From 2a840eeba94bfd471e6392aacd2dee4b8ecfa077 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 15 Nov 2022 02:06:41 -0500
Subject: [PATCH] import tpm2-tss-3.0.3-8.el9
---
.gitignore | 1 +
.tpm2-tss.metadata | 1 +
...-of-the-root-certificate-for-provisi.patch | 61 +
...ssl-remove-non-needed-_ex-OSSL-funcs.patch | 99 ++
...-FAPI-Remove-useless-code-get_engine.patch | 63 ++
...ST_EK_CERT_LESS-with-disable-self-ge.patch | 42 +
...Remove-fauly-free-of-an-unused-field.patch | 40 +
...-LIBCRYPTO_CFLAGS-when-building-FAPI.patch | 29 +
...eprecated-OpenSSL_add_all_algorithms.patch | 44 +
...est-Remove-duplicate-openssl-req-new.patch | 35 +
...VP_DigestSignInit-in-the-correct-ord.patch | 76 ++
...SSL-context-for-internal-crypto-oper.patch | 657 +++++++++++
...olicy-computation-for-create-primary.patch | 70 ++
...-EVP_PKEY_base_id-to-detect-key-type.patch | 47 +
...007-FAPI-Fix-loading-of-primary-keys.patch | 137 +++
...est-Change-RSA_sign-to-EVP_PKEY_sign.patch | 100 ++
...tor-leak-when-tcti-initialization-fa.patch | 84 ++
SOURCES/0008-Require-OpenSSL-1.1.0.patch | 65 ++
...ge-SHA256_Update-to-EVP_DigestUpdate.patch | 124 ++
...I-Fix-leak-in-fapi-crypto-with-ossl3.patch | 28 +
...leak-after-ifapi_init_primary_finish.patch | 29 +
...est-Use-EVP_MAC_xxx-with-OpenSSL-3.0.patch | 124 ++
.../0011-Drop-support-for-OpenSSL-1.1.0.patch | 313 +++++
...rror-if-ESYS_TR_NONE-is-passed-to-Es.patch | 39 +
...y-leak-when-ifapi_get_certificates-f.patch | 45 +
...P_PKEY-export-import-for-OpenSSL-3.0.patch | 1005 +++++++++++++++++
...ject-when-keystore_search_obj-failed.patch | 25 +
...emory-leak-of-command-data-when-Fapi.patch | 27 +
...otation-error-of-Esys_TR_Deserialize.patch | 38 +
...memory-when-Fapi_Delete_Async-failed.patch | 50 +
...mory-when-Fapi_GetEsysBlob_Async-fai.patch | 44 +
...lize-object-used-for-keystore-search.patch | 30 +
...uffer-upcast-leading-to-misalignment.patch | 30 +
.../0020-esys_iutil-fix-possible-NPD.patch | 41 +
SOURCES/0021-sapi-scope-command-handles.patch | 269 +++++
...pi-use-correct-userdata-for-cbauthnv.patch | 26 +
...x-number-of-handles-for-FlushContext.patch | 36 +
SOURCES/tpm2-tss-3.0.0-doxygen.patch | 15 +
SPECS/tpm2-tss.spec | 329 ++++++
39 files changed, 4318 insertions(+)
create mode 100644 .gitignore
create mode 100644 .tpm2-tss.metadata
create mode 100644 SOURCES/0001-FAPI-Fix-reading-of-the-root-certificate-for-provisi.patch
create mode 100644 SOURCES/0001-esys_crypto_ossl-remove-non-needed-_ex-OSSL-funcs.patch
create mode 100644 SOURCES/0002-FAPI-Remove-useless-code-get_engine.patch
create mode 100644 SOURCES/0002-FAPI-use-FAPI_TEST_EK_CERT_LESS-with-disable-self-ge.patch
create mode 100644 SOURCES/0003-FAPI-Remove-fauly-free-of-an-unused-field.patch
create mode 100644 SOURCES/0003-Makefile.am-Use-LIBCRYPTO_CFLAGS-when-building-FAPI.patch
create mode 100644 SOURCES/0004-Remove-deprecated-OpenSSL_add_all_algorithms.patch
create mode 100644 SOURCES/0004-Test-Remove-duplicate-openssl-req-new.patch
create mode 100644 SOURCES/0005-FAPI-Test-Call-EVP_DigestSignInit-in-the-correct-ord.patch
create mode 100644 SOURCES/0005-Use-default-OpenSSL-context-for-internal-crypto-oper.patch
create mode 100644 SOURCES/0006-FAPI-Add-policy-computation-for-create-primary.patch
create mode 100644 SOURCES/0006-FAPI-Test-Use-EVP_PKEY_base_id-to-detect-key-type.patch
create mode 100644 SOURCES/0007-FAPI-Fix-loading-of-primary-keys.patch
create mode 100644 SOURCES/0007-FAPI-Test-Change-RSA_sign-to-EVP_PKEY_sign.patch
create mode 100644 SOURCES/0008-Fix-file-descriptor-leak-when-tcti-initialization-fa.patch
create mode 100644 SOURCES/0008-Require-OpenSSL-1.1.0.patch
create mode 100644 SOURCES/0009-FAPI-Change-SHA256_Update-to-EVP_DigestUpdate.patch
create mode 100644 SOURCES/0009-FAPI-Fix-leak-in-fapi-crypto-with-ossl3.patch
create mode 100644 SOURCES/0010-FAPI-Fix-memory-leak-after-ifapi_init_primary_finish.patch
create mode 100644 SOURCES/0010-Test-Use-EVP_MAC_xxx-with-OpenSSL-3.0.patch
create mode 100644 SOURCES/0011-Drop-support-for-OpenSSL-1.1.0.patch
create mode 100644 SOURCES/0011-esys-Return-an-error-if-ESYS_TR_NONE-is-passed-to-Es.patch
create mode 100644 SOURCES/0012-FAPI-Fixed-memory-leak-when-ifapi_get_certificates-f.patch
create mode 100644 SOURCES/0012-Implement-EVP_PKEY-export-import-for-OpenSSL-3.0.patch
create mode 100644 SOURCES/0013-FAPI-Free-object-when-keystore_search_obj-failed.patch
create mode 100644 SOURCES/0014-FAPI-Fixed-the-memory-leak-of-command-data-when-Fapi.patch
create mode 100644 SOURCES/0015-ESYS-Fixed-annotation-error-of-Esys_TR_Deserialize.patch
create mode 100644 SOURCES/0016-FAPI-Clean-up-memory-when-Fapi_Delete_Async-failed.patch
create mode 100644 SOURCES/0017-FAPI-Clean-up-memory-when-Fapi_GetEsysBlob_Async-fai.patch
create mode 100644 SOURCES/0018-FAPI-Initialize-object-used-for-keystore-search.patch
create mode 100644 SOURCES/0019-MU-Fix-buffer-upcast-leading-to-misalignment.patch
create mode 100644 SOURCES/0020-esys_iutil-fix-possible-NPD.patch
create mode 100644 SOURCES/0021-sapi-scope-command-handles.patch
create mode 100644 SOURCES/0022-fapi-use-correct-userdata-for-cbauthnv.patch
create mode 100644 SOURCES/0023-SAPI-fix-number-of-handles-for-FlushContext.patch
create mode 100644 SOURCES/tpm2-tss-3.0.0-doxygen.patch
create mode 100644 SPECS/tpm2-tss.spec
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..14d759d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/tpm2-tss-3.0.3.tar.gz
diff --git a/.tpm2-tss.metadata b/.tpm2-tss.metadata
new file mode 100644
index 0000000..a779edc
--- /dev/null
+++ b/.tpm2-tss.metadata
@@ -0,0 +1 @@
+f83a4a9e544893c42ec108f6616a75e2f209d2d3 SOURCES/tpm2-tss-3.0.3.tar.gz
diff --git a/SOURCES/0001-FAPI-Fix-reading-of-the-root-certificate-for-provisi.patch b/SOURCES/0001-FAPI-Fix-reading-of-the-root-certificate-for-provisi.patch
new file mode 100644
index 0000000..7bc8738
--- /dev/null
+++ b/SOURCES/0001-FAPI-Fix-reading-of-the-root-certificate-for-provisi.patch
@@ -0,0 +1,61 @@
+From c14bd543879f2336e57aa2dff0b437407d858272 Mon Sep 17 00:00:00 2001
+From: Juergen Repp
+Date: Fri, 19 Feb 2021 14:32:45 +0100
+Subject: FAPI: Fix reading of the root certificate for
+ provisioning.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+* The root certificate defined by the environment variable FAPI_TEST_ROOT_CERT will
+ only be used if it's allowed to use self generated root certificate with
+ ./configure --enable-self-generated-certificate
+
+* This option is added to all integration tests which are using the TPM simulator.
+
+ - Compared to the upstream commit 199b4edc the changes to CI config files
+ are omitted.
+
+Signed-off-by: Juergen Repp
+---
+ configure.ac | 8 ++++++++
+ src/tss2-fapi/api/Fapi_Provision.c | 4 ++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index f4df879c..d3bbb93d 100755
+--- a/configure.ac
++++ b/configure.ac
+@@ -440,6 +440,14 @@ AC_ARG_ENABLE([weakcrypto],
+ AS_IF([test "x$enable_weakcrypto" = "xyes"],
+ AC_DEFINE([DISABLE_WEAK_CRYPTO],[1],[DISABLE WEAK CRYPTO ALGORITHMS]))
+
++AC_ARG_ENABLE([self-generated-certificate],
++ [AS_HELP_STRING([--enable-self-generated-certificate],
++ [Alllow usage of self generated root certifcate])],,
++ [enable_self_generated_certificate=no])
++AS_IF([test "x$enable_self_generated_certificate" == xyes],
++ [AC_DEFINE([SELF_GENERATED_CERTIFICATE],[1], [Allow usage of self generated root certifcate])])
++
++
+ AC_SUBST([PATH])
+
+ dnl --------- Doxy Gen -----------------------
+diff --git a/src/tss2-fapi/api/Fapi_Provision.c b/src/tss2-fapi/api/Fapi_Provision.c
+index 00534a2e..9cf804ad 100644
+--- a/src/tss2-fapi/api/Fapi_Provision.c
++++ b/src/tss2-fapi/api/Fapi_Provision.c
+@@ -797,7 +797,11 @@ Fapi_Provision_Finish(FAPI_CONTEXT *context)
+
+ statecase(context->state, PROVISION_PREPARE_READ_ROOT_CERT);
+ /* Prepare reading of root certificate. */
++ root_ca_file = NULL;
++#ifdef SELF_GENERATED_CERTIFICATE
++#pragma message ( "*** Allow self generated certifcate ***" )
+ root_ca_file = getenv("FAPI_TEST_ROOT_CERT");
++#endif
+ if (!root_ca_file) {
+ context->state = PROVISION_EK_CHECK_CERT;
+ return TSS2_FAPI_RC_TRY_AGAIN;
+--
+2.26.3
diff --git a/SOURCES/0001-esys_crypto_ossl-remove-non-needed-_ex-OSSL-funcs.patch b/SOURCES/0001-esys_crypto_ossl-remove-non-needed-_ex-OSSL-funcs.patch
new file mode 100644
index 0000000..4a5dda9
--- /dev/null
+++ b/SOURCES/0001-esys_crypto_ossl-remove-non-needed-_ex-OSSL-funcs.patch
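Review bot: In the `Fapi_Provision_Finish` hunk of this carried patch, `root_ca_file = getenv("FAPI_TEST_ROOT_CERT");` is guarded only by the compile-time macro `SELF_GENERATED_CERTIFICATE`, so any build configured with `--enable-self-generated-certificate` lets the process environment choose the root certificate used during provisioning. Apart from the `#pragma message`, nothing in the source says this is a test-only path; a comment above the `#ifdef` such as `/* Test builds only: the environment may override the root CA used for provisioning. */` would document it. It is also worth confirming that the package spec, which is outside this part of the page, does not pass that configure flag. The function body continues outside the hunk.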
@@ -0,0 +1,99 @@
+From 446aef29b5e5d376a3724dbf95c851ac82baeb7f Mon Sep 17 00:00:00 2001
+From: William Roberts
+Date: Thu, 19 Nov 2020 11:09:56 -0600
+Subject: [PATCH 01/23] esys_crypto_ossl: remove non-needed _ex OSSL funcs
+
+Some of the OSSL _ex suffixed routines remained even after the ENGINE
+pointer was removed. The _ex functions with NULL engine don't do
+anything different then the non _ex suffixed ones. One _ex routine
+remains, RSA_generate_key_ex, becuase the _ex version is deprecated.
+
+Signed-off-by: William Roberts
+---
+ src/tss2-esys/esys_crypto_ossl.c | 23 +++++++++++------------
+ 1 file changed, 11 insertions(+), 12 deletions(-)
+
+diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c
+index 392f97ae..6856e92d 100644
+--- a/src/tss2-esys/esys_crypto_ossl.c
++++ b/src/tss2-esys/esys_crypto_ossl.c
+@@ -136,10 +136,9 @@ iesys_cryptossl_hash_start(IESYS_CRYPTO_CONTEXT_BLOB ** context,
+ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Error EVP_MD_CTX_create", cleanup);
+ }
+
+- if (1 != EVP_DigestInit_ex(mycontext->hash.ossl_context,
+- mycontext->hash.ossl_hash_alg,
+- NULL)) {
+- goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Errror EVP_DigestInit_ex", cleanup);
++ if (1 != EVP_DigestInit(mycontext->hash.ossl_context,
++ mycontext->hash.ossl_hash_alg)) {
++ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Errror EVP_DigestInit", cleanup);
+ }
+
+ *context = (IESYS_CRYPTO_CONTEXT_BLOB *) mycontext;
+@@ -241,13 +240,13 @@ iesys_cryptossl_hash_finish(IESYS_CRYPTO_CONTEXT_BLOB ** context,
+ return_error(TSS2_ESYS_RC_BAD_SIZE, "Buffer too small");
+ }
+
+- if (1 != EVP_DigestFinal_ex(mycontext->hash.ossl_context, buffer, &digest_size)) {
++ if (1 != EVP_DigestFinal(mycontext->hash.ossl_context, buffer, &digest_size)) {
+ return_error(TSS2_ESYS_RC_GENERAL_FAILURE, "Ossl error.");
+ }
+
+ if (digest_size != mycontext->hash.hash_len) {
+ return_error(TSS2_ESYS_RC_GENERAL_FAILURE,
+- "Invalid size computed by EVP_DigestFinal_ex");
++ "Invalid size computed by EVP_DigestFinal");
+ }
+
+ LOGBLOB_TRACE(buffer, mycontext->hash.hash_len, "read hash result");
+@@ -1056,11 +1055,11 @@ iesys_cryptossl_sym_aes_encrypt(uint8_t * key,
+ "Initialize cipher context", cleanup);
+ }
+
+- if (1 != EVP_EncryptInit_ex(ctx, cipher_alg, NULL, key, iv)) {
++ if (1 != EVP_EncryptInit(ctx, cipher_alg,key, iv)) {
+ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
+ "Initialize cipher operation", cleanup);
+ }
+- if (1 != EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv)) {
++ if (1 != EVP_EncryptInit(ctx, NULL, key, iv)) {
+ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Set key and iv", cleanup);
+ }
+
+@@ -1069,7 +1068,7 @@ iesys_cryptossl_sym_aes_encrypt(uint8_t * key,
+ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Encrypt update", cleanup);
+ }
+
+- if (1 != EVP_EncryptFinal_ex(ctx, buffer, &cipher_len)) {
++ if (1 != EVP_EncryptFinal(ctx, buffer, &cipher_len)) {
+ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Encrypt final", cleanup);
+ }
+ LOGBLOB_TRACE(buffer, buffer_size, "IESYS AES output");
+@@ -1144,12 +1143,12 @@ iesys_cryptossl_sym_aes_decrypt(uint8_t * key,
+
+ LOGBLOB_TRACE(buffer, buffer_size, "IESYS AES input");
+
+- if (1 != EVP_DecryptInit_ex(ctx, cipher_alg, NULL, key, iv)) {
++ if (1 != EVP_DecryptInit(ctx, cipher_alg, key, iv)) {
+ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
+ "Initialize cipher operation", cleanup);
+ }
+
+- if (1 != EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv)) {
++ if (1 != EVP_DecryptInit(ctx, NULL, key, iv)) {
+ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Set key and iv", cleanup);
+ }
+
+@@ -1158,7 +1157,7 @@ iesys_cryptossl_sym_aes_decrypt(uint8_t * key,
+ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Encrypt update", cleanup);
+ }
+
+- if (1 != EVP_DecryptFinal_ex(ctx, buffer, &cipher_len)) {
++ if (1 != EVP_DecryptFinal(ctx, buffer, &cipher_len)) {
+ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Encrypt final", cleanup);
+ }
+ LOGBLOB_TRACE(buffer, buffer_size, "IESYS AES output");
+--
+2.34.3
+
diff --git a/SOURCES/0002-FAPI-Remove-useless-code-get_engine.patch b/SOURCES/0002-FAPI-Remove-useless-code-get_engine.patch
new file mode 100644
index 0000000..045dca2
--- /dev/null
+++ b/SOURCES/0002-FAPI-Remove-useless-code-get_engine.patch
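Review bot: The rewritten error string in `iesys_cryptossl_hash_start` keeps the misspelling `"Errror EVP_DigestInit"`, and the new call `EVP_EncryptInit(ctx, cipher_alg,key, iv)` lacks the space after the second comma; both lines are already being touched, so `"Error EVP_DigestInit"` and `cipher_alg, key, iv` cost nothing. In the AES hunks the second call (`EVP_EncryptInit(ctx, NULL, key, iv)` and `EVP_DecryptInit(ctx, NULL, key, iv)`) passes the same key and IV that the first call already supplied, so it appears redundant and could be dropped after checking against the OpenSSL versions the package builds with. The unchanged context in `iesys_cryptossl_sym_aes_decrypt` still logs `"Encrypt update"` and `"Encrypt final"` on decrypt failures, which will mislead anyone triaging from logs. All of these functions start and end outside their hunks.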
@@ -0,0 +1,63 @@
+From 53a5ba5c8476097fb5145cee4bed61b82d0cc225 Mon Sep 17 00:00:00 2001
+From: Juergen Repp
+Date: Mon, 7 Jun 2021 09:47:30 +0200
+Subject: [PATCH 02/23] FAPI: Remove useless code get_engine.
+
+The function did always return NULL. So the default engine was used.
+Fixes #2085
+
+Signed-off-by: Juergen Repp
+---
+ src/tss2-fapi/fapi_crypto.c | 22 +---------------------
+ 1 file changed, 1 insertion(+), 21 deletions(-)
+
+diff --git a/src/tss2-fapi/fapi_crypto.c b/src/tss2-fapi/fapi_crypto.c
+index c50b5f0a..9c7e566c 100644
+--- a/src/tss2-fapi/fapi_crypto.c
++++ b/src/tss2-fapi/fapi_crypto.c
+@@ -56,9 +56,6 @@ typedef struct _IFAPI_CRYPTO_CONTEXT {
+ size_t hashSize;
+ } IFAPI_CRYPTO_CONTEXT;
+
+-/** A singleton crypto engine for hash operations */
+-static ENGINE *engine = NULL;
+-
+ /**
+ * Returns the signature scheme that is currently used in the FAPI context.
+ *
+@@ -228,23 +225,6 @@ ifapi_bn2binpad(const BIGNUM *bn, unsigned char *bin, int binSize)
+ return 1;
+ }
+
+-/**
+- * Returns the singleton hash engine for the use in ifapi_hash operations. If
+- * it does not yet exist, this function creates it.
+- *
+- * @retval A singleton hash engine
+- */
+-static ENGINE *
+-get_engine()
+-{
+- /* If an engine is present, it is returned */
+- if (engine)
+- return engine;
+- /* Otherwise, engine is created and returned */
+- engine = ENGINE_by_id(NULL);
+- return engine;
+-}
+-
+ /**
+ * Returns a suitable openSSL hash algorithm identifier for a given TSS hash
+ * algorithm identifier.
+@@ -1558,7 +1538,7 @@ ifapi_crypto_hash_start(IFAPI_CRYPTO_CONTEXT_BLOB **context,
+ }
+
+ if (1 != EVP_DigestInit_ex(mycontext->osslContext,
+- mycontext->osslHashAlgorithm, get_engine())) {
++ mycontext->osslHashAlgorithm, NULL)) {
+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Error EVP_DigestInit_ex",
+ cleanup);
+ }
+--
+2.34.3
+
diff --git a/SOURCES/0002-FAPI-use-FAPI_TEST_EK_CERT_LESS-with-disable-self-ge.patch b/SOURCES/0002-FAPI-use-FAPI_TEST_EK_CERT_LESS-with-disable-self-ge.patch
new file mode 100644
index 0000000..af47f2d
--- /dev/null
+++ b/SOURCES/0002-FAPI-use-FAPI_TEST_EK_CERT_LESS-with-disable-self-ge.patch
@@ -0,0 +1,42 @@
+From d680ea548b3ab066f6bea625af5d4000ca32cfee Mon Sep 17 00:00:00 2001
+From: Jonas Witschel
+Date: Mon, 1 Mar 2021 20:00:17 +0100
+Subject: FAPI: use FAPI_TEST_EK_CERT_LESS with
+ --disable-self-generated-certificate
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Since commit 199b4edc265b2f4758aa22ebf4ed6472a34b9a7a ("FAPI: Fix reading of
+the root certificate for provisioning.") it is required to specify
+--enable-self-generated-certificate in order to make the FAPI integration tests
+pass. This is an option that should usually not be enabled in production builds
+for security reasons, but still some form of integration testing might be
+desirable in this case to verify whether the compiled library works as
+expected. Use FAPI_TEST_EK_CERT_LESS in this case to run the tests without EK
+certificate validation.
+
+Signed-off-by: Jonas Witschel
+---
+ configure.ac | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index d3bbb93d..d4324c9a 100755
+--- a/configure.ac
++++ b/configure.ac
+@@ -444,8 +444,9 @@ AC_ARG_ENABLE([self-generated-certificate],
+ [AS_HELP_STRING([--enable-self-generated-certificate],
+ [Alllow usage of self generated root certifcate])],,
+ [enable_self_generated_certificate=no])
+-AS_IF([test "x$enable_self_generated_certificate" == xyes],
+- [AC_DEFINE([SELF_GENERATED_CERTIFICATE],[1], [Allow usage of self generated root certifcate])])
++AS_IF([test "x$enable_self_generated_certificate" = xyes],
++ [AC_DEFINE([SELF_GENERATED_CERTIFICATE], [1], [Allow usage of self generated root certificate])],
++ [AS_IF([test "x$integration_tcti" != "xdevice"], [AC_DEFINE([FAPI_TEST_EK_CERT_LESS], [1], [Perform integration tests without EK certificate verification])])])
+
+
+ AC_SUBST([PATH])
+--
+2.26.3
+
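Review bot: The new else-branch of the `AS_IF` defines `FAPI_TEST_EK_CERT_LESS` whenever `$integration_tcti` is anything other than `device`, which presumably includes the case where the variable is empty because integration tests were never configured. Because `AC_DEFINE` places the macro in the generated config header, any library source that tests it would skip EK certificate verification in an ordinary build; this hunk does not show whether only test sources consume it, so that needs confirming. Making the condition an explicit check that integration testing is enabled, with a comment such as `dnl test-only: must never be consumed by library code`, would remove the ambiguity. The `AS_HELP_STRING` context line still reads `Alllow usage of self generated root certifcate` although the `AC_DEFINE` description was corrected.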
diff --git a/SOURCES/0003-FAPI-Remove-fauly-free-of-an-unused-field.patch b/SOURCES/0003-FAPI-Remove-fauly-free-of-an-unused-field.patch
new file mode 100644
index 0000000..cbebb20
--- /dev/null
+++ b/SOURCES/0003-FAPI-Remove-fauly-free-of-an-unused-field.patch
@@ -0,0 +1,40 @@
+From 29f7b2855a9d1378bb8a757564e1f0367a84cb70 Mon Sep 17 00:00:00 2001
+From: Juergen Repp
+Date: Tue, 3 Aug 2021 16:24:41 +0200
+Subject: [PATCH 03/23] FAPI: Remove fauly free of an unused field.
+
+The field out_data in IFAPI_Data_EncryptDecrypt was not used but freed in Fapi_Encrypt.
+
+Signed-off-by: Juergen Repp
+---
+ src/tss2-fapi/api/Fapi_Encrypt.c | 1 -
+ src/tss2-fapi/fapi_int.h | 1 -
+ 2 files changed, 2 deletions(-)
+
+diff --git a/src/tss2-fapi/api/Fapi_Encrypt.c b/src/tss2-fapi/api/Fapi_Encrypt.c
+index 2e892351..af8e2c58 100644
+--- a/src/tss2-fapi/api/Fapi_Encrypt.c
++++ b/src/tss2-fapi/api/Fapi_Encrypt.c
+@@ -405,7 +405,6 @@ error_cleanup:
+ SAFE_FREE(tpmCipherText);
+ SAFE_FREE(command->keyPath);
+ SAFE_FREE(command->in_data);
+- SAFE_FREE(command->out_data);
+ ifapi_session_clean(context);
+ LOG_TRACE("finished");
+ return r;
+diff --git a/src/tss2-fapi/fapi_int.h b/src/tss2-fapi/fapi_int.h
+index 90707da1..13c0333e 100644
+--- a/src/tss2-fapi/fapi_int.h
++++ b/src/tss2-fapi/fapi_int.h
+@@ -386,7 +386,6 @@ typedef struct {
+ uint8_t const *in_data;
+ size_t in_dataSize;
+ IFAPI_OBJECT *key_object; /**< The IPAPI object for the encryption key */
+- uint8_t *out_data; /**< The output of symmetric encrypt/decryption */
+ ESYS_TR key_handle; /**< The ESYS handle of the encryption key */
+ size_t numBytes; /**< The number of bytes of a ESYS request */
+ size_t decrypt; /**< Switch whether to encrypt or decrypt */
+--
+2.34.3
+
diff --git a/SOURCES/0003-Makefile.am-Use-LIBCRYPTO_CFLAGS-when-building-FAPI.patch b/SOURCES/0003-Makefile.am-Use-LIBCRYPTO_CFLAGS-when-building-FAPI.patch
new file mode 100644
index 0000000..3da7764
--- /dev/null
+++ b/SOURCES/0003-Makefile.am-Use-LIBCRYPTO_CFLAGS-when-building-FAPI.patch
@@ -0,0 +1,29 @@
+From c5933320e1bd557cc52f2d56baec4ea52edfbc47 Mon Sep 17 00:00:00 2001
+From: Petr Gotthard
+Date: Sat, 17 Jul 2021 20:15:51 +0200
+Subject: Makefile.am: Use LIBCRYPTO_CFLAGS when building FAPI
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Petr Gotthard
+---
+ Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index f2fa515a..0f759adb 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -521,7 +521,7 @@ src_tss2_fapi_libtss2_fapi_la_LIBADD = $(libtss2_sys) $(libtss2_mu) $(libtss2_e
+ $(libutil) $(libtss2_tctildr)
+
+ src_tss2_fapi_libtss2_fapi_la_SOURCES = $(TSS2_FAPI_SRC)
+-src_tss2_fapi_libtss2_fapi_la_CFLAGS = $(AM_CFLAGS) -I$(srcdir)/src/tss2-fapi
++src_tss2_fapi_libtss2_fapi_la_CFLAGS = $(AM_CFLAGS) -I$(srcdir)/src/tss2-fapi $(LIBCRYPTO_CFLAGS)
+ src_tss2_fapi_libtss2_fapi_la_LDFLAGS = $(AM_LDFLAGS) $(LIBCRYPTO_LIBS) $(JSONC_LIBS) $(CURL_LIBS)
+ if HAVE_LD_VERSION_SCRIPT
+ src_tss2_fapi_libtss2_fapi_la_LDFLAGS += -Wl,--version-script=$(srcdir)/lib/tss2-fapi.map
+--
+2.26.3
+
diff --git a/SOURCES/0004-Remove-deprecated-OpenSSL_add_all_algorithms.patch b/SOURCES/0004-Remove-deprecated-OpenSSL_add_all_algorithms.patch
new file mode 100644
index 0000000..6f62186
--- /dev/null
+++ b/SOURCES/0004-Remove-deprecated-OpenSSL_add_all_algorithms.patch
@@ -0,0 +1,44 @@
+From 3a5967ba620849839e71ee304c09a6998109466a Mon Sep 17 00:00:00 2001
+From: Petr Gotthard
+Date: Mon, 2 Aug 2021 15:50:26 +0200
+Subject: [PATCH 04/23] Remove deprecated OpenSSL_add_all_algorithms
+
+From OpenSSL 1.1.0 it is deprecated. No explicit initialisation or
+de-initialisation is required.
+
+Signed-off-by: Petr Gotthard
+---
+ src/tss2-esys/esys_crypto_ossl.c | 2 +-
+ src/tss2-fapi/ifapi_get_intl_cert.c | 3 ---
+ 2 files changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c
+index 6856e92d..ab08b3b8 100644
+--- a/src/tss2-esys/esys_crypto_ossl.c
++++ b/src/tss2-esys/esys_crypto_ossl.c
+@@ -1173,7 +1173,7 @@ iesys_cryptossl_sym_aes_decrypt(uint8_t * key,
+ *
+ * Initialize OpenSSL internal tables.
+ *
+- * @retval TSS2_RC_SUCCESS always returned because OpenSSL_add_all_algorithms
++ * @retval TSS2_RC_SUCCESS always returned
+ * does not deliver
+ * a return code.
+ */
+diff --git a/src/tss2-fapi/ifapi_get_intl_cert.c b/src/tss2-fapi/ifapi_get_intl_cert.c
+index 9290a17e..35186e62 100644
+--- a/src/tss2-fapi/ifapi_get_intl_cert.c
++++ b/src/tss2-fapi/ifapi_get_intl_cert.c
+@@ -375,9 +375,6 @@ out_free_json:
+ json_object_put(jso);
+
+ out:
+- /* In some case this call was necessary after curl usage */
+- OpenSSL_add_all_algorithms();
+-
+ free(hash);
+ if (rc == 0) {
+ return TSS2_RC_SUCCESS;
+--
+2.34.3
+
diff --git a/SOURCES/0004-Test-Remove-duplicate-openssl-req-new.patch b/SOURCES/0004-Test-Remove-duplicate-openssl-req-new.patch
new file mode 100644
index 0000000..a8c4d23
--- /dev/null
+++ b/SOURCES/0004-Test-Remove-duplicate-openssl-req-new.patch
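Review bot: After the edit in `esys_crypto_ossl.c` the doc comment reads `@retval TSS2_RC_SUCCESS always returned` followed by the leftover continuation lines `does not deliver` and `a return code.`, which no longer form a sentence. Drop the two dangling lines so the entry is just `* @retval TSS2_RC_SUCCESS always returned.` The description line `Initialize OpenSSL internal tables.` may also be stale now that explicit initialisation is gone, but the function body is outside the hunk, so that is only a guess.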
@@ -0,0 +1,35 @@
+From 738f6f045e740c3fc21579297990d60b7c2e83ed Mon Sep 17 00:00:00 2001
+From: Petr Gotthard
+Date: Sat, 17 Jul 2021 20:23:32 +0200
+Subject: Test: Remove duplicate openssl req -new
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The command is called twice, which is superfluous. Both the key
+and the certificate are created already by the first command.
+
+Signed-off-by: Petr Gotthard
+---
+ script/ekca/create_ca.sh | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/script/ekca/create_ca.sh b/script/ekca/create_ca.sh
+index 90a5c791..61d976a3 100755
+--- a/script/ekca/create_ca.sh
++++ b/script/ekca/create_ca.sh
+@@ -94,11 +94,6 @@ ${SED_CMD} "s|ROOTCRT|$ROOT_URL|g" $OPENSSL_CONF
+
+ openssl req -new -out intermed-ca.req.pem -passout file:pass.txt
+
+-openssl req -new \
+- -key private/intermed-ca.key.pem \
+- -out intermed-ca.req.pem \
+- -passin file:pass.txt
+-
+ openssl rsa -inform PEM -in private/intermed-ca.key.pem \
+ -outform DER -out private/intermed-ca.key.der -passin file:pass.txt
+
+--
+2.26.3
+
diff --git a/SOURCES/0005-FAPI-Test-Call-EVP_DigestSignInit-in-the-correct-ord.patch b/SOURCES/0005-FAPI-Test-Call-EVP_DigestSignInit-in-the-correct-ord.patch
new file mode 100644
index 0000000..206f5de
--- /dev/null
+++ b/SOURCES/0005-FAPI-Test-Call-EVP_DigestSignInit-in-the-correct-ord.patch
@@ -0,0 +1,76 @@
+From 563f9c951d9b050378b9d3659a932c98ab587b21 Mon Sep 17 00:00:00 2001
+From: Petr Gotthard
+Date: Sat, 17 Jul 2021 21:22:28 +0200
+Subject: FAPI Test: Call EVP_DigestSignInit in the correct order
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The EVP_DigestSignInit should be called only once and before calling
+EVP_PKEY_CTX_set_rsa_padding. See a corresponding example
+[here](https://www.openssl.org/docs/man1.0.2/man3/EVP_PKEY_sign_init.html)
+
+Current code works with OpenSSL 1.x, but fails with OpenSSL 3.0.
+This PR makes the code compatible with OpenSSL 1.0 through 3.0.
+
+Signed-off-by: Petr Gotthard
+---
+ test/integration/fapi-data-crypt.int.c | 8 ++------
+ test/integration/fapi-key-create-policy-signed.int.c | 8 ++------
+ 2 files changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/test/integration/fapi-data-crypt.int.c b/test/integration/fapi-data-crypt.int.c
+index b2d20b28..d42466db 100644
+--- a/test/integration/fapi-data-crypt.int.c
++++ b/test/integration/fapi-data-crypt.int.c
+@@ -129,8 +129,8 @@ signatureCallback(
+ mdctx = EVP_MD_CTX_create();
+ chknull(mdctx);
+
+- if (1 != EVP_DigestSignInit(mdctx, &pctx, NULL, NULL, priv_key)) {
+- goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL digest sign init.",
++ if (1 != EVP_DigestSignInit(mdctx, &pctx, ossl_hash, NULL, priv_key)) {
++ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.",
+ error_cleanup);
+ }
+ if (EVP_PKEY_type(EVP_PKEY_id(priv_key)) == EVP_PKEY_RSA) {
+@@ -140,10 +140,6 @@ signatureCallback(
+ error_cleanup);
+ }
+ }
+- if (1 != EVP_DigestSignInit(mdctx, &pctx, ossl_hash, NULL, priv_key)) {
+- goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.",
+- error_cleanup);
+- }
+ if (1 != EVP_DigestSignUpdate(mdctx, dataToSign, dataToSignSize)) {
+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign update.",
+ error_cleanup);
+diff --git a/test/integration/fapi-key-create-policy-signed.int.c b/test/integration/fapi-key-create-policy-signed.int.c
+index e51289a6..b903dec0 100644
+--- a/test/integration/fapi-key-create-policy-signed.int.c
++++ b/test/integration/fapi-key-create-policy-signed.int.c
+@@ -144,8 +144,8 @@ signatureCallback(
+ mdctx = EVP_MD_CTX_create();
+ chknull(mdctx);
+
+- if (1 != EVP_DigestSignInit(mdctx, &pctx, NULL, NULL, priv_key)) {
+- goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL digest sign init.",
++ if (1 != EVP_DigestSignInit(mdctx, &pctx, ossl_hash, NULL, priv_key)) {
++ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.",
+ error_cleanup);
+ }
+ if (EVP_PKEY_type(EVP_PKEY_id(priv_key)) == EVP_PKEY_RSA) {
+@@ -155,10 +155,6 @@ signatureCallback(
+ error_cleanup);
+ }
+ }
+- if (1 != EVP_DigestSignInit(mdctx, &pctx, ossl_hash, NULL, priv_key)) {
+- goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.",
+- error_cleanup);
+- }
+ if (1 != EVP_DigestSignUpdate(mdctx, dataToSign, dataToSignSize)) {
+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign update.",
+ error_cleanup);
+--
+2.26.3
+
diff --git a/SOURCES/0005-Use-default-OpenSSL-context-for-internal-crypto-oper.patch b/SOURCES/0005-Use-default-OpenSSL-context-for-internal-crypto-oper.patch
new file mode 100644
index 0000000..9617245
--- /dev/null
+++ b/SOURCES/0005-Use-default-OpenSSL-context-for-internal-crypto-oper.patch
@@ -0,0 +1,657 @@ +From 5b777f29fd612f9972d416ed77b90156e2373e9f Mon Sep 17 00:00:00 2001 +From: Petr Gotthard +Date: Wed, 25 Aug 2021 14:02:38 +0200 +Subject: [PATCH 05/23] Use default OpenSSL context for internal crypto + operations + +The TPM2 provider may be loaded in the global library context. +As we don't want the TPM to be called for some operations, we have +to initialize own library context with the default provider. + +This is similar to the RAND_set_rand_method dance with older OpenSSL. + +Signed-off-by: Petr Gotthard +--- + src/tss2-esys/esys_crypto_ossl.c | 175 ++++++++++++++++++++++--------- + src/tss2-fapi/fapi_crypto.c | 152 ++++++++++++++++++--------- + 2 files changed, 225 insertions(+), 102 deletions(-) + +diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c +index ab08b3b8..35af2028 100644 +--- a/src/tss2-esys/esys_crypto_ossl.c ++++ b/src/tss2-esys/esys_crypto_ossl.c +@@ -66,38 +66,101 @@ typedef struct _IESYS_CRYPTO_CONTEXT { + } type; /**< The type of context to hold; hash or hmac */ + union { + struct { +- EVP_MD_CTX *ossl_context; ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + const EVP_MD *ossl_hash_alg; ++#else ++ OSSL_LIB_CTX *ossl_libctx; ++ EVP_MD *ossl_hash_alg; ++#endif ++ EVP_MD_CTX *ossl_context; + size_t hash_len; +- } hash; /**< the state variables for a hash context */ +- struct { +- EVP_MD_CTX *ossl_context; +- const EVP_MD *ossl_hash_alg; +- size_t hmac_len; +- } hmac; /**< the state variables for an hmac context */ ++ } hash; /**< the state variables for a HASH or HMAC context */ + }; + } IESYS_CRYPTOSSL_CONTEXT; + +-const EVP_MD * ++static IESYS_CRYPTOSSL_CONTEXT * ++iesys_cryptossl_context_new() { ++ IESYS_CRYPTOSSL_CONTEXT *ctx; ++ ++ if (!(ctx = calloc(1, sizeof(IESYS_CRYPTOSSL_CONTEXT)))) ++ return NULL; ++ ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++ /* The TPM2 provider may be loaded in the global library context. 
++ * As we don't want the TPM to be called for these operations, we have ++ * to initialize own library context with the default provider. */ ++ if (!(ctx->hash.ossl_libctx = OSSL_LIB_CTX_new())) { ++ SAFE_FREE(ctx); ++ return NULL; ++ } ++#endif ++ return ctx; ++} ++ ++static void ++iesys_cryptossl_context_free(IESYS_CRYPTOSSL_CONTEXT *ctx) { ++ if (!ctx) ++ return; ++ ++ EVP_MD_CTX_free(ctx->hash.ossl_context); ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++ EVP_MD_free(ctx->hash.ossl_hash_alg); ++ OSSL_LIB_CTX_free(ctx->hash.ossl_libctx); ++#endif ++ SAFE_FREE(ctx); ++} ++ ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++static const EVP_MD * + get_ossl_hash_md(TPM2_ALG_ID hashAlg) + { + switch (hashAlg) { + case TPM2_ALG_SHA1: + return EVP_sha1(); +- break; + case TPM2_ALG_SHA256: + return EVP_sha256(); +- break; + case TPM2_ALG_SHA384: + return EVP_sha384(); +- break; + case TPM2_ALG_SHA512: + return EVP_sha512(); +- break; + default: + return NULL; + } + } ++#else ++static const char * ++get_ossl_hash_md(TPM2_ALG_ID hashAlg) ++{ ++ switch (hashAlg) { ++ case TPM2_ALG_SHA1: ++ return "SHA1"; ++ case TPM2_ALG_SHA256: ++ return "SHA256"; ++ case TPM2_ALG_SHA384: ++ return "SHA384"; ++ case TPM2_ALG_SHA512: ++ return "SHA512"; ++ default: ++ return NULL; ++ } ++} ++#endif ++ ++static int ++iesys_cryptossl_context_set_hash_md(IESYS_CRYPTOSSL_CONTEXT *ctx, TPM2_ALG_ID hashAlg) { ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++ ctx->hash.ossl_hash_alg = get_ossl_hash_md(hashAlg); ++#else ++ const char *alg_name = get_ossl_hash_md(hashAlg); ++ if (!alg_name) ++ return 0; ++ ctx->hash.ossl_hash_alg = EVP_MD_fetch(ctx->hash.ossl_libctx, alg_name, NULL); ++#endif ++ if (!ctx->hash.ossl_hash_alg) ++ return 0; ++ ++ return 1; ++} + + /** Provide the context for the computation of a hash digest. 
+ * +@@ -117,12 +180,12 @@ iesys_cryptossl_hash_start(IESYS_CRYPTO_CONTEXT_BLOB ** context, + LOG_TRACE("call: context=%p hashAlg=%"PRIu16, context, hashAlg); + return_if_null(context, "Context is NULL", TSS2_ESYS_RC_BAD_REFERENCE); + return_if_null(context, "Null-Pointer passed for context", TSS2_ESYS_RC_BAD_REFERENCE); +- IESYS_CRYPTOSSL_CONTEXT *mycontext; +- mycontext = calloc(1, sizeof(IESYS_CRYPTOSSL_CONTEXT)); ++ ++ IESYS_CRYPTOSSL_CONTEXT *mycontext = iesys_cryptossl_context_new(); + return_if_null(mycontext, "Out of Memory", TSS2_ESYS_RC_MEMORY); + mycontext->type = IESYS_CRYPTOSSL_TYPE_HASH; + +- if (!(mycontext->hash.ossl_hash_alg = get_ossl_hash_md(hashAlg))) { ++ if (!iesys_cryptossl_context_set_hash_md(mycontext, hashAlg)) { + goto_error(r, TSS2_ESYS_RC_NOT_IMPLEMENTED, + "Unsupported hash algorithm (%"PRIu16")", cleanup, hashAlg); + } +@@ -132,12 +195,12 @@ iesys_cryptossl_hash_start(IESYS_CRYPTO_CONTEXT_BLOB ** context, + "Unsupported hash algorithm (%"PRIu16")", cleanup, hashAlg); + } + +- if (!(mycontext->hash.ossl_context = EVP_MD_CTX_create())) { ++ if (!(mycontext->hash.ossl_context = EVP_MD_CTX_create())) { + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Error EVP_MD_CTX_create", cleanup); + } + + if (1 != EVP_DigestInit(mycontext->hash.ossl_context, +- mycontext->hash.ossl_hash_alg)) { ++ mycontext->hash.ossl_hash_alg)) { + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Errror EVP_DigestInit", cleanup); + } + +@@ -146,9 +209,7 @@ iesys_cryptossl_hash_start(IESYS_CRYPTO_CONTEXT_BLOB ** context, + return TSS2_RC_SUCCESS; + + cleanup: +- if (mycontext->hash.ossl_context) +- EVP_MD_CTX_destroy(mycontext->hash.ossl_context); +- SAFE_FREE(mycontext); ++ iesys_cryptossl_context_free(mycontext); + + return r; + } +@@ -252,8 +313,8 @@ iesys_cryptossl_hash_finish(IESYS_CRYPTO_CONTEXT_BLOB ** context, + LOGBLOB_TRACE(buffer, mycontext->hash.hash_len, "read hash result"); + + *size = mycontext->hash.hash_len; +- 
EVP_MD_CTX_destroy(mycontext->hash.ossl_context); +- free(mycontext); ++ ++ iesys_cryptossl_context_free(mycontext); + *context = NULL; + + return TSS2_RC_SUCCESS; +@@ -279,8 +340,7 @@ iesys_cryptossl_hash_abort(IESYS_CRYPTO_CONTEXT_BLOB ** context) + return; + } + +- EVP_MD_CTX_destroy(mycontext->hash.ossl_context); +- free(mycontext); ++ iesys_cryptossl_context_free(mycontext); + *context = NULL; + } + +@@ -313,20 +373,20 @@ iesys_cryptossl_hmac_start(IESYS_CRYPTO_CONTEXT_BLOB ** context, + return_error(TSS2_ESYS_RC_BAD_REFERENCE, + "Null-Pointer passed in for context"); + } +- IESYS_CRYPTOSSL_CONTEXT *mycontext = calloc(1, sizeof(IESYS_CRYPTOSSL_CONTEXT)); ++ IESYS_CRYPTOSSL_CONTEXT *mycontext = iesys_cryptossl_context_new(); + return_if_null(mycontext, "Out of Memory", TSS2_ESYS_RC_MEMORY); + +- if (!(mycontext->hmac.ossl_hash_alg = get_ossl_hash_md(hashAlg))) { ++ if (!iesys_cryptossl_context_set_hash_md(mycontext, hashAlg)) { + goto_error(r, TSS2_ESYS_RC_NOT_IMPLEMENTED, + "Unsupported hash algorithm (%"PRIu16")", cleanup, hashAlg); + } + +- if (iesys_crypto_hash_get_digest_size(hashAlg, &mycontext->hmac.hmac_len)) { ++ if (iesys_crypto_hash_get_digest_size(hashAlg, &mycontext->hash.hash_len)) { + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, + "Unsupported hash algorithm (%"PRIu16")", cleanup, hashAlg); + } + +- if (!(mycontext->hmac.ossl_context = EVP_MD_CTX_create())) { ++ if (!(mycontext->hash.ossl_context = EVP_MD_CTX_create())) { + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, + "Error EVP_MD_CTX_create", cleanup); + } +@@ -341,8 +401,8 @@ iesys_cryptossl_hmac_start(IESYS_CRYPTO_CONTEXT_BLOB ** context, + "Failed to create HMAC key", cleanup); + } + +- if(1 != EVP_DigestSignInit(mycontext->hmac.ossl_context, NULL, +- mycontext->hmac.ossl_hash_alg, NULL, hkey)) { ++ if(1 != EVP_DigestSignInit(mycontext->hash.ossl_context, NULL, ++ mycontext->hash.ossl_hash_alg, NULL, hkey)) { + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, + "DigestSignInit", cleanup); + } +@@ 
-356,11 +416,9 @@ iesys_cryptossl_hmac_start(IESYS_CRYPTO_CONTEXT_BLOB ** context, + return TSS2_RC_SUCCESS; + + cleanup: +- if (mycontext->hmac.ossl_context) +- EVP_MD_CTX_destroy(mycontext->hmac.ossl_context); + if(hkey) + EVP_PKEY_free(hkey); +- SAFE_FREE(mycontext); ++ iesys_cryptossl_context_free(mycontext); + return r; + } + +@@ -391,7 +449,7 @@ iesys_cryptossl_hmac_update(IESYS_CRYPTO_CONTEXT_BLOB * context, + LOGBLOB_TRACE(buffer, size, "Updating hmac with"); + + /* Call update with the message */ +- if(1 != EVP_DigestSignUpdate(mycontext->hmac.ossl_context, buffer, size)) { ++ if(1 != EVP_DigestSignUpdate(mycontext->hash.ossl_context, buffer, size)) { + return_error(TSS2_ESYS_RC_GENERAL_FAILURE, "OSSL HMAC update"); + } + +@@ -448,19 +506,18 @@ iesys_cryptossl_hmac_finish(IESYS_CRYPTO_CONTEXT_BLOB ** context, + return_error(TSS2_ESYS_RC_BAD_REFERENCE, "bad context"); + } + +- if (*size < mycontext->hmac.hmac_len) { ++ if (*size < mycontext->hash.hash_len) { + return_error(TSS2_ESYS_RC_BAD_SIZE, "Buffer too small"); + } + +- if (1 != EVP_DigestSignFinal(mycontext->hmac.ossl_context, buffer, size)) { ++ if (1 != EVP_DigestSignFinal(mycontext->hash.ossl_context, buffer, size)) { + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "DigestSignFinal", cleanup); + } + + LOGBLOB_TRACE(buffer, *size, "read hmac result"); + + cleanup: +- EVP_MD_CTX_destroy(mycontext->hmac.ossl_context); +- SAFE_FREE(mycontext); ++ iesys_cryptossl_context_free(mycontext); + *context = NULL; + return r; + } +@@ -510,9 +567,7 @@ iesys_cryptossl_hmac_abort(IESYS_CRYPTO_CONTEXT_BLOB ** context) + return; + } + +- EVP_MD_CTX_destroy(mycontext->hmac.ossl_context); +- +- free(mycontext); ++ iesys_cryptossl_context_free(mycontext); + *context = NULL; + } + } +@@ -529,9 +584,14 @@ iesys_cryptossl_hmac_abort(IESYS_CRYPTO_CONTEXT_BLOB ** context) + TSS2_RC + iesys_cryptossl_random2b(TPM2B_NONCE * nonce, size_t num_bytes) + { ++ int rc; + #if OPENSSL_VERSION_NUMBER < 0x30000000L + const RAND_METHOD 
*rand_save = RAND_get_rand_method(); + RAND_set_rand_method(RAND_OpenSSL()); ++#else ++ OSSL_LIB_CTX *libctx = OSSL_LIB_CTX_new(); ++ if (!libctx) ++ return TSS2_ESYS_RC_MEMORY; + #endif + + if (num_bytes == 0) { +@@ -540,16 +600,16 @@ iesys_cryptossl_random2b(TPM2B_NONCE * nonce, size_t num_bytes) + nonce->size = num_bytes; + } + +- if (1 != RAND_bytes(&nonce->buffer[0], nonce->size)) { + #if OPENSSL_VERSION_NUMBER < 0x30000000L +- RAND_set_rand_method(rand_save); ++ rc = RAND_bytes(&nonce->buffer[0], nonce->size); ++ RAND_set_rand_method(rand_save); ++#else ++ rc = RAND_bytes_ex(libctx, &nonce->buffer[0], nonce->size, 0); ++ OSSL_LIB_CTX_free(libctx); + #endif ++ if (rc != 1) + return_error(TSS2_ESYS_RC_GENERAL_FAILURE, + "Failure in random number generator."); +- } +-#if OPENSSL_VERSION_NUMBER < 0x30000000L +- RAND_set_rand_method(rand_save); +-#endif + return TSS2_RC_SUCCESS; + } + +@@ -578,28 +638,37 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key, + { + #if OPENSSL_VERSION_NUMBER < 0x30000000L + RSA *rsa_key = NULL; ++ const EVP_MD * hashAlg = NULL; + const RAND_METHOD *rand_save = RAND_get_rand_method(); + + RAND_set_rand_method(RAND_OpenSSL()); + #else ++ OSSL_LIB_CTX *libctx = NULL; ++ EVP_MD * hashAlg = NULL; + OSSL_PARAM *params = NULL; + OSSL_PARAM_BLD *build = NULL; + #endif + + TSS2_RC r = TSS2_RC_SUCCESS; +- const EVP_MD * hashAlg = NULL; + EVP_PKEY *evp_rsa_key = NULL; + EVP_PKEY_CTX *genctx = NULL, *ctx = NULL; + BIGNUM *bne = NULL, *n = NULL; + int padding; + char *label_copy = NULL; + +- if (!(hashAlg = get_ossl_hash_md(pub_tpm_key->publicArea.nameAlg))) { +- LOG_ERROR("Unsupported hash algorithm (%"PRIu16")", +- pub_tpm_key->publicArea.nameAlg); + #if OPENSSL_VERSION_NUMBER < 0x30000000L ++ if (!(hashAlg = get_ossl_hash_md(pub_tpm_key->publicArea.nameAlg))) { + RAND_set_rand_method(rand_save); ++#else ++ if (!(libctx = OSSL_LIB_CTX_new())) ++ return TSS2_ESYS_RC_MEMORY; ++ ++ if (!(hashAlg = EVP_MD_fetch(libctx, ++ 
get_ossl_hash_md(pub_tpm_key->publicArea.nameAlg), NULL))) { ++ OSSL_LIB_CTX_free(libctx); + #endif ++ LOG_ERROR("Unsupported hash algorithm (%"PRIu16")", ++ pub_tpm_key->publicArea.nameAlg); + return TSS2_ESYS_RC_NOT_IMPLEMENTED; + } + +@@ -673,7 +742,7 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key, + cleanup); + } + +- if ((genctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL)) == NULL ++ if ((genctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA", NULL)) == NULL + || EVP_PKEY_fromdata_init(genctx) <= 0 + || EVP_PKEY_fromdata(genctx, &evp_rsa_key, EVP_PKEY_PUBLIC_KEY, params) <= 0) { + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Could not create rsa key.", +@@ -744,6 +813,8 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key, + #else + OSSL_FREE(params, OSSL_PARAM); + OSSL_FREE(build, OSSL_PARAM_BLD); ++ OSSL_FREE(hashAlg, EVP_MD); ++ OSSL_FREE(libctx, OSSL_LIB_CTX); + #endif + return r; + } +diff --git a/src/tss2-fapi/fapi_crypto.c b/src/tss2-fapi/fapi_crypto.c +index 9c7e566c..d061cf48 100644 +--- a/src/tss2-fapi/fapi_crypto.c ++++ b/src/tss2-fapi/fapi_crypto.c +@@ -48,14 +48,34 @@ + + /** Context to hold temporary values for ifapi_crypto */ + typedef struct _IFAPI_CRYPTO_CONTEXT { +- /** The hash engine's context */ +- EVP_MD_CTX *osslContext; ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + /** The currently used hash algorithm */ + const EVP_MD *osslHashAlgorithm; ++#else ++ OSSL_LIB_CTX *libctx; ++ /** The currently used hash algorithm */ ++ EVP_MD *osslHashAlgorithm; ++#endif ++ /** The hash engine's context */ ++ EVP_MD_CTX *osslContext; + /** The size of the hash's digest */ + size_t hashSize; + } IFAPI_CRYPTO_CONTEXT; + ++static void ++ifapi_crypto_context_free(IFAPI_CRYPTO_CONTEXT *ctx) ++{ ++ if (!ctx) ++ return; ++ ++ EVP_MD_CTX_destroy(ctx->osslContext); ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++ EVP_MD_free(ctx->osslHashAlgorithm); ++ OSSL_LIB_CTX_free(ctx->libctx); ++#endif ++ SAFE_FREE(ctx); ++} ++ + /** + * Returns the signature 
scheme that is currently used in the FAPI context. + * +@@ -225,6 +245,33 @@ ifapi_bn2binpad(const BIGNUM *bn, unsigned char *bin, int binSize) + return 1; + } + ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++/** ++ * Converts a TSS hash algorithm identifier into an OpenSSL hash algorithm ++ * identifier object. ++ * ++ * @param[in] hashAlgorithm The TSS hash algorithm identifier to convert ++ * ++ * @retval A suitable OpenSSL identifier object if one could be found ++ * @retval NULL if no suitable identifier object could be found ++ */ ++static const EVP_MD * ++get_ossl_hash_md(TPM2_ALG_ID hashAlgorithm) ++{ ++ switch (hashAlgorithm) { ++ case TPM2_ALG_SHA1: ++ return EVP_sha1(); ++ case TPM2_ALG_SHA256: ++ return EVP_sha256(); ++ case TPM2_ALG_SHA384: ++ return EVP_sha384(); ++ case TPM2_ALG_SHA512: ++ return EVP_sha512(); ++ default: ++ return NULL; ++ } ++} ++#else + /** + * Returns a suitable openSSL hash algorithm identifier for a given TSS hash + * algorithm identifier. +@@ -235,22 +282,23 @@ ifapi_bn2binpad(const BIGNUM *bn, unsigned char *bin, int binSize) + * hashAlgorithm could be found + * @retval NULL if no suitable hash algorithm identifier could be found + */ +-static const EVP_MD * ++static const char * + get_hash_md(TPM2_ALG_ID hashAlgorithm) + { + switch (hashAlgorithm) { + case TPM2_ALG_SHA1: +- return EVP_sha1(); ++ return "SHA1"; + case TPM2_ALG_SHA256: +- return EVP_sha256(); ++ return "SHA256"; + case TPM2_ALG_SHA384: +- return EVP_sha384(); ++ return "SHA384"; + case TPM2_ALG_SHA512: +- return EVP_sha512(); ++ return "SHA512"; + default: + return NULL; + } + } ++#endif + + /** + * Returns a suitable openSSL RSA signature scheme identifiver for a given TSS +@@ -1274,6 +1322,9 @@ ifapi_verify_signature_quote( + BIO *bufio = NULL; + EVP_PKEY_CTX *pctx = NULL; + EVP_MD_CTX *mdctx = NULL; ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++ OSSL_LIB_CTX *libctx = NULL; ++#endif + + /* Check whether or not the key is valid */ + if (keyObject->objectType 
== IFAPI_KEY_OBJ) { +@@ -1304,8 +1355,8 @@ ifapi_verify_signature_quote( + goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "EVP_MD_CTX_create", + error_cleanup); + } +- +- const EVP_MD *hashAlgorithm = get_hash_md(signatureScheme->details.any.hashAlg); ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++ const EVP_MD *hashAlgorithm = get_ossl_hash_md(signatureScheme->details.any.hashAlg); + if (!hashAlgorithm) { + goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Invalid hash alg.", + error_cleanup); +@@ -1316,6 +1367,26 @@ ifapi_verify_signature_quote( + goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "EVP_DigestVerifyInit", + error_cleanup); + } ++#else ++ const char *hashAlgorithm = get_hash_md(signatureScheme->details.any.hashAlg); ++ if (!hashAlgorithm) { ++ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Invalid hash alg.", ++ error_cleanup); ++ } ++ ++ /* The TPM2 provider may be loaded in the global library context. ++ * As we don't want the TPM to be called for these operations, we have ++ * to initialize own library context with the default provider. 
*/ ++ libctx = OSSL_LIB_CTX_new(); ++ goto_if_null(libctx, "Out of memory", TSS2_FAPI_RC_MEMORY, error_cleanup); ++ ++ /* Verify the digest of the signature */ ++ if (1 != EVP_DigestVerifyInit_ex(mdctx, &pctx, hashAlgorithm, libctx, ++ NULL, publicKey, NULL)) { ++ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "EVP_DigestVerifyInit_ex", ++ error_cleanup); ++ } ++#endif + goto_if_null(pctx, "Out of memory", TSS2_FAPI_RC_MEMORY, error_cleanup); + if (EVP_PKEY_type(EVP_PKEY_id(publicKey)) == EVP_PKEY_RSA) { + int padding = get_sig_scheme(signatureScheme->scheme); +@@ -1339,12 +1410,13 @@ ifapi_verify_signature_quote( + } + + error_cleanup: +- if (mdctx != NULL) { +- EVP_MD_CTX_destroy(mdctx); +- } ++ EVP_MD_CTX_destroy(mdctx); + SAFE_FREE(public_pem_key); + EVP_PKEY_free(publicKey); + BIO_free(bufio); ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++ OSSL_LIB_CTX_free(libctx); ++#endif + return r; + } + +@@ -1464,36 +1536,6 @@ ifapi_hash_get_digest_size(TPM2_ALG_ID hashAlgorithm) + } + } + +-/** +- * Converts a TSS hash algorithm identifier into an OpenSSL hash algorithm +- * identifier object. +- * +- * @param[in] hashAlgorithm The TSS hash algorithm identifier to convert +- * +- * @retval A suitable OpenSSL identifier object if one could be found +- * @retval NULL if no suitable identifier object could be found +- */ +-static const EVP_MD * +-get_ossl_hash_md(TPM2_ALG_ID hashAlgorithm) +-{ +- switch (hashAlgorithm) { +- case TPM2_ALG_SHA1: +- return EVP_sha1(); +- break; +- case TPM2_ALG_SHA256: +- return EVP_sha256(); +- break; +- case TPM2_ALG_SHA384: +- return EVP_sha384(); +- break; +- case TPM2_ALG_SHA512: +- return EVP_sha512(); +- break; +- default: +- return NULL; +- } +-} +- + /** + * Starts the computation of a hash digest. 
+ * +@@ -1520,11 +1562,26 @@ ifapi_crypto_hash_start(IFAPI_CRYPTO_CONTEXT_BLOB **context, + mycontext = calloc(1, sizeof(IFAPI_CRYPTO_CONTEXT)); + return_if_null(mycontext, "Out of memory", TSS2_FAPI_RC_MEMORY); + ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + if (!(mycontext->osslHashAlgorithm = get_ossl_hash_md(hashAlgorithm))) { + goto_error(r, TSS2_FAPI_RC_BAD_VALUE, + "Unsupported hash algorithm (%" PRIu16 ")", cleanup, + hashAlgorithm); + } ++#else ++ /* The TPM2 provider may be loaded in the global library context. ++ * As we don't want the TPM to be called for these operations, we have ++ * to initialize own library context with the default provider. */ ++ mycontext->libctx = OSSL_LIB_CTX_new(); ++ return_if_null(mycontext->libctx, "Out of memory", TSS2_FAPI_RC_MEMORY); ++ ++ if (!(mycontext->osslHashAlgorithm = ++ EVP_MD_fetch(mycontext->libctx, get_hash_md(hashAlgorithm), NULL))) { ++ goto_error(r, TSS2_FAPI_RC_BAD_VALUE, ++ "Unsupported hash algorithm (%" PRIu16 ")", cleanup, ++ hashAlgorithm); ++ } ++#endif + + if (!(mycontext->hashSize = ifapi_hash_get_digest_size(hashAlgorithm))) { + goto_error(r, TSS2_FAPI_RC_BAD_VALUE, +@@ -1548,10 +1605,7 @@ ifapi_crypto_hash_start(IFAPI_CRYPTO_CONTEXT_BLOB **context, + return TSS2_RC_SUCCESS; + + cleanup: +- if (mycontext->osslContext) +- EVP_MD_CTX_destroy(mycontext->osslContext); +- SAFE_FREE(mycontext); +- ++ ifapi_crypto_context_free(mycontext); + return r; + } + +@@ -1630,8 +1684,7 @@ ifapi_crypto_hash_finish(IFAPI_CRYPTO_CONTEXT_BLOB **context, + } + + /* Finalize the hash context */ +- EVP_MD_CTX_destroy(mycontext->osslContext); +- free(mycontext); ++ ifapi_crypto_context_free(mycontext); + *context = NULL; + + return TSS2_RC_SUCCESS; +@@ -1653,8 +1706,7 @@ ifapi_crypto_hash_abort(IFAPI_CRYPTO_CONTEXT_BLOB **context) + } + IFAPI_CRYPTO_CONTEXT *mycontext = (IFAPI_CRYPTO_CONTEXT *) * context; + +- EVP_MD_CTX_destroy(mycontext->osslContext); +- free(mycontext); ++ ifapi_crypto_context_free(mycontext); + 
*context = NULL; + } + +-- +2.34.3 + diff --git a/SOURCES/0006-FAPI-Add-policy-computation-for-create-primary.patch b/SOURCES/0006-FAPI-Add-policy-computation-for-create-primary.patch new file mode 100644 index 0000000..421614c --- /dev/null +++ b/SOURCES/0006-FAPI-Add-policy-computation-for-create-primary.patch 
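Review bot: In the OpenSSL 3.0 branch added to `ifapi_crypto_hash_start` (src/tss2-fapi/fapi_crypto.c), a failed `OSSL_LIB_CTX_new()` leaves through `return_if_null`, which skips the `cleanup` label and leaks the `mycontext` just allocated with `calloc`. Using `goto_if_null(mycontext->libctx, "Out of memory", TSS2_FAPI_RC_MEMORY, cleanup);` would route the failure through `ifapi_crypto_context_free`. The same function, and `iesys_cryptossl_pk_encrypt` in esys_crypto_ossl.c, pass the name lookup result straight into `EVP_MD_fetch`, so an unsupported algorithm arrives there as a NULL name. `iesys_cryptossl_context_set_hash_md` checks `alg_name` first, and the other two call sites should do the same rather than depend on how `EVP_MD_fetch` treats NULL. Both functions begin or end outside the lines shown in the inner hunks.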
@@ -0,0 +1,70 @@ +From 5ecd682797d2744d4a03c82ee5907db6766bcff1 Mon Sep 17 00:00:00 2001 +From: Juergen Repp +Date: Tue, 12 Oct 2021 11:19:41 +0200 +Subject: [PATCH 06/23] FAPI: Add policy computation for create primary. + +The policy digest for primary keys was only computed for keys created during provisioning. +Now the policy digest is also computed for primary keys create with Fapi_CreateKey. +Fixes #2175. + +Signed-off-by: Juergen Repp +--- + src/tss2-fapi/fapi_int.h | 1 + + src/tss2-fapi/fapi_util.c | 29 +++++++++++++++++++++++++++++ + 2 files changed, 30 insertions(+) + +diff --git a/src/tss2-fapi/fapi_int.h b/src/tss2-fapi/fapi_int.h +index 13c0333e..d13ec413 100644 +--- a/src/tss2-fapi/fapi_int.h ++++ b/src/tss2-fapi/fapi_int.h +@@ -341,6 +341,7 @@ enum IFAPI_KEY_CREATE_STATE { + KEY_CREATE_FLUSH1, + KEY_CREATE_FLUSH2, + KEY_CREATE_CALCULATE_POLICY, ++ KEY_CREATE_PRIMARY_CALCULATE_POLICY, + KEY_CREATE_WAIT_FOR_AUTHORIZATION, + KEY_CREATE_CLEANUP, + KEY_CREATE_WAIT_FOR_RANDOM, +diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c +index a5fc28a3..a0fd714e 100644 +--- a/src/tss2-fapi/fapi_util.c ++++ b/src/tss2-fapi/fapi_util.c +@@ -4539,6 +4539,35 @@ ifapi_create_primary( + "hierarchy.", error_cleanup); + } + ++ if (context->cmd.Key_Create.policyPath ++ && strcmp(context->cmd.Key_Create.policyPath, "") != 0) ++ context->cmd.Key_Create.state = KEY_CREATE_PRIMARY_CALCULATE_POLICY; ++ /* else jump over to KEY_CREATE_PRIMARY_WAIT_FOR_SESSION below */ ++ /* FALLTHRU */ ++ case KEY_CREATE_PRIMARY_CALCULATE_POLICY: ++ if (context->cmd.Key_Create.state == KEY_CREATE_PRIMARY_CALCULATE_POLICY) { ++ r = ifapi_calculate_tree(context, context->cmd.Key_Create.policyPath, ++ &context->policy.policy, ++ context->cmd.Key_Create.public_templ.public.publicArea.nameAlg, ++ &context->policy.digest_idx, ++ &context->policy.hash_size); ++ return_try_again(r); ++ goto_if_error2(r, "Calculate policy tree %s", error_cleanup, ++ context->cmd.Key_Create.policyPath); ++ 
++ /* Store the calculated policy in the key object */ ++ object->policy = calloc(1, sizeof(TPMS_POLICY)); ++ return_if_null(object->policy, "Out of memory", ++ TSS2_FAPI_RC_MEMORY); ++ *(object->policy) = context->policy.policy; ++ ++ context->cmd.Key_Create.public_templ.public.publicArea.authPolicy.size = ++ context->policy.hash_size; ++ memcpy(&context->cmd.Key_Create.public_templ.public.publicArea.authPolicy.buffer[0], ++ &context->policy.policy.policyDigests.digests[context->policy.digest_idx].digest, ++ context->policy.hash_size); ++ } ++ + r = ifapi_get_sessions_async(context, + IFAPI_SESSION_GENEK | IFAPI_SESSION1, + TPMA_SESSION_ENCRYPT | TPMA_SESSION_DECRYPT, 0); +-- +2.34.3 + diff --git a/SOURCES/0006-FAPI-Test-Use-EVP_PKEY_base_id-to-detect-key-type.patch b/SOURCES/0006-FAPI-Test-Use-EVP_PKEY_base_id-to-detect-key-type.patch new file mode 100644 index 0000000..9d51715 --- /dev/null +++ b/SOURCES/0006-FAPI-Test-Use-EVP_PKEY_base_id-to-detect-key-type.patch 
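Review bot: In the new `KEY_CREATE_PRIMARY_CALCULATE_POLICY` case of `ifapi_create_primary`, a failed `calloc` for `object->policy` leaves through `return_if_null`, while the other failure in the added lines jumps to `error_cleanup`. Using `goto_if_null(object->policy, "Out of memory", TSS2_FAPI_RC_MEMORY, error_cleanup);` keeps the cleanup path consistent. The `memcpy` into `authPolicy.buffer` uses `context->policy.hash_size` with no visible bound, so an explicit check against `sizeof` of that buffer before the copy would document and enforce the limit. `*(object->policy) = context->policy.policy;` is a plain struct copy; if `TPMS_POLICY` holds pointers (the type is not visible here), a comment should say which side owns them afterwards. The function body starts and ends outside the hunk.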
@@ -0,0 +1,47 @@ +From 6e9c46f8c3bf91aac51b668fa78c3173c885760c Mon Sep 17 00:00:00 2001 +From: Petr Gotthard +Date: Sat, 17 Jul 2021 21:29:25 +0200 +Subject: FAPI Test: Use EVP_PKEY_base_id to detect key type +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The EVP_PKEY_base_id is the right way to detect key type, used also +by OpenSSL itself. +This function is available since OpenSSL 1.0.0. + +Signed-off-by: Petr Gotthard +--- + test/integration/fapi-data-crypt.int.c | 2 +- + test/integration/fapi-key-create-policy-signed.int.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/test/integration/fapi-data-crypt.int.c b/test/integration/fapi-data-crypt.int.c +index d42466db..a95cc9ef 100644 +--- a/test/integration/fapi-data-crypt.int.c ++++ b/test/integration/fapi-data-crypt.int.c +@@ -133,7 +133,7 @@ signatureCallback( + goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.", + error_cleanup); + } +- if (EVP_PKEY_type(EVP_PKEY_id(priv_key)) == EVP_PKEY_RSA) { ++ if (EVP_PKEY_base_id(priv_key) == EVP_PKEY_RSA) { + int signing_scheme = RSA_SIG_SCHEME; + if (1 != EVP_PKEY_CTX_set_rsa_padding(pctx, signing_scheme)) { + goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL set RSA padding.", +diff --git a/test/integration/fapi-key-create-policy-signed.int.c b/test/integration/fapi-key-create-policy-signed.int.c +index b903dec0..8f917d35 100644 +--- a/test/integration/fapi-key-create-policy-signed.int.c ++++ b/test/integration/fapi-key-create-policy-signed.int.c +@@ -148,7 +148,7 @@ signatureCallback( + goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.", + error_cleanup); + } +- if (EVP_PKEY_type(EVP_PKEY_id(priv_key)) == EVP_PKEY_RSA) { ++ if (EVP_PKEY_base_id(priv_key) == EVP_PKEY_RSA) { + int signing_scheme = RSA_SIG_SCHEME; + if (1 != EVP_PKEY_CTX_set_rsa_padding(pctx, signing_scheme)) { + goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL set RSA padding.", +-- +2.26.3 + 
diff --git a/SOURCES/0007-FAPI-Fix-loading-of-primary-keys.patch b/SOURCES/0007-FAPI-Fix-loading-of-primary-keys.patch new file mode 100644 index 0000000..3131fd8 --- /dev/null +++ b/SOURCES/0007-FAPI-Fix-loading-of-primary-keys.patch 
@@ -0,0 +1,137 @@ +From 517e94ee72b286e9942a5a6ecbffd05fc0b0bcf5 Mon Sep 17 00:00:00 2001 +From: Juergen Repp +Date: Fri, 5 Nov 2021 23:08:47 +0100 +Subject: [PATCH 07/23] FAPI: Fix loading of primary keys. + +Problems caused by primary keys created with Fapi_CreateKey are fixed: + +* For primary keys not in all cases the unique field was cleared before calling create + primary. +* If the primary key was used for signing the object was cleared after loading. So + access e.g. to the certificate did not work. +* For primary keys created with Fapi_Create with an auth value the auth_value was + not used in inSensitive to recreate the primary key. Now the auth value callback + is used to initialize inSensitive. + +Fixes #2189. + +Signed-off-by: Juergen Repp +--- + src/tss2-fapi/fapi_int.h | 1 + + src/tss2-fapi/fapi_util.c | 62 +++++++++++++++++++++++++++++++++++++-- + 2 files changed, 60 insertions(+), 3 deletions(-) + +diff --git a/src/tss2-fapi/fapi_int.h b/src/tss2-fapi/fapi_int.h +index d13ec413..7bcf442c 100644 +--- a/src/tss2-fapi/fapi_int.h ++++ b/src/tss2-fapi/fapi_int.h +@@ -768,6 +768,7 @@ enum _FAPI_STATE_PRIMARY { + PRIMARY_READ_HIERARCHY, + PRIMARY_READ_HIERARCHY_FINISH, + PRIMARY_AUTHORIZE_HIERARCHY, ++ PRIMARY_GET_AUTH_VALUE, + PRIMARY_WAIT_FOR_PRIMARY, + PRIMARY_HAUTH_SENT, + PRIMARY_CREATED, +diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c +index a0fd714e..90f8b2aa 100644 +--- a/src/tss2-fapi/fapi_util.c ++++ b/src/tss2-fapi/fapi_util.c +@@ -362,6 +362,52 @@ ifapi_get_object_path(IFAPI_OBJECT *object) + return NULL; + } + ++/** Set authorization value for a primary key to be created. ++ * ++ * The callback which provides the auth value must be defined. ++ * ++ * @param[in,out] context The FAPI_CONTEXT. ++ * @param[in] object The auth value will be assigned to this object. ++ * @param[in,out] inSensitive The sensitive data to store the auth value. ++ * ++ * @retval TSS2_RC_SUCCESS on success. 
++ * @retval TSS2_FAPI_RC_AUTHORIZATION_UNKNOWN If the callback for getting ++ * the auth value is not defined. ++ */ ++TSS2_RC ++ifapi_set_auth_primary( ++ FAPI_CONTEXT *context, ++ IFAPI_OBJECT *object, ++ TPMS_SENSITIVE_CREATE *inSensitive) ++{ ++ TSS2_RC r; ++ const char *auth = NULL; ++ const char *obj_path; ++ ++ memset(inSensitive, 0, sizeof(TPMS_SENSITIVE_CREATE)); ++ ++ if (!object->misc.key.with_auth) { ++ return TSS2_RC_SUCCESS; ++ } ++ ++ obj_path = ifapi_get_object_path(object); ++ ++ /* Check whether callback is defined. */ ++ if (context->callbacks.auth) { ++ r = context->callbacks.auth(obj_path, object->misc.key.description, ++ &auth, context->callbacks.authData); ++ return_if_error(r, "AuthCallback"); ++ if (auth != NULL) { ++ inSensitive->userAuth.size = strlen(auth); ++ memcpy(&inSensitive->userAuth.buffer[0], auth, ++ inSensitive->userAuth.size); ++ } ++ return TSS2_RC_SUCCESS; ++ } ++ SAFE_FREE(auth); ++ return_error( TSS2_FAPI_RC_AUTHORIZATION_UNKNOWN, "Authorization callback not defined."); ++} ++ + /** Set authorization value for a FAPI object. + * + * The callback which provides the auth value must be defined. 
+@@ -848,7 +894,7 @@ ifapi_load_primary_finish(FAPI_CONTEXT *context, ESYS_TR *handle) + IFAPI_KEY *pkey = &context->createPrimary.pkey_object.misc.key; + TPMS_CAPABILITY_DATA **capabilityData = &context->createPrimary.capabilityData; + TPMI_YES_NO moreData; +- ESYS_TR auth_session; ++ ESYS_TR auth_session = ESYS_TR_NONE; /* Initialized due to scanbuild */ + + LOG_TRACE("call"); + +@@ -923,12 +969,23 @@ ifapi_load_primary_finish(FAPI_CONTEXT *context, ESYS_TR *handle) + memset(&context->createPrimary.inSensitive, 0, sizeof(TPM2B_SENSITIVE_CREATE)); + memset(&context->createPrimary.outsideInfo, 0, sizeof(TPM2B_DATA)); + memset(&context->createPrimary.creationPCR, 0, sizeof(TPML_PCR_SELECTION)); ++ fallthrough; ++ ++ statecase(context->primary_state, PRIMARY_GET_AUTH_VALUE); ++ /* Get the auth value to be stored in inSensitive */ ++ r = ifapi_set_auth_primary(context, pkey_object, ++ &context->createPrimary.inSensitive.sensitive); ++ return_try_again(r); ++ goto_if_error_reset_state(r, "Get auth value for primary", error_cleanup); + + /* Prepare primary creation. */ ++ TPM2B_PUBLIC public = pkey->public; ++ memset(&public.publicArea.unique, 0, sizeof(TPMU_PUBLIC_ID)); ++ + r = Esys_CreatePrimary_Async(context->esys, hierarchy->handle, + auth_session, ESYS_TR_NONE, ESYS_TR_NONE, + &context->createPrimary.inSensitive, +- &pkey->public, ++ &public, + &context->createPrimary.outsideInfo, + &context->createPrimary.creationPCR); + return_if_error(r, "CreatePrimary"); +@@ -1905,7 +1962,6 @@ ifapi_load_key_finish(FAPI_CONTEXT *context, bool flush_parent) + } else { + LOG_TRACE("success"); + ifapi_cleanup_ifapi_object(context->loadKey.key_object); +- ifapi_cleanup_ifapi_object(&context->loadKey.auth_object); + return TSS2_RC_SUCCESS; + } + break; +-- +2.34.3 + diff --git a/SOURCES/0007-FAPI-Test-Change-RSA_sign-to-EVP_PKEY_sign.patch b/SOURCES/0007-FAPI-Test-Change-RSA_sign-to-EVP_PKEY_sign.patch new file mode 100644 index 0000000..350fdc7 --- /dev/null 
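Review bot: `ifapi_set_auth_primary` copies the string returned by the auth callback into `inSensitive->userAuth.buffer` with `strlen(auth)` as the length and no upper bound, so an auth value longer than the buffer is written past the end of the field. The length is presumably also narrowed when stored in `userAuth.size`. Check before copying, `size_t len = strlen(auth); if (len > sizeof(inSensitive->userAuth.buffer)) return_error(TSS2_FAPI_RC_BAD_VALUE, "Auth value too long.");`, and then use `len` for both the size and the `memcpy`. The `SAFE_FREE(auth)` after the `if` is only reached when no callback is defined, where `auth` is still NULL, and it takes a `const char *`, so it can be dropped.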
+++ b/SOURCES/0007-FAPI-Test-Change-RSA_sign-to-EVP_PKEY_sign.patch 
@@ -0,0 +1,100 @@ +From 9ca735ab8f71a6b64f31867e55d43f3f5a51bfec Mon Sep 17 00:00:00 2001 +From: Petr Gotthard +Date: Sun, 18 Jul 2021 11:54:50 +0200 +Subject: FAPI Test: Change RSA_sign to EVP_PKEY_sign +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The EVP_PKEY_sign functions are available since OpenSSL 1.0.0. +The RSA_sign function is deprecated in OpenSSL 3.0.0. + +This PR should work with OpenSSL 1.0.0 through 3.0.0. + +Signed-off-by: Petr Gotthard +--- + test/integration/fapi-ext-public-key.int.c | 38 +++++++++++----------- + 1 file changed, 19 insertions(+), 19 deletions(-) + +diff --git a/test/integration/fapi-ext-public-key.int.c b/test/integration/fapi-ext-public-key.int.c +index 363c58b7..971d7897 100644 +--- a/test/integration/fapi-ext-public-key.int.c ++++ b/test/integration/fapi-ext-public-key.int.c +@@ -49,7 +49,7 @@ test_fapi_ext_public_key(FAPI_CONTEXT *context) + BIO *bufio = NULL; + + EVP_PKEY *evp_key = NULL; +- RSA *rsa_key = NULL; ++ EVP_PKEY_CTX *ctx = NULL; + + /* Key will be used for non TPM signature verfication. 
*/ + char *pubkey_pem = +@@ -186,10 +186,8 @@ test_fapi_ext_public_key(FAPI_CONTEXT *context) + + bufio = BIO_new_mem_buf((void *)priv_pem, strlen(priv_pem)); + evp_key = PEM_read_bio_PrivateKey(bufio, NULL, NULL, NULL); +- rsa_key = EVP_PKEY_get1_RSA(evp_key); + +- +- if (!bufio || !evp_key || !rsa_key) { ++ if (!bufio || !evp_key) { + LOG_ERROR("Generation of test key failed."); + goto error; + } +@@ -199,10 +197,20 @@ test_fapi_ext_public_key(FAPI_CONTEXT *context) + 0x25, 0x71, 0x78, 0x50, 0xc2, 0x6c, 0x9c, 0xd0, 0xd8, 0x9d + }; + uint8_t signature[256]; +- unsigned int signatureLength = 256; ++ size_t signatureLength = 256; + +- if (!RSA_sign(NID_sha1, digest, 20, signature, &signatureLength, rsa_key)) { +- LOG_ERROR("Test RSA_sign failed."); ++ if ((ctx = EVP_PKEY_CTX_new(evp_key, NULL)) == NULL) { ++ LOG_ERROR("Test EVP_PKEY_CTX_new failed."); ++ goto error; ++ } ++ if (EVP_PKEY_sign_init(ctx) <= 0 ++ || EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0 ++ || EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha1()) <= 0) { ++ LOG_ERROR("Test EVP_PKEY_sign_init failed."); ++ goto error; ++ } ++ if (EVP_PKEY_sign(ctx, signature, &signatureLength, digest, 20) <= 0) { ++ LOG_ERROR("Test EVP_PKEY_sign failed."); + goto error; + } + +@@ -243,12 +251,8 @@ test_fapi_ext_public_key(FAPI_CONTEXT *context) + if (bufio) { + BIO_free(bufio); + } +- if (evp_key) { +- EVP_PKEY_free(evp_key); +- } +- if (rsa_key) { +- RSA_free(rsa_key); +- } ++ EVP_PKEY_CTX_free(ctx); ++ EVP_PKEY_free(evp_key); + SAFE_FREE(path_list); + SAFE_FREE(cert2); + return EXIT_SUCCESS; +@@ -258,12 +262,8 @@ error: + if (bufio) { + BIO_free(bufio); + } +- if (evp_key) { +- EVP_PKEY_free(evp_key); +- } +- if (rsa_key) { +- RSA_free(rsa_key); +- } ++ EVP_PKEY_CTX_free(ctx); ++ EVP_PKEY_free(evp_key); + SAFE_FREE(path_list); + SAFE_FREE(cert2); + return EXIT_FAILURE; +-- +2.26.3 + 
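Review bot: In test_fapi_ext_public_key the signing call repeats the buffer and digest sizes as literals (`size_t signatureLength = 256;` and the `20` passed to EVP_PKEY_sign), so the length EVP_PKEY_sign treats as the buffer capacity stays correct only while nobody resizes `signature`. I would write `size_t signatureLength = sizeof(signature);`, and pass `sizeof(digest)` if `digest` is declared as an array (its declaration starts outside the hunk). The three setup calls also share one message, "Test EVP_PKEY_sign_init failed.", which hides whether the padding or the digest selection was rejected. The function body starts and ends outside these hunks.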
diff --git a/SOURCES/0008-Fix-file-descriptor-leak-when-tcti-initialization-fa.patch b/SOURCES/0008-Fix-file-descriptor-leak-when-tcti-initialization-fa.patch new file mode 100644 index 0000000..bc54a23 --- /dev/null +++ b/SOURCES/0008-Fix-file-descriptor-leak-when-tcti-initialization-fa.patch 
@@ -0,0 +1,84 @@ +From 68a7867198c84111bac3068c33d28e320df6a6f6 Mon Sep 17 00:00:00 2001 +From: JerryDevis +Date: Wed, 13 Oct 2021 11:26:03 +0800 +Subject: [PATCH 08/23] Fix file descriptor leak when tcti initialization + failed + +Signed-off-by: JerryDevis +--- + src/tss2-tcti/tcti-device.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/src/tss2-tcti/tcti-device.c b/src/tss2-tcti/tcti-device.c +index 94db070c..364297be 100644 +--- a/src/tss2-tcti/tcti-device.c ++++ b/src/tss2-tcti/tcti-device.c +@@ -309,6 +309,16 @@ out: + return rc; + } + ++static void close_tpm(int *fd) ++{ ++ if (fd == NULL || *fd < 0) { ++ return; ++ } ++ ++ close(*fd); ++ *fd = -1; ++} ++ + void + tcti_device_finalize ( + TSS2_TCTI_CONTEXT *tctiContext) +@@ -319,7 +329,7 @@ tcti_device_finalize ( + if (tcti_dev == NULL) { + return; + } +- close (tcti_dev->fd); ++ close_tpm (&tcti_dev->fd); + tcti_common->state = TCTI_STATE_FINAL; + } + +@@ -455,6 +465,7 @@ Tss2_Tcti_Device_Init ( + ssize_t sz = write_all (tcti_dev->fd, cmd, sizeof(cmd)); + if (sz < 0 || sz != sizeof(cmd)) { + LOG_ERROR ("Could not probe device for partial response read support"); ++ close_tpm (&tcti_dev->fd); + return TSS2_TCTI_RC_IO_ERROR; + } + LOG_DEBUG ("Command sent, reading header"); +@@ -465,12 +476,14 @@ Tss2_Tcti_Device_Init ( + if (rc_poll < 0 || rc_poll == 0) { + LOG_ERROR ("Failed to poll for response from fd %d, rc %d, errno %d: %s", + tcti_dev->fd, rc_poll, errno, strerror(errno)); ++ close_tpm (&tcti_dev->fd); + return TSS2_TCTI_RC_IO_ERROR; + } else if (fds.revents == POLLIN) { + TEMP_RETRY (sz, read (tcti_dev->fd, rsp, TPM_HEADER_SIZE)); + if (sz < 0 || sz != TPM_HEADER_SIZE) { + LOG_ERROR ("Failed to read response header fd %d, got errno %d: %s", + tcti_dev->fd, errno, strerror (errno)); ++ close_tpm (&tcti_dev->fd); + return TSS2_TCTI_RC_IO_ERROR; + } + } +@@ -482,6 +495,7 @@ Tss2_Tcti_Device_Init ( + if (rc_poll < 0) { + LOG_DEBUG ("Failed to poll for response 
from fd %d, rc %d, errno %d: %s", + tcti_dev->fd, rc_poll, errno, strerror(errno)); ++ close_tpm (&tcti_dev->fd); + return TSS2_TCTI_RC_IO_ERROR; + } else if (rc_poll == 0) { + LOG_ERROR ("timeout waiting for response from fd %d", tcti_dev->fd); +@@ -495,7 +509,7 @@ Tss2_Tcti_Device_Init ( + LOG_DEBUG ("Failed to get response tail fd %d, got errno %d: %s", + tcti_dev->fd, errno, strerror (errno)); + tcti_common->partial_read_supported = 0; +- close(tcti_dev->fd); ++ close_tpm (&tcti_dev->fd); + tcti_dev->fd = open_tpm (used_conf); + if (tcti_dev->fd < 0) { + LOG_ERROR ("Failed to open specified TCTI device file %s: %s", +-- +2.34.3 + diff --git a/SOURCES/0008-Require-OpenSSL-1.1.0.patch b/SOURCES/0008-Require-OpenSSL-1.1.0.patch new file mode 100644 index 0000000..4742055 --- /dev/null +++ b/SOURCES/0008-Require-OpenSSL-1.1.0.patch 
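Review bot: The second poll's timeout branch (`else if (rc_poll == 0)`, logging "timeout waiting for response") is left as context without a `close_tpm (&tcti_dev->fd);`, while every other failure branch of Tss2_Tcti_Device_Init touched here gets one. The code after that LOG_ERROR is outside the hunk, so this is a leak only if the branch returns an error; if it does, the same one-line close belongs there. close_tpm would also benefit from a short comment such as `/* Close the device fd and mark it invalid so a later finalize does not close it again. */`, since tcti_device_finalize now relies on the -1 sentinel.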
@@ -0,0 +1,65 @@ +From 090a10a69340dc0825f611eceac60bf3f904a5ec Mon Sep 17 00:00:00 2001 +From: Petr Gotthard +Date: Sat, 17 Jul 2021 22:43:00 +0200 +Subject: Require OpenSSL >= 1.1.0 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +To reduce the amount of version-specific code we drop support for +OpenSSL prior 1.1.0, including all forks such as LibreSSL, which are +not API compatible with OpenSSL >= 1.1.0. + +Python 3.10 will even require OpenSSL >= 1.1.1. The corresponding +PEP 644 contains a detailed impact analysis which is also relevant +here. + +Signed-off-by: Petr Gotthard +--- + INSTALL.md | 3 +-- + configure.ac | 6 +++++- + 2 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/INSTALL.md b/INSTALL.md +index eec94c45..658e1f28 100644 +--- a/INSTALL.md ++++ b/INSTALL.md +@@ -14,7 +14,7 @@ following sections describe them for the supported platforms. + * C library development libraries and header files + * pkg-config + * doxygen +-* OpenSSL development libraries and header files ++* OpenSSL development libraries and header files, version >= 1.1.0 + * libcurl development libraries + + The following are dependencies only required when building test suites. +@@ -71,7 +71,6 @@ C Runtime (UCRT) version 10.0.16299.0. Building the type marshaling library + (tss2-mu.dll) and the system API (tss2-sapi.dll) should be as simple as + loading the tpm2-tss solution (tpm2-tss.sln) with a compatible and properly + configured version of Visual Studio 2017 and pressing the 'build' button. +-Windows build setup requires OpenSSL >= v1.0.2 crypto library. 
+ + ### References + Visual Studio 2017 with "Clang for Windows": https://blogs.msdn.microsoft.com/vcblog/2017/03/07/use-any-c-compiler-with-visual-studio/ +diff --git a/configure.ac b/configure.ac +index d4324c9a..12baa257 100755 +--- a/configure.ac ++++ b/configure.ac +@@ -132,9 +132,13 @@ AC_ARG_WITH([crypto], + AM_CONDITIONAL(ESYS_OSSL, test "x$with_crypto" = "xossl") + AM_CONDITIONAL(ESYS_MBED, test "x$with_crypto" = "xmbed") + ++m4_define([ossl_min_version], [1.1.0]) ++m4_define([ossl_err], [OpenSSL libcrypto is missing or version requirements not met. OpenSSL version must be >= ossl_min_version]) + AS_IF([test "x$enable_esys" = xyes], + [AS_IF([test "x$with_crypto" = xossl], [ +- PKG_CHECK_MODULES([LIBCRYPTO], [libcrypto]) ++ PKG_CHECK_MODULES([LIBCRYPTO], ++ [libcrypto >= ossl_min_version],, ++ [AC_MSG_ERROR([ossl_err])]) + AC_DEFINE([OSSL], [1], [OpenSSL cryptographic backend]) + TSS2_ESYS_CFLAGS_CRYPTO="$LIBCRYPTO_CFLAGS" + TSS2_ESYS_LDFLAGS_CRYPTO="$LIBCRYPTO_LIBS" +-- +2.26.3 + diff --git a/SOURCES/0009-FAPI-Change-SHA256_Update-to-EVP_DigestUpdate.patch b/SOURCES/0009-FAPI-Change-SHA256_Update-to-EVP_DigestUpdate.patch new file mode 100644 index 0000000..7aba1f6 --- /dev/null +++ b/SOURCES/0009-FAPI-Change-SHA256_Update-to-EVP_DigestUpdate.patch 
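Review bot: INSTALL.md drops the sentence "Windows build setup requires OpenSSL >= v1.0.2 crypto library." without a replacement, so the Windows section no longer states any OpenSSL minimum even though the new floor is 1.1.0. The Windows build described there loads the solution in Visual Studio rather than running configure, so the `libcrypto >= ossl_min_version` check added in configure.ac cannot enforce the floor on that path. I would keep the sentence and update it to `Windows build setup requires OpenSSL >= v1.1.0 crypto library.` The version check also sits only inside the `enable_esys` / `with_crypto = xossl` branch; whether other components that link libcrypto have their own check is not visible in this hunk.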
@@ -0,0 +1,124 @@ +From 75da8bd937e6bca14832240321a679634159f75b Mon Sep 17 00:00:00 2001 +From: Petr Gotthard +Date: Sun, 18 Jul 2021 13:12:56 +0200 +Subject: FAPI: Change SHA256_Update to EVP_DigestUpdate +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Although the EVP_DigestUpdate functions are available in all OpenSSL +versions and the EVP_DigestFinal_ex was added in OpenSSL 0.9.7, the +EVP_MD_CTX_new was introduced in OpenSSL 1.1.0. +The SHA256_Update function is deprecated in OpenSSL 3.0.0. + +This PR should work with OpenSSL 1.1.0 through 3.0.0. + + - Compared to the upstream commit f4f528ff the changes related to the + unit test are omitted. + +Signed-off-by: Petr Gotthard +--- + src/tss2-fapi/ifapi_get_intl_cert.c | 43 +++++++++++++++++------------ + 1 file changed, 25 insertions(+), 18 deletions(-) + +diff --git a/src/tss2-fapi/ifapi_get_intl_cert.c b/src/tss2-fapi/ifapi_get_intl_cert.c +index 2fb17fd0..9290a17e 100644 +--- a/src/tss2-fapi/ifapi_get_intl_cert.c ++++ b/src/tss2-fapi/ifapi_get_intl_cert.c +@@ -52,21 +52,26 @@ static unsigned char *hash_ek_public(TPM2B_PUBLIC *ek_public) { + return NULL; + } + +- SHA256_CTX sha256; +- int is_success = SHA256_Init(&sha256); ++ EVP_MD_CTX *sha256ctx = EVP_MD_CTX_new(); ++ if (!sha256ctx) { ++ LOG_ERROR("EVP_MD_CTX_new failed"); ++ goto err; ++ } ++ ++ int is_success = EVP_DigestInit(sha256ctx, EVP_sha256()); + if (!is_success) { +- LOG_ERROR("SHA256_Init failed"); ++ LOG_ERROR("EVP_DigestInit failed"); + goto err; + } + + switch (ek_public->publicArea.type) { + case TPM2_ALG_RSA: + /* Add public key to the hash. 
*/ +- is_success = SHA256_Update(&sha256, +- ek_public->publicArea.unique.rsa.buffer, +- ek_public->publicArea.unique.rsa.size); ++ is_success = EVP_DigestUpdate(sha256ctx, ++ ek_public->publicArea.unique.rsa.buffer, ++ ek_public->publicArea.unique.rsa.size); + if (!is_success) { +- LOG_ERROR("SHA256_Update failed"); ++ LOG_ERROR("EVP_DigestUpdate failed"); + goto err; + } + +@@ -77,28 +82,28 @@ static unsigned char *hash_ek_public(TPM2B_PUBLIC *ek_public) { + } + /* Exponent 65537 will be added. */ + BYTE buf[3] = { 0x1, 0x00, 0x01 }; +- is_success = SHA256_Update(&sha256, buf, sizeof(buf)); ++ is_success = EVP_DigestUpdate(sha256ctx, buf, sizeof(buf)); + if (!is_success) { +- LOG_ERROR("SHA256_Update failed"); ++ LOG_ERROR("EVP_DigestUpdate failed"); + goto err; + } + break; + + case TPM2_ALG_ECC: +- is_success = SHA256_Update(&sha256, +- ek_public->publicArea.unique.ecc.x.buffer, +- ek_public->publicArea.unique.ecc.x.size); ++ is_success = EVP_DigestUpdate(sha256ctx, ++ ek_public->publicArea.unique.ecc.x.buffer, ++ ek_public->publicArea.unique.ecc.x.size); + if (!is_success) { +- LOG_ERROR("SHA256_Update failed"); ++ LOG_ERROR("EVP_DigestUpdate failed"); + goto err; + } + + /* Add public key to the hash. 
*/ +- is_success = SHA256_Update(&sha256, +- ek_public->publicArea.unique.ecc.y.buffer, +- ek_public->publicArea.unique.ecc.y.size); ++ is_success = EVP_DigestUpdate(sha256ctx, ++ ek_public->publicArea.unique.ecc.y.buffer, ++ ek_public->publicArea.unique.ecc.y.size); + if (!is_success) { +- LOG_ERROR("SHA256_Update failed"); ++ LOG_ERROR("EVP_DigestUpdate failed"); + goto err; + } + break; +@@ -108,17 +113,19 @@ static unsigned char *hash_ek_public(TPM2B_PUBLIC *ek_public) { + goto err; + } + +- is_success = SHA256_Final(hash, &sha256); ++ is_success = EVP_DigestFinal_ex(sha256ctx, hash, NULL); + if (!is_success) { + LOG_ERROR("SHA256_Final failed"); + goto err; + } + ++ EVP_MD_CTX_free(sha256ctx); + LOG_TRACE("public-key-hash:"); + LOG_TRACE(" sha256: "); + LOGBLOB_TRACE(&hash[0], SHA256_DIGEST_LENGTH, "Hash"); + return hash; + err: ++ EVP_MD_CTX_free(sha256ctx); + free(hash); + return NULL; + } +-- +2.26.3 + diff --git a/SOURCES/0009-FAPI-Fix-leak-in-fapi-crypto-with-ossl3.patch b/SOURCES/0009-FAPI-Fix-leak-in-fapi-crypto-with-ossl3.patch new file mode 100644 index 0000000..cb2a3e4 --- /dev/null +++ b/SOURCES/0009-FAPI-Fix-leak-in-fapi-crypto-with-ossl3.patch 
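Review bot: The failure branch after `EVP_DigestFinal_ex(sha256ctx, hash, NULL)` in hash_ek_public still logs "SHA256_Final failed", unlike every other message in the function, which the patch renamed. Change it to `LOG_ERROR("EVP_DigestFinal_ex failed");` so the log names the call that actually failed. As a style point, `EVP_DigestInit` could be `EVP_DigestInit_ex(sha256ctx, EVP_sha256(), NULL)` to match the `_ex` finaliser, since the context is freshly allocated. The function starts before the first hunk.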
@@ -0,0 +1,28 @@ +From e1b4d9fd5b796711b38475c381a168a99003163c Mon Sep 17 00:00:00 2001 +From: Juergen Repp +Date: Thu, 2 Dec 2021 09:17:15 +0100 +Subject: [PATCH 09/23] FAPI: Fix leak in fapi crypto with ossl3 + +A leak in the case "out of memory" detected by scan-build was fixed. + +Signed-off-by: Juergen Repp +--- + src/tss2-fapi/fapi_crypto.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/tss2-fapi/fapi_crypto.c b/src/tss2-fapi/fapi_crypto.c +index d061cf48..fd7ea555 100644 +--- a/src/tss2-fapi/fapi_crypto.c ++++ b/src/tss2-fapi/fapi_crypto.c +@@ -1573,7 +1573,7 @@ ifapi_crypto_hash_start(IFAPI_CRYPTO_CONTEXT_BLOB **context, + * As we don't want the TPM to be called for these operations, we have + * to initialize own library context with the default provider. */ + mycontext->libctx = OSSL_LIB_CTX_new(); +- return_if_null(mycontext->libctx, "Out of memory", TSS2_FAPI_RC_MEMORY); ++ goto_if_null(mycontext->libctx, "Out of memory", TSS2_FAPI_RC_MEMORY, cleanup); + + if (!(mycontext->osslHashAlgorithm = + EVP_MD_fetch(mycontext->libctx, get_hash_md(hashAlgorithm), NULL))) { +-- +2.34.3 + diff --git a/SOURCES/0010-FAPI-Fix-memory-leak-after-ifapi_init_primary_finish.patch b/SOURCES/0010-FAPI-Fix-memory-leak-after-ifapi_init_primary_finish.patch new file mode 100644 index 0000000..c383e4e --- /dev/null +++ b/SOURCES/0010-FAPI-Fix-memory-leak-after-ifapi_init_primary_finish.patch 
@@ -0,0 +1,29 @@ +From 5652a33144973bdf570bea033ec185f8a7a6d038 Mon Sep 17 00:00:00 2001 +From: JerryDevis +Date: Tue, 21 Dec 2021 17:44:00 +0800 +Subject: [PATCH 10/23] FAPI: Fix memory leak after ifapi_init_primary_finish + failed + +Signed-off-by: JerryDevis +--- + src/tss2-fapi/fapi_util.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c +index 90f8b2aa..cd4e0979 100644 +--- a/src/tss2-fapi/fapi_util.c ++++ b/src/tss2-fapi/fapi_util.c +@@ -807,6 +807,10 @@ ifapi_init_primary_finish(FAPI_CONTEXT *context, TSS2_KEY_TYPE ktype, IFAPI_OBJE + } + + error_cleanup: ++ SAFE_FREE(outPublic); ++ SAFE_FREE(creationData); ++ SAFE_FREE(creationHash); ++ SAFE_FREE(creationTicket); + ifapi_cleanup_ifapi_object(&context->createPrimary.pkey_object); + free_string_list(k_sub_path); + SAFE_FREE(pkey->serialization.buffer); +-- +2.34.3 + diff --git a/SOURCES/0010-Test-Use-EVP_MAC_xxx-with-OpenSSL-3.0.patch b/SOURCES/0010-Test-Use-EVP_MAC_xxx-with-OpenSSL-3.0.patch new file mode 100644 index 0000000..c0e4b49 --- /dev/null +++ b/SOURCES/0010-Test-Use-EVP_MAC_xxx-with-OpenSSL-3.0.patch 
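Review bot: The four `SAFE_FREE` calls added under `error_cleanup:` in ifapi_init_primary_finish are safe only if `outPublic`, `creationData`, `creationHash` and `creationTicket` are initialised to NULL where they are declared, and those declarations are outside the hunk. Any `goto error_cleanup` taken before the finish call has filled them would otherwise free an indeterminate pointer. Please confirm that each declaration ends in `= NULL`, and that no earlier path frees them and then reaches the label without resetting them.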
@@ -0,0 +1,124 @@ +From 89b2bd01f6fa1e267f57b2ceeb2ffaafb9cdb7c0 Mon Sep 17 00:00:00 2001 +From: Petr Gotthard +Date: Sun, 18 Jul 2021 14:56:18 +0200 +Subject: Test: Use EVP_MAC_xxx with OpenSSL 3.0 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Drop support for OpenSSL < 1.1.0 and add support for OpenSSL >= 3.0.0. + +The HMAC_Update is deprecated in OpenSSL 3.0, but the replacement +EVP_MAC_update was added in OpenSSL 3.0, so version specific code is +needed. + +Signed-off-by: Petr Gotthard +--- + test/integration/sys-util.c | 50 +++++++++++++++++++++++-------------- + 1 file changed, 31 insertions(+), 19 deletions(-) + +diff --git a/test/integration/sys-util.c b/test/integration/sys-util.c +index af83cf55..5865f002 100644 +--- a/test/integration/sys-util.c ++++ b/test/integration/sys-util.c +@@ -13,10 +13,13 @@ + #include + #include + ++#include + #include ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + #include +-#include +-#include ++#else ++#include ++#endif + + #define LOGMODULE testintegration + #include "util/log.h" +@@ -489,22 +492,18 @@ hmac( + TPM2B_DIGEST **buffer_list, + TPM2B_DIGEST *out) + { +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L +- HMAC_CTX *ctx; +-#else +- HMAC_CTX _ctx; +- HMAC_CTX *ctx = &_ctx; +-#endif +- EVP_MD *evp; + int rc = 1, i; +- unsigned int *buf = NULL, size; ++ unsigned int *buf = NULL; + uint8_t *buf_ptr; ++ EVP_MD *evp; + +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L +- /* HMAC_CTX_new and HMAC_CTX_free are new in openSSL 1.1.0 */ +- ctx = HMAC_CTX_new(); ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++ unsigned int size; ++ HMAC_CTX *ctx = HMAC_CTX_new(); + #else +- HMAC_CTX_init(ctx); ++ size_t size; ++ EVP_MAC *hmac = EVP_MAC_fetch(NULL, "HMAC", NULL); ++ EVP_MAC_CTX *ctx = EVP_MAC_CTX_new(hmac); + #endif + + if (!ctx) +@@ -538,21 +537,33 @@ hmac( + + buf_ptr = (uint8_t *)buf; + +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + rc = 
HMAC_Init_ex(ctx, key, key_len, evp, NULL); + #else +- rc = HMAC_Init(ctx, key, key_len, evp); +-#endif ++ OSSL_PARAM params[2]; + ++ params[0] = OSSL_PARAM_construct_utf8_string(OSSL_ALG_PARAM_DIGEST, ++ (char *)EVP_MD_get0_name(evp), 0); ++ params[1] = OSSL_PARAM_construct_end(); ++ rc = EVP_MAC_init(ctx, key, key_len, params); ++#endif + if (rc != 1) + goto out; + for (i = 0; buffer_list[i] != 0; i++) { ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + rc = HMAC_Update(ctx, buffer_list[i]->buffer, buffer_list[i]->size); ++#else ++ rc = EVP_MAC_update(ctx, buffer_list[i]->buffer, buffer_list[i]->size); ++#endif + if (rc != 1) + goto out; + } + /* buf_ptr has to be 4 bytes alligned for whatever reason */ ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + rc = HMAC_Final(ctx, buf_ptr, &size); ++#else ++ rc = EVP_MAC_final(ctx, buf_ptr, &size, out->size); ++#endif + if (rc != 1) + goto out; + +@@ -561,10 +572,11 @@ hmac( + memcpy(out->buffer, buf, out->size); + + out: +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + HMAC_CTX_free(ctx); + #else +- HMAC_CTX_cleanup(ctx); ++ EVP_MAC_CTX_free(ctx); ++ EVP_MAC_free(hmac); + #endif + + if (buf) +-- +2.26.3 + diff --git a/SOURCES/0011-Drop-support-for-OpenSSL-1.1.0.patch b/SOURCES/0011-Drop-support-for-OpenSSL-1.1.0.patch new file mode 100644 index 0000000..3c77e9d --- /dev/null +++ b/SOURCES/0011-Drop-support-for-OpenSSL-1.1.0.patch 
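Review bot: In the OpenSSL 3.0 branch of hmac(), the result of `EVP_MAC_fetch(NULL, "HMAC", NULL)` is passed straight to `EVP_MAC_CTX_new(hmac)` and only `ctx` is checked afterwards, so a failed fetch is not handled before the MAC object is used. I would declare `EVP_MAC_CTX *ctx = hmac ? EVP_MAC_CTX_new(hmac) : NULL;` so the existing `if (!ctx)` covers both failures. The local is also named `hmac` inside the function `hmac`, which shadows the function name; `mac` would read better. The `(char *)EVP_MD_get0_name(evp)` cast, which drops const to fit the OSSL_PARAM constructor's parameter, deserves a one-line comment.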
@@ -0,0 +1,313 @@ +From df8495b73df96f55425970e76c613b8a0950bf0c Mon Sep 17 00:00:00 2001 +From: Petr Gotthard +Date: Sun, 18 Jul 2021 20:21:01 +0200 +Subject: Drop support for OpenSSL < 1.1.0 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Delete code written to support OpenSSL < 1.1.0 + +Delete functions that have no effect in OpenSSL >= 1.1.0 + - ENGINE_load_builtin_engines() + - OpenSSL_add_all_algorithms() + - ERR_load_crypto_strings() + - EC_KEY_set_asn1_flag(ecKey, OPENSSL_EC_NAMED_CURVE) + +Switch AppVeyor to use pre-built OpenSSL 1.1.0 + +Signed-off-by: Petr Gotthard +--- + src/tss2-esys/esys_crypto_ossl.c | 19 ---------------- + src/tss2-esys/tss2-esys.vcxproj | 16 +++++++------- + src/tss2-fapi/fapi_crypto.c | 37 -------------------------------- + test/helper/tpm_getek.c | 11 ---------- + test/helper/tpm_getek_ecc.c | 9 -------- + 5 files changed, 8 insertions(+), 84 deletions(-) + +diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c +index 2eb0dfcb..a6259346 100644 +--- a/src/tss2-esys/esys_crypto_ossl.c ++++ b/src/tss2-esys/esys_crypto_ossl.c +@@ -525,11 +525,7 @@ iesys_cryptossl_random2b(TPM2B_NONCE * nonce, size_t num_bytes) + nonce->size = num_bytes; + } + +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L + RAND_set_rand_method(RAND_OpenSSL()); +-#else +- RAND_set_rand_method(RAND_SSLeay()); +-#endif + if (1 != RAND_bytes(&nonce->buffer[0], nonce->size)) { + RAND_set_rand_method(rand_save); + return_error(TSS2_ESYS_RC_GENERAL_FAILURE, +@@ -563,11 +559,7 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key, + size_t * out_size, const char *label) + { + const RAND_METHOD *rand_save = RAND_get_rand_method(); +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L + RAND_set_rand_method(RAND_OpenSSL()); +-#else +- RAND_set_rand_method(RAND_SSLeay()); +-#endif + + TSS2_RC r = TSS2_RC_SUCCESS; + const EVP_MD * hashAlg = NULL; +@@ -630,14 +622,6 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * 
pub_tpm_key, + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, + "Could not create evp key.", cleanup); + } +-#if OPENSSL_VERSION_NUMBER < 0x10100000L +- if (!BN_bin2bn(pub_tpm_key->publicArea.unique.rsa.buffer, +- pub_tpm_key->publicArea.unique.rsa.size, +- rsa_key->n)) { +- goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, +- "Could not create rsa n.", cleanup); +- } +-#else + BIGNUM *n = NULL; + if (!(n = BN_bin2bn(pub_tpm_key->publicArea.unique.rsa.buffer, + pub_tpm_key->publicArea.unique.rsa.size, +@@ -650,7 +634,6 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key, + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, + "Could not set rsa n.", cleanup); + } +-#endif + + if (1 != EVP_PKEY_set1_RSA(evp_rsa_key, rsa_key)) { + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, +@@ -1129,7 +1112,5 @@ iesys_cryptossl_sym_aes_decrypt(uint8_t * key, + */ + TSS2_RC + iesys_cryptossl_init() { +- ENGINE_load_builtin_engines(); +- OpenSSL_add_all_algorithms(); + return TSS2_RC_SUCCESS; + } +diff --git a/src/tss2-esys/tss2-esys.vcxproj b/src/tss2-esys/tss2-esys.vcxproj +index b75424aa..b2aa67ce 100644 +--- a/src/tss2-esys/tss2-esys.vcxproj ++++ b/src/tss2-esys/tss2-esys.vcxproj +@@ -69,13 +69,13 @@ + MultiThreadedDebugDLL + Level3 + Disabled +- $(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-Win32\include;%(AdditionalIncludeDirectories) ++ $(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-v11-Win32\include;%(AdditionalIncludeDirectories) + + + MachineX86 + true + Windows +- $(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-Win32\lib\libeay32.lib;C:\OpenSSL-Win32\lib\libeay32.lib;%(AdditionalDependencies) ++ 
$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-v11-Win32\lib\libcrypto.lib;C:\OpenSSL-v11-Win32\lib\libcrypto.lib;%(AdditionalDependencies) + $(SolutionDir)\lib\tss2-esys.def + + +@@ -84,7 +84,7 @@ + WIN32;NDEBUG;_WINDOWS;_USRDLL;TSS2ESYS_EXPORTS;MAXLOGLEVEL=6;strtok_r=strtok_s;OSSL;%(PreprocessorDefinitions) + MultiThreadedDLL + Level3 +- $(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-Win32\include;%(AdditionalIncludeDirectories) ++ $(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-v11-Win32\include;%(AdditionalIncludeDirectories) + + + MachineX86 +@@ -92,27 +92,27 @@ + Windows + true + true +- $(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-Win32\lib\libeay32.lib;%(AdditionalDependencies) ++ $(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-v11-Win32\lib\libcrypto.lib;%(AdditionalDependencies) + $(SolutionDir)\lib\tss2-esys.def + + + + +- $(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-Win64\include;%(AdditionalIncludeDirectories) ++ $(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-v11-Win64\include;%(AdditionalIncludeDirectories) + _DEBUG;_WINDOWS;_USRDLL;TSS2ESYS_EXPORTS;MAXLOGLEVEL=6;strtok_r=strtok_s;OSSL;%(PreprocessorDefinitions) + + +- $(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-Win64\lib\libeay32.lib;%(AdditionalDependencies) ++ $(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-v11-Win64\lib\libcrypto.lib;%(AdditionalDependencies) + 
$(SolutionDir)\lib\tss2-esys.def + + + + +- $(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-Win64\include;%(AdditionalIncludeDirectories) ++ $(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-v11-Win64\include;%(AdditionalIncludeDirectories) + NDEBUG;_WINDOWS;_USRDLL;TSS2ESYS_EXPORTS;MAXLOGLEVEL=6;strtok_r=strtok_s;OSSL;%(PreprocessorDefinitions) + + +- $(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-Win64\lib\libeay32.lib;%(AdditionalDependencies) ++ $(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-v11-Win64\lib\libcrypto.lib;%(AdditionalDependencies) + $(SolutionDir)\lib\tss2-esys.def + + +diff --git a/src/tss2-fapi/fapi_crypto.c b/src/tss2-fapi/fapi_crypto.c +index f5b3d272..c97b0a1d 100644 +--- a/src/tss2-fapi/fapi_crypto.c ++++ b/src/tss2-fapi/fapi_crypto.c +@@ -333,12 +333,7 @@ ifapi_tpm_ecc_sig_to_der( + tpmSignature->signature.ecdsa.signatureR.size, NULL); + goto_if_null(bnr, "Out of memory", TSS2_FAPI_RC_MEMORY, cleanup); + +-#if OPENSSL_VERSION_NUMBER < 0x10100000 +- ecdsaSignature->s = bns; +- ecdsaSignature->r = bnr; +-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */ + ECDSA_SIG_set0(ecdsaSignature, bnr, bns); +-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */ + + osslRC = i2d_ECDSA_SIG(ecdsaSignature, NULL); + if (osslRC == -1) { +@@ -424,20 +419,9 @@ ossl_rsa_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey) + "Could not set exponent.", error_cleanup); + } + +-#if OPENSSL_VERSION_NUMBER < 0x10100000 +- rsa->e = e; +- rsa->n = n; +- rsa->d = d; +- rsa->p = p; +- rsa->q = q; +- rsa->dmp1 = dmp1; +- rsa->dmq1 = dmq1; +- rsa->iqmp = iqmp; +-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */ + RSA_set0_key(rsa, n, e, d); + RSA_set0_factors(rsa, p, q); + 
RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp); +-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */ + + /* Assign the parameters to the key */ + if (!EVP_PKEY_assign_RSA(evpPublicKey, rsa)) { +@@ -541,8 +525,6 @@ ossl_ecc_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey) + goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Assign ecc key", + error_cleanup); + } +- /* Needed for older OSSL versions. */ +- EC_KEY_set_asn1_flag(ecKey, OPENSSL_EC_NAMED_CURVE); + OSSL_FREE(y, BN); + OSSL_FREE(x, BN); + return TSS2_RC_SUCCESS; +@@ -654,24 +636,14 @@ ifapi_ecc_der_sig_to_tpm( + + /* Initialize the ECDSA signature components */ + ECDSA_SIG *ecdsaSignature = NULL; +-#if OPENSSL_VERSION_NUMBER < 0x10100000 +- BIGNUM *bnr; +- BIGNUM *bns; +-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */ + const BIGNUM *bnr; + const BIGNUM *bns; +-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */ + + d2i_ECDSA_SIG(&ecdsaSignature, &signature, signatureSize); + return_if_null(ecdsaSignature, "Invalid DER signature", + TSS2_FAPI_RC_GENERAL_FAILURE); + +-#if OPENSSL_VERSION_NUMBER < 0x10100000 +- bns = ecdsaSignature->s; +- bnr = ecdsaSignature->r; +-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */ + ECDSA_SIG_get0(ecdsaSignature, &bnr, &bns); +-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */ + + /* Writing them to the TPM format signature */ + tpmSignature->signature.ecdsa.hash = hashAlgorithm; +@@ -933,12 +905,7 @@ get_rsa_tpm2b_public_from_evp( + const BIGNUM *e = NULL, *n = NULL; + int rsaKeySize = RSA_size(rsaKey); + +-#if OPENSSL_VERSION_NUMBER < 0x10100000 +- e = rsaKey->e; +- n = rsaKey->n; +-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */ + RSA_get0_key(rsaKey, &n, &e, NULL); +-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */ + tpmPublic->publicArea.unique.rsa.size = rsaKeySize; + if (1 != ifapi_bn2binpad(n, &tpmPublic->publicArea.unique.rsa.buffer[0], + rsaKeySize)) { +@@ -1650,8 +1617,6 @@ get_crl_from_cert(X509 *cert, X509_CRL **crl) + goto_error(r, TSS2_FAPI_RC_NO_CERT, 
"Get crl.", cleanup); + } + +- OpenSSL_add_all_algorithms(); +- + unsigned const char* tmp_ptr1 = crl_buffer; + unsigned const char** tmp_ptr2 = &tmp_ptr1; + +@@ -1935,7 +1900,6 @@ ifapi_verify_ek_cert( + r, TSS2_FAPI_RC_BAD_VALUE, cleanup); + } else { + /* Get uri for ek intermediate certificate. */ +- OpenSSL_add_all_algorithms(); + info = X509_get_ext_d2i(ek_cert, NID_info_access, NULL, NULL); + + for (i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++) { +@@ -1955,7 +1919,6 @@ ifapi_verify_ek_cert( + goto_if_null2(cert_buffer, "No certificate downloaded", r, + TSS2_FAPI_RC_NO_CERT, cleanup); + +- OpenSSL_add_all_algorithms(); + intermed_cert = get_cert_from_buffer(cert_buffer, cert_buffer_size); + + SAFE_FREE(cert_buffer); +diff --git a/test/helper/tpm_getek.c b/test/helper/tpm_getek.c +index 21be0f46..c6a8e906 100644 +--- a/test/helper/tpm_getek.c ++++ b/test/helper/tpm_getek.c +@@ -147,20 +147,9 @@ main (int argc, char *argv[]) + exp = out_public.publicArea.parameters.rsaDetail.exponent; + BN_set_word(e, exp); + +-#if OPENSSL_VERSION_NUMBER < 0x10100000 +- rsa->e = e; +- rsa->n = n; +- rsa->d = d; +- rsa->p = p; +- rsa->q = q; +- rsa->dmp1 = dmp1; +- rsa->dmq1 = dmq1; +- rsa->iqmp = iqmp; +-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */ + RSA_set0_key(rsa, n, e, d); + RSA_set0_factors(rsa, p, q); + RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp); +-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */ + + EVP_PKEY_assign_RSA(evp, rsa); + +diff --git a/test/helper/tpm_getek_ecc.c b/test/helper/tpm_getek_ecc.c +index 0419f47a..75165fdd 100644 +--- a/test/helper/tpm_getek_ecc.c ++++ b/test/helper/tpm_getek_ecc.c +@@ -128,14 +128,6 @@ main (int argc, char *argv[]) + /* Convert the key from out_public to PEM */ + + EVP_PKEY *evp = EVP_PKEY_new(); +- +- OpenSSL_add_all_algorithms(); +- +- OpenSSL_add_all_algorithms(); +- +- ERR_load_crypto_strings(); +- +- + EC_KEY *ecc_key = EC_KEY_new(); + BIGNUM *x = NULL, *y = NULL; + BIO *bio; +@@ -159,7 +151,6 @@ main (int argc, char 
*argv[]) + if (!EC_KEY_set_group(ecc_key, ecgroup)) + exit(1); + +- EC_KEY_set_asn1_flag(ecc_key, OPENSSL_EC_NAMED_CURVE); + EC_GROUP_free(ecgroup); + + /* Set the ECC parameters in the OpenSSL key */ +-- +2.26.3 + diff --git a/SOURCES/0011-esys-Return-an-error-if-ESYS_TR_NONE-is-passed-to-Es.patch b/SOURCES/0011-esys-Return-an-error-if-ESYS_TR_NONE-is-passed-to-Es.patch new file mode 100644 index 0000000..fa2dd72 --- /dev/null +++ b/SOURCES/0011-esys-Return-an-error-if-ESYS_TR_NONE-is-passed-to-Es.patch @@ -0,0 +1,39 @@ +From 8b3891af6b8125f30c4b229ee1ba0b30a112664a Mon Sep 17 00:00:00 2001 +From: Juergen Repp +Date: Tue, 21 Dec 2021 11:59:28 +0100 +Subject: [PATCH 11/23] esys: Return an error if ESYS_TR_NONE is passed to + Esys_TR_GetName. + +A segfault was produced in this case. Fixes #2243. + +Signed-off-by: Juergen Repp +--- + src/tss2-esys/esys_tr.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/tss2-esys/esys_tr.c b/src/tss2-esys/esys_tr.c +index f0127d02..cf4caa09 100644 +--- a/src/tss2-esys/esys_tr.c ++++ b/src/tss2-esys/esys_tr.c +@@ -408,6 +408,7 @@ Esys_TR_SetAuth(ESYS_CONTEXT * esys_context, ESYS_TR esys_handle, + * @retval TSS2_ESYS_RC_MEMORY if needed memory can't be allocated. + * @retval TSS2_ESYS_RC_GENERAL_FAILURE for errors of the crypto library. + * @retval TSS2_ESYS_RC_BAD_REFERENCE if the esysContext is NULL. ++ * @retval TSS2_ESYS_RC_BAD_TR if the handle is invalid. + * @retval TSS2_SYS_RC_* for SAPI errors. + */ + TSS2_RC +@@ -418,6 +419,10 @@ Esys_TR_GetName(ESYS_CONTEXT * esys_context, ESYS_TR esys_handle, + TSS2_RC r; + _ESYS_ASSERT_NON_NULL(esys_context); + ++ if (esys_handle == ESYS_TR_NONE) { ++ return_error(TSS2_ESYS_RC_BAD_TR, "Name for ESYS_TR_NONE can't be determined."); ++ } ++ + r = esys_GetResourceObject(esys_context, esys_handle, &esys_object); + return_if_error(r, "Object not found"); + +-- +2.34.3 + 
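Review bot: The first `AdditionalDependencies` line changed in tss2-esys.vcxproj now lists `C:\OpenSSL-v11-Win32\lib\libcrypto.lib` twice, carrying over the duplicated `libeay32.lib` entry it replaces; one entry is enough. All configurations link against a fixed absolute path under `C:\`, so the build uses whatever library is installed there; a property for the OpenSSL root would make the origin of that binary explicit. In esys_crypto_ossl.c, iesys_cryptossl_init is left with only `return TSS2_RC_SUCCESS;` and should say why, for example `/* Nothing to do: OpenSSL >= 1.1.0 initialises itself. */`.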
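Review bot: The new guard in Esys_TR_GetName rejects only `ESYS_TR_NONE`, while the added `@retval TSS2_ESYS_RC_BAD_TR if the handle is invalid` reads as if every invalid handle were covered here. The commit message says the crash was a segfault. If esys_GetResourceObject can return success with a NULL `esys_object` for any other reserved handle (not visible in this hunk), the same crash remains. A check after the lookup, `if (esys_object == NULL) return_error(TSS2_ESYS_RC_BAD_TR, "Object not found");`, would cover those cases. The visible lines assert only `esys_context`; whether the `name` output pointer is checked falls outside the hunk.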
diff --git a/SOURCES/0012-FAPI-Fixed-memory-leak-when-ifapi_get_certificates-f.patch b/SOURCES/0012-FAPI-Fixed-memory-leak-when-ifapi_get_certificates-f.patch new file mode 100644 index 0000000..f27cd6b --- /dev/null +++ b/SOURCES/0012-FAPI-Fixed-memory-leak-when-ifapi_get_certificates-f.patch @@ -0,0 +1,45 @@ +From d03674af6f2a66bb6d94f5a50871301c8650522d Mon Sep 17 00:00:00 2001 +From: JerryDevis +Date: Wed, 5 Jan 2022 20:55:21 +0800 +Subject: [PATCH 12/23] FAPI: Fixed memory leak when ifapi_get_certificates + failed + +Signed-off-by: JerryDevis +--- + src/tss2-fapi/fapi_util.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c +index cd4e0979..f64c4e8b 100644 +--- a/src/tss2-fapi/fapi_util.c ++++ b/src/tss2-fapi/fapi_util.c +@@ -4328,7 +4328,7 @@ ifapi_get_certificates( + context->nv_cmd.nv_object.misc.nv.public.nvPublic.attributes = TPMA_NV_NO_DA; + + r = ifapi_keystore_load_async(&context->keystore, &context->io, "/HS"); +- return_if_error2(r, "Could not open hierarchy /HS"); ++ goto_if_error_reset_state(r, "Could not open hierarchy /HS", error); + + fallthrough; + +@@ -4352,7 +4352,7 @@ ifapi_get_certificates( + context->session2 = ESYS_TR_NONE; + context->nv_cmd.nv_read_state = NV_READ_INIT; + memset(&context->nv_cmd.nv_object, 0, sizeof(IFAPI_OBJECT)); +- Esys_Free(context->cmd.Provision.nvPublic); ++ SAFE_FREE(context->cmd.Provision.nvPublic); + fallthrough; + + statecase(context->get_cert_state, GET_CERT_READ_CERT); +@@ -4382,7 +4382,7 @@ ifapi_get_certificates( + } + + error: +- SAFE_FREE(context->cmd.Provision.capabilityData); ++ SAFE_FREE(context->cmd.Provision.nvPublic); + SAFE_FREE(context->cmd.Provision.capabilityData); + ifapi_cleanup_ifapi_object(&context->nv_cmd.auth_object); + ifapi_free_object_list(*cert_list); +-- +2.34.3 + 
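Review bot: With `goto_if_error_reset_state(r, "Could not open hierarchy /HS", error)`, the first state of ifapi_get_certificates now runs the whole `error:` block, including `ifapi_free_object_list(*cert_list)`. Whether `*cert_list` has been set to NULL before that point is outside the hunk; if it has not, a failure in ifapi_keystore_load_async would free whatever the caller left in the output pointer. Unless it is reset in lines not shown, the block also leaves `*cert_list` pointing at freed memory, so `*cert_list = NULL;` right after the free would be a cheap guard. The function body extends beyond all three hunks.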
diff --git a/SOURCES/0012-Implement-EVP_PKEY-export-import-for-OpenSSL-3.0.patch b/SOURCES/0012-Implement-EVP_PKEY-export-import-for-OpenSSL-3.0.patch new file mode 100644 index 0000000..d98ec63 --- /dev/null +++ b/SOURCES/0012-Implement-EVP_PKEY-export-import-for-OpenSSL-3.0.patch 
@@ -0,0 +1,1005 @@ +From f328c68cba9d5511b7d2d2615b3a28987edbdfac Mon Sep 17 00:00:00 2001 +From: Petr Gotthard +Date: Sun, 18 Jul 2021 21:30:59 +0200 +Subject: Implement EVP_PKEY export/import for OpenSSL 3.0 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The `RSA_KEY` and `EC_KEY` are not publicly available in OpenSSL 3.0 and +the generic `EVP_PKEY` must be used instead. +Since export/import of raw keys still requires access to the internal structures +the OpenSSL 3.0 introduced a completely new approach to access key internals. + +This PR: + - preserves the current export/import impementation for OpenSSL 1.1.x + - implements key export/import for OpenSSL 3.0.0 + +Signed-off-by: Petr Gotthard +--- + src/tss2-esys/esys_crypto_ossl.c | 154 ++++++++++++----- + src/tss2-fapi/fapi_crypto.c | 275 +++++++++++++++++++++---------- + test/helper/tpm_getek.c | 53 +++--- + test/helper/tpm_getek_ecc.c | 61 +++++-- + 4 files changed, 386 insertions(+), 157 deletions(-) + +diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c +index a6259346..392f97ae 100644 +--- a/src/tss2-esys/esys_crypto_ossl.c ++++ b/src/tss2-esys/esys_crypto_ossl.c +@@ -8,9 +8,17 @@ + #include + #endif + ++#include + #include +-#include + #include ++#include ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#include ++#else ++#include ++#include ++#include ++#endif + #include + #include + +@@ -324,9 +332,14 @@ iesys_cryptossl_hmac_start(IESYS_CRYPTO_CONTEXT_BLOB ** context, + "Error EVP_MD_CTX_create", cleanup); + } + ++#if OPENSSL_VERSION_NUMBER < 0x10101000L + if (!(hkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, key, size))) { ++#else ++ /* this is preferred, but available since OpenSSL 1.1.1 only */ ++ if (!(hkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, key, size))) { ++#endif + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, +- "EVP_PKEY_new_mac_key", cleanup); ++ "Failed to create HMAC key", cleanup); + } + + if(1 != 
EVP_DigestSignInit(mycontext->hmac.ossl_context, NULL, +@@ -517,7 +530,10 @@ iesys_cryptossl_hmac_abort(IESYS_CRYPTO_CONTEXT_BLOB ** context) + TSS2_RC + iesys_cryptossl_random2b(TPM2B_NONCE * nonce, size_t num_bytes) + { ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + const RAND_METHOD *rand_save = RAND_get_rand_method(); ++ RAND_set_rand_method(RAND_OpenSSL()); ++#endif + + if (num_bytes == 0) { + nonce->size = sizeof(TPMU_HA); +@@ -525,13 +541,16 @@ iesys_cryptossl_random2b(TPM2B_NONCE * nonce, size_t num_bytes) + nonce->size = num_bytes; + } + +- RAND_set_rand_method(RAND_OpenSSL()); + if (1 != RAND_bytes(&nonce->buffer[0], nonce->size)) { ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + RAND_set_rand_method(rand_save); ++#endif + return_error(TSS2_ESYS_RC_GENERAL_FAILURE, + "Failure in random number generator."); + } ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + RAND_set_rand_method(rand_save); ++#endif + return TSS2_RC_SUCCESS; + } + +@@ -558,30 +577,33 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key, + BYTE * out_buffer, + size_t * out_size, const char *label) + { ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++ RSA *rsa_key = NULL; + const RAND_METHOD *rand_save = RAND_get_rand_method(); ++ + RAND_set_rand_method(RAND_OpenSSL()); ++#else ++ OSSL_PARAM *params = NULL; ++ OSSL_PARAM_BLD *build = NULL; ++#endif + + TSS2_RC r = TSS2_RC_SUCCESS; + const EVP_MD * hashAlg = NULL; +- RSA * rsa_key = NULL; + EVP_PKEY *evp_rsa_key = NULL; +- EVP_PKEY_CTX *ctx = NULL; +- BIGNUM* bne = NULL; ++ EVP_PKEY_CTX *genctx = NULL, *ctx = NULL; ++ BIGNUM *bne = NULL, *n = NULL; + int padding; + char *label_copy = NULL; + + if (!(hashAlg = get_ossl_hash_md(pub_tpm_key->publicArea.nameAlg))) { + LOG_ERROR("Unsupported hash algorithm (%"PRIu16")", + pub_tpm_key->publicArea.nameAlg); ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + RAND_set_rand_method(rand_save); ++#endif + return TSS2_ESYS_RC_NOT_IMPLEMENTED; + } + +- if (!(bne = BN_new())) { +- goto_error(r, TSS2_ESYS_RC_MEMORY, +- 
"Could not allocate Big Number", cleanup); +- } +- + switch (pub_tpm_key->publicArea.parameters.rsaDetail.scheme.scheme) { + case TPM2_ALG_NULL: + padding = RSA_NO_PADDING; +@@ -601,44 +623,64 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key, + exp = 65537; + else + exp = pub_tpm_key->publicArea.parameters.rsaDetail.exponent; +- if (1 != BN_set_word(bne, exp)) { ++ ++ if (!(n = BN_bin2bn(pub_tpm_key->publicArea.unique.rsa.buffer, ++ pub_tpm_key->publicArea.unique.rsa.size, ++ NULL))) { + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, +- "Could not set exponent.", cleanup); ++ "Could not create rsa n.", cleanup); + } + ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + if (!(rsa_key = RSA_new())) { + goto_error(r, TSS2_ESYS_RC_MEMORY, + "Could not allocate RSA key", cleanup); + } + +- if (1 != RSA_generate_key_ex(rsa_key, +- pub_tpm_key->publicArea.parameters.rsaDetail.keyBits, +- bne, NULL)) { +- goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Could not generate RSA key", +- cleanup); ++ if (!(bne = BN_new())) { ++ goto_error(r, TSS2_ESYS_RC_MEMORY, ++ "Could not allocate Big Number", cleanup); + } +- +- if (!(evp_rsa_key = EVP_PKEY_new())) { ++ if (1 != BN_set_word(bne, exp)) { + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, +- "Could not create evp key.", cleanup); ++ "Could not set exponent.", cleanup); + } +- BIGNUM *n = NULL; +- if (!(n = BN_bin2bn(pub_tpm_key->publicArea.unique.rsa.buffer, +- pub_tpm_key->publicArea.unique.rsa.size, +- NULL))) { ++ ++ if (1 != RSA_set0_key(rsa_key, n, bne, NULL)) { + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, +- "Could not create rsa n.", cleanup); ++ "Could not set rsa n.", cleanup); + } ++ /* ownership got transferred */ ++ n = NULL; ++ bne = NULL; + +- if (1 != RSA_set0_key(rsa_key, n, NULL, NULL)) { ++ if (!(evp_rsa_key = EVP_PKEY_new())) { + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, +- "Could not set rsa n.", cleanup); ++ "Could not create evp key.", cleanup); + } + +- if (1 != EVP_PKEY_set1_RSA(evp_rsa_key, rsa_key)) { ++ 
if (1 != EVP_PKEY_assign_RSA(evp_rsa_key, rsa_key)) { + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, + "Could not set rsa key.", cleanup); + } ++ /* ownership got transferred */ ++ rsa_key = NULL; ++#else /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++ if ((build = OSSL_PARAM_BLD_new()) == NULL ++ || !OSSL_PARAM_BLD_push_BN(build, OSSL_PKEY_PARAM_RSA_N, n) ++ || !OSSL_PARAM_BLD_push_uint32(build, OSSL_PKEY_PARAM_RSA_E, exp) ++ || (params = OSSL_PARAM_BLD_to_param(build)) == NULL) { ++ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Could not create rsa parameters.", ++ cleanup); ++ } ++ ++ if ((genctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL)) == NULL ++ || EVP_PKEY_fromdata_init(genctx) <= 0 ++ || EVP_PKEY_fromdata(genctx, &evp_rsa_key, EVP_PKEY_PUBLIC_KEY, params) <= 0) { ++ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Could not create rsa key.", ++ cleanup); ++ } ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ + + if (!(ctx = EVP_PKEY_CTX_new(evp_rsa_key, NULL))) { + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, +@@ -692,11 +734,18 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key, + r = TSS2_RC_SUCCESS; + + cleanup: ++ OSSL_FREE(genctx, EVP_PKEY_CTX); + OSSL_FREE(ctx, EVP_PKEY_CTX); + OSSL_FREE(evp_rsa_key, EVP_PKEY); +- OSSL_FREE(rsa_key, RSA); + OSSL_FREE(bne, BN); ++ OSSL_FREE(n, BN); ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++ OSSL_FREE(rsa_key, RSA); + RAND_set_rand_method(rand_save); ++#else ++ OSSL_FREE(params, OSSL_PARAM); ++ OSSL_FREE(build, OSSL_PARAM_BLD); ++#endif + return r; + } + +@@ -784,8 +833,14 @@ iesys_cryptossl_get_ecdh_point(TPM2B_PUBLIC *key, + { + TSS2_RC r = TSS2_RC_SUCCESS; + EC_GROUP *group = NULL; /* Group defines the used curve */ +- EC_KEY *eph_ec_key = NULL; /* Ephemeral ec key of application */ ++ EVP_PKEY_CTX *ctx = NULL; ++ EVP_PKEY *eph_pkey = NULL; ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + const EC_POINT *eph_pub_key = NULL; /* Public part of ephemeral key */ ++ const BIGNUM *eph_priv_key = NULL; ++#else ++ 
BIGNUM *eph_priv_key = NULL; ++#endif + EC_POINT *tpm_pub_key = NULL; /* Public part of TPM key */ + EC_POINT *mul_eph_tpm = NULL; + BIGNUM *bn_x = NULL; +@@ -827,23 +882,25 @@ iesys_cryptossl_get_ecdh_point(TPM2B_PUBLIC *key, + } + + /* Create ephemeral key */ +- if (!(eph_ec_key = EC_KEY_new())) { ++ if ((ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL)) == NULL ++ || EVP_PKEY_keygen_init(ctx) <= 0) { + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, +- "Create ec key", cleanup); ++ "Initialize ec key generation", cleanup); + } +- if (1 != EC_KEY_set_group(eph_ec_key , group)) { + +- goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Set group", cleanup); +- } +- +- if (1 != EC_KEY_generate_key(eph_ec_key)) { ++ if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, curveId) <= 0 ++ || EVP_PKEY_keygen(ctx, &eph_pkey) <= 0) { + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Generate ec key", cleanup); + } + ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++ EC_KEY *eph_ec_key = EVP_PKEY_get0_EC_KEY(eph_pkey); ++ + if (!(eph_pub_key = EC_KEY_get0_public_key(eph_ec_key))) { + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Get public key", cleanup); + } + ++ eph_priv_key = EC_KEY_get0_private_key(eph_ec_key); + if (1 != EC_POINT_is_on_curve(group, eph_pub_key, NULL)) { + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, + "Ephemeral public key is on curve",cleanup); +@@ -861,8 +918,16 @@ iesys_cryptossl_get_ecdh_point(TPM2B_PUBLIC *key, + if (1 != EC_POINT_get_affine_coordinates_tss(group, eph_pub_key, bn_x, + bn_y, NULL)) { + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, +- "Get affine x coordinate", cleanup); ++ "Get affine coordinates", cleanup); ++ } ++#else ++ if (!EVP_PKEY_get_bn_param(eph_pkey, OSSL_PKEY_PARAM_PRIV_KEY, &eph_priv_key) ++ || !EVP_PKEY_get_bn_param(eph_pkey, OSSL_PKEY_PARAM_EC_PUB_X, &bn_x) ++ || !EVP_PKEY_get_bn_param(eph_pkey, OSSL_PKEY_PARAM_EC_PUB_Y, &bn_y)) { ++ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, ++ "Get ephemeral key", cleanup); + } ++#endif + + if (1 != 
iesys_bn2binpad(bn_x, &Q->x.buffer[0], key_size)) { + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, +@@ -881,13 +946,11 @@ iesys_cryptossl_get_ecdh_point(TPM2B_PUBLIC *key, + r = tpm_pub_to_ossl_pub(group, key, &tpm_pub_key); + goto_if_error(r, "Convert TPM pub point to ossl pub point", cleanup); + +- /* Multiply the ephemeral private key with TPM public key */ +- const BIGNUM * eph_priv_key = EC_KEY_get0_private_key(eph_ec_key); +- + if (!(mul_eph_tpm = EC_POINT_new(group))) { + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Create point.", cleanup); + } + ++ /* Multiply the ephemeral private key with TPM public key */ + if (1 != EC_POINT_mul(group, mul_eph_tpm, NULL, + tpm_pub_key, eph_priv_key, NULL)) { + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, +@@ -918,8 +981,13 @@ iesys_cryptossl_get_ecdh_point(TPM2B_PUBLIC *key, + OSSL_FREE(mul_eph_tpm, EC_POINT); + OSSL_FREE(tpm_pub_key, EC_POINT); + OSSL_FREE(group,EC_GROUP); +- OSSL_FREE(eph_ec_key, EC_KEY); ++ OSSL_FREE(ctx, EVP_PKEY_CTX); ++ OSSL_FREE(eph_pkey, EVP_PKEY); ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + /* Note: free of eph_pub_key already done by free of eph_ec_key */ ++#else ++ OSSL_FREE(eph_priv_key, BN); ++#endif + OSSL_FREE(bn_x, BN); + OSSL_FREE(bn_y, BN); + return r; +diff --git a/src/tss2-fapi/fapi_crypto.c b/src/tss2-fapi/fapi_crypto.c +index c97b0a1d..c50b5f0a 100644 +--- a/src/tss2-fapi/fapi_crypto.c ++++ b/src/tss2-fapi/fapi_crypto.c +@@ -11,10 +11,15 @@ + #include + + #include +-#include + #include +-#include + #include ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#include ++#else ++#include ++#include ++#include ++#endif + #include + #include + #include +@@ -380,66 +385,89 @@ cleanup: + * @retval TSS2_FAPI_RC_MEMORY if not enough memory can be allocated. 
+ */ + static TSS2_RC +-ossl_rsa_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey) ++ossl_rsa_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY **evpPublicKey) + { ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++ RSA *rsa = NULL; ++#else ++ OSSL_PARAM_BLD *build = NULL; ++ OSSL_PARAM *params = NULL; ++ EVP_PKEY_CTX *ctx = NULL; ++#endif ++ + /* Check for NULL parameters */ + return_if_null(tpmPublicKey, "tpmPublicKey is NULL", TSS2_FAPI_RC_BAD_REFERENCE); + return_if_null(evpPublicKey, "evpPublicKey is NULL", TSS2_FAPI_RC_BAD_REFERENCE); + ++ TSS2_RC r = TSS2_RC_SUCCESS; + /* Initialize the RSA parameters */ +- TSS2_RC r; +- RSA *rsa = RSA_new(); +- BIGNUM *e = BN_new(); +- BIGNUM *d = BN_new(); +- BIGNUM *p = BN_new(); +- BIGNUM *q = BN_new(); +- BIGNUM *dmp1 = BN_new(); +- BIGNUM *dmq1 = BN_new(); +- BIGNUM *iqmp = BN_new(); ++ BIGNUM *e = NULL; + BIGNUM *n = BN_bin2bn(tpmPublicKey->publicArea.unique.rsa.buffer, + tpmPublicKey->publicArea.unique.rsa.size, NULL); +- +- if (!n || !e || !d || !p || !q || !dmp1 || !dmq1 || !iqmp || !rsa) { ++ if (!n) { + goto_error(r, TSS2_FAPI_RC_MEMORY, "Out of memory", error_cleanup); + } + +- BN_set_word(d, 0); +- BN_set_word(p, 0); +- BN_set_word(q, 0); +- BN_set_word(dmp1, 0); +- BN_set_word(dmq1, 0); +- BN_set_word(iqmp, 0); + uint32_t exp; + if (tpmPublicKey->publicArea.parameters.rsaDetail.exponent == 0) + exp = 65537; + else + exp = tpmPublicKey->publicArea.parameters.rsaDetail.exponent; ++ ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++ if ((rsa = RSA_new()) == NULL) { ++ goto_error(r, TSS2_FAPI_RC_MEMORY, "Out of memory", error_cleanup); ++ } ++ ++ if ((e = BN_new()) == NULL) { ++ goto_error(r, TSS2_FAPI_RC_MEMORY, "Out of memory", error_cleanup); ++ } + if (1 != BN_set_word(e, exp)) { + goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, + "Could not set exponent.", error_cleanup); + } + +- RSA_set0_key(rsa, n, e, d); +- RSA_set0_factors(rsa, p, q); +- RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp); ++ if 
(!RSA_set0_key(rsa, n, e, NULL)) { ++ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, ++ "Could not set public key.", error_cleanup); ++ } ++ n = NULL; /* ownership transferred */ ++ e = NULL; ++ ++ *evpPublicKey = EVP_PKEY_new(); ++ goto_if_null2(*evpPublicKey, "Out of memory.", r, TSS2_FAPI_RC_MEMORY, error_cleanup); + + /* Assign the parameters to the key */ +- if (!EVP_PKEY_assign_RSA(evpPublicKey, rsa)) { ++ if (!EVP_PKEY_assign_RSA(*evpPublicKey, rsa)) { ++ EVP_PKEY_free(*evpPublicKey); + goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Assign rsa key", + error_cleanup); + } +- return TSS2_RC_SUCCESS; +- ++ rsa = NULL; /* ownership transferred */ + error_cleanup: + OSSL_FREE(rsa, RSA); ++#else /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++ if ((build = OSSL_PARAM_BLD_new()) == NULL ++ || !OSSL_PARAM_BLD_push_BN(build, OSSL_PKEY_PARAM_RSA_N, n) ++ || !OSSL_PARAM_BLD_push_uint32(build, OSSL_PKEY_PARAM_RSA_E, exp) ++ || (params = OSSL_PARAM_BLD_to_param(build)) == NULL) { ++ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Create rsa key parameters", ++ error_cleanup); ++ } ++ ++ if ((ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL)) == NULL ++ || EVP_PKEY_fromdata_init(ctx) <= 0 ++ || EVP_PKEY_fromdata(ctx, evpPublicKey, EVP_PKEY_PUBLIC_KEY, params) <= 0) { ++ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Create rsa key", ++ error_cleanup); ++ } ++error_cleanup: ++ OSSL_FREE(ctx, EVP_PKEY_CTX); ++ OSSL_FREE(params, OSSL_PARAM); ++ OSSL_FREE(build, OSSL_PARAM_BLD); ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ + OSSL_FREE(e, BN); + OSSL_FREE(n, BN); +- OSSL_FREE(d, BN); +- OSSL_FREE(p, BN); +- OSSL_FREE(q, BN); +- OSSL_FREE(dmp1, BN); +- OSSL_FREE(dmq1, BN); +- OSSL_FREE(iqmp, BN); + return r; + } + +@@ -459,18 +487,26 @@ error_cleanup: + * the function. 
+ */ + static TSS2_RC +-ossl_ecc_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey) ++ossl_ecc_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY **evpPublicKey) + { + /* Check for NULL parameters */ + return_if_null(tpmPublicKey, "tpmPublicKey is NULL", TSS2_FAPI_RC_BAD_REFERENCE); + return_if_null(evpPublicKey, "evpPublicKey is NULL", TSS2_FAPI_RC_BAD_REFERENCE); + +- TSS2_RC r; ++ TSS2_RC r = TSS2_RC_SUCCESS; + EC_GROUP *ecgroup = NULL; + int curveId; + BIGNUM *x = NULL, *y = NULL; +- EC_KEY *ecKey = EC_KEY_new(); +- return_if_null(ecKey, "Out of memory.", TSS2_FAPI_RC_MEMORY); ++ EC_POINT *ecPoint = NULL; ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++ EC_KEY *ecKey = NULL; ++#else ++ OSSL_PARAM_BLD *build = NULL; ++ OSSL_PARAM *params = NULL; ++ EVP_PKEY_CTX *ctx = NULL; ++ unsigned char *puboct = NULL; ++ size_t bsize; ++#endif + + /* Find the curve of the ECC key */ + switch (tpmPublicKey->publicArea.parameters.eccDetail.curveID) { +@@ -499,12 +535,6 @@ ossl_ecc_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey) + goto_if_null(ecgroup, "new EC group.", TSS2_FAPI_RC_GENERAL_FAILURE, + error_cleanup); + +- if (!EC_KEY_set_group(ecKey, ecgroup)) { +- goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "EC_KEY_set_group", +- error_cleanup); +- } +- EC_GROUP_free(ecgroup); +- + /* Set the ECC parameters in the OpenSSL key */ + x = BN_bin2bn(tpmPublicKey->publicArea.unique.ecc.x.buffer, + tpmPublicKey->publicArea.unique.ecc.x.size, NULL); +@@ -516,23 +546,67 @@ ossl_ecc_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey) + goto_error(r, TSS2_FAPI_RC_MEMORY, "Out of memory", error_cleanup); + } + +- if (!EC_KEY_set_public_key_affine_coordinates(ecKey, x, y)) { ++ if ((ecPoint = EC_POINT_new(ecgroup)) == NULL ++ || !EC_POINT_set_affine_coordinates_tss(ecgroup, ecPoint, x, y, NULL)) { ++ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "EC_POINT_set_affine_coordinates", ++ error_cleanup); ++ } ++ ++#if 
OPENSSL_VERSION_NUMBER < 0x30000000 ++ ecKey = EC_KEY_new(); ++ return_if_null(ecKey, "Out of memory.", TSS2_FAPI_RC_MEMORY); ++ ++ if (!EC_KEY_set_group(ecKey, ecgroup)) { ++ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "EC_KEY_set_group", ++ error_cleanup); ++ } ++ ++ if (!EC_KEY_set_public_key(ecKey, ecPoint)) { + goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, +- "EC_KEY_set_public_key_affine_coordinates", error_cleanup); ++ "EC_KEY_set_public_key", error_cleanup); + } + +- if (!EVP_PKEY_assign_EC_KEY(evpPublicKey, ecKey)) { ++ *evpPublicKey = EVP_PKEY_new(); ++ goto_if_null2(*evpPublicKey, "Out of memory.", r, TSS2_FAPI_RC_MEMORY, error_cleanup); ++ ++ if (!EVP_PKEY_assign_EC_KEY(*evpPublicKey, ecKey)) { ++ EVP_PKEY_free(*evpPublicKey); + goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Assign ecc key", + error_cleanup); + } +- OSSL_FREE(y, BN); +- OSSL_FREE(x, BN); +- return TSS2_RC_SUCCESS; ++ ecKey = NULL; /* ownership transferred */ ++error_cleanup: ++ OSSL_FREE(ecKey, EC_KEY); ++#else ++ if ((build = OSSL_PARAM_BLD_new()) == NULL ++ || !OSSL_PARAM_BLD_push_utf8_string(build, OSSL_PKEY_PARAM_GROUP_NAME, ++ (char *)OBJ_nid2sn(curveId), 0) ++ || (bsize = EC_POINT_point2buf(ecgroup, ecPoint, ++ POINT_CONVERSION_COMPRESSED, ++ &puboct, NULL)) == 0 ++ || !OSSL_PARAM_BLD_push_octet_string(build, OSSL_PKEY_PARAM_PUB_KEY, ++ puboct, bsize) ++ || (params = OSSL_PARAM_BLD_to_param(build)) == NULL) { ++ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Create ecc key parameters", ++ error_cleanup); ++ } + ++ if ((ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)) == NULL ++ || EVP_PKEY_fromdata_init(ctx) <= 0 ++ || EVP_PKEY_fromdata(ctx, evpPublicKey, EVP_PKEY_PUBLIC_KEY, params) <= 0) { ++ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Create ecc key", ++ error_cleanup); ++ } + error_cleanup: ++ EVP_PKEY_CTX_free(ctx); ++ OSSL_PARAM_free(params); ++ OSSL_PARAM_BLD_free(build); ++ OPENSSL_free(puboct); ++#endif ++ OSSL_FREE(ecPoint, EC_POINT); ++ OSSL_FREE(ecgroup, EC_GROUP); + 
OSSL_FREE(y, BN); + OSSL_FREE(x, BN); +- OSSL_FREE(ecKey, EC_KEY); + return r; + } + +@@ -567,18 +641,15 @@ ifapi_pub_pem_key_from_tpm( + BIO *bio = NULL; + TSS2_RC r = TPM2_RC_SUCCESS; + +- evpPublicKey = EVP_PKEY_new(); +- goto_if_null2(evpPublicKey, "Out of memory.", r, TSS2_FAPI_RC_MEMORY, cleanup); +- + /* Memory IO will be used for OSSL key conversion */ + bio = BIO_new(BIO_s_mem()); +- goto_if_null2(evpPublicKey, "Out of memory.", r, TSS2_FAPI_RC_MEMORY, cleanup); ++ goto_if_null2(bio, "Out of memory.", r, TSS2_FAPI_RC_MEMORY, cleanup); + + if (tpmPublicKey->publicArea.type == TPM2_ALG_RSA) { +- r = ossl_rsa_pub_from_tpm(tpmPublicKey, evpPublicKey); +- } else if (tpmPublicKey->publicArea.type == TPM2_ALG_ECC) +- r = ossl_ecc_pub_from_tpm(tpmPublicKey, evpPublicKey); +- else { ++ r = ossl_rsa_pub_from_tpm(tpmPublicKey, &evpPublicKey); ++ } else if (tpmPublicKey->publicArea.type == TPM2_ALG_ECC) { ++ r = ossl_ecc_pub_from_tpm(tpmPublicKey, &evpPublicKey); ++ } else { + goto_error(r, TSS2_FAPI_RC_BAD_VALUE, "Invalid alg id.", cleanup); + } + goto_if_error(r, "Get ossl public key.", cleanup); +@@ -708,7 +779,6 @@ ifapi_der_sig_to_tpm( + signatureSize); + } else { + return_error(TSS2_FAPI_RC_BAD_VALUE, "Invalid RSA scheme."); +- + } + } else if (tpmPublic->type == TPM2_ALG_ECC) { + return ifapi_ecc_der_sig_to_tpm(signature, signatureSize, +@@ -856,12 +926,16 @@ ecdsa_verify_signature( + return_if_null(digest, "digest is NULL", TSS2_FAPI_RC_BAD_REFERENCE); + + TSS2_RC r = TSS2_RC_SUCCESS; +- EC_KEY *eccKey = NULL; ++ EVP_PKEY_CTX *ctx = NULL; + +- eccKey = EVP_PKEY_get1_EC_KEY(publicKey); ++ if ((ctx = EVP_PKEY_CTX_new(publicKey, NULL)) == NULL ++ || !EVP_PKEY_verify_init(ctx)) { ++ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, ++ "Cannot initialize signature verification.", error_cleanup); ++ } + + /* Try to verify the signature using ECDSA, note that param 0 is unused */ +- int rc = ECDSA_verify(0, digest, digestSize, signature, signatureSize, eccKey); ++ int rc = 
EVP_PKEY_verify(ctx, signature, signatureSize, digest, digestSize); + if (rc == 0) { + goto_error(r, TSS2_FAPI_RC_SIGNATURE_VERIFICATION_FAILED, + "ECDSA signature verification failed.", error_cleanup); +@@ -871,7 +945,7 @@ ecdsa_verify_signature( + } + + error_cleanup: +- OSSL_FREE(eccKey, EC_KEY); ++ OSSL_FREE(ctx, EVP_PKEY_CTX); + return r; + } + +@@ -900,23 +974,43 @@ get_rsa_tpm2b_public_from_evp( + + /* Extract the public information */ + TSS2_RC r = TSS2_RC_SUCCESS; ++ int keyBits, keySize; ++ ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++ const BIGNUM *e = NULL, *n = NULL; + RSA *rsaKey = EVP_PKEY_get1_RSA(publicKey); + return_if_null(rsaKey, "Out of memory.", TSS2_FAPI_RC_MEMORY); +- const BIGNUM *e = NULL, *n = NULL; +- int rsaKeySize = RSA_size(rsaKey); + ++ keySize = RSA_size(rsaKey); ++ keyBits = keySize * 8; + RSA_get0_key(rsaKey, &n, &e, NULL); +- tpmPublic->publicArea.unique.rsa.size = rsaKeySize; ++#else ++ BIGNUM *e = NULL, *n = NULL; ++ ++ keyBits = EVP_PKEY_get_bits(publicKey); ++ keySize = (keyBits + 7) / 8; ++ if (!EVP_PKEY_get_bn_param(publicKey, OSSL_PKEY_PARAM_RSA_N, &n) ++ || !EVP_PKEY_get_bn_param(publicKey, OSSL_PKEY_PARAM_RSA_E, &e)) { ++ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, ++ "Retrieve pubkey", cleanup); ++ } ++#endif ++ tpmPublic->publicArea.unique.rsa.size = keySize; + if (1 != ifapi_bn2binpad(n, &tpmPublic->publicArea.unique.rsa.buffer[0], +- rsaKeySize)) { ++ keySize)) { + goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, + "Write big num byte buffer", cleanup); + } +- tpmPublic->publicArea.parameters.rsaDetail.keyBits = rsaKeySize * 8; ++ tpmPublic->publicArea.parameters.rsaDetail.keyBits = keyBits; + tpmPublic->publicArea.parameters.rsaDetail.exponent = BN_get_word(e); + + cleanup: ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + OSSL_FREE(rsaKey, RSA); ++#else ++ BN_free(e); ++ BN_free(n); ++#endif + return r; + } + +@@ -947,27 +1041,22 @@ get_ecc_tpm2b_public_from_evp( + + /* Initialize variables that will contain the relevant 
information */ + TSS2_RC r = TSS2_RC_SUCCESS; +- EC_KEY *ecKey = EVP_PKEY_get1_EC_KEY(publicKey); +- return_if_null(ecKey, "Out of memory.", TSS2_FAPI_RC_MEMORY); +- const EC_GROUP *ecGroup; +- const EC_POINT *publicPoint; + int curveId; + size_t ecKeySize; + BIGNUM *bnX = NULL; + BIGNUM *bnY = NULL; + TPMI_ECC_CURVE tpmCurveId; +- +- if (!ecKey) { +- return_error(TSS2_FAPI_RC_GENERAL_FAILURE, "No ECC key!"); +- } ++#if OPENSSL_VERSION_NUMBER < 0x30000000 ++ const EC_GROUP *ecGroup; ++ const EC_POINT *publicPoint; ++ EC_KEY *ecKey = EVP_PKEY_get1_EC_KEY(publicKey); ++ return_if_null(ecKey, "Out of memory.", TSS2_FAPI_RC_MEMORY); + + /* Retrieve the relevant information and write it to tpmPublic */ + ecGroup = EC_KEY_get0_group(ecKey); + publicPoint = EC_KEY_get0_public_key(ecKey); + curveId = EC_GROUP_get_curve_name(ecGroup); +- ecKeySize = EC_GROUP_get_degree(ecGroup) / 8; +- tpmPublic->publicArea.unique.ecc.x.size = ecKeySize; +- tpmPublic->publicArea.unique.ecc.y.size = ecKeySize; ++ ecKeySize = (EC_GROUP_get_degree(ecGroup) + 7) / 8; + + if (!(bnX = BN_new())) { + goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Create bignum", cleanup); +@@ -982,6 +1071,23 @@ get_ecc_tpm2b_public_from_evp( + goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, + "Get affine coordinates", cleanup); + } ++#else ++ char curveName[80]; ++ ++ if (!EVP_PKEY_get_utf8_string_param(publicKey, OSSL_PKEY_PARAM_GROUP_NAME, ++ curveName, sizeof(curveName), NULL) ++ || !EVP_PKEY_get_bn_param(publicKey, OSSL_PKEY_PARAM_EC_PUB_X, &bnX) ++ || !EVP_PKEY_get_bn_param(publicKey, OSSL_PKEY_PARAM_EC_PUB_Y, &bnY)) { ++ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, ++ "Get public key", cleanup); ++ } ++ curveId = OBJ_txt2nid(curveName); ++ EC_GROUP *ecGroup = EC_GROUP_new_by_curve_name(curveId); ++ ecKeySize = (EC_GROUP_get_degree(ecGroup) + 7) / 8; ++ EC_GROUP_free(ecGroup); ++#endif ++ tpmPublic->publicArea.unique.ecc.x.size = ecKeySize; ++ tpmPublic->publicArea.unique.ecc.y.size = ecKeySize; + if (1 != 
ifapi_bn2binpad(bnX, &tpmPublic->publicArea.unique.ecc.x.buffer[0], + ecKeySize)) { + goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, +@@ -1015,7 +1121,9 @@ get_ecc_tpm2b_public_from_evp( + tpmPublic->publicArea.parameters.eccDetail.curveID = tpmCurveId; + + cleanup: ++#if OPENSSL_VERSION_NUMBER < 0x30000000 + OSSL_FREE(ecKey, EC_KEY); ++#endif + OSSL_FREE(bnX, BN); + OSSL_FREE(bnY, BN); + return r; +@@ -2077,14 +2185,11 @@ ifapi_get_tpm_key_fingerprint( + "Unsupported hash algorithm (%" PRIu16 ")", cleanup, + hashAlg); + +- evpPublicKey = EVP_PKEY_new(); +- goto_if_null2(evpPublicKey, "Out of memory.", r, TSS2_FAPI_RC_MEMORY, cleanup); +- + if (tpmPublicKey->publicArea.type == TPM2_ALG_RSA) { +- r = ossl_rsa_pub_from_tpm(tpmPublicKey, evpPublicKey); +- } else if (tpmPublicKey->publicArea.type == TPM2_ALG_ECC) +- r = ossl_ecc_pub_from_tpm(tpmPublicKey, evpPublicKey); +- else { ++ r = ossl_rsa_pub_from_tpm(tpmPublicKey, &evpPublicKey); ++ } else if (tpmPublicKey->publicArea.type == TPM2_ALG_ECC) { ++ r = ossl_ecc_pub_from_tpm(tpmPublicKey, &evpPublicKey); ++ } else { + goto_error(r,TSS2_FAPI_RC_BAD_VALUE, "Invalid alg id.", cleanup); + } + goto_if_error(r, "Get ossl public key.", cleanup); +diff --git a/test/helper/tpm_getek.c b/test/helper/tpm_getek.c +index c6a8e906..67f76b6a 100644 +--- a/test/helper/tpm_getek.c ++++ b/test/helper/tpm_getek.c +@@ -7,8 +7,14 @@ + #include + #include + #include +-#include + #include ++#if OPENSSL_VERSION_NUMBER < 0x30000000 ++#include ++#else ++#include ++#include ++#include ++#endif + + #include "tss2_sys.h" + #include "tss2_mu.h" +@@ -109,7 +115,7 @@ main (int argc, char *argv[]) + + /* Convert the key from out_public to PEM */ + +- EVP_PKEY *evp = EVP_PKEY_new(); ++ EVP_PKEY *evp = NULL; + BIO *bio; + FILE *out = NULL; + +@@ -124,34 +130,35 @@ main (int argc, char *argv[]) + else + bio = BIO_new_fp(stdout, BIO_NOCLOSE); + +- RSA *rsa = RSA_new(); +- BIGNUM *e = BN_new(); +- BIGNUM *d = BN_new(); +- BIGNUM *p = BN_new(); +- BIGNUM *q 
= BN_new(); +- BIGNUM *dmp1 = BN_new(); +- BIGNUM *dmq1 = BN_new(); +- BIGNUM *iqmp = BN_new(); + BIGNUM *n = BN_bin2bn(out_public.publicArea.unique.rsa.buffer, + out_public.publicArea.unique.rsa.size, NULL); +- BN_set_word(d, 0); +- BN_set_word(p, 0); +- BN_set_word(q, 0); +- BN_set_word(dmp1, 0); +- BN_set_word(dmq1, 0); +- BN_set_word(iqmp, 0); + uint32_t exp; + if (out_public.publicArea.parameters.rsaDetail.exponent == 0) + exp = 65537; + else + exp = out_public.publicArea.parameters.rsaDetail.exponent; ++ ++#if OPENSSL_VERSION_NUMBER < 0x30000000 ++ BIGNUM *e = BN_new(); + BN_set_word(e, exp); + +- RSA_set0_key(rsa, n, e, d); +- RSA_set0_factors(rsa, p, q); +- RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp); ++ RSA *rsa = RSA_new(); ++ RSA_set0_key(rsa, n, e, NULL); ++ n = NULL; ++ e = NULL; + ++ evp = EVP_PKEY_new(); + EVP_PKEY_assign_RSA(evp, rsa); ++#else /* OPENSSL_VERSION_NUMBER < 0x30000000 */ ++ OSSL_PARAM_BLD *build = OSSL_PARAM_BLD_new(); ++ OSSL_PARAM_BLD_push_BN(build, OSSL_PKEY_PARAM_RSA_N, n); ++ OSSL_PARAM_BLD_push_uint32(build, OSSL_PKEY_PARAM_RSA_E, exp); ++ OSSL_PARAM *params = OSSL_PARAM_BLD_to_param(build); ++ ++ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL); ++ EVP_PKEY_fromdata_init(ctx); ++ EVP_PKEY_fromdata(ctx, &evp, EVP_PKEY_PUBLIC_KEY, params); ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000 */ + + if (!PEM_write_bio_PUBKEY(bio, evp)) { + LOG_ERROR("PEM_write failed"); +@@ -159,6 +166,14 @@ main (int argc, char *argv[]) + } + + EVP_PKEY_free(evp); ++#if OPENSSL_VERSION_NUMBER < 0x30000000 ++ /* ownership was taken by the EVP_PKEY */ ++#else ++ EVP_PKEY_CTX_free(ctx); ++ OSSL_PARAM_free(params); ++ OSSL_PARAM_BLD_free(build); ++#endif ++ BN_free(n); + BIO_free(bio); + fclose(out); + +diff --git a/test/helper/tpm_getek_ecc.c b/test/helper/tpm_getek_ecc.c +index 75165fdd..d4602925 100644 +--- a/test/helper/tpm_getek_ecc.c ++++ b/test/helper/tpm_getek_ecc.c +@@ -7,9 +7,15 @@ + #include + #include + #include +-#include + 
#include + #include ++#if OPENSSL_VERSION_NUMBER < 0x30000000 ++#include ++#else ++#include ++#include ++#include ++#endif + #include + + #include "tss2_sys.h" +@@ -127,8 +133,7 @@ main (int argc, char *argv[]) + + /* Convert the key from out_public to PEM */ + +- EVP_PKEY *evp = EVP_PKEY_new(); +- EC_KEY *ecc_key = EC_KEY_new(); ++ EVP_PKEY *evp = NULL; + BIGNUM *x = NULL, *y = NULL; + BIO *bio; + FILE *out = NULL; +@@ -148,11 +153,6 @@ main (int argc, char *argv[]) + nid = EC_curve_nist2nid("P-256"); + EC_GROUP *ecgroup = EC_GROUP_new_by_curve_name(nid); + +- if (!EC_KEY_set_group(ecc_key, ecgroup)) +- exit(1); +- +- EC_GROUP_free(ecgroup); +- + /* Set the ECC parameters in the OpenSSL key */ + x = BN_bin2bn(out_public.publicArea.unique.ecc.x.buffer, + out_public.publicArea.unique.ecc.x.size, NULL); +@@ -164,15 +164,46 @@ main (int argc, char *argv[]) + exit(1); + } + +- if (!EC_KEY_set_public_key_affine_coordinates(ecc_key, x, y)) { ++ EC_POINT *point = EC_POINT_new(ecgroup); ++#if OPENSSL_VERSION_NUMBER < 0x10101000L ++ EC_POINT_set_affine_coordinates_GFp(ecgroup, point, x, y, NULL); ++#else ++ EC_POINT_set_affine_coordinates(ecgroup, point, x, y, NULL); ++#endif ++ ++#if OPENSSL_VERSION_NUMBER < 0x30000000 ++ EC_KEY *ecc_key = EC_KEY_new(); ++ if (!EC_KEY_set_group(ecc_key, ecgroup)) ++ exit(1); ++ ++ if (!EC_KEY_set_public_key(ecc_key, point)) { + exit(1); + } + ++ evp = EVP_PKEY_new(); + if (!EVP_PKEY_assign_EC_KEY(evp, ecc_key)) { + handleErrors(); + LOG_ERROR("PEM_write failed"); + exit(1); + } ++#else /* OPENSSL_VERSION_NUMBER < 0x30000000 */ ++ unsigned char *puboct = NULL; ++ size_t bsize; ++ ++ bsize = EC_POINT_point2buf(ecgroup, point, POINT_CONVERSION_UNCOMPRESSED, ++ &puboct, NULL); ++ ++ OSSL_PARAM_BLD *build = OSSL_PARAM_BLD_new(); ++ OSSL_PARAM_BLD_push_utf8_string(build, OSSL_PKEY_PARAM_GROUP_NAME, ++ (char *)OBJ_nid2sn(nid), 0); ++ OSSL_PARAM_BLD_push_octet_string(build, OSSL_PKEY_PARAM_PUB_KEY, ++ puboct, bsize); ++ OSSL_PARAM *params = 
OSSL_PARAM_BLD_to_param(build); ++ ++ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL); ++ EVP_PKEY_fromdata_init(ctx); ++ EVP_PKEY_fromdata(ctx, &evp, EVP_PKEY_PUBLIC_KEY, params); ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000 */ + + if (!PEM_write_bio_PUBKEY(bio, evp)) { + handleErrors(); +@@ -180,9 +211,19 @@ main (int argc, char *argv[]) + exit(1); + } + ++ EVP_PKEY_free(evp); ++#if OPENSSL_VERSION_NUMBER < 0x30000000 ++ /* ownership was taken by the EVP_PKEY */ ++#else ++ EVP_PKEY_CTX_free(ctx); ++ OSSL_PARAM_free(params); ++ OSSL_PARAM_BLD_free(build); ++ OPENSSL_free(puboct); ++#endif ++ EC_POINT_free(point); ++ EC_GROUP_free(ecgroup); + BN_free(y); + BN_free(x); +- EVP_PKEY_free(evp); + BIO_free(bio); + fclose(out); + +-- +2.26.3 + diff --git a/SOURCES/0013-FAPI-Free-object-when-keystore_search_obj-failed.patch b/SOURCES/0013-FAPI-Free-object-when-keystore_search_obj-failed.patch new file mode 100644 index 0000000..23a5c04 --- /dev/null +++ b/SOURCES/0013-FAPI-Free-object-when-keystore_search_obj-failed.patch @@ -0,0 +1,25 @@ +From 53f235e27ee657266725137a551858b81c24c57b Mon Sep 17 00:00:00 2001 +From: JerryDevis +Date: Wed, 5 Jan 2022 21:58:00 +0800 +Subject: [PATCH 13/23] FAPI: Free object when keystore_search_obj failed + +Signed-off-by: JerryDevis +--- + src/tss2-fapi/ifapi_keystore.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/tss2-fapi/ifapi_keystore.c b/src/tss2-fapi/ifapi_keystore.c +index 743de133..e805029f 100644 +--- a/src/tss2-fapi/ifapi_keystore.c ++++ b/src/tss2-fapi/ifapi_keystore.c +@@ -1239,6 +1239,7 @@ cleanup: + r = TSS2_FAPI_RC_KEY_NOT_FOUND; + } + keystore->key_search.state = KSEARCH_INIT; ++ ifapi_cleanup_ifapi_object(&object); + return r; + } + +-- +2.34.3 + diff --git a/SOURCES/0014-FAPI-Fixed-the-memory-leak-of-command-data-when-Fapi.patch b/SOURCES/0014-FAPI-Fixed-the-memory-leak-of-command-data-when-Fapi.patch new file mode 100644 index 0000000..f3b8282 --- /dev/null 
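Review bot: In `ecdsa_verify_signature` the new setup check `|| !EVP_PKEY_verify_init(ctx)` only catches a return of 0, while `EVP_PKEY_verify_init` reports failure with 0 or a negative value (-2 for an unsupported operation), so a negative result falls through to `EVP_PKEY_verify`. The rest of this patch already tests the EVP calls with `<= 0`; the same form belongs here, `|| EVP_PKEY_verify_init(ctx) <= 0) {`. Two smaller error-path issues in the pre-3.0 branches of `fapi_crypto.c`: `return_if_null(ecKey, ...)` in `ossl_ecc_pub_from_tpm` returns past `error_cleanup` and leaks `ecgroup`, `x`, `y` and `ecPoint`, and after `EVP_PKEY_free(*evpPublicKey);` the out-pointer is left dangling for the caller's own cleanup, so `*evpPublicKey = NULL;` should follow it in both the RSA and the ECC helper. In the 3.0 branch of `get_ecc_tpm2b_public_from_evp`, `EC_GROUP_new_by_curve_name(curveId)` is dereferenced by `EC_GROUP_get_degree` without a NULL check, although `OBJ_txt2nid` can fail to resolve the curve name.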
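Review bot: The added `ifapi_cleanup_ifapi_object(&object);` sits on the shared `cleanup:` label, so it runs on every exit that reaches the label, including any taken before `object` has been filled in. `object` is passed by address and looks like a local; if it is not zero-initialized, the cleanup call would free indeterminate pointers on those early exits. Confirm that it is cleared before the first jump to `cleanup`, for example with `memset(&object, 0, sizeof(object));` at the top of the function. The declaration and the jumps to `cleanup` are outside the hunk.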
+++ b/SOURCES/0014-FAPI-Fixed-the-memory-leak-of-command-data-when-Fapi.patch
@@ -0,0 +1,27 @@
+From ba3ba5c4ec4f0362a0915c5ae5e002c9cbdc9f1e Mon Sep 17 00:00:00 2001
+From: JerryDevis
+Date: Wed, 5 Jan 2022 22:09:26 +0800
+Subject: [PATCH 14/23] FAPI:Fixed the memory leak of command->data when
+ Fapi_GetEsysBlob_Finish failed
+
+Signed-off-by: JerryDevis
+---
+ src/tss2-fapi/api/Fapi_GetEsysBlob.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tss2-fapi/api/Fapi_GetEsysBlob.c b/src/tss2-fapi/api/Fapi_GetEsysBlob.c
+index a54bece8..b152ae3a 100644
+--- a/src/tss2-fapi/api/Fapi_GetEsysBlob.c
++++ b/src/tss2-fapi/api/Fapi_GetEsysBlob.c
+@@ -395,7 +395,7 @@ error_cleanup:
+ ifapi_cleanup_ifapi_object(object);
+ ifapi_cleanup_ifapi_object(key_object);
+ SAFE_FREE(command->path);
+- SAFE_FREE(*data);
++ SAFE_FREE(command->data);
+ SAFE_FREE(key_context);
+ ifapi_session_clean(context);
+ ifapi_cleanup_ifapi_object(&context->loadKey.auth_object);
+--
+2.34.3
+
diff --git a/SOURCES/0015-ESYS-Fixed-annotation-error-of-Esys_TR_Deserialize.patch b/SOURCES/0015-ESYS-Fixed-annotation-error-of-Esys_TR_Deserialize.patch
new file mode 100644
index 0000000..6ce1c21
--- /dev/null
+++ b/SOURCES/0015-ESYS-Fixed-annotation-error-of-Esys_TR_Deserialize.patch
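Review bot: With `SAFE_FREE(*data)` replaced by `SAFE_FREE(command->data)`, `error_cleanup` no longer touches the caller's out-parameter `*data`. If an earlier state has already stored the buffer in `*data` before the failing step, the caller is left holding a pointer to freed memory once this label runs. Confirm that `*data` is only assigned on the success path, or reset it here as well, for example `if (data) *data = NULL;` next to the new free. The assignments to `*data` and `command->data` are outside the hunk, so this cannot be settled from the visible lines.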
@@ -0,0 +1,38 @@
+From 5e2f86cbd55b7c82ebf4cef0a0abed6c04598bd9 Mon Sep 17 00:00:00 2001
+From: JerryDevis
+Date: Fri, 7 Jan 2022 11:56:14 +0800
+Subject: [PATCH 15/23] ESYS: Fixed annotation error of Esys_TR_Deserialize
+
+Signed-off-by: JerryDevis
+---
+ src/tss2-esys/esys_tr.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/src/tss2-esys/esys_tr.c b/src/tss2-esys/esys_tr.c
+index cf4caa09..784f711a 100644
+--- a/src/tss2-esys/esys_tr.c
++++ b/src/tss2-esys/esys_tr.c
+@@ -65,15 +65,14 @@ Esys_TR_Serialize(ESYS_CONTEXT * esys_context,
+ *
+ * Deserialize the metadata of an ESYS_TR object from a byte buffer that was
+ * stored on disk for later use by a different program or context.
+- * An object can be serialized suing Esys_TR_Serialize.
++ * An object can be deserialized using Esys_TR_Deserialize.
+ * @param esys_context [in,out] The ESYS_CONTEXT.
+- * @param esys_handle [in] The ESYS_TR object to serialize.
+- * @param buffer [out] The buffer containing the serialized metadata.
+- * (caller-callocated) Shall be freed using free().
+- * @param buffer_size [out] The size of the buffer parameter.
++ * @param esys_handle [out] The ESYS_TR object to deserialize.
++ * @param buffer [in] The buffer containing the metadata of the ESYS_TR object.
++ * @param buffer_size [in] The size of the buffer parameter.
+ * @retval TSS2_RC_SUCCESS on Success.
+ * @retval TSS2_ESYS_RC_MEMORY if the object can not be allocated.
+- * @retval TSS2_ESYS_RC_INSUFFICIENT_BUFFER if the buffer for unmarshaling.
++ * @retval TSS2_ESYS_RC_INSUFFICIENT_BUFFER if the buffer for unmarshalling.
+ * @retval TSS2_ESYS_RC_BAD_REFERENCE if the esysContext is NULL.
+ * @retval TSS2_RCs produced by lower layers of the software stack.
+ */
+--
+2.34.3
+
diff --git a/SOURCES/0016-FAPI-Clean-up-memory-when-Fapi_Delete_Async-failed.patch b/SOURCES/0016-FAPI-Clean-up-memory-when-Fapi_Delete_Async-failed.patch
new file mode 100644
index 0000000..d1200ea
--- /dev/null
+++ b/SOURCES/0016-FAPI-Clean-up-memory-when-Fapi_Delete_Async-failed.patch 
@@ -0,0 +1,50 @@ +From 80d8aa8e3d15fd01eacb40200b80a83ed940c207 Mon Sep 17 00:00:00 2001 +From: JerryDevis <857869045@qq.com> +Date: Sun, 9 Jan 2022 16:31:09 +0800 +Subject: [PATCH 16/23] FAPI: Clean up memory when Fapi_Delete_Async failed + +Signed-off-by: JerryDevis <857869045@qq.com> +--- + src/tss2-fapi/api/Fapi_Delete.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/tss2-fapi/api/Fapi_Delete.c b/src/tss2-fapi/api/Fapi_Delete.c +index 43ea0332..2b5826ab 100644 +--- a/src/tss2-fapi/api/Fapi_Delete.c ++++ b/src/tss2-fapi/api/Fapi_Delete.c +@@ -419,14 +419,14 @@ Fapi_Delete_Async( + /* No session will be needed these files can be deleted without + interaction with the TPM */ + r = ifapi_non_tpm_mode_init(context); +- return_if_error(r, "Initialize Entity_Delete"); ++ goto_if_error(r, "Initialize Entity_Delete", error_cleanup); + context->session1 = ESYS_TR_NONE; + + context->state = ENTITY_DELETE_GET_FILE; + } else { + /* Check whether TCTI and ESYS are initialized */ +- return_if_null(context->esys, "Command can't be executed in none TPM mode.", +- TSS2_FAPI_RC_NO_TPM); ++ goto_if_null(context->esys, "Command can't be executed in none TPM mode.", ++ TSS2_FAPI_RC_NO_TPM, error_cleanup); + + /* If the async state automata of FAPI shall be tested, then we must not set + the timeouts of ESYS to blocking mode. +@@ -435,12 +435,12 @@ Fapi_Delete_Async( + to block until a result is available. 
*/ + #ifndef TEST_FAPI_ASYNC + r = Esys_SetTimeout(context->esys, TSS2_TCTI_TIMEOUT_BLOCK); +- return_if_error_reset_state(r, "Set Timeout to blocking"); ++ goto_if_error_reset_state(r, "Set Timeout to blocking", error_cleanup); + #endif /* TEST_FAPI_ASYNC */ + + /* A TPM session will be created to enable object authorization */ + r = ifapi_session_init(context); +- return_if_error(r, "Initialize Entity_Delete"); ++ goto_if_error(r, "Initialize Entity_Delete", error_cleanup); + + r = ifapi_get_sessions_async(context, + IFAPI_SESSION_GENEK | IFAPI_SESSION1, +-- +2.34.3 + diff --git a/SOURCES/0017-FAPI-Clean-up-memory-when-Fapi_GetEsysBlob_Async-fai.patch b/SOURCES/0017-FAPI-Clean-up-memory-when-Fapi_GetEsysBlob_Async-fai.patch new file mode 100644 index 0000000..1c6d160 --- /dev/null +++ b/SOURCES/0017-FAPI-Clean-up-memory-when-Fapi_GetEsysBlob_Async-fai.patch 
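Review bot: The four early exits in Fapi_Delete_Async now jump to `error_cleanup`, which is outside the hunk, from points where `ifapi_session_init` has not run yet. The cleanup code therefore has to be safe on a context whose session and command fields are still in their pre-call state, which should be checked against the label's body. A short comment at the label, such as `/* reachable before ifapi_session_init(); every free below must tolerate NULL */`, would record the requirement. Patch 0017 makes the same conversion in Fapi_GetEsysBlob_Async and needs the same check.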
@@ -0,0 +1,44 @@
+From f03a243f4f1e249a0f4d96bc5722a44953cad72e Mon Sep 17 00:00:00 2001
+From: JerryDevis <857869045@qq.com>
+Date: Sun, 9 Jan 2022 18:44:49 +0800
+Subject: [PATCH 17/23] FAPI: Clean up memory when Fapi_GetEsysBlob_Async
+ failed
+
+Signed-off-by: JerryDevis <857869045@qq.com>
+---
+ src/tss2-fapi/api/Fapi_GetEsysBlob.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/tss2-fapi/api/Fapi_GetEsysBlob.c b/src/tss2-fapi/api/Fapi_GetEsysBlob.c
+index b152ae3a..db67e2e4 100644
+--- a/src/tss2-fapi/api/Fapi_GetEsysBlob.c
++++ b/src/tss2-fapi/api/Fapi_GetEsysBlob.c
+@@ -157,8 +157,8 @@ Fapi_GetEsysBlob_Async(
+ authObject->objectType = IFAPI_OBJ_NONE;
+
+ /* Check whether TCTI and ESYS are initialized */
+- return_if_null(context->esys, "Command can't be executed in none TPM mode.",
+- TSS2_FAPI_RC_NO_TPM);
++ goto_if_null(context->esys, "Command can't be executed in none TPM mode.",
++ TSS2_FAPI_RC_NO_TPM, error_cleanup);
+
+ /* If the async state automata of FAPI shall be tested, then we must not set
+ the timeouts of ESYS to blocking mode.
+@@ -167,12 +167,12 @@ Fapi_GetEsysBlob_Async(
+ to block until a result is available. */
+ #ifndef TEST_FAPI_ASYNC
+ r = Esys_SetTimeout(context->esys, TSS2_TCTI_TIMEOUT_BLOCK);
+- return_if_error_reset_state(r, "Set Timeout to blocking");
++ goto_if_error_reset_state(r, "Set Timeout to blocking", error_cleanup);
+ #endif /* TEST_FAPI_ASYNC */
+
+ /* A TPM session will be created to enable object authorization */
+ r = ifapi_session_init(context);
+- return_if_error(r, "Initialize GetEsysBlob");
++ goto_if_error(r, "Initialize GetEsysBlob", error_cleanup);
+
+ context->state = GET_ESYS_BLOB_GET_FILE;
+
+--
+2.34.3
+
diff --git a/SOURCES/0018-FAPI-Initialize-object-used-for-keystore-search.patch b/SOURCES/0018-FAPI-Initialize-object-used-for-keystore-search.patch
new file mode 100644
index 0000000..2764d0d
--- /dev/null
+++ b/SOURCES/0018-FAPI-Initialize-object-used-for-keystore-search.patch
@@ -0,0 +1,30 @@
+From cd9987b0e400f8a77a19c3b8279eb931554cce7c Mon Sep 17 00:00:00 2001
+From: Juergen Repp
+Date: Thu, 13 Jan 2022 11:46:22 +0100
+Subject: [PATCH 18/23] FAPI: Initialize object used for keystore search.
+
+For an empty keystore a cleanup of an uninitialized object was executed. No the object
+type now is initialized with IFAPI_OBJ_NONE to prevent the cleanup.
+
+Signed-off-by: Juergen Repp
+---
+ src/tss2-fapi/ifapi_keystore.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/tss2-fapi/ifapi_keystore.c b/src/tss2-fapi/ifapi_keystore.c
+index e805029f..c5486690 100644
+--- a/src/tss2-fapi/ifapi_keystore.c
++++ b/src/tss2-fapi/ifapi_keystore.c
+@@ -1173,6 +1173,9 @@ keystore_search_obj(
+ IFAPI_OBJECT object;
+ size_t i;
+
++ /* Mark object "unread" */
++ object.objectType = IFAPI_OBJ_NONE;
++
+ switch (keystore->key_search.state) {
+ statecase(keystore->key_search.state, KSEARCH_INIT)
+ r = ifapi_keystore_list_all(keystore,
+--
+2.34.3
+
diff --git a/SOURCES/0019-MU-Fix-buffer-upcast-leading-to-misalignment.patch b/SOURCES/0019-MU-Fix-buffer-upcast-leading-to-misalignment.patch
new file mode 100644
index 0000000..e15286c
--- /dev/null
+++ b/SOURCES/0019-MU-Fix-buffer-upcast-leading-to-misalignment.patch
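Review bot: Only `objectType` is set on the stack-local `IFAPI_OBJECT object`; every other member stays indeterminate. The fix therefore holds only as long as `ifapi_cleanup_ifapi_object` looks at nothing but `objectType` for an unread object, and its body is not in the hunk. Clearing the whole structure first, `memset(&object, 0, sizeof(object));` before the `objectType` assignment, would not depend on that. The comment could also say why the marker is needed, e.g. `/* Mark object "unread" so the cleanup path skips it when the keystore is empty */`.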
@@ -0,0 +1,30 @@ +From 7514e0f35f08666aa0cd5edc2859104c19b7b2a1 Mon Sep 17 00:00:00 2001 +From: Andreas Fuchs +Date: Thu, 13 Jan 2022 16:48:30 +0100 +Subject: [PATCH 19/23] MU: Fix buffer upcast leading to misalignment + +Signed-off-by: Andreas Fuchs +--- + src/tss2-mu/tpm2b-types.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/tss2-mu/tpm2b-types.c b/src/tss2-mu/tpm2b-types.c +index 6aa2feb3..2e10f487 100644 +--- a/src/tss2-mu/tpm2b-types.c ++++ b/src/tss2-mu/tpm2b-types.c +@@ -208,8 +208,10 @@ TSS2_RC Tss2_MU_##type##_Marshal(type const *src, uint8_t buffer[], \ + return rc; \ + \ + /* Update the size to the real value */ \ +- if (buffer) \ +- *(UINT16 *)ptr = HOST_TO_BE_16(buffer + local_offset - ptr - 2); \ ++ if (buffer) { \ ++ UINT16 t = HOST_TO_BE_16(buffer + local_offset - ptr - 2); \ ++ memcpy(ptr, &t, sizeof(t)); \ ++ } \ + \ + if (offset != NULL) { \ + *offset = local_offset; \ +-- +2.34.3 + diff --git a/SOURCES/0020-esys_iutil-fix-possible-NPD.patch b/SOURCES/0020-esys_iutil-fix-possible-NPD.patch new file mode 100644 index 0000000..5c940e3 --- /dev/null +++ b/SOURCES/0020-esys_iutil-fix-possible-NPD.patch 
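Review bot: The reason for `memcpy(ptr, &t, sizeof(t))` is not stated in the macro, so the store is easy to simplify back into the `*(UINT16 *)ptr` cast that this patch removes. A one-line comment inside the new block, `/* ptr may be unaligned: store the size bytewise, not through a UINT16 cast */ \`, would keep the intent visible. The value assigned to `t` is a pointer difference narrowed to 16 bits. Whether the marshalled length is bounded below 65536 before this point is not visible in the hunk and is worth confirming.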
@@ -0,0 +1,41 @@
+From f140a8e5fdb2f3b9fbc3b32d1a844554008c2298 Mon Sep 17 00:00:00 2001
+From: William Roberts
+Date: Fri, 3 Jun 2022 11:51:02 -0500
+Subject: [PATCH 20/23] esys_iutil: fix possible NPD
+
+Clang-10 scan-build reports:
+src/tss2-esys/esys_iutil.c:1366:56: warning: Dereference of null pointer
+ auths->auths[auths->count].sessionHandle = session->rsrc.handle;
+ ^~~~~~~~~~~~~~~~~~~~
+1 warning generated.
+
+The code above the report checks that session might be NULL:
+RSRC_NODE_T *session = esys_context->session_tab[session_idx];
+ if (session != NULL) {
+ IESYS_SESSION *rsrc_session = &session->rsrc.misc.rsrc_session;
+ if (rsrc_session->type_policy_session == POLICY_PASSWORD) {
+
+Thus suggesting/indicating session may be NULL in subsequent code where
+session is dereferenced.
+
+Signed-off-by: William Roberts
+---
+ src/tss2-esys/esys_iutil.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tss2-esys/esys_iutil.c b/src/tss2-esys/esys_iutil.c
+index 0cc92ca5..493f9b28 100644
+--- a/src/tss2-esys/esys_iutil.c
++++ b/src/tss2-esys/esys_iutil.c
+@@ -1339,7 +1339,7 @@ iesys_gen_auths(ESYS_CONTEXT * esys_context,
+ && encryptNonceIdx > 0) ? encryptNonce : NULL,
+ &auths->auths[session_idx]);
+ return_if_error(r, "Error while computing hmacs");
+- if (esys_context->session_tab[session_idx] != NULL) {
++ if (esys_context->session_tab[session_idx] != NULL && session != NULL) {
+ auths->auths[auths->count].sessionHandle = session->rsrc.handle;
+ auths->count++;
+ }
+--
+2.34.3
+
diff --git a/SOURCES/0021-sapi-scope-command-handles.patch b/SOURCES/0021-sapi-scope-command-handles.patch
new file mode 100644
index 0000000..c5032b4
--- /dev/null
+++ b/SOURCES/0021-sapi-scope-command-handles.patch
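Review bot: The added `&& session != NULL` tests a second name for what looks like the same pointer, since the excerpt in the commit message shows `session` being read from `esys_context->session_tab[session_idx]`. If `session` is not reassigned between that read and this line, `if (session != NULL) {` alone expresses the guard and is what the analyzer needs. If the two can differ, the reason deserves a comment on the condition. The body of iesys_gen_auths between the two points is outside the hunk.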
@@ -0,0 +1,269 @@ +From 495309fd8c6ef3c705c46cc28f9df52f5d59cba8 Mon Sep 17 00:00:00 2001 +From: William Roberts +Date: Wed, 8 Jun 2022 11:09:53 -0500 +Subject: [PATCH 21/23] sapi: scope command handles + +Scope command handles to where they are used. + + - Compared to the upstream commit d4dee42e already missing commands were + left out. + +Signed-off-by: William Roberts +--- + src/tss2-sys/sysapi_util.c | 237 +++++++++++++++++++------------------ + 1 file changed, 119 insertions(+), 118 deletions(-) + +diff --git a/src/tss2-sys/sysapi_util.c b/src/tss2-sys/sysapi_util.c +index 685fcee8..d84acc5d 100644 +--- a/src/tss2-sys/sysapi_util.c ++++ b/src/tss2-sys/sysapi_util.c +@@ -168,127 +168,128 @@ TSS2_RC CommonOneCall( + return rval; + } + +-static const COMMAND_HANDLES commandArray[] = +-{ +- { TPM2_CC_Startup, 0, 0 }, +- { TPM2_CC_Shutdown, 0, 0 }, +- { TPM2_CC_SelfTest, 0, 0 }, +- { TPM2_CC_IncrementalSelfTest, 0, 0 }, +- { TPM2_CC_GetTestResult, 0, 0 }, +- { TPM2_CC_StartAuthSession, 2, 1 }, +- { TPM2_CC_PolicyRestart, 1, 0 }, +- { TPM2_CC_Create, 1, 0 }, +- { TPM2_CC_Load, 1, 1 }, +- { TPM2_CC_LoadExternal, 0, 1 }, +- { TPM2_CC_ReadPublic, 1, 0 }, +- { TPM2_CC_ActivateCredential, 2, 0 }, +- { TPM2_CC_MakeCredential, 1, 0 }, +- { TPM2_CC_Unseal, 1, 0 }, +- { TPM2_CC_ObjectChangeAuth, 2, 0 }, +- { TPM2_CC_Duplicate, 2, 0 }, +- { TPM2_CC_Rewrap, 2, 0 }, +- { TPM2_CC_Import, 1, 0 }, +- { TPM2_CC_RSA_Encrypt, 1, 0 }, +- { TPM2_CC_RSA_Decrypt, 1, 0 }, +- { TPM2_CC_ECDH_KeyGen, 1, 0 }, +- { TPM2_CC_ECDH_ZGen, 1, 0 }, +- { TPM2_CC_ECC_Parameters, 0, 0 }, +- { TPM2_CC_ZGen_2Phase, 1, 0 }, +- { TPM2_CC_EncryptDecrypt, 1, 0 }, +- { TPM2_CC_EncryptDecrypt2, 1, 0 }, +- { TPM2_CC_Hash, 0, 0 }, +- { TPM2_CC_HMAC, 1, 0 }, +- { TPM2_CC_GetRandom, 0, 0 }, +- { TPM2_CC_StirRandom, 0, 0 }, +- { TPM2_CC_HMAC_Start, 1, 1 }, +- { TPM2_CC_HashSequenceStart, 0, 1 }, +- { TPM2_CC_SequenceUpdate, 1, 0 }, +- { TPM2_CC_SequenceComplete, 1, 0 }, +- { TPM2_CC_EventSequenceComplete, 2, 0 }, 
+- { TPM2_CC_Certify, 2, 0 }, +- { TPM2_CC_CertifyCreation, 2, 0 }, +- { TPM2_CC_Quote, 1, 0 }, +- { TPM2_CC_GetSessionAuditDigest, 3, 0 }, +- { TPM2_CC_GetCommandAuditDigest, 2, 0 }, +- { TPM2_CC_GetTime, 2, 0 }, +- { TPM2_CC_Commit, 1, 0 }, +- { TPM2_CC_EC_Ephemeral, 0, 0 }, +- { TPM2_CC_VerifySignature, 1, 0 }, +- { TPM2_CC_Sign, 1, 0 }, +- { TPM2_CC_SetCommandCodeAuditStatus, 1, 0 }, +- { TPM2_CC_PCR_Extend, 1, 0 }, +- { TPM2_CC_PCR_Event, 1, 0 }, +- { TPM2_CC_PCR_Read, 0, 0 }, +- { TPM2_CC_PCR_Allocate, 1, 0 }, +- { TPM2_CC_PCR_SetAuthPolicy, 1, 0 }, +- { TPM2_CC_PCR_SetAuthValue, 1, 0 }, +- { TPM2_CC_PCR_Reset, 1, 0 }, +- { TPM2_CC_PolicySigned, 2, 0 }, +- { TPM2_CC_PolicySecret, 2, 0 }, +- { TPM2_CC_PolicyTicket, 1, 0 }, +- { TPM2_CC_PolicyOR, 1, 0 }, +- { TPM2_CC_PolicyPCR, 1, 0 }, +- { TPM2_CC_PolicyLocality, 1, 0 }, +- { TPM2_CC_PolicyNV, 3, 0 }, +- { TPM2_CC_PolicyNvWritten, 1, 0 }, +- { TPM2_CC_PolicyCounterTimer, 1, 0 }, +- { TPM2_CC_PolicyCommandCode, 1, 0 }, +- { TPM2_CC_PolicyPhysicalPresence, 1, 0 }, +- { TPM2_CC_PolicyCpHash, 1, 0 }, +- { TPM2_CC_PolicyNameHash, 1, 0 }, +- { TPM2_CC_PolicyDuplicationSelect, 1, 0 }, +- { TPM2_CC_PolicyAuthorize, 1, 0 }, +- { TPM2_CC_PolicyAuthValue, 1, 0 }, +- { TPM2_CC_PolicyPassword, 1, 0 }, +- { TPM2_CC_PolicyGetDigest, 1, 0 }, +- { TPM2_CC_PolicyTemplate, 1, 0 }, +- { TPM2_CC_CreatePrimary, 1, 1 }, +- { TPM2_CC_HierarchyControl, 1, 0 }, +- { TPM2_CC_SetPrimaryPolicy, 1, 0 }, +- { TPM2_CC_ChangePPS, 1, 0 }, +- { TPM2_CC_ChangeEPS, 1, 0 }, +- { TPM2_CC_Clear, 1, 0 }, +- { TPM2_CC_ClearControl, 1, 0 }, +- { TPM2_CC_HierarchyChangeAuth, 1, 0 }, +- { TPM2_CC_DictionaryAttackLockReset, 1, 0 }, +- { TPM2_CC_DictionaryAttackParameters, 1, 0 }, +- { TPM2_CC_PP_Commands, 1, 0 }, +- { TPM2_CC_SetAlgorithmSet, 1, 0 }, +- { TPM2_CC_FieldUpgradeStart, 2, 0 }, +- { TPM2_CC_FieldUpgradeData, 0, 0 }, +- { TPM2_CC_FirmwareRead, 0, 0 }, +- { TPM2_CC_ContextSave, 1, 0 }, +- { TPM2_CC_ContextLoad, 0, 1 }, +- { TPM2_CC_FlushContext, 
1, 0 }, +- { TPM2_CC_EvictControl, 2, 0 }, +- { TPM2_CC_ReadClock, 0, 0 }, +- { TPM2_CC_ClockSet, 1, 0 }, +- { TPM2_CC_ClockRateAdjust, 1, 0 }, +- { TPM2_CC_GetCapability, 0, 0 }, +- { TPM2_CC_TestParms, 0, 0 }, +- { TPM2_CC_NV_DefineSpace, 1, 0 }, +- { TPM2_CC_NV_UndefineSpace, 2, 0 }, +- { TPM2_CC_NV_UndefineSpaceSpecial, 2, 0 }, +- { TPM2_CC_NV_ReadPublic, 1, 0 }, +- { TPM2_CC_NV_Write, 2, 0 }, +- { TPM2_CC_NV_Increment, 2, 0 }, +- { TPM2_CC_NV_Extend, 2, 0 }, +- { TPM2_CC_NV_SetBits, 2, 0 }, +- { TPM2_CC_NV_WriteLock, 2, 0 }, +- { TPM2_CC_NV_GlobalWriteLock, 1, 0 }, +- { TPM2_CC_NV_Read, 2, 0 }, +- { TPM2_CC_NV_ReadLock, 2, 0 }, +- { TPM2_CC_NV_ChangeAuth, 1, 0 }, +- { TPM2_CC_NV_Certify, 3, 0 }, +- { TPM2_CC_CreateLoaded, 1, 1 }, +- { TPM2_CC_PolicyAuthorizeNV, 3, 0 }, +- { TPM2_CC_AC_GetCapability, 1, 0 }, +- { TPM2_CC_AC_Send, 3, 0 }, +- { TPM2_CC_Policy_AC_SendSelect, 1, 0 } +-}; + + static int GetNumHandles(TPM2_CC commandCode, bool req) + { ++ static const COMMAND_HANDLES commandArray[] = ++ { ++ { TPM2_CC_Startup, 0, 0 }, ++ { TPM2_CC_Shutdown, 0, 0 }, ++ { TPM2_CC_SelfTest, 0, 0 }, ++ { TPM2_CC_IncrementalSelfTest, 0, 0 }, ++ { TPM2_CC_GetTestResult, 0, 0 }, ++ { TPM2_CC_StartAuthSession, 2, 1 }, ++ { TPM2_CC_PolicyRestart, 1, 0 }, ++ { TPM2_CC_Create, 1, 0 }, ++ { TPM2_CC_Load, 1, 1 }, ++ { TPM2_CC_LoadExternal, 0, 1 }, ++ { TPM2_CC_ReadPublic, 1, 0 }, ++ { TPM2_CC_ActivateCredential, 2, 0 }, ++ { TPM2_CC_MakeCredential, 1, 0 }, ++ { TPM2_CC_Unseal, 1, 0 }, ++ { TPM2_CC_ObjectChangeAuth, 2, 0 }, ++ { TPM2_CC_Duplicate, 2, 0 }, ++ { TPM2_CC_Rewrap, 2, 0 }, ++ { TPM2_CC_Import, 1, 0 }, ++ { TPM2_CC_RSA_Encrypt, 1, 0 }, ++ { TPM2_CC_RSA_Decrypt, 1, 0 }, ++ { TPM2_CC_ECDH_KeyGen, 1, 0 }, ++ { TPM2_CC_ECDH_ZGen, 1, 0 }, ++ { TPM2_CC_ECC_Parameters, 0, 0 }, ++ { TPM2_CC_ZGen_2Phase, 1, 0 }, ++ { TPM2_CC_EncryptDecrypt, 1, 0 }, ++ { TPM2_CC_EncryptDecrypt2, 1, 0 }, ++ { TPM2_CC_Hash, 0, 0 }, ++ { TPM2_CC_HMAC, 1, 0 }, ++ { TPM2_CC_GetRandom, 0, 0 }, ++ { 
TPM2_CC_StirRandom, 0, 0 }, ++ { TPM2_CC_HMAC_Start, 1, 1 }, ++ { TPM2_CC_HashSequenceStart, 0, 1 }, ++ { TPM2_CC_SequenceUpdate, 1, 0 }, ++ { TPM2_CC_SequenceComplete, 1, 0 }, ++ { TPM2_CC_EventSequenceComplete, 2, 0 }, ++ { TPM2_CC_Certify, 2, 0 }, ++ { TPM2_CC_CertifyCreation, 2, 0 }, ++ { TPM2_CC_Quote, 1, 0 }, ++ { TPM2_CC_GetSessionAuditDigest, 3, 0 }, ++ { TPM2_CC_GetCommandAuditDigest, 2, 0 }, ++ { TPM2_CC_GetTime, 2, 0 }, ++ { TPM2_CC_Commit, 1, 0 }, ++ { TPM2_CC_EC_Ephemeral, 0, 0 }, ++ { TPM2_CC_VerifySignature, 1, 0 }, ++ { TPM2_CC_Sign, 1, 0 }, ++ { TPM2_CC_SetCommandCodeAuditStatus, 1, 0 }, ++ { TPM2_CC_PCR_Extend, 1, 0 }, ++ { TPM2_CC_PCR_Event, 1, 0 }, ++ { TPM2_CC_PCR_Read, 0, 0 }, ++ { TPM2_CC_PCR_Allocate, 1, 0 }, ++ { TPM2_CC_PCR_SetAuthPolicy, 1, 0 }, ++ { TPM2_CC_PCR_SetAuthValue, 1, 0 }, ++ { TPM2_CC_PCR_Reset, 1, 0 }, ++ { TPM2_CC_PolicySigned, 2, 0 }, ++ { TPM2_CC_PolicySecret, 2, 0 }, ++ { TPM2_CC_PolicyTicket, 1, 0 }, ++ { TPM2_CC_PolicyOR, 1, 0 }, ++ { TPM2_CC_PolicyPCR, 1, 0 }, ++ { TPM2_CC_PolicyLocality, 1, 0 }, ++ { TPM2_CC_PolicyNV, 3, 0 }, ++ { TPM2_CC_PolicyNvWritten, 1, 0 }, ++ { TPM2_CC_PolicyCounterTimer, 1, 0 }, ++ { TPM2_CC_PolicyCommandCode, 1, 0 }, ++ { TPM2_CC_PolicyPhysicalPresence, 1, 0 }, ++ { TPM2_CC_PolicyCpHash, 1, 0 }, ++ { TPM2_CC_PolicyNameHash, 1, 0 }, ++ { TPM2_CC_PolicyDuplicationSelect, 1, 0 }, ++ { TPM2_CC_PolicyAuthorize, 1, 0 }, ++ { TPM2_CC_PolicyAuthValue, 1, 0 }, ++ { TPM2_CC_PolicyPassword, 1, 0 }, ++ { TPM2_CC_PolicyGetDigest, 1, 0 }, ++ { TPM2_CC_PolicyTemplate, 1, 0 }, ++ { TPM2_CC_CreatePrimary, 1, 1 }, ++ { TPM2_CC_HierarchyControl, 1, 0 }, ++ { TPM2_CC_SetPrimaryPolicy, 1, 0 }, ++ { TPM2_CC_ChangePPS, 1, 0 }, ++ { TPM2_CC_ChangeEPS, 1, 0 }, ++ { TPM2_CC_Clear, 1, 0 }, ++ { TPM2_CC_ClearControl, 1, 0 }, ++ { TPM2_CC_HierarchyChangeAuth, 1, 0 }, ++ { TPM2_CC_DictionaryAttackLockReset, 1, 0 }, ++ { TPM2_CC_DictionaryAttackParameters, 1, 0 }, ++ { TPM2_CC_PP_Commands, 1, 0 }, ++ { 
TPM2_CC_SetAlgorithmSet, 1, 0 }, ++ { TPM2_CC_FieldUpgradeStart, 2, 0 }, ++ { TPM2_CC_FieldUpgradeData, 0, 0 }, ++ { TPM2_CC_FirmwareRead, 0, 0 }, ++ { TPM2_CC_ContextSave, 1, 0 }, ++ { TPM2_CC_ContextLoad, 0, 1 }, ++ { TPM2_CC_FlushContext, 1, 0 }, ++ { TPM2_CC_EvictControl, 2, 0 }, ++ { TPM2_CC_ReadClock, 0, 0 }, ++ { TPM2_CC_ClockSet, 1, 0 }, ++ { TPM2_CC_ClockRateAdjust, 1, 0 }, ++ { TPM2_CC_GetCapability, 0, 0 }, ++ { TPM2_CC_TestParms, 0, 0 }, ++ { TPM2_CC_NV_DefineSpace, 1, 0 }, ++ { TPM2_CC_NV_UndefineSpace, 2, 0 }, ++ { TPM2_CC_NV_UndefineSpaceSpecial, 2, 0 }, ++ { TPM2_CC_NV_ReadPublic, 1, 0 }, ++ { TPM2_CC_NV_Write, 2, 0 }, ++ { TPM2_CC_NV_Increment, 2, 0 }, ++ { TPM2_CC_NV_Extend, 2, 0 }, ++ { TPM2_CC_NV_SetBits, 2, 0 }, ++ { TPM2_CC_NV_WriteLock, 2, 0 }, ++ { TPM2_CC_NV_GlobalWriteLock, 1, 0 }, ++ { TPM2_CC_NV_Read, 2, 0 }, ++ { TPM2_CC_NV_ReadLock, 2, 0 }, ++ { TPM2_CC_NV_ChangeAuth, 1, 0 }, ++ { TPM2_CC_NV_Certify, 3, 0 }, ++ { TPM2_CC_CreateLoaded, 1, 1 }, ++ { TPM2_CC_PolicyAuthorizeNV, 3, 0 }, ++ { TPM2_CC_AC_GetCapability, 1, 0 }, ++ { TPM2_CC_AC_Send, 3, 0 }, ++ { TPM2_CC_Policy_AC_SendSelect, 1, 0 } ++ }; ++ + uint8_t i; + + for (i = 0; i < sizeof(commandArray) / sizeof(COMMAND_HANDLES); i++) { +-- +2.34.3 + diff --git a/SOURCES/0022-fapi-use-correct-userdata-for-cbauthnv.patch b/SOURCES/0022-fapi-use-correct-userdata-for-cbauthnv.patch new file mode 100644 index 0000000..230acb6 --- /dev/null +++ b/SOURCES/0022-fapi-use-correct-userdata-for-cbauthnv.patch 
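Review bot: The loop after the relocated table still indexes it with `uint8_t i` against `sizeof(commandArray) / sizeof(COMMAND_HANDLES)`. The table is already past a hundred entries, and once it exceeds 255 the comparison can never become false for an 8-bit counter, so a lookup for an unlisted command code would wrap and spin instead of falling through. Declaring the index as `size_t i;` removes the limit. The rest of GetNumHandles, including what it returns for a command code that is not in the table, is outside the hunk.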
@@ -0,0 +1,26 @@
+From b289b38764e9f6c4fbe50008fede7baa47098a58 Mon Sep 17 00:00:00 2001
+From: Erik Larsson
+Date: Mon, 4 Jul 2022 19:14:30 +0200
+Subject: [PATCH 22/23] fapi: use correct userdata for cbauthnv
+
+Signed-off-by: Erik Larsson
+---
+ src/tss2-fapi/ifapi_policy_execute.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tss2-fapi/ifapi_policy_execute.c b/src/tss2-fapi/ifapi_policy_execute.c
+index caae103e..ddaf255c 100644
+--- a/src/tss2-fapi/ifapi_policy_execute.c
++++ b/src/tss2-fapi/ifapi_policy_execute.c
+@@ -760,7 +760,7 @@ execute_policy_authorize_nv(
+ switch (current_policy->state) {
+ statecase(current_policy->state, POLICY_EXECUTE_INIT)
+ /* Execute the policy stored in the NV object. */
+- r = cb->cbauthnv(&policy->nvPublic, hash_alg, cb->cbauthpol_userdata);
++ r = cb->cbauthnv(&policy->nvPublic, hash_alg, cb->cbauthnv_userdata);
+ try_again_or_error(r, "Execute policy authorize nv callback.");
+
+ r = ifapi_nv_get_name(&policy->nvPublic, ¤t_policy->name);
+--
+2.34.3
+
diff --git a/SOURCES/0023-SAPI-fix-number-of-handles-for-FlushContext.patch b/SOURCES/0023-SAPI-fix-number-of-handles-for-FlushContext.patch
new file mode 100644
index 0000000..2856138
--- /dev/null
+++ b/SOURCES/0023-SAPI-fix-number-of-handles-for-FlushContext.patch
@@ -0,0 +1,36 @@
+From ecfc3b4c1e9a59c6a230398bced24118d19ea099 Mon Sep 17 00:00:00 2001
+From: William Roberts
+Date: Thu, 7 Jul 2022 09:00:19 -0500
+Subject: [PATCH 23/23] SAPI: fix number of handles for FlushContext
+
+The lookup table for the number of command handles for
+Tss2_Sys_FlushContext has the count set to 1, when in reality the
+command takes no handles in the handle area but a handle as the input
+parameter. This works currently because handles and parameters are just
+concatenated and the parsing logic on the TPM just unpacks them, so in
+this case, thet're in the same spot with the same value. This goes
+unnoticed until you call Tss2_Sys_GetCpBuffer and the buffer is empty as
+the logic things its a handle in the handle area and not a handle in the
+parameter area.
+
+Signed-off-by: William Roberts
+---
+ src/tss2-sys/sysapi_util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tss2-sys/sysapi_util.c b/src/tss2-sys/sysapi_util.c
+index d84acc5d..a92f47a2 100644
+--- a/src/tss2-sys/sysapi_util.c
++++ b/src/tss2-sys/sysapi_util.c
+@@ -262,7 +262,7 @@ static int GetNumHandles(TPM2_CC commandCode, bool req)
+ { TPM2_CC_FirmwareRead, 0, 0 },
+ { TPM2_CC_ContextSave, 1, 0 },
+ { TPM2_CC_ContextLoad, 0, 1 },
+- { TPM2_CC_FlushContext, 1, 0 },
++ { TPM2_CC_FlushContext, 0, 0 },
+ { TPM2_CC_EvictControl, 2, 0 },
+ { TPM2_CC_ReadClock, 0, 0 },
+ { TPM2_CC_ClockSet, 1, 0 },
+--
+2.34.3
+
diff --git a/SOURCES/tpm2-tss-3.0.0-doxygen.patch b/SOURCES/tpm2-tss-3.0.0-doxygen.patch
new file mode 100644
index 0000000..2f82472
--- /dev/null
+++ b/SOURCES/tpm2-tss-3.0.0-doxygen.patch
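Review bot: The new `{ TPM2_CC_FlushContext, 0, 0 }` entry looks wrong next to its neighbours unless the reader knows the explanation from the commit message, and that explanation is not in the code. A trailing comment on the entry, `/* flushHandle is passed in the parameter area, not the handle area */`, would stop it from being changed back to 1. Callers that relied on the old count, for example anything that derives the command-parameter offset from GetNumHandles, are outside the hunk and should be re-checked.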
@@ -0,0 +1,15 @@
+diff -up tpm2-tss-3.0.0/Doxyfile.in.me tpm2-tss-3.0.0/Doxyfile.in
+--- tpm2-tss-3.0.0/Doxyfile.in.me 2020-09-15 20:24:26.463314644 +0200
++++ tpm2-tss-3.0.0/Doxyfile.in 2020-09-15 20:26:29.010866650 +0200
+@@ -947,7 +947,10 @@ EXCLUDE_PATTERNS =
+ # Note that the wildcards are matched against the file with absolute path, so to
+ # exclude all test directories use the pattern */test/*
+
+-EXCLUDE_SYMBOLS = *_IN IESYS_CMD_IN_PARAM
++EXCLUDE_SYMBOLS = StartAuthSession_IN CreatePrimary_IN ContextSave_IN ContextLoad_IN \
++ Load_IN LoadExternal_IN CreateLoaded_IN EvictControl_IN HMAC_Start_IN \
++ HierarchyChangeAuth_IN SequenceComplete_IN Policy_IN NV_IN FlushContext_IN \
++ IESYS_CMD_IN_PARAM
+
+ # The EXAMPLE_PATH tag can be used to specify one or more files or directories
+ # that contain example code fragments that are included (see the \include
diff --git a/SPECS/tpm2-tss.spec b/SPECS/tpm2-tss.spec
new file mode 100644
index 0000000..e35e1e0
--- /dev/null
+++ b/SPECS/tpm2-tss.spec
@@ -0,0 +1,329 @@ +Name: tpm2-tss +Version: 3.0.3 +Release: 8%{?dist} +Summary: TPM2.0 Software Stack + +# The entire source code is under BSD except implementation.h and tpmb.h which +# is under TCGL(Trusted Computing Group License). +License: BSD and TCGL +URL: https://github.com/tpm2-software/tpm2-tss +Source0: https://github.com/tpm2-software/tpm2-tss/releases/download/%{version}/%{name}-%{version}.tar.gz +# doxygen crash +Patch0: tpm2-tss-3.0.0-doxygen.patch +# OpenSSL 3 support +Patch1: 0001-FAPI-Fix-reading-of-the-root-certificate-for-provisi.patch +Patch2: 0002-FAPI-use-FAPI_TEST_EK_CERT_LESS-with-disable-self-ge.patch +Patch3: 0003-Makefile.am-Use-LIBCRYPTO_CFLAGS-when-building-FAPI.patch +Patch4: 0004-Test-Remove-duplicate-openssl-req-new.patch +Patch5: 0005-FAPI-Test-Call-EVP_DigestSignInit-in-the-correct-ord.patch +Patch6: 0006-FAPI-Test-Use-EVP_PKEY_base_id-to-detect-key-type.patch +Patch7: 0007-FAPI-Test-Change-RSA_sign-to-EVP_PKEY_sign.patch +Patch8: 0008-Require-OpenSSL-1.1.0.patch +Patch9: 0009-FAPI-Change-SHA256_Update-to-EVP_DigestUpdate.patch +Patch10: 0010-Test-Use-EVP_MAC_xxx-with-OpenSSL-3.0.patch +Patch11: 0011-Drop-support-for-OpenSSL-1.1.0.patch +Patch12: 0012-Implement-EVP_PKEY-export-import-for-OpenSSL-3.0.patch +Patch13: 0001-esys_crypto_ossl-remove-non-needed-_ex-OSSL-funcs.patch +Patch14: 0002-FAPI-Remove-useless-code-get_engine.patch +Patch15: 0003-FAPI-Remove-fauly-free-of-an-unused-field.patch +Patch16: 0004-Remove-deprecated-OpenSSL_add_all_algorithms.patch +Patch17: 0005-Use-default-OpenSSL-context-for-internal-crypto-oper.patch +Patch18: 0006-FAPI-Add-policy-computation-for-create-primary.patch +Patch19: 0007-FAPI-Fix-loading-of-primary-keys.patch +Patch20: 0008-Fix-file-descriptor-leak-when-tcti-initialization-fa.patch +Patch21: 0009-FAPI-Fix-leak-in-fapi-crypto-with-ossl3.patch +Patch22: 0010-FAPI-Fix-memory-leak-after-ifapi_init_primary_finish.patch +Patch23: 0011-esys-Return-an-error-if-ESYS_TR_NONE-is-passed-to-Es.patch 
+Patch24: 0012-FAPI-Fixed-memory-leak-when-ifapi_get_certificates-f.patch +Patch25: 0013-FAPI-Free-object-when-keystore_search_obj-failed.patch +Patch26: 0014-FAPI-Fixed-the-memory-leak-of-command-data-when-Fapi.patch +Patch27: 0015-ESYS-Fixed-annotation-error-of-Esys_TR_Deserialize.patch +Patch28: 0016-FAPI-Clean-up-memory-when-Fapi_Delete_Async-failed.patch +Patch29: 0017-FAPI-Clean-up-memory-when-Fapi_GetEsysBlob_Async-fai.patch +Patch30: 0018-FAPI-Initialize-object-used-for-keystore-search.patch +Patch31: 0019-MU-Fix-buffer-upcast-leading-to-misalignment.patch +Patch32: 0020-esys_iutil-fix-possible-NPD.patch +Patch33: 0021-sapi-scope-command-handles.patch +Patch34: 0022-fapi-use-correct-userdata-for-cbauthnv.patch +Patch35: 0023-SAPI-fix-number-of-handles-for-FlushContext.patch + + +%global udevrules_prefix 60- + +BuildRequires: make +BuildRequires: autoconf-archive +BuildRequires: doxygen +BuildRequires: gcc +BuildRequires: gcc-c++ +BuildRequires: json-c-devel +BuildRequires: libcurl-devel +BuildRequires: libgcrypt-devel +BuildRequires: libtool +BuildRequires: openssl-devel +BuildRequires: pkgconfig +BuildRequires: systemd +Requires(pre): shadow-utils + +%description +tpm2-tss is a software stack supporting Trusted Platform Module(TPM) 2.0 system +APIs. It sits between TPM driver and applications, providing TPM2.0 specified +APIs for applications to access TPM module through kernel TPM drivers. + +%prep +%autosetup -p1 -n %{name}-%{version} + +%build +autoreconf -i +# Use built-in tpm-udev.rules, with specified installation path and prefix. +%configure --disable-static --disable-silent-rules \ + --with-udevrulesdir=%{_udevrulesdir} --with-udevrulesprefix=%{udevrules_prefix} \ + --with-runstatedir=%{_rundir} --with-tmpfilesdir=%{_tmpfilesdir} --with-sysusersdir=%{_sysusersdir} + +# This is to fix Rpath errors. 
Taken from https://fedoraproject.org/wiki/Packaging:Guidelines#Removing_Rpath +sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool +sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool + +%make_build + +%install +%make_install +find %{buildroot}%{_libdir} -type f -name \*.la -delete + +%pre +getent group tss >/dev/null || groupadd -f -g 59 -r tss +if ! getent passwd tss >/dev/null ; then + if ! getent passwd 59 >/dev/null ; then + useradd -r -u 59 -g tss -d /dev/null -s /sbin/nologin -c "Account used for TPM access" tss + else + useradd -r -g tss -d /dev/null -s /sbin/nologin -c "Account used for TPM access" tss + fi +fi +exit 0 + +%ldconfig_scriptlets + +%files +%doc README.md CHANGELOG.md +%license LICENSE +%{_sysconfdir}/tpm2-tss/ +%{_libdir}/libtss2-mu.so.0* +%{_libdir}/libtss2-sys.so.1* +%{_libdir}/libtss2-esys.so.0* +%{_libdir}/libtss2-fapi.so.1* +%{_libdir}/libtss2-rc.so.0* +%{_libdir}/libtss2-tctildr.so.0* +%{_libdir}/libtss2-tcti-cmd.so.0* +%{_libdir}/libtss2-tcti-device.so.0* +%{_libdir}/libtss2-tcti-mssim.so.0* +%{_libdir}/libtss2-tcti-swtpm.so.0* +%{_sysusersdir}/tpm2-tss.conf +%{_tmpfilesdir}/tpm2-tss-fapi.conf +%{_udevrulesdir}/%{udevrules_prefix}tpm-udev.rules + +%package devel +Summary: Headers and libraries for building apps that use tpm2-tss +Requires: %{name}%{_isa} = %{version}-%{release} + +%description devel +This package contains headers and libraries required to build applications that +use tpm2-tss. 
+ +%files devel +%{_includedir}/tss2/ +%{_libdir}/libtss2-mu.so +%{_libdir}/libtss2-sys.so +%{_libdir}/libtss2-esys.so +%{_libdir}/libtss2-fapi.so +%{_libdir}/libtss2-rc.so +%{_libdir}/libtss2-tctildr.so +%{_libdir}/libtss2-tcti-cmd.so +%{_libdir}/libtss2-tcti-device.so +%{_libdir}/libtss2-tcti-mssim.so +%{_libdir}/libtss2-tcti-swtpm.so +%{_libdir}/pkgconfig/tss2-mu.pc +%{_libdir}/pkgconfig/tss2-sys.pc +%{_libdir}/pkgconfig/tss2-esys.pc +%{_libdir}/pkgconfig/tss2-fapi.pc +%{_libdir}/pkgconfig/tss2-rc.pc +%{_libdir}/pkgconfig/tss2-tctildr.pc +%{_libdir}/pkgconfig/tss2-tcti-cmd.pc +%{_libdir}/pkgconfig/tss2-tcti-device.pc +%{_libdir}/pkgconfig/tss2-tcti-mssim.pc +%{_libdir}/pkgconfig/tss2-tcti-swtpm.pc +%{_mandir}/man3/*.3.gz +%{_mandir}/man5/*.5.gz +%{_mandir}/man7/tss2*.7.gz + + +%changelog +* Wed Aug 10 2022 Štěpán Horáček - 3.0.3-8 +- Fix memory leaks, potential crashes, upgrade to OpenSSL 3 + Resolves: rhbz#2041919 + +* Thu Feb 17 2022 Štěpán Horáček - 3.0.3-7 +- Rebuild with latest json-c library + Related: rhbz#2023328 + +* Wed Aug 18 2021 Štěpán Horáček - 3.0.3-6 +- Fix failures while using OpenSSL 3 + Resolves: rhbz#1984634 + +* Tue Aug 10 2021 Mohan Boddu - 3.0.3-5 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Wed Jun 16 2021 Mohan Boddu - 3.0.3-4 +- Rebuilt for RHEL 9 BETA for openssl 3.0 + Related: rhbz#1971065 + +* Fri Apr 16 2021 Mohan Boddu - 3.0.3-3 +- Rebuilt for RHEL 9 BETA on Apr 15th 2021. 
Related: rhbz#1947937
+
+* Wed Jan 27 2021 Fedora Release Engineering - 3.0.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Thu Nov 26 2020 Peter Robinson - 3.0.3-1
+- Update to 3.0.2
+
+* Sun Nov 22 2020 Peter Robinson - 3.0.2-1
+- Update to 3.0.2
+
+* Wed Sep 23 2020 Peter Robinson - 3.0.1-1
+- Update to 3.0.1
+
+* Tue Sep 15 2020 Than Ngo - 3.0.0-4
+- Fix doxygen crash
+
+* Tue Sep 15 2020 Peter Robinson - 3.0.0-3
+- Create tss user, if it doesn't exist, for userspace TPM access
+
+* Fri Aug 07 2020 Peter Robinson - 3.0.0-2
+- Install sysusers config in sysusersdir (rhbz #1834519)
+
+* Wed Aug 05 2020 Peter Robinson - 3.0.0-1
+- Update to 3.0.0
+
+* Wed Aug 05 2020 Peter Robinson - 2.4.2-1
+- Update to 2.4.2
+
+* Wed Jul 29 2020 Fedora Release Engineering - 2.4.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Thu May 14 2020 Peter Robinson - 2.4.1-1
+- Update to 2.4.1
+
+* Fri May 08 2020 Paul Wouters - 2.4.0-3
+- Use proper rundir and tmpfiles macros so proper directories are used
+
+* Tue Apr 21 2020 Björn Esser - 2.4.0-2
+- Rebuild (json-c)
+
+* Thu Mar 12 2020 Peter Robinson - 2.4.0-1
+- Update to 2.4.0 release
+
+* Mon Feb 24 2020 Peter Robinson - 2.3.3-1
+- Update to 2.3.3 release
+
+* Fri Jan 31 2020 Fedora Release Engineering - 2.3.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Fri Dec 13 2019 Yunying Sun - 2.3.2-1
+- Update to 2.3.2 release
+
+* Fri Sep 6 2019 Yunying Sun - 2.3.1-1
+- Update to 2.3.1 release
+
+* Thu Aug 15 2019 Yunying Sun - 2.3.0-1
+- Update to 2.3.0 release
+
+* Sat Jul 27 2019 Fedora Release Engineering - 2.2.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Wed May 29 2019 Yunying Sun - 2.2.3-1
+- Update to 2.2.3 release
+
+* Fri Mar 29 2019 Yunying Sun - 2.2.2-1
+- Update to 2.2.2 release
+
+* Mon Mar 4 2019 Peter Robinson 2.2.1-1
+- Update to 2.2.1 release
+
+* Wed Feb 06 2019 Javier Martinez Canillas - 2.2.0-1
+- Update to 2.2.0 release
+
+* Sun Feb 03 2019 Fedora Release Engineering - 2.1.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Wed Oct 10 2018 Yunying Sun - 2.1.0-1
+- Update to 2.1.0 release
+
+* Thu Aug 30 2018 Yunying Sun - 2.0.1-1
+- Update to 2.0.1 release
+
+* Sat Jul 14 2018 Fedora Release Engineering - 2.0.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Wed Jul 4 2018 Yunying Sun - 2.0.0-2
+- Re-enable ESAPI since gcrypt dependency is not an issue for Fedora
+- Bump release version to 2.0.0-2
+
+* Mon Jul 2 2018 Yunying Sun - 2.0.0-1
+- Update to 2.0.0 release (RHBZ#1508870)
+- Remove patch file 60-tpm-udev.rules, use upstream tpm-udev.rules instead
+- Disable ESAPI to fix build errors caused by dependency to libgcrypt 1.6.0
+- Add scriptlet to fix Rpath errors
+- Update file installation paths and names accordingly
+
+* Sun Mar 04 2018 Javier Martinez Canillas - 1.4.0-1
+- Update URLs to point to the new project location
+- Add README.md CHANGELOG.md to %%files directive
+- Update to 1.4.0 release (RHBZ#1508870)
+
+* Fri Feb 23 2018 Javier Martinez Canillas - 1.3.0-4
+- Install udev rule for TPM character devices
+
+* Wed Feb 21 2018 Javier Martinez Canillas - 1.3.0-3
+- Remove ExclusiveArch: %%{ix86} x86_64 directive
+
+* Fri Feb 09 2018 Igor Gnatenko - 1.3.0-2
+- Escape macros in %%changelog
+
+* Fri Dec 08 2017 Javier Martinez Canillas - 1.3.0-1
+- Update to 1.3.0 release
+
+* Wed Nov 29 2017 Javier Martinez Canillas - 1.3.0-0.1.rc2
+- Update to 1.3.0 release candidate 2 (RHBZ#1508870)
+- Remove global pkg_prefix since now the upstream repo and package names match
+- Update URLs to point to the new project location
+- Remove -Wno-int-in-bool-context compiler flag since now upstream takes care
+- Remove %%doc directive since README.md and CHANGELOG.md are not in the tarball
+- Add patch to include a LICENSE since the generated tarball does not have it
+
+* Mon Aug 28 2017 Javier Martinez Canillas - 1.2.0-1
+- Update to 1.2.0 release
+- Use tpm2-tss instead of TPM2.0-TSS as prefix since project name changed
+- Fix SPEC file access mode
+- Include new man pages in %%files directive
+
+* Fri Aug 18 2017 Javier Martinez Canillas - 1.1.0-3
+- Remove unneeded source tarballs (RHBZ#1482828)
+
+* Thu Aug 03 2017 Fedora Release Engineering - 1.1.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Sun Yunying - 1.1.0-1
+- Update to 1.1.0 release
+
+* Sat Feb 11 2017 Fedora Release Engineering - 1.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Mon Dec 12 2016 Sun Yunying - 1.0-2
+- Remove global macro pkg_version to avoid duplicate of version
+- Use ExclusiveArch instead of ExcludeArch
+- Use less wildcard in %%files section to be more specific
+- Add trailing slash at end of added directory in %%file section
+- Remove autoconf/automake/pkgconfig(cmocka) from BuildRequires
+- Increase release version to 2
+
+* Fri Dec 2 2016 Sun Yunying - 1.0-1
+- Initial version of the package