author | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2018-12-17 04:11:34 +0300 |
---|---|---|
committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2019-01-09 02:21:44 +0300 |
commit | 1a4b7ee28bf7413af6513fb45ad0d0736048f866 (patch) | |
tree | 79f6d8ea698cab8f2eaf4f54b793d2ca7a1451ce /meta-security | |
parent | 5b9ede0403237c7dace972affa65cf64a1aadd0e (diff) | |
download | openbmc-1a4b7ee28bf7413af6513fb45ad0d0736048f866.tar.xz |
reset upstream subtrees to yocto 2.6
Reset the following subtrees on thud HEAD:
poky: 87e3a9739d
meta-openembedded: 6094ae18c8
meta-security: 31dc4e7532
meta-raspberrypi: a48743dc36
meta-xilinx: c42016e2e6
Also re-apply backports that didn't make it into thud:
poky:
17726d0 systemd-systemctl-native: handle Install wildcards
meta-openembedded:
4321a5d libtinyxml2: update to 7.0.1
042f0a3 libcereal: Add native and nativesdk classes
e23284f libcereal: Allow empty package
030e8d4 rsyslog: curl-less build with fmhttp PACKAGECONFIG
179a1b9 gtest: update to 1.8.1
Squashed OpenBMC subtree compatibility updates:
meta-aspeed:
Brad Bishop (1):
aspeed: add yocto 2.6 compatibility
meta-ibm:
Brad Bishop (1):
ibm: prepare for yocto 2.6
meta-ingrasys:
Brad Bishop (1):
ingrasys: set layer compatibility to yocto 2.6
meta-openpower:
Brad Bishop (1):
openpower: set layer compatibility to yocto 2.6
meta-phosphor:
Brad Bishop (3):
phosphor: set layer compatibility to thud
phosphor: libgpg-error: drop patches
phosphor: react to fitimage artifact rename
Ed Tanous (4):
Dropbear: upgrade options for latest upgrade
yocto2.6: update openssl options
busybox: remove upstream watchdog patch
systemd: Rebase CONFIG_CGROUP_BPF patch
Change-Id: I7b1fe71cca880d0372a82d94b5fd785323e3a9e7
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Diffstat (limited to 'meta-security')
81 files changed, 884 insertions, 1070 deletions
diff --git a/meta-security/README b/meta-security/README index ef80f2b20..e238271a6 100644 --- a/meta-security/README +++ b/meta-security/README 
@@ -48,209 +48,6 @@ other layers needed. e.g.: /path/to/meta-openembedded/meta-networking \ /path/to/layer/meta-security \ -Contents and Help -================= - -In this section the contents of the layer is listed, along with a short -help for each package. - - == bastille == - - Bastille is a system hardening / lockdown program which enhances the - security of a Unix host. It configures daemons, system settings and - firewalls to be more secure. It can shut off unneeded services - like rcp and rlogin, and helps create "chroot jails" that help limit the - vulnerability of common Internet services like Web services and DNS. - - usage : The functionality of Bastille which is available is - restricted to a purely informational one. The command: - bastille -c --os Yocto - will cause a series of menus containing security questions - about the system to be displayed to the user. For each - question, a default response, specified in the configuration - file which is installed with Bastille, will be selected. - The user may select an alternate response. When the user - has completed the sequence of menus Bastille saves the - responses to the configuration file. - - The command: - bastille -l lists the configuration files that Bastille - is able to locate. - - The other functionality which Bastille is intended to provide - is actually unavailable. This is not due to errors in poky - installation or configuration of the application. The Bastille - distribution is no longer supported. Significant modifications - would be required to make it possible to make use of the - functionality which is currently unavailable. - - - Additional information about Bastille can be found in the package - README file and other documentation. - - Alternatives to Bastille include buck-security and checksecurity, - described elsewhere in this file. - - - == redhat-security == - - Sometimes you want to check different aspects of a distribution for security problems. 
- This can be anything from file permissions to correctness of code. This is a collection of those tools. - Depending on what information the tool has to access, it may need to be run as root. - - - rpm-chksec.sh : This will take an rpm name as input and verify each ELF file to see if its compiled with the intended flags - to most effectively use PIE and RELRO. Green is good, Orange could use work but is acceptable, and Red needs fixing. - It has a mode --all that is the equivalent of using rpm -qa and feeding the packages to it. - In this mode it will only give a summary result for the package. To find which files don't comply, - re-run using just the package name. - - !!! WARNING !!! - in order to use this script you need to add to your conf/local.conf file the following lines: - IMAGE_ROOTFS_EXTRA_SPACE = "" - specifying the extra space of the image - IMAGE_FEATURES += "package management" - for the correct output of rpm -qa - - - find-nodrop-groups.sh : This will scan a whole file system to see if a program makes calls to change UID - and GID without also calling setgroups or initgroups. - - - rpm-drop-groups.sh : Same as above, but takes an rpm name instead. - - - find-chroot.sh : This script scans the whole file system looking for ELF files that calls chroot(2) that also do not include a call to chdir. - Programs that fail to do this do not have the cwd inside the chroot. This means the app can escape the protection that was intended. - - - find-chroot-py.sh : This test is like the one above except it examines python scripts for the same problem. - - - find-execstack.sh : This program scans the whole file system for ELF programs that have marked the stack as being executable. - This means that if the program has another vulnerablity such as stack buffer overflow, - any code the attacker places there is executable. Any program found must be fixed. - - - find-hidden-exec.sh : This program scans the whole file system looking for excutables that are hidden. 
- Anything found must be investigated since its highly unusual for executables to be hidden. - - - find-sh4errors.sh : This program scans the whole file system looking for shell scripts. - It then does a sh -n on the script which causes bash to parse the file to see if there are any mistakes. - - - selinux-check-devices.sh : This script checks the /dev directory to see if there are any devices that are not correctly labeled. - Anything found by this test should be reported so that selinux policy can be fixed. - This test is very hardware specific, so to be effective a lot of people with different hardware - should run this test each upstream kernel version release. - - - selinux-ls-unconfined.sh : This script scans the running processes and looks for anything labeled with initrc_t or inetd. - These both mean that there are daemons that do not have policy and are therefore running unconfined. - These should be reported as SE Linux policy problems. Because it checks currently running daemons, - the more you have running, the better the test is. - - - find-sh4tmp.sh : This script scans the whole filesystem to check if shell scripts are using well known tmp file names - instead of obscure ones created by something like mktemp. - - - find-elf4tmp.sh : This script scans the whole file system for ELF files using /tmp. When it finds this, - it also looks to see if any of the known good random name generator functions is called by looking - at the symbol table. If not, it will output the string. - - - lib-bin-check.sh : This will check all installed library packages to see if an application is also part of the package. - The relationship to security is that the SHA256 hash check will fail if a 32 bit version overwrites it. - Also, the less binaries on a system, the more secure it is by virtue of removing the chance for an exploitable bug. - - - usage : simply invoke the script name in the terminal. 
- - - == pax-utils == - - ( This package can be found in oe-core ) - - pax-utils is a small set of various PaX aware and related utilities for - ELF binaries. - - - scanelf : With this application you can print out information specific to the ELF structure of a binary. - For more help please consult the man pages or the readme file. - - - pspax : is a user-space utility that scans the proc directory and list - ELF types, as well as their respective PaX flags and filenames and - attributes. Depending on build options, it may additionaly display the - process running set of capabilities. - - - scanmacho : is a user-space utility to quickly scan given - Mach-Os, directories, or common system paths for different information. This - may include Mach-O types, their install_names, etc. - - - dumpelf : is a user-space utility to dump all of the internal - ELF structures into the equivalent C structures for fun debugging and/or - reference purposes. - - - usage : simply invoke the script name in the terminal. - - - == buck-security == - - Buck-Security is a security scanner for Debian and Ubuntu Linux. It runs a couple of important checks and helps you to harden your Linux - system. This enables you to quickly overview the security status of your Linux system. - - usage : !!! before starting to use this tool please run the following command: !!! - - export GPG_TTY=`tty` - - This command is needed for the usage of the comand --make-checksum, which creates - a checksum for the files in the system. - - switch to directory /usr/local/buck-security. - before running the script, you should check the activated checks in conf/buck-security.conf file. - after altering the changes, save the file and simply run : - - ./buck-security - - you can choose between different outputs : 1, 2(default) or 3. 
- - More detailed usage can be found typing ./buck-security --help - - - == libseccomp == - - The libseccomp library provides and easy to use, platform independent, interface to the Linux Kernel's syscall filtering mechanism: seccomp. - The libseccomp API is designed to abstract away the underlying BPF based syscall filter language and present a more conventional - function-call based filtering interface that should be familiar to, and easily adopted by application developers. - - usage : More detailed usage can be found in the man pages and README file of the package. - - - - == checksecurity == - - checksecurity is a simple package which will scan your system for several simple security holes. - It uses a simple collection of plugins, all of which are shell scripts which are configured by environmental variables. - - - usage : To start checksecurity simply write in the terminal : - - checksecurity - - More detailed usage can be found in the man pages and README file of the package. - - - == nikto == - - Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, - including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific - problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, - HTTP server options, and will attempt to identify installed web servers and software. - - usage : To start nikto simply write in the terminal : - - nikto - - More detailed usage can be found in the man pages and README file of the package. - - - == nmap == - - Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing. - Many systems and network administrators also find it useful for tasks such as network inventory, - managing service upgrade schedules, and monitoring host or service uptime. 
- - usage : To start nikto simply write in the terminal : - - nmap - - More detailed usage can be found in the man pages and README file of the package. Maintenance ----------- @@ -260,8 +57,8 @@ Send pull requests, patches, comments or questions to yocto@yoctoproject.org When sending single patches, please using something like: 'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security][PATCH' -Maintainers: Saul Wold <sgw@linux.intel.com> - Armin Kuster <akuster@mvista.com> +Maintainers: Armin Kuster <akuster808@gmail.com> + Saul Wold <sgw@linux.intel.com> License diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf index efc426ed7..19e647e7f 100644 --- a/meta-security/conf/layer.conf +++ b/meta-security/conf/layer.conf @@ -7,8 +7,10 @@ BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \ BBFILE_COLLECTIONS += "security" BBFILE_PATTERN_security = "^${LAYERDIR}/" -BBFILE_PRIORITY_security = "6" +BBFILE_PRIORITY_security = "8" -LAYERSERIES_COMPAT_security = "sumo" +LAYERSERIES_COMPAT_security = "thud" LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer meta-python" + +DEFAULT_TEST_SUITES_pn-security-build-image = " ${PTESTTESTSUITE}" diff --git a/meta-security/docs/overview.txt b/meta-security/docs/overview.txt new file mode 100644 index 000000000..ed3135aaa --- /dev/null +++ b/meta-security/docs/overview.txt 
@@ -0,0 +1,197 @@ +Meta-security Docs +============= + +In this section the contents of the layer is listed, along with a short +help for each package. + + == bastille == + + Bastille is a system hardening / lockdown program which enhances the + security of a Unix host. It configures daemons, system settings and + firewalls to be more secure. It can shut off unneeded services + like rcp and rlogin, and helps create "chroot jails" that help limit the + vulnerability of common Internet services like Web services and DNS. + + usage : The functionality of Bastille which is available is + restricted to a purely informational one. The command: + bastille -c --os Yocto + will cause a series of menus containing security questions + about the system to be displayed to the user. For each + question, a default response, specified in the configuration + file which is installed with Bastille, will be selected. + The user may select an alternate response. When the user + has completed the sequence of menus Bastille saves the + responses to the configuration file. + + The command: + bastille -l lists the configuration files that Bastille + is able to locate. + + The other functionality which Bastille is intended to provide + is actually unavailable. This is not due to errors in poky + installation or configuration of the application. The Bastille + distribution is no longer supported. Significant modifications + would be required to make it possible to make use of the + functionality which is currently unavailable. + + + Additional information about Bastille can be found in the package + README file and other documentation. + + Alternatives to Bastille include buck-security and checksecurity, + described elsewhere in this file. + + + == redhat-security == + + Sometimes you want to check different aspects of a distribution for security problems. + This can be anything from file permissions to correctness of code. This is a collection of those tools. 
+ Depending on what information the tool has to access, it may need to be run as root. + + - rpm-chksec.sh : This will take an rpm name as input and verify each ELF file to see if its compiled with the intended flags + to most effectively use PIE and RELRO. Green is good, Orange could use work but is acceptable, and Red needs fixing. + It has a mode --all that is the equivalent of using rpm -qa and feeding the packages to it. + In this mode it will only give a summary result for the package. To find which files don't comply, + re-run using just the package name. + + !!! WARNING !!! - in order to use this script you need to add to your conf/local.conf file the following lines: + IMAGE_ROOTFS_EXTRA_SPACE = "" - specifying the extra space of the image + IMAGE_FEATURES += "package management" - for the correct output of rpm -qa + + - find-nodrop-groups.sh : This will scan a whole file system to see if a program makes calls to change UID + and GID without also calling setgroups or initgroups. + + - rpm-drop-groups.sh : Same as above, but takes an rpm name instead. + + - find-chroot.sh : This script scans the whole file system looking for ELF files that calls chroot(2) that also do not include a call to chdir. + Programs that fail to do this do not have the cwd inside the chroot. This means the app can escape the protection that was intended. + + - find-chroot-py.sh : This test is like the one above except it examines python scripts for the same problem. + + - find-execstack.sh : This program scans the whole file system for ELF programs that have marked the stack as being executable. + This means that if the program has another vulnerablity such as stack buffer overflow, + any code the attacker places there is executable. Any program found must be fixed. + + - find-hidden-exec.sh : This program scans the whole file system looking for excutables that are hidden. + Anything found must be investigated since its highly unusual for executables to be hidden. 
+ + - find-sh4errors.sh : This program scans the whole file system looking for shell scripts. + It then does a sh -n on the script which causes bash to parse the file to see if there are any mistakes. + + - selinux-check-devices.sh : This script checks the /dev directory to see if there are any devices that are not correctly labeled. + Anything found by this test should be reported so that selinux policy can be fixed. + This test is very hardware specific, so to be effective a lot of people with different hardware + should run this test each upstream kernel version release. + + - selinux-ls-unconfined.sh : This script scans the running processes and looks for anything labeled with initrc_t or inetd. + These both mean that there are daemons that do not have policy and are therefore running unconfined. + These should be reported as SE Linux policy problems. Because it checks currently running daemons, + the more you have running, the better the test is. + + - find-sh4tmp.sh : This script scans the whole filesystem to check if shell scripts are using well known tmp file names + instead of obscure ones created by something like mktemp. + + - find-elf4tmp.sh : This script scans the whole file system for ELF files using /tmp. When it finds this, + it also looks to see if any of the known good random name generator functions is called by looking + at the symbol table. If not, it will output the string. + + - lib-bin-check.sh : This will check all installed library packages to see if an application is also part of the package. + The relationship to security is that the SHA256 hash check will fail if a 32 bit version overwrites it. + Also, the less binaries on a system, the more secure it is by virtue of removing the chance for an exploitable bug. + + + usage : simply invoke the script name in the terminal. + + + == pax-utils == + + ( This package can be found in oe-core ) + + pax-utils is a small set of various PaX aware and related utilities for + ELF binaries. 
+ + - scanelf : With this application you can print out information specific to the ELF structure of a binary. + For more help please consult the man pages or the readme file. + + - pspax : is a user-space utility that scans the proc directory and list + ELF types, as well as their respective PaX flags and filenames and + attributes. Depending on build options, it may additionaly display the + process running set of capabilities. + + - scanmacho : is a user-space utility to quickly scan given + Mach-Os, directories, or common system paths for different information. This + may include Mach-O types, their install_names, etc. + + - dumpelf : is a user-space utility to dump all of the internal + ELF structures into the equivalent C structures for fun debugging and/or + reference purposes. + + + usage : simply invoke the script name in the terminal. + + + == buck-security == + + Buck-Security is a security scanner for Debian and Ubuntu Linux. It runs a couple of important checks and helps you to harden your Linux + system. This enables you to quickly overview the security status of your Linux system. + + usage : !!! before starting to use this tool please run the following command: !!! + + export GPG_TTY=`tty` + + This command is needed for the usage of the comand --make-checksum, which creates + a checksum for the files in the system. + + switch to directory /usr/local/buck-security. + before running the script, you should check the activated checks in conf/buck-security.conf file. + after altering the changes, save the file and simply run : + + ./buck-security + + you can choose between different outputs : 1, 2(default) or 3. + + More detailed usage can be found typing ./buck-security --help + + + == libseccomp == + + The libseccomp library provides and easy to use, platform independent, interface to the Linux Kernel's syscall filtering mechanism: seccomp. 
+ The libseccomp API is designed to abstract away the underlying BPF based syscall filter language and present a more conventional + function-call based filtering interface that should be familiar to, and easily adopted by application developers. + + usage : More detailed usage can be found in the man pages and README file of the package. + + + + == checksecurity == + + checksecurity is a simple package which will scan your system for several simple security holes. + It uses a simple collection of plugins, all of which are shell scripts which are configured by environmental variables. + + + usage : To start checksecurity simply write in the terminal : + + checksecurity + + More detailed usage can be found in the man pages and README file of the package. + + + == nikto == + + Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, + including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific + problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, + HTTP server options, and will attempt to identify installed web servers and software. + + usage : To start nikto simply write in the terminal : + + nikto + + More detailed usage can be found in the man pages and README file of the package. + +License +======= + +All metadata is MIT licensed unless otherwise stated. Source code included +in tree for individual recipes is under the LICENSE stated in each recipe +(.bb file) unless otherwise stated. diff --git a/meta-security/meta-security-compliance/conf/layer.conf b/meta-security/meta-security-compliance/conf/layer.conf index 31716d6e7..fcc5cd6ca 100644 --- a/meta-security/meta-security-compliance/conf/layer.conf +++ b/meta-security/meta-security-compliance/conf/layer.conf 
@@ -6,9 +6,9 @@ BBFILES += "${LAYERDIR}/recipes*/*/*.bb ${LAYERDIR}/recipes*/*/*.bbappend" BBFILE_COLLECTIONS += "scanners-layer" BBFILE_PATTERN_scanners-layer = "^${LAYERDIR}/" -BBFILE_PRIORITY_scanners-layer = "6" +BBFILE_PRIORITY_scanners-layer = "10" -LAYERSERIES_COMPAT_scanners-layer = "sumo" +LAYERSERIES_COMPAT_scanners-layer = "thud" LAYERDEPENDS_scanners-layer = " \ core \ diff --git a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.5.1.bb b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.6.8.bb index 884999c08..28a44691c 100644 --- a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.5.1.bb +++ b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.6.8.bb @@ -6,9 +6,12 @@ HOMEDIR = "https://cisofy.com/" LICENSE = "GPL-3.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1" -SRCREV= "1be5154b35ce144db4f386856debe8a06b403899" -SRC_URI = "git://github.com/CISOfy/Lynis.git" -S = "${WORKDIR}/git" +SRC_URI = "https://cisofy.com/files/${BPN}-${PV}.tar.gz" + +SRC_URI[md5sum] = "91a538055bfb682733ef8e4fe7eb0902" +SRC_URI[sha256sum] = "2e4c5157a4f2d9bb37d3f0f1f5bea03f92233a2a7d4df6eddf231a784087dfac" + +S = "${WORKDIR}/${BPN}" inherit autotools-brokensep diff --git a/meta-security/meta-security-compliance/recipes-core/os-release/os-release.bbappend b/meta-security/meta-security-compliance/recipes-core/os-release/os-release.bbappend index e9fd44ade..604bacb1a 100644 --- a/meta-security/meta-security-compliance/recipes-core/os-release/os-release.bbappend +++ b/meta-security/meta-security-compliance/recipes-core/os-release/os-release.bbappend @@ -1,4 +1 @@ -OS_RELEASE_FIELDS += "CPE_NAME" - CPE_NAME="cpe:/o:openembedded:nodistro:0" - 
diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.6.bb b/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb index fb01a1134..a6a9373ea 100644 --- a/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.6.bb +++ b/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb @@ -8,11 +8,9 @@ LICENSE = "LGPL-2.1" DEPENDS = "python3-dbus" -SRCREV = "3fd5c75a08223de35a865d026d2a6980ec9c1d74" +SRCREV = "f25b16afb6ac761fea13132ff406fba4cdfd2b76" SRC_URI = "git://github.com/OpenSCAP/openscap-daemon.git" -PV = "0.1.6+git${SRCPV}" - inherit setuptools3 S = "${WORKDIR}/git" diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.2.15.bb b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.2.17.bb index 7cbb1e2ec..e2a4fa2e6 100644 --- a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.2.15.bb +++ b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.2.17.bb @@ -11,7 +11,7 @@ DEPENDS = "autoconf-archive pkgconfig gconf procps curl libxml2 rpm \ DEPENDS_class-native = "autoconf-archive-native pkgconfig-native swig-native curl-native libxml2-native libxslt-native dpkg-native libgcrypt-native nss-native" -SRCREV = "240930d42611983c65ecae16dbca3248ce130921" +SRCREV = "59c234b3e9907480c89dfbd1b466a6bf72a2d2ed" SRC_URI = "git://github.com/akuster/openscap.git;branch=oe \ file://crypto_pkgconfig.patch \ file://run-ptest \ @@ -46,6 +46,7 @@ do_configure_prepend () { sed -i 's:-I/usr/include:-I${STAGING_INCDIR}:' ${S}/swig/perl/Makefile.am sed -i 's:-I/usr/include:-I${STAGING_INCDIR}:' ${S}/swig/python3/Makefile.am sed -i 's:-I/usr/include:-I${STAGING_INCDIR}:' ${S}/swig/python2/Makefile.am + sed -i 's:python2:python:' ${S}/utils/scap-as-rpm } 
diff --git a/meta-security/meta-tpm/conf/layer.conf b/meta-security/meta-tpm/conf/layer.conf index a2f0cabaf..1b5f7d581 100644 --- a/meta-security/meta-tpm/conf/layer.conf +++ b/meta-security/meta-tpm/conf/layer.conf @@ -6,9 +6,9 @@ BBFILES += "${LAYERDIR}/recipes*/*/*.bb ${LAYERDIR}/recipes*/*/*.bbappend" BBFILE_COLLECTIONS += "tpm-layer" BBFILE_PATTERN_tpm-layer = "^${LAYERDIR}/" -BBFILE_PRIORITY_tpm-layer = "6" +BBFILE_PRIORITY_tpm-layer = "10" -LAYERSERIES_COMPAT_tpm-layer = "sumo" +LAYERSERIES_COMPAT_tpm-layer = "thud" LAYERDEPENDS_tpm-layer = " \ core \ diff --git a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb index 13b505fa0..c4c8fb22b 100644 --- a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb +++ b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb @@ -1,4 +1,4 @@ -DESCRIPTION = "Security packagegroup for Poky" +DESCRIPTION = "TPM2 packagegroup for Security" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \ file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" @@ -12,7 +12,7 @@ RDEPENDS_packagegroup-security-tpm2 = " \ tpm2.0-tools \ trousers \ libtss2 \ - libtctidevice \ - libtctisocket \ - resourcemgr \ + libtss2-tcti-device \ + libtss2-tcti-mssim \ + tpm2-abrmd \ " diff --git a/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_1.0.bb b/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_1.0.bb index b29ec6bbe..a930d7bc3 100644 --- a/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_1.0.bb +++ b/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_1.0.bb 
@@ -1,11 +1,9 @@ SUMMARY = "LIBPM - Software TPM Library" LICENSE = "BSD-3-Clause" -LIC_FILES_CHKSUM = "file://LICENSE;md5=97e5eea8d700d76b3ddfd35c4c96485f" +LIC_FILES_CHKSUM = "file://LICENSE;md5=e73f0786a936da3814896df06ad225a9" -SRCREV = "3388d45082bdc588c6fc0672f44d6d7d0aaa86ff" -SRC_URI = " \ - git://github.com/stefanberger/libtpms.git \ - " +SRCREV = "4111bd1bcf721e6e7b5f11ed9c2b93083677aa25" +SRC_URI = "git://github.com/stefanberger/libtpms.git" S = "${WORKDIR}/git" inherit autotools-brokensep pkgconfig diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch index 67071b605..bed8b92a2 100644 --- a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch +++ b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch @@ -8,20 +8,20 @@ Add "-z" option to select well known password in create_tpm_key tool. 
Signed-off-by: Junxian.Xiao <Junxian.Xiao@windriver.com> -diff --git a/create_tpm_key.c b/create_tpm_key.c -index fee917f..7b94d62 100644 ---- a/create_tpm_key.c -+++ b/create_tpm_key.c -@@ -46,6 +46,8 @@ - #include <trousers/tss.h> - #include <trousers/trousers.h> +Index: git/src/create_tpm_key.c +=================================================================== +--- git.orig/src/create_tpm_key.c ++++ git/src/create_tpm_key.c +@@ -48,6 +48,8 @@ + + #include "ssl_compat.h" +#define TPM_WELL_KNOWN_KEY_LEN 20 /*well know key length is 20 bytes zero*/ + #define print_error(a,b) \ fprintf(stderr, "%s:%d %s result: 0x%x (%s)\n", __FILE__, __LINE__, \ a, b, Trspi_Error_String(b)) -@@ -70,6 +72,7 @@ usage(char *argv0) +@@ -72,6 +74,7 @@ usage(char *argv0) "\t\t-e|--enc-scheme encryption scheme to use [PKCSV15] or OAEP\n" "\t\t-q|--sig-scheme signature scheme to use [DER] or SHA1\n" "\t\t-s|--key-size key size in bits [2048]\n" @@ -29,7 +29,7 @@ index fee917f..7b94d62 100644 "\t\t-a|--auth require a password for the key [NO]\n" "\t\t-p|--popup use TSS GUI popup dialogs to get the password " "for the\n\t\t\t\t key [NO] (implies --auth)\n" -@@ -147,6 +150,7 @@ int main(int argc, char **argv) +@@ -154,6 +157,7 @@ int main(int argc, char **argv) int asn1_len; char *filename, c, *openssl_key = NULL; int option_index, auth = 0, popup = 0, wrap = 0; @@ -37,7 +37,7 @@ index fee917f..7b94d62 100644 UINT32 enc_scheme = TSS_ES_RSAESPKCSV15; UINT32 sig_scheme = TSS_SS_RSASSAPKCS1V15_DER; UINT32 key_size = 2048; -@@ -154,12 +158,15 @@ int main(int argc, char **argv) +@@ -161,12 +165,15 @@ int main(int argc, char **argv) while (1) { option_index = 0; @@ -54,7 +54,7 @@ index fee917f..7b94d62 100644 case 'a': initFlags |= TSS_KEY_AUTHORIZATION; auth = 1; -@@ -293,6 +300,8 @@ int main(int argc, char **argv) +@@ -300,6 +307,8 @@ int main(int argc, char **argv) if (srk_authusage) { char *authdata = calloc(1, 128); 
@@ -63,7 +63,7 @@ index fee917f..7b94d62 100644 if (!authdata) { fprintf(stderr, "malloc failed.\n"); -@@ -309,17 +318,26 @@ int main(int argc, char **argv) +@@ -316,17 +325,26 @@ int main(int argc, char **argv) exit(result); } diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch index f718f2e64..2caaaf054 100644 --- a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch +++ b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch @@ -9,20 +9,20 @@ use "env TPM_SRK_PW=#WELLKNOWN#" to set well known password. Signed-off-by: Junxian.Xiao <Junxian.Xiao@windriver.com> -diff --git a/e_tpm.c b/e_tpm.c -index f3e8bcf..7dcb75a 100644 ---- a/e_tpm.c -+++ b/e_tpm.c +Index: git/src/e_tpm.c +=================================================================== +--- git.orig/src/e_tpm.c ++++ git/src/e_tpm.c @@ -38,6 +38,8 @@ - #include "e_tpm.h" + #include "ssl_compat.h" +#define TPM_WELL_KNOWN_KEY_LEN 20 /*well know key length is 20 bytes zero*/ + //#define DLOPEN_TSPI #ifndef OPENSSL_NO_HW -@@ -248,6 +250,10 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data) +@@ -262,6 +264,10 @@ int tpm_load_srk(UI_METHOD *ui, void *cb TSS_RESULT result; UINT32 authusage; BYTE *auth; @@ -33,7 +33,7 @@ index f3e8bcf..7dcb75a 100644 if (hSRK != NULL_HKEY) { DBGFN("SRK is already loaded."); -@@ -299,18 +305,36 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data) +@@ -313,18 +319,36 @@ int tpm_load_srk(UI_METHOD *ui, void *cb return 0; } diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-Fix-not-building-libtpm.la.patch b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-Fix-not-building-libtpm.la.patch deleted file mode 100644 index d24a150e5..000000000 
--- a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-Fix-not-building-libtpm.la.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 7848445a1f4c750ef73bf96f5e89d402f87a1756 Mon Sep 17 00:00:00 2001 -From: Lans Zhang <jia.zhang@windriver.com> -Date: Mon, 19 Jun 2017 14:54:28 +0800 -Subject: [PATCH] Fix not building libtpm.la - -Signed-off-by: Lans Zhang <jia.zhang@windriver.com> ---- - Makefile.am | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/Makefile.am b/Makefile.am -index 6695656..634a7e6 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -10,4 +10,6 @@ libtpm_la_LIBADD=-lcrypto -lc -ltspi - libtpm_la_SOURCES=e_tpm.c e_tpm.h e_tpm_err.c - - create_tpm_key_SOURCES=create_tpm_key.c --create_tpm_key_LDADD=-ltspi -+create_tpm_key_LDFLAGS=-ltspi -+ -+LDADD=libtpm.la --- -2.7.5 - diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch index a88148fe4..cc8772d20 100644 --- a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch +++ b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch @@ -22,11 +22,11 @@ Signed-off-by: Meng Li <Meng.Li@windriver.com> e_tpm_err.c | 4 ++ 3 files changed, 164 insertions(+), 1 deletion(-) -diff --git a/e_tpm.c b/e_tpm.c -index 7dcb75a..11bf74b 100644 ---- a/e_tpm.c -+++ b/e_tpm.c -@@ -245,6 +245,118 @@ void ENGINE_load_tpm(void) +Index: git/src/e_tpm.c +=================================================================== +--- git.orig/src/e_tpm.c ++++ git/src/e_tpm.c +@@ -259,6 +259,118 @@ void ENGINE_load_tpm(void) ERR_clear_error(); } 
@@ -145,7 +145,7 @@ index 7dcb75a..11bf74b 100644 int tpm_load_srk(UI_METHOD *ui, void *cb_data) { TSS_RESULT result; -@@ -305,8 +417,50 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data) +@@ -319,8 +431,50 @@ int tpm_load_srk(UI_METHOD *ui, void *cb return 0; } @@ -197,7 +197,7 @@ index 7dcb75a..11bf74b 100644 if (0 == strcmp(srkPasswd, "#WELLKNOWN#")) { memset(auth, 0, TPM_WELL_KNOWN_KEY_LEN); secretMode = TSS_SECRET_MODE_SHA1; -@@ -319,6 +473,7 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data) +@@ -333,6 +487,7 @@ int tpm_load_srk(UI_METHOD *ui, void *cb authlen = strlen(auth); } } @@ -205,11 +205,11 @@ index 7dcb75a..11bf74b 100644 else { if (!tpm_engine_get_auth(ui, (char *)auth, 128, "SRK authorization: ", cb_data)) { -diff --git a/e_tpm.h b/e_tpm.h -index 6316e0b..56ff202 100644 ---- a/e_tpm.h -+++ b/e_tpm.h -@@ -66,6 +66,8 @@ void ERR_TSS_error(int function, int reason, char *file, int line); +Index: git/src/e_tpm.h +=================================================================== +--- git.orig/src/e_tpm.h ++++ git/src/e_tpm.h +@@ -66,6 +66,8 @@ void ERR_TSS_error(int function, int rea #define TPM_F_TPM_FILL_RSA_OBJECT 116 #define TPM_F_TPM_ENGINE_GET_AUTH 117 #define TPM_F_TPM_CREATE_SRK_POLICY 118 @@ -218,7 +218,7 @@ index 6316e0b..56ff202 100644 /* Reason codes. */ #define TPM_R_ALREADY_LOADED 100 -@@ -96,6 +98,8 @@ void ERR_TSS_error(int function, int reason, char *file, int line); +@@ -96,6 +98,8 @@ void ERR_TSS_error(int function, int rea #define TPM_R_ID_INVALID 125 #define TPM_R_UI_METHOD_FAILED 126 #define TPM_R_UNKNOWN_SECRET_MODE 127 
@@ -227,11 +227,11 @@ index 6316e0b..56ff202 100644 /* structure pointed to by the RSA object's app_data pointer */ struct rsa_app_data -diff --git a/e_tpm_err.c b/e_tpm_err.c -index 25a5d0f..439e267 100644 ---- a/e_tpm_err.c -+++ b/e_tpm_err.c -@@ -235,6 +235,8 @@ static ERR_STRING_DATA TPM_str_functs[] = { +Index: git/src/e_tpm_err.c +=================================================================== +--- git.orig/src/e_tpm_err.c ++++ git/src/e_tpm_err.c +@@ -234,6 +234,8 @@ static ERR_STRING_DATA TPM_str_functs[] {ERR_PACK(0, TPM_F_TPM_BIND_FN, 0), "TPM_BIND_FN"}, {ERR_PACK(0, TPM_F_TPM_FILL_RSA_OBJECT, 0), "TPM_FILL_RSA_OBJECT"}, {ERR_PACK(0, TPM_F_TPM_ENGINE_GET_AUTH, 0), "TPM_ENGINE_GET_AUTH"}, @@ -240,7 +240,7 @@ index 25a5d0f..439e267 100644 {0, NULL} }; -@@ -265,6 +267,8 @@ static ERR_STRING_DATA TPM_str_reasons[] = { +@@ -264,6 +266,8 @@ static ERR_STRING_DATA TPM_str_reasons[] {TPM_R_FILE_READ_FAILED, "failed reading the key file"}, {TPM_R_ID_INVALID, "engine id doesn't match"}, {TPM_R_UI_METHOD_FAILED, "ui function failed"}, @@ -249,6 +249,3 @@ index 25a5d0f..439e267 100644 {0, NULL} }; --- -2.9.3 - diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch index 076704de8..535472a20 100644 --- a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch +++ b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch @@ -15,11 +15,11 @@ 
Signed-off-by: Meng Li <Meng.Li@windriver.com> create_tpm_key.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) -diff --git a/create_tpm_key.c b/create_tpm_key.c -index 7b94d62..f30af90 100644 ---- a/create_tpm_key.c -+++ b/create_tpm_key.c -@@ -148,7 +148,8 @@ int main(int argc, char **argv) +Index: git/src/create_tpm_key.c +=================================================================== +--- git.orig/src/create_tpm_key.c ++++ git/src/create_tpm_key.c +@@ -155,7 +155,8 @@ int main(int argc, char **argv) ASN1_OCTET_STRING *blob_str; unsigned char *blob_asn1 = NULL; int asn1_len; @@ -29,6 +29,3 @@ index 7b94d62..f30af90 100644 int option_index, auth = 0, popup = 0, wrap = 0; int wellknownkey = 0; UINT32 enc_scheme = TSS_ES_RSAESPKCSV15; --- -1.7.9.5 - diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/openssl11_build_fix.patch b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/openssl11_build_fix.patch new file mode 100644 index 000000000..2f8eb8127 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/openssl11_build_fix.patch 
@@ -0,0 +1,34 @@ +Fix compiling for openssl 1.1 + +Upstream-Status: Pending +Signed-off-by: Armin Kuster <akuster808@gmail.com> + +Index: git/src/e_tpm.c +=================================================================== +--- git.orig/src/e_tpm.c ++++ git/src/e_tpm.c +@@ -265,19 +265,20 @@ static int tpm_decode_base64(unsigned ch + int *out_len) + { + int total_len, len, ret; +- EVP_ENCODE_CTX dctx; ++ EVP_ENCODE_CTX *dctx; + +- EVP_DecodeInit(&dctx); ++ dctx = EVP_ENCODE_CTX_new(); ++ EVP_DecodeInit(dctx); + + total_len = 0; +- ret = EVP_DecodeUpdate(&dctx, outdata, &len, indata, in_len); ++ ret = EVP_DecodeUpdate(dctx, outdata, &len, indata, in_len); + if (ret < 0) { + TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED); + return 1; + } + + total_len += len; +- ret = EVP_DecodeFinal(&dctx, outdata, &len); ++ ret = EVP_DecodeFinal(dctx, outdata, &len); + if (ret < 0) { + TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED); + return 1; diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.4.2.bb b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb index 4854f70e3..0f98b79f2 100644 --- a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.4.2.bb +++ b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb @@ -1,5 +1,5 @@ DESCRIPTION = "OpenSSL secure engine based on TPM hardware" -HOMEPAGE = "https://sourceforge.net/projects/trousers/" +HOMEPAGE = "https://github.com/mgerstner/openssl_tpm_engine" SECTION = "security/tpm" LICENSE = "openssl" 
@@ -8,18 +8,18 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=11f0ee3af475c85b907426e285c9bb52" DEPENDS += "openssl trousers" SRC_URI = "\ - git://git.code.sf.net/p/trousers/openssl_tpm_engine \ + git://github.com/mgerstner/openssl_tpm_engine.git \ file://0001-create-tpm-key-support-well-known-key-option.patch \ file://0002-libtpm-support-env-TPM_SRK_PW.patch \ - file://0003-Fix-not-building-libtpm.la.patch \ file://0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch \ file://0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch \ + file://openssl11_build_fix.patch \ " -SRCREV = "bbc2b1af809f20686e0d3553a62f0175742c0d60" +SRCREV = "b28de5065e6eb9aa5d5afe2276904f7624c2cbaf" S = "${WORKDIR}/git" -inherit autotools-brokensep +inherit autotools-brokensep pkgconfig # The definitions below are used to decrypt the srk password. # It is allowed to define the values in 3 forms: string, hex number and 
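Review bot: openssl11_build_fix.patch, which this SRC_URI hunk adds, allocates the decode context in tpm_decode_base64 with `dctx = EVP_ENCODE_CTX_new();` but never checks the result for NULL and never calls EVP_ENCODE_CTX_free(). That allocation is the only line the patch adds, and both visible `return 1;` error paths leave the function with the context still allocated. Add a NULL check before `EVP_DecodeInit(dctx)` and free dctx on the error returns and on the normal exit, otherwise every base64 decode leaks a context.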
@@ -41,35 +41,22 @@ CFLAGS_append += "-DSRK_DEC_PW=${srk_dec_pw} -DSRK_DEC_SALT=${srk_dec_salt}" #CFLAGS_append += "-DTPM_SRK_PLAIN_PW" do_configure_prepend() { - cd "${S}" + cd ${B} cp LICENSE COPYING - touch NEWS AUTHORS ChangeLog + touch NEWS AUTHORS ChangeLog README } -do_install_append() { - install -m 0755 -d "${D}${libdir}/engines" - install -m 0755 -d "${D}${prefix}/local/ssl/lib/engines" - install -m 0755 -d "${D}${libdir}/ssl/engines" - - cp -f "${D}${libdir}/openssl/engines/libtpm.so.0.0.0" "${D}${libdir}/libtpm.so.0" - cp -f "${D}${libdir}/openssl/engines/libtpm.so.0.0.0" "${D}${libdir}/engines/libtpm.so" - cp -f "${D}${libdir}/openssl/engines/libtpm.so.0.0.0" "${D}${prefix}/local/ssl/lib/engines/libtpm.so" - mv -f "${D}${libdir}/openssl/engines/libtpm.so.0.0.0" "${D}${libdir}/ssl/engines/libtpm.so" - mv -f "${D}${libdir}/openssl/engines/libtpm.la" "${D}${libdir}/ssl/engines/libtpm.la" - rm -rf "${D}${libdir}/openssl" -} - -FILES_${PN}-staticdev += "${libdir}/ssl/engines/libtpm.la" +FILES_${PN}-staticdev += "${libdir}/ssl/engines-1.1/tpm.la" FILES_${PN}-dbg += "\ - ${libdir}/ssl/engines/.debug \ - ${libdir}/engines/.debug \ - ${prefix}/local/ssl/lib/engines/.debug \ + ${libdir}/ssl/engines-1.1/.debug \ + ${libdir}/engines-1.1/.debug \ + ${prefix}/local/ssl/lib/engines-1.1/.debug \ " FILES_${PN} += "\ - ${libdir}/ssl/engines/libtpm.so* \ - ${libdir}/engines/libtpm.so* \ + ${libdir}/ssl/engines-1.1/tpm.so* \ + ${libdir}/engines-1.1/tpm.so* \ ${libdir}/libtpm.so* \ - ${prefix}/local/ssl/lib/engines/libtpm.so* \ + ${prefix}/local/ssl/lib/engines-1.1/tpm.so* \ " RDEPENDS_${PN} += "libcrypto libtspi" diff --git a/meta-security/meta-tpm/recipes-tpm/pcr-extend/files/fix_openssl11_build.patch b/meta-security/meta-tpm/recipes-tpm/pcr-extend/files/fix_openssl11_build.patch new file mode 100644 index 000000000..cf2d43780 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm/pcr-extend/files/fix_openssl11_build.patch 
@@ -0,0 +1,45 @@ +Enable building with openssl 1.1 + +Upstream-Status: Pending +Signed-off-by: Armin Kuster <akuster808@gmail.com> + +Index: git/src/pcr-extend.c +=================================================================== +--- git.orig/src/pcr-extend.c ++++ git/src/pcr-extend.c +@@ -118,7 +118,7 @@ dump_buf (FILE *file, char *buf, size_t + static unsigned char* + sha1_file (FILE *file, unsigned int *hash_len) + { +- EVP_MD_CTX ctx = { 0 }; ++ EVP_MD_CTX *ctx = EVP_MD_CTX_new(); + unsigned char *buf = NULL, *hash = NULL; + size_t num_read = 0; + +@@ -127,7 +127,7 @@ sha1_file (FILE *file, unsigned int *has + perror ("malloc:\n"); + goto sha1_fail; + } +- if (EVP_DigestInit (&ctx, EVP_sha1 ()) == 0) { ++ if (EVP_DigestInit (ctx, EVP_sha1 ()) == 0) { + ERR_print_errors_fp (stderr); + goto sha1_fail; + } +@@ -135,7 +135,7 @@ sha1_file (FILE *file, unsigned int *has + num_read = fread (buf, 1, BUF_SIZE, file); + if (num_read <= 0) + break; +- if (EVP_DigestUpdate (&ctx, buf, num_read) == 0) { ++ if (EVP_DigestUpdate (ctx, buf, num_read) == 0) { + ERR_print_errors_fp (stderr); + goto sha1_fail; + } +@@ -149,7 +149,7 @@ sha1_file (FILE *file, unsigned int *has + perror ("calloc of hash buffer:\n"); + goto sha1_fail; + } +- if (EVP_DigestFinal (&ctx, hash, hash_len) == 0) { ++ if (EVP_DigestFinal (ctx, hash, hash_len) == 0) { + ERR_print_errors_fp (stderr); + goto sha1_fail; + } diff --git a/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb b/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb index 0cc4f6370..f8347b7f1 100644 --- a/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb +++ b/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb @@ -9,7 +9,8 @@ DEPENDS = "libtspi" PV = "0.1+git${SRCPV}" SRCREV = "c02ad8f628b3d99f6d4c087b402fe31a40ee6316" -SRC_URI = "git://github.com/flihp/pcr-extend.git " +SRC_URI = "git://github.com/flihp/pcr-extend.git \ + file://fix_openssl11_build.patch " inherit autotools 
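Review bot: fix_openssl11_build.patch, which this hunk adds to SRC_URI, replaces the stack `EVP_MD_CTX ctx = { 0 };` in sha1_file with `EVP_MD_CTX_new()`, but none of its four hunks adds a NULL check or an EVP_MD_CTX_free(). The context is therefore used unchecked and leaked on every call, including each `goto sha1_fail` path. Check the allocation before EVP_DigestInit, and free ctx in the sha1_fail cleanup as well as before the normal return.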
diff --git a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_1.0.bb b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_1.0.bb index 747602000..3fe1393af 100644 --- a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_1.0.bb +++ b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_1.0.bb @@ -3,23 +3,21 @@ LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=fe8092c832b71ef20dfe4c6d3decb3a8" SECTION = "apps" -DEPENDS = "libtasn1 expect socat glib-2.0 libtpm libtpm-native" +DEPENDS = "libtasn1 expect socat glib-2.0 net-tools-native libtpm libtpm-native" # configure checks for the tools already during compilation and # then swtpm_setup needs them at runtime DEPENDS += "tpm-tools-native expect-native socat-native" -RDEPENDS_${PN} += "tpm-tools" -SRCREV = "4f4f2f0a7e3195f6df8d235d58630a08e69403d8" -SRC_URI = "git://github.com/stefanberger/swtpm.git \ - file://fix_lib_search_path.patch \ +SRCREV = "94bb9f2d716d09bcc6cd2a2e033018f8592008e7" +SRC_URI = "git://github.com/stefanberger/swtpm.git;branch=tpm2-preview.v2 \ file://fix_fcntl_h.patch \ file://ioctl_h.patch \ " S = "${WORKDIR}/git" -inherit autotools-brokensep pkgconfig +inherit autotools pkgconfig PARALLEL_MAKE = "" TSS_USER="tss" @@ -36,21 +34,12 @@ EXTRA_OECONF += "--with-tss-user=${TSS_USER} --with-tss-group=${TSS_GROUP}" export SEARCH_DIR = "${STAGING_LIBDIR_NATIVE}" -# dup bootstrap -do_configure_prepend () { - libtoolize --force --copy - autoheader - aclocal - automake --add-missing -c - autoconf -} - USERADD_PACKAGES = "${PN}" GROUPADD_PARAM_${PN} = "--system ${TSS_USER}" USERADD_PARAM_${PN} = "--system -g ${TSS_GROUP} --home-dir \ --no-create-home --shell /bin/false ${BPN}" -RDEPENDS_${PN} = "libtpm expect socat bash" +RDEPENDS_${PN} = "libtpm expect socat bash tpm-tools" BBCLASSEXTEND = "native nativesdk" 
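Review bot: in the USERADD_PARAM_${PN} context line of the second hunk, `--home-dir` is followed directly by `--no-create-home`, so the option has no path of its own and the next token is parsed as the home directory. Since this hunk already reworks the lines on either side, either give `--home-dir` an explicit directory or drop it and keep only `--no-create-home --shell /bin/false`. Folding tpm-tools into the single `RDEPENDS_${PN} =` assignment looks right, because the earlier `+=` sat above a later plain `=`.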
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/04-fix-FTBFS-clang.patch b/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/04-fix-FTBFS-clang.patch new file mode 100644 index 000000000..5018d45b2 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/04-fix-FTBFS-clang.patch 
@@ -0,0 +1,56 @@ +Title: Fix FTBFS with clang due to uninitialized values +Date: 2015-06-28 +Author: Alexander <sanek23994@gmail.com> +Bug-Debian: http://bugs.debian.org/753063 + +Upstream-Status: Backport +tpm-tools_1.3.9.1-0.1.debian.tar + +Signed-off-by: Armin kuster <akuster808@gmail.com> + +--- tpm-tools-1.3.8/src/tpm_mgmt/tpm_present.c 2012-05-17 21:49:58.000000000 +0400 ++++ tpm-tools-1.3.8-my/src/tpm_mgmt/tpm_present.c 2014-06-29 01:01:11.502081468 +0400 +@@ -165,7 +165,7 @@ + + TSS_BOOL bCmd, bHwd; + BOOL bRc; +- TSS_HPOLICY hTpmPolicy; ++ TSS_HPOLICY hTpmPolicy = 0; + char *pwd = NULL; + int pswd_len; + char rsp[5]; +--- tpm-tools-1.3.8/src/tpm_mgmt/tpm_takeownership.c 2010-09-30 21:28:09.000000000 +0400 ++++ tpm-tools-1.3.8-my/src/tpm_mgmt/tpm_takeownership.c 2014-06-29 01:01:51.069373655 +0400 +@@ -67,7 +67,7 @@ + char *szSrkPasswd = NULL; + int tpm_len, srk_len; + TSS_HTPM hTpm; +- TSS_HKEY hSrk; ++ TSS_HKEY hSrk = 0; + TSS_FLAG fSrkAttrs; + TSS_HPOLICY hTpmPolicy, hSrkPolicy; + int iRc = -1; +--- tpm-tools-1.3.8/src/tpm_mgmt/tpm_nvwrite.c 2011-08-17 16:20:35.000000000 +0400 ++++ tpm-tools-1.3.8-my/src/tpm_mgmt/tpm_nvwrite.c 2014-06-29 01:02:45.836397172 +0400 +@@ -220,7 +220,7 @@ + close(fd); + fd = -1; + } else if (fillvalue >= 0) { +- if (length < 0) { ++ if (length == 0) { + logError(_("Requiring size parameter.\n")); + return -1; + } +--- tpm-tools-1.3.8/src/data_mgmt/data_protect.c 2012-05-17 21:49:58.000000000 +0400 ++++ tpm-tools-1.3.8-my/src/data_mgmt/data_protect.c 2014-06-29 01:03:49.863254459 +0400 +@@ -432,8 +432,8 @@ + + char *pszPin = NULL; + +- CK_RV rv; +- CK_SESSION_HANDLE hSession; ++ CK_RV rv = 0; ++ CK_SESSION_HANDLE hSession = 0; + CK_OBJECT_HANDLE hObject; + CK_MECHANISM tMechanism = { CKM_AES_ECB, NULL, 0 }; + 
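Review bot: the tpm_nvwrite.c hunk of this backport changes the size check from `if (length < 0)` to `if (length == 0)`, which is a behaviour change and not an uninitialized-value fix as the title describes. After it, a fill request with a zero length is rejected with "Requiring size parameter". Say so in the patch description, and confirm that rejecting length 0 is the intended semantics for tpm_nvwrite. The other three hunks only zero-initialise hTpmPolicy, hSrk, rv and hSession, which silences clang, but a zero handle can also hide a path that uses the handle before it is assigned, so it is worth checking that each one is set before first use.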
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/05-openssl1.1_fix_data_mgmt.patch b/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/05-openssl1.1_fix_data_mgmt.patch new file mode 100644 index 000000000..c2a264b62 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/05-openssl1.1_fix_data_mgmt.patch 
@@ -0,0 +1,110 @@ +Author: Philipp Kern <pkern@debian.org> +Subject: Fix openssl1.1 support in data_mgmt +Date: Tue, 31 Jan 2017 22:40:10 +0100 + +Upstream-Status: Backport +tpm-tools_1.3.9.1-0.1.debian.tar + +Signed-off-by: Armin kuster <akuster808@gmail.com> + +--- + src/data_mgmt/data_import.c | 60 ++++++++++++++++++++++++++++---------------- + 1 file changed, 39 insertions(+), 21 deletions(-) + +--- a/src/data_mgmt/data_import.c ++++ b/src/data_mgmt/data_import.c +@@ -372,7 +372,7 @@ readX509Cert( const char *a_pszFile, + goto out; + } + +- if ( EVP_PKEY_type( pKey->type ) != EVP_PKEY_RSA ) { ++ if ( EVP_PKEY_base_id( pKey ) != EVP_PKEY_RSA ) { + logError( TOKEN_RSA_KEY_ERROR ); + + X509_free( pX509 ); +@@ -691,8 +691,13 @@ createRsaPubKeyObject( RSA + + int rc = -1; + +- int nLen = BN_num_bytes( a_pRsa->n ); +- int eLen = BN_num_bytes( a_pRsa->e ); ++ const BIGNUM *bn; ++ const BIGNUM *be; ++ ++ RSA_get0_key( a_pRsa, &bn, &be, NULL ); ++ ++ int nLen = BN_num_bytes( bn ); ++ int eLen = BN_num_bytes( be ); + + CK_RV rv; + +@@ -732,8 +737,8 @@ createRsaPubKeyObject( RSA + } + + // Get binary representations of the RSA key information +- BN_bn2bin( a_pRsa->n, n ); +- BN_bn2bin( a_pRsa->e, e ); ++ BN_bn2bin( bn, n ); ++ BN_bn2bin( be, e ); + + // Create the RSA public key object + rv = createObject( a_hSession, tAttr, ulAttrCount, a_hObject ); +@@ -760,14 +765,27 @@ createRsaPrivKeyObject( RSA + + int rc = -1; + +- int nLen = BN_num_bytes( a_pRsa->n ); +- int eLen = BN_num_bytes( a_pRsa->e ); +- int dLen = BN_num_bytes( a_pRsa->d ); +- int pLen = BN_num_bytes( a_pRsa->p ); +- int qLen = BN_num_bytes( a_pRsa->q ); +- int dmp1Len = BN_num_bytes( a_pRsa->dmp1 ); +- int dmq1Len = BN_num_bytes( a_pRsa->dmq1 ); +- int iqmpLen = BN_num_bytes( a_pRsa->iqmp ); ++ const BIGNUM *bn; ++ const BIGNUM *be; ++ const BIGNUM *bd; ++ const BIGNUM *bp; ++ const BIGNUM *bq; ++ const BIGNUM *bdmp1; ++ const BIGNUM *bdmq1; ++ const BIGNUM *biqmp; ++ ++ RSA_get0_key( a_pRsa, &bn, &be, 
&bd); ++ RSA_get0_factors( a_pRsa, &bp, &bq); ++ RSA_get0_crt_params( a_pRsa, &bdmp1, &bdmq1, &biqmp ); ++ ++ int nLen = BN_num_bytes( bn ); ++ int eLen = BN_num_bytes( be ); ++ int dLen = BN_num_bytes( bd ); ++ int pLen = BN_num_bytes( bp ); ++ int qLen = BN_num_bytes( bq ); ++ int dmp1Len = BN_num_bytes( bdmp1 ); ++ int dmq1Len = BN_num_bytes( bdmq1 ); ++ int iqmpLen = BN_num_bytes( biqmp ); + + CK_RV rv; + +@@ -821,14 +839,14 @@ createRsaPrivKeyObject( RSA + } + + // Get binary representations of the RSA key information +- BN_bn2bin( a_pRsa->n, n ); +- BN_bn2bin( a_pRsa->e, e ); +- BN_bn2bin( a_pRsa->d, d ); +- BN_bn2bin( a_pRsa->p, p ); +- BN_bn2bin( a_pRsa->q, q ); +- BN_bn2bin( a_pRsa->dmp1, dmp1 ); +- BN_bn2bin( a_pRsa->dmq1, dmq1 ); +- BN_bn2bin( a_pRsa->iqmp, iqmp ); ++ BN_bn2bin( bn, n ); ++ BN_bn2bin( be, e ); ++ BN_bn2bin( bd, d ); ++ BN_bn2bin( bp, p ); ++ BN_bn2bin( bq, q ); ++ BN_bn2bin( bdmp1, dmp1 ); ++ BN_bn2bin( bdmq1, dmq1 ); ++ BN_bn2bin( biqmp, iqmp ); + + // Create the RSA private key object + rv = createObject( a_hSession, tAttr, ulAttrCount, a_hObject ); diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/openssl1.1_fix.patch b/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/openssl1.1_fix.patch new file mode 100644 index 000000000..9ae3f72a3 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/openssl1.1_fix.patch 
@@ -0,0 +1,18 @@ +Upstream-Status: Pending +Update to build with openssl 1.1.x + +Signed-off-by: Armin Kuster <akuster808@gmail.com> + +Index: git/src/cmds/tpm_extendpcr.c +=================================================================== +--- git.orig/src/cmds/tpm_extendpcr.c ++++ git/src/cmds/tpm_extendpcr.c +@@ -136,7 +136,7 @@ int main(int argc, char **argv) + + unsigned char msg[EVP_MAX_MD_SIZE]; + unsigned int msglen; +- EVP_MD_CTX ctx; ++ EVP_MD_CTX *ctx = EVP_MD_CTX_new(); + EVP_DigestInit(&ctx, EVP_sha1()); + while ((lineLen = BIO_read(bin, line, sizeof(line))) > 0) + EVP_DigestUpdate(&ctx, line, lineLen); diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/tpm-tools-extendpcr.patch b/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/tpm-tools-extendpcr.patch index ab5e68320..40150af87 100644 --- a/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/tpm-tools-extendpcr.patch +++ b/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/tpm-tools-extendpcr.patch @@ -1,8 +1,8 @@ -Index: tpm-tools-1.3.8/include/tpm_tspi.h +Index: git/include/tpm_tspi.h =================================================================== ---- tpm-tools-1.3.8.orig/include/tpm_tspi.h 2011-08-17 08:20:35.000000000 -0400 -+++ tpm-tools-1.3.8/include/tpm_tspi.h 2013-01-05 23:26:31.571598217 -0500 -@@ -117,6 +117,10 @@ +--- git.orig/include/tpm_tspi.h ++++ git/include/tpm_tspi.h +@@ -117,6 +117,10 @@ TSS_RESULT tpmPcrRead(TSS_HTPM a_hTpm, U UINT32 *a_PcrSize, BYTE **a_PcrValue); TSS_RESULT pcrcompositeSetPcrValue(TSS_HPCRS a_hPcrs, UINT32 a_Idx, UINT32 a_PcrSize, BYTE *a_PcrValue); 
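Review bot: in openssl1.1_fix.patch (the src/cmds/tpm_extendpcr.c hunk earlier on this line), ctx becomes a pointer via `EVP_MD_CTX *ctx = EVP_MD_CTX_new();`, but the unchanged context lines still call `EVP_DigestInit(&ctx, EVP_sha1());` and `EVP_DigestUpdate(&ctx, line, lineLen);`. `&ctx` is now an `EVP_MD_CTX **`, so OpenSSL is handed the address of the stack slot holding the pointer and treats it as the digest context. That is undefined behaviour, and it affects the SHA-1 value this tool computes for the PCR extend. Pass `ctx` in every EVP_Digest* call in main, including any outside this hunk, check the EVP_MD_CTX_new() result for NULL, and add EVP_MD_CTX_free(ctx) once the digest is finalised.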
@@ -13,11 +13,11 @@ Index: tpm-tools-1.3.8/include/tpm_tspi.h #ifdef TSS_LIB_IS_12 TSS_RESULT unloadVersionInfo(UINT64 *offset, BYTE *blob, TPM_CAP_VERSION_INFO *v); TSS_RESULT pcrcompositeSetPcrLocality(TSS_HPCRS a_hPcrs, UINT32 localityValue); -Index: tpm-tools-1.3.8/lib/tpm_tspi.c +Index: git/lib/tpm_tspi.c =================================================================== ---- tpm-tools-1.3.8.orig/lib/tpm_tspi.c 2011-08-17 08:20:35.000000000 -0400 -+++ tpm-tools-1.3.8/lib/tpm_tspi.c 2013-01-05 23:27:37.731593490 -0500 -@@ -594,6 +594,20 @@ +--- git.orig/lib/tpm_tspi.c ++++ git/lib/tpm_tspi.c +@@ -594,6 +594,20 @@ pcrcompositeSetPcrValue(TSS_HPCRS a_hPcr return result; } @@ -38,10 +38,10 @@ Index: tpm-tools-1.3.8/lib/tpm_tspi.c #ifdef TSS_LIB_IS_12 /* * These getPasswd functions will wrap calls to the other functions and check to see if the TSS -Index: tpm-tools-1.3.8/src/cmds/Makefile.am +Index: git/src/cmds/Makefile.am =================================================================== ---- tpm-tools-1.3.8.orig/src/cmds/Makefile.am 2011-08-15 13:52:08.000000000 -0400 -+++ tpm-tools-1.3.8/src/cmds/Makefile.am 2013-01-05 23:30:46.223593698 -0500 +--- git.orig/src/cmds/Makefile.am ++++ git/src/cmds/Makefile.am @@ -22,6 +22,7 @@ # 
@@ -50,16 +50,16 @@ Index: tpm-tools-1.3.8/src/cmds/Makefile.am tpm_unsealdata if TSS_LIB_IS_12 -@@ -33,4 +34,5 @@ - LDADD = $(top_builddir)/lib/libtpm_tspi.la -ltspi $(top_builddir)/lib/libtpm_unseal.la -ltpm_unseal -lcrypto +@@ -33,4 +34,5 @@ endif + LDADD = $(top_builddir)/lib/libtpm_tspi.la -ltspi $(top_builddir)/lib/libtpm_unseal.la -ltpm_unseal -lcrypto @INTLLIBS@ tpm_sealdata_SOURCES = tpm_sealdata.c +tpm_extendpcr_SOURCES = tpm_extendpcr.c tpm_unsealdata_SOURCES = tpm_unsealdata.c -Index: tpm-tools-1.3.8/src/cmds/tpm_extendpcr.c +Index: git/src/cmds/tpm_extendpcr.c =================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ tpm-tools-1.3.8/src/cmds/tpm_extendpcr.c 2013-01-05 23:37:43.403585514 -0500 +--- /dev/null ++++ git/src/cmds/tpm_extendpcr.c @@ -0,0 +1,181 @@ +/* + * The Initial Developer of the Original Code is International diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_git.bb b/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.1.bb index f670bffce..88ef19f73 100644 --- a/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_git.bb +++ b/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.1.bb @@ -12,14 +12,15 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=059e8cd6165cb4c31e351f2b69388fd9" DEPENDS = "libtspi openssl" DEPENDS_class-native = "trousers-native" -SRCREV = "5c5126bedf2da97906358adcfb8c43c86e7dd0ee" +SRCREV = "bdf9f1bc8f63cd6fc370c2deb58d03ac55079e84" SRC_URI = " \ git://git.code.sf.net/p/trousers/tpm-tools \ file://tpm-tools-extendpcr.patch \ + file://04-fix-FTBFS-clang.patch \ + file://05-openssl1.1_fix_data_mgmt.patch \ + file://openssl1.1_fix.patch \ " -PV = "1.3.9.1+git${SRCPV}" - inherit autotools-brokensep gettext S = "${WORKDIR}/git" diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_1.2.0.bb b/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_2.0.2.bb index a5d6843b9..63473790d 100644 
--- a/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_1.2.0.bb +++ b/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_2.0.2.bb @@ -9,14 +9,16 @@ SECTION = "security/tpm" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da" -DEPENDS += "autoconf-archive dbus glib-2.0 pkgconfig tpm2.0-tss glib-2.0-native" +DEPENDS = "autoconf-archive dbus glib-2.0 tpm2.0-tss glib-2.0-native \ + libtss2 libtss2-mu libtss2-tcti-device libtss2-tcti-mssim" + SRC_URI = "\ git://github.com/01org/tpm2-abrmd.git \ file://tpm2-abrmd-init.sh \ file://tpm2-abrmd.default \ " -SRCREV = "59ce1008e5fa3bd5a143437b0f7390851fd25bd8" +SRCREV = "d0120ace58d97bc9520c0d558657eaca87ae73b1" S = "${WORKDIR}/git" @@ -33,11 +35,8 @@ USERADD_PACKAGES = "${PN}" GROUPADD_PARAM_${PN} = "tss" USERADD_PARAM_${PN} = "--system -M -d /var/lib/tpm -s /bin/false -g tss tss" -PACKAGECONFIG ?="udev" -PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES','systemd','systemd', '', d)}" - +PACKAGECONFIG ?="${@bb.utils.contains('DISTRO_FEATURES','systemd','systemd', '', d)}" PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_system_unitdir}, --with-systemdsystemunitdir=no" -PACKAGECONFIG[udev] = "--with-udevrulesdir=${sysconfdir}/udev/rules.d, --without-udevrulesdir" do_install_append() { install -d "${D}${sysconfdir}/init.d" @@ -47,8 +46,9 @@ do_install_append() { install -m 0644 "${WORKDIR}/tpm2-abrmd.default" "${D}${sysconfdir}/default/tpm2-abrmd" } -FILES_${PN} += "${libdir}/systemd/system-preset" +FILES_${PN} += "${libdir}/systemd/system-preset \ + ${datadir}/dbus-1" -RDEPENDS_${PN} += "libgcc dbus-glib libtss2 libtctidevice libtctisocket" +RDEPENDS_${PN} += "tpm2.0-tss" BBCLASSEXTEND = "native" diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2.0-tools/tpm2.0-tools_git.bb b/meta-security/meta-tpm/recipes-tpm/tpm2.0-tools/tpm2.0-tools_3.1.2.bb index 7ec12fc73..3f40eb70e 100644 
--- a/meta-security/meta-tpm/recipes-tpm/tpm2.0-tools/tpm2.0-tools_git.bb +++ b/meta-security/meta-tpm/recipes-tpm/tpm2.0-tools/tpm2.0-tools_3.1.2.bb @@ -6,13 +6,10 @@ SECTION = "tpm" DEPENDS = "pkgconfig tpm2.0-tss openssl curl autoconf-archive" -# July 10, 2017 -SRCREV = "26c0557040c1cf8107fa3ebbcf2a5b07cc84b881" +SRCREV = "5e2f1aafc58e60c5050f85147a14914561f28ad9" -SRC_URI = "git://github.com/01org/tpm2.0-tools.git;name=tpm2.0-tools;destsuffix=tpm2.0-tools" +SRC_URI = "git://github.com/01org/tpm2.0-tools.git;name=tpm2.0-tools;destsuffix=tpm2.0-tools;branch=3.X" S = "${WORKDIR}/tpm2.0-tools" -PV = "2.0.0+git${SRCPV}" - inherit autotools pkgconfig diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss_1.3.0.bb b/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss_1.3.0.bb deleted file mode 100644 index b673c2bfd..000000000 --- a/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss_1.3.0.bb +++ /dev/null 
@@ -1,99 +0,0 @@ -SUMMARY = "Software stack for TPM2." -DESCRIPTION = "tpm2.0-tss like woah." -LICENSE = "BSD-2-Clause" -LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da" -SECTION = "tpm" - -DEPENDS = "autoconf-archive pkgconfig" - -SRCREV = "b1d9ece8c6bea2e3043943b2edfaebcdca330c38" - -SRC_URI = " \ - git://github.com/tpm2-software/tpm2-tss.git;branch=1.x \ - file://ax_pthread.m4 \ -" - -inherit autotools pkgconfig systemd - -S = "${WORKDIR}/git" - -do_configure_prepend () { - mkdir -p ${S}/m4 - cp ${WORKDIR}/ax_pthread.m4 ${S}/m4 - # execute the bootstrap script - currentdir=$(pwd) - cd ${S} - ACLOCAL="aclocal --system-acdir=${STAGING_DATADIR}/aclocal" ./bootstrap - cd $currentdir -} - -INHERIT += "extrausers" -EXTRA_USERS_PARAMS = "\ - useradd -p '' tss; \ - groupadd tss; \ - " - -SYSTEMD_PACKAGES = "resourcemgr" -SYSTEMD_SERVICE_resourcemgr = "resourcemgr.service" -SYSTEMD_AUTO_ENABLE_resourcemgr = "enable" - -do_patch[postfuncs] += "${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','fix_systemd_unit','', d)}" -fix_systemd_unit () { - sed -i -e 's;^ExecStart=.*/resourcemgr;ExecStart=${sbindir}/resourcemgr;' ${S}/contrib/resourcemgr.service -} - -do_install_append() { - if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then - install -d ${D}${systemd_system_unitdir} - install -m0644 ${S}/contrib/resourcemgr.service ${D}${systemd_system_unitdir}/resourcemgr.service - fi -} - -PROVIDES = "${PACKAGES}" -PACKAGES = " \ - ${PN}-dbg \ - ${PN}-doc \ - libtss2 \ - libtss2-dev \ - libtss2-staticdev \ - libtctidevice \ - libtctidevice-dev \ - libtctidevice-staticdev \ - libtctisocket \ - libtctisocket-dev \ - libtctisocket-staticdev \ - resourcemgr \ -" - -FILES_libtss2 = " \ - ${libdir}/libsapi.so.0.0.0 \ - ${libdir}/libmarshal.so.0.0.0 \ -" -FILES_libtss2-dev = " \ - ${includedir}/sapi \ - ${includedir}/tcti/common.h \ - ${libdir}/libsapi.so* \ - ${libdir}/libmarshal.so* \ - ${libdir}/pkgconfig/sapi.pc \ -" 
-FILES_libtss2-staticdev = " \ - ${libdir}/libsapi.a \ - ${libdir}/libsapi.la \ - ${libdir}/libmarshal.a \ - ${libdir}/libmarshal.la \ -" -FILES_libtctidevice = "${libdir}/libtcti-device.so.0.0.0" -FILES_libtctidevice-dev = " \ - ${includedir}/tcti/tcti_device.h \ - ${libdir}/libtcti-device.so* \ - ${libdir}/pkgconfig/tcti-device.pc \ -" -FILES_libtctidevice-staticdev = "${libdir}/libtcti-device.*a" -FILES_libtctisocket = "${libdir}/libtcti-socket.so.0.0.0" -FILES_libtctisocket-dev = " \ - ${includedir}/tcti/tcti_socket.h \ - ${libdir}/libtcti-socket.so* \ - ${libdir}/pkgconfig/tcti-socket.pc \ -" -FILES_libtctisocket-staticdev = "${libdir}/libtcti-socket.*a" -FILES_resourcemgr = "${sbindir}/resourcemgr ${systemd_system_unitdir}/resourcemgr.service" diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss_2.0.1.bb b/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss_2.0.1.bb new file mode 100644 index 000000000..9d1ff72f3 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss_2.0.1.bb 
@@ -0,0 +1,74 @@ +SUMMARY = "Software stack for TPM2." +DESCRIPTION = "tpm2.0-tss like woah." +LICENSE = "BSD-2-Clause" +LIC_FILES_CHKSUM = "file://LICENSE;md5=0b1d631c4218b72f6b05cb58613606f4" +SECTION = "tpm" + +DEPENDS = "autoconf-archive-native libgcrypt" + +SRCREV = "dc31e8dca9dbc77d16e419dc514ce8c526cd3351" + +SRC_URI = "git://github.com/tpm2-software/tpm2-tss.git;branch=2.0.x" + +inherit autotools-brokensep pkgconfig systemd + +S = "${WORKDIR}/git" + +do_configure_prepend () { + ./bootstrap +} + +INHERIT += "extrausers" +EXTRA_USERS_PARAMS = "\ + useradd -p '' tss; \ + groupadd tss; \ + " + +PROVIDES = "${PACKAGES}" +PACKAGES = " \ + ${PN} \ + ${PN}-dbg \ + ${PN}-doc \ + libtss2-mu \ + libtss2-mu-dev \ + libtss2-mu-staticdev \ + libtss2-tcti-device \ + libtss2-tcti-device-dev \ + libtss2-tcti-device-staticdev \ + libtss2-tcti-mssim \ + libtss2-tcti-mssim-dev \ + libtss2-tcti-mssim-staticdev \ + libtss2 \ + libtss2-dev \ + libtss2-staticdev \ +" + +FILES_libtss2-tcti-device = "${libdir}/libtss2-tcti-device.so.*" +FILES_libtss2-tcti-device-dev = " \ + ${includedir}/tss2/tss2_tcti_device.h \ + ${libdir}/pkgconfig/tss2-tcti-device.pc \ + ${libdir}/libtss2-tcti-device.so" +FILES_libtss2-tcti-device-staticdev = "${libdir}/libtss2-tcti-device.*a" + +FILES_libtss2-tcti-mssim = "${libdir}/libtss2-tcti-mssim.so.*" +FILES_libtss2-tcti-mssim-dev = " \ + ${includedir}/tss2/tss2_tcti_mssim.h \ + ${libdir}/pkgconfig/tss2-tcti-mssim.pc \ + ${libdir}/libtss2-tcti-mssim.so" +FILES_libtss2-tcti-mssim-staticdev = "${libdir}/libtss2-tcti-mssim.*a" + +FILES_libtss2-mu = "${libdir}/libtss2-mu.so.*" +FILES_libtss2-mu-dev = " \ + ${includedir}/tss2/tss2_mu.h \ + ${libdir}/pkgconfig/tss2-mu.pc \ + ${libdir}/libtss2-mu.so" +FILES_libtss2-mu-staticdev = "${libdir}/libtss2-mu.*a" + +FILES_libtss2 = "${libdir}/libtss2*so.*" +FILES_libtss2-dev = " \ + ${includedir} \ + ${libdir}/pkgconfig \ + ${libdir}/libtss2*so" +FILES_libtss2-staticdev = "${libdir}/libtss*a" + +FILES_${PN} = 
"${libdir}/udev" diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2simulator/tpm2simulator-native_138.bb b/meta-security/meta-tpm/recipes-tpm/tpm2simulator/tpm2simulator_138.bb index 866791c29..866791c29 100644 --- a/meta-security/meta-tpm/recipes-tpm/tpm2simulator/tpm2simulator-native_138.bb +++ b/meta-security/meta-tpm/recipes-tpm/tpm2simulator/tpm2simulator_138.bb diff --git a/meta-security/recipes-browers/tor/tor_6.5.2.bb b/meta-security/recipes-browers/tor/tor_6.5.2.bb deleted file mode 100644 index 1e3a81273..000000000 --- a/meta-security/recipes-browers/tor/tor_6.5.2.bb +++ /dev/null @@ -1,7 +0,0 @@ -SUMMARY = "Tor is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security." - -HOMEPAGE = "https://www.torproject.org/" - -LICENSE = "GPV-v2" - -SRC_URI = "https://github.com/TheTorProject/gettorbrowser/archive/v6.5.2.tar.gz" diff --git a/meta-security/recipes-forensic/afflib/afflib_3.6.6.bb b/meta-security/recipes-forensic/afflib/afflib_3.6.6.bb deleted file mode 100644 index a826d1d10..000000000 --- a/meta-security/recipes-forensic/afflib/afflib_3.6.6.bb +++ /dev/null 
@@ -1,30 +0,0 @@ -SUMMARY = "The Advanced Forensic Format (AFF) is on-disk format for storing computer forensic information." -HOMEPAGE = "http://www.afflib.org/" -LICENSE = " BSD-4-Clause & CPL-1.0" -LIC_FILES_CHKSUM = "file://COPYING;md5=d1b2c6d0d6908f45d143ef6380727828" - -DEPENDS = " zlib ncurses readline openssl libgcrypt" - -SRC_URI = "http://archive.ubuntu.com/ubuntu/pool/universe/a/${BPN}/${BPN}_${PV}.orig.tar.gz;name=orig \ - http://archive.ubuntu.com/ubuntu/pool/universe/a/${BPN}/${BPN}_${PV}-1.1.diff.gz;name=dpatch \ - file://configure_rm_ms_flags.patch \ - " - -SRC_URI[orig.md5sum] = "b7ff4d2945882018eb1536cad182ad01" -SRC_URI[orig.sha256sum] = "19cacfd558dc00e11975e820e3c4383b52aabbd5ca081d27bb7994a035d2f4ad" -SRC_URI[dpatch.md5sum] = "171e871024545b487589e6c85290576f" -SRC_URI[dpatch.sha256sum] = "db632e254ee51a1e4328cd4449d414eff4795053d4e36bfa8e0020fcb4085cdd" - -inherit autotools-brokensep pkgconfig - -CPPFLAGS = "-I${STAGING_INCDIR}" -LDFLAGS = "-L${STAGING_LIBDIR}" - -PACKAGECONFIG ??= "" -PACKAGECONFIG[curl] = "--with-curl=${STAGING_LIBDIR}, --without-curl, curl" -PACKAGECONFIG[expat] = "--with-expat=${STAGING_LIBDIR}, --without-expat, expat" -PACKAGECONFIG[fuse] = "--enable-fuse=yes, --enable-fuse=no, fuse" -PACKAGECONFIG[python] = "--enable-python=yes, --enable-python=no, python" - -EXTRA_OECONF += "--enable-s3=no CPPFLAGS=-I${STAGING_INCDIR} LDFLAGS=-L${STAGING_LIBDIR}" -EXTRA_OEMAKE += "CPPFLAGS='${CPPFLAGS}' LDFLAGS='-L${STAGING_LIBDIR} -I${STAGING_INCDIR}'" diff --git a/meta-security/recipes-forensic/afflib/files/configure_rm_ms_flags.patch b/meta-security/recipes-forensic/afflib/files/configure_rm_ms_flags.patch deleted file mode 100644 index ac335001b..000000000 --- a/meta-security/recipes-forensic/afflib/files/configure_rm_ms_flags.patch +++ /dev/null 
@@ -1,18 +0,0 @@ -Upstream-Status: Inappropriate [configuration] - -remove ms lib options when cross compiling - -Signed-Off-By: Armin Kuster <akuster808@gmail.com> - -Index: configure.ac -=================================================================== ---- a.orig/configure.ac -+++ a/configure.ac -@@ -47,7 +47,6 @@ if test x"${cross_compiling}" = "xno" ; - AC_MSG_NOTICE([ LDFLAGS = ${LDFLAGS} ]) - else - AC_MSG_NOTICE([Cross Compiling --- will not update CPPFALGS or LDFLAGS with /usr/local, /opt/local or /sw]) -- LIBS="$LIBS -lws2_32 -lgdi32" - fi - - if test -r /bin/uname.exe ; then diff --git a/meta-security/recipes-forensic/libewf/files/gcc5_fix.patch b/meta-security/recipes-forensic/libewf/files/gcc5_fix.patch deleted file mode 100644 index 0881f25c7..000000000 --- a/meta-security/recipes-forensic/libewf/files/gcc5_fix.patch +++ /dev/null @@ -1,22 +0,0 @@ -Upstream Status: pending - -Don't use inline with gcc 5.0 - -fixes: -undefined reference to `libuna_unicode_character_size_to_utf8' - -Signed-off-by: Armin Kuster <akuster808@gmail.com> - -Index: libuna/libuna_inline.h -=================================================================== ---- a/libuna/libuna_inline.h -+++ b/libuna/libuna_inline.h -@@ -27,7 +27,7 @@ - #if defined( _MSC_VER ) - #define LIBUNA_INLINE _inline - --#elif defined( __BORLANDC__ ) || defined( __clang__ ) -+#elif defined( __BORLANDC__ ) || defined( __clang__ ) || ( __GNUC__ > 4 ) - #define LIBUNA_INLINE /* inline */ - - #else diff --git a/meta-security/recipes-forensic/libewf/libewf_20140608.bb b/meta-security/recipes-forensic/libewf/libewf_20140608.bb deleted file mode 100644 index f7dce1296..000000000 --- a/meta-security/recipes-forensic/libewf/libewf_20140608.bb +++ /dev/null 
@@ -1,24 +0,0 @@ -SUMMARY = "library with support for Expert Witness Compression Format" -LICENSE = "LGPLv3+" -LIC_FILES_CHKSUM = "file://COPYING;md5=58c39b26c0549f8e1bb4122173f474cd" - -DEPENDS = "virtual/gettext libtool" - -SRC_URI = "http://archive.ubuntu.com/ubuntu/pool/universe/libe/${BPN}/${BPN}_${PV}.orig.tar.gz;name=orig \ - file://gcc5_fix.patch \ - " -SRC_URI[orig.md5sum] = "fdf615f23937fad8e02b60b9e3e5fb35" -SRC_URI[orig.sha256sum] = "d14030ce6122727935fbd676d0876808da1e112721f3cb108564a4d9bf73da71" - -inherit autotools-brokensep pkgconfig gettext - -PACKAGECONFIG ??= "zlib ssl bz2" -PACKAGECONFIG[zlib] = "--with-zlib, --without-zlib, zlib, zlib" -PACKAGECONFIG[bz2] = "--with-bzip2, --without-bzip2, bzip2, bzip2" -PACKAGECONFIG[ssl] = "--with-openssl, --without-openssl, openssl, openssl" -PACKAGECONFIG[fuse] = "--with-libfuse, --without-libfuse, fuse" -PACKAGECONFIG[python] = "--enable-python, --disable-python, python" - -EXTRA_OECONF += "--with-gnu-ld --disable-rpath" - -RDEPENDS_${PN} += " util-linux-libuuid" diff --git a/meta-security/recipes-forensic/sleuth/files/fix_host_poison.patch b/meta-security/recipes-forensic/sleuth/files/fix_host_poison.patch deleted file mode 100644 index 03b1fb9e7..000000000 --- a/meta-security/recipes-forensic/sleuth/files/fix_host_poison.patch +++ /dev/null 
@@ -1,23 +0,0 @@ -Upstream-Status: Inappropriate [configuration] - -Don't use host include or lib paths in *FLAGS - -Signed-off-by: Armin Kuster <akuster808@gmail.com> - -Index: configure.ac -=================================================================== ---- a/configure.ac -+++ b/configure.ac -@@ -84,12 +84,6 @@ AX_PTHREAD([ - LDFLAGS="$LDFLAGS $PTHREAD_CFLAGS" - CC="$PTHREAD_CC"],[]) - --dnl Not all compilers include /usr/local in the include and link path --if test -d /usr/local/include; then -- CPPFLAGS="$CPPFLAGS -I/usr/local/include" -- LDFLAGS="$LDFLAGS -L/usr/local/lib" --fi -- - dnl Add enable/disable option - AC_ARG_ENABLE([java], - [AS_HELP_STRING([--disable-java], [Do not build the java bindings or jar file])]) diff --git a/meta-security/recipes-forensic/sleuth/sleuthkit_4.1.3.bb b/meta-security/recipes-forensic/sleuth/sleuthkit_4.1.3.bb deleted file mode 100644 index ba335f3c3..000000000 --- a/meta-security/recipes-forensic/sleuth/sleuthkit_4.1.3.bb +++ /dev/null 
@@ -1,31 +0,0 @@ -SUMMARY = "The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate disk images." -HOMEPAGE = "http://www.sleuthkit.org/sleuthkit/" -LICENSE = "IPL-1.0 & GPLv2 & CPL-1.0" -LIC_FILES_CHKSUM = "file://licenses/GNU-COPYING;startline=4;endline=5;md5=475b4784903850b579dc6e6310bd5f08\ - file://licenses/IBM-LICENSE;startline=1;endline=2;md5=1fc3300388b0d6e6216825dd89c2e3a2\ - file://licenses/cpl1.0.txt;startline=1;endline=2;md5=9e58c878202c73a4e3ed4be72598fb92" - -DEPENDS = "libtool" - -SRC_URI = "http://archive.ubuntu.com/ubuntu/pool/universe/s/${BPN}/${BPN}_${PV}.orig.tar.gz;name=orig \ - file://fix_host_poison.patch \ - " -SRC_URI[orig.md5sum] = "139a12f06952d8a40bbe07884994cf5d" -SRC_URI[orig.sha256sum] = "67f9d2a31a8884d58698d6122fc1a1bfa9bf238582bde2b49228ec9b899f0327" - -inherit autotools-brokensep pkgconfig gettext - -PACKAGECONFIG ??= "aff zlib ewf" -PACKAGECONFIG[aff] = "--with-afflib=${STAGING_DIR_HOST}/usr, --without-afflib, afflib" -PACKAGECONFIG[zlib] = "--with-zlib=${STAGING_DIR_HOST}/usr, --without-zlib, zlib" -PACKAGECONFIG[ewf] = "--with-libewf=${STAGING_DIR_HOST}/usr, --without-libewf, libewf" - -#--with-gnu-ld -EXTRA_OECONF += "--enable-static=no --disable-java LIBS='-L${STAGING_LIBDIR}' LDFLAGS='-L${STAGING_LIBDIR}' CPPFLAGS='-I${STAGING_INCDIR}'" - -# Avoid QA Issue: No GNU_HASH in the elf binary -INSANE_SKIP_${PN} = "ldflags" - -FILES_${PN} += " ${datadir}/tsk" - -RDEPENDS_${PN} += " perl" diff --git a/meta-security/recipes-security/AppArmor/apparmor_2.11.0.bb b/meta-security/recipes-security/AppArmor/apparmor_2.12.bb index fc9b614f1..e3f8dc99c 100644 --- a/meta-security/recipes-security/AppArmor/apparmor_2.11.0.bb +++ b/meta-security/recipes-security/AppArmor/apparmor_2.12.bb 
@@ -21,11 +21,11 @@ SRC_URI = " \ file://functions \ file://apparmor \ file://apparmor.service \ - file://run-ptest \ + file://run-ptest \ " -SRC_URI[md5sum] = "899fd834dc5c8ebf2d52b97e4a174af7" -SRC_URI[sha256sum] = "b1c489ea11e7771b8e6b181532cafbf9ebe6603e3cb00e2558f21b7a5bdd739a" +SRC_URI[md5sum] = "49054f58042f8e51ea92cc866575a833" +SRC_URI[sha256sum] = "8a2b0cd083faa4d0640f579024be3a629faa7db3b99540798a1a050e2eaba056" PARALLEL_MAKE = "" @@ -46,7 +46,7 @@ HTTPD="${@bb.utils.contains('PACKAGECONFIG', 'apache2', '1', '0', d)}" python() { if 'apache2' in d.getVar('PACKAGECONFIG').split() and \ - 'webserver' not in d.getVar('BBFILE_COLLECTIONS').split(): + 'webserver' not in d.getVar('BBFILE_COLLECTIONS').split(): raise bb.parse.SkipRecipe('Requires meta-webserver to be present.') } diff --git a/meta-security/recipes-security/aircrack-ng/aircrack-ng_1.2.bb b/meta-security/recipes-security/aircrack-ng/aircrack-ng_1.3.bb index 4df072e0b..d73922778 100644 --- a/meta-security/recipes-security/aircrack-ng/aircrack-ng_1.2.bb +++ b/meta-security/recipes-security/aircrack-ng/aircrack-ng_1.3.bb @@ -6,16 +6,13 @@ LICENSE = "GPL-2.0" LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=1fbd81241fe252ec0f5658a521ab7dd8" DEPENDS = "libnl openssl sqlite3 libpcre libpcap" -RC = "rc2" -SRC_URI = "http://download.aircrack-ng.org/${BP}-${RC}.tar.gz \ - file://fixup_cflags.patch" -SRC_URI[md5sum] = "ebe9d537f06f4d6956213af09c4476da" -SRC_URI[sha256sum] = "ba5b3eda44254efc5b7c9f776eb756f7cc323ad5d0813c101e92edb483d157e9" +SRC_URI = "http://download.aircrack-ng.org/${BP}.tar.gz" -inherit autotools-brokensep pkgconfig +SRC_URI[md5sum] = "c7c5b076dee0c25ee580b0f56f455623" +SRC_URI[sha256sum] = "8ae08a7c28741f6ace2769267112053366550e7f746477081188ad38410383ca" -S = "${WORKDIR}/${BP}-rc2" +inherit autotools-brokensep pkgconfig PACKAGECONFIG ?= "" CFLAGS += " -I${S}/src/include" 
diff --git a/meta-security/recipes-security/aircrack-ng/files/fixup_cflags.patch b/meta-security/recipes-security/aircrack-ng/files/fixup_cflags.patch deleted file mode 100644 index e13dd24ba..000000000 --- a/meta-security/recipes-security/aircrack-ng/files/fixup_cflags.patch +++ /dev/null @@ -1,28 +0,0 @@ -Upstream Status: Iinappropriate - -Issues do to build env. - -Signed-off-by: Armin Kuster <akuster808@gmail.com> - -Index: aircrack-ng-1.2-rc2/src/Makefile -=================================================================== ---- aircrack-ng-1.2-rc2.orig/src/Makefile -+++ aircrack-ng-1.2-rc2/src/Makefile -@@ -3,8 +3,6 @@ include $(AC_ROOT)/common.mak - - TEST_DIR = $(AC_ROOT)/test - --CFLAGS += -Iinclude -- - iCC = $(shell find /opt/intel/cc/*/bin/icc) - iCFLAGS = -w -mcpu=pentiumpro -march=pentiumpro $(COMMON_CFLAGS) - iOPTFLAGS = -O3 -ip -ipo -D_FILE_OFFSET_BITS=64 -@@ -102,7 +100,7 @@ endif - - - ifeq ($(subst TRUE,true,$(filter TRUE true,$(sqlite) $(SQLITE))),true) -- LIBSQL = -L/usr/local/lib -lsqlite3 -+ LIBSQL = -lsqlite3 - else - LIBSQL = - endif diff --git a/meta-security/recipes-security/bastille/bastille_3.2.1.bb b/meta-security/recipes-security/bastille/bastille_3.2.1.bb index eee1a38e1..152c03ae5 100644 --- a/meta-security/recipes-security/bastille/bastille_3.2.1.bb +++ b/meta-security/recipes-security/bastille/bastille_3.2.1.bb @@ -9,7 +9,7 @@ DEPENDS = "virtual/kernel" RDEPENDS_${PN} = "perl bash tcl perl-module-getopt-long perl-module-text-wrap lib-perl perl-module-file-path perl-module-mime-base64 perl-module-file-find perl-module-errno perl-module-file-glob perl-module-tie-hash-namedcapture perl-module-file-copy perl-module-english perl-module-exporter perl-module-cwd libcurses-perl coreutils" FILES_${PN} += "/run/lock/subsys/bastille" -inherit allarch module-base +inherit module-base SRC_URI = "http://sourceforge.net/projects/bastille-linux/files/bastille-linux/3.2.1/Bastille-3.2.1.tar.bz2 \ file://AccountPermission.pm \ 
diff --git a/meta-security/recipes-security/clamav/clamav_0.99.3.bb b/meta-security/recipes-security/clamav/clamav_0.99.4.bb index 688250da4..8c2c2fa2f 100644 --- a/meta-security/recipes-security/clamav/clamav_0.99.3.bb +++ b/meta-security/recipes-security/clamav/clamav_0.99.4.bb @@ -8,7 +8,7 @@ DEPENDS = "libtool db libmspack chrpath-replacement-native" LIC_FILES_CHKSUM = "file://COPYING.LGPL;beginline=2;endline=3;md5=4b89c05acc71195e9a06edfa2fa7d092" -SRCREV = "224f73461a44e278e9fa50ba59f51ee5e64373e0" +SRCREV = "b66e5e27b48c0a07494f9df9b809ed933cede047" SRC_URI = "git://github.com/vrtadmin/clamav-devel;branch=rel/0.99 \ file://clamd.conf \ diff --git a/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb b/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb index f55b0c390..1f780f9e3 100644 --- a/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb +++ b/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb @@ -29,6 +29,7 @@ EXTRA_OECONF = "\ --libdir=${base_libdir} \ --disable-pywrap \ --disable-nls \ + --with-pamdir=${base_libdir}/security \ " PACKAGECONFIG ??= "nss \ 
@@ -43,12 +44,16 @@ do_configure_prepend() { export NSS_LIBS="-L${STAGING_BASELIBDIR} -lssl3 -lsmime3 -lnss3 -lsoftokn3 -lnssutil3" export KEYUTILS_CFLAGS="-I${STAGING_INCDIR}" export KEYUTILS_LIBS="-L${STAGING_LIBDIR} -lkeyutils" + sed -i -e "s;rootsbindir=\"/sbin\";rootsbindir=\"\${base_sbindir}\";g" ${S}/configure.ac } do_install_append() { chmod 4755 ${D}${base_sbindir}/mount.ecryptfs_private - mkdir -p ${D}/${libdir} - mv ${D}/${base_libdir}/pkgconfig ${D}/${libdir} + # ${base_libdir} is identical to ${libdir} when usrmerge enabled + if ! ${@bb.utils.contains('DISTRO_FEATURES','usrmerge','true','false',d)}; then + mkdir -p ${D}/${libdir} + mv ${D}/${base_libdir}/pkgconfig ${D}/${libdir} + fi sed -i -e 's:-I${STAGING_INCDIR}::' \ -e 's:-L${STAGING_LIBDIR}::' ${D}/${libdir}/pkgconfig/libecryptfs.pc sed -i -e "s: ${base_sbindir}/cryptsetup: ${sbindir}/cryptsetup:" ${D}${bindir}/ecryptfs-setup-swap diff --git a/meta-security/recipes-security/fail2ban/files/run-ptest b/meta-security/recipes-security/fail2ban/files/run-ptest new file mode 100644 index 000000000..9f6aebe82 --- /dev/null +++ b/meta-security/recipes-security/fail2ban/files/run-ptest @@ -0,0 +1,3 @@ +#!/bin/sh + +##PYTHON## fail2ban-testcases diff --git a/meta-security/recipes-security/fail2ban/fail2ban_0.10.2.bb b/meta-security/recipes-security/fail2ban/python-fail2ban.inc index 7e2deba2d..9245f17b1 100644 --- a/meta-security/recipes-security/fail2ban/fail2ban_0.10.2.bb +++ b/meta-security/recipes-security/fail2ban/python-fail2ban.inc 
@@ -9,14 +9,15 @@ HOMEPAGE = "http://www.fail2ban.org" LICENSE = "GPL-2.0" LIC_FILES_CHKSUM = "file://COPYING;md5=ecabc31e90311da843753ba772885d9f" -SRCREV ="a45488465e0dd547eb8479c0fa9fd577c1837213" +SRCREV ="ac0d441fd68852ffda7b15c71f16b7f4fde1a7ee" SRC_URI = " \ - git://github.com/fail2ban/fail2ban.git;branch=0.10 \ + git://github.com/fail2ban/fail2ban.git;branch=0.11 \ file://initd \ - file://fail2ban_setup.py \ + file://fail2ban_setup.py \ + file://run-ptest \ " -inherit update-rc.d setuptools +inherit update-rc.d ptest S = "${WORKDIR}/git" @@ -32,10 +33,17 @@ do_install_append () { install -d ${D}/${sysconfdir}/fail2ban install -d ${D}/${sysconfdir}/init.d install -m 0755 ${WORKDIR}/initd ${D}${sysconfdir}/init.d/fail2ban-server + chown -R root:root ${D}/${bindir} +} + +do_install_ptest_append () { + install -d ${D}${PTEST_PATH} + sed -i -e 's/##PYTHON##/${PYTHON_PN}/g' ${D}${PTEST_PATH}/run-ptest + install -D ${S}/bin/fail2ban-testcases ${D}${PTEST_PATH} } FILES_${PN} += "/run" INSANE_SKIP_${PN}_append = "already-stripped" -RDEPENDS_${PN} = "sysklogd iptables sqlite3 python python-pyinotify" +RDEPENDS_${PN} = "sysklogd iptables sqlite3 ${PYTHON_PN} ${PYTHON_PN}-pyinotify" diff --git a/meta-security/recipes-security/fail2ban/python-fail2ban_0.10.3.1.bb b/meta-security/recipes-security/fail2ban/python-fail2ban_0.10.3.1.bb new file mode 100644 index 000000000..17a7dd8dd --- /dev/null +++ b/meta-security/recipes-security/fail2ban/python-fail2ban_0.10.3.1.bb @@ -0,0 +1,4 @@ +inherit setuptools +require python-fail2ban.inc + +RDEPENDS_${PN}-ptest = "python python-modules python-fail2ban" diff --git a/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.3.1.bb b/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.3.1.bb new file mode 100644 index 000000000..5c887e857 --- /dev/null +++ b/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.3.1.bb 
@@ -0,0 +1,4 @@ +inherit setuptools3 +require python-fail2ban.inc + +RDEPENDS_${PN}-ptest = "python3-core python3-io python3-modules python3-fail2ban" diff --git a/meta-security/recipes-security/fscryptctl/fscryptctl_0.1.0.bb b/meta-security/recipes-security/fscryptctl/fscryptctl_0.1.0.bb index 4f0b12c4a..8847a0fc4 100644 --- a/meta-security/recipes-security/fscryptctl/fscryptctl_0.1.0.bb +++ b/meta-security/recipes-security/fscryptctl/fscryptctl_0.1.0.bb @@ -9,7 +9,7 @@ SECTION = "base" LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" -SRCREV = "e4c4d0984dee2531897e13c32a18d5e54a2a4aa6" +SRCREV = "142326810eb19d6794793db6d24d0775a15aa8e5" SRC_URI = "git://github.com/google/fscryptctl.git" S = "${WORKDIR}/git" diff --git a/meta-security/recipes-security/images/security-build-image.bb b/meta-security/recipes-security/images/security-build-image.bb index 1a7af86be..a8757f980 100644 --- a/meta-security/recipes-security/images/security-build-image.bb +++ b/meta-security/recipes-security/images/security-build-image.bb @@ -6,9 +6,7 @@ IMAGE_INSTALL = "\ packagegroup-base \ packagegroup-core-boot \ packagegroup-core-security \ - os-release \ - ${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-xfce-base", "", d)} \ - ${CORE_IMAGE_EXTRA_INSTALL}" + os-release" IMAGE_LINGUAS ?= " " diff --git a/meta-security/recipes-security/keynote/keynote-2.3/configure-remove-hardcode-path.patch b/meta-security/recipes-security/keynote/keynote-2.3/configure-remove-hardcode-path.patch deleted file mode 100644 index af3ef421d..000000000 --- a/meta-security/recipes-security/keynote/keynote-2.3/configure-remove-hardcode-path.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -Remove the hardcoded lib and include dirs - -Upstream-Status: Inappropriate [cross compile specific] - -written by: Amy Fong <amy.fong@windriver.com> -Signed-off-by: Jackie Huang <jackie.huang@windriver.com> - ---- keynote-2.3/configure.in.orig 2010-05-24 04:44:16.000000000 -0700 -+++ keynote-2.3/configure.in 2010-05-24 04:44:55.000000000 -0700 -@@ -21,27 +21,16 @@ - AC_PATH_PROG(ECHO, echo, /bin/echo) - AC_PATH_PROG(SED, sed, /usr/bin/sed) - --dnl Checks for libraries. --LIBS="-L/usr/lib -L/usr/local/lib -L/usr/ssl/lib -L/usr/openssl/lib\ -- -L/usr/local/ssl/lib -L/usr/local/openssl/lib -L/usr/pkg/lib -L/pkg/lib" -- - AC_CHECK_LIB(m, floor, LIBS="$LIBS -lm") - AC_CHECK_LIB(rsaref, RSAPrivateDecrypt, LIBS="$LIBS -lrsaref") - AC_CHECK_LIB(crypto, i2a_ASN1_STRING, LIBS="$LIBS -lcrypto") - AC_CHECK_LIB(RSAglue, RSA_ref_private_encrypt, LIBS="$LIBS -lRSAglue") - --dnl Checks for header files. --CPPFLAGS="-I/usr/include -I/usr/local/include -I/usr/ssl/include\ -- -I/usr/local/ssl/include -I/usr/openssl/include -I/usr/pkg/include\ -- -I/usr/local/openssl/include -I/pkg/include" -- - AC_HEADER_STDC - AC_HEADER_TIME - AC_CHECK_HEADERS(fcntl.h limits.h unistd.h regex.h sys/time.h io.h) - AC_CHECK_HEADERS(ssl/crypto.h openssl/crypto.h crypto.h memory.h) - --dnl Checks for other files -- - dnl Checks for typedefs, structures, and compiler characteristics. - AC_C_CONST - AC_CHECK_TYPE(u_int, unsigned int) diff --git a/meta-security/recipes-security/keynote/keynote-2.3/makefile-add-ldflags.patch b/meta-security/recipes-security/keynote/keynote-2.3/makefile-add-ldflags.patch deleted file mode 100644 index 80d87cf28..000000000 --- a/meta-security/recipes-security/keynote/keynote-2.3/makefile-add-ldflags.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -Add LDFLAGS variable to Makefile so that extra linker flags can be sent via this variable. - -Upstream-Status: Pending - -Signed-off-by: Yi Zhao <yi.zhao@windriver.com> - -diff --git a/Makefile.in b/Makefile.in -index b216648..42b4827 100644 ---- a/Makefile.in -+++ b/Makefile.in -@@ -35,6 +35,7 @@ MKDIR = @MKDIR@ - SED = @SED@ - ECHO = @ECHO@ - TR = @TR@ -+LDFLAGS = @LDFLAGS@ - - TARFLAGS = -cvzf ${DISTFILE} - YACCFLAGS2 = -d -p kv -b z -@@ -83,7 +84,7 @@ $(TARGET): $(OBJS) - $(RANLIB) $(TARGET) - - $(TARGET2): $(TARGET) $(OBJS2) -- $(CC) $(CFLAGS) -o $(TARGET2) $(OBJS2) $(LIBS) -+ $(CC) $(CFLAGS) $(LDFLAGS) -o $(TARGET2) $(OBJS2) $(LIBS) - - k.tab.c: keynote.y header.h keynote.h assertion.h config.h - $(YACC) $(YACCFLAGS) keynote.y -@@ -131,7 +132,7 @@ $(SSLCERT) $(SSLKEY): - -keyout $(SSLKEY) - - test-sample: all $(OBJS3) -- $(CC) $(CFLAGS) -o $(TARGET3) $(OBJS3) $(LIBS) -+ $(CC) $(CFLAGS) $(LDFLAGS) -o $(TARGET3) $(OBJS3) $(LIBS) - - test-sig: all $(SSLCERT) $(SSLKEY) - $(SED) -e 's/--.*//' < $(SSLCERT) > $(SSLCERT).1 diff --git a/meta-security/recipes-security/keynote/keynote-2.3/run-ptest b/meta-security/recipes-security/keynote/keynote-2.3/run-ptest deleted file mode 100644 index 4dc35c9d1..000000000 --- a/meta-security/recipes-security/keynote/keynote-2.3/run-ptest +++ /dev/null @@ -1,16 +0,0 @@ -#!/bin/sh - -cd @PTEST_PATH@ -keynote verify -e testsuite/test-env \ - -r false,maybe,probably,true \ - -k testsuite/auth1 -k testsuite/auth2 \ - -k testsuite/auth3 -k testsuite/auth4 \ - -l testsuite/test-assertion1 \ - -l testsuite/test-assertion2 \ - -l testsuite/test-assertion3 \ - -l testsuite/test-assertion4 \ - -l testsuite/test-assertion5 \ - -l testsuite/test-assertion6 \ - -l testsuite/test-assertion7 \ - && echo "PASS: keynote-ptest" \ - || echo "FAIL: keynote-ptest" 
diff --git a/meta-security/recipes-security/keynote/keynote_2.3.bb b/meta-security/recipes-security/keynote/keynote_2.3.bb deleted file mode 100644 index e6924858d..000000000 --- a/meta-security/recipes-security/keynote/keynote_2.3.bb +++ /dev/null @@ -1,40 +0,0 @@ -SUMMARY = "Keynote tool and library" -DESCRIPTION = "KeyNote is a simple and flexible trust-management \ - system designed to work well for a variety of large- and small- \ - scale Internet-based applications. \ -" -HOMEPAGE = "http://www.cs.columbia.edu/~angelos/keynote.html" -SECTION = "security" - -LICENSE = "ISC" -LIC_FILES_CHKSUM = "file://LICENSE;md5=3a265095c549c1808686a676f2699c98" - -MAIN_ID = "${@d.getVar('PV').split('.')[0]}" -MINOR_ID = "${@d.getVar('PV').split('.')[1]}" -SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}-${MAIN_ID}-${MINOR_ID}/${BPN}_${PV}.tar.gz \ - file://configure-remove-hardcode-path.patch \ - file://makefile-add-ldflags.patch \ - file://run-ptest \ -" -S = "${WORKDIR}/${BPN}-${PV}+dfsg.orig" - -inherit autotools-brokensep ptest - -SRC_URI[md5sum] = "a14553e6ad921b5c85026ce5bec3afe7" -SRC_URI[sha256sum] = "38d2acfa1c3630a07adcb5c8fe92d2aef7f0e6d242b8998b2bbb1c6e4c408d46" - -DEPENDS = "flex openssl" - -EXTRA_OEMAKE += "test-sample -j1" - -do_install() { - install -D -m 0755 ${S}/keynote ${D}${bindir}/keynote - install -D -m 0644 ${S}/libkeynote.a ${D}${libdir}/libkeynote.a - install -D -m 0644 ${S}/keynote.h ${D}${includedir}/keynote.h -} - -do_install_ptest() { - install -D -m 0755 ${S}/sample-app ${D}${PTEST_PATH} - cp -r ${S}/testsuite ${D}${PTEST_PATH} - sed -i 's|@PTEST_PATH@|${PTEST_PATH}|' ${D}${PTEST_PATH}/run-ptest -} diff --git a/meta-security/recipes-security/keyutils/keyutils_1.5.10.bb b/meta-security/recipes-security/keyutils/keyutils_1.5.10.bb index 2ead8fa19..a4222b9e9 100644 --- a/meta-security/recipes-security/keyutils/keyutils_1.5.10.bb +++ b/meta-security/recipes-security/keyutils/keyutils_1.5.10.bb 
@@ -27,6 +27,8 @@ SRC_URI[sha256sum] = "115c3deae7f181778fd0e0ffaa2dad1bf1fe2f5677cf2e0e348cdb7a1c EXTRA_OEMAKE = "'CFLAGS=${CFLAGS} -Wall' \ NO_ARLIB=1 \ + BINDIR=${base_bindir} \ + SBINDIR=${base_sbindir} \ LIBDIR=${base_libdir} \ USRLIBDIR=${base_libdir} \ BUILDFOR=${SITEINFO_BITS}-bit \ diff --git a/meta-security/recipes-security/libseccomp/libseccomp_2.3.3.bb b/meta-security/recipes-security/libseccomp/libseccomp_2.3.3.bb index 8d58163c9..9c66db68c 100644 --- a/meta-security/recipes-security/libseccomp/libseccomp_2.3.3.bb +++ b/meta-security/recipes-security/libseccomp/libseccomp_2.3.3.bb @@ -35,8 +35,7 @@ do_install_ptest() { done } -FILES_${PN} = "${bindir} ${libdir}/${PN}.so*" +FILES_${PN} = "${bindir} ${libdir}/${BPN}.so*" FILES_${PN}-dbg += "${libdir}/${PN}/tests/.debug/* ${libdir}/${PN}/tools/.debug" -RDEPENDS_${PN} = "bash" RDEPENDS_${PN}-ptest = "bash" diff --git a/meta-security/recipes-security/nmap/files/nmap-redefine-the-python-library-dir.patch b/meta-security/recipes-security/nmap/files/nmap-redefine-the-python-library-dir.patch deleted file mode 100644 index 356b5071b..000000000 --- a/meta-security/recipes-security/nmap/files/nmap-redefine-the-python-library-dir.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -[PATCH] redefine the python library install dir - -Upstream-Status: Pending - -If install-lib is not defined, it is always /usr/lib/, but it -maybe /usr/lib64 for multilib - -Signed-off-by: Roy Li <rongqing.li@windriver.com> ---- - Makefile.in | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/Makefile.in b/Makefile.in -index 1bb062c..cced2fb 100644 ---- a/Makefile.in -+++ b/Makefile.in -@@ -311,7 +311,7 @@ build-zenmap: $(ZENMAPDIR)/setup.py $(ZENMAPDIR)/zenmapCore/Version.py - - install-zenmap: $(ZENMAPDIR)/setup.py - $(INSTALL) -d $(DESTDIR)$(bindir) $(DESTDIR)$(mandir)/man1 -- cd $(ZENMAPDIR) && $(PYTHON) setup.py --quiet install --prefix "$(prefix)" --force $(if $(DESTDIR),--root "$(DESTDIR)") -+ cd $(ZENMAPDIR) && $(PYTHON) setup.py --quiet install --prefix "$(prefix)" --install-lib="${PYTHON_SITEPACKAGES_DIR}" --force $(if $(DESTDIR),--root "$(DESTDIR)") - $(INSTALL) -c -m 644 docs/zenmap.1 $(DESTDIR)$(mandir)/man1/ - # Create a symlink from nmapfe to zenmap if nmapfe doesn't exist or is - # already a link. -@@ -328,7 +328,7 @@ build-nping: $(NPINGDIR)/Makefile nbase_build nsock_build netutil_build $(NPINGD - @cd $(NPINGDIR) && $(MAKE) - - install-ndiff: -- cd $(NDIFFDIR) && $(PYTHON) setup.py install --prefix "$(prefix)" $(if $(DESTDIR),--root "$(DESTDIR)") -+ cd $(NDIFFDIR) && $(PYTHON) setup.py install --prefix "$(prefix)" --install-lib="${PYTHON_SITEPACKAGES_DIR}" $(if $(DESTDIR),--root "$(DESTDIR)") - - NSE_FILES = scripts/script.db scripts/*.nse - NSE_LIB_LUA_FILES = nselib/*.lua nselib/*.luadoc --- -1.9.1 - diff --git a/meta-security/recipes-security/nmap/files/nmap-replace-shtool-mkdir-with-coreutils-mkdir-command.patch b/meta-security/recipes-security/nmap/files/nmap-replace-shtool-mkdir-with-coreutils-mkdir-command.patch deleted file mode 100644 index cfe043af4..000000000 --- a/meta-security/recipes-security/nmap/files/nmap-replace-shtool-mkdir-with-coreutils-mkdir-command.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -[PATCH] replace "./shtool mkdir" with coreutils mkdir command - -Upstream-Status: Pending - -"./shtool mkdir" is used when mkdir has not -p parameter, but mkdir in today -most release has supportted the -p parameter, not need to use shtool, and it -can not fix the race if two process are running mkdir to create same dir - -Signed-off-by: Roy Li <rongqing.li@windriver.com> ---- - ncat/Makefile.in | 4 ++-- - nmap-update/Makefile.in | 2 +- - 2 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/ncat/Makefile.in b/ncat/Makefile.in -index cfd306d..2166e08 100644 ---- a/ncat/Makefile.in -+++ b/ncat/Makefile.in -@@ -163,11 +163,11 @@ $(NSOCKDIR)/libnsock.a: $(NSOCKDIR)/Makefile - - install: $(TARGET) - @echo Installing Ncat; -- $(SHTOOL) mkdir -f -p -m 755 $(DESTDIR)$(bindir) $(DESTDIR)$(mandir)/man1 -+ mkdir -p -m 755 $(DESTDIR)$(bindir) $(DESTDIR)$(mandir)/man1 - $(INSTALL) -c -m 755 ncat $(DESTDIR)$(bindir)/ncat - $(STRIP) -x $(DESTDIR)$(bindir)/ncat - if [ -n "$(DATAFILES)" ]; then \ -- $(SHTOOL) mkdir -f -p -m 755 $(DESTDIR)$(pkgdatadir); \ -+ mkdir -p -m 755 $(DESTDIR)$(pkgdatadir); \ - $(INSTALL) -c -m 644 $(DATAFILES) $(DESTDIR)$(pkgdatadir)/; \ - fi - $(INSTALL) -c -m 644 docs/$(TARGET).1 $(DESTDIR)$(mandir)/man1/$(TARGET).1 -diff --git a/nmap-update/Makefile.in b/nmap-update/Makefile.in -index 89ff928..93f48d8 100644 ---- a/nmap-update/Makefile.in -+++ b/nmap-update/Makefile.in -@@ -37,7 +37,7 @@ $(NBASELIB): - cd $(NBASEDIR) && $(MAKE) - - install: nmap-update -- $(SHTOOL) mkdir -f -p -m 755 $(DESTDIR)$(bindir) $(DESTDIR)$(mandir)/man1 -+ mkdir -p -m 755 $(DESTDIR)$(bindir) $(DESTDIR)$(mandir)/man1 - $(INSTALL) -c -m 755 nmap-update $(DESTDIR)$(bindir) - $(STRIP) -x $(DESTDIR)$(bindir)/nmap-update - $(INSTALL) -c -m 644 ../docs/nmap-update.1 $(DESTDIR)$(mandir)/man1/ --- -1.9.1 - 
diff --git a/meta-security/recipes-security/nmap/nmap_7.60.bb b/meta-security/recipes-security/nmap/nmap_7.60.bb deleted file mode 100644 index a6616eb13..000000000 --- a/meta-security/recipes-security/nmap/nmap_7.60.bb +++ /dev/null 
@@ -1,54 +0,0 @@ -SUMMARY = "network auditing tool" -DESCRIPTION = "Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing.\nGui support via appending to IMAGE_FEATURES x11-base in local.conf" -SECTION = "security" -LICENSE = "GPL-2.0" - -LIC_FILES_CHKSUM = "file://COPYING;beginline=7;endline=12;md5=700c690f4ca6b1754f3f1db8645e42d9" - -SRC_URI = "http://nmap.org/dist/${BP}.tar.bz2 \ - file://nmap-redefine-the-python-library-dir.patch \ - file://nmap-replace-shtool-mkdir-with-coreutils-mkdir-command.patch \ -" - -SRC_URI[md5sum] = "4e454266559ddf2c4e2109866c62560c" -SRC_URI[sha256sum] = "a8796ecc4fa6c38aad6139d9515dc8113023a82e9d787e5a5fb5fa1b05516f21" - -inherit autotools-brokensep pkgconfig pythonnative distro_features_check - -PACKAGECONFIG ?= "ncat nping ndiff pcap" -PACKAGECONFIG += " ${@bb.utils.contains('IMAGE_FEATURES', 'x11-base', 'zenmap', '', d)}" - -PACKAGECONFIG[pcap] = "--with-pcap=linux, --without-pcap, libpcap, libpcap" -PACKAGECONFIG[pcre] = "--with-libpcre=${STAGING_LIBDIR}/.., --with-libpcre=included, libpre" -PACKAGECONFIG[ssl] = "--with-openssl=${STAGING_LIBDIR}/.., --without-openssl, openssl, openssl" -PACKAGECONFIG[ssh2] = "--with-openssh2=${STAGING_LIBDIR}/.., --without-openssh2, libssh2, libssh2" -PACKAGECONFIG[libz] = "--with-libz=${STAGING_LIBDIR}/.., --without-libz, zlib, zlib" - -#disable/enable packages -PACKAGECONFIG[nping] = ",--without-nping," -PACKAGECONFIG[ncat] = ",--without-ncat," -PACKAGECONFIG[ndiff] = ",--without-ndiff,python" -PACKAGECONFIG[update] = ",--without-nmap-update," - -#Add gui -PACKAGECONFIG[zenmap] = "--with-zenmap, --without-zenmap, gtk+ python-core python-codecs python-io python-logging python-unittest python-xml python-netclient python-doctest python-subprocess python-pygtk, python-core python-codecs python-io python-logging python-netclient python-xml python-unittest python-doctest python-subprocess python-pygtk gtk+" - -EXTRA_OECONF = 
"--with-libdnet=included --with-liblinear=included --without-subversion --with-liblua=included" - -export PYTHON_SITEPACKAGES_DIR - -do_configure() { - # strip hard coded python2# - sed -i -e 's=python2\.*=python=g' ${S}/configure.ac - sed -i -e 's=python2\.*=python=g' ${S}/configure - autoconf - oe_runconf -} - -PACKAGES += "${@bb.utils.contains('PACKAGECONFIG', 'zenmap', '${PN}-zenmap', '', d)}" - -FILES_${PN} += "${PYTHON_SITEPACKAGES_DIR}" -FILES_${PN}-zenmap = "${@bb.utils.contains("PACKAGECONFIG", "zenmap", "${bindir}/*zenmap ${bindir}/xnmap ${datadir}/applications/* ${bindir}/nmapfe ${datadir}/zenmap/* ${PYTHON_SITEPACKAGES_DIR}/radialnet/* ${PYTHON_SITEPACKAGES_DIR}/zenmap*", "", d)}" - -RDEPENDS_${PN} = "python" -RDEPENDS_${PN}-zenmap = "nmap" diff --git a/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb index 6682d2905..e847847b8 100644 --- a/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb +++ b/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb @@ -12,6 +12,7 @@ PACKAGES = "\ packagegroup-security-ids \ packagegroup-security-mac \ ${@bb.utils.contains("MACHINE_FEATURES", "tpm", "packagegroup-security-tpm", "",d)} \ + ${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-security-ptest", "", d)} \ " RDEPENDS_packagegroup-core-security = "\ @@ -20,6 +21,7 @@ RDEPENDS_packagegroup-core-security = "\ packagegroup-security-ids \ packagegroup-security-mac \ ${@bb.utils.contains("MACHINE_FEATURES", "tpm", "packagegroup-security-tpm", "",d)} \ + ${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-security-ptest", "", d)} \ " SUMMARY_packagegroup-security-utils = "Security utilities" 
@@ -27,7 +29,11 @@ RDEPENDS_packagegroup-security-utils = "\ checksec \ nmap \ pinentry \ - scapy \ + python-scapy \ + ding-libs \ + xmlsec1 \ + keyutils \ + libseccomp \ ${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils", "",d)} \ " @@ -52,13 +58,28 @@ RDEPENDS_packagegroup-security-hardening = " \ SUMMARY_packagegroup-security-ids = "Security Intrusion Detection systems" RDEPENDS_packagegroup-security-ids = " \ tripwire \ - samhain-client \ + samhain-standalone \ suricata \ " SUMMARY_packagegroup-security-mac = "Security Mandatory Access Control systems" RDEPENDS_packagegroup-security-mac = " \ ${@bb.utils.contains("DISTRO_FEATURES", "tomoyo", "ccs-tools", "",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "", "",d)} \ + ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \ ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack", "",d)} \ " + +SUMMARY_packagegroup-security-ptest = "Security packages with ptests" +RDEPENDS_packagegroup-security-ptest = " \ + samhain-standalone-ptest \ + xmlsec1-ptest \ + keyutils-ptest \ + libseccomp-ptest \ + python-scapy-ptest \ + suricata-ptest \ + tripwire-ptest \ + python3-fail2ban-ptest \ + ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor-ptest", "",d)} \ + ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \ + ptest-runner \ + " diff --git a/meta-security/recipes-security/samhain/samhain-client_4.2.2.bb b/meta-security/recipes-security/samhain/samhain-client_4.3.0.bb index 812408e5e..812408e5e 100644 --- a/meta-security/recipes-security/samhain/samhain-client_4.2.2.bb +++ b/meta-security/recipes-security/samhain/samhain-client_4.3.0.bb diff --git a/meta-security/recipes-security/samhain/samhain-server_4.2.2.bb b/meta-security/recipes-security/samhain/samhain-server_4.3.0.bb index 9341d4440..9341d4440 100644 --- a/meta-security/recipes-security/samhain/samhain-server_4.2.2.bb +++ b/meta-security/recipes-security/samhain/samhain-server_4.3.0.bb 
diff --git a/meta-security/recipes-security/samhain/samhain-standalone_4.2.2.bb b/meta-security/recipes-security/samhain/samhain-standalone_4.3.0.bb index 4fed9e9e9..4fed9e9e9 100644 --- a/meta-security/recipes-security/samhain/samhain-standalone_4.2.2.bb +++ b/meta-security/recipes-security/samhain/samhain-standalone_4.3.0.bb diff --git a/meta-security/recipes-security/samhain/samhain.inc b/meta-security/recipes-security/samhain/samhain.inc index db96264b3..944bf0d0b 100644 --- a/meta-security/recipes-security/samhain/samhain.inc +++ b/meta-security/recipes-security/samhain/samhain.inc @@ -19,8 +19,11 @@ SRC_URI = "http://la-samhna.de/archive/samhain_signed-${PV}.tar.gz \ file://samhain.service \ " -SRC_URI[md5sum] = "f499d5d06bfd1d787073a45bf28dd60f" -SRC_URI[sha256sum] = "0f3e64afb3f00064c9b136d34a72d580cd41248c5941eba0452f364a109003c7" +SRC_URI[md5sum] = "a00e99375675fc6e50cca3e208f5207e" +SRC_URI[sha256sum] = "8551dc3b0851889a2b979097e9c02309b40d48b4659f02efe7fe525ce8361a0d" + +UPSTREAM_CHECK_URI = "https://www.la-samhna.de/samhain/archive.html" +UPSTREAM_CHECK_REGEX = "samhain_signed-(?P<pver>(\d+(\.\d+)+))\.tar" S = "${WORKDIR}/samhain-${PV}" diff --git a/meta-security/recipes-security/scapy/scapy/run-ptest b/meta-security/recipes-security/scapy/files/run-ptest index 91b29f907..91b29f907 100755 --- a/meta-security/recipes-security/scapy/scapy/run-ptest +++ b/meta-security/recipes-security/scapy/files/run-ptest diff --git a/meta-security/recipes-security/scapy/scapy_2.3.3.bb b/meta-security/recipes-security/scapy/python-scapy.inc index 1c8685b1a..5abe7db76 100644 --- a/meta-security/recipes-security/scapy/scapy_2.3.3.bb +++ b/meta-security/recipes-security/scapy/python-scapy.inc 
@@ -5,20 +5,16 @@ LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://bin/scapy;beginline=9;endline=13;md5=1d5249872cc54cd4ca3d3879262d0c69" -SRC_URI = "https://github.com/secdev/${BPN}/archive/v${PV}.tar.gz;downloadfilename=${BP}.tar.gz \ - file://run-ptest \ -" +SRC_URI[md5sum] = "d7d3c4294f5a718e234775d38dbeb7ec" +SRC_URI[sha256sum] = "452f714f5c2eac6fd0a6146b1dbddfc24dd5f4103f3ed76227995a488cfb2b73" -SRC_URI[md5sum] = "336d6832110efcf79ad30c9856ef5842" -SRC_URI[sha256sum] = "67642cf7b806e02daeddd588577588caebddc3426db7904e7999a0b0334a63b5" - -inherit setuptools ptest +inherit pypi ptest do_install_ptest() { install -m 0644 ${S}/test/regression.uts ${D}${PTEST_PATH} sed -i 's,@PTEST_PATH@,${PTEST_PATH},' ${D}${PTEST_PATH}/run-ptest } -RDEPENDS_${PN} = "tcpdump python-subprocess python-compression python-netclient \ - python-netserver python-pydoc python-pkgutil python-shell \ - python-threading python-numbers python-pycrypto" +RDEPENDS_${PN} = "tcpdump ${PYTHON_PN}-compression ${PYTHON_PN}-netclient \ + ${PYTHON_PN}-netserver ${PYTHON_PN}-pydoc ${PYTHON_PN}-pkgutil ${PYTHON_PN}-shell \ + ${PYTHON_PN}-threading ${PYTHON_PN}-numbers ${PYTHON_PN}-pycrypto" diff --git a/meta-security/recipes-security/scapy/python-scapy_2.4.0.bb b/meta-security/recipes-security/scapy/python-scapy_2.4.0.bb new file mode 100644 index 000000000..98db1fd6d --- /dev/null +++ b/meta-security/recipes-security/scapy/python-scapy_2.4.0.bb @@ -0,0 +1,6 @@ +inherit setuptools +require python-scapy.inc + +SRC_URI += "file://run-ptest" + +RDEPENDS_${PN} += "${PYTHON_PN}-subprocess" diff --git a/meta-security/recipes-security/scapy/python3-scapy_2.4.0.bb b/meta-security/recipes-security/scapy/python3-scapy_2.4.0.bb new file mode 100644 index 000000000..93ca7be8a --- /dev/null +++ b/meta-security/recipes-security/scapy/python3-scapy_2.4.0.bb @@ -0,0 +1,4 @@ +inherit setuptools3 +require python-scapy.inc + +SRC_URI += "file://run-ptest" 
diff --git a/meta-security/recipes-security/sssd/sssd_1.16.0.bb b/meta-security/recipes-security/sssd/sssd_1.16.3.bb index ff5b618bc..8f7f805fd 100644 --- a/meta-security/recipes-security/sssd/sssd_1.16.0.bb +++ b/meta-security/recipes-security/sssd/sssd_1.16.3.bb @@ -1,6 +1,6 @@ SUMMARY = "system security services daemon" DESCRIPTION = "SSSD is a system security services daemon" -HOMEPAGE = "https://fedorahosted.org/sssd/" +HOMEPAGE = "https://pagure.io/SSSD/sssd/" SECTION = "base" LICENSE = "GPLv3+" LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" @@ -11,8 +11,8 @@ DEPENDS += "libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent" SRC_URI = "https://releases.pagure.org/SSSD/${BPN}/${BP}.tar.gz\ file://sssd.conf " -SRC_URI[md5sum] = "f721ace2ebfa6744cfea55e3ecd2d82f" -SRC_URI[sha256sum] = "c581a6e5365cef87fca419c0c9563cf15eadbb682863d648d85ffcded7a3940f" +SRC_URI[md5sum] = "af4288c9d1f9953e3b3b6e0b165a5ece" +SRC_URI[sha256sum] = "ee5d17a0c663c09819cbab9364085b9e57faeca02406cc30efe14cc0cfc04ec4" inherit autotools pkgconfig gettext update-rc.d python-dir distro_features_check diff --git a/meta-security/recipes-security/suricata/files/emerging.rules.tar.gz b/meta-security/recipes-security/suricata/files/emerging.rules.tar.gz Binary files differnew file mode 100644 index 000000000..aed375474 --- /dev/null +++ b/meta-security/recipes-security/suricata/files/emerging.rules.tar.gz diff --git a/meta-security/recipes-security/suricata/files/run-ptest b/meta-security/recipes-security/suricata/files/run-ptest new file mode 100644 index 000000000..666ba9c95 --- /dev/null +++ b/meta-security/recipes-security/suricata/files/run-ptest @@ -0,0 +1,3 @@ +#!/bin/sh + +suricata -u diff --git a/meta-security/recipes-security/suricata/files/suricata.service b/meta-security/recipes-security/suricata/files/suricata.service new file mode 100644 index 000000000..a99a76ef8 --- /dev/null +++ b/meta-security/recipes-security/suricata/files/suricata.service 
@@ -0,0 +1,20 @@ +[Unit] +Description=Suricata IDS/IDP daemon +After=network.target +Requires=network.target +Documentation=man:suricata(8) man:suricatasc(8) +Documentation=https://redmine.openinfosecfoundation.org/projects/suricata/wiki + +[Service] +Type=simple +CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW +RestrictAddressFamilies= +ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml eth0 +ExecReload=/bin/kill -HUP $MAINPID +PrivateTmp=yes +ProtectHome=yes +ProtectSystem=yes + +[Install] +WantedBy=multi-user.target + diff --git a/meta-security/recipes-security/suricata/files/suricata.yaml b/meta-security/recipes-security/suricata/files/suricata.yaml index 90417b03d..8d06a2744 100644 --- a/meta-security/recipes-security/suricata/files/suricata.yaml +++ b/meta-security/recipes-security/suricata/files/suricata.yaml @@ -787,7 +787,7 @@ logging: enabled: no filename: /var/log/suricata.log - syslog: - enabled: no + enabled: yes facility: local5 format: "[%i] <%d> -- " diff --git a/meta-security/recipes-security/suricata/libhtp_0.5.25.bb b/meta-security/recipes-security/suricata/libhtp_0.5.27.bb index 8305f7010..8305f7010 100644 --- a/meta-security/recipes-security/suricata/libhtp_0.5.25.bb +++ b/meta-security/recipes-security/suricata/libhtp_0.5.27.bb diff --git a/meta-security/recipes-security/suricata/suricata.inc b/meta-security/recipes-security/suricata/suricata.inc index a2d36eb61..1f421210d 100644 --- a/meta-security/recipes-security/suricata/suricata.inc +++ b/meta-security/recipes-security/suricata/suricata.inc 
@@ -2,8 +2,8 @@ HOMEPAGE = "http://suricata-ids.org/" SECTION = "security Monitor/Admin" LICENSE = "GPLv2" -VER = "4.0.0" +VER = "4.0.5" SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${VER}.tar.gz" -SRC_URI[md5sum] = "41fb91b4cbc6705b353e4bdd02c3df4b" -SRC_URI[sha256sum] = "6b8b183a8409829ca92c71854cc1abed45f04ccfb7f14c08211f4edf571fa577" +SRC_URI[md5sum] = "ea0cb823d6a86568152f75ade6de442f" +SRC_URI[sha256sum] = "74dacb4359d57fbd3452e384eeeb1dd77b6ae00f02e9994ad5a7b461d5f4c6c2" diff --git a/meta-security/recipes-security/suricata/suricata_4.0.0.bb b/meta-security/recipes-security/suricata/suricata_4.0.5.bb index e16348670..6c0a109be 100644 --- a/meta-security/recipes-security/suricata/suricata_4.0.0.bb +++ b/meta-security/recipes-security/suricata/suricata_4.0.5.bb @@ -4,16 +4,24 @@ require suricata.inc LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548" +SRC_URI += "file://emerging.rules.tar.gz;name=rules" + SRC_URI += " \ file://volatiles.03_suricata \ file://suricata.yaml \ + file://suricata.service \ + file://run-ptest \ " -inherit autotools-brokensep pkgconfig python-dir +SRC_URI[rules.md5sum] = "205c5e5b54e489207ed892c03ad75b33" +SRC_URI[rules.sha256sum] = "4aa81011b246875a57181c6a0569ca887845e366904bcaf0043220f33bd69798" + +inherit autotools-brokensep pkgconfig python-dir systemd ptest CFLAGS += "-D_DEFAULT_SOURCE" -CACHED_CONFIGUREVARS = "ac_cv_header_htp_htp_h=yes ac_cv_lib_htp_htp_conn_create=yes " +CACHED_CONFIGUREVARS = "ac_cv_header_htp_htp_h=yes ac_cv_lib_htp_htp_conn_create=yes \ + ac_cv_path_HAVE_WGET=no ac_cv_path_HAVE_CURL=no " EXTRA_OECONF += " --disable-debug \ --enable-non-bundled-htp \ 
@@ -21,6 +29,8 @@ EXTRA_OECONF += " --disable-debug \ " PACKAGECONFIG ??= "htp jansson file pcre yaml pcap cap-ng net nfnetlink nss nspr" +PACKAGECONFIG_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'unittests', '', d)}" + PACKAGECONFIG[htp] = "--with-libhtp-includes=${STAGING_INCDIR} --with-libhtp-libraries=${STAGING_LIBDIR}, ,libhtp," PACKAGECONFIG[pcre] = "--with-libpcre-includes=${STAGING_INCDIR} --with-libpcre-libraries=${STAGING_LIBDIR}, ,libpcre ," PACKAGECONFIG[yaml] = "--with-libyaml-includes=${STAGING_INCDIR} --with-libyaml-libraries=${STAGING_LIBDIR}, ,libyaml ," 
@@ -28,33 +38,59 @@ PACKAGECONFIG[pcap] = "--with-libpcap-includes=${STAGING_INCDIR} --with-libpcap- PACKAGECONFIG[cap-ng] = "--with-libcap_ng-includes=${STAGING_INCDIR} --with-libcap_ng-libraries=${STAGING_LIBDIR}, ,libcap-ng , " PACKAGECONFIG[net] = "--with-libnet-includes=${STAGING_INCDIR} --with-libnet-libraries=${STAGING_LIBDIR}, , libnet," PACKAGECONFIG[nfnetlink] = "--with-libnfnetlink-includes=${STAGING_INCDIR} --with-libnfnetlink-libraries=${STAGING_LIBDIR}, ,libnfnetlink ," +PACKAGECONFIG[nfq] = "--enable-nfqueue, --disable-nfqueue,libnetfilter-queue," PACKAGECONFIG[jansson] = "--with-libjansson-includes=${STAGING_INCDIR} --with-libjansson-libraries=${STAGING_LIBDIR},,jansson, jansson" PACKAGECONFIG[file] = ",,file, file" PACKAGECONFIG[nss] = "--with-libnss-includes=${STAGING_INCDIR} --with-libnss-libraries=${STAGING_LIBDIR}, nss, nss," PACKAGECONFIG[nspr] = "--with-libnspr-includes=${STAGING_INCDIR} --with-libnspr-libraries=${STAGING_LIBDIR}, nspr, nspr," PACKAGECONFIG[python] = "--enable-python, --disable-python, python, python" +PACKAGECONFIG[unittests] = "--enable-unittests, --disable-unittests," export logdir = "${localstatedir}/log" do_install_append () { + install -d ${D}${sysconfdir}/suricata + + oe_runmake install-conf DESTDIR=${D} + + # mimic move of downloaded rules to e_sysconfrulesdir + cp -rf ${WORKDIR}/rules ${D}${sysconfdir}/suricata + + oe_runmake install-rules DESTDIR=${D} + install -d ${D}${sysconfdir}/suricata ${D}${sysconfdir}/default/volatiles - install -m 644 classification.config ${D}${sysconfdir}/suricata - install -m 644 reference.config ${D}${sysconfdir}/suricata - install -m 644 ${WORKDIR}/suricata.yaml ${D}${sysconfdir}/suricata install -m 0644 ${WORKDIR}/volatiles.03_suricata ${D}${sysconfdir}/default/volatiles/volatiles.03_suricata + + install -m 0644 ${S}/threshold.config ${D}${sysconfdir}/suricata + + install -d ${D}${systemd_unitdir}/system + sed -e s:/etc:${sysconfdir}:g \ + -e s:/var/run:/run:g \ + -e 
s:/var:${localstatedir}:g \ + -e s:/usr/bin:${bindir}:g \ + -e s:/bin/kill:${base_bindir}/kill:g \ + -e s:/usr/lib:${libdir}:g \ + ${WORKDIR}/suricata.service > ${D}${systemd_unitdir}/system/suricata.service + + # Remove /var/run as it is created on startup + rm -rf ${D}${localstatedir}/run + } pkg_postinst_ontarget_${PN} () { if [ -e /etc/init.d/populate-volatile.sh ] ; then ${sysconfdir}/init.d/populate-volatile.sh update fi - ${bindir}/suricata -c ${sysconfdir}/suricata.yaml -i eth0 } -PACKAGES += "${PN}-python" -FILES_${PN} = "${bindir}/suricata ${sysconfdir}/default ${sysconfdir}/suricata ${logdir}/suricata" -FILES_${PN}-python = "${bindir}/suricatasc ${PYTHON_SITEPACKAGES_DIR}" +SYSTEMD_PACKAGES = "${PN}" + +PACKAGES =+ "${PN}-socketcontrol" +FILES_${PN} += "${systemd_unitdir}" +FILES_${PN}-socketcontrol = "${bindir}/suricatasc ${PYTHON_SITEPACKAGES_DIR}" + +CONFFILES_${PN} = "${sysconfdir}/suricata/suricata.yaml" RDEPENDS_${PN}-python = "python" diff --git a/meta-security/recipes-security/tripwire/files/run-ptest b/meta-security/recipes-security/tripwire/files/run-ptest new file mode 100644 index 000000000..aedfddc59 --- /dev/null +++ b/meta-security/recipes-security/tripwire/files/run-ptest @@ -0,0 +1,3 @@ +#!/bin/sh + +./twtest.pl diff --git a/meta-security/recipes-security/tripwire/tripwire_2.4.3.6.bb b/meta-security/recipes-security/tripwire/tripwire_2.4.3.6.bb index 465960f23..59d1f35c5 100644 --- a/meta-security/recipes-security/tripwire/tripwire_2.4.3.6.bb +++ b/meta-security/recipes-security/tripwire/tripwire_2.4.3.6.bb @@ -16,11 +16,12 @@ SRC_URI = "\ file://twcfg.txt \ file://twinstall.sh \ file://twpol-yocto.txt \ + file://run-ptest \ " S = "${WORKDIR}/git" -inherit autotools-brokensep update-rc.d +inherit autotools-brokensep update-rc.d ptest INITSCRIPT_NAME = "tripwire" INITSCRIPT_PARAMS = "start 40 S ." 
@@ -58,9 +59,15 @@ do_install () { install -m 0644 ${WORKDIR}/tripwire.txt ${D}${docdir}/${BPN} } +do_install_ptest_append () { + install -d ${D}${PTEST_PATH}/tests + cp -a ${S}/src/test-harness/* ${D}${PTEST_PATH} +} FILES_${PN} += "${libdir} ${docdir}/${PN}/*" FILES_${PN}-dbg += "${sysconfdir}/${PN}/.debug" FILES_${PN}-staticdev += "${localstatedir}/lib/${PN}/lib*.a" +FILES_${PN}-ptest += "${PTEST_PATH}/tests " RDEPENDS_${PN} += " perl nano msmtp cronie" +RDEPENDS_${PN}-ptest = " perl lib-perl" diff --git a/meta-security/recipes-security/xmlsec1/xmlsec1/change-finding-path-of-nss.patch b/meta-security/recipes-security/xmlsec1/xmlsec1/change-finding-path-of-nss.patch index fcc63b34c..1cec47fca 100644 --- a/meta-security/recipes-security/xmlsec1/xmlsec1/change-finding-path-of-nss.patch +++ b/meta-security/recipes-security/xmlsec1/xmlsec1/change-finding-path-of-nss.patch @@ -1,4 +1,4 @@ -From 47379747e34f952d31af028c672940ca7859ae3c Mon Sep 17 00:00:00 2001 +From c1c980a95d85bcaf8802524d6148783522b300d7 Mon Sep 17 00:00:00 2001 From: Yulong Pei <Yulong.pei@windriver.com> Date: Wed, 21 Jul 2010 22:33:43 +0800 Subject: [PATCH] change finding path of nss and nspr @@ -7,66 +7,61 @@ Upstream-Status: Pending Signed-off-by: Yulong Pei <Yulong.pei@windriver.com> Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> - +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> --- - configure.ac | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) + configure.ac | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/configure.ac b/configure.ac -index 3278200..6edec7d 100644 +index 951b3eb..1fdeb0f 100644 --- a/configure.ac 
+++ b/configure.ac -@@ -644,7 +644,7 @@ if test "z$NSS_FOUND" = "zno" ; then +@@ -866,10 +866,10 @@ MOZILLA_MIN_VERSION="1.4" + NSS_CRYPTO_LIB="$XMLSEC_PACKAGE-nss" + NSPR_PACKAGE=mozilla-nspr + NSS_PACKAGE=mozilla-nss +-NSPR_INCLUDE_MARKER="nspr/nspr.h" ++NSPR_INCLUDE_MARKER="nspr.h" + NSPR_LIB_MARKER="libnspr4$shrext" + NSPR_LIBS_LIST="-lnspr4 -lplds4 -lplc4" +-NSS_INCLUDE_MARKER="nss/nss.h" ++NSS_INCLUDE_MARKER="nss3/nss.h" + NSS_LIB_MARKER="libnss3$shrext" + NSS_LIBS_LIST="-lnss3 -lsmime3" - if test "z$with_nspr" != "z" ; then - NSPR_PREFIX="$with_nspr" -- NSPR_CFLAGS="-I$with_nspr/include -I$with_nspr/include/nspr" -+ NSPR_CFLAGS="-I$with_nspr/usr/include -I$with_nspr/usr/include/nspr4" - if test "z$with_gnu_ld" = "zyes" ; then - NSPR_LIBS="-Wl,-rpath-link -Wl,$with_nspr/lib -L$with_nspr/lib $NSPR_LIBS_LIST" - else -@@ -652,7 +652,7 @@ if test "z$NSS_FOUND" = "zno" ; then - fi - NSPR_INCLUDES_FOUND="yes" - NSPR_LIBS_FOUND="yes" -- NSPR_PRINIT_H="$with_nspr/include/prinit.h" -+ NSPR_PRINIT_H="$with_nspr/usr/include/nspr4/prinit.h" +@@ -898,24 +898,24 @@ fi + dnl Priority 1: User specifies the path to installation + if test "z$NSPR_FOUND" = "zno" -a "z$with_nspr" != "z" -a "z$with_nspr" != "zyes" ; then + AC_MSG_CHECKING(for nspr library installation in "$with_nspr" folder) +- if test -f "$with_nspr/include/$NSPR_INCLUDE_MARKER" -a -f "$with_nspr/lib/$NSPR_LIB_MARKER" ; then +- NSPR_INCLUDE_PATH="$with_nspr/include" +- NSPR_LIB_PATH="$with_nspr/lib" ++ if test -f "$with_nspr/usr/include/$NSPR_INCLUDE_MARKER" -a -f "$with_nspr/${libdir}/$NSPR_LIB_MARKER" ; then ++ NSPR_INCLUDE_PATH="$with_nspr/usr/include" ++ NSPR_LIB_PATH="$with_nspr/${libdir}" + NSPR_FOUND="yes" + AC_MSG_RESULT([yes]) else - for dir in $ac_nss_inc_dir ; do - if test -f $dir/nspr/prinit.h ; then -@@ -690,7 +690,7 @@ if test "z$NSS_FOUND" = "zno" ; then - OLD_CPPFLAGS=$CPPFLAGS - CPPFLAGS="$NSPR_CFLAGS" - AC_EGREP_CPP(yes,[ -- #include <prinit.h> -+ #include <nspr4/prinit.h> - #if PR_VMAJOR >= 4 
- yes - #endif -@@ -715,7 +715,7 @@ if test "z$NSS_FOUND" = "zno" ; then - NSS_NSS_H="" - - if test "z$with_nss" != "z" ; then -- NSS_CFLAGS="$NSS_CFLAGS -I$with_nss/include -I$with_nss/include/nss" -+ NSS_CFLAGS="$NSS_CFLAGS -I$with_nss/usr/include -I$with_nss/usr/include/nss3 -I$with_nspr/usr/include/nspr4" - if test "z$with_gnu_ld" = "zyes" ; then - NSS_LIBS="$NSS_LIBS -Wl,-rpath-link -Wl,$with_nss/lib -L$with_nss/lib $NSS_LIBS_LIST" - else -@@ -723,7 +723,7 @@ if test "z$NSS_FOUND" = "zno" ; then - fi - NSS_INCLUDES_FOUND="yes" - NSS_LIBS_FOUND="yes" -- NSS_NSS_H="$with_nss/include/nss.h" -+ NSS_NSS_H="$with_nss/usr/include/nss3/nss.h" +- AC_MSG_ERROR([not found: "$with_nspr/include/$NSPR_INCLUDE_MARKER" and/or "$with_nspr/lib/$NSPR_LIB_MARKER" files don't exist), typo?]) ++ AC_MSG_ERROR([not found: "$with_nspr/usr/include/$NSPR_INCLUDE_MARKER" and/or "$with_nspr/${libdir}/$NSPR_LIB_MARKER" files don't exist), typo?]) + fi + fi + if test "z$NSS_FOUND" = "zno" -a "z$with_nss" != "z" -a "z$with_nss" != "zyes" ; then + AC_MSG_CHECKING(for nss library installation in "$with_nss" folder) +- if test -f "$with_nss/include/$NSS_INCLUDE_MARKER" -a -f "$with_nss/lib/$NSS_LIB_MARKER" ; then +- NSS_INCLUDE_PATH="$with_nss/include" +- NSS_LIB_PATH="$with_nss/lib" ++ if test -f "$with_nss/usr/include/$NSS_INCLUDE_MARKER" -a -f "$with_nss/${libdir}/$NSS_LIB_MARKER" ; then ++ NSS_INCLUDE_PATH="$with_nss/usr/include/nss3" ++ NSS_LIB_PATH="$with_nss/${libdir}" + NSS_FOUND="yes" + AC_MSG_RESULT([yes]) else - for dir in $ac_nss_inc_dir ; do - if test -f $dir/nss/nss.h ; then -@@ -761,7 +761,7 @@ if test "z$NSS_FOUND" = "zno" ; then - OLD_CPPFLAGS=$CPPFLAGS - CPPFLAGS="$NSPR_CFLAGS $NSS_CFLAGS" - AC_EGREP_CPP(yes,[ -- #include <nss.h> -+ #include <nss3/nss.h> - #if NSS_VMAJOR >= 3 && NSS_VMINOR >= 2 - yes - #endif +- AC_MSG_ERROR([not found: "$with_nss/include/$NSS_INCLUDE_MARKER" and/or "$with_nss/lib/$NSS_LIB_MARKER" files don't exist), typo?]) ++ AC_MSG_ERROR([not found: 
"$with_nss/usr/include/$NSS_INCLUDE_MARKER" and/or "$with_nss/${libdir}/$NSS_LIB_MARKER" files don't exist), typo?]) + fi + fi + +-- +2.7.4 + diff --git a/meta-security/recipes-security/xmlsec1/xmlsec1/xmlsec1-fix-a-typo-in-examples-verify3.c.patch b/meta-security/recipes-security/xmlsec1/xmlsec1/xmlsec1-fix-a-typo-in-examples-verify3.c.patch deleted file mode 100644 index 5f967bbaa..000000000 --- a/meta-security/recipes-security/xmlsec1/xmlsec1/xmlsec1-fix-a-typo-in-examples-verify3.c.patch +++ /dev/null @@ -1,23 +0,0 @@ -From 1d8ae4b32bd76c19ec238f30eb9b1ee582cbe990 Mon Sep 17 00:00:00 2001 -From: Jackie Huang <jackie.huang@windriver.com> -Date: Fri, 2 Mar 2018 01:10:58 -0800 -Subject: [PATCH] xmlsec1: fix a typo in examples/verify3.c - -Upstream-Status: Submitted [https://github.com/lsh123/xmlsec/pull/153] - -Signed-off-by: Jackie Huang <jackie.huang@windriver.com> - ---- - examples/verify3.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/examples/verify3.c b/examples/verify3.c -index 2d26ae7..68f52ab 100644 ---- a/examples/verify3.c -+++ b/examples/verify3.c -@@ -1,4 +1,4 @@ --4/** -+/** - * XML Security Library example: Verifying a file signed with X509 certificate - * - * Verifies a file signed with X509 certificate. diff --git a/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.25.bb b/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.26.bb index 341ca08fd..2dbbf331e 100644 --- a/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.25.bb +++ b/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.26.bb 
@@ -17,12 +17,11 @@ SRC_URI = "http://www.aleksey.com/xmlsec/download/${BP}.tar.gz \ file://change-finding-path-of-nss.patch \ file://makefile-ptest.patch \ file://xmlsec1-examples-allow-build-in-separate-dir.patch \ - file://xmlsec1-fix-a-typo-in-examples-verify3.c.patch \ file://run-ptest \ " -SRC_URI[md5sum] = "dbbef1efc69e61bc4629650205a05b41" -SRC_URI[sha256sum] = "967ca83edf25ccb5b48a3c4a09ad3405a63365576503bf34290a42de1b92fcd2" +SRC_URI[md5sum] = "9c4aaf9ff615a73921b9e3bf4988d878" +SRC_URI[sha256sum] = "8d8276c9c720ca42a3b0023df8b7ae41a2d6c5f9aa8d20ed1672d84cc8982d50" inherit autotools-brokensep ptest pkgconfig |
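Review bot: in packagegroup-core-security.bb, hunk @@ -27,7 +29,11 @@, `nmap` stays in RDEPENDS_packagegroup-security-utils as an unchanged context line, while an nmap recipe is deleted in full (@@ -1,54 +0,0 @@) earlier in this diff. Confirm that a newer recipe in this tree or another layer still provides nmap, otherwise the packagegroup will not resolve; if the recipe moved, say where.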
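Review bot: listing packagegroup-security-ptest in RDEPENDS_packagegroup-core-security (packagegroup-core-security.bb, hunk @@ -20,6 +21,7 @@) means every image that installs the core group with ptest in DISTRO_FEATURES also ships the test suites and ptest-runner named in the new RDEPENDS_packagegroup-security-ptest. Consider keeping the new group in PACKAGES only and letting test images opt in, so images that only want the security tools do not carry their test harnesses.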
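Review bot: the samhain tarball in samhain.inc (hunk @@ -19,8 +19,11 @@) is still fetched over plain http, per the context line `SRC_URI = "http://la-samhna.de/archive/samhain_signed-${PV}.tar.gz`, while the UPSTREAM_CHECK_URI added in the same hunk already uses https://www.la-samhna.de. The sha256sum pins the content, but if the archive path is served over https the fetch URL should be switched too, so that the version check and the download use the same transport.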
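Review bot: do_install_ptest in python-scapy.inc (hunk @@ -5,20 +5,16 @@) still installs `${S}/test/regression.uts`, but the explicit GitHub archive SRC_URI is removed and the source now comes through `inherit pypi`. Please confirm that the PyPI sdist for 2.4.0 contains the test/ directory, otherwise the ptest install step fails. LIC_FILES_CHKSUM is an unchanged context line across the 2.3.3 to 2.4.0 bump, so it is worth re-checking against lines 9-13 of the new bin/scapy.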
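Review bot: `RestrictAddressFamilies=` in the new files/suricata.service is assigned an empty value, which in systemd resets the list and applies no restriction, so the line has no hardening effect; either list the address families the daemon needs or drop the line. ExecStart also passes a bare `eth0`, whereas the postinst line removed elsewhere in this commit used `-i eth0`; add the `-i` and consider reading the interface from an environment file instead of hardcoding it in the unit. There is no User= line, so the daemon runs as root and CapabilityBoundingSet is the only privilege limit.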
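Review bot: the bundled emerging.rules.tar.gz added to SRC_URI in suricata_4.0.5.bb (hunk @@ -4,16 +4,24 @@) is pinned by checksum but the recipe records neither the origin nor the date of the rules snapshot, and with `ac_cv_path_HAVE_WGET=no ac_cv_path_HAVE_CURL=no` the build never refreshes it. Add a comment next to the SRC_URI entry stating where and when the snapshot was taken, and document that deployed systems need their own rule update path, since an IDS with a frozen rule set loses coverage over time.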
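Review bot: `RDEPENDS_${PN}-python = "python"` at the end of hunk @@ -28,33 +38,59 @@ in suricata_4.0.5.bb is left unchanged although the same hunk renames the package to ${PN}-socketcontrol, so the package that now carries suricatasc loses its python runtime dependency; rename the variable to RDEPENDS_${PN}-socketcontrol. In do_install_append the line installing ${WORKDIR}/suricata.yaml is removed and nothing visible replaces it, so check that `oe_runmake install-conf` ships the recipe's suricata.yaml (the file this commit edits to enable syslog) and not the upstream default. `install -d ${D}${sysconfdir}/suricata` now appears twice, and `cp -rf ${WORKDIR}/rules` would be better as an install with explicit mode so the build user's ownership and permissions do not leak into the image.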
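Review bot: do_install_ptest_append in tripwire_2.4.3.6.bb (hunk @@ -58,9 +59,15 @@) creates ${D}${PTEST_PATH}/tests and adds that path to FILES_${PN}-ptest, but `cp -a ${S}/src/test-harness/* ${D}${PTEST_PATH}` copies the harness one level up, next to run-ptest. That matches the `./twtest.pl` call in run-ptest, so either the tests directory and its FILES entry are unneeded or the copy target is wrong; pick one layout. `cp -a` also preserves the build user's ownership, so prefer `cp -r --no-preserve=ownership` here.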
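Review bot: the refreshed change-finding-path-of-nss.patch uses `${libdir}` for the library checks but a literal `usr/include` for the headers (for example `NSPR_INCLUDE_PATH="$with_nspr/usr/include"`), so the two halves of each `test -f` follow different conventions; use `${includedir}` for the header side as well. The patch header still reads Upstream-Status: Pending although the `$with_nss/usr/include/nss3` sysroot layout is specific to this build environment; if it is not meant to go upstream, mark it accordingly.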