From 32e338fcbe6060a1b6ef27d95f4bd8fa474111c5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Date: Tue, 22 Nov 2022 11:12:01 +0400 Subject: [PATCH] Update to 0.8.0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Marc-André Lureau --- .gitignore | 1 + ...er-size-indicator-against-expected-s.patch | 54 ---- ...enSSL-FIPS-mode-to-avoid-libtpms-fai.patch | 279 ------------------ ...setup-fix-Werror-maybe-uninitialized.patch | 37 +++ sources | 2 +- swtpm.spec | 49 ++- 6 files changed, 63 insertions(+), 359 deletions(-) delete mode 100644 0001-swtpm-Check-header-size-indicator-against-expected-s.patch delete mode 100644 0001-swtpm-Disable-OpenSSL-FIPS-mode-to-avoid-libtpms-fai.patch create mode 100644 0001-swtpm_setup-fix-Werror-maybe-uninitialized.patch diff --git a/.gitignore b/.gitignore index a172e78..b9b9b02 100644 --- a/.gitignore +++ b/.gitignore @@ -21,3 +21,4 @@ /swtpm-e59c0c1.tar.gz /swtpm-ea627b3.tar.gz /swtpm-b79fd91.tar.gz +/swtpm-0.8.0.tar.gz diff --git a/0001-swtpm-Check-header-size-indicator-against-expected-s.patch b/0001-swtpm-Check-header-size-indicator-against-expected-s.patch deleted file mode 100644 index 9a962c3..0000000 --- a/0001-swtpm-Check-header-size-indicator-against-expected-s.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 9f740868fc36761de27df3935513bdebf8852d19 Mon Sep 17 00:00:00 2001 -From: Stefan Berger -Date: Wed, 16 Feb 2022 11:17:47 -0500 -Subject: [PATCH] swtpm: Check header size indicator against expected size (CID - 375869) - -This fix addresses Coverity issue CID 375869. - -Check the header size indicated in the header of the state against the -expected size and return an error code in case the header size indicator -is different. There was only one header size so far since blobheader was -introduced, so we don't need to deal with different sizes. - -Without this fix a specially craft header could have cause out-of-bounds -accesses on the byte array containing the swtpm's state. - -Signed-off-by: Stefan Berger ---- - src/swtpm/swtpm_nvstore.c | 11 ++++++++++- - 1 file changed, 10 insertions(+), 1 deletion(-) - -diff --git a/src/swtpm/swtpm_nvstore.c b/src/swtpm/swtpm_nvstore.c -index 437088370e11..144d8975ec54 100644 ---- a/src/swtpm/swtpm_nvstore.c -+++ b/src/swtpm/swtpm_nvstore.c -@@ -1075,6 +1075,7 @@ SWTPM_NVRAM_CheckHeader(unsigned char *data, uint32_t length, - uint8_t *hdrversion, bool quiet) - { - blobheader *bh = (blobheader *)data; -+ uint16_t hdrsize; - - if (length < sizeof(bh)) { - if (!quiet) -@@ -1100,8 +1101,16 @@ SWTPM_NVRAM_CheckHeader(unsigned char *data, uint32_t length, - return TPM_BAD_VERSION; - } - -+ hdrsize = ntohs(bh->hdrsize); -+ if (hdrsize != sizeof(blobheader)) { -+ logprintf(STDERR_FILENO, -+ "bad header size: %u != %zu\n", -+ hdrsize, sizeof(blobheader)); -+ return TPM_BAD_DATASIZE; -+ } -+ - *hdrversion = bh->version; -- *dataoffset = ntohs(bh->hdrsize); -+ *dataoffset = hdrsize; - *hdrflags = ntohs(bh->flags); - - return TPM_SUCCESS; --- -2.34.1.428.gdcc0cd074f0c - diff --git a/0001-swtpm-Disable-OpenSSL-FIPS-mode-to-avoid-libtpms-fai.patch b/0001-swtpm-Disable-OpenSSL-FIPS-mode-to-avoid-libtpms-fai.patch deleted file mode 100644 index 815608d..0000000 --- a/0001-swtpm-Disable-OpenSSL-FIPS-mode-to-avoid-libtpms-fai.patch +++ /dev/null @@ -1,279 +0,0 @@ -From a39c3792ba5677f25fea903b9f1a43740a5f2c0c Mon Sep 17 00:00:00 2001 -From: Stefan Berger -Date: Wed, 8 Jun 2022 09:19:07 -0400 -Subject: [PATCH] swtpm: Disable OpenSSL FIPS mode to avoid libtpms failures - -While libtpms does not provide any means to disable FIPS-disabled crypto -algorithms from being used, work around the issue by simply disabling the -FIPS mode of OpenSSL if it is enabled. If it cannot be disabled, exit -swtpm with a failure message that it cannot be disabled. If FIPS mode -was successfully disabled, print out a message as well. - -Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=2090219 -Signed-off-by: Stefan Berger ---- - configure.ac | 9 ++++ - src/swtpm/Makefile.am | 2 + - src/swtpm/cuse_tpm.c | 5 ++ - src/swtpm/fips.c | 100 ++++++++++++++++++++++++++++++++++++++ - src/swtpm/fips.h | 43 ++++++++++++++++ - src/swtpm/swtpm.c | 3 ++ - src/swtpm/swtpm_chardev.c | 3 ++ - src/swtpm/utils.h | 2 + - 8 files changed, 167 insertions(+) - create mode 100644 src/swtpm/fips.c - create mode 100644 src/swtpm/fips.h - -diff --git a/configure.ac b/configure.ac -index ad3054e..30288c7 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -156,6 +156,15 @@ openssl) - AC_MSG_RESULT([Building with openssl crypto library]) - LIBCRYPTO_LIBS=$(pkg-config --libs libcrypto) - AC_SUBST([LIBCRYPTO_LIBS]) -+ AC_CHECK_HEADERS([openssl/fips.h], -+ [AC_DEFINE_UNQUOTED([HAVE_OPENSSL_FIPS_H], 1, -+ [whether openssl/fips.h is available])] -+ ) -+ AC_CHECK_LIB(crypto, -+ [FIPS_mode_set], -+ [AC_DEFINE_UNQUOTED([HAVE_OPENSSL_FIPS_MODE_SET_API], 1, -+ [whether FIPS_mode_set API is available])] -+ ) - ;; - esac - -diff --git a/src/swtpm/Makefile.am b/src/swtpm/Makefile.am -index 5454a6f..2a65950 100644 ---- a/src/swtpm/Makefile.am -+++ b/src/swtpm/Makefile.am -@@ -11,6 +11,7 @@ noinst_HEADERS = \ - capabilities.h \ - common.h \ - ctrlchannel.h \ -+ fips.h \ - key.h \ - locality.h \ - logging.h \ -@@ -40,6 +41,7 @@ libswtpm_libtpms_la_SOURCES = \ - capabilities.c \ - common.c \ - ctrlchannel.c \ -+ fips.c \ - key.c \ - logging.c \ - mainloop.c \ -diff --git a/src/swtpm/cuse_tpm.c b/src/swtpm/cuse_tpm.c -index 9dbc00d..3026e26 100644 ---- a/src/swtpm/cuse_tpm.c -+++ b/src/swtpm/cuse_tpm.c -@@ -1695,6 +1695,11 @@ int swtpm_cuse_main(int argc, char **argv, const char *prgname, const char *ifac - goto exit; - } - -+ if (disable_fips_mode() < 0) { -+ ret = -1; -+ goto exit; -+ } -+ - if (tpmlib_register_callbacks(&cbs) != TPM_SUCCESS) { - ret = -1; - goto exit; -diff --git a/src/swtpm/fips.c b/src/swtpm/fips.c -new file mode 100644 -index 0000000..eeb2a0c ---- /dev/null -+++ b/src/swtpm/fips.c -@@ -0,0 +1,100 @@ -+/* -+ * fips.c -- FIPS mode related functions -+ * -+ * (c) Copyright IBM Corporation 2022. -+ * -+ * Author: Stefan Berger -+ * -+ * All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions are -+ * met: -+ * -+ * Redistributions of source code must retain the above copyright notice, -+ * this list of conditions and the following disclaimer. -+ * -+ * Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * -+ * Neither the names of the IBM Corporation nor the names of its -+ * contributors may be used to endorse or promote products derived from -+ * this software without specific prior written permission. -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+#include "config.h" -+ -+#include "fips.h" -+#include "logging.h" -+ -+#if defined(HAVE_OPENSSL_FIPS_H) -+# include -+#elif defined(HAVE_OPENSSL_FIPS_MODE_SET_API) -+/* Cygwin has no fips.h but API exists */ -+extern int FIPS_mode(void); -+extern int FIPS_mode_set(int); -+#endif -+ -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+# include -+#endif -+ -+#include -+ -+/* -+ * disable_fips_mode: If possible, disable FIPS mode to avoid libtpms failures -+ * -+ * While libtpms does not provide a solution to disable deactivated algorithms -+ * avoid libtpms failures due to FIPS mode enablement by disabling FIPS mode. -+ * -+ * Returns < 0 on error, 0 otherwise. -+ */ -+#if defined(HAVE_OPENSSL_FIPS_H) || defined(HAVE_OPENSSL_FIPS_MODE_SET_API) -+int disable_fips_mode(void) -+{ -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+ int mode = EVP_default_properties_is_fips_enabled(NULL); -+#else -+ int mode = FIPS_mode(); -+#endif -+ int ret = 0; -+ -+ if (mode != 0) { -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+ int rc = EVP_default_properties_enable_fips(NULL, 0); -+#else -+ int rc = FIPS_mode_set(0); -+#endif -+ if (rc == 1) { -+ logprintf(STDOUT_FILENO, -+ "Warning: Disabled OpenSSL FIPS mode\n"); -+ } else { -+ unsigned long err = ERR_get_error(); -+ logprintf(STDERR_FILENO, -+ "Failed to disable OpenSSL FIPS mode: %s\n", -+ ERR_error_string(err, NULL)); -+ ret = -1; -+ } -+ } -+ return ret; -+} -+#else -+/* OpenBSD & DragonFlyBSD case */ -+int disable_fips_mode(void) -+{ -+ return 0; -+} -+#endif -diff --git a/src/swtpm/fips.h b/src/swtpm/fips.h -new file mode 100644 -index 0000000..14d4e9f ---- /dev/null -+++ b/src/swtpm/fips.h -@@ -0,0 +1,43 @@ -+/* -+ * fips.h -- FIPS mode related functions -+ * -+ * (c) Copyright IBM Corporation 2015. -+ * -+ * Author: Stefan Berger -+ * -+ * All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions are -+ * met: -+ * -+ * Redistributions of source code must retain the above copyright notice, -+ * this list of conditions and the following disclaimer. -+ * -+ * Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * -+ * Neither the names of the IBM Corporation nor the names of its -+ * contributors may be used to endorse or promote products derived from -+ * this software without specific prior written permission. -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+#ifndef _SWTPM_UTILS_H_ -+#define _SWTPM_UTILS_H_ -+ -+int disable_fips_mode(void); -+ -+#endif /* _SWTPM_UTILS_H_ */ -diff --git a/src/swtpm/swtpm.c b/src/swtpm/swtpm.c -index 722a743..e618c56 100644 ---- a/src/swtpm/swtpm.c -+++ b/src/swtpm/swtpm.c -@@ -521,6 +521,9 @@ int swtpm_main(int argc, char **argv, const char *prgname, const char *iface) - daemonize_finish(); - } - -+ if (disable_fips_mode() < 0) -+ goto error_seccomp_profile; -+ - rc = mainLoop(&mlp, notify_fd[0]); - - error_seccomp_profile: -diff --git a/src/swtpm/swtpm_chardev.c b/src/swtpm/swtpm_chardev.c -index 9710927..ab6d8fd 100644 ---- a/src/swtpm/swtpm_chardev.c -+++ b/src/swtpm/swtpm_chardev.c -@@ -573,6 +573,9 @@ int swtpm_chardev_main(int argc, char **argv, const char *prgname, const char *i - daemonize_finish(); - } - -+ if (disable_fips_mode() < 0) -+ goto error_seccomp_profile; -+ - rc = mainLoop(&mlp, notify_fd[0]); - - error_seccomp_profile: -diff --git a/src/swtpm/utils.h b/src/swtpm/utils.h -index 7502442..b8acd89 100644 ---- a/src/swtpm/utils.h -+++ b/src/swtpm/utils.h -@@ -71,4 +71,6 @@ ssize_t writev_full(int fd, const struct iovec *iov, int iovcnt); - - ssize_t read_eintr(int fd, void *buffer, size_t buflen); - -+int disable_fips_mode(void); -+ - #endif /* _SWTPM_UTILS_H_ */ --- -2.36.1 - diff --git a/0001-swtpm_setup-fix-Werror-maybe-uninitialized.patch b/0001-swtpm_setup-fix-Werror-maybe-uninitialized.patch new file mode 100644 index 0000000..f5157ad --- /dev/null +++ b/0001-swtpm_setup-fix-Werror-maybe-uninitialized.patch @@ -0,0 +1,37 @@ +From 95cd8db3dc822d8f741b90d560e50f44841f9d29 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Tue, 22 Nov 2022 11:24:57 +0400 +Subject: [PATCH] swtpm_setup: fix -Werror=maybe-uninitialized +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +/usr/include/glib-2.0/glib/glib-autocleanups.h:30:3: error: ‘argv’ may be used uninitialized [-Werror=maybe-uninitialized] + 30 | g_free (*pp); + | ^~~~~~~~~~~~ +swtpm_setup.c: In function ‘get_swtpm_capabilities.constprop.0’: +swtpm_setup.c:940:24: note: ‘argv’ was declared here + 940 | g_autofree gchar **argv; + | ^~~~ + +Signed-off-by: Marc-André Lureau +--- + src/swtpm_setup/swtpm_setup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/swtpm_setup/swtpm_setup.c b/src/swtpm_setup/swtpm_setup.c +index 1b528c8..3570235 100644 +--- a/src/swtpm_setup/swtpm_setup.c ++++ b/src/swtpm_setup/swtpm_setup.c +@@ -937,7 +937,7 @@ static int get_swtpm_capabilities(gchar **swtpm_prg_l, gboolean is_tpm2, + gchar *my_argv[] = { "--print-capabilities", is_tpm2 ? "--tpm2" : NULL, NULL }; + g_autofree gchar *logop = NULL; + g_autoptr(GError) error = NULL; +- g_autofree gchar **argv; ++ g_autofree gchar **argv = NULL; + int exit_status = 0; + gboolean success; + int ret = 1; +-- +2.38.1 + diff --git a/sources b/sources index f7c95de..fa81820 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (swtpm-b79fd91.tar.gz) = bb17a2dc7542261618ea7572301d447820ad762478cb5b38b11cf49e46a6c81620861ba5d1f150c966fe19aed828da40431ce9544775bfd048152c2957bc178e +SHA512 (swtpm-0.8.0.tar.gz) = 7f70c19f732404061be6168c96c0dd3ec91ed8b50dddcafcb50d810062ce0e83ad85360191f97db5db9dc034e01d91cebe3912449d896d2cde68fe060a0adb09 diff --git a/swtpm.spec b/swtpm.spec index d072e48..649f7cd 100644 --- a/swtpm.spec +++ b/swtpm.spec @@ -1,9 +1,5 @@ %bcond_without gnutls -%global gitdate 20211109 -%global gitcommit b79fd91c4b4a74c9c5027b517c5036952c5525db -%global gitshortcommit %(c=%{gitcommit}; echo ${c:0:7}) - # Macros needed by SELinux %global selinuxtype targeted %global moduletype contrib @@ -11,26 +7,26 @@ Summary: TPM Emulator Name: swtpm -Version: 0.7.0 -Release: 3.%{gitdate}git%{gitshortcommit}%{?dist} +Version: 0.8.0 +Release: 1%{?dist} License: BSD -Url: http://github.com/stefanberger/swtpm -Source0: %{url}/archive/%{gitcommit}/%{name}-%{gitshortcommit}.tar.gz -Patch0001: 0001-swtpm-Check-header-size-indicator-against-expected-s.patch -Patch0002: 0001-swtpm-Disable-OpenSSL-FIPS-mode-to-avoid-libtpms-fai.patch +Url: https://github.com/stefanberger/swtpm +Source0: %{url}/archive/v%{version}/%{name}-%{version}.tar.gz +Patch0001: 0001-swtpm_setup-fix-Werror-maybe-uninitialized.patch -BuildRequires: make +BuildRequires: make BuildRequires: git-core BuildRequires: automake BuildRequires: autoconf BuildRequires: libtool BuildRequires: libtpms-devel >= 0.6.0 +BuildRequires: glib2-devel +BuildRequires: json-glib-devel BuildRequires: expect BuildRequires: net-tools BuildRequires: openssl-devel BuildRequires: socat BuildRequires: softhsm -BuildRequires: json-glib-devel %if %{with gnutls} BuildRequires: gnutls >= 3.4.0 BuildRequires: gnutls-devel @@ -42,7 +38,6 @@ BuildRequires: selinux-policy-devel BuildRequires: gcc BuildRequires: libseccomp-devel BuildRequires: tpm2-pkcs11 tpm2-pkcs11-tools tpm2-tools tpm2-abrmd -BuildRequires: python3-devel Requires: %{name}-libs = %{version}-%{release} Requires: libtpms >= 0.6.0 @@ -75,18 +70,18 @@ Requires: bash gnutls-utils %description tools Tools for the TPM emulator from the swtpm package -%package tools-pkcs11 -Summary: Tools for creating a local CA based on a TPM pkcs11 device -License: BSD -Requires: swtpm-tools = %{version}-%{release} -Requires: tpm2-pkcs11 tpm2-pkcs11-tools tpm2-tools tpm2-abrmd -Requires: expect gnutls-utils +%package tools-pkcs11 +Summary: Tools for creating a local CA based on a pkcs11 device +License: BSD +Requires: swtpm-tools = %{version}-%{release} +Requires: tpm2-pkcs11 tpm2-pkcs11-tools tpm2-tools tpm2-abrmd +Requires: expect gnutls-utils %description tools-pkcs11 Tools for creating a local CA based on a pkcs11 device %prep -%autosetup -S git -n %{name}-%{gitcommit} -p1 +%autosetup -S git -p1 %build @@ -95,8 +90,7 @@ NOCONFIGURE=1 ./autogen.sh %if %{with gnutls} --with-gnutls \ %endif - --without-cuse \ - --without-tpm1 + --without-cuse %make_build @@ -107,6 +101,7 @@ make %{?_smp_mflags} check VERBOSE=1 %make_install rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/*.{a,la,so} +rm $RPM_BUILD_ROOT%{_mandir}/man8/swtpm_cuse.8* %post for pp in /usr/share/selinux/packages/swtpm.pp \ @@ -161,12 +156,12 @@ fi %{_mandir}/man8/swtpm_bios.8* %{_mandir}/man8/swtpm_cert.8* %{_mandir}/man8/swtpm_ioctl.8* -%{_mandir}/man8/swtpm-localca.conf.8* -%{_mandir}/man8/swtpm-localca.options.8* +%{_mandir}/man5/swtpm-localca.conf.5* +%{_mandir}/man5/swtpm-localca.options.5* %{_mandir}/man8/swtpm-localca.8* %{_mandir}/man8/swtpm_localca.8* %{_mandir}/man8/swtpm_setup.8* -%{_mandir}/man8/swtpm_setup.conf.8* +%{_mandir}/man5/swtpm_setup.conf.5* %config(noreplace) %{_sysconfdir}/swtpm_setup.conf %config(noreplace) %{_sysconfdir}/swtpm-localca.options %config(noreplace) %{_sysconfdir}/swtpm-localca.conf @@ -180,6 +175,10 @@ fi %{_datadir}/swtpm/swtpm-create-tpmca %changelog +* Tue Nov 22 2022 Marc-André Lureau - 0.8.0-1 +- Update to v0.8.0 release + Resolves: rhbz#2092944 + * Fri Jun 17 2022 Marc-André Lureau - 0.7.0-3.20211109gitb79fd91 - Disable OpenSSL FIPS mode to avoid libtpms failures Resolves: rhbz#2090219