rpms
/
tpm2-tss
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

import tpm2-tss-3.0.3-8.el9

Browse Source
i9c changed/i9c/tpm2-tss-3.0.3-8.el9
MSVSphere Packaging Team 2 years ago
commit cdc189cc5d
39 changed files with 4321 additions and 0 deletions
Show Stats Download Patch File Download Diff File

1
.gitignore vendored
Unescape View File

@ -0,0 +1 @@
SOURCES/tpm2-tss-3.0.3.tar.gz

1
.tpm2-tss.metadata
Unescape View File

@ -0,0 +1 @@
f83a4a9e544893c42ec108f6616a75e2f209d2d3 SOURCES/tpm2-tss-3.0.3.tar.gz

61
SOURCES/0001-FAPI-Fix-reading-of-the-root-certificate-for-provisi.patch
Unescape View File

@ -0,0 +1,61 @@
From c14bd543879f2336e57aa2dff0b437407d858272 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
Date: Fri, 19 Feb 2021 14:32:45 +0100
Subject: FAPI: Fix reading of the root certificate for
provisioning.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* The root certificate defined by the environment variable FAPI_TEST_ROOT_CERT will
only be used if it's allowed to use self generated root certificate with
./configure --enable-self-generated-certificate
* This option is added to all integration tests which are using the TPM simulator.
- Compared to the upstream commit 199b4edc the changes to CI config files
are omitted.
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
---
configure.ac | 8 ++++++++
src/tss2-fapi/api/Fapi_Provision.c | 4 ++++
2 files changed, 12 insertions(+)
diff --git a/configure.ac b/configure.ac
index f4df879c..d3bbb93d 100755
--- a/configure.ac
+++ b/configure.ac
@@ -440,6 +440,14 @@ AC_ARG_ENABLE([weakcrypto],
AS_IF([test "x$enable_weakcrypto" = "xyes"],
AC_DEFINE([DISABLE_WEAK_CRYPTO],[1],[DISABLE WEAK CRYPTO ALGORITHMS]))
+AC_ARG_ENABLE([self-generated-certificate],
+ [AS_HELP_STRING([--enable-self-generated-certificate],
+ [Alllow usage of self generated root certifcate])],,
+ [enable_self_generated_certificate=no])
+AS_IF([test "x$enable_self_generated_certificate" == xyes],
+ [AC_DEFINE([SELF_GENERATED_CERTIFICATE],[1], [Allow usage of self generated root certifcate])])
+
+
AC_SUBST([PATH])
dnl --------- Doxy Gen -----------------------
diff --git a/src/tss2-fapi/api/Fapi_Provision.c b/src/tss2-fapi/api/Fapi_Provision.c
index 00534a2e..9cf804ad 100644
--- a/src/tss2-fapi/api/Fapi_Provision.c
+++ b/src/tss2-fapi/api/Fapi_Provision.c
@@ -797,7 +797,11 @@ Fapi_Provision_Finish(FAPI_CONTEXT *context)
statecase(context->state, PROVISION_PREPARE_READ_ROOT_CERT);
/* Prepare reading of root certificate. */
+ root_ca_file = NULL;
+#ifdef SELF_GENERATED_CERTIFICATE
+#pragma message ( "*** Allow self generated certifcate ***" )
root_ca_file = getenv("FAPI_TEST_ROOT_CERT");
+#endif
if (!root_ca_file) {
context->state = PROVISION_EK_CHECK_CERT;
return TSS2_FAPI_RC_TRY_AGAIN;
--
2.26.3

99
SOURCES/0001-esys_crypto_ossl-remove-non-needed-_ex-OSSL-funcs.patch
Unescape View File

@ -0,0 +1,99 @@
From 446aef29b5e5d376a3724dbf95c851ac82baeb7f Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Thu, 19 Nov 2020 11:09:56 -0600
Subject: [PATCH 01/23] esys_crypto_ossl: remove non-needed _ex OSSL funcs
Some of the OSSL _ex suffixed routines remained even after the ENGINE
pointer was removed. The _ex functions with NULL engine don't do
anything different then the non _ex suffixed ones. One _ex routine
remains, RSA_generate_key_ex, becuase the _ex version is deprecated.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
src/tss2-esys/esys_crypto_ossl.c | 23 +++++++++++------------
1 file changed, 11 insertions(+), 12 deletions(-)
diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c
index 392f97ae..6856e92d 100644
--- a/src/tss2-esys/esys_crypto_ossl.c
+++ b/src/tss2-esys/esys_crypto_ossl.c
@@ -136,10 +136,9 @@ iesys_cryptossl_hash_start(IESYS_CRYPTO_CONTEXT_BLOB ** context,
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Error EVP_MD_CTX_create", cleanup);
}
- if (1 != EVP_DigestInit_ex(mycontext->hash.ossl_context,
- mycontext->hash.ossl_hash_alg,
- NULL)) {
- goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Errror EVP_DigestInit_ex", cleanup);
+ if (1 != EVP_DigestInit(mycontext->hash.ossl_context,
+ mycontext->hash.ossl_hash_alg)) {
+ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Errror EVP_DigestInit", cleanup);
}
*context = (IESYS_CRYPTO_CONTEXT_BLOB *) mycontext;
@@ -241,13 +240,13 @@ iesys_cryptossl_hash_finish(IESYS_CRYPTO_CONTEXT_BLOB ** context,
return_error(TSS2_ESYS_RC_BAD_SIZE, "Buffer too small");
}
- if (1 != EVP_DigestFinal_ex(mycontext->hash.ossl_context, buffer, &digest_size)) {
+ if (1 != EVP_DigestFinal(mycontext->hash.ossl_context, buffer, &digest_size)) {
return_error(TSS2_ESYS_RC_GENERAL_FAILURE, "Ossl error.");
}
if (digest_size != mycontext->hash.hash_len) {
return_error(TSS2_ESYS_RC_GENERAL_FAILURE,
- "Invalid size computed by EVP_DigestFinal_ex");
+ "Invalid size computed by EVP_DigestFinal");
}
LOGBLOB_TRACE(buffer, mycontext->hash.hash_len, "read hash result");
@@ -1056,11 +1055,11 @@ iesys_cryptossl_sym_aes_encrypt(uint8_t * key,
"Initialize cipher context", cleanup);
}
- if (1 != EVP_EncryptInit_ex(ctx, cipher_alg, NULL, key, iv)) {
+ if (1 != EVP_EncryptInit(ctx, cipher_alg,key, iv)) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
"Initialize cipher operation", cleanup);
}
- if (1 != EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv)) {
+ if (1 != EVP_EncryptInit(ctx, NULL, key, iv)) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Set key and iv", cleanup);
}
@@ -1069,7 +1068,7 @@ iesys_cryptossl_sym_aes_encrypt(uint8_t * key,
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Encrypt update", cleanup);
}
- if (1 != EVP_EncryptFinal_ex(ctx, buffer, &cipher_len)) {
+ if (1 != EVP_EncryptFinal(ctx, buffer, &cipher_len)) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Encrypt final", cleanup);
}
LOGBLOB_TRACE(buffer, buffer_size, "IESYS AES output");
@@ -1144,12 +1143,12 @@ iesys_cryptossl_sym_aes_decrypt(uint8_t * key,
LOGBLOB_TRACE(buffer, buffer_size, "IESYS AES input");
- if (1 != EVP_DecryptInit_ex(ctx, cipher_alg, NULL, key, iv)) {
+ if (1 != EVP_DecryptInit(ctx, cipher_alg, key, iv)) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
"Initialize cipher operation", cleanup);
}
- if (1 != EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv)) {
+ if (1 != EVP_DecryptInit(ctx, NULL, key, iv)) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Set key and iv", cleanup);
}
@@ -1158,7 +1157,7 @@ iesys_cryptossl_sym_aes_decrypt(uint8_t * key,
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Encrypt update", cleanup);
}
- if (1 != EVP_DecryptFinal_ex(ctx, buffer, &cipher_len)) {
+ if (1 != EVP_DecryptFinal(ctx, buffer, &cipher_len)) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Encrypt final", cleanup);
}
LOGBLOB_TRACE(buffer, buffer_size, "IESYS AES output");
--
2.34.3

63
SOURCES/0002-FAPI-Remove-useless-code-get_engine.patch
Unescape View File

@ -0,0 +1,63 @@
From 53a5ba5c8476097fb5145cee4bed61b82d0cc225 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
Date: Mon, 7 Jun 2021 09:47:30 +0200
Subject: [PATCH 02/23] FAPI: Remove useless code get_engine.
The function did always return NULL. So the default engine was used.
Fixes #2085
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
---
src/tss2-fapi/fapi_crypto.c | 22 +---------------------
1 file changed, 1 insertion(+), 21 deletions(-)
diff --git a/src/tss2-fapi/fapi_crypto.c b/src/tss2-fapi/fapi_crypto.c
index c50b5f0a..9c7e566c 100644
--- a/src/tss2-fapi/fapi_crypto.c
+++ b/src/tss2-fapi/fapi_crypto.c
@@ -56,9 +56,6 @@ typedef struct _IFAPI_CRYPTO_CONTEXT {
size_t hashSize;
} IFAPI_CRYPTO_CONTEXT;
-/** A singleton crypto engine for hash operations */
-static ENGINE *engine = NULL;
-
/**
* Returns the signature scheme that is currently used in the FAPI context.
*
@@ -228,23 +225,6 @@ ifapi_bn2binpad(const BIGNUM *bn, unsigned char *bin, int binSize)
return 1;
}
-/**
- * Returns the singleton hash engine for the use in ifapi_hash operations. If
- * it does not yet exist, this function creates it.
- *
- * @retval A singleton hash engine
- */
-static ENGINE *
-get_engine()
-{
- /* If an engine is present, it is returned */
- if (engine)
- return engine;
- /* Otherwise, engine is created and returned */
- engine = ENGINE_by_id(NULL);
- return engine;
-}
-
/**
* Returns a suitable openSSL hash algorithm identifier for a given TSS hash
* algorithm identifier.
@@ -1558,7 +1538,7 @@ ifapi_crypto_hash_start(IFAPI_CRYPTO_CONTEXT_BLOB **context,
}
if (1 != EVP_DigestInit_ex(mycontext->osslContext,
- mycontext->osslHashAlgorithm, get_engine())) {
+ mycontext->osslHashAlgorithm, NULL)) {
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Error EVP_DigestInit_ex",
cleanup);
}
--
2.34.3

42
SOURCES/0002-FAPI-use-FAPI_TEST_EK_CERT_LESS-with-disable-self-ge.patch
Unescape View File

@ -0,0 +1,42 @@
From d680ea548b3ab066f6bea625af5d4000ca32cfee Mon Sep 17 00:00:00 2001
From: Jonas Witschel <diabonas@gmx.de>
Date: Mon, 1 Mar 2021 20:00:17 +0100
Subject: FAPI: use FAPI_TEST_EK_CERT_LESS with
--disable-self-generated-certificate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Since commit 199b4edc265b2f4758aa22ebf4ed6472a34b9a7a ("FAPI: Fix reading of
the root certificate for provisioning.") it is required to specify
--enable-self-generated-certificate in order to make the FAPI integration tests
pass. This is an option that should usually not be enabled in production builds
for security reasons, but still some form of integration testing might be
desirable in this case to verify whether the compiled library works as
expected. Use FAPI_TEST_EK_CERT_LESS in this case to run the tests without EK
certificate validation.
Signed-off-by: Jonas Witschel <diabonas@gmx.de>
---
configure.ac | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/configure.ac b/configure.ac
index d3bbb93d..d4324c9a 100755
--- a/configure.ac
+++ b/configure.ac
@@ -444,8 +444,9 @@ AC_ARG_ENABLE([self-generated-certificate],
[AS_HELP_STRING([--enable-self-generated-certificate],
[Alllow usage of self generated root certifcate])],,
[enable_self_generated_certificate=no])
-AS_IF([test "x$enable_self_generated_certificate" == xyes],
- [AC_DEFINE([SELF_GENERATED_CERTIFICATE],[1], [Allow usage of self generated root certifcate])])
+AS_IF([test "x$enable_self_generated_certificate" = xyes],
+ [AC_DEFINE([SELF_GENERATED_CERTIFICATE], [1], [Allow usage of self generated root certificate])],
+ [AS_IF([test "x$integration_tcti" != "xdevice"], [AC_DEFINE([FAPI_TEST_EK_CERT_LESS], [1], [Perform integration tests without EK certificate verification])])])
AC_SUBST([PATH])
--
2.26.3

40
SOURCES/0003-FAPI-Remove-fauly-free-of-an-unused-field.patch
Unescape View File

@ -0,0 +1,40 @@
From 29f7b2855a9d1378bb8a757564e1f0367a84cb70 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
Date: Tue, 3 Aug 2021 16:24:41 +0200
Subject: [PATCH 03/23] FAPI: Remove fauly free of an unused field.
The field out_data in IFAPI_Data_EncryptDecrypt was not used but freed in Fapi_Encrypt.
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
---
src/tss2-fapi/api/Fapi_Encrypt.c | 1 -
src/tss2-fapi/fapi_int.h | 1 -
2 files changed, 2 deletions(-)
diff --git a/src/tss2-fapi/api/Fapi_Encrypt.c b/src/tss2-fapi/api/Fapi_Encrypt.c
index 2e892351..af8e2c58 100644
--- a/src/tss2-fapi/api/Fapi_Encrypt.c
+++ b/src/tss2-fapi/api/Fapi_Encrypt.c
@@ -405,7 +405,6 @@ error_cleanup:
SAFE_FREE(tpmCipherText);
SAFE_FREE(command->keyPath);
SAFE_FREE(command->in_data);
- SAFE_FREE(command->out_data);
ifapi_session_clean(context);
LOG_TRACE("finished");
return r;
diff --git a/src/tss2-fapi/fapi_int.h b/src/tss2-fapi/fapi_int.h
index 90707da1..13c0333e 100644
--- a/src/tss2-fapi/fapi_int.h
+++ b/src/tss2-fapi/fapi_int.h
@@ -386,7 +386,6 @@ typedef struct {
uint8_t const *in_data;
size_t in_dataSize;
IFAPI_OBJECT *key_object; /**< The IPAPI object for the encryption key */
- uint8_t *out_data; /**< The output of symmetric encrypt/decryption */
ESYS_TR key_handle; /**< The ESYS handle of the encryption key */
size_t numBytes; /**< The number of bytes of a ESYS request */
size_t decrypt; /**< Switch whether to encrypt or decrypt */
--
2.34.3

29
SOURCES/0003-Makefile.am-Use-LIBCRYPTO_CFLAGS-when-building-FAPI.patch
Unescape View File

@ -0,0 +1,29 @@
From c5933320e1bd557cc52f2d56baec4ea52edfbc47 Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Sat, 17 Jul 2021 20:15:51 +0200
Subject: Makefile.am: Use LIBCRYPTO_CFLAGS when building FAPI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
Makefile.am | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile.am b/Makefile.am
index f2fa515a..0f759adb 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -521,7 +521,7 @@ src_tss2_fapi_libtss2_fapi_la_LIBADD = $(libtss2_sys) $(libtss2_mu) $(libtss2_e
$(libutil) $(libtss2_tctildr)
src_tss2_fapi_libtss2_fapi_la_SOURCES = $(TSS2_FAPI_SRC)
-src_tss2_fapi_libtss2_fapi_la_CFLAGS = $(AM_CFLAGS) -I$(srcdir)/src/tss2-fapi
+src_tss2_fapi_libtss2_fapi_la_CFLAGS = $(AM_CFLAGS) -I$(srcdir)/src/tss2-fapi $(LIBCRYPTO_CFLAGS)
src_tss2_fapi_libtss2_fapi_la_LDFLAGS = $(AM_LDFLAGS) $(LIBCRYPTO_LIBS) $(JSONC_LIBS) $(CURL_LIBS)
if HAVE_LD_VERSION_SCRIPT
src_tss2_fapi_libtss2_fapi_la_LDFLAGS += -Wl,--version-script=$(srcdir)/lib/tss2-fapi.map
--
2.26.3

44
SOURCES/0004-Remove-deprecated-OpenSSL_add_all_algorithms.patch
Unescape View File

@ -0,0 +1,44 @@
From 3a5967ba620849839e71ee304c09a6998109466a Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Mon, 2 Aug 2021 15:50:26 +0200
Subject: [PATCH 04/23] Remove deprecated OpenSSL_add_all_algorithms
From OpenSSL 1.1.0 it is deprecated. No explicit initialisation or
de-initialisation is required.
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
src/tss2-esys/esys_crypto_ossl.c | 2 +-
src/tss2-fapi/ifapi_get_intl_cert.c | 3 ---
2 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c
index 6856e92d..ab08b3b8 100644
--- a/src/tss2-esys/esys_crypto_ossl.c
+++ b/src/tss2-esys/esys_crypto_ossl.c
@@ -1173,7 +1173,7 @@ iesys_cryptossl_sym_aes_decrypt(uint8_t * key,
*
* Initialize OpenSSL internal tables.
*
- * @retval TSS2_RC_SUCCESS always returned because OpenSSL_add_all_algorithms
+ * @retval TSS2_RC_SUCCESS always returned
* does not deliver
* a return code.
*/
diff --git a/src/tss2-fapi/ifapi_get_intl_cert.c b/src/tss2-fapi/ifapi_get_intl_cert.c
index 9290a17e..35186e62 100644
--- a/src/tss2-fapi/ifapi_get_intl_cert.c
+++ b/src/tss2-fapi/ifapi_get_intl_cert.c
@@ -375,9 +375,6 @@ out_free_json:
json_object_put(jso);
out:
- /* In some case this call was necessary after curl usage */
- OpenSSL_add_all_algorithms();
-
free(hash);
if (rc == 0) {
return TSS2_RC_SUCCESS;
--
2.34.3

35
SOURCES/0004-Test-Remove-duplicate-openssl-req-new.patch
Unescape View File

@ -0,0 +1,35 @@
From 738f6f045e740c3fc21579297990d60b7c2e83ed Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Sat, 17 Jul 2021 20:23:32 +0200
Subject: Test: Remove duplicate openssl req -new
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The command is called twice, which is superfluous. Both the key
and the certificate are created already by the first command.
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
script/ekca/create_ca.sh | 5 -----
1 file changed, 5 deletions(-)
diff --git a/script/ekca/create_ca.sh b/script/ekca/create_ca.sh
index 90a5c791..61d976a3 100755
--- a/script/ekca/create_ca.sh
+++ b/script/ekca/create_ca.sh
@@ -94,11 +94,6 @@ ${SED_CMD} "s|ROOTCRT|$ROOT_URL|g" $OPENSSL_CONF
openssl req -new -out intermed-ca.req.pem -passout file:pass.txt
-openssl req -new \
- -key private/intermed-ca.key.pem \
- -out intermed-ca.req.pem \
- -passin file:pass.txt
-
openssl rsa -inform PEM -in private/intermed-ca.key.pem \
-outform DER -out private/intermed-ca.key.der -passin file:pass.txt
--
2.26.3

76
SOURCES/0005-FAPI-Test-Call-EVP_DigestSignInit-in-the-correct-ord.patch
Unescape View File

@ -0,0 +1,76 @@
From 563f9c951d9b050378b9d3659a932c98ab587b21 Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Sat, 17 Jul 2021 21:22:28 +0200
Subject: FAPI Test: Call EVP_DigestSignInit in the correct order
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The EVP_DigestSignInit should be called only once and before calling
EVP_PKEY_CTX_set_rsa_padding. See a corresponding example
[here](https://www.openssl.org/docs/man1.0.2/man3/EVP_PKEY_sign_init.html)
Current code works with OpenSSL 1.x, but fails with OpenSSL 3.0.
This PR makes the code compatible with OpenSSL 1.0 through 3.0.
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
test/integration/fapi-data-crypt.int.c | 8 ++------
test/integration/fapi-key-create-policy-signed.int.c | 8 ++------
2 files changed, 4 insertions(+), 12 deletions(-)
diff --git a/test/integration/fapi-data-crypt.int.c b/test/integration/fapi-data-crypt.int.c
index b2d20b28..d42466db 100644
--- a/test/integration/fapi-data-crypt.int.c
+++ b/test/integration/fapi-data-crypt.int.c
@@ -129,8 +129,8 @@ signatureCallback(
mdctx = EVP_MD_CTX_create();
chknull(mdctx);
- if (1 != EVP_DigestSignInit(mdctx, &pctx, NULL, NULL, priv_key)) {
- goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL digest sign init.",
+ if (1 != EVP_DigestSignInit(mdctx, &pctx, ossl_hash, NULL, priv_key)) {
+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.",
error_cleanup);
}
if (EVP_PKEY_type(EVP_PKEY_id(priv_key)) == EVP_PKEY_RSA) {
@@ -140,10 +140,6 @@ signatureCallback(
error_cleanup);
}
}
- if (1 != EVP_DigestSignInit(mdctx, &pctx, ossl_hash, NULL, priv_key)) {
- goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.",
- error_cleanup);
- }
if (1 != EVP_DigestSignUpdate(mdctx, dataToSign, dataToSignSize)) {
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign update.",
error_cleanup);
diff --git a/test/integration/fapi-key-create-policy-signed.int.c b/test/integration/fapi-key-create-policy-signed.int.c
index e51289a6..b903dec0 100644
--- a/test/integration/fapi-key-create-policy-signed.int.c
+++ b/test/integration/fapi-key-create-policy-signed.int.c
@@ -144,8 +144,8 @@ signatureCallback(
mdctx = EVP_MD_CTX_create();
chknull(mdctx);
- if (1 != EVP_DigestSignInit(mdctx, &pctx, NULL, NULL, priv_key)) {
- goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL digest sign init.",
+ if (1 != EVP_DigestSignInit(mdctx, &pctx, ossl_hash, NULL, priv_key)) {
+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.",
error_cleanup);
}
if (EVP_PKEY_type(EVP_PKEY_id(priv_key)) == EVP_PKEY_RSA) {
@@ -155,10 +155,6 @@ signatureCallback(
error_cleanup);
}
}
- if (1 != EVP_DigestSignInit(mdctx, &pctx, ossl_hash, NULL, priv_key)) {
- goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.",
- error_cleanup);
- }
if (1 != EVP_DigestSignUpdate(mdctx, dataToSign, dataToSignSize)) {
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign update.",
error_cleanup);
--
2.26.3

657
SOURCES/0005-Use-default-OpenSSL-context-for-internal-crypto-oper.patch
Unescape View File

@ -0,0 +1,657 @@
From 5b777f29fd612f9972d416ed77b90156e2373e9f Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Wed, 25 Aug 2021 14:02:38 +0200
Subject: [PATCH 05/23] Use default OpenSSL context for internal crypto
operations
The TPM2 provider may be loaded in the global library context.
As we don't want the TPM to be called for some operations, we have
to initialize own library context with the default provider.
This is similar to the RAND_set_rand_method dance with older OpenSSL.
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
src/tss2-esys/esys_crypto_ossl.c | 175 ++++++++++++++++++++++---------
src/tss2-fapi/fapi_crypto.c | 152 ++++++++++++++++++---------
2 files changed, 225 insertions(+), 102 deletions(-)
diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c
index ab08b3b8..35af2028 100644
--- a/src/tss2-esys/esys_crypto_ossl.c
+++ b/src/tss2-esys/esys_crypto_ossl.c
@@ -66,38 +66,101 @@ typedef struct _IESYS_CRYPTO_CONTEXT {
} type; /**< The type of context to hold; hash or hmac */
union {
struct {
- EVP_MD_CTX *ossl_context;
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
const EVP_MD *ossl_hash_alg;
+#else
+ OSSL_LIB_CTX *ossl_libctx;
+ EVP_MD *ossl_hash_alg;
+#endif
+ EVP_MD_CTX *ossl_context;
size_t hash_len;
- } hash; /**< the state variables for a hash context */
- struct {
- EVP_MD_CTX *ossl_context;
- const EVP_MD *ossl_hash_alg;
- size_t hmac_len;
- } hmac; /**< the state variables for an hmac context */
+ } hash; /**< the state variables for a HASH or HMAC context */
};
} IESYS_CRYPTOSSL_CONTEXT;
-const EVP_MD *
+static IESYS_CRYPTOSSL_CONTEXT *
+iesys_cryptossl_context_new() {
+ IESYS_CRYPTOSSL_CONTEXT *ctx;
+
+ if (!(ctx = calloc(1, sizeof(IESYS_CRYPTOSSL_CONTEXT))))
+ return NULL;
+
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ /* The TPM2 provider may be loaded in the global library context.
+ * As we don't want the TPM to be called for these operations, we have
+ * to initialize own library context with the default provider. */
+ if (!(ctx->hash.ossl_libctx = OSSL_LIB_CTX_new())) {
+ SAFE_FREE(ctx);
+ return NULL;
+ }
+#endif
+ return ctx;
+}
+
+static void
+iesys_cryptossl_context_free(IESYS_CRYPTOSSL_CONTEXT *ctx) {
+ if (!ctx)
+ return;
+
+ EVP_MD_CTX_free(ctx->hash.ossl_context);
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ EVP_MD_free(ctx->hash.ossl_hash_alg);
+ OSSL_LIB_CTX_free(ctx->hash.ossl_libctx);
+#endif
+ SAFE_FREE(ctx);
+}
+
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+static const EVP_MD *
get_ossl_hash_md(TPM2_ALG_ID hashAlg)
{
switch (hashAlg) {
case TPM2_ALG_SHA1:
return EVP_sha1();
- break;
case TPM2_ALG_SHA256:
return EVP_sha256();
- break;
case TPM2_ALG_SHA384:
return EVP_sha384();
- break;
case TPM2_ALG_SHA512:
return EVP_sha512();
- break;
default:
return NULL;
}
}
+#else
+static const char *
+get_ossl_hash_md(TPM2_ALG_ID hashAlg)
+{
+ switch (hashAlg) {
+ case TPM2_ALG_SHA1:
+ return "SHA1";
+ case TPM2_ALG_SHA256:
+ return "SHA256";
+ case TPM2_ALG_SHA384:
+ return "SHA384";
+ case TPM2_ALG_SHA512:
+ return "SHA512";
+ default:
+ return NULL;
+ }
+}
+#endif
+
+static int
+iesys_cryptossl_context_set_hash_md(IESYS_CRYPTOSSL_CONTEXT *ctx, TPM2_ALG_ID hashAlg) {
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ ctx->hash.ossl_hash_alg = get_ossl_hash_md(hashAlg);
+#else
+ const char *alg_name = get_ossl_hash_md(hashAlg);
+ if (!alg_name)
+ return 0;
+ ctx->hash.ossl_hash_alg = EVP_MD_fetch(ctx->hash.ossl_libctx, alg_name, NULL);
+#endif
+ if (!ctx->hash.ossl_hash_alg)
+ return 0;
+
+ return 1;
+}
/** Provide the context for the computation of a hash digest.
*
@@ -117,12 +180,12 @@ iesys_cryptossl_hash_start(IESYS_CRYPTO_CONTEXT_BLOB ** context,
LOG_TRACE("call: context=%p hashAlg=%"PRIu16, context, hashAlg);
return_if_null(context, "Context is NULL", TSS2_ESYS_RC_BAD_REFERENCE);
return_if_null(context, "Null-Pointer passed for context", TSS2_ESYS_RC_BAD_REFERENCE);
- IESYS_CRYPTOSSL_CONTEXT *mycontext;
- mycontext = calloc(1, sizeof(IESYS_CRYPTOSSL_CONTEXT));
+
+ IESYS_CRYPTOSSL_CONTEXT *mycontext = iesys_cryptossl_context_new();
return_if_null(mycontext, "Out of Memory", TSS2_ESYS_RC_MEMORY);
mycontext->type = IESYS_CRYPTOSSL_TYPE_HASH;
- if (!(mycontext->hash.ossl_hash_alg = get_ossl_hash_md(hashAlg))) {
+ if (!iesys_cryptossl_context_set_hash_md(mycontext, hashAlg)) {
goto_error(r, TSS2_ESYS_RC_NOT_IMPLEMENTED,
"Unsupported hash algorithm (%"PRIu16")", cleanup, hashAlg);
}
@@ -132,12 +195,12 @@ iesys_cryptossl_hash_start(IESYS_CRYPTO_CONTEXT_BLOB ** context,
"Unsupported hash algorithm (%"PRIu16")", cleanup, hashAlg);
}
- if (!(mycontext->hash.ossl_context = EVP_MD_CTX_create())) {
+ if (!(mycontext->hash.ossl_context = EVP_MD_CTX_create())) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Error EVP_MD_CTX_create", cleanup);
}
if (1 != EVP_DigestInit(mycontext->hash.ossl_context,
- mycontext->hash.ossl_hash_alg)) {
+ mycontext->hash.ossl_hash_alg)) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Errror EVP_DigestInit", cleanup);
}
@@ -146,9 +209,7 @@ iesys_cryptossl_hash_start(IESYS_CRYPTO_CONTEXT_BLOB ** context,
return TSS2_RC_SUCCESS;
cleanup:
- if (mycontext->hash.ossl_context)
- EVP_MD_CTX_destroy(mycontext->hash.ossl_context);
- SAFE_FREE(mycontext);
+ iesys_cryptossl_context_free(mycontext);
return r;
}
@@ -252,8 +313,8 @@ iesys_cryptossl_hash_finish(IESYS_CRYPTO_CONTEXT_BLOB ** context,
LOGBLOB_TRACE(buffer, mycontext->hash.hash_len, "read hash result");
*size = mycontext->hash.hash_len;
- EVP_MD_CTX_destroy(mycontext->hash.ossl_context);
- free(mycontext);
+
+ iesys_cryptossl_context_free(mycontext);
*context = NULL;
return TSS2_RC_SUCCESS;
@@ -279,8 +340,7 @@ iesys_cryptossl_hash_abort(IESYS_CRYPTO_CONTEXT_BLOB ** context)
return;
}
- EVP_MD_CTX_destroy(mycontext->hash.ossl_context);
- free(mycontext);
+ iesys_cryptossl_context_free(mycontext);
*context = NULL;
}
@@ -313,20 +373,20 @@ iesys_cryptossl_hmac_start(IESYS_CRYPTO_CONTEXT_BLOB ** context,
return_error(TSS2_ESYS_RC_BAD_REFERENCE,
"Null-Pointer passed in for context");
}
- IESYS_CRYPTOSSL_CONTEXT *mycontext = calloc(1, sizeof(IESYS_CRYPTOSSL_CONTEXT));
+ IESYS_CRYPTOSSL_CONTEXT *mycontext = iesys_cryptossl_context_new();
return_if_null(mycontext, "Out of Memory", TSS2_ESYS_RC_MEMORY);
- if (!(mycontext->hmac.ossl_hash_alg = get_ossl_hash_md(hashAlg))) {
+ if (!iesys_cryptossl_context_set_hash_md(mycontext, hashAlg)) {
goto_error(r, TSS2_ESYS_RC_NOT_IMPLEMENTED,
"Unsupported hash algorithm (%"PRIu16")", cleanup, hashAlg);
}
- if (iesys_crypto_hash_get_digest_size(hashAlg, &mycontext->hmac.hmac_len)) {
+ if (iesys_crypto_hash_get_digest_size(hashAlg, &mycontext->hash.hash_len)) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
"Unsupported hash algorithm (%"PRIu16")", cleanup, hashAlg);
}
- if (!(mycontext->hmac.ossl_context = EVP_MD_CTX_create())) {
+ if (!(mycontext->hash.ossl_context = EVP_MD_CTX_create())) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
"Error EVP_MD_CTX_create", cleanup);
}
@@ -341,8 +401,8 @@ iesys_cryptossl_hmac_start(IESYS_CRYPTO_CONTEXT_BLOB ** context,
"Failed to create HMAC key", cleanup);
}
- if(1 != EVP_DigestSignInit(mycontext->hmac.ossl_context, NULL,
- mycontext->hmac.ossl_hash_alg, NULL, hkey)) {
+ if(1 != EVP_DigestSignInit(mycontext->hash.ossl_context, NULL,
+ mycontext->hash.ossl_hash_alg, NULL, hkey)) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
"DigestSignInit", cleanup);
}
@@ -356,11 +416,9 @@ iesys_cryptossl_hmac_start(IESYS_CRYPTO_CONTEXT_BLOB ** context,
return TSS2_RC_SUCCESS;
cleanup:
- if (mycontext->hmac.ossl_context)
- EVP_MD_CTX_destroy(mycontext->hmac.ossl_context);
if(hkey)
EVP_PKEY_free(hkey);
- SAFE_FREE(mycontext);
+ iesys_cryptossl_context_free(mycontext);
return r;
}
@@ -391,7 +449,7 @@ iesys_cryptossl_hmac_update(IESYS_CRYPTO_CONTEXT_BLOB * context,
LOGBLOB_TRACE(buffer, size, "Updating hmac with");
/* Call update with the message */
- if(1 != EVP_DigestSignUpdate(mycontext->hmac.ossl_context, buffer, size)) {
+ if(1 != EVP_DigestSignUpdate(mycontext->hash.ossl_context, buffer, size)) {
return_error(TSS2_ESYS_RC_GENERAL_FAILURE, "OSSL HMAC update");
}
@@ -448,19 +506,18 @@ iesys_cryptossl_hmac_finish(IESYS_CRYPTO_CONTEXT_BLOB ** context,
return_error(TSS2_ESYS_RC_BAD_REFERENCE, "bad context");
}
- if (*size < mycontext->hmac.hmac_len) {
+ if (*size < mycontext->hash.hash_len) {
return_error(TSS2_ESYS_RC_BAD_SIZE, "Buffer too small");
}
- if (1 != EVP_DigestSignFinal(mycontext->hmac.ossl_context, buffer, size)) {
+ if (1 != EVP_DigestSignFinal(mycontext->hash.ossl_context, buffer, size)) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "DigestSignFinal", cleanup);
}
LOGBLOB_TRACE(buffer, *size, "read hmac result");
cleanup:
- EVP_MD_CTX_destroy(mycontext->hmac.ossl_context);
- SAFE_FREE(mycontext);
+ iesys_cryptossl_context_free(mycontext);
*context = NULL;
return r;
}
@@ -510,9 +567,7 @@ iesys_cryptossl_hmac_abort(IESYS_CRYPTO_CONTEXT_BLOB ** context)
return;
}
- EVP_MD_CTX_destroy(mycontext->hmac.ossl_context);
-
- free(mycontext);
+ iesys_cryptossl_context_free(mycontext);
*context = NULL;
}
}
@@ -529,9 +584,14 @@ iesys_cryptossl_hmac_abort(IESYS_CRYPTO_CONTEXT_BLOB ** context)
TSS2_RC
iesys_cryptossl_random2b(TPM2B_NONCE * nonce, size_t num_bytes)
{
+ int rc;
#if OPENSSL_VERSION_NUMBER < 0x30000000L
const RAND_METHOD *rand_save = RAND_get_rand_method();
RAND_set_rand_method(RAND_OpenSSL());
+#else
+ OSSL_LIB_CTX *libctx = OSSL_LIB_CTX_new();
+ if (!libctx)
+ return TSS2_ESYS_RC_MEMORY;
#endif
if (num_bytes == 0) {
@@ -540,16 +600,16 @@ iesys_cryptossl_random2b(TPM2B_NONCE * nonce, size_t num_bytes)
nonce->size = num_bytes;
}
- if (1 != RAND_bytes(&nonce->buffer[0], nonce->size)) {
#if OPENSSL_VERSION_NUMBER < 0x30000000L
- RAND_set_rand_method(rand_save);
+ rc = RAND_bytes(&nonce->buffer[0], nonce->size);
+ RAND_set_rand_method(rand_save);
+#else
+ rc = RAND_bytes_ex(libctx, &nonce->buffer[0], nonce->size, 0);
+ OSSL_LIB_CTX_free(libctx);
#endif
+ if (rc != 1)
return_error(TSS2_ESYS_RC_GENERAL_FAILURE,
"Failure in random number generator.");
- }
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
- RAND_set_rand_method(rand_save);
-#endif
return TSS2_RC_SUCCESS;
}
@@ -578,28 +638,37 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
{
#if OPENSSL_VERSION_NUMBER < 0x30000000L
RSA *rsa_key = NULL;
+ const EVP_MD * hashAlg = NULL;
const RAND_METHOD *rand_save = RAND_get_rand_method();
RAND_set_rand_method(RAND_OpenSSL());
#else
+ OSSL_LIB_CTX *libctx = NULL;
+ EVP_MD * hashAlg = NULL;
OSSL_PARAM *params = NULL;
OSSL_PARAM_BLD *build = NULL;
#endif
TSS2_RC r = TSS2_RC_SUCCESS;
- const EVP_MD * hashAlg = NULL;
EVP_PKEY *evp_rsa_key = NULL;
EVP_PKEY_CTX *genctx = NULL, *ctx = NULL;
BIGNUM *bne = NULL, *n = NULL;
int padding;
char *label_copy = NULL;
- if (!(hashAlg = get_ossl_hash_md(pub_tpm_key->publicArea.nameAlg))) {
- LOG_ERROR("Unsupported hash algorithm (%"PRIu16")",
- pub_tpm_key->publicArea.nameAlg);
#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ if (!(hashAlg = get_ossl_hash_md(pub_tpm_key->publicArea.nameAlg))) {
RAND_set_rand_method(rand_save);
+#else
+ if (!(libctx = OSSL_LIB_CTX_new()))
+ return TSS2_ESYS_RC_MEMORY;
+
+ if (!(hashAlg = EVP_MD_fetch(libctx,
+ get_ossl_hash_md(pub_tpm_key->publicArea.nameAlg), NULL))) {
+ OSSL_LIB_CTX_free(libctx);
#endif
+ LOG_ERROR("Unsupported hash algorithm (%"PRIu16")",
+ pub_tpm_key->publicArea.nameAlg);
return TSS2_ESYS_RC_NOT_IMPLEMENTED;
}
@@ -673,7 +742,7 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
cleanup);
}
- if ((genctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL)) == NULL
+ if ((genctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA", NULL)) == NULL
|| EVP_PKEY_fromdata_init(genctx) <= 0
|| EVP_PKEY_fromdata(genctx, &evp_rsa_key, EVP_PKEY_PUBLIC_KEY, params) <= 0) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Could not create rsa key.",
@@ -744,6 +813,8 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
#else
OSSL_FREE(params, OSSL_PARAM);
OSSL_FREE(build, OSSL_PARAM_BLD);
+ OSSL_FREE(hashAlg, EVP_MD);
+ OSSL_FREE(libctx, OSSL_LIB_CTX);
#endif
return r;
}
diff --git a/src/tss2-fapi/fapi_crypto.c b/src/tss2-fapi/fapi_crypto.c
index 9c7e566c..d061cf48 100644
--- a/src/tss2-fapi/fapi_crypto.c
+++ b/src/tss2-fapi/fapi_crypto.c
@@ -48,14 +48,34 @@
/** Context to hold temporary values for ifapi_crypto */
typedef struct _IFAPI_CRYPTO_CONTEXT {
- /** The hash engine's context */
- EVP_MD_CTX *osslContext;
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
/** The currently used hash algorithm */
const EVP_MD *osslHashAlgorithm;
+#else
+ OSSL_LIB_CTX *libctx;
+ /** The currently used hash algorithm */
+ EVP_MD *osslHashAlgorithm;
+#endif
+ /** The hash engine's context */
+ EVP_MD_CTX *osslContext;
/** The size of the hash's digest */
size_t hashSize;
} IFAPI_CRYPTO_CONTEXT;
+static void
+ifapi_crypto_context_free(IFAPI_CRYPTO_CONTEXT *ctx)
+{
+ if (!ctx)
+ return;
+
+ EVP_MD_CTX_destroy(ctx->osslContext);
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ EVP_MD_free(ctx->osslHashAlgorithm);
+ OSSL_LIB_CTX_free(ctx->libctx);
+#endif
+ SAFE_FREE(ctx);
+}
+
/**
* Returns the signature scheme that is currently used in the FAPI context.
*
@@ -225,6 +245,33 @@ ifapi_bn2binpad(const BIGNUM *bn, unsigned char *bin, int binSize)
return 1;
}
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+/**
+ * Converts a TSS hash algorithm identifier into an OpenSSL hash algorithm
+ * identifier object.
+ *
+ * @param[in] hashAlgorithm The TSS hash algorithm identifier to convert
+ *
+ * @retval A suitable OpenSSL identifier object if one could be found
+ * @retval NULL if no suitable identifier object could be found
+ */
+static const EVP_MD *
+get_ossl_hash_md(TPM2_ALG_ID hashAlgorithm)
+{
+ switch (hashAlgorithm) {
+ case TPM2_ALG_SHA1:
+ return EVP_sha1();
+ case TPM2_ALG_SHA256:
+ return EVP_sha256();
+ case TPM2_ALG_SHA384:
+ return EVP_sha384();
+ case TPM2_ALG_SHA512:
+ return EVP_sha512();
+ default:
+ return NULL;
+ }
+}
+#else
/**
* Returns a suitable openSSL hash algorithm identifier for a given TSS hash
* algorithm identifier.
@@ -235,22 +282,23 @@ ifapi_bn2binpad(const BIGNUM *bn, unsigned char *bin, int binSize)
* hashAlgorithm could be found
* @retval NULL if no suitable hash algorithm identifier could be found
*/
-static const EVP_MD *
+static const char *
get_hash_md(TPM2_ALG_ID hashAlgorithm)
{
switch (hashAlgorithm) {
case TPM2_ALG_SHA1:
- return EVP_sha1();
+ return "SHA1";
case TPM2_ALG_SHA256:
- return EVP_sha256();
+ return "SHA256";
case TPM2_ALG_SHA384:
- return EVP_sha384();
+ return "SHA384";
case TPM2_ALG_SHA512:
- return EVP_sha512();
+ return "SHA512";
default:
return NULL;
}
}
+#endif
/**
* Returns a suitable openSSL RSA signature scheme identifiver for a given TSS
@@ -1274,6 +1322,9 @@ ifapi_verify_signature_quote(
BIO *bufio = NULL;
EVP_PKEY_CTX *pctx = NULL;
EVP_MD_CTX *mdctx = NULL;
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ OSSL_LIB_CTX *libctx = NULL;
+#endif
/* Check whether or not the key is valid */
if (keyObject->objectType == IFAPI_KEY_OBJ) {
@@ -1304,8 +1355,8 @@ ifapi_verify_signature_quote(
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "EVP_MD_CTX_create",
error_cleanup);
}
-
- const EVP_MD *hashAlgorithm = get_hash_md(signatureScheme->details.any.hashAlg);
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ const EVP_MD *hashAlgorithm = get_ossl_hash_md(signatureScheme->details.any.hashAlg);
if (!hashAlgorithm) {
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Invalid hash alg.",
error_cleanup);
@@ -1316,6 +1367,26 @@ ifapi_verify_signature_quote(
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "EVP_DigestVerifyInit",
error_cleanup);
}
+#else
+ const char *hashAlgorithm = get_hash_md(signatureScheme->details.any.hashAlg);
+ if (!hashAlgorithm) {
+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Invalid hash alg.",
+ error_cleanup);
+ }
+
+ /* The TPM2 provider may be loaded in the global library context.
+ * As we don't want the TPM to be called for these operations, we have
+ * to initialize own library context with the default provider. */
+ libctx = OSSL_LIB_CTX_new();
+ goto_if_null(libctx, "Out of memory", TSS2_FAPI_RC_MEMORY, error_cleanup);
+
+ /* Verify the digest of the signature */
+ if (1 != EVP_DigestVerifyInit_ex(mdctx, &pctx, hashAlgorithm, libctx,
+ NULL, publicKey, NULL)) {
+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "EVP_DigestVerifyInit_ex",
+ error_cleanup);
+ }
+#endif
goto_if_null(pctx, "Out of memory", TSS2_FAPI_RC_MEMORY, error_cleanup);
if (EVP_PKEY_type(EVP_PKEY_id(publicKey)) == EVP_PKEY_RSA) {
int padding = get_sig_scheme(signatureScheme->scheme);
@@ -1339,12 +1410,13 @@ ifapi_verify_signature_quote(
}
error_cleanup:
- if (mdctx != NULL) {
- EVP_MD_CTX_destroy(mdctx);
- }
+ EVP_MD_CTX_destroy(mdctx);
SAFE_FREE(public_pem_key);
EVP_PKEY_free(publicKey);
BIO_free(bufio);
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ OSSL_LIB_CTX_free(libctx);
+#endif
return r;
}
@@ -1464,36 +1536,6 @@ ifapi_hash_get_digest_size(TPM2_ALG_ID hashAlgorithm)
}
}
-/**
- * Converts a TSS hash algorithm identifier into an OpenSSL hash algorithm
- * identifier object.
- *
- * @param[in] hashAlgorithm The TSS hash algorithm identifier to convert
- *
- * @retval A suitable OpenSSL identifier object if one could be found
- * @retval NULL if no suitable identifier object could be found
- */
-static const EVP_MD *
-get_ossl_hash_md(TPM2_ALG_ID hashAlgorithm)
-{
- switch (hashAlgorithm) {
- case TPM2_ALG_SHA1:
- return EVP_sha1();
- break;
- case TPM2_ALG_SHA256:
- return EVP_sha256();
- break;
- case TPM2_ALG_SHA384:
- return EVP_sha384();
- break;
- case TPM2_ALG_SHA512:
- return EVP_sha512();
- break;
- default:
- return NULL;
- }
-}
-
/**
* Starts the computation of a hash digest.
*
@@ -1520,11 +1562,26 @@ ifapi_crypto_hash_start(IFAPI_CRYPTO_CONTEXT_BLOB **context,
mycontext = calloc(1, sizeof(IFAPI_CRYPTO_CONTEXT));
return_if_null(mycontext, "Out of memory", TSS2_FAPI_RC_MEMORY);
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
if (!(mycontext->osslHashAlgorithm = get_ossl_hash_md(hashAlgorithm))) {
goto_error(r, TSS2_FAPI_RC_BAD_VALUE,
"Unsupported hash algorithm (%" PRIu16 ")", cleanup,
hashAlgorithm);
}
+#else
+ /* The TPM2 provider may be loaded in the global library context.
+ * As we don't want the TPM to be called for these operations, we have
+ * to initialize own library context with the default provider. */
+ mycontext->libctx = OSSL_LIB_CTX_new();
+ return_if_null(mycontext->libctx, "Out of memory", TSS2_FAPI_RC_MEMORY);
+
+ if (!(mycontext->osslHashAlgorithm =
+ EVP_MD_fetch(mycontext->libctx, get_hash_md(hashAlgorithm), NULL))) {
+ goto_error(r, TSS2_FAPI_RC_BAD_VALUE,
+ "Unsupported hash algorithm (%" PRIu16 ")", cleanup,
+ hashAlgorithm);
+ }
+#endif
if (!(mycontext->hashSize = ifapi_hash_get_digest_size(hashAlgorithm))) {
goto_error(r, TSS2_FAPI_RC_BAD_VALUE,
@@ -1548,10 +1605,7 @@ ifapi_crypto_hash_start(IFAPI_CRYPTO_CONTEXT_BLOB **context,
return TSS2_RC_SUCCESS;
cleanup:
- if (mycontext->osslContext)
- EVP_MD_CTX_destroy(mycontext->osslContext);
- SAFE_FREE(mycontext);
-
+ ifapi_crypto_context_free(mycontext);
return r;
}
@@ -1630,8 +1684,7 @@ ifapi_crypto_hash_finish(IFAPI_CRYPTO_CONTEXT_BLOB **context,
}
/* Finalize the hash context */
- EVP_MD_CTX_destroy(mycontext->osslContext);
- free(mycontext);
+ ifapi_crypto_context_free(mycontext);
*context = NULL;
return TSS2_RC_SUCCESS;
@@ -1653,8 +1706,7 @@ ifapi_crypto_hash_abort(IFAPI_CRYPTO_CONTEXT_BLOB **context)
}
IFAPI_CRYPTO_CONTEXT *mycontext = (IFAPI_CRYPTO_CONTEXT *) * context;
- EVP_MD_CTX_destroy(mycontext->osslContext);
- free(mycontext);
+ ifapi_crypto_context_free(mycontext);
*context = NULL;
}
--
2.34.3

70
SOURCES/0006-FAPI-Add-policy-computation-for-create-primary.patch
Unescape View File

@ -0,0 +1,70 @@
From 5ecd682797d2744d4a03c82ee5907db6766bcff1 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
Date: Tue, 12 Oct 2021 11:19:41 +0200
Subject: [PATCH 06/23] FAPI: Add policy computation for create primary.
The policy digest for primary keys was only computed for keys created during provisioning.
Now the policy digest is also computed for primary keys create with Fapi_CreateKey.
Fixes #2175.
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
---
src/tss2-fapi/fapi_int.h | 1 +
src/tss2-fapi/fapi_util.c | 29 +++++++++++++++++++++++++++++
2 files changed, 30 insertions(+)
diff --git a/src/tss2-fapi/fapi_int.h b/src/tss2-fapi/fapi_int.h
index 13c0333e..d13ec413 100644
--- a/src/tss2-fapi/fapi_int.h
+++ b/src/tss2-fapi/fapi_int.h
@@ -341,6 +341,7 @@ enum IFAPI_KEY_CREATE_STATE {
KEY_CREATE_FLUSH1,
KEY_CREATE_FLUSH2,
KEY_CREATE_CALCULATE_POLICY,
+ KEY_CREATE_PRIMARY_CALCULATE_POLICY,
KEY_CREATE_WAIT_FOR_AUTHORIZATION,
KEY_CREATE_CLEANUP,
KEY_CREATE_WAIT_FOR_RANDOM,
diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
index a5fc28a3..a0fd714e 100644
--- a/src/tss2-fapi/fapi_util.c
+++ b/src/tss2-fapi/fapi_util.c
@@ -4539,6 +4539,35 @@ ifapi_create_primary(
"hierarchy.", error_cleanup);
}
+ if (context->cmd.Key_Create.policyPath
+ && strcmp(context->cmd.Key_Create.policyPath, "") != 0)
+ context->cmd.Key_Create.state = KEY_CREATE_PRIMARY_CALCULATE_POLICY;
+ /* else jump over to KEY_CREATE_PRIMARY_WAIT_FOR_SESSION below */
+ /* FALLTHRU */
+ case KEY_CREATE_PRIMARY_CALCULATE_POLICY:
+ if (context->cmd.Key_Create.state == KEY_CREATE_PRIMARY_CALCULATE_POLICY) {
+ r = ifapi_calculate_tree(context, context->cmd.Key_Create.policyPath,
+ &context->policy.policy,
+ context->cmd.Key_Create.public_templ.public.publicArea.nameAlg,
+ &context->policy.digest_idx,
+ &context->policy.hash_size);
+ return_try_again(r);
+ goto_if_error2(r, "Calculate policy tree %s", error_cleanup,
+ context->cmd.Key_Create.policyPath);
+
+ /* Store the calculated policy in the key object */
+ object->policy = calloc(1, sizeof(TPMS_POLICY));
+ return_if_null(object->policy, "Out of memory",
+ TSS2_FAPI_RC_MEMORY);
+ *(object->policy) = context->policy.policy;
+
+ context->cmd.Key_Create.public_templ.public.publicArea.authPolicy.size =
+ context->policy.hash_size;
+ memcpy(&context->cmd.Key_Create.public_templ.public.publicArea.authPolicy.buffer[0],
+ &context->policy.policy.policyDigests.digests[context->policy.digest_idx].digest,
+ context->policy.hash_size);
+ }
+
r = ifapi_get_sessions_async(context,
IFAPI_SESSION_GENEK | IFAPI_SESSION1,
TPMA_SESSION_ENCRYPT | TPMA_SESSION_DECRYPT, 0);
--
2.34.3

47
SOURCES/0006-FAPI-Test-Use-EVP_PKEY_base_id-to-detect-key-type.patch
Unescape View File

@ -0,0 +1,47 @@
From 6e9c46f8c3bf91aac51b668fa78c3173c885760c Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Sat, 17 Jul 2021 21:29:25 +0200
Subject: FAPI Test: Use EVP_PKEY_base_id to detect key type
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The EVP_PKEY_base_id is the right way to detect key type, used also
by OpenSSL itself.
This function is available since OpenSSL 1.0.0.
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
test/integration/fapi-data-crypt.int.c | 2 +-
test/integration/fapi-key-create-policy-signed.int.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/test/integration/fapi-data-crypt.int.c b/test/integration/fapi-data-crypt.int.c
index d42466db..a95cc9ef 100644
--- a/test/integration/fapi-data-crypt.int.c
+++ b/test/integration/fapi-data-crypt.int.c
@@ -133,7 +133,7 @@ signatureCallback(
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.",
error_cleanup);
}
- if (EVP_PKEY_type(EVP_PKEY_id(priv_key)) == EVP_PKEY_RSA) {
+ if (EVP_PKEY_base_id(priv_key) == EVP_PKEY_RSA) {
int signing_scheme = RSA_SIG_SCHEME;
if (1 != EVP_PKEY_CTX_set_rsa_padding(pctx, signing_scheme)) {
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL set RSA padding.",
diff --git a/test/integration/fapi-key-create-policy-signed.int.c b/test/integration/fapi-key-create-policy-signed.int.c
index b903dec0..8f917d35 100644
--- a/test/integration/fapi-key-create-policy-signed.int.c
+++ b/test/integration/fapi-key-create-policy-signed.int.c
@@ -148,7 +148,7 @@ signatureCallback(
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.",
error_cleanup);
}
- if (EVP_PKEY_type(EVP_PKEY_id(priv_key)) == EVP_PKEY_RSA) {
+ if (EVP_PKEY_base_id(priv_key) == EVP_PKEY_RSA) {
int signing_scheme = RSA_SIG_SCHEME;
if (1 != EVP_PKEY_CTX_set_rsa_padding(pctx, signing_scheme)) {
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL set RSA padding.",
--
2.26.3

137
SOURCES/0007-FAPI-Fix-loading-of-primary-keys.patch
Unescape View File

@ -0,0 +1,137 @@
From 517e94ee72b286e9942a5a6ecbffd05fc0b0bcf5 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
Date: Fri, 5 Nov 2021 23:08:47 +0100
Subject: [PATCH 07/23] FAPI: Fix loading of primary keys.
Problems caused by primary keys created with Fapi_CreateKey are fixed:
* For primary keys not in all cases the unique field was cleared before calling create
primary.
* If the primary key was used for signing the object was cleared after loading. So
access e.g. to the certificate did not work.
* For primary keys created with Fapi_Create with an auth value the auth_value was
not used in inSensitive to recreate the primary key. Now the auth value callback
is used to initialize inSensitive.
Fixes #2189.
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
---
src/tss2-fapi/fapi_int.h | 1 +
src/tss2-fapi/fapi_util.c | 62 +++++++++++++++++++++++++++++++++++++--
2 files changed, 60 insertions(+), 3 deletions(-)
diff --git a/src/tss2-fapi/fapi_int.h b/src/tss2-fapi/fapi_int.h
index d13ec413..7bcf442c 100644
--- a/src/tss2-fapi/fapi_int.h
+++ b/src/tss2-fapi/fapi_int.h
@@ -768,6 +768,7 @@ enum _FAPI_STATE_PRIMARY {
PRIMARY_READ_HIERARCHY,
PRIMARY_READ_HIERARCHY_FINISH,
PRIMARY_AUTHORIZE_HIERARCHY,
+ PRIMARY_GET_AUTH_VALUE,
PRIMARY_WAIT_FOR_PRIMARY,
PRIMARY_HAUTH_SENT,
PRIMARY_CREATED,
diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
index a0fd714e..90f8b2aa 100644
--- a/src/tss2-fapi/fapi_util.c
+++ b/src/tss2-fapi/fapi_util.c
@@ -362,6 +362,52 @@ ifapi_get_object_path(IFAPI_OBJECT *object)
return NULL;
}
+/** Set authorization value for a primary key to be created.
+ *
+ * The callback which provides the auth value must be defined.
+ *
+ * @param[in,out] context The FAPI_CONTEXT.
+ * @param[in] object The auth value will be assigned to this object.
+ * @param[in,out] inSensitive The sensitive data to store the auth value.
+ *
+ * @retval TSS2_RC_SUCCESS on success.
+ * @retval TSS2_FAPI_RC_AUTHORIZATION_UNKNOWN If the callback for getting
+ * the auth value is not defined.
+ */
+TSS2_RC
+ifapi_set_auth_primary(
+ FAPI_CONTEXT *context,
+ IFAPI_OBJECT *object,
+ TPMS_SENSITIVE_CREATE *inSensitive)
+{
+ TSS2_RC r;
+ const char *auth = NULL;
+ const char *obj_path;
+
+ memset(inSensitive, 0, sizeof(TPMS_SENSITIVE_CREATE));
+
+ if (!object->misc.key.with_auth) {
+ return TSS2_RC_SUCCESS;
+ }
+
+ obj_path = ifapi_get_object_path(object);
+
+ /* Check whether callback is defined. */
+ if (context->callbacks.auth) {
+ r = context->callbacks.auth(obj_path, object->misc.key.description,
+ &auth, context->callbacks.authData);
+ return_if_error(r, "AuthCallback");
+ if (auth != NULL) {
+ inSensitive->userAuth.size = strlen(auth);
+ memcpy(&inSensitive->userAuth.buffer[0], auth,
+ inSensitive->userAuth.size);
+ }
+ return TSS2_RC_SUCCESS;
+ }
+ SAFE_FREE(auth);
+ return_error( TSS2_FAPI_RC_AUTHORIZATION_UNKNOWN, "Authorization callback not defined.");
+}
+
/** Set authorization value for a FAPI object.
*
* The callback which provides the auth value must be defined.
@@ -848,7 +894,7 @@ ifapi_load_primary_finish(FAPI_CONTEXT *context, ESYS_TR *handle)
IFAPI_KEY *pkey = &context->createPrimary.pkey_object.misc.key;
TPMS_CAPABILITY_DATA **capabilityData = &context->createPrimary.capabilityData;
TPMI_YES_NO moreData;
- ESYS_TR auth_session;
+ ESYS_TR auth_session = ESYS_TR_NONE; /* Initialized due to scanbuild */
LOG_TRACE("call");
@@ -923,12 +969,23 @@ ifapi_load_primary_finish(FAPI_CONTEXT *context, ESYS_TR *handle)
memset(&context->createPrimary.inSensitive, 0, sizeof(TPM2B_SENSITIVE_CREATE));
memset(&context->createPrimary.outsideInfo, 0, sizeof(TPM2B_DATA));
memset(&context->createPrimary.creationPCR, 0, sizeof(TPML_PCR_SELECTION));
+ fallthrough;
+
+ statecase(context->primary_state, PRIMARY_GET_AUTH_VALUE);
+ /* Get the auth value to be stored in inSensitive */
+ r = ifapi_set_auth_primary(context, pkey_object,
+ &context->createPrimary.inSensitive.sensitive);
+ return_try_again(r);
+ goto_if_error_reset_state(r, "Get auth value for primary", error_cleanup);
/* Prepare primary creation. */
+ TPM2B_PUBLIC public = pkey->public;
+ memset(&public.publicArea.unique, 0, sizeof(TPMU_PUBLIC_ID));
+
r = Esys_CreatePrimary_Async(context->esys, hierarchy->handle,
auth_session, ESYS_TR_NONE, ESYS_TR_NONE,
&context->createPrimary.inSensitive,
- &pkey->public,
+ &public,
&context->createPrimary.outsideInfo,
&context->createPrimary.creationPCR);
return_if_error(r, "CreatePrimary");
@@ -1905,7 +1962,6 @@ ifapi_load_key_finish(FAPI_CONTEXT *context, bool flush_parent)
} else {
LOG_TRACE("success");
ifapi_cleanup_ifapi_object(context->loadKey.key_object);
- ifapi_cleanup_ifapi_object(&context->loadKey.auth_object);
return TSS2_RC_SUCCESS;
}
break;
--
2.34.3

100
SOURCES/0007-FAPI-Test-Change-RSA_sign-to-EVP_PKEY_sign.patch
Unescape View File

@ -0,0 +1,100 @@
From 9ca735ab8f71a6b64f31867e55d43f3f5a51bfec Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Sun, 18 Jul 2021 11:54:50 +0200
Subject: FAPI Test: Change RSA_sign to EVP_PKEY_sign
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The EVP_PKEY_sign functions are available since OpenSSL 1.0.0.
The RSA_sign function is deprecated in OpenSSL 3.0.0.
This PR should work with OpenSSL 1.0.0 through 3.0.0.
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
test/integration/fapi-ext-public-key.int.c | 38 +++++++++++-----------
1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/test/integration/fapi-ext-public-key.int.c b/test/integration/fapi-ext-public-key.int.c
index 363c58b7..971d7897 100644
--- a/test/integration/fapi-ext-public-key.int.c
+++ b/test/integration/fapi-ext-public-key.int.c
@@ -49,7 +49,7 @@ test_fapi_ext_public_key(FAPI_CONTEXT *context)
BIO *bufio = NULL;
EVP_PKEY *evp_key = NULL;
- RSA *rsa_key = NULL;
+ EVP_PKEY_CTX *ctx = NULL;
/* Key will be used for non TPM signature verfication. */
char *pubkey_pem =
@@ -186,10 +186,8 @@ test_fapi_ext_public_key(FAPI_CONTEXT *context)
bufio = BIO_new_mem_buf((void *)priv_pem, strlen(priv_pem));
evp_key = PEM_read_bio_PrivateKey(bufio, NULL, NULL, NULL);
- rsa_key = EVP_PKEY_get1_RSA(evp_key);
-
- if (!bufio || !evp_key || !rsa_key) {
+ if (!bufio || !evp_key) {
LOG_ERROR("Generation of test key failed.");
goto error;
}
@@ -199,10 +197,20 @@ test_fapi_ext_public_key(FAPI_CONTEXT *context)
0x25, 0x71, 0x78, 0x50, 0xc2, 0x6c, 0x9c, 0xd0, 0xd8, 0x9d
};
uint8_t signature[256];
- unsigned int signatureLength = 256;
+ size_t signatureLength = 256;
- if (!RSA_sign(NID_sha1, digest, 20, signature, &signatureLength, rsa_key)) {
- LOG_ERROR("Test RSA_sign failed.");
+ if ((ctx = EVP_PKEY_CTX_new(evp_key, NULL)) == NULL) {
+ LOG_ERROR("Test EVP_PKEY_CTX_new failed.");
+ goto error;
+ }
+ if (EVP_PKEY_sign_init(ctx) <= 0
+ || EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0
+ || EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha1()) <= 0) {
+ LOG_ERROR("Test EVP_PKEY_sign_init failed.");
+ goto error;
+ }
+ if (EVP_PKEY_sign(ctx, signature, &signatureLength, digest, 20) <= 0) {
+ LOG_ERROR("Test EVP_PKEY_sign failed.");
goto error;
}
@@ -243,12 +251,8 @@ test_fapi_ext_public_key(FAPI_CONTEXT *context)
if (bufio) {
BIO_free(bufio);
}
- if (evp_key) {
- EVP_PKEY_free(evp_key);
- }
- if (rsa_key) {
- RSA_free(rsa_key);
- }
+ EVP_PKEY_CTX_free(ctx);
+ EVP_PKEY_free(evp_key);
SAFE_FREE(path_list);
SAFE_FREE(cert2);
return EXIT_SUCCESS;
@@ -258,12 +262,8 @@ error:
if (bufio) {
BIO_free(bufio);
}
- if (evp_key) {
- EVP_PKEY_free(evp_key);
- }
- if (rsa_key) {
- RSA_free(rsa_key);
- }
+ EVP_PKEY_CTX_free(ctx);
+ EVP_PKEY_free(evp_key);
SAFE_FREE(path_list);
SAFE_FREE(cert2);
return EXIT_FAILURE;
--
2.26.3

84
SOURCES/0008-Fix-file-descriptor-leak-when-tcti-initialization-fa.patch
Unescape View File

@ -0,0 +1,84 @@
From 68a7867198c84111bac3068c33d28e320df6a6f6 Mon Sep 17 00:00:00 2001
From: JerryDevis <seclab@huawei.com>
Date: Wed, 13 Oct 2021 11:26:03 +0800
Subject: [PATCH 08/23] Fix file descriptor leak when tcti initialization
failed
Signed-off-by: JerryDevis <seclab@huawei.com>
---
src/tss2-tcti/tcti-device.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/src/tss2-tcti/tcti-device.c b/src/tss2-tcti/tcti-device.c
index 94db070c..364297be 100644
--- a/src/tss2-tcti/tcti-device.c
+++ b/src/tss2-tcti/tcti-device.c
@@ -309,6 +309,16 @@ out:
return rc;
}
+static void close_tpm(int *fd)
+{
+ if (fd == NULL || *fd < 0) {
+ return;
+ }
+
+ close(*fd);
+ *fd = -1;
+}
+
void
tcti_device_finalize (
TSS2_TCTI_CONTEXT *tctiContext)
@@ -319,7 +329,7 @@ tcti_device_finalize (
if (tcti_dev == NULL) {
return;
}
- close (tcti_dev->fd);
+ close_tpm (&tcti_dev->fd);
tcti_common->state = TCTI_STATE_FINAL;
}
@@ -455,6 +465,7 @@ Tss2_Tcti_Device_Init (
ssize_t sz = write_all (tcti_dev->fd, cmd, sizeof(cmd));
if (sz < 0 || sz != sizeof(cmd)) {
LOG_ERROR ("Could not probe device for partial response read support");
+ close_tpm (&tcti_dev->fd);
return TSS2_TCTI_RC_IO_ERROR;
}
LOG_DEBUG ("Command sent, reading header");
@@ -465,12 +476,14 @@ Tss2_Tcti_Device_Init (
if (rc_poll < 0 || rc_poll == 0) {
LOG_ERROR ("Failed to poll for response from fd %d, rc %d, errno %d: %s",
tcti_dev->fd, rc_poll, errno, strerror(errno));
+ close_tpm (&tcti_dev->fd);
return TSS2_TCTI_RC_IO_ERROR;
} else if (fds.revents == POLLIN) {
TEMP_RETRY (sz, read (tcti_dev->fd, rsp, TPM_HEADER_SIZE));
if (sz < 0 || sz != TPM_HEADER_SIZE) {
LOG_ERROR ("Failed to read response header fd %d, got errno %d: %s",
tcti_dev->fd, errno, strerror (errno));
+ close_tpm (&tcti_dev->fd);
return TSS2_TCTI_RC_IO_ERROR;
}
}
@@ -482,6 +495,7 @@ Tss2_Tcti_Device_Init (
if (rc_poll < 0) {
LOG_DEBUG ("Failed to poll for response from fd %d, rc %d, errno %d: %s",
tcti_dev->fd, rc_poll, errno, strerror(errno));
+ close_tpm (&tcti_dev->fd);
return TSS2_TCTI_RC_IO_ERROR;
} else if (rc_poll == 0) {
LOG_ERROR ("timeout waiting for response from fd %d", tcti_dev->fd);
@@ -495,7 +509,7 @@ Tss2_Tcti_Device_Init (
LOG_DEBUG ("Failed to get response tail fd %d, got errno %d: %s",
tcti_dev->fd, errno, strerror (errno));
tcti_common->partial_read_supported = 0;
- close(tcti_dev->fd);
+ close_tpm (&tcti_dev->fd);
tcti_dev->fd = open_tpm (used_conf);
if (tcti_dev->fd < 0) {
LOG_ERROR ("Failed to open specified TCTI device file %s: %s",
--
2.34.3

65
SOURCES/0008-Require-OpenSSL-1.1.0.patch
Unescape View File

@ -0,0 +1,65 @@
From 090a10a69340dc0825f611eceac60bf3f904a5ec Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Sat, 17 Jul 2021 22:43:00 +0200
Subject: Require OpenSSL >= 1.1.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
To reduce the amount of version-specific code we drop support for
OpenSSL prior 1.1.0, including all forks such as LibreSSL, which are
not API compatible with OpenSSL >= 1.1.0.
Python 3.10 will even require OpenSSL >= 1.1.1. The corresponding
PEP 644 contains a detailed impact analysis which is also relevant
here.
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
INSTALL.md | 3 +--
configure.ac | 6 +++++-
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/INSTALL.md b/INSTALL.md
index eec94c45..658e1f28 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -14,7 +14,7 @@ following sections describe them for the supported platforms.
* C library development libraries and header files
* pkg-config
* doxygen
-* OpenSSL development libraries and header files
+* OpenSSL development libraries and header files, version >= 1.1.0
* libcurl development libraries
The following are dependencies only required when building test suites.
@@ -71,7 +71,6 @@ C Runtime (UCRT) version 10.0.16299.0. Building the type marshaling library
(tss2-mu.dll) and the system API (tss2-sapi.dll) should be as simple as
loading the tpm2-tss solution (tpm2-tss.sln) with a compatible and properly
configured version of Visual Studio 2017 and pressing the 'build' button.
-Windows build setup requires OpenSSL >= v1.0.2 crypto library.
### References
Visual Studio 2017 with "Clang for Windows": https://blogs.msdn.microsoft.com/vcblog/2017/03/07/use-any-c-compiler-with-visual-studio/
diff --git a/configure.ac b/configure.ac
index d4324c9a..12baa257 100755
--- a/configure.ac
+++ b/configure.ac
@@ -132,9 +132,13 @@ AC_ARG_WITH([crypto],
AM_CONDITIONAL(ESYS_OSSL, test "x$with_crypto" = "xossl")
AM_CONDITIONAL(ESYS_MBED, test "x$with_crypto" = "xmbed")
+m4_define([ossl_min_version], [1.1.0])
+m4_define([ossl_err], [OpenSSL libcrypto is missing or version requirements not met. OpenSSL version must be >= ossl_min_version])
AS_IF([test "x$enable_esys" = xyes],
[AS_IF([test "x$with_crypto" = xossl], [
- PKG_CHECK_MODULES([LIBCRYPTO], [libcrypto])
+ PKG_CHECK_MODULES([LIBCRYPTO],
+ [libcrypto >= ossl_min_version],,
+ [AC_MSG_ERROR([ossl_err])])
AC_DEFINE([OSSL], [1], [OpenSSL cryptographic backend])
TSS2_ESYS_CFLAGS_CRYPTO="$LIBCRYPTO_CFLAGS"
TSS2_ESYS_LDFLAGS_CRYPTO="$LIBCRYPTO_LIBS"
--
2.26.3

124
SOURCES/0009-FAPI-Change-SHA256_Update-to-EVP_DigestUpdate.patch
Unescape View File

@ -0,0 +1,124 @@
From 75da8bd937e6bca14832240321a679634159f75b Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Sun, 18 Jul 2021 13:12:56 +0200
Subject: FAPI: Change SHA256_Update to EVP_DigestUpdate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Although the EVP_DigestUpdate functions are available in all OpenSSL
versions and the EVP_DigestFinal_ex was added in OpenSSL 0.9.7, the
EVP_MD_CTX_new was introduced in OpenSSL 1.1.0.
The SHA256_Update function is deprecated in OpenSSL 3.0.0.
This PR should work with OpenSSL 1.1.0 through 3.0.0.
- Compared to the upstream commit f4f528ff the changes related to the
unit test are omitted.
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
src/tss2-fapi/ifapi_get_intl_cert.c | 43 +++++++++++++++++------------
1 file changed, 25 insertions(+), 18 deletions(-)
diff --git a/src/tss2-fapi/ifapi_get_intl_cert.c b/src/tss2-fapi/ifapi_get_intl_cert.c
index 2fb17fd0..9290a17e 100644
--- a/src/tss2-fapi/ifapi_get_intl_cert.c
+++ b/src/tss2-fapi/ifapi_get_intl_cert.c
@@ -52,21 +52,26 @@ static unsigned char *hash_ek_public(TPM2B_PUBLIC *ek_public) {
return NULL;
}
- SHA256_CTX sha256;
- int is_success = SHA256_Init(&sha256);
+ EVP_MD_CTX *sha256ctx = EVP_MD_CTX_new();
+ if (!sha256ctx) {
+ LOG_ERROR("EVP_MD_CTX_new failed");
+ goto err;
+ }
+
+ int is_success = EVP_DigestInit(sha256ctx, EVP_sha256());
if (!is_success) {
- LOG_ERROR("SHA256_Init failed");
+ LOG_ERROR("EVP_DigestInit failed");
goto err;
}
switch (ek_public->publicArea.type) {
case TPM2_ALG_RSA:
/* Add public key to the hash. */
- is_success = SHA256_Update(&sha256,
- ek_public->publicArea.unique.rsa.buffer,
- ek_public->publicArea.unique.rsa.size);
+ is_success = EVP_DigestUpdate(sha256ctx,
+ ek_public->publicArea.unique.rsa.buffer,
+ ek_public->publicArea.unique.rsa.size);
if (!is_success) {
- LOG_ERROR("SHA256_Update failed");
+ LOG_ERROR("EVP_DigestUpdate failed");
goto err;
}
@@ -77,28 +82,28 @@ static unsigned char *hash_ek_public(TPM2B_PUBLIC *ek_public) {
}
/* Exponent 65537 will be added. */
BYTE buf[3] = { 0x1, 0x00, 0x01 };
- is_success = SHA256_Update(&sha256, buf, sizeof(buf));
+ is_success = EVP_DigestUpdate(sha256ctx, buf, sizeof(buf));
if (!is_success) {
- LOG_ERROR("SHA256_Update failed");
+ LOG_ERROR("EVP_DigestUpdate failed");
goto err;
}
break;
case TPM2_ALG_ECC:
- is_success = SHA256_Update(&sha256,
- ek_public->publicArea.unique.ecc.x.buffer,
- ek_public->publicArea.unique.ecc.x.size);
+ is_success = EVP_DigestUpdate(sha256ctx,
+ ek_public->publicArea.unique.ecc.x.buffer,
+ ek_public->publicArea.unique.ecc.x.size);
if (!is_success) {
- LOG_ERROR("SHA256_Update failed");
+ LOG_ERROR("EVP_DigestUpdate failed");
goto err;
}
/* Add public key to the hash. */
- is_success = SHA256_Update(&sha256,
- ek_public->publicArea.unique.ecc.y.buffer,
- ek_public->publicArea.unique.ecc.y.size);
+ is_success = EVP_DigestUpdate(sha256ctx,
+ ek_public->publicArea.unique.ecc.y.buffer,
+ ek_public->publicArea.unique.ecc.y.size);
if (!is_success) {
- LOG_ERROR("SHA256_Update failed");
+ LOG_ERROR("EVP_DigestUpdate failed");
goto err;
}
break;
@@ -108,17 +113,19 @@ static unsigned char *hash_ek_public(TPM2B_PUBLIC *ek_public) {
goto err;
}
- is_success = SHA256_Final(hash, &sha256);
+ is_success = EVP_DigestFinal_ex(sha256ctx, hash, NULL);
if (!is_success) {
LOG_ERROR("SHA256_Final failed");
goto err;
}
+ EVP_MD_CTX_free(sha256ctx);
LOG_TRACE("public-key-hash:");
LOG_TRACE(" sha256: ");
LOGBLOB_TRACE(&hash[0], SHA256_DIGEST_LENGTH, "Hash");
return hash;
err:
+ EVP_MD_CTX_free(sha256ctx);
free(hash);
return NULL;
}
--
2.26.3

28
SOURCES/0009-FAPI-Fix-leak-in-fapi-crypto-with-ossl3.patch
Unescape View File

@ -0,0 +1,28 @@
From e1b4d9fd5b796711b38475c381a168a99003163c Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
Date: Thu, 2 Dec 2021 09:17:15 +0100
Subject: [PATCH 09/23] FAPI: Fix leak in fapi crypto with ossl3
A leak in the case "out of memory" detected by scan-build was fixed.
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
---
src/tss2-fapi/fapi_crypto.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tss2-fapi/fapi_crypto.c b/src/tss2-fapi/fapi_crypto.c
index d061cf48..fd7ea555 100644
--- a/src/tss2-fapi/fapi_crypto.c
+++ b/src/tss2-fapi/fapi_crypto.c
@@ -1573,7 +1573,7 @@ ifapi_crypto_hash_start(IFAPI_CRYPTO_CONTEXT_BLOB **context,
* As we don't want the TPM to be called for these operations, we have
* to initialize own library context with the default provider. */
mycontext->libctx = OSSL_LIB_CTX_new();
- return_if_null(mycontext->libctx, "Out of memory", TSS2_FAPI_RC_MEMORY);
+ goto_if_null(mycontext->libctx, "Out of memory", TSS2_FAPI_RC_MEMORY, cleanup);
if (!(mycontext->osslHashAlgorithm =
EVP_MD_fetch(mycontext->libctx, get_hash_md(hashAlgorithm), NULL))) {
--
2.34.3

29
SOURCES/0010-FAPI-Fix-memory-leak-after-ifapi_init_primary_finish.patch
Unescape View File

@ -0,0 +1,29 @@
From 5652a33144973bdf570bea033ec185f8a7a6d038 Mon Sep 17 00:00:00 2001
From: JerryDevis <JerryDevis@users.noreply.github.com>
Date: Tue, 21 Dec 2021 17:44:00 +0800
Subject: [PATCH 10/23] FAPI: Fix memory leak after ifapi_init_primary_finish
failed
Signed-off-by: JerryDevis <JerryDevis@users.noreply.github.com>
---
src/tss2-fapi/fapi_util.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
index 90f8b2aa..cd4e0979 100644
--- a/src/tss2-fapi/fapi_util.c
+++ b/src/tss2-fapi/fapi_util.c
@@ -807,6 +807,10 @@ ifapi_init_primary_finish(FAPI_CONTEXT *context, TSS2_KEY_TYPE ktype, IFAPI_OBJE
}
error_cleanup:
+ SAFE_FREE(outPublic);
+ SAFE_FREE(creationData);
+ SAFE_FREE(creationHash);
+ SAFE_FREE(creationTicket);
ifapi_cleanup_ifapi_object(&context->createPrimary.pkey_object);
free_string_list(k_sub_path);
SAFE_FREE(pkey->serialization.buffer);
--
2.34.3

124
SOURCES/0010-Test-Use-EVP_MAC_xxx-with-OpenSSL-3.0.patch
Unescape View File

@ -0,0 +1,124 @@
From 89b2bd01f6fa1e267f57b2ceeb2ffaafb9cdb7c0 Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Sun, 18 Jul 2021 14:56:18 +0200
Subject: Test: Use EVP_MAC_xxx with OpenSSL 3.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Drop support for OpenSSL < 1.1.0 and add support for OpenSSL >= 3.0.0.
The HMAC_Update is deprecated in OpenSSL 3.0, but the replacement
EVP_MAC_update was added in OpenSSL 3.0, so version specific code is
needed.
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
test/integration/sys-util.c | 50 +++++++++++++++++++++++--------------
1 file changed, 31 insertions(+), 19 deletions(-)
diff --git a/test/integration/sys-util.c b/test/integration/sys-util.c
index af83cf55..5865f002 100644
--- a/test/integration/sys-util.c
+++ b/test/integration/sys-util.c
@@ -13,10 +13,13 @@
#include <string.h>
#include <assert.h>
+#include <openssl/evp.h>
#include <openssl/sha.h>
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
#include <openssl/hmac.h>
-#include <openssl/evp.h>
-#include <openssl/opensslv.h>
+#else
+#include <openssl/core_names.h>
+#endif
#define LOGMODULE testintegration
#include "util/log.h"
@@ -489,22 +492,18 @@ hmac(
TPM2B_DIGEST **buffer_list,
TPM2B_DIGEST *out)
{
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- HMAC_CTX *ctx;
-#else
- HMAC_CTX _ctx;
- HMAC_CTX *ctx = &_ctx;
-#endif
- EVP_MD *evp;
int rc = 1, i;
- unsigned int *buf = NULL, size;
+ unsigned int *buf = NULL;
uint8_t *buf_ptr;
+ EVP_MD *evp;
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- /* HMAC_CTX_new and HMAC_CTX_free are new in openSSL 1.1.0 */
- ctx = HMAC_CTX_new();
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ unsigned int size;
+ HMAC_CTX *ctx = HMAC_CTX_new();
#else
- HMAC_CTX_init(ctx);
+ size_t size;
+ EVP_MAC *hmac = EVP_MAC_fetch(NULL, "HMAC", NULL);
+ EVP_MAC_CTX *ctx = EVP_MAC_CTX_new(hmac);
#endif
if (!ctx)
@@ -538,21 +537,33 @@ hmac(
buf_ptr = (uint8_t *)buf;
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
rc = HMAC_Init_ex(ctx, key, key_len, evp, NULL);
#else
- rc = HMAC_Init(ctx, key, key_len, evp);
-#endif
+ OSSL_PARAM params[2];
+ params[0] = OSSL_PARAM_construct_utf8_string(OSSL_ALG_PARAM_DIGEST,
+ (char *)EVP_MD_get0_name(evp), 0);
+ params[1] = OSSL_PARAM_construct_end();
+ rc = EVP_MAC_init(ctx, key, key_len, params);
+#endif
if (rc != 1)
goto out;
for (i = 0; buffer_list[i] != 0; i++) {
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
rc = HMAC_Update(ctx, buffer_list[i]->buffer, buffer_list[i]->size);
+#else
+ rc = EVP_MAC_update(ctx, buffer_list[i]->buffer, buffer_list[i]->size);
+#endif
if (rc != 1)
goto out;
}
/* buf_ptr has to be 4 bytes alligned for whatever reason */
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
rc = HMAC_Final(ctx, buf_ptr, &size);
+#else
+ rc = EVP_MAC_final(ctx, buf_ptr, &size, out->size);
+#endif
if (rc != 1)
goto out;
@@ -561,10 +572,11 @@ hmac(
memcpy(out->buffer, buf, out->size);
out:
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
HMAC_CTX_free(ctx);
#else
- HMAC_CTX_cleanup(ctx);
+ EVP_MAC_CTX_free(ctx);
+ EVP_MAC_free(hmac);
#endif
if (buf)
--
2.26.3

313
SOURCES/0011-Drop-support-for-OpenSSL-1.1.0.patch
Unescape View File

@ -0,0 +1,313 @@
From df8495b73df96f55425970e76c613b8a0950bf0c Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Sun, 18 Jul 2021 20:21:01 +0200
Subject: Drop support for OpenSSL < 1.1.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Delete code written to support OpenSSL < 1.1.0
Delete functions that have no effect in OpenSSL >= 1.1.0
- ENGINE_load_builtin_engines()
- OpenSSL_add_all_algorithms()
- ERR_load_crypto_strings()
- EC_KEY_set_asn1_flag(ecKey, OPENSSL_EC_NAMED_CURVE)
Switch AppVeyor to use pre-built OpenSSL 1.1.0
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
src/tss2-esys/esys_crypto_ossl.c | 19 ----------------
src/tss2-esys/tss2-esys.vcxproj | 16 +++++++-------
src/tss2-fapi/fapi_crypto.c | 37 --------------------------------
test/helper/tpm_getek.c | 11 ----------
test/helper/tpm_getek_ecc.c | 9 --------
5 files changed, 8 insertions(+), 84 deletions(-)
diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c
index 2eb0dfcb..a6259346 100644
--- a/src/tss2-esys/esys_crypto_ossl.c
+++ b/src/tss2-esys/esys_crypto_ossl.c
@@ -525,11 +525,7 @@ iesys_cryptossl_random2b(TPM2B_NONCE * nonce, size_t num_bytes)
nonce->size = num_bytes;
}
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
RAND_set_rand_method(RAND_OpenSSL());
-#else
- RAND_set_rand_method(RAND_SSLeay());
-#endif
if (1 != RAND_bytes(&nonce->buffer[0], nonce->size)) {
RAND_set_rand_method(rand_save);
return_error(TSS2_ESYS_RC_GENERAL_FAILURE,
@@ -563,11 +559,7 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
size_t * out_size, const char *label)
{
const RAND_METHOD *rand_save = RAND_get_rand_method();
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
RAND_set_rand_method(RAND_OpenSSL());
-#else
- RAND_set_rand_method(RAND_SSLeay());
-#endif
TSS2_RC r = TSS2_RC_SUCCESS;
const EVP_MD * hashAlg = NULL;
@@ -630,14 +622,6 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
"Could not create evp key.", cleanup);
}
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- if (!BN_bin2bn(pub_tpm_key->publicArea.unique.rsa.buffer,
- pub_tpm_key->publicArea.unique.rsa.size,
- rsa_key->n)) {
- goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
- "Could not create rsa n.", cleanup);
- }
-#else
BIGNUM *n = NULL;
if (!(n = BN_bin2bn(pub_tpm_key->publicArea.unique.rsa.buffer,
pub_tpm_key->publicArea.unique.rsa.size,
@@ -650,7 +634,6 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
"Could not set rsa n.", cleanup);
}
-#endif
if (1 != EVP_PKEY_set1_RSA(evp_rsa_key, rsa_key)) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
@@ -1129,7 +1112,5 @@ iesys_cryptossl_sym_aes_decrypt(uint8_t * key,
*/
TSS2_RC
iesys_cryptossl_init() {
- ENGINE_load_builtin_engines();
- OpenSSL_add_all_algorithms();
return TSS2_RC_SUCCESS;
}
diff --git a/src/tss2-esys/tss2-esys.vcxproj b/src/tss2-esys/tss2-esys.vcxproj
index b75424aa..b2aa67ce 100644
--- a/src/tss2-esys/tss2-esys.vcxproj
+++ b/src/tss2-esys/tss2-esys.vcxproj
@@ -69,13 +69,13 @@
<RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
- <AdditionalIncludeDirectories>$(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-Win32\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+ <AdditionalIncludeDirectories>$(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-v11-Win32\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
</ClCompile>
<Link>
<TargetMachine>MachineX86</TargetMachine>
<GenerateDebugInformation>true</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
- <AdditionalDependencies>$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-Win32\lib\libeay32.lib;C:\OpenSSL-Win32\lib\libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+ <AdditionalDependencies>$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-v11-Win32\lib\libcrypto.lib;C:\OpenSSL-v11-Win32\lib\libcrypto.lib;%(AdditionalDependencies)</AdditionalDependencies>
<ModuleDefinitionFile>$(SolutionDir)\lib\tss2-esys.def</ModuleDefinitionFile>
</Link>
</ItemDefinitionGroup>
@@ -84,7 +84,7 @@
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;TSS2ESYS_EXPORTS;MAXLOGLEVEL=6;strtok_r=strtok_s;OSSL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
<WarningLevel>Level3</WarningLevel>
- <AdditionalIncludeDirectories>$(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-Win32\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+ <AdditionalIncludeDirectories>$(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-v11-Win32\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
</ClCompile>
<Link>
<TargetMachine>MachineX86</TargetMachine>
@@ -92,27 +92,27 @@
<SubSystem>Windows</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
- <AdditionalDependencies>$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-Win32\lib\libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+ <AdditionalDependencies>$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-v11-Win32\lib\libcrypto.lib;%(AdditionalDependencies)</AdditionalDependencies>
<ModuleDefinitionFile>$(SolutionDir)\lib\tss2-esys.def</ModuleDefinitionFile>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
- <AdditionalIncludeDirectories>$(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-Win64\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+ <AdditionalIncludeDirectories>$(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-v11-Win64\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>_DEBUG;_WINDOWS;_USRDLL;TSS2ESYS_EXPORTS;MAXLOGLEVEL=6;strtok_r=strtok_s;OSSL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<Link>
- <AdditionalDependencies>$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-Win64\lib\libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+ <AdditionalDependencies>$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-v11-Win64\lib\libcrypto.lib;%(AdditionalDependencies)</AdditionalDependencies>
<ModuleDefinitionFile>$(SolutionDir)\lib\tss2-esys.def</ModuleDefinitionFile>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
- <AdditionalIncludeDirectories>$(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-Win64\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+ <AdditionalIncludeDirectories>$(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-v11-Win64\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>NDEBUG;_WINDOWS;_USRDLL;TSS2ESYS_EXPORTS;MAXLOGLEVEL=6;strtok_r=strtok_s;OSSL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<Link>
- <AdditionalDependencies>$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-Win64\lib\libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+ <AdditionalDependencies>$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-v11-Win64\lib\libcrypto.lib;%(AdditionalDependencies)</AdditionalDependencies>
<ModuleDefinitionFile>$(SolutionDir)\lib\tss2-esys.def</ModuleDefinitionFile>
</Link>
</ItemDefinitionGroup>
diff --git a/src/tss2-fapi/fapi_crypto.c b/src/tss2-fapi/fapi_crypto.c
index f5b3d272..c97b0a1d 100644
--- a/src/tss2-fapi/fapi_crypto.c
+++ b/src/tss2-fapi/fapi_crypto.c
@@ -333,12 +333,7 @@ ifapi_tpm_ecc_sig_to_der(
tpmSignature->signature.ecdsa.signatureR.size, NULL);
goto_if_null(bnr, "Out of memory", TSS2_FAPI_RC_MEMORY, cleanup);
-#if OPENSSL_VERSION_NUMBER < 0x10100000
- ecdsaSignature->s = bns;
- ecdsaSignature->r = bnr;
-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
ECDSA_SIG_set0(ecdsaSignature, bnr, bns);
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
osslRC = i2d_ECDSA_SIG(ecdsaSignature, NULL);
if (osslRC == -1) {
@@ -424,20 +419,9 @@ ossl_rsa_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey)
"Could not set exponent.", error_cleanup);
}
-#if OPENSSL_VERSION_NUMBER < 0x10100000
- rsa->e = e;
- rsa->n = n;
- rsa->d = d;
- rsa->p = p;
- rsa->q = q;
- rsa->dmp1 = dmp1;
- rsa->dmq1 = dmq1;
- rsa->iqmp = iqmp;
-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
RSA_set0_key(rsa, n, e, d);
RSA_set0_factors(rsa, p, q);
RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp);
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
/* Assign the parameters to the key */
if (!EVP_PKEY_assign_RSA(evpPublicKey, rsa)) {
@@ -541,8 +525,6 @@ ossl_ecc_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey)
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Assign ecc key",
error_cleanup);
}
- /* Needed for older OSSL versions. */
- EC_KEY_set_asn1_flag(ecKey, OPENSSL_EC_NAMED_CURVE);
OSSL_FREE(y, BN);
OSSL_FREE(x, BN);
return TSS2_RC_SUCCESS;
@@ -654,24 +636,14 @@ ifapi_ecc_der_sig_to_tpm(
/* Initialize the ECDSA signature components */
ECDSA_SIG *ecdsaSignature = NULL;
-#if OPENSSL_VERSION_NUMBER < 0x10100000
- BIGNUM *bnr;
- BIGNUM *bns;
-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
const BIGNUM *bnr;
const BIGNUM *bns;
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
d2i_ECDSA_SIG(&ecdsaSignature, &signature, signatureSize);
return_if_null(ecdsaSignature, "Invalid DER signature",
TSS2_FAPI_RC_GENERAL_FAILURE);
-#if OPENSSL_VERSION_NUMBER < 0x10100000
- bns = ecdsaSignature->s;
- bnr = ecdsaSignature->r;
-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
ECDSA_SIG_get0(ecdsaSignature, &bnr, &bns);
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
/* Writing them to the TPM format signature */
tpmSignature->signature.ecdsa.hash = hashAlgorithm;
@@ -933,12 +905,7 @@ get_rsa_tpm2b_public_from_evp(
const BIGNUM *e = NULL, *n = NULL;
int rsaKeySize = RSA_size(rsaKey);
-#if OPENSSL_VERSION_NUMBER < 0x10100000
- e = rsaKey->e;
- n = rsaKey->n;
-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
RSA_get0_key(rsaKey, &n, &e, NULL);
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
tpmPublic->publicArea.unique.rsa.size = rsaKeySize;
if (1 != ifapi_bn2binpad(n, &tpmPublic->publicArea.unique.rsa.buffer[0],
rsaKeySize)) {
@@ -1650,8 +1617,6 @@ get_crl_from_cert(X509 *cert, X509_CRL **crl)
goto_error(r, TSS2_FAPI_RC_NO_CERT, "Get crl.", cleanup);
}
- OpenSSL_add_all_algorithms();
-
unsigned const char* tmp_ptr1 = crl_buffer;
unsigned const char** tmp_ptr2 = &tmp_ptr1;
@@ -1935,7 +1900,6 @@ ifapi_verify_ek_cert(
r, TSS2_FAPI_RC_BAD_VALUE, cleanup);
} else {
/* Get uri for ek intermediate certificate. */
- OpenSSL_add_all_algorithms();
info = X509_get_ext_d2i(ek_cert, NID_info_access, NULL, NULL);
for (i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++) {
@@ -1955,7 +1919,6 @@ ifapi_verify_ek_cert(
goto_if_null2(cert_buffer, "No certificate downloaded", r,
TSS2_FAPI_RC_NO_CERT, cleanup);
- OpenSSL_add_all_algorithms();
intermed_cert = get_cert_from_buffer(cert_buffer, cert_buffer_size);
SAFE_FREE(cert_buffer);
diff --git a/test/helper/tpm_getek.c b/test/helper/tpm_getek.c
index 21be0f46..c6a8e906 100644
--- a/test/helper/tpm_getek.c
+++ b/test/helper/tpm_getek.c
@@ -147,20 +147,9 @@ main (int argc, char *argv[])
exp = out_public.publicArea.parameters.rsaDetail.exponent;
BN_set_word(e, exp);
-#if OPENSSL_VERSION_NUMBER < 0x10100000
- rsa->e = e;
- rsa->n = n;
- rsa->d = d;
- rsa->p = p;
- rsa->q = q;
- rsa->dmp1 = dmp1;
- rsa->dmq1 = dmq1;
- rsa->iqmp = iqmp;
-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
RSA_set0_key(rsa, n, e, d);
RSA_set0_factors(rsa, p, q);
RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp);
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
EVP_PKEY_assign_RSA(evp, rsa);
diff --git a/test/helper/tpm_getek_ecc.c b/test/helper/tpm_getek_ecc.c
index 0419f47a..75165fdd 100644
--- a/test/helper/tpm_getek_ecc.c
+++ b/test/helper/tpm_getek_ecc.c
@@ -128,14 +128,6 @@ main (int argc, char *argv[])
/* Convert the key from out_public to PEM */
EVP_PKEY *evp = EVP_PKEY_new();
-
- OpenSSL_add_all_algorithms();
-
- OpenSSL_add_all_algorithms();
-
- ERR_load_crypto_strings();
-
-
EC_KEY *ecc_key = EC_KEY_new();
BIGNUM *x = NULL, *y = NULL;
BIO *bio;
@@ -159,7 +151,6 @@ main (int argc, char *argv[])
if (!EC_KEY_set_group(ecc_key, ecgroup))
exit(1);
- EC_KEY_set_asn1_flag(ecc_key, OPENSSL_EC_NAMED_CURVE);
EC_GROUP_free(ecgroup);
/* Set the ECC parameters in the OpenSSL key */
--
2.26.3

39
SOURCES/0011-esys-Return-an-error-if-ESYS_TR_NONE-is-passed-to-Es.patch
Unescape View File

@ -0,0 +1,39 @@
From 8b3891af6b8125f30c4b229ee1ba0b30a112664a Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
Date: Tue, 21 Dec 2021 11:59:28 +0100
Subject: [PATCH 11/23] esys: Return an error if ESYS_TR_NONE is passed to
Esys_TR_GetName.
A segfault was produced in this case. Fixes #2243.
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
---
src/tss2-esys/esys_tr.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/tss2-esys/esys_tr.c b/src/tss2-esys/esys_tr.c
index f0127d02..cf4caa09 100644
--- a/src/tss2-esys/esys_tr.c
+++ b/src/tss2-esys/esys_tr.c
@@ -408,6 +408,7 @@ Esys_TR_SetAuth(ESYS_CONTEXT * esys_context, ESYS_TR esys_handle,
* @retval TSS2_ESYS_RC_MEMORY if needed memory can't be allocated.
* @retval TSS2_ESYS_RC_GENERAL_FAILURE for errors of the crypto library.
* @retval TSS2_ESYS_RC_BAD_REFERENCE if the esysContext is NULL.
+ * @retval TSS2_ESYS_RC_BAD_TR if the handle is invalid.
* @retval TSS2_SYS_RC_* for SAPI errors.
*/
TSS2_RC
@@ -418,6 +419,10 @@ Esys_TR_GetName(ESYS_CONTEXT * esys_context, ESYS_TR esys_handle,
TSS2_RC r;
_ESYS_ASSERT_NON_NULL(esys_context);
+ if (esys_handle == ESYS_TR_NONE) {
+ return_error(TSS2_ESYS_RC_BAD_TR, "Name for ESYS_TR_NONE can't be determined.");
+ }
+
r = esys_GetResourceObject(esys_context, esys_handle, &esys_object);
return_if_error(r, "Object not found");
--
2.34.3

45
SOURCES/0012-FAPI-Fixed-memory-leak-when-ifapi_get_certificates-f.patch
Unescape View File

@ -0,0 +1,45 @@
From d03674af6f2a66bb6d94f5a50871301c8650522d Mon Sep 17 00:00:00 2001
From: JerryDevis <JerryDevis@users.noreply.github.com>
Date: Wed, 5 Jan 2022 20:55:21 +0800
Subject: [PATCH 12/23] FAPI: Fixed memory leak when ifapi_get_certificates
failed
Signed-off-by: JerryDevis <JerryDevis@users.noreply.github.com>
---
src/tss2-fapi/fapi_util.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
index cd4e0979..f64c4e8b 100644
--- a/src/tss2-fapi/fapi_util.c
+++ b/src/tss2-fapi/fapi_util.c
@@ -4328,7 +4328,7 @@ ifapi_get_certificates(
context->nv_cmd.nv_object.misc.nv.public.nvPublic.attributes = TPMA_NV_NO_DA;
r = ifapi_keystore_load_async(&context->keystore, &context->io, "/HS");
- return_if_error2(r, "Could not open hierarchy /HS");
+ goto_if_error_reset_state(r, "Could not open hierarchy /HS", error);
fallthrough;
@@ -4352,7 +4352,7 @@ ifapi_get_certificates(
context->session2 = ESYS_TR_NONE;
context->nv_cmd.nv_read_state = NV_READ_INIT;
memset(&context->nv_cmd.nv_object, 0, sizeof(IFAPI_OBJECT));
- Esys_Free(context->cmd.Provision.nvPublic);
+ SAFE_FREE(context->cmd.Provision.nvPublic);
fallthrough;
statecase(context->get_cert_state, GET_CERT_READ_CERT);
@@ -4382,7 +4382,7 @@ ifapi_get_certificates(
}
error:
- SAFE_FREE(context->cmd.Provision.capabilityData);
+ SAFE_FREE(context->cmd.Provision.nvPublic);
SAFE_FREE(context->cmd.Provision.capabilityData);
ifapi_cleanup_ifapi_object(&context->nv_cmd.auth_object);
ifapi_free_object_list(*cert_list);
--
2.34.3

1005
SOURCES/0012-Implement-EVP_PKEY-export-import-for-OpenSSL-3.0.patch
View File

File diff suppressed because it is too large Load Diff

25
SOURCES/0013-FAPI-Free-object-when-keystore_search_obj-failed.patch
Unescape View File

@ -0,0 +1,25 @@
From 53f235e27ee657266725137a551858b81c24c57b Mon Sep 17 00:00:00 2001
From: JerryDevis <JerryDevis@users.noreply.github.com>
Date: Wed, 5 Jan 2022 21:58:00 +0800
Subject: [PATCH 13/23] FAPI: Free object when keystore_search_obj failed
Signed-off-by: JerryDevis <JerryDevis@users.noreply.github.com>
---
src/tss2-fapi/ifapi_keystore.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/tss2-fapi/ifapi_keystore.c b/src/tss2-fapi/ifapi_keystore.c
index 743de133..e805029f 100644
--- a/src/tss2-fapi/ifapi_keystore.c
+++ b/src/tss2-fapi/ifapi_keystore.c
@@ -1239,6 +1239,7 @@ cleanup:
r = TSS2_FAPI_RC_KEY_NOT_FOUND;
}
keystore->key_search.state = KSEARCH_INIT;
+ ifapi_cleanup_ifapi_object(&object);
return r;
}
--
2.34.3

27
SOURCES/0014-FAPI-Fixed-the-memory-leak-of-command-data-when-Fapi.patch
Unescape View File

@ -0,0 +1,27 @@
From ba3ba5c4ec4f0362a0915c5ae5e002c9cbdc9f1e Mon Sep 17 00:00:00 2001
From: JerryDevis <JerryDevis@users.noreply.github.com>
Date: Wed, 5 Jan 2022 22:09:26 +0800
Subject: [PATCH 14/23] FAPI:Fixed the memory leak of command->data when
Fapi_GetEsysBlob_Finish failed
Signed-off-by: JerryDevis <JerryDevis@users.noreply.github.com>
---
src/tss2-fapi/api/Fapi_GetEsysBlob.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tss2-fapi/api/Fapi_GetEsysBlob.c b/src/tss2-fapi/api/Fapi_GetEsysBlob.c
index a54bece8..b152ae3a 100644
--- a/src/tss2-fapi/api/Fapi_GetEsysBlob.c
+++ b/src/tss2-fapi/api/Fapi_GetEsysBlob.c
@@ -395,7 +395,7 @@ error_cleanup:
ifapi_cleanup_ifapi_object(object);
ifapi_cleanup_ifapi_object(key_object);
SAFE_FREE(command->path);
- SAFE_FREE(*data);
+ SAFE_FREE(command->data);
SAFE_FREE(key_context);
ifapi_session_clean(context);
ifapi_cleanup_ifapi_object(&context->loadKey.auth_object);
--
2.34.3

38
SOURCES/0015-ESYS-Fixed-annotation-error-of-Esys_TR_Deserialize.patch
Unescape View File

@ -0,0 +1,38 @@
From 5e2f86cbd55b7c82ebf4cef0a0abed6c04598bd9 Mon Sep 17 00:00:00 2001
From: JerryDevis <JerryDevis@users.noreply.github.com>
Date: Fri, 7 Jan 2022 11:56:14 +0800
Subject: [PATCH 15/23] ESYS: Fixed annotation error of Esys_TR_Deserialize
Signed-off-by: JerryDevis <JerryDevis@users.noreply.github.com>
---
src/tss2-esys/esys_tr.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/src/tss2-esys/esys_tr.c b/src/tss2-esys/esys_tr.c
index cf4caa09..784f711a 100644
--- a/src/tss2-esys/esys_tr.c
+++ b/src/tss2-esys/esys_tr.c
@@ -65,15 +65,14 @@ Esys_TR_Serialize(ESYS_CONTEXT * esys_context,
*
* Deserialize the metadata of an ESYS_TR object from a byte buffer that was
* stored on disk for later use by a different program or context.
- * An object can be serialized suing Esys_TR_Serialize.
+ * An object can be deserialized using Esys_TR_Deserialize.
* @param esys_context [in,out] The ESYS_CONTEXT.
- * @param esys_handle [in] The ESYS_TR object to serialize.
- * @param buffer [out] The buffer containing the serialized metadata.
- * (caller-callocated) Shall be freed using free().
- * @param buffer_size [out] The size of the buffer parameter.
+ * @param esys_handle [out] The ESYS_TR object to deserialize.
+ * @param buffer [in] The buffer containing the metadata of the ESYS_TR object.
+ * @param buffer_size [in] The size of the buffer parameter.
* @retval TSS2_RC_SUCCESS on Success.
* @retval TSS2_ESYS_RC_MEMORY if the object can not be allocated.
- * @retval TSS2_ESYS_RC_INSUFFICIENT_BUFFER if the buffer for unmarshaling.
+ * @retval TSS2_ESYS_RC_INSUFFICIENT_BUFFER if the buffer for unmarshalling.
* @retval TSS2_ESYS_RC_BAD_REFERENCE if the esysContext is NULL.
* @retval TSS2_RCs produced by lower layers of the software stack.
*/
--
2.34.3

50
SOURCES/0016-FAPI-Clean-up-memory-when-Fapi_Delete_Async-failed.patch
Unescape View File

@ -0,0 +1,50 @@
From 80d8aa8e3d15fd01eacb40200b80a83ed940c207 Mon Sep 17 00:00:00 2001
From: JerryDevis <857869045@qq.com>
Date: Sun, 9 Jan 2022 16:31:09 +0800
Subject: [PATCH 16/23] FAPI: Clean up memory when Fapi_Delete_Async failed
Signed-off-by: JerryDevis <857869045@qq.com>
---
src/tss2-fapi/api/Fapi_Delete.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/tss2-fapi/api/Fapi_Delete.c b/src/tss2-fapi/api/Fapi_Delete.c
index 43ea0332..2b5826ab 100644
--- a/src/tss2-fapi/api/Fapi_Delete.c
+++ b/src/tss2-fapi/api/Fapi_Delete.c
@@ -419,14 +419,14 @@ Fapi_Delete_Async(
/* No session will be needed these files can be deleted without
interaction with the TPM */
r = ifapi_non_tpm_mode_init(context);
- return_if_error(r, "Initialize Entity_Delete");
+ goto_if_error(r, "Initialize Entity_Delete", error_cleanup);
context->session1 = ESYS_TR_NONE;
context->state = ENTITY_DELETE_GET_FILE;
} else {
/* Check whether TCTI and ESYS are initialized */
- return_if_null(context->esys, "Command can't be executed in none TPM mode.",
- TSS2_FAPI_RC_NO_TPM);
+ goto_if_null(context->esys, "Command can't be executed in none TPM mode.",
+ TSS2_FAPI_RC_NO_TPM, error_cleanup);
/* If the async state automata of FAPI shall be tested, then we must not set
the timeouts of ESYS to blocking mode.
@@ -435,12 +435,12 @@ Fapi_Delete_Async(
to block until a result is available. */
#ifndef TEST_FAPI_ASYNC
r = Esys_SetTimeout(context->esys, TSS2_TCTI_TIMEOUT_BLOCK);
- return_if_error_reset_state(r, "Set Timeout to blocking");
+ goto_if_error_reset_state(r, "Set Timeout to blocking", error_cleanup);
#endif /* TEST_FAPI_ASYNC */
/* A TPM session will be created to enable object authorization */
r = ifapi_session_init(context);
- return_if_error(r, "Initialize Entity_Delete");
+ goto_if_error(r, "Initialize Entity_Delete", error_cleanup);
r = ifapi_get_sessions_async(context,
IFAPI_SESSION_GENEK | IFAPI_SESSION1,
--
2.34.3

44
SOURCES/0017-FAPI-Clean-up-memory-when-Fapi_GetEsysBlob_Async-fai.patch
Unescape View File

@ -0,0 +1,44 @@
From f03a243f4f1e249a0f4d96bc5722a44953cad72e Mon Sep 17 00:00:00 2001
From: JerryDevis <857869045@qq.com>
Date: Sun, 9 Jan 2022 18:44:49 +0800
Subject: [PATCH 17/23] FAPI: Clean up memory when Fapi_GetEsysBlob_Async
failed
Signed-off-by: JerryDevis <857869045@qq.com>
---
src/tss2-fapi/api/Fapi_GetEsysBlob.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/tss2-fapi/api/Fapi_GetEsysBlob.c b/src/tss2-fapi/api/Fapi_GetEsysBlob.c
index b152ae3a..db67e2e4 100644
--- a/src/tss2-fapi/api/Fapi_GetEsysBlob.c
+++ b/src/tss2-fapi/api/Fapi_GetEsysBlob.c
@@ -157,8 +157,8 @@ Fapi_GetEsysBlob_Async(
authObject->objectType = IFAPI_OBJ_NONE;
/* Check whether TCTI and ESYS are initialized */
- return_if_null(context->esys, "Command can't be executed in none TPM mode.",
- TSS2_FAPI_RC_NO_TPM);
+ goto_if_null(context->esys, "Command can't be executed in none TPM mode.",
+ TSS2_FAPI_RC_NO_TPM, error_cleanup);
/* If the async state automata of FAPI shall be tested, then we must not set
the timeouts of ESYS to blocking mode.
@@ -167,12 +167,12 @@ Fapi_GetEsysBlob_Async(
to block until a result is available. */
#ifndef TEST_FAPI_ASYNC
r = Esys_SetTimeout(context->esys, TSS2_TCTI_TIMEOUT_BLOCK);
- return_if_error_reset_state(r, "Set Timeout to blocking");
+ goto_if_error_reset_state(r, "Set Timeout to blocking", error_cleanup);
#endif /* TEST_FAPI_ASYNC */
/* A TPM session will be created to enable object authorization */
r = ifapi_session_init(context);
- return_if_error(r, "Initialize GetEsysBlob");
+ goto_if_error(r, "Initialize GetEsysBlob", error_cleanup);
context->state = GET_ESYS_BLOB_GET_FILE;
--
2.34.3

30
SOURCES/0018-FAPI-Initialize-object-used-for-keystore-search.patch
Unescape View File

@ -0,0 +1,30 @@
From cd9987b0e400f8a77a19c3b8279eb931554cce7c Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
Date: Thu, 13 Jan 2022 11:46:22 +0100
Subject: [PATCH 18/23] FAPI: Initialize object used for keystore search.
For an empty keystore a cleanup of an uninitialized object was executed. No the object
type now is initialized with IFAPI_OBJ_NONE to prevent the cleanup.
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
---
src/tss2-fapi/ifapi_keystore.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/tss2-fapi/ifapi_keystore.c b/src/tss2-fapi/ifapi_keystore.c
index e805029f..c5486690 100644
--- a/src/tss2-fapi/ifapi_keystore.c
+++ b/src/tss2-fapi/ifapi_keystore.c
@@ -1173,6 +1173,9 @@ keystore_search_obj(
IFAPI_OBJECT object;
size_t i;
+ /* Mark object "unread" */
+ object.objectType = IFAPI_OBJ_NONE;
+
switch (keystore->key_search.state) {
statecase(keystore->key_search.state, KSEARCH_INIT)
r = ifapi_keystore_list_all(keystore,
--
2.34.3

30
SOURCES/0019-MU-Fix-buffer-upcast-leading-to-misalignment.patch
Unescape View File

@ -0,0 +1,30 @@
From 7514e0f35f08666aa0cd5edc2859104c19b7b2a1 Mon Sep 17 00:00:00 2001
From: Andreas Fuchs <andreas.fuchs@sit.fraunhofer.de>
Date: Thu, 13 Jan 2022 16:48:30 +0100
Subject: [PATCH 19/23] MU: Fix buffer upcast leading to misalignment
Signed-off-by: Andreas Fuchs <andreas.fuchs@sit.fraunhofer.de>
---
src/tss2-mu/tpm2b-types.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/tss2-mu/tpm2b-types.c b/src/tss2-mu/tpm2b-types.c
index 6aa2feb3..2e10f487 100644
--- a/src/tss2-mu/tpm2b-types.c
+++ b/src/tss2-mu/tpm2b-types.c
@@ -208,8 +208,10 @@ TSS2_RC Tss2_MU_##type##_Marshal(type const *src, uint8_t buffer[], \
return rc; \
\
/* Update the size to the real value */ \
- if (buffer) \
- *(UINT16 *)ptr = HOST_TO_BE_16(buffer + local_offset - ptr - 2); \
+ if (buffer) { \
+ UINT16 t = HOST_TO_BE_16(buffer + local_offset - ptr - 2); \
+ memcpy(ptr, &t, sizeof(t)); \
+ } \
\
if (offset != NULL) { \
*offset = local_offset; \
--
2.34.3

41
SOURCES/0020-esys_iutil-fix-possible-NPD.patch
Unescape View File

@ -0,0 +1,41 @@
From f140a8e5fdb2f3b9fbc3b32d1a844554008c2298 Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Fri, 3 Jun 2022 11:51:02 -0500
Subject: [PATCH 20/23] esys_iutil: fix possible NPD
Clang-10 scan-build reports:
src/tss2-esys/esys_iutil.c:1366:56: warning: Dereference of null pointer
auths->auths[auths->count].sessionHandle = session->rsrc.handle;
^~~~~~~~~~~~~~~~~~~~
1 warning generated.
The code above the report checks that session might be NULL:
RSRC_NODE_T *session = esys_context->session_tab[session_idx];
if (session != NULL) {
IESYS_SESSION *rsrc_session = &session->rsrc.misc.rsrc_session;
if (rsrc_session->type_policy_session == POLICY_PASSWORD) {
Thus suggesting/indicating session may be NULL in subsequent code where
session is dereferenced.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
src/tss2-esys/esys_iutil.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tss2-esys/esys_iutil.c b/src/tss2-esys/esys_iutil.c
index 0cc92ca5..493f9b28 100644
--- a/src/tss2-esys/esys_iutil.c
+++ b/src/tss2-esys/esys_iutil.c
@@ -1339,7 +1339,7 @@ iesys_gen_auths(ESYS_CONTEXT * esys_context,
&& encryptNonceIdx > 0) ? encryptNonce : NULL,
&auths->auths[session_idx]);
return_if_error(r, "Error while computing hmacs");
- if (esys_context->session_tab[session_idx] != NULL) {
+ if (esys_context->session_tab[session_idx] != NULL && session != NULL) {
auths->auths[auths->count].sessionHandle = session->rsrc.handle;
auths->count++;
}
--
2.34.3

269
SOURCES/0021-sapi-scope-command-handles.patch
Unescape View File

@ -0,0 +1,269 @@
From 495309fd8c6ef3c705c46cc28f9df52f5d59cba8 Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Wed, 8 Jun 2022 11:09:53 -0500
Subject: [PATCH 21/23] sapi: scope command handles
Scope command handles to where they are used.
- Compared to the upstream commit d4dee42e already missing commands were
left out.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
src/tss2-sys/sysapi_util.c | 237 +++++++++++++++++++------------------
1 file changed, 119 insertions(+), 118 deletions(-)
diff --git a/src/tss2-sys/sysapi_util.c b/src/tss2-sys/sysapi_util.c
index 685fcee8..d84acc5d 100644
--- a/src/tss2-sys/sysapi_util.c
+++ b/src/tss2-sys/sysapi_util.c
@@ -168,127 +168,128 @@ TSS2_RC CommonOneCall(
return rval;
}
-static const COMMAND_HANDLES commandArray[] =
-{
- { TPM2_CC_Startup, 0, 0 },
- { TPM2_CC_Shutdown, 0, 0 },
- { TPM2_CC_SelfTest, 0, 0 },
- { TPM2_CC_IncrementalSelfTest, 0, 0 },
- { TPM2_CC_GetTestResult, 0, 0 },
- { TPM2_CC_StartAuthSession, 2, 1 },
- { TPM2_CC_PolicyRestart, 1, 0 },
- { TPM2_CC_Create, 1, 0 },
- { TPM2_CC_Load, 1, 1 },
- { TPM2_CC_LoadExternal, 0, 1 },
- { TPM2_CC_ReadPublic, 1, 0 },
- { TPM2_CC_ActivateCredential, 2, 0 },
- { TPM2_CC_MakeCredential, 1, 0 },
- { TPM2_CC_Unseal, 1, 0 },
- { TPM2_CC_ObjectChangeAuth, 2, 0 },
- { TPM2_CC_Duplicate, 2, 0 },
- { TPM2_CC_Rewrap, 2, 0 },
- { TPM2_CC_Import, 1, 0 },
- { TPM2_CC_RSA_Encrypt, 1, 0 },
- { TPM2_CC_RSA_Decrypt, 1, 0 },
- { TPM2_CC_ECDH_KeyGen, 1, 0 },
- { TPM2_CC_ECDH_ZGen, 1, 0 },
- { TPM2_CC_ECC_Parameters, 0, 0 },
- { TPM2_CC_ZGen_2Phase, 1, 0 },
- { TPM2_CC_EncryptDecrypt, 1, 0 },
- { TPM2_CC_EncryptDecrypt2, 1, 0 },
- { TPM2_CC_Hash, 0, 0 },
- { TPM2_CC_HMAC, 1, 0 },
- { TPM2_CC_GetRandom, 0, 0 },
- { TPM2_CC_StirRandom, 0, 0 },
- { TPM2_CC_HMAC_Start, 1, 1 },
- { TPM2_CC_HashSequenceStart, 0, 1 },
- { TPM2_CC_SequenceUpdate, 1, 0 },
- { TPM2_CC_SequenceComplete, 1, 0 },
- { TPM2_CC_EventSequenceComplete, 2, 0 },
- { TPM2_CC_Certify, 2, 0 },
- { TPM2_CC_CertifyCreation, 2, 0 },
- { TPM2_CC_Quote, 1, 0 },
- { TPM2_CC_GetSessionAuditDigest, 3, 0 },
- { TPM2_CC_GetCommandAuditDigest, 2, 0 },
- { TPM2_CC_GetTime, 2, 0 },
- { TPM2_CC_Commit, 1, 0 },
- { TPM2_CC_EC_Ephemeral, 0, 0 },
- { TPM2_CC_VerifySignature, 1, 0 },
- { TPM2_CC_Sign, 1, 0 },
- { TPM2_CC_SetCommandCodeAuditStatus, 1, 0 },
- { TPM2_CC_PCR_Extend, 1, 0 },
- { TPM2_CC_PCR_Event, 1, 0 },
- { TPM2_CC_PCR_Read, 0, 0 },
- { TPM2_CC_PCR_Allocate, 1, 0 },
- { TPM2_CC_PCR_SetAuthPolicy, 1, 0 },
- { TPM2_CC_PCR_SetAuthValue, 1, 0 },
- { TPM2_CC_PCR_Reset, 1, 0 },
- { TPM2_CC_PolicySigned, 2, 0 },
- { TPM2_CC_PolicySecret, 2, 0 },
- { TPM2_CC_PolicyTicket, 1, 0 },
- { TPM2_CC_PolicyOR, 1, 0 },
- { TPM2_CC_PolicyPCR, 1, 0 },
- { TPM2_CC_PolicyLocality, 1, 0 },
- { TPM2_CC_PolicyNV, 3, 0 },
- { TPM2_CC_PolicyNvWritten, 1, 0 },
- { TPM2_CC_PolicyCounterTimer, 1, 0 },
- { TPM2_CC_PolicyCommandCode, 1, 0 },
- { TPM2_CC_PolicyPhysicalPresence, 1, 0 },
- { TPM2_CC_PolicyCpHash, 1, 0 },
- { TPM2_CC_PolicyNameHash, 1, 0 },
- { TPM2_CC_PolicyDuplicationSelect, 1, 0 },
- { TPM2_CC_PolicyAuthorize, 1, 0 },
- { TPM2_CC_PolicyAuthValue, 1, 0 },
- { TPM2_CC_PolicyPassword, 1, 0 },
- { TPM2_CC_PolicyGetDigest, 1, 0 },
- { TPM2_CC_PolicyTemplate, 1, 0 },
- { TPM2_CC_CreatePrimary, 1, 1 },
- { TPM2_CC_HierarchyControl, 1, 0 },
- { TPM2_CC_SetPrimaryPolicy, 1, 0 },
- { TPM2_CC_ChangePPS, 1, 0 },
- { TPM2_CC_ChangeEPS, 1, 0 },
- { TPM2_CC_Clear, 1, 0 },
- { TPM2_CC_ClearControl, 1, 0 },
- { TPM2_CC_HierarchyChangeAuth, 1, 0 },
- { TPM2_CC_DictionaryAttackLockReset, 1, 0 },
- { TPM2_CC_DictionaryAttackParameters, 1, 0 },
- { TPM2_CC_PP_Commands, 1, 0 },
- { TPM2_CC_SetAlgorithmSet, 1, 0 },
- { TPM2_CC_FieldUpgradeStart, 2, 0 },
- { TPM2_CC_FieldUpgradeData, 0, 0 },
- { TPM2_CC_FirmwareRead, 0, 0 },
- { TPM2_CC_ContextSave, 1, 0 },
- { TPM2_CC_ContextLoad, 0, 1 },
- { TPM2_CC_FlushContext, 1, 0 },
- { TPM2_CC_EvictControl, 2, 0 },
- { TPM2_CC_ReadClock, 0, 0 },
- { TPM2_CC_ClockSet, 1, 0 },
- { TPM2_CC_ClockRateAdjust, 1, 0 },
- { TPM2_CC_GetCapability, 0, 0 },
- { TPM2_CC_TestParms, 0, 0 },
- { TPM2_CC_NV_DefineSpace, 1, 0 },
- { TPM2_CC_NV_UndefineSpace, 2, 0 },
- { TPM2_CC_NV_UndefineSpaceSpecial, 2, 0 },
- { TPM2_CC_NV_ReadPublic, 1, 0 },
- { TPM2_CC_NV_Write, 2, 0 },
- { TPM2_CC_NV_Increment, 2, 0 },
- { TPM2_CC_NV_Extend, 2, 0 },
- { TPM2_CC_NV_SetBits, 2, 0 },
- { TPM2_CC_NV_WriteLock, 2, 0 },
- { TPM2_CC_NV_GlobalWriteLock, 1, 0 },
- { TPM2_CC_NV_Read, 2, 0 },
- { TPM2_CC_NV_ReadLock, 2, 0 },
- { TPM2_CC_NV_ChangeAuth, 1, 0 },
- { TPM2_CC_NV_Certify, 3, 0 },
- { TPM2_CC_CreateLoaded, 1, 1 },
- { TPM2_CC_PolicyAuthorizeNV, 3, 0 },
- { TPM2_CC_AC_GetCapability, 1, 0 },
- { TPM2_CC_AC_Send, 3, 0 },
- { TPM2_CC_Policy_AC_SendSelect, 1, 0 }
-};
static int GetNumHandles(TPM2_CC commandCode, bool req)
{
+ static const COMMAND_HANDLES commandArray[] =
+ {
+ { TPM2_CC_Startup, 0, 0 },
+ { TPM2_CC_Shutdown, 0, 0 },
+ { TPM2_CC_SelfTest, 0, 0 },
+ { TPM2_CC_IncrementalSelfTest, 0, 0 },
+ { TPM2_CC_GetTestResult, 0, 0 },
+ { TPM2_CC_StartAuthSession, 2, 1 },
+ { TPM2_CC_PolicyRestart, 1, 0 },
+ { TPM2_CC_Create, 1, 0 },
+ { TPM2_CC_Load, 1, 1 },
+ { TPM2_CC_LoadExternal, 0, 1 },
+ { TPM2_CC_ReadPublic, 1, 0 },
+ { TPM2_CC_ActivateCredential, 2, 0 },
+ { TPM2_CC_MakeCredential, 1, 0 },
+ { TPM2_CC_Unseal, 1, 0 },
+ { TPM2_CC_ObjectChangeAuth, 2, 0 },
+ { TPM2_CC_Duplicate, 2, 0 },
+ { TPM2_CC_Rewrap, 2, 0 },
+ { TPM2_CC_Import, 1, 0 },
+ { TPM2_CC_RSA_Encrypt, 1, 0 },
+ { TPM2_CC_RSA_Decrypt, 1, 0 },
+ { TPM2_CC_ECDH_KeyGen, 1, 0 },
+ { TPM2_CC_ECDH_ZGen, 1, 0 },
+ { TPM2_CC_ECC_Parameters, 0, 0 },
+ { TPM2_CC_ZGen_2Phase, 1, 0 },
+ { TPM2_CC_EncryptDecrypt, 1, 0 },
+ { TPM2_CC_EncryptDecrypt2, 1, 0 },
+ { TPM2_CC_Hash, 0, 0 },
+ { TPM2_CC_HMAC, 1, 0 },
+ { TPM2_CC_GetRandom, 0, 0 },
+ { TPM2_CC_StirRandom, 0, 0 },
+ { TPM2_CC_HMAC_Start, 1, 1 },
+ { TPM2_CC_HashSequenceStart, 0, 1 },
+ { TPM2_CC_SequenceUpdate, 1, 0 },
+ { TPM2_CC_SequenceComplete, 1, 0 },
+ { TPM2_CC_EventSequenceComplete, 2, 0 },
+ { TPM2_CC_Certify, 2, 0 },
+ { TPM2_CC_CertifyCreation, 2, 0 },
+ { TPM2_CC_Quote, 1, 0 },
+ { TPM2_CC_GetSessionAuditDigest, 3, 0 },
+ { TPM2_CC_GetCommandAuditDigest, 2, 0 },
+ { TPM2_CC_GetTime, 2, 0 },
+ { TPM2_CC_Commit, 1, 0 },
+ { TPM2_CC_EC_Ephemeral, 0, 0 },
+ { TPM2_CC_VerifySignature, 1, 0 },
+ { TPM2_CC_Sign, 1, 0 },
+ { TPM2_CC_SetCommandCodeAuditStatus, 1, 0 },
+ { TPM2_CC_PCR_Extend, 1, 0 },
+ { TPM2_CC_PCR_Event, 1, 0 },
+ { TPM2_CC_PCR_Read, 0, 0 },
+ { TPM2_CC_PCR_Allocate, 1, 0 },
+ { TPM2_CC_PCR_SetAuthPolicy, 1, 0 },
+ { TPM2_CC_PCR_SetAuthValue, 1, 0 },
+ { TPM2_CC_PCR_Reset, 1, 0 },
+ { TPM2_CC_PolicySigned, 2, 0 },
+ { TPM2_CC_PolicySecret, 2, 0 },
+ { TPM2_CC_PolicyTicket, 1, 0 },
+ { TPM2_CC_PolicyOR, 1, 0 },
+ { TPM2_CC_PolicyPCR, 1, 0 },
+ { TPM2_CC_PolicyLocality, 1, 0 },
+ { TPM2_CC_PolicyNV, 3, 0 },
+ { TPM2_CC_PolicyNvWritten, 1, 0 },
+ { TPM2_CC_PolicyCounterTimer, 1, 0 },
+ { TPM2_CC_PolicyCommandCode, 1, 0 },
+ { TPM2_CC_PolicyPhysicalPresence, 1, 0 },
+ { TPM2_CC_PolicyCpHash, 1, 0 },
+ { TPM2_CC_PolicyNameHash, 1, 0 },
+ { TPM2_CC_PolicyDuplicationSelect, 1, 0 },
+ { TPM2_CC_PolicyAuthorize, 1, 0 },
+ { TPM2_CC_PolicyAuthValue, 1, 0 },
+ { TPM2_CC_PolicyPassword, 1, 0 },
+ { TPM2_CC_PolicyGetDigest, 1, 0 },
+ { TPM2_CC_PolicyTemplate, 1, 0 },
+ { TPM2_CC_CreatePrimary, 1, 1 },
+ { TPM2_CC_HierarchyControl, 1, 0 },
+ { TPM2_CC_SetPrimaryPolicy, 1, 0 },
+ { TPM2_CC_ChangePPS, 1, 0 },
+ { TPM2_CC_ChangeEPS, 1, 0 },
+ { TPM2_CC_Clear, 1, 0 },
+ { TPM2_CC_ClearControl, 1, 0 },
+ { TPM2_CC_HierarchyChangeAuth, 1, 0 },
+ { TPM2_CC_DictionaryAttackLockReset, 1, 0 },
+ { TPM2_CC_DictionaryAttackParameters, 1, 0 },
+ { TPM2_CC_PP_Commands, 1, 0 },
+ { TPM2_CC_SetAlgorithmSet, 1, 0 },
+ { TPM2_CC_FieldUpgradeStart, 2, 0 },
+ { TPM2_CC_FieldUpgradeData, 0, 0 },
+ { TPM2_CC_FirmwareRead, 0, 0 },
+ { TPM2_CC_ContextSave, 1, 0 },
+ { TPM2_CC_ContextLoad, 0, 1 },
+ { TPM2_CC_FlushContext, 1, 0 },
+ { TPM2_CC_EvictControl, 2, 0 },
+ { TPM2_CC_ReadClock, 0, 0 },
+ { TPM2_CC_ClockSet, 1, 0 },
+ { TPM2_CC_ClockRateAdjust, 1, 0 },
+ { TPM2_CC_GetCapability, 0, 0 },
+ { TPM2_CC_TestParms, 0, 0 },
+ { TPM2_CC_NV_DefineSpace, 1, 0 },
+ { TPM2_CC_NV_UndefineSpace, 2, 0 },
+ { TPM2_CC_NV_UndefineSpaceSpecial, 2, 0 },
+ { TPM2_CC_NV_ReadPublic, 1, 0 },
+ { TPM2_CC_NV_Write, 2, 0 },
+ { TPM2_CC_NV_Increment, 2, 0 },
+ { TPM2_CC_NV_Extend, 2, 0 },
+ { TPM2_CC_NV_SetBits, 2, 0 },
+ { TPM2_CC_NV_WriteLock, 2, 0 },
+ { TPM2_CC_NV_GlobalWriteLock, 1, 0 },
+ { TPM2_CC_NV_Read, 2, 0 },
+ { TPM2_CC_NV_ReadLock, 2, 0 },
+ { TPM2_CC_NV_ChangeAuth, 1, 0 },
+ { TPM2_CC_NV_Certify, 3, 0 },
+ { TPM2_CC_CreateLoaded, 1, 1 },
+ { TPM2_CC_PolicyAuthorizeNV, 3, 0 },
+ { TPM2_CC_AC_GetCapability, 1, 0 },
+ { TPM2_CC_AC_Send, 3, 0 },
+ { TPM2_CC_Policy_AC_SendSelect, 1, 0 }
+ };
+
uint8_t i;
for (i = 0; i < sizeof(commandArray) / sizeof(COMMAND_HANDLES); i++) {
--
2.34.3

26
SOURCES/0022-fapi-use-correct-userdata-for-cbauthnv.patch
Unescape View File

@ -0,0 +1,26 @@
From b289b38764e9f6c4fbe50008fede7baa47098a58 Mon Sep 17 00:00:00 2001
From: Erik Larsson <who+github@cnackers.org>
Date: Mon, 4 Jul 2022 19:14:30 +0200
Subject: [PATCH 22/23] fapi: use correct userdata for cbauthnv
Signed-off-by: Erik Larsson <who+github@cnackers.org>
---
src/tss2-fapi/ifapi_policy_execute.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tss2-fapi/ifapi_policy_execute.c b/src/tss2-fapi/ifapi_policy_execute.c
index caae103e..ddaf255c 100644
--- a/src/tss2-fapi/ifapi_policy_execute.c
+++ b/src/tss2-fapi/ifapi_policy_execute.c
@@ -760,7 +760,7 @@ execute_policy_authorize_nv(
switch (current_policy->state) {
statecase(current_policy->state, POLICY_EXECUTE_INIT)
/* Execute the policy stored in the NV object. */
- r = cb->cbauthnv(&policy->nvPublic, hash_alg, cb->cbauthpol_userdata);
+ r = cb->cbauthnv(&policy->nvPublic, hash_alg, cb->cbauthnv_userdata);
try_again_or_error(r, "Execute policy authorize nv callback.");
r = ifapi_nv_get_name(&policy->nvPublic, &current_policy->name);
--
2.34.3

36
SOURCES/0023-SAPI-fix-number-of-handles-for-FlushContext.patch
Unescape View File

@ -0,0 +1,36 @@
From ecfc3b4c1e9a59c6a230398bced24118d19ea099 Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Thu, 7 Jul 2022 09:00:19 -0500
Subject: [PATCH 23/23] SAPI: fix number of handles for FlushContext
The lookup table for the number of command handles for
Tss2_Sys_FlushContext has the count set to 1, when in reality the
command takes no handles in the handle area but a handle as the input
parameter. This works currently because handles and parameters are just
concatenated and the parsing logic on the TPM just unpacks them, so in
this case, thet're in the same spot with the same value. This goes
unnoticed until you call Tss2_Sys_GetCpBuffer and the buffer is empty as
the logic things its a handle in the handle area and not a handle in the
parameter area.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
src/tss2-sys/sysapi_util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tss2-sys/sysapi_util.c b/src/tss2-sys/sysapi_util.c
index d84acc5d..a92f47a2 100644
--- a/src/tss2-sys/sysapi_util.c
+++ b/src/tss2-sys/sysapi_util.c
@@ -262,7 +262,7 @@ static int GetNumHandles(TPM2_CC commandCode, bool req)
{ TPM2_CC_FirmwareRead, 0, 0 },
{ TPM2_CC_ContextSave, 1, 0 },
{ TPM2_CC_ContextLoad, 0, 1 },
- { TPM2_CC_FlushContext, 1, 0 },
+ { TPM2_CC_FlushContext, 0, 0 },
{ TPM2_CC_EvictControl, 2, 0 },
{ TPM2_CC_ReadClock, 0, 0 },
{ TPM2_CC_ClockSet, 1, 0 },
--
2.34.3

15
SOURCES/tpm2-tss-3.0.0-doxygen.patch
Unescape View File

@ -0,0 +1,15 @@
diff -up tpm2-tss-3.0.0/Doxyfile.in.me tpm2-tss-3.0.0/Doxyfile.in
--- tpm2-tss-3.0.0/Doxyfile.in.me 2020-09-15 20:24:26.463314644 +0200
+++ tpm2-tss-3.0.0/Doxyfile.in 2020-09-15 20:26:29.010866650 +0200
@@ -947,7 +947,10 @@ EXCLUDE_PATTERNS =
# Note that the wildcards are matched against the file with absolute path, so to
# exclude all test directories use the pattern */test/*
-EXCLUDE_SYMBOLS = *_IN IESYS_CMD_IN_PARAM
+EXCLUDE_SYMBOLS = StartAuthSession_IN CreatePrimary_IN ContextSave_IN ContextLoad_IN \
+ Load_IN LoadExternal_IN CreateLoaded_IN EvictControl_IN HMAC_Start_IN \
+ HierarchyChangeAuth_IN SequenceComplete_IN Policy_IN NV_IN FlushContext_IN \
+ IESYS_CMD_IN_PARAM
# The EXAMPLE_PATH tag can be used to specify one or more files or directories
# that contain example code fragments that are included (see the \include

332
SPECS/tpm2-tss.spec
Unescape View File

@ -0,0 +1,332 @@
Name: tpm2-tss
Version: 3.0.3
Release: 8%{?dist}
Summary: TPM2.0 Software Stack
# The entire source code is under BSD except implementation.h and tpmb.h which
# is under TCGL(Trusted Computing Group License).
License: BSD and TCGL
URL: https://github.com/tpm2-software/tpm2-tss
Source0: https://github.com/tpm2-software/tpm2-tss/releases/download/%{version}/%{name}-%{version}.tar.gz
# doxygen crash
Patch0: tpm2-tss-3.0.0-doxygen.patch
# OpenSSL 3 support
Patch1: 0001-FAPI-Fix-reading-of-the-root-certificate-for-provisi.patch
Patch2: 0002-FAPI-use-FAPI_TEST_EK_CERT_LESS-with-disable-self-ge.patch
Patch3: 0003-Makefile.am-Use-LIBCRYPTO_CFLAGS-when-building-FAPI.patch
Patch4: 0004-Test-Remove-duplicate-openssl-req-new.patch
Patch5: 0005-FAPI-Test-Call-EVP_DigestSignInit-in-the-correct-ord.patch
Patch6: 0006-FAPI-Test-Use-EVP_PKEY_base_id-to-detect-key-type.patch
Patch7: 0007-FAPI-Test-Change-RSA_sign-to-EVP_PKEY_sign.patch
Patch8: 0008-Require-OpenSSL-1.1.0.patch
Patch9: 0009-FAPI-Change-SHA256_Update-to-EVP_DigestUpdate.patch
Patch10: 0010-Test-Use-EVP_MAC_xxx-with-OpenSSL-3.0.patch
Patch11: 0011-Drop-support-for-OpenSSL-1.1.0.patch
Patch12: 0012-Implement-EVP_PKEY-export-import-for-OpenSSL-3.0.patch
Patch13: 0001-esys_crypto_ossl-remove-non-needed-_ex-OSSL-funcs.patch
Patch14: 0002-FAPI-Remove-useless-code-get_engine.patch
Patch15: 0003-FAPI-Remove-fauly-free-of-an-unused-field.patch
Patch16: 0004-Remove-deprecated-OpenSSL_add_all_algorithms.patch
Patch17: 0005-Use-default-OpenSSL-context-for-internal-crypto-oper.patch
Patch18: 0006-FAPI-Add-policy-computation-for-create-primary.patch
Patch19: 0007-FAPI-Fix-loading-of-primary-keys.patch
Patch20: 0008-Fix-file-descriptor-leak-when-tcti-initialization-fa.patch
Patch21: 0009-FAPI-Fix-leak-in-fapi-crypto-with-ossl3.patch
Patch22: 0010-FAPI-Fix-memory-leak-after-ifapi_init_primary_finish.patch
Patch23: 0011-esys-Return-an-error-if-ESYS_TR_NONE-is-passed-to-Es.patch
Patch24: 0012-FAPI-Fixed-memory-leak-when-ifapi_get_certificates-f.patch
Patch25: 0013-FAPI-Free-object-when-keystore_search_obj-failed.patch
Patch26: 0014-FAPI-Fixed-the-memory-leak-of-command-data-when-Fapi.patch
Patch27: 0015-ESYS-Fixed-annotation-error-of-Esys_TR_Deserialize.patch
Patch28: 0016-FAPI-Clean-up-memory-when-Fapi_Delete_Async-failed.patch
Patch29: 0017-FAPI-Clean-up-memory-when-Fapi_GetEsysBlob_Async-fai.patch
Patch30: 0018-FAPI-Initialize-object-used-for-keystore-search.patch
Patch31: 0019-MU-Fix-buffer-upcast-leading-to-misalignment.patch
Patch32: 0020-esys_iutil-fix-possible-NPD.patch
Patch33: 0021-sapi-scope-command-handles.patch
Patch34: 0022-fapi-use-correct-userdata-for-cbauthnv.patch
Patch35: 0023-SAPI-fix-number-of-handles-for-FlushContext.patch
%global udevrules_prefix 60-
BuildRequires: make
BuildRequires: autoconf-archive
BuildRequires: doxygen
BuildRequires: gcc
BuildRequires: gcc-c++
BuildRequires: json-c-devel
BuildRequires: libcurl-devel
BuildRequires: libgcrypt-devel
BuildRequires: libtool
BuildRequires: openssl-devel
BuildRequires: pkgconfig
BuildRequires: systemd
Requires(pre): shadow-utils
%description
tpm2-tss is a software stack supporting Trusted Platform Module(TPM) 2.0 system
APIs. It sits between TPM driver and applications, providing TPM2.0 specified
APIs for applications to access TPM module through kernel TPM drivers.
%prep
%autosetup -p1 -n %{name}-%{version}
%build
autoreconf -i
# Use built-in tpm-udev.rules, with specified installation path and prefix.
%configure --disable-static --disable-silent-rules \
--with-udevrulesdir=%{_udevrulesdir} --with-udevrulesprefix=%{udevrules_prefix} \
--with-runstatedir=%{_rundir} --with-tmpfilesdir=%{_tmpfilesdir} --with-sysusersdir=%{_sysusersdir}
# This is to fix Rpath errors. Taken from https://fedoraproject.org/wiki/Packaging:Guidelines#Removing_Rpath
sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
%make_build
%install
%make_install
find %{buildroot}%{_libdir} -type f -name \*.la -delete
%pre
getent group tss >/dev/null || groupadd -f -g 59 -r tss
if ! getent passwd tss >/dev/null ; then
if ! getent passwd 59 >/dev/null ; then
useradd -r -u 59 -g tss -d /dev/null -s /sbin/nologin -c "Account used for TPM access" tss
else
useradd -r -g tss -d /dev/null -s /sbin/nologin -c "Account used for TPM access" tss
fi
fi
exit 0
%ldconfig_scriptlets
%files
%doc README.md CHANGELOG.md
%license LICENSE
%{_sysconfdir}/tpm2-tss/
%{_libdir}/libtss2-mu.so.0*
%{_libdir}/libtss2-sys.so.1*
%{_libdir}/libtss2-esys.so.0*
%{_libdir}/libtss2-fapi.so.1*
%{_libdir}/libtss2-rc.so.0*
%{_libdir}/libtss2-tctildr.so.0*
%{_libdir}/libtss2-tcti-cmd.so.0*
%{_libdir}/libtss2-tcti-device.so.0*
%{_libdir}/libtss2-tcti-mssim.so.0*
%{_libdir}/libtss2-tcti-swtpm.so.0*
%{_sysusersdir}/tpm2-tss.conf
%{_tmpfilesdir}/tpm2-tss-fapi.conf
%{_udevrulesdir}/%{udevrules_prefix}tpm-udev.rules
%package devel
Summary: Headers and libraries for building apps that use tpm2-tss
Requires: %{name}%{_isa} = %{version}-%{release}
%description devel
This package contains headers and libraries required to build applications that
use tpm2-tss.
%files devel
%{_includedir}/tss2/
%{_libdir}/libtss2-mu.so
%{_libdir}/libtss2-sys.so
%{_libdir}/libtss2-esys.so
%{_libdir}/libtss2-fapi.so
%{_libdir}/libtss2-rc.so
%{_libdir}/libtss2-tctildr.so
%{_libdir}/libtss2-tcti-cmd.so
%{_libdir}/libtss2-tcti-device.so
%{_libdir}/libtss2-tcti-mssim.so
%{_libdir}/libtss2-tcti-swtpm.so
%{_libdir}/pkgconfig/tss2-mu.pc
%{_libdir}/pkgconfig/tss2-sys.pc
%{_libdir}/pkgconfig/tss2-esys.pc
%{_libdir}/pkgconfig/tss2-fapi.pc
%{_libdir}/pkgconfig/tss2-rc.pc
%{_libdir}/pkgconfig/tss2-tctildr.pc
%{_libdir}/pkgconfig/tss2-tcti-cmd.pc
%{_libdir}/pkgconfig/tss2-tcti-device.pc
%{_libdir}/pkgconfig/tss2-tcti-mssim.pc
%{_libdir}/pkgconfig/tss2-tcti-swtpm.pc
%{_mandir}/man3/*.3.gz
%{_mandir}/man5/*.5.gz
%{_mandir}/man7/tss2*.7.gz
%changelog
* Wed Mar 15 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 3.0.3-8
- Rebuilt for MSVSphere 9.1.
* Wed Aug 10 2022 Štěpán Horáček <shoracek@redhat.com> - 3.0.3-8
- Fix memory leaks, potential crashes, upgrade to OpenSSL 3
Resolves: rhbz#2041919
* Thu Feb 17 2022 Štěpán Horáček <shoracek@redhat.com> - 3.0.3-7
- Rebuild with latest json-c library
Related: rhbz#2023328
* Wed Aug 18 2021 Štěpán Horáček <shoracek@redhat.com> - 3.0.3-6
- Fix failures while using OpenSSL 3
Resolves: rhbz#1984634
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.3-5
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.3-4
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.3-3
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Thu Nov 26 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 3.0.3-1
- Update to 3.0.2
* Sun Nov 22 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 3.0.2-1
- Update to 3.0.2
* Wed Sep 23 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 3.0.1-1
- Update to 3.0.1
* Tue Sep 15 2020 Than Ngo <than@redhat.com> - 3.0.0-4
- Fix doxygen crash
* Tue Sep 15 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 3.0.0-3
- Create tss user, if it doesn't exist, for userspace TPM access
* Fri Aug 07 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 3.0.0-2
- Install sysusers config in sysusersdir (rhbz #1834519)
* Wed Aug 05 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 3.0.0-1
- Update to 3.0.0
* Wed Aug 05 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 2.4.2-1
- Update to 2.4.2
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Thu May 14 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 2.4.1-1
- Update to 2.4.1
* Fri May 08 2020 Paul Wouters <pwouters@redhat.com> - 2.4.0-3
- Use proper rundir and tmpfiles macros so proper directories are used
* Tue Apr 21 2020 Björn Esser <besser82@fedoraproject.org> - 2.4.0-2
- Rebuild (json-c)
* Thu Mar 12 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 2.4.0-1
- Update to 2.4.0 release
* Mon Feb 24 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 2.3.3-1
- Update to 2.3.3 release
* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Dec 13 2019 Yunying Sun <yunying.sun@intel.com> - 2.3.2-1
- Update to 2.3.2 release
* Fri Sep 6 2019 Yunying Sun <yunying.sun@intel.com> - 2.3.1-1
- Update to 2.3.1 release
* Thu Aug 15 2019 Yunying Sun <yunying.sun@intel.com> - 2.3.0-1
- Update to 2.3.0 release
* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Wed May 29 2019 Yunying Sun <yunying.sun@intel.com> - 2.2.3-1
- Update to 2.2.3 release
* Fri Mar 29 2019 Yunying Sun <yunying.sun@intel.com> - 2.2.2-1
- Update to 2.2.2 release
* Mon Mar 4 2019 Peter Robinson <pbrobinson@fedoraproject.org> 2.2.1-1
- Update to 2.2.1 release
* Wed Feb 06 2019 Javier Martinez Canillas <javierm@redhat.com> - 2.2.0-1
- Update to 2.2.0 release
* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Wed Oct 10 2018 Yunying Sun <yunying.sun@intel.com> - 2.1.0-1
- Update to 2.1.0 release
* Thu Aug 30 2018 Yunying Sun <yunying.sun@intel.com> - 2.0.1-1
- Update to 2.0.1 release
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Wed Jul 4 2018 Yunying Sun <yunying.sun@intel.com> - 2.0.0-2
- Re-enable ESAPI since gcrypt dependency is not an issue for Fedora
- Bump release version to 2.0.0-2
* Mon Jul 2 2018 Yunying Sun <yunying.sun@intel.com> - 2.0.0-1
- Update to 2.0.0 release (RHBZ#1508870)
- Remove patch file 60-tpm-udev.rules, use upstream tpm-udev.rules instead
- Disable ESAPI to fix build errors caused by dependency to libgcrypt 1.6.0
- Add scriptlet to fix Rpath errors
- Update file installation paths and names accordingly
* Sun Mar 04 2018 Javier Martinez Canillas <javierm@redhat.com> - 1.4.0-1
- Update URLs to point to the new project location
- Add README.md CHANGELOG.md to %%files directive
- Update to 1.4.0 release (RHBZ#1508870)
* Fri Feb 23 2018 Javier Martinez Canillas <javierm@redhat.com> - 1.3.0-4
- Install udev rule for TPM character devices
* Wed Feb 21 2018 Javier Martinez Canillas <javierm@redhat.com> - 1.3.0-3
- Remove ExclusiveArch: %%{ix86} x86_64 directive
* Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.3.0-2
- Escape macros in %%changelog
* Fri Dec 08 2017 Javier Martinez Canillas <javierm@redhat.com> - 1.3.0-1
- Update to 1.3.0 release
* Wed Nov 29 2017 Javier Martinez Canillas <javierm@redhat.com> - 1.3.0-0.1.rc2
- Update to 1.3.0 release candidate 2 (RHBZ#1508870)
- Remove global pkg_prefix since now the upstream repo and package names match
- Update URLs to point to the new project location
- Remove -Wno-int-in-bool-context compiler flag since now upstream takes care
- Remove %%doc directive since README.md and CHANGELOG.md are not in the tarball
- Add patch to include a LICENSE since the generated tarball does not have it
* Mon Aug 28 2017 Javier Martinez Canillas <javierm@redhat.com> - 1.2.0-1
- Update to 1.2.0 release
- Use tpm2-tss instead of TPM2.0-TSS as prefix since project name changed
- Fix SPEC file access mode
- Include new man pages in %%files directive
* Fri Aug 18 2017 Javier Martinez Canillas <javierm@redhat.com> - 1.1.0-3
- Remove unneeded source tarballs (RHBZ#1482828)
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Sun Yunying <yunying.sun@intel.com> - 1.1.0-1
- Update to 1.1.0 release
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Mon Dec 12 2016 Sun Yunying <yunying.sun@intel.com> - 1.0-2
- Remove global macro pkg_version to avoid duplicate of version
- Use ExclusiveArch instead of ExcludeArch
- Use less wildcard in %%files section to be more specific
- Add trailing slash at end of added directory in %%file section
- Remove autoconf/automake/pkgconfig(cmocka) from BuildRequires
- Increase release version to 2
* Fri Dec 2 2016 Sun Yunying <yunying.sun@intel.com> - 1.0-1
- Initial version of the package
Write Preview
Loading…
Cancel
Save