commit 76f5d8ac04c8ef9cdbbd2da27f45d202d8767006 Author: CentOS Sources Date: Thu Aug 1 13:37:47 2019 -0400 import tpm-tools-1.3.9-7.el8 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..08603c3 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/tpm-tools-1.3.9.tar.gz diff --git a/.tpm-tools.metadata b/.tpm-tools.metadata new file mode 100644 index 0000000..96e14a6 --- /dev/null +++ b/.tpm-tools.metadata @@ -0,0 +1 @@ +63d5cd42f464f7a200c508b551f5f2728f141a71 SOURCES/tpm-tools-1.3.9.tar.gz diff --git a/SOURCES/0001-Fix-build-with-OpenSSL-1.1-due-to-EVP_PKEY-being-an-.patch b/SOURCES/0001-Fix-build-with-OpenSSL-1.1-due-to-EVP_PKEY-being-an-.patch new file mode 100644 index 0000000..ed43ed0 --- /dev/null +++ b/SOURCES/0001-Fix-build-with-OpenSSL-1.1-due-to-EVP_PKEY-being-an-.patch 
@@ -0,0 +1,37 @@ +From 3acd773846a85d142e919e2f4eeeee1acea5ca3a Mon Sep 17 00:00:00 2001 +From: Michal Schmidt +Date: Mon, 20 Feb 2017 10:28:33 +0100 +Subject: [PATCH 1/3] Fix build with OpenSSL 1.1 due to EVP_PKEY being an + opaque struct + +With OpenSSL 1.1 the build fails with: +data_import.c:375:26: error: dereferencing pointer to incomplete type +'EVP_PKEY {aka struct evp_pkey_st}' + +The manual page[1] says: + Previous versions of this document suggested using + EVP_PKEY_type(pkey->type) to determine the type of a key. Since EVP_PKEY + is now opaque this is no longer possible: the equivalent is + EVP_PKEY_base_id(pkey). + +[1] https://www.openssl.org/docs/man1.1.0/crypto/EVP_PKEY_base_id.html +--- + src/data_mgmt/data_import.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/data_mgmt/data_import.c b/src/data_mgmt/data_import.c +index f534717f02..d4d2052bc6 100644 +--- a/src/data_mgmt/data_import.c ++++ b/src/data_mgmt/data_import.c +@@ -372,7 +372,7 @@ readX509Cert( const char *a_pszFile, + goto out; + } + +- if ( EVP_PKEY_type( pKey->type ) != EVP_PKEY_RSA ) { ++ if ( EVP_PKEY_base_id( pKey ) != EVP_PKEY_RSA ) { + logError( TOKEN_RSA_KEY_ERROR ); + + X509_free( pX509 ); +-- +2.9.3 + diff --git a/SOURCES/0001-man-manpage-cleanup.patch b/SOURCES/0001-man-manpage-cleanup.patch new file mode 100644 index 0000000..10e147a --- /dev/null +++ b/SOURCES/0001-man-manpage-cleanup.patch 
@@ -0,0 +1,232 @@ +From 65ca7418b9a884bb5271e602cf63fc8845397988 Mon Sep 17 00:00:00 2001 +From: Jerry Snitselaar +Date: Sun, 27 Jan 2019 21:55:19 -0700 +Subject: [PATCH] man: manpage cleanup + +tpm_restrictsrk and tpm_unsealdata are missing manpages. +Add missing options to tpm_nvdefine and tpm_setpresence. + +Signed-off-by: Jerry Snitselaar +--- + man/man1/Makefile.am | 1 + + man/man1/tpm_unsealdata.1 | 60 +++++++++++++++++++++++++++++++++ + man/man8/Makefile.am | 1 + + man/man8/tpm_nvdefine.8 | 13 ++++++-- + man/man8/tpm_restrictsrk.8 | 68 ++++++++++++++++++++++++++++++++++++++ + man/man8/tpm_setpresence.8 | 3 ++ + 6 files changed, 144 insertions(+), 2 deletions(-) + create mode 100644 man/man1/tpm_unsealdata.1 + create mode 100644 man/man8/tpm_restrictsrk.8 + +diff --git a/man/man1/Makefile.am b/man/man1/Makefile.am +index ff8b571..f833363 100644 +--- a/man/man1/Makefile.am ++++ b/man/man1/Makefile.am +@@ -22,6 +22,7 @@ + # + + man1_MANS = tpm_sealdata.1 \ ++ tpm_unsealdata.1 \ + tpm_version.1 + if P11_SUPPORT + man1_MANS += tpmtoken_init.1 \ +diff --git a/man/man1/tpm_unsealdata.1 b/man/man1/tpm_unsealdata.1 +new file mode 100644 +index 0000000..80e8f12 +--- /dev/null ++++ b/man/man1/tpm_unsealdata.1 +@@ -0,0 +1,60 @@ ++.\" Copyright (C) 2019 International Business Machines Corporation ++.\" ++.de Sh \" Subsection ++.br ++.if t .Sp ++.ne 5 ++.PP ++\fB\\$1\fR ++.PP ++.. ++.de Sp \" Vertical space (when we can't use .PP) ++.if t .sp .5v ++.if n .sp ++.. ++.de Ip \" List item ++.br ++.ie \\n(.$>=3 .ne \\$3 ++.el .ne 3 ++.IP "\\$1" \\$2 ++.. ++.TH "tpm_unsealdata" 1 "2019-01-27" "TPM Management" ++.ce 1 ++TPM Management - tpm_unsealdata ++.SH NAME ++tpm_unsealdata \- unseal input data with the SRK of the system's TPM ++.SH "SYNOPSIS" ++.ad l ++.hy 0 ++.B tpm_unsealdata ++.RB [ OPTION ] ++ ++.SH "DESCRIPTION" ++.PP ++\fBtpm_unsealdata\fR unseals sensitive data that was sealed the SRK of the system's TPM. 
++ ++.TP ++\fB\-h\fR, \fB\-\-help\fR ++Display command usage info. ++.TP ++\fB-v\fR, \fB\-\-version\fR ++Display command version info. ++.TP ++\fB-l\fR, \fB\-\-log\fR [none|error|info|debug] ++Set logging level. ++.TP ++\fB-i\fR, \fB\-\-infile FILE\fR ++File containing data to unseal. ++.TP ++\fB-o\fR, \fB\-\-outfile FILE\fR ++Filename to write unsealed data to. Default is STDOUT. ++.TP ++\fB-z\fR, \fB\-\-well-known\fR ++Use TSS_WELL_KNOWN_SECRET (20 zero bytes) as the SRK password. You will not be prompted for the SRK password with this option. ++ ++.SH "SEE ALSO" ++.PP ++\fBtpm_sealdata\fR(1), \fBtpmUnsealFile\fR(3) ++ ++.SH "REPORTING BUGS" ++Report bugs to +diff --git a/man/man8/Makefile.am b/man/man8/Makefile.am +index b38ac18..487a4c8 100644 +--- a/man/man8/Makefile.am ++++ b/man/man8/Makefile.am +@@ -36,6 +36,7 @@ man8_MANS = tpm_changeownerauth.8 \ + tpm_createek.8 \ + tpm_getpubek.8 \ + tpm_restrictpubek.8 \ ++ tpm_restrictsrk.8 \ + tpm_selftest.8 \ + tpm_setactive.8 \ + tpm_setclearable.8 \ +diff --git a/man/man8/tpm_nvdefine.8 b/man/man8/tpm_nvdefine.8 +index 13edb78..0eecc2a 100644 +--- a/man/man8/tpm_nvdefine.8 ++++ b/man/man8/tpm_nvdefine.8 +@@ -161,8 +161,8 @@ using \s-1TSS\s0 popup boxes + .IP "\fB\-y, \-\-owner\-well\-known\fR" 4 + .IX Item "-y, --owner-well-known" + Use a secret of all zeros (20 bytes of zeros) as the owner's secret. +-.IP "\fB\-z, \-\-area\-well\-known\fR" 4 +-.IX Item "-z, --area-well-known" ++.IP "\fB\-z, \-\-data\-well\-known\fR" 4 ++.IX Item "-z, --data-well-known" + Use a secret of all zeros (20 bytes of zeros) as the \s-1NVRAM\s0 area's secret. + .IP "\fB\-o, \-\-pwdo\fR (optional parameter)" 4 + .IX Item "-o, --pwdo (optional parameter)" +@@ -189,6 +189,15 @@ To select the \s-1NVRAM\s0 area with index 0x100, the command line parameter sho + .IX Item "-s, --size" + The size of the \s-1NVRAM\s0 area. + The parameter must either be a decimal number or a hexadecimal number starting with '0x'. 
++.IP "\fB\-r, \-\-rpcsr\fR" 4 ++.IX Item "-r, --rpcrs" ++PCRs to seal the NVRAM area to for reading (use multiple times) ++.IP "\fB\-w, \-\-wpcrs\fR" 4 ++.IX Item "-w, --wpcrs" ++PCRs to seal the NVRAM area to for writing (use multiple times) ++.IP "\fB\-f, \-\-filename\fR" 4 ++.IX Item "-f, --filename" ++File containing PCR info for the NVRAM area. + .IP "\fB\-p, \-\-permissions\fR" 4 + .IX Item "-p, --permissions" + The access permissions associated with the \s-1NVRAM\s0 area. +diff --git a/man/man8/tpm_restrictsrk.8 b/man/man8/tpm_restrictsrk.8 +new file mode 100644 +index 0000000..7935b7b +--- /dev/null ++++ b/man/man8/tpm_restrictsrk.8 +@@ -0,0 +1,68 @@ ++.\" Copyright (C) 2019 International Business Machines Corporation ++.\" ++.de Sh \" Subsection ++.br ++.if t .Sp ++.ne 5 ++.PP ++\fB\\$1\fR ++.PP ++.. ++.de Sp \" Vertical space (when we can't use .PP) ++.if t .sp .5v ++.if n .sp ++.. ++.de Ip \" List item ++.br ++.ie \\n(.$>=3 .ne \\$3 ++.el .ne 3 ++.IP "\\$1" \\$2 ++.. ++.TH "tpm_restrictsrk" 8 "2019-01-27" "TPM Management" ++.ce 1 ++TPM Management - tpm_restrictsrk ++.SH NAME ++tpm_restrictsrk \- restrict the ability to access the Storage Root Key ++.SH "SYNOPSIS" ++.ad l ++.hy 0 ++.B tpm_restrictsrk ++.RB [ OPTION ] ++ ++.SH "DESCRIPTION" ++.PP ++\fBtpm_restrictsrk\fR reports the status of who can access the Storage Root Key. This is the default behavior and also available with the \fB\-\-status\fR option. ++This operation will be in effect until the owner is cleared and prompts for the owner passord. With the \fB\-\-restrict\fR option, the ability to access the Storage Root Key is resticted to the owner. ++The command prompts for the owner password to complete the operation. The \fB\-\-allow\fR and \fB\-\-restrict\fR options are mutually exclusive and the last one on the command line will be carried out. ++ ++.TP ++\fB\-h\fR, \fB\-\-help\fR ++Display command usage info. ++.TP ++\fB-v\fR, \fB\-\-version\fR ++Display command version info. 
++.TP ++\fB-l\fR, \fB\-\-log\fR [none|error|info|debug] ++Set logging level. ++.TP ++\fB-u\fR, \fB\-\-unicode\fR ++Use TSS UNICODE encoding for passwords to comply with applications using TSS popup boxes ++.TP ++\fB-a\fR, \fB\-\-allow\fR ++Allow SRK read access using SRK auth ++.TP ++\fB-s\fR, \fB\-\-status\fR ++Display the status of who can access the Storage Root Key ++.TP ++\fB-r\fR, \fB\-\-restrict\fR ++Restrict SRK read to owner only ++.TP ++\fB-z\fR, \fB\-\-well-known\fR ++Authenticate using 20 bytes of zeros as owner password (the default TSS Well Known Secret), instead of prompting for an owner password. ++ ++.SH "SEE ALSO" ++.PP ++\fBtpm_version\fR(1), \fBtpm_takeownership\fR(8), \fBtcsd\fR(8) ++ ++.SH "REPORTING BUGS" ++Report bugs to +diff --git a/man/man8/tpm_setpresence.8 b/man/man8/tpm_setpresence.8 +index a04c70f..96670e0 100644 +--- a/man/man8/tpm_setpresence.8 ++++ b/man/man8/tpm_setpresence.8 +@@ -46,6 +46,9 @@ Set logging level. + \fB-u\fR, \fB\-\-unicode\fR + Use TSS UNICODE encoding for passwords to comply with applications using TSS popup boxes + .TP ++\fB-s\fR, \fB\-\-status\fR ++Report current physical presence states. ++.TP + \fB-a\fR, \fB\-\-assert\fR + Assert that an admin is physically present at the machine. + .TP +-- +2.20.1.98.gecbdaf0899 + diff --git a/SOURCES/0001-tpm-tools-fix-outdated-function-signature-in-tpmUnse.patch b/SOURCES/0001-tpm-tools-fix-outdated-function-signature-in-tpmUnse.patch new file mode 100644 index 0000000..e032344 --- /dev/null +++ b/SOURCES/0001-tpm-tools-fix-outdated-function-signature-in-tpmUnse.patch 
@@ -0,0 +1,29 @@ +From d11a2d62797e6794105470c1dd5f99017d9484e3 Mon Sep 17 00:00:00 2001 +From: Jerry Snitselaar +Date: Sun, 27 Jan 2019 23:17:02 -0700 +Subject: [PATCH] tpm-tools: fix outdated function signature in tpmUnsealFile + manpage + +The tpmUnsealFile manpage hasn't been updated with changes to tpmUnsealFile. + +Signed-off-by: Jerry Snitselaar +--- + man/man3/tpmUnsealFile.3 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/man/man3/tpmUnsealFile.3 b/man/man3/tpmUnsealFile.3 +index 1fda48f..c362298 100644 +--- a/man/man3/tpmUnsealFile.3 ++++ b/man/man3/tpmUnsealFile.3 +@@ -28,7 +28,7 @@ tpmUnsealFile, tpmUnsealShred, tpmUnsealStrerror - unseal routines + .hy 0 + .B #include + .sp +-.B int tpmUnsealFile(char* file, char** data, int* size); ++.B int tpmUnsealFile(char* fname, char** tss_data, int* tss_size, BOOL srkWellKnown); + .br + .B void tpmUnsealShred(char* data, int size); + .br +-- +2.20.1.98.gecbdaf0899 + diff --git a/SOURCES/0001-tpm_version-avoid-outputting-NULL-bytes-from-tpmVend.patch b/SOURCES/0001-tpm_version-avoid-outputting-NULL-bytes-from-tpmVend.patch new file mode 100644 index 0000000..e39ae8d --- /dev/null +++ b/SOURCES/0001-tpm_version-avoid-outputting-NULL-bytes-from-tpmVend.patch 
@@ -0,0 +1,54 @@ +From c927f67f36a4719bd15b8a535efb6980f1e87a6b Mon Sep 17 00:00:00 2001 +From: Matthias Gerstner +Date: Fri, 30 Nov 2018 12:48:37 +0100 +Subject: [PATCH] tpm_version: avoid outputting NULL bytes from tpmVendorID + +When the vendor ID contains null bytes then '^@' characters appear in +the tpm_version output. This can confuse users and it also causes e.g. +'grep' to treat the input as binary. Example: + + TPM Vendor ID: WEC\000 + +This change copies the vendor ID bytes over into a local string object. +This makes the code more independent of the vendor ID dimension and also +avoids NULL bytes being printed. +--- + src/tpm_mgmt/tpm_version.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/src/tpm_mgmt/tpm_version.c b/src/tpm_mgmt/tpm_version.c +index 1019b71..78b78e8 100644 +--- a/src/tpm_mgmt/tpm_version.c ++++ b/src/tpm_mgmt/tpm_version.c +@@ -133,6 +133,7 @@ int cmdVersion(const char *a_szCmd) + UINT64 offset; + TSS_RESULT uiResult; + TPM_CAP_VERSION_INFO versionInfo; ++ char vendor_id[sizeof(versionInfo.tpmVendorID)+1]; + char *errbuf = NULL; // Buffer containing what was sent to stderr during getCapability. + + /* Disable logging to of "Bad Mode" during this call. +@@ -169,15 +170,17 @@ int cmdVersion(const char *a_szCmd) + goto out_close; + } + ++ // copy over the individual characters into a regular string. ++ // This avoids that null bytes are written to stdout. 
++ snprintf ( vendor_id, sizeof(vendor_id), "%s", (const char*)versionInfo.tpmVendorID ); ++ + logMsg(_(" TPM 1.2 Version Info:\n")); + logMsg(_(" Chip Version: %hhu.%hhu.%hhu.%hhu\n"), + versionInfo.version.major, versionInfo.version.minor, + versionInfo.version.revMajor, versionInfo.version.revMinor); + logMsg(_(" Spec Level: %hu\n"), versionInfo.specLevel); + logMsg(_(" Errata Revision: %hhu\n"), versionInfo.errataRev); +- logMsg(_(" TPM Vendor ID: %c%c%c%c\n"), +- versionInfo.tpmVendorID[0], versionInfo.tpmVendorID[1], +- versionInfo.tpmVendorID[2], versionInfo.tpmVendorID[3]); ++ logMsg(_(" TPM Vendor ID: %s\n"), vendor_id); + + if (versionInfo.vendorSpecificSize) { + logMsg(_(" Vendor Specific data: ")); +-- +2.18.1 + diff --git a/SOURCES/0001-tpm_version-avoid-outputting-undefined-data-on-stder.patch b/SOURCES/0001-tpm_version-avoid-outputting-undefined-data-on-stder.patch new file mode 100644 index 0000000..949b58e --- /dev/null +++ b/SOURCES/0001-tpm_version-avoid-outputting-undefined-data-on-stder.patch 
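Review bot: The `%s` conversion in the new `snprintf(vendor_id, sizeof(vendor_id), "%s", (const char*)versionInfo.tpmVendorID)` reads the source until it finds a NUL, but tpmVendorID is a fixed 4-byte field that the TPM does not terminate (the old code printed exactly four `%c`, and the commit message's own example is `WEC\000`), so a vendor ID with four non-NUL bytes makes snprintf read past the array into the rest of versionInfo; the destination is bounded, the source read is not. Bound the read with a precision instead: `snprintf(vendor_id, sizeof(vendor_id), "%.*s", (int)sizeof(versionInfo.tpmVendorID), (const char *)versionInfo.tpmVendorID);`. This still passes non-printable vendor bytes through to the terminal; if that matters, filter with isprint() while copying. cmdVersion starts before this hunk.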
@@ -0,0 +1,38 @@ +From f0f30ff3e3b08751ebb8524303d80b6e94882134 Mon Sep 17 00:00:00 2001 +From: Matthias Gerstner +Date: Fri, 30 Nov 2018 13:17:01 +0100 +Subject: [PATCH] tpm_version: avoid outputting undefined data on stderr + +If there was no data written to the temporary file then memsize == 1, no +data will be read from the file into the buffer and the buffer will not +be null terminated. This can cause random data to be output later on to +the original stderr like: + +'#precedence ::ffff:0:0/' + +or + +'xl?8?' + +Fix this by making sure the buffer is always zero terminated. +--- + src/tpm_mgmt/tpm_version.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/tpm_mgmt/tpm_version.c b/src/tpm_mgmt/tpm_version.c +index 78b78e8..e563a8c 100644 +--- a/src/tpm_mgmt/tpm_version.c ++++ b/src/tpm_mgmt/tpm_version.c +@@ -99,6 +99,9 @@ char* end_capture_stderr(int olderr) + perror("read()"); + } + ++ // make sure the buffer is null terminated. ++ buf[st.st_size] = '\0'; ++ + // Restore stderr. + errout: + if (0 > dup2(olderr, STDERR_FILENO)) { +-- +2.18.1 + diff --git a/SOURCES/0002-Fix-build-with-OpenSSL-1.1-due-to-RSA-being-an-opaqu.patch b/SOURCES/0002-Fix-build-with-OpenSSL-1.1-due-to-RSA-being-an-opaqu.patch new file mode 100644 index 0000000..68d14bf --- /dev/null +++ b/SOURCES/0002-Fix-build-with-OpenSSL-1.1-due-to-RSA-being-an-opaqu.patch 
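Review bot: The added `buf[st.st_size] = '\0';` terminates at the file size rather than at the number of bytes read() actually returned, and because the `perror("read()")` branch just above falls through, a failed or short read still leaves the bytes before that terminator uninitialised and they are written to the real stderr the same way the commit describes for the empty case. Keep read()'s return value and terminate there, e.g. `if (got < 0) got = 0; buf[got] = '\0';` with `got` being the ssize_t read() returned, which also covers st.st_size == 0. This assumes buf was allocated with st.st_size + 1 bytes, as the commit message's `memsize == 1` remark implies; if the allocation is exactly st.st_size, the write at buf[st.st_size] is itself one byte out of bounds and the allocation needs the extra byte. end_capture_stderr starts before this hunk.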
@@ -0,0 +1,192 @@ +From 72fe7011fe981f90a04a62a3fb6ad33037390dff Mon Sep 17 00:00:00 2001 +From: Michal Schmidt +Date: Mon, 20 Feb 2017 10:43:10 +0100 +Subject: [PATCH 2/3] Fix build with OpenSSL 1.1 due to RSA being an opaque + struct + +RSA is an opaque struct in OpenSSL 1.1. New getter functions must be +used to access the key components. The functions were not present in +OpenSSL 1.0, so add a compat header with the implementation of the +needed functions as suggested by the OpenSSL wiki [1] in order to allow +building tpm-tools with any version of OpenSSL. + +[1] https://wiki.openssl.org/index.php/1.1_API_Changes +--- + src/data_mgmt/Makefile.am | 3 ++- + src/data_mgmt/data_import.c | 52 ++++++++++++++++++++++--------------- + src/data_mgmt/openssl_compat.h | 58 ++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 92 insertions(+), 21 deletions(-) + create mode 100644 src/data_mgmt/openssl_compat.h + +diff --git a/src/data_mgmt/Makefile.am b/src/data_mgmt/Makefile.am +index de505e48ef..9457618ab9 100644 +--- a/src/data_mgmt/Makefile.am ++++ b/src/data_mgmt/Makefile.am +@@ -32,7 +32,8 @@ noinst_HEADERS = data_common.h \ + data_init.h \ + data_object.h \ + data_passwd.h \ +- data_protect.h ++ data_protect.h \ ++ openssl_compat.h + + # + # Common build flags +diff --git a/src/data_mgmt/data_import.c b/src/data_mgmt/data_import.c +index d4d2052bc6..532543f7d3 100644 +--- a/src/data_mgmt/data_import.c ++++ b/src/data_mgmt/data_import.c +@@ -39,6 +39,7 @@ + #include + #include + ++#include "openssl_compat.h" + + /* + * Global variables +@@ -691,8 +692,11 @@ createRsaPubKeyObject( RSA *a_pRsa, + + int rc = -1; + +- int nLen = BN_num_bytes( a_pRsa->n ); +- int eLen = BN_num_bytes( a_pRsa->e ); ++ const BIGNUM *rsa_n, *rsa_e; ++ RSA_get0_key( a_pRsa, &rsa_n, &rsa_e, NULL ); ++ ++ int nLen = BN_num_bytes( rsa_n ); ++ int eLen = BN_num_bytes( rsa_e ); + + CK_RV rv; + +@@ -732,8 +736,8 @@ createRsaPubKeyObject( RSA *a_pRsa, + } + + // Get binary representations 
of the RSA key information +- BN_bn2bin( a_pRsa->n, n ); +- BN_bn2bin( a_pRsa->e, e ); ++ BN_bn2bin( rsa_n, n ); ++ BN_bn2bin( rsa_e, e ); + + // Create the RSA public key object + rv = createObject( a_hSession, tAttr, ulAttrCount, a_hObject ); +@@ -760,14 +764,22 @@ createRsaPrivKeyObject( RSA *a_pRsa, + + int rc = -1; + +- int nLen = BN_num_bytes( a_pRsa->n ); +- int eLen = BN_num_bytes( a_pRsa->e ); +- int dLen = BN_num_bytes( a_pRsa->d ); +- int pLen = BN_num_bytes( a_pRsa->p ); +- int qLen = BN_num_bytes( a_pRsa->q ); +- int dmp1Len = BN_num_bytes( a_pRsa->dmp1 ); +- int dmq1Len = BN_num_bytes( a_pRsa->dmq1 ); +- int iqmpLen = BN_num_bytes( a_pRsa->iqmp ); ++ const BIGNUM *rsa_n, *rsa_e, *rsa_d; ++ const BIGNUM *rsa_p, *rsa_q; ++ const BIGNUM *rsa_dmp1, *rsa_dmq1, *rsa_iqmp; ++ ++ RSA_get0_key( a_pRsa, &rsa_n, &rsa_e, &rsa_d ); ++ RSA_get0_factors( a_pRsa, &rsa_p, &rsa_q ); ++ RSA_get0_crt_params( a_pRsa, &rsa_dmp1, &rsa_dmq1, &rsa_iqmp ); ++ ++ int nLen = BN_num_bytes( rsa_n ); ++ int eLen = BN_num_bytes( rsa_e ); ++ int dLen = BN_num_bytes( rsa_d ); ++ int pLen = BN_num_bytes( rsa_p ); ++ int qLen = BN_num_bytes( rsa_q ); ++ int dmp1Len = BN_num_bytes( rsa_dmp1 ); ++ int dmq1Len = BN_num_bytes( rsa_dmq1 ); ++ int iqmpLen = BN_num_bytes( rsa_iqmp ); + + CK_RV rv; + +@@ -821,14 +833,14 @@ createRsaPrivKeyObject( RSA *a_pRsa, + } + + // Get binary representations of the RSA key information +- BN_bn2bin( a_pRsa->n, n ); +- BN_bn2bin( a_pRsa->e, e ); +- BN_bn2bin( a_pRsa->d, d ); +- BN_bn2bin( a_pRsa->p, p ); +- BN_bn2bin( a_pRsa->q, q ); +- BN_bn2bin( a_pRsa->dmp1, dmp1 ); +- BN_bn2bin( a_pRsa->dmq1, dmq1 ); +- BN_bn2bin( a_pRsa->iqmp, iqmp ); ++ BN_bn2bin( rsa_n, n ); ++ BN_bn2bin( rsa_e, e ); ++ BN_bn2bin( rsa_d, d ); ++ BN_bn2bin( rsa_p, p ); ++ BN_bn2bin( rsa_q, q ); ++ BN_bn2bin( rsa_dmp1, dmp1 ); ++ BN_bn2bin( rsa_dmq1, dmq1 ); ++ BN_bn2bin( rsa_iqmp, iqmp ); + + // Create the RSA private key object + rv = createObject( a_hSession, tAttr, ulAttrCount, 
a_hObject ); +diff --git a/src/data_mgmt/openssl_compat.h b/src/data_mgmt/openssl_compat.h +new file mode 100644 +index 0000000000..2a60fdf492 +--- /dev/null ++++ b/src/data_mgmt/openssl_compat.h +@@ -0,0 +1,58 @@ ++/* ++ * Getter functions for OpenSSL < 1.1 compatibility. Based on code from: ++ * https://wiki.openssl.org/index.php/1.1_API_Changes#Adding_forward-compatible_code_to_older_versions ++ * and therefore: ++ * Copyright OpenSSL 2016 ++ * Contents licensed under the terms of the OpenSSL license ++ * See http://www.openssl.org/source/license.html for details ++ */ ++ ++#ifndef __OPENSSL_COMPAT_H ++#define __OPENSSL_COMPAT_H ++ ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++ ++#include ++ ++static inline void ++RSA_get0_key( const RSA *r, ++ const BIGNUM **n, ++ const BIGNUM **e, ++ const BIGNUM **d ) { ++ ++ if ( n ) ++ *n = r->n; ++ if ( e ) ++ *e = r->e; ++ if ( d ) ++ *d = r->d; ++} ++ ++static inline void ++RSA_get0_factors( const RSA *r, ++ const BIGNUM **p, ++ const BIGNUM **q ) { ++ ++ if ( p ) ++ *p = r->p; ++ if ( q ) ++ *q = r->q; ++} ++ ++static inline void ++RSA_get0_crt_params( const RSA *r, ++ const BIGNUM **dmp1, ++ const BIGNUM **dmq1, ++ const BIGNUM **iqmp ) { ++ ++ if ( dmp1 ) ++ *dmp1 = r->dmp1; ++ if ( dmq1 ) ++ *dmq1 = r->dmq1; ++ if ( iqmp ) ++ *iqmp = r->iqmp; ++} ++ ++#endif /* OPENSSL_VERSION_NUMBER */ ++ ++#endif /* __OPENSSL_COMPAT_H */ +-- +2.9.3 + diff --git a/SOURCES/0003-Allocate-OpenSSL-cipher-contexts-for-seal-unseal.patch b/SOURCES/0003-Allocate-OpenSSL-cipher-contexts-for-seal-unseal.patch new file mode 100644 index 0000000..1f18e8b --- /dev/null +++ b/SOURCES/0003-Allocate-OpenSSL-cipher-contexts-for-seal-unseal.patch 
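Review bot: openssl_compat.h tests `OPENSSL_VERSION_NUMBER < 0x10100000L` before it includes anything (its only `#include` sits inside the `#if`), so a translation unit that includes it ahead of the OpenSSL headers sees an undefined macro, which the preprocessor evaluates as 0, and compiles the pre-1.1 fallback against OpenSSL 1.1: the static RSA_get0_* definitions then collide with libcrypto's and `r->n` fails on the opaque struct. data_import.c only works because the new `#include "openssl_compat.h"` was placed after the existing includes, presumably the OpenSSL ones. Make the header self-contained by adding `#include <openssl/opensslv.h>` above the `#if`; `__OPENSSL_COMPAT_H` is also a reserved identifier (leading double underscore) and `OPENSSL_COMPAT_H` would do. Separately, the RSA_get0_* getters can hand back NULL for a component the key does not carry (CRT parameters in particular), and `BN_num_bytes( rsa_dmp1 )` in createRsaPrivKeyObject would then dereference NULL, pre-existing with the old direct field access but cheap to close with a NULL check before the length computations.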
@@ -0,0 +1,89 @@ +From c229bb590250bd9769cb5a63918ab0f6c9386be7 Mon Sep 17 00:00:00 2001 +From: Michal Schmidt +Date: Mon, 20 Feb 2017 12:00:39 +0100 +Subject: [PATCH 3/3] Allocate OpenSSL cipher contexts for seal/unseal + +Cipher contexts need to be allocated before using EVP_EncryptInit or +EVP_DecryptInit. Using a NULL context is invalid. + +Fixes: f50ab0949438 ("Support OpenSSL 1.1.0") +--- + lib/tpm_unseal.c | 12 ++++++++++-- + src/cmds/tpm_sealdata.c | 11 +++++++++-- + 2 files changed, 19 insertions(+), 4 deletions(-) + +diff --git a/lib/tpm_unseal.c b/lib/tpm_unseal.c +index fc4a84906a..005dab7f8f 100644 +--- a/lib/tpm_unseal.c ++++ b/lib/tpm_unseal.c +@@ -86,7 +86,7 @@ int tpmUnsealFile( char* fname, unsigned char** tss_data, int* tss_size, + int srkSecretLen; + unsigned char* res_data = NULL; + int res_size = 0; +- ++ EVP_CIPHER_CTX *ctx = NULL; + BIO *bdata = NULL, *b64 = NULL, *bmem = NULL; + int bioRc; + +@@ -408,7 +408,12 @@ int tpmUnsealFile( char* fname, unsigned char** tss_data, int* tss_size, + } + + /* Decode and decrypt the encrypted data */ +- EVP_CIPHER_CTX *ctx = NULL; ++ ctx = EVP_CIPHER_CTX_new(); ++ if ( ctx == NULL ) { ++ rc = TPMSEAL_STD_ERROR; ++ tpm_errno = ENOMEM; ++ goto tss_out; ++ } + EVP_DecryptInit(ctx, EVP_aes_256_cbc(), symKey, (unsigned char *)TPMSEAL_IV); + + /* Create a base64 BIO to decode the encrypted data */ +@@ -459,6 +464,9 @@ out: + } else + free(res_data); + ++ if (ctx) ++ EVP_CIPHER_CTX_free(ctx); ++ + return rc; + } + +diff --git a/src/cmds/tpm_sealdata.c b/src/cmds/tpm_sealdata.c +index a2157f34b1..e25244a0f4 100644 +--- a/src/cmds/tpm_sealdata.c ++++ b/src/cmds/tpm_sealdata.c +@@ -118,7 +118,7 @@ int main(int argc, char **argv) + char *passwd = NULL; + int pswd_len; + BYTE wellKnown[TCPA_SHA1_160_HASH_LEN] = TSS_WELL_KNOWN_SECRET; +- ++ EVP_CIPHER_CTX *ctx = NULL; + BIO *bin = NULL, *bdata=NULL, *b64=NULL; + + initIntlSys(); +@@ -343,7 +343,11 @@ int main(int argc, char **argv) + BIO_puts(bdata, 
TPMSEAL_ENC_STRING); + bdata = BIO_push(b64, bdata); + +- EVP_CIPHER_CTX *ctx = NULL; ++ ctx = EVP_CIPHER_CTX_new(); ++ if (ctx == NULL) { ++ logError(_("Unable to allocate cipher context\n")); ++ goto out_close; ++ } + EVP_EncryptInit(ctx, EVP_aes_256_cbc(), randKey, (unsigned char *)TPMSEAL_IV); + + while ((lineLen = BIO_read(bin, line, sizeof(line))) > 0) { +@@ -375,5 +379,8 @@ out: + BIO_free(bdata); + if (b64) + BIO_free(b64); ++ if (ctx) ++ EVP_CIPHER_CTX_free(ctx); ++ + return iRc; + } +-- +2.9.3 + diff --git a/SOURCES/tpm-tools-1.3.9-memset.patch b/SOURCES/tpm-tools-1.3.9-memset.patch new file mode 100644 index 0000000..cdd2406 --- /dev/null +++ b/SOURCES/tpm-tools-1.3.9-memset.patch @@ -0,0 +1,30 @@ +diff -ur tpm-tools-1.3.9/include/tpm_utils.h tpm-tools-1.3.9-new/include/tpm_utils.h +--- tpm-tools-1.3.9/include/tpm_utils.h 2014-07-23 13:37:12.000000000 -0700 ++++ tpm-tools-1.3.9-new/include/tpm_utils.h 2019-06-05 11:13:55.474783996 -0700 +@@ -71,7 +71,7 @@ + #define __no_optimize + #endif + +-void * __no_optimize __memset(void *s, int c, size_t n); ++void * __memset(void *s, int c, size_t n); + + typedef int (*CmdOptParser)( const int aOpt, const char *aOptArg ); + typedef void (*CmdHelpFunction)( const char *aCmd ); +diff -ur tpm-tools-1.3.9/lib/tpm_utils.c tpm-tools-1.3.9-new/lib/tpm_utils.c +--- tpm-tools-1.3.9/lib/tpm_utils.c 2014-07-23 13:37:12.000000000 -0700 ++++ tpm-tools-1.3.9-new/lib/tpm_utils.c 2019-06-05 11:13:41.570968364 -0700 +@@ -134,10 +134,12 @@ + return 0; + } + +-void * __no_optimize ++void * + __memset(void *s, int c, size_t n) + { +- return memset(s, c, n); ++ memset(s, c, n); ++ asm volatile("" ::: "memory"); ++ return s; + } + + /* diff --git a/SPECS/tpm-tools.spec b/SPECS/tpm-tools.spec new file mode 100644 index 0000000..d0ded9f --- /dev/null +++ b/SPECS/tpm-tools.spec 
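Review bot: The `EVP_DecryptInit(...)` and `EVP_EncryptInit(...)` calls directly below the new NULL checks still ignore their return value, so an init that fails (it returns 0, e.g. when the cipher is unavailable in the linked libcrypto) leaves ctx uninitialised and the Update/Final calls that follow operate on it anyway. Check it on both sides: in tpm_unseal.c `if (EVP_DecryptInit(ctx, EVP_aes_256_cbc(), symKey, (unsigned char *)TPMSEAL_IV) != 1) { rc = TPMSEAL_STD_ERROR; goto tss_out; }`, and in tpm_sealdata.c the same test followed by `logError(_("Unable to initialize cipher\n")); goto out_close;`. The constant TPMSEAL_IV used with CBC is a pre-existing property of the sealed-file format and is only acceptable while the key is fresh for every seal, which the name randKey suggests but this hunk does not show; a one-line comment at EVP_EncryptInit stating that requirement would help the next reader. Both tpmUnsealFile and main start before their hunks.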
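Review bot: The new barrier `asm volatile("" ::: "memory");` in __memset clobbers memory but does not name `s`, so it only forces the compiler to assume that memory whose address has escaped may be touched; for a stack buffer whose address was passed solely to the builtin memset the compiler can still conclude nothing observes the stores and drop them, which is exactly the dead-store elimination the removed `__no_optimize` attribute was guarding against. Pass the pointer as an operand so it counts as escaped: `__asm__ __volatile__("" : : "r"(s) : "memory");` (the `__asm__` spelling also survives a strict -std mode, where plain `asm` is not a keyword). On el8 (glibc 2.28) `explicit_bzero(s, n)` is available and would be the simpler choice for zeroing callers, though __memset takes an arbitrary fill byte so the barrier form is still needed for the general case. The `#define __no_optimize` block left in tpm_utils.h appears unused after this change; if nothing else references it, drop it.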
@@ -0,0 +1,222 @@ +Name: tpm-tools +Summary: Management tools for the TPM hardware +Version: 1.3.9 +Release: 7%{?dist} +License: CPL +URL: http://trousers.sourceforge.net +Source0: http://downloads.sourceforge.net/trousers/%{name}-%{version}.tar.gz +BuildRequires: trousers-devel openssl-devel opencryptoki-devel +Patch0001: 0001-Fix-build-with-OpenSSL-1.1-due-to-EVP_PKEY-being-an-.patch +Patch0002: 0002-Fix-build-with-OpenSSL-1.1-due-to-RSA-being-an-opaqu.patch +Patch0003: 0003-Allocate-OpenSSL-cipher-contexts-for-seal-unseal.patch +# Patches 4 & 5 submitted upstream by SUSE +Patch0004: 0001-tpm_version-avoid-outputting-NULL-bytes-from-tpmVend.patch +Patch0005: 0001-tpm_version-avoid-outputting-undefined-data-on-stder.patch +# submitted upstream +Patch0006: 0001-man-manpage-cleanup.patch +Patch0007: 0001-tpm-tools-fix-outdated-function-signature-in-tpmUnse.patch +Patch0008: tpm-tools-1.3.9-memset.patch + +%description +tpm-tools is a group of tools to manage and utilize the Trusted Computing +Group's TPM hardware. TPM hardware can create, store and use RSA keys +securely (without ever being exposed in memory), verify a platform's +software state using cryptographic hashes and more. + +%package pkcs11 +Summary: Management tools using PKCS#11 for the TPM hardware +# opencryptoki is dlopen'd, the Requires won't get picked up automatically +Requires: opencryptoki-libs%{?_isa} + +%description pkcs11 +tpm-tools-pkcs11 is a group of tools that use the TPM PKCS#11 token. All data +contained in the PKCS#11 data store is protected by the TPM (keys, +certificates, etc.). You can import keys and certificates, list out the +objects in the data store, and protect data. + +%package devel +Summary: Files to use the library routines supplied with tpm-tools +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description devel +tpm-tools-devel is a package that contains the libraries and headers necessary +for developing tpm-tools applications. 
+ +%prep +%autosetup -p1 -c %{name}-%{version} + +%build +%configure --disable-static --disable-rpath --disable-silent-rules +%make_build + +%install +%make_install INSTALL="install -p" +rm -f $RPM_BUILD_ROOT/%{_libdir}/libtpm_unseal.la +# autoreconf is not happy on rhel8 with tpm-tools, so temp +# work around to get new manpages in place +cp -p man/man1/tpm_unsealdata.1 %{buildroot}/%{_mandir}/man1 +cp -p man/man8/tpm_restrictsrk.8 %{buildroot}/%{_mandir}/man8 + +%post -p /sbin/ldconfig + +%postun -p /sbin/ldconfig + +%files +%license LICENSE +%doc README +%{_bindir}/tpm_* +%{_sbindir}/tpm_* +%{_libdir}/libtpm_unseal.so.?.?.? +%{_libdir}/libtpm_unseal.so.? +%{_mandir}/man1/tpm_* +%{_mandir}/man8/tpm_* + +%files pkcs11 +%license LICENSE +%{_bindir}/tpmtoken_* +%{_mandir}/man1/tpmtoken_* + +%files devel +%{_libdir}/libtpm_unseal.so +%{_includedir}/tpm_tools/ +%{_mandir}/man3/tpmUnseal* + +%changelog +* Wed Jun 12 2019 Jerry Snitselaar - 1.3.9-7 +- Make sure new manpages get installed. +resolves: rhbz#1669892 + +* Wed Jun 05 2019 Jerry Snitselaar - 1.3.9-6 +- Fix annocheck warning +resolves: rhbz#1624180 + +* Wed May 22 2019 Jerry Snitselaar - 1.3.9-5 +- Add CI gating support +- tpm_version: remove garbled text +resolves: rhbz#1669892 + +* Fri Feb 09 2018 Fedora Release Engineering - 1.3.9-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Aug 03 2017 Fedora Release Engineering - 1.3.9-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 1.3.9-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Mon Feb 20 2017 Michal Schmidt - 1.3.9-1 +- Upstream release 1.3.9. +- Add fixes for build errors with OpenSSL 1.1. +- Add fixes for NULL cipher context use in seal/unseal. +- spec file modernization. 
+ +* Sat Feb 11 2017 Fedora Release Engineering - 1.3.8-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Fri Feb 05 2016 Fedora Release Engineering - 1.3.8-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Fri Jun 19 2015 Fedora Release Engineering - 1.3.8-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Mon Aug 18 2014 Fedora Release Engineering - 1.3.8-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sun Jun 08 2014 Fedora Release Engineering - 1.3.8-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Thu Apr 03 2014 Michal Schmidt - 1.3.8-6 +- Fix FTBFS with current autotools (#1083627) +- Drop tpm-tools-1.3.7-build.patch, the package builds without it (#952372) + +* Sun Aug 04 2013 Fedora Release Engineering - 1.3.8-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Fri Feb 15 2013 Fedora Release Engineering - 1.3.8-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Sat Jul 21 2012 Fedora Release Engineering - 1.3.8-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Tue Jul 3 2012 Peter Robinson - 1.3.8-2 +- Cleanup spec and modernise spec + +* Fri Jun 22 2012 Steve Grubb 1.3.8-1 +- New upstream release + +* Sat Jan 14 2012 Fedora Release Engineering - 1.3.7-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Mon Sep 19 2011 Steve Grubb 1.3.7-1 +- New upstream release + +* Fri Jun 24 2011 Steve Grubb 1.3.5-5 +- Remove -Werror from compile flags (#716046) + +* Wed Feb 09 2011 Fedora Release Engineering - 1.3.5-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Thu Jul 08 2010 Michal Schmidt - 1.3.5-3 +- Add the LICENSE file to the -pkcs11 subpackage too, as it may be + installed independently. +- Remove useless macros. + +* Sun Feb 14 2010 Michal Schmidt - 1.3.5-2 +- Fix for DSO linking change. 
+ +* Mon Feb 01 2010 Steve Grubb 1.3.5-1 +- New upstream bug fix release + +* Fri Jan 29 2010 Steve Grubb 1.3.4-2 +- Remove rpaths + +* Wed Oct 21 2009 Michal Schmidt - 1.3.4-1 +- Upstream release 1.3.4: + - adds SRK password support on unsealing +- LICENSE is back. +- Remove no longer needed patch: + tpm-tools-1.3.3-check-fwrite-success.patch + +* Fri Aug 21 2009 Tomas Mraz - 1.3.3-2 +- rebuilt with new openssl + +* Fri Aug 07 2009 Michal Schmidt 1.3.3-1 +- New upstream release 1.3.3. +- No longer needed patch, dropped: + tpm-tools-conditionally-build-tpmtoken-manpages-Makefile.in.patch +- Use global instead of define for macros. +- Remove rpaths. +- LICENSE file is suddenly missing in upstream tarball. +- Added patch to allow compilation: + tpm-tools-1.3.3-check-fwrite-success.patch + +* Wed Jul 29 2009 Michal Schmidt 1.3.1-10 +- Split the pkcs11 utilities into a subpackage. + +* Wed Jul 29 2009 Michal Schmidt 1.3.1-9 +- Enable pkcs11 support (tpmtoken_* utilities). + +* Sun Jul 26 2009 Fedora Release Engineering - 1.3.1-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Wed Feb 25 2009 Fedora Release Engineering - 1.3.1-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Sun Jan 18 2009 Tomas Mraz - 1.3.1-6 +- rebuild with new openssl + +* Tue Feb 19 2008 Fedora Release Engineering - 1.3.1-5 +- Autorebuild for GCC 4.3 + +* Tue Dec 18 2007 Kent Yoder - 1.3.1-4 +- Updated for comments in RHIT#394941 comment #6 +* Fri Dec 14 2007 Kent Yoder - 1.3.1-3 +- Updated to own the includedir/tpm_tools directory, removed +requirement on trousers and ldconfig in post/postun +* Thu Dec 13 2007 Kent Yoder - 1.3.1-2 +- Updated for Fedora package submission guidelines +* Fri Nov 16 2007 Kent Yoder - 1.3.1 +- Updates to configure +* Fri Oct 05 2007 Kent Yoder - 1.2.5.1 +- Updated build section to use smp_mflags +
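Review bot: Source0 (`http://downloads.sourceforge.net/trousers/%{name}-%{version}.tar.gz`) and URL are plain http, and the only integrity pin in this import is the SHA-1 recorded in .tpm-tools.metadata, so the tarball's provenance rests on a downgrade-prone transport plus a hash that only guards the lookaside-cache copy. Switch both to `https://` and, if upstream publishes detached signatures for the trousers tarballs (not verifiable from here), add `Source1: %{name}-%{version}.tar.gz.asc` plus a keyring source and run `%{gpgverify} --keyring=%{SOURCE2} --signature=%{SOURCE1} --data=%{SOURCE0}` at the top of %prep. The `cp -p man/...` lines in %install paper over the autoreconf failure noted in the comment; since Patch0006 already adds both manpages to Makefile.am, the workaround should carry a TODO to remove it once the build regenerates the makefiles, otherwise the two install paths will drift.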