rpms/tpm2-tss
5
0
Fork 0
Code Issues Pull Requests Releases Activity

tpm2-tss: Fix failures while using OpenSSL 3

Browse Source 
Resolves: rhbz#1984634

Signed-off-by: Štěpán Horáček <shoracek@redhat.com>
This commit is contained in:
Štěpán Horáček 2021-08-18 18:52:31 +02:00
parent 28afe25eab
commit 15c4079733
13 changed files with 2042 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
0001-FAPI-Fix-reading-of-the-root-certificate-for-provisi.patch Normal file
View File

@ -0,0 +1,61 @@
From c14bd543879f2336e57aa2dff0b437407d858272 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
Date: Fri, 19 Feb 2021 14:32:45 +0100
Subject: FAPI: Fix reading of the root certificate for
provisioning.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* The root certificate defined by the environment variable FAPI_TEST_ROOT_CERT will
only be used if it's allowed to use self generated root certificate with
./configure --enable-self-generated-certificate
* This option is added to all integration tests which are using the TPM simulator.
- Compared to the upstream commit 199b4edc the changes to CI config files
are omitted.
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
---
configure.ac | 8 ++++++++
src/tss2-fapi/api/Fapi_Provision.c | 4 ++++
2 files changed, 12 insertions(+)
diff --git a/configure.ac b/configure.ac
index f4df879c..d3bbb93d 100755
--- a/configure.ac
+++ b/configure.ac
@@ -440,6 +440,14 @@ AC_ARG_ENABLE([weakcrypto],
AS_IF([test "x$enable_weakcrypto" = "xyes"],
AC_DEFINE([DISABLE_WEAK_CRYPTO],[1],[DISABLE WEAK CRYPTO ALGORITHMS]))
+AC_ARG_ENABLE([self-generated-certificate],
+ [AS_HELP_STRING([--enable-self-generated-certificate],
+ [Alllow usage of self generated root certifcate])],,
+ [enable_self_generated_certificate=no])
+AS_IF([test "x$enable_self_generated_certificate" == xyes],
+ [AC_DEFINE([SELF_GENERATED_CERTIFICATE],[1], [Allow usage of self generated root certifcate])])
+
+
AC_SUBST([PATH])
dnl --------- Doxy Gen -----------------------
diff --git a/src/tss2-fapi/api/Fapi_Provision.c b/src/tss2-fapi/api/Fapi_Provision.c
index 00534a2e..9cf804ad 100644
--- a/src/tss2-fapi/api/Fapi_Provision.c
+++ b/src/tss2-fapi/api/Fapi_Provision.c
@@ -797,7 +797,11 @@ Fapi_Provision_Finish(FAPI_CONTEXT *context)
statecase(context->state, PROVISION_PREPARE_READ_ROOT_CERT);
/* Prepare reading of root certificate. */
+ root_ca_file = NULL;
+#ifdef SELF_GENERATED_CERTIFICATE
+#pragma message ( "*** Allow self generated certifcate ***" )
root_ca_file = getenv("FAPI_TEST_ROOT_CERT");
+#endif
if (!root_ca_file) {
context->state = PROVISION_EK_CHECK_CERT;
return TSS2_FAPI_RC_TRY_AGAIN;
--
2.26.3

42
0002-FAPI-use-FAPI_TEST_EK_CERT_LESS-with-disable-self-ge.patch Normal file
View File

@ -0,0 +1,42 @@
From d680ea548b3ab066f6bea625af5d4000ca32cfee Mon Sep 17 00:00:00 2001
From: Jonas Witschel <diabonas@gmx.de>
Date: Mon, 1 Mar 2021 20:00:17 +0100
Subject: FAPI: use FAPI_TEST_EK_CERT_LESS with
--disable-self-generated-certificate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Since commit 199b4edc265b2f4758aa22ebf4ed6472a34b9a7a ("FAPI: Fix reading of
the root certificate for provisioning.") it is required to specify
--enable-self-generated-certificate in order to make the FAPI integration tests
pass. This is an option that should usually not be enabled in production builds
for security reasons, but still some form of integration testing might be
desirable in this case to verify whether the compiled library works as
expected. Use FAPI_TEST_EK_CERT_LESS in this case to run the tests without EK
certificate validation.
Signed-off-by: Jonas Witschel <diabonas@gmx.de>
---
configure.ac | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/configure.ac b/configure.ac
index d3bbb93d..d4324c9a 100755
--- a/configure.ac
+++ b/configure.ac
@@ -444,8 +444,9 @@ AC_ARG_ENABLE([self-generated-certificate],
[AS_HELP_STRING([--enable-self-generated-certificate],
[Alllow usage of self generated root certifcate])],,
[enable_self_generated_certificate=no])
-AS_IF([test "x$enable_self_generated_certificate" == xyes],
- [AC_DEFINE([SELF_GENERATED_CERTIFICATE],[1], [Allow usage of self generated root certifcate])])
+AS_IF([test "x$enable_self_generated_certificate" = xyes],
+ [AC_DEFINE([SELF_GENERATED_CERTIFICATE], [1], [Allow usage of self generated root certificate])],
+ [AS_IF([test "x$integration_tcti" != "xdevice"], [AC_DEFINE([FAPI_TEST_EK_CERT_LESS], [1], [Perform integration tests without EK certificate verification])])])
AC_SUBST([PATH])
--
2.26.3

29
0003-Makefile.am-Use-LIBCRYPTO_CFLAGS-when-building-FAPI.patch Normal file
View File

@ -0,0 +1,29 @@
From c5933320e1bd557cc52f2d56baec4ea52edfbc47 Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Sat, 17 Jul 2021 20:15:51 +0200
Subject: Makefile.am: Use LIBCRYPTO_CFLAGS when building FAPI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
Makefile.am | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile.am b/Makefile.am
index f2fa515a..0f759adb 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -521,7 +521,7 @@ src_tss2_fapi_libtss2_fapi_la_LIBADD = $(libtss2_sys) $(libtss2_mu) $(libtss2_e
$(libutil) $(libtss2_tctildr)
src_tss2_fapi_libtss2_fapi_la_SOURCES = $(TSS2_FAPI_SRC)
-src_tss2_fapi_libtss2_fapi_la_CFLAGS = $(AM_CFLAGS) -I$(srcdir)/src/tss2-fapi
+src_tss2_fapi_libtss2_fapi_la_CFLAGS = $(AM_CFLAGS) -I$(srcdir)/src/tss2-fapi $(LIBCRYPTO_CFLAGS)
src_tss2_fapi_libtss2_fapi_la_LDFLAGS = $(AM_LDFLAGS) $(LIBCRYPTO_LIBS) $(JSONC_LIBS) $(CURL_LIBS)
if HAVE_LD_VERSION_SCRIPT
src_tss2_fapi_libtss2_fapi_la_LDFLAGS += -Wl,--version-script=$(srcdir)/lib/tss2-fapi.map
--
2.26.3

35
0004-Test-Remove-duplicate-openssl-req-new.patch Normal file
View File

@ -0,0 +1,35 @@
From 738f6f045e740c3fc21579297990d60b7c2e83ed Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Sat, 17 Jul 2021 20:23:32 +0200
Subject: Test: Remove duplicate openssl req -new
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The command is called twice, which is superfluous. Both the key
and the certificate are created already by the first command.
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
script/ekca/create_ca.sh | 5 -----
1 file changed, 5 deletions(-)
diff --git a/script/ekca/create_ca.sh b/script/ekca/create_ca.sh
index 90a5c791..61d976a3 100755
--- a/script/ekca/create_ca.sh
+++ b/script/ekca/create_ca.sh
@@ -94,11 +94,6 @@ ${SED_CMD} "s|ROOTCRT|$ROOT_URL|g" $OPENSSL_CONF
openssl req -new -out intermed-ca.req.pem -passout file:pass.txt
-openssl req -new \
- -key private/intermed-ca.key.pem \
- -out intermed-ca.req.pem \
- -passin file:pass.txt
-
openssl rsa -inform PEM -in private/intermed-ca.key.pem \
-outform DER -out private/intermed-ca.key.der -passin file:pass.txt
--
2.26.3

76
0005-FAPI-Test-Call-EVP_DigestSignInit-in-the-correct-ord.patch Normal file
View File

@ -0,0 +1,76 @@
From 563f9c951d9b050378b9d3659a932c98ab587b21 Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Sat, 17 Jul 2021 21:22:28 +0200
Subject: FAPI Test: Call EVP_DigestSignInit in the correct order
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The EVP_DigestSignInit should be called only once and before calling
EVP_PKEY_CTX_set_rsa_padding. See a corresponding example
[here](https://www.openssl.org/docs/man1.0.2/man3/EVP_PKEY_sign_init.html)
Current code works with OpenSSL 1.x, but fails with OpenSSL 3.0.
This PR makes the code compatible with OpenSSL 1.0 through 3.0.
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
test/integration/fapi-data-crypt.int.c | 8 ++------
test/integration/fapi-key-create-policy-signed.int.c | 8 ++------
2 files changed, 4 insertions(+), 12 deletions(-)
diff --git a/test/integration/fapi-data-crypt.int.c b/test/integration/fapi-data-crypt.int.c
index b2d20b28..d42466db 100644
--- a/test/integration/fapi-data-crypt.int.c
+++ b/test/integration/fapi-data-crypt.int.c
@@ -129,8 +129,8 @@ signatureCallback(
mdctx = EVP_MD_CTX_create();
chknull(mdctx);
- if (1 != EVP_DigestSignInit(mdctx, &pctx, NULL, NULL, priv_key)) {
- goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL digest sign init.",
+ if (1 != EVP_DigestSignInit(mdctx, &pctx, ossl_hash, NULL, priv_key)) {
+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.",
error_cleanup);
}
if (EVP_PKEY_type(EVP_PKEY_id(priv_key)) == EVP_PKEY_RSA) {
@@ -140,10 +140,6 @@ signatureCallback(
error_cleanup);
}
}
- if (1 != EVP_DigestSignInit(mdctx, &pctx, ossl_hash, NULL, priv_key)) {
- goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.",
- error_cleanup);
- }
if (1 != EVP_DigestSignUpdate(mdctx, dataToSign, dataToSignSize)) {
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign update.",
error_cleanup);
diff --git a/test/integration/fapi-key-create-policy-signed.int.c b/test/integration/fapi-key-create-policy-signed.int.c
index e51289a6..b903dec0 100644
--- a/test/integration/fapi-key-create-policy-signed.int.c
+++ b/test/integration/fapi-key-create-policy-signed.int.c
@@ -144,8 +144,8 @@ signatureCallback(
mdctx = EVP_MD_CTX_create();
chknull(mdctx);
- if (1 != EVP_DigestSignInit(mdctx, &pctx, NULL, NULL, priv_key)) {
- goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL digest sign init.",
+ if (1 != EVP_DigestSignInit(mdctx, &pctx, ossl_hash, NULL, priv_key)) {
+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.",
error_cleanup);
}
if (EVP_PKEY_type(EVP_PKEY_id(priv_key)) == EVP_PKEY_RSA) {
@@ -155,10 +155,6 @@ signatureCallback(
error_cleanup);
}
}
- if (1 != EVP_DigestSignInit(mdctx, &pctx, ossl_hash, NULL, priv_key)) {
- goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.",
- error_cleanup);
- }
if (1 != EVP_DigestSignUpdate(mdctx, dataToSign, dataToSignSize)) {
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign update.",
error_cleanup);
--
2.26.3

47
0006-FAPI-Test-Use-EVP_PKEY_base_id-to-detect-key-type.patch Normal file
View File

@ -0,0 +1,47 @@
From 6e9c46f8c3bf91aac51b668fa78c3173c885760c Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Sat, 17 Jul 2021 21:29:25 +0200
Subject: FAPI Test: Use EVP_PKEY_base_id to detect key type
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The EVP_PKEY_base_id is the right way to detect key type, used also
by OpenSSL itself.
This function is available since OpenSSL 1.0.0.
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
test/integration/fapi-data-crypt.int.c | 2 +-
test/integration/fapi-key-create-policy-signed.int.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/test/integration/fapi-data-crypt.int.c b/test/integration/fapi-data-crypt.int.c
index d42466db..a95cc9ef 100644
--- a/test/integration/fapi-data-crypt.int.c
+++ b/test/integration/fapi-data-crypt.int.c
@@ -133,7 +133,7 @@ signatureCallback(
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.",
error_cleanup);
}
- if (EVP_PKEY_type(EVP_PKEY_id(priv_key)) == EVP_PKEY_RSA) {
+ if (EVP_PKEY_base_id(priv_key) == EVP_PKEY_RSA) {
int signing_scheme = RSA_SIG_SCHEME;
if (1 != EVP_PKEY_CTX_set_rsa_padding(pctx, signing_scheme)) {
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL set RSA padding.",
diff --git a/test/integration/fapi-key-create-policy-signed.int.c b/test/integration/fapi-key-create-policy-signed.int.c
index b903dec0..8f917d35 100644
--- a/test/integration/fapi-key-create-policy-signed.int.c
+++ b/test/integration/fapi-key-create-policy-signed.int.c
@@ -148,7 +148,7 @@ signatureCallback(
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.",
error_cleanup);
}
- if (EVP_PKEY_type(EVP_PKEY_id(priv_key)) == EVP_PKEY_RSA) {
+ if (EVP_PKEY_base_id(priv_key) == EVP_PKEY_RSA) {
int signing_scheme = RSA_SIG_SCHEME;
if (1 != EVP_PKEY_CTX_set_rsa_padding(pctx, signing_scheme)) {
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL set RSA padding.",
--
2.26.3

100
0007-FAPI-Test-Change-RSA_sign-to-EVP_PKEY_sign.patch Normal file
View File

@ -0,0 +1,100 @@
From 9ca735ab8f71a6b64f31867e55d43f3f5a51bfec Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Sun, 18 Jul 2021 11:54:50 +0200
Subject: FAPI Test: Change RSA_sign to EVP_PKEY_sign
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The EVP_PKEY_sign functions are available since OpenSSL 1.0.0.
The RSA_sign function is deprecated in OpenSSL 3.0.0.
This PR should work with OpenSSL 1.0.0 through 3.0.0.
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
test/integration/fapi-ext-public-key.int.c | 38 +++++++++++-----------
1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/test/integration/fapi-ext-public-key.int.c b/test/integration/fapi-ext-public-key.int.c
index 363c58b7..971d7897 100644
--- a/test/integration/fapi-ext-public-key.int.c
+++ b/test/integration/fapi-ext-public-key.int.c
@@ -49,7 +49,7 @@ test_fapi_ext_public_key(FAPI_CONTEXT *context)
BIO *bufio = NULL;
EVP_PKEY *evp_key = NULL;
- RSA *rsa_key = NULL;
+ EVP_PKEY_CTX *ctx = NULL;
/* Key will be used for non TPM signature verfication. */
char *pubkey_pem =
@@ -186,10 +186,8 @@ test_fapi_ext_public_key(FAPI_CONTEXT *context)
bufio = BIO_new_mem_buf((void *)priv_pem, strlen(priv_pem));
evp_key = PEM_read_bio_PrivateKey(bufio, NULL, NULL, NULL);
- rsa_key = EVP_PKEY_get1_RSA(evp_key);
-
- if (!bufio || !evp_key || !rsa_key) {
+ if (!bufio || !evp_key) {
LOG_ERROR("Generation of test key failed.");
goto error;
}
@@ -199,10 +197,20 @@ test_fapi_ext_public_key(FAPI_CONTEXT *context)
0x25, 0x71, 0x78, 0x50, 0xc2, 0x6c, 0x9c, 0xd0, 0xd8, 0x9d
};
uint8_t signature[256];
- unsigned int signatureLength = 256;
+ size_t signatureLength = 256;
- if (!RSA_sign(NID_sha1, digest, 20, signature, &signatureLength, rsa_key)) {
- LOG_ERROR("Test RSA_sign failed.");
+ if ((ctx = EVP_PKEY_CTX_new(evp_key, NULL)) == NULL) {
+ LOG_ERROR("Test EVP_PKEY_CTX_new failed.");
+ goto error;
+ }
+ if (EVP_PKEY_sign_init(ctx) <= 0
+ || EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0
+ || EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha1()) <= 0) {
+ LOG_ERROR("Test EVP_PKEY_sign_init failed.");
+ goto error;
+ }
+ if (EVP_PKEY_sign(ctx, signature, &signatureLength, digest, 20) <= 0) {
+ LOG_ERROR("Test EVP_PKEY_sign failed.");
goto error;
}
@@ -243,12 +251,8 @@ test_fapi_ext_public_key(FAPI_CONTEXT *context)
if (bufio) {
BIO_free(bufio);
}
- if (evp_key) {
- EVP_PKEY_free(evp_key);
- }
- if (rsa_key) {
- RSA_free(rsa_key);
- }
+ EVP_PKEY_CTX_free(ctx);
+ EVP_PKEY_free(evp_key);
SAFE_FREE(path_list);
SAFE_FREE(cert2);
return EXIT_SUCCESS;
@@ -258,12 +262,8 @@ error:
if (bufio) {
BIO_free(bufio);
}
- if (evp_key) {
- EVP_PKEY_free(evp_key);
- }
- if (rsa_key) {
- RSA_free(rsa_key);
- }
+ EVP_PKEY_CTX_free(ctx);
+ EVP_PKEY_free(evp_key);
SAFE_FREE(path_list);
SAFE_FREE(cert2);
return EXIT_FAILURE;
--
2.26.3

65
0008-Require-OpenSSL-1.1.0.patch Normal file
View File

@ -0,0 +1,65 @@
From 090a10a69340dc0825f611eceac60bf3f904a5ec Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Sat, 17 Jul 2021 22:43:00 +0200
Subject: Require OpenSSL >= 1.1.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
To reduce the amount of version-specific code we drop support for
OpenSSL prior 1.1.0, including all forks such as LibreSSL, which are
not API compatible with OpenSSL >= 1.1.0.
Python 3.10 will even require OpenSSL >= 1.1.1. The corresponding
PEP 644 contains a detailed impact analysis which is also relevant
here.
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
INSTALL.md | 3 +--
configure.ac | 6 +++++-
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/INSTALL.md b/INSTALL.md
index eec94c45..658e1f28 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -14,7 +14,7 @@ following sections describe them for the supported platforms.
* C library development libraries and header files
* pkg-config
* doxygen
-* OpenSSL development libraries and header files
+* OpenSSL development libraries and header files, version >= 1.1.0
* libcurl development libraries
The following are dependencies only required when building test suites.
@@ -71,7 +71,6 @@ C Runtime (UCRT) version 10.0.16299.0. Building the type marshaling library
(tss2-mu.dll) and the system API (tss2-sapi.dll) should be as simple as
loading the tpm2-tss solution (tpm2-tss.sln) with a compatible and properly
configured version of Visual Studio 2017 and pressing the 'build' button.
-Windows build setup requires OpenSSL >= v1.0.2 crypto library.
### References
Visual Studio 2017 with "Clang for Windows": https://blogs.msdn.microsoft.com/vcblog/2017/03/07/use-any-c-compiler-with-visual-studio/
diff --git a/configure.ac b/configure.ac
index d4324c9a..12baa257 100755
--- a/configure.ac
+++ b/configure.ac
@@ -132,9 +132,13 @@ AC_ARG_WITH([crypto],
AM_CONDITIONAL(ESYS_OSSL, test "x$with_crypto" = "xossl")
AM_CONDITIONAL(ESYS_MBED, test "x$with_crypto" = "xmbed")
+m4_define([ossl_min_version], [1.1.0])
+m4_define([ossl_err], [OpenSSL libcrypto is missing or version requirements not met. OpenSSL version must be >= ossl_min_version])
AS_IF([test "x$enable_esys" = xyes],
[AS_IF([test "x$with_crypto" = xossl], [
- PKG_CHECK_MODULES([LIBCRYPTO], [libcrypto])
+ PKG_CHECK_MODULES([LIBCRYPTO],
+ [libcrypto >= ossl_min_version],,
+ [AC_MSG_ERROR([ossl_err])])
AC_DEFINE([OSSL], [1], [OpenSSL cryptographic backend])
TSS2_ESYS_CFLAGS_CRYPTO="$LIBCRYPTO_CFLAGS"
TSS2_ESYS_LDFLAGS_CRYPTO="$LIBCRYPTO_LIBS"
--
2.26.3

124
0009-FAPI-Change-SHA256_Update-to-EVP_DigestUpdate.patch Normal file
View File

@ -0,0 +1,124 @@
From 75da8bd937e6bca14832240321a679634159f75b Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Sun, 18 Jul 2021 13:12:56 +0200
Subject: FAPI: Change SHA256_Update to EVP_DigestUpdate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Although the EVP_DigestUpdate functions are available in all OpenSSL
versions and the EVP_DigestFinal_ex was added in OpenSSL 0.9.7, the
EVP_MD_CTX_new was introduced in OpenSSL 1.1.0.
The SHA256_Update function is deprecated in OpenSSL 3.0.0.
This PR should work with OpenSSL 1.1.0 through 3.0.0.
- Compared to the upstream commit f4f528ff the changes related to the
unit test are omitted.
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
src/tss2-fapi/ifapi_get_intl_cert.c | 43 +++++++++++++++++------------
1 file changed, 25 insertions(+), 18 deletions(-)
diff --git a/src/tss2-fapi/ifapi_get_intl_cert.c b/src/tss2-fapi/ifapi_get_intl_cert.c
index 2fb17fd0..9290a17e 100644
--- a/src/tss2-fapi/ifapi_get_intl_cert.c
+++ b/src/tss2-fapi/ifapi_get_intl_cert.c
@@ -52,21 +52,26 @@ static unsigned char *hash_ek_public(TPM2B_PUBLIC *ek_public) {
return NULL;
}
- SHA256_CTX sha256;
- int is_success = SHA256_Init(&sha256);
+ EVP_MD_CTX *sha256ctx = EVP_MD_CTX_new();
+ if (!sha256ctx) {
+ LOG_ERROR("EVP_MD_CTX_new failed");
+ goto err;
+ }
+
+ int is_success = EVP_DigestInit(sha256ctx, EVP_sha256());
if (!is_success) {
- LOG_ERROR("SHA256_Init failed");
+ LOG_ERROR("EVP_DigestInit failed");
goto err;
}
switch (ek_public->publicArea.type) {
case TPM2_ALG_RSA:
/* Add public key to the hash. */
- is_success = SHA256_Update(&sha256,
- ek_public->publicArea.unique.rsa.buffer,
- ek_public->publicArea.unique.rsa.size);
+ is_success = EVP_DigestUpdate(sha256ctx,
+ ek_public->publicArea.unique.rsa.buffer,
+ ek_public->publicArea.unique.rsa.size);
if (!is_success) {
- LOG_ERROR("SHA256_Update failed");
+ LOG_ERROR("EVP_DigestUpdate failed");
goto err;
}
@@ -77,28 +82,28 @@ static unsigned char *hash_ek_public(TPM2B_PUBLIC *ek_public) {
}
/* Exponent 65537 will be added. */
BYTE buf[3] = { 0x1, 0x00, 0x01 };
- is_success = SHA256_Update(&sha256, buf, sizeof(buf));
+ is_success = EVP_DigestUpdate(sha256ctx, buf, sizeof(buf));
if (!is_success) {
- LOG_ERROR("SHA256_Update failed");
+ LOG_ERROR("EVP_DigestUpdate failed");
goto err;
}
break;
case TPM2_ALG_ECC:
- is_success = SHA256_Update(&sha256,
- ek_public->publicArea.unique.ecc.x.buffer,
- ek_public->publicArea.unique.ecc.x.size);
+ is_success = EVP_DigestUpdate(sha256ctx,
+ ek_public->publicArea.unique.ecc.x.buffer,
+ ek_public->publicArea.unique.ecc.x.size);
if (!is_success) {
- LOG_ERROR("SHA256_Update failed");
+ LOG_ERROR("EVP_DigestUpdate failed");
goto err;
}
/* Add public key to the hash. */
- is_success = SHA256_Update(&sha256,
- ek_public->publicArea.unique.ecc.y.buffer,
- ek_public->publicArea.unique.ecc.y.size);
+ is_success = EVP_DigestUpdate(sha256ctx,
+ ek_public->publicArea.unique.ecc.y.buffer,
+ ek_public->publicArea.unique.ecc.y.size);
if (!is_success) {
- LOG_ERROR("SHA256_Update failed");
+ LOG_ERROR("EVP_DigestUpdate failed");
goto err;
}
break;
@@ -108,17 +113,19 @@ static unsigned char *hash_ek_public(TPM2B_PUBLIC *ek_public) {
goto err;
}
- is_success = SHA256_Final(hash, &sha256);
+ is_success = EVP_DigestFinal_ex(sha256ctx, hash, NULL);
if (!is_success) {
LOG_ERROR("SHA256_Final failed");
goto err;
}
+ EVP_MD_CTX_free(sha256ctx);
LOG_TRACE("public-key-hash:");
LOG_TRACE(" sha256: ");
LOGBLOB_TRACE(&hash[0], SHA256_DIGEST_LENGTH, "Hash");
return hash;
err:
+ EVP_MD_CTX_free(sha256ctx);
free(hash);
return NULL;
}
--
2.26.3

124
0010-Test-Use-EVP_MAC_xxx-with-OpenSSL-3.0.patch Normal file
View File

@ -0,0 +1,124 @@
From 89b2bd01f6fa1e267f57b2ceeb2ffaafb9cdb7c0 Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Sun, 18 Jul 2021 14:56:18 +0200
Subject: Test: Use EVP_MAC_xxx with OpenSSL 3.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Drop support for OpenSSL < 1.1.0 and add support for OpenSSL >= 3.0.0.
The HMAC_Update is deprecated in OpenSSL 3.0, but the replacement
EVP_MAC_update was added in OpenSSL 3.0, so version specific code is
needed.
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
test/integration/sys-util.c | 50 +++++++++++++++++++++++--------------
1 file changed, 31 insertions(+), 19 deletions(-)
diff --git a/test/integration/sys-util.c b/test/integration/sys-util.c
index af83cf55..5865f002 100644
--- a/test/integration/sys-util.c
+++ b/test/integration/sys-util.c
@@ -13,10 +13,13 @@
#include <string.h>
#include <assert.h>
+#include <openssl/evp.h>
#include <openssl/sha.h>
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
#include <openssl/hmac.h>
-#include <openssl/evp.h>
-#include <openssl/opensslv.h>
+#else
+#include <openssl/core_names.h>
+#endif
#define LOGMODULE testintegration
#include "util/log.h"
@@ -489,22 +492,18 @@ hmac(
TPM2B_DIGEST **buffer_list,
TPM2B_DIGEST *out)
{
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- HMAC_CTX *ctx;
-#else
- HMAC_CTX _ctx;
- HMAC_CTX *ctx = &_ctx;
-#endif
- EVP_MD *evp;
int rc = 1, i;
- unsigned int *buf = NULL, size;
+ unsigned int *buf = NULL;
uint8_t *buf_ptr;
+ EVP_MD *evp;
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- /* HMAC_CTX_new and HMAC_CTX_free are new in openSSL 1.1.0 */
- ctx = HMAC_CTX_new();
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ unsigned int size;
+ HMAC_CTX *ctx = HMAC_CTX_new();
#else
- HMAC_CTX_init(ctx);
+ size_t size;
+ EVP_MAC *hmac = EVP_MAC_fetch(NULL, "HMAC", NULL);
+ EVP_MAC_CTX *ctx = EVP_MAC_CTX_new(hmac);
#endif
if (!ctx)
@@ -538,21 +537,33 @@ hmac(
buf_ptr = (uint8_t *)buf;
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
rc = HMAC_Init_ex(ctx, key, key_len, evp, NULL);
#else
- rc = HMAC_Init(ctx, key, key_len, evp);
-#endif
+ OSSL_PARAM params[2];
+ params[0] = OSSL_PARAM_construct_utf8_string(OSSL_ALG_PARAM_DIGEST,
+ (char *)EVP_MD_get0_name(evp), 0);
+ params[1] = OSSL_PARAM_construct_end();
+ rc = EVP_MAC_init(ctx, key, key_len, params);
+#endif
if (rc != 1)
goto out;
for (i = 0; buffer_list[i] != 0; i++) {
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
rc = HMAC_Update(ctx, buffer_list[i]->buffer, buffer_list[i]->size);
+#else
+ rc = EVP_MAC_update(ctx, buffer_list[i]->buffer, buffer_list[i]->size);
+#endif
if (rc != 1)
goto out;
}
/* buf_ptr has to be 4 bytes alligned for whatever reason */
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
rc = HMAC_Final(ctx, buf_ptr, &size);
+#else
+ rc = EVP_MAC_final(ctx, buf_ptr, &size, out->size);
+#endif
if (rc != 1)
goto out;
@@ -561,10 +572,11 @@ hmac(
memcpy(out->buffer, buf, out->size);
out:
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
HMAC_CTX_free(ctx);
#else
- HMAC_CTX_cleanup(ctx);
+ EVP_MAC_CTX_free(ctx);
+ EVP_MAC_free(hmac);
#endif
if (buf)
--
2.26.3

313
0011-Drop-support-for-OpenSSL-1.1.0.patch Normal file
View File

@ -0,0 +1,313 @@
From df8495b73df96f55425970e76c613b8a0950bf0c Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Sun, 18 Jul 2021 20:21:01 +0200
Subject: Drop support for OpenSSL < 1.1.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Delete code written to support OpenSSL < 1.1.0
Delete functions that have no effect in OpenSSL >= 1.1.0
- ENGINE_load_builtin_engines()
- OpenSSL_add_all_algorithms()
- ERR_load_crypto_strings()
- EC_KEY_set_asn1_flag(ecKey, OPENSSL_EC_NAMED_CURVE)
Switch AppVeyor to use pre-built OpenSSL 1.1.0
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
src/tss2-esys/esys_crypto_ossl.c | 19 ----------------
src/tss2-esys/tss2-esys.vcxproj | 16 +++++++-------
src/tss2-fapi/fapi_crypto.c | 37 --------------------------------
test/helper/tpm_getek.c | 11 ----------
test/helper/tpm_getek_ecc.c | 9 --------
5 files changed, 8 insertions(+), 84 deletions(-)
diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c
index 2eb0dfcb..a6259346 100644
--- a/src/tss2-esys/esys_crypto_ossl.c
+++ b/src/tss2-esys/esys_crypto_ossl.c
@@ -525,11 +525,7 @@ iesys_cryptossl_random2b(TPM2B_NONCE * nonce, size_t num_bytes)
nonce->size = num_bytes;
}
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
RAND_set_rand_method(RAND_OpenSSL());
-#else
- RAND_set_rand_method(RAND_SSLeay());
-#endif
if (1 != RAND_bytes(&nonce->buffer[0], nonce->size)) {
RAND_set_rand_method(rand_save);
return_error(TSS2_ESYS_RC_GENERAL_FAILURE,
@@ -563,11 +559,7 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
size_t * out_size, const char *label)
{
const RAND_METHOD *rand_save = RAND_get_rand_method();
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
RAND_set_rand_method(RAND_OpenSSL());
-#else
- RAND_set_rand_method(RAND_SSLeay());
-#endif
TSS2_RC r = TSS2_RC_SUCCESS;
const EVP_MD * hashAlg = NULL;
@@ -630,14 +622,6 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
"Could not create evp key.", cleanup);
}
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- if (!BN_bin2bn(pub_tpm_key->publicArea.unique.rsa.buffer,
- pub_tpm_key->publicArea.unique.rsa.size,
- rsa_key->n)) {
- goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
- "Could not create rsa n.", cleanup);
- }
-#else
BIGNUM *n = NULL;
if (!(n = BN_bin2bn(pub_tpm_key->publicArea.unique.rsa.buffer,
pub_tpm_key->publicArea.unique.rsa.size,
@@ -650,7 +634,6 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
"Could not set rsa n.", cleanup);
}
-#endif
if (1 != EVP_PKEY_set1_RSA(evp_rsa_key, rsa_key)) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
@@ -1129,7 +1112,5 @@ iesys_cryptossl_sym_aes_decrypt(uint8_t * key,
*/
TSS2_RC
iesys_cryptossl_init() {
- ENGINE_load_builtin_engines();
- OpenSSL_add_all_algorithms();
return TSS2_RC_SUCCESS;
}
diff --git a/src/tss2-esys/tss2-esys.vcxproj b/src/tss2-esys/tss2-esys.vcxproj
index b75424aa..b2aa67ce 100644
--- a/src/tss2-esys/tss2-esys.vcxproj
+++ b/src/tss2-esys/tss2-esys.vcxproj
@@ -69,13 +69,13 @@
<RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
- <AdditionalIncludeDirectories>$(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-Win32\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+ <AdditionalIncludeDirectories>$(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-v11-Win32\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
</ClCompile>
<Link>
<TargetMachine>MachineX86</TargetMachine>
<GenerateDebugInformation>true</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
- <AdditionalDependencies>$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-Win32\lib\libeay32.lib;C:\OpenSSL-Win32\lib\libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+ <AdditionalDependencies>$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-v11-Win32\lib\libcrypto.lib;C:\OpenSSL-v11-Win32\lib\libcrypto.lib;%(AdditionalDependencies)</AdditionalDependencies>
<ModuleDefinitionFile>$(SolutionDir)\lib\tss2-esys.def</ModuleDefinitionFile>
</Link>
</ItemDefinitionGroup>
@@ -84,7 +84,7 @@
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;TSS2ESYS_EXPORTS;MAXLOGLEVEL=6;strtok_r=strtok_s;OSSL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
<WarningLevel>Level3</WarningLevel>
- <AdditionalIncludeDirectories>$(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-Win32\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+ <AdditionalIncludeDirectories>$(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-v11-Win32\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
</ClCompile>
<Link>
<TargetMachine>MachineX86</TargetMachine>
@@ -92,27 +92,27 @@
<SubSystem>Windows</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
- <AdditionalDependencies>$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-Win32\lib\libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+ <AdditionalDependencies>$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-v11-Win32\lib\libcrypto.lib;%(AdditionalDependencies)</AdditionalDependencies>
<ModuleDefinitionFile>$(SolutionDir)\lib\tss2-esys.def</ModuleDefinitionFile>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
- <AdditionalIncludeDirectories>$(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-Win64\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+ <AdditionalIncludeDirectories>$(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-v11-Win64\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>_DEBUG;_WINDOWS;_USRDLL;TSS2ESYS_EXPORTS;MAXLOGLEVEL=6;strtok_r=strtok_s;OSSL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<Link>
- <AdditionalDependencies>$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-Win64\lib\libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+ <AdditionalDependencies>$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-v11-Win64\lib\libcrypto.lib;%(AdditionalDependencies)</AdditionalDependencies>
<ModuleDefinitionFile>$(SolutionDir)\lib\tss2-esys.def</ModuleDefinitionFile>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
- <AdditionalIncludeDirectories>$(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-Win64\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+ <AdditionalIncludeDirectories>$(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-v11-Win64\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>NDEBUG;_WINDOWS;_USRDLL;TSS2ESYS_EXPORTS;MAXLOGLEVEL=6;strtok_r=strtok_s;OSSL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<Link>
- <AdditionalDependencies>$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-Win64\lib\libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+ <AdditionalDependencies>$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-v11-Win64\lib\libcrypto.lib;%(AdditionalDependencies)</AdditionalDependencies>
<ModuleDefinitionFile>$(SolutionDir)\lib\tss2-esys.def</ModuleDefinitionFile>
</Link>
</ItemDefinitionGroup>
diff --git a/src/tss2-fapi/fapi_crypto.c b/src/tss2-fapi/fapi_crypto.c
index f5b3d272..c97b0a1d 100644
--- a/src/tss2-fapi/fapi_crypto.c
+++ b/src/tss2-fapi/fapi_crypto.c
@@ -333,12 +333,7 @@ ifapi_tpm_ecc_sig_to_der(
tpmSignature->signature.ecdsa.signatureR.size, NULL);
goto_if_null(bnr, "Out of memory", TSS2_FAPI_RC_MEMORY, cleanup);
-#if OPENSSL_VERSION_NUMBER < 0x10100000
- ecdsaSignature->s = bns;
- ecdsaSignature->r = bnr;
-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
ECDSA_SIG_set0(ecdsaSignature, bnr, bns);
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
osslRC = i2d_ECDSA_SIG(ecdsaSignature, NULL);
if (osslRC == -1) {
@@ -424,20 +419,9 @@ ossl_rsa_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey)
"Could not set exponent.", error_cleanup);
}
-#if OPENSSL_VERSION_NUMBER < 0x10100000
- rsa->e = e;
- rsa->n = n;
- rsa->d = d;
- rsa->p = p;
- rsa->q = q;
- rsa->dmp1 = dmp1;
- rsa->dmq1 = dmq1;
- rsa->iqmp = iqmp;
-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
RSA_set0_key(rsa, n, e, d);
RSA_set0_factors(rsa, p, q);
RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp);
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
/* Assign the parameters to the key */
if (!EVP_PKEY_assign_RSA(evpPublicKey, rsa)) {
@@ -541,8 +525,6 @@ ossl_ecc_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey)
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Assign ecc key",
error_cleanup);
}
- /* Needed for older OSSL versions. */
- EC_KEY_set_asn1_flag(ecKey, OPENSSL_EC_NAMED_CURVE);
OSSL_FREE(y, BN);
OSSL_FREE(x, BN);
return TSS2_RC_SUCCESS;
@@ -654,24 +636,14 @@ ifapi_ecc_der_sig_to_tpm(
/* Initialize the ECDSA signature components */
ECDSA_SIG *ecdsaSignature = NULL;
-#if OPENSSL_VERSION_NUMBER < 0x10100000
- BIGNUM *bnr;
- BIGNUM *bns;
-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
const BIGNUM *bnr;
const BIGNUM *bns;
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
d2i_ECDSA_SIG(&ecdsaSignature, &signature, signatureSize);
return_if_null(ecdsaSignature, "Invalid DER signature",
TSS2_FAPI_RC_GENERAL_FAILURE);
-#if OPENSSL_VERSION_NUMBER < 0x10100000
- bns = ecdsaSignature->s;
- bnr = ecdsaSignature->r;
-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
ECDSA_SIG_get0(ecdsaSignature, &bnr, &bns);
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
/* Writing them to the TPM format signature */
tpmSignature->signature.ecdsa.hash = hashAlgorithm;
@@ -933,12 +905,7 @@ get_rsa_tpm2b_public_from_evp(
const BIGNUM *e = NULL, *n = NULL;
int rsaKeySize = RSA_size(rsaKey);
-#if OPENSSL_VERSION_NUMBER < 0x10100000
- e = rsaKey->e;
- n = rsaKey->n;
-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
RSA_get0_key(rsaKey, &n, &e, NULL);
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
tpmPublic->publicArea.unique.rsa.size = rsaKeySize;
if (1 != ifapi_bn2binpad(n, &tpmPublic->publicArea.unique.rsa.buffer[0],
rsaKeySize)) {
@@ -1650,8 +1617,6 @@ get_crl_from_cert(X509 *cert, X509_CRL **crl)
goto_error(r, TSS2_FAPI_RC_NO_CERT, "Get crl.", cleanup);
}
- OpenSSL_add_all_algorithms();
-
unsigned const char* tmp_ptr1 = crl_buffer;
unsigned const char** tmp_ptr2 = &tmp_ptr1;
@@ -1935,7 +1900,6 @@ ifapi_verify_ek_cert(
r, TSS2_FAPI_RC_BAD_VALUE, cleanup);
} else {
/* Get uri for ek intermediate certificate. */
- OpenSSL_add_all_algorithms();
info = X509_get_ext_d2i(ek_cert, NID_info_access, NULL, NULL);
for (i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++) {
@@ -1955,7 +1919,6 @@ ifapi_verify_ek_cert(
goto_if_null2(cert_buffer, "No certificate downloaded", r,
TSS2_FAPI_RC_NO_CERT, cleanup);
- OpenSSL_add_all_algorithms();
intermed_cert = get_cert_from_buffer(cert_buffer, cert_buffer_size);
SAFE_FREE(cert_buffer);
diff --git a/test/helper/tpm_getek.c b/test/helper/tpm_getek.c
index 21be0f46..c6a8e906 100644
--- a/test/helper/tpm_getek.c
+++ b/test/helper/tpm_getek.c
@@ -147,20 +147,9 @@ main (int argc, char *argv[])
exp = out_public.publicArea.parameters.rsaDetail.exponent;
BN_set_word(e, exp);
-#if OPENSSL_VERSION_NUMBER < 0x10100000
- rsa->e = e;
- rsa->n = n;
- rsa->d = d;
- rsa->p = p;
- rsa->q = q;
- rsa->dmp1 = dmp1;
- rsa->dmq1 = dmq1;
- rsa->iqmp = iqmp;
-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
RSA_set0_key(rsa, n, e, d);
RSA_set0_factors(rsa, p, q);
RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp);
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
EVP_PKEY_assign_RSA(evp, rsa);
diff --git a/test/helper/tpm_getek_ecc.c b/test/helper/tpm_getek_ecc.c
index 0419f47a..75165fdd 100644
--- a/test/helper/tpm_getek_ecc.c
+++ b/test/helper/tpm_getek_ecc.c
@@ -128,14 +128,6 @@ main (int argc, char *argv[])
/* Convert the key from out_public to PEM */
EVP_PKEY *evp = EVP_PKEY_new();
-
- OpenSSL_add_all_algorithms();
-
- OpenSSL_add_all_algorithms();
-
- ERR_load_crypto_strings();
-
-
EC_KEY *ecc_key = EC_KEY_new();
BIGNUM *x = NULL, *y = NULL;
BIO *bio;
@@ -159,7 +151,6 @@ main (int argc, char *argv[])
if (!EC_KEY_set_group(ecc_key, ecgroup))
exit(1);
- EC_KEY_set_asn1_flag(ecc_key, OPENSSL_EC_NAMED_CURVE);
EC_GROUP_free(ecgroup);
/* Set the ECC parameters in the OpenSSL key */
--
2.26.3

1005
0012-Implement-EVP_PKEY-export-import-for-OpenSSL-3.0.patch Normal file
View File

File diff suppressed because it is too large Load Diff

23
tpm2-tss.spec
View File

@ -1,6 +1,6 @@
Name: tpm2-tss
Version: 3.0.3
Release: 5%{?dist}
Release: 6%{?dist}
Summary: TPM2.0 Software Stack
# The entire source code is under BSD except implementation.h and tpmb.h which
@ -10,6 +10,20 @@ URL: https://github.com/tpm2-software/tpm2-tss
Source0: https://github.com/tpm2-software/tpm2-tss/releases/download/%{version}/%{name}-%{version}.tar.gz
# doxygen crash
Patch0: tpm2-tss-3.0.0-doxygen.patch
# OpenSSL 3 support
Patch1: 0001-FAPI-Fix-reading-of-the-root-certificate-for-provisi.patch
Patch2: 0002-FAPI-use-FAPI_TEST_EK_CERT_LESS-with-disable-self-ge.patch
Patch3: 0003-Makefile.am-Use-LIBCRYPTO_CFLAGS-when-building-FAPI.patch
Patch4: 0004-Test-Remove-duplicate-openssl-req-new.patch
Patch5: 0005-FAPI-Test-Call-EVP_DigestSignInit-in-the-correct-ord.patch
Patch6: 0006-FAPI-Test-Use-EVP_PKEY_base_id-to-detect-key-type.patch
Patch7: 0007-FAPI-Test-Change-RSA_sign-to-EVP_PKEY_sign.patch
Patch8: 0008-Require-OpenSSL-1.1.0.patch
Patch9: 0009-FAPI-Change-SHA256_Update-to-EVP_DigestUpdate.patch
Patch10: 0010-Test-Use-EVP_MAC_xxx-with-OpenSSL-3.0.patch
Patch11: 0011-Drop-support-for-OpenSSL-1.1.0.patch
Patch12: 0012-Implement-EVP_PKEY-export-import-for-OpenSSL-3.0.patch
%global udevrules_prefix 60-
@ -33,9 +47,10 @@ APIs. It sits between TPM driver and applications, providing TPM2.0 specified
APIs for applications to access TPM module through kernel TPM drivers.
%prep
%autosetup -n %{name}-%{version}
%autosetup -p1 -n %{name}-%{version}
%build
autoreconf -i
# Use built-in tpm-udev.rules, with specified installation path and prefix.
%configure --disable-static --disable-silent-rules \
--with-udevrulesdir=%{_udevrulesdir} --with-udevrulesprefix=%{udevrules_prefix} \
@ -118,6 +133,10 @@ use tpm2-tss.
%changelog
* Wed Aug 18 2021 Štěpán Horáček <shoracek@redhat.com> - 3.0.3-6
- Fix failures while using OpenSSL 3
Resolves: rhbz#1984634
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.3-5
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688