From 66ca280030c3c13f5ae3a0ed29a82dfd661882b4 Mon Sep 17 00:00:00 2001 From: Michal Schmidt Date: Mon, 20 Feb 2017 13:37:03 +0100 Subject: [PATCH] Upstream release 1.3.9. Add fixes for build errors with OpenSSL 1.1. Add fixes for NULL cipher context use in seal/unseal. spec file modernization. --- .gitignore | 1 + ...penSSL-1.1-due-to-EVP_PKEY-being-an-.patch | 37 ++++ ...penSSL-1.1-due-to-RSA-being-an-opaqu.patch | 192 ++++++++++++++++++ ...nSSL-cipher-contexts-for-seal-unseal.patch | 89 ++++++++ sources | 2 +- tpm-tools.spec | 55 +++-- 6 files changed, 344 insertions(+), 32 deletions(-) create mode 100644 0001-Fix-build-with-OpenSSL-1.1-due-to-EVP_PKEY-being-an-.patch create mode 100644 0002-Fix-build-with-OpenSSL-1.1-due-to-RSA-being-an-opaqu.patch create mode 100644 0003-Allocate-OpenSSL-cipher-contexts-for-seal-unseal.patch diff --git a/.gitignore b/.gitignore index fc75480..2a2a6c2 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,4 @@ tpm-tools-1.3.4.tar.gz tpm-tools-1.3.5.tar.gz /tpm-tools-1.3.7.tar.gz /tpm-tools-1.3.8.tar.gz +/tpm-tools-1.3.9.tar.gz diff --git a/0001-Fix-build-with-OpenSSL-1.1-due-to-EVP_PKEY-being-an-.patch b/0001-Fix-build-with-OpenSSL-1.1-due-to-EVP_PKEY-being-an-.patch new file mode 100644 index 0000000..ed43ed0 --- /dev/null +++ b/0001-Fix-build-with-OpenSSL-1.1-due-to-EVP_PKEY-being-an-.patch @@ -0,0 +1,37 @@ +From 3acd773846a85d142e919e2f4eeeee1acea5ca3a Mon Sep 17 00:00:00 2001 +From: Michal Schmidt +Date: Mon, 20 Feb 2017 10:28:33 +0100 +Subject: [PATCH 1/3] Fix build with OpenSSL 1.1 due to EVP_PKEY being an + opaque struct + +With OpenSSL 1.1 the build fails with: +data_import.c:375:26: error: dereferencing pointer to incomplete type +'EVP_PKEY {aka struct evp_pkey_st}' + +The manual page[1] says: + Previous versions of this document suggested using + EVP_PKEY_type(pkey->type) to determine the type of a key. Since EVP_PKEY + is now opaque this is no longer possible: the equivalent is + EVP_PKEY_base_id(pkey). + +[1] https://www.openssl.org/docs/man1.1.0/crypto/EVP_PKEY_base_id.html +--- + src/data_mgmt/data_import.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/data_mgmt/data_import.c b/src/data_mgmt/data_import.c +index f534717f02..d4d2052bc6 100644 +--- a/src/data_mgmt/data_import.c ++++ b/src/data_mgmt/data_import.c +@@ -372,7 +372,7 @@ readX509Cert( const char *a_pszFile, + goto out; + } + +- if ( EVP_PKEY_type( pKey->type ) != EVP_PKEY_RSA ) { ++ if ( EVP_PKEY_base_id( pKey ) != EVP_PKEY_RSA ) { + logError( TOKEN_RSA_KEY_ERROR ); + + X509_free( pX509 ); +-- +2.9.3 + diff --git a/0002-Fix-build-with-OpenSSL-1.1-due-to-RSA-being-an-opaqu.patch b/0002-Fix-build-with-OpenSSL-1.1-due-to-RSA-being-an-opaqu.patch new file mode 100644 index 0000000..68d14bf --- /dev/null +++ b/0002-Fix-build-with-OpenSSL-1.1-due-to-RSA-being-an-opaqu.patch @@ -0,0 +1,192 @@ +From 72fe7011fe981f90a04a62a3fb6ad33037390dff Mon Sep 17 00:00:00 2001 +From: Michal Schmidt +Date: Mon, 20 Feb 2017 10:43:10 +0100 +Subject: [PATCH 2/3] Fix build with OpenSSL 1.1 due to RSA being an opaque + struct + +RSA is an opaque struct in OpenSSL 1.1. New getter functions must be +used to access the key components. The functions were not present in +OpenSSL 1.0, so add a compat header with the implementation of the +needed functions as suggested by the OpenSSL wiki [1] in order to allow +building tpm-tools with any version of OpenSSL. + +[1] https://wiki.openssl.org/index.php/1.1_API_Changes +--- + src/data_mgmt/Makefile.am | 3 ++- + src/data_mgmt/data_import.c | 52 ++++++++++++++++++++++--------------- + src/data_mgmt/openssl_compat.h | 58 ++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 92 insertions(+), 21 deletions(-) + create mode 100644 src/data_mgmt/openssl_compat.h + +diff --git a/src/data_mgmt/Makefile.am b/src/data_mgmt/Makefile.am +index de505e48ef..9457618ab9 100644 +--- a/src/data_mgmt/Makefile.am ++++ b/src/data_mgmt/Makefile.am +@@ -32,7 +32,8 @@ noinst_HEADERS = data_common.h \ + data_init.h \ + data_object.h \ + data_passwd.h \ +- data_protect.h ++ data_protect.h \ ++ openssl_compat.h + + # + # Common build flags +diff --git a/src/data_mgmt/data_import.c b/src/data_mgmt/data_import.c +index d4d2052bc6..532543f7d3 100644 +--- a/src/data_mgmt/data_import.c ++++ b/src/data_mgmt/data_import.c +@@ -39,6 +39,7 @@ + #include + #include + ++#include "openssl_compat.h" + + /* + * Global variables +@@ -691,8 +692,11 @@ createRsaPubKeyObject( RSA *a_pRsa, + + int rc = -1; + +- int nLen = BN_num_bytes( a_pRsa->n ); +- int eLen = BN_num_bytes( a_pRsa->e ); ++ const BIGNUM *rsa_n, *rsa_e; ++ RSA_get0_key( a_pRsa, &rsa_n, &rsa_e, NULL ); ++ ++ int nLen = BN_num_bytes( rsa_n ); ++ int eLen = BN_num_bytes( rsa_e ); + + CK_RV rv; + +@@ -732,8 +736,8 @@ createRsaPubKeyObject( RSA *a_pRsa, + } + + // Get binary representations of the RSA key information +- BN_bn2bin( a_pRsa->n, n ); +- BN_bn2bin( a_pRsa->e, e ); ++ BN_bn2bin( rsa_n, n ); ++ BN_bn2bin( rsa_e, e ); + + // Create the RSA public key object + rv = createObject( a_hSession, tAttr, ulAttrCount, a_hObject ); +@@ -760,14 +764,22 @@ createRsaPrivKeyObject( RSA *a_pRsa, + + int rc = -1; + +- int nLen = BN_num_bytes( a_pRsa->n ); +- int eLen = BN_num_bytes( a_pRsa->e ); +- int dLen = BN_num_bytes( a_pRsa->d ); +- int pLen = BN_num_bytes( a_pRsa->p ); +- int qLen = BN_num_bytes( a_pRsa->q ); +- int dmp1Len = BN_num_bytes( a_pRsa->dmp1 ); +- int dmq1Len = BN_num_bytes( a_pRsa->dmq1 ); +- int iqmpLen = BN_num_bytes( a_pRsa->iqmp ); ++ const BIGNUM *rsa_n, *rsa_e, *rsa_d; ++ const BIGNUM *rsa_p, *rsa_q; ++ const BIGNUM *rsa_dmp1, *rsa_dmq1, *rsa_iqmp; ++ ++ RSA_get0_key( a_pRsa, &rsa_n, &rsa_e, &rsa_d ); ++ RSA_get0_factors( a_pRsa, &rsa_p, &rsa_q ); ++ RSA_get0_crt_params( a_pRsa, &rsa_dmp1, &rsa_dmq1, &rsa_iqmp ); ++ ++ int nLen = BN_num_bytes( rsa_n ); ++ int eLen = BN_num_bytes( rsa_e ); ++ int dLen = BN_num_bytes( rsa_d ); ++ int pLen = BN_num_bytes( rsa_p ); ++ int qLen = BN_num_bytes( rsa_q ); ++ int dmp1Len = BN_num_bytes( rsa_dmp1 ); ++ int dmq1Len = BN_num_bytes( rsa_dmq1 ); ++ int iqmpLen = BN_num_bytes( rsa_iqmp ); + + CK_RV rv; + +@@ -821,14 +833,14 @@ createRsaPrivKeyObject( RSA *a_pRsa, + } + + // Get binary representations of the RSA key information +- BN_bn2bin( a_pRsa->n, n ); +- BN_bn2bin( a_pRsa->e, e ); +- BN_bn2bin( a_pRsa->d, d ); +- BN_bn2bin( a_pRsa->p, p ); +- BN_bn2bin( a_pRsa->q, q ); +- BN_bn2bin( a_pRsa->dmp1, dmp1 ); +- BN_bn2bin( a_pRsa->dmq1, dmq1 ); +- BN_bn2bin( a_pRsa->iqmp, iqmp ); ++ BN_bn2bin( rsa_n, n ); ++ BN_bn2bin( rsa_e, e ); ++ BN_bn2bin( rsa_d, d ); ++ BN_bn2bin( rsa_p, p ); ++ BN_bn2bin( rsa_q, q ); ++ BN_bn2bin( rsa_dmp1, dmp1 ); ++ BN_bn2bin( rsa_dmq1, dmq1 ); ++ BN_bn2bin( rsa_iqmp, iqmp ); + + // Create the RSA private key object + rv = createObject( a_hSession, tAttr, ulAttrCount, a_hObject ); +diff --git a/src/data_mgmt/openssl_compat.h b/src/data_mgmt/openssl_compat.h +new file mode 100644 +index 0000000000..2a60fdf492 +--- /dev/null ++++ b/src/data_mgmt/openssl_compat.h +@@ -0,0 +1,58 @@ ++/* ++ * Getter functions for OpenSSL < 1.1 compatibility. Based on code from: ++ * https://wiki.openssl.org/index.php/1.1_API_Changes#Adding_forward-compatible_code_to_older_versions ++ * and therefore: ++ * Copyright OpenSSL 2016 ++ * Contents licensed under the terms of the OpenSSL license ++ * See http://www.openssl.org/source/license.html for details ++ */ ++ ++#ifndef __OPENSSL_COMPAT_H ++#define __OPENSSL_COMPAT_H ++ ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++ ++#include ++ ++static inline void ++RSA_get0_key( const RSA *r, ++ const BIGNUM **n, ++ const BIGNUM **e, ++ const BIGNUM **d ) { ++ ++ if ( n ) ++ *n = r->n; ++ if ( e ) ++ *e = r->e; ++ if ( d ) ++ *d = r->d; ++} ++ ++static inline void ++RSA_get0_factors( const RSA *r, ++ const BIGNUM **p, ++ const BIGNUM **q ) { ++ ++ if ( p ) ++ *p = r->p; ++ if ( q ) ++ *q = r->q; ++} ++ ++static inline void ++RSA_get0_crt_params( const RSA *r, ++ const BIGNUM **dmp1, ++ const BIGNUM **dmq1, ++ const BIGNUM **iqmp ) { ++ ++ if ( dmp1 ) ++ *dmp1 = r->dmp1; ++ if ( dmq1 ) ++ *dmq1 = r->dmq1; ++ if ( iqmp ) ++ *iqmp = r->iqmp; ++} ++ ++#endif /* OPENSSL_VERSION_NUMBER */ ++ ++#endif /* __OPENSSL_COMPAT_H */ +-- +2.9.3 + diff --git a/0003-Allocate-OpenSSL-cipher-contexts-for-seal-unseal.patch b/0003-Allocate-OpenSSL-cipher-contexts-for-seal-unseal.patch new file mode 100644 index 0000000..1f18e8b --- /dev/null +++ b/0003-Allocate-OpenSSL-cipher-contexts-for-seal-unseal.patch @@ -0,0 +1,89 @@ +From c229bb590250bd9769cb5a63918ab0f6c9386be7 Mon Sep 17 00:00:00 2001 +From: Michal Schmidt +Date: Mon, 20 Feb 2017 12:00:39 +0100 +Subject: [PATCH 3/3] Allocate OpenSSL cipher contexts for seal/unseal + +Cipher contexts need to be allocated before using EVP_EncryptInit or +EVP_DecryptInit. Using a NULL context is invalid. + +Fixes: f50ab0949438 ("Support OpenSSL 1.1.0") +--- + lib/tpm_unseal.c | 12 ++++++++++-- + src/cmds/tpm_sealdata.c | 11 +++++++++-- + 2 files changed, 19 insertions(+), 4 deletions(-) + +diff --git a/lib/tpm_unseal.c b/lib/tpm_unseal.c +index fc4a84906a..005dab7f8f 100644 +--- a/lib/tpm_unseal.c ++++ b/lib/tpm_unseal.c +@@ -86,7 +86,7 @@ int tpmUnsealFile( char* fname, unsigned char** tss_data, int* tss_size, + int srkSecretLen; + unsigned char* res_data = NULL; + int res_size = 0; +- ++ EVP_CIPHER_CTX *ctx = NULL; + BIO *bdata = NULL, *b64 = NULL, *bmem = NULL; + int bioRc; + +@@ -408,7 +408,12 @@ int tpmUnsealFile( char* fname, unsigned char** tss_data, int* tss_size, + } + + /* Decode and decrypt the encrypted data */ +- EVP_CIPHER_CTX *ctx = NULL; ++ ctx = EVP_CIPHER_CTX_new(); ++ if ( ctx == NULL ) { ++ rc = TPMSEAL_STD_ERROR; ++ tpm_errno = ENOMEM; ++ goto tss_out; ++ } + EVP_DecryptInit(ctx, EVP_aes_256_cbc(), symKey, (unsigned char *)TPMSEAL_IV); + + /* Create a base64 BIO to decode the encrypted data */ +@@ -459,6 +464,9 @@ out: + } else + free(res_data); + ++ if (ctx) ++ EVP_CIPHER_CTX_free(ctx); ++ + return rc; + } + +diff --git a/src/cmds/tpm_sealdata.c b/src/cmds/tpm_sealdata.c +index a2157f34b1..e25244a0f4 100644 +--- a/src/cmds/tpm_sealdata.c ++++ b/src/cmds/tpm_sealdata.c +@@ -118,7 +118,7 @@ int main(int argc, char **argv) + char *passwd = NULL; + int pswd_len; + BYTE wellKnown[TCPA_SHA1_160_HASH_LEN] = TSS_WELL_KNOWN_SECRET; +- ++ EVP_CIPHER_CTX *ctx = NULL; + BIO *bin = NULL, *bdata=NULL, *b64=NULL; + + initIntlSys(); +@@ -343,7 +343,11 @@ int main(int argc, char **argv) + BIO_puts(bdata, TPMSEAL_ENC_STRING); + bdata = BIO_push(b64, bdata); + +- EVP_CIPHER_CTX *ctx = NULL; ++ ctx = EVP_CIPHER_CTX_new(); ++ if (ctx == NULL) { ++ logError(_("Unable to allocate cipher context\n")); ++ goto out_close; ++ } + EVP_EncryptInit(ctx, EVP_aes_256_cbc(), randKey, (unsigned char *)TPMSEAL_IV); + + while ((lineLen = BIO_read(bin, line, sizeof(line))) > 0) { +@@ -375,5 +379,8 @@ out: + BIO_free(bdata); + if (b64) + BIO_free(b64); ++ if (ctx) ++ EVP_CIPHER_CTX_free(ctx); ++ + return iRc; + } +-- +2.9.3 + diff --git a/sources b/sources index a20d762..f837a64 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -85a978c4e03fefd4b73cbeadde7c4d0b tpm-tools-1.3.8.tar.gz +SHA512 (tpm-tools-1.3.9.tar.gz) = 460e56031aa65ede6b7aebf0c594d4093d870fb46f7c453c429e53cca442d4c7797ac29b519bca28d42133bc6d7701cdf938adbdf11f8be841157d4f4a3e17ca diff --git a/tpm-tools.spec b/tpm-tools.spec index 1ad1180..d2bb62f 100644 --- a/tpm-tools.spec +++ b/tpm-tools.spec @@ -1,18 +1,14 @@ Name: tpm-tools Summary: Management tools for the TPM hardware -Version: 1.3.8 -Release: 11%{?dist} +Version: 1.3.9 +Release: 1%{?dist} License: CPL -Group: Applications/System URL: http://trousers.sourceforge.net - Source0: http://downloads.sourceforge.net/trousers/%{name}-%{version}.tar.gz -# Package unnecessarily has -Werror and any problem kills the build -Patch0: tpm-tools-1.3.5-no-werror.patch - -BuildRequires: trousers-devel openssl-devel opencryptoki-devel chrpath -# Working with upstream to fix this, but in the mean time we need this -BuildRequires: automake autoconf gettext-devel libtool +BuildRequires: trousers-devel openssl-devel opencryptoki-devel +Patch0001: 0001-Fix-build-with-OpenSSL-1.1-due-to-EVP_PKEY-being-an-.patch +Patch0002: 0002-Fix-build-with-OpenSSL-1.1-due-to-RSA-being-an-opaqu.patch +Patch0003: 0003-Allocate-OpenSSL-cipher-contexts-for-seal-unseal.patch %description tpm-tools is a group of tools to manage and utilize the Trusted Computing @@ -22,7 +18,6 @@ software state using cryptographic hashes and more. %package pkcs11 Summary: Management tools using PKCS#11 for the TPM hardware -Group: Applications/System # opencryptoki is dlopen'd, the Requires won't get picked up automatically Requires: opencryptoki-libs%{?_isa} @@ -34,56 +29,54 @@ objects in the data store, and protect data. %package devel Summary: Files to use the library routines supplied with tpm-tools -Group: Development/Libraries -Requires: %{name} = %{version}-%{release} +Requires: %{name}%{?_isa} = %{version}-%{release} %description devel tpm-tools-devel is a package that contains the libraries and headers necessary for developing tpm-tools applications. %prep -%setup -q -%patch0 -p1 -autoreconf -i +%autosetup -p1 -c %{name}-%{version} %build -%configure -make %{?_smp_mflags} V=1 +%configure --disable-static --disable-rpath --disable-silent-rules +%make_build %install -make install DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" +%make_install INSTALL="install -p" rm -f $RPM_BUILD_ROOT/%{_libdir}/libtpm_unseal.la -rm -f $RPM_BUILD_ROOT/%{_libdir}/libtpm_unseal.a -chrpath -d %{buildroot}%{_bindir}/tpm_unsealdata -chrpath -d %{buildroot}%{_bindir}/tpm_sealdata %post -p /sbin/ldconfig %postun -p /sbin/ldconfig %files -%defattr(-,root,root,-) -%doc LICENSE README -%attr(755, root, root) %{_bindir}/tpm_* -%attr(755, root, root) %{_sbindir}/tpm_* -%attr(755, root, root) %{_libdir}/libtpm_unseal.so.?.?.? +%license LICENSE +%doc README +%{_bindir}/tpm_* +%{_sbindir}/tpm_* +%{_libdir}/libtpm_unseal.so.?.?.? %{_libdir}/libtpm_unseal.so.? %{_mandir}/man1/tpm_* %{_mandir}/man8/tpm_* %files pkcs11 -%doc LICENSE -%defattr(-,root,root,-) -%attr(755, root, root) %{_bindir}/tpmtoken_* +%license LICENSE +%{_bindir}/tpmtoken_* %{_mandir}/man1/tpmtoken_* %files devel -%defattr(-,root,root,-) %{_libdir}/libtpm_unseal.so %{_includedir}/tpm_tools/ %{_mandir}/man3/tpmUnseal* %changelog +* Mon Feb 20 2017 Michal Schmidt - 1.3.9-1 +- Upstream release 1.3.9. +- Add fixes for build errors with OpenSSL 1.1. +- Add fixes for NULL cipher context use in seal/unseal. +- spec file modernization. + * Sat Feb 11 2017 Fedora Release Engineering - 1.3.8-11 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild