import tpm-tools-1.3.9-7.el8

.gitignore

@@ -0,0 +1 @@
+SOURCES/tpm-tools-1.3.9.tar.gz

.tpm-tools.metadata

@@ -0,0 +1 @@
+63d5cd42f464f7a200c508b551f5f2728f141a71 SOURCES/tpm-tools-1.3.9.tar.gz

SOURCES/0001-Fix-build-with-OpenSSL-1.1-due-to-EVP_PKEY-being-an-.patch

@@ -0,0 +1,37 @@
+From 3acd773846a85d142e919e2f4eeeee1acea5ca3a Mon Sep 17 00:00:00 2001
+From: Michal Schmidt <mschmidt@redhat.com>
+Date: Mon, 20 Feb 2017 10:28:33 +0100
+Subject: [PATCH 1/3] Fix build with OpenSSL 1.1 due to EVP_PKEY being an
+ opaque struct
+
+With OpenSSL 1.1 the build fails with:
+data_import.c:375:26: error: dereferencing pointer to incomplete type
+'EVP_PKEY {aka struct evp_pkey_st}'
+
+The manual page[1] says:
+  Previous versions of this document suggested using
+  EVP_PKEY_type(pkey->type) to determine the type of a key. Since EVP_PKEY
+  is now opaque this is no longer possible: the equivalent is
+  EVP_PKEY_base_id(pkey).
+
+[1] https://www.openssl.org/docs/man1.1.0/crypto/EVP_PKEY_base_id.html
+---
+ src/data_mgmt/data_import.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/data_mgmt/data_import.c b/src/data_mgmt/data_import.c
+index f534717f02..d4d2052bc6 100644
+--- a/src/data_mgmt/data_import.c
++++ b/src/data_mgmt/data_import.c
+@@ -372,7 +372,7 @@ readX509Cert( const char  *a_pszFile,
+ 		goto out;
+ 	}
+ 
+-	if ( EVP_PKEY_type( pKey->type ) != EVP_PKEY_RSA ) {
++	if ( EVP_PKEY_base_id( pKey ) != EVP_PKEY_RSA ) {
+ 		logError( TOKEN_RSA_KEY_ERROR );
+ 
+ 		X509_free( pX509 );
+-- 
+2.9.3
+

SOURCES/0001-man-manpage-cleanup.patch

@@ -0,0 +1,232 @@
+From 65ca7418b9a884bb5271e602cf63fc8845397988 Mon Sep 17 00:00:00 2001
+From: Jerry Snitselaar <jsnitsel@redhat.com>
+Date: Sun, 27 Jan 2019 21:55:19 -0700
+Subject: [PATCH] man: manpage cleanup
+
+tpm_restrictsrk and tpm_unsealdata are missing manpages.
+Add missing options to tpm_nvdefine and tpm_setpresence.
+
+Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
+---
+ man/man1/Makefile.am       |  1 +
+ man/man1/tpm_unsealdata.1  | 60 +++++++++++++++++++++++++++++++++
+ man/man8/Makefile.am       |  1 +
+ man/man8/tpm_nvdefine.8    | 13 ++++++--
+ man/man8/tpm_restrictsrk.8 | 68 ++++++++++++++++++++++++++++++++++++++
+ man/man8/tpm_setpresence.8 |  3 ++
+ 6 files changed, 144 insertions(+), 2 deletions(-)
+ create mode 100644 man/man1/tpm_unsealdata.1
+ create mode 100644 man/man8/tpm_restrictsrk.8
+
+diff --git a/man/man1/Makefile.am b/man/man1/Makefile.am
+index ff8b571..f833363 100644
+--- a/man/man1/Makefile.am
++++ b/man/man1/Makefile.am
+@@ -22,6 +22,7 @@
+ #
+ 
+ man1_MANS	=	tpm_sealdata.1		\
++			tpm_unsealdata.1	\
+ 			tpm_version.1
+ if P11_SUPPORT
+ man1_MANS	+=	tpmtoken_init.1		\
+diff --git a/man/man1/tpm_unsealdata.1 b/man/man1/tpm_unsealdata.1
+new file mode 100644
+index 0000000..80e8f12
+--- /dev/null
++++ b/man/man1/tpm_unsealdata.1
+@@ -0,0 +1,60 @@
++.\" Copyright (C) 2019 International Business Machines Corporation
++.\"
++.de Sh \" Subsection
++.br
++.if t .Sp
++.ne 5
++.PP
++\fB\\$1\fR
++.PP
++..
++.de Sp \" Vertical space (when we can't use .PP)
++.if t .sp .5v
++.if n .sp
++..
++.de Ip \" List item
++.br
++.ie \\n(.$>=3 .ne \\$3
++.el .ne 3
++.IP "\\$1" \\$2
++..
++.TH "tpm_unsealdata" 1 "2019-01-27"  "TPM Management"
++.ce 1
++TPM Management - tpm_unsealdata
++.SH NAME
++tpm_unsealdata \- unseal input data with the SRK of the system's TPM
++.SH "SYNOPSIS"
++.ad l
++.hy 0
++.B tpm_unsealdata
++.RB [ OPTION ]
++
++.SH "DESCRIPTION"
++.PP
++\fBtpm_unsealdata\fR unseals sensitive data that was sealed the SRK of the system's TPM.
++
++.TP
++\fB\-h\fR, \fB\-\-help\fR
++Display command usage info.
++.TP
++\fB-v\fR, \fB\-\-version\fR
++Display command version info.
++.TP
++\fB-l\fR, \fB\-\-log\fR [none|error|info|debug]
++Set logging level.
++.TP
++\fB-i\fR, \fB\-\-infile FILE\fR
++File containing data to unseal.
++.TP
++\fB-o\fR, \fB\-\-outfile FILE\fR
++Filename to write unsealed data to.  Default is STDOUT.
++.TP
++\fB-z\fR, \fB\-\-well-known\fR
++Use TSS_WELL_KNOWN_SECRET (20 zero bytes) as the SRK password. You will not be prompted for the SRK password with this option.
++
++.SH "SEE ALSO"
++.PP
++\fBtpm_sealdata\fR(1), \fBtpmUnsealFile\fR(3)
++
++.SH "REPORTING BUGS"
++Report bugs to <trousers-users@lists.sourceforge.net>
+diff --git a/man/man8/Makefile.am b/man/man8/Makefile.am
+index b38ac18..487a4c8 100644
+--- a/man/man8/Makefile.am
++++ b/man/man8/Makefile.am
+@@ -36,6 +36,7 @@ man8_MANS =	tpm_changeownerauth.8	\
+ 		tpm_createek.8		\
+ 		tpm_getpubek.8		\
+ 		tpm_restrictpubek.8	\
++		tpm_restrictsrk.8	\
+ 		tpm_selftest.8		\
+ 		tpm_setactive.8		\
+ 		tpm_setclearable.8	\
+diff --git a/man/man8/tpm_nvdefine.8 b/man/man8/tpm_nvdefine.8
+index 13edb78..0eecc2a 100644
+--- a/man/man8/tpm_nvdefine.8
++++ b/man/man8/tpm_nvdefine.8
+@@ -161,8 +161,8 @@ using \s-1TSS\s0 popup boxes
+ .IP "\fB\-y, \-\-owner\-well\-known\fR" 4
+ .IX Item "-y, --owner-well-known"
+ Use a secret of all zeros (20 bytes of zeros) as the owner's secret.
+-.IP "\fB\-z, \-\-area\-well\-known\fR" 4
+-.IX Item "-z, --area-well-known"
++.IP "\fB\-z, \-\-data\-well\-known\fR" 4
++.IX Item "-z, --data-well-known"
+ Use a secret of all zeros (20 bytes of zeros) as the \s-1NVRAM\s0 area's secret.
+ .IP "\fB\-o, \-\-pwdo\fR (optional parameter)" 4
+ .IX Item "-o, --pwdo (optional parameter)"
+@@ -189,6 +189,15 @@ To select the \s-1NVRAM\s0 area with index 0x100, the command line parameter sho
+ .IX Item "-s, --size"
+ The size of the \s-1NVRAM\s0 area.
+ The parameter must either be a decimal number or a hexadecimal number starting with '0x'.
++.IP "\fB\-r, \-\-rpcsr\fR" 4
++.IX Item "-r, --rpcrs"
++PCRs to seal the NVRAM area to for reading (use multiple times)
++.IP "\fB\-w, \-\-wpcrs\fR" 4
++.IX Item "-w, --wpcrs"
++PCRs to seal the NVRAM area to for writing (use multiple times)
++.IP "\fB\-f, \-\-filename\fR" 4
++.IX Item "-f, --filename"
++File containing PCR info for the NVRAM area.
+ .IP "\fB\-p, \-\-permissions\fR" 4
+ .IX Item "-p, --permissions"
+ The access permissions associated with the \s-1NVRAM\s0 area.
+diff --git a/man/man8/tpm_restrictsrk.8 b/man/man8/tpm_restrictsrk.8
+new file mode 100644
+index 0000000..7935b7b
+--- /dev/null
++++ b/man/man8/tpm_restrictsrk.8
+@@ -0,0 +1,68 @@
++.\" Copyright (C) 2019 International Business Machines Corporation
++.\"
++.de Sh \" Subsection
++.br
++.if t .Sp
++.ne 5
++.PP
++\fB\\$1\fR
++.PP
++..
++.de Sp \" Vertical space (when we can't use .PP)
++.if t .sp .5v
++.if n .sp
++..
++.de Ip \" List item
++.br
++.ie \\n(.$>=3 .ne \\$3
++.el .ne 3
++.IP "\\$1" \\$2
++..
++.TH "tpm_restrictsrk" 8 "2019-01-27"  "TPM Management"
++.ce 1
++TPM Management - tpm_restrictsrk
++.SH NAME
++tpm_restrictsrk \- restrict the ability to access the Storage Root Key
++.SH "SYNOPSIS"
++.ad l
++.hy 0
++.B tpm_restrictsrk
++.RB [ OPTION ]
++
++.SH "DESCRIPTION"
++.PP
++\fBtpm_restrictsrk\fR reports the status of who can access the Storage Root Key.  This is the default behavior and also available with the \fB\-\-status\fR option.
++This operation will be in effect until the owner is cleared and prompts for the owner passord.  With the \fB\-\-restrict\fR option, the ability to access the Storage Root Key is resticted to the owner.
++The command prompts for the owner password to complete the operation.  The \fB\-\-allow\fR and \fB\-\-restrict\fR options are mutually exclusive and the last one on the command line will be carried out.
++
++.TP
++\fB\-h\fR, \fB\-\-help\fR
++Display command usage info.
++.TP
++\fB-v\fR, \fB\-\-version\fR
++Display command version info.
++.TP
++\fB-l\fR, \fB\-\-log\fR [none|error|info|debug]
++Set logging level.
++.TP
++\fB-u\fR, \fB\-\-unicode\fR
++Use TSS UNICODE encoding for passwords to comply with applications using TSS popup boxes
++.TP
++\fB-a\fR, \fB\-\-allow\fR
++Allow SRK read access using SRK auth
++.TP
++\fB-s\fR, \fB\-\-status\fR
++Display the status of who can access the Storage Root Key
++.TP
++\fB-r\fR, \fB\-\-restrict\fR
++Restrict SRK read to owner only
++.TP
++\fB-z\fR, \fB\-\-well-known\fR
++Authenticate using 20 bytes of zeros as owner password (the default TSS Well Known Secret), instead of prompting for an owner password.
++
++.SH "SEE ALSO"
++.PP
++\fBtpm_version\fR(1), \fBtpm_takeownership\fR(8), \fBtcsd\fR(8)
++
++.SH "REPORTING BUGS"
++Report bugs to <trousers-users@lists.sourceforge.net>
+diff --git a/man/man8/tpm_setpresence.8 b/man/man8/tpm_setpresence.8
+index a04c70f..96670e0 100644
+--- a/man/man8/tpm_setpresence.8
++++ b/man/man8/tpm_setpresence.8
+@@ -46,6 +46,9 @@ Set logging level.
+ \fB-u\fR, \fB\-\-unicode\fR
+ Use TSS UNICODE encoding for passwords to comply with applications using TSS popup boxes
+ .TP
++\fB-s\fR, \fB\-\-status\fR
++Report current physical presence states.
++.TP
+ \fB-a\fR, \fB\-\-assert\fR
+ Assert that an admin is physically present at the machine.
+ .TP
+-- 
+2.20.1.98.gecbdaf0899
+

SOURCES/0001-tpm-tools-fix-outdated-function-signature-in-tpmUnse.patch

@@ -0,0 +1,29 @@
+From d11a2d62797e6794105470c1dd5f99017d9484e3 Mon Sep 17 00:00:00 2001
+From: Jerry Snitselaar <jsnitsel@redhat.com>
+Date: Sun, 27 Jan 2019 23:17:02 -0700
+Subject: [PATCH] tpm-tools: fix outdated function signature in tpmUnsealFile
+ manpage
+
+The tpmUnsealFile manpage hasn't been updated with changes to tpmUnsealFile.
+
+Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
+---
+ man/man3/tpmUnsealFile.3 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/man/man3/tpmUnsealFile.3 b/man/man3/tpmUnsealFile.3
+index 1fda48f..c362298 100644
+--- a/man/man3/tpmUnsealFile.3
++++ b/man/man3/tpmUnsealFile.3
+@@ -28,7 +28,7 @@ tpmUnsealFile, tpmUnsealShred, tpmUnsealStrerror - unseal routines
+ .hy 0
+ .B #include <tpm_unseal/tpm_unseal.h>
+ .sp
+-.B int tpmUnsealFile(char* file, char** data, int* size);
++.B int tpmUnsealFile(char* fname, char** tss_data, int* tss_size, BOOL srkWellKnown);
+ .br
+ .B void tpmUnsealShred(char* data, int size);
+ .br
+-- 
+2.20.1.98.gecbdaf0899
+

SOURCES/0001-tpm_version-avoid-outputting-NULL-bytes-from-tpmVend.patch

@@ -0,0 +1,54 @@
+From c927f67f36a4719bd15b8a535efb6980f1e87a6b Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner <matthias.gerstner@suse.de>
+Date: Fri, 30 Nov 2018 12:48:37 +0100
+Subject: [PATCH] tpm_version: avoid outputting NULL bytes from tpmVendorID
+
+When the vendor ID contains null bytes then '^@' characters appear in
+the tpm_version output. This can confuse users and it also causes e.g.
+'grep' to treat the input as binary. Example:
+
+  TPM Vendor ID:       WEC\000
+
+This change copies the vendor ID bytes over into a local string object.
+This makes the code more independent of the vendor ID dimension and also
+avoids NULL bytes being printed.
+---
+ src/tpm_mgmt/tpm_version.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/src/tpm_mgmt/tpm_version.c b/src/tpm_mgmt/tpm_version.c
+index 1019b71..78b78e8 100644
+--- a/src/tpm_mgmt/tpm_version.c
++++ b/src/tpm_mgmt/tpm_version.c
+@@ -133,6 +133,7 @@ int cmdVersion(const char *a_szCmd)
+ 		UINT64 offset;
+ 		TSS_RESULT uiResult;
+ 		TPM_CAP_VERSION_INFO versionInfo;
++		char vendor_id[sizeof(versionInfo.tpmVendorID)+1];
+ 		char *errbuf = NULL; // Buffer containing what was sent to stderr during getCapability.
+ 
+ 		/* Disable logging to of "Bad Mode" during this call. 
+@@ -169,15 +170,17 @@ int cmdVersion(const char *a_szCmd)
+ 			goto out_close;
+ 		}
+ 
++		// copy over the individual characters into a regular string.
++		// This avoids that null bytes are written to stdout.
++		snprintf ( vendor_id, sizeof(vendor_id), "%s", (const char*)versionInfo.tpmVendorID );
++
+ 		logMsg(_("  TPM 1.2 Version Info:\n"));
+ 		logMsg(_("  Chip Version:        %hhu.%hhu.%hhu.%hhu\n"),
+ 		       versionInfo.version.major, versionInfo.version.minor,
+ 		       versionInfo.version.revMajor, versionInfo.version.revMinor);
+ 		logMsg(_("  Spec Level:          %hu\n"), versionInfo.specLevel);
+ 		logMsg(_("  Errata Revision:     %hhu\n"), versionInfo.errataRev);
+-		logMsg(_("  TPM Vendor ID:       %c%c%c%c\n"),
+-		       versionInfo.tpmVendorID[0], versionInfo.tpmVendorID[1],
+-		       versionInfo.tpmVendorID[2], versionInfo.tpmVendorID[3]);
++		logMsg(_("  TPM Vendor ID:       %s\n"), vendor_id);
+ 
+ 		if (versionInfo.vendorSpecificSize) {
+ 			logMsg(_("  Vendor Specific data: "));
+-- 
+2.18.1
+

SOURCES/0001-tpm_version-avoid-outputting-undefined-data-on-stder.patch

@@ -0,0 +1,38 @@
+From f0f30ff3e3b08751ebb8524303d80b6e94882134 Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner <matthias.gerstner@suse.de>
+Date: Fri, 30 Nov 2018 13:17:01 +0100
+Subject: [PATCH] tpm_version: avoid outputting undefined data on stderr
+
+If there was no data written to the temporary file then memsize == 1, no
+data will be read from the file into the buffer and the buffer will not
+be null terminated. This can cause random data to be output later on to
+the original stderr like:
+
+'#precedence ::ffff:0:0/'
+
+or
+
+'xl?8?'
+
+Fix this by making sure the buffer is always zero terminated.
+---
+ src/tpm_mgmt/tpm_version.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/tpm_mgmt/tpm_version.c b/src/tpm_mgmt/tpm_version.c
+index 78b78e8..e563a8c 100644
+--- a/src/tpm_mgmt/tpm_version.c
++++ b/src/tpm_mgmt/tpm_version.c
+@@ -99,6 +99,9 @@ char* end_capture_stderr(int olderr)
+     perror("read()");
+   }
+ 
++  // make sure the buffer is null terminated.
++  buf[st.st_size] = '\0';
++
+   // Restore stderr.
+  errout:
+   if (0 > dup2(olderr, STDERR_FILENO)) {
+-- 
+2.18.1
+

SOURCES/0002-Fix-build-with-OpenSSL-1.1-due-to-RSA-being-an-opaqu.patch

@@ -0,0 +1,192 @@
+From 72fe7011fe981f90a04a62a3fb6ad33037390dff Mon Sep 17 00:00:00 2001
+From: Michal Schmidt <mschmidt@redhat.com>
+Date: Mon, 20 Feb 2017 10:43:10 +0100
+Subject: [PATCH 2/3] Fix build with OpenSSL 1.1 due to RSA being an opaque
+ struct
+
+RSA is an opaque struct in OpenSSL 1.1. New getter functions must be
+used to access the key components. The functions were not present in
+OpenSSL 1.0, so add a compat header with the implementation of the
+needed functions as suggested by the OpenSSL wiki [1] in order to allow
+building tpm-tools with any version of OpenSSL.
+
+[1] https://wiki.openssl.org/index.php/1.1_API_Changes
+---
+ src/data_mgmt/Makefile.am      |  3 ++-
+ src/data_mgmt/data_import.c    | 52 ++++++++++++++++++++++---------------
+ src/data_mgmt/openssl_compat.h | 58 ++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 92 insertions(+), 21 deletions(-)
+ create mode 100644 src/data_mgmt/openssl_compat.h
+
+diff --git a/src/data_mgmt/Makefile.am b/src/data_mgmt/Makefile.am
+index de505e48ef..9457618ab9 100644
+--- a/src/data_mgmt/Makefile.am
++++ b/src/data_mgmt/Makefile.am
+@@ -32,7 +32,8 @@ noinst_HEADERS =	data_common.h \
+ 			data_init.h \
+ 			data_object.h \
+ 			data_passwd.h \
+-			data_protect.h
++			data_protect.h \
++			openssl_compat.h
+ 
+ #
+ # Common build flags
+diff --git a/src/data_mgmt/data_import.c b/src/data_mgmt/data_import.c
+index d4d2052bc6..532543f7d3 100644
+--- a/src/data_mgmt/data_import.c
++++ b/src/data_mgmt/data_import.c
+@@ -39,6 +39,7 @@
+ #include <openssl/evp.h>
+ #include <openssl/err.h>
+ 
++#include "openssl_compat.h"
+ 
+ /*
+  * Global variables
+@@ -691,8 +692,11 @@ createRsaPubKeyObject( RSA               *a_pRsa,
+ 
+ 	int  rc = -1;
+ 
+-	int  nLen = BN_num_bytes( a_pRsa->n );
+-	int  eLen = BN_num_bytes( a_pRsa->e );
++	const BIGNUM *rsa_n, *rsa_e;
++	RSA_get0_key( a_pRsa, &rsa_n, &rsa_e, NULL );
++
++	int  nLen = BN_num_bytes( rsa_n );
++	int  eLen = BN_num_bytes( rsa_e );
+ 
+ 	CK_RV  rv;
+ 
+@@ -732,8 +736,8 @@ createRsaPubKeyObject( RSA               *a_pRsa,
+ 	}
+ 
+ 	// Get binary representations of the RSA key information
+-	BN_bn2bin( a_pRsa->n, n );
+-	BN_bn2bin( a_pRsa->e, e );
++	BN_bn2bin( rsa_n, n );
++	BN_bn2bin( rsa_e, e );
+ 
+ 	// Create the RSA public key object
+ 	rv = createObject( a_hSession, tAttr, ulAttrCount, a_hObject );
+@@ -760,14 +764,22 @@ createRsaPrivKeyObject( RSA               *a_pRsa,
+ 
+ 	int  rc = -1;
+ 
+-	int  nLen = BN_num_bytes( a_pRsa->n );
+-	int  eLen = BN_num_bytes( a_pRsa->e );
+-	int  dLen = BN_num_bytes( a_pRsa->d );
+-	int  pLen = BN_num_bytes( a_pRsa->p );
+-	int  qLen = BN_num_bytes( a_pRsa->q );
+-	int  dmp1Len = BN_num_bytes( a_pRsa->dmp1 );
+-	int  dmq1Len = BN_num_bytes( a_pRsa->dmq1 );
+-	int  iqmpLen = BN_num_bytes( a_pRsa->iqmp );
++	const BIGNUM *rsa_n, *rsa_e, *rsa_d;
++	const BIGNUM *rsa_p, *rsa_q;
++	const BIGNUM *rsa_dmp1, *rsa_dmq1, *rsa_iqmp;
++
++	RSA_get0_key( a_pRsa, &rsa_n, &rsa_e, &rsa_d );
++	RSA_get0_factors( a_pRsa, &rsa_p, &rsa_q );
++	RSA_get0_crt_params( a_pRsa, &rsa_dmp1, &rsa_dmq1, &rsa_iqmp );
++
++	int  nLen = BN_num_bytes( rsa_n );
++	int  eLen = BN_num_bytes( rsa_e );
++	int  dLen = BN_num_bytes( rsa_d );
++	int  pLen = BN_num_bytes( rsa_p );
++	int  qLen = BN_num_bytes( rsa_q );
++	int  dmp1Len = BN_num_bytes( rsa_dmp1 );
++	int  dmq1Len = BN_num_bytes( rsa_dmq1 );
++	int  iqmpLen = BN_num_bytes( rsa_iqmp );
+ 
+ 	CK_RV  rv;
+ 
+@@ -821,14 +833,14 @@ createRsaPrivKeyObject( RSA               *a_pRsa,
+ 	}
+ 
+ 	// Get binary representations of the RSA key information
+-	BN_bn2bin( a_pRsa->n, n );
+-	BN_bn2bin( a_pRsa->e, e );
+-	BN_bn2bin( a_pRsa->d, d );
+-	BN_bn2bin( a_pRsa->p, p );
+-	BN_bn2bin( a_pRsa->q, q );
+-	BN_bn2bin( a_pRsa->dmp1, dmp1 );
+-	BN_bn2bin( a_pRsa->dmq1, dmq1 );
+-	BN_bn2bin( a_pRsa->iqmp, iqmp );
++	BN_bn2bin( rsa_n, n );
++	BN_bn2bin( rsa_e, e );
++	BN_bn2bin( rsa_d, d );
++	BN_bn2bin( rsa_p, p );
++	BN_bn2bin( rsa_q, q );
++	BN_bn2bin( rsa_dmp1, dmp1 );
++	BN_bn2bin( rsa_dmq1, dmq1 );
++	BN_bn2bin( rsa_iqmp, iqmp );
+ 
+ 	// Create the RSA private key object
+ 	rv = createObject( a_hSession, tAttr, ulAttrCount, a_hObject );
+diff --git a/src/data_mgmt/openssl_compat.h b/src/data_mgmt/openssl_compat.h
+new file mode 100644
+index 0000000000..2a60fdf492
+--- /dev/null
++++ b/src/data_mgmt/openssl_compat.h
+@@ -0,0 +1,58 @@
++/*
++ * Getter functions for OpenSSL < 1.1 compatibility. Based on code from:
++ * https://wiki.openssl.org/index.php/1.1_API_Changes#Adding_forward-compatible_code_to_older_versions
++ * and therefore:
++ * Copyright OpenSSL 2016
++ * Contents licensed under the terms of the OpenSSL license
++ * See http://www.openssl.org/source/license.html for details
++ */
++
++#ifndef __OPENSSL_COMPAT_H
++#define __OPENSSL_COMPAT_H
++
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++
++#include <openssl/engine.h>
++
++static inline void
++RSA_get0_key( const RSA *r,
++              const BIGNUM **n,
++              const BIGNUM **e,
++              const BIGNUM **d ) {
++
++	if ( n )
++		*n = r->n;
++	if ( e )
++		*e = r->e;
++	if ( d )
++		*d = r->d;
++}
++
++static inline void
++RSA_get0_factors( const RSA *r,
++                  const BIGNUM **p,
++                  const BIGNUM **q ) {
++
++	if ( p )
++		*p = r->p;
++	if ( q )
++		*q = r->q;
++}
++
++static inline void
++RSA_get0_crt_params( const RSA *r,
++                     const BIGNUM **dmp1,
++                     const BIGNUM **dmq1,
++                     const BIGNUM **iqmp ) {
++
++	if ( dmp1 )
++		*dmp1 = r->dmp1;
++	if ( dmq1 )
++		*dmq1 = r->dmq1;
++	if ( iqmp )
++		*iqmp = r->iqmp;
++}
++
++#endif /* OPENSSL_VERSION_NUMBER */
++
++#endif /* __OPENSSL_COMPAT_H */
+-- 
+2.9.3
+

SOURCES/0003-Allocate-OpenSSL-cipher-contexts-for-seal-unseal.patch

@@ -0,0 +1,89 @@
+From c229bb590250bd9769cb5a63918ab0f6c9386be7 Mon Sep 17 00:00:00 2001
+From: Michal Schmidt <mschmidt@redhat.com>
+Date: Mon, 20 Feb 2017 12:00:39 +0100
+Subject: [PATCH 3/3] Allocate OpenSSL cipher contexts for seal/unseal
+
+Cipher contexts need to be allocated before using EVP_EncryptInit or
+EVP_DecryptInit. Using a NULL context is invalid.
+
+Fixes: f50ab0949438 ("Support OpenSSL 1.1.0")
+---
+ lib/tpm_unseal.c        | 12 ++++++++++--
+ src/cmds/tpm_sealdata.c | 11 +++++++++--
+ 2 files changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/lib/tpm_unseal.c b/lib/tpm_unseal.c
+index fc4a84906a..005dab7f8f 100644
+--- a/lib/tpm_unseal.c
++++ b/lib/tpm_unseal.c
+@@ -86,7 +86,7 @@ int tpmUnsealFile( char* fname, unsigned char** tss_data, int* tss_size,
+ 	int srkSecretLen;
+ 	unsigned char* res_data = NULL;
+ 	int res_size = 0;
+-
++	EVP_CIPHER_CTX *ctx = NULL;
+ 	BIO *bdata = NULL, *b64 = NULL, *bmem = NULL;
+ 	int bioRc;
+ 
+@@ -408,7 +408,12 @@ int tpmUnsealFile( char* fname, unsigned char** tss_data, int* tss_size,
+ 	}
+ 
+ 	/* Decode and decrypt the encrypted data */
+-	EVP_CIPHER_CTX *ctx = NULL;
++	ctx = EVP_CIPHER_CTX_new();
++	if ( ctx == NULL ) {
++		rc = TPMSEAL_STD_ERROR;
++		tpm_errno = ENOMEM;
++		goto tss_out;
++	}
+ 	EVP_DecryptInit(ctx, EVP_aes_256_cbc(), symKey, (unsigned char *)TPMSEAL_IV);
+ 
+ 	/* Create a base64 BIO to decode the encrypted data */
+@@ -459,6 +464,9 @@ out:
+ 	} else
+ 		free(res_data);
+ 
++	if (ctx)
++		EVP_CIPHER_CTX_free(ctx);
++
+ 	return rc;
+ }
+ 
+diff --git a/src/cmds/tpm_sealdata.c b/src/cmds/tpm_sealdata.c
+index a2157f34b1..e25244a0f4 100644
+--- a/src/cmds/tpm_sealdata.c
++++ b/src/cmds/tpm_sealdata.c
+@@ -118,7 +118,7 @@ int main(int argc, char **argv)
+ 	char *passwd = NULL;
+ 	int pswd_len;
+ 	BYTE wellKnown[TCPA_SHA1_160_HASH_LEN] = TSS_WELL_KNOWN_SECRET;
+-
++	EVP_CIPHER_CTX *ctx = NULL;
+ 	BIO *bin = NULL, *bdata=NULL, *b64=NULL;
+ 
+ 	initIntlSys();
+@@ -343,7 +343,11 @@ int main(int argc, char **argv)
+ 	BIO_puts(bdata, TPMSEAL_ENC_STRING); 
+ 	bdata = BIO_push(b64, bdata);
+ 
+-	EVP_CIPHER_CTX *ctx = NULL;
++	ctx = EVP_CIPHER_CTX_new();
++	if (ctx == NULL) {
++		logError(_("Unable to allocate cipher context\n"));
++		goto out_close;
++	}
+ 	EVP_EncryptInit(ctx, EVP_aes_256_cbc(), randKey, (unsigned char *)TPMSEAL_IV);
+ 
+ 	while ((lineLen = BIO_read(bin, line, sizeof(line))) > 0) {
+@@ -375,5 +379,8 @@ out:
+ 		BIO_free(bdata);
+ 	if (b64)
+ 		BIO_free(b64);
++	if (ctx)
++		EVP_CIPHER_CTX_free(ctx);
++
+ 	return iRc;
+ }
+-- 
+2.9.3
+

SOURCES/tpm-tools-1.3.9-memset.patch

@@ -0,0 +1,30 @@
+diff -ur tpm-tools-1.3.9/include/tpm_utils.h tpm-tools-1.3.9-new/include/tpm_utils.h
+--- tpm-tools-1.3.9/include/tpm_utils.h	2014-07-23 13:37:12.000000000 -0700
++++ tpm-tools-1.3.9-new/include/tpm_utils.h	2019-06-05 11:13:55.474783996 -0700
+@@ -71,7 +71,7 @@
+ #define __no_optimize
+ #endif
+ 
+-void * __no_optimize __memset(void *s, int c, size_t n);
++void * __memset(void *s, int c, size_t n);
+ 
+ typedef int (*CmdOptParser)( const int aOpt, const char *aOptArg );
+ typedef void (*CmdHelpFunction)( const char *aCmd );
+diff -ur tpm-tools-1.3.9/lib/tpm_utils.c tpm-tools-1.3.9-new/lib/tpm_utils.c
+--- tpm-tools-1.3.9/lib/tpm_utils.c	2014-07-23 13:37:12.000000000 -0700
++++ tpm-tools-1.3.9-new/lib/tpm_utils.c	2019-06-05 11:13:41.570968364 -0700
+@@ -134,10 +134,12 @@
+ 	return 0;
+ }
+ 
+-void * __no_optimize
++void *
+ __memset(void *s, int c, size_t n)
+ {
+-	return memset(s, c, n);
++	memset(s, c, n);
++	asm volatile("" ::: "memory");
++	return s;
+ }
+ 
+ /*

SPECS/tpm-tools.spec

@@ -0,0 +1,222 @@
+Name:             tpm-tools
+Summary:          Management tools for the TPM hardware
+Version:          1.3.9
+Release:          7%{?dist}
+License:          CPL
+URL:              http://trousers.sourceforge.net
+Source0:          http://downloads.sourceforge.net/trousers/%{name}-%{version}.tar.gz
+BuildRequires:    trousers-devel openssl-devel opencryptoki-devel
+Patch0001:        0001-Fix-build-with-OpenSSL-1.1-due-to-EVP_PKEY-being-an-.patch
+Patch0002:        0002-Fix-build-with-OpenSSL-1.1-due-to-RSA-being-an-opaqu.patch
+Patch0003:        0003-Allocate-OpenSSL-cipher-contexts-for-seal-unseal.patch
+# Patches 4 & 5 submitted upstream by SUSE
+Patch0004:        0001-tpm_version-avoid-outputting-NULL-bytes-from-tpmVend.patch
+Patch0005:        0001-tpm_version-avoid-outputting-undefined-data-on-stder.patch
+# submitted upstream
+Patch0006:        0001-man-manpage-cleanup.patch
+Patch0007:        0001-tpm-tools-fix-outdated-function-signature-in-tpmUnse.patch
+Patch0008:        tpm-tools-1.3.9-memset.patch
+
+%description
+tpm-tools is a group of tools to manage and utilize the Trusted Computing
+Group's TPM hardware. TPM hardware can create, store and use RSA keys
+securely (without ever being exposed in memory), verify a platform's
+software state using cryptographic hashes and more.
+
+%package        pkcs11
+Summary:        Management tools using PKCS#11 for the TPM hardware
+# opencryptoki is dlopen'd, the Requires won't get picked up automatically
+Requires:       opencryptoki-libs%{?_isa}
+
+%description    pkcs11
+tpm-tools-pkcs11 is a group of tools that use the TPM PKCS#11 token. All data
+contained in the PKCS#11 data store is protected by the TPM (keys,
+certificates, etc.). You can import keys and certificates, list out the
+objects in the data store, and protect data.
+
+%package        devel
+Summary:        Files to use the library routines supplied with tpm-tools
+Requires:       %{name}%{?_isa} = %{version}-%{release}
+
+%description    devel
+tpm-tools-devel is a package that contains the libraries and headers necessary
+for developing tpm-tools applications.
+
+%prep
+%autosetup -p1 -c %{name}-%{version}
+
+%build
+%configure --disable-static --disable-rpath --disable-silent-rules
+%make_build
+
+%install
+%make_install INSTALL="install -p"
+rm -f $RPM_BUILD_ROOT/%{_libdir}/libtpm_unseal.la
+# autoreconf is not happy on rhel8 with tpm-tools, so temp
+# work around to get new manpages in place
+cp -p man/man1/tpm_unsealdata.1 %{buildroot}/%{_mandir}/man1
+cp -p man/man8/tpm_restrictsrk.8 %{buildroot}/%{_mandir}/man8
+
+%post -p /sbin/ldconfig
+
+%postun -p /sbin/ldconfig
+
+%files
+%license LICENSE
+%doc README
+%{_bindir}/tpm_*
+%{_sbindir}/tpm_*
+%{_libdir}/libtpm_unseal.so.?.?.?
+%{_libdir}/libtpm_unseal.so.?
+%{_mandir}/man1/tpm_*
+%{_mandir}/man8/tpm_*
+
+%files pkcs11
+%license LICENSE
+%{_bindir}/tpmtoken_*
+%{_mandir}/man1/tpmtoken_*
+
+%files devel
+%{_libdir}/libtpm_unseal.so
+%{_includedir}/tpm_tools/
+%{_mandir}/man3/tpmUnseal*
+
+%changelog
+* Wed Jun 12 2019 Jerry Snitselaar <jsnitsel@redhat.com> - 1.3.9-7
+- Make sure new manpages get installed.
+resolves: rhbz#1669892
+
+* Wed Jun 05 2019 Jerry Snitselaar <jsnitsel@redhat.com> - 1.3.9-6
+- Fix annocheck warning
+resolves: rhbz#1624180
+
+* Wed May 22 2019 Jerry Snitselaar <jsnitsel@redhat.com> - 1.3.9-5
+- Add CI gating support
+- tpm_version: remove garbled text
+resolves: rhbz#1669892
+
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.9-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.9-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.9-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Mon Feb 20 2017 Michal Schmidt <mschmidt@redhat.com> - 1.3.9-1
+- Upstream release 1.3.9.
+- Add fixes for build errors with OpenSSL 1.1.
+- Add fixes for NULL cipher context use in seal/unseal.
+- spec file modernization.
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.8-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Fri Feb 05 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.8-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3.8-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Mon Aug 18 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3.8-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3.8-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Thu Apr 03 2014 Michal Schmidt <mschmidt@redhat.com> - 1.3.8-6
+- Fix FTBFS with current autotools (#1083627)
+- Drop tpm-tools-1.3.7-build.patch, the package builds without it (#952372)
+
+* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3.8-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Fri Feb 15 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3.8-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Sat Jul 21 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3.8-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Tue Jul  3 2012 Peter Robinson <pbrobinson@fedoraproject.org> - 1.3.8-2
+- Cleanup spec and modernise spec
+
+* Fri Jun 22 2012 Steve Grubb <sgrubb@redhat.com> 1.3.8-1
+- New upstream release
+
+* Sat Jan 14 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3.7-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Mon Sep 19 2011 Steve Grubb <sgrubb@redhat.com> 1.3.7-1
+- New upstream release
+
+* Fri Jun 24 2011 Steve Grubb <sgrubb@redhat.com> 1.3.5-5
+- Remove -Werror from compile flags (#716046)
+
+* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3.5-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Thu Jul 08 2010 Michal Schmidt <mschmidt@redhat.com> - 1.3.5-3
+- Add the LICENSE file to the -pkcs11 subpackage too, as it may be
+  installed independently.
+- Remove useless macros.
+
+* Sun Feb 14 2010 Michal Schmidt <mschmidt@redhat.com> - 1.3.5-2
+- Fix for DSO linking change.
+
+* Mon Feb 01 2010 Steve Grubb <sgrubb@redhat.com> 1.3.5-1
+- New upstream bug fix release
+
+* Fri Jan 29 2010 Steve Grubb <sgrubb@redhat.com> 1.3.4-2
+- Remove rpaths
+
+* Wed Oct 21 2009 Michal Schmidt <mschmidt@redhat.com> - 1.3.4-1
+- Upstream release 1.3.4:
+  - adds SRK password support on unsealing
+- LICENSE is back.
+- Remove no longer needed patch:
+  tpm-tools-1.3.3-check-fwrite-success.patch
+
+* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> - 1.3.3-2
+- rebuilt with new openssl
+
+* Fri Aug 07 2009 Michal Schmidt <mschmidt@redhat.com> 1.3.3-1
+- New upstream release 1.3.3.
+- No longer needed patch, dropped:
+  tpm-tools-conditionally-build-tpmtoken-manpages-Makefile.in.patch
+- Use global instead of define for macros.
+- Remove rpaths.
+- LICENSE file is suddenly missing in upstream tarball.
+- Added patch to allow compilation:
+  tpm-tools-1.3.3-check-fwrite-success.patch
+
+* Wed Jul 29 2009 Michal Schmidt <mschmidt@redhat.com> 1.3.1-10
+- Split the pkcs11 utilities into a subpackage.
+
+* Wed Jul 29 2009 Michal Schmidt <mschmidt@redhat.com> 1.3.1-9
+- Enable pkcs11 support (tpmtoken_* utilities).
+
+* Sun Jul 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3.1-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3.1-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Sun Jan 18 2009 Tomas Mraz <tmraz@redhat.com> - 1.3.1-6
+- rebuild with new openssl
+
+* Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 1.3.1-5
+- Autorebuild for GCC 4.3
+
+* Tue Dec 18 2007 Kent Yoder <kyoder@users.sf.net> - 1.3.1-4
+- Updated for comments in RHIT#394941 comment #6
+* Fri Dec 14 2007 Kent Yoder <kyoder@users.sf.net> - 1.3.1-3
+- Updated to own the includedir/tpm_tools directory, removed
+requirement on trousers and ldconfig in post/postun
+* Thu Dec 13 2007 Kent Yoder <kyoder@users.sf.net> - 1.3.1-2
+- Updated for Fedora package submission guidelines
+* Fri Nov 16 2007 Kent Yoder <kyoder@users.sf.net> - 1.3.1
+- Updates to configure
+* Fri Oct 05 2007 Kent Yoder <kyoder@users.sf.net> - 1.2.5.1
+- Updated build section to use smp_mflags
+