import gnutls-3.7.3-9.el9
This commit is contained in:
parent
69169ae197
commit
acc3f5f154
2440
SOURCES/gnutls-3.7.3-allowlist-api.patch
Normal file
2440
SOURCES/gnutls-3.7.3-allowlist-api.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -1,19 +1,26 @@
|
||||
diff --color -ru a/lib/priority.c b/lib/priority.c
|
||||
--- a/lib/priority.c 2022-01-14 07:53:21.000000000 +0100
|
||||
+++ b/lib/priority.c 2022-02-15 09:31:36.388485784 +0100
|
||||
@@ -2030,15 +2030,6 @@
|
||||
diff --git a/lib/priority.c b/lib/priority.c
|
||||
index 9feec47fe2..40511710fd 100644
|
||||
--- a/lib/priority.c
|
||||
+++ b/lib/priority.c
|
||||
@@ -2001,13 +2001,14 @@ char *_gnutls_resolve_priorities(const char* priorities)
|
||||
additional++;
|
||||
}
|
||||
|
||||
- /* Always try to refresh the cached data, to allow it to be
|
||||
- * updated without restarting all applications.
|
||||
- */
|
||||
- ret = _gnutls_update_system_priorities();
|
||||
- ret = _gnutls_update_system_priorities(false /* defer_system_wide */);
|
||||
- if (ret < 0) {
|
||||
- _gnutls_debug_log("failed to update system priorities: %s\n",
|
||||
- gnutls_strerror(ret));
|
||||
- }
|
||||
-
|
||||
+ /* If priority string is not constructed yet, construct and finalize */
|
||||
+ if (!system_wide_config.priority_string) {
|
||||
+ ret = _gnutls_update_system_priorities(false
|
||||
+ /* defer_system_wide */);
|
||||
+ if (ret < 0) {
|
||||
+ _gnutls_debug_log("failed to update system priorities: "
|
||||
+ " %s\n", gnutls_strerror(ret));
|
||||
+ }
|
||||
}
|
||||
|
||||
do {
|
||||
ss_next = strchr(ss, ',');
|
||||
if (ss_next) {
|
||||
|
259
SOURCES/gnutls-3.7.3-gost-ifdef.patch
Normal file
259
SOURCES/gnutls-3.7.3-gost-ifdef.patch
Normal file
@ -0,0 +1,259 @@
|
||||
From 85a881cbca6f8e8578af7a026163ac3075ea267c Mon Sep 17 00:00:00 2001
|
||||
From: Daiki Ueno <ueno@gnu.org>
|
||||
Date: Mon, 21 Feb 2022 16:28:49 +0100
|
||||
Subject: [PATCH] priority: compile out GOST algorithms IDs if they are
|
||||
disabled
|
||||
|
||||
When compiled with --disable-gost, gnutls-cli --priority NORMAL --list
|
||||
still prints GOST algorithms for ciphers, MACs, and signatures. This
|
||||
change adds compile time checks to suppress them.
|
||||
|
||||
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
||||
---
|
||||
lib/priority.c | 9 ++++++++-
|
||||
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/priority.c b/lib/priority.c
|
||||
index 54d7b1bb45..0c7ac65d7b 100644
|
||||
--- a/lib/priority.c
|
||||
+++ b/lib/priority.c
|
||||
@@ -309,7 +309,9 @@ static const int _kx_priority_secure[] = {
|
||||
static const int* kx_priority_secure = _kx_priority_secure;
|
||||
|
||||
static const int _kx_priority_gost[] = {
|
||||
+#ifdef ENABLE_GOST
|
||||
GNUTLS_KX_VKO_GOST_12,
|
||||
+#endif
|
||||
0,
|
||||
};
|
||||
static const int* kx_priority_gost = _kx_priority_gost;
|
||||
@@ -507,9 +509,10 @@ static const int _sign_priority_secure192[] = {
|
||||
static const int* sign_priority_secure192 = _sign_priority_secure192;
|
||||
|
||||
static const int _sign_priority_gost[] = {
|
||||
+#ifdef ENABLE_GOST
|
||||
GNUTLS_SIGN_GOST_256,
|
||||
GNUTLS_SIGN_GOST_512,
|
||||
-
|
||||
+#endif
|
||||
0
|
||||
};
|
||||
static const int* sign_priority_gost = _sign_priority_gost;
|
||||
@@ -531,13 +534,17 @@ static const int *cipher_priority_normal = _cipher_priority_normal_default;
|
||||
static const int *mac_priority_normal = mac_priority_normal_default;
|
||||
|
||||
static const int _cipher_priority_gost[] = {
|
||||
+#ifdef ENABLE_GOST
|
||||
GNUTLS_CIPHER_GOST28147_TC26Z_CNT,
|
||||
+#endif
|
||||
0
|
||||
};
|
||||
static const int *cipher_priority_gost = _cipher_priority_gost;
|
||||
|
||||
static const int _mac_priority_gost[] = {
|
||||
+#ifdef ENABLE_GOST
|
||||
GNUTLS_MAC_GOST28147_TC26Z_IMIT,
|
||||
+#endif
|
||||
0
|
||||
};
|
||||
static const int *mac_priority_gost = _mac_priority_gost;
|
||||
--
|
||||
2.34.1
|
||||
|
||||
From f2bb30f68922d72f8bed29cc8b2a065087a0969f Mon Sep 17 00:00:00 2001
|
||||
From: Daiki Ueno <ueno@gnu.org>
|
||||
Date: Tue, 22 Feb 2022 17:09:46 +0100
|
||||
Subject: [PATCH] algorithms: ensure _list() exclude non-existing algorithms
|
||||
|
||||
This aligns the behavior of _list() function for sign/pk to the one
|
||||
for cipher/mac: the former previously returned all the algorithms
|
||||
defined, while the latter returns only algorithms compiled in.
|
||||
|
||||
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
||||
---
|
||||
lib/algorithms/publickey.c | 8 +++-
|
||||
lib/algorithms/sign.c | 4 +-
|
||||
lib/crypto-backend.h | 2 +
|
||||
lib/nettle/pk.c | 86 ++++++++++++++++++++++++++++++++++++++
|
||||
lib/pk.h | 2 +
|
||||
5 files changed, 99 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/lib/algorithms/publickey.c b/lib/algorithms/publickey.c
|
||||
index b4cd6b1df0..caf53972ab 100644
|
||||
--- a/lib/algorithms/publickey.c
|
||||
+++ b/lib/algorithms/publickey.c
|
||||
@@ -24,6 +24,7 @@
|
||||
#include <algorithms.h>
|
||||
#include "errors.h"
|
||||
#include <x509/common.h>
|
||||
+#include "pk.h"
|
||||
|
||||
|
||||
/* KX mappings to PK algorithms */
|
||||
@@ -203,8 +204,11 @@ const gnutls_pk_algorithm_t *gnutls_pk_list(void)
|
||||
int i = 0;
|
||||
|
||||
GNUTLS_PK_LOOP(
|
||||
- if (p->id != GNUTLS_PK_UNKNOWN && supported_pks[i > 0 ? (i - 1) : 0] != p->id)
|
||||
- supported_pks[i++] = p->id
|
||||
+ if (p->id != GNUTLS_PK_UNKNOWN &&
|
||||
+ supported_pks[i > 0 ? (i - 1) : 0] != p->id &&
|
||||
+ _gnutls_pk_exists(p->id)) {
|
||||
+ supported_pks[i++] = p->id;
|
||||
+ }
|
||||
);
|
||||
supported_pks[i++] = 0;
|
||||
}
|
||||
diff --git a/lib/algorithms/sign.c b/lib/algorithms/sign.c
|
||||
index 06abdb4cf8..4a5aaa75e1 100644
|
||||
--- a/lib/algorithms/sign.c
|
||||
+++ b/lib/algorithms/sign.c
|
||||
@@ -27,6 +27,7 @@
|
||||
#include <x509/common.h>
|
||||
#include <assert.h>
|
||||
#include "c-strcase.h"
|
||||
+#include "pk.h"
|
||||
|
||||
/* signature algorithms;
|
||||
*/
|
||||
@@ -631,7 +632,8 @@ const gnutls_sign_algorithm_t *gnutls_sign_list(void)
|
||||
|
||||
GNUTLS_SIGN_LOOP(
|
||||
/* list all algorithms, but not duplicates */
|
||||
- if (supported_sign[i] != p->id) {
|
||||
+ if (supported_sign[i] != p->id &&
|
||||
+ _gnutls_pk_sign_exists(p->id)) {
|
||||
assert(i+1 < MAX_ALGOS);
|
||||
supported_sign[i++] = p->id;
|
||||
supported_sign[i+1] = 0;
|
||||
diff --git a/lib/crypto-backend.h b/lib/crypto-backend.h
|
||||
index 9874033221..f0f68c337e 100644
|
||||
--- a/lib/crypto-backend.h
|
||||
+++ b/lib/crypto-backend.h
|
||||
@@ -418,6 +418,8 @@ typedef struct gnutls_crypto_pk {
|
||||
unsigned int flags);
|
||||
|
||||
int (*curve_exists) (gnutls_ecc_curve_t); /* true/false */
|
||||
+ int (*pk_exists) (gnutls_pk_algorithm_t); /* true/false */
|
||||
+ int (*sign_exists) (gnutls_sign_algorithm_t); /* true/false */
|
||||
} gnutls_crypto_pk_st;
|
||||
|
||||
/* priority: infinity for backend algorithms, 90 for kernel
|
||||
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
|
||||
index a146568266..eba246f0b3 100644
|
||||
--- a/lib/nettle/pk.c
|
||||
+++ b/lib/nettle/pk.c
|
||||
@@ -1883,6 +1883,90 @@ static int _wrap_nettle_pk_curve_exists(gnutls_ecc_curve_t curve)
|
||||
}
|
||||
}
|
||||
|
||||
+static int _wrap_nettle_pk_exists(gnutls_pk_algorithm_t pk)
|
||||
+{
|
||||
+ switch (pk) {
|
||||
+ case GNUTLS_PK_RSA:
|
||||
+ case GNUTLS_PK_DSA:
|
||||
+ case GNUTLS_PK_DH:
|
||||
+ case GNUTLS_PK_ECDSA:
|
||||
+ case GNUTLS_PK_ECDH_X25519:
|
||||
+ case GNUTLS_PK_RSA_PSS:
|
||||
+ case GNUTLS_PK_EDDSA_ED25519:
|
||||
+#if ENABLE_GOST
|
||||
+ case GNUTLS_PK_GOST_01:
|
||||
+ case GNUTLS_PK_GOST_12_256:
|
||||
+ case GNUTLS_PK_GOST_12_512:
|
||||
+#endif
|
||||
+ case GNUTLS_PK_ECDH_X448:
|
||||
+ case GNUTLS_PK_EDDSA_ED448:
|
||||
+ return 1;
|
||||
+ default:
|
||||
+ return 0;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+static int _wrap_nettle_pk_sign_exists(gnutls_sign_algorithm_t sign)
|
||||
+{
|
||||
+ switch (sign) {
|
||||
+ case GNUTLS_SIGN_RSA_SHA1:
|
||||
+ case GNUTLS_SIGN_DSA_SHA1:
|
||||
+ case GNUTLS_SIGN_RSA_MD5:
|
||||
+ case GNUTLS_SIGN_RSA_MD2:
|
||||
+ case GNUTLS_SIGN_RSA_RMD160:
|
||||
+ case GNUTLS_SIGN_RSA_SHA256:
|
||||
+ case GNUTLS_SIGN_RSA_SHA384:
|
||||
+ case GNUTLS_SIGN_RSA_SHA512:
|
||||
+ case GNUTLS_SIGN_RSA_SHA224:
|
||||
+ case GNUTLS_SIGN_DSA_SHA224:
|
||||
+ case GNUTLS_SIGN_DSA_SHA256:
|
||||
+ case GNUTLS_SIGN_ECDSA_SHA1:
|
||||
+ case GNUTLS_SIGN_ECDSA_SHA224:
|
||||
+ case GNUTLS_SIGN_ECDSA_SHA256:
|
||||
+ case GNUTLS_SIGN_ECDSA_SHA384:
|
||||
+ case GNUTLS_SIGN_ECDSA_SHA512:
|
||||
+ case GNUTLS_SIGN_DSA_SHA384:
|
||||
+ case GNUTLS_SIGN_DSA_SHA512:
|
||||
+ case GNUTLS_SIGN_ECDSA_SHA3_224:
|
||||
+ case GNUTLS_SIGN_ECDSA_SHA3_256:
|
||||
+ case GNUTLS_SIGN_ECDSA_SHA3_384:
|
||||
+ case GNUTLS_SIGN_ECDSA_SHA3_512:
|
||||
+
|
||||
+ case GNUTLS_SIGN_DSA_SHA3_224:
|
||||
+ case GNUTLS_SIGN_DSA_SHA3_256:
|
||||
+ case GNUTLS_SIGN_DSA_SHA3_384:
|
||||
+ case GNUTLS_SIGN_DSA_SHA3_512:
|
||||
+ case GNUTLS_SIGN_RSA_SHA3_224:
|
||||
+ case GNUTLS_SIGN_RSA_SHA3_256:
|
||||
+ case GNUTLS_SIGN_RSA_SHA3_384:
|
||||
+ case GNUTLS_SIGN_RSA_SHA3_512:
|
||||
+
|
||||
+ case GNUTLS_SIGN_RSA_PSS_SHA256:
|
||||
+ case GNUTLS_SIGN_RSA_PSS_SHA384:
|
||||
+ case GNUTLS_SIGN_RSA_PSS_SHA512:
|
||||
+ case GNUTLS_SIGN_EDDSA_ED25519:
|
||||
+ case GNUTLS_SIGN_RSA_RAW:
|
||||
+
|
||||
+ case GNUTLS_SIGN_ECDSA_SECP256R1_SHA256:
|
||||
+ case GNUTLS_SIGN_ECDSA_SECP384R1_SHA384:
|
||||
+ case GNUTLS_SIGN_ECDSA_SECP521R1_SHA512:
|
||||
+
|
||||
+ case GNUTLS_SIGN_RSA_PSS_RSAE_SHA256:
|
||||
+ case GNUTLS_SIGN_RSA_PSS_RSAE_SHA384:
|
||||
+ case GNUTLS_SIGN_RSA_PSS_RSAE_SHA512:
|
||||
+
|
||||
+#if ENABLE_GOST
|
||||
+ case GNUTLS_SIGN_GOST_94:
|
||||
+ case GNUTLS_SIGN_GOST_256:
|
||||
+ case GNUTLS_SIGN_GOST_512:
|
||||
+#endif
|
||||
+ case GNUTLS_SIGN_EDDSA_ED448:
|
||||
+ return 1;
|
||||
+ default:
|
||||
+ return 0;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
/* Generates algorithm's parameters. That is:
|
||||
* For DSA: p, q, and g are generated.
|
||||
* For RSA: nothing
|
||||
@@ -3872,4 +3956,6 @@ gnutls_crypto_pk_st _gnutls_pk_ops = {
|
||||
.pk_fixup_private_params = wrap_nettle_pk_fixup,
|
||||
.derive = _wrap_nettle_pk_derive,
|
||||
.curve_exists = _wrap_nettle_pk_curve_exists,
|
||||
+ .pk_exists = _wrap_nettle_pk_exists,
|
||||
+ .sign_exists = _wrap_nettle_pk_sign_exists
|
||||
};
|
||||
diff --git a/lib/pk.h b/lib/pk.h
|
||||
index cc61e08cef..7f3c9995da 100644
|
||||
--- a/lib/pk.h
|
||||
+++ b/lib/pk.h
|
||||
@@ -40,6 +40,8 @@ extern gnutls_crypto_pk_st _gnutls_pk_ops;
|
||||
#define _gnutls_pk_generate_params( algo, bits, priv) _gnutls_pk_ops.generate_params( algo, bits, priv)
|
||||
#define _gnutls_pk_hash_algorithm( pk, sig, params, hash) _gnutls_pk_ops.hash_algorithm(pk, sig, params, hash)
|
||||
#define _gnutls_pk_curve_exists( curve) _gnutls_pk_ops.curve_exists(curve)
|
||||
+#define _gnutls_pk_exists(algo) _gnutls_pk_ops.pk_exists(algo)
|
||||
+#define _gnutls_pk_sign_exists(algo) _gnutls_pk_ops.sign_exists(algo)
|
||||
|
||||
inline static int
|
||||
_gnutls_pk_fixup(gnutls_pk_algorithm_t algo, gnutls_direction_t direction,
|
||||
--
|
||||
2.34.1
|
||||
|
719
SOURCES/gnutls-3.7.3-libtss2-dlopen.patch
Normal file
719
SOURCES/gnutls-3.7.3-libtss2-dlopen.patch
Normal file
@ -0,0 +1,719 @@
|
||||
From f5e5ab910b8b1d69f962ca033d1295c3e1e1e131 Mon Sep 17 00:00:00 2001
|
||||
From: Daiki Ueno <ueno@gnu.org>
|
||||
Date: Wed, 23 Feb 2022 19:48:52 +0100
|
||||
Subject: [PATCH] tpm2: dynamically load tss2 libraries as needed
|
||||
|
||||
libtss2-esys links to OpenSSL or mbed TLS for cryptography, which may
|
||||
cause packaging issues. This instead dlopen's tss2 libraries as
|
||||
needed so non-TPM applications continue working without loading
|
||||
multiple crypto libraries.
|
||||
|
||||
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
||||
---
|
||||
configure.ac | 11 +-
|
||||
lib/Makefile.am | 6 +-
|
||||
lib/tpm2.c | 2 +-
|
||||
lib/tpm2.h | 2 +-
|
||||
lib/tpm2_esys.c | 273 ++++++++++++++++++++++++++++++++++++--------
|
||||
tests/Makefile.am | 3 +-
|
||||
tests/sanity-lib.sh | 40 +++++++
|
||||
tests/tpm2.sh | 14 ++-
|
||||
8 files changed, 296 insertions(+), 55 deletions(-)
|
||||
create mode 100644 tests/sanity-lib.sh
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 53c3aefca1..721ff208f0 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -882,6 +882,8 @@ AM_CONDITIONAL(P11KIT_0_23_11_API, $PKG_CONFIG --atleast-version=0.23.11 p11-kit
|
||||
|
||||
AM_CONDITIONAL(ENABLE_PKCS11, test "$with_p11_kit" != "no")
|
||||
|
||||
+need_ltlibdl=no
|
||||
+
|
||||
AC_ARG_WITH(tpm2,
|
||||
AS_HELP_STRING([--without-tpm2],
|
||||
[Disable TPM2 support.]),
|
||||
@@ -892,6 +894,7 @@ if test "$with_tpm2" != "no"; then
|
||||
if test "$have_tpm2" = "yes"; then
|
||||
tss2lib="tss2-esys tss2-mu tss2-tctildr"
|
||||
AC_DEFINE([HAVE_TSS2], 1, [Have TSS2])
|
||||
+ need_ltlibdl=yes
|
||||
elif test "$with_tpm2" = "yes"; then
|
||||
AC_MSG_ERROR([[
|
||||
***
|
||||
@@ -920,7 +923,8 @@ if test "$with_tpm" != "no"; then
|
||||
AC_SUBST([TSS_LIBS], [-ltspi])
|
||||
AC_SUBST([TSS_CFLAGS], [])
|
||||
AC_DEFINE([HAVE_TROUSERS], 1, [Enable TPM])
|
||||
- with_tpm=yes],
|
||||
+ with_tpm=yes,
|
||||
+ need_ltlibdl=yes],
|
||||
[AC_MSG_RESULT(no)
|
||||
AC_MSG_WARN([[
|
||||
***
|
||||
@@ -957,6 +961,9 @@ fi
|
||||
AC_DEFINE_UNQUOTED([TROUSERS_LIB], ["$ac_trousers_lib"], [the location of the trousers library])
|
||||
AC_SUBST(TROUSERS_LIB)
|
||||
|
||||
+
|
||||
+AM_CONDITIONAL(NEED_LTLIBDL, test "$need_ltlibdl" = yes)
|
||||
+
|
||||
# For minitasn1.
|
||||
AC_CHECK_SIZEOF(unsigned long int, 4)
|
||||
AC_CHECK_SIZEOF(unsigned int, 4)
|
||||
@@ -1312,7 +1319,7 @@ AC_MSG_NOTICE([External hardware support:
|
||||
Random gen. variant: $rnd_variant
|
||||
PKCS#11 support: $with_p11_kit
|
||||
TPM support: $with_tpm
|
||||
- TPM2 support: $have_tpm2
|
||||
+ TPM2 support: $with_tpm2
|
||||
KTLS support: $enable_ktls
|
||||
])
|
||||
|
||||
diff --git a/lib/Makefile.am b/lib/Makefile.am
|
||||
index 35df35ee8d..e61ee1b6ae 100644
|
||||
--- a/lib/Makefile.am
|
||||
+++ b/lib/Makefile.am
|
||||
@@ -44,7 +44,7 @@ AM_CPPFLAGS = \
|
||||
-I$(srcdir)/x509 \
|
||||
$(LIBTASN1_CFLAGS) \
|
||||
$(P11_KIT_CFLAGS) \
|
||||
- $(TPM2_CFLAGS)
|
||||
+ $(TSS2_CFLAGS)
|
||||
|
||||
if !HAVE_LIBUNISTRING
|
||||
SUBDIRS += unistring
|
||||
@@ -156,7 +156,7 @@ libgnutls_la_LIBADD = ../gl/libgnu.la x509/libgnutls_x509.la \
|
||||
auth/libgnutls_auth.la algorithms/libgnutls_alg.la \
|
||||
extras/libgnutls_extras.la
|
||||
thirdparty_libadd = $(LTLIBZ) $(LTLIBINTL) $(LIBSOCKET) $(LTLIBNSL) \
|
||||
- $(P11_KIT_LIBS) $(LIB_SELECT) $(TSS2_LIBS) $(GNUTLS_LIBS_PRIVATE)
|
||||
+ $(P11_KIT_LIBS) $(LIB_SELECT) $(GNUTLS_LIBS_PRIVATE)
|
||||
|
||||
if HAVE_LIBIDN2
|
||||
thirdparty_libadd += $(LIBIDN2_LIBS)
|
||||
@@ -203,7 +203,7 @@ all-local: $(hmac_files)
|
||||
CLEANFILES = $(hmac_files)
|
||||
endif
|
||||
|
||||
-if ENABLE_TROUSERS
|
||||
+if NEED_LTLIBDL
|
||||
thirdparty_libadd += $(LTLIBDL)
|
||||
endif
|
||||
|
||||
diff --git a/lib/tpm2.c b/lib/tpm2.c
|
||||
index 076cc7f407..750eadc777 100644
|
||||
--- a/lib/tpm2.c
|
||||
+++ b/lib/tpm2.c
|
||||
@@ -297,5 +297,5 @@ int _gnutls_load_tpm2_key(gnutls_privkey_t pkey, const gnutls_datum_t *fdata)
|
||||
|
||||
void _gnutls_tpm2_deinit(void)
|
||||
{
|
||||
- tpm2_tcti_deinit();
|
||||
+ tpm2_esys_deinit();
|
||||
}
|
||||
diff --git a/lib/tpm2.h b/lib/tpm2.h
|
||||
index e40dc01df7..7966e2d811 100644
|
||||
--- a/lib/tpm2.h
|
||||
+++ b/lib/tpm2.h
|
||||
@@ -37,7 +37,7 @@ struct tpm2_info_st;
|
||||
|
||||
struct tpm2_info_st *tpm2_info_init(struct pin_info_st *pin);
|
||||
|
||||
-void tpm2_tcti_deinit(void);
|
||||
+void tpm2_esys_deinit(void);
|
||||
|
||||
void release_tpm2_ctx(struct tpm2_info_st *info);
|
||||
|
||||
diff --git a/lib/tpm2_esys.c b/lib/tpm2_esys.c
|
||||
index 93e54413ba..4000c1b76e 100644
|
||||
--- a/lib/tpm2_esys.c
|
||||
+++ b/lib/tpm2_esys.c
|
||||
@@ -72,6 +72,170 @@
|
||||
#include <tss2/tss2_esys.h>
|
||||
#include <tss2/tss2_tctildr.h>
|
||||
|
||||
+#include <dlfcn.h>
|
||||
+
|
||||
+/* We don't want to link to libtss2-esys, as it brings in other
|
||||
+ * crypto libraries. Instead, only dlopen it as needed.
|
||||
+ */
|
||||
+
|
||||
+static void *_gnutls_tss2_esys_dlhandle;
|
||||
+static void *_gnutls_tss2_mu_dlhandle;
|
||||
+static void *_gnutls_tss2_tctildr_dlhandle;
|
||||
+
|
||||
+static TSS2_RC
|
||||
+(*_gnutls_tss2_Esys_GetCapability)(ESYS_CONTEXT *esysContext,
|
||||
+ ESYS_TR shandle1,
|
||||
+ ESYS_TR shandle2,
|
||||
+ ESYS_TR shandle3,
|
||||
+ TPM2_CAP capability,
|
||||
+ UINT32 property,
|
||||
+ UINT32 propertyCount,
|
||||
+ TPMI_YES_NO *moreData,
|
||||
+ TPMS_CAPABILITY_DATA **capabilityData);
|
||||
+static void (*_gnutls_tss2_Esys_Free)(void *__ptr);
|
||||
+static TSS2_RC (*_gnutls_tss2_Esys_TR_SetAuth)(ESYS_CONTEXT *esysContext,
|
||||
+ ESYS_TR handle,
|
||||
+ TPM2B_AUTH const *authValue);
|
||||
+static TSS2_RC
|
||||
+(*_gnutls_tss2_Esys_CreatePrimary)(ESYS_CONTEXT *esysContext,
|
||||
+ ESYS_TR primaryHandle,
|
||||
+ ESYS_TR shandle1,
|
||||
+ ESYS_TR shandle2,
|
||||
+ ESYS_TR shandle3,
|
||||
+ const TPM2B_SENSITIVE_CREATE *inSensitive,
|
||||
+ const TPM2B_PUBLIC *inPublic,
|
||||
+ const TPM2B_DATA *outsideInfo,
|
||||
+ const TPML_PCR_SELECTION *creationPCR,
|
||||
+ ESYS_TR *objectHandle,
|
||||
+ TPM2B_PUBLIC **outPublic,
|
||||
+ TPM2B_CREATION_DATA **creationData,
|
||||
+ TPM2B_DIGEST **creationHash,
|
||||
+ TPMT_TK_CREATION **creationTicket);
|
||||
+static TSS2_RC (*_gnutls_tss2_Esys_Initialize)(ESYS_CONTEXT **esys_context,
|
||||
+ TSS2_TCTI_CONTEXT *tcti,
|
||||
+ TSS2_ABI_VERSION *abiVersion);
|
||||
+static TSS2_RC (*_gnutls_tss2_Esys_Startup)(ESYS_CONTEXT *esysContext,
|
||||
+ TPM2_SU startupType);
|
||||
+static TSS2_RC (*_gnutls_tss2_Esys_TR_FromTPMPublic)(ESYS_CONTEXT *esysContext,
|
||||
+ TPM2_HANDLE tpm_handle,
|
||||
+ ESYS_TR optionalSession1,
|
||||
+ ESYS_TR optionalSession2,
|
||||
+ ESYS_TR optionalSession3,
|
||||
+ ESYS_TR *object);
|
||||
+static TSS2_RC (*_gnutls_tss2_Esys_ReadPublic)(ESYS_CONTEXT *esysContext,
|
||||
+ ESYS_TR objectHandle,
|
||||
+ ESYS_TR shandle1,
|
||||
+ ESYS_TR shandle2,
|
||||
+ ESYS_TR shandle3,
|
||||
+ TPM2B_PUBLIC **outPublic,
|
||||
+ TPM2B_NAME **name,
|
||||
+ TPM2B_NAME **qualifiedName);
|
||||
+static TSS2_RC (*_gnutls_tss2_Esys_Load)(ESYS_CONTEXT *esysContext,
|
||||
+ ESYS_TR parentHandle,
|
||||
+ ESYS_TR shandle1,
|
||||
+ ESYS_TR shandle2,
|
||||
+ ESYS_TR shandle3,
|
||||
+ const TPM2B_PRIVATE *inPrivate,
|
||||
+ const TPM2B_PUBLIC *inPublic,
|
||||
+ ESYS_TR *objectHandle);
|
||||
+static TSS2_RC (*_gnutls_tss2_Esys_FlushContext)(ESYS_CONTEXT *esysContext,
|
||||
+ ESYS_TR flushHandle);
|
||||
+static void (*_gnutls_tss2_Esys_Finalize)(ESYS_CONTEXT **context);
|
||||
+static TSS2_RC
|
||||
+(*_gnutls_tss2_Esys_RSA_Decrypt)(ESYS_CONTEXT *esysContext,
|
||||
+ ESYS_TR keyHandle,
|
||||
+ ESYS_TR shandle1,
|
||||
+ ESYS_TR shandle2,
|
||||
+ ESYS_TR shandle3,
|
||||
+ const TPM2B_PUBLIC_KEY_RSA *cipherText,
|
||||
+ const TPMT_RSA_DECRYPT *inScheme,
|
||||
+ const TPM2B_DATA *label,
|
||||
+ TPM2B_PUBLIC_KEY_RSA **message);
|
||||
+static TSS2_RC (*_gnutls_tss2_Esys_Sign)(ESYS_CONTEXT *esysContext,
|
||||
+ ESYS_TR keyHandle,
|
||||
+ ESYS_TR shandle1,
|
||||
+ ESYS_TR shandle2,
|
||||
+ ESYS_TR shandle3,
|
||||
+ const TPM2B_DIGEST *digest,
|
||||
+ const TPMT_SIG_SCHEME *inScheme,
|
||||
+ const TPMT_TK_HASHCHECK *validation,
|
||||
+ TPMT_SIGNATURE **signature);
|
||||
+
|
||||
+static TSS2_RC
|
||||
+(*_gnutls_tss2_Tss2_MU_TPM2B_PRIVATE_Unmarshal)(uint8_t const buffer[],
|
||||
+ size_t buffer_size,
|
||||
+ size_t *offset,
|
||||
+ TPM2B_PRIVATE *dest);
|
||||
+static TSS2_RC
|
||||
+(*_gnutls_tss2_Tss2_MU_TPM2B_PUBLIC_Unmarshal)(uint8_t const buffer[],
|
||||
+ size_t buffer_size,
|
||||
+ size_t *offset,
|
||||
+ TPM2B_PUBLIC *dest);
|
||||
+
|
||||
+static TSS2_RC
|
||||
+(*_gnutls_tss2_Tss2_TctiLdr_Initialize)(const char *nameConf,
|
||||
+ TSS2_TCTI_CONTEXT **context);
|
||||
+static void (*_gnutls_tss2_Tss2_TctiLdr_Finalize)(TSS2_TCTI_CONTEXT **context);
|
||||
+
|
||||
+#define DLSYM_TSS2(sys, sym) \
|
||||
+ _gnutls_tss2_##sym = dlsym(_gnutls_tss2_##sys##_dlhandle, #sym); \
|
||||
+ if (!_gnutls_tss2_##sym) { \
|
||||
+ return -1; \
|
||||
+ }
|
||||
+
|
||||
+static int
|
||||
+init_tss2_funcs(void)
|
||||
+{
|
||||
+ if (!_gnutls_tss2_esys_dlhandle) {
|
||||
+ _gnutls_tss2_esys_dlhandle =
|
||||
+ dlopen("libtss2-esys.so.0", RTLD_NOW | RTLD_GLOBAL);
|
||||
+ if (!_gnutls_tss2_esys_dlhandle) {
|
||||
+ _gnutls_debug_log("tpm2: unable to dlopen libtss2-esys\n");
|
||||
+ return -1;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ DLSYM_TSS2(esys, Esys_GetCapability)
|
||||
+ DLSYM_TSS2(esys, Esys_Free)
|
||||
+ DLSYM_TSS2(esys, Esys_TR_SetAuth)
|
||||
+ DLSYM_TSS2(esys, Esys_CreatePrimary)
|
||||
+ DLSYM_TSS2(esys, Esys_Initialize)
|
||||
+ DLSYM_TSS2(esys, Esys_Startup)
|
||||
+ DLSYM_TSS2(esys, Esys_TR_FromTPMPublic)
|
||||
+ DLSYM_TSS2(esys, Esys_ReadPublic)
|
||||
+ DLSYM_TSS2(esys, Esys_Load)
|
||||
+ DLSYM_TSS2(esys, Esys_FlushContext)
|
||||
+ DLSYM_TSS2(esys, Esys_Finalize)
|
||||
+ DLSYM_TSS2(esys, Esys_RSA_Decrypt)
|
||||
+ DLSYM_TSS2(esys, Esys_Sign)
|
||||
+
|
||||
+ if (!_gnutls_tss2_mu_dlhandle) {
|
||||
+ _gnutls_tss2_mu_dlhandle =
|
||||
+ dlopen("libtss2-mu.so.0", RTLD_NOW | RTLD_GLOBAL);
|
||||
+ if (!_gnutls_tss2_mu_dlhandle) {
|
||||
+ _gnutls_debug_log("tpm2: unable to dlopen libtss2-mu\n");
|
||||
+ return -1;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ DLSYM_TSS2(mu, Tss2_MU_TPM2B_PRIVATE_Unmarshal)
|
||||
+ DLSYM_TSS2(mu, Tss2_MU_TPM2B_PUBLIC_Unmarshal)
|
||||
+
|
||||
+ if (!_gnutls_tss2_tctildr_dlhandle) {
|
||||
+ _gnutls_tss2_tctildr_dlhandle =
|
||||
+ dlopen("libtss2-tctildr.so.0", RTLD_NOW | RTLD_GLOBAL);
|
||||
+ if (!_gnutls_tss2_tctildr_dlhandle) {
|
||||
+ _gnutls_debug_log("tpm2: unable to dlopen libtss2-tctildr\n");
|
||||
+ return -1;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ DLSYM_TSS2(tctildr, Tss2_TctiLdr_Initialize)
|
||||
+ DLSYM_TSS2(tctildr, Tss2_TctiLdr_Finalize)
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
struct tpm2_info_st {
|
||||
TPM2B_PUBLIC pub;
|
||||
TPM2B_PRIVATE priv;
|
||||
@@ -227,10 +391,10 @@ get_primary_template(ESYS_CONTEXT *ctx)
|
||||
UINT32 i;
|
||||
TSS2_RC rc;
|
||||
|
||||
- rc = Esys_GetCapability (ctx,
|
||||
- ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
|
||||
- TPM2_CAP_ALGS, 0, TPM2_MAX_CAP_ALGS,
|
||||
- NULL, &capability_data);
|
||||
+ rc = _gnutls_tss2_Esys_GetCapability(ctx,
|
||||
+ ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
|
||||
+ TPM2_CAP_ALGS, 0, TPM2_MAX_CAP_ALGS,
|
||||
+ NULL, &capability_data);
|
||||
if (rc) {
|
||||
_gnutls_debug_log("tpm2: Esys_GetCapability failed: 0x%x\n", rc);
|
||||
return NULL;
|
||||
@@ -239,7 +403,7 @@ get_primary_template(ESYS_CONTEXT *ctx)
|
||||
for (i = 0; i < capability_data->data.algorithms.count; i++) {
|
||||
if (capability_data->data.algorithms.algProperties[i].alg ==
|
||||
TPM2_ALG_ECC) {
|
||||
- Esys_Free(capability_data);
|
||||
+ _gnutls_tss2_Esys_Free(capability_data);
|
||||
return &primary_template_ecc;
|
||||
}
|
||||
}
|
||||
@@ -247,12 +411,12 @@ get_primary_template(ESYS_CONTEXT *ctx)
|
||||
for (i = 0; i < capability_data->data.algorithms.count; i++) {
|
||||
if (capability_data->data.algorithms.algProperties[i].alg ==
|
||||
TPM2_ALG_RSA) {
|
||||
- Esys_Free(capability_data);
|
||||
+ _gnutls_tss2_Esys_Free(capability_data);
|
||||
return &primary_template_rsa;
|
||||
}
|
||||
}
|
||||
|
||||
- Esys_Free(capability_data);
|
||||
+ _gnutls_tss2_Esys_Free(capability_data);
|
||||
_gnutls_debug_log("tpm2: unable to find primary template\n");
|
||||
return NULL;
|
||||
}
|
||||
@@ -320,7 +484,7 @@ static int init_tpm2_primary(struct tpm2_info_st *info,
|
||||
install_tpm_passphrase(&info->ownerauth, pass);
|
||||
info->need_ownerauth = false;
|
||||
}
|
||||
- rc = Esys_TR_SetAuth(ctx, hierarchy, &info->ownerauth);
|
||||
+ rc = _gnutls_tss2_Esys_TR_SetAuth(ctx, hierarchy, &info->ownerauth);
|
||||
if (rc) {
|
||||
_gnutls_debug_log("tpm2: Esys_TR_SetAuth failed: 0x%x\n", rc);
|
||||
return gnutls_assert_val(GNUTLS_E_TPM_ERROR);
|
||||
@@ -329,7 +493,7 @@ static int init_tpm2_primary(struct tpm2_info_st *info,
|
||||
if (!primary_template) {
|
||||
return gnutls_assert_val(GNUTLS_E_TPM_ERROR);
|
||||
}
|
||||
- rc = Esys_CreatePrimary(ctx, hierarchy,
|
||||
+ rc = _gnutls_tss2_Esys_CreatePrimary(ctx, hierarchy,
|
||||
ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
|
||||
&primary_sensitive,
|
||||
primary_template,
|
||||
@@ -359,14 +523,14 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle,
|
||||
|
||||
_gnutls_debug_log("tpm2: establishing connection with TPM\n");
|
||||
|
||||
- rc = Esys_Initialize(ctx, tcti_ctx, NULL);
|
||||
+ rc = _gnutls_tss2_Esys_Initialize(ctx, tcti_ctx, NULL);
|
||||
if (rc) {
|
||||
gnutls_assert();
|
||||
_gnutls_debug_log("tpm2: Esys_Initialize failed: 0x%x\n", rc);
|
||||
goto error;
|
||||
}
|
||||
|
||||
- rc = Esys_Startup(*ctx, TPM2_SU_CLEAR);
|
||||
+ rc = _gnutls_tss2_Esys_Startup(*ctx, TPM2_SU_CLEAR);
|
||||
if (rc == TPM2_RC_INITIALIZE) {
|
||||
_gnutls_debug_log("tpm2: was already started up thus false positive failing in tpm2tss log\n");
|
||||
} else if (rc) {
|
||||
@@ -381,7 +545,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle,
|
||||
goto error;
|
||||
}
|
||||
} else {
|
||||
- rc = Esys_TR_FromTPMPublic(*ctx, info->parent,
|
||||
+ rc = _gnutls_tss2_Esys_TR_FromTPMPublic(*ctx, info->parent,
|
||||
ESYS_TR_NONE,
|
||||
ESYS_TR_NONE,
|
||||
ESYS_TR_NONE,
|
||||
@@ -399,7 +563,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle,
|
||||
if (!info->did_ownerauth && !info->ownerauth.size) {
|
||||
TPM2B_PUBLIC *pub = NULL;
|
||||
|
||||
- rc = Esys_ReadPublic(*ctx, parent_handle,
|
||||
+ rc = _gnutls_tss2_Esys_ReadPublic(*ctx, parent_handle,
|
||||
ESYS_TR_NONE,
|
||||
ESYS_TR_NONE,
|
||||
ESYS_TR_NONE,
|
||||
@@ -408,7 +572,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle,
|
||||
!(pub->publicArea.objectAttributes & TPMA_OBJECT_NODA)) {
|
||||
info->need_ownerauth = true;
|
||||
}
|
||||
- Esys_Free(pub);
|
||||
+ _gnutls_tss2_Esys_Free(pub);
|
||||
}
|
||||
reauth:
|
||||
if (info->need_ownerauth) {
|
||||
@@ -420,7 +584,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle,
|
||||
install_tpm_passphrase(&info->ownerauth, pass);
|
||||
info->need_ownerauth = false;
|
||||
}
|
||||
- rc = Esys_TR_SetAuth(*ctx, parent_handle, &info->ownerauth);
|
||||
+ rc = _gnutls_tss2_Esys_TR_SetAuth(*ctx, parent_handle, &info->ownerauth);
|
||||
if (rc) {
|
||||
gnutls_assert();
|
||||
_gnutls_debug_log("tpm2: Esys_TR_SetAuth failed: 0x%x\n",
|
||||
@@ -432,7 +596,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle,
|
||||
_gnutls_debug_log("tpm2: loading TPM2 key blob, parent handle 0x%x\n",
|
||||
parent_handle);
|
||||
|
||||
- rc = Esys_Load(*ctx, parent_handle,
|
||||
+ rc = _gnutls_tss2_Esys_Load(*ctx, parent_handle,
|
||||
ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
|
||||
&info->priv, &info->pub,
|
||||
key_handle);
|
||||
@@ -450,7 +614,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle,
|
||||
info->did_ownerauth = true;
|
||||
|
||||
if (parent_is_generated(info->parent)) {
|
||||
- rc = Esys_FlushContext(*ctx, parent_handle);
|
||||
+ rc = _gnutls_tss2_Esys_FlushContext(*ctx, parent_handle);
|
||||
if (rc) {
|
||||
_gnutls_debug_log("tpm2: Esys_FlushContext for generated primary failed: 0x%x\n",
|
||||
rc);
|
||||
@@ -461,14 +625,14 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle,
|
||||
return 0;
|
||||
error:
|
||||
if (parent_is_generated(info->parent) && parent_handle != ESYS_TR_NONE) {
|
||||
- Esys_FlushContext(*ctx, parent_handle);
|
||||
+ _gnutls_tss2_Esys_FlushContext(*ctx, parent_handle);
|
||||
}
|
||||
if (*key_handle != ESYS_TR_NONE) {
|
||||
- Esys_FlushContext(*ctx, *key_handle);
|
||||
+ _gnutls_tss2_Esys_FlushContext(*ctx, *key_handle);
|
||||
}
|
||||
*key_handle = ESYS_TR_NONE;
|
||||
|
||||
- Esys_Finalize(ctx);
|
||||
+ _gnutls_tss2_Esys_Finalize(ctx);
|
||||
return GNUTLS_E_TPM_ERROR;
|
||||
}
|
||||
|
||||
@@ -488,7 +652,7 @@ auth_tpm2_key(struct tpm2_info_st *info, ESYS_CONTEXT *ctx, ESYS_TR key_handle)
|
||||
info->need_userauth = false;
|
||||
}
|
||||
|
||||
- rc = Esys_TR_SetAuth(ctx, key_handle, &info->userauth);
|
||||
+ rc = _gnutls_tss2_Esys_TR_SetAuth(ctx, key_handle, &info->userauth);
|
||||
if (rc) {
|
||||
_gnutls_debug_log("tpm2: Esys_TR_SetAuth failed: 0x%x\n", rc);
|
||||
return gnutls_assert_val(GNUTLS_E_TPM_ERROR);
|
||||
@@ -574,7 +738,7 @@ int tpm2_rsa_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
|
||||
goto out;
|
||||
}
|
||||
|
||||
- rc = Esys_RSA_Decrypt(ectx, key_handle,
|
||||
+ rc = _gnutls_tss2_Esys_RSA_Decrypt(ectx, key_handle,
|
||||
ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
|
||||
&digest, &in_scheme, &label, &tsig);
|
||||
if (rc_is_key_auth_failed(rc)) {
|
||||
@@ -591,14 +755,14 @@ int tpm2_rsa_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
|
||||
|
||||
ret = _gnutls_set_datum(sig, tsig->buffer, tsig->size);
|
||||
out:
|
||||
- Esys_Free(tsig);
|
||||
+ _gnutls_tss2_Esys_Free(tsig);
|
||||
|
||||
if (key_handle != ESYS_TR_NONE) {
|
||||
- Esys_FlushContext(ectx, key_handle);
|
||||
+ _gnutls_tss2_Esys_FlushContext(ectx, key_handle);
|
||||
}
|
||||
|
||||
if (ectx) {
|
||||
- Esys_Finalize(&ectx);
|
||||
+ _gnutls_tss2_Esys_Finalize(&ectx);
|
||||
}
|
||||
|
||||
return ret;
|
||||
@@ -661,7 +825,7 @@ int tpm2_ec_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
|
||||
goto out;
|
||||
}
|
||||
|
||||
- rc = Esys_Sign(ectx, key_handle,
|
||||
+ rc = _gnutls_tss2_Esys_Sign(ectx, key_handle,
|
||||
ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
|
||||
&digest, &in_scheme, &validation,
|
||||
&tsig);
|
||||
@@ -682,31 +846,23 @@ int tpm2_ec_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
|
||||
|
||||
ret = gnutls_encode_rs_value(sig, &sig_r, &sig_s);
|
||||
out:
|
||||
- Esys_Free(tsig);
|
||||
+ _gnutls_tss2_Esys_Free(tsig);
|
||||
|
||||
if (key_handle != ESYS_TR_NONE) {
|
||||
- Esys_FlushContext(ectx, key_handle);
|
||||
+ _gnutls_tss2_Esys_FlushContext(ectx, key_handle);
|
||||
}
|
||||
|
||||
if (ectx) {
|
||||
- Esys_Finalize(&ectx);
|
||||
+ _gnutls_tss2_Esys_Finalize(&ectx);
|
||||
}
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
-GNUTLS_ONCE(tcti_once);
|
||||
-
|
||||
-void
|
||||
-tpm2_tcti_deinit(void)
|
||||
-{
|
||||
- if (tcti_ctx) {
|
||||
- Tss2_TctiLdr_Finalize(&tcti_ctx);
|
||||
- }
|
||||
-}
|
||||
+GNUTLS_ONCE(tpm2_esys_once);
|
||||
|
||||
static void
|
||||
-tcti_once_init(void)
|
||||
+tpm2_esys_once_init(void)
|
||||
{
|
||||
const char *tcti;
|
||||
const char * const tcti_vars[] = {
|
||||
@@ -718,6 +874,11 @@ tcti_once_init(void)
|
||||
size_t i;
|
||||
TSS2_RC rc;
|
||||
|
||||
+ if (init_tss2_funcs() < 0) {
|
||||
+ _gnutls_debug_log("tpm2: unable to initialize TSS2 functions\n");
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
for (i = 0; i < sizeof(tcti_vars) / sizeof(tcti_vars[0]); i++) {
|
||||
tcti = secure_getenv(tcti_vars[i]);
|
||||
if (tcti && *tcti != '\0') {
|
||||
@@ -727,7 +888,7 @@ tcti_once_init(void)
|
||||
}
|
||||
}
|
||||
if (tcti && *tcti != '\0') {
|
||||
- rc = Tss2_TctiLdr_Initialize(tcti, &tcti_ctx);
|
||||
+ rc = _gnutls_tss2_Tss2_TctiLdr_Initialize(tcti, &tcti_ctx);
|
||||
if (rc) {
|
||||
_gnutls_debug_log("tpm2: TSS2_TctiLdr_Initialize failed: 0x%x\n",
|
||||
rc);
|
||||
@@ -735,13 +896,35 @@ tcti_once_init(void)
|
||||
}
|
||||
}
|
||||
|
||||
+/* called by the global destructor through _gnutls_tpm2_deinit */
|
||||
+void
|
||||
+tpm2_esys_deinit(void)
|
||||
+{
|
||||
+ if (tcti_ctx) {
|
||||
+ _gnutls_tss2_Tss2_TctiLdr_Finalize(&tcti_ctx);
|
||||
+ tcti_ctx = NULL;
|
||||
+ }
|
||||
+ if (_gnutls_tss2_esys_dlhandle) {
|
||||
+ dlclose(_gnutls_tss2_esys_dlhandle);
|
||||
+ _gnutls_tss2_esys_dlhandle = NULL;
|
||||
+ }
|
||||
+ if (_gnutls_tss2_mu_dlhandle) {
|
||||
+ dlclose(_gnutls_tss2_mu_dlhandle);
|
||||
+ _gnutls_tss2_mu_dlhandle = NULL;
|
||||
+ }
|
||||
+ if (_gnutls_tss2_tctildr_dlhandle) {
|
||||
+ dlclose(_gnutls_tss2_tctildr_dlhandle);
|
||||
+ _gnutls_tss2_tctildr_dlhandle = NULL;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
int install_tpm2_key(struct tpm2_info_st *info, gnutls_privkey_t pkey,
|
||||
unsigned int parent, bool emptyauth,
|
||||
gnutls_datum_t *privdata, gnutls_datum_t *pubdata)
|
||||
{
|
||||
TSS2_RC rc;
|
||||
|
||||
- (void)gnutls_once(&tcti_once, tcti_once_init);
|
||||
+ (void)gnutls_once(&tpm2_esys_once, tpm2_esys_once_init);
|
||||
|
||||
if (!tcti_ctx) {
|
||||
return gnutls_assert_val(GNUTLS_E_TPM_ERROR);
|
||||
@@ -757,16 +940,16 @@ int install_tpm2_key(struct tpm2_info_st *info, gnutls_privkey_t pkey,
|
||||
|
||||
info->parent = parent;
|
||||
|
||||
- rc = Tss2_MU_TPM2B_PRIVATE_Unmarshal(privdata->data, privdata->size, NULL,
|
||||
- &info->priv);
|
||||
+ rc = _gnutls_tss2_Tss2_MU_TPM2B_PRIVATE_Unmarshal(privdata->data, privdata->size, NULL,
|
||||
+ &info->priv);
|
||||
if (rc) {
|
||||
_gnutls_debug_log("tpm2: failed to import private key data: 0x%x\n",
|
||||
rc);
|
||||
return gnutls_assert_val(GNUTLS_E_TPM_ERROR);
|
||||
}
|
||||
|
||||
- rc = Tss2_MU_TPM2B_PUBLIC_Unmarshal(pubdata->data, pubdata->size, NULL,
|
||||
- &info->pub);
|
||||
+ rc = _gnutls_tss2_Tss2_MU_TPM2B_PUBLIC_Unmarshal(pubdata->data, pubdata->size, NULL,
|
||||
+ &info->pub);
|
||||
if (rc) {
|
||||
_gnutls_debug_log("tpm2: failed to import public key data: 0x%x\n",
|
||||
rc);
|
||||
diff --git a/tests/Makefile.am b/tests/Makefile.am
|
||||
index 529f1cc077..64ce470a02 100644
|
||||
--- a/tests/Makefile.am
|
||||
+++ b/tests/Makefile.am
|
||||
@@ -515,7 +515,8 @@ dist_check_SCRIPTS += fastopen.sh pkgconfig.sh starttls.sh starttls-ftp.sh start
|
||||
psktool.sh ocsp-tests/ocsp-load-chain.sh gnutls-cli-save-data.sh gnutls-cli-debug.sh \
|
||||
sni-resume.sh ocsp-tests/ocsptool.sh cert-reencoding.sh pkcs7-cat.sh long-crl.sh \
|
||||
serv-udp.sh logfile-option.sh gnutls-cli-resume.sh profile-tests.sh \
|
||||
- server-weak-keys.sh ocsp-tests/ocsp-signer-verify.sh cfg-test.sh
|
||||
+ server-weak-keys.sh ocsp-tests/ocsp-signer-verify.sh cfg-test.sh \
|
||||
+ sanity-lib.sh
|
||||
|
||||
if !DISABLE_SYSTEM_CONFIG
|
||||
dist_check_SCRIPTS += system-override-sig.sh system-override-hash.sh \
|
||||
diff --git a/tests/sanity-lib.sh b/tests/sanity-lib.sh
|
||||
new file mode 100644
|
||||
index 0000000000..1e3612781b
|
||||
--- /dev/null
|
||||
+++ b/tests/sanity-lib.sh
|
||||
@@ -0,0 +1,40 @@
|
||||
+#!/bin/sh
|
||||
+
|
||||
+# Copyright (C) 2022 Red Hat, Inc.
|
||||
+#
|
||||
+# Author: Daiki Ueno
|
||||
+#
|
||||
+# This file is part of GnuTLS.
|
||||
+#
|
||||
+# GnuTLS is free software; you can redistribute it and/or modify it
|
||||
+# under the terms of the GNU General Public License as published by the
|
||||
+# Free Software Foundation; either version 3 of the License, or (at
|
||||
+# your option) any later version.
|
||||
+#
|
||||
+# GnuTLS is distributed in the hope that it will be useful, but
|
||||
+# WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
+# General Public License for more details.
|
||||
+#
|
||||
+# You should have received a copy of the GNU Lesser General Public License
|
||||
+# along with this program. If not, see <https://www.gnu.org/licenses/>
|
||||
+
|
||||
+: ${top_builddir=..}
|
||||
+: ${CLI_DEBUG=../src/gnutls-cli-debug${EXEEXT}}
|
||||
+: ${LDD=ldd}
|
||||
+: ${LIBTOOL=libtool}
|
||||
+
|
||||
+if ! test -x "${CLI_DEBUG}"; then
|
||||
+ exit 77
|
||||
+fi
|
||||
+
|
||||
+# ldd.sh doesn't check recursive dependencies
|
||||
+${LDD} --version >/dev/null || exit 77
|
||||
+
|
||||
+# We use gnutls-cli-debug, as it has the fewest dependencies among our
|
||||
+# commands (e.g., gnutls-cli pulls in OpenSSL through libunbound).
|
||||
+if ${LIBTOOL} --mode=execute ${LDD} ${CLI_DEBUG} | \
|
||||
+ grep '^[[:space:]]*\(libcrypto\.\|libssl\.\|libgcrypt\.\)'; then
|
||||
+ echo "gnutls-cli-debug links to other crypto library"
|
||||
+ exit 1
|
||||
+fi
|
||||
diff --git a/tests/tpm2.sh b/tests/tpm2.sh
|
||||
index 854986c552..6f8e44c64b 100755
|
||||
--- a/tests/tpm2.sh
|
||||
+++ b/tests/tpm2.sh
|
||||
@@ -21,8 +21,6 @@
|
||||
# along with GnuTLS; if not, write to the Free Software Foundation,
|
||||
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
||||
|
||||
-set +e
|
||||
-
|
||||
: ${srcdir=.}
|
||||
: ${CERTTOOL=../src/certtool${EXEEXT}}
|
||||
KEYPEMFILE=tpmkey.$$.key.pem
|
||||
@@ -192,6 +190,10 @@ run_tests()
|
||||
|
||||
echo " - Generating ${KEYPEMFILE}"
|
||||
tpm2tss-genkey -a ${kalg} -o ${OPASS} ${KEYPEMFILE}
|
||||
+ if [ $? -ne 0 ]; then
|
||||
+ echo "unable to generate key"
|
||||
+ return 1
|
||||
+ fi
|
||||
cat ${KEYPEMFILE}
|
||||
|
||||
echo " - Generating certificate based on key"
|
||||
@@ -200,6 +202,10 @@ run_tests()
|
||||
"${CERTTOOL}" --generate-self-signed -d 3 \
|
||||
--load-privkey "${KEYPEMFILE}" \
|
||||
--template "${srcdir}/cert-tests/templates/template-test.tmpl"
|
||||
+ if [ $? -ne 0 ]; then
|
||||
+ echo "unable to generate certificate"
|
||||
+ return 1
|
||||
+ fi
|
||||
|
||||
if test "${kalg}" = "rsa";then
|
||||
echo " - Generating RSA-PSS certificate based on key"
|
||||
@@ -207,6 +213,10 @@ run_tests()
|
||||
--load-privkey "${KEYPEMFILE}" \
|
||||
--sign-params rsa-pss \
|
||||
--template "${srcdir}/cert-tests/templates/template-test.tmpl"
|
||||
+ if [ $? -ne 0 ]; then
|
||||
+ echo "unable to generate certificate"
|
||||
+ return 1
|
||||
+ fi
|
||||
fi
|
||||
|
||||
stop_swtpm
|
||||
--
|
||||
2.34.1
|
||||
|
44
SOURCES/gnutls-3.7.3-max-algos.patch
Normal file
44
SOURCES/gnutls-3.7.3-max-algos.patch
Normal file
@ -0,0 +1,44 @@
|
||||
From b5a2cbce49d94a04a68acbbc31caaa0c5d7b3321 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Sosedkin <asosedkin@redhat.com>
|
||||
Date: Fri, 18 Feb 2022 11:05:15 +0100
|
||||
Subject: [PATCH] bump GNUTLS_MAX_ALGORITHM_NUM / MAX_ALGOS
|
||||
|
||||
Fedora 36 LEGACY crypto-policy uses allowlisting format
|
||||
and is long enough to blow past the 64 priority string
|
||||
elements mark, causing, effectively, priority string truncation.
|
||||
|
||||
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
|
||||
---
|
||||
lib/includes/gnutls/gnutls.h.in | 2 +-
|
||||
lib/priority.c | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
|
||||
index 6359a0edb6..16140c8787 100644
|
||||
--- a/lib/includes/gnutls/gnutls.h.in
|
||||
+++ b/lib/includes/gnutls/gnutls.h.in
|
||||
@@ -408,7 +408,7 @@ typedef enum {
|
||||
/* exported for other gnutls headers. This is the maximum number of
|
||||
* algorithms (ciphers, kx or macs).
|
||||
*/
|
||||
-#define GNUTLS_MAX_ALGORITHM_NUM 64
|
||||
+#define GNUTLS_MAX_ALGORITHM_NUM 128
|
||||
#define GNUTLS_MAX_SESSION_ID_SIZE 32
|
||||
|
||||
|
||||
diff --git a/lib/priority.c b/lib/priority.c
|
||||
index 54d7b1bb45..e7698ba7eb 100644
|
||||
--- a/lib/priority.c
|
||||
+++ b/lib/priority.c
|
||||
@@ -43,7 +43,7 @@
|
||||
#include "profiles.h"
|
||||
#include "name_val_array.h"
|
||||
|
||||
-#define MAX_ELEMENTS 64
|
||||
+#define MAX_ELEMENTS GNUTLS_MAX_ALGORITHM_NUM
|
||||
|
||||
#define ENABLE_PROFILE(c, profile) do { \
|
||||
c->additional_verify_flags &= 0x00ffffff; \
|
||||
--
|
||||
2.34.1
|
||||
|
@ -13,17 +13,24 @@ print(string.sub(hash, 0, 16))
|
||||
}
|
||||
|
||||
Version: 3.7.3
|
||||
Release: 5%{?dist}
|
||||
Release: 9%{?dist}
|
||||
Patch1: gnutls-3.6.7-no-now-guile.patch
|
||||
Patch2: gnutls-3.2.7-rpath.patch
|
||||
Patch3: gnutls-3.7.2-enable-intel-cet.patch
|
||||
Patch4: gnutls-3.7.2-no-explicit-init.patch
|
||||
Patch5: gnutls-3.7.3-disable-config-reload.patch
|
||||
Patch6: gnutls-3.7.3-fips-rsa-keygen.patch
|
||||
Patch7: gnutls-3.7.3-ktls-stub.patch
|
||||
Patch8: gnutls-3.7.3-fips-pkcs12.patch
|
||||
Patch9: gnutls-3.7.3-fix-tests-in-fips.patch
|
||||
%bcond_with bootstrap
|
||||
Patch5: gnutls-3.7.3-fips-rsa-keygen.patch
|
||||
Patch6: gnutls-3.7.3-ktls-stub.patch
|
||||
Patch7: gnutls-3.7.3-fips-pkcs12.patch
|
||||
Patch8: gnutls-3.7.3-fix-tests-in-fips.patch
|
||||
Patch9: gnutls-3.7.3-gost-ifdef.patch
|
||||
Patch10: gnutls-3.7.3-max-algos.patch
|
||||
Patch11: gnutls-3.7.3-allowlist-api.patch
|
||||
Patch12: gnutls-3.7.3-libtss2-dlopen.patch
|
||||
|
||||
# not upstreamed
|
||||
Patch100: gnutls-3.7.3-disable-config-reload.patch
|
||||
|
||||
%bcond_without bootstrap
|
||||
%bcond_without dane
|
||||
%if 0%{?rhel}
|
||||
%bcond_with guile
|
||||
@ -43,8 +50,9 @@ License: GPLv3+ and LGPLv2+
|
||||
BuildRequires: p11-kit-devel >= 0.21.3, gettext-devel
|
||||
BuildRequires: zlib-devel, readline-devel, libtasn1-devel >= 4.3
|
||||
%if %{with bootstrap}
|
||||
BuildRequires: automake, autoconf, gperf, libtool, texinfo
|
||||
BuildRequires: automake, autoconf, gperf, libtool
|
||||
%endif
|
||||
BuildRequires: texinfo
|
||||
BuildRequires: nettle-devel >= 3.5.1
|
||||
%if %{with tpm12}
|
||||
BuildRequires: trousers-devel >= 0.3.11.2
|
||||
@ -335,6 +343,21 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Feb 25 2022 Daiki Ueno <dueno@redhat.com> - 3.7.3-9
|
||||
- Stop using typeof keyword for tss2 function prototypes (#2057490)
|
||||
- Ensure allowlist API is called before priority string construction (#1975421)
|
||||
|
||||
* Thu Feb 24 2022 Daiki Ueno <dueno@redhat.com> - 3.7.3-8
|
||||
- Fix previous change for loading libtss2* (#2057490)
|
||||
|
||||
* Wed Feb 23 2022 Daiki Ueno <dueno@redhat.com> - 3.7.3-7
|
||||
- Increase GNUTLS_MAX_ALGORITHM_NUM for allowlisting (#2033220)
|
||||
- Ensure allowlisting API is called before priority string is constructed (#2042532)
|
||||
- Use dlopen for loading libtss2* to avoid OpenSSL dependency (#2057490)
|
||||
|
||||
* Tue Feb 22 2022 Daiki Ueno <dueno@redhat.com> - 3.7.3-6
|
||||
- Compile out GOST algorithm IDs (#1945292)
|
||||
|
||||
* Thu Feb 17 2022 Zoltan Fridrich <zfridric@redhat.com> - 3.7.3-5
|
||||
- Fix upstream testsuite in fips mode (#2051637)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user