Accepting request 910608 from home:gmbr3:Active
- Update to version 0.6.0: - Addressed potential symlink attack issue (CVE-2020-28407) - Rewritten in 'C'; needs json-glib - Use timeouts for communicating with swtpm (Unix socket) - Fix --print-capabilities for 'swtpm chardev' - Various cleanups and fixes (coverity) - Enable selinux support OBS-URL: https://build.opensuse.org/request/show/910608 OBS-URL: https://build.opensuse.org/package/show/security/swtpm?expand=0&rev=18
This commit is contained in:
parent
099d31ba0a
commit
9f05f64ac4
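--- a/swtpm-0.6.0.tar.gz
+++ b/swtpm-0.6.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d05098d6879a44f02cb0225290f2edeea083ea9a322f5acf98c7a6ddb5f46d29
+size 326049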
@ -1,114 +0,0 @@
|
|||||||
From 0b0041bda9df8bf704d7aff8c32da0d18cd9eb28 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jonas Witschel <diabonas@archlinux.org>
|
|
||||||
Date: Wed, 19 May 2021 10:30:41 +0200
|
|
||||||
Subject: [PATCH] swtpm_cert: rename deprecated libtasn1 types
|
|
||||||
|
|
||||||
These types have been renamed in libtasn1 version 3.0 (released 2012-10-28).
|
|
||||||
The most recent libtasn1 version 4.17.0 (released 2021-05-13) now prints
|
|
||||||
deprecation warnings that are made fatal by -Werror:
|
|
||||||
|
|
||||||
ek-cert.c:76:13: error: 'ASN1_ARRAY_TYPE' macro is deprecated, use 'asn1_static_node' instead. [-Werror]
|
|
||||||
76 | extern const ASN1_ARRAY_TYPE tpm_asn1_tab[];
|
|
||||||
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
[...]
|
|
||||||
|
|
||||||
The new types were introduced almost ten years ago, so they should be pretty
|
|
||||||
universally available by now.
|
|
||||||
|
|
||||||
Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
|
|
||||||
---
|
|
||||||
src/swtpm_cert/ek-cert.c | 24 ++++++++++++------------
|
|
||||||
1 file changed, 12 insertions(+), 12 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/swtpm_cert/ek-cert.c b/src/swtpm_cert/ek-cert.c
|
|
||||||
index c991559c..c8074614 100644
|
|
||||||
--- a/src/swtpm_cert/ek-cert.c
|
|
||||||
+++ b/src/swtpm_cert/ek-cert.c
|
|
||||||
@@ -73,9 +73,9 @@ enum cert_type_t {
|
|
||||||
#define ALLOW_SIGNING_F 2 /* EK can be used for signing */
|
|
||||||
#define DECRYPTION_F 4 /* EK can be used for decryption; default */
|
|
||||||
|
|
||||||
-extern const ASN1_ARRAY_TYPE tpm_asn1_tab[];
|
|
||||||
+extern const asn1_static_node tpm_asn1_tab[];
|
|
||||||
|
|
||||||
-ASN1_TYPE _tpm_asn;
|
|
||||||
+asn1_node _tpm_asn;
|
|
||||||
|
|
||||||
typedef struct tdTCG_PCCLIENT_STORED_CERT {
|
|
||||||
uint16_t tag;
|
|
||||||
@@ -333,7 +333,7 @@ asn_free(void)
|
|
||||||
}
|
|
||||||
|
|
||||||
static int
|
|
||||||
-encode_asn1(gnutls_datum_t *asn1, ASN1_TYPE at)
|
|
||||||
+encode_asn1(gnutls_datum_t *asn1, asn1_node at)
|
|
||||||
{
|
|
||||||
int err;
|
|
||||||
|
|
||||||
@@ -361,7 +361,7 @@ encode_asn1(gnutls_datum_t *asn1, ASN1_TYPE at)
|
|
||||||
}
|
|
||||||
|
|
||||||
static int
|
|
||||||
-build_tpm_manufacturer_info(ASN1_TYPE *at,
|
|
||||||
+build_tpm_manufacturer_info(asn1_node *at,
|
|
||||||
const char *manufacturer,
|
|
||||||
const char *tpm_model,
|
|
||||||
const char *tpm_version)
|
|
||||||
@@ -443,7 +443,7 @@ create_tpm_manufacturer_info(const char *manufacturer,
|
|
||||||
const char *tpm_version,
|
|
||||||
gnutls_datum_t *asn1)
|
|
||||||
{
|
|
||||||
- ASN1_TYPE at = ASN1_TYPE_EMPTY;
|
|
||||||
+ asn1_node at = NULL;
|
|
||||||
int err;
|
|
||||||
|
|
||||||
err = asn_init();
|
|
||||||
@@ -475,7 +475,7 @@ create_tpm_manufacturer_info(const char *manufacturer,
|
|
||||||
}
|
|
||||||
|
|
||||||
static int
|
|
||||||
-build_platf_manufacturer_info(ASN1_TYPE *at,
|
|
||||||
+build_platf_manufacturer_info(asn1_node *at,
|
|
||||||
const char *manufacturer,
|
|
||||||
const char *platf_model,
|
|
||||||
const char *platf_version,
|
|
||||||
@@ -569,7 +569,7 @@ create_platf_manufacturer_info(const char *manufacturer,
|
|
||||||
gnutls_datum_t *asn1,
|
|
||||||
bool forTPM2)
|
|
||||||
{
|
|
||||||
- ASN1_TYPE at = ASN1_TYPE_EMPTY;
|
|
||||||
+ asn1_node at = NULL;
|
|
||||||
int err;
|
|
||||||
|
|
||||||
err = asn_init();
|
|
||||||
@@ -612,9 +612,9 @@ create_tpm_and_platform_manuf_info(
|
|
||||||
gnutls_datum_t *asn1,
|
|
||||||
bool forTPM2)
|
|
||||||
{
|
|
||||||
- ASN1_TYPE at = ASN1_TYPE_EMPTY;
|
|
||||||
- ASN1_TYPE tpm_at = ASN1_TYPE_EMPTY;
|
|
||||||
- ASN1_TYPE platf_at = ASN1_TYPE_EMPTY;
|
|
||||||
+ asn1_node at = NULL;
|
|
||||||
+ asn1_node tpm_at = NULL;
|
|
||||||
+ asn1_node platf_at = NULL;
|
|
||||||
int err;
|
|
||||||
gnutls_datum_t datum = {
|
|
||||||
.data = NULL,
|
|
||||||
@@ -725,7 +725,7 @@ create_tpm_specification_info(const char *spec_family,
|
|
||||||
unsigned int spec_revision,
|
|
||||||
gnutls_datum_t *asn1)
|
|
||||||
{
|
|
||||||
- ASN1_TYPE at = ASN1_TYPE_EMPTY;
|
|
||||||
+ asn1_node at = NULL;
|
|
||||||
int err;
|
|
||||||
unsigned int bigendian;
|
|
||||||
unsigned char twoscomp[1 + sizeof(bigendian)] = { 0, };
|
|
||||||
@@ -797,7 +797,7 @@ create_tpm_specification_info(const char *spec_family,
|
|
||||||
static int
|
|
||||||
create_cert_extended_key_usage(const char *oid, gnutls_datum_t *asn1)
|
|
||||||
{
|
|
||||||
- ASN1_TYPE at = ASN1_TYPE_EMPTY;
|
|
||||||
+ asn1_node at = NULL;
|
|
||||||
int err;
|
|
||||||
|
|
||||||
err = asn_init();
|
|
@ -1,3 +1,14 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Sat Aug 7 15:02:40 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>
|
||||||
|
|
||||||
|
- Update to version 0.6.0:
|
||||||
|
- Addressed potential symlink attack issue (CVE-2020-28407)
|
||||||
|
- Rewritten in 'C'; needs json-glib
|
||||||
|
- Use timeouts for communicating with swtpm (Unix socket)
|
||||||
|
- Fix --print-capabilities for 'swtpm chardev'
|
||||||
|
- Various cleanups and fixes (coverity)
|
||||||
|
- Enable selinux support
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Thu May 20 06:56:39 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
|
Thu May 20 06:56:39 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
|
||||||
|
|
||||||
|
101
swtpm.spec
101
swtpm.spec
@ -18,16 +18,19 @@
|
|||||||
|
|
||||||
# Scripts in this package are python3
|
# Scripts in this package are python3
|
||||||
%define skip_python2 1
|
%define skip_python2 1
|
||||||
|
# SELinux
|
||||||
|
%define selinuxtype targeted
|
||||||
|
%define modulename1 swtpm
|
||||||
|
%define modulename2 swtpm_svirt
|
||||||
|
%define modulename3 swtpmcuse
|
||||||
Name: swtpm
|
Name: swtpm
|
||||||
Version: 0.5.2
|
Version: 0.6.0
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: Software TPM emulator
|
Summary: Software TPM emulator
|
||||||
License: BSD-3-Clause
|
License: BSD-3-Clause
|
||||||
Group: System/Base
|
Group: System/Base
|
||||||
URL: https://github.com/stefanberger/swtpm
|
URL: https://github.com/stefanberger/swtpm
|
||||||
Source: https://github.com/stefanberger/swtpm/archive/v%{version}.tar.gz
|
Source0: %{url}/archive/v%{version}/%{name}-%{version}.tar.gz
|
||||||
Patch0: swtpm-rename_deprecated_libtasn1_types.patch
|
|
||||||
BuildRequires: autoconf
|
BuildRequires: autoconf
|
||||||
BuildRequires: automake
|
BuildRequires: automake
|
||||||
BuildRequires: expect
|
BuildRequires: expect
|
||||||
@ -41,13 +44,18 @@ BuildRequires: libseccomp-devel
|
|||||||
BuildRequires: libtasn1-devel
|
BuildRequires: libtasn1-devel
|
||||||
BuildRequires: libtool
|
BuildRequires: libtool
|
||||||
BuildRequires: libtpms-devel
|
BuildRequires: libtpms-devel
|
||||||
|
BuildRequires: pkgconfig
|
||||||
BuildRequires: python3-cryptography
|
BuildRequires: python3-cryptography
|
||||||
|
BuildRequires: selinux-policy-devel
|
||||||
|
BuildRequires: selinux-policy-targeted
|
||||||
BuildRequires: socat
|
BuildRequires: socat
|
||||||
|
BuildRequires: pkgconfig(json-glib-1.0)
|
||||||
|
BuildRequires: pkgconfig(systemd)
|
||||||
Requires: iproute2
|
Requires: iproute2
|
||||||
Requires: python3-cryptography
|
Requires: python3-cryptography
|
||||||
Requires: trousers
|
Requires: trousers
|
||||||
Requires: user(tss)
|
Requires: (%{name}-selinux if selinux-policy-base)
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
Requires(pre): user(tss)
|
||||||
|
|
||||||
%description
|
%description
|
||||||
The SWTPM package provides TPM emulators with different front-end interfaces
|
The SWTPM package provides TPM emulators with different front-end interfaces
|
||||||
@ -67,60 +75,77 @@ Requires: libtpms-devel
|
|||||||
%description devel
|
%description devel
|
||||||
The development files for SWTPM
|
The development files for SWTPM
|
||||||
|
|
||||||
|
%package selinux
|
||||||
|
Summary: SELinux module for the Software TPM emulator
|
||||||
|
Group: System/Management
|
||||||
|
Requires: %{name} = %{version}
|
||||||
|
BuildArch: noarch
|
||||||
|
%{selinux_requires}
|
||||||
|
|
||||||
|
%description selinux
|
||||||
|
This package provides the SELinux module for the Software TPM emulator.
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q -n %{name}-%{version}
|
%autosetup
|
||||||
%patch0 -p1
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
|
mkdir m4
|
||||||
# Fix rpmlint env-script-interpreter error
|
autoreconf -fiv
|
||||||
sed -i -e "s|^#!/usr/bin/env |#!/usr/bin/|" \
|
# configure looks for semodule on PATH
|
||||||
%_builddir/%buildsubdir/src/swtpm_setup/swtpm_setup.in \
|
export PATH="$PATH:%{_sbindir}"
|
||||||
%_builddir/%buildsubdir/src/swtpm_setup/py_swtpm_setup/swtpm_setup.py \
|
|
||||||
%_builddir/%buildsubdir/samples/swtpm-create-tpmca \
|
|
||||||
%_builddir/%buildsubdir/samples/swtpm-create-user-config-files.in \
|
|
||||||
%_builddir/%buildsubdir/samples/swtpm-localca.in \
|
|
||||||
%_builddir/%buildsubdir/samples/py_swtpm_localca/swtpm_localca.py
|
|
||||||
|
|
||||||
./autogen.sh
|
|
||||||
%configure --with-openssl --disable-static \
|
%configure --with-openssl --disable-static \
|
||||||
--with-tss-user=root --with-tss-group=tss
|
--with-tss-user=root --with-tss-group=tss \
|
||||||
make %{?_smp_mflags}
|
--with-selinux
|
||||||
|
%make_build
|
||||||
|
|
||||||
%install
|
%install
|
||||||
%make_install
|
%make_install
|
||||||
|
find %{buildroot} -type f -name "*.la" -delete -print
|
||||||
|
mkdir %{buildroot}%{_datadir}/selinux/packages/targeted
|
||||||
|
mv %{buildroot}%{_datadir}/selinux/packages/*.pp %{buildroot}%{_datadir}/selinux/packages/targeted
|
||||||
mkdir -p %{buildroot}%{_localstatedir}/lib/swtpm-localca
|
mkdir -p %{buildroot}%{_localstatedir}/lib/swtpm-localca
|
||||||
|
|
||||||
%post -p /sbin/ldconfig
|
%post -p /sbin/ldconfig
|
||||||
%postun -p /sbin/ldconfig
|
%postun -p /sbin/ldconfig
|
||||||
|
|
||||||
|
%pre selinux
|
||||||
|
%selinux_relabel_pre -s %{selinuxtype}
|
||||||
|
|
||||||
|
%post selinux
|
||||||
|
%selinux_modules_install -s %{selinuxtype} -p 200 %{_datadir}/selinux/packages/targeted/%{modulename1}.pp
|
||||||
|
%selinux_modules_install -s %{selinuxtype} -p 200 %{_datadir}/selinux/packages/targeted/%{modulename2}.pp
|
||||||
|
%selinux_modules_install -s %{selinuxtype} -p 200 %{_datadir}/selinux/packages/targeted/%{modulename3}.pp
|
||||||
|
|
||||||
|
%postun selinux
|
||||||
|
if [ $1 -eq 0 ]; then
|
||||||
|
%selinux_modules_uninstall -s %{selinuxtype} -p 200 %{modulename1}
|
||||||
|
%selinux_modules_uninstall -s %{selinuxtype} -p 200 %{modulename2}
|
||||||
|
%selinux_modules_uninstall -s %{selinuxtype} -p 200 %{modulename3}
|
||||||
|
fi
|
||||||
|
|
||||||
|
%posttrans selinux
|
||||||
|
%selinux_relabel_post -s %{selinuxtype}
|
||||||
|
|
||||||
%files
|
%files
|
||||||
%defattr(-,root,root)
|
|
||||||
%doc CHANGES README TODO
|
%doc CHANGES README TODO
|
||||||
%license LICENSE
|
%license LICENSE
|
||||||
%{_bindir}/swtpm*
|
%{_bindir}/swtpm*
|
||||||
%config %{_sysconfdir}/swtpm*
|
%config %{_sysconfdir}/swtpm*
|
||||||
%dir %{_datadir}/swtpm
|
%{_datadir}/swtpm
|
||||||
%{_datadir}/swtpm/*
|
|
||||||
%dir %{_libdir}/swtpm
|
%dir %{_libdir}/swtpm
|
||||||
%{_libdir}/swtpm/*.so.*
|
%{_libdir}/swtpm/*.so.*
|
||||||
%{_mandir}/man8/swtpm*
|
%{_mandir}/man8/swtpm*%{?ext_man}
|
||||||
%dir %{python_sitelib}/py_swtpm_localca
|
|
||||||
%dir %{python_sitelib}/py_swtpm_setup
|
|
||||||
%pycache_only %{python_sitelib}/py_swtpm_localca/__pycache__
|
|
||||||
%pycache_only %{python_sitelib}/py_swtpm_setup/__pycache__
|
|
||||||
%{python_sitelib}/py_swtpm_localca/*.py
|
|
||||||
%{python_sitelib}/py_swtpm_setup/*.py
|
|
||||||
%{python_sitelib}/swtpm_localca*
|
|
||||||
%{python_sitelib}/swtpm_setup*
|
|
||||||
%dir %attr(0750,tss,root) %{_localstatedir}/lib/swtpm-localca
|
%dir %attr(0750,tss,root) %{_localstatedir}/lib/swtpm-localca
|
||||||
|
|
||||||
%files devel
|
%files devel
|
||||||
%{_libdir}/swtpm/*.so
|
%{_libdir}/swtpm/*.so
|
||||||
%{_libdir}/swtpm/*.la
|
%{_includedir}/swtpm
|
||||||
%dir %{_includedir}/swtpm/
|
%{_mandir}/man3/swtpm*%{?ext_man}
|
||||||
%{_includedir}/swtpm/*
|
|
||||||
%{_mandir}/man3/swtpm*
|
%files selinux
|
||||||
|
%{_datadir}/selinux/packages/targeted/*.pp
|
||||||
|
%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename1}
|
||||||
|
%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename2}
|
||||||
|
%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename3}
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
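Review bot: The SELinux paths added in %install, %post selinux and %files selinux hard-code `targeted` (the `mkdir`/`mv` lines under %install, the three `%selinux_modules_install ... %{_datadir}/selinux/packages/targeted/%{modulenameN}.pp` lines, and `%{_datadir}/selinux/packages/targeted/*.pp`) even though the first hunk introduces `%define selinuxtype targeted` and the same scriptlets already pass `-s %{selinuxtype}`; a later change to the store name would leave the install path and the `-s` argument out of step. Using the macro throughout, e.g. `mkdir -p %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}` and `%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename1}.pp`, keeps the two in sync. Two smaller points in the same section: `mkdir m4` under %build aborts the build if the tarball already ships an `m4/` directory, so `mkdir -p m4` is safer, and the %files selinux list does not own the `%{_datadir}/selinux/packages/targeted` directory it populates, so a `%dir` entry for it appears to be missing.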
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:2e5ccf591e34c25bd9ae78a0aff9ff1d037dacd90b5e05b9fdc9bcece239f0af
|
|
||||||
size 309436
|
|