diff --git a/gnutls-3.7.3-libtss2-dlopen.patch b/gnutls-3.7.3-libtss2-dlopen.patch
index 702f11d..b4cf45b 100644
--- a/gnutls-3.7.3-libtss2-dlopen.patch
+++ b/gnutls-3.7.3-libtss2-dlopen.patch
@@ -1,4 +1,4 @@
-From 958bd910fa4693d47b2507679267e9d3b4101096 Mon Sep 17 00:00:00 2001
+From f5e5ab910b8b1d69f962ca033d1295c3e1e1e131 Mon Sep 17 00:00:00 2001
 From: Daiki Ueno
 Date: Wed, 23 Feb 2022 19:48:52 +0100
 Subject: [PATCH] tpm2: dynamically load tss2 libraries as needed
@@ -10,15 +10,15 @@ multiple crypto libraries.
 Signed-off-by: Daiki Ueno
 ---
- configure.ac | 11 ++-
+ configure.ac | 11 +-
 lib/Makefile.am | 6 +-
 lib/tpm2.c | 2 +-
 lib/tpm2.h | 2 +-
- lib/tpm2_esys.c | 205 ++++++++++++++++++++++++++++++++++----------
+ lib/tpm2_esys.c | 273 ++++++++++++++++++++++++++++++++++++--------
 tests/Makefile.am | 3 +-
- tests/sanity-lib.sh | 36 ++++++++
+ tests/sanity-lib.sh | 40 +++++++
 tests/tpm2.sh | 14 ++-
- 8 files changed, 224 insertions(+), 55 deletions(-)
+ 8 files changed, 296 insertions(+), 55 deletions(-)
 create mode 100644 tests/sanity-lib.sh
 diff --git a/configure.ac b/configure.ac
@@ -127,10 +127,10 @@ index e40dc01df7..7966e2d811 100644
 void release_tpm2_ctx(struct tpm2_info_st *info);
 diff --git a/lib/tpm2_esys.c b/lib/tpm2_esys.c
-index 93e54413ba..584e384d2b 100644
+index 93e54413ba..4000c1b76e 100644
 --- a/lib/tpm2_esys.c
 +++ b/lib/tpm2_esys.c
-@@ -72,6 +72,102 @@
+@@ -72,6 +72,170 @@
 #include
 #include
@@ -140,36 +140,104 @@ index 93e54413ba..584e384d2b 100644 + * crypto libraries. Instead, only dlopen it as needed. + */ + -+#if !((defined __GNUC__ && 2 <= __GNUC__) || \ -+ (defined __clang_major__ && 4 <= __clang_major__)) -+# error "typeof compiler keyword is needed for TPM2 support" -+#endif -+ +static void *_gnutls_tss2_esys_dlhandle; +static void *_gnutls_tss2_mu_dlhandle; +static void *_gnutls_tss2_tctildr_dlhandle; + -+static typeof(Esys_GetCapability) (*_gnutls_tss2_Esys_GetCapability); -+static typeof(Esys_Free) (*_gnutls_tss2_Esys_Free); -+static typeof(Esys_TR_SetAuth) (*_gnutls_tss2_Esys_TR_SetAuth); -+static typeof(Esys_CreatePrimary) (*_gnutls_tss2_Esys_CreatePrimary); -+static typeof(Esys_Initialize) (*_gnutls_tss2_Esys_Initialize); -+static typeof(Esys_Startup) (*_gnutls_tss2_Esys_Startup); -+static typeof(Esys_TR_FromTPMPublic) (*_gnutls_tss2_Esys_TR_FromTPMPublic); -+static typeof(Esys_ReadPublic) (*_gnutls_tss2_Esys_ReadPublic); -+static typeof(Esys_Load) (*_gnutls_tss2_Esys_Load); -+static typeof(Esys_FlushContext) (*_gnutls_tss2_Esys_FlushContext); -+static typeof(Esys_Finalize) (*_gnutls_tss2_Esys_Finalize); -+static typeof(Esys_RSA_Decrypt) (*_gnutls_tss2_Esys_RSA_Decrypt); -+static typeof(Esys_Sign) (*_gnutls_tss2_Esys_Sign); ++static TSS2_RC ++(*_gnutls_tss2_Esys_GetCapability)(ESYS_CONTEXT *esysContext, ++ ESYS_TR shandle1, ++ ESYS_TR shandle2, ++ ESYS_TR shandle3, ++ TPM2_CAP capability, ++ UINT32 property, ++ UINT32 propertyCount, ++ TPMI_YES_NO *moreData, ++ TPMS_CAPABILITY_DATA **capabilityData); ++static void (*_gnutls_tss2_Esys_Free)(void *__ptr); ++static TSS2_RC (*_gnutls_tss2_Esys_TR_SetAuth)(ESYS_CONTEXT *esysContext, ++ ESYS_TR handle, ++ TPM2B_AUTH const *authValue); ++static TSS2_RC ++(*_gnutls_tss2_Esys_CreatePrimary)(ESYS_CONTEXT *esysContext, ++ ESYS_TR primaryHandle, ++ ESYS_TR shandle1, ++ ESYS_TR shandle2, ++ ESYS_TR shandle3, ++ const TPM2B_SENSITIVE_CREATE *inSensitive, ++ const TPM2B_PUBLIC *inPublic, ++ const 
TPM2B_DATA *outsideInfo, ++ const TPML_PCR_SELECTION *creationPCR, ++ ESYS_TR *objectHandle, ++ TPM2B_PUBLIC **outPublic, ++ TPM2B_CREATION_DATA **creationData, ++ TPM2B_DIGEST **creationHash, ++ TPMT_TK_CREATION **creationTicket); ++static TSS2_RC (*_gnutls_tss2_Esys_Initialize)(ESYS_CONTEXT **esys_context, ++ TSS2_TCTI_CONTEXT *tcti, ++ TSS2_ABI_VERSION *abiVersion); ++static TSS2_RC (*_gnutls_tss2_Esys_Startup)(ESYS_CONTEXT *esysContext, ++ TPM2_SU startupType); ++static TSS2_RC (*_gnutls_tss2_Esys_TR_FromTPMPublic)(ESYS_CONTEXT *esysContext, ++ TPM2_HANDLE tpm_handle, ++ ESYS_TR optionalSession1, ++ ESYS_TR optionalSession2, ++ ESYS_TR optionalSession3, ++ ESYS_TR *object); ++static TSS2_RC (*_gnutls_tss2_Esys_ReadPublic)(ESYS_CONTEXT *esysContext, ++ ESYS_TR objectHandle, ++ ESYS_TR shandle1, ++ ESYS_TR shandle2, ++ ESYS_TR shandle3, ++ TPM2B_PUBLIC **outPublic, ++ TPM2B_NAME **name, ++ TPM2B_NAME **qualifiedName); ++static TSS2_RC (*_gnutls_tss2_Esys_Load)(ESYS_CONTEXT *esysContext, ++ ESYS_TR parentHandle, ++ ESYS_TR shandle1, ++ ESYS_TR shandle2, ++ ESYS_TR shandle3, ++ const TPM2B_PRIVATE *inPrivate, ++ const TPM2B_PUBLIC *inPublic, ++ ESYS_TR *objectHandle); ++static TSS2_RC (*_gnutls_tss2_Esys_FlushContext)(ESYS_CONTEXT *esysContext, ++ ESYS_TR flushHandle); ++static void (*_gnutls_tss2_Esys_Finalize)(ESYS_CONTEXT **context); ++static TSS2_RC ++(*_gnutls_tss2_Esys_RSA_Decrypt)(ESYS_CONTEXT *esysContext, ++ ESYS_TR keyHandle, ++ ESYS_TR shandle1, ++ ESYS_TR shandle2, ++ ESYS_TR shandle3, ++ const TPM2B_PUBLIC_KEY_RSA *cipherText, ++ const TPMT_RSA_DECRYPT *inScheme, ++ const TPM2B_DATA *label, ++ TPM2B_PUBLIC_KEY_RSA **message); ++static TSS2_RC (*_gnutls_tss2_Esys_Sign)(ESYS_CONTEXT *esysContext, ++ ESYS_TR keyHandle, ++ ESYS_TR shandle1, ++ ESYS_TR shandle2, ++ ESYS_TR shandle3, ++ const TPM2B_DIGEST *digest, ++ const TPMT_SIG_SCHEME *inScheme, ++ const TPMT_TK_HASHCHECK *validation, ++ TPMT_SIGNATURE **signature); + -+static 
typeof(Tss2_MU_TPM2B_PRIVATE_Unmarshal) -+(*_gnutls_tss2_Tss2_MU_TPM2B_PRIVATE_Unmarshal); -+static typeof(Tss2_MU_TPM2B_PUBLIC_Unmarshal) -+(*_gnutls_tss2_Tss2_MU_TPM2B_PUBLIC_Unmarshal); ++static TSS2_RC ++(*_gnutls_tss2_Tss2_MU_TPM2B_PRIVATE_Unmarshal)(uint8_t const buffer[], ++ size_t buffer_size, ++ size_t *offset, ++ TPM2B_PRIVATE *dest); ++static TSS2_RC ++(*_gnutls_tss2_Tss2_MU_TPM2B_PUBLIC_Unmarshal)(uint8_t const buffer[], ++ size_t buffer_size, ++ size_t *offset, ++ TPM2B_PUBLIC *dest); + -+static typeof(Tss2_TctiLdr_Initialize) (*_gnutls_tss2_Tss2_TctiLdr_Initialize); -+static typeof(Tss2_TctiLdr_Finalize) (*_gnutls_tss2_Tss2_TctiLdr_Finalize); ++static TSS2_RC ++(*_gnutls_tss2_Tss2_TctiLdr_Initialize)(const char *nameConf, ++ TSS2_TCTI_CONTEXT **context); ++static void (*_gnutls_tss2_Tss2_TctiLdr_Finalize)(TSS2_TCTI_CONTEXT **context); + +#define DLSYM_TSS2(sys, sym) \ + _gnutls_tss2_##sym = dlsym(_gnutls_tss2_##sys##_dlhandle, #sym); \ @@ -233,7 +301,7 @@ index 93e54413ba..584e384d2b 100644 struct tpm2_info_st { TPM2B_PUBLIC pub; TPM2B_PRIVATE priv; -@@ -227,10 +323,10 @@ get_primary_template(ESYS_CONTEXT *ctx) +@@ -227,10 +391,10 @@ get_primary_template(ESYS_CONTEXT *ctx) UINT32 i; TSS2_RC rc; @@ -248,7 +316,7 @@ index 93e54413ba..584e384d2b 100644 if (rc) { _gnutls_debug_log("tpm2: Esys_GetCapability failed: 0x%x\n", rc); return NULL; -@@ -239,7 +335,7 @@ get_primary_template(ESYS_CONTEXT *ctx) +@@ -239,7 +403,7 @@ get_primary_template(ESYS_CONTEXT *ctx) for (i = 0; i < capability_data->data.algorithms.count; i++) { if (capability_data->data.algorithms.algProperties[i].alg == TPM2_ALG_ECC) { @@ -257,7 +325,7 @@ index 93e54413ba..584e384d2b 100644 return &primary_template_ecc; } } -@@ -247,12 +343,12 @@ get_primary_template(ESYS_CONTEXT *ctx) +@@ -247,12 +411,12 @@ get_primary_template(ESYS_CONTEXT *ctx) for (i = 0; i < capability_data->data.algorithms.count; i++) { if (capability_data->data.algorithms.algProperties[i].alg == TPM2_ALG_RSA) { 
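Review bot: Replacing `typeof(...)` with hand-written prototypes for the dlsym'd entry points (`_gnutls_tss2_Esys_GetCapability` through `_gnutls_tss2_Tss2_TctiLdr_Finalize`) means nothing now ties these pointer types to the declarations in the tss2 headers, so a signature drift in a later tss2 release would compile silently and only fail at call time through a mismatched function pointer, which is undefined behaviour. Since the headers are still included (the first hunk keeps the `#include` lines), a never-called static function that assigns each real symbol to its pointer restores that check at build time via the compiler's incompatible-pointer-type diagnostic; mark it unused if the build runs with -Werror. Separately, `void (*_gnutls_tss2_Esys_Free)(void *__ptr)` carries a double-underscore parameter name, which is reserved for the implementation; `void *ptr` is enough. The DLSYM_TSS2 macro that begins at the end of this hunk continues outside it.
```c
/* Never called: forces a compile-time type check of each hand-written
 * prototype above against the declaration in the tss2 headers. */
static void _gnutls_tss2_check_prototypes(void)
{
	_gnutls_tss2_Esys_GetCapability = Esys_GetCapability;
	_gnutls_tss2_Esys_Free = Esys_Free;
	/* … one assignment per remaining dlsym'd symbol … */
	_gnutls_tss2_Tss2_TctiLdr_Finalize = Tss2_TctiLdr_Finalize;
}
```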
@@ -272,7 +340,7 @@ index 93e54413ba..584e384d2b 100644 _gnutls_debug_log("tpm2: unable to find primary template\n"); return NULL; } -@@ -320,7 +416,7 @@ static int init_tpm2_primary(struct tpm2_info_st *info, +@@ -320,7 +484,7 @@ static int init_tpm2_primary(struct tpm2_info_st *info, install_tpm_passphrase(&info->ownerauth, pass); info->need_ownerauth = false; } @@ -281,7 +349,7 @@ index 93e54413ba..584e384d2b 100644 if (rc) { _gnutls_debug_log("tpm2: Esys_TR_SetAuth failed: 0x%x\n", rc); return gnutls_assert_val(GNUTLS_E_TPM_ERROR); -@@ -329,7 +425,7 @@ static int init_tpm2_primary(struct tpm2_info_st *info, +@@ -329,7 +493,7 @@ static int init_tpm2_primary(struct tpm2_info_st *info, if (!primary_template) { return gnutls_assert_val(GNUTLS_E_TPM_ERROR); } @@ -290,7 +358,7 @@ index 93e54413ba..584e384d2b 100644 ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE, &primary_sensitive, primary_template, -@@ -359,14 +455,14 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle, +@@ -359,14 +523,14 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle, _gnutls_debug_log("tpm2: establishing connection with TPM\n"); @@ -307,7 +375,7 @@ index 93e54413ba..584e384d2b 100644 if (rc == TPM2_RC_INITIALIZE) { _gnutls_debug_log("tpm2: was already started up thus false positive failing in tpm2tss log\n"); } else if (rc) { -@@ -381,7 +477,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle, +@@ -381,7 +545,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle, goto error; } } else { @@ -316,7 +384,7 @@ index 93e54413ba..584e384d2b 100644 ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, -@@ -399,7 +495,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle, +@@ -399,7 +563,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle, if (!info->did_ownerauth && !info->ownerauth.size) { TPM2B_PUBLIC *pub = NULL; 
@@ -325,7 +393,7 @@ index 93e54413ba..584e384d2b 100644 ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, -@@ -408,7 +504,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle, +@@ -408,7 +572,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle, !(pub->publicArea.objectAttributes & TPMA_OBJECT_NODA)) { info->need_ownerauth = true; } @@ -334,7 +402,7 @@ index 93e54413ba..584e384d2b 100644 } reauth: if (info->need_ownerauth) { -@@ -420,7 +516,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle, +@@ -420,7 +584,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle, install_tpm_passphrase(&info->ownerauth, pass); info->need_ownerauth = false; } @@ -343,7 +411,7 @@ index 93e54413ba..584e384d2b 100644 if (rc) { gnutls_assert(); _gnutls_debug_log("tpm2: Esys_TR_SetAuth failed: 0x%x\n", -@@ -432,7 +528,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle, +@@ -432,7 +596,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle, _gnutls_debug_log("tpm2: loading TPM2 key blob, parent handle 0x%x\n", parent_handle); @@ -352,7 +420,7 @@ index 93e54413ba..584e384d2b 100644 ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE, &info->priv, &info->pub, key_handle); -@@ -450,7 +546,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle, +@@ -450,7 +614,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle, info->did_ownerauth = true; if (parent_is_generated(info->parent)) { @@ -361,7 +429,7 @@ index 93e54413ba..584e384d2b 100644 if (rc) { _gnutls_debug_log("tpm2: Esys_FlushContext for generated primary failed: 0x%x\n", rc); -@@ -461,14 +557,14 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle, +@@ -461,14 +625,14 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle, return 0; error: if (parent_is_generated(info->parent) && parent_handle != ESYS_TR_NONE) { 
@@ -379,7 +447,7 @@ index 93e54413ba..584e384d2b 100644 return GNUTLS_E_TPM_ERROR; } -@@ -488,7 +584,7 @@ auth_tpm2_key(struct tpm2_info_st *info, ESYS_CONTEXT *ctx, ESYS_TR key_handle) +@@ -488,7 +652,7 @@ auth_tpm2_key(struct tpm2_info_st *info, ESYS_CONTEXT *ctx, ESYS_TR key_handle) info->need_userauth = false; } @@ -388,7 +456,7 @@ index 93e54413ba..584e384d2b 100644 if (rc) { _gnutls_debug_log("tpm2: Esys_TR_SetAuth failed: 0x%x\n", rc); return gnutls_assert_val(GNUTLS_E_TPM_ERROR); -@@ -574,7 +670,7 @@ int tpm2_rsa_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo, +@@ -574,7 +738,7 @@ int tpm2_rsa_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo, goto out; } @@ -397,7 +465,7 @@ index 93e54413ba..584e384d2b 100644 ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE, &digest, &in_scheme, &label, &tsig); if (rc_is_key_auth_failed(rc)) { -@@ -591,14 +687,14 @@ int tpm2_rsa_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo, +@@ -591,14 +755,14 @@ int tpm2_rsa_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo, ret = _gnutls_set_datum(sig, tsig->buffer, tsig->size); out: @@ -415,7 +483,7 @@ index 93e54413ba..584e384d2b 100644 } return ret; -@@ -661,7 +757,7 @@ int tpm2_ec_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo, +@@ -661,7 +825,7 @@ int tpm2_ec_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo, goto out; } @@ -424,7 +492,7 @@ index 93e54413ba..584e384d2b 100644 ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE, &digest, &in_scheme, &validation, &tsig); -@@ -682,31 +778,23 @@ int tpm2_ec_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo, +@@ -682,31 +846,23 @@ int tpm2_ec_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo, ret = gnutls_encode_rs_value(sig, &sig_r, &sig_s); out: 
@@ -461,7 +529,7 @@ index 93e54413ba..584e384d2b 100644 { const char *tcti; const char * const tcti_vars[] = { -@@ -718,6 +806,11 @@ tcti_once_init(void) +@@ -718,6 +874,11 @@ tcti_once_init(void) size_t i; TSS2_RC rc; @@ -473,7 +541,7 @@ index 93e54413ba..584e384d2b 100644 for (i = 0; i < sizeof(tcti_vars) / sizeof(tcti_vars[0]); i++) { tcti = secure_getenv(tcti_vars[i]); if (tcti && *tcti != '\0') { -@@ -727,7 +820,7 @@ tcti_once_init(void) +@@ -727,7 +888,7 @@ tcti_once_init(void) } } if (tcti && *tcti != '\0') { @@ -482,7 +550,7 @@ index 93e54413ba..584e384d2b 100644 if (rc) { _gnutls_debug_log("tpm2: TSS2_TctiLdr_Initialize failed: 0x%x\n", rc); -@@ -735,13 +828,35 @@ tcti_once_init(void) +@@ -735,13 +896,35 @@ tcti_once_init(void) } } @@ -519,7 +587,7 @@ index 93e54413ba..584e384d2b 100644 if (!tcti_ctx) { return gnutls_assert_val(GNUTLS_E_TPM_ERROR); -@@ -757,16 +872,16 @@ int install_tpm2_key(struct tpm2_info_st *info, gnutls_privkey_t pkey, +@@ -757,16 +940,16 @@ int install_tpm2_key(struct tpm2_info_st *info, gnutls_privkey_t pkey, info->parent = parent; @@ -556,10 +624,10 @@ index 529f1cc077..64ce470a02 100644 dist_check_SCRIPTS += system-override-sig.sh system-override-hash.sh \ diff --git a/tests/sanity-lib.sh b/tests/sanity-lib.sh new file mode 100644 -index 0000000000..fd38c764fb +index 0000000000..1e3612781b --- /dev/null +++ b/tests/sanity-lib.sh -@@ -0,0 +1,36 @@ +@@ -0,0 +1,40 @@ +#!/bin/sh + +# Copyright (C) 2022 Red Hat, Inc. @@ -586,6 +654,10 @@ index 0000000000..fd38c764fb +: ${LDD=ldd} +: ${LIBTOOL=libtool} + ++if ! test -x "${CLI_DEBUG}"; then ++ exit 77 ++fi ++ +# ldd.sh doesn't check recursive dependencies +${LDD} --version >/dev/null || exit 77 + diff --git a/gnutls.spec b/gnutls.spec index 86e5b34..737b764 100644 --- a/gnutls.spec +++ b/gnutls.spec 
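Review bot: The new guard `if ! test -x "${CLI_DEBUG}"; then exit 77; fi` in tests/sanity-lib.sh relies on `CLI_DEBUG` being provided by the caller, yet unlike `LDD` and `LIBTOOL` just above it the script gives it neither a default nor a comment, so an unset or misspelled variable silently skips the test instead of surfacing a wrong path. Consider documenting the expectation next to the other defaults, e.g. `# CLI_DEBUG: path to the gnutls-cli-debug binary, exported by the test harness`, or supplying a default in the same `: ${VAR=value}` form used for the others. Whether the Makefile exports it is not visible in this hunk.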
@@ -13,7 +13,7 @@ print(string.sub(hash, 0, 16))
 }
 Version: 3.7.3
-Release: 8%{?dist}
+Release: 9%{?dist}
 Patch1: gnutls-3.6.7-no-now-guile.patch
 Patch2: gnutls-3.2.7-rpath.patch
 Patch3: gnutls-3.7.2-enable-intel-cet.patch
@@ -343,6 +343,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
 %endif
 %changelog
+* Fri Feb 25 2022 Daiki Ueno - 3.7.3-9
+- Stop using typeof keyword for tss2 function prototypes (#2057490)
+
 * Thu Feb 24 2022 Daiki Ueno - 3.7.3-8
 - Fix previous change for loading libtss2* (#2057490)