Accepting request 1228038 from security

OBS-URL: https://build.opensuse.org/request/show/1228038
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ibmtss?expand=0&rev=23

ibmtss-2.4.0-fix-FTBFS-2026.patch

@@ -0,0 +1,92 @@
+From 3a17ac01bea73d3568272d61b895a16a0bd85440 Mon Sep 17 00:00:00 2001
+From: Ken Goldman <kgold@linux.ibm.com>
+Date: Sun, 23 Oct 2050 00:02:27 -0400
+Subject: [PATCH] certs: Issue new self signed test EK CA certificates.
+
+The original CA certificates for signing EKs for TSS regression
+testing expired in 2026. This caused a failure in a distro that
+expects tests to pass for 15 years from the present. The new one is
+good until 2044.
+
+This affected neither the TSS nor the TPM vendor certificates.
+
+Signed-off-by: Ken Goldman <kgold@linux.ibm.com>
+---
+ utils/certificates/cacert.pem    | 38 ++++++++++++++++----------------
+ utils/certificates/cacertecc.pem | 22 +++++++++---------
+ 2 files changed, 30 insertions(+), 30 deletions(-)
+
+diff --git a/utils/certificates/cacert.pem b/utils/certificates/cacert.pem
+index b752ba54..5c7d1a5f 100644
+--- a/utils/certificates/cacert.pem
++++ b/utils/certificates/cacert.pem
+@@ -1,21 +1,21 @@
+ -----BEGIN CERTIFICATE-----
+-MIIDbDCCAlKgAwIBAgIJALbpb8xivmmsMA0GCSqGSIb3DQEBBQUAMEsxCzAJBgNV
+-BAYTAlVTMQswCQYDVQQIDAJOWTERMA8GA1UEBwwIWW9ya3Rvd24xDDAKBgNVBAoM
+-A0lCTTEOMAwGA1UEAwwFRUsgQ0EwHhcNMTYwNTIzMTkwNjExWhcNMjYwMjIwMTkw
+-NjExWjBLMQswCQYDVQQGEwJVUzELMAkGA1UECAwCTlkxETAPBgNVBAcMCFlvcmt0
+-b3duMQwwCgYDVQQKDANJQk0xDjAMBgNVBAMMBUVLIENBMIIBIzANBgkqhkiG9w0B
+-AQEFAAOCARAAMIIBCwKCAQICsUzdWU1yjZNL5QeJU/emaKBbOuHvZqdCvApjGM+T
+-31XO1s52BkxRtOjULxd+xiK0xogdxDwwsnh/o/YR9zmj7aDVFz068WCEBvjKkClf
+-KOk+1VpdAFzni+NNYMNESNul3ZWwEzpfBmghI7zJQrUBh1rn27PC9OtfTFhONzRT
+-XPq5K2vScvU3Wz0papT4+hEmsd8YyhMYJr00cjV2bDzphZ7wg9YNNpUMJZ4yipYy
+-4XLG+HVPb9DyERFQNpDooA/ZhCZVT8auDbdSvYyrO9q+Uxz30UeqXK3YnDCyk00k
+-JCBWmf3TobjWMKwZO3gUIRMrBuJ7UsEtkkh8+jLaJ7Qcl68CAwEAAaNQME4wHQYD
+-VR0OBBYEFMSPNuKcE6FeRlRc+DKJeakTyaDpMB8GA1UdIwQYMBaAFMSPNuKcE6Fe
+-RlRc+DKJeakTyaDpMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEDAAFr
+-xBCzqiAkYNofYGNidpGrkiP2T3xj/hUx57HjVVoWNlVDBGsxbnoB+WlBqzApJLZC
+-/XZs/zuvS4bnMiSUEw2v8v3/sAqkzMJN7VOg0US1etNjPSrlBmSeun/6HX0C+5M2
+-wQ836P6Y49PePvJO6zGdxJ9SlZ8jKNgtQgQKyUSViSEj0N09CndQJMnOPYIYhc+T
+-/9/HPaNMymHu7Hep0/NgASoLnm8LzP+nzmR286L4DeZ47hKBHMbnTeNNlodEjh92
+-AyI4yaGKjujRjPokTHWUWjFt6t1VXn1cc6Sdpj2YVeFCjkjB9NmDV+Msv9h4UAqy
+-K0wEax/1fsWqDeoom5I1NA==
++MIIDejCCAmCgAwIBAgIUVOe6TM3djGkrJ/G+ttuqcW2o/ccwDQYJKoZIhvcNAQEL
++BQAwSzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5ZMREwDwYDVQQHDAhZb3JrdG93
++bjEMMAoGA1UECgwDSUJNMQ4wDAYDVQQDDAVFSyBDQTAeFw0yNDEwMjIwNDAwNDJa
++Fw00NDEwMTcwNDAwNDJaMEsxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOWTERMA8G
++A1UEBwwIWW9ya3Rvd24xDDAKBgNVBAoMA0lCTTEOMAwGA1UEAwwFRUsgQ0EwggEj
++MA0GCSqGSIb3DQEBAQUAA4IBEAAwggELAoIBAgKxTN1ZTXKNk0vlB4lT96ZooFs6
++4e9mp0K8CmMYz5PfVc7WznYGTFG06NQvF37GIrTGiB3EPDCyeH+j9hH3OaPtoNUX
++PTrxYIQG+MqQKV8o6T7VWl0AXOeL401gw0RI26XdlbATOl8GaCEjvMlCtQGHWufb
++s8L0619MWE43NFNc+rkra9Jy9TdbPSlqlPj6ESax3xjKExgmvTRyNXZsPOmFnvCD
++1g02lQwlnjKKljLhcsb4dU9v0PIREVA2kOigD9mEJlVPxq4Nt1K9jKs72r5THPfR
++R6pcrdicMLKTTSQkIFaZ/dOhuNYwrBk7eBQhEysG4ntSwS2SSHz6MtontByXrwID
++AQABo1MwUTAdBgNVHQ4EFgQUxI824pwToV5GVFz4Mol5qRPJoOkwHwYDVR0jBBgw
++FoAUxI824pwToV5GVFz4Mol5qRPJoOkwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG
++9w0BAQsFAAOCAQMAADawHyUjkBDBEjf9ITGSbdWhhPFAZ5R1YNxVY7gERFNIqm2/
++K2C0Dj8L3eYr7dyGSafQfOaMZRHaDDx/LiIrrrGGfcDMoBLdCPNNp04etRIe6w+y
++pSM3ebJm2RW415L8YrirXVO+cUEWvLZcotvszLgE4hzt+mFosmIy5U3/MQU7RyiW
++LS066Nw2IXyisb2kKiwEqw+iC4eWvj6DWnjgHqZJ6/0zuV9RjJXDFEq5YvV6E13I
++2OnvDaoq9FRadXHJmqdlSbpzuLMY4JOftXOTps1kfejMun303HUfzf7+LiA1bOf4
++UGt6LgzbOG72WRDQMKlhXNZcthNWtqU8ZCD0KQgP
+ -----END CERTIFICATE-----
+diff --git a/utils/certificates/cacertecc.pem b/utils/certificates/cacertecc.pem
+index a47eb31c..cfa802e4 100644
+--- a/utils/certificates/cacertecc.pem
++++ b/utils/certificates/cacertecc.pem
+@@ -1,13 +1,13 @@
+ -----BEGIN CERTIFICATE-----
+-MIIB4zCCAYmgAwIBAgIJALX8+MVL3dXPMAoGCCqGSM49BAMCME4xCzAJBgNVBAYT
+-AlVTMQswCQYDVQQIDAJOWTERMA8GA1UEBwwIWW9ya3Rvd24xDDAKBgNVBAoMA0lC
+-TTERMA8GA1UEAwwIRUsgRUMgQ0EwHhcNMTcwMTEzMjAzOTE2WhcNMjcwMTExMjAz
+-OTE2WjBOMQswCQYDVQQGEwJVUzELMAkGA1UECAwCTlkxETAPBgNVBAcMCFlvcmt0
+-b3duMQwwCgYDVQQKDANJQk0xETAPBgNVBAMMCEVLIEVDIENBMFkwEwYHKoZIzj0C
+-AQYIKoZIzj0DAQcDQgAEahnfxuCQ+NsMcDIe8GZxIiFSX65CXICk6zc3NLRPbPvq
+-ToRdIanaP14TT6eu76FkNDzbtsY6PSMgVNTeAAnfGqNQME4wHQYDVR0OBBYEFAFk
+-p5Lu8Z+laxVYak8/WHhLsG+lMB8GA1UdIwQYMBaAFAFkp5Lu8Z+laxVYak8/WHhL
+-sG+lMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgQ9GClH24Y9NPpKdh
+-3HTwudrjYPYyjK8o5HQ9c8Xc9ecCIQD0NgIj1iUvkEzgNoXS7UP1RD0MpKdzywqM
+-5RyP15ckRA==
++MIIB8TCCAZegAwIBAgIUNMOdoYR8km3U06frlHaKH3I94pIwCgYIKoZIzj0EAwIw
++TjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5ZMREwDwYDVQQHDAhZb3JrdG93bjEM
++MAoGA1UECgwDSUJNMREwDwYDVQQDDAhFSyBFQyBDQTAeFw0yNDEwMjMxNTAwMjFa
++Fw00NDEwMTgxNTAwMjFaME4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOWTERMA8G
++A1UEBwwIWW9ya3Rvd24xDDAKBgNVBAoMA0lCTTERMA8GA1UEAwwIRUsgRUMgQ0Ew
++WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqGd/G4JD42wxwMh7wZnEiIVJfrkJc
++gKTrNzc0tE9s++pOhF0hqdo/XhNPp67voWQ0PNu2xjo9IyBU1N4ACd8ao1MwUTAd
++BgNVHQ4EFgQUAWSnku7xn6VrFVhqTz9YeEuwb6UwHwYDVR0jBBgwFoAUAWSnku7x
++n6VrFVhqTz9YeEuwb6UwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNIADBF
++AiEAhLQDUXzw9zBXSgAM1PHdhKT9AcVN6DIOpZhniHwXnnQCIAM5Uzc7DrUpuWUM
++aXcP5Jnwafl78umJOocN/R72zWqt
+ -----END CERTIFICATE-----

ibmtss-configure.ac-Do-not-disable-optimization-for-debug-b.patch

@@ -1,10 +1,11 @@
-From 005064b673d937a305427eb9fa4d549f93f6090a Mon Sep 17 00:00:00 2001
+From 6d5c05a167d847ac21315aa4a1c171715cd816af Mon Sep 17 00:00:00 2001
 From: Michal Suchanek <msuchanek@suse.de>
 Date: Mon, 17 Aug 2020 18:21:51 +0200
-Subject: [PATCH] configure.ac: Do not disable optimization for debug build.
+Subject: [PATCH] configure.ac: Do not override optimization for debug build.
 
-This conflicts with FORTIFY_SOURCE and generates completely different
-assembly for debug and procuction.
+-O0 conflicts with FORTIFY_SOURCE and generates completely different
+assembly for debug and production. If user passes in C flags let them
+override the suggested -O0.
 
 Signed-off-by: Michal Suchanek <msuchanek@suse.de>
 ---
@@ -12,17 +13,18 @@ Signed-off-by: Michal Suchanek <msuchanek@suse.de>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/configure.ac b/configure.ac
+index 30e9254b339a..883c4bb84efa 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -62,7 +62,7 @@ AC_CHECK_FUNCS([gethostbyname memmove memset socket strerror strtoul])
+@@ -67,7 +67,7 @@ AC_CHECK_FUNCS([gethostbyname memmove memset socket strerror strtoul])
  # Replace autotools default optimization
  AC_ARG_ENABLE(debug,
     AS_HELP_STRING([--enable-debug], [Build a TSS library used for debugging]))
 -   AS_IF([test "$enable_debug" = "yes"], [CFLAGS="$USER_CFLAGS -g -ggdb -O0"])
-+   AS_IF([test "$enable_debug" = "yes"], [CFLAGS="$USER_CFLAGS -g -ggdb -Wextra -Werror"])
++   AS_IF([test "$enable_debug" = "yes"], [CFLAGS="-O0 -g -ggdb $USER_CFLAGS -Wextra -Werror"])
  
  # Linux requires -DTPM_POSIX
  case $host_os in
 -- 
-2.26.2
+2.46.1
 

ibmtss.changes

@@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Tue Dec  3 07:26:17 UTC 2024 - Bernhard Wiedemann <bwiedemann@suse.com>
+
+- Add ibmtss-2.4.0-fix-FTBFS-2026.patch to fix tests after 2026 (boo#1102840)
+
+-------------------------------------------------------------------
+Mon Oct 21 09:23:53 UTC 2024 - Michal Suchanek <msuchanek@suse.de>
+
+- Update to 2.4.0:
+  * Add support for EK intermediate certificates
+  * Support different IMA log digest algorithms
+  * add regtest
+  * html documentation
+- Refresh ibmtss-configure.ac-Do-not-disable-optimization-for-debug-b.patch
+- tss-Commit-changelog-and-autotools-version-update.patch
+- utils-Update-.so-version-to-2.4.patch
+
 -------------------------------------------------------------------
 Thu Nov 30 14:36:22 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
 

ibmtss.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package ibmtss
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -21,15 +21,18 @@
 %define libpkgname %{libname}%{libversion}
 
 Name:           ibmtss
-Version:        2.1.1
+Version:        2.4.0
 Release:        0
 Summary:        IBM's TPM 2.0 TSS
 License:        BSD-3-Clause
 Group:          Productivity/Security
-URL:            https://sourceforge.net/projects/ibmtpm20tss
-Source:         https://sourceforge.net/projects/ibmtpm20tss/files/ibmtss%{version}.tar.gz
+URL:            https://github.com/kgoldman/ibmtss
+Source:         https://github.com/kgoldman/ibmtss/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source1:        90-tpm-ibmtss.rules
 Patch1:         ibmtss-configure.ac-Do-not-disable-optimization-for-debug-b.patch
+Patch2:         tss-Commit-changelog-and-autotools-version-update.patch
+Patch3:         utils-Update-.so-version-to-2.4.patch
+Patch4:         ibmtss-2.4.0-fix-FTBFS-2026.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  ibmswtpm2
@@ -71,8 +74,7 @@ Requires:       %{name} = %{version}
 Includes IBM's TPM 2.0 TSS C header files
 
 %prep
-%setup -q -c
-%autopatch -p1
+%autosetup -p1
 
 %build
 autoreconf -ifv
@@ -107,7 +109,7 @@ find %{buildroot} -name .cvsignore | xargs rm -v
 
 %files
 %license LICENSE
-%doc ibmtss.docx
+%doc ibmtss.html ibmtss.docx README
 %{_bindir}/tss*
 %{_mandir}/man1/tss*.1%{?ext_man}
 

tss-Commit-changelog-and-autotools-version-update.patch

@@ -0,0 +1,69 @@
+From 851bdd1ba8f5bda7f739161ec8db27f3df383751 Mon Sep 17 00:00:00 2001
+From: Ken Goldman <kgold@linux.ibm.com>
+Date: Mon, 14 Oct 2024 14:05:24 -0400
+Subject: [PATCH] tss: Commit changelog and autotools version update
+
+Signed-off-by: Ken Goldman <kgold@linux.ibm.com>
+---
+ ChangeLog    | 12 ++++++++++++
+ configure.ac |  6 +++---
+ tss2.spec    |  2 +-
+ 3 files changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index b2433926fa3e..024eda389b88 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,15 @@
++----------------
++Changes in 2.4.0
++----------------
++
++Add support for SHA-256, SHA-384, and SHA-512 IMA event logs. Add
++local command line support and update the API to support
++attestation. Add known value test to event regression tests. Change
++the -ty switch to -ealg for event log angorithms.
++
++Add support for EK intermediate certificates in the IWG standard
++locations.
++
+ ----------------
+ Changes in 2.3 1
+ ----------------
+diff --git a/configure.ac b/configure.ac
+index 081bc19528e0..30e9254b339a 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -3,13 +3,13 @@
+ 
+ # Set package release version"
+ # After committing set git tag version.
+-AC_INIT(ibmtss, 2.3.1, kgold@linux.ibm.com)
++AC_INIT(ibmtss, 2.4.0, kgold@linux.ibm.com)
+ AC_PREREQ([2.63])
+ 
+ # Convert major.minor.micro to libtool versioning (current-revision-age)
+ TSSLIB_VER_MAJOR=2
+-TSSLIB_VER_MINOR=3
+-TSSLIB_VER_MICRO=1
++TSSLIB_VER_MINOR=4
++TSSLIB_VER_MICRO=0
+ TSSLIB_VERSION_INFO=`expr $TSSLIB_VER_MAJOR + $TSSLIB_VER_MINOR`:$TSSLIB_VER_MICRO:$TSSLIB_VER_MINOR
+ AC_SUBST([TSSLIB_VERSION_INFO], [$TSSLIB_VERSION_INFO])
+ 
+diff --git a/tss2.spec b/tss2.spec
+index e32583d69b11..68c2047f96f5 100644
+--- a/tss2.spec
++++ b/tss2.spec
+@@ -7,7 +7,7 @@
+ 
+ Name:           tss2
+ # this is the release of the TSS library
+-Version:        2.3.2
++Version:        2.4.0
+ # this is the release of the fedora package, goes back to 1 when version changes
+ Release:        1%{?dist}
+ Epoch:          1
+-- 
+2.46.1
+

utils-Update-.so-version-to-2.4.patch

@@ -0,0 +1,104 @@
+From 7cd742915823c0e18439c207018292c46deef513 Mon Sep 17 00:00:00 2001
+From: Ken Goldman <kgold@linux.ibm.com>
+Date: Thu, 17 Oct 2024 16:41:36 -0400
+Subject: [PATCH] utils: Update .so version to 2.4
+
+Signed-off-by: Ken Goldman <kgold@linux.ibm.com>
+---
+ utils/makefile.nofile | 4 ++--
+ utils/makefiletpm12   | 4 ++--
+ utils/makefiletpm20   | 4 ++--
+ utils/makefiletpmc    | 4 ++--
+ 4 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/utils/makefile.nofile b/utils/makefile.nofile
+index 860ab6f019db..f67581cd9f8b 100644
+--- a/utils/makefile.nofile
++++ b/utils/makefile.nofile
+@@ -90,7 +90,7 @@ LNAFLAGS += -pie -Wl,-z,now -Wl,-rpath,.
+ LNALIBS +=  -libmtssutils -libmtssmin
+ 
+ # versioned shared library
+-LIBTSSVERSIONED=libibmtssmin.so.2.1
++LIBTSSVERSIONED=libibmtssmin.so.2.4
+ 
+ # soname field of the shared library
+ # which will be made symbolic link to the versioned shared library
+@@ -109,7 +109,7 @@ endif
+ 
+ # TSS utilities shared library
+ 
+-LIBTSSUTILSVERSIONED=libibmtssutils.so.2.1
++LIBTSSUTILSVERSIONED=libibmtssutils.so.2.4
+ LIBTSSUTILSSONAME=libibmtssutils.so.2
+ LIBTSSUTILS=libibmtssutils.so
+ 
+diff --git a/utils/makefiletpm12 b/utils/makefiletpm12
+index 9a115cbd3003..cae10cbec301 100644
+--- a/utils/makefiletpm12
++++ b/utils/makefiletpm12
+@@ -103,7 +103,7 @@ LNALIBS +=  -libmtss
+ # shared library
+ 
+ # versioned shared library
+-LIBTSSVERSIONED=libibmtss.so.2.1
++LIBTSSVERSIONED=libibmtss.so.2.4
+ 
+ # soname field of the shared library
+ # which will be made symbolic link to the versioned shared library
+@@ -122,7 +122,7 @@ endif
+ 
+ # TSS utilities shared library
+ 
+-LIBTSSUTILSVERSIONED=libibmtssutils.so.2.1
++LIBTSSUTILSVERSIONED=libibmtssutils.so.2.4
+ LIBTSSUTILSSONAME=libibmtssutils.so.2
+ LIBTSSUTILS=libibmtssutils.so
+ 
+diff --git a/utils/makefiletpm20 b/utils/makefiletpm20
+index f6e55a9e822f..88e9343b76e8 100644
+--- a/utils/makefiletpm20
++++ b/utils/makefiletpm20
+@@ -140,7 +140,7 @@ LNALIBS +=  -libmtssutils -libmtss
+ # shared library
+ 
+ # versioned shared library
+-LIBTSSVERSIONED=libibmtss.so.2.3
++LIBTSSVERSIONED=libibmtss.so.2.4
+ 
+ # soname field of the shared library
+ # which will be made symbolic link to the versioned shared library
+@@ -159,7 +159,7 @@ endif
+ 
+ # TSS utilities shared library
+ 
+-LIBTSSUTILSVERSIONED=libibmtssutils.so.2.3
++LIBTSSUTILSVERSIONED=libibmtssutils.so.2.4
+ LIBTSSUTILSSONAME=libibmtssutils.so.2
+ LIBTSSUTILS=libibmtssutils.so
+ 
+diff --git a/utils/makefiletpmc b/utils/makefiletpmc
+index d2558f33b16b..00748b174bd4 100644
+--- a/utils/makefiletpmc
++++ b/utils/makefiletpmc
+@@ -108,7 +108,7 @@ LNALIBS +=  -libmtssutils -libmtss
+ # shared library
+ 
+ # versioned shared library
+-LIBTSSVERSIONED=libibmtss.so.2.3
++LIBTSSVERSIONED=libibmtss.so.2.4
+ 
+ # soname field of the shared library
+ # which will be made symbolic link to the versioned shared library
+@@ -127,7 +127,7 @@ endif
+ 
+ # TSS utilities shared library
+ 
+-LIBTSSUTILSVERSIONED=libibmtssutils.so.2.3
++LIBTSSUTILSVERSIONED=libibmtssutils.so.2.4
+ LIBTSSUTILSSONAME=libibmtssutils.so.2
+ LIBTSSUTILS=libibmtssutils.so
+ 
+-- 
+2.46.1
+