Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssl_tpm2_engine for 
openSUSE:Factory checked in at 2025-11-13 17:26:33
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssl_tpm2_engine (Old)
 and      /work/SRC/openSUSE:Factory/.openssl_tpm2_engine.new.2061 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openssl_tpm2_engine"

Thu Nov 13 17:26:33 2025 rev:21 rq:1317414 version:4.4.3

Changes:
--------
--- /work/SRC/openSUSE:Factory/openssl_tpm2_engine/openssl_tpm2_engine.changes  
2025-03-01 19:16:47.093672698 +0100
+++ 
/work/SRC/openSUSE:Factory/.openssl_tpm2_engine.new.2061/openssl_tpm2_engine.changes
        2025-11-13 17:28:40.422431075 +0100
@@ -1,0 +2,7 @@
+Wed Nov 12 15:20:44 UTC 2025 - James Bottomley 
<[email protected]>
+
+- Update to version 4.4.3
+  * Fix openssl-3.0 build
+  * Fix tests for Ubuntu
+
+-------------------------------------------------------------------

Old:
----
  openssl_tpm2_engine-4.4.2.tar.gz

New:
----
  openssl_tpm2_engine-4.4.3.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ openssl_tpm2_engine.spec ++++++
--- /var/tmp/diff_new_pack.CD6mnT/_old  2025-11-13 17:28:42.226507649 +0100
+++ /var/tmp/diff_new_pack.CD6mnT/_new  2025-11-13 17:28:42.254508838 +0100
@@ -18,7 +18,7 @@
 
 
 Name:           openssl_tpm2_engine
-Version:        4.4.2
+Version:        4.4.3
 Release:        0
 Summary:        OpenSSL TPM 2.0 interface engine plugin
 License:        LGPL-2.1-only

++++++ openssl_tpm2_engine-4.4.2.tar.gz -> openssl_tpm2_engine-4.4.3.tar.gz 
++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openssl_tpm2_engine-4.4.2/configure.ac 
new/openssl_tpm2_engine-4.4.3/configure.ac
--- old/openssl_tpm2_engine-4.4.2/configure.ac  2025-02-28 16:04:33.000000000 
+0100
+++ new/openssl_tpm2_engine-4.4.3/configure.ac  2025-11-12 16:16:09.000000000 
+0100
@@ -2,7 +2,7 @@
 # configure.in for the OpenSSL TPM engine project
 #
 
-AC_INIT(openssl-tpm2-engine, 4.4.2, <[email protected]>)
+AC_INIT(openssl-tpm2-engine, 4.4.3, <[email protected]>)
 AM_INIT_AUTOMAKE([foreign 1.6.3])
 AC_CANONICAL_HOST
 AM_CONDITIONAL(NATIVE_BUILD, test "x$cross_compiling" = "xno")
@@ -83,7 +83,12 @@
 fi
 
 if test "$ac_have_openssl3" = "1"; then
-    modulesdir=\"`$PKG_CONFIG --variable=modulesdir libcrypto`\"
+    modulesdir=`$PKG_CONFIG --variable=modulesdir libcrypto`
+    if test -z "$modulesdir"; then
+        buildprovider=0
+    else
+        buildprovider=1
+    fi
     AC_SUBST(modulesdir)
 fi
 
@@ -106,6 +111,7 @@
 AM_CONDITIONAL(HAVE_IBM_TSS, test "$tsslibs" = "IBM")
 
 AM_CONDITIONAL(HAVE_OPENSSL3, test "$ac_have_openssl3" = "1")
+AM_CONDITIONAL(BUILD_PROVIDER, test "$buildprovider" = "1")
 
 AC_DISABLE_STATIC
 AC_PROG_CC_STDC
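Review bot: `buildprovider` is assigned only inside the `ac_have_openssl3` branch of the earlier hunk, so on every other path this `test "$buildprovider" = "1"` reads whatever value the variable already had in configure's environment. Setting `buildprovider=0` before that `if` removes the dependency. When pkg-config returns an empty `modulesdir`, the provider is dropped without any output. An `AC_MSG_WARN([modulesdir not found, TPM2 provider will not be built])` in that branch would record in the configure log that the build ships the engine only.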
@@ -163,6 +169,9 @@
     testtpm=
 fi
 
+AM_CONDITIONAL(HAVE_INTEL_SERVER, test -n "$testtpm" -a -z "$TPMSERVER")
+AM_CONDITIONAL(HAVE_IBM_SERVER, test -n "$testtpm" -a -n "$TPMSERVER")
+
 AC_SUBST(testtpm)
 
 AC_OUTPUT([Makefile
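Review bot: The two new conditionals join their tests with `-a`, which POSIX marks obsolescent and the Autoconf portability notes advise against, because some shells parse it ambiguously when an operand looks like an operator. Separate tests are unambiguous: `AM_CONDITIONAL(HAVE_INTEL_SERVER, test -n "$testtpm" && test -z "$TPMSERVER")`, and likewise for `HAVE_IBM_SERVER`. The same `-a` form appears in the `[ ... ]` line added to tests/fail_connect.sh.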
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/openssl_tpm2_engine-4.4.2/src/opensslmissing/signature.c 
new/openssl_tpm2_engine-4.4.3/src/opensslmissing/signature.c
--- old/openssl_tpm2_engine-4.4.2/src/opensslmissing/signature.c        
2025-02-28 16:04:33.000000000 +0100
+++ new/openssl_tpm2_engine-4.4.3/src/opensslmissing/signature.c        
2025-11-12 16:16:09.000000000 +0100
@@ -262,8 +262,10 @@
                        else if (strcmp(p->data, 
OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO)
                                 == 0)
                                ctx->salt_len = RSA_PSS_SALTLEN_AUTO;
+#ifdef RSA_PSS_SALTLEN_AUTO_DIGEST_MAX
                        else if (strcmp(p->data, 
OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX) == 0)
                                ctx->salt_len = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX;
+#endif
                        else
                                ctx->salt_len = atoi(p->data);
                } else {
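Review bot: With the new `#ifdef`, a build against headers that lack `RSA_PSS_SALTLEN_AUTO_DIGEST_MAX` lets a caller who passes the auto-digest-max name as a literal string fall through to the final `else`, where `atoi(p->data)` turns any non-numeric text into 0. The request then presumably yields a PSS signature with a zero-length salt instead of an error, and the same holds for any misspelled salt-length name. The fallback should parse strictly, e.g. `char *end; long v = strtol(p->data, &end, 10);` followed by `if (end == p->data || *end != '\0')` taking this function's failure path. The enclosing function starts and ends outside the hunk, so the exact error return is not visible here.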
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openssl_tpm2_engine-4.4.2/src/provider/Makefile.am 
new/openssl_tpm2_engine-4.4.3/src/provider/Makefile.am
--- old/openssl_tpm2_engine-4.4.2/src/provider/Makefile.am      2025-02-28 
16:04:33.000000000 +0100
+++ new/openssl_tpm2_engine-4.4.3/src/provider/Makefile.am      2025-11-12 
16:16:09.000000000 +0100
@@ -1,7 +1,7 @@
 AM_CPPFLAGS=-I../include
 COMMONLIB = ../libcommon/libcommon.a ../opensslmissing/libosslm.a
 
-if HAVE_OPENSSL3
+if BUILD_PROVIDER
 openssl_provider_LTLIBRARIES=libtpm2.la
 openssl_providerdir=@modulesdir@
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openssl_tpm2_engine-4.4.2/tests/attestation.sh 
new/openssl_tpm2_engine-4.4.3/tests/attestation.sh
--- old/openssl_tpm2_engine-4.4.2/tests/attestation.sh  2025-02-28 
16:04:33.000000000 +0100
+++ new/openssl_tpm2_engine-4.4.3/tests/attestation.sh  2025-11-12 
16:16:09.000000000 +0100
@@ -1,5 +1,11 @@
 #!/bin/bash
 set -x
+##
+# The tss2 on Ubuntu is too old to contain tsscreateekcert which is
+# required for the attestation checks
+##
+which tsscreateekcert || exit 77
+
 
 ##
 # We already created eksign.name and null.name, so check them first
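Review bot: The guard `which tsscreateekcert || exit 77` depends on `which` being installed. On a minimal image without it, the attestation checks would be reported as skipped even though the TSS tool is present. The shell builtin avoids that and keeps the path out of the test log: `command -v tsscreateekcert >/dev/null 2>&1 || exit 77`. The rest of the script is outside the hunk.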
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/openssl_tpm2_engine-4.4.2/tests/check_counter_timer.sh 
new/openssl_tpm2_engine-4.4.3/tests/check_counter_timer.sh
--- old/openssl_tpm2_engine-4.4.2/tests/check_counter_timer.sh  2025-02-28 
16:04:33.000000000 +0100
+++ new/openssl_tpm2_engine-4.4.3/tests/check_counter_timer.sh  2025-11-12 
16:16:09.000000000 +0100
@@ -1,5 +1,13 @@
 #!/bin/bash
 
+##
+# The tss2 on Ubuntu is too old to recognize the -clock argument
+##
+if tssclockset|grep -qe -time; then
+    CLOCKARG=-time
+else
+    CLOCKARG=-clock
+fi
 
 ##
 # create a policy based on the tpm current clock the failing policy
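Review bot: The probe `tssclockset|grep -qe -time` only sees standard output, so if the tool is missing or prints its usage text on standard error the script falls through to `-clock` without saying why. Merging the streams, `if tssclockset 2>&1 | grep -qe -time; then`, makes the detection independent of where the usage text goes. The `tsscreateprimary -h | grep` probe added to tests/check_importable.sh has the same dependency. The `tssclockset -hi o ${CLOCKARG} ${clock}` call that consumes the result is in the second hunk of this file.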
@@ -38,7 +46,7 @@
 ##
 echo "Advance clock to expire key"
 clock=$[$clock+1000]
-tssclockset -hi o -clock ${clock} || exit 1
+tssclockset -hi o ${CLOCKARG} ${clock} || exit 1
 
 ##
 # now the signing operation should fail
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openssl_tpm2_engine-4.4.2/tests/check_importable.sh 
new/openssl_tpm2_engine-4.4.3/tests/check_importable.sh
--- old/openssl_tpm2_engine-4.4.2/tests/check_importable.sh     2025-02-28 
16:04:33.000000000 +0100
+++ new/openssl_tpm2_engine-4.4.3/tests/check_importable.sh     2025-11-12 
16:16:09.000000000 +0100
@@ -1,9 +1,17 @@
 #!/bin/bash
-
+set -x
+##
+# The tss2 on Ubuntu is too old to allow variable size RSA keys
+##
+if tsscreateprimary -h | grep -qe '-rsa \[keybits\]'; then
+    RSAARG="-rsa 2048"
+else
+    RSAARG=-rsa
+fi
 
 # export the parent key as a EC and RSA public key
 ${bindir}/attest_tpm2_primary --certify owner --name ${testdir}/eksign.name 
--file srk.pub || exit 1
-prim=$(tsscreateprimary -rsa 2048 -hi o -opem srkrsa.pub | sed 's/Handle //') 
|| exit 1
+prim=$(tsscreateprimary ${RSAARG} -hi o -opem srkrsa.pub | sed 's/Handle //') 
|| exit 1
 tssflushcontext -ha ${prim} || exit 1
 
 for n in sha1 sha256 sha384; do
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/openssl_tpm2_engine-4.4.2/tests/check_rsa_oaep_pss.sh 
new/openssl_tpm2_engine-4.4.3/tests/check_rsa_oaep_pss.sh
--- old/openssl_tpm2_engine-4.4.2/tests/check_rsa_oaep_pss.sh   2025-02-28 
16:04:33.000000000 +0100
+++ new/openssl_tpm2_engine-4.4.3/tests/check_rsa_oaep_pss.sh   2025-11-12 
16:16:09.000000000 +0100
@@ -11,10 +11,13 @@
 # this PSS signature will be padded manually and done as an unpadded encrypt
 # by the TPM
 ##
-openssl sha256 -out tmp.md -binary tmp.txt || exit 1
-openssl pkeyutl -sign $ENGINE $KEYFORM -inkey key.tpm -pkeyopt 
rsa_padding_mode:pss -pkeyopt digest:sha256 -pkeyopt rsa_mgf1_md:sha256 -in 
tmp.md -out tmp.msg -passin pass:passw0rd || exit 1
-# OpenSSL bug in some versions returns false for correct signature
-openssl pkeyutl -verify -inkey key.pub -pubin -pkeyopt rsa_padding_mode:pss 
-pkeyopt digest:sha256 -pkeyopt rsa_mgf1_md:sha256 -in tmp.md -sigfile 
tmp.msg|grep 'Signature Verified Successfully'|| exit 1
+for salt in 20 -1 -2 -3; do
+    openssl sha256 -out tmp.md -binary tmp.txt || exit 1
+    openssl pkeyutl -sign $ENGINE $KEYFORM -inkey key.tpm -pkeyopt 
rsa_padding_mode:pss -pkeyopt digest:sha256 -pkeyopt rsa_mgf1_md:sha256 
-pkeyopt rsa_pss_saltlen:${salt} -in tmp.md -out tmp.msg -passin pass:passw0rd 
|| exit 1
+    # OpenSSL bug in some versions returns false for correct signature
+    openssl pkeyutl -verify -inkey key.pub -pubin -pkeyopt 
rsa_padding_mode:pss -pkeyopt digest:sha256 -pkeyopt rsa_mgf1_md:sha256 -in 
tmp.md -sigfile tmp.msg|grep 'Signature Verified Successfully'|| exit 1
+done
+
 ##
 # finally an OAEP encrypt which triggers an unpadded decrypt
 ##
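Review bot: The `pkeyutl -verify` line inside the new loop does not pass `rsa_pss_saltlen`, so it most likely recovers the salt length from the signature itself and would succeed even if the signer ignored the requested `${salt}`. Adding `-pkeyopt rsa_pss_saltlen:${salt}` to the verify command would make each iteration check the length it asked for, provided the OpenSSL versions under test accept every one of these values on verify. The list also stops at -3, so the auto-digest-max case that signature.c now wraps in `#ifdef` is not exercised. A one-line comment above the loop naming what 20, -1, -2 and -3 select would help the next reader.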
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openssl_tpm2_engine-4.4.2/tests/engine/Makefile.am 
new/openssl_tpm2_engine-4.4.3/tests/engine/Makefile.am
--- old/openssl_tpm2_engine-4.4.2/tests/engine/Makefile.am      2025-02-28 
16:04:33.000000000 +0100
+++ new/openssl_tpm2_engine-4.4.3/tests/engine/Makefile.am      2025-11-12 
16:16:09.000000000 +0100
@@ -44,15 +44,22 @@
        testdir=$(abs_srcdir)/..; export testdir; \
        TPM_NULL_NAME=${testdir}/null.name; \
        OPENSSL_CONF=$(abs_srcdir)/openssl.cnf; export OPENSSL_CONF; \
-       TPMSERVER=$(TPMSERVER); export TPMSERVER; \
        TSSTYPE=@TSSTYPE@; export TSSTYPE; \
-       SWTPM=$(SWTPM); export SWTPM; \
-       SWTPM_IOCTL=$(SWTPM_IOCTL); export SWTPM_IOCTL; \
        ENGINE="-engine tpm2"; export ENGINE; \
        INFORM="-inform engine"; export INFORM; \
        KEYFORM="-keyform engine"; export KEYFORM; \
        CAKEYFORM="-CAkeyform engine"; export CAKEYFORM;
 
+if HAVE_INTEL_SERVER
+AM_TESTS_ENVIRONMENT += \
+       SWTPM=$(SWTPM); export SWTPM; \
+       SWTPM_IOCTL=$(SWTPM_IOCTL); export SWTPM_IOCTL;
+endif
+if HAVE_IBM_SERVER
+AM_TESTS_ENVIRONMENT += \
+       TPMSERVER=$(TPMSERVER); export TPMSERVER;
+endif
+
 TEST_EXTENSIONS = .sh
 
 CLEANFILES = key*.tpm key*.pub key*.priv tmp.* NVChip h*.bin key*.der seal.* 
fifo tss2.* *.name
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openssl_tpm2_engine-4.4.2/tests/fail_connect.sh 
new/openssl_tpm2_engine-4.4.3/tests/fail_connect.sh
--- old/openssl_tpm2_engine-4.4.2/tests/fail_connect.sh 2025-02-28 
16:04:33.000000000 +0100
+++ new/openssl_tpm2_engine-4.4.3/tests/fail_connect.sh 2025-11-12 
16:16:09.000000000 +0100
@@ -1,6 +1,12 @@
 #!/bin/bash
 set -x
 
+[ -f /etc/os-release ] && source /etc/os-release
+##
+# The version of Intel TSS on ubuntu crashes if no emulator is running
+##
+[ "$TSSTYPE" = "Intel" -a "$NAME" = "Ubuntu" ] && exit 77
+
 ##
 # test is
 # Start without any TPM socket listener and check the correct
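Review bot: `source /etc/os-release` runs in the test's own shell, so every assignment in that file (NAME, ID, VERSION and so on) becomes a variable of the script for the rest of the run. Reading the value in a subshell keeps it contained, e.g. `os_id=$(. /etc/os-release 2>/dev/null; echo "$ID")` followed by `[ "$TSSTYPE" = "Intel" ] && [ "$os_id" = "ubuntu" ] && exit 77`. `ID` is the machine-readable field, while `NAME` is a display string. The skip also hides a crash in the TSS library when no TPM is reachable, so the comment should name the affected package version or bug report, so that the skip can be removed once it is fixed. The rest of the script is outside the hunk.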
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openssl_tpm2_engine-4.4.2/tests/provider/Makefile.am 
new/openssl_tpm2_engine-4.4.3/tests/provider/Makefile.am
--- old/openssl_tpm2_engine-4.4.2/tests/provider/Makefile.am    2025-02-28 
16:04:33.000000000 +0100
+++ new/openssl_tpm2_engine-4.4.3/tests/provider/Makefile.am    2025-11-12 
16:16:09.000000000 +0100
@@ -1,4 +1,4 @@
-if HAVE_OPENSSL3
+if BUILD_PROVIDER
 
 TESTS = ../fail_connect.sh
 TESTS += ../start_sw_tpm.sh
@@ -44,15 +44,22 @@
        bindir=$(abs_srcdir)/../../src/tools; export bindir; \
        testdir=$(abs_srcdir)/..; export testdir; \
        OPENSSL_CONF=$(abs_srcdir)/openssl.cnf; export OPENSSL_CONF; \
-       TPMSERVER=$(TPMSERVER); export TPMSERVER; \
        TSSTYPE=@TSSTYPE@; export TSSTYPE; \
-       SWTPM=$(SWTPM); export SWTPM; \
-       SWTPM_IOCTL=$(SWTPM_IOCTL); export SWTPM_IOCTL; \
        ENGINE="-provider default -provider-path 
$(abs_srcdir)/../../src/provider/.libs -provider libtpm2"; export ENGINE; \
        INFORM=""; export INFORM; \
        KEYFORM=""; export KEYFORM; \
        CAKEYFORM=""; export CAKEYFORM;
 
+if HAVE_INTEL_SERVER
+AM_TESTS_ENVIRONMENT += \
+       SWTPM=$(SWTPM); export SWTPM; \
+       SWTPM_IOCTL=$(SWTPM_IOCTL); export SWTPM_IOCTL;
+endif
+if HAVE_IBM_SERVER
+AM_TESTS_ENVIRONMENT += \
+       TPMSERVER=$(TPMSERVER); export TPMSERVER;
+endif
+
 endif
 
 TEST_EXTENSIONS = .sh
