Merge pull request #266568 from nbdd0121/tpm2

diff --git a/configure.ac b/configure.ac

index e861e42..018c19c 100644

--- a/configure.ac

+++ b/configure.ac

@@ -26,7 +26,7 @@

 #;**********************************************************************;

 AC_INIT([tpm2-pkcs11],

-  [m4_esyscmd_s([git describe --tags --always --dirty])],

+  [git-@VERSION@],

   [https://github.com/tpm2-software/tpm2-pkcs11/issues],

   [],

   [https://github.com/tpm2-software/tpm2-pkcs11])

, pkg-config, autoreconfHook, autoconf-archive, makeWrapper, patchelf

, tpm2-tss, tpm2-tools, opensc, openssl, sqlite, python3, glibc, libyaml

, abrmdSupport ? true, tpm2-abrmd ? null

, fapiSupport ? true

}:

stdenv.mkDerivation rec {

  pname = "tpm2-pkcs11";

  version = "1.8.0";

  version = "1.9.0";

  src = fetchFromGitHub {

    owner = "tpm2-software";

    repo = pname;

    rev = version;

    sha256 = "sha256-f5wi0nIM071yaQCwPkY1agKc7OEQa/IxHJc4V2i0Q9I=";

    sha256 = "sha256-SoHtgZRIYNJg4/w1MIocZAM26mkrM+UOQ+RKCh6nwCk=";

  };

  patches = lib.singleton (

    substituteAll {

      src = ./0001-configure-ac-version.patch;

      VERSION = version;

    });

  patches = [

    ./version.patch

    ./graceful-fapi-fail.patch

  ];

  # The preConfigure phase doesn't seem to be working here

  # ./bootstrap MUST be executed as the first step, before all

  # of the autoreconfHook stuff

  postPatch = ''

    echo ${version} > VERSION

    ./bootstrap

  '';

  configureFlags = lib.optionals (!fapiSupport) [

    # Note: this will be renamed to with-fapi in next release.

    "--enable-fapi=no"

  ];

  nativeBuildInputs = [

    pkg-config autoreconfHook autoconf-archive makeWrapper patchelf

  ];

From 2e3e3c0b0f4e0c19e411fd46358930bf158ad3f5 Mon Sep 17 00:00:00 2001

From: Jonathan McDowell <noodles@earth.li>

Date: Wed, 1 Feb 2023 09:29:58 +0000

Subject: [PATCH] Gracefully fail FAPI init when it's not compiled in

Instead of emitting:

   WARNING: Getting tokens from fapi backend failed.

errors when FAPI support is not compiled in gracefully fail the FAPI

init and don't log any warnings. We'll still produce a message

indicating this is what's happened in verbose mode, but normal operation

no longer gets an unnecessary message.

Fixes #792

Signed-off-by: Jonathan McDowell <noodles@earth.li>

---

 src/lib/backend.c      | 4 +++-

 src/lib/backend_fapi.c | 3 ++-

 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/lib/backend.c b/src/lib/backend.c

index ca5e2ccf..128f58b9 100644

--- a/src/lib/backend.c

+++ b/src/lib/backend.c

@@ -53,7 +53,9 @@ CK_RV backend_init(void) {

             LOGE(msg);

             return rv;

         }

-        LOGW(msg);

+        if (rv != CKR_FUNCTION_NOT_SUPPORTED) {

+            LOGW(msg);

+        }

     } else {

         fapi_init = true;

     }

diff --git a/src/lib/backend_fapi.c b/src/lib/backend_fapi.c

index fe594f0e..3a203632 100644

--- a/src/lib/backend_fapi.c

+++ b/src/lib/backend_fapi.c

@@ -977,7 +977,8 @@ CK_RV backend_fapi_token_changeauth(token *tok, bool user, twist toldpin, twist

 CK_RV backend_fapi_init(void) {

-	return CKR_OK;

+	LOGV("FAPI not enabled, failing init");

+	return CKR_FUNCTION_NOT_SUPPORTED;

 }

 CK_RV backend_fapi_destroy(void) {

--- a/bootstrap

+++ b/bootstrap

@@ -4,7 +4,6 @@

 # Generate a VERSION file that is included in the dist tarball to avoid needed git

 # when calling autoreconf in a release tarball.

-git describe --tags --always --dirty > VERSION

 # generate list of source files for use in Makefile.am

 # if you add new source files, you must run ./bootstrap again