rpms/tpm2-tss
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import tpm2-tss-3.0.3-8.el9

Browse Source
This commit is contained in:
CentOS Sources 2022-09-27 10:37:23 -04:00 committed by Stepan Oksanichenko
parent c03fe3acd6
commit 72d6299b99
24 changed files with 1979 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

99
SOURCES/0001-esys_crypto_ossl-remove-non-needed-_ex-OSSL-funcs.patch Normal file
View File

@ -0,0 +1,99 @@
From 446aef29b5e5d376a3724dbf95c851ac82baeb7f Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Thu, 19 Nov 2020 11:09:56 -0600
Subject: [PATCH 01/23] esys_crypto_ossl: remove non-needed _ex OSSL funcs
Some of the OSSL _ex suffixed routines remained even after the ENGINE
pointer was removed. The _ex functions with NULL engine don't do
anything different then the non _ex suffixed ones. One _ex routine
remains, RSA_generate_key_ex, becuase the _ex version is deprecated.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
src/tss2-esys/esys_crypto_ossl.c | 23 +++++++++++------------
1 file changed, 11 insertions(+), 12 deletions(-)
diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c
index 392f97ae..6856e92d 100644
--- a/src/tss2-esys/esys_crypto_ossl.c
+++ b/src/tss2-esys/esys_crypto_ossl.c
@@ -136,10 +136,9 @@ iesys_cryptossl_hash_start(IESYS_CRYPTO_CONTEXT_BLOB ** context,
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Error EVP_MD_CTX_create", cleanup);
}
- if (1 != EVP_DigestInit_ex(mycontext->hash.ossl_context,
- mycontext->hash.ossl_hash_alg,
- NULL)) {
- goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Errror EVP_DigestInit_ex", cleanup);
+ if (1 != EVP_DigestInit(mycontext->hash.ossl_context,
+ mycontext->hash.ossl_hash_alg)) {
+ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Errror EVP_DigestInit", cleanup);
}
*context = (IESYS_CRYPTO_CONTEXT_BLOB *) mycontext;
@@ -241,13 +240,13 @@ iesys_cryptossl_hash_finish(IESYS_CRYPTO_CONTEXT_BLOB ** context,
return_error(TSS2_ESYS_RC_BAD_SIZE, "Buffer too small");
}
- if (1 != EVP_DigestFinal_ex(mycontext->hash.ossl_context, buffer, &digest_size)) {
+ if (1 != EVP_DigestFinal(mycontext->hash.ossl_context, buffer, &digest_size)) {
return_error(TSS2_ESYS_RC_GENERAL_FAILURE, "Ossl error.");
}
if (digest_size != mycontext->hash.hash_len) {
return_error(TSS2_ESYS_RC_GENERAL_FAILURE,
- "Invalid size computed by EVP_DigestFinal_ex");
+ "Invalid size computed by EVP_DigestFinal");
}
LOGBLOB_TRACE(buffer, mycontext->hash.hash_len, "read hash result");
@@ -1056,11 +1055,11 @@ iesys_cryptossl_sym_aes_encrypt(uint8_t * key,
"Initialize cipher context", cleanup);
}
- if (1 != EVP_EncryptInit_ex(ctx, cipher_alg, NULL, key, iv)) {
+ if (1 != EVP_EncryptInit(ctx, cipher_alg,key, iv)) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
"Initialize cipher operation", cleanup);
}
- if (1 != EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv)) {
+ if (1 != EVP_EncryptInit(ctx, NULL, key, iv)) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Set key and iv", cleanup);
}
@@ -1069,7 +1068,7 @@ iesys_cryptossl_sym_aes_encrypt(uint8_t * key,
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Encrypt update", cleanup);
}
- if (1 != EVP_EncryptFinal_ex(ctx, buffer, &cipher_len)) {
+ if (1 != EVP_EncryptFinal(ctx, buffer, &cipher_len)) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Encrypt final", cleanup);
}
LOGBLOB_TRACE(buffer, buffer_size, "IESYS AES output");
@@ -1144,12 +1143,12 @@ iesys_cryptossl_sym_aes_decrypt(uint8_t * key,
LOGBLOB_TRACE(buffer, buffer_size, "IESYS AES input");
- if (1 != EVP_DecryptInit_ex(ctx, cipher_alg, NULL, key, iv)) {
+ if (1 != EVP_DecryptInit(ctx, cipher_alg, key, iv)) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
"Initialize cipher operation", cleanup);
}
- if (1 != EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv)) {
+ if (1 != EVP_DecryptInit(ctx, NULL, key, iv)) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Set key and iv", cleanup);
}
@@ -1158,7 +1157,7 @@ iesys_cryptossl_sym_aes_decrypt(uint8_t * key,
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Encrypt update", cleanup);
}
- if (1 != EVP_DecryptFinal_ex(ctx, buffer, &cipher_len)) {
+ if (1 != EVP_DecryptFinal(ctx, buffer, &cipher_len)) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Encrypt final", cleanup);
}
LOGBLOB_TRACE(buffer, buffer_size, "IESYS AES output");
--
2.34.3

63
SOURCES/0002-FAPI-Remove-useless-code-get_engine.patch Normal file
View File

@ -0,0 +1,63 @@
From 53a5ba5c8476097fb5145cee4bed61b82d0cc225 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
Date: Mon, 7 Jun 2021 09:47:30 +0200
Subject: [PATCH 02/23] FAPI: Remove useless code get_engine.
The function did always return NULL. So the default engine was used.
Fixes #2085
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
---
src/tss2-fapi/fapi_crypto.c | 22 +---------------------
1 file changed, 1 insertion(+), 21 deletions(-)
diff --git a/src/tss2-fapi/fapi_crypto.c b/src/tss2-fapi/fapi_crypto.c
index c50b5f0a..9c7e566c 100644
--- a/src/tss2-fapi/fapi_crypto.c
+++ b/src/tss2-fapi/fapi_crypto.c
@@ -56,9 +56,6 @@ typedef struct _IFAPI_CRYPTO_CONTEXT {
size_t hashSize;
} IFAPI_CRYPTO_CONTEXT;
-/** A singleton crypto engine for hash operations */
-static ENGINE *engine = NULL;
-
/**
* Returns the signature scheme that is currently used in the FAPI context.
*
@@ -228,23 +225,6 @@ ifapi_bn2binpad(const BIGNUM *bn, unsigned char *bin, int binSize)
return 1;
}
-/**
- * Returns the singleton hash engine for the use in ifapi_hash operations. If
- * it does not yet exist, this function creates it.
- *
- * @retval A singleton hash engine
- */
-static ENGINE *
-get_engine()
-{
- /* If an engine is present, it is returned */
- if (engine)
- return engine;
- /* Otherwise, engine is created and returned */
- engine = ENGINE_by_id(NULL);
- return engine;
-}
-
/**
* Returns a suitable openSSL hash algorithm identifier for a given TSS hash
* algorithm identifier.
@@ -1558,7 +1538,7 @@ ifapi_crypto_hash_start(IFAPI_CRYPTO_CONTEXT_BLOB **context,
}
if (1 != EVP_DigestInit_ex(mycontext->osslContext,
- mycontext->osslHashAlgorithm, get_engine())) {
+ mycontext->osslHashAlgorithm, NULL)) {
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Error EVP_DigestInit_ex",
cleanup);
}
--
2.34.3

40
SOURCES/0003-FAPI-Remove-fauly-free-of-an-unused-field.patch Normal file
View File

@ -0,0 +1,40 @@
From 29f7b2855a9d1378bb8a757564e1f0367a84cb70 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
Date: Tue, 3 Aug 2021 16:24:41 +0200
Subject: [PATCH 03/23] FAPI: Remove fauly free of an unused field.
The field out_data in IFAPI_Data_EncryptDecrypt was not used but freed in Fapi_Encrypt.
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
---
src/tss2-fapi/api/Fapi_Encrypt.c | 1 -
src/tss2-fapi/fapi_int.h | 1 -
2 files changed, 2 deletions(-)
diff --git a/src/tss2-fapi/api/Fapi_Encrypt.c b/src/tss2-fapi/api/Fapi_Encrypt.c
index 2e892351..af8e2c58 100644
--- a/src/tss2-fapi/api/Fapi_Encrypt.c
+++ b/src/tss2-fapi/api/Fapi_Encrypt.c
@@ -405,7 +405,6 @@ error_cleanup:
SAFE_FREE(tpmCipherText);
SAFE_FREE(command->keyPath);
SAFE_FREE(command->in_data);
- SAFE_FREE(command->out_data);
ifapi_session_clean(context);
LOG_TRACE("finished");
return r;
diff --git a/src/tss2-fapi/fapi_int.h b/src/tss2-fapi/fapi_int.h
index 90707da1..13c0333e 100644
--- a/src/tss2-fapi/fapi_int.h
+++ b/src/tss2-fapi/fapi_int.h
@@ -386,7 +386,6 @@ typedef struct {
uint8_t const *in_data;
size_t in_dataSize;
IFAPI_OBJECT *key_object; /**< The IPAPI object for the encryption key */
- uint8_t *out_data; /**< The output of symmetric encrypt/decryption */
ESYS_TR key_handle; /**< The ESYS handle of the encryption key */
size_t numBytes; /**< The number of bytes of a ESYS request */
size_t decrypt; /**< Switch whether to encrypt or decrypt */
--
2.34.3

44
SOURCES/0004-Remove-deprecated-OpenSSL_add_all_algorithms.patch Normal file
View File

@ -0,0 +1,44 @@
From 3a5967ba620849839e71ee304c09a6998109466a Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Mon, 2 Aug 2021 15:50:26 +0200
Subject: [PATCH 04/23] Remove deprecated OpenSSL_add_all_algorithms
From OpenSSL 1.1.0 it is deprecated. No explicit initialisation or
de-initialisation is required.
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
src/tss2-esys/esys_crypto_ossl.c | 2 +-
src/tss2-fapi/ifapi_get_intl_cert.c | 3 ---
2 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c
index 6856e92d..ab08b3b8 100644
--- a/src/tss2-esys/esys_crypto_ossl.c
+++ b/src/tss2-esys/esys_crypto_ossl.c
@@ -1173,7 +1173,7 @@ iesys_cryptossl_sym_aes_decrypt(uint8_t * key,
*
* Initialize OpenSSL internal tables.
*
- * @retval TSS2_RC_SUCCESS always returned because OpenSSL_add_all_algorithms
+ * @retval TSS2_RC_SUCCESS always returned
* does not deliver
* a return code.
*/
diff --git a/src/tss2-fapi/ifapi_get_intl_cert.c b/src/tss2-fapi/ifapi_get_intl_cert.c
index 9290a17e..35186e62 100644
--- a/src/tss2-fapi/ifapi_get_intl_cert.c
+++ b/src/tss2-fapi/ifapi_get_intl_cert.c
@@ -375,9 +375,6 @@ out_free_json:
json_object_put(jso);
out:
- /* In some case this call was necessary after curl usage */
- OpenSSL_add_all_algorithms();
-
free(hash);
if (rc == 0) {
return TSS2_RC_SUCCESS;
--
2.34.3

657
SOURCES/0005-Use-default-OpenSSL-context-for-internal-crypto-oper.patch Normal file
View File

@ -0,0 +1,657 @@
From 5b777f29fd612f9972d416ed77b90156e2373e9f Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Wed, 25 Aug 2021 14:02:38 +0200
Subject: [PATCH 05/23] Use default OpenSSL context for internal crypto
operations
The TPM2 provider may be loaded in the global library context.
As we don't want the TPM to be called for some operations, we have
to initialize own library context with the default provider.
This is similar to the RAND_set_rand_method dance with older OpenSSL.
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
src/tss2-esys/esys_crypto_ossl.c | 175 ++++++++++++++++++++++---------
src/tss2-fapi/fapi_crypto.c | 152 ++++++++++++++++++---------
2 files changed, 225 insertions(+), 102 deletions(-)
diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c
index ab08b3b8..35af2028 100644
--- a/src/tss2-esys/esys_crypto_ossl.c
+++ b/src/tss2-esys/esys_crypto_ossl.c
@@ -66,38 +66,101 @@ typedef struct _IESYS_CRYPTO_CONTEXT {
} type; /**< The type of context to hold; hash or hmac */
union {
struct {
- EVP_MD_CTX *ossl_context;
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
const EVP_MD *ossl_hash_alg;
+#else
+ OSSL_LIB_CTX *ossl_libctx;
+ EVP_MD *ossl_hash_alg;
+#endif
+ EVP_MD_CTX *ossl_context;
size_t hash_len;
- } hash; /**< the state variables for a hash context */
- struct {
- EVP_MD_CTX *ossl_context;
- const EVP_MD *ossl_hash_alg;
- size_t hmac_len;
- } hmac; /**< the state variables for an hmac context */
+ } hash; /**< the state variables for a HASH or HMAC context */
};
} IESYS_CRYPTOSSL_CONTEXT;
-const EVP_MD *
+static IESYS_CRYPTOSSL_CONTEXT *
+iesys_cryptossl_context_new() {
+ IESYS_CRYPTOSSL_CONTEXT *ctx;
+
+ if (!(ctx = calloc(1, sizeof(IESYS_CRYPTOSSL_CONTEXT))))
+ return NULL;
+
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ /* The TPM2 provider may be loaded in the global library context.
+ * As we don't want the TPM to be called for these operations, we have
+ * to initialize own library context with the default provider. */
+ if (!(ctx->hash.ossl_libctx = OSSL_LIB_CTX_new())) {
+ SAFE_FREE(ctx);
+ return NULL;
+ }
+#endif
+ return ctx;
+}
+
+static void
+iesys_cryptossl_context_free(IESYS_CRYPTOSSL_CONTEXT *ctx) {
+ if (!ctx)
+ return;
+
+ EVP_MD_CTX_free(ctx->hash.ossl_context);
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ EVP_MD_free(ctx->hash.ossl_hash_alg);
+ OSSL_LIB_CTX_free(ctx->hash.ossl_libctx);
+#endif
+ SAFE_FREE(ctx);
+}
+
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+static const EVP_MD *
get_ossl_hash_md(TPM2_ALG_ID hashAlg)
{
switch (hashAlg) {
case TPM2_ALG_SHA1:
return EVP_sha1();
- break;
case TPM2_ALG_SHA256:
return EVP_sha256();
- break;
case TPM2_ALG_SHA384:
return EVP_sha384();
- break;
case TPM2_ALG_SHA512:
return EVP_sha512();
- break;
default:
return NULL;
}
}
+#else
+static const char *
+get_ossl_hash_md(TPM2_ALG_ID hashAlg)
+{
+ switch (hashAlg) {
+ case TPM2_ALG_SHA1:
+ return "SHA1";
+ case TPM2_ALG_SHA256:
+ return "SHA256";
+ case TPM2_ALG_SHA384:
+ return "SHA384";
+ case TPM2_ALG_SHA512:
+ return "SHA512";
+ default:
+ return NULL;
+ }
+}
+#endif
+
+static int
+iesys_cryptossl_context_set_hash_md(IESYS_CRYPTOSSL_CONTEXT *ctx, TPM2_ALG_ID hashAlg) {
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ ctx->hash.ossl_hash_alg = get_ossl_hash_md(hashAlg);
+#else
+ const char *alg_name = get_ossl_hash_md(hashAlg);
+ if (!alg_name)
+ return 0;
+ ctx->hash.ossl_hash_alg = EVP_MD_fetch(ctx->hash.ossl_libctx, alg_name, NULL);
+#endif
+ if (!ctx->hash.ossl_hash_alg)
+ return 0;
+
+ return 1;
+}
/** Provide the context for the computation of a hash digest.
*
@@ -117,12 +180,12 @@ iesys_cryptossl_hash_start(IESYS_CRYPTO_CONTEXT_BLOB ** context,
LOG_TRACE("call: context=%p hashAlg=%"PRIu16, context, hashAlg);
return_if_null(context, "Context is NULL", TSS2_ESYS_RC_BAD_REFERENCE);
return_if_null(context, "Null-Pointer passed for context", TSS2_ESYS_RC_BAD_REFERENCE);
- IESYS_CRYPTOSSL_CONTEXT *mycontext;
- mycontext = calloc(1, sizeof(IESYS_CRYPTOSSL_CONTEXT));
+
+ IESYS_CRYPTOSSL_CONTEXT *mycontext = iesys_cryptossl_context_new();
return_if_null(mycontext, "Out of Memory", TSS2_ESYS_RC_MEMORY);
mycontext->type = IESYS_CRYPTOSSL_TYPE_HASH;
- if (!(mycontext->hash.ossl_hash_alg = get_ossl_hash_md(hashAlg))) {
+ if (!iesys_cryptossl_context_set_hash_md(mycontext, hashAlg)) {
goto_error(r, TSS2_ESYS_RC_NOT_IMPLEMENTED,
"Unsupported hash algorithm (%"PRIu16")", cleanup, hashAlg);
}
@@ -132,12 +195,12 @@ iesys_cryptossl_hash_start(IESYS_CRYPTO_CONTEXT_BLOB ** context,
"Unsupported hash algorithm (%"PRIu16")", cleanup, hashAlg);
}
- if (!(mycontext->hash.ossl_context = EVP_MD_CTX_create())) {
+ if (!(mycontext->hash.ossl_context = EVP_MD_CTX_create())) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Error EVP_MD_CTX_create", cleanup);
}
if (1 != EVP_DigestInit(mycontext->hash.ossl_context,
- mycontext->hash.ossl_hash_alg)) {
+ mycontext->hash.ossl_hash_alg)) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Errror EVP_DigestInit", cleanup);
}
@@ -146,9 +209,7 @@ iesys_cryptossl_hash_start(IESYS_CRYPTO_CONTEXT_BLOB ** context,
return TSS2_RC_SUCCESS;
cleanup:
- if (mycontext->hash.ossl_context)
- EVP_MD_CTX_destroy(mycontext->hash.ossl_context);
- SAFE_FREE(mycontext);
+ iesys_cryptossl_context_free(mycontext);
return r;
}
@@ -252,8 +313,8 @@ iesys_cryptossl_hash_finish(IESYS_CRYPTO_CONTEXT_BLOB ** context,
LOGBLOB_TRACE(buffer, mycontext->hash.hash_len, "read hash result");
*size = mycontext->hash.hash_len;
- EVP_MD_CTX_destroy(mycontext->hash.ossl_context);
- free(mycontext);
+
+ iesys_cryptossl_context_free(mycontext);
*context = NULL;
return TSS2_RC_SUCCESS;
@@ -279,8 +340,7 @@ iesys_cryptossl_hash_abort(IESYS_CRYPTO_CONTEXT_BLOB ** context)
return;
}
- EVP_MD_CTX_destroy(mycontext->hash.ossl_context);
- free(mycontext);
+ iesys_cryptossl_context_free(mycontext);
*context = NULL;
}
@@ -313,20 +373,20 @@ iesys_cryptossl_hmac_start(IESYS_CRYPTO_CONTEXT_BLOB ** context,
return_error(TSS2_ESYS_RC_BAD_REFERENCE,
"Null-Pointer passed in for context");
}
- IESYS_CRYPTOSSL_CONTEXT *mycontext = calloc(1, sizeof(IESYS_CRYPTOSSL_CONTEXT));
+ IESYS_CRYPTOSSL_CONTEXT *mycontext = iesys_cryptossl_context_new();
return_if_null(mycontext, "Out of Memory", TSS2_ESYS_RC_MEMORY);
- if (!(mycontext->hmac.ossl_hash_alg = get_ossl_hash_md(hashAlg))) {
+ if (!iesys_cryptossl_context_set_hash_md(mycontext, hashAlg)) {
goto_error(r, TSS2_ESYS_RC_NOT_IMPLEMENTED,
"Unsupported hash algorithm (%"PRIu16")", cleanup, hashAlg);
}
- if (iesys_crypto_hash_get_digest_size(hashAlg, &mycontext->hmac.hmac_len)) {
+ if (iesys_crypto_hash_get_digest_size(hashAlg, &mycontext->hash.hash_len)) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
"Unsupported hash algorithm (%"PRIu16")", cleanup, hashAlg);
}
- if (!(mycontext->hmac.ossl_context = EVP_MD_CTX_create())) {
+ if (!(mycontext->hash.ossl_context = EVP_MD_CTX_create())) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
"Error EVP_MD_CTX_create", cleanup);
}
@@ -341,8 +401,8 @@ iesys_cryptossl_hmac_start(IESYS_CRYPTO_CONTEXT_BLOB ** context,
"Failed to create HMAC key", cleanup);
}
- if(1 != EVP_DigestSignInit(mycontext->hmac.ossl_context, NULL,
- mycontext->hmac.ossl_hash_alg, NULL, hkey)) {
+ if(1 != EVP_DigestSignInit(mycontext->hash.ossl_context, NULL,
+ mycontext->hash.ossl_hash_alg, NULL, hkey)) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
"DigestSignInit", cleanup);
}
@@ -356,11 +416,9 @@ iesys_cryptossl_hmac_start(IESYS_CRYPTO_CONTEXT_BLOB ** context,
return TSS2_RC_SUCCESS;
cleanup:
- if (mycontext->hmac.ossl_context)
- EVP_MD_CTX_destroy(mycontext->hmac.ossl_context);
if(hkey)
EVP_PKEY_free(hkey);
- SAFE_FREE(mycontext);
+ iesys_cryptossl_context_free(mycontext);
return r;
}
@@ -391,7 +449,7 @@ iesys_cryptossl_hmac_update(IESYS_CRYPTO_CONTEXT_BLOB * context,
LOGBLOB_TRACE(buffer, size, "Updating hmac with");
/* Call update with the message */
- if(1 != EVP_DigestSignUpdate(mycontext->hmac.ossl_context, buffer, size)) {
+ if(1 != EVP_DigestSignUpdate(mycontext->hash.ossl_context, buffer, size)) {
return_error(TSS2_ESYS_RC_GENERAL_FAILURE, "OSSL HMAC update");
}
@@ -448,19 +506,18 @@ iesys_cryptossl_hmac_finish(IESYS_CRYPTO_CONTEXT_BLOB ** context,
return_error(TSS2_ESYS_RC_BAD_REFERENCE, "bad context");
}
- if (*size < mycontext->hmac.hmac_len) {
+ if (*size < mycontext->hash.hash_len) {
return_error(TSS2_ESYS_RC_BAD_SIZE, "Buffer too small");
}
- if (1 != EVP_DigestSignFinal(mycontext->hmac.ossl_context, buffer, size)) {
+ if (1 != EVP_DigestSignFinal(mycontext->hash.ossl_context, buffer, size)) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "DigestSignFinal", cleanup);
}
LOGBLOB_TRACE(buffer, *size, "read hmac result");
cleanup:
- EVP_MD_CTX_destroy(mycontext->hmac.ossl_context);
- SAFE_FREE(mycontext);
+ iesys_cryptossl_context_free(mycontext);
*context = NULL;
return r;
}
@@ -510,9 +567,7 @@ iesys_cryptossl_hmac_abort(IESYS_CRYPTO_CONTEXT_BLOB ** context)
return;
}
- EVP_MD_CTX_destroy(mycontext->hmac.ossl_context);
-
- free(mycontext);
+ iesys_cryptossl_context_free(mycontext);
*context = NULL;
}
}
@@ -529,9 +584,14 @@ iesys_cryptossl_hmac_abort(IESYS_CRYPTO_CONTEXT_BLOB ** context)
TSS2_RC
iesys_cryptossl_random2b(TPM2B_NONCE * nonce, size_t num_bytes)
{
+ int rc;
#if OPENSSL_VERSION_NUMBER < 0x30000000L
const RAND_METHOD *rand_save = RAND_get_rand_method();
RAND_set_rand_method(RAND_OpenSSL());
+#else
+ OSSL_LIB_CTX *libctx = OSSL_LIB_CTX_new();
+ if (!libctx)
+ return TSS2_ESYS_RC_MEMORY;
#endif
if (num_bytes == 0) {
@@ -540,16 +600,16 @@ iesys_cryptossl_random2b(TPM2B_NONCE * nonce, size_t num_bytes)
nonce->size = num_bytes;
}
- if (1 != RAND_bytes(&nonce->buffer[0], nonce->size)) {
#if OPENSSL_VERSION_NUMBER < 0x30000000L
- RAND_set_rand_method(rand_save);
+ rc = RAND_bytes(&nonce->buffer[0], nonce->size);
+ RAND_set_rand_method(rand_save);
+#else
+ rc = RAND_bytes_ex(libctx, &nonce->buffer[0], nonce->size, 0);
+ OSSL_LIB_CTX_free(libctx);
#endif
+ if (rc != 1)
return_error(TSS2_ESYS_RC_GENERAL_FAILURE,
"Failure in random number generator.");
- }
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
- RAND_set_rand_method(rand_save);
-#endif
return TSS2_RC_SUCCESS;
}
@@ -578,28 +638,37 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
{
#if OPENSSL_VERSION_NUMBER < 0x30000000L
RSA *rsa_key = NULL;
+ const EVP_MD * hashAlg = NULL;
const RAND_METHOD *rand_save = RAND_get_rand_method();
RAND_set_rand_method(RAND_OpenSSL());
#else
+ OSSL_LIB_CTX *libctx = NULL;
+ EVP_MD * hashAlg = NULL;
OSSL_PARAM *params = NULL;
OSSL_PARAM_BLD *build = NULL;
#endif
TSS2_RC r = TSS2_RC_SUCCESS;
- const EVP_MD * hashAlg = NULL;
EVP_PKEY *evp_rsa_key = NULL;
EVP_PKEY_CTX *genctx = NULL, *ctx = NULL;
BIGNUM *bne = NULL, *n = NULL;
int padding;
char *label_copy = NULL;
- if (!(hashAlg = get_ossl_hash_md(pub_tpm_key->publicArea.nameAlg))) {
- LOG_ERROR("Unsupported hash algorithm (%"PRIu16")",
- pub_tpm_key->publicArea.nameAlg);
#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ if (!(hashAlg = get_ossl_hash_md(pub_tpm_key->publicArea.nameAlg))) {
RAND_set_rand_method(rand_save);
+#else
+ if (!(libctx = OSSL_LIB_CTX_new()))
+ return TSS2_ESYS_RC_MEMORY;
+
+ if (!(hashAlg = EVP_MD_fetch(libctx,
+ get_ossl_hash_md(pub_tpm_key->publicArea.nameAlg), NULL))) {
+ OSSL_LIB_CTX_free(libctx);
#endif
+ LOG_ERROR("Unsupported hash algorithm (%"PRIu16")",
+ pub_tpm_key->publicArea.nameAlg);
return TSS2_ESYS_RC_NOT_IMPLEMENTED;
}
@@ -673,7 +742,7 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
cleanup);
}
- if ((genctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL)) == NULL
+ if ((genctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA", NULL)) == NULL
|| EVP_PKEY_fromdata_init(genctx) <= 0
|| EVP_PKEY_fromdata(genctx, &evp_rsa_key, EVP_PKEY_PUBLIC_KEY, params) <= 0) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Could not create rsa key.",
@@ -744,6 +813,8 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
#else
OSSL_FREE(params, OSSL_PARAM);
OSSL_FREE(build, OSSL_PARAM_BLD);
+ OSSL_FREE(hashAlg, EVP_MD);
+ OSSL_FREE(libctx, OSSL_LIB_CTX);
#endif
return r;
}
diff --git a/src/tss2-fapi/fapi_crypto.c b/src/tss2-fapi/fapi_crypto.c
index 9c7e566c..d061cf48 100644
--- a/src/tss2-fapi/fapi_crypto.c
+++ b/src/tss2-fapi/fapi_crypto.c
@@ -48,14 +48,34 @@
/** Context to hold temporary values for ifapi_crypto */
typedef struct _IFAPI_CRYPTO_CONTEXT {
- /** The hash engine's context */
- EVP_MD_CTX *osslContext;
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
/** The currently used hash algorithm */
const EVP_MD *osslHashAlgorithm;
+#else
+ OSSL_LIB_CTX *libctx;
+ /** The currently used hash algorithm */
+ EVP_MD *osslHashAlgorithm;
+#endif
+ /** The hash engine's context */
+ EVP_MD_CTX *osslContext;
/** The size of the hash's digest */
size_t hashSize;
} IFAPI_CRYPTO_CONTEXT;
+static void
+ifapi_crypto_context_free(IFAPI_CRYPTO_CONTEXT *ctx)
+{
+ if (!ctx)
+ return;
+
+ EVP_MD_CTX_destroy(ctx->osslContext);
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ EVP_MD_free(ctx->osslHashAlgorithm);
+ OSSL_LIB_CTX_free(ctx->libctx);
+#endif
+ SAFE_FREE(ctx);
+}
+
/**
* Returns the signature scheme that is currently used in the FAPI context.
*
@@ -225,6 +245,33 @@ ifapi_bn2binpad(const BIGNUM *bn, unsigned char *bin, int binSize)
return 1;
}
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+/**
+ * Converts a TSS hash algorithm identifier into an OpenSSL hash algorithm
+ * identifier object.
+ *
+ * @param[in] hashAlgorithm The TSS hash algorithm identifier to convert
+ *
+ * @retval A suitable OpenSSL identifier object if one could be found
+ * @retval NULL if no suitable identifier object could be found
+ */
+static const EVP_MD *
+get_ossl_hash_md(TPM2_ALG_ID hashAlgorithm)
+{
+ switch (hashAlgorithm) {
+ case TPM2_ALG_SHA1:
+ return EVP_sha1();
+ case TPM2_ALG_SHA256:
+ return EVP_sha256();
+ case TPM2_ALG_SHA384:
+ return EVP_sha384();
+ case TPM2_ALG_SHA512:
+ return EVP_sha512();
+ default:
+ return NULL;
+ }
+}
+#else
/**
* Returns a suitable openSSL hash algorithm identifier for a given TSS hash
* algorithm identifier.
@@ -235,22 +282,23 @@ ifapi_bn2binpad(const BIGNUM *bn, unsigned char *bin, int binSize)
* hashAlgorithm could be found
* @retval NULL if no suitable hash algorithm identifier could be found
*/
-static const EVP_MD *
+static const char *
get_hash_md(TPM2_ALG_ID hashAlgorithm)
{
switch (hashAlgorithm) {
case TPM2_ALG_SHA1:
- return EVP_sha1();
+ return "SHA1";
case TPM2_ALG_SHA256:
- return EVP_sha256();
+ return "SHA256";
case TPM2_ALG_SHA384:
- return EVP_sha384();
+ return "SHA384";
case TPM2_ALG_SHA512:
- return EVP_sha512();
+ return "SHA512";
default:
return NULL;
}
}
+#endif
/**
* Returns a suitable openSSL RSA signature scheme identifiver for a given TSS
@@ -1274,6 +1322,9 @@ ifapi_verify_signature_quote(
BIO *bufio = NULL;
EVP_PKEY_CTX *pctx = NULL;
EVP_MD_CTX *mdctx = NULL;
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ OSSL_LIB_CTX *libctx = NULL;
+#endif
/* Check whether or not the key is valid */
if (keyObject->objectType == IFAPI_KEY_OBJ) {
@@ -1304,8 +1355,8 @@ ifapi_verify_signature_quote(
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "EVP_MD_CTX_create",
error_cleanup);
}
-
- const EVP_MD *hashAlgorithm = get_hash_md(signatureScheme->details.any.hashAlg);
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ const EVP_MD *hashAlgorithm = get_ossl_hash_md(signatureScheme->details.any.hashAlg);
if (!hashAlgorithm) {
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Invalid hash alg.",
error_cleanup);
@@ -1316,6 +1367,26 @@ ifapi_verify_signature_quote(
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "EVP_DigestVerifyInit",
error_cleanup);
}
+#else
+ const char *hashAlgorithm = get_hash_md(signatureScheme->details.any.hashAlg);
+ if (!hashAlgorithm) {
+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Invalid hash alg.",
+ error_cleanup);
+ }
+
+ /* The TPM2 provider may be loaded in the global library context.
+ * As we don't want the TPM to be called for these operations, we have
+ * to initialize own library context with the default provider. */
+ libctx = OSSL_LIB_CTX_new();
+ goto_if_null(libctx, "Out of memory", TSS2_FAPI_RC_MEMORY, error_cleanup);
+
+ /* Verify the digest of the signature */
+ if (1 != EVP_DigestVerifyInit_ex(mdctx, &pctx, hashAlgorithm, libctx,
+ NULL, publicKey, NULL)) {
+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "EVP_DigestVerifyInit_ex",
+ error_cleanup);
+ }
+#endif
goto_if_null(pctx, "Out of memory", TSS2_FAPI_RC_MEMORY, error_cleanup);
if (EVP_PKEY_type(EVP_PKEY_id(publicKey)) == EVP_PKEY_RSA) {
int padding = get_sig_scheme(signatureScheme->scheme);
@@ -1339,12 +1410,13 @@ ifapi_verify_signature_quote(
}
error_cleanup:
- if (mdctx != NULL) {
- EVP_MD_CTX_destroy(mdctx);
- }
+ EVP_MD_CTX_destroy(mdctx);
SAFE_FREE(public_pem_key);
EVP_PKEY_free(publicKey);
BIO_free(bufio);
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ OSSL_LIB_CTX_free(libctx);
+#endif
return r;
}
@@ -1464,36 +1536,6 @@ ifapi_hash_get_digest_size(TPM2_ALG_ID hashAlgorithm)
}
}
-/**
- * Converts a TSS hash algorithm identifier into an OpenSSL hash algorithm
- * identifier object.
- *
- * @param[in] hashAlgorithm The TSS hash algorithm identifier to convert
- *
- * @retval A suitable OpenSSL identifier object if one could be found
- * @retval NULL if no suitable identifier object could be found
- */
-static const EVP_MD *
-get_ossl_hash_md(TPM2_ALG_ID hashAlgorithm)
-{
- switch (hashAlgorithm) {
- case TPM2_ALG_SHA1:
- return EVP_sha1();
- break;
- case TPM2_ALG_SHA256:
- return EVP_sha256();
- break;
- case TPM2_ALG_SHA384:
- return EVP_sha384();
- break;
- case TPM2_ALG_SHA512:
- return EVP_sha512();
- break;
- default:
- return NULL;
- }
-}
-
/**
* Starts the computation of a hash digest.
*
@@ -1520,11 +1562,26 @@ ifapi_crypto_hash_start(IFAPI_CRYPTO_CONTEXT_BLOB **context,
mycontext = calloc(1, sizeof(IFAPI_CRYPTO_CONTEXT));
return_if_null(mycontext, "Out of memory", TSS2_FAPI_RC_MEMORY);
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
if (!(mycontext->osslHashAlgorithm = get_ossl_hash_md(hashAlgorithm))) {
goto_error(r, TSS2_FAPI_RC_BAD_VALUE,
"Unsupported hash algorithm (%" PRIu16 ")", cleanup,
hashAlgorithm);
}
+#else
+ /* The TPM2 provider may be loaded in the global library context.
+ * As we don't want the TPM to be called for these operations, we have
+ * to initialize own library context with the default provider. */
+ mycontext->libctx = OSSL_LIB_CTX_new();
+ return_if_null(mycontext->libctx, "Out of memory", TSS2_FAPI_RC_MEMORY);
+
+ if (!(mycontext->osslHashAlgorithm =
+ EVP_MD_fetch(mycontext->libctx, get_hash_md(hashAlgorithm), NULL))) {
+ goto_error(r, TSS2_FAPI_RC_BAD_VALUE,
+ "Unsupported hash algorithm (%" PRIu16 ")", cleanup,
+ hashAlgorithm);
+ }
+#endif
if (!(mycontext->hashSize = ifapi_hash_get_digest_size(hashAlgorithm))) {
goto_error(r, TSS2_FAPI_RC_BAD_VALUE,
@@ -1548,10 +1605,7 @@ ifapi_crypto_hash_start(IFAPI_CRYPTO_CONTEXT_BLOB **context,
return TSS2_RC_SUCCESS;
cleanup:
- if (mycontext->osslContext)
- EVP_MD_CTX_destroy(mycontext->osslContext);
- SAFE_FREE(mycontext);
-
+ ifapi_crypto_context_free(mycontext);
return r;
}
@@ -1630,8 +1684,7 @@ ifapi_crypto_hash_finish(IFAPI_CRYPTO_CONTEXT_BLOB **context,
}
/* Finalize the hash context */
- EVP_MD_CTX_destroy(mycontext->osslContext);
- free(mycontext);
+ ifapi_crypto_context_free(mycontext);
*context = NULL;
return TSS2_RC_SUCCESS;
@@ -1653,8 +1706,7 @@ ifapi_crypto_hash_abort(IFAPI_CRYPTO_CONTEXT_BLOB **context)
}
IFAPI_CRYPTO_CONTEXT *mycontext = (IFAPI_CRYPTO_CONTEXT *) * context;
- EVP_MD_CTX_destroy(mycontext->osslContext);
- free(mycontext);
+ ifapi_crypto_context_free(mycontext);
*context = NULL;
}
--
2.34.3

70
SOURCES/0006-FAPI-Add-policy-computation-for-create-primary.patch Normal file
View File

@ -0,0 +1,70 @@
From 5ecd682797d2744d4a03c82ee5907db6766bcff1 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
Date: Tue, 12 Oct 2021 11:19:41 +0200
Subject: [PATCH 06/23] FAPI: Add policy computation for create primary.
The policy digest for primary keys was only computed for keys created during provisioning.
Now the policy digest is also computed for primary keys create with Fapi_CreateKey.
Fixes #2175.
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
---
src/tss2-fapi/fapi_int.h | 1 +
src/tss2-fapi/fapi_util.c | 29 +++++++++++++++++++++++++++++
2 files changed, 30 insertions(+)
diff --git a/src/tss2-fapi/fapi_int.h b/src/tss2-fapi/fapi_int.h
index 13c0333e..d13ec413 100644
--- a/src/tss2-fapi/fapi_int.h
+++ b/src/tss2-fapi/fapi_int.h
@@ -341,6 +341,7 @@ enum IFAPI_KEY_CREATE_STATE {
KEY_CREATE_FLUSH1,
KEY_CREATE_FLUSH2,
KEY_CREATE_CALCULATE_POLICY,
+ KEY_CREATE_PRIMARY_CALCULATE_POLICY,
KEY_CREATE_WAIT_FOR_AUTHORIZATION,
KEY_CREATE_CLEANUP,
KEY_CREATE_WAIT_FOR_RANDOM,
diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
index a5fc28a3..a0fd714e 100644
--- a/src/tss2-fapi/fapi_util.c
+++ b/src/tss2-fapi/fapi_util.c
@@ -4539,6 +4539,35 @@ ifapi_create_primary(
"hierarchy.", error_cleanup);
}
+ if (context->cmd.Key_Create.policyPath
+ && strcmp(context->cmd.Key_Create.policyPath, "") != 0)
+ context->cmd.Key_Create.state = KEY_CREATE_PRIMARY_CALCULATE_POLICY;
+ /* else jump over to KEY_CREATE_PRIMARY_WAIT_FOR_SESSION below */
+ /* FALLTHRU */
+ case KEY_CREATE_PRIMARY_CALCULATE_POLICY:
+ if (context->cmd.Key_Create.state == KEY_CREATE_PRIMARY_CALCULATE_POLICY) {
+ r = ifapi_calculate_tree(context, context->cmd.Key_Create.policyPath,
+ &context->policy.policy,
+ context->cmd.Key_Create.public_templ.public.publicArea.nameAlg,
+ &context->policy.digest_idx,
+ &context->policy.hash_size);
+ return_try_again(r);
+ goto_if_error2(r, "Calculate policy tree %s", error_cleanup,
+ context->cmd.Key_Create.policyPath);
+
+ /* Store the calculated policy in the key object */
+ object->policy = calloc(1, sizeof(TPMS_POLICY));
+ return_if_null(object->policy, "Out of memory",
+ TSS2_FAPI_RC_MEMORY);
+ *(object->policy) = context->policy.policy;
+
+ context->cmd.Key_Create.public_templ.public.publicArea.authPolicy.size =
+ context->policy.hash_size;
+ memcpy(&context->cmd.Key_Create.public_templ.public.publicArea.authPolicy.buffer[0],
+ &context->policy.policy.policyDigests.digests[context->policy.digest_idx].digest,
+ context->policy.hash_size);
+ }
+
r = ifapi_get_sessions_async(context,
IFAPI_SESSION_GENEK | IFAPI_SESSION1,
TPMA_SESSION_ENCRYPT | TPMA_SESSION_DECRYPT, 0);
--
2.34.3

137
SOURCES/0007-FAPI-Fix-loading-of-primary-keys.patch Normal file
View File

@ -0,0 +1,137 @@
From 517e94ee72b286e9942a5a6ecbffd05fc0b0bcf5 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
Date: Fri, 5 Nov 2021 23:08:47 +0100
Subject: [PATCH 07/23] FAPI: Fix loading of primary keys.
Problems caused by primary keys created with Fapi_CreateKey are fixed:
* For primary keys not in all cases the unique field was cleared before calling create
primary.
* If the primary key was used for signing the object was cleared after loading. So
access e.g. to the certificate did not work.
* For primary keys created with Fapi_Create with an auth value the auth_value was
not used in inSensitive to recreate the primary key. Now the auth value callback
is used to initialize inSensitive.
Fixes #2189.
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
---
src/tss2-fapi/fapi_int.h | 1 +
src/tss2-fapi/fapi_util.c | 62 +++++++++++++++++++++++++++++++++++++--
2 files changed, 60 insertions(+), 3 deletions(-)
diff --git a/src/tss2-fapi/fapi_int.h b/src/tss2-fapi/fapi_int.h
index d13ec413..7bcf442c 100644
--- a/src/tss2-fapi/fapi_int.h
+++ b/src/tss2-fapi/fapi_int.h
@@ -768,6 +768,7 @@ enum _FAPI_STATE_PRIMARY {
PRIMARY_READ_HIERARCHY,
PRIMARY_READ_HIERARCHY_FINISH,
PRIMARY_AUTHORIZE_HIERARCHY,
+ PRIMARY_GET_AUTH_VALUE,
PRIMARY_WAIT_FOR_PRIMARY,
PRIMARY_HAUTH_SENT,
PRIMARY_CREATED,
diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
index a0fd714e..90f8b2aa 100644
--- a/src/tss2-fapi/fapi_util.c
+++ b/src/tss2-fapi/fapi_util.c
@@ -362,6 +362,52 @@ ifapi_get_object_path(IFAPI_OBJECT *object)
return NULL;
}
+/** Set authorization value for a primary key to be created.
+ *
+ * The callback which provides the auth value must be defined.
+ *
+ * @param[in,out] context The FAPI_CONTEXT.
+ * @param[in] object The auth value will be assigned to this object.
+ * @param[in,out] inSensitive The sensitive data to store the auth value.
+ *
+ * @retval TSS2_RC_SUCCESS on success.
+ * @retval TSS2_FAPI_RC_AUTHORIZATION_UNKNOWN If the callback for getting
+ * the auth value is not defined.
+ */
+TSS2_RC
+ifapi_set_auth_primary(
+ FAPI_CONTEXT *context,
+ IFAPI_OBJECT *object,
+ TPMS_SENSITIVE_CREATE *inSensitive)
+{
+ TSS2_RC r;
+ const char *auth = NULL;
+ const char *obj_path;
+
+ memset(inSensitive, 0, sizeof(TPMS_SENSITIVE_CREATE));
+
+ if (!object->misc.key.with_auth) {
+ return TSS2_RC_SUCCESS;
+ }
+
+ obj_path = ifapi_get_object_path(object);
+
+ /* Check whether callback is defined. */
+ if (context->callbacks.auth) {
+ r = context->callbacks.auth(obj_path, object->misc.key.description,
+ &auth, context->callbacks.authData);
+ return_if_error(r, "AuthCallback");
+ if (auth != NULL) {
+ inSensitive->userAuth.size = strlen(auth);
+ memcpy(&inSensitive->userAuth.buffer[0], auth,
+ inSensitive->userAuth.size);
+ }
+ return TSS2_RC_SUCCESS;
+ }
+ SAFE_FREE(auth);
+ return_error( TSS2_FAPI_RC_AUTHORIZATION_UNKNOWN, "Authorization callback not defined.");
+}
+
/** Set authorization value for a FAPI object.
*
* The callback which provides the auth value must be defined.
@@ -848,7 +894,7 @@ ifapi_load_primary_finish(FAPI_CONTEXT *context, ESYS_TR *handle)
IFAPI_KEY *pkey = &context->createPrimary.pkey_object.misc.key;
TPMS_CAPABILITY_DATA **capabilityData = &context->createPrimary.capabilityData;
TPMI_YES_NO moreData;
- ESYS_TR auth_session;
+ ESYS_TR auth_session = ESYS_TR_NONE; /* Initialized due to scanbuild */
LOG_TRACE("call");
@@ -923,12 +969,23 @@ ifapi_load_primary_finish(FAPI_CONTEXT *context, ESYS_TR *handle)
memset(&context->createPrimary.inSensitive, 0, sizeof(TPM2B_SENSITIVE_CREATE));
memset(&context->createPrimary.outsideInfo, 0, sizeof(TPM2B_DATA));
memset(&context->createPrimary.creationPCR, 0, sizeof(TPML_PCR_SELECTION));
+ fallthrough;
+
+ statecase(context->primary_state, PRIMARY_GET_AUTH_VALUE);
+ /* Get the auth value to be stored in inSensitive */
+ r = ifapi_set_auth_primary(context, pkey_object,
+ &context->createPrimary.inSensitive.sensitive);
+ return_try_again(r);
+ goto_if_error_reset_state(r, "Get auth value for primary", error_cleanup);
/* Prepare primary creation. */
+ TPM2B_PUBLIC public = pkey->public;
+ memset(&public.publicArea.unique, 0, sizeof(TPMU_PUBLIC_ID));
+
r = Esys_CreatePrimary_Async(context->esys, hierarchy->handle,
auth_session, ESYS_TR_NONE, ESYS_TR_NONE,
&context->createPrimary.inSensitive,
- &pkey->public,
+ &public,
&context->createPrimary.outsideInfo,
&context->createPrimary.creationPCR);
return_if_error(r, "CreatePrimary");
@@ -1905,7 +1962,6 @@ ifapi_load_key_finish(FAPI_CONTEXT *context, bool flush_parent)
} else {
LOG_TRACE("success");
ifapi_cleanup_ifapi_object(context->loadKey.key_object);
- ifapi_cleanup_ifapi_object(&context->loadKey.auth_object);
return TSS2_RC_SUCCESS;
}
break;
--
2.34.3

84
SOURCES/0008-Fix-file-descriptor-leak-when-tcti-initialization-fa.patch Normal file
View File

@ -0,0 +1,84 @@
From 68a7867198c84111bac3068c33d28e320df6a6f6 Mon Sep 17 00:00:00 2001
From: JerryDevis <seclab@huawei.com>
Date: Wed, 13 Oct 2021 11:26:03 +0800
Subject: [PATCH 08/23] Fix file descriptor leak when tcti initialization
failed
Signed-off-by: JerryDevis <seclab@huawei.com>
---
src/tss2-tcti/tcti-device.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/src/tss2-tcti/tcti-device.c b/src/tss2-tcti/tcti-device.c
index 94db070c..364297be 100644
--- a/src/tss2-tcti/tcti-device.c
+++ b/src/tss2-tcti/tcti-device.c
@@ -309,6 +309,16 @@ out:
return rc;
}
+static void close_tpm(int *fd)
+{
+ if (fd == NULL || *fd < 0) {
+ return;
+ }
+
+ close(*fd);
+ *fd = -1;
+}
+
void
tcti_device_finalize (
TSS2_TCTI_CONTEXT *tctiContext)
@@ -319,7 +329,7 @@ tcti_device_finalize (
if (tcti_dev == NULL) {
return;
}
- close (tcti_dev->fd);
+ close_tpm (&tcti_dev->fd);
tcti_common->state = TCTI_STATE_FINAL;
}
@@ -455,6 +465,7 @@ Tss2_Tcti_Device_Init (
ssize_t sz = write_all (tcti_dev->fd, cmd, sizeof(cmd));
if (sz < 0 || sz != sizeof(cmd)) {
LOG_ERROR ("Could not probe device for partial response read support");
+ close_tpm (&tcti_dev->fd);
return TSS2_TCTI_RC_IO_ERROR;
}
LOG_DEBUG ("Command sent, reading header");
@@ -465,12 +476,14 @@ Tss2_Tcti_Device_Init (
if (rc_poll < 0 || rc_poll == 0) {
LOG_ERROR ("Failed to poll for response from fd %d, rc %d, errno %d: %s",
tcti_dev->fd, rc_poll, errno, strerror(errno));
+ close_tpm (&tcti_dev->fd);
return TSS2_TCTI_RC_IO_ERROR;
} else if (fds.revents == POLLIN) {
TEMP_RETRY (sz, read (tcti_dev->fd, rsp, TPM_HEADER_SIZE));
if (sz < 0 || sz != TPM_HEADER_SIZE) {
LOG_ERROR ("Failed to read response header fd %d, got errno %d: %s",
tcti_dev->fd, errno, strerror (errno));
+ close_tpm (&tcti_dev->fd);
return TSS2_TCTI_RC_IO_ERROR;
}
}
@@ -482,6 +495,7 @@ Tss2_Tcti_Device_Init (
if (rc_poll < 0) {
LOG_DEBUG ("Failed to poll for response from fd %d, rc %d, errno %d: %s",
tcti_dev->fd, rc_poll, errno, strerror(errno));
+ close_tpm (&tcti_dev->fd);
return TSS2_TCTI_RC_IO_ERROR;
} else if (rc_poll == 0) {
LOG_ERROR ("timeout waiting for response from fd %d", tcti_dev->fd);
@@ -495,7 +509,7 @@ Tss2_Tcti_Device_Init (
LOG_DEBUG ("Failed to get response tail fd %d, got errno %d: %s",
tcti_dev->fd, errno, strerror (errno));
tcti_common->partial_read_supported = 0;
- close(tcti_dev->fd);
+ close_tpm (&tcti_dev->fd);
tcti_dev->fd = open_tpm (used_conf);
if (tcti_dev->fd < 0) {
LOG_ERROR ("Failed to open specified TCTI device file %s: %s",
--
2.34.3

28
SOURCES/0009-FAPI-Fix-leak-in-fapi-crypto-with-ossl3.patch Normal file
View File

@ -0,0 +1,28 @@
From e1b4d9fd5b796711b38475c381a168a99003163c Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
Date: Thu, 2 Dec 2021 09:17:15 +0100
Subject: [PATCH 09/23] FAPI: Fix leak in fapi crypto with ossl3
A leak in the case "out of memory" detected by scan-build was fixed.
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
---
src/tss2-fapi/fapi_crypto.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tss2-fapi/fapi_crypto.c b/src/tss2-fapi/fapi_crypto.c
index d061cf48..fd7ea555 100644
--- a/src/tss2-fapi/fapi_crypto.c
+++ b/src/tss2-fapi/fapi_crypto.c
@@ -1573,7 +1573,7 @@ ifapi_crypto_hash_start(IFAPI_CRYPTO_CONTEXT_BLOB **context,
* As we don't want the TPM to be called for these operations, we have
* to initialize own library context with the default provider. */
mycontext->libctx = OSSL_LIB_CTX_new();
- return_if_null(mycontext->libctx, "Out of memory", TSS2_FAPI_RC_MEMORY);
+ goto_if_null(mycontext->libctx, "Out of memory", TSS2_FAPI_RC_MEMORY, cleanup);
if (!(mycontext->osslHashAlgorithm =
EVP_MD_fetch(mycontext->libctx, get_hash_md(hashAlgorithm), NULL))) {
--
2.34.3

29
SOURCES/0010-FAPI-Fix-memory-leak-after-ifapi_init_primary_finish.patch Normal file
View File

@ -0,0 +1,29 @@
From 5652a33144973bdf570bea033ec185f8a7a6d038 Mon Sep 17 00:00:00 2001
From: JerryDevis <JerryDevis@users.noreply.github.com>
Date: Tue, 21 Dec 2021 17:44:00 +0800
Subject: [PATCH 10/23] FAPI: Fix memory leak after ifapi_init_primary_finish
failed
Signed-off-by: JerryDevis <JerryDevis@users.noreply.github.com>
---
src/tss2-fapi/fapi_util.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
index 90f8b2aa..cd4e0979 100644
--- a/src/tss2-fapi/fapi_util.c
+++ b/src/tss2-fapi/fapi_util.c
@@ -807,6 +807,10 @@ ifapi_init_primary_finish(FAPI_CONTEXT *context, TSS2_KEY_TYPE ktype, IFAPI_OBJE
}
error_cleanup:
+ SAFE_FREE(outPublic);
+ SAFE_FREE(creationData);
+ SAFE_FREE(creationHash);
+ SAFE_FREE(creationTicket);
ifapi_cleanup_ifapi_object(&context->createPrimary.pkey_object);
free_string_list(k_sub_path);
SAFE_FREE(pkey->serialization.buffer);
--
2.34.3

39
SOURCES/0011-esys-Return-an-error-if-ESYS_TR_NONE-is-passed-to-Es.patch Normal file
View File

@ -0,0 +1,39 @@
From 8b3891af6b8125f30c4b229ee1ba0b30a112664a Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
Date: Tue, 21 Dec 2021 11:59:28 +0100
Subject: [PATCH 11/23] esys: Return an error if ESYS_TR_NONE is passed to
Esys_TR_GetName.
A segfault was produced in this case. Fixes #2243.
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
---
src/tss2-esys/esys_tr.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/tss2-esys/esys_tr.c b/src/tss2-esys/esys_tr.c
index f0127d02..cf4caa09 100644
--- a/src/tss2-esys/esys_tr.c
+++ b/src/tss2-esys/esys_tr.c
@@ -408,6 +408,7 @@ Esys_TR_SetAuth(ESYS_CONTEXT * esys_context, ESYS_TR esys_handle,
* @retval TSS2_ESYS_RC_MEMORY if needed memory can't be allocated.
* @retval TSS2_ESYS_RC_GENERAL_FAILURE for errors of the crypto library.
* @retval TSS2_ESYS_RC_BAD_REFERENCE if the esysContext is NULL.
+ * @retval TSS2_ESYS_RC_BAD_TR if the handle is invalid.
* @retval TSS2_SYS_RC_* for SAPI errors.
*/
TSS2_RC
@@ -418,6 +419,10 @@ Esys_TR_GetName(ESYS_CONTEXT * esys_context, ESYS_TR esys_handle,
TSS2_RC r;
_ESYS_ASSERT_NON_NULL(esys_context);
+ if (esys_handle == ESYS_TR_NONE) {
+ return_error(TSS2_ESYS_RC_BAD_TR, "Name for ESYS_TR_NONE can't be determined.");
+ }
+
r = esys_GetResourceObject(esys_context, esys_handle, &esys_object);
return_if_error(r, "Object not found");
--
2.34.3

45
SOURCES/0012-FAPI-Fixed-memory-leak-when-ifapi_get_certificates-f.patch Normal file
View File

@ -0,0 +1,45 @@
From d03674af6f2a66bb6d94f5a50871301c8650522d Mon Sep 17 00:00:00 2001
From: JerryDevis <JerryDevis@users.noreply.github.com>
Date: Wed, 5 Jan 2022 20:55:21 +0800
Subject: [PATCH 12/23] FAPI: Fixed memory leak when ifapi_get_certificates
failed
Signed-off-by: JerryDevis <JerryDevis@users.noreply.github.com>
---
src/tss2-fapi/fapi_util.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
index cd4e0979..f64c4e8b 100644
--- a/src/tss2-fapi/fapi_util.c
+++ b/src/tss2-fapi/fapi_util.c
@@ -4328,7 +4328,7 @@ ifapi_get_certificates(
context->nv_cmd.nv_object.misc.nv.public.nvPublic.attributes = TPMA_NV_NO_DA;
r = ifapi_keystore_load_async(&context->keystore, &context->io, "/HS");
- return_if_error2(r, "Could not open hierarchy /HS");
+ goto_if_error_reset_state(r, "Could not open hierarchy /HS", error);
fallthrough;
@@ -4352,7 +4352,7 @@ ifapi_get_certificates(
context->session2 = ESYS_TR_NONE;
context->nv_cmd.nv_read_state = NV_READ_INIT;
memset(&context->nv_cmd.nv_object, 0, sizeof(IFAPI_OBJECT));
- Esys_Free(context->cmd.Provision.nvPublic);
+ SAFE_FREE(context->cmd.Provision.nvPublic);
fallthrough;
statecase(context->get_cert_state, GET_CERT_READ_CERT);
@@ -4382,7 +4382,7 @@ ifapi_get_certificates(
}
error:
- SAFE_FREE(context->cmd.Provision.capabilityData);
+ SAFE_FREE(context->cmd.Provision.nvPublic);
SAFE_FREE(context->cmd.Provision.capabilityData);
ifapi_cleanup_ifapi_object(&context->nv_cmd.auth_object);
ifapi_free_object_list(*cert_list);
--
2.34.3

25
SOURCES/0013-FAPI-Free-object-when-keystore_search_obj-failed.patch Normal file
View File

@ -0,0 +1,25 @@
From 53f235e27ee657266725137a551858b81c24c57b Mon Sep 17 00:00:00 2001
From: JerryDevis <JerryDevis@users.noreply.github.com>
Date: Wed, 5 Jan 2022 21:58:00 +0800
Subject: [PATCH 13/23] FAPI: Free object when keystore_search_obj failed
Signed-off-by: JerryDevis <JerryDevis@users.noreply.github.com>
---
src/tss2-fapi/ifapi_keystore.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/tss2-fapi/ifapi_keystore.c b/src/tss2-fapi/ifapi_keystore.c
index 743de133..e805029f 100644
--- a/src/tss2-fapi/ifapi_keystore.c
+++ b/src/tss2-fapi/ifapi_keystore.c
@@ -1239,6 +1239,7 @@ cleanup:
r = TSS2_FAPI_RC_KEY_NOT_FOUND;
}
keystore->key_search.state = KSEARCH_INIT;
+ ifapi_cleanup_ifapi_object(&object);
return r;
}
--
2.34.3

27
SOURCES/0014-FAPI-Fixed-the-memory-leak-of-command-data-when-Fapi.patch Normal file
View File

@ -0,0 +1,27 @@
From ba3ba5c4ec4f0362a0915c5ae5e002c9cbdc9f1e Mon Sep 17 00:00:00 2001
From: JerryDevis <JerryDevis@users.noreply.github.com>
Date: Wed, 5 Jan 2022 22:09:26 +0800
Subject: [PATCH 14/23] FAPI:Fixed the memory leak of command->data when
Fapi_GetEsysBlob_Finish failed
Signed-off-by: JerryDevis <JerryDevis@users.noreply.github.com>
---
src/tss2-fapi/api/Fapi_GetEsysBlob.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tss2-fapi/api/Fapi_GetEsysBlob.c b/src/tss2-fapi/api/Fapi_GetEsysBlob.c
index a54bece8..b152ae3a 100644
--- a/src/tss2-fapi/api/Fapi_GetEsysBlob.c
+++ b/src/tss2-fapi/api/Fapi_GetEsysBlob.c
@@ -395,7 +395,7 @@ error_cleanup:
ifapi_cleanup_ifapi_object(object);
ifapi_cleanup_ifapi_object(key_object);
SAFE_FREE(command->path);
- SAFE_FREE(*data);
+ SAFE_FREE(command->data);
SAFE_FREE(key_context);
ifapi_session_clean(context);
ifapi_cleanup_ifapi_object(&context->loadKey.auth_object);
--
2.34.3

38
SOURCES/0015-ESYS-Fixed-annotation-error-of-Esys_TR_Deserialize.patch Normal file
View File

@ -0,0 +1,38 @@
From 5e2f86cbd55b7c82ebf4cef0a0abed6c04598bd9 Mon Sep 17 00:00:00 2001
From: JerryDevis <JerryDevis@users.noreply.github.com>
Date: Fri, 7 Jan 2022 11:56:14 +0800
Subject: [PATCH 15/23] ESYS: Fixed annotation error of Esys_TR_Deserialize
Signed-off-by: JerryDevis <JerryDevis@users.noreply.github.com>
---
src/tss2-esys/esys_tr.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/src/tss2-esys/esys_tr.c b/src/tss2-esys/esys_tr.c
index cf4caa09..784f711a 100644
--- a/src/tss2-esys/esys_tr.c
+++ b/src/tss2-esys/esys_tr.c
@@ -65,15 +65,14 @@ Esys_TR_Serialize(ESYS_CONTEXT * esys_context,
*
* Deserialize the metadata of an ESYS_TR object from a byte buffer that was
* stored on disk for later use by a different program or context.
- * An object can be serialized suing Esys_TR_Serialize.
+ * An object can be deserialized using Esys_TR_Deserialize.
* @param esys_context [in,out] The ESYS_CONTEXT.
- * @param esys_handle [in] The ESYS_TR object to serialize.
- * @param buffer [out] The buffer containing the serialized metadata.
- * (caller-callocated) Shall be freed using free().
- * @param buffer_size [out] The size of the buffer parameter.
+ * @param esys_handle [out] The ESYS_TR object to deserialize.
+ * @param buffer [in] The buffer containing the metadata of the ESYS_TR object.
+ * @param buffer_size [in] The size of the buffer parameter.
* @retval TSS2_RC_SUCCESS on Success.
* @retval TSS2_ESYS_RC_MEMORY if the object can not be allocated.
- * @retval TSS2_ESYS_RC_INSUFFICIENT_BUFFER if the buffer for unmarshaling.
+ * @retval TSS2_ESYS_RC_INSUFFICIENT_BUFFER if the buffer for unmarshalling.
* @retval TSS2_ESYS_RC_BAD_REFERENCE if the esysContext is NULL.
* @retval TSS2_RCs produced by lower layers of the software stack.
*/
--
2.34.3

50
SOURCES/0016-FAPI-Clean-up-memory-when-Fapi_Delete_Async-failed.patch Normal file
View File

@ -0,0 +1,50 @@
From 80d8aa8e3d15fd01eacb40200b80a83ed940c207 Mon Sep 17 00:00:00 2001
From: JerryDevis <857869045@qq.com>
Date: Sun, 9 Jan 2022 16:31:09 +0800
Subject: [PATCH 16/23] FAPI: Clean up memory when Fapi_Delete_Async failed
Signed-off-by: JerryDevis <857869045@qq.com>
---
src/tss2-fapi/api/Fapi_Delete.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/tss2-fapi/api/Fapi_Delete.c b/src/tss2-fapi/api/Fapi_Delete.c
index 43ea0332..2b5826ab 100644
--- a/src/tss2-fapi/api/Fapi_Delete.c
+++ b/src/tss2-fapi/api/Fapi_Delete.c
@@ -419,14 +419,14 @@ Fapi_Delete_Async(
/* No session will be needed these files can be deleted without
interaction with the TPM */
r = ifapi_non_tpm_mode_init(context);
- return_if_error(r, "Initialize Entity_Delete");
+ goto_if_error(r, "Initialize Entity_Delete", error_cleanup);
context->session1 = ESYS_TR_NONE;
context->state = ENTITY_DELETE_GET_FILE;
} else {
/* Check whether TCTI and ESYS are initialized */
- return_if_null(context->esys, "Command can't be executed in none TPM mode.",
- TSS2_FAPI_RC_NO_TPM);
+ goto_if_null(context->esys, "Command can't be executed in none TPM mode.",
+ TSS2_FAPI_RC_NO_TPM, error_cleanup);
/* If the async state automata of FAPI shall be tested, then we must not set
the timeouts of ESYS to blocking mode.
@@ -435,12 +435,12 @@ Fapi_Delete_Async(
to block until a result is available. */
#ifndef TEST_FAPI_ASYNC
r = Esys_SetTimeout(context->esys, TSS2_TCTI_TIMEOUT_BLOCK);
- return_if_error_reset_state(r, "Set Timeout to blocking");
+ goto_if_error_reset_state(r, "Set Timeout to blocking", error_cleanup);
#endif /* TEST_FAPI_ASYNC */
/* A TPM session will be created to enable object authorization */
r = ifapi_session_init(context);
- return_if_error(r, "Initialize Entity_Delete");
+ goto_if_error(r, "Initialize Entity_Delete", error_cleanup);
r = ifapi_get_sessions_async(context,
IFAPI_SESSION_GENEK | IFAPI_SESSION1,
--
2.34.3

44
SOURCES/0017-FAPI-Clean-up-memory-when-Fapi_GetEsysBlob_Async-fai.patch Normal file
View File

@ -0,0 +1,44 @@
From f03a243f4f1e249a0f4d96bc5722a44953cad72e Mon Sep 17 00:00:00 2001
From: JerryDevis <857869045@qq.com>
Date: Sun, 9 Jan 2022 18:44:49 +0800
Subject: [PATCH 17/23] FAPI: Clean up memory when Fapi_GetEsysBlob_Async
failed
Signed-off-by: JerryDevis <857869045@qq.com>
---
src/tss2-fapi/api/Fapi_GetEsysBlob.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/tss2-fapi/api/Fapi_GetEsysBlob.c b/src/tss2-fapi/api/Fapi_GetEsysBlob.c
index b152ae3a..db67e2e4 100644
--- a/src/tss2-fapi/api/Fapi_GetEsysBlob.c
+++ b/src/tss2-fapi/api/Fapi_GetEsysBlob.c
@@ -157,8 +157,8 @@ Fapi_GetEsysBlob_Async(
authObject->objectType = IFAPI_OBJ_NONE;
/* Check whether TCTI and ESYS are initialized */
- return_if_null(context->esys, "Command can't be executed in none TPM mode.",
- TSS2_FAPI_RC_NO_TPM);
+ goto_if_null(context->esys, "Command can't be executed in none TPM mode.",
+ TSS2_FAPI_RC_NO_TPM, error_cleanup);
/* If the async state automata of FAPI shall be tested, then we must not set
the timeouts of ESYS to blocking mode.
@@ -167,12 +167,12 @@ Fapi_GetEsysBlob_Async(
to block until a result is available. */
#ifndef TEST_FAPI_ASYNC
r = Esys_SetTimeout(context->esys, TSS2_TCTI_TIMEOUT_BLOCK);
- return_if_error_reset_state(r, "Set Timeout to blocking");
+ goto_if_error_reset_state(r, "Set Timeout to blocking", error_cleanup);
#endif /* TEST_FAPI_ASYNC */
/* A TPM session will be created to enable object authorization */
r = ifapi_session_init(context);
- return_if_error(r, "Initialize GetEsysBlob");
+ goto_if_error(r, "Initialize GetEsysBlob", error_cleanup);
context->state = GET_ESYS_BLOB_GET_FILE;
--
2.34.3

30
SOURCES/0018-FAPI-Initialize-object-used-for-keystore-search.patch Normal file
View File

@ -0,0 +1,30 @@
From cd9987b0e400f8a77a19c3b8279eb931554cce7c Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
Date: Thu, 13 Jan 2022 11:46:22 +0100
Subject: [PATCH 18/23] FAPI: Initialize object used for keystore search.
For an empty keystore a cleanup of an uninitialized object was executed. No the object
type now is initialized with IFAPI_OBJ_NONE to prevent the cleanup.
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
---
src/tss2-fapi/ifapi_keystore.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/tss2-fapi/ifapi_keystore.c b/src/tss2-fapi/ifapi_keystore.c
index e805029f..c5486690 100644
--- a/src/tss2-fapi/ifapi_keystore.c
+++ b/src/tss2-fapi/ifapi_keystore.c
@@ -1173,6 +1173,9 @@ keystore_search_obj(
IFAPI_OBJECT object;
size_t i;
+ /* Mark object "unread" */
+ object.objectType = IFAPI_OBJ_NONE;
+
switch (keystore->key_search.state) {
statecase(keystore->key_search.state, KSEARCH_INIT)
r = ifapi_keystore_list_all(keystore,
--
2.34.3

30
SOURCES/0019-MU-Fix-buffer-upcast-leading-to-misalignment.patch Normal file
View File

@ -0,0 +1,30 @@
From 7514e0f35f08666aa0cd5edc2859104c19b7b2a1 Mon Sep 17 00:00:00 2001
From: Andreas Fuchs <andreas.fuchs@sit.fraunhofer.de>
Date: Thu, 13 Jan 2022 16:48:30 +0100
Subject: [PATCH 19/23] MU: Fix buffer upcast leading to misalignment
Signed-off-by: Andreas Fuchs <andreas.fuchs@sit.fraunhofer.de>
---
src/tss2-mu/tpm2b-types.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/tss2-mu/tpm2b-types.c b/src/tss2-mu/tpm2b-types.c
index 6aa2feb3..2e10f487 100644
--- a/src/tss2-mu/tpm2b-types.c
+++ b/src/tss2-mu/tpm2b-types.c
@@ -208,8 +208,10 @@ TSS2_RC Tss2_MU_##type##_Marshal(type const *src, uint8_t buffer[], \
return rc; \
\
/* Update the size to the real value */ \
- if (buffer) \
- *(UINT16 *)ptr = HOST_TO_BE_16(buffer + local_offset - ptr - 2); \
+ if (buffer) { \
+ UINT16 t = HOST_TO_BE_16(buffer + local_offset - ptr - 2); \
+ memcpy(ptr, &t, sizeof(t)); \
+ } \
\
if (offset != NULL) { \
*offset = local_offset; \
--
2.34.3

41
SOURCES/0020-esys_iutil-fix-possible-NPD.patch Normal file
View File

@ -0,0 +1,41 @@
From f140a8e5fdb2f3b9fbc3b32d1a844554008c2298 Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Fri, 3 Jun 2022 11:51:02 -0500
Subject: [PATCH 20/23] esys_iutil: fix possible NPD
Clang-10 scan-build reports:
src/tss2-esys/esys_iutil.c:1366:56: warning: Dereference of null pointer
auths->auths[auths->count].sessionHandle = session->rsrc.handle;
^~~~~~~~~~~~~~~~~~~~
1 warning generated.
The code above the report checks that session might be NULL:
RSRC_NODE_T *session = esys_context->session_tab[session_idx];
if (session != NULL) {
IESYS_SESSION *rsrc_session = &session->rsrc.misc.rsrc_session;
if (rsrc_session->type_policy_session == POLICY_PASSWORD) {
Thus suggesting/indicating session may be NULL in subsequent code where
session is dereferenced.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
src/tss2-esys/esys_iutil.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tss2-esys/esys_iutil.c b/src/tss2-esys/esys_iutil.c
index 0cc92ca5..493f9b28 100644
--- a/src/tss2-esys/esys_iutil.c
+++ b/src/tss2-esys/esys_iutil.c
@@ -1339,7 +1339,7 @@ iesys_gen_auths(ESYS_CONTEXT * esys_context,
&& encryptNonceIdx > 0) ? encryptNonce : NULL,
&auths->auths[session_idx]);
return_if_error(r, "Error while computing hmacs");
- if (esys_context->session_tab[session_idx] != NULL) {
+ if (esys_context->session_tab[session_idx] != NULL && session != NULL) {
auths->auths[auths->count].sessionHandle = session->rsrc.handle;
auths->count++;
}
--
2.34.3

269
SOURCES/0021-sapi-scope-command-handles.patch Normal file
View File

@ -0,0 +1,269 @@
From 495309fd8c6ef3c705c46cc28f9df52f5d59cba8 Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Wed, 8 Jun 2022 11:09:53 -0500
Subject: [PATCH 21/23] sapi: scope command handles
Scope command handles to where they are used.
- Compared to the upstream commit d4dee42e already missing commands were
left out.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
src/tss2-sys/sysapi_util.c | 237 +++++++++++++++++++------------------
1 file changed, 119 insertions(+), 118 deletions(-)
diff --git a/src/tss2-sys/sysapi_util.c b/src/tss2-sys/sysapi_util.c
index 685fcee8..d84acc5d 100644
--- a/src/tss2-sys/sysapi_util.c
+++ b/src/tss2-sys/sysapi_util.c
@@ -168,127 +168,128 @@ TSS2_RC CommonOneCall(
return rval;
}
-static const COMMAND_HANDLES commandArray[] =
-{
- { TPM2_CC_Startup, 0, 0 },
- { TPM2_CC_Shutdown, 0, 0 },
- { TPM2_CC_SelfTest, 0, 0 },
- { TPM2_CC_IncrementalSelfTest, 0, 0 },
- { TPM2_CC_GetTestResult, 0, 0 },
- { TPM2_CC_StartAuthSession, 2, 1 },
- { TPM2_CC_PolicyRestart, 1, 0 },
- { TPM2_CC_Create, 1, 0 },
- { TPM2_CC_Load, 1, 1 },
- { TPM2_CC_LoadExternal, 0, 1 },
- { TPM2_CC_ReadPublic, 1, 0 },
- { TPM2_CC_ActivateCredential, 2, 0 },
- { TPM2_CC_MakeCredential, 1, 0 },
- { TPM2_CC_Unseal, 1, 0 },
- { TPM2_CC_ObjectChangeAuth, 2, 0 },
- { TPM2_CC_Duplicate, 2, 0 },
- { TPM2_CC_Rewrap, 2, 0 },
- { TPM2_CC_Import, 1, 0 },
- { TPM2_CC_RSA_Encrypt, 1, 0 },
- { TPM2_CC_RSA_Decrypt, 1, 0 },
- { TPM2_CC_ECDH_KeyGen, 1, 0 },
- { TPM2_CC_ECDH_ZGen, 1, 0 },
- { TPM2_CC_ECC_Parameters, 0, 0 },
- { TPM2_CC_ZGen_2Phase, 1, 0 },
- { TPM2_CC_EncryptDecrypt, 1, 0 },
- { TPM2_CC_EncryptDecrypt2, 1, 0 },
- { TPM2_CC_Hash, 0, 0 },
- { TPM2_CC_HMAC, 1, 0 },
- { TPM2_CC_GetRandom, 0, 0 },
- { TPM2_CC_StirRandom, 0, 0 },
- { TPM2_CC_HMAC_Start, 1, 1 },
- { TPM2_CC_HashSequenceStart, 0, 1 },
- { TPM2_CC_SequenceUpdate, 1, 0 },
- { TPM2_CC_SequenceComplete, 1, 0 },
- { TPM2_CC_EventSequenceComplete, 2, 0 },
- { TPM2_CC_Certify, 2, 0 },
- { TPM2_CC_CertifyCreation, 2, 0 },
- { TPM2_CC_Quote, 1, 0 },
- { TPM2_CC_GetSessionAuditDigest, 3, 0 },
- { TPM2_CC_GetCommandAuditDigest, 2, 0 },
- { TPM2_CC_GetTime, 2, 0 },
- { TPM2_CC_Commit, 1, 0 },
- { TPM2_CC_EC_Ephemeral, 0, 0 },
- { TPM2_CC_VerifySignature, 1, 0 },
- { TPM2_CC_Sign, 1, 0 },
- { TPM2_CC_SetCommandCodeAuditStatus, 1, 0 },
- { TPM2_CC_PCR_Extend, 1, 0 },
- { TPM2_CC_PCR_Event, 1, 0 },
- { TPM2_CC_PCR_Read, 0, 0 },
- { TPM2_CC_PCR_Allocate, 1, 0 },
- { TPM2_CC_PCR_SetAuthPolicy, 1, 0 },
- { TPM2_CC_PCR_SetAuthValue, 1, 0 },
- { TPM2_CC_PCR_Reset, 1, 0 },
- { TPM2_CC_PolicySigned, 2, 0 },
- { TPM2_CC_PolicySecret, 2, 0 },
- { TPM2_CC_PolicyTicket, 1, 0 },
- { TPM2_CC_PolicyOR, 1, 0 },
- { TPM2_CC_PolicyPCR, 1, 0 },
- { TPM2_CC_PolicyLocality, 1, 0 },
- { TPM2_CC_PolicyNV, 3, 0 },
- { TPM2_CC_PolicyNvWritten, 1, 0 },
- { TPM2_CC_PolicyCounterTimer, 1, 0 },
- { TPM2_CC_PolicyCommandCode, 1, 0 },
- { TPM2_CC_PolicyPhysicalPresence, 1, 0 },
- { TPM2_CC_PolicyCpHash, 1, 0 },
- { TPM2_CC_PolicyNameHash, 1, 0 },
- { TPM2_CC_PolicyDuplicationSelect, 1, 0 },
- { TPM2_CC_PolicyAuthorize, 1, 0 },
- { TPM2_CC_PolicyAuthValue, 1, 0 },
- { TPM2_CC_PolicyPassword, 1, 0 },
- { TPM2_CC_PolicyGetDigest, 1, 0 },
- { TPM2_CC_PolicyTemplate, 1, 0 },
- { TPM2_CC_CreatePrimary, 1, 1 },
- { TPM2_CC_HierarchyControl, 1, 0 },
- { TPM2_CC_SetPrimaryPolicy, 1, 0 },
- { TPM2_CC_ChangePPS, 1, 0 },
- { TPM2_CC_ChangeEPS, 1, 0 },
- { TPM2_CC_Clear, 1, 0 },
- { TPM2_CC_ClearControl, 1, 0 },
- { TPM2_CC_HierarchyChangeAuth, 1, 0 },
- { TPM2_CC_DictionaryAttackLockReset, 1, 0 },
- { TPM2_CC_DictionaryAttackParameters, 1, 0 },
- { TPM2_CC_PP_Commands, 1, 0 },
- { TPM2_CC_SetAlgorithmSet, 1, 0 },
- { TPM2_CC_FieldUpgradeStart, 2, 0 },
- { TPM2_CC_FieldUpgradeData, 0, 0 },
- { TPM2_CC_FirmwareRead, 0, 0 },
- { TPM2_CC_ContextSave, 1, 0 },
- { TPM2_CC_ContextLoad, 0, 1 },
- { TPM2_CC_FlushContext, 1, 0 },
- { TPM2_CC_EvictControl, 2, 0 },
- { TPM2_CC_ReadClock, 0, 0 },
- { TPM2_CC_ClockSet, 1, 0 },
- { TPM2_CC_ClockRateAdjust, 1, 0 },
- { TPM2_CC_GetCapability, 0, 0 },
- { TPM2_CC_TestParms, 0, 0 },
- { TPM2_CC_NV_DefineSpace, 1, 0 },
- { TPM2_CC_NV_UndefineSpace, 2, 0 },
- { TPM2_CC_NV_UndefineSpaceSpecial, 2, 0 },
- { TPM2_CC_NV_ReadPublic, 1, 0 },
- { TPM2_CC_NV_Write, 2, 0 },
- { TPM2_CC_NV_Increment, 2, 0 },
- { TPM2_CC_NV_Extend, 2, 0 },
- { TPM2_CC_NV_SetBits, 2, 0 },
- { TPM2_CC_NV_WriteLock, 2, 0 },
- { TPM2_CC_NV_GlobalWriteLock, 1, 0 },
- { TPM2_CC_NV_Read, 2, 0 },
- { TPM2_CC_NV_ReadLock, 2, 0 },
- { TPM2_CC_NV_ChangeAuth, 1, 0 },
- { TPM2_CC_NV_Certify, 3, 0 },
- { TPM2_CC_CreateLoaded, 1, 1 },
- { TPM2_CC_PolicyAuthorizeNV, 3, 0 },
- { TPM2_CC_AC_GetCapability, 1, 0 },
- { TPM2_CC_AC_Send, 3, 0 },
- { TPM2_CC_Policy_AC_SendSelect, 1, 0 }
-};
static int GetNumHandles(TPM2_CC commandCode, bool req)
{
+ static const COMMAND_HANDLES commandArray[] =
+ {
+ { TPM2_CC_Startup, 0, 0 },
+ { TPM2_CC_Shutdown, 0, 0 },
+ { TPM2_CC_SelfTest, 0, 0 },
+ { TPM2_CC_IncrementalSelfTest, 0, 0 },
+ { TPM2_CC_GetTestResult, 0, 0 },
+ { TPM2_CC_StartAuthSession, 2, 1 },
+ { TPM2_CC_PolicyRestart, 1, 0 },
+ { TPM2_CC_Create, 1, 0 },
+ { TPM2_CC_Load, 1, 1 },
+ { TPM2_CC_LoadExternal, 0, 1 },
+ { TPM2_CC_ReadPublic, 1, 0 },
+ { TPM2_CC_ActivateCredential, 2, 0 },
+ { TPM2_CC_MakeCredential, 1, 0 },
+ { TPM2_CC_Unseal, 1, 0 },
+ { TPM2_CC_ObjectChangeAuth, 2, 0 },
+ { TPM2_CC_Duplicate, 2, 0 },
+ { TPM2_CC_Rewrap, 2, 0 },
+ { TPM2_CC_Import, 1, 0 },
+ { TPM2_CC_RSA_Encrypt, 1, 0 },
+ { TPM2_CC_RSA_Decrypt, 1, 0 },
+ { TPM2_CC_ECDH_KeyGen, 1, 0 },
+ { TPM2_CC_ECDH_ZGen, 1, 0 },
+ { TPM2_CC_ECC_Parameters, 0, 0 },
+ { TPM2_CC_ZGen_2Phase, 1, 0 },
+ { TPM2_CC_EncryptDecrypt, 1, 0 },
+ { TPM2_CC_EncryptDecrypt2, 1, 0 },
+ { TPM2_CC_Hash, 0, 0 },
+ { TPM2_CC_HMAC, 1, 0 },
+ { TPM2_CC_GetRandom, 0, 0 },
+ { TPM2_CC_StirRandom, 0, 0 },
+ { TPM2_CC_HMAC_Start, 1, 1 },
+ { TPM2_CC_HashSequenceStart, 0, 1 },
+ { TPM2_CC_SequenceUpdate, 1, 0 },
+ { TPM2_CC_SequenceComplete, 1, 0 },
+ { TPM2_CC_EventSequenceComplete, 2, 0 },
+ { TPM2_CC_Certify, 2, 0 },
+ { TPM2_CC_CertifyCreation, 2, 0 },
+ { TPM2_CC_Quote, 1, 0 },
+ { TPM2_CC_GetSessionAuditDigest, 3, 0 },
+ { TPM2_CC_GetCommandAuditDigest, 2, 0 },
+ { TPM2_CC_GetTime, 2, 0 },
+ { TPM2_CC_Commit, 1, 0 },
+ { TPM2_CC_EC_Ephemeral, 0, 0 },
+ { TPM2_CC_VerifySignature, 1, 0 },
+ { TPM2_CC_Sign, 1, 0 },
+ { TPM2_CC_SetCommandCodeAuditStatus, 1, 0 },
+ { TPM2_CC_PCR_Extend, 1, 0 },
+ { TPM2_CC_PCR_Event, 1, 0 },
+ { TPM2_CC_PCR_Read, 0, 0 },
+ { TPM2_CC_PCR_Allocate, 1, 0 },
+ { TPM2_CC_PCR_SetAuthPolicy, 1, 0 },
+ { TPM2_CC_PCR_SetAuthValue, 1, 0 },
+ { TPM2_CC_PCR_Reset, 1, 0 },
+ { TPM2_CC_PolicySigned, 2, 0 },
+ { TPM2_CC_PolicySecret, 2, 0 },
+ { TPM2_CC_PolicyTicket, 1, 0 },
+ { TPM2_CC_PolicyOR, 1, 0 },
+ { TPM2_CC_PolicyPCR, 1, 0 },
+ { TPM2_CC_PolicyLocality, 1, 0 },
+ { TPM2_CC_PolicyNV, 3, 0 },
+ { TPM2_CC_PolicyNvWritten, 1, 0 },
+ { TPM2_CC_PolicyCounterTimer, 1, 0 },
+ { TPM2_CC_PolicyCommandCode, 1, 0 },
+ { TPM2_CC_PolicyPhysicalPresence, 1, 0 },
+ { TPM2_CC_PolicyCpHash, 1, 0 },
+ { TPM2_CC_PolicyNameHash, 1, 0 },
+ { TPM2_CC_PolicyDuplicationSelect, 1, 0 },
+ { TPM2_CC_PolicyAuthorize, 1, 0 },
+ { TPM2_CC_PolicyAuthValue, 1, 0 },
+ { TPM2_CC_PolicyPassword, 1, 0 },
+ { TPM2_CC_PolicyGetDigest, 1, 0 },
+ { TPM2_CC_PolicyTemplate, 1, 0 },
+ { TPM2_CC_CreatePrimary, 1, 1 },
+ { TPM2_CC_HierarchyControl, 1, 0 },
+ { TPM2_CC_SetPrimaryPolicy, 1, 0 },
+ { TPM2_CC_ChangePPS, 1, 0 },
+ { TPM2_CC_ChangeEPS, 1, 0 },
+ { TPM2_CC_Clear, 1, 0 },
+ { TPM2_CC_ClearControl, 1, 0 },
+ { TPM2_CC_HierarchyChangeAuth, 1, 0 },
+ { TPM2_CC_DictionaryAttackLockReset, 1, 0 },
+ { TPM2_CC_DictionaryAttackParameters, 1, 0 },
+ { TPM2_CC_PP_Commands, 1, 0 },
+ { TPM2_CC_SetAlgorithmSet, 1, 0 },
+ { TPM2_CC_FieldUpgradeStart, 2, 0 },
+ { TPM2_CC_FieldUpgradeData, 0, 0 },
+ { TPM2_CC_FirmwareRead, 0, 0 },
+ { TPM2_CC_ContextSave, 1, 0 },
+ { TPM2_CC_ContextLoad, 0, 1 },
+ { TPM2_CC_FlushContext, 1, 0 },
+ { TPM2_CC_EvictControl, 2, 0 },
+ { TPM2_CC_ReadClock, 0, 0 },
+ { TPM2_CC_ClockSet, 1, 0 },
+ { TPM2_CC_ClockRateAdjust, 1, 0 },
+ { TPM2_CC_GetCapability, 0, 0 },
+ { TPM2_CC_TestParms, 0, 0 },
+ { TPM2_CC_NV_DefineSpace, 1, 0 },
+ { TPM2_CC_NV_UndefineSpace, 2, 0 },
+ { TPM2_CC_NV_UndefineSpaceSpecial, 2, 0 },
+ { TPM2_CC_NV_ReadPublic, 1, 0 },
+ { TPM2_CC_NV_Write, 2, 0 },
+ { TPM2_CC_NV_Increment, 2, 0 },
+ { TPM2_CC_NV_Extend, 2, 0 },
+ { TPM2_CC_NV_SetBits, 2, 0 },
+ { TPM2_CC_NV_WriteLock, 2, 0 },
+ { TPM2_CC_NV_GlobalWriteLock, 1, 0 },
+ { TPM2_CC_NV_Read, 2, 0 },
+ { TPM2_CC_NV_ReadLock, 2, 0 },
+ { TPM2_CC_NV_ChangeAuth, 1, 0 },
+ { TPM2_CC_NV_Certify, 3, 0 },
+ { TPM2_CC_CreateLoaded, 1, 1 },
+ { TPM2_CC_PolicyAuthorizeNV, 3, 0 },
+ { TPM2_CC_AC_GetCapability, 1, 0 },
+ { TPM2_CC_AC_Send, 3, 0 },
+ { TPM2_CC_Policy_AC_SendSelect, 1, 0 }
+ };
+
uint8_t i;
for (i = 0; i < sizeof(commandArray) / sizeof(COMMAND_HANDLES); i++) {
--
2.34.3

26
SOURCES/0022-fapi-use-correct-userdata-for-cbauthnv.patch Normal file
View File

@ -0,0 +1,26 @@
From b289b38764e9f6c4fbe50008fede7baa47098a58 Mon Sep 17 00:00:00 2001
From: Erik Larsson <who+github@cnackers.org>
Date: Mon, 4 Jul 2022 19:14:30 +0200
Subject: [PATCH 22/23] fapi: use correct userdata for cbauthnv
Signed-off-by: Erik Larsson <who+github@cnackers.org>
---
src/tss2-fapi/ifapi_policy_execute.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tss2-fapi/ifapi_policy_execute.c b/src/tss2-fapi/ifapi_policy_execute.c
index caae103e..ddaf255c 100644
--- a/src/tss2-fapi/ifapi_policy_execute.c
+++ b/src/tss2-fapi/ifapi_policy_execute.c
@@ -760,7 +760,7 @@ execute_policy_authorize_nv(
switch (current_policy->state) {
statecase(current_policy->state, POLICY_EXECUTE_INIT)
/* Execute the policy stored in the NV object. */
- r = cb->cbauthnv(&policy->nvPublic, hash_alg, cb->cbauthpol_userdata);
+ r = cb->cbauthnv(&policy->nvPublic, hash_alg, cb->cbauthnv_userdata);
try_again_or_error(r, "Execute policy authorize nv callback.");
r = ifapi_nv_get_name(&policy->nvPublic, &current_policy->name);
--
2.34.3

36
SOURCES/0023-SAPI-fix-number-of-handles-for-FlushContext.patch Normal file
View File

@ -0,0 +1,36 @@
From ecfc3b4c1e9a59c6a230398bced24118d19ea099 Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Thu, 7 Jul 2022 09:00:19 -0500
Subject: [PATCH 23/23] SAPI: fix number of handles for FlushContext
The lookup table for the number of command handles for
Tss2_Sys_FlushContext has the count set to 1, when in reality the
command takes no handles in the handle area but a handle as the input
parameter. This works currently because handles and parameters are just
concatenated and the parsing logic on the TPM just unpacks them, so in
this case, thet're in the same spot with the same value. This goes
unnoticed until you call Tss2_Sys_GetCpBuffer and the buffer is empty as
the logic things its a handle in the handle area and not a handle in the
parameter area.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
src/tss2-sys/sysapi_util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tss2-sys/sysapi_util.c b/src/tss2-sys/sysapi_util.c
index d84acc5d..a92f47a2 100644
--- a/src/tss2-sys/sysapi_util.c
+++ b/src/tss2-sys/sysapi_util.c
@@ -262,7 +262,7 @@ static int GetNumHandles(TPM2_CC commandCode, bool req)
{ TPM2_CC_FirmwareRead, 0, 0 },
{ TPM2_CC_ContextSave, 1, 0 },
{ TPM2_CC_ContextLoad, 0, 1 },
- { TPM2_CC_FlushContext, 1, 0 },
+ { TPM2_CC_FlushContext, 0, 0 },
{ TPM2_CC_EvictControl, 2, 0 },
{ TPM2_CC_ReadClock, 0, 0 },
{ TPM2_CC_ClockSet, 1, 0 },
--
2.34.3

29
SPECS/tpm2-tss.spec
View File

@ -1,6 +1,6 @@
Name: tpm2-tss
Version: 3.0.3
Release: 7%{?dist}
Release: 8%{?dist}
Summary: TPM2.0 Software Stack
# The entire source code is under BSD except implementation.h and tpmb.h which
@ -23,6 +23,29 @@ Patch9: 0009-FAPI-Change-SHA256_Update-to-EVP_DigestUpdate.patch
Patch10: 0010-Test-Use-EVP_MAC_xxx-with-OpenSSL-3.0.patch
Patch11: 0011-Drop-support-for-OpenSSL-1.1.0.patch
Patch12: 0012-Implement-EVP_PKEY-export-import-for-OpenSSL-3.0.patch
Patch13: 0001-esys_crypto_ossl-remove-non-needed-_ex-OSSL-funcs.patch
Patch14: 0002-FAPI-Remove-useless-code-get_engine.patch
Patch15: 0003-FAPI-Remove-fauly-free-of-an-unused-field.patch
Patch16: 0004-Remove-deprecated-OpenSSL_add_all_algorithms.patch
Patch17: 0005-Use-default-OpenSSL-context-for-internal-crypto-oper.patch
Patch18: 0006-FAPI-Add-policy-computation-for-create-primary.patch
Patch19: 0007-FAPI-Fix-loading-of-primary-keys.patch
Patch20: 0008-Fix-file-descriptor-leak-when-tcti-initialization-fa.patch
Patch21: 0009-FAPI-Fix-leak-in-fapi-crypto-with-ossl3.patch
Patch22: 0010-FAPI-Fix-memory-leak-after-ifapi_init_primary_finish.patch
Patch23: 0011-esys-Return-an-error-if-ESYS_TR_NONE-is-passed-to-Es.patch
Patch24: 0012-FAPI-Fixed-memory-leak-when-ifapi_get_certificates-f.patch
Patch25: 0013-FAPI-Free-object-when-keystore_search_obj-failed.patch
Patch26: 0014-FAPI-Fixed-the-memory-leak-of-command-data-when-Fapi.patch
Patch27: 0015-ESYS-Fixed-annotation-error-of-Esys_TR_Deserialize.patch
Patch28: 0016-FAPI-Clean-up-memory-when-Fapi_Delete_Async-failed.patch
Patch29: 0017-FAPI-Clean-up-memory-when-Fapi_GetEsysBlob_Async-fai.patch
Patch30: 0018-FAPI-Initialize-object-used-for-keystore-search.patch
Patch31: 0019-MU-Fix-buffer-upcast-leading-to-misalignment.patch
Patch32: 0020-esys_iutil-fix-possible-NPD.patch
Patch33: 0021-sapi-scope-command-handles.patch
Patch34: 0022-fapi-use-correct-userdata-for-cbauthnv.patch
Patch35: 0023-SAPI-fix-number-of-handles-for-FlushContext.patch
%global udevrules_prefix 60-
@ -133,6 +156,10 @@ use tpm2-tss.
%changelog
* Wed Aug 10 2022 Štěpán Horáček <shoracek@redhat.com> - 3.0.3-8
- Fix memory leaks, potential crashes, upgrade to OpenSSL 3
Resolves: rhbz#2041919
* Thu Feb 17 2022 Štěpán Horáček <shoracek@redhat.com> - 3.0.3-7
- Rebuild with latest json-c library
Related: rhbz#2023328