rpms
/
tpm2-tss
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

merge into: rpms:c9
Branches Tags
rpms:i10c-beta
rpms:c10-beta
rpms:i10cs
rpms:cs10
rpms:i9c-beta
rpms:c9-beta
rpms:i8c-beta
rpms:c8-beta
rpms:i8c
rpms:c8
rpms:i9c
rpms:c9
...
pull from: rpms:c8
Branches Tags
rpms:i10c-beta
rpms:c10-beta
rpms:i10cs
rpms:cs10
rpms:i9c-beta
rpms:c9-beta
rpms:i8c-beta
rpms:c8-beta
rpms:i8c
rpms:c8
rpms:i9c
rpms:c9

No commits in common. 'c9' and 'c8' have entirely different histories.
c9 ... c8

37 changed files with 2536 additions and 832 deletions
Show Stats

2
.gitignore vendored
Unescape View File

@ -1 +1 @@
SOURCES/tpm2-tss-3.2.2.tar.gz SOURCES/tpm2-tss-2.3.2.tar.gz

2
.tpm2-tss.metadata
Unescape View File

@ -1 +1 @@
6ebd166443d782e270b3f408e1489284e30dd608 SOURCES/tpm2-tss-3.2.2.tar.gz c24ce8b20a8686ada775239389292f6d78020668 SOURCES/tpm2-tss-2.3.2.tar.gz

39
SOURCES/0001-ESYS-Fix-initialization-of-app-data-in-Esys_Initiali.patch
Unescape View File

@ -0,0 +1,39 @@
From 285667d640b8dd7d2d80e0c5d5fcc44f6abad442 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
Date: Mon, 27 Apr 2020 16:33:16 +0200
Subject: [PATCH 1/4] ESYS: Fix initialization of app data in Esys_Initialize
(Fixes #1704).
An unintended free of the tcti parameter in cleanup was possible.
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
---
src/tss2-esys/esys_context.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/tss2-esys/esys_context.c b/src/tss2-esys/esys_context.c
index b912a688..150a3495 100644
--- a/src/tss2-esys/esys_context.c
+++ b/src/tss2-esys/esys_context.c
@@ -54,15 +54,15 @@ Esys_Initialize(ESYS_CONTEXT ** esys_context, TSS2_TCTI_CONTEXT * tcti,
*esys_context = calloc(1, sizeof(ESYS_CONTEXT));
return_if_null(*esys_context, "Out of memory.", TSS2_ESYS_RC_MEMORY);
+ /* Store the application provided tcti to be return on Esys_GetTcti(). */
+ (*esys_context)->tcti_app_param = tcti;
+
/* Allocate memory for the SYS context */
syssize = Tss2_Sys_GetContextSize(0);
(*esys_context)->sys = calloc(1, syssize);
goto_if_null((*esys_context)->sys, "Error: During malloc.",
TSS2_ESYS_RC_MEMORY, cleanup_return);
- /* Store the application provided tcti to be return on Esys_GetTcti(). */
- (*esys_context)->tcti_app_param = tcti;
-
/* If no tcti was provided, initialize the default one. */
if (tcti == NULL) {
r = Tss2_TctiLdr_Initialize (NULL, &tcti);
--
2.41.0

128
SOURCES/0001-Esys_CreateLoaded-fix-resource-name-calculation.patch
Unescape View File

@ -0,0 +1,128 @@
From 70e9fae7ef535e7cf27a72ddbc818dfefcbdbdbb Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Wed, 18 Sep 2019 11:29:57 -0700
Subject: [PATCH] Esys_CreateLoaded: fix resource name calculation
The name calculated and cached for the ESYS_TR resource object was based
on the user supplied TPMT_PUBLIC. However, this template is often
missing data that the TPM fills in and returns in the TPM2B_PUBLIC
structure. Because of this, the cached name returned from
Esys_TR_GetName() and the name read from Esys_ReadPublic() would differ.
Add a test to detect this condition and correct it by copying the
returned TPM2B_PUBLIC to the ESYS_TR resource nodes TPM2B_PUBLIC cache
and calculate the name off of that.
Fixes: #1516
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
src/tss2-esys/api/Esys_CreateLoaded.c | 14 ++++-----
test/integration/esys-createloaded.int.c | 37 ++++++++++++++++++++++++
2 files changed, 42 insertions(+), 9 deletions(-)
diff --git a/src/tss2-esys/api/Esys_CreateLoaded.c b/src/tss2-esys/api/Esys_CreateLoaded.c
index a92649cade27..44c4400fcff9 100644
--- a/src/tss2-esys/api/Esys_CreateLoaded.c
+++ b/src/tss2-esys/api/Esys_CreateLoaded.c
@@ -317,14 +317,6 @@ Esys_CreateLoaded_Finish(
goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup);
}
- /* Update the meta data of the ESYS_TR object */
- objectHandleNode->rsrc.rsrcType = IESYSC_KEY_RSRC;
- size_t offset = 0;
- r = Tss2_MU_TPMT_PUBLIC_Unmarshal(&esysContext->in.CreateLoaded.inPublic->buffer[0],
- sizeof(TPMT_PUBLIC), &offset ,
- &objectHandleNode->rsrc.misc.rsrc_key_pub.publicArea);
- goto_if_error(r, "Unmarshal TPMT_PUBULIC", error_cleanup);
-
/*Receive the TPM response and handle resubmissions if necessary. */
r = Tss2_Sys_ExecuteFinish(esysContext->sys, esysContext->timeout);
if ((r & ~TSS2_RC_LAYER_MASK) == TSS2_BASE_RC_TRY_AGAIN) {
@@ -386,8 +378,12 @@ Esys_CreateLoaded_Finish(
error_cleanup);
+ /* Update the meta data of the ESYS_TR object */
+ objectHandleNode->rsrc.rsrcType = IESYSC_KEY_RSRC;
+ objectHandleNode->rsrc.misc.rsrc_key_pub = *loutPublic;
+
/* Check name and outPublic for consistency */
- if (!iesys_compare_name(loutPublic, &name))
+ if (!iesys_compare_name(&objectHandleNode->rsrc.misc.rsrc_key_pub, &name))
goto_error(r, TSS2_ESYS_RC_MALFORMED_RESPONSE,
"in Public name not equal name in response", error_cleanup);
diff --git a/test/integration/esys-createloaded.int.c b/test/integration/esys-createloaded.int.c
index ec8d68a0d43d..118f2a3bb1ff 100644
--- a/test/integration/esys-createloaded.int.c
+++ b/test/integration/esys-createloaded.int.c
@@ -8,6 +8,7 @@
#include <config.h>
#endif
+#include <stdbool.h>
#include <stdlib.h>
#include "tss2_esys.h"
@@ -19,6 +20,35 @@
#include "util/log.h"
#include "util/aux_util.h"
+static bool check_name(ESYS_CONTEXT * esys_context, ESYS_TR object_handle)
+{
+ bool result = false;
+
+ TPM2B_NAME *read_name = NULL;
+ TPM2B_NAME *get_name = NULL;
+
+ TSS2_RC r = Esys_ReadPublic(esys_context, object_handle,
+ ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
+ NULL, &read_name, NULL);
+ goto_if_error(r, "Error esys readpublic", out);
+
+ r = Esys_TR_GetName(esys_context, object_handle, &get_name);
+ goto_if_error(r, "Error esys getname", out);
+
+ if (read_name->size != get_name->size) {
+ LOG_ERROR("name size mismatch %u != %u",
+ read_name->size, get_name->size);
+ goto out;
+ }
+
+ result = memcmp(read_name->name, get_name->name, get_name->size) == 0;
+
+out:
+ free(read_name);
+ free(get_name);
+
+ return result;
+}
/** This test is intended to test the ESAPI command CreateLoaded.
*
* We start by creating a primary key (Esys_CreatePrimary).
@@ -29,6 +59,8 @@
* - Esys_CreatePrimary() (M)
* - Esys_FlushContext() (M)
* - Esys_StartAuthSession() (M)
+ * - Esys_TR_GetName() (M)
+ * - Esys_TR_ReadPublic() (M)
*
* Used compiler defines: TEST_SESSION
*
@@ -239,6 +271,11 @@ test_esys_createloaded(ESYS_CONTEXT * esys_context)
goto_if_error(r, "Error During CreateLoaded", error);
+ bool names_match = check_name(esys_context, objectHandle);
+ if (!names_match) {
+ goto error;
+ }
+
r = Esys_FlushContext(esys_context, primaryHandle);
goto_if_error(r, "Flushing context", error);
--
2.27.0

25
SOURCES/0001-Return-proper-error-code-on-memory-allocation-failur.patch
Unescape View File

@ -0,0 +1,25 @@
From 93aab9433b5d66a916e28016a4b60c4a1c39acfc Mon Sep 17 00:00:00 2001
From: Pieter Agten <pieter.agten@gmail.com>
Date: Tue, 3 Dec 2019 20:52:29 +0100
Subject: [PATCH] Return proper error code on memory allocation failure
Signed-off-by: Pieter Agten <pieter.agten@gmail.com>
---
src/tss2-tcti/tctildr.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/tss2-tcti/tctildr.c b/src/tss2-tcti/tctildr.c
index ff967317b57b..1528f6e52fd0 100644
--- a/src/tss2-tcti/tctildr.c
+++ b/src/tss2-tcti/tctildr.c
@@ -421,6 +421,7 @@ Tss2_TctiLdr_Initialize_Ex (const char *name,
}
ldr_ctx = calloc (1, sizeof (TSS2_TCTILDR_CONTEXT));
if (ldr_ctx == NULL) {
+ rc = TSS2_TCTI_RC_MEMORY;
goto err;
}
TSS2_TCTI_MAGIC (ldr_ctx) = TCTILDR_MAGIC;
--
2.27.0

51
SOURCES/0001-build-update-exported-symbols-map-for-libtss2-mu.patch
Unescape View File

@ -0,0 +1,51 @@
From b27956422d1b5bb53a56366e9b7e978f6b95e2f9 Mon Sep 17 00:00:00 2001
From: Erik Larsson <who+github@cnackers.org>
Date: Mon, 2 Dec 2019 11:21:02 +0100
Subject: [PATCH] build: update exported symbols map for libtss2-mu
Signed-off-by: Erik Larsson <who+github@cnackers.org>
---
lib/tss2-mu.def | 4 ++++
lib/tss2-mu.map | 4 ++--
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/lib/tss2-mu.def b/lib/tss2-mu.def
index 36f4ba37b9fc..3c80cf225f77 100644
--- a/lib/tss2-mu.def
+++ b/lib/tss2-mu.def
@@ -226,6 +226,10 @@ EXPORTS
Tss2_MU_TPMU_PUBLIC_PARMS_Unmarshal
Tss2_MU_TPMU_PUBLIC_ID_Marshal
Tss2_MU_TPMU_PUBLIC_ID_Unmarshal
+ Tss2_MU_TPMU_NAME_Marshal
+ Tss2_MU_TPMU_NAME_Unmarshal
+ Tss2_MU_TPMU_ENCRYPTED_SECRET_Marshal
+ Tss2_MU_TPMU_ENCRYPTED_SECRET_Unmarshal
Tss2_MU_TPMT_HA_Marshal
Tss2_MU_TPMT_HA_Unmarshal
Tss2_MU_TPMT_SYM_DEF_Marshal
diff --git a/lib/tss2-mu.map b/lib/tss2-mu.map
index 8ac754ed096a..09d9317e6749 100644
--- a/lib/tss2-mu.map
+++ b/lib/tss2-mu.map
@@ -228,6 +228,8 @@
Tss2_MU_TPMU_PUBLIC_ID_Unmarshal;
Tss2_MU_TPMU_NAME_Marshal;
Tss2_MU_TPMU_NAME_Unmarshal;
+ Tss2_MU_TPMU_ENCRYPTED_SECRET_Marshal;
+ Tss2_MU_TPMU_ENCRYPTED_SECRET_Unmarshal;
Tss2_MU_TPMT_HA_Marshal;
Tss2_MU_TPMT_HA_Unmarshal;
Tss2_MU_TPMT_SYM_DEF_Marshal;
@@ -274,8 +276,6 @@
Tss2_MU_TPM2_NT_Unmarshal;
Tss2_MU_TPMI_ALG_HASH_Marshal;
Tss2_MU_TPMI_ALG_HASH_Unmarshal;
- Tss2_MU_TPMI_BYTE_Marshal;
- Tss2_MU_TPMI_BYTE_Unmarshal;
local:
*;
};
--
2.27.0

1314
SOURCES/0001-esys-Check-object-handle-node-before-calling-compute.patch
View File

File diff suppressed because it is too large Load Diff

45
SOURCES/0001-esys-fix-Esys_StartAuthSession-called-with-optional-.patch
Unescape View File

@ -0,0 +1,45 @@
From 0bd19b61c8cd07d03b6efffc05f95d5ec427a3d6 Mon Sep 17 00:00:00 2001
From: Tadeusz Struk <tadeusz.struk@intel.com>
Date: Tue, 14 Jan 2020 10:55:20 -0800
Subject: [PATCH] esys: fix Esys_StartAuthSession called with optional params
For an HMAC session if any of the optional params are ESYS_TR_NONE
we need to use the same tpm2_handles TPM2_RH_NULL (0x40000007)
as in the prepare call to correctly calculate cpHash and HMAC
values for the session.
Fixes: #1590
Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
---
src/tss2-esys/api/Esys_StartAuthSession.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/src/tss2-esys/api/Esys_StartAuthSession.c b/src/tss2-esys/api/Esys_StartAuthSession.c
index 313604a2077c..3ccd842a7572 100644
--- a/src/tss2-esys/api/Esys_StartAuthSession.c
+++ b/src/tss2-esys/api/Esys_StartAuthSession.c
@@ -260,7 +260,19 @@ Esys_StartAuthSession_Async(
iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL);
/* Generate the auth values and set them in the SAPI command buffer */
- r = iesys_gen_auths(esysContext, tpmKeyNode, bindNode, NULL, &auths);
+
+ RSRC_NODE_T none;
+ size_t offset = 0;
+ none.rsrc.handle = TPM2_RH_NULL;
+ none.rsrc.rsrcType = IESYSC_WITHOUT_MISC_RSRC;
+ r = Tss2_MU_TPM2_HANDLE_Marshal(TPM2_RH_NULL,
+ none.rsrc.name.name,
+ sizeof(none.rsrc.name.name),
+ &offset);
+ return_state_if_error(r, _ESYS_STATE_INIT, "Marshaling TPM handle.");
+ none.rsrc.name.size = offset;
+ r = iesys_gen_auths(esysContext, tpmKeyNode ? tpmKeyNode : &none,
+ bindNode ? bindNode : &none, NULL, &auths);
return_state_if_error(r, _ESYS_STATE_INIT,
"Error in computation of auth values");
--
2.27.0

39
SOURCES/0001-esys-fix-hmac-calculation-for-tpm2_clear-command.patch
Unescape View File

@ -0,0 +1,39 @@
From 3d3808c3eb02c27f1b114baddd03960892044909 Mon Sep 17 00:00:00 2001
From: Tadeusz Struk <tadeusz.struk@intel.com>
Date: Mon, 2 Mar 2020 14:45:52 -0800
Subject: [PATCH] esys: fix hmac calculation for tpm2_clear command
After tpm2_clear command is executed it sets all ownerAuth,
endorsementAuth, and lockoutAuth to the Empty Buffer and then
this is used for a response auth calculation.
This requires to recalculate the esys session auth value after
tpm2_clear is executed or the calculated response HMAC value
will be invalid and the command will fail with
err: 0x0007001b "Authorizing the TPM response failed"
Fixes: #1641
Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
---
src/tss2-esys/api/Esys_Clear.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/tss2-esys/api/Esys_Clear.c b/src/tss2-esys/api/Esys_Clear.c
index f5c0b827425a..0f43f7e9b85f 100644
--- a/src/tss2-esys/api/Esys_Clear.c
+++ b/src/tss2-esys/api/Esys_Clear.c
@@ -199,6 +199,11 @@ Esys_Clear_Async(
return_state_if_error(r, _ESYS_STATE_INTERNALERROR,
"Finish (Execute Async)");
+ /* If the command authorization is LOCKOUT we need to
+ * recompute session value with an empty auth */
+ if (authHandle == ESYS_TR_RH_LOCKOUT)
+ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL);
+
esysContext->state = _ESYS_STATE_SENT;
return r;
--
2.30.1

29
SOURCES/0001-esys-fix-keysize-of-ECC-curve-TPM2_ECC_NISTP224.patch
Unescape View File

@ -0,0 +1,29 @@
From 76641c1e6b016979973fead7a24bb8fca4ee8325 Mon Sep 17 00:00:00 2001
From: Johannes Holland <johannes.holland@infineon.com>
Date: Thu, 26 Sep 2019 09:46:09 +0100
Subject: [PATCH] esys: fix keysize of ECC curve TPM2_ECC_NISTP224
In esys_crypto_ossl.c, for the ECC curve TPM2_ECC_NISTP244 a key size of
38 is selected. However, 224 bit / 8 bit/byte = 28 byte.
Signed-off-by: Johannes Holland <johannes.holland@infineon.com>
---
src/tss2-esys/esys_crypto_ossl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c
index 124501964ae7..3c5d86d69705 100644
--- a/src/tss2-esys/esys_crypto_ossl.c
+++ b/src/tss2-esys/esys_crypto_ossl.c
@@ -804,7 +804,7 @@ iesys_cryptossl_get_ecdh_point(TPM2B_PUBLIC *key,
break;
case TPM2_ECC_NIST_P224:
curveId = NID_secp224r1;
- key_size = 38;
+ key_size = 28;
break;
case TPM2_ECC_NIST_P256:
curveId = NID_X9_62_prime256v1;
--
2.27.0

47
SOURCES/0001-esys-fixup-compute_encrypted_salt-err-handling-in-Es.patch
Unescape View File

@ -0,0 +1,47 @@
From 380d5f9ec3aa1f5e456598fe66d275467660177b Mon Sep 17 00:00:00 2001
From: Tadeusz Struk <tadeusz.struk@intel.com>
Date: Thu, 16 Jan 2020 09:27:04 -0800
Subject: [PATCH] esys: fixup compute_encrypted_salt err handling in
Esys_StartAuthSession
Use return_state_if_error() macro for compute_encrypted_salt()
error handling in Esys_StartAuthSession to maintain the correct
context state.
Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
---
src/tss2-esys/api/Esys_StartAuthSession.c | 13 ++++---------
1 file changed, 4 insertions(+), 9 deletions(-)
diff --git a/src/tss2-esys/api/Esys_StartAuthSession.c b/src/tss2-esys/api/Esys_StartAuthSession.c
index 3ccd842a7572..1717928a717d 100644
--- a/src/tss2-esys/api/Esys_StartAuthSession.c
+++ b/src/tss2-esys/api/Esys_StartAuthSession.c
@@ -223,20 +223,15 @@ Esys_StartAuthSession_Async(
TSS2_RC r2;
r2 = iesys_compute_encrypted_salt(esysContext, tpmKeyNode,
&encryptedSaltAux);
- return_if_error(r2, "Error in parameter encryption.");
+ return_state_if_error(r2, _ESYS_STATE_INIT, "Error in parameter encryption.");
if (nonceCaller == NULL) {
r2 = iesys_crypto_hash_get_digest_size(authHash,&authHash_size);
- if (r2 != TSS2_RC_SUCCESS) {
- LOG_ERROR("Error: initialize auth session (%x).", r2);
- return r2;
- }
+ return_state_if_error(r2, _ESYS_STATE_INIT, "Error in hash_get_digest_size.");
+
r2 = iesys_crypto_random2b(&esysContext->in.StartAuthSession.nonceCallerData,
authHash_size);
- if (r2 != TSS2_RC_SUCCESS) {
- LOG_ERROR("Error: initialize auth session (%x).", r2);
- return r2;
- }
+ return_state_if_error(r2, _ESYS_STATE_INIT, "Error in crypto_random2b.");
esysContext->in.StartAuthSession.nonceCaller
= &esysContext->in.StartAuthSession.nonceCallerData;
nonceCaller = esysContext->in.StartAuthSession.nonceCaller;
--
2.27.0

38
SOURCES/0001-esys-zero-out-ctx-salt-after-on-startAuthSession_fin.patch
Unescape View File

@ -0,0 +1,38 @@
From 1ec07af70925ece698b733d55dedd1d9878b70f2 Mon Sep 17 00:00:00 2001
From: Tadeusz Struk <tadeusz.struk@intel.com>
Date: Fri, 24 Jan 2020 19:05:34 -0800
Subject: [PATCH] esys: zero out ctx->salt after on startAuthSession_finish
The ctx->salt is used to calculate session key during
startAuthSession call if the caller pass a valid tpmKey
parameter. There salt is calculated in the _Async call
and the the session key is calculated in the _Finish call.
The problem is that if in the same context an unsalted
session is created after a salted session the ctx->salt
will still hold the old value and it will incorrectly
be used for session key calculation in the the subsequent
_Finish call. To fix this the salt needs to be set to
cleaned after no longer needed.
Fixes: #1574
Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
---
src/tss2-esys/api/Esys_StartAuthSession.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/tss2-esys/api/Esys_StartAuthSession.c b/src/tss2-esys/api/Esys_StartAuthSession.c
index 1717928a717d..6367419d7c9a 100644
--- a/src/tss2-esys/api/Esys_StartAuthSession.c
+++ b/src/tss2-esys/api/Esys_StartAuthSession.c
@@ -497,6 +497,7 @@ Esys_StartAuthSession_Finish(
goto_if_error(r, "Marshal session name", error_cleanup);
sessionHandleNode->rsrc.name.size = offset;
+ memset(&esysContext->salt, '\0', sizeof(esysContext->salt));
esysContext->state = _ESYS_STATE_INIT;
return TSS2_RC_SUCCESS;
--
2.27.0

41
SOURCES/0001-esys_iutil-fix-possible-NPD.patch
Unescape View File

@ -1,41 +0,0 @@
From f5907e96363729e16475172ef1056532d9404482 Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Fri, 3 Jun 2022 11:51:02 -0500
Subject: [PATCH 1/2] esys_iutil: fix possible NPD
Clang-10 scan-build reports:
src/tss2-esys/esys_iutil.c:1366:56: warning: Dereference of null pointer
auths->auths[auths->count].sessionHandle = session->rsrc.handle;
^~~~~~~~~~~~~~~~~~~~
1 warning generated.
The code above the report checks that session might be NULL:
RSRC_NODE_T *session = esys_context->session_tab[session_idx];
if (session != NULL) {
IESYS_SESSION *rsrc_session = &session->rsrc.misc.rsrc_session;
if (rsrc_session->type_policy_session == POLICY_PASSWORD) {
Thus suggesting/indicating session may be NULL in subsequent code where
session is dereferenced.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
src/tss2-esys/esys_iutil.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tss2-esys/esys_iutil.c b/src/tss2-esys/esys_iutil.c
index 4d31cef8..b364dd73 100644
--- a/src/tss2-esys/esys_iutil.c
+++ b/src/tss2-esys/esys_iutil.c
@@ -1352,7 +1352,7 @@ iesys_gen_auths(ESYS_CONTEXT * esys_context,
&& encryptNonceIdx > 0) ? encryptNonce : NULL,
&auths->auths[session_idx]);
return_if_error(r, "Error while computing hmacs");
- if (esys_context->session_tab[session_idx] != NULL) {
+ if (esys_context->session_tab[session_idx] != NULL && session != NULL) {
auths->auths[auths->count].sessionHandle = session->rsrc.handle;
auths->count++;
}
--
2.39.2

62
SOURCES/0001-esys_iutil-use-memcmp-in-byte-array-comparison.patch
Unescape View File

@ -0,0 +1,62 @@
From 0bf42a4489973005ddd912a800dfb92eff2806e8 Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Mon, 16 Sep 2019 17:12:23 -0700
Subject: [PATCH] esys_iutil: use memcmp in byte array comparison
Rather than a byte for byte forloop, use memcmp() so the compiler can
use architectural optimizations.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
src/tss2-esys/esys_iutil.c | 27 +++++----------------------
1 file changed, 5 insertions(+), 22 deletions(-)
diff --git a/src/tss2-esys/esys_iutil.c b/src/tss2-esys/esys_iutil.c
index 94d0332c5b7d..08a9b7dffcbd 100644
--- a/src/tss2-esys/esys_iutil.c
+++ b/src/tss2-esys/esys_iutil.c
@@ -35,23 +35,6 @@ cmp_UINT16(const UINT16 * in1, const UINT16 * in2)
}
}
-/**
- * Compare variables of type BYTE.
- * @param[in] in1 Variable to be compared with:
- * @param[in] in2
- */
-static bool
-cmp_BYTE(const BYTE * in1, const BYTE * in2)
-{
- LOG_TRACE("call");
- if (*in1 == *in2)
- return true;
- else {
- LOG_TRACE("cmp false");
- return false;
- }
-}
-
/**
* Compare two arrays of type BYTE.
* @param[in] in1 array to be compared with:.
@@ -65,12 +48,12 @@ cmp_BYTE_array(const BYTE * in1, size_t count1, const BYTE * in2, size_t count2)
LOG_TRACE("cmp false");
return false;
}
- for (size_t i = 0; i < count1; i++) {
- if (!cmp_BYTE(&in1[i], &in2[i])) {
- LOG_TRACE("cmp false");
- return false;
- }
+
+ if (memcmp(in1, in2, count2) != 0) {
+ LOG_TRACE("cmp false");
+ return false;
}
+
return true;
}
--
2.27.0

84
SOURCES/0001-man-Clean-up-libmandoc-parser-warnings.patch
Unescape View File

@ -0,0 +1,84 @@
From d696645b147eaac5d5c90ff3dca672e52d89d7f0 Mon Sep 17 00:00:00 2001
From: Jerry Snitselaar <jsnitsel@redhat.com>
Date: Mon, 27 Apr 2020 12:16:47 -0700
Subject: [PATCH] man: Clean up libmandoc parser warnings
- Fix typo in Tss2_Tcti_Device_Init.3.in.
- Remove .RE macros that had no preceding .RS macro in Tss2_TctiLdr_Initialize.3.in.
Replace .RE .sp with .LP.
- ' is a control character, format function names to be similar to
other manpages, and use \(oq and \(cq for quotes instead in tss2-tctildr.7.in.
Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
---
man/Tss2_TctiLdr_Initialize.3.in | 6 ++----
man/Tss2_Tcti_Device_Init.3.in | 2 +-
man/tss2-tctildr.7.in | 12 ++++++++----
3 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/man/Tss2_TctiLdr_Initialize.3.in b/man/Tss2_TctiLdr_Initialize.3.in
index 8e5fffaa247b..eb5ea1f8315f 100644
--- a/man/Tss2_TctiLdr_Initialize.3.in
+++ b/man/Tss2_TctiLdr_Initialize.3.in
@@ -65,8 +65,7 @@ libtss2-tcti-tabrmd.so.0
libtss2-tcti-device.so.0
.IP \[bu]
libtss2-tcti-mssim.so.0
-.RE
-.sp
+.LP
When the
.I name
string is neither NULL nor the empty string the implementation will attempt
@@ -81,8 +80,7 @@ name with the following permutations:
libtss2-tcti-<name>.so.0
.IP \[bu]
libtss2-tcti-<name>.so
-.RE
-.sp
+.LP
The
.I config
string is not interpreted by the TctiLdr init functions and is passed
diff --git a/man/Tss2_Tcti_Device_Init.3.in b/man/Tss2_Tcti_Device_Init.3.in
index 3cd2eed7fb0b..122ede1536bc 100644
--- a/man/Tss2_Tcti_Device_Init.3.in
+++ b/man/Tss2_Tcti_Device_Init.3.in
@@ -86,7 +86,7 @@ is returned if any parameters contain unexpected values.
is returned if any parameters are NULL when they should not be.
.B TSS2_TCTI_RC_BAD_CONTEXT
is returned if the size of the provided
-.i tctiContext
+.I tctiContext
is insufficient.
.SH EXAMPLE
TCTI initialization fragment:
diff --git a/man/tss2-tctildr.7.in b/man/tss2-tctildr.7.in
index a907aec0cd64..7432316ec6bb 100644
--- a/man/tss2-tctildr.7.in
+++ b/man/tss2-tctildr.7.in
@@ -10,13 +10,17 @@ instances.
.SH DESCRIPTION
The TCTI dynamic loading and initialization protocol requires a lot of
boilerplate code. To reduce duplication the tss2-tctildr library adds the
-'Tss2_TctiLdr_Initialize', 'Tss2_TctiLdr_Initialize_Ex' and
-'Tss2_TctiLdr_Finalize' functions to abstract away the machinery required
+.BR Tss2_TctiLdr_Initialize (),
+.BR Tss2_TctiLdr_Initialize_Ex (),
+and
+.BR Tss2_TctiLdr_Finalize ()
+functions to abstract away the machinery required
to load, initialize, and finalize a TCTI context.
To assist in the discovery of TCTIs this library provides the
-'Tss2_TctiLdr_GetInfo' function. This function, paired with a 'free'
-function to free the memory allocated by 'GetInfo', provides a simple
+.BR Tss2_TctiLdr_GetInfo ()
+function. This function, paired with a \(oqfree\(cq
+function to free the memory allocated by \(oqGetInfo\(cq, provides a simple
query interface for discovery of the available and default TCTIs
available to the tss2-tctildr implementation
--
2.24.0

71
SOURCES/0001-mu-Remove-use-of-VLAs-for-Marshalling-TPML-types.patch
Unescape View File

@ -0,0 +1,71 @@
From 58ee0fd916671942e62ac9930f18225761a6dd66 Mon Sep 17 00:00:00 2001
From: Joe Richey <joerichey@google.com>
Date: Tue, 21 Jan 2020 20:04:45 -0800
Subject: [PATCH] mu: Remove use of VLAs for Marshalling TPML types
All of the `Tss2_MU_*_Marshal()` functions have the property that
`buffer` can be NULL, `offset` can be NULL, but both cannot be
NULL. Some Marshal functions check this directly (returning
`TSS2_MU_RC_BAD_REFERENCE` on error), but most do this by composing
existing Marshalling functions together.
The TMPL Marshal functions does things differently, it creates a local
VLA `local_buffer[buffer_size]` and uses that as the buffer pointer if
a NULL buffer is given. This is unnecessary, as this pointer is only
used for debug logging and passed to other Marshalling functions, which
will correctly handle a NULL buffer.
Note that the VLA in the existing code is of length `buffer_size` (the
length of the _entire_ buffer, _not_ the length of the data being
unmarshaled). This can potentially result in a very large stack
allocation, or stack overflow.
Signed-off-by: Joe Richey <joerichey@google.com>
---
src/tss2-mu/tpml-types.c | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/src/tss2-mu/tpml-types.c b/src/tss2-mu/tpml-types.c
index 9506a26efd14..ae1ed6177d75 100644
--- a/src/tss2-mu/tpml-types.c
+++ b/src/tss2-mu/tpml-types.c
@@ -29,8 +29,6 @@ TSS2_RC Tss2_MU_##type##_Marshal(type const *src, uint8_t buffer[], \
size_t local_offset = 0; \
UINT32 i, count = 0; \
TSS2_RC ret = TSS2_RC_SUCCESS; \
- uint8_t *buf_ptr = buffer; \
- uint8_t local_buffer[buffer_size]; \
\
if (offset != NULL) { \
LOG_TRACE("offset non-NULL, initial value: %zu", *offset); \
@@ -60,24 +58,21 @@ TSS2_RC Tss2_MU_##type##_Marshal(type const *src, uint8_t buffer[], \
LOG_WARNING("count too big"); \
return TSS2_SYS_RC_BAD_VALUE; \
} \
-\
- if (buf_ptr == NULL) \
- buf_ptr = local_buffer; \
\
LOG_DEBUG(\
"Marshalling " #type " from 0x%" PRIxPTR " to buffer 0x%" PRIxPTR \
" at index 0x%zx", \
(uintptr_t)&src, \
- (uintptr_t)buf_ptr, \
+ (uintptr_t)buffer, \
local_offset); \
\
- ret = Tss2_MU_UINT32_Marshal(src->count, buf_ptr, buffer_size, &local_offset); \
+ ret = Tss2_MU_UINT32_Marshal(src->count, buffer, buffer_size, &local_offset); \
if (ret) \
return ret; \
\
for (i = 0; i < src->count; i++) \
{ \
- ret = marshal_func(op src->buf_name[i], buf_ptr, buffer_size, &local_offset); \
+ ret = marshal_func(op src->buf_name[i], buffer, buffer_size, &local_offset); \
if (ret) \
return ret; \
} \
--
2.27.0

29
SOURCES/0001-sys-match-counter-variable-type-for-cmdAuthsArray-co.patch
Unescape View File

@ -0,0 +1,29 @@
From 5ab8190843597ff6a255c59f91582e4dca117927 Mon Sep 17 00:00:00 2001
From: Jonas Witschel <diabonas@gmx.de>
Date: Thu, 21 Nov 2019 14:49:27 +0100
Subject: [PATCH] sys: match counter variable type for cmdAuthsArray->count
TSS2L_SYS_AUTH_COMMAND.count is defined as uint16_t, so the counter
variable should be uint16_t as well.
Signed-off-by: Jonas Witschel <diabonas@gmx.de>
---
src/tss2-sys/api/Tss2_Sys_SetCmdAuths.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tss2-sys/api/Tss2_Sys_SetCmdAuths.c b/src/tss2-sys/api/Tss2_Sys_SetCmdAuths.c
index 1bc3f3c2556f..d946c14e5cfb 100644
--- a/src/tss2-sys/api/Tss2_Sys_SetCmdAuths.c
+++ b/src/tss2-sys/api/Tss2_Sys_SetCmdAuths.c
@@ -20,7 +20,7 @@ TSS2_RC Tss2_Sys_SetCmdAuths(
const TSS2L_SYS_AUTH_COMMAND *cmdAuthsArray)
{
_TSS2_SYS_CONTEXT_BLOB *ctx = syscontext_cast(sysContext);
- uint8_t i;
+ uint16_t i;
UINT32 authSize = 0;
UINT32 newCmdSize = 0;
size_t authOffset;
--
2.27.0

39
SOURCES/0001-tcti-device-getPollHandles-should-allow-num_handles-.patch
Unescape View File

@ -0,0 +1,39 @@
From c42450a294c4267998aa16a477e9218ee5953aa9 Mon Sep 17 00:00:00 2001
From: Jeffrey Ferreira <jeffpferreira@gmail.com>
Date: Thu, 19 Sep 2019 13:32:00 -0700
Subject: [PATCH] tcti-device: getPollHandles should allow num_handles query
Signed-off-by: Jeffrey Ferreira <jeffpferreira@gmail.com>
---
src/tss2-tcti/tcti-device.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/tss2-tcti/tcti-device.c b/src/tss2-tcti/tcti-device.c
index 44c9fe2083d5..53a698cad061 100644
--- a/src/tss2-tcti/tcti-device.c
+++ b/src/tss2-tcti/tcti-device.c
@@ -368,12 +368,19 @@ tcti_device_get_poll_handles (
return TSS2_TCTI_RC_BAD_CONTEXT;
}
- if (handles == NULL || num_handles == NULL) {
+ if (num_handles == NULL) {
return TSS2_TCTI_RC_BAD_REFERENCE;
}
+ if (handles != NULL && *num_handles < 1) {
+ return TSS2_TCTI_RC_INSUFFICIENT_BUFFER;
+ }
+
*num_handles = 1;
- handles->fd = tcti_dev->fd;
+ if (handles != NULL) {
+ handles->fd = tcti_dev->fd;
+ }
+
return TSS2_RC_SUCCESS;
#else
(void)(tctiContext);
--
2.27.0

39
SOURCES/0001-tctildr-fix-segmentation-fault-if-name_conf-is-too-b.patch
Unescape View File

@ -0,0 +1,39 @@
From ffca561b2de43df0a9f7f9c0e717fca943f2c38b Mon Sep 17 00:00:00 2001
From: Johannes Holland <joh.ho@gmx.de>
Date: Tue, 20 Aug 2019 16:58:09 +0200
Subject: [PATCH] tctildr: fix segmentation fault if name_conf is too big
When strlen(name_conf) is too big and logging is set to at least DEBUG,
tctildr_conf_parse will cause a segmentation fault. This happens when
the unit tests are run with logging set to DEBUG. Hence, the logging
call has to be done after the check for strlen(name_conf).
Signed-off-by: Johannes Holland <joh.ho@gmx.de>
---
src/tss2-tcti/tctildr.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/tss2-tcti/tctildr.c b/src/tss2-tcti/tctildr.c
index 76248f358860..ff967317b57b 100644
--- a/src/tss2-tcti/tctildr.c
+++ b/src/tss2-tcti/tctildr.c
@@ -117,7 +117,6 @@ tctildr_conf_parse (const char *name_conf,
char *split;
size_t combined_length;
- LOG_DEBUG ("name_conf: \"%s\"", name_conf);
if (name_conf == NULL) {
LOG_ERROR ("'name_conf' param may NOT be NULL");
return TSS2_TCTI_RC_BAD_REFERENCE;
@@ -127,6 +126,8 @@ tctildr_conf_parse (const char *name_conf,
LOG_ERROR ("combined conf length must be between 0 and PATH_MAX");
return TSS2_TCTI_RC_BAD_VALUE;
}
+
+ LOG_DEBUG ("name_conf: \"%s\"", name_conf);
if (combined_length == 0)
return TSS2_RC_SUCCESS;
split = strchr (name_conf, ':');
--
2.27.0

96
SOURCES/0001-tctildr-remove-the-private-implementation-of-strndup.patch
Unescape View File

@ -0,0 +1,96 @@
From 464da22b71e26421f55d4e8abc14711f89c89a28 Mon Sep 17 00:00:00 2001
From: Tadeusz Struk <tadeusz.struk@intel.com>
Date: Thu, 20 Feb 2020 14:11:43 -0800
Subject: [PATCH] tctildr: remove the private implementation of strndup
In fact the private implementation of strndup is only
needed for windows.
Fixes: #1633
Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
---
configure.ac | 2 +-
src/tss2-tcti/tctildr.c | 37 +++++++++++++++++--------------------
2 files changed, 18 insertions(+), 21 deletions(-)
diff --git a/configure.ac b/configure.ac
index d7724805966b..aa4ffb1b78a1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -45,7 +45,6 @@ case "${host_os}" in
esac
AC_SUBST([LIBSOCKET_LDFLAGS])
-AC_CHECK_FUNCS([strndup])
AC_ARG_ENABLE([unit],
[AS_HELP_STRING([--enable-unit],
[build cmocka unit tests])],,
@@ -65,6 +64,7 @@ AC_ARG_ENABLE([esapi],
AM_CONDITIONAL(ESAPI, test "x$enable_esapi" = "xyes")
+AC_CHECK_FUNC([strndup],[],[AC_MSG_ERROR([strndup function not found])])
AC_ARG_ENABLE([tcti-device-async],
AS_HELP_STRING([--enable-tcti-device-async],
[Enable asynchronus operation on TCTI device
diff --git a/src/tss2-tcti/tctildr.c b/src/tss2-tcti/tctildr.c
index a46b301b3ea7..92af1d3a787d 100644
--- a/src/tss2-tcti/tctildr.c
+++ b/src/tss2-tcti/tctildr.c
@@ -15,8 +15,25 @@
#include <linux/limits.h>
#elif defined(_MSC_VER)
#include <windows.h>
+#include <limits.h>
#ifndef PATH_MAX
#define PATH_MAX MAX_PATH
+
+static char *strndup(const char* s, size_t n)
+{
+ char *dst = NULL;
+
+ if (n + 1 >= USHRT_MAX)
+ return NULL;
+
+ dst = calloc(1, n + 1);
+
+ if (dst == NULL)
+ return NULL;
+
+ memcpy(dst, s, n);
+ return dst;
+}
#endif
#else
#include <limits.h>
@@ -268,26 +285,6 @@ Tss2_TctiLdr_Finalize (TSS2_TCTI_CONTEXT **tctiContext)
*tctiContext = NULL;
}
-#if !defined(HAVE_STRNDUP)
-char*
-strndup (const char* s,
- size_t n)
-{
- char* dst = NULL;
-
- if (n + 1 < n) {
- return NULL;
- }
- dst = calloc(1, n + 1);
- if (dst == NULL) {
- return NULL;
- }
- memcpy(dst, s, n);
-
- return dst;
-}
-#endif /* HAVE_STRNDUP */
-
TSS2_RC
copy_info (const TSS2_TCTI_INFO *info_src,
TSS2_TCTI_INFO *info_dst)
--
2.30.1

65
SOURCES/0001-tss2-rc-fix-unknown-layer-handler-dropping-bits.patch
Unescape View File

@ -1,65 +0,0 @@
From eb2fd8b436688377a20d24a467fd03e62d3e6c06 Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Tue, 24 Jan 2023 10:01:23 -0600
Subject: [PATCH 01/10] tss2-rc: fix unknown layer handler dropping bits
The commit (on 4.0.1 and master):
- 49107d65d5c7 tss2_rc: ensure layer number is in bounds
Introduces a bug where the right shift by 8 drops the lower byte going
into the unknown_layer handler function. This will effectively drop rc
error bits for unknown layers. The largest impact will be on windows
where their resource manager is not a registered handler.
Fix this by just dumping all the bytes and not get fancy with masking
things out.
Fixes: #2550
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
src/tss2-rc/tss2_rc.c | 4 ++--
test/unit/test_tss2_rc.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/tss2-rc/tss2_rc.c b/src/tss2-rc/tss2_rc.c
index 7e668a46..6de7d6f3 100644
--- a/src/tss2-rc/tss2_rc.c
+++ b/src/tss2-rc/tss2_rc.c
@@ -985,9 +985,9 @@ Tss2_RC_Decode(TSS2_RC rc)
} else {
/*
* we don't want to drop any bits if we don't know what to do with it
- * so drop the layer byte since we we already have that.
+ * so just send the whole thing.
*/
- const char *e = unknown_layer_handler(rc >> 8);
+ const char *e = unknown_layer_handler(rc);
assert(e);
catbuf(buf, "%s", e);
}
diff --git a/test/unit/test_tss2_rc.c b/test/unit/test_tss2_rc.c
index 0b0f57c6..e5051c85 100644
--- a/test/unit/test_tss2_rc.c
+++ b/test/unit/test_tss2_rc.c
@@ -199,7 +199,7 @@ test_custom_handler(void **state)
* Test an unknown layer
*/
e = Tss2_RC_Decode(rc);
- assert_string_equal(e, "1:0x100");
+ assert_string_equal(e, "1:0x1002A");
}
static void
@@ -288,7 +288,7 @@ test_all_FFs(void **state)
(void) state;
const char *e = Tss2_RC_Decode(0xFFFFFFFF);
- assert_string_equal(e, "255:0xFFFFFF");
+ assert_string_equal(e, "255:0xFFFFFFFF");
}
static void
--
2.41.0

139
SOURCES/0001-tss2_rc-ensure-layer-number-is-in-bounds.patch
Unescape View File

@ -0,0 +1,139 @@
From 79f62668a31a2da938f83d534a49ad7f9bc144ca Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Thu, 19 Jan 2023 11:53:06 -0600
Subject: [PATCH] tss2_rc: ensure layer number is in bounds
The layer handler array was defined as 255, the max number of uint8,
which is the size of the layer field, however valid values are 0-255
allowing for 256 possibilities and thus the array was off by one and
needed to be sized to 256 entries. Update the size and add tests.
Note: previous implementations incorrectly dropped bits on unknown error
output, ie TSS2_RC of 0xFFFFFF should yeild a string of 255:0xFFFFFF,
but earlier implementations returned 255:0xFFFF, dropping the middle
bits, this patch fixes that.
Fixes: CVE-2023-22745
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
src/tss2-rc/tss2_rc.c | 31 +++++++++++++++++++++----------
test/unit/test_tss2_rc.c | 21 ++++++++++++++++++++-
2 files changed, 41 insertions(+), 11 deletions(-)
diff --git a/src/tss2-rc/tss2_rc.c b/src/tss2-rc/tss2_rc.c
index 93743048..0a64958f 100644
--- a/src/tss2-rc/tss2_rc.c
+++ b/src/tss2-rc/tss2_rc.c
@@ -1,5 +1,8 @@
/* SPDX-License-Identifier: BSD-2-Clause */
-
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+#include <assert.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
@@ -777,7 +780,7 @@ sys_err_handler (TSS2_RC rc)
static struct {
char name[TSS2_ERR_LAYER_NAME_MAX];
TSS2_RC_HANDLER handler;
-} layer_handler[TPM2_ERROR_TSS2_RC_LAYER_COUNT] = {
+} layer_handler[TPM2_ERROR_TSS2_RC_LAYER_COUNT + 1] = {
ADD_HANDLER("tpm" , tpm2_ehandler),
ADD_NULL_HANDLER, /* layer 1 is unused */
ADD_NULL_HANDLER, /* layer 2 is unused */
@@ -812,7 +815,7 @@ unknown_layer_handler(TSS2_RC rc)
static __thread char buf[32];
clearbuf(buf);
- catbuf(buf, "0x%X", tpm2_error_get(rc));
+ catbuf(buf, "0x%X", rc);
return buf;
}
@@ -909,19 +912,27 @@ Tss2_RC_Decode(TSS2_RC rc)
catbuf(buf, "%u:", layer);
}
- handler = !handler ? unknown_layer_handler : handler;
-
/*
* Handlers only need the error bits. This way they don't
* need to concern themselves with masking off the layer
* bits or anything else.
*/
- UINT16 err_bits = tpm2_error_get(rc);
- const char *e = err_bits ? handler(err_bits) : "success";
- if (e) {
- catbuf(buf, "%s", e);
+ if (handler) {
+ UINT16 err_bits = tpm2_error_get(rc);
+ const char *e = err_bits ? handler(err_bits) : "success";
+ if (e) {
+ catbuf(buf, "%s", e);
+ } else {
+ catbuf(buf, "0x%X", err_bits);
+ }
} else {
- catbuf(buf, "0x%X", err_bits);
+ /*
+ * we don't want to drop any bits if we don't know what to do with it
+ * so drop the layer byte since we we already have that.
+ */
+ const char *e = unknown_layer_handler(rc >> 8);
+ assert(e);
+ catbuf(buf, "%s", e);
}
return buf;
diff --git a/test/unit/test_tss2_rc.c b/test/unit/test_tss2_rc.c
index 1c8d66c9..9369beda 100644
--- a/test/unit/test_tss2_rc.c
+++ b/test/unit/test_tss2_rc.c
@@ -198,7 +198,7 @@ test_custom_handler(void **state)
* Test an unknown layer
*/
e = Tss2_RC_Decode(rc);
- assert_string_equal(e, "1:0x2A");
+ assert_string_equal(e, "1:0x100");
}
static void
@@ -281,6 +281,23 @@ test_tcti(void **state)
assert_string_equal(e, "tcti:Fails to connect to next lower layer");
}
+static void
+test_all_FFs(void **state)
+{
+ (void) state;
+
+ const char *e = Tss2_RC_Decode(0xFFFFFFFF);
+ assert_string_equal(e, "255:0xFFFFFF");
+}
+
+static void
+test_all_FFs_set_handler(void **state)
+{
+ (void) state;
+ Tss2_RC_SetHandler(0xFF, "garbage", custom_err_handler);
+ Tss2_RC_SetHandler(0xFF, NULL, NULL);
+}
+
/* link required symbol, but tpm2_tool.c declares it AND main, which
* we have a main below for cmocka tests.
*/
@@ -312,6 +329,8 @@ main(int argc, char* argv[])
cmocka_unit_test(test_esys),
cmocka_unit_test(test_mu),
cmocka_unit_test(test_tcti),
+ cmocka_unit_test(test_all_FFs),
+ cmocka_unit_test(test_all_FFs_set_handler)
};
return cmocka_run_group_tests(tests, NULL, NULL);
--
2.40.1

65
SOURCES/0002-MU-Fix-unneeded-size-check-in-TPM2B-unmarshaling.patch
Unescape View File

@ -1,65 +0,0 @@
From 6e4f8823ca6f7f062df3cd4ee88e397fac9adc37 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Thu, 9 Feb 2023 15:22:08 +0100
Subject: [PATCH 02/10] MU: Fix unneeded size check in TPM2B unmarshaling
There is a size check for the destination object whether the size is zero.
If the memory of the destination object is no cleared this might cause
a race conditions.
Unneeded tests from the integration test tpmclient were removed.
Fixes: #2564
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-mu/tpm2b-types.c | 6 +-----
test/tpmclient/tpmclient.int.c | 9 ---------
2 files changed, 1 insertion(+), 14 deletions(-)
diff --git a/src/tss2-mu/tpm2b-types.c b/src/tss2-mu/tpm2b-types.c
index 2e10f487..6e8915f6 100644
--- a/src/tss2-mu/tpm2b-types.c
+++ b/src/tss2-mu/tpm2b-types.c
@@ -248,11 +248,7 @@ TSS2_RC Tss2_MU_##type##_Unmarshal(uint8_t const buffer[], size_t buffer_size, \
sizeof(size)); \
return TSS2_MU_RC_INSUFFICIENT_BUFFER; \
} \
- if (dest && dest->size != 0) { \
- LOG_WARNING("Size not zero"); \
- return TSS2_SYS_RC_BAD_VALUE; \
- } \
-\
+ \
rc = Tss2_MU_UINT16_Unmarshal(buffer, buffer_size, &local_offset, &size); \
if (rc) \
return rc; \
diff --git a/test/tpmclient/tpmclient.int.c b/test/tpmclient/tpmclient.int.c
index deedcfb7..16443955 100644
--- a/test/tpmclient/tpmclient.int.c
+++ b/test/tpmclient/tpmclient.int.c
@@ -847,12 +847,6 @@ static void TestHierarchyControl()
rval = Tss2_Sys_NV_DefineSpace( sysContext, TPM2_RH_PLATFORM, &sessionsData, &nvAuth, &publicInfo, 0 );
CheckPassed( rval );
- /* Test SYS for case where nvPublic.size != 0 */
- nvPublic.size = 0xff;
- INIT_SIMPLE_TPM2B_SIZE( nvName );
- rval = Tss2_Sys_NV_ReadPublic( sysContext, TPM20_INDEX_TEST1, 0, &nvPublic, &nvName, 0 );
- CheckFailed( rval, TSS2_SYS_RC_BAD_VALUE );
-
nvPublic.size = 0;
INIT_SIMPLE_TPM2B_SIZE( nvName );
rval = Tss2_Sys_NV_ReadPublic( sysContext, TPM20_INDEX_TEST1, 0, &nvPublic, &nvName, 0 );
@@ -2135,10 +2129,7 @@ static void EcEphemeralTest()
LOG_INFO("EC Ephemeral TESTS:" );
- /* Test SYS for case of Q size field not being set to 0. */
INIT_SIMPLE_TPM2B_SIZE( Q );
- rval = Tss2_Sys_EC_Ephemeral( sysContext, 0, TPM2_ECC_BN_P256, &Q, &counter, 0 );
- CheckFailed( rval, TSS2_SYS_RC_BAD_VALUE );
Q.size = 0;
rval = Tss2_Sys_EC_Ephemeral( sysContext, 0, TPM2_ECC_BN_P256, &Q, &counter, 0 );
--
2.41.0

31
SOURCES/0002-esys-Shared-secret-calculation-is-not-spec-compliant.patch
Unescape View File

@ -0,0 +1,31 @@
From b94392537a1ed43918483a2bfa8a90e5fd05354d Mon Sep 17 00:00:00 2001
From: Stefan Thom <mail@LordOfDorks.com>
Date: Fri, 5 Jun 2020 12:11:39 -0700
Subject: [PATCH 2/4] esys: Shared secret calculation is not spec compliant.
Refer to specification part 1 Architecture, Section 20.1 AuditSession
Introduction: If the session was bound when created (see 19.6.10 and
19.6.12), the bind value is lost and any further use of the session for
authorization will require that the authValue be used in the HMAC.
Signed-off-by: Stefan Thom <mail@LordOfDorks.com>
---
src/tss2-esys/esys_tr.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/tss2-esys/esys_tr.c b/src/tss2-esys/esys_tr.c
index c9ea537a..d14c7d35 100644
--- a/src/tss2-esys/esys_tr.c
+++ b/src/tss2-esys/esys_tr.c
@@ -511,6 +511,8 @@ Esys_TRSess_SetAttributes(ESYS_CONTEXT * esys_context, ESYS_TR esys_handle,
esys_object->rsrc.misc.rsrc_session.sessionAttributes =
(esys_object->rsrc.misc.rsrc_session.
sessionAttributes & ~mask) | (flags & mask);
+ if (esys_object->rsrc.misc.rsrc_session.sessionAttributes & TPMA_SESSION_AUDIT)
+ esys_object->rsrc.misc.rsrc_session.bound_entity.size = 0;
return TSS2_RC_SUCCESS;
}
--
2.41.0

78
SOURCES/0003-FAPI-Fix-parameter-encryption-for-provisioning.patch
Unescape View File

@ -1,78 +0,0 @@
From d486edf730d652c8ab2fc50eb00e45223b43628f Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Tue, 14 Feb 2023 19:52:28 +0100
Subject: [PATCH 03/10] FAPI: Fix parameter encryption for provisioning
Currently no parameter encryption was made during provisioning.
Now the EK es used as tpmkey for the create primary session of
the SRK and the SRK is used for parameter encryption of the
other command executed during provisioning.
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-fapi/api/Fapi_Provision.c | 6 ++++--
src/tss2-fapi/fapi_int.h | 7 ++++---
src/tss2-fapi/fapi_util.c | 5 ++++-
3 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/src/tss2-fapi/api/Fapi_Provision.c b/src/tss2-fapi/api/Fapi_Provision.c
index 97c25828..48f2fd3b 100644
--- a/src/tss2-fapi/api/Fapi_Provision.c
+++ b/src/tss2-fapi/api/Fapi_Provision.c
@@ -884,7 +884,8 @@ Fapi_Provision_Finish(FAPI_CONTEXT *context)
statecase(context->state, PROVISION_INIT_SRK);
/* Create session which will be used for SRK generation. */
context->srk_handle = context->ek_handle;
- r = ifapi_get_sessions_async(context, IFAPI_SESSION1, 0, 0);
+ r = ifapi_get_sessions_async(context, IFAPI_SESSION_USE_SRK | IFAPI_SESSION1,
+ TPMA_SESSION_DECRYPT, 0);
goto_if_error_reset_state(r, "Create sessions", error_cleanup);
fallthrough;
@@ -1084,7 +1085,8 @@ Fapi_Provision_Finish(FAPI_CONTEXT *context)
try_again_or_error_goto(r, "Cleanup", error_cleanup);
/* Create session which will be used for parameter encryption. */
- r = ifapi_get_sessions_async(context, IFAPI_SESSION1, 0, 0);
+ r = ifapi_get_sessions_async(context, IFAPI_SESSION_USE_SRK | IFAPI_SESSION1,
+ TPMA_SESSION_DECRYPT, 0);
goto_if_error_reset_state(r, "Create sessions", error_cleanup);
fallthrough;
diff --git a/src/tss2-fapi/fapi_int.h b/src/tss2-fapi/fapi_int.h
index 5f666a75..8533112a 100644
--- a/src/tss2-fapi/fapi_int.h
+++ b/src/tss2-fapi/fapi_int.h
@@ -55,9 +55,10 @@ typedef UINT32 TSS2_KEY_TYPE;
#define MAX_PLATFORM_CERT_HANDLE 0x01C0FFFF
typedef UINT8 IFAPI_SESSION_TYPE;
-#define IFAPI_SESSION_GENEK 0x01
-#define IFAPI_SESSION1 0x02
-#define IFAPI_SESSION2 0x04
+#define IFAPI_SESSION_GENEK 0x01
+#define IFAPI_SESSION1 0x02
+#define IFAPI_SESSION2 0x04
+#define IFAPI_SESSION_USE_SRK 0x08
#define IFAPI_POLICY_PATH "policy"
#define IFAPI_NV_PATH "nv"
diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
index 44dd4168..ded0d247 100644
--- a/src/tss2-fapi/fapi_util.c
+++ b/src/tss2-fapi/fapi_util.c
@@ -1327,7 +1327,10 @@ ifapi_get_sessions_async(FAPI_CONTEXT *context,
context->session2_attribute_flags = attribute_flags2;
char *file = NULL;
- if (!(session_flags & IFAPI_SESSION_GENEK)) {
+ if (session_flags & IFAPI_SESSION_USE_SRK) {
+ context->session_state = SESSION_CREATE_SESSION;
+ return TSS2_RC_SUCCESS;
+ } else if (!(session_flags & IFAPI_SESSION_GENEK)) {
context->srk_handle = ESYS_TR_NONE;
context->session_state = SESSION_CREATE_SESSION;
return TSS2_RC_SUCCESS;
--
2.41.0

45
SOURCES/0003-esys_iutil.c-Fix-issue-where-nonceTPM-was-included-t.patch
Unescape View File

@ -0,0 +1,45 @@
From 7a56b84b5990b07efd30b5bf79331c74d28df954 Mon Sep 17 00:00:00 2001
From: Imran Desai <imran.desai@intel.com>
Date: Mon, 22 Mar 2021 16:43:36 -0700
Subject: [PATCH 3/4] esys_iutil.c: Fix issue where nonceTPM was included twice
in hmac
Fixes #2037
TPM2.0 Architecture 19.6.5 Note 7
If the same session (not the first session) is used for decrypt and
encrypt, its nonceTPM is only used once. If different sessions are
used for decrypt and encrypt, both nonceTPMs are included.
Signed-off-by: Imran Desai <imran.desai@intel.com>
---
src/tss2-esys/esys_iutil.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/src/tss2-esys/esys_iutil.c b/src/tss2-esys/esys_iutil.c
index 08a9b7df..1910c570 100644
--- a/src/tss2-esys/esys_iutil.c
+++ b/src/tss2-esys/esys_iutil.c
@@ -1265,6 +1265,18 @@ iesys_gen_auths(ESYS_CONTEXT * esys_context,
&encryptNonce);
return_if_error(r, "More than one crypt session");
+ /*
+ * TPM2.0 Architecture 19.6.5 Note 7
+ *
+ * If the same session (not the first session) is used for decrypt and
+ * encrypt, its nonceTPM is only used once. If different sessions are used
+ * for decrypt and encrypt, both nonceTPMs are included
+ */
+ if (decryptNonceIdx && (decryptNonceIdx == encryptNonceIdx)) {
+ decryptNonceIdx = 0;
+ }
+
+
/* Compute cp hash values for command buffer for all used algorithms */
r = iesys_compute_cp_hashtab(esys_context,
--
2.41.0

42
SOURCES/0004-ESYS-Fix-buffer-overflow-in-xor-parameter-obfuscatio.patch
Unescape View File

@ -0,0 +1,42 @@
From 3a540d570d265c80dca31bfec23d267cdfa1c294 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
Date: Mon, 12 Jul 2021 10:52:53 +0200
Subject: [PATCH 4/4] ESYS: Fix buffer overflow in xor parameter obfuscation.
If trace is activated LOGBLOB_TRACE is called with a wrong pointer to display
the obfuscated data. Fixes #2115.
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
---
src/tss2-esys/esys_crypto.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/tss2-esys/esys_crypto.c b/src/tss2-esys/esys_crypto.c
index aef3e50b..a2b7b937 100644
--- a/src/tss2-esys/esys_crypto.c
+++ b/src/tss2-esys/esys_crypto.c
@@ -499,6 +499,7 @@ iesys_xor_parameter_obfuscation(TPM2_ALG_ID hash_alg,
size_t data_size_bits = data_size * 8;
size_t rest_size = data_size;
BYTE *kdfa_byte_ptr;
+ BYTE *data_start = data;
if (key == NULL || data == NULL) {
LOG_ERROR("Bad reference");
@@ -514,11 +515,11 @@ iesys_xor_parameter_obfuscation(TPM2_ALG_ID hash_alg,
return_if_error(r, "iesys_crypto_KDFa failed");
/* XOR next data sub block with KDFa result */
kdfa_byte_ptr = kdfa_result;
- LOGBLOB_TRACE(data, data_size, "Parameter data before XOR");
+ LOGBLOB_TRACE(data_start, data_size, "Parameter data before XOR");
for(size_t i = digest_size < rest_size ? digest_size : rest_size; i > 0;
i--)
*data++ ^= *kdfa_byte_ptr++;
- LOGBLOB_TRACE(data, data_size, "Parameter data after XOR");
+ LOGBLOB_TRACE(data_start, data_size, "Parameter data after XOR");
rest_size = rest_size < digest_size ? 0 : rest_size - digest_size;
}
return TSS2_RC_SUCCESS;
--
2.41.0

101
SOURCES/0004-FAPI-Fix-missing-parameter-encryption-for-policy-ses.patch
Unescape View File

@ -1,101 +0,0 @@
From 6bb79f17b89592909830f872dc47d09c0e5dadda Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Fri, 3 Mar 2023 11:17:43 +0100
Subject: [PATCH 04/10] FAPI: Fix missing parameter encryption for policy
sessions.
The parameter encryption for policy sessions was not enabled.
Now the parameter encryption is enabled and the auth value of
objects is added to the session key.
One exception is the cp hash policy. In this case the
the cp hash check forced by this policy would fail with an
encrypted parameter.
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-fapi/fapi_util.c | 28 ++++++++++++------------
src/tss2-fapi/ifapi_policy_execute.c | 5 +++++
src/tss2-fapi/ifapi_policyutil_execute.c | 4 ++++
3 files changed, 23 insertions(+), 14 deletions(-)
diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
index ded0d247..55ce3327 100644
--- a/src/tss2-fapi/fapi_util.c
+++ b/src/tss2-fapi/fapi_util.c
@@ -2110,21 +2110,20 @@ ifapi_authorize_object(FAPI_CONTEXT *context, IFAPI_OBJECT *object, ESYS_TR *ses
statecase(object->authorization_state, AUTH_INIT)
LOG_TRACE("**STATE** AUTH_INIT");
- if (!policy_digest_size(object)) {
- /* No policy used authorization callbacks have to be called if necessary. */
- if (object_with_auth(object)) {
- /* Check whether hierarchy was already authorized. */
- if (object->objectType != IFAPI_HIERARCHY_OBJ ||
- !object->misc.hierarchy.authorized) {
- char *description = NULL;
- r = ifapi_get_description(object, &description);
- return_if_error(r, "Get description");
-
- r = ifapi_set_auth(context, object, description);
- SAFE_FREE(description);
- return_if_error(r, "Set auth value");
- }
+ if (object_with_auth(object)) {
+ /* Check whether hierarchy was already authorized. */
+ if (object->objectType != IFAPI_HIERARCHY_OBJ ||
+ !object->misc.hierarchy.authorized) {
+ char *description = NULL;
+ r = ifapi_get_description(object, &description);
+ return_if_error(r, "Get description");
+
+ r = ifapi_set_auth(context, object, description);
+ SAFE_FREE(description);
+ return_if_error(r, "Set auth value");
}
+ }
+ if (!policy_digest_size(object)) {
/* No policy session needed current fapi session can be used */
if (context->session1 && context->session1 != ESYS_TR_NONE)
*session = context->session1;
@@ -2133,6 +2132,7 @@ ifapi_authorize_object(FAPI_CONTEXT *context, IFAPI_OBJECT *object, ESYS_TR *ses
*session = ESYS_TR_PASSWORD;
break;
}
+
/* Save current object to be authorized in context. */
context->current_auth_object = object;
r = ifapi_policyutil_execute_prepare(context, get_name_alg(context, object),
diff --git a/src/tss2-fapi/ifapi_policy_execute.c b/src/tss2-fapi/ifapi_policy_execute.c
index c2ce3301..0e7de316 100644
--- a/src/tss2-fapi/ifapi_policy_execute.c
+++ b/src/tss2-fapi/ifapi_policy_execute.c
@@ -1245,6 +1245,11 @@ execute_policy_cp_hash(
r = Esys_PolicyCpHash_Finish(esys_ctx);
try_again_or_error(r, "Execute PolicyCpHash_Finish.");
+ /* Disable encryption to enable check of cp hash defined in
+ policy cp. */
+ r = Esys_TRSess_SetAttributes(esys_ctx, current_policy->session,
+ 0, 0xff);
+
current_policy->state = POLICY_EXECUTE_INIT;
return r;
diff --git a/src/tss2-fapi/ifapi_policyutil_execute.c b/src/tss2-fapi/ifapi_policyutil_execute.c
index 997fb504..0e2823cb 100644
--- a/src/tss2-fapi/ifapi_policyutil_execute.c
+++ b/src/tss2-fapi/ifapi_policyutil_execute.c
@@ -119,6 +119,10 @@ create_session(
r = Esys_StartAuthSession_Finish(context->esys, session);
if (r != TSS2_RC_SUCCESS)
return r;
+
+ r = Esys_TRSess_SetAttributes(context->esys, *session,
+ TPMA_SESSION_ENCRYPT | TPMA_SESSION_DECRYPT,
+ 0xff);
context->policy.create_session_state = CREATE_SESSION_INIT;
break;
--
2.41.0

59
SOURCES/0005-FAPI-Fix-missing-parameter-encryption-for-some-HMAC-.patch
Unescape View File

@ -1,59 +0,0 @@
From c7cd976e7152e3f5aaa813aaebf4ab1e5d9b1f3e Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Sun, 5 Mar 2023 19:19:22 +0100
Subject: [PATCH 05/10] FAPI: Fix missing parameter encryption for some HMAC
sessions.
* For Fapi_CreateNv and Fap_NvSetBits the parameter encryption was not enabled.
* For Fapi_Unseal the response description was not enabled.
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-fapi/api/Fapi_CreateNv.c | 2 +-
src/tss2-fapi/api/Fapi_NvSetBits.c | 2 +-
src/tss2-fapi/fapi_util.c | 3 ++-
3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/tss2-fapi/api/Fapi_CreateNv.c b/src/tss2-fapi/api/Fapi_CreateNv.c
index 45e72e33..8160b99d 100644
--- a/src/tss2-fapi/api/Fapi_CreateNv.c
+++ b/src/tss2-fapi/api/Fapi_CreateNv.c
@@ -399,7 +399,7 @@ Fapi_CreateNv_Finish(
context->primary_state = PRIMARY_INIT;
r = ifapi_get_sessions_async(context,
IFAPI_SESSION_GENEK | IFAPI_SESSION1,
- 0, 0);
+ TPMA_SESSION_DECRYPT, 0);
goto_if_error_reset_state(r, "Create sessions", error_cleanup);
fallthrough;
diff --git a/src/tss2-fapi/api/Fapi_NvSetBits.c b/src/tss2-fapi/api/Fapi_NvSetBits.c
index 0615aa12..adf332e0 100644
--- a/src/tss2-fapi/api/Fapi_NvSetBits.c
+++ b/src/tss2-fapi/api/Fapi_NvSetBits.c
@@ -282,7 +282,7 @@ Fapi_NvSetBits_Finish(
/* Prepare session for authorization */
r = ifapi_get_sessions_async(context,
IFAPI_SESSION_GENEK | IFAPI_SESSION1,
- 0, 0);
+ TPMA_SESSION_DECRYPT, 0);
goto_if_error_reset_state(r, "Create sessions", error_cleanup);
fallthrough;
diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
index 55ce3327..ef4a92d0 100644
--- a/src/tss2-fapi/fapi_util.c
+++ b/src/tss2-fapi/fapi_util.c
@@ -2743,7 +2743,8 @@ ifapi_load_key(
/* Prepare the session creation. */
r = ifapi_get_sessions_async(context,
IFAPI_SESSION_GENEK | IFAPI_SESSION1,
- TPMA_SESSION_DECRYPT, 0);
+ TPMA_SESSION_DECRYPT | TPMA_SESSION_ENCRYPT,
+ 0);
goto_if_error_reset_state(r, "Create sessions", error_cleanup);
fallthrough;
--
2.41.0

61
SOURCES/0006-FAPI-Fix-usage-of-persistent-handles.patch
Unescape View File

@ -1,61 +0,0 @@
From db8ccb1df778dc92d1be88a88ddcd9d6c92c3e63 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Mon, 3 Apr 2023 21:21:55 +0200
Subject: [PATCH 06/10] FAPI: Fix usage of persistent handles.
* Evict control for persistent keys created with Fapi_CreateKey was
called with the wrong handle.
* If Fapi_Quote was executed with a primary key for this key flush
context was called.
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-fapi/api/Fapi_Quote.c | 14 +++++++++-----
src/tss2-fapi/fapi_util.c | 1 +
2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/src/tss2-fapi/api/Fapi_Quote.c b/src/tss2-fapi/api/Fapi_Quote.c
index b71267a7..61e4e3db 100644
--- a/src/tss2-fapi/api/Fapi_Quote.c
+++ b/src/tss2-fapi/api/Fapi_Quote.c
@@ -392,16 +392,20 @@ Fapi_Quote_Finish(
goto_if_error(r, "Error: PCR_Quote", error_cleanup);
/* Flush the key used for the quote. */
- r = Esys_FlushContext_Async(context->esys, command->handle);
- goto_if_error(r, "Error: FlushContext", error_cleanup);
+ if (!command->key_object->misc.key.persistent_handle) {
+ r = Esys_FlushContext_Async(context->esys, command->handle);
+ goto_if_error(r, "Error: FlushContext", error_cleanup);
+ }
command->handle = ESYS_TR_NONE;
fallthrough;
statecase(context->state, PCR_QUOTE_WAIT_FOR_FLUSH);
- r = Esys_FlushContext_Finish(context->esys);
- return_try_again(r);
- goto_if_error(r, "Error: Sign", error_cleanup);
+ if (!command->key_object->misc.key.persistent_handle) {
+ r = Esys_FlushContext_Finish(context->esys);
+ return_try_again(r);
+ goto_if_error(r, "Error: Sign", error_cleanup);
+ }
sig_key_object = command->key_object;
/* Convert the TPM-encoded signature into something useful for the caller. */
diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
index ef4a92d0..49f7dd07 100644
--- a/src/tss2-fapi/fapi_util.c
+++ b/src/tss2-fapi/fapi_util.c
@@ -4746,6 +4746,7 @@ ifapi_create_primary(
statecase(context->cmd.Key_Create.state, KEY_CREATE_PRIMARY_WAIT_FOR_AUTHORIZE2);
if (template->persistent_handle) {
+ object->misc.key.persistent_handle = template->persistent_handle;
r = ifapi_authorize_object(context, hierarchy, &auth_session);
FAPI_SYNC(r, "Authorize hierarchy.", error_cleanup);
--
2.41.0

62
SOURCES/0007-build-Fix-failed-build-with-disable-vendor.patch
Unescape View File

@ -1,62 +0,0 @@
From e46840f3ec5932f3f9206f3eab903d82b7a977db Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Mon, 27 Feb 2023 18:00:54 +0100
Subject: [PATCH 07/10] build: Fix failed build with --disable-vendor
The compilation of the marshaling functions for TPML_INTEL_PTT_PROPERTY
is now disabled for builds with --disable-vendor.
Fixes: #2571
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
include/tss2/tss2_tpm2_types.h | 2 ++
src/tss2-mu/tpml-types.c | 2 ++
tss2-dlopen/tss2-dlopen-mu.c | 2 ++
3 files changed, 6 insertions(+)
diff --git a/include/tss2/tss2_tpm2_types.h b/include/tss2/tss2_tpm2_types.h
index 96286fb7..39a6978c 100644
--- a/include/tss2/tss2_tpm2_types.h
+++ b/include/tss2/tss2_tpm2_types.h
@@ -63,7 +63,9 @@
#define TPM2_PRIVATE_VENDOR_SPECIFIC_BYTES ((TPM2_MAX_RSA_KEY_BYTES / 2) * (3 + 2))
/* Vendor Specific Defines */
+#ifndef DISABLE_VENDOR
#define TPM2_MAX_PTT_PROPERTIES (TPM2_MAX_CAP_BUFFER / sizeof(UINT32))
+#endif
/* Attached Component Capabilities */
#define TPM2_MAX_AC_CAPABILITIES (TPM2_MAX_CAP_BUFFER / sizeof(TPMS_AC_OUTPUT))
diff --git a/src/tss2-mu/tpml-types.c b/src/tss2-mu/tpml-types.c
index 60f85a8c..1df9bbb8 100644
--- a/src/tss2-mu/tpml-types.c
+++ b/src/tss2-mu/tpml-types.c
@@ -175,8 +175,10 @@ TPML_MARSHAL(TPML_PCR_SELECTION, Tss2_MU_TPMS_PCR_SELECTION_Marshal, pcrSelectio
TPML_UNMARSHAL(TPML_PCR_SELECTION, Tss2_MU_TPMS_PCR_SELECTION_Unmarshal, pcrSelections)
TPML_MARSHAL(TPML_DIGEST_VALUES, Tss2_MU_TPMT_HA_Marshal, digests, ADDR)
TPML_UNMARSHAL(TPML_DIGEST_VALUES, Tss2_MU_TPMT_HA_Unmarshal, digests)
+#ifndef DISABLE_VENDOR
TPML_MARSHAL(TPML_INTEL_PTT_PROPERTY, Tss2_MU_UINT32_Marshal, property, VAL)
TPML_UNMARSHAL(TPML_INTEL_PTT_PROPERTY, Tss2_MU_UINT32_Unmarshal, property)
+#endif
TPML_MARSHAL(TPML_AC_CAPABILITIES, Tss2_MU_TPMS_AC_OUTPUT_Marshal, acCapabilities, ADDR)
TPML_UNMARSHAL(TPML_AC_CAPABILITIES, Tss2_MU_TPMS_AC_OUTPUT_Unmarshal, acCapabilities)
TPML_MARSHAL(TPML_TAGGED_POLICY, Tss2_MU_TPMS_TAGGED_POLICY_Marshal, policies, ADDR)
diff --git a/tss2-dlopen/tss2-dlopen-mu.c b/tss2-dlopen/tss2-dlopen-mu.c
index 2297818b..21cd1123 100644
--- a/tss2-dlopen/tss2-dlopen-mu.c
+++ b/tss2-dlopen/tss2-dlopen-mu.c
@@ -254,7 +254,9 @@ MAKE_MU_STRUCT(TPML_ALG_PROPERTY);
MAKE_MU_STRUCT(TPML_ECC_CURVE);
MAKE_MU_STRUCT(TPML_TAGGED_PCR_PROPERTY);
MAKE_MU_STRUCT(TPML_TAGGED_TPM_PROPERTY);
+#ifndef DISABLE_VENDOR
MAKE_MU_STRUCT(TPML_INTEL_PTT_PROPERTY);
+#endif
MAKE_MU_STRUCT(TPML_AC_CAPABILITIES);
MAKE_MU_STRUCT(TPML_TAGGED_POLICY);
MAKE_MU_STRUCT(TPML_ACT_DATA);
--
2.41.0

35
SOURCES/0008-FAPI-Fapi_GetInfo-display-warning-for-SHA3-hash-algs.patch
Unescape View File

@ -1,35 +0,0 @@
From acb274ee0c59d6159b66e2df08aaf410e179f5f9 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Mon, 10 Apr 2023 20:20:24 +0200
Subject: [PATCH 08/10] FAPI: Fapi_GetInfo display warning for SHA3 hash algs.
Currenlty FAPI_GetInfo did produce errors if the TPM implements
SHA3 hash algs. Now a warning is displayed.
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-fapi/tpm_json_serialize.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/tss2-fapi/tpm_json_serialize.c b/src/tss2-fapi/tpm_json_serialize.c
index 1eaa4eb2..65320da6 100644
--- a/src/tss2-fapi/tpm_json_serialize.c
+++ b/src/tss2-fapi/tpm_json_serialize.c
@@ -1558,6 +1558,14 @@ ifapi_json_TPMS_ALG_PROPERTY_serialize(const TPMS_ALG_PROPERTY *in, json_object
return_if_null(in, "Bad reference.", TSS2_FAPI_RC_BAD_REFERENCE);
TSS2_RC r;
+
+ if ((in->alg == TPM2_ALG_SHA3_256 ||
+ in->alg == TPM2_ALG_SHA3_384 ||
+ in->alg == TPM2_ALG_SHA3_512)) {
+ LOG_WARNING("SHA3 hash algs are not supported by TSS");
+ return TSS2_RC_SUCCESS;
+ }
+
json_object *jso2;
if (*jso == NULL)
*jso = json_object_new_object ();
--
2.41.0

39
SOURCES/0009-FAPI-Skip-provisioning-test-for-nv-ext-and-profile-p.patch
Unescape View File

@ -1,39 +0,0 @@
From e43323dd5c089ed6af0a6a77b30f97350e1fbb6a Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Sun, 9 Apr 2023 08:38:56 +0200
Subject: [PATCH 09/10] FAPI: Skip provisioning test for nv ext and profile
paths.
The provisioning test in ifapi_check_provisioned will be skipped
for ext nv and profile paths. The test did produce inappropriate
error messages if the corresponding paths did not exist in keystore.
The test is only needed for pathnames starting with the profile.
Fixes: #2596
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-fapi/ifapi_keystore.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/tss2-fapi/ifapi_keystore.c b/src/tss2-fapi/ifapi_keystore.c
index 7e50ee1e..38c2f7fd 100644
--- a/src/tss2-fapi/ifapi_keystore.c
+++ b/src/tss2-fapi/ifapi_keystore.c
@@ -1772,6 +1772,14 @@ ifapi_check_provisioned(
*ok = false;
+ /* No profile in path, test can be skipped. */
+ if (ifapi_path_type_p(rel_path, IFAPI_NV_PATH) ||
+ ifapi_path_type_p(rel_path, IFAPI_POLICY_PATH) ||
+ ifapi_path_type_p(rel_path, IFAPI_EXT_PATH)) {
+ *ok = true;
+ return TSS2_RC_SUCCESS;
+ }
+
/* First expand path in user directory */
r = expand_path(keystore, rel_path, &directory);
goto_if_error(r, "Expand path", cleanup);
--
2.41.0

30
SOURCES/0010-FAPI-Fix-wrong-allocation-of-pcr-policy.patch
Unescape View File

@ -1,30 +0,0 @@
From 12519626a221f0e4c20e66ec101429fc0f321c6f Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Fri, 12 May 2023 09:30:53 +0200
Subject: [PATCH 10/10] FAPI: Fix wrong allocation of pcr policy.
The list of pcr registers was was allocated with the wrong size in the
function copy_policy_element which caused a segfault if more than one
pcr was used.
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-fapi/ifapi_helpers.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tss2-fapi/ifapi_helpers.c b/src/tss2-fapi/ifapi_helpers.c
index e1c4220b..5c574717 100644
--- a/src/tss2-fapi/ifapi_helpers.c
+++ b/src/tss2-fapi/ifapi_helpers.c
@@ -1343,7 +1343,7 @@ copy_policy_element(const TPMT_POLICYELEMENT *from_policy, TPMT_POLICYELEMENT *t
case POLICYPCR:
to_policy->element.PolicyPCR.pcrs =
calloc(1, sizeof(TPML_PCRVALUES) +
- from_policy->element.PolicyPCR.pcrs->count + sizeof(TPMS_PCRVALUE));
+ from_policy->element.PolicyPCR.pcrs->count * sizeof(TPMS_PCRVALUE));
goto_if_null2(to_policy->element.PolicyPCR.pcrs, "Out of memory.",
r, TSS2_FAPI_RC_MEMORY, error);
to_policy->element.PolicyPCR.pcrs->count
--
2.41.0

15
SOURCES/tpm2-tss-3.0.0-doxygen.patch
Unescape View File

@ -1,15 +0,0 @@
diff -up tpm2-tss-3.0.0/Doxyfile.in.me tpm2-tss-3.0.0/Doxyfile.in
--- tpm2-tss-3.0.0/Doxyfile.in.me 2020-09-15 20:24:26.463314644 +0200
+++ tpm2-tss-3.0.0/Doxyfile.in 2020-09-15 20:26:29.010866650 +0200
@@ -947,7 +947,10 @@ EXCLUDE_PATTERNS =
# Note that the wildcards are matched against the file with absolute path, so to
# exclude all test directories use the pattern */test/*
-EXCLUDE_SYMBOLS = *_IN IESYS_CMD_IN_PARAM
+EXCLUDE_SYMBOLS = StartAuthSession_IN CreatePrimary_IN ContextSave_IN ContextLoad_IN \
+ Load_IN LoadExternal_IN CreateLoaded_IN EvictControl_IN HMAC_Start_IN \
+ HierarchyChangeAuth_IN SequenceComplete_IN Policy_IN NV_IN FlushContext_IN \
+ IESYS_CMD_IN_PARAM
# The EXAMPLE_PATH tag can be used to specify one or more files or directories
# that contain example code fragments that are included (see the \include

2
SOURCES/tpm2-tss-systemd-sysusers.conf
Unescape View File

@ -1,2 +0,0 @@
#Type Name ID GECOS Home directory Shell
u tss 59 "Account used for TPM access" - -

255
SPECS/tpm2-tss.spec
Unescape View File

@ -1,41 +1,48 @@
Name: tpm2-tss Name: tpm2-tss
Version: 3.2.2 Version: 2.3.2
Release: 2%{?dist} Release: 5%{?dist}
Summary: TPM2.0 Software Stack Summary: TPM2.0 Software Stack
# The entire source code is under BSD except implementation.h and tpmb.h which
# is under TCGL(Trusted Computing Group License).
License: BSD License: BSD
URL: https://github.com/tpm2-software/tpm2-tss URL: https://github.com/tpm2-software/tpm2-tss
Source0: https://github.com/tpm2-software/tpm2-tss/releases/download/%{version}/%{name}-%{version}.tar.gz Source0: https://github.com/tpm2-software/tpm2-tss/releases/download/%{version}/%{name}-%{version}.tar.gz
Source1: tpm2-tss-systemd-sysusers.conf # patch submitted upstream https://github.com/tpm2-software/tpm2-tss/pull/1707
# doxygen patch Patch0: 0001-man-Clean-up-libmandoc-parser-warnings.patch
Patch0: tpm2-tss-3.0.0-doxygen.patch # Upstream patches
Patch2: 0001-esys_iutil-fix-possible-NPD.patch Patch1: 0001-esys-Check-object-handle-node-before-calling-compute.patch
Patch3: 0001-tss2-rc-fix-unknown-layer-handler-dropping-bits.patch Patch2: 0001-build-update-exported-symbols-map-for-libtss2-mu.patch
Patch4: 0002-MU-Fix-unneeded-size-check-in-TPM2B-unmarshaling.patch Patch3: 0001-esys-fix-Esys_StartAuthSession-called-with-optional-.patch
Patch5: 0003-FAPI-Fix-parameter-encryption-for-provisioning.patch Patch4: 0001-esys-fixup-compute_encrypted_salt-err-handling-in-Es.patch
Patch6: 0004-FAPI-Fix-missing-parameter-encryption-for-policy-ses.patch Patch5: 0001-esys-zero-out-ctx-salt-after-on-startAuthSession_fin.patch
Patch7: 0005-FAPI-Fix-missing-parameter-encryption-for-some-HMAC-.patch Patch6: 0001-mu-Remove-use-of-VLAs-for-Marshalling-TPML-types.patch
Patch8: 0006-FAPI-Fix-usage-of-persistent-handles.patch Patch7: 0001-esys_iutil-use-memcmp-in-byte-array-comparison.patch
Patch11: 0007-build-Fix-failed-build-with-disable-vendor.patch Patch8: 0001-tcti-device-getPollHandles-should-allow-num_handles-.patch
Patch12: 0008-FAPI-Fapi_GetInfo-display-warning-for-SHA3-hash-algs.patch Patch9: 0001-tctildr-fix-segmentation-fault-if-name_conf-is-too-b.patch
Patch13: 0009-FAPI-Skip-provisioning-test-for-nv-ext-and-profile-p.patch Patch10: 0001-esys-fix-keysize-of-ECC-curve-TPM2_ECC_NISTP224.patch
Patch14: 0010-FAPI-Fix-wrong-allocation-of-pcr-policy.patch Patch11: 0001-Esys_CreateLoaded-fix-resource-name-calculation.patch
Patch12: 0001-sys-match-counter-variable-type-for-cmdAuthsArray-co.patch
Patch13: 0001-Return-proper-error-code-on-memory-allocation-failur.patch
Patch14: 0001-esys-fix-hmac-calculation-for-tpm2_clear-command.patch
Patch15: 0001-tctildr-remove-the-private-implementation-of-strndup.patch
Patch16: 0001-tss2_rc-ensure-layer-number-is-in-bounds.patch
Patch17: 0001-ESYS-Fix-initialization-of-app-data-in-Esys_Initiali.patch
Patch18: 0002-esys-Shared-secret-calculation-is-not-spec-compliant.patch
Patch19: 0003-esys_iutil.c-Fix-issue-where-nonceTPM-was-included-t.patch
Patch20: 0004-ESYS-Fix-buffer-overflow-in-xor-parameter-obfuscatio.patch
%global udevrules_prefix 60- %global udevrules_prefix 60-
BuildRequires: make
BuildRequires: autoconf-archive
BuildRequires: doxygen
BuildRequires: gcc BuildRequires: gcc
BuildRequires: gcc-c++ BuildRequires: gcc-c++
BuildRequires: json-c-devel BuildRequires: doxygen
BuildRequires: libcurl-devel BuildRequires: autoconf-archive
BuildRequires: libgcrypt-devel
BuildRequires: libtool BuildRequires: libtool
BuildRequires: openssl-devel
BuildRequires: pkgconfig BuildRequires: pkgconfig
BuildRequires: systemd BuildRequires: systemd
BuildRequires: systemd-rpm-macros BuildRequires: libgcrypt-devel
BuildRequires: openssl-devel
Requires(pre): shadow-utils Requires(pre): shadow-utils
%description %description
@ -48,10 +55,7 @@ APIs for applications to access TPM module through kernel TPM drivers.
%build %build
# Use built-in tpm-udev.rules, with specified installation path and prefix. # Use built-in tpm-udev.rules, with specified installation path and prefix.
%configure --disable-static --disable-silent-rules \ %configure --disable-static --disable-silent-rules --with-udevrulesdir=%{_udevrulesdir} --with-udevrulesprefix=%{udevrules_prefix}
--disable-tcti-pcap --disable-tcti-libtpms \
--with-udevrulesdir=%{_udevrulesdir} --with-udevrulesprefix=%{udevrules_prefix} \
--with-runstatedir=%{_rundir} --with-tmpfilesdir=%{_tmpfilesdir} --with-sysusersdir=%{_sysusersdir}
# This is to fix Rpath errors. Taken from https://fedoraproject.org/wiki/Packaging:Guidelines#Removing_Rpath # This is to fix Rpath errors. Taken from https://fedoraproject.org/wiki/Packaging:Guidelines#Removing_Rpath
sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
@ -62,33 +66,31 @@ sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
%install %install
%make_install %make_install
find %{buildroot}%{_libdir} -type f -name \*.la -delete find %{buildroot}%{_libdir} -type f -name \*.la -delete
rm %{buildroot}%{_sysusersdir}/tpm2-tss.conf
install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/tpm2-tss.conf
%pre %pre
%sysusers_create_compat %{SOURCE1} getent group tss >/dev/null || groupadd -f -g 59 -r tss
if ! getent passwd tss >/dev/null ; then
if ! getent passwd 59 >/dev/null ; then
useradd -r -u 59 -g tss -d /dev/null -s /sbin/nologin -c "Account used for TPM access" tss
else
useradd -r -g tss -d /dev/null -s /sbin/nologin -c "Account used for TPM access" tss
fi
fi
exit 0 exit 0
%ldconfig_scriptlets
%files %files
%doc README.md CHANGELOG.md %doc README.md CHANGELOG.md
%license LICENSE %license LICENSE
%{_sysconfdir}/tpm2-tss/ %{_libdir}/libtss2-mu.so.*
%{_libdir}/libtss2-mu.so.0* %{_libdir}/libtss2-sys.so.*
%{_libdir}/libtss2-sys.so.1* %{_libdir}/libtss2-esys.so.*
%{_libdir}/libtss2-esys.so.0* %{_libdir}/libtss2-rc.so.*
%{_libdir}/libtss2-fapi.so.1* %{_libdir}/libtss2-tctildr.so.*
%{_libdir}/libtss2-rc.so.0* %{_libdir}/libtss2-tcti-device.so.*
%{_libdir}/libtss2-tctildr.so.0* %{_libdir}/libtss2-tcti-mssim.so.*
%{_libdir}/libtss2-tcti-cmd.so.0*
%{_libdir}/libtss2-tcti-device.so.0*
%{_libdir}/libtss2-tcti-mssim.so.0*
%{_libdir}/libtss2-tcti-swtpm.so.0*
%{_sysusersdir}/tpm2-tss.conf
%{_tmpfilesdir}/tpm2-tss-fapi.conf
%{_udevrulesdir}/%{udevrules_prefix}tpm-udev.rules %{_udevrulesdir}/%{udevrules_prefix}tpm-udev.rules
%package devel %package devel
Summary: Headers and libraries for building apps that use tpm2-tss Summary: Headers and libraries for building apps that use tpm2-tss
Requires: %{name}%{_isa} = %{version}-%{release} Requires: %{name}%{_isa} = %{version}-%{release}
@ -102,144 +104,67 @@ use tpm2-tss.
%{_libdir}/libtss2-mu.so %{_libdir}/libtss2-mu.so
%{_libdir}/libtss2-sys.so %{_libdir}/libtss2-sys.so
%{_libdir}/libtss2-esys.so %{_libdir}/libtss2-esys.so
%{_libdir}/libtss2-fapi.so
%{_libdir}/libtss2-rc.so %{_libdir}/libtss2-rc.so
%{_libdir}/libtss2-tctildr.so %{_libdir}/libtss2-tctildr.so
%{_libdir}/libtss2-tcti-cmd.so %{_libdir}/libtss2-tcti-default.so
%{_libdir}/libtss2-tcti-device.so %{_libdir}/libtss2-tcti-device.so
%{_libdir}/libtss2-tcti-mssim.so %{_libdir}/libtss2-tcti-mssim.so
%{_libdir}/libtss2-tcti-swtpm.so
%{_libdir}/pkgconfig/tss2-mu.pc %{_libdir}/pkgconfig/tss2-mu.pc
%{_libdir}/pkgconfig/tss2-sys.pc %{_libdir}/pkgconfig/tss2-sys.pc
%{_libdir}/pkgconfig/tss2-esys.pc %{_libdir}/pkgconfig/tss2-esys.pc
%{_libdir}/pkgconfig/tss2-fapi.pc
%{_libdir}/pkgconfig/tss2-rc.pc %{_libdir}/pkgconfig/tss2-rc.pc
%{_libdir}/pkgconfig/tss2-tctildr.pc %{_libdir}/pkgconfig/tss2-tctildr.pc
%{_libdir}/pkgconfig/tss2-tcti-cmd.pc
%{_libdir}/pkgconfig/tss2-tcti-device.pc %{_libdir}/pkgconfig/tss2-tcti-device.pc
%{_libdir}/pkgconfig/tss2-tcti-mssim.pc %{_libdir}/pkgconfig/tss2-tcti-mssim.pc
%{_libdir}/pkgconfig/tss2-tcti-swtpm.pc
%{_mandir}/man3/*.3.gz %{_mandir}/man3/*.3.gz
%{_mandir}/man5/*.5.gz
%{_mandir}/man7/tss2*.7.gz %{_mandir}/man7/tss2*.7.gz
%post -p /sbin/ldconfig
%changelog %postun -p /sbin/ldconfig
* Mon Jul 3 2023 Štěpán Horáček <shoracek@redhat.com> - 3.2.2-2
- Remove misapplied license
Resolves: rhbz#2160307
* Fri Jun 23 2023 Štěpán Horáček <shoracek@redhat.com> - 3.2.2-1
- Rebase to 3.2.2
- Use systemd-sysusers to create user
Resolves: CVE-2023-22745
Resolves: rhbz#2095479
Resolves: rhbz#2160307
Resolves: rhbz#2162613
* Wed Aug 10 2022 Štěpán Horáček <shoracek@redhat.com> - 3.0.3-8
- Fix memory leaks, potential crashes, upgrade to OpenSSL 3
Resolves: rhbz#2041919
* Thu Feb 17 2022 Štěpán Horáček <shoracek@redhat.com> - 3.0.3-7
- Rebuild with latest json-c library
Related: rhbz#2023328
* Wed Aug 18 2021 Štěpán Horáček <shoracek@redhat.com> - 3.0.3-6
- Fix failures while using OpenSSL 3
Resolves: rhbz#1984634
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.3-5
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.3-4
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.3-3
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Thu Nov 26 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 3.0.3-1
- Update to 3.0.2
* Sun Nov 22 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 3.0.2-1
- Update to 3.0.2
* Wed Sep 23 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 3.0.1-1
- Update to 3.0.1
* Tue Sep 15 2020 Than Ngo <than@redhat.com> - 3.0.0-4 %changelog
- Fix doxygen crash * Wed Jun 7 2023 Štěpán Horáček <shoracek@redhat.com> - 2.3.2-5
- Ensure layer number is in bounds
* Tue Sep 15 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 3.0.0-3 Resolves: rhbz#2160302
- Create tss user, if it doesn't exist, for userspace TPM access Resolves: rhbz#2162611
* Fri Aug 07 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 3.0.0-2 * Tue Apr 20 2021 Jerry Snitselaar <jsnitsel@redhat.com> - 2.3.2-4
- Install sysusers config in sysusersdir (rhbz #1834519) - Fix hmac calculation for tpm2_clear command.
- Remove private implementation of strndup.
* Wed Aug 05 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 3.0.0-1 resolves: rhbz#1920825 rhbz#1940861
- Update to 3.0.0
* Mon Nov 16 2020 Jerry Snitselaar <jsnitsel@redhat.com> - 2.3.2-3
* Wed Aug 05 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 2.4.2-1 - Add tss user if doesn't exist.
- Update to 2.4.2 - Update exported symbols map for libtss2-mu
- esys: Check object handle node before calling compute_session_value
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.1-2 - esys: fix resource name calculation
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - esys: fix Esys_StartAuthSession called with optional params
- esys: fix keysize of ECC curve TPM2_ECC_NISTP224
* Thu May 14 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 2.4.1-1 - esys: fixup compute_encrypted_salt error handling
- Update to 2.4.1 - esys: use memcmp in byte array comparison
- esys: zero out ctx->salt after startAuthSession_finish
* Fri May 08 2020 Paul Wouters <pwouters@redhat.com> - 2.4.0-3 - mu: Remove use of VLAs for Marshalling TPML types
- Use proper rundir and tmpfiles macros so proper directories are used - return proper error code on memory allocation failure
- sys: match counter variable type for cmdAuthsArray->count
* Tue Apr 21 2020 Björn Esser <besser82@fedoraproject.org> - 2.4.0-2 - tcti-device: getPollHandles should allow num_handles query
- Rebuild (json-c) - tctildr: fix segmentation fault if name_conf is too big
resolves: rhbz#1879071 rhbz#1855180
* Thu Mar 12 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 2.4.0-1
- Update to 2.4.0 release * Mon Apr 27 2020 Jerry Snitselaar <jsnitsel@redhat.com> - 2.3.2-2
- Clean up libmandoc parser errors.
* Mon Feb 24 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 2.3.3-1 resolves: rhbz#1789684
- Update to 2.3.3 release
* Thu Feb 20 2020 Jerry Snitselaar <jsnitsel@redhat.com> - 2.3.2-1
* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Dec 13 2019 Yunying Sun <yunying.sun@intel.com> - 2.3.2-1
- Update to 2.3.2 release - Update to 2.3.2 release
resolves: rhbz#1789684
* Fri Sep 6 2019 Yunying Sun <yunying.sun@intel.com> - 2.3.1-1 * Tue May 28 2019 Jerry Snitselaar <jsnitsel@redhat.com> - 2.0.0-5
- Update to 2.3.1 release - Add CI gating support
resolves: rhbz#1682418
* Thu Aug 15 2019 Yunying Sun <yunying.sun@intel.com> - 2.3.0-1
- Update to 2.3.0 release
* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Wed May 29 2019 Yunying Sun <yunying.sun@intel.com> - 2.2.3-1
- Update to 2.2.3 release
* Fri Mar 29 2019 Yunying Sun <yunying.sun@intel.com> - 2.2.2-1
- Update to 2.2.2 release
* Mon Mar 4 2019 Peter Robinson <pbrobinson@fedoraproject.org> 2.2.1-1
- Update to 2.2.1 release
* Wed Feb 06 2019 Javier Martinez Canillas <javierm@redhat.com> - 2.2.0-1
- Update to 2.2.0 release
* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Wed Oct 10 2018 Yunying Sun <yunying.sun@intel.com> - 2.1.0-1
- Update to 2.1.0 release
* Thu Aug 30 2018 Yunying Sun <yunying.sun@intel.com> - 2.0.1-1 * Mon Jul 23 2018 Jerry Snitselaar <jsnitsel@redhat.com> - 2.0.0-4
- Update to 2.0.1 release - Remove TCGL from spec license list.
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.0-3 * Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

Write Preview
Loading…
Cancel
Save