From patchwork Wed Nov 21 02:44:37 2018
Content-Type: text/plain; charset="utf-8"
X-Patchwork-Submitter: Carlos Santos
X-Patchwork-Id: 1000850
From: Carlos Santos
To: buildroot@buildroot.org
Date: Wed, 21 Nov 2018 00:44:37 -0200
Message-Id: <20181121024437.21553-1-casantos@datacom.com.br>
Subject: [Buildroot] [PATCH next] tpm2-tss: force libopenssl as openssl provider

Select BR2_PACKAGE_OPENSSL_FORCE_LIBOPENSSL and drop the patch to compile with libressl. The discussion with the tpm2-tss developers led to the conclusion that libressl lacks some required functionalities. Quoting Andreas Fuchs[1]:

"LibreSSL does not support OAEP-mode with labels at all, even though the internal OAEP-padding-function includes the parameters already. [...] Further, the internal OAEP-padding-function does not support variable hash algs, but statically uses SHA1."

Notice that there will NOT be an option to use libgcrypt. OpenSSL will soon become the default ESAPI crypto backend to prevent the problem of forcing applications to link against both libgcrypt and libssl[2].

1. https://github.com/tpm2-software/tpm2-tss/pull/1207#issuecomment-440217659
2. https://github.com/tpm2-software/tpm2-tss/issues/1169

Signed-off-by: Carlos Santos
--- .../0001-ESYS-Fix-build-with-LibreSSL.patch | 48 ------------------- package/tpm2-tss/Config.in | 1 + 2 files changed, 1 insertion(+), 48 deletions(-) delete mode 100644 package/tpm2-tss/0001-ESYS-Fix-build-with-LibreSSL.patch diff --git a/package/tpm2-tss/0001-ESYS-Fix-build-with-LibreSSL.patch b/package/tpm2-tss/0001-ESYS-Fix-build-with-LibreSSL.patch deleted file mode 100644 index d8bf2a665c..0000000000 --- a/package/tpm2-tss/0001-ESYS-Fix-build-with-LibreSSL.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From e8b8ecd2f761430dd2e2c74505974b429fe6b40f Mon Sep 17 00:00:00 2001 -From: Carlos Santos -Date: Wed, 14 Nov 2018 23:31:25 -0200 -Subject: [PATCH] ESYS: Fix build with LibreSSL - -RAND_bytes() is declared in rand.h. Also, LibreSSL does not provide OAEP -macros EVP_PKEY_CTX_set0_rsa_oaep_label and EVP_PKEY_CTX_set_rsa_oaep_md -so use them conditionally. - -Signed-off-by: Carlos Santos ---- - src/tss2-esys/esys_crypto_ossl.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c -index 43088f4a..6c0c76fe 100644 ---- a/src/tss2-esys/esys_crypto_ossl.c -+++ b/src/tss2-esys/esys_crypto_ossl.c -@@ -10,6 +10,7 @@ - #include - #include - #include -+#include - #include - - #include "tss2_esys.h" -@@ -660,6 +661,8 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key, - "Could not set RSA passing.", cleanup); - } - -+/* LibreSSL does not provide these OAEP functions */ -+#ifdef EVP_PKEY_CTX_set0_rsa_oaep_label - if (1 != EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, label, strlen(label)+1)) { - goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, - "Could not set RSA label.", cleanup); -@@ -669,6 +672,9 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key, - goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, - "Could not set hash algorithm.", cleanup); - } -+#else -+ (void) label; -+#endif - - /* Determine out size */ - if (1 != EVP_PKEY_encrypt(ctx, NULL, out_size, in_buffer, in_size)) { --- -2.19.1 - diff --git a/package/tpm2-tss/Config.in b/package/tpm2-tss/Config.in index 933adb4b2a..2fb5b0f213 100644 --- a/package/tpm2-tss/Config.in +++ b/package/tpm2-tss/Config.in @@ -3,6 +3,7 @@ config BR2_PACKAGE_TPM2_TSS depends on !BR2_STATIC_LIBS # dlfcn.h select BR2_PACKAGE_LIBURIPARSER select BR2_PACKAGE_OPENSSL + select BR2_PACKAGE_OPENSSL_FORCE_LIBOPENSSL help OSS implementation of the Trusted Computing Group's (TCG) TPM2 Software Stack (TSS). This stack consists of the following
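Review bot: the commit message should state in one sentence what the deleted 0001-ESYS-Fix-build-with-LibreSSL.patch actually did to iesys_cryptossl_pk_encrypt(), because it was more than a build fix. The deleted patch placed the EVP_PKEY_CTX_set0_rsa_oaep_label() call and the following hash-algorithm call under `#ifdef EVP_PKEY_CTX_set0_rsa_oaep_label`, and its `#else` branch was only `(void) label;`, so a libressl build continued to EVP_PKEY_encrypt() with neither the label nor the hash algorithm set and without returning an error. Saying that explicitly, rather than only that libressl "lacks some required functionalities", tells anyone who still carries that patch in another tree that it needs to be dropped too.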
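Review bot: the added `select BR2_PACKAGE_OPENSSL_FORCE_LIBOPENSSL` line in package/tpm2-tss/Config.in gives no reason, while the `depends on !BR2_STATIC_LIBS # dlfcn.h` line just above it does. Since this select forces the openssl provider whenever BR2_PACKAGE_TPM2_TSS is enabled, I would add a short comment above it or a sentence in the help text noting that libressl lacks OAEP label and hash selection support, so the constraint is understandable from Config.in without going back to this commit message.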