rpms/tpm2-pkcs11
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

base: rpms:c9-beta
Branches Tags
rpms:c9-beta
rpms:c10s
rpms:c8s
rpms:c8
rpms:c8-beta
rpms:c9
rpms:c9s
rpms:imports/c10s/tpm2-pkcs11-1.9.0-7.el10
rpms:imports/c10s/tpm2-pkcs11-1.9.0-6.el10
rpms:imports/c8/tpm2-pkcs11-1.6.0-1.el8
rpms:imports/c8-beta/tpm2-pkcs11-1.6.0-1.el8
rpms:imports/c8s/tpm2-pkcs11-1.6.0-1.el8
rpms:imports/c9/tpm2-pkcs11-1.5.0-9.el9
rpms:imports/c9-beta/tpm2-pkcs11-1.5.0-9.el9
..
compare: rpms:imports/c8-beta/tpm2-pkcs11-1.6.0-1.el8
Branches Tags
rpms:c10s
rpms:c8s
rpms:c8
rpms:c8-beta
rpms:c9
rpms:c9-beta
rpms:c9s
rpms:imports/c10s/tpm2-pkcs11-1.9.0-7.el10
rpms:imports/c10s/tpm2-pkcs11-1.9.0-6.el10
rpms:imports/c8/tpm2-pkcs11-1.6.0-1.el8
rpms:imports/c8-beta/tpm2-pkcs11-1.6.0-1.el8
rpms:imports/c8s/tpm2-pkcs11-1.6.0-1.el8
rpms:imports/c9/tpm2-pkcs11-1.5.0-9.el9
rpms:imports/c9-beta/tpm2-pkcs11-1.5.0-9.el9

No commits in common. "c9-beta" and "imports/c8-beta/tpm2-pkcs11-1.6.0-1.el8" have entirely different histories.
c9-beta ... imports/c8

15 changed files with 648 additions and 298 deletions
Show Stats Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/gpgkey-8E1F50C1.gpg SOURCES/gpgkey-8E1F50C1.gpg
SOURCES/tpm2-pkcs11-1.5.0.tar.gz SOURCES/tpm2-pkcs11-1.6.0.tar.gz

2
.tpm2-pkcs11.metadata
View File

@ -1,2 +1,2 @@
46f82c0fdf30219e0d95c6e9291bbc708b315080 SOURCES/gpgkey-8E1F50C1.gpg 46f82c0fdf30219e0d95c6e9291bbc708b315080 SOURCES/gpgkey-8E1F50C1.gpg
9d4ad805203f0f063772f0c737bed949dfff52bd SOURCES/tpm2-pkcs11-1.5.0.tar.gz 80b9b8b11f1469e22682acb710a052ed396a43da SOURCES/tpm2-pkcs11-1.6.0.tar.gz

43
SOURCES/0001-Backup-with-sqlite3-special-command.patch Normal file
View File

@ -0,0 +1,43 @@
From fc21b98dced2c78f90f917c1a45a28184024d604 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Hor=C3=A1=C4=8Dek?=
<shoracek@redhat.com>
Date: Tue, 6 Sep 2022 16:54:33 +0200
Subject: [PATCH 1/6] Backup with sqlite3 special command
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Upstream uses method introduced in Python 3.7, but RHEL 8 uses
Python 3.6. This means that the method is not available and using the
command line interface seems to be the simplest solution.
Signed-off-by: Štěpán Horáček <shoracek@redhat.com>
---
tools/tpm2_pkcs11/db.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tools/tpm2_pkcs11/db.py b/tools/tpm2_pkcs11/db.py
index 7971028..1b18b8f 100644
--- a/tools/tpm2_pkcs11/db.py
+++ b/tools/tpm2_pkcs11/db.py
@@ -6,6 +6,7 @@ import sys
import sqlite3
import textwrap
import yaml
+import subprocess
from .pkcs11t import (
CKA_ALLOWED_MECHANISMS,
@@ -258,8 +259,8 @@ class Db(object):
if os.path.exists(dbpath):
raise RuntimeError("Backup DB exists at {} not overwriting. "
"Refusing to run".format(dbpath))
+ subprocess.run(["sqlite3", self._path, ".backup {}".format(dbpath)])
bck = sqlite3.connect(dbpath)
- con.backup(bck)
return (bck, dbpath)
def _update_on_2(self, dbbakcon):
--
2.38.1

158
SOURCES/0002-utils-fix-stringop-overread-in-str_padded_copy.patch Normal file
View File

@ -0,0 +1,158 @@
From f633526b34c052514f3739cb1e08fdac38603eea Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Wed, 5 May 2021 11:52:23 -0500
Subject: [PATCH 2/6] utils: fix stringop-overread in str_padded_copy
cc1: all warnings being treated as errors
| make: *** [Makefile:1953: src/lib/slot.lo] Error 1
| make: *** Waiting for unfinished jobs....
| In file included from src/lib/mutex.h:10,
| from src/lib/session_ctx.h:6,
| from src/lib/digest.h:13,
| from src/lib/tpm.c:28:
| In function 'str_padded_copy',
| inlined from 'tpm_get_token_info' at src/lib/tpm.c:742:5:
| src/lib/utils.h:42:5: error: 'strnlen' specified bound 32 exceeds source size 5 [-Werror=stringop-overread]
| 42 | memcpy(dst, src, strnlen((char *)(src), dst_len));
| | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| src/lib/utils.h: In function 'tpm_get_token_info':
| src/lib/tpm.c:739:19: note: source object declared here
| 739 | unsigned char manufacturerID[sizeof(UINT32)+1] = {0}; // 4 bytes + '\0' as temp storage
| | ^~~~~~~~~~~~~~
| cc1: all warnings being treated as errors
| make: *** [Makefile:1953: src/lib/tpm.lo] Error 1
| WARNING: exit code 1 from a shell command.
Fixes #676
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
src/lib/general.c | 8 ++++----
src/lib/general.h | 2 +-
src/lib/slot.c | 4 ++--
src/lib/token.c | 4 ++--
src/lib/tpm.c | 7 +++----
src/lib/utils.h | 6 ++++--
6 files changed, 16 insertions(+), 15 deletions(-)
diff --git a/src/lib/general.c b/src/lib/general.c
index 9b7327c..eaddaf8 100644
--- a/src/lib/general.c
+++ b/src/lib/general.c
@@ -19,8 +19,8 @@
#define VERSION "UNKNOWN"
#endif
-#define LIBRARY_DESCRIPTION (CK_UTF8CHAR_PTR)"TPM2.0 Cryptoki"
-#define LIBRARY_MANUFACTURER (CK_UTF8CHAR_PTR)"tpm2-software.github.io"
+static const CK_UTF8CHAR LIBRARY_DESCRIPTION[] = "TPM2.0 Cryptoki";
+static const CK_UTF8CHAR LIBRARY_MANUFACTURER[] = "tpm2-software.github.io";
#define CRYPTOKI_VERSION { \
.major = CRYPTOKI_VERSION_MAJOR, \
@@ -78,8 +78,8 @@ CK_RV general_get_info(CK_INFO *info) {
static CK_INFO *_info = NULL;
if (!_info) {
- str_padded_copy(_info_.manufacturerID, LIBRARY_MANUFACTURER, sizeof(_info_.manufacturerID));
- str_padded_copy(_info_.libraryDescription, LIBRARY_DESCRIPTION, sizeof(_info_.libraryDescription));
+ str_padded_copy(_info_.manufacturerID, LIBRARY_MANUFACTURER);
+ str_padded_copy(_info_.libraryDescription, LIBRARY_DESCRIPTION);
parse_lib_version(&_info_.libraryVersion.major,
&_info_.libraryVersion.minor);
diff --git a/src/lib/general.h b/src/lib/general.h
index 14a18e4..356c142 100644
--- a/src/lib/general.h
+++ b/src/lib/general.h
@@ -10,7 +10,7 @@
#define TPM2_TOKEN_LABEL "TPM2 PKCS#11 Token"
#define TPM2_TOKEN_MANUFACTURER "Intel"
#define TPM2_TOKEN_MODEL "TPM2 PKCS#11"
-#define TPM2_TOKEN_SERIAL_NUMBER "0000000000000000"
+static const CK_UTF8CHAR TPM2_TOKEN_SERIAL_NUMBER[] = "0000000000000000";
#define TPM2_TOKEN_HW_VERSION { 0, 0 }
#define TPM2_TOKEN_FW_VERSION { 0, 0 }
diff --git a/src/lib/slot.c b/src/lib/slot.c
index 548d22b..6db5bb9 100644
--- a/src/lib/slot.c
+++ b/src/lib/slot.c
@@ -119,8 +119,8 @@ CK_RV slot_get_info (CK_SLOT_ID slot_id, CK_SLOT_INFO *info) {
return CKR_GENERAL_ERROR;
}
- str_padded_copy(info->manufacturerID, token_info.manufacturerID, sizeof(info->manufacturerID));
- str_padded_copy(info->slotDescription, token_info.label, sizeof(info->slotDescription));
+ str_padded_copy(info->manufacturerID, token_info.manufacturerID);
+ str_padded_copy(info->slotDescription, token_info.label);
info->hardwareVersion = token_info.hardwareVersion;
info->firmwareVersion = token_info.firmwareVersion;
diff --git a/src/lib/token.c b/src/lib/token.c
index 6d7ebd2..c721129 100644
--- a/src/lib/token.c
+++ b/src/lib/token.c
@@ -317,8 +317,8 @@ CK_RV token_get_info (token *t, CK_TOKEN_INFO *info) {
}
// Identification
- str_padded_copy(info->label, t->label, sizeof(info->label));
- str_padded_copy(info->serialNumber, (unsigned char*) TPM2_TOKEN_SERIAL_NUMBER, sizeof(info->serialNumber));
+ str_padded_copy(info->label, t->label);
+ str_padded_copy(info->serialNumber, TPM2_TOKEN_SERIAL_NUMBER);
// Memory: TODO not sure what memory values should go here, the platform?
diff --git a/src/lib/tpm.c b/src/lib/tpm.c
index 1639df4..7f9f052 100644
--- a/src/lib/tpm.c
+++ b/src/lib/tpm.c
@@ -740,15 +740,14 @@ CK_RV tpm_get_token_info (tpm_ctx *ctx, CK_TOKEN_INFO *info) {
unsigned char manufacturerID[sizeof(UINT32)+1] = {0}; // 4 bytes + '\0' as temp storage
UINT32 manufacturer = ntohl(tpmProperties[TPM2_PT_MANUFACTURER - TPM2_PT_FIXED].value);
memcpy(manufacturerID, (unsigned char*) &manufacturer, sizeof(uint32_t));
- str_padded_copy(info->manufacturerID, manufacturerID, sizeof(info->manufacturerID));
+ str_padded_copy(info->manufacturerID, manufacturerID);
// Map human readable Manufacturer String, if available,
// otherwise 4 byte ID was already padded and will be used.
for (unsigned int i=0; i < ARRAY_LEN(TPM2_MANUFACTURER_MAP); i++){
if (!strncasecmp((char *)info->manufacturerID, TPM2_MANUFACTURER_MAP[i][0], 4)) {
str_padded_copy(info->manufacturerID,
- (unsigned char *)TPM2_MANUFACTURER_MAP[i][1],
- sizeof(info->manufacturerID));
+ (unsigned char *)TPM2_MANUFACTURER_MAP[i][1]);
}
}
@@ -758,7 +757,7 @@ CK_RV tpm_get_token_info (tpm_ctx *ctx, CK_TOKEN_INFO *info) {
vendor[1] = ntohl(tpmProperties[TPM2_PT_VENDOR_STRING_2 - TPM2_PT_FIXED].value);
vendor[2] = ntohl(tpmProperties[TPM2_PT_VENDOR_STRING_3 - TPM2_PT_FIXED].value);
vendor[3] = ntohl(tpmProperties[TPM2_PT_VENDOR_STRING_4 - TPM2_PT_FIXED].value);
- str_padded_copy(info->model, (unsigned char*) &vendor, sizeof(info->model));
+ str_padded_copy(info->model, (unsigned char*) &vendor);
return CKR_OK;
}
diff --git a/src/lib/utils.h b/src/lib/utils.h
index 81c61fa..cf35746 100644
--- a/src/lib/utils.h
+++ b/src/lib/utils.h
@@ -39,9 +39,11 @@
int str_to_ul(const char *val, size_t *res);
-static inline void str_padded_copy(CK_UTF8CHAR_PTR dst, const CK_UTF8CHAR_PTR src, size_t dst_len) {
+#define str_padded_copy(dst, src) _str_padded_copy(dst, sizeof(dst), src, strnlen((const char *)src, sizeof(src)))
+static inline void _str_padded_copy(CK_UTF8CHAR_PTR dst, size_t dst_len, const CK_UTF8CHAR *src, size_t src_len) {
memset(dst, ' ', dst_len);
- memcpy(dst, src, strnlen((char *)(src), dst_len));
+ memcpy(dst, src, src_len);
+ LOGE("BILL(%zu): %.*s\n", dst_len, dst_len, dst);
}
twist utils_hash_pass(const twist pin, const twist salt);
--
2.38.1

30
SOURCES/0003-utils-remove-debug-log-message-from-str_padded_copy.patch Normal file
View File

@ -0,0 +1,30 @@
From ad882c439cc6580837196bab5fd82599685d84e0 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss <nicolas.iooss@ledger.fr>
Date: Thu, 20 May 2021 16:03:20 +0200
Subject: [PATCH 3/6] utils: remove debug log message from str_padded_copy
Commit 9af101b54035 ("utils: fix stringop-overread in str_padded_copy")
introduced a log message which is displayed every time the function
`str_padded_copy` is used. This looks like a debug message used while
working on the patch. Now that it is applied, remove the log message.
Signed-off-by: Nicolas Iooss <nicolas.iooss@ledger.fr>
---
src/lib/utils.h | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/lib/utils.h b/src/lib/utils.h
index cf35746..983da06 100644
--- a/src/lib/utils.h
+++ b/src/lib/utils.h
@@ -43,7 +43,6 @@ int str_to_ul(const char *val, size_t *res);
static inline void _str_padded_copy(CK_UTF8CHAR_PTR dst, size_t dst_len, const CK_UTF8CHAR *src, size_t src_len) {
memset(dst, ' ', dst_len);
memcpy(dst, src, src_len);
- LOGE("BILL(%zu): %.*s\n", dst_len, dst_len, dst);
}
twist utils_hash_pass(const twist pin, const twist salt);
--
2.38.1

188
SOURCES/0004-tpm2_ptool-do-not-re-encode-the-signed-data-when-imp.patch Normal file
View File

@ -0,0 +1,188 @@
From 5bf5d6c22b9461321cec9ddeaae5795a5465bb03 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss <nicolas.iooss@ledger.fr>
Date: Thu, 23 Sep 2021 21:34:03 +0200
Subject: [PATCH 4/6] tpm2_ptool: do not re-encode the signed data when
importing a certificate
When using `tpm2_ptool addcert`, several users experienced issues
because the signed data of the certificate was re-encoded when being
added to the database. More precisely, the encoded certificate data is
encoded using a BER encoder which encodes booleans using 1 of True (cf.
https://github.com/etingof/pyasn1/blob/v0.4.8/pyasn1/codec/ber/encoder.py#L164
). But in DER, the encoding of "True" is 0xff, and changing the signed
data made the signature of the certificate no longer valid.
To fix this issue:
- Directly use the result of `pem.readPemFromFile(f)` in attribute
`CKA_VALUE`: this is directly the encoded form of the certificate.
- Remove `pyasn1.codec.ber`, as this encoder is no longer used.
- Rename the DER decoder from `decoder` to `derdecoder` and the encoder
from `derenc` to `derencoder`, to make the code easier to read.
While at it:
- Reindent the code to 4-space indentation
- Use `hashlib.sha1(bercert).digest()` directly to compute a SHA1
digest, instead of using `m.update()`.
Fixes: https://github.com/tpm2-software/tpm2-pkcs11/issues/700
Signed-off-by: Nicolas Iooss <nicolas.iooss@ledger.fr>
---
tools/tpm2_pkcs11/utils.py | 126 ++++++++++++++++++-------------------
1 file changed, 60 insertions(+), 66 deletions(-)
diff --git a/tools/tpm2_pkcs11/utils.py b/tools/tpm2_pkcs11/utils.py
index b803f4c..91eab9a 100644
--- a/tools/tpm2_pkcs11/utils.py
+++ b/tools/tpm2_pkcs11/utils.py
@@ -15,9 +15,7 @@ from cryptography.hazmat.primitives.asymmetric import (rsa, padding)
from cryptography.hazmat.primitives import hashes
from pyasn1_modules import pem, rfc2459
-from pyasn1.codec.der import decoder
-from pyasn1.codec.ber import encoder as berenc
-from pyasn1.codec.der import encoder as derenc
+from pyasn1.codec.der import decoder as derdecoder, encoder as derencoder
from pyasn1.type import namedtype, tag, univ
from .pkcs11t import * # noqa
@@ -247,68 +245,64 @@ def asn1_format_ec_point_uncompressed(x, y):
return s
def pemcert_to_attrs(certpath):
- # rather than use pycryptography x509 parser, which gives native type access to certificate
- # fields use pyASN1 to get raw ASN1 encoded values for the fields as the spec requires them
- with open(certpath, "r") as f:
- substrate = pem.readPemFromFile(f)
- cert = decoder.decode(substrate, asn1Spec=rfc2459.Certificate())[0]
-
- c = cert['tbsCertificate']
-
- # print(cert.prettyPrint())
-
- h = binascii.hexlify
- b = berenc.encode
- d = derenc.encode
-
- bercert = b(cert)
- hexbercert = h(bercert).decode()
-
- # the CKA_CHECKSUM attrs is the first 3 bytes of a sha1hash
- m = hashlib.sha1()
- m.update(bercert)
- bercertchecksum = m.digest()[0:3]
- hexbercertchecksum = h(bercertchecksum).decode()
-
- subj = c['subject']
- hexsubj = h(d(str2bytes(subj))).decode()
-
- issuer = c['issuer']
- hexissuer = h(d(str2bytes(issuer))).decode()
-
- serial = c['serialNumber']
- hexserial = h(d(str2bytes(serial))).decode()
-
- return {
- # The attrs of this attribute is derived by taking the first 3 bytes of the CKA_VALUE
- # field.
- CKA_CHECK_VALUE: hexbercertchecksum,
- # Start date for the certificate (default empty)
- CKA_START_DATE : "",
- # End date for the certificate (default empty)
- CKA_END_DATE : "",
- # DER-encoding of the SubjectPublicKeyInfo for the public key
- # contained in this certificate (default empty)
- CKA_PUBLIC_KEY_INFO : "",
- # DER encoded subject
- CKA_SUBJECT : hexsubj,
- # DER encoding of issuer
- CKA_ISSUER : hexissuer,
- # DER encoding of the cert serial
- CKA_SERIAL_NUMBER : hexserial,
- # BER encoding of the certificate
- CKA_VALUE : hexbercert,
- # RFC2279 string to URL where cert can be found, default empty
- CKA_URL : '',
- # hash of pub key subj, default empty
- CKA_HASH_OF_SUBJECT_PUBLIC_KEY : '',
- # Hash of pub key, default empty
- CKA_HASH_OF_ISSUER_PUBLIC_KEY : '',
- # Java security domain, default CK_SECURITY_DOMAIN_UNSPECIFIED
- CKA_JAVA_MIDP_SECURITY_DOMAIN : CK_SECURITY_DOMAIN_UNSPECIFIED,
- # Name hash algorithm, defaults to SHA1
- CKA_NAME_HASH_ALGORITHM : CKM_SHA_1
- }
+ # rather than using pycryptography x509 parser, which gives native type access to certificate
+ # fields use pyASN1 to get raw ASN1 encoded values for the fields as the spec requires them
+ with open(certpath, "r") as f:
+ bercert = pem.readPemFromFile(f)
+
+ cert = derdecoder.decode(bercert, asn1Spec=rfc2459.Certificate())[0]
+ c = cert['tbsCertificate']
+
+ # print(cert.prettyPrint())
+
+ h = binascii.hexlify
+ d = derencoder.encode
+
+ hexbercert = h(bercert).decode()
+
+ # the CKA_CHECKSUM attrs is the first 3 bytes of a sha1hash
+ bercertchecksum = hashlib.sha1(bercert).digest()[0:3]
+ hexbercertchecksum = h(bercertchecksum).decode()
+
+ subj = c['subject']
+ hexsubj = h(d(str2bytes(subj))).decode()
+
+ issuer = c['issuer']
+ hexissuer = h(d(str2bytes(issuer))).decode()
+
+ serial = c['serialNumber']
+ hexserial = h(d(str2bytes(serial))).decode()
+
+ return {
+ # The attrs of this attribute is derived by taking the first 3 bytes of the CKA_VALUE
+ # field.
+ CKA_CHECK_VALUE: hexbercertchecksum,
+ # Start date for the certificate (default empty)
+ CKA_START_DATE: "",
+ # End date for the certificate (default empty)
+ CKA_END_DATE: "",
+ # DER-encoding of the SubjectPublicKeyInfo for the public key
+ # contained in this certificate (default empty)
+ CKA_PUBLIC_KEY_INFO: "",
+ # DER encoded subject
+ CKA_SUBJECT: hexsubj,
+ # DER encoding of issuer
+ CKA_ISSUER: hexissuer,
+ # DER encoding of the cert serial
+ CKA_SERIAL_NUMBER: hexserial,
+ # BER encoding of the certificate
+ CKA_VALUE: hexbercert,
+ # RFC2279 string to URL where cert can be found, default empty
+ CKA_URL: '',
+ # hash of pub key subj, default empty
+ CKA_HASH_OF_SUBJECT_PUBLIC_KEY: '',
+ # Hash of pub key, default empty
+ CKA_HASH_OF_ISSUER_PUBLIC_KEY: '',
+ # Java security domain, default CK_SECURITY_DOMAIN_UNSPECIFIED
+ CKA_JAVA_MIDP_SECURITY_DOMAIN: CK_SECURITY_DOMAIN_UNSPECIFIED,
+ # Name hash algorithm, defaults to SHA1
+ CKA_NAME_HASH_ALGORITHM: CKM_SHA_1
+ }
def _pkcs11_to_str(value, prefix):
@@ -407,7 +401,7 @@ def asn1parse_tss_key(keypath):
if len(substrate) == 0:
sys.exit('Did not find key in tss key file: {}'.format(keypath))
- tss2_privkey, _ = decoder.decode(substrate, asn1Spec=TSSPrivKey())
+ tss2_privkey, _ = derdecoder.decode(substrate, asn1Spec=TSSPrivKey())
return tss2_privkey
--
2.38.1

78
SOURCES/0005-db-fix-upgrade-backup.patch Normal file
View File

@ -0,0 +1,78 @@
From 64b6bd89d0faad3274d0b224b1d1c92fcd397a62 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Hor=C3=A1=C4=8Dek?=
<shoracek@redhat.com>
Date: Wed, 2 Nov 2022 19:23:13 +0100
Subject: [PATCH 5/6] db: fix upgrade backup
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
During a failed upgrade, the original database was deleted and replaced
with the upgraded one, making it impossible to revert the failed
upgrade.
This commit fixes this problem by keeping the old version of the
database as a separate file for upgrades that finished successfully and
keeping the original database for those that did not.
Signed-off-by: Štěpán Horáček <shoracek@redhat.com>
---
tools/tpm2_pkcs11/db.py | 36 +++++++++++++++++++++---------------
1 file changed, 21 insertions(+), 15 deletions(-)
diff --git a/tools/tpm2_pkcs11/db.py b/tools/tpm2_pkcs11/db.py
index 1b18b8f..d0a526b 100644
--- a/tools/tpm2_pkcs11/db.py
+++ b/tools/tpm2_pkcs11/db.py
@@ -454,27 +454,33 @@ class Db(object):
REPLACE INTO schema (id, schema_version) VALUES (1, {version});
'''.format(version=new_version))
dbbakcon.execute(sql)
- finally:
- # Close the connections
- self._conn.commit()
- self._conn.close()
-
+ except Exception as e:
+ # Close the connection to backup
dbbakcon.commit()
dbbakcon.close()
- # move old db to ".old" suffix
- olddbpath = self._path + ".old"
- os.rename(self._path, olddbpath)
+ # unlink the backup
+ os.unlink(dbbakpath)
+
+ raise e
+
+ # Close the connections
+ self._conn.commit()
+ self._conn.close()
- # move the backup to the normal dbpath
- os.rename(dbbakpath, self._path)
+ dbbakcon.commit()
+ dbbakcon.close()
- # unlink the old
- os.unlink(olddbpath)
+ # move old db to ".old" suffix
+ olddbpath = self._path + ".old"
+ os.rename(self._path, olddbpath)
- # re-establish a connection
- self._conn = sqlite3.connect(self._path)
- self._conn.row_factory = sqlite3.Row
+ # move the backup to the normal dbpath
+ os.rename(dbbakpath, self._path)
+
+ # re-establish a connection
+ self._conn = sqlite3.connect(self._path)
+ self._conn.row_factory = sqlite3.Row
def _get_version(self):
c = self._conn.cursor()
--
2.38.1

37
SOURCES/0006-db-fix-upgrade-to-version-4.patch Normal file
View File

@ -0,0 +1,37 @@
From 1d28d6eee8c1b02a900810e6f1e4582e1c4381a5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Hor=C3=A1=C4=8Dek?=
<shoracek@redhat.com>
Date: Wed, 12 Oct 2022 15:50:33 +0200
Subject: [PATCH 6/6] db: fix upgrade to version 4
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
During upgrade of the database from version 3 to version 4, parameter
'persistent' was used, although everywhere else the opposite 'transient'
is used. This causes KeyError: 'transient' when using the upgraded
database.
This commit fixes this by adding 'transient' during upgrade instead.
Signed-off-by: Štěpán Horáček <shoracek@redhat.com>
---
tools/tpm2_pkcs11/db.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/tpm2_pkcs11/db.py b/tools/tpm2_pkcs11/db.py
index d0a526b..01ab298 100644
--- a/tools/tpm2_pkcs11/db.py
+++ b/tools/tpm2_pkcs11/db.py
@@ -380,7 +380,7 @@ class Db(object):
hexblob = bytes.hex(blob)
config = {
- 'persistent' : True,
+ 'transient': False,
'esys-tr': hexblob
}
--
2.38.1

74
SOURCES/revert-require-py37.patch Normal file
View File

@ -0,0 +1,74 @@
diff -Naur tpm2-pkcs11-1.3.2/ea5f1c078aff7fb09fb5fc78403d4f8c868c4ea6.patch tpm2-pkcs11-1.3.2a/ea5f1c078aff7fb09fb5fc78403d4f8c868c4ea6.patch
--- tpm2-pkcs11-1.3.2/ea5f1c078aff7fb09fb5fc78403d4f8c868c4ea6.patch 1969-12-31 16:00:00.000000000 -0800
+++ tpm2-pkcs11-1.3.2a/ea5f1c078aff7fb09fb5fc78403d4f8c868c4ea6.patch 2021-03-23 15:26:46.043878215 -0700
@@ -0,0 +1,43 @@
+From ea5f1c078aff7fb09fb5fc78403d4f8c868c4ea6 Mon Sep 17 00:00:00 2001
+From: William Roberts <william.c.roberts@intel.com>
+Date: Mon, 30 Dec 2019 14:10:14 -0600
+Subject: [PATCH] tpm2_ptool: require python3.7 for db upgrade
+
+SQLite3 bindings for python don't have the backup API implemented until
+Python 3.7. Make this the new minimum requirement for tpm2_ptool so
+we can use this feature.
+
+Signed-off-by: William Roberts <william.c.roberts@intel.com>
+---
+ tools/setup.py | 1 +
+ tools/tpm2_pkcs11/__init__.py | 6 +++---
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/tools/setup.py b/tools/setup.py
+index 494f9edd..4490dc61 100644
+--- a/tools/setup.py
++++ b/tools/setup.py
+@@ -9,6 +9,7 @@
+
+ setup(
+ name='tpm2-pkcs11-tools',
++ python_requires='>=3.7',
+ long_description=long_description,
+ long_description_content_type='text/markdown',
+ version='1.33.7',
+diff --git a/tools/tpm2_pkcs11/__init__.py b/tools/tpm2_pkcs11/__init__.py
+index ed83ef52..1ed8b3af 100644
+--- a/tools/tpm2_pkcs11/__init__.py
++++ b/tools/tpm2_pkcs11/__init__.py
+@@ -2,6 +2,6 @@
+
+ import sys
+
+-# Sunset python < 3 support
+-if sys.version_info[0] < 3:
+- sys.exit("Python 3 or a more recent version is required.")
+\ No newline at end of file
++# Requires python 3.7 or greater
++if (sys.version_info[0], sys.version_info[1]) < (3, 7):
++ sys.exit("Python 3.7 or a more recent version is required.")
+\ No newline at end of file
diff -Naur tpm2-pkcs11-1.3.2/tools/setup.py tpm2-pkcs11-1.3.2a/tools/setup.py
--- tpm2-pkcs11-1.3.2/tools/setup.py 2020-08-10 07:31:22.000000000 -0700
+++ tpm2-pkcs11-1.3.2a/tools/setup.py 2021-03-23 15:27:01.160008742 -0700
@@ -9,7 +9,6 @@
setup(
name='tpm2-pkcs11-tools',
- python_requires='>=3.7',
long_description=long_description,
long_description_content_type='text/markdown',
version='1.33.7',
diff -Naur tpm2-pkcs11-1.3.2/tools/tpm2_pkcs11/__init__.py tpm2-pkcs11-1.3.2a/tools/tpm2_pkcs11/__init__.py
--- tpm2-pkcs11-1.3.2/tools/tpm2_pkcs11/__init__.py 2020-08-09 06:46:13.000000000 -0700
+++ tpm2-pkcs11-1.3.2a/tools/tpm2_pkcs11/__init__.py 2021-03-23 15:27:01.161008751 -0700
@@ -2,6 +2,6 @@
import sys
-# Requires python 3.7 or greater
-if (sys.version_info[0], sys.version_info[1]) < (3, 7):
- sys.exit("Python 3.7 or a more recent version is required.")
\ No newline at end of file
+# Sunset python < 3 support
+if sys.version_info[0] < 3:
+ sys.exit("Python 3 or a more recent version is required.")
\ No newline at end of file

100
SOURCES/tpm2-pkcs11-1.5.0-openssl3.patch
View File

@ -1,100 +0,0 @@
diff -urN tpm2-pkcs11-1.5.0/src/lib/ssl_util.c tpm2-pkcs11-1.5.0-fix/src/lib/ssl_util.c
--- tpm2-pkcs11-1.5.0/src/lib/ssl_util.c 2020-11-03 17:36:45.000000000 -0700
+++ tpm2-pkcs11-1.5.0-fix/src/lib/ssl_util.c 2021-05-26 10:17:23.723128758 -0700
@@ -438,82 +438,29 @@
return rv;
}
-static CK_RV create_ecdsa_sig(CK_BYTE_PTR sig, CK_ULONG siglen, ECDSA_SIG **outsig) {
-
- if (siglen & 1) {
- LOGE("Expected ECDSA signature length to be even, got : %lu",
- siglen);
- return CKR_SIGNATURE_LEN_RANGE;
- }
-
- size_t len = siglen >> 1;
-
- unsigned char *rbuf = sig;
- unsigned char *sbuf = &sig[len];
-
- BIGNUM *r = BN_bin2bn(rbuf, len, NULL);
- if (!r) {
- LOGE("Could not make bignum for r");
- return CKR_GENERAL_ERROR;
- }
-
- BIGNUM *s = BN_bin2bn(sbuf, len, NULL);
- if (!s) {
- LOGE("Could not make bignum for s");
- BN_free(r);
- return CKR_GENERAL_ERROR;
- }
-
- ECDSA_SIG *ossl_sig = ECDSA_SIG_new();
- if (!ossl_sig) {
- LOGE("oom");
- return CKR_HOST_MEMORY;
- }
-
- int rc = ECDSA_SIG_set0(ossl_sig, r, s);
- if (!rc) {
- LOGE("Could not call ECDSA_SIG_set0");
- ECDSA_SIG_free(ossl_sig);
- return CKR_GENERAL_ERROR;
- }
-
- *outsig = ossl_sig;
-
- return CKR_OK;
-}
-
static CK_RV do_sig_verify_ec(EVP_PKEY *pkey,
CK_BYTE_PTR digest, CK_ULONG digest_len,
CK_BYTE_PTR signature, CK_ULONG signature_len) {
- EC_KEY *eckey = EVP_PKEY_get0_EC_KEY(pkey);
- if (!eckey) {
- LOGE("Expected EC Key");
- return CKR_GENERAL_ERROR;
- }
+ int rc = CKR_OK;
+ EVP_PKEY_CTX *pctx = NULL;
- /*
- * OpenSSL expects ASN1 framed signatures, PKCS11 does flate
- * R + S signatures, so convert it to ASN1 framing.
- * See:
- * https://github.com/tpm2-software/tpm2-pkcs11/issues/277
- * For details.
- */
- ECDSA_SIG *ossl_sig = NULL;
- CK_RV rv = create_ecdsa_sig(signature, signature_len, &ossl_sig);
- if (rv != CKR_OK) {
- return rv;
+ if ((pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) {
+ rc = CKR_HOST_MEMORY;
+ goto fail;
}
- int rc = ECDSA_do_verify(digest, digest_len, ossl_sig, eckey);
- if (rc < 0) {
- ECDSA_SIG_free(ossl_sig);
- SSL_UTIL_LOGE("ECDSA_do_verify failed");
- return CKR_GENERAL_ERROR;
+ if (EVP_PKEY_verify_init(pctx) != 1 ||
+ EVP_PKEY_verify(pctx, signature, signature_len,
+ digest, digest_len) != 1) {
+ rc = CKR_SIGNATURE_INVALID;
+ goto fail;
}
- ECDSA_SIG_free(ossl_sig);
- return rc == 1 ? CKR_OK : CKR_SIGNATURE_INVALID;
+fail:
+ if (pctx)
+ EVP_PKEY_CTX_free(pctx);
+ return rc;
}
CK_RV ssl_util_sig_verify(EVP_PKEY *pkey,

16
SOURCES/tpm2-pkcs11-1.5.0.tar.gz.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEW0grjj4Z2nyXjh0BbeLpB44fUMEFAl+ysTkACgkQbeLpB44f
UMGhSBAAx2FY2flB6vuetgdKoh4G85Zgq8+xsmjsTRoXT8/4tS8wPL64ESYo89pG
mhVr4KBb5tNVwntA73aQ/ko82zPnVSTFW0nHODTICME1NRnAZQpUJ1emZtRQdnxL
ByZPNx2ub41zepsorqABxYZlugVX4j9GRK7HpyC3OKxw51Cvua8Ciww1u2uSELlU
JjUbhUXJICAYcn31hKYcASHsYB7fio2QrmjGG8ZHiz2Dh1hW1kn5ezsgUKUIMYxQ
bFcPmWcZF1N9GD5PB/LxE0V25ZiRxXUCfG0YfYR6fWY2uIfIW4izcgLZJI07KGnM
rkW1nnBvzRvKTm6JALHoqnycIyfXJFYY/eJtXT0Yom1HKXEFEc4r9w5lor2pu6HP
oE6z0pwLPXpbGhoOQ7m5IY6xfCmYtnMeb6f0qrEayGO4B9nAR4GUr6lagVeFK2Af
0cOh2lyu2zo7qvgJxEk3DxYruiO3ivLMxm6h5Bt6UgkS605qNYb3R22hFR8uq3em
ospbRcoxOaaIvxkIwqFm45sWNJOtxj25p0uPKEMmKKiBIbXadjSKoPcTFf2ihla3
bRdg5zs8Sph4PkiESjR9UebNXvTL1h/ZTsrpM2BjprC9a4Aqyx8K/FTOVWFcXOim
L/pa8fqwfI72BdasPtB+J+afP+bFQ+lxnrGHuPLHB4MjfVdvzyQ=
=V8As
-----END PGP SIGNATURE-----

16
SOURCES/tpm2-pkcs11-1.6.0.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEW0grjj4Z2nyXjh0BbeLpB44fUMEFAmCQRvIACgkQbeLpB44f
UMGsBw//UOD/t2rZ18jAZSmordwrvYdtFNYC4229IxTnxOtq7agnieJUFrR9HZ+R
eWzc3AIxMDK0+BSja+WKpLE64YPde7ZMjS2kXDYCFhjzJy8cq33Sf87KvEuonXp+
Bp4MBQ5B8T4TngqGTUvTvZfM+h1LQf+CeUzgjsRcJPIwmhGD4dkCB6P+H7IZzth8
tsGlprJsoOz5JChm7mBEhyyz4Z4odLB8jXmnZxL0W9FpQ6cbAWcSSg+9t9qSck4g
xXgmR9GE3ZlbGcjCO0Sbazf12n3kL6NDDPB4j3XvGLA0xezsyaEmV31LDFMu4WbG
X2vLVDT2zj3AUmeiYxjcSpRV4GJ6B+tqAOz1QqtFEnWuAuSupsZ/N3K3jRdpcAl+
hw/Cyzo7Vnwt5RhAGJ/Eek1QdrtKKBWoVspbKsxOgsSJt/09q3bl9qQj5BtVeYT1
RQOP0XDLhMQKwFlCiSS6jUDf7v/0bIwMV0eJXKmMhKFoxkN88fAPNgDSCXUNFme6
2hOeZMkCuAaMKfFwJsJOg/1efPmJnpjwFKpKj6b2cz6PLqxGn1D1tVJMKOsJy/ME
rMN8dSrftl/CJda4hKhz/wvZDkyH7Vd3ev5Yqg11Dr4IQyfuy296jsUKcMo6pM9q
bSHTwelbqnsUy03MoghU67Mc480G0E1xzu8rTtbFIPCTxLuCK1s=
=g3T8
-----END PGP SIGNATURE-----

51
SOURCES/tpm2-pkcs11-gcc11.patch
View File

@ -1,51 +0,0 @@
diff --git a/src/lib/slot.c b/src/lib/slot.c
index b3c7c82..f0a4f2e 100644
--- a/src/lib/slot.c
+++ b/src/lib/slot.c
@@ -120,7 +120,9 @@ CK_RV slot_get_info (CK_SLOT_ID slot_id, CK_SLOT_INFO *info) {
}
str_padded_copy(info->manufacturerID, token_info.manufacturerID, sizeof(info->manufacturerID));
- str_padded_copy(info->slotDescription, token_info.label, sizeof(info->slotDescription));
+ size_t to_copy = sizeof (token_info.label);
+ to_copy = (to_copy > sizeof (info->slotDescription)) ? sizeof (info->slotDescription) : to_copy;
+ str_padded_copy(info->slotDescription, token_info.label, to_copy);
info->hardwareVersion = token_info.hardwareVersion;
info->firmwareVersion = token_info.firmwareVersion;
diff --git a/src/lib/tpm.c b/src/lib/tpm.c
index 90fb3c3..1bce3ac 100644
--- a/src/lib/tpm.c
+++ b/src/lib/tpm.c
@@ -732,7 +732,9 @@ CK_RV tpm_get_token_info (tpm_ctx *ctx, CK_TOKEN_INFO *info) {
unsigned char manufacturerID[sizeof(UINT32)+1] = {0}; // 4 bytes + '\0' as temp storage
UINT32 manufacturer = ntohl(tpmProperties[TPM2_PT_MANUFACTURER - TPM2_PT_FIXED].value);
memcpy(manufacturerID, (unsigned char*) &manufacturer, sizeof(uint32_t));
- str_padded_copy(info->manufacturerID, manufacturerID, sizeof(info->manufacturerID));
+ size_t to_copy = sizeof (manufacturerID);
+ to_copy = (to_copy > sizeof (info->manufacturerID)) ? sizeof (info->manufacturerID) : to_copy;
+ str_padded_copy(info->manufacturerID, manufacturerID, to_copy);
// Map human readable Manufacturer String, if available,
// otherwise 4 byte ID was already padded and will be used.
diff --git a/test/unit/test_twist.c b/test/unit/test_twist.c
index ec66f69..54ec883 100644
--- a/test/unit/test_twist.c
+++ b/test/unit/test_twist.c
@@ -311,6 +311,8 @@ void test_twistbin_aappend_null_array(void **state) {
}
void test_twistbin_aappend_twist_null(void **state) {
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wstringop-overflow="
(void) state;
twist expected = twist_new("foo");
@@ -322,6 +324,7 @@ void test_twistbin_aappend_twist_null(void **state) {
assert_ptr_equal((void * )actual, (void * )expected);
twist_free(actual);
+#pragma GCC diagnostic pop
}
void test_twistbin_create_null(void **state) {

86
SOURCES/tpm2-pkcs11-s390x.patch
View File

@ -1,86 +0,0 @@
From 78f4e2b47d02cb8215f252e77c68a81dfe4afa30 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?SZ=20Lin=20=28=E6=9E=97=E4=B8=8A=E6=99=BA=29?=
<szlin@debian.org>
Date: Fri, 22 Jan 2021 14:38:03 +0800
Subject: [PATCH] Fix endian issue on s390x platform
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
7 tests from test_db.c used an int type for sqlite3_last_insert_rowid,
which caused endian issue and test failed on s390 platform
Signed-off-by: SZ Lin (林上智) <szlin@debian.org>
Link: https://buildd.debian.org/status/fetch.php?pkg=tpm2-pkcs11&arch=s390x&ver=1.5.0-3&stamp=1611234144&raw=0
---
test/unit/test_db.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/test/unit/test_db.c b/test/unit/test_db.c
index 7f11a487..d490d02f 100644
--- a/test/unit/test_db.c
+++ b/test/unit/test_db.c
@@ -2503,7 +2503,7 @@ static void test_db_add_token_sqlite3_finalize_fail(void **state) {
{ .rc = SQLITE_OK }, /* sqlite3_bind_text */
{ .rc = SQLITE_OK }, /* sqlite3_bind_text */
{ .rc = SQLITE_DONE }, /* sqlite3_step */
- { .rc = 42 }, /* sqlite3_last_insert_rowid*/
+ { .u64 = 42 }, /* sqlite3_last_insert_rowid*/
{ .rc = SQLITE_ERROR }, /* sqlite3_finalize */
{ .rc = SQLITE_OK }, /* TRANSACTION_END */
{ .rc = SQLITE_OK }, /* sqlite3_finalize */
@@ -2544,7 +2544,7 @@ static void test_db_add_token_sqlite3_prepare_v2_2_fail(void **state) {
{ .rc = SQLITE_OK }, /* sqlite3_bind_text */
{ .rc = SQLITE_OK }, /* sqlite3_bind_text */
{ .rc = SQLITE_DONE }, /* sqlite3_step */
- { .rc = 42 }, /* sqlite3_last_insert_rowid*/
+ { .u64 = 42 }, /* sqlite3_last_insert_rowid*/
{ .rc = SQLITE_OK }, /* sqlite3_finalize */
{ .rc = SQLITE_ERROR }, /* sqlite3_prepare_v2 */
{ .rc = SQLITE_OK }, /* TRANSACTION_END */
@@ -2586,7 +2586,7 @@ static void test_db_add_token_sqlite3_bind_int_2_fail(void **state) {
{ .rc = SQLITE_OK }, /* sqlite3_bind_text */
{ .rc = SQLITE_OK }, /* sqlite3_bind_text */
{ .rc = SQLITE_DONE }, /* sqlite3_step */
- { .rc = 42 }, /* sqlite3_last_insert_rowid*/
+ { .u64 = 42 }, /* sqlite3_last_insert_rowid*/
{ .rc = SQLITE_OK }, /* sqlite3_finalize */
{ .rc = SQLITE_OK }, /* sqlite3_prepare_v2 */
{ .rc = SQLITE_ERROR }, /* sqlite3_bind_int */
@@ -2631,7 +2631,7 @@ static void test_db_add_token_sqlite3_bind_text_3_fail(void **state) {
{ .rc = SQLITE_OK }, /* sqlite3_bind_text */
{ .rc = SQLITE_OK }, /* sqlite3_bind_text */
{ .rc = SQLITE_DONE }, /* sqlite3_step */
- { .rc = 42 }, /* sqlite3_last_insert_rowid*/
+ { .u64 = 42 }, /* sqlite3_last_insert_rowid*/
{ .rc = SQLITE_OK }, /* sqlite3_finalize */
{ .rc = SQLITE_OK }, /* sqlite3_prepare_v2 */
{ .rc = SQLITE_OK }, /* sqlite3_bind_int */
@@ -2687,7 +2687,7 @@ static void test_db_add_token_sqlite3_bind_blob_1_fail(void **state) {
{ .rc = SQLITE_OK }, /* sqlite3_bind_text */
{ .rc = SQLITE_OK }, /* sqlite3_bind_text */
{ .rc = SQLITE_DONE }, /* sqlite3_step */
- { .rc = 42 }, /* sqlite3_last_insert_rowid*/
+ { .u64 = 42 }, /* sqlite3_last_insert_rowid*/
{ .rc = SQLITE_OK }, /* sqlite3_finalize */
{ .rc = SQLITE_OK }, /* sqlite3_prepare_v2 */
{ .rc = SQLITE_OK }, /* sqlite3_bind_int */
@@ -2746,7 +2746,7 @@ static void test_db_add_token_sqlite3_bind_blob_2_fail(void **state) {
{ .rc = SQLITE_OK }, /* sqlite3_bind_text */
{ .rc = SQLITE_OK }, /* sqlite3_bind_text */
{ .rc = SQLITE_DONE }, /* sqlite3_step */
- { .rc = 42 }, /* sqlite3_last_insert_rowid*/
+ { .u64 = 42 }, /* sqlite3_last_insert_rowid*/
{ .rc = SQLITE_OK }, /* sqlite3_finalize */
{ .rc = SQLITE_OK }, /* sqlite3_prepare_v2 */
{ .rc = SQLITE_OK }, /* sqlite3_bind_int */
@@ -2807,7 +2807,7 @@ static void test_db_add_token_sqlite3_step_2_fail(void **state) {
{ .rc = SQLITE_OK }, /* sqlite3_bind_text */
{ .rc = SQLITE_OK }, /* sqlite3_bind_text */
{ .rc = SQLITE_DONE }, /* sqlite3_step */
- { .rc = 42 }, /* sqlite3_last_insert_rowid*/
+ { .u64 = 42 }, /* sqlite3_last_insert_rowid*/
{ .rc = SQLITE_OK }, /* sqlite3_finalize */
{ .rc = SQLITE_OK }, /* sqlite3_prepare_v2 */
{ .rc = SQLITE_OK }, /* sqlite3_bind_int */

65
SPECS/tpm2-pkcs11.spec
View File

@ -6,8 +6,8 @@
#global candidate RC0 #global candidate RC0
Name: tpm2-pkcs11 Name: tpm2-pkcs11
Version: 1.5.0 Version: 1.6.0
Release: 9%{?candidate:.%{candidate}}%{?dist} Release: 1%{?candidate:.%{candidate}}%{?dist}
Summary: PKCS#11 interface for TPM 2.0 hardware Summary: PKCS#11 interface for TPM 2.0 hardware
License: BSD License: BSD
@ -16,11 +16,19 @@ Source0: https://github.com/tpm2-software/%{name}/releases/download/%{version}%{
Source1: https://github.com/tpm2-software/%{name}/releases/download/%{version}%{?candidate:-%{candidate}}/%{name}-%{version}%{?candidate:-%{candidate}}.tar.gz.asc Source1: https://github.com/tpm2-software/%{name}/releases/download/%{version}%{?candidate:-%{candidate}}/%{name}-%{version}%{?candidate:-%{candidate}}.tar.gz.asc
# William Roberts (Bill Roberts) key from pgp.mit.edu # William Roberts (Bill Roberts) key from pgp.mit.edu
Source2: gpgkey-8E1F50C1.gpg Source2: gpgkey-8E1F50C1.gpg
Patch0: tpm2-pkcs11-gcc11.patch # Revert of ea5f1c078aff7fb09fb5fc78403d4f8c868c4ea6 to build on EPEL 8
# https://github.com/tpm2-software/tpm2-pkcs11/commit/78f4e2b47d02cb8215f252e77c68a81dfe4afa30 Patch0: revert-require-py37.patch
Patch1: tpm2-pkcs11-s390x.patch Patch1: 0001-Backup-with-sqlite3-special-command.patch
Patch2: tpm2-pkcs11-1.5.0-openssl3.patch Patch2: 0002-utils-fix-stringop-overread-in-str_padded_copy.patch
Patch3: 0003-utils-remove-debug-log-message-from-str_padded_copy.patch
Patch4: 0004-tpm2_ptool-do-not-re-encode-the-signed-data-when-imp.patch
Patch5: 0005-db-fix-upgrade-backup.patch
Patch6: 0006-db-fix-upgrade-to-version-4.patch
BuildRequires: autoconf-archive
BuildRequires: automake
BuildRequires: libtool
BuildRequires: gcc BuildRequires: gcc
BuildRequires: make BuildRequires: make
BuildRequires: python3 BuildRequires: python3
@ -52,9 +60,11 @@ as the cryptographic token.
%package tools %package tools
Summary: The tools required to setup and configure TPM2 for PKCS#11 Summary: The tools required to setup and configure TPM2 for PKCS#11
# Automatic generator does not work for me even though the requires.txt is in place # Automatic generator does not work for me even though the requires.txt is in place
Requires: tpm2-tools
Requires: python3-cryptography Requires: python3-cryptography
Requires: python3-pyyaml Requires: python3-pyyaml
Requires: python3-pyasn1-modules Requires: python3-pyasn1-modules
Requires: sqlite
%description tools %description tools
The tools required to setup and configure TPM2 for PKCS#11. The tools required to setup and configure TPM2 for PKCS#11.
@ -65,7 +75,7 @@ gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
%build %build
%configure --enable-unit CFLAGS="%{optflags} -Wno-error=deprecated-declarations" %configure --enable-unit
%{make_build} %{make_build}
cd tools cd tools
%py3_build %py3_build
@ -103,41 +113,12 @@ cd tools
%changelog %changelog
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1.5.0-9 * Wed Nov 16 2022 Štěpán Horáček <shoracek@redhat.com> - 1.6.0-1
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - Update to 1.6.0 for RHEL 8
Related: rhbz#1991688 Resolves: rhbz#1896871
* Fri Jul 02 2021 Jerry Snitselaar <jsnitsel@redhat.com> - 1.5.0-8 * Tue Mar 23 2021 Davide Cavalca <dcavalca@fedoraproject.org> - 1.3.2-2
- Fix product version for gating - Revert python 3.7 requirement commit to allow building on EPEL 8
Resolves: rhbz#1972907
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.5.0-7
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Wed May 19 2021 Jerry Snitselaar <jsnitsel@redhat.com> - 1.5.0-6
- Work around for openssl 3.0 update. Related: rhbz#1958030
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.5.0-5
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Mon Feb 01 2021 Jakub Jelen <jjelen@redhat.com> - 1.5.0-4}
- Unbreak the build on s390x (#1923383)
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.5.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Mon Dec 07 2020 Jeff Law <law@redhat.com> - 1.5.0-2
- Avoid stringop-overflow diagnostic in testsuite
* Wed Nov 18 2020 Jakub Jelen <jjelen@redhat.com> - 1.5.0-1
- New upstream release
* Tue Sep 15 2020 Jeff Law <law@redhat.com> - 1.4.0-2
- Fix two source over-reads detected by gcc-11
* Mon Aug 24 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 1.4.0-1
- Update to 1.4.0
* Mon Aug 10 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 1.3.2-1 * Mon Aug 10 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 1.3.2-1
- Update to 1.3.2 - Update to 1.3.2
@ -203,5 +184,3 @@ Resolves: rhbz#1972907
* Tue Feb 19 2019 Jakub Jelen <jjelen@redhat.com> - 0-0.1.20190219git836d715 * Tue Feb 19 2019 Jakub Jelen <jjelen@redhat.com> - 0-0.1.20190219git836d715
- Initial release for Fedora - Initial release for Fedora