diff options
Diffstat (limited to 'meta-security/meta-tpm')
16 files changed, 70 insertions, 1898 deletions
diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb index 2b969edd44..e3e643e005 100644 --- a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb +++ b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb @@ -2,7 +2,7 @@ DESCRIPTION = "OpenSSL secure engine based on TPM hardware" HOMEPAGE = "https://github.com/mgerstner/openssl_tpm_engine" SECTION = "security/tpm" -LICENSE = "openssl" +LICENSE = "OpenSSL" LIC_FILES_CHKSUM = "file://LICENSE;md5=11f0ee3af475c85b907426e285c9bb52" DEPENDS += "openssl trousers" diff --git a/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb b/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb index 77f65aefd6..45da416a78 100644 --- a/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb +++ b/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb @@ -1,7 +1,7 @@ SUMMARY = "Command line utility to extend hash of arbitrary data into a TPMs PCR." HOMEPAGE = "https://github.com/flihp/pcr-extend" SECTION = "security/tpm" -LICENSE = "GPLv2" +LICENSE = "GPL-2.0-only" LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" DEPENDS = "libtspi" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.4.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.4.1.bb index 18181712cd..daafae33cb 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.4.0.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.4.1.bb @@ -13,14 +13,12 @@ DEPENDS = "autoconf-archive dbus glib-2.0 tpm2-tss glib-2.0-native \ libtss2 libtss2-mu libtss2-tcti-device libtss2-tcti-mssim" SRC_URI = "\ - git://github.com/tpm2-software/tpm2-abrmd.git;branch=master;protocol=https \ + https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz \ file://tpm2-abrmd-init.sh \ file://tpm2-abrmd.default \ " -SRCREV = "4f332013a02c422e186c4aaf127ab6a40b996028" - -S = "${WORKDIR}/git" +SRC_URI[sha256sum] = "a7844a257eaf5176f612fe9620018edc0880cca7036465ad2593f83ae0ad6673" inherit autotools pkgconfig systemd update-rc.d useradd diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.0.bb deleted file mode 100644 index f6a694ce7a..0000000000 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.0.bb +++ /dev/null @@ -1,11 +0,0 @@ -SUMMARY = "Provider for integration of TPM 2.0 to OpenSSL 3.0" -LICENSE = "BSD-3-Clause" -LIC_FILES_CHKSUM = "file://LICENSE;md5=b75785ac083d3c3ca04d99d9e4e1fbab" - -SRC_URI = "git://github.com/tpm2-software/tpm2-openssl.git;protocol=https;branch=master" - -SRCREV = "66e34f9e45c3697590cced1e4d3f35993a822f8b" - -S = "${WORKDIR}/git" - -inherit pkgconfig diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.1.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.1.0.bb new file mode 100644 index 0000000000..55061c9103 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.1.0.bb @@ -0,0 +1,19 @@ +SUMMARY = "Provider for integration of TPM 2.0 to OpenSSL 3.0" +LICENSE = "BSD-3-Clause" +LIC_FILES_CHKSUM = "file://LICENSE;md5=b75785ac083d3c3ca04d99d9e4e1fbab" + +DEPENDS = "autoconf-archive-native tpm2-tss openssl" + +SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz" + +SRC_URI[sha256sum] = "eedcc0b72ad6d232e6f9f55a780290c4d33a4d06efca9314f8a36d7384eb1dfc" + +inherit autotools pkgconfig + +do_configure:prepend() { + # do not extract the version number from git + sed -i -e 's/m4_esyscmd_s(\[git describe --tags --always --dirty\])/${PV}/' ${S}/configure.ac +} + +FILES:${PN} = "\ + ${libdir}/ossl-modules/tpm2.so" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-remove-local-binary-checkes.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-remove-local-binary-checkes.patch deleted file mode 100644 index 9d3f073e0a..0000000000 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-remove-local-binary-checkes.patch +++ /dev/null @@ -1,77 +0,0 @@ -From 9e3ef6f253f9427596baf3e7d748a79854cadfa9 Mon Sep 17 00:00:00 2001 -From: Armin Kuster <akuster808@gmail.com> -Date: Wed, 14 Oct 2020 08:55:33 -0700 -Subject: [PATCH] remove local binary checkes - -Signed-off-by: Armin Kuster <akuster808@gmail.com> - -Upsteam-Status: Inappropriate -These are only needed to run on the tartget so we add an RDPENDS. -Not needed for building. - ---- - configure.ac | 48 ------------------------------------------------ - 1 file changed, 48 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 50e7d4b..2b9abcf 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -219,54 +219,6 @@ AX_PROG_JAVAC() - AX_PROG_JAVA() - m4_popdef([AC_MSG_ERROR]) - --AC_CHECK_PROG([tpm2_createprimary], [tpm2_createprimary], [yes], [no]) -- AS_IF([test "x$tpm2_createprimary" != "xyes"], -- [AC_MSG_ERROR([tpm2_ptool requires tpm2_createprimary, but executable not found.])]) -- --AC_CHECK_PROG([tpm2_create], [tpm2_create], [yes], [no]) -- AS_IF([test "x$tpm2_create" != "xyes"], -- [AC_MSG_ERROR([tpm2_ptool requires tpm2_create, but executable not found.])]) -- --AC_CHECK_PROG([tpm2_evictcontrol], [tpm2_evictcontrol], [yes], [no]) -- AS_IF([test "x$tpm2_evictcontrol" != "xyes"], -- [AC_MSG_ERROR([tpm2_ptool requires tpm2_evictcontrol, but executable not found.])]) -- --AC_CHECK_PROG([tpm2_readpublic], [tpm2_readpublic], [yes], [no]) -- AS_IF([test "x$tpm2_readpublic" != "xyes"], -- [AC_MSG_ERROR([tpm2_ptool requires tpm2_readpublic, but executable not found.])]) -- --AC_CHECK_PROG([tpm2_load], [tpm2_load], [yes], [no]) -- AS_IF([test "x$tpm2_load" != "xyes"], -- [AC_MSG_ERROR([tpm2_ptool requires tpm2_load, but executable not found.])]) -- --AC_CHECK_PROG([tpm2_loadexternal], [tpm2_loadexternal], [yes], [no]) -- AS_IF([test "x$tpm2_loadexternal" != "xyes"], -- [AC_MSG_ERROR([tpm2_ptool requires tpm2_loadexternal, but executable not found.])]) -- --AC_CHECK_PROG([tpm2_unseal], [tpm2_unseal], [yes], [no]) -- AS_IF([test "x$tpm2_unseal" != "xyes"], -- [AC_MSG_ERROR([tpm2_ptool requires tpm2_unseal, but executable not found.])]) -- --AC_CHECK_PROG([tpm2_encryptdecrypt], [tpm2_encryptdecrypt], [yes], [no]) -- AS_IF([test "x$tpm2_encryptdecrypt" != "xyes"], -- [AC_MSG_ERROR([tpm2_ptool requires tpm2_encryptdecrypt, but executable not found.])]) -- --AC_CHECK_PROG([tpm2_sign], [tpm2_sign], [yes], [no]) -- AS_IF([test "x$tpm2_sign" != "xyes"], -- [AC_MSG_ERROR([tpm2_ptool requires tpm2_sign, but executable not found.])]) -- --AC_CHECK_PROG([tpm2_getcap], [tpm2_getcap], [yes], [no]) -- AS_IF([test "x$tpm2_getcap" != "xyes"], -- [AC_MSG_ERROR([tpm2_ptool requires tpm2_getcap, but executable not found.])]) -- --AC_CHECK_PROG([tpm2_import], [tpm2_import], [yes], [no]) -- AS_IF([test "x$tpm2_import" != "xyes"], -- [AC_MSG_ERROR([tpm2_ptool requires tpm2_import, but executable not found.])]) -- --AC_CHECK_PROG([tpm2_changeauth], [tpm2_changeauth], [yes], [no]) -- AS_IF([test "x$tpm2_changeauth" != "xyes"], -- [AC_MSG_ERROR([tpm2_ptool requires tpm2_changeauth, but executable not found.])]) -- - AC_DEFUN([integration_test_checks], [ - - PKG_CHECK_MODULES([OPENSC_PKCS11],[opensc-pkcs11],, --- -2.17.1 - diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-ssl-compile-against-OSSL-3.0.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-ssl-compile-against-OSSL-3.0.patch deleted file mode 100644 index ac2f92c90e..0000000000 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-ssl-compile-against-OSSL-3.0.patch +++ /dev/null @@ -1,1305 +0,0 @@ -From f7a2e90e80fd8b4c43042f8099e821b4118234d1 Mon Sep 17 00:00:00 2001 -From: William Roberts <william.c.roberts@intel.com> -Date: Fri, 3 Sep 2021 11:24:40 -0500 -Subject: [PATCH 1/2] ssl: compile against OSSL 3.0 - -Compile against OpenSSL. This moves functions non-deprecated things if -possible and ignores deprecation warnings when not. Padding manipulation -routines seem to have been marked deprecated in OSSL 3.0, so we need to -figure out a porting strategy here. - -Fixes: #686 - -Signed-off-by: William Roberts <william.c.roberts@intel.com> - -Upstream-Status: Backport -Signed-off-by: Armin Kuster <akuster808@gmail.com> - ---- - src/lib/backend_esysdb.c | 5 +- - src/lib/backend_fapi.c | 5 +- - src/lib/encrypt.c | 2 +- - src/lib/mech.c | 72 +--- - src/lib/object.c | 3 +- - src/lib/sign.c | 2 +- - src/lib/ssl_util.c | 531 ++++++++++++++++-------- - src/lib/ssl_util.h | 31 +- - src/lib/tpm.c | 6 +- - src/lib/utils.c | 35 +- - src/lib/utils.h | 13 - - test/integration/pkcs-sign-verify.int.c | 94 ++--- - 12 files changed, 441 insertions(+), 358 deletions(-) - -Index: git/src/lib/backend_esysdb.c -=================================================================== ---- git.orig/src/lib/backend_esysdb.c -+++ git/src/lib/backend_esysdb.c -@@ -3,6 +3,7 @@ - #include "config.h" - #include "backend_esysdb.h" - #include "db.h" -+#include "ssl_util.h" - #include "tpm.h" - - CK_RV backend_esysdb_init(void) { -@@ -308,7 +309,7 @@ CK_RV backend_esysdb_token_unseal_wrappi - } - - twist sealsalt = user ? sealobj->userauthsalt : sealobj->soauthsalt; -- twist sealobjauth = utils_hash_pass(tpin, sealsalt); -+ twist sealobjauth = ssl_util_hash_pass(tpin, sealsalt); - if (!sealobjauth) { - rv = CKR_HOST_MEMORY; - goto error; -@@ -372,7 +373,7 @@ CK_RV backend_esysdb_token_changeauth(to - */ - twist oldsalt = !user ? tok->esysdb.sealobject.soauthsalt : tok->esysdb.sealobject.userauthsalt; - -- twist oldauth = utils_hash_pass(toldpin, oldsalt); -+ twist oldauth = ssl_util_hash_pass(toldpin, oldsalt); - if (!oldauth) { - goto out; - } -Index: git/src/lib/backend_fapi.c -=================================================================== ---- git.orig/src/lib/backend_fapi.c -+++ git/src/lib/backend_fapi.c -@@ -11,6 +11,7 @@ - #include "backend_fapi.h" - #include "emitter.h" - #include "parser.h" -+#include "ssl_util.h" - #include "utils.h" - - #ifdef HAVE_FAPI -@@ -793,7 +794,7 @@ CK_RV backend_fapi_token_unseal_wrapping - } - - twist sealsalt = user ? tok->fapi.userauthsalt : tok->fapi.soauthsalt; -- twist sealobjauth = utils_hash_pass(tpin, sealsalt); -+ twist sealobjauth = ssl_util_hash_pass(tpin, sealsalt); - if (!sealobjauth) { - rv = CKR_HOST_MEMORY; - goto error; -@@ -889,7 +890,7 @@ CK_RV backend_fapi_token_changeauth(toke - } - rv = CKR_GENERAL_ERROR; - -- oldauth = utils_hash_pass(toldpin, user ? tok->fapi.userauthsalt : tok->fapi.soauthsalt); -+ oldauth = ssl_util_hash_pass(toldpin, user ? tok->fapi.userauthsalt : tok->fapi.soauthsalt); - if (!oldauth) { - goto out; - } -Index: git/src/lib/encrypt.c -=================================================================== ---- git.orig/src/lib/encrypt.c -+++ git/src/lib/encrypt.c -@@ -59,7 +59,7 @@ void encrypt_op_data_free(encrypt_op_dat - CK_RV sw_encrypt_data_init(mdetail *mdtl, CK_MECHANISM *mechanism, tobject *tobj, sw_encrypt_data **enc_data) { - - EVP_PKEY *pkey = NULL; -- CK_RV rv = ssl_util_tobject_to_evp(&pkey, tobj); -+ CK_RV rv = ssl_util_attrs_to_evp(tobj->attrs, &pkey); - if (rv != CKR_OK) { - return rv; - } -Index: git/src/lib/mech.c -=================================================================== ---- git.orig/src/lib/mech.c -+++ git/src/lib/mech.c -@@ -693,7 +693,7 @@ CK_RV ecc_keygen_validator(mdetail *m, C - } - - int nid = 0; -- CK_RV rv = ec_params_to_nid(a, &nid); -+ CK_RV rv = ssl_util_params_to_nid(a, &nid); - if (rv != CKR_OK) { - return rv; - } -@@ -857,11 +857,11 @@ CK_RV rsa_pkcs_synthesizer(mdetail *mdtl - } - - /* Apply the PKCS1.5 padding */ -- int rc = RSA_padding_add_PKCS1_type_1(outbuf, padded_len, -- inbuf, inlen); -- if (!rc) { -+ CK_RV rv = ssl_util_add_PKCS1_TYPE_1(inbuf, inlen, -+ outbuf, padded_len); -+ if (rv != CKR_OK) { - LOGE("Applying RSA padding failed"); -- return CKR_GENERAL_ERROR; -+ return rv; - } - - *outlen = padded_len; -@@ -893,22 +893,21 @@ CK_RV rsa_pkcs_unsynthesizer(mdetail *md - size_t key_bytes = *keybits / 8; - - unsigned char buf[4096]; -- int rc = RSA_padding_check_PKCS1_type_2(buf, sizeof(buf), -- inbuf, inlen, -- key_bytes); -- if (rc < 0) { -+ CK_ULONG buflen = sizeof(buf); -+ CK_RV rv = ssl_util_check_PKCS1_TYPE_2(inbuf, inlen, key_bytes, -+ buf, &buflen); -+ if (rv != CKR_OK) { - LOGE("Could not recover CKM_RSA_PKCS Padding"); -- return CKR_GENERAL_ERROR; -+ return rv; - } - -- /* cannot be < 0 because of check above */ -- if (!outbuf || (unsigned)rc > *outlen) { -- *outlen = rc; -+ if (!outbuf || buflen > *outlen) { -+ *outlen = buflen; - return outbuf ? CKR_BUFFER_TOO_SMALL : CKR_OK; - } - -- *outlen = rc; -- memcpy(outbuf, buf, rc); -+ *outlen = buflen; -+ memcpy(outbuf, buf, buflen); - - return CKR_OK; - } -@@ -944,50 +943,21 @@ CK_RV rsa_pss_synthesizer(mdetail *mdtl, - return CKR_GENERAL_ERROR; - } - -- CK_ATTRIBUTE_PTR exp_attr = attr_get_attribute_by_type(attrs, CKA_PUBLIC_EXPONENT); -- if (!exp_attr) { -- LOGE("Signing key has no CKA_PUBLIC_EXPONENT"); -- return CKR_GENERAL_ERROR; -- } -- - if (modulus_attr->ulValueLen > *outlen) { - LOGE("Output buffer is too small, got: %lu, required at least %lu", - *outlen, modulus_attr->ulValueLen); - return CKR_GENERAL_ERROR; - } - -- BIGNUM *e = BN_bin2bn(exp_attr->pValue, exp_attr->ulValueLen, NULL); -- if (!e) { -- LOGE("Could not convert exponent to bignum"); -- return CKR_GENERAL_ERROR; -- } -- -- BIGNUM *n = BN_bin2bn(modulus_attr->pValue, modulus_attr->ulValueLen, NULL); -- if (!n) { -- LOGE("Could not convert modulus to bignum"); -- BN_free(e); -- return CKR_GENERAL_ERROR; -- } -- -- RSA *rsa = RSA_new(); -- if (!rsa) { -- LOGE("oom"); -- return CKR_HOST_MEMORY; -- } -- -- int rc = RSA_set0_key(rsa, n, e, NULL); -- if (!rc) { -- LOGE("Could not set modulus and exponent to OSSL RSA key"); -- BN_free(n); -- BN_free(e); -- RSA_free(rsa); -- return CKR_GENERAL_ERROR; -+ EVP_PKEY *pkey = NULL; -+ rv = ssl_util_attrs_to_evp(attrs, &pkey); -+ if (rv != CKR_OK) { -+ return rv; - } - -- rc = RSA_padding_add_PKCS1_PSS(rsa, outbuf, -- inbuf, md, -1); -- RSA_free(rsa); -- if (!rc) { -+ rv = ssl_util_add_PKCS1_PSS(pkey, inbuf, md, outbuf); -+ EVP_PKEY_free(pkey); -+ if (rv != CKR_OK) { - LOGE("Applying RSA padding failed"); - return CKR_GENERAL_ERROR; - } -Index: git/src/lib/object.c -=================================================================== ---- git.orig/src/lib/object.c -+++ git/src/lib/object.c -@@ -15,6 +15,7 @@ - #include "object.h" - #include "pkcs11.h" - #include "session_ctx.h" -+#include "ssl_util.h" - #include "token.h" - #include "utils.h" - -@@ -121,7 +122,7 @@ CK_RV tobject_get_min_buf_size(tobject * - } - - int nid = 0; -- CK_RV rv = ec_params_to_nid(a, &nid); -+ CK_RV rv = ssl_util_params_to_nid(a, &nid); - if (rv != CKR_OK) { - return rv; - } -Index: git/src/lib/sign.c -=================================================================== ---- git.orig/src/lib/sign.c -+++ git/src/lib/sign.c -@@ -74,7 +74,7 @@ static sign_opdata *sign_opdata_new(mdet - } - - EVP_PKEY *pkey = NULL; -- rv = ssl_util_tobject_to_evp(&pkey, tobj); -+ rv = ssl_util_attrs_to_evp(tobj->attrs, &pkey); - if (rv != CKR_OK) { - return NULL; - } -Index: git/src/lib/ssl_util.c -=================================================================== ---- git.orig/src/lib/ssl_util.c -+++ git/src/lib/ssl_util.c -@@ -10,6 +10,7 @@ - #include <openssl/rsa.h> - #include <openssl/sha.h> - -+#include "attrs.h" - #include "log.h" - #include "pkcs11.h" - #include "ssl_util.h" -@@ -19,194 +20,228 @@ - #include <openssl/evperr.h> - #endif - --#if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11) -+#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST300) -+#include <openssl/core_names.h> -+#endif - - /* -- * Pre openssl 1.1 doesn't have EC_POINT_point2buf, so use EC_POINT_point2oct to -- * create an API compatible version of it. -+ * TODO Port these routines -+ * Deprecated function block to port -+ * -+ * There are no padding routine replacements in OSSL 3.0. -+ * - per Matt Caswell (maintainer) on mailing list. -+ * Signature verification can likely be done with EVP Verify interface. - */ --size_t EC_POINT_point2buf(const EC_GROUP *group, const EC_POINT *point, -- point_conversion_form_t form, -- unsigned char **pbuf, BN_CTX *ctx) { -- -- /* Get the required buffer length */ -- size_t len = EC_POINT_point2oct(group, point, form, NULL, 0, NULL); -- if (!len) { -- return 0; -- } -+#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST300) -+#pragma GCC diagnostic push -+#pragma GCC diagnostic ignored "-Wdeprecated-declarations" -+#endif - -- /* allocate it */ -- unsigned char *buf = OPENSSL_malloc(len); -- if (!buf) { -- return 0; -- } -+CK_RV ssl_util_add_PKCS1_PSS(EVP_PKEY *pkey, -+ const CK_BYTE_PTR inbuf, const EVP_MD *md, -+ CK_BYTE_PTR outbuf) { - -- /* convert it */ -- len = EC_POINT_point2oct(group, point, form, buf, len, ctx); -- if (!len) { -- OPENSSL_free(buf); -- return 0; -+ RSA *rsa = (RSA *)EVP_PKEY_get0_RSA(pkey); -+ if (!rsa) { -+ return CKR_GENERAL_ERROR; - } - -- *pbuf = buf; -- return len; --} -+ int rc = RSA_padding_add_PKCS1_PSS(rsa, outbuf, -+ inbuf, md, -1); - --size_t OBJ_length(const ASN1_OBJECT *obj) { -+ return rc == 1 ? CKR_OK : CKR_GENERAL_ERROR; -+} - -- if (!obj) { -- return 0; -- } -+CK_RV ssl_util_add_PKCS1_TYPE_1(const CK_BYTE_PTR inbuf, CK_ULONG inlen, -+ CK_BYTE_PTR outbuf, CK_ULONG outbuflen) { - -- return obj->length; -+ return RSA_padding_add_PKCS1_type_1(outbuf, outbuflen, -+ inbuf, inlen) == 1 ? CKR_OK : CKR_GENERAL_ERROR; - } - --const unsigned char *OBJ_get0_data(const ASN1_OBJECT *obj) { -+CK_RV ssl_util_check_PKCS1_TYPE_2(const CK_BYTE_PTR inbuf, CK_ULONG inlen, CK_ULONG rsa_len, -+ CK_BYTE_PTR outbuf, CK_ULONG_PTR outbuflen) { - -- if (!obj) { -- return NULL; -+ int rc = RSA_padding_check_PKCS1_type_2(outbuf, *outbuflen, -+ inbuf, inlen, rsa_len); -+ if (rc < 0) { -+ return CKR_GENERAL_ERROR; - } - -- return obj->data; -+ /* cannot be negative due to check above */ -+ *outbuflen = rc; -+ return CKR_OK; - } - --const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x) { -- return ASN1_STRING_data((ASN1_STRING *)x); --} -+#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST300) -+#pragma GCC diagnostic pop -+#endif - --int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) { -+#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST300) - -- if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL)) { -- return 0; -- } -+static CK_RV get_RSA_evp_pubkey(CK_ATTRIBUTE_PTR e_attr, CK_ATTRIBUTE_PTR n_attr, EVP_PKEY **out_pkey) { -+ -+ OSSL_PARAM params[] = { -+ OSSL_PARAM_BN("n", n_attr->pValue, n_attr->ulValueLen), -+ OSSL_PARAM_BN("e", e_attr->pValue, e_attr->ulValueLen), -+ OSSL_PARAM_END -+ }; - -- if (n != NULL) { -- BN_free(r->n); -- r->n = n; -+ /* convert params to EVP key */ -+ EVP_PKEY_CTX *evp_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL); -+ if (!evp_ctx) { -+ SSL_UTIL_LOGE("EVP_PKEY_CTX_new_id"); -+ return CKR_GENERAL_ERROR; - } - -- if (e != NULL) { -- BN_free(r->e); -- r->e = e; -+ int rc = EVP_PKEY_fromdata_init(evp_ctx); -+ if (rc != 1) { -+ SSL_UTIL_LOGE("EVP_PKEY_fromdata_init"); -+ EVP_PKEY_CTX_free(evp_ctx); -+ return CKR_GENERAL_ERROR; - } - -- if (d != NULL) { -- BN_free(r->d); -- r->d = d; -+ rc = EVP_PKEY_fromdata(evp_ctx, out_pkey, EVP_PKEY_PUBLIC_KEY, params); -+ if (rc != 1) { -+ SSL_UTIL_LOGE("EVP_PKEY_fromdata"); -+ EVP_PKEY_CTX_free(evp_ctx); -+ return CKR_GENERAL_ERROR; - } - -- return 1; -+ EVP_PKEY_CTX_free(evp_ctx); -+ -+ return CKR_OK; - } - --int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) { -+static CK_RV get_EC_evp_pubkey(CK_ATTRIBUTE_PTR ecparams, CK_ATTRIBUTE_PTR ecpoint, EVP_PKEY **out_pkey) { -+ -+ /* -+ * The simplest way I have found to deal with this is to convert the ASN1 object in -+ * the ecparams attribute (was done previously with d2i_ECParameters) is to a nid and -+ * then take the int nid and convert it to a friendly name like prime256v1. -+ * EVP_PKEY_fromdata can handle group by name. -+ * -+ * Per the spec this is "DER-encoding of an ANSI X9.62 Parameters value". -+ */ -+ int curve_id = 0; -+ CK_RV rv = ssl_util_params_to_nid(ecparams, &curve_id); -+ if (rv != CKR_OK) { -+ LOGE("Could not get nid from params"); -+ return rv; -+ } - -- if (!r || !s) { -- return 0; -+ /* Per the spec CKA_EC_POINT attribute is the "DER-encoding of ANSI X9.62 ECPoint value Q */ -+ const unsigned char *x = ecpoint->pValue; -+ ASN1_OCTET_STRING *os = d2i_ASN1_OCTET_STRING(NULL, &x, ecpoint->ulValueLen); -+ if (!os) { -+ SSL_UTIL_LOGE("d2i_ASN1_OCTET_STRING: %s"); -+ return CKR_GENERAL_ERROR; - } - -- BN_free(sig->r); -- BN_free(sig->s); -+ OSSL_PARAM params[] = { -+ OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, (char *)OBJ_nid2sn(curve_id), 0), -+ OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PUB_KEY, os->data, os->length), -+ OSSL_PARAM_END -+ }; - -- sig->r = r; -- sig->s = s; -+ /* convert params to EVP key */ -+ EVP_PKEY_CTX *evp_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL); -+ if (!evp_ctx) { -+ SSL_UTIL_LOGE("EVP_PKEY_CTX_new_id"); -+ OPENSSL_free(os); -+ return CKR_GENERAL_ERROR; -+ } - -- return 1; --} -+ int rc = EVP_PKEY_fromdata_init(evp_ctx); -+ if (rc != 1) { -+ SSL_UTIL_LOGE("EVP_PKEY_fromdata_init: %s"); -+ EVP_PKEY_CTX_free(evp_ctx); -+ OPENSSL_free(os); -+ return CKR_GENERAL_ERROR; -+ } - --EC_KEY *EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey) { -- if (pkey->type != EVP_PKEY_EC) { -- return NULL; -+ rc = EVP_PKEY_fromdata(evp_ctx, out_pkey, EVP_PKEY_PUBLIC_KEY, params); -+ if (rc != 1) { -+ SSL_UTIL_LOGE("EVP_PKEY_fromdata"); -+ EVP_PKEY_CTX_free(evp_ctx); -+ OPENSSL_free(os); -+ return CKR_GENERAL_ERROR; - } - -- return pkey->pkey.ec; -+ EVP_PKEY_CTX_free(evp_ctx); -+ OPENSSL_free(os); -+ -+ return CKR_OK; - } --#endif - --static CK_RV convert_pubkey_RSA(RSA **outkey, attr_list *attrs) { -+#else - -- RSA *rsa = NULL; -- BIGNUM *e = NULL, *n = NULL; -+static CK_RV get_RSA_evp_pubkey(CK_ATTRIBUTE_PTR e_attr, CK_ATTRIBUTE_PTR n_attr, EVP_PKEY **out_pkey) { - -- CK_ATTRIBUTE_PTR exp = attr_get_attribute_by_type(attrs, CKA_PUBLIC_EXPONENT); -- if (!exp) { -- LOGE("RSA Object must have attribute CKA_PUBLIC_EXPONENT"); -+ BIGNUM *e = BN_bin2bn(e_attr->pValue, e_attr->ulValueLen, NULL); -+ if (!e) { -+ LOGE("Could not convert exponent to bignum"); - return CKR_GENERAL_ERROR; - } - -- CK_ATTRIBUTE_PTR mod = attr_get_attribute_by_type(attrs, CKA_MODULUS); -- if (!mod) { -- LOGE("RSA Object must have attribute CKA_MODULUS"); -+ BIGNUM *n = BN_bin2bn(n_attr->pValue, n_attr->ulValueLen, NULL); -+ if (!n) { -+ LOGE("Could not convert modulus to bignum"); -+ BN_free(e); - return CKR_GENERAL_ERROR; - } - -- rsa = RSA_new(); -+ RSA *rsa = RSA_new(); - if (!rsa) { -- SSL_UTIL_LOGE("Failed to allocate OpenSSL RSA structure"); -- goto error; -+ LOGE("oom"); -+ return CKR_HOST_MEMORY; - } - -- e = BN_bin2bn(exp->pValue, exp->ulValueLen, NULL); -- if (!e) { -- SSL_UTIL_LOGE("Failed to convert exponent to SSL internal format"); -- goto error; -+ int rc = RSA_set0_key(rsa, n, e, NULL); -+ if (!rc) { -+ LOGE("Could not set modulus and exponent to OSSL RSA key"); -+ BN_free(n); -+ BN_free(e); -+ RSA_free(rsa); -+ return CKR_GENERAL_ERROR; - } - -- n = BN_bin2bn(mod->pValue, mod->ulValueLen, NULL); -- if (!n) { -- SSL_UTIL_LOGE("Failed to convert modulus to SSL internal format"); -- goto error; -+ /* assigned to RSA key */ -+ n = e = NULL; -+ -+ EVP_PKEY *pkey = EVP_PKEY_new(); -+ if (!pkey) { -+ SSL_UTIL_LOGE("EVP_PKEY_new"); -+ RSA_free(rsa); -+ return CKR_GENERAL_ERROR; - } - -- if (!RSA_set0_key(rsa, n, e, NULL)) { -- SSL_UTIL_LOGE("Failed to set RSA modulus and exponent components"); -+ rc = EVP_PKEY_assign_RSA(pkey, rsa); -+ if (rc != 1) { - RSA_free(rsa); -- BN_free(e); -- BN_free(n); -- goto error; -+ EVP_PKEY_free(pkey); -+ return CKR_GENERAL_ERROR; - } - -- *outkey = rsa; -+ *out_pkey = pkey; - - return CKR_OK; -- --error: -- RSA_free(rsa); -- if (e) { -- BN_free(e); -- } -- if (n) { -- BN_free(n); -- } -- -- return CKR_GENERAL_ERROR; - } - --static CK_RV convert_pubkey_ECC(EC_KEY **outkey, attr_list *attrs) { -+static CK_RV get_EC_evp_pubkey(CK_ATTRIBUTE_PTR ecparams, CK_ATTRIBUTE_PTR ecpoint, EVP_PKEY **out_pkey) { - -- EC_KEY *key = EC_KEY_new(); -- if (!key) { -+ EC_KEY *ecc = EC_KEY_new(); -+ if (!ecc) { - LOGE("oom"); - return CKR_HOST_MEMORY; - } - -- CK_ATTRIBUTE_PTR ecparams = attr_get_attribute_by_type(attrs, CKA_EC_PARAMS); -- if (!ecparams) { -- LOGE("ECC Key must have attribute CKA_EC_PARAMS"); -- return CKR_GENERAL_ERROR; -- } -- -- CK_ATTRIBUTE_PTR ecpoint = attr_get_attribute_by_type(attrs, CKA_EC_POINT); -- if (!ecpoint) { -- LOGE("ECC Key must have attribute CKA_EC_POINT"); -- return CKR_GENERAL_ERROR; -- } -- - /* set params */ - const unsigned char *x = ecparams->pValue; -- EC_KEY *k = d2i_ECParameters(&key, &x, ecparams->ulValueLen); -+ EC_KEY *k = d2i_ECParameters(&ecc, &x, ecparams->ulValueLen); - if (!k) { - SSL_UTIL_LOGE("Could not update key with EC Parameters"); -- EC_KEY_free(key); -+ EC_KEY_free(ecc); - return CKR_GENERAL_ERROR; - } - -@@ -215,22 +250,38 @@ static CK_RV convert_pubkey_ECC(EC_KEY * - ASN1_OCTET_STRING *os = d2i_ASN1_OCTET_STRING(NULL, &x, ecpoint->ulValueLen); - if (os) { - x = os->data; -- k = o2i_ECPublicKey(&key, &x, os->length); -+ k = o2i_ECPublicKey(&ecc, &x, os->length); - ASN1_STRING_free(os); - if (!k) { - SSL_UTIL_LOGE("Could not update key with EC Points"); -- EC_KEY_free(key); -+ EC_KEY_free(ecc); - return CKR_GENERAL_ERROR; - } - } - -- *outkey = key; -+ EVP_PKEY *pkey = EVP_PKEY_new(); -+ if (!pkey) { -+ SSL_UTIL_LOGE("EVP_PKEY_new"); -+ EC_KEY_free(ecc); -+ return CKR_GENERAL_ERROR; -+ } -+ -+ int rc = EVP_PKEY_assign_EC_KEY(pkey, ecc); -+ if (!rc) { -+ SSL_UTIL_LOGE("Could not set pkey with ec key"); -+ EC_KEY_free(ecc); -+ EVP_PKEY_free(pkey); -+ return CKR_GENERAL_ERROR; -+ } -+ -+ *out_pkey = pkey; - return CKR_OK; - } -+#endif - --CK_RV ssl_util_tobject_to_evp(EVP_PKEY **outpkey, tobject *obj) { -+CK_RV ssl_util_attrs_to_evp(attr_list *attrs, EVP_PKEY **outpkey) { - -- CK_ATTRIBUTE_PTR a = attr_get_attribute_by_type(obj->attrs, CKA_KEY_TYPE); -+ CK_ATTRIBUTE_PTR a = attr_get_attribute_by_type(attrs, CKA_KEY_TYPE); - if (!a) { - LOGE("Expected object to have attribute CKA_KEY_TYPE"); - return CKR_KEY_TYPE_INCONSISTENT; -@@ -253,44 +304,52 @@ CK_RV ssl_util_tobject_to_evp(EVP_PKEY * - return CKR_OK; - } - -- EVP_PKEY *pkey = EVP_PKEY_new(); -- if (!pkey) { -- LOGE("oom"); -- return CKR_HOST_MEMORY; -- } -+ EVP_PKEY *pkey = NULL; - - if (key_type == CKK_EC) { -- EC_KEY *e = NULL; -- rv = convert_pubkey_ECC(&e, obj->attrs); -- if (rv != CKR_OK) { -- return rv; -+ -+ CK_ATTRIBUTE_PTR ecparams = attr_get_attribute_by_type(attrs, CKA_EC_PARAMS); -+ if (!ecparams) { -+ LOGE("ECC Key must have attribute CKA_EC_PARAMS"); -+ return CKR_GENERAL_ERROR; - } -- int rc = EVP_PKEY_assign_EC_KEY(pkey, e); -- if (!rc) { -- SSL_UTIL_LOGE("Could not set pkey with ec key"); -- EC_KEY_free(e); -- EVP_PKEY_free(pkey); -+ -+ CK_ATTRIBUTE_PTR ecpoint = attr_get_attribute_by_type(attrs, CKA_EC_POINT); -+ if (!ecpoint) { -+ LOGE("ECC Key must have attribute CKA_EC_POINT"); - return CKR_GENERAL_ERROR; - } -- } else if (key_type == CKK_RSA) { -- RSA *r = NULL; -- rv = convert_pubkey_RSA(&r, obj->attrs); -+ -+ rv = get_EC_evp_pubkey(ecparams, ecpoint, &pkey); - if (rv != CKR_OK) { - return rv; - } -- int rc = EVP_PKEY_assign_RSA(pkey, r); -- if (!rc) { -- SSL_UTIL_LOGE("Could not set pkey with rsa key"); -- RSA_free(r); -- EVP_PKEY_free(pkey); -+ -+ } else if (key_type == CKK_RSA) { -+ -+ CK_ATTRIBUTE_PTR exp = attr_get_attribute_by_type(attrs, CKA_PUBLIC_EXPONENT); -+ if (!exp) { -+ LOGE("RSA Object must have attribute CKA_PUBLIC_EXPONENT"); - return CKR_GENERAL_ERROR; - } -+ -+ CK_ATTRIBUTE_PTR mod = attr_get_attribute_by_type(attrs, CKA_MODULUS); -+ if (!mod) { -+ LOGE("RSA Object must have attribute CKA_MODULUS"); -+ return CKR_GENERAL_ERROR; -+ } -+ -+ rv = get_RSA_evp_pubkey(exp, mod, &pkey); -+ if (rv != CKR_OK) { -+ return rv; -+ } -+ - } else { - LOGE("Invalid CKA_KEY_TYPE, got: %lu", key_type); -- EVP_PKEY_free(pkey); - return CKR_KEY_TYPE_INCONSISTENT; - } - -+ assert(pkey); - *outpkey = pkey; - - return CKR_OK; -@@ -406,10 +465,12 @@ CK_RV ssl_util_setup_evp_pkey_ctx(EVP_PK - } - } - -- rc = EVP_PKEY_CTX_set_signature_md(pkey_ctx, md); -- if (!rc) { -- SSL_UTIL_LOGE("EVP_PKEY_CTX_set_signature_md failed"); -- goto error; -+ if (md) { -+ rc = EVP_PKEY_CTX_set_signature_md(pkey_ctx, md); -+ if (!rc) { -+ SSL_UTIL_LOGE("EVP_PKEY_CTX_set_signature_md failed"); -+ goto error; -+ } - } - - *outpkey_ctx = pkey_ctx; -@@ -421,21 +482,12 @@ error: - return CKR_GENERAL_ERROR; - } - --static CK_RV do_sig_verify_rsa(EVP_PKEY *pkey, -- int padding, const EVP_MD *md, -- CK_BYTE_PTR digest, CK_ULONG digest_len, -- CK_BYTE_PTR signature, CK_ULONG signature_len) { -+static CK_RV sig_verify(EVP_PKEY_CTX *ctx, -+ const unsigned char *sig, size_t siglen, -+ const unsigned char *tbs, size_t tbslen) { - - CK_RV rv = CKR_GENERAL_ERROR; -- -- EVP_PKEY_CTX *pkey_ctx = NULL; -- rv = ssl_util_setup_evp_pkey_ctx(pkey, padding, md, -- EVP_PKEY_verify_init, &pkey_ctx); -- if (rv != CKR_OK) { -- return rv; -- } -- -- int rc = EVP_PKEY_verify(pkey_ctx, signature, signature_len, digest, digest_len); -+ int rc = EVP_PKEY_verify(ctx, sig, siglen, tbs, tbslen); - if (rc < 0) { - SSL_UTIL_LOGE("EVP_PKEY_verify failed"); - } else if (rc == 1) { -@@ -444,11 +496,11 @@ static CK_RV do_sig_verify_rsa(EVP_PKEY - rv = CKR_SIGNATURE_INVALID; - } - -- EVP_PKEY_CTX_free(pkey_ctx); - return rv; - } - --static CK_RV create_ecdsa_sig(CK_BYTE_PTR sig, CK_ULONG siglen, ECDSA_SIG **outsig) { -+static CK_RV create_ecdsa_sig(CK_BYTE_PTR sig, CK_ULONG siglen, -+ unsigned char **outbuf, size_t *outlen) { - - if (siglen & 1) { - LOGE("Expected ECDSA signature length to be even, got : %lu", -@@ -487,21 +539,48 @@ static CK_RV create_ecdsa_sig(CK_BYTE_PT - return CKR_GENERAL_ERROR; - } - -- *outsig = ossl_sig; -+ int sig_len =i2d_ECDSA_SIG(ossl_sig, NULL); -+ if (sig_len <= 0) { -+ if (rc < 0) { -+ SSL_UTIL_LOGE("ECDSA_do_verify failed"); -+ } else { -+ LOGE("Expected length to be greater than 0"); -+ } -+ ECDSA_SIG_free(ossl_sig); -+ return CKR_GENERAL_ERROR; -+ } -+ -+ unsigned char *buf = calloc(1, sig_len); -+ if (!buf) { -+ LOGE("oom"); -+ ECDSA_SIG_free(ossl_sig); -+ return CKR_HOST_MEMORY; -+ } -+ -+ unsigned char *p = buf; -+ int sig_len2 = i2d_ECDSA_SIG(ossl_sig, &p); -+ if (sig_len2 < 0) { -+ SSL_UTIL_LOGE("ECDSA_do_verify failed"); -+ ECDSA_SIG_free(ossl_sig); -+ free(buf); -+ return CKR_GENERAL_ERROR; -+ } -+ -+ assert(sig_len == sig_len2); -+ -+ ECDSA_SIG_free(ossl_sig); -+ -+ *outbuf = buf; -+ *outlen = sig_len; - - return CKR_OK; - } - - static CK_RV do_sig_verify_ec(EVP_PKEY *pkey, -+ const EVP_MD *md, - CK_BYTE_PTR digest, CK_ULONG digest_len, - CK_BYTE_PTR signature, CK_ULONG signature_len) { - -- EC_KEY *eckey = EVP_PKEY_get0_EC_KEY(pkey); -- if (!eckey) { -- LOGE("Expected EC Key"); -- return CKR_GENERAL_ERROR; -- } -- - /* - * OpenSSL expects ASN1 framed signatures, PKCS11 does flat - * R + S signatures, so convert it to ASN1 framing. -@@ -509,21 +588,47 @@ static CK_RV do_sig_verify_ec(EVP_PKEY * - * https://github.com/tpm2-software/tpm2-pkcs11/issues/277 - * For details. - */ -- ECDSA_SIG *ossl_sig = NULL; -- CK_RV rv = create_ecdsa_sig(signature, signature_len, &ossl_sig); -+ unsigned char *buf = NULL; -+ size_t buflen = 0; -+ CK_RV rv = create_ecdsa_sig(signature, signature_len, &buf, &buflen); - if (rv != CKR_OK) { - return rv; - } - -- int rc = ECDSA_do_verify(digest, digest_len, ossl_sig, eckey); -- if (rc < 0) { -- ECDSA_SIG_free(ossl_sig); -- SSL_UTIL_LOGE("ECDSA_do_verify failed"); -- return CKR_GENERAL_ERROR; -+ EVP_PKEY_CTX *pkey_ctx = NULL; -+ rv = ssl_util_setup_evp_pkey_ctx(pkey, 0, md, -+ EVP_PKEY_verify_init, &pkey_ctx); -+ if (rv != CKR_OK) { -+ free(buf); -+ return rv; - } -- ECDSA_SIG_free(ossl_sig); - -- return rc == 1 ? CKR_OK : CKR_SIGNATURE_INVALID; -+ rv = sig_verify(pkey_ctx, buf, buflen, digest, digest_len); -+ -+ EVP_PKEY_CTX_free(pkey_ctx); -+ free(buf); -+ -+ return rv; -+} -+ -+static CK_RV do_sig_verify_rsa(EVP_PKEY *pkey, -+ int padding, const EVP_MD *md, -+ CK_BYTE_PTR digest, CK_ULONG digest_len, -+ CK_BYTE_PTR signature, CK_ULONG signature_len) { -+ -+ CK_RV rv = CKR_GENERAL_ERROR; -+ -+ EVP_PKEY_CTX *pkey_ctx = NULL; -+ rv = ssl_util_setup_evp_pkey_ctx(pkey, padding, md, -+ EVP_PKEY_verify_init, &pkey_ctx); -+ if (rv != CKR_OK) { -+ return rv; -+ } -+ -+ rv = sig_verify(pkey_ctx, signature, signature_len, digest, digest_len); -+ -+ EVP_PKEY_CTX_free(pkey_ctx); -+ return rv; - } - - CK_RV ssl_util_sig_verify(EVP_PKEY *pkey, -@@ -538,7 +643,7 @@ CK_RV ssl_util_sig_verify(EVP_PKEY *pkey - digest, digest_len, - signature, signature_len); - case EVP_PKEY_EC: -- return do_sig_verify_ec(pkey, digest, digest_len, -+ return do_sig_verify_ec(pkey, md, digest, digest_len, - signature, signature_len); - default: - LOGE("Unknown PKEY type, got: %d", type); -@@ -577,3 +682,65 @@ CK_RV ssl_util_verify_recover(EVP_PKEY * - EVP_PKEY_CTX_free(pkey_ctx); - return rv; - } -+ -+twist ssl_util_hash_pass(const twist pin, const twist salt) { -+ -+ -+ twist out = NULL; -+ unsigned char md[SHA256_DIGEST_LENGTH]; -+ -+ EVP_MD_CTX *ctx = EVP_MD_CTX_new(); -+ if (!ctx) { -+ SSL_UTIL_LOGE("EVP_MD_CTX_new"); -+ return NULL; -+ } -+ -+ int rc = EVP_DigestInit(ctx, EVP_sha256()); -+ if (rc != 1) { -+ SSL_UTIL_LOGE("EVP_DigestInit"); -+ goto error; -+ } -+ -+ rc = EVP_DigestUpdate(ctx, pin, twist_len(pin)); -+ if (rc != 1) { -+ SSL_UTIL_LOGE("EVP_DigestUpdate"); -+ goto error; -+ } -+ -+ rc = EVP_DigestUpdate(ctx, salt, twist_len(salt)); -+ if (rc != 1) { -+ SSL_UTIL_LOGE("EVP_DigestUpdate"); -+ goto error; -+ } -+ -+ unsigned int len = sizeof(md); -+ rc = EVP_DigestFinal(ctx, md, &len); -+ if (rc != 1) { -+ SSL_UTIL_LOGE("EVP_DigestFinal"); -+ goto error; -+ } -+ -+ /* truncate the password to 32 characters */ -+ out = twist_hex_new((char *)md, sizeof(md)/2); -+ -+error: -+ EVP_MD_CTX_free(ctx); -+ -+ return out; -+} -+ -+CK_RV ssl_util_params_to_nid(CK_ATTRIBUTE_PTR ecparams, int *nid) { -+ -+ const unsigned char *p = ecparams->pValue; -+ -+ ASN1_OBJECT *a = d2i_ASN1_OBJECT(NULL, &p, ecparams->ulValueLen); -+ if (!a) { -+ LOGE("Unknown CKA_EC_PARAMS value"); -+ return CKR_ATTRIBUTE_VALUE_INVALID; -+ } -+ -+ *nid = OBJ_obj2nid(a); -+ ASN1_OBJECT_free(a); -+ -+ return CKR_OK; -+} -Index: git/src/lib/ssl_util.h -=================================================================== ---- git.orig/src/lib/ssl_util.h -+++ git/src/lib/ssl_util.h -@@ -11,8 +11,8 @@ - - #include "pkcs11.h" - -+#include "attrs.h" - #include "log.h" --#include "object.h" - #include "twist.h" - - #if (OPENSSL_VERSION_NUMBER < 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) /* OpenSSL 1.1.0 */ -@@ -22,6 +22,10 @@ - #define LIB_TPM2_OPENSSL_OPENSSL_POST111 0x1010100f - #endif - -+#if (OPENSSL_VERSION_NUMBER >= 0x30000000) /* OpenSSL 3.0.0 */ -+#define LIB_TPM2_OPENSSL_OPENSSL_POST300 0x1010100f -+#endif -+ - /* OpenSSL Backwards Compat APIs */ - #if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11) - #include <string.h> -@@ -58,7 +62,7 @@ static inline void *OPENSSL_memdup(const - - #define SSL_UTIL_LOGE(m) LOGE("%s: %s", m, ERR_error_string(ERR_get_error(), NULL)); - --CK_RV ssl_util_tobject_to_evp(EVP_PKEY **outpkey, tobject *obj); -+CK_RV ssl_util_attrs_to_evp(attr_list *attrs, EVP_PKEY **outpkey); - - CK_RV ssl_util_encrypt(EVP_PKEY *pkey, - int padding, twist label, const EVP_MD *md, -@@ -82,4 +86,27 @@ CK_RV ssl_util_setup_evp_pkey_ctx(EVP_PK - fn_EVP_PKEY_init init_fn, - EVP_PKEY_CTX **outpkey_ctx); - -+CK_RV ssl_util_add_PKCS1_PSS(EVP_PKEY *pkey, -+ const CK_BYTE_PTR inbuf, const EVP_MD *md, -+ CK_BYTE_PTR outbuf); -+ -+CK_RV ssl_util_add_PKCS1_TYPE_1(const CK_BYTE_PTR inbuf, CK_ULONG inlen, -+ CK_BYTE_PTR outbuf, CK_ULONG outbuflen); -+ -+CK_RV ssl_util_check_PKCS1_TYPE_2(const CK_BYTE_PTR inbuf, CK_ULONG inlen, CK_ULONG rsa_len, -+ CK_BYTE_PTR outbuf, CK_ULONG_PTR outbuflen); -+ -+twist ssl_util_hash_pass(const twist pin, const twist salt); -+ -+/** -+ * Given an attribute of CKA_EC_PARAMS returns the nid value. -+ * @param ecparams -+ * The DER X9.62 parameters value -+ * @param nid -+ * The nid to set -+ * @return -+ * CKR_OK on success. -+ */ -+CK_RV ssl_util_params_to_nid(CK_ATTRIBUTE_PTR ecparams, int *nid); -+ - #endif /* SRC_LIB_SSL_UTIL_H_ */ -Index: git/src/lib/tpm.c -=================================================================== ---- git.orig/src/lib/tpm.c -+++ git/src/lib/tpm.c -@@ -3099,7 +3099,7 @@ static CK_RV handle_ecparams(CK_ATTRIBUT - tpm_key_data *keydat = (tpm_key_data *)udata; - - int nid = 0; -- CK_RV rv = ec_params_to_nid(attr, &nid); -+ CK_RV rv = ssl_util_params_to_nid(attr, &nid); - if (rv != CKR_OK) { - return rv; - } -@@ -3451,7 +3451,7 @@ static EC_POINT *tpm_pub_to_ossl_pub(EC_ - goto out; - } - -- int rc = EC_POINT_set_affine_coordinates_GFp(group, -+ int rc = EC_POINT_set_affine_coordinates(group, - pub_key_point_tmp, - bn_x, - bn_y, -@@ -4579,7 +4579,7 @@ CK_RV tpm_get_pss_sig_state(tpm_ctx *tct - goto out; - } - -- rv = ssl_util_tobject_to_evp(&pkey, tobj); -+ rv = ssl_util_attrs_to_evp(tobj->attrs, &pkey); - if (rv != CKR_OK) { - goto out; - } -Index: git/src/lib/utils.c -=================================================================== ---- git.orig/src/lib/utils.c -+++ git/src/lib/utils.c -@@ -7,6 +7,7 @@ - #include <openssl/sha.h> - - #include "log.h" -+#include "ssl_util.h" - #include "token.h" - #include "utils.h" - -@@ -45,7 +46,7 @@ CK_RV utils_setup_new_object_auth(twist - pin_to_use = newpin; - } - -- *newauthhex = utils_hash_pass(pin_to_use, salt_to_use); -+ *newauthhex = ssl_util_hash_pass(pin_to_use, salt_to_use); - if (!*newauthhex) { - goto out; - } -@@ -330,22 +331,6 @@ out: - - } - --twist utils_hash_pass(const twist pin, const twist salt) { -- -- -- unsigned char md[SHA256_DIGEST_LENGTH]; -- -- SHA256_CTX sha256; -- SHA256_Init(&sha256); -- -- SHA256_Update(&sha256, pin, twist_len(pin)); -- SHA256_Update(&sha256, salt, twist_len(salt)); -- SHA256_Final(md, &sha256); -- -- /* truncate the password to 32 characters */ -- return twist_hex_new((char *)md, sizeof(md)/2); --} -- - size_t utils_get_halg_size(CK_MECHANISM_TYPE mttype) { - - switch(mttype) { -@@ -448,22 +433,6 @@ CK_RV utils_ctx_wrap_objauth(twist wrapp - - return CKR_OK; - } -- --CK_RV ec_params_to_nid(CK_ATTRIBUTE_PTR ecparams, int *nid) { -- -- const unsigned char *p = ecparams->pValue; -- -- ASN1_OBJECT *a = d2i_ASN1_OBJECT(NULL, &p, ecparams->ulValueLen); -- if (!a) { -- LOGE("Unknown CKA_EC_PARAMS value"); -- return CKR_ATTRIBUTE_VALUE_INVALID; -- } -- -- *nid = OBJ_obj2nid(a); -- ASN1_OBJECT_free(a); -- -- return CKR_OK; --} - - CK_RV apply_pkcs7_pad(const CK_BYTE_PTR in, CK_ULONG inlen, - CK_BYTE_PTR out, CK_ULONG_PTR outlen) { -Index: git/src/lib/utils.h -=================================================================== ---- git.orig/src/lib/utils.h -+++ git/src/lib/utils.h -@@ -45,8 +45,6 @@ static inline void _str_padded_copy(CK_U - memcpy(dst, src, src_len); - } - --twist utils_hash_pass(const twist pin, const twist salt); -- - twist aes256_gcm_decrypt(const twist key, const twist objauth); - - twist aes256_gcm_encrypt(twist keybin, twist plaintextbin); -@@ -77,17 +75,6 @@ CK_RV utils_ctx_unwrap_objauth(twist wra - CK_RV utils_ctx_wrap_objauth(twist wrappingkey, twist objauth, twist *wrapped_auth); - - /** -- * Given an attribute of CKA_EC_PARAMS returns the nid value. -- * @param ecparams -- * The DER X9.62 parameters value -- * @param nid -- * The nid to set -- * @return -- * CKR_OK on success. -- */ --CK_RV ec_params_to_nid(CK_ATTRIBUTE_PTR ecparams, int *nid); -- --/** - * Removes a PKCS7 padding on a 16 byte block. - * @param in - * The PKCS5 padded input. -Index: git/test/integration/pkcs-sign-verify.int.c -=================================================================== ---- git.orig/test/integration/pkcs-sign-verify.int.c -+++ git/test/integration/pkcs-sign-verify.int.c -@@ -1061,70 +1061,13 @@ static void test_double_sign_final_call_ - assert_int_equal(rv, CKR_OK); - } - --static CK_ATTRIBUTE_PTR get_attr(CK_ATTRIBUTE_TYPE type, CK_ATTRIBUTE_PTR attrs, CK_ULONG attr_len) { -- -- CK_ULONG i; -- for (i=0; i < attr_len; i++) { -- CK_ATTRIBUTE_PTR a = &attrs[i]; -- if (a->type == type) { -- return a; -- } -- } -- -- return NULL; --} -- --#if (OPENSSL_VERSION_NUMBER < 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) /* OpenSSL 1.1.0 */ --#define LIB_TPM2_OPENSSL_OPENSSL_PRE11 --#endif -- --RSA *template_to_rsa_pub_key(CK_ATTRIBUTE_PTR attrs, CK_ULONG attr_len) { -- -- RSA *ssl_rsa_key = NULL; -- BIGNUM *e = NULL, *n = NULL; -- -- /* get the exponent */ -- CK_ATTRIBUTE_PTR a = get_attr(CKA_PUBLIC_EXPONENT, attrs, attr_len); -- assert_non_null(a); -- -- e = BN_bin2bn((void*)a->pValue, a->ulValueLen, NULL); -- assert_non_null(e); -- -- /* get the modulus */ -- a = get_attr(CKA_MODULUS, attrs, attr_len); -- assert_non_null(a); -- -- n = BN_bin2bn(a->pValue, a->ulValueLen, -- NULL); -- assert_non_null(n); -- -- ssl_rsa_key = RSA_new(); -- assert_non_null(ssl_rsa_key); -- --#if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11) -- ssl_rsa_key->e = e; -- ssl_rsa_key->n = n; --#else -- int rc = RSA_set0_key(ssl_rsa_key, n, e, NULL); -- assert_int_equal(rc, 1); --#endif -- -- return ssl_rsa_key; --} -- --static void verify(RSA *pub, CK_BYTE_PTR msg, CK_ULONG msg_len, CK_BYTE_PTR sig, CK_ULONG sig_len) { -- -- EVP_PKEY *pkey = EVP_PKEY_new(); -- assert_non_null(pkey); -- -- int rc = EVP_PKEY_set1_RSA(pkey, pub); -- assert_int_equal(rc, 1); -+static void verify(EVP_PKEY *pkey, CK_BYTE_PTR msg, CK_ULONG msg_len, CK_BYTE_PTR sig, CK_ULONG sig_len) { - - EVP_MD_CTX *ctx = EVP_MD_CTX_create(); - const EVP_MD* md = EVP_get_digestbyname("SHA256"); - assert_non_null(md); - -- rc = EVP_DigestInit_ex(ctx, md, NULL); -+ int rc = EVP_DigestInit_ex(ctx, md, NULL); - assert_int_equal(rc, 1); - - rc = EVP_DigestVerifyInit(ctx, NULL, md, NULL, pkey); -@@ -1136,7 +1079,6 @@ static void verify(RSA *pub, CK_BYTE_PTR - rc = EVP_DigestVerifyFinal(ctx, sig, sig_len); - assert_int_equal(rc, 1); - -- EVP_PKEY_free(pkey); - EVP_MD_CTX_destroy(ctx); - } - -@@ -1170,20 +1112,38 @@ static void test_sign_verify_public(void - assert_int_equal(siglen, 256); - - /* build an OSSL RSA key from parts */ -- CK_BYTE _tmp_bufs[2][1024]; -+ CK_BYTE _tmp_bufs[3][1024]; - CK_ATTRIBUTE attrs[] = { -- { .type = CKA_PUBLIC_EXPONENT, .ulValueLen = sizeof(_tmp_bufs[0]), .pValue = &_tmp_bufs[0] }, -- { .type = CKA_MODULUS, .ulValueLen = sizeof(_tmp_bufs[1]), .pValue = &_tmp_bufs[1] }, -+ { .type = CKA_KEY_TYPE, .ulValueLen = sizeof(_tmp_bufs[0]), .pValue = &_tmp_bufs[0] }, -+ { .type = CKA_PUBLIC_EXPONENT, .ulValueLen = sizeof(_tmp_bufs[0]), .pValue = &_tmp_bufs[1] }, -+ { .type = CKA_MODULUS, .ulValueLen = sizeof(_tmp_bufs[1]), .pValue = &_tmp_bufs[2] }, - }; - - rv = C_GetAttributeValue(session, pub_handle, attrs, ARRAY_LEN(attrs)); - assert_int_equal(rv, CKR_OK); - -- RSA *r = template_to_rsa_pub_key(attrs, ARRAY_LEN(attrs)); -- assert_non_null(r); -+ CK_KEY_TYPE key_type = CKA_KEY_TYPE_BAD; -+ rv = attr_CK_KEY_TYPE(&attrs[0], &key_type); -+ assert_int_equal(rv, CKR_OK); -+ -+ EVP_PKEY *pkey = NULL; -+ attr_list *l = attr_list_new(); -+ -+ bool res = attr_list_add_int(l, CKA_KEY_TYPE, key_type); -+ assert_true(res); - -- verify(r, msg, sizeof(msg) - 1, sig, siglen); -- RSA_free(r); -+ res = attr_list_add_buf(l, attrs[1].type, attrs[1].pValue, attrs[1].ulValueLen); -+ assert_true(res); -+ -+ res = attr_list_add_buf(l, attrs[2].type, attrs[2].pValue, attrs[2].ulValueLen); -+ assert_true(res); -+ -+ rv = ssl_util_attrs_to_evp(l, &pkey); -+ assert_int_equal(rv, CKR_OK); -+ attr_list_free(l); -+ -+ verify(pkey, msg, sizeof(msg) - 1, sig, siglen); -+ EVP_PKEY_free(pkey); - } - - static void test_sign_verify_context_specific_good(void **state) { diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0002-ossl-require-version-1.1.0-or-greater.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0002-ossl-require-version-1.1.0-or-greater.patch deleted file mode 100644 index ef0a6dcde9..0000000000 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0002-ossl-require-version-1.1.0-or-greater.patch +++ /dev/null @@ -1,93 +0,0 @@ -From d33e5ef0b11125fe4683d7bfa17023e24997f587 Mon Sep 17 00:00:00 2001 -From: William Roberts <william.c.roberts@intel.com> -Date: Fri, 3 Sep 2021 11:30:50 -0500 -Subject: [PATCH 2/2] ossl: require version 1.1.0 or greater - -THIS DROPS SUPPORT FOR OSSL 1.0.2. - -Signed-off-by: William Roberts <william.c.roberts@intel.com> - -Upstream-Status: Backport -Signed-off-by: Armin Kuster <akuster808@gmail.com> ---- - configure.ac | 2 +- - src/lib/ssl_util.h | 43 +++++-------------------------------------- - 2 files changed, 6 insertions(+), 39 deletions(-) - -diff --git a/configure.ac b/configure.ac -index a7aeaf5..94fb5d4 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -55,7 +55,7 @@ PKG_CHECK_EXISTS([tss2-esys >= 3.0], - # require sqlite3 and libcrypto - PKG_CHECK_MODULES([SQLITE3], [sqlite3]) - PKG_CHECK_MODULES([YAML], [yaml-0.1]) --PKG_CHECK_MODULES([CRYPTO], [libcrypto >= 1.0.2g]) -+PKG_CHECK_MODULES([CRYPTO], [libcrypto >= 1.1.0]) - - # check for pthread - AX_PTHREAD([],[AC_MSG_ERROR([Cannot find pthread])]) -diff --git a/src/lib/ssl_util.h b/src/lib/ssl_util.h -index 9909fd6..2591728 100644 ---- a/src/lib/ssl_util.h -+++ b/src/lib/ssl_util.h -@@ -15,51 +15,18 @@ - #include "log.h" - #include "twist.h" - --#if (OPENSSL_VERSION_NUMBER < 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) /* OpenSSL 1.1.0 */ --#define LIB_TPM2_OPENSSL_OPENSSL_PRE11 --/* LibreSSL does not appear to have evperr.h, so their is no need to define this otherwise */ --#elif (OPENSSL_VERSION_NUMBER >= 0x1010100fL) /* OpenSSL 1.1.1 */ -+#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL) /* OpenSSL 1.1.1 */ - #define LIB_TPM2_OPENSSL_OPENSSL_POST111 0x1010100f - #endif - --#if (OPENSSL_VERSION_NUMBER >= 0x30000000) /* OpenSSL 3.0.0 */ --#define LIB_TPM2_OPENSSL_OPENSSL_POST300 0x1010100f -+#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST111) -+#include <openssl/evperr.h> - #endif - --/* OpenSSL Backwards Compat APIs */ --#if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11) --#include <string.h> --size_t EC_POINT_point2buf(const EC_GROUP *group, const EC_POINT *point, -- point_conversion_form_t form, -- unsigned char **pbuf, BN_CTX *ctx); -- --const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x); -- --int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d); -- --int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s); -- --EC_KEY *EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey); -- --static inline void *OPENSSL_memdup(const void *dup, size_t l) { -- -- void *p = OPENSSL_malloc(l); -- if (!p) { -- return NULL; -- } -- -- memcpy(p, dup, l); -- return p; --} -- --#endif -- --#ifndef RSA_PSS_SALTLEN_DIGEST --#define RSA_PSS_SALTLEN_DIGEST -1 -+#if (OPENSSL_VERSION_NUMBER >= 0x30000000) /* OpenSSL 3.0.0 */ -+#define LIB_TPM2_OPENSSL_OPENSSL_POST300 0x1010100f - #endif - --/* Utility APIs */ -- - #define SSL_UTIL_LOGE(m) LOGE("%s: %s", m, ERR_error_string(ERR_get_error(), NULL)); - - CK_RV ssl_util_attrs_to_evp(attr_list *attrs, EVP_PKEY **outpkey); --- -2.25.1 - diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/bootstrap_fixup.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/bootstrap_fixup.patch deleted file mode 100644 index d38e23777c..0000000000 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/bootstrap_fixup.patch +++ /dev/null @@ -1,12 +0,0 @@ -Upstream-Status: OE specific -Signed-off-by: Armin Kuster <akuster808@gmail.com> - -Index: git/bootstrap -=================================================================== ---- git.orig/bootstrap -+++ git/bootstrap -@@ -27,4 +27,3 @@ echo "Generating file lists: ${VARS_FILE - ) > ${VARS_FILE} - - mkdir -p m4 --${AUTORECONF} --install --sym $@ diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.7.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb index 177c3c3777..a9174e6717 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.7.0.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb @@ -6,21 +6,17 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=0fc19f620a102768d6dbd1e7166e78ab" DEPENDS = "autoconf-archive pkgconfig sqlite3 openssl libtss2-dev tpm2-tools libyaml p11-kit python3-setuptools-native" -SRC_URI = "git://github.com/tpm2-software/tpm2-pkcs11.git;branch=master;protocol=https \ - file://bootstrap_fixup.patch \ - file://0001-remove-local-binary-checkes.patch \ - file://0001-ssl-compile-against-OSSL-3.0.patch \ - file://0002-ossl-require-version-1.1.0-or-greater.patch \ - " +SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz" -SRCREV = "11fd2532ce10e97834a57dfb25bff6c613a5a851" - -S = "${WORKDIR}/git" +SRC_URI[sha256sum] = "79f28899047defd6b4b72b7268dd56abf27774954022315f818c239af33e05bd" inherit autotools-brokensep pkgconfig python3native -do_configure:prepend () { - ${S}/bootstrap +EXTRA_OECONF += "--disable-ptool-checks" + +do_configure:prepend() { + # do not extract the version number from git + sed -i -e 's/m4_esyscmd_s(\[git describe --tags --always --dirty\])/${PV}/' ${S}/configure.ac } do_compile:append() { diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb index 6e95a0e8fe..f924038bdb 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb @@ -11,3 +11,8 @@ SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN SRC_URI[sha256sum] = "c0b402f6a7b3456e8eb2445211e2d41c46c7e769e05fe4d8909ff64119f7a630" inherit autotools pkgconfig bash-completion + +do_configure:prepend() { + # do not extract the version number from git + sed -i -e 's/m4_esyscmd_s(\[git describe --tags --always --dirty\])/${PV}/' ${S}/configure.ac +} diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.1.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.1.0.bb index 4d1f425d8e..efe62a8209 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.1.0.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.1.0.bb @@ -8,16 +8,23 @@ SECTION = "security/tpm" DEPENDS = "autoconf-archive-native bash-completion libtss2 libgcrypt openssl" -SRCREV = "6f387a4efe2049f1b4833e8f621c77231bc1eef4" -SRC_URI = "git://github.com/tpm2-software/tpm2-tss-engine.git;branch=v1.1.x;protocol=https" +SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/v${PV}/${BPN}-${PV}.tar.gz" + +SRC_URI[sha256sum] = "ea2941695ac221d23a7f3e1321140e75b1495ae6ade876f2f4c2ed807c65e2a5" inherit autotools-brokensep pkgconfig systemd -S = "${WORKDIR}/git" +# It uses the API deprecated since the OpenSSL 3.0 +CFLAGS:append = ' -Wno-deprecated-declarations -Wno-unused-parameter' + +do_configure:prepend() { + # do not extract the version number from git + sed -i -e 's/m4_esyscmd_s(\[git describe --tags --always --dirty\])/${PV}/' ${S}/configure.ac +} PACKAGES += "${PN}-engines ${PN}-engines-staticdev ${PN}-bash-completion" -FILES:${PN}-dev = "${libdir}/engines-1.1/tpm2tss.so ${includedir}/*" -FILES:${PN}-engines = "${libdir}/engines-1.1/lib*.so*" -FILES:${PN}-engines-staticdev = "${libdir}/engines-1.1/libtpm2tss.a" +FILES:${PN}-dev = "${libdir}/engines-3/tpm2tss.so ${includedir}/*" +FILES:${PN}-engines = "${libdir}/engines-3/lib*.so*" +FILES:${PN}-engines-staticdev = "${libdir}/engines-3/libtpm2tss.a" FILES:${PN}-bash-completion += "${datadir}/bash-completion/completions" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/ax_pthread.m4 b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/ax_pthread.m4 deleted file mode 100644 index d383ad5c6d..0000000000 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/ax_pthread.m4 +++ /dev/null @@ -1,332 +0,0 @@ -# =========================================================================== -# http://www.gnu.org/software/autoconf-archive/ax_pthread.html -# =========================================================================== -# -# SYNOPSIS -# -# AX_PTHREAD([ACTION-IF-FOUND[, ACTION-IF-NOT-FOUND]]) -# -# DESCRIPTION -# -# This macro figures out how to build C programs using POSIX threads. It -# sets the PTHREAD_LIBS output variable to the threads library and linker -# flags, and the PTHREAD_CFLAGS output variable to any special C compiler -# flags that are needed. (The user can also force certain compiler -# flags/libs to be tested by setting these environment variables.) -# -# Also sets PTHREAD_CC to any special C compiler that is needed for -# multi-threaded programs (defaults to the value of CC otherwise). (This -# is necessary on AIX to use the special cc_r compiler alias.) -# -# NOTE: You are assumed to not only compile your program with these flags, -# but also link it with them as well. e.g. you should link with -# $PTHREAD_CC $CFLAGS $PTHREAD_CFLAGS $LDFLAGS ... $PTHREAD_LIBS $LIBS -# -# If you are only building threads programs, you may wish to use these -# variables in your default LIBS, CFLAGS, and CC: -# -# LIBS="$PTHREAD_LIBS $LIBS" -# CFLAGS="$CFLAGS $PTHREAD_CFLAGS" -# CC="$PTHREAD_CC" -# -# In addition, if the PTHREAD_CREATE_JOINABLE thread-attribute constant -# has a nonstandard name, defines PTHREAD_CREATE_JOINABLE to that name -# (e.g. PTHREAD_CREATE_UNDETACHED on AIX). -# -# Also HAVE_PTHREAD_PRIO_INHERIT is defined if pthread is found and the -# PTHREAD_PRIO_INHERIT symbol is defined when compiling with -# PTHREAD_CFLAGS. -# -# ACTION-IF-FOUND is a list of shell commands to run if a threads library -# is found, and ACTION-IF-NOT-FOUND is a list of commands to run it if it -# is not found. If ACTION-IF-FOUND is not specified, the default action -# will define HAVE_PTHREAD. -# -# Please let the authors know if this macro fails on any platform, or if -# you have any other suggestions or comments. This macro was based on work -# by SGJ on autoconf scripts for FFTW (http://www.fftw.org/) (with help -# from M. Frigo), as well as ac_pthread and hb_pthread macros posted by -# Alejandro Forero Cuervo to the autoconf macro repository. We are also -# grateful for the helpful feedback of numerous users. -# -# Updated for Autoconf 2.68 by Daniel Richard G. -# -# LICENSE -# -# Copyright (c) 2008 Steven G. Johnson <stevenj@alum.mit.edu> -# Copyright (c) 2011 Daniel Richard G. <skunk@iSKUNK.ORG> -# -# This program is free software: you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation, either version 3 of the License, or (at your -# option) any later version. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General -# Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program. If not, see <http://www.gnu.org/licenses/>. -# -# As a special exception, the respective Autoconf Macro's copyright owner -# gives unlimited permission to copy, distribute and modify the configure -# scripts that are the output of Autoconf when processing the Macro. You -# need not follow the terms of the GNU General Public License when using -# or distributing such scripts, even though portions of the text of the -# Macro appear in them. The GNU General Public License (GPL) does govern -# all other use of the material that constitutes the Autoconf Macro. -# -# This special exception to the GPL applies to versions of the Autoconf -# Macro released by the Autoconf Archive. When you make and distribute a -# modified version of the Autoconf Macro, you may extend this special -# exception to the GPL to apply to your modified version as well. - -#serial 21 - -AU_ALIAS([ACX_PTHREAD], [AX_PTHREAD]) -AC_DEFUN([AX_PTHREAD], [ -AC_REQUIRE([AC_CANONICAL_HOST]) -AC_LANG_PUSH([C]) -ax_pthread_ok=no - -# We used to check for pthread.h first, but this fails if pthread.h -# requires special compiler flags (e.g. on True64 or Sequent). -# It gets checked for in the link test anyway. - -# First of all, check if the user has set any of the PTHREAD_LIBS, -# etcetera environment variables, and if threads linking works using -# them: -if test x"$PTHREAD_LIBS$PTHREAD_CFLAGS" != x; then - save_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS $PTHREAD_CFLAGS" - save_LIBS="$LIBS" - LIBS="$PTHREAD_LIBS $LIBS" - AC_MSG_CHECKING([for pthread_join in LIBS=$PTHREAD_LIBS with CFLAGS=$PTHREAD_CFLAGS]) - AC_TRY_LINK_FUNC([pthread_join], [ax_pthread_ok=yes]) - AC_MSG_RESULT([$ax_pthread_ok]) - if test x"$ax_pthread_ok" = xno; then - PTHREAD_LIBS="" - PTHREAD_CFLAGS="" - fi - LIBS="$save_LIBS" - CFLAGS="$save_CFLAGS" -fi - -# We must check for the threads library under a number of different -# names; the ordering is very important because some systems -# (e.g. DEC) have both -lpthread and -lpthreads, where one of the -# libraries is broken (non-POSIX). - -# Create a list of thread flags to try. Items starting with a "-" are -# C compiler flags, and other items are library names, except for "none" -# which indicates that we try without any flags at all, and "pthread-config" -# which is a program returning the flags for the Pth emulation library. - -ax_pthread_flags="pthreads none -Kthread -kthread lthread -pthread -pthreads -mthreads pthread --thread-safe -mt pthread-config" - -# The ordering *is* (sometimes) important. Some notes on the -# individual items follow: - -# pthreads: AIX (must check this before -lpthread) -# none: in case threads are in libc; should be tried before -Kthread and -# other compiler flags to prevent continual compiler warnings -# -Kthread: Sequent (threads in libc, but -Kthread needed for pthread.h) -# -kthread: FreeBSD kernel threads (preferred to -pthread since SMP-able) -# lthread: LinuxThreads port on FreeBSD (also preferred to -pthread) -# -pthread: Linux/gcc (kernel threads), BSD/gcc (userland threads) -# -pthreads: Solaris/gcc -# -mthreads: Mingw32/gcc, Lynx/gcc -# -mt: Sun Workshop C (may only link SunOS threads [-lthread], but it -# doesn't hurt to check since this sometimes defines pthreads too; -# also defines -D_REENTRANT) -# ... -mt is also the pthreads flag for HP/aCC -# pthread: Linux, etcetera -# --thread-safe: KAI C++ -# pthread-config: use pthread-config program (for GNU Pth library) - -case ${host_os} in - solaris*) - - # On Solaris (at least, for some versions), libc contains stubbed - # (non-functional) versions of the pthreads routines, so link-based - # tests will erroneously succeed. (We need to link with -pthreads/-mt/ - # -lpthread.) (The stubs are missing pthread_cleanup_push, or rather - # a function called by this macro, so we could check for that, but - # who knows whether they'll stub that too in a future libc.) So, - # we'll just look for -pthreads and -lpthread first: - - ax_pthread_flags="-pthreads pthread -mt -pthread $ax_pthread_flags" - ;; - - darwin*) - ax_pthread_flags="-pthread $ax_pthread_flags" - ;; -esac - -# Clang doesn't consider unrecognized options an error unless we specify -# -Werror. We throw in some extra Clang-specific options to ensure that -# this doesn't happen for GCC, which also accepts -Werror. - -AC_MSG_CHECKING([if compiler needs -Werror to reject unknown flags]) -save_CFLAGS="$CFLAGS" -ax_pthread_extra_flags="-Werror" -CFLAGS="$CFLAGS $ax_pthread_extra_flags -Wunknown-warning-option -Wsizeof-array-argument" -AC_COMPILE_IFELSE([AC_LANG_PROGRAM([int foo(void);],[foo()])], - [AC_MSG_RESULT([yes])], - [ax_pthread_extra_flags= - AC_MSG_RESULT([no])]) -CFLAGS="$save_CFLAGS" - -if test x"$ax_pthread_ok" = xno; then -for flag in $ax_pthread_flags; do - - case $flag in - none) - AC_MSG_CHECKING([whether pthreads work without any flags]) - ;; - - -*) - AC_MSG_CHECKING([whether pthreads work with $flag]) - PTHREAD_CFLAGS="$flag" - ;; - - pthread-config) - AC_CHECK_PROG([ax_pthread_config], [pthread-config], [yes], [no]) - if test x"$ax_pthread_config" = xno; then continue; fi - PTHREAD_CFLAGS="`pthread-config --cflags`" - PTHREAD_LIBS="`pthread-config --ldflags` `pthread-config --libs`" - ;; - - *) - AC_MSG_CHECKING([for the pthreads library -l$flag]) - PTHREAD_LIBS="-l$flag" - ;; - esac - - save_LIBS="$LIBS" - save_CFLAGS="$CFLAGS" - LIBS="$PTHREAD_LIBS $LIBS" - CFLAGS="$CFLAGS $PTHREAD_CFLAGS $ax_pthread_extra_flags" - - # Check for various functions. We must include pthread.h, - # since some functions may be macros. (On the Sequent, we - # need a special flag -Kthread to make this header compile.) - # We check for pthread_join because it is in -lpthread on IRIX - # while pthread_create is in libc. We check for pthread_attr_init - # due to DEC craziness with -lpthreads. We check for - # pthread_cleanup_push because it is one of the few pthread - # functions on Solaris that doesn't have a non-functional libc stub. - # We try pthread_create on general principles. - AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <pthread.h> - static void routine(void *a) { a = 0; } - static void *start_routine(void *a) { return a; }], - [pthread_t th; pthread_attr_t attr; - pthread_create(&th, 0, start_routine, 0); - pthread_join(th, 0); - pthread_attr_init(&attr); - pthread_cleanup_push(routine, 0); - pthread_cleanup_pop(0) /* ; */])], - [ax_pthread_ok=yes], - []) - - LIBS="$save_LIBS" - CFLAGS="$save_CFLAGS" - - AC_MSG_RESULT([$ax_pthread_ok]) - if test "x$ax_pthread_ok" = xyes; then - break; - fi - - PTHREAD_LIBS="" - PTHREAD_CFLAGS="" -done -fi - -# Various other checks: -if test "x$ax_pthread_ok" = xyes; then - save_LIBS="$LIBS" - LIBS="$PTHREAD_LIBS $LIBS" - save_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS $PTHREAD_CFLAGS" - - # Detect AIX lossage: JOINABLE attribute is called UNDETACHED. - AC_MSG_CHECKING([for joinable pthread attribute]) - attr_name=unknown - for attr in PTHREAD_CREATE_JOINABLE PTHREAD_CREATE_UNDETACHED; do - AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <pthread.h>], - [int attr = $attr; return attr /* ; */])], - [attr_name=$attr; break], - []) - done - AC_MSG_RESULT([$attr_name]) - if test "$attr_name" != PTHREAD_CREATE_JOINABLE; then - AC_DEFINE_UNQUOTED([PTHREAD_CREATE_JOINABLE], [$attr_name], - [Define to necessary symbol if this constant - uses a non-standard name on your system.]) - fi - - AC_MSG_CHECKING([if more special flags are required for pthreads]) - flag=no - case ${host_os} in - aix* | freebsd* | darwin*) flag="-D_THREAD_SAFE";; - osf* | hpux*) flag="-D_REENTRANT";; - solaris*) - if test "$GCC" = "yes"; then - flag="-D_REENTRANT" - else - # TODO: What about Clang on Solaris? - flag="-mt -D_REENTRANT" - fi - ;; - esac - AC_MSG_RESULT([$flag]) - if test "x$flag" != xno; then - PTHREAD_CFLAGS="$flag $PTHREAD_CFLAGS" - fi - - AC_CACHE_CHECK([for PTHREAD_PRIO_INHERIT], - [ax_cv_PTHREAD_PRIO_INHERIT], [ - AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <pthread.h>]], - [[int i = PTHREAD_PRIO_INHERIT;]])], - [ax_cv_PTHREAD_PRIO_INHERIT=yes], - [ax_cv_PTHREAD_PRIO_INHERIT=no]) - ]) - AS_IF([test "x$ax_cv_PTHREAD_PRIO_INHERIT" = "xyes"], - [AC_DEFINE([HAVE_PTHREAD_PRIO_INHERIT], [1], [Have PTHREAD_PRIO_INHERIT.])]) - - LIBS="$save_LIBS" - CFLAGS="$save_CFLAGS" - - # More AIX lossage: compile with *_r variant - if test "x$GCC" != xyes; then - case $host_os in - aix*) - AS_CASE(["x/$CC"], - [x*/c89|x*/c89_128|x*/c99|x*/c99_128|x*/cc|x*/cc128|x*/xlc|x*/xlc_v6|x*/xlc128|x*/xlc128_v6], - [#handle absolute path differently from PATH based program lookup - AS_CASE(["x$CC"], - [x/*], - [AS_IF([AS_EXECUTABLE_P([${CC}_r])],[PTHREAD_CC="${CC}_r"])], - [AC_CHECK_PROGS([PTHREAD_CC],[${CC}_r],[$CC])])]) - ;; - esac - fi -fi - -test -n "$PTHREAD_CC" || PTHREAD_CC="$CC" - -AC_SUBST([PTHREAD_LIBS]) -AC_SUBST([PTHREAD_CFLAGS]) -AC_SUBST([PTHREAD_CC]) - -# Finally, execute ACTION-IF-FOUND/ACTION-IF-NOT-FOUND: -if test x"$ax_pthread_ok" = xyes; then - ifelse([$1],,[AC_DEFINE([HAVE_PTHREAD],[1],[Define if you have POSIX threads libraries and header files.])],[$1]) - : -else - ax_pthread_ok=no - $2 -fi -AC_LANG_POP -])dnl AX_PTHREAD diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fix_musl_select_include.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fix_musl_select_include.patch deleted file mode 100644 index ecaca6ea57..0000000000 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fix_musl_select_include.patch +++ /dev/null @@ -1,31 +0,0 @@ -This fixes musl build issue do to missing FD_* defines. -Add sys/select.h - -Upstream-Status: Pending - -Signed-off-by: Armin Kuster <akuster@mvista.com> - -Index: TPM2.0-TSS/tcti/tcti_socket.cpp -=================================================================== ---- TPM2.0-TSS.orig/tcti/tcti_socket.cpp -+++ TPM2.0-TSS/tcti/tcti_socket.cpp -@@ -28,6 +28,7 @@ - #include <stdio.h> - #include <stdlib.h> // Needed for _wtoi - -+#include "sys/select.h" - #include <sapi/tpm20.h> - #include <tcti/tcti_socket.h> - #include "sysapi_util.h" -Index: TPM2.0-TSS/resourcemgr/resourcemgr.c -=================================================================== ---- TPM2.0-TSS.orig/resourcemgr/resourcemgr.c -+++ TPM2.0-TSS/resourcemgr/resourcemgr.c -@@ -28,6 +28,7 @@ - #include <stdio.h> - #include <stdlib.h> // Needed for _wtoi - -+#include "sys/select.h" - #include <sapi/tpm20.h> - #include <tcti/tcti_device.h> - #include <tcti/tcti_socket.h> diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fixup_hosttools.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fixup_hosttools.patch index b5579e1b93..450698ff64 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fixup_hosttools.patch +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fixup_hosttools.patch @@ -5,22 +5,25 @@ Not appropriate for cross build env. Upstream-Status: OE [inappropriate] Signed-off-by: Armin Kuster <akuster808@gmail.com> -Index: tpm2-tss-3.1.0/configure.ac +Index: tpm2-tss-3.2.0/configure.ac =================================================================== ---- tpm2-tss-3.1.0.orig/configure.ac -+++ tpm2-tss-3.1.0/configure.ac -@@ -471,14 +471,6 @@ AM_CONDITIONAL(SYSD_SYSUSERS, test "x$sy +--- tpm2-tss-3.2.0.orig/configure.ac ++++ tpm2-tss-3.2.0/configure.ac +@@ -488,17 +488,6 @@ AC_CHECK_PROG(systemd_tmpfiles, systemd-tmpfiles, yes) AM_CONDITIONAL(SYSD_TMPFILES, test "x$systemd_tmpfiles" = "xyes") - # Check all tools used by make install --AS_IF([test "$HOSTOS" = "Linux"], -- [ERROR_IF_NO_PROG([groupadd]) -- ERROR_IF_NO_PROG([useradd]) -- ERROR_IF_NO_PROG([id]) -- ERROR_IF_NO_PROG([chown]) -- ERROR_IF_NO_PROG([chmod]) -- ERROR_IF_NO_PROG([mkdir]) -- ERROR_IF_NO_PROG([setfacl])]) +-# Check all tools used by make install +-AS_IF([test "$HOSTOS" = "Linux"], +- [ AC_CHECK_PROG(useradd, useradd, yes) +- AC_CHECK_PROG(groupadd, groupadd, yes) +- AC_CHECK_PROG(adduser, adduser, yes) +- AC_CHECK_PROG(addgroup, addgroup, yes) +- AS_IF([test "x$addgroup" != "xyes" && test "x$groupadd" != "xyes" ], +- [AC_MSG_ERROR([addgroup or groupadd are needed.])]) +- AS_IF([test "x$adduser" != "xyes" && test "x$useradd" != "xyes" ], +- [AC_MSG_ERROR([adduser or useradd are needed.])])]) +- AC_SUBST([PATH]) + dnl --------- Doxy Gen ----------------------- diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.1.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.2.0.bb index ddcfb58ea8..8440bb9e9f 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.1.0.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.2.0.bb @@ -10,7 +10,7 @@ SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN file://fixup_hosttools.patch \ " -SRC_URI[sha256sum] = "8900a6603f74310b749b65f23c3461cde6e2a23a5f61058b21004c25f9cf19e8" +SRC_URI[sha256sum] = "48305e4144dcf6d10f3b25b7bccf0189fd2d1186feafd8cd68c6b17ecf0d7912" inherit autotools pkgconfig systemd useradd @@ -26,6 +26,11 @@ USERADD_PACKAGES = "${PN}" GROUPADD_PARAM:${PN} = "--system tss" USERADD_PARAM:${PN} = "--system -M -d /var/lib/tpm -s /bin/false -g tss tss" +do_configure:prepend() { + # do not extract the version number from git + sed -i -e 's/m4_esyscmd_s(\[git describe --tags --always --dirty\])/${PV}/' ${S}/configure.ac +} + do_install:append() { # Remove /run as it is created on startup rm -rf ${D}/run |