subtree updates
meta-security: 498ca39cd6..93f2146211:
Anton Antonov (1):
Upgrade parsec-service to 1.0.0 and parsec-tool to 0.5.2
Joe Slater (1):
LICENSE: update to SPDX standard names
Petr Gotthard (6):
tpm2-tools: fix missing version number
tpm2-openssl: update to 1.1.0
tpm2-tss: update to 3.2.0
tpm2-abrmd: update to 2.4.1
tpm2-tss-engine: fix version string and build with openssl 3.0
tpm2-pkcs11: update to 1.8.0
Ranjitsinh Rathod (1):
samhain.inc: Correct LICENSE to GPL-2.0-only
poky: 30b38d9cb9..9e55696042:
Abongwa Amahnui Bonalais (2):
documentation/brief-yoctoprojectqs: add directory for local.conf
dev-manual: add command used to add the signed-off-by line.
Alex Kiernan (12):
kernel: Delete unused KERNEL_LOCALVERSION variable
wpa-supplicant: Reorder/group following style guide
wpa-supplicant: Avoid changing directory in do_install
wpa-supplicant: Use PACKAGE_BEFORE_PN/${PN}
wpa-supplicant: Backport libwpa/clean build fixes
wpa-supplicant: Build static library if not DISABLE_STATIC
wpa-supplicant: Use upstream defconfig
wpa-supplicant: Simplify build/install flow
wpa-supplicant: Package dynamic modules
wpa-supplicant: Install wpa_passphrase when not disabled
wpa-supplicant: Package shared library into wpa-supplicant-lib
eudev: Remove unused files
Alexander Kanavin (35):
webkitgtk: update 2.34.6 -> 2.36.0
epiphany: upgrade 41.3 -> 42.0
itstool: correct upstream version check
piglit: update to latest revision
vulkan-samples: update to latest revision
libxvmc: update 1.0.12 -> 1.0.13
libsndfile1: update 1.0.31 -> 1.1.0
at-spi2-core: update 2.42.0 -> 2.44.0
cmake: update 3.22.3 -> 3.23.0
gdk-pixbuf: upgrade 2.42.6 -> 2.42.8
librsvg: upgrade 2.52.7 -> 2.54.0
libgcrypt: upgrade 1.9.4 -> 1.10.1
llvm: update 13.0.1 -> 14.0.0
llvm: use default install paths
squashfs-tools: update 4.5 -> 4.5.1
webkitgtk: adjust patch status
go-helloworld: update to latest revision
libxml2: update patch status
python3-psutil: submit patch upstream
gnu-config: update to latest revision
go-helloworld: update to latest revision
piglit: update to latest revision
vulkan-samples: update to latest revision
python3-typing-extensions: upgrade 3.10.0.0 -> 4.2.0
python3-pyparsing: upgrade 3.0.7 -> 3.0.8
glib: upgrade 2.72.0 -> 2.72.1
go: update 1.18 -> 1.18.1
meson: update 0.61.3 -> 0.62.1
icu: update 70.1 -> 71.1
valgrind: update 3.18.1 -> 3.19.0
libcap-ng: update 0.8.2 -> 0.8.3
libgpg-error: 1.44 -> 1.45
cmake: update 3.23.0 -> 3.23.1
stress-ng: upgrade 0.13.12 -> 0.14.00
llvm: update 14.0.0 -> 14.0.1
Alexandre Belloni (1):
cmake: update license hashes
Andrei Gherzan (1):
automake: Drop redundant 'u' flag in ARFLAGS
Bruce Ashfield (3):
linux-yocto-dev: update to v5.18+
lttng-modules: support kernel 5.18+
kernel-yocto: allow patch author date to be commit date
Carlos Rafael Giani (2):
gstreamer1.0-plugins-good: Fix libsoup dependency
gstreamer1.0: Minor documentation addition
Chen Qi (3):
cases/buildepoxy.py: fix typo
go.bbclass: disable the use of the default configuration file
go-helloworld: remove unused GO_WORKDIR
Davide Gardenal (2):
create-spdx: fix error when symlink cannot be created
create-spdx: delete virtual/kernel dependency to fix FreeRTOS build
Dmitry Baryshkov (5):
linux-firmware: correct license for ar3k firmware
linux-firmware: split ath3k firmware
arch-armv8-2a.inc: fix a typo in TUNEVALID variable
arch-armv8-4a.inc: add tune include for armv8.4a
image.bbclass: allow overriding dependency on virtual/kernel:do_deploy
Ferry Toth (2):
apt: add apt selftest to test signed package feeds
package_manager: fix missing dependency on gnupg when signing deb package feeds
Henning Schild (1):
wic: do not use PARTLABEL for msdos partition tables
Jacob Kroon (1):
zlib: Add patch to fix building icedtea7-native from meta-java
Jasper Orschulko (1):
repo: upgrade 2.22 -> 2.23
Jiaqing Zhao (3):
sed: Specify shell for "nobody" user in run-ptest
base-passwd: Disable shell for default users
strace: Don't run ptest as "nobody"
Joerg Vehlow (1):
go: Always pass interpreter to linker
Jon Mason (4):
linux-yocto: Remove unnecessary, commented out qemuarm entry
qemuarm64: use virtio pci interfaces
poky-tiny: enable qemuarmv5/qemuarm64 and cleanups
poky-tiny: add a distro description
Justin Bronder (1):
pulseaudio: conditionally depend on alsa-plugins-pulseaudio-conf
Kai Kang (1):
update_udev_hwdb: fix multilib issue with systemd
Khem Raj (28):
webkitgtk: Add missing header locale.h
python3: Do not detect multiarch when cross compiling
kernel-devsrc: Check for gen_vdso_offsets.sh before copying on riscv
babeltrace: Disable warnings as errors
xserver-xorg: Fix build with gcc12
systemtap: Fix build with gcc-12
gnupg: Disable FORTIFY_SOURCES on mips
riscv: Add tunes for rv64 without compressed instructions
mdadm: Drop clang specific cflags
harfbuzz: Upgrade to 4.2.0
pango: Upgrade to 1.50.6
pango: Drop using additional cflags with clang
pango: Skip test-layout ptest
go: Upgrade to 1.18
go: Drop GOBUILDMODE
go: Disable pie in cgo for mips
go-target: Pass -trimpath to go linker
seatd: Disable overflow warning as error on ppc64/musl
gcc: Upgrade to 11.3 release
musl: Fix build when usrmerge distro feature is enabled
gcompat: Fix build when usrmerge distro feature is enabled
libc-glibc: Use libxcrypt to provide virtual/crypt
glibc: Update to latest 2.35 tip
qemu.bbclass: Extend ppc/ppc64 extra options
busybox: Use base_bindir instead of hardcoding /bin path
musl-locales: Add package
util-linux: Create u-a symlink for findfs utility
kmod: Enable xz support by default
Konrad Weihmann (11):
kern-tools-native: add missing license
gmp: add missing COPYINGv3
itstool: add missing COPYING.GPL3
libcap: add pam_cap license
libsdl2: fix license
libidn2: add Unicode-DFS-2016 license
gettext: add MIT conditional as license
python3-pip: correct license
cmake: add missing licenses
git: correct license
ncurses: use COPYING file
Lee Chee Yang (1):
migration-guides: release-notes-4.0: update 'Repositories / Downloads' section
Marius Kriegerowski (1):
bitbake: bitbake-diffsigs: Make PEP8 compliant
Martin Jansa (1):
systemd-boot: remove outdated EFI_LD comment
Matt Madison (1):
bitbake: providers: use local variable for packages_dynamic pattern
Michael Halstead (3):
releases: update for yocto 4.0
set_versions: update for 4.0 release
releases: update to include 3.3.6
Michael Opdenacker (5):
meta-poky: update conf-notes.txt
overview-manual: licensing section fixes
manuals: correct and improve descriptions of Autotools
manuals: refer to "YP Compatible" layers instead of "curated" ones
migration-guides: release-notes-4.0: mention LTS release
Naveen Saini (1):
gstreamer1.0-plugins-bad: drop patch
Nicolas Dechesne (2):
migration-guides: stop including documents with ".. include"
sanity: skip make 4.2.1 warning for debian
Olaf Mandel (1):
bitbake: fetch2/git: canonicalize ids in generated tarballs
Paul Eggleton (9):
migration-3.4: add missing entry on EXTRA_USERS_PARAMS
ref-manual: add a note about hard-coded passwords
ref-manual: mention wildcarding support in INCOMPATIBLE_LICENSE
ref-manual: add mention of vendor filtering to CVE_PRODUCT
ref-manual: add KERNEL_DEBUG_TIMESTAMPS
ref-manual: add empty-dirs QA check and QA_EMPTY_DIRS*
migration-guides: complete migration guide for 4.0
migration-guides: add release notes for 4.0
ref-manual: add ZSTD_THREADS
Paul Gortmaker (1):
install/devshell: Introduce git intercept script due to fakeroot issues
Paulo Neves (1):
selftest/lic_checksum: Add test for filename containing space
Pavel Zhukov (1):
bitbake: fetch2: Add GIT_SSH_COMMAND to the list of exports
Peter Kjellerstedt (8):
bitbake: pyinotify.py: Simplify identification of which event has occurred
shadow: Disable the use of syslog() for the native tools
u-boot: Correct the SRC_URI
u-boot: Inherit pkgconfig
bitbake: fetch2/git: Simplify the validation of SHA-1 revisions
terminal.py: Restore error output from Terminal
devshell.bbclass: Allow devshell & pydevshell to use the network
license_image.bbclass: Make QA errors fail the build
Peter Marko (1):
openssl: extract legacy provider module to a separate package
Pgowda (2):
glibc: ptest: Fix glibc-tests package issue
rust: update 1.59.0 -> 1.60.0
Portia (2):
volatile-binds: Change DefaultDependencies from false to no
volatile-binds: Remove TimeoutSec and allow DefaultTimeoutSec to be used
Quentin Schulz (15):
docs: sphinx-static: switchers.js.in: remove duplicate for outdated versions
docs: set_versions.py: add information about obsolescence of a release
docs: sphinx-static: switchers.js.in: improve obsolete version detection
docs: set_versions.py: fix latest release of a branch being shown twice in switchers.js
docs: set_versions.py: fix latest version of an active release shown as obsolete
docs: update Bitbake objects.inv location for master branch
docs: set_versions.py: mark as obsolete only branches and old tags from obsolete releases
docs: sphinx-static: switchers.js.in: rename all_versions to switcher_versions
docs: sphinx-static: switchers.js.in: fix broken switcher for branches
docs: sphinx-static: switchers.js.in: do not mark branches as outdated
docs: conf.py: fix cve extlinks caption for sphinx <4.0
docs: ref-manual: variables: add hashed password example in EXTRA_USERS_PARAMS
docs: migration-guides: migration-3.4: mention that hardcoded password are supported if hashed
docs: migration-guides: release-notes-4.0: fix risc-v typo
docs: migration-guides: release-notes-4.0: replace kernel placeholder with correct recipe name
Rahul Kumar (1):
neard: Switch SRC_URI to git repo
Ricardo Salveti (1):
bitbake: fetch2/crate: fix logger.debug line
Richard Purdie (47):
qemu: Add fix for CVE-2022-1050
tiff: Add marker for CVE-2022-1056 being fixed
git: Ignore CVE-2022-24975
Revert "adwaita-icon-theme: upgrade 41.0 -> 42.0"
migration-guide: Kirkstone is now 4.0
local.conf.sample: Update for 4.0 in sstate url
externalsrc/devtool: Fix to work with fixed export funcition flags handling
sanity: Show a warning that make 4.2.1 is buggy on non-ubuntu systems
runqemu: Allow auto detection of the correct graphics options
bitbake: checksum: Allow spaces in URI filenames
bitbake: ast: Improve function flags handling for EXPORT_FUNCTIONS
rxvt-unicode: Fix icon name
puzzles: Drop broken icon
build-appliance-image: Update to master head revision
build-appliance-image: Update to master head revision
bluez5: Add fix for startup issues under systemd
build-appliance-image: Update to master head revision
alsa-tools: Ensure we install correctly
libxshmfence: Correct LICENSE to HPND
bitbake.conf: Correct BB_SIGNATURE_EXCLUDE_FLAGS
git: Upgrade 2.35.1 -> 2.35.2
build-appliance-image: Update to master head revision
buildtools-tarball: Only add cert envvars if certs are included
buildtools: Add standalone make tarball
poky: Use INIT_MANAGER in main distro config
bitbake: tests/parse: Fix one test overwriting another
bitbake: server/process: Drop unused import
bitbake: ui/buildinfohelper: Drop unused import
bitbake: cooker: Drop unused loop
bitbake: msg: Drop unused local variable
bitbake: buildinfohelper: Drop unused function
bitbake: fetch2/crate: Drop unused import
bitbake: siggen: Drop pointless break statement
bitbake: ui/knotty: Drop pointless pass statement
bitbake: persist_data: Use a valid exception for missing implementation
bitbake: runqueue: Drop pointless variable assignment
bitbake: buildinfohelper: Drop unused variables
poky/meta-yocto-bsp: Post release version/codename updates
xorg-app: Tweak handling of compression changes in SRC_URI
ref-manual: Add XZ_THREADS and XZ_MEMLIMIT
set_versions: Add a getlatest command to obtain the latest release branch name
layer.conf: Post release codename changes
base: Drop git intercept
bitbake: fetch2/osc: Add missing parameter
staging: Ensure we filter out ourselves
lib/sstatesig: Fix find_siginfo to match sstate filename generation
bitbake: runqueue: Fix sig file location when using multiconfig
Robert Joslyn (1):
curl: Update to 7.83.0
Robert Yang (1):
bitbake: fetch2/ssh.py: decode path back for ssh
Ross Burton (12):
zlib: upgrade to 1.2.12
qemu: backport a patch to optionally disable i8042 (AT and PS/2) hardware
qemux86-64: disable legacy i8042 (AT keyboard, PS/2 mouse)
e2fsprogs: fix CVE-2022-1304
subversion: upgrade to 1.14.2
python3: ignore CVE-2015-20107
bitbake.conf: mark all directories as safe for git to read
cve_check: skip remote patches that haven't been fetched when searching for CVE tags
cve-check: no need to depend on the fetch task
poky.conf: set PACKAGE_CLASSES explicitly to package_rpm
distro/poky-tiny: don't put translations into images
musl-locales: explicitly depend on gettext-native
Russ Dill (2):
package.bbclass: Prevent perform_packagecopy from removing /sysroot-only
kernel-yocto.bbclass: Fixup do_kernel_configcheck usage of KMETA
Schmidt, Adriaan (1):
bitbake: bitbake-diffsigs: make finding of changed signatures more robust
Scott Murray (1):
runqemu: Do not auto detect graphics if publicvnc is specified
Sean Anderson (1):
wic: Add dependencies for erofs-utils
Simone Weiss (1):
libgpg-error: Add ptest
Stefan Herbrechtsmeier (1):
recipetool: Do not use mutable default arguments in Python
Steve Sakoman (3):
busybox: fix CVE-2022-28391
lua: fix CVE-2022-28805
scripts/contrib/oe-build-perf-report-email.py: remove obsolete check for phantomjs and optipng
Xu Huan (5):
python3-dbusmock: upgrade 0.27.3 -> 0.27.5
python3-pip: upgrade 22.0.3 -> 22.0.4
python3-zipp: upgrade 3.7.0 -> 3.8.0
python3-hypothesis: upgrade 6.39.5 -> 6.41.0
python3-sphinx: upgrade 4.4.0 -> 4.5.0
wangmy (34):
freetype: upgrade 2.11.1 -> 2.12.0
ghostscript: upgrade 9.55.0 -> 9.56.1
libsoup: upgrade 3.0.5 -> 3.0.6
libx11: upgrade 1.7.3.1 -> 1.7.5
acpica: upgrade 20211217 -> 20220331
apt: upgrade 2.4.3 -> 2.4.4
dpkg: upgrade 1.21.4 -> 1.21.7
fontconfig: upgrade 2.13.1 -> 2.14.0
mc: upgrade 4.8.27 -> 4.8.28
shared-mime-info: upgrade 2.1 -> 2.2
strace: upgrade 5.16 -> 5.17
sysvinit: upgrade 3.01 -> 3.02
libbsd: upgrade 0.11.5 -> 0.11.6
boost: upgrade 1.78.0 -> 1.79.0
enchant2: upgrade 2.3.2 -> 2.3.3
help2man: upgrade 1.49.1 -> 1.49.2
json-c: upgrade 0.15 -> 0.16
libaio: upgrade 0.3.112 -> 0.3.113
libusb1: upgrade 1.0.25 -> 1.0.26
libgit2: upgrade 1.4.2 -> 1.4.3
libcap: upgrade 2.63 -> 2.64
linux-firmware: upgrade 20220310 -> 20220411
mtools: upgrade 4.0.38 -> 4.0.39
libpcre2: upgrade 10.39 -> 10.40
python3-jsonpointer: upgrade 2.2 -> 2.3
python3-sphinx-rtd-theme: upgrade 0.5.0 -> 1.0.0
dropbear: upgrade 2020.81 -> 2022.82
gptfdisk: upgrade 1.0.8 -> 1.0.9
kexec-tools: upgrade 2.0.23 -> 2.0.24
libxcursor: upgrade 1.2.0 -> 1.2.1
mkfontscale: upgrade 1.2.1 -> 1.2.2
xdpyinfo: upgrade 1.3.2 -> 1.3.3
apt: upgrade 2.4.4 -> 2.4.5
python3-hypothesis: upgrade 6.41.0 -> 6.44.0
zhengruoqin (7):
createrepo-c: upgrade 0.19.0 -> 0.20.0
expat: upgrade 2.4.7 -> 2.4.8
ethtool: upgrade 5.16 -> 5.17
git: upgrade 2.35.2 -> 2.35.3
openssh: upgrade 8.9p1 -> 9.0p1
wireless-regdb: upgrade 2022.02.18 -> 2022.04.08
ruby: upgrade 3.1.1 -> 3.1.2
meta-openembedded: 1888971b1f..77c2fda04e:
Alex Kiernan (2):
audit: Upgrade 3.0.6 -> 3.0.7
mosh: Drop perl dependencies from server
Andreas Müller (21):
libnma: upgrade 1.8.36 -> 1.8.38
gnome-control-center: upgrade 41.2 -> 42.0
gnome-flashback: upgrade 3.42.1 -> 3.44.0
gnome-panel: upgrade 3.42.0 -> 3.44.0
gnome-session: upgrade 41.3 -> 42.0
gnome-shell-extensions: upgrade 41.1 -> 42.0
gthumb: upgrade 3.12.0 -> 3.12.2
ibus: upgrade 1.5.23+ -> 1.5.26
libportal: upgrade 0.5 -> 0.6
network-manager-applet: upgrade 1.24.0 -> 1.24.0
sysprof: upgrade 3.42.1 -> 3.44.0
gnome-shell: fix bluetooth PACKAGECONFIG
packagegroup-gnome-desktop: replace gnome-bluetooth by gnome-bluetooth4
gnome-bluetooth: avoid clashes with gnome-bluetooth4
gnome-bluetooth: rename recipes to avoid suffix in future
gnome-bluetooth: Add PACKAGECONFIG pulseaudio and filter by distro-feature
gnome-backgrounds: upgrade 41.0 -> 42.0
gnome-settings-daemon: upgrade 41.0 -> 42.1
libgweather4: Fix introspection build
gjs: Add cairo to DEPENDS unconditionally
gnome-shell-extensions: Stop copying gnome-classic session to wayland
Andrej Valek (1):
poco: upgrade 1.11.1 -> 1.11.2
Armin Kuster (1):
meta-oe-image: fix build depends
Bassem Boubaker (1):
conntrack-tools: Fix missing capability
Ben Fekih, Hichem (1):
sdbus-c++-libsystemd: bugfix dev package is not installed
Carlos Rafael Giani (1):
pipewire: Upgrade to version 0.3.50
Changqing Li (1):
drbd-utils: fix for usrmerge
Dmitry Baryshkov (1):
gpsd: split python utils from gps-utils
Hongxu Jia (1):
cdrkit: add new option -eltorito-platform for genimageiso
Jan Vermaete (1):
netdata: version bump 1.33.1 -> 1.34.1
Jiaqing Zhao (1):
libesmtp: Disable NTLM support by default
KARN JYE LAU (1):
icewm:include imlib2-loaders package
Kai Kang (1):
python3-blivetgui: use symbolic list-add and edit- icons
Khem Raj (60):
dbus-cxx: Include missing <utility> header
safec: Upgrade to 3.7.1
mongodb: Update to 4.4.13
libkcapi: Upgrade to 1.4.0
libpfm4: Remove -Werror from compiler flags
parallel-deqp-runner: Fix build with gcc 12
glmark2: Fix build with gcc12
memcached: Upgrade to 1.6.15
tvheadend: Update to latest trunk
ot-br-posix: Disable Wsign-compare for clang
opensaf: Fix build with gcc 12
boost-sml: Disable examples
mpich: Add new directory modules/hwloc/config to search path
gnulib: Do not use git operations to install the sources
sysprof: Fix build to work with llvm libunwind
linuxconsole: Fix makefile issue found with clang
mongodb: Fix aarch64 build with gcc12
libcereal: Link libatomics with gcc as well
wpantund: Add missing dependency on boost
gimp: Disable vector icons on 32bit systems
mozjs-91: Upgrade to 91.8.0
mozjs-78: Switch to system libicu
nodejs: Upgrade to 16.14.2
ot-br-posix: Fix build with gcc
dlt-daemon: Fix build on rv32/rv64
grpc: Fix build with rv32/rv64
ltrace: Fix build on ppc64 with gcc12
opencv: Fix build with gcc-12 on ppc64
mozjs-91: Disable strip
mozjs-91: Add option to use system ICU
sysprof: Remove libunwind on rv32
crash: Fix build for mips target
tcsh: Do not install symlinks into /bin with usrmerge
arno-iptables-firewall: Do not use bitbake variable inside S
fluentbit: Fix build with usrmerge distro feature
tomoyo-tools: Define SBINDIR
tomoyo-tools: Drop md5sum
gradm: Upgrade to 3.1-202111052217
babeld: Upgrade to 1.11
scsirastools: Fix build with usrmerge
dietsplash: specify install rootdir
linux-atm: Add knob to root prefix
ufw: Fix build with usrmerge distro feature
netdata: Fix build errors with clang
klibc: Recognise --dyld-prefix clang option
mozjs: Use vendored icu on ppc/clang
boinc-client: Do not overwrite same file when using usrmerge
pam-ssh-agent-auth: Use specific versions of BSD licenses
fwupd: Enable build with musl
lirc: install systemd units only when using systemd distro feature
fluentbit: Disable systemd support when systemd distro feature is disabled
gtksourceview5: Allow wayland or x11
gtkmm3: Allow wayland or x11 in distro features
gparted: Allow wayland or x11 distro features
lirc: Delete systemd unit files on non systemd distros
atkmm: Allow build with wayland
pangomm: Allow building with wayland
lockdev: Drop cumulative debian patch
boinc-client: Make script install not depend on host install paths
babl: Fix build with meson 0.62+
Leon Anavi (2):
python3-bitstruct: Upgrade 8.13.0 -> 8.14.0
python3-marshmallow: Upgrade 3.14.1 -> 3.15.0
Marguet, Nicolas (1):
openjpeg: fix CVE-2022-1122
Mingli Yu (4):
tgt: move from meta-openstack
libconfig-general-perl: move from meta-openstack
crash: Upgrade to 8.0.0
makedumpfile: Upgrade to 1.7.1
Oleksandr Kravchuk (4):
htpdate: update to 1.3.3
redis: upgrade to 7.0-rc3
pkcs11-helper: fix PV
python3-imgtool: update to 1.9.0
Peter Kjellerstedt (3):
gpsd: Only copy the Python files if they are created
poppler: Support building for native
gpsd: Correct the creation of the gps-utils-python package
Preeti Sachan (1):
gnuplot: inherit pkgconfig
Robert Yang (1):
libldb: Fix installed-vs-shipped and rebuild error
Suhrid_S (1):
clinfo: Upgrade 2.2.18.04.06 -> 3.0.21.02.21
Trevor Gamblin (2):
nftables: add ptest
phoronix-test-suite: upgrade 10.8.1 -> 10.8.2
Willy Tu (1):
absil-cpp: Update SRC_URI to to the latest google internal sync
Xu Huan (10):
python3-redis: upgrade 4.2.1 -> 4.2.2
python3-sentry-sdk: upgrade 1.5.7 -> 1.5.8
python3-sqlalchemy: upgrade 1.4.34 -> 1.4.35
python3-graphviz: upgrade 0.19.1 -> 0.19.2
python3-kivy: upgrade 2.0.0 -> 2.1.0
python3-aenum: upgrade 3.1.8 -> 3.1.11
python3-aws-iot-device-sdk-python: upgrade 1.5.1 -> 1.5.2
python3-cmd2: upgrade 2.4.0 -> 2.4.1
python3-django: upgrade 2.2.27 -> 2.2.28
python3-imageio: upgrade 2.16.1 -> 2.17.0
Yi Zhao (6):
frr: add recipe
libldb: upgrade 2.3.2 -> 2.3.3
samba: upgrade 4.14.12 -> 4.14.13
frr: install correct initscript
frr: add PACKAGECONFIG for fpm
frr: inherit autotools-brokensep instead of autotools
wangmy (51):
nbdkit: upgrade 1.25.7 -> 1.30.2
icewm: upgrade 2.9.0 -> 2.9.6
lapack: upgrade 3.9.0 -> 3.10.0
libbpf: upgrade 0.5.0 -> 0.7.0
libmtp: upgrade 1.1.18 -> 1.1.19
logwatch: upgrade 7.5.3 -> 7.6
mpich: upgrade 3.4.3 -> 4.0.2
libvpx: upgrade 1.8.2 -> 1.11.0
linuxconsole: upgrade 1.7.0 -> 1.7.1
mercurial: upgrade 5.5 -> 6.1
ocl-icd: upgrade 2.3.0 -> 2.3.1
octave: upgrade 6.4.0 -> 7.1.0
rdma-core: upgrade 39.0 -> 40.0
pam-plugin-ldapdb: upgrade 1.3 -> 1.3.1
pax-utils: upgrade 1.2.2 -> 1.3.3
pcsc-tools: upgrade 1.5.8 -> 1.6.0
pegtl: upgrade 3.2.1 -> 3.2.5
qpdf: upgrade 10.5.0 -> 10.6.3
s-nail: upgrade 14.9.23 -> 14.9.24
smcroute: upgrade 2.5.4 -> 2.5.5
squashfs-tools-ng: upgrade 1.0.2 -> 1.1.4
st: upgrade 0.8.4 -> 0.8.5
tracker: upgrade 3.2.1 -> 3.3.0
thingsboard-gateway: upgrade 2.8 -> 2.9
thrift: upgrade 0.14.2 -> 0.16.0
toybox: upgrade 0.8.5 -> 0.8.6
unbound: upgrade 1.13.2 -> 1.15.0
twm: upgrade 1.0.11 -> 1.0.12
unixodbc: upgrade 2.3.7 -> 2.3.9
xterm: upgrade 368 -> 372
python3-cppy: upgrade 1.2.0 -> 1.2.1
evince: upgrade 42.1 -> 42.2
evolution-data-server: upgrade 3.44.0 -> 3.44.1
gspell: upgrade 1.9.1 -> 1.10.0
gtksourceview5: upgrade 5.4.0 -> 5.4.1
libadwaita: upgrade 1.1.0 -> 1.1.1
nautilus: upgrade 42.0 -> 42.1.1
htpdate: upgrade 1.3.3 -> 1.3.4
nanomsg: upgrade 1.1.5 -> 1.2
nbdkit: upgrade 1.30.2 -> 1.31.1
ctags: upgrade 5.9.20220410.0 -> 5.9.20220417.0
hexedit: upgrade 1.5 -> 1.6
lapack: upgrade 3.10.0 -> 3.10.1
links: upgrade to 2.26
lsscsi: upgrade 0.31 -> 0.32
openwsman: upgrade 2.6.11 -> 2.7.1
libdbd-sqlite-perl: upgrade 1.68 -> 1.70
libencode-perl: upgrade 3.16 -> 3.17
libextutils-cppguess-perl: upgrade 0.23 -> 0.26
libtest-harness-perl: upgrade 3.42 -> 3.44
ostree: upgrade 2021.6 -> 2022.2
zhengruoqin (5):
python3-google-api-python-client: upgrade 2.42.0 -> 2.43.0
python3-googleapis-common-protos: upgrade 1.54.0 -> 1.56.0
python3-nocaselist: upgrade 1.0.4 -> 1.0.5
python3-pylint: upgrade 2.13.2 -> 2.13.5
python3-nocasedict: upgrade 1.0.2 -> 1.0.3
meta-raspberrypi: 83f5577d8d..c97a9e34ab:
Andrei Gherzan (20):
raspberrypi-firmware: Update to 20220331
linux-raspberrypi: Update 5.15 recipe to 5.15.34
linux-raspberrypi: Update 5.10 recipe to 5.10.110
bcm2835: Update to 1.71
pi-blaster: Uprev the recipe
linux-firmware-rpidistro: Update to 20210315-3+rpt4
raspi-gpio: Uprev revision to current HEAD of master branch
python3-rtimu: Upgrade to 7.2.1
rpio: Upgrade to 0.10.1
python3-adafruit-pureio: Uprade to 1.1.8
python3-adafruit-platformdetect: Upgrade to 3.22.1
python3-adafruit-circuitpython-register: Upgrade to 1.9.8
rpi-basic-image: Drop image
rpi-hwup-image: Drop image
packagegroup-rpi-test: Include more packages
ci: Use test builds with the test image
docs: Drop mention of deprecated images
docs: Bump copyright year
rpi-base.inc: Add MCP3008 ADC overlay
kmod: Enable xz compression
Davide Gardenal (1):
bluez-firmware-rpidistro: Add compatibility to oe-core/create-spdx
Jan Vermaete (1):
docs: link to latest documentation of kas
Khem Raj (1):
python3-sense-hat: Use specific BSD license
Meng Li (1):
u-boot: Remove the randundant patch
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: Icdb885a2d340dc3c88b971c57dede6902a9708e3
diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb
index 2b969ed..e3e643e 100644
--- a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb
+++ b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb
@@ -2,7 +2,7 @@
HOMEPAGE = "https://github.com/mgerstner/openssl_tpm_engine"
SECTION = "security/tpm"
-LICENSE = "openssl"
+LICENSE = "OpenSSL"
LIC_FILES_CHKSUM = "file://LICENSE;md5=11f0ee3af475c85b907426e285c9bb52"
DEPENDS += "openssl trousers"
diff --git a/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb b/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb
index 77f65ae..45da416 100644
--- a/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb
+++ b/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb
@@ -1,7 +1,7 @@
SUMMARY = "Command line utility to extend hash of arbitrary data into a TPMs PCR."
HOMEPAGE = "https://github.com/flihp/pcr-extend"
SECTION = "security/tpm"
-LICENSE = "GPLv2"
+LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
DEPENDS = "libtspi"
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.4.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.4.1.bb
similarity index 90%
rename from meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.4.0.bb
rename to meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.4.1.bb
index 1818171..daafae3 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.4.0.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.4.1.bb
@@ -13,14 +13,12 @@
libtss2 libtss2-mu libtss2-tcti-device libtss2-tcti-mssim"
SRC_URI = "\
- git://github.com/tpm2-software/tpm2-abrmd.git;branch=master;protocol=https \
+ https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz \
file://tpm2-abrmd-init.sh \
file://tpm2-abrmd.default \
"
-SRCREV = "4f332013a02c422e186c4aaf127ab6a40b996028"
-
-S = "${WORKDIR}/git"
+SRC_URI[sha256sum] = "a7844a257eaf5176f612fe9620018edc0880cca7036465ad2593f83ae0ad6673"
inherit autotools pkgconfig systemd update-rc.d useradd
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.0.bb
deleted file mode 100644
index f6a694c..0000000
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.0.bb
+++ /dev/null
@@ -1,11 +0,0 @@
-SUMMARY = "Provider for integration of TPM 2.0 to OpenSSL 3.0"
-LICENSE = "BSD-3-Clause"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=b75785ac083d3c3ca04d99d9e4e1fbab"
-
-SRC_URI = "git://github.com/tpm2-software/tpm2-openssl.git;protocol=https;branch=master"
-
-SRCREV = "66e34f9e45c3697590cced1e4d3f35993a822f8b"
-
-S = "${WORKDIR}/git"
-
-inherit pkgconfig
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.1.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.1.0.bb
new file mode 100644
index 0000000..55061c9
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.1.0.bb
@@ -0,0 +1,19 @@
+SUMMARY = "Provider for integration of TPM 2.0 to OpenSSL 3.0"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=b75785ac083d3c3ca04d99d9e4e1fbab"
+
+DEPENDS = "autoconf-archive-native tpm2-tss openssl"
+
+SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz"
+
+SRC_URI[sha256sum] = "eedcc0b72ad6d232e6f9f55a780290c4d33a4d06efca9314f8a36d7384eb1dfc"
+
+inherit autotools pkgconfig
+
+do_configure:prepend() {
+ # do not extract the version number from git
+ sed -i -e 's/m4_esyscmd_s(\[git describe --tags --always --dirty\])/${PV}/' ${S}/configure.ac
+}
+
+FILES:${PN} = "\
+ ${libdir}/ossl-modules/tpm2.so"
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-remove-local-binary-checkes.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-remove-local-binary-checkes.patch
deleted file mode 100644
index 9d3f073..0000000
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-remove-local-binary-checkes.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From 9e3ef6f253f9427596baf3e7d748a79854cadfa9 Mon Sep 17 00:00:00 2001
-From: Armin Kuster <akuster808@gmail.com>
-Date: Wed, 14 Oct 2020 08:55:33 -0700
-Subject: [PATCH] remove local binary checkes
-
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-Upsteam-Status: Inappropriate
-These are only needed to run on the tartget so we add an RDPENDS.
-Not needed for building.
-
----
- configure.ac | 48 ------------------------------------------------
- 1 file changed, 48 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 50e7d4b..2b9abcf 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -219,54 +219,6 @@ AX_PROG_JAVAC()
- AX_PROG_JAVA()
- m4_popdef([AC_MSG_ERROR])
-
--AC_CHECK_PROG([tpm2_createprimary], [tpm2_createprimary], [yes], [no])
-- AS_IF([test "x$tpm2_createprimary" != "xyes"],
-- [AC_MSG_ERROR([tpm2_ptool requires tpm2_createprimary, but executable not found.])])
--
--AC_CHECK_PROG([tpm2_create], [tpm2_create], [yes], [no])
-- AS_IF([test "x$tpm2_create" != "xyes"],
-- [AC_MSG_ERROR([tpm2_ptool requires tpm2_create, but executable not found.])])
--
--AC_CHECK_PROG([tpm2_evictcontrol], [tpm2_evictcontrol], [yes], [no])
-- AS_IF([test "x$tpm2_evictcontrol" != "xyes"],
-- [AC_MSG_ERROR([tpm2_ptool requires tpm2_evictcontrol, but executable not found.])])
--
--AC_CHECK_PROG([tpm2_readpublic], [tpm2_readpublic], [yes], [no])
-- AS_IF([test "x$tpm2_readpublic" != "xyes"],
-- [AC_MSG_ERROR([tpm2_ptool requires tpm2_readpublic, but executable not found.])])
--
--AC_CHECK_PROG([tpm2_load], [tpm2_load], [yes], [no])
-- AS_IF([test "x$tpm2_load" != "xyes"],
-- [AC_MSG_ERROR([tpm2_ptool requires tpm2_load, but executable not found.])])
--
--AC_CHECK_PROG([tpm2_loadexternal], [tpm2_loadexternal], [yes], [no])
-- AS_IF([test "x$tpm2_loadexternal" != "xyes"],
-- [AC_MSG_ERROR([tpm2_ptool requires tpm2_loadexternal, but executable not found.])])
--
--AC_CHECK_PROG([tpm2_unseal], [tpm2_unseal], [yes], [no])
-- AS_IF([test "x$tpm2_unseal" != "xyes"],
-- [AC_MSG_ERROR([tpm2_ptool requires tpm2_unseal, but executable not found.])])
--
--AC_CHECK_PROG([tpm2_encryptdecrypt], [tpm2_encryptdecrypt], [yes], [no])
-- AS_IF([test "x$tpm2_encryptdecrypt" != "xyes"],
-- [AC_MSG_ERROR([tpm2_ptool requires tpm2_encryptdecrypt, but executable not found.])])
--
--AC_CHECK_PROG([tpm2_sign], [tpm2_sign], [yes], [no])
-- AS_IF([test "x$tpm2_sign" != "xyes"],
-- [AC_MSG_ERROR([tpm2_ptool requires tpm2_sign, but executable not found.])])
--
--AC_CHECK_PROG([tpm2_getcap], [tpm2_getcap], [yes], [no])
-- AS_IF([test "x$tpm2_getcap" != "xyes"],
-- [AC_MSG_ERROR([tpm2_ptool requires tpm2_getcap, but executable not found.])])
--
--AC_CHECK_PROG([tpm2_import], [tpm2_import], [yes], [no])
-- AS_IF([test "x$tpm2_import" != "xyes"],
-- [AC_MSG_ERROR([tpm2_ptool requires tpm2_import, but executable not found.])])
--
--AC_CHECK_PROG([tpm2_changeauth], [tpm2_changeauth], [yes], [no])
-- AS_IF([test "x$tpm2_changeauth" != "xyes"],
-- [AC_MSG_ERROR([tpm2_ptool requires tpm2_changeauth, but executable not found.])])
--
- AC_DEFUN([integration_test_checks], [
-
- PKG_CHECK_MODULES([OPENSC_PKCS11],[opensc-pkcs11],,
---
-2.17.1
-
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-ssl-compile-against-OSSL-3.0.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-ssl-compile-against-OSSL-3.0.patch
deleted file mode 100644
index ac2f92c..0000000
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-ssl-compile-against-OSSL-3.0.patch
+++ /dev/null
@@ -1,1305 +0,0 @@
-From f7a2e90e80fd8b4c43042f8099e821b4118234d1 Mon Sep 17 00:00:00 2001
-From: William Roberts <william.c.roberts@intel.com>
-Date: Fri, 3 Sep 2021 11:24:40 -0500
-Subject: [PATCH 1/2] ssl: compile against OSSL 3.0
-
-Compile against OpenSSL. This moves functions non-deprecated things if
-possible and ignores deprecation warnings when not. Padding manipulation
-routines seem to have been marked deprecated in OSSL 3.0, so we need to
-figure out a porting strategy here.
-
-Fixes: #686
-
-Signed-off-by: William Roberts <william.c.roberts@intel.com>
-
-Upstream-Status: Backport
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
----
- src/lib/backend_esysdb.c | 5 +-
- src/lib/backend_fapi.c | 5 +-
- src/lib/encrypt.c | 2 +-
- src/lib/mech.c | 72 +---
- src/lib/object.c | 3 +-
- src/lib/sign.c | 2 +-
- src/lib/ssl_util.c | 531 ++++++++++++++++--------
- src/lib/ssl_util.h | 31 +-
- src/lib/tpm.c | 6 +-
- src/lib/utils.c | 35 +-
- src/lib/utils.h | 13 -
- test/integration/pkcs-sign-verify.int.c | 94 ++---
- 12 files changed, 441 insertions(+), 358 deletions(-)
-
-Index: git/src/lib/backend_esysdb.c
-===================================================================
---- git.orig/src/lib/backend_esysdb.c
-+++ git/src/lib/backend_esysdb.c
-@@ -3,6 +3,7 @@
- #include "config.h"
- #include "backend_esysdb.h"
- #include "db.h"
-+#include "ssl_util.h"
- #include "tpm.h"
-
- CK_RV backend_esysdb_init(void) {
-@@ -308,7 +309,7 @@ CK_RV backend_esysdb_token_unseal_wrappi
- }
-
- twist sealsalt = user ? sealobj->userauthsalt : sealobj->soauthsalt;
-- twist sealobjauth = utils_hash_pass(tpin, sealsalt);
-+ twist sealobjauth = ssl_util_hash_pass(tpin, sealsalt);
- if (!sealobjauth) {
- rv = CKR_HOST_MEMORY;
- goto error;
-@@ -372,7 +373,7 @@ CK_RV backend_esysdb_token_changeauth(to
- */
- twist oldsalt = !user ? tok->esysdb.sealobject.soauthsalt : tok->esysdb.sealobject.userauthsalt;
-
-- twist oldauth = utils_hash_pass(toldpin, oldsalt);
-+ twist oldauth = ssl_util_hash_pass(toldpin, oldsalt);
- if (!oldauth) {
- goto out;
- }
-Index: git/src/lib/backend_fapi.c
-===================================================================
---- git.orig/src/lib/backend_fapi.c
-+++ git/src/lib/backend_fapi.c
-@@ -11,6 +11,7 @@
- #include "backend_fapi.h"
- #include "emitter.h"
- #include "parser.h"
-+#include "ssl_util.h"
- #include "utils.h"
-
- #ifdef HAVE_FAPI
-@@ -793,7 +794,7 @@ CK_RV backend_fapi_token_unseal_wrapping
- }
-
- twist sealsalt = user ? tok->fapi.userauthsalt : tok->fapi.soauthsalt;
-- twist sealobjauth = utils_hash_pass(tpin, sealsalt);
-+ twist sealobjauth = ssl_util_hash_pass(tpin, sealsalt);
- if (!sealobjauth) {
- rv = CKR_HOST_MEMORY;
- goto error;
-@@ -889,7 +890,7 @@ CK_RV backend_fapi_token_changeauth(toke
- }
- rv = CKR_GENERAL_ERROR;
-
-- oldauth = utils_hash_pass(toldpin, user ? tok->fapi.userauthsalt : tok->fapi.soauthsalt);
-+ oldauth = ssl_util_hash_pass(toldpin, user ? tok->fapi.userauthsalt : tok->fapi.soauthsalt);
- if (!oldauth) {
- goto out;
- }
-Index: git/src/lib/encrypt.c
-===================================================================
---- git.orig/src/lib/encrypt.c
-+++ git/src/lib/encrypt.c
-@@ -59,7 +59,7 @@ void encrypt_op_data_free(encrypt_op_dat
- CK_RV sw_encrypt_data_init(mdetail *mdtl, CK_MECHANISM *mechanism, tobject *tobj, sw_encrypt_data **enc_data) {
-
- EVP_PKEY *pkey = NULL;
-- CK_RV rv = ssl_util_tobject_to_evp(&pkey, tobj);
-+ CK_RV rv = ssl_util_attrs_to_evp(tobj->attrs, &pkey);
- if (rv != CKR_OK) {
- return rv;
- }
-Index: git/src/lib/mech.c
-===================================================================
---- git.orig/src/lib/mech.c
-+++ git/src/lib/mech.c
-@@ -693,7 +693,7 @@ CK_RV ecc_keygen_validator(mdetail *m, C
- }
-
- int nid = 0;
-- CK_RV rv = ec_params_to_nid(a, &nid);
-+ CK_RV rv = ssl_util_params_to_nid(a, &nid);
- if (rv != CKR_OK) {
- return rv;
- }
-@@ -857,11 +857,11 @@ CK_RV rsa_pkcs_synthesizer(mdetail *mdtl
- }
-
- /* Apply the PKCS1.5 padding */
-- int rc = RSA_padding_add_PKCS1_type_1(outbuf, padded_len,
-- inbuf, inlen);
-- if (!rc) {
-+ CK_RV rv = ssl_util_add_PKCS1_TYPE_1(inbuf, inlen,
-+ outbuf, padded_len);
-+ if (rv != CKR_OK) {
- LOGE("Applying RSA padding failed");
-- return CKR_GENERAL_ERROR;
-+ return rv;
- }
-
- *outlen = padded_len;
-@@ -893,22 +893,21 @@ CK_RV rsa_pkcs_unsynthesizer(mdetail *md
- size_t key_bytes = *keybits / 8;
-
- unsigned char buf[4096];
-- int rc = RSA_padding_check_PKCS1_type_2(buf, sizeof(buf),
-- inbuf, inlen,
-- key_bytes);
-- if (rc < 0) {
-+ CK_ULONG buflen = sizeof(buf);
-+ CK_RV rv = ssl_util_check_PKCS1_TYPE_2(inbuf, inlen, key_bytes,
-+ buf, &buflen);
-+ if (rv != CKR_OK) {
- LOGE("Could not recover CKM_RSA_PKCS Padding");
-- return CKR_GENERAL_ERROR;
-+ return rv;
- }
-
-- /* cannot be < 0 because of check above */
-- if (!outbuf || (unsigned)rc > *outlen) {
-- *outlen = rc;
-+ if (!outbuf || buflen > *outlen) {
-+ *outlen = buflen;
- return outbuf ? CKR_BUFFER_TOO_SMALL : CKR_OK;
- }
-
-- *outlen = rc;
-- memcpy(outbuf, buf, rc);
-+ *outlen = buflen;
-+ memcpy(outbuf, buf, buflen);
-
- return CKR_OK;
- }
-@@ -944,50 +943,21 @@ CK_RV rsa_pss_synthesizer(mdetail *mdtl,
- return CKR_GENERAL_ERROR;
- }
-
-- CK_ATTRIBUTE_PTR exp_attr = attr_get_attribute_by_type(attrs, CKA_PUBLIC_EXPONENT);
-- if (!exp_attr) {
-- LOGE("Signing key has no CKA_PUBLIC_EXPONENT");
-- return CKR_GENERAL_ERROR;
-- }
--
- if (modulus_attr->ulValueLen > *outlen) {
- LOGE("Output buffer is too small, got: %lu, required at least %lu",
- *outlen, modulus_attr->ulValueLen);
- return CKR_GENERAL_ERROR;
- }
-
-- BIGNUM *e = BN_bin2bn(exp_attr->pValue, exp_attr->ulValueLen, NULL);
-- if (!e) {
-- LOGE("Could not convert exponent to bignum");
-- return CKR_GENERAL_ERROR;
-- }
--
-- BIGNUM *n = BN_bin2bn(modulus_attr->pValue, modulus_attr->ulValueLen, NULL);
-- if (!n) {
-- LOGE("Could not convert modulus to bignum");
-- BN_free(e);
-- return CKR_GENERAL_ERROR;
-- }
--
-- RSA *rsa = RSA_new();
-- if (!rsa) {
-- LOGE("oom");
-- return CKR_HOST_MEMORY;
-- }
--
-- int rc = RSA_set0_key(rsa, n, e, NULL);
-- if (!rc) {
-- LOGE("Could not set modulus and exponent to OSSL RSA key");
-- BN_free(n);
-- BN_free(e);
-- RSA_free(rsa);
-- return CKR_GENERAL_ERROR;
-+ EVP_PKEY *pkey = NULL;
-+ rv = ssl_util_attrs_to_evp(attrs, &pkey);
-+ if (rv != CKR_OK) {
-+ return rv;
- }
-
-- rc = RSA_padding_add_PKCS1_PSS(rsa, outbuf,
-- inbuf, md, -1);
-- RSA_free(rsa);
-- if (!rc) {
-+ rv = ssl_util_add_PKCS1_PSS(pkey, inbuf, md, outbuf);
-+ EVP_PKEY_free(pkey);
-+ if (rv != CKR_OK) {
- LOGE("Applying RSA padding failed");
- return CKR_GENERAL_ERROR;
- }
-Index: git/src/lib/object.c
-===================================================================
---- git.orig/src/lib/object.c
-+++ git/src/lib/object.c
-@@ -15,6 +15,7 @@
- #include "object.h"
- #include "pkcs11.h"
- #include "session_ctx.h"
-+#include "ssl_util.h"
- #include "token.h"
- #include "utils.h"
-
-@@ -121,7 +122,7 @@ CK_RV tobject_get_min_buf_size(tobject *
- }
-
- int nid = 0;
-- CK_RV rv = ec_params_to_nid(a, &nid);
-+ CK_RV rv = ssl_util_params_to_nid(a, &nid);
- if (rv != CKR_OK) {
- return rv;
- }
-Index: git/src/lib/sign.c
-===================================================================
---- git.orig/src/lib/sign.c
-+++ git/src/lib/sign.c
-@@ -74,7 +74,7 @@ static sign_opdata *sign_opdata_new(mdet
- }
-
- EVP_PKEY *pkey = NULL;
-- rv = ssl_util_tobject_to_evp(&pkey, tobj);
-+ rv = ssl_util_attrs_to_evp(tobj->attrs, &pkey);
- if (rv != CKR_OK) {
- return NULL;
- }
-Index: git/src/lib/ssl_util.c
-===================================================================
---- git.orig/src/lib/ssl_util.c
-+++ git/src/lib/ssl_util.c
-@@ -10,6 +10,7 @@
- #include <openssl/rsa.h>
- #include <openssl/sha.h>
-
-+#include "attrs.h"
- #include "log.h"
- #include "pkcs11.h"
- #include "ssl_util.h"
-@@ -19,194 +20,228 @@
- #include <openssl/evperr.h>
- #endif
-
--#if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11)
-+#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST300)
-+#include <openssl/core_names.h>
-+#endif
-
- /*
-- * Pre openssl 1.1 doesn't have EC_POINT_point2buf, so use EC_POINT_point2oct to
-- * create an API compatible version of it.
-+ * TODO Port these routines
-+ * Deprecated function block to port
-+ *
-+ * There are no padding routine replacements in OSSL 3.0.
-+ * - per Matt Caswell (maintainer) on mailing list.
-+ * Signature verification can likely be done with EVP Verify interface.
- */
--size_t EC_POINT_point2buf(const EC_GROUP *group, const EC_POINT *point,
-- point_conversion_form_t form,
-- unsigned char **pbuf, BN_CTX *ctx) {
--
-- /* Get the required buffer length */
-- size_t len = EC_POINT_point2oct(group, point, form, NULL, 0, NULL);
-- if (!len) {
-- return 0;
-- }
-+#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST300)
-+#pragma GCC diagnostic push
-+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
-+#endif
-
-- /* allocate it */
-- unsigned char *buf = OPENSSL_malloc(len);
-- if (!buf) {
-- return 0;
-- }
-+CK_RV ssl_util_add_PKCS1_PSS(EVP_PKEY *pkey,
-+ const CK_BYTE_PTR inbuf, const EVP_MD *md,
-+ CK_BYTE_PTR outbuf) {
-
-- /* convert it */
-- len = EC_POINT_point2oct(group, point, form, buf, len, ctx);
-- if (!len) {
-- OPENSSL_free(buf);
-- return 0;
-+ RSA *rsa = (RSA *)EVP_PKEY_get0_RSA(pkey);
-+ if (!rsa) {
-+ return CKR_GENERAL_ERROR;
- }
-
-- *pbuf = buf;
-- return len;
--}
-+ int rc = RSA_padding_add_PKCS1_PSS(rsa, outbuf,
-+ inbuf, md, -1);
-
--size_t OBJ_length(const ASN1_OBJECT *obj) {
-+ return rc == 1 ? CKR_OK : CKR_GENERAL_ERROR;
-+}
-
-- if (!obj) {
-- return 0;
-- }
-+CK_RV ssl_util_add_PKCS1_TYPE_1(const CK_BYTE_PTR inbuf, CK_ULONG inlen,
-+ CK_BYTE_PTR outbuf, CK_ULONG outbuflen) {
-
-- return obj->length;
-+ return RSA_padding_add_PKCS1_type_1(outbuf, outbuflen,
-+ inbuf, inlen) == 1 ? CKR_OK : CKR_GENERAL_ERROR;
- }
-
--const unsigned char *OBJ_get0_data(const ASN1_OBJECT *obj) {
-+CK_RV ssl_util_check_PKCS1_TYPE_2(const CK_BYTE_PTR inbuf, CK_ULONG inlen, CK_ULONG rsa_len,
-+ CK_BYTE_PTR outbuf, CK_ULONG_PTR outbuflen) {
-
-- if (!obj) {
-- return NULL;
-+ int rc = RSA_padding_check_PKCS1_type_2(outbuf, *outbuflen,
-+ inbuf, inlen, rsa_len);
-+ if (rc < 0) {
-+ return CKR_GENERAL_ERROR;
- }
-
-- return obj->data;
-+ /* cannot be negative due to check above */
-+ *outbuflen = rc;
-+ return CKR_OK;
- }
-
--const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x) {
-- return ASN1_STRING_data((ASN1_STRING *)x);
--}
-+#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST300)
-+#pragma GCC diagnostic pop
-+#endif
-
--int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
-+#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST300)
-
-- if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL)) {
-- return 0;
-- }
-+static CK_RV get_RSA_evp_pubkey(CK_ATTRIBUTE_PTR e_attr, CK_ATTRIBUTE_PTR n_attr, EVP_PKEY **out_pkey) {
-+
-+ OSSL_PARAM params[] = {
-+ OSSL_PARAM_BN("n", n_attr->pValue, n_attr->ulValueLen),
-+ OSSL_PARAM_BN("e", e_attr->pValue, e_attr->ulValueLen),
-+ OSSL_PARAM_END
-+ };
-
-- if (n != NULL) {
-- BN_free(r->n);
-- r->n = n;
-+ /* convert params to EVP key */
-+ EVP_PKEY_CTX *evp_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);
-+ if (!evp_ctx) {
-+ SSL_UTIL_LOGE("EVP_PKEY_CTX_new_id");
-+ return CKR_GENERAL_ERROR;
- }
-
-- if (e != NULL) {
-- BN_free(r->e);
-- r->e = e;
-+ int rc = EVP_PKEY_fromdata_init(evp_ctx);
-+ if (rc != 1) {
-+ SSL_UTIL_LOGE("EVP_PKEY_fromdata_init");
-+ EVP_PKEY_CTX_free(evp_ctx);
-+ return CKR_GENERAL_ERROR;
- }
-
-- if (d != NULL) {
-- BN_free(r->d);
-- r->d = d;
-+ rc = EVP_PKEY_fromdata(evp_ctx, out_pkey, EVP_PKEY_PUBLIC_KEY, params);
-+ if (rc != 1) {
-+ SSL_UTIL_LOGE("EVP_PKEY_fromdata");
-+ EVP_PKEY_CTX_free(evp_ctx);
-+ return CKR_GENERAL_ERROR;
- }
-
-- return 1;
-+ EVP_PKEY_CTX_free(evp_ctx);
-+
-+ return CKR_OK;
- }
-
--int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) {
-+static CK_RV get_EC_evp_pubkey(CK_ATTRIBUTE_PTR ecparams, CK_ATTRIBUTE_PTR ecpoint, EVP_PKEY **out_pkey) {
-+
-+ /*
-+ * The simplest way I have found to deal with this is to convert the ASN1 object in
-+ * the ecparams attribute (was done previously with d2i_ECParameters) is to a nid and
-+ * then take the int nid and convert it to a friendly name like prime256v1.
-+ * EVP_PKEY_fromdata can handle group by name.
-+ *
-+ * Per the spec this is "DER-encoding of an ANSI X9.62 Parameters value".
-+ */
-+ int curve_id = 0;
-+ CK_RV rv = ssl_util_params_to_nid(ecparams, &curve_id);
-+ if (rv != CKR_OK) {
-+ LOGE("Could not get nid from params");
-+ return rv;
-+ }
-
-- if (!r || !s) {
-- return 0;
-+ /* Per the spec CKA_EC_POINT attribute is the "DER-encoding of ANSI X9.62 ECPoint value Q */
-+ const unsigned char *x = ecpoint->pValue;
-+ ASN1_OCTET_STRING *os = d2i_ASN1_OCTET_STRING(NULL, &x, ecpoint->ulValueLen);
-+ if (!os) {
-+ SSL_UTIL_LOGE("d2i_ASN1_OCTET_STRING: %s");
-+ return CKR_GENERAL_ERROR;
- }
-
-- BN_free(sig->r);
-- BN_free(sig->s);
-+ OSSL_PARAM params[] = {
-+ OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, (char *)OBJ_nid2sn(curve_id), 0),
-+ OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PUB_KEY, os->data, os->length),
-+ OSSL_PARAM_END
-+ };
-
-- sig->r = r;
-- sig->s = s;
-+ /* convert params to EVP key */
-+ EVP_PKEY_CTX *evp_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
-+ if (!evp_ctx) {
-+ SSL_UTIL_LOGE("EVP_PKEY_CTX_new_id");
-+ OPENSSL_free(os);
-+ return CKR_GENERAL_ERROR;
-+ }
-
-- return 1;
--}
-+ int rc = EVP_PKEY_fromdata_init(evp_ctx);
-+ if (rc != 1) {
-+ SSL_UTIL_LOGE("EVP_PKEY_fromdata_init: %s");
-+ EVP_PKEY_CTX_free(evp_ctx);
-+ OPENSSL_free(os);
-+ return CKR_GENERAL_ERROR;
-+ }
-
--EC_KEY *EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey) {
-- if (pkey->type != EVP_PKEY_EC) {
-- return NULL;
-+ rc = EVP_PKEY_fromdata(evp_ctx, out_pkey, EVP_PKEY_PUBLIC_KEY, params);
-+ if (rc != 1) {
-+ SSL_UTIL_LOGE("EVP_PKEY_fromdata");
-+ EVP_PKEY_CTX_free(evp_ctx);
-+ OPENSSL_free(os);
-+ return CKR_GENERAL_ERROR;
- }
-
-- return pkey->pkey.ec;
-+ EVP_PKEY_CTX_free(evp_ctx);
-+ OPENSSL_free(os);
-+
-+ return CKR_OK;
- }
--#endif
-
--static CK_RV convert_pubkey_RSA(RSA **outkey, attr_list *attrs) {
-+#else
-
-- RSA *rsa = NULL;
-- BIGNUM *e = NULL, *n = NULL;
-+static CK_RV get_RSA_evp_pubkey(CK_ATTRIBUTE_PTR e_attr, CK_ATTRIBUTE_PTR n_attr, EVP_PKEY **out_pkey) {
-
-- CK_ATTRIBUTE_PTR exp = attr_get_attribute_by_type(attrs, CKA_PUBLIC_EXPONENT);
-- if (!exp) {
-- LOGE("RSA Object must have attribute CKA_PUBLIC_EXPONENT");
-+ BIGNUM *e = BN_bin2bn(e_attr->pValue, e_attr->ulValueLen, NULL);
-+ if (!e) {
-+ LOGE("Could not convert exponent to bignum");
- return CKR_GENERAL_ERROR;
- }
-
-- CK_ATTRIBUTE_PTR mod = attr_get_attribute_by_type(attrs, CKA_MODULUS);
-- if (!mod) {
-- LOGE("RSA Object must have attribute CKA_MODULUS");
-+ BIGNUM *n = BN_bin2bn(n_attr->pValue, n_attr->ulValueLen, NULL);
-+ if (!n) {
-+ LOGE("Could not convert modulus to bignum");
-+ BN_free(e);
- return CKR_GENERAL_ERROR;
- }
-
-- rsa = RSA_new();
-+ RSA *rsa = RSA_new();
- if (!rsa) {
-- SSL_UTIL_LOGE("Failed to allocate OpenSSL RSA structure");
-- goto error;
-+ LOGE("oom");
-+ return CKR_HOST_MEMORY;
- }
-
-- e = BN_bin2bn(exp->pValue, exp->ulValueLen, NULL);
-- if (!e) {
-- SSL_UTIL_LOGE("Failed to convert exponent to SSL internal format");
-- goto error;
-+ int rc = RSA_set0_key(rsa, n, e, NULL);
-+ if (!rc) {
-+ LOGE("Could not set modulus and exponent to OSSL RSA key");
-+ BN_free(n);
-+ BN_free(e);
-+ RSA_free(rsa);
-+ return CKR_GENERAL_ERROR;
- }
-
-- n = BN_bin2bn(mod->pValue, mod->ulValueLen, NULL);
-- if (!n) {
-- SSL_UTIL_LOGE("Failed to convert modulus to SSL internal format");
-- goto error;
-+ /* assigned to RSA key */
-+ n = e = NULL;
-+
-+ EVP_PKEY *pkey = EVP_PKEY_new();
-+ if (!pkey) {
-+ SSL_UTIL_LOGE("EVP_PKEY_new");
-+ RSA_free(rsa);
-+ return CKR_GENERAL_ERROR;
- }
-
-- if (!RSA_set0_key(rsa, n, e, NULL)) {
-- SSL_UTIL_LOGE("Failed to set RSA modulus and exponent components");
-+ rc = EVP_PKEY_assign_RSA(pkey, rsa);
-+ if (rc != 1) {
- RSA_free(rsa);
-- BN_free(e);
-- BN_free(n);
-- goto error;
-+ EVP_PKEY_free(pkey);
-+ return CKR_GENERAL_ERROR;
- }
-
-- *outkey = rsa;
-+ *out_pkey = pkey;
-
- return CKR_OK;
--
--error:
-- RSA_free(rsa);
-- if (e) {
-- BN_free(e);
-- }
-- if (n) {
-- BN_free(n);
-- }
--
-- return CKR_GENERAL_ERROR;
- }
-
--static CK_RV convert_pubkey_ECC(EC_KEY **outkey, attr_list *attrs) {
-+static CK_RV get_EC_evp_pubkey(CK_ATTRIBUTE_PTR ecparams, CK_ATTRIBUTE_PTR ecpoint, EVP_PKEY **out_pkey) {
-
-- EC_KEY *key = EC_KEY_new();
-- if (!key) {
-+ EC_KEY *ecc = EC_KEY_new();
-+ if (!ecc) {
- LOGE("oom");
- return CKR_HOST_MEMORY;
- }
-
-- CK_ATTRIBUTE_PTR ecparams = attr_get_attribute_by_type(attrs, CKA_EC_PARAMS);
-- if (!ecparams) {
-- LOGE("ECC Key must have attribute CKA_EC_PARAMS");
-- return CKR_GENERAL_ERROR;
-- }
--
-- CK_ATTRIBUTE_PTR ecpoint = attr_get_attribute_by_type(attrs, CKA_EC_POINT);
-- if (!ecpoint) {
-- LOGE("ECC Key must have attribute CKA_EC_POINT");
-- return CKR_GENERAL_ERROR;
-- }
--
- /* set params */
- const unsigned char *x = ecparams->pValue;
-- EC_KEY *k = d2i_ECParameters(&key, &x, ecparams->ulValueLen);
-+ EC_KEY *k = d2i_ECParameters(&ecc, &x, ecparams->ulValueLen);
- if (!k) {
- SSL_UTIL_LOGE("Could not update key with EC Parameters");
-- EC_KEY_free(key);
-+ EC_KEY_free(ecc);
- return CKR_GENERAL_ERROR;
- }
-
-@@ -215,22 +250,38 @@ static CK_RV convert_pubkey_ECC(EC_KEY *
- ASN1_OCTET_STRING *os = d2i_ASN1_OCTET_STRING(NULL, &x, ecpoint->ulValueLen);
- if (os) {
- x = os->data;
-- k = o2i_ECPublicKey(&key, &x, os->length);
-+ k = o2i_ECPublicKey(&ecc, &x, os->length);
- ASN1_STRING_free(os);
- if (!k) {
- SSL_UTIL_LOGE("Could not update key with EC Points");
-- EC_KEY_free(key);
-+ EC_KEY_free(ecc);
- return CKR_GENERAL_ERROR;
- }
- }
-
-- *outkey = key;
-+ EVP_PKEY *pkey = EVP_PKEY_new();
-+ if (!pkey) {
-+ SSL_UTIL_LOGE("EVP_PKEY_new");
-+ EC_KEY_free(ecc);
-+ return CKR_GENERAL_ERROR;
-+ }
-+
-+ int rc = EVP_PKEY_assign_EC_KEY(pkey, ecc);
-+ if (!rc) {
-+ SSL_UTIL_LOGE("Could not set pkey with ec key");
-+ EC_KEY_free(ecc);
-+ EVP_PKEY_free(pkey);
-+ return CKR_GENERAL_ERROR;
-+ }
-+
-+ *out_pkey = pkey;
- return CKR_OK;
- }
-+#endif
-
--CK_RV ssl_util_tobject_to_evp(EVP_PKEY **outpkey, tobject *obj) {
-+CK_RV ssl_util_attrs_to_evp(attr_list *attrs, EVP_PKEY **outpkey) {
-
-- CK_ATTRIBUTE_PTR a = attr_get_attribute_by_type(obj->attrs, CKA_KEY_TYPE);
-+ CK_ATTRIBUTE_PTR a = attr_get_attribute_by_type(attrs, CKA_KEY_TYPE);
- if (!a) {
- LOGE("Expected object to have attribute CKA_KEY_TYPE");
- return CKR_KEY_TYPE_INCONSISTENT;
-@@ -253,44 +304,52 @@ CK_RV ssl_util_tobject_to_evp(EVP_PKEY *
- return CKR_OK;
- }
-
-- EVP_PKEY *pkey = EVP_PKEY_new();
-- if (!pkey) {
-- LOGE("oom");
-- return CKR_HOST_MEMORY;
-- }
-+ EVP_PKEY *pkey = NULL;
-
- if (key_type == CKK_EC) {
-- EC_KEY *e = NULL;
-- rv = convert_pubkey_ECC(&e, obj->attrs);
-- if (rv != CKR_OK) {
-- return rv;
-+
-+ CK_ATTRIBUTE_PTR ecparams = attr_get_attribute_by_type(attrs, CKA_EC_PARAMS);
-+ if (!ecparams) {
-+ LOGE("ECC Key must have attribute CKA_EC_PARAMS");
-+ return CKR_GENERAL_ERROR;
- }
-- int rc = EVP_PKEY_assign_EC_KEY(pkey, e);
-- if (!rc) {
-- SSL_UTIL_LOGE("Could not set pkey with ec key");
-- EC_KEY_free(e);
-- EVP_PKEY_free(pkey);
-+
-+ CK_ATTRIBUTE_PTR ecpoint = attr_get_attribute_by_type(attrs, CKA_EC_POINT);
-+ if (!ecpoint) {
-+ LOGE("ECC Key must have attribute CKA_EC_POINT");
- return CKR_GENERAL_ERROR;
- }
-- } else if (key_type == CKK_RSA) {
-- RSA *r = NULL;
-- rv = convert_pubkey_RSA(&r, obj->attrs);
-+
-+ rv = get_EC_evp_pubkey(ecparams, ecpoint, &pkey);
- if (rv != CKR_OK) {
- return rv;
- }
-- int rc = EVP_PKEY_assign_RSA(pkey, r);
-- if (!rc) {
-- SSL_UTIL_LOGE("Could not set pkey with rsa key");
-- RSA_free(r);
-- EVP_PKEY_free(pkey);
-+
-+ } else if (key_type == CKK_RSA) {
-+
-+ CK_ATTRIBUTE_PTR exp = attr_get_attribute_by_type(attrs, CKA_PUBLIC_EXPONENT);
-+ if (!exp) {
-+ LOGE("RSA Object must have attribute CKA_PUBLIC_EXPONENT");
- return CKR_GENERAL_ERROR;
- }
-+
-+ CK_ATTRIBUTE_PTR mod = attr_get_attribute_by_type(attrs, CKA_MODULUS);
-+ if (!mod) {
-+ LOGE("RSA Object must have attribute CKA_MODULUS");
-+ return CKR_GENERAL_ERROR;
-+ }
-+
-+ rv = get_RSA_evp_pubkey(exp, mod, &pkey);
-+ if (rv != CKR_OK) {
-+ return rv;
-+ }
-+
- } else {
- LOGE("Invalid CKA_KEY_TYPE, got: %lu", key_type);
-- EVP_PKEY_free(pkey);
- return CKR_KEY_TYPE_INCONSISTENT;
- }
-
-+ assert(pkey);
- *outpkey = pkey;
-
- return CKR_OK;
-@@ -406,10 +465,12 @@ CK_RV ssl_util_setup_evp_pkey_ctx(EVP_PK
- }
- }
-
-- rc = EVP_PKEY_CTX_set_signature_md(pkey_ctx, md);
-- if (!rc) {
-- SSL_UTIL_LOGE("EVP_PKEY_CTX_set_signature_md failed");
-- goto error;
-+ if (md) {
-+ rc = EVP_PKEY_CTX_set_signature_md(pkey_ctx, md);
-+ if (!rc) {
-+ SSL_UTIL_LOGE("EVP_PKEY_CTX_set_signature_md failed");
-+ goto error;
-+ }
- }
-
- *outpkey_ctx = pkey_ctx;
-@@ -421,21 +482,12 @@ error:
- return CKR_GENERAL_ERROR;
- }
-
--static CK_RV do_sig_verify_rsa(EVP_PKEY *pkey,
-- int padding, const EVP_MD *md,
-- CK_BYTE_PTR digest, CK_ULONG digest_len,
-- CK_BYTE_PTR signature, CK_ULONG signature_len) {
-+static CK_RV sig_verify(EVP_PKEY_CTX *ctx,
-+ const unsigned char *sig, size_t siglen,
-+ const unsigned char *tbs, size_t tbslen) {
-
- CK_RV rv = CKR_GENERAL_ERROR;
--
-- EVP_PKEY_CTX *pkey_ctx = NULL;
-- rv = ssl_util_setup_evp_pkey_ctx(pkey, padding, md,
-- EVP_PKEY_verify_init, &pkey_ctx);
-- if (rv != CKR_OK) {
-- return rv;
-- }
--
-- int rc = EVP_PKEY_verify(pkey_ctx, signature, signature_len, digest, digest_len);
-+ int rc = EVP_PKEY_verify(ctx, sig, siglen, tbs, tbslen);
- if (rc < 0) {
- SSL_UTIL_LOGE("EVP_PKEY_verify failed");
- } else if (rc == 1) {
-@@ -444,11 +496,11 @@ static CK_RV do_sig_verify_rsa(EVP_PKEY
- rv = CKR_SIGNATURE_INVALID;
- }
-
-- EVP_PKEY_CTX_free(pkey_ctx);
- return rv;
- }
-
--static CK_RV create_ecdsa_sig(CK_BYTE_PTR sig, CK_ULONG siglen, ECDSA_SIG **outsig) {
-+static CK_RV create_ecdsa_sig(CK_BYTE_PTR sig, CK_ULONG siglen,
-+ unsigned char **outbuf, size_t *outlen) {
-
- if (siglen & 1) {
- LOGE("Expected ECDSA signature length to be even, got : %lu",
-@@ -487,21 +539,48 @@ static CK_RV create_ecdsa_sig(CK_BYTE_PT
- return CKR_GENERAL_ERROR;
- }
-
-- *outsig = ossl_sig;
-+ int sig_len =i2d_ECDSA_SIG(ossl_sig, NULL);
-+ if (sig_len <= 0) {
-+ if (rc < 0) {
-+ SSL_UTIL_LOGE("ECDSA_do_verify failed");
-+ } else {
-+ LOGE("Expected length to be greater than 0");
-+ }
-+ ECDSA_SIG_free(ossl_sig);
-+ return CKR_GENERAL_ERROR;
-+ }
-+
-+ unsigned char *buf = calloc(1, sig_len);
-+ if (!buf) {
-+ LOGE("oom");
-+ ECDSA_SIG_free(ossl_sig);
-+ return CKR_HOST_MEMORY;
-+ }
-+
-+ unsigned char *p = buf;
-+ int sig_len2 = i2d_ECDSA_SIG(ossl_sig, &p);
-+ if (sig_len2 < 0) {
-+ SSL_UTIL_LOGE("ECDSA_do_verify failed");
-+ ECDSA_SIG_free(ossl_sig);
-+ free(buf);
-+ return CKR_GENERAL_ERROR;
-+ }
-+
-+ assert(sig_len == sig_len2);
-+
-+ ECDSA_SIG_free(ossl_sig);
-+
-+ *outbuf = buf;
-+ *outlen = sig_len;
-
- return CKR_OK;
- }
-
- static CK_RV do_sig_verify_ec(EVP_PKEY *pkey,
-+ const EVP_MD *md,
- CK_BYTE_PTR digest, CK_ULONG digest_len,
- CK_BYTE_PTR signature, CK_ULONG signature_len) {
-
-- EC_KEY *eckey = EVP_PKEY_get0_EC_KEY(pkey);
-- if (!eckey) {
-- LOGE("Expected EC Key");
-- return CKR_GENERAL_ERROR;
-- }
--
- /*
- * OpenSSL expects ASN1 framed signatures, PKCS11 does flat
- * R + S signatures, so convert it to ASN1 framing.
-@@ -509,21 +588,47 @@ static CK_RV do_sig_verify_ec(EVP_PKEY *
- * https://github.com/tpm2-software/tpm2-pkcs11/issues/277
- * For details.
- */
-- ECDSA_SIG *ossl_sig = NULL;
-- CK_RV rv = create_ecdsa_sig(signature, signature_len, &ossl_sig);
-+ unsigned char *buf = NULL;
-+ size_t buflen = 0;
-+ CK_RV rv = create_ecdsa_sig(signature, signature_len, &buf, &buflen);
- if (rv != CKR_OK) {
- return rv;
- }
-
-- int rc = ECDSA_do_verify(digest, digest_len, ossl_sig, eckey);
-- if (rc < 0) {
-- ECDSA_SIG_free(ossl_sig);
-- SSL_UTIL_LOGE("ECDSA_do_verify failed");
-- return CKR_GENERAL_ERROR;
-+ EVP_PKEY_CTX *pkey_ctx = NULL;
-+ rv = ssl_util_setup_evp_pkey_ctx(pkey, 0, md,
-+ EVP_PKEY_verify_init, &pkey_ctx);
-+ if (rv != CKR_OK) {
-+ free(buf);
-+ return rv;
- }
-- ECDSA_SIG_free(ossl_sig);
-
-- return rc == 1 ? CKR_OK : CKR_SIGNATURE_INVALID;
-+ rv = sig_verify(pkey_ctx, buf, buflen, digest, digest_len);
-+
-+ EVP_PKEY_CTX_free(pkey_ctx);
-+ free(buf);
-+
-+ return rv;
-+}
-+
-+static CK_RV do_sig_verify_rsa(EVP_PKEY *pkey,
-+ int padding, const EVP_MD *md,
-+ CK_BYTE_PTR digest, CK_ULONG digest_len,
-+ CK_BYTE_PTR signature, CK_ULONG signature_len) {
-+
-+ CK_RV rv = CKR_GENERAL_ERROR;
-+
-+ EVP_PKEY_CTX *pkey_ctx = NULL;
-+ rv = ssl_util_setup_evp_pkey_ctx(pkey, padding, md,
-+ EVP_PKEY_verify_init, &pkey_ctx);
-+ if (rv != CKR_OK) {
-+ return rv;
-+ }
-+
-+ rv = sig_verify(pkey_ctx, signature, signature_len, digest, digest_len);
-+
-+ EVP_PKEY_CTX_free(pkey_ctx);
-+ return rv;
- }
-
- CK_RV ssl_util_sig_verify(EVP_PKEY *pkey,
-@@ -538,7 +643,7 @@ CK_RV ssl_util_sig_verify(EVP_PKEY *pkey
- digest, digest_len,
- signature, signature_len);
- case EVP_PKEY_EC:
-- return do_sig_verify_ec(pkey, digest, digest_len,
-+ return do_sig_verify_ec(pkey, md, digest, digest_len,
- signature, signature_len);
- default:
- LOGE("Unknown PKEY type, got: %d", type);
-@@ -577,3 +682,65 @@ CK_RV ssl_util_verify_recover(EVP_PKEY *
- EVP_PKEY_CTX_free(pkey_ctx);
- return rv;
- }
-+
-+twist ssl_util_hash_pass(const twist pin, const twist salt) {
-+
-+
-+ twist out = NULL;
-+ unsigned char md[SHA256_DIGEST_LENGTH];
-+
-+ EVP_MD_CTX *ctx = EVP_MD_CTX_new();
-+ if (!ctx) {
-+ SSL_UTIL_LOGE("EVP_MD_CTX_new");
-+ return NULL;
-+ }
-+
-+ int rc = EVP_DigestInit(ctx, EVP_sha256());
-+ if (rc != 1) {
-+ SSL_UTIL_LOGE("EVP_DigestInit");
-+ goto error;
-+ }
-+
-+ rc = EVP_DigestUpdate(ctx, pin, twist_len(pin));
-+ if (rc != 1) {
-+ SSL_UTIL_LOGE("EVP_DigestUpdate");
-+ goto error;
-+ }
-+
-+ rc = EVP_DigestUpdate(ctx, salt, twist_len(salt));
-+ if (rc != 1) {
-+ SSL_UTIL_LOGE("EVP_DigestUpdate");
-+ goto error;
-+ }
-+
-+ unsigned int len = sizeof(md);
-+ rc = EVP_DigestFinal(ctx, md, &len);
-+ if (rc != 1) {
-+ SSL_UTIL_LOGE("EVP_DigestFinal");
-+ goto error;
-+ }
-+
-+ /* truncate the password to 32 characters */
-+ out = twist_hex_new((char *)md, sizeof(md)/2);
-+
-+error:
-+ EVP_MD_CTX_free(ctx);
-+
-+ return out;
-+}
-+
-+CK_RV ssl_util_params_to_nid(CK_ATTRIBUTE_PTR ecparams, int *nid) {
-+
-+ const unsigned char *p = ecparams->pValue;
-+
-+ ASN1_OBJECT *a = d2i_ASN1_OBJECT(NULL, &p, ecparams->ulValueLen);
-+ if (!a) {
-+ LOGE("Unknown CKA_EC_PARAMS value");
-+ return CKR_ATTRIBUTE_VALUE_INVALID;
-+ }
-+
-+ *nid = OBJ_obj2nid(a);
-+ ASN1_OBJECT_free(a);
-+
-+ return CKR_OK;
-+}
-Index: git/src/lib/ssl_util.h
-===================================================================
---- git.orig/src/lib/ssl_util.h
-+++ git/src/lib/ssl_util.h
-@@ -11,8 +11,8 @@
-
- #include "pkcs11.h"
-
-+#include "attrs.h"
- #include "log.h"
--#include "object.h"
- #include "twist.h"
-
- #if (OPENSSL_VERSION_NUMBER < 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) /* OpenSSL 1.1.0 */
-@@ -22,6 +22,10 @@
- #define LIB_TPM2_OPENSSL_OPENSSL_POST111 0x1010100f
- #endif
-
-+#if (OPENSSL_VERSION_NUMBER >= 0x30000000) /* OpenSSL 3.0.0 */
-+#define LIB_TPM2_OPENSSL_OPENSSL_POST300 0x1010100f
-+#endif
-+
- /* OpenSSL Backwards Compat APIs */
- #if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11)
- #include <string.h>
-@@ -58,7 +62,7 @@ static inline void *OPENSSL_memdup(const
-
- #define SSL_UTIL_LOGE(m) LOGE("%s: %s", m, ERR_error_string(ERR_get_error(), NULL));
-
--CK_RV ssl_util_tobject_to_evp(EVP_PKEY **outpkey, tobject *obj);
-+CK_RV ssl_util_attrs_to_evp(attr_list *attrs, EVP_PKEY **outpkey);
-
- CK_RV ssl_util_encrypt(EVP_PKEY *pkey,
- int padding, twist label, const EVP_MD *md,
-@@ -82,4 +86,27 @@ CK_RV ssl_util_setup_evp_pkey_ctx(EVP_PK
- fn_EVP_PKEY_init init_fn,
- EVP_PKEY_CTX **outpkey_ctx);
-
-+CK_RV ssl_util_add_PKCS1_PSS(EVP_PKEY *pkey,
-+ const CK_BYTE_PTR inbuf, const EVP_MD *md,
-+ CK_BYTE_PTR outbuf);
-+
-+CK_RV ssl_util_add_PKCS1_TYPE_1(const CK_BYTE_PTR inbuf, CK_ULONG inlen,
-+ CK_BYTE_PTR outbuf, CK_ULONG outbuflen);
-+
-+CK_RV ssl_util_check_PKCS1_TYPE_2(const CK_BYTE_PTR inbuf, CK_ULONG inlen, CK_ULONG rsa_len,
-+ CK_BYTE_PTR outbuf, CK_ULONG_PTR outbuflen);
-+
-+twist ssl_util_hash_pass(const twist pin, const twist salt);
-+
-+/**
-+ * Given an attribute of CKA_EC_PARAMS returns the nid value.
-+ * @param ecparams
-+ * The DER X9.62 parameters value
-+ * @param nid
-+ * The nid to set
-+ * @return
-+ * CKR_OK on success.
-+ */
-+CK_RV ssl_util_params_to_nid(CK_ATTRIBUTE_PTR ecparams, int *nid);
-+
- #endif /* SRC_LIB_SSL_UTIL_H_ */
-Index: git/src/lib/tpm.c
-===================================================================
---- git.orig/src/lib/tpm.c
-+++ git/src/lib/tpm.c
-@@ -3099,7 +3099,7 @@ static CK_RV handle_ecparams(CK_ATTRIBUT
- tpm_key_data *keydat = (tpm_key_data *)udata;
-
- int nid = 0;
-- CK_RV rv = ec_params_to_nid(attr, &nid);
-+ CK_RV rv = ssl_util_params_to_nid(attr, &nid);
- if (rv != CKR_OK) {
- return rv;
- }
-@@ -3451,7 +3451,7 @@ static EC_POINT *tpm_pub_to_ossl_pub(EC_
- goto out;
- }
-
-- int rc = EC_POINT_set_affine_coordinates_GFp(group,
-+ int rc = EC_POINT_set_affine_coordinates(group,
- pub_key_point_tmp,
- bn_x,
- bn_y,
-@@ -4579,7 +4579,7 @@ CK_RV tpm_get_pss_sig_state(tpm_ctx *tct
- goto out;
- }
-
-- rv = ssl_util_tobject_to_evp(&pkey, tobj);
-+ rv = ssl_util_attrs_to_evp(tobj->attrs, &pkey);
- if (rv != CKR_OK) {
- goto out;
- }
-Index: git/src/lib/utils.c
-===================================================================
---- git.orig/src/lib/utils.c
-+++ git/src/lib/utils.c
-@@ -7,6 +7,7 @@
- #include <openssl/sha.h>
-
- #include "log.h"
-+#include "ssl_util.h"
- #include "token.h"
- #include "utils.h"
-
-@@ -45,7 +46,7 @@ CK_RV utils_setup_new_object_auth(twist
- pin_to_use = newpin;
- }
-
-- *newauthhex = utils_hash_pass(pin_to_use, salt_to_use);
-+ *newauthhex = ssl_util_hash_pass(pin_to_use, salt_to_use);
- if (!*newauthhex) {
- goto out;
- }
-@@ -330,22 +331,6 @@ out:
-
- }
-
--twist utils_hash_pass(const twist pin, const twist salt) {
--
--
-- unsigned char md[SHA256_DIGEST_LENGTH];
--
-- SHA256_CTX sha256;
-- SHA256_Init(&sha256);
--
-- SHA256_Update(&sha256, pin, twist_len(pin));
-- SHA256_Update(&sha256, salt, twist_len(salt));
-- SHA256_Final(md, &sha256);
--
-- /* truncate the password to 32 characters */
-- return twist_hex_new((char *)md, sizeof(md)/2);
--}
--
- size_t utils_get_halg_size(CK_MECHANISM_TYPE mttype) {
-
- switch(mttype) {
-@@ -448,22 +433,6 @@ CK_RV utils_ctx_wrap_objauth(twist wrapp
-
- return CKR_OK;
- }
--
--CK_RV ec_params_to_nid(CK_ATTRIBUTE_PTR ecparams, int *nid) {
--
-- const unsigned char *p = ecparams->pValue;
--
-- ASN1_OBJECT *a = d2i_ASN1_OBJECT(NULL, &p, ecparams->ulValueLen);
-- if (!a) {
-- LOGE("Unknown CKA_EC_PARAMS value");
-- return CKR_ATTRIBUTE_VALUE_INVALID;
-- }
--
-- *nid = OBJ_obj2nid(a);
-- ASN1_OBJECT_free(a);
--
-- return CKR_OK;
--}
-
- CK_RV apply_pkcs7_pad(const CK_BYTE_PTR in, CK_ULONG inlen,
- CK_BYTE_PTR out, CK_ULONG_PTR outlen) {
-Index: git/src/lib/utils.h
-===================================================================
---- git.orig/src/lib/utils.h
-+++ git/src/lib/utils.h
-@@ -45,8 +45,6 @@ static inline void _str_padded_copy(CK_U
- memcpy(dst, src, src_len);
- }
-
--twist utils_hash_pass(const twist pin, const twist salt);
--
- twist aes256_gcm_decrypt(const twist key, const twist objauth);
-
- twist aes256_gcm_encrypt(twist keybin, twist plaintextbin);
-@@ -77,17 +75,6 @@ CK_RV utils_ctx_unwrap_objauth(twist wra
- CK_RV utils_ctx_wrap_objauth(twist wrappingkey, twist objauth, twist *wrapped_auth);
-
- /**
-- * Given an attribute of CKA_EC_PARAMS returns the nid value.
-- * @param ecparams
-- * The DER X9.62 parameters value
-- * @param nid
-- * The nid to set
-- * @return
-- * CKR_OK on success.
-- */
--CK_RV ec_params_to_nid(CK_ATTRIBUTE_PTR ecparams, int *nid);
--
--/**
- * Removes a PKCS7 padding on a 16 byte block.
- * @param in
- * The PKCS5 padded input.
-Index: git/test/integration/pkcs-sign-verify.int.c
-===================================================================
---- git.orig/test/integration/pkcs-sign-verify.int.c
-+++ git/test/integration/pkcs-sign-verify.int.c
-@@ -1061,70 +1061,13 @@ static void test_double_sign_final_call_
- assert_int_equal(rv, CKR_OK);
- }
-
--static CK_ATTRIBUTE_PTR get_attr(CK_ATTRIBUTE_TYPE type, CK_ATTRIBUTE_PTR attrs, CK_ULONG attr_len) {
--
-- CK_ULONG i;
-- for (i=0; i < attr_len; i++) {
-- CK_ATTRIBUTE_PTR a = &attrs[i];
-- if (a->type == type) {
-- return a;
-- }
-- }
--
-- return NULL;
--}
--
--#if (OPENSSL_VERSION_NUMBER < 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) /* OpenSSL 1.1.0 */
--#define LIB_TPM2_OPENSSL_OPENSSL_PRE11
--#endif
--
--RSA *template_to_rsa_pub_key(CK_ATTRIBUTE_PTR attrs, CK_ULONG attr_len) {
--
-- RSA *ssl_rsa_key = NULL;
-- BIGNUM *e = NULL, *n = NULL;
--
-- /* get the exponent */
-- CK_ATTRIBUTE_PTR a = get_attr(CKA_PUBLIC_EXPONENT, attrs, attr_len);
-- assert_non_null(a);
--
-- e = BN_bin2bn((void*)a->pValue, a->ulValueLen, NULL);
-- assert_non_null(e);
--
-- /* get the modulus */
-- a = get_attr(CKA_MODULUS, attrs, attr_len);
-- assert_non_null(a);
--
-- n = BN_bin2bn(a->pValue, a->ulValueLen,
-- NULL);
-- assert_non_null(n);
--
-- ssl_rsa_key = RSA_new();
-- assert_non_null(ssl_rsa_key);
--
--#if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11)
-- ssl_rsa_key->e = e;
-- ssl_rsa_key->n = n;
--#else
-- int rc = RSA_set0_key(ssl_rsa_key, n, e, NULL);
-- assert_int_equal(rc, 1);
--#endif
--
-- return ssl_rsa_key;
--}
--
--static void verify(RSA *pub, CK_BYTE_PTR msg, CK_ULONG msg_len, CK_BYTE_PTR sig, CK_ULONG sig_len) {
--
-- EVP_PKEY *pkey = EVP_PKEY_new();
-- assert_non_null(pkey);
--
-- int rc = EVP_PKEY_set1_RSA(pkey, pub);
-- assert_int_equal(rc, 1);
-+static void verify(EVP_PKEY *pkey, CK_BYTE_PTR msg, CK_ULONG msg_len, CK_BYTE_PTR sig, CK_ULONG sig_len) {
-
- EVP_MD_CTX *ctx = EVP_MD_CTX_create();
- const EVP_MD* md = EVP_get_digestbyname("SHA256");
- assert_non_null(md);
-
-- rc = EVP_DigestInit_ex(ctx, md, NULL);
-+ int rc = EVP_DigestInit_ex(ctx, md, NULL);
- assert_int_equal(rc, 1);
-
- rc = EVP_DigestVerifyInit(ctx, NULL, md, NULL, pkey);
-@@ -1136,7 +1079,6 @@ static void verify(RSA *pub, CK_BYTE_PTR
- rc = EVP_DigestVerifyFinal(ctx, sig, sig_len);
- assert_int_equal(rc, 1);
-
-- EVP_PKEY_free(pkey);
- EVP_MD_CTX_destroy(ctx);
- }
-
-@@ -1170,20 +1112,38 @@ static void test_sign_verify_public(void
- assert_int_equal(siglen, 256);
-
- /* build an OSSL RSA key from parts */
-- CK_BYTE _tmp_bufs[2][1024];
-+ CK_BYTE _tmp_bufs[3][1024];
- CK_ATTRIBUTE attrs[] = {
-- { .type = CKA_PUBLIC_EXPONENT, .ulValueLen = sizeof(_tmp_bufs[0]), .pValue = &_tmp_bufs[0] },
-- { .type = CKA_MODULUS, .ulValueLen = sizeof(_tmp_bufs[1]), .pValue = &_tmp_bufs[1] },
-+ { .type = CKA_KEY_TYPE, .ulValueLen = sizeof(_tmp_bufs[0]), .pValue = &_tmp_bufs[0] },
-+ { .type = CKA_PUBLIC_EXPONENT, .ulValueLen = sizeof(_tmp_bufs[0]), .pValue = &_tmp_bufs[1] },
-+ { .type = CKA_MODULUS, .ulValueLen = sizeof(_tmp_bufs[1]), .pValue = &_tmp_bufs[2] },
- };
-
- rv = C_GetAttributeValue(session, pub_handle, attrs, ARRAY_LEN(attrs));
- assert_int_equal(rv, CKR_OK);
-
-- RSA *r = template_to_rsa_pub_key(attrs, ARRAY_LEN(attrs));
-- assert_non_null(r);
-+ CK_KEY_TYPE key_type = CKA_KEY_TYPE_BAD;
-+ rv = attr_CK_KEY_TYPE(&attrs[0], &key_type);
-+ assert_int_equal(rv, CKR_OK);
-+
-+ EVP_PKEY *pkey = NULL;
-+ attr_list *l = attr_list_new();
-+
-+ bool res = attr_list_add_int(l, CKA_KEY_TYPE, key_type);
-+ assert_true(res);
-
-- verify(r, msg, sizeof(msg) - 1, sig, siglen);
-- RSA_free(r);
-+ res = attr_list_add_buf(l, attrs[1].type, attrs[1].pValue, attrs[1].ulValueLen);
-+ assert_true(res);
-+
-+ res = attr_list_add_buf(l, attrs[2].type, attrs[2].pValue, attrs[2].ulValueLen);
-+ assert_true(res);
-+
-+ rv = ssl_util_attrs_to_evp(l, &pkey);
-+ assert_int_equal(rv, CKR_OK);
-+ attr_list_free(l);
-+
-+ verify(pkey, msg, sizeof(msg) - 1, sig, siglen);
-+ EVP_PKEY_free(pkey);
- }
-
- static void test_sign_verify_context_specific_good(void **state) {
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0002-ossl-require-version-1.1.0-or-greater.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0002-ossl-require-version-1.1.0-or-greater.patch
deleted file mode 100644
index ef0a6dc..0000000
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0002-ossl-require-version-1.1.0-or-greater.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From d33e5ef0b11125fe4683d7bfa17023e24997f587 Mon Sep 17 00:00:00 2001
-From: William Roberts <william.c.roberts@intel.com>
-Date: Fri, 3 Sep 2021 11:30:50 -0500
-Subject: [PATCH 2/2] ossl: require version 1.1.0 or greater
-
-THIS DROPS SUPPORT FOR OSSL 1.0.2.
-
-Signed-off-by: William Roberts <william.c.roberts@intel.com>
-
-Upstream-Status: Backport
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
----
- configure.ac | 2 +-
- src/lib/ssl_util.h | 43 +++++--------------------------------------
- 2 files changed, 6 insertions(+), 39 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index a7aeaf5..94fb5d4 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -55,7 +55,7 @@ PKG_CHECK_EXISTS([tss2-esys >= 3.0],
- # require sqlite3 and libcrypto
- PKG_CHECK_MODULES([SQLITE3], [sqlite3])
- PKG_CHECK_MODULES([YAML], [yaml-0.1])
--PKG_CHECK_MODULES([CRYPTO], [libcrypto >= 1.0.2g])
-+PKG_CHECK_MODULES([CRYPTO], [libcrypto >= 1.1.0])
-
- # check for pthread
- AX_PTHREAD([],[AC_MSG_ERROR([Cannot find pthread])])
-diff --git a/src/lib/ssl_util.h b/src/lib/ssl_util.h
-index 9909fd6..2591728 100644
---- a/src/lib/ssl_util.h
-+++ b/src/lib/ssl_util.h
-@@ -15,51 +15,18 @@
- #include "log.h"
- #include "twist.h"
-
--#if (OPENSSL_VERSION_NUMBER < 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) /* OpenSSL 1.1.0 */
--#define LIB_TPM2_OPENSSL_OPENSSL_PRE11
--/* LibreSSL does not appear to have evperr.h, so their is no need to define this otherwise */
--#elif (OPENSSL_VERSION_NUMBER >= 0x1010100fL) /* OpenSSL 1.1.1 */
-+#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL) /* OpenSSL 1.1.1 */
- #define LIB_TPM2_OPENSSL_OPENSSL_POST111 0x1010100f
- #endif
-
--#if (OPENSSL_VERSION_NUMBER >= 0x30000000) /* OpenSSL 3.0.0 */
--#define LIB_TPM2_OPENSSL_OPENSSL_POST300 0x1010100f
-+#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST111)
-+#include <openssl/evperr.h>
- #endif
-
--/* OpenSSL Backwards Compat APIs */
--#if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11)
--#include <string.h>
--size_t EC_POINT_point2buf(const EC_GROUP *group, const EC_POINT *point,
-- point_conversion_form_t form,
-- unsigned char **pbuf, BN_CTX *ctx);
--
--const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x);
--
--int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
--
--int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s);
--
--EC_KEY *EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey);
--
--static inline void *OPENSSL_memdup(const void *dup, size_t l) {
--
-- void *p = OPENSSL_malloc(l);
-- if (!p) {
-- return NULL;
-- }
--
-- memcpy(p, dup, l);
-- return p;
--}
--
--#endif
--
--#ifndef RSA_PSS_SALTLEN_DIGEST
--#define RSA_PSS_SALTLEN_DIGEST -1
-+#if (OPENSSL_VERSION_NUMBER >= 0x30000000) /* OpenSSL 3.0.0 */
-+#define LIB_TPM2_OPENSSL_OPENSSL_POST300 0x1010100f
- #endif
-
--/* Utility APIs */
--
- #define SSL_UTIL_LOGE(m) LOGE("%s: %s", m, ERR_error_string(ERR_get_error(), NULL));
-
- CK_RV ssl_util_attrs_to_evp(attr_list *attrs, EVP_PKEY **outpkey);
---
-2.25.1
-
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/bootstrap_fixup.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/bootstrap_fixup.patch
deleted file mode 100644
index d38e237..0000000
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/bootstrap_fixup.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Upstream-Status: OE specific
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-Index: git/bootstrap
-===================================================================
---- git.orig/bootstrap
-+++ git/bootstrap
-@@ -27,4 +27,3 @@ echo "Generating file lists: ${VARS_FILE
- ) > ${VARS_FILE}
-
- mkdir -p m4
--${AUTORECONF} --install --sym $@
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.7.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb
similarity index 76%
rename from meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.7.0.bb
rename to meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb
index 177c3c3..a9174e6 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.7.0.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb
@@ -6,21 +6,17 @@
DEPENDS = "autoconf-archive pkgconfig sqlite3 openssl libtss2-dev tpm2-tools libyaml p11-kit python3-setuptools-native"
-SRC_URI = "git://github.com/tpm2-software/tpm2-pkcs11.git;branch=master;protocol=https \
- file://bootstrap_fixup.patch \
- file://0001-remove-local-binary-checkes.patch \
- file://0001-ssl-compile-against-OSSL-3.0.patch \
- file://0002-ossl-require-version-1.1.0-or-greater.patch \
- "
+SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz"
-SRCREV = "11fd2532ce10e97834a57dfb25bff6c613a5a851"
-
-S = "${WORKDIR}/git"
+SRC_URI[sha256sum] = "79f28899047defd6b4b72b7268dd56abf27774954022315f818c239af33e05bd"
inherit autotools-brokensep pkgconfig python3native
-do_configure:prepend () {
- ${S}/bootstrap
+EXTRA_OECONF += "--disable-ptool-checks"
+
+do_configure:prepend() {
+ # do not extract the version number from git
+ sed -i -e 's/m4_esyscmd_s(\[git describe --tags --always --dirty\])/${PV}/' ${S}/configure.ac
}
do_compile:append() {
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb
index 6e95a0e..f924038 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb
@@ -11,3 +11,8 @@
SRC_URI[sha256sum] = "c0b402f6a7b3456e8eb2445211e2d41c46c7e769e05fe4d8909ff64119f7a630"
inherit autotools pkgconfig bash-completion
+
+do_configure:prepend() {
+ # do not extract the version number from git
+ sed -i -e 's/m4_esyscmd_s(\[git describe --tags --always --dirty\])/${PV}/' ${S}/configure.ac
+}
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.1.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.1.0.bb
index 4d1f425..efe62a8 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.1.0.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.1.0.bb
@@ -8,16 +8,23 @@
DEPENDS = "autoconf-archive-native bash-completion libtss2 libgcrypt openssl"
-SRCREV = "6f387a4efe2049f1b4833e8f621c77231bc1eef4"
-SRC_URI = "git://github.com/tpm2-software/tpm2-tss-engine.git;branch=v1.1.x;protocol=https"
+SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/v${PV}/${BPN}-${PV}.tar.gz"
+
+SRC_URI[sha256sum] = "ea2941695ac221d23a7f3e1321140e75b1495ae6ade876f2f4c2ed807c65e2a5"
inherit autotools-brokensep pkgconfig systemd
-S = "${WORKDIR}/git"
+# It uses the API deprecated since the OpenSSL 3.0
+CFLAGS:append = ' -Wno-deprecated-declarations -Wno-unused-parameter'
+
+do_configure:prepend() {
+ # do not extract the version number from git
+ sed -i -e 's/m4_esyscmd_s(\[git describe --tags --always --dirty\])/${PV}/' ${S}/configure.ac
+}
PACKAGES += "${PN}-engines ${PN}-engines-staticdev ${PN}-bash-completion"
-FILES:${PN}-dev = "${libdir}/engines-1.1/tpm2tss.so ${includedir}/*"
-FILES:${PN}-engines = "${libdir}/engines-1.1/lib*.so*"
-FILES:${PN}-engines-staticdev = "${libdir}/engines-1.1/libtpm2tss.a"
+FILES:${PN}-dev = "${libdir}/engines-3/tpm2tss.so ${includedir}/*"
+FILES:${PN}-engines = "${libdir}/engines-3/lib*.so*"
+FILES:${PN}-engines-staticdev = "${libdir}/engines-3/libtpm2tss.a"
FILES:${PN}-bash-completion += "${datadir}/bash-completion/completions"
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/ax_pthread.m4 b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/ax_pthread.m4
deleted file mode 100644
index d383ad5..0000000
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/ax_pthread.m4
+++ /dev/null
@@ -1,332 +0,0 @@
-# ===========================================================================
-# http://www.gnu.org/software/autoconf-archive/ax_pthread.html
-# ===========================================================================
-#
-# SYNOPSIS
-#
-# AX_PTHREAD([ACTION-IF-FOUND[, ACTION-IF-NOT-FOUND]])
-#
-# DESCRIPTION
-#
-# This macro figures out how to build C programs using POSIX threads. It
-# sets the PTHREAD_LIBS output variable to the threads library and linker
-# flags, and the PTHREAD_CFLAGS output variable to any special C compiler
-# flags that are needed. (The user can also force certain compiler
-# flags/libs to be tested by setting these environment variables.)
-#
-# Also sets PTHREAD_CC to any special C compiler that is needed for
-# multi-threaded programs (defaults to the value of CC otherwise). (This
-# is necessary on AIX to use the special cc_r compiler alias.)
-#
-# NOTE: You are assumed to not only compile your program with these flags,
-# but also link it with them as well. e.g. you should link with
-# $PTHREAD_CC $CFLAGS $PTHREAD_CFLAGS $LDFLAGS ... $PTHREAD_LIBS $LIBS
-#
-# If you are only building threads programs, you may wish to use these
-# variables in your default LIBS, CFLAGS, and CC:
-#
-# LIBS="$PTHREAD_LIBS $LIBS"
-# CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
-# CC="$PTHREAD_CC"
-#
-# In addition, if the PTHREAD_CREATE_JOINABLE thread-attribute constant
-# has a nonstandard name, defines PTHREAD_CREATE_JOINABLE to that name
-# (e.g. PTHREAD_CREATE_UNDETACHED on AIX).
-#
-# Also HAVE_PTHREAD_PRIO_INHERIT is defined if pthread is found and the
-# PTHREAD_PRIO_INHERIT symbol is defined when compiling with
-# PTHREAD_CFLAGS.
-#
-# ACTION-IF-FOUND is a list of shell commands to run if a threads library
-# is found, and ACTION-IF-NOT-FOUND is a list of commands to run it if it
-# is not found. If ACTION-IF-FOUND is not specified, the default action
-# will define HAVE_PTHREAD.
-#
-# Please let the authors know if this macro fails on any platform, or if
-# you have any other suggestions or comments. This macro was based on work
-# by SGJ on autoconf scripts for FFTW (http://www.fftw.org/) (with help
-# from M. Frigo), as well as ac_pthread and hb_pthread macros posted by
-# Alejandro Forero Cuervo to the autoconf macro repository. We are also
-# grateful for the helpful feedback of numerous users.
-#
-# Updated for Autoconf 2.68 by Daniel Richard G.
-#
-# LICENSE
-#
-# Copyright (c) 2008 Steven G. Johnson <stevenj@alum.mit.edu>
-# Copyright (c) 2011 Daniel Richard G. <skunk@iSKUNK.ORG>
-#
-# This program is free software: you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation, either version 3 of the License, or (at your
-# option) any later version.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
-# Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program. If not, see <http://www.gnu.org/licenses/>.
-#
-# As a special exception, the respective Autoconf Macro's copyright owner
-# gives unlimited permission to copy, distribute and modify the configure
-# scripts that are the output of Autoconf when processing the Macro. You
-# need not follow the terms of the GNU General Public License when using
-# or distributing such scripts, even though portions of the text of the
-# Macro appear in them. The GNU General Public License (GPL) does govern
-# all other use of the material that constitutes the Autoconf Macro.
-#
-# This special exception to the GPL applies to versions of the Autoconf
-# Macro released by the Autoconf Archive. When you make and distribute a
-# modified version of the Autoconf Macro, you may extend this special
-# exception to the GPL to apply to your modified version as well.
-
-#serial 21
-
-AU_ALIAS([ACX_PTHREAD], [AX_PTHREAD])
-AC_DEFUN([AX_PTHREAD], [
-AC_REQUIRE([AC_CANONICAL_HOST])
-AC_LANG_PUSH([C])
-ax_pthread_ok=no
-
-# We used to check for pthread.h first, but this fails if pthread.h
-# requires special compiler flags (e.g. on True64 or Sequent).
-# It gets checked for in the link test anyway.
-
-# First of all, check if the user has set any of the PTHREAD_LIBS,
-# etcetera environment variables, and if threads linking works using
-# them:
-if test x"$PTHREAD_LIBS$PTHREAD_CFLAGS" != x; then
- save_CFLAGS="$CFLAGS"
- CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
- save_LIBS="$LIBS"
- LIBS="$PTHREAD_LIBS $LIBS"
- AC_MSG_CHECKING([for pthread_join in LIBS=$PTHREAD_LIBS with CFLAGS=$PTHREAD_CFLAGS])
- AC_TRY_LINK_FUNC([pthread_join], [ax_pthread_ok=yes])
- AC_MSG_RESULT([$ax_pthread_ok])
- if test x"$ax_pthread_ok" = xno; then
- PTHREAD_LIBS=""
- PTHREAD_CFLAGS=""
- fi
- LIBS="$save_LIBS"
- CFLAGS="$save_CFLAGS"
-fi
-
-# We must check for the threads library under a number of different
-# names; the ordering is very important because some systems
-# (e.g. DEC) have both -lpthread and -lpthreads, where one of the
-# libraries is broken (non-POSIX).
-
-# Create a list of thread flags to try. Items starting with a "-" are
-# C compiler flags, and other items are library names, except for "none"
-# which indicates that we try without any flags at all, and "pthread-config"
-# which is a program returning the flags for the Pth emulation library.
-
-ax_pthread_flags="pthreads none -Kthread -kthread lthread -pthread -pthreads -mthreads pthread --thread-safe -mt pthread-config"
-
-# The ordering *is* (sometimes) important. Some notes on the
-# individual items follow:
-
-# pthreads: AIX (must check this before -lpthread)
-# none: in case threads are in libc; should be tried before -Kthread and
-# other compiler flags to prevent continual compiler warnings
-# -Kthread: Sequent (threads in libc, but -Kthread needed for pthread.h)
-# -kthread: FreeBSD kernel threads (preferred to -pthread since SMP-able)
-# lthread: LinuxThreads port on FreeBSD (also preferred to -pthread)
-# -pthread: Linux/gcc (kernel threads), BSD/gcc (userland threads)
-# -pthreads: Solaris/gcc
-# -mthreads: Mingw32/gcc, Lynx/gcc
-# -mt: Sun Workshop C (may only link SunOS threads [-lthread], but it
-# doesn't hurt to check since this sometimes defines pthreads too;
-# also defines -D_REENTRANT)
-# ... -mt is also the pthreads flag for HP/aCC
-# pthread: Linux, etcetera
-# --thread-safe: KAI C++
-# pthread-config: use pthread-config program (for GNU Pth library)
-
-case ${host_os} in
- solaris*)
-
- # On Solaris (at least, for some versions), libc contains stubbed
- # (non-functional) versions of the pthreads routines, so link-based
- # tests will erroneously succeed. (We need to link with -pthreads/-mt/
- # -lpthread.) (The stubs are missing pthread_cleanup_push, or rather
- # a function called by this macro, so we could check for that, but
- # who knows whether they'll stub that too in a future libc.) So,
- # we'll just look for -pthreads and -lpthread first:
-
- ax_pthread_flags="-pthreads pthread -mt -pthread $ax_pthread_flags"
- ;;
-
- darwin*)
- ax_pthread_flags="-pthread $ax_pthread_flags"
- ;;
-esac
-
-# Clang doesn't consider unrecognized options an error unless we specify
-# -Werror. We throw in some extra Clang-specific options to ensure that
-# this doesn't happen for GCC, which also accepts -Werror.
-
-AC_MSG_CHECKING([if compiler needs -Werror to reject unknown flags])
-save_CFLAGS="$CFLAGS"
-ax_pthread_extra_flags="-Werror"
-CFLAGS="$CFLAGS $ax_pthread_extra_flags -Wunknown-warning-option -Wsizeof-array-argument"
-AC_COMPILE_IFELSE([AC_LANG_PROGRAM([int foo(void);],[foo()])],
- [AC_MSG_RESULT([yes])],
- [ax_pthread_extra_flags=
- AC_MSG_RESULT([no])])
-CFLAGS="$save_CFLAGS"
-
-if test x"$ax_pthread_ok" = xno; then
-for flag in $ax_pthread_flags; do
-
- case $flag in
- none)
- AC_MSG_CHECKING([whether pthreads work without any flags])
- ;;
-
- -*)
- AC_MSG_CHECKING([whether pthreads work with $flag])
- PTHREAD_CFLAGS="$flag"
- ;;
-
- pthread-config)
- AC_CHECK_PROG([ax_pthread_config], [pthread-config], [yes], [no])
- if test x"$ax_pthread_config" = xno; then continue; fi
- PTHREAD_CFLAGS="`pthread-config --cflags`"
- PTHREAD_LIBS="`pthread-config --ldflags` `pthread-config --libs`"
- ;;
-
- *)
- AC_MSG_CHECKING([for the pthreads library -l$flag])
- PTHREAD_LIBS="-l$flag"
- ;;
- esac
-
- save_LIBS="$LIBS"
- save_CFLAGS="$CFLAGS"
- LIBS="$PTHREAD_LIBS $LIBS"
- CFLAGS="$CFLAGS $PTHREAD_CFLAGS $ax_pthread_extra_flags"
-
- # Check for various functions. We must include pthread.h,
- # since some functions may be macros. (On the Sequent, we
- # need a special flag -Kthread to make this header compile.)
- # We check for pthread_join because it is in -lpthread on IRIX
- # while pthread_create is in libc. We check for pthread_attr_init
- # due to DEC craziness with -lpthreads. We check for
- # pthread_cleanup_push because it is one of the few pthread
- # functions on Solaris that doesn't have a non-functional libc stub.
- # We try pthread_create on general principles.
- AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <pthread.h>
- static void routine(void *a) { a = 0; }
- static void *start_routine(void *a) { return a; }],
- [pthread_t th; pthread_attr_t attr;
- pthread_create(&th, 0, start_routine, 0);
- pthread_join(th, 0);
- pthread_attr_init(&attr);
- pthread_cleanup_push(routine, 0);
- pthread_cleanup_pop(0) /* ; */])],
- [ax_pthread_ok=yes],
- [])
-
- LIBS="$save_LIBS"
- CFLAGS="$save_CFLAGS"
-
- AC_MSG_RESULT([$ax_pthread_ok])
- if test "x$ax_pthread_ok" = xyes; then
- break;
- fi
-
- PTHREAD_LIBS=""
- PTHREAD_CFLAGS=""
-done
-fi
-
-# Various other checks:
-if test "x$ax_pthread_ok" = xyes; then
- save_LIBS="$LIBS"
- LIBS="$PTHREAD_LIBS $LIBS"
- save_CFLAGS="$CFLAGS"
- CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
-
- # Detect AIX lossage: JOINABLE attribute is called UNDETACHED.
- AC_MSG_CHECKING([for joinable pthread attribute])
- attr_name=unknown
- for attr in PTHREAD_CREATE_JOINABLE PTHREAD_CREATE_UNDETACHED; do
- AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <pthread.h>],
- [int attr = $attr; return attr /* ; */])],
- [attr_name=$attr; break],
- [])
- done
- AC_MSG_RESULT([$attr_name])
- if test "$attr_name" != PTHREAD_CREATE_JOINABLE; then
- AC_DEFINE_UNQUOTED([PTHREAD_CREATE_JOINABLE], [$attr_name],
- [Define to necessary symbol if this constant
- uses a non-standard name on your system.])
- fi
-
- AC_MSG_CHECKING([if more special flags are required for pthreads])
- flag=no
- case ${host_os} in
- aix* | freebsd* | darwin*) flag="-D_THREAD_SAFE";;
- osf* | hpux*) flag="-D_REENTRANT";;
- solaris*)
- if test "$GCC" = "yes"; then
- flag="-D_REENTRANT"
- else
- # TODO: What about Clang on Solaris?
- flag="-mt -D_REENTRANT"
- fi
- ;;
- esac
- AC_MSG_RESULT([$flag])
- if test "x$flag" != xno; then
- PTHREAD_CFLAGS="$flag $PTHREAD_CFLAGS"
- fi
-
- AC_CACHE_CHECK([for PTHREAD_PRIO_INHERIT],
- [ax_cv_PTHREAD_PRIO_INHERIT], [
- AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <pthread.h>]],
- [[int i = PTHREAD_PRIO_INHERIT;]])],
- [ax_cv_PTHREAD_PRIO_INHERIT=yes],
- [ax_cv_PTHREAD_PRIO_INHERIT=no])
- ])
- AS_IF([test "x$ax_cv_PTHREAD_PRIO_INHERIT" = "xyes"],
- [AC_DEFINE([HAVE_PTHREAD_PRIO_INHERIT], [1], [Have PTHREAD_PRIO_INHERIT.])])
-
- LIBS="$save_LIBS"
- CFLAGS="$save_CFLAGS"
-
- # More AIX lossage: compile with *_r variant
- if test "x$GCC" != xyes; then
- case $host_os in
- aix*)
- AS_CASE(["x/$CC"],
- [x*/c89|x*/c89_128|x*/c99|x*/c99_128|x*/cc|x*/cc128|x*/xlc|x*/xlc_v6|x*/xlc128|x*/xlc128_v6],
- [#handle absolute path differently from PATH based program lookup
- AS_CASE(["x$CC"],
- [x/*],
- [AS_IF([AS_EXECUTABLE_P([${CC}_r])],[PTHREAD_CC="${CC}_r"])],
- [AC_CHECK_PROGS([PTHREAD_CC],[${CC}_r],[$CC])])])
- ;;
- esac
- fi
-fi
-
-test -n "$PTHREAD_CC" || PTHREAD_CC="$CC"
-
-AC_SUBST([PTHREAD_LIBS])
-AC_SUBST([PTHREAD_CFLAGS])
-AC_SUBST([PTHREAD_CC])
-
-# Finally, execute ACTION-IF-FOUND/ACTION-IF-NOT-FOUND:
-if test x"$ax_pthread_ok" = xyes; then
- ifelse([$1],,[AC_DEFINE([HAVE_PTHREAD],[1],[Define if you have POSIX threads libraries and header files.])],[$1])
- :
-else
- ax_pthread_ok=no
- $2
-fi
-AC_LANG_POP
-])dnl AX_PTHREAD
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fix_musl_select_include.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fix_musl_select_include.patch
deleted file mode 100644
index ecaca6e..0000000
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fix_musl_select_include.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-This fixes musl build issue do to missing FD_* defines.
-Add sys/select.h
-
-Upstream-Status: Pending
-
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
-Index: TPM2.0-TSS/tcti/tcti_socket.cpp
-===================================================================
---- TPM2.0-TSS.orig/tcti/tcti_socket.cpp
-+++ TPM2.0-TSS/tcti/tcti_socket.cpp
-@@ -28,6 +28,7 @@
- #include <stdio.h>
- #include <stdlib.h> // Needed for _wtoi
-
-+#include "sys/select.h"
- #include <sapi/tpm20.h>
- #include <tcti/tcti_socket.h>
- #include "sysapi_util.h"
-Index: TPM2.0-TSS/resourcemgr/resourcemgr.c
-===================================================================
---- TPM2.0-TSS.orig/resourcemgr/resourcemgr.c
-+++ TPM2.0-TSS/resourcemgr/resourcemgr.c
-@@ -28,6 +28,7 @@
- #include <stdio.h>
- #include <stdlib.h> // Needed for _wtoi
-
-+#include "sys/select.h"
- #include <sapi/tpm20.h>
- #include <tcti/tcti_device.h>
- #include <tcti/tcti_socket.h>
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fixup_hosttools.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fixup_hosttools.patch
index b5579e1..450698f 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fixup_hosttools.patch
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fixup_hosttools.patch
@@ -5,22 +5,25 @@
Upstream-Status: OE [inappropriate]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-Index: tpm2-tss-3.1.0/configure.ac
+Index: tpm2-tss-3.2.0/configure.ac
===================================================================
---- tpm2-tss-3.1.0.orig/configure.ac
-+++ tpm2-tss-3.1.0/configure.ac
-@@ -471,14 +471,6 @@ AM_CONDITIONAL(SYSD_SYSUSERS, test "x$sy
+--- tpm2-tss-3.2.0.orig/configure.ac
++++ tpm2-tss-3.2.0/configure.ac
+@@ -488,17 +488,6 @@
AC_CHECK_PROG(systemd_tmpfiles, systemd-tmpfiles, yes)
AM_CONDITIONAL(SYSD_TMPFILES, test "x$systemd_tmpfiles" = "xyes")
- # Check all tools used by make install
--AS_IF([test "$HOSTOS" = "Linux"],
-- [ERROR_IF_NO_PROG([groupadd])
-- ERROR_IF_NO_PROG([useradd])
-- ERROR_IF_NO_PROG([id])
-- ERROR_IF_NO_PROG([chown])
-- ERROR_IF_NO_PROG([chmod])
-- ERROR_IF_NO_PROG([mkdir])
-- ERROR_IF_NO_PROG([setfacl])])
+-# Check all tools used by make install
+-AS_IF([test "$HOSTOS" = "Linux"],
+- [ AC_CHECK_PROG(useradd, useradd, yes)
+- AC_CHECK_PROG(groupadd, groupadd, yes)
+- AC_CHECK_PROG(adduser, adduser, yes)
+- AC_CHECK_PROG(addgroup, addgroup, yes)
+- AS_IF([test "x$addgroup" != "xyes" && test "x$groupadd" != "xyes" ],
+- [AC_MSG_ERROR([addgroup or groupadd are needed.])])
+- AS_IF([test "x$adduser" != "xyes" && test "x$useradd" != "xyes" ],
+- [AC_MSG_ERROR([adduser or useradd are needed.])])])
+-
AC_SUBST([PATH])
+ dnl --------- Doxy Gen -----------------------
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.1.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.2.0.bb
similarity index 90%
rename from meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.1.0.bb
rename to meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.2.0.bb
index ddcfb58..8440bb9 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.1.0.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.2.0.bb
@@ -10,7 +10,7 @@
file://fixup_hosttools.patch \
"
-SRC_URI[sha256sum] = "8900a6603f74310b749b65f23c3461cde6e2a23a5f61058b21004c25f9cf19e8"
+SRC_URI[sha256sum] = "48305e4144dcf6d10f3b25b7bccf0189fd2d1186feafd8cd68c6b17ecf0d7912"
inherit autotools pkgconfig systemd useradd
@@ -26,6 +26,11 @@
GROUPADD_PARAM:${PN} = "--system tss"
USERADD_PARAM:${PN} = "--system -M -d /var/lib/tpm -s /bin/false -g tss tss"
+do_configure:prepend() {
+ # do not extract the version number from git
+ sed -i -e 's/m4_esyscmd_s(\[git describe --tags --always --dirty\])/${PV}/' ${S}/configure.ac
+}
+
do_install:append() {
# Remove /run as it is created on startup
rm -rf ${D}/run