Changelog:
* Allowed fsverity-utils to build when PKCS#11 support is not available in
OpenSSL. In that case, 'fsverity sign' just won't support that feature.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The project's readme indicates that some parts of the code is covered
by Apache license - add it to the RECIPE accordingly.
Reported-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The below reference clearly states that GPL-2.0-with-OpenSSL-exception
is to be used with GPL 2.0 or GPL3.0 and not as a standalone license.
Therefore, update the correct license.
Reference:
569d72e13e/docs/openssl-exception-gpl-2.0.yml (L7)
Signed-off-by: Sana Kazi <Sana.Kazi@bmwtechworks.in>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Please see
https://git.yoctoproject.org/poky/commit/?id=4dd321f8b83afecd962393101b2a6861275b5265
for what changes are needed, and sed commands that can be used to make them en masse.
I've verified that bitbake -c patch world works with these, but did not run a world
build; the majority of recipes shouldn't need further fixups, but if there are
some that still fall out, they can be fixed in followups.
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* see more details: http://errors.yoctoproject.org/Errors/Details/850150/
des.c:199:9: error: too many arguments to function 'spinit'; expected 0, have 1
199 | spinit(key);
| ^~~~~~ ~~~
des.c:38:56: note: declared here
38 | static void permute_ip(), permute_fp(), perminit_ip(), spinit(),
| ^~~~~~
* Move function forward declarations to .h file to fix the following errors:
tripledes.c: In function '_mcrypt_desinit':
tripledes.c:198:18: error: passing argument 1 of 'perminit' from incompatible pointer type [-Wincompatible-pointer-types]
198 | perminit(&key->iperm, ip);
| ^~~~~~~~~~~
| |
| char (*)[16][16][8]
In file included from tripledes.c:23:
tripledes.h:11:27: note: expected 'char (*)[16][8]' but argument is of type 'char (*)[16][16][8]'
11 | static void perminit(char perm[][16][8], char p[64]);
| ~~~~~^~~~~~~~~~~~~
tripledes.c:199:18: error: passing argument 1 of 'perminit' from incompatible pointer type [-Wincompatible-pointer-types]
199 | perminit(&key->fperm, fp);
| ^~~~~~~~~~~
| |
| char (*)[16][16][8]
tripledes.h:11:27: note: expected 'char (*)[16][8]' but argument is of type 'char (*)[16][16][8]'
11 | static void perminit(char perm[][16][8], char p[64]);
| ~~~~~^~~~~~~~~~~~~
Changed parameter from &key to key
perminit(key->iperm, ip);
perminit(key->fperm, fp);
Signed-off-by: mark.yang <mark.yang@lge.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
We use veritysetup in our custom initramfs to verify the rootfs before
mounting it. We do not use udev or run systemd as PID1 in that
initramfs. This RDEPENDS on udev and lvm2, and everything that udev
ends up pulling in, thus bloats the initramfs by more than 10MiB.
Removing udev from PACKAGECONFIG is not really an option, because we
do want the udev integration in the real rootfs.
Demote it to a recommendation so that the initramfs recipe can avoid
udev and lvm2 using BAD_RECOMMENDATIONS or NO_RECOMMENDATIONS.
Signed-off-by: Rasmus Villemoes <ravi@prevas.dk>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This commit removed the lvm2-udevrules package.
[https://git.openembedded.org/meta-openembedded/commit/?h=master-next&id=c37c867e1adddd6fa39cf3f3d4c6688ea6dc825a]
Align accordingly to avoid error at do_rootfs
Error:
Problem 1: package udisks2-2.10.1-r0.corei7_64 from oe-repo requires libblockdev.so.3()(64bit), but none of the providers can be installed
- package udisks2-2.10.1-r0.corei7_64 from oe-repo requires libbd_utils.so.3()(64bit), but none of the providers can be installed
- package udisks2-2.10.1-r0.corei7_64 from oe-repo requires libblockdev >= 3.2.0, but none of the providers can be installed
- package gvfs-1.56.0-r0.corei7_64 from oe-repo requires udisks2, but none of the providers can be installed
- package libblockdev-3.2.0-r0.corei7_64 from oe-repo requires libcryptsetup.so.12()(64bit), but none of the providers can be installed
- package libblockdev-3.2.0-r0.corei7_64 from oe-repo requires libcryptsetup.so.12(CRYPTSETUP_2.0)(64bit), but none of the providers can be installed
- package libblockdev-3.2.0-r0.corei7_64 from oe-repo requires libcryptsetup.so.12(CRYPTSETUP_2.4)(64bit), but none of the providers can be installed
- package libblockdev-3.2.0-r0.corei7_64 from oe-repo requires libcryptsetup.so.12(CRYPTSETUP_2.7)(64bit), but none of the providers can be installed
- package libblockdev-3.2.0-r0.corei7_64 from oe-repo requires cryptsetup >= 2.7.5, but none of the providers can be installed
- conflicting requests
- nothing provides lvm2-udevrules needed by cryptsetup-2.7.5-r0.corei7_64 from oe-repo
Problem 2: package gvfs-1.56.0-r0.corei7_64 from oe-repo requires udisks2, but none of the providers can be installed
- package udisks2-2.10.1-r0.corei7_64 from oe-repo requires libblockdev.so.3()(64bit), but none of the providers can be installed
- package udisks2-2.10.1-r0.corei7_64 from oe-repo requires libbd_utils.so.3()(64bit), but none of the providers can be installed
- package udisks2-2.10.1-r0.corei7_64 from oe-repo requires libblockdev >= 3.2.0, but none of the providers can be installed
- package gvfsd-trash-1.56.0-r0.corei7_64 from oe-repo requires libgvfscommon.so()(64bit), but none of the providers can be installed
- package gvfsd-trash-1.56.0-r0.corei7_64 from oe-repo requires libgvfsdaemon.so()(64bit), but none of the providers can be installed
- package gvfsd-trash-1.56.0-r0.corei7_64 from oe-repo requires gvfs >= 1.56.0, but none of the providers can be installed
- package libblockdev-3.2.0-r0.corei7_64 from oe-repo requires libcryptsetup.so.12()(64bit), but none of the providers can be installed
- package libblockdev-3.2.0-r0.corei7_64 from oe-repo requires libcryptsetup.so.12(CRYPTSETUP_2.0)(64bit), but none of the providers can be installed
- package libblockdev-3.2.0-r0.corei7_64 from oe-repo requires libcryptsetup.so.12(CRYPTSETUP_2.4)(64bit), but none of the providers can be installed
- package libblockdev-3.2.0-r0.corei7_64 from oe-repo requires libcryptsetup.so.12(CRYPTSETUP_2.7)(64bit), but none of the providers can be installed
- package libblockdev-3.2.0-r0.corei7_64 from oe-repo requires cryptsetup >= 2.7.5, but none of the providers can be installed
- conflicting requests
- nothing provides lvm2-udevrules needed by cryptsetup-2.7.5-r0.corei7_64 from oe-repo
(try to add '--skip-broken' to skip uninstallable packages)
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
License-Update: Copyright year updated to 2024.
Changelog:
==========
* CVE-2024-34702: Fix a DoS caused by excessive name constraints.
* CVE-2024-39312: Fix a name constraint processing error, where if
permitted and excluded rules both applied to a certificate, only the
permitted rules would be checked.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
============
* Do not allow formatting LUKS2 with Opal SED (hardware encryption)
* Fixes to wiping LUKS2 headers after Opal locking area erase.
* Mention the need for possible PSID revert before Opal format for some
drives (man page).
* Fix Bitlocker-compatible code to ignore newly seen metadata entries.
* Fix interactive query retry if LUKS2 unbound keyslot is present.
* Detect unsupported zoned devices for LUKS header devices.
* Allow "capi" cipher format for benchmark command and fix parsing
of plain IV in "capi" format.
* Add support for HCTR2 encryption mode.
* Source code now uses SPDX license identifiers instead of full
license preambles.
* Fix missing includes for cryptographic backend that could cause
compilation errors for some systems.
* Fix tests to work correctly in FIPS mode with recent OpenSSL 3.2.
* Fix various (mostly false positive) issues detected by Coverity.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
License-Update: Copyright year updated to 2024.
0001-fix-aarch64-Move-target-pragma-after-arm_neon.h-incl.patch
removed since it's included in 1.0.20
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
============
- Add Ed448 signatures and X448 key exchange
- X.509 certificate verification now can optionally ignore the expiration date of root certificates.
- Support for "hybrid" EC point encoding is now deprecated.
- Support for creating EC_Group objects with parameters larger than 521 bits is now deprecated
- Add new build options to disable deprecated features, and to enable experimental features.
- Fix a bug affecting use of SIV and CCM ciphers in the FFI interface.
- Add new FFI interface botan_cipher_requires_entire_message
- Internal refactorings of the mp layer to support a new elliptic curve library.
- Use a new method for constant time division in Kyber to avoid a possible side channel where the compiler inserts use of a variable time division.
- Refactor test RNG usage to improve reproducibility.
- Add std::span interfaces to BigInt
- Refactorings and improvements to low level load/store utility functions.
- Fix the amalgamation build on ARM64
- Add Mac ARM based CI build
- Fix a thread serialization bug that caused sporadic test failures.
- Update GH Actions to v4
- Add examples of password based encryption and HTTPS+ASIO client.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
* Fix activation of OPAL-only encrypted LUKS device with tokens.
* Fix formatting of OPAL devices with 4096-byte sector size.
* Fix incorrect OPAL locking range alignment calculation if used
over an unaligned device partition.
* Add --hw-opal-factory-reset option description to the manual page.
* Do not check the passphrase quality for OPAL Admin PIN,
as this passphrase already exists.
* Update license for FAQ document to CC BY-SA 4.0.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cryptsetup 2.7.1 Release Notes
==============================
Stable bug-fix release with minor extensions.
Changes since version 2.7.0
* Fix interrupted LUKS1 decryption resume.
With the replacement of the cryptsetup-reencrypt tool by the cryptsetup
reencrypt command, resuming the interrupted LUKS1 decryption operation
could fail. LUKS2 was not affected.
* Allow --link-vk-to-keyring with --test-passphrase option.
This option allows uploading the volume key in a user-specified kernel
keyring without activating the device.
* Fix crash when --active-name was used in decryption initialization.
* Updates and changes to man pages, including indentation, sorting options
alphabetically, fixing mistakes in crypt_set_keyring_to_link, and
fixing some typos.
* Fix compilation with libargon2 when --disable-internal-argon2 was used.
* Do not require installed argon2.h header and never compile internal
libargon2 code if the crypto library directly supports Argon2.
* Fixes to regression tests to support older Linux distributions.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
License-Update: Copyright years change
Changelog:
move all sha* applications to the libexec directory to allow them to coexist with other packages sha* applications - the caller is expected to make a symlink to them
add sha3sum
add kcapi_md_sha3_* wrapper APIs
various small fixes
Signed-off-by: alperak <alperyasinak1@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Monocypher has two recipes and a release tarball in home page and in github
Signed-off-by: BELOUARGA Mohamed <m.belouarga@technologyandstrategy.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* fixes:
ERROR: monocypher-4.0.2-r0 do_package: QA Issue: monocypher: Files/directories were installed but not shipped in any package:
/usr/lib/libmonocypher.so
/usr/lib/libmonocypher.so.4
/usr/lib/libmonocypher.a
/usr/lib/pkgconfig
/usr/lib/pkgconfig/monocypher.pc
Please set FILES such that these items are packaged. Alternatively if they are unneeded, avoid installing them or delete them within do_install.
monocypher: 5 installed and not shipped files. [installed-vs-shipped]
this only fixes the above issues, to make it usable with other
libdir values the .pc files would need to be fixed to respect passed
LIBDIR value as well as now they expect just lib:
monocypher.pc:libdir=${exec_prefix}/lib
tests/speed/libhydrogen.pc:libdir=${exec_prefix}/lib
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Adds monocypher, an easy to use, easy to deploy, auditable crypto library written in portable C. It approaches the size of TweetNaCl and the speed of libsodium
Signed-off-by: BELOUARGA Mohamed <m.belouarga@technologyandstrategy.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
It fails to install libmcrypt-dev and lib32-libmcrypt-dev at same time:
Error: Transaction test error:
file /usr/bin/libmcrypt-config conflicts between attempted installs of
libmcrypt-dev-2.5.8-r0.core2_64 and lib32-libmcrypt-dev-2.5.8-r0.i586
Use MULTILIB_SCRIPTS from multilib_script.bbclass to handle them.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* enabled by default, because that's what dropbear expects and fails
without as shown in:
http://errors.yoctoproject.org/Errors/Details/720460/
dropbear/2022.83-r0/crypto_desc.c:72: undefined reference to `ltm_desc'
* add comment about the LICENSE
* use EXTRA_OEMAKE
* FYI: if you need to use this in dunfell (for whatever reason e.g. to
avoid CVE-2019-17362 in dropbear which contains bundled libtomcrypt),
then you need to add:
# Only needed for dunfell, fixed in kirkstone with:
# https://git.openembedded.org/openembedded-core/commit/?h=kirkstone&id=4b308773eca7570ce5007e8f953b56252c17fdb1
DEPENDS += "libtool-cross"
EXTRA_OEMAKE += "'LIBTOOL=${HOST_SYS}-libtool'"
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* fixes:
ERROR: QA Issue: libtomcrypt: Files/directories were installed but not shipped in any package:
/usr/lib
/usr/lib/libtomcrypt.so.1.0.1
/usr/lib/libtomcrypt.so.1
/usr/lib/libtomcrypt.so
/usr/lib/pkgconfig
/usr/lib/pkgconfig/libtomcrypt.pc
Please set FILES such that these items are packaged. Alternatively if they are unneeded, avoid installing them or delete them within do_install.
libtomcrypt: 6 installed and not shipped files. [installed-vs-shipped]
when libdir is /usr/lib64 with multilib
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Mitigate occurences where ':append' operator is used and leading
whitespace character is obviously missing, risking inadvertent
string concatenation.
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
- Disable documentation as it needs asciidoctor which is not available
- Rename cryptsetup-reencrypt packageconfig to luks2-reencryption to match
the relevant configure option.
- Add a patch to enable 64bit off_t and lfs64
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Version 2.19.3, 2022-11-16
CVE-2022-43705: A malicious OCSP responder could forge OCSP responses due to a
failure to validate that an embedded certificate was issued by the end-entity
issuing certificate authority.
Signed-off-by: Chen Pei <cp0613@linux.alibaba.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cryptsetup SSH tokens is the only feature that has a dependency on
libssh. Add a packageconfig to control this dependency.
Change-Id: Iac4f91e099ad2e3a79aab183734108f8bfbff57f
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
