.io/os_str_bytes/4.1.1 \ crate://crates.io/parking_lot/0.11.2 \ crate://crates.io/parking_lot_core/0.8.5 \ crate://crates.io/parsec-client/0.14.0 \ crate://crates.io/parsec-interface/0.26.0 \ crate://crates.io/peeking_take_while/0.1.2 \ crate://crates.io/pem/0.8.3 \ - crate://crates.io/pem/1.0.1 \ + crate://crates.io/pem/1.0.2 \ crate://crates.io/percent-encoding/2.1.0 \ crate://crates.io/picky-asn1-der/0.2.5 \ crate://crates.io/picky-asn1-x509/0.6.1 \ crate://crates.io/picky-asn1/0.3.3 \ - crate://crates.io/pin-project-lite/0.2.7 \ + crate://crates.io/pin-project-lite/0.2.8 \ crate://crates.io/pin-utils/0.1.0 \ crate://crates.io/pkcs8/0.7.6 \ - crate://crates.io/pkg-config/0.3.20 \ + crate://crates.io/pkg-config/0.3.24 \ crate://crates.io/proc-macro-error-attr/1.0.4 \ crate://crates.io/proc-macro-error/1.0.4 \ - crate://crates.io/proc-macro-hack/0.5.19 \ - crate://crates.io/proc-macro-nested/0.1.7 \ - crate://crates.io/proc-macro2/1.0.29 \ + crate://crates.io/proc-macro2/1.0.36 \ crate://crates.io/prost-derive/0.8.0 \ crate://crates.io/prost/0.8.0 \ - crate://crates.io/protobuf/2.25.1 \ + crate://crates.io/protobuf/2.27.1 \ crate://crates.io/psa-crypto-sys/0.9.2 \ crate://crates.io/psa-crypto/0.9.1 \ - crate://crates.io/quote/1.0.9 \ + crate://crates.io/quote/1.0.15 \ crate://crates.io/radium/0.5.3 \ - crate://crates.io/rcgen/0.8.14 \ - crate://crates.io/redox_syscall/0.2.10 \ + crate://crates.io/rcgen/0.9.2 \ + crate://crates.io/redox_syscall/0.2.11 \ crate://crates.io/regex-syntax/0.6.25 \ - crate://crates.io/regex/1.4.6 \ + crate://crates.io/regex/1.5.5 \ crate://crates.io/ring/0.16.20 \ crate://crates.io/rustc-hash/1.1.0 \ crate://crates.io/rusticata-macros/3.2.0 \ - crate://crates.io/rustversion/1.0.5 \ - crate://crates.io/ryu/1.0.5 \ + crate://crates.io/rustversion/1.0.6 \ + crate://crates.io/ryu/1.0.9 \ crate://crates.io/same-file/1.0.6 \ crate://crates.io/scopeguard/1.1.0 \ crate://crates.io/secrecy/0.7.0 \ - crate://crates.io/serde/1.0.130 \ + crate://crates.io/serde/1.0.136 \ crate://crates.io/serde_bytes/0.11.5 \ - crate://crates.io/serde_derive/1.0.130 \ - crate://crates.io/serde_json/1.0.68 \ + crate://crates.io/serde_derive/1.0.136 \ + crate://crates.io/serde_json/1.0.79 \ crate://crates.io/sha2/0.9.9 \ crate://crates.io/shlex/0.1.1 \ crate://crates.io/simple_asn1/0.4.1 \ crate://crates.io/simple_asn1/0.5.4 \ - crate://crates.io/slab/0.4.4 \ - crate://crates.io/smallvec/1.6.1 \ + crate://crates.io/slab/0.4.5 \ + crate://crates.io/smallvec/1.8.0 \ crate://crates.io/spiffe/0.2.0 \ crate://crates.io/spin/0.5.2 \ crate://crates.io/spki/0.4.1 \ crate://crates.io/static_assertions/1.1.0 \ crate://crates.io/strsim/0.10.0 \ crate://crates.io/strsim/0.8.0 \ - crate://crates.io/structopt-derive/0.4.16 \ - crate://crates.io/structopt/0.3.23 \ - crate://crates.io/syn/1.0.77 \ - crate://crates.io/synstructure/0.12.5 \ + crate://crates.io/structopt-derive/0.4.18 \ + crate://crates.io/structopt/0.3.26 \ + crate://crates.io/syn/1.0.89 \ + crate://crates.io/synstructure/0.12.6 \ crate://crates.io/tap/1.0.1 \ - crate://crates.io/termcolor/1.1.2 \ + crate://crates.io/termcolor/1.1.3 \ crate://crates.io/textwrap/0.11.0 \ crate://crates.io/textwrap/0.14.2 \ - crate://crates.io/thiserror-impl/1.0.29 \ - crate://crates.io/thiserror/1.0.29 \ + crate://crates.io/thiserror-impl/1.0.30 \ + crate://crates.io/thiserror/1.0.30 \ crate://crates.io/time/0.1.44 \ - crate://crates.io/tinyvec/1.5.0 \ + crate://crates.io/time/0.3.7 \ + crate://crates.io/tinyvec/1.5.1 \ crate://crates.io/tinyvec_macros/0.1.0 \ - crate://crates.io/typenum/1.14.0 \ - crate://crates.io/unicode-bidi/0.3.6 \ + crate://crates.io/typenum/1.15.0 \ + crate://crates.io/unicase/2.6.0 \ + crate://crates.io/unicode-bidi/0.3.7 \ crate://crates.io/unicode-normalization/0.1.19 \ - crate://crates.io/unicode-segmentation/1.8.0 \ + crate://crates.io/unicode-segmentation/1.9.0 \ crate://crates.io/unicode-width/0.1.9 \ crate://crates.io/unicode-xid/0.2.2 \ crate://crates.io/untrusted/0.7.1 \ @@ -170,15 +170,15 @@ SRC_URI += " \ crate://crates.io/uuid/0.8.2 \ crate://crates.io/vcpkg/0.2.15 \ crate://crates.io/vec_map/0.8.2 \ - crate://crates.io/version_check/0.9.3 \ + crate://crates.io/version_check/0.9.4 \ crate://crates.io/walkdir/2.3.2 \ crate://crates.io/wasi/0.10.0+wasi-snapshot-preview1 \ - crate://crates.io/wasm-bindgen-backend/0.2.78 \ - crate://crates.io/wasm-bindgen-macro-support/0.2.78 \ - crate://crates.io/wasm-bindgen-macro/0.2.78 \ - crate://crates.io/wasm-bindgen-shared/0.2.78 \ - crate://crates.io/wasm-bindgen/0.2.78 \ - crate://crates.io/web-sys/0.3.55 \ + crate://crates.io/wasm-bindgen-backend/0.2.79 \ + crate://crates.io/wasm-bindgen-macro-support/0.2.79 \ + crate://crates.io/wasm-bindgen-macro/0.2.79 \ + crate://crates.io/wasm-bindgen-shared/0.2.79 \ + crate://crates.io/wasm-bindgen/0.2.79 \ + crate://crates.io/web-sys/0.3.56 \ crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0 \ crate://crates.io/winapi-util/0.1.5 \ crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0 \ @@ -186,9 +186,9 @@ SRC_URI += " \ crate://crates.io/wyz/0.2.0 \ crate://crates.io/x509-parser/0.9.2 \ crate://crates.io/yasna/0.3.2 \ - crate://crates.io/yasna/0.4.0 \ + crate://crates.io/yasna/0.5.0 \ crate://crates.io/zeroize/1.3.0 \ - crate://crates.io/zeroize_derive/1.2.0 \ + crate://crates.io/zeroize_derive/1.3.2 \ " LIC_FILES_CHKSUM = " \ diff --git a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.0.bb b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.0.bb index 947c27e365..f665e29ed4 100644 --- a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.0.bb +++ b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.0.bb @@ -3,7 +3,7 @@ SUMMARY = "Lynis is a free and open source security and auditing tool." HOMEDIR = "https://cisofy.com/" -LICENSE = "GPL-3.0" +LICENSE = "GPL-3.0-only" LIC_FILES_CHKSUM = "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1" SRC_URI = "https://cisofy.com/files/${BPN}-${PV}.tar.gz" diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc index c236641746..4babcf946a 100644 --- a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc +++ b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc @@ -4,7 +4,7 @@ SUMARRY = "NIST Certified SCAP 1.2 toolkit" HOME_URL = "https://www.open-scap.org/tools/openscap-base/" LIC_FILES_CHKSUM = "file://COPYING;md5=fbc093901857fcd118f065f900982c24" -LICENSE = "LGPL-2.1" +LICENSE = "LGPL-2.1-only" DEPENDS = "dbus acl bzip2 pkgconfig gconf procps curl libxml2 libxslt libcap swig" DEPENDS:class-native = "pkgconfig-native swig-native curl-native libxml2-native libxslt-native libcap-native" diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc index 0c651f16fe..6f29eda791 100644 --- a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc +++ b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc @@ -4,7 +4,7 @@ SUMARRY = "SCAP content for various platforms" HOME_URL = "https://www.open-scap.org/security-policies/scap-security-guide/" LIC_FILES_CHKSUM = "file://LICENSE;md5=97662e4486d9a1d09f358851d9f41a1a" -LICENSE = "LGPL-2.1" +LICENSE = "LGPL-2.1-only" DEPENDS = "openscap-native python3 python3-pyyaml-native python3-jinja2-native libxml2-native expat-native" diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb index 2b969edd44..e3e643e005 100644 --- a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb +++ b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb @@ -2,7 +2,7 @@ DESCRIPTION = "OpenSSL secure engine based on TPM hardware" HOMEPAGE = "https://github.com/mgerstner/openssl_tpm_engine" SECTION = "security/tpm" -LICENSE = "openssl" +LICENSE = "OpenSSL" LIC_FILES_CHKSUM = "file://LICENSE;md5=11f0ee3af475c85b907426e285c9bb52" DEPENDS += "openssl trousers" diff --git a/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb b/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb index 77f65aefd6..45da416a78 100644 --- a/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb +++ b/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb @@ -1,7 +1,7 @@ SUMMARY = "Command line utility to extend hash of arbitrary data into a TPMs PCR." HOMEPAGE = "https://github.com/flihp/pcr-extend" SECTION = "security/tpm" -LICENSE = "GPLv2" +LICENSE = "GPL-2.0-only" LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" DEPENDS = "libtspi" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.4.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.4.1.bb index 18181712cd..daafae33cb 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.4.0.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.4.1.bb @@ -13,14 +13,12 @@ DEPENDS = "autoconf-archive dbus glib-2.0 tpm2-tss glib-2.0-native \ libtss2 libtss2-mu libtss2-tcti-device libtss2-tcti-mssim" SRC_URI = "\ - git://github.com/tpm2-software/tpm2-abrmd.git;branch=master;protocol=https \ + https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz \ file://tpm2-abrmd-init.sh \ file://tpm2-abrmd.default \ " -SRCREV = "4f332013a02c422e186c4aaf127ab6a40b996028" - -S = "${WORKDIR}/git" +SRC_URI[sha256sum] = "a7844a257eaf5176f612fe9620018edc0880cca7036465ad2593f83ae0ad6673" inherit autotools pkgconfig systemd update-rc.d useradd diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.0.bb deleted file mode 100644 index f6a694ce7a..0000000000 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.0.bb +++ /dev/null @@ -1,11 +0,0 @@ -SUMMARY = "Provider for integration of TPM 2.0 to OpenSSL 3.0" -LICENSE = "BSD-3-Clause" -LIC_FILES_CHKSUM = "file://LICENSE;md5=b75785ac083d3c3ca04d99d9e4e1fbab" - -SRC_URI = "git://github.com/tpm2-software/tpm2-openssl.git;protocol=https;branch=master" - -SRCREV = "66e34f9e45c3697590cced1e4d3f35993a822f8b" - -S = "${WORKDIR}/git" - -inherit pkgconfig diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.1.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.1.0.bb new file mode 100644 index 0000000000..55061c9103 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.1.0.bb @@ -0,0 +1,19 @@ +SUMMARY = "Provider for integration of TPM 2.0 to OpenSSL 3.0" +LICENSE = "BSD-3-Clause" +LIC_FILES_CHKSUM = "file://LICENSE;md5=b75785ac083d3c3ca04d99d9e4e1fbab" + +DEPENDS = "autoconf-archive-native tpm2-tss openssl" + +SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz" + +SRC_URI[sha256sum] = "eedcc0b72ad6d232e6f9f55a780290c4d33a4d06efca9314f8a36d7384eb1dfc" + +inherit autotools pkgconfig + +do_configure:prepend() { + # do not extract the version number from git + sed -i -e 's/m4_esyscmd_s(\[git describe --tags --always --dirty\])/${PV}/' ${S}/configure.ac +} + +FILES:${PN} = "\ + ${libdir}/ossl-modules/tpm2.so" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-remove-local-binary-checkes.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-remove-local-binary-checkes.patch deleted file mode 100644 index 9d3f073e0a..0000000000 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-remove-local-binary-checkes.patch +++ /dev/null @@ -1,77 +0,0 @@ -From 9e3ef6f253f9427596baf3e7d748a79854cadfa9 Mon Sep 17 00:00:00 2001 -From: Armin Kuster <akuster808@gmail.com> -Date: Wed, 14 Oct 2020 08:55:33 -0700 -Subject: [PATCH] remove local binary checkes - -Signed-off-by: Armin Kuster <akuster808@gmail.com> - -Upsteam-Status: Inappropriate -These are only needed to run on the tartget so we add an RDPENDS. -Not needed for building. - ---- - configure.ac | 48 ------------------------------------------------ - 1 file changed, 48 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 50e7d4b..2b9abcf 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -219,54 +219,6 @@ AX_PROG_JAVAC() - AX_PROG_JAVA() - m4_popdef([AC_MSG_ERROR]) - --AC_CHECK_PROG([tpm2_createprimary], [tpm2_createprimary], [yes], [no]) -- AS_IF([test "x$tpm2_createprimary" != "xyes"], -- [AC_MSG_ERROR([tpm2_ptool requires tpm2_createprimary, but executable not found.])]) -- --AC_CHECK_PROG([tpm2_create], [tpm2_create], [yes], [no]) -- AS_IF([test "x$tpm2_create" != "xyes"], -- [AC_MSG_ERROR([tpm2_ptool requires tpm2_create, but executable not found.])]) -- --AC_CHECK_PROG([tpm2_evictcontrol], [tpm2_evictcontrol], [yes], [no]) -- AS_IF([test "x$tpm2_evictcontrol" != "xyes"], -- [AC_MSG_ERROR([tpm2_ptool requires tpm2_evictcontrol, but executable not found.])]) -- --AC_CHECK_PROG([tpm2_readpublic], [tpm2_readpublic], [yes], [no]) -- AS_IF([test "x$tpm2_readpublic" != "xyes"], -- [AC_MSG_ERROR([tpm2_ptool requires tpm2_readpublic, but executable not found.])]) -- --AC_CHECK_PROG([tpm2_load], [tpm2_load], [yes], [no]) -- AS_IF([test "x$tpm2_load" != "xyes"], -- [AC_MSG_ERROR([tpm2_ptool requires tpm2_load, but executable not found.])]) -- --AC_CHECK_PROG([tpm2_loadexternal], [tpm2_loadexternal], [yes], [no]) -- AS_IF([test "x$tpm2_loadexternal" != "xyes"], -- [AC_MSG_ERROR([tpm2_ptool requires tpm2_loadexternal, but executable not found.])]) -- --AC_CHECK_PROG([tpm2_unseal], [tpm2_unseal], [yes], [no]) -- AS_IF([test "x$tpm2_unseal" != "xyes"], -- [AC_MSG_ERROR([tpm2_ptool requires tpm2_unseal, but executable not found.])]) -- --AC_CHECK_PROG([tpm2_encryptdecrypt], [tpm2_encryptdecrypt], [yes], [no]) -- AS_IF([test "x$tpm2_encryptdecrypt" != "xyes"], -- [AC_MSG_ERROR([tpm2_ptool requires tpm2_encryptdecrypt, but executable not found.])]) -- --AC_CHECK_PROG([tpm2_sign], [tpm2_sign], [yes], [no]) -- AS_IF([test "x$tpm2_sign" != "xyes"], -- [AC_MSG_ERROR([tpm2_ptool requires tpm2_sign, but executable not found.])]) -- --AC_CHECK_PROG([tpm2_getcap], [tpm2_getcap], [yes], [no]) -- AS_IF([test "x$tpm2_getcap" != "xyes"], -- [AC_MSG_ERROR([tpm2_ptool requires tpm2_getcap, but executable not found.])]) -- --AC_CHECK_PROG([tpm2_import], [tpm2_import], [yes], [no]) -- AS_IF([test "x$tpm2_import" != "xyes"], -- [AC_MSG_ERROR([tpm2_ptool requires tpm2_import, but executable not found.])]) -- --AC_CHECK_PROG([tpm2_changeauth], [tpm2_changeauth], [yes], [no]) -- AS_IF([test "x$tpm2_changeauth" != "xyes"], -- [AC_MSG_ERROR([tpm2_ptool requires tpm2_changeauth, but executable not found.])]) -- - AC_DEFUN([integration_test_checks], [ - - PKG_CHECK_MODULES([OPENSC_PKCS11],[opensc-pkcs11],, --- -2.17.1 - diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-ssl-compile-against-OSSL-3.0.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-ssl-compile-against-OSSL-3.0.patch deleted file mode 100644 index ac2f92c90e..0000000000 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-ssl-compile-against-OSSL-3.0.patch +++ /dev/null @@ -1,1305 +0,0 @@ -From f7a2e90e80fd8b4c43042f8099e821b4118234d1 Mon Sep 17 00:00:00 2001 -From: William Roberts <william.c.roberts@intel.com> -Date: Fri, 3 Sep 2021 11:24:40 -0500 -Subject: [PATCH 1/2] ssl: compile against OSSL 3.0 - -Compile against OpenSSL. This moves functions non-deprecated things if -possible and ignores deprecation warnings when not. Padding manipulation -routines seem to have been marked deprecated in OSSL 3.0, so we need to -figure out a porting strategy here. - -Fixes: #686 - -Signed-off-by: William Roberts <william.c.roberts@intel.com> - -Upstream-Status: Backport -Signed-off-by: Armin Kuster <akuster808@gmail.com> - ---- - src/lib/backend_esysdb.c | 5 +- - src/lib/backend_fapi.c | 5 +- - src/lib/encrypt.c | 2 +- - src/lib/mech.c | 72 +--- - src/lib/object.c | 3 +- - src/lib/sign.c | 2 +- - src/lib/ssl_util.c | 531 ++++++++++++++++-------- - src/lib/ssl_util.h | 31 +- - src/lib/tpm.c | 6 +- - src/lib/utils.c | 35 +- - src/lib/utils.h | 13 - - test/integration/pkcs-sign-verify.int.c | 94 ++--- - 12 files changed, 441 insertions(+), 358 deletions(-) - -Index: git/src/lib/backend_esysdb.c -=================================================================== ---- git.orig/src/lib/backend_esysdb.c -+++ git/src/lib/backend_esysdb.c -@@ -3,6 +3,7 @@ - #include "config.h" - #include "backend_esysdb.h" - #include "db.h" -+#include "ssl_util.h" - #include "tpm.h" - - CK_RV backend_esysdb_init(void) { -@@ -308,7 +309,7 @@ CK_RV backend_esysdb_token_unseal_wrappi - } - - twist sealsalt = user ? sealobj->userauthsalt : sealobj->soauthsalt; -- twist sealobjauth = utils_hash_pass(tpin, sealsalt); -+ twist sealobjauth = ssl_util_hash_pass(tpin, sealsalt); - if (!sealobjauth) { - rv = CKR_HOST_MEMORY; - goto error; -@@ -372,7 +373,7 @@ CK_RV backend_esysdb_token_changeauth(to - */ - twist oldsalt = !user ? tok->esysdb.sealobject.soauthsalt : tok->esysdb.sealobject.userauthsalt; - -- twist oldauth = utils_hash_pass(toldpin, oldsalt); -+ twist oldauth = ssl_util_hash_pass(toldpin, oldsalt); - if (!oldauth) { - goto out; - } -Index: git/src/lib/backend_fapi.c -=================================================================== ---- git.orig/src/lib/backend_fapi.c -+++ git/src/lib/backend_fapi.c -@@ -11,6 +11,7 @@ - #include "backend_fapi.h" - #include "emitter.h" - #include "parser.h" -+#include "ssl_util.h" - #include "utils.h" - - #ifdef HAVE_FAPI -@@ -793,7 +794,7 @@ CK_RV backend_fapi_token_unseal_wrapping - } - - twist sealsalt = user ? tok->fapi.userauthsalt : tok->fapi.soauthsalt; -- twist sealobjauth = utils_hash_pass(tpin, sealsalt); -+ twist sealobjauth = ssl_util_hash_pass(tpin, sealsalt); - if (!sealobjauth) { - rv = CKR_HOST_MEMORY; - goto error; -@@ -889,7 +890,7 @@ CK_RV backend_fapi_token_changeauth(toke - } - rv = CKR_GENERAL_ERROR; - -- oldauth = utils_hash_pass(toldpin, user ? tok->fapi.userauthsalt : tok->fapi.soauthsalt); -+ oldauth = ssl_util_hash_pass(toldpin, user ? tok->fapi.userauthsalt : tok->fapi.soauthsalt); - if (!oldauth) { - goto out; - } -Index: git/src/lib/encrypt.c -=================================================================== ---- git.orig/src/lib/encrypt.c -+++ git/src/lib/encrypt.c -@@ -59,7 +59,7 @@ void encrypt_op_data_free(encrypt_op_dat - CK_RV sw_encrypt_data_init(mdetail *mdtl, CK_MECHANISM *mechanism, tobject *tobj, sw_encrypt_data **enc_data) { - - EVP_PKEY *pkey = NULL; -- CK_RV rv = ssl_util_tobject_to_evp(&pkey, tobj); -+ CK_RV rv = ssl_util_attrs_to_evp(tobj->attrs, &pkey); - if (rv != CKR_OK) { - return rv; - } -Index: git/src/lib/mech.c -=================================================================== ---- git.orig/src/lib/mech.c -+++ git/src/lib/mech.c -@@ -693,7 +693,7 @@ CK_RV ecc_keygen_validator(mdetail *m, C - } - - int nid = 0; -- CK_RV rv = ec_params_to_nid(a, &nid); -+ CK_RV rv = ssl_util_params_to_nid(a, &nid); - if (rv != CKR_OK) { - return rv; - } -@@ -857,11 +857,11 @@ CK_RV rsa_pkcs_synthesizer(mdetail *mdtl - } - - /* Apply the PKCS1.5 padding */ -- int rc = RSA_padding_add_PKCS1_type_1(outbuf, padded_len, -- inbuf, inlen); -- if (!rc) { -+ CK_RV rv = ssl_util_add_PKCS1_TYPE_1(inbuf, inlen, -+ outbuf, padded_len); -+ if (rv != CKR_OK) { - LOGE("Applying RSA padding failed"); -- return CKR_GENERAL_ERROR; -+ return rv; - } - - *outlen = padded_len; -@@ -893,22 +893,21 @@ CK_RV rsa_pkcs_unsynthesizer(mdetail *md - size_t key_bytes = *keybits / 8; - - unsigned char buf[4096]; -- int rc = RSA_padding_check_PKCS1_type_2(buf, sizeof(buf), -- inbuf, inlen, -- key_bytes); -- if (rc < 0) { -+ CK_ULONG buflen = sizeof(buf); -+ CK_RV rv = ssl_util_check_PKCS1_TYPE_2(inbuf, inlen, key_bytes, -+ buf, &buflen); -+ if (rv != CKR_OK) { - LOGE("Could not recover CKM_RSA_PKCS Padding"); -- return CKR_GENERAL_ERROR; -+ return rv; - } - -- /* cannot be < 0 because of check above */ -- if (!outbuf || (unsigned)rc > *outlen) { -- *outlen = rc; -+ if (!outbuf || buflen > *outlen) { -+ *outlen = buflen; - return outbuf ? CKR_BUFFER_TOO_SMALL : CKR_OK; - } - -- *outlen = rc; -- memcpy(outbuf, buf, rc); -+ *outlen = buflen; -+ memcpy(outbuf, buf, buflen); - - return CKR_OK; - } -@@ -944,50 +943,21 @@ CK_RV rsa_pss_synthesizer(mdetail *mdtl, - return CKR_GENERAL_ERROR; - } - -- CK_ATTRIBUTE_PTR exp_attr = attr_get_attribute_by_type(attrs, CKA_PUBLIC_EXPONENT); -- if (!exp_attr) { -- LOGE("Signing key has no CKA_PUBLIC_EXPONENT"); -- return CKR_GENERAL_ERROR; -- } -- - if (modulus_attr->ulValueLen > *outlen) { - LOGE("Output buffer is too small, got: %lu, required at least %lu", - *outlen, modulus_attr->ulValueLen); - return CKR_GENERAL_ERROR; - } - -- BIGNUM *e = BN_bin2bn(exp_attr->pValue, exp_attr->ulValueLen, NULL); -- if (!e) { -- LOGE("Could not convert exponent to bignum"); -- return CKR_GENERAL_ERROR; -- } -- -- BIGNUM *n = BN_bin2bn(modulus_attr->pValue, modulus_attr->ulValueLen, NULL); -- if (!n) { -- LOGE("Could not convert modulus to bignum"); -- BN_free(e); -- return CKR_GENERAL_ERROR; -- } -- -- RSA *rsa = RSA_new(); -- if (!rsa) { -- LOGE("oom"); -- return CKR_HOST_MEMORY; -- } -- -- int rc = RSA_set0_key(rsa, n, e, NULL); -- if (!rc) { -- LOGE("Could not set modulus and exponent to OSSL RSA key"); -- BN_free(n); -- BN_free(e); -- RSA_free(rsa); -- return CKR_GENERAL_ERROR; -+ EVP_PKEY *pkey = NULL; -+ rv = ssl_util_attrs_to_evp(attrs, &pkey); -+ if (rv != CKR_OK) { -+ return rv; - } - -- rc = RSA_padding_add_PKCS1_PSS(rsa, outbuf, -- inbuf, md, -1); -- RSA_free(rsa); -- if (!rc) { -+ rv = ssl_util_add_PKCS1_PSS(pkey, inbuf, md, outbuf); -+ EVP_PKEY_free(pkey); -+ if (rv != CKR_OK) { - LOGE("Applying RSA padding failed"); - return CKR_GENERAL_ERROR; - } -Index: git/src/lib/object.c -=================================================================== ---- git.orig/src/lib/object.c -+++ git/src/lib/object.c -@@ -15,6 +15,7 @@ - #include "object.h" - #include "pkcs11.h" - #include "session_ctx.h" -+#include "ssl_util.h" - #include "token.h" - #include "utils.h" - -@@ -121,7 +122,7 @@ CK_RV tobject_get_min_buf_size(tobject * - } - - int nid = 0; -- CK_RV rv = ec_params_to_nid(a, &nid); -+ CK_RV rv = ssl_util_params_to_nid(a, &nid); - if (rv != CKR_OK) { - return rv; - } -Index: git/src/lib/sign.c -=================================================================== ---- git.orig/src/lib/sign.c -+++ git/src/lib/sign.c -@@ -74,7 +74,7 @@ static sign_opdata *sign_opdata_new(mdet - } - - EVP_PKEY *pkey = NULL; -- rv = ssl_util_tobject_to_evp(&pkey, tobj); -+ rv = ssl_util_attrs_to_evp(tobj->attrs, &pkey); - if (rv != CKR_OK) { - return NULL; - } -Index: git/src/lib/ssl_util.c -=================================================================== ---- git.orig/src/lib/ssl_util.c -+++ git/src/lib/ssl_util.c -@@ -10,6 +10,7 @@ - #include <openssl/rsa.h> - #include <openssl/sha.h> - -+#include "attrs.h" - #include "log.h" - #include "pkcs11.h" - #include "ssl_util.h" -@@ -19,194 +20,228 @@ - #include <openssl/evperr.h> - #endif - --#if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11) -+#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST300) -+#include <openssl/core_names.h> -+#endif - - /* -- * Pre openssl 1.1 doesn't have EC_POINT_point2buf, so use EC_POINT_point2oct to -- * create an API compatible version of it. -+ * TODO Port these routines -+ * Deprecated function block to port -+ * -+ * There are no padding routine replacements in OSSL 3.0. -+ * - per Matt Caswell (maintainer) on mailing list. -+ * Signature verification can likely be done with EVP Verify interface. - */ --size_t EC_POINT_point2buf(const EC_GROUP *group, const EC_POINT *point, -- point_conversion_form_t form, -- unsigned char **pbuf, BN_CTX *ctx) { -- -- /* Get the required buffer length */ -- size_t len = EC_POINT_point2oct(group, point, form, NULL, 0, NULL); -- if (!len) { -- return 0; -- } -+#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST300) -+#pragma GCC diagnostic push -+#pragma GCC diagnostic ignored "-Wdeprecated-declarations" -+#endif - -- /* allocate it */ -- unsigned char *buf = OPENSSL_malloc(len); -- if (!buf) { -- return 0; -- } -+CK_RV ssl_util_add_PKCS1_PSS(EVP_PKEY *pkey, -+ const CK_BYTE_PTR inbuf, const EVP_MD *md, -+ CK_BYTE_PTR outbuf) { - -- /* convert it */ -- len = EC_POINT_point2oct(group, point, form, buf, len, ctx); -- if (!len) { -- OPENSSL_free(buf); -- return 0; -+ RSA *rsa = (RSA *)EVP_PKEY_get0_RSA(pkey); -+ if (!rsa) { -+ return CKR_GENERAL_ERROR; - } - -- *pbuf = buf; -- return len; --} -+ int rc = RSA_padding_add_PKCS1_PSS(rsa, outbuf, -+ inbuf, md, -1); - --size_t OBJ_length(const ASN1_OBJECT *obj) { -+ return rc == 1 ? CKR_OK : CKR_GENERAL_ERROR; -+} - -- if (!obj) { -- return 0; -- } -+CK_RV ssl_util_add_PKCS1_TYPE_1(const CK_BYTE_PTR inbuf, CK_ULONG inlen, -+ CK_BYTE_PTR outbuf, CK_ULONG outbuflen) { - -- return obj->length; -+ return RSA_padding_add_PKCS1_type_1(outbuf, outbuflen, -+ inbuf, inlen) == 1 ? CKR_OK : CKR_GENERAL_ERROR; - } - --const unsigned char *OBJ_get0_data(const ASN1_OBJECT *obj) { -+CK_RV ssl_util_check_PKCS1_TYPE_2(const CK_BYTE_PTR inbuf, CK_ULONG inlen, CK_ULONG rsa_len, -+ CK_BYTE_PTR outbuf, CK_ULONG_PTR outbuflen) { - -- if (!obj) { -- return NULL; -+ int rc = RSA_padding_check_PKCS1_type_2(outbuf, *outbuflen, -+ inbuf, inlen, rsa_len); -+ if (rc < 0) { -+ return CKR_GENERAL_ERROR; - } - -- return obj->data; -+ /* cannot be negative due to check above */ -+ *outbuflen = rc; -+ return CKR_OK; - } - --const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x) { -- return ASN1_STRING_data((ASN1_STRING *)x); --} -+#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST300) -+#pragma GCC diagnostic pop -+#endif - --int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) { -+#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST300) - -- if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL)) { -- return 0; -- } -+static CK_RV get_RSA_evp_pubkey(CK_ATTRIBUTE_PTR e_attr, CK_ATTRIBUTE_PTR n_attr, EVP_PKEY **out_pkey) { -+ -+ OSSL_PARAM params[] = { -+ OSSL_PARAM_BN("n", n_attr->pValue, n_attr->ulValueLen), -+ OSSL_PARAM_BN("e", e_attr->pValue, e_attr->ulValueLen), -+ OSSL_PARAM_END -+ }; - -- if (n != NULL) { -- BN_free(r->n); -- r->n = n; -+ /* convert params to EVP key */ -+ EVP_PKEY_CTX *evp_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL); -+ if (!evp_ctx) { -+ SSL_UTIL_LOGE("EVP_PKEY_CTX_new_id"); -+ return CKR_GENERAL_ERROR; - } - -- if (e != NULL) { -- BN_free(r->e); -- r->e = e; -+ int rc = EVP_PKEY_fromdata_init(evp_ctx); -+ if (rc != 1) { -+ SSL_UTIL_LOGE("EVP_PKEY_fromdata_init"); -+ EVP_PKEY_CTX_free(evp_ctx); -+ return CKR_GENERAL_ERROR; - } - -- if (d != NULL) { -- BN_free(r->d); -- r->d = d; -+ rc = EVP_PKEY_fromdata(evp_ctx, out_pkey, EVP_PKEY_PUBLIC_KEY, params); -+ if (rc != 1) { -+ SSL_UTIL_LOGE("EVP_PKEY_fromdata"); -+ EVP_PKEY_CTX_free(evp_ctx); -+ return CKR_GENERAL_ERROR; - } - -- return 1; -+ EVP_PKEY_CTX_free(evp_ctx); -+ -+ return CKR_OK; - } - --int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) { -+static CK_RV get_EC_evp_pubkey(CK_ATTRIBUTE_PTR ecparams, CK_ATTRIBUTE_PTR ecpoint, EVP_PKEY **out_pkey) { -+ -+ /* -+ * The simplest way I have found to deal with this is to convert the ASN1 object in -+ * the ecparams attribute (was done previously with d2i_ECParameters) is to a nid and -+ * then take the int nid and convert it to a friendly name like prime256v1. -+ * EVP_PKEY_fromdata can handle group by name. -+ * -+ * Per the spec this is "DER-encoding of an ANSI X9.62 Parameters value". -+ */ -+ int curve_id = 0; -+ CK_RV rv = ssl_util_params_to_nid(ecparams, &curve_id); -+ if (rv != CKR_OK) { -+ LOGE("Could not get nid from params"); -+ return rv; -+ } - -- if (!r || !s) { -- return 0; -+ /* Per the spec CKA_EC_POINT attribute is the "DER-encoding of ANSI X9.62 ECPoint value Q */ -+ const unsigned char *x = ecpoint->pValue; -+ ASN1_OCTET_STRING *os = d2i_ASN1_OCTET_STRING(NULL, &x, ecpoint->ulValueLen); -+ if (!os) { -+ SSL_UTIL_LOGE("d2i_ASN1_OCTET_STRING: %s"); -+ return CKR_GENERAL_ERROR; - } - -- BN_free(sig->r); -- BN_free(sig->s); -+ OSSL_PARAM params[] = { -+ OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, (char *)OBJ_nid2sn(curve_id), 0), -+ OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PUB_KEY, os->data, os->length), -+ OSSL_PARAM_END -+ }; - -- sig->r = r; -- sig->s = s; -+ /* convert params to EVP key */ -+ EVP_PKEY_CTX *evp_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL); -+ if (!evp_ctx) { -+ SSL_UTIL_LOGE("EVP_PKEY_CTX_new_id"); -+ OPENSSL_free(os); -+ return CKR_GENERAL_ERROR; -+ } - -- return 1; --} -+ int rc = EVP_PKEY_fromdata_init(evp_ctx); -+ if (rc != 1) { -+ SSL_UTIL_LOGE("EVP_PKEY_fromdata_init: %s"); -+ EVP_PKEY_CTX_free(evp_ctx); -+ OPENSSL_free(os); -+ return CKR_GENERAL_ERROR; -+ } - --EC_KEY *EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey) { -- if (pkey->type != EVP_PKEY_EC) { -- return NULL; -+ rc = EVP_PKEY_fromdata(evp_ctx, out_pkey, EVP_PKEY_PUBLIC_KEY, params); -+ if (rc != 1) { -+ SSL_UTIL_LOGE("EVP_PKEY_fromdata"); -+ EVP_PKEY_CTX_free(evp_ctx); -+ OPENSSL_free(os); -+ return CKR_GENERAL_ERROR; - } - -- return pkey->pkey.ec; -+ EVP_PKEY_CTX_free(evp_ctx); -+ OPENSSL_free(os); -+ -+ return CKR_OK; - } --#endif - --static CK_RV convert_pubkey_RSA(RSA **outkey, attr_list *attrs) { -+#else - -- RSA *rsa = NULL; -- BIGNUM *e = NULL, *n = NULL; -+static CK_RV get_RSA_evp_pubkey(CK_ATTRIBUTE_PTR e_attr, CK_ATTRIBUTE_PTR n_attr, EVP_PKEY **out_pkey) { - -- CK_ATTRIBUTE_PTR exp = attr_get_attribute_by_type(attrs, CKA_PUBLIC_EXPONENT); -- if (!exp) { -- LOGE("RSA Object must have attribute CKA_PUBLIC_EXPONENT"); -+ BIGNUM *e = BN_bin2bn(e_attr->pValue, e_attr->ulValueLen, NULL); -+ if (!e) { -+ LOGE("Could not convert exponent to bignum"); - return CKR_GENERAL_ERROR; - } - -- CK_ATTRIBUTE_PTR mod = attr_get_attribute_by_type(attrs, CKA_MODULUS); -- if (!mod) { -- LOGE("RSA Object must have attribute CKA_MODULUS"); -+ BIGNUM *n = BN_bin2bn(n_attr->pValue, n_attr->ulValueLen, NULL); -+ if (!n) { -+ LOGE("Could not convert modulus to bignum"); -+ BN_free(e); - return CKR_GENERAL_ERROR; - } - -- rsa = RSA_new(); -+ RSA *rsa = RSA_new(); - if (!rsa) { -- SSL_UTIL_LOGE("Failed to allocate OpenSSL RSA structure"); -- goto error; -+ LOGE("oom"); -+ return CKR_HOST_MEMORY; - } - -- e = BN_bin2bn(exp->pValue, exp->ulValueLen, NULL); -- if (!e) { -- SSL_UTIL_LOGE("Failed to convert exponent to SSL internal format"); -- goto error; -+ int rc = RSA_set0_key(rsa, n, e, NULL); -+ if (!rc) { -+ LOGE("Could not set modulus and exponent to OSSL RSA key"); -+ BN_free(n); -+ BN_free(e); -+ RSA_free(rsa); -+ return CKR_GENERAL_ERROR; - } - -- n = BN_bin2bn(mod->pValue, mod->ulValueLen, NULL); -- if (!n) { -- SSL_UTIL_LOGE("Failed to convert modulus to SSL internal format"); -- goto error; -+ /* assigned to RSA key */ -+ n = e = NULL; -+ -+ EVP_PKEY *pkey = EVP_PKEY_new(); -+ if (!pkey) { -+ SSL_UTIL_LOGE("EVP_PKEY_new"); -+ RSA_free(rsa); -+ return CKR_GENERAL_ERROR; - } - -- if (!RSA_set0_key(rsa, n, e, NULL)) { -- SSL_UTIL_LOGE("Failed to set RSA modulus and exponent components"); -+ rc = EVP_PKEY_assign_RSA(pkey, rsa); -+ if (rc != 1) { - RSA_free(rsa); -- BN_free(e); -- BN_free(n); -- goto error; -+ EVP_PKEY_free(pkey); -+ return CKR_GENERAL_ERROR; - } - -- *outkey = rsa; -+ *out_pkey = pkey; - - return CKR_OK; -- --error: -- RSA_free(rsa); -- if (e) { -- BN_free(e); -- } -- if (n) { -- BN_free(n); -- } -- -- return CKR_GENERAL_ERROR; - } - --static CK_RV convert_pubkey_ECC(EC_KEY **outkey, attr_list *attrs) { -+static CK_RV get_EC_evp_pubkey(CK_ATTRIBUTE_PTR ecparams, CK_ATTRIBUTE_PTR ecpoint, EVP_PKEY **out_pkey) { - -- EC_KEY *key = EC_KEY_new(); -- if (!key) { -+ EC_KEY *ecc = EC_KEY_new(); -+ if (!ecc) { - LOGE("oom"); - return CKR_HOST_MEMORY; - } - -- CK_ATTRIBUTE_PTR ecparams = attr_get_attribute_by_type(attrs, CKA_EC_PARAMS); -- if (!ecparams) { -- LOGE("ECC Key must have attribute CKA_EC_PARAMS"); -- return CKR_GENERAL_ERROR; -- } -- -- CK_ATTRIBUTE_PTR ecpoint = attr_get_attribute_by_type(attrs, CKA_EC_POINT); -- if (!ecpoint) { -- LOGE("ECC Key must have attribute CKA_EC_POINT"); -- return CKR_GENERAL_ERROR; -- } -- - /* set params */ - const unsigned char *x = ecparams->pValue; -- EC_KEY *k = d2i_ECParameters(&key, &x, ecparams->ulValueLen); -+ EC_KEY *k = d2i_ECParameters(&ecc, &x, ecparams->ulValueLen); - if (!k) { - SSL_UTIL_LOGE("Could not update key with EC Parameters"); -- EC_KEY_free(key); -+ EC_KEY_free(ecc); - return CKR_GENERAL_ERROR; - } - -@@ -215,22 +250,38 @@ static CK_RV convert_pubkey_ECC(EC_KEY * - ASN1_OCTET_STRING *os = d2i_ASN1_OCTET_STRING(NULL, &x, ecpoint->ulValueLen); - if (os) { - x = os->data; -- k = o2i_ECPublicKey(&key, &x, os->length); -+ k = o2i_ECPublicKey(&ecc, &x, os->length); - ASN1_STRING_free(os); - if (!k) { - SSL_UTIL_LOGE("Could not update key with EC Points"); -- EC_KEY_free(key); -+ EC_KEY_free(ecc); - return CKR_GENERAL_ERROR; - } - } - -- *outkey = key; -+ EVP_PKEY *pkey = EVP_PKEY_new(); -+ if (!pkey) { -+ SSL_UTIL_LOGE("EVP_PKEY_new"); -+ EC_KEY_free(ecc); -+ return CKR_GENERAL_ERROR; -+ } -+ -+ int rc = EVP_PKEY_assign_EC_KEY(pkey, ecc); -+ if (!rc) { -+ SSL_UTIL_LOGE("Could not set pkey with ec key"); -+ EC_KEY_free(ecc); -+ EVP_PKEY_free(pkey); -+ return CKR_GENERAL_ERROR; -+ } -+ -+ *out_pkey = pkey; - return CKR_OK; - } -+#endif - --CK_RV ssl_util_tobject_to_evp(EVP_PKEY **outpkey, tobject *obj) { -+CK_RV ssl_util_attrs_to_evp(attr_list *attrs, EVP_PKEY **outpkey) { - -- CK_ATTRIBUTE_PTR a = attr_get_attribute_by_type(obj->attrs, CKA_KEY_TYPE); -+ CK_ATTRIBUTE_PTR a = attr_get_attribute_by_type(attrs, CKA_KEY_TYPE); - if (!a) { - LOGE("Expected object to have attribute CKA_KEY_TYPE"); - return CKR_KEY_TYPE_INCONSISTENT; -@@ -253,44 +304,52 @@ CK_RV ssl_util_tobject_to_evp(EVP_PKEY * - return CKR_OK; - } - -- EVP_PKEY *pkey = EVP_PKEY_new(); -- if (!pkey) { -- LOGE("oom"); -- return CKR_HOST_MEMORY; -- } -+ EVP_PKEY *pkey = NULL; - - if (key_type == CKK_EC) { -- EC_KEY *e = NULL; -- rv = convert_pubkey_ECC(&e, obj->attrs); -- if (rv != CKR_OK) { -- return rv; -+ -+ CK_ATTRIBUTE_PTR ecparams = attr_get_attribute_by_type(attrs, CKA_EC_PARAMS); -+ if (!ecparams) { -+ LOGE("ECC Key must have attribute CKA_EC_PARAMS"); -+ return CKR_GENERAL_ERROR; - } -- int rc = EVP_PKEY_assign_EC_KEY(pkey, e); -- if (!rc) { -- SSL_UTIL_LOGE("Could not set pkey with ec key"); -- EC_KEY_free(e); -- EVP_PKEY_free(pkey); -+ -+ CK_ATTRIBUTE_PTR ecpoint = attr_get_attribute_by_type(attrs, CKA_EC_POINT); -+ if (!ecpoint) { -+ LOGE("ECC Key must have attribute CKA_EC_POINT"); - return CKR_GENERAL_ERROR; - } -- } else if (key_type == CKK_RSA) { -- RSA *r = NULL; -- rv = convert_pubkey_RSA(&r, obj->attrs); -+ -+ rv = get_EC_evp_pubkey(ecparams, ecpoint, &pkey); - if (rv != CKR_OK) { - return rv; - } -- int rc = EVP_PKEY_assign_RSA(pkey, r); -- if (!rc) { -- SSL_UTIL_LOGE("Could not set pkey with rsa key"); -- RSA_free(r); -- EVP_PKEY_free(pkey); -+ -+ } else if (key_type == CKK_RSA) { -+ -+ CK_ATTRIBUTE_PTR exp = attr_get_attribute_by_type(attrs, CKA_PUBLIC_EXPONENT); -+ if (!exp) { -+ LOGE("RSA Object must have attribute CKA_PUBLIC_EXPONENT"); - return CKR_GENERAL_ERROR; - } -+ -+ CK_ATTRIBUTE_PTR mod = attr_get_attribute_by_type(attrs, CKA_MODULUS); -+ if (!mod) { -+ LOGE("RSA Object must have attribute CKA_MODULUS"); -+ return CKR_GENERAL_ERROR; -+ } -+ -+ rv = get_RSA_evp_pubkey(exp, mod, &pkey); -+ if (rv != CKR_OK) { -+ return rv; -+ } -+ - } else { - LOGE("Invalid CKA_KEY_TYPE, got: %lu", key_type); -- EVP_PKEY_free(pkey); - return CKR_KEY_TYPE_INCONSISTENT; - } - -+ assert(pkey); - *outpkey = pkey; - - return CKR_OK; -@@ -406,10 +465,12 @@ CK_RV ssl_util_setup_evp_pkey_ctx(EVP_PK - } - } - -- rc = EVP_PKEY_CTX_set_signature_md(pkey_ctx, md); -- if (!rc) { -- SSL_UTIL_LOGE("EVP_PKEY_CTX_set_signature_md failed"); -- goto error; -+ if (md) { -+ rc = EVP_PKEY_CTX_set_signature_md(pkey_ctx, md); -+ if (!rc) { -+ SSL_UTIL_LOGE("EVP_PKEY_CTX_set_signature_md failed"); -+ goto error; -+ } - } - - *outpkey_ctx = pkey_ctx; -@@ -421,21 +482,12 @@ error: - return CKR_GENERAL_ERROR; - } - --static CK_RV do_sig_verify_rsa(EVP_PKEY *pkey, -- int padding, const EVP_MD *md, -- CK_BYTE_PTR digest, CK_ULONG digest_len, -- CK_BYTE_PTR signature, CK_ULONG signature_len) { -+static CK_RV sig_verify(EVP_PKEY_CTX *ctx, -+ const unsigned char *sig, size_t siglen, -+ const unsigned char *tbs, size_t tbslen) { - - CK_RV rv = CKR_GENERAL_ERROR; -- -- EVP_PKEY_CTX *pkey_ctx = NULL; -- rv = ssl_util_setup_evp_pkey_ctx(pkey, padding, md, -- EVP_PKEY_verify_init, &pkey_ctx); -- if (rv != CKR_OK) { -- return rv; -- } -- -- int rc = EVP_PKEY_verify(pkey_ctx, signature, signature_len, digest, digest_len); -+ int rc = EVP_PKEY_verify(ctx, sig, siglen, tbs, tbslen); - if (rc < 0) { - SSL_UTIL_LOGE("EVP_PKEY_verify failed"); - } else if (rc == 1) { -@@ -444,11 +496,11 @@ static CK_RV do_sig_verify_rsa(EVP_PKEY - rv = CKR_SIGNATURE_INVALID; - } - -- EVP_PKEY_CTX_free(pkey_ctx); - return rv; - } - --static CK_RV create_ecdsa_sig(CK_BYTE_PTR sig, CK_ULONG siglen, ECDSA_SIG **outsig) { -+static CK_RV create_ecdsa_sig(CK_BYTE_PTR sig, CK_ULONG siglen, -+ unsigned char **outbuf, size_t *outlen) { - - if (siglen & 1) { - LOGE("Expected ECDSA signature length to be even, got : %lu", -@@ -487,21 +539,48 @@ static CK_RV create_ecdsa_sig(CK_BYTE_PT - return CKR_GENERAL_ERROR; - } - -- *outsig = ossl_sig; -+ int sig_len =i2d_ECDSA_SIG(ossl_sig, NULL); -+ if (sig_len <= 0) { -+ if (rc < 0) { -+ SSL_UTIL_LOGE("ECDSA_do_verify failed"); -+ } else { -+ LOGE("Expected length to be greater than 0"); -+ } -+ ECDSA_SIG_free(ossl_sig); -+ return CKR_GENERAL_ERROR; -+ } -+ -+ unsigned char *buf = calloc(1, sig_len); -+ if (!buf) { -+ LOGE("oom"); -+ ECDSA_SIG_free(ossl_sig); -+ return CKR_HOST_MEMORY; -+ } -+ -+ unsigned char *p = buf; -+ int sig_len2 = i2d_ECDSA_SIG(ossl_sig, &p); -+ if (sig_len2 < 0) { -+ SSL_UTIL_LOGE("ECDSA_do_verify failed"); -+ ECDSA_SIG_free(ossl_sig); -+ free(buf); -+ return CKR_GENERAL_ERROR; -+ } -+ -+ assert(sig_len == sig_len2); -+ -+ ECDSA_SIG_free(ossl_sig); -+ -+ *outbuf = buf; -+ *outlen = sig_len; - - return CKR_OK; - } - - static CK_RV do_sig_verify_ec(EVP_PKEY *pkey, -+ const EVP_MD *md, - CK_BYTE_PTR digest, CK_ULONG digest_len, - CK_BYTE_PTR signature, CK_ULONG signature_len) { - -- EC_KEY *eckey = EVP_PKEY_get0_EC_KEY(pkey); -- if (!eckey) { -- LOGE("Expected EC Key"); -- return CKR_GENERAL_ERROR; -- } -- - /* - * OpenSSL expects ASN1 framed signatures, PKCS11 does flat - * R + S signatures, so convert it to ASN1 framing. -@@ -509,21 +588,47 @@ static CK_RV do_sig_verify_ec(EVP_PKEY * - * https://github.com/tpm2-software/tpm2-pkcs11/issues/277 - * For details. - */ -- ECDSA_SIG *ossl_sig = NULL; -- CK_RV rv = create_ecdsa_sig(signature, signature_len, &ossl_sig); -+ unsigned char *buf = NULL; -+ size_t buflen = 0; -+ CK_RV rv = create_ecdsa_sig(signature, signature_len, &buf, &buflen); - if (rv != CKR_OK) { - return rv; - } - -- int rc = ECDSA_do_verify(digest, digest_len, ossl_sig, eckey); -- if (rc < 0) { -- ECDSA_SIG_free(ossl_sig); -- SSL_UTIL_LOGE("ECDSA_do_verify failed"); -- return CKR_GENERAL_ERROR; -+ EVP_PKEY_CTX *pkey_ctx = NULL; -+ rv = ssl_util_setup_evp_pkey_ctx(pkey, 0, md, -+ EVP_PKEY_verify_init, &pkey_ctx); -+ if (rv != CKR_OK) { -+ free(buf); -+ return rv; - } -- ECDSA_SIG_free(ossl_sig); - -- return rc == 1 ? CKR_OK : CKR_SIGNATURE_INVALID; -+ rv = sig_verify(pkey_ctx, buf, buflen, digest, digest_len); -+ -+ EVP_PKEY_CTX_free(pkey_ctx); -+ free(buf); -+ -+ return rv; -+} -+ -+static CK_RV do_sig_verify_rsa(EVP_PKEY *pkey, -+ int padding, const EVP_MD *md, -+ CK_BYTE_PTR digest, CK_ULONG digest_len, -+ CK_BYTE_PTR signature, CK_ULONG signature_len) { -+ -+ CK_RV rv = CKR_GENERAL_ERROR; -+ -+ EVP_PKEY_CTX *pkey_ctx = NULL; -+ rv = ssl_util_setup_evp_pkey_ctx(pkey, padding, md, -+ EVP_PKEY_verify_init, &pkey_ctx); -+ if (rv != CKR_OK) { -+ return rv; -+ } -+ -+ rv = sig_verify(pkey_ctx, signature, signature_len, digest, digest_len); -+ -+ EVP_PKEY_CTX_free(pkey_ctx); -+ return rv; - } - - CK_RV ssl_util_sig_verify(EVP_PKEY *pkey, -@@ -538,7 +643,7 @@ CK_RV ssl_util_sig_verify(EVP_PKEY *pkey - digest, digest_len, - signature, signature_len); - case EVP_PKEY_EC: -- return do_sig_verify_ec(pkey, digest, digest_len, -+ return do_sig_verify_ec(pkey, md, digest, digest_len, - signature, signature_len); - default: - LOGE("Unknown PKEY type, got: %d", type); -@@ -577,3 +682,65 @@ CK_RV ssl_util_verify_recover(EVP_PKEY * - EVP_PKEY_CTX_free(pkey_ctx); - return rv; - } -+ -+twist ssl_util_hash_pass(const twist pin, const twist salt) { -+ -+ -+ twist out = NULL; -+ unsigned char md[SHA256_DIGEST_LENGTH]; -+ -+ EVP_MD_CTX *ctx = EVP_MD_CTX_new(); -+ if (!ctx) { -+ SSL_UTIL_LOGE("EVP_MD_CTX_new"); -+ return NULL; -+ } -+ -+ int rc = EVP_DigestInit(ctx, EVP_sha256()); -+ if (rc != 1) { -+ SSL_UTIL_LOGE("EVP_DigestInit"); -+ goto error; -+ } -+ -+ rc = EVP_DigestUpdate(ctx, pin, twist_len(pin)); -+ if (rc != 1) { -+ SSL_UTIL_LOGE("EVP_DigestUpdate"); -+ goto error; -+ } -+ -+ rc = EVP_DigestUpdate(ctx, salt, twist_len(salt)); -+ if (rc != 1) { -+ SSL_UTIL_LOGE("EVP_DigestUpdate"); -+ goto error; -+ } -+ -+ unsigned int len = sizeof(md); -+ rc = EVP_DigestFinal(ctx, md, &len); -+ if (rc != 1) { -+ SSL_UTIL_LOGE("EVP_DigestFinal"); -+ goto error; -+ } -+ -+ /* truncate the password to 32 characters */ -+ out = twist_hex_new((char *)md, sizeof(md)/2); -+ -+error: -+ EVP_MD_CTX_free(ctx); -+ -+ return out; -+} -+ -+CK_RV ssl_util_params_to_nid(CK_ATTRIBUTE_PTR ecparams, int *nid) { -+ -+ const unsigned char *p = ecparams->pValue; -+ -+ ASN1_OBJECT *a = d2i_ASN1_OBJECT(NULL, &p, ecparams->ulValueLen); -+ if (!a) { -+ LOGE("Unknown CKA_EC_PARAMS value"); -+ return CKR_ATTRIBUTE_VALUE_INVALID; -+ } -+ -+ *nid = OBJ_obj2nid(a); -+ ASN1_OBJECT_free(a); -+ -+ return CKR_OK; -+} -Index: git/src/lib/ssl_util.h -=================================================================== ---- git.orig/src/lib/ssl_util.h -+++ git/src/lib/ssl_util.h -@@ -11,8 +11,8 @@ - - #include "pkcs11.h" - -+#include "attrs.h" - #include "log.h" --#include "object.h" - #include "twist.h" - - #if (OPENSSL_VERSION_NUMBER < 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) /* OpenSSL 1.1.0 */ -@@ -22,6 +22,10 @@ - #define LIB_TPM2_OPENSSL_OPENSSL_POST111 0x1010100f - #endif - -+#if (OPENSSL_VERSION_NUMBER >= 0x30000000) /* OpenSSL 3.0.0 */ -+#define LIB_TPM2_OPENSSL_OPENSSL_POST300 0x1010100f -+#endif -+ - /* OpenSSL Backwards Compat APIs */ - #if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11) - #include <string.h> -@@ -58,7 +62,7 @@ static inline void *OPENSSL_memdup(const - - #define SSL_UTIL_LOGE(m) LOGE("%s: %s", m, ERR_error_string(ERR_get_error(), NULL)); - --CK_RV ssl_util_tobject_to_evp(EVP_PKEY **outpkey, tobject *obj); -+CK_RV ssl_util_attrs_to_evp(attr_list *attrs, EVP_PKEY **outpkey); - - CK_RV ssl_util_encrypt(EVP_PKEY *pkey, - int padding, twist label, const EVP_MD *md, -@@ -82,4 +86,27 @@ CK_RV ssl_util_setup_evp_pkey_ctx(EVP_PK - fn_EVP_PKEY_init init_fn, - EVP_PKEY_CTX **outpkey_ctx); - -+CK_RV ssl_util_add_PKCS1_PSS(EVP_PKEY *pkey, -+ const CK_BYTE_PTR inbuf, const EVP_MD *md, -+ CK_BYTE_PTR outbuf); -+ -+CK_RV ssl_util_add_PKCS1_TYPE_1(const CK_BYTE_PTR inbuf, CK_ULONG inlen, -+ CK_BYTE_PTR outbuf, CK_ULONG outbuflen); -+ -+CK_RV ssl_util_check_PKCS1_TYPE_2(const CK_BYTE_PTR inbuf, CK_ULONG inlen, CK_ULONG rsa_len, -+ CK_BYTE_PTR outbuf, CK_ULONG_PTR outbuflen); -+ -+twist ssl_util_hash_pass(const twist pin, const twist salt); -+ -+/** -+ * Given an attribute of CKA_EC_PARAMS returns the nid value. -+ * @param ecparams -+ * The DER X9.62 parameters value -+ * @param nid -+ * The nid to set -+ * @return -+ * CKR_OK on success. -+ */ -+CK_RV ssl_util_params_to_nid(CK_ATTRIBUTE_PTR ecparams, int *nid); -+ - #endif /* SRC_LIB_SSL_UTIL_H_ */ -Index: git/src/lib/tpm.c -=================================================================== ---- git.orig/src/lib/tpm.c -+++ git/src/lib/tpm.c -@@ -3099,7 +3099,7 @@ static CK_RV handle_ecparams(CK_ATTRIBUT - tpm_key_data *keydat = (tpm_key_data *)udata; - - int nid = 0; -- CK_RV rv = ec_params_to_nid(attr, &nid); -+ CK_RV rv = ssl_util_params_to_nid(attr, &nid); - if (rv != CKR_OK) { - return rv; - } -@@ -3451,7 +3451,7 @@ static EC_POINT *tpm_pub_to_ossl_pub(EC_ - goto out; - } - -- int rc = EC_POINT_set_affine_coordinates_GFp(group, -+ int rc = EC_POINT_set_affine_coordinates(group, - pub_key_point_tmp, - bn_x, - bn_y, -@@ -4579,7 +4579,7 @@ CK_RV tpm_get_pss_sig_state(tpm_ctx *tct - goto out; - } - -- rv = ssl_util_tobject_to_evp(&pkey, tobj); -+ rv = ssl_util_attrs_to_evp(tobj->attrs, &pkey); - if (rv != CKR_OK) { - goto out; - } -Index: git/src/lib/utils.c -=================================================================== ---- git.orig/src/lib/utils.c -+++ git/src/lib/utils.c -@@ -7,6 +7,7 @@ - #include <openssl/sha.h> - - #include "log.h" -+#include "ssl_util.h" - #include "token.h" - #include "utils.h" - -@@ -45,7 +46,7 @@ CK_RV utils_setup_new_object_auth(twist - pin_to_use = newpin; - } - -- *newauthhex = utils_hash_pass(pin_to_use, salt_to_use); -+ *newauthhex = ssl_util_hash_pass(pin_to_use, salt_to_use); - if (!*newauthhex) { - goto out; - } -@@ -330,22 +331,6 @@ out: - - } - --twist utils_hash_pass(const twist pin, const twist salt) { -- -- -- unsigned char md[SHA256_DIGEST_LENGTH]; -- -- SHA256_CTX sha256; -- SHA256_Init(&sha256); -- -- SHA256_Update(&sha256, pin, twist_len(pin)); -- SHA256_Update(&sha256, salt, twist_len(salt)); -- SHA256_Final(md, &sha256); -- -- /* truncate the password to 32 characters */ -- return twist_hex_new((char *)md, sizeof(md)/2); --} -- - size_t utils_get_halg_size(CK_MECHANISM_TYPE mttype) { - - switch(mttype) { -@@ -448,22 +433,6 @@ CK_RV utils_ctx_wrap_objauth(twist wrapp - - return CKR_OK; - } -- --CK_RV ec_params_to_nid(CK_ATTRIBUTE_PTR ecparams, int *nid) { -- -- const unsigned char *p = ecparams->pValue; -- -- ASN1_OBJECT *a = d2i_ASN1_OBJECT(NULL, &p, ecparams->ulValueLen); -- if (!a) { -- LOGE("Unknown CKA_EC_PARAMS value"); -- return CKR_ATTRIBUTE_VALUE_INVALID; -- } -- -- *nid = OBJ_obj2nid(a); -- ASN1_OBJECT_free(a); -- -- return CKR_OK; --} - - CK_RV apply_pkcs7_pad(const CK_BYTE_PTR in, CK_ULONG inlen, - CK_BYTE_PTR out, CK_ULONG_PTR outlen) { -Index: git/src/lib/utils.h -=================================================================== ---- git.orig/src/lib/utils.h -+++ git/src/lib/utils.h -@@ -45,8 +45,6 @@ static inline void _str_padded_copy(CK_U - memcpy(dst, src, src_len); - } - --twist utils_hash_pass(const twist pin, const twist salt); -- - twist aes256_gcm_decrypt(const twist key, const twist objauth); - - twist aes256_gcm_encrypt(twist keybin, twist plaintextbin); -@@ -77,17 +75,6 @@ CK_RV utils_ctx_unwrap_objauth(twist wra - CK_RV utils_ctx_wrap_objauth(twist wrappingkey, twist objauth, twist *wrapped_auth); - - /** -- * Given an attribute of CKA_EC_PARAMS returns the nid value. -- * @param ecparams -- * The DER X9.62 parameters value -- * @param nid -- * The nid to set -- * @return -- * CKR_OK on success. -- */ --CK_RV ec_params_to_nid(CK_ATTRIBUTE_PTR ecparams, int *nid); -- --/** - * Removes a PKCS7 padding on a 16 byte block. - * @param in - * The PKCS5 padded input. -Index: git/test/integration/pkcs-sign-verify.int.c -=================================================================== ---- git.orig/test/integration/pkcs-sign-verify.int.c -+++ git/test/integration/pkcs-sign-verify.int.c -@@ -1061,70 +1061,13 @@ static void test_double_sign_final_call_ - assert_int_equal(rv, CKR_OK); - } - --static CK_ATTRIBUTE_PTR get_attr(CK_ATTRIBUTE_TYPE type, CK_ATTRIBUTE_PTR attrs, CK_ULONG attr_len) { -- -- CK_ULONG i; -- for (i=0; i < attr_len; i++) { -- CK_ATTRIBUTE_PTR a = &attrs[i]; -- if (a->type == type) { -- return a; -- } -- } -- -- return NULL; --} -- --#if (OPENSSL_VERSION_NUMBER < 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) /* OpenSSL 1.1.0 */ --#define LIB_TPM2_OPENSSL_OPENSSL_PRE11 --#endif -- --RSA *template_to_rsa_pub_key(CK_ATTRIBUTE_PTR attrs, CK_ULONG attr_len) { -- -- RSA *ssl_rsa_key = NULL; -- BIGNUM *e = NULL, *n = NULL; -- -- /* get the exponent */ -- CK_ATTRIBUTE_PTR a = get_attr(CKA_PUBLIC_EXPONENT, attrs, attr_len); -- assert_non_null(a); -- -- e = BN_bin2bn((void*)a->pValue, a->ulValueLen, NULL); -- assert_non_null(e); -- -- /* get the modulus */ -- a = get_attr(CKA_MODULUS, attrs, attr_len); -- assert_non_null(a); -- -- n = BN_bin2bn(a->pValue, a->ulValueLen, -- NULL); -- assert_non_null(n); -- -- ssl_rsa_key = RSA_new(); -- assert_non_null(ssl_rsa_key); -- --#if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11) -- ssl_rsa_key->e = e; -- ssl_rsa_key->n = n; --#else -- int rc = RSA_set0_key(ssl_rsa_key, n, e, NULL); -- assert_int_equal(rc, 1); --#endif -- -- return ssl_rsa_key; --} -- --static void verify(RSA *pub, CK_BYTE_PTR msg, CK_ULONG msg_len, CK_BYTE_PTR sig, CK_ULONG sig_len) { -- -- EVP_PKEY *pkey = EVP_PKEY_new(); -- assert_non_null(pkey); -- -- int rc = EVP_PKEY_set1_RSA(pkey, pub); -- assert_int_equal(rc, 1); -+static void verify(EVP_PKEY *pkey, CK_BYTE_PTR msg, CK_ULONG msg_len, CK_BYTE_PTR sig, CK_ULONG sig_len) { - - EVP_MD_CTX *ctx = EVP_MD_CTX_create(); - const EVP_MD* md = EVP_get_digestbyname("SHA256"); - assert_non_null(md); - -- rc = EVP_DigestInit_ex(ctx, md, NULL); -+ int rc = EVP_DigestInit_ex(ctx, md, NULL); - assert_int_equal(rc, 1); - - rc = EVP_DigestVerifyInit(ctx, NULL, md, NULL, pkey); -@@ -1136,7 +1079,6 @@ static void verify(RSA *pub, CK_BYTE_PTR - rc = EVP_DigestVerifyFinal(ctx, sig, sig_len); - assert_int_equal(rc, 1); - -- EVP_PKEY_free(pkey); - EVP_MD_CTX_destroy(ctx); - } - -@@ -1170,20 +1112,38 @@ static void test_sign_verify_public(void - assert_int_equal(siglen, 256); - - /* build an OSSL RSA key from parts */ -- CK_BYTE _tmp_bufs[2][1024]; -+ CK_BYTE _tmp_bufs[3][1024]; - CK_ATTRIBUTE attrs[] = { -- { .type = CKA_PUBLIC_EXPONENT, .ulValueLen = sizeof(_tmp_bufs[0]), .pValue = &_tmp_bufs[0] }, -- { .type = CKA_MODULUS, .ulValueLen = sizeof(_tmp_bufs[1]), .pValue = &_tmp_bufs[1] }, -+ { .type = CKA_KEY_TYPE, .ulValueLen = sizeof(_tmp_bufs[0]), .pValue = &_tmp_bufs[0] }, -+ { .type = CKA_PUBLIC_EXPONENT, .ulValueLen = sizeof(_tmp_bufs[0]), .pValue = &_tmp_bufs[1] }, -+ { .type = CKA_MODULUS, .ulValueLen = sizeof(_tmp_bufs[1]), .pValue = &_tmp_bufs[2] }, - }; - - rv = C_GetAttributeValue(session, pub_handle, attrs, ARRAY_LEN(attrs)); - assert_int_equal(rv, CKR_OK); - -- RSA *r = template_to_rsa_pub_key(attrs, ARRAY_LEN(attrs)); -- assert_non_null(r); -+ CK_KEY_TYPE key_type = CKA_KEY_TYPE_BAD; -+ rv = attr_CK_KEY_TYPE(&attrs[0], &key_type); -+ assert_int_equal(rv, CKR_OK); -+ -+ EVP_PKEY *pkey = NULL; -+ attr_list *l = attr_list_new(); -+ -+ bool res = attr_list_add_int(l, CKA_KEY_TYPE, key_type); -+ assert_true(res); - -- verify(r, msg, sizeof(msg) - 1, sig, siglen); -- RSA_free(r); -+ res = attr_list_add_buf(l, attrs[1].type, attrs[1].pValue, attrs[1].ulValueLen); -+ assert_true(res); -+ -+ res = attr_list_add_buf(l, attrs[2].type, attrs[2].pValue, attrs[2].ulValueLen); -+ assert_true(res); -+ -+ rv = ssl_util_attrs_to_evp(l, &pkey); -+ assert_int_equal(rv, CKR_OK); -+ attr_list_free(l); -+ -+ verify(pkey, msg, sizeof(msg) - 1, sig, siglen); -+ EVP_PKEY_free(pkey); - } - - static void test_sign_verify_context_specific_good(void **state) { diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0002-ossl-require-version-1.1.0-or-greater.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0002-ossl-require-version-1.1.0-or-greater.patch deleted file mode 100644 index ef0a6dcde9..0000000000 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0002-ossl-require-version-1.1.0-or-greater.patch +++ /dev/null @@ -1,93 +0,0 @@ -From d33e5ef0b11125fe4683d7bfa17023e24997f587 Mon Sep 17 00:00:00 2001 -From: William Roberts <william.c.roberts@intel.com> -Date: Fri, 3 Sep 2021 11:30:50 -0500 -Subject: [PATCH 2/2] ossl: require version 1.1.0 or greater - -THIS DROPS SUPPORT FOR OSSL 1.0.2. - -Signed-off-by: William Roberts <william.c.roberts@intel.com> - -Upstream-Status: Backport -Signed-off-by: Armin Kuster <akuster808@gmail.com> ---- - configure.ac | 2 +- - src/lib/ssl_util.h | 43 +++++-------------------------------------- - 2 files changed, 6 insertions(+), 39 deletions(-) - -diff --git a/configure.ac b/configure.ac -index a7aeaf5..94fb5d4 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -55,7 +55,7 @@ PKG_CHECK_EXISTS([tss2-esys >= 3.0], - # require sqlite3 and libcrypto - PKG_CHECK_MODULES([SQLITE3], [sqlite3]) - PKG_CHECK_MODULES([YAML], [yaml-0.1]) --PKG_CHECK_MODULES([CRYPTO], [libcrypto >= 1.0.2g]) -+PKG_CHECK_MODULES([CRYPTO], [libcrypto >= 1.1.0]) - - # check for pthread - AX_PTHREAD([],[AC_MSG_ERROR([Cannot find pthread])]) -diff --git a/src/lib/ssl_util.h b/src/lib/ssl_util.h -index 9909fd6..2591728 100644 ---- a/src/lib/ssl_util.h -+++ b/src/lib/ssl_util.h -@@ -15,51 +15,18 @@ - #include "log.h" - #include "twist.h" - --#if (OPENSSL_VERSION_NUMBER < 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) /* OpenSSL 1.1.0 */ --#define LIB_TPM2_OPENSSL_OPENSSL_PRE11 --/* LibreSSL does not appear to have evperr.h, so their is no need to define this otherwise */ --#elif (OPENSSL_VERSION_NUMBER >= 0x1010100fL) /* OpenSSL 1.1.1 */ -+#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL) /* OpenSSL 1.1.1 */ - #define LIB_TPM2_OPENSSL_OPENSSL_POST111 0x1010100f - #endif - --#if (OPENSSL_VERSION_NUMBER >= 0x30000000) /* OpenSSL 3.0.0 */ --#define LIB_TPM2_OPENSSL_OPENSSL_POST300 0x1010100f -+#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST111) -+#include <openssl/evperr.h> - #endif - --/* OpenSSL Backwards Compat APIs */ --#if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11) --#include <string.h> --size_t EC_POINT_point2buf(const EC_GROUP *group, const EC_POINT *point, -- point_conversion_form_t form, -- unsigned char **pbuf, BN_CTX *ctx); -- --const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x); -- --int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d); -- --int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s); -- --EC_KEY *EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey); -- --static inline void *OPENSSL_memdup(const void *dup, size_t l) { -- -- void *p = OPENSSL_malloc(l); -- if (!p) { -- return NULL; -- } -- -- memcpy(p, dup, l); -- return p; --} -- --#endif -- --#ifndef RSA_PSS_SALTLEN_DIGEST --#define RSA_PSS_SALTLEN_DIGEST -1 -+#if (OPENSSL_VERSION_NUMBER >= 0x30000000) /* OpenSSL 3.0.0 */ -+#define LIB_TPM2_OPENSSL_OPENSSL_POST300 0x1010100f - #endif - --/* Utility APIs */ -- - #define SSL_UTIL_LOGE(m) LOGE("%s: %s", m, ERR_error_string(ERR_get_error(), NULL)); - - CK_RV ssl_util_attrs_to_evp(attr_list *attrs, EVP_PKEY **outpkey); --- -2.25.1 - diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/bootstrap_fixup.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/bootstrap_fixup.patch deleted file mode 100644 index d38e23777c..0000000000 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/bootstrap_fixup.patch +++ /dev/null @@ -1,12 +0,0 @@ -Upstream-Status: OE specific -Signed-off-by: Armin Kuster <akuster808@gmail.com> - -Index: git/bootstrap -=================================================================== ---- git.orig/bootstrap -+++ git/bootstrap -@@ -27,4 +27,3 @@ echo "Generating file lists: ${VARS_FILE - ) > ${VARS_FILE} - - mkdir -p m4 --${AUTORECONF} --install --sym $@ diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.7.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb index 177c3c3777..a9174e6717 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.7.0.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb @@ -6,21 +6,17 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=0fc19f620a102768d6dbd1e7166e78ab" DEPENDS = "autoconf-archive pkgconfig sqlite3 openssl libtss2-dev tpm2-tools libyaml p11-kit python3-setuptools-native" -SRC_URI = "git://github.com/tpm2-software/tpm2-pkcs11.git;branch=master;protocol=https \ - file://bootstrap_fixup.patch \ - file://0001-remove-local-binary-checkes.patch \ - file://0001-ssl-compile-against-OSSL-3.0.patch \ - file://0002-ossl-require-version-1.1.0-or-greater.patch \ - " +SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz" -SRCREV = "11fd2532ce10e97834a57dfb25bff6c613a5a851" - -S = "${WORKDIR}/git" +SRC_URI[sha256sum] = "79f28899047defd6b4b72b7268dd56abf27774954022315f818c239af33e05bd" inherit autotools-brokensep pkgconfig python3native -do_configure:prepend () { - ${S}/bootstrap +EXTRA_OECONF += "--disable-ptool-checks" + +do_configure:prepend() { + # do not extract the version number from git + sed -i -e 's/m4_esyscmd_s(\[git describe --tags --always --dirty\])/${PV}/' ${S}/configure.ac } do_compile:append() { diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb index 6e95a0e8fe..f924038bdb 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb @@ -11,3 +11,8 @@ SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN SRC_URI[sha256sum] = "c0b402f6a7b3456e8eb2445211e2d41c46c7e769e05fe4d8909ff64119f7a630" inherit autotools pkgconfig bash-completion + +do_configure:prepend() { + # do not extract the version number from git + sed -i -e 's/m4_esyscmd_s(\[git describe --tags --always --dirty\])/${PV}/' ${S}/configure.ac +} diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.1.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.1.0.bb index 4d1f425d8e..efe62a8209 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.1.0.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.1.0.bb @@ -8,16 +8,23 @@ SECTION = "security/tpm" DEPENDS = "autoconf-archive-native bash-completion libtss2 libgcrypt openssl" -SRCREV = "6f387a4efe2049f1b4833e8f621c77231bc1eef4" -SRC_URI = "git://github.com/tpm2-software/tpm2-tss-engine.git;branch=v1.1.x;protocol=https" +SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/v${PV}/${BPN}-${PV}.tar.gz" + +SRC_URI[sha256sum] = "ea2941695ac221d23a7f3e1321140e75b1495ae6ade876f2f4c2ed807c65e2a5" inherit autotools-brokensep pkgconfig systemd -S = "${WORKDIR}/git" +# It uses the API deprecated since the OpenSSL 3.0 +CFLAGS:append = ' -Wno-deprecated-declarations -Wno-unused-parameter' + +do_configure:prepend() { + # do not extract the version number from git + sed -i -e 's/m4_esyscmd_s(\[git describe --tags --always --dirty\])/${PV}/' ${S}/configure.ac +} PACKAGES += "${PN}-engines ${PN}-engines-staticdev ${PN}-bash-completion" -FILES:${PN}-dev = "${libdir}/engines-1.1/tpm2tss.so ${includedir}/*" -FILES:${PN}-engines = "${libdir}/engines-1.1/lib*.so*" -FILES:${PN}-engines-staticdev = "${libdir}/engines-1.1/libtpm2tss.a" +FILES:${PN}-dev = "${libdir}/engines-3/tpm2tss.so ${includedir}/*" +FILES:${PN}-engines = "${libdir}/engines-3/lib*.so*" +FILES:${PN}-engines-staticdev = "${libdir}/engines-3/libtpm2tss.a" FILES:${PN}-bash-completion += "${datadir}/bash-completion/completions" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/ax_pthread.m4 b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/ax_pthread.m4 deleted file mode 100644 index d383ad5c6d..0000000000 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/ax_pthread.m4 +++ /dev/null @@ -1,332 +0,0 @@ -# =========================================================================== -# http://www.gnu.org/software/autoconf-archive/ax_pthread.html -# =========================================================================== -# -# SYNOPSIS -# -# AX_PTHREAD([ACTION-IF-FOUND[, ACTION-IF-NOT-FOUND]]) -# -# DESCRIPTION -# -# This macro figures out how to build C programs using POSIX threads. It -# sets the PTHREAD_LIBS output variable to the threads library and linker -# flags, and the PTHREAD_CFLAGS output variable to any special C compiler -# flags that are needed. (The user can also force certain compiler -# flags/libs to be tested by setting these environment variables.) -# -# Also sets PTHREAD_CC to any special C compiler that is needed for -# multi-threaded programs (defaults to the value of CC otherwise). (This -# is necessary on AIX to use the special cc_r compiler alias.) -# -# NOTE: You are assumed to not only compile your program with these flags, -# but also link it with them as well. e.g. you should link with -# $PTHREAD_CC $CFLAGS $PTHREAD_CFLAGS $LDFLAGS ... $PTHREAD_LIBS $LIBS -# -# If you are only building threads programs, you may wish to use these -# variables in your default LIBS, CFLAGS, and CC: -# -# LIBS="$PTHREAD_LIBS $LIBS" -# CFLAGS="$CFLAGS $PTHREAD_CFLAGS" -# CC="$PTHREAD_CC" -# -# In addition, if the PTHREAD_CREATE_JOINABLE thread-attribute constant -# has a nonstandard name, defines PTHREAD_CREATE_JOINABLE to that name -# (e.g. PTHREAD_CREATE_UNDETACHED on AIX). -# -# Also HAVE_PTHREAD_PRIO_INHERIT is defined if pthread is found and the -# PTHREAD_PRIO_INHERIT symbol is defined when compiling with -# PTHREAD_CFLAGS. -# -# ACTION-IF-FOUND is a list of shell commands to run if a threads library -# is found, and ACTION-IF-NOT-FOUND is a list of commands to run it if it -# is not found. If ACTION-IF-FOUND is not specified, the default action -# will define HAVE_PTHREAD. -# -# Please let the authors know if this macro fails on any platform, or if -# you have any other suggestions or comments. This macro was based on work -# by SGJ on autoconf scripts for FFTW (http://www.fftw.org/) (with help -# from M. Frigo), as well as ac_pthread and hb_pthread macros posted by -# Alejandro Forero Cuervo to the autoconf macro repository. We are also -# grateful for the helpful feedback of numerous users. -# -# Updated for Autoconf 2.68 by Daniel Richard G. -# -# LICENSE -# -# Copyright (c) 2008 Steven G. Johnson <stevenj@alum.mit.edu> -# Copyright (c) 2011 Daniel Richard G. <skunk@iSKUNK.ORG> -# -# This program is free software: you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation, either version 3 of the License, or (at your -# option) any later version. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General -# Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program. If not, see <http://www.gnu.org/licenses/>. -# -# As a special exception, the respective Autoconf Macro's copyright owner -# gives unlimited permission to copy, distribute and modify the configure -# scripts that are the output of Autoconf when processing the Macro. You -# need not follow the terms of the GNU General Public License when using -# or distributing such scripts, even though portions of the text of the -# Macro appear in them. The GNU General Public License (GPL) does govern -# all other use of the material that constitutes the Autoconf Macro. -# -# This special exception to the GPL applies to versions of the Autoconf -# Macro released by the Autoconf Archive. When you make and distribute a -# modified version of the Autoconf Macro, you may extend this special -# exception to the GPL to apply to your modified version as well. - -#serial 21 - -AU_ALIAS([ACX_PTHREAD], [AX_PTHREAD]) -AC_DEFUN([AX_PTHREAD], [ -AC_REQUIRE([AC_CANONICAL_HOST]) -AC_LANG_PUSH([C]) -ax_pthread_ok=no - -# We used to check for pthread.h first, but this fails if pthread.h -# requires special compiler flags (e.g. on True64 or Sequent). -# It gets checked for in the link test anyway. - -# First of all, check if the user has set any of the PTHREAD_LIBS, -# etcetera environment variables, and if threads linking works using -# them: -if test x"$PTHREAD_LIBS$PTHREAD_CFLAGS" != x; then - save_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS $PTHREAD_CFLAGS" - save_LIBS="$LIBS" - LIBS="$PTHREAD_LIBS $LIBS" - AC_MSG_CHECKING([for pthread_join in LIBS=$PTHREAD_LIBS with CFLAGS=$PTHREAD_CFLAGS]) - AC_TRY_LINK_FUNC([pthread_join], [ax_pthread_ok=yes]) - AC_MSG_RESULT([$ax_pthread_ok]) - if test x"$ax_pthread_ok" = xno; then - PTHREAD_LIBS="" - PTHREAD_CFLAGS="" - fi - LIBS="$save_LIBS" - CFLAGS="$save_CFLAGS" -fi - -# We must check for the threads library under a number of different -# names; the ordering is very important because some systems -# (e.g. DEC) have both -lpthread and -lpthreads, where one of the -# libraries is broken (non-POSIX). - -# Create a list of thread flags to try. Items starting with a "-" are -# C compiler flags, and other items are library names, except for "none" -# which indicates that we try without any flags at all, and "pthread-config" -# which is a program returning the flags for the Pth emulation library. - -ax_pthread_flags="pthreads none -Kthread -kthread lthread -pthread -pthreads -mthreads pthread --thread-safe -mt pthread-config" - -# The ordering *is* (sometimes) important. Some notes on the -# individual items follow: - -# pthreads: AIX (must check this before -lpthread) -# none: in case threads are in libc; should be tried before -Kthread and -# other compiler flags to prevent continual compiler warnings -# -Kthread: Sequent (threads in libc, but -Kthread needed for pthread.h) -# -kthread: FreeBSD kernel threads (preferred to -pthread since SMP-able) -# lthread: LinuxThreads port on FreeBSD (also preferred to -pthread) -# -pthread: Linux/gcc (kernel threads), BSD/gcc (userland threads) -# -pthreads: Solaris/gcc -# -mthreads: Mingw32/gcc, Lynx/gcc -# -mt: Sun Workshop C (may only link SunOS threads [-lthread], but it -# doesn't hurt to check since this sometimes defines pthreads too; -# also defines -D_REENTRANT) -# ... -mt is also the pthreads flag for HP/aCC -# pthread: Linux, etcetera -# --thread-safe: KAI C++ -# pthread-config: use pthread-config program (for GNU Pth library) - -case ${host_os} in - solaris*) - - # On Solaris (at least, for some versions), libc contains stubbed - # (non-functional) versions of the pthreads routines, so link-based - # tests will erroneously succeed. (We need to link with -pthreads/-mt/ - # -lpthread.) (The stubs are missing pthread_cleanup_push, or rather - # a function called by this macro, so we could check for that, but - # who knows whether they'll stub that too in a future libc.) So, - # we'll just look for -pthreads and -lpthread first: - - ax_pthread_flags="-pthreads pthread -mt -pthread $ax_pthread_flags" - ;; - - darwin*) - ax_pthread_flags="-pthread $ax_pthread_flags" - ;; -esac - -# Clang doesn't consider unrecognized options an error unless we specify -# -Werror. We throw in some extra Clang-specific options to ensure that -# this doesn't happen for GCC, which also accepts -Werror. - -AC_MSG_CHECKING([if compiler needs -Werror to reject unknown flags]) -save_CFLAGS="$CFLAGS" -ax_pthread_extra_flags="-Werror" -CFLAGS="$CFLAGS $ax_pthread_extra_flags -Wunknown-warning-option -Wsizeof-array-argument" -AC_COMPILE_IFELSE([AC_LANG_PROGRAM([int foo(void);],[foo()])], - [AC_MSG_RESULT([yes])], - [ax_pthread_extra_flags= - AC_MSG_RESULT([no])]) -CFLAGS="$save_CFLAGS" - -if test x"$ax_pthread_ok" = xno; then -for flag in $ax_pthread_flags; do - - case $flag in - none) - AC_MSG_CHECKING([whether pthreads work without any flags]) - ;; - - -*) - AC_MSG_CHECKING([whether pthreads work with $flag]) - PTHREAD_CFLAGS="$flag" - ;; - - pthread-config) - AC_CHECK_PROG([ax_pthread_config], [pthread-config], [yes], [no]) - if test x"$ax_pthread_config" = xno; then continue; fi - PTHREAD_CFLAGS="`pthread-config --cflags`" - PTHREAD_LIBS="`pthread-config --ldflags` `pthread-config --libs`" - ;; - - *) - AC_MSG_CHECKING([for the pthreads library -l$flag]) - PTHREAD_LIBS="-l$flag" - ;; - esac - - save_LIBS="$LIBS" - save_CFLAGS="$CFLAGS" - LIBS="$PTHREAD_LIBS $LIBS" - CFLAGS="$CFLAGS $PTHREAD_CFLAGS $ax_pthread_extra_flags" - - # Check for various functions. We must include pthread.h, - # since some functions may be macros. (On the Sequent, we - # need a special flag -Kthread to make this header compile.) - # We check for pthread_join because it is in -lpthread on IRIX - # while pthread_create is in libc. We check for pthread_attr_init - # due to DEC craziness with -lpthreads. We check for - # pthread_cleanup_push because it is one of the few pthread - # functions on Solaris that doesn't have a non-functional libc stub. - # We try pthread_create on general principles. - AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <pthread.h> - static void routine(void *a) { a = 0; } - static void *start_routine(void *a) { return a; }], - [pthread_t th; pthread_attr_t attr; - pthread_create(&th, 0, start_routine, 0); - pthread_join(th, 0); - pthread_attr_init(&attr); - pthread_cleanup_push(routine, 0); - pthread_cleanup_pop(0) /* ; */])], - [ax_pthread_ok=yes], - []) - - LIBS="$save_LIBS" - CFLAGS="$save_CFLAGS" - - AC_MSG_RESULT([$ax_pthread_ok]) - if test "x$ax_pthread_ok" = xyes; then - break; - fi - - PTHREAD_LIBS="" - PTHREAD_CFLAGS="" -done -fi - -# Various other checks: -if test "x$ax_pthread_ok" = xyes; then - save_LIBS="$LIBS" - LIBS="$PTHREAD_LIBS $LIBS" - save_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS $PTHREAD_CFLAGS" - - # Detect AIX lossage: JOINABLE attribute is called UNDETACHED. - AC_MSG_CHECKING([for joinable pthread attribute]) - attr_name=unknown - for attr in PTHREAD_CREATE_JOINABLE PTHREAD_CREATE_UNDETACHED; do - AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <pthread.h>], - [int attr = $attr; return attr /* ; */])], - [attr_name=$attr; break], - []) - done - AC_MSG_RESULT([$attr_name]) - if test "$attr_name" != PTHREAD_CREATE_JOINABLE; then - AC_DEFINE_UNQUOTED([PTHREAD_CREATE_JOINABLE], [$attr_name], - [Define to necessary symbol if this constant - uses a non-standard name on your system.]) - fi - - AC_MSG_CHECKING([if more special flags are required for pthreads]) - flag=no - case ${host_os} in - aix* | freebsd* | darwin*) flag="-D_THREAD_SAFE";; - osf* | hpux*) flag="-D_REENTRANT";; - solaris*) - if test "$GCC" = "yes"; then - flag="-D_REENTRANT" - else - # TODO: What about Clang on Solaris? - flag="-mt -D_REENTRANT" - fi - ;; - esac - AC_MSG_RESULT([$flag]) - if test "x$flag" != xno; then - PTHREAD_CFLAGS="$flag $PTHREAD_CFLAGS" - fi - - AC_CACHE_CHECK([for PTHREAD_PRIO_INHERIT], - [ax_cv_PTHREAD_PRIO_INHERIT], [ - AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <pthread.h>]], - [[int i = PTHREAD_PRIO_INHERIT;]])], - [ax_cv_PTHREAD_PRIO_INHERIT=yes], - [ax_cv_PTHREAD_PRIO_INHERIT=no]) - ]) - AS_IF([test "x$ax_cv_PTHREAD_PRIO_INHERIT" = "xyes"], - [AC_DEFINE([HAVE_PTHREAD_PRIO_INHERIT], [1], [Have PTHREAD_PRIO_INHERIT.])]) - - LIBS="$save_LIBS" - CFLAGS="$save_CFLAGS" - - # More AIX lossage: compile with *_r variant - if test "x$GCC" != xyes; then - case $host_os in - aix*) - AS_CASE(["x/$CC"], - [x*/c89|x*/c89_128|x*/c99|x*/c99_128|x*/cc|x*/cc128|x*/xlc|x*/xlc_v6|x*/xlc128|x*/xlc128_v6], - [#handle absolute path differently from PATH based program lookup - AS_CASE(["x$CC"], - [x/*], - [AS_IF([AS_EXECUTABLE_P([${CC}_r])],[PTHREAD_CC="${CC}_r"])], - [AC_CHECK_PROGS([PTHREAD_CC],[${CC}_r],[$CC])])]) - ;; - esac - fi -fi - -test -n "$PTHREAD_CC" || PTHREAD_CC="$CC" - -AC_SUBST([PTHREAD_LIBS]) -AC_SUBST([PTHREAD_CFLAGS]) -AC_SUBST([PTHREAD_CC]) - -# Finally, execute ACTION-IF-FOUND/ACTION-IF-NOT-FOUND: -if test x"$ax_pthread_ok" = xyes; then - ifelse([$1],,[AC_DEFINE([HAVE_PTHREAD],[1],[Define if you have POSIX threads libraries and header files.])],[$1]) - : -else - ax_pthread_ok=no - $2 -fi -AC_LANG_POP -])dnl AX_PTHREAD diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fix_musl_select_include.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fix_musl_select_include.patch deleted file mode 100644 index ecaca6ea57..0000000000 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fix_musl_select_include.patch +++ /dev/null @@ -1,31 +0,0 @@ -This fixes musl build issue do to missing FD_* defines. -Add sys/select.h - -Upstream-Status: Pending - -Signed-off-by: Armin Kuster <akuster@mvista.com> - -Index: TPM2.0-TSS/tcti/tcti_socket.cpp -=================================================================== ---- TPM2.0-TSS.orig/tcti/tcti_socket.cpp -+++ TPM2.0-TSS/tcti/tcti_socket.cpp -@@ -28,6 +28,7 @@ - #include <stdio.h> - #include <stdlib.h> // Needed for _wtoi - -+#include "sys/select.h" - #include <sapi/tpm20.h> - #include <tcti/tcti_socket.h> - #include "sysapi_util.h" -Index: TPM2.0-TSS/resourcemgr/resourcemgr.c -=================================================================== ---- TPM2.0-TSS.orig/resourcemgr/resourcemgr.c -+++ TPM2.0-TSS/resourcemgr/resourcemgr.c -@@ -28,6 +28,7 @@ - #include <stdio.h> - #include <stdlib.h> // Needed for _wtoi - -+#include "sys/select.h" - #include <sapi/tpm20.h> - #include <tcti/tcti_device.h> - #include <tcti/tcti_socket.h> diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fixup_hosttools.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fixup_hosttools.patch index b5579e1b93..450698ff64 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fixup_hosttools.patch +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fixup_hosttools.patch @@ -5,22 +5,25 @@ Not appropriate for cross build env. Upstream-Status: OE [inappropriate] Signed-off-by: Armin Kuster <akuster808@gmail.com> -Index: tpm2-tss-3.1.0/configure.ac +Index: tpm2-tss-3.2.0/configure.ac =================================================================== ---- tpm2-tss-3.1.0.orig/configure.ac -+++ tpm2-tss-3.1.0/configure.ac -@@ -471,14 +471,6 @@ AM_CONDITIONAL(SYSD_SYSUSERS, test "x$sy +--- tpm2-tss-3.2.0.orig/configure.ac ++++ tpm2-tss-3.2.0/configure.ac +@@ -488,17 +488,6 @@ AC_CHECK_PROG(systemd_tmpfiles, systemd-tmpfiles, yes) AM_CONDITIONAL(SYSD_TMPFILES, test "x$systemd_tmpfiles" = "xyes") - # Check all tools used by make install --AS_IF([test "$HOSTOS" = "Linux"], -- [ERROR_IF_NO_PROG([groupadd]) -- ERROR_IF_NO_PROG([useradd]) -- ERROR_IF_NO_PROG([id]) -- ERROR_IF_NO_PROG([chown]) -- ERROR_IF_NO_PROG([chmod]) -- ERROR_IF_NO_PROG([mkdir]) -- ERROR_IF_NO_PROG([setfacl])]) +-# Check all tools used by make install +-AS_IF([test "$HOSTOS" = "Linux"], +- [ AC_CHECK_PROG(useradd, useradd, yes) +- AC_CHECK_PROG(groupadd, groupadd, yes) +- AC_CHECK_PROG(adduser, adduser, yes) +- AC_CHECK_PROG(addgroup, addgroup, yes) +- AS_IF([test "x$addgroup" != "xyes" && test "x$groupadd" != "xyes" ], +- [AC_MSG_ERROR([addgroup or groupadd are needed.])]) +- AS_IF([test "x$adduser" != "xyes" && test "x$useradd" != "xyes" ], +- [AC_MSG_ERROR([adduser or useradd are needed.])])]) +- AC_SUBST([PATH]) + dnl --------- Doxy Gen ----------------------- diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.1.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.2.0.bb index ddcfb58ea8..8440bb9e9f 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.1.0.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.2.0.bb @@ -10,7 +10,7 @@ SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN file://fixup_hosttools.patch \ " -SRC_URI[sha256sum] = "8900a6603f74310b749b65f23c3461cde6e2a23a5f61058b21004c25f9cf19e8" +SRC_URI[sha256sum] = "48305e4144dcf6d10f3b25b7bccf0189fd2d1186feafd8cd68c6b17ecf0d7912" inherit autotools pkgconfig systemd useradd @@ -26,6 +26,11 @@ USERADD_PACKAGES = "${PN}" GROUPADD_PARAM:${PN} = "--system tss" USERADD_PARAM:${PN} = "--system -M -d /var/lib/tpm -s /bin/false -g tss tss" +do_configure:prepend() { + # do not extract the version number from git + sed -i -e 's/m4_esyscmd_s(\[git describe --tags --always --dirty\])/${PV}/' ${S}/configure.ac +} + do_install:append() { # Remove /run as it is created on startup rm -rf ${D}/run diff --git a/meta-security/recipes-ids/aide/aide_0.17.3.bb b/meta-security/recipes-ids/aide/aide_0.17.3.bb index fbfa8a7d07..b1fb58db3e 100644 --- a/meta-security/recipes-ids/aide/aide_0.17.3.bb +++ b/meta-security/recipes-ids/aide/aide_0.17.3.bb @@ -1,7 +1,7 @@ SUMMARY = "Advanced Intrusion Detection Environment" HOMEPAGE = "https://aide.github.io" LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" -LICENSE = "GPL-2.0" +LICENSE = "GPL-2.0-only" DEPENDS = "bison-native libpcre" diff --git a/meta-security/recipes-ids/ossec/ossec-hids_3.6.0.bb b/meta-security/recipes-ids/ossec/ossec-hids_3.6.0.bb index 853facf38e..b0759b10ef 100644 --- a/meta-security/recipes-ids/ossec/ossec-hids_3.6.0.bb +++ b/meta-security/recipes-ids/ossec/ossec-hids_3.6.0.bb @@ -1,5 +1,5 @@ SUMMARY = "A full platform to monitor and control your systems" -LICENSE = "GPL-2.0" +LICENSE = "GPL-2.0-only" LIC_FILES_CHKSUM = "file://LICENSE;md5=d625d1520b5e38faefb81cf9772badc9" diff --git a/meta-security/recipes-ids/samhain/samhain.inc b/meta-security/recipes-ids/samhain/samhain.inc index 5c1d6f57a7..df9e215b8c 100644 --- a/meta-security/recipes-ids/samhain/samhain.inc +++ b/meta-security/recipes-ids/samhain/samhain.inc @@ -1,6 +1,6 @@ DESCRIPTION = "Provides file integrity checking and log file monitoring/analysis" HOMEPAGE = "http://www.la-samhna.de/samhain/" -LICENSE = "GPL-2.0-or-later" +LICENSE = "GPL-2.0-only" LIC_FILES_CHKSUM = "file://LICENSE;md5=8ca43cbc842c2336e835926c2166c28b" PV = "4.4.7" diff --git a/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb b/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb index 5bb0e3e209..9149e89232 100644 --- a/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb +++ b/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb @@ -3,7 +3,7 @@ DESCRIPTION = "Open Source Tripwire® software is a security and data \ integrity tool useful for monitoring and alerting on specific file change(s) on a range of systems" HOMEPAGE="http://sourceforge.net/projects/tripwire" SECTION = "security Monitor/Admin" -LICENSE = "GPLv2" +LICENSE = "GPL-2.0-only" LIC_FILES_CHKSUM = "file://COPYING;md5=1c069be8dbbe48e89b580ab4ed86c127" SRCREV = "6e64a9e5b70a909ec439bc5a099e3fcf38c614b0" diff --git a/meta-security/recipes-mac/AppArmor/apparmor_3.0.4.bb b/meta-security/recipes-mac/AppArmor/apparmor_3.0.4.bb index 8ad3c76ae1..046a3a0915 100644 --- a/meta-security/recipes-mac/AppArmor/apparmor_3.0.4.bb +++ b/meta-security/recipes-mac/AppArmor/apparmor_3.0.4.bb @@ -8,7 +8,7 @@ DESCRIPTION = "user-space parser utility for AppArmor \ HOMEAPAGE = "http://apparmor.net/" SECTION = "admin" -LICENSE = "GPLv2 & GPLv2+ & BSD-3-Clause & LGPLv2.1+" +LICENSE = "GPL-2.0-only & GPL-2.0-or-later & BSD-3-Clause & LGPL-2.1-or-later" LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=fd57a4b0bc782d7b80fd431f10bbf9d0" DEPENDS = "bison-native apr gettext-native coreutils-native swig-native" diff --git a/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.4.bb b/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.4.bb index 08da24ad2c..8d148bb379 100644 --- a/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.4.bb +++ b/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.4.bb @@ -2,7 +2,7 @@ SUMMARY = "Tomoyo" DESCRIPTION = "TOMOYO Linux is a Mandatory Access Control (MAC) implementation for Linux that can be used to increase the security of a system, while also being useful purely as a system analysis tool. \nTo start via command line add: \nsecurity=tomoyo TOMOYO_trigger=/usr/lib/systemd/systemd \nTo initialize: \n/usr/lib/ccs/init_policy" SECTION = "security" -LICENSE = "GPL-2.0" +LICENSE = "GPL-2.0-only" LIC_FILES_CHKSUM = "file://COPYING.ccs;md5=751419260aa954499f7abaabaa882bbe" DEPENDS = "ncurses" diff --git a/meta-security/recipes-mac/smack/smack_1.3.1.bb b/meta-security/recipes-mac/smack/smack_1.3.1.bb index 7a8ca7859d..6c52392908 100644 --- a/meta-security/recipes-mac/smack/smack_1.3.1.bb +++ b/meta-security/recipes-mac/smack/smack_1.3.1.bb @@ -1,7 +1,7 @@ DESCRIPTION = "Selection of tools for developers working with Smack" HOMEPAGE = "https://github.com/smack-team/smack" SECTION = "Security/Access Control" -LICENSE = "LGPL-2.1" +LICENSE = "LGPL-2.1-only" LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c" diff --git a/meta-security/recipes-perl/perl/lib-perl_0.63.bb b/meta-security/recipes-perl/perl/lib-perl_0.63.bb index 7895864be1..4c964d5c1b 100644 --- a/meta-security/recipes-perl/perl/lib-perl_0.63.bb +++ b/meta-security/recipes-perl/perl/lib-perl_0.63.bb @@ -4,7 +4,7 @@ directories to Perl's search path so that later 'use' or 'require' statements \ will find modules which are not located in the default search path." SECTION = "libs" -LICENSE = "Artistic-1.0 | GPL-1.0+" +LICENSE = "Artistic-1.0 | GPL-1.0-or-later" PR = "r0" LIC_FILES_CHKSUM = "file://README;beginline=26;endline=30;md5=94b119f1a7b8d611efc89b5d562a1a50" diff --git a/meta-security/recipes-scanners/buck-security/buck-security_0.7.bb b/meta-security/recipes-scanners/buck-security/buck-security_0.7.bb index 63e4d7a8b8..881c2a3948 100644 --- a/meta-security/recipes-scanners/buck-security/buck-security_0.7.bb +++ b/meta-security/recipes-scanners/buck-security/buck-security_0.7.bb @@ -2,7 +2,7 @@ SUMMARY = "Linux security scanner" DESCRIPTION = "Buck-Security is a security scanner for Debian and Ubuntu Linux. It runs a couple of important checks and helps you to harden your Linux \ system. This enables you to quickly overview the security status of your Linux system." SECTION = "security" -LICENSE = "GPL-2.0" +LICENSE = "GPL-2.0-only" LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6" SRC_URI = "http://sourceforge.net/projects/buck-security/files/buck-security/buck-security_${PV}/${BPN}_${PV}.tar.gz" diff --git a/meta-security/recipes-scanners/checksecurity/checksecurity_2.0.15.bb b/meta-security/recipes-scanners/checksecurity/checksecurity_2.0.15.bb index 9a1d77a0c1..e053a150b8 100644 --- a/meta-security/recipes-scanners/checksecurity/checksecurity_2.0.15.bb +++ b/meta-security/recipes-scanners/checksecurity/checksecurity_2.0.15.bb @@ -1,7 +1,7 @@ SUMMARY = "basic system security checks" DESCRIPTION = "checksecurity is a simple package which will scan your system for several simple security holes." SECTION = "security" -LICENSE = "GPL-2.0" +LICENSE = "GPL-2.0-only" LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6" SRC_URI = "http://ftp.de.debian.org/debian/pool/main/c/checksecurity/checksecurity_${PV}.tar.gz \ diff --git a/meta-security/recipes-security/aircrack-ng/aircrack-ng_1.6.bb b/meta-security/recipes-security/aircrack-ng/aircrack-ng_1.6.bb index f76f1df292..d3722c05f1 100644 --- a/meta-security/recipes-security/aircrack-ng/aircrack-ng_1.6.bb +++ b/meta-security/recipes-security/aircrack-ng/aircrack-ng_1.6.bb @@ -1,7 +1,7 @@ SUMMARY = "Aircrack-ng is a set of tools for auditing wireless networks" DESCRIPTION = "Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the PTW attack, thus making the attack much faster compared to other WEP cracking tools." SECTION = "security" -LICENSE = "GPL-2.0" +LICENSE = "GPL-2.0-only" LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=1fbd81241fe252ec0f5658a521ab7dd8" diff --git a/meta-security/recipes-security/chipsec/chipsec_git.bb b/meta-security/recipes-security/chipsec/chipsec_git.bb index 156be09fc7..d6c3ff28af 100644 --- a/meta-security/recipes-security/chipsec/chipsec_git.bb +++ b/meta-security/recipes-security/chipsec/chipsec_git.bb @@ -4,7 +4,7 @@ DESCRIPTION = "CHIPSEC is a framework for analyzing the security \ of PC platforms including hardware, system firmware \ (BIOS/UEFI), and platform components." -LICENSE = "GPLv2" +LICENSE = "GPL-2.0-only" LIC_FILES_CHKSUM = "file://COPYING;md5=bc2d1f9b427be5fb63f6af9da56f7c5d" SRC_URI = "git://github.com/chipsec/chipsec.git;branch=master;protocol=https \ diff --git a/meta-security/recipes-security/libmspack/libmspack_1.9.1.bb b/meta-security/recipes-security/libmspack/libmspack_1.9.1.bb index 65db10f976..1b91f46b6c 100644 --- a/meta-security/recipes-security/libmspack/libmspack_1.9.1.bb +++ b/meta-security/recipes-security/libmspack/libmspack_1.9.1.bb @@ -1,7 +1,7 @@ SUMMARY = "A library for Microsoft compression formats" HOMEPAGE = "http://www.cabextract.org.uk/libmspack/" SECTION = "lib" -LICENSE = "LGPL-2.1" +LICENSE = "LGPL-2.1-only" DEPENDS = "" LIC_FILES_CHKSUM = "file://COPYING.LIB;beginline=1;endline=2;md5=5b1fd1f66ef926b3c8a5bb00a72a28dd" diff --git a/meta-security/recipes-security/ncrack/ncrack_0.7.bb b/meta-security/recipes-security/ncrack/ncrack_0.7.bb index f151e4e139..8e6b444a2f 100644 --- a/meta-security/recipes-security/ncrack/ncrack_0.7.bb +++ b/meta-security/recipes-security/ncrack/ncrack_0.7.bb @@ -3,7 +3,7 @@ DESCRIPTION = "Ncrack is designed for high-speed parallel testing of network dev HOMEPAGE = "https://nmap.org/ncrack" SECTION = "security" -LICENSE = "GPL-2.0" +LICENSE = "GPL-2.0-only" LIC_FILES_CHKSUM = "file://COPYING;beginline=7;endline=12;md5=66938a7e5b4c118eda78271de14874c2" SRCREV = "dc570e7e3cec1fb176c0168eaedc723084bd0426" diff --git a/meta-security/recipes-security/paxctl/paxctl_0.9.bb b/meta-security/recipes-security/paxctl/paxctl_0.9.bb index 55a0dcac9e..5c9aff1558 100644 --- a/meta-security/recipes-security/paxctl/paxctl_0.9.bb +++ b/meta-security/recipes-security/paxctl/paxctl_0.9.bb @@ -3,7 +3,7 @@ DESCRIPTION = "paxctl is a tool that allows PaX flags to be modified on a \ kernel patches and secure distributions, such as \ GrSecurity or Adamantix and Hardened Gen-too, respectively." HOMEPAGE = "https://pax.grsecurity.net/" -LICENSE = "GPLv2" +LICENSE = "GPL-2.0-only" LIC_FILES_CHKSUM = "file://paxctl.c;beginline=1;endline=5;md5=0ddd065c61020dda79729e6bedaed2c7 \ file://paxctl-elf.c;beginline=1;endline=5;md5=99f453ce7f6d1687ee808982e2924813 \ " diff --git a/meta-security/recipes-security/redhat-security/redhat-security_1.0.bb b/meta-security/recipes-security/redhat-security/redhat-security_1.0.bb index d6d4cea18f..c47688fa79 100644 --- a/meta-security/recipes-security/redhat-security/redhat-security_1.0.bb +++ b/meta-security/recipes-security/redhat-security/redhat-security_1.0.bb @@ -1,7 +1,7 @@ SUMMARY = "redhat security tools" DESCRIPTION = "Tools used by redhat linux distribution for security checks" SECTION = "security" -LICENSE = "GPLv2" +LICENSE = "GPL-2.0-only" LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6" SRC_URI = "file://find-chroot-py.sh \ |