From 94b2079a241deb45ff273e62835f4e4594e58d3f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Hor=C3=A1=C4=8Dek?= Date: Tue, 27 Jun 2023 13:11:01 +0200 Subject: [PATCH] Rebase to 3.2.2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Resolves: CVE-2023-22745 Resolves: rhbz#2160307 Resolves: rhbz#2162613 Signed-off-by: Štěpán Horáček --- ...-of-the-root-certificate-for-provisi.patch | 61 - ...ssl-remove-non-needed-_ex-OSSL-funcs.patch | 99 -- ... => 0001-esys_iutil-fix-possible-NPD.patch | 10 +- ...-unknown-layer-handler-dropping-bits.patch | 65 ++ ...-FAPI-Remove-useless-code-get_engine.patch | 63 -- ...ST_EK_CERT_LESS-with-disable-self-ge.patch | 42 - ...ded-size-check-in-TPM2B-unmarshaling.patch | 65 ++ ...arameter-encryption-for-provisioning.patch | 78 ++ ...Remove-fauly-free-of-an-unused-field.patch | 40 - ...-LIBCRYPTO_CFLAGS-when-building-FAPI.patch | 29 - ...-parameter-encryption-for-policy-ses.patch | 101 ++ ...eprecated-OpenSSL_add_all_algorithms.patch | 44 - ...est-Remove-duplicate-openssl-req-new.patch | 35 - ...-parameter-encryption-for-some-HMAC-.patch | 59 + ...VP_DigestSignInit-in-the-correct-ord.patch | 76 -- ...SSL-context-for-internal-crypto-oper.patch | 657 ----------- ...olicy-computation-for-create-primary.patch | 70 -- ...FAPI-Fix-usage-of-persistent-handles.patch | 61 + ...-EVP_PKEY_base_id-to-detect-key-type.patch | 47 - 0007-FAPI-Fix-loading-of-primary-keys.patch | 137 --- ...est-Change-RSA_sign-to-EVP_PKEY_sign.patch | 100 -- ...Fix-failed-build-with-disable-vendor.patch | 62 + ...o-display-warning-for-SHA3-hash-algs.patch | 35 + ...tor-leak-when-tcti-initialization-fa.patch | 84 -- 0008-Require-OpenSSL-1.1.0.patch | 65 -- ...ge-SHA256_Update-to-EVP_DigestUpdate.patch | 124 -- ...I-Fix-leak-in-fapi-crypto-with-ossl3.patch | 28 - ...ioning-test-for-nv-ext-and-profile-p.patch | 39 + ...leak-after-ifapi_init_primary_finish.patch | 29 - ...I-Fix-wrong-allocation-of-pcr-policy.patch | 30 + ...est-Use-EVP_MAC_xxx-with-OpenSSL-3.0.patch | 124 -- 0011-Drop-support-for-OpenSSL-1.1.0.patch | 313 ----- ...rror-if-ESYS_TR_NONE-is-passed-to-Es.patch | 39 - ...y-leak-when-ifapi_get_certificates-f.patch | 45 - ...P_PKEY-export-import-for-OpenSSL-3.0.patch | 1005 ----------------- ...ject-when-keystore_search_obj-failed.patch | 25 - ...emory-leak-of-command-data-when-Fapi.patch | 27 - ...otation-error-of-Esys_TR_Deserialize.patch | 38 - ...memory-when-Fapi_Delete_Async-failed.patch | 50 - ...mory-when-Fapi_GetEsysBlob_Async-fai.patch | 44 - ...lize-object-used-for-keystore-search.patch | 30 - ...uffer-upcast-leading-to-misalignment.patch | 30 - 0021-sapi-scope-command-handles.patch | 269 ----- ...pi-use-correct-userdata-for-cbauthnv.patch | 26 - ...x-number-of-handles-for-FlushContext.patch | 36 - sources | 2 +- tpm2-tss.spec | 66 +- 47 files changed, 625 insertions(+), 3979 deletions(-) delete mode 100644 0001-FAPI-Fix-reading-of-the-root-certificate-for-provisi.patch delete mode 100644 0001-esys_crypto_ossl-remove-non-needed-_ex-OSSL-funcs.patch rename 0020-esys_iutil-fix-possible-NPD.patch => 0001-esys_iutil-fix-possible-NPD.patch (87%) create mode 100644 0001-tss2-rc-fix-unknown-layer-handler-dropping-bits.patch delete mode 100644 0002-FAPI-Remove-useless-code-get_engine.patch delete mode 100644 0002-FAPI-use-FAPI_TEST_EK_CERT_LESS-with-disable-self-ge.patch create mode 100644 0002-MU-Fix-unneeded-size-check-in-TPM2B-unmarshaling.patch create mode 100644 0003-FAPI-Fix-parameter-encryption-for-provisioning.patch delete mode 100644 0003-FAPI-Remove-fauly-free-of-an-unused-field.patch delete mode 100644 0003-Makefile.am-Use-LIBCRYPTO_CFLAGS-when-building-FAPI.patch create mode 100644 0004-FAPI-Fix-missing-parameter-encryption-for-policy-ses.patch delete mode 100644 0004-Remove-deprecated-OpenSSL_add_all_algorithms.patch delete mode 100644 0004-Test-Remove-duplicate-openssl-req-new.patch create mode 100644 0005-FAPI-Fix-missing-parameter-encryption-for-some-HMAC-.patch delete mode 100644 0005-FAPI-Test-Call-EVP_DigestSignInit-in-the-correct-ord.patch delete mode 100644 0005-Use-default-OpenSSL-context-for-internal-crypto-oper.patch delete mode 100644 0006-FAPI-Add-policy-computation-for-create-primary.patch create mode 100644 0006-FAPI-Fix-usage-of-persistent-handles.patch delete mode 100644 0006-FAPI-Test-Use-EVP_PKEY_base_id-to-detect-key-type.patch delete mode 100644 0007-FAPI-Fix-loading-of-primary-keys.patch delete mode 100644 0007-FAPI-Test-Change-RSA_sign-to-EVP_PKEY_sign.patch create mode 100644 0007-build-Fix-failed-build-with-disable-vendor.patch create mode 100644 0008-FAPI-Fapi_GetInfo-display-warning-for-SHA3-hash-algs.patch delete mode 100644 0008-Fix-file-descriptor-leak-when-tcti-initialization-fa.patch delete mode 100644 0008-Require-OpenSSL-1.1.0.patch delete mode 100644 0009-FAPI-Change-SHA256_Update-to-EVP_DigestUpdate.patch delete mode 100644 0009-FAPI-Fix-leak-in-fapi-crypto-with-ossl3.patch create mode 100644 0009-FAPI-Skip-provisioning-test-for-nv-ext-and-profile-p.patch delete mode 100644 0010-FAPI-Fix-memory-leak-after-ifapi_init_primary_finish.patch create mode 100644 0010-FAPI-Fix-wrong-allocation-of-pcr-policy.patch delete mode 100644 0010-Test-Use-EVP_MAC_xxx-with-OpenSSL-3.0.patch delete mode 100644 0011-Drop-support-for-OpenSSL-1.1.0.patch delete mode 100644 0011-esys-Return-an-error-if-ESYS_TR_NONE-is-passed-to-Es.patch delete mode 100644 0012-FAPI-Fixed-memory-leak-when-ifapi_get_certificates-f.patch delete mode 100644 0012-Implement-EVP_PKEY-export-import-for-OpenSSL-3.0.patch delete mode 100644 0013-FAPI-Free-object-when-keystore_search_obj-failed.patch delete mode 100644 0014-FAPI-Fixed-the-memory-leak-of-command-data-when-Fapi.patch delete mode 100644 0015-ESYS-Fixed-annotation-error-of-Esys_TR_Deserialize.patch delete mode 100644 0016-FAPI-Clean-up-memory-when-Fapi_Delete_Async-failed.patch delete mode 100644 0017-FAPI-Clean-up-memory-when-Fapi_GetEsysBlob_Async-fai.patch delete mode 100644 0018-FAPI-Initialize-object-used-for-keystore-search.patch delete mode 100644 0019-MU-Fix-buffer-upcast-leading-to-misalignment.patch delete mode 100644 0021-sapi-scope-command-handles.patch delete mode 100644 0022-fapi-use-correct-userdata-for-cbauthnv.patch delete mode 100644 0023-SAPI-fix-number-of-handles-for-FlushContext.patch diff --git a/0001-FAPI-Fix-reading-of-the-root-certificate-for-provisi.patch b/0001-FAPI-Fix-reading-of-the-root-certificate-for-provisi.patch deleted file mode 100644 index 7bc8738..0000000 --- a/0001-FAPI-Fix-reading-of-the-root-certificate-for-provisi.patch +++ /dev/null @@ -1,61 +0,0 @@ -From c14bd543879f2336e57aa2dff0b437407d858272 Mon Sep 17 00:00:00 2001 -From: Juergen Repp -Date: Fri, 19 Feb 2021 14:32:45 +0100 -Subject: FAPI: Fix reading of the root certificate for - provisioning. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -* The root certificate defined by the environment variable FAPI_TEST_ROOT_CERT will - only be used if it's allowed to use self generated root certificate with - ./configure --enable-self-generated-certificate - -* This option is added to all integration tests which are using the TPM simulator. - - - Compared to the upstream commit 199b4edc the changes to CI config files - are omitted. - -Signed-off-by: Juergen Repp ---- - configure.ac | 8 ++++++++ - src/tss2-fapi/api/Fapi_Provision.c | 4 ++++ - 2 files changed, 12 insertions(+) - -diff --git a/configure.ac b/configure.ac -index f4df879c..d3bbb93d 100755 ---- a/configure.ac -+++ b/configure.ac -@@ -440,6 +440,14 @@ AC_ARG_ENABLE([weakcrypto], - AS_IF([test "x$enable_weakcrypto" = "xyes"], - AC_DEFINE([DISABLE_WEAK_CRYPTO],[1],[DISABLE WEAK CRYPTO ALGORITHMS])) - -+AC_ARG_ENABLE([self-generated-certificate], -+ [AS_HELP_STRING([--enable-self-generated-certificate], -+ [Alllow usage of self generated root certifcate])],, -+ [enable_self_generated_certificate=no]) -+AS_IF([test "x$enable_self_generated_certificate" == xyes], -+ [AC_DEFINE([SELF_GENERATED_CERTIFICATE],[1], [Allow usage of self generated root certifcate])]) -+ -+ - AC_SUBST([PATH]) - - dnl --------- Doxy Gen ----------------------- -diff --git a/src/tss2-fapi/api/Fapi_Provision.c b/src/tss2-fapi/api/Fapi_Provision.c -index 00534a2e..9cf804ad 100644 ---- a/src/tss2-fapi/api/Fapi_Provision.c -+++ b/src/tss2-fapi/api/Fapi_Provision.c -@@ -797,7 +797,11 @@ Fapi_Provision_Finish(FAPI_CONTEXT *context) - - statecase(context->state, PROVISION_PREPARE_READ_ROOT_CERT); - /* Prepare reading of root certificate. */ -+ root_ca_file = NULL; -+#ifdef SELF_GENERATED_CERTIFICATE -+#pragma message ( "*** Allow self generated certifcate ***" ) - root_ca_file = getenv("FAPI_TEST_ROOT_CERT"); -+#endif - if (!root_ca_file) { - context->state = PROVISION_EK_CHECK_CERT; - return TSS2_FAPI_RC_TRY_AGAIN; --- -2.26.3 diff --git a/0001-esys_crypto_ossl-remove-non-needed-_ex-OSSL-funcs.patch b/0001-esys_crypto_ossl-remove-non-needed-_ex-OSSL-funcs.patch deleted file mode 100644 index 4a5dda9..0000000 --- a/0001-esys_crypto_ossl-remove-non-needed-_ex-OSSL-funcs.patch +++ /dev/null @@ -1,99 +0,0 @@ -From 446aef29b5e5d376a3724dbf95c851ac82baeb7f Mon Sep 17 00:00:00 2001 -From: William Roberts -Date: Thu, 19 Nov 2020 11:09:56 -0600 -Subject: [PATCH 01/23] esys_crypto_ossl: remove non-needed _ex OSSL funcs - -Some of the OSSL _ex suffixed routines remained even after the ENGINE -pointer was removed. The _ex functions with NULL engine don't do -anything different then the non _ex suffixed ones. One _ex routine -remains, RSA_generate_key_ex, becuase the _ex version is deprecated. - -Signed-off-by: William Roberts ---- - src/tss2-esys/esys_crypto_ossl.c | 23 +++++++++++------------ - 1 file changed, 11 insertions(+), 12 deletions(-) - -diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c -index 392f97ae..6856e92d 100644 ---- a/src/tss2-esys/esys_crypto_ossl.c -+++ b/src/tss2-esys/esys_crypto_ossl.c -@@ -136,10 +136,9 @@ iesys_cryptossl_hash_start(IESYS_CRYPTO_CONTEXT_BLOB ** context, - goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Error EVP_MD_CTX_create", cleanup); - } - -- if (1 != EVP_DigestInit_ex(mycontext->hash.ossl_context, -- mycontext->hash.ossl_hash_alg, -- NULL)) { -- goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Errror EVP_DigestInit_ex", cleanup); -+ if (1 != EVP_DigestInit(mycontext->hash.ossl_context, -+ mycontext->hash.ossl_hash_alg)) { -+ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Errror EVP_DigestInit", cleanup); - } - - *context = (IESYS_CRYPTO_CONTEXT_BLOB *) mycontext; -@@ -241,13 +240,13 @@ iesys_cryptossl_hash_finish(IESYS_CRYPTO_CONTEXT_BLOB ** context, - return_error(TSS2_ESYS_RC_BAD_SIZE, "Buffer too small"); - } - -- if (1 != EVP_DigestFinal_ex(mycontext->hash.ossl_context, buffer, &digest_size)) { -+ if (1 != EVP_DigestFinal(mycontext->hash.ossl_context, buffer, &digest_size)) { - return_error(TSS2_ESYS_RC_GENERAL_FAILURE, "Ossl error."); - } - - if (digest_size != mycontext->hash.hash_len) { - return_error(TSS2_ESYS_RC_GENERAL_FAILURE, -- "Invalid size computed by EVP_DigestFinal_ex"); -+ "Invalid size computed by EVP_DigestFinal"); - } - - LOGBLOB_TRACE(buffer, mycontext->hash.hash_len, "read hash result"); -@@ -1056,11 +1055,11 @@ iesys_cryptossl_sym_aes_encrypt(uint8_t * key, - "Initialize cipher context", cleanup); - } - -- if (1 != EVP_EncryptInit_ex(ctx, cipher_alg, NULL, key, iv)) { -+ if (1 != EVP_EncryptInit(ctx, cipher_alg,key, iv)) { - goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, - "Initialize cipher operation", cleanup); - } -- if (1 != EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv)) { -+ if (1 != EVP_EncryptInit(ctx, NULL, key, iv)) { - goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Set key and iv", cleanup); - } - -@@ -1069,7 +1068,7 @@ iesys_cryptossl_sym_aes_encrypt(uint8_t * key, - goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Encrypt update", cleanup); - } - -- if (1 != EVP_EncryptFinal_ex(ctx, buffer, &cipher_len)) { -+ if (1 != EVP_EncryptFinal(ctx, buffer, &cipher_len)) { - goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Encrypt final", cleanup); - } - LOGBLOB_TRACE(buffer, buffer_size, "IESYS AES output"); -@@ -1144,12 +1143,12 @@ iesys_cryptossl_sym_aes_decrypt(uint8_t * key, - - LOGBLOB_TRACE(buffer, buffer_size, "IESYS AES input"); - -- if (1 != EVP_DecryptInit_ex(ctx, cipher_alg, NULL, key, iv)) { -+ if (1 != EVP_DecryptInit(ctx, cipher_alg, key, iv)) { - goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, - "Initialize cipher operation", cleanup); - } - -- if (1 != EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv)) { -+ if (1 != EVP_DecryptInit(ctx, NULL, key, iv)) { - goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Set key and iv", cleanup); - } - -@@ -1158,7 +1157,7 @@ iesys_cryptossl_sym_aes_decrypt(uint8_t * key, - goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Encrypt update", cleanup); - } - -- if (1 != EVP_DecryptFinal_ex(ctx, buffer, &cipher_len)) { -+ if (1 != EVP_DecryptFinal(ctx, buffer, &cipher_len)) { - goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Encrypt final", cleanup); - } - LOGBLOB_TRACE(buffer, buffer_size, "IESYS AES output"); --- -2.34.3 - diff --git a/0020-esys_iutil-fix-possible-NPD.patch b/0001-esys_iutil-fix-possible-NPD.patch similarity index 87% rename from 0020-esys_iutil-fix-possible-NPD.patch rename to 0001-esys_iutil-fix-possible-NPD.patch index 5c940e3..20e6eb3 100644 --- a/0020-esys_iutil-fix-possible-NPD.patch +++ b/0001-esys_iutil-fix-possible-NPD.patch @@ -1,7 +1,7 @@ -From f140a8e5fdb2f3b9fbc3b32d1a844554008c2298 Mon Sep 17 00:00:00 2001 +From f5907e96363729e16475172ef1056532d9404482 Mon Sep 17 00:00:00 2001 From: William Roberts Date: Fri, 3 Jun 2022 11:51:02 -0500 -Subject: [PATCH 20/23] esys_iutil: fix possible NPD +Subject: [PATCH 1/2] esys_iutil: fix possible NPD Clang-10 scan-build reports: src/tss2-esys/esys_iutil.c:1366:56: warning: Dereference of null pointer @@ -24,10 +24,10 @@ Signed-off-by: William Roberts 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/tss2-esys/esys_iutil.c b/src/tss2-esys/esys_iutil.c -index 0cc92ca5..493f9b28 100644 +index 4d31cef8..b364dd73 100644 --- a/src/tss2-esys/esys_iutil.c +++ b/src/tss2-esys/esys_iutil.c -@@ -1339,7 +1339,7 @@ iesys_gen_auths(ESYS_CONTEXT * esys_context, +@@ -1352,7 +1352,7 @@ iesys_gen_auths(ESYS_CONTEXT * esys_context, && encryptNonceIdx > 0) ? encryptNonce : NULL, &auths->auths[session_idx]); return_if_error(r, "Error while computing hmacs"); @@ -37,5 +37,5 @@ index 0cc92ca5..493f9b28 100644 auths->count++; } -- -2.34.3 +2.39.2 diff --git a/0001-tss2-rc-fix-unknown-layer-handler-dropping-bits.patch b/0001-tss2-rc-fix-unknown-layer-handler-dropping-bits.patch new file mode 100644 index 0000000..0c7930d --- /dev/null +++ b/0001-tss2-rc-fix-unknown-layer-handler-dropping-bits.patch @@ -0,0 +1,65 @@ +From eb2fd8b436688377a20d24a467fd03e62d3e6c06 Mon Sep 17 00:00:00 2001 +From: William Roberts +Date: Tue, 24 Jan 2023 10:01:23 -0600 +Subject: [PATCH 01/10] tss2-rc: fix unknown layer handler dropping bits + +The commit (on 4.0.1 and master): + - 49107d65d5c7 tss2_rc: ensure layer number is in bounds + +Introduces a bug where the right shift by 8 drops the lower byte going +into the unknown_layer handler function. This will effectively drop rc +error bits for unknown layers. The largest impact will be on windows +where their resource manager is not a registered handler. + +Fix this by just dumping all the bytes and not get fancy with masking +things out. + +Fixes: #2550 + +Signed-off-by: William Roberts +--- + src/tss2-rc/tss2_rc.c | 4 ++-- + test/unit/test_tss2_rc.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/tss2-rc/tss2_rc.c b/src/tss2-rc/tss2_rc.c +index 7e668a46..6de7d6f3 100644 +--- a/src/tss2-rc/tss2_rc.c ++++ b/src/tss2-rc/tss2_rc.c +@@ -985,9 +985,9 @@ Tss2_RC_Decode(TSS2_RC rc) + } else { + /* + * we don't want to drop any bits if we don't know what to do with it +- * so drop the layer byte since we we already have that. ++ * so just send the whole thing. + */ +- const char *e = unknown_layer_handler(rc >> 8); ++ const char *e = unknown_layer_handler(rc); + assert(e); + catbuf(buf, "%s", e); + } +diff --git a/test/unit/test_tss2_rc.c b/test/unit/test_tss2_rc.c +index 0b0f57c6..e5051c85 100644 +--- a/test/unit/test_tss2_rc.c ++++ b/test/unit/test_tss2_rc.c +@@ -199,7 +199,7 @@ test_custom_handler(void **state) + * Test an unknown layer + */ + e = Tss2_RC_Decode(rc); +- assert_string_equal(e, "1:0x100"); ++ assert_string_equal(e, "1:0x1002A"); + } + + static void +@@ -288,7 +288,7 @@ test_all_FFs(void **state) + (void) state; + + const char *e = Tss2_RC_Decode(0xFFFFFFFF); +- assert_string_equal(e, "255:0xFFFFFF"); ++ assert_string_equal(e, "255:0xFFFFFFFF"); + } + + static void +-- +2.41.0 + diff --git a/0002-FAPI-Remove-useless-code-get_engine.patch b/0002-FAPI-Remove-useless-code-get_engine.patch deleted file mode 100644 index 045dca2..0000000 --- a/0002-FAPI-Remove-useless-code-get_engine.patch +++ /dev/null @@ -1,63 +0,0 @@ -From 53a5ba5c8476097fb5145cee4bed61b82d0cc225 Mon Sep 17 00:00:00 2001 -From: Juergen Repp -Date: Mon, 7 Jun 2021 09:47:30 +0200 -Subject: [PATCH 02/23] FAPI: Remove useless code get_engine. - -The function did always return NULL. So the default engine was used. -Fixes #2085 - -Signed-off-by: Juergen Repp ---- - src/tss2-fapi/fapi_crypto.c | 22 +--------------------- - 1 file changed, 1 insertion(+), 21 deletions(-) - -diff --git a/src/tss2-fapi/fapi_crypto.c b/src/tss2-fapi/fapi_crypto.c -index c50b5f0a..9c7e566c 100644 ---- a/src/tss2-fapi/fapi_crypto.c -+++ b/src/tss2-fapi/fapi_crypto.c -@@ -56,9 +56,6 @@ typedef struct _IFAPI_CRYPTO_CONTEXT { - size_t hashSize; - } IFAPI_CRYPTO_CONTEXT; - --/** A singleton crypto engine for hash operations */ --static ENGINE *engine = NULL; -- - /** - * Returns the signature scheme that is currently used in the FAPI context. - * -@@ -228,23 +225,6 @@ ifapi_bn2binpad(const BIGNUM *bn, unsigned char *bin, int binSize) - return 1; - } - --/** -- * Returns the singleton hash engine for the use in ifapi_hash operations. If -- * it does not yet exist, this function creates it. -- * -- * @retval A singleton hash engine -- */ --static ENGINE * --get_engine() --{ -- /* If an engine is present, it is returned */ -- if (engine) -- return engine; -- /* Otherwise, engine is created and returned */ -- engine = ENGINE_by_id(NULL); -- return engine; --} -- - /** - * Returns a suitable openSSL hash algorithm identifier for a given TSS hash - * algorithm identifier. -@@ -1558,7 +1538,7 @@ ifapi_crypto_hash_start(IFAPI_CRYPTO_CONTEXT_BLOB **context, - } - - if (1 != EVP_DigestInit_ex(mycontext->osslContext, -- mycontext->osslHashAlgorithm, get_engine())) { -+ mycontext->osslHashAlgorithm, NULL)) { - goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Error EVP_DigestInit_ex", - cleanup); - } --- -2.34.3 - diff --git a/0002-FAPI-use-FAPI_TEST_EK_CERT_LESS-with-disable-self-ge.patch b/0002-FAPI-use-FAPI_TEST_EK_CERT_LESS-with-disable-self-ge.patch deleted file mode 100644 index af47f2d..0000000 --- a/0002-FAPI-use-FAPI_TEST_EK_CERT_LESS-with-disable-self-ge.patch +++ /dev/null @@ -1,42 +0,0 @@ -From d680ea548b3ab066f6bea625af5d4000ca32cfee Mon Sep 17 00:00:00 2001 -From: Jonas Witschel -Date: Mon, 1 Mar 2021 20:00:17 +0100 -Subject: FAPI: use FAPI_TEST_EK_CERT_LESS with - --disable-self-generated-certificate -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Since commit 199b4edc265b2f4758aa22ebf4ed6472a34b9a7a ("FAPI: Fix reading of -the root certificate for provisioning.") it is required to specify ---enable-self-generated-certificate in order to make the FAPI integration tests -pass. This is an option that should usually not be enabled in production builds -for security reasons, but still some form of integration testing might be -desirable in this case to verify whether the compiled library works as -expected. Use FAPI_TEST_EK_CERT_LESS in this case to run the tests without EK -certificate validation. - -Signed-off-by: Jonas Witschel ---- - configure.ac | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/configure.ac b/configure.ac -index d3bbb93d..d4324c9a 100755 ---- a/configure.ac -+++ b/configure.ac -@@ -444,8 +444,9 @@ AC_ARG_ENABLE([self-generated-certificate], - [AS_HELP_STRING([--enable-self-generated-certificate], - [Alllow usage of self generated root certifcate])],, - [enable_self_generated_certificate=no]) --AS_IF([test "x$enable_self_generated_certificate" == xyes], -- [AC_DEFINE([SELF_GENERATED_CERTIFICATE],[1], [Allow usage of self generated root certifcate])]) -+AS_IF([test "x$enable_self_generated_certificate" = xyes], -+ [AC_DEFINE([SELF_GENERATED_CERTIFICATE], [1], [Allow usage of self generated root certificate])], -+ [AS_IF([test "x$integration_tcti" != "xdevice"], [AC_DEFINE([FAPI_TEST_EK_CERT_LESS], [1], [Perform integration tests without EK certificate verification])])]) - - - AC_SUBST([PATH]) --- -2.26.3 - diff --git a/0002-MU-Fix-unneeded-size-check-in-TPM2B-unmarshaling.patch b/0002-MU-Fix-unneeded-size-check-in-TPM2B-unmarshaling.patch new file mode 100644 index 0000000..f6b7d65 --- /dev/null +++ b/0002-MU-Fix-unneeded-size-check-in-TPM2B-unmarshaling.patch @@ -0,0 +1,65 @@ +From 6e4f8823ca6f7f062df3cd4ee88e397fac9adc37 Mon Sep 17 00:00:00 2001 +From: Juergen Repp +Date: Thu, 9 Feb 2023 15:22:08 +0100 +Subject: [PATCH 02/10] MU: Fix unneeded size check in TPM2B unmarshaling + +There is a size check for the destination object whether the size is zero. +If the memory of the destination object is no cleared this might cause +a race conditions. +Unneeded tests from the integration test tpmclient were removed. +Fixes: #2564 + +Signed-off-by: Juergen Repp +--- + src/tss2-mu/tpm2b-types.c | 6 +----- + test/tpmclient/tpmclient.int.c | 9 --------- + 2 files changed, 1 insertion(+), 14 deletions(-) + +diff --git a/src/tss2-mu/tpm2b-types.c b/src/tss2-mu/tpm2b-types.c +index 2e10f487..6e8915f6 100644 +--- a/src/tss2-mu/tpm2b-types.c ++++ b/src/tss2-mu/tpm2b-types.c +@@ -248,11 +248,7 @@ TSS2_RC Tss2_MU_##type##_Unmarshal(uint8_t const buffer[], size_t buffer_size, \ + sizeof(size)); \ + return TSS2_MU_RC_INSUFFICIENT_BUFFER; \ + } \ +- if (dest && dest->size != 0) { \ +- LOG_WARNING("Size not zero"); \ +- return TSS2_SYS_RC_BAD_VALUE; \ +- } \ +-\ ++ \ + rc = Tss2_MU_UINT16_Unmarshal(buffer, buffer_size, &local_offset, &size); \ + if (rc) \ + return rc; \ +diff --git a/test/tpmclient/tpmclient.int.c b/test/tpmclient/tpmclient.int.c +index deedcfb7..16443955 100644 +--- a/test/tpmclient/tpmclient.int.c ++++ b/test/tpmclient/tpmclient.int.c +@@ -847,12 +847,6 @@ static void TestHierarchyControl() + rval = Tss2_Sys_NV_DefineSpace( sysContext, TPM2_RH_PLATFORM, &sessionsData, &nvAuth, &publicInfo, 0 ); + CheckPassed( rval ); + +- /* Test SYS for case where nvPublic.size != 0 */ +- nvPublic.size = 0xff; +- INIT_SIMPLE_TPM2B_SIZE( nvName ); +- rval = Tss2_Sys_NV_ReadPublic( sysContext, TPM20_INDEX_TEST1, 0, &nvPublic, &nvName, 0 ); +- CheckFailed( rval, TSS2_SYS_RC_BAD_VALUE ); +- + nvPublic.size = 0; + INIT_SIMPLE_TPM2B_SIZE( nvName ); + rval = Tss2_Sys_NV_ReadPublic( sysContext, TPM20_INDEX_TEST1, 0, &nvPublic, &nvName, 0 ); +@@ -2135,10 +2129,7 @@ static void EcEphemeralTest() + + LOG_INFO("EC Ephemeral TESTS:" ); + +- /* Test SYS for case of Q size field not being set to 0. */ + INIT_SIMPLE_TPM2B_SIZE( Q ); +- rval = Tss2_Sys_EC_Ephemeral( sysContext, 0, TPM2_ECC_BN_P256, &Q, &counter, 0 ); +- CheckFailed( rval, TSS2_SYS_RC_BAD_VALUE ); + + Q.size = 0; + rval = Tss2_Sys_EC_Ephemeral( sysContext, 0, TPM2_ECC_BN_P256, &Q, &counter, 0 ); +-- +2.41.0 + diff --git a/0003-FAPI-Fix-parameter-encryption-for-provisioning.patch b/0003-FAPI-Fix-parameter-encryption-for-provisioning.patch new file mode 100644 index 0000000..955acd1 --- /dev/null +++ b/0003-FAPI-Fix-parameter-encryption-for-provisioning.patch @@ -0,0 +1,78 @@ +From d486edf730d652c8ab2fc50eb00e45223b43628f Mon Sep 17 00:00:00 2001 +From: Juergen Repp +Date: Tue, 14 Feb 2023 19:52:28 +0100 +Subject: [PATCH 03/10] FAPI: Fix parameter encryption for provisioning + +Currently no parameter encryption was made during provisioning. +Now the EK es used as tpmkey for the create primary session of +the SRK and the SRK is used for parameter encryption of the +other command executed during provisioning. + +Signed-off-by: Juergen Repp +--- + src/tss2-fapi/api/Fapi_Provision.c | 6 ++++-- + src/tss2-fapi/fapi_int.h | 7 ++++--- + src/tss2-fapi/fapi_util.c | 5 ++++- + 3 files changed, 12 insertions(+), 6 deletions(-) + +diff --git a/src/tss2-fapi/api/Fapi_Provision.c b/src/tss2-fapi/api/Fapi_Provision.c +index 97c25828..48f2fd3b 100644 +--- a/src/tss2-fapi/api/Fapi_Provision.c ++++ b/src/tss2-fapi/api/Fapi_Provision.c +@@ -884,7 +884,8 @@ Fapi_Provision_Finish(FAPI_CONTEXT *context) + statecase(context->state, PROVISION_INIT_SRK); + /* Create session which will be used for SRK generation. */ + context->srk_handle = context->ek_handle; +- r = ifapi_get_sessions_async(context, IFAPI_SESSION1, 0, 0); ++ r = ifapi_get_sessions_async(context, IFAPI_SESSION_USE_SRK | IFAPI_SESSION1, ++ TPMA_SESSION_DECRYPT, 0); + goto_if_error_reset_state(r, "Create sessions", error_cleanup); + + fallthrough; +@@ -1084,7 +1085,8 @@ Fapi_Provision_Finish(FAPI_CONTEXT *context) + try_again_or_error_goto(r, "Cleanup", error_cleanup); + + /* Create session which will be used for parameter encryption. */ +- r = ifapi_get_sessions_async(context, IFAPI_SESSION1, 0, 0); ++ r = ifapi_get_sessions_async(context, IFAPI_SESSION_USE_SRK | IFAPI_SESSION1, ++ TPMA_SESSION_DECRYPT, 0); + goto_if_error_reset_state(r, "Create sessions", error_cleanup); + + fallthrough; +diff --git a/src/tss2-fapi/fapi_int.h b/src/tss2-fapi/fapi_int.h +index 5f666a75..8533112a 100644 +--- a/src/tss2-fapi/fapi_int.h ++++ b/src/tss2-fapi/fapi_int.h +@@ -55,9 +55,10 @@ typedef UINT32 TSS2_KEY_TYPE; + #define MAX_PLATFORM_CERT_HANDLE 0x01C0FFFF + + typedef UINT8 IFAPI_SESSION_TYPE; +-#define IFAPI_SESSION_GENEK 0x01 +-#define IFAPI_SESSION1 0x02 +-#define IFAPI_SESSION2 0x04 ++#define IFAPI_SESSION_GENEK 0x01 ++#define IFAPI_SESSION1 0x02 ++#define IFAPI_SESSION2 0x04 ++#define IFAPI_SESSION_USE_SRK 0x08 + + #define IFAPI_POLICY_PATH "policy" + #define IFAPI_NV_PATH "nv" +diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c +index 44dd4168..ded0d247 100644 +--- a/src/tss2-fapi/fapi_util.c ++++ b/src/tss2-fapi/fapi_util.c +@@ -1327,7 +1327,10 @@ ifapi_get_sessions_async(FAPI_CONTEXT *context, + context->session2_attribute_flags = attribute_flags2; + char *file = NULL; + +- if (!(session_flags & IFAPI_SESSION_GENEK)) { ++ if (session_flags & IFAPI_SESSION_USE_SRK) { ++ context->session_state = SESSION_CREATE_SESSION; ++ return TSS2_RC_SUCCESS; ++ } else if (!(session_flags & IFAPI_SESSION_GENEK)) { + context->srk_handle = ESYS_TR_NONE; + context->session_state = SESSION_CREATE_SESSION; + return TSS2_RC_SUCCESS; +-- +2.41.0 + diff --git a/0003-FAPI-Remove-fauly-free-of-an-unused-field.patch b/0003-FAPI-Remove-fauly-free-of-an-unused-field.patch deleted file mode 100644 index cbebb20..0000000 --- a/0003-FAPI-Remove-fauly-free-of-an-unused-field.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 29f7b2855a9d1378bb8a757564e1f0367a84cb70 Mon Sep 17 00:00:00 2001 -From: Juergen Repp -Date: Tue, 3 Aug 2021 16:24:41 +0200 -Subject: [PATCH 03/23] FAPI: Remove fauly free of an unused field. - -The field out_data in IFAPI_Data_EncryptDecrypt was not used but freed in Fapi_Encrypt. - -Signed-off-by: Juergen Repp ---- - src/tss2-fapi/api/Fapi_Encrypt.c | 1 - - src/tss2-fapi/fapi_int.h | 1 - - 2 files changed, 2 deletions(-) - -diff --git a/src/tss2-fapi/api/Fapi_Encrypt.c b/src/tss2-fapi/api/Fapi_Encrypt.c -index 2e892351..af8e2c58 100644 ---- a/src/tss2-fapi/api/Fapi_Encrypt.c -+++ b/src/tss2-fapi/api/Fapi_Encrypt.c -@@ -405,7 +405,6 @@ error_cleanup: - SAFE_FREE(tpmCipherText); - SAFE_FREE(command->keyPath); - SAFE_FREE(command->in_data); -- SAFE_FREE(command->out_data); - ifapi_session_clean(context); - LOG_TRACE("finished"); - return r; -diff --git a/src/tss2-fapi/fapi_int.h b/src/tss2-fapi/fapi_int.h -index 90707da1..13c0333e 100644 ---- a/src/tss2-fapi/fapi_int.h -+++ b/src/tss2-fapi/fapi_int.h -@@ -386,7 +386,6 @@ typedef struct { - uint8_t const *in_data; - size_t in_dataSize; - IFAPI_OBJECT *key_object; /**< The IPAPI object for the encryption key */ -- uint8_t *out_data; /**< The output of symmetric encrypt/decryption */ - ESYS_TR key_handle; /**< The ESYS handle of the encryption key */ - size_t numBytes; /**< The number of bytes of a ESYS request */ - size_t decrypt; /**< Switch whether to encrypt or decrypt */ --- -2.34.3 - diff --git a/0003-Makefile.am-Use-LIBCRYPTO_CFLAGS-when-building-FAPI.patch b/0003-Makefile.am-Use-LIBCRYPTO_CFLAGS-when-building-FAPI.patch deleted file mode 100644 index 3da7764..0000000 --- a/0003-Makefile.am-Use-LIBCRYPTO_CFLAGS-when-building-FAPI.patch +++ /dev/null @@ -1,29 +0,0 @@ -From c5933320e1bd557cc52f2d56baec4ea52edfbc47 Mon Sep 17 00:00:00 2001 -From: Petr Gotthard -Date: Sat, 17 Jul 2021 20:15:51 +0200 -Subject: Makefile.am: Use LIBCRYPTO_CFLAGS when building FAPI -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Signed-off-by: Petr Gotthard ---- - Makefile.am | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/Makefile.am b/Makefile.am -index f2fa515a..0f759adb 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -521,7 +521,7 @@ src_tss2_fapi_libtss2_fapi_la_LIBADD = $(libtss2_sys) $(libtss2_mu) $(libtss2_e - $(libutil) $(libtss2_tctildr) - - src_tss2_fapi_libtss2_fapi_la_SOURCES = $(TSS2_FAPI_SRC) --src_tss2_fapi_libtss2_fapi_la_CFLAGS = $(AM_CFLAGS) -I$(srcdir)/src/tss2-fapi -+src_tss2_fapi_libtss2_fapi_la_CFLAGS = $(AM_CFLAGS) -I$(srcdir)/src/tss2-fapi $(LIBCRYPTO_CFLAGS) - src_tss2_fapi_libtss2_fapi_la_LDFLAGS = $(AM_LDFLAGS) $(LIBCRYPTO_LIBS) $(JSONC_LIBS) $(CURL_LIBS) - if HAVE_LD_VERSION_SCRIPT - src_tss2_fapi_libtss2_fapi_la_LDFLAGS += -Wl,--version-script=$(srcdir)/lib/tss2-fapi.map --- -2.26.3 - diff --git a/0004-FAPI-Fix-missing-parameter-encryption-for-policy-ses.patch b/0004-FAPI-Fix-missing-parameter-encryption-for-policy-ses.patch new file mode 100644 index 0000000..28b2a3d --- /dev/null +++ b/0004-FAPI-Fix-missing-parameter-encryption-for-policy-ses.patch @@ -0,0 +1,101 @@ +From 6bb79f17b89592909830f872dc47d09c0e5dadda Mon Sep 17 00:00:00 2001 +From: Juergen Repp +Date: Fri, 3 Mar 2023 11:17:43 +0100 +Subject: [PATCH 04/10] FAPI: Fix missing parameter encryption for policy + sessions. + +The parameter encryption for policy sessions was not enabled. +Now the parameter encryption is enabled and the auth value of +objects is added to the session key. +One exception is the cp hash policy. In this case the +the cp hash check forced by this policy would fail with an +encrypted parameter. + +Signed-off-by: Juergen Repp +--- + src/tss2-fapi/fapi_util.c | 28 ++++++++++++------------ + src/tss2-fapi/ifapi_policy_execute.c | 5 +++++ + src/tss2-fapi/ifapi_policyutil_execute.c | 4 ++++ + 3 files changed, 23 insertions(+), 14 deletions(-) + +diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c +index ded0d247..55ce3327 100644 +--- a/src/tss2-fapi/fapi_util.c ++++ b/src/tss2-fapi/fapi_util.c +@@ -2110,21 +2110,20 @@ ifapi_authorize_object(FAPI_CONTEXT *context, IFAPI_OBJECT *object, ESYS_TR *ses + statecase(object->authorization_state, AUTH_INIT) + LOG_TRACE("**STATE** AUTH_INIT"); + +- if (!policy_digest_size(object)) { +- /* No policy used authorization callbacks have to be called if necessary. */ +- if (object_with_auth(object)) { +- /* Check whether hierarchy was already authorized. */ +- if (object->objectType != IFAPI_HIERARCHY_OBJ || +- !object->misc.hierarchy.authorized) { +- char *description = NULL; +- r = ifapi_get_description(object, &description); +- return_if_error(r, "Get description"); +- +- r = ifapi_set_auth(context, object, description); +- SAFE_FREE(description); +- return_if_error(r, "Set auth value"); +- } ++ if (object_with_auth(object)) { ++ /* Check whether hierarchy was already authorized. */ ++ if (object->objectType != IFAPI_HIERARCHY_OBJ || ++ !object->misc.hierarchy.authorized) { ++ char *description = NULL; ++ r = ifapi_get_description(object, &description); ++ return_if_error(r, "Get description"); ++ ++ r = ifapi_set_auth(context, object, description); ++ SAFE_FREE(description); ++ return_if_error(r, "Set auth value"); + } ++ } ++ if (!policy_digest_size(object)) { + /* No policy session needed current fapi session can be used */ + if (context->session1 && context->session1 != ESYS_TR_NONE) + *session = context->session1; +@@ -2133,6 +2132,7 @@ ifapi_authorize_object(FAPI_CONTEXT *context, IFAPI_OBJECT *object, ESYS_TR *ses + *session = ESYS_TR_PASSWORD; + break; + } ++ + /* Save current object to be authorized in context. */ + context->current_auth_object = object; + r = ifapi_policyutil_execute_prepare(context, get_name_alg(context, object), +diff --git a/src/tss2-fapi/ifapi_policy_execute.c b/src/tss2-fapi/ifapi_policy_execute.c +index c2ce3301..0e7de316 100644 +--- a/src/tss2-fapi/ifapi_policy_execute.c ++++ b/src/tss2-fapi/ifapi_policy_execute.c +@@ -1245,6 +1245,11 @@ execute_policy_cp_hash( + r = Esys_PolicyCpHash_Finish(esys_ctx); + try_again_or_error(r, "Execute PolicyCpHash_Finish."); + ++ /* Disable encryption to enable check of cp hash defined in ++ policy cp. */ ++ r = Esys_TRSess_SetAttributes(esys_ctx, current_policy->session, ++ 0, 0xff); ++ + current_policy->state = POLICY_EXECUTE_INIT; + return r; + +diff --git a/src/tss2-fapi/ifapi_policyutil_execute.c b/src/tss2-fapi/ifapi_policyutil_execute.c +index 997fb504..0e2823cb 100644 +--- a/src/tss2-fapi/ifapi_policyutil_execute.c ++++ b/src/tss2-fapi/ifapi_policyutil_execute.c +@@ -119,6 +119,10 @@ create_session( + r = Esys_StartAuthSession_Finish(context->esys, session); + if (r != TSS2_RC_SUCCESS) + return r; ++ ++ r = Esys_TRSess_SetAttributes(context->esys, *session, ++ TPMA_SESSION_ENCRYPT | TPMA_SESSION_DECRYPT, ++ 0xff); + context->policy.create_session_state = CREATE_SESSION_INIT; + break; + +-- +2.41.0 + diff --git a/0004-Remove-deprecated-OpenSSL_add_all_algorithms.patch b/0004-Remove-deprecated-OpenSSL_add_all_algorithms.patch deleted file mode 100644 index 6f62186..0000000 --- a/0004-Remove-deprecated-OpenSSL_add_all_algorithms.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 3a5967ba620849839e71ee304c09a6998109466a Mon Sep 17 00:00:00 2001 -From: Petr Gotthard -Date: Mon, 2 Aug 2021 15:50:26 +0200 -Subject: [PATCH 04/23] Remove deprecated OpenSSL_add_all_algorithms - -From OpenSSL 1.1.0 it is deprecated. No explicit initialisation or -de-initialisation is required. - -Signed-off-by: Petr Gotthard ---- - src/tss2-esys/esys_crypto_ossl.c | 2 +- - src/tss2-fapi/ifapi_get_intl_cert.c | 3 --- - 2 files changed, 1 insertion(+), 4 deletions(-) - -diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c -index 6856e92d..ab08b3b8 100644 ---- a/src/tss2-esys/esys_crypto_ossl.c -+++ b/src/tss2-esys/esys_crypto_ossl.c -@@ -1173,7 +1173,7 @@ iesys_cryptossl_sym_aes_decrypt(uint8_t * key, - * - * Initialize OpenSSL internal tables. - * -- * @retval TSS2_RC_SUCCESS always returned because OpenSSL_add_all_algorithms -+ * @retval TSS2_RC_SUCCESS always returned - * does not deliver - * a return code. - */ -diff --git a/src/tss2-fapi/ifapi_get_intl_cert.c b/src/tss2-fapi/ifapi_get_intl_cert.c -index 9290a17e..35186e62 100644 ---- a/src/tss2-fapi/ifapi_get_intl_cert.c -+++ b/src/tss2-fapi/ifapi_get_intl_cert.c -@@ -375,9 +375,6 @@ out_free_json: - json_object_put(jso); - - out: -- /* In some case this call was necessary after curl usage */ -- OpenSSL_add_all_algorithms(); -- - free(hash); - if (rc == 0) { - return TSS2_RC_SUCCESS; --- -2.34.3 - diff --git a/0004-Test-Remove-duplicate-openssl-req-new.patch b/0004-Test-Remove-duplicate-openssl-req-new.patch deleted file mode 100644 index a8c4d23..0000000 --- a/0004-Test-Remove-duplicate-openssl-req-new.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 738f6f045e740c3fc21579297990d60b7c2e83ed Mon Sep 17 00:00:00 2001 -From: Petr Gotthard -Date: Sat, 17 Jul 2021 20:23:32 +0200 -Subject: Test: Remove duplicate openssl req -new -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The command is called twice, which is superfluous. Both the key -and the certificate are created already by the first command. - -Signed-off-by: Petr Gotthard ---- - script/ekca/create_ca.sh | 5 ----- - 1 file changed, 5 deletions(-) - -diff --git a/script/ekca/create_ca.sh b/script/ekca/create_ca.sh -index 90a5c791..61d976a3 100755 ---- a/script/ekca/create_ca.sh -+++ b/script/ekca/create_ca.sh -@@ -94,11 +94,6 @@ ${SED_CMD} "s|ROOTCRT|$ROOT_URL|g" $OPENSSL_CONF - - openssl req -new -out intermed-ca.req.pem -passout file:pass.txt - --openssl req -new \ -- -key private/intermed-ca.key.pem \ -- -out intermed-ca.req.pem \ -- -passin file:pass.txt -- - openssl rsa -inform PEM -in private/intermed-ca.key.pem \ - -outform DER -out private/intermed-ca.key.der -passin file:pass.txt - --- -2.26.3 - diff --git a/0005-FAPI-Fix-missing-parameter-encryption-for-some-HMAC-.patch b/0005-FAPI-Fix-missing-parameter-encryption-for-some-HMAC-.patch new file mode 100644 index 0000000..fd385af --- /dev/null +++ b/0005-FAPI-Fix-missing-parameter-encryption-for-some-HMAC-.patch @@ -0,0 +1,59 @@ +From c7cd976e7152e3f5aaa813aaebf4ab1e5d9b1f3e Mon Sep 17 00:00:00 2001 +From: Juergen Repp +Date: Sun, 5 Mar 2023 19:19:22 +0100 +Subject: [PATCH 05/10] FAPI: Fix missing parameter encryption for some HMAC + sessions. + +* For Fapi_CreateNv and Fap_NvSetBits the parameter encryption was not enabled. +* For Fapi_Unseal the response description was not enabled. + +Signed-off-by: Juergen Repp +--- + src/tss2-fapi/api/Fapi_CreateNv.c | 2 +- + src/tss2-fapi/api/Fapi_NvSetBits.c | 2 +- + src/tss2-fapi/fapi_util.c | 3 ++- + 3 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/tss2-fapi/api/Fapi_CreateNv.c b/src/tss2-fapi/api/Fapi_CreateNv.c +index 45e72e33..8160b99d 100644 +--- a/src/tss2-fapi/api/Fapi_CreateNv.c ++++ b/src/tss2-fapi/api/Fapi_CreateNv.c +@@ -399,7 +399,7 @@ Fapi_CreateNv_Finish( + context->primary_state = PRIMARY_INIT; + r = ifapi_get_sessions_async(context, + IFAPI_SESSION_GENEK | IFAPI_SESSION1, +- 0, 0); ++ TPMA_SESSION_DECRYPT, 0); + goto_if_error_reset_state(r, "Create sessions", error_cleanup); + fallthrough; + +diff --git a/src/tss2-fapi/api/Fapi_NvSetBits.c b/src/tss2-fapi/api/Fapi_NvSetBits.c +index 0615aa12..adf332e0 100644 +--- a/src/tss2-fapi/api/Fapi_NvSetBits.c ++++ b/src/tss2-fapi/api/Fapi_NvSetBits.c +@@ -282,7 +282,7 @@ Fapi_NvSetBits_Finish( + /* Prepare session for authorization */ + r = ifapi_get_sessions_async(context, + IFAPI_SESSION_GENEK | IFAPI_SESSION1, +- 0, 0); ++ TPMA_SESSION_DECRYPT, 0); + goto_if_error_reset_state(r, "Create sessions", error_cleanup); + + fallthrough; +diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c +index 55ce3327..ef4a92d0 100644 +--- a/src/tss2-fapi/fapi_util.c ++++ b/src/tss2-fapi/fapi_util.c +@@ -2743,7 +2743,8 @@ ifapi_load_key( + /* Prepare the session creation. */ + r = ifapi_get_sessions_async(context, + IFAPI_SESSION_GENEK | IFAPI_SESSION1, +- TPMA_SESSION_DECRYPT, 0); ++ TPMA_SESSION_DECRYPT | TPMA_SESSION_ENCRYPT, ++ 0); + goto_if_error_reset_state(r, "Create sessions", error_cleanup); + fallthrough; + +-- +2.41.0 + diff --git a/0005-FAPI-Test-Call-EVP_DigestSignInit-in-the-correct-ord.patch b/0005-FAPI-Test-Call-EVP_DigestSignInit-in-the-correct-ord.patch deleted file mode 100644 index 206f5de..0000000 --- a/0005-FAPI-Test-Call-EVP_DigestSignInit-in-the-correct-ord.patch +++ /dev/null @@ -1,76 +0,0 @@ -From 563f9c951d9b050378b9d3659a932c98ab587b21 Mon Sep 17 00:00:00 2001 -From: Petr Gotthard -Date: Sat, 17 Jul 2021 21:22:28 +0200 -Subject: FAPI Test: Call EVP_DigestSignInit in the correct order -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The EVP_DigestSignInit should be called only once and before calling -EVP_PKEY_CTX_set_rsa_padding. See a corresponding example -[here](https://www.openssl.org/docs/man1.0.2/man3/EVP_PKEY_sign_init.html) - -Current code works with OpenSSL 1.x, but fails with OpenSSL 3.0. -This PR makes the code compatible with OpenSSL 1.0 through 3.0. - -Signed-off-by: Petr Gotthard ---- - test/integration/fapi-data-crypt.int.c | 8 ++------ - test/integration/fapi-key-create-policy-signed.int.c | 8 ++------ - 2 files changed, 4 insertions(+), 12 deletions(-) - -diff --git a/test/integration/fapi-data-crypt.int.c b/test/integration/fapi-data-crypt.int.c -index b2d20b28..d42466db 100644 ---- a/test/integration/fapi-data-crypt.int.c -+++ b/test/integration/fapi-data-crypt.int.c -@@ -129,8 +129,8 @@ signatureCallback( - mdctx = EVP_MD_CTX_create(); - chknull(mdctx); - -- if (1 != EVP_DigestSignInit(mdctx, &pctx, NULL, NULL, priv_key)) { -- goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL digest sign init.", -+ if (1 != EVP_DigestSignInit(mdctx, &pctx, ossl_hash, NULL, priv_key)) { -+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.", - error_cleanup); - } - if (EVP_PKEY_type(EVP_PKEY_id(priv_key)) == EVP_PKEY_RSA) { -@@ -140,10 +140,6 @@ signatureCallback( - error_cleanup); - } - } -- if (1 != EVP_DigestSignInit(mdctx, &pctx, ossl_hash, NULL, priv_key)) { -- goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.", -- error_cleanup); -- } - if (1 != EVP_DigestSignUpdate(mdctx, dataToSign, dataToSignSize)) { - goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign update.", - error_cleanup); -diff --git a/test/integration/fapi-key-create-policy-signed.int.c b/test/integration/fapi-key-create-policy-signed.int.c -index e51289a6..b903dec0 100644 ---- a/test/integration/fapi-key-create-policy-signed.int.c -+++ b/test/integration/fapi-key-create-policy-signed.int.c -@@ -144,8 +144,8 @@ signatureCallback( - mdctx = EVP_MD_CTX_create(); - chknull(mdctx); - -- if (1 != EVP_DigestSignInit(mdctx, &pctx, NULL, NULL, priv_key)) { -- goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL digest sign init.", -+ if (1 != EVP_DigestSignInit(mdctx, &pctx, ossl_hash, NULL, priv_key)) { -+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.", - error_cleanup); - } - if (EVP_PKEY_type(EVP_PKEY_id(priv_key)) == EVP_PKEY_RSA) { -@@ -155,10 +155,6 @@ signatureCallback( - error_cleanup); - } - } -- if (1 != EVP_DigestSignInit(mdctx, &pctx, ossl_hash, NULL, priv_key)) { -- goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.", -- error_cleanup); -- } - if (1 != EVP_DigestSignUpdate(mdctx, dataToSign, dataToSignSize)) { - goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign update.", - error_cleanup); --- -2.26.3 - diff --git a/0005-Use-default-OpenSSL-context-for-internal-crypto-oper.patch b/0005-Use-default-OpenSSL-context-for-internal-crypto-oper.patch deleted file mode 100644 index 9617245..0000000 --- a/0005-Use-default-OpenSSL-context-for-internal-crypto-oper.patch +++ /dev/null @@ -1,657 +0,0 @@ -From 5b777f29fd612f9972d416ed77b90156e2373e9f Mon Sep 17 00:00:00 2001 -From: Petr Gotthard -Date: Wed, 25 Aug 2021 14:02:38 +0200 -Subject: [PATCH 05/23] Use default OpenSSL context for internal crypto - operations - -The TPM2 provider may be loaded in the global library context. -As we don't want the TPM to be called for some operations, we have -to initialize own library context with the default provider. - -This is similar to the RAND_set_rand_method dance with older OpenSSL. - -Signed-off-by: Petr Gotthard ---- - src/tss2-esys/esys_crypto_ossl.c | 175 ++++++++++++++++++++++--------- - src/tss2-fapi/fapi_crypto.c | 152 ++++++++++++++++++--------- - 2 files changed, 225 insertions(+), 102 deletions(-) - -diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c -index ab08b3b8..35af2028 100644 ---- a/src/tss2-esys/esys_crypto_ossl.c -+++ b/src/tss2-esys/esys_crypto_ossl.c -@@ -66,38 +66,101 @@ typedef struct _IESYS_CRYPTO_CONTEXT { - } type; /**< The type of context to hold; hash or hmac */ - union { - struct { -- EVP_MD_CTX *ossl_context; -+#if OPENSSL_VERSION_NUMBER < 0x30000000L - const EVP_MD *ossl_hash_alg; -+#else -+ OSSL_LIB_CTX *ossl_libctx; -+ EVP_MD *ossl_hash_alg; -+#endif -+ EVP_MD_CTX *ossl_context; - size_t hash_len; -- } hash; /**< the state variables for a hash context */ -- struct { -- EVP_MD_CTX *ossl_context; -- const EVP_MD *ossl_hash_alg; -- size_t hmac_len; -- } hmac; /**< the state variables for an hmac context */ -+ } hash; /**< the state variables for a HASH or HMAC context */ - }; - } IESYS_CRYPTOSSL_CONTEXT; - --const EVP_MD * -+static IESYS_CRYPTOSSL_CONTEXT * -+iesys_cryptossl_context_new() { -+ IESYS_CRYPTOSSL_CONTEXT *ctx; -+ -+ if (!(ctx = calloc(1, sizeof(IESYS_CRYPTOSSL_CONTEXT)))) -+ return NULL; -+ -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+ /* The TPM2 provider may be loaded in the global library context. -+ * As we don't want the TPM to be called for these operations, we have -+ * to initialize own library context with the default provider. */ -+ if (!(ctx->hash.ossl_libctx = OSSL_LIB_CTX_new())) { -+ SAFE_FREE(ctx); -+ return NULL; -+ } -+#endif -+ return ctx; -+} -+ -+static void -+iesys_cryptossl_context_free(IESYS_CRYPTOSSL_CONTEXT *ctx) { -+ if (!ctx) -+ return; -+ -+ EVP_MD_CTX_free(ctx->hash.ossl_context); -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+ EVP_MD_free(ctx->hash.ossl_hash_alg); -+ OSSL_LIB_CTX_free(ctx->hash.ossl_libctx); -+#endif -+ SAFE_FREE(ctx); -+} -+ -+#if OPENSSL_VERSION_NUMBER < 0x30000000L -+static const EVP_MD * - get_ossl_hash_md(TPM2_ALG_ID hashAlg) - { - switch (hashAlg) { - case TPM2_ALG_SHA1: - return EVP_sha1(); -- break; - case TPM2_ALG_SHA256: - return EVP_sha256(); -- break; - case TPM2_ALG_SHA384: - return EVP_sha384(); -- break; - case TPM2_ALG_SHA512: - return EVP_sha512(); -- break; - default: - return NULL; - } - } -+#else -+static const char * -+get_ossl_hash_md(TPM2_ALG_ID hashAlg) -+{ -+ switch (hashAlg) { -+ case TPM2_ALG_SHA1: -+ return "SHA1"; -+ case TPM2_ALG_SHA256: -+ return "SHA256"; -+ case TPM2_ALG_SHA384: -+ return "SHA384"; -+ case TPM2_ALG_SHA512: -+ return "SHA512"; -+ default: -+ return NULL; -+ } -+} -+#endif -+ -+static int -+iesys_cryptossl_context_set_hash_md(IESYS_CRYPTOSSL_CONTEXT *ctx, TPM2_ALG_ID hashAlg) { -+#if OPENSSL_VERSION_NUMBER < 0x30000000L -+ ctx->hash.ossl_hash_alg = get_ossl_hash_md(hashAlg); -+#else -+ const char *alg_name = get_ossl_hash_md(hashAlg); -+ if (!alg_name) -+ return 0; -+ ctx->hash.ossl_hash_alg = EVP_MD_fetch(ctx->hash.ossl_libctx, alg_name, NULL); -+#endif -+ if (!ctx->hash.ossl_hash_alg) -+ return 0; -+ -+ return 1; -+} - - /** Provide the context for the computation of a hash digest. - * -@@ -117,12 +180,12 @@ iesys_cryptossl_hash_start(IESYS_CRYPTO_CONTEXT_BLOB ** context, - LOG_TRACE("call: context=%p hashAlg=%"PRIu16, context, hashAlg); - return_if_null(context, "Context is NULL", TSS2_ESYS_RC_BAD_REFERENCE); - return_if_null(context, "Null-Pointer passed for context", TSS2_ESYS_RC_BAD_REFERENCE); -- IESYS_CRYPTOSSL_CONTEXT *mycontext; -- mycontext = calloc(1, sizeof(IESYS_CRYPTOSSL_CONTEXT)); -+ -+ IESYS_CRYPTOSSL_CONTEXT *mycontext = iesys_cryptossl_context_new(); - return_if_null(mycontext, "Out of Memory", TSS2_ESYS_RC_MEMORY); - mycontext->type = IESYS_CRYPTOSSL_TYPE_HASH; - -- if (!(mycontext->hash.ossl_hash_alg = get_ossl_hash_md(hashAlg))) { -+ if (!iesys_cryptossl_context_set_hash_md(mycontext, hashAlg)) { - goto_error(r, TSS2_ESYS_RC_NOT_IMPLEMENTED, - "Unsupported hash algorithm (%"PRIu16")", cleanup, hashAlg); - } -@@ -132,12 +195,12 @@ iesys_cryptossl_hash_start(IESYS_CRYPTO_CONTEXT_BLOB ** context, - "Unsupported hash algorithm (%"PRIu16")", cleanup, hashAlg); - } - -- if (!(mycontext->hash.ossl_context = EVP_MD_CTX_create())) { -+ if (!(mycontext->hash.ossl_context = EVP_MD_CTX_create())) { - goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Error EVP_MD_CTX_create", cleanup); - } - - if (1 != EVP_DigestInit(mycontext->hash.ossl_context, -- mycontext->hash.ossl_hash_alg)) { -+ mycontext->hash.ossl_hash_alg)) { - goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Errror EVP_DigestInit", cleanup); - } - -@@ -146,9 +209,7 @@ iesys_cryptossl_hash_start(IESYS_CRYPTO_CONTEXT_BLOB ** context, - return TSS2_RC_SUCCESS; - - cleanup: -- if (mycontext->hash.ossl_context) -- EVP_MD_CTX_destroy(mycontext->hash.ossl_context); -- SAFE_FREE(mycontext); -+ iesys_cryptossl_context_free(mycontext); - - return r; - } -@@ -252,8 +313,8 @@ iesys_cryptossl_hash_finish(IESYS_CRYPTO_CONTEXT_BLOB ** context, - LOGBLOB_TRACE(buffer, mycontext->hash.hash_len, "read hash result"); - - *size = mycontext->hash.hash_len; -- EVP_MD_CTX_destroy(mycontext->hash.ossl_context); -- free(mycontext); -+ -+ iesys_cryptossl_context_free(mycontext); - *context = NULL; - - return TSS2_RC_SUCCESS; -@@ -279,8 +340,7 @@ iesys_cryptossl_hash_abort(IESYS_CRYPTO_CONTEXT_BLOB ** context) - return; - } - -- EVP_MD_CTX_destroy(mycontext->hash.ossl_context); -- free(mycontext); -+ iesys_cryptossl_context_free(mycontext); - *context = NULL; - } - -@@ -313,20 +373,20 @@ iesys_cryptossl_hmac_start(IESYS_CRYPTO_CONTEXT_BLOB ** context, - return_error(TSS2_ESYS_RC_BAD_REFERENCE, - "Null-Pointer passed in for context"); - } -- IESYS_CRYPTOSSL_CONTEXT *mycontext = calloc(1, sizeof(IESYS_CRYPTOSSL_CONTEXT)); -+ IESYS_CRYPTOSSL_CONTEXT *mycontext = iesys_cryptossl_context_new(); - return_if_null(mycontext, "Out of Memory", TSS2_ESYS_RC_MEMORY); - -- if (!(mycontext->hmac.ossl_hash_alg = get_ossl_hash_md(hashAlg))) { -+ if (!iesys_cryptossl_context_set_hash_md(mycontext, hashAlg)) { - goto_error(r, TSS2_ESYS_RC_NOT_IMPLEMENTED, - "Unsupported hash algorithm (%"PRIu16")", cleanup, hashAlg); - } - -- if (iesys_crypto_hash_get_digest_size(hashAlg, &mycontext->hmac.hmac_len)) { -+ if (iesys_crypto_hash_get_digest_size(hashAlg, &mycontext->hash.hash_len)) { - goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, - "Unsupported hash algorithm (%"PRIu16")", cleanup, hashAlg); - } - -- if (!(mycontext->hmac.ossl_context = EVP_MD_CTX_create())) { -+ if (!(mycontext->hash.ossl_context = EVP_MD_CTX_create())) { - goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, - "Error EVP_MD_CTX_create", cleanup); - } -@@ -341,8 +401,8 @@ iesys_cryptossl_hmac_start(IESYS_CRYPTO_CONTEXT_BLOB ** context, - "Failed to create HMAC key", cleanup); - } - -- if(1 != EVP_DigestSignInit(mycontext->hmac.ossl_context, NULL, -- mycontext->hmac.ossl_hash_alg, NULL, hkey)) { -+ if(1 != EVP_DigestSignInit(mycontext->hash.ossl_context, NULL, -+ mycontext->hash.ossl_hash_alg, NULL, hkey)) { - goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, - "DigestSignInit", cleanup); - } -@@ -356,11 +416,9 @@ iesys_cryptossl_hmac_start(IESYS_CRYPTO_CONTEXT_BLOB ** context, - return TSS2_RC_SUCCESS; - - cleanup: -- if (mycontext->hmac.ossl_context) -- EVP_MD_CTX_destroy(mycontext->hmac.ossl_context); - if(hkey) - EVP_PKEY_free(hkey); -- SAFE_FREE(mycontext); -+ iesys_cryptossl_context_free(mycontext); - return r; - } - -@@ -391,7 +449,7 @@ iesys_cryptossl_hmac_update(IESYS_CRYPTO_CONTEXT_BLOB * context, - LOGBLOB_TRACE(buffer, size, "Updating hmac with"); - - /* Call update with the message */ -- if(1 != EVP_DigestSignUpdate(mycontext->hmac.ossl_context, buffer, size)) { -+ if(1 != EVP_DigestSignUpdate(mycontext->hash.ossl_context, buffer, size)) { - return_error(TSS2_ESYS_RC_GENERAL_FAILURE, "OSSL HMAC update"); - } - -@@ -448,19 +506,18 @@ iesys_cryptossl_hmac_finish(IESYS_CRYPTO_CONTEXT_BLOB ** context, - return_error(TSS2_ESYS_RC_BAD_REFERENCE, "bad context"); - } - -- if (*size < mycontext->hmac.hmac_len) { -+ if (*size < mycontext->hash.hash_len) { - return_error(TSS2_ESYS_RC_BAD_SIZE, "Buffer too small"); - } - -- if (1 != EVP_DigestSignFinal(mycontext->hmac.ossl_context, buffer, size)) { -+ if (1 != EVP_DigestSignFinal(mycontext->hash.ossl_context, buffer, size)) { - goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "DigestSignFinal", cleanup); - } - - LOGBLOB_TRACE(buffer, *size, "read hmac result"); - - cleanup: -- EVP_MD_CTX_destroy(mycontext->hmac.ossl_context); -- SAFE_FREE(mycontext); -+ iesys_cryptossl_context_free(mycontext); - *context = NULL; - return r; - } -@@ -510,9 +567,7 @@ iesys_cryptossl_hmac_abort(IESYS_CRYPTO_CONTEXT_BLOB ** context) - return; - } - -- EVP_MD_CTX_destroy(mycontext->hmac.ossl_context); -- -- free(mycontext); -+ iesys_cryptossl_context_free(mycontext); - *context = NULL; - } - } -@@ -529,9 +584,14 @@ iesys_cryptossl_hmac_abort(IESYS_CRYPTO_CONTEXT_BLOB ** context) - TSS2_RC - iesys_cryptossl_random2b(TPM2B_NONCE * nonce, size_t num_bytes) - { -+ int rc; - #if OPENSSL_VERSION_NUMBER < 0x30000000L - const RAND_METHOD *rand_save = RAND_get_rand_method(); - RAND_set_rand_method(RAND_OpenSSL()); -+#else -+ OSSL_LIB_CTX *libctx = OSSL_LIB_CTX_new(); -+ if (!libctx) -+ return TSS2_ESYS_RC_MEMORY; - #endif - - if (num_bytes == 0) { -@@ -540,16 +600,16 @@ iesys_cryptossl_random2b(TPM2B_NONCE * nonce, size_t num_bytes) - nonce->size = num_bytes; - } - -- if (1 != RAND_bytes(&nonce->buffer[0], nonce->size)) { - #if OPENSSL_VERSION_NUMBER < 0x30000000L -- RAND_set_rand_method(rand_save); -+ rc = RAND_bytes(&nonce->buffer[0], nonce->size); -+ RAND_set_rand_method(rand_save); -+#else -+ rc = RAND_bytes_ex(libctx, &nonce->buffer[0], nonce->size, 0); -+ OSSL_LIB_CTX_free(libctx); - #endif -+ if (rc != 1) - return_error(TSS2_ESYS_RC_GENERAL_FAILURE, - "Failure in random number generator."); -- } --#if OPENSSL_VERSION_NUMBER < 0x30000000L -- RAND_set_rand_method(rand_save); --#endif - return TSS2_RC_SUCCESS; - } - -@@ -578,28 +638,37 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key, - { - #if OPENSSL_VERSION_NUMBER < 0x30000000L - RSA *rsa_key = NULL; -+ const EVP_MD * hashAlg = NULL; - const RAND_METHOD *rand_save = RAND_get_rand_method(); - - RAND_set_rand_method(RAND_OpenSSL()); - #else -+ OSSL_LIB_CTX *libctx = NULL; -+ EVP_MD * hashAlg = NULL; - OSSL_PARAM *params = NULL; - OSSL_PARAM_BLD *build = NULL; - #endif - - TSS2_RC r = TSS2_RC_SUCCESS; -- const EVP_MD * hashAlg = NULL; - EVP_PKEY *evp_rsa_key = NULL; - EVP_PKEY_CTX *genctx = NULL, *ctx = NULL; - BIGNUM *bne = NULL, *n = NULL; - int padding; - char *label_copy = NULL; - -- if (!(hashAlg = get_ossl_hash_md(pub_tpm_key->publicArea.nameAlg))) { -- LOG_ERROR("Unsupported hash algorithm (%"PRIu16")", -- pub_tpm_key->publicArea.nameAlg); - #if OPENSSL_VERSION_NUMBER < 0x30000000L -+ if (!(hashAlg = get_ossl_hash_md(pub_tpm_key->publicArea.nameAlg))) { - RAND_set_rand_method(rand_save); -+#else -+ if (!(libctx = OSSL_LIB_CTX_new())) -+ return TSS2_ESYS_RC_MEMORY; -+ -+ if (!(hashAlg = EVP_MD_fetch(libctx, -+ get_ossl_hash_md(pub_tpm_key->publicArea.nameAlg), NULL))) { -+ OSSL_LIB_CTX_free(libctx); - #endif -+ LOG_ERROR("Unsupported hash algorithm (%"PRIu16")", -+ pub_tpm_key->publicArea.nameAlg); - return TSS2_ESYS_RC_NOT_IMPLEMENTED; - } - -@@ -673,7 +742,7 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key, - cleanup); - } - -- if ((genctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL)) == NULL -+ if ((genctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA", NULL)) == NULL - || EVP_PKEY_fromdata_init(genctx) <= 0 - || EVP_PKEY_fromdata(genctx, &evp_rsa_key, EVP_PKEY_PUBLIC_KEY, params) <= 0) { - goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Could not create rsa key.", -@@ -744,6 +813,8 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key, - #else - OSSL_FREE(params, OSSL_PARAM); - OSSL_FREE(build, OSSL_PARAM_BLD); -+ OSSL_FREE(hashAlg, EVP_MD); -+ OSSL_FREE(libctx, OSSL_LIB_CTX); - #endif - return r; - } -diff --git a/src/tss2-fapi/fapi_crypto.c b/src/tss2-fapi/fapi_crypto.c -index 9c7e566c..d061cf48 100644 ---- a/src/tss2-fapi/fapi_crypto.c -+++ b/src/tss2-fapi/fapi_crypto.c -@@ -48,14 +48,34 @@ - - /** Context to hold temporary values for ifapi_crypto */ - typedef struct _IFAPI_CRYPTO_CONTEXT { -- /** The hash engine's context */ -- EVP_MD_CTX *osslContext; -+#if OPENSSL_VERSION_NUMBER < 0x30000000L - /** The currently used hash algorithm */ - const EVP_MD *osslHashAlgorithm; -+#else -+ OSSL_LIB_CTX *libctx; -+ /** The currently used hash algorithm */ -+ EVP_MD *osslHashAlgorithm; -+#endif -+ /** The hash engine's context */ -+ EVP_MD_CTX *osslContext; - /** The size of the hash's digest */ - size_t hashSize; - } IFAPI_CRYPTO_CONTEXT; - -+static void -+ifapi_crypto_context_free(IFAPI_CRYPTO_CONTEXT *ctx) -+{ -+ if (!ctx) -+ return; -+ -+ EVP_MD_CTX_destroy(ctx->osslContext); -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+ EVP_MD_free(ctx->osslHashAlgorithm); -+ OSSL_LIB_CTX_free(ctx->libctx); -+#endif -+ SAFE_FREE(ctx); -+} -+ - /** - * Returns the signature scheme that is currently used in the FAPI context. - * -@@ -225,6 +245,33 @@ ifapi_bn2binpad(const BIGNUM *bn, unsigned char *bin, int binSize) - return 1; - } - -+#if OPENSSL_VERSION_NUMBER < 0x30000000L -+/** -+ * Converts a TSS hash algorithm identifier into an OpenSSL hash algorithm -+ * identifier object. -+ * -+ * @param[in] hashAlgorithm The TSS hash algorithm identifier to convert -+ * -+ * @retval A suitable OpenSSL identifier object if one could be found -+ * @retval NULL if no suitable identifier object could be found -+ */ -+static const EVP_MD * -+get_ossl_hash_md(TPM2_ALG_ID hashAlgorithm) -+{ -+ switch (hashAlgorithm) { -+ case TPM2_ALG_SHA1: -+ return EVP_sha1(); -+ case TPM2_ALG_SHA256: -+ return EVP_sha256(); -+ case TPM2_ALG_SHA384: -+ return EVP_sha384(); -+ case TPM2_ALG_SHA512: -+ return EVP_sha512(); -+ default: -+ return NULL; -+ } -+} -+#else - /** - * Returns a suitable openSSL hash algorithm identifier for a given TSS hash - * algorithm identifier. -@@ -235,22 +282,23 @@ ifapi_bn2binpad(const BIGNUM *bn, unsigned char *bin, int binSize) - * hashAlgorithm could be found - * @retval NULL if no suitable hash algorithm identifier could be found - */ --static const EVP_MD * -+static const char * - get_hash_md(TPM2_ALG_ID hashAlgorithm) - { - switch (hashAlgorithm) { - case TPM2_ALG_SHA1: -- return EVP_sha1(); -+ return "SHA1"; - case TPM2_ALG_SHA256: -- return EVP_sha256(); -+ return "SHA256"; - case TPM2_ALG_SHA384: -- return EVP_sha384(); -+ return "SHA384"; - case TPM2_ALG_SHA512: -- return EVP_sha512(); -+ return "SHA512"; - default: - return NULL; - } - } -+#endif - - /** - * Returns a suitable openSSL RSA signature scheme identifiver for a given TSS -@@ -1274,6 +1322,9 @@ ifapi_verify_signature_quote( - BIO *bufio = NULL; - EVP_PKEY_CTX *pctx = NULL; - EVP_MD_CTX *mdctx = NULL; -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+ OSSL_LIB_CTX *libctx = NULL; -+#endif - - /* Check whether or not the key is valid */ - if (keyObject->objectType == IFAPI_KEY_OBJ) { -@@ -1304,8 +1355,8 @@ ifapi_verify_signature_quote( - goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "EVP_MD_CTX_create", - error_cleanup); - } -- -- const EVP_MD *hashAlgorithm = get_hash_md(signatureScheme->details.any.hashAlg); -+#if OPENSSL_VERSION_NUMBER < 0x30000000L -+ const EVP_MD *hashAlgorithm = get_ossl_hash_md(signatureScheme->details.any.hashAlg); - if (!hashAlgorithm) { - goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Invalid hash alg.", - error_cleanup); -@@ -1316,6 +1367,26 @@ ifapi_verify_signature_quote( - goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "EVP_DigestVerifyInit", - error_cleanup); - } -+#else -+ const char *hashAlgorithm = get_hash_md(signatureScheme->details.any.hashAlg); -+ if (!hashAlgorithm) { -+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Invalid hash alg.", -+ error_cleanup); -+ } -+ -+ /* The TPM2 provider may be loaded in the global library context. -+ * As we don't want the TPM to be called for these operations, we have -+ * to initialize own library context with the default provider. */ -+ libctx = OSSL_LIB_CTX_new(); -+ goto_if_null(libctx, "Out of memory", TSS2_FAPI_RC_MEMORY, error_cleanup); -+ -+ /* Verify the digest of the signature */ -+ if (1 != EVP_DigestVerifyInit_ex(mdctx, &pctx, hashAlgorithm, libctx, -+ NULL, publicKey, NULL)) { -+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "EVP_DigestVerifyInit_ex", -+ error_cleanup); -+ } -+#endif - goto_if_null(pctx, "Out of memory", TSS2_FAPI_RC_MEMORY, error_cleanup); - if (EVP_PKEY_type(EVP_PKEY_id(publicKey)) == EVP_PKEY_RSA) { - int padding = get_sig_scheme(signatureScheme->scheme); -@@ -1339,12 +1410,13 @@ ifapi_verify_signature_quote( - } - - error_cleanup: -- if (mdctx != NULL) { -- EVP_MD_CTX_destroy(mdctx); -- } -+ EVP_MD_CTX_destroy(mdctx); - SAFE_FREE(public_pem_key); - EVP_PKEY_free(publicKey); - BIO_free(bufio); -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+ OSSL_LIB_CTX_free(libctx); -+#endif - return r; - } - -@@ -1464,36 +1536,6 @@ ifapi_hash_get_digest_size(TPM2_ALG_ID hashAlgorithm) - } - } - --/** -- * Converts a TSS hash algorithm identifier into an OpenSSL hash algorithm -- * identifier object. -- * -- * @param[in] hashAlgorithm The TSS hash algorithm identifier to convert -- * -- * @retval A suitable OpenSSL identifier object if one could be found -- * @retval NULL if no suitable identifier object could be found -- */ --static const EVP_MD * --get_ossl_hash_md(TPM2_ALG_ID hashAlgorithm) --{ -- switch (hashAlgorithm) { -- case TPM2_ALG_SHA1: -- return EVP_sha1(); -- break; -- case TPM2_ALG_SHA256: -- return EVP_sha256(); -- break; -- case TPM2_ALG_SHA384: -- return EVP_sha384(); -- break; -- case TPM2_ALG_SHA512: -- return EVP_sha512(); -- break; -- default: -- return NULL; -- } --} -- - /** - * Starts the computation of a hash digest. - * -@@ -1520,11 +1562,26 @@ ifapi_crypto_hash_start(IFAPI_CRYPTO_CONTEXT_BLOB **context, - mycontext = calloc(1, sizeof(IFAPI_CRYPTO_CONTEXT)); - return_if_null(mycontext, "Out of memory", TSS2_FAPI_RC_MEMORY); - -+#if OPENSSL_VERSION_NUMBER < 0x30000000L - if (!(mycontext->osslHashAlgorithm = get_ossl_hash_md(hashAlgorithm))) { - goto_error(r, TSS2_FAPI_RC_BAD_VALUE, - "Unsupported hash algorithm (%" PRIu16 ")", cleanup, - hashAlgorithm); - } -+#else -+ /* The TPM2 provider may be loaded in the global library context. -+ * As we don't want the TPM to be called for these operations, we have -+ * to initialize own library context with the default provider. */ -+ mycontext->libctx = OSSL_LIB_CTX_new(); -+ return_if_null(mycontext->libctx, "Out of memory", TSS2_FAPI_RC_MEMORY); -+ -+ if (!(mycontext->osslHashAlgorithm = -+ EVP_MD_fetch(mycontext->libctx, get_hash_md(hashAlgorithm), NULL))) { -+ goto_error(r, TSS2_FAPI_RC_BAD_VALUE, -+ "Unsupported hash algorithm (%" PRIu16 ")", cleanup, -+ hashAlgorithm); -+ } -+#endif - - if (!(mycontext->hashSize = ifapi_hash_get_digest_size(hashAlgorithm))) { - goto_error(r, TSS2_FAPI_RC_BAD_VALUE, -@@ -1548,10 +1605,7 @@ ifapi_crypto_hash_start(IFAPI_CRYPTO_CONTEXT_BLOB **context, - return TSS2_RC_SUCCESS; - - cleanup: -- if (mycontext->osslContext) -- EVP_MD_CTX_destroy(mycontext->osslContext); -- SAFE_FREE(mycontext); -- -+ ifapi_crypto_context_free(mycontext); - return r; - } - -@@ -1630,8 +1684,7 @@ ifapi_crypto_hash_finish(IFAPI_CRYPTO_CONTEXT_BLOB **context, - } - - /* Finalize the hash context */ -- EVP_MD_CTX_destroy(mycontext->osslContext); -- free(mycontext); -+ ifapi_crypto_context_free(mycontext); - *context = NULL; - - return TSS2_RC_SUCCESS; -@@ -1653,8 +1706,7 @@ ifapi_crypto_hash_abort(IFAPI_CRYPTO_CONTEXT_BLOB **context) - } - IFAPI_CRYPTO_CONTEXT *mycontext = (IFAPI_CRYPTO_CONTEXT *) * context; - -- EVP_MD_CTX_destroy(mycontext->osslContext); -- free(mycontext); -+ ifapi_crypto_context_free(mycontext); - *context = NULL; - } - --- -2.34.3 - diff --git a/0006-FAPI-Add-policy-computation-for-create-primary.patch b/0006-FAPI-Add-policy-computation-for-create-primary.patch deleted file mode 100644 index 421614c..0000000 --- a/0006-FAPI-Add-policy-computation-for-create-primary.patch +++ /dev/null @@ -1,70 +0,0 @@ -From 5ecd682797d2744d4a03c82ee5907db6766bcff1 Mon Sep 17 00:00:00 2001 -From: Juergen Repp -Date: Tue, 12 Oct 2021 11:19:41 +0200 -Subject: [PATCH 06/23] FAPI: Add policy computation for create primary. - -The policy digest for primary keys was only computed for keys created during provisioning. -Now the policy digest is also computed for primary keys create with Fapi_CreateKey. -Fixes #2175. - -Signed-off-by: Juergen Repp ---- - src/tss2-fapi/fapi_int.h | 1 + - src/tss2-fapi/fapi_util.c | 29 +++++++++++++++++++++++++++++ - 2 files changed, 30 insertions(+) - -diff --git a/src/tss2-fapi/fapi_int.h b/src/tss2-fapi/fapi_int.h -index 13c0333e..d13ec413 100644 ---- a/src/tss2-fapi/fapi_int.h -+++ b/src/tss2-fapi/fapi_int.h -@@ -341,6 +341,7 @@ enum IFAPI_KEY_CREATE_STATE { - KEY_CREATE_FLUSH1, - KEY_CREATE_FLUSH2, - KEY_CREATE_CALCULATE_POLICY, -+ KEY_CREATE_PRIMARY_CALCULATE_POLICY, - KEY_CREATE_WAIT_FOR_AUTHORIZATION, - KEY_CREATE_CLEANUP, - KEY_CREATE_WAIT_FOR_RANDOM, -diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c -index a5fc28a3..a0fd714e 100644 ---- a/src/tss2-fapi/fapi_util.c -+++ b/src/tss2-fapi/fapi_util.c -@@ -4539,6 +4539,35 @@ ifapi_create_primary( - "hierarchy.", error_cleanup); - } - -+ if (context->cmd.Key_Create.policyPath -+ && strcmp(context->cmd.Key_Create.policyPath, "") != 0) -+ context->cmd.Key_Create.state = KEY_CREATE_PRIMARY_CALCULATE_POLICY; -+ /* else jump over to KEY_CREATE_PRIMARY_WAIT_FOR_SESSION below */ -+ /* FALLTHRU */ -+ case KEY_CREATE_PRIMARY_CALCULATE_POLICY: -+ if (context->cmd.Key_Create.state == KEY_CREATE_PRIMARY_CALCULATE_POLICY) { -+ r = ifapi_calculate_tree(context, context->cmd.Key_Create.policyPath, -+ &context->policy.policy, -+ context->cmd.Key_Create.public_templ.public.publicArea.nameAlg, -+ &context->policy.digest_idx, -+ &context->policy.hash_size); -+ return_try_again(r); -+ goto_if_error2(r, "Calculate policy tree %s", error_cleanup, -+ context->cmd.Key_Create.policyPath); -+ -+ /* Store the calculated policy in the key object */ -+ object->policy = calloc(1, sizeof(TPMS_POLICY)); -+ return_if_null(object->policy, "Out of memory", -+ TSS2_FAPI_RC_MEMORY); -+ *(object->policy) = context->policy.policy; -+ -+ context->cmd.Key_Create.public_templ.public.publicArea.authPolicy.size = -+ context->policy.hash_size; -+ memcpy(&context->cmd.Key_Create.public_templ.public.publicArea.authPolicy.buffer[0], -+ &context->policy.policy.policyDigests.digests[context->policy.digest_idx].digest, -+ context->policy.hash_size); -+ } -+ - r = ifapi_get_sessions_async(context, - IFAPI_SESSION_GENEK | IFAPI_SESSION1, - TPMA_SESSION_ENCRYPT | TPMA_SESSION_DECRYPT, 0); --- -2.34.3 - diff --git a/0006-FAPI-Fix-usage-of-persistent-handles.patch b/0006-FAPI-Fix-usage-of-persistent-handles.patch new file mode 100644 index 0000000..b1b2df0 --- /dev/null +++ b/0006-FAPI-Fix-usage-of-persistent-handles.patch @@ -0,0 +1,61 @@ +From db8ccb1df778dc92d1be88a88ddcd9d6c92c3e63 Mon Sep 17 00:00:00 2001 +From: Juergen Repp +Date: Mon, 3 Apr 2023 21:21:55 +0200 +Subject: [PATCH 06/10] FAPI: Fix usage of persistent handles. + +* Evict control for persistent keys created with Fapi_CreateKey was + called with the wrong handle. +* If Fapi_Quote was executed with a primary key for this key flush + context was called. + +Signed-off-by: Juergen Repp +--- + src/tss2-fapi/api/Fapi_Quote.c | 14 +++++++++----- + src/tss2-fapi/fapi_util.c | 1 + + 2 files changed, 10 insertions(+), 5 deletions(-) + +diff --git a/src/tss2-fapi/api/Fapi_Quote.c b/src/tss2-fapi/api/Fapi_Quote.c +index b71267a7..61e4e3db 100644 +--- a/src/tss2-fapi/api/Fapi_Quote.c ++++ b/src/tss2-fapi/api/Fapi_Quote.c +@@ -392,16 +392,20 @@ Fapi_Quote_Finish( + goto_if_error(r, "Error: PCR_Quote", error_cleanup); + + /* Flush the key used for the quote. */ +- r = Esys_FlushContext_Async(context->esys, command->handle); +- goto_if_error(r, "Error: FlushContext", error_cleanup); ++ if (!command->key_object->misc.key.persistent_handle) { ++ r = Esys_FlushContext_Async(context->esys, command->handle); ++ goto_if_error(r, "Error: FlushContext", error_cleanup); ++ } + command->handle = ESYS_TR_NONE; + + fallthrough; + + statecase(context->state, PCR_QUOTE_WAIT_FOR_FLUSH); +- r = Esys_FlushContext_Finish(context->esys); +- return_try_again(r); +- goto_if_error(r, "Error: Sign", error_cleanup); ++ if (!command->key_object->misc.key.persistent_handle) { ++ r = Esys_FlushContext_Finish(context->esys); ++ return_try_again(r); ++ goto_if_error(r, "Error: Sign", error_cleanup); ++ } + + sig_key_object = command->key_object; + /* Convert the TPM-encoded signature into something useful for the caller. */ +diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c +index ef4a92d0..49f7dd07 100644 +--- a/src/tss2-fapi/fapi_util.c ++++ b/src/tss2-fapi/fapi_util.c +@@ -4746,6 +4746,7 @@ ifapi_create_primary( + + statecase(context->cmd.Key_Create.state, KEY_CREATE_PRIMARY_WAIT_FOR_AUTHORIZE2); + if (template->persistent_handle) { ++ object->misc.key.persistent_handle = template->persistent_handle; + r = ifapi_authorize_object(context, hierarchy, &auth_session); + FAPI_SYNC(r, "Authorize hierarchy.", error_cleanup); + +-- +2.41.0 + diff --git a/0006-FAPI-Test-Use-EVP_PKEY_base_id-to-detect-key-type.patch b/0006-FAPI-Test-Use-EVP_PKEY_base_id-to-detect-key-type.patch deleted file mode 100644 index 9d51715..0000000 --- a/0006-FAPI-Test-Use-EVP_PKEY_base_id-to-detect-key-type.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 6e9c46f8c3bf91aac51b668fa78c3173c885760c Mon Sep 17 00:00:00 2001 -From: Petr Gotthard -Date: Sat, 17 Jul 2021 21:29:25 +0200 -Subject: FAPI Test: Use EVP_PKEY_base_id to detect key type -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The EVP_PKEY_base_id is the right way to detect key type, used also -by OpenSSL itself. -This function is available since OpenSSL 1.0.0. - -Signed-off-by: Petr Gotthard ---- - test/integration/fapi-data-crypt.int.c | 2 +- - test/integration/fapi-key-create-policy-signed.int.c | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/test/integration/fapi-data-crypt.int.c b/test/integration/fapi-data-crypt.int.c -index d42466db..a95cc9ef 100644 ---- a/test/integration/fapi-data-crypt.int.c -+++ b/test/integration/fapi-data-crypt.int.c -@@ -133,7 +133,7 @@ signatureCallback( - goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.", - error_cleanup); - } -- if (EVP_PKEY_type(EVP_PKEY_id(priv_key)) == EVP_PKEY_RSA) { -+ if (EVP_PKEY_base_id(priv_key) == EVP_PKEY_RSA) { - int signing_scheme = RSA_SIG_SCHEME; - if (1 != EVP_PKEY_CTX_set_rsa_padding(pctx, signing_scheme)) { - goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL set RSA padding.", -diff --git a/test/integration/fapi-key-create-policy-signed.int.c b/test/integration/fapi-key-create-policy-signed.int.c -index b903dec0..8f917d35 100644 ---- a/test/integration/fapi-key-create-policy-signed.int.c -+++ b/test/integration/fapi-key-create-policy-signed.int.c -@@ -148,7 +148,7 @@ signatureCallback( - goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.", - error_cleanup); - } -- if (EVP_PKEY_type(EVP_PKEY_id(priv_key)) == EVP_PKEY_RSA) { -+ if (EVP_PKEY_base_id(priv_key) == EVP_PKEY_RSA) { - int signing_scheme = RSA_SIG_SCHEME; - if (1 != EVP_PKEY_CTX_set_rsa_padding(pctx, signing_scheme)) { - goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL set RSA padding.", --- -2.26.3 - diff --git a/0007-FAPI-Fix-loading-of-primary-keys.patch b/0007-FAPI-Fix-loading-of-primary-keys.patch deleted file mode 100644 index 3131fd8..0000000 --- a/0007-FAPI-Fix-loading-of-primary-keys.patch +++ /dev/null @@ -1,137 +0,0 @@ -From 517e94ee72b286e9942a5a6ecbffd05fc0b0bcf5 Mon Sep 17 00:00:00 2001 -From: Juergen Repp -Date: Fri, 5 Nov 2021 23:08:47 +0100 -Subject: [PATCH 07/23] FAPI: Fix loading of primary keys. - -Problems caused by primary keys created with Fapi_CreateKey are fixed: - -* For primary keys not in all cases the unique field was cleared before calling create - primary. -* If the primary key was used for signing the object was cleared after loading. So - access e.g. to the certificate did not work. -* For primary keys created with Fapi_Create with an auth value the auth_value was - not used in inSensitive to recreate the primary key. Now the auth value callback - is used to initialize inSensitive. - -Fixes #2189. - -Signed-off-by: Juergen Repp ---- - src/tss2-fapi/fapi_int.h | 1 + - src/tss2-fapi/fapi_util.c | 62 +++++++++++++++++++++++++++++++++++++-- - 2 files changed, 60 insertions(+), 3 deletions(-) - -diff --git a/src/tss2-fapi/fapi_int.h b/src/tss2-fapi/fapi_int.h -index d13ec413..7bcf442c 100644 ---- a/src/tss2-fapi/fapi_int.h -+++ b/src/tss2-fapi/fapi_int.h -@@ -768,6 +768,7 @@ enum _FAPI_STATE_PRIMARY { - PRIMARY_READ_HIERARCHY, - PRIMARY_READ_HIERARCHY_FINISH, - PRIMARY_AUTHORIZE_HIERARCHY, -+ PRIMARY_GET_AUTH_VALUE, - PRIMARY_WAIT_FOR_PRIMARY, - PRIMARY_HAUTH_SENT, - PRIMARY_CREATED, -diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c -index a0fd714e..90f8b2aa 100644 ---- a/src/tss2-fapi/fapi_util.c -+++ b/src/tss2-fapi/fapi_util.c -@@ -362,6 +362,52 @@ ifapi_get_object_path(IFAPI_OBJECT *object) - return NULL; - } - -+/** Set authorization value for a primary key to be created. -+ * -+ * The callback which provides the auth value must be defined. -+ * -+ * @param[in,out] context The FAPI_CONTEXT. -+ * @param[in] object The auth value will be assigned to this object. -+ * @param[in,out] inSensitive The sensitive data to store the auth value. -+ * -+ * @retval TSS2_RC_SUCCESS on success. -+ * @retval TSS2_FAPI_RC_AUTHORIZATION_UNKNOWN If the callback for getting -+ * the auth value is not defined. -+ */ -+TSS2_RC -+ifapi_set_auth_primary( -+ FAPI_CONTEXT *context, -+ IFAPI_OBJECT *object, -+ TPMS_SENSITIVE_CREATE *inSensitive) -+{ -+ TSS2_RC r; -+ const char *auth = NULL; -+ const char *obj_path; -+ -+ memset(inSensitive, 0, sizeof(TPMS_SENSITIVE_CREATE)); -+ -+ if (!object->misc.key.with_auth) { -+ return TSS2_RC_SUCCESS; -+ } -+ -+ obj_path = ifapi_get_object_path(object); -+ -+ /* Check whether callback is defined. */ -+ if (context->callbacks.auth) { -+ r = context->callbacks.auth(obj_path, object->misc.key.description, -+ &auth, context->callbacks.authData); -+ return_if_error(r, "AuthCallback"); -+ if (auth != NULL) { -+ inSensitive->userAuth.size = strlen(auth); -+ memcpy(&inSensitive->userAuth.buffer[0], auth, -+ inSensitive->userAuth.size); -+ } -+ return TSS2_RC_SUCCESS; -+ } -+ SAFE_FREE(auth); -+ return_error( TSS2_FAPI_RC_AUTHORIZATION_UNKNOWN, "Authorization callback not defined."); -+} -+ - /** Set authorization value for a FAPI object. - * - * The callback which provides the auth value must be defined. -@@ -848,7 +894,7 @@ ifapi_load_primary_finish(FAPI_CONTEXT *context, ESYS_TR *handle) - IFAPI_KEY *pkey = &context->createPrimary.pkey_object.misc.key; - TPMS_CAPABILITY_DATA **capabilityData = &context->createPrimary.capabilityData; - TPMI_YES_NO moreData; -- ESYS_TR auth_session; -+ ESYS_TR auth_session = ESYS_TR_NONE; /* Initialized due to scanbuild */ - - LOG_TRACE("call"); - -@@ -923,12 +969,23 @@ ifapi_load_primary_finish(FAPI_CONTEXT *context, ESYS_TR *handle) - memset(&context->createPrimary.inSensitive, 0, sizeof(TPM2B_SENSITIVE_CREATE)); - memset(&context->createPrimary.outsideInfo, 0, sizeof(TPM2B_DATA)); - memset(&context->createPrimary.creationPCR, 0, sizeof(TPML_PCR_SELECTION)); -+ fallthrough; -+ -+ statecase(context->primary_state, PRIMARY_GET_AUTH_VALUE); -+ /* Get the auth value to be stored in inSensitive */ -+ r = ifapi_set_auth_primary(context, pkey_object, -+ &context->createPrimary.inSensitive.sensitive); -+ return_try_again(r); -+ goto_if_error_reset_state(r, "Get auth value for primary", error_cleanup); - - /* Prepare primary creation. */ -+ TPM2B_PUBLIC public = pkey->public; -+ memset(&public.publicArea.unique, 0, sizeof(TPMU_PUBLIC_ID)); -+ - r = Esys_CreatePrimary_Async(context->esys, hierarchy->handle, - auth_session, ESYS_TR_NONE, ESYS_TR_NONE, - &context->createPrimary.inSensitive, -- &pkey->public, -+ &public, - &context->createPrimary.outsideInfo, - &context->createPrimary.creationPCR); - return_if_error(r, "CreatePrimary"); -@@ -1905,7 +1962,6 @@ ifapi_load_key_finish(FAPI_CONTEXT *context, bool flush_parent) - } else { - LOG_TRACE("success"); - ifapi_cleanup_ifapi_object(context->loadKey.key_object); -- ifapi_cleanup_ifapi_object(&context->loadKey.auth_object); - return TSS2_RC_SUCCESS; - } - break; --- -2.34.3 - diff --git a/0007-FAPI-Test-Change-RSA_sign-to-EVP_PKEY_sign.patch b/0007-FAPI-Test-Change-RSA_sign-to-EVP_PKEY_sign.patch deleted file mode 100644 index 350fdc7..0000000 --- a/0007-FAPI-Test-Change-RSA_sign-to-EVP_PKEY_sign.patch +++ /dev/null @@ -1,100 +0,0 @@ -From 9ca735ab8f71a6b64f31867e55d43f3f5a51bfec Mon Sep 17 00:00:00 2001 -From: Petr Gotthard -Date: Sun, 18 Jul 2021 11:54:50 +0200 -Subject: FAPI Test: Change RSA_sign to EVP_PKEY_sign -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The EVP_PKEY_sign functions are available since OpenSSL 1.0.0. -The RSA_sign function is deprecated in OpenSSL 3.0.0. - -This PR should work with OpenSSL 1.0.0 through 3.0.0. - -Signed-off-by: Petr Gotthard ---- - test/integration/fapi-ext-public-key.int.c | 38 +++++++++++----------- - 1 file changed, 19 insertions(+), 19 deletions(-) - -diff --git a/test/integration/fapi-ext-public-key.int.c b/test/integration/fapi-ext-public-key.int.c -index 363c58b7..971d7897 100644 ---- a/test/integration/fapi-ext-public-key.int.c -+++ b/test/integration/fapi-ext-public-key.int.c -@@ -49,7 +49,7 @@ test_fapi_ext_public_key(FAPI_CONTEXT *context) - BIO *bufio = NULL; - - EVP_PKEY *evp_key = NULL; -- RSA *rsa_key = NULL; -+ EVP_PKEY_CTX *ctx = NULL; - - /* Key will be used for non TPM signature verfication. */ - char *pubkey_pem = -@@ -186,10 +186,8 @@ test_fapi_ext_public_key(FAPI_CONTEXT *context) - - bufio = BIO_new_mem_buf((void *)priv_pem, strlen(priv_pem)); - evp_key = PEM_read_bio_PrivateKey(bufio, NULL, NULL, NULL); -- rsa_key = EVP_PKEY_get1_RSA(evp_key); - -- -- if (!bufio || !evp_key || !rsa_key) { -+ if (!bufio || !evp_key) { - LOG_ERROR("Generation of test key failed."); - goto error; - } -@@ -199,10 +197,20 @@ test_fapi_ext_public_key(FAPI_CONTEXT *context) - 0x25, 0x71, 0x78, 0x50, 0xc2, 0x6c, 0x9c, 0xd0, 0xd8, 0x9d - }; - uint8_t signature[256]; -- unsigned int signatureLength = 256; -+ size_t signatureLength = 256; - -- if (!RSA_sign(NID_sha1, digest, 20, signature, &signatureLength, rsa_key)) { -- LOG_ERROR("Test RSA_sign failed."); -+ if ((ctx = EVP_PKEY_CTX_new(evp_key, NULL)) == NULL) { -+ LOG_ERROR("Test EVP_PKEY_CTX_new failed."); -+ goto error; -+ } -+ if (EVP_PKEY_sign_init(ctx) <= 0 -+ || EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0 -+ || EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha1()) <= 0) { -+ LOG_ERROR("Test EVP_PKEY_sign_init failed."); -+ goto error; -+ } -+ if (EVP_PKEY_sign(ctx, signature, &signatureLength, digest, 20) <= 0) { -+ LOG_ERROR("Test EVP_PKEY_sign failed."); - goto error; - } - -@@ -243,12 +251,8 @@ test_fapi_ext_public_key(FAPI_CONTEXT *context) - if (bufio) { - BIO_free(bufio); - } -- if (evp_key) { -- EVP_PKEY_free(evp_key); -- } -- if (rsa_key) { -- RSA_free(rsa_key); -- } -+ EVP_PKEY_CTX_free(ctx); -+ EVP_PKEY_free(evp_key); - SAFE_FREE(path_list); - SAFE_FREE(cert2); - return EXIT_SUCCESS; -@@ -258,12 +262,8 @@ error: - if (bufio) { - BIO_free(bufio); - } -- if (evp_key) { -- EVP_PKEY_free(evp_key); -- } -- if (rsa_key) { -- RSA_free(rsa_key); -- } -+ EVP_PKEY_CTX_free(ctx); -+ EVP_PKEY_free(evp_key); - SAFE_FREE(path_list); - SAFE_FREE(cert2); - return EXIT_FAILURE; --- -2.26.3 - diff --git a/0007-build-Fix-failed-build-with-disable-vendor.patch b/0007-build-Fix-failed-build-with-disable-vendor.patch new file mode 100644 index 0000000..5ff29c9 --- /dev/null +++ b/0007-build-Fix-failed-build-with-disable-vendor.patch @@ -0,0 +1,62 @@ +From e46840f3ec5932f3f9206f3eab903d82b7a977db Mon Sep 17 00:00:00 2001 +From: Juergen Repp +Date: Mon, 27 Feb 2023 18:00:54 +0100 +Subject: [PATCH 07/10] build: Fix failed build with --disable-vendor + +The compilation of the marshaling functions for TPML_INTEL_PTT_PROPERTY +is now disabled for builds with --disable-vendor. +Fixes: #2571 + +Signed-off-by: Juergen Repp +--- + include/tss2/tss2_tpm2_types.h | 2 ++ + src/tss2-mu/tpml-types.c | 2 ++ + tss2-dlopen/tss2-dlopen-mu.c | 2 ++ + 3 files changed, 6 insertions(+) + +diff --git a/include/tss2/tss2_tpm2_types.h b/include/tss2/tss2_tpm2_types.h +index 96286fb7..39a6978c 100644 +--- a/include/tss2/tss2_tpm2_types.h ++++ b/include/tss2/tss2_tpm2_types.h +@@ -63,7 +63,9 @@ + #define TPM2_PRIVATE_VENDOR_SPECIFIC_BYTES ((TPM2_MAX_RSA_KEY_BYTES / 2) * (3 + 2)) + + /* Vendor Specific Defines */ ++#ifndef DISABLE_VENDOR + #define TPM2_MAX_PTT_PROPERTIES (TPM2_MAX_CAP_BUFFER / sizeof(UINT32)) ++#endif + + /* Attached Component Capabilities */ + #define TPM2_MAX_AC_CAPABILITIES (TPM2_MAX_CAP_BUFFER / sizeof(TPMS_AC_OUTPUT)) +diff --git a/src/tss2-mu/tpml-types.c b/src/tss2-mu/tpml-types.c +index 60f85a8c..1df9bbb8 100644 +--- a/src/tss2-mu/tpml-types.c ++++ b/src/tss2-mu/tpml-types.c +@@ -175,8 +175,10 @@ TPML_MARSHAL(TPML_PCR_SELECTION, Tss2_MU_TPMS_PCR_SELECTION_Marshal, pcrSelectio + TPML_UNMARSHAL(TPML_PCR_SELECTION, Tss2_MU_TPMS_PCR_SELECTION_Unmarshal, pcrSelections) + TPML_MARSHAL(TPML_DIGEST_VALUES, Tss2_MU_TPMT_HA_Marshal, digests, ADDR) + TPML_UNMARSHAL(TPML_DIGEST_VALUES, Tss2_MU_TPMT_HA_Unmarshal, digests) ++#ifndef DISABLE_VENDOR + TPML_MARSHAL(TPML_INTEL_PTT_PROPERTY, Tss2_MU_UINT32_Marshal, property, VAL) + TPML_UNMARSHAL(TPML_INTEL_PTT_PROPERTY, Tss2_MU_UINT32_Unmarshal, property) ++#endif + TPML_MARSHAL(TPML_AC_CAPABILITIES, Tss2_MU_TPMS_AC_OUTPUT_Marshal, acCapabilities, ADDR) + TPML_UNMARSHAL(TPML_AC_CAPABILITIES, Tss2_MU_TPMS_AC_OUTPUT_Unmarshal, acCapabilities) + TPML_MARSHAL(TPML_TAGGED_POLICY, Tss2_MU_TPMS_TAGGED_POLICY_Marshal, policies, ADDR) +diff --git a/tss2-dlopen/tss2-dlopen-mu.c b/tss2-dlopen/tss2-dlopen-mu.c +index 2297818b..21cd1123 100644 +--- a/tss2-dlopen/tss2-dlopen-mu.c ++++ b/tss2-dlopen/tss2-dlopen-mu.c +@@ -254,7 +254,9 @@ MAKE_MU_STRUCT(TPML_ALG_PROPERTY); + MAKE_MU_STRUCT(TPML_ECC_CURVE); + MAKE_MU_STRUCT(TPML_TAGGED_PCR_PROPERTY); + MAKE_MU_STRUCT(TPML_TAGGED_TPM_PROPERTY); ++#ifndef DISABLE_VENDOR + MAKE_MU_STRUCT(TPML_INTEL_PTT_PROPERTY); ++#endif + MAKE_MU_STRUCT(TPML_AC_CAPABILITIES); + MAKE_MU_STRUCT(TPML_TAGGED_POLICY); + MAKE_MU_STRUCT(TPML_ACT_DATA); +-- +2.41.0 + diff --git a/0008-FAPI-Fapi_GetInfo-display-warning-for-SHA3-hash-algs.patch b/0008-FAPI-Fapi_GetInfo-display-warning-for-SHA3-hash-algs.patch new file mode 100644 index 0000000..14aa2b5 --- /dev/null +++ b/0008-FAPI-Fapi_GetInfo-display-warning-for-SHA3-hash-algs.patch @@ -0,0 +1,35 @@ +From acb274ee0c59d6159b66e2df08aaf410e179f5f9 Mon Sep 17 00:00:00 2001 +From: Juergen Repp +Date: Mon, 10 Apr 2023 20:20:24 +0200 +Subject: [PATCH 08/10] FAPI: Fapi_GetInfo display warning for SHA3 hash algs. + +Currenlty FAPI_GetInfo did produce errors if the TPM implements +SHA3 hash algs. Now a warning is displayed. + +Signed-off-by: Juergen Repp +--- + src/tss2-fapi/tpm_json_serialize.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/src/tss2-fapi/tpm_json_serialize.c b/src/tss2-fapi/tpm_json_serialize.c +index 1eaa4eb2..65320da6 100644 +--- a/src/tss2-fapi/tpm_json_serialize.c ++++ b/src/tss2-fapi/tpm_json_serialize.c +@@ -1558,6 +1558,14 @@ ifapi_json_TPMS_ALG_PROPERTY_serialize(const TPMS_ALG_PROPERTY *in, json_object + return_if_null(in, "Bad reference.", TSS2_FAPI_RC_BAD_REFERENCE); + + TSS2_RC r; ++ ++ if ((in->alg == TPM2_ALG_SHA3_256 || ++ in->alg == TPM2_ALG_SHA3_384 || ++ in->alg == TPM2_ALG_SHA3_512)) { ++ LOG_WARNING("SHA3 hash algs are not supported by TSS"); ++ return TSS2_RC_SUCCESS; ++ } ++ + json_object *jso2; + if (*jso == NULL) + *jso = json_object_new_object (); +-- +2.41.0 + diff --git a/0008-Fix-file-descriptor-leak-when-tcti-initialization-fa.patch b/0008-Fix-file-descriptor-leak-when-tcti-initialization-fa.patch deleted file mode 100644 index bc54a23..0000000 --- a/0008-Fix-file-descriptor-leak-when-tcti-initialization-fa.patch +++ /dev/null @@ -1,84 +0,0 @@ -From 68a7867198c84111bac3068c33d28e320df6a6f6 Mon Sep 17 00:00:00 2001 -From: JerryDevis -Date: Wed, 13 Oct 2021 11:26:03 +0800 -Subject: [PATCH 08/23] Fix file descriptor leak when tcti initialization - failed - -Signed-off-by: JerryDevis ---- - src/tss2-tcti/tcti-device.c | 18 ++++++++++++++++-- - 1 file changed, 16 insertions(+), 2 deletions(-) - -diff --git a/src/tss2-tcti/tcti-device.c b/src/tss2-tcti/tcti-device.c -index 94db070c..364297be 100644 ---- a/src/tss2-tcti/tcti-device.c -+++ b/src/tss2-tcti/tcti-device.c -@@ -309,6 +309,16 @@ out: - return rc; - } - -+static void close_tpm(int *fd) -+{ -+ if (fd == NULL || *fd < 0) { -+ return; -+ } -+ -+ close(*fd); -+ *fd = -1; -+} -+ - void - tcti_device_finalize ( - TSS2_TCTI_CONTEXT *tctiContext) -@@ -319,7 +329,7 @@ tcti_device_finalize ( - if (tcti_dev == NULL) { - return; - } -- close (tcti_dev->fd); -+ close_tpm (&tcti_dev->fd); - tcti_common->state = TCTI_STATE_FINAL; - } - -@@ -455,6 +465,7 @@ Tss2_Tcti_Device_Init ( - ssize_t sz = write_all (tcti_dev->fd, cmd, sizeof(cmd)); - if (sz < 0 || sz != sizeof(cmd)) { - LOG_ERROR ("Could not probe device for partial response read support"); -+ close_tpm (&tcti_dev->fd); - return TSS2_TCTI_RC_IO_ERROR; - } - LOG_DEBUG ("Command sent, reading header"); -@@ -465,12 +476,14 @@ Tss2_Tcti_Device_Init ( - if (rc_poll < 0 || rc_poll == 0) { - LOG_ERROR ("Failed to poll for response from fd %d, rc %d, errno %d: %s", - tcti_dev->fd, rc_poll, errno, strerror(errno)); -+ close_tpm (&tcti_dev->fd); - return TSS2_TCTI_RC_IO_ERROR; - } else if (fds.revents == POLLIN) { - TEMP_RETRY (sz, read (tcti_dev->fd, rsp, TPM_HEADER_SIZE)); - if (sz < 0 || sz != TPM_HEADER_SIZE) { - LOG_ERROR ("Failed to read response header fd %d, got errno %d: %s", - tcti_dev->fd, errno, strerror (errno)); -+ close_tpm (&tcti_dev->fd); - return TSS2_TCTI_RC_IO_ERROR; - } - } -@@ -482,6 +495,7 @@ Tss2_Tcti_Device_Init ( - if (rc_poll < 0) { - LOG_DEBUG ("Failed to poll for response from fd %d, rc %d, errno %d: %s", - tcti_dev->fd, rc_poll, errno, strerror(errno)); -+ close_tpm (&tcti_dev->fd); - return TSS2_TCTI_RC_IO_ERROR; - } else if (rc_poll == 0) { - LOG_ERROR ("timeout waiting for response from fd %d", tcti_dev->fd); -@@ -495,7 +509,7 @@ Tss2_Tcti_Device_Init ( - LOG_DEBUG ("Failed to get response tail fd %d, got errno %d: %s", - tcti_dev->fd, errno, strerror (errno)); - tcti_common->partial_read_supported = 0; -- close(tcti_dev->fd); -+ close_tpm (&tcti_dev->fd); - tcti_dev->fd = open_tpm (used_conf); - if (tcti_dev->fd < 0) { - LOG_ERROR ("Failed to open specified TCTI device file %s: %s", --- -2.34.3 - diff --git a/0008-Require-OpenSSL-1.1.0.patch b/0008-Require-OpenSSL-1.1.0.patch deleted file mode 100644 index 4742055..0000000 --- a/0008-Require-OpenSSL-1.1.0.patch +++ /dev/null @@ -1,65 +0,0 @@ -From 090a10a69340dc0825f611eceac60bf3f904a5ec Mon Sep 17 00:00:00 2001 -From: Petr Gotthard -Date: Sat, 17 Jul 2021 22:43:00 +0200 -Subject: Require OpenSSL >= 1.1.0 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -To reduce the amount of version-specific code we drop support for -OpenSSL prior 1.1.0, including all forks such as LibreSSL, which are -not API compatible with OpenSSL >= 1.1.0. - -Python 3.10 will even require OpenSSL >= 1.1.1. The corresponding -PEP 644 contains a detailed impact analysis which is also relevant -here. - -Signed-off-by: Petr Gotthard ---- - INSTALL.md | 3 +-- - configure.ac | 6 +++++- - 2 files changed, 6 insertions(+), 3 deletions(-) - -diff --git a/INSTALL.md b/INSTALL.md -index eec94c45..658e1f28 100644 ---- a/INSTALL.md -+++ b/INSTALL.md -@@ -14,7 +14,7 @@ following sections describe them for the supported platforms. - * C library development libraries and header files - * pkg-config - * doxygen --* OpenSSL development libraries and header files -+* OpenSSL development libraries and header files, version >= 1.1.0 - * libcurl development libraries - - The following are dependencies only required when building test suites. -@@ -71,7 +71,6 @@ C Runtime (UCRT) version 10.0.16299.0. Building the type marshaling library - (tss2-mu.dll) and the system API (tss2-sapi.dll) should be as simple as - loading the tpm2-tss solution (tpm2-tss.sln) with a compatible and properly - configured version of Visual Studio 2017 and pressing the 'build' button. --Windows build setup requires OpenSSL >= v1.0.2 crypto library. - - ### References - Visual Studio 2017 with "Clang for Windows": https://blogs.msdn.microsoft.com/vcblog/2017/03/07/use-any-c-compiler-with-visual-studio/ -diff --git a/configure.ac b/configure.ac -index d4324c9a..12baa257 100755 ---- a/configure.ac -+++ b/configure.ac -@@ -132,9 +132,13 @@ AC_ARG_WITH([crypto], - AM_CONDITIONAL(ESYS_OSSL, test "x$with_crypto" = "xossl") - AM_CONDITIONAL(ESYS_MBED, test "x$with_crypto" = "xmbed") - -+m4_define([ossl_min_version], [1.1.0]) -+m4_define([ossl_err], [OpenSSL libcrypto is missing or version requirements not met. OpenSSL version must be >= ossl_min_version]) - AS_IF([test "x$enable_esys" = xyes], - [AS_IF([test "x$with_crypto" = xossl], [ -- PKG_CHECK_MODULES([LIBCRYPTO], [libcrypto]) -+ PKG_CHECK_MODULES([LIBCRYPTO], -+ [libcrypto >= ossl_min_version],, -+ [AC_MSG_ERROR([ossl_err])]) - AC_DEFINE([OSSL], [1], [OpenSSL cryptographic backend]) - TSS2_ESYS_CFLAGS_CRYPTO="$LIBCRYPTO_CFLAGS" - TSS2_ESYS_LDFLAGS_CRYPTO="$LIBCRYPTO_LIBS" --- -2.26.3 - diff --git a/0009-FAPI-Change-SHA256_Update-to-EVP_DigestUpdate.patch b/0009-FAPI-Change-SHA256_Update-to-EVP_DigestUpdate.patch deleted file mode 100644 index 7aba1f6..0000000 --- a/0009-FAPI-Change-SHA256_Update-to-EVP_DigestUpdate.patch +++ /dev/null @@ -1,124 +0,0 @@ -From 75da8bd937e6bca14832240321a679634159f75b Mon Sep 17 00:00:00 2001 -From: Petr Gotthard -Date: Sun, 18 Jul 2021 13:12:56 +0200 -Subject: FAPI: Change SHA256_Update to EVP_DigestUpdate -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Although the EVP_DigestUpdate functions are available in all OpenSSL -versions and the EVP_DigestFinal_ex was added in OpenSSL 0.9.7, the -EVP_MD_CTX_new was introduced in OpenSSL 1.1.0. -The SHA256_Update function is deprecated in OpenSSL 3.0.0. - -This PR should work with OpenSSL 1.1.0 through 3.0.0. - - - Compared to the upstream commit f4f528ff the changes related to the - unit test are omitted. - -Signed-off-by: Petr Gotthard ---- - src/tss2-fapi/ifapi_get_intl_cert.c | 43 +++++++++++++++++------------ - 1 file changed, 25 insertions(+), 18 deletions(-) - -diff --git a/src/tss2-fapi/ifapi_get_intl_cert.c b/src/tss2-fapi/ifapi_get_intl_cert.c -index 2fb17fd0..9290a17e 100644 ---- a/src/tss2-fapi/ifapi_get_intl_cert.c -+++ b/src/tss2-fapi/ifapi_get_intl_cert.c -@@ -52,21 +52,26 @@ static unsigned char *hash_ek_public(TPM2B_PUBLIC *ek_public) { - return NULL; - } - -- SHA256_CTX sha256; -- int is_success = SHA256_Init(&sha256); -+ EVP_MD_CTX *sha256ctx = EVP_MD_CTX_new(); -+ if (!sha256ctx) { -+ LOG_ERROR("EVP_MD_CTX_new failed"); -+ goto err; -+ } -+ -+ int is_success = EVP_DigestInit(sha256ctx, EVP_sha256()); - if (!is_success) { -- LOG_ERROR("SHA256_Init failed"); -+ LOG_ERROR("EVP_DigestInit failed"); - goto err; - } - - switch (ek_public->publicArea.type) { - case TPM2_ALG_RSA: - /* Add public key to the hash. */ -- is_success = SHA256_Update(&sha256, -- ek_public->publicArea.unique.rsa.buffer, -- ek_public->publicArea.unique.rsa.size); -+ is_success = EVP_DigestUpdate(sha256ctx, -+ ek_public->publicArea.unique.rsa.buffer, -+ ek_public->publicArea.unique.rsa.size); - if (!is_success) { -- LOG_ERROR("SHA256_Update failed"); -+ LOG_ERROR("EVP_DigestUpdate failed"); - goto err; - } - -@@ -77,28 +82,28 @@ static unsigned char *hash_ek_public(TPM2B_PUBLIC *ek_public) { - } - /* Exponent 65537 will be added. */ - BYTE buf[3] = { 0x1, 0x00, 0x01 }; -- is_success = SHA256_Update(&sha256, buf, sizeof(buf)); -+ is_success = EVP_DigestUpdate(sha256ctx, buf, sizeof(buf)); - if (!is_success) { -- LOG_ERROR("SHA256_Update failed"); -+ LOG_ERROR("EVP_DigestUpdate failed"); - goto err; - } - break; - - case TPM2_ALG_ECC: -- is_success = SHA256_Update(&sha256, -- ek_public->publicArea.unique.ecc.x.buffer, -- ek_public->publicArea.unique.ecc.x.size); -+ is_success = EVP_DigestUpdate(sha256ctx, -+ ek_public->publicArea.unique.ecc.x.buffer, -+ ek_public->publicArea.unique.ecc.x.size); - if (!is_success) { -- LOG_ERROR("SHA256_Update failed"); -+ LOG_ERROR("EVP_DigestUpdate failed"); - goto err; - } - - /* Add public key to the hash. */ -- is_success = SHA256_Update(&sha256, -- ek_public->publicArea.unique.ecc.y.buffer, -- ek_public->publicArea.unique.ecc.y.size); -+ is_success = EVP_DigestUpdate(sha256ctx, -+ ek_public->publicArea.unique.ecc.y.buffer, -+ ek_public->publicArea.unique.ecc.y.size); - if (!is_success) { -- LOG_ERROR("SHA256_Update failed"); -+ LOG_ERROR("EVP_DigestUpdate failed"); - goto err; - } - break; -@@ -108,17 +113,19 @@ static unsigned char *hash_ek_public(TPM2B_PUBLIC *ek_public) { - goto err; - } - -- is_success = SHA256_Final(hash, &sha256); -+ is_success = EVP_DigestFinal_ex(sha256ctx, hash, NULL); - if (!is_success) { - LOG_ERROR("SHA256_Final failed"); - goto err; - } - -+ EVP_MD_CTX_free(sha256ctx); - LOG_TRACE("public-key-hash:"); - LOG_TRACE(" sha256: "); - LOGBLOB_TRACE(&hash[0], SHA256_DIGEST_LENGTH, "Hash"); - return hash; - err: -+ EVP_MD_CTX_free(sha256ctx); - free(hash); - return NULL; - } --- -2.26.3 - diff --git a/0009-FAPI-Fix-leak-in-fapi-crypto-with-ossl3.patch b/0009-FAPI-Fix-leak-in-fapi-crypto-with-ossl3.patch deleted file mode 100644 index cb2a3e4..0000000 --- a/0009-FAPI-Fix-leak-in-fapi-crypto-with-ossl3.patch +++ /dev/null @@ -1,28 +0,0 @@ -From e1b4d9fd5b796711b38475c381a168a99003163c Mon Sep 17 00:00:00 2001 -From: Juergen Repp -Date: Thu, 2 Dec 2021 09:17:15 +0100 -Subject: [PATCH 09/23] FAPI: Fix leak in fapi crypto with ossl3 - -A leak in the case "out of memory" detected by scan-build was fixed. - -Signed-off-by: Juergen Repp ---- - src/tss2-fapi/fapi_crypto.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/tss2-fapi/fapi_crypto.c b/src/tss2-fapi/fapi_crypto.c -index d061cf48..fd7ea555 100644 ---- a/src/tss2-fapi/fapi_crypto.c -+++ b/src/tss2-fapi/fapi_crypto.c -@@ -1573,7 +1573,7 @@ ifapi_crypto_hash_start(IFAPI_CRYPTO_CONTEXT_BLOB **context, - * As we don't want the TPM to be called for these operations, we have - * to initialize own library context with the default provider. */ - mycontext->libctx = OSSL_LIB_CTX_new(); -- return_if_null(mycontext->libctx, "Out of memory", TSS2_FAPI_RC_MEMORY); -+ goto_if_null(mycontext->libctx, "Out of memory", TSS2_FAPI_RC_MEMORY, cleanup); - - if (!(mycontext->osslHashAlgorithm = - EVP_MD_fetch(mycontext->libctx, get_hash_md(hashAlgorithm), NULL))) { --- -2.34.3 - diff --git a/0009-FAPI-Skip-provisioning-test-for-nv-ext-and-profile-p.patch b/0009-FAPI-Skip-provisioning-test-for-nv-ext-and-profile-p.patch new file mode 100644 index 0000000..4fe97d2 --- /dev/null +++ b/0009-FAPI-Skip-provisioning-test-for-nv-ext-and-profile-p.patch @@ -0,0 +1,39 @@ +From e43323dd5c089ed6af0a6a77b30f97350e1fbb6a Mon Sep 17 00:00:00 2001 +From: Juergen Repp +Date: Sun, 9 Apr 2023 08:38:56 +0200 +Subject: [PATCH 09/10] FAPI: Skip provisioning test for nv ext and profile + paths. + +The provisioning test in ifapi_check_provisioned will be skipped +for ext nv and profile paths. The test did produce inappropriate +error messages if the corresponding paths did not exist in keystore. +The test is only needed for pathnames starting with the profile. +Fixes: #2596 + +Signed-off-by: Juergen Repp +--- + src/tss2-fapi/ifapi_keystore.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/src/tss2-fapi/ifapi_keystore.c b/src/tss2-fapi/ifapi_keystore.c +index 7e50ee1e..38c2f7fd 100644 +--- a/src/tss2-fapi/ifapi_keystore.c ++++ b/src/tss2-fapi/ifapi_keystore.c +@@ -1772,6 +1772,14 @@ ifapi_check_provisioned( + + *ok = false; + ++ /* No profile in path, test can be skipped. */ ++ if (ifapi_path_type_p(rel_path, IFAPI_NV_PATH) || ++ ifapi_path_type_p(rel_path, IFAPI_POLICY_PATH) || ++ ifapi_path_type_p(rel_path, IFAPI_EXT_PATH)) { ++ *ok = true; ++ return TSS2_RC_SUCCESS; ++ } ++ + /* First expand path in user directory */ + r = expand_path(keystore, rel_path, &directory); + goto_if_error(r, "Expand path", cleanup); +-- +2.41.0 + diff --git a/0010-FAPI-Fix-memory-leak-after-ifapi_init_primary_finish.patch b/0010-FAPI-Fix-memory-leak-after-ifapi_init_primary_finish.patch deleted file mode 100644 index c383e4e..0000000 --- a/0010-FAPI-Fix-memory-leak-after-ifapi_init_primary_finish.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 5652a33144973bdf570bea033ec185f8a7a6d038 Mon Sep 17 00:00:00 2001 -From: JerryDevis -Date: Tue, 21 Dec 2021 17:44:00 +0800 -Subject: [PATCH 10/23] FAPI: Fix memory leak after ifapi_init_primary_finish - failed - -Signed-off-by: JerryDevis ---- - src/tss2-fapi/fapi_util.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c -index 90f8b2aa..cd4e0979 100644 ---- a/src/tss2-fapi/fapi_util.c -+++ b/src/tss2-fapi/fapi_util.c -@@ -807,6 +807,10 @@ ifapi_init_primary_finish(FAPI_CONTEXT *context, TSS2_KEY_TYPE ktype, IFAPI_OBJE - } - - error_cleanup: -+ SAFE_FREE(outPublic); -+ SAFE_FREE(creationData); -+ SAFE_FREE(creationHash); -+ SAFE_FREE(creationTicket); - ifapi_cleanup_ifapi_object(&context->createPrimary.pkey_object); - free_string_list(k_sub_path); - SAFE_FREE(pkey->serialization.buffer); --- -2.34.3 - diff --git a/0010-FAPI-Fix-wrong-allocation-of-pcr-policy.patch b/0010-FAPI-Fix-wrong-allocation-of-pcr-policy.patch new file mode 100644 index 0000000..2e83a61 --- /dev/null +++ b/0010-FAPI-Fix-wrong-allocation-of-pcr-policy.patch @@ -0,0 +1,30 @@ +From 12519626a221f0e4c20e66ec101429fc0f321c6f Mon Sep 17 00:00:00 2001 +From: Juergen Repp +Date: Fri, 12 May 2023 09:30:53 +0200 +Subject: [PATCH 10/10] FAPI: Fix wrong allocation of pcr policy. + +The list of pcr registers was was allocated with the wrong size in the +function copy_policy_element which caused a segfault if more than one +pcr was used. + +Signed-off-by: Juergen Repp +--- + src/tss2-fapi/ifapi_helpers.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/tss2-fapi/ifapi_helpers.c b/src/tss2-fapi/ifapi_helpers.c +index e1c4220b..5c574717 100644 +--- a/src/tss2-fapi/ifapi_helpers.c ++++ b/src/tss2-fapi/ifapi_helpers.c +@@ -1343,7 +1343,7 @@ copy_policy_element(const TPMT_POLICYELEMENT *from_policy, TPMT_POLICYELEMENT *t + case POLICYPCR: + to_policy->element.PolicyPCR.pcrs = + calloc(1, sizeof(TPML_PCRVALUES) + +- from_policy->element.PolicyPCR.pcrs->count + sizeof(TPMS_PCRVALUE)); ++ from_policy->element.PolicyPCR.pcrs->count * sizeof(TPMS_PCRVALUE)); + goto_if_null2(to_policy->element.PolicyPCR.pcrs, "Out of memory.", + r, TSS2_FAPI_RC_MEMORY, error); + to_policy->element.PolicyPCR.pcrs->count +-- +2.41.0 + diff --git a/0010-Test-Use-EVP_MAC_xxx-with-OpenSSL-3.0.patch b/0010-Test-Use-EVP_MAC_xxx-with-OpenSSL-3.0.patch deleted file mode 100644 index c0e4b49..0000000 --- a/0010-Test-Use-EVP_MAC_xxx-with-OpenSSL-3.0.patch +++ /dev/null @@ -1,124 +0,0 @@ -From 89b2bd01f6fa1e267f57b2ceeb2ffaafb9cdb7c0 Mon Sep 17 00:00:00 2001 -From: Petr Gotthard -Date: Sun, 18 Jul 2021 14:56:18 +0200 -Subject: Test: Use EVP_MAC_xxx with OpenSSL 3.0 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Drop support for OpenSSL < 1.1.0 and add support for OpenSSL >= 3.0.0. - -The HMAC_Update is deprecated in OpenSSL 3.0, but the replacement -EVP_MAC_update was added in OpenSSL 3.0, so version specific code is -needed. - -Signed-off-by: Petr Gotthard ---- - test/integration/sys-util.c | 50 +++++++++++++++++++++++-------------- - 1 file changed, 31 insertions(+), 19 deletions(-) - -diff --git a/test/integration/sys-util.c b/test/integration/sys-util.c -index af83cf55..5865f002 100644 ---- a/test/integration/sys-util.c -+++ b/test/integration/sys-util.c -@@ -13,10 +13,13 @@ - #include - #include - -+#include - #include -+#if OPENSSL_VERSION_NUMBER < 0x30000000L - #include --#include --#include -+#else -+#include -+#endif - - #define LOGMODULE testintegration - #include "util/log.h" -@@ -489,22 +492,18 @@ hmac( - TPM2B_DIGEST **buffer_list, - TPM2B_DIGEST *out) - { --#if OPENSSL_VERSION_NUMBER >= 0x10100000L -- HMAC_CTX *ctx; --#else -- HMAC_CTX _ctx; -- HMAC_CTX *ctx = &_ctx; --#endif -- EVP_MD *evp; - int rc = 1, i; -- unsigned int *buf = NULL, size; -+ unsigned int *buf = NULL; - uint8_t *buf_ptr; -+ EVP_MD *evp; - --#if OPENSSL_VERSION_NUMBER >= 0x10100000L -- /* HMAC_CTX_new and HMAC_CTX_free are new in openSSL 1.1.0 */ -- ctx = HMAC_CTX_new(); -+#if OPENSSL_VERSION_NUMBER < 0x30000000L -+ unsigned int size; -+ HMAC_CTX *ctx = HMAC_CTX_new(); - #else -- HMAC_CTX_init(ctx); -+ size_t size; -+ EVP_MAC *hmac = EVP_MAC_fetch(NULL, "HMAC", NULL); -+ EVP_MAC_CTX *ctx = EVP_MAC_CTX_new(hmac); - #endif - - if (!ctx) -@@ -538,21 +537,33 @@ hmac( - - buf_ptr = (uint8_t *)buf; - --#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L - rc = HMAC_Init_ex(ctx, key, key_len, evp, NULL); - #else -- rc = HMAC_Init(ctx, key, key_len, evp); --#endif -+ OSSL_PARAM params[2]; - -+ params[0] = OSSL_PARAM_construct_utf8_string(OSSL_ALG_PARAM_DIGEST, -+ (char *)EVP_MD_get0_name(evp), 0); -+ params[1] = OSSL_PARAM_construct_end(); -+ rc = EVP_MAC_init(ctx, key, key_len, params); -+#endif - if (rc != 1) - goto out; - for (i = 0; buffer_list[i] != 0; i++) { -+#if OPENSSL_VERSION_NUMBER < 0x30000000L - rc = HMAC_Update(ctx, buffer_list[i]->buffer, buffer_list[i]->size); -+#else -+ rc = EVP_MAC_update(ctx, buffer_list[i]->buffer, buffer_list[i]->size); -+#endif - if (rc != 1) - goto out; - } - /* buf_ptr has to be 4 bytes alligned for whatever reason */ -+#if OPENSSL_VERSION_NUMBER < 0x30000000L - rc = HMAC_Final(ctx, buf_ptr, &size); -+#else -+ rc = EVP_MAC_final(ctx, buf_ptr, &size, out->size); -+#endif - if (rc != 1) - goto out; - -@@ -561,10 +572,11 @@ hmac( - memcpy(out->buffer, buf, out->size); - - out: --#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L - HMAC_CTX_free(ctx); - #else -- HMAC_CTX_cleanup(ctx); -+ EVP_MAC_CTX_free(ctx); -+ EVP_MAC_free(hmac); - #endif - - if (buf) --- -2.26.3 - diff --git a/0011-Drop-support-for-OpenSSL-1.1.0.patch b/0011-Drop-support-for-OpenSSL-1.1.0.patch deleted file mode 100644 index 3c77e9d..0000000 --- a/0011-Drop-support-for-OpenSSL-1.1.0.patch +++ /dev/null @@ -1,313 +0,0 @@ -From df8495b73df96f55425970e76c613b8a0950bf0c Mon Sep 17 00:00:00 2001 -From: Petr Gotthard -Date: Sun, 18 Jul 2021 20:21:01 +0200 -Subject: Drop support for OpenSSL < 1.1.0 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Delete code written to support OpenSSL < 1.1.0 - -Delete functions that have no effect in OpenSSL >= 1.1.0 - - ENGINE_load_builtin_engines() - - OpenSSL_add_all_algorithms() - - ERR_load_crypto_strings() - - EC_KEY_set_asn1_flag(ecKey, OPENSSL_EC_NAMED_CURVE) - -Switch AppVeyor to use pre-built OpenSSL 1.1.0 - -Signed-off-by: Petr Gotthard ---- - src/tss2-esys/esys_crypto_ossl.c | 19 ---------------- - src/tss2-esys/tss2-esys.vcxproj | 16 +++++++------- - src/tss2-fapi/fapi_crypto.c | 37 -------------------------------- - test/helper/tpm_getek.c | 11 ---------- - test/helper/tpm_getek_ecc.c | 9 -------- - 5 files changed, 8 insertions(+), 84 deletions(-) - -diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c -index 2eb0dfcb..a6259346 100644 ---- a/src/tss2-esys/esys_crypto_ossl.c -+++ b/src/tss2-esys/esys_crypto_ossl.c -@@ -525,11 +525,7 @@ iesys_cryptossl_random2b(TPM2B_NONCE * nonce, size_t num_bytes) - nonce->size = num_bytes; - } - --#if OPENSSL_VERSION_NUMBER >= 0x10100000L - RAND_set_rand_method(RAND_OpenSSL()); --#else -- RAND_set_rand_method(RAND_SSLeay()); --#endif - if (1 != RAND_bytes(&nonce->buffer[0], nonce->size)) { - RAND_set_rand_method(rand_save); - return_error(TSS2_ESYS_RC_GENERAL_FAILURE, -@@ -563,11 +559,7 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key, - size_t * out_size, const char *label) - { - const RAND_METHOD *rand_save = RAND_get_rand_method(); --#if OPENSSL_VERSION_NUMBER >= 0x10100000L - RAND_set_rand_method(RAND_OpenSSL()); --#else -- RAND_set_rand_method(RAND_SSLeay()); --#endif - - TSS2_RC r = TSS2_RC_SUCCESS; - const EVP_MD * hashAlg = NULL; -@@ -630,14 +622,6 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key, - goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, - "Could not create evp key.", cleanup); - } --#if OPENSSL_VERSION_NUMBER < 0x10100000L -- if (!BN_bin2bn(pub_tpm_key->publicArea.unique.rsa.buffer, -- pub_tpm_key->publicArea.unique.rsa.size, -- rsa_key->n)) { -- goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, -- "Could not create rsa n.", cleanup); -- } --#else - BIGNUM *n = NULL; - if (!(n = BN_bin2bn(pub_tpm_key->publicArea.unique.rsa.buffer, - pub_tpm_key->publicArea.unique.rsa.size, -@@ -650,7 +634,6 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key, - goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, - "Could not set rsa n.", cleanup); - } --#endif - - if (1 != EVP_PKEY_set1_RSA(evp_rsa_key, rsa_key)) { - goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, -@@ -1129,7 +1112,5 @@ iesys_cryptossl_sym_aes_decrypt(uint8_t * key, - */ - TSS2_RC - iesys_cryptossl_init() { -- ENGINE_load_builtin_engines(); -- OpenSSL_add_all_algorithms(); - return TSS2_RC_SUCCESS; - } -diff --git a/src/tss2-esys/tss2-esys.vcxproj b/src/tss2-esys/tss2-esys.vcxproj -index b75424aa..b2aa67ce 100644 ---- a/src/tss2-esys/tss2-esys.vcxproj -+++ b/src/tss2-esys/tss2-esys.vcxproj -@@ -69,13 +69,13 @@ - MultiThreadedDebugDLL - Level3 - Disabled -- $(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-Win32\include;%(AdditionalIncludeDirectories) -+ $(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-v11-Win32\include;%(AdditionalIncludeDirectories) - - - MachineX86 - true - Windows -- $(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-Win32\lib\libeay32.lib;C:\OpenSSL-Win32\lib\libeay32.lib;%(AdditionalDependencies) -+ $(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-v11-Win32\lib\libcrypto.lib;C:\OpenSSL-v11-Win32\lib\libcrypto.lib;%(AdditionalDependencies) - $(SolutionDir)\lib\tss2-esys.def - - -@@ -84,7 +84,7 @@ - WIN32;NDEBUG;_WINDOWS;_USRDLL;TSS2ESYS_EXPORTS;MAXLOGLEVEL=6;strtok_r=strtok_s;OSSL;%(PreprocessorDefinitions) - MultiThreadedDLL - Level3 -- $(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-Win32\include;%(AdditionalIncludeDirectories) -+ $(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-v11-Win32\include;%(AdditionalIncludeDirectories) - - - MachineX86 -@@ -92,27 +92,27 @@ - Windows - true - true -- $(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-Win32\lib\libeay32.lib;%(AdditionalDependencies) -+ $(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-v11-Win32\lib\libcrypto.lib;%(AdditionalDependencies) - $(SolutionDir)\lib\tss2-esys.def - - - - -- $(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-Win64\include;%(AdditionalIncludeDirectories) -+ $(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-v11-Win64\include;%(AdditionalIncludeDirectories) - _DEBUG;_WINDOWS;_USRDLL;TSS2ESYS_EXPORTS;MAXLOGLEVEL=6;strtok_r=strtok_s;OSSL;%(PreprocessorDefinitions) - - -- $(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-Win64\lib\libeay32.lib;%(AdditionalDependencies) -+ $(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-v11-Win64\lib\libcrypto.lib;%(AdditionalDependencies) - $(SolutionDir)\lib\tss2-esys.def - - - - -- $(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-Win64\include;%(AdditionalIncludeDirectories) -+ $(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-v11-Win64\include;%(AdditionalIncludeDirectories) - NDEBUG;_WINDOWS;_USRDLL;TSS2ESYS_EXPORTS;MAXLOGLEVEL=6;strtok_r=strtok_s;OSSL;%(PreprocessorDefinitions) - - -- $(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-Win64\lib\libeay32.lib;%(AdditionalDependencies) -+ $(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-v11-Win64\lib\libcrypto.lib;%(AdditionalDependencies) - $(SolutionDir)\lib\tss2-esys.def - - -diff --git a/src/tss2-fapi/fapi_crypto.c b/src/tss2-fapi/fapi_crypto.c -index f5b3d272..c97b0a1d 100644 ---- a/src/tss2-fapi/fapi_crypto.c -+++ b/src/tss2-fapi/fapi_crypto.c -@@ -333,12 +333,7 @@ ifapi_tpm_ecc_sig_to_der( - tpmSignature->signature.ecdsa.signatureR.size, NULL); - goto_if_null(bnr, "Out of memory", TSS2_FAPI_RC_MEMORY, cleanup); - --#if OPENSSL_VERSION_NUMBER < 0x10100000 -- ecdsaSignature->s = bns; -- ecdsaSignature->r = bnr; --#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */ - ECDSA_SIG_set0(ecdsaSignature, bnr, bns); --#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */ - - osslRC = i2d_ECDSA_SIG(ecdsaSignature, NULL); - if (osslRC == -1) { -@@ -424,20 +419,9 @@ ossl_rsa_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey) - "Could not set exponent.", error_cleanup); - } - --#if OPENSSL_VERSION_NUMBER < 0x10100000 -- rsa->e = e; -- rsa->n = n; -- rsa->d = d; -- rsa->p = p; -- rsa->q = q; -- rsa->dmp1 = dmp1; -- rsa->dmq1 = dmq1; -- rsa->iqmp = iqmp; --#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */ - RSA_set0_key(rsa, n, e, d); - RSA_set0_factors(rsa, p, q); - RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp); --#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */ - - /* Assign the parameters to the key */ - if (!EVP_PKEY_assign_RSA(evpPublicKey, rsa)) { -@@ -541,8 +525,6 @@ ossl_ecc_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey) - goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Assign ecc key", - error_cleanup); - } -- /* Needed for older OSSL versions. */ -- EC_KEY_set_asn1_flag(ecKey, OPENSSL_EC_NAMED_CURVE); - OSSL_FREE(y, BN); - OSSL_FREE(x, BN); - return TSS2_RC_SUCCESS; -@@ -654,24 +636,14 @@ ifapi_ecc_der_sig_to_tpm( - - /* Initialize the ECDSA signature components */ - ECDSA_SIG *ecdsaSignature = NULL; --#if OPENSSL_VERSION_NUMBER < 0x10100000 -- BIGNUM *bnr; -- BIGNUM *bns; --#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */ - const BIGNUM *bnr; - const BIGNUM *bns; --#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */ - - d2i_ECDSA_SIG(&ecdsaSignature, &signature, signatureSize); - return_if_null(ecdsaSignature, "Invalid DER signature", - TSS2_FAPI_RC_GENERAL_FAILURE); - --#if OPENSSL_VERSION_NUMBER < 0x10100000 -- bns = ecdsaSignature->s; -- bnr = ecdsaSignature->r; --#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */ - ECDSA_SIG_get0(ecdsaSignature, &bnr, &bns); --#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */ - - /* Writing them to the TPM format signature */ - tpmSignature->signature.ecdsa.hash = hashAlgorithm; -@@ -933,12 +905,7 @@ get_rsa_tpm2b_public_from_evp( - const BIGNUM *e = NULL, *n = NULL; - int rsaKeySize = RSA_size(rsaKey); - --#if OPENSSL_VERSION_NUMBER < 0x10100000 -- e = rsaKey->e; -- n = rsaKey->n; --#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */ - RSA_get0_key(rsaKey, &n, &e, NULL); --#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */ - tpmPublic->publicArea.unique.rsa.size = rsaKeySize; - if (1 != ifapi_bn2binpad(n, &tpmPublic->publicArea.unique.rsa.buffer[0], - rsaKeySize)) { -@@ -1650,8 +1617,6 @@ get_crl_from_cert(X509 *cert, X509_CRL **crl) - goto_error(r, TSS2_FAPI_RC_NO_CERT, "Get crl.", cleanup); - } - -- OpenSSL_add_all_algorithms(); -- - unsigned const char* tmp_ptr1 = crl_buffer; - unsigned const char** tmp_ptr2 = &tmp_ptr1; - -@@ -1935,7 +1900,6 @@ ifapi_verify_ek_cert( - r, TSS2_FAPI_RC_BAD_VALUE, cleanup); - } else { - /* Get uri for ek intermediate certificate. */ -- OpenSSL_add_all_algorithms(); - info = X509_get_ext_d2i(ek_cert, NID_info_access, NULL, NULL); - - for (i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++) { -@@ -1955,7 +1919,6 @@ ifapi_verify_ek_cert( - goto_if_null2(cert_buffer, "No certificate downloaded", r, - TSS2_FAPI_RC_NO_CERT, cleanup); - -- OpenSSL_add_all_algorithms(); - intermed_cert = get_cert_from_buffer(cert_buffer, cert_buffer_size); - - SAFE_FREE(cert_buffer); -diff --git a/test/helper/tpm_getek.c b/test/helper/tpm_getek.c -index 21be0f46..c6a8e906 100644 ---- a/test/helper/tpm_getek.c -+++ b/test/helper/tpm_getek.c -@@ -147,20 +147,9 @@ main (int argc, char *argv[]) - exp = out_public.publicArea.parameters.rsaDetail.exponent; - BN_set_word(e, exp); - --#if OPENSSL_VERSION_NUMBER < 0x10100000 -- rsa->e = e; -- rsa->n = n; -- rsa->d = d; -- rsa->p = p; -- rsa->q = q; -- rsa->dmp1 = dmp1; -- rsa->dmq1 = dmq1; -- rsa->iqmp = iqmp; --#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */ - RSA_set0_key(rsa, n, e, d); - RSA_set0_factors(rsa, p, q); - RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp); --#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */ - - EVP_PKEY_assign_RSA(evp, rsa); - -diff --git a/test/helper/tpm_getek_ecc.c b/test/helper/tpm_getek_ecc.c -index 0419f47a..75165fdd 100644 ---- a/test/helper/tpm_getek_ecc.c -+++ b/test/helper/tpm_getek_ecc.c -@@ -128,14 +128,6 @@ main (int argc, char *argv[]) - /* Convert the key from out_public to PEM */ - - EVP_PKEY *evp = EVP_PKEY_new(); -- -- OpenSSL_add_all_algorithms(); -- -- OpenSSL_add_all_algorithms(); -- -- ERR_load_crypto_strings(); -- -- - EC_KEY *ecc_key = EC_KEY_new(); - BIGNUM *x = NULL, *y = NULL; - BIO *bio; -@@ -159,7 +151,6 @@ main (int argc, char *argv[]) - if (!EC_KEY_set_group(ecc_key, ecgroup)) - exit(1); - -- EC_KEY_set_asn1_flag(ecc_key, OPENSSL_EC_NAMED_CURVE); - EC_GROUP_free(ecgroup); - - /* Set the ECC parameters in the OpenSSL key */ --- -2.26.3 - diff --git a/0011-esys-Return-an-error-if-ESYS_TR_NONE-is-passed-to-Es.patch b/0011-esys-Return-an-error-if-ESYS_TR_NONE-is-passed-to-Es.patch deleted file mode 100644 index fa2dd72..0000000 --- a/0011-esys-Return-an-error-if-ESYS_TR_NONE-is-passed-to-Es.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 8b3891af6b8125f30c4b229ee1ba0b30a112664a Mon Sep 17 00:00:00 2001 -From: Juergen Repp -Date: Tue, 21 Dec 2021 11:59:28 +0100 -Subject: [PATCH 11/23] esys: Return an error if ESYS_TR_NONE is passed to - Esys_TR_GetName. - -A segfault was produced in this case. Fixes #2243. - -Signed-off-by: Juergen Repp ---- - src/tss2-esys/esys_tr.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/src/tss2-esys/esys_tr.c b/src/tss2-esys/esys_tr.c -index f0127d02..cf4caa09 100644 ---- a/src/tss2-esys/esys_tr.c -+++ b/src/tss2-esys/esys_tr.c -@@ -408,6 +408,7 @@ Esys_TR_SetAuth(ESYS_CONTEXT * esys_context, ESYS_TR esys_handle, - * @retval TSS2_ESYS_RC_MEMORY if needed memory can't be allocated. - * @retval TSS2_ESYS_RC_GENERAL_FAILURE for errors of the crypto library. - * @retval TSS2_ESYS_RC_BAD_REFERENCE if the esysContext is NULL. -+ * @retval TSS2_ESYS_RC_BAD_TR if the handle is invalid. - * @retval TSS2_SYS_RC_* for SAPI errors. - */ - TSS2_RC -@@ -418,6 +419,10 @@ Esys_TR_GetName(ESYS_CONTEXT * esys_context, ESYS_TR esys_handle, - TSS2_RC r; - _ESYS_ASSERT_NON_NULL(esys_context); - -+ if (esys_handle == ESYS_TR_NONE) { -+ return_error(TSS2_ESYS_RC_BAD_TR, "Name for ESYS_TR_NONE can't be determined."); -+ } -+ - r = esys_GetResourceObject(esys_context, esys_handle, &esys_object); - return_if_error(r, "Object not found"); - --- -2.34.3 - diff --git a/0012-FAPI-Fixed-memory-leak-when-ifapi_get_certificates-f.patch b/0012-FAPI-Fixed-memory-leak-when-ifapi_get_certificates-f.patch deleted file mode 100644 index f27cd6b..0000000 --- a/0012-FAPI-Fixed-memory-leak-when-ifapi_get_certificates-f.patch +++ /dev/null @@ -1,45 +0,0 @@ -From d03674af6f2a66bb6d94f5a50871301c8650522d Mon Sep 17 00:00:00 2001 -From: JerryDevis -Date: Wed, 5 Jan 2022 20:55:21 +0800 -Subject: [PATCH 12/23] FAPI: Fixed memory leak when ifapi_get_certificates - failed - -Signed-off-by: JerryDevis ---- - src/tss2-fapi/fapi_util.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c -index cd4e0979..f64c4e8b 100644 ---- a/src/tss2-fapi/fapi_util.c -+++ b/src/tss2-fapi/fapi_util.c -@@ -4328,7 +4328,7 @@ ifapi_get_certificates( - context->nv_cmd.nv_object.misc.nv.public.nvPublic.attributes = TPMA_NV_NO_DA; - - r = ifapi_keystore_load_async(&context->keystore, &context->io, "/HS"); -- return_if_error2(r, "Could not open hierarchy /HS"); -+ goto_if_error_reset_state(r, "Could not open hierarchy /HS", error); - - fallthrough; - -@@ -4352,7 +4352,7 @@ ifapi_get_certificates( - context->session2 = ESYS_TR_NONE; - context->nv_cmd.nv_read_state = NV_READ_INIT; - memset(&context->nv_cmd.nv_object, 0, sizeof(IFAPI_OBJECT)); -- Esys_Free(context->cmd.Provision.nvPublic); -+ SAFE_FREE(context->cmd.Provision.nvPublic); - fallthrough; - - statecase(context->get_cert_state, GET_CERT_READ_CERT); -@@ -4382,7 +4382,7 @@ ifapi_get_certificates( - } - - error: -- SAFE_FREE(context->cmd.Provision.capabilityData); -+ SAFE_FREE(context->cmd.Provision.nvPublic); - SAFE_FREE(context->cmd.Provision.capabilityData); - ifapi_cleanup_ifapi_object(&context->nv_cmd.auth_object); - ifapi_free_object_list(*cert_list); --- -2.34.3 - diff --git a/0012-Implement-EVP_PKEY-export-import-for-OpenSSL-3.0.patch b/0012-Implement-EVP_PKEY-export-import-for-OpenSSL-3.0.patch deleted file mode 100644 index d98ec63..0000000 --- a/0012-Implement-EVP_PKEY-export-import-for-OpenSSL-3.0.patch +++ /dev/null @@ -1,1005 +0,0 @@ -From f328c68cba9d5511b7d2d2615b3a28987edbdfac Mon Sep 17 00:00:00 2001 -From: Petr Gotthard -Date: Sun, 18 Jul 2021 21:30:59 +0200 -Subject: Implement EVP_PKEY export/import for OpenSSL 3.0 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The `RSA_KEY` and `EC_KEY` are not publicly available in OpenSSL 3.0 and -the generic `EVP_PKEY` must be used instead. -Since export/import of raw keys still requires access to the internal structures -the OpenSSL 3.0 introduced a completely new approach to access key internals. - -This PR: - - preserves the current export/import impementation for OpenSSL 1.1.x - - implements key export/import for OpenSSL 3.0.0 - -Signed-off-by: Petr Gotthard ---- - src/tss2-esys/esys_crypto_ossl.c | 154 ++++++++++++----- - src/tss2-fapi/fapi_crypto.c | 275 +++++++++++++++++++++---------- - test/helper/tpm_getek.c | 53 +++--- - test/helper/tpm_getek_ecc.c | 61 +++++-- - 4 files changed, 386 insertions(+), 157 deletions(-) - -diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c -index a6259346..392f97ae 100644 ---- a/src/tss2-esys/esys_crypto_ossl.c -+++ b/src/tss2-esys/esys_crypto_ossl.c -@@ -8,9 +8,17 @@ - #include - #endif - -+#include - #include --#include - #include -+#include -+#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#include -+#else -+#include -+#include -+#include -+#endif - #include - #include - -@@ -324,9 +332,14 @@ iesys_cryptossl_hmac_start(IESYS_CRYPTO_CONTEXT_BLOB ** context, - "Error EVP_MD_CTX_create", cleanup); - } - -+#if OPENSSL_VERSION_NUMBER < 0x10101000L - if (!(hkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, key, size))) { -+#else -+ /* this is preferred, but available since OpenSSL 1.1.1 only */ -+ if (!(hkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, key, size))) { -+#endif - goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, -- "EVP_PKEY_new_mac_key", cleanup); -+ "Failed to create HMAC key", cleanup); - } - - if(1 != EVP_DigestSignInit(mycontext->hmac.ossl_context, NULL, -@@ -517,7 +530,10 @@ iesys_cryptossl_hmac_abort(IESYS_CRYPTO_CONTEXT_BLOB ** context) - TSS2_RC - iesys_cryptossl_random2b(TPM2B_NONCE * nonce, size_t num_bytes) - { -+#if OPENSSL_VERSION_NUMBER < 0x30000000L - const RAND_METHOD *rand_save = RAND_get_rand_method(); -+ RAND_set_rand_method(RAND_OpenSSL()); -+#endif - - if (num_bytes == 0) { - nonce->size = sizeof(TPMU_HA); -@@ -525,13 +541,16 @@ iesys_cryptossl_random2b(TPM2B_NONCE * nonce, size_t num_bytes) - nonce->size = num_bytes; - } - -- RAND_set_rand_method(RAND_OpenSSL()); - if (1 != RAND_bytes(&nonce->buffer[0], nonce->size)) { -+#if OPENSSL_VERSION_NUMBER < 0x30000000L - RAND_set_rand_method(rand_save); -+#endif - return_error(TSS2_ESYS_RC_GENERAL_FAILURE, - "Failure in random number generator."); - } -+#if OPENSSL_VERSION_NUMBER < 0x30000000L - RAND_set_rand_method(rand_save); -+#endif - return TSS2_RC_SUCCESS; - } - -@@ -558,30 +577,33 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key, - BYTE * out_buffer, - size_t * out_size, const char *label) - { -+#if OPENSSL_VERSION_NUMBER < 0x30000000L -+ RSA *rsa_key = NULL; - const RAND_METHOD *rand_save = RAND_get_rand_method(); -+ - RAND_set_rand_method(RAND_OpenSSL()); -+#else -+ OSSL_PARAM *params = NULL; -+ OSSL_PARAM_BLD *build = NULL; -+#endif - - TSS2_RC r = TSS2_RC_SUCCESS; - const EVP_MD * hashAlg = NULL; -- RSA * rsa_key = NULL; - EVP_PKEY *evp_rsa_key = NULL; -- EVP_PKEY_CTX *ctx = NULL; -- BIGNUM* bne = NULL; -+ EVP_PKEY_CTX *genctx = NULL, *ctx = NULL; -+ BIGNUM *bne = NULL, *n = NULL; - int padding; - char *label_copy = NULL; - - if (!(hashAlg = get_ossl_hash_md(pub_tpm_key->publicArea.nameAlg))) { - LOG_ERROR("Unsupported hash algorithm (%"PRIu16")", - pub_tpm_key->publicArea.nameAlg); -+#if OPENSSL_VERSION_NUMBER < 0x30000000L - RAND_set_rand_method(rand_save); -+#endif - return TSS2_ESYS_RC_NOT_IMPLEMENTED; - } - -- if (!(bne = BN_new())) { -- goto_error(r, TSS2_ESYS_RC_MEMORY, -- "Could not allocate Big Number", cleanup); -- } -- - switch (pub_tpm_key->publicArea.parameters.rsaDetail.scheme.scheme) { - case TPM2_ALG_NULL: - padding = RSA_NO_PADDING; -@@ -601,44 +623,64 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key, - exp = 65537; - else - exp = pub_tpm_key->publicArea.parameters.rsaDetail.exponent; -- if (1 != BN_set_word(bne, exp)) { -+ -+ if (!(n = BN_bin2bn(pub_tpm_key->publicArea.unique.rsa.buffer, -+ pub_tpm_key->publicArea.unique.rsa.size, -+ NULL))) { - goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, -- "Could not set exponent.", cleanup); -+ "Could not create rsa n.", cleanup); - } - -+#if OPENSSL_VERSION_NUMBER < 0x30000000L - if (!(rsa_key = RSA_new())) { - goto_error(r, TSS2_ESYS_RC_MEMORY, - "Could not allocate RSA key", cleanup); - } - -- if (1 != RSA_generate_key_ex(rsa_key, -- pub_tpm_key->publicArea.parameters.rsaDetail.keyBits, -- bne, NULL)) { -- goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Could not generate RSA key", -- cleanup); -+ if (!(bne = BN_new())) { -+ goto_error(r, TSS2_ESYS_RC_MEMORY, -+ "Could not allocate Big Number", cleanup); - } -- -- if (!(evp_rsa_key = EVP_PKEY_new())) { -+ if (1 != BN_set_word(bne, exp)) { - goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, -- "Could not create evp key.", cleanup); -+ "Could not set exponent.", cleanup); - } -- BIGNUM *n = NULL; -- if (!(n = BN_bin2bn(pub_tpm_key->publicArea.unique.rsa.buffer, -- pub_tpm_key->publicArea.unique.rsa.size, -- NULL))) { -+ -+ if (1 != RSA_set0_key(rsa_key, n, bne, NULL)) { - goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, -- "Could not create rsa n.", cleanup); -+ "Could not set rsa n.", cleanup); - } -+ /* ownership got transferred */ -+ n = NULL; -+ bne = NULL; - -- if (1 != RSA_set0_key(rsa_key, n, NULL, NULL)) { -+ if (!(evp_rsa_key = EVP_PKEY_new())) { - goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, -- "Could not set rsa n.", cleanup); -+ "Could not create evp key.", cleanup); - } - -- if (1 != EVP_PKEY_set1_RSA(evp_rsa_key, rsa_key)) { -+ if (1 != EVP_PKEY_assign_RSA(evp_rsa_key, rsa_key)) { - goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, - "Could not set rsa key.", cleanup); - } -+ /* ownership got transferred */ -+ rsa_key = NULL; -+#else /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+ if ((build = OSSL_PARAM_BLD_new()) == NULL -+ || !OSSL_PARAM_BLD_push_BN(build, OSSL_PKEY_PARAM_RSA_N, n) -+ || !OSSL_PARAM_BLD_push_uint32(build, OSSL_PKEY_PARAM_RSA_E, exp) -+ || (params = OSSL_PARAM_BLD_to_param(build)) == NULL) { -+ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Could not create rsa parameters.", -+ cleanup); -+ } -+ -+ if ((genctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL)) == NULL -+ || EVP_PKEY_fromdata_init(genctx) <= 0 -+ || EVP_PKEY_fromdata(genctx, &evp_rsa_key, EVP_PKEY_PUBLIC_KEY, params) <= 0) { -+ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Could not create rsa key.", -+ cleanup); -+ } -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ - - if (!(ctx = EVP_PKEY_CTX_new(evp_rsa_key, NULL))) { - goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, -@@ -692,11 +734,18 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key, - r = TSS2_RC_SUCCESS; - - cleanup: -+ OSSL_FREE(genctx, EVP_PKEY_CTX); - OSSL_FREE(ctx, EVP_PKEY_CTX); - OSSL_FREE(evp_rsa_key, EVP_PKEY); -- OSSL_FREE(rsa_key, RSA); - OSSL_FREE(bne, BN); -+ OSSL_FREE(n, BN); -+#if OPENSSL_VERSION_NUMBER < 0x30000000L -+ OSSL_FREE(rsa_key, RSA); - RAND_set_rand_method(rand_save); -+#else -+ OSSL_FREE(params, OSSL_PARAM); -+ OSSL_FREE(build, OSSL_PARAM_BLD); -+#endif - return r; - } - -@@ -784,8 +833,14 @@ iesys_cryptossl_get_ecdh_point(TPM2B_PUBLIC *key, - { - TSS2_RC r = TSS2_RC_SUCCESS; - EC_GROUP *group = NULL; /* Group defines the used curve */ -- EC_KEY *eph_ec_key = NULL; /* Ephemeral ec key of application */ -+ EVP_PKEY_CTX *ctx = NULL; -+ EVP_PKEY *eph_pkey = NULL; -+#if OPENSSL_VERSION_NUMBER < 0x30000000L - const EC_POINT *eph_pub_key = NULL; /* Public part of ephemeral key */ -+ const BIGNUM *eph_priv_key = NULL; -+#else -+ BIGNUM *eph_priv_key = NULL; -+#endif - EC_POINT *tpm_pub_key = NULL; /* Public part of TPM key */ - EC_POINT *mul_eph_tpm = NULL; - BIGNUM *bn_x = NULL; -@@ -827,23 +882,25 @@ iesys_cryptossl_get_ecdh_point(TPM2B_PUBLIC *key, - } - - /* Create ephemeral key */ -- if (!(eph_ec_key = EC_KEY_new())) { -+ if ((ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL)) == NULL -+ || EVP_PKEY_keygen_init(ctx) <= 0) { - goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, -- "Create ec key", cleanup); -+ "Initialize ec key generation", cleanup); - } -- if (1 != EC_KEY_set_group(eph_ec_key , group)) { - -- goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Set group", cleanup); -- } -- -- if (1 != EC_KEY_generate_key(eph_ec_key)) { -+ if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, curveId) <= 0 -+ || EVP_PKEY_keygen(ctx, &eph_pkey) <= 0) { - goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Generate ec key", cleanup); - } - -+#if OPENSSL_VERSION_NUMBER < 0x30000000L -+ EC_KEY *eph_ec_key = EVP_PKEY_get0_EC_KEY(eph_pkey); -+ - if (!(eph_pub_key = EC_KEY_get0_public_key(eph_ec_key))) { - goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Get public key", cleanup); - } - -+ eph_priv_key = EC_KEY_get0_private_key(eph_ec_key); - if (1 != EC_POINT_is_on_curve(group, eph_pub_key, NULL)) { - goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, - "Ephemeral public key is on curve",cleanup); -@@ -861,8 +918,16 @@ iesys_cryptossl_get_ecdh_point(TPM2B_PUBLIC *key, - if (1 != EC_POINT_get_affine_coordinates_tss(group, eph_pub_key, bn_x, - bn_y, NULL)) { - goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, -- "Get affine x coordinate", cleanup); -+ "Get affine coordinates", cleanup); -+ } -+#else -+ if (!EVP_PKEY_get_bn_param(eph_pkey, OSSL_PKEY_PARAM_PRIV_KEY, &eph_priv_key) -+ || !EVP_PKEY_get_bn_param(eph_pkey, OSSL_PKEY_PARAM_EC_PUB_X, &bn_x) -+ || !EVP_PKEY_get_bn_param(eph_pkey, OSSL_PKEY_PARAM_EC_PUB_Y, &bn_y)) { -+ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, -+ "Get ephemeral key", cleanup); - } -+#endif - - if (1 != iesys_bn2binpad(bn_x, &Q->x.buffer[0], key_size)) { - goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, -@@ -881,13 +946,11 @@ iesys_cryptossl_get_ecdh_point(TPM2B_PUBLIC *key, - r = tpm_pub_to_ossl_pub(group, key, &tpm_pub_key); - goto_if_error(r, "Convert TPM pub point to ossl pub point", cleanup); - -- /* Multiply the ephemeral private key with TPM public key */ -- const BIGNUM * eph_priv_key = EC_KEY_get0_private_key(eph_ec_key); -- - if (!(mul_eph_tpm = EC_POINT_new(group))) { - goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Create point.", cleanup); - } - -+ /* Multiply the ephemeral private key with TPM public key */ - if (1 != EC_POINT_mul(group, mul_eph_tpm, NULL, - tpm_pub_key, eph_priv_key, NULL)) { - goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, -@@ -918,8 +981,13 @@ iesys_cryptossl_get_ecdh_point(TPM2B_PUBLIC *key, - OSSL_FREE(mul_eph_tpm, EC_POINT); - OSSL_FREE(tpm_pub_key, EC_POINT); - OSSL_FREE(group,EC_GROUP); -- OSSL_FREE(eph_ec_key, EC_KEY); -+ OSSL_FREE(ctx, EVP_PKEY_CTX); -+ OSSL_FREE(eph_pkey, EVP_PKEY); -+#if OPENSSL_VERSION_NUMBER < 0x30000000L - /* Note: free of eph_pub_key already done by free of eph_ec_key */ -+#else -+ OSSL_FREE(eph_priv_key, BN); -+#endif - OSSL_FREE(bn_x, BN); - OSSL_FREE(bn_y, BN); - return r; -diff --git a/src/tss2-fapi/fapi_crypto.c b/src/tss2-fapi/fapi_crypto.c -index c97b0a1d..c50b5f0a 100644 ---- a/src/tss2-fapi/fapi_crypto.c -+++ b/src/tss2-fapi/fapi_crypto.c -@@ -11,10 +11,15 @@ - #include - - #include --#include - #include --#include - #include -+#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#include -+#else -+#include -+#include -+#include -+#endif - #include - #include - #include -@@ -380,66 +385,89 @@ cleanup: - * @retval TSS2_FAPI_RC_MEMORY if not enough memory can be allocated. - */ - static TSS2_RC --ossl_rsa_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey) -+ossl_rsa_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY **evpPublicKey) - { -+#if OPENSSL_VERSION_NUMBER < 0x30000000L -+ RSA *rsa = NULL; -+#else -+ OSSL_PARAM_BLD *build = NULL; -+ OSSL_PARAM *params = NULL; -+ EVP_PKEY_CTX *ctx = NULL; -+#endif -+ - /* Check for NULL parameters */ - return_if_null(tpmPublicKey, "tpmPublicKey is NULL", TSS2_FAPI_RC_BAD_REFERENCE); - return_if_null(evpPublicKey, "evpPublicKey is NULL", TSS2_FAPI_RC_BAD_REFERENCE); - -+ TSS2_RC r = TSS2_RC_SUCCESS; - /* Initialize the RSA parameters */ -- TSS2_RC r; -- RSA *rsa = RSA_new(); -- BIGNUM *e = BN_new(); -- BIGNUM *d = BN_new(); -- BIGNUM *p = BN_new(); -- BIGNUM *q = BN_new(); -- BIGNUM *dmp1 = BN_new(); -- BIGNUM *dmq1 = BN_new(); -- BIGNUM *iqmp = BN_new(); -+ BIGNUM *e = NULL; - BIGNUM *n = BN_bin2bn(tpmPublicKey->publicArea.unique.rsa.buffer, - tpmPublicKey->publicArea.unique.rsa.size, NULL); -- -- if (!n || !e || !d || !p || !q || !dmp1 || !dmq1 || !iqmp || !rsa) { -+ if (!n) { - goto_error(r, TSS2_FAPI_RC_MEMORY, "Out of memory", error_cleanup); - } - -- BN_set_word(d, 0); -- BN_set_word(p, 0); -- BN_set_word(q, 0); -- BN_set_word(dmp1, 0); -- BN_set_word(dmq1, 0); -- BN_set_word(iqmp, 0); - uint32_t exp; - if (tpmPublicKey->publicArea.parameters.rsaDetail.exponent == 0) - exp = 65537; - else - exp = tpmPublicKey->publicArea.parameters.rsaDetail.exponent; -+ -+#if OPENSSL_VERSION_NUMBER < 0x30000000L -+ if ((rsa = RSA_new()) == NULL) { -+ goto_error(r, TSS2_FAPI_RC_MEMORY, "Out of memory", error_cleanup); -+ } -+ -+ if ((e = BN_new()) == NULL) { -+ goto_error(r, TSS2_FAPI_RC_MEMORY, "Out of memory", error_cleanup); -+ } - if (1 != BN_set_word(e, exp)) { - goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, - "Could not set exponent.", error_cleanup); - } - -- RSA_set0_key(rsa, n, e, d); -- RSA_set0_factors(rsa, p, q); -- RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp); -+ if (!RSA_set0_key(rsa, n, e, NULL)) { -+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, -+ "Could not set public key.", error_cleanup); -+ } -+ n = NULL; /* ownership transferred */ -+ e = NULL; -+ -+ *evpPublicKey = EVP_PKEY_new(); -+ goto_if_null2(*evpPublicKey, "Out of memory.", r, TSS2_FAPI_RC_MEMORY, error_cleanup); - - /* Assign the parameters to the key */ -- if (!EVP_PKEY_assign_RSA(evpPublicKey, rsa)) { -+ if (!EVP_PKEY_assign_RSA(*evpPublicKey, rsa)) { -+ EVP_PKEY_free(*evpPublicKey); - goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Assign rsa key", - error_cleanup); - } -- return TSS2_RC_SUCCESS; -- -+ rsa = NULL; /* ownership transferred */ - error_cleanup: - OSSL_FREE(rsa, RSA); -+#else /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+ if ((build = OSSL_PARAM_BLD_new()) == NULL -+ || !OSSL_PARAM_BLD_push_BN(build, OSSL_PKEY_PARAM_RSA_N, n) -+ || !OSSL_PARAM_BLD_push_uint32(build, OSSL_PKEY_PARAM_RSA_E, exp) -+ || (params = OSSL_PARAM_BLD_to_param(build)) == NULL) { -+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Create rsa key parameters", -+ error_cleanup); -+ } -+ -+ if ((ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL)) == NULL -+ || EVP_PKEY_fromdata_init(ctx) <= 0 -+ || EVP_PKEY_fromdata(ctx, evpPublicKey, EVP_PKEY_PUBLIC_KEY, params) <= 0) { -+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Create rsa key", -+ error_cleanup); -+ } -+error_cleanup: -+ OSSL_FREE(ctx, EVP_PKEY_CTX); -+ OSSL_FREE(params, OSSL_PARAM); -+ OSSL_FREE(build, OSSL_PARAM_BLD); -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ - OSSL_FREE(e, BN); - OSSL_FREE(n, BN); -- OSSL_FREE(d, BN); -- OSSL_FREE(p, BN); -- OSSL_FREE(q, BN); -- OSSL_FREE(dmp1, BN); -- OSSL_FREE(dmq1, BN); -- OSSL_FREE(iqmp, BN); - return r; - } - -@@ -459,18 +487,26 @@ error_cleanup: - * the function. - */ - static TSS2_RC --ossl_ecc_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey) -+ossl_ecc_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY **evpPublicKey) - { - /* Check for NULL parameters */ - return_if_null(tpmPublicKey, "tpmPublicKey is NULL", TSS2_FAPI_RC_BAD_REFERENCE); - return_if_null(evpPublicKey, "evpPublicKey is NULL", TSS2_FAPI_RC_BAD_REFERENCE); - -- TSS2_RC r; -+ TSS2_RC r = TSS2_RC_SUCCESS; - EC_GROUP *ecgroup = NULL; - int curveId; - BIGNUM *x = NULL, *y = NULL; -- EC_KEY *ecKey = EC_KEY_new(); -- return_if_null(ecKey, "Out of memory.", TSS2_FAPI_RC_MEMORY); -+ EC_POINT *ecPoint = NULL; -+#if OPENSSL_VERSION_NUMBER < 0x30000000L -+ EC_KEY *ecKey = NULL; -+#else -+ OSSL_PARAM_BLD *build = NULL; -+ OSSL_PARAM *params = NULL; -+ EVP_PKEY_CTX *ctx = NULL; -+ unsigned char *puboct = NULL; -+ size_t bsize; -+#endif - - /* Find the curve of the ECC key */ - switch (tpmPublicKey->publicArea.parameters.eccDetail.curveID) { -@@ -499,12 +535,6 @@ ossl_ecc_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey) - goto_if_null(ecgroup, "new EC group.", TSS2_FAPI_RC_GENERAL_FAILURE, - error_cleanup); - -- if (!EC_KEY_set_group(ecKey, ecgroup)) { -- goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "EC_KEY_set_group", -- error_cleanup); -- } -- EC_GROUP_free(ecgroup); -- - /* Set the ECC parameters in the OpenSSL key */ - x = BN_bin2bn(tpmPublicKey->publicArea.unique.ecc.x.buffer, - tpmPublicKey->publicArea.unique.ecc.x.size, NULL); -@@ -516,23 +546,67 @@ ossl_ecc_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey) - goto_error(r, TSS2_FAPI_RC_MEMORY, "Out of memory", error_cleanup); - } - -- if (!EC_KEY_set_public_key_affine_coordinates(ecKey, x, y)) { -+ if ((ecPoint = EC_POINT_new(ecgroup)) == NULL -+ || !EC_POINT_set_affine_coordinates_tss(ecgroup, ecPoint, x, y, NULL)) { -+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "EC_POINT_set_affine_coordinates", -+ error_cleanup); -+ } -+ -+#if OPENSSL_VERSION_NUMBER < 0x30000000 -+ ecKey = EC_KEY_new(); -+ return_if_null(ecKey, "Out of memory.", TSS2_FAPI_RC_MEMORY); -+ -+ if (!EC_KEY_set_group(ecKey, ecgroup)) { -+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "EC_KEY_set_group", -+ error_cleanup); -+ } -+ -+ if (!EC_KEY_set_public_key(ecKey, ecPoint)) { - goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, -- "EC_KEY_set_public_key_affine_coordinates", error_cleanup); -+ "EC_KEY_set_public_key", error_cleanup); - } - -- if (!EVP_PKEY_assign_EC_KEY(evpPublicKey, ecKey)) { -+ *evpPublicKey = EVP_PKEY_new(); -+ goto_if_null2(*evpPublicKey, "Out of memory.", r, TSS2_FAPI_RC_MEMORY, error_cleanup); -+ -+ if (!EVP_PKEY_assign_EC_KEY(*evpPublicKey, ecKey)) { -+ EVP_PKEY_free(*evpPublicKey); - goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Assign ecc key", - error_cleanup); - } -- OSSL_FREE(y, BN); -- OSSL_FREE(x, BN); -- return TSS2_RC_SUCCESS; -+ ecKey = NULL; /* ownership transferred */ -+error_cleanup: -+ OSSL_FREE(ecKey, EC_KEY); -+#else -+ if ((build = OSSL_PARAM_BLD_new()) == NULL -+ || !OSSL_PARAM_BLD_push_utf8_string(build, OSSL_PKEY_PARAM_GROUP_NAME, -+ (char *)OBJ_nid2sn(curveId), 0) -+ || (bsize = EC_POINT_point2buf(ecgroup, ecPoint, -+ POINT_CONVERSION_COMPRESSED, -+ &puboct, NULL)) == 0 -+ || !OSSL_PARAM_BLD_push_octet_string(build, OSSL_PKEY_PARAM_PUB_KEY, -+ puboct, bsize) -+ || (params = OSSL_PARAM_BLD_to_param(build)) == NULL) { -+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Create ecc key parameters", -+ error_cleanup); -+ } - -+ if ((ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)) == NULL -+ || EVP_PKEY_fromdata_init(ctx) <= 0 -+ || EVP_PKEY_fromdata(ctx, evpPublicKey, EVP_PKEY_PUBLIC_KEY, params) <= 0) { -+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Create ecc key", -+ error_cleanup); -+ } - error_cleanup: -+ EVP_PKEY_CTX_free(ctx); -+ OSSL_PARAM_free(params); -+ OSSL_PARAM_BLD_free(build); -+ OPENSSL_free(puboct); -+#endif -+ OSSL_FREE(ecPoint, EC_POINT); -+ OSSL_FREE(ecgroup, EC_GROUP); - OSSL_FREE(y, BN); - OSSL_FREE(x, BN); -- OSSL_FREE(ecKey, EC_KEY); - return r; - } - -@@ -567,18 +641,15 @@ ifapi_pub_pem_key_from_tpm( - BIO *bio = NULL; - TSS2_RC r = TPM2_RC_SUCCESS; - -- evpPublicKey = EVP_PKEY_new(); -- goto_if_null2(evpPublicKey, "Out of memory.", r, TSS2_FAPI_RC_MEMORY, cleanup); -- - /* Memory IO will be used for OSSL key conversion */ - bio = BIO_new(BIO_s_mem()); -- goto_if_null2(evpPublicKey, "Out of memory.", r, TSS2_FAPI_RC_MEMORY, cleanup); -+ goto_if_null2(bio, "Out of memory.", r, TSS2_FAPI_RC_MEMORY, cleanup); - - if (tpmPublicKey->publicArea.type == TPM2_ALG_RSA) { -- r = ossl_rsa_pub_from_tpm(tpmPublicKey, evpPublicKey); -- } else if (tpmPublicKey->publicArea.type == TPM2_ALG_ECC) -- r = ossl_ecc_pub_from_tpm(tpmPublicKey, evpPublicKey); -- else { -+ r = ossl_rsa_pub_from_tpm(tpmPublicKey, &evpPublicKey); -+ } else if (tpmPublicKey->publicArea.type == TPM2_ALG_ECC) { -+ r = ossl_ecc_pub_from_tpm(tpmPublicKey, &evpPublicKey); -+ } else { - goto_error(r, TSS2_FAPI_RC_BAD_VALUE, "Invalid alg id.", cleanup); - } - goto_if_error(r, "Get ossl public key.", cleanup); -@@ -708,7 +779,6 @@ ifapi_der_sig_to_tpm( - signatureSize); - } else { - return_error(TSS2_FAPI_RC_BAD_VALUE, "Invalid RSA scheme."); -- - } - } else if (tpmPublic->type == TPM2_ALG_ECC) { - return ifapi_ecc_der_sig_to_tpm(signature, signatureSize, -@@ -856,12 +926,16 @@ ecdsa_verify_signature( - return_if_null(digest, "digest is NULL", TSS2_FAPI_RC_BAD_REFERENCE); - - TSS2_RC r = TSS2_RC_SUCCESS; -- EC_KEY *eccKey = NULL; -+ EVP_PKEY_CTX *ctx = NULL; - -- eccKey = EVP_PKEY_get1_EC_KEY(publicKey); -+ if ((ctx = EVP_PKEY_CTX_new(publicKey, NULL)) == NULL -+ || !EVP_PKEY_verify_init(ctx)) { -+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, -+ "Cannot initialize signature verification.", error_cleanup); -+ } - - /* Try to verify the signature using ECDSA, note that param 0 is unused */ -- int rc = ECDSA_verify(0, digest, digestSize, signature, signatureSize, eccKey); -+ int rc = EVP_PKEY_verify(ctx, signature, signatureSize, digest, digestSize); - if (rc == 0) { - goto_error(r, TSS2_FAPI_RC_SIGNATURE_VERIFICATION_FAILED, - "ECDSA signature verification failed.", error_cleanup); -@@ -871,7 +945,7 @@ ecdsa_verify_signature( - } - - error_cleanup: -- OSSL_FREE(eccKey, EC_KEY); -+ OSSL_FREE(ctx, EVP_PKEY_CTX); - return r; - } - -@@ -900,23 +974,43 @@ get_rsa_tpm2b_public_from_evp( - - /* Extract the public information */ - TSS2_RC r = TSS2_RC_SUCCESS; -+ int keyBits, keySize; -+ -+#if OPENSSL_VERSION_NUMBER < 0x30000000L -+ const BIGNUM *e = NULL, *n = NULL; - RSA *rsaKey = EVP_PKEY_get1_RSA(publicKey); - return_if_null(rsaKey, "Out of memory.", TSS2_FAPI_RC_MEMORY); -- const BIGNUM *e = NULL, *n = NULL; -- int rsaKeySize = RSA_size(rsaKey); - -+ keySize = RSA_size(rsaKey); -+ keyBits = keySize * 8; - RSA_get0_key(rsaKey, &n, &e, NULL); -- tpmPublic->publicArea.unique.rsa.size = rsaKeySize; -+#else -+ BIGNUM *e = NULL, *n = NULL; -+ -+ keyBits = EVP_PKEY_get_bits(publicKey); -+ keySize = (keyBits + 7) / 8; -+ if (!EVP_PKEY_get_bn_param(publicKey, OSSL_PKEY_PARAM_RSA_N, &n) -+ || !EVP_PKEY_get_bn_param(publicKey, OSSL_PKEY_PARAM_RSA_E, &e)) { -+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, -+ "Retrieve pubkey", cleanup); -+ } -+#endif -+ tpmPublic->publicArea.unique.rsa.size = keySize; - if (1 != ifapi_bn2binpad(n, &tpmPublic->publicArea.unique.rsa.buffer[0], -- rsaKeySize)) { -+ keySize)) { - goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, - "Write big num byte buffer", cleanup); - } -- tpmPublic->publicArea.parameters.rsaDetail.keyBits = rsaKeySize * 8; -+ tpmPublic->publicArea.parameters.rsaDetail.keyBits = keyBits; - tpmPublic->publicArea.parameters.rsaDetail.exponent = BN_get_word(e); - - cleanup: -+#if OPENSSL_VERSION_NUMBER < 0x30000000L - OSSL_FREE(rsaKey, RSA); -+#else -+ BN_free(e); -+ BN_free(n); -+#endif - return r; - } - -@@ -947,27 +1041,22 @@ get_ecc_tpm2b_public_from_evp( - - /* Initialize variables that will contain the relevant information */ - TSS2_RC r = TSS2_RC_SUCCESS; -- EC_KEY *ecKey = EVP_PKEY_get1_EC_KEY(publicKey); -- return_if_null(ecKey, "Out of memory.", TSS2_FAPI_RC_MEMORY); -- const EC_GROUP *ecGroup; -- const EC_POINT *publicPoint; - int curveId; - size_t ecKeySize; - BIGNUM *bnX = NULL; - BIGNUM *bnY = NULL; - TPMI_ECC_CURVE tpmCurveId; -- -- if (!ecKey) { -- return_error(TSS2_FAPI_RC_GENERAL_FAILURE, "No ECC key!"); -- } -+#if OPENSSL_VERSION_NUMBER < 0x30000000 -+ const EC_GROUP *ecGroup; -+ const EC_POINT *publicPoint; -+ EC_KEY *ecKey = EVP_PKEY_get1_EC_KEY(publicKey); -+ return_if_null(ecKey, "Out of memory.", TSS2_FAPI_RC_MEMORY); - - /* Retrieve the relevant information and write it to tpmPublic */ - ecGroup = EC_KEY_get0_group(ecKey); - publicPoint = EC_KEY_get0_public_key(ecKey); - curveId = EC_GROUP_get_curve_name(ecGroup); -- ecKeySize = EC_GROUP_get_degree(ecGroup) / 8; -- tpmPublic->publicArea.unique.ecc.x.size = ecKeySize; -- tpmPublic->publicArea.unique.ecc.y.size = ecKeySize; -+ ecKeySize = (EC_GROUP_get_degree(ecGroup) + 7) / 8; - - if (!(bnX = BN_new())) { - goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Create bignum", cleanup); -@@ -982,6 +1071,23 @@ get_ecc_tpm2b_public_from_evp( - goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, - "Get affine coordinates", cleanup); - } -+#else -+ char curveName[80]; -+ -+ if (!EVP_PKEY_get_utf8_string_param(publicKey, OSSL_PKEY_PARAM_GROUP_NAME, -+ curveName, sizeof(curveName), NULL) -+ || !EVP_PKEY_get_bn_param(publicKey, OSSL_PKEY_PARAM_EC_PUB_X, &bnX) -+ || !EVP_PKEY_get_bn_param(publicKey, OSSL_PKEY_PARAM_EC_PUB_Y, &bnY)) { -+ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, -+ "Get public key", cleanup); -+ } -+ curveId = OBJ_txt2nid(curveName); -+ EC_GROUP *ecGroup = EC_GROUP_new_by_curve_name(curveId); -+ ecKeySize = (EC_GROUP_get_degree(ecGroup) + 7) / 8; -+ EC_GROUP_free(ecGroup); -+#endif -+ tpmPublic->publicArea.unique.ecc.x.size = ecKeySize; -+ tpmPublic->publicArea.unique.ecc.y.size = ecKeySize; - if (1 != ifapi_bn2binpad(bnX, &tpmPublic->publicArea.unique.ecc.x.buffer[0], - ecKeySize)) { - goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, -@@ -1015,7 +1121,9 @@ get_ecc_tpm2b_public_from_evp( - tpmPublic->publicArea.parameters.eccDetail.curveID = tpmCurveId; - - cleanup: -+#if OPENSSL_VERSION_NUMBER < 0x30000000 - OSSL_FREE(ecKey, EC_KEY); -+#endif - OSSL_FREE(bnX, BN); - OSSL_FREE(bnY, BN); - return r; -@@ -2077,14 +2185,11 @@ ifapi_get_tpm_key_fingerprint( - "Unsupported hash algorithm (%" PRIu16 ")", cleanup, - hashAlg); - -- evpPublicKey = EVP_PKEY_new(); -- goto_if_null2(evpPublicKey, "Out of memory.", r, TSS2_FAPI_RC_MEMORY, cleanup); -- - if (tpmPublicKey->publicArea.type == TPM2_ALG_RSA) { -- r = ossl_rsa_pub_from_tpm(tpmPublicKey, evpPublicKey); -- } else if (tpmPublicKey->publicArea.type == TPM2_ALG_ECC) -- r = ossl_ecc_pub_from_tpm(tpmPublicKey, evpPublicKey); -- else { -+ r = ossl_rsa_pub_from_tpm(tpmPublicKey, &evpPublicKey); -+ } else if (tpmPublicKey->publicArea.type == TPM2_ALG_ECC) { -+ r = ossl_ecc_pub_from_tpm(tpmPublicKey, &evpPublicKey); -+ } else { - goto_error(r,TSS2_FAPI_RC_BAD_VALUE, "Invalid alg id.", cleanup); - } - goto_if_error(r, "Get ossl public key.", cleanup); -diff --git a/test/helper/tpm_getek.c b/test/helper/tpm_getek.c -index c6a8e906..67f76b6a 100644 ---- a/test/helper/tpm_getek.c -+++ b/test/helper/tpm_getek.c -@@ -7,8 +7,14 @@ - #include - #include - #include --#include - #include -+#if OPENSSL_VERSION_NUMBER < 0x30000000 -+#include -+#else -+#include -+#include -+#include -+#endif - - #include "tss2_sys.h" - #include "tss2_mu.h" -@@ -109,7 +115,7 @@ main (int argc, char *argv[]) - - /* Convert the key from out_public to PEM */ - -- EVP_PKEY *evp = EVP_PKEY_new(); -+ EVP_PKEY *evp = NULL; - BIO *bio; - FILE *out = NULL; - -@@ -124,34 +130,35 @@ main (int argc, char *argv[]) - else - bio = BIO_new_fp(stdout, BIO_NOCLOSE); - -- RSA *rsa = RSA_new(); -- BIGNUM *e = BN_new(); -- BIGNUM *d = BN_new(); -- BIGNUM *p = BN_new(); -- BIGNUM *q = BN_new(); -- BIGNUM *dmp1 = BN_new(); -- BIGNUM *dmq1 = BN_new(); -- BIGNUM *iqmp = BN_new(); - BIGNUM *n = BN_bin2bn(out_public.publicArea.unique.rsa.buffer, - out_public.publicArea.unique.rsa.size, NULL); -- BN_set_word(d, 0); -- BN_set_word(p, 0); -- BN_set_word(q, 0); -- BN_set_word(dmp1, 0); -- BN_set_word(dmq1, 0); -- BN_set_word(iqmp, 0); - uint32_t exp; - if (out_public.publicArea.parameters.rsaDetail.exponent == 0) - exp = 65537; - else - exp = out_public.publicArea.parameters.rsaDetail.exponent; -+ -+#if OPENSSL_VERSION_NUMBER < 0x30000000 -+ BIGNUM *e = BN_new(); - BN_set_word(e, exp); - -- RSA_set0_key(rsa, n, e, d); -- RSA_set0_factors(rsa, p, q); -- RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp); -+ RSA *rsa = RSA_new(); -+ RSA_set0_key(rsa, n, e, NULL); -+ n = NULL; -+ e = NULL; - -+ evp = EVP_PKEY_new(); - EVP_PKEY_assign_RSA(evp, rsa); -+#else /* OPENSSL_VERSION_NUMBER < 0x30000000 */ -+ OSSL_PARAM_BLD *build = OSSL_PARAM_BLD_new(); -+ OSSL_PARAM_BLD_push_BN(build, OSSL_PKEY_PARAM_RSA_N, n); -+ OSSL_PARAM_BLD_push_uint32(build, OSSL_PKEY_PARAM_RSA_E, exp); -+ OSSL_PARAM *params = OSSL_PARAM_BLD_to_param(build); -+ -+ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL); -+ EVP_PKEY_fromdata_init(ctx); -+ EVP_PKEY_fromdata(ctx, &evp, EVP_PKEY_PUBLIC_KEY, params); -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000 */ - - if (!PEM_write_bio_PUBKEY(bio, evp)) { - LOG_ERROR("PEM_write failed"); -@@ -159,6 +166,14 @@ main (int argc, char *argv[]) - } - - EVP_PKEY_free(evp); -+#if OPENSSL_VERSION_NUMBER < 0x30000000 -+ /* ownership was taken by the EVP_PKEY */ -+#else -+ EVP_PKEY_CTX_free(ctx); -+ OSSL_PARAM_free(params); -+ OSSL_PARAM_BLD_free(build); -+#endif -+ BN_free(n); - BIO_free(bio); - fclose(out); - -diff --git a/test/helper/tpm_getek_ecc.c b/test/helper/tpm_getek_ecc.c -index 75165fdd..d4602925 100644 ---- a/test/helper/tpm_getek_ecc.c -+++ b/test/helper/tpm_getek_ecc.c -@@ -7,9 +7,15 @@ - #include - #include - #include --#include - #include - #include -+#if OPENSSL_VERSION_NUMBER < 0x30000000 -+#include -+#else -+#include -+#include -+#include -+#endif - #include - - #include "tss2_sys.h" -@@ -127,8 +133,7 @@ main (int argc, char *argv[]) - - /* Convert the key from out_public to PEM */ - -- EVP_PKEY *evp = EVP_PKEY_new(); -- EC_KEY *ecc_key = EC_KEY_new(); -+ EVP_PKEY *evp = NULL; - BIGNUM *x = NULL, *y = NULL; - BIO *bio; - FILE *out = NULL; -@@ -148,11 +153,6 @@ main (int argc, char *argv[]) - nid = EC_curve_nist2nid("P-256"); - EC_GROUP *ecgroup = EC_GROUP_new_by_curve_name(nid); - -- if (!EC_KEY_set_group(ecc_key, ecgroup)) -- exit(1); -- -- EC_GROUP_free(ecgroup); -- - /* Set the ECC parameters in the OpenSSL key */ - x = BN_bin2bn(out_public.publicArea.unique.ecc.x.buffer, - out_public.publicArea.unique.ecc.x.size, NULL); -@@ -164,15 +164,46 @@ main (int argc, char *argv[]) - exit(1); - } - -- if (!EC_KEY_set_public_key_affine_coordinates(ecc_key, x, y)) { -+ EC_POINT *point = EC_POINT_new(ecgroup); -+#if OPENSSL_VERSION_NUMBER < 0x10101000L -+ EC_POINT_set_affine_coordinates_GFp(ecgroup, point, x, y, NULL); -+#else -+ EC_POINT_set_affine_coordinates(ecgroup, point, x, y, NULL); -+#endif -+ -+#if OPENSSL_VERSION_NUMBER < 0x30000000 -+ EC_KEY *ecc_key = EC_KEY_new(); -+ if (!EC_KEY_set_group(ecc_key, ecgroup)) -+ exit(1); -+ -+ if (!EC_KEY_set_public_key(ecc_key, point)) { - exit(1); - } - -+ evp = EVP_PKEY_new(); - if (!EVP_PKEY_assign_EC_KEY(evp, ecc_key)) { - handleErrors(); - LOG_ERROR("PEM_write failed"); - exit(1); - } -+#else /* OPENSSL_VERSION_NUMBER < 0x30000000 */ -+ unsigned char *puboct = NULL; -+ size_t bsize; -+ -+ bsize = EC_POINT_point2buf(ecgroup, point, POINT_CONVERSION_UNCOMPRESSED, -+ &puboct, NULL); -+ -+ OSSL_PARAM_BLD *build = OSSL_PARAM_BLD_new(); -+ OSSL_PARAM_BLD_push_utf8_string(build, OSSL_PKEY_PARAM_GROUP_NAME, -+ (char *)OBJ_nid2sn(nid), 0); -+ OSSL_PARAM_BLD_push_octet_string(build, OSSL_PKEY_PARAM_PUB_KEY, -+ puboct, bsize); -+ OSSL_PARAM *params = OSSL_PARAM_BLD_to_param(build); -+ -+ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL); -+ EVP_PKEY_fromdata_init(ctx); -+ EVP_PKEY_fromdata(ctx, &evp, EVP_PKEY_PUBLIC_KEY, params); -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000 */ - - if (!PEM_write_bio_PUBKEY(bio, evp)) { - handleErrors(); -@@ -180,9 +211,19 @@ main (int argc, char *argv[]) - exit(1); - } - -+ EVP_PKEY_free(evp); -+#if OPENSSL_VERSION_NUMBER < 0x30000000 -+ /* ownership was taken by the EVP_PKEY */ -+#else -+ EVP_PKEY_CTX_free(ctx); -+ OSSL_PARAM_free(params); -+ OSSL_PARAM_BLD_free(build); -+ OPENSSL_free(puboct); -+#endif -+ EC_POINT_free(point); -+ EC_GROUP_free(ecgroup); - BN_free(y); - BN_free(x); -- EVP_PKEY_free(evp); - BIO_free(bio); - fclose(out); - --- -2.26.3 - diff --git a/0013-FAPI-Free-object-when-keystore_search_obj-failed.patch b/0013-FAPI-Free-object-when-keystore_search_obj-failed.patch deleted file mode 100644 index 23a5c04..0000000 --- a/0013-FAPI-Free-object-when-keystore_search_obj-failed.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 53f235e27ee657266725137a551858b81c24c57b Mon Sep 17 00:00:00 2001 -From: JerryDevis -Date: Wed, 5 Jan 2022 21:58:00 +0800 -Subject: [PATCH 13/23] FAPI: Free object when keystore_search_obj failed - -Signed-off-by: JerryDevis ---- - src/tss2-fapi/ifapi_keystore.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/tss2-fapi/ifapi_keystore.c b/src/tss2-fapi/ifapi_keystore.c -index 743de133..e805029f 100644 ---- a/src/tss2-fapi/ifapi_keystore.c -+++ b/src/tss2-fapi/ifapi_keystore.c -@@ -1239,6 +1239,7 @@ cleanup: - r = TSS2_FAPI_RC_KEY_NOT_FOUND; - } - keystore->key_search.state = KSEARCH_INIT; -+ ifapi_cleanup_ifapi_object(&object); - return r; - } - --- -2.34.3 - diff --git a/0014-FAPI-Fixed-the-memory-leak-of-command-data-when-Fapi.patch b/0014-FAPI-Fixed-the-memory-leak-of-command-data-when-Fapi.patch deleted file mode 100644 index f3b8282..0000000 --- a/0014-FAPI-Fixed-the-memory-leak-of-command-data-when-Fapi.patch +++ /dev/null @@ -1,27 +0,0 @@ -From ba3ba5c4ec4f0362a0915c5ae5e002c9cbdc9f1e Mon Sep 17 00:00:00 2001 -From: JerryDevis -Date: Wed, 5 Jan 2022 22:09:26 +0800 -Subject: [PATCH 14/23] FAPI:Fixed the memory leak of command->data when - Fapi_GetEsysBlob_Finish failed - -Signed-off-by: JerryDevis ---- - src/tss2-fapi/api/Fapi_GetEsysBlob.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/tss2-fapi/api/Fapi_GetEsysBlob.c b/src/tss2-fapi/api/Fapi_GetEsysBlob.c -index a54bece8..b152ae3a 100644 ---- a/src/tss2-fapi/api/Fapi_GetEsysBlob.c -+++ b/src/tss2-fapi/api/Fapi_GetEsysBlob.c -@@ -395,7 +395,7 @@ error_cleanup: - ifapi_cleanup_ifapi_object(object); - ifapi_cleanup_ifapi_object(key_object); - SAFE_FREE(command->path); -- SAFE_FREE(*data); -+ SAFE_FREE(command->data); - SAFE_FREE(key_context); - ifapi_session_clean(context); - ifapi_cleanup_ifapi_object(&context->loadKey.auth_object); --- -2.34.3 - diff --git a/0015-ESYS-Fixed-annotation-error-of-Esys_TR_Deserialize.patch b/0015-ESYS-Fixed-annotation-error-of-Esys_TR_Deserialize.patch deleted file mode 100644 index 6ce1c21..0000000 --- a/0015-ESYS-Fixed-annotation-error-of-Esys_TR_Deserialize.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 5e2f86cbd55b7c82ebf4cef0a0abed6c04598bd9 Mon Sep 17 00:00:00 2001 -From: JerryDevis -Date: Fri, 7 Jan 2022 11:56:14 +0800 -Subject: [PATCH 15/23] ESYS: Fixed annotation error of Esys_TR_Deserialize - -Signed-off-by: JerryDevis ---- - src/tss2-esys/esys_tr.c | 11 +++++------ - 1 file changed, 5 insertions(+), 6 deletions(-) - -diff --git a/src/tss2-esys/esys_tr.c b/src/tss2-esys/esys_tr.c -index cf4caa09..784f711a 100644 ---- a/src/tss2-esys/esys_tr.c -+++ b/src/tss2-esys/esys_tr.c -@@ -65,15 +65,14 @@ Esys_TR_Serialize(ESYS_CONTEXT * esys_context, - * - * Deserialize the metadata of an ESYS_TR object from a byte buffer that was - * stored on disk for later use by a different program or context. -- * An object can be serialized suing Esys_TR_Serialize. -+ * An object can be deserialized using Esys_TR_Deserialize. - * @param esys_context [in,out] The ESYS_CONTEXT. -- * @param esys_handle [in] The ESYS_TR object to serialize. -- * @param buffer [out] The buffer containing the serialized metadata. -- * (caller-callocated) Shall be freed using free(). -- * @param buffer_size [out] The size of the buffer parameter. -+ * @param esys_handle [out] The ESYS_TR object to deserialize. -+ * @param buffer [in] The buffer containing the metadata of the ESYS_TR object. -+ * @param buffer_size [in] The size of the buffer parameter. - * @retval TSS2_RC_SUCCESS on Success. - * @retval TSS2_ESYS_RC_MEMORY if the object can not be allocated. -- * @retval TSS2_ESYS_RC_INSUFFICIENT_BUFFER if the buffer for unmarshaling. -+ * @retval TSS2_ESYS_RC_INSUFFICIENT_BUFFER if the buffer for unmarshalling. - * @retval TSS2_ESYS_RC_BAD_REFERENCE if the esysContext is NULL. - * @retval TSS2_RCs produced by lower layers of the software stack. - */ --- -2.34.3 - diff --git a/0016-FAPI-Clean-up-memory-when-Fapi_Delete_Async-failed.patch b/0016-FAPI-Clean-up-memory-when-Fapi_Delete_Async-failed.patch deleted file mode 100644 index d1200ea..0000000 --- a/0016-FAPI-Clean-up-memory-when-Fapi_Delete_Async-failed.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 80d8aa8e3d15fd01eacb40200b80a83ed940c207 Mon Sep 17 00:00:00 2001 -From: JerryDevis <857869045@qq.com> -Date: Sun, 9 Jan 2022 16:31:09 +0800 -Subject: [PATCH 16/23] FAPI: Clean up memory when Fapi_Delete_Async failed - -Signed-off-by: JerryDevis <857869045@qq.com> ---- - src/tss2-fapi/api/Fapi_Delete.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/src/tss2-fapi/api/Fapi_Delete.c b/src/tss2-fapi/api/Fapi_Delete.c -index 43ea0332..2b5826ab 100644 ---- a/src/tss2-fapi/api/Fapi_Delete.c -+++ b/src/tss2-fapi/api/Fapi_Delete.c -@@ -419,14 +419,14 @@ Fapi_Delete_Async( - /* No session will be needed these files can be deleted without - interaction with the TPM */ - r = ifapi_non_tpm_mode_init(context); -- return_if_error(r, "Initialize Entity_Delete"); -+ goto_if_error(r, "Initialize Entity_Delete", error_cleanup); - context->session1 = ESYS_TR_NONE; - - context->state = ENTITY_DELETE_GET_FILE; - } else { - /* Check whether TCTI and ESYS are initialized */ -- return_if_null(context->esys, "Command can't be executed in none TPM mode.", -- TSS2_FAPI_RC_NO_TPM); -+ goto_if_null(context->esys, "Command can't be executed in none TPM mode.", -+ TSS2_FAPI_RC_NO_TPM, error_cleanup); - - /* If the async state automata of FAPI shall be tested, then we must not set - the timeouts of ESYS to blocking mode. -@@ -435,12 +435,12 @@ Fapi_Delete_Async( - to block until a result is available. */ - #ifndef TEST_FAPI_ASYNC - r = Esys_SetTimeout(context->esys, TSS2_TCTI_TIMEOUT_BLOCK); -- return_if_error_reset_state(r, "Set Timeout to blocking"); -+ goto_if_error_reset_state(r, "Set Timeout to blocking", error_cleanup); - #endif /* TEST_FAPI_ASYNC */ - - /* A TPM session will be created to enable object authorization */ - r = ifapi_session_init(context); -- return_if_error(r, "Initialize Entity_Delete"); -+ goto_if_error(r, "Initialize Entity_Delete", error_cleanup); - - r = ifapi_get_sessions_async(context, - IFAPI_SESSION_GENEK | IFAPI_SESSION1, --- -2.34.3 - diff --git a/0017-FAPI-Clean-up-memory-when-Fapi_GetEsysBlob_Async-fai.patch b/0017-FAPI-Clean-up-memory-when-Fapi_GetEsysBlob_Async-fai.patch deleted file mode 100644 index 1c6d160..0000000 --- a/0017-FAPI-Clean-up-memory-when-Fapi_GetEsysBlob_Async-fai.patch +++ /dev/null @@ -1,44 +0,0 @@ -From f03a243f4f1e249a0f4d96bc5722a44953cad72e Mon Sep 17 00:00:00 2001 -From: JerryDevis <857869045@qq.com> -Date: Sun, 9 Jan 2022 18:44:49 +0800 -Subject: [PATCH 17/23] FAPI: Clean up memory when Fapi_GetEsysBlob_Async - failed - -Signed-off-by: JerryDevis <857869045@qq.com> ---- - src/tss2-fapi/api/Fapi_GetEsysBlob.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/src/tss2-fapi/api/Fapi_GetEsysBlob.c b/src/tss2-fapi/api/Fapi_GetEsysBlob.c -index b152ae3a..db67e2e4 100644 ---- a/src/tss2-fapi/api/Fapi_GetEsysBlob.c -+++ b/src/tss2-fapi/api/Fapi_GetEsysBlob.c -@@ -157,8 +157,8 @@ Fapi_GetEsysBlob_Async( - authObject->objectType = IFAPI_OBJ_NONE; - - /* Check whether TCTI and ESYS are initialized */ -- return_if_null(context->esys, "Command can't be executed in none TPM mode.", -- TSS2_FAPI_RC_NO_TPM); -+ goto_if_null(context->esys, "Command can't be executed in none TPM mode.", -+ TSS2_FAPI_RC_NO_TPM, error_cleanup); - - /* If the async state automata of FAPI shall be tested, then we must not set - the timeouts of ESYS to blocking mode. -@@ -167,12 +167,12 @@ Fapi_GetEsysBlob_Async( - to block until a result is available. */ - #ifndef TEST_FAPI_ASYNC - r = Esys_SetTimeout(context->esys, TSS2_TCTI_TIMEOUT_BLOCK); -- return_if_error_reset_state(r, "Set Timeout to blocking"); -+ goto_if_error_reset_state(r, "Set Timeout to blocking", error_cleanup); - #endif /* TEST_FAPI_ASYNC */ - - /* A TPM session will be created to enable object authorization */ - r = ifapi_session_init(context); -- return_if_error(r, "Initialize GetEsysBlob"); -+ goto_if_error(r, "Initialize GetEsysBlob", error_cleanup); - - context->state = GET_ESYS_BLOB_GET_FILE; - --- -2.34.3 - diff --git a/0018-FAPI-Initialize-object-used-for-keystore-search.patch b/0018-FAPI-Initialize-object-used-for-keystore-search.patch deleted file mode 100644 index 2764d0d..0000000 --- a/0018-FAPI-Initialize-object-used-for-keystore-search.patch +++ /dev/null @@ -1,30 +0,0 @@ -From cd9987b0e400f8a77a19c3b8279eb931554cce7c Mon Sep 17 00:00:00 2001 -From: Juergen Repp -Date: Thu, 13 Jan 2022 11:46:22 +0100 -Subject: [PATCH 18/23] FAPI: Initialize object used for keystore search. - -For an empty keystore a cleanup of an uninitialized object was executed. No the object -type now is initialized with IFAPI_OBJ_NONE to prevent the cleanup. - -Signed-off-by: Juergen Repp ---- - src/tss2-fapi/ifapi_keystore.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/src/tss2-fapi/ifapi_keystore.c b/src/tss2-fapi/ifapi_keystore.c -index e805029f..c5486690 100644 ---- a/src/tss2-fapi/ifapi_keystore.c -+++ b/src/tss2-fapi/ifapi_keystore.c -@@ -1173,6 +1173,9 @@ keystore_search_obj( - IFAPI_OBJECT object; - size_t i; - -+ /* Mark object "unread" */ -+ object.objectType = IFAPI_OBJ_NONE; -+ - switch (keystore->key_search.state) { - statecase(keystore->key_search.state, KSEARCH_INIT) - r = ifapi_keystore_list_all(keystore, --- -2.34.3 - diff --git a/0019-MU-Fix-buffer-upcast-leading-to-misalignment.patch b/0019-MU-Fix-buffer-upcast-leading-to-misalignment.patch deleted file mode 100644 index e15286c..0000000 --- a/0019-MU-Fix-buffer-upcast-leading-to-misalignment.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 7514e0f35f08666aa0cd5edc2859104c19b7b2a1 Mon Sep 17 00:00:00 2001 -From: Andreas Fuchs -Date: Thu, 13 Jan 2022 16:48:30 +0100 -Subject: [PATCH 19/23] MU: Fix buffer upcast leading to misalignment - -Signed-off-by: Andreas Fuchs ---- - src/tss2-mu/tpm2b-types.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/src/tss2-mu/tpm2b-types.c b/src/tss2-mu/tpm2b-types.c -index 6aa2feb3..2e10f487 100644 ---- a/src/tss2-mu/tpm2b-types.c -+++ b/src/tss2-mu/tpm2b-types.c -@@ -208,8 +208,10 @@ TSS2_RC Tss2_MU_##type##_Marshal(type const *src, uint8_t buffer[], \ - return rc; \ - \ - /* Update the size to the real value */ \ -- if (buffer) \ -- *(UINT16 *)ptr = HOST_TO_BE_16(buffer + local_offset - ptr - 2); \ -+ if (buffer) { \ -+ UINT16 t = HOST_TO_BE_16(buffer + local_offset - ptr - 2); \ -+ memcpy(ptr, &t, sizeof(t)); \ -+ } \ - \ - if (offset != NULL) { \ - *offset = local_offset; \ --- -2.34.3 - diff --git a/0021-sapi-scope-command-handles.patch b/0021-sapi-scope-command-handles.patch deleted file mode 100644 index c5032b4..0000000 --- a/0021-sapi-scope-command-handles.patch +++ /dev/null @@ -1,269 +0,0 @@ -From 495309fd8c6ef3c705c46cc28f9df52f5d59cba8 Mon Sep 17 00:00:00 2001 -From: William Roberts -Date: Wed, 8 Jun 2022 11:09:53 -0500 -Subject: [PATCH 21/23] sapi: scope command handles - -Scope command handles to where they are used. - - - Compared to the upstream commit d4dee42e already missing commands were - left out. - -Signed-off-by: William Roberts ---- - src/tss2-sys/sysapi_util.c | 237 +++++++++++++++++++------------------ - 1 file changed, 119 insertions(+), 118 deletions(-) - -diff --git a/src/tss2-sys/sysapi_util.c b/src/tss2-sys/sysapi_util.c -index 685fcee8..d84acc5d 100644 ---- a/src/tss2-sys/sysapi_util.c -+++ b/src/tss2-sys/sysapi_util.c -@@ -168,127 +168,128 @@ TSS2_RC CommonOneCall( - return rval; - } - --static const COMMAND_HANDLES commandArray[] = --{ -- { TPM2_CC_Startup, 0, 0 }, -- { TPM2_CC_Shutdown, 0, 0 }, -- { TPM2_CC_SelfTest, 0, 0 }, -- { TPM2_CC_IncrementalSelfTest, 0, 0 }, -- { TPM2_CC_GetTestResult, 0, 0 }, -- { TPM2_CC_StartAuthSession, 2, 1 }, -- { TPM2_CC_PolicyRestart, 1, 0 }, -- { TPM2_CC_Create, 1, 0 }, -- { TPM2_CC_Load, 1, 1 }, -- { TPM2_CC_LoadExternal, 0, 1 }, -- { TPM2_CC_ReadPublic, 1, 0 }, -- { TPM2_CC_ActivateCredential, 2, 0 }, -- { TPM2_CC_MakeCredential, 1, 0 }, -- { TPM2_CC_Unseal, 1, 0 }, -- { TPM2_CC_ObjectChangeAuth, 2, 0 }, -- { TPM2_CC_Duplicate, 2, 0 }, -- { TPM2_CC_Rewrap, 2, 0 }, -- { TPM2_CC_Import, 1, 0 }, -- { TPM2_CC_RSA_Encrypt, 1, 0 }, -- { TPM2_CC_RSA_Decrypt, 1, 0 }, -- { TPM2_CC_ECDH_KeyGen, 1, 0 }, -- { TPM2_CC_ECDH_ZGen, 1, 0 }, -- { TPM2_CC_ECC_Parameters, 0, 0 }, -- { TPM2_CC_ZGen_2Phase, 1, 0 }, -- { TPM2_CC_EncryptDecrypt, 1, 0 }, -- { TPM2_CC_EncryptDecrypt2, 1, 0 }, -- { TPM2_CC_Hash, 0, 0 }, -- { TPM2_CC_HMAC, 1, 0 }, -- { TPM2_CC_GetRandom, 0, 0 }, -- { TPM2_CC_StirRandom, 0, 0 }, -- { TPM2_CC_HMAC_Start, 1, 1 }, -- { TPM2_CC_HashSequenceStart, 0, 1 }, -- { TPM2_CC_SequenceUpdate, 1, 0 }, -- { TPM2_CC_SequenceComplete, 1, 0 }, -- { TPM2_CC_EventSequenceComplete, 2, 0 }, -- { TPM2_CC_Certify, 2, 0 }, -- { TPM2_CC_CertifyCreation, 2, 0 }, -- { TPM2_CC_Quote, 1, 0 }, -- { TPM2_CC_GetSessionAuditDigest, 3, 0 }, -- { TPM2_CC_GetCommandAuditDigest, 2, 0 }, -- { TPM2_CC_GetTime, 2, 0 }, -- { TPM2_CC_Commit, 1, 0 }, -- { TPM2_CC_EC_Ephemeral, 0, 0 }, -- { TPM2_CC_VerifySignature, 1, 0 }, -- { TPM2_CC_Sign, 1, 0 }, -- { TPM2_CC_SetCommandCodeAuditStatus, 1, 0 }, -- { TPM2_CC_PCR_Extend, 1, 0 }, -- { TPM2_CC_PCR_Event, 1, 0 }, -- { TPM2_CC_PCR_Read, 0, 0 }, -- { TPM2_CC_PCR_Allocate, 1, 0 }, -- { TPM2_CC_PCR_SetAuthPolicy, 1, 0 }, -- { TPM2_CC_PCR_SetAuthValue, 1, 0 }, -- { TPM2_CC_PCR_Reset, 1, 0 }, -- { TPM2_CC_PolicySigned, 2, 0 }, -- { TPM2_CC_PolicySecret, 2, 0 }, -- { TPM2_CC_PolicyTicket, 1, 0 }, -- { TPM2_CC_PolicyOR, 1, 0 }, -- { TPM2_CC_PolicyPCR, 1, 0 }, -- { TPM2_CC_PolicyLocality, 1, 0 }, -- { TPM2_CC_PolicyNV, 3, 0 }, -- { TPM2_CC_PolicyNvWritten, 1, 0 }, -- { TPM2_CC_PolicyCounterTimer, 1, 0 }, -- { TPM2_CC_PolicyCommandCode, 1, 0 }, -- { TPM2_CC_PolicyPhysicalPresence, 1, 0 }, -- { TPM2_CC_PolicyCpHash, 1, 0 }, -- { TPM2_CC_PolicyNameHash, 1, 0 }, -- { TPM2_CC_PolicyDuplicationSelect, 1, 0 }, -- { TPM2_CC_PolicyAuthorize, 1, 0 }, -- { TPM2_CC_PolicyAuthValue, 1, 0 }, -- { TPM2_CC_PolicyPassword, 1, 0 }, -- { TPM2_CC_PolicyGetDigest, 1, 0 }, -- { TPM2_CC_PolicyTemplate, 1, 0 }, -- { TPM2_CC_CreatePrimary, 1, 1 }, -- { TPM2_CC_HierarchyControl, 1, 0 }, -- { TPM2_CC_SetPrimaryPolicy, 1, 0 }, -- { TPM2_CC_ChangePPS, 1, 0 }, -- { TPM2_CC_ChangeEPS, 1, 0 }, -- { TPM2_CC_Clear, 1, 0 }, -- { TPM2_CC_ClearControl, 1, 0 }, -- { TPM2_CC_HierarchyChangeAuth, 1, 0 }, -- { TPM2_CC_DictionaryAttackLockReset, 1, 0 }, -- { TPM2_CC_DictionaryAttackParameters, 1, 0 }, -- { TPM2_CC_PP_Commands, 1, 0 }, -- { TPM2_CC_SetAlgorithmSet, 1, 0 }, -- { TPM2_CC_FieldUpgradeStart, 2, 0 }, -- { TPM2_CC_FieldUpgradeData, 0, 0 }, -- { TPM2_CC_FirmwareRead, 0, 0 }, -- { TPM2_CC_ContextSave, 1, 0 }, -- { TPM2_CC_ContextLoad, 0, 1 }, -- { TPM2_CC_FlushContext, 1, 0 }, -- { TPM2_CC_EvictControl, 2, 0 }, -- { TPM2_CC_ReadClock, 0, 0 }, -- { TPM2_CC_ClockSet, 1, 0 }, -- { TPM2_CC_ClockRateAdjust, 1, 0 }, -- { TPM2_CC_GetCapability, 0, 0 }, -- { TPM2_CC_TestParms, 0, 0 }, -- { TPM2_CC_NV_DefineSpace, 1, 0 }, -- { TPM2_CC_NV_UndefineSpace, 2, 0 }, -- { TPM2_CC_NV_UndefineSpaceSpecial, 2, 0 }, -- { TPM2_CC_NV_ReadPublic, 1, 0 }, -- { TPM2_CC_NV_Write, 2, 0 }, -- { TPM2_CC_NV_Increment, 2, 0 }, -- { TPM2_CC_NV_Extend, 2, 0 }, -- { TPM2_CC_NV_SetBits, 2, 0 }, -- { TPM2_CC_NV_WriteLock, 2, 0 }, -- { TPM2_CC_NV_GlobalWriteLock, 1, 0 }, -- { TPM2_CC_NV_Read, 2, 0 }, -- { TPM2_CC_NV_ReadLock, 2, 0 }, -- { TPM2_CC_NV_ChangeAuth, 1, 0 }, -- { TPM2_CC_NV_Certify, 3, 0 }, -- { TPM2_CC_CreateLoaded, 1, 1 }, -- { TPM2_CC_PolicyAuthorizeNV, 3, 0 }, -- { TPM2_CC_AC_GetCapability, 1, 0 }, -- { TPM2_CC_AC_Send, 3, 0 }, -- { TPM2_CC_Policy_AC_SendSelect, 1, 0 } --}; - - static int GetNumHandles(TPM2_CC commandCode, bool req) - { -+ static const COMMAND_HANDLES commandArray[] = -+ { -+ { TPM2_CC_Startup, 0, 0 }, -+ { TPM2_CC_Shutdown, 0, 0 }, -+ { TPM2_CC_SelfTest, 0, 0 }, -+ { TPM2_CC_IncrementalSelfTest, 0, 0 }, -+ { TPM2_CC_GetTestResult, 0, 0 }, -+ { TPM2_CC_StartAuthSession, 2, 1 }, -+ { TPM2_CC_PolicyRestart, 1, 0 }, -+ { TPM2_CC_Create, 1, 0 }, -+ { TPM2_CC_Load, 1, 1 }, -+ { TPM2_CC_LoadExternal, 0, 1 }, -+ { TPM2_CC_ReadPublic, 1, 0 }, -+ { TPM2_CC_ActivateCredential, 2, 0 }, -+ { TPM2_CC_MakeCredential, 1, 0 }, -+ { TPM2_CC_Unseal, 1, 0 }, -+ { TPM2_CC_ObjectChangeAuth, 2, 0 }, -+ { TPM2_CC_Duplicate, 2, 0 }, -+ { TPM2_CC_Rewrap, 2, 0 }, -+ { TPM2_CC_Import, 1, 0 }, -+ { TPM2_CC_RSA_Encrypt, 1, 0 }, -+ { TPM2_CC_RSA_Decrypt, 1, 0 }, -+ { TPM2_CC_ECDH_KeyGen, 1, 0 }, -+ { TPM2_CC_ECDH_ZGen, 1, 0 }, -+ { TPM2_CC_ECC_Parameters, 0, 0 }, -+ { TPM2_CC_ZGen_2Phase, 1, 0 }, -+ { TPM2_CC_EncryptDecrypt, 1, 0 }, -+ { TPM2_CC_EncryptDecrypt2, 1, 0 }, -+ { TPM2_CC_Hash, 0, 0 }, -+ { TPM2_CC_HMAC, 1, 0 }, -+ { TPM2_CC_GetRandom, 0, 0 }, -+ { TPM2_CC_StirRandom, 0, 0 }, -+ { TPM2_CC_HMAC_Start, 1, 1 }, -+ { TPM2_CC_HashSequenceStart, 0, 1 }, -+ { TPM2_CC_SequenceUpdate, 1, 0 }, -+ { TPM2_CC_SequenceComplete, 1, 0 }, -+ { TPM2_CC_EventSequenceComplete, 2, 0 }, -+ { TPM2_CC_Certify, 2, 0 }, -+ { TPM2_CC_CertifyCreation, 2, 0 }, -+ { TPM2_CC_Quote, 1, 0 }, -+ { TPM2_CC_GetSessionAuditDigest, 3, 0 }, -+ { TPM2_CC_GetCommandAuditDigest, 2, 0 }, -+ { TPM2_CC_GetTime, 2, 0 }, -+ { TPM2_CC_Commit, 1, 0 }, -+ { TPM2_CC_EC_Ephemeral, 0, 0 }, -+ { TPM2_CC_VerifySignature, 1, 0 }, -+ { TPM2_CC_Sign, 1, 0 }, -+ { TPM2_CC_SetCommandCodeAuditStatus, 1, 0 }, -+ { TPM2_CC_PCR_Extend, 1, 0 }, -+ { TPM2_CC_PCR_Event, 1, 0 }, -+ { TPM2_CC_PCR_Read, 0, 0 }, -+ { TPM2_CC_PCR_Allocate, 1, 0 }, -+ { TPM2_CC_PCR_SetAuthPolicy, 1, 0 }, -+ { TPM2_CC_PCR_SetAuthValue, 1, 0 }, -+ { TPM2_CC_PCR_Reset, 1, 0 }, -+ { TPM2_CC_PolicySigned, 2, 0 }, -+ { TPM2_CC_PolicySecret, 2, 0 }, -+ { TPM2_CC_PolicyTicket, 1, 0 }, -+ { TPM2_CC_PolicyOR, 1, 0 }, -+ { TPM2_CC_PolicyPCR, 1, 0 }, -+ { TPM2_CC_PolicyLocality, 1, 0 }, -+ { TPM2_CC_PolicyNV, 3, 0 }, -+ { TPM2_CC_PolicyNvWritten, 1, 0 }, -+ { TPM2_CC_PolicyCounterTimer, 1, 0 }, -+ { TPM2_CC_PolicyCommandCode, 1, 0 }, -+ { TPM2_CC_PolicyPhysicalPresence, 1, 0 }, -+ { TPM2_CC_PolicyCpHash, 1, 0 }, -+ { TPM2_CC_PolicyNameHash, 1, 0 }, -+ { TPM2_CC_PolicyDuplicationSelect, 1, 0 }, -+ { TPM2_CC_PolicyAuthorize, 1, 0 }, -+ { TPM2_CC_PolicyAuthValue, 1, 0 }, -+ { TPM2_CC_PolicyPassword, 1, 0 }, -+ { TPM2_CC_PolicyGetDigest, 1, 0 }, -+ { TPM2_CC_PolicyTemplate, 1, 0 }, -+ { TPM2_CC_CreatePrimary, 1, 1 }, -+ { TPM2_CC_HierarchyControl, 1, 0 }, -+ { TPM2_CC_SetPrimaryPolicy, 1, 0 }, -+ { TPM2_CC_ChangePPS, 1, 0 }, -+ { TPM2_CC_ChangeEPS, 1, 0 }, -+ { TPM2_CC_Clear, 1, 0 }, -+ { TPM2_CC_ClearControl, 1, 0 }, -+ { TPM2_CC_HierarchyChangeAuth, 1, 0 }, -+ { TPM2_CC_DictionaryAttackLockReset, 1, 0 }, -+ { TPM2_CC_DictionaryAttackParameters, 1, 0 }, -+ { TPM2_CC_PP_Commands, 1, 0 }, -+ { TPM2_CC_SetAlgorithmSet, 1, 0 }, -+ { TPM2_CC_FieldUpgradeStart, 2, 0 }, -+ { TPM2_CC_FieldUpgradeData, 0, 0 }, -+ { TPM2_CC_FirmwareRead, 0, 0 }, -+ { TPM2_CC_ContextSave, 1, 0 }, -+ { TPM2_CC_ContextLoad, 0, 1 }, -+ { TPM2_CC_FlushContext, 1, 0 }, -+ { TPM2_CC_EvictControl, 2, 0 }, -+ { TPM2_CC_ReadClock, 0, 0 }, -+ { TPM2_CC_ClockSet, 1, 0 }, -+ { TPM2_CC_ClockRateAdjust, 1, 0 }, -+ { TPM2_CC_GetCapability, 0, 0 }, -+ { TPM2_CC_TestParms, 0, 0 }, -+ { TPM2_CC_NV_DefineSpace, 1, 0 }, -+ { TPM2_CC_NV_UndefineSpace, 2, 0 }, -+ { TPM2_CC_NV_UndefineSpaceSpecial, 2, 0 }, -+ { TPM2_CC_NV_ReadPublic, 1, 0 }, -+ { TPM2_CC_NV_Write, 2, 0 }, -+ { TPM2_CC_NV_Increment, 2, 0 }, -+ { TPM2_CC_NV_Extend, 2, 0 }, -+ { TPM2_CC_NV_SetBits, 2, 0 }, -+ { TPM2_CC_NV_WriteLock, 2, 0 }, -+ { TPM2_CC_NV_GlobalWriteLock, 1, 0 }, -+ { TPM2_CC_NV_Read, 2, 0 }, -+ { TPM2_CC_NV_ReadLock, 2, 0 }, -+ { TPM2_CC_NV_ChangeAuth, 1, 0 }, -+ { TPM2_CC_NV_Certify, 3, 0 }, -+ { TPM2_CC_CreateLoaded, 1, 1 }, -+ { TPM2_CC_PolicyAuthorizeNV, 3, 0 }, -+ { TPM2_CC_AC_GetCapability, 1, 0 }, -+ { TPM2_CC_AC_Send, 3, 0 }, -+ { TPM2_CC_Policy_AC_SendSelect, 1, 0 } -+ }; -+ - uint8_t i; - - for (i = 0; i < sizeof(commandArray) / sizeof(COMMAND_HANDLES); i++) { --- -2.34.3 - diff --git a/0022-fapi-use-correct-userdata-for-cbauthnv.patch b/0022-fapi-use-correct-userdata-for-cbauthnv.patch deleted file mode 100644 index 230acb6..0000000 --- a/0022-fapi-use-correct-userdata-for-cbauthnv.patch +++ /dev/null @@ -1,26 +0,0 @@ -From b289b38764e9f6c4fbe50008fede7baa47098a58 Mon Sep 17 00:00:00 2001 -From: Erik Larsson -Date: Mon, 4 Jul 2022 19:14:30 +0200 -Subject: [PATCH 22/23] fapi: use correct userdata for cbauthnv - -Signed-off-by: Erik Larsson ---- - src/tss2-fapi/ifapi_policy_execute.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/tss2-fapi/ifapi_policy_execute.c b/src/tss2-fapi/ifapi_policy_execute.c -index caae103e..ddaf255c 100644 ---- a/src/tss2-fapi/ifapi_policy_execute.c -+++ b/src/tss2-fapi/ifapi_policy_execute.c -@@ -760,7 +760,7 @@ execute_policy_authorize_nv( - switch (current_policy->state) { - statecase(current_policy->state, POLICY_EXECUTE_INIT) - /* Execute the policy stored in the NV object. */ -- r = cb->cbauthnv(&policy->nvPublic, hash_alg, cb->cbauthpol_userdata); -+ r = cb->cbauthnv(&policy->nvPublic, hash_alg, cb->cbauthnv_userdata); - try_again_or_error(r, "Execute policy authorize nv callback."); - - r = ifapi_nv_get_name(&policy->nvPublic, ¤t_policy->name); --- -2.34.3 - diff --git a/0023-SAPI-fix-number-of-handles-for-FlushContext.patch b/0023-SAPI-fix-number-of-handles-for-FlushContext.patch deleted file mode 100644 index 2856138..0000000 --- a/0023-SAPI-fix-number-of-handles-for-FlushContext.patch +++ /dev/null @@ -1,36 +0,0 @@ -From ecfc3b4c1e9a59c6a230398bced24118d19ea099 Mon Sep 17 00:00:00 2001 -From: William Roberts -Date: Thu, 7 Jul 2022 09:00:19 -0500 -Subject: [PATCH 23/23] SAPI: fix number of handles for FlushContext - -The lookup table for the number of command handles for -Tss2_Sys_FlushContext has the count set to 1, when in reality the -command takes no handles in the handle area but a handle as the input -parameter. This works currently because handles and parameters are just -concatenated and the parsing logic on the TPM just unpacks them, so in -this case, thet're in the same spot with the same value. This goes -unnoticed until you call Tss2_Sys_GetCpBuffer and the buffer is empty as -the logic things its a handle in the handle area and not a handle in the -parameter area. - -Signed-off-by: William Roberts ---- - src/tss2-sys/sysapi_util.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/tss2-sys/sysapi_util.c b/src/tss2-sys/sysapi_util.c -index d84acc5d..a92f47a2 100644 ---- a/src/tss2-sys/sysapi_util.c -+++ b/src/tss2-sys/sysapi_util.c -@@ -262,7 +262,7 @@ static int GetNumHandles(TPM2_CC commandCode, bool req) - { TPM2_CC_FirmwareRead, 0, 0 }, - { TPM2_CC_ContextSave, 1, 0 }, - { TPM2_CC_ContextLoad, 0, 1 }, -- { TPM2_CC_FlushContext, 1, 0 }, -+ { TPM2_CC_FlushContext, 0, 0 }, - { TPM2_CC_EvictControl, 2, 0 }, - { TPM2_CC_ReadClock, 0, 0 }, - { TPM2_CC_ClockSet, 1, 0 }, --- -2.34.3 - diff --git a/sources b/sources index 4a9668d..cfbae7b 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (tpm2-tss-3.0.3.tar.gz) = 54a926db55790250d69c81ac6e436556072057dd7c610d2718689030287dee69d533d4e04b3325dd73d9fc7635dad0bf0a7bfb082957bb51cb420efdb68efaf8 +SHA512 (tpm2-tss-3.2.2.tar.gz) = efa71d04de907f74cf0e451a55124cb6fa804fddc2530ecc728a76030e0ae1e8597048c81cd4316397318f273e95754cf85745fc49966208b60babd398989aa6 \ No newline at end of file diff --git a/tpm2-tss.spec b/tpm2-tss.spec index a741f1f..da4ef8e 100644 --- a/tpm2-tss.spec +++ b/tpm2-tss.spec @@ -1,6 +1,6 @@ Name: tpm2-tss -Version: 3.0.3 -Release: 8%{?dist} +Version: 3.2.2 +Release: 1%{?dist} Summary: TPM2.0 Software Stack # The entire source code is under BSD except implementation.h and tpmb.h which @@ -9,45 +9,19 @@ License: BSD and TCGL URL: https://github.com/tpm2-software/tpm2-tss Source0: https://github.com/tpm2-software/tpm2-tss/releases/download/%{version}/%{name}-%{version}.tar.gz Source1: tpm2-tss-systemd-sysusers.conf -# doxygen crash -Patch0: tpm2-tss-3.0.0-doxygen.patch -# OpenSSL 3 support -Patch1: 0001-FAPI-Fix-reading-of-the-root-certificate-for-provisi.patch -Patch2: 0002-FAPI-use-FAPI_TEST_EK_CERT_LESS-with-disable-self-ge.patch -Patch3: 0003-Makefile.am-Use-LIBCRYPTO_CFLAGS-when-building-FAPI.patch -Patch4: 0004-Test-Remove-duplicate-openssl-req-new.patch -Patch5: 0005-FAPI-Test-Call-EVP_DigestSignInit-in-the-correct-ord.patch -Patch6: 0006-FAPI-Test-Use-EVP_PKEY_base_id-to-detect-key-type.patch -Patch7: 0007-FAPI-Test-Change-RSA_sign-to-EVP_PKEY_sign.patch -Patch8: 0008-Require-OpenSSL-1.1.0.patch -Patch9: 0009-FAPI-Change-SHA256_Update-to-EVP_DigestUpdate.patch -Patch10: 0010-Test-Use-EVP_MAC_xxx-with-OpenSSL-3.0.patch -Patch11: 0011-Drop-support-for-OpenSSL-1.1.0.patch -Patch12: 0012-Implement-EVP_PKEY-export-import-for-OpenSSL-3.0.patch -Patch13: 0001-esys_crypto_ossl-remove-non-needed-_ex-OSSL-funcs.patch -Patch14: 0002-FAPI-Remove-useless-code-get_engine.patch -Patch15: 0003-FAPI-Remove-fauly-free-of-an-unused-field.patch -Patch16: 0004-Remove-deprecated-OpenSSL_add_all_algorithms.patch -Patch17: 0005-Use-default-OpenSSL-context-for-internal-crypto-oper.patch -Patch18: 0006-FAPI-Add-policy-computation-for-create-primary.patch -Patch19: 0007-FAPI-Fix-loading-of-primary-keys.patch -Patch20: 0008-Fix-file-descriptor-leak-when-tcti-initialization-fa.patch -Patch21: 0009-FAPI-Fix-leak-in-fapi-crypto-with-ossl3.patch -Patch22: 0010-FAPI-Fix-memory-leak-after-ifapi_init_primary_finish.patch -Patch23: 0011-esys-Return-an-error-if-ESYS_TR_NONE-is-passed-to-Es.patch -Patch24: 0012-FAPI-Fixed-memory-leak-when-ifapi_get_certificates-f.patch -Patch25: 0013-FAPI-Free-object-when-keystore_search_obj-failed.patch -Patch26: 0014-FAPI-Fixed-the-memory-leak-of-command-data-when-Fapi.patch -Patch27: 0015-ESYS-Fixed-annotation-error-of-Esys_TR_Deserialize.patch -Patch28: 0016-FAPI-Clean-up-memory-when-Fapi_Delete_Async-failed.patch -Patch29: 0017-FAPI-Clean-up-memory-when-Fapi_GetEsysBlob_Async-fai.patch -Patch30: 0018-FAPI-Initialize-object-used-for-keystore-search.patch -Patch31: 0019-MU-Fix-buffer-upcast-leading-to-misalignment.patch -Patch32: 0020-esys_iutil-fix-possible-NPD.patch -Patch33: 0021-sapi-scope-command-handles.patch -Patch34: 0022-fapi-use-correct-userdata-for-cbauthnv.patch -Patch35: 0023-SAPI-fix-number-of-handles-for-FlushContext.patch - +# doxygen patch +Patch0: tpm2-tss-3.0.0-doxygen.patch +Patch2: 0001-esys_iutil-fix-possible-NPD.patch +Patch3: 0001-tss2-rc-fix-unknown-layer-handler-dropping-bits.patch +Patch4: 0002-MU-Fix-unneeded-size-check-in-TPM2B-unmarshaling.patch +Patch5: 0003-FAPI-Fix-parameter-encryption-for-provisioning.patch +Patch6: 0004-FAPI-Fix-missing-parameter-encryption-for-policy-ses.patch +Patch7: 0005-FAPI-Fix-missing-parameter-encryption-for-some-HMAC-.patch +Patch8: 0006-FAPI-Fix-usage-of-persistent-handles.patch +Patch11: 0007-build-Fix-failed-build-with-disable-vendor.patch +Patch12: 0008-FAPI-Fapi_GetInfo-display-warning-for-SHA3-hash-algs.patch +Patch13: 0009-FAPI-Skip-provisioning-test-for-nv-ext-and-profile-p.patch +Patch14: 0010-FAPI-Fix-wrong-allocation-of-pcr-policy.patch %global udevrules_prefix 60- @@ -75,9 +49,9 @@ APIs for applications to access TPM module through kernel TPM drivers. %autosetup -p1 -n %{name}-%{version} %build -autoreconf -i # Use built-in tpm-udev.rules, with specified installation path and prefix. %configure --disable-static --disable-silent-rules \ + --disable-tcti-pcap --disable-tcti-libtpms \ --with-udevrulesdir=%{_udevrulesdir} --with-udevrulesprefix=%{udevrules_prefix} \ --with-runstatedir=%{_rundir} --with-tmpfilesdir=%{_tmpfilesdir} --with-sysusersdir=%{_sysusersdir} @@ -153,6 +127,14 @@ use tpm2-tss. %changelog +* Fri Jun 23 2023 Štěpán Horáček - 3.2.2-1 +- Rebase to 3.2.2 +- Use systemd-sysusers to create user + Resolves: CVE-2023-22745 + Resolves: rhbz#2095479 + Resolves: rhbz#2160307 + Resolves: rhbz#2162613 + * Wed Aug 10 2022 Štěpán Horáček - 3.0.3-8 - Fix memory leaks, potential crashes, upgrade to OpenSSL 3 Resolves: rhbz#2041919