From 1a4b7ee28bf7413af6513fb45ad0d0736048f866 Mon Sep 17 00:00:00 2001 From: Brad Bishop Date: Sun, 16 Dec 2018 17:11:34 -0800 Subject: reset upstream subtrees to yocto 2.6 Reset the following subtrees on thud HEAD: poky: 87e3a9739d meta-openembedded: 6094ae18c8 meta-security: 31dc4e7532 meta-raspberrypi: a48743dc36 meta-xilinx: c42016e2e6 Also re-apply backports that didn't make it into thud: poky: 17726d0 systemd-systemctl-native: handle Install wildcards meta-openembedded: 4321a5d libtinyxml2: update to 7.0.1 042f0a3 libcereal: Add native and nativesdk classes e23284f libcereal: Allow empty package 030e8d4 rsyslog: curl-less build with fmhttp PACKAGECONFIG 179a1b9 gtest: update to 1.8.1 Squashed OpenBMC subtree compatibility updates: meta-aspeed: Brad Bishop (1): aspeed: add yocto 2.6 compatibility meta-ibm: Brad Bishop (1): ibm: prepare for yocto 2.6 meta-ingrasys: Brad Bishop (1): ingrasys: set layer compatibility to yocto 2.6 meta-openpower: Brad Bishop (1): openpower: set layer compatibility to yocto 2.6 meta-phosphor: Brad Bishop (3): phosphor: set layer compatibility to thud phosphor: libgpg-error: drop patches phosphor: react to fitimage artifact rename Ed Tanous (4): Dropbear: upgrade options for latest upgrade yocto2.6: update openssl options busybox: remove upstream watchdog patch systemd: Rebase CONFIG_CGROUP_BPF patch Change-Id: I7b1fe71cca880d0372a82d94b5fd785323e3a9e7 
Signed-off-by: Brad Bishop --- meta-security/README | 207 +-------------------- meta-security/conf/layer.conf | 6 +- meta-security/docs/overview.txt | 197 ++++++++++++++++++++ .../meta-security-compliance/conf/layer.conf | 4 +- .../recipes-auditors/lynis/lynis_2.5.1.bb | 38 ---- .../recipes-auditors/lynis/lynis_2.6.8.bb | 41 ++++ .../recipes-core/os-release/os-release.bbappend | 3 - .../openscap-daemon/openscap-daemon_0.1.10.bb | 18 ++ .../openscap-daemon/openscap-daemon_0.1.6.bb | 20 -- .../recipes-openscap/openscap/openscap_1.2.15.bb | 86 --------- .../recipes-openscap/openscap/openscap_1.2.17.bb | 87 +++++++++ meta-security/meta-tpm/conf/layer.conf | 4 +- .../packagegroup/packagegroup-security-tpm2.bb | 8 +- .../meta-tpm/recipes-tpm/libtpm/libtpm_1.0.bb | 8 +- ...ate-tpm-key-support-well-known-key-option.patch | 24 +-- .../files/0002-libtpm-support-env-TPM_SRK_PW.patch | 14 +- .../files/0003-Fix-not-building-libtpm.la.patch | 25 --- ...-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch | 41 ++-- ...-tpm-engine-change-variable-c-type-from-c.patch | 13 +- .../files/openssl11_build_fix.patch | 34 ++++ .../openssl-tpm-engine/openssl-tpm-engine_0.4.2.bb | 78 -------- .../openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb | 65 +++++++ .../pcr-extend/files/fix_openssl11_build.patch | 45 +++++ .../recipes-tpm/pcr-extend/pcr-extend_git.bb | 3 +- .../meta-tpm/recipes-tpm/swtpm/swtpm_1.0.bb | 21 +-- .../tpm-tools/files/04-fix-FTBFS-clang.patch | 56 ++++++ .../files/05-openssl1.1_fix_data_mgmt.patch | 110 +++++++++++ .../tpm-tools/files/openssl1.1_fix.patch | 18 ++ .../tpm-tools/files/tpm-tools-extendpcr.patch | 32 ++-- .../recipes-tpm/tpm-tools/tpm-tools_1.3.9.1.bb | 36 ++++ .../recipes-tpm/tpm-tools/tpm-tools_git.bb | 35 ---- .../recipes-tpm/tpm2-abrmd/tpm2-abrmd_1.2.0.bb | 54 ------ .../recipes-tpm/tpm2-abrmd/tpm2-abrmd_2.0.2.bb | 54 ++++++ .../recipes-tpm/tpm2.0-tools/tpm2.0-tools_3.1.2.bb | 15 ++ .../recipes-tpm/tpm2.0-tools/tpm2.0-tools_git.bb | 18 -- 
.../recipes-tpm/tpm2.0-tss/tpm2.0-tss_1.3.0.bb | 99 ---------- .../recipes-tpm/tpm2.0-tss/tpm2.0-tss_2.0.1.bb | 74 ++++++++ .../tpm2simulator/tpm2simulator-native_138.bb | 22 --- .../recipes-tpm/tpm2simulator/tpm2simulator_138.bb | 22 +++ meta-security/recipes-browers/tor/tor_6.5.2.bb | 7 - .../recipes-forensic/afflib/afflib_3.6.6.bb | 30 --- .../afflib/files/configure_rm_ms_flags.patch | 18 -- .../recipes-forensic/libewf/files/gcc5_fix.patch | 22 --- .../recipes-forensic/libewf/libewf_20140608.bb | 24 --- .../sleuth/files/fix_host_poison.patch | 23 --- .../recipes-forensic/sleuth/sleuthkit_4.1.3.bb | 31 --- .../recipes-security/AppArmor/apparmor_2.11.0.bb | 159 ---------------- .../recipes-security/AppArmor/apparmor_2.12.bb | 159 ++++++++++++++++ .../aircrack-ng/aircrack-ng_1.2.bb | 37 ---- .../aircrack-ng/aircrack-ng_1.3.bb | 34 ++++ .../aircrack-ng/files/fixup_cflags.patch | 28 --- .../recipes-security/bastille/bastille_3.2.1.bb | 2 +- .../recipes-security/clamav/clamav_0.99.3.bb | 158 ---------------- .../recipes-security/clamav/clamav_0.99.4.bb | 158 ++++++++++++++++ .../ecryptfs-utils/ecryptfs-utils_111.bb | 9 +- .../recipes-security/fail2ban/fail2ban_0.10.2.bb | 41 ---- .../recipes-security/fail2ban/files/run-ptest | 3 + .../recipes-security/fail2ban/python-fail2ban.inc | 49 +++++ .../fail2ban/python-fail2ban_0.10.3.1.bb | 4 + .../fail2ban/python3-fail2ban_0.10.3.1.bb | 4 + .../fscryptctl/fscryptctl_0.1.0.bb | 2 +- .../images/security-build-image.bb | 4 +- .../configure-remove-hardcode-path.patch | 37 ---- .../keynote/keynote-2.3/makefile-add-ldflags.patch | 36 ---- .../recipes-security/keynote/keynote-2.3/run-ptest | 16 -- .../recipes-security/keynote/keynote_2.3.bb | 40 ---- .../recipes-security/keyutils/keyutils_1.5.10.bb | 2 + .../libseccomp/libseccomp_2.3.3.bb | 3 +- .../nmap-redefine-the-python-library-dir.patch | 37 ---- ...shtool-mkdir-with-coreutils-mkdir-command.patch | 48 ----- meta-security/recipes-security/nmap/nmap_7.60.bb | 54 ------ 
.../packagegroup/packagegroup-core-security.bb | 27 ++- .../samhain/samhain-client_4.2.2.bb | 11 -- .../samhain/samhain-client_4.3.0.bb | 11 ++ .../samhain/samhain-server_4.2.2.bb | 20 -- .../samhain/samhain-server_4.3.0.bb | 20 ++ .../samhain/samhain-standalone_4.2.2.bb | 31 --- .../samhain/samhain-standalone_4.3.0.bb | 31 +++ meta-security/recipes-security/samhain/samhain.inc | 7 +- .../recipes-security/scapy/files/run-ptest | 4 + .../recipes-security/scapy/python-scapy.inc | 20 ++ .../recipes-security/scapy/python-scapy_2.4.0.bb | 6 + .../recipes-security/scapy/python3-scapy_2.4.0.bb | 4 + .../recipes-security/scapy/scapy/run-ptest | 4 - .../recipes-security/scapy/scapy_2.3.3.bb | 24 --- meta-security/recipes-security/sssd/sssd_1.16.0.bb | 73 -------- meta-security/recipes-security/sssd/sssd_1.16.3.bb | 73 ++++++++ .../suricata/files/emerging.rules.tar.gz | Bin 0 -> 2252393 bytes .../recipes-security/suricata/files/run-ptest | 3 + .../suricata/files/suricata.service | 20 ++ .../recipes-security/suricata/files/suricata.yaml | 2 +- .../recipes-security/suricata/libhtp_0.5.25.bb | 15 -- .../recipes-security/suricata/libhtp_0.5.27.bb | 15 ++ .../recipes-security/suricata/suricata.inc | 6 +- .../recipes-security/suricata/suricata_4.0.0.bb | 60 ------ .../recipes-security/suricata/suricata_4.0.5.bb | 96 ++++++++++ .../recipes-security/tripwire/files/run-ptest | 3 + .../recipes-security/tripwire/tripwire_2.4.3.6.bb | 9 +- .../xmlsec1/change-finding-path-of-nss.patch | 107 +++++------ .../xmlsec1-fix-a-typo-in-examples-verify3.c.patch | 23 --- .../recipes-security/xmlsec1/xmlsec1_1.2.25.bb | 57 ------ .../recipes-security/xmlsec1/xmlsec1_1.2.26.bb | 56 ++++++ 102 files changed, 1833 insertions(+), 2019 deletions(-) create mode 100644 meta-security/docs/overview.txt delete mode 100644 meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.5.1.bb create mode 100644 meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.6.8.bb create mode 
100644 meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb delete mode 100644 meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.6.bb delete mode 100644 meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.2.15.bb create mode 100644 meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.2.17.bb delete mode 100644 meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-Fix-not-building-libtpm.la.patch create mode 100644 meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/openssl11_build_fix.patch delete mode 100644 meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.4.2.bb create mode 100644 meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb create mode 100644 meta-security/meta-tpm/recipes-tpm/pcr-extend/files/fix_openssl11_build.patch create mode 100644 meta-security/meta-tpm/recipes-tpm/tpm-tools/files/04-fix-FTBFS-clang.patch create mode 100644 meta-security/meta-tpm/recipes-tpm/tpm-tools/files/05-openssl1.1_fix_data_mgmt.patch create mode 100644 meta-security/meta-tpm/recipes-tpm/tpm-tools/files/openssl1.1_fix.patch create mode 100644 meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.1.bb delete mode 100644 meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_git.bb delete mode 100644 meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_1.2.0.bb create mode 100644 meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_2.0.2.bb create mode 100644 meta-security/meta-tpm/recipes-tpm/tpm2.0-tools/tpm2.0-tools_3.1.2.bb delete mode 100644 meta-security/meta-tpm/recipes-tpm/tpm2.0-tools/tpm2.0-tools_git.bb delete mode 100644 meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss_1.3.0.bb create mode 100644 meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss_2.0.1.bb delete mode 100644 
meta-security/meta-tpm/recipes-tpm/tpm2simulator/tpm2simulator-native_138.bb create mode 100644 meta-security/meta-tpm/recipes-tpm/tpm2simulator/tpm2simulator_138.bb delete mode 100644 meta-security/recipes-browers/tor/tor_6.5.2.bb delete mode 100644 meta-security/recipes-forensic/afflib/afflib_3.6.6.bb delete mode 100644 meta-security/recipes-forensic/afflib/files/configure_rm_ms_flags.patch delete mode 100644 meta-security/recipes-forensic/libewf/files/gcc5_fix.patch delete mode 100644 meta-security/recipes-forensic/libewf/libewf_20140608.bb delete mode 100644 meta-security/recipes-forensic/sleuth/files/fix_host_poison.patch delete mode 100644 meta-security/recipes-forensic/sleuth/sleuthkit_4.1.3.bb delete mode 100644 meta-security/recipes-security/AppArmor/apparmor_2.11.0.bb create mode 100644 meta-security/recipes-security/AppArmor/apparmor_2.12.bb delete mode 100644 meta-security/recipes-security/aircrack-ng/aircrack-ng_1.2.bb create mode 100644 meta-security/recipes-security/aircrack-ng/aircrack-ng_1.3.bb delete mode 100644 meta-security/recipes-security/aircrack-ng/files/fixup_cflags.patch delete mode 100644 meta-security/recipes-security/clamav/clamav_0.99.3.bb create mode 100644 meta-security/recipes-security/clamav/clamav_0.99.4.bb delete mode 100644 meta-security/recipes-security/fail2ban/fail2ban_0.10.2.bb create mode 100644 meta-security/recipes-security/fail2ban/files/run-ptest create mode 100644 meta-security/recipes-security/fail2ban/python-fail2ban.inc create mode 100644 meta-security/recipes-security/fail2ban/python-fail2ban_0.10.3.1.bb create mode 100644 meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.3.1.bb delete mode 100644 meta-security/recipes-security/keynote/keynote-2.3/configure-remove-hardcode-path.patch delete mode 100644 meta-security/recipes-security/keynote/keynote-2.3/makefile-add-ldflags.patch delete mode 100644 meta-security/recipes-security/keynote/keynote-2.3/run-ptest delete mode 100644 
meta-security/recipes-security/keynote/keynote_2.3.bb delete mode 100644 meta-security/recipes-security/nmap/files/nmap-redefine-the-python-library-dir.patch delete mode 100644 meta-security/recipes-security/nmap/files/nmap-replace-shtool-mkdir-with-coreutils-mkdir-command.patch delete mode 100644 meta-security/recipes-security/nmap/nmap_7.60.bb delete mode 100644 meta-security/recipes-security/samhain/samhain-client_4.2.2.bb create mode 100644 meta-security/recipes-security/samhain/samhain-client_4.3.0.bb delete mode 100644 meta-security/recipes-security/samhain/samhain-server_4.2.2.bb create mode 100644 meta-security/recipes-security/samhain/samhain-server_4.3.0.bb delete mode 100644 meta-security/recipes-security/samhain/samhain-standalone_4.2.2.bb create mode 100644 meta-security/recipes-security/samhain/samhain-standalone_4.3.0.bb create mode 100755 meta-security/recipes-security/scapy/files/run-ptest create mode 100644 meta-security/recipes-security/scapy/python-scapy.inc create mode 100644 meta-security/recipes-security/scapy/python-scapy_2.4.0.bb create mode 100644 meta-security/recipes-security/scapy/python3-scapy_2.4.0.bb delete mode 100755 meta-security/recipes-security/scapy/scapy/run-ptest delete mode 100644 meta-security/recipes-security/scapy/scapy_2.3.3.bb delete mode 100644 meta-security/recipes-security/sssd/sssd_1.16.0.bb create mode 100644 meta-security/recipes-security/sssd/sssd_1.16.3.bb create mode 100644 meta-security/recipes-security/suricata/files/emerging.rules.tar.gz create mode 100644 meta-security/recipes-security/suricata/files/run-ptest create mode 100644 meta-security/recipes-security/suricata/files/suricata.service delete mode 100644 meta-security/recipes-security/suricata/libhtp_0.5.25.bb create mode 100644 meta-security/recipes-security/suricata/libhtp_0.5.27.bb delete mode 100644 meta-security/recipes-security/suricata/suricata_4.0.0.bb create mode 100644 meta-security/recipes-security/suricata/suricata_4.0.5.bb create mode 
100644 meta-security/recipes-security/tripwire/files/run-ptest delete mode 100644 meta-security/recipes-security/xmlsec1/xmlsec1/xmlsec1-fix-a-typo-in-examples-verify3.c.patch delete mode 100644 meta-security/recipes-security/xmlsec1/xmlsec1_1.2.25.bb create mode 100644 meta-security/recipes-security/xmlsec1/xmlsec1_1.2.26.bb (limited to 'meta-security') diff --git a/meta-security/README b/meta-security/README index ef80f2b202..e238271a66 100644 --- a/meta-security/README +++ b/meta-security/README 
@@ -48,209 +48,6 @@ other layers needed. e.g.: /path/to/meta-openembedded/meta-networking \ /path/to/layer/meta-security \ -Contents and Help -================= - -In this section the contents of the layer is listed, along with a short -help for each package. - - == bastille == - - Bastille is a system hardening / lockdown program which enhances the - security of a Unix host. It configures daemons, system settings and - firewalls to be more secure. It can shut off unneeded services - like rcp and rlogin, and helps create "chroot jails" that help limit the - vulnerability of common Internet services like Web services and DNS. - - usage : The functionality of Bastille which is available is - restricted to a purely informational one. The command: - bastille -c --os Yocto - will cause a series of menus containing security questions - about the system to be displayed to the user. For each - question, a default response, specified in the configuration - file which is installed with Bastille, will be selected. - The user may select an alternate response. When the user - has completed the sequence of menus Bastille saves the - responses to the configuration file. - - The command: - bastille -l lists the configuration files that Bastille - is able to locate. - - The other functionality which Bastille is intended to provide - is actually unavailable. This is not due to errors in poky - installation or configuration of the application. The Bastille - distribution is no longer supported. Significant modifications - would be required to make it possible to make use of the - functionality which is currently unavailable. - - - Additional information about Bastille can be found in the package - README file and other documentation. - - Alternatives to Bastille include buck-security and checksecurity, - described elsewhere in this file. - - - == redhat-security == - - Sometimes you want to check different aspects of a distribution for security problems. 
- This can be anything from file permissions to correctness of code. This is a collection of those tools. - Depending on what information the tool has to access, it may need to be run as root. - - - rpm-chksec.sh : This will take an rpm name as input and verify each ELF file to see if its compiled with the intended flags - to most effectively use PIE and RELRO. Green is good, Orange could use work but is acceptable, and Red needs fixing. - It has a mode --all that is the equivalent of using rpm -qa and feeding the packages to it. - In this mode it will only give a summary result for the package. To find which files don't comply, - re-run using just the package name. - - !!! WARNING !!! - in order to use this script you need to add to your conf/local.conf file the following lines: - IMAGE_ROOTFS_EXTRA_SPACE = "" - specifying the extra space of the image - IMAGE_FEATURES += "package management" - for the correct output of rpm -qa - - - find-nodrop-groups.sh : This will scan a whole file system to see if a program makes calls to change UID - and GID without also calling setgroups or initgroups. - - - rpm-drop-groups.sh : Same as above, but takes an rpm name instead. - - - find-chroot.sh : This script scans the whole file system looking for ELF files that calls chroot(2) that also do not include a call to chdir. - Programs that fail to do this do not have the cwd inside the chroot. This means the app can escape the protection that was intended. - - - find-chroot-py.sh : This test is like the one above except it examines python scripts for the same problem. - - - find-execstack.sh : This program scans the whole file system for ELF programs that have marked the stack as being executable. - This means that if the program has another vulnerablity such as stack buffer overflow, - any code the attacker places there is executable. Any program found must be fixed. - - - find-hidden-exec.sh : This program scans the whole file system looking for excutables that are hidden. 
- Anything found must be investigated since its highly unusual for executables to be hidden. - - - find-sh4errors.sh : This program scans the whole file system looking for shell scripts. - It then does a sh -n on the script which causes bash to parse the file to see if there are any mistakes. - - - selinux-check-devices.sh : This script checks the /dev directory to see if there are any devices that are not correctly labeled. - Anything found by this test should be reported so that selinux policy can be fixed. - This test is very hardware specific, so to be effective a lot of people with different hardware - should run this test each upstream kernel version release. - - - selinux-ls-unconfined.sh : This script scans the running processes and looks for anything labeled with initrc_t or inetd. - These both mean that there are daemons that do not have policy and are therefore running unconfined. - These should be reported as SE Linux policy problems. Because it checks currently running daemons, - the more you have running, the better the test is. - - - find-sh4tmp.sh : This script scans the whole filesystem to check if shell scripts are using well known tmp file names - instead of obscure ones created by something like mktemp. - - - find-elf4tmp.sh : This script scans the whole file system for ELF files using /tmp. When it finds this, - it also looks to see if any of the known good random name generator functions is called by looking - at the symbol table. If not, it will output the string. - - - lib-bin-check.sh : This will check all installed library packages to see if an application is also part of the package. - The relationship to security is that the SHA256 hash check will fail if a 32 bit version overwrites it. - Also, the less binaries on a system, the more secure it is by virtue of removing the chance for an exploitable bug. - - - usage : simply invoke the script name in the terminal. 
- - - == pax-utils == - - ( This package can be found in oe-core ) - - pax-utils is a small set of various PaX aware and related utilities for - ELF binaries. - - - scanelf : With this application you can print out information specific to the ELF structure of a binary. - For more help please consult the man pages or the readme file. - - - pspax : is a user-space utility that scans the proc directory and list - ELF types, as well as their respective PaX flags and filenames and - attributes. Depending on build options, it may additionaly display the - process running set of capabilities. - - - scanmacho : is a user-space utility to quickly scan given - Mach-Os, directories, or common system paths for different information. This - may include Mach-O types, their install_names, etc. - - - dumpelf : is a user-space utility to dump all of the internal - ELF structures into the equivalent C structures for fun debugging and/or - reference purposes. - - - usage : simply invoke the script name in the terminal. - - - == buck-security == - - Buck-Security is a security scanner for Debian and Ubuntu Linux. It runs a couple of important checks and helps you to harden your Linux - system. This enables you to quickly overview the security status of your Linux system. - - usage : !!! before starting to use this tool please run the following command: !!! - - export GPG_TTY=`tty` - - This command is needed for the usage of the comand --make-checksum, which creates - a checksum for the files in the system. - - switch to directory /usr/local/buck-security. - before running the script, you should check the activated checks in conf/buck-security.conf file. - after altering the changes, save the file and simply run : - - ./buck-security - - you can choose between different outputs : 1, 2(default) or 3. 
- - More detailed usage can be found typing ./buck-security --help - - - == libseccomp == - - The libseccomp library provides and easy to use, platform independent, interface to the Linux Kernel's syscall filtering mechanism: seccomp. - The libseccomp API is designed to abstract away the underlying BPF based syscall filter language and present a more conventional - function-call based filtering interface that should be familiar to, and easily adopted by application developers. - - usage : More detailed usage can be found in the man pages and README file of the package. - - - - == checksecurity == - - checksecurity is a simple package which will scan your system for several simple security holes. - It uses a simple collection of plugins, all of which are shell scripts which are configured by environmental variables. - - - usage : To start checksecurity simply write in the terminal : - - checksecurity - - More detailed usage can be found in the man pages and README file of the package. - - - == nikto == - - Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, - including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific - problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, - HTTP server options, and will attempt to identify installed web servers and software. - - usage : To start nikto simply write in the terminal : - - nikto - - More detailed usage can be found in the man pages and README file of the package. - - - == nmap == - - Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing. - Many systems and network administrators also find it useful for tasks such as network inventory, - managing service upgrade schedules, and monitoring host or service uptime. 
- - usage : To start nikto simply write in the terminal : - - nmap - - More detailed usage can be found in the man pages and README file of the package. Maintenance ----------- @@ -260,8 +57,8 @@ Send pull requests, patches, comments or questions to yocto@yoctoproject.org When sending single patches, please using something like: 'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security][PATCH' -Maintainers: Saul Wold - Armin Kuster +Maintainers: Armin Kuster + Saul Wold License diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf index efc426ed7a..19e647e7ff 100644 --- a/meta-security/conf/layer.conf +++ b/meta-security/conf/layer.conf @@ -7,8 +7,10 @@ BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \ BBFILE_COLLECTIONS += "security" BBFILE_PATTERN_security = "^${LAYERDIR}/" -BBFILE_PRIORITY_security = "6" +BBFILE_PRIORITY_security = "8" -LAYERSERIES_COMPAT_security = "sumo" +LAYERSERIES_COMPAT_security = "thud" LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer meta-python" + +DEFAULT_TEST_SUITES_pn-security-build-image = " ${PTESTTESTSUITE}" diff --git a/meta-security/docs/overview.txt b/meta-security/docs/overview.txt new file mode 100644 index 0000000000..ed3135aaa4 --- /dev/null +++ b/meta-security/docs/overview.txt 
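Review bot: `${PTESTTESTSUITE}` in the added `DEFAULT_TEST_SUITES_pn-security-build-image = " ${PTESTTESTSUITE}"` line of meta-security/conf/layer.conf is not defined anywhere in this hunk. If no class or configuration file sets it, BitBake leaves the reference unexpanded and the test-suite list for security-build-image becomes that literal string. Confirm where it is defined and say so next to the assignment, for example `# PTESTTESTSUITE is set in <defining class or conf file>`. The same hunk raises `BBFILE_PRIORITY_security` from 6 to 8, which changes which layer's recipes and bbappends take precedence when they overlap; a one-line comment giving the reason would help anyone auditing the build.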
@@ -0,0 +1,197 @@
+Meta-security Docs
+=============
+
+In this section the contents of the layer is listed, along with a short
+help for each package.
+
+ == bastille ==
+
+ Bastille is a system hardening / lockdown program which enhances the
+ security of a Unix host. It configures daemons, system settings and
+ firewalls to be more secure. It can shut off unneeded services
+ like rcp and rlogin, and helps create "chroot jails" that help limit the
+ vulnerability of common Internet services like Web services and DNS.
+
+ usage : The functionality of Bastille which is available is
+ restricted to a purely informational one. The command:
+ bastille -c --os Yocto
+ will cause a series of menus containing security questions
+ about the system to be displayed to the user. For each
+ question, a default response, specified in the configuration
+ file which is installed with Bastille, will be selected.
+ The user may select an alternate response. When the user
+ has completed the sequence of menus Bastille saves the
+ responses to the configuration file.
+
+ The command:
+ bastille -l lists the configuration files that Bastille
+ is able to locate.
+
+ The other functionality which Bastille is intended to provide
+ is actually unavailable. This is not due to errors in poky
+ installation or configuration of the application. The Bastille
+ distribution is no longer supported. Significant modifications
+ would be required to make it possible to make use of the
+ functionality which is currently unavailable.
+
+
+ Additional information about Bastille can be found in the package
+ README file and other documentation.
+
+ Alternatives to Bastille include buck-security and checksecurity,
+ described elsewhere in this file.
+
+
+ == redhat-security ==
+
+ Sometimes you want to check different aspects of a distribution for security problems.
+ This can be anything from file permissions to correctness of code. This is a collection of those tools.
+ Depending on what information the tool has to access, it may need to be run as root.
+
+ - rpm-chksec.sh : This will take an rpm name as input and verify each ELF file to see if its compiled with the intended flags
+ to most effectively use PIE and RELRO. Green is good, Orange could use work but is acceptable, and Red needs fixing.
+ It has a mode --all that is the equivalent of using rpm -qa and feeding the packages to it.
+ In this mode it will only give a summary result for the package. To find which files don't comply,
+ re-run using just the package name.
+
+ !!! WARNING !!! - in order to use this script you need to add to your conf/local.conf file the following lines:
+ IMAGE_ROOTFS_EXTRA_SPACE = "" - specifying the extra space of the image
+ IMAGE_FEATURES += "package management" - for the correct output of rpm -qa
+
+ - find-nodrop-groups.sh : This will scan a whole file system to see if a program makes calls to change UID
+ and GID without also calling setgroups or initgroups.
+
+ - rpm-drop-groups.sh : Same as above, but takes an rpm name instead.
+
+ - find-chroot.sh : This script scans the whole file system looking for ELF files that calls chroot(2) that also do not include a call to chdir.
+ Programs that fail to do this do not have the cwd inside the chroot. This means the app can escape the protection that was intended.
+
+ - find-chroot-py.sh : This test is like the one above except it examines python scripts for the same problem.
+
+ - find-execstack.sh : This program scans the whole file system for ELF programs that have marked the stack as being executable.
+ This means that if the program has another vulnerablity such as stack buffer overflow,
+ any code the attacker places there is executable. Any program found must be fixed.
+
+ - find-hidden-exec.sh : This program scans the whole file system looking for excutables that are hidden.
+ Anything found must be investigated since its highly unusual for executables to be hidden.
+
+ - find-sh4errors.sh : This program scans the whole file system looking for shell scripts.
+ It then does a sh -n on the script which causes bash to parse the file to see if there are any mistakes.
+
+ - selinux-check-devices.sh : This script checks the /dev directory to see if there are any devices that are not correctly labeled.
+ Anything found by this test should be reported so that selinux policy can be fixed.
+ This test is very hardware specific, so to be effective a lot of people with different hardware
+ should run this test each upstream kernel version release.
+
+ - selinux-ls-unconfined.sh : This script scans the running processes and looks for anything labeled with initrc_t or inetd.
+ These both mean that there are daemons that do not have policy and are therefore running unconfined.
+ These should be reported as SE Linux policy problems. Because it checks currently running daemons,
+ the more you have running, the better the test is.
+
+ - find-sh4tmp.sh : This script scans the whole filesystem to check if shell scripts are using well known tmp file names
+ instead of obscure ones created by something like mktemp.
+
+ - find-elf4tmp.sh : This script scans the whole file system for ELF files using /tmp. When it finds this,
+ it also looks to see if any of the known good random name generator functions is called by looking
+ at the symbol table. If not, it will output the string.
+
+ - lib-bin-check.sh : This will check all installed library packages to see if an application is also part of the package.
+ The relationship to security is that the SHA256 hash check will fail if a 32 bit version overwrites it.
+ Also, the less binaries on a system, the more secure it is by virtue of removing the chance for an exploitable bug.
+
+
+ usage : simply invoke the script name in the terminal.
+
+
+ == pax-utils ==
+
+ ( This package can be found in oe-core )
+
+ pax-utils is a small set of various PaX aware and related utilities for
+ ELF binaries.
+
+ - scanelf : With this application you can print out information specific to the ELF structure of a binary.
+ For more help please consult the man pages or the readme file.
+
+ - pspax : is a user-space utility that scans the proc directory and list
+ ELF types, as well as their respective PaX flags and filenames and
+ attributes. Depending on build options, it may additionaly display the
+ process running set of capabilities.
+
+ - scanmacho : is a user-space utility to quickly scan given
+ Mach-Os, directories, or common system paths for different information. This
+ may include Mach-O types, their install_names, etc.
+
+ - dumpelf : is a user-space utility to dump all of the internal
+ ELF structures into the equivalent C structures for fun debugging and/or
+ reference purposes.
+
+
+ usage : simply invoke the script name in the terminal.
+
+
+ == buck-security ==
+
+ Buck-Security is a security scanner for Debian and Ubuntu Linux. It runs a couple of important checks and helps you to harden your Linux
+ system. This enables you to quickly overview the security status of your Linux system.
+
+ usage : !!! before starting to use this tool please run the following command: !!!
+
+ export GPG_TTY=`tty`
+
+ This command is needed for the usage of the comand --make-checksum, which creates
+ a checksum for the files in the system.
+
+ switch to directory /usr/local/buck-security.
+ before running the script, you should check the activated checks in conf/buck-security.conf file.
+ after altering the changes, save the file and simply run :
+
+ ./buck-security
+
+ you can choose between different outputs : 1, 2(default) or 3.
+
+ More detailed usage can be found typing ./buck-security --help
+
+
+ == libseccomp ==
+
+ The libseccomp library provides and easy to use, platform independent, interface to the Linux Kernel's syscall filtering mechanism: seccomp.
+ The libseccomp API is designed to abstract away the underlying BPF based syscall filter language and present a more conventional
+ function-call based filtering interface that should be familiar to, and easily adopted by application developers.
+
+ usage : More detailed usage can be found in the man pages and README file of the package.
+
+
+
+ == checksecurity ==
+
+ checksecurity is a simple package which will scan your system for several simple security holes.
+ It uses a simple collection of plugins, all of which are shell scripts which are configured by environmental variables.
+
+
+ usage : To start checksecurity simply write in the terminal :
+
+ checksecurity
+
+ More detailed usage can be found in the man pages and README file of the package.
+
+
+ == nikto ==
+
+ Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items,
+ including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific
+ problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files,
+ HTTP server options, and will attempt to identify installed web servers and software.
+
+ usage : To start nikto simply write in the terminal :
+
+ nikto
+
+ More detailed usage can be found in the man pages and README file of the package.
+
+License
+=======
+
+All metadata is MIT licensed unless otherwise stated. Source code included
+in tree for individual recipes is under the LICENSE stated in each recipe
+(.bb file) unless otherwise stated.
diff --git a/meta-security/meta-security-compliance/conf/layer.conf b/meta-security/meta-security-compliance/conf/layer.conf
index 31716d6e79..fcc5cd6cae 100644
--- a/meta-security/meta-security-compliance/conf/layer.conf
+++ b/meta-security/meta-security-compliance/conf/layer.conf
@@ -6,9 +6,9 @@ BBFILES += "${LAYERDIR}/recipes*/*/*.bb ${LAYERDIR}/recipes*/*/*.bbappend" BBFILE_COLLECTIONS += "scanners-layer" BBFILE_PATTERN_scanners-layer = "^${LAYERDIR}/" -BBFILE_PRIORITY_scanners-layer = "6" +BBFILE_PRIORITY_scanners-layer = "10" -LAYERSERIES_COMPAT_scanners-layer = "sumo" +LAYERSERIES_COMPAT_scanners-layer = "thud" LAYERDEPENDS_scanners-layer = " \ core \ diff --git a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.5.1.bb b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.5.1.bb deleted file mode 100644 index 884999c08e..0000000000 --- a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.5.1.bb +++ /dev/null @@ -1,38 +0,0 @@ -# Copyright (C) 2017 Armin Kuster -# Released under the MIT license (see COPYING.MIT for the terms) - -SUMMARY = "Lynis is a free and open source security and auditing tool." -HOMEDIR = "https://cisofy.com/" -LICENSE = "GPL-3.0" -LIC_FILES_CHKSUM = "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1" - -SRCREV= "1be5154b35ce144db4f386856debe8a06b403899" -SRC_URI = "git://github.com/CISOfy/Lynis.git" -S = "${WORKDIR}/git" - -inherit autotools-brokensep - -do_compile[noexec] = "1" -do_configure[noexec] = "1" - -do_install () { - install -d ${D}/${bindir} - install -d ${D}/${sysconfdir}/lynis - install -m 555 ${S}/lynis ${D}/${bindir} - - install -d ${D}/${datadir}/lynis/db - install -d ${D}/${datadir}/lynis/plugins - install -d ${D}/${datadir}/lynis/include - install -d ${D}/${datadir}/lynis/extras - - cp -r ${S}/db/* ${D}/${datadir}/lynis/db/. - cp -r ${S}/plugins/* ${D}/${datadir}/lynis/plugins/. - cp -r ${S}/include/* ${D}/${datadir}/lynis/include/. - cp -r ${S}/extras/* ${D}/${datadir}/lynis/extras/. - cp ${S}/*.prf ${D}/${sysconfdir}/lynis -} - -FILES_${PN} += "${sysconfdir}/developer.prf ${sysconfdir}/default.prf" -FILES_${PN}-doc += "lynis.8 FAQ README CHANGELOG.md CONTRIBUTIONS.md CONTRIBUTORS.md" - -RDEPENDS_${PN} += "procps" 
diff --git a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.6.8.bb b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.6.8.bb
new file mode 100644
index 0000000000..28a44691c3
--- /dev/null
+++ b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.6.8.bb
@@ -0,0 +1,41 @@
+# Copyright (C) 2017 Armin Kuster
+# Released under the MIT license (see COPYING.MIT for the terms)
+
+SUMMARY = "Lynis is a free and open source security and auditing tool."
+HOMEDIR = "https://cisofy.com/"
+LICENSE = "GPL-3.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1"
+
+SRC_URI = "https://cisofy.com/files/${BPN}-${PV}.tar.gz"
+
+SRC_URI[md5sum] = "91a538055bfb682733ef8e4fe7eb0902"
+SRC_URI[sha256sum] = "2e4c5157a4f2d9bb37d3f0f1f5bea03f92233a2a7d4df6eddf231a784087dfac"
+
+S = "${WORKDIR}/${BPN}"
+
+inherit autotools-brokensep
+
+do_compile[noexec] = "1"
+do_configure[noexec] = "1"
+
+do_install () {
+ install -d ${D}/${bindir}
+ install -d ${D}/${sysconfdir}/lynis
+ install -m 555 ${S}/lynis ${D}/${bindir}
+
+ install -d ${D}/${datadir}/lynis/db
+ install -d ${D}/${datadir}/lynis/plugins
+ install -d ${D}/${datadir}/lynis/include
+ install -d ${D}/${datadir}/lynis/extras
+
+ cp -r ${S}/db/* ${D}/${datadir}/lynis/db/.
+ cp -r ${S}/plugins/* ${D}/${datadir}/lynis/plugins/.
+ cp -r ${S}/include/* ${D}/${datadir}/lynis/include/.
+ cp -r ${S}/extras/* ${D}/${datadir}/lynis/extras/.
+ cp ${S}/*.prf ${D}/${sysconfdir}/lynis
+}
+
+FILES_${PN} += "${sysconfdir}/developer.prf ${sysconfdir}/default.prf"
+FILES_${PN}-doc += "lynis.8 FAQ README CHANGELOG.md CONTRIBUTIONS.md CONTRIBUTORS.md"
+
+RDEPENDS_${PN} += "procps"
diff --git a/meta-security/meta-security-compliance/recipes-core/os-release/os-release.bbappend b/meta-security/meta-security-compliance/recipes-core/os-release/os-release.bbappend
index e9fd44ade8..604bacb1a0 100644
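Review bot: The `FILES_${PN}` entries `${sysconfdir}/developer.prf` and `${sysconfdir}/default.prf` in lynis_2.6.8.bb do not match where do_install puts the profiles, because `cp ${S}/*.prf ${D}/${sysconfdir}/lynis` copies them into the `lynis` subdirectory; `FILES_${PN} += "${sysconfdir}/lynis"` names the real location. The `FILES_${PN}-doc` list likewise names files that do_install never copies into `${D}`. `HOMEDIR` is not a variable the packaging classes read, so the upstream URL is lost from the package metadata; it should be `HOMEPAGE = "https://cisofy.com/"`.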
--- a/meta-security/meta-security-compliance/recipes-core/os-release/os-release.bbappend +++ b/meta-security/meta-security-compliance/recipes-core/os-release/os-release.bbappend @@ -1,4 +1 @@ -OS_RELEASE_FIELDS += "CPE_NAME" - CPE_NAME="cpe:/o:openembedded:nodistro:0" - diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb b/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb new file mode 100644 index 0000000000..a6a9373ea1 --- /dev/null +++ b/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb @@ -0,0 +1,18 @@ +# Copyright (C) 2017 Armin Kuster +# Released under the MIT license (see COPYING.MIT for the terms) + +SUMARRY = "The OpenSCAP Daemon is a service that runs in the background." +HOME_URL = "https://www.open-scap.org/tools/openscap-daemon/" +LIC_FILES_CHKSUM = "file://LICENSE;md5=40d2542b8c43a3ec2b7f5da31a697b88" +LICENSE = "LGPL-2.1" + +DEPENDS = "python3-dbus" + +SRCREV = "f25b16afb6ac761fea13132ff406fba4cdfd2b76" +SRC_URI = "git://github.com/OpenSCAP/openscap-daemon.git" + +inherit setuptools3 + +S = "${WORKDIR}/git" + +RDEPENDS_${PN} = "python" diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.6.bb b/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.6.bb deleted file mode 100644 index fb01a1134c..0000000000 --- a/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.6.bb +++ /dev/null 
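Review bot: `SUMARRY` in openscap-daemon_0.1.10.bb is a misspelling of `SUMMARY`, and `HOME_URL` is not `HOMEPAGE`, so neither value reaches the package metadata; write `SUMMARY = "The OpenSCAP Daemon is a service that runs in the background."` and `HOMEPAGE = "https://www.open-scap.org/tools/openscap-daemon/"`. openscap_1.2.17.bb in this commit carries the same two names. The recipe inherits `setuptools3` and depends on `python3-dbus`, yet `RDEPENDS_${PN} = "python"` pulls in the Python 2 runtime; this looks like it should be `python3`, to be confirmed against what the daemon imports at run time.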
@@ -1,20 +0,0 @@ -# Copyright (C) 2017 Armin Kuster -# Released under the MIT license (see COPYING.MIT for the terms) - -SUMARRY = "The OpenSCAP Daemon is a service that runs in the background." -HOME_URL = "https://www.open-scap.org/tools/openscap-daemon/" -LIC_FILES_CHKSUM = "file://LICENSE;md5=40d2542b8c43a3ec2b7f5da31a697b88" -LICENSE = "LGPL-2.1" - -DEPENDS = "python3-dbus" - -SRCREV = "3fd5c75a08223de35a865d026d2a6980ec9c1d74" -SRC_URI = "git://github.com/OpenSCAP/openscap-daemon.git" - -PV = "0.1.6+git${SRCPV}" - -inherit setuptools3 - -S = "${WORKDIR}/git" - -RDEPENDS_${PN} = "python" diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.2.15.bb b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.2.15.bb deleted file mode 100644 index 7cbb1e2eca..0000000000 --- a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.2.15.bb +++ /dev/null 
@@ -1,86 +0,0 @@ -# Copyright (C) 2017 Armin Kuster -# Released under the MIT license (see COPYING.MIT for the terms) - -SUMARRY = "NIST Certified SCAP 1.2 toolkit" -HOME_URL = "https://www.open-scap.org/tools/openscap-base/" -LIC_FILES_CHKSUM = "file://COPYING;md5=fbc093901857fcd118f065f900982c24" -LICENSE = "LGPL-2.1" - -DEPENDS = "autoconf-archive pkgconfig gconf procps curl libxml2 rpm \ - libxslt libcap swig swig-native" - -DEPENDS_class-native = "autoconf-archive-native pkgconfig-native swig-native curl-native libxml2-native libxslt-native dpkg-native libgcrypt-native nss-native" - -SRCREV = "240930d42611983c65ecae16dbca3248ce130921" -SRC_URI = "git://github.com/akuster/openscap.git;branch=oe \ - file://crypto_pkgconfig.patch \ - file://run-ptest \ -" - -inherit autotools-brokensep pkgconfig python3native perlnative ptest - -S = "${WORKDIR}/git" - -PACKAGECONFIG ?= "nss3 pcre rpm" -PACKAGECONFIG[pcre] = ",--enable-regex-posix, libpcre" -PACKAGECONFIG[gcrypt] = "--with-crypto=gcrypt,, libgcrypt " -PACKAGECONFIG[nss3] = "--with-crypto=nss3,, nss" -PACKAGECONFIG[python] = "--enable-python, --disable-python, python, python" -PACKAGECONFIG[python3] = "--enable-python3, --disable-python3, python3, python3" -PACKAGECONFIG[perl] = "--enable-perl, --disable-perl, perl, perl" -PACKAGECONFIG[rpm] = " --enable-util-scap-as-rpm, --disable-util-scap-as-rpm, rpm, rpm" - -export LDFLAGS += " -ldl" - -EXTRA_OECONF += "--enable-probes-independent --enable-probes-linux \ - --enable-probes-solaris --enable-probes-unix --disable-util-oscap-docker\ - --enable-util-oscap-ssh --enable-util-oscap --enable-ssp --enable-sce \ -" - -EXTRA_OECONF_class-native += "--disable-probes-independent --enable-probes-linux \ - --disable-probes-solaris --disable-probes-unix \ - --enable-util-oscap \ -" - -do_configure_prepend () { - sed -i 's:-I/usr/include:-I${STAGING_INCDIR}:' ${S}/swig/perl/Makefile.am - sed -i 's:-I/usr/include:-I${STAGING_INCDIR}:' ${S}/swig/python3/Makefile.am - sed -i 
's:-I/usr/include:-I${STAGING_INCDIR}:' ${S}/swig/python2/Makefile.am -} - - -include openscap.inc - -do_configure_append_class-native () { - sed -i 's:OSCAP_DEFAULT_CPE_PATH.*$:OSCAP_DEFAULT_CPE_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe":' ${S}/config.h - sed -i 's:OSCAP_DEFAULT_SCHEMA_PATH.*$:OSCAP_DEFAULT_SCHEMA_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/schemas":' ${S}/config.h - sed -i 's:OSCAP_DEFAULT_XSLT_PATH.*$:OSCAP_DEFAULT_XSLT_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl":' ${S}/config.h -} - -do_clean[cleandirs] += " ${STAGING_OSCAP_BUILDDIR}" - -do_install_append_class-native () { - oscapdir=${STAGING_OSCAP_BUILDDIR}/${datadir_native} - install -d $oscapdir - cp -a ${D}/${STAGING_DATADIR_NATIVE}/openscap $oscapdir -} - -TESTDIR = "tests" - -do_compile_ptest() { - sed -i 's:python2:python:' ${S}/${TESTDIR}/nist/test_worker.py - echo 'buildtest-TESTS: $(check)' >> ${TESTDIR}/Makefile - oe_runmake -C ${TESTDIR} buildtest-TESTS -} - -do_install_ptest() { - # install the tests - cp -rf ${B}/${TESTDIR} ${D}${PTEST_PATH} -} - -FILES_${PN} += "${PYTHON_SITEPACKAGES_DIR}" - -RDEPENDS_${PN} += "libxml2 python libgcc" -RDEPENDS_${PN}-ptest = "bash perl python" - -BBCLASSEXTEND = "native" diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.2.17.bb b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.2.17.bb new file mode 100644 index 0000000000..e2a4fa2e69 --- /dev/null +++ b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.2.17.bb 
@@ -0,0 +1,87 @@ +# Copyright (C) 2017 Armin Kuster +# Released under the MIT license (see COPYING.MIT for the terms) + +SUMARRY = "NIST Certified SCAP 1.2 toolkit" +HOME_URL = "https://www.open-scap.org/tools/openscap-base/" +LIC_FILES_CHKSUM = "file://COPYING;md5=fbc093901857fcd118f065f900982c24" +LICENSE = "LGPL-2.1" + +DEPENDS = "autoconf-archive pkgconfig gconf procps curl libxml2 rpm \ + libxslt libcap swig swig-native" + +DEPENDS_class-native = "autoconf-archive-native pkgconfig-native swig-native curl-native libxml2-native libxslt-native dpkg-native libgcrypt-native nss-native" + +SRCREV = "59c234b3e9907480c89dfbd1b466a6bf72a2d2ed" +SRC_URI = "git://github.com/akuster/openscap.git;branch=oe \ + file://crypto_pkgconfig.patch \ + file://run-ptest \ +" + +inherit autotools-brokensep pkgconfig python3native perlnative ptest + +S = "${WORKDIR}/git" + +PACKAGECONFIG ?= "nss3 pcre rpm" +PACKAGECONFIG[pcre] = ",--enable-regex-posix, libpcre" +PACKAGECONFIG[gcrypt] = "--with-crypto=gcrypt,, libgcrypt " +PACKAGECONFIG[nss3] = "--with-crypto=nss3,, nss" +PACKAGECONFIG[python] = "--enable-python, --disable-python, python, python" +PACKAGECONFIG[python3] = "--enable-python3, --disable-python3, python3, python3" +PACKAGECONFIG[perl] = "--enable-perl, --disable-perl, perl, perl" +PACKAGECONFIG[rpm] = " --enable-util-scap-as-rpm, --disable-util-scap-as-rpm, rpm, rpm" + +export LDFLAGS += " -ldl" + +EXTRA_OECONF += "--enable-probes-independent --enable-probes-linux \ + --enable-probes-solaris --enable-probes-unix --disable-util-oscap-docker\ + --enable-util-oscap-ssh --enable-util-oscap --enable-ssp --enable-sce \ +" + +EXTRA_OECONF_class-native += "--disable-probes-independent --enable-probes-linux \ + --disable-probes-solaris --disable-probes-unix \ + --enable-util-oscap \ +" + +do_configure_prepend () { + sed -i 's:-I/usr/include:-I${STAGING_INCDIR}:' ${S}/swig/perl/Makefile.am + sed -i 's:-I/usr/include:-I${STAGING_INCDIR}:' ${S}/swig/python3/Makefile.am + sed -i 
's:-I/usr/include:-I${STAGING_INCDIR}:' ${S}/swig/python2/Makefile.am + sed -i 's:python2:python:' ${S}/utils/scap-as-rpm +} + + +include openscap.inc + +do_configure_append_class-native () { + sed -i 's:OSCAP_DEFAULT_CPE_PATH.*$:OSCAP_DEFAULT_CPE_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe":' ${S}/config.h + sed -i 's:OSCAP_DEFAULT_SCHEMA_PATH.*$:OSCAP_DEFAULT_SCHEMA_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/schemas":' ${S}/config.h + sed -i 's:OSCAP_DEFAULT_XSLT_PATH.*$:OSCAP_DEFAULT_XSLT_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl":' ${S}/config.h +} + +do_clean[cleandirs] += " ${STAGING_OSCAP_BUILDDIR}" + +do_install_append_class-native () { + oscapdir=${STAGING_OSCAP_BUILDDIR}/${datadir_native} + install -d $oscapdir + cp -a ${D}/${STAGING_DATADIR_NATIVE}/openscap $oscapdir +} + +TESTDIR = "tests" + +do_compile_ptest() { + sed -i 's:python2:python:' ${S}/${TESTDIR}/nist/test_worker.py + echo 'buildtest-TESTS: $(check)' >> ${TESTDIR}/Makefile + oe_runmake -C ${TESTDIR} buildtest-TESTS +} + +do_install_ptest() { + # install the tests + cp -rf ${B}/${TESTDIR} ${D}${PTEST_PATH} +} + +FILES_${PN} += "${PYTHON_SITEPACKAGES_DIR}" + +RDEPENDS_${PN} += "libxml2 python libgcc" +RDEPENDS_${PN}-ptest = "bash perl python" + +BBCLASSEXTEND = "native" diff --git a/meta-security/meta-tpm/conf/layer.conf b/meta-security/meta-tpm/conf/layer.conf index a2f0cabaf6..1b5f7d581e 100644 --- a/meta-security/meta-tpm/conf/layer.conf +++ b/meta-security/meta-tpm/conf/layer.conf @@ -6,9 +6,9 @@ BBFILES += "${LAYERDIR}/recipes*/*/*.bb ${LAYERDIR}/recipes*/*/*.bbappend" BBFILE_COLLECTIONS += "tpm-layer" BBFILE_PATTERN_tpm-layer = "^${LAYERDIR}/" -BBFILE_PRIORITY_tpm-layer = "6" +BBFILE_PRIORITY_tpm-layer = "10" -LAYERSERIES_COMPAT_tpm-layer = "sumo" +LAYERSERIES_COMPAT_tpm-layer = "thud" LAYERDEPENDS_tpm-layer = " \ core \ 
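Review bot: `SRC_URI = "git://github.com/akuster/openscap.git;branch=oe ..."` in openscap_1.2.17.bb fetches a personal fork over the unauthenticated git protocol. The pinned `SRCREV` limits what a tampered transport can deliver, but adding `;protocol=https` to the URL gives the fetch server authentication as well. A one-line comment saying why the `oe` branch of the fork is used instead of the upstream OpenSCAP repository would help whoever does the next bump. The other `git://github.com/...` recipes touched by this commit (openscap-daemon, libtpm, openssl-tpm-engine, swtpm) can take the same parameter.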
diff --git a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb index 13b505fa0f..c4c8fb22b4 100644 --- a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb +++ b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb @@ -1,4 +1,4 @@ -DESCRIPTION = "Security packagegroup for Poky" +DESCRIPTION = "TPM2 packagegroup for Security" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \ file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" @@ -12,7 +12,7 @@ RDEPENDS_packagegroup-security-tpm2 = " \ tpm2.0-tools \ trousers \ libtss2 \ - libtctidevice \ - libtctisocket \ - resourcemgr \ + libtss2-tcti-device \ + libtss2-tcti-mssim \ + tpm2-abrmd \ " diff --git a/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_1.0.bb b/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_1.0.bb index b29ec6bbed..a930d7bc37 100644 --- a/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_1.0.bb +++ b/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_1.0.bb @@ -1,11 +1,9 @@ SUMMARY = "LIBPM - Software TPM Library" LICENSE = "BSD-3-Clause" -LIC_FILES_CHKSUM = "file://LICENSE;md5=97e5eea8d700d76b3ddfd35c4c96485f" +LIC_FILES_CHKSUM = "file://LICENSE;md5=e73f0786a936da3814896df06ad225a9" -SRCREV = "3388d45082bdc588c6fc0672f44d6d7d0aaa86ff" -SRC_URI = " \ - git://github.com/stefanberger/libtpms.git \ - " +SRCREV = "4111bd1bcf721e6e7b5f11ed9c2b93083677aa25" +SRC_URI = "git://github.com/stefanberger/libtpms.git" S = "${WORKDIR}/git" inherit autotools-brokensep pkgconfig diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch index 67071b6058..bed8b92a2a 100644 
--- a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch +++ b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch @@ -8,20 +8,20 @@ Add "-z" option to select well known password in create_tpm_key tool. Signed-off-by: Junxian.Xiao -diff --git a/create_tpm_key.c b/create_tpm_key.c -index fee917f..7b94d62 100644 ---- a/create_tpm_key.c -+++ b/create_tpm_key.c -@@ -46,6 +46,8 @@ - #include - #include +Index: git/src/create_tpm_key.c +=================================================================== +--- git.orig/src/create_tpm_key.c ++++ git/src/create_tpm_key.c +@@ -48,6 +48,8 @@ + + #include "ssl_compat.h" +#define TPM_WELL_KNOWN_KEY_LEN 20 /*well know key length is 20 bytes zero*/ + #define print_error(a,b) \ fprintf(stderr, "%s:%d %s result: 0x%x (%s)\n", __FILE__, __LINE__, \ a, b, Trspi_Error_String(b)) -@@ -70,6 +72,7 @@ usage(char *argv0) +@@ -72,6 +74,7 @@ usage(char *argv0) "\t\t-e|--enc-scheme encryption scheme to use [PKCSV15] or OAEP\n" "\t\t-q|--sig-scheme signature scheme to use [DER] or SHA1\n" "\t\t-s|--key-size key size in bits [2048]\n" @@ -29,7 +29,7 @@ index fee917f..7b94d62 100644 "\t\t-a|--auth require a password for the key [NO]\n" "\t\t-p|--popup use TSS GUI popup dialogs to get the password " "for the\n\t\t\t\t key [NO] (implies --auth)\n" -@@ -147,6 +150,7 @@ int main(int argc, char **argv) +@@ -154,6 +157,7 @@ int main(int argc, char **argv) int asn1_len; char *filename, c, *openssl_key = NULL; int option_index, auth = 0, popup = 0, wrap = 0; @@ -37,7 +37,7 @@ index fee917f..7b94d62 100644 UINT32 enc_scheme = TSS_ES_RSAESPKCSV15; UINT32 sig_scheme = TSS_SS_RSASSAPKCS1V15_DER; UINT32 key_size = 2048; -@@ -154,12 +158,15 @@ int main(int argc, char **argv) +@@ -161,12 +165,15 @@ int main(int argc, char **argv) while (1) { option_index = 0; 
@@ -54,7 +54,7 @@ index fee917f..7b94d62 100644 case 'a': initFlags |= TSS_KEY_AUTHORIZATION; auth = 1; -@@ -293,6 +300,8 @@ int main(int argc, char **argv) +@@ -300,6 +307,8 @@ int main(int argc, char **argv) if (srk_authusage) { char *authdata = calloc(1, 128); @@ -63,7 +63,7 @@ index fee917f..7b94d62 100644 if (!authdata) { fprintf(stderr, "malloc failed.\n"); -@@ -309,17 +318,26 @@ int main(int argc, char **argv) +@@ -316,17 +325,26 @@ int main(int argc, char **argv) exit(result); } diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch index f718f2e640..2caaaf0543 100644 --- a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch +++ b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch @@ -9,20 +9,20 @@ use "env TPM_SRK_PW=#WELLKNOWN#" to set well known password. Signed-off-by: Junxian.Xiao -diff --git a/e_tpm.c b/e_tpm.c -index f3e8bcf..7dcb75a 100644 ---- a/e_tpm.c -+++ b/e_tpm.c +Index: git/src/e_tpm.c +=================================================================== +--- git.orig/src/e_tpm.c ++++ git/src/e_tpm.c @@ -38,6 +38,8 @@ - #include "e_tpm.h" + #include "ssl_compat.h" +#define TPM_WELL_KNOWN_KEY_LEN 20 /*well know key length is 20 bytes zero*/ + //#define DLOPEN_TSPI #ifndef OPENSSL_NO_HW -@@ -248,6 +250,10 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data) +@@ -262,6 +264,10 @@ int tpm_load_srk(UI_METHOD *ui, void *cb TSS_RESULT result; UINT32 authusage; BYTE *auth; @@ -33,7 +33,7 @@ index f3e8bcf..7dcb75a 100644 if (hSRK != NULL_HKEY) { DBGFN("SRK is already loaded."); -@@ -299,18 +305,36 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data) +@@ -313,18 +319,36 @@ int tpm_load_srk(UI_METHOD *ui, void *cb return 0; } 
diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-Fix-not-building-libtpm.la.patch b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-Fix-not-building-libtpm.la.patch deleted file mode 100644 index d24a150e57..0000000000 --- a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-Fix-not-building-libtpm.la.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 7848445a1f4c750ef73bf96f5e89d402f87a1756 Mon Sep 17 00:00:00 2001 -From: Lans Zhang -Date: Mon, 19 Jun 2017 14:54:28 +0800 -Subject: [PATCH] Fix not building libtpm.la - -Signed-off-by: Lans Zhang ---- - Makefile.am | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/Makefile.am b/Makefile.am -index 6695656..634a7e6 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -10,4 +10,6 @@ libtpm_la_LIBADD=-lcrypto -lc -ltspi - libtpm_la_SOURCES=e_tpm.c e_tpm.h e_tpm_err.c - - create_tpm_key_SOURCES=create_tpm_key.c --create_tpm_key_LDADD=-ltspi -+create_tpm_key_LDFLAGS=-ltspi -+ -+LDADD=libtpm.la --- -2.7.5 - diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch index a88148fe48..cc8772d20c 100644 --- a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch +++ b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch @@ -22,11 +22,11 @@ 
Signed-off-by: Meng Li e_tpm_err.c | 4 ++ 3 files changed, 164 insertions(+), 1 deletion(-) -diff --git a/e_tpm.c b/e_tpm.c -index 7dcb75a..11bf74b 100644 ---- a/e_tpm.c -+++ b/e_tpm.c -@@ -245,6 +245,118 @@ void ENGINE_load_tpm(void) +Index: git/src/e_tpm.c +=================================================================== +--- git.orig/src/e_tpm.c ++++ git/src/e_tpm.c +@@ -259,6 +259,118 @@ void ENGINE_load_tpm(void) ERR_clear_error(); } @@ -145,7 +145,7 @@ index 7dcb75a..11bf74b 100644 int tpm_load_srk(UI_METHOD *ui, void *cb_data) { TSS_RESULT result; -@@ -305,8 +417,50 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data) +@@ -319,8 +431,50 @@ int tpm_load_srk(UI_METHOD *ui, void *cb return 0; } @@ -197,7 +197,7 @@ index 7dcb75a..11bf74b 100644 if (0 == strcmp(srkPasswd, "#WELLKNOWN#")) { memset(auth, 0, TPM_WELL_KNOWN_KEY_LEN); secretMode = TSS_SECRET_MODE_SHA1; -@@ -319,6 +473,7 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data) +@@ -333,6 +487,7 @@ int tpm_load_srk(UI_METHOD *ui, void *cb authlen = strlen(auth); } } @@ -205,11 +205,11 @@ index 7dcb75a..11bf74b 100644 else { if (!tpm_engine_get_auth(ui, (char *)auth, 128, "SRK authorization: ", cb_data)) { -diff --git a/e_tpm.h b/e_tpm.h -index 6316e0b..56ff202 100644 ---- a/e_tpm.h -+++ b/e_tpm.h -@@ -66,6 +66,8 @@ void ERR_TSS_error(int function, int reason, char *file, int line); +Index: git/src/e_tpm.h +=================================================================== +--- git.orig/src/e_tpm.h ++++ git/src/e_tpm.h +@@ -66,6 +66,8 @@ void ERR_TSS_error(int function, int rea #define TPM_F_TPM_FILL_RSA_OBJECT 116 #define TPM_F_TPM_ENGINE_GET_AUTH 117 #define TPM_F_TPM_CREATE_SRK_POLICY 118 
@@ -218,7 +218,7 @@ index 6316e0b..56ff202 100644 /* Reason codes. */ #define TPM_R_ALREADY_LOADED 100 -@@ -96,6 +98,8 @@ void ERR_TSS_error(int function, int reason, char *file, int line); +@@ -96,6 +98,8 @@ void ERR_TSS_error(int function, int rea #define TPM_R_ID_INVALID 125 #define TPM_R_UI_METHOD_FAILED 126 #define TPM_R_UNKNOWN_SECRET_MODE 127 @@ -227,11 +227,11 @@ index 6316e0b..56ff202 100644 /* structure pointed to by the RSA object's app_data pointer */ struct rsa_app_data -diff --git a/e_tpm_err.c b/e_tpm_err.c -index 25a5d0f..439e267 100644 ---- a/e_tpm_err.c -+++ b/e_tpm_err.c -@@ -235,6 +235,8 @@ static ERR_STRING_DATA TPM_str_functs[] = { +Index: git/src/e_tpm_err.c +=================================================================== +--- git.orig/src/e_tpm_err.c ++++ git/src/e_tpm_err.c +@@ -234,6 +234,8 @@ static ERR_STRING_DATA TPM_str_functs[] {ERR_PACK(0, TPM_F_TPM_BIND_FN, 0), "TPM_BIND_FN"}, {ERR_PACK(0, TPM_F_TPM_FILL_RSA_OBJECT, 0), "TPM_FILL_RSA_OBJECT"}, {ERR_PACK(0, TPM_F_TPM_ENGINE_GET_AUTH, 0), "TPM_ENGINE_GET_AUTH"}, @@ -240,7 +240,7 @@ index 25a5d0f..439e267 100644 {0, NULL} }; -@@ -265,6 +267,8 @@ static ERR_STRING_DATA TPM_str_reasons[] = { +@@ -264,6 +266,8 @@ static ERR_STRING_DATA TPM_str_reasons[] {TPM_R_FILE_READ_FAILED, "failed reading the key file"}, {TPM_R_ID_INVALID, "engine id doesn't match"}, {TPM_R_UI_METHOD_FAILED, "ui function failed"}, @@ -249,6 +249,3 @@ index 25a5d0f..439e267 100644 {0, NULL} }; --- -2.9.3 - diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch index 076704de8a..535472a20e 100644 --- a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch 
+++ b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch @@ -15,11 +15,11 @@ Signed-off-by: Meng Li create_tpm_key.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) -diff --git a/create_tpm_key.c b/create_tpm_key.c -index 7b94d62..f30af90 100644 ---- a/create_tpm_key.c -+++ b/create_tpm_key.c -@@ -148,7 +148,8 @@ int main(int argc, char **argv) +Index: git/src/create_tpm_key.c +=================================================================== +--- git.orig/src/create_tpm_key.c ++++ git/src/create_tpm_key.c +@@ -155,7 +155,8 @@ int main(int argc, char **argv) ASN1_OCTET_STRING *blob_str; unsigned char *blob_asn1 = NULL; int asn1_len; @@ -29,6 +29,3 @@ index 7b94d62..f30af90 100644 int option_index, auth = 0, popup = 0, wrap = 0; int wellknownkey = 0; UINT32 enc_scheme = TSS_ES_RSAESPKCSV15; --- -1.7.9.5 - diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/openssl11_build_fix.patch b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/openssl11_build_fix.patch new file mode 100644 index 0000000000..2f8eb81272 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/openssl11_build_fix.patch 
@@ -0,0 +1,34 @@
+Fix compiling for openssl 1.1
+
+Upstream-Status: Pending
+Signed-off-by: Armin Kuster
+
+Index: git/src/e_tpm.c
+===================================================================
+--- git.orig/src/e_tpm.c
++++ git/src/e_tpm.c
+@@ -265,19 +265,20 @@ static int tpm_decode_base64(unsigned ch
+ int *out_len)
+ {
+ int total_len, len, ret;
+- EVP_ENCODE_CTX dctx;
++ EVP_ENCODE_CTX *dctx;
+
+- EVP_DecodeInit(&dctx);
++ dctx = EVP_ENCODE_CTX_new();
++ EVP_DecodeInit(dctx);
+
+ total_len = 0;
+- ret = EVP_DecodeUpdate(&dctx, outdata, &len, indata, in_len);
++ ret = EVP_DecodeUpdate(dctx, outdata, &len, indata, in_len);
+ if (ret < 0) {
+ TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED);
+ return 1;
+ }
+
+ total_len += len;
+- ret = EVP_DecodeFinal(&dctx, outdata, &len);
++ ret = EVP_DecodeFinal(dctx, outdata, &len);
+ if (ret < 0) {
+ TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED);
+ return 1;
diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.4.2.bb b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.4.2.bb
deleted file mode 100644
index 4854f70e33..0000000000
--- a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.4.2.bb
+++ /dev/null
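Review bot: In openssl11_build_fix.patch, `EVP_ENCODE_CTX_new()` can return NULL and its result is passed straight to `EVP_DecodeInit(dctx)`; the context is now heap-allocated and is not released on either of the visible `return 1` paths. Add `if (dctx == NULL) { TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED); return 1; }` after the allocation and `EVP_ENCODE_CTX_free(dctx);` before each return. tpm_decode_base64 continues past the end of the inner hunk, so the success path, which is not visible here, needs the same free. The same pattern is in pcr-extend's fix_openssl11_build.patch later in this commit: `EVP_MD_CTX *ctx = EVP_MD_CTX_new();` in sha1_file is unchecked, and `EVP_MD_CTX_free(ctx)` is needed on both the `sha1_fail` exit and the normal return.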
@@ -1,78 +0,0 @@ -DESCRIPTION = "OpenSSL secure engine based on TPM hardware" -HOMEPAGE = "https://sourceforge.net/projects/trousers/" -SECTION = "security/tpm" - -LICENSE = "openssl" -LIC_FILES_CHKSUM = "file://LICENSE;md5=11f0ee3af475c85b907426e285c9bb52" - -DEPENDS += "openssl trousers" - -SRC_URI = "\ - git://git.code.sf.net/p/trousers/openssl_tpm_engine \ - file://0001-create-tpm-key-support-well-known-key-option.patch \ - file://0002-libtpm-support-env-TPM_SRK_PW.patch \ - file://0003-Fix-not-building-libtpm.la.patch \ - file://0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch \ - file://0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch \ -" -SRCREV = "bbc2b1af809f20686e0d3553a62f0175742c0d60" - -S = "${WORKDIR}/git" - -inherit autotools-brokensep - -# The definitions below are used to decrypt the srk password. -# It is allowed to define the values in 3 forms: string, hex number and -# the hybrid, e.g, -# srk_dec_pw = "incendia" -# srk_dec_pw = "\x69\x6e\x63\x65\x6e\x64\x69\x61" -# srk_dec_pw = "\x1""nc""\x3""nd""\x1""a" -# -# Due to the limit of escape character, the hybrid must be written in -# above style. 
The actual values defined below in C code style are: -# srk_dec_pw[] = { 0x01, 'n', 'c', 0x03, 'n', 'd', 0x01, 'a' }; -# srk_dec_salt[] = { 'r', 0x00, 0x00, 't' }; -srk_dec_pw ?= "\\"\\\x1\\"\\"nc\\"\\"\\\x3\\"\\"nd\\"\\"\\\x1\\"\\"a\\"" -srk_dec_salt ?= "\\"r\\"\\"\\\x00\\\x00\\"\\"t\\"" - -CFLAGS_append += "-DSRK_DEC_PW=${srk_dec_pw} -DSRK_DEC_SALT=${srk_dec_salt}" - -# Uncomment below line if using the plain srk password for development -#CFLAGS_append += "-DTPM_SRK_PLAIN_PW" - -do_configure_prepend() { - cd "${S}" - cp LICENSE COPYING - touch NEWS AUTHORS ChangeLog -} - -do_install_append() { - install -m 0755 -d "${D}${libdir}/engines" - install -m 0755 -d "${D}${prefix}/local/ssl/lib/engines" - install -m 0755 -d "${D}${libdir}/ssl/engines" - - cp -f "${D}${libdir}/openssl/engines/libtpm.so.0.0.0" "${D}${libdir}/libtpm.so.0" - cp -f "${D}${libdir}/openssl/engines/libtpm.so.0.0.0" "${D}${libdir}/engines/libtpm.so" - cp -f "${D}${libdir}/openssl/engines/libtpm.so.0.0.0" "${D}${prefix}/local/ssl/lib/engines/libtpm.so" - mv -f "${D}${libdir}/openssl/engines/libtpm.so.0.0.0" "${D}${libdir}/ssl/engines/libtpm.so" - mv -f "${D}${libdir}/openssl/engines/libtpm.la" "${D}${libdir}/ssl/engines/libtpm.la" - rm -rf "${D}${libdir}/openssl" -} - -FILES_${PN}-staticdev += "${libdir}/ssl/engines/libtpm.la" -FILES_${PN}-dbg += "\ - ${libdir}/ssl/engines/.debug \ - ${libdir}/engines/.debug \ - ${prefix}/local/ssl/lib/engines/.debug \ -" -FILES_${PN} += "\ - ${libdir}/ssl/engines/libtpm.so* \ - ${libdir}/engines/libtpm.so* \ - ${libdir}/libtpm.so* \ - ${prefix}/local/ssl/lib/engines/libtpm.so* \ -" - -RDEPENDS_${PN} += "libcrypto libtspi" - -INSANE_SKIP_${PN} = "libdir" -INSANE_SKIP_${PN}-dbg = "libdir" diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb new file mode 100644 index 0000000000..0f98b79f2e --- /dev/null 
+++ b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb 
@@ -0,0 +1,65 @@ +DESCRIPTION = "OpenSSL secure engine based on TPM hardware" +HOMEPAGE = "https://github.com/mgerstner/openssl_tpm_engine" +SECTION = "security/tpm" + +LICENSE = "openssl" +LIC_FILES_CHKSUM = "file://LICENSE;md5=11f0ee3af475c85b907426e285c9bb52" + +DEPENDS += "openssl trousers" + +SRC_URI = "\ + git://github.com/mgerstner/openssl_tpm_engine.git \ + file://0001-create-tpm-key-support-well-known-key-option.patch \ + file://0002-libtpm-support-env-TPM_SRK_PW.patch \ + file://0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch \ + file://0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch \ + file://openssl11_build_fix.patch \ +" +SRCREV = "b28de5065e6eb9aa5d5afe2276904f7624c2cbaf" + +S = "${WORKDIR}/git" + +inherit autotools-brokensep pkgconfig + +# The definitions below are used to decrypt the srk password. +# It is allowed to define the values in 3 forms: string, hex number and +# the hybrid, e.g, +# srk_dec_pw = "incendia" +# srk_dec_pw = "\x69\x6e\x63\x65\x6e\x64\x69\x61" +# srk_dec_pw = "\x1""nc""\x3""nd""\x1""a" +# +# Due to the limit of escape character, the hybrid must be written in +# above style. 
The actual values defined below in C code style are: +# srk_dec_pw[] = { 0x01, 'n', 'c', 0x03, 'n', 'd', 0x01, 'a' }; +# srk_dec_salt[] = { 'r', 0x00, 0x00, 't' }; +srk_dec_pw ?= "\\"\\\x1\\"\\"nc\\"\\"\\\x3\\"\\"nd\\"\\"\\\x1\\"\\"a\\"" +srk_dec_salt ?= "\\"r\\"\\"\\\x00\\\x00\\"\\"t\\"" + +CFLAGS_append += "-DSRK_DEC_PW=${srk_dec_pw} -DSRK_DEC_SALT=${srk_dec_salt}" + +# Uncomment below line if using the plain srk password for development +#CFLAGS_append += "-DTPM_SRK_PLAIN_PW" + +do_configure_prepend() { + cd ${B} + cp LICENSE COPYING + touch NEWS AUTHORS ChangeLog README +} + +FILES_${PN}-staticdev += "${libdir}/ssl/engines-1.1/tpm.la" +FILES_${PN}-dbg += "\ + ${libdir}/ssl/engines-1.1/.debug \ + ${libdir}/engines-1.1/.debug \ + ${prefix}/local/ssl/lib/engines-1.1/.debug \ +" +FILES_${PN} += "\ + ${libdir}/ssl/engines-1.1/tpm.so* \ + ${libdir}/engines-1.1/tpm.so* \ + ${libdir}/libtpm.so* \ + ${prefix}/local/ssl/lib/engines-1.1/tpm.so* \ +" + +RDEPENDS_${PN} += "libcrypto libtspi" + +INSANE_SKIP_${PN} = "libdir" +INSANE_SKIP_${PN}-dbg = "libdir" diff --git a/meta-security/meta-tpm/recipes-tpm/pcr-extend/files/fix_openssl11_build.patch b/meta-security/meta-tpm/recipes-tpm/pcr-extend/files/fix_openssl11_build.patch new file mode 100644 index 0000000000..cf2d437801 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm/pcr-extend/files/fix_openssl11_build.patch 
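Review bot: The `?=` defaults for `srk_dec_pw` and `srk_dec_salt` in openssl-tpm-engine_0.5.0.bb are published in the recipe and compiled into the engine through `-DSRK_DEC_PW=... -DSRK_DEC_SALT=...`, so every image built without overriding them shares the same values for decrypting the SRK password. With the defaults in place the encrypted `TPM_SRK_PW` form gives no confidentiality against anyone who has read this layer. The comment block should say so, for example `# NOTE: the defaults below are public; set srk_dec_pw and srk_dec_salt in local.conf or a bbappend for any production image.` Because the values travel in `CFLAGS` they will presumably also show up in the compile logs, which is worth a mention in the same comment. `CFLAGS_append += "..."` mixes two append operators; `CFLAGS_append = " -DSRK_DEC_PW=${srk_dec_pw} -DSRK_DEC_SALT=${srk_dec_salt}"` is the usual form.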
@@ -0,0 +1,45 @@ +Enable building with openssl 1.1 + +Upstream-Status: Pending +Signed-off-by: Armin Kuster + +Index: git/src/pcr-extend.c +=================================================================== +--- git.orig/src/pcr-extend.c ++++ git/src/pcr-extend.c +@@ -118,7 +118,7 @@ dump_buf (FILE *file, char *buf, size_t + static unsigned char* + sha1_file (FILE *file, unsigned int *hash_len) + { +- EVP_MD_CTX ctx = { 0 }; ++ EVP_MD_CTX *ctx = EVP_MD_CTX_new(); + unsigned char *buf = NULL, *hash = NULL; + size_t num_read = 0; + +@@ -127,7 +127,7 @@ sha1_file (FILE *file, unsigned int *has + perror ("malloc:\n"); + goto sha1_fail; + } +- if (EVP_DigestInit (&ctx, EVP_sha1 ()) == 0) { ++ if (EVP_DigestInit (ctx, EVP_sha1 ()) == 0) { + ERR_print_errors_fp (stderr); + goto sha1_fail; + } +@@ -135,7 +135,7 @@ sha1_file (FILE *file, unsigned int *has + num_read = fread (buf, 1, BUF_SIZE, file); + if (num_read <= 0) + break; +- if (EVP_DigestUpdate (&ctx, buf, num_read) == 0) { ++ if (EVP_DigestUpdate (ctx, buf, num_read) == 0) { + ERR_print_errors_fp (stderr); + goto sha1_fail; + } +@@ -149,7 +149,7 @@ sha1_file (FILE *file, unsigned int *has + perror ("calloc of hash buffer:\n"); + goto sha1_fail; + } +- if (EVP_DigestFinal (&ctx, hash, hash_len) == 0) { ++ if (EVP_DigestFinal (ctx, hash, hash_len) == 0) { + ERR_print_errors_fp (stderr); + goto sha1_fail; + } diff --git a/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb b/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb index 0cc4f6370f..f8347b7f15 100644 --- a/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb +++ b/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb @@ -9,7 +9,8 @@ DEPENDS = "libtspi" PV = "0.1+git${SRCPV}" SRCREV = "c02ad8f628b3d99f6d4c087b402fe31a40ee6316" -SRC_URI = "git://github.com/flihp/pcr-extend.git " +SRC_URI = "git://github.com/flihp/pcr-extend.git \ + file://fix_openssl11_build.patch " inherit autotools 
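Review bot: In fix_openssl11_build.patch the context returned by `EVP_MD_CTX_new()` in `sha1_file` is used without a NULL check, and none of the visible hunks adds a matching `EVP_MD_CTX_free`, so the context appears to leak on both the success path and the `sha1_fail` path. I would add `if (ctx == NULL) goto sha1_fail;` before the first use and `EVP_MD_CTX_free (ctx);` ahead of each return. The rest of `sha1_file`, including the `sha1_fail` label, lies outside the hunks, so the free may belong there.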
diff --git a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_1.0.bb b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_1.0.bb index 747602000d..3fe1393af1 100644 --- a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_1.0.bb +++ b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_1.0.bb @@ -3,23 +3,21 @@ LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=fe8092c832b71ef20dfe4c6d3decb3a8" SECTION = "apps" -DEPENDS = "libtasn1 expect socat glib-2.0 libtpm libtpm-native" +DEPENDS = "libtasn1 expect socat glib-2.0 net-tools-native libtpm libtpm-native" # configure checks for the tools already during compilation and # then swtpm_setup needs them at runtime DEPENDS += "tpm-tools-native expect-native socat-native" -RDEPENDS_${PN} += "tpm-tools" -SRCREV = "4f4f2f0a7e3195f6df8d235d58630a08e69403d8" -SRC_URI = "git://github.com/stefanberger/swtpm.git \ - file://fix_lib_search_path.patch \ +SRCREV = "94bb9f2d716d09bcc6cd2a2e033018f8592008e7" +SRC_URI = "git://github.com/stefanberger/swtpm.git;branch=tpm2-preview.v2 \ file://fix_fcntl_h.patch \ file://ioctl_h.patch \ " S = "${WORKDIR}/git" -inherit autotools-brokensep pkgconfig +inherit autotools pkgconfig PARALLEL_MAKE = "" TSS_USER="tss" @@ -36,21 +34,12 @@ EXTRA_OECONF += "--with-tss-user=${TSS_USER} --with-tss-group=${TSS_GROUP}" export SEARCH_DIR = "${STAGING_LIBDIR_NATIVE}" -# dup bootstrap -do_configure_prepend () { - libtoolize --force --copy - autoheader - aclocal - automake --add-missing -c - autoconf -} - USERADD_PACKAGES = "${PN}" GROUPADD_PARAM_${PN} = "--system ${TSS_USER}" USERADD_PARAM_${PN} = "--system -g ${TSS_GROUP} --home-dir \ --no-create-home --shell /bin/false ${BPN}" -RDEPENDS_${PN} = "libtpm expect socat bash" +RDEPENDS_${PN} = "libtpm expect socat bash tpm-tools" BBCLASSEXTEND = "native nativesdk" 
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/04-fix-FTBFS-clang.patch b/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/04-fix-FTBFS-clang.patch
new file mode 100644
index 0000000000..5018d45b21
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/04-fix-FTBFS-clang.patch
@@ -0,0 +1,56 @@
+Title: Fix FTBFS with clang due to uninitialized values
+Date: 2015-06-28
+Author: Alexander
+Bug-Debian: http://bugs.debian.org/753063
+
+Upstream-Status: Backport
+tpm-tools_1.3.9.1-0.1.debian.tar
+
+Signed-off-by: Armin kuster
+
+--- tpm-tools-1.3.8/src/tpm_mgmt/tpm_present.c 2012-05-17 21:49:58.000000000 +0400
++++ tpm-tools-1.3.8-my/src/tpm_mgmt/tpm_present.c 2014-06-29 01:01:11.502081468 +0400
+@@ -165,7 +165,7 @@
+
+ TSS_BOOL bCmd, bHwd;
+ BOOL bRc;
+- TSS_HPOLICY hTpmPolicy;
++ TSS_HPOLICY hTpmPolicy = 0;
+ char *pwd = NULL;
+ int pswd_len;
+ char rsp[5];
+--- tpm-tools-1.3.8/src/tpm_mgmt/tpm_takeownership.c 2010-09-30 21:28:09.000000000 +0400
++++ tpm-tools-1.3.8-my/src/tpm_mgmt/tpm_takeownership.c 2014-06-29 01:01:51.069373655 +0400
+@@ -67,7 +67,7 @@
+ char *szSrkPasswd = NULL;
+ int tpm_len, srk_len;
+ TSS_HTPM hTpm;
+- TSS_HKEY hSrk;
++ TSS_HKEY hSrk = 0;
+ TSS_FLAG fSrkAttrs;
+ TSS_HPOLICY hTpmPolicy, hSrkPolicy;
+ int iRc = -1;
+--- tpm-tools-1.3.8/src/tpm_mgmt/tpm_nvwrite.c 2011-08-17 16:20:35.000000000 +0400
++++ tpm-tools-1.3.8-my/src/tpm_mgmt/tpm_nvwrite.c 2014-06-29 01:02:45.836397172 +0400
+@@ -220,7 +220,7 @@
+ close(fd);
+ fd = -1;
+ } else if (fillvalue >= 0) {
+- if (length < 0) {
++ if (length == 0) {
+ logError(_("Requiring size parameter.\n"));
+ return -1;
+ }
+--- tpm-tools-1.3.8/src/data_mgmt/data_protect.c 2012-05-17 21:49:58.000000000 +0400
++++ tpm-tools-1.3.8-my/src/data_mgmt/data_protect.c 2014-06-29 01:03:49.863254459 +0400
+@@ -432,8 +432,8 @@
+
+ char *pszPin = NULL;
+
+- CK_RV rv;
+- CK_SESSION_HANDLE hSession;
++ CK_RV rv = 0;
++ CK_SESSION_HANDLE hSession = 0;
+ CK_OBJECT_HANDLE hObject;
+ CK_MECHANISM tMechanism = { CKM_AES_ECB, NULL, 0 };
+
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/05-openssl1.1_fix_data_mgmt.patch b/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/05-openssl1.1_fix_data_mgmt.patch
new file mode 100644
index 0000000000..c2a264b628
--- /dev/null
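Review bot: The `tpm_nvwrite.c` change in 04-fix-FTBFS-clang.patch from `if (length < 0)` to `if (length == 0)` alters behaviour rather than initialising anything, and the patch header, which speaks only of uninitialized values, does not mention it. If `length` is unsigned the old test could never fire and the new one is the intended guard; if it is signed, negative sizes are no longer rejected at this point and `length <= 0` would be the safer test. Its declaration is outside the hunk, so this needs checking against the source. I would also add a header line such as `tpm_nvwrite: reject a missing size (length == 0) when a fill value is given`.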
+++ b/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/05-openssl1.1_fix_data_mgmt.patch 
@@ -0,0 +1,110 @@ +Author: Philipp Kern +Subject: Fix openssl1.1 support in data_mgmt +Date: Tue, 31 Jan 2017 22:40:10 +0100 + +Upstream-Status: Backport +tpm-tools_1.3.9.1-0.1.debian.tar + +Signed-off-by: Armin kuster + +--- + src/data_mgmt/data_import.c | 60 ++++++++++++++++++++++++++++---------------- + 1 file changed, 39 insertions(+), 21 deletions(-) + +--- a/src/data_mgmt/data_import.c ++++ b/src/data_mgmt/data_import.c +@@ -372,7 +372,7 @@ readX509Cert( const char *a_pszFile, + goto out; + } + +- if ( EVP_PKEY_type( pKey->type ) != EVP_PKEY_RSA ) { ++ if ( EVP_PKEY_base_id( pKey ) != EVP_PKEY_RSA ) { + logError( TOKEN_RSA_KEY_ERROR ); + + X509_free( pX509 ); +@@ -691,8 +691,13 @@ createRsaPubKeyObject( RSA + + int rc = -1; + +- int nLen = BN_num_bytes( a_pRsa->n ); +- int eLen = BN_num_bytes( a_pRsa->e ); ++ const BIGNUM *bn; ++ const BIGNUM *be; ++ ++ RSA_get0_key( a_pRsa, &bn, &be, NULL ); ++ ++ int nLen = BN_num_bytes( bn ); ++ int eLen = BN_num_bytes( be ); + + CK_RV rv; + +@@ -732,8 +737,8 @@ createRsaPubKeyObject( RSA + } + + // Get binary representations of the RSA key information +- BN_bn2bin( a_pRsa->n, n ); +- BN_bn2bin( a_pRsa->e, e ); ++ BN_bn2bin( bn, n ); ++ BN_bn2bin( be, e ); + + // Create the RSA public key object + rv = createObject( a_hSession, tAttr, ulAttrCount, a_hObject ); +@@ -760,14 +765,27 @@ createRsaPrivKeyObject( RSA + + int rc = -1; + +- int nLen = BN_num_bytes( a_pRsa->n ); +- int eLen = BN_num_bytes( a_pRsa->e ); +- int dLen = BN_num_bytes( a_pRsa->d ); +- int pLen = BN_num_bytes( a_pRsa->p ); +- int qLen = BN_num_bytes( a_pRsa->q ); +- int dmp1Len = BN_num_bytes( a_pRsa->dmp1 ); +- int dmq1Len = BN_num_bytes( a_pRsa->dmq1 ); +- int iqmpLen = BN_num_bytes( a_pRsa->iqmp ); ++ const BIGNUM *bn; ++ const BIGNUM *be; ++ const BIGNUM *bd; ++ const BIGNUM *bp; ++ const BIGNUM *bq; ++ const BIGNUM *bdmp1; ++ const BIGNUM *bdmq1; ++ const BIGNUM *biqmp; ++ ++ RSA_get0_key( a_pRsa, &bn, &be, &bd); ++ RSA_get0_factors( a_pRsa, &bp, 
&bq); ++ RSA_get0_crt_params( a_pRsa, &bdmp1, &bdmq1, &biqmp ); ++ ++ int nLen = BN_num_bytes( bn ); ++ int eLen = BN_num_bytes( be ); ++ int dLen = BN_num_bytes( bd ); ++ int pLen = BN_num_bytes( bp ); ++ int qLen = BN_num_bytes( bq ); ++ int dmp1Len = BN_num_bytes( bdmp1 ); ++ int dmq1Len = BN_num_bytes( bdmq1 ); ++ int iqmpLen = BN_num_bytes( biqmp ); + + CK_RV rv; + +@@ -821,14 +839,14 @@ createRsaPrivKeyObject( RSA + } + + // Get binary representations of the RSA key information +- BN_bn2bin( a_pRsa->n, n ); +- BN_bn2bin( a_pRsa->e, e ); +- BN_bn2bin( a_pRsa->d, d ); +- BN_bn2bin( a_pRsa->p, p ); +- BN_bn2bin( a_pRsa->q, q ); +- BN_bn2bin( a_pRsa->dmp1, dmp1 ); +- BN_bn2bin( a_pRsa->dmq1, dmq1 ); +- BN_bn2bin( a_pRsa->iqmp, iqmp ); ++ BN_bn2bin( bn, n ); ++ BN_bn2bin( be, e ); ++ BN_bn2bin( bd, d ); ++ BN_bn2bin( bp, p ); ++ BN_bn2bin( bq, q ); ++ BN_bn2bin( bdmp1, dmp1 ); ++ BN_bn2bin( bdmq1, dmq1 ); ++ BN_bn2bin( biqmp, iqmp ); + + // Create the RSA private key object + rv = createObject( a_hSession, tAttr, ulAttrCount, a_hObject ); diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/openssl1.1_fix.patch b/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/openssl1.1_fix.patch new file mode 100644 index 0000000000..9ae3f72a3e --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/openssl1.1_fix.patch @@ -0,0 +1,18 @@ +Upstream-Status: Pending +Update to build with openssl 1.1.x + +Signed-off-by: Armin Kuster + +Index: git/src/cmds/tpm_extendpcr.c +=================================================================== +--- git.orig/src/cmds/tpm_extendpcr.c ++++ git/src/cmds/tpm_extendpcr.c +@@ -136,7 +136,7 @@ int main(int argc, char **argv) + + unsigned char msg[EVP_MAX_MD_SIZE]; + unsigned int msglen; +- EVP_MD_CTX ctx; ++ EVP_MD_CTX *ctx = EVP_MD_CTX_new(); + EVP_DigestInit(&ctx, EVP_sha1()); + while ((lineLen = BIO_read(bin, line, sizeof(line))) > 0) + EVP_DigestUpdate(&ctx, line, lineLen); 
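Review bot: In openssl1.1_fix.patch `ctx` becomes a pointer, but the unchanged context lines still call `EVP_DigestInit(&ctx, EVP_sha1())` and `EVP_DigestUpdate(&ctx, line, lineLen)`, which now pass an `EVP_MD_CTX **`. The digest routines would then work on the pointer variable's own storage instead of the allocated context, corrupting memory and leaving the value extended into the PCR unreliable. The hunk should also change those two calls to `EVP_DigestInit(ctx, EVP_sha1());` and `EVP_DigestUpdate(ctx, line, lineLen);`. The finalising call later in `main`, which is outside the hunk, presumably needs the same change, along with a NULL check on `EVP_MD_CTX_new()` and an `EVP_MD_CTX_free(ctx)`.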
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/tpm-tools-extendpcr.patch b/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/tpm-tools-extendpcr.patch index ab5e683207..40150af87d 100644 --- a/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/tpm-tools-extendpcr.patch +++ b/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/tpm-tools-extendpcr.patch @@ -1,8 +1,8 @@ -Index: tpm-tools-1.3.8/include/tpm_tspi.h +Index: git/include/tpm_tspi.h =================================================================== ---- tpm-tools-1.3.8.orig/include/tpm_tspi.h 2011-08-17 08:20:35.000000000 -0400 -+++ tpm-tools-1.3.8/include/tpm_tspi.h 2013-01-05 23:26:31.571598217 -0500 -@@ -117,6 +117,10 @@ +--- git.orig/include/tpm_tspi.h ++++ git/include/tpm_tspi.h +@@ -117,6 +117,10 @@ TSS_RESULT tpmPcrRead(TSS_HTPM a_hTpm, U UINT32 *a_PcrSize, BYTE **a_PcrValue); TSS_RESULT pcrcompositeSetPcrValue(TSS_HPCRS a_hPcrs, UINT32 a_Idx, UINT32 a_PcrSize, BYTE *a_PcrValue); @@ -13,11 +13,11 @@ Index: tpm-tools-1.3.8/include/tpm_tspi.h #ifdef TSS_LIB_IS_12 TSS_RESULT unloadVersionInfo(UINT64 *offset, BYTE *blob, TPM_CAP_VERSION_INFO *v); TSS_RESULT pcrcompositeSetPcrLocality(TSS_HPCRS a_hPcrs, UINT32 localityValue); -Index: tpm-tools-1.3.8/lib/tpm_tspi.c +Index: git/lib/tpm_tspi.c =================================================================== ---- tpm-tools-1.3.8.orig/lib/tpm_tspi.c 2011-08-17 08:20:35.000000000 -0400 -+++ tpm-tools-1.3.8/lib/tpm_tspi.c 2013-01-05 23:27:37.731593490 -0500 -@@ -594,6 +594,20 @@ +--- git.orig/lib/tpm_tspi.c ++++ git/lib/tpm_tspi.c +@@ -594,6 +594,20 @@ pcrcompositeSetPcrValue(TSS_HPCRS a_hPcr return result; } 
@@ -38,10 +38,10 @@ Index: tpm-tools-1.3.8/lib/tpm_tspi.c #ifdef TSS_LIB_IS_12 /* * These getPasswd functions will wrap calls to the other functions and check to see if the TSS -Index: tpm-tools-1.3.8/src/cmds/Makefile.am +Index: git/src/cmds/Makefile.am =================================================================== ---- tpm-tools-1.3.8.orig/src/cmds/Makefile.am 2011-08-15 13:52:08.000000000 -0400 -+++ tpm-tools-1.3.8/src/cmds/Makefile.am 2013-01-05 23:30:46.223593698 -0500 +--- git.orig/src/cmds/Makefile.am ++++ git/src/cmds/Makefile.am @@ -22,6 +22,7 @@ # @@ -50,16 +50,16 @@ Index: tpm-tools-1.3.8/src/cmds/Makefile.am tpm_unsealdata if TSS_LIB_IS_12 -@@ -33,4 +34,5 @@ - LDADD = $(top_builddir)/lib/libtpm_tspi.la -ltspi $(top_builddir)/lib/libtpm_unseal.la -ltpm_unseal -lcrypto +@@ -33,4 +34,5 @@ endif + LDADD = $(top_builddir)/lib/libtpm_tspi.la -ltspi $(top_builddir)/lib/libtpm_unseal.la -ltpm_unseal -lcrypto @INTLLIBS@ tpm_sealdata_SOURCES = tpm_sealdata.c +tpm_extendpcr_SOURCES = tpm_extendpcr.c tpm_unsealdata_SOURCES = tpm_unsealdata.c -Index: tpm-tools-1.3.8/src/cmds/tpm_extendpcr.c +Index: git/src/cmds/tpm_extendpcr.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ tpm-tools-1.3.8/src/cmds/tpm_extendpcr.c 2013-01-05 23:37:43.403585514 -0500 +--- /dev/null ++++ git/src/cmds/tpm_extendpcr.c @@ -0,0 +1,181 @@ +/* + * The Initial Developer of the Original Code is International diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.1.bb b/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.1.bb new file mode 100644 index 0000000000..88ef19f732 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.1.bb 
@@ -0,0 +1,36 @@ +SUMMARY = "The tpm-tools package contains commands to allow the platform administrator the ability to manage and diagnose the platform's TPM." +DESCRIPTION = " \ + The tpm-tools package contains commands to allow the platform administrator \ + the ability to manage and diagnose the platform's TPM. Additionally, the \ + package contains commands to utilize some of the capabilities available \ + in the TPM PKCS#11 interface implemented in the openCryptoki project. \ + " +SECTION = "tpm" +LICENSE = "CPL-1.0" +LIC_FILES_CHKSUM = "file://LICENSE;md5=059e8cd6165cb4c31e351f2b69388fd9" + +DEPENDS = "libtspi openssl" +DEPENDS_class-native = "trousers-native" + +SRCREV = "bdf9f1bc8f63cd6fc370c2deb58d03ac55079e84" +SRC_URI = " \ + git://git.code.sf.net/p/trousers/tpm-tools \ + file://tpm-tools-extendpcr.patch \ + file://04-fix-FTBFS-clang.patch \ + file://05-openssl1.1_fix_data_mgmt.patch \ + file://openssl1.1_fix.patch \ + " + +inherit autotools-brokensep gettext + +S = "${WORKDIR}/git" + +do_configure_prepend () { + mkdir -p po + mkdir -p m4 + cp -R po_/* po/ + touch po/Makefile.in.in + touch m4/Makefile.am +} + +BBCLASSEXTEND = "native" diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_git.bb b/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_git.bb deleted file mode 100644 index f670bffce5..0000000000 --- a/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_git.bb +++ /dev/null 
@@ -1,35 +0,0 @@ -SUMMARY = "The tpm-tools package contains commands to allow the platform administrator the ability to manage and diagnose the platform's TPM." -DESCRIPTION = " \ - The tpm-tools package contains commands to allow the platform administrator \ - the ability to manage and diagnose the platform's TPM. Additionally, the \ - package contains commands to utilize some of the capabilities available \ - in the TPM PKCS#11 interface implemented in the openCryptoki project. \ - " -SECTION = "tpm" -LICENSE = "CPL-1.0" -LIC_FILES_CHKSUM = "file://LICENSE;md5=059e8cd6165cb4c31e351f2b69388fd9" - -DEPENDS = "libtspi openssl" -DEPENDS_class-native = "trousers-native" - -SRCREV = "5c5126bedf2da97906358adcfb8c43c86e7dd0ee" -SRC_URI = " \ - git://git.code.sf.net/p/trousers/tpm-tools \ - file://tpm-tools-extendpcr.patch \ - " - -PV = "1.3.9.1+git${SRCPV}" - -inherit autotools-brokensep gettext - -S = "${WORKDIR}/git" - -do_configure_prepend () { - mkdir -p po - mkdir -p m4 - cp -R po_/* po/ - touch po/Makefile.in.in - touch m4/Makefile.am -} - -BBCLASSEXTEND = "native" diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_1.2.0.bb b/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_1.2.0.bb deleted file mode 100644 index a5d6843b98..0000000000 --- a/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_1.2.0.bb +++ /dev/null 
@@ -1,54 +0,0 @@ -SUMMARY = "TPM2 Access Broker & Resource Manager" -DESCRIPTION = "This is a system daemon implementing the TPM2 access \ -broker (TAB) & Resource Manager (RM) spec from the TCG. The daemon (tpm2-abrmd) \ -is implemented using Glib and the GObject system. In this documentation and \ -in the code we use `tpm2-abrmd` and `tabrmd` interchangeably. \ -" -SECTION = "security/tpm" - -LICENSE = "BSD-2-Clause" -LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da" - -DEPENDS += "autoconf-archive dbus glib-2.0 pkgconfig tpm2.0-tss glib-2.0-native" - -SRC_URI = "\ - git://github.com/01org/tpm2-abrmd.git \ - file://tpm2-abrmd-init.sh \ - file://tpm2-abrmd.default \ -" -SRCREV = "59ce1008e5fa3bd5a143437b0f7390851fd25bd8" - -S = "${WORKDIR}/git" - -inherit autotools pkgconfig systemd update-rc.d useradd - -SYSTEMD_PACKAGES += "${PN}" -SYSTEMD_SERVICE_${PN} = "tpm2-abrmd.service" -SYSTEMD_AUTO_ENABLE_${PN} = "disable" - -INITSCRIPT_NAME = "${PN}" -INITSCRIPT_PARAMS = "start 99 2 3 4 5 . stop 19 0 1 6 ." - -USERADD_PACKAGES = "${PN}" -GROUPADD_PARAM_${PN} = "tss" -USERADD_PARAM_${PN} = "--system -M -d /var/lib/tpm -s /bin/false -g tss tss" - -PACKAGECONFIG ?="udev" -PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES','systemd','systemd', '', d)}" - -PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_system_unitdir}, --with-systemdsystemunitdir=no" -PACKAGECONFIG[udev] = "--with-udevrulesdir=${sysconfdir}/udev/rules.d, --without-udevrulesdir" - -do_install_append() { - install -d "${D}${sysconfdir}/init.d" - install -m 0755 "${WORKDIR}/tpm2-abrmd-init.sh" "${D}${sysconfdir}/init.d/tpm2-abrmd" - - install -d "${D}${sysconfdir}/default" - install -m 0644 "${WORKDIR}/tpm2-abrmd.default" "${D}${sysconfdir}/default/tpm2-abrmd" -} - -FILES_${PN} += "${libdir}/systemd/system-preset" - -RDEPENDS_${PN} += "libgcc dbus-glib libtss2 libtctidevice libtctisocket" - -BBCLASSEXTEND = "native" 
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_2.0.2.bb b/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_2.0.2.bb new file mode 100644 index 0000000000..63473790db --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_2.0.2.bb 
@@ -0,0 +1,54 @@ +SUMMARY = "TPM2 Access Broker & Resource Manager" +DESCRIPTION = "This is a system daemon implementing the TPM2 access \ +broker (TAB) & Resource Manager (RM) spec from the TCG. The daemon (tpm2-abrmd) \ +is implemented using Glib and the GObject system. In this documentation and \ +in the code we use `tpm2-abrmd` and `tabrmd` interchangeably. \ +" +SECTION = "security/tpm" + +LICENSE = "BSD-2-Clause" +LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da" + +DEPENDS = "autoconf-archive dbus glib-2.0 tpm2.0-tss glib-2.0-native \ + libtss2 libtss2-mu libtss2-tcti-device libtss2-tcti-mssim" + + +SRC_URI = "\ + git://github.com/01org/tpm2-abrmd.git \ + file://tpm2-abrmd-init.sh \ + file://tpm2-abrmd.default \ +" +SRCREV = "d0120ace58d97bc9520c0d558657eaca87ae73b1" + +S = "${WORKDIR}/git" + +inherit autotools pkgconfig systemd update-rc.d useradd + +SYSTEMD_PACKAGES += "${PN}" +SYSTEMD_SERVICE_${PN} = "tpm2-abrmd.service" +SYSTEMD_AUTO_ENABLE_${PN} = "disable" + +INITSCRIPT_NAME = "${PN}" +INITSCRIPT_PARAMS = "start 99 2 3 4 5 . stop 19 0 1 6 ." + +USERADD_PACKAGES = "${PN}" +GROUPADD_PARAM_${PN} = "tss" +USERADD_PARAM_${PN} = "--system -M -d /var/lib/tpm -s /bin/false -g tss tss" + +PACKAGECONFIG ?="${@bb.utils.contains('DISTRO_FEATURES','systemd','systemd', '', d)}" +PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_system_unitdir}, --with-systemdsystemunitdir=no" + +do_install_append() { + install -d "${D}${sysconfdir}/init.d" + install -m 0755 "${WORKDIR}/tpm2-abrmd-init.sh" "${D}${sysconfdir}/init.d/tpm2-abrmd" + + install -d "${D}${sysconfdir}/default" + install -m 0644 "${WORKDIR}/tpm2-abrmd.default" "${D}${sysconfdir}/default/tpm2-abrmd" +} + +FILES_${PN} += "${libdir}/systemd/system-preset \ + ${datadir}/dbus-1" + +RDEPENDS_${PN} += "tpm2.0-tss" + +BBCLASSEXTEND = "native" 
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2.0-tools/tpm2.0-tools_3.1.2.bb b/meta-security/meta-tpm/recipes-tpm/tpm2.0-tools/tpm2.0-tools_3.1.2.bb new file mode 100644 index 0000000000..3f40eb70e7 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm/tpm2.0-tools/tpm2.0-tools_3.1.2.bb @@ -0,0 +1,15 @@ +SUMMARY = "Tools for TPM2." +DESCRIPTION = "tpm2.0-tools" +LICENSE = "BSD" +LIC_FILES_CHKSUM = "file://LICENSE;md5=91b7c548d73ea16537799e8060cea819" +SECTION = "tpm" + +DEPENDS = "pkgconfig tpm2.0-tss openssl curl autoconf-archive" + +SRCREV = "5e2f1aafc58e60c5050f85147a14914561f28ad9" + +SRC_URI = "git://github.com/01org/tpm2.0-tools.git;name=tpm2.0-tools;destsuffix=tpm2.0-tools;branch=3.X" + +S = "${WORKDIR}/tpm2.0-tools" + +inherit autotools pkgconfig diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2.0-tools/tpm2.0-tools_git.bb b/meta-security/meta-tpm/recipes-tpm/tpm2.0-tools/tpm2.0-tools_git.bb deleted file mode 100644 index 7ec12fc731..0000000000 --- a/meta-security/meta-tpm/recipes-tpm/tpm2.0-tools/tpm2.0-tools_git.bb +++ /dev/null @@ -1,18 +0,0 @@ -SUMMARY = "Tools for TPM2." -DESCRIPTION = "tpm2.0-tools" -LICENSE = "BSD" -LIC_FILES_CHKSUM = "file://LICENSE;md5=91b7c548d73ea16537799e8060cea819" -SECTION = "tpm" - -DEPENDS = "pkgconfig tpm2.0-tss openssl curl autoconf-archive" - -# July 10, 2017 -SRCREV = "26c0557040c1cf8107fa3ebbcf2a5b07cc84b881" - -SRC_URI = "git://github.com/01org/tpm2.0-tools.git;name=tpm2.0-tools;destsuffix=tpm2.0-tools" - -S = "${WORKDIR}/tpm2.0-tools" - -PV = "2.0.0+git${SRCPV}" - -inherit autotools pkgconfig diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss_1.3.0.bb b/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss_1.3.0.bb deleted file mode 100644 index b673c2bfdb..0000000000 --- a/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss_1.3.0.bb +++ /dev/null 
@@ -1,99 +0,0 @@ -SUMMARY = "Software stack for TPM2." -DESCRIPTION = "tpm2.0-tss like woah." -LICENSE = "BSD-2-Clause" -LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da" -SECTION = "tpm" - -DEPENDS = "autoconf-archive pkgconfig" - -SRCREV = "b1d9ece8c6bea2e3043943b2edfaebcdca330c38" - -SRC_URI = " \ - git://github.com/tpm2-software/tpm2-tss.git;branch=1.x \ - file://ax_pthread.m4 \ -" - -inherit autotools pkgconfig systemd - -S = "${WORKDIR}/git" - -do_configure_prepend () { - mkdir -p ${S}/m4 - cp ${WORKDIR}/ax_pthread.m4 ${S}/m4 - # execute the bootstrap script - currentdir=$(pwd) - cd ${S} - ACLOCAL="aclocal --system-acdir=${STAGING_DATADIR}/aclocal" ./bootstrap - cd $currentdir -} - -INHERIT += "extrausers" -EXTRA_USERS_PARAMS = "\ - useradd -p '' tss; \ - groupadd tss; \ - " - -SYSTEMD_PACKAGES = "resourcemgr" -SYSTEMD_SERVICE_resourcemgr = "resourcemgr.service" -SYSTEMD_AUTO_ENABLE_resourcemgr = "enable" - -do_patch[postfuncs] += "${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','fix_systemd_unit','', d)}" -fix_systemd_unit () { - sed -i -e 's;^ExecStart=.*/resourcemgr;ExecStart=${sbindir}/resourcemgr;' ${S}/contrib/resourcemgr.service -} - -do_install_append() { - if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then - install -d ${D}${systemd_system_unitdir} - install -m0644 ${S}/contrib/resourcemgr.service ${D}${systemd_system_unitdir}/resourcemgr.service - fi -} - -PROVIDES = "${PACKAGES}" -PACKAGES = " \ - ${PN}-dbg \ - ${PN}-doc \ - libtss2 \ - libtss2-dev \ - libtss2-staticdev \ - libtctidevice \ - libtctidevice-dev \ - libtctidevice-staticdev \ - libtctisocket \ - libtctisocket-dev \ - libtctisocket-staticdev \ - resourcemgr \ -" - -FILES_libtss2 = " \ - ${libdir}/libsapi.so.0.0.0 \ - ${libdir}/libmarshal.so.0.0.0 \ -" -FILES_libtss2-dev = " \ - ${includedir}/sapi \ - ${includedir}/tcti/common.h \ - ${libdir}/libsapi.so* \ - ${libdir}/libmarshal.so* \ - ${libdir}/pkgconfig/sapi.pc \ -" 
-FILES_libtss2-staticdev = " \ - ${libdir}/libsapi.a \ - ${libdir}/libsapi.la \ - ${libdir}/libmarshal.a \ - ${libdir}/libmarshal.la \ -" -FILES_libtctidevice = "${libdir}/libtcti-device.so.0.0.0" -FILES_libtctidevice-dev = " \ - ${includedir}/tcti/tcti_device.h \ - ${libdir}/libtcti-device.so* \ - ${libdir}/pkgconfig/tcti-device.pc \ -" -FILES_libtctidevice-staticdev = "${libdir}/libtcti-device.*a" -FILES_libtctisocket = "${libdir}/libtcti-socket.so.0.0.0" -FILES_libtctisocket-dev = " \ - ${includedir}/tcti/tcti_socket.h \ - ${libdir}/libtcti-socket.so* \ - ${libdir}/pkgconfig/tcti-socket.pc \ -" -FILES_libtctisocket-staticdev = "${libdir}/libtcti-socket.*a" -FILES_resourcemgr = "${sbindir}/resourcemgr ${systemd_system_unitdir}/resourcemgr.service" diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss_2.0.1.bb b/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss_2.0.1.bb new file mode 100644 index 0000000000..9d1ff72f39 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss_2.0.1.bb 
@@ -0,0 +1,74 @@ +SUMMARY = "Software stack for TPM2." +DESCRIPTION = "tpm2.0-tss like woah." +LICENSE = "BSD-2-Clause" +LIC_FILES_CHKSUM = "file://LICENSE;md5=0b1d631c4218b72f6b05cb58613606f4" +SECTION = "tpm" + +DEPENDS = "autoconf-archive-native libgcrypt" + +SRCREV = "dc31e8dca9dbc77d16e419dc514ce8c526cd3351" + +SRC_URI = "git://github.com/tpm2-software/tpm2-tss.git;branch=2.0.x" + +inherit autotools-brokensep pkgconfig systemd + +S = "${WORKDIR}/git" + +do_configure_prepend () { + ./bootstrap +} + +INHERIT += "extrausers" +EXTRA_USERS_PARAMS = "\ + useradd -p '' tss; \ + groupadd tss; \ + " + +PROVIDES = "${PACKAGES}" +PACKAGES = " \ + ${PN} \ + ${PN}-dbg \ + ${PN}-doc \ + libtss2-mu \ + libtss2-mu-dev \ + libtss2-mu-staticdev \ + libtss2-tcti-device \ + libtss2-tcti-device-dev \ + libtss2-tcti-device-staticdev \ + libtss2-tcti-mssim \ + libtss2-tcti-mssim-dev \ + libtss2-tcti-mssim-staticdev \ + libtss2 \ + libtss2-dev \ + libtss2-staticdev \ +" + +FILES_libtss2-tcti-device = "${libdir}/libtss2-tcti-device.so.*" +FILES_libtss2-tcti-device-dev = " \ + ${includedir}/tss2/tss2_tcti_device.h \ + ${libdir}/pkgconfig/tss2-tcti-device.pc \ + ${libdir}/libtss2-tcti-device.so" +FILES_libtss2-tcti-device-staticdev = "${libdir}/libtss2-tcti-device.*a" + +FILES_libtss2-tcti-mssim = "${libdir}/libtss2-tcti-mssim.so.*" +FILES_libtss2-tcti-mssim-dev = " \ + ${includedir}/tss2/tss2_tcti_mssim.h \ + ${libdir}/pkgconfig/tss2-tcti-mssim.pc \ + ${libdir}/libtss2-tcti-mssim.so" +FILES_libtss2-tcti-mssim-staticdev = "${libdir}/libtss2-tcti-mssim.*a" + +FILES_libtss2-mu = "${libdir}/libtss2-mu.so.*" +FILES_libtss2-mu-dev = " \ + ${includedir}/tss2/tss2_mu.h \ + ${libdir}/pkgconfig/tss2-mu.pc \ + ${libdir}/libtss2-mu.so" +FILES_libtss2-mu-staticdev = "${libdir}/libtss2-mu.*a" + +FILES_libtss2 = "${libdir}/libtss2*so.*" +FILES_libtss2-dev = " \ + ${includedir} \ + ${libdir}/pkgconfig \ + ${libdir}/libtss2*so" +FILES_libtss2-staticdev = "${libdir}/libtss*a" + +FILES_${PN} = 
"${libdir}/udev" diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2simulator/tpm2simulator-native_138.bb b/meta-security/meta-tpm/recipes-tpm/tpm2simulator/tpm2simulator-native_138.bb deleted file mode 100644 index 866791c291..0000000000 --- a/meta-security/meta-tpm/recipes-tpm/tpm2simulator/tpm2simulator-native_138.bb +++ /dev/null @@ -1,22 +0,0 @@ -SUMMARY = "TPM 2.0 Simulator Extraction Script" -LICENSE = "BSD-2-Clause" -LIC_FILES_CHKSUM = "file://LICENSE;md5=1415f7be284540b81d9d28c67c1a6b8b" - -DEPENDS = "python" - -SRCREV = "e45324eba268723d39856111e7933c5c76238481" -SRC_URI = "git://github.com/stwagnr/tpm2simulator.git" - -S = "${WORKDIR}/git" -OECMAKE_SOURCEPATH = "${S}/cmake" - -inherit native lib_package cmake - -EXTRA_OECMAKE = " \ - -DCMAKE_BUILD_TYPE=Debug \ - -DSPEC_VERSION=138 \ -" - -do_configure_prepend () { - sed -i 's/^SET = False/SET = True/' ${S}/scripts/settings.py -} diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2simulator/tpm2simulator_138.bb b/meta-security/meta-tpm/recipes-tpm/tpm2simulator/tpm2simulator_138.bb new file mode 100644 index 0000000000..866791c291 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm/tpm2simulator/tpm2simulator_138.bb @@ -0,0 +1,22 @@ +SUMMARY = "TPM 2.0 Simulator Extraction Script" +LICENSE = "BSD-2-Clause" +LIC_FILES_CHKSUM = "file://LICENSE;md5=1415f7be284540b81d9d28c67c1a6b8b" + +DEPENDS = "python" + +SRCREV = "e45324eba268723d39856111e7933c5c76238481" +SRC_URI = "git://github.com/stwagnr/tpm2simulator.git" + +S = "${WORKDIR}/git" +OECMAKE_SOURCEPATH = "${S}/cmake" + +inherit native lib_package cmake + +EXTRA_OECMAKE = " \ + -DCMAKE_BUILD_TYPE=Debug \ + -DSPEC_VERSION=138 \ +" + +do_configure_prepend () { + sed -i 's/^SET = False/SET = True/' ${S}/scripts/settings.py +} diff --git a/meta-security/recipes-browers/tor/tor_6.5.2.bb b/meta-security/recipes-browers/tor/tor_6.5.2.bb deleted file mode 100644 index 1e3a812731..0000000000 --- a/meta-security/recipes-browers/tor/tor_6.5.2.bb +++ /dev/null 
@@ -1,7 +0,0 @@ -SUMMARY = "Tor is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security." - -HOMEPAGE = "https://www.torproject.org/" - -LICENSE = "GPV-v2" - -SRC_URI = "https://github.com/TheTorProject/gettorbrowser/archive/v6.5.2.tar.gz" diff --git a/meta-security/recipes-forensic/afflib/afflib_3.6.6.bb b/meta-security/recipes-forensic/afflib/afflib_3.6.6.bb deleted file mode 100644 index a826d1d107..0000000000 --- a/meta-security/recipes-forensic/afflib/afflib_3.6.6.bb +++ /dev/null 
@@ -1,30 +0,0 @@ -SUMMARY = "The Advanced Forensic Format (AFF) is on-disk format for storing computer forensic information." -HOMEPAGE = "http://www.afflib.org/" -LICENSE = " BSD-4-Clause & CPL-1.0" -LIC_FILES_CHKSUM = "file://COPYING;md5=d1b2c6d0d6908f45d143ef6380727828" - -DEPENDS = " zlib ncurses readline openssl libgcrypt" - -SRC_URI = "http://archive.ubuntu.com/ubuntu/pool/universe/a/${BPN}/${BPN}_${PV}.orig.tar.gz;name=orig \ - http://archive.ubuntu.com/ubuntu/pool/universe/a/${BPN}/${BPN}_${PV}-1.1.diff.gz;name=dpatch \ - file://configure_rm_ms_flags.patch \ - " - -SRC_URI[orig.md5sum] = "b7ff4d2945882018eb1536cad182ad01" -SRC_URI[orig.sha256sum] = "19cacfd558dc00e11975e820e3c4383b52aabbd5ca081d27bb7994a035d2f4ad" -SRC_URI[dpatch.md5sum] = "171e871024545b487589e6c85290576f" -SRC_URI[dpatch.sha256sum] = "db632e254ee51a1e4328cd4449d414eff4795053d4e36bfa8e0020fcb4085cdd" - -inherit autotools-brokensep pkgconfig - -CPPFLAGS = "-I${STAGING_INCDIR}" -LDFLAGS = "-L${STAGING_LIBDIR}" - -PACKAGECONFIG ??= "" -PACKAGECONFIG[curl] = "--with-curl=${STAGING_LIBDIR}, --without-curl, curl" -PACKAGECONFIG[expat] = "--with-expat=${STAGING_LIBDIR}, --without-expat, expat" -PACKAGECONFIG[fuse] = "--enable-fuse=yes, --enable-fuse=no, fuse" -PACKAGECONFIG[python] = "--enable-python=yes, --enable-python=no, python" - -EXTRA_OECONF += "--enable-s3=no CPPFLAGS=-I${STAGING_INCDIR} LDFLAGS=-L${STAGING_LIBDIR}" -EXTRA_OEMAKE += "CPPFLAGS='${CPPFLAGS}' LDFLAGS='-L${STAGING_LIBDIR} -I${STAGING_INCDIR}'" diff --git a/meta-security/recipes-forensic/afflib/files/configure_rm_ms_flags.patch b/meta-security/recipes-forensic/afflib/files/configure_rm_ms_flags.patch deleted file mode 100644 index ac335001bb..0000000000 --- a/meta-security/recipes-forensic/afflib/files/configure_rm_ms_flags.patch +++ /dev/null 
@@ -1,18 +0,0 @@ -Upstream-Status: Inappropriate [configuration] - -remove ms lib options when cross compiling - -Signed-Off-By: Armin Kuster - -Index: configure.ac -=================================================================== ---- a.orig/configure.ac -+++ a/configure.ac -@@ -47,7 +47,6 @@ if test x"${cross_compiling}" = "xno" ; - AC_MSG_NOTICE([ LDFLAGS = ${LDFLAGS} ]) - else - AC_MSG_NOTICE([Cross Compiling --- will not update CPPFALGS or LDFLAGS with /usr/local, /opt/local or /sw]) -- LIBS="$LIBS -lws2_32 -lgdi32" - fi - - if test -r /bin/uname.exe ; then diff --git a/meta-security/recipes-forensic/libewf/files/gcc5_fix.patch b/meta-security/recipes-forensic/libewf/files/gcc5_fix.patch deleted file mode 100644 index 0881f25c77..0000000000 --- a/meta-security/recipes-forensic/libewf/files/gcc5_fix.patch +++ /dev/null @@ -1,22 +0,0 @@ -Upstream Status: pending - -Don't use inline with gcc 5.0 - -fixes: -undefined reference to `libuna_unicode_character_size_to_utf8' - -Signed-off-by: Armin Kuster - -Index: libuna/libuna_inline.h -=================================================================== ---- a/libuna/libuna_inline.h -+++ b/libuna/libuna_inline.h -@@ -27,7 +27,7 @@ - #if defined( _MSC_VER ) - #define LIBUNA_INLINE _inline - --#elif defined( __BORLANDC__ ) || defined( __clang__ ) -+#elif defined( __BORLANDC__ ) || defined( __clang__ ) || ( __GNUC__ > 4 ) - #define LIBUNA_INLINE /* inline */ - - #else diff --git a/meta-security/recipes-forensic/libewf/libewf_20140608.bb b/meta-security/recipes-forensic/libewf/libewf_20140608.bb deleted file mode 100644 index f7dce12964..0000000000 --- a/meta-security/recipes-forensic/libewf/libewf_20140608.bb +++ /dev/null 
@@ -1,24 +0,0 @@ -SUMMARY = "library with support for Expert Witness Compression Format" -LICENSE = "LGPLv3+" -LIC_FILES_CHKSUM = "file://COPYING;md5=58c39b26c0549f8e1bb4122173f474cd" - -DEPENDS = "virtual/gettext libtool" - -SRC_URI = "http://archive.ubuntu.com/ubuntu/pool/universe/libe/${BPN}/${BPN}_${PV}.orig.tar.gz;name=orig \ - file://gcc5_fix.patch \ - " -SRC_URI[orig.md5sum] = "fdf615f23937fad8e02b60b9e3e5fb35" -SRC_URI[orig.sha256sum] = "d14030ce6122727935fbd676d0876808da1e112721f3cb108564a4d9bf73da71" - -inherit autotools-brokensep pkgconfig gettext - -PACKAGECONFIG ??= "zlib ssl bz2" -PACKAGECONFIG[zlib] = "--with-zlib, --without-zlib, zlib, zlib" -PACKAGECONFIG[bz2] = "--with-bzip2, --without-bzip2, bzip2, bzip2" -PACKAGECONFIG[ssl] = "--with-openssl, --without-openssl, openssl, openssl" -PACKAGECONFIG[fuse] = "--with-libfuse, --without-libfuse, fuse" -PACKAGECONFIG[python] = "--enable-python, --disable-python, python" - -EXTRA_OECONF += "--with-gnu-ld --disable-rpath" - -RDEPENDS_${PN} += " util-linux-libuuid" diff --git a/meta-security/recipes-forensic/sleuth/files/fix_host_poison.patch b/meta-security/recipes-forensic/sleuth/files/fix_host_poison.patch deleted file mode 100644 index 03b1fb9e75..0000000000 --- a/meta-security/recipes-forensic/sleuth/files/fix_host_poison.patch +++ /dev/null 
@@ -1,23 +0,0 @@ -Upstream-Status: Inappropriate [configuration] - -Don't use host include or lib paths in *FLAGS - -Signed-off-by: Armin Kuster - -Index: configure.ac -=================================================================== ---- a/configure.ac -+++ b/configure.ac -@@ -84,12 +84,6 @@ AX_PTHREAD([ - LDFLAGS="$LDFLAGS $PTHREAD_CFLAGS" - CC="$PTHREAD_CC"],[]) - --dnl Not all compilers include /usr/local in the include and link path --if test -d /usr/local/include; then -- CPPFLAGS="$CPPFLAGS -I/usr/local/include" -- LDFLAGS="$LDFLAGS -L/usr/local/lib" --fi -- - dnl Add enable/disable option - AC_ARG_ENABLE([java], - [AS_HELP_STRING([--disable-java], [Do not build the java bindings or jar file])]) diff --git a/meta-security/recipes-forensic/sleuth/sleuthkit_4.1.3.bb b/meta-security/recipes-forensic/sleuth/sleuthkit_4.1.3.bb deleted file mode 100644 index ba335f3c39..0000000000 --- a/meta-security/recipes-forensic/sleuth/sleuthkit_4.1.3.bb +++ /dev/null 
@@ -1,31 +0,0 @@ -SUMMARY = "The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate disk images." -HOMEPAGE = "http://www.sleuthkit.org/sleuthkit/" -LICENSE = "IPL-1.0 & GPLv2 & CPL-1.0" -LIC_FILES_CHKSUM = "file://licenses/GNU-COPYING;startline=4;endline=5;md5=475b4784903850b579dc6e6310bd5f08\ - file://licenses/IBM-LICENSE;startline=1;endline=2;md5=1fc3300388b0d6e6216825dd89c2e3a2\ - file://licenses/cpl1.0.txt;startline=1;endline=2;md5=9e58c878202c73a4e3ed4be72598fb92" - -DEPENDS = "libtool" - -SRC_URI = "http://archive.ubuntu.com/ubuntu/pool/universe/s/${BPN}/${BPN}_${PV}.orig.tar.gz;name=orig \ - file://fix_host_poison.patch \ - " -SRC_URI[orig.md5sum] = "139a12f06952d8a40bbe07884994cf5d" -SRC_URI[orig.sha256sum] = "67f9d2a31a8884d58698d6122fc1a1bfa9bf238582bde2b49228ec9b899f0327" - -inherit autotools-brokensep pkgconfig gettext - -PACKAGECONFIG ??= "aff zlib ewf" -PACKAGECONFIG[aff] = "--with-afflib=${STAGING_DIR_HOST}/usr, --without-afflib, afflib" -PACKAGECONFIG[zlib] = "--with-zlib=${STAGING_DIR_HOST}/usr, --without-zlib, zlib" -PACKAGECONFIG[ewf] = "--with-libewf=${STAGING_DIR_HOST}/usr, --without-libewf, libewf" - -#--with-gnu-ld -EXTRA_OECONF += "--enable-static=no --disable-java LIBS='-L${STAGING_LIBDIR}' LDFLAGS='-L${STAGING_LIBDIR}' CPPFLAGS='-I${STAGING_INCDIR}'" - -# Avoid QA Issue: No GNU_HASH in the elf binary -INSANE_SKIP_${PN} = "ldflags" - -FILES_${PN} += " ${datadir}/tsk" - -RDEPENDS_${PN} += " perl" diff --git a/meta-security/recipes-security/AppArmor/apparmor_2.11.0.bb b/meta-security/recipes-security/AppArmor/apparmor_2.11.0.bb deleted file mode 100644 index fc9b614f1d..0000000000 --- a/meta-security/recipes-security/AppArmor/apparmor_2.11.0.bb +++ /dev/null 
@@ -1,159 +0,0 @@ -SUMMARY = "AppArmor another MAC control system" -DESCRIPTION = "user-space parser utility for AppArmor \ - This provides the system initialization scripts needed to use the \ - AppArmor Mandatory Access Control system, including the AppArmor Parser \ - which is required to convert AppArmor text profiles into machine-readable \ - policies that are loaded into the kernel for use with the AppArmor Linux \ - Security Module." -HOMEAPAGE = "http://apparmor.net/" -SECTION = "admin" - -LICENSE = "GPLv2 & GPLv2+ & BSD-3-Clause & LGPLv2.1+" -LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=fd57a4b0bc782d7b80fd431f10bbf9d0" - -DEPENDS = "bison-native apr gettext-native coreutils-native" - -SRC_URI = " \ - http://archive.ubuntu.com/ubuntu/pool/main/a/${BPN}/${BPN}_${PV}.orig.tar.gz \ - file://disable_perl_h_check.patch \ - file://crosscompile_perl_bindings.patch \ - file://apparmor.rc \ - file://functions \ - file://apparmor \ - file://apparmor.service \ - file://run-ptest \ - " - -SRC_URI[md5sum] = "899fd834dc5c8ebf2d52b97e4a174af7" -SRC_URI[sha256sum] = "b1c489ea11e7771b8e6b181532cafbf9ebe6603e3cb00e2558f21b7a5bdd739a" - -PARALLEL_MAKE = "" - -inherit pkgconfig autotools-brokensep update-rc.d python3native perlnative ptest cpan -inherit ${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','', d)} - -S = "${WORKDIR}/apparmor-${PV}" - -PACKAGECONFIG ?="man python perl" -PACKAGECONFIG[man] = "--enable-man-pages, --disable-man-pages" -PACKAGECONFIG[python] = "--with-python, --without-python, python3 swig-native" -PACKAGECONFIG[perl] = "--with-perl, --without-perl, perl perl-native swig-native" -PACKAGECONFIG[apache2] = ",,apache2," - -PAMLIB="${@bb.utils.contains('DISTRO_FEATURES', 'pam', '1', '0', d)}" -HTTPD="${@bb.utils.contains('PACKAGECONFIG', 'apache2', '1', '0', d)}" - - -python() { - if 'apache2' in d.getVar('PACKAGECONFIG').split() and \ - 'webserver' not in d.getVar('BBFILE_COLLECTIONS').split(): - raise bb.parse.SkipRecipe('Requires 
meta-webserver to be present.') -} - -CONFIGUREOPTS_remove = "--disable-static" -EXTRA_OECONF_append = " --enable-static" - -do_configure() { - cd ${S}/libraries/libapparmor - aclocal - autoconf --force - libtoolize --automake -c --force - automake -ac - ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF} - sed -i -e 's#^YACC.*#YACC := bison#' ${S}/parser/Makefile - sed -i -e 's#^LEX.*#LEX := flex#' ${S}/parser/Makefile -} - -do_compile () { - oe_runmake -C ${B}/libraries/libapparmor - oe_runmake -C ${B}/binutils - oe_runmake -C ${B}/utils - oe_runmake -C ${B}/parser - oe_runmake -C ${B}/profiles - - if test -z "${HTTPD}" ; then - oe_runmake -C ${B}/changehat/mod_apparmor - fi - - if test -z "${PAMLIB}" ; then - oe_runmake -C ${B}/changehat/pam_apparmor - fi -} - -do_install () { - install -d ${D}/${INIT_D_DIR} - install -d ${D}/lib/apparmor - - oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install - oe_runmake -C ${B}/binutils DESTDIR="${D}" install - oe_runmake -C ${B}/utils DESTDIR="${D}" install - oe_runmake -C ${B}/parser DESTDIR="${D}" install - oe_runmake -C ${B}/profiles DESTDIR="${D}" install - - if test -z "${HTTPD}" ; then - oe_runmake -C ${B}/changehat/mod_apparmor DESTDIR="${D}" install - fi - - if test -z "${PAMLIB}" ; then - oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install - fi - - # aa-easyprof is installed by python-tools-setup.py, fix it up - sed -i -e 's:/usr/bin/env.*:/usr/bin/python3:' ${D}${bindir}/aa-easyprof - chmod 0755 ${D}${bindir}/aa-easyprof - - install ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor - install ${WORKDIR}/functions ${D}/lib/apparmor - if [ "${VIRTUAL-RUNTIME_init_manager}" = "systemd" ]; then - install -d ${D}${systemd_system_unitdir} - install ${WORKDIR}/apparmor.service \ - ${D}${systemd_system_unitdir} - fi -} - -do_compile_ptest () { - oe_runmake -C ${B}/tests/regression/apparmor - oe_runmake -C ${B}/parser/tst - oe_runmake -C ${B}/libraries/libapparmor -} - -do_install_ptest () { - 
t=${D}/${PTEST_PATH}/testsuite - install -d ${t} - install -d ${t}/tests/regression/apparmor - cp -rf ${B}/tests/regression/apparmor ${t}/tests/regression - - install -d ${t}/parser/tst - cp -rf ${B}/parser/tst ${t}/parser - cp ${B}/parser/apparmor_parser ${t}/parser - cp ${B}/parser/frob_slack_rc ${t}/parser - - install -d ${t}/libraries/libapparmor - cp -rf ${B}/libraries/libapparmor ${t}/libraries - - install -d ${t}/common - cp -rf ${B}/common ${t} - - install -d ${t}/binutils - cp -rf ${B}/binutils ${t} -} - -INITSCRIPT_PACKAGES = "${PN}" -INITSCRIPT_NAME = "apparmor" -INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ." - -SYSTEMD_PACKAGES = "${PN}" -SYSTEMD_SERVICE_${PN} = "apparmor.service" -SYSTEMD_AUTO_ENABLE = "disable" - -PACKAGES += "${@bb.utils.contains('PACKAGECONFIG', 'apache2', 'mod-${PN}', '', d)}" - -FILES_${PN} += "/lib/apparmor/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}" -FILES_mod-${PN} = "${libdir}/apache2/modules/*" - -ALLOW_EMPTY_${PN} = "1" - -RDEPENDS_${PN} += "bash lsb" -RDEPENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','python','python3 python3-modules','', d)}" -RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}" -RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib" diff --git a/meta-security/recipes-security/AppArmor/apparmor_2.12.bb b/meta-security/recipes-security/AppArmor/apparmor_2.12.bb new file mode 100644 index 0000000000..e3f8dc99cd --- /dev/null +++ b/meta-security/recipes-security/AppArmor/apparmor_2.12.bb 
@@ -0,0 +1,159 @@ +SUMMARY = "AppArmor another MAC control system" +DESCRIPTION = "user-space parser utility for AppArmor \ + This provides the system initialization scripts needed to use the \ + AppArmor Mandatory Access Control system, including the AppArmor Parser \ + which is required to convert AppArmor text profiles into machine-readable \ + policies that are loaded into the kernel for use with the AppArmor Linux \ + Security Module." +HOMEAPAGE = "http://apparmor.net/" +SECTION = "admin" + +LICENSE = "GPLv2 & GPLv2+ & BSD-3-Clause & LGPLv2.1+" +LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=fd57a4b0bc782d7b80fd431f10bbf9d0" + +DEPENDS = "bison-native apr gettext-native coreutils-native" + +SRC_URI = " \ + http://archive.ubuntu.com/ubuntu/pool/main/a/${BPN}/${BPN}_${PV}.orig.tar.gz \ + file://disable_perl_h_check.patch \ + file://crosscompile_perl_bindings.patch \ + file://apparmor.rc \ + file://functions \ + file://apparmor \ + file://apparmor.service \ + file://run-ptest \ + " + +SRC_URI[md5sum] = "49054f58042f8e51ea92cc866575a833" +SRC_URI[sha256sum] = "8a2b0cd083faa4d0640f579024be3a629faa7db3b99540798a1a050e2eaba056" + +PARALLEL_MAKE = "" + +inherit pkgconfig autotools-brokensep update-rc.d python3native perlnative ptest cpan +inherit ${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','', d)} + +S = "${WORKDIR}/apparmor-${PV}" + +PACKAGECONFIG ?="man python perl" +PACKAGECONFIG[man] = "--enable-man-pages, --disable-man-pages" +PACKAGECONFIG[python] = "--with-python, --without-python, python3 swig-native" +PACKAGECONFIG[perl] = "--with-perl, --without-perl, perl perl-native swig-native" +PACKAGECONFIG[apache2] = ",,apache2," + +PAMLIB="${@bb.utils.contains('DISTRO_FEATURES', 'pam', '1', '0', d)}" +HTTPD="${@bb.utils.contains('PACKAGECONFIG', 'apache2', '1', '0', d)}" + + +python() { + if 'apache2' in d.getVar('PACKAGECONFIG').split() and \ + 'webserver' not in d.getVar('BBFILE_COLLECTIONS').split(): + raise bb.parse.SkipRecipe('Requires 
meta-webserver to be present.') +} + +CONFIGUREOPTS_remove = "--disable-static" +EXTRA_OECONF_append = " --enable-static" + +do_configure() { + cd ${S}/libraries/libapparmor + aclocal + autoconf --force + libtoolize --automake -c --force + automake -ac + ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF} + sed -i -e 's#^YACC.*#YACC := bison#' ${S}/parser/Makefile + sed -i -e 's#^LEX.*#LEX := flex#' ${S}/parser/Makefile +} + +do_compile () { + oe_runmake -C ${B}/libraries/libapparmor + oe_runmake -C ${B}/binutils + oe_runmake -C ${B}/utils + oe_runmake -C ${B}/parser + oe_runmake -C ${B}/profiles + + if test -z "${HTTPD}" ; then + oe_runmake -C ${B}/changehat/mod_apparmor + fi + + if test -z "${PAMLIB}" ; then + oe_runmake -C ${B}/changehat/pam_apparmor + fi +} + +do_install () { + install -d ${D}/${INIT_D_DIR} + install -d ${D}/lib/apparmor + + oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install + oe_runmake -C ${B}/binutils DESTDIR="${D}" install + oe_runmake -C ${B}/utils DESTDIR="${D}" install + oe_runmake -C ${B}/parser DESTDIR="${D}" install + oe_runmake -C ${B}/profiles DESTDIR="${D}" install + + if test -z "${HTTPD}" ; then + oe_runmake -C ${B}/changehat/mod_apparmor DESTDIR="${D}" install + fi + + if test -z "${PAMLIB}" ; then + oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install + fi + + # aa-easyprof is installed by python-tools-setup.py, fix it up + sed -i -e 's:/usr/bin/env.*:/usr/bin/python3:' ${D}${bindir}/aa-easyprof + chmod 0755 ${D}${bindir}/aa-easyprof + + install ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor + install ${WORKDIR}/functions ${D}/lib/apparmor + if [ "${VIRTUAL-RUNTIME_init_manager}" = "systemd" ]; then + install -d ${D}${systemd_system_unitdir} + install ${WORKDIR}/apparmor.service \ + ${D}${systemd_system_unitdir} + fi +} + +do_compile_ptest () { + oe_runmake -C ${B}/tests/regression/apparmor + oe_runmake -C ${B}/parser/tst + oe_runmake -C ${B}/libraries/libapparmor +} + +do_install_ptest () { + 
t=${D}/${PTEST_PATH}/testsuite + install -d ${t} + install -d ${t}/tests/regression/apparmor + cp -rf ${B}/tests/regression/apparmor ${t}/tests/regression + + install -d ${t}/parser/tst + cp -rf ${B}/parser/tst ${t}/parser + cp ${B}/parser/apparmor_parser ${t}/parser + cp ${B}/parser/frob_slack_rc ${t}/parser + + install -d ${t}/libraries/libapparmor + cp -rf ${B}/libraries/libapparmor ${t}/libraries + + install -d ${t}/common + cp -rf ${B}/common ${t} + + install -d ${t}/binutils + cp -rf ${B}/binutils ${t} +} + +INITSCRIPT_PACKAGES = "${PN}" +INITSCRIPT_NAME = "apparmor" +INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ." + +SYSTEMD_PACKAGES = "${PN}" +SYSTEMD_SERVICE_${PN} = "apparmor.service" +SYSTEMD_AUTO_ENABLE = "disable" + +PACKAGES += "${@bb.utils.contains('PACKAGECONFIG', 'apache2', 'mod-${PN}', '', d)}" + +FILES_${PN} += "/lib/apparmor/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}" +FILES_mod-${PN} = "${libdir}/apache2/modules/*" + +ALLOW_EMPTY_${PN} = "1" + +RDEPENDS_${PN} += "bash lsb" +RDEPENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','python','python3 python3-modules','', d)}" +RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}" +RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib" diff --git a/meta-security/recipes-security/aircrack-ng/aircrack-ng_1.2.bb b/meta-security/recipes-security/aircrack-ng/aircrack-ng_1.2.bb deleted file mode 100644 index 4df072e0be..0000000000 --- a/meta-security/recipes-security/aircrack-ng/aircrack-ng_1.2.bb +++ /dev/null 
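Review bot: The `if test -z "${HTTPD}"` and `if test -z "${PAMLIB}"` guards in `do_compile` and `do_install` can never be true, because both variables are set by `bb.utils.contains(..., '1', '0', d)` and are therefore always the non-empty string "1" or "0". As written, `changehat/mod_apparmor` and `changehat/pam_apparmor` are never built or installed, even when `pam` is in DISTRO_FEATURES or `apache2` is in PACKAGECONFIG, so an image can ship without the PAM/Apache integration its configuration asks for. The guards should test the value, e.g. `if [ "${PAMLIB}" = "1" ]; then` and `if [ "${HTTPD}" = "1" ]; then`. Enabling the PAM branch would presumably also need `libpam` added to DEPENDS, which the recipe does not list. Separately, `HOMEAPAGE` is a misspelling of `HOMEPAGE`, so the homepage is never set.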
@@ -1,37 +0,0 @@ -SUMMARY = "Aircrack-ng is a set of tools for auditing wireless networks" -DESCRIPTION = "Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the PTW attack, thus making the attack much faster compared to other WEP cracking tools." -SECTION = "security" -LICENSE = "GPL-2.0" - -LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=1fbd81241fe252ec0f5658a521ab7dd8" - -DEPENDS = "libnl openssl sqlite3 libpcre libpcap" -RC = "rc2" -SRC_URI = "http://download.aircrack-ng.org/${BP}-${RC}.tar.gz \ - file://fixup_cflags.patch" - -SRC_URI[md5sum] = "ebe9d537f06f4d6956213af09c4476da" -SRC_URI[sha256sum] = "ba5b3eda44254efc5b7c9f776eb756f7cc323ad5d0813c101e92edb483d157e9" - -inherit autotools-brokensep pkgconfig - -S = "${WORKDIR}/${BP}-rc2" - -PACKAGECONFIG ?= "" -CFLAGS += " -I${S}/src/include" - -OEMAKE_EXTRA = "sqlite=true experimental=true pcre=true \ - prefix=${prefix} \ - " - -do_compile () { - make ${OEMAKE_EXTRA} TOOL_PREFIX=${TARGET_SYS}- -} - -do_install () { - make DESTDIR=${D} ${OEMAKE_EXTRA} ext_scripts=true install -} - -FILES_${PN} += "/usr/local/" - -RDEPENDS_${PN} = "libpcap" diff --git a/meta-security/recipes-security/aircrack-ng/aircrack-ng_1.3.bb b/meta-security/recipes-security/aircrack-ng/aircrack-ng_1.3.bb new file mode 100644 index 0000000000..d73922778b --- /dev/null +++ b/meta-security/recipes-security/aircrack-ng/aircrack-ng_1.3.bb 
@@ -0,0 +1,34 @@ +SUMMARY = "Aircrack-ng is a set of tools for auditing wireless networks" +DESCRIPTION = "Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the PTW attack, thus making the attack much faster compared to other WEP cracking tools." +SECTION = "security" +LICENSE = "GPL-2.0" + +LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=1fbd81241fe252ec0f5658a521ab7dd8" + +DEPENDS = "libnl openssl sqlite3 libpcre libpcap" + +SRC_URI = "http://download.aircrack-ng.org/${BP}.tar.gz" + +SRC_URI[md5sum] = "c7c5b076dee0c25ee580b0f56f455623" +SRC_URI[sha256sum] = "8ae08a7c28741f6ace2769267112053366550e7f746477081188ad38410383ca" + +inherit autotools-brokensep pkgconfig + +PACKAGECONFIG ?= "" +CFLAGS += " -I${S}/src/include" + +OEMAKE_EXTRA = "sqlite=true experimental=true pcre=true \ + prefix=${prefix} \ + " + +do_compile () { + make ${OEMAKE_EXTRA} TOOL_PREFIX=${TARGET_SYS}- +} + +do_install () { + make DESTDIR=${D} ${OEMAKE_EXTRA} ext_scripts=true install +} + +FILES_${PN} += "/usr/local/" + +RDEPENDS_${PN} = "libpcap" diff --git a/meta-security/recipes-security/aircrack-ng/files/fixup_cflags.patch b/meta-security/recipes-security/aircrack-ng/files/fixup_cflags.patch deleted file mode 100644 index e13dd24baf..0000000000 --- a/meta-security/recipes-security/aircrack-ng/files/fixup_cflags.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -Upstream Status: Iinappropriate - -Issues do to build env. - -Signed-off-by: Armin Kuster - -Index: aircrack-ng-1.2-rc2/src/Makefile -=================================================================== ---- aircrack-ng-1.2-rc2.orig/src/Makefile -+++ aircrack-ng-1.2-rc2/src/Makefile -@@ -3,8 +3,6 @@ include $(AC_ROOT)/common.mak - - TEST_DIR = $(AC_ROOT)/test - --CFLAGS += -Iinclude -- - iCC = $(shell find /opt/intel/cc/*/bin/icc) - iCFLAGS = -w -mcpu=pentiumpro -march=pentiumpro $(COMMON_CFLAGS) - iOPTFLAGS = -O3 -ip -ipo -D_FILE_OFFSET_BITS=64 -@@ -102,7 +100,7 @@ endif - - - ifeq ($(subst TRUE,true,$(filter TRUE true,$(sqlite) $(SQLITE))),true) -- LIBSQL = -L/usr/local/lib -lsqlite3 -+ LIBSQL = -lsqlite3 - else - LIBSQL = - endif diff --git a/meta-security/recipes-security/bastille/bastille_3.2.1.bb b/meta-security/recipes-security/bastille/bastille_3.2.1.bb index eee1a38e1c..152c03ae55 100644 --- a/meta-security/recipes-security/bastille/bastille_3.2.1.bb +++ b/meta-security/recipes-security/bastille/bastille_3.2.1.bb @@ -9,7 +9,7 @@ DEPENDS = "virtual/kernel" RDEPENDS_${PN} = "perl bash tcl perl-module-getopt-long perl-module-text-wrap lib-perl perl-module-file-path perl-module-mime-base64 perl-module-file-find perl-module-errno perl-module-file-glob perl-module-tie-hash-namedcapture perl-module-file-copy perl-module-english perl-module-exporter perl-module-cwd libcurses-perl coreutils" FILES_${PN} += "/run/lock/subsys/bastille" -inherit allarch module-base +inherit module-base SRC_URI = "http://sourceforge.net/projects/bastille-linux/files/bastille-linux/3.2.1/Bastille-3.2.1.tar.bz2 \ file://AccountPermission.pm \ diff --git a/meta-security/recipes-security/clamav/clamav_0.99.3.bb b/meta-security/recipes-security/clamav/clamav_0.99.3.bb deleted file mode 100644 index 688250da45..0000000000 --- a/meta-security/recipes-security/clamav/clamav_0.99.3.bb +++ /dev/null 
@@ -1,158 +0,0 @@ -SUMMARY = "ClamAV anti-virus utility for Unix - command-line interface" -DESCRIPTION = "ClamAV is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats." -HOMEPAGE = "http://www.clamav.net/index.html" -SECTION = "security" -LICENSE = "LGPL-2.1" - -DEPENDS = "libtool db libmspack chrpath-replacement-native" - -LIC_FILES_CHKSUM = "file://COPYING.LGPL;beginline=2;endline=3;md5=4b89c05acc71195e9a06edfa2fa7d092" - -SRCREV = "224f73461a44e278e9fa50ba59f51ee5e64373e0" - -SRC_URI = "git://github.com/vrtadmin/clamav-devel;branch=rel/0.99 \ - file://clamd.conf \ - file://freshclam.conf \ - file://volatiles.03_clamav \ - file://${BPN}.service \ - " - -S = "${WORKDIR}/git" - -LEAD_SONAME = "libclamav.so" -SO_VER = "7.1.1" - -EXTRANATIVEPATH += "chrpath-native" - -inherit autotools-brokensep pkgconfig useradd systemd - -UID = "clamav" -GID = "clamav" - -# Clamav has a built llvm version 2 but does not build with gcc 6.x, -# disable the internal one. 
This is a known issue -# If you want LLVM support, use meta-oe llvm3.3 to build for GCC 6.X, -# as defined below - -CLAMAV_LLVM ?= "oellvm" -CLAMAV_LLVM_RELEASE ?= "6.0" - -PACKAGECONFIG ?= "ncurses openssl bz2 zlib ${CLAMAV_LLVM}" -PACKAGECONFIG += " ${@bb.utils.contains("DISTRO_FEATURES", "ipv6", "ipv6", "", d)}" -PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}" - -PACKAGECONFIG[oellvm] = "--with-system-llvm --with-llvm-linking=dynamic --disable-llvm, ,llvm${CLAMAV_LLVM_RELEASE}" - -PACKAGECONFIG[pcre] = "--with-pcre=${STAGING_LIBDIR}, --without-pcre, libpcre" -PACKAGECONFIG[xml] = "--with-xml=${STAGING_LIBDIR}/.., --with-xml=no, libxml2," -PACKAGECONFIG[json] = "--with-libjson=${STAGING_LIBDIR}, --without-libjson, json," -PACKAGECONFIG[curl] = "--with-libcurl=${STAGING_LIBDIR}, --without-libcurl, curl," -PACKAGECONFIG[ipv6] = "--enable-ipv6, --disable-ipv6" -PACKAGECONFIG[openssl] = "--with-openssl=${STAGING_DIR_HOST}/usr, --without-openssl, openssl, openssl" -PACKAGECONFIG[zlib] = "--with-zlib=${STAGING_DIR_HOST}/usr --disable-zlib-vcheck , --without-zlib, zlib, " -PACKAGECONFIG[bz2] = "--with-libbz2-prefix=${STAGING_LIBDIR}/.., --without-libbz2-prefix, " -PACKAGECONFIG[ncurses] = "--with-libncurses-prefix=${STAGING_LIBDIR}/.., --without-libncurses-prefix, ncurses, " -PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_unitdir}/system/, --without-systemdsystemunitdir, " - -EXTRA_OECONF += " --with-user=${UID} --with-group=${GID} \ - --without-libcheck-prefix --disable-unrar \ - --disable-mempool \ - --program-prefix="" \ - --disable-yara \ - --disable-rpath \ - " - -do_configure () { - cd ${S} - ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF} -} - -do_compile_append() { - # brute force removing RPATH - chrpath -d ${B}/libclamav/.libs/libclamav.so.${SO_VER} - chrpath -d ${B}/sigtool/.libs/sigtool - chrpath -d ${B}/clambc/.libs/clambc - chrpath -d ${B}/clamscan/.libs/clamscan - chrpath -d 
${B}/clamconf/.libs/clamconf - chrpath -d ${B}/clamd/.libs/clamd - chrpath -d ${B}/freshclam/.libs/freshclam -} - -do_install_append() { - install -d ${D}/${sysconfdir} - install -d ${D}/${localstatedir}/lib/clamav - install -d ${D}${sysconfdir}/clamav ${D}${sysconfdir}/default/volatiles - - install -m 644 ${WORKDIR}/clamd.conf ${D}/${sysconfdir} - install -m 644 ${WORKDIR}/freshclam.conf ${D}/${sysconfdir} - install -m 0644 ${WORKDIR}/volatiles.03_clamav ${D}${sysconfdir}/default/volatiles/volatiles.03_clamav - sed -i -e 's#${STAGING_DIR_HOST}##g' ${D}${libdir}/pkgconfig/libclamav.pc - rm ${D}/${libdir}/libclamav.so - if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};then - install -D -m 0644 ${WORKDIR}/clamav.service ${D}${systemd_unitdir}/system/clamav.service - fi -} - -pkg_postinst_ontarget_${PN} () { - if [ -e /etc/init.d/populate-volatile.sh ] ; then - ${sysconfdir}/init.d/populate-volatile.sh update - fi - chown ${UID}:${GID} ${localstatedir}/lib/clamav -} - - -PACKAGES = "${PN} ${PN}-dev ${PN}-dbg ${PN}-daemon ${PN}-doc \ - ${PN}-clamdscan ${PN}-freshclam ${PN}-libclamav ${PN}-staticdev" - -FILES_${PN} = "${bindir}/clambc ${bindir}/clamscan ${bindir}/clamsubmit \ - ${bindir}/*sigtool ${mandir}/man1/clambc* ${mandir}/man1/clamscan* \ - ${mandir}/man1/sigtool* ${mandir}/man1/clambsubmit* \ - ${docdir}/clamav/* " - -FILES_${PN}-clamdscan = " ${bindir}/clamdscan \ - ${docdir}/clamdscan/* \ - ${mandir}/man1/clamdscan* \ - " - -FILES_${PN}-daemon = "${bindir}/clamconf ${bindir}/clamdtop ${sbindir}/clamd \ - ${mandir}/man1/clamconf* ${mandir}/man1/clamdtop* \ - ${mandir}/man5/clamd* ${mandir}/man8/clamd* \ - ${sysconfdir}/clamd.conf* \ - ${systemd_unitdir}/system/clamav-daemon/* \ - ${docdir}/clamav-daemon/* ${sysconfdir}/clamav-daemon \ - ${sysconfdir}/logcheck/ignore.d.server/clamav-daemon " - -FILES_${PN}-freshclam = "${bindir}/freshclam \ - ${sysconfdir}/freshclam.conf* \ - ${sysconfdir}/clamav ${sysconfdir}/default/volatiles \ - 
${localstatedir}/lib/clamav \ - ${docdir}/${PN}-freshclam ${mandir}/man1/freshclam.* \ - ${mandir}/man5/freshclam.conf.* \ - ${systemd_unitdir}/system/clamav-freshclam.service" - -FILES_${PN}-dev = " ${bindir}/clamav-config ${libdir}/*.la \ - ${libdir}/pkgconfig/*.pc \ - ${mandir}/man1/clamav-config.* \ - ${includedir}/*.h ${docdir}/libclamav* " - -FILES_${PN}-staticdev = "${libdir}/*.a" - -FILES_${PN}-libclamav = "${libdir}/libclamav.so* ${libdir}/libmspack.so*\ - ${docdir}/libclamav/* " - -FILES_${PN}-doc = "${mandir}/man/* \ - ${datadir}/man/* \ - ${docdir}/* " - -USERADD_PACKAGES = "${PN}" -GROUPADD_PARAM_${PN} = "--system ${UID}" -USERADD_PARAM_${PN} = "--system -g ${GID} --home-dir \ - ${localstatedir}/spool/${BPN} \ - --no-create-home --shell /bin/false ${BPN}" - -RPROVIDES_${PN} += "${PN}-systemd" -RREPLACES_${PN} += "${PN}-systemd" -RCONFLICTS_${PN} += "${PN}-systemd" -SYSTEMD_SERVICE_${PN} = "${BPN}.service" - -RDEPENDS_${PN} += "openssl ncurses-libncurses libbz2 ncurses-libtinfo clamav-freshclam clamav-libclamav" diff --git a/meta-security/recipes-security/clamav/clamav_0.99.4.bb b/meta-security/recipes-security/clamav/clamav_0.99.4.bb new file mode 100644 index 0000000000..8c2c2fa2f9 --- /dev/null +++ b/meta-security/recipes-security/clamav/clamav_0.99.4.bb 
@@ -0,0 +1,158 @@ +SUMMARY = "ClamAV anti-virus utility for Unix - command-line interface" +DESCRIPTION = "ClamAV is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats." +HOMEPAGE = "http://www.clamav.net/index.html" +SECTION = "security" +LICENSE = "LGPL-2.1" + +DEPENDS = "libtool db libmspack chrpath-replacement-native" + +LIC_FILES_CHKSUM = "file://COPYING.LGPL;beginline=2;endline=3;md5=4b89c05acc71195e9a06edfa2fa7d092" + +SRCREV = "b66e5e27b48c0a07494f9df9b809ed933cede047" + +SRC_URI = "git://github.com/vrtadmin/clamav-devel;branch=rel/0.99 \ + file://clamd.conf \ + file://freshclam.conf \ + file://volatiles.03_clamav \ + file://${BPN}.service \ + " + +S = "${WORKDIR}/git" + +LEAD_SONAME = "libclamav.so" +SO_VER = "7.1.1" + +EXTRANATIVEPATH += "chrpath-native" + +inherit autotools-brokensep pkgconfig useradd systemd + +UID = "clamav" +GID = "clamav" + +# Clamav has a built llvm version 2 but does not build with gcc 6.x, +# disable the internal one. 
This is a known issue +# If you want LLVM support, use meta-oe llvm3.3 to build for GCC 6.X, +# as defined below + +CLAMAV_LLVM ?= "oellvm" +CLAMAV_LLVM_RELEASE ?= "6.0" + +PACKAGECONFIG ?= "ncurses openssl bz2 zlib ${CLAMAV_LLVM}" +PACKAGECONFIG += " ${@bb.utils.contains("DISTRO_FEATURES", "ipv6", "ipv6", "", d)}" +PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}" + +PACKAGECONFIG[oellvm] = "--with-system-llvm --with-llvm-linking=dynamic --disable-llvm, ,llvm${CLAMAV_LLVM_RELEASE}" + +PACKAGECONFIG[pcre] = "--with-pcre=${STAGING_LIBDIR}, --without-pcre, libpcre" +PACKAGECONFIG[xml] = "--with-xml=${STAGING_LIBDIR}/.., --with-xml=no, libxml2," +PACKAGECONFIG[json] = "--with-libjson=${STAGING_LIBDIR}, --without-libjson, json," +PACKAGECONFIG[curl] = "--with-libcurl=${STAGING_LIBDIR}, --without-libcurl, curl," +PACKAGECONFIG[ipv6] = "--enable-ipv6, --disable-ipv6" +PACKAGECONFIG[openssl] = "--with-openssl=${STAGING_DIR_HOST}/usr, --without-openssl, openssl, openssl" +PACKAGECONFIG[zlib] = "--with-zlib=${STAGING_DIR_HOST}/usr --disable-zlib-vcheck , --without-zlib, zlib, " +PACKAGECONFIG[bz2] = "--with-libbz2-prefix=${STAGING_LIBDIR}/.., --without-libbz2-prefix, " +PACKAGECONFIG[ncurses] = "--with-libncurses-prefix=${STAGING_LIBDIR}/.., --without-libncurses-prefix, ncurses, " +PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_unitdir}/system/, --without-systemdsystemunitdir, " + +EXTRA_OECONF += " --with-user=${UID} --with-group=${GID} \ + --without-libcheck-prefix --disable-unrar \ + --disable-mempool \ + --program-prefix="" \ + --disable-yara \ + --disable-rpath \ + " + +do_configure () { + cd ${S} + ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF} +} + +do_compile_append() { + # brute force removing RPATH + chrpath -d ${B}/libclamav/.libs/libclamav.so.${SO_VER} + chrpath -d ${B}/sigtool/.libs/sigtool + chrpath -d ${B}/clambc/.libs/clambc + chrpath -d ${B}/clamscan/.libs/clamscan + chrpath -d 
${B}/clamconf/.libs/clamconf + chrpath -d ${B}/clamd/.libs/clamd + chrpath -d ${B}/freshclam/.libs/freshclam +} + +do_install_append() { + install -d ${D}/${sysconfdir} + install -d ${D}/${localstatedir}/lib/clamav + install -d ${D}${sysconfdir}/clamav ${D}${sysconfdir}/default/volatiles + + install -m 644 ${WORKDIR}/clamd.conf ${D}/${sysconfdir} + install -m 644 ${WORKDIR}/freshclam.conf ${D}/${sysconfdir} + install -m 0644 ${WORKDIR}/volatiles.03_clamav ${D}${sysconfdir}/default/volatiles/volatiles.03_clamav + sed -i -e 's#${STAGING_DIR_HOST}##g' ${D}${libdir}/pkgconfig/libclamav.pc + rm ${D}/${libdir}/libclamav.so + if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};then + install -D -m 0644 ${WORKDIR}/clamav.service ${D}${systemd_unitdir}/system/clamav.service + fi +} + +pkg_postinst_ontarget_${PN} () { + if [ -e /etc/init.d/populate-volatile.sh ] ; then + ${sysconfdir}/init.d/populate-volatile.sh update + fi + chown ${UID}:${GID} ${localstatedir}/lib/clamav +} + + +PACKAGES = "${PN} ${PN}-dev ${PN}-dbg ${PN}-daemon ${PN}-doc \ + ${PN}-clamdscan ${PN}-freshclam ${PN}-libclamav ${PN}-staticdev" + +FILES_${PN} = "${bindir}/clambc ${bindir}/clamscan ${bindir}/clamsubmit \ + ${bindir}/*sigtool ${mandir}/man1/clambc* ${mandir}/man1/clamscan* \ + ${mandir}/man1/sigtool* ${mandir}/man1/clambsubmit* \ + ${docdir}/clamav/* " + +FILES_${PN}-clamdscan = " ${bindir}/clamdscan \ + ${docdir}/clamdscan/* \ + ${mandir}/man1/clamdscan* \ + " + +FILES_${PN}-daemon = "${bindir}/clamconf ${bindir}/clamdtop ${sbindir}/clamd \ + ${mandir}/man1/clamconf* ${mandir}/man1/clamdtop* \ + ${mandir}/man5/clamd* ${mandir}/man8/clamd* \ + ${sysconfdir}/clamd.conf* \ + ${systemd_unitdir}/system/clamav-daemon/* \ + ${docdir}/clamav-daemon/* ${sysconfdir}/clamav-daemon \ + ${sysconfdir}/logcheck/ignore.d.server/clamav-daemon " + +FILES_${PN}-freshclam = "${bindir}/freshclam \ + ${sysconfdir}/freshclam.conf* \ + ${sysconfdir}/clamav ${sysconfdir}/default/volatiles \ + 
${localstatedir}/lib/clamav \ + ${docdir}/${PN}-freshclam ${mandir}/man1/freshclam.* \ + ${mandir}/man5/freshclam.conf.* \ + ${systemd_unitdir}/system/clamav-freshclam.service" + +FILES_${PN}-dev = " ${bindir}/clamav-config ${libdir}/*.la \ + ${libdir}/pkgconfig/*.pc \ + ${mandir}/man1/clamav-config.* \ + ${includedir}/*.h ${docdir}/libclamav* " + +FILES_${PN}-staticdev = "${libdir}/*.a" + +FILES_${PN}-libclamav = "${libdir}/libclamav.so* ${libdir}/libmspack.so*\ + ${docdir}/libclamav/* " + +FILES_${PN}-doc = "${mandir}/man/* \ + ${datadir}/man/* \ + ${docdir}/* " + +USERADD_PACKAGES = "${PN}" +GROUPADD_PARAM_${PN} = "--system ${UID}" +USERADD_PARAM_${PN} = "--system -g ${GID} --home-dir \ + ${localstatedir}/spool/${BPN} \ + --no-create-home --shell /bin/false ${BPN}" + +RPROVIDES_${PN} += "${PN}-systemd" +RREPLACES_${PN} += "${PN}-systemd" +RCONFLICTS_${PN} += "${PN}-systemd" +SYSTEMD_SERVICE_${PN} = "${BPN}.service" + +RDEPENDS_${PN} += "openssl ncurses-libncurses libbz2 ncurses-libtinfo clamav-freshclam clamav-libclamav" diff --git a/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb b/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb index f55b0c3901..1f780f9e38 100644 --- a/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb +++ b/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb @@ -29,6 +29,7 @@ EXTRA_OECONF = "\ --libdir=${base_libdir} \ --disable-pywrap \ --disable-nls \ + --with-pamdir=${base_libdir}/security \ " PACKAGECONFIG ??= "nss \ 
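Review bot: The `SRC_URI` entry `git://github.com/vrtadmin/clamav-devel;branch=rel/0.99` carries no `protocol=` parameter, so the source for the antivirus engine is fetched over the unauthenticated git protocol. The `SRCREV` pin means the checked-out tree must match that commit id, but the transport itself gives no server authentication and is often blocked on build networks. I would write the entry as `git://github.com/vrtadmin/clamav-devel;protocol=https;branch=rel/0.99`. The comment block above `CLAMAV_LLVM` still refers to "meta-oe llvm3.3" while `CLAMAV_LLVM_RELEASE` defaults to "6.0", so it should be updated at the same time.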
@@ -43,12 +44,16 @@ do_configure_prepend() { export NSS_LIBS="-L${STAGING_BASELIBDIR} -lssl3 -lsmime3 -lnss3 -lsoftokn3 -lnssutil3" export KEYUTILS_CFLAGS="-I${STAGING_INCDIR}" export KEYUTILS_LIBS="-L${STAGING_LIBDIR} -lkeyutils" + sed -i -e "s;rootsbindir=\"/sbin\";rootsbindir=\"\${base_sbindir}\";g" ${S}/configure.ac } do_install_append() { chmod 4755 ${D}${base_sbindir}/mount.ecryptfs_private - mkdir -p ${D}/${libdir} - mv ${D}/${base_libdir}/pkgconfig ${D}/${libdir} + # ${base_libdir} is identical to ${libdir} when usrmerge enabled + if ! ${@bb.utils.contains('DISTRO_FEATURES','usrmerge','true','false',d)}; then + mkdir -p ${D}/${libdir} + mv ${D}/${base_libdir}/pkgconfig ${D}/${libdir} + fi sed -i -e 's:-I${STAGING_INCDIR}::' \ -e 's:-L${STAGING_LIBDIR}::' ${D}/${libdir}/pkgconfig/libecryptfs.pc sed -i -e "s: ${base_sbindir}/cryptsetup: ${sbindir}/cryptsetup:" ${D}${bindir}/ecryptfs-setup-swap diff --git a/meta-security/recipes-security/fail2ban/fail2ban_0.10.2.bb b/meta-security/recipes-security/fail2ban/fail2ban_0.10.2.bb deleted file mode 100644 index 7e2deba2da..0000000000 --- a/meta-security/recipes-security/fail2ban/fail2ban_0.10.2.bb +++ /dev/null 
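Review bot: The `sed` added at the end of `do_configure_prepend` rewrites `configure.ac` without a comment saying why, and the command itself reports nothing if the `rootsbindir="/sbin"` pattern stops matching after an upstream change. Judging by the `chmod 4755 ${D}${base_sbindir}/mount.ecryptfs_private` line in `do_install_append`, the intent appears to be that the setuid mount helper is installed under `${base_sbindir}` when usrmerge is enabled. I would state that above the sed, for example `# install the mount helpers under ${base_sbindir} so the setuid chmod in do_install_append finds them`. Carrying the edit as a patch in SRC_URI instead would make a mismatch fail at do_patch. `do_configure_prepend` starts outside this hunk.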
@@ -1,41 +0,0 @@
-SUMMARY = "Daemon to ban hosts that cause multiple authentication errors."
-DESCRIPTION = "Fail2Ban scans log files like /var/log/auth.log and bans IP addresses having too \
-many failed login attempts. It does this by updating system firewall rules to reject new \
-connections from those IP addresses, for a configurable amount of time. Fail2Ban comes \
-out-of-the-box ready to read many standard log files, such as those for sshd and Apache, \
-and is easy to configure to read any log file you choose, for any error you choose."
-HOMEPAGE = "http://www.fail2ban.org"
-
-LICENSE = "GPL-2.0"
-LIC_FILES_CHKSUM = "file://COPYING;md5=ecabc31e90311da843753ba772885d9f"
-
-SRCREV ="a45488465e0dd547eb8479c0fa9fd577c1837213"
-SRC_URI = " \
- git://github.com/fail2ban/fail2ban.git;branch=0.10 \
- file://initd \
- file://fail2ban_setup.py \
-"
-
-inherit update-rc.d setuptools
-
-S = "${WORKDIR}/git"
-
-INITSCRIPT_PACKAGES = "${PN}"
-INITSCRIPT_NAME = "fail2ban-server"
-INITSCRIPT_PARAMS = "defaults 25"
-
-do_compile_prepend () {
- cp ${WORKDIR}/fail2ban_setup.py ${S}/setup.py
-}
-
-do_install_append () {
- install -d ${D}/${sysconfdir}/fail2ban
- install -d ${D}/${sysconfdir}/init.d
- install -m 0755 ${WORKDIR}/initd ${D}${sysconfdir}/init.d/fail2ban-server
-}
-
-FILES_${PN} += "/run"
-
-INSANE_SKIP_${PN}_append = "already-stripped"
-
-RDEPENDS_${PN} = "sysklogd iptables sqlite3 python python-pyinotify"
diff --git a/meta-security/recipes-security/fail2ban/files/run-ptest b/meta-security/recipes-security/fail2ban/files/run-ptest
new file mode 100644
index 0000000000..9f6aebe82c
--- /dev/null
+++ b/meta-security/recipes-security/fail2ban/files/run-ptest
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+##PYTHON## fail2ban-testcases
diff --git a/meta-security/recipes-security/fail2ban/python-fail2ban.inc b/meta-security/recipes-security/fail2ban/python-fail2ban.inc
new file mode 100644
index 0000000000..9245f17b1c
--- /dev/null
+++ b/meta-security/recipes-security/fail2ban/python-fail2ban.inc
@@ -0,0 +1,49 @@
+SUMMARY = "Daemon to ban hosts that cause multiple authentication errors."
+DESCRIPTION = "Fail2Ban scans log files like /var/log/auth.log and bans IP addresses having too \
+many failed login attempts. It does this by updating system firewall rules to reject new \
+connections from those IP addresses, for a configurable amount of time. Fail2Ban comes \
+out-of-the-box ready to read many standard log files, such as those for sshd and Apache, \
+and is easy to configure to read any log file you choose, for any error you choose."
+HOMEPAGE = "http://www.fail2ban.org"
+
+LICENSE = "GPL-2.0"
+LIC_FILES_CHKSUM = "file://COPYING;md5=ecabc31e90311da843753ba772885d9f"
+
+SRCREV ="ac0d441fd68852ffda7b15c71f16b7f4fde1a7ee"
+SRC_URI = " \
+ git://github.com/fail2ban/fail2ban.git;branch=0.11 \
+ file://initd \
+ file://fail2ban_setup.py \
+ file://run-ptest \
+"
+
+inherit update-rc.d ptest
+
+S = "${WORKDIR}/git"
+
+INITSCRIPT_PACKAGES = "${PN}"
+INITSCRIPT_NAME = "fail2ban-server"
+INITSCRIPT_PARAMS = "defaults 25"
+
+do_compile_prepend () {
+ cp ${WORKDIR}/fail2ban_setup.py ${S}/setup.py
+}
+
+do_install_append () {
+ install -d ${D}/${sysconfdir}/fail2ban
+ install -d ${D}/${sysconfdir}/init.d
+ install -m 0755 ${WORKDIR}/initd ${D}${sysconfdir}/init.d/fail2ban-server
+ chown -R root:root ${D}/${bindir}
+}
+
+do_install_ptest_append () {
+ install -d ${D}${PTEST_PATH}
+ sed -i -e 's/##PYTHON##/${PYTHON_PN}/g' ${D}${PTEST_PATH}/run-ptest
+ install -D ${S}/bin/fail2ban-testcases ${D}${PTEST_PATH}
+}
+
+FILES_${PN} += "/run"
+
+INSANE_SKIP_${PN}_append = "already-stripped"
+
+RDEPENDS_${PN} = "sysklogd iptables sqlite3 ${PYTHON_PN} ${PYTHON_PN}-pyinotify"
diff --git a/meta-security/recipes-security/fail2ban/python-fail2ban_0.10.3.1.bb b/meta-security/recipes-security/fail2ban/python-fail2ban_0.10.3.1.bb
new file mode 100644
index 0000000000..17a7dd8ddb
--- /dev/null
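Review bot: `SRC_URI` now tracks `branch=0.11`, while both recipes that `require` this file are named `_0.10.3.1`, so the packaged version may not match the code at the pinned `SRCREV`. If that commit belongs to the 0.11 line, version-based vulnerability matching and upgrade checks will report the wrong release; either pin a commit on `branch=0.10` or name the recipes after the version actually built. Separately, the fetch uses the unauthenticated `git://` transport. The pinned `SRCREV` fixes the content, but `git://github.com/fail2ban/fail2ban.git;branch=0.11;protocol=https` would also protect the transfer.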
+++ b/meta-security/recipes-security/fail2ban/python-fail2ban_0.10.3.1.bb @@ -0,0 +1,4 @@ +inherit setuptools +require python-fail2ban.inc + +RDEPENDS_${PN}-ptest = "python python-modules python-fail2ban" diff --git a/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.3.1.bb b/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.3.1.bb new file mode 100644 index 0000000000..5c887e8572 --- /dev/null +++ b/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.3.1.bb @@ -0,0 +1,4 @@ +inherit setuptools3 +require python-fail2ban.inc + +RDEPENDS_${PN}-ptest = "python3-core python3-io python3-modules python3-fail2ban" diff --git a/meta-security/recipes-security/fscryptctl/fscryptctl_0.1.0.bb b/meta-security/recipes-security/fscryptctl/fscryptctl_0.1.0.bb index 4f0b12c4a0..8847a0fc44 100644 --- a/meta-security/recipes-security/fscryptctl/fscryptctl_0.1.0.bb +++ b/meta-security/recipes-security/fscryptctl/fscryptctl_0.1.0.bb @@ -9,7 +9,7 @@ SECTION = "base" LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" -SRCREV = "e4c4d0984dee2531897e13c32a18d5e54a2a4aa6" +SRCREV = "142326810eb19d6794793db6d24d0775a15aa8e5" SRC_URI = "git://github.com/google/fscryptctl.git" S = "${WORKDIR}/git" diff --git a/meta-security/recipes-security/images/security-build-image.bb b/meta-security/recipes-security/images/security-build-image.bb index 1a7af86be5..a8757f980e 100644 --- a/meta-security/recipes-security/images/security-build-image.bb +++ b/meta-security/recipes-security/images/security-build-image.bb @@ -6,9 +6,7 @@ IMAGE_INSTALL = "\ packagegroup-base \ packagegroup-core-boot \ packagegroup-core-security \ - os-release \ - ${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-xfce-base", "", d)} \ - ${CORE_IMAGE_EXTRA_INSTALL}" + os-release" IMAGE_LINGUAS ?= " " 
diff --git a/meta-security/recipes-security/keynote/keynote-2.3/configure-remove-hardcode-path.patch b/meta-security/recipes-security/keynote/keynote-2.3/configure-remove-hardcode-path.patch deleted file mode 100644 index af3ef421da..0000000000 --- a/meta-security/recipes-security/keynote/keynote-2.3/configure-remove-hardcode-path.patch +++ /dev/null @@ -1,37 +0,0 @@ -Remove the hardcoded lib and include dirs - -Upstream-Status: Inappropriate [cross compile specific] - -written by: Amy Fong -Signed-off-by: Jackie Huang - ---- keynote-2.3/configure.in.orig 2010-05-24 04:44:16.000000000 -0700 -+++ keynote-2.3/configure.in 2010-05-24 04:44:55.000000000 -0700 -@@ -21,27 +21,16 @@ - AC_PATH_PROG(ECHO, echo, /bin/echo) - AC_PATH_PROG(SED, sed, /usr/bin/sed) - --dnl Checks for libraries. --LIBS="-L/usr/lib -L/usr/local/lib -L/usr/ssl/lib -L/usr/openssl/lib\ -- -L/usr/local/ssl/lib -L/usr/local/openssl/lib -L/usr/pkg/lib -L/pkg/lib" -- - AC_CHECK_LIB(m, floor, LIBS="$LIBS -lm") - AC_CHECK_LIB(rsaref, RSAPrivateDecrypt, LIBS="$LIBS -lrsaref") - AC_CHECK_LIB(crypto, i2a_ASN1_STRING, LIBS="$LIBS -lcrypto") - AC_CHECK_LIB(RSAglue, RSA_ref_private_encrypt, LIBS="$LIBS -lRSAglue") - --dnl Checks for header files. --CPPFLAGS="-I/usr/include -I/usr/local/include -I/usr/ssl/include\ -- -I/usr/local/ssl/include -I/usr/openssl/include -I/usr/pkg/include\ -- -I/usr/local/openssl/include -I/pkg/include" -- - AC_HEADER_STDC - AC_HEADER_TIME - AC_CHECK_HEADERS(fcntl.h limits.h unistd.h regex.h sys/time.h io.h) - AC_CHECK_HEADERS(ssl/crypto.h openssl/crypto.h crypto.h memory.h) - --dnl Checks for other files -- - dnl Checks for typedefs, structures, and compiler characteristics. - AC_C_CONST - AC_CHECK_TYPE(u_int, unsigned int) diff --git a/meta-security/recipes-security/keynote/keynote-2.3/makefile-add-ldflags.patch b/meta-security/recipes-security/keynote/keynote-2.3/makefile-add-ldflags.patch deleted file mode 100644 index 80d87cf28f..0000000000 
--- a/meta-security/recipes-security/keynote/keynote-2.3/makefile-add-ldflags.patch +++ /dev/null @@ -1,36 +0,0 @@ -Add LDFLAGS variable to Makefile so that extra linker flags can be sent via this variable. - -Upstream-Status: Pending - -Signed-off-by: Yi Zhao - -diff --git a/Makefile.in b/Makefile.in -index b216648..42b4827 100644 ---- a/Makefile.in -+++ b/Makefile.in -@@ -35,6 +35,7 @@ MKDIR = @MKDIR@ - SED = @SED@ - ECHO = @ECHO@ - TR = @TR@ -+LDFLAGS = @LDFLAGS@ - - TARFLAGS = -cvzf ${DISTFILE} - YACCFLAGS2 = -d -p kv -b z -@@ -83,7 +84,7 @@ $(TARGET): $(OBJS) - $(RANLIB) $(TARGET) - - $(TARGET2): $(TARGET) $(OBJS2) -- $(CC) $(CFLAGS) -o $(TARGET2) $(OBJS2) $(LIBS) -+ $(CC) $(CFLAGS) $(LDFLAGS) -o $(TARGET2) $(OBJS2) $(LIBS) - - k.tab.c: keynote.y header.h keynote.h assertion.h config.h - $(YACC) $(YACCFLAGS) keynote.y -@@ -131,7 +132,7 @@ $(SSLCERT) $(SSLKEY): - -keyout $(SSLKEY) - - test-sample: all $(OBJS3) -- $(CC) $(CFLAGS) -o $(TARGET3) $(OBJS3) $(LIBS) -+ $(CC) $(CFLAGS) $(LDFLAGS) -o $(TARGET3) $(OBJS3) $(LIBS) - - test-sig: all $(SSLCERT) $(SSLKEY) - $(SED) -e 's/--.*//' < $(SSLCERT) > $(SSLCERT).1 diff --git a/meta-security/recipes-security/keynote/keynote-2.3/run-ptest b/meta-security/recipes-security/keynote/keynote-2.3/run-ptest deleted file mode 100644 index 4dc35c9d19..0000000000 --- a/meta-security/recipes-security/keynote/keynote-2.3/run-ptest +++ /dev/null @@ -1,16 +0,0 @@ -#!/bin/sh - -cd @PTEST_PATH@ -keynote verify -e testsuite/test-env \ - -r false,maybe,probably,true \ - -k testsuite/auth1 -k testsuite/auth2 \ - -k testsuite/auth3 -k testsuite/auth4 \ - -l testsuite/test-assertion1 \ - -l testsuite/test-assertion2 \ - -l testsuite/test-assertion3 \ - -l testsuite/test-assertion4 \ - -l testsuite/test-assertion5 \ - -l testsuite/test-assertion6 \ - -l testsuite/test-assertion7 \ - && echo "PASS: keynote-ptest" \ - || echo "FAIL: keynote-ptest" 
diff --git a/meta-security/recipes-security/keynote/keynote_2.3.bb b/meta-security/recipes-security/keynote/keynote_2.3.bb deleted file mode 100644 index e6924858df..0000000000 --- a/meta-security/recipes-security/keynote/keynote_2.3.bb +++ /dev/null @@ -1,40 +0,0 @@ -SUMMARY = "Keynote tool and library" -DESCRIPTION = "KeyNote is a simple and flexible trust-management \ - system designed to work well for a variety of large- and small- \ - scale Internet-based applications. \ -" -HOMEPAGE = "http://www.cs.columbia.edu/~angelos/keynote.html" -SECTION = "security" - -LICENSE = "ISC" -LIC_FILES_CHKSUM = "file://LICENSE;md5=3a265095c549c1808686a676f2699c98" - -MAIN_ID = "${@d.getVar('PV').split('.')[0]}" -MINOR_ID = "${@d.getVar('PV').split('.')[1]}" -SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}-${MAIN_ID}-${MINOR_ID}/${BPN}_${PV}.tar.gz \ - file://configure-remove-hardcode-path.patch \ - file://makefile-add-ldflags.patch \ - file://run-ptest \ -" -S = "${WORKDIR}/${BPN}-${PV}+dfsg.orig" - -inherit autotools-brokensep ptest - -SRC_URI[md5sum] = "a14553e6ad921b5c85026ce5bec3afe7" -SRC_URI[sha256sum] = "38d2acfa1c3630a07adcb5c8fe92d2aef7f0e6d242b8998b2bbb1c6e4c408d46" - -DEPENDS = "flex openssl" - -EXTRA_OEMAKE += "test-sample -j1" - -do_install() { - install -D -m 0755 ${S}/keynote ${D}${bindir}/keynote - install -D -m 0644 ${S}/libkeynote.a ${D}${libdir}/libkeynote.a - install -D -m 0644 ${S}/keynote.h ${D}${includedir}/keynote.h -} - -do_install_ptest() { - install -D -m 0755 ${S}/sample-app ${D}${PTEST_PATH} - cp -r ${S}/testsuite ${D}${PTEST_PATH} - sed -i 's|@PTEST_PATH@|${PTEST_PATH}|' ${D}${PTEST_PATH}/run-ptest -} diff --git a/meta-security/recipes-security/keyutils/keyutils_1.5.10.bb b/meta-security/recipes-security/keyutils/keyutils_1.5.10.bb index 2ead8fa19e..a4222b9e99 100644 --- a/meta-security/recipes-security/keyutils/keyutils_1.5.10.bb +++ b/meta-security/recipes-security/keyutils/keyutils_1.5.10.bb 
@@ -27,6 +27,8 @@ SRC_URI[sha256sum] = "115c3deae7f181778fd0e0ffaa2dad1bf1fe2f5677cf2e0e348cdb7a1c EXTRA_OEMAKE = "'CFLAGS=${CFLAGS} -Wall' \ NO_ARLIB=1 \ + BINDIR=${base_bindir} \ + SBINDIR=${base_sbindir} \ LIBDIR=${base_libdir} \ USRLIBDIR=${base_libdir} \ BUILDFOR=${SITEINFO_BITS}-bit \ diff --git a/meta-security/recipes-security/libseccomp/libseccomp_2.3.3.bb b/meta-security/recipes-security/libseccomp/libseccomp_2.3.3.bb index 8d58163c95..9c66db68ca 100644 --- a/meta-security/recipes-security/libseccomp/libseccomp_2.3.3.bb +++ b/meta-security/recipes-security/libseccomp/libseccomp_2.3.3.bb @@ -35,8 +35,7 @@ do_install_ptest() { done } -FILES_${PN} = "${bindir} ${libdir}/${PN}.so*" +FILES_${PN} = "${bindir} ${libdir}/${BPN}.so*" FILES_${PN}-dbg += "${libdir}/${PN}/tests/.debug/* ${libdir}/${PN}/tools/.debug" -RDEPENDS_${PN} = "bash" RDEPENDS_${PN}-ptest = "bash" diff --git a/meta-security/recipes-security/nmap/files/nmap-redefine-the-python-library-dir.patch b/meta-security/recipes-security/nmap/files/nmap-redefine-the-python-library-dir.patch deleted file mode 100644 index 356b5071bf..0000000000 --- a/meta-security/recipes-security/nmap/files/nmap-redefine-the-python-library-dir.patch +++ /dev/null 
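Review bot: In the libseccomp hunk, `FILES_${PN}` was switched to `${libdir}/${BPN}.so*`, but the `FILES_${PN}-dbg` line directly below it still builds its paths from `${PN}` (`${libdir}/${PN}/tests/.debug/*` and `${libdir}/${PN}/tools/.debug`). For any variant where PN differs from BPN, which is presumably the case this change targets, those patterns could miss the installed debug files. I would make it `FILES_${PN}-dbg += "${libdir}/${BPN}/tests/.debug/* ${libdir}/${BPN}/tools/.debug"`. `do_install_ptest` starts outside the hunk, so confirm which name its install paths use before changing this.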
@@ -1,37 +0,0 @@ -[PATCH] redefine the python library install dir - -Upstream-Status: Pending - -If install-lib is not defined, it is always /usr/lib/, but it -maybe /usr/lib64 for multilib - -Signed-off-by: Roy Li ---- - Makefile.in | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/Makefile.in b/Makefile.in -index 1bb062c..cced2fb 100644 ---- a/Makefile.in -+++ b/Makefile.in -@@ -311,7 +311,7 @@ build-zenmap: $(ZENMAPDIR)/setup.py $(ZENMAPDIR)/zenmapCore/Version.py - - install-zenmap: $(ZENMAPDIR)/setup.py - $(INSTALL) -d $(DESTDIR)$(bindir) $(DESTDIR)$(mandir)/man1 -- cd $(ZENMAPDIR) && $(PYTHON) setup.py --quiet install --prefix "$(prefix)" --force $(if $(DESTDIR),--root "$(DESTDIR)") -+ cd $(ZENMAPDIR) && $(PYTHON) setup.py --quiet install --prefix "$(prefix)" --install-lib="${PYTHON_SITEPACKAGES_DIR}" --force $(if $(DESTDIR),--root "$(DESTDIR)") - $(INSTALL) -c -m 644 docs/zenmap.1 $(DESTDIR)$(mandir)/man1/ - # Create a symlink from nmapfe to zenmap if nmapfe doesn't exist or is - # already a link. -@@ -328,7 +328,7 @@ build-nping: $(NPINGDIR)/Makefile nbase_build nsock_build netutil_build $(NPINGD - @cd $(NPINGDIR) && $(MAKE) - - install-ndiff: -- cd $(NDIFFDIR) && $(PYTHON) setup.py install --prefix "$(prefix)" $(if $(DESTDIR),--root "$(DESTDIR)") -+ cd $(NDIFFDIR) && $(PYTHON) setup.py install --prefix "$(prefix)" --install-lib="${PYTHON_SITEPACKAGES_DIR}" $(if $(DESTDIR),--root "$(DESTDIR)") - - NSE_FILES = scripts/script.db scripts/*.nse - NSE_LIB_LUA_FILES = nselib/*.lua nselib/*.luadoc --- -1.9.1 - diff --git a/meta-security/recipes-security/nmap/files/nmap-replace-shtool-mkdir-with-coreutils-mkdir-command.patch b/meta-security/recipes-security/nmap/files/nmap-replace-shtool-mkdir-with-coreutils-mkdir-command.patch deleted file mode 100644 index cfe043af4b..0000000000 --- a/meta-security/recipes-security/nmap/files/nmap-replace-shtool-mkdir-with-coreutils-mkdir-command.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -[PATCH] replace "./shtool mkdir" with coreutils mkdir command - -Upstream-Status: Pending - -"./shtool mkdir" is used when mkdir has not -p parameter, but mkdir in today -most release has supportted the -p parameter, not need to use shtool, and it -can not fix the race if two process are running mkdir to create same dir - -Signed-off-by: Roy Li ---- - ncat/Makefile.in | 4 ++-- - nmap-update/Makefile.in | 2 +- - 2 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/ncat/Makefile.in b/ncat/Makefile.in -index cfd306d..2166e08 100644 ---- a/ncat/Makefile.in -+++ b/ncat/Makefile.in -@@ -163,11 +163,11 @@ $(NSOCKDIR)/libnsock.a: $(NSOCKDIR)/Makefile - - install: $(TARGET) - @echo Installing Ncat; -- $(SHTOOL) mkdir -f -p -m 755 $(DESTDIR)$(bindir) $(DESTDIR)$(mandir)/man1 -+ mkdir -p -m 755 $(DESTDIR)$(bindir) $(DESTDIR)$(mandir)/man1 - $(INSTALL) -c -m 755 ncat $(DESTDIR)$(bindir)/ncat - $(STRIP) -x $(DESTDIR)$(bindir)/ncat - if [ -n "$(DATAFILES)" ]; then \ -- $(SHTOOL) mkdir -f -p -m 755 $(DESTDIR)$(pkgdatadir); \ -+ mkdir -p -m 755 $(DESTDIR)$(pkgdatadir); \ - $(INSTALL) -c -m 644 $(DATAFILES) $(DESTDIR)$(pkgdatadir)/; \ - fi - $(INSTALL) -c -m 644 docs/$(TARGET).1 $(DESTDIR)$(mandir)/man1/$(TARGET).1 -diff --git a/nmap-update/Makefile.in b/nmap-update/Makefile.in -index 89ff928..93f48d8 100644 ---- a/nmap-update/Makefile.in -+++ b/nmap-update/Makefile.in -@@ -37,7 +37,7 @@ $(NBASELIB): - cd $(NBASEDIR) && $(MAKE) - - install: nmap-update -- $(SHTOOL) mkdir -f -p -m 755 $(DESTDIR)$(bindir) $(DESTDIR)$(mandir)/man1 -+ mkdir -p -m 755 $(DESTDIR)$(bindir) $(DESTDIR)$(mandir)/man1 - $(INSTALL) -c -m 755 nmap-update $(DESTDIR)$(bindir) - $(STRIP) -x $(DESTDIR)$(bindir)/nmap-update - $(INSTALL) -c -m 644 ../docs/nmap-update.1 $(DESTDIR)$(mandir)/man1/ --- -1.9.1 - diff --git a/meta-security/recipes-security/nmap/nmap_7.60.bb b/meta-security/recipes-security/nmap/nmap_7.60.bb deleted file mode 100644 index a6616eb133..0000000000 
--- a/meta-security/recipes-security/nmap/nmap_7.60.bb
+++ /dev/null
@@ -1,54 +0,0 @@ -SUMMARY = "network auditing tool" -DESCRIPTION = "Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing.\nGui support via appending to IMAGE_FEATURES x11-base in local.conf" -SECTION = "security" -LICENSE = "GPL-2.0" - -LIC_FILES_CHKSUM = "file://COPYING;beginline=7;endline=12;md5=700c690f4ca6b1754f3f1db8645e42d9" - -SRC_URI = "http://nmap.org/dist/${BP}.tar.bz2 \ - file://nmap-redefine-the-python-library-dir.patch \ - file://nmap-replace-shtool-mkdir-with-coreutils-mkdir-command.patch \ -" - -SRC_URI[md5sum] = "4e454266559ddf2c4e2109866c62560c" -SRC_URI[sha256sum] = "a8796ecc4fa6c38aad6139d9515dc8113023a82e9d787e5a5fb5fa1b05516f21" - -inherit autotools-brokensep pkgconfig pythonnative distro_features_check - -PACKAGECONFIG ?= "ncat nping ndiff pcap" -PACKAGECONFIG += " ${@bb.utils.contains('IMAGE_FEATURES', 'x11-base', 'zenmap', '', d)}" - -PACKAGECONFIG[pcap] = "--with-pcap=linux, --without-pcap, libpcap, libpcap" -PACKAGECONFIG[pcre] = "--with-libpcre=${STAGING_LIBDIR}/.., --with-libpcre=included, libpre" -PACKAGECONFIG[ssl] = "--with-openssl=${STAGING_LIBDIR}/.., --without-openssl, openssl, openssl" -PACKAGECONFIG[ssh2] = "--with-openssh2=${STAGING_LIBDIR}/.., --without-openssh2, libssh2, libssh2" -PACKAGECONFIG[libz] = "--with-libz=${STAGING_LIBDIR}/.., --without-libz, zlib, zlib" - -#disable/enable packages -PACKAGECONFIG[nping] = ",--without-nping," -PACKAGECONFIG[ncat] = ",--without-ncat," -PACKAGECONFIG[ndiff] = ",--without-ndiff,python" -PACKAGECONFIG[update] = ",--without-nmap-update," - -#Add gui -PACKAGECONFIG[zenmap] = "--with-zenmap, --without-zenmap, gtk+ python-core python-codecs python-io python-logging python-unittest python-xml python-netclient python-doctest python-subprocess python-pygtk, python-core python-codecs python-io python-logging python-netclient python-xml python-unittest python-doctest python-subprocess python-pygtk gtk+" - -EXTRA_OECONF = 
"--with-libdnet=included --with-liblinear=included --without-subversion --with-liblua=included" - -export PYTHON_SITEPACKAGES_DIR - -do_configure() { - # strip hard coded python2# - sed -i -e 's=python2\.*=python=g' ${S}/configure.ac - sed -i -e 's=python2\.*=python=g' ${S}/configure - autoconf - oe_runconf -} - -PACKAGES += "${@bb.utils.contains('PACKAGECONFIG', 'zenmap', '${PN}-zenmap', '', d)}" - -FILES_${PN} += "${PYTHON_SITEPACKAGES_DIR}" -FILES_${PN}-zenmap = "${@bb.utils.contains("PACKAGECONFIG", "zenmap", "${bindir}/*zenmap ${bindir}/xnmap ${datadir}/applications/* ${bindir}/nmapfe ${datadir}/zenmap/* ${PYTHON_SITEPACKAGES_DIR}/radialnet/* ${PYTHON_SITEPACKAGES_DIR}/zenmap*", "", d)}" - -RDEPENDS_${PN} = "python" -RDEPENDS_${PN}-zenmap = "nmap" diff --git a/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb index 6682d29054..e847847b82 100644 --- a/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb +++ b/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb @@ -12,6 +12,7 @@ PACKAGES = "\ packagegroup-security-ids \ packagegroup-security-mac \ ${@bb.utils.contains("MACHINE_FEATURES", "tpm", "packagegroup-security-tpm", "",d)} \ + ${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-security-ptest", "", d)} \ " RDEPENDS_packagegroup-core-security = "\ @@ -20,6 +21,7 @@ RDEPENDS_packagegroup-core-security = "\ packagegroup-security-ids \ packagegroup-security-mac \ ${@bb.utils.contains("MACHINE_FEATURES", "tpm", "packagegroup-security-tpm", "",d)} \ + ${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-security-ptest", "", d)} \ " SUMMARY_packagegroup-security-utils = "Security utilities" 
@@ -27,7 +29,11 @@ RDEPENDS_packagegroup-security-utils = "\ checksec \ nmap \ pinentry \ - scapy \ + python-scapy \ + ding-libs \ + xmlsec1 \ + keyutils \ + libseccomp \ ${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils", "",d)} \ " @@ -52,13 +58,28 @@ RDEPENDS_packagegroup-security-hardening = " \ SUMMARY_packagegroup-security-ids = "Security Intrusion Detection systems" RDEPENDS_packagegroup-security-ids = " \ tripwire \ - samhain-client \ + samhain-standalone \ suricata \ " SUMMARY_packagegroup-security-mac = "Security Mandatory Access Control systems" RDEPENDS_packagegroup-security-mac = " \ ${@bb.utils.contains("DISTRO_FEATURES", "tomoyo", "ccs-tools", "",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "", "",d)} \ + ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \ ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack", "",d)} \ " + +SUMMARY_packagegroup-security-ptest = "Security packages with ptests" +RDEPENDS_packagegroup-security-ptest = " \ + samhain-standalone-ptest \ + xmlsec1-ptest \ + keyutils-ptest \ + libseccomp-ptest \ + python-scapy-ptest \ + suricata-ptest \ + tripwire-ptest \ + python3-fail2ban-ptest \ + ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor-ptest", "",d)} \ + ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \ + ptest-runner \ + " diff --git a/meta-security/recipes-security/samhain/samhain-client_4.2.2.bb b/meta-security/recipes-security/samhain/samhain-client_4.2.2.bb deleted file mode 100644 index 812408e5e4..0000000000 --- a/meta-security/recipes-security/samhain/samhain-client_4.2.2.bb +++ /dev/null @@ -1,11 +0,0 @@ -INITSCRIPT_PARAMS = "defaults 15 85" - -require samhain.inc - -# Let the default Logserver be 127.0.0.1 -EXTRA_OECONF += " \ - --with-logserver=${SAMHAIN_SERVER} \ - --with-port=${SAMHAIN_PORT} \ - " - -RDEPENDS_${PN} = "acl zlib attr bash" 
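Review bot: In the `@@ -27,7 +29,11 @@` hunk, `RDEPENDS_packagegroup-security-utils` keeps `nmap` although this same commit deletes `recipes-security/nmap/nmap_7.60.bb` and its two patches from the layer. Unless another layer listed in this layer's dependencies provides nmap (not visible here), building the package group will stop on an unsatisfied runtime dependency. Confirm the provider, or drop the `nmap \` entry from the list.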
diff --git a/meta-security/recipes-security/samhain/samhain-client_4.3.0.bb b/meta-security/recipes-security/samhain/samhain-client_4.3.0.bb
new file mode 100644
index 0000000000..812408e5e4
--- /dev/null
+++ b/meta-security/recipes-security/samhain/samhain-client_4.3.0.bb
@@ -0,0 +1,11 @@
+INITSCRIPT_PARAMS = "defaults 15 85"
+
+require samhain.inc
+
+# Let the default Logserver be 127.0.0.1
+EXTRA_OECONF += " \
+ --with-logserver=${SAMHAIN_SERVER} \
+ --with-port=${SAMHAIN_PORT} \
+ "
+
+RDEPENDS_${PN} = "acl zlib attr bash"
diff --git a/meta-security/recipes-security/samhain/samhain-server_4.2.2.bb b/meta-security/recipes-security/samhain/samhain-server_4.2.2.bb
deleted file mode 100644
index 9341d44408..0000000000
--- a/meta-security/recipes-security/samhain/samhain-server_4.2.2.bb
+++ /dev/null
@@ -1,20 +0,0 @@
-INITSCRIPT_PARAMS = "defaults 14 86"
-
-require samhain.inc
-
-DEPENDS = "gmp"
-
-SRC_URI += "file://samhain-server-volatiles"
-
-TARGET_CC_ARCH += "${LDFLAGS}"
-
-do_install_append() {
- install -d ${D}${sysconfdir}/default/volatiles
- install -m 0644 ${WORKDIR}/samhain-server-volatiles \
- ${D}${sysconfdir}/default/volatiles/samhain-server
-
- install -m 700 samhain-install.sh init/samhain.startLinux \
- init/samhain.startLSB ${D}/var/lib/samhain
-}
-
-RDEPENDS_${PN} += "gmp bash perl"
diff --git a/meta-security/recipes-security/samhain/samhain-server_4.3.0.bb b/meta-security/recipes-security/samhain/samhain-server_4.3.0.bb
new file mode 100644
index 0000000000..9341d44408
--- /dev/null
+++ b/meta-security/recipes-security/samhain/samhain-server_4.3.0.bb
@@ -0,0 +1,20 @@
+INITSCRIPT_PARAMS = "defaults 14 86"
+
+require samhain.inc
+
+DEPENDS = "gmp"
+
+SRC_URI += "file://samhain-server-volatiles"
+
+TARGET_CC_ARCH += "${LDFLAGS}"
+
+do_install_append() {
+ install -d ${D}${sysconfdir}/default/volatiles
+ install -m 0644 ${WORKDIR}/samhain-server-volatiles \
+ ${D}${sysconfdir}/default/volatiles/samhain-server
+
+ install -m 700 samhain-install.sh init/samhain.startLinux \
+ init/samhain.startLSB ${D}/var/lib/samhain
+}
+
+RDEPENDS_${PN} += "gmp bash perl"
diff --git a/meta-security/recipes-security/samhain/samhain-standalone_4.2.2.bb b/meta-security/recipes-security/samhain/samhain-standalone_4.2.2.bb
deleted file mode 100644
index 4fed9e9e97..0000000000
--- a/meta-security/recipes-security/samhain/samhain-standalone_4.2.2.bb
+++ /dev/null
@@ -1,31 +0,0 @@
-require samhain.inc
-
-SRC_URI += "file://samhain-not-run-ptest-on-host.patch \
- file://run-ptest \
-"
-
-PROVIDES += "samhain"
-
-SYSTEMD_SERVICE_${PN} = "samhain.service"
-
-inherit ptest
-
-do_compile() {
- if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'yes', 'no', d)}" = "yes" ]; then
- oe_runmake cutest
- rm -f ${S}*.o config_xor.h internal.h
- fi
- oe_runmake "$@"
-}
-
-do_install_append() {
- ln -sf ${INITSCRIPT_NAME} ${D}${sysconfdir}/init.d/samhain
-}
-
-do_install_ptest() {
- mkdir -p ${D}${PTEST_PATH}
- install ${S}/cutest ${D}${PTEST_PATH}
-}
-
-RPROVIDES_${PN} += "samhain"
-RCONFLICTS_${PN} = "samhain-client samhain-server"
diff --git a/meta-security/recipes-security/samhain/samhain-standalone_4.3.0.bb b/meta-security/recipes-security/samhain/samhain-standalone_4.3.0.bb
new file mode 100644
index 0000000000..4fed9e9e97
--- /dev/null
+++ b/meta-security/recipes-security/samhain/samhain-standalone_4.3.0.bb
@@ -0,0 +1,31 @@ +require samhain.inc + +SRC_URI += "file://samhain-not-run-ptest-on-host.patch \ + file://run-ptest \ +" + +PROVIDES += "samhain" + +SYSTEMD_SERVICE_${PN} = "samhain.service" + +inherit ptest + +do_compile() { + if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'yes', 'no', d)}" = "yes" ]; then + oe_runmake cutest + rm -f ${S}*.o config_xor.h internal.h + fi + oe_runmake "$@" +} + +do_install_append() { + ln -sf ${INITSCRIPT_NAME} ${D}${sysconfdir}/init.d/samhain +} + +do_install_ptest() { + mkdir -p ${D}${PTEST_PATH} + install ${S}/cutest ${D}${PTEST_PATH} +} + +RPROVIDES_${PN} += "samhain" +RCONFLICTS_${PN} = "samhain-client samhain-server" diff --git a/meta-security/recipes-security/samhain/samhain.inc b/meta-security/recipes-security/samhain/samhain.inc index db96264b3c..944bf0d0b7 100644 --- a/meta-security/recipes-security/samhain/samhain.inc +++ b/meta-security/recipes-security/samhain/samhain.inc @@ -19,8 +19,11 @@ SRC_URI = "http://la-samhna.de/archive/samhain_signed-${PV}.tar.gz \ file://samhain.service \ " -SRC_URI[md5sum] = "f499d5d06bfd1d787073a45bf28dd60f" -SRC_URI[sha256sum] = "0f3e64afb3f00064c9b136d34a72d580cd41248c5941eba0452f364a109003c7" +SRC_URI[md5sum] = "a00e99375675fc6e50cca3e208f5207e" +SRC_URI[sha256sum] = "8551dc3b0851889a2b979097e9c02309b40d48b4659f02efe7fe525ce8361a0d" + +UPSTREAM_CHECK_URI = "https://www.la-samhna.de/samhain/archive.html" +UPSTREAM_CHECK_REGEX = "samhain_signed-(?P(\d+(\.\d+)+))\.tar" S = "${WORKDIR}/samhain-${PV}" diff --git a/meta-security/recipes-security/scapy/files/run-ptest b/meta-security/recipes-security/scapy/files/run-ptest new file mode 100755 index 0000000000..91b29f907f --- /dev/null +++ b/meta-security/recipes-security/scapy/files/run-ptest @@ -0,0 +1,4 @@ +#!/bin/sh +UTscapy -t regression.uts -f text -l -C \ + -o @PTEST_PATH@/scapy_ptest_$(date +%Y%m%d-%H%M%S).log \ + 2>&1 | sed -e 's/^passed None/PASS:/' -e 's/^failed None/FAIL:/' 
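Review bot: As shown in the samhain.inc hunk, `UPSTREAM_CHECK_REGEX = "samhain_signed-(?P(\d+(\.\d+)+))\.tar"` is not a valid Python regular expression, because `(?P` must be followed by a group name. The name may simply have been lost when this page was rendered, so check the file itself; the intended value is presumably `samhain_signed-(?P<pver>(\d+(\.\d+)+))\.tar`. Also, the new `UPSTREAM_CHECK_URI` uses https while the `SRC_URI` visible in the hunk header still fetches the tarball over `http://`. The sha256sum pins the content, but fetching over https as well would be consistent.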
diff --git a/meta-security/recipes-security/scapy/python-scapy.inc b/meta-security/recipes-security/scapy/python-scapy.inc new file mode 100644 index 0000000000..5abe7db766 --- /dev/null +++ b/meta-security/recipes-security/scapy/python-scapy.inc @@ -0,0 +1,20 @@ +SUMMARY = "Network scanning and manipulation tool" +DESCRIPTION = "Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining technics (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, ...), etc." +SECTION = "security" +LICENSE = "GPLv2" + +LIC_FILES_CHKSUM = "file://bin/scapy;beginline=9;endline=13;md5=1d5249872cc54cd4ca3d3879262d0c69" + +SRC_URI[md5sum] = "d7d3c4294f5a718e234775d38dbeb7ec" +SRC_URI[sha256sum] = "452f714f5c2eac6fd0a6146b1dbddfc24dd5f4103f3ed76227995a488cfb2b73" + +inherit pypi ptest + +do_install_ptest() { + install -m 0644 ${S}/test/regression.uts ${D}${PTEST_PATH} + sed -i 's,@PTEST_PATH@,${PTEST_PATH},' ${D}${PTEST_PATH}/run-ptest +} + +RDEPENDS_${PN} = "tcpdump ${PYTHON_PN}-compression ${PYTHON_PN}-netclient \ + ${PYTHON_PN}-netserver ${PYTHON_PN}-pydoc ${PYTHON_PN}-pkgutil ${PYTHON_PN}-shell \ + ${PYTHON_PN}-threading ${PYTHON_PN}-numbers ${PYTHON_PN}-pycrypto" diff --git a/meta-security/recipes-security/scapy/python-scapy_2.4.0.bb b/meta-security/recipes-security/scapy/python-scapy_2.4.0.bb new file mode 100644 index 0000000000..98db1fd6d1 --- /dev/null +++ b/meta-security/recipes-security/scapy/python-scapy_2.4.0.bb 
@@ -0,0 +1,6 @@ +inherit setuptools +require python-scapy.inc + +SRC_URI += "file://run-ptest" + +RDEPENDS_${PN} += "${PYTHON_PN}-subprocess" diff --git a/meta-security/recipes-security/scapy/python3-scapy_2.4.0.bb b/meta-security/recipes-security/scapy/python3-scapy_2.4.0.bb new file mode 100644 index 0000000000..93ca7be8a5 --- /dev/null +++ b/meta-security/recipes-security/scapy/python3-scapy_2.4.0.bb @@ -0,0 +1,4 @@ +inherit setuptools3 +require python-scapy.inc + +SRC_URI += "file://run-ptest" diff --git a/meta-security/recipes-security/scapy/scapy/run-ptest b/meta-security/recipes-security/scapy/scapy/run-ptest deleted file mode 100755 index 91b29f907f..0000000000 --- a/meta-security/recipes-security/scapy/scapy/run-ptest +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/sh -UTscapy -t regression.uts -f text -l -C \ - -o @PTEST_PATH@/scapy_ptest_$(date +%Y%m%d-%H%M%S).log \ - 2>&1 | sed -e 's/^passed None/PASS:/' -e 's/^failed None/FAIL:/' diff --git a/meta-security/recipes-security/scapy/scapy_2.3.3.bb b/meta-security/recipes-security/scapy/scapy_2.3.3.bb deleted file mode 100644 index 1c8685b1aa..0000000000 --- a/meta-security/recipes-security/scapy/scapy_2.3.3.bb +++ /dev/null 
@@ -1,24 +0,0 @@
-SUMMARY = "Network scanning and manipulation tool"
-DESCRIPTION = "Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining technics (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, ...), etc."
-SECTION = "security"
-LICENSE = "GPLv2"
-
-LIC_FILES_CHKSUM = "file://bin/scapy;beginline=9;endline=13;md5=1d5249872cc54cd4ca3d3879262d0c69"
-
-SRC_URI = "https://github.com/secdev/${BPN}/archive/v${PV}.tar.gz;downloadfilename=${BP}.tar.gz \
- file://run-ptest \
-"
-
-SRC_URI[md5sum] = "336d6832110efcf79ad30c9856ef5842"
-SRC_URI[sha256sum] = "67642cf7b806e02daeddd588577588caebddc3426db7904e7999a0b0334a63b5"
-
-inherit setuptools ptest
-
-do_install_ptest() {
- install -m 0644 ${S}/test/regression.uts ${D}${PTEST_PATH}
- sed -i 's,@PTEST_PATH@,${PTEST_PATH},' ${D}${PTEST_PATH}/run-ptest
-}
-
-RDEPENDS_${PN} = "tcpdump python-subprocess python-compression python-netclient \
- python-netserver python-pydoc python-pkgutil python-shell \
- python-threading python-numbers python-pycrypto"
diff --git a/meta-security/recipes-security/sssd/sssd_1.16.0.bb b/meta-security/recipes-security/sssd/sssd_1.16.0.bb
deleted file mode 100644
index ff5b618bc6..0000000000
--- a/meta-security/recipes-security/sssd/sssd_1.16.0.bb
+++ /dev/null
@@ -1,73 +0,0 @@
-SUMMARY = "system security services daemon"
-DESCRIPTION = "SSSD is a system security services daemon"
-HOMEPAGE = "https://fedorahosted.org/sssd/"
-SECTION = "base"
-LICENSE = "GPLv3+"
-LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
-
-DEPENDS = "openldap cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive"
-DEPENDS += "libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent"
-
-SRC_URI = "https://releases.pagure.org/SSSD/${BPN}/${BP}.tar.gz\
- file://sssd.conf "
-
-SRC_URI[md5sum] = "f721ace2ebfa6744cfea55e3ecd2d82f"
-SRC_URI[sha256sum] = "c581a6e5365cef87fca419c0c9563cf15eadbb682863d648d85ffcded7a3940f"
-
-inherit autotools pkgconfig gettext update-rc.d python-dir distro_features_check
-
-REQUIRED_DISTRO_FEATURES = "pam"
-
-CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \
- ac_cv_path_NSUPDATE=${bindir} \
- ac_cv_path_PYTHON2=${PYTHON_DIR} ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \
- "
-
-PACKAGECONFIG ?="nss nscd"
-PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
-
-PACKAGECONFIG[ssh] = "--with-ssh, --with-ssh=no, "
-PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba"
-PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux"
-PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no"
-PACKAGECONFIG[python2] = "--with-python2-bindings, --without-python2-bindings"
-PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings"
-PACKAGECONFIG[nss] = "--with-crypto=nss, ,nss,"
-PACKAGECONFIG[cyrpto] = "--with-crypto=libcrypto, , libcrypto"
-PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no "
-PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl"
-PACKAGECONFIG[systemd] = "--with-systemdunitdir=${systemd_unitdir}/system/, --with-systemdunitdir="
-PACKAGECONFIG[http] = "--with-secrets, --without-secrets, apache2"
-PACKAGECONFIG[curl] = "--with-secrets --with-kcm,
--without-secrets --without-kcm, curl"
-
-EXTRA_OECONF += "--disable-cifs-idmap-plugin --without-nfsv4-idmapd-plugin --without-ipa-getkeytab"
-
-do_configure_prepend() {
- mkdir -p ${AUTOTOOLS_AUXDIR}/build
- cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${AUTOTOOLS_AUXDIR}/build/
-
- # libresove has host path, remove it
- sed -i -e "s#\$sss_extra_libdir##" ${S}/src/external/libresolv.m4
-}
-
-do_install () {
- oe_runmake install DESTDIR="${D}"
- rmdir --ignore-fail-on-non-empty "${D}/${bindir}"
- install -d ${D}/${sysconfdir}/${BPN}
- install -m 600 ${WORKDIR}/${BPN}.conf ${D}/${sysconfdir}/${BPN}
-}
-
-CONFFILES_${PN} = "${sysconfdir}/${BPN}/${BPN}.conf"
-
-INITSCRIPT_NAME = "sssd"
-INITSCRIPT_PARAMS = "start 02 5 3 2 . stop 20 0 1 6 ."
-SYSTEMD_SERVICE_${PN} = "${BPN}.service"
-SYSTEMD_AUTO_ENABLE = "disable"
-
-FILES_${PN} += "${libdir} ${datadir} /run ${libdir}/*.so* "
-FILES_${PN}-dev = " ${includedir}/* ${libdir}/*la ${libdir}/*/*la"
-
-# The package contains symlinks that trip up insane
-INSANE_SKIP_${PN} = "dev-so"
-
-RDEPENDS_${PN} += "bind dbus"
diff --git a/meta-security/recipes-security/sssd/sssd_1.16.3.bb b/meta-security/recipes-security/sssd/sssd_1.16.3.bb
new file mode 100644
index 0000000000..8f7f805fd2
--- /dev/null
+++ b/meta-security/recipes-security/sssd/sssd_1.16.3.bb
@@ -0,0 +1,73 @@
+SUMMARY = "system security services daemon"
+DESCRIPTION = "SSSD is a system security services daemon"
+HOMEPAGE = "https://pagure.io/SSSD/sssd/"
+SECTION = "base"
+LICENSE = "GPLv3+"
+LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
+
+DEPENDS = "openldap cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive"
+DEPENDS += "libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent"
+
+SRC_URI = "https://releases.pagure.org/SSSD/${BPN}/${BP}.tar.gz\
+ file://sssd.conf "
+
+SRC_URI[md5sum] = "af4288c9d1f9953e3b3b6e0b165a5ece"
+SRC_URI[sha256sum] = "ee5d17a0c663c09819cbab9364085b9e57faeca02406cc30efe14cc0cfc04ec4"
+
+inherit autotools pkgconfig gettext update-rc.d python-dir distro_features_check
+
+REQUIRED_DISTRO_FEATURES = "pam"
+
+CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \
+ ac_cv_path_NSUPDATE=${bindir} \
+ ac_cv_path_PYTHON2=${PYTHON_DIR} ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \
+ "
+
+PACKAGECONFIG ?="nss nscd"
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
+
+PACKAGECONFIG[ssh] = "--with-ssh, --with-ssh=no, "
+PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba"
+PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux"
+PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no"
+PACKAGECONFIG[python2] = "--with-python2-bindings, --without-python2-bindings"
+PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings"
+PACKAGECONFIG[nss] = "--with-crypto=nss, ,nss,"
+PACKAGECONFIG[cyrpto] = "--with-crypto=libcrypto, , libcrypto"
+PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no "
+PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl"
+PACKAGECONFIG[systemd] = "--with-systemdunitdir=${systemd_unitdir}/system/, --with-systemdunitdir="
+PACKAGECONFIG[http] = "--with-secrets, --without-secrets, apache2"
+PACKAGECONFIG[curl] = "--with-secrets --with-kcm,
--without-secrets --without-kcm, curl"
+
+EXTRA_OECONF += "--disable-cifs-idmap-plugin --without-nfsv4-idmapd-plugin --without-ipa-getkeytab"
+
+do_configure_prepend() {
+ mkdir -p ${AUTOTOOLS_AUXDIR}/build
+ cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${AUTOTOOLS_AUXDIR}/build/
+
+ # libresove has host path, remove it
+ sed -i -e "s#\$sss_extra_libdir##" ${S}/src/external/libresolv.m4
+}
+
+do_install () {
+ oe_runmake install DESTDIR="${D}"
+ rmdir --ignore-fail-on-non-empty "${D}/${bindir}"
+ install -d ${D}/${sysconfdir}/${BPN}
+ install -m 600 ${WORKDIR}/${BPN}.conf ${D}/${sysconfdir}/${BPN}
+}
+
+CONFFILES_${PN} = "${sysconfdir}/${BPN}/${BPN}.conf"
+
+INITSCRIPT_NAME = "sssd"
+INITSCRIPT_PARAMS = "start 02 5 3 2 . stop 20 0 1 6 ."
+SYSTEMD_SERVICE_${PN} = "${BPN}.service"
+SYSTEMD_AUTO_ENABLE = "disable"
+
+FILES_${PN} += "${libdir} ${datadir} /run ${libdir}/*.so* "
+FILES_${PN}-dev = " ${includedir}/* ${libdir}/*la ${libdir}/*/*la"
+
+# The package contains symlinks that trip up insane
+INSANE_SKIP_${PN} = "dev-so"
+
+RDEPENDS_${PN} += "bind dbus"
diff --git a/meta-security/recipes-security/suricata/files/emerging.rules.tar.gz b/meta-security/recipes-security/suricata/files/emerging.rules.tar.gz
new file mode 100644
index 0000000000..aed375474f
Binary files /dev/null and b/meta-security/recipes-security/suricata/files/emerging.rules.tar.gz differ
diff --git a/meta-security/recipes-security/suricata/files/run-ptest b/meta-security/recipes-security/suricata/files/run-ptest
new file mode 100644
index 0000000000..666ba9c954
--- /dev/null
+++ b/meta-security/recipes-security/suricata/files/run-ptest
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+suricata -u
diff --git a/meta-security/recipes-security/suricata/files/suricata.service b/meta-security/recipes-security/suricata/files/suricata.service
new file mode 100644
index 0000000000..a99a76ef86
--- /dev/null
+++ b/meta-security/recipes-security/suricata/files/suricata.service
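Review bot: The flag name in `PACKAGECONFIG[cyrpto]` of sssd_1.16.3.bb is misspelled, so adding `crypto` to PACKAGECONFIG selects nothing and the libcrypto backend cannot be chosen by its intended name; the typo is carried over unchanged from the removed 1.16.0 recipe. Its build dependency `libcrypto` also looks like a package name rather than a recipe (the provider is presumably `openssl`), which should be confirmed before relying on it. Proposed line: `PACKAGECONFIG[crypto] = "--with-crypto=libcrypto, , openssl"`. Both this flag and `nss`, which is in the default PACKAGECONFIG, pass `--with-crypto=`, so a comment above them saying that only one may be enabled would help.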
@@ -0,0 +1,20 @@ +[Unit] +Description=Suricata IDS/IDP daemon +After=network.target +Requires=network.target +Documentation=man:suricata(8) man:suricatasc(8) +Documentation=https://redmine.openinfosecfoundation.org/projects/suricata/wiki + +[Service] +Type=simple +CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW +RestrictAddressFamilies= +ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml eth0 +ExecReload=/bin/kill -HUP $MAINPID +PrivateTmp=yes +ProtectHome=yes +ProtectSystem=yes + +[Install] +WantedBy=multi-user.target + diff --git a/meta-security/recipes-security/suricata/files/suricata.yaml b/meta-security/recipes-security/suricata/files/suricata.yaml index 90417b03d4..8d06a27449 100644 --- a/meta-security/recipes-security/suricata/files/suricata.yaml +++ b/meta-security/recipes-security/suricata/files/suricata.yaml @@ -787,7 +787,7 @@ logging: enabled: no filename: /var/log/suricata.log - syslog: - enabled: no + enabled: yes facility: local5 format: "[%i] <%d> -- " diff --git a/meta-security/recipes-security/suricata/libhtp_0.5.25.bb b/meta-security/recipes-security/suricata/libhtp_0.5.25.bb deleted file mode 100644 index 8305f70105..0000000000 --- a/meta-security/recipes-security/suricata/libhtp_0.5.25.bb +++ /dev/null @@ -1,15 +0,0 @@ -SUMMARY = "LibHTP is a security-aware parser for the HTTP protocol and the related bits and pieces." - -require suricata.inc - -LIC_FILES_CHKSUM = "file://../LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548" - -DEPENDS = "zlib" - -inherit autotools pkgconfig - -CFLAGS += "-D_DEFAULT_SOURCE" - -S = "${WORKDIR}/suricata-${VER}/${BPN}" - -RDEPENDS_${PN} += "zlib" diff --git a/meta-security/recipes-security/suricata/libhtp_0.5.27.bb b/meta-security/recipes-security/suricata/libhtp_0.5.27.bb new file mode 100644 index 0000000000..8305f70105 --- /dev/null +++ b/meta-security/recipes-security/suricata/libhtp_0.5.27.bb 
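Review bot: `ExecStart` in suricata.service passes `eth0` as a bare argument, whereas the postinst removed from the 4.0.0 recipe in this commit started the daemon with `-i eth0`; without the option the interface is probably not picked up, so the IDS may fail to start or capture nothing. Suggested line: `ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0`, ideally with the interface name read from an environment file rather than hard-coded. `RestrictAddressFamilies=` with an empty value imposes no restriction, because an empty assignment only resets the list, so it should either name the families the daemon needs or be dropped. The unit otherwise runs as root inside the capability bounding set, and `NoNewPrivileges=yes` would be a cheap addition next to the existing `Protect*` settings.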
@@ -0,0 +1,15 @@ +SUMMARY = "LibHTP is a security-aware parser for the HTTP protocol and the related bits and pieces." + +require suricata.inc + +LIC_FILES_CHKSUM = "file://../LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548" + +DEPENDS = "zlib" + +inherit autotools pkgconfig + +CFLAGS += "-D_DEFAULT_SOURCE" + +S = "${WORKDIR}/suricata-${VER}/${BPN}" + +RDEPENDS_${PN} += "zlib" diff --git a/meta-security/recipes-security/suricata/suricata.inc b/meta-security/recipes-security/suricata/suricata.inc index a2d36eb61c..1f421210d6 100644 --- a/meta-security/recipes-security/suricata/suricata.inc +++ b/meta-security/recipes-security/suricata/suricata.inc @@ -2,8 +2,8 @@ HOMEPAGE = "http://suricata-ids.org/" SECTION = "security Monitor/Admin" LICENSE = "GPLv2" -VER = "4.0.0" +VER = "4.0.5" SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${VER}.tar.gz" -SRC_URI[md5sum] = "41fb91b4cbc6705b353e4bdd02c3df4b" -SRC_URI[sha256sum] = "6b8b183a8409829ca92c71854cc1abed45f04ccfb7f14c08211f4edf571fa577" +SRC_URI[md5sum] = "ea0cb823d6a86568152f75ade6de442f" +SRC_URI[sha256sum] = "74dacb4359d57fbd3452e384eeeb1dd77b6ae00f02e9994ad5a7b461d5f4c6c2" diff --git a/meta-security/recipes-security/suricata/suricata_4.0.0.bb b/meta-security/recipes-security/suricata/suricata_4.0.0.bb deleted file mode 100644 index e16348670e..0000000000 --- a/meta-security/recipes-security/suricata/suricata_4.0.0.bb +++ /dev/null 
@@ -1,60 +0,0 @@
-SUMMARY = "The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine"
-
-require suricata.inc
-
-LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548"
-
-SRC_URI += " \
- file://volatiles.03_suricata \
- file://suricata.yaml \
- "
-
-inherit autotools-brokensep pkgconfig python-dir
-
-CFLAGS += "-D_DEFAULT_SOURCE"
-
-CACHED_CONFIGUREVARS = "ac_cv_header_htp_htp_h=yes ac_cv_lib_htp_htp_conn_create=yes "
-
-EXTRA_OECONF += " --disable-debug \
- --enable-non-bundled-htp \
- --disable-gccmarch-native \
- "
-
-PACKAGECONFIG ??= "htp jansson file pcre yaml pcap cap-ng net nfnetlink nss nspr"
-PACKAGECONFIG[htp] = "--with-libhtp-includes=${STAGING_INCDIR} --with-libhtp-libraries=${STAGING_LIBDIR}, ,libhtp,"
-PACKAGECONFIG[pcre] = "--with-libpcre-includes=${STAGING_INCDIR} --with-libpcre-libraries=${STAGING_LIBDIR}, ,libpcre ,"
-PACKAGECONFIG[yaml] = "--with-libyaml-includes=${STAGING_INCDIR} --with-libyaml-libraries=${STAGING_LIBDIR}, ,libyaml ,"
-PACKAGECONFIG[pcap] = "--with-libpcap-includes=${STAGING_INCDIR} --with-libpcap-libraries=${STAGING_LIBDIR}, ,libpcap ,"
-PACKAGECONFIG[cap-ng] = "--with-libcap_ng-includes=${STAGING_INCDIR} --with-libcap_ng-libraries=${STAGING_LIBDIR}, ,libcap-ng , "
-PACKAGECONFIG[net] = "--with-libnet-includes=${STAGING_INCDIR} --with-libnet-libraries=${STAGING_LIBDIR}, , libnet,"
-PACKAGECONFIG[nfnetlink] = "--with-libnfnetlink-includes=${STAGING_INCDIR} --with-libnfnetlink-libraries=${STAGING_LIBDIR}, ,libnfnetlink ,"
-
-PACKAGECONFIG[jansson] = "--with-libjansson-includes=${STAGING_INCDIR} --with-libjansson-libraries=${STAGING_LIBDIR},,jansson, jansson"
-PACKAGECONFIG[file] = ",,file, file"
-PACKAGECONFIG[nss] = "--with-libnss-includes=${STAGING_INCDIR} --with-libnss-libraries=${STAGING_LIBDIR}, nss, nss,"
-PACKAGECONFIG[nspr] = "--with-libnspr-includes=${STAGING_INCDIR} --with-libnspr-libraries=${STAGING_LIBDIR}, nspr, nspr,"
-PACKAGECONFIG[python] = "--enable-python, --disable-python, python, python"
-
-export logdir = "${localstatedir}/log"
-
-do_install_append () {
- install -d ${D}${sysconfdir}/suricata
- install -d ${D}${sysconfdir}/suricata ${D}${sysconfdir}/default/volatiles
- install -m 644 classification.config ${D}${sysconfdir}/suricata
- install -m 644 reference.config ${D}${sysconfdir}/suricata
- install -m 644 ${WORKDIR}/suricata.yaml ${D}${sysconfdir}/suricata
- install -m 0644 ${WORKDIR}/volatiles.03_suricata ${D}${sysconfdir}/default/volatiles/volatiles.03_suricata
-}
-
-pkg_postinst_ontarget_${PN} () {
-if [ -e /etc/init.d/populate-volatile.sh ] ; then
- ${sysconfdir}/init.d/populate-volatile.sh update
-fi
- ${bindir}/suricata -c ${sysconfdir}/suricata.yaml -i eth0
-}
-
-PACKAGES += "${PN}-python"
-FILES_${PN} = "${bindir}/suricata ${sysconfdir}/default ${sysconfdir}/suricata ${logdir}/suricata"
-FILES_${PN}-python = "${bindir}/suricatasc ${PYTHON_SITEPACKAGES_DIR}"
-
-RDEPENDS_${PN}-python = "python"
diff --git a/meta-security/recipes-security/suricata/suricata_4.0.5.bb b/meta-security/recipes-security/suricata/suricata_4.0.5.bb
new file mode 100644
index 0000000000..6c0a109be0
--- /dev/null
+++ b/meta-security/recipes-security/suricata/suricata_4.0.5.bb
@@ -0,0 +1,96 @@
+SUMMARY = "The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine"
+
+require suricata.inc
+
+LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548"
+
+SRC_URI += "file://emerging.rules.tar.gz;name=rules"
+
+SRC_URI += " \
+ file://volatiles.03_suricata \
+ file://suricata.yaml \
+ file://suricata.service \
+ file://run-ptest \
+ "
+
+SRC_URI[rules.md5sum] = "205c5e5b54e489207ed892c03ad75b33"
+SRC_URI[rules.sha256sum] = "4aa81011b246875a57181c6a0569ca887845e366904bcaf0043220f33bd69798"
+
+inherit autotools-brokensep pkgconfig python-dir systemd ptest
+
+CFLAGS += "-D_DEFAULT_SOURCE"
+
+CACHED_CONFIGUREVARS = "ac_cv_header_htp_htp_h=yes ac_cv_lib_htp_htp_conn_create=yes \
+ ac_cv_path_HAVE_WGET=no ac_cv_path_HAVE_CURL=no "
+
+EXTRA_OECONF += " --disable-debug \
+ --enable-non-bundled-htp \
+ --disable-gccmarch-native \
+ "
+
+PACKAGECONFIG ??= "htp jansson file pcre yaml pcap cap-ng net nfnetlink nss nspr"
+PACKAGECONFIG_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'unittests', '', d)}"
+
+PACKAGECONFIG[htp] = "--with-libhtp-includes=${STAGING_INCDIR} --with-libhtp-libraries=${STAGING_LIBDIR}, ,libhtp,"
+PACKAGECONFIG[pcre] = "--with-libpcre-includes=${STAGING_INCDIR} --with-libpcre-libraries=${STAGING_LIBDIR}, ,libpcre ,"
+PACKAGECONFIG[yaml] = "--with-libyaml-includes=${STAGING_INCDIR} --with-libyaml-libraries=${STAGING_LIBDIR}, ,libyaml ,"
+PACKAGECONFIG[pcap] = "--with-libpcap-includes=${STAGING_INCDIR} --with-libpcap-libraries=${STAGING_LIBDIR}, ,libpcap ,"
+PACKAGECONFIG[cap-ng] = "--with-libcap_ng-includes=${STAGING_INCDIR} --with-libcap_ng-libraries=${STAGING_LIBDIR}, ,libcap-ng , "
+PACKAGECONFIG[net] = "--with-libnet-includes=${STAGING_INCDIR} --with-libnet-libraries=${STAGING_LIBDIR}, , libnet,"
+PACKAGECONFIG[nfnetlink] = "--with-libnfnetlink-includes=${STAGING_INCDIR} --with-libnfnetlink-libraries=${STAGING_LIBDIR}, ,libnfnetlink ,"
+PACKAGECONFIG[nfq] = "--enable-nfqueue, --disable-nfqueue,libnetfilter-queue,"
+
+PACKAGECONFIG[jansson] = "--with-libjansson-includes=${STAGING_INCDIR} --with-libjansson-libraries=${STAGING_LIBDIR},,jansson, jansson"
+PACKAGECONFIG[file] = ",,file, file"
+PACKAGECONFIG[nss] = "--with-libnss-includes=${STAGING_INCDIR} --with-libnss-libraries=${STAGING_LIBDIR}, nss, nss,"
+PACKAGECONFIG[nspr] = "--with-libnspr-includes=${STAGING_INCDIR} --with-libnspr-libraries=${STAGING_LIBDIR}, nspr, nspr,"
+PACKAGECONFIG[python] = "--enable-python, --disable-python, python, python"
+PACKAGECONFIG[unittests] = "--enable-unittests, --disable-unittests,"
+
+export logdir = "${localstatedir}/log"
+
+do_install_append () {
+
+ install -d ${D}${sysconfdir}/suricata
+
+ oe_runmake install-conf DESTDIR=${D}
+
+ # mimic move of downloaded rules to e_sysconfrulesdir
+ cp -rf ${WORKDIR}/rules ${D}${sysconfdir}/suricata
+
+ oe_runmake install-rules DESTDIR=${D}
+
+ install -d ${D}${sysconfdir}/suricata ${D}${sysconfdir}/default/volatiles
+ install -m 0644 ${WORKDIR}/volatiles.03_suricata ${D}${sysconfdir}/default/volatiles/volatiles.03_suricata
+
+ install -m 0644 ${S}/threshold.config ${D}${sysconfdir}/suricata
+
+ install -d ${D}${systemd_unitdir}/system
+ sed -e s:/etc:${sysconfdir}:g \
+ -e s:/var/run:/run:g \
+ -e s:/var:${localstatedir}:g \
+ -e s:/usr/bin:${bindir}:g \
+ -e s:/bin/kill:${base_bindir}/kill:g \
+ -e s:/usr/lib:${libdir}:g \
+ ${WORKDIR}/suricata.service > ${D}${systemd_unitdir}/system/suricata.service
+
+ # Remove /var/run as it is created on startup
+ rm -rf ${D}${localstatedir}/run
+
+}
+
+pkg_postinst_ontarget_${PN} () {
+if [ -e /etc/init.d/populate-volatile.sh ] ; then
+ ${sysconfdir}/init.d/populate-volatile.sh update
+fi
+}
+
+SYSTEMD_PACKAGES = "${PN}"
+
+PACKAGES =+ "${PN}-socketcontrol"
+FILES_${PN} += "${systemd_unitdir}"
+FILES_${PN}-socketcontrol = "${bindir}/suricatasc ${PYTHON_SITEPACKAGES_DIR}"
+
+CONFFILES_${PN} = "${sysconfdir}/suricata/suricata.yaml"
+ +RDEPENDS_${PN}-python = "python" diff --git a/meta-security/recipes-security/tripwire/files/run-ptest b/meta-security/recipes-security/tripwire/files/run-ptest new file mode 100644 index 0000000000..aedfddc597 --- /dev/null +++ b/meta-security/recipes-security/tripwire/files/run-ptest @@ -0,0 +1,3 @@ +#!/bin/sh + +./twtest.pl diff --git a/meta-security/recipes-security/tripwire/tripwire_2.4.3.6.bb b/meta-security/recipes-security/tripwire/tripwire_2.4.3.6.bb index 465960f236..59d1f35c57 100644 --- a/meta-security/recipes-security/tripwire/tripwire_2.4.3.6.bb +++ b/meta-security/recipes-security/tripwire/tripwire_2.4.3.6.bb @@ -16,11 +16,12 @@ SRC_URI = "\ file://twcfg.txt \ file://twinstall.sh \ file://twpol-yocto.txt \ + file://run-ptest \ " S = "${WORKDIR}/git" -inherit autotools-brokensep update-rc.d +inherit autotools-brokensep update-rc.d ptest INITSCRIPT_NAME = "tripwire" INITSCRIPT_PARAMS = "start 40 S ." @@ -58,9 +59,15 @@ do_install () { install -m 0644 ${WORKDIR}/tripwire.txt ${D}${docdir}/${BPN} } +do_install_ptest_append () { + install -d ${D}${PTEST_PATH}/tests + cp -a ${S}/src/test-harness/* ${D}${PTEST_PATH} +} FILES_${PN} += "${libdir} ${docdir}/${PN}/*" FILES_${PN}-dbg += "${sysconfdir}/${PN}/.debug" FILES_${PN}-staticdev += "${localstatedir}/lib/${PN}/lib*.a" +FILES_${PN}-ptest += "${PTEST_PATH}/tests " RDEPENDS_${PN} += " perl nano msmtp cronie" +RDEPENDS_${PN}-ptest = " perl lib-perl" diff --git a/meta-security/recipes-security/xmlsec1/xmlsec1/change-finding-path-of-nss.patch b/meta-security/recipes-security/xmlsec1/xmlsec1/change-finding-path-of-nss.patch index fcc63b34cf..1cec47fca0 100644 --- a/meta-security/recipes-security/xmlsec1/xmlsec1/change-finding-path-of-nss.patch +++ b/meta-security/recipes-security/xmlsec1/xmlsec1/change-finding-path-of-nss.patch @@ -1,4 +1,4 @@ -From 47379747e34f952d31af028c672940ca7859ae3c Mon Sep 17 00:00:00 2001 +From c1c980a95d85bcaf8802524d6148783522b300d7 Mon Sep 17 00:00:00 2001 
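Review bot: The last line of suricata_4.0.5.bb still sets `RDEPENDS_${PN}-python = "python"`, but the recipe no longer creates a `${PN}-python` package: `PACKAGES =+ "${PN}-socketcontrol"` now carries `suricatasc` and `${PYTHON_SITEPACKAGES_DIR}`, so the Python runtime dependency is attached to a package that does not exist. It should read `RDEPENDS_${PN}-socketcontrol = "python"`. Separately, the `SRC_URI[rules.md5sum]` and `SRC_URI[rules.sha256sum]` flags sit on a `file://` entry, and as far as I know BitBake only reads checksum flags for remote fetchers, so they would not verify the bundled `emerging.rules.tar.gz`. A comment recording where that tarball was downloaded from and when would make the shipped detection rules auditable.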
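Review bot: `do_install_ptest_append` in tripwire_2.4.3.6.bb copies the test harness with `cp -a`, which preserves the build user's ownership and so can leave host UIDs on the files under `${PTEST_PATH}` (the `host-user-contaminated` QA check exists for this). `cp -R --no-dereference --preserve=mode,links ${S}/src/test-harness/* ${D}${PTEST_PATH}` avoids that. The function also creates `${D}${PTEST_PATH}/tests` but copies into `${D}${PTEST_PATH}`, and `FILES_${PN}-ptest` adds only the `tests` subdirectory, so it is worth checking that the directory created matches the layout the harness actually has. `RDEPENDS_${PN}-ptest = " perl lib-perl"` uses `=` rather than `+=`, which may replace dependencies set elsewhere for the ptest package.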
From: Yulong Pei Date: Wed, 21 Jul 2010 22:33:43 +0800 Subject: [PATCH] change finding path of nss and nspr @@ -7,66 +7,61 @@ Upstream-Status: Pending Signed-off-by: Yulong Pei Signed-off-by: Mingli Yu - +Signed-off-by: Yi Zhao --- - configure.ac | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) + configure.ac | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/configure.ac b/configure.ac -index 3278200..6edec7d 100644 +index 951b3eb..1fdeb0f 100644 --- a/configure.ac 
+++ b/configure.ac -@@ -644,7 +644,7 @@ if test "z$NSS_FOUND" = "zno" ; then +@@ -866,10 +866,10 @@ MOZILLA_MIN_VERSION="1.4" + NSS_CRYPTO_LIB="$XMLSEC_PACKAGE-nss" + NSPR_PACKAGE=mozilla-nspr + NSS_PACKAGE=mozilla-nss +-NSPR_INCLUDE_MARKER="nspr/nspr.h" ++NSPR_INCLUDE_MARKER="nspr.h" + NSPR_LIB_MARKER="libnspr4$shrext" + NSPR_LIBS_LIST="-lnspr4 -lplds4 -lplc4" +-NSS_INCLUDE_MARKER="nss/nss.h" ++NSS_INCLUDE_MARKER="nss3/nss.h" + NSS_LIB_MARKER="libnss3$shrext" + NSS_LIBS_LIST="-lnss3 -lsmime3" - if test "z$with_nspr" != "z" ; then - NSPR_PREFIX="$with_nspr" -- NSPR_CFLAGS="-I$with_nspr/include -I$with_nspr/include/nspr" -+ NSPR_CFLAGS="-I$with_nspr/usr/include -I$with_nspr/usr/include/nspr4" - if test "z$with_gnu_ld" = "zyes" ; then - NSPR_LIBS="-Wl,-rpath-link -Wl,$with_nspr/lib -L$with_nspr/lib $NSPR_LIBS_LIST" - else -@@ -652,7 +652,7 @@ if test "z$NSS_FOUND" = "zno" ; then - fi - NSPR_INCLUDES_FOUND="yes" - NSPR_LIBS_FOUND="yes" -- NSPR_PRINIT_H="$with_nspr/include/prinit.h" -+ NSPR_PRINIT_H="$with_nspr/usr/include/nspr4/prinit.h" +@@ -898,24 +898,24 @@ fi + dnl Priority 1: User specifies the path to installation + if test "z$NSPR_FOUND" = "zno" -a "z$with_nspr" != "z" -a "z$with_nspr" != "zyes" ; then + AC_MSG_CHECKING(for nspr library installation in "$with_nspr" folder) +- if test -f "$with_nspr/include/$NSPR_INCLUDE_MARKER" -a -f "$with_nspr/lib/$NSPR_LIB_MARKER" ; then +- NSPR_INCLUDE_PATH="$with_nspr/include" +- NSPR_LIB_PATH="$with_nspr/lib" ++ if test -f "$with_nspr/usr/include/$NSPR_INCLUDE_MARKER" -a -f "$with_nspr/${libdir}/$NSPR_LIB_MARKER" ; then ++ NSPR_INCLUDE_PATH="$with_nspr/usr/include" ++ NSPR_LIB_PATH="$with_nspr/${libdir}" + NSPR_FOUND="yes" + AC_MSG_RESULT([yes]) else - for dir in $ac_nss_inc_dir ; do - if test -f $dir/nspr/prinit.h ; then -@@ -690,7 +690,7 @@ if test "z$NSS_FOUND" = "zno" ; then - OLD_CPPFLAGS=$CPPFLAGS - CPPFLAGS="$NSPR_CFLAGS" - AC_EGREP_CPP(yes,[ -- #include -+ #include - #if PR_VMAJOR >= 4 - yes - #endif -@@ -715,7 
+715,7 @@ if test "z$NSS_FOUND" = "zno" ; then - NSS_NSS_H="" - - if test "z$with_nss" != "z" ; then -- NSS_CFLAGS="$NSS_CFLAGS -I$with_nss/include -I$with_nss/include/nss" -+ NSS_CFLAGS="$NSS_CFLAGS -I$with_nss/usr/include -I$with_nss/usr/include/nss3 -I$with_nspr/usr/include/nspr4" - if test "z$with_gnu_ld" = "zyes" ; then - NSS_LIBS="$NSS_LIBS -Wl,-rpath-link -Wl,$with_nss/lib -L$with_nss/lib $NSS_LIBS_LIST" - else -@@ -723,7 +723,7 @@ if test "z$NSS_FOUND" = "zno" ; then - fi - NSS_INCLUDES_FOUND="yes" - NSS_LIBS_FOUND="yes" -- NSS_NSS_H="$with_nss/include/nss.h" -+ NSS_NSS_H="$with_nss/usr/include/nss3/nss.h" +- AC_MSG_ERROR([not found: "$with_nspr/include/$NSPR_INCLUDE_MARKER" and/or "$with_nspr/lib/$NSPR_LIB_MARKER" files don't exist), typo?]) ++ AC_MSG_ERROR([not found: "$with_nspr/usr/include/$NSPR_INCLUDE_MARKER" and/or "$with_nspr/${libdir}/$NSPR_LIB_MARKER" files don't exist), typo?]) + fi + fi + if test "z$NSS_FOUND" = "zno" -a "z$with_nss" != "z" -a "z$with_nss" != "zyes" ; then + AC_MSG_CHECKING(for nss library installation in "$with_nss" folder) +- if test -f "$with_nss/include/$NSS_INCLUDE_MARKER" -a -f "$with_nss/lib/$NSS_LIB_MARKER" ; then +- NSS_INCLUDE_PATH="$with_nss/include" +- NSS_LIB_PATH="$with_nss/lib" ++ if test -f "$with_nss/usr/include/$NSS_INCLUDE_MARKER" -a -f "$with_nss/${libdir}/$NSS_LIB_MARKER" ; then ++ NSS_INCLUDE_PATH="$with_nss/usr/include/nss3" ++ NSS_LIB_PATH="$with_nss/${libdir}" + NSS_FOUND="yes" + AC_MSG_RESULT([yes]) else - for dir in $ac_nss_inc_dir ; do - if test -f $dir/nss/nss.h ; then -@@ -761,7 +761,7 @@ if test "z$NSS_FOUND" = "zno" ; then - OLD_CPPFLAGS=$CPPFLAGS - CPPFLAGS="$NSPR_CFLAGS $NSS_CFLAGS" - AC_EGREP_CPP(yes,[ -- #include -+ #include - #if NSS_VMAJOR >= 3 && NSS_VMINOR >= 2 - yes - #endif +- AC_MSG_ERROR([not found: "$with_nss/include/$NSS_INCLUDE_MARKER" and/or "$with_nss/lib/$NSS_LIB_MARKER" files don't exist), typo?]) ++ AC_MSG_ERROR([not found: "$with_nss/usr/include/$NSS_INCLUDE_MARKER" and/or 
"$with_nss/${libdir}/$NSS_LIB_MARKER" files don't exist), typo?]) + fi + fi + +-- +2.7.4 + diff --git a/meta-security/recipes-security/xmlsec1/xmlsec1/xmlsec1-fix-a-typo-in-examples-verify3.c.patch b/meta-security/recipes-security/xmlsec1/xmlsec1/xmlsec1-fix-a-typo-in-examples-verify3.c.patch deleted file mode 100644 index 5f967bbaad..0000000000 --- a/meta-security/recipes-security/xmlsec1/xmlsec1/xmlsec1-fix-a-typo-in-examples-verify3.c.patch +++ /dev/null @@ -1,23 +0,0 @@ -From 1d8ae4b32bd76c19ec238f30eb9b1ee582cbe990 Mon Sep 17 00:00:00 2001 -From: Jackie Huang -Date: Fri, 2 Mar 2018 01:10:58 -0800 -Subject: [PATCH] xmlsec1: fix a typo in examples/verify3.c - -Upstream-Status: Submitted [https://github.com/lsh123/xmlsec/pull/153] - -Signed-off-by: Jackie Huang - ---- - examples/verify3.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/examples/verify3.c b/examples/verify3.c -index 2d26ae7..68f52ab 100644 ---- a/examples/verify3.c -+++ b/examples/verify3.c -@@ -1,4 +1,4 @@ --4/** -+/** - * XML Security Library example: Verifying a file signed with X509 certificate - * - * Verifies a file signed with X509 certificate. diff --git a/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.25.bb b/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.25.bb deleted file mode 100644 index 341ca08fd5..0000000000 --- a/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.25.bb +++ /dev/null 
@@ -1,57 +0,0 @@
-SUMMARY = "XML Security Library is a C library based on LibXML2"
-DESCRIPTION = "\
- XML Security Library is a C library based on \
- LibXML2 and OpenSSL. The library was created with a goal to support major \
- XML security standards "XML Digital Signature" and "XML Encryption". \
- "
-HOMEPAGE = "http://www.aleksey.com/xmlsec/"
-DEPENDS = "libtool libxml2 libxslt openssl zlib libgcrypt gnutls nss nspr libgpg-error"
-
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://COPYING;md5=352791d62092ea8104f085042de7f4d0"
-
-SECTION = "libs"
-
-SRC_URI = "http://www.aleksey.com/xmlsec/download/${BP}.tar.gz \
- file://fix-ltmain.sh.patch \
- file://change-finding-path-of-nss.patch \
- file://makefile-ptest.patch \
- file://xmlsec1-examples-allow-build-in-separate-dir.patch \
- file://xmlsec1-fix-a-typo-in-examples-verify3.c.patch \
- file://run-ptest \
- "
-
-SRC_URI[md5sum] = "dbbef1efc69e61bc4629650205a05b41"
-SRC_URI[sha256sum] = "967ca83edf25ccb5b48a3c4a09ad3405a63365576503bf34290a42de1b92fcd2"
-
-inherit autotools-brokensep ptest pkgconfig
-
-CFLAGS += "-I${STAGING_INCDIR}/nspr4 -I${STAGING_INCDIR}/nss3"
-CPPFLAGS += "-I${STAGING_INCDIR}/nspr4 -I${STAGING_INCDIR}/nss3"
-
-EXTRA_OECONF = "\
- --with-nss=${STAGING_LIBDIR}/../.. --with-nspr=${STAGING_LIBDIR}/../.. \
- "
-
-FILES_${PN}-dev += "${libdir}/xmlsec1Conf.sh"
-FILES_${PN}-dbg += "${PTEST_PATH}/.debug/*"
-
-RDEPENDS_${PN}-ptest += "${PN}-dev"
-INSANE_SKIP_${PN}-ptest += "dev-deps"
-
-PTEST_EXTRA_ARGS = "top_srcdir=${S} top_builddir=${B}"
-
-do_compile_ptest () {
- oe_runmake -C ${S}/examples ${PTEST_EXTRA_ARGS} all
-}
-
-do_install_append() {
- for i in ${bindir}/xmlsec1-config ${libdir}/xmlsec1Conf.sh \
- ${libdir}/pkgconfig/xmlsec1-openssl.pc; do
- sed -i -e "s@${RECIPE_SYSROOT}@@g" ${D}$i
- done
-}
-
-do_install_ptest () {
- oe_runmake -C ${S}/examples DESTDIR=${D}${PTEST_PATH} ${PTEST_EXTRA_ARGS} install-ptest
-}
diff --git a/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.26.bb b/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.26.bb
new file mode 100644
index 0000000000..2dbbf331e1
--- /dev/null
+++ b/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.26.bb
@@ -0,0 +1,56 @@
+SUMMARY = "XML Security Library is a C library based on LibXML2"
+DESCRIPTION = "\
+ XML Security Library is a C library based on \
+ LibXML2 and OpenSSL. The library was created with a goal to support major \
+ XML security standards "XML Digital Signature" and "XML Encryption". \
+ "
+HOMEPAGE = "http://www.aleksey.com/xmlsec/"
+DEPENDS = "libtool libxml2 libxslt openssl zlib libgcrypt gnutls nss nspr libgpg-error"
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://COPYING;md5=352791d62092ea8104f085042de7f4d0"
+
+SECTION = "libs"
+
+SRC_URI = "http://www.aleksey.com/xmlsec/download/${BP}.tar.gz \
+ file://fix-ltmain.sh.patch \
+ file://change-finding-path-of-nss.patch \
+ file://makefile-ptest.patch \
+ file://xmlsec1-examples-allow-build-in-separate-dir.patch \
+ file://run-ptest \
+ "
+
+SRC_URI[md5sum] = "9c4aaf9ff615a73921b9e3bf4988d878"
+SRC_URI[sha256sum] = "8d8276c9c720ca42a3b0023df8b7ae41a2d6c5f9aa8d20ed1672d84cc8982d50"
+
+inherit autotools-brokensep ptest pkgconfig
+
+CFLAGS += "-I${STAGING_INCDIR}/nspr4 -I${STAGING_INCDIR}/nss3"
+CPPFLAGS += "-I${STAGING_INCDIR}/nspr4 -I${STAGING_INCDIR}/nss3"
+
+EXTRA_OECONF = "\
+ --with-nss=${STAGING_LIBDIR}/../.. --with-nspr=${STAGING_LIBDIR}/../.. \
+ "
+
+FILES_${PN}-dev += "${libdir}/xmlsec1Conf.sh"
+FILES_${PN}-dbg += "${PTEST_PATH}/.debug/*"
+
+RDEPENDS_${PN}-ptest += "${PN}-dev"
+INSANE_SKIP_${PN}-ptest += "dev-deps"
+
+PTEST_EXTRA_ARGS = "top_srcdir=${S} top_builddir=${B}"
+
+do_compile_ptest () {
+ oe_runmake -C ${S}/examples ${PTEST_EXTRA_ARGS} all
+}
+
+do_install_append() {
+ for i in ${bindir}/xmlsec1-config ${libdir}/xmlsec1Conf.sh \
+ ${libdir}/pkgconfig/xmlsec1-openssl.pc; do
+ sed -i -e "s@${RECIPE_SYSROOT}@@g" ${D}$i
+ done
+}
+
+do_install_ptest () {
+ oe_runmake -C ${S}/examples DESTDIR=${D}${PTEST_PATH} ${PTEST_EXTRA_ARGS} install-ptest
+}
-- cgit v1.2.3