commit 2b472b0487be1badde8493a2422cd1185dd18019 Author: CentOS Sources Date: Tue May 18 02:37:16 2021 -0400 import tpm-tools-1.3.9.2-1.el8 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..345faa5 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/tpm-tools-1.3.9.2.tar.gz diff --git a/.tpm-tools.metadata b/.tpm-tools.metadata new file mode 100644 index 0000000..ff70eea --- /dev/null +++ b/.tpm-tools.metadata @@ -0,0 +1 @@ +ea481aab52e3cffa3a257ce848b07f3ea12b8923 SOURCES/tpm-tools-1.3.9.2.tar.gz diff --git a/SOURCES/0001-tpm-tools-fix-outdated-function-signature-in-tpmUnse.patch b/SOURCES/0001-tpm-tools-fix-outdated-function-signature-in-tpmUnse.patch new file mode 100644 index 0000000..e032344 --- /dev/null +++ b/SOURCES/0001-tpm-tools-fix-outdated-function-signature-in-tpmUnse.patch @@ -0,0 +1,29 @@ +From d11a2d62797e6794105470c1dd5f99017d9484e3 Mon Sep 17 00:00:00 2001 +From: Jerry Snitselaar +Date: Sun, 27 Jan 2019 23:17:02 -0700 +Subject: [PATCH] tpm-tools: fix outdated function signature in tpmUnsealFile + manpage + +The tpmUnsealFile manpage hasn't been updated with changes to tpmUnsealFile. + +Signed-off-by: Jerry Snitselaar +--- + man/man3/tpmUnsealFile.3 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/man/man3/tpmUnsealFile.3 b/man/man3/tpmUnsealFile.3 +index 1fda48f..c362298 100644 +--- a/man/man3/tpmUnsealFile.3 ++++ b/man/man3/tpmUnsealFile.3 +@@ -28,7 +28,7 @@ tpmUnsealFile, tpmUnsealShred, tpmUnsealStrerror - unseal routines + .hy 0 + .B #include + .sp +-.B int tpmUnsealFile(char* file, char** data, int* size); ++.B int tpmUnsealFile(char* fname, char** tss_data, int* tss_size, BOOL srkWellKnown); + .br + .B void tpmUnsealShred(char* data, int size); + .br +-- +2.20.1.98.gecbdaf0899 + diff --git a/SOURCES/0001-tpm_version-avoid-outputting-NULL-bytes-from-tpmVend.patch b/SOURCES/0001-tpm_version-avoid-outputting-NULL-bytes-from-tpmVend.patch new file mode 100644 index 0000000..e39ae8d --- /dev/null 
+++ b/SOURCES/0001-tpm_version-avoid-outputting-NULL-bytes-from-tpmVend.patch 
@@ -0,0 +1,54 @@ +From c927f67f36a4719bd15b8a535efb6980f1e87a6b Mon Sep 17 00:00:00 2001 +From: Matthias Gerstner +Date: Fri, 30 Nov 2018 12:48:37 +0100 +Subject: [PATCH] tpm_version: avoid outputting NULL bytes from tpmVendorID + +When the vendor ID contains null bytes then '^@' characters appear in +the tpm_version output. This can confuse users and it also causes e.g. +'grep' to treat the input as binary. Example: + + TPM Vendor ID: WEC\000 + +This change copies the vendor ID bytes over into a local string object. +This makes the code more independent of the vendor ID dimension and also +avoids NULL bytes being printed. +--- + src/tpm_mgmt/tpm_version.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/src/tpm_mgmt/tpm_version.c b/src/tpm_mgmt/tpm_version.c +index 1019b71..78b78e8 100644 +--- a/src/tpm_mgmt/tpm_version.c ++++ b/src/tpm_mgmt/tpm_version.c +@@ -133,6 +133,7 @@ int cmdVersion(const char *a_szCmd) + UINT64 offset; + TSS_RESULT uiResult; + TPM_CAP_VERSION_INFO versionInfo; ++ char vendor_id[sizeof(versionInfo.tpmVendorID)+1]; + char *errbuf = NULL; // Buffer containing what was sent to stderr during getCapability. + + /* Disable logging to of "Bad Mode" during this call. +@@ -169,15 +170,17 @@ int cmdVersion(const char *a_szCmd) + goto out_close; + } + ++ // copy over the individual characters into a regular string. ++ // This avoids that null bytes are written to stdout. 
++ snprintf ( vendor_id, sizeof(vendor_id), "%s", (const char*)versionInfo.tpmVendorID ); ++ + logMsg(_(" TPM 1.2 Version Info:\n")); + logMsg(_(" Chip Version: %hhu.%hhu.%hhu.%hhu\n"), + versionInfo.version.major, versionInfo.version.minor, + versionInfo.version.revMajor, versionInfo.version.revMinor); + logMsg(_(" Spec Level: %hu\n"), versionInfo.specLevel); + logMsg(_(" Errata Revision: %hhu\n"), versionInfo.errataRev); +- logMsg(_(" TPM Vendor ID: %c%c%c%c\n"), +- versionInfo.tpmVendorID[0], versionInfo.tpmVendorID[1], +- versionInfo.tpmVendorID[2], versionInfo.tpmVendorID[3]); ++ logMsg(_(" TPM Vendor ID: %s\n"), vendor_id); + + if (versionInfo.vendorSpecificSize) { + logMsg(_(" Vendor Specific data: ")); +-- +2.18.1 + diff --git a/SOURCES/0001-tpm_version-avoid-outputting-undefined-data-on-stder.patch b/SOURCES/0001-tpm_version-avoid-outputting-undefined-data-on-stder.patch new file mode 100644 index 0000000..949b58e --- /dev/null +++ b/SOURCES/0001-tpm_version-avoid-outputting-undefined-data-on-stder.patch 
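Review bot: The added `snprintf(vendor_id, sizeof(vendor_id), "%s", (const char*)versionInfo.tpmVendorID)` still depends on a NUL byte existing somewhere after the vendor ID: `%s` without a precision scans the source until it finds one, and the removed lines show the field is only ever read as bytes `[0]`..`[3]`, so a vendor ID that uses all of its bytes (no embedded NUL) makes the scan continue into whatever follows the field in `versionInfo`. The destination size bounds the output but not that read; a precision bounds both: `snprintf(vendor_id, sizeof(vendor_id), "%.*s", (int)sizeof(versionInfo.tpmVendorID), (const char *)versionInfo.tpmVendorID);`. With a precision the source need not be NUL-terminated and the copy still stops at the first NUL, so the `WEC\000` case from the commit message keeps working. Non-printable bytes other than NUL still reach stdout unchanged, which may be acceptable but is worth a comment. cmdVersion begins and ends outside the hunk.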
@@ -0,0 +1,38 @@ +From f0f30ff3e3b08751ebb8524303d80b6e94882134 Mon Sep 17 00:00:00 2001 +From: Matthias Gerstner +Date: Fri, 30 Nov 2018 13:17:01 +0100 +Subject: [PATCH] tpm_version: avoid outputting undefined data on stderr + +If there was no data written to the temporary file then memsize == 1, no +data will be read from the file into the buffer and the buffer will not +be null terminated. This can cause random data to be output later on to +the original stderr like: + +'#precedence ::ffff:0:0/' + +or + +'xl?8?' + +Fix this by making sure the buffer is always zero terminated. +--- + src/tpm_mgmt/tpm_version.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/tpm_mgmt/tpm_version.c b/src/tpm_mgmt/tpm_version.c +index 78b78e8..e563a8c 100644 +--- a/src/tpm_mgmt/tpm_version.c ++++ b/src/tpm_mgmt/tpm_version.c +@@ -99,6 +99,9 @@ char* end_capture_stderr(int olderr) + perror("read()"); + } + ++ // make sure the buffer is null terminated. ++ buf[st.st_size] = '\0'; ++ + // Restore stderr. + errout: + if (0 > dup2(olderr, STDERR_FILENO)) { +-- +2.18.1 + diff --git a/SOURCES/0003-Allocate-OpenSSL-cipher-contexts-for-seal-unseal.patch b/SOURCES/0003-Allocate-OpenSSL-cipher-contexts-for-seal-unseal.patch new file mode 100644 index 0000000..52aae01 --- /dev/null +++ b/SOURCES/0003-Allocate-OpenSSL-cipher-contexts-for-seal-unseal.patch 
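Review bot: `buf[st.st_size] = '\0';` terminates at the file size rather than at the number of bytes `read()` actually returned, so after a short read the bytes between the end of the data and `st.st_size` keep whatever the allocation held, and the stray output this patch is meant to remove can still appear. It also assumes the buffer was allocated with at least `st.st_size + 1` bytes; the allocation is outside the hunk and should be confirmed. Terminating at the read count, e.g. `buf[nread] = '\0';` where `nread` stands for the variable holding the `read()` result, forced to 0 on the `perror("read()")` path, covers both the empty-file case described in the commit message and the short-read case. end_capture_stderr begins and ends outside the hunk.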
@@ -0,0 +1,87 @@ +From 105c0f43399d75645be59b3c6be68b57a711d84a Mon Sep 17 00:00:00 2001 +From: Michal Schmidt +Date: Mon, 20 Feb 2017 12:00:39 +0100 +Subject: [PATCH] Allocate OpenSSL cipher contexts for seal/unseal + +Cipher contexts need to be allocated before using EVP_EncryptInit or +EVP_DecryptInit. Using a NULL context is invalid. + +Fixes: f50ab0949438 ("Support OpenSSL 1.1.0") +--- + lib/tpm_unseal.c | 11 ++++++++++- + src/cmds/tpm_sealdata.c | 10 +++++++++- + 2 files changed, 19 insertions(+), 2 deletions(-) + +diff --git a/lib/tpm_unseal.c b/lib/tpm_unseal.c +index 4aadf21ec1bb..88f21cf40b72 100644 +--- a/lib/tpm_unseal.c ++++ b/lib/tpm_unseal.c +@@ -87,6 +87,7 @@ int tpmUnsealFile( char* fname, unsigned char** tss_data, int* tss_size, + unsigned char* res_data = NULL; + int res_size = 0; + ++ EVP_CIPHER_CTX *ctx = NULL; + BIO *bdata = NULL, *b64 = NULL, *bmem = NULL; + int bioRc; + +@@ -408,7 +409,12 @@ int tpmUnsealFile( char* fname, unsigned char** tss_data, int* tss_size, + } + + /* Decode and decrypt the encrypted data */ +- EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); ++ ctx = EVP_CIPHER_CTX_new(); ++ if ( ctx == NULL ) { ++ rc = TPMSEAL_STD_ERROR; ++ tpm_errno = ENOMEM; ++ goto tss_out; ++ } + EVP_DecryptInit(ctx, EVP_aes_256_cbc(), symKey, (unsigned char *)TPMSEAL_IV); + + /* Create a base64 BIO to decode the encrypted data */ +@@ -459,6 +465,9 @@ out: + } else + free(res_data); + ++ if (ctx) ++ EVP_CIPHER_CTX_free(ctx); ++ + return rc; + } + +diff --git a/src/cmds/tpm_sealdata.c b/src/cmds/tpm_sealdata.c +index 88f63ca0ef89..cd5c49a37f64 100644 +--- a/src/cmds/tpm_sealdata.c ++++ b/src/cmds/tpm_sealdata.c +@@ -119,6 +119,7 @@ int main(int argc, char **argv) + int pswd_len; + BYTE wellKnown[TCPA_SHA1_160_HASH_LEN] = TSS_WELL_KNOWN_SECRET; + ++ EVP_CIPHER_CTX *ctx = NULL; + BIO *bin = NULL, *bdata=NULL, *b64=NULL; + + initIntlSys(); +@@ -343,7 +344,11 @@ int main(int argc, char **argv) + BIO_puts(bdata, TPMSEAL_ENC_STRING); + bdata = BIO_push(b64, 
bdata); + +- EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); ++ ctx = EVP_CIPHER_CTX_new(); ++ if (ctx == NULL) { ++ logError(_("Unable to allocate cipher context\n")); ++ goto out_close; ++ } + EVP_EncryptInit(ctx, EVP_aes_256_cbc(), randKey, (unsigned char *)TPMSEAL_IV); + + while ((lineLen = BIO_read(bin, line, sizeof(line))) > 0) { +@@ -375,5 +380,8 @@ out: + BIO_free(bdata); + if (b64) + BIO_free(b64); ++ if (ctx) ++ EVP_CIPHER_CTX_free(ctx); ++ + return iRc; + } +-- +2.27.0 + diff --git a/SPECS/tpm-tools.spec b/SPECS/tpm-tools.spec new file mode 100644 index 0000000..f6bae9c --- /dev/null +++ b/SPECS/tpm-tools.spec 
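Review bot: The new NULL checks stop at `EVP_CIPHER_CTX_new()`; the `EVP_DecryptInit(ctx, ...)` and `EVP_EncryptInit(ctx, ...)` calls on the very next lines remain unchecked, and these return 0 on failure, after which the following update/final calls operate on an uninitialised context and silently produce wrong data. Since each hunk now has an error path right there, extend it: in tpm_unseal.c `if (EVP_DecryptInit(ctx, EVP_aes_256_cbc(), symKey, (unsigned char *)TPMSEAL_IV) != 1) { rc = TPMSEAL_STD_ERROR; goto tss_out; }`, and the same shape with `logError(...); goto out_close;` for `EVP_EncryptInit` in tpm_sealdata.c. Also worth confirming that `out_close` in tpm_sealdata.c falls through to the `out:` block where the new `EVP_CIPHER_CTX_free(ctx)` lives, since that label is outside the hunk. Both tpmUnsealFile and main begin and end outside the hunks.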
@@ -0,0 +1,222 @@
+Name: tpm-tools
+Summary: Management tools for the TPM hardware
+Version: 1.3.9.2
+Release: 1%{?dist}
+License: CPL
+URL: http://trousers.sourceforge.net
+Source0: http://downloads.sourceforge.net/trousers/%{name}-%{version}.tar.gz
+BuildRequires: trousers-devel openssl-devel opencryptoki-devel gettext-devel autoconf automake libtool
+Patch0001: 0003-Allocate-OpenSSL-cipher-contexts-for-seal-unseal.patch
+Patch0002: 0001-tpm_version-avoid-outputting-NULL-bytes-from-tpmVend.patch
+Patch0003: 0001-tpm_version-avoid-outputting-undefined-data-on-stder.patch
+Patch0004: 0001-tpm-tools-fix-outdated-function-signature-in-tpmUnse.patch
+
+%description
+tpm-tools is a group of tools to manage and utilize the Trusted Computing
+Group's TPM hardware. TPM hardware can create, store and use RSA keys
+securely (without ever being exposed in memory), verify a platform's
+software state using cryptographic hashes and more.
+
+%package pkcs11
+Summary: Management tools using PKCS#11 for the TPM hardware
+# opencryptoki is dlopen'd, the Requires won't get picked up automatically
+Requires: opencryptoki-libs%{?_isa}
+
+%description pkcs11
+tpm-tools-pkcs11 is a group of tools that use the TPM PKCS#11 token. All data
+contained in the PKCS#11 data store is protected by the TPM (keys,
+certificates, etc.). You can import keys and certificates, list out the
+objects in the data store, and protect data.
+
+%package devel
+Summary: Files to use the library routines supplied with tpm-tools
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description devel
+tpm-tools-devel is a package that contains the libraries and headers necessary
+for developing tpm-tools applications.
+
+%prep
+%autosetup -p1 %{name}-%{version}
+
+%build
+chmod +x ./bootstrap.sh
+./bootstrap.sh
+%configure --disable-static --disable-rpath --disable-silent-rules
+%make_build
+
+%install
+%make_install INSTALL="install -p"
+rm -f $RPM_BUILD_ROOT/%{_libdir}/libtpm_unseal.la
+# autoreconf is not happy on rhel8 with tpm-tools, so temp
+# work around to get new manpages in place
+cp -p man/man1/tpm_unsealdata.1 %{buildroot}/%{_mandir}/man1
+cp -p man/man8/tpm_restrictsrk.8 %{buildroot}/%{_mandir}/man8
+
+%post -p /sbin/ldconfig
+
+%postun -p /sbin/ldconfig
+
+%files
+%license LICENSE
+%doc README
+%{_bindir}/tpm_*
+%{_sbindir}/tpm_*
+%{_libdir}/libtpm_unseal.so.?.?.?
+%{_libdir}/libtpm_unseal.so.?
+%{_mandir}/man1/tpm_*
+%{_mandir}/man8/tpm_*
+
+%files pkcs11
+%license LICENSE
+%{_bindir}/tpmtoken_*
+%{_mandir}/man1/tpmtoken_*
+
+%files devel
+%{_libdir}/libtpm_unseal.so
+%{_includedir}/tpm_tools/
+%{_mandir}/man3/tpmUnseal*
+
+%changelog
+* Tue Nov 03 2020 Jerry Snitselaar - 1.3.9.2-1
+- Rebase to 1.3.9.2 release.
+resolves: rhbz#1725781
+
+* Wed Jun 12 2019 Jerry Snitselaar - 1.3.9-7
+- Make sure new manpages get installed.
+resolves: rhbz#1669892
+
+* Wed Jun 05 2019 Jerry Snitselaar - 1.3.9-6
+- Fix annocheck warning
+resolves: rhbz#1624180
+
+* Wed May 22 2019 Jerry Snitselaar - 1.3.9-5
+- Add CI gating support
+- tpm_version: remove garbled text
+resolves: rhbz#1669892
+
+* Fri Feb 09 2018 Fedora Release Engineering - 1.3.9-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Thu Aug 03 2017 Fedora Release Engineering - 1.3.9-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering - 1.3.9-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Mon Feb 20 2017 Michal Schmidt - 1.3.9-1
+- Upstream release 1.3.9.
+- Add fixes for build errors with OpenSSL 1.1.
+- Add fixes for NULL cipher context use in seal/unseal.
+- spec file modernization.
+
+* Sat Feb 11 2017 Fedora Release Engineering - 1.3.8-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Fri Feb 05 2016 Fedora Release Engineering - 1.3.8-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Fri Jun 19 2015 Fedora Release Engineering - 1.3.8-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Mon Aug 18 2014 Fedora Release Engineering - 1.3.8-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Sun Jun 08 2014 Fedora Release Engineering - 1.3.8-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Thu Apr 03 2014 Michal Schmidt - 1.3.8-6
+- Fix FTBFS with current autotools (#1083627)
+- Drop tpm-tools-1.3.7-build.patch, the package builds without it (#952372)
+
+* Sun Aug 04 2013 Fedora Release Engineering - 1.3.8-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Fri Feb 15 2013 Fedora Release Engineering - 1.3.8-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Sat Jul 21 2012 Fedora Release Engineering - 1.3.8-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Tue Jul 3 2012 Peter Robinson - 1.3.8-2
+- Cleanup spec and modernise spec
+
+* Fri Jun 22 2012 Steve Grubb 1.3.8-1
+- New upstream release
+
+* Sat Jan 14 2012 Fedora Release Engineering - 1.3.7-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Mon Sep 19 2011 Steve Grubb 1.3.7-1
+- New upstream release
+
+* Fri Jun 24 2011 Steve Grubb 1.3.5-5
+- Remove -Werror from compile flags (#716046)
+
+* Wed Feb 09 2011 Fedora Release Engineering - 1.3.5-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Thu Jul 08 2010 Michal Schmidt - 1.3.5-3
+- Add the LICENSE file to the -pkcs11 subpackage too, as it may be
+ installed independently.
+- Remove useless macros.
+
+* Sun Feb 14 2010 Michal Schmidt - 1.3.5-2
+- Fix for DSO linking change.
+
+* Mon Feb 01 2010 Steve Grubb 1.3.5-1
+- New upstream bug fix release
+
+* Fri Jan 29 2010 Steve Grubb 1.3.4-2
+- Remove rpaths
+
+* Wed Oct 21 2009 Michal Schmidt - 1.3.4-1
+- Upstream release 1.3.4:
+ - adds SRK password support on unsealing
+- LICENSE is back.
+- Remove no longer needed patch:
+ tpm-tools-1.3.3-check-fwrite-success.patch
+
+* Fri Aug 21 2009 Tomas Mraz - 1.3.3-2
+- rebuilt with new openssl
+
+* Fri Aug 07 2009 Michal Schmidt 1.3.3-1
+- New upstream release 1.3.3.
+- No longer needed patch, dropped:
+ tpm-tools-conditionally-build-tpmtoken-manpages-Makefile.in.patch
+- Use global instead of define for macros.
+- Remove rpaths.
+- LICENSE file is suddenly missing in upstream tarball.
+- Added patch to allow compilation:
+ tpm-tools-1.3.3-check-fwrite-success.patch
+
+* Wed Jul 29 2009 Michal Schmidt 1.3.1-10
+- Split the pkcs11 utilities into a subpackage.
+
+* Wed Jul 29 2009 Michal Schmidt 1.3.1-9
+- Enable pkcs11 support (tpmtoken_* utilities).
+
+* Sun Jul 26 2009 Fedora Release Engineering - 1.3.1-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Wed Feb 25 2009 Fedora Release Engineering - 1.3.1-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Sun Jan 18 2009 Tomas Mraz - 1.3.1-6
+- rebuild with new openssl
+
+* Tue Feb 19 2008 Fedora Release Engineering - 1.3.1-5
+- Autorebuild for GCC 4.3
+
+* Tue Dec 18 2007 Kent Yoder - 1.3.1-4
+- Updated for comments in RHIT#394941 comment #6
+* Fri Dec 14 2007 Kent Yoder - 1.3.1-3
+- Updated to own the includedir/tpm_tools directory, removed
+requirement on trousers and ldconfig in post/postun
+* Thu Dec 13 2007 Kent Yoder - 1.3.1-2
+- Updated for Fedora package submission guidelines
+* Fri Nov 16 2007 Kent Yoder - 1.3.1
+- Updates to configure
+* Fri Oct 05 2007 Kent Yoder - 1.2.5.1
+- Updated build section to use smp_mflags
+
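Review bot: `Source0:` and `URL:` point at plain `http://` SourceForge addresses, so the only integrity anchor for the tarball in this import is the SHA-1 recorded in `.tpm-tools.metadata`; a build that refetches from `Source0` instead of the lookaside cache gets no transport protection at all. SourceForge serves both over TLS, so `Source0: https://downloads.sourceforge.net/trousers/%{name}-%{version}.tar.gz` and `URL: https://trousers.sourceforge.net` cost nothing. Separately, the `%install` comment calls the two `cp -p` manpage copies a temporary workaround but gives no condition for removing them; a note such as `# remove once make install places these manpages itself (see rhbz#1669892)` would keep the next rebase from carrying them forever.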