Unverified Commit 9c2ee04b authored by Peder Bergebakken Sundt's avatar Peder Bergebakken Sundt Committed by GitHub

tpm2-pkcs11: 1.9.0 -> 1.9.1 + adopt (#378737)

parents 1718372c 1488556b
+58 −0
diff --git a/Makefile-integration.am b/Makefile-integration.am
index e2255de..3cea1d8 100644
--- a/Makefile-integration.am
+++ b/Makefile-integration.am
@@ -7,7 +7,6 @@ integration_scripts = \
     test/integration/pkcs11-dbup.sh.nosetup \
     test/integration/tls-tests.sh \
     test/integration/openssl.sh \
-    test/integration/pkcs11-javarunner.sh.java \
     test/integration/nss-tests.sh \
     test/integration/ptool-link.sh.nosetup \
     test/integration/python-pkcs11.sh
@@ -110,13 +109,5 @@ test_integration_pkcs_lockout_int_CFLAGS  = $(AM_CFLAGS) $(TESTS_CFLAGS)
 test_integration_pkcs_lockout_int_LDADD   = $(TESTS_LDADD)  $(SQLITE3_LIBS)
 test_integration_pkcs_lockout_int_SOURCES = test/integration/pkcs-lockout.int.c test/integration/test.c
 
-#
-# Java Tests
-#
-AM_JAVA_LOG_FLAGS = --tabrmd-tcti=$(TABRMD_TCTI) --tsetup-script=$(top_srcdir)/test/integration/scripts/create_pkcs_store.sh
-JAVA_LOG_COMPILER=$(LOG_COMPILER)
-dist_noinst_JAVA = test/integration/PKCS11JavaTests.java
-CLEANFILES += test/integration/PKCS11JavaTests.class
-
 endif
 # END INTEGRATION
diff --git a/configure.ac b/configure.ac
index 1ec6eb4..7a0a8ee 100644
--- a/configure.ac
+++ b/configure.ac
@@ -258,13 +258,6 @@ AC_ARG_ENABLE(
     [build and execute integration tests])],,
   [enable_integration=no])
 
-# Test for Java compiler and interpreter without throwing fatal errors (since
-# these macros are defined using AC_DEFUN they cannot be called conditionally)
-m4_pushdef([AC_MSG_ERROR], [have_javac=no])
-AX_PROG_JAVAC()
-AX_PROG_JAVA()
-m4_popdef([AC_MSG_ERROR])
-
 AC_DEFUN([integration_test_checks], [
 
   AC_CHECK_PROG([tpm2_createprimary], [tpm2_createprimary], [yes], [no])
@@ -382,13 +375,6 @@ AC_DEFUN([integration_test_checks], [
         [AC_MSG_ERROR([Integration tests enabled but tss2_provision executable not found.])])
   ])
 
-  AS_IF([test "x$have_javac" = "xno"],
-    [AC_MSG_ERROR([Integration tests enabled but no Java compiler was found])])
-  AX_CHECK_CLASS([org.junit.Assert], ,
-    [AC_MSG_ERROR([Integration tests enabled but JUnit not found, try setting CLASSPATH])])
-  AX_CHECK_CLASS([org.hamcrest.SelfDescribing], ,
-    [AC_MSG_ERROR([Integration tests enabled but Hamcrest not found, try setting CLASSPATH])])
-
   AC_SUBST([ENABLE_INTEGRATION], [$enable_integration])
 ]) # end function integration_test_checks
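Review bot: The new patch carries no preamble saying what it changes or why, unlike the `git format-patch` header on the patch this commit deletes, so the next updater cannot tell whether it is a nixpkgs-only workaround or something to upstream; a short header above `diff --git a/Makefile-integration.am`, e.g. `Drop the JUnit/Hamcrest-based Java integration tests and the javac/JUnit configure checks; those dependencies are not available in the nixpkgs build.`, would suffice. Removing `AX_PROG_JAVAC`/`AX_CHECK_CLASS` together with `dist_noinst_JAVA` means `configure` no longer probes for a Java toolchain at all, which is fine for this build but leaves `test/integration/PKCS11JavaTests.java` and `pkcs11-javarunner.sh.java` in the tree unexercised (assuming the 1.9.1 sources still ship them). If the patch is intended for upstream, gating the Java tests behind a configure switch would be a more acceptable form than deleting them; as a local workaround the header is enough.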
  
+0 −51
From 2e3e3c0b0f4e0c19e411fd46358930bf158ad3f5 Mon Sep 17 00:00:00 2001
From: Jonathan McDowell <noodles@earth.li>
Date: Wed, 1 Feb 2023 09:29:58 +0000
Subject: [PATCH] Gracefully fail FAPI init when it's not compiled in

Instead of emitting:

   WARNING: Getting tokens from fapi backend failed.

errors when FAPI support is not compiled in gracefully fail the FAPI
init and don't log any warnings. We'll still produce a message
indicating this is what's happened in verbose mode, but normal operation
no longer gets an unnecessary message.

Fixes #792

Signed-off-by: Jonathan McDowell <noodles@earth.li>
---
 src/lib/backend.c      | 4 +++-
 src/lib/backend_fapi.c | 3 ++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/lib/backend.c b/src/lib/backend.c
index ca5e2ccf..128f58b9 100644
--- a/src/lib/backend.c
+++ b/src/lib/backend.c
@@ -53,7 +53,9 @@ CK_RV backend_init(void) {
             LOGE(msg);
             return rv;
         }
-        LOGW(msg);
+        if (rv != CKR_FUNCTION_NOT_SUPPORTED) {
+            LOGW(msg);
+        }
     } else {
         fapi_init = true;
     }
diff --git a/src/lib/backend_fapi.c b/src/lib/backend_fapi.c
index fe594f0e..3a203632 100644
--- a/src/lib/backend_fapi.c
+++ b/src/lib/backend_fapi.c
@@ -977,7 +977,8 @@ CK_RV backend_fapi_token_changeauth(token *tok, bool user, twist toldpin, twist
 
 CK_RV backend_fapi_init(void) {
 
-	return CKR_OK;
+	LOGV("FAPI not enabled, failing init");
+	return CKR_FUNCTION_NOT_SUPPORTED;
 }
 
 CK_RV backend_fapi_destroy(void) {
+160 −57
{
  stdenv,
  lib,
  fetchFromGitHub,
  pkg-config,
  autoreconfHook,
  autoconf-archive,
  autoreconfHook,
  buildEnv,
  clangStdenv,
  cmocka,
  dbus,
  expect,
  fetchFromGitHub,
  glibc,
  gnutls,
  iproute2,
  lib,
  libyaml,
  makeWrapper,
  patchelf,
  tpm2-tss,
  tpm2-tools,
  opensc,
  openssh,
  openssl,
  sqlite,
  nss,
  p11-kit,
  patchelf,
  pkg-config,
  python3,
  glibc,
  libyaml,
  abrmdSupport ? true,
  tpm2-abrmd ? null,
  stdenv,
  sqlite,
  swtpm,
  tpm2-abrmd,
  tpm2-openssl,
  tpm2-pkcs11, # for passthru abrmd tests
  tpm2-tools,
  tpm2-tss,
  which,
  xxd,
  abrmdSupport ? false,
  fapiSupport ? true,
  enableFuzzing ? false,
}:

stdenv.mkDerivation rec {
let
  chosenStdenv = if enableFuzzing then clangStdenv else stdenv;
in
chosenStdenv.mkDerivation (finalAttrs: {
  pname = "tpm2-pkcs11";
  version = "1.9.0";
  version = "1.9.1";

  src = fetchFromGitHub {
    owner = "tpm2-software";
    repo = pname;
    rev = version;
    sha256 = "sha256-SoHtgZRIYNJg4/w1MIocZAM26mkrM+UOQ+RKCh6nwCk=";
    repo = "tpm2-pkcs11";
    tag = finalAttrs.version;
    hash = "sha256-W74ckrpK7ypny1L3Gn7nNbOVh8zbHavIk/TX3b8XbI8=";
  };

  patches = [
    ./version.patch
    ./graceful-fapi-fail.patch
  ];
  # Disable Java‐based tests because of missing dependencies
  patches = [ ./disable-java-integration.patch ];

  postPatch = ''
    echo ${lib.escapeShellArg finalAttrs.version} >VERSION

    # Don't run git in the bootstrap
    substituteInPlace bootstrap --replace-warn "git" "# git"

    # Provide configuration file for D-Bus
    substituteInPlace Makefile.am --replace-fail \
      "dbus-run-session" \
      "dbus-run-session --config-file=${dbus}/share/dbus-1/session.conf"

    # Disable failing tests
    sed -E -i '/\<test\/integration\/(pkcs-crypt\.int|pkcs11-tool\.sh)\>/d' \
      Makefile-integration.am

    patchShebangs test tools

    # The preConfigure phase doesn't seem to be working here
    # ./bootstrap MUST be executed as the first step, before all
    # of the autoreconfHook stuff
  postPatch = ''
    echo ${version} > VERSION
    ./bootstrap
  '';

  configureFlags = lib.optionals (!fapiSupport) [
    # Note: this will be renamed to with-fapi in next release.
    "--enable-fapi=no"
  ];
  configureFlags =
    [
      (lib.enableFeature finalAttrs.doCheck "unit")
      (lib.enableFeature finalAttrs.doCheck "integration")
    ]
    ++ lib.optionals enableFuzzing [
      "--enable-fuzzing"
      "--disable-hardening"
    ]
    ++ lib.optional fapiSupport "--with-fapi";

  strictDeps = true;

  nativeBuildInputs = [
    pkg-config
    autoreconfHook
    autoconf-archive
    autoreconfHook
    makeWrapper
    patchelf
  ];
  buildInputs = [
    tpm2-tss
    tpm2-tools
    opensc
    openssl
    sqlite
    libyaml
    pkg-config
    (python3.withPackages (
      ps: with ps; [
      ps:
      with ps;
      [
        packaging
        pyyaml
        python-pkcs11
        cryptography
        pyasn1-modules
        tpm2-pytss
      ]
      ++ cryptography.optional-dependencies.ssh
    ))
  ];

  buildInputs = [
    libyaml
    opensc
    openssl
    sqlite
    tpm2-tools
    tpm2-tss
  ];

  nativeCheckInputs = [
    dbus
    expect
    gnutls
    iproute2
    nss.tools
    opensc
    openssh
    openssl
    p11-kit
    sqlite
    swtpm
    tpm2-abrmd
    tpm2-tools
    which
    xxd
  ];

  checkInputs = [
    cmocka
    tpm2-abrmd
  ];

  enableParallelBuilding = true;
  hardeningDisable = lib.optional enableFuzzing "all";

  outputs = [
    "out"
    "bin"
    "dev"
  ];

  doCheck = true;
  dontStrip = true;
  dontPatchELF = true;

  preCheck =
    let
      openssl-modules = buildEnv {
        name = "openssl-modules";
        pathsToLink = [ "/lib/ossl-modules" ];
        paths = map lib.getLib [
          openssl
          tpm2-openssl
        ];
      };
    in
    ''
      # Enable tests to load TCTI modules
      export LD_LIBRARY_PATH+=":${
        lib.makeLibraryPath [
          swtpm
          tpm2-tools
          tpm2-abrmd
        ]
      }"

      # Enable tests to load TPM2 OpenSSL module
      export OPENSSL_MODULES="${openssl-modules}/lib/ossl-modules"
    '';

  postInstall = ''
    mkdir -p $bin/bin/ $bin/share/tpm2_pkcs11/
    mv ./tools/* $bin/share/tpm2_pkcs11/
    makeWrapper $bin/share/tpm2_pkcs11/tpm2_ptool.py $bin/bin/tpm2_ptool \
      --prefix PATH : ${lib.makeBinPath [ tpm2-tools ]}
  '';

  # To be able to use the userspace resource manager, the RUNPATH must
  # explicitly include the tpm2-abrmd shared libraries.
  preFixup =
    let
      rpath = lib.makeLibraryPath (
        (lib.optional abrmdSupport tpm2-abrmd)
        ++ [
          tpm2-tss
          sqlite
          openssl
        [
          glibc
          libyaml
          openssl
          sqlite
          tpm2-tss
        ]
        ++ (lib.optional abrmdSupport tpm2-abrmd)
      );
    in
    ''
@@ -106,19 +210,18 @@ stdenv.mkDerivation rec {
        $out/lib/libtpm2_pkcs11.so.0.0.0
    '';

  postInstall = ''
    mkdir -p $bin/bin/ $bin/share/tpm2_pkcs11/
    mv ./tools/* $bin/share/tpm2_pkcs11/
    makeWrapper $bin/share/tpm2_pkcs11/tpm2_ptool.py $bin/bin/tpm2_ptool \
      --prefix PATH : ${lib.makeBinPath [ tpm2-tools ]}
  '';
  passthru = {
    tests.tpm2-pkcs11-abrmd = tpm2-pkcs11.override {
      abrmdSupport = true;
    };
  };

  meta = with lib; {
  meta = {
    description = "PKCS#11 interface for TPM2 hardware";
    homepage = "https://github.com/tpm2-software/tpm2-pkcs11";
    license = licenses.bsd2;
    platforms = platforms.linux;
    maintainers = [ ];
    license = lib.licenses.bsd2;
    platforms = lib.platforms.linux;
    maintainers = with lib.maintainers; [ numinit ];
    mainProgram = "tpm2_ptool";
  };
}
})
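Review bot: `(lib.enableFeature finalAttrs.doCheck "integration")` passes `--enable-integration` whenever the attribute is literally `true`, but the patched `configure.ac` in this commit hard-fails with `AC_MSG_ERROR([Integration tests enabled but tss2_provision executable not found.])` when the test tools are absent, and `nativeCheckInputs` are only on PATH when the effective `doCheck` is on; a build where stdenv forces checks off (cross-compilation) would presumably die at configure instead of skipping the tests, so this is worth confirming, and the usual guard is `doCheck = chosenStdenv.buildPlatform.canExecute chosenStdenv.hostPlatform;` so that `finalAttrs.doCheck` tracks the effective value. The `sed -E -i '/\<test\/integration\/(pkcs-crypt\.int|pkcs11-tool\.sh)\>/d'` line is explained only as `# Disable failing tests`; record the cause so they can be re-enabled, e.g. `# pkcs-crypt.int and pkcs11-tool.sh fail in the sandbox: <reason or upstream issue>`. `substituteInPlace bootstrap --replace-warn "git" "# git"` comments out every occurrence of the substring `git` in `bootstrap`, not just the `git describe --tags --always --dirty > VERSION` line the dropped `version.patch` removed; if that is still the only invocation in 1.9.1, `--replace-fail "git describe" "# git describe"` is narrower and fails loudly when upstream changes the script.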
+0 −10
--- a/bootstrap
+++ b/bootstrap
@@ -4,7 +4,6 @@
 
 # Generate a VERSION file that is included in the dist tarball to avoid needed git
 # when calling autoreconf in a release tarball.
-git describe --tags --always --dirty > VERSION
 
 # generate list of source files for use in Makefile.am
 # if you add new source files, you must run ./bootstrap again