From 79ee77ae833581405759ddfc345b6a866c5e8198 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Thu, 24 Feb 2022 22:02:34 +0100 Subject: [PATCH] Fix previous change for loading libtss2* Resolves: #2057490 Signed-off-by: Daiki Ueno --- gnutls-3.7.3-libtss2-dlopen.patch | 576 +++++++++++++++--------------- gnutls.spec | 5 +- 2 files changed, 285 insertions(+), 296 deletions(-) diff --git a/gnutls-3.7.3-libtss2-dlopen.patch b/gnutls-3.7.3-libtss2-dlopen.patch index 49fe740..702f11d 100644 --- a/gnutls-3.7.3-libtss2-dlopen.patch +++ b/gnutls-3.7.3-libtss2-dlopen.patch @@ -1,4 +1,4 @@ -From 1719288f7e57d6b9593ef0c01fdcf7ac304c099f Mon Sep 17 00:00:00 2001 +From 958bd910fa4693d47b2507679267e9d3b4101096 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Wed, 23 Feb 2022 19:48:52 +0100 Subject: [PATCH] tpm2: dynamically load tss2 libraries as needed @@ -10,15 +10,19 @@ multiple crypto libraries. Signed-off-by: Daiki Ueno --- - configure.ac | 12 +- - lib/Makefile.am | 6 +- - lib/tpm2.c | 2 +- - lib/tpm2.h | 2 +- - lib/tpm2_esys.c | 330 ++++++++++++++++++++++++++++++++++++++++++------ - 5 files changed, 303 insertions(+), 49 deletions(-) + configure.ac | 11 ++- + lib/Makefile.am | 6 +- + lib/tpm2.c | 2 +- + lib/tpm2.h | 2 +- + lib/tpm2_esys.c | 205 ++++++++++++++++++++++++++++++++++---------- + tests/Makefile.am | 3 +- + tests/sanity-lib.sh | 36 ++++++++ + tests/tpm2.sh | 14 ++- + 8 files changed, 224 insertions(+), 55 deletions(-) + create mode 100644 tests/sanity-lib.sh diff --git a/configure.ac b/configure.ac -index 53c3aefca1..be51b376a6 100644 +index 53c3aefca1..721ff208f0 100644 --- a/configure.ac +++ b/configure.ac @@ -882,6 +882,8 @@ AM_CONDITIONAL(P11KIT_0_23_11_API, $PKG_CONFIG --atleast-version=0.23.11 p11-kit @@ -30,11 +34,7 @@ index 53c3aefca1..be51b376a6 100644 AC_ARG_WITH(tpm2, AS_HELP_STRING([--without-tpm2], [Disable TPM2 support.]), -@@ -889,9 +891,11 @@ AC_ARG_WITH(tpm2, - if test "$with_tpm2" != "no"; then - PKG_CHECK_MODULES(TSS2, [tss2-esys tss2-mu tss2-tctildr], - [have_tpm2=yes], [have_tpm2=no]) -+ PKG_CHECK_EXISTS([tss2-esys], , [have_tpm2=no]) +@@ -892,6 +894,7 @@ if test "$with_tpm2" != "no"; then if test "$have_tpm2" = "yes"; then tss2lib="tss2-esys tss2-mu tss2-tctildr" AC_DEFINE([HAVE_TSS2], 1, [Have TSS2]) @@ -42,7 +42,7 @@ index 53c3aefca1..be51b376a6 100644 elif test "$with_tpm2" = "yes"; then AC_MSG_ERROR([[ *** -@@ -920,7 +924,8 @@ if test "$with_tpm" != "no"; then +@@ -920,7 +923,8 @@ if test "$with_tpm" != "no"; then AC_SUBST([TSS_LIBS], [-ltspi]) AC_SUBST([TSS_CFLAGS], []) AC_DEFINE([HAVE_TROUSERS], 1, [Enable TPM]) @@ -52,7 +52,7 @@ index 53c3aefca1..be51b376a6 100644 [AC_MSG_RESULT(no) AC_MSG_WARN([[ *** -@@ -957,6 +962,9 @@ fi +@@ -957,6 +961,9 @@ fi AC_DEFINE_UNQUOTED([TROUSERS_LIB], ["$ac_trousers_lib"], [the location of the trousers library]) AC_SUBST(TROUSERS_LIB) @@ -62,7 +62,7 @@ index 53c3aefca1..be51b376a6 100644 # For minitasn1. AC_CHECK_SIZEOF(unsigned long int, 4) AC_CHECK_SIZEOF(unsigned int, 4) -@@ -1312,7 +1320,7 @@ AC_MSG_NOTICE([External hardware support: +@@ -1312,7 +1319,7 @@ AC_MSG_NOTICE([External hardware support: Random gen. variant: $rnd_variant PKCS#11 support: $with_p11_kit TPM support: $with_tpm @@ -127,10 +127,10 @@ index e40dc01df7..7966e2d811 100644 void release_tpm2_ctx(struct tpm2_info_st *info); diff --git a/lib/tpm2_esys.c b/lib/tpm2_esys.c -index 93e54413ba..e1a54f12a1 100644 +index 93e54413ba..584e384d2b 100644 --- a/lib/tpm2_esys.c +++ b/lib/tpm2_esys.c -@@ -72,6 +72,217 @@ +@@ -72,6 +72,102 @@ #include #include @@ -140,215 +140,100 @@ index 93e54413ba..e1a54f12a1 100644 + * crypto libraries. Instead, only dlopen it as needed. + */ + ++#if !((defined __GNUC__ && 2 <= __GNUC__) || \ ++ (defined __clang_major__ && 4 <= __clang_major__)) ++# error "typeof compiler keyword is needed for TPM2 support" ++#endif ++ +static void *_gnutls_tss2_esys_dlhandle; +static void *_gnutls_tss2_mu_dlhandle; +static void *_gnutls_tss2_tctildr_dlhandle; + -+#define DEFINE_TSS2_FUNC(sys, ret, func, args, argscall) \ -+ typedef ret(*_gnutls_tss2_##sys##_PTR_##func) args; \ -+ static _gnutls_tss2_##sys##_PTR_##func _g_##func = 0; \ -+ static inline ret _gnutls_tss2_##sys##_##func args \ -+ { \ -+ if (unlikely(!_g_##func)) { \ -+ _g_##func = dlsym(_gnutls_tss2_##sys##_dlhandle,\ -+ #func); \ -+ } \ -+ return _g_##func argscall; \ ++static typeof(Esys_GetCapability) (*_gnutls_tss2_Esys_GetCapability); ++static typeof(Esys_Free) (*_gnutls_tss2_Esys_Free); ++static typeof(Esys_TR_SetAuth) (*_gnutls_tss2_Esys_TR_SetAuth); ++static typeof(Esys_CreatePrimary) (*_gnutls_tss2_Esys_CreatePrimary); ++static typeof(Esys_Initialize) (*_gnutls_tss2_Esys_Initialize); ++static typeof(Esys_Startup) (*_gnutls_tss2_Esys_Startup); ++static typeof(Esys_TR_FromTPMPublic) (*_gnutls_tss2_Esys_TR_FromTPMPublic); ++static typeof(Esys_ReadPublic) (*_gnutls_tss2_Esys_ReadPublic); ++static typeof(Esys_Load) (*_gnutls_tss2_Esys_Load); ++static typeof(Esys_FlushContext) (*_gnutls_tss2_Esys_FlushContext); ++static typeof(Esys_Finalize) (*_gnutls_tss2_Esys_Finalize); ++static typeof(Esys_RSA_Decrypt) (*_gnutls_tss2_Esys_RSA_Decrypt); ++static typeof(Esys_Sign) (*_gnutls_tss2_Esys_Sign); ++ ++static typeof(Tss2_MU_TPM2B_PRIVATE_Unmarshal) ++(*_gnutls_tss2_Tss2_MU_TPM2B_PRIVATE_Unmarshal); ++static typeof(Tss2_MU_TPM2B_PUBLIC_Unmarshal) ++(*_gnutls_tss2_Tss2_MU_TPM2B_PUBLIC_Unmarshal); ++ ++static typeof(Tss2_TctiLdr_Initialize) (*_gnutls_tss2_Tss2_TctiLdr_Initialize); ++static typeof(Tss2_TctiLdr_Finalize) (*_gnutls_tss2_Tss2_TctiLdr_Finalize); ++ ++#define DLSYM_TSS2(sys, sym) \ ++ _gnutls_tss2_##sym = dlsym(_gnutls_tss2_##sys##_dlhandle, #sym); \ ++ if (!_gnutls_tss2_##sym) { \ ++ return -1; \ + } + -+DEFINE_TSS2_FUNC(esys, TSS2_RC, -+ Esys_GetCapability, -+ (ESYS_CONTEXT *esysContext, -+ ESYS_TR shandle1, -+ ESYS_TR shandle2, -+ ESYS_TR shandle3, -+ TPM2_CAP capability, -+ UINT32 property, -+ UINT32 propertyCount, -+ TPMI_YES_NO *moreData, -+ TPMS_CAPABILITY_DATA **capabilityData), -+ (esysContext, -+ shandle1, -+ shandle2, -+ shandle3, -+ capability, -+ property, -+ propertyCount, -+ moreData, -+ capabilityData)) -+DEFINE_TSS2_FUNC(esys, void, Esys_Free, (void *__ptr), (__ptr)) -+DEFINE_TSS2_FUNC(esys, TSS2_RC, Esys_TR_SetAuth, -+ (ESYS_CONTEXT *esysContext, -+ ESYS_TR handle, -+ TPM2B_AUTH const *authValue), -+ (esysContext, -+ handle, -+ authValue)) -+DEFINE_TSS2_FUNC(esys, TSS2_RC, Esys_CreatePrimary, -+ (ESYS_CONTEXT *esysContext, -+ ESYS_TR primaryHandle, -+ ESYS_TR shandle1, -+ ESYS_TR shandle2, -+ ESYS_TR shandle3, -+ const TPM2B_SENSITIVE_CREATE *inSensitive, -+ const TPM2B_PUBLIC *inPublic, -+ const TPM2B_DATA *outsideInfo, -+ const TPML_PCR_SELECTION *creationPCR, -+ ESYS_TR *objectHandle, -+ TPM2B_PUBLIC **outPublic, -+ TPM2B_CREATION_DATA **creationData, -+ TPM2B_DIGEST **creationHash, -+ TPMT_TK_CREATION **creationTicket), -+ (esysContext, -+ primaryHandle, -+ shandle1, -+ shandle2, -+ shandle3, -+ inSensitive, -+ inPublic, -+ outsideInfo, -+ creationPCR, -+ objectHandle, -+ outPublic, -+ creationData, -+ creationHash, -+ creationTicket)) -+DEFINE_TSS2_FUNC(esys, TSS2_RC, Esys_Initialize, -+ (ESYS_CONTEXT **esys_context, -+ TSS2_TCTI_CONTEXT *tcti, -+ TSS2_ABI_VERSION *abiVersion), -+ (esys_context, -+ tcti, -+ abiVersion)) -+DEFINE_TSS2_FUNC(esys, TSS2_RC, Esys_Startup, -+ (ESYS_CONTEXT *esysContext, -+ TPM2_SU startupType), -+ (esysContext, -+ startupType)) -+DEFINE_TSS2_FUNC(esys, TSS2_RC, Esys_TR_FromTPMPublic, -+ (ESYS_CONTEXT *esysContext, -+ TPM2_HANDLE tpm_handle, -+ ESYS_TR optionalSession1, -+ ESYS_TR optionalSession2, -+ ESYS_TR optionalSession3, -+ ESYS_TR *object), -+ (esysContext, -+ tpm_handle, -+ optionalSession1, -+ optionalSession2, -+ optionalSession3, -+ object)) -+DEFINE_TSS2_FUNC(esys, TSS2_RC, Esys_ReadPublic, -+ (ESYS_CONTEXT *esysContext, -+ ESYS_TR objectHandle, -+ ESYS_TR shandle1, -+ ESYS_TR shandle2, -+ ESYS_TR shandle3, -+ TPM2B_PUBLIC **outPublic, -+ TPM2B_NAME **name, -+ TPM2B_NAME **qualifiedName), -+ (esysContext, -+ objectHandle, -+ shandle1, -+ shandle2, -+ shandle3, -+ outPublic, -+ name, -+ qualifiedName)) -+DEFINE_TSS2_FUNC(esys, TSS2_RC, Esys_Load, -+ (ESYS_CONTEXT *esysContext, -+ ESYS_TR parentHandle, -+ ESYS_TR shandle1, -+ ESYS_TR shandle2, -+ ESYS_TR shandle3, -+ const TPM2B_PRIVATE *inPrivate, -+ const TPM2B_PUBLIC *inPublic, -+ ESYS_TR *objectHandle), -+ (esysContext, -+ parentHandle, -+ shandle1, -+ shandle2, -+ shandle3, -+ inPrivate, -+ inPublic, -+ objectHandle)) -+DEFINE_TSS2_FUNC(esys, TSS2_RC, Esys_FlushContext, -+ (ESYS_CONTEXT *esysContext, -+ ESYS_TR flushHandle), -+ (esysContext, -+ flushHandle)) -+DEFINE_TSS2_FUNC(esys, void, Esys_Finalize, (ESYS_CONTEXT **context), (context)) -+DEFINE_TSS2_FUNC(esys, TSS2_RC, Esys_RSA_Decrypt, -+ (ESYS_CONTEXT *esysContext, -+ ESYS_TR keyHandle, -+ ESYS_TR shandle1, -+ ESYS_TR shandle2, -+ ESYS_TR shandle3, -+ const TPM2B_PUBLIC_KEY_RSA *cipherText, -+ const TPMT_RSA_DECRYPT *inScheme, -+ const TPM2B_DATA *label, -+ TPM2B_PUBLIC_KEY_RSA **message), -+ (esysContext, -+ keyHandle, -+ shandle1, -+ shandle2, -+ shandle3, -+ cipherText, -+ inScheme, -+ label, -+ message)) -+DEFINE_TSS2_FUNC(esys, TSS2_RC, Esys_Sign, -+ (ESYS_CONTEXT *esysContext, -+ ESYS_TR keyHandle, -+ ESYS_TR shandle1, -+ ESYS_TR shandle2, -+ ESYS_TR shandle3, -+ const TPM2B_DIGEST *digest, -+ const TPMT_SIG_SCHEME *inScheme, -+ const TPMT_TK_HASHCHECK *validation, -+ TPMT_SIGNATURE **signature), -+ (esysContext, -+ keyHandle, -+ shandle1, -+ shandle2, -+ shandle3, -+ digest, -+ inScheme, -+ validation, -+ signature)) ++static int ++init_tss2_funcs(void) ++{ ++ if (!_gnutls_tss2_esys_dlhandle) { ++ _gnutls_tss2_esys_dlhandle = ++ dlopen("libtss2-esys.so.0", RTLD_NOW | RTLD_GLOBAL); ++ if (!_gnutls_tss2_esys_dlhandle) { ++ _gnutls_debug_log("tpm2: unable to dlopen libtss2-esys\n"); ++ return -1; ++ } ++ } + -+DEFINE_TSS2_FUNC(mu, TSS2_RC, Tss2_MU_TPM2B_PRIVATE_Unmarshal, -+ (uint8_t const buffer[], -+ size_t buffer_size, -+ size_t *offset, -+ TPM2B_PRIVATE *dest), -+ (buffer, -+ buffer_size, -+ offset, -+ dest)) -+DEFINE_TSS2_FUNC(mu, TSS2_RC, Tss2_MU_TPM2B_PUBLIC_Unmarshal, -+ (uint8_t const buffer[], -+ size_t buffer_size, -+ size_t *offset, -+ TPM2B_PUBLIC *dest), -+ (buffer, -+ buffer_size, -+ offset, -+ dest)) ++ DLSYM_TSS2(esys, Esys_GetCapability) ++ DLSYM_TSS2(esys, Esys_Free) ++ DLSYM_TSS2(esys, Esys_TR_SetAuth) ++ DLSYM_TSS2(esys, Esys_CreatePrimary) ++ DLSYM_TSS2(esys, Esys_Initialize) ++ DLSYM_TSS2(esys, Esys_Startup) ++ DLSYM_TSS2(esys, Esys_TR_FromTPMPublic) ++ DLSYM_TSS2(esys, Esys_ReadPublic) ++ DLSYM_TSS2(esys, Esys_Load) ++ DLSYM_TSS2(esys, Esys_FlushContext) ++ DLSYM_TSS2(esys, Esys_Finalize) ++ DLSYM_TSS2(esys, Esys_RSA_Decrypt) ++ DLSYM_TSS2(esys, Esys_Sign) + -+DEFINE_TSS2_FUNC(tctildr, TSS2_RC, Tss2_TctiLdr_Initialize, -+ (const char *nameConf, -+ TSS2_TCTI_CONTEXT **context), -+ (nameConf, -+ context)) -+DEFINE_TSS2_FUNC(tctildr, void, Tss2_TctiLdr_Finalize, -+ (TSS2_TCTI_CONTEXT **context), -+ (context)) ++ if (!_gnutls_tss2_mu_dlhandle) { ++ _gnutls_tss2_mu_dlhandle = ++ dlopen("libtss2-mu.so.0", RTLD_NOW | RTLD_GLOBAL); ++ if (!_gnutls_tss2_mu_dlhandle) { ++ _gnutls_debug_log("tpm2: unable to dlopen libtss2-mu\n"); ++ return -1; ++ } ++ } ++ ++ DLSYM_TSS2(mu, Tss2_MU_TPM2B_PRIVATE_Unmarshal) ++ DLSYM_TSS2(mu, Tss2_MU_TPM2B_PUBLIC_Unmarshal) ++ ++ if (!_gnutls_tss2_tctildr_dlhandle) { ++ _gnutls_tss2_tctildr_dlhandle = ++ dlopen("libtss2-tctildr.so.0", RTLD_NOW | RTLD_GLOBAL); ++ if (!_gnutls_tss2_tctildr_dlhandle) { ++ _gnutls_debug_log("tpm2: unable to dlopen libtss2-tctildr\n"); ++ return -1; ++ } ++ } ++ ++ DLSYM_TSS2(tctildr, Tss2_TctiLdr_Initialize) ++ DLSYM_TSS2(tctildr, Tss2_TctiLdr_Finalize) ++ ++ return 0; ++} + struct tpm2_info_st { TPM2B_PUBLIC pub; TPM2B_PRIVATE priv; -@@ -227,10 +438,10 @@ get_primary_template(ESYS_CONTEXT *ctx) +@@ -227,10 +323,10 @@ get_primary_template(ESYS_CONTEXT *ctx) UINT32 i; TSS2_RC rc; @@ -356,86 +241,61 @@ index 93e54413ba..e1a54f12a1 100644 - ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, - TPM2_CAP_ALGS, 0, TPM2_MAX_CAP_ALGS, - NULL, &capability_data); -+ rc = _gnutls_tss2_esys_Esys_GetCapability(ctx, ++ rc = _gnutls_tss2_Esys_GetCapability(ctx, + ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, + TPM2_CAP_ALGS, 0, TPM2_MAX_CAP_ALGS, + NULL, &capability_data); if (rc) { _gnutls_debug_log("tpm2: Esys_GetCapability failed: 0x%x\n", rc); return NULL; -@@ -239,7 +450,7 @@ get_primary_template(ESYS_CONTEXT *ctx) +@@ -239,7 +335,7 @@ get_primary_template(ESYS_CONTEXT *ctx) for (i = 0; i < capability_data->data.algorithms.count; i++) { if (capability_data->data.algorithms.algProperties[i].alg == TPM2_ALG_ECC) { - Esys_Free(capability_data); -+ _gnutls_tss2_esys_Esys_Free(capability_data); ++ _gnutls_tss2_Esys_Free(capability_data); return &primary_template_ecc; } } -@@ -247,12 +458,12 @@ get_primary_template(ESYS_CONTEXT *ctx) +@@ -247,12 +343,12 @@ get_primary_template(ESYS_CONTEXT *ctx) for (i = 0; i < capability_data->data.algorithms.count; i++) { if (capability_data->data.algorithms.algProperties[i].alg == TPM2_ALG_RSA) { - Esys_Free(capability_data); -+ _gnutls_tss2_esys_Esys_Free(capability_data); ++ _gnutls_tss2_Esys_Free(capability_data); return &primary_template_rsa; } } - Esys_Free(capability_data); -+ _gnutls_tss2_esys_Esys_Free(capability_data); ++ _gnutls_tss2_Esys_Free(capability_data); _gnutls_debug_log("tpm2: unable to find primary template\n"); return NULL; } -@@ -320,7 +531,7 @@ static int init_tpm2_primary(struct tpm2_info_st *info, +@@ -320,7 +416,7 @@ static int init_tpm2_primary(struct tpm2_info_st *info, install_tpm_passphrase(&info->ownerauth, pass); info->need_ownerauth = false; } - rc = Esys_TR_SetAuth(ctx, hierarchy, &info->ownerauth); -+ rc = _gnutls_tss2_esys_Esys_TR_SetAuth(ctx, hierarchy, &info->ownerauth); ++ rc = _gnutls_tss2_Esys_TR_SetAuth(ctx, hierarchy, &info->ownerauth); if (rc) { _gnutls_debug_log("tpm2: Esys_TR_SetAuth failed: 0x%x\n", rc); return gnutls_assert_val(GNUTLS_E_TPM_ERROR); -@@ -329,7 +540,7 @@ static int init_tpm2_primary(struct tpm2_info_st *info, +@@ -329,7 +425,7 @@ static int init_tpm2_primary(struct tpm2_info_st *info, if (!primary_template) { return gnutls_assert_val(GNUTLS_E_TPM_ERROR); } - rc = Esys_CreatePrimary(ctx, hierarchy, -+ rc = _gnutls_tss2_esys_Esys_CreatePrimary(ctx, hierarchy, ++ rc = _gnutls_tss2_Esys_CreatePrimary(ctx, hierarchy, ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE, &primary_sensitive, primary_template, -@@ -355,18 +566,39 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle, - ESYS_TR parent_handle = ESYS_TR_NONE; - TSS2_RC rc; - -+ if (!_gnutls_tss2_esys_dlhandle) { -+ _gnutls_tss2_esys_dlhandle = -+ dlopen("libtss2-esys.so.0", RTLD_NOW | RTLD_GLOBAL); -+ if (!_gnutls_tss2_esys_dlhandle) { -+ _gnutls_debug_log("tpm2: unable to dlopen libtss2-esys\n"); -+ goto error; -+ } -+ _gnutls_tss2_mu_dlhandle = -+ dlopen("libtss2-mu.so.0", RTLD_NOW | RTLD_GLOBAL); -+ if (!_gnutls_tss2_mu_dlhandle) { -+ _gnutls_debug_log("tpm2: unable to dlopen libtss2-mu\n"); -+ goto error; -+ } -+ _gnutls_tss2_tctildr_dlhandle = -+ dlopen("libtss2-tctildr.so.0", RTLD_NOW | RTLD_GLOBAL); -+ if (!_gnutls_tss2_tctildr_dlhandle) { -+ _gnutls_debug_log("tpm2: unable to dlopen libtss2-tctildr\n"); -+ goto error; -+ } -+ } -+ - *key_handle = ESYS_TR_NONE; +@@ -359,14 +455,14 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle, _gnutls_debug_log("tpm2: establishing connection with TPM\n"); - rc = Esys_Initialize(ctx, tcti_ctx, NULL); -+ rc = _gnutls_tss2_esys_Esys_Initialize(ctx, tcti_ctx, NULL); ++ rc = _gnutls_tss2_Esys_Initialize(ctx, tcti_ctx, NULL); if (rc) { gnutls_assert(); _gnutls_debug_log("tpm2: Esys_Initialize failed: 0x%x\n", rc); @@ -443,149 +303,149 @@ index 93e54413ba..e1a54f12a1 100644 } - rc = Esys_Startup(*ctx, TPM2_SU_CLEAR); -+ rc = _gnutls_tss2_esys_Esys_Startup(*ctx, TPM2_SU_CLEAR); ++ rc = _gnutls_tss2_Esys_Startup(*ctx, TPM2_SU_CLEAR); if (rc == TPM2_RC_INITIALIZE) { _gnutls_debug_log("tpm2: was already started up thus false positive failing in tpm2tss log\n"); } else if (rc) { -@@ -381,7 +613,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle, +@@ -381,7 +477,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle, goto error; } } else { - rc = Esys_TR_FromTPMPublic(*ctx, info->parent, -+ rc = _gnutls_tss2_esys_Esys_TR_FromTPMPublic(*ctx, info->parent, ++ rc = _gnutls_tss2_Esys_TR_FromTPMPublic(*ctx, info->parent, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, -@@ -399,7 +631,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle, +@@ -399,7 +495,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle, if (!info->did_ownerauth && !info->ownerauth.size) { TPM2B_PUBLIC *pub = NULL; - rc = Esys_ReadPublic(*ctx, parent_handle, -+ rc = _gnutls_tss2_esys_Esys_ReadPublic(*ctx, parent_handle, ++ rc = _gnutls_tss2_Esys_ReadPublic(*ctx, parent_handle, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, -@@ -408,7 +640,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle, +@@ -408,7 +504,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle, !(pub->publicArea.objectAttributes & TPMA_OBJECT_NODA)) { info->need_ownerauth = true; } - Esys_Free(pub); -+ _gnutls_tss2_esys_Esys_Free(pub); ++ _gnutls_tss2_Esys_Free(pub); } reauth: if (info->need_ownerauth) { -@@ -420,7 +652,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle, +@@ -420,7 +516,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle, install_tpm_passphrase(&info->ownerauth, pass); info->need_ownerauth = false; } - rc = Esys_TR_SetAuth(*ctx, parent_handle, &info->ownerauth); -+ rc = _gnutls_tss2_esys_Esys_TR_SetAuth(*ctx, parent_handle, &info->ownerauth); ++ rc = _gnutls_tss2_Esys_TR_SetAuth(*ctx, parent_handle, &info->ownerauth); if (rc) { gnutls_assert(); _gnutls_debug_log("tpm2: Esys_TR_SetAuth failed: 0x%x\n", -@@ -432,7 +664,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle, +@@ -432,7 +528,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle, _gnutls_debug_log("tpm2: loading TPM2 key blob, parent handle 0x%x\n", parent_handle); - rc = Esys_Load(*ctx, parent_handle, -+ rc = _gnutls_tss2_esys_Esys_Load(*ctx, parent_handle, ++ rc = _gnutls_tss2_Esys_Load(*ctx, parent_handle, ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE, &info->priv, &info->pub, key_handle); -@@ -450,7 +682,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle, +@@ -450,7 +546,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle, info->did_ownerauth = true; if (parent_is_generated(info->parent)) { - rc = Esys_FlushContext(*ctx, parent_handle); -+ rc = _gnutls_tss2_esys_Esys_FlushContext(*ctx, parent_handle); ++ rc = _gnutls_tss2_Esys_FlushContext(*ctx, parent_handle); if (rc) { _gnutls_debug_log("tpm2: Esys_FlushContext for generated primary failed: 0x%x\n", rc); -@@ -461,14 +693,14 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle, +@@ -461,14 +557,14 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle, return 0; error: if (parent_is_generated(info->parent) && parent_handle != ESYS_TR_NONE) { - Esys_FlushContext(*ctx, parent_handle); -+ _gnutls_tss2_esys_Esys_FlushContext(*ctx, parent_handle); ++ _gnutls_tss2_Esys_FlushContext(*ctx, parent_handle); } if (*key_handle != ESYS_TR_NONE) { - Esys_FlushContext(*ctx, *key_handle); -+ _gnutls_tss2_esys_Esys_FlushContext(*ctx, *key_handle); ++ _gnutls_tss2_Esys_FlushContext(*ctx, *key_handle); } *key_handle = ESYS_TR_NONE; - Esys_Finalize(ctx); -+ _gnutls_tss2_esys_Esys_Finalize(ctx); ++ _gnutls_tss2_Esys_Finalize(ctx); return GNUTLS_E_TPM_ERROR; } -@@ -488,7 +720,7 @@ auth_tpm2_key(struct tpm2_info_st *info, ESYS_CONTEXT *ctx, ESYS_TR key_handle) +@@ -488,7 +584,7 @@ auth_tpm2_key(struct tpm2_info_st *info, ESYS_CONTEXT *ctx, ESYS_TR key_handle) info->need_userauth = false; } - rc = Esys_TR_SetAuth(ctx, key_handle, &info->userauth); -+ rc = _gnutls_tss2_esys_Esys_TR_SetAuth(ctx, key_handle, &info->userauth); ++ rc = _gnutls_tss2_Esys_TR_SetAuth(ctx, key_handle, &info->userauth); if (rc) { _gnutls_debug_log("tpm2: Esys_TR_SetAuth failed: 0x%x\n", rc); return gnutls_assert_val(GNUTLS_E_TPM_ERROR); -@@ -574,7 +806,7 @@ int tpm2_rsa_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo, +@@ -574,7 +670,7 @@ int tpm2_rsa_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo, goto out; } - rc = Esys_RSA_Decrypt(ectx, key_handle, -+ rc = _gnutls_tss2_esys_Esys_RSA_Decrypt(ectx, key_handle, ++ rc = _gnutls_tss2_Esys_RSA_Decrypt(ectx, key_handle, ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE, &digest, &in_scheme, &label, &tsig); if (rc_is_key_auth_failed(rc)) { -@@ -591,14 +823,14 @@ int tpm2_rsa_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo, +@@ -591,14 +687,14 @@ int tpm2_rsa_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo, ret = _gnutls_set_datum(sig, tsig->buffer, tsig->size); out: - Esys_Free(tsig); -+ _gnutls_tss2_esys_Esys_Free(tsig); ++ _gnutls_tss2_Esys_Free(tsig); if (key_handle != ESYS_TR_NONE) { - Esys_FlushContext(ectx, key_handle); -+ _gnutls_tss2_esys_Esys_FlushContext(ectx, key_handle); ++ _gnutls_tss2_Esys_FlushContext(ectx, key_handle); } if (ectx) { - Esys_Finalize(&ectx); -+ _gnutls_tss2_esys_Esys_Finalize(&ectx); ++ _gnutls_tss2_Esys_Finalize(&ectx); } return ret; -@@ -661,7 +893,7 @@ int tpm2_ec_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo, +@@ -661,7 +757,7 @@ int tpm2_ec_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo, goto out; } - rc = Esys_Sign(ectx, key_handle, -+ rc = _gnutls_tss2_esys_Esys_Sign(ectx, key_handle, ++ rc = _gnutls_tss2_Esys_Sign(ectx, key_handle, ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE, &digest, &in_scheme, &validation, &tsig); -@@ -682,14 +914,14 @@ int tpm2_ec_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo, +@@ -682,31 +778,23 @@ int tpm2_ec_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo, ret = gnutls_encode_rs_value(sig, &sig_r, &sig_s); out: - Esys_Free(tsig); -+ _gnutls_tss2_esys_Esys_Free(tsig); ++ _gnutls_tss2_Esys_Free(tsig); if (key_handle != ESYS_TR_NONE) { - Esys_FlushContext(ectx, key_handle); -+ _gnutls_tss2_esys_Esys_FlushContext(ectx, key_handle); ++ _gnutls_tss2_Esys_FlushContext(ectx, key_handle); } if (ectx) { - Esys_Finalize(&ectx); -+ _gnutls_tss2_esys_Esys_Finalize(&ectx); ++ _gnutls_tss2_Esys_Finalize(&ectx); } return ret; -@@ -697,14 +929,6 @@ int tpm2_ec_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo, - - GNUTLS_ONCE(tcti_once); + } +-GNUTLS_ONCE(tcti_once); +- -void -tpm2_tcti_deinit(void) -{ @@ -593,20 +453,36 @@ index 93e54413ba..e1a54f12a1 100644 - Tss2_TctiLdr_Finalize(&tcti_ctx); - } -} -- ++GNUTLS_ONCE(tpm2_esys_once); + static void - tcti_once_init(void) +-tcti_once_init(void) ++tpm2_esys_once_init(void) { -@@ -727,7 +951,7 @@ tcti_once_init(void) + const char *tcti; + const char * const tcti_vars[] = { +@@ -718,6 +806,11 @@ tcti_once_init(void) + size_t i; + TSS2_RC rc; + ++ if (init_tss2_funcs() < 0) { ++ _gnutls_debug_log("tpm2: unable to initialize TSS2 functions\n"); ++ return; ++ } ++ + for (i = 0; i < sizeof(tcti_vars) / sizeof(tcti_vars[0]); i++) { + tcti = secure_getenv(tcti_vars[i]); + if (tcti && *tcti != '\0') { +@@ -727,7 +820,7 @@ tcti_once_init(void) } } if (tcti && *tcti != '\0') { - rc = Tss2_TctiLdr_Initialize(tcti, &tcti_ctx); -+ rc = _gnutls_tss2_tctildr_Tss2_TctiLdr_Initialize(tcti, &tcti_ctx); ++ rc = _gnutls_tss2_Tss2_TctiLdr_Initialize(tcti, &tcti_ctx); if (rc) { _gnutls_debug_log("tpm2: TSS2_TctiLdr_Initialize failed: 0x%x\n", rc); -@@ -735,6 +959,28 @@ tcti_once_init(void) +@@ -735,13 +828,35 @@ tcti_once_init(void) } } @@ -615,7 +491,7 @@ index 93e54413ba..e1a54f12a1 100644 +tpm2_esys_deinit(void) +{ + if (tcti_ctx) { -+ _gnutls_tss2_tctildr_Tss2_TctiLdr_Finalize(&tcti_ctx); ++ _gnutls_tss2_Tss2_TctiLdr_Finalize(&tcti_ctx); + tcti_ctx = NULL; + } + if (_gnutls_tss2_esys_dlhandle) { @@ -635,13 +511,21 @@ index 93e54413ba..e1a54f12a1 100644 int install_tpm2_key(struct tpm2_info_st *info, gnutls_privkey_t pkey, unsigned int parent, bool emptyauth, gnutls_datum_t *privdata, gnutls_datum_t *pubdata) -@@ -757,16 +1003,16 @@ int install_tpm2_key(struct tpm2_info_st *info, gnutls_privkey_t pkey, + { + TSS2_RC rc; + +- (void)gnutls_once(&tcti_once, tcti_once_init); ++ (void)gnutls_once(&tpm2_esys_once, tpm2_esys_once_init); + + if (!tcti_ctx) { + return gnutls_assert_val(GNUTLS_E_TPM_ERROR); +@@ -757,16 +872,16 @@ int install_tpm2_key(struct tpm2_info_st *info, gnutls_privkey_t pkey, info->parent = parent; - rc = Tss2_MU_TPM2B_PRIVATE_Unmarshal(privdata->data, privdata->size, NULL, - &info->priv); -+ rc = _gnutls_tss2_mu_Tss2_MU_TPM2B_PRIVATE_Unmarshal(privdata->data, privdata->size, NULL, ++ rc = _gnutls_tss2_Tss2_MU_TPM2B_PRIVATE_Unmarshal(privdata->data, privdata->size, NULL, + &info->priv); if (rc) { _gnutls_debug_log("tpm2: failed to import private key data: 0x%x\n", @@ -651,11 +535,113 @@ index 93e54413ba..e1a54f12a1 100644 - rc = Tss2_MU_TPM2B_PUBLIC_Unmarshal(pubdata->data, pubdata->size, NULL, - &info->pub); -+ rc = _gnutls_tss2_mu_Tss2_MU_TPM2B_PUBLIC_Unmarshal(pubdata->data, pubdata->size, NULL, ++ rc = _gnutls_tss2_Tss2_MU_TPM2B_PUBLIC_Unmarshal(pubdata->data, pubdata->size, NULL, + &info->pub); if (rc) { _gnutls_debug_log("tpm2: failed to import public key data: 0x%x\n", rc); +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 529f1cc077..64ce470a02 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -515,7 +515,8 @@ dist_check_SCRIPTS += fastopen.sh pkgconfig.sh starttls.sh starttls-ftp.sh start + psktool.sh ocsp-tests/ocsp-load-chain.sh gnutls-cli-save-data.sh gnutls-cli-debug.sh \ + sni-resume.sh ocsp-tests/ocsptool.sh cert-reencoding.sh pkcs7-cat.sh long-crl.sh \ + serv-udp.sh logfile-option.sh gnutls-cli-resume.sh profile-tests.sh \ +- server-weak-keys.sh ocsp-tests/ocsp-signer-verify.sh cfg-test.sh ++ server-weak-keys.sh ocsp-tests/ocsp-signer-verify.sh cfg-test.sh \ ++ sanity-lib.sh + + if !DISABLE_SYSTEM_CONFIG + dist_check_SCRIPTS += system-override-sig.sh system-override-hash.sh \ +diff --git a/tests/sanity-lib.sh b/tests/sanity-lib.sh +new file mode 100644 +index 0000000000..fd38c764fb +--- /dev/null ++++ b/tests/sanity-lib.sh +@@ -0,0 +1,36 @@ ++#!/bin/sh ++ ++# Copyright (C) 2022 Red Hat, Inc. ++# ++# Author: Daiki Ueno ++# ++# This file is part of GnuTLS. ++# ++# GnuTLS is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License as published by the ++# Free Software Foundation; either version 3 of the License, or (at ++# your option) any later version. ++# ++# GnuTLS is distributed in the hope that it will be useful, but ++# WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++# General Public License for more details. ++# ++# You should have received a copy of the GNU Lesser General Public License ++# along with this program. If not, see ++ ++: ${top_builddir=..} ++: ${CLI_DEBUG=../src/gnutls-cli-debug${EXEEXT}} ++: ${LDD=ldd} ++: ${LIBTOOL=libtool} ++ ++# ldd.sh doesn't check recursive dependencies ++${LDD} --version >/dev/null || exit 77 ++ ++# We use gnutls-cli-debug, as it has the fewest dependencies among our ++# commands (e.g., gnutls-cli pulls in OpenSSL through libunbound). ++if ${LIBTOOL} --mode=execute ${LDD} ${CLI_DEBUG} | \ ++ grep '^[[:space:]]*\(libcrypto\.\|libssl\.\|libgcrypt\.\)'; then ++ echo "gnutls-cli-debug links to other crypto library" ++ exit 1 ++fi +diff --git a/tests/tpm2.sh b/tests/tpm2.sh +index 854986c552..6f8e44c64b 100755 +--- a/tests/tpm2.sh ++++ b/tests/tpm2.sh +@@ -21,8 +21,6 @@ + # along with GnuTLS; if not, write to the Free Software Foundation, + # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +-set +e +- + : ${srcdir=.} + : ${CERTTOOL=../src/certtool${EXEEXT}} + KEYPEMFILE=tpmkey.$$.key.pem +@@ -192,6 +190,10 @@ run_tests() + + echo " - Generating ${KEYPEMFILE}" + tpm2tss-genkey -a ${kalg} -o ${OPASS} ${KEYPEMFILE} ++ if [ $? -ne 0 ]; then ++ echo "unable to generate key" ++ return 1 ++ fi + cat ${KEYPEMFILE} + + echo " - Generating certificate based on key" +@@ -200,6 +202,10 @@ run_tests() + "${CERTTOOL}" --generate-self-signed -d 3 \ + --load-privkey "${KEYPEMFILE}" \ + --template "${srcdir}/cert-tests/templates/template-test.tmpl" ++ if [ $? -ne 0 ]; then ++ echo "unable to generate certificate" ++ return 1 ++ fi + + if test "${kalg}" = "rsa";then + echo " - Generating RSA-PSS certificate based on key" +@@ -207,6 +213,10 @@ run_tests() + --load-privkey "${KEYPEMFILE}" \ + --sign-params rsa-pss \ + --template "${srcdir}/cert-tests/templates/template-test.tmpl" ++ if [ $? -ne 0 ]; then ++ echo "unable to generate certificate" ++ return 1 ++ fi + fi + + stop_swtpm -- 2.34.1 diff --git a/gnutls.spec b/gnutls.spec index cc33116..86e5b34 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -13,7 +13,7 @@ print(string.sub(hash, 0, 16)) } Version: 3.7.3 -Release: 7%{?dist} +Release: 8%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch Patch3: gnutls-3.7.2-enable-intel-cet.patch @@ -343,6 +343,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Thu Feb 24 2022 Daiki Ueno - 3.7.3-8 +- Fix previous change for loading libtss2* (#2057490) + * Wed Feb 23 2022 Daiki Ueno - 3.7.3-7 - Increase GNUTLS_MAX_ALGORITHM_NUM for allowlisting (#2033220) - Ensure allowlisting API is called before priority string is constructed (#2042532)