tpm2-tss-engine: update to 1.2.0
Signed-off-by: Armin Kuster <akuster808@gmail.com>
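--- /dev/null
+++ b/<dir-not-on-page>/0001-Configure-Allow-disabling-of-digest-sign-operations.patch
@@ -0,0 +1,48 @@
+From af8b26e7ffe69837197fb841e9a31230ae01c9cc Mon Sep 17 00:00:00 2001
+From: Andreas Fuchs <andreas.fuchs@infineon.com>
+Date: Mon, 22 May 2023 14:06:41 +0200
+Subject: [PATCH 1/2] Configure: Allow disabling of digest-sign operations
+
+Since the digest-sign operations perform the hash on the TPM and
+TPMs in general do not support SHA512, this can lead to errors.
+Depending on the use case, it might be preferable to not support
+restricted keys (via digest+sign) but to rely on ordinary keys
+only.
+
+Upstream-Status: Backport
+Signed-off-by: Andreas Fuchs <andreas.fuchs@infineon.com>
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+---
+configure.ac | 10 ++++++++--
+1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index d4a9356..b379042 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -116,13 +116,19 @@ PKG_CHECK_MODULES([CRYPTO], [libcrypto >= 1.0.2g],
+PKG_CHECK_MODULES([TSS2_ESYS], [tss2-esys >= 2.3])
+PKG_CHECK_MODULES([TSS2_MU], [tss2-mu])
+PKG_CHECK_MODULES([TSS2_TCTILDR], [tss2-tctildr])
++
+AC_CHECK_LIB([crypto], EC_KEY_METHOD_set_compute_key,
+[AM_CONDITIONAL([HAVE_OPENSSL_ECDH], true)],
+[AM_CONDITIONAL([HAVE_OPENSSL_ECDH], false)])
++
++AC_ARG_ENABLE([digestsign],
++ [AS_HELP_STRING([--disable-digestsign],
++ [Disable support for digest and sign methods, helps with TPM unsupported hash algorithms.])],,
++ [enable_digestsign=yes])
+AC_CHECK_LIB([crypto], EVP_PKEY_meth_set_digest_custom,
+- [AM_CONDITIONAL([HAVE_OPENSSL_DIGEST_SIGN], true)],
++ [AM_CONDITIONAL([HAVE_OPENSSL_DIGEST_SIGN], [test "x$enable_digestsign" != "xno"])],
+[AM_CONDITIONAL([HAVE_OPENSSL_DIGEST_SIGN], false)])
+-AS_IF([test "x$ac_cv_lib_crypto_EVP_PKEY_meth_set_digest_custom" = xyes],
++AS_IF([test "x$ac_cv_lib_crypto_EVP_PKEY_meth_set_digest_custom" = xyes && test "x$enable_digestsign" = "xyes"],
+[AC_DEFINE([HAVE_OPENSSL_DIGEST_SIGN], [1],
+Have required functionality from OpenSSL to support digest and sign)])
+
+--
+2.43.0
+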
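Review bot: The two enable_digestsign tests introduced by the backported configure.ac hunk disagree on what counts as enabled: the AM_CONDITIONAL line uses `test "x$enable_digestsign" != "xno"`, while the AS_IF line that controls AC_DEFINE uses `test "x$enable_digestsign" = "xyes"`. AC_ARG_ENABLE accepts any value, so a build run with e.g. `--enable-digestsign=foo` would satisfy the automake conditional but leave HAVE_OPENSSL_DIGEST_SIGN undefined, and the `#ifdef HAVE_OPENSSL_DIGEST_SIGN` code in the sources would be compiled out while whatever Makefile.am guards with the conditional is presumably still built. Using the same form in both, `test "x$enable_digestsign" != "xno"` in the AS_IF, keeps the define and the conditional in step. Since this is carried as a backport, the correction belongs upstream; the recipe could carry it as a follow-up patch until then.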
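--- /dev/null
+++ b/<dir-not-on-page>/0002-Fix-mismatch-of-OpenSSL-function-signatures-that-cau.patch
@@ -0,0 +1,78 @@
+From 766505bf5c943c614fd246d27d1e5cd66543250b Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner <matthias.gerstner@suse.de>
+Date: Mon, 6 May 2024 16:07:54 +0200
+Subject: [PATCH 2/2] Fix mismatch of OpenSSL function signatures that cause
+errors with gcc-14
+
+Building with gcc-14 fails with diagnostics like this:
+
+```
+src/tpm2-tss-engine-rsa.c:805:46: error: passing argument 2 of 'EVP_PKEY_meth_set_copy' from incompatible pointer type [-Wincompatible-pointer-types]
+805 | EVP_PKEY_meth_set_copy(pkey_rsa_methods, rsa_pkey_copy);
+| ^~~~~~~~~~~~~
+| |
+| int (*)(EVP_PKEY_CTX *, EVP_PKEY_CTX *) {aka int (*)(struct evp_pkey_ctx_st *, struct evp_pkey_ctx_st *)}
+/usr/include/openssl/evp.h:2005:36: note: expected 'int (*)(EVP_PKEY_CTX *, const EVP_PKEY_CTX *)' {aka 'int (*)(struct evp_pkey_ctx_st *, const struct evp_pkey_ctx_st *)'} but argument is of type 'int (*)(EVP_PKEY_CTX *, EVP_PKEY_CTX *)' {aka 'int (*)(struct evp_pkey_ctx_st *, struct evp_pkey_ctx_st *)'}
+```
+
+A look into OpenSSL upstream shows that these functions have always had const
+`src` parameters. Thus this error was simply not detected by earlier compiler
+versions.
+
+Upstream-Status: Backport
+
+Signed-off-by: Matthias Gerstner <matthias.gerstner@suse.de>
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+---
+src/tpm2-tss-engine-ecc.c | 4 ++--
+src/tpm2-tss-engine-rsa.c | 4 ++--
+2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/tpm2-tss-engine-ecc.c b/src/tpm2-tss-engine-ecc.c
+index 9e72c85..f6b9c5a 100644
+--- a/src/tpm2-tss-engine-ecc.c
++++ b/src/tpm2-tss-engine-ecc.c
+@@ -52,7 +52,7 @@ EC_KEY_METHOD *ecc_methods = NULL;
+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
+
+#ifdef HAVE_OPENSSL_DIGEST_SIGN
+-static int (*ecdsa_pkey_orig_copy)(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src);
++static int (*ecdsa_pkey_orig_copy)(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src);
+static void (*ecdsa_pkey_orig_cleanup)(EVP_PKEY_CTX *ctx);
+#endif /* HAVE_OPENSSL_DIGEST_SIGN */
+
+@@ -405,7 +405,7 @@ ecdsa_ec_key_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
+
+#ifdef HAVE_OPENSSL_DIGEST_SIGN
+static int
+-ecdsa_pkey_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
++ecdsa_pkey_copy(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src)
+{
+if (ecdsa_pkey_orig_copy && !ecdsa_pkey_orig_copy(dst, src))
+return 0;
+diff --git a/src/tpm2-tss-engine-rsa.c b/src/tpm2-tss-engine-rsa.c
+index 41de34e..e7260c2 100644
+--- a/src/tpm2-tss-engine-rsa.c
++++ b/src/tpm2-tss-engine-rsa.c
+@@ -49,7 +49,7 @@ RSA_METHOD *rsa_methods = NULL;
+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
+
+#ifdef HAVE_OPENSSL_DIGEST_SIGN
+-static int (*rsa_pkey_orig_copy)(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src);
++static int (*rsa_pkey_orig_copy)(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src);
+static void (*rsa_pkey_orig_cleanup)(EVP_PKEY_CTX *ctx);
+#endif /* HAVE_OPENSSL_DIGEST_SIGN */
+
+@@ -637,7 +637,7 @@ RSA_METHOD rsa_methods = {
+
+#ifdef HAVE_OPENSSL_DIGEST_SIGN
+static int
+-rsa_pkey_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
++rsa_pkey_copy(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src)
+{
+if (rsa_pkey_orig_copy && !rsa_pkey_orig_copy(dst, src))
+return 0;
+--
+2.43.0
+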
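Review bot: The `Upstream-Status: Backport` trailer in this patch's header names no upstream commit or URL, so a reviewer cannot check that the const-qualified `src` signatures carried here are what tpm2-tss-engine upstream actually merged; the 0001 patch's trailer has the same gap. The OE patch convention is `Upstream-Status: Backport [<upstream commit URL>]`, which also makes it obvious when the patch can be dropped at the next version bump. The bodies of `ecdsa_pkey_copy` and `rsa_pkey_copy` continue outside the quoted hunks; since `src` is now const, any write through it further down would now be a compile error, which is the intended effect rather than a regression.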
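--- a/<dir-not-on-page>/tpm2-tss-engine_1.2.0.bb
+++ b/<dir-not-on-page>/tpm2-tss-engine_1.2.0.bb
@@ -8,9 +8,12 @@ SECTION = "security/tpm"
 
 DEPENDS = "autoconf-archive-native bash-completion libtss2 libgcrypt openssl"
 
-SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/v${PV}/${BPN}-${PV}.tar.gz"
+SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz \
+file://0001-Configure-Allow-disabling-of-digest-sign-operations.patch \
+file://0002-Fix-mismatch-of-OpenSSL-function-signatures-that-cau.patch \
+"
 
-SRC_URI[sha256sum] = "ea2941695ac221d23a7f3e1321140e75b1495ae6ade876f2f4c2ed807c65e2a5"
+SRC_URI[sha256sum] = "3c94fef110dd3630b3c28c5875febba76b7d5ba2fcc04a14c4a30f5d2157c265"
 
 UPSTREAM_CHECK_URI = "https://github.com/tpm2-software/${BPN}/releases"
 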
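Review bot: The recipe now carries 0001-Configure-Allow-disabling-of-digest-sign-operations.patch, which adds a `--disable-digestsign` configure switch, but nothing in this hunk passes that switch to configure, so the patch changes nothing unless an EXTRA_OECONF or PACKAGECONFIG entry elsewhere in the recipe selects it (the rest of the file is outside the hunk). If the intent is to let images opt out of TPM-side hashing for the SHA512 case the patch describes, `PACKAGECONFIG[digestsign] = "--enable-digestsign,--disable-digestsign"` would expose it; if not, the patch could be dropped to keep the recipe to what the 1.2.0 build actually needs. The release download path also changes from `v${PV}` to `${PV}`, which presumably follows a change in upstream's tag naming for 1.2.0; UPSTREAM_CHECK_URI is left as is, so it is worth confirming the upstream version check still matches the new tag form.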