Accepting request 620445 from security

Please handle together with sr#620443, sr#620444, required dependencies.

- update to major version 3.1.0:
  - the tpm2 stack introduces an incompatible ABI to the previous version with
    this update. There is no compatibility layer, libraries have new names
  - install-man.patch: dropped, because we don't really need it
  - tpm2.0-tools-fix-hardening.patch: contained in upstream tarball now
s etc.
  - upstream changelog:
    * tpm2_unseal: -P becomes -p
    * tpm2_sign: -P becomes -p
    * tpm2_nvreadlock: long form for -P is now --auth-hierarchy
    * tpm2_rsadecrypt: -P becomes -p
    * tpm2_nvrelease: long-form of -P becomes --auth-hierarchy
    * tpm2_nvdefine: -I becomes -p
    * tpm2_encryptdecrypt: -P becomes -p
    * tpm2_dictionarylockout: -P becomes -p
    * tpm2_createprimary: -K becomes -p
    * tpm2_createak: -E becomes -e
    * tpm2_certify: -k becomes -p
    * tpm2_hash: -g changes to -G
    * tpm2_encryptdecrypt: Support IVs via -i and algorithm modes via -G.
    * tpm2_hmac: drop -g, just use the algorithm associated with the object.
    * tpm2_getmanufec: -g changes to -G
    * tpm2_createek: -g changes to -G
    * tpm2_createak: -g changes to -G
    * tpm2_verifysignature: -g becomes -G
    * tpm2_sign: -g becomes -G
    * tpm2_import: support specifying parent key with a context file,
      --parent-key-handle/-H becomes --parent-key/-C
    * tpm2_nvwrite and tpm2_nvread: when -P is "index" -a is optional and defaults to
      the NV_INDEX value passed to -x.

OBS-URL: https://build.opensuse.org/request/show/620445
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tpm2.0-tools?expand=0&rev=14

install-man.patch

@@ -1,20 +0,0 @@
-Index: tpm2-tools-3.0.4/Makefile.am
-===================================================================
---- tpm2-tools-3.0.4.orig/Makefile.am
-+++ tpm2-tools-3.0.4/Makefile.am
-@@ -273,7 +273,6 @@ EXTRA_DIST = $(top_srcdir)/man \
- 	     RELEASE.md \
- 	     test/system
- 
--if HAVE_PANDOC
-     man1_MANS := \
-     man/man1/tpm2_activatecredential.1 \
-     man/man1/tpm2_certify.1 \
-@@ -315,6 +314,7 @@ if HAVE_PANDOC
-     man/man1/tpm2_unseal.1 \
-     man/man1/tpm2_verifysignature.1
- 
-+if HAVE_PANDOC
- # If pandoc is enabled, we want to generate the manpages for the dist tarball
- EXTRA_DIST += $(man1_MANS)
- else

tpm2-tools-3.0.4.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ac05028347a9fa1da79b5d53b998193de0c3a76000badb961c3feb8b8a0e8e8e
-size 560648

tpm2-tools-3.1.0.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:287c83718cd1910667615b0d4a73400da7ebf93a2fba247461435560269f1375
+size 553400

tpm2.0-tools-fix-hardening.patch

@@ -1,15 +0,0 @@
-Index: tpm2-tools-3.0.3/configure.ac
-===================================================================
---- tpm2-tools-3.0.3.orig/configure.ac
-+++ tpm2-tools-3.0.3/configure.ac
-@@ -130,10 +130,8 @@ AS_IF([test x"$hardening" != x"no"], [
- 
-   add_hardened_c_flag([-Wformat])
-   add_hardened_c_flag([-Wformat-security])
--  add_hardened_c_flag([-Wstack-protector])
-   add_hardened_c_flag([-fstack-protector-all])
- 
--  add_hardened_define_flag([-U_FORTIFY_SOURCE])
-   add_hardened_define_flag([-D_FORTIFY_SOURCE=2])
- 
-   add_hardened_c_flag([-fPIC])

tpm2.0-tools.changes

@@ -1,3 +1,110 @@
+-------------------------------------------------------------------
+Fri Jun 29 12:03:48 UTC 2018 - matthias.gerstner@suse.com
+
+- update to major version 3.1.0:
+  - the tpm2 stack introduces an incompatible ABI to the previous version with
+    this update. There is no compatibility layer, libraries have new names
+  - install-man.patch: dropped, because we don't really need it
+  - tpm2.0-tools-fix-hardening.patch: contained in upstream tarball now
+s etc.
+  - upstream changelog:
+    * tpm2_unseal: -P becomes -p
+    * tpm2_sign: -P becomes -p
+    * tpm2_nvreadlock: long form for -P is now --auth-hierarchy
+    * tpm2_rsadecrypt: -P becomes -p
+    * tpm2_nvrelease: long-form of -P becomes --auth-hierarchy
+    * tpm2_nvdefine: -I becomes -p
+    * tpm2_encryptdecrypt: -P becomes -p
+    * tpm2_dictionarylockout: -P becomes -p
+    * tpm2_createprimary: -K becomes -p
+    * tpm2_createak: -E becomes -e
+    * tpm2_certify: -k becomes -p
+    * tpm2_hash: -g changes to -G
+    * tpm2_encryptdecrypt: Support IVs via -i and algorithm modes via -G.
+    * tpm2_hmac: drop -g, just use the algorithm associated with the object.
+    * tpm2_getmanufec: -g changes to -G
+    * tpm2_createek: -g changes to -G
+    * tpm2_createak: -g changes to -G
+    * tpm2_verifysignature: -g becomes -G
+    * tpm2_sign: -g becomes -G
+    * tpm2_import: support specifying parent key with a context file,
+      --parent-key-handle/-H becomes --parent-key/-C
+    * tpm2_nvwrite and tpm2_nvread: when -P is "index" -a is optional and defaults to
+      the NV_INDEX value passed to -x.
+    * Load TCTI's by SONAME, not raw .so file
+    * tpm2_activatecredential: -e becomes -E
+    * tpm2_activatecredential: -e becomes -E
+    * tpm2_certify: -c and -C are swapped, -k becomes -K
+    * tpm2_createprimary: -K becomes -k
+    * tpm2_encryptdecrypt: supports input and output to stdin and stdout respectively.
+    * tpm2_create: -g/-G become optional options.
+    * tpm2_createprimary: -g/-G become optional options.
+    * tpm2_verifysignature - Option `-r` changes to `-f` and supports signature format "rsa".
+    * tpm2_import - Parent public data option, `-K` is optional.
+    * tpm2_import - Supports importing external RSA 2048 keys via pem files.
+    * tpm2_pcrlist: Option `--algorithm` changes to `--halg`, which is in line with other tools.
+    * tpm2_verifysignature: Option `-r` and `--raw` have been removed. This were unused within the tool.
+    * tpm2_hmac: Option `--algorithm` changes to `--halg`, which is in line with the manpage.
+    * tpm2_makecredential: Option `--sec` changes to `--secret`.
+    * tpm2_activatecredential: Option `--Password` changes to `--auth-key`.
+    * system tests are now run with make check when --enable-unit is used in configure.
+    * tpm2_unseal: Option `--pwdk` changes to `--auth-key`.
+    * tpm2_sign: Option `--pwdk` changes to `--auth-key`.
+    * tpm2_rsadecrypt: Option `--pwdk` changes to `--auth-key`.
+    * tpm2_quote: Option `--ak-passwd` changes to `--auth-ak`
+    * tpm2_pcrevent: Option `--passwd` changes to `--auth-pcr`
+    * tpm2_nvwrite: Options `--authhandle` and `--handle-passwd`
+      changes to `--hierarchy` and `--auth-hierarchy` respectively.
+    * tpm2_nvread: Options `--authhandle` and `--handle-passwd`
+      changes to `--hierarchy` and `--auth-hierarchy` respectively.
+    * tpm2_nvdefine: Options `--authhandle`, `--handle-passwd` and `--index-passwd`
+      changes to `--hierarchy`, `--auth-hierarchy` and `--auth-index`
+      respectively.
+    * tpm2_loadexternal: `-H` changes to `-a` for specifying hierarchy.
+    * tpm2_load: Option `--pwdp` changes to `--auth-parent`.
+    * tpm2_hmac: Option `--pwdk` changes to `--auth-key`.
+    * tpm2_hash: `-H` changes to `-a` for specifying hierarchy.
+    * tpm2_getmanufec: Options `--owner-passwd`, `--endorse-passwd`
+    * and `--ek-passwd`change to `--auth-owner`, `--auth-endorse`
+      and `--auth-ek` respectively.
+    * tpm2_evictcontrol: Option group `-A` and `--auth` changes to `-a` and `--hierarchy`
+      Option `--pwda` changes to `--auth-hierarchy`
+    * tpm2_encryptdecrypt: Option `--pwdk` changes to `--auth-key`.
+    * tpm2_dictionarylockout: Option `--lockout-passwd` changes to `--auth-lockout`
+    * tpm2_createprimary: Options `--pwdp` and `--pwdk` change to
+      `--auth-hierarchy` and `--auth-object` respectively.
+    * tpm2_createek: Options `--owner-passwd`, `--endorse-passwd`
+    * and `--ek-passwd`change to `--auth-owner`, `--auth-endorse`
+      and `--auth-ek` respectively.
+    * tpm2_createak: Options `--owner-passwd`, `--endorse-passwd`
+    * and `--ak-passwd`change to `--auth-owner`, `--auth-endorse`
+      and `--auth-ak` respectively.
+    * tpm2_create: Options `--pwdo` and `--pwdk` change to `--auth-object` and
+      `--auth-key` respectively.
+    * tpm2_clearlock: Option `--lockout-passwd` changes to `--auth-lockout`
+    * tpm2_clear: Option `--lockout-passwd` changes to `--auth-lockout`
+    * tpm2_changeauth: Options, `--old-owner-passwd`, `--old-endorse-passwd`,
+      and `--old-lockout-passwd` go to `--old-auth-owner`, `--old-auth-endorse`,
+      and `--old-auth-lockout` respectively.
+    * tpm2_certify: Options `--pwdo` and `--pwdk` change to `--auth-object` and
+      `--auth-key` respectively.
+    * tpm2_createprimary: `-H` changes to `-a` for specifying hierarchy.
+    * tpm2_createak: support for non-persistent AK generation.
+    * tpm2_createek: support for non-persistent EK generation.
+    * tpm2_getpubak renamed to tpm2_createak, -f becomes -p and -f is used for format of public key
+      output.
+    * tpm2_getpubek renamed to tpm2_createek, -f becomes -p and -f is used for format of public key
+      output.
+    * Libre SSL builds fixed.
+    * Dynamic TCTIS. Support for pluggable TCTI modules via the -T or --tcti options.
+    * tpm2_sign: supports signing a pre-computed hash via -D
+    * tpm2_clearlock: tool added
+    * test: system testing scripts moved into subordinate test directory.
+    * fix a buffer overflow in nvread/write tools.
+    * configure: enable code coverage option.
+    * tpm2_takeownership: split into tpm2_clear and tpm2_changeauth
+    * env: add TPM2TOOLS_ENABLE_ERRATA to control the -Z or errata option.
+
 -------------------------------------------------------------------
 Tue Jun  5 09:55:43 UTC 2018 - matthias.gerstner@suse.com
 

tpm2.0-tools.spec

@@ -17,15 +17,13 @@
 
 
 Name:           tpm2.0-tools
-Version:        3.0.4
+Version:        3.1.0
 Release:        0
 Summary:        Trusted Platform Module (TPM) 2.0 administration tools
 License:        BSD-3-Clause
 Group:          Productivity/Security
 Url:            https://github.com/tpm2-software/tpm2-tools/releases
 Source0:        https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/tpm2-tools-%{version}.tar.gz
-Patch0:         tpm2.0-tools-fix-hardening.patch
-Patch1:         install-man.patch
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  gcc-c++
@@ -41,6 +39,10 @@ BuildRequires:  libtool
 # don't need to generate them any more. On openSUSE we can still keep this
 # dependency for having fresh builds of the man pages (if that helps
 # anything?).
+#
+# Update: In the 3.1.0 a required patch is still missing and the man pages
+# won't be installed. they're shipped, though. so if pandoc isn't installed we
+# need to install them explicitly.
 BuildRequires:  pandoc
 %endif
 BuildRequires:  pkgconfig
@@ -59,13 +61,8 @@ associated interfaces.
 
 %prep
 %setup -q -n tpm2-tools-%{version}
-%patch0 -p1
-%patch1 -p1
 
 %build
-# patch1 (install-man) requires to run autoreconf ATM, because it modifies
-# Makefile.am. This can be dropped with the next release containing the fix.
-autoreconf
 %configure --disable-static
 make %{?_smp_mflags}
 
@@ -75,6 +72,12 @@ make %{?_smp_mflags} check
 %install
 make DESTDIR=%{buildroot} install %{?_smp_mflags}
 find %{buildroot} -type f -name "*.la" -delete -print
+%if ! 0%{?is_opensuse}
+# install man pages explicitly, until upstream fixes their installation
+# setup in autotools, see commit 72a28f36151db9bfa59a460ae0114dcece218862
+mkdir -p %{buildroot}/%{_mandir}/man1/
+cp %{_builddir}/tpm2-tools-%{version}/man/man1/* %{buildroot}/%{_mandir}/man1/
+%endif
 
 %files
 %defattr(-,root,root)