* [Buildroot] [PATCH next] tpm2-tss: force libopenssl as openssl provider
@ 2018-11-21 2:44 Carlos Santos
2018-11-24 14:10 ` Thomas Petazzoni
0 siblings, 1 reply; 2+ messages in thread
From: Carlos Santos @ 2018-11-21 2:44 UTC (permalink / raw)
To: buildroot
Select BR2_PACKAGE_OPENSSL_FORCE_LIBOPENSSL and drop the patch to
compile with libressl.
The discussion with the tpm2-tss developers led to the conclusion that
libressl lacks some required functionalities. Quoting Andreas Fuchs[1]:
"LibreSSL does not support OAEP-mode with labels at all, even though the
internal OAEP-padding-function includes the parameters already. [...]
Further, the internal OAEP-padding-function does not support variable
hash algs, but statically uses SHA1."
Notice that there will NOT be an option to use libgcrypt. OpenSSL will
soon become the default ESAPI crypto backend to prevent the problem of
forcing applications to link against both libgcrypt and libssl[2].
1. https://github.com/tpm2-software/tpm2-tss/pull/1207#issuecomment-440217659
2. https://github.com/tpm2-software/tpm2-tss/issues/1169
Signed-off-by: Carlos Santos <casantos@datacom.com.br>
---
.../0001-ESYS-Fix-build-with-LibreSSL.patch | 48 -------------------
package/tpm2-tss/Config.in | 1 +
2 files changed, 1 insertion(+), 48 deletions(-)
delete mode 100644 package/tpm2-tss/0001-ESYS-Fix-build-with-LibreSSL.patch
diff --git a/package/tpm2-tss/0001-ESYS-Fix-build-with-LibreSSL.patch b/package/tpm2-tss/0001-ESYS-Fix-build-with-LibreSSL.patch
deleted file mode 100644
index d8bf2a665c..0000000000
--- a/package/tpm2-tss/0001-ESYS-Fix-build-with-LibreSSL.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From e8b8ecd2f761430dd2e2c74505974b429fe6b40f Mon Sep 17 00:00:00 2001
-From: Carlos Santos <casantos@datacom.com.br>
-Date: Wed, 14 Nov 2018 23:31:25 -0200
-Subject: [PATCH] ESYS: Fix build with LibreSSL
-
-RAND_bytes() is declared in rand.h. Also, LibreSSL does not provide OAEP
-macros EVP_PKEY_CTX_set0_rsa_oaep_label and EVP_PKEY_CTX_set_rsa_oaep_md
-so use them conditionally.
-
-Signed-off-by: Carlos Santos <casantos@datacom.com.br>
----
- src/tss2-esys/esys_crypto_ossl.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c
-index 43088f4a..6c0c76fe 100644
---- a/src/tss2-esys/esys_crypto_ossl.c
-+++ b/src/tss2-esys/esys_crypto_ossl.c
-@@ -10,6 +10,7 @@
- #include <openssl/aes.h>
- #include <openssl/rsa.h>
- #include <openssl/engine.h>
-+#include <openssl/rand.h>
- #include <stdio.h>
-
- #include "tss2_esys.h"
-@@ -660,6 +661,8 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
- "Could not set RSA passing.", cleanup);
- }
-
-+/* LibreSSL does not provide these OAEP functions */
-+#ifdef EVP_PKEY_CTX_set0_rsa_oaep_label
- if (1 != EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, label, strlen(label)+1)) {
- goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
- "Could not set RSA label.", cleanup);
-@@ -669,6 +672,9 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
- goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
- "Could not set hash algorithm.", cleanup);
- }
-+#else
-+ (void) label;
-+#endif
-
- /* Determine out size */
- if (1 != EVP_PKEY_encrypt(ctx, NULL, out_size, in_buffer, in_size)) {
---
-2.19.1
-
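Review bot: the `+#else` / `+ (void) label;` branch in the deleted patch is worth calling out in the commit message as a silent runtime breakage, not merely a missing feature: on LibreSSL, `iesys_cryptossl_pk_encrypt` compiled but skipped both `EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, label, strlen(label)+1)` and the OAEP hash setting without any error, so the padded output could never match what a peer expecting that label and hash would unpad. Stating that explicitly in the message would discourage anyone from reintroducing a conditional fallback of this shape later; deleting the patch outright, as done here, is the right call.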
diff --git a/package/tpm2-tss/Config.in b/package/tpm2-tss/Config.in
index 933adb4b2a..2fb5b0f213 100644
--- a/package/tpm2-tss/Config.in
+++ b/package/tpm2-tss/Config.in
@@ -3,6 +3,7 @@ config BR2_PACKAGE_TPM2_TSS
depends on !BR2_STATIC_LIBS # dlfcn.h
select BR2_PACKAGE_LIBURIPARSER
select BR2_PACKAGE_OPENSSL
+ select BR2_PACKAGE_OPENSSL_FORCE_LIBOPENSSL
help
OSS implementation of the Trusted Computing Group's (TCG) TPM2
Software Stack (TSS). This stack consists of the following
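Review bot: the new `+ select BR2_PACKAGE_OPENSSL_FORCE_LIBOPENSSL` line carries no inline justification, while the neighbouring `depends on !BR2_STATIC_LIBS # dlfcn.h` does; add a trailing comment such as `# OAEP with labels, variable hash` so the select is not later dropped as redundant next to `select BR2_PACKAGE_OPENSSL`, since the reason only lives in this commit message.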
--
2.19.1
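The commit message above says LibreSSL cannot do OAEP with a label or with a hash other than SHA-1. The following added example, which is not part of this Buildroot patch or of tpm2-tss, implements just the EME-OAEP padding layer from RFC 8017 (no RSA) in Python with a caller-chosen label and hash, and then shows that a decoder using an empty label, or a decoder fixed to SHA-1, rejects an encoding produced with a label and SHA-256. The label value `DUPLICATE` with a trailing NUL byte is a constructed illustration, chosen only because the dropped patch passes `strlen(label)+1` bytes, that is, the label including its terminator; the decoder is deliberately not constant-time and is a teaching version only.

```python
"""EME-OAEP (RFC 8017 section 7.1.1) with a caller-chosen label and hash.

Added example, not code from the Buildroot patch or from tpm2-tss. Only the
padding layer is implemented, not RSA itself, to show that both the label and
the hash function are inputs to the encoding: a backend that ignores the label
or hard-codes SHA-1 produces an encoding the other side cannot unpad.
"""
import hashlib
import os
from typing import Optional


def mgf1(seed: bytes, length: int, hash_name: str) -> bytes:
    """Mask generation function MGF1 (RFC 8017 appendix B.2.1)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(message: bytes, label: bytes, hash_name: str, k: int,
                seed: Optional[bytes] = None) -> bytes:
    """Return the k-byte encoded message EM = 0x00 || maskedSeed || maskedDB.

    k is the RSA modulus length in bytes; seed may be fixed for deterministic
    tests but must be fresh random bytes in real use.
    """
    h_len = hashlib.new(hash_name).digest_size
    if len(message) > k - 2 * h_len - 2:
        raise ValueError("message too long")
    l_hash = hashlib.new(hash_name, label).digest()      # lHash = Hash(L)
    ps = b"\x00" * (k - len(message) - 2 * h_len - 2)    # zero padding string
    db = l_hash + ps + b"\x01" + message                 # DB = lHash||PS||01||M
    if seed is None:
        seed = os.urandom(h_len)
    elif len(seed) != h_len:
        raise ValueError("seed must be hLen bytes")
    masked_db = _xor(db, mgf1(seed, k - h_len - 1, hash_name))
    masked_seed = _xor(seed, mgf1(masked_db, h_len, hash_name))
    return b"\x00" + masked_seed + masked_db


def oaep_decode(em: bytes, label: bytes, hash_name: str) -> bytes:
    """Recover the message, or raise ValueError on any padding mismatch.

    A production decoder must make these checks constant-time (Manger's
    attack); this teaching version only shows which fields are compared.
    """
    h_len = hashlib.new(hash_name).digest_size
    k = len(em)
    if k < 2 * h_len + 2 or em[0] != 0:
        raise ValueError("decoding error")
    masked_seed, masked_db = em[1:1 + h_len], em[1 + h_len:]
    seed = _xor(masked_seed, mgf1(masked_db, h_len, hash_name))
    db = _xor(masked_db, mgf1(seed, k - h_len - 1, hash_name))
    l_hash = hashlib.new(hash_name, label).digest()
    if db[:h_len] != l_hash:
        # Reached when the label differs or when the hash differs: both the
        # lHash field and the MGF1 masks depend on them.
        raise ValueError("decoding error")
    rest = db[h_len:]
    sep = rest.find(b"\x01")
    if sep == -1 or any(rest[:sep]):
        raise ValueError("decoding error")
    return rest[sep + 1:]


def demo() -> dict:
    """Encode with a label and SHA-256, then try three decoders."""
    k = 256                       # modulus size of a 2048-bit key, in bytes
    label = b"DUPLICATE\x00"      # constructed; includes the NUL terminator
    msg = b"constructed symmetric seed material"
    em = oaep_encode(msg, label, "sha256", k)
    result = {"roundtrip": oaep_decode(em, label, "sha256") == msg}
    for name, (lbl, h) in {"wrong_label_rejected": (b"", "sha256"),
                           "sha1_rejected": (label, "sha1")}.items():
        try:
            oaep_decode(em, lbl, h)
            result[name] = False
        except ValueError:
            result[name] = True
    return result


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `{'roundtrip': True, 'wrong_label_rejected': True, 'sha1_rejected': True}`: the only decoder that succeeds is the one using the same label and hash as the encoder, which is exactly what a backend with a fixed SHA-1 and no label support cannot provide.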
* [Buildroot] [PATCH next] tpm2-tss: force libopenssl as openssl provider
2018-11-21 2:44 [Buildroot] [PATCH next] tpm2-tss: force libopenssl as openssl provider Carlos Santos
@ 2018-11-24 14:10 ` Thomas Petazzoni
0 siblings, 0 replies; 2+ messages in thread
From: Thomas Petazzoni @ 2018-11-24 14:10 UTC (permalink / raw)
To: buildroot
Hello,
On Wed, 21 Nov 2018 00:44:37 -0200, Carlos Santos wrote:
> Select BR2_PACKAGE_OPENSSL_FORCE_LIBOPENSSL and drop the patch to
> compile with libressl.
>
> The discussion with the tpm2-tss developers led to the conclusion that
> libressl lacks some required functionalities. Quoting Andreas Fuchs[1]:
> "LibreSSL does not support OAEP-mode with labels at all, even though the
> internal OAEP-padding-function includes the parameters already. [...]
> Further, the internal OAEP-padding-function does not support variable
> hash algs, but statically uses SHA1."
>
> Notice that there will NOT be an option to use libgcrypt. OpenSSL will
> soon become the default ESAPI crypto backend to prevent the problem of
> forcing applications to link against both libgcrypt and libssl[2].
>
> 1. https://github.com/tpm2-software/tpm2-tss/pull/1207#issuecomment-440217659
> 2. https://github.com/tpm2-software/tpm2-tss/issues/1169
>
> Signed-off-by: Carlos Santos <casantos@datacom.com.br>
> ---
> .../0001-ESYS-Fix-build-with-LibreSSL.patch | 48 -------------------
> package/tpm2-tss/Config.in | 1 +
> 2 files changed, 1 insertion(+), 48 deletions(-)
> delete mode 100644 package/tpm2-tss/0001-ESYS-Fix-build-with-LibreSSL.patch
Applied to next, thanks.
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com