diff --git a/pkgs/tools/security/tpm-luks/default.nix b/pkgs/tools/security/tpm-luks/default.nix
index 7d0ff797336d..e7a82f6089e7 100644
--- a/pkgs/tools/security/tpm-luks/default.nix
+++ b/pkgs/tools/security/tpm-luks/default.nix
@@ -10,6 +10,11 @@ stdenv.mkDerivation rec {
 sha256 = "1ms2v57f13r9km6mvf9rha5ndmlmjvrz3mcikai6nzhpj0nrjz0w"; }; + patches = [ ./openssl-1.1.patch ./signed-ptr.patch ]; + nativeBuildInputs = [ autoreconfHook ]; buildInputs = [ gawk trousers cryptsetup openssl ];
diff --git a/pkgs/tools/security/tpm-luks/openssl-1.1.patch b/pkgs/tools/security/tpm-luks/openssl-1.1.patch
new file mode 100644
index 000000000000..10132242b345
--- /dev/null
+++ b/pkgs/tools/security/tpm-luks/openssl-1.1.patch
@@ -0,0 +1,63 @@
+diff --git a/swtpm-utils/lib/hmac.c b/swtpm-utils/lib/hmac.c
+index 5545375..f9bedea 100644
+--- a/swtpm-utils/lib/hmac.c
++++ b/swtpm-utils/lib/hmac.c
+@@ -381,15 +381,19 @@ uint32_t TSS_authhmac(unsigned char *digest, unsigned char *key, unsigned int ke
+ /****************************************************************************/
+ uint32_t TSS_rawhmac(unsigned char *digest, const unsigned char *key, unsigned int keylen, ...)
+ {
+- HMAC_CTX hmac;
++ HMAC_CTX* hmac;
+ unsigned int dlen;
+ unsigned char *data;
+ va_list argp;
+-
+-#ifdef HAVE_HMAC_CTX_CLEANUP
+- HMAC_CTX_init(&hmac);
+-#endif
+- HMAC_Init(&hmac,key,keylen,EVP_sha1());
++
++ hmac = HMAC_CTX_new();
++
++ if (hmac == NULL)
++ {
++ return ERR_MEM_ERR;
++ }
++
++ HMAC_Init_ex(hmac,key,keylen,EVP_sha1(),NULL);
+ 
+ va_start(argp,keylen);
+ for (;;)
+@@ -398,15 +402,11 @@ uint32_t TSS_rawhmac(unsigned char *digest, const unsigned char *key, unsigned i
+ if (dlen == 0) break;
+ data = (unsigned char *)va_arg(argp,unsigned char *);
+ if (data == NULL) return ERR_NULL_ARG;
+- HMAC_Update(&hmac,data,dlen);
++ HMAC_Update(hmac,data,dlen);
+ }
+- HMAC_Final(&hmac,digest,&dlen);
++ HMAC_Final(hmac,digest,&dlen);
+ 
+-#ifdef HAVE_HMAC_CTX_CLEANUP
+- HMAC_CTX_cleanup(&hmac);
+-#else
+- HMAC_cleanup(&hmac);
+-#endif
++ HMAC_CTX_free(hmac);
+ va_end(argp);
+ return 0;
+ }
+diff --git a/swtpm-utils/lib/keys.c b/swtpm-utils/lib/keys.c
+index 99691b6..6627a1f 100644
+--- a/swtpm-utils/lib/keys.c
++++ b/swtpm-utils/lib/keys.c
+@@ -1249,8 +1249,7 @@ RSA *TSS_convpubkey(pubkeydata *k)
+ exp);
+ }
+ /* set up the RSA public key structure */
+- rsa->n = mod;
+- rsa->e = exp;
++ RSA_set0_key(rsa, mod, exp, NULL);
+ return rsa;
+ }
+ 
diff --git a/pkgs/tools/security/tpm-luks/signed-ptr.patch b/pkgs/tools/security/tpm-luks/signed-ptr.patch
new file mode 100644
index 000000000000..83e356a4ef9e
--- /dev/null
+++ b/pkgs/tools/security/tpm-luks/signed-ptr.patch
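Review bot: The early exit `if (data == NULL) return ERR_NULL_ARG;` inside the argument loop now leaks the context that the new `hmac = HMAC_CTX_new();` heap-allocates, and it also skips `va_end`; with the old stack-allocated `HMAC_CTX hmac` only a cleanup call was missed, so the patch turns that into a heap leak on every call that hits the NULL-argument path. The results of `HMAC_Init_ex`, `HMAC_Update` and `HMAC_Final` are still ignored, so a failure in any of them leaves `digest` unset while the function reports 0 (success) to its caller. Routing every exit through one cleanup label fixes both, as below; the line between the two hunks that presumably reads `dlen` from `argp` is not visible here and is left as a comment, and the choice of error code for a crypto-library failure should follow whatever the library already uses. In keys.c, `RSA_set0_key(rsa, mod, exp, NULL)` can return 0 where the old direct field assignment could not, so its return should be checked and the objects released on failure instead of returning an `rsa` that may carry no modulus; `TSS_convpubkey` begins outside the hunk.
```c
uint32_t TSS_rawhmac(unsigned char *digest, const unsigned char *key, unsigned int keylen, ...)
{
    HMAC_CTX *hmac;
    unsigned int dlen;
    unsigned char *data;
    va_list argp;
    uint32_t ret = 0;

    hmac = HMAC_CTX_new();
    if (hmac == NULL)
        return ERR_MEM_ERR;

    va_start(argp,keylen);
    if (HMAC_Init_ex(hmac,key,keylen,EVP_sha1(),NULL) != 1)
    {
        ret = ERR_MEM_ERR; /* TODO: use the library's generic crypto-failure code if it has one */
        goto out;
    }
    for (;;)
    {
        /* … unchanged: dlen read from argp (the line between the two hunks) … */
        if (dlen == 0) break;
        data = (unsigned char *)va_arg(argp,unsigned char *);
        if (data == NULL)
        {
            ret = ERR_NULL_ARG;
            goto out;
        }
        if (HMAC_Update(hmac,data,dlen) != 1)
        {
            ret = ERR_MEM_ERR; /* same TODO as above */
            goto out;
        }
    }
    if (HMAC_Final(hmac,digest,&dlen) != 1)
        ret = ERR_MEM_ERR; /* same TODO as above */
out:
    va_end(argp);
    HMAC_CTX_free(hmac);
    return ret;
}
```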
@@ -0,0 +1,15 @@
+diff --git a/swtpm-utils/getcapability.c b/swtpm-utils/getcapability.c
+index 7359ba3..17b4324 100644
+--- a/swtpm-utils/getcapability.c
++++ b/swtpm-utils/getcapability.c
+@@ -480,7 +480,8 @@ int main(int argc, char *argv[])
+ }
+ 
+ if (c) {
+- char pcrmap[4], *pf;
++ char pcrmap[4];
++ unsigned char *pf;
+ 
+ memcpy(pcrmap, ndp.pcrInfoRead.pcrSelection.pcrSelect,
+ ndp.pcrInfoRead.pcrSelection.sizeOfSelect);
+
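Review bot: The `memcpy(pcrmap, ndp.pcrInfoRead.pcrSelection.pcrSelect, ndp.pcrInfoRead.pcrSelection.sizeOfSelect)` directly below the changed declaration still copies `sizeOfSelect` bytes into the 4-byte `pcrmap` with no bound, so any value above 4 overruns the stack buffer; if `ndp` is populated from the TPM's response rather than a fixed table, that length is not under this program's control and the copy should be guarded. A check before the copy, `if (ndp.pcrInfoRead.pcrSelection.sizeOfSelect > sizeof(pcrmap)) { /* report the oversized selection and bail out via the program's usual error path */ }`, or clamping the length to `sizeof(pcrmap)`, closes it. Splitting the declaration also leaves `pcrmap` as plain `char` while `pf` becomes `unsigned char *`; if `pf` is later pointed into `pcrmap` (its uses are outside the hunk) the sign mismatch only moves, and `unsigned char pcrmap[4];` would be the consistent choice since the buffer holds raw selection bytes. The enclosing `main` starts and ends outside the hunk.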