meta-security: subtree update:a85fbe980e..c20b35b527
Anton Antonov (1):
Parsec service. Update PACKAGECONFIG definitions and README.md
Armin Kuster (20):
python3-fail2ban: fix build failure and cleanup
meta-parsec/README: remove rust layer req.
opendnssec: blacklist do to ldns being blacklisted
apparmor: Add a python 3.10 compatability patch
tpm2-tools: update to 5.2
openssl-tpm-engine: fix build issue with openssl 3
tpm2-openssl: add new pkg
tpm2-pkcs11: update to 1.7.0
recipes: Update SRC_URI branch and protocols
sssd: Create /var/log/sssd in runtime
bastille: Create /var/log/Bastille in runtime
python3-fail2ban: remove /run
tpm2-pkcs11: update to 1.7.0
libest: does not build with openssl 3.x
clamav: fix useradd warning
python3-fail2ban: update to tip
tpm2-pkcs11: backport openssl 3.x build fixes
packagegroup-security-tpm2: drop ibmswtpm2
meta-integrity: drop strongswan bbappends
meta-tpm: drop strongswan bbappends
Kai Kang (2):
sssd: re-package to fix QA issues
apparmor: fix warning of remove operator combined with +=
Kristian Klausen (2):
swtpm: update to 0.6.1
dm-verity-img.bbclass: Fix wrong override syntax for CONVERSION_DEPENDS
Liwei Song (1):
recipes-security/chipsec: platform security assessment framework
Stefan Mueller-Klieser (1):
tpm2-tss: fix fapi package config
Yi Zhao (2):
openssl-tpm-engine: fix warning for append operator combined with +=
meta-parsec/README.md: fix for append operator combined with +=
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I2156e47cf3f4f45daa2b60a73e3b46be3b6a86c0
diff --git a/meta-security/classes/dm-verity-img.bbclass b/meta-security/classes/dm-verity-img.bbclass
index 0b6d053..93f667d 100644
--- a/meta-security/classes/dm-verity-img.bbclass
+++ b/meta-security/classes/dm-verity-img.bbclass
@@ -67,7 +67,7 @@
IMAGE_TYPES += "${VERITY_TYPES}"
CONVERSIONTYPES += "verity"
CONVERSION_CMD:verity = "verity_setup ${type}"
-CONVERSION_DEPENDS:verity = "cryptsetup-native"
+CONVERSION_DEPENDS_verity = "cryptsetup-native"
python __anonymous() {
verity_image = d.getVar('DM_VERITY_IMAGE')
diff --git a/meta-security/meta-integrity/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-ima.inc b/meta-security/meta-integrity/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-ima.inc
deleted file mode 100644
index 807075c..0000000
--- a/meta-security/meta-integrity/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-ima.inc
+++ /dev/null
@@ -1,61 +0,0 @@
-FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
-
-DEPENDS = "libtspi"
-
-SRC_URI:append = " file://0001-xfrmi-Only-build-if-libcharon-is-built.patch"
-
-PACKAGECONFIG += " \
- aikgen \
- tpm \
-"
-
-PACKAGECONFIG[tpm] = "--enable-tpm,--disable-tpm,,"
-PACKAGECONFIG[aikgen] = "--enable-aikgen,--disable-aikgen,,"
-
-PACKAGECONFIG_ima += "\
- imc-test \
- imv-test \
- imc-scanner \
- imv-scanner \
- imc-os \
- imv-os \
- imc-attestation \
- imv-attestation \
- tnc-ifmap \
- tnc-imc \
- tnc-imv \
- tnc-pdp \
- tnccs-11 \
- tnccs-20 \
- tnccs-dynamic \
- "
-
-EXTRA_OECONF += "--with-linux-headers=${STAGING_KERNEL_DIR}"
-
-PACKAGECONFIG[imc-test] = "--enable-imc-test,--disable-imc-test,,"
-PACKAGECONFIG[imc-scanner] = "--enable-imc-scanner,--disable-imc-scanner,,"
-PACKAGECONFIG[imc-os] = "--enable-imc-os,--disable-imc-os,,"
-PACKAGECONFIG[imc-attestation] = "--enable-imc-attestation,--disable-imc-attestation,,"
-PACKAGECONFIG[imc-swima] = "--enable-imc-swima, --disable-imc-swima,,"
-PACKAGECONFIG[imc-hcd] = "--enable-imc-hcd, --disable-imc-hcd,,"
-PACKAGECONFIG[tnc-imc] = "--enable-tnc-imc,--disable-tnc-imc,,"
-
-PACKAGECONFIG[imv-test] = "--enable-imv-test,--disable-imv-test,,"
-PACKAGECONFIG[imv-scanner] = "--enable-imv-scanner,--disable-imv-scanner,,"
-PACKAGECONFIG[imv-os] = "--enable-imv-os,--disable-imv-os,,"
-PACKAGECONFIG[imv-attestation] = "--enable-imv-attestation,--disable-imv-attestation,,"
-PACKAGECONFIG[imv-swima] = "--enable-imv-swima, --disable-imv-swima,,"
-PACKAGECONFIG[imv-hcd] = "--enable-imv-hcd, --disable-imv-hcd,,"
-PACKAGECONFIG[tnc-imv] = "--enable-tnc-imv,--disable-tnc-imv,,"
-
-PACKAGECONFIG[tnc-ifmap] = "--enable-tnc-ifmap,--disable-tnc-ifmap,libxml2,"
-PACKAGECONFIG[tnc-pdp] = "--enable-tnc-pdp,--disable-tnc-pdp,,"
-
-PACKAGECONFIG[tnccs-11] = "--enable-tnccs-11,--disable-tnccs-11,libxml2,"
-PACKAGECONFIG[tnccs-20] = "--enable-tnccs-20,--disable-tnccs-20,,"
-PACKAGECONFIG[tnccs-dynamic] = "--enable-tnccs-dynamic,--disable-tnccs-dynamic,,"
-
-#FILES_${PN} += "${libdir}/ipsec/imcvs/*.so ${datadir}/regid.2004-03.org.strongswan"
-#FILES_${PN}-dbg += "${libdir}/ipsec/imcvs/.debug"
-#FILES_${PN}-dev += "${libdir}/ipsec/imcvs/*.la"
-#FILES_${PN}-staticdev += "${libdir}/ipsec/imcvs/*.a"
diff --git a/meta-security/meta-integrity/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan_5.%.bbappend b/meta-security/meta-integrity/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan_5.%.bbappend
deleted file mode 100644
index 4669fd2..0000000
--- a/meta-security/meta-integrity/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan_5.%.bbappend
+++ /dev/null
@@ -1 +0,0 @@
-require ${@bb.utils.contains('DISTRO_FEATURES', 'imp', 'strongswan-ima.inc', '', d)}
diff --git a/meta-security/meta-parsec/README.md b/meta-security/meta-parsec/README.md
index 24958ac..bb4c2b9 100644
--- a/meta-security/meta-parsec/README.md
+++ b/meta-security/meta-parsec/README.md
@@ -1,8 +1,7 @@
meta-parsec layer
==============
-This layer contains recipes for the Parsec service with Mbed-Crypto,
-Pkcs11 and TPM providers and parsec tools.
+This layer contains recipes for the Parsec service and parsec tools.
Dependencies
============
@@ -11,23 +10,12 @@
URI: git://git.openembedded.org/meta-openembedded
branch: master
- revision: HEAD
- prio: default
URI git://git.yoctoproject.org/meta-security
branch: master
- revision: HEAD
- prio: default
-
- URI https://github.com/meta-rust/meta-rust.git
- branch: master
- revision: HEAD
- prio: default
URI https://github.com/kraj/meta-clang.git
branch: master
- revision: HEAD
- prio: default
Adding the meta-parsec layer to your build
==========================================
@@ -44,7 +32,6 @@
/path/to/yocto/meta-yocto-bsp \
/path/to/meta-openembedded/meta-oe \
/path/to/meta-openembedded/meta-python \
- /path/to/meta-rust \
/path/to/meta-clang \
/path/to/meta-security/meta-tpm \
/path/to/meta-security/meta-parsec \
@@ -55,9 +42,16 @@
IMAGE_INSTALL:append = " parsec-service"
- The Parsec service will be deployed into the image built with all the supported
-providers and with the default config file from the Parsec repository:
+ By default the Parsec service will be deployed into the image with
+TPM, PKCS11, MBED-CRYPTO and CRYPTOAUTHLIB providers build in
+and with the default config file from the Parsec repository:
https://github.com/parallaxsecond/parsec/blob/main/config.toml
+
+ You can use PACKAGECONFIG for Parsec servic recipe to define
+what providers should be built in. For example,
+
+ PACKAGECONFIG:pn-parsec-service = "TPM"
+
The default Parsec service config file contains the MbedCrypto provider
enabled. The config file needs to be updated to use the Parsec service
with other providers like TPM or PKCS11. The required procedures are
@@ -86,24 +80,31 @@
This layer also contains a recipe for pasec-tool which can be used for
manual testing of the Parsec service:
- IMAGE_INSTALL:append += " parsec-tools"
+ IMAGE_INSTALL:append = " parsec-tools"
There are a series of Parsec Demo videos showing how to use parsec-tool
to test the Parsec service base functionality:
https://www.youtube.com/watch?v=ido0CyUdMHM&list=PLKjl7IFAwc4S7WQqqphCsyy6DPDxJ2Skg&index=4
+ The parsec-tool recipe also includes `parsec-cli-tests.sh` script
+which runs e2e tests against all providers enabled and configured
+in Parsec service.
+
You can use runqemu to start a VM with a built image file and run
manual tests with parsec-tool.
+Enabling Parsec providers for manual testing
+============================================
+
1. MbedCrypto provider
The default Parsec service config file contains the MbedCrypto provider
-enabled. No changes required for manual testing.
+enabled. No changes required.
2. PKCS11 provider
The Software HSM can be used for manual testing of the provider by
including it into your test image:
- IMAGE_INSTALL:append += " softhsm"
+ IMAGE_INSTALL:append = " softhsm"
Inside the running VM:
- Stop Parsec
@@ -134,7 +135,7 @@
The IBM Software TPM service can be used for manual testing of the provider by
including it into your test image:
- IMAGE_INSTALL:append += " ibmswtpm2 tpm2-tools libtss2 libtss2-tcti-mssim"
+ IMAGE_INSTALL:append = " ibmswtpm2 tpm2-tools libtss2 libtss2-tcti-mssim"
Inside the running VM:
- Stop Parsec
@@ -165,11 +166,11 @@
Send pull requests, patches, comments or questions to yocto@yoctoproject.org
When sending single patches, please using something like:
-'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-parsec][PATCH'
+'git send-email -1 --to yocto@lists.yoctoproject.org --subject-prefix=meta-parsec][PATCH'
These values can be set as defaults for this repository:
-$ git config sendemail.to yocto@yoctoproject.org
+$ git config sendemail.to yocto@lists.yoctoproject.org
$ git config format.subjectPrefix meta-parsec][PATCH
Now you can just do 'git send-email origin/master' to send all local patches.
diff --git a/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.8.1.bb b/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.8.1.bb
index b8bfa98..9161872 100644
--- a/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.8.1.bb
+++ b/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.8.1.bb
@@ -13,15 +13,15 @@
DEPENDS = "clang-native"
PACKAGECONFIG ??= "TPM PKCS11 MBED-CRYPTO CRYPTOAUTHLIB"
-PACKAGECONFIG[ALL] = "all-providers,,tpm2-tss libts,libts"
-PACKAGECONFIG[TPM] = "tpm-provider,,tpm2-tss"
-PACKAGECONFIG[PKCS11] = "pkcs11-provider,"
+PACKAGECONFIG[ALL] = "all-providers cryptoki/generate-bindings tss-esapi/generate-bindings,,tpm2-tss libts,libts"
+PACKAGECONFIG[TPM] = "tpm-provider tss-esapi/generate-bindings,,tpm2-tss"
+PACKAGECONFIG[PKCS11] = "pkcs11-provider cryptoki/generate-bindings,"
PACKAGECONFIG[MBED-CRYPTO] = "mbed-crypto-provider,"
PACKAGECONFIG[CRYPTOAUTHLIB] = "cryptoauthlib-provider,"
PACKAGECONFIG[TS] = "trusted-service-provider,,libts,libts"
-PARSEC_PROVIDERS = "${@d.getVar('PACKAGECONFIG_CONFARGS',True).replace(' ', ',')}"
-CARGO_BUILD_FLAGS += " --features ${PARSEC_PROVIDERS},cryptoki/generate-bindings,tss-esapi/generate-bindings"
+PARSEC_FEATURES = "${@d.getVar('PACKAGECONFIG_CONFARGS',True).strip().replace(' ', ',')}"
+CARGO_BUILD_FLAGS += " --features ${PARSEC_FEATURES}"
inherit systemd
SYSTEMD_SERVICE:${PN} = "parsec.service"
diff --git a/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb b/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb
index 0fef233..7e9f214 100644
--- a/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb
+++ b/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb
@@ -6,7 +6,7 @@
LICENSE = "MIT"
SRCREV = "7147871d7f37d408c0dd7720ef0fd3ec1b54ad98"
-SRC_URI = "git://github.com/akuster/oe-scap.git"
+SRC_URI = "git://github.com/akuster/oe-scap.git;branch=master;protocol=https"
SRC_URI += " \
file://run_cve.sh \
file://run_test.sh \
diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb b/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb
index f109566..549a888 100644
--- a/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb
+++ b/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb
@@ -9,7 +9,7 @@
DEPENDS = "python3-dbus"
SRCREV = "f25b16afb6ac761fea13132ff406fba4cdfd2b76"
-SRC_URI = "git://github.com/OpenSCAP/openscap-daemon.git \
+SRC_URI = "git://github.com/OpenSCAP/openscap-daemon.git;branch=master;protocol=https \
file://0001-Renamed-module-and-variables-to-get-rid-of-async.patch \
"
diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.3.bb b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.3.bb
index 51fa9ee..192b008 100644
--- a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.3.bb
+++ b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.3.bb
@@ -3,7 +3,7 @@
require openscap.inc
SRCREV = "0cb55c55af6be9934d6fd0caf4563b206f289732"
-SRC_URI = "git://github.com/OpenSCAP/openscap.git;branch=maint-1.3 \
+SRC_URI = "git://github.com/OpenSCAP/openscap.git;branch=maint-1.3;protocol=https \
"
DEFAULT_PREFERENCE = "-1"
diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb
index 73a4729..a18cbd1 100644
--- a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb
+++ b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb
@@ -6,7 +6,7 @@
include openscap.inc
SRCREV = "a85943eee400fdbe59234d1c4a02d8cf710c4625"
-SRC_URI = "git://github.com/akuster/openscap.git;branch=oe-1.3 \
+SRC_URI = "git://github.com/akuster/openscap.git;branch=oe-1.3;protocol=https \
"
PV = "1.3.3+git${SRCPV}"
diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.44.bb b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.44.bb
index d80ecd7..ecf136d 100644
--- a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.44.bb
+++ b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.44.bb
@@ -1,7 +1,7 @@
SUMARRY = "SCAP content for various platforms, upstream version"
SRCREV = "8cb2d0f351faff5440742258782281164953b0a6"
-SRC_URI = "git://github.com/ComplianceAsCode/content.git"
+SRC_URI = "git://github.com/ComplianceAsCode/content.git;branch=master;protocol=https"
DEFAULT_PREFERENCE = "-1"
diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb
index 0617c56..ddde5cc 100644
--- a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb
+++ b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb
@@ -1,7 +1,7 @@
SUMARRY = "SCAP content for various platforms, OE changes"
SRCREV = "5fdfdcb2e95afbd86ace555beca5d20cbf1043ed"
-SRC_URI = "git://github.com/akuster/scap-security-guide.git;branch=oe-0.1.44; \
+SRC_URI = "git://github.com/akuster/scap-security-guide.git;branch=oe-0.1.44;;protocol=https \
file://0001-Fix-XML-parsing-of-the-remediation-functions-file.patch \
file://0002-Fixed-the-broken-fix-when-greedy-regex-ate-the-whole.patch \
file://0001-fix-deprecated-instance-of-element.getchildren.patch \
diff --git a/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/files/0001-xfrmi-Only-build-if-libcharon-is-built.patch b/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/files/0001-xfrmi-Only-build-if-libcharon-is-built.patch
deleted file mode 100644
index 8250282..0000000
--- a/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/files/0001-xfrmi-Only-build-if-libcharon-is-built.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From db772305c6baa01f6c6750be74733e4bfc1d6106 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Tue, 14 Apr 2020 10:44:19 +0200
-Subject: [PATCH] xfrmi: Only build if libcharon is built
-
-The kernel-netlink plugin is only built if libcharon is.
-
-Closes strongswan/strongswan#167.
-
-Upstream-Status: Backport
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
----
- src/Makefile.am | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
-Index: strongswan-5.8.4/src/Makefile.am
-===================================================================
---- strongswan-5.8.4.orig/src/Makefile.am
-+++ strongswan-5.8.4/src/Makefile.am
-@@ -42,6 +42,9 @@ endif
-
- if USE_LIBCHARON
- SUBDIRS += libcharon
-+if USE_KERNEL_NETLINK
-+ SUBDIRS += xfrmi
-+endif
- endif
-
- if USE_FILE_CONFIG
-@@ -143,7 +146,3 @@ endif
- if USE_TPM
- SUBDIRS += tpm_extendpcr
- endif
--
--if USE_KERNEL_NETLINK
-- SUBDIRS += xfrmi
--endif
diff --git a/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-tpm.inc b/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-tpm.inc
deleted file mode 100644
index 497474f..0000000
--- a/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-tpm.inc
+++ /dev/null
@@ -1,12 +0,0 @@
-FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
-
-DEPENDS = "libtspi"
-
-SRC_URI:append = " file://0001-xfrmi-Only-build-if-libcharon-is-built.patch"
-
-PACKAGECONFIG += "aikgen tpm"
-
-PACKAGECONFIG[tpm] = "--enable-tpm,--disable-tpm,,"
-PACKAGECONFIG[aikgen] = "--enable-aikgen,--disable-aikgen,,"
-
-EXTRA_OECONF += "--with-linux-headers=${STAGING_KERNEL_DIR}"
diff --git a/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan_5.%.bbappend b/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan_5.%.bbappend
deleted file mode 100644
index 34757bb..0000000
--- a/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan_5.%.bbappend
+++ /dev/null
@@ -1 +0,0 @@
-require ${@bb.utils.contains('DISTRO_FEATURES', 'tpm', 'strongswan-tpm.inc', '', d)}
diff --git a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
index 764b2e5..b8324e5 100644
--- a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
+++ b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
@@ -18,5 +18,4 @@
libtss2-tcti-mssim \
tpm2-abrmd \
tpm2-pkcs11 \
- ibmswtpm2 \
"
diff --git a/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.8.7.bb b/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.8.7.bb
index 95ba5c5..8fe62cf 100644
--- a/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.8.7.bb
+++ b/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.8.7.bb
@@ -3,7 +3,7 @@
LIC_FILES_CHKSUM = "file://LICENSE;md5=e73f0786a936da3814896df06ad225a9"
SRCREV = "f6dd8f55eab4910131ec6a6a570dcd7951bd10e4"
-SRC_URI = "git://github.com/stefanberger/libtpms.git;branch=stable-0.8"
+SRC_URI = "git://github.com/stefanberger/libtpms.git;branch=stable-0.8;protocol=https"
PE = "1"
diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb
index 9ad8967..2b969ed 100644
--- a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb
+++ b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb
@@ -8,7 +8,7 @@
DEPENDS += "openssl trousers"
SRC_URI = "\
- git://github.com/mgerstner/openssl_tpm_engine.git \
+ git://github.com/mgerstner/openssl_tpm_engine.git;branch=master;protocol=https \
file://0001-create-tpm-key-support-well-known-key-option.patch \
file://0002-libtpm-support-env-TPM_SRK_PW.patch \
file://0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch \
@@ -35,10 +35,10 @@
srk_dec_pw ?= "\\"\\\x1\\"\\"nc\\"\\"\\\x3\\"\\"nd\\"\\"\\\x1\\"\\"a\\""
srk_dec_salt ?= "\\"r\\"\\"\\\x00\\\x00\\"\\"t\\""
-CFLAGS:append += "-DSRK_DEC_PW=${srk_dec_pw} -DSRK_DEC_SALT=${srk_dec_salt}"
+CFLAGS:append = " -DSRK_DEC_PW=${srk_dec_pw} -DSRK_DEC_SALT=${srk_dec_salt}"
# Uncomment below line if using the plain srk password for development
-#CFLAGS_append += "-DTPM_SRK_PLAIN_PW"
+#CFLAGS:append = " -DTPM_SRK_PLAIN_PW"
do_configure:prepend() {
cd ${B}
@@ -46,17 +46,17 @@
touch NEWS AUTHORS ChangeLog README
}
-FILES:${PN}-staticdev += "${libdir}/ssl/engines-1.1/tpm.la"
+FILES:${PN}-staticdev += "${libdir}/ssl/engines-3/tpm.la"
FILES:${PN}-dbg += "\
- ${libdir}/ssl/engines-1.1/.debug \
- ${libdir}/engines-1.1/.debug \
- ${prefix}/local/ssl/lib/engines-1.1/.debug \
+ ${libdir}/ssl/engines-3/.debug \
+ ${libdir}/engines-3/.debug \
+ ${prefix}/local/ssl/lib/engines-3/.debug \
"
FILES:${PN} += "\
- ${libdir}/ssl/engines-1.1/tpm.so* \
- ${libdir}/engines-1.1/tpm.so* \
+ ${libdir}/ssl/engines-3/tpm.so* \
+ ${libdir}/engines-3/tpm.so* \
${libdir}/libtpm.so* \
- ${prefix}/local/ssl/lib/engines-1.1/tpm.so* \
+ ${prefix}/local/ssl/lib/engines-3/tpm.so* \
"
RDEPENDS:${PN} += "libcrypto libtspi"
diff --git a/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb b/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb
index f8347b7..77f65ae 100644
--- a/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb
+++ b/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb
@@ -9,7 +9,7 @@
PV = "0.1+git${SRCPV}"
SRCREV = "c02ad8f628b3d99f6d4c087b402fe31a40ee6316"
-SRC_URI = "git://github.com/flihp/pcr-extend.git \
+SRC_URI = "git://github.com/flihp/pcr-extend.git;branch=master;protocol=https \
file://fix_openssl11_build.patch "
inherit autotools
diff --git a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm-wrappers-native.bb b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm-wrappers-native.bb
index 644f3ac..bb93374 100644
--- a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm-wrappers-native.bb
+++ b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm-wrappers-native.bb
@@ -1,6 +1,6 @@
SUMMARY = "SWTPM - OpenEmbedded wrapper scripts for native swtpm tools"
LICENSE = "MIT"
-DEPENDS = "swtpm-native tpm-tools-native net-tools-native"
+DEPENDS = "swtpm-native"
inherit native
@@ -14,23 +14,19 @@
for i in `find ${bindir} ${base_bindir} ${sbindir} ${base_sbindir} -name 'swtpm*' -perm /+x -type f`; do
exe=`basename $i`
case $exe in
- swtpm_setup.sh)
+ swtpm_setup)
cat >${WORKDIR}/swtpm_setup_oe.sh <<EOF
#! /bin/sh
#
-# Wrapper around swtpm_setup.sh which adds parameters required to
+# Wrapper around swtpm_setup which adds parameters required to
# run the setup as non-root directly from the native sysroot.
PATH="${bindir}:${base_bindir}:${sbindir}:${base_sbindir}:\$PATH"
export PATH
-# tcsd only allows to be run as root or tss. Pretend to be root...
-exec env ${FAKEROOTENV} ${FAKEROOTCMD} swtpm_setup.sh --config ${STAGING_DIR_NATIVE}/etc/swtpm_setup.conf "\$@"
+exec swtpm_setup --config ${STAGING_DIR_NATIVE}/etc/swtpm_setup.conf "\$@"
EOF
;;
- swtpm_setup)
- true
- ;;
*)
cat >${WORKDIR}/${exe}_oe.sh <<EOF
#! /bin/sh
diff --git a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.5.2.bb b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.6.1.bb
similarity index 68%
rename from meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.5.2.bb
rename to meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.6.1.bb
index 912e939..63734b9 100644
--- a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.5.2.bb
+++ b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.6.1.bb
@@ -3,14 +3,11 @@
LIC_FILES_CHKSUM = "file://LICENSE;md5=fe8092c832b71ef20dfe4c6d3decb3a8"
SECTION = "apps"
-DEPENDS = "libtasn1 coreutils-native expect socat glib-2.0 net-tools-native libtpm libtpm-native"
+# expect-native, socat-native, coreutils-native and net-tools-native are reportedly only required for the tests
+DEPENDS = "libtasn1 coreutils-native expect-native socat-native glib-2.0 net-tools-native libtpm json-glib"
-# configure checks for the tools already during compilation and
-# then swtpm_setup needs them at runtime
-DEPENDS:append = " tpm-tools-native expect-native socat-native python3-pip-native python3-cryptography-native"
-
-SRCREV = "e59c0c1a7b4c8d652dbb280fd6126895a7057464"
-SRC_URI = "git://github.com/stefanberger/swtpm.git;branch=stable-0.5 \
+SRCREV = "98187d24fe14851653a7c46eb16e9c5f0b9beaa1"
+SRC_URI = "git://github.com/stefanberger/swtpm.git;branch=stable-0.6;protocol=https \
file://ioctl_h.patch \
file://oe_configure.patch \
"
@@ -19,7 +16,7 @@
S = "${WORKDIR}/git"
PARALLEL_MAKE = ""
-inherit autotools pkgconfig python3native
+inherit autotools pkgconfig perlnative
TSS_USER="tss"
TSS_GROUP="tss"
@@ -28,7 +25,10 @@
PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
PACKAGECONFIG += "${@bb.utils.contains('BBFILE_COLLECTIONS', 'filesystems-layer', 'cuse', '', d)}"
PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl, openssl"
-PACKAGECONFIG[gnutls] = "--with-gnutls, --without-gnutls, gnutls"
+# expect, bash, tpm2-pkcs11-tools (tpm2_ptool), tpmtool and certtool is
+# used by swtpm-create-tpmca (the last two is provided by gnutls)
+# gnutls is required by: swtpm-create-tpmca, swtpm-localca and swtpm_cert
+PACKAGECONFIG[gnutls] = "--with-gnutls, --without-gnutls, gnutls, gnutls, expect bash tpm2-pkcs11-tools"
PACKAGECONFIG[selinux] = "--with-selinux, --without-selinux, libselinux"
PACKAGECONFIG[cuse] = "--with-cuse, --without-cuse, fuse"
PACKAGECONFIG[seccomp] = "--with-seccomp, --without-seccomp, libseccomp"
@@ -41,14 +41,11 @@
--no-create-home --shell /bin/false ${BPN}"
-PACKAGES =+ "${PN}-python"
-FILES:${PN}-python = "${PYTHON_SITEPACKAGES_DIR}"
-
PACKAGE_BEFORE_PN = "${PN}-cuse"
FILES:${PN}-cuse = "${bindir}/swtpm_cuse"
INSANE_SKIP:${PN} += "dev-so"
-RDEPENDS:${PN} = "libtpm expect socat bash tpm-tools python3 python3-cryptography python3-twisted"
+RDEPENDS:${PN} = "libtpm"
BBCLASSEXTEND = "native nativesdk"
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb b/meta-security/meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb
index 53cf8ff..4672bba 100644
--- a/meta-security/meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb
+++ b/meta-security/meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb
@@ -15,7 +15,7 @@
DEPENDS = "libtspi tpm-tools"
-SRC_URI = "git://git.code.sf.net/p/tpmquotetools/tpm-quote-tools"
+SRC_URI = "git://git.code.sf.net/p/tpmquotetools/tpm-quote-tools;branch=master"
SRCREV = "4511874d5c9b4504bb96e94f8a14bd6c39a36295"
S = "${WORKDIR}/git"
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb b/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb
index dbe1647..3b3da4f 100644
--- a/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb
+++ b/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb
@@ -14,7 +14,7 @@
SRCREV = "bf43837575c5f7d31865562dce7778eae970052e"
SRC_URI = " \
- git://git.code.sf.net/p/trousers/tpm-tools \
+ git://git.code.sf.net/p/trousers/tpm-tools;branch=master \
file://tpm-tools-extendpcr.patch \
file://04-fix-FTBFS-clang.patch \
file://openssl1.1_fix.patch \
diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb b/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb
index 5e03b71..192c66c 100644
--- a/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb
+++ b/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb
@@ -10,7 +10,7 @@
PV = "0.3.15+git${SRCPV}"
SRC_URI = " \
- git://git.code.sf.net/p/trousers/trousers \
+ git://git.code.sf.net/p/trousers/trousers;branch=master \
file://trousers.init.sh \
file://trousers-udev.rules \
file://tcsd.service \
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.4.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.4.0.bb
index b80ef79..1818171 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.4.0.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.4.0.bb
@@ -13,7 +13,7 @@
libtss2 libtss2-mu libtss2-tcti-device libtss2-tcti-mssim"
SRC_URI = "\
- git://github.com/tpm2-software/tpm2-abrmd.git \
+ git://github.com/tpm2-software/tpm2-abrmd.git;branch=master;protocol=https \
file://tpm2-abrmd-init.sh \
file://tpm2-abrmd.default \
"
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.0.bb
new file mode 100644
index 0000000..f6a694c
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.0.bb
@@ -0,0 +1,11 @@
+SUMMARY = "Provider for integration of TPM 2.0 to OpenSSL 3.0"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=b75785ac083d3c3ca04d99d9e4e1fbab"
+
+SRC_URI = "git://github.com/tpm2-software/tpm2-openssl.git;protocol=https;branch=master"
+
+SRCREV = "66e34f9e45c3697590cced1e4d3f35993a822f8b"
+
+S = "${WORKDIR}/git"
+
+inherit pkgconfig
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-ssl-compile-against-OSSL-3.0.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-ssl-compile-against-OSSL-3.0.patch
new file mode 100644
index 0000000..ac2f92c
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-ssl-compile-against-OSSL-3.0.patch
@@ -0,0 +1,1305 @@
+From f7a2e90e80fd8b4c43042f8099e821b4118234d1 Mon Sep 17 00:00:00 2001
+From: William Roberts <william.c.roberts@intel.com>
+Date: Fri, 3 Sep 2021 11:24:40 -0500
+Subject: [PATCH 1/2] ssl: compile against OSSL 3.0
+
+Compile against OpenSSL. This moves functions non-deprecated things if
+possible and ignores deprecation warnings when not. Padding manipulation
+routines seem to have been marked deprecated in OSSL 3.0, so we need to
+figure out a porting strategy here.
+
+Fixes: #686
+
+Signed-off-by: William Roberts <william.c.roberts@intel.com>
+
+Upstream-Status: Backport
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+---
+ src/lib/backend_esysdb.c | 5 +-
+ src/lib/backend_fapi.c | 5 +-
+ src/lib/encrypt.c | 2 +-
+ src/lib/mech.c | 72 +---
+ src/lib/object.c | 3 +-
+ src/lib/sign.c | 2 +-
+ src/lib/ssl_util.c | 531 ++++++++++++++++--------
+ src/lib/ssl_util.h | 31 +-
+ src/lib/tpm.c | 6 +-
+ src/lib/utils.c | 35 +-
+ src/lib/utils.h | 13 -
+ test/integration/pkcs-sign-verify.int.c | 94 ++---
+ 12 files changed, 441 insertions(+), 358 deletions(-)
+
+Index: git/src/lib/backend_esysdb.c
+===================================================================
+--- git.orig/src/lib/backend_esysdb.c
++++ git/src/lib/backend_esysdb.c
+@@ -3,6 +3,7 @@
+ #include "config.h"
+ #include "backend_esysdb.h"
+ #include "db.h"
++#include "ssl_util.h"
+ #include "tpm.h"
+
+ CK_RV backend_esysdb_init(void) {
+@@ -308,7 +309,7 @@ CK_RV backend_esysdb_token_unseal_wrappi
+ }
+
+ twist sealsalt = user ? sealobj->userauthsalt : sealobj->soauthsalt;
+- twist sealobjauth = utils_hash_pass(tpin, sealsalt);
++ twist sealobjauth = ssl_util_hash_pass(tpin, sealsalt);
+ if (!sealobjauth) {
+ rv = CKR_HOST_MEMORY;
+ goto error;
+@@ -372,7 +373,7 @@ CK_RV backend_esysdb_token_changeauth(to
+ */
+ twist oldsalt = !user ? tok->esysdb.sealobject.soauthsalt : tok->esysdb.sealobject.userauthsalt;
+
+- twist oldauth = utils_hash_pass(toldpin, oldsalt);
++ twist oldauth = ssl_util_hash_pass(toldpin, oldsalt);
+ if (!oldauth) {
+ goto out;
+ }
+Index: git/src/lib/backend_fapi.c
+===================================================================
+--- git.orig/src/lib/backend_fapi.c
++++ git/src/lib/backend_fapi.c
+@@ -11,6 +11,7 @@
+ #include "backend_fapi.h"
+ #include "emitter.h"
+ #include "parser.h"
++#include "ssl_util.h"
+ #include "utils.h"
+
+ #ifdef HAVE_FAPI
+@@ -793,7 +794,7 @@ CK_RV backend_fapi_token_unseal_wrapping
+ }
+
+ twist sealsalt = user ? tok->fapi.userauthsalt : tok->fapi.soauthsalt;
+- twist sealobjauth = utils_hash_pass(tpin, sealsalt);
++ twist sealobjauth = ssl_util_hash_pass(tpin, sealsalt);
+ if (!sealobjauth) {
+ rv = CKR_HOST_MEMORY;
+ goto error;
+@@ -889,7 +890,7 @@ CK_RV backend_fapi_token_changeauth(toke
+ }
+ rv = CKR_GENERAL_ERROR;
+
+- oldauth = utils_hash_pass(toldpin, user ? tok->fapi.userauthsalt : tok->fapi.soauthsalt);
++ oldauth = ssl_util_hash_pass(toldpin, user ? tok->fapi.userauthsalt : tok->fapi.soauthsalt);
+ if (!oldauth) {
+ goto out;
+ }
+Index: git/src/lib/encrypt.c
+===================================================================
+--- git.orig/src/lib/encrypt.c
++++ git/src/lib/encrypt.c
+@@ -59,7 +59,7 @@ void encrypt_op_data_free(encrypt_op_dat
+ CK_RV sw_encrypt_data_init(mdetail *mdtl, CK_MECHANISM *mechanism, tobject *tobj, sw_encrypt_data **enc_data) {
+
+ EVP_PKEY *pkey = NULL;
+- CK_RV rv = ssl_util_tobject_to_evp(&pkey, tobj);
++ CK_RV rv = ssl_util_attrs_to_evp(tobj->attrs, &pkey);
+ if (rv != CKR_OK) {
+ return rv;
+ }
+Index: git/src/lib/mech.c
+===================================================================
+--- git.orig/src/lib/mech.c
++++ git/src/lib/mech.c
+@@ -693,7 +693,7 @@ CK_RV ecc_keygen_validator(mdetail *m, C
+ }
+
+ int nid = 0;
+- CK_RV rv = ec_params_to_nid(a, &nid);
++ CK_RV rv = ssl_util_params_to_nid(a, &nid);
+ if (rv != CKR_OK) {
+ return rv;
+ }
+@@ -857,11 +857,11 @@ CK_RV rsa_pkcs_synthesizer(mdetail *mdtl
+ }
+
+ /* Apply the PKCS1.5 padding */
+- int rc = RSA_padding_add_PKCS1_type_1(outbuf, padded_len,
+- inbuf, inlen);
+- if (!rc) {
++ CK_RV rv = ssl_util_add_PKCS1_TYPE_1(inbuf, inlen,
++ outbuf, padded_len);
++ if (rv != CKR_OK) {
+ LOGE("Applying RSA padding failed");
+- return CKR_GENERAL_ERROR;
++ return rv;
+ }
+
+ *outlen = padded_len;
+@@ -893,22 +893,21 @@ CK_RV rsa_pkcs_unsynthesizer(mdetail *md
+ size_t key_bytes = *keybits / 8;
+
+ unsigned char buf[4096];
+- int rc = RSA_padding_check_PKCS1_type_2(buf, sizeof(buf),
+- inbuf, inlen,
+- key_bytes);
+- if (rc < 0) {
++ CK_ULONG buflen = sizeof(buf);
++ CK_RV rv = ssl_util_check_PKCS1_TYPE_2(inbuf, inlen, key_bytes,
++ buf, &buflen);
++ if (rv != CKR_OK) {
+ LOGE("Could not recover CKM_RSA_PKCS Padding");
+- return CKR_GENERAL_ERROR;
++ return rv;
+ }
+
+- /* cannot be < 0 because of check above */
+- if (!outbuf || (unsigned)rc > *outlen) {
+- *outlen = rc;
++ if (!outbuf || buflen > *outlen) {
++ *outlen = buflen;
+ return outbuf ? CKR_BUFFER_TOO_SMALL : CKR_OK;
+ }
+
+- *outlen = rc;
+- memcpy(outbuf, buf, rc);
++ *outlen = buflen;
++ memcpy(outbuf, buf, buflen);
+
+ return CKR_OK;
+ }
+@@ -944,50 +943,21 @@ CK_RV rsa_pss_synthesizer(mdetail *mdtl,
+ return CKR_GENERAL_ERROR;
+ }
+
+- CK_ATTRIBUTE_PTR exp_attr = attr_get_attribute_by_type(attrs, CKA_PUBLIC_EXPONENT);
+- if (!exp_attr) {
+- LOGE("Signing key has no CKA_PUBLIC_EXPONENT");
+- return CKR_GENERAL_ERROR;
+- }
+-
+ if (modulus_attr->ulValueLen > *outlen) {
+ LOGE("Output buffer is too small, got: %lu, required at least %lu",
+ *outlen, modulus_attr->ulValueLen);
+ return CKR_GENERAL_ERROR;
+ }
+
+- BIGNUM *e = BN_bin2bn(exp_attr->pValue, exp_attr->ulValueLen, NULL);
+- if (!e) {
+- LOGE("Could not convert exponent to bignum");
+- return CKR_GENERAL_ERROR;
+- }
+-
+- BIGNUM *n = BN_bin2bn(modulus_attr->pValue, modulus_attr->ulValueLen, NULL);
+- if (!n) {
+- LOGE("Could not convert modulus to bignum");
+- BN_free(e);
+- return CKR_GENERAL_ERROR;
+- }
+-
+- RSA *rsa = RSA_new();
+- if (!rsa) {
+- LOGE("oom");
+- return CKR_HOST_MEMORY;
+- }
+-
+- int rc = RSA_set0_key(rsa, n, e, NULL);
+- if (!rc) {
+- LOGE("Could not set modulus and exponent to OSSL RSA key");
+- BN_free(n);
+- BN_free(e);
+- RSA_free(rsa);
+- return CKR_GENERAL_ERROR;
++ EVP_PKEY *pkey = NULL;
++ rv = ssl_util_attrs_to_evp(attrs, &pkey);
++ if (rv != CKR_OK) {
++ return rv;
+ }
+
+- rc = RSA_padding_add_PKCS1_PSS(rsa, outbuf,
+- inbuf, md, -1);
+- RSA_free(rsa);
+- if (!rc) {
++ rv = ssl_util_add_PKCS1_PSS(pkey, inbuf, md, outbuf);
++ EVP_PKEY_free(pkey);
++ if (rv != CKR_OK) {
+ LOGE("Applying RSA padding failed");
+ return CKR_GENERAL_ERROR;
+ }
+Index: git/src/lib/object.c
+===================================================================
+--- git.orig/src/lib/object.c
++++ git/src/lib/object.c
+@@ -15,6 +15,7 @@
+ #include "object.h"
+ #include "pkcs11.h"
+ #include "session_ctx.h"
++#include "ssl_util.h"
+ #include "token.h"
+ #include "utils.h"
+
+@@ -121,7 +122,7 @@ CK_RV tobject_get_min_buf_size(tobject *
+ }
+
+ int nid = 0;
+- CK_RV rv = ec_params_to_nid(a, &nid);
++ CK_RV rv = ssl_util_params_to_nid(a, &nid);
+ if (rv != CKR_OK) {
+ return rv;
+ }
+Index: git/src/lib/sign.c
+===================================================================
+--- git.orig/src/lib/sign.c
++++ git/src/lib/sign.c
+@@ -74,7 +74,7 @@ static sign_opdata *sign_opdata_new(mdet
+ }
+
+ EVP_PKEY *pkey = NULL;
+- rv = ssl_util_tobject_to_evp(&pkey, tobj);
++ rv = ssl_util_attrs_to_evp(tobj->attrs, &pkey);
+ if (rv != CKR_OK) {
+ return NULL;
+ }
+Index: git/src/lib/ssl_util.c
+===================================================================
+--- git.orig/src/lib/ssl_util.c
++++ git/src/lib/ssl_util.c
+@@ -10,6 +10,7 @@
+ #include <openssl/rsa.h>
+ #include <openssl/sha.h>
+
++#include "attrs.h"
+ #include "log.h"
+ #include "pkcs11.h"
+ #include "ssl_util.h"
+@@ -19,194 +20,228 @@
+ #include <openssl/evperr.h>
+ #endif
+
+-#if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11)
++#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST300)
++#include <openssl/core_names.h>
++#endif
+
+ /*
+- * Pre openssl 1.1 doesn't have EC_POINT_point2buf, so use EC_POINT_point2oct to
+- * create an API compatible version of it.
++ * TODO Port these routines
++ * Deprecated function block to port
++ *
++ * There are no padding routine replacements in OSSL 3.0.
++ * - per Matt Caswell (maintainer) on mailing list.
++ * Signature verification can likely be done with EVP Verify interface.
+ */
+-size_t EC_POINT_point2buf(const EC_GROUP *group, const EC_POINT *point,
+- point_conversion_form_t form,
+- unsigned char **pbuf, BN_CTX *ctx) {
+-
+- /* Get the required buffer length */
+- size_t len = EC_POINT_point2oct(group, point, form, NULL, 0, NULL);
+- if (!len) {
+- return 0;
+- }
++#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST300)
++#pragma GCC diagnostic push
++#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
++#endif
+
+- /* allocate it */
+- unsigned char *buf = OPENSSL_malloc(len);
+- if (!buf) {
+- return 0;
+- }
++CK_RV ssl_util_add_PKCS1_PSS(EVP_PKEY *pkey,
++ const CK_BYTE_PTR inbuf, const EVP_MD *md,
++ CK_BYTE_PTR outbuf) {
+
+- /* convert it */
+- len = EC_POINT_point2oct(group, point, form, buf, len, ctx);
+- if (!len) {
+- OPENSSL_free(buf);
+- return 0;
++ RSA *rsa = (RSA *)EVP_PKEY_get0_RSA(pkey);
++ if (!rsa) {
++ return CKR_GENERAL_ERROR;
+ }
+
+- *pbuf = buf;
+- return len;
+-}
++ int rc = RSA_padding_add_PKCS1_PSS(rsa, outbuf,
++ inbuf, md, -1);
+
+-size_t OBJ_length(const ASN1_OBJECT *obj) {
++ return rc == 1 ? CKR_OK : CKR_GENERAL_ERROR;
++}
+
+- if (!obj) {
+- return 0;
+- }
++CK_RV ssl_util_add_PKCS1_TYPE_1(const CK_BYTE_PTR inbuf, CK_ULONG inlen,
++ CK_BYTE_PTR outbuf, CK_ULONG outbuflen) {
+
+- return obj->length;
++ return RSA_padding_add_PKCS1_type_1(outbuf, outbuflen,
++ inbuf, inlen) == 1 ? CKR_OK : CKR_GENERAL_ERROR;
+ }
+
+-const unsigned char *OBJ_get0_data(const ASN1_OBJECT *obj) {
++CK_RV ssl_util_check_PKCS1_TYPE_2(const CK_BYTE_PTR inbuf, CK_ULONG inlen, CK_ULONG rsa_len,
++ CK_BYTE_PTR outbuf, CK_ULONG_PTR outbuflen) {
+
+- if (!obj) {
+- return NULL;
++ int rc = RSA_padding_check_PKCS1_type_2(outbuf, *outbuflen,
++ inbuf, inlen, rsa_len);
++ if (rc < 0) {
++ return CKR_GENERAL_ERROR;
+ }
+
+- return obj->data;
++ /* cannot be negative due to check above */
++ *outbuflen = rc;
++ return CKR_OK;
+ }
+
+-const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x) {
+- return ASN1_STRING_data((ASN1_STRING *)x);
+-}
++#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST300)
++#pragma GCC diagnostic pop
++#endif
+
+-int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
++#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST300)
+
+- if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL)) {
+- return 0;
+- }
++static CK_RV get_RSA_evp_pubkey(CK_ATTRIBUTE_PTR e_attr, CK_ATTRIBUTE_PTR n_attr, EVP_PKEY **out_pkey) {
++
++ OSSL_PARAM params[] = {
++ OSSL_PARAM_BN("n", n_attr->pValue, n_attr->ulValueLen),
++ OSSL_PARAM_BN("e", e_attr->pValue, e_attr->ulValueLen),
++ OSSL_PARAM_END
++ };
+
+- if (n != NULL) {
+- BN_free(r->n);
+- r->n = n;
++ /* convert params to EVP key */
++ EVP_PKEY_CTX *evp_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);
++ if (!evp_ctx) {
++ SSL_UTIL_LOGE("EVP_PKEY_CTX_new_id");
++ return CKR_GENERAL_ERROR;
+ }
+
+- if (e != NULL) {
+- BN_free(r->e);
+- r->e = e;
++ int rc = EVP_PKEY_fromdata_init(evp_ctx);
++ if (rc != 1) {
++ SSL_UTIL_LOGE("EVP_PKEY_fromdata_init");
++ EVP_PKEY_CTX_free(evp_ctx);
++ return CKR_GENERAL_ERROR;
+ }
+
+- if (d != NULL) {
+- BN_free(r->d);
+- r->d = d;
++ rc = EVP_PKEY_fromdata(evp_ctx, out_pkey, EVP_PKEY_PUBLIC_KEY, params);
++ if (rc != 1) {
++ SSL_UTIL_LOGE("EVP_PKEY_fromdata");
++ EVP_PKEY_CTX_free(evp_ctx);
++ return CKR_GENERAL_ERROR;
+ }
+
+- return 1;
++ EVP_PKEY_CTX_free(evp_ctx);
++
++ return CKR_OK;
+ }
+
+-int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) {
++static CK_RV get_EC_evp_pubkey(CK_ATTRIBUTE_PTR ecparams, CK_ATTRIBUTE_PTR ecpoint, EVP_PKEY **out_pkey) {
++
++ /*
++ * The simplest way I have found to deal with this is to convert the ASN1 object in
++ * the ecparams attribute (was done previously with d2i_ECParameters) is to a nid and
++ * then take the int nid and convert it to a friendly name like prime256v1.
++ * EVP_PKEY_fromdata can handle group by name.
++ *
++ * Per the spec this is "DER-encoding of an ANSI X9.62 Parameters value".
++ */
++ int curve_id = 0;
++ CK_RV rv = ssl_util_params_to_nid(ecparams, &curve_id);
++ if (rv != CKR_OK) {
++ LOGE("Could not get nid from params");
++ return rv;
++ }
+
+- if (!r || !s) {
+- return 0;
++ /* Per the spec CKA_EC_POINT attribute is the "DER-encoding of ANSI X9.62 ECPoint value Q */
++ const unsigned char *x = ecpoint->pValue;
++ ASN1_OCTET_STRING *os = d2i_ASN1_OCTET_STRING(NULL, &x, ecpoint->ulValueLen);
++ if (!os) {
++ SSL_UTIL_LOGE("d2i_ASN1_OCTET_STRING: %s");
++ return CKR_GENERAL_ERROR;
+ }
+
+- BN_free(sig->r);
+- BN_free(sig->s);
++ OSSL_PARAM params[] = {
++ OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, (char *)OBJ_nid2sn(curve_id), 0),
++ OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PUB_KEY, os->data, os->length),
++ OSSL_PARAM_END
++ };
+
+- sig->r = r;
+- sig->s = s;
++ /* convert params to EVP key */
++ EVP_PKEY_CTX *evp_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
++ if (!evp_ctx) {
++ SSL_UTIL_LOGE("EVP_PKEY_CTX_new_id");
++ OPENSSL_free(os);
++ return CKR_GENERAL_ERROR;
++ }
+
+- return 1;
+-}
++ int rc = EVP_PKEY_fromdata_init(evp_ctx);
++ if (rc != 1) {
++ SSL_UTIL_LOGE("EVP_PKEY_fromdata_init: %s");
++ EVP_PKEY_CTX_free(evp_ctx);
++ OPENSSL_free(os);
++ return CKR_GENERAL_ERROR;
++ }
+
+-EC_KEY *EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey) {
+- if (pkey->type != EVP_PKEY_EC) {
+- return NULL;
++ rc = EVP_PKEY_fromdata(evp_ctx, out_pkey, EVP_PKEY_PUBLIC_KEY, params);
++ if (rc != 1) {
++ SSL_UTIL_LOGE("EVP_PKEY_fromdata");
++ EVP_PKEY_CTX_free(evp_ctx);
++ OPENSSL_free(os);
++ return CKR_GENERAL_ERROR;
+ }
+
+- return pkey->pkey.ec;
++ EVP_PKEY_CTX_free(evp_ctx);
++ OPENSSL_free(os);
++
++ return CKR_OK;
+ }
+-#endif
+
+-static CK_RV convert_pubkey_RSA(RSA **outkey, attr_list *attrs) {
++#else
+
+- RSA *rsa = NULL;
+- BIGNUM *e = NULL, *n = NULL;
++static CK_RV get_RSA_evp_pubkey(CK_ATTRIBUTE_PTR e_attr, CK_ATTRIBUTE_PTR n_attr, EVP_PKEY **out_pkey) {
+
+- CK_ATTRIBUTE_PTR exp = attr_get_attribute_by_type(attrs, CKA_PUBLIC_EXPONENT);
+- if (!exp) {
+- LOGE("RSA Object must have attribute CKA_PUBLIC_EXPONENT");
++ BIGNUM *e = BN_bin2bn(e_attr->pValue, e_attr->ulValueLen, NULL);
++ if (!e) {
++ LOGE("Could not convert exponent to bignum");
+ return CKR_GENERAL_ERROR;
+ }
+
+- CK_ATTRIBUTE_PTR mod = attr_get_attribute_by_type(attrs, CKA_MODULUS);
+- if (!mod) {
+- LOGE("RSA Object must have attribute CKA_MODULUS");
++ BIGNUM *n = BN_bin2bn(n_attr->pValue, n_attr->ulValueLen, NULL);
++ if (!n) {
++ LOGE("Could not convert modulus to bignum");
++ BN_free(e);
+ return CKR_GENERAL_ERROR;
+ }
+
+- rsa = RSA_new();
++ RSA *rsa = RSA_new();
+ if (!rsa) {
+- SSL_UTIL_LOGE("Failed to allocate OpenSSL RSA structure");
+- goto error;
++ LOGE("oom");
++ return CKR_HOST_MEMORY;
+ }
+
+- e = BN_bin2bn(exp->pValue, exp->ulValueLen, NULL);
+- if (!e) {
+- SSL_UTIL_LOGE("Failed to convert exponent to SSL internal format");
+- goto error;
++ int rc = RSA_set0_key(rsa, n, e, NULL);
++ if (!rc) {
++ LOGE("Could not set modulus and exponent to OSSL RSA key");
++ BN_free(n);
++ BN_free(e);
++ RSA_free(rsa);
++ return CKR_GENERAL_ERROR;
+ }
+
+- n = BN_bin2bn(mod->pValue, mod->ulValueLen, NULL);
+- if (!n) {
+- SSL_UTIL_LOGE("Failed to convert modulus to SSL internal format");
+- goto error;
++ /* assigned to RSA key */
++ n = e = NULL;
++
++ EVP_PKEY *pkey = EVP_PKEY_new();
++ if (!pkey) {
++ SSL_UTIL_LOGE("EVP_PKEY_new");
++ RSA_free(rsa);
++ return CKR_GENERAL_ERROR;
+ }
+
+- if (!RSA_set0_key(rsa, n, e, NULL)) {
+- SSL_UTIL_LOGE("Failed to set RSA modulus and exponent components");
++ rc = EVP_PKEY_assign_RSA(pkey, rsa);
++ if (rc != 1) {
+ RSA_free(rsa);
+- BN_free(e);
+- BN_free(n);
+- goto error;
++ EVP_PKEY_free(pkey);
++ return CKR_GENERAL_ERROR;
+ }
+
+- *outkey = rsa;
++ *out_pkey = pkey;
+
+ return CKR_OK;
+-
+-error:
+- RSA_free(rsa);
+- if (e) {
+- BN_free(e);
+- }
+- if (n) {
+- BN_free(n);
+- }
+-
+- return CKR_GENERAL_ERROR;
+ }
+
+-static CK_RV convert_pubkey_ECC(EC_KEY **outkey, attr_list *attrs) {
++static CK_RV get_EC_evp_pubkey(CK_ATTRIBUTE_PTR ecparams, CK_ATTRIBUTE_PTR ecpoint, EVP_PKEY **out_pkey) {
+
+- EC_KEY *key = EC_KEY_new();
+- if (!key) {
++ EC_KEY *ecc = EC_KEY_new();
++ if (!ecc) {
+ LOGE("oom");
+ return CKR_HOST_MEMORY;
+ }
+
+- CK_ATTRIBUTE_PTR ecparams = attr_get_attribute_by_type(attrs, CKA_EC_PARAMS);
+- if (!ecparams) {
+- LOGE("ECC Key must have attribute CKA_EC_PARAMS");
+- return CKR_GENERAL_ERROR;
+- }
+-
+- CK_ATTRIBUTE_PTR ecpoint = attr_get_attribute_by_type(attrs, CKA_EC_POINT);
+- if (!ecpoint) {
+- LOGE("ECC Key must have attribute CKA_EC_POINT");
+- return CKR_GENERAL_ERROR;
+- }
+-
+ /* set params */
+ const unsigned char *x = ecparams->pValue;
+- EC_KEY *k = d2i_ECParameters(&key, &x, ecparams->ulValueLen);
++ EC_KEY *k = d2i_ECParameters(&ecc, &x, ecparams->ulValueLen);
+ if (!k) {
+ SSL_UTIL_LOGE("Could not update key with EC Parameters");
+- EC_KEY_free(key);
++ EC_KEY_free(ecc);
+ return CKR_GENERAL_ERROR;
+ }
+
+@@ -215,22 +250,38 @@ static CK_RV convert_pubkey_ECC(EC_KEY *
+ ASN1_OCTET_STRING *os = d2i_ASN1_OCTET_STRING(NULL, &x, ecpoint->ulValueLen);
+ if (os) {
+ x = os->data;
+- k = o2i_ECPublicKey(&key, &x, os->length);
++ k = o2i_ECPublicKey(&ecc, &x, os->length);
+ ASN1_STRING_free(os);
+ if (!k) {
+ SSL_UTIL_LOGE("Could not update key with EC Points");
+- EC_KEY_free(key);
++ EC_KEY_free(ecc);
+ return CKR_GENERAL_ERROR;
+ }
+ }
+
+- *outkey = key;
++ EVP_PKEY *pkey = EVP_PKEY_new();
++ if (!pkey) {
++ SSL_UTIL_LOGE("EVP_PKEY_new");
++ EC_KEY_free(ecc);
++ return CKR_GENERAL_ERROR;
++ }
++
++ int rc = EVP_PKEY_assign_EC_KEY(pkey, ecc);
++ if (!rc) {
++ SSL_UTIL_LOGE("Could not set pkey with ec key");
++ EC_KEY_free(ecc);
++ EVP_PKEY_free(pkey);
++ return CKR_GENERAL_ERROR;
++ }
++
++ *out_pkey = pkey;
+ return CKR_OK;
+ }
++#endif
+
+-CK_RV ssl_util_tobject_to_evp(EVP_PKEY **outpkey, tobject *obj) {
++CK_RV ssl_util_attrs_to_evp(attr_list *attrs, EVP_PKEY **outpkey) {
+
+- CK_ATTRIBUTE_PTR a = attr_get_attribute_by_type(obj->attrs, CKA_KEY_TYPE);
++ CK_ATTRIBUTE_PTR a = attr_get_attribute_by_type(attrs, CKA_KEY_TYPE);
+ if (!a) {
+ LOGE("Expected object to have attribute CKA_KEY_TYPE");
+ return CKR_KEY_TYPE_INCONSISTENT;
+@@ -253,44 +304,52 @@ CK_RV ssl_util_tobject_to_evp(EVP_PKEY *
+ return CKR_OK;
+ }
+
+- EVP_PKEY *pkey = EVP_PKEY_new();
+- if (!pkey) {
+- LOGE("oom");
+- return CKR_HOST_MEMORY;
+- }
++ EVP_PKEY *pkey = NULL;
+
+ if (key_type == CKK_EC) {
+- EC_KEY *e = NULL;
+- rv = convert_pubkey_ECC(&e, obj->attrs);
+- if (rv != CKR_OK) {
+- return rv;
++
++ CK_ATTRIBUTE_PTR ecparams = attr_get_attribute_by_type(attrs, CKA_EC_PARAMS);
++ if (!ecparams) {
++ LOGE("ECC Key must have attribute CKA_EC_PARAMS");
++ return CKR_GENERAL_ERROR;
+ }
+- int rc = EVP_PKEY_assign_EC_KEY(pkey, e);
+- if (!rc) {
+- SSL_UTIL_LOGE("Could not set pkey with ec key");
+- EC_KEY_free(e);
+- EVP_PKEY_free(pkey);
++
++ CK_ATTRIBUTE_PTR ecpoint = attr_get_attribute_by_type(attrs, CKA_EC_POINT);
++ if (!ecpoint) {
++ LOGE("ECC Key must have attribute CKA_EC_POINT");
+ return CKR_GENERAL_ERROR;
+ }
+- } else if (key_type == CKK_RSA) {
+- RSA *r = NULL;
+- rv = convert_pubkey_RSA(&r, obj->attrs);
++
++ rv = get_EC_evp_pubkey(ecparams, ecpoint, &pkey);
+ if (rv != CKR_OK) {
+ return rv;
+ }
+- int rc = EVP_PKEY_assign_RSA(pkey, r);
+- if (!rc) {
+- SSL_UTIL_LOGE("Could not set pkey with rsa key");
+- RSA_free(r);
+- EVP_PKEY_free(pkey);
++
++ } else if (key_type == CKK_RSA) {
++
++ CK_ATTRIBUTE_PTR exp = attr_get_attribute_by_type(attrs, CKA_PUBLIC_EXPONENT);
++ if (!exp) {
++ LOGE("RSA Object must have attribute CKA_PUBLIC_EXPONENT");
+ return CKR_GENERAL_ERROR;
+ }
++
++ CK_ATTRIBUTE_PTR mod = attr_get_attribute_by_type(attrs, CKA_MODULUS);
++ if (!mod) {
++ LOGE("RSA Object must have attribute CKA_MODULUS");
++ return CKR_GENERAL_ERROR;
++ }
++
++ rv = get_RSA_evp_pubkey(exp, mod, &pkey);
++ if (rv != CKR_OK) {
++ return rv;
++ }
++
+ } else {
+ LOGE("Invalid CKA_KEY_TYPE, got: %lu", key_type);
+- EVP_PKEY_free(pkey);
+ return CKR_KEY_TYPE_INCONSISTENT;
+ }
+
++ assert(pkey);
+ *outpkey = pkey;
+
+ return CKR_OK;
+@@ -406,10 +465,12 @@ CK_RV ssl_util_setup_evp_pkey_ctx(EVP_PK
+ }
+ }
+
+- rc = EVP_PKEY_CTX_set_signature_md(pkey_ctx, md);
+- if (!rc) {
+- SSL_UTIL_LOGE("EVP_PKEY_CTX_set_signature_md failed");
+- goto error;
++ if (md) {
++ rc = EVP_PKEY_CTX_set_signature_md(pkey_ctx, md);
++ if (!rc) {
++ SSL_UTIL_LOGE("EVP_PKEY_CTX_set_signature_md failed");
++ goto error;
++ }
+ }
+
+ *outpkey_ctx = pkey_ctx;
+@@ -421,21 +482,12 @@ error:
+ return CKR_GENERAL_ERROR;
+ }
+
+-static CK_RV do_sig_verify_rsa(EVP_PKEY *pkey,
+- int padding, const EVP_MD *md,
+- CK_BYTE_PTR digest, CK_ULONG digest_len,
+- CK_BYTE_PTR signature, CK_ULONG signature_len) {
++static CK_RV sig_verify(EVP_PKEY_CTX *ctx,
++ const unsigned char *sig, size_t siglen,
++ const unsigned char *tbs, size_t tbslen) {
+
+ CK_RV rv = CKR_GENERAL_ERROR;
+-
+- EVP_PKEY_CTX *pkey_ctx = NULL;
+- rv = ssl_util_setup_evp_pkey_ctx(pkey, padding, md,
+- EVP_PKEY_verify_init, &pkey_ctx);
+- if (rv != CKR_OK) {
+- return rv;
+- }
+-
+- int rc = EVP_PKEY_verify(pkey_ctx, signature, signature_len, digest, digest_len);
++ int rc = EVP_PKEY_verify(ctx, sig, siglen, tbs, tbslen);
+ if (rc < 0) {
+ SSL_UTIL_LOGE("EVP_PKEY_verify failed");
+ } else if (rc == 1) {
+@@ -444,11 +496,11 @@ static CK_RV do_sig_verify_rsa(EVP_PKEY
+ rv = CKR_SIGNATURE_INVALID;
+ }
+
+- EVP_PKEY_CTX_free(pkey_ctx);
+ return rv;
+ }
+
+-static CK_RV create_ecdsa_sig(CK_BYTE_PTR sig, CK_ULONG siglen, ECDSA_SIG **outsig) {
++static CK_RV create_ecdsa_sig(CK_BYTE_PTR sig, CK_ULONG siglen,
++ unsigned char **outbuf, size_t *outlen) {
+
+ if (siglen & 1) {
+ LOGE("Expected ECDSA signature length to be even, got : %lu",
+@@ -487,21 +539,48 @@ static CK_RV create_ecdsa_sig(CK_BYTE_PT
+ return CKR_GENERAL_ERROR;
+ }
+
+- *outsig = ossl_sig;
++ int sig_len =i2d_ECDSA_SIG(ossl_sig, NULL);
++ if (sig_len <= 0) {
++ if (rc < 0) {
++ SSL_UTIL_LOGE("ECDSA_do_verify failed");
++ } else {
++ LOGE("Expected length to be greater than 0");
++ }
++ ECDSA_SIG_free(ossl_sig);
++ return CKR_GENERAL_ERROR;
++ }
++
++ unsigned char *buf = calloc(1, sig_len);
++ if (!buf) {
++ LOGE("oom");
++ ECDSA_SIG_free(ossl_sig);
++ return CKR_HOST_MEMORY;
++ }
++
++ unsigned char *p = buf;
++ int sig_len2 = i2d_ECDSA_SIG(ossl_sig, &p);
++ if (sig_len2 < 0) {
++ SSL_UTIL_LOGE("ECDSA_do_verify failed");
++ ECDSA_SIG_free(ossl_sig);
++ free(buf);
++ return CKR_GENERAL_ERROR;
++ }
++
++ assert(sig_len == sig_len2);
++
++ ECDSA_SIG_free(ossl_sig);
++
++ *outbuf = buf;
++ *outlen = sig_len;
+
+ return CKR_OK;
+ }
+
+ static CK_RV do_sig_verify_ec(EVP_PKEY *pkey,
++ const EVP_MD *md,
+ CK_BYTE_PTR digest, CK_ULONG digest_len,
+ CK_BYTE_PTR signature, CK_ULONG signature_len) {
+
+- EC_KEY *eckey = EVP_PKEY_get0_EC_KEY(pkey);
+- if (!eckey) {
+- LOGE("Expected EC Key");
+- return CKR_GENERAL_ERROR;
+- }
+-
+ /*
+ * OpenSSL expects ASN1 framed signatures, PKCS11 does flat
+ * R + S signatures, so convert it to ASN1 framing.
+@@ -509,21 +588,47 @@ static CK_RV do_sig_verify_ec(EVP_PKEY *
+ * https://github.com/tpm2-software/tpm2-pkcs11/issues/277
+ * For details.
+ */
+- ECDSA_SIG *ossl_sig = NULL;
+- CK_RV rv = create_ecdsa_sig(signature, signature_len, &ossl_sig);
++ unsigned char *buf = NULL;
++ size_t buflen = 0;
++ CK_RV rv = create_ecdsa_sig(signature, signature_len, &buf, &buflen);
+ if (rv != CKR_OK) {
+ return rv;
+ }
+
+- int rc = ECDSA_do_verify(digest, digest_len, ossl_sig, eckey);
+- if (rc < 0) {
+- ECDSA_SIG_free(ossl_sig);
+- SSL_UTIL_LOGE("ECDSA_do_verify failed");
+- return CKR_GENERAL_ERROR;
++ EVP_PKEY_CTX *pkey_ctx = NULL;
++ rv = ssl_util_setup_evp_pkey_ctx(pkey, 0, md,
++ EVP_PKEY_verify_init, &pkey_ctx);
++ if (rv != CKR_OK) {
++ free(buf);
++ return rv;
+ }
+- ECDSA_SIG_free(ossl_sig);
+
+- return rc == 1 ? CKR_OK : CKR_SIGNATURE_INVALID;
++ rv = sig_verify(pkey_ctx, buf, buflen, digest, digest_len);
++
++ EVP_PKEY_CTX_free(pkey_ctx);
++ free(buf);
++
++ return rv;
++}
++
++static CK_RV do_sig_verify_rsa(EVP_PKEY *pkey,
++ int padding, const EVP_MD *md,
++ CK_BYTE_PTR digest, CK_ULONG digest_len,
++ CK_BYTE_PTR signature, CK_ULONG signature_len) {
++
++ CK_RV rv = CKR_GENERAL_ERROR;
++
++ EVP_PKEY_CTX *pkey_ctx = NULL;
++ rv = ssl_util_setup_evp_pkey_ctx(pkey, padding, md,
++ EVP_PKEY_verify_init, &pkey_ctx);
++ if (rv != CKR_OK) {
++ return rv;
++ }
++
++ rv = sig_verify(pkey_ctx, signature, signature_len, digest, digest_len);
++
++ EVP_PKEY_CTX_free(pkey_ctx);
++ return rv;
+ }
+
+ CK_RV ssl_util_sig_verify(EVP_PKEY *pkey,
+@@ -538,7 +643,7 @@ CK_RV ssl_util_sig_verify(EVP_PKEY *pkey
+ digest, digest_len,
+ signature, signature_len);
+ case EVP_PKEY_EC:
+- return do_sig_verify_ec(pkey, digest, digest_len,
++ return do_sig_verify_ec(pkey, md, digest, digest_len,
+ signature, signature_len);
+ default:
+ LOGE("Unknown PKEY type, got: %d", type);
+@@ -577,3 +682,65 @@ CK_RV ssl_util_verify_recover(EVP_PKEY *
+ EVP_PKEY_CTX_free(pkey_ctx);
+ return rv;
+ }
++
++twist ssl_util_hash_pass(const twist pin, const twist salt) {
++
++
++ twist out = NULL;
++ unsigned char md[SHA256_DIGEST_LENGTH];
++
++ EVP_MD_CTX *ctx = EVP_MD_CTX_new();
++ if (!ctx) {
++ SSL_UTIL_LOGE("EVP_MD_CTX_new");
++ return NULL;
++ }
++
++ int rc = EVP_DigestInit(ctx, EVP_sha256());
++ if (rc != 1) {
++ SSL_UTIL_LOGE("EVP_DigestInit");
++ goto error;
++ }
++
++ rc = EVP_DigestUpdate(ctx, pin, twist_len(pin));
++ if (rc != 1) {
++ SSL_UTIL_LOGE("EVP_DigestUpdate");
++ goto error;
++ }
++
++ rc = EVP_DigestUpdate(ctx, salt, twist_len(salt));
++ if (rc != 1) {
++ SSL_UTIL_LOGE("EVP_DigestUpdate");
++ goto error;
++ }
++
++ unsigned int len = sizeof(md);
++ rc = EVP_DigestFinal(ctx, md, &len);
++ if (rc != 1) {
++ SSL_UTIL_LOGE("EVP_DigestFinal");
++ goto error;
++ }
++
++ /* truncate the password to 32 characters */
++ out = twist_hex_new((char *)md, sizeof(md)/2);
++
++error:
++ EVP_MD_CTX_free(ctx);
++
++ return out;
++}
++
++CK_RV ssl_util_params_to_nid(CK_ATTRIBUTE_PTR ecparams, int *nid) {
++
++ const unsigned char *p = ecparams->pValue;
++
++ ASN1_OBJECT *a = d2i_ASN1_OBJECT(NULL, &p, ecparams->ulValueLen);
++ if (!a) {
++ LOGE("Unknown CKA_EC_PARAMS value");
++ return CKR_ATTRIBUTE_VALUE_INVALID;
++ }
++
++ *nid = OBJ_obj2nid(a);
++ ASN1_OBJECT_free(a);
++
++ return CKR_OK;
++}
+Index: git/src/lib/ssl_util.h
+===================================================================
+--- git.orig/src/lib/ssl_util.h
++++ git/src/lib/ssl_util.h
+@@ -11,8 +11,8 @@
+
+ #include "pkcs11.h"
+
++#include "attrs.h"
+ #include "log.h"
+-#include "object.h"
+ #include "twist.h"
+
+ #if (OPENSSL_VERSION_NUMBER < 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) /* OpenSSL 1.1.0 */
+@@ -22,6 +22,10 @@
+ #define LIB_TPM2_OPENSSL_OPENSSL_POST111 0x1010100f
+ #endif
+
++#if (OPENSSL_VERSION_NUMBER >= 0x30000000) /* OpenSSL 3.0.0 */
++#define LIB_TPM2_OPENSSL_OPENSSL_POST300 0x1010100f
++#endif
++
+ /* OpenSSL Backwards Compat APIs */
+ #if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11)
+ #include <string.h>
+@@ -58,7 +62,7 @@ static inline void *OPENSSL_memdup(const
+
+ #define SSL_UTIL_LOGE(m) LOGE("%s: %s", m, ERR_error_string(ERR_get_error(), NULL));
+
+-CK_RV ssl_util_tobject_to_evp(EVP_PKEY **outpkey, tobject *obj);
++CK_RV ssl_util_attrs_to_evp(attr_list *attrs, EVP_PKEY **outpkey);
+
+ CK_RV ssl_util_encrypt(EVP_PKEY *pkey,
+ int padding, twist label, const EVP_MD *md,
+@@ -82,4 +86,27 @@ CK_RV ssl_util_setup_evp_pkey_ctx(EVP_PK
+ fn_EVP_PKEY_init init_fn,
+ EVP_PKEY_CTX **outpkey_ctx);
+
++CK_RV ssl_util_add_PKCS1_PSS(EVP_PKEY *pkey,
++ const CK_BYTE_PTR inbuf, const EVP_MD *md,
++ CK_BYTE_PTR outbuf);
++
++CK_RV ssl_util_add_PKCS1_TYPE_1(const CK_BYTE_PTR inbuf, CK_ULONG inlen,
++ CK_BYTE_PTR outbuf, CK_ULONG outbuflen);
++
++CK_RV ssl_util_check_PKCS1_TYPE_2(const CK_BYTE_PTR inbuf, CK_ULONG inlen, CK_ULONG rsa_len,
++ CK_BYTE_PTR outbuf, CK_ULONG_PTR outbuflen);
++
++twist ssl_util_hash_pass(const twist pin, const twist salt);
++
++/**
++ * Given an attribute of CKA_EC_PARAMS returns the nid value.
++ * @param ecparams
++ * The DER X9.62 parameters value
++ * @param nid
++ * The nid to set
++ * @return
++ * CKR_OK on success.
++ */
++CK_RV ssl_util_params_to_nid(CK_ATTRIBUTE_PTR ecparams, int *nid);
++
+ #endif /* SRC_LIB_SSL_UTIL_H_ */
+Index: git/src/lib/tpm.c
+===================================================================
+--- git.orig/src/lib/tpm.c
++++ git/src/lib/tpm.c
+@@ -3099,7 +3099,7 @@ static CK_RV handle_ecparams(CK_ATTRIBUT
+ tpm_key_data *keydat = (tpm_key_data *)udata;
+
+ int nid = 0;
+- CK_RV rv = ec_params_to_nid(attr, &nid);
++ CK_RV rv = ssl_util_params_to_nid(attr, &nid);
+ if (rv != CKR_OK) {
+ return rv;
+ }
+@@ -3451,7 +3451,7 @@ static EC_POINT *tpm_pub_to_ossl_pub(EC_
+ goto out;
+ }
+
+- int rc = EC_POINT_set_affine_coordinates_GFp(group,
++ int rc = EC_POINT_set_affine_coordinates(group,
+ pub_key_point_tmp,
+ bn_x,
+ bn_y,
+@@ -4579,7 +4579,7 @@ CK_RV tpm_get_pss_sig_state(tpm_ctx *tct
+ goto out;
+ }
+
+- rv = ssl_util_tobject_to_evp(&pkey, tobj);
++ rv = ssl_util_attrs_to_evp(tobj->attrs, &pkey);
+ if (rv != CKR_OK) {
+ goto out;
+ }
+Index: git/src/lib/utils.c
+===================================================================
+--- git.orig/src/lib/utils.c
++++ git/src/lib/utils.c
+@@ -7,6 +7,7 @@
+ #include <openssl/sha.h>
+
+ #include "log.h"
++#include "ssl_util.h"
+ #include "token.h"
+ #include "utils.h"
+
+@@ -45,7 +46,7 @@ CK_RV utils_setup_new_object_auth(twist
+ pin_to_use = newpin;
+ }
+
+- *newauthhex = utils_hash_pass(pin_to_use, salt_to_use);
++ *newauthhex = ssl_util_hash_pass(pin_to_use, salt_to_use);
+ if (!*newauthhex) {
+ goto out;
+ }
+@@ -330,22 +331,6 @@ out:
+
+ }
+
+-twist utils_hash_pass(const twist pin, const twist salt) {
+-
+-
+- unsigned char md[SHA256_DIGEST_LENGTH];
+-
+- SHA256_CTX sha256;
+- SHA256_Init(&sha256);
+-
+- SHA256_Update(&sha256, pin, twist_len(pin));
+- SHA256_Update(&sha256, salt, twist_len(salt));
+- SHA256_Final(md, &sha256);
+-
+- /* truncate the password to 32 characters */
+- return twist_hex_new((char *)md, sizeof(md)/2);
+-}
+-
+ size_t utils_get_halg_size(CK_MECHANISM_TYPE mttype) {
+
+ switch(mttype) {
+@@ -448,22 +433,6 @@ CK_RV utils_ctx_wrap_objauth(twist wrapp
+
+ return CKR_OK;
+ }
+-
+-CK_RV ec_params_to_nid(CK_ATTRIBUTE_PTR ecparams, int *nid) {
+-
+- const unsigned char *p = ecparams->pValue;
+-
+- ASN1_OBJECT *a = d2i_ASN1_OBJECT(NULL, &p, ecparams->ulValueLen);
+- if (!a) {
+- LOGE("Unknown CKA_EC_PARAMS value");
+- return CKR_ATTRIBUTE_VALUE_INVALID;
+- }
+-
+- *nid = OBJ_obj2nid(a);
+- ASN1_OBJECT_free(a);
+-
+- return CKR_OK;
+-}
+
+ CK_RV apply_pkcs7_pad(const CK_BYTE_PTR in, CK_ULONG inlen,
+ CK_BYTE_PTR out, CK_ULONG_PTR outlen) {
+Index: git/src/lib/utils.h
+===================================================================
+--- git.orig/src/lib/utils.h
++++ git/src/lib/utils.h
+@@ -45,8 +45,6 @@ static inline void _str_padded_copy(CK_U
+ memcpy(dst, src, src_len);
+ }
+
+-twist utils_hash_pass(const twist pin, const twist salt);
+-
+ twist aes256_gcm_decrypt(const twist key, const twist objauth);
+
+ twist aes256_gcm_encrypt(twist keybin, twist plaintextbin);
+@@ -77,17 +75,6 @@ CK_RV utils_ctx_unwrap_objauth(twist wra
+ CK_RV utils_ctx_wrap_objauth(twist wrappingkey, twist objauth, twist *wrapped_auth);
+
+ /**
+- * Given an attribute of CKA_EC_PARAMS returns the nid value.
+- * @param ecparams
+- * The DER X9.62 parameters value
+- * @param nid
+- * The nid to set
+- * @return
+- * CKR_OK on success.
+- */
+-CK_RV ec_params_to_nid(CK_ATTRIBUTE_PTR ecparams, int *nid);
+-
+-/**
+ * Removes a PKCS7 padding on a 16 byte block.
+ * @param in
+ * The PKCS5 padded input.
+Index: git/test/integration/pkcs-sign-verify.int.c
+===================================================================
+--- git.orig/test/integration/pkcs-sign-verify.int.c
++++ git/test/integration/pkcs-sign-verify.int.c
+@@ -1061,70 +1061,13 @@ static void test_double_sign_final_call_
+ assert_int_equal(rv, CKR_OK);
+ }
+
+-static CK_ATTRIBUTE_PTR get_attr(CK_ATTRIBUTE_TYPE type, CK_ATTRIBUTE_PTR attrs, CK_ULONG attr_len) {
+-
+- CK_ULONG i;
+- for (i=0; i < attr_len; i++) {
+- CK_ATTRIBUTE_PTR a = &attrs[i];
+- if (a->type == type) {
+- return a;
+- }
+- }
+-
+- return NULL;
+-}
+-
+-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) /* OpenSSL 1.1.0 */
+-#define LIB_TPM2_OPENSSL_OPENSSL_PRE11
+-#endif
+-
+-RSA *template_to_rsa_pub_key(CK_ATTRIBUTE_PTR attrs, CK_ULONG attr_len) {
+-
+- RSA *ssl_rsa_key = NULL;
+- BIGNUM *e = NULL, *n = NULL;
+-
+- /* get the exponent */
+- CK_ATTRIBUTE_PTR a = get_attr(CKA_PUBLIC_EXPONENT, attrs, attr_len);
+- assert_non_null(a);
+-
+- e = BN_bin2bn((void*)a->pValue, a->ulValueLen, NULL);
+- assert_non_null(e);
+-
+- /* get the modulus */
+- a = get_attr(CKA_MODULUS, attrs, attr_len);
+- assert_non_null(a);
+-
+- n = BN_bin2bn(a->pValue, a->ulValueLen,
+- NULL);
+- assert_non_null(n);
+-
+- ssl_rsa_key = RSA_new();
+- assert_non_null(ssl_rsa_key);
+-
+-#if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11)
+- ssl_rsa_key->e = e;
+- ssl_rsa_key->n = n;
+-#else
+- int rc = RSA_set0_key(ssl_rsa_key, n, e, NULL);
+- assert_int_equal(rc, 1);
+-#endif
+-
+- return ssl_rsa_key;
+-}
+-
+-static void verify(RSA *pub, CK_BYTE_PTR msg, CK_ULONG msg_len, CK_BYTE_PTR sig, CK_ULONG sig_len) {
+-
+- EVP_PKEY *pkey = EVP_PKEY_new();
+- assert_non_null(pkey);
+-
+- int rc = EVP_PKEY_set1_RSA(pkey, pub);
+- assert_int_equal(rc, 1);
++static void verify(EVP_PKEY *pkey, CK_BYTE_PTR msg, CK_ULONG msg_len, CK_BYTE_PTR sig, CK_ULONG sig_len) {
+
+ EVP_MD_CTX *ctx = EVP_MD_CTX_create();
+ const EVP_MD* md = EVP_get_digestbyname("SHA256");
+ assert_non_null(md);
+
+- rc = EVP_DigestInit_ex(ctx, md, NULL);
++ int rc = EVP_DigestInit_ex(ctx, md, NULL);
+ assert_int_equal(rc, 1);
+
+ rc = EVP_DigestVerifyInit(ctx, NULL, md, NULL, pkey);
+@@ -1136,7 +1079,6 @@ static void verify(RSA *pub, CK_BYTE_PTR
+ rc = EVP_DigestVerifyFinal(ctx, sig, sig_len);
+ assert_int_equal(rc, 1);
+
+- EVP_PKEY_free(pkey);
+ EVP_MD_CTX_destroy(ctx);
+ }
+
+@@ -1170,20 +1112,38 @@ static void test_sign_verify_public(void
+ assert_int_equal(siglen, 256);
+
+ /* build an OSSL RSA key from parts */
+- CK_BYTE _tmp_bufs[2][1024];
++ CK_BYTE _tmp_bufs[3][1024];
+ CK_ATTRIBUTE attrs[] = {
+- { .type = CKA_PUBLIC_EXPONENT, .ulValueLen = sizeof(_tmp_bufs[0]), .pValue = &_tmp_bufs[0] },
+- { .type = CKA_MODULUS, .ulValueLen = sizeof(_tmp_bufs[1]), .pValue = &_tmp_bufs[1] },
++ { .type = CKA_KEY_TYPE, .ulValueLen = sizeof(_tmp_bufs[0]), .pValue = &_tmp_bufs[0] },
++ { .type = CKA_PUBLIC_EXPONENT, .ulValueLen = sizeof(_tmp_bufs[0]), .pValue = &_tmp_bufs[1] },
++ { .type = CKA_MODULUS, .ulValueLen = sizeof(_tmp_bufs[1]), .pValue = &_tmp_bufs[2] },
+ };
+
+ rv = C_GetAttributeValue(session, pub_handle, attrs, ARRAY_LEN(attrs));
+ assert_int_equal(rv, CKR_OK);
+
+- RSA *r = template_to_rsa_pub_key(attrs, ARRAY_LEN(attrs));
+- assert_non_null(r);
++ CK_KEY_TYPE key_type = CKA_KEY_TYPE_BAD;
++ rv = attr_CK_KEY_TYPE(&attrs[0], &key_type);
++ assert_int_equal(rv, CKR_OK);
++
++ EVP_PKEY *pkey = NULL;
++ attr_list *l = attr_list_new();
++
++ bool res = attr_list_add_int(l, CKA_KEY_TYPE, key_type);
++ assert_true(res);
+
+- verify(r, msg, sizeof(msg) - 1, sig, siglen);
+- RSA_free(r);
++ res = attr_list_add_buf(l, attrs[1].type, attrs[1].pValue, attrs[1].ulValueLen);
++ assert_true(res);
++
++ res = attr_list_add_buf(l, attrs[2].type, attrs[2].pValue, attrs[2].ulValueLen);
++ assert_true(res);
++
++ rv = ssl_util_attrs_to_evp(l, &pkey);
++ assert_int_equal(rv, CKR_OK);
++ attr_list_free(l);
++
++ verify(pkey, msg, sizeof(msg) - 1, sig, siglen);
++ EVP_PKEY_free(pkey);
+ }
+
+ static void test_sign_verify_context_specific_good(void **state) {
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0002-ossl-require-version-1.1.0-or-greater.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0002-ossl-require-version-1.1.0-or-greater.patch
new file mode 100644
index 0000000..ef0a6dc
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0002-ossl-require-version-1.1.0-or-greater.patch
@@ -0,0 +1,93 @@
+From d33e5ef0b11125fe4683d7bfa17023e24997f587 Mon Sep 17 00:00:00 2001
+From: William Roberts <william.c.roberts@intel.com>
+Date: Fri, 3 Sep 2021 11:30:50 -0500
+Subject: [PATCH 2/2] ossl: require version 1.1.0 or greater
+
+THIS DROPS SUPPORT FOR OSSL 1.0.2.
+
+Signed-off-by: William Roberts <william.c.roberts@intel.com>
+
+Upstream-Status: Backport
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+---
+ configure.ac | 2 +-
+ src/lib/ssl_util.h | 43 +++++--------------------------------------
+ 2 files changed, 6 insertions(+), 39 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index a7aeaf5..94fb5d4 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -55,7 +55,7 @@ PKG_CHECK_EXISTS([tss2-esys >= 3.0],
+ # require sqlite3 and libcrypto
+ PKG_CHECK_MODULES([SQLITE3], [sqlite3])
+ PKG_CHECK_MODULES([YAML], [yaml-0.1])
+-PKG_CHECK_MODULES([CRYPTO], [libcrypto >= 1.0.2g])
++PKG_CHECK_MODULES([CRYPTO], [libcrypto >= 1.1.0])
+
+ # check for pthread
+ AX_PTHREAD([],[AC_MSG_ERROR([Cannot find pthread])])
+diff --git a/src/lib/ssl_util.h b/src/lib/ssl_util.h
+index 9909fd6..2591728 100644
+--- a/src/lib/ssl_util.h
++++ b/src/lib/ssl_util.h
+@@ -15,51 +15,18 @@
+ #include "log.h"
+ #include "twist.h"
+
+-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) /* OpenSSL 1.1.0 */
+-#define LIB_TPM2_OPENSSL_OPENSSL_PRE11
+-/* LibreSSL does not appear to have evperr.h, so their is no need to define this otherwise */
+-#elif (OPENSSL_VERSION_NUMBER >= 0x1010100fL) /* OpenSSL 1.1.1 */
++#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL) /* OpenSSL 1.1.1 */
+ #define LIB_TPM2_OPENSSL_OPENSSL_POST111 0x1010100f
+ #endif
+
+-#if (OPENSSL_VERSION_NUMBER >= 0x30000000) /* OpenSSL 3.0.0 */
+-#define LIB_TPM2_OPENSSL_OPENSSL_POST300 0x1010100f
++#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST111)
++#include <openssl/evperr.h>
+ #endif
+
+-/* OpenSSL Backwards Compat APIs */
+-#if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11)
+-#include <string.h>
+-size_t EC_POINT_point2buf(const EC_GROUP *group, const EC_POINT *point,
+- point_conversion_form_t form,
+- unsigned char **pbuf, BN_CTX *ctx);
+-
+-const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x);
+-
+-int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
+-
+-int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s);
+-
+-EC_KEY *EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey);
+-
+-static inline void *OPENSSL_memdup(const void *dup, size_t l) {
+-
+- void *p = OPENSSL_malloc(l);
+- if (!p) {
+- return NULL;
+- }
+-
+- memcpy(p, dup, l);
+- return p;
+-}
+-
+-#endif
+-
+-#ifndef RSA_PSS_SALTLEN_DIGEST
+-#define RSA_PSS_SALTLEN_DIGEST -1
++#if (OPENSSL_VERSION_NUMBER >= 0x30000000) /* OpenSSL 3.0.0 */
++#define LIB_TPM2_OPENSSL_OPENSSL_POST300 0x1010100f
+ #endif
+
+-/* Utility APIs */
+-
+ #define SSL_UTIL_LOGE(m) LOGE("%s: %s", m, ERR_error_string(ERR_get_error(), NULL));
+
+ CK_RV ssl_util_attrs_to_evp(attr_list *attrs, EVP_PKEY **outpkey);
+--
+2.25.1
+
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/677.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/677.patch
deleted file mode 100644
index 5c91a5e..0000000
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/677.patch
+++ /dev/null
@@ -1,295 +0,0 @@
-From 2b74d3df9b3b6932052ace627b21ff1352aa2932 Mon Sep 17 00:00:00 2001
-From: William Roberts <william.c.roberts@intel.com>
-Date: Wed, 5 May 2021 13:32:05 -0500
-Subject: [PATCH 1/4] test: fix build for gcc11
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Fixes 0 size regions by ignoring them. The test code intentionally does
-bad things.
-
-test/unit/test_twist.c: In function ‘test_twistbin_aappend_twist_null’:
-test/unit/test_twist.c:327:18: error: ‘twistbin_aappend’ accessing 16 bytes in a region of size 0 [-Werror=stringop-overflow=]
- 327 | actual = twistbin_aappend(expected, (binarybuffer *) 0xDEADBEEF, 0);
- | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Signed-off-by: William Roberts <william.c.roberts@intel.com>
-
-Upstream-Status: Pending
-Fix out for merge to offical repo
-
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
----
- test/unit/test_twist.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/test/unit/test_twist.c b/test/unit/test_twist.c
-index ec66f69f..58d4530a 100644
---- a/test/unit/test_twist.c
-+++ b/test/unit/test_twist.c
-@@ -244,15 +244,23 @@ void test_twistbin_create(void **state) {
- void test_twistbin_new_overflow_1(void **state) {
- (void) state;
-
-+#pragma GCC diagnostic push
-+#pragma GCC diagnostic ignored "-Wpragmas"
-+#pragma GCC diagnostic ignored "-Wstringop-overflow"
- twist actual = twistbin_new((void *) 0xDEADBEEF, ~0);
- assert_null(actual);
-+#pragma GCC diagnostic pop
- }
-
- void test_twistbin_new_overflow_2(void **state) {
- (void) state;
-
-+#pragma GCC diagnostic push
-+#pragma GCC diagnostic ignored "-Wpragmas"
-+#pragma GCC diagnostic ignored "-Wstringop-overflow"
- twist actual = twistbin_new((void *) 0xDEADBEEF, ~0 - sizeof(void *));
- assert_null(actual);
-+#pragma GCC diagnostic pop
- }
-
- void test_twistbin_new_overflow_3(void **state) {
-@@ -318,8 +326,12 @@ void test_twistbin_aappend_twist_null(void **state) {
- twist actual = twistbin_aappend(expected, NULL, 42);
- assert_ptr_equal((void * )actual, (void * )expected);
-
-+#pragma GCC diagnostic push
-+#pragma GCC diagnostic ignored "-Wpragmas"
-+#pragma GCC diagnostic ignored "-Wstringop-overflow"
- actual = twistbin_aappend(expected, (binarybuffer *) 0xDEADBEEF, 0);
- assert_ptr_equal((void * )actual, (void * )expected);
-+#pragma GCC diagnostic pop
-
- twist_free(actual);
- }
-
-From 5bea05613e638375b73e29e5d56a9dabcfd2269d Mon Sep 17 00:00:00 2001
-From: William Roberts <william.c.roberts@intel.com>
-Date: Wed, 5 May 2021 11:52:23 -0500
-Subject: [PATCH 2/4] utils: fix stringop-overread in str_padded_copy
-
-cc1: all warnings being treated as errors
-| make: *** [Makefile:1953: src/lib/slot.lo] Error 1
-| make: *** Waiting for unfinished jobs....
-| In file included from src/lib/mutex.h:10,
-| from src/lib/session_ctx.h:6,
-| from src/lib/digest.h:13,
-| from src/lib/tpm.c:28:
-| In function 'str_padded_copy',
-| inlined from 'tpm_get_token_info' at src/lib/tpm.c:742:5:
-| src/lib/utils.h:42:5: error: 'strnlen' specified bound 32 exceeds source size 5 [-Werror=stringop-overread]
-| 42 | memcpy(dst, src, strnlen((char *)(src), dst_len));
-| | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-| src/lib/utils.h: In function 'tpm_get_token_info':
-| src/lib/tpm.c:739:19: note: source object declared here
-| 739 | unsigned char manufacturerID[sizeof(UINT32)+1] = {0}; // 4 bytes + '\0' as temp storage
-| | ^~~~~~~~~~~~~~
-| cc1: all warnings being treated as errors
-| make: *** [Makefile:1953: src/lib/tpm.lo] Error 1
-| WARNING: exit code 1 from a shell command.
-
-Fixes #676
-
-Signed-off-by: William Roberts <william.c.roberts@intel.com>
----
- src/lib/general.c | 8 ++++----
- src/lib/general.h | 2 +-
- src/lib/slot.c | 4 ++--
- src/lib/token.c | 4 ++--
- src/lib/tpm.c | 7 +++----
- src/lib/utils.h | 6 ++++--
- 6 files changed, 16 insertions(+), 15 deletions(-)
-
-diff --git a/src/lib/general.c b/src/lib/general.c
-index 9b7327c1..eaddaf82 100644
---- a/src/lib/general.c
-+++ b/src/lib/general.c
-@@ -19,8 +19,8 @@
- #define VERSION "UNKNOWN"
- #endif
-
--#define LIBRARY_DESCRIPTION (CK_UTF8CHAR_PTR)"TPM2.0 Cryptoki"
--#define LIBRARY_MANUFACTURER (CK_UTF8CHAR_PTR)"tpm2-software.github.io"
-+static const CK_UTF8CHAR LIBRARY_DESCRIPTION[] = "TPM2.0 Cryptoki";
-+static const CK_UTF8CHAR LIBRARY_MANUFACTURER[] = "tpm2-software.github.io";
-
- #define CRYPTOKI_VERSION { \
- .major = CRYPTOKI_VERSION_MAJOR, \
-@@ -78,8 +78,8 @@ CK_RV general_get_info(CK_INFO *info) {
-
- static CK_INFO *_info = NULL;
- if (!_info) {
-- str_padded_copy(_info_.manufacturerID, LIBRARY_MANUFACTURER, sizeof(_info_.manufacturerID));
-- str_padded_copy(_info_.libraryDescription, LIBRARY_DESCRIPTION, sizeof(_info_.libraryDescription));
-+ str_padded_copy(_info_.manufacturerID, LIBRARY_MANUFACTURER);
-+ str_padded_copy(_info_.libraryDescription, LIBRARY_DESCRIPTION);
-
- parse_lib_version(&_info_.libraryVersion.major,
- &_info_.libraryVersion.minor);
-diff --git a/src/lib/general.h b/src/lib/general.h
-index 14a18e46..356c142d 100644
---- a/src/lib/general.h
-+++ b/src/lib/general.h
-@@ -10,7 +10,7 @@
- #define TPM2_TOKEN_LABEL "TPM2 PKCS#11 Token"
- #define TPM2_TOKEN_MANUFACTURER "Intel"
- #define TPM2_TOKEN_MODEL "TPM2 PKCS#11"
--#define TPM2_TOKEN_SERIAL_NUMBER "0000000000000000"
-+static const CK_UTF8CHAR TPM2_TOKEN_SERIAL_NUMBER[] = "0000000000000000";
- #define TPM2_TOKEN_HW_VERSION { 0, 0 }
- #define TPM2_TOKEN_FW_VERSION { 0, 0 }
-
-diff --git a/src/lib/slot.c b/src/lib/slot.c
-index 548d22b5..6db5bb93 100644
---- a/src/lib/slot.c
-+++ b/src/lib/slot.c
-@@ -119,8 +119,8 @@ CK_RV slot_get_info (CK_SLOT_ID slot_id, CK_SLOT_INFO *info) {
- return CKR_GENERAL_ERROR;
- }
-
-- str_padded_copy(info->manufacturerID, token_info.manufacturerID, sizeof(info->manufacturerID));
-- str_padded_copy(info->slotDescription, token_info.label, sizeof(info->slotDescription));
-+ str_padded_copy(info->manufacturerID, token_info.manufacturerID);
-+ str_padded_copy(info->slotDescription, token_info.label);
-
- info->hardwareVersion = token_info.hardwareVersion;
- info->firmwareVersion = token_info.firmwareVersion;
-diff --git a/src/lib/token.c b/src/lib/token.c
-index 6d7ebd27..c7211296 100644
---- a/src/lib/token.c
-+++ b/src/lib/token.c
-@@ -317,8 +317,8 @@ CK_RV token_get_info (token *t, CK_TOKEN_INFO *info) {
- }
-
- // Identification
-- str_padded_copy(info->label, t->label, sizeof(info->label));
-- str_padded_copy(info->serialNumber, (unsigned char*) TPM2_TOKEN_SERIAL_NUMBER, sizeof(info->serialNumber));
-+ str_padded_copy(info->label, t->label);
-+ str_padded_copy(info->serialNumber, TPM2_TOKEN_SERIAL_NUMBER);
-
-
- // Memory: TODO not sure what memory values should go here, the platform?
-diff --git a/src/lib/tpm.c b/src/lib/tpm.c
-index 1639df48..7f9f052a 100644
---- a/src/lib/tpm.c
-+++ b/src/lib/tpm.c
-@@ -740,15 +740,14 @@ CK_RV tpm_get_token_info (tpm_ctx *ctx, CK_TOKEN_INFO *info) {
- unsigned char manufacturerID[sizeof(UINT32)+1] = {0}; // 4 bytes + '\0' as temp storage
- UINT32 manufacturer = ntohl(tpmProperties[TPM2_PT_MANUFACTURER - TPM2_PT_FIXED].value);
- memcpy(manufacturerID, (unsigned char*) &manufacturer, sizeof(uint32_t));
-- str_padded_copy(info->manufacturerID, manufacturerID, sizeof(info->manufacturerID));
-+ str_padded_copy(info->manufacturerID, manufacturerID);
-
- // Map human readable Manufacturer String, if available,
- // otherwise 4 byte ID was already padded and will be used.
- for (unsigned int i=0; i < ARRAY_LEN(TPM2_MANUFACTURER_MAP); i++){
- if (!strncasecmp((char *)info->manufacturerID, TPM2_MANUFACTURER_MAP[i][0], 4)) {
- str_padded_copy(info->manufacturerID,
-- (unsigned char *)TPM2_MANUFACTURER_MAP[i][1],
-- sizeof(info->manufacturerID));
-+ (unsigned char *)TPM2_MANUFACTURER_MAP[i][1]);
- }
- }
-
-@@ -758,7 +757,7 @@ CK_RV tpm_get_token_info (tpm_ctx *ctx, CK_TOKEN_INFO *info) {
- vendor[1] = ntohl(tpmProperties[TPM2_PT_VENDOR_STRING_2 - TPM2_PT_FIXED].value);
- vendor[2] = ntohl(tpmProperties[TPM2_PT_VENDOR_STRING_3 - TPM2_PT_FIXED].value);
- vendor[3] = ntohl(tpmProperties[TPM2_PT_VENDOR_STRING_4 - TPM2_PT_FIXED].value);
-- str_padded_copy(info->model, (unsigned char*) &vendor, sizeof(info->model));
-+ str_padded_copy(info->model, (unsigned char*) &vendor);
-
- return CKR_OK;
- }
-diff --git a/src/lib/utils.h b/src/lib/utils.h
-index 81c61fae..cf357464 100644
---- a/src/lib/utils.h
-+++ b/src/lib/utils.h
-@@ -39,9 +39,11 @@
-
- int str_to_ul(const char *val, size_t *res);
-
--static inline void str_padded_copy(CK_UTF8CHAR_PTR dst, const CK_UTF8CHAR_PTR src, size_t dst_len) {
-+#define str_padded_copy(dst, src) _str_padded_copy(dst, sizeof(dst), src, strnlen((const char *)src, sizeof(src)))
-+static inline void _str_padded_copy(CK_UTF8CHAR_PTR dst, size_t dst_len, const CK_UTF8CHAR *src, size_t src_len) {
- memset(dst, ' ', dst_len);
-- memcpy(dst, src, strnlen((char *)(src), dst_len));
-+ memcpy(dst, src, src_len);
-+ LOGE("BILL(%zu): %.*s\n", dst_len, dst_len, dst);
- }
-
- twist utils_hash_pass(const twist pin, const twist salt);
-
-From afeae8a3846e06152fafb180077fbad4381a124d Mon Sep 17 00:00:00 2001
-From: William Roberts <william.c.roberts@intel.com>
-Date: Wed, 5 May 2021 14:09:27 -0500
-Subject: [PATCH 3/4] general: drop unused macros
-
-Signed-off-by: William Roberts <william.c.roberts@intel.com>
----
- src/lib/general.h | 10 ----------
- 1 file changed, 10 deletions(-)
-
-diff --git a/src/lib/general.h b/src/lib/general.h
-index 356c142d..b3089554 100644
---- a/src/lib/general.h
-+++ b/src/lib/general.h
-@@ -7,17 +7,7 @@
-
- #include "pkcs11.h"
-
--#define TPM2_TOKEN_LABEL "TPM2 PKCS#11 Token"
--#define TPM2_TOKEN_MANUFACTURER "Intel"
--#define TPM2_TOKEN_MODEL "TPM2 PKCS#11"
- static const CK_UTF8CHAR TPM2_TOKEN_SERIAL_NUMBER[] = "0000000000000000";
--#define TPM2_TOKEN_HW_VERSION { 0, 0 }
--#define TPM2_TOKEN_FW_VERSION { 0, 0 }
--
--#define TPM2_SLOT_DESCRIPTION "Intel TPM2.0 Cryptoki"
--#define TPM2_SLOT_MANUFACTURER TPM2_TOKEN_MANUFACTURER
--#define TPM2_SLOT_HW_VERSION TPM2_TOKEN_HW_VERSION
--#define TPM2_SLOT_FW_VERSION TPM2_TOKEN_FW_VERSION
-
- CK_RV general_init(void *init_args);
- CK_RV general_get_func_list(CK_FUNCTION_LIST **function_list);
-
-From 8b43a99c5ff604d890bdc23fd2fa5f98aa087d83 Mon Sep 17 00:00:00 2001
-From: William Roberts <william.c.roberts@intel.com>
-Date: Wed, 5 May 2021 14:11:04 -0500
-Subject: [PATCH 4/4] token: move TPM2_TOKEN_SERIAL_NUMBER local to use
-
-Signed-off-by: William Roberts <william.c.roberts@intel.com>
----
- src/lib/general.h | 2 --
- src/lib/token.c | 2 ++
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/lib/general.h b/src/lib/general.h
-index b3089554..9afd61ec 100644
---- a/src/lib/general.h
-+++ b/src/lib/general.h
-@@ -7,8 +7,6 @@
-
- #include "pkcs11.h"
-
--static const CK_UTF8CHAR TPM2_TOKEN_SERIAL_NUMBER[] = "0000000000000000";
--
- CK_RV general_init(void *init_args);
- CK_RV general_get_func_list(CK_FUNCTION_LIST **function_list);
- CK_RV general_get_info(CK_INFO *info);
-diff --git a/src/lib/token.c b/src/lib/token.c
-index c7211296..63a9a71b 100644
---- a/src/lib/token.c
-+++ b/src/lib/token.c
-@@ -20,6 +20,8 @@
- #include "token.h"
- #include "utils.h"
-
-+static const CK_UTF8CHAR TPM2_TOKEN_SERIAL_NUMBER[] = "0000000000000000";
-+
- void pobject_config_free(pobject_config *c) {
-
- if (c->is_transient) {
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.6.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.7.0.bb
similarity index 89%
rename from meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.6.0.bb
rename to meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.7.0.bb
index fdeda26..3a0917a 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.6.0.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.7.0.bb
@@ -6,13 +6,14 @@
DEPENDS = "autoconf-archive pkgconfig dstat sqlite3 openssl libtss2-dev tpm2-tools libyaml p11-kit python3-setuptools-native"
-SRC_URI = "git://github.com/tpm2-software/tpm2-pkcs11.git;branch=master \
+SRC_URI = "git://github.com/tpm2-software/tpm2-pkcs11.git;branch=master;protocol=https \
file://bootstrap_fixup.patch \
file://0001-remove-local-binary-checkes.patch \
- file://677.patch \
+ file://0001-ssl-compile-against-OSSL-3.0.patch \
+ file://0002-ossl-require-version-1.1.0-or-greater.patch \
"
-SRCREV = "c2d53cc1af6b9df13c832715442853b21048c273"
+SRCREV = "11fd2532ce10e97834a57dfb25bff6c613a5a851"
S = "${WORKDIR}/git"
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
index 47113d2..2bf1eed 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
@@ -4,7 +4,7 @@
LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da"
DEPENDS = "libtss2-dev libtss2-mu-dev gnu-efi-native gnu-efi pkgconfig autoconf-archive-native"
-SRC_URI = "git://github.com/tpm2-software/tpm2-tcti-uefi.git \
+SRC_URI = "git://github.com/tpm2-software/tpm2-tcti-uefi.git;branch=master;protocol=https \
file://configure_oe_fixup.patch \
file://0001-configure.ac-stop-inserting-host-directories-into-co.patch \
file://fix_header_file.patch \
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb
similarity index 80%
rename from meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.0.bb
rename to meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb
index dbd324a..6e95a0e 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.0.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb
@@ -8,6 +8,6 @@
SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz"
-SRC_URI[sha256sum] = "e1b907fe29877628052e08ad84eebc6c3f7646d29505ed4862e96162a8c91ba1"
+SRC_URI[sha256sum] = "c0b402f6a7b3456e8eb2445211e2d41c46c7e769e05fe4d8909ff64119f7a630"
inherit autotools pkgconfig bash-completion
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.3.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.3.0.bb
index dfebc07..d324e33 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.3.0.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.3.0.bb
@@ -10,7 +10,7 @@
PE = "1"
SRCREV = "96a1448753a48974149003bc90ea3990ae8e8d0b"
-SRC_URI = "git://github.com/tpm2-software/tpm2-totp.git"
+SRC_URI = "git://github.com/tpm2-software/tpm2-totp.git;branch=master;protocol=https"
inherit autotools-brokensep pkgconfig
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.1.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.1.0.bb
index 3069b1f..4d1f425 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.1.0.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.1.0.bb
@@ -9,7 +9,7 @@
DEPENDS = "autoconf-archive-native bash-completion libtss2 libgcrypt openssl"
SRCREV = "6f387a4efe2049f1b4833e8f621c77231bc1eef4"
-SRC_URI = "git://github.com/tpm2-software/tpm2-tss-engine.git;branch=v1.1.x"
+SRC_URI = "git://github.com/tpm2-software/tpm2-tss-engine.git;branch=v1.1.x;protocol=https"
inherit autotools-brokensep pkgconfig systemd
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.0.3.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.0.3.bb
index 6470879..1a36a5b 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.0.3.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.0.3.bb
@@ -15,7 +15,7 @@
PACKAGECONFIG ??= ""
PACKAGECONFIG[oxygen] = ",--disable-doxygen-doc, "
-PACKAGECONFIG[fapi] = "--enable-fapi,--disable-fapi,json-c "
+PACKAGECONFIG[fapi] = "--enable-fapi,--disable-fapi,curl json-c "
EXTRA_OECONF += "--enable-static --with-udevrulesdir=${nonarch_base_libdir}/udev/rules.d/"
EXTRA_OECONF:remove = " --disable-static"
@@ -73,6 +73,11 @@
${libdir}/libtss2*so"
FILES:libtss2-staticdev = "${libdir}/libtss*a"
-FILES:${PN} = "${libdir}/udev ${nonarch_base_libdir}/udev"
+FILES:${PN} = "\
+ ${libdir}/udev \
+ ${nonarch_base_libdir}/udev \
+ ${sysconfdir}/tmpfiles.d \
+ ${sysconfdir}/tpm2-tss \
+ ${sysconfdir}/sysusers.d"
RDEPENDS:libtss2 = "libgcrypt"
diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
index 6375e24..fefc66d 100644
--- a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
+++ b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
@@ -38,8 +38,6 @@
python3-privacyidea \
python3-fail2ban \
softhsm \
- libest \
- opendnssec \
sshguard \
${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 ", "", " libseccomp",d)} \
${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd google-authenticator-libpam", "",d)} \
diff --git a/meta-security/recipes-ids/crowdsec/crowdsec_1.1.1.bb b/meta-security/recipes-ids/crowdsec/crowdsec_1.1.1.bb
index 887c75d..81f2b8f 100644
--- a/meta-security/recipes-ids/crowdsec/crowdsec_1.1.1.bb
+++ b/meta-security/recipes-ids/crowdsec/crowdsec_1.1.1.bb
@@ -3,7 +3,7 @@
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://src/import/LICENSE;md5=105e75b680b2ab82fa5718661b41f3bf"
-SRC_URI = "git://github.com/crowdsecurity/crowdsec.git;branch=master"
+SRC_URI = "git://github.com/crowdsecurity/crowdsec.git;branch=master;protocol=https"
SRCREV = "73e0bbaf93070f4a640eb5a22212b5dcf26699de"
DEPENDS = "jq-native"
diff --git a/meta-security/recipes-ids/ossec/ossec-hids_3.6.0.bb b/meta-security/recipes-ids/ossec/ossec-hids_3.6.0.bb
index 309ca52..853facf 100644
--- a/meta-security/recipes-ids/ossec/ossec-hids_3.6.0.bb
+++ b/meta-security/recipes-ids/ossec/ossec-hids_3.6.0.bb
@@ -4,7 +4,7 @@
DEPENDS = "openssl libpcre2 zlib libevent"
-SRC_URI = "git://github.com/ossec/ossec-hids;branch=master \
+SRC_URI = "git://github.com/ossec/ossec-hids;branch=master;protocol=https \
file://0001-Makefile-drop-running-scrips-install.patch \
file://0002-Makefile-don-t-set-uid-gid.patch \
"
diff --git a/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb b/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb
index 3a9bc1d..93cb443 100644
--- a/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb
+++ b/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb
@@ -9,7 +9,7 @@
SRCREV = "6e64a9e5b70a909ec439bc5a099e3fcf38c614b0"
SRC_URI = "\
- git://github.com/Tripwire/tripwire-open-source.git \
+ git://github.com/Tripwire/tripwire-open-source.git;branch=master;protocol=https \
file://tripwire.cron \
file://tripwire.sh \
file://tripwire.txt \
diff --git a/meta-security/recipes-mac/AppArmor/apparmor_3.0.1.bb b/meta-security/recipes-mac/AppArmor/apparmor_3.0.1.bb
index dca53a3..818be15 100644
--- a/meta-security/recipes-mac/AppArmor/apparmor_3.0.1.bb
+++ b/meta-security/recipes-mac/AppArmor/apparmor_3.0.1.bb
@@ -16,15 +16,15 @@
SRC_URI = " \
git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-3.0 \
file://run-ptest \
- file://disable_perl_h_check.patch \
file://crosscompile_perl_bindings.patch \
file://0001-Makefile.am-suppress-perllocal.pod.patch \
file://0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch \
file://0001-Makefile-fix-hardcoded-installation-directories.patch \
file://0001-rc.apparmor.debian-add-missing-functions.patch \
+ file://py3_10_fixup.patch \
"
-SRCREV = "b0f08aa9d678197b8e3477c2fbff790f50a1de5e"
+SRCREV = "b23de501807b8b5793e9654da8688b5fd3281154"
S = "${WORKDIR}/git"
PARALLEL_MAKE = ""
@@ -168,7 +168,7 @@
# Add coreutils and findutils only if sysvinit scripts are in use
RDEPENDS:${PN} += "${@["coreutils findutils", ""][(d.getVar('VIRTUAL-RUNTIME_init_manager') == 'systemd')]} ${@bb.utils.contains('PACKAGECONFIG','python','python3-core python3-modules','', d)}"
-RDEPENDS:${PN}:remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}"
+RDEPENDS:${PN}:remove = "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}"
RDEPENDS:${PN}-ptest += "perl coreutils dbus-lib bash"
INSANE_SKIP:${PN} = "ldflags"
diff --git a/meta-security/recipes-mac/AppArmor/files/py3_10_fixup.patch b/meta-security/recipes-mac/AppArmor/files/py3_10_fixup.patch
new file mode 100644
index 0000000..05f8460
--- /dev/null
+++ b/meta-security/recipes-mac/AppArmor/files/py3_10_fixup.patch
@@ -0,0 +1,35 @@
+m4/ax_python_devel.m4: do not check for distutils
+
+With py 3.10 this prints a deprecation warning which is
+taken as an error. Upstream should rework the code to not
+use distuils.
+
+Upstream-Status: Inappropriate [needs a proper fix upstream]
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: git/libraries/libapparmor/m4/ac_python_devel.m4
+===================================================================
+--- git.orig/libraries/libapparmor/m4/ac_python_devel.m4
++++ git/libraries/libapparmor/m4/ac_python_devel.m4
+@@ -66,21 +66,6 @@ variable to configure. See ``configure -
+ fi
+
+ #
+- # Check if you have distutils, else fail
+- #
+- AC_MSG_CHECKING([for the distutils Python package])
+- ac_distutils_result=`$PYTHON -c "import distutils" 2>&1`
+- if test -z "$ac_distutils_result"; then
+- AC_MSG_RESULT([yes])
+- else
+- AC_MSG_RESULT([no])
+- AC_MSG_ERROR([cannot import Python module "distutils".
+-Please check your Python installation. The error was:
+-$ac_distutils_result])
+- PYTHON_VERSION=""
+- fi
+-
+- #
+ # Check for Python include path
+ #
+ AC_MSG_CHECKING([for Python include path])
diff --git a/meta-security/recipes-mac/smack/smack_1.3.1.bb b/meta-security/recipes-mac/smack/smack_1.3.1.bb
index 6c2f041..79a8f5a 100644
--- a/meta-security/recipes-mac/smack/smack_1.3.1.bb
+++ b/meta-security/recipes-mac/smack/smack_1.3.1.bb
@@ -7,7 +7,7 @@
SRCREV = "4a102c7584b39ce693995ffb65e0918a9df98dd8"
SRC_URI = " \
- git://github.com/smack-team/smack.git \
+ git://github.com/smack-team/smack.git;branch=master;protocol=https \
file://smack_generator_make_fixup.patch \
file://run-ptest"
diff --git a/meta-security/recipes-scanners/checksec/checksec_2.4.0.bb b/meta-security/recipes-scanners/checksec/checksec_2.4.0.bb
index 12c9bce..9a6e44a 100644
--- a/meta-security/recipes-scanners/checksec/checksec_2.4.0.bb
+++ b/meta-security/recipes-scanners/checksec/checksec_2.4.0.bb
@@ -7,7 +7,7 @@
LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=8d90285f711cf1f378e2c024457066d8"
SRCREV = "c3754e45e04f9104db93b2048afd094427102d48"
-SRC_URI = "git://github.com/slimm609/checksec.sh"
+SRC_URI = "git://github.com/slimm609/checksec.sh;branch=master;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-security/recipes-scanners/clamav/clamav_0.104.0.bb b/meta-security/recipes-scanners/clamav/clamav_0.104.0.bb
index 25123dc..f0889de 100644
--- a/meta-security/recipes-scanners/clamav/clamav_0.104.0.bb
+++ b/meta-security/recipes-scanners/clamav/clamav_0.104.0.bb
@@ -11,7 +11,7 @@
# July 27th
SRCREV = "c389dfa4c3af92b006ada4f7595bbc3e6df3f356"
-SRC_URI = "git://github.com/vrtadmin/clamav-devel;branch=rel/0.104 \
+SRC_URI = "git://github.com/vrtadmin/clamav-devel;branch=rel/0.104;protocol=https \
file://clamd.conf \
file://freshclam.conf \
file://volatiles.03_clamav \
@@ -135,11 +135,11 @@
${datadir}/man/* \
${docdir}/* "
-USERADD_PACKAGES = "${PN}"
-GROUPADD_PARAM:${PN} = "--system ${CLAMAV_UID}"
-USERADD_PARAM:${PN} = "--system -g ${CLAMAV_GID} --home-dir \
+USERADD_PACKAGES = "${PN}-freshclam "
+GROUPADD_PARAM:${PN}-freshclam = "--system ${CLAMAV_UID}"
+USERADD_PARAM:${PN}-freshclam = "--system -g ${CLAMAV_GID} --home-dir \
${localstatedir}/lib/${BPN} \
- --no-create-home --shell /sbin/nologin ${BPN}"
+ --no-create-home --shell /sbin/nologin ${PN}"
RPROVIDES:${PN} += "${PN}-systemd"
RREPLACES:${PN} += "${PN}-systemd"
diff --git a/meta-security/recipes-security/bastille/bastille_3.2.1.bb b/meta-security/recipes-security/bastille/bastille_3.2.1.bb
index 72281c5..2d82983 100644
--- a/meta-security/recipes-security/bastille/bastille_3.2.1.bb
+++ b/meta-security/recipes-security/bastille/bastille_3.2.1.bb
@@ -48,7 +48,6 @@
install -d ${D}${datadir}/Bastille/OSMap/Modules
install -d ${D}${datadir}/Bastille/Questions
install -d ${D}${datadir}/Bastille/FKL/configs/
- install -d ${D}${localstatedir}/log/Bastille
install -d ${D}${sysconfdir}/Bastille
install -m 0755 AutomatedBastille ${D}${sbindir}
install -m 0755 BastilleBackEnd ${D}${sbindir}
@@ -148,6 +147,20 @@
${THISDIR}/files/set_required_questions.py ${D}${sysconfdir}/Bastille/config ${D}${datadir}/Bastille/Questions
ln -s RevertBastille ${D}${sbindir}/UndoBastille
+
+ # Create /var/log/Bastille in runtime.
+ if [ "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}" ]; then
+ install -d ${D}${nonarch_libdir}/tmpfiles.d
+ echo "d ${localstatedir}/log/Bastille - - - -" > ${D}${nonarch_libdir}/tmpfiles.d/Bastille.conf
+ fi
+ if [ "${@bb.utils.filter('DISTRO_FEATURES', 'sysvinit', d)}" ]; then
+ install -d ${D}${sysconfdir}/default/volatiles
+ echo "d root root 0755 ${localstatedir}/log/Bastille none" > ${D}${sysconfdir}/default/volatiles/99_Bastille
+ fi
}
-FILES:${PN} += "${datadir}/Bastille ${libdir}/Bastille ${libdir}/perl* ${sysconfdir}/*"
+FILES:${PN} += "${datadir}/Bastille \
+ ${libdir}/Bastille \
+ ${libdir}/perl* \
+ ${sysconfdir}/* \
+ ${nonarch_libdir}/tmpfiles.d"
diff --git a/meta-security/recipes-security/chipsec/chipsec_git.bb b/meta-security/recipes-security/chipsec/chipsec_git.bb
new file mode 100644
index 0000000..e265a08
--- /dev/null
+++ b/meta-security/recipes-security/chipsec/chipsec_git.bb
@@ -0,0 +1,35 @@
+SUMMARY = "CHIPSEC: Platform Security Assessment Framework"
+
+DESCRIPTION = "CHIPSEC is a framework for analyzing the security \
+ of PC platforms including hardware, system firmware \
+ (BIOS/UEFI), and platform components."
+
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://COPYING;md5=bc2d1f9b427be5fb63f6af9da56f7c5d"
+
+SRC_URI = "git://github.com/chipsec/chipsec.git;branch=master;protocol=https \
+ "
+
+SRCREV = "b2a61684826dc8b9f622a844a40efea579cd7e7d"
+
+COMPATIBLE_HOST = "(i.86|x86_64).*-linux"
+
+S = "${WORKDIR}/git"
+EXTRA_OEMAKE = "CC='${CC}' LDFLAGS='${LDFLAGS}' CFLAGS='${CFLAGS}'"
+
+DEPENDS = "virtual/kernel nasm-native python3-setuptools-native"
+RDEPENDS:${PN} += "python3 python3-modules"
+
+inherit module distutils3
+
+do_compile:append() {
+ cd ${S}/drivers/linux
+ oe_runmake KSRC=${STAGING_KERNEL_BUILDDIR}
+}
+
+do_install:append() {
+ install -m 0644 ${S}/drivers/linux/chipsec.ko ${D}${PYTHON_SITEPACKAGES_DIR}/chipsec/helper/linux
+}
+
+FILES:${PN} += "${exec_prefix} \
+"
diff --git a/meta-security/recipes-security/fail2ban/files/fail2ban_setup.py b/meta-security/recipes-security/fail2ban/files/fail2ban_setup.py
deleted file mode 100755
index e231949..0000000
--- a/meta-security/recipes-security/fail2ban/files/fail2ban_setup.py
+++ /dev/null
@@ -1,174 +0,0 @@
-# emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*-
-# vi: set ft=python sts=4 ts=4 sw=4 noet :
-
-# This file is part of Fail2Ban.
-#
-# Fail2Ban is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# Fail2Ban is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with Fail2Ban; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-
-__author__ = "Cyril Jaquier, Steven Hiscocks, Yaroslav Halchenko"
-__copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2008-2016 Fail2Ban Contributors"
-__license__ = "GPL"
-
-import platform
-
-try:
- import setuptools
- from setuptools import setup
- from setuptools.command.install import install
- from setuptools.command.install_scripts import install_scripts
-except ImportError:
- setuptools = None
- from distutils.core import setup
-
-# all versions
-from distutils.command.build_py import build_py
-from distutils.command.build_scripts import build_scripts
-if setuptools is None:
- from distutils.command.install import install
- from distutils.command.install_scripts import install_scripts
-try:
- # python 3.x
- from distutils.command.build_py import build_py_2to3
- from distutils.command.build_scripts import build_scripts_2to3
- _2to3 = True
-except ImportError:
- # python 2.x
- _2to3 = False
-
-import os
-from os.path import isfile, join, isdir, realpath
-import sys
-import warnings
-from glob import glob
-
-from fail2ban.setup import updatePyExec
-
-if setuptools and "test" in sys.argv:
- import logging
- logSys = logging.getLogger("fail2ban")
- hdlr = logging.StreamHandler(sys.stdout)
- fmt = logging.Formatter("%(asctime)-15s %(message)s")
- hdlr.setFormatter(fmt)
- logSys.addHandler(hdlr)
- if set(["-q", "--quiet"]) & set(sys.argv):
- logSys.setLevel(logging.CRITICAL)
- warnings.simplefilter("ignore")
- sys.warnoptions.append("ignore")
- elif set(["-v", "--verbose"]) & set(sys.argv):
- logSys.setLevel(logging.DEBUG)
- else:
- logSys.setLevel(logging.INFO)
-elif "test" in sys.argv:
- print("python distribute required to execute fail2ban tests")
- print("")
-
-longdesc = '''
-Fail2Ban scans log files like /var/log/pwdfail or
-/var/log/apache/error_log and bans IP that makes
-too many password failures. It updates firewall rules
-to reject the IP address or executes user defined
-commands.'''
-
-if setuptools:
- setup_extra = {
- 'test_suite': "fail2ban.tests.utils.gatherTests",
- 'use_2to3': True,
- }
-else:
- setup_extra = {}
-
-data_files_extra = []
-
-# Installing documentation files only under Linux or other GNU/ systems
-# (e.g. GNU/kFreeBSD), since others might have protective mechanisms forbidding
-# installation there (see e.g. #1233)
-platform_system = platform.system().lower()
-doc_files = ['README.md', 'DEVELOP', 'FILTERS', 'doc/run-rootless.txt']
-if platform_system in ('solaris', 'sunos'):
- doc_files.append('README.Solaris')
-if platform_system in ('linux', 'solaris', 'sunos') or platform_system.startswith('gnu'):
- data_files_extra.append(
- ('/usr/share/doc/fail2ban', doc_files)
- )
-
-# Get version number, avoiding importing fail2ban.
-# This is due to tests not functioning for python3 as 2to3 takes place later
-exec(open(join("fail2ban", "version.py")).read())
-
-setup(
- name = "fail2ban",
- version = version,
- description = "Ban IPs that make too many password failures",
- long_description = longdesc,
- author = "Cyril Jaquier & Fail2Ban Contributors",
- author_email = "cyril.jaquier@fail2ban.org",
- url = "http://www.fail2ban.org",
- license = "GPL",
- platforms = "Posix",
- cmdclass = {
- 'build_py': build_py, 'build_scripts': build_scripts,
- },
- scripts = [
- 'bin/fail2ban-client',
- 'bin/fail2ban-server',
- 'bin/fail2ban-regex',
- 'bin/fail2ban-testcases',
- # 'bin/fail2ban-python', -- link (binary), will be installed via install_scripts_f2b wrapper
- ],
- packages = [
- 'fail2ban',
- 'fail2ban.client',
- 'fail2ban.server',
- 'fail2ban.tests',
- 'fail2ban.tests.action_d',
- ],
- package_data = {
- 'fail2ban.tests':
- [ join(w[0], f).replace("fail2ban/tests/", "", 1)
- for w in os.walk('fail2ban/tests/files')
- for f in w[2]] +
- [ join(w[0], f).replace("fail2ban/tests/", "", 1)
- for w in os.walk('fail2ban/tests/config')
- for f in w[2]] +
- [ join(w[0], f).replace("fail2ban/tests/", "", 1)
- for w in os.walk('fail2ban/tests/action_d')
- for f in w[2]]
- },
- data_files = [
- ('/etc/fail2ban',
- glob("config/*.conf")
- ),
- ('/etc/fail2ban/filter.d',
- glob("config/filter.d/*.conf")
- ),
- ('/etc/fail2ban/filter.d/ignorecommands',
- [p for p in glob("config/filter.d/ignorecommands/*") if isfile(p)]
- ),
- ('/etc/fail2ban/action.d',
- glob("config/action.d/*.conf") +
- glob("config/action.d/*.py")
- ),
- ('/etc/fail2ban/fail2ban.d',
- ''
- ),
- ('/etc/fail2ban/jail.d',
- ''
- ),
- ('/var/lib/fail2ban',
- ''
- ),
- ] + data_files_extra,
- **setup_extra
-)
diff --git a/meta-security/recipes-security/fail2ban/python3-fail2ban_0.11.2.bb b/meta-security/recipes-security/fail2ban/python3-fail2ban_0.11.2.bb
index ed75a0e..f6394cc 100644
--- a/meta-security/recipes-security/fail2ban/python3-fail2ban_0.11.2.bb
+++ b/meta-security/recipes-security/fail2ban/python3-fail2ban_0.11.2.bb
@@ -9,10 +9,9 @@
LICENSE = "GPL-2.0"
LIC_FILES_CHKSUM = "file://COPYING;md5=ecabc31e90311da843753ba772885d9f"
-SRCREV ="eea1881b734b73599a21df2bfbe58b11f78d0a46"
-SRC_URI = " git://github.com/fail2ban/fail2ban.git;branch=0.11 \
+SRCREV ="4fe4ac8dde6ba14841da598ec37f8c6911fe0f64"
+SRC_URI = " git://github.com/fail2ban/fail2ban.git;branch=0.11;protocol=https \
file://initd \
- file://fail2ban_setup.py \
file://run-ptest \
"
@@ -20,17 +19,18 @@
S = "${WORKDIR}/git"
-do_compile:prepend () {
- cp ${WORKDIR}/fail2ban_setup.py ${S}/setup.py
+do_compile () {
cd ${S}
./fail2ban-2to3
}
do_install:append () {
+ rm -f ${D}/${bindir}/fail2ban-python
install -d ${D}/${sysconfdir}/fail2ban
install -d ${D}/${sysconfdir}/init.d
install -m 0755 ${WORKDIR}/initd ${D}${sysconfdir}/init.d/fail2ban-server
chown -R root:root ${D}/${bindir}
+ rm -rf ${D}/run
}
do_install_ptest:append () {
@@ -38,9 +38,9 @@
install -d ${D}${PTEST_PATH}/bin
sed -i -e 's/##PYTHON##/${PYTHON_PN}/g' ${D}${PTEST_PATH}/run-ptest
install -D ${S}/bin/* ${D}${PTEST_PATH}/bin
+ rm -f ${D}${PTEST_PATH}/bin/fail2ban-python
}
-FILES:${PN} += "/run"
INITSCRIPT_PACKAGES = "${PN}"
INITSCRIPT_NAME = "fail2ban-server"
diff --git a/meta-security/recipes-security/fscrypt/fscrypt_1.0.0.bb b/meta-security/recipes-security/fscrypt/fscrypt_1.0.0.bb
index a70d310..66bf429 100644
--- a/meta-security/recipes-security/fscrypt/fscrypt_1.0.0.bb
+++ b/meta-security/recipes-security/fscrypt/fscrypt_1.0.0.bb
@@ -14,7 +14,7 @@
DEPENDS += "go-dep-native libpam"
SRCREV = "92b1e9a8670ccd3916a7d24a06cab1e4c9815bc4"
-SRC_URI = "git://github.com/google/fscrypt.git"
+SRC_URI = "git://github.com/google/fscrypt.git;branch=master;protocol=https"
GO_IMPORT = "import"
S = "${WORKDIR}/git"
diff --git a/meta-security/recipes-security/fscryptctl/fscryptctl_1.0.0.bb b/meta-security/recipes-security/fscryptctl/fscryptctl_1.0.0.bb
index 26f549b..d319e48 100644
--- a/meta-security/recipes-security/fscryptctl/fscryptctl_1.0.0.bb
+++ b/meta-security/recipes-security/fscryptctl/fscryptctl_1.0.0.bb
@@ -10,7 +10,7 @@
LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
SRCREV = "56b898c896240328adef7407090215abbe9ee03d"
-SRC_URI = "git://github.com/google/fscryptctl.git"
+SRC_URI = "git://github.com/google/fscryptctl.git;branch=master;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.08.bb b/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.08.bb
index 4ab8374..e8ddf29 100644
--- a/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.08.bb
+++ b/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.08.bb
@@ -3,7 +3,7 @@
LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
LICENSE = "Apache-2.0"
-SRC_URI = "git://github.com/google/google-authenticator-libpam.git"
+SRC_URI = "git://github.com/google/google-authenticator-libpam.git;branch=master;protocol=https"
SRCREV = "2c7415d950fb0b4a7f779f045910666447b100ef"
DEPENDS = "libpam"
diff --git a/meta-security/recipes-security/libest/libest_3.2.0.bb b/meta-security/recipes-security/libest/libest_3.2.0.bb
index fda2df4..41a4025 100644
--- a/meta-security/recipes-security/libest/libest_3.2.0.bb
+++ b/meta-security/recipes-security/libest/libest_3.2.0.bb
@@ -6,7 +6,7 @@
LIC_FILES_CHKSUM = "file://LICENSE;md5=ecb78acde8e3b795de8ef6b61aed5885"
SRCREV = "4ca02c6d7540f2b1bcea278a4fbe373daac7103b"
-SRC_URI = "git://github.com/cisco/libest;branch=main"
+SRC_URI = "git://github.com/cisco/libest;branch=main;protocol=https"
DEPENDS = "openssl"
@@ -25,3 +25,6 @@
PACKAGES = "${PN} ${PN}-dbg ${PN}-dev"
FILES:${PN} = "${bindir}/* ${libdir}/libest-3.2.0p.so"
+
+# https://github.com/cisco/libest/issues/104
+PNBLACKLIST[libest] ?= "Needs porting to openssl 3.x"
diff --git a/meta-security/recipes-security/libmspack/libmspack_1.9.1.bb b/meta-security/recipes-security/libmspack/libmspack_1.9.1.bb
index 8c288be..65db10f 100644
--- a/meta-security/recipes-security/libmspack/libmspack_1.9.1.bb
+++ b/meta-security/recipes-security/libmspack/libmspack_1.9.1.bb
@@ -7,7 +7,7 @@
LIC_FILES_CHKSUM = "file://COPYING.LIB;beginline=1;endline=2;md5=5b1fd1f66ef926b3c8a5bb00a72a28dd"
SRCREV = "63d3faf90423a4a6c174539a7d32111a840adadc"
-SRC_URI = "git://github.com/kyz/libmspack.git"
+SRC_URI = "git://github.com/kyz/libmspack.git;branch=master;protocol=https"
inherit autotools
diff --git a/meta-security/recipes-security/ncrack/ncrack_0.7.bb b/meta-security/recipes-security/ncrack/ncrack_0.7.bb
index 8b221e5..f151e4e 100644
--- a/meta-security/recipes-security/ncrack/ncrack_0.7.bb
+++ b/meta-security/recipes-security/ncrack/ncrack_0.7.bb
@@ -7,7 +7,7 @@
LIC_FILES_CHKSUM = "file://COPYING;beginline=7;endline=12;md5=66938a7e5b4c118eda78271de14874c2"
SRCREV = "dc570e7e3cec1fb176c0168eaedc723084bd0426"
-SRC_URI = "git://github.com/nmap/ncrack.git"
+SRC_URI = "git://github.com/nmap/ncrack.git;branch=master;protocol=https"
DEPENDS = "openssl zlib"
diff --git a/meta-security/recipes-security/nikto/nikto_2.1.6.bb b/meta-security/recipes-security/nikto/nikto_2.1.6.bb
index 242f3ac..8542d69 100644
--- a/meta-security/recipes-security/nikto/nikto_2.1.6.bb
+++ b/meta-security/recipes-security/nikto/nikto_2.1.6.bb
@@ -7,7 +7,7 @@
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6"
SRCREV = "f1bbd1a8756c076c8fd4f4dd0bc34a8ef215ae79"
-SRC_URI = "git://github.com/sullo/nikto.git \
+SRC_URI = "git://github.com/sullo/nikto.git;branch=master;protocol=https \
file://location.patch"
S = "${WORKDIR}/git/program"
diff --git a/meta-security/recipes-security/opendnssec/opendnssec_2.1.9.bb b/meta-security/recipes-security/opendnssec/opendnssec_2.1.10.bb
similarity index 88%
rename from meta-security/recipes-security/opendnssec/opendnssec_2.1.9.bb
rename to meta-security/recipes-security/opendnssec/opendnssec_2.1.10.bb
index 6c1bd46..6b53711 100644
--- a/meta-security/recipes-security/opendnssec/opendnssec_2.1.9.bb
+++ b/meta-security/recipes-security/opendnssec/opendnssec_2.1.10.bb
@@ -10,7 +10,7 @@
file://libdns_conf_fix.patch \
"
-SRC_URI[sha256sum] = "6d1d466c8d7f507f3e665f4bfe4d16a68d6bff9d7c2ab65f852e2b2a821c28b5"
+SRC_URI[sha256sum] = "c0a8427de241118dccbf7abc508e4dd53fb75b45e9f386addbadae7ecc092756"
inherit autotools pkgconfig perlnative
@@ -32,3 +32,5 @@
}
RDEPENDS:${PN} = "softhsm"
+
+PNBLACKLIST[opendnssec] ?= "Needs porting to openssl 3.x"
diff --git a/meta-security/recipes-security/sssd/sssd_2.5.2.bb b/meta-security/recipes-security/sssd/sssd_2.5.2.bb
index 76d6e03..8bc8787 100644
--- a/meta-security/recipes-security/sssd/sssd_2.5.2.bb
+++ b/meta-security/recipes-security/sssd/sssd_2.5.2.bb
@@ -86,13 +86,23 @@
rmdir --ignore-fail-on-non-empty "${D}/${bindir}"
install -d ${D}/${sysconfdir}/${BPN}
install -m 600 ${WORKDIR}/${BPN}.conf ${D}/${sysconfdir}/${BPN}
- install -D -m 644 ${WORKDIR}/volatiles.99_sssd ${D}/${sysconfdir}/default/volatiles/99_sssd
+
+ # /var/log/sssd needs to be created in runtime. Use rmdir to catch if
+ # upstream stops creating /var/log/sssd, or adds something else in
+ # /var/log.
+ rmdir ${D}${localstatedir}/log/${BPN} ${D}${localstatedir}/log
+ rmdir --ignore-fail-on-non-empty ${D}${localstatedir}
if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
install -d ${D}${sysconfdir}/tmpfiles.d
echo "d /var/log/sssd 0750 - - - -" > ${D}${sysconfdir}/tmpfiles.d/sss.conf
fi
+ if [ "${@bb.utils.filter('DISTRO_FEATURES', 'sysvinit', d)}" ]; then
+ install -d ${D}${sysconfdir}/default/volatiles
+ echo "d ${SSSD_UID}:${SSSD_GID} 0755 ${localstatedir}/log/${BPN} none" > ${D}${sysconfdir}/default/volatiles/99_${BPN}
+ fi
+
# Remove /run as it is created on startup
rm -rf ${D}/run
@@ -106,6 +116,8 @@
chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf
}
+FILES:${PN} += "${nonarch_libdir}/tmpfiles.d"
+
CONFFILES:${PN} = "${sysconfdir}/${BPN}/${BPN}.conf"
INITSCRIPT_NAME = "sssd"
@@ -125,10 +137,14 @@
"
SYSTEMD_AUTO_ENABLE = "disable"
-FILES:${PN} += "${libdir} ${datadir} ${base_libdir}/security/pam_sss*.so"
-FILES:${PN}-dev = " ${includedir}/* ${libdir}/*la ${libdir}/*/*la"
+PACKAGES =+ "libsss-sudo"
+ALLOW_EMPTY:libsss-sudo = "1"
-# The package contains symlinks that trip up insane
-INSANE_SKIP:${PN} = "dev-so"
+FILES:${PN} += "${base_libdir}/security/pam_sss*.so \
+ ${datadir}/dbus-1/system-services/*.service \
+ ${libdir}/krb5/* \
+ ${libdir}/ldb/* \
+ "
+FILES:libsss-sudo = "${libdir}/libsss_sudo.so"
-RDEPENDS:${PN} = "bind bind-utils dbus libldb libpam"
+RDEPENDS:${PN} = "bind bind-utils dbus libldb libpam libsss-sudo"