2
.gitignore
@ -1,2 +1,2 @@
|
||||
SOURCES/gpgkey-8E1F50C1.gpg
|
||||
SOURCES/tpm2-pkcs11-1.5.0.tar.gz
|
||||
SOURCES/tpm2-pkcs11-1.6.0.tar.gz
|
||||
|
@ -1,2 +1,2 @@
|
||||
46f82c0fdf30219e0d95c6e9291bbc708b315080 SOURCES/gpgkey-8E1F50C1.gpg
|
||||
9d4ad805203f0f063772f0c737bed949dfff52bd SOURCES/tpm2-pkcs11-1.5.0.tar.gz
|
||||
80b9b8b11f1469e22682acb710a052ed396a43da SOURCES/tpm2-pkcs11-1.6.0.tar.gz
|
||||
|
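--- a/SOURCES/0001-Backup-with-sqlite3-special-command.patch
+++ b/SOURCES/0001-Backup-with-sqlite3-special-command.patch
@@ -0,0 +1,43 @@
+From fc21b98dced2c78f90f917c1a45a28184024d604 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Hor=C3=A1=C4=8Dek?=
+<shoracek@redhat.com>
+Date: Tue, 6 Sep 2022 16:54:33 +0200
+Subject: [PATCH 1/6] Backup with sqlite3 special command
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Upstream uses method introduced in Python 3.7, but RHEL 8 uses
+Python 3.6. This means that the method is not available and using the
+command line interface seems to be the simplest solution.
+
+Signed-off-by: Štěpán Horáček <shoracek@redhat.com>
+---
+tools/tpm2_pkcs11/db.py | 3 ++-
+1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tpm2_pkcs11/db.py b/tools/tpm2_pkcs11/db.py
+index 7971028..1b18b8f 100644
+--- a/tools/tpm2_pkcs11/db.py
++++ b/tools/tpm2_pkcs11/db.py
+@@ -6,6 +6,7 @@ import sys
+import sqlite3
+import textwrap
+import yaml
++import subprocess
+
+from .pkcs11t import (
+CKA_ALLOWED_MECHANISMS,
+@@ -258,8 +259,8 @@ class Db(object):
+if os.path.exists(dbpath):
+raise RuntimeError("Backup DB exists at {} not overwriting. "
+"Refusing to run".format(dbpath))
++ subprocess.run(["sqlite3", self._path, ".backup {}".format(dbpath)])
+bck = sqlite3.connect(dbpath)
+- con.backup(bck)
+return (bck, dbpath)
+
+def _update_on_2(self, dbbakcon):
+--
+2.38.1
+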
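Review bot: The new `subprocess.run` call on the `.backup` line ignores the exit status, so a backup that fails inside the sqlite3 shell (a missing binary raises FileNotFoundError, a non-zero exit does not) falls through to `sqlite3.connect(dbpath)`, which presumably creates an empty file, and the caller continues with an empty backup. Pass `check=True` so the failure surfaces: `subprocess.run(["sqlite3", self._path, ".backup {}".format(dbpath)], check=True)`. The dot-command argument is tokenized by the sqlite3 shell, so a `dbpath` containing whitespace or quotes would presumably be split; the assumption should be documented or the path quoted. This change also makes the `sqlite3` command-line binary a runtime dependency of tpm2_ptool, which should be declared in the package spec (not visible here). The enclosing method starts and ends outside the hunk.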
@ -0,0 +1,158 @@
|
||||
From f633526b34c052514f3739cb1e08fdac38603eea Mon Sep 17 00:00:00 2001
|
||||
From: William Roberts <william.c.roberts@intel.com>
|
||||
Date: Wed, 5 May 2021 11:52:23 -0500
|
||||
Subject: [PATCH 2/6] utils: fix stringop-overread in str_padded_copy
|
||||
|
||||
cc1: all warnings being treated as errors
|
||||
| make: *** [Makefile:1953: src/lib/slot.lo] Error 1
|
||||
| make: *** Waiting for unfinished jobs....
|
||||
| In file included from src/lib/mutex.h:10,
|
||||
| from src/lib/session_ctx.h:6,
|
||||
| from src/lib/digest.h:13,
|
||||
| from src/lib/tpm.c:28:
|
||||
| In function 'str_padded_copy',
|
||||
| inlined from 'tpm_get_token_info' at src/lib/tpm.c:742:5:
|
||||
| src/lib/utils.h:42:5: error: 'strnlen' specified bound 32 exceeds source size 5 [-Werror=stringop-overread]
|
||||
| 42 | memcpy(dst, src, strnlen((char *)(src), dst_len));
|
||||
| | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
| src/lib/utils.h: In function 'tpm_get_token_info':
|
||||
| src/lib/tpm.c:739:19: note: source object declared here
|
||||
| 739 | unsigned char manufacturerID[sizeof(UINT32)+1] = {0}; // 4 bytes + '\0' as temp storage
|
||||
| | ^~~~~~~~~~~~~~
|
||||
| cc1: all warnings being treated as errors
|
||||
| make: *** [Makefile:1953: src/lib/tpm.lo] Error 1
|
||||
| WARNING: exit code 1 from a shell command.
|
||||
|
||||
Fixes #676
|
||||
|
||||
Signed-off-by: William Roberts <william.c.roberts@intel.com>
|
||||
---
|
||||
src/lib/general.c | 8 ++++----
|
||||
src/lib/general.h | 2 +-
|
||||
src/lib/slot.c | 4 ++--
|
||||
src/lib/token.c | 4 ++--
|
||||
src/lib/tpm.c | 7 +++----
|
||||
src/lib/utils.h | 6 ++++--
|
||||
6 files changed, 16 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/src/lib/general.c b/src/lib/general.c
|
||||
index 9b7327c..eaddaf8 100644
|
||||
--- a/src/lib/general.c
|
||||
+++ b/src/lib/general.c
|
||||
@@ -19,8 +19,8 @@
|
||||
#define VERSION "UNKNOWN"
|
||||
#endif
|
||||
|
||||
-#define LIBRARY_DESCRIPTION (CK_UTF8CHAR_PTR)"TPM2.0 Cryptoki"
|
||||
-#define LIBRARY_MANUFACTURER (CK_UTF8CHAR_PTR)"tpm2-software.github.io"
|
||||
+static const CK_UTF8CHAR LIBRARY_DESCRIPTION[] = "TPM2.0 Cryptoki";
|
||||
+static const CK_UTF8CHAR LIBRARY_MANUFACTURER[] = "tpm2-software.github.io";
|
||||
|
||||
#define CRYPTOKI_VERSION { \
|
||||
.major = CRYPTOKI_VERSION_MAJOR, \
|
||||
@@ -78,8 +78,8 @@ CK_RV general_get_info(CK_INFO *info) {
|
||||
|
||||
static CK_INFO *_info = NULL;
|
||||
if (!_info) {
|
||||
- str_padded_copy(_info_.manufacturerID, LIBRARY_MANUFACTURER, sizeof(_info_.manufacturerID));
|
||||
- str_padded_copy(_info_.libraryDescription, LIBRARY_DESCRIPTION, sizeof(_info_.libraryDescription));
|
||||
+ str_padded_copy(_info_.manufacturerID, LIBRARY_MANUFACTURER);
|
||||
+ str_padded_copy(_info_.libraryDescription, LIBRARY_DESCRIPTION);
|
||||
|
||||
parse_lib_version(&_info_.libraryVersion.major,
|
||||
&_info_.libraryVersion.minor);
|
||||
diff --git a/src/lib/general.h b/src/lib/general.h
|
||||
index 14a18e4..356c142 100644
|
||||
--- a/src/lib/general.h
|
||||
+++ b/src/lib/general.h
|
||||
@@ -10,7 +10,7 @@
|
||||
#define TPM2_TOKEN_LABEL "TPM2 PKCS#11 Token"
|
||||
#define TPM2_TOKEN_MANUFACTURER "Intel"
|
||||
#define TPM2_TOKEN_MODEL "TPM2 PKCS#11"
|
||||
-#define TPM2_TOKEN_SERIAL_NUMBER "0000000000000000"
|
||||
+static const CK_UTF8CHAR TPM2_TOKEN_SERIAL_NUMBER[] = "0000000000000000";
|
||||
#define TPM2_TOKEN_HW_VERSION { 0, 0 }
|
||||
#define TPM2_TOKEN_FW_VERSION { 0, 0 }
|
||||
|
||||
diff --git a/src/lib/slot.c b/src/lib/slot.c
|
||||
index 548d22b..6db5bb9 100644
|
||||
--- a/src/lib/slot.c
|
||||
+++ b/src/lib/slot.c
|
||||
@@ -119,8 +119,8 @@ CK_RV slot_get_info (CK_SLOT_ID slot_id, CK_SLOT_INFO *info) {
|
||||
return CKR_GENERAL_ERROR;
|
||||
}
|
||||
|
||||
- str_padded_copy(info->manufacturerID, token_info.manufacturerID, sizeof(info->manufacturerID));
|
||||
- str_padded_copy(info->slotDescription, token_info.label, sizeof(info->slotDescription));
|
||||
+ str_padded_copy(info->manufacturerID, token_info.manufacturerID);
|
||||
+ str_padded_copy(info->slotDescription, token_info.label);
|
||||
|
||||
info->hardwareVersion = token_info.hardwareVersion;
|
||||
info->firmwareVersion = token_info.firmwareVersion;
|
||||
diff --git a/src/lib/token.c b/src/lib/token.c
|
||||
index 6d7ebd2..c721129 100644
|
||||
--- a/src/lib/token.c
|
||||
+++ b/src/lib/token.c
|
||||
@@ -317,8 +317,8 @@ CK_RV token_get_info (token *t, CK_TOKEN_INFO *info) {
|
||||
}
|
||||
|
||||
// Identification
|
||||
- str_padded_copy(info->label, t->label, sizeof(info->label));
|
||||
- str_padded_copy(info->serialNumber, (unsigned char*) TPM2_TOKEN_SERIAL_NUMBER, sizeof(info->serialNumber));
|
||||
+ str_padded_copy(info->label, t->label);
|
||||
+ str_padded_copy(info->serialNumber, TPM2_TOKEN_SERIAL_NUMBER);
|
||||
|
||||
|
||||
// Memory: TODO not sure what memory values should go here, the platform?
|
||||
diff --git a/src/lib/tpm.c b/src/lib/tpm.c
|
||||
index 1639df4..7f9f052 100644
|
||||
--- a/src/lib/tpm.c
|
||||
+++ b/src/lib/tpm.c
|
||||
@@ -740,15 +740,14 @@ CK_RV tpm_get_token_info (tpm_ctx *ctx, CK_TOKEN_INFO *info) {
|
||||
unsigned char manufacturerID[sizeof(UINT32)+1] = {0}; // 4 bytes + '\0' as temp storage
|
||||
UINT32 manufacturer = ntohl(tpmProperties[TPM2_PT_MANUFACTURER - TPM2_PT_FIXED].value);
|
||||
memcpy(manufacturerID, (unsigned char*) &manufacturer, sizeof(uint32_t));
|
||||
- str_padded_copy(info->manufacturerID, manufacturerID, sizeof(info->manufacturerID));
|
||||
+ str_padded_copy(info->manufacturerID, manufacturerID);
|
||||
|
||||
// Map human readable Manufacturer String, if available,
|
||||
// otherwise 4 byte ID was already padded and will be used.
|
||||
for (unsigned int i=0; i < ARRAY_LEN(TPM2_MANUFACTURER_MAP); i++){
|
||||
if (!strncasecmp((char *)info->manufacturerID, TPM2_MANUFACTURER_MAP[i][0], 4)) {
|
||||
str_padded_copy(info->manufacturerID,
|
||||
- (unsigned char *)TPM2_MANUFACTURER_MAP[i][1],
|
||||
- sizeof(info->manufacturerID));
|
||||
+ (unsigned char *)TPM2_MANUFACTURER_MAP[i][1]);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -758,7 +757,7 @@ CK_RV tpm_get_token_info (tpm_ctx *ctx, CK_TOKEN_INFO *info) {
|
||||
vendor[1] = ntohl(tpmProperties[TPM2_PT_VENDOR_STRING_2 - TPM2_PT_FIXED].value);
|
||||
vendor[2] = ntohl(tpmProperties[TPM2_PT_VENDOR_STRING_3 - TPM2_PT_FIXED].value);
|
||||
vendor[3] = ntohl(tpmProperties[TPM2_PT_VENDOR_STRING_4 - TPM2_PT_FIXED].value);
|
||||
- str_padded_copy(info->model, (unsigned char*) &vendor, sizeof(info->model));
|
||||
+ str_padded_copy(info->model, (unsigned char*) &vendor);
|
||||
|
||||
return CKR_OK;
|
||||
}
|
||||
diff --git a/src/lib/utils.h b/src/lib/utils.h
|
||||
index 81c61fa..cf35746 100644
|
||||
--- a/src/lib/utils.h
|
||||
+++ b/src/lib/utils.h
|
||||
@@ -39,9 +39,11 @@
|
||||
|
||||
int str_to_ul(const char *val, size_t *res);
|
||||
|
||||
-static inline void str_padded_copy(CK_UTF8CHAR_PTR dst, const CK_UTF8CHAR_PTR src, size_t dst_len) {
|
||||
+#define str_padded_copy(dst, src) _str_padded_copy(dst, sizeof(dst), src, strnlen((const char *)src, sizeof(src)))
|
||||
+static inline void _str_padded_copy(CK_UTF8CHAR_PTR dst, size_t dst_len, const CK_UTF8CHAR *src, size_t src_len) {
|
||||
memset(dst, ' ', dst_len);
|
||||
- memcpy(dst, src, strnlen((char *)(src), dst_len));
|
||||
+ memcpy(dst, src, src_len);
|
||||
+ LOGE("BILL(%zu): %.*s\n", dst_len, dst_len, dst);
|
||||
}
|
||||
|
||||
twist utils_hash_pass(const twist pin, const twist salt);
|
||||
--
|
||||
2.38.1
|
||||
|
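Review bot: `_str_padded_copy` in the utils.h hunk copies `src_len` bytes into `dst` without clamping to `dst_len`, so the helper now relies on every caller's source array being no larger than its destination; a one-line guard before the memcpy, `if (src_len > dst_len) src_len = dst_len;`, would make it safe on its own. The `str_padded_copy` macro bounds the strnlen with `sizeof(src)`, and two callers in tpm.c pass an expression cast to `unsigned char *` (`(unsigned char *)TPM2_MANUFACTURER_MAP[i][1]` and `(unsigned char*) &vendor`), so there `sizeof(src)` is the size of a pointer, not of the string, and the copied length is capped at pointer size (8 bytes on LP64) — the vendor string is built from four UINT32 values and is likely longer than that. The macro also expands `src` three times, so it must not be called with an argument that has side effects. The `LOGE("BILL...")` line is removed by the next patch in the series, so it is not raised here.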
@ -0,0 +1,30 @@
|
||||
From ad882c439cc6580837196bab5fd82599685d84e0 Mon Sep 17 00:00:00 2001
|
||||
From: Nicolas Iooss <nicolas.iooss@ledger.fr>
|
||||
Date: Thu, 20 May 2021 16:03:20 +0200
|
||||
Subject: [PATCH 3/6] utils: remove debug log message from str_padded_copy
|
||||
|
||||
Commit 9af101b54035 ("utils: fix stringop-overread in str_padded_copy")
|
||||
introduced a log message which is displayed every time the function
|
||||
`str_padded_copy` is used. This looks like a debug message used while
|
||||
working on the patch. Now that it is applied, remove the log message.
|
||||
|
||||
Signed-off-by: Nicolas Iooss <nicolas.iooss@ledger.fr>
|
||||
---
|
||||
src/lib/utils.h | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/src/lib/utils.h b/src/lib/utils.h
|
||||
index cf35746..983da06 100644
|
||||
--- a/src/lib/utils.h
|
||||
+++ b/src/lib/utils.h
|
||||
@@ -43,7 +43,6 @@ int str_to_ul(const char *val, size_t *res);
|
||||
static inline void _str_padded_copy(CK_UTF8CHAR_PTR dst, size_t dst_len, const CK_UTF8CHAR *src, size_t src_len) {
|
||||
memset(dst, ' ', dst_len);
|
||||
memcpy(dst, src, src_len);
|
||||
- LOGE("BILL(%zu): %.*s\n", dst_len, dst_len, dst);
|
||||
}
|
||||
|
||||
twist utils_hash_pass(const twist pin, const twist salt);
|
||||
--
|
||||
2.38.1
|
||||
|
@ -0,0 +1,188 @@
|
||||
From 5bf5d6c22b9461321cec9ddeaae5795a5465bb03 Mon Sep 17 00:00:00 2001
|
||||
From: Nicolas Iooss <nicolas.iooss@ledger.fr>
|
||||
Date: Thu, 23 Sep 2021 21:34:03 +0200
|
||||
Subject: [PATCH 4/6] tpm2_ptool: do not re-encode the signed data when
|
||||
importing a certificate
|
||||
|
||||
When using `tpm2_ptool addcert`, several users experienced issues
|
||||
because the signed data of the certificate was re-encoded when being
|
||||
added to the database. More precisely, the encoded certificate data is
|
||||
encoded using a BER encoder which encodes booleans using 1 of True (cf.
|
||||
https://github.com/etingof/pyasn1/blob/v0.4.8/pyasn1/codec/ber/encoder.py#L164
|
||||
). But in DER, the encoding of "True" is 0xff, and changing the signed
|
||||
data made the signature of the certificate no longer valid.
|
||||
|
||||
To fix this issue:
|
||||
|
||||
- Directly use the result of `pem.readPemFromFile(f)` in attribute
|
||||
`CKA_VALUE`: this is directly the encoded form of the certificate.
|
||||
- Remove `pyasn1.codec.ber`, as this encoder is no longer used.
|
||||
- Rename the DER decoder from `decoder` to `derdecoder` and the encoder
|
||||
from `derenc` to `derencoder`, to make the code easier to read.
|
||||
|
||||
While at it:
|
||||
|
||||
- Reindent the code to 4-space indentation
|
||||
- Use `hashlib.sha1(bercert).digest()` directly to compute a SHA1
|
||||
digest, instead of using `m.update()`.
|
||||
|
||||
Fixes: https://github.com/tpm2-software/tpm2-pkcs11/issues/700
|
||||
Signed-off-by: Nicolas Iooss <nicolas.iooss@ledger.fr>
|
||||
---
|
||||
tools/tpm2_pkcs11/utils.py | 126 ++++++++++++++++++-------------------
|
||||
1 file changed, 60 insertions(+), 66 deletions(-)
|
||||
|
||||
diff --git a/tools/tpm2_pkcs11/utils.py b/tools/tpm2_pkcs11/utils.py
|
||||
index b803f4c..91eab9a 100644
|
||||
--- a/tools/tpm2_pkcs11/utils.py
|
||||
+++ b/tools/tpm2_pkcs11/utils.py
|
||||
@@ -15,9 +15,7 @@ from cryptography.hazmat.primitives.asymmetric import (rsa, padding)
|
||||
from cryptography.hazmat.primitives import hashes
|
||||
|
||||
from pyasn1_modules import pem, rfc2459
|
||||
-from pyasn1.codec.der import decoder
|
||||
-from pyasn1.codec.ber import encoder as berenc
|
||||
-from pyasn1.codec.der import encoder as derenc
|
||||
+from pyasn1.codec.der import decoder as derdecoder, encoder as derencoder
|
||||
from pyasn1.type import namedtype, tag, univ
|
||||
|
||||
from .pkcs11t import * # noqa
|
||||
@@ -247,68 +245,64 @@ def asn1_format_ec_point_uncompressed(x, y):
|
||||
return s
|
||||
|
||||
def pemcert_to_attrs(certpath):
|
||||
- # rather than use pycryptography x509 parser, which gives native type access to certificate
|
||||
- # fields use pyASN1 to get raw ASN1 encoded values for the fields as the spec requires them
|
||||
- with open(certpath, "r") as f:
|
||||
- substrate = pem.readPemFromFile(f)
|
||||
- cert = decoder.decode(substrate, asn1Spec=rfc2459.Certificate())[0]
|
||||
-
|
||||
- c = cert['tbsCertificate']
|
||||
-
|
||||
- # print(cert.prettyPrint())
|
||||
-
|
||||
- h = binascii.hexlify
|
||||
- b = berenc.encode
|
||||
- d = derenc.encode
|
||||
-
|
||||
- bercert = b(cert)
|
||||
- hexbercert = h(bercert).decode()
|
||||
-
|
||||
- # the CKA_CHECKSUM attrs is the first 3 bytes of a sha1hash
|
||||
- m = hashlib.sha1()
|
||||
- m.update(bercert)
|
||||
- bercertchecksum = m.digest()[0:3]
|
||||
- hexbercertchecksum = h(bercertchecksum).decode()
|
||||
-
|
||||
- subj = c['subject']
|
||||
- hexsubj = h(d(str2bytes(subj))).decode()
|
||||
-
|
||||
- issuer = c['issuer']
|
||||
- hexissuer = h(d(str2bytes(issuer))).decode()
|
||||
-
|
||||
- serial = c['serialNumber']
|
||||
- hexserial = h(d(str2bytes(serial))).decode()
|
||||
-
|
||||
- return {
|
||||
- # The attrs of this attribute is derived by taking the first 3 bytes of the CKA_VALUE
|
||||
- # field.
|
||||
- CKA_CHECK_VALUE: hexbercertchecksum,
|
||||
- # Start date for the certificate (default empty)
|
||||
- CKA_START_DATE : "",
|
||||
- # End date for the certificate (default empty)
|
||||
- CKA_END_DATE : "",
|
||||
- # DER-encoding of the SubjectPublicKeyInfo for the public key
|
||||
- # contained in this certificate (default empty)
|
||||
- CKA_PUBLIC_KEY_INFO : "",
|
||||
- # DER encoded subject
|
||||
- CKA_SUBJECT : hexsubj,
|
||||
- # DER encoding of issuer
|
||||
- CKA_ISSUER : hexissuer,
|
||||
- # DER encoding of the cert serial
|
||||
- CKA_SERIAL_NUMBER : hexserial,
|
||||
- # BER encoding of the certificate
|
||||
- CKA_VALUE : hexbercert,
|
||||
- # RFC2279 string to URL where cert can be found, default empty
|
||||
- CKA_URL : '',
|
||||
- # hash of pub key subj, default empty
|
||||
- CKA_HASH_OF_SUBJECT_PUBLIC_KEY : '',
|
||||
- # Hash of pub key, default empty
|
||||
- CKA_HASH_OF_ISSUER_PUBLIC_KEY : '',
|
||||
- # Java security domain, default CK_SECURITY_DOMAIN_UNSPECIFIED
|
||||
- CKA_JAVA_MIDP_SECURITY_DOMAIN : CK_SECURITY_DOMAIN_UNSPECIFIED,
|
||||
- # Name hash algorithm, defaults to SHA1
|
||||
- CKA_NAME_HASH_ALGORITHM : CKM_SHA_1
|
||||
- }
|
||||
+ # rather than using pycryptography x509 parser, which gives native type access to certificate
|
||||
+ # fields use pyASN1 to get raw ASN1 encoded values for the fields as the spec requires them
|
||||
+ with open(certpath, "r") as f:
|
||||
+ bercert = pem.readPemFromFile(f)
|
||||
+
|
||||
+ cert = derdecoder.decode(bercert, asn1Spec=rfc2459.Certificate())[0]
|
||||
+ c = cert['tbsCertificate']
|
||||
+
|
||||
+ # print(cert.prettyPrint())
|
||||
+
|
||||
+ h = binascii.hexlify
|
||||
+ d = derencoder.encode
|
||||
+
|
||||
+ hexbercert = h(bercert).decode()
|
||||
+
|
||||
+ # the CKA_CHECKSUM attrs is the first 3 bytes of a sha1hash
|
||||
+ bercertchecksum = hashlib.sha1(bercert).digest()[0:3]
|
||||
+ hexbercertchecksum = h(bercertchecksum).decode()
|
||||
+
|
||||
+ subj = c['subject']
|
||||
+ hexsubj = h(d(str2bytes(subj))).decode()
|
||||
+
|
||||
+ issuer = c['issuer']
|
||||
+ hexissuer = h(d(str2bytes(issuer))).decode()
|
||||
+
|
||||
+ serial = c['serialNumber']
|
||||
+ hexserial = h(d(str2bytes(serial))).decode()
|
||||
+
|
||||
+ return {
|
||||
+ # The attrs of this attribute is derived by taking the first 3 bytes of the CKA_VALUE
|
||||
+ # field.
|
||||
+ CKA_CHECK_VALUE: hexbercertchecksum,
|
||||
+ # Start date for the certificate (default empty)
|
||||
+ CKA_START_DATE: "",
|
||||
+ # End date for the certificate (default empty)
|
||||
+ CKA_END_DATE: "",
|
||||
+ # DER-encoding of the SubjectPublicKeyInfo for the public key
|
||||
+ # contained in this certificate (default empty)
|
||||
+ CKA_PUBLIC_KEY_INFO: "",
|
||||
+ # DER encoded subject
|
||||
+ CKA_SUBJECT: hexsubj,
|
||||
+ # DER encoding of issuer
|
||||
+ CKA_ISSUER: hexissuer,
|
||||
+ # DER encoding of the cert serial
|
||||
+ CKA_SERIAL_NUMBER: hexserial,
|
||||
+ # BER encoding of the certificate
|
||||
+ CKA_VALUE: hexbercert,
|
||||
+ # RFC2279 string to URL where cert can be found, default empty
|
||||
+ CKA_URL: '',
|
||||
+ # hash of pub key subj, default empty
|
||||
+ CKA_HASH_OF_SUBJECT_PUBLIC_KEY: '',
|
||||
+ # Hash of pub key, default empty
|
||||
+ CKA_HASH_OF_ISSUER_PUBLIC_KEY: '',
|
||||
+ # Java security domain, default CK_SECURITY_DOMAIN_UNSPECIFIED
|
||||
+ CKA_JAVA_MIDP_SECURITY_DOMAIN: CK_SECURITY_DOMAIN_UNSPECIFIED,
|
||||
+ # Name hash algorithm, defaults to SHA1
|
||||
+ CKA_NAME_HASH_ALGORITHM: CKM_SHA_1
|
||||
+ }
|
||||
|
||||
def _pkcs11_to_str(value, prefix):
|
||||
|
||||
@@ -407,7 +401,7 @@ def asn1parse_tss_key(keypath):
|
||||
if len(substrate) == 0:
|
||||
sys.exit('Did not find key in tss key file: {}'.format(keypath))
|
||||
|
||||
- tss2_privkey, _ = decoder.decode(substrate, asn1Spec=TSSPrivKey())
|
||||
+ tss2_privkey, _ = derdecoder.decode(substrate, asn1Spec=TSSPrivKey())
|
||||
|
||||
return tss2_privkey
|
||||
|
||||
--
|
||||
2.38.1
|
||||
|
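Review bot: `pem.readPemFromFile(f)` on the new `bercert =` line presumably returns an empty substrate when the file holds no PEM block, and that now flows straight into `derdecoder.decode`, giving a pyasn1 substrate error instead of a clear message; `asn1parse_tss_key` in the same file (visible in the last hunk) guards exactly this with `if len(substrate) == 0: sys.exit(...)`, and the same check after the read would keep the two paths consistent. The `bercert` name and the `# BER encoding of the certificate` comment on `CKA_VALUE` are now misleading, since storing the file's DER bytes unchanged is the point of the fix; `# certificate bytes exactly as read from the PEM file (DER, not re-encoded)` would say so. The decoder's trailing remainder is discarded by `[0]`, so bytes after the certificate go unnoticed. The remaining hunk of this section (asn1parse_tss_key) is a rename only.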
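--- a/SOURCES/0005-db-fix-upgrade-backup.patch
+++ b/SOURCES/0005-db-fix-upgrade-backup.patch
@@ -0,0 +1,78 @@
+From 64b6bd89d0faad3274d0b224b1d1c92fcd397a62 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Hor=C3=A1=C4=8Dek?=
+<shoracek@redhat.com>
+Date: Wed, 2 Nov 2022 19:23:13 +0100
+Subject: [PATCH 5/6] db: fix upgrade backup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+During a failed upgrade, the original database was deleted and replaced
+with the upgraded one, making it impossible to revert the failed
+upgrade.
+
+This commit fixes this problem by keeping the old version of the
+database as a separate file for upgrades that finished successfully and
+keeping the original database for those that did not.
+
+Signed-off-by: Štěpán Horáček <shoracek@redhat.com>
+---
+tools/tpm2_pkcs11/db.py | 36 +++++++++++++++++++++---------------
+1 file changed, 21 insertions(+), 15 deletions(-)
+
+diff --git a/tools/tpm2_pkcs11/db.py b/tools/tpm2_pkcs11/db.py
+index 1b18b8f..d0a526b 100644
+--- a/tools/tpm2_pkcs11/db.py
++++ b/tools/tpm2_pkcs11/db.py
+@@ -454,27 +454,33 @@ class Db(object):
+REPLACE INTO schema (id, schema_version) VALUES (1, {version});
+'''.format(version=new_version))
+dbbakcon.execute(sql)
+- finally:
+- # Close the connections
+- self._conn.commit()
+- self._conn.close()
+-
++ except Exception as e:
++ # Close the connection to backup
+dbbakcon.commit()
+dbbakcon.close()
+
+- # move old db to ".old" suffix
+- olddbpath = self._path + ".old"
+- os.rename(self._path, olddbpath)
++ # unlink the backup
++ os.unlink(dbbakpath)
++
++ raise e
++
++ # Close the connections
++ self._conn.commit()
++ self._conn.close()
+
+- # move the backup to the normal dbpath
+- os.rename(dbbakpath, self._path)
++ dbbakcon.commit()
++ dbbakcon.close()
+
+- # unlink the old
+- os.unlink(olddbpath)
++ # move old db to ".old" suffix
++ olddbpath = self._path + ".old"
++ os.rename(self._path, olddbpath)
+
+- # re-establish a connection
+- self._conn = sqlite3.connect(self._path)
+- self._conn.row_factory = sqlite3.Row
++ # move the backup to the normal dbpath
++ os.rename(dbbakpath, self._path)
++
++ # re-establish a connection
++ self._conn = sqlite3.connect(self._path)
++ self._conn.row_factory = sqlite3.Row
+
+def _get_version(self):
+c = self._conn.cursor()
+--
+2.38.1
+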
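Review bot: `raise e` in the new `except Exception as e:` branch should be a bare `raise`, which re-raises the original exception with its traceback intact. Replacing `finally` with `except` also drops `self._conn.close()` on the failure path, so the connection to the original database stays open after a failed upgrade; closing it (without commit) in the except branch, or restoring a `finally` for it, fixes that. If `dbbakcon.commit()` or `dbbakcon.close()` raise inside the handler, `os.unlink(dbbakpath)` is skipped and the partial backup is left behind, and on the success path `os.rename(self._path, olddbpath)` silently replaces any `.old` file left by an earlier upgrade. The enclosing method starts outside the hunk.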
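--- a/SOURCES/0006-db-fix-upgrade-to-version-4.patch
+++ b/SOURCES/0006-db-fix-upgrade-to-version-4.patch
@@ -0,0 +1,37 @@
+From 1d28d6eee8c1b02a900810e6f1e4582e1c4381a5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Hor=C3=A1=C4=8Dek?=
+<shoracek@redhat.com>
+Date: Wed, 12 Oct 2022 15:50:33 +0200
+Subject: [PATCH 6/6] db: fix upgrade to version 4
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+During upgrade of the database from version 3 to version 4, parameter
+'persistent' was used, although everywhere else the opposite 'transient'
+is used. This causes KeyError: 'transient' when using the upgraded
+database.
+
+This commit fixes this by adding 'transient' during upgrade instead.
+
+Signed-off-by: Štěpán Horáček <shoracek@redhat.com>
+---
+tools/tpm2_pkcs11/db.py | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/tpm2_pkcs11/db.py b/tools/tpm2_pkcs11/db.py
+index d0a526b..01ab298 100644
+--- a/tools/tpm2_pkcs11/db.py
++++ b/tools/tpm2_pkcs11/db.py
+@@ -380,7 +380,7 @@ class Db(object):
+hexblob = bytes.hex(blob)
+
+config = {
+- 'persistent' : True,
++ 'transient': False,
+'esys-tr': hexblob
+}
+
+--
+2.38.1
+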
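Review bot: The fix changes only what the version 3 to 4 upgrade writes into `config`, so a database already upgraded by the earlier code still carries `'persistent': True` and no `'transient'` key, and the KeyError described in the message persists for it; the upgrade step presumably does not run again once the schema version is 4, so either a repair of existing rows or a reader that tolerates a missing `'transient'` seems needed. The patch description should state which databases are repaired by this change. The enclosing method starts and ends outside the hunk.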
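--- a/SOURCES/revert-require-py37.patch
+++ b/SOURCES/revert-require-py37.patch
@@ -0,0 +1,74 @@
+diff -Naur tpm2-pkcs11-1.3.2/ea5f1c078aff7fb09fb5fc78403d4f8c868c4ea6.patch tpm2-pkcs11-1.3.2a/ea5f1c078aff7fb09fb5fc78403d4f8c868c4ea6.patch
+--- tpm2-pkcs11-1.3.2/ea5f1c078aff7fb09fb5fc78403d4f8c868c4ea6.patch 1969-12-31 16:00:00.000000000 -0800
++++ tpm2-pkcs11-1.3.2a/ea5f1c078aff7fb09fb5fc78403d4f8c868c4ea6.patch 2021-03-23 15:26:46.043878215 -0700
+@@ -0,0 +1,43 @@
++From ea5f1c078aff7fb09fb5fc78403d4f8c868c4ea6 Mon Sep 17 00:00:00 2001
++From: William Roberts <william.c.roberts@intel.com>
++Date: Mon, 30 Dec 2019 14:10:14 -0600
++Subject: [PATCH] tpm2_ptool: require python3.7 for db upgrade
++
++SQLite3 bindings for python don't have the backup API implemented until
++Python 3.7. Make this the new minimum requirement for tpm2_ptool so
++we can use this feature.
++
++Signed-off-by: William Roberts <william.c.roberts@intel.com>
++---
++ tools/setup.py | 1 +
++ tools/tpm2_pkcs11/__init__.py | 6 +++---
++ 2 files changed, 4 insertions(+), 3 deletions(-)
++
++diff --git a/tools/setup.py b/tools/setup.py
++index 494f9edd..4490dc61 100644
++--- a/tools/setup.py
+++++ b/tools/setup.py
++@@ -9,6 +9,7 @@
++
++ setup(
++ name='tpm2-pkcs11-tools',
+++ python_requires='>=3.7',
++ long_description=long_description,
++ long_description_content_type='text/markdown',
++ version='1.33.7',
++diff --git a/tools/tpm2_pkcs11/__init__.py b/tools/tpm2_pkcs11/__init__.py
++index ed83ef52..1ed8b3af 100644
++--- a/tools/tpm2_pkcs11/__init__.py
+++++ b/tools/tpm2_pkcs11/__init__.py
++@@ -2,6 +2,6 @@
++
++ import sys
++
++-# Sunset python < 3 support
++-if sys.version_info[0] < 3:
++- sys.exit("Python 3 or a more recent version is required.")
++\ No newline at end of file
+++# Requires python 3.7 or greater
+++if (sys.version_info[0], sys.version_info[1]) < (3, 7):
+++ sys.exit("Python 3.7 or a more recent version is required.")
++\ No newline at end of file
+diff -Naur tpm2-pkcs11-1.3.2/tools/setup.py tpm2-pkcs11-1.3.2a/tools/setup.py
+--- tpm2-pkcs11-1.3.2/tools/setup.py 2020-08-10 07:31:22.000000000 -0700
++++ tpm2-pkcs11-1.3.2a/tools/setup.py 2021-03-23 15:27:01.160008742 -0700
+@@ -9,7 +9,6 @@
+
+setup(
+name='tpm2-pkcs11-tools',
+- python_requires='>=3.7',
+long_description=long_description,
+long_description_content_type='text/markdown',
+version='1.33.7',
+diff -Naur tpm2-pkcs11-1.3.2/tools/tpm2_pkcs11/__init__.py tpm2-pkcs11-1.3.2a/tools/tpm2_pkcs11/__init__.py
+--- tpm2-pkcs11-1.3.2/tools/tpm2_pkcs11/__init__.py 2020-08-09 06:46:13.000000000 -0700
++++ tpm2-pkcs11-1.3.2a/tools/tpm2_pkcs11/__init__.py 2021-03-23 15:27:01.161008751 -0700
+@@ -2,6 +2,6 @@
+
+import sys
+
+-# Requires python 3.7 or greater
+-if (sys.version_info[0], sys.version_info[1]) < (3, 7):
+- sys.exit("Python 3.7 or a more recent version is required.")
+\ No newline at end of file
++# Sunset python < 3 support
++if sys.version_info[0] < 3:
++ sys.exit("Python 3 or a more recent version is required.")
+\ No newline at end of file
+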
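Review bot: The first hunk of this patch creates `ea5f1c078aff7fb09fb5fc78403d4f8c868c4ea6.patch` as a new file inside the unpacked source tree (the `--- tpm2-pkcs11-1.3.2/ea5f...patch 1969-12-31` header), which looks like a leftover of how the revert was produced: the upstream commit being reverted is copied into the tree as a file while the two following hunks undo its changes. Dropping that hunk leaves the revert with only the `setup.py` and `__init__.py` changes it needs, and keeps a stray file out of the build tree. Since this patch has no description, a leading comment line would help the next maintainer, e.g. `Revert upstream ea5f1c07 (python_requires >= 3.7); the 3.7-only sqlite3 backup API is replaced by 0001-Backup-with-sqlite3-special-command.patch`.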
@ -1,100 +0,0 @@
|
||||
diff -urN tpm2-pkcs11-1.5.0/src/lib/ssl_util.c tpm2-pkcs11-1.5.0-fix/src/lib/ssl_util.c
|
||||
--- tpm2-pkcs11-1.5.0/src/lib/ssl_util.c 2020-11-03 17:36:45.000000000 -0700
|
||||
+++ tpm2-pkcs11-1.5.0-fix/src/lib/ssl_util.c 2021-05-26 10:17:23.723128758 -0700
|
||||
@@ -438,82 +438,29 @@
|
||||
return rv;
|
||||
}
|
||||
|
||||
-static CK_RV create_ecdsa_sig(CK_BYTE_PTR sig, CK_ULONG siglen, ECDSA_SIG **outsig) {
|
||||
-
|
||||
- if (siglen & 1) {
|
||||
- LOGE("Expected ECDSA signature length to be even, got : %lu",
|
||||
- siglen);
|
||||
- return CKR_SIGNATURE_LEN_RANGE;
|
||||
- }
|
||||
-
|
||||
- size_t len = siglen >> 1;
|
||||
-
|
||||
- unsigned char *rbuf = sig;
|
||||
- unsigned char *sbuf = &sig[len];
|
||||
-
|
||||
- BIGNUM *r = BN_bin2bn(rbuf, len, NULL);
|
||||
- if (!r) {
|
||||
- LOGE("Could not make bignum for r");
|
||||
- return CKR_GENERAL_ERROR;
|
||||
- }
|
||||
-
|
||||
- BIGNUM *s = BN_bin2bn(sbuf, len, NULL);
|
||||
- if (!s) {
|
||||
- LOGE("Could not make bignum for s");
|
||||
- BN_free(r);
|
||||
- return CKR_GENERAL_ERROR;
|
||||
- }
|
||||
-
|
||||
- ECDSA_SIG *ossl_sig = ECDSA_SIG_new();
|
||||
- if (!ossl_sig) {
|
||||
- LOGE("oom");
|
||||
- return CKR_HOST_MEMORY;
|
||||
- }
|
||||
-
|
||||
- int rc = ECDSA_SIG_set0(ossl_sig, r, s);
|
||||
- if (!rc) {
|
||||
- LOGE("Could not call ECDSA_SIG_set0");
|
||||
- ECDSA_SIG_free(ossl_sig);
|
||||
- return CKR_GENERAL_ERROR;
|
||||
- }
|
||||
-
|
||||
- *outsig = ossl_sig;
|
||||
-
|
||||
- return CKR_OK;
|
||||
-}
|
||||
-
|
||||
static CK_RV do_sig_verify_ec(EVP_PKEY *pkey,
|
||||
CK_BYTE_PTR digest, CK_ULONG digest_len,
|
||||
CK_BYTE_PTR signature, CK_ULONG signature_len) {
|
||||
|
||||
- EC_KEY *eckey = EVP_PKEY_get0_EC_KEY(pkey);
|
||||
- if (!eckey) {
|
||||
- LOGE("Expected EC Key");
|
||||
- return CKR_GENERAL_ERROR;
|
||||
- }
|
||||
+ int rc = CKR_OK;
|
||||
+ EVP_PKEY_CTX *pctx = NULL;
|
||||
|
||||
- /*
|
||||
- * OpenSSL expects ASN1 framed signatures, PKCS11 does flate
|
||||
- * R + S signatures, so convert it to ASN1 framing.
|
||||
- * See:
|
||||
- * https://github.com/tpm2-software/tpm2-pkcs11/issues/277
|
||||
- * For details.
|
||||
- */
|
||||
- ECDSA_SIG *ossl_sig = NULL;
|
||||
- CK_RV rv = create_ecdsa_sig(signature, signature_len, &ossl_sig);
|
||||
- if (rv != CKR_OK) {
|
||||
- return rv;
|
||||
+ if ((pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) {
|
||||
+ rc = CKR_HOST_MEMORY;
|
||||
+ goto fail;
|
||||
}
|
||||
|
||||
- int rc = ECDSA_do_verify(digest, digest_len, ossl_sig, eckey);
|
||||
- if (rc < 0) {
|
||||
- ECDSA_SIG_free(ossl_sig);
|
||||
- SSL_UTIL_LOGE("ECDSA_do_verify failed");
|
||||
- return CKR_GENERAL_ERROR;
|
||||
+ if (EVP_PKEY_verify_init(pctx) != 1 ||
|
||||
+ EVP_PKEY_verify(pctx, signature, signature_len,
|
||||
+ digest, digest_len) != 1) {
|
||||
+ rc = CKR_SIGNATURE_INVALID;
|
||||
+ goto fail;
|
||||
}
|
||||
- ECDSA_SIG_free(ossl_sig);
|
||||
|
||||
- return rc == 1 ? CKR_OK : CKR_SIGNATURE_INVALID;
|
||||
+fail:
|
||||
+ if (pctx)
|
||||
+ EVP_PKEY_CTX_free(pctx);
|
||||
+ return rc;
|
||||
}
|
||||
|
||||
CK_RV ssl_util_sig_verify(EVP_PKEY *pkey,
|
@ -1,16 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEEW0grjj4Z2nyXjh0BbeLpB44fUMEFAl+ysTkACgkQbeLpB44f
|
||||
UMGhSBAAx2FY2flB6vuetgdKoh4G85Zgq8+xsmjsTRoXT8/4tS8wPL64ESYo89pG
|
||||
mhVr4KBb5tNVwntA73aQ/ko82zPnVSTFW0nHODTICME1NRnAZQpUJ1emZtRQdnxL
|
||||
ByZPNx2ub41zepsorqABxYZlugVX4j9GRK7HpyC3OKxw51Cvua8Ciww1u2uSELlU
|
||||
JjUbhUXJICAYcn31hKYcASHsYB7fio2QrmjGG8ZHiz2Dh1hW1kn5ezsgUKUIMYxQ
|
||||
bFcPmWcZF1N9GD5PB/LxE0V25ZiRxXUCfG0YfYR6fWY2uIfIW4izcgLZJI07KGnM
|
||||
rkW1nnBvzRvKTm6JALHoqnycIyfXJFYY/eJtXT0Yom1HKXEFEc4r9w5lor2pu6HP
|
||||
oE6z0pwLPXpbGhoOQ7m5IY6xfCmYtnMeb6f0qrEayGO4B9nAR4GUr6lagVeFK2Af
|
||||
0cOh2lyu2zo7qvgJxEk3DxYruiO3ivLMxm6h5Bt6UgkS605qNYb3R22hFR8uq3em
|
||||
ospbRcoxOaaIvxkIwqFm45sWNJOtxj25p0uPKEMmKKiBIbXadjSKoPcTFf2ihla3
|
||||
bRdg5zs8Sph4PkiESjR9UebNXvTL1h/ZTsrpM2BjprC9a4Aqyx8K/FTOVWFcXOim
|
||||
L/pa8fqwfI72BdasPtB+J+afP+bFQ+lxnrGHuPLHB4MjfVdvzyQ=
|
||||
=V8As
|
||||
-----END PGP SIGNATURE-----
|
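--- a/SOURCES/tpm2-pkcs11-1.6.0.tar.gz.asc
+++ b/SOURCES/tpm2-pkcs11-1.6.0.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEW0grjj4Z2nyXjh0BbeLpB44fUMEFAmCQRvIACgkQbeLpB44f
+UMGsBw//UOD/t2rZ18jAZSmordwrvYdtFNYC4229IxTnxOtq7agnieJUFrR9HZ+R
+eWzc3AIxMDK0+BSja+WKpLE64YPde7ZMjS2kXDYCFhjzJy8cq33Sf87KvEuonXp+
+Bp4MBQ5B8T4TngqGTUvTvZfM+h1LQf+CeUzgjsRcJPIwmhGD4dkCB6P+H7IZzth8
+tsGlprJsoOz5JChm7mBEhyyz4Z4odLB8jXmnZxL0W9FpQ6cbAWcSSg+9t9qSck4g
+xXgmR9GE3ZlbGcjCO0Sbazf12n3kL6NDDPB4j3XvGLA0xezsyaEmV31LDFMu4WbG
+X2vLVDT2zj3AUmeiYxjcSpRV4GJ6B+tqAOz1QqtFEnWuAuSupsZ/N3K3jRdpcAl+
+hw/Cyzo7Vnwt5RhAGJ/Eek1QdrtKKBWoVspbKsxOgsSJt/09q3bl9qQj5BtVeYT1
+RQOP0XDLhMQKwFlCiSS6jUDf7v/0bIwMV0eJXKmMhKFoxkN88fAPNgDSCXUNFme6
+2hOeZMkCuAaMKfFwJsJOg/1efPmJnpjwFKpKj6b2cz6PLqxGn1D1tVJMKOsJy/ME
+rMN8dSrftl/CJda4hKhz/wvZDkyH7Vd3ev5Yqg11Dr4IQyfuy296jsUKcMo6pM9q
+bSHTwelbqnsUy03MoghU67Mc480G0E1xzu8rTtbFIPCTxLuCK1s=
+=g3T8
+-----END PGP SIGNATURE-----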
@ -1,51 +0,0 @@
|
||||
diff --git a/src/lib/slot.c b/src/lib/slot.c
|
||||
index b3c7c82..f0a4f2e 100644
|
||||
--- a/src/lib/slot.c
|
||||
+++ b/src/lib/slot.c
|
||||
@@ -120,7 +120,9 @@ CK_RV slot_get_info (CK_SLOT_ID slot_id, CK_SLOT_INFO *info) {
|
||||
}
|
||||
|
||||
str_padded_copy(info->manufacturerID, token_info.manufacturerID, sizeof(info->manufacturerID));
|
||||
- str_padded_copy(info->slotDescription, token_info.label, sizeof(info->slotDescription));
|
||||
+ size_t to_copy = sizeof (token_info.label);
|
||||
+ to_copy = (to_copy > sizeof (info->slotDescription)) ? sizeof (info->slotDescription) : to_copy;
|
||||
+ str_padded_copy(info->slotDescription, token_info.label, to_copy);
|
||||
|
||||
info->hardwareVersion = token_info.hardwareVersion;
|
||||
info->firmwareVersion = token_info.firmwareVersion;
|
||||
diff --git a/src/lib/tpm.c b/src/lib/tpm.c
|
||||
index 90fb3c3..1bce3ac 100644
|
||||
--- a/src/lib/tpm.c
|
||||
+++ b/src/lib/tpm.c
|
||||
@@ -732,7 +732,9 @@ CK_RV tpm_get_token_info (tpm_ctx *ctx, CK_TOKEN_INFO *info) {
|
||||
unsigned char manufacturerID[sizeof(UINT32)+1] = {0}; // 4 bytes + '\0' as temp storage
|
||||
UINT32 manufacturer = ntohl(tpmProperties[TPM2_PT_MANUFACTURER - TPM2_PT_FIXED].value);
|
||||
memcpy(manufacturerID, (unsigned char*) &manufacturer, sizeof(uint32_t));
|
||||
- str_padded_copy(info->manufacturerID, manufacturerID, sizeof(info->manufacturerID));
|
||||
+ size_t to_copy = sizeof (manufacturerID);
|
||||
+ to_copy = (to_copy > sizeof (info->manufacturerID)) ? sizeof (info->manufacturerID) : to_copy;
|
||||
+ str_padded_copy(info->manufacturerID, manufacturerID, to_copy);
|
||||
|
||||
// Map human readable Manufacturer String, if available,
|
||||
// otherwise 4 byte ID was already padded and will be used.
|
||||
diff --git a/test/unit/test_twist.c b/test/unit/test_twist.c
|
||||
index ec66f69..54ec883 100644
|
||||
--- a/test/unit/test_twist.c
|
||||
+++ b/test/unit/test_twist.c
|
||||
@@ -311,6 +311,8 @@ void test_twistbin_aappend_null_array(void **state) {
|
||||
}
|
||||
|
||||
void test_twistbin_aappend_twist_null(void **state) {
|
||||
+#pragma GCC diagnostic push
|
||||
+#pragma GCC diagnostic ignored "-Wstringop-overflow="
|
||||
(void) state;
|
||||
|
||||
twist expected = twist_new("foo");
|
||||
@@ -322,6 +324,7 @@ void test_twistbin_aappend_twist_null(void **state) {
|
||||
assert_ptr_equal((void * )actual, (void * )expected);
|
||||
|
||||
twist_free(actual);
|
||||
+#pragma GCC diagnostic pop
|
||||
}
|
||||
|
||||
void test_twistbin_create_null(void **state) {
|
@ -1,86 +0,0 @@
|
||||
From 78f4e2b47d02cb8215f252e77c68a81dfe4afa30 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?SZ=20Lin=20=28=E6=9E=97=E4=B8=8A=E6=99=BA=29?=
|
||||
<szlin@debian.org>
|
||||
Date: Fri, 22 Jan 2021 14:38:03 +0800
|
||||
Subject: [PATCH] Fix endian issue on s390x platform
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
7 tests from test_db.c used an int type for sqlite3_last_insert_rowid,
|
||||
which caused endian issue and test failed on s390 platform
|
||||
|
||||
Signed-off-by: SZ Lin (林上智) <szlin@debian.org>
|
||||
Link: https://buildd.debian.org/status/fetch.php?pkg=tpm2-pkcs11&arch=s390x&ver=1.5.0-3&stamp=1611234144&raw=0
|
||||
---
|
||||
test/unit/test_db.c | 14 +++++++-------
|
||||
1 file changed, 7 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/test/unit/test_db.c b/test/unit/test_db.c
|
||||
index 7f11a487..d490d02f 100644
|
||||
--- a/test/unit/test_db.c
|
||||
+++ b/test/unit/test_db.c
|
||||
@@ -2503,7 +2503,7 @@ static void test_db_add_token_sqlite3_finalize_fail(void **state) {
|
||||
{ .rc = SQLITE_OK }, /* sqlite3_bind_text */
|
||||
{ .rc = SQLITE_OK }, /* sqlite3_bind_text */
|
||||
{ .rc = SQLITE_DONE }, /* sqlite3_step */
|
||||
- { .rc = 42 }, /* sqlite3_last_insert_rowid*/
|
||||
+ { .u64 = 42 }, /* sqlite3_last_insert_rowid*/
|
||||
{ .rc = SQLITE_ERROR }, /* sqlite3_finalize */
|
||||
{ .rc = SQLITE_OK }, /* TRANSACTION_END */
|
||||
{ .rc = SQLITE_OK }, /* sqlite3_finalize */
|
||||
@@ -2544,7 +2544,7 @@ static void test_db_add_token_sqlite3_prepare_v2_2_fail(void **state) {
|
||||
{ .rc = SQLITE_OK }, /* sqlite3_bind_text */
|
||||
{ .rc = SQLITE_OK }, /* sqlite3_bind_text */
|
||||
{ .rc = SQLITE_DONE }, /* sqlite3_step */
|
||||
- { .rc = 42 }, /* sqlite3_last_insert_rowid*/
|
||||
+ { .u64 = 42 }, /* sqlite3_last_insert_rowid*/
|
||||
{ .rc = SQLITE_OK }, /* sqlite3_finalize */
|
||||
{ .rc = SQLITE_ERROR }, /* sqlite3_prepare_v2 */
|
||||
{ .rc = SQLITE_OK }, /* TRANSACTION_END */
|
||||
@@ -2586,7 +2586,7 @@ static void test_db_add_token_sqlite3_bind_int_2_fail(void **state) {
|
||||
{ .rc = SQLITE_OK }, /* sqlite3_bind_text */
|
||||
{ .rc = SQLITE_OK }, /* sqlite3_bind_text */
|
||||
{ .rc = SQLITE_DONE }, /* sqlite3_step */
|
||||
- { .rc = 42 }, /* sqlite3_last_insert_rowid*/
|
||||
+ { .u64 = 42 }, /* sqlite3_last_insert_rowid*/
|
||||
{ .rc = SQLITE_OK }, /* sqlite3_finalize */
|
||||
{ .rc = SQLITE_OK }, /* sqlite3_prepare_v2 */
|
||||
{ .rc = SQLITE_ERROR }, /* sqlite3_bind_int */
|
||||
@@ -2631,7 +2631,7 @@ static void test_db_add_token_sqlite3_bind_text_3_fail(void **state) {
|
||||
{ .rc = SQLITE_OK }, /* sqlite3_bind_text */
|
||||
{ .rc = SQLITE_OK }, /* sqlite3_bind_text */
|
||||
{ .rc = SQLITE_DONE }, /* sqlite3_step */
|
||||
- { .rc = 42 }, /* sqlite3_last_insert_rowid*/
|
||||
+ { .u64 = 42 }, /* sqlite3_last_insert_rowid*/
|
||||
{ .rc = SQLITE_OK }, /* sqlite3_finalize */
|
||||
{ .rc = SQLITE_OK }, /* sqlite3_prepare_v2 */
|
||||
{ .rc = SQLITE_OK }, /* sqlite3_bind_int */
|
||||
@@ -2687,7 +2687,7 @@ static void test_db_add_token_sqlite3_bind_blob_1_fail(void **state) {
|
||||
{ .rc = SQLITE_OK }, /* sqlite3_bind_text */
|
||||
{ .rc = SQLITE_OK }, /* sqlite3_bind_text */
|
||||
{ .rc = SQLITE_DONE }, /* sqlite3_step */
|
||||
- { .rc = 42 }, /* sqlite3_last_insert_rowid*/
|
||||
+ { .u64 = 42 }, /* sqlite3_last_insert_rowid*/
|
||||
{ .rc = SQLITE_OK }, /* sqlite3_finalize */
|
||||
{ .rc = SQLITE_OK }, /* sqlite3_prepare_v2 */
|
||||
{ .rc = SQLITE_OK }, /* sqlite3_bind_int */
|
||||
@@ -2746,7 +2746,7 @@ static void test_db_add_token_sqlite3_bind_blob_2_fail(void **state) {
|
||||
{ .rc = SQLITE_OK }, /* sqlite3_bind_text */
|
||||
{ .rc = SQLITE_OK }, /* sqlite3_bind_text */
|
||||
{ .rc = SQLITE_DONE }, /* sqlite3_step */
|
||||
- { .rc = 42 }, /* sqlite3_last_insert_rowid*/
|
||||
+ { .u64 = 42 }, /* sqlite3_last_insert_rowid*/
|
||||
{ .rc = SQLITE_OK }, /* sqlite3_finalize */
|
||||
{ .rc = SQLITE_OK }, /* sqlite3_prepare_v2 */
|
||||
{ .rc = SQLITE_OK }, /* sqlite3_bind_int */
|
||||
@@ -2807,7 +2807,7 @@ static void test_db_add_token_sqlite3_step_2_fail(void **state) {
|
||||
{ .rc = SQLITE_OK }, /* sqlite3_bind_text */
|
||||
{ .rc = SQLITE_OK }, /* sqlite3_bind_text */
|
||||
{ .rc = SQLITE_DONE }, /* sqlite3_step */
|
||||
- { .rc = 42 }, /* sqlite3_last_insert_rowid*/
|
||||
+ { .u64 = 42 }, /* sqlite3_last_insert_rowid*/
|
||||
{ .rc = SQLITE_OK }, /* sqlite3_finalize */
|
||||
{ .rc = SQLITE_OK }, /* sqlite3_prepare_v2 */
|
||||
{ .rc = SQLITE_OK }, /* sqlite3_bind_int */
|
||||
|
@ -6,8 +6,8 @@
|
||||
#global candidate RC0
|
||||
|
||||
Name: tpm2-pkcs11
|
||||
Version: 1.5.0
|
||||
Release: 9%{?candidate:.%{candidate}}%{?dist}
|
||||
Version: 1.6.0
|
||||
Release: 1%{?candidate:.%{candidate}}%{?dist}
|
||||
Summary: PKCS#11 interface for TPM 2.0 hardware
|
||||
|
||||
License: BSD
|
||||
@ -16,11 +16,19 @@ Source0: https://github.com/tpm2-software/%{name}/releases/download/%{version}%{
|
||||
Source1: https://github.com/tpm2-software/%{name}/releases/download/%{version}%{?candidate:-%{candidate}}/%{name}-%{version}%{?candidate:-%{candidate}}.tar.gz.asc
|
||||
# William Roberts (Bill Roberts) key from pgp.mit.edu
|
||||
Source2: gpgkey-8E1F50C1.gpg
|
||||
Patch0: tpm2-pkcs11-gcc11.patch
|
||||
# https://github.com/tpm2-software/tpm2-pkcs11/commit/78f4e2b47d02cb8215f252e77c68a81dfe4afa30
|
||||
Patch1: tpm2-pkcs11-s390x.patch
|
||||
Patch2: tpm2-pkcs11-1.5.0-openssl3.patch
|
||||
# Revert of ea5f1c078aff7fb09fb5fc78403d4f8c868c4ea6 to build on EPEL 8
|
||||
Patch0: revert-require-py37.patch
|
||||
Patch1: 0001-Backup-with-sqlite3-special-command.patch
|
||||
Patch2: 0002-utils-fix-stringop-overread-in-str_padded_copy.patch
|
||||
Patch3: 0003-utils-remove-debug-log-message-from-str_padded_copy.patch
|
||||
Patch4: 0004-tpm2_ptool-do-not-re-encode-the-signed-data-when-imp.patch
|
||||
Patch5: 0005-db-fix-upgrade-backup.patch
|
||||
Patch6: 0006-db-fix-upgrade-to-version-4.patch
|
||||
|
||||
|
||||
BuildRequires: autoconf-archive
|
||||
BuildRequires: automake
|
||||
BuildRequires: libtool
|
||||
BuildRequires: gcc
|
||||
BuildRequires: make
|
||||
BuildRequires: python3
|
||||
@ -52,9 +60,11 @@ as the cryptographic token.
|
||||
%package tools
|
||||
Summary: The tools required to setup and configure TPM2 for PKCS#11
|
||||
# Automatic generator does not work for me even though the requires.txt is in place
|
||||
Requires: tpm2-tools
|
||||
Requires: python3-cryptography
|
||||
Requires: python3-pyyaml
|
||||
Requires: python3-pyasn1-modules
|
||||
Requires: sqlite
|
||||
|
||||
%description tools
|
||||
The tools required to setup and configure TPM2 for PKCS#11.
|
||||
@ -65,7 +75,7 @@ gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
|
||||
|
||||
|
||||
%build
|
||||
%configure --enable-unit CFLAGS="%{optflags} -Wno-error=deprecated-declarations"
|
||||
%configure --enable-unit
|
||||
%{make_build}
|
||||
cd tools
|
||||
%py3_build
|
||||
@ -103,41 +113,12 @@ cd tools
|
||||
|
||||
|
||||
%changelog
|
||||
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1.5.0-9
|
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||
Related: rhbz#1991688
|
||||
* Wed Nov 16 2022 Štěpán Horáček <shoracek@redhat.com> - 1.6.0-1
|
||||
- Update to 1.6.0 for RHEL 8
|
||||
Resolves: rhbz#1896871
|
||||
|
||||
* Fri Jul 02 2021 Jerry Snitselaar <jsnitsel@redhat.com> - 1.5.0-8
|
||||
- Fix product version for gating
|
||||
Resolves: rhbz#1972907
|
||||
|
||||
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.5.0-7
|
||||
- Rebuilt for RHEL 9 BETA for openssl 3.0
|
||||
Related: rhbz#1971065
|
||||
|
||||
* Wed May 19 2021 Jerry Snitselaar <jsnitsel@redhat.com> - 1.5.0-6
|
||||
- Work around for openssl 3.0 update. Related: rhbz#1958030
|
||||
|
||||
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.5.0-5
|
||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||
|
||||
* Mon Feb 01 2021 Jakub Jelen <jjelen@redhat.com> - 1.5.0-4}
|
||||
- Unbreak the build on s390x (#1923383)
|
||||
|
||||
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.5.0-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||
|
||||
* Mon Dec 07 2020 Jeff Law <law@redhat.com> - 1.5.0-2
|
||||
- Avoid stringop-overflow diagnostic in testsuite
|
||||
|
||||
* Wed Nov 18 2020 Jakub Jelen <jjelen@redhat.com> - 1.5.0-1
|
||||
- New upstream release
|
||||
|
||||
* Tue Sep 15 2020 Jeff Law <law@redhat.com> - 1.4.0-2
|
||||
- Fix two source over-reads detected by gcc-11
|
||||
|
||||
* Mon Aug 24 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 1.4.0-1
|
||||
- Update to 1.4.0
|
||||
* Tue Mar 23 2021 Davide Cavalca <dcavalca@fedoraproject.org> - 1.3.2-2
|
||||
- Revert python 3.7 requirement commit to allow building on EPEL 8
|
||||
|
||||
* Mon Aug 10 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 1.3.2-1
|
||||
- Update to 1.3.2
|
||||
@ -203,5 +184,3 @@ Resolves: rhbz#1972907
|
||||
|
||||
* Tue Feb 19 2019 Jakub Jelen <jjelen@redhat.com> - 0-0.1.20190219git836d715
|
||||
- Initial release for Fedora
|
||||
|
||||
|
||||
|
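Review bot: The new `Requires: sqlite` line in the tools subpackage carries no comment saying what needs the sqlite command-line client, while the neighbouring `Requires:` lines are at least covered by the generator remark above them. The dependency presumably exists because Patch1 (`0001-Backup-with-sqlite3-special-command.patch`, listed earlier in this section) performs the token database backup by invoking the `sqlite3` binary rather than a Python API, so the line must not be dropped independently of that patch. I would add `# sqlite3 CLI is invoked by Patch1 for the token DB backup (0001-Backup-with-sqlite3-special-command.patch)` directly above `Requires: sqlite`. The 1.6.0-1 changelog entry could also name the added Patch0–Patch6 so the rebase of the downstream patch set stays traceable. The spec's file header is not shown in this view, so the section's start is inferred from its first hunk.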