rpms/tpm2-tss
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import CS tpm2-tss-3.2.2-2.el9

Browse Source
This commit is contained in:
eabdullin 2023-09-21 20:36:33 +00:00
parent 72d6299b99
commit b8043f3516
49 changed files with 638 additions and 3991 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/tpm2-tss-3.0.3.tar.gz
SOURCES/tpm2-tss-3.2.2.tar.gz

2
.tpm2-tss.metadata
View File

@ -1 +1 @@
f83a4a9e544893c42ec108f6616a75e2f209d2d3 SOURCES/tpm2-tss-3.0.3.tar.gz
6ebd166443d782e270b3f408e1489284e30dd608 SOURCES/tpm2-tss-3.2.2.tar.gz

61
SOURCES/0001-FAPI-Fix-reading-of-the-root-certificate-for-provisi.patch
View File

@ -1,61 +0,0 @@
From c14bd543879f2336e57aa2dff0b437407d858272 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
Date: Fri, 19 Feb 2021 14:32:45 +0100
Subject: FAPI: Fix reading of the root certificate for
provisioning.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* The root certificate defined by the environment variable FAPI_TEST_ROOT_CERT will
only be used if it's allowed to use self generated root certificate with
./configure --enable-self-generated-certificate
* This option is added to all integration tests which are using the TPM simulator.
- Compared to the upstream commit 199b4edc the changes to CI config files
are omitted.
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
---
configure.ac | 8 ++++++++
src/tss2-fapi/api/Fapi_Provision.c | 4 ++++
2 files changed, 12 insertions(+)
diff --git a/configure.ac b/configure.ac
index f4df879c..d3bbb93d 100755
--- a/configure.ac
+++ b/configure.ac
@@ -440,6 +440,14 @@ AC_ARG_ENABLE([weakcrypto],
AS_IF([test "x$enable_weakcrypto" = "xyes"],
AC_DEFINE([DISABLE_WEAK_CRYPTO],[1],[DISABLE WEAK CRYPTO ALGORITHMS]))
+AC_ARG_ENABLE([self-generated-certificate],
+ [AS_HELP_STRING([--enable-self-generated-certificate],
+ [Alllow usage of self generated root certifcate])],,
+ [enable_self_generated_certificate=no])
+AS_IF([test "x$enable_self_generated_certificate" == xyes],
+ [AC_DEFINE([SELF_GENERATED_CERTIFICATE],[1], [Allow usage of self generated root certifcate])])
+
+
AC_SUBST([PATH])
dnl --------- Doxy Gen -----------------------
diff --git a/src/tss2-fapi/api/Fapi_Provision.c b/src/tss2-fapi/api/Fapi_Provision.c
index 00534a2e..9cf804ad 100644
--- a/src/tss2-fapi/api/Fapi_Provision.c
+++ b/src/tss2-fapi/api/Fapi_Provision.c
@@ -797,7 +797,11 @@ Fapi_Provision_Finish(FAPI_CONTEXT *context)
statecase(context->state, PROVISION_PREPARE_READ_ROOT_CERT);
/* Prepare reading of root certificate. */
+ root_ca_file = NULL;
+#ifdef SELF_GENERATED_CERTIFICATE
+#pragma message ( "*** Allow self generated certifcate ***" )
root_ca_file = getenv("FAPI_TEST_ROOT_CERT");
+#endif
if (!root_ca_file) {
context->state = PROVISION_EK_CHECK_CERT;
return TSS2_FAPI_RC_TRY_AGAIN;
--
2.26.3

99
SOURCES/0001-esys_crypto_ossl-remove-non-needed-_ex-OSSL-funcs.patch
View File

@ -1,99 +0,0 @@
From 446aef29b5e5d376a3724dbf95c851ac82baeb7f Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Thu, 19 Nov 2020 11:09:56 -0600
Subject: [PATCH 01/23] esys_crypto_ossl: remove non-needed _ex OSSL funcs
Some of the OSSL _ex suffixed routines remained even after the ENGINE
pointer was removed. The _ex functions with NULL engine don't do
anything different then the non _ex suffixed ones. One _ex routine
remains, RSA_generate_key_ex, becuase the _ex version is deprecated.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
src/tss2-esys/esys_crypto_ossl.c | 23 +++++++++++------------
1 file changed, 11 insertions(+), 12 deletions(-)
diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c
index 392f97ae..6856e92d 100644
--- a/src/tss2-esys/esys_crypto_ossl.c
+++ b/src/tss2-esys/esys_crypto_ossl.c
@@ -136,10 +136,9 @@ iesys_cryptossl_hash_start(IESYS_CRYPTO_CONTEXT_BLOB ** context,
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Error EVP_MD_CTX_create", cleanup);
}
- if (1 != EVP_DigestInit_ex(mycontext->hash.ossl_context,
- mycontext->hash.ossl_hash_alg,
- NULL)) {
- goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Errror EVP_DigestInit_ex", cleanup);
+ if (1 != EVP_DigestInit(mycontext->hash.ossl_context,
+ mycontext->hash.ossl_hash_alg)) {
+ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Errror EVP_DigestInit", cleanup);
}
*context = (IESYS_CRYPTO_CONTEXT_BLOB *) mycontext;
@@ -241,13 +240,13 @@ iesys_cryptossl_hash_finish(IESYS_CRYPTO_CONTEXT_BLOB ** context,
return_error(TSS2_ESYS_RC_BAD_SIZE, "Buffer too small");
}
- if (1 != EVP_DigestFinal_ex(mycontext->hash.ossl_context, buffer, &digest_size)) {
+ if (1 != EVP_DigestFinal(mycontext->hash.ossl_context, buffer, &digest_size)) {
return_error(TSS2_ESYS_RC_GENERAL_FAILURE, "Ossl error.");
}
if (digest_size != mycontext->hash.hash_len) {
return_error(TSS2_ESYS_RC_GENERAL_FAILURE,
- "Invalid size computed by EVP_DigestFinal_ex");
+ "Invalid size computed by EVP_DigestFinal");
}
LOGBLOB_TRACE(buffer, mycontext->hash.hash_len, "read hash result");
@@ -1056,11 +1055,11 @@ iesys_cryptossl_sym_aes_encrypt(uint8_t * key,
"Initialize cipher context", cleanup);
}
- if (1 != EVP_EncryptInit_ex(ctx, cipher_alg, NULL, key, iv)) {
+ if (1 != EVP_EncryptInit(ctx, cipher_alg,key, iv)) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
"Initialize cipher operation", cleanup);
}
- if (1 != EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv)) {
+ if (1 != EVP_EncryptInit(ctx, NULL, key, iv)) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Set key and iv", cleanup);
}
@@ -1069,7 +1068,7 @@ iesys_cryptossl_sym_aes_encrypt(uint8_t * key,
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Encrypt update", cleanup);
}
- if (1 != EVP_EncryptFinal_ex(ctx, buffer, &cipher_len)) {
+ if (1 != EVP_EncryptFinal(ctx, buffer, &cipher_len)) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Encrypt final", cleanup);
}
LOGBLOB_TRACE(buffer, buffer_size, "IESYS AES output");
@@ -1144,12 +1143,12 @@ iesys_cryptossl_sym_aes_decrypt(uint8_t * key,
LOGBLOB_TRACE(buffer, buffer_size, "IESYS AES input");
- if (1 != EVP_DecryptInit_ex(ctx, cipher_alg, NULL, key, iv)) {
+ if (1 != EVP_DecryptInit(ctx, cipher_alg, key, iv)) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
"Initialize cipher operation", cleanup);
}
- if (1 != EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv)) {
+ if (1 != EVP_DecryptInit(ctx, NULL, key, iv)) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Set key and iv", cleanup);
}
@@ -1158,7 +1157,7 @@ iesys_cryptossl_sym_aes_decrypt(uint8_t * key,
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Encrypt update", cleanup);
}
- if (1 != EVP_DecryptFinal_ex(ctx, buffer, &cipher_len)) {
+ if (1 != EVP_DecryptFinal(ctx, buffer, &cipher_len)) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Encrypt final", cleanup);
}
LOGBLOB_TRACE(buffer, buffer_size, "IESYS AES output");
--
2.34.3

10
SOURCES/0020-esys_iutil-fix-possible-NPD.patch → SOURCES/0001-esys_iutil-fix-possible-NPD.patch
View File

@ -1,7 +1,7 @@
From f140a8e5fdb2f3b9fbc3b32d1a844554008c2298 Mon Sep 17 00:00:00 2001
From f5907e96363729e16475172ef1056532d9404482 Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Fri, 3 Jun 2022 11:51:02 -0500
Subject: [PATCH 20/23] esys_iutil: fix possible NPD
Subject: [PATCH 1/2] esys_iutil: fix possible NPD
Clang-10 scan-build reports:
src/tss2-esys/esys_iutil.c:1366:56: warning: Dereference of null pointer
@ -24,10 +24,10 @@ Signed-off-by: William Roberts <william.c.roberts@intel.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tss2-esys/esys_iutil.c b/src/tss2-esys/esys_iutil.c
index 0cc92ca5..493f9b28 100644
index 4d31cef8..b364dd73 100644
--- a/src/tss2-esys/esys_iutil.c
+++ b/src/tss2-esys/esys_iutil.c
@@ -1339,7 +1339,7 @@ iesys_gen_auths(ESYS_CONTEXT * esys_context,
@@ -1352,7 +1352,7 @@ iesys_gen_auths(ESYS_CONTEXT * esys_context,
&& encryptNonceIdx > 0) ? encryptNonce : NULL,
&auths->auths[session_idx]);
return_if_error(r, "Error while computing hmacs");
@ -37,5 +37,5 @@ index 0cc92ca5..493f9b28 100644
auths->count++;
}
--
2.34.3
2.39.2

65
SOURCES/0001-tss2-rc-fix-unknown-layer-handler-dropping-bits.patch Normal file
View File

@ -0,0 +1,65 @@
From eb2fd8b436688377a20d24a467fd03e62d3e6c06 Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Tue, 24 Jan 2023 10:01:23 -0600
Subject: [PATCH 01/10] tss2-rc: fix unknown layer handler dropping bits
The commit (on 4.0.1 and master):
- 49107d65d5c7 tss2_rc: ensure layer number is in bounds
Introduces a bug where the right shift by 8 drops the lower byte going
into the unknown_layer handler function. This will effectively drop rc
error bits for unknown layers. The largest impact will be on windows
where their resource manager is not a registered handler.
Fix this by just dumping all the bytes and not get fancy with masking
things out.
Fixes: #2550
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
src/tss2-rc/tss2_rc.c | 4 ++--
test/unit/test_tss2_rc.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/tss2-rc/tss2_rc.c b/src/tss2-rc/tss2_rc.c
index 7e668a46..6de7d6f3 100644
--- a/src/tss2-rc/tss2_rc.c
+++ b/src/tss2-rc/tss2_rc.c
@@ -985,9 +985,9 @@ Tss2_RC_Decode(TSS2_RC rc)
} else {
/*
* we don't want to drop any bits if we don't know what to do with it
- * so drop the layer byte since we we already have that.
+ * so just send the whole thing.
*/
- const char *e = unknown_layer_handler(rc >> 8);
+ const char *e = unknown_layer_handler(rc);
assert(e);
catbuf(buf, "%s", e);
}
diff --git a/test/unit/test_tss2_rc.c b/test/unit/test_tss2_rc.c
index 0b0f57c6..e5051c85 100644
--- a/test/unit/test_tss2_rc.c
+++ b/test/unit/test_tss2_rc.c
@@ -199,7 +199,7 @@ test_custom_handler(void **state)
* Test an unknown layer
*/
e = Tss2_RC_Decode(rc);
- assert_string_equal(e, "1:0x100");
+ assert_string_equal(e, "1:0x1002A");
}
static void
@@ -288,7 +288,7 @@ test_all_FFs(void **state)
(void) state;
const char *e = Tss2_RC_Decode(0xFFFFFFFF);
- assert_string_equal(e, "255:0xFFFFFF");
+ assert_string_equal(e, "255:0xFFFFFFFF");
}
static void
--
2.41.0

63
SOURCES/0002-FAPI-Remove-useless-code-get_engine.patch
View File

@ -1,63 +0,0 @@
From 53a5ba5c8476097fb5145cee4bed61b82d0cc225 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
Date: Mon, 7 Jun 2021 09:47:30 +0200
Subject: [PATCH 02/23] FAPI: Remove useless code get_engine.
The function did always return NULL. So the default engine was used.
Fixes #2085
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
---
src/tss2-fapi/fapi_crypto.c | 22 +---------------------
1 file changed, 1 insertion(+), 21 deletions(-)
diff --git a/src/tss2-fapi/fapi_crypto.c b/src/tss2-fapi/fapi_crypto.c
index c50b5f0a..9c7e566c 100644
--- a/src/tss2-fapi/fapi_crypto.c
+++ b/src/tss2-fapi/fapi_crypto.c
@@ -56,9 +56,6 @@ typedef struct _IFAPI_CRYPTO_CONTEXT {
size_t hashSize;
} IFAPI_CRYPTO_CONTEXT;
-/** A singleton crypto engine for hash operations */
-static ENGINE *engine = NULL;
-
/**
* Returns the signature scheme that is currently used in the FAPI context.
*
@@ -228,23 +225,6 @@ ifapi_bn2binpad(const BIGNUM *bn, unsigned char *bin, int binSize)
return 1;
}
-/**
- * Returns the singleton hash engine for the use in ifapi_hash operations. If
- * it does not yet exist, this function creates it.
- *
- * @retval A singleton hash engine
- */
-static ENGINE *
-get_engine()
-{
- /* If an engine is present, it is returned */
- if (engine)
- return engine;
- /* Otherwise, engine is created and returned */
- engine = ENGINE_by_id(NULL);
- return engine;
-}
-
/**
* Returns a suitable openSSL hash algorithm identifier for a given TSS hash
* algorithm identifier.
@@ -1558,7 +1538,7 @@ ifapi_crypto_hash_start(IFAPI_CRYPTO_CONTEXT_BLOB **context,
}
if (1 != EVP_DigestInit_ex(mycontext->osslContext,
- mycontext->osslHashAlgorithm, get_engine())) {
+ mycontext->osslHashAlgorithm, NULL)) {
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Error EVP_DigestInit_ex",
cleanup);
}
--
2.34.3

42
SOURCES/0002-FAPI-use-FAPI_TEST_EK_CERT_LESS-with-disable-self-ge.patch
View File

@ -1,42 +0,0 @@
From d680ea548b3ab066f6bea625af5d4000ca32cfee Mon Sep 17 00:00:00 2001
From: Jonas Witschel <diabonas@gmx.de>
Date: Mon, 1 Mar 2021 20:00:17 +0100
Subject: FAPI: use FAPI_TEST_EK_CERT_LESS with
--disable-self-generated-certificate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Since commit 199b4edc265b2f4758aa22ebf4ed6472a34b9a7a ("FAPI: Fix reading of
the root certificate for provisioning.") it is required to specify
--enable-self-generated-certificate in order to make the FAPI integration tests
pass. This is an option that should usually not be enabled in production builds
for security reasons, but still some form of integration testing might be
desirable in this case to verify whether the compiled library works as
expected. Use FAPI_TEST_EK_CERT_LESS in this case to run the tests without EK
certificate validation.
Signed-off-by: Jonas Witschel <diabonas@gmx.de>
---
configure.ac | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/configure.ac b/configure.ac
index d3bbb93d..d4324c9a 100755
--- a/configure.ac
+++ b/configure.ac
@@ -444,8 +444,9 @@ AC_ARG_ENABLE([self-generated-certificate],
[AS_HELP_STRING([--enable-self-generated-certificate],
[Alllow usage of self generated root certifcate])],,
[enable_self_generated_certificate=no])
-AS_IF([test "x$enable_self_generated_certificate" == xyes],
- [AC_DEFINE([SELF_GENERATED_CERTIFICATE],[1], [Allow usage of self generated root certifcate])])
+AS_IF([test "x$enable_self_generated_certificate" = xyes],
+ [AC_DEFINE([SELF_GENERATED_CERTIFICATE], [1], [Allow usage of self generated root certificate])],
+ [AS_IF([test "x$integration_tcti" != "xdevice"], [AC_DEFINE([FAPI_TEST_EK_CERT_LESS], [1], [Perform integration tests without EK certificate verification])])])
AC_SUBST([PATH])
--
2.26.3

65
SOURCES/0002-MU-Fix-unneeded-size-check-in-TPM2B-unmarshaling.patch Normal file
View File

@ -0,0 +1,65 @@
From 6e4f8823ca6f7f062df3cd4ee88e397fac9adc37 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Thu, 9 Feb 2023 15:22:08 +0100
Subject: [PATCH 02/10] MU: Fix unneeded size check in TPM2B unmarshaling
There is a size check for the destination object whether the size is zero.
If the memory of the destination object is no cleared this might cause
a race conditions.
Unneeded tests from the integration test tpmclient were removed.
Fixes: #2564
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-mu/tpm2b-types.c | 6 +-----
test/tpmclient/tpmclient.int.c | 9 ---------
2 files changed, 1 insertion(+), 14 deletions(-)
diff --git a/src/tss2-mu/tpm2b-types.c b/src/tss2-mu/tpm2b-types.c
index 2e10f487..6e8915f6 100644
--- a/src/tss2-mu/tpm2b-types.c
+++ b/src/tss2-mu/tpm2b-types.c
@@ -248,11 +248,7 @@ TSS2_RC Tss2_MU_##type##_Unmarshal(uint8_t const buffer[], size_t buffer_size, \
sizeof(size)); \
return TSS2_MU_RC_INSUFFICIENT_BUFFER; \
} \
- if (dest && dest->size != 0) { \
- LOG_WARNING("Size not zero"); \
- return TSS2_SYS_RC_BAD_VALUE; \
- } \
-\
+ \
rc = Tss2_MU_UINT16_Unmarshal(buffer, buffer_size, &local_offset, &size); \
if (rc) \
return rc; \
diff --git a/test/tpmclient/tpmclient.int.c b/test/tpmclient/tpmclient.int.c
index deedcfb7..16443955 100644
--- a/test/tpmclient/tpmclient.int.c
+++ b/test/tpmclient/tpmclient.int.c
@@ -847,12 +847,6 @@ static void TestHierarchyControl()
rval = Tss2_Sys_NV_DefineSpace( sysContext, TPM2_RH_PLATFORM, &sessionsData, &nvAuth, &publicInfo, 0 );
CheckPassed( rval );
- /* Test SYS for case where nvPublic.size != 0 */
- nvPublic.size = 0xff;
- INIT_SIMPLE_TPM2B_SIZE( nvName );
- rval = Tss2_Sys_NV_ReadPublic( sysContext, TPM20_INDEX_TEST1, 0, &nvPublic, &nvName, 0 );
- CheckFailed( rval, TSS2_SYS_RC_BAD_VALUE );
-
nvPublic.size = 0;
INIT_SIMPLE_TPM2B_SIZE( nvName );
rval = Tss2_Sys_NV_ReadPublic( sysContext, TPM20_INDEX_TEST1, 0, &nvPublic, &nvName, 0 );
@@ -2135,10 +2129,7 @@ static void EcEphemeralTest()
LOG_INFO("EC Ephemeral TESTS:" );
- /* Test SYS for case of Q size field not being set to 0. */
INIT_SIMPLE_TPM2B_SIZE( Q );
- rval = Tss2_Sys_EC_Ephemeral( sysContext, 0, TPM2_ECC_BN_P256, &Q, &counter, 0 );
- CheckFailed( rval, TSS2_SYS_RC_BAD_VALUE );
Q.size = 0;
rval = Tss2_Sys_EC_Ephemeral( sysContext, 0, TPM2_ECC_BN_P256, &Q, &counter, 0 );
--
2.41.0

78
SOURCES/0003-FAPI-Fix-parameter-encryption-for-provisioning.patch Normal file
View File

@ -0,0 +1,78 @@
From d486edf730d652c8ab2fc50eb00e45223b43628f Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Tue, 14 Feb 2023 19:52:28 +0100
Subject: [PATCH 03/10] FAPI: Fix parameter encryption for provisioning
Currently no parameter encryption was made during provisioning.
Now the EK es used as tpmkey for the create primary session of
the SRK and the SRK is used for parameter encryption of the
other command executed during provisioning.
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-fapi/api/Fapi_Provision.c | 6 ++++--
src/tss2-fapi/fapi_int.h | 7 ++++---
src/tss2-fapi/fapi_util.c | 5 ++++-
3 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/src/tss2-fapi/api/Fapi_Provision.c b/src/tss2-fapi/api/Fapi_Provision.c
index 97c25828..48f2fd3b 100644
--- a/src/tss2-fapi/api/Fapi_Provision.c
+++ b/src/tss2-fapi/api/Fapi_Provision.c
@@ -884,7 +884,8 @@ Fapi_Provision_Finish(FAPI_CONTEXT *context)
statecase(context->state, PROVISION_INIT_SRK);
/* Create session which will be used for SRK generation. */
context->srk_handle = context->ek_handle;
- r = ifapi_get_sessions_async(context, IFAPI_SESSION1, 0, 0);
+ r = ifapi_get_sessions_async(context, IFAPI_SESSION_USE_SRK | IFAPI_SESSION1,
+ TPMA_SESSION_DECRYPT, 0);
goto_if_error_reset_state(r, "Create sessions", error_cleanup);
fallthrough;
@@ -1084,7 +1085,8 @@ Fapi_Provision_Finish(FAPI_CONTEXT *context)
try_again_or_error_goto(r, "Cleanup", error_cleanup);
/* Create session which will be used for parameter encryption. */
- r = ifapi_get_sessions_async(context, IFAPI_SESSION1, 0, 0);
+ r = ifapi_get_sessions_async(context, IFAPI_SESSION_USE_SRK | IFAPI_SESSION1,
+ TPMA_SESSION_DECRYPT, 0);
goto_if_error_reset_state(r, "Create sessions", error_cleanup);
fallthrough;
diff --git a/src/tss2-fapi/fapi_int.h b/src/tss2-fapi/fapi_int.h
index 5f666a75..8533112a 100644
--- a/src/tss2-fapi/fapi_int.h
+++ b/src/tss2-fapi/fapi_int.h
@@ -55,9 +55,10 @@ typedef UINT32 TSS2_KEY_TYPE;
#define MAX_PLATFORM_CERT_HANDLE 0x01C0FFFF
typedef UINT8 IFAPI_SESSION_TYPE;
-#define IFAPI_SESSION_GENEK 0x01
-#define IFAPI_SESSION1 0x02
-#define IFAPI_SESSION2 0x04
+#define IFAPI_SESSION_GENEK 0x01
+#define IFAPI_SESSION1 0x02
+#define IFAPI_SESSION2 0x04
+#define IFAPI_SESSION_USE_SRK 0x08
#define IFAPI_POLICY_PATH "policy"
#define IFAPI_NV_PATH "nv"
diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
index 44dd4168..ded0d247 100644
--- a/src/tss2-fapi/fapi_util.c
+++ b/src/tss2-fapi/fapi_util.c
@@ -1327,7 +1327,10 @@ ifapi_get_sessions_async(FAPI_CONTEXT *context,
context->session2_attribute_flags = attribute_flags2;
char *file = NULL;
- if (!(session_flags & IFAPI_SESSION_GENEK)) {
+ if (session_flags & IFAPI_SESSION_USE_SRK) {
+ context->session_state = SESSION_CREATE_SESSION;
+ return TSS2_RC_SUCCESS;
+ } else if (!(session_flags & IFAPI_SESSION_GENEK)) {
context->srk_handle = ESYS_TR_NONE;
context->session_state = SESSION_CREATE_SESSION;
return TSS2_RC_SUCCESS;
--
2.41.0

40
SOURCES/0003-FAPI-Remove-fauly-free-of-an-unused-field.patch
View File

@ -1,40 +0,0 @@
From 29f7b2855a9d1378bb8a757564e1f0367a84cb70 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
Date: Tue, 3 Aug 2021 16:24:41 +0200
Subject: [PATCH 03/23] FAPI: Remove fauly free of an unused field.
The field out_data in IFAPI_Data_EncryptDecrypt was not used but freed in Fapi_Encrypt.
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
---
src/tss2-fapi/api/Fapi_Encrypt.c | 1 -
src/tss2-fapi/fapi_int.h | 1 -
2 files changed, 2 deletions(-)
diff --git a/src/tss2-fapi/api/Fapi_Encrypt.c b/src/tss2-fapi/api/Fapi_Encrypt.c
index 2e892351..af8e2c58 100644
--- a/src/tss2-fapi/api/Fapi_Encrypt.c
+++ b/src/tss2-fapi/api/Fapi_Encrypt.c
@@ -405,7 +405,6 @@ error_cleanup:
SAFE_FREE(tpmCipherText);
SAFE_FREE(command->keyPath);
SAFE_FREE(command->in_data);
- SAFE_FREE(command->out_data);
ifapi_session_clean(context);
LOG_TRACE("finished");
return r;
diff --git a/src/tss2-fapi/fapi_int.h b/src/tss2-fapi/fapi_int.h
index 90707da1..13c0333e 100644
--- a/src/tss2-fapi/fapi_int.h
+++ b/src/tss2-fapi/fapi_int.h
@@ -386,7 +386,6 @@ typedef struct {
uint8_t const *in_data;
size_t in_dataSize;
IFAPI_OBJECT *key_object; /**< The IPAPI object for the encryption key */
- uint8_t *out_data; /**< The output of symmetric encrypt/decryption */
ESYS_TR key_handle; /**< The ESYS handle of the encryption key */
size_t numBytes; /**< The number of bytes of a ESYS request */
size_t decrypt; /**< Switch whether to encrypt or decrypt */
--
2.34.3

29
SOURCES/0003-Makefile.am-Use-LIBCRYPTO_CFLAGS-when-building-FAPI.patch
View File

@ -1,29 +0,0 @@
From c5933320e1bd557cc52f2d56baec4ea52edfbc47 Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Sat, 17 Jul 2021 20:15:51 +0200
Subject: Makefile.am: Use LIBCRYPTO_CFLAGS when building FAPI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
Makefile.am | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile.am b/Makefile.am
index f2fa515a..0f759adb 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -521,7 +521,7 @@ src_tss2_fapi_libtss2_fapi_la_LIBADD = $(libtss2_sys) $(libtss2_mu) $(libtss2_e
$(libutil) $(libtss2_tctildr)
src_tss2_fapi_libtss2_fapi_la_SOURCES = $(TSS2_FAPI_SRC)
-src_tss2_fapi_libtss2_fapi_la_CFLAGS = $(AM_CFLAGS) -I$(srcdir)/src/tss2-fapi
+src_tss2_fapi_libtss2_fapi_la_CFLAGS = $(AM_CFLAGS) -I$(srcdir)/src/tss2-fapi $(LIBCRYPTO_CFLAGS)
src_tss2_fapi_libtss2_fapi_la_LDFLAGS = $(AM_LDFLAGS) $(LIBCRYPTO_LIBS) $(JSONC_LIBS) $(CURL_LIBS)
if HAVE_LD_VERSION_SCRIPT
src_tss2_fapi_libtss2_fapi_la_LDFLAGS += -Wl,--version-script=$(srcdir)/lib/tss2-fapi.map
--
2.26.3

101
SOURCES/0004-FAPI-Fix-missing-parameter-encryption-for-policy-ses.patch Normal file
View File

@ -0,0 +1,101 @@
From 6bb79f17b89592909830f872dc47d09c0e5dadda Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Fri, 3 Mar 2023 11:17:43 +0100
Subject: [PATCH 04/10] FAPI: Fix missing parameter encryption for policy
sessions.
The parameter encryption for policy sessions was not enabled.
Now the parameter encryption is enabled and the auth value of
objects is added to the session key.
One exception is the cp hash policy. In this case the
the cp hash check forced by this policy would fail with an
encrypted parameter.
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-fapi/fapi_util.c | 28 ++++++++++++------------
src/tss2-fapi/ifapi_policy_execute.c | 5 +++++
src/tss2-fapi/ifapi_policyutil_execute.c | 4 ++++
3 files changed, 23 insertions(+), 14 deletions(-)
diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
index ded0d247..55ce3327 100644
--- a/src/tss2-fapi/fapi_util.c
+++ b/src/tss2-fapi/fapi_util.c
@@ -2110,21 +2110,20 @@ ifapi_authorize_object(FAPI_CONTEXT *context, IFAPI_OBJECT *object, ESYS_TR *ses
statecase(object->authorization_state, AUTH_INIT)
LOG_TRACE("**STATE** AUTH_INIT");
- if (!policy_digest_size(object)) {
- /* No policy used authorization callbacks have to be called if necessary. */
- if (object_with_auth(object)) {
- /* Check whether hierarchy was already authorized. */
- if (object->objectType != IFAPI_HIERARCHY_OBJ ||
- !object->misc.hierarchy.authorized) {
- char *description = NULL;
- r = ifapi_get_description(object, &description);
- return_if_error(r, "Get description");
-
- r = ifapi_set_auth(context, object, description);
- SAFE_FREE(description);
- return_if_error(r, "Set auth value");
- }
+ if (object_with_auth(object)) {
+ /* Check whether hierarchy was already authorized. */
+ if (object->objectType != IFAPI_HIERARCHY_OBJ ||
+ !object->misc.hierarchy.authorized) {
+ char *description = NULL;
+ r = ifapi_get_description(object, &description);
+ return_if_error(r, "Get description");
+
+ r = ifapi_set_auth(context, object, description);
+ SAFE_FREE(description);
+ return_if_error(r, "Set auth value");
}
+ }
+ if (!policy_digest_size(object)) {
/* No policy session needed current fapi session can be used */
if (context->session1 && context->session1 != ESYS_TR_NONE)
*session = context->session1;
@@ -2133,6 +2132,7 @@ ifapi_authorize_object(FAPI_CONTEXT *context, IFAPI_OBJECT *object, ESYS_TR *ses
*session = ESYS_TR_PASSWORD;
break;
}
+
/* Save current object to be authorized in context. */
context->current_auth_object = object;
r = ifapi_policyutil_execute_prepare(context, get_name_alg(context, object),
diff --git a/src/tss2-fapi/ifapi_policy_execute.c b/src/tss2-fapi/ifapi_policy_execute.c
index c2ce3301..0e7de316 100644
--- a/src/tss2-fapi/ifapi_policy_execute.c
+++ b/src/tss2-fapi/ifapi_policy_execute.c
@@ -1245,6 +1245,11 @@ execute_policy_cp_hash(
r = Esys_PolicyCpHash_Finish(esys_ctx);
try_again_or_error(r, "Execute PolicyCpHash_Finish.");
+ /* Disable encryption to enable check of cp hash defined in
+ policy cp. */
+ r = Esys_TRSess_SetAttributes(esys_ctx, current_policy->session,
+ 0, 0xff);
+
current_policy->state = POLICY_EXECUTE_INIT;
return r;
diff --git a/src/tss2-fapi/ifapi_policyutil_execute.c b/src/tss2-fapi/ifapi_policyutil_execute.c
index 997fb504..0e2823cb 100644
--- a/src/tss2-fapi/ifapi_policyutil_execute.c
+++ b/src/tss2-fapi/ifapi_policyutil_execute.c
@@ -119,6 +119,10 @@ create_session(
r = Esys_StartAuthSession_Finish(context->esys, session);
if (r != TSS2_RC_SUCCESS)
return r;
+
+ r = Esys_TRSess_SetAttributes(context->esys, *session,
+ TPMA_SESSION_ENCRYPT | TPMA_SESSION_DECRYPT,
+ 0xff);
context->policy.create_session_state = CREATE_SESSION_INIT;
break;
--
2.41.0

44
SOURCES/0004-Remove-deprecated-OpenSSL_add_all_algorithms.patch
View File

@ -1,44 +0,0 @@
From 3a5967ba620849839e71ee304c09a6998109466a Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Mon, 2 Aug 2021 15:50:26 +0200
Subject: [PATCH 04/23] Remove deprecated OpenSSL_add_all_algorithms
From OpenSSL 1.1.0 it is deprecated. No explicit initialisation or
de-initialisation is required.
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
src/tss2-esys/esys_crypto_ossl.c | 2 +-
src/tss2-fapi/ifapi_get_intl_cert.c | 3 ---
2 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c
index 6856e92d..ab08b3b8 100644
--- a/src/tss2-esys/esys_crypto_ossl.c
+++ b/src/tss2-esys/esys_crypto_ossl.c
@@ -1173,7 +1173,7 @@ iesys_cryptossl_sym_aes_decrypt(uint8_t * key,
*
* Initialize OpenSSL internal tables.
*
- * @retval TSS2_RC_SUCCESS always returned because OpenSSL_add_all_algorithms
+ * @retval TSS2_RC_SUCCESS always returned
* does not deliver
* a return code.
*/
diff --git a/src/tss2-fapi/ifapi_get_intl_cert.c b/src/tss2-fapi/ifapi_get_intl_cert.c
index 9290a17e..35186e62 100644
--- a/src/tss2-fapi/ifapi_get_intl_cert.c
+++ b/src/tss2-fapi/ifapi_get_intl_cert.c
@@ -375,9 +375,6 @@ out_free_json:
json_object_put(jso);
out:
- /* In some case this call was necessary after curl usage */
- OpenSSL_add_all_algorithms();
-
free(hash);
if (rc == 0) {
return TSS2_RC_SUCCESS;
--
2.34.3

35
SOURCES/0004-Test-Remove-duplicate-openssl-req-new.patch
View File

@ -1,35 +0,0 @@
From 738f6f045e740c3fc21579297990d60b7c2e83ed Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Sat, 17 Jul 2021 20:23:32 +0200
Subject: Test: Remove duplicate openssl req -new
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The command is called twice, which is superfluous. Both the key
and the certificate are created already by the first command.
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
script/ekca/create_ca.sh | 5 -----
1 file changed, 5 deletions(-)
diff --git a/script/ekca/create_ca.sh b/script/ekca/create_ca.sh
index 90a5c791..61d976a3 100755
--- a/script/ekca/create_ca.sh
+++ b/script/ekca/create_ca.sh
@@ -94,11 +94,6 @@ ${SED_CMD} "s|ROOTCRT|$ROOT_URL|g" $OPENSSL_CONF
openssl req -new -out intermed-ca.req.pem -passout file:pass.txt
-openssl req -new \
- -key private/intermed-ca.key.pem \
- -out intermed-ca.req.pem \
- -passin file:pass.txt
-
openssl rsa -inform PEM -in private/intermed-ca.key.pem \
-outform DER -out private/intermed-ca.key.der -passin file:pass.txt
--
2.26.3

59
SOURCES/0005-FAPI-Fix-missing-parameter-encryption-for-some-HMAC-.patch Normal file
View File

@ -0,0 +1,59 @@
From c7cd976e7152e3f5aaa813aaebf4ab1e5d9b1f3e Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Sun, 5 Mar 2023 19:19:22 +0100
Subject: [PATCH 05/10] FAPI: Fix missing parameter encryption for some HMAC
sessions.
* For Fapi_CreateNv and Fap_NvSetBits the parameter encryption was not enabled.
* For Fapi_Unseal the response description was not enabled.
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-fapi/api/Fapi_CreateNv.c | 2 +-
src/tss2-fapi/api/Fapi_NvSetBits.c | 2 +-
src/tss2-fapi/fapi_util.c | 3 ++-
3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/tss2-fapi/api/Fapi_CreateNv.c b/src/tss2-fapi/api/Fapi_CreateNv.c
index 45e72e33..8160b99d 100644
--- a/src/tss2-fapi/api/Fapi_CreateNv.c
+++ b/src/tss2-fapi/api/Fapi_CreateNv.c
@@ -399,7 +399,7 @@ Fapi_CreateNv_Finish(
context->primary_state = PRIMARY_INIT;
r = ifapi_get_sessions_async(context,
IFAPI_SESSION_GENEK | IFAPI_SESSION1,
- 0, 0);
+ TPMA_SESSION_DECRYPT, 0);
goto_if_error_reset_state(r, "Create sessions", error_cleanup);
fallthrough;
diff --git a/src/tss2-fapi/api/Fapi_NvSetBits.c b/src/tss2-fapi/api/Fapi_NvSetBits.c
index 0615aa12..adf332e0 100644
--- a/src/tss2-fapi/api/Fapi_NvSetBits.c
+++ b/src/tss2-fapi/api/Fapi_NvSetBits.c
@@ -282,7 +282,7 @@ Fapi_NvSetBits_Finish(
/* Prepare session for authorization */
r = ifapi_get_sessions_async(context,
IFAPI_SESSION_GENEK | IFAPI_SESSION1,
- 0, 0);
+ TPMA_SESSION_DECRYPT, 0);
goto_if_error_reset_state(r, "Create sessions", error_cleanup);
fallthrough;
diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
index 55ce3327..ef4a92d0 100644
--- a/src/tss2-fapi/fapi_util.c
+++ b/src/tss2-fapi/fapi_util.c
@@ -2743,7 +2743,8 @@ ifapi_load_key(
/* Prepare the session creation. */
r = ifapi_get_sessions_async(context,
IFAPI_SESSION_GENEK | IFAPI_SESSION1,
- TPMA_SESSION_DECRYPT, 0);
+ TPMA_SESSION_DECRYPT | TPMA_SESSION_ENCRYPT,
+ 0);
goto_if_error_reset_state(r, "Create sessions", error_cleanup);
fallthrough;
--
2.41.0

76
SOURCES/0005-FAPI-Test-Call-EVP_DigestSignInit-in-the-correct-ord.patch
View File

@ -1,76 +0,0 @@
From 563f9c951d9b050378b9d3659a932c98ab587b21 Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Sat, 17 Jul 2021 21:22:28 +0200
Subject: FAPI Test: Call EVP_DigestSignInit in the correct order
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The EVP_DigestSignInit should be called only once and before calling
EVP_PKEY_CTX_set_rsa_padding. See a corresponding example
[here](https://www.openssl.org/docs/man1.0.2/man3/EVP_PKEY_sign_init.html)
Current code works with OpenSSL 1.x, but fails with OpenSSL 3.0.
This PR makes the code compatible with OpenSSL 1.0 through 3.0.
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
test/integration/fapi-data-crypt.int.c | 8 ++------
test/integration/fapi-key-create-policy-signed.int.c | 8 ++------
2 files changed, 4 insertions(+), 12 deletions(-)
diff --git a/test/integration/fapi-data-crypt.int.c b/test/integration/fapi-data-crypt.int.c
index b2d20b28..d42466db 100644
--- a/test/integration/fapi-data-crypt.int.c
+++ b/test/integration/fapi-data-crypt.int.c
@@ -129,8 +129,8 @@ signatureCallback(
mdctx = EVP_MD_CTX_create();
chknull(mdctx);
- if (1 != EVP_DigestSignInit(mdctx, &pctx, NULL, NULL, priv_key)) {
- goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL digest sign init.",
+ if (1 != EVP_DigestSignInit(mdctx, &pctx, ossl_hash, NULL, priv_key)) {
+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.",
error_cleanup);
}
if (EVP_PKEY_type(EVP_PKEY_id(priv_key)) == EVP_PKEY_RSA) {
@@ -140,10 +140,6 @@ signatureCallback(
error_cleanup);
}
}
- if (1 != EVP_DigestSignInit(mdctx, &pctx, ossl_hash, NULL, priv_key)) {
- goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.",
- error_cleanup);
- }
if (1 != EVP_DigestSignUpdate(mdctx, dataToSign, dataToSignSize)) {
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign update.",
error_cleanup);
diff --git a/test/integration/fapi-key-create-policy-signed.int.c b/test/integration/fapi-key-create-policy-signed.int.c
index e51289a6..b903dec0 100644
--- a/test/integration/fapi-key-create-policy-signed.int.c
+++ b/test/integration/fapi-key-create-policy-signed.int.c
@@ -144,8 +144,8 @@ signatureCallback(
mdctx = EVP_MD_CTX_create();
chknull(mdctx);
- if (1 != EVP_DigestSignInit(mdctx, &pctx, NULL, NULL, priv_key)) {
- goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL digest sign init.",
+ if (1 != EVP_DigestSignInit(mdctx, &pctx, ossl_hash, NULL, priv_key)) {
+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.",
error_cleanup);
}
if (EVP_PKEY_type(EVP_PKEY_id(priv_key)) == EVP_PKEY_RSA) {
@@ -155,10 +155,6 @@ signatureCallback(
error_cleanup);
}
}
- if (1 != EVP_DigestSignInit(mdctx, &pctx, ossl_hash, NULL, priv_key)) {
- goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.",
- error_cleanup);
- }
if (1 != EVP_DigestSignUpdate(mdctx, dataToSign, dataToSignSize)) {
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign update.",
error_cleanup);
--
2.26.3

657
SOURCES/0005-Use-default-OpenSSL-context-for-internal-crypto-oper.patch
View File

@ -1,657 +0,0 @@
From 5b777f29fd612f9972d416ed77b90156e2373e9f Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Wed, 25 Aug 2021 14:02:38 +0200
Subject: [PATCH 05/23] Use default OpenSSL context for internal crypto
operations
The TPM2 provider may be loaded in the global library context.
As we don't want the TPM to be called for some operations, we have
to initialize own library context with the default provider.
This is similar to the RAND_set_rand_method dance with older OpenSSL.
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
src/tss2-esys/esys_crypto_ossl.c | 175 ++++++++++++++++++++++---------
src/tss2-fapi/fapi_crypto.c | 152 ++++++++++++++++++---------
2 files changed, 225 insertions(+), 102 deletions(-)
diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c
index ab08b3b8..35af2028 100644
--- a/src/tss2-esys/esys_crypto_ossl.c
+++ b/src/tss2-esys/esys_crypto_ossl.c
@@ -66,38 +66,101 @@ typedef struct _IESYS_CRYPTO_CONTEXT {
} type; /**< The type of context to hold; hash or hmac */
union {
struct {
- EVP_MD_CTX *ossl_context;
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
const EVP_MD *ossl_hash_alg;
+#else
+ OSSL_LIB_CTX *ossl_libctx;
+ EVP_MD *ossl_hash_alg;
+#endif
+ EVP_MD_CTX *ossl_context;
size_t hash_len;
- } hash; /**< the state variables for a hash context */
- struct {
- EVP_MD_CTX *ossl_context;
- const EVP_MD *ossl_hash_alg;
- size_t hmac_len;
- } hmac; /**< the state variables for an hmac context */
+ } hash; /**< the state variables for a HASH or HMAC context */
};
} IESYS_CRYPTOSSL_CONTEXT;
-const EVP_MD *
+static IESYS_CRYPTOSSL_CONTEXT *
+iesys_cryptossl_context_new() {
+ IESYS_CRYPTOSSL_CONTEXT *ctx;
+
+ if (!(ctx = calloc(1, sizeof(IESYS_CRYPTOSSL_CONTEXT))))
+ return NULL;
+
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ /* The TPM2 provider may be loaded in the global library context.
+ * As we don't want the TPM to be called for these operations, we have
+ * to initialize own library context with the default provider. */
+ if (!(ctx->hash.ossl_libctx = OSSL_LIB_CTX_new())) {
+ SAFE_FREE(ctx);
+ return NULL;
+ }
+#endif
+ return ctx;
+}
+
+static void
+iesys_cryptossl_context_free(IESYS_CRYPTOSSL_CONTEXT *ctx) {
+ if (!ctx)
+ return;
+
+ EVP_MD_CTX_free(ctx->hash.ossl_context);
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ EVP_MD_free(ctx->hash.ossl_hash_alg);
+ OSSL_LIB_CTX_free(ctx->hash.ossl_libctx);
+#endif
+ SAFE_FREE(ctx);
+}
+
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+static const EVP_MD *
get_ossl_hash_md(TPM2_ALG_ID hashAlg)
{
switch (hashAlg) {
case TPM2_ALG_SHA1:
return EVP_sha1();
- break;
case TPM2_ALG_SHA256:
return EVP_sha256();
- break;
case TPM2_ALG_SHA384:
return EVP_sha384();
- break;
case TPM2_ALG_SHA512:
return EVP_sha512();
- break;
default:
return NULL;
}
}
+#else
+static const char *
+get_ossl_hash_md(TPM2_ALG_ID hashAlg)
+{
+ switch (hashAlg) {
+ case TPM2_ALG_SHA1:
+ return "SHA1";
+ case TPM2_ALG_SHA256:
+ return "SHA256";
+ case TPM2_ALG_SHA384:
+ return "SHA384";
+ case TPM2_ALG_SHA512:
+ return "SHA512";
+ default:
+ return NULL;
+ }
+}
+#endif
+
+static int
+iesys_cryptossl_context_set_hash_md(IESYS_CRYPTOSSL_CONTEXT *ctx, TPM2_ALG_ID hashAlg) {
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ ctx->hash.ossl_hash_alg = get_ossl_hash_md(hashAlg);
+#else
+ const char *alg_name = get_ossl_hash_md(hashAlg);
+ if (!alg_name)
+ return 0;
+ ctx->hash.ossl_hash_alg = EVP_MD_fetch(ctx->hash.ossl_libctx, alg_name, NULL);
+#endif
+ if (!ctx->hash.ossl_hash_alg)
+ return 0;
+
+ return 1;
+}
/** Provide the context for the computation of a hash digest.
*
@@ -117,12 +180,12 @@ iesys_cryptossl_hash_start(IESYS_CRYPTO_CONTEXT_BLOB ** context,
LOG_TRACE("call: context=%p hashAlg=%"PRIu16, context, hashAlg);
return_if_null(context, "Context is NULL", TSS2_ESYS_RC_BAD_REFERENCE);
return_if_null(context, "Null-Pointer passed for context", TSS2_ESYS_RC_BAD_REFERENCE);
- IESYS_CRYPTOSSL_CONTEXT *mycontext;
- mycontext = calloc(1, sizeof(IESYS_CRYPTOSSL_CONTEXT));
+
+ IESYS_CRYPTOSSL_CONTEXT *mycontext = iesys_cryptossl_context_new();
return_if_null(mycontext, "Out of Memory", TSS2_ESYS_RC_MEMORY);
mycontext->type = IESYS_CRYPTOSSL_TYPE_HASH;
- if (!(mycontext->hash.ossl_hash_alg = get_ossl_hash_md(hashAlg))) {
+ if (!iesys_cryptossl_context_set_hash_md(mycontext, hashAlg)) {
goto_error(r, TSS2_ESYS_RC_NOT_IMPLEMENTED,
"Unsupported hash algorithm (%"PRIu16")", cleanup, hashAlg);
}
@@ -132,12 +195,12 @@ iesys_cryptossl_hash_start(IESYS_CRYPTO_CONTEXT_BLOB ** context,
"Unsupported hash algorithm (%"PRIu16")", cleanup, hashAlg);
}
- if (!(mycontext->hash.ossl_context = EVP_MD_CTX_create())) {
+ if (!(mycontext->hash.ossl_context = EVP_MD_CTX_create())) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Error EVP_MD_CTX_create", cleanup);
}
if (1 != EVP_DigestInit(mycontext->hash.ossl_context,
- mycontext->hash.ossl_hash_alg)) {
+ mycontext->hash.ossl_hash_alg)) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Errror EVP_DigestInit", cleanup);
}
@@ -146,9 +209,7 @@ iesys_cryptossl_hash_start(IESYS_CRYPTO_CONTEXT_BLOB ** context,
return TSS2_RC_SUCCESS;
cleanup:
- if (mycontext->hash.ossl_context)
- EVP_MD_CTX_destroy(mycontext->hash.ossl_context);
- SAFE_FREE(mycontext);
+ iesys_cryptossl_context_free(mycontext);
return r;
}
@@ -252,8 +313,8 @@ iesys_cryptossl_hash_finish(IESYS_CRYPTO_CONTEXT_BLOB ** context,
LOGBLOB_TRACE(buffer, mycontext->hash.hash_len, "read hash result");
*size = mycontext->hash.hash_len;
- EVP_MD_CTX_destroy(mycontext->hash.ossl_context);
- free(mycontext);
+
+ iesys_cryptossl_context_free(mycontext);
*context = NULL;
return TSS2_RC_SUCCESS;
@@ -279,8 +340,7 @@ iesys_cryptossl_hash_abort(IESYS_CRYPTO_CONTEXT_BLOB ** context)
return;
}
- EVP_MD_CTX_destroy(mycontext->hash.ossl_context);
- free(mycontext);
+ iesys_cryptossl_context_free(mycontext);
*context = NULL;
}
@@ -313,20 +373,20 @@ iesys_cryptossl_hmac_start(IESYS_CRYPTO_CONTEXT_BLOB ** context,
return_error(TSS2_ESYS_RC_BAD_REFERENCE,
"Null-Pointer passed in for context");
}
- IESYS_CRYPTOSSL_CONTEXT *mycontext = calloc(1, sizeof(IESYS_CRYPTOSSL_CONTEXT));
+ IESYS_CRYPTOSSL_CONTEXT *mycontext = iesys_cryptossl_context_new();
return_if_null(mycontext, "Out of Memory", TSS2_ESYS_RC_MEMORY);
- if (!(mycontext->hmac.ossl_hash_alg = get_ossl_hash_md(hashAlg))) {
+ if (!iesys_cryptossl_context_set_hash_md(mycontext, hashAlg)) {
goto_error(r, TSS2_ESYS_RC_NOT_IMPLEMENTED,
"Unsupported hash algorithm (%"PRIu16")", cleanup, hashAlg);
}
- if (iesys_crypto_hash_get_digest_size(hashAlg, &mycontext->hmac.hmac_len)) {
+ if (iesys_crypto_hash_get_digest_size(hashAlg, &mycontext->hash.hash_len)) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
"Unsupported hash algorithm (%"PRIu16")", cleanup, hashAlg);
}
- if (!(mycontext->hmac.ossl_context = EVP_MD_CTX_create())) {
+ if (!(mycontext->hash.ossl_context = EVP_MD_CTX_create())) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
"Error EVP_MD_CTX_create", cleanup);
}
@@ -341,8 +401,8 @@ iesys_cryptossl_hmac_start(IESYS_CRYPTO_CONTEXT_BLOB ** context,
"Failed to create HMAC key", cleanup);
}
- if(1 != EVP_DigestSignInit(mycontext->hmac.ossl_context, NULL,
- mycontext->hmac.ossl_hash_alg, NULL, hkey)) {
+ if(1 != EVP_DigestSignInit(mycontext->hash.ossl_context, NULL,
+ mycontext->hash.ossl_hash_alg, NULL, hkey)) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
"DigestSignInit", cleanup);
}
@@ -356,11 +416,9 @@ iesys_cryptossl_hmac_start(IESYS_CRYPTO_CONTEXT_BLOB ** context,
return TSS2_RC_SUCCESS;
cleanup:
- if (mycontext->hmac.ossl_context)
- EVP_MD_CTX_destroy(mycontext->hmac.ossl_context);
if(hkey)
EVP_PKEY_free(hkey);
- SAFE_FREE(mycontext);
+ iesys_cryptossl_context_free(mycontext);
return r;
}
@@ -391,7 +449,7 @@ iesys_cryptossl_hmac_update(IESYS_CRYPTO_CONTEXT_BLOB * context,
LOGBLOB_TRACE(buffer, size, "Updating hmac with");
/* Call update with the message */
- if(1 != EVP_DigestSignUpdate(mycontext->hmac.ossl_context, buffer, size)) {
+ if(1 != EVP_DigestSignUpdate(mycontext->hash.ossl_context, buffer, size)) {
return_error(TSS2_ESYS_RC_GENERAL_FAILURE, "OSSL HMAC update");
}
@@ -448,19 +506,18 @@ iesys_cryptossl_hmac_finish(IESYS_CRYPTO_CONTEXT_BLOB ** context,
return_error(TSS2_ESYS_RC_BAD_REFERENCE, "bad context");
}
- if (*size < mycontext->hmac.hmac_len) {
+ if (*size < mycontext->hash.hash_len) {
return_error(TSS2_ESYS_RC_BAD_SIZE, "Buffer too small");
}
- if (1 != EVP_DigestSignFinal(mycontext->hmac.ossl_context, buffer, size)) {
+ if (1 != EVP_DigestSignFinal(mycontext->hash.ossl_context, buffer, size)) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "DigestSignFinal", cleanup);
}
LOGBLOB_TRACE(buffer, *size, "read hmac result");
cleanup:
- EVP_MD_CTX_destroy(mycontext->hmac.ossl_context);
- SAFE_FREE(mycontext);
+ iesys_cryptossl_context_free(mycontext);
*context = NULL;
return r;
}
@@ -510,9 +567,7 @@ iesys_cryptossl_hmac_abort(IESYS_CRYPTO_CONTEXT_BLOB ** context)
return;
}
- EVP_MD_CTX_destroy(mycontext->hmac.ossl_context);
-
- free(mycontext);
+ iesys_cryptossl_context_free(mycontext);
*context = NULL;
}
}
@@ -529,9 +584,14 @@ iesys_cryptossl_hmac_abort(IESYS_CRYPTO_CONTEXT_BLOB ** context)
TSS2_RC
iesys_cryptossl_random2b(TPM2B_NONCE * nonce, size_t num_bytes)
{
+ int rc;
#if OPENSSL_VERSION_NUMBER < 0x30000000L
const RAND_METHOD *rand_save = RAND_get_rand_method();
RAND_set_rand_method(RAND_OpenSSL());
+#else
+ OSSL_LIB_CTX *libctx = OSSL_LIB_CTX_new();
+ if (!libctx)
+ return TSS2_ESYS_RC_MEMORY;
#endif
if (num_bytes == 0) {
@@ -540,16 +600,16 @@ iesys_cryptossl_random2b(TPM2B_NONCE * nonce, size_t num_bytes)
nonce->size = num_bytes;
}
- if (1 != RAND_bytes(&nonce->buffer[0], nonce->size)) {
#if OPENSSL_VERSION_NUMBER < 0x30000000L
- RAND_set_rand_method(rand_save);
+ rc = RAND_bytes(&nonce->buffer[0], nonce->size);
+ RAND_set_rand_method(rand_save);
+#else
+ rc = RAND_bytes_ex(libctx, &nonce->buffer[0], nonce->size, 0);
+ OSSL_LIB_CTX_free(libctx);
#endif
+ if (rc != 1)
return_error(TSS2_ESYS_RC_GENERAL_FAILURE,
"Failure in random number generator.");
- }
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
- RAND_set_rand_method(rand_save);
-#endif
return TSS2_RC_SUCCESS;
}
@@ -578,28 +638,37 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
{
#if OPENSSL_VERSION_NUMBER < 0x30000000L
RSA *rsa_key = NULL;
+ const EVP_MD * hashAlg = NULL;
const RAND_METHOD *rand_save = RAND_get_rand_method();
RAND_set_rand_method(RAND_OpenSSL());
#else
+ OSSL_LIB_CTX *libctx = NULL;
+ EVP_MD * hashAlg = NULL;
OSSL_PARAM *params = NULL;
OSSL_PARAM_BLD *build = NULL;
#endif
TSS2_RC r = TSS2_RC_SUCCESS;
- const EVP_MD * hashAlg = NULL;
EVP_PKEY *evp_rsa_key = NULL;
EVP_PKEY_CTX *genctx = NULL, *ctx = NULL;
BIGNUM *bne = NULL, *n = NULL;
int padding;
char *label_copy = NULL;
- if (!(hashAlg = get_ossl_hash_md(pub_tpm_key->publicArea.nameAlg))) {
- LOG_ERROR("Unsupported hash algorithm (%"PRIu16")",
- pub_tpm_key->publicArea.nameAlg);
#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ if (!(hashAlg = get_ossl_hash_md(pub_tpm_key->publicArea.nameAlg))) {
RAND_set_rand_method(rand_save);
+#else
+ if (!(libctx = OSSL_LIB_CTX_new()))
+ return TSS2_ESYS_RC_MEMORY;
+
+ if (!(hashAlg = EVP_MD_fetch(libctx,
+ get_ossl_hash_md(pub_tpm_key->publicArea.nameAlg), NULL))) {
+ OSSL_LIB_CTX_free(libctx);
#endif
+ LOG_ERROR("Unsupported hash algorithm (%"PRIu16")",
+ pub_tpm_key->publicArea.nameAlg);
return TSS2_ESYS_RC_NOT_IMPLEMENTED;
}
@@ -673,7 +742,7 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
cleanup);
}
- if ((genctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL)) == NULL
+ if ((genctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA", NULL)) == NULL
|| EVP_PKEY_fromdata_init(genctx) <= 0
|| EVP_PKEY_fromdata(genctx, &evp_rsa_key, EVP_PKEY_PUBLIC_KEY, params) <= 0) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Could not create rsa key.",
@@ -744,6 +813,8 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
#else
OSSL_FREE(params, OSSL_PARAM);
OSSL_FREE(build, OSSL_PARAM_BLD);
+ OSSL_FREE(hashAlg, EVP_MD);
+ OSSL_FREE(libctx, OSSL_LIB_CTX);
#endif
return r;
}
diff --git a/src/tss2-fapi/fapi_crypto.c b/src/tss2-fapi/fapi_crypto.c
index 9c7e566c..d061cf48 100644
--- a/src/tss2-fapi/fapi_crypto.c
+++ b/src/tss2-fapi/fapi_crypto.c
@@ -48,14 +48,34 @@
/** Context to hold temporary values for ifapi_crypto */
typedef struct _IFAPI_CRYPTO_CONTEXT {
- /** The hash engine's context */
- EVP_MD_CTX *osslContext;
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
/** The currently used hash algorithm */
const EVP_MD *osslHashAlgorithm;
+#else
+ OSSL_LIB_CTX *libctx;
+ /** The currently used hash algorithm */
+ EVP_MD *osslHashAlgorithm;
+#endif
+ /** The hash engine's context */
+ EVP_MD_CTX *osslContext;
/** The size of the hash's digest */
size_t hashSize;
} IFAPI_CRYPTO_CONTEXT;
+static void
+ifapi_crypto_context_free(IFAPI_CRYPTO_CONTEXT *ctx)
+{
+ if (!ctx)
+ return;
+
+ EVP_MD_CTX_destroy(ctx->osslContext);
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ EVP_MD_free(ctx->osslHashAlgorithm);
+ OSSL_LIB_CTX_free(ctx->libctx);
+#endif
+ SAFE_FREE(ctx);
+}
+
/**
* Returns the signature scheme that is currently used in the FAPI context.
*
@@ -225,6 +245,33 @@ ifapi_bn2binpad(const BIGNUM *bn, unsigned char *bin, int binSize)
return 1;
}
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+/**
+ * Converts a TSS hash algorithm identifier into an OpenSSL hash algorithm
+ * identifier object.
+ *
+ * @param[in] hashAlgorithm The TSS hash algorithm identifier to convert
+ *
+ * @retval A suitable OpenSSL identifier object if one could be found
+ * @retval NULL if no suitable identifier object could be found
+ */
+static const EVP_MD *
+get_ossl_hash_md(TPM2_ALG_ID hashAlgorithm)
+{
+ switch (hashAlgorithm) {
+ case TPM2_ALG_SHA1:
+ return EVP_sha1();
+ case TPM2_ALG_SHA256:
+ return EVP_sha256();
+ case TPM2_ALG_SHA384:
+ return EVP_sha384();
+ case TPM2_ALG_SHA512:
+ return EVP_sha512();
+ default:
+ return NULL;
+ }
+}
+#else
/**
* Returns a suitable openSSL hash algorithm identifier for a given TSS hash
* algorithm identifier.
@@ -235,22 +282,23 @@ ifapi_bn2binpad(const BIGNUM *bn, unsigned char *bin, int binSize)
* hashAlgorithm could be found
* @retval NULL if no suitable hash algorithm identifier could be found
*/
-static const EVP_MD *
+static const char *
get_hash_md(TPM2_ALG_ID hashAlgorithm)
{
switch (hashAlgorithm) {
case TPM2_ALG_SHA1:
- return EVP_sha1();
+ return "SHA1";
case TPM2_ALG_SHA256:
- return EVP_sha256();
+ return "SHA256";
case TPM2_ALG_SHA384:
- return EVP_sha384();
+ return "SHA384";
case TPM2_ALG_SHA512:
- return EVP_sha512();
+ return "SHA512";
default:
return NULL;
}
}
+#endif
/**
* Returns a suitable openSSL RSA signature scheme identifiver for a given TSS
@@ -1274,6 +1322,9 @@ ifapi_verify_signature_quote(
BIO *bufio = NULL;
EVP_PKEY_CTX *pctx = NULL;
EVP_MD_CTX *mdctx = NULL;
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ OSSL_LIB_CTX *libctx = NULL;
+#endif
/* Check whether or not the key is valid */
if (keyObject->objectType == IFAPI_KEY_OBJ) {
@@ -1304,8 +1355,8 @@ ifapi_verify_signature_quote(
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "EVP_MD_CTX_create",
error_cleanup);
}
-
- const EVP_MD *hashAlgorithm = get_hash_md(signatureScheme->details.any.hashAlg);
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ const EVP_MD *hashAlgorithm = get_ossl_hash_md(signatureScheme->details.any.hashAlg);
if (!hashAlgorithm) {
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Invalid hash alg.",
error_cleanup);
@@ -1316,6 +1367,26 @@ ifapi_verify_signature_quote(
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "EVP_DigestVerifyInit",
error_cleanup);
}
+#else
+ const char *hashAlgorithm = get_hash_md(signatureScheme->details.any.hashAlg);
+ if (!hashAlgorithm) {
+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Invalid hash alg.",
+ error_cleanup);
+ }
+
+ /* The TPM2 provider may be loaded in the global library context.
+ * As we don't want the TPM to be called for these operations, we have
+ * to initialize own library context with the default provider. */
+ libctx = OSSL_LIB_CTX_new();
+ goto_if_null(libctx, "Out of memory", TSS2_FAPI_RC_MEMORY, error_cleanup);
+
+ /* Verify the digest of the signature */
+ if (1 != EVP_DigestVerifyInit_ex(mdctx, &pctx, hashAlgorithm, libctx,
+ NULL, publicKey, NULL)) {
+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "EVP_DigestVerifyInit_ex",
+ error_cleanup);
+ }
+#endif
goto_if_null(pctx, "Out of memory", TSS2_FAPI_RC_MEMORY, error_cleanup);
if (EVP_PKEY_type(EVP_PKEY_id(publicKey)) == EVP_PKEY_RSA) {
int padding = get_sig_scheme(signatureScheme->scheme);
@@ -1339,12 +1410,13 @@ ifapi_verify_signature_quote(
}
error_cleanup:
- if (mdctx != NULL) {
- EVP_MD_CTX_destroy(mdctx);
- }
+ EVP_MD_CTX_destroy(mdctx);
SAFE_FREE(public_pem_key);
EVP_PKEY_free(publicKey);
BIO_free(bufio);
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ OSSL_LIB_CTX_free(libctx);
+#endif
return r;
}
@@ -1464,36 +1536,6 @@ ifapi_hash_get_digest_size(TPM2_ALG_ID hashAlgorithm)
}
}
-/**
- * Converts a TSS hash algorithm identifier into an OpenSSL hash algorithm
- * identifier object.
- *
- * @param[in] hashAlgorithm The TSS hash algorithm identifier to convert
- *
- * @retval A suitable OpenSSL identifier object if one could be found
- * @retval NULL if no suitable identifier object could be found
- */
-static const EVP_MD *
-get_ossl_hash_md(TPM2_ALG_ID hashAlgorithm)
-{
- switch (hashAlgorithm) {
- case TPM2_ALG_SHA1:
- return EVP_sha1();
- break;
- case TPM2_ALG_SHA256:
- return EVP_sha256();
- break;
- case TPM2_ALG_SHA384:
- return EVP_sha384();
- break;
- case TPM2_ALG_SHA512:
- return EVP_sha512();
- break;
- default:
- return NULL;
- }
-}
-
/**
* Starts the computation of a hash digest.
*
@@ -1520,11 +1562,26 @@ ifapi_crypto_hash_start(IFAPI_CRYPTO_CONTEXT_BLOB **context,
mycontext = calloc(1, sizeof(IFAPI_CRYPTO_CONTEXT));
return_if_null(mycontext, "Out of memory", TSS2_FAPI_RC_MEMORY);
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
if (!(mycontext->osslHashAlgorithm = get_ossl_hash_md(hashAlgorithm))) {
goto_error(r, TSS2_FAPI_RC_BAD_VALUE,
"Unsupported hash algorithm (%" PRIu16 ")", cleanup,
hashAlgorithm);
}
+#else
+ /* The TPM2 provider may be loaded in the global library context.
+ * As we don't want the TPM to be called for these operations, we have
+ * to initialize own library context with the default provider. */
+ mycontext->libctx = OSSL_LIB_CTX_new();
+ return_if_null(mycontext->libctx, "Out of memory", TSS2_FAPI_RC_MEMORY);
+
+ if (!(mycontext->osslHashAlgorithm =
+ EVP_MD_fetch(mycontext->libctx, get_hash_md(hashAlgorithm), NULL))) {
+ goto_error(r, TSS2_FAPI_RC_BAD_VALUE,
+ "Unsupported hash algorithm (%" PRIu16 ")", cleanup,
+ hashAlgorithm);
+ }
+#endif
if (!(mycontext->hashSize = ifapi_hash_get_digest_size(hashAlgorithm))) {
goto_error(r, TSS2_FAPI_RC_BAD_VALUE,
@@ -1548,10 +1605,7 @@ ifapi_crypto_hash_start(IFAPI_CRYPTO_CONTEXT_BLOB **context,
return TSS2_RC_SUCCESS;
cleanup:
- if (mycontext->osslContext)
- EVP_MD_CTX_destroy(mycontext->osslContext);
- SAFE_FREE(mycontext);
-
+ ifapi_crypto_context_free(mycontext);
return r;
}
@@ -1630,8 +1684,7 @@ ifapi_crypto_hash_finish(IFAPI_CRYPTO_CONTEXT_BLOB **context,
}
/* Finalize the hash context */
- EVP_MD_CTX_destroy(mycontext->osslContext);
- free(mycontext);
+ ifapi_crypto_context_free(mycontext);
*context = NULL;
return TSS2_RC_SUCCESS;
@@ -1653,8 +1706,7 @@ ifapi_crypto_hash_abort(IFAPI_CRYPTO_CONTEXT_BLOB **context)
}
IFAPI_CRYPTO_CONTEXT *mycontext = (IFAPI_CRYPTO_CONTEXT *) * context;
- EVP_MD_CTX_destroy(mycontext->osslContext);
- free(mycontext);
+ ifapi_crypto_context_free(mycontext);
*context = NULL;
}
--
2.34.3

70
SOURCES/0006-FAPI-Add-policy-computation-for-create-primary.patch
View File

@ -1,70 +0,0 @@
From 5ecd682797d2744d4a03c82ee5907db6766bcff1 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
Date: Tue, 12 Oct 2021 11:19:41 +0200
Subject: [PATCH 06/23] FAPI: Add policy computation for create primary.
The policy digest for primary keys was only computed for keys created during provisioning.
Now the policy digest is also computed for primary keys create with Fapi_CreateKey.
Fixes #2175.
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
---
src/tss2-fapi/fapi_int.h | 1 +
src/tss2-fapi/fapi_util.c | 29 +++++++++++++++++++++++++++++
2 files changed, 30 insertions(+)
diff --git a/src/tss2-fapi/fapi_int.h b/src/tss2-fapi/fapi_int.h
index 13c0333e..d13ec413 100644
--- a/src/tss2-fapi/fapi_int.h
+++ b/src/tss2-fapi/fapi_int.h
@@ -341,6 +341,7 @@ enum IFAPI_KEY_CREATE_STATE {
KEY_CREATE_FLUSH1,
KEY_CREATE_FLUSH2,
KEY_CREATE_CALCULATE_POLICY,
+ KEY_CREATE_PRIMARY_CALCULATE_POLICY,
KEY_CREATE_WAIT_FOR_AUTHORIZATION,
KEY_CREATE_CLEANUP,
KEY_CREATE_WAIT_FOR_RANDOM,
diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
index a5fc28a3..a0fd714e 100644
--- a/src/tss2-fapi/fapi_util.c
+++ b/src/tss2-fapi/fapi_util.c
@@ -4539,6 +4539,35 @@ ifapi_create_primary(
"hierarchy.", error_cleanup);
}
+ if (context->cmd.Key_Create.policyPath
+ && strcmp(context->cmd.Key_Create.policyPath, "") != 0)
+ context->cmd.Key_Create.state = KEY_CREATE_PRIMARY_CALCULATE_POLICY;
+ /* else jump over to KEY_CREATE_PRIMARY_WAIT_FOR_SESSION below */
+ /* FALLTHRU */
+ case KEY_CREATE_PRIMARY_CALCULATE_POLICY:
+ if (context->cmd.Key_Create.state == KEY_CREATE_PRIMARY_CALCULATE_POLICY) {
+ r = ifapi_calculate_tree(context, context->cmd.Key_Create.policyPath,
+ &context->policy.policy,
+ context->cmd.Key_Create.public_templ.public.publicArea.nameAlg,
+ &context->policy.digest_idx,
+ &context->policy.hash_size);
+ return_try_again(r);
+ goto_if_error2(r, "Calculate policy tree %s", error_cleanup,
+ context->cmd.Key_Create.policyPath);
+
+ /* Store the calculated policy in the key object */
+ object->policy = calloc(1, sizeof(TPMS_POLICY));
+ return_if_null(object->policy, "Out of memory",
+ TSS2_FAPI_RC_MEMORY);
+ *(object->policy) = context->policy.policy;
+
+ context->cmd.Key_Create.public_templ.public.publicArea.authPolicy.size =
+ context->policy.hash_size;
+ memcpy(&context->cmd.Key_Create.public_templ.public.publicArea.authPolicy.buffer[0],
+ &context->policy.policy.policyDigests.digests[context->policy.digest_idx].digest,
+ context->policy.hash_size);
+ }
+
r = ifapi_get_sessions_async(context,
IFAPI_SESSION_GENEK | IFAPI_SESSION1,
TPMA_SESSION_ENCRYPT | TPMA_SESSION_DECRYPT, 0);
--
2.34.3

61
SOURCES/0006-FAPI-Fix-usage-of-persistent-handles.patch Normal file
View File

@ -0,0 +1,61 @@
From db8ccb1df778dc92d1be88a88ddcd9d6c92c3e63 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Mon, 3 Apr 2023 21:21:55 +0200
Subject: [PATCH 06/10] FAPI: Fix usage of persistent handles.
* Evict control for persistent keys created with Fapi_CreateKey was
called with the wrong handle.
* If Fapi_Quote was executed with a primary key for this key flush
context was called.
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-fapi/api/Fapi_Quote.c | 14 +++++++++-----
src/tss2-fapi/fapi_util.c | 1 +
2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/src/tss2-fapi/api/Fapi_Quote.c b/src/tss2-fapi/api/Fapi_Quote.c
index b71267a7..61e4e3db 100644
--- a/src/tss2-fapi/api/Fapi_Quote.c
+++ b/src/tss2-fapi/api/Fapi_Quote.c
@@ -392,16 +392,20 @@ Fapi_Quote_Finish(
goto_if_error(r, "Error: PCR_Quote", error_cleanup);
/* Flush the key used for the quote. */
- r = Esys_FlushContext_Async(context->esys, command->handle);
- goto_if_error(r, "Error: FlushContext", error_cleanup);
+ if (!command->key_object->misc.key.persistent_handle) {
+ r = Esys_FlushContext_Async(context->esys, command->handle);
+ goto_if_error(r, "Error: FlushContext", error_cleanup);
+ }
command->handle = ESYS_TR_NONE;
fallthrough;
statecase(context->state, PCR_QUOTE_WAIT_FOR_FLUSH);
- r = Esys_FlushContext_Finish(context->esys);
- return_try_again(r);
- goto_if_error(r, "Error: Sign", error_cleanup);
+ if (!command->key_object->misc.key.persistent_handle) {
+ r = Esys_FlushContext_Finish(context->esys);
+ return_try_again(r);
+ goto_if_error(r, "Error: Sign", error_cleanup);
+ }
sig_key_object = command->key_object;
/* Convert the TPM-encoded signature into something useful for the caller. */
diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
index ef4a92d0..49f7dd07 100644
--- a/src/tss2-fapi/fapi_util.c
+++ b/src/tss2-fapi/fapi_util.c
@@ -4746,6 +4746,7 @@ ifapi_create_primary(
statecase(context->cmd.Key_Create.state, KEY_CREATE_PRIMARY_WAIT_FOR_AUTHORIZE2);
if (template->persistent_handle) {
+ object->misc.key.persistent_handle = template->persistent_handle;
r = ifapi_authorize_object(context, hierarchy, &auth_session);
FAPI_SYNC(r, "Authorize hierarchy.", error_cleanup);
--
2.41.0

47
SOURCES/0006-FAPI-Test-Use-EVP_PKEY_base_id-to-detect-key-type.patch
View File

@ -1,47 +0,0 @@
From 6e9c46f8c3bf91aac51b668fa78c3173c885760c Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Sat, 17 Jul 2021 21:29:25 +0200
Subject: FAPI Test: Use EVP_PKEY_base_id to detect key type
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The EVP_PKEY_base_id is the right way to detect key type, used also
by OpenSSL itself.
This function is available since OpenSSL 1.0.0.
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
test/integration/fapi-data-crypt.int.c | 2 +-
test/integration/fapi-key-create-policy-signed.int.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/test/integration/fapi-data-crypt.int.c b/test/integration/fapi-data-crypt.int.c
index d42466db..a95cc9ef 100644
--- a/test/integration/fapi-data-crypt.int.c
+++ b/test/integration/fapi-data-crypt.int.c
@@ -133,7 +133,7 @@ signatureCallback(
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.",
error_cleanup);
}
- if (EVP_PKEY_type(EVP_PKEY_id(priv_key)) == EVP_PKEY_RSA) {
+ if (EVP_PKEY_base_id(priv_key) == EVP_PKEY_RSA) {
int signing_scheme = RSA_SIG_SCHEME;
if (1 != EVP_PKEY_CTX_set_rsa_padding(pctx, signing_scheme)) {
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL set RSA padding.",
diff --git a/test/integration/fapi-key-create-policy-signed.int.c b/test/integration/fapi-key-create-policy-signed.int.c
index b903dec0..8f917d35 100644
--- a/test/integration/fapi-key-create-policy-signed.int.c
+++ b/test/integration/fapi-key-create-policy-signed.int.c
@@ -148,7 +148,7 @@ signatureCallback(
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.",
error_cleanup);
}
- if (EVP_PKEY_type(EVP_PKEY_id(priv_key)) == EVP_PKEY_RSA) {
+ if (EVP_PKEY_base_id(priv_key) == EVP_PKEY_RSA) {
int signing_scheme = RSA_SIG_SCHEME;
if (1 != EVP_PKEY_CTX_set_rsa_padding(pctx, signing_scheme)) {
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL set RSA padding.",
--
2.26.3

137
SOURCES/0007-FAPI-Fix-loading-of-primary-keys.patch
View File

@ -1,137 +0,0 @@
From 517e94ee72b286e9942a5a6ecbffd05fc0b0bcf5 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
Date: Fri, 5 Nov 2021 23:08:47 +0100
Subject: [PATCH 07/23] FAPI: Fix loading of primary keys.
Problems caused by primary keys created with Fapi_CreateKey are fixed:
* For primary keys not in all cases the unique field was cleared before calling create
primary.
* If the primary key was used for signing the object was cleared after loading. So
access e.g. to the certificate did not work.
* For primary keys created with Fapi_Create with an auth value the auth_value was
not used in inSensitive to recreate the primary key. Now the auth value callback
is used to initialize inSensitive.
Fixes #2189.
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
---
src/tss2-fapi/fapi_int.h | 1 +
src/tss2-fapi/fapi_util.c | 62 +++++++++++++++++++++++++++++++++++++--
2 files changed, 60 insertions(+), 3 deletions(-)
diff --git a/src/tss2-fapi/fapi_int.h b/src/tss2-fapi/fapi_int.h
index d13ec413..7bcf442c 100644
--- a/src/tss2-fapi/fapi_int.h
+++ b/src/tss2-fapi/fapi_int.h
@@ -768,6 +768,7 @@ enum _FAPI_STATE_PRIMARY {
PRIMARY_READ_HIERARCHY,
PRIMARY_READ_HIERARCHY_FINISH,
PRIMARY_AUTHORIZE_HIERARCHY,
+ PRIMARY_GET_AUTH_VALUE,
PRIMARY_WAIT_FOR_PRIMARY,
PRIMARY_HAUTH_SENT,
PRIMARY_CREATED,
diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
index a0fd714e..90f8b2aa 100644
--- a/src/tss2-fapi/fapi_util.c
+++ b/src/tss2-fapi/fapi_util.c
@@ -362,6 +362,52 @@ ifapi_get_object_path(IFAPI_OBJECT *object)
return NULL;
}
+/** Set authorization value for a primary key to be created.
+ *
+ * The callback which provides the auth value must be defined.
+ *
+ * @param[in,out] context The FAPI_CONTEXT.
+ * @param[in] object The auth value will be assigned to this object.
+ * @param[in,out] inSensitive The sensitive data to store the auth value.
+ *
+ * @retval TSS2_RC_SUCCESS on success.
+ * @retval TSS2_FAPI_RC_AUTHORIZATION_UNKNOWN If the callback for getting
+ * the auth value is not defined.
+ */
+TSS2_RC
+ifapi_set_auth_primary(
+ FAPI_CONTEXT *context,
+ IFAPI_OBJECT *object,
+ TPMS_SENSITIVE_CREATE *inSensitive)
+{
+ TSS2_RC r;
+ const char *auth = NULL;
+ const char *obj_path;
+
+ memset(inSensitive, 0, sizeof(TPMS_SENSITIVE_CREATE));
+
+ if (!object->misc.key.with_auth) {
+ return TSS2_RC_SUCCESS;
+ }
+
+ obj_path = ifapi_get_object_path(object);
+
+ /* Check whether callback is defined. */
+ if (context->callbacks.auth) {
+ r = context->callbacks.auth(obj_path, object->misc.key.description,
+ &auth, context->callbacks.authData);
+ return_if_error(r, "AuthCallback");
+ if (auth != NULL) {
+ inSensitive->userAuth.size = strlen(auth);
+ memcpy(&inSensitive->userAuth.buffer[0], auth,
+ inSensitive->userAuth.size);
+ }
+ return TSS2_RC_SUCCESS;
+ }
+ SAFE_FREE(auth);
+ return_error( TSS2_FAPI_RC_AUTHORIZATION_UNKNOWN, "Authorization callback not defined.");
+}
+
/** Set authorization value for a FAPI object.
*
* The callback which provides the auth value must be defined.
@@ -848,7 +894,7 @@ ifapi_load_primary_finish(FAPI_CONTEXT *context, ESYS_TR *handle)
IFAPI_KEY *pkey = &context->createPrimary.pkey_object.misc.key;
TPMS_CAPABILITY_DATA **capabilityData = &context->createPrimary.capabilityData;
TPMI_YES_NO moreData;
- ESYS_TR auth_session;
+ ESYS_TR auth_session = ESYS_TR_NONE; /* Initialized due to scanbuild */
LOG_TRACE("call");
@@ -923,12 +969,23 @@ ifapi_load_primary_finish(FAPI_CONTEXT *context, ESYS_TR *handle)
memset(&context->createPrimary.inSensitive, 0, sizeof(TPM2B_SENSITIVE_CREATE));
memset(&context->createPrimary.outsideInfo, 0, sizeof(TPM2B_DATA));
memset(&context->createPrimary.creationPCR, 0, sizeof(TPML_PCR_SELECTION));
+ fallthrough;
+
+ statecase(context->primary_state, PRIMARY_GET_AUTH_VALUE);
+ /* Get the auth value to be stored in inSensitive */
+ r = ifapi_set_auth_primary(context, pkey_object,
+ &context->createPrimary.inSensitive.sensitive);
+ return_try_again(r);
+ goto_if_error_reset_state(r, "Get auth value for primary", error_cleanup);
/* Prepare primary creation. */
+ TPM2B_PUBLIC public = pkey->public;
+ memset(&public.publicArea.unique, 0, sizeof(TPMU_PUBLIC_ID));
+
r = Esys_CreatePrimary_Async(context->esys, hierarchy->handle,
auth_session, ESYS_TR_NONE, ESYS_TR_NONE,
&context->createPrimary.inSensitive,
- &pkey->public,
+ &public,
&context->createPrimary.outsideInfo,
&context->createPrimary.creationPCR);
return_if_error(r, "CreatePrimary");
@@ -1905,7 +1962,6 @@ ifapi_load_key_finish(FAPI_CONTEXT *context, bool flush_parent)
} else {
LOG_TRACE("success");
ifapi_cleanup_ifapi_object(context->loadKey.key_object);
- ifapi_cleanup_ifapi_object(&context->loadKey.auth_object);
return TSS2_RC_SUCCESS;
}
break;
--
2.34.3

100
SOURCES/0007-FAPI-Test-Change-RSA_sign-to-EVP_PKEY_sign.patch
View File

@ -1,100 +0,0 @@
From 9ca735ab8f71a6b64f31867e55d43f3f5a51bfec Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Sun, 18 Jul 2021 11:54:50 +0200
Subject: FAPI Test: Change RSA_sign to EVP_PKEY_sign
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The EVP_PKEY_sign functions are available since OpenSSL 1.0.0.
The RSA_sign function is deprecated in OpenSSL 3.0.0.
This PR should work with OpenSSL 1.0.0 through 3.0.0.
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
test/integration/fapi-ext-public-key.int.c | 38 +++++++++++-----------
1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/test/integration/fapi-ext-public-key.int.c b/test/integration/fapi-ext-public-key.int.c
index 363c58b7..971d7897 100644
--- a/test/integration/fapi-ext-public-key.int.c
+++ b/test/integration/fapi-ext-public-key.int.c
@@ -49,7 +49,7 @@ test_fapi_ext_public_key(FAPI_CONTEXT *context)
BIO *bufio = NULL;
EVP_PKEY *evp_key = NULL;
- RSA *rsa_key = NULL;
+ EVP_PKEY_CTX *ctx = NULL;
/* Key will be used for non TPM signature verfication. */
char *pubkey_pem =
@@ -186,10 +186,8 @@ test_fapi_ext_public_key(FAPI_CONTEXT *context)
bufio = BIO_new_mem_buf((void *)priv_pem, strlen(priv_pem));
evp_key = PEM_read_bio_PrivateKey(bufio, NULL, NULL, NULL);
- rsa_key = EVP_PKEY_get1_RSA(evp_key);
-
- if (!bufio || !evp_key || !rsa_key) {
+ if (!bufio || !evp_key) {
LOG_ERROR("Generation of test key failed.");
goto error;
}
@@ -199,10 +197,20 @@ test_fapi_ext_public_key(FAPI_CONTEXT *context)
0x25, 0x71, 0x78, 0x50, 0xc2, 0x6c, 0x9c, 0xd0, 0xd8, 0x9d
};
uint8_t signature[256];
- unsigned int signatureLength = 256;
+ size_t signatureLength = 256;
- if (!RSA_sign(NID_sha1, digest, 20, signature, &signatureLength, rsa_key)) {
- LOG_ERROR("Test RSA_sign failed.");
+ if ((ctx = EVP_PKEY_CTX_new(evp_key, NULL)) == NULL) {
+ LOG_ERROR("Test EVP_PKEY_CTX_new failed.");
+ goto error;
+ }
+ if (EVP_PKEY_sign_init(ctx) <= 0
+ || EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0
+ || EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha1()) <= 0) {
+ LOG_ERROR("Test EVP_PKEY_sign_init failed.");
+ goto error;
+ }
+ if (EVP_PKEY_sign(ctx, signature, &signatureLength, digest, 20) <= 0) {
+ LOG_ERROR("Test EVP_PKEY_sign failed.");
goto error;
}
@@ -243,12 +251,8 @@ test_fapi_ext_public_key(FAPI_CONTEXT *context)
if (bufio) {
BIO_free(bufio);
}
- if (evp_key) {
- EVP_PKEY_free(evp_key);
- }
- if (rsa_key) {
- RSA_free(rsa_key);
- }
+ EVP_PKEY_CTX_free(ctx);
+ EVP_PKEY_free(evp_key);
SAFE_FREE(path_list);
SAFE_FREE(cert2);
return EXIT_SUCCESS;
@@ -258,12 +262,8 @@ error:
if (bufio) {
BIO_free(bufio);
}
- if (evp_key) {
- EVP_PKEY_free(evp_key);
- }
- if (rsa_key) {
- RSA_free(rsa_key);
- }
+ EVP_PKEY_CTX_free(ctx);
+ EVP_PKEY_free(evp_key);
SAFE_FREE(path_list);
SAFE_FREE(cert2);
return EXIT_FAILURE;
--
2.26.3

62
SOURCES/0007-build-Fix-failed-build-with-disable-vendor.patch Normal file
View File

@ -0,0 +1,62 @@
From e46840f3ec5932f3f9206f3eab903d82b7a977db Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Mon, 27 Feb 2023 18:00:54 +0100
Subject: [PATCH 07/10] build: Fix failed build with --disable-vendor
The compilation of the marshaling functions for TPML_INTEL_PTT_PROPERTY
is now disabled for builds with --disable-vendor.
Fixes: #2571
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
include/tss2/tss2_tpm2_types.h | 2 ++
src/tss2-mu/tpml-types.c | 2 ++
tss2-dlopen/tss2-dlopen-mu.c | 2 ++
3 files changed, 6 insertions(+)
diff --git a/include/tss2/tss2_tpm2_types.h b/include/tss2/tss2_tpm2_types.h
index 96286fb7..39a6978c 100644
--- a/include/tss2/tss2_tpm2_types.h
+++ b/include/tss2/tss2_tpm2_types.h
@@ -63,7 +63,9 @@
#define TPM2_PRIVATE_VENDOR_SPECIFIC_BYTES ((TPM2_MAX_RSA_KEY_BYTES / 2) * (3 + 2))
/* Vendor Specific Defines */
+#ifndef DISABLE_VENDOR
#define TPM2_MAX_PTT_PROPERTIES (TPM2_MAX_CAP_BUFFER / sizeof(UINT32))
+#endif
/* Attached Component Capabilities */
#define TPM2_MAX_AC_CAPABILITIES (TPM2_MAX_CAP_BUFFER / sizeof(TPMS_AC_OUTPUT))
diff --git a/src/tss2-mu/tpml-types.c b/src/tss2-mu/tpml-types.c
index 60f85a8c..1df9bbb8 100644
--- a/src/tss2-mu/tpml-types.c
+++ b/src/tss2-mu/tpml-types.c
@@ -175,8 +175,10 @@ TPML_MARSHAL(TPML_PCR_SELECTION, Tss2_MU_TPMS_PCR_SELECTION_Marshal, pcrSelectio
TPML_UNMARSHAL(TPML_PCR_SELECTION, Tss2_MU_TPMS_PCR_SELECTION_Unmarshal, pcrSelections)
TPML_MARSHAL(TPML_DIGEST_VALUES, Tss2_MU_TPMT_HA_Marshal, digests, ADDR)
TPML_UNMARSHAL(TPML_DIGEST_VALUES, Tss2_MU_TPMT_HA_Unmarshal, digests)
+#ifndef DISABLE_VENDOR
TPML_MARSHAL(TPML_INTEL_PTT_PROPERTY, Tss2_MU_UINT32_Marshal, property, VAL)
TPML_UNMARSHAL(TPML_INTEL_PTT_PROPERTY, Tss2_MU_UINT32_Unmarshal, property)
+#endif
TPML_MARSHAL(TPML_AC_CAPABILITIES, Tss2_MU_TPMS_AC_OUTPUT_Marshal, acCapabilities, ADDR)
TPML_UNMARSHAL(TPML_AC_CAPABILITIES, Tss2_MU_TPMS_AC_OUTPUT_Unmarshal, acCapabilities)
TPML_MARSHAL(TPML_TAGGED_POLICY, Tss2_MU_TPMS_TAGGED_POLICY_Marshal, policies, ADDR)
diff --git a/tss2-dlopen/tss2-dlopen-mu.c b/tss2-dlopen/tss2-dlopen-mu.c
index 2297818b..21cd1123 100644
--- a/tss2-dlopen/tss2-dlopen-mu.c
+++ b/tss2-dlopen/tss2-dlopen-mu.c
@@ -254,7 +254,9 @@ MAKE_MU_STRUCT(TPML_ALG_PROPERTY);
MAKE_MU_STRUCT(TPML_ECC_CURVE);
MAKE_MU_STRUCT(TPML_TAGGED_PCR_PROPERTY);
MAKE_MU_STRUCT(TPML_TAGGED_TPM_PROPERTY);
+#ifndef DISABLE_VENDOR
MAKE_MU_STRUCT(TPML_INTEL_PTT_PROPERTY);
+#endif
MAKE_MU_STRUCT(TPML_AC_CAPABILITIES);
MAKE_MU_STRUCT(TPML_TAGGED_POLICY);
MAKE_MU_STRUCT(TPML_ACT_DATA);
--
2.41.0

35
SOURCES/0008-FAPI-Fapi_GetInfo-display-warning-for-SHA3-hash-algs.patch Normal file
View File

@ -0,0 +1,35 @@
From acb274ee0c59d6159b66e2df08aaf410e179f5f9 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Mon, 10 Apr 2023 20:20:24 +0200
Subject: [PATCH 08/10] FAPI: Fapi_GetInfo display warning for SHA3 hash algs.
Currenlty FAPI_GetInfo did produce errors if the TPM implements
SHA3 hash algs. Now a warning is displayed.
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-fapi/tpm_json_serialize.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/tss2-fapi/tpm_json_serialize.c b/src/tss2-fapi/tpm_json_serialize.c
index 1eaa4eb2..65320da6 100644
--- a/src/tss2-fapi/tpm_json_serialize.c
+++ b/src/tss2-fapi/tpm_json_serialize.c
@@ -1558,6 +1558,14 @@ ifapi_json_TPMS_ALG_PROPERTY_serialize(const TPMS_ALG_PROPERTY *in, json_object
return_if_null(in, "Bad reference.", TSS2_FAPI_RC_BAD_REFERENCE);
TSS2_RC r;
+
+ if ((in->alg == TPM2_ALG_SHA3_256 ||
+ in->alg == TPM2_ALG_SHA3_384 ||
+ in->alg == TPM2_ALG_SHA3_512)) {
+ LOG_WARNING("SHA3 hash algs are not supported by TSS");
+ return TSS2_RC_SUCCESS;
+ }
+
json_object *jso2;
if (*jso == NULL)
*jso = json_object_new_object ();
--
2.41.0

84
SOURCES/0008-Fix-file-descriptor-leak-when-tcti-initialization-fa.patch
View File

@ -1,84 +0,0 @@
From 68a7867198c84111bac3068c33d28e320df6a6f6 Mon Sep 17 00:00:00 2001
From: JerryDevis <seclab@huawei.com>
Date: Wed, 13 Oct 2021 11:26:03 +0800
Subject: [PATCH 08/23] Fix file descriptor leak when tcti initialization
failed
Signed-off-by: JerryDevis <seclab@huawei.com>
---
src/tss2-tcti/tcti-device.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/src/tss2-tcti/tcti-device.c b/src/tss2-tcti/tcti-device.c
index 94db070c..364297be 100644
--- a/src/tss2-tcti/tcti-device.c
+++ b/src/tss2-tcti/tcti-device.c
@@ -309,6 +309,16 @@ out:
return rc;
}
+static void close_tpm(int *fd)
+{
+ if (fd == NULL || *fd < 0) {
+ return;
+ }
+
+ close(*fd);
+ *fd = -1;
+}
+
void
tcti_device_finalize (
TSS2_TCTI_CONTEXT *tctiContext)
@@ -319,7 +329,7 @@ tcti_device_finalize (
if (tcti_dev == NULL) {
return;
}
- close (tcti_dev->fd);
+ close_tpm (&tcti_dev->fd);
tcti_common->state = TCTI_STATE_FINAL;
}
@@ -455,6 +465,7 @@ Tss2_Tcti_Device_Init (
ssize_t sz = write_all (tcti_dev->fd, cmd, sizeof(cmd));
if (sz < 0 || sz != sizeof(cmd)) {
LOG_ERROR ("Could not probe device for partial response read support");
+ close_tpm (&tcti_dev->fd);
return TSS2_TCTI_RC_IO_ERROR;
}
LOG_DEBUG ("Command sent, reading header");
@@ -465,12 +476,14 @@ Tss2_Tcti_Device_Init (
if (rc_poll < 0 || rc_poll == 0) {
LOG_ERROR ("Failed to poll for response from fd %d, rc %d, errno %d: %s",
tcti_dev->fd, rc_poll, errno, strerror(errno));
+ close_tpm (&tcti_dev->fd);
return TSS2_TCTI_RC_IO_ERROR;
} else if (fds.revents == POLLIN) {
TEMP_RETRY (sz, read (tcti_dev->fd, rsp, TPM_HEADER_SIZE));
if (sz < 0 || sz != TPM_HEADER_SIZE) {
LOG_ERROR ("Failed to read response header fd %d, got errno %d: %s",
tcti_dev->fd, errno, strerror (errno));
+ close_tpm (&tcti_dev->fd);
return TSS2_TCTI_RC_IO_ERROR;
}
}
@@ -482,6 +495,7 @@ Tss2_Tcti_Device_Init (
if (rc_poll < 0) {
LOG_DEBUG ("Failed to poll for response from fd %d, rc %d, errno %d: %s",
tcti_dev->fd, rc_poll, errno, strerror(errno));
+ close_tpm (&tcti_dev->fd);
return TSS2_TCTI_RC_IO_ERROR;
} else if (rc_poll == 0) {
LOG_ERROR ("timeout waiting for response from fd %d", tcti_dev->fd);
@@ -495,7 +509,7 @@ Tss2_Tcti_Device_Init (
LOG_DEBUG ("Failed to get response tail fd %d, got errno %d: %s",
tcti_dev->fd, errno, strerror (errno));
tcti_common->partial_read_supported = 0;
- close(tcti_dev->fd);
+ close_tpm (&tcti_dev->fd);
tcti_dev->fd = open_tpm (used_conf);
if (tcti_dev->fd < 0) {
LOG_ERROR ("Failed to open specified TCTI device file %s: %s",
--
2.34.3

65
SOURCES/0008-Require-OpenSSL-1.1.0.patch
View File

@ -1,65 +0,0 @@
From 090a10a69340dc0825f611eceac60bf3f904a5ec Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Sat, 17 Jul 2021 22:43:00 +0200
Subject: Require OpenSSL >= 1.1.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
To reduce the amount of version-specific code we drop support for
OpenSSL prior 1.1.0, including all forks such as LibreSSL, which are
not API compatible with OpenSSL >= 1.1.0.
Python 3.10 will even require OpenSSL >= 1.1.1. The corresponding
PEP 644 contains a detailed impact analysis which is also relevant
here.
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
INSTALL.md | 3 +--
configure.ac | 6 +++++-
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/INSTALL.md b/INSTALL.md
index eec94c45..658e1f28 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -14,7 +14,7 @@ following sections describe them for the supported platforms.
* C library development libraries and header files
* pkg-config
* doxygen
-* OpenSSL development libraries and header files
+* OpenSSL development libraries and header files, version >= 1.1.0
* libcurl development libraries
The following are dependencies only required when building test suites.
@@ -71,7 +71,6 @@ C Runtime (UCRT) version 10.0.16299.0. Building the type marshaling library
(tss2-mu.dll) and the system API (tss2-sapi.dll) should be as simple as
loading the tpm2-tss solution (tpm2-tss.sln) with a compatible and properly
configured version of Visual Studio 2017 and pressing the 'build' button.
-Windows build setup requires OpenSSL >= v1.0.2 crypto library.
### References
Visual Studio 2017 with "Clang for Windows": https://blogs.msdn.microsoft.com/vcblog/2017/03/07/use-any-c-compiler-with-visual-studio/
diff --git a/configure.ac b/configure.ac
index d4324c9a..12baa257 100755
--- a/configure.ac
+++ b/configure.ac
@@ -132,9 +132,13 @@ AC_ARG_WITH([crypto],
AM_CONDITIONAL(ESYS_OSSL, test "x$with_crypto" = "xossl")
AM_CONDITIONAL(ESYS_MBED, test "x$with_crypto" = "xmbed")
+m4_define([ossl_min_version], [1.1.0])
+m4_define([ossl_err], [OpenSSL libcrypto is missing or version requirements not met. OpenSSL version must be >= ossl_min_version])
AS_IF([test "x$enable_esys" = xyes],
[AS_IF([test "x$with_crypto" = xossl], [
- PKG_CHECK_MODULES([LIBCRYPTO], [libcrypto])
+ PKG_CHECK_MODULES([LIBCRYPTO],
+ [libcrypto >= ossl_min_version],,
+ [AC_MSG_ERROR([ossl_err])])
AC_DEFINE([OSSL], [1], [OpenSSL cryptographic backend])
TSS2_ESYS_CFLAGS_CRYPTO="$LIBCRYPTO_CFLAGS"
TSS2_ESYS_LDFLAGS_CRYPTO="$LIBCRYPTO_LIBS"
--
2.26.3

124
SOURCES/0009-FAPI-Change-SHA256_Update-to-EVP_DigestUpdate.patch
View File

@ -1,124 +0,0 @@
From 75da8bd937e6bca14832240321a679634159f75b Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Sun, 18 Jul 2021 13:12:56 +0200
Subject: FAPI: Change SHA256_Update to EVP_DigestUpdate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Although the EVP_DigestUpdate functions are available in all OpenSSL
versions and the EVP_DigestFinal_ex was added in OpenSSL 0.9.7, the
EVP_MD_CTX_new was introduced in OpenSSL 1.1.0.
The SHA256_Update function is deprecated in OpenSSL 3.0.0.
This PR should work with OpenSSL 1.1.0 through 3.0.0.
- Compared to the upstream commit f4f528ff the changes related to the
unit test are omitted.
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
src/tss2-fapi/ifapi_get_intl_cert.c | 43 +++++++++++++++++------------
1 file changed, 25 insertions(+), 18 deletions(-)
diff --git a/src/tss2-fapi/ifapi_get_intl_cert.c b/src/tss2-fapi/ifapi_get_intl_cert.c
index 2fb17fd0..9290a17e 100644
--- a/src/tss2-fapi/ifapi_get_intl_cert.c
+++ b/src/tss2-fapi/ifapi_get_intl_cert.c
@@ -52,21 +52,26 @@ static unsigned char *hash_ek_public(TPM2B_PUBLIC *ek_public) {
return NULL;
}
- SHA256_CTX sha256;
- int is_success = SHA256_Init(&sha256);
+ EVP_MD_CTX *sha256ctx = EVP_MD_CTX_new();
+ if (!sha256ctx) {
+ LOG_ERROR("EVP_MD_CTX_new failed");
+ goto err;
+ }
+
+ int is_success = EVP_DigestInit(sha256ctx, EVP_sha256());
if (!is_success) {
- LOG_ERROR("SHA256_Init failed");
+ LOG_ERROR("EVP_DigestInit failed");
goto err;
}
switch (ek_public->publicArea.type) {
case TPM2_ALG_RSA:
/* Add public key to the hash. */
- is_success = SHA256_Update(&sha256,
- ek_public->publicArea.unique.rsa.buffer,
- ek_public->publicArea.unique.rsa.size);
+ is_success = EVP_DigestUpdate(sha256ctx,
+ ek_public->publicArea.unique.rsa.buffer,
+ ek_public->publicArea.unique.rsa.size);
if (!is_success) {
- LOG_ERROR("SHA256_Update failed");
+ LOG_ERROR("EVP_DigestUpdate failed");
goto err;
}
@@ -77,28 +82,28 @@ static unsigned char *hash_ek_public(TPM2B_PUBLIC *ek_public) {
}
/* Exponent 65537 will be added. */
BYTE buf[3] = { 0x1, 0x00, 0x01 };
- is_success = SHA256_Update(&sha256, buf, sizeof(buf));
+ is_success = EVP_DigestUpdate(sha256ctx, buf, sizeof(buf));
if (!is_success) {
- LOG_ERROR("SHA256_Update failed");
+ LOG_ERROR("EVP_DigestUpdate failed");
goto err;
}
break;
case TPM2_ALG_ECC:
- is_success = SHA256_Update(&sha256,
- ek_public->publicArea.unique.ecc.x.buffer,
- ek_public->publicArea.unique.ecc.x.size);
+ is_success = EVP_DigestUpdate(sha256ctx,
+ ek_public->publicArea.unique.ecc.x.buffer,
+ ek_public->publicArea.unique.ecc.x.size);
if (!is_success) {
- LOG_ERROR("SHA256_Update failed");
+ LOG_ERROR("EVP_DigestUpdate failed");
goto err;
}
/* Add public key to the hash. */
- is_success = SHA256_Update(&sha256,
- ek_public->publicArea.unique.ecc.y.buffer,
- ek_public->publicArea.unique.ecc.y.size);
+ is_success = EVP_DigestUpdate(sha256ctx,
+ ek_public->publicArea.unique.ecc.y.buffer,
+ ek_public->publicArea.unique.ecc.y.size);
if (!is_success) {
- LOG_ERROR("SHA256_Update failed");
+ LOG_ERROR("EVP_DigestUpdate failed");
goto err;
}
break;
@@ -108,17 +113,19 @@ static unsigned char *hash_ek_public(TPM2B_PUBLIC *ek_public) {
goto err;
}
- is_success = SHA256_Final(hash, &sha256);
+ is_success = EVP_DigestFinal_ex(sha256ctx, hash, NULL);
if (!is_success) {
LOG_ERROR("SHA256_Final failed");
goto err;
}
+ EVP_MD_CTX_free(sha256ctx);
LOG_TRACE("public-key-hash:");
LOG_TRACE(" sha256: ");
LOGBLOB_TRACE(&hash[0], SHA256_DIGEST_LENGTH, "Hash");
return hash;
err:
+ EVP_MD_CTX_free(sha256ctx);
free(hash);
return NULL;
}
--
2.26.3

28
SOURCES/0009-FAPI-Fix-leak-in-fapi-crypto-with-ossl3.patch
View File

@ -1,28 +0,0 @@
From e1b4d9fd5b796711b38475c381a168a99003163c Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
Date: Thu, 2 Dec 2021 09:17:15 +0100
Subject: [PATCH 09/23] FAPI: Fix leak in fapi crypto with ossl3
A leak in the case "out of memory" detected by scan-build was fixed.
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
---
src/tss2-fapi/fapi_crypto.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tss2-fapi/fapi_crypto.c b/src/tss2-fapi/fapi_crypto.c
index d061cf48..fd7ea555 100644
--- a/src/tss2-fapi/fapi_crypto.c
+++ b/src/tss2-fapi/fapi_crypto.c
@@ -1573,7 +1573,7 @@ ifapi_crypto_hash_start(IFAPI_CRYPTO_CONTEXT_BLOB **context,
* As we don't want the TPM to be called for these operations, we have
* to initialize own library context with the default provider. */
mycontext->libctx = OSSL_LIB_CTX_new();
- return_if_null(mycontext->libctx, "Out of memory", TSS2_FAPI_RC_MEMORY);
+ goto_if_null(mycontext->libctx, "Out of memory", TSS2_FAPI_RC_MEMORY, cleanup);
if (!(mycontext->osslHashAlgorithm =
EVP_MD_fetch(mycontext->libctx, get_hash_md(hashAlgorithm), NULL))) {
--
2.34.3

39
SOURCES/0009-FAPI-Skip-provisioning-test-for-nv-ext-and-profile-p.patch Normal file
View File

@ -0,0 +1,39 @@
From e43323dd5c089ed6af0a6a77b30f97350e1fbb6a Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Sun, 9 Apr 2023 08:38:56 +0200
Subject: [PATCH 09/10] FAPI: Skip provisioning test for nv ext and profile
paths.
The provisioning test in ifapi_check_provisioned will be skipped
for ext nv and profile paths. The test did produce inappropriate
error messages if the corresponding paths did not exist in keystore.
The test is only needed for pathnames starting with the profile.
Fixes: #2596
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-fapi/ifapi_keystore.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/tss2-fapi/ifapi_keystore.c b/src/tss2-fapi/ifapi_keystore.c
index 7e50ee1e..38c2f7fd 100644
--- a/src/tss2-fapi/ifapi_keystore.c
+++ b/src/tss2-fapi/ifapi_keystore.c
@@ -1772,6 +1772,14 @@ ifapi_check_provisioned(
*ok = false;
+ /* No profile in path, test can be skipped. */
+ if (ifapi_path_type_p(rel_path, IFAPI_NV_PATH) ||
+ ifapi_path_type_p(rel_path, IFAPI_POLICY_PATH) ||
+ ifapi_path_type_p(rel_path, IFAPI_EXT_PATH)) {
+ *ok = true;
+ return TSS2_RC_SUCCESS;
+ }
+
/* First expand path in user directory */
r = expand_path(keystore, rel_path, &directory);
goto_if_error(r, "Expand path", cleanup);
--
2.41.0

29
SOURCES/0010-FAPI-Fix-memory-leak-after-ifapi_init_primary_finish.patch
View File

@ -1,29 +0,0 @@
From 5652a33144973bdf570bea033ec185f8a7a6d038 Mon Sep 17 00:00:00 2001
From: JerryDevis <JerryDevis@users.noreply.github.com>
Date: Tue, 21 Dec 2021 17:44:00 +0800
Subject: [PATCH 10/23] FAPI: Fix memory leak after ifapi_init_primary_finish
failed
Signed-off-by: JerryDevis <JerryDevis@users.noreply.github.com>
---
src/tss2-fapi/fapi_util.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
index 90f8b2aa..cd4e0979 100644
--- a/src/tss2-fapi/fapi_util.c
+++ b/src/tss2-fapi/fapi_util.c
@@ -807,6 +807,10 @@ ifapi_init_primary_finish(FAPI_CONTEXT *context, TSS2_KEY_TYPE ktype, IFAPI_OBJE
}
error_cleanup:
+ SAFE_FREE(outPublic);
+ SAFE_FREE(creationData);
+ SAFE_FREE(creationHash);
+ SAFE_FREE(creationTicket);
ifapi_cleanup_ifapi_object(&context->createPrimary.pkey_object);
free_string_list(k_sub_path);
SAFE_FREE(pkey->serialization.buffer);
--
2.34.3

30
SOURCES/0010-FAPI-Fix-wrong-allocation-of-pcr-policy.patch Normal file
View File

@ -0,0 +1,30 @@
From 12519626a221f0e4c20e66ec101429fc0f321c6f Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Fri, 12 May 2023 09:30:53 +0200
Subject: [PATCH 10/10] FAPI: Fix wrong allocation of pcr policy.
The list of pcr registers was was allocated with the wrong size in the
function copy_policy_element which caused a segfault if more than one
pcr was used.
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-fapi/ifapi_helpers.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tss2-fapi/ifapi_helpers.c b/src/tss2-fapi/ifapi_helpers.c
index e1c4220b..5c574717 100644
--- a/src/tss2-fapi/ifapi_helpers.c
+++ b/src/tss2-fapi/ifapi_helpers.c
@@ -1343,7 +1343,7 @@ copy_policy_element(const TPMT_POLICYELEMENT *from_policy, TPMT_POLICYELEMENT *t
case POLICYPCR:
to_policy->element.PolicyPCR.pcrs =
calloc(1, sizeof(TPML_PCRVALUES) +
- from_policy->element.PolicyPCR.pcrs->count + sizeof(TPMS_PCRVALUE));
+ from_policy->element.PolicyPCR.pcrs->count * sizeof(TPMS_PCRVALUE));
goto_if_null2(to_policy->element.PolicyPCR.pcrs, "Out of memory.",
r, TSS2_FAPI_RC_MEMORY, error);
to_policy->element.PolicyPCR.pcrs->count
--
2.41.0

124
SOURCES/0010-Test-Use-EVP_MAC_xxx-with-OpenSSL-3.0.patch
View File

@ -1,124 +0,0 @@
From 89b2bd01f6fa1e267f57b2ceeb2ffaafb9cdb7c0 Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Sun, 18 Jul 2021 14:56:18 +0200
Subject: Test: Use EVP_MAC_xxx with OpenSSL 3.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Drop support for OpenSSL < 1.1.0 and add support for OpenSSL >= 3.0.0.
The HMAC_Update is deprecated in OpenSSL 3.0, but the replacement
EVP_MAC_update was added in OpenSSL 3.0, so version specific code is
needed.
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
test/integration/sys-util.c | 50 +++++++++++++++++++++++--------------
1 file changed, 31 insertions(+), 19 deletions(-)
diff --git a/test/integration/sys-util.c b/test/integration/sys-util.c
index af83cf55..5865f002 100644
--- a/test/integration/sys-util.c
+++ b/test/integration/sys-util.c
@@ -13,10 +13,13 @@
#include <string.h>
#include <assert.h>
+#include <openssl/evp.h>
#include <openssl/sha.h>
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
#include <openssl/hmac.h>
-#include <openssl/evp.h>
-#include <openssl/opensslv.h>
+#else
+#include <openssl/core_names.h>
+#endif
#define LOGMODULE testintegration
#include "util/log.h"
@@ -489,22 +492,18 @@ hmac(
TPM2B_DIGEST **buffer_list,
TPM2B_DIGEST *out)
{
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- HMAC_CTX *ctx;
-#else
- HMAC_CTX _ctx;
- HMAC_CTX *ctx = &_ctx;
-#endif
- EVP_MD *evp;
int rc = 1, i;
- unsigned int *buf = NULL, size;
+ unsigned int *buf = NULL;
uint8_t *buf_ptr;
+ EVP_MD *evp;
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- /* HMAC_CTX_new and HMAC_CTX_free are new in openSSL 1.1.0 */
- ctx = HMAC_CTX_new();
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ unsigned int size;
+ HMAC_CTX *ctx = HMAC_CTX_new();
#else
- HMAC_CTX_init(ctx);
+ size_t size;
+ EVP_MAC *hmac = EVP_MAC_fetch(NULL, "HMAC", NULL);
+ EVP_MAC_CTX *ctx = EVP_MAC_CTX_new(hmac);
#endif
if (!ctx)
@@ -538,21 +537,33 @@ hmac(
buf_ptr = (uint8_t *)buf;
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
rc = HMAC_Init_ex(ctx, key, key_len, evp, NULL);
#else
- rc = HMAC_Init(ctx, key, key_len, evp);
-#endif
+ OSSL_PARAM params[2];
+ params[0] = OSSL_PARAM_construct_utf8_string(OSSL_ALG_PARAM_DIGEST,
+ (char *)EVP_MD_get0_name(evp), 0);
+ params[1] = OSSL_PARAM_construct_end();
+ rc = EVP_MAC_init(ctx, key, key_len, params);
+#endif
if (rc != 1)
goto out;
for (i = 0; buffer_list[i] != 0; i++) {
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
rc = HMAC_Update(ctx, buffer_list[i]->buffer, buffer_list[i]->size);
+#else
+ rc = EVP_MAC_update(ctx, buffer_list[i]->buffer, buffer_list[i]->size);
+#endif
if (rc != 1)
goto out;
}
/* buf_ptr has to be 4 bytes alligned for whatever reason */
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
rc = HMAC_Final(ctx, buf_ptr, &size);
+#else
+ rc = EVP_MAC_final(ctx, buf_ptr, &size, out->size);
+#endif
if (rc != 1)
goto out;
@@ -561,10 +572,11 @@ hmac(
memcpy(out->buffer, buf, out->size);
out:
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
HMAC_CTX_free(ctx);
#else
- HMAC_CTX_cleanup(ctx);
+ EVP_MAC_CTX_free(ctx);
+ EVP_MAC_free(hmac);
#endif
if (buf)
--
2.26.3

313
SOURCES/0011-Drop-support-for-OpenSSL-1.1.0.patch
View File

@ -1,313 +0,0 @@
From df8495b73df96f55425970e76c613b8a0950bf0c Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Sun, 18 Jul 2021 20:21:01 +0200
Subject: Drop support for OpenSSL < 1.1.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Delete code written to support OpenSSL < 1.1.0
Delete functions that have no effect in OpenSSL >= 1.1.0
- ENGINE_load_builtin_engines()
- OpenSSL_add_all_algorithms()
- ERR_load_crypto_strings()
- EC_KEY_set_asn1_flag(ecKey, OPENSSL_EC_NAMED_CURVE)
Switch AppVeyor to use pre-built OpenSSL 1.1.0
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
src/tss2-esys/esys_crypto_ossl.c | 19 ----------------
src/tss2-esys/tss2-esys.vcxproj | 16 +++++++-------
src/tss2-fapi/fapi_crypto.c | 37 --------------------------------
test/helper/tpm_getek.c | 11 ----------
test/helper/tpm_getek_ecc.c | 9 --------
5 files changed, 8 insertions(+), 84 deletions(-)
diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c
index 2eb0dfcb..a6259346 100644
--- a/src/tss2-esys/esys_crypto_ossl.c
+++ b/src/tss2-esys/esys_crypto_ossl.c
@@ -525,11 +525,7 @@ iesys_cryptossl_random2b(TPM2B_NONCE * nonce, size_t num_bytes)
nonce->size = num_bytes;
}
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
RAND_set_rand_method(RAND_OpenSSL());
-#else
- RAND_set_rand_method(RAND_SSLeay());
-#endif
if (1 != RAND_bytes(&nonce->buffer[0], nonce->size)) {
RAND_set_rand_method(rand_save);
return_error(TSS2_ESYS_RC_GENERAL_FAILURE,
@@ -563,11 +559,7 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
size_t * out_size, const char *label)
{
const RAND_METHOD *rand_save = RAND_get_rand_method();
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
RAND_set_rand_method(RAND_OpenSSL());
-#else
- RAND_set_rand_method(RAND_SSLeay());
-#endif
TSS2_RC r = TSS2_RC_SUCCESS;
const EVP_MD * hashAlg = NULL;
@@ -630,14 +622,6 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
"Could not create evp key.", cleanup);
}
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- if (!BN_bin2bn(pub_tpm_key->publicArea.unique.rsa.buffer,
- pub_tpm_key->publicArea.unique.rsa.size,
- rsa_key->n)) {
- goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
- "Could not create rsa n.", cleanup);
- }
-#else
BIGNUM *n = NULL;
if (!(n = BN_bin2bn(pub_tpm_key->publicArea.unique.rsa.buffer,
pub_tpm_key->publicArea.unique.rsa.size,
@@ -650,7 +634,6 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
"Could not set rsa n.", cleanup);
}
-#endif
if (1 != EVP_PKEY_set1_RSA(evp_rsa_key, rsa_key)) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
@@ -1129,7 +1112,5 @@ iesys_cryptossl_sym_aes_decrypt(uint8_t * key,
*/
TSS2_RC
iesys_cryptossl_init() {
- ENGINE_load_builtin_engines();
- OpenSSL_add_all_algorithms();
return TSS2_RC_SUCCESS;
}
diff --git a/src/tss2-esys/tss2-esys.vcxproj b/src/tss2-esys/tss2-esys.vcxproj
index b75424aa..b2aa67ce 100644
--- a/src/tss2-esys/tss2-esys.vcxproj
+++ b/src/tss2-esys/tss2-esys.vcxproj
@@ -69,13 +69,13 @@
<RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
- <AdditionalIncludeDirectories>$(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-Win32\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+ <AdditionalIncludeDirectories>$(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-v11-Win32\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
</ClCompile>
<Link>
<TargetMachine>MachineX86</TargetMachine>
<GenerateDebugInformation>true</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
- <AdditionalDependencies>$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-Win32\lib\libeay32.lib;C:\OpenSSL-Win32\lib\libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+ <AdditionalDependencies>$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-v11-Win32\lib\libcrypto.lib;C:\OpenSSL-v11-Win32\lib\libcrypto.lib;%(AdditionalDependencies)</AdditionalDependencies>
<ModuleDefinitionFile>$(SolutionDir)\lib\tss2-esys.def</ModuleDefinitionFile>
</Link>
</ItemDefinitionGroup>
@@ -84,7 +84,7 @@
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;TSS2ESYS_EXPORTS;MAXLOGLEVEL=6;strtok_r=strtok_s;OSSL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
<WarningLevel>Level3</WarningLevel>
- <AdditionalIncludeDirectories>$(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-Win32\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+ <AdditionalIncludeDirectories>$(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-v11-Win32\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
</ClCompile>
<Link>
<TargetMachine>MachineX86</TargetMachine>
@@ -92,27 +92,27 @@
<SubSystem>Windows</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
- <AdditionalDependencies>$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-Win32\lib\libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+ <AdditionalDependencies>$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-v11-Win32\lib\libcrypto.lib;%(AdditionalDependencies)</AdditionalDependencies>
<ModuleDefinitionFile>$(SolutionDir)\lib\tss2-esys.def</ModuleDefinitionFile>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
- <AdditionalIncludeDirectories>$(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-Win64\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+ <AdditionalIncludeDirectories>$(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-v11-Win64\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>_DEBUG;_WINDOWS;_USRDLL;TSS2ESYS_EXPORTS;MAXLOGLEVEL=6;strtok_r=strtok_s;OSSL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<Link>
- <AdditionalDependencies>$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-Win64\lib\libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+ <AdditionalDependencies>$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-v11-Win64\lib\libcrypto.lib;%(AdditionalDependencies)</AdditionalDependencies>
<ModuleDefinitionFile>$(SolutionDir)\lib\tss2-esys.def</ModuleDefinitionFile>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
- <AdditionalIncludeDirectories>$(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-Win64\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+ <AdditionalIncludeDirectories>$(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-v11-Win64\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>NDEBUG;_WINDOWS;_USRDLL;TSS2ESYS_EXPORTS;MAXLOGLEVEL=6;strtok_r=strtok_s;OSSL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<Link>
- <AdditionalDependencies>$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-Win64\lib\libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+ <AdditionalDependencies>$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-v11-Win64\lib\libcrypto.lib;%(AdditionalDependencies)</AdditionalDependencies>
<ModuleDefinitionFile>$(SolutionDir)\lib\tss2-esys.def</ModuleDefinitionFile>
</Link>
</ItemDefinitionGroup>
diff --git a/src/tss2-fapi/fapi_crypto.c b/src/tss2-fapi/fapi_crypto.c
index f5b3d272..c97b0a1d 100644
--- a/src/tss2-fapi/fapi_crypto.c
+++ b/src/tss2-fapi/fapi_crypto.c
@@ -333,12 +333,7 @@ ifapi_tpm_ecc_sig_to_der(
tpmSignature->signature.ecdsa.signatureR.size, NULL);
goto_if_null(bnr, "Out of memory", TSS2_FAPI_RC_MEMORY, cleanup);
-#if OPENSSL_VERSION_NUMBER < 0x10100000
- ecdsaSignature->s = bns;
- ecdsaSignature->r = bnr;
-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
ECDSA_SIG_set0(ecdsaSignature, bnr, bns);
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
osslRC = i2d_ECDSA_SIG(ecdsaSignature, NULL);
if (osslRC == -1) {
@@ -424,20 +419,9 @@ ossl_rsa_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey)
"Could not set exponent.", error_cleanup);
}
-#if OPENSSL_VERSION_NUMBER < 0x10100000
- rsa->e = e;
- rsa->n = n;
- rsa->d = d;
- rsa->p = p;
- rsa->q = q;
- rsa->dmp1 = dmp1;
- rsa->dmq1 = dmq1;
- rsa->iqmp = iqmp;
-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
RSA_set0_key(rsa, n, e, d);
RSA_set0_factors(rsa, p, q);
RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp);
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
/* Assign the parameters to the key */
if (!EVP_PKEY_assign_RSA(evpPublicKey, rsa)) {
@@ -541,8 +525,6 @@ ossl_ecc_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey)
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Assign ecc key",
error_cleanup);
}
- /* Needed for older OSSL versions. */
- EC_KEY_set_asn1_flag(ecKey, OPENSSL_EC_NAMED_CURVE);
OSSL_FREE(y, BN);
OSSL_FREE(x, BN);
return TSS2_RC_SUCCESS;
@@ -654,24 +636,14 @@ ifapi_ecc_der_sig_to_tpm(
/* Initialize the ECDSA signature components */
ECDSA_SIG *ecdsaSignature = NULL;
-#if OPENSSL_VERSION_NUMBER < 0x10100000
- BIGNUM *bnr;
- BIGNUM *bns;
-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
const BIGNUM *bnr;
const BIGNUM *bns;
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
d2i_ECDSA_SIG(&ecdsaSignature, &signature, signatureSize);
return_if_null(ecdsaSignature, "Invalid DER signature",
TSS2_FAPI_RC_GENERAL_FAILURE);
-#if OPENSSL_VERSION_NUMBER < 0x10100000
- bns = ecdsaSignature->s;
- bnr = ecdsaSignature->r;
-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
ECDSA_SIG_get0(ecdsaSignature, &bnr, &bns);
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
/* Writing them to the TPM format signature */
tpmSignature->signature.ecdsa.hash = hashAlgorithm;
@@ -933,12 +905,7 @@ get_rsa_tpm2b_public_from_evp(
const BIGNUM *e = NULL, *n = NULL;
int rsaKeySize = RSA_size(rsaKey);
-#if OPENSSL_VERSION_NUMBER < 0x10100000
- e = rsaKey->e;
- n = rsaKey->n;
-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
RSA_get0_key(rsaKey, &n, &e, NULL);
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
tpmPublic->publicArea.unique.rsa.size = rsaKeySize;
if (1 != ifapi_bn2binpad(n, &tpmPublic->publicArea.unique.rsa.buffer[0],
rsaKeySize)) {
@@ -1650,8 +1617,6 @@ get_crl_from_cert(X509 *cert, X509_CRL **crl)
goto_error(r, TSS2_FAPI_RC_NO_CERT, "Get crl.", cleanup);
}
- OpenSSL_add_all_algorithms();
-
unsigned const char* tmp_ptr1 = crl_buffer;
unsigned const char** tmp_ptr2 = &tmp_ptr1;
@@ -1935,7 +1900,6 @@ ifapi_verify_ek_cert(
r, TSS2_FAPI_RC_BAD_VALUE, cleanup);
} else {
/* Get uri for ek intermediate certificate. */
- OpenSSL_add_all_algorithms();
info = X509_get_ext_d2i(ek_cert, NID_info_access, NULL, NULL);
for (i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++) {
@@ -1955,7 +1919,6 @@ ifapi_verify_ek_cert(
goto_if_null2(cert_buffer, "No certificate downloaded", r,
TSS2_FAPI_RC_NO_CERT, cleanup);
- OpenSSL_add_all_algorithms();
intermed_cert = get_cert_from_buffer(cert_buffer, cert_buffer_size);
SAFE_FREE(cert_buffer);
diff --git a/test/helper/tpm_getek.c b/test/helper/tpm_getek.c
index 21be0f46..c6a8e906 100644
--- a/test/helper/tpm_getek.c
+++ b/test/helper/tpm_getek.c
@@ -147,20 +147,9 @@ main (int argc, char *argv[])
exp = out_public.publicArea.parameters.rsaDetail.exponent;
BN_set_word(e, exp);
-#if OPENSSL_VERSION_NUMBER < 0x10100000
- rsa->e = e;
- rsa->n = n;
- rsa->d = d;
- rsa->p = p;
- rsa->q = q;
- rsa->dmp1 = dmp1;
- rsa->dmq1 = dmq1;
- rsa->iqmp = iqmp;
-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
RSA_set0_key(rsa, n, e, d);
RSA_set0_factors(rsa, p, q);
RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp);
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
EVP_PKEY_assign_RSA(evp, rsa);
diff --git a/test/helper/tpm_getek_ecc.c b/test/helper/tpm_getek_ecc.c
index 0419f47a..75165fdd 100644
--- a/test/helper/tpm_getek_ecc.c
+++ b/test/helper/tpm_getek_ecc.c
@@ -128,14 +128,6 @@ main (int argc, char *argv[])
/* Convert the key from out_public to PEM */
EVP_PKEY *evp = EVP_PKEY_new();
-
- OpenSSL_add_all_algorithms();
-
- OpenSSL_add_all_algorithms();
-
- ERR_load_crypto_strings();
-
-
EC_KEY *ecc_key = EC_KEY_new();
BIGNUM *x = NULL, *y = NULL;
BIO *bio;
@@ -159,7 +151,6 @@ main (int argc, char *argv[])
if (!EC_KEY_set_group(ecc_key, ecgroup))
exit(1);
- EC_KEY_set_asn1_flag(ecc_key, OPENSSL_EC_NAMED_CURVE);
EC_GROUP_free(ecgroup);
/* Set the ECC parameters in the OpenSSL key */
--
2.26.3

39
SOURCES/0011-esys-Return-an-error-if-ESYS_TR_NONE-is-passed-to-Es.patch
View File

@ -1,39 +0,0 @@
From 8b3891af6b8125f30c4b229ee1ba0b30a112664a Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
Date: Tue, 21 Dec 2021 11:59:28 +0100
Subject: [PATCH 11/23] esys: Return an error if ESYS_TR_NONE is passed to
Esys_TR_GetName.
A segfault was produced in this case. Fixes #2243.
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
---
src/tss2-esys/esys_tr.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/tss2-esys/esys_tr.c b/src/tss2-esys/esys_tr.c
index f0127d02..cf4caa09 100644
--- a/src/tss2-esys/esys_tr.c
+++ b/src/tss2-esys/esys_tr.c
@@ -408,6 +408,7 @@ Esys_TR_SetAuth(ESYS_CONTEXT * esys_context, ESYS_TR esys_handle,
* @retval TSS2_ESYS_RC_MEMORY if needed memory can't be allocated.
* @retval TSS2_ESYS_RC_GENERAL_FAILURE for errors of the crypto library.
* @retval TSS2_ESYS_RC_BAD_REFERENCE if the esysContext is NULL.
+ * @retval TSS2_ESYS_RC_BAD_TR if the handle is invalid.
* @retval TSS2_SYS_RC_* for SAPI errors.
*/
TSS2_RC
@@ -418,6 +419,10 @@ Esys_TR_GetName(ESYS_CONTEXT * esys_context, ESYS_TR esys_handle,
TSS2_RC r;
_ESYS_ASSERT_NON_NULL(esys_context);
+ if (esys_handle == ESYS_TR_NONE) {
+ return_error(TSS2_ESYS_RC_BAD_TR, "Name for ESYS_TR_NONE can't be determined.");
+ }
+
r = esys_GetResourceObject(esys_context, esys_handle, &esys_object);
return_if_error(r, "Object not found");
--
2.34.3

45
SOURCES/0012-FAPI-Fixed-memory-leak-when-ifapi_get_certificates-f.patch
View File

@ -1,45 +0,0 @@
From d03674af6f2a66bb6d94f5a50871301c8650522d Mon Sep 17 00:00:00 2001
From: JerryDevis <JerryDevis@users.noreply.github.com>
Date: Wed, 5 Jan 2022 20:55:21 +0800
Subject: [PATCH 12/23] FAPI: Fixed memory leak when ifapi_get_certificates
failed
Signed-off-by: JerryDevis <JerryDevis@users.noreply.github.com>
---
src/tss2-fapi/fapi_util.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
index cd4e0979..f64c4e8b 100644
--- a/src/tss2-fapi/fapi_util.c
+++ b/src/tss2-fapi/fapi_util.c
@@ -4328,7 +4328,7 @@ ifapi_get_certificates(
context->nv_cmd.nv_object.misc.nv.public.nvPublic.attributes = TPMA_NV_NO_DA;
r = ifapi_keystore_load_async(&context->keystore, &context->io, "/HS");
- return_if_error2(r, "Could not open hierarchy /HS");
+ goto_if_error_reset_state(r, "Could not open hierarchy /HS", error);
fallthrough;
@@ -4352,7 +4352,7 @@ ifapi_get_certificates(
context->session2 = ESYS_TR_NONE;
context->nv_cmd.nv_read_state = NV_READ_INIT;
memset(&context->nv_cmd.nv_object, 0, sizeof(IFAPI_OBJECT));
- Esys_Free(context->cmd.Provision.nvPublic);
+ SAFE_FREE(context->cmd.Provision.nvPublic);
fallthrough;
statecase(context->get_cert_state, GET_CERT_READ_CERT);
@@ -4382,7 +4382,7 @@ ifapi_get_certificates(
}
error:
- SAFE_FREE(context->cmd.Provision.capabilityData);
+ SAFE_FREE(context->cmd.Provision.nvPublic);
SAFE_FREE(context->cmd.Provision.capabilityData);
ifapi_cleanup_ifapi_object(&context->nv_cmd.auth_object);
ifapi_free_object_list(*cert_list);
--
2.34.3

1005
SOURCES/0012-Implement-EVP_PKEY-export-import-for-OpenSSL-3.0.patch
View File

File diff suppressed because it is too large Load Diff

25
SOURCES/0013-FAPI-Free-object-when-keystore_search_obj-failed.patch
View File

@ -1,25 +0,0 @@
From 53f235e27ee657266725137a551858b81c24c57b Mon Sep 17 00:00:00 2001
From: JerryDevis <JerryDevis@users.noreply.github.com>
Date: Wed, 5 Jan 2022 21:58:00 +0800
Subject: [PATCH 13/23] FAPI: Free object when keystore_search_obj failed
Signed-off-by: JerryDevis <JerryDevis@users.noreply.github.com>
---
src/tss2-fapi/ifapi_keystore.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/tss2-fapi/ifapi_keystore.c b/src/tss2-fapi/ifapi_keystore.c
index 743de133..e805029f 100644
--- a/src/tss2-fapi/ifapi_keystore.c
+++ b/src/tss2-fapi/ifapi_keystore.c
@@ -1239,6 +1239,7 @@ cleanup:
r = TSS2_FAPI_RC_KEY_NOT_FOUND;
}
keystore->key_search.state = KSEARCH_INIT;
+ ifapi_cleanup_ifapi_object(&object);
return r;
}
--
2.34.3

27
SOURCES/0014-FAPI-Fixed-the-memory-leak-of-command-data-when-Fapi.patch
View File

@ -1,27 +0,0 @@
From ba3ba5c4ec4f0362a0915c5ae5e002c9cbdc9f1e Mon Sep 17 00:00:00 2001
From: JerryDevis <JerryDevis@users.noreply.github.com>
Date: Wed, 5 Jan 2022 22:09:26 +0800
Subject: [PATCH 14/23] FAPI:Fixed the memory leak of command->data when
Fapi_GetEsysBlob_Finish failed
Signed-off-by: JerryDevis <JerryDevis@users.noreply.github.com>
---
src/tss2-fapi/api/Fapi_GetEsysBlob.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tss2-fapi/api/Fapi_GetEsysBlob.c b/src/tss2-fapi/api/Fapi_GetEsysBlob.c
index a54bece8..b152ae3a 100644
--- a/src/tss2-fapi/api/Fapi_GetEsysBlob.c
+++ b/src/tss2-fapi/api/Fapi_GetEsysBlob.c
@@ -395,7 +395,7 @@ error_cleanup:
ifapi_cleanup_ifapi_object(object);
ifapi_cleanup_ifapi_object(key_object);
SAFE_FREE(command->path);
- SAFE_FREE(*data);
+ SAFE_FREE(command->data);
SAFE_FREE(key_context);
ifapi_session_clean(context);
ifapi_cleanup_ifapi_object(&context->loadKey.auth_object);
--
2.34.3

38
SOURCES/0015-ESYS-Fixed-annotation-error-of-Esys_TR_Deserialize.patch
View File

@ -1,38 +0,0 @@
From 5e2f86cbd55b7c82ebf4cef0a0abed6c04598bd9 Mon Sep 17 00:00:00 2001
From: JerryDevis <JerryDevis@users.noreply.github.com>
Date: Fri, 7 Jan 2022 11:56:14 +0800
Subject: [PATCH 15/23] ESYS: Fixed annotation error of Esys_TR_Deserialize
Signed-off-by: JerryDevis <JerryDevis@users.noreply.github.com>
---
src/tss2-esys/esys_tr.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/src/tss2-esys/esys_tr.c b/src/tss2-esys/esys_tr.c
index cf4caa09..784f711a 100644
--- a/src/tss2-esys/esys_tr.c
+++ b/src/tss2-esys/esys_tr.c
@@ -65,15 +65,14 @@ Esys_TR_Serialize(ESYS_CONTEXT * esys_context,
*
* Deserialize the metadata of an ESYS_TR object from a byte buffer that was
* stored on disk for later use by a different program or context.
- * An object can be serialized suing Esys_TR_Serialize.
+ * An object can be deserialized using Esys_TR_Deserialize.
* @param esys_context [in,out] The ESYS_CONTEXT.
- * @param esys_handle [in] The ESYS_TR object to serialize.
- * @param buffer [out] The buffer containing the serialized metadata.
- * (caller-callocated) Shall be freed using free().
- * @param buffer_size [out] The size of the buffer parameter.
+ * @param esys_handle [out] The ESYS_TR object to deserialize.
+ * @param buffer [in] The buffer containing the metadata of the ESYS_TR object.
+ * @param buffer_size [in] The size of the buffer parameter.
* @retval TSS2_RC_SUCCESS on Success.
* @retval TSS2_ESYS_RC_MEMORY if the object can not be allocated.
- * @retval TSS2_ESYS_RC_INSUFFICIENT_BUFFER if the buffer for unmarshaling.
+ * @retval TSS2_ESYS_RC_INSUFFICIENT_BUFFER if the buffer for unmarshalling.
* @retval TSS2_ESYS_RC_BAD_REFERENCE if the esysContext is NULL.
* @retval TSS2_RCs produced by lower layers of the software stack.
*/
--
2.34.3

50
SOURCES/0016-FAPI-Clean-up-memory-when-Fapi_Delete_Async-failed.patch
View File

@ -1,50 +0,0 @@
From 80d8aa8e3d15fd01eacb40200b80a83ed940c207 Mon Sep 17 00:00:00 2001
From: JerryDevis <857869045@qq.com>
Date: Sun, 9 Jan 2022 16:31:09 +0800
Subject: [PATCH 16/23] FAPI: Clean up memory when Fapi_Delete_Async failed
Signed-off-by: JerryDevis <857869045@qq.com>
---
src/tss2-fapi/api/Fapi_Delete.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/tss2-fapi/api/Fapi_Delete.c b/src/tss2-fapi/api/Fapi_Delete.c
index 43ea0332..2b5826ab 100644
--- a/src/tss2-fapi/api/Fapi_Delete.c
+++ b/src/tss2-fapi/api/Fapi_Delete.c
@@ -419,14 +419,14 @@ Fapi_Delete_Async(
/* No session will be needed these files can be deleted without
interaction with the TPM */
r = ifapi_non_tpm_mode_init(context);
- return_if_error(r, "Initialize Entity_Delete");
+ goto_if_error(r, "Initialize Entity_Delete", error_cleanup);
context->session1 = ESYS_TR_NONE;
context->state = ENTITY_DELETE_GET_FILE;
} else {
/* Check whether TCTI and ESYS are initialized */
- return_if_null(context->esys, "Command can't be executed in none TPM mode.",
- TSS2_FAPI_RC_NO_TPM);
+ goto_if_null(context->esys, "Command can't be executed in none TPM mode.",
+ TSS2_FAPI_RC_NO_TPM, error_cleanup);
/* If the async state automata of FAPI shall be tested, then we must not set
the timeouts of ESYS to blocking mode.
@@ -435,12 +435,12 @@ Fapi_Delete_Async(
to block until a result is available. */
#ifndef TEST_FAPI_ASYNC
r = Esys_SetTimeout(context->esys, TSS2_TCTI_TIMEOUT_BLOCK);
- return_if_error_reset_state(r, "Set Timeout to blocking");
+ goto_if_error_reset_state(r, "Set Timeout to blocking", error_cleanup);
#endif /* TEST_FAPI_ASYNC */
/* A TPM session will be created to enable object authorization */
r = ifapi_session_init(context);
- return_if_error(r, "Initialize Entity_Delete");
+ goto_if_error(r, "Initialize Entity_Delete", error_cleanup);
r = ifapi_get_sessions_async(context,
IFAPI_SESSION_GENEK | IFAPI_SESSION1,
--
2.34.3

44
SOURCES/0017-FAPI-Clean-up-memory-when-Fapi_GetEsysBlob_Async-fai.patch
View File

@ -1,44 +0,0 @@
From f03a243f4f1e249a0f4d96bc5722a44953cad72e Mon Sep 17 00:00:00 2001
From: JerryDevis <857869045@qq.com>
Date: Sun, 9 Jan 2022 18:44:49 +0800
Subject: [PATCH 17/23] FAPI: Clean up memory when Fapi_GetEsysBlob_Async
failed
Signed-off-by: JerryDevis <857869045@qq.com>
---
src/tss2-fapi/api/Fapi_GetEsysBlob.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/tss2-fapi/api/Fapi_GetEsysBlob.c b/src/tss2-fapi/api/Fapi_GetEsysBlob.c
index b152ae3a..db67e2e4 100644
--- a/src/tss2-fapi/api/Fapi_GetEsysBlob.c
+++ b/src/tss2-fapi/api/Fapi_GetEsysBlob.c
@@ -157,8 +157,8 @@ Fapi_GetEsysBlob_Async(
authObject->objectType = IFAPI_OBJ_NONE;
/* Check whether TCTI and ESYS are initialized */
- return_if_null(context->esys, "Command can't be executed in none TPM mode.",
- TSS2_FAPI_RC_NO_TPM);
+ goto_if_null(context->esys, "Command can't be executed in none TPM mode.",
+ TSS2_FAPI_RC_NO_TPM, error_cleanup);
/* If the async state automata of FAPI shall be tested, then we must not set
the timeouts of ESYS to blocking mode.
@@ -167,12 +167,12 @@ Fapi_GetEsysBlob_Async(
to block until a result is available. */
#ifndef TEST_FAPI_ASYNC
r = Esys_SetTimeout(context->esys, TSS2_TCTI_TIMEOUT_BLOCK);
- return_if_error_reset_state(r, "Set Timeout to blocking");
+ goto_if_error_reset_state(r, "Set Timeout to blocking", error_cleanup);
#endif /* TEST_FAPI_ASYNC */
/* A TPM session will be created to enable object authorization */
r = ifapi_session_init(context);
- return_if_error(r, "Initialize GetEsysBlob");
+ goto_if_error(r, "Initialize GetEsysBlob", error_cleanup);
context->state = GET_ESYS_BLOB_GET_FILE;
--
2.34.3

30
SOURCES/0018-FAPI-Initialize-object-used-for-keystore-search.patch
View File

@ -1,30 +0,0 @@
From cd9987b0e400f8a77a19c3b8279eb931554cce7c Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
Date: Thu, 13 Jan 2022 11:46:22 +0100
Subject: [PATCH 18/23] FAPI: Initialize object used for keystore search.
For an empty keystore a cleanup of an uninitialized object was executed. No the object
type now is initialized with IFAPI_OBJ_NONE to prevent the cleanup.
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
---
src/tss2-fapi/ifapi_keystore.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/tss2-fapi/ifapi_keystore.c b/src/tss2-fapi/ifapi_keystore.c
index e805029f..c5486690 100644
--- a/src/tss2-fapi/ifapi_keystore.c
+++ b/src/tss2-fapi/ifapi_keystore.c
@@ -1173,6 +1173,9 @@ keystore_search_obj(
IFAPI_OBJECT object;
size_t i;
+ /* Mark object "unread" */
+ object.objectType = IFAPI_OBJ_NONE;
+
switch (keystore->key_search.state) {
statecase(keystore->key_search.state, KSEARCH_INIT)
r = ifapi_keystore_list_all(keystore,
--
2.34.3

30
SOURCES/0019-MU-Fix-buffer-upcast-leading-to-misalignment.patch
View File

@ -1,30 +0,0 @@
From 7514e0f35f08666aa0cd5edc2859104c19b7b2a1 Mon Sep 17 00:00:00 2001
From: Andreas Fuchs <andreas.fuchs@sit.fraunhofer.de>
Date: Thu, 13 Jan 2022 16:48:30 +0100
Subject: [PATCH 19/23] MU: Fix buffer upcast leading to misalignment
Signed-off-by: Andreas Fuchs <andreas.fuchs@sit.fraunhofer.de>
---
src/tss2-mu/tpm2b-types.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/tss2-mu/tpm2b-types.c b/src/tss2-mu/tpm2b-types.c
index 6aa2feb3..2e10f487 100644
--- a/src/tss2-mu/tpm2b-types.c
+++ b/src/tss2-mu/tpm2b-types.c
@@ -208,8 +208,10 @@ TSS2_RC Tss2_MU_##type##_Marshal(type const *src, uint8_t buffer[], \
return rc; \
\
/* Update the size to the real value */ \
- if (buffer) \
- *(UINT16 *)ptr = HOST_TO_BE_16(buffer + local_offset - ptr - 2); \
+ if (buffer) { \
+ UINT16 t = HOST_TO_BE_16(buffer + local_offset - ptr - 2); \
+ memcpy(ptr, &t, sizeof(t)); \
+ } \
\
if (offset != NULL) { \
*offset = local_offset; \
--
2.34.3

269
SOURCES/0021-sapi-scope-command-handles.patch
View File

@ -1,269 +0,0 @@
From 495309fd8c6ef3c705c46cc28f9df52f5d59cba8 Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Wed, 8 Jun 2022 11:09:53 -0500
Subject: [PATCH 21/23] sapi: scope command handles
Scope command handles to where they are used.
- Compared to the upstream commit d4dee42e already missing commands were
left out.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
src/tss2-sys/sysapi_util.c | 237 +++++++++++++++++++------------------
1 file changed, 119 insertions(+), 118 deletions(-)
diff --git a/src/tss2-sys/sysapi_util.c b/src/tss2-sys/sysapi_util.c
index 685fcee8..d84acc5d 100644
--- a/src/tss2-sys/sysapi_util.c
+++ b/src/tss2-sys/sysapi_util.c
@@ -168,127 +168,128 @@ TSS2_RC CommonOneCall(
return rval;
}
-static const COMMAND_HANDLES commandArray[] =
-{
- { TPM2_CC_Startup, 0, 0 },
- { TPM2_CC_Shutdown, 0, 0 },
- { TPM2_CC_SelfTest, 0, 0 },
- { TPM2_CC_IncrementalSelfTest, 0, 0 },
- { TPM2_CC_GetTestResult, 0, 0 },
- { TPM2_CC_StartAuthSession, 2, 1 },
- { TPM2_CC_PolicyRestart, 1, 0 },
- { TPM2_CC_Create, 1, 0 },
- { TPM2_CC_Load, 1, 1 },
- { TPM2_CC_LoadExternal, 0, 1 },
- { TPM2_CC_ReadPublic, 1, 0 },
- { TPM2_CC_ActivateCredential, 2, 0 },
- { TPM2_CC_MakeCredential, 1, 0 },
- { TPM2_CC_Unseal, 1, 0 },
- { TPM2_CC_ObjectChangeAuth, 2, 0 },
- { TPM2_CC_Duplicate, 2, 0 },
- { TPM2_CC_Rewrap, 2, 0 },
- { TPM2_CC_Import, 1, 0 },
- { TPM2_CC_RSA_Encrypt, 1, 0 },
- { TPM2_CC_RSA_Decrypt, 1, 0 },
- { TPM2_CC_ECDH_KeyGen, 1, 0 },
- { TPM2_CC_ECDH_ZGen, 1, 0 },
- { TPM2_CC_ECC_Parameters, 0, 0 },
- { TPM2_CC_ZGen_2Phase, 1, 0 },
- { TPM2_CC_EncryptDecrypt, 1, 0 },
- { TPM2_CC_EncryptDecrypt2, 1, 0 },
- { TPM2_CC_Hash, 0, 0 },
- { TPM2_CC_HMAC, 1, 0 },
- { TPM2_CC_GetRandom, 0, 0 },
- { TPM2_CC_StirRandom, 0, 0 },
- { TPM2_CC_HMAC_Start, 1, 1 },
- { TPM2_CC_HashSequenceStart, 0, 1 },
- { TPM2_CC_SequenceUpdate, 1, 0 },
- { TPM2_CC_SequenceComplete, 1, 0 },
- { TPM2_CC_EventSequenceComplete, 2, 0 },
- { TPM2_CC_Certify, 2, 0 },
- { TPM2_CC_CertifyCreation, 2, 0 },
- { TPM2_CC_Quote, 1, 0 },
- { TPM2_CC_GetSessionAuditDigest, 3, 0 },
- { TPM2_CC_GetCommandAuditDigest, 2, 0 },
- { TPM2_CC_GetTime, 2, 0 },
- { TPM2_CC_Commit, 1, 0 },
- { TPM2_CC_EC_Ephemeral, 0, 0 },
- { TPM2_CC_VerifySignature, 1, 0 },
- { TPM2_CC_Sign, 1, 0 },
- { TPM2_CC_SetCommandCodeAuditStatus, 1, 0 },
- { TPM2_CC_PCR_Extend, 1, 0 },
- { TPM2_CC_PCR_Event, 1, 0 },
- { TPM2_CC_PCR_Read, 0, 0 },
- { TPM2_CC_PCR_Allocate, 1, 0 },
- { TPM2_CC_PCR_SetAuthPolicy, 1, 0 },
- { TPM2_CC_PCR_SetAuthValue, 1, 0 },
- { TPM2_CC_PCR_Reset, 1, 0 },
- { TPM2_CC_PolicySigned, 2, 0 },
- { TPM2_CC_PolicySecret, 2, 0 },
- { TPM2_CC_PolicyTicket, 1, 0 },
- { TPM2_CC_PolicyOR, 1, 0 },
- { TPM2_CC_PolicyPCR, 1, 0 },
- { TPM2_CC_PolicyLocality, 1, 0 },
- { TPM2_CC_PolicyNV, 3, 0 },
- { TPM2_CC_PolicyNvWritten, 1, 0 },
- { TPM2_CC_PolicyCounterTimer, 1, 0 },
- { TPM2_CC_PolicyCommandCode, 1, 0 },
- { TPM2_CC_PolicyPhysicalPresence, 1, 0 },
- { TPM2_CC_PolicyCpHash, 1, 0 },
- { TPM2_CC_PolicyNameHash, 1, 0 },
- { TPM2_CC_PolicyDuplicationSelect, 1, 0 },
- { TPM2_CC_PolicyAuthorize, 1, 0 },
- { TPM2_CC_PolicyAuthValue, 1, 0 },
- { TPM2_CC_PolicyPassword, 1, 0 },
- { TPM2_CC_PolicyGetDigest, 1, 0 },
- { TPM2_CC_PolicyTemplate, 1, 0 },
- { TPM2_CC_CreatePrimary, 1, 1 },
- { TPM2_CC_HierarchyControl, 1, 0 },
- { TPM2_CC_SetPrimaryPolicy, 1, 0 },
- { TPM2_CC_ChangePPS, 1, 0 },
- { TPM2_CC_ChangeEPS, 1, 0 },
- { TPM2_CC_Clear, 1, 0 },
- { TPM2_CC_ClearControl, 1, 0 },
- { TPM2_CC_HierarchyChangeAuth, 1, 0 },
- { TPM2_CC_DictionaryAttackLockReset, 1, 0 },
- { TPM2_CC_DictionaryAttackParameters, 1, 0 },
- { TPM2_CC_PP_Commands, 1, 0 },
- { TPM2_CC_SetAlgorithmSet, 1, 0 },
- { TPM2_CC_FieldUpgradeStart, 2, 0 },
- { TPM2_CC_FieldUpgradeData, 0, 0 },
- { TPM2_CC_FirmwareRead, 0, 0 },
- { TPM2_CC_ContextSave, 1, 0 },
- { TPM2_CC_ContextLoad, 0, 1 },
- { TPM2_CC_FlushContext, 1, 0 },
- { TPM2_CC_EvictControl, 2, 0 },
- { TPM2_CC_ReadClock, 0, 0 },
- { TPM2_CC_ClockSet, 1, 0 },
- { TPM2_CC_ClockRateAdjust, 1, 0 },
- { TPM2_CC_GetCapability, 0, 0 },
- { TPM2_CC_TestParms, 0, 0 },
- { TPM2_CC_NV_DefineSpace, 1, 0 },
- { TPM2_CC_NV_UndefineSpace, 2, 0 },
- { TPM2_CC_NV_UndefineSpaceSpecial, 2, 0 },
- { TPM2_CC_NV_ReadPublic, 1, 0 },
- { TPM2_CC_NV_Write, 2, 0 },
- { TPM2_CC_NV_Increment, 2, 0 },
- { TPM2_CC_NV_Extend, 2, 0 },
- { TPM2_CC_NV_SetBits, 2, 0 },
- { TPM2_CC_NV_WriteLock, 2, 0 },
- { TPM2_CC_NV_GlobalWriteLock, 1, 0 },
- { TPM2_CC_NV_Read, 2, 0 },
- { TPM2_CC_NV_ReadLock, 2, 0 },
- { TPM2_CC_NV_ChangeAuth, 1, 0 },
- { TPM2_CC_NV_Certify, 3, 0 },
- { TPM2_CC_CreateLoaded, 1, 1 },
- { TPM2_CC_PolicyAuthorizeNV, 3, 0 },
- { TPM2_CC_AC_GetCapability, 1, 0 },
- { TPM2_CC_AC_Send, 3, 0 },
- { TPM2_CC_Policy_AC_SendSelect, 1, 0 }
-};
static int GetNumHandles(TPM2_CC commandCode, bool req)
{
+ static const COMMAND_HANDLES commandArray[] =
+ {
+ { TPM2_CC_Startup, 0, 0 },
+ { TPM2_CC_Shutdown, 0, 0 },
+ { TPM2_CC_SelfTest, 0, 0 },
+ { TPM2_CC_IncrementalSelfTest, 0, 0 },
+ { TPM2_CC_GetTestResult, 0, 0 },
+ { TPM2_CC_StartAuthSession, 2, 1 },
+ { TPM2_CC_PolicyRestart, 1, 0 },
+ { TPM2_CC_Create, 1, 0 },
+ { TPM2_CC_Load, 1, 1 },
+ { TPM2_CC_LoadExternal, 0, 1 },
+ { TPM2_CC_ReadPublic, 1, 0 },
+ { TPM2_CC_ActivateCredential, 2, 0 },
+ { TPM2_CC_MakeCredential, 1, 0 },
+ { TPM2_CC_Unseal, 1, 0 },
+ { TPM2_CC_ObjectChangeAuth, 2, 0 },
+ { TPM2_CC_Duplicate, 2, 0 },
+ { TPM2_CC_Rewrap, 2, 0 },
+ { TPM2_CC_Import, 1, 0 },
+ { TPM2_CC_RSA_Encrypt, 1, 0 },
+ { TPM2_CC_RSA_Decrypt, 1, 0 },
+ { TPM2_CC_ECDH_KeyGen, 1, 0 },
+ { TPM2_CC_ECDH_ZGen, 1, 0 },
+ { TPM2_CC_ECC_Parameters, 0, 0 },
+ { TPM2_CC_ZGen_2Phase, 1, 0 },
+ { TPM2_CC_EncryptDecrypt, 1, 0 },
+ { TPM2_CC_EncryptDecrypt2, 1, 0 },
+ { TPM2_CC_Hash, 0, 0 },
+ { TPM2_CC_HMAC, 1, 0 },
+ { TPM2_CC_GetRandom, 0, 0 },
+ { TPM2_CC_StirRandom, 0, 0 },
+ { TPM2_CC_HMAC_Start, 1, 1 },
+ { TPM2_CC_HashSequenceStart, 0, 1 },
+ { TPM2_CC_SequenceUpdate, 1, 0 },
+ { TPM2_CC_SequenceComplete, 1, 0 },
+ { TPM2_CC_EventSequenceComplete, 2, 0 },
+ { TPM2_CC_Certify, 2, 0 },
+ { TPM2_CC_CertifyCreation, 2, 0 },
+ { TPM2_CC_Quote, 1, 0 },
+ { TPM2_CC_GetSessionAuditDigest, 3, 0 },
+ { TPM2_CC_GetCommandAuditDigest, 2, 0 },
+ { TPM2_CC_GetTime, 2, 0 },
+ { TPM2_CC_Commit, 1, 0 },
+ { TPM2_CC_EC_Ephemeral, 0, 0 },
+ { TPM2_CC_VerifySignature, 1, 0 },
+ { TPM2_CC_Sign, 1, 0 },
+ { TPM2_CC_SetCommandCodeAuditStatus, 1, 0 },
+ { TPM2_CC_PCR_Extend, 1, 0 },
+ { TPM2_CC_PCR_Event, 1, 0 },
+ { TPM2_CC_PCR_Read, 0, 0 },
+ { TPM2_CC_PCR_Allocate, 1, 0 },
+ { TPM2_CC_PCR_SetAuthPolicy, 1, 0 },
+ { TPM2_CC_PCR_SetAuthValue, 1, 0 },
+ { TPM2_CC_PCR_Reset, 1, 0 },
+ { TPM2_CC_PolicySigned, 2, 0 },
+ { TPM2_CC_PolicySecret, 2, 0 },
+ { TPM2_CC_PolicyTicket, 1, 0 },
+ { TPM2_CC_PolicyOR, 1, 0 },
+ { TPM2_CC_PolicyPCR, 1, 0 },
+ { TPM2_CC_PolicyLocality, 1, 0 },
+ { TPM2_CC_PolicyNV, 3, 0 },
+ { TPM2_CC_PolicyNvWritten, 1, 0 },
+ { TPM2_CC_PolicyCounterTimer, 1, 0 },
+ { TPM2_CC_PolicyCommandCode, 1, 0 },
+ { TPM2_CC_PolicyPhysicalPresence, 1, 0 },
+ { TPM2_CC_PolicyCpHash, 1, 0 },
+ { TPM2_CC_PolicyNameHash, 1, 0 },
+ { TPM2_CC_PolicyDuplicationSelect, 1, 0 },
+ { TPM2_CC_PolicyAuthorize, 1, 0 },
+ { TPM2_CC_PolicyAuthValue, 1, 0 },
+ { TPM2_CC_PolicyPassword, 1, 0 },
+ { TPM2_CC_PolicyGetDigest, 1, 0 },
+ { TPM2_CC_PolicyTemplate, 1, 0 },
+ { TPM2_CC_CreatePrimary, 1, 1 },
+ { TPM2_CC_HierarchyControl, 1, 0 },
+ { TPM2_CC_SetPrimaryPolicy, 1, 0 },
+ { TPM2_CC_ChangePPS, 1, 0 },
+ { TPM2_CC_ChangeEPS, 1, 0 },
+ { TPM2_CC_Clear, 1, 0 },
+ { TPM2_CC_ClearControl, 1, 0 },
+ { TPM2_CC_HierarchyChangeAuth, 1, 0 },
+ { TPM2_CC_DictionaryAttackLockReset, 1, 0 },
+ { TPM2_CC_DictionaryAttackParameters, 1, 0 },
+ { TPM2_CC_PP_Commands, 1, 0 },
+ { TPM2_CC_SetAlgorithmSet, 1, 0 },
+ { TPM2_CC_FieldUpgradeStart, 2, 0 },
+ { TPM2_CC_FieldUpgradeData, 0, 0 },
+ { TPM2_CC_FirmwareRead, 0, 0 },
+ { TPM2_CC_ContextSave, 1, 0 },
+ { TPM2_CC_ContextLoad, 0, 1 },
+ { TPM2_CC_FlushContext, 1, 0 },
+ { TPM2_CC_EvictControl, 2, 0 },
+ { TPM2_CC_ReadClock, 0, 0 },
+ { TPM2_CC_ClockSet, 1, 0 },
+ { TPM2_CC_ClockRateAdjust, 1, 0 },
+ { TPM2_CC_GetCapability, 0, 0 },
+ { TPM2_CC_TestParms, 0, 0 },
+ { TPM2_CC_NV_DefineSpace, 1, 0 },
+ { TPM2_CC_NV_UndefineSpace, 2, 0 },
+ { TPM2_CC_NV_UndefineSpaceSpecial, 2, 0 },
+ { TPM2_CC_NV_ReadPublic, 1, 0 },
+ { TPM2_CC_NV_Write, 2, 0 },
+ { TPM2_CC_NV_Increment, 2, 0 },
+ { TPM2_CC_NV_Extend, 2, 0 },
+ { TPM2_CC_NV_SetBits, 2, 0 },
+ { TPM2_CC_NV_WriteLock, 2, 0 },
+ { TPM2_CC_NV_GlobalWriteLock, 1, 0 },
+ { TPM2_CC_NV_Read, 2, 0 },
+ { TPM2_CC_NV_ReadLock, 2, 0 },
+ { TPM2_CC_NV_ChangeAuth, 1, 0 },
+ { TPM2_CC_NV_Certify, 3, 0 },
+ { TPM2_CC_CreateLoaded, 1, 1 },
+ { TPM2_CC_PolicyAuthorizeNV, 3, 0 },
+ { TPM2_CC_AC_GetCapability, 1, 0 },
+ { TPM2_CC_AC_Send, 3, 0 },
+ { TPM2_CC_Policy_AC_SendSelect, 1, 0 }
+ };
+
uint8_t i;
for (i = 0; i < sizeof(commandArray) / sizeof(COMMAND_HANDLES); i++) {
--
2.34.3

26
SOURCES/0022-fapi-use-correct-userdata-for-cbauthnv.patch
View File

@ -1,26 +0,0 @@
From b289b38764e9f6c4fbe50008fede7baa47098a58 Mon Sep 17 00:00:00 2001
From: Erik Larsson <who+github@cnackers.org>
Date: Mon, 4 Jul 2022 19:14:30 +0200
Subject: [PATCH 22/23] fapi: use correct userdata for cbauthnv
Signed-off-by: Erik Larsson <who+github@cnackers.org>
---
src/tss2-fapi/ifapi_policy_execute.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tss2-fapi/ifapi_policy_execute.c b/src/tss2-fapi/ifapi_policy_execute.c
index caae103e..ddaf255c 100644
--- a/src/tss2-fapi/ifapi_policy_execute.c
+++ b/src/tss2-fapi/ifapi_policy_execute.c
@@ -760,7 +760,7 @@ execute_policy_authorize_nv(
switch (current_policy->state) {
statecase(current_policy->state, POLICY_EXECUTE_INIT)
/* Execute the policy stored in the NV object. */
- r = cb->cbauthnv(&policy->nvPublic, hash_alg, cb->cbauthpol_userdata);
+ r = cb->cbauthnv(&policy->nvPublic, hash_alg, cb->cbauthnv_userdata);
try_again_or_error(r, "Execute policy authorize nv callback.");
r = ifapi_nv_get_name(&policy->nvPublic, &current_policy->name);
--
2.34.3

36
SOURCES/0023-SAPI-fix-number-of-handles-for-FlushContext.patch
View File

@ -1,36 +0,0 @@
From ecfc3b4c1e9a59c6a230398bced24118d19ea099 Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Thu, 7 Jul 2022 09:00:19 -0500
Subject: [PATCH 23/23] SAPI: fix number of handles for FlushContext
The lookup table for the number of command handles for
Tss2_Sys_FlushContext has the count set to 1, when in reality the
command takes no handles in the handle area but a handle as the input
parameter. This works currently because handles and parameters are just
concatenated and the parsing logic on the TPM just unpacks them, so in
this case, thet're in the same spot with the same value. This goes
unnoticed until you call Tss2_Sys_GetCpBuffer and the buffer is empty as
the logic things its a handle in the handle area and not a handle in the
parameter area.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
src/tss2-sys/sysapi_util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tss2-sys/sysapi_util.c b/src/tss2-sys/sysapi_util.c
index d84acc5d..a92f47a2 100644
--- a/src/tss2-sys/sysapi_util.c
+++ b/src/tss2-sys/sysapi_util.c
@@ -262,7 +262,7 @@ static int GetNumHandles(TPM2_CC commandCode, bool req)
{ TPM2_CC_FirmwareRead, 0, 0 },
{ TPM2_CC_ContextSave, 1, 0 },
{ TPM2_CC_ContextLoad, 0, 1 },
- { TPM2_CC_FlushContext, 1, 0 },
+ { TPM2_CC_FlushContext, 0, 0 },
{ TPM2_CC_EvictControl, 2, 0 },
{ TPM2_CC_ReadClock, 0, 0 },
{ TPM2_CC_ClockSet, 1, 0 },
--
2.34.3

2
SOURCES/tpm2-tss-systemd-sysusers.conf Normal file
View File

@ -0,0 +1,2 @@
#Type Name ID GECOS Home directory Shell
u tss 59 "Account used for TPM access" - -

85
SPECS/tpm2-tss.spec
View File

@ -1,52 +1,25 @@
Name: tpm2-tss
Version: 3.0.3
Release: 8%{?dist}
Version: 3.2.2
Release: 2%{?dist}
Summary: TPM2.0 Software Stack
# The entire source code is under BSD except implementation.h and tpmb.h which
# is under TCGL(Trusted Computing Group License).
License: BSD and TCGL
License: BSD
URL: https://github.com/tpm2-software/tpm2-tss
Source0: https://github.com/tpm2-software/tpm2-tss/releases/download/%{version}/%{name}-%{version}.tar.gz
# doxygen crash
Source1: tpm2-tss-systemd-sysusers.conf
# doxygen patch
Patch0: tpm2-tss-3.0.0-doxygen.patch
# OpenSSL 3 support
Patch1: 0001-FAPI-Fix-reading-of-the-root-certificate-for-provisi.patch
Patch2: 0002-FAPI-use-FAPI_TEST_EK_CERT_LESS-with-disable-self-ge.patch
Patch3: 0003-Makefile.am-Use-LIBCRYPTO_CFLAGS-when-building-FAPI.patch
Patch4: 0004-Test-Remove-duplicate-openssl-req-new.patch
Patch5: 0005-FAPI-Test-Call-EVP_DigestSignInit-in-the-correct-ord.patch
Patch6: 0006-FAPI-Test-Use-EVP_PKEY_base_id-to-detect-key-type.patch
Patch7: 0007-FAPI-Test-Change-RSA_sign-to-EVP_PKEY_sign.patch
Patch8: 0008-Require-OpenSSL-1.1.0.patch
Patch9: 0009-FAPI-Change-SHA256_Update-to-EVP_DigestUpdate.patch
Patch10: 0010-Test-Use-EVP_MAC_xxx-with-OpenSSL-3.0.patch
Patch11: 0011-Drop-support-for-OpenSSL-1.1.0.patch
Patch12: 0012-Implement-EVP_PKEY-export-import-for-OpenSSL-3.0.patch
Patch13: 0001-esys_crypto_ossl-remove-non-needed-_ex-OSSL-funcs.patch
Patch14: 0002-FAPI-Remove-useless-code-get_engine.patch
Patch15: 0003-FAPI-Remove-fauly-free-of-an-unused-field.patch
Patch16: 0004-Remove-deprecated-OpenSSL_add_all_algorithms.patch
Patch17: 0005-Use-default-OpenSSL-context-for-internal-crypto-oper.patch
Patch18: 0006-FAPI-Add-policy-computation-for-create-primary.patch
Patch19: 0007-FAPI-Fix-loading-of-primary-keys.patch
Patch20: 0008-Fix-file-descriptor-leak-when-tcti-initialization-fa.patch
Patch21: 0009-FAPI-Fix-leak-in-fapi-crypto-with-ossl3.patch
Patch22: 0010-FAPI-Fix-memory-leak-after-ifapi_init_primary_finish.patch
Patch23: 0011-esys-Return-an-error-if-ESYS_TR_NONE-is-passed-to-Es.patch
Patch24: 0012-FAPI-Fixed-memory-leak-when-ifapi_get_certificates-f.patch
Patch25: 0013-FAPI-Free-object-when-keystore_search_obj-failed.patch
Patch26: 0014-FAPI-Fixed-the-memory-leak-of-command-data-when-Fapi.patch
Patch27: 0015-ESYS-Fixed-annotation-error-of-Esys_TR_Deserialize.patch
Patch28: 0016-FAPI-Clean-up-memory-when-Fapi_Delete_Async-failed.patch
Patch29: 0017-FAPI-Clean-up-memory-when-Fapi_GetEsysBlob_Async-fai.patch
Patch30: 0018-FAPI-Initialize-object-used-for-keystore-search.patch
Patch31: 0019-MU-Fix-buffer-upcast-leading-to-misalignment.patch
Patch32: 0020-esys_iutil-fix-possible-NPD.patch
Patch33: 0021-sapi-scope-command-handles.patch
Patch34: 0022-fapi-use-correct-userdata-for-cbauthnv.patch
Patch35: 0023-SAPI-fix-number-of-handles-for-FlushContext.patch
Patch2: 0001-esys_iutil-fix-possible-NPD.patch
Patch3: 0001-tss2-rc-fix-unknown-layer-handler-dropping-bits.patch
Patch4: 0002-MU-Fix-unneeded-size-check-in-TPM2B-unmarshaling.patch
Patch5: 0003-FAPI-Fix-parameter-encryption-for-provisioning.patch
Patch6: 0004-FAPI-Fix-missing-parameter-encryption-for-policy-ses.patch
Patch7: 0005-FAPI-Fix-missing-parameter-encryption-for-some-HMAC-.patch
Patch8: 0006-FAPI-Fix-usage-of-persistent-handles.patch
Patch11: 0007-build-Fix-failed-build-with-disable-vendor.patch
Patch12: 0008-FAPI-Fapi_GetInfo-display-warning-for-SHA3-hash-algs.patch
Patch13: 0009-FAPI-Skip-provisioning-test-for-nv-ext-and-profile-p.patch
Patch14: 0010-FAPI-Fix-wrong-allocation-of-pcr-policy.patch
%global udevrules_prefix 60-
@ -62,6 +35,7 @@ BuildRequires: libtool
BuildRequires: openssl-devel
BuildRequires: pkgconfig
BuildRequires: systemd
BuildRequires: systemd-rpm-macros
Requires(pre): shadow-utils
%description
@ -73,9 +47,9 @@ APIs for applications to access TPM module through kernel TPM drivers.
%autosetup -p1 -n %{name}-%{version}
%build
autoreconf -i
# Use built-in tpm-udev.rules, with specified installation path and prefix.
%configure --disable-static --disable-silent-rules \
--disable-tcti-pcap --disable-tcti-libtpms \
--with-udevrulesdir=%{_udevrulesdir} --with-udevrulesprefix=%{udevrules_prefix} \
--with-runstatedir=%{_rundir} --with-tmpfilesdir=%{_tmpfilesdir} --with-sysusersdir=%{_sysusersdir}
@ -88,16 +62,11 @@ sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
%install
%make_install
find %{buildroot}%{_libdir} -type f -name \*.la -delete
rm %{buildroot}%{_sysusersdir}/tpm2-tss.conf
install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/tpm2-tss.conf
%pre
getent group tss >/dev/null || groupadd -f -g 59 -r tss
if ! getent passwd tss >/dev/null ; then
if ! getent passwd 59 >/dev/null ; then
useradd -r -u 59 -g tss -d /dev/null -s /sbin/nologin -c "Account used for TPM access" tss
else
useradd -r -g tss -d /dev/null -s /sbin/nologin -c "Account used for TPM access" tss
fi
fi
%sysusers_create_compat %{SOURCE1}
exit 0
%ldconfig_scriptlets
@ -156,6 +125,18 @@ use tpm2-tss.
%changelog
* Mon Jul 3 2023 Štěpán Horáček <shoracek@redhat.com> - 3.2.2-2
- Remove misapplied license
Resolves: rhbz#2160307
* Fri Jun 23 2023 Štěpán Horáček <shoracek@redhat.com> - 3.2.2-1
- Rebase to 3.2.2
- Use systemd-sysusers to create user
Resolves: CVE-2023-22745
Resolves: rhbz#2095479
Resolves: rhbz#2160307
Resolves: rhbz#2162613
* Wed Aug 10 2022 Štěpán Horáček <shoracek@redhat.com> - 3.0.3-8
- Fix memory leaks, potential crashes, upgrade to OpenSSL 3
Resolves: rhbz#2041919