diff --git a/.gitignore b/.gitignore
index 08603c3..345faa5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/tpm-tools-1.3.9.tar.gz
+SOURCES/tpm-tools-1.3.9.2.tar.gz
diff --git a/.tpm-tools.metadata b/.tpm-tools.metadata
index 96e14a6..ff70eea 100644
--- a/.tpm-tools.metadata
+++ b/.tpm-tools.metadata
@@ -1 +1 @@
-63d5cd42f464f7a200c508b551f5f2728f141a71 SOURCES/tpm-tools-1.3.9.tar.gz
+ea481aab52e3cffa3a257ce848b07f3ea12b8923 SOURCES/tpm-tools-1.3.9.2.tar.gz
diff --git a/SOURCES/0001-Fix-build-with-OpenSSL-1.1-due-to-EVP_PKEY-being-an-.patch b/SOURCES/0001-Fix-build-with-OpenSSL-1.1-due-to-EVP_PKEY-being-an-.patch
deleted file mode 100644
index ed43ed0..0000000
--- a/SOURCES/0001-Fix-build-with-OpenSSL-1.1-due-to-EVP_PKEY-being-an-.patch
+++ /dev/null
@@ -1,37 +0,0 @@ -From 3acd773846a85d142e919e2f4eeeee1acea5ca3a Mon Sep 17 00:00:00 2001 -From: Michal Schmidt -Date: Mon, 20 Feb 2017 10:28:33 +0100 -Subject: [PATCH 1/3] Fix build with OpenSSL 1.1 due to EVP_PKEY being an - opaque struct - -With OpenSSL 1.1 the build fails with: -data_import.c:375:26: error: dereferencing pointer to incomplete type -'EVP_PKEY {aka struct evp_pkey_st}' - -The manual page[1] says: - Previous versions of this document suggested using - EVP_PKEY_type(pkey->type) to determine the type of a key. Since EVP_PKEY - is now opaque this is no longer possible: the equivalent is - EVP_PKEY_base_id(pkey). - -[1] https://www.openssl.org/docs/man1.1.0/crypto/EVP_PKEY_base_id.html ---- - src/data_mgmt/data_import.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/data_mgmt/data_import.c b/src/data_mgmt/data_import.c -index f534717f02..d4d2052bc6 100644 ---- a/src/data_mgmt/data_import.c -+++ b/src/data_mgmt/data_import.c -@@ -372,7 +372,7 @@ readX509Cert( const char *a_pszFile, - goto out; - } - -- if ( EVP_PKEY_type( pKey->type ) != EVP_PKEY_RSA ) { -+ if ( EVP_PKEY_base_id( pKey ) != EVP_PKEY_RSA ) { - logError( TOKEN_RSA_KEY_ERROR ); - - X509_free( pX509 ); --- -2.9.3 - diff --git a/SOURCES/0001-man-manpage-cleanup.patch b/SOURCES/0001-man-manpage-cleanup.patch deleted file mode 100644 index 10e147a..0000000 --- a/SOURCES/0001-man-manpage-cleanup.patch +++ /dev/null 
@@ -1,232 +0,0 @@ -From 65ca7418b9a884bb5271e602cf63fc8845397988 Mon Sep 17 00:00:00 2001 -From: Jerry Snitselaar -Date: Sun, 27 Jan 2019 21:55:19 -0700 -Subject: [PATCH] man: manpage cleanup - -tpm_restrictsrk and tpm_unsealdata are missing manpages. -Add missing options to tpm_nvdefine and tpm_setpresence. - -Signed-off-by: Jerry Snitselaar ---- - man/man1/Makefile.am | 1 + - man/man1/tpm_unsealdata.1 | 60 +++++++++++++++++++++++++++++++++ - man/man8/Makefile.am | 1 + - man/man8/tpm_nvdefine.8 | 13 ++++++-- - man/man8/tpm_restrictsrk.8 | 68 ++++++++++++++++++++++++++++++++++++++ - man/man8/tpm_setpresence.8 | 3 ++ - 6 files changed, 144 insertions(+), 2 deletions(-) - create mode 100644 man/man1/tpm_unsealdata.1 - create mode 100644 man/man8/tpm_restrictsrk.8 - -diff --git a/man/man1/Makefile.am b/man/man1/Makefile.am -index ff8b571..f833363 100644 ---- a/man/man1/Makefile.am -+++ b/man/man1/Makefile.am -@@ -22,6 +22,7 @@ - # - - man1_MANS = tpm_sealdata.1 \ -+ tpm_unsealdata.1 \ - tpm_version.1 - if P11_SUPPORT - man1_MANS += tpmtoken_init.1 \ -diff --git a/man/man1/tpm_unsealdata.1 b/man/man1/tpm_unsealdata.1 -new file mode 100644 -index 0000000..80e8f12 ---- /dev/null -+++ b/man/man1/tpm_unsealdata.1 -@@ -0,0 +1,60 @@ -+.\" Copyright (C) 2019 International Business Machines Corporation -+.\" -+.de Sh \" Subsection -+.br -+.if t .Sp -+.ne 5 -+.PP -+\fB\\$1\fR -+.PP -+.. -+.de Sp \" Vertical space (when we can't use .PP) -+.if t .sp .5v -+.if n .sp -+.. -+.de Ip \" List item -+.br -+.ie \\n(.$>=3 .ne \\$3 -+.el .ne 3 -+.IP "\\$1" \\$2 -+.. -+.TH "tpm_unsealdata" 1 "2019-01-27" "TPM Management" -+.ce 1 -+TPM Management - tpm_unsealdata -+.SH NAME -+tpm_unsealdata \- unseal input data with the SRK of the system's TPM -+.SH "SYNOPSIS" -+.ad l -+.hy 0 -+.B tpm_unsealdata -+.RB [ OPTION ] -+ -+.SH "DESCRIPTION" -+.PP -+\fBtpm_unsealdata\fR unseals sensitive data that was sealed the SRK of the system's TPM. 
-+ -+.TP -+\fB\-h\fR, \fB\-\-help\fR -+Display command usage info. -+.TP -+\fB-v\fR, \fB\-\-version\fR -+Display command version info. -+.TP -+\fB-l\fR, \fB\-\-log\fR [none|error|info|debug] -+Set logging level. -+.TP -+\fB-i\fR, \fB\-\-infile FILE\fR -+File containing data to unseal. -+.TP -+\fB-o\fR, \fB\-\-outfile FILE\fR -+Filename to write unsealed data to. Default is STDOUT. -+.TP -+\fB-z\fR, \fB\-\-well-known\fR -+Use TSS_WELL_KNOWN_SECRET (20 zero bytes) as the SRK password. You will not be prompted for the SRK password with this option. -+ -+.SH "SEE ALSO" -+.PP -+\fBtpm_sealdata\fR(1), \fBtpmUnsealFile\fR(3) -+ -+.SH "REPORTING BUGS" -+Report bugs to -diff --git a/man/man8/Makefile.am b/man/man8/Makefile.am -index b38ac18..487a4c8 100644 ---- a/man/man8/Makefile.am -+++ b/man/man8/Makefile.am -@@ -36,6 +36,7 @@ man8_MANS = tpm_changeownerauth.8 \ - tpm_createek.8 \ - tpm_getpubek.8 \ - tpm_restrictpubek.8 \ -+ tpm_restrictsrk.8 \ - tpm_selftest.8 \ - tpm_setactive.8 \ - tpm_setclearable.8 \ -diff --git a/man/man8/tpm_nvdefine.8 b/man/man8/tpm_nvdefine.8 -index 13edb78..0eecc2a 100644 ---- a/man/man8/tpm_nvdefine.8 -+++ b/man/man8/tpm_nvdefine.8 -@@ -161,8 +161,8 @@ using \s-1TSS\s0 popup boxes - .IP "\fB\-y, \-\-owner\-well\-known\fR" 4 - .IX Item "-y, --owner-well-known" - Use a secret of all zeros (20 bytes of zeros) as the owner's secret. --.IP "\fB\-z, \-\-area\-well\-known\fR" 4 --.IX Item "-z, --area-well-known" -+.IP "\fB\-z, \-\-data\-well\-known\fR" 4 -+.IX Item "-z, --data-well-known" - Use a secret of all zeros (20 bytes of zeros) as the \s-1NVRAM\s0 area's secret. - .IP "\fB\-o, \-\-pwdo\fR (optional parameter)" 4 - .IX Item "-o, --pwdo (optional parameter)" -@@ -189,6 +189,15 @@ To select the \s-1NVRAM\s0 area with index 0x100, the command line parameter sho - .IX Item "-s, --size" - The size of the \s-1NVRAM\s0 area. - The parameter must either be a decimal number or a hexadecimal number starting with '0x'. 
-+.IP "\fB\-r, \-\-rpcsr\fR" 4 -+.IX Item "-r, --rpcrs" -+PCRs to seal the NVRAM area to for reading (use multiple times) -+.IP "\fB\-w, \-\-wpcrs\fR" 4 -+.IX Item "-w, --wpcrs" -+PCRs to seal the NVRAM area to for writing (use multiple times) -+.IP "\fB\-f, \-\-filename\fR" 4 -+.IX Item "-f, --filename" -+File containing PCR info for the NVRAM area. - .IP "\fB\-p, \-\-permissions\fR" 4 - .IX Item "-p, --permissions" - The access permissions associated with the \s-1NVRAM\s0 area. -diff --git a/man/man8/tpm_restrictsrk.8 b/man/man8/tpm_restrictsrk.8 -new file mode 100644 -index 0000000..7935b7b ---- /dev/null -+++ b/man/man8/tpm_restrictsrk.8 -@@ -0,0 +1,68 @@ -+.\" Copyright (C) 2019 International Business Machines Corporation -+.\" -+.de Sh \" Subsection -+.br -+.if t .Sp -+.ne 5 -+.PP -+\fB\\$1\fR -+.PP -+.. -+.de Sp \" Vertical space (when we can't use .PP) -+.if t .sp .5v -+.if n .sp -+.. -+.de Ip \" List item -+.br -+.ie \\n(.$>=3 .ne \\$3 -+.el .ne 3 -+.IP "\\$1" \\$2 -+.. -+.TH "tpm_restrictsrk" 8 "2019-01-27" "TPM Management" -+.ce 1 -+TPM Management - tpm_restrictsrk -+.SH NAME -+tpm_restrictsrk \- restrict the ability to access the Storage Root Key -+.SH "SYNOPSIS" -+.ad l -+.hy 0 -+.B tpm_restrictsrk -+.RB [ OPTION ] -+ -+.SH "DESCRIPTION" -+.PP -+\fBtpm_restrictsrk\fR reports the status of who can access the Storage Root Key. This is the default behavior and also available with the \fB\-\-status\fR option. -+This operation will be in effect until the owner is cleared and prompts for the owner passord. With the \fB\-\-restrict\fR option, the ability to access the Storage Root Key is resticted to the owner. -+The command prompts for the owner password to complete the operation. The \fB\-\-allow\fR and \fB\-\-restrict\fR options are mutually exclusive and the last one on the command line will be carried out. -+ -+.TP -+\fB\-h\fR, \fB\-\-help\fR -+Display command usage info. -+.TP -+\fB-v\fR, \fB\-\-version\fR -+Display command version info. 
-+.TP -+\fB-l\fR, \fB\-\-log\fR [none|error|info|debug] -+Set logging level. -+.TP -+\fB-u\fR, \fB\-\-unicode\fR -+Use TSS UNICODE encoding for passwords to comply with applications using TSS popup boxes -+.TP -+\fB-a\fR, \fB\-\-allow\fR -+Allow SRK read access using SRK auth -+.TP -+\fB-s\fR, \fB\-\-status\fR -+Display the status of who can access the Storage Root Key -+.TP -+\fB-r\fR, \fB\-\-restrict\fR -+Restrict SRK read to owner only -+.TP -+\fB-z\fR, \fB\-\-well-known\fR -+Authenticate using 20 bytes of zeros as owner password (the default TSS Well Known Secret), instead of prompting for an owner password. -+ -+.SH "SEE ALSO" -+.PP -+\fBtpm_version\fR(1), \fBtpm_takeownership\fR(8), \fBtcsd\fR(8) -+ -+.SH "REPORTING BUGS" -+Report bugs to -diff --git a/man/man8/tpm_setpresence.8 b/man/man8/tpm_setpresence.8 -index a04c70f..96670e0 100644 ---- a/man/man8/tpm_setpresence.8 -+++ b/man/man8/tpm_setpresence.8 -@@ -46,6 +46,9 @@ Set logging level. - \fB-u\fR, \fB\-\-unicode\fR - Use TSS UNICODE encoding for passwords to comply with applications using TSS popup boxes - .TP -+\fB-s\fR, \fB\-\-status\fR -+Report current physical presence states. -+.TP - \fB-a\fR, \fB\-\-assert\fR - Assert that an admin is physically present at the machine. - .TP --- -2.20.1.98.gecbdaf0899 - diff --git a/SOURCES/0002-Fix-build-with-OpenSSL-1.1-due-to-RSA-being-an-opaqu.patch b/SOURCES/0002-Fix-build-with-OpenSSL-1.1-due-to-RSA-being-an-opaqu.patch deleted file mode 100644 index 68d14bf..0000000 --- a/SOURCES/0002-Fix-build-with-OpenSSL-1.1-due-to-RSA-being-an-opaqu.patch +++ /dev/null 
@@ -1,192 +0,0 @@ -From 72fe7011fe981f90a04a62a3fb6ad33037390dff Mon Sep 17 00:00:00 2001 -From: Michal Schmidt -Date: Mon, 20 Feb 2017 10:43:10 +0100 -Subject: [PATCH 2/3] Fix build with OpenSSL 1.1 due to RSA being an opaque - struct - -RSA is an opaque struct in OpenSSL 1.1. New getter functions must be -used to access the key components. The functions were not present in -OpenSSL 1.0, so add a compat header with the implementation of the -needed functions as suggested by the OpenSSL wiki [1] in order to allow -building tpm-tools with any version of OpenSSL. - -[1] https://wiki.openssl.org/index.php/1.1_API_Changes ---- - src/data_mgmt/Makefile.am | 3 ++- - src/data_mgmt/data_import.c | 52 ++++++++++++++++++++++--------------- - src/data_mgmt/openssl_compat.h | 58 ++++++++++++++++++++++++++++++++++++++++++ - 3 files changed, 92 insertions(+), 21 deletions(-) - create mode 100644 src/data_mgmt/openssl_compat.h - -diff --git a/src/data_mgmt/Makefile.am b/src/data_mgmt/Makefile.am -index de505e48ef..9457618ab9 100644 ---- a/src/data_mgmt/Makefile.am -+++ b/src/data_mgmt/Makefile.am -@@ -32,7 +32,8 @@ noinst_HEADERS = data_common.h \ - data_init.h \ - data_object.h \ - data_passwd.h \ -- data_protect.h -+ data_protect.h \ -+ openssl_compat.h - - # - # Common build flags -diff --git a/src/data_mgmt/data_import.c b/src/data_mgmt/data_import.c -index d4d2052bc6..532543f7d3 100644 ---- a/src/data_mgmt/data_import.c -+++ b/src/data_mgmt/data_import.c -@@ -39,6 +39,7 @@ - #include - #include - -+#include "openssl_compat.h" - - /* - * Global variables -@@ -691,8 +692,11 @@ createRsaPubKeyObject( RSA *a_pRsa, - - int rc = -1; - -- int nLen = BN_num_bytes( a_pRsa->n ); -- int eLen = BN_num_bytes( a_pRsa->e ); -+ const BIGNUM *rsa_n, *rsa_e; -+ RSA_get0_key( a_pRsa, &rsa_n, &rsa_e, NULL ); -+ -+ int nLen = BN_num_bytes( rsa_n ); -+ int eLen = BN_num_bytes( rsa_e ); - - CK_RV rv; - -@@ -732,8 +736,8 @@ createRsaPubKeyObject( RSA *a_pRsa, - } - - // Get binary representations 
of the RSA key information -- BN_bn2bin( a_pRsa->n, n ); -- BN_bn2bin( a_pRsa->e, e ); -+ BN_bn2bin( rsa_n, n ); -+ BN_bn2bin( rsa_e, e ); - - // Create the RSA public key object - rv = createObject( a_hSession, tAttr, ulAttrCount, a_hObject ); -@@ -760,14 +764,22 @@ createRsaPrivKeyObject( RSA *a_pRsa, - - int rc = -1; - -- int nLen = BN_num_bytes( a_pRsa->n ); -- int eLen = BN_num_bytes( a_pRsa->e ); -- int dLen = BN_num_bytes( a_pRsa->d ); -- int pLen = BN_num_bytes( a_pRsa->p ); -- int qLen = BN_num_bytes( a_pRsa->q ); -- int dmp1Len = BN_num_bytes( a_pRsa->dmp1 ); -- int dmq1Len = BN_num_bytes( a_pRsa->dmq1 ); -- int iqmpLen = BN_num_bytes( a_pRsa->iqmp ); -+ const BIGNUM *rsa_n, *rsa_e, *rsa_d; -+ const BIGNUM *rsa_p, *rsa_q; -+ const BIGNUM *rsa_dmp1, *rsa_dmq1, *rsa_iqmp; -+ -+ RSA_get0_key( a_pRsa, &rsa_n, &rsa_e, &rsa_d ); -+ RSA_get0_factors( a_pRsa, &rsa_p, &rsa_q ); -+ RSA_get0_crt_params( a_pRsa, &rsa_dmp1, &rsa_dmq1, &rsa_iqmp ); -+ -+ int nLen = BN_num_bytes( rsa_n ); -+ int eLen = BN_num_bytes( rsa_e ); -+ int dLen = BN_num_bytes( rsa_d ); -+ int pLen = BN_num_bytes( rsa_p ); -+ int qLen = BN_num_bytes( rsa_q ); -+ int dmp1Len = BN_num_bytes( rsa_dmp1 ); -+ int dmq1Len = BN_num_bytes( rsa_dmq1 ); -+ int iqmpLen = BN_num_bytes( rsa_iqmp ); - - CK_RV rv; - -@@ -821,14 +833,14 @@ createRsaPrivKeyObject( RSA *a_pRsa, - } - - // Get binary representations of the RSA key information -- BN_bn2bin( a_pRsa->n, n ); -- BN_bn2bin( a_pRsa->e, e ); -- BN_bn2bin( a_pRsa->d, d ); -- BN_bn2bin( a_pRsa->p, p ); -- BN_bn2bin( a_pRsa->q, q ); -- BN_bn2bin( a_pRsa->dmp1, dmp1 ); -- BN_bn2bin( a_pRsa->dmq1, dmq1 ); -- BN_bn2bin( a_pRsa->iqmp, iqmp ); -+ BN_bn2bin( rsa_n, n ); -+ BN_bn2bin( rsa_e, e ); -+ BN_bn2bin( rsa_d, d ); -+ BN_bn2bin( rsa_p, p ); -+ BN_bn2bin( rsa_q, q ); -+ BN_bn2bin( rsa_dmp1, dmp1 ); -+ BN_bn2bin( rsa_dmq1, dmq1 ); -+ BN_bn2bin( rsa_iqmp, iqmp ); - - // Create the RSA private key object - rv = createObject( a_hSession, tAttr, ulAttrCount, 
a_hObject ); -diff --git a/src/data_mgmt/openssl_compat.h b/src/data_mgmt/openssl_compat.h -new file mode 100644 -index 0000000000..2a60fdf492 ---- /dev/null -+++ b/src/data_mgmt/openssl_compat.h -@@ -0,0 +1,58 @@ -+/* -+ * Getter functions for OpenSSL < 1.1 compatibility. Based on code from: -+ * https://wiki.openssl.org/index.php/1.1_API_Changes#Adding_forward-compatible_code_to_older_versions -+ * and therefore: -+ * Copyright OpenSSL 2016 -+ * Contents licensed under the terms of the OpenSSL license -+ * See http://www.openssl.org/source/license.html for details -+ */ -+ -+#ifndef __OPENSSL_COMPAT_H -+#define __OPENSSL_COMPAT_H -+ -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ -+#include -+ -+static inline void -+RSA_get0_key( const RSA *r, -+ const BIGNUM **n, -+ const BIGNUM **e, -+ const BIGNUM **d ) { -+ -+ if ( n ) -+ *n = r->n; -+ if ( e ) -+ *e = r->e; -+ if ( d ) -+ *d = r->d; -+} -+ -+static inline void -+RSA_get0_factors( const RSA *r, -+ const BIGNUM **p, -+ const BIGNUM **q ) { -+ -+ if ( p ) -+ *p = r->p; -+ if ( q ) -+ *q = r->q; -+} -+ -+static inline void -+RSA_get0_crt_params( const RSA *r, -+ const BIGNUM **dmp1, -+ const BIGNUM **dmq1, -+ const BIGNUM **iqmp ) { -+ -+ if ( dmp1 ) -+ *dmp1 = r->dmp1; -+ if ( dmq1 ) -+ *dmq1 = r->dmq1; -+ if ( iqmp ) -+ *iqmp = r->iqmp; -+} -+ -+#endif /* OPENSSL_VERSION_NUMBER */ -+ -+#endif /* __OPENSSL_COMPAT_H */ --- -2.9.3 - diff --git a/SOURCES/0003-Allocate-OpenSSL-cipher-contexts-for-seal-unseal.patch b/SOURCES/0003-Allocate-OpenSSL-cipher-contexts-for-seal-unseal.patch index 1f18e8b..52aae01 100644 --- a/SOURCES/0003-Allocate-OpenSSL-cipher-contexts-for-seal-unseal.patch +++ b/SOURCES/0003-Allocate-OpenSSL-cipher-contexts-for-seal-unseal.patch @@ -1,35 +1,34 @@ -From c229bb590250bd9769cb5a63918ab0f6c9386be7 Mon Sep 17 00:00:00 2001 +From 105c0f43399d75645be59b3c6be68b57a711d84a Mon Sep 17 00:00:00 2001 
From: Michal Schmidt Date: Mon, 20 Feb 2017 12:00:39 +0100 -Subject: [PATCH 3/3] Allocate OpenSSL cipher contexts for seal/unseal +Subject: [PATCH] Allocate OpenSSL cipher contexts for seal/unseal Cipher contexts need to be allocated before using EVP_EncryptInit or EVP_DecryptInit. Using a NULL context is invalid. Fixes: f50ab0949438 ("Support OpenSSL 1.1.0") --- - lib/tpm_unseal.c | 12 ++++++++++-- - src/cmds/tpm_sealdata.c | 11 +++++++++-- - 2 files changed, 19 insertions(+), 4 deletions(-) + lib/tpm_unseal.c | 11 ++++++++++- + src/cmds/tpm_sealdata.c | 10 +++++++++- + 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/lib/tpm_unseal.c b/lib/tpm_unseal.c -index fc4a84906a..005dab7f8f 100644 +index 4aadf21ec1bb..88f21cf40b72 100644 --- a/lib/tpm_unseal.c +++ b/lib/tpm_unseal.c -@@ -86,7 +86,7 @@ int tpmUnsealFile( char* fname, unsigned char** tss_data, int* tss_size, - int srkSecretLen; +@@ -87,6 +87,7 @@ int tpmUnsealFile( char* fname, unsigned char** tss_data, int* tss_size, unsigned char* res_data = NULL; int res_size = 0; -- + + EVP_CIPHER_CTX *ctx = NULL; BIO *bdata = NULL, *b64 = NULL, *bmem = NULL; int bioRc; -@@ -408,7 +408,12 @@ int tpmUnsealFile( char* fname, unsigned char** tss_data, int* tss_size, +@@ -408,7 +409,12 @@ int tpmUnsealFile( char* fname, unsigned char** tss_data, int* tss_size, } /* Decode and decrypt the encrypted data */ -- EVP_CIPHER_CTX *ctx = NULL; +- EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); + ctx = EVP_CIPHER_CTX_new(); + if ( ctx == NULL ) { + rc = TPMSEAL_STD_ERROR; @@ -39,7 +38,7 @@ index fc4a84906a..005dab7f8f 100644 EVP_DecryptInit(ctx, EVP_aes_256_cbc(), symKey, (unsigned char *)TPMSEAL_IV); /* Create a base64 BIO to decode the encrypted data */ -@@ -459,6 +464,9 @@ out: +@@ -459,6 +465,9 @@ out: } else free(res_data); @@ -50,23 +49,22 @@ index fc4a84906a..005dab7f8f 100644 } 
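Review bot: The rebased patch body still says `Cipher contexts need to be allocated before using EVP_EncryptInit or EVP_DecryptInit. Using a NULL context is invalid.`, but its tpm_unseal.c hunk now removes `EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();` where the old patch removed `EVP_CIPHER_CTX *ctx = NULL;`, so the 1.3.9.2 base already allocates the context. What the patch now adds is the `if ( ctx == NULL )` check on allocation failure, the function-scope `ctx` declaration, and the `EVP_CIPHER_CTX_free` at `out:`; the subject and body should describe that instead, e.g. `Check EVP_CIPHER_CTX_new() failure and free the cipher context in seal/unseal`, and the `Fixes: f50ab0949438` trailer should be re-checked against the new base, which cannot be done from here. The same description mismatch applies to the tpm_sealdata.c hunks further down in this file (the `@@ -50,23 +49,22 @@` hunk).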
diff --git a/src/cmds/tpm_sealdata.c b/src/cmds/tpm_sealdata.c -index a2157f34b1..e25244a0f4 100644 +index 88f63ca0ef89..cd5c49a37f64 100644 --- a/src/cmds/tpm_sealdata.c +++ b/src/cmds/tpm_sealdata.c -@@ -118,7 +118,7 @@ int main(int argc, char **argv) - char *passwd = NULL; +@@ -119,6 +119,7 @@ int main(int argc, char **argv) int pswd_len; BYTE wellKnown[TCPA_SHA1_160_HASH_LEN] = TSS_WELL_KNOWN_SECRET; -- + + EVP_CIPHER_CTX *ctx = NULL; BIO *bin = NULL, *bdata=NULL, *b64=NULL; initIntlSys(); -@@ -343,7 +343,11 @@ int main(int argc, char **argv) +@@ -343,7 +344,11 @@ int main(int argc, char **argv) BIO_puts(bdata, TPMSEAL_ENC_STRING); bdata = BIO_push(b64, bdata); -- EVP_CIPHER_CTX *ctx = NULL; +- EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); + ctx = EVP_CIPHER_CTX_new(); + if (ctx == NULL) { + logError(_("Unable to allocate cipher context\n")); @@ -75,7 +73,7 @@ index a2157f34b1..e25244a0f4 100644 EVP_EncryptInit(ctx, EVP_aes_256_cbc(), randKey, (unsigned char *)TPMSEAL_IV); while ((lineLen = BIO_read(bin, line, sizeof(line))) > 0) { -@@ -375,5 +379,8 @@ out: +@@ -375,5 +380,8 @@ out: BIO_free(bdata); if (b64) BIO_free(b64); @@ -85,5 +83,5 @@ index a2157f34b1..e25244a0f4 100644 return iRc; } -- -2.9.3 +2.27.0 diff --git a/SOURCES/tpm-tools-1.3.9-memset.patch b/SOURCES/tpm-tools-1.3.9-memset.patch deleted file mode 100644 index cdd2406..0000000 --- a/SOURCES/tpm-tools-1.3.9-memset.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -diff -ur tpm-tools-1.3.9/include/tpm_utils.h tpm-tools-1.3.9-new/include/tpm_utils.h ---- tpm-tools-1.3.9/include/tpm_utils.h 2014-07-23 13:37:12.000000000 -0700 -+++ tpm-tools-1.3.9-new/include/tpm_utils.h 2019-06-05 11:13:55.474783996 -0700 -@@ -71,7 +71,7 @@ - #define __no_optimize - #endif - --void * __no_optimize __memset(void *s, int c, size_t n); -+void * __memset(void *s, int c, size_t n); - - typedef int (*CmdOptParser)( const int aOpt, const char *aOptArg ); - typedef void (*CmdHelpFunction)( const char *aCmd ); -diff -ur tpm-tools-1.3.9/lib/tpm_utils.c tpm-tools-1.3.9-new/lib/tpm_utils.c ---- tpm-tools-1.3.9/lib/tpm_utils.c 2014-07-23 13:37:12.000000000 -0700 -+++ tpm-tools-1.3.9-new/lib/tpm_utils.c 2019-06-05 11:13:41.570968364 -0700 -@@ -134,10 +134,12 @@ - return 0; - } - --void * __no_optimize -+void * - __memset(void *s, int c, size_t n) - { -- return memset(s, c, n); -+ memset(s, c, n); -+ asm volatile("" ::: "memory"); -+ return s; - } - - /* diff --git a/SPECS/tpm-tools.spec b/SPECS/tpm-tools.spec index d0ded9f..f6bae9c 100644 --- a/SPECS/tpm-tools.spec +++ b/SPECS/tpm-tools.spec 
@@ -1,21 +1,15 @@
 Name: tpm-tools
 Summary: Management tools for the TPM hardware
-Version: 1.3.9
-Release: 7%{?dist}
+Version: 1.3.9.2
+Release: 1%{?dist}
 License: CPL
 URL: http://trousers.sourceforge.net
 Source0: http://downloads.sourceforge.net/trousers/%{name}-%{version}.tar.gz
-BuildRequires: trousers-devel openssl-devel opencryptoki-devel
-Patch0001: 0001-Fix-build-with-OpenSSL-1.1-due-to-EVP_PKEY-being-an-.patch
-Patch0002: 0002-Fix-build-with-OpenSSL-1.1-due-to-RSA-being-an-opaqu.patch
-Patch0003: 0003-Allocate-OpenSSL-cipher-contexts-for-seal-unseal.patch
-# Patches 4 & 5 submitted upstream by SUSE
-Patch0004: 0001-tpm_version-avoid-outputting-NULL-bytes-from-tpmVend.patch
-Patch0005: 0001-tpm_version-avoid-outputting-undefined-data-on-stder.patch
-# submitted upstream
-Patch0006: 0001-man-manpage-cleanup.patch
-Patch0007: 0001-tpm-tools-fix-outdated-function-signature-in-tpmUnse.patch
-Patch0008: tpm-tools-1.3.9-memset.patch
+BuildRequires: trousers-devel openssl-devel opencryptoki-devel gettext-devel autoconf automake libtool
+Patch0001: 0003-Allocate-OpenSSL-cipher-contexts-for-seal-unseal.patch
+Patch0002: 0001-tpm_version-avoid-outputting-NULL-bytes-from-tpmVend.patch
+Patch0003: 0001-tpm_version-avoid-outputting-undefined-data-on-stder.patch
+Patch0004: 0001-tpm-tools-fix-outdated-function-signature-in-tpmUnse.patch
 
 %description
 tpm-tools is a group of tools to manage and utilize the Trusted Computing
@@ -43,9 +37,11 @@ tpm-tools-devel is a package that contains the libraries and headers
 necessary for developing tpm-tools applications.
 
 %prep
-%autosetup -p1 -c %{name}-%{version}
+%autosetup -p1 %{name}-%{version}
 
 %build
+chmod +x ./bootstrap.sh
+./bootstrap.sh
 %configure --disable-static --disable-rpath --disable-silent-rules
 %make_build
 
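Review bot: `Patch0008: tpm-tools-1.3.9-memset.patch` is dropped without a replacement, and nothing on this page shows that 1.3.9.2 carries its fix. That patch (deleted earlier in this diff) replaced the `__no_optimize` attribute on `__memset` with a `memset` followed by `asm volatile("" ::: "memory")`, the barrier that stops the compiler from eliding the clear; if `__memset` is the wrapper used to scrub key material, as the hardening suggests, silently losing it would reintroduce the problem it fixed. The OpenSSL 1.1 build patches and the manpage patch are plausibly in the new upstream release, but the memset change should be confirmed against lib/tpm_utils.c in the 1.3.9.2 tarball before it is removed, and the changelog entry should name the patches dropped as upstreamed. The surviving patches are also renumbered `Patch0001`..`Patch0004` while keeping their original file names (`0003-...` under `Patch0001`), which is harmless but deserves a one-line comment such as `# carried downstream until merged upstream`.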
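Review bot: `chmod +x ./bootstrap.sh` and `./bootstrap.sh` regenerate the build system from inside `%build`; source preparation of this kind conventionally belongs in `%prep` directly after `%autosetup -p1`, so that `%build` begins at `%configure`. If bootstrap.sh is a plain shell script (its contents are not visible here), `sh ./bootstrap.sh` runs it without altering file modes in the unpacked tree and makes the `chmod` unnecessary. Separately, the new `%autosetup -p1 %{name}-%{version}` drops `-c` but leaves `%{name}-%{version}` as a stray positional argument with no `-n` in front of it; since the default directory is already `%{name}-%{version}`, `%autosetup -p1` says what is meant. The added `BuildRequires` of `gettext-devel autoconf automake libtool` are consistent with running bootstrap at build time.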
@@ -82,6 +78,10 @@ cp -p man/man8/tpm_restrictsrk.8 %{buildroot}/%{_mandir}/man8
 %{_mandir}/man3/tpmUnseal*
 
 %changelog
+* Tue Nov 03 2020 Jerry Snitselaar - 1.3.9.2-1
+- Rebase to 1.3.9.2 release.
+resolves: rhbz#1725781
+
 * Wed Jun 12 2019 Jerry Snitselaar - 1.3.9-7
 - Make sure new manpages get installed.
 resolves: rhbz#1669892