Gitiles
Code Review Sign In
gerrit.openbmc.org / stefanberger / openbmc / 53961c2d8a97d0f9e5a90c17ca48380657e79c3e^! / . / meta-security / meta-tpm / recipes-tpm2 / tpm2-pkcs11 / files / 0002-ossl-require-version-1.1.0-or-greater.patch
commit53961c2d8a97d0f9e5a90c17ca48380657e79c3e[log] [tgz]
authorPatrick Williams <patrick@stwcx.xyz>Thu Jan 20 11:06:23 2022 -0600
committerPatrick Williams <patrick@stwcx.xyz>Thu Jan 20 11:06:26 2022 -0600
tree0f30b66a917f31dfd698059e03d254464b48c564
parentcbf46010eab661117b0225bdb30fcf565c1d8b3c [diff] [blame]
meta-security: subtree update:a85fbe980e..c20b35b527

Anton Antonov (1):
      Parsec service. Update PACKAGECONFIG definitions and README.md

Armin Kuster (20):
      python3-fail2ban: fix build failure and cleanup
      meta-parsec/README: remove rust layer req.
      opendnssec: blacklist do to ldns being blacklisted
      apparmor: Add a python 3.10 compatability patch
      tpm2-tools: update to 5.2
      openssl-tpm-engine: fix build issue with openssl 3
      tpm2-openssl: add new pkg
      tpm2-pkcs11: update to 1.7.0
      recipes: Update SRC_URI branch and protocols
      sssd: Create /var/log/sssd in runtime
      bastille: Create /var/log/Bastille in runtime
      python3-fail2ban: remove /run
      tpm2-pkcs11: update to 1.7.0
      libest: does not build with openssl 3.x
      clamav: fix useradd warning
      python3-fail2ban: update to tip
      tpm2-pkcs11: backport openssl 3.x build fixes
      packagegroup-security-tpm2: drop ibmswtpm2
      meta-integrity: drop strongswan bbappends
      meta-tpm: drop strongswan bbappends

Kai Kang (2):
      sssd: re-package to fix QA issues
      apparmor: fix warning of remove operator combined with +=

Kristian Klausen (2):
      swtpm: update to 0.6.1
      dm-verity-img.bbclass: Fix wrong override syntax for CONVERSION_DEPENDS

Liwei Song (1):
      recipes-security/chipsec: platform security assessment framework

Stefan Mueller-Klieser (1):
      tpm2-tss: fix fapi package config

Yi Zhao (2):
      openssl-tpm-engine: fix warning for append operator combined with +=
      meta-parsec/README.md: fix for append operator combined with +=

Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I2156e47cf3f4f45daa2b60a73e3b46be3b6a86c0

diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0002-ossl-require-version-1.1.0-or-greater.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0002-ossl-require-version-1.1.0-or-greater.patch
new file mode 100644
index 0000000..ef0a6dc
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0002-ossl-require-version-1.1.0-or-greater.patch

@@ -0,0 +1,93 @@
+From d33e5ef0b11125fe4683d7bfa17023e24997f587 Mon Sep 17 00:00:00 2001
+From: William Roberts <william.c.roberts@intel.com>
+Date: Fri, 3 Sep 2021 11:30:50 -0500
+Subject: [PATCH 2/2] ossl: require version 1.1.0 or greater
+
+THIS DROPS SUPPORT FOR OSSL 1.0.2.
+
+Signed-off-by: William Roberts <william.c.roberts@intel.com>
+
+Upstream-Status: Backport
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+---
+ configure.ac       |  2 +-
+ src/lib/ssl_util.h | 43 +++++--------------------------------------
+ 2 files changed, 6 insertions(+), 39 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index a7aeaf5..94fb5d4 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -55,7 +55,7 @@ PKG_CHECK_EXISTS([tss2-esys >= 3.0],
+ # require sqlite3 and libcrypto
+ PKG_CHECK_MODULES([SQLITE3],     [sqlite3])
+ PKG_CHECK_MODULES([YAML],        [yaml-0.1])
+-PKG_CHECK_MODULES([CRYPTO],      [libcrypto >= 1.0.2g])
++PKG_CHECK_MODULES([CRYPTO],      [libcrypto >= 1.1.0])
+ 
+ # check for pthread
+ AX_PTHREAD([],[AC_MSG_ERROR([Cannot find pthread])])
+diff --git a/src/lib/ssl_util.h b/src/lib/ssl_util.h
+index 9909fd6..2591728 100644
+--- a/src/lib/ssl_util.h
++++ b/src/lib/ssl_util.h
+@@ -15,51 +15,18 @@
+ #include "log.h"
+ #include "twist.h"
+ 
+-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) /* OpenSSL 1.1.0 */
+-#define LIB_TPM2_OPENSSL_OPENSSL_PRE11
+-/* LibreSSL does not appear to have evperr.h, so their is no need to define this otherwise */
+-#elif (OPENSSL_VERSION_NUMBER >= 0x1010100fL) /* OpenSSL 1.1.1 */
++#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL) /* OpenSSL 1.1.1 */
+ #define LIB_TPM2_OPENSSL_OPENSSL_POST111 0x1010100f
+ #endif
+ 
+-#if (OPENSSL_VERSION_NUMBER >= 0x30000000) /* OpenSSL 3.0.0 */
+-#define LIB_TPM2_OPENSSL_OPENSSL_POST300 0x1010100f
++#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST111)
++#include <openssl/evperr.h>
+ #endif
+ 
+-/* OpenSSL Backwards Compat APIs */
+-#if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11)
+-#include <string.h>
+-size_t EC_POINT_point2buf(const EC_GROUP *group, const EC_POINT *point,
+-                          point_conversion_form_t form,
+-                          unsigned char **pbuf, BN_CTX *ctx);
+-
+-const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x);
+-
+-int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
+-
+-int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s);
+-
+-EC_KEY *EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey);
+-
+-static inline void *OPENSSL_memdup(const void *dup, size_t l) {
+-
+-    void *p = OPENSSL_malloc(l);
+-    if (!p) {
+-        return NULL;
+-    }
+-
+-    memcpy(p, dup, l);
+-    return p;
+-}
+-
+-#endif
+-
+-#ifndef RSA_PSS_SALTLEN_DIGEST
+-#define RSA_PSS_SALTLEN_DIGEST -1
++#if (OPENSSL_VERSION_NUMBER >= 0x30000000) /* OpenSSL 3.0.0 */
++#define LIB_TPM2_OPENSSL_OPENSSL_POST300 0x1010100f
+ #endif
+ 
+-/* Utility APIs */
+-
+ #define SSL_UTIL_LOGE(m) LOGE("%s: %s", m, ERR_error_string(ERR_get_error(), NULL));
+ 
+ CK_RV ssl_util_attrs_to_evp(attr_list *attrs, EVP_PKEY **outpkey);
+-- 
+2.25.1
+