Fix CI - tpm2-tss and ntp (aws#1589)

### Description of changes: 
* Fix CI integration tests

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.

tests/ci/integration/run_ntp_integration.sh

@@ -23,8 +23,9 @@ NTP_WEBSITE_URL="https://downloads.nwtime.org/ntp/"
 # - the first grep searches for all occurrences of href attributes in anchor tags and outputs only the URLs,
 # - sed removes the href=" and trailing " from the URLs,
 # - the second grep filters only the links ending with .tar.gz,
+# - "head -n 1" gets only the first matching line
 # - cut strips "/ntp/" from the link and retains only the tar name.
-NTP_TAR=$(curl -s ${NTP_WEBSITE_URL} | grep -o 'href="[^"]*"' | sed 's/href="//;s/"$//' | grep '.tar.gz$' | cut -d '/' -f3)
+NTP_TAR=$(curl -s ${NTP_WEBSITE_URL} | grep -o 'href="[^"]*"' | sed 's/href="//;s/"$//' | grep '.tar.gz$' | head -n 1 | cut -d '/' -f3)
 NTP_DOWNLOAD_URL="${NTP_WEBSITE_URL}/${NTP_TAR}"
 NTP_SRC_FOLDER="${SCRATCH_FOLDER}/ntp-src"
 NTP_PATCH_FOLDER="${SRC_ROOT}/tests/ci/integration/ntp_patch"

tests/ci/integration/tpm2_tss_patch/aws-lc-tpm2-tss.patch

@@ -1,18 +1,26 @@
-From cf4383fff44f86c03bfd19de31e73039bc204562 Mon Sep 17 00:00:00 2001
-From: Justin W Smith <[email protected]>
-Date: Mon, 22 Jan 2024 10:20:12 -0500
-Subject: [PATCH] Minor fixes for AWS-LC
+From 0b702b55bfece6c2910ea065bf0dffa9c1e1008e Mon Sep 17 00:00:00 2001
+From: Juergen Repp <[email protected]>
+Date: Fri, 10 May 2024 19:15:37 +0200
+Subject: [PATCH] FAPI: Improve the error message for self signed EK
+ certificates.
 
+The error message
+"curl_url_set for CURUPART_URL failed: Unsupported URL scheme"
+was displayed if a self signed EK certificate was stored in the TPM.
+Now a better error message is displayed to explain that FAPI can
+be used if "ek_cert_less" is set to "yes" in the FAPI config file.
+Addresses: #2833
+
+Signed-off-by: Juergen Repp <[email protected]>
 ---
- configure.ac                       | 6 ------
- src/tss2-esys/esys_crypto_ossl.c   | 2 +-
- src/tss2-fapi/ifapi_curl.c         | 6 +++---
- src/tss2-fapi/ifapi_get_web_cert.c | 1 +
- test/unit/fapi-eventlog.c          | 8 +++++---
- 5 files changed, 10 insertions(+), 13 deletions(-)
+ configure.ac                     | 6 ------
+ src/tss2-esys/esys_crypto_ossl.c | 2 +-
+ src/tss2-fapi/ifapi_curl.c       | 6 +++---
+ test/unit/fapi-eventlog.c        | 8 +++++---
+ 4 files changed, 9 insertions(+), 13 deletions(-)
 
 diff --git a/configure.ac b/configure.ac
-index 4250802e..f1e0cd8d 100644
+index eb6051ea..7051e51c 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -189,12 +189,6 @@ AS_IF([test "x$enable_esys" = xyes],
@@ -29,10 +37,10 @@ index 4250802e..f1e0cd8d 100644
             TSS2_ESYS_LDFLAGS_CRYPTO="$CRYPTO_LIBS"
         ], [test "x$with_crypto" = xmbed], [
 diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c
-index 1620788c..503feefc 100644
+index 92625933..6b7166b4 100644
 --- a/src/tss2-esys/esys_crypto_ossl.c
 +++ b/src/tss2-esys/esys_crypto_ossl.c
-@@ -751,7 +751,7 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
+@@ -753,7 +753,7 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
                     "Could not duplicate OAEP label", cleanup);
      }
 
@@ -42,10 +50,10 @@ index 1620788c..503feefc 100644
          goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
                     "Could not set RSA label.", cleanup);
 diff --git a/src/tss2-fapi/ifapi_curl.c b/src/tss2-fapi/ifapi_curl.c
-index 976f36d0..ab39e5aa 100644
+index 35c04204..05839b86 100644
 --- a/src/tss2-fapi/ifapi_curl.c
 +++ b/src/tss2-fapi/ifapi_curl.c
-@@ -77,13 +77,13 @@ get_crl_from_cert(X509 *cert, X509_CRL **crl)
+@@ -89,13 +89,13 @@ get_crl_from_cert(X509 *cert, X509_CRL **crl)
      int curl_rc;
 
      *crl = NULL;
@@ -61,7 +69,7 @@ index 976f36d0..ab39e5aa 100644
              {
                  GENERAL_NAME *gen_name = sk_GENERAL_NAME_value(distpoint->name.fullname, j);
                  ASN1_IA5STRING *asn1_str = gen_name->d.uniformResourceIdentifier;
-@@ -160,7 +160,7 @@ ifapi_curl_verify_ek_cert(
+@@ -172,7 +172,7 @@ ifapi_curl_verify_ek_cert(
      X509_STORE_CTX *ctx = NULL;
      X509_CRL *crl_intermed = NULL;
      X509_CRL *crl_ek = NULL;
@@ -70,31 +78,19 @@ index 976f36d0..ab39e5aa 100644
      size_t ui;
      AUTHORITY_INFO_ACCESS *info = NULL;
      ASN1_IA5STRING *uri = NULL;
-diff --git a/src/tss2-fapi/ifapi_get_web_cert.c b/src/tss2-fapi/ifapi_get_web_cert.c
-index d06e8d81..b03dbf6e 100644
---- a/src/tss2-fapi/ifapi_get_web_cert.c
-+++ b/src/tss2-fapi/ifapi_get_web_cert.c
-@@ -10,6 +10,7 @@
- #include <string.h>
-
- #include <curl/curl.h>
-+#include <openssl/bio.h>
- #include <openssl/buffer.h>
- #include <openssl/evp.h>
- #include <openssl/sha.h>
 diff --git a/test/unit/fapi-eventlog.c b/test/unit/fapi-eventlog.c
-index dba463ad..84c46203 100644
+index 995e9ebb..4de5408a 100644
 --- a/test/unit/fapi-eventlog.c
 +++ b/test/unit/fapi-eventlog.c
-@@ -138,6 +138,7 @@ check_eventlog_pcr0(const char *file, uint32_t *pcr_list, size_t pcr_list_size,
+@@ -130,6 +130,7 @@ check_eventlog_pcr0(const char *file, uint32_t *pcr_list, size_t pcr_list_size,
      uint8_t *eventlog;
      size_t size;
      json_object *json_event_list = NULL;
 +#if HAVE_EVP_SM3
      IFAPI_PCR_REG pcrs[TPM2_MAX_PCRS];
 
      TPML_PCR_SELECTION pcr_selection =
-@@ -157,19 +158,20 @@ check_eventlog_pcr0(const char *file, uint32_t *pcr_list, size_t pcr_list_size,
+@@ -149,19 +150,20 @@ check_eventlog_pcr0(const char *file, uint32_t *pcr_list, size_t pcr_list_size,
           .buffer = { 0x15, 0xf4, 0xe6, 0xca, 0x45, 0x7d, 0x1a, 0xf6, 0xbc, 0x49,
                       0x51, 0x1a, 0x93, 0xba, 0x35, 0x00, 0xad, 0x69, 0xac, 0xc5 },
          };
@@ -117,7 +113,7 @@ index dba463ad..84c46203 100644
 
      json_object_put(json_event_list);
      SAFE_FREE(eventlog);
-@@ -179,7 +181,7 @@ static void
+@@ -171,7 +173,7 @@ static void
  check_bios_hcrtm(void **state)
  {