import tpm-tools-1.3.9-7.el8

SOURCES/0001-man-manpage-cleanup.patch

@@ -0,0 +1,232 @@
+From 65ca7418b9a884bb5271e602cf63fc8845397988 Mon Sep 17 00:00:00 2001
+From: Jerry Snitselaar <jsnitsel@redhat.com>
+Date: Sun, 27 Jan 2019 21:55:19 -0700
+Subject: [PATCH] man: manpage cleanup
+
+tpm_restrictsrk and tpm_unsealdata are missing manpages.
+Add missing options to tpm_nvdefine and tpm_setpresence.
+
+Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
+---
+ man/man1/Makefile.am       |  1 +
+ man/man1/tpm_unsealdata.1  | 60 +++++++++++++++++++++++++++++++++
+ man/man8/Makefile.am       |  1 +
+ man/man8/tpm_nvdefine.8    | 13 ++++++--
+ man/man8/tpm_restrictsrk.8 | 68 ++++++++++++++++++++++++++++++++++++++
+ man/man8/tpm_setpresence.8 |  3 ++
+ 6 files changed, 144 insertions(+), 2 deletions(-)
+ create mode 100644 man/man1/tpm_unsealdata.1
+ create mode 100644 man/man8/tpm_restrictsrk.8
+
+diff --git a/man/man1/Makefile.am b/man/man1/Makefile.am
+index ff8b571..f833363 100644
+--- a/man/man1/Makefile.am
++++ b/man/man1/Makefile.am
+@@ -22,6 +22,7 @@
+ #
+ 
+ man1_MANS	=	tpm_sealdata.1		\
++			tpm_unsealdata.1	\
+ 			tpm_version.1
+ if P11_SUPPORT
+ man1_MANS	+=	tpmtoken_init.1		\
+diff --git a/man/man1/tpm_unsealdata.1 b/man/man1/tpm_unsealdata.1
+new file mode 100644
+index 0000000..80e8f12
+--- /dev/null
++++ b/man/man1/tpm_unsealdata.1
+@@ -0,0 +1,60 @@
++.\" Copyright (C) 2019 International Business Machines Corporation
++.\"
++.de Sh \" Subsection
++.br
++.if t .Sp
++.ne 5
++.PP
++\fB\\$1\fR
++.PP
++..
++.de Sp \" Vertical space (when we can't use .PP)
++.if t .sp .5v
++.if n .sp
++..
++.de Ip \" List item
++.br
++.ie \\n(.$>=3 .ne \\$3
++.el .ne 3
++.IP "\\$1" \\$2
++..
++.TH "tpm_unsealdata" 1 "2019-01-27"  "TPM Management"
++.ce 1
++TPM Management - tpm_unsealdata
++.SH NAME
++tpm_unsealdata \- unseal input data with the SRK of the system's TPM
++.SH "SYNOPSIS"
++.ad l
++.hy 0
++.B tpm_unsealdata
++.RB [ OPTION ]
++
++.SH "DESCRIPTION"
++.PP
++\fBtpm_unsealdata\fR unseals sensitive data that was sealed the SRK of the system's TPM.
++
++.TP
++\fB\-h\fR, \fB\-\-help\fR
++Display command usage info.
++.TP
++\fB-v\fR, \fB\-\-version\fR
++Display command version info.
++.TP
++\fB-l\fR, \fB\-\-log\fR [none|error|info|debug]
++Set logging level.
++.TP
++\fB-i\fR, \fB\-\-infile FILE\fR
++File containing data to unseal.
++.TP
++\fB-o\fR, \fB\-\-outfile FILE\fR
++Filename to write unsealed data to.  Default is STDOUT.
++.TP
++\fB-z\fR, \fB\-\-well-known\fR
++Use TSS_WELL_KNOWN_SECRET (20 zero bytes) as the SRK password. You will not be prompted for the SRK password with this option.
++
++.SH "SEE ALSO"
++.PP
++\fBtpm_sealdata\fR(1), \fBtpmUnsealFile\fR(3)
++
++.SH "REPORTING BUGS"
++Report bugs to <trousers-users@lists.sourceforge.net>
+diff --git a/man/man8/Makefile.am b/man/man8/Makefile.am
+index b38ac18..487a4c8 100644
+--- a/man/man8/Makefile.am
++++ b/man/man8/Makefile.am
+@@ -36,6 +36,7 @@ man8_MANS =	tpm_changeownerauth.8	\
+ 		tpm_createek.8		\
+ 		tpm_getpubek.8		\
+ 		tpm_restrictpubek.8	\
++		tpm_restrictsrk.8	\
+ 		tpm_selftest.8		\
+ 		tpm_setactive.8		\
+ 		tpm_setclearable.8	\
+diff --git a/man/man8/tpm_nvdefine.8 b/man/man8/tpm_nvdefine.8
+index 13edb78..0eecc2a 100644
+--- a/man/man8/tpm_nvdefine.8
++++ b/man/man8/tpm_nvdefine.8
+@@ -161,8 +161,8 @@ using \s-1TSS\s0 popup boxes
+ .IP "\fB\-y, \-\-owner\-well\-known\fR" 4
+ .IX Item "-y, --owner-well-known"
+ Use a secret of all zeros (20 bytes of zeros) as the owner's secret.
+-.IP "\fB\-z, \-\-area\-well\-known\fR" 4
+-.IX Item "-z, --area-well-known"
++.IP "\fB\-z, \-\-data\-well\-known\fR" 4
++.IX Item "-z, --data-well-known"
+ Use a secret of all zeros (20 bytes of zeros) as the \s-1NVRAM\s0 area's secret.
+ .IP "\fB\-o, \-\-pwdo\fR (optional parameter)" 4
+ .IX Item "-o, --pwdo (optional parameter)"
+@@ -189,6 +189,15 @@ To select the \s-1NVRAM\s0 area with index 0x100, the command line parameter sho
+ .IX Item "-s, --size"
+ The size of the \s-1NVRAM\s0 area.
+ The parameter must either be a decimal number or a hexadecimal number starting with '0x'.
++.IP "\fB\-r, \-\-rpcsr\fR" 4
++.IX Item "-r, --rpcrs"
++PCRs to seal the NVRAM area to for reading (use multiple times)
++.IP "\fB\-w, \-\-wpcrs\fR" 4
++.IX Item "-w, --wpcrs"
++PCRs to seal the NVRAM area to for writing (use multiple times)
++.IP "\fB\-f, \-\-filename\fR" 4
++.IX Item "-f, --filename"
++File containing PCR info for the NVRAM area.
+ .IP "\fB\-p, \-\-permissions\fR" 4
+ .IX Item "-p, --permissions"
+ The access permissions associated with the \s-1NVRAM\s0 area.
+diff --git a/man/man8/tpm_restrictsrk.8 b/man/man8/tpm_restrictsrk.8
+new file mode 100644
+index 0000000..7935b7b
+--- /dev/null
++++ b/man/man8/tpm_restrictsrk.8
+@@ -0,0 +1,68 @@
++.\" Copyright (C) 2019 International Business Machines Corporation
++.\"
++.de Sh \" Subsection
++.br
++.if t .Sp
++.ne 5
++.PP
++\fB\\$1\fR
++.PP
++..
++.de Sp \" Vertical space (when we can't use .PP)
++.if t .sp .5v
++.if n .sp
++..
++.de Ip \" List item
++.br
++.ie \\n(.$>=3 .ne \\$3
++.el .ne 3
++.IP "\\$1" \\$2
++..
++.TH "tpm_restrictsrk" 8 "2019-01-27"  "TPM Management"
++.ce 1
++TPM Management - tpm_restrictsrk
++.SH NAME
++tpm_restrictsrk \- restrict the ability to access the Storage Root Key
++.SH "SYNOPSIS"
++.ad l
++.hy 0
++.B tpm_restrictsrk
++.RB [ OPTION ]
++
++.SH "DESCRIPTION"
++.PP
++\fBtpm_restrictsrk\fR reports the status of who can access the Storage Root Key.  This is the default behavior and also available with the \fB\-\-status\fR option.
++This operation will be in effect until the owner is cleared and prompts for the owner passord.  With the \fB\-\-restrict\fR option, the ability to access the Storage Root Key is resticted to the owner.
++The command prompts for the owner password to complete the operation.  The \fB\-\-allow\fR and \fB\-\-restrict\fR options are mutually exclusive and the last one on the command line will be carried out.
++
++.TP
++\fB\-h\fR, \fB\-\-help\fR
++Display command usage info.
++.TP
++\fB-v\fR, \fB\-\-version\fR
++Display command version info.
++.TP
++\fB-l\fR, \fB\-\-log\fR [none|error|info|debug]
++Set logging level.
++.TP
++\fB-u\fR, \fB\-\-unicode\fR
++Use TSS UNICODE encoding for passwords to comply with applications using TSS popup boxes
++.TP
++\fB-a\fR, \fB\-\-allow\fR
++Allow SRK read access using SRK auth
++.TP
++\fB-s\fR, \fB\-\-status\fR
++Display the status of who can access the Storage Root Key
++.TP
++\fB-r\fR, \fB\-\-restrict\fR
++Restrict SRK read to owner only
++.TP
++\fB-z\fR, \fB\-\-well-known\fR
++Authenticate using 20 bytes of zeros as owner password (the default TSS Well Known Secret), instead of prompting for an owner password.
++
++.SH "SEE ALSO"
++.PP
++\fBtpm_version\fR(1), \fBtpm_takeownership\fR(8), \fBtcsd\fR(8)
++
++.SH "REPORTING BUGS"
++Report bugs to <trousers-users@lists.sourceforge.net>
+diff --git a/man/man8/tpm_setpresence.8 b/man/man8/tpm_setpresence.8
+index a04c70f..96670e0 100644
+--- a/man/man8/tpm_setpresence.8
++++ b/man/man8/tpm_setpresence.8
+@@ -46,6 +46,9 @@ Set logging level.
+ \fB-u\fR, \fB\-\-unicode\fR
+ Use TSS UNICODE encoding for passwords to comply with applications using TSS popup boxes
+ .TP
++\fB-s\fR, \fB\-\-status\fR
++Report current physical presence states.
++.TP
+ \fB-a\fR, \fB\-\-assert\fR
+ Assert that an admin is physically present at the machine.
+ .TP
+-- 
+2.20.1.98.gecbdaf0899
+

SOURCES/0001-tpm-tools-fix-outdated-function-signature-in-tpmUnse.patch

@@ -0,0 +1,29 @@
+From d11a2d62797e6794105470c1dd5f99017d9484e3 Mon Sep 17 00:00:00 2001
+From: Jerry Snitselaar <jsnitsel@redhat.com>
+Date: Sun, 27 Jan 2019 23:17:02 -0700
+Subject: [PATCH] tpm-tools: fix outdated function signature in tpmUnsealFile
+ manpage
+
+The tpmUnsealFile manpage hasn't been updated with changes to tpmUnsealFile.
+
+Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
+---
+ man/man3/tpmUnsealFile.3 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/man/man3/tpmUnsealFile.3 b/man/man3/tpmUnsealFile.3
+index 1fda48f..c362298 100644
+--- a/man/man3/tpmUnsealFile.3
++++ b/man/man3/tpmUnsealFile.3
+@@ -28,7 +28,7 @@ tpmUnsealFile, tpmUnsealShred, tpmUnsealStrerror - unseal routines
+ .hy 0
+ .B #include <tpm_unseal/tpm_unseal.h>
+ .sp
+-.B int tpmUnsealFile(char* file, char** data, int* size);
++.B int tpmUnsealFile(char* fname, char** tss_data, int* tss_size, BOOL srkWellKnown);
+ .br
+ .B void tpmUnsealShred(char* data, int size);
+ .br
+-- 
+2.20.1.98.gecbdaf0899
+

SOURCES/0001-tpm_version-avoid-outputting-NULL-bytes-from-tpmVend.patch

@@ -0,0 +1,54 @@
+From c927f67f36a4719bd15b8a535efb6980f1e87a6b Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner <matthias.gerstner@suse.de>
+Date: Fri, 30 Nov 2018 12:48:37 +0100
+Subject: [PATCH] tpm_version: avoid outputting NULL bytes from tpmVendorID
+
+When the vendor ID contains null bytes then '^@' characters appear in
+the tpm_version output. This can confuse users and it also causes e.g.
+'grep' to treat the input as binary. Example:
+
+  TPM Vendor ID:       WEC\000
+
+This change copies the vendor ID bytes over into a local string object.
+This makes the code more independent of the vendor ID dimension and also
+avoids NULL bytes being printed.
+---
+ src/tpm_mgmt/tpm_version.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/src/tpm_mgmt/tpm_version.c b/src/tpm_mgmt/tpm_version.c
+index 1019b71..78b78e8 100644
+--- a/src/tpm_mgmt/tpm_version.c
++++ b/src/tpm_mgmt/tpm_version.c
+@@ -133,6 +133,7 @@ int cmdVersion(const char *a_szCmd)
+ 		UINT64 offset;
+ 		TSS_RESULT uiResult;
+ 		TPM_CAP_VERSION_INFO versionInfo;
++		char vendor_id[sizeof(versionInfo.tpmVendorID)+1];
+ 		char *errbuf = NULL; // Buffer containing what was sent to stderr during getCapability.
+ 
+ 		/* Disable logging to of "Bad Mode" during this call. 
+@@ -169,15 +170,17 @@ int cmdVersion(const char *a_szCmd)
+ 			goto out_close;
+ 		}
+ 
++		// copy over the individual characters into a regular string.
++		// This avoids that null bytes are written to stdout.
++		snprintf ( vendor_id, sizeof(vendor_id), "%s", (const char*)versionInfo.tpmVendorID );
++
+ 		logMsg(_("  TPM 1.2 Version Info:\n"));
+ 		logMsg(_("  Chip Version:        %hhu.%hhu.%hhu.%hhu\n"),
+ 		       versionInfo.version.major, versionInfo.version.minor,
+ 		       versionInfo.version.revMajor, versionInfo.version.revMinor);
+ 		logMsg(_("  Spec Level:          %hu\n"), versionInfo.specLevel);
+ 		logMsg(_("  Errata Revision:     %hhu\n"), versionInfo.errataRev);
+-		logMsg(_("  TPM Vendor ID:       %c%c%c%c\n"),
+-		       versionInfo.tpmVendorID[0], versionInfo.tpmVendorID[1],
+-		       versionInfo.tpmVendorID[2], versionInfo.tpmVendorID[3]);
++		logMsg(_("  TPM Vendor ID:       %s\n"), vendor_id);
+ 
+ 		if (versionInfo.vendorSpecificSize) {
+ 			logMsg(_("  Vendor Specific data: "));
+-- 
+2.18.1
+

SOURCES/0001-tpm_version-avoid-outputting-undefined-data-on-stder.patch

@@ -0,0 +1,38 @@
+From f0f30ff3e3b08751ebb8524303d80b6e94882134 Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner <matthias.gerstner@suse.de>
+Date: Fri, 30 Nov 2018 13:17:01 +0100
+Subject: [PATCH] tpm_version: avoid outputting undefined data on stderr
+
+If there was no data written to the temporary file then memsize == 1, no
+data will be read from the file into the buffer and the buffer will not
+be null terminated. This can cause random data to be output later on to
+the original stderr like:
+
+'#precedence ::ffff:0:0/'
+
+or
+
+'xl?8?'
+
+Fix this by making sure the buffer is always zero terminated.
+---
+ src/tpm_mgmt/tpm_version.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/tpm_mgmt/tpm_version.c b/src/tpm_mgmt/tpm_version.c
+index 78b78e8..e563a8c 100644
+--- a/src/tpm_mgmt/tpm_version.c
++++ b/src/tpm_mgmt/tpm_version.c
+@@ -99,6 +99,9 @@ char* end_capture_stderr(int olderr)
+     perror("read()");
+   }
+ 
++  // make sure the buffer is null terminated.
++  buf[st.st_size] = '\0';
++
+   // Restore stderr.
+  errout:
+   if (0 > dup2(olderr, STDERR_FILENO)) {
+-- 
+2.18.1
+

SOURCES/tpm-tools-1.3.9-memset.patch

@@ -0,0 +1,30 @@
+diff -ur tpm-tools-1.3.9/include/tpm_utils.h tpm-tools-1.3.9-new/include/tpm_utils.h
+--- tpm-tools-1.3.9/include/tpm_utils.h	2014-07-23 13:37:12.000000000 -0700
++++ tpm-tools-1.3.9-new/include/tpm_utils.h	2019-06-05 11:13:55.474783996 -0700
+@@ -71,7 +71,7 @@
+ #define __no_optimize
+ #endif
+ 
+-void * __no_optimize __memset(void *s, int c, size_t n);
++void * __memset(void *s, int c, size_t n);
+ 
+ typedef int (*CmdOptParser)( const int aOpt, const char *aOptArg );
+ typedef void (*CmdHelpFunction)( const char *aCmd );
+diff -ur tpm-tools-1.3.9/lib/tpm_utils.c tpm-tools-1.3.9-new/lib/tpm_utils.c
+--- tpm-tools-1.3.9/lib/tpm_utils.c	2014-07-23 13:37:12.000000000 -0700
++++ tpm-tools-1.3.9-new/lib/tpm_utils.c	2019-06-05 11:13:41.570968364 -0700
+@@ -134,10 +134,12 @@
+ 	return 0;
+ }
+ 
+-void * __no_optimize
++void *
+ __memset(void *s, int c, size_t n)
+ {
+-	return memset(s, c, n);
++	memset(s, c, n);
++	asm volatile("" ::: "memory");
++	return s;
+ }
+ 
+ /*

SPECS/tpm-tools.spec

@@ -1,7 +1,7 @@
 Name:             tpm-tools
 Summary:          Management tools for the TPM hardware
 Version:          1.3.9
-Release:          4%{?dist}
+Release:          7%{?dist}
 License:          CPL
 URL:              http://trousers.sourceforge.net
 Source0:          http://downloads.sourceforge.net/trousers/%{name}-%{version}.tar.gz
@@ -9,6 +9,13 @@ BuildRequires:    trousers-devel openssl-devel opencryptoki-devel
 Patch0001:        0001-Fix-build-with-OpenSSL-1.1-due-to-EVP_PKEY-being-an-.patch
 Patch0002:        0002-Fix-build-with-OpenSSL-1.1-due-to-RSA-being-an-opaqu.patch
 Patch0003:        0003-Allocate-OpenSSL-cipher-contexts-for-seal-unseal.patch
+# Patches 4 & 5 submitted upstream by SUSE
+Patch0004:        0001-tpm_version-avoid-outputting-NULL-bytes-from-tpmVend.patch
+Patch0005:        0001-tpm_version-avoid-outputting-undefined-data-on-stder.patch
+# submitted upstream
+Patch0006:        0001-man-manpage-cleanup.patch
+Patch0007:        0001-tpm-tools-fix-outdated-function-signature-in-tpmUnse.patch
+Patch0008:        tpm-tools-1.3.9-memset.patch
 
 %description
 tpm-tools is a group of tools to manage and utilize the Trusted Computing
@@ -45,6 +52,10 @@ for developing tpm-tools applications.
 %install
 %make_install INSTALL="install -p"
 rm -f $RPM_BUILD_ROOT/%{_libdir}/libtpm_unseal.la
+# autoreconf is not happy on rhel8 with tpm-tools, so temp
+# work around to get new manpages in place
+cp -p man/man1/tpm_unsealdata.1 %{buildroot}/%{_mandir}/man1
+cp -p man/man8/tpm_restrictsrk.8 %{buildroot}/%{_mandir}/man8
 
 %post -p /sbin/ldconfig
 
@@ -71,6 +82,19 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libtpm_unseal.la
 %{_mandir}/man3/tpmUnseal*
 
 %changelog
+* Wed Jun 12 2019 Jerry Snitselaar <jsnitsel@redhat.com> - 1.3.9-7
+- Make sure new manpages get installed.
+resolves: rhbz#1669892
+
+* Wed Jun 05 2019 Jerry Snitselaar <jsnitsel@redhat.com> - 1.3.9-6
+- Fix annocheck warning
+resolves: rhbz#1624180
+
+* Wed May 22 2019 Jerry Snitselaar <jsnitsel@redhat.com> - 1.3.9-5
+- Add CI gating support
+- tpm_version: remove garbled text
+resolves: rhbz#1669892
+
 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.9-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild