import CS tpm2-tss-3.2.2-2.el9
This commit is contained in:
parent
72d6299b99
commit
b8043f3516
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/tpm2-tss-3.0.3.tar.gz
|
||||
SOURCES/tpm2-tss-3.2.2.tar.gz
|
||||
|
@ -1 +1 @@
|
||||
f83a4a9e544893c42ec108f6616a75e2f209d2d3 SOURCES/tpm2-tss-3.0.3.tar.gz
|
||||
6ebd166443d782e270b3f408e1489284e30dd608 SOURCES/tpm2-tss-3.2.2.tar.gz
|
||||
|
@ -1,61 +0,0 @@
|
||||
From c14bd543879f2336e57aa2dff0b437407d858272 Mon Sep 17 00:00:00 2001
|
||||
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
|
||||
Date: Fri, 19 Feb 2021 14:32:45 +0100
|
||||
Subject: FAPI: Fix reading of the root certificate for
|
||||
provisioning.
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
* The root certificate defined by the environment variable FAPI_TEST_ROOT_CERT will
|
||||
only be used if it's allowed to use self generated root certificate with
|
||||
./configure --enable-self-generated-certificate
|
||||
|
||||
* This option is added to all integration tests which are using the TPM simulator.
|
||||
|
||||
- Compared to the upstream commit 199b4edc the changes to CI config files
|
||||
are omitted.
|
||||
|
||||
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
|
||||
---
|
||||
configure.ac | 8 ++++++++
|
||||
src/tss2-fapi/api/Fapi_Provision.c | 4 ++++
|
||||
2 files changed, 12 insertions(+)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index f4df879c..d3bbb93d 100755
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -440,6 +440,14 @@ AC_ARG_ENABLE([weakcrypto],
|
||||
AS_IF([test "x$enable_weakcrypto" = "xyes"],
|
||||
AC_DEFINE([DISABLE_WEAK_CRYPTO],[1],[DISABLE WEAK CRYPTO ALGORITHMS]))
|
||||
|
||||
+AC_ARG_ENABLE([self-generated-certificate],
|
||||
+ [AS_HELP_STRING([--enable-self-generated-certificate],
|
||||
+ [Alllow usage of self generated root certifcate])],,
|
||||
+ [enable_self_generated_certificate=no])
|
||||
+AS_IF([test "x$enable_self_generated_certificate" == xyes],
|
||||
+ [AC_DEFINE([SELF_GENERATED_CERTIFICATE],[1], [Allow usage of self generated root certifcate])])
|
||||
+
|
||||
+
|
||||
AC_SUBST([PATH])
|
||||
|
||||
dnl --------- Doxy Gen -----------------------
|
||||
diff --git a/src/tss2-fapi/api/Fapi_Provision.c b/src/tss2-fapi/api/Fapi_Provision.c
|
||||
index 00534a2e..9cf804ad 100644
|
||||
--- a/src/tss2-fapi/api/Fapi_Provision.c
|
||||
+++ b/src/tss2-fapi/api/Fapi_Provision.c
|
||||
@@ -797,7 +797,11 @@ Fapi_Provision_Finish(FAPI_CONTEXT *context)
|
||||
|
||||
statecase(context->state, PROVISION_PREPARE_READ_ROOT_CERT);
|
||||
/* Prepare reading of root certificate. */
|
||||
+ root_ca_file = NULL;
|
||||
+#ifdef SELF_GENERATED_CERTIFICATE
|
||||
+#pragma message ( "*** Allow self generated certifcate ***" )
|
||||
root_ca_file = getenv("FAPI_TEST_ROOT_CERT");
|
||||
+#endif
|
||||
if (!root_ca_file) {
|
||||
context->state = PROVISION_EK_CHECK_CERT;
|
||||
return TSS2_FAPI_RC_TRY_AGAIN;
|
||||
--
|
||||
2.26.3
|
@ -1,99 +0,0 @@
|
||||
From 446aef29b5e5d376a3724dbf95c851ac82baeb7f Mon Sep 17 00:00:00 2001
|
||||
From: William Roberts <william.c.roberts@intel.com>
|
||||
Date: Thu, 19 Nov 2020 11:09:56 -0600
|
||||
Subject: [PATCH 01/23] esys_crypto_ossl: remove non-needed _ex OSSL funcs
|
||||
|
||||
Some of the OSSL _ex suffixed routines remained even after the ENGINE
|
||||
pointer was removed. The _ex functions with NULL engine don't do
|
||||
anything different then the non _ex suffixed ones. One _ex routine
|
||||
remains, RSA_generate_key_ex, becuase the _ex version is deprecated.
|
||||
|
||||
Signed-off-by: William Roberts <william.c.roberts@intel.com>
|
||||
---
|
||||
src/tss2-esys/esys_crypto_ossl.c | 23 +++++++++++------------
|
||||
1 file changed, 11 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c
|
||||
index 392f97ae..6856e92d 100644
|
||||
--- a/src/tss2-esys/esys_crypto_ossl.c
|
||||
+++ b/src/tss2-esys/esys_crypto_ossl.c
|
||||
@@ -136,10 +136,9 @@ iesys_cryptossl_hash_start(IESYS_CRYPTO_CONTEXT_BLOB ** context,
|
||||
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Error EVP_MD_CTX_create", cleanup);
|
||||
}
|
||||
|
||||
- if (1 != EVP_DigestInit_ex(mycontext->hash.ossl_context,
|
||||
- mycontext->hash.ossl_hash_alg,
|
||||
- NULL)) {
|
||||
- goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Errror EVP_DigestInit_ex", cleanup);
|
||||
+ if (1 != EVP_DigestInit(mycontext->hash.ossl_context,
|
||||
+ mycontext->hash.ossl_hash_alg)) {
|
||||
+ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Errror EVP_DigestInit", cleanup);
|
||||
}
|
||||
|
||||
*context = (IESYS_CRYPTO_CONTEXT_BLOB *) mycontext;
|
||||
@@ -241,13 +240,13 @@ iesys_cryptossl_hash_finish(IESYS_CRYPTO_CONTEXT_BLOB ** context,
|
||||
return_error(TSS2_ESYS_RC_BAD_SIZE, "Buffer too small");
|
||||
}
|
||||
|
||||
- if (1 != EVP_DigestFinal_ex(mycontext->hash.ossl_context, buffer, &digest_size)) {
|
||||
+ if (1 != EVP_DigestFinal(mycontext->hash.ossl_context, buffer, &digest_size)) {
|
||||
return_error(TSS2_ESYS_RC_GENERAL_FAILURE, "Ossl error.");
|
||||
}
|
||||
|
||||
if (digest_size != mycontext->hash.hash_len) {
|
||||
return_error(TSS2_ESYS_RC_GENERAL_FAILURE,
|
||||
- "Invalid size computed by EVP_DigestFinal_ex");
|
||||
+ "Invalid size computed by EVP_DigestFinal");
|
||||
}
|
||||
|
||||
LOGBLOB_TRACE(buffer, mycontext->hash.hash_len, "read hash result");
|
||||
@@ -1056,11 +1055,11 @@ iesys_cryptossl_sym_aes_encrypt(uint8_t * key,
|
||||
"Initialize cipher context", cleanup);
|
||||
}
|
||||
|
||||
- if (1 != EVP_EncryptInit_ex(ctx, cipher_alg, NULL, key, iv)) {
|
||||
+ if (1 != EVP_EncryptInit(ctx, cipher_alg,key, iv)) {
|
||||
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
|
||||
"Initialize cipher operation", cleanup);
|
||||
}
|
||||
- if (1 != EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv)) {
|
||||
+ if (1 != EVP_EncryptInit(ctx, NULL, key, iv)) {
|
||||
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Set key and iv", cleanup);
|
||||
}
|
||||
|
||||
@@ -1069,7 +1068,7 @@ iesys_cryptossl_sym_aes_encrypt(uint8_t * key,
|
||||
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Encrypt update", cleanup);
|
||||
}
|
||||
|
||||
- if (1 != EVP_EncryptFinal_ex(ctx, buffer, &cipher_len)) {
|
||||
+ if (1 != EVP_EncryptFinal(ctx, buffer, &cipher_len)) {
|
||||
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Encrypt final", cleanup);
|
||||
}
|
||||
LOGBLOB_TRACE(buffer, buffer_size, "IESYS AES output");
|
||||
@@ -1144,12 +1143,12 @@ iesys_cryptossl_sym_aes_decrypt(uint8_t * key,
|
||||
|
||||
LOGBLOB_TRACE(buffer, buffer_size, "IESYS AES input");
|
||||
|
||||
- if (1 != EVP_DecryptInit_ex(ctx, cipher_alg, NULL, key, iv)) {
|
||||
+ if (1 != EVP_DecryptInit(ctx, cipher_alg, key, iv)) {
|
||||
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
|
||||
"Initialize cipher operation", cleanup);
|
||||
}
|
||||
|
||||
- if (1 != EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv)) {
|
||||
+ if (1 != EVP_DecryptInit(ctx, NULL, key, iv)) {
|
||||
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Set key and iv", cleanup);
|
||||
}
|
||||
|
||||
@@ -1158,7 +1157,7 @@ iesys_cryptossl_sym_aes_decrypt(uint8_t * key,
|
||||
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Encrypt update", cleanup);
|
||||
}
|
||||
|
||||
- if (1 != EVP_DecryptFinal_ex(ctx, buffer, &cipher_len)) {
|
||||
+ if (1 != EVP_DecryptFinal(ctx, buffer, &cipher_len)) {
|
||||
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Encrypt final", cleanup);
|
||||
}
|
||||
LOGBLOB_TRACE(buffer, buffer_size, "IESYS AES output");
|
||||
--
|
||||
2.34.3
|
||||
|
@ -1,7 +1,7 @@
|
||||
From f140a8e5fdb2f3b9fbc3b32d1a844554008c2298 Mon Sep 17 00:00:00 2001
|
||||
From f5907e96363729e16475172ef1056532d9404482 Mon Sep 17 00:00:00 2001
|
||||
From: William Roberts <william.c.roberts@intel.com>
|
||||
Date: Fri, 3 Jun 2022 11:51:02 -0500
|
||||
Subject: [PATCH 20/23] esys_iutil: fix possible NPD
|
||||
Subject: [PATCH 1/2] esys_iutil: fix possible NPD
|
||||
|
||||
Clang-10 scan-build reports:
|
||||
src/tss2-esys/esys_iutil.c:1366:56: warning: Dereference of null pointer
|
||||
@ -24,10 +24,10 @@ Signed-off-by: William Roberts <william.c.roberts@intel.com>
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/tss2-esys/esys_iutil.c b/src/tss2-esys/esys_iutil.c
|
||||
index 0cc92ca5..493f9b28 100644
|
||||
index 4d31cef8..b364dd73 100644
|
||||
--- a/src/tss2-esys/esys_iutil.c
|
||||
+++ b/src/tss2-esys/esys_iutil.c
|
||||
@@ -1339,7 +1339,7 @@ iesys_gen_auths(ESYS_CONTEXT * esys_context,
|
||||
@@ -1352,7 +1352,7 @@ iesys_gen_auths(ESYS_CONTEXT * esys_context,
|
||||
&& encryptNonceIdx > 0) ? encryptNonce : NULL,
|
||||
&auths->auths[session_idx]);
|
||||
return_if_error(r, "Error while computing hmacs");
|
||||
@ -37,5 +37,5 @@ index 0cc92ca5..493f9b28 100644
|
||||
auths->count++;
|
||||
}
|
||||
--
|
||||
2.34.3
|
||||
2.39.2
|
||||
|
@ -0,0 +1,65 @@
|
||||
From eb2fd8b436688377a20d24a467fd03e62d3e6c06 Mon Sep 17 00:00:00 2001
|
||||
From: William Roberts <william.c.roberts@intel.com>
|
||||
Date: Tue, 24 Jan 2023 10:01:23 -0600
|
||||
Subject: [PATCH 01/10] tss2-rc: fix unknown layer handler dropping bits
|
||||
|
||||
The commit (on 4.0.1 and master):
|
||||
- 49107d65d5c7 tss2_rc: ensure layer number is in bounds
|
||||
|
||||
Introduces a bug where the right shift by 8 drops the lower byte going
|
||||
into the unknown_layer handler function. This will effectively drop rc
|
||||
error bits for unknown layers. The largest impact will be on windows
|
||||
where their resource manager is not a registered handler.
|
||||
|
||||
Fix this by just dumping all the bytes and not get fancy with masking
|
||||
things out.
|
||||
|
||||
Fixes: #2550
|
||||
|
||||
Signed-off-by: William Roberts <william.c.roberts@intel.com>
|
||||
---
|
||||
src/tss2-rc/tss2_rc.c | 4 ++--
|
||||
test/unit/test_tss2_rc.c | 4 ++--
|
||||
2 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/tss2-rc/tss2_rc.c b/src/tss2-rc/tss2_rc.c
|
||||
index 7e668a46..6de7d6f3 100644
|
||||
--- a/src/tss2-rc/tss2_rc.c
|
||||
+++ b/src/tss2-rc/tss2_rc.c
|
||||
@@ -985,9 +985,9 @@ Tss2_RC_Decode(TSS2_RC rc)
|
||||
} else {
|
||||
/*
|
||||
* we don't want to drop any bits if we don't know what to do with it
|
||||
- * so drop the layer byte since we we already have that.
|
||||
+ * so just send the whole thing.
|
||||
*/
|
||||
- const char *e = unknown_layer_handler(rc >> 8);
|
||||
+ const char *e = unknown_layer_handler(rc);
|
||||
assert(e);
|
||||
catbuf(buf, "%s", e);
|
||||
}
|
||||
diff --git a/test/unit/test_tss2_rc.c b/test/unit/test_tss2_rc.c
|
||||
index 0b0f57c6..e5051c85 100644
|
||||
--- a/test/unit/test_tss2_rc.c
|
||||
+++ b/test/unit/test_tss2_rc.c
|
||||
@@ -199,7 +199,7 @@ test_custom_handler(void **state)
|
||||
* Test an unknown layer
|
||||
*/
|
||||
e = Tss2_RC_Decode(rc);
|
||||
- assert_string_equal(e, "1:0x100");
|
||||
+ assert_string_equal(e, "1:0x1002A");
|
||||
}
|
||||
|
||||
static void
|
||||
@@ -288,7 +288,7 @@ test_all_FFs(void **state)
|
||||
(void) state;
|
||||
|
||||
const char *e = Tss2_RC_Decode(0xFFFFFFFF);
|
||||
- assert_string_equal(e, "255:0xFFFFFF");
|
||||
+ assert_string_equal(e, "255:0xFFFFFFFF");
|
||||
}
|
||||
|
||||
static void
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,63 +0,0 @@
|
||||
From 53a5ba5c8476097fb5145cee4bed61b82d0cc225 Mon Sep 17 00:00:00 2001
|
||||
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
|
||||
Date: Mon, 7 Jun 2021 09:47:30 +0200
|
||||
Subject: [PATCH 02/23] FAPI: Remove useless code get_engine.
|
||||
|
||||
The function did always return NULL. So the default engine was used.
|
||||
Fixes #2085
|
||||
|
||||
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
|
||||
---
|
||||
src/tss2-fapi/fapi_crypto.c | 22 +---------------------
|
||||
1 file changed, 1 insertion(+), 21 deletions(-)
|
||||
|
||||
diff --git a/src/tss2-fapi/fapi_crypto.c b/src/tss2-fapi/fapi_crypto.c
|
||||
index c50b5f0a..9c7e566c 100644
|
||||
--- a/src/tss2-fapi/fapi_crypto.c
|
||||
+++ b/src/tss2-fapi/fapi_crypto.c
|
||||
@@ -56,9 +56,6 @@ typedef struct _IFAPI_CRYPTO_CONTEXT {
|
||||
size_t hashSize;
|
||||
} IFAPI_CRYPTO_CONTEXT;
|
||||
|
||||
-/** A singleton crypto engine for hash operations */
|
||||
-static ENGINE *engine = NULL;
|
||||
-
|
||||
/**
|
||||
* Returns the signature scheme that is currently used in the FAPI context.
|
||||
*
|
||||
@@ -228,23 +225,6 @@ ifapi_bn2binpad(const BIGNUM *bn, unsigned char *bin, int binSize)
|
||||
return 1;
|
||||
}
|
||||
|
||||
-/**
|
||||
- * Returns the singleton hash engine for the use in ifapi_hash operations. If
|
||||
- * it does not yet exist, this function creates it.
|
||||
- *
|
||||
- * @retval A singleton hash engine
|
||||
- */
|
||||
-static ENGINE *
|
||||
-get_engine()
|
||||
-{
|
||||
- /* If an engine is present, it is returned */
|
||||
- if (engine)
|
||||
- return engine;
|
||||
- /* Otherwise, engine is created and returned */
|
||||
- engine = ENGINE_by_id(NULL);
|
||||
- return engine;
|
||||
-}
|
||||
-
|
||||
/**
|
||||
* Returns a suitable openSSL hash algorithm identifier for a given TSS hash
|
||||
* algorithm identifier.
|
||||
@@ -1558,7 +1538,7 @@ ifapi_crypto_hash_start(IFAPI_CRYPTO_CONTEXT_BLOB **context,
|
||||
}
|
||||
|
||||
if (1 != EVP_DigestInit_ex(mycontext->osslContext,
|
||||
- mycontext->osslHashAlgorithm, get_engine())) {
|
||||
+ mycontext->osslHashAlgorithm, NULL)) {
|
||||
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Error EVP_DigestInit_ex",
|
||||
cleanup);
|
||||
}
|
||||
--
|
||||
2.34.3
|
||||
|
@ -1,42 +0,0 @@
|
||||
From d680ea548b3ab066f6bea625af5d4000ca32cfee Mon Sep 17 00:00:00 2001
|
||||
From: Jonas Witschel <diabonas@gmx.de>
|
||||
Date: Mon, 1 Mar 2021 20:00:17 +0100
|
||||
Subject: FAPI: use FAPI_TEST_EK_CERT_LESS with
|
||||
--disable-self-generated-certificate
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Since commit 199b4edc265b2f4758aa22ebf4ed6472a34b9a7a ("FAPI: Fix reading of
|
||||
the root certificate for provisioning.") it is required to specify
|
||||
--enable-self-generated-certificate in order to make the FAPI integration tests
|
||||
pass. This is an option that should usually not be enabled in production builds
|
||||
for security reasons, but still some form of integration testing might be
|
||||
desirable in this case to verify whether the compiled library works as
|
||||
expected. Use FAPI_TEST_EK_CERT_LESS in this case to run the tests without EK
|
||||
certificate validation.
|
||||
|
||||
Signed-off-by: Jonas Witschel <diabonas@gmx.de>
|
||||
---
|
||||
configure.ac | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index d3bbb93d..d4324c9a 100755
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -444,8 +444,9 @@ AC_ARG_ENABLE([self-generated-certificate],
|
||||
[AS_HELP_STRING([--enable-self-generated-certificate],
|
||||
[Alllow usage of self generated root certifcate])],,
|
||||
[enable_self_generated_certificate=no])
|
||||
-AS_IF([test "x$enable_self_generated_certificate" == xyes],
|
||||
- [AC_DEFINE([SELF_GENERATED_CERTIFICATE],[1], [Allow usage of self generated root certifcate])])
|
||||
+AS_IF([test "x$enable_self_generated_certificate" = xyes],
|
||||
+ [AC_DEFINE([SELF_GENERATED_CERTIFICATE], [1], [Allow usage of self generated root certificate])],
|
||||
+ [AS_IF([test "x$integration_tcti" != "xdevice"], [AC_DEFINE([FAPI_TEST_EK_CERT_LESS], [1], [Perform integration tests without EK certificate verification])])])
|
||||
|
||||
|
||||
AC_SUBST([PATH])
|
||||
--
|
||||
2.26.3
|
||||
|
@ -0,0 +1,65 @@
|
||||
From 6e4f8823ca6f7f062df3cd4ee88e397fac9adc37 Mon Sep 17 00:00:00 2001
|
||||
From: Juergen Repp <juergen_repp@web.de>
|
||||
Date: Thu, 9 Feb 2023 15:22:08 +0100
|
||||
Subject: [PATCH 02/10] MU: Fix unneeded size check in TPM2B unmarshaling
|
||||
|
||||
There is a size check for the destination object whether the size is zero.
|
||||
If the memory of the destination object is no cleared this might cause
|
||||
a race conditions.
|
||||
Unneeded tests from the integration test tpmclient were removed.
|
||||
Fixes: #2564
|
||||
|
||||
Signed-off-by: Juergen Repp <juergen_repp@web.de>
|
||||
---
|
||||
src/tss2-mu/tpm2b-types.c | 6 +-----
|
||||
test/tpmclient/tpmclient.int.c | 9 ---------
|
||||
2 files changed, 1 insertion(+), 14 deletions(-)
|
||||
|
||||
diff --git a/src/tss2-mu/tpm2b-types.c b/src/tss2-mu/tpm2b-types.c
|
||||
index 2e10f487..6e8915f6 100644
|
||||
--- a/src/tss2-mu/tpm2b-types.c
|
||||
+++ b/src/tss2-mu/tpm2b-types.c
|
||||
@@ -248,11 +248,7 @@ TSS2_RC Tss2_MU_##type##_Unmarshal(uint8_t const buffer[], size_t buffer_size, \
|
||||
sizeof(size)); \
|
||||
return TSS2_MU_RC_INSUFFICIENT_BUFFER; \
|
||||
} \
|
||||
- if (dest && dest->size != 0) { \
|
||||
- LOG_WARNING("Size not zero"); \
|
||||
- return TSS2_SYS_RC_BAD_VALUE; \
|
||||
- } \
|
||||
-\
|
||||
+ \
|
||||
rc = Tss2_MU_UINT16_Unmarshal(buffer, buffer_size, &local_offset, &size); \
|
||||
if (rc) \
|
||||
return rc; \
|
||||
diff --git a/test/tpmclient/tpmclient.int.c b/test/tpmclient/tpmclient.int.c
|
||||
index deedcfb7..16443955 100644
|
||||
--- a/test/tpmclient/tpmclient.int.c
|
||||
+++ b/test/tpmclient/tpmclient.int.c
|
||||
@@ -847,12 +847,6 @@ static void TestHierarchyControl()
|
||||
rval = Tss2_Sys_NV_DefineSpace( sysContext, TPM2_RH_PLATFORM, &sessionsData, &nvAuth, &publicInfo, 0 );
|
||||
CheckPassed( rval );
|
||||
|
||||
- /* Test SYS for case where nvPublic.size != 0 */
|
||||
- nvPublic.size = 0xff;
|
||||
- INIT_SIMPLE_TPM2B_SIZE( nvName );
|
||||
- rval = Tss2_Sys_NV_ReadPublic( sysContext, TPM20_INDEX_TEST1, 0, &nvPublic, &nvName, 0 );
|
||||
- CheckFailed( rval, TSS2_SYS_RC_BAD_VALUE );
|
||||
-
|
||||
nvPublic.size = 0;
|
||||
INIT_SIMPLE_TPM2B_SIZE( nvName );
|
||||
rval = Tss2_Sys_NV_ReadPublic( sysContext, TPM20_INDEX_TEST1, 0, &nvPublic, &nvName, 0 );
|
||||
@@ -2135,10 +2129,7 @@ static void EcEphemeralTest()
|
||||
|
||||
LOG_INFO("EC Ephemeral TESTS:" );
|
||||
|
||||
- /* Test SYS for case of Q size field not being set to 0. */
|
||||
INIT_SIMPLE_TPM2B_SIZE( Q );
|
||||
- rval = Tss2_Sys_EC_Ephemeral( sysContext, 0, TPM2_ECC_BN_P256, &Q, &counter, 0 );
|
||||
- CheckFailed( rval, TSS2_SYS_RC_BAD_VALUE );
|
||||
|
||||
Q.size = 0;
|
||||
rval = Tss2_Sys_EC_Ephemeral( sysContext, 0, TPM2_ECC_BN_P256, &Q, &counter, 0 );
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,78 @@
|
||||
From d486edf730d652c8ab2fc50eb00e45223b43628f Mon Sep 17 00:00:00 2001
|
||||
From: Juergen Repp <juergen_repp@web.de>
|
||||
Date: Tue, 14 Feb 2023 19:52:28 +0100
|
||||
Subject: [PATCH 03/10] FAPI: Fix parameter encryption for provisioning
|
||||
|
||||
Currently no parameter encryption was made during provisioning.
|
||||
Now the EK es used as tpmkey for the create primary session of
|
||||
the SRK and the SRK is used for parameter encryption of the
|
||||
other command executed during provisioning.
|
||||
|
||||
Signed-off-by: Juergen Repp <juergen_repp@web.de>
|
||||
---
|
||||
src/tss2-fapi/api/Fapi_Provision.c | 6 ++++--
|
||||
src/tss2-fapi/fapi_int.h | 7 ++++---
|
||||
src/tss2-fapi/fapi_util.c | 5 ++++-
|
||||
3 files changed, 12 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/tss2-fapi/api/Fapi_Provision.c b/src/tss2-fapi/api/Fapi_Provision.c
|
||||
index 97c25828..48f2fd3b 100644
|
||||
--- a/src/tss2-fapi/api/Fapi_Provision.c
|
||||
+++ b/src/tss2-fapi/api/Fapi_Provision.c
|
||||
@@ -884,7 +884,8 @@ Fapi_Provision_Finish(FAPI_CONTEXT *context)
|
||||
statecase(context->state, PROVISION_INIT_SRK);
|
||||
/* Create session which will be used for SRK generation. */
|
||||
context->srk_handle = context->ek_handle;
|
||||
- r = ifapi_get_sessions_async(context, IFAPI_SESSION1, 0, 0);
|
||||
+ r = ifapi_get_sessions_async(context, IFAPI_SESSION_USE_SRK | IFAPI_SESSION1,
|
||||
+ TPMA_SESSION_DECRYPT, 0);
|
||||
goto_if_error_reset_state(r, "Create sessions", error_cleanup);
|
||||
|
||||
fallthrough;
|
||||
@@ -1084,7 +1085,8 @@ Fapi_Provision_Finish(FAPI_CONTEXT *context)
|
||||
try_again_or_error_goto(r, "Cleanup", error_cleanup);
|
||||
|
||||
/* Create session which will be used for parameter encryption. */
|
||||
- r = ifapi_get_sessions_async(context, IFAPI_SESSION1, 0, 0);
|
||||
+ r = ifapi_get_sessions_async(context, IFAPI_SESSION_USE_SRK | IFAPI_SESSION1,
|
||||
+ TPMA_SESSION_DECRYPT, 0);
|
||||
goto_if_error_reset_state(r, "Create sessions", error_cleanup);
|
||||
|
||||
fallthrough;
|
||||
diff --git a/src/tss2-fapi/fapi_int.h b/src/tss2-fapi/fapi_int.h
|
||||
index 5f666a75..8533112a 100644
|
||||
--- a/src/tss2-fapi/fapi_int.h
|
||||
+++ b/src/tss2-fapi/fapi_int.h
|
||||
@@ -55,9 +55,10 @@ typedef UINT32 TSS2_KEY_TYPE;
|
||||
#define MAX_PLATFORM_CERT_HANDLE 0x01C0FFFF
|
||||
|
||||
typedef UINT8 IFAPI_SESSION_TYPE;
|
||||
-#define IFAPI_SESSION_GENEK 0x01
|
||||
-#define IFAPI_SESSION1 0x02
|
||||
-#define IFAPI_SESSION2 0x04
|
||||
+#define IFAPI_SESSION_GENEK 0x01
|
||||
+#define IFAPI_SESSION1 0x02
|
||||
+#define IFAPI_SESSION2 0x04
|
||||
+#define IFAPI_SESSION_USE_SRK 0x08
|
||||
|
||||
#define IFAPI_POLICY_PATH "policy"
|
||||
#define IFAPI_NV_PATH "nv"
|
||||
diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
|
||||
index 44dd4168..ded0d247 100644
|
||||
--- a/src/tss2-fapi/fapi_util.c
|
||||
+++ b/src/tss2-fapi/fapi_util.c
|
||||
@@ -1327,7 +1327,10 @@ ifapi_get_sessions_async(FAPI_CONTEXT *context,
|
||||
context->session2_attribute_flags = attribute_flags2;
|
||||
char *file = NULL;
|
||||
|
||||
- if (!(session_flags & IFAPI_SESSION_GENEK)) {
|
||||
+ if (session_flags & IFAPI_SESSION_USE_SRK) {
|
||||
+ context->session_state = SESSION_CREATE_SESSION;
|
||||
+ return TSS2_RC_SUCCESS;
|
||||
+ } else if (!(session_flags & IFAPI_SESSION_GENEK)) {
|
||||
context->srk_handle = ESYS_TR_NONE;
|
||||
context->session_state = SESSION_CREATE_SESSION;
|
||||
return TSS2_RC_SUCCESS;
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,40 +0,0 @@
|
||||
From 29f7b2855a9d1378bb8a757564e1f0367a84cb70 Mon Sep 17 00:00:00 2001
|
||||
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
|
||||
Date: Tue, 3 Aug 2021 16:24:41 +0200
|
||||
Subject: [PATCH 03/23] FAPI: Remove fauly free of an unused field.
|
||||
|
||||
The field out_data in IFAPI_Data_EncryptDecrypt was not used but freed in Fapi_Encrypt.
|
||||
|
||||
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
|
||||
---
|
||||
src/tss2-fapi/api/Fapi_Encrypt.c | 1 -
|
||||
src/tss2-fapi/fapi_int.h | 1 -
|
||||
2 files changed, 2 deletions(-)
|
||||
|
||||
diff --git a/src/tss2-fapi/api/Fapi_Encrypt.c b/src/tss2-fapi/api/Fapi_Encrypt.c
|
||||
index 2e892351..af8e2c58 100644
|
||||
--- a/src/tss2-fapi/api/Fapi_Encrypt.c
|
||||
+++ b/src/tss2-fapi/api/Fapi_Encrypt.c
|
||||
@@ -405,7 +405,6 @@ error_cleanup:
|
||||
SAFE_FREE(tpmCipherText);
|
||||
SAFE_FREE(command->keyPath);
|
||||
SAFE_FREE(command->in_data);
|
||||
- SAFE_FREE(command->out_data);
|
||||
ifapi_session_clean(context);
|
||||
LOG_TRACE("finished");
|
||||
return r;
|
||||
diff --git a/src/tss2-fapi/fapi_int.h b/src/tss2-fapi/fapi_int.h
|
||||
index 90707da1..13c0333e 100644
|
||||
--- a/src/tss2-fapi/fapi_int.h
|
||||
+++ b/src/tss2-fapi/fapi_int.h
|
||||
@@ -386,7 +386,6 @@ typedef struct {
|
||||
uint8_t const *in_data;
|
||||
size_t in_dataSize;
|
||||
IFAPI_OBJECT *key_object; /**< The IPAPI object for the encryption key */
|
||||
- uint8_t *out_data; /**< The output of symmetric encrypt/decryption */
|
||||
ESYS_TR key_handle; /**< The ESYS handle of the encryption key */
|
||||
size_t numBytes; /**< The number of bytes of a ESYS request */
|
||||
size_t decrypt; /**< Switch whether to encrypt or decrypt */
|
||||
--
|
||||
2.34.3
|
||||
|
@ -1,29 +0,0 @@
|
||||
From c5933320e1bd557cc52f2d56baec4ea52edfbc47 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Gotthard <petr.gotthard@centrum.cz>
|
||||
Date: Sat, 17 Jul 2021 20:15:51 +0200
|
||||
Subject: Makefile.am: Use LIBCRYPTO_CFLAGS when building FAPI
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
|
||||
---
|
||||
Makefile.am | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index f2fa515a..0f759adb 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -521,7 +521,7 @@ src_tss2_fapi_libtss2_fapi_la_LIBADD = $(libtss2_sys) $(libtss2_mu) $(libtss2_e
|
||||
$(libutil) $(libtss2_tctildr)
|
||||
|
||||
src_tss2_fapi_libtss2_fapi_la_SOURCES = $(TSS2_FAPI_SRC)
|
||||
-src_tss2_fapi_libtss2_fapi_la_CFLAGS = $(AM_CFLAGS) -I$(srcdir)/src/tss2-fapi
|
||||
+src_tss2_fapi_libtss2_fapi_la_CFLAGS = $(AM_CFLAGS) -I$(srcdir)/src/tss2-fapi $(LIBCRYPTO_CFLAGS)
|
||||
src_tss2_fapi_libtss2_fapi_la_LDFLAGS = $(AM_LDFLAGS) $(LIBCRYPTO_LIBS) $(JSONC_LIBS) $(CURL_LIBS)
|
||||
if HAVE_LD_VERSION_SCRIPT
|
||||
src_tss2_fapi_libtss2_fapi_la_LDFLAGS += -Wl,--version-script=$(srcdir)/lib/tss2-fapi.map
|
||||
--
|
||||
2.26.3
|
||||
|
@ -0,0 +1,101 @@
|
||||
From 6bb79f17b89592909830f872dc47d09c0e5dadda Mon Sep 17 00:00:00 2001
|
||||
From: Juergen Repp <juergen_repp@web.de>
|
||||
Date: Fri, 3 Mar 2023 11:17:43 +0100
|
||||
Subject: [PATCH 04/10] FAPI: Fix missing parameter encryption for policy
|
||||
sessions.
|
||||
|
||||
The parameter encryption for policy sessions was not enabled.
|
||||
Now the parameter encryption is enabled and the auth value of
|
||||
objects is added to the session key.
|
||||
One exception is the cp hash policy. In this case the
|
||||
the cp hash check forced by this policy would fail with an
|
||||
encrypted parameter.
|
||||
|
||||
Signed-off-by: Juergen Repp <juergen_repp@web.de>
|
||||
---
|
||||
src/tss2-fapi/fapi_util.c | 28 ++++++++++++------------
|
||||
src/tss2-fapi/ifapi_policy_execute.c | 5 +++++
|
||||
src/tss2-fapi/ifapi_policyutil_execute.c | 4 ++++
|
||||
3 files changed, 23 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
|
||||
index ded0d247..55ce3327 100644
|
||||
--- a/src/tss2-fapi/fapi_util.c
|
||||
+++ b/src/tss2-fapi/fapi_util.c
|
||||
@@ -2110,21 +2110,20 @@ ifapi_authorize_object(FAPI_CONTEXT *context, IFAPI_OBJECT *object, ESYS_TR *ses
|
||||
statecase(object->authorization_state, AUTH_INIT)
|
||||
LOG_TRACE("**STATE** AUTH_INIT");
|
||||
|
||||
- if (!policy_digest_size(object)) {
|
||||
- /* No policy used authorization callbacks have to be called if necessary. */
|
||||
- if (object_with_auth(object)) {
|
||||
- /* Check whether hierarchy was already authorized. */
|
||||
- if (object->objectType != IFAPI_HIERARCHY_OBJ ||
|
||||
- !object->misc.hierarchy.authorized) {
|
||||
- char *description = NULL;
|
||||
- r = ifapi_get_description(object, &description);
|
||||
- return_if_error(r, "Get description");
|
||||
-
|
||||
- r = ifapi_set_auth(context, object, description);
|
||||
- SAFE_FREE(description);
|
||||
- return_if_error(r, "Set auth value");
|
||||
- }
|
||||
+ if (object_with_auth(object)) {
|
||||
+ /* Check whether hierarchy was already authorized. */
|
||||
+ if (object->objectType != IFAPI_HIERARCHY_OBJ ||
|
||||
+ !object->misc.hierarchy.authorized) {
|
||||
+ char *description = NULL;
|
||||
+ r = ifapi_get_description(object, &description);
|
||||
+ return_if_error(r, "Get description");
|
||||
+
|
||||
+ r = ifapi_set_auth(context, object, description);
|
||||
+ SAFE_FREE(description);
|
||||
+ return_if_error(r, "Set auth value");
|
||||
}
|
||||
+ }
|
||||
+ if (!policy_digest_size(object)) {
|
||||
/* No policy session needed current fapi session can be used */
|
||||
if (context->session1 && context->session1 != ESYS_TR_NONE)
|
||||
*session = context->session1;
|
||||
@@ -2133,6 +2132,7 @@ ifapi_authorize_object(FAPI_CONTEXT *context, IFAPI_OBJECT *object, ESYS_TR *ses
|
||||
*session = ESYS_TR_PASSWORD;
|
||||
break;
|
||||
}
|
||||
+
|
||||
/* Save current object to be authorized in context. */
|
||||
context->current_auth_object = object;
|
||||
r = ifapi_policyutil_execute_prepare(context, get_name_alg(context, object),
|
||||
diff --git a/src/tss2-fapi/ifapi_policy_execute.c b/src/tss2-fapi/ifapi_policy_execute.c
|
||||
index c2ce3301..0e7de316 100644
|
||||
--- a/src/tss2-fapi/ifapi_policy_execute.c
|
||||
+++ b/src/tss2-fapi/ifapi_policy_execute.c
|
||||
@@ -1245,6 +1245,11 @@ execute_policy_cp_hash(
|
||||
r = Esys_PolicyCpHash_Finish(esys_ctx);
|
||||
try_again_or_error(r, "Execute PolicyCpHash_Finish.");
|
||||
|
||||
+ /* Disable encryption to enable check of cp hash defined in
|
||||
+ policy cp. */
|
||||
+ r = Esys_TRSess_SetAttributes(esys_ctx, current_policy->session,
|
||||
+ 0, 0xff);
|
||||
+
|
||||
current_policy->state = POLICY_EXECUTE_INIT;
|
||||
return r;
|
||||
|
||||
diff --git a/src/tss2-fapi/ifapi_policyutil_execute.c b/src/tss2-fapi/ifapi_policyutil_execute.c
|
||||
index 997fb504..0e2823cb 100644
|
||||
--- a/src/tss2-fapi/ifapi_policyutil_execute.c
|
||||
+++ b/src/tss2-fapi/ifapi_policyutil_execute.c
|
||||
@@ -119,6 +119,10 @@ create_session(
|
||||
r = Esys_StartAuthSession_Finish(context->esys, session);
|
||||
if (r != TSS2_RC_SUCCESS)
|
||||
return r;
|
||||
+
|
||||
+ r = Esys_TRSess_SetAttributes(context->esys, *session,
|
||||
+ TPMA_SESSION_ENCRYPT | TPMA_SESSION_DECRYPT,
|
||||
+ 0xff);
|
||||
context->policy.create_session_state = CREATE_SESSION_INIT;
|
||||
break;
|
||||
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,44 +0,0 @@
|
||||
From 3a5967ba620849839e71ee304c09a6998109466a Mon Sep 17 00:00:00 2001
|
||||
From: Petr Gotthard <petr.gotthard@centrum.cz>
|
||||
Date: Mon, 2 Aug 2021 15:50:26 +0200
|
||||
Subject: [PATCH 04/23] Remove deprecated OpenSSL_add_all_algorithms
|
||||
|
||||
From OpenSSL 1.1.0 it is deprecated. No explicit initialisation or
|
||||
de-initialisation is required.
|
||||
|
||||
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
|
||||
---
|
||||
src/tss2-esys/esys_crypto_ossl.c | 2 +-
|
||||
src/tss2-fapi/ifapi_get_intl_cert.c | 3 ---
|
||||
2 files changed, 1 insertion(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c
|
||||
index 6856e92d..ab08b3b8 100644
|
||||
--- a/src/tss2-esys/esys_crypto_ossl.c
|
||||
+++ b/src/tss2-esys/esys_crypto_ossl.c
|
||||
@@ -1173,7 +1173,7 @@ iesys_cryptossl_sym_aes_decrypt(uint8_t * key,
|
||||
*
|
||||
* Initialize OpenSSL internal tables.
|
||||
*
|
||||
- * @retval TSS2_RC_SUCCESS always returned because OpenSSL_add_all_algorithms
|
||||
+ * @retval TSS2_RC_SUCCESS always returned
|
||||
* does not deliver
|
||||
* a return code.
|
||||
*/
|
||||
diff --git a/src/tss2-fapi/ifapi_get_intl_cert.c b/src/tss2-fapi/ifapi_get_intl_cert.c
|
||||
index 9290a17e..35186e62 100644
|
||||
--- a/src/tss2-fapi/ifapi_get_intl_cert.c
|
||||
+++ b/src/tss2-fapi/ifapi_get_intl_cert.c
|
||||
@@ -375,9 +375,6 @@ out_free_json:
|
||||
json_object_put(jso);
|
||||
|
||||
out:
|
||||
- /* In some case this call was necessary after curl usage */
|
||||
- OpenSSL_add_all_algorithms();
|
||||
-
|
||||
free(hash);
|
||||
if (rc == 0) {
|
||||
return TSS2_RC_SUCCESS;
|
||||
--
|
||||
2.34.3
|
||||
|
@ -1,35 +0,0 @@
|
||||
From 738f6f045e740c3fc21579297990d60b7c2e83ed Mon Sep 17 00:00:00 2001
|
||||
From: Petr Gotthard <petr.gotthard@centrum.cz>
|
||||
Date: Sat, 17 Jul 2021 20:23:32 +0200
|
||||
Subject: Test: Remove duplicate openssl req -new
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The command is called twice, which is superfluous. Both the key
|
||||
and the certificate are created already by the first command.
|
||||
|
||||
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
|
||||
---
|
||||
script/ekca/create_ca.sh | 5 -----
|
||||
1 file changed, 5 deletions(-)
|
||||
|
||||
diff --git a/script/ekca/create_ca.sh b/script/ekca/create_ca.sh
|
||||
index 90a5c791..61d976a3 100755
|
||||
--- a/script/ekca/create_ca.sh
|
||||
+++ b/script/ekca/create_ca.sh
|
||||
@@ -94,11 +94,6 @@ ${SED_CMD} "s|ROOTCRT|$ROOT_URL|g" $OPENSSL_CONF
|
||||
|
||||
openssl req -new -out intermed-ca.req.pem -passout file:pass.txt
|
||||
|
||||
-openssl req -new \
|
||||
- -key private/intermed-ca.key.pem \
|
||||
- -out intermed-ca.req.pem \
|
||||
- -passin file:pass.txt
|
||||
-
|
||||
openssl rsa -inform PEM -in private/intermed-ca.key.pem \
|
||||
-outform DER -out private/intermed-ca.key.der -passin file:pass.txt
|
||||
|
||||
--
|
||||
2.26.3
|
||||
|
@ -0,0 +1,59 @@
|
||||
From c7cd976e7152e3f5aaa813aaebf4ab1e5d9b1f3e Mon Sep 17 00:00:00 2001
|
||||
From: Juergen Repp <juergen_repp@web.de>
|
||||
Date: Sun, 5 Mar 2023 19:19:22 +0100
|
||||
Subject: [PATCH 05/10] FAPI: Fix missing parameter encryption for some HMAC
|
||||
sessions.
|
||||
|
||||
* For Fapi_CreateNv and Fap_NvSetBits the parameter encryption was not enabled.
|
||||
* For Fapi_Unseal the response description was not enabled.
|
||||
|
||||
Signed-off-by: Juergen Repp <juergen_repp@web.de>
|
||||
---
|
||||
src/tss2-fapi/api/Fapi_CreateNv.c | 2 +-
|
||||
src/tss2-fapi/api/Fapi_NvSetBits.c | 2 +-
|
||||
src/tss2-fapi/fapi_util.c | 3 ++-
|
||||
3 files changed, 4 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/tss2-fapi/api/Fapi_CreateNv.c b/src/tss2-fapi/api/Fapi_CreateNv.c
|
||||
index 45e72e33..8160b99d 100644
|
||||
--- a/src/tss2-fapi/api/Fapi_CreateNv.c
|
||||
+++ b/src/tss2-fapi/api/Fapi_CreateNv.c
|
||||
@@ -399,7 +399,7 @@ Fapi_CreateNv_Finish(
|
||||
context->primary_state = PRIMARY_INIT;
|
||||
r = ifapi_get_sessions_async(context,
|
||||
IFAPI_SESSION_GENEK | IFAPI_SESSION1,
|
||||
- 0, 0);
|
||||
+ TPMA_SESSION_DECRYPT, 0);
|
||||
goto_if_error_reset_state(r, "Create sessions", error_cleanup);
|
||||
fallthrough;
|
||||
|
||||
diff --git a/src/tss2-fapi/api/Fapi_NvSetBits.c b/src/tss2-fapi/api/Fapi_NvSetBits.c
|
||||
index 0615aa12..adf332e0 100644
|
||||
--- a/src/tss2-fapi/api/Fapi_NvSetBits.c
|
||||
+++ b/src/tss2-fapi/api/Fapi_NvSetBits.c
|
||||
@@ -282,7 +282,7 @@ Fapi_NvSetBits_Finish(
|
||||
/* Prepare session for authorization */
|
||||
r = ifapi_get_sessions_async(context,
|
||||
IFAPI_SESSION_GENEK | IFAPI_SESSION1,
|
||||
- 0, 0);
|
||||
+ TPMA_SESSION_DECRYPT, 0);
|
||||
goto_if_error_reset_state(r, "Create sessions", error_cleanup);
|
||||
|
||||
fallthrough;
|
||||
diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
|
||||
index 55ce3327..ef4a92d0 100644
|
||||
--- a/src/tss2-fapi/fapi_util.c
|
||||
+++ b/src/tss2-fapi/fapi_util.c
|
||||
@@ -2743,7 +2743,8 @@ ifapi_load_key(
|
||||
/* Prepare the session creation. */
|
||||
r = ifapi_get_sessions_async(context,
|
||||
IFAPI_SESSION_GENEK | IFAPI_SESSION1,
|
||||
- TPMA_SESSION_DECRYPT, 0);
|
||||
+ TPMA_SESSION_DECRYPT | TPMA_SESSION_ENCRYPT,
|
||||
+ 0);
|
||||
goto_if_error_reset_state(r, "Create sessions", error_cleanup);
|
||||
fallthrough;
|
||||
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,76 +0,0 @@
|
||||
From 563f9c951d9b050378b9d3659a932c98ab587b21 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Gotthard <petr.gotthard@centrum.cz>
|
||||
Date: Sat, 17 Jul 2021 21:22:28 +0200
|
||||
Subject: FAPI Test: Call EVP_DigestSignInit in the correct order
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The EVP_DigestSignInit should be called only once and before calling
|
||||
EVP_PKEY_CTX_set_rsa_padding. See a corresponding example
|
||||
[here](https://www.openssl.org/docs/man1.0.2/man3/EVP_PKEY_sign_init.html)
|
||||
|
||||
Current code works with OpenSSL 1.x, but fails with OpenSSL 3.0.
|
||||
This PR makes the code compatible with OpenSSL 1.0 through 3.0.
|
||||
|
||||
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
|
||||
---
|
||||
test/integration/fapi-data-crypt.int.c | 8 ++------
|
||||
test/integration/fapi-key-create-policy-signed.int.c | 8 ++------
|
||||
2 files changed, 4 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/test/integration/fapi-data-crypt.int.c b/test/integration/fapi-data-crypt.int.c
|
||||
index b2d20b28..d42466db 100644
|
||||
--- a/test/integration/fapi-data-crypt.int.c
|
||||
+++ b/test/integration/fapi-data-crypt.int.c
|
||||
@@ -129,8 +129,8 @@ signatureCallback(
|
||||
mdctx = EVP_MD_CTX_create();
|
||||
chknull(mdctx);
|
||||
|
||||
- if (1 != EVP_DigestSignInit(mdctx, &pctx, NULL, NULL, priv_key)) {
|
||||
- goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL digest sign init.",
|
||||
+ if (1 != EVP_DigestSignInit(mdctx, &pctx, ossl_hash, NULL, priv_key)) {
|
||||
+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.",
|
||||
error_cleanup);
|
||||
}
|
||||
if (EVP_PKEY_type(EVP_PKEY_id(priv_key)) == EVP_PKEY_RSA) {
|
||||
@@ -140,10 +140,6 @@ signatureCallback(
|
||||
error_cleanup);
|
||||
}
|
||||
}
|
||||
- if (1 != EVP_DigestSignInit(mdctx, &pctx, ossl_hash, NULL, priv_key)) {
|
||||
- goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.",
|
||||
- error_cleanup);
|
||||
- }
|
||||
if (1 != EVP_DigestSignUpdate(mdctx, dataToSign, dataToSignSize)) {
|
||||
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign update.",
|
||||
error_cleanup);
|
||||
diff --git a/test/integration/fapi-key-create-policy-signed.int.c b/test/integration/fapi-key-create-policy-signed.int.c
|
||||
index e51289a6..b903dec0 100644
|
||||
--- a/test/integration/fapi-key-create-policy-signed.int.c
|
||||
+++ b/test/integration/fapi-key-create-policy-signed.int.c
|
||||
@@ -144,8 +144,8 @@ signatureCallback(
|
||||
mdctx = EVP_MD_CTX_create();
|
||||
chknull(mdctx);
|
||||
|
||||
- if (1 != EVP_DigestSignInit(mdctx, &pctx, NULL, NULL, priv_key)) {
|
||||
- goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL digest sign init.",
|
||||
+ if (1 != EVP_DigestSignInit(mdctx, &pctx, ossl_hash, NULL, priv_key)) {
|
||||
+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.",
|
||||
error_cleanup);
|
||||
}
|
||||
if (EVP_PKEY_type(EVP_PKEY_id(priv_key)) == EVP_PKEY_RSA) {
|
||||
@@ -155,10 +155,6 @@ signatureCallback(
|
||||
error_cleanup);
|
||||
}
|
||||
}
|
||||
- if (1 != EVP_DigestSignInit(mdctx, &pctx, ossl_hash, NULL, priv_key)) {
|
||||
- goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.",
|
||||
- error_cleanup);
|
||||
- }
|
||||
if (1 != EVP_DigestSignUpdate(mdctx, dataToSign, dataToSignSize)) {
|
||||
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign update.",
|
||||
error_cleanup);
|
||||
--
|
||||
2.26.3
|
||||
|
@ -1,657 +0,0 @@
|
||||
From 5b777f29fd612f9972d416ed77b90156e2373e9f Mon Sep 17 00:00:00 2001
|
||||
From: Petr Gotthard <petr.gotthard@centrum.cz>
|
||||
Date: Wed, 25 Aug 2021 14:02:38 +0200
|
||||
Subject: [PATCH 05/23] Use default OpenSSL context for internal crypto
|
||||
operations
|
||||
|
||||
The TPM2 provider may be loaded in the global library context.
|
||||
As we don't want the TPM to be called for some operations, we have
|
||||
to initialize own library context with the default provider.
|
||||
|
||||
This is similar to the RAND_set_rand_method dance with older OpenSSL.
|
||||
|
||||
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
|
||||
---
|
||||
src/tss2-esys/esys_crypto_ossl.c | 175 ++++++++++++++++++++++---------
|
||||
src/tss2-fapi/fapi_crypto.c | 152 ++++++++++++++++++---------
|
||||
2 files changed, 225 insertions(+), 102 deletions(-)
|
||||
|
||||
diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c
|
||||
index ab08b3b8..35af2028 100644
|
||||
--- a/src/tss2-esys/esys_crypto_ossl.c
|
||||
+++ b/src/tss2-esys/esys_crypto_ossl.c
|
||||
@@ -66,38 +66,101 @@ typedef struct _IESYS_CRYPTO_CONTEXT {
|
||||
} type; /**< The type of context to hold; hash or hmac */
|
||||
union {
|
||||
struct {
|
||||
- EVP_MD_CTX *ossl_context;
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
const EVP_MD *ossl_hash_alg;
|
||||
+#else
|
||||
+ OSSL_LIB_CTX *ossl_libctx;
|
||||
+ EVP_MD *ossl_hash_alg;
|
||||
+#endif
|
||||
+ EVP_MD_CTX *ossl_context;
|
||||
size_t hash_len;
|
||||
- } hash; /**< the state variables for a hash context */
|
||||
- struct {
|
||||
- EVP_MD_CTX *ossl_context;
|
||||
- const EVP_MD *ossl_hash_alg;
|
||||
- size_t hmac_len;
|
||||
- } hmac; /**< the state variables for an hmac context */
|
||||
+ } hash; /**< the state variables for a HASH or HMAC context */
|
||||
};
|
||||
} IESYS_CRYPTOSSL_CONTEXT;
|
||||
|
||||
-const EVP_MD *
|
||||
+static IESYS_CRYPTOSSL_CONTEXT *
|
||||
+iesys_cryptossl_context_new() {
|
||||
+ IESYS_CRYPTOSSL_CONTEXT *ctx;
|
||||
+
|
||||
+ if (!(ctx = calloc(1, sizeof(IESYS_CRYPTOSSL_CONTEXT))))
|
||||
+ return NULL;
|
||||
+
|
||||
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||
+ /* The TPM2 provider may be loaded in the global library context.
|
||||
+ * As we don't want the TPM to be called for these operations, we have
|
||||
+ * to initialize own library context with the default provider. */
|
||||
+ if (!(ctx->hash.ossl_libctx = OSSL_LIB_CTX_new())) {
|
||||
+ SAFE_FREE(ctx);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+#endif
|
||||
+ return ctx;
|
||||
+}
|
||||
+
|
||||
+static void
|
||||
+iesys_cryptossl_context_free(IESYS_CRYPTOSSL_CONTEXT *ctx) {
|
||||
+ if (!ctx)
|
||||
+ return;
|
||||
+
|
||||
+ EVP_MD_CTX_free(ctx->hash.ossl_context);
|
||||
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||
+ EVP_MD_free(ctx->hash.ossl_hash_alg);
|
||||
+ OSSL_LIB_CTX_free(ctx->hash.ossl_libctx);
|
||||
+#endif
|
||||
+ SAFE_FREE(ctx);
|
||||
+}
|
||||
+
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
+static const EVP_MD *
|
||||
get_ossl_hash_md(TPM2_ALG_ID hashAlg)
|
||||
{
|
||||
switch (hashAlg) {
|
||||
case TPM2_ALG_SHA1:
|
||||
return EVP_sha1();
|
||||
- break;
|
||||
case TPM2_ALG_SHA256:
|
||||
return EVP_sha256();
|
||||
- break;
|
||||
case TPM2_ALG_SHA384:
|
||||
return EVP_sha384();
|
||||
- break;
|
||||
case TPM2_ALG_SHA512:
|
||||
return EVP_sha512();
|
||||
- break;
|
||||
default:
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
+#else
|
||||
+static const char *
|
||||
+get_ossl_hash_md(TPM2_ALG_ID hashAlg)
|
||||
+{
|
||||
+ switch (hashAlg) {
|
||||
+ case TPM2_ALG_SHA1:
|
||||
+ return "SHA1";
|
||||
+ case TPM2_ALG_SHA256:
|
||||
+ return "SHA256";
|
||||
+ case TPM2_ALG_SHA384:
|
||||
+ return "SHA384";
|
||||
+ case TPM2_ALG_SHA512:
|
||||
+ return "SHA512";
|
||||
+ default:
|
||||
+ return NULL;
|
||||
+ }
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
+static int
|
||||
+iesys_cryptossl_context_set_hash_md(IESYS_CRYPTOSSL_CONTEXT *ctx, TPM2_ALG_ID hashAlg) {
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
+ ctx->hash.ossl_hash_alg = get_ossl_hash_md(hashAlg);
|
||||
+#else
|
||||
+ const char *alg_name = get_ossl_hash_md(hashAlg);
|
||||
+ if (!alg_name)
|
||||
+ return 0;
|
||||
+ ctx->hash.ossl_hash_alg = EVP_MD_fetch(ctx->hash.ossl_libctx, alg_name, NULL);
|
||||
+#endif
|
||||
+ if (!ctx->hash.ossl_hash_alg)
|
||||
+ return 0;
|
||||
+
|
||||
+ return 1;
|
||||
+}
|
||||
|
||||
/** Provide the context for the computation of a hash digest.
|
||||
*
|
||||
@@ -117,12 +180,12 @@ iesys_cryptossl_hash_start(IESYS_CRYPTO_CONTEXT_BLOB ** context,
|
||||
LOG_TRACE("call: context=%p hashAlg=%"PRIu16, context, hashAlg);
|
||||
return_if_null(context, "Context is NULL", TSS2_ESYS_RC_BAD_REFERENCE);
|
||||
return_if_null(context, "Null-Pointer passed for context", TSS2_ESYS_RC_BAD_REFERENCE);
|
||||
- IESYS_CRYPTOSSL_CONTEXT *mycontext;
|
||||
- mycontext = calloc(1, sizeof(IESYS_CRYPTOSSL_CONTEXT));
|
||||
+
|
||||
+ IESYS_CRYPTOSSL_CONTEXT *mycontext = iesys_cryptossl_context_new();
|
||||
return_if_null(mycontext, "Out of Memory", TSS2_ESYS_RC_MEMORY);
|
||||
mycontext->type = IESYS_CRYPTOSSL_TYPE_HASH;
|
||||
|
||||
- if (!(mycontext->hash.ossl_hash_alg = get_ossl_hash_md(hashAlg))) {
|
||||
+ if (!iesys_cryptossl_context_set_hash_md(mycontext, hashAlg)) {
|
||||
goto_error(r, TSS2_ESYS_RC_NOT_IMPLEMENTED,
|
||||
"Unsupported hash algorithm (%"PRIu16")", cleanup, hashAlg);
|
||||
}
|
||||
@@ -132,12 +195,12 @@ iesys_cryptossl_hash_start(IESYS_CRYPTO_CONTEXT_BLOB ** context,
|
||||
"Unsupported hash algorithm (%"PRIu16")", cleanup, hashAlg);
|
||||
}
|
||||
|
||||
- if (!(mycontext->hash.ossl_context = EVP_MD_CTX_create())) {
|
||||
+ if (!(mycontext->hash.ossl_context = EVP_MD_CTX_create())) {
|
||||
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Error EVP_MD_CTX_create", cleanup);
|
||||
}
|
||||
|
||||
if (1 != EVP_DigestInit(mycontext->hash.ossl_context,
|
||||
- mycontext->hash.ossl_hash_alg)) {
|
||||
+ mycontext->hash.ossl_hash_alg)) {
|
||||
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Errror EVP_DigestInit", cleanup);
|
||||
}
|
||||
|
||||
@@ -146,9 +209,7 @@ iesys_cryptossl_hash_start(IESYS_CRYPTO_CONTEXT_BLOB ** context,
|
||||
return TSS2_RC_SUCCESS;
|
||||
|
||||
cleanup:
|
||||
- if (mycontext->hash.ossl_context)
|
||||
- EVP_MD_CTX_destroy(mycontext->hash.ossl_context);
|
||||
- SAFE_FREE(mycontext);
|
||||
+ iesys_cryptossl_context_free(mycontext);
|
||||
|
||||
return r;
|
||||
}
|
||||
@@ -252,8 +313,8 @@ iesys_cryptossl_hash_finish(IESYS_CRYPTO_CONTEXT_BLOB ** context,
|
||||
LOGBLOB_TRACE(buffer, mycontext->hash.hash_len, "read hash result");
|
||||
|
||||
*size = mycontext->hash.hash_len;
|
||||
- EVP_MD_CTX_destroy(mycontext->hash.ossl_context);
|
||||
- free(mycontext);
|
||||
+
|
||||
+ iesys_cryptossl_context_free(mycontext);
|
||||
*context = NULL;
|
||||
|
||||
return TSS2_RC_SUCCESS;
|
||||
@@ -279,8 +340,7 @@ iesys_cryptossl_hash_abort(IESYS_CRYPTO_CONTEXT_BLOB ** context)
|
||||
return;
|
||||
}
|
||||
|
||||
- EVP_MD_CTX_destroy(mycontext->hash.ossl_context);
|
||||
- free(mycontext);
|
||||
+ iesys_cryptossl_context_free(mycontext);
|
||||
*context = NULL;
|
||||
}
|
||||
|
||||
@@ -313,20 +373,20 @@ iesys_cryptossl_hmac_start(IESYS_CRYPTO_CONTEXT_BLOB ** context,
|
||||
return_error(TSS2_ESYS_RC_BAD_REFERENCE,
|
||||
"Null-Pointer passed in for context");
|
||||
}
|
||||
- IESYS_CRYPTOSSL_CONTEXT *mycontext = calloc(1, sizeof(IESYS_CRYPTOSSL_CONTEXT));
|
||||
+ IESYS_CRYPTOSSL_CONTEXT *mycontext = iesys_cryptossl_context_new();
|
||||
return_if_null(mycontext, "Out of Memory", TSS2_ESYS_RC_MEMORY);
|
||||
|
||||
- if (!(mycontext->hmac.ossl_hash_alg = get_ossl_hash_md(hashAlg))) {
|
||||
+ if (!iesys_cryptossl_context_set_hash_md(mycontext, hashAlg)) {
|
||||
goto_error(r, TSS2_ESYS_RC_NOT_IMPLEMENTED,
|
||||
"Unsupported hash algorithm (%"PRIu16")", cleanup, hashAlg);
|
||||
}
|
||||
|
||||
- if (iesys_crypto_hash_get_digest_size(hashAlg, &mycontext->hmac.hmac_len)) {
|
||||
+ if (iesys_crypto_hash_get_digest_size(hashAlg, &mycontext->hash.hash_len)) {
|
||||
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
|
||||
"Unsupported hash algorithm (%"PRIu16")", cleanup, hashAlg);
|
||||
}
|
||||
|
||||
- if (!(mycontext->hmac.ossl_context = EVP_MD_CTX_create())) {
|
||||
+ if (!(mycontext->hash.ossl_context = EVP_MD_CTX_create())) {
|
||||
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
|
||||
"Error EVP_MD_CTX_create", cleanup);
|
||||
}
|
||||
@@ -341,8 +401,8 @@ iesys_cryptossl_hmac_start(IESYS_CRYPTO_CONTEXT_BLOB ** context,
|
||||
"Failed to create HMAC key", cleanup);
|
||||
}
|
||||
|
||||
- if(1 != EVP_DigestSignInit(mycontext->hmac.ossl_context, NULL,
|
||||
- mycontext->hmac.ossl_hash_alg, NULL, hkey)) {
|
||||
+ if(1 != EVP_DigestSignInit(mycontext->hash.ossl_context, NULL,
|
||||
+ mycontext->hash.ossl_hash_alg, NULL, hkey)) {
|
||||
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
|
||||
"DigestSignInit", cleanup);
|
||||
}
|
||||
@@ -356,11 +416,9 @@ iesys_cryptossl_hmac_start(IESYS_CRYPTO_CONTEXT_BLOB ** context,
|
||||
return TSS2_RC_SUCCESS;
|
||||
|
||||
cleanup:
|
||||
- if (mycontext->hmac.ossl_context)
|
||||
- EVP_MD_CTX_destroy(mycontext->hmac.ossl_context);
|
||||
if(hkey)
|
||||
EVP_PKEY_free(hkey);
|
||||
- SAFE_FREE(mycontext);
|
||||
+ iesys_cryptossl_context_free(mycontext);
|
||||
return r;
|
||||
}
|
||||
|
||||
@@ -391,7 +449,7 @@ iesys_cryptossl_hmac_update(IESYS_CRYPTO_CONTEXT_BLOB * context,
|
||||
LOGBLOB_TRACE(buffer, size, "Updating hmac with");
|
||||
|
||||
/* Call update with the message */
|
||||
- if(1 != EVP_DigestSignUpdate(mycontext->hmac.ossl_context, buffer, size)) {
|
||||
+ if(1 != EVP_DigestSignUpdate(mycontext->hash.ossl_context, buffer, size)) {
|
||||
return_error(TSS2_ESYS_RC_GENERAL_FAILURE, "OSSL HMAC update");
|
||||
}
|
||||
|
||||
@@ -448,19 +506,18 @@ iesys_cryptossl_hmac_finish(IESYS_CRYPTO_CONTEXT_BLOB ** context,
|
||||
return_error(TSS2_ESYS_RC_BAD_REFERENCE, "bad context");
|
||||
}
|
||||
|
||||
- if (*size < mycontext->hmac.hmac_len) {
|
||||
+ if (*size < mycontext->hash.hash_len) {
|
||||
return_error(TSS2_ESYS_RC_BAD_SIZE, "Buffer too small");
|
||||
}
|
||||
|
||||
- if (1 != EVP_DigestSignFinal(mycontext->hmac.ossl_context, buffer, size)) {
|
||||
+ if (1 != EVP_DigestSignFinal(mycontext->hash.ossl_context, buffer, size)) {
|
||||
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "DigestSignFinal", cleanup);
|
||||
}
|
||||
|
||||
LOGBLOB_TRACE(buffer, *size, "read hmac result");
|
||||
|
||||
cleanup:
|
||||
- EVP_MD_CTX_destroy(mycontext->hmac.ossl_context);
|
||||
- SAFE_FREE(mycontext);
|
||||
+ iesys_cryptossl_context_free(mycontext);
|
||||
*context = NULL;
|
||||
return r;
|
||||
}
|
||||
@@ -510,9 +567,7 @@ iesys_cryptossl_hmac_abort(IESYS_CRYPTO_CONTEXT_BLOB ** context)
|
||||
return;
|
||||
}
|
||||
|
||||
- EVP_MD_CTX_destroy(mycontext->hmac.ossl_context);
|
||||
-
|
||||
- free(mycontext);
|
||||
+ iesys_cryptossl_context_free(mycontext);
|
||||
*context = NULL;
|
||||
}
|
||||
}
|
||||
@@ -529,9 +584,14 @@ iesys_cryptossl_hmac_abort(IESYS_CRYPTO_CONTEXT_BLOB ** context)
|
||||
TSS2_RC
|
||||
iesys_cryptossl_random2b(TPM2B_NONCE * nonce, size_t num_bytes)
|
||||
{
|
||||
+ int rc;
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
const RAND_METHOD *rand_save = RAND_get_rand_method();
|
||||
RAND_set_rand_method(RAND_OpenSSL());
|
||||
+#else
|
||||
+ OSSL_LIB_CTX *libctx = OSSL_LIB_CTX_new();
|
||||
+ if (!libctx)
|
||||
+ return TSS2_ESYS_RC_MEMORY;
|
||||
#endif
|
||||
|
||||
if (num_bytes == 0) {
|
||||
@@ -540,16 +600,16 @@ iesys_cryptossl_random2b(TPM2B_NONCE * nonce, size_t num_bytes)
|
||||
nonce->size = num_bytes;
|
||||
}
|
||||
|
||||
- if (1 != RAND_bytes(&nonce->buffer[0], nonce->size)) {
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
- RAND_set_rand_method(rand_save);
|
||||
+ rc = RAND_bytes(&nonce->buffer[0], nonce->size);
|
||||
+ RAND_set_rand_method(rand_save);
|
||||
+#else
|
||||
+ rc = RAND_bytes_ex(libctx, &nonce->buffer[0], nonce->size, 0);
|
||||
+ OSSL_LIB_CTX_free(libctx);
|
||||
#endif
|
||||
+ if (rc != 1)
|
||||
return_error(TSS2_ESYS_RC_GENERAL_FAILURE,
|
||||
"Failure in random number generator.");
|
||||
- }
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
- RAND_set_rand_method(rand_save);
|
||||
-#endif
|
||||
return TSS2_RC_SUCCESS;
|
||||
}
|
||||
|
||||
@@ -578,28 +638,37 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
|
||||
{
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
RSA *rsa_key = NULL;
|
||||
+ const EVP_MD * hashAlg = NULL;
|
||||
const RAND_METHOD *rand_save = RAND_get_rand_method();
|
||||
|
||||
RAND_set_rand_method(RAND_OpenSSL());
|
||||
#else
|
||||
+ OSSL_LIB_CTX *libctx = NULL;
|
||||
+ EVP_MD * hashAlg = NULL;
|
||||
OSSL_PARAM *params = NULL;
|
||||
OSSL_PARAM_BLD *build = NULL;
|
||||
#endif
|
||||
|
||||
TSS2_RC r = TSS2_RC_SUCCESS;
|
||||
- const EVP_MD * hashAlg = NULL;
|
||||
EVP_PKEY *evp_rsa_key = NULL;
|
||||
EVP_PKEY_CTX *genctx = NULL, *ctx = NULL;
|
||||
BIGNUM *bne = NULL, *n = NULL;
|
||||
int padding;
|
||||
char *label_copy = NULL;
|
||||
|
||||
- if (!(hashAlg = get_ossl_hash_md(pub_tpm_key->publicArea.nameAlg))) {
|
||||
- LOG_ERROR("Unsupported hash algorithm (%"PRIu16")",
|
||||
- pub_tpm_key->publicArea.nameAlg);
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
+ if (!(hashAlg = get_ossl_hash_md(pub_tpm_key->publicArea.nameAlg))) {
|
||||
RAND_set_rand_method(rand_save);
|
||||
+#else
|
||||
+ if (!(libctx = OSSL_LIB_CTX_new()))
|
||||
+ return TSS2_ESYS_RC_MEMORY;
|
||||
+
|
||||
+ if (!(hashAlg = EVP_MD_fetch(libctx,
|
||||
+ get_ossl_hash_md(pub_tpm_key->publicArea.nameAlg), NULL))) {
|
||||
+ OSSL_LIB_CTX_free(libctx);
|
||||
#endif
|
||||
+ LOG_ERROR("Unsupported hash algorithm (%"PRIu16")",
|
||||
+ pub_tpm_key->publicArea.nameAlg);
|
||||
return TSS2_ESYS_RC_NOT_IMPLEMENTED;
|
||||
}
|
||||
|
||||
@@ -673,7 +742,7 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
|
||||
cleanup);
|
||||
}
|
||||
|
||||
- if ((genctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL)) == NULL
|
||||
+ if ((genctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA", NULL)) == NULL
|
||||
|| EVP_PKEY_fromdata_init(genctx) <= 0
|
||||
|| EVP_PKEY_fromdata(genctx, &evp_rsa_key, EVP_PKEY_PUBLIC_KEY, params) <= 0) {
|
||||
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Could not create rsa key.",
|
||||
@@ -744,6 +813,8 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
|
||||
#else
|
||||
OSSL_FREE(params, OSSL_PARAM);
|
||||
OSSL_FREE(build, OSSL_PARAM_BLD);
|
||||
+ OSSL_FREE(hashAlg, EVP_MD);
|
||||
+ OSSL_FREE(libctx, OSSL_LIB_CTX);
|
||||
#endif
|
||||
return r;
|
||||
}
|
||||
diff --git a/src/tss2-fapi/fapi_crypto.c b/src/tss2-fapi/fapi_crypto.c
|
||||
index 9c7e566c..d061cf48 100644
|
||||
--- a/src/tss2-fapi/fapi_crypto.c
|
||||
+++ b/src/tss2-fapi/fapi_crypto.c
|
||||
@@ -48,14 +48,34 @@
|
||||
|
||||
/** Context to hold temporary values for ifapi_crypto */
|
||||
typedef struct _IFAPI_CRYPTO_CONTEXT {
|
||||
- /** The hash engine's context */
|
||||
- EVP_MD_CTX *osslContext;
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
/** The currently used hash algorithm */
|
||||
const EVP_MD *osslHashAlgorithm;
|
||||
+#else
|
||||
+ OSSL_LIB_CTX *libctx;
|
||||
+ /** The currently used hash algorithm */
|
||||
+ EVP_MD *osslHashAlgorithm;
|
||||
+#endif
|
||||
+ /** The hash engine's context */
|
||||
+ EVP_MD_CTX *osslContext;
|
||||
/** The size of the hash's digest */
|
||||
size_t hashSize;
|
||||
} IFAPI_CRYPTO_CONTEXT;
|
||||
|
||||
+static void
|
||||
+ifapi_crypto_context_free(IFAPI_CRYPTO_CONTEXT *ctx)
|
||||
+{
|
||||
+ if (!ctx)
|
||||
+ return;
|
||||
+
|
||||
+ EVP_MD_CTX_destroy(ctx->osslContext);
|
||||
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||
+ EVP_MD_free(ctx->osslHashAlgorithm);
|
||||
+ OSSL_LIB_CTX_free(ctx->libctx);
|
||||
+#endif
|
||||
+ SAFE_FREE(ctx);
|
||||
+}
|
||||
+
|
||||
/**
|
||||
* Returns the signature scheme that is currently used in the FAPI context.
|
||||
*
|
||||
@@ -225,6 +245,33 @@ ifapi_bn2binpad(const BIGNUM *bn, unsigned char *bin, int binSize)
|
||||
return 1;
|
||||
}
|
||||
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
+/**
|
||||
+ * Converts a TSS hash algorithm identifier into an OpenSSL hash algorithm
|
||||
+ * identifier object.
|
||||
+ *
|
||||
+ * @param[in] hashAlgorithm The TSS hash algorithm identifier to convert
|
||||
+ *
|
||||
+ * @retval A suitable OpenSSL identifier object if one could be found
|
||||
+ * @retval NULL if no suitable identifier object could be found
|
||||
+ */
|
||||
+static const EVP_MD *
|
||||
+get_ossl_hash_md(TPM2_ALG_ID hashAlgorithm)
|
||||
+{
|
||||
+ switch (hashAlgorithm) {
|
||||
+ case TPM2_ALG_SHA1:
|
||||
+ return EVP_sha1();
|
||||
+ case TPM2_ALG_SHA256:
|
||||
+ return EVP_sha256();
|
||||
+ case TPM2_ALG_SHA384:
|
||||
+ return EVP_sha384();
|
||||
+ case TPM2_ALG_SHA512:
|
||||
+ return EVP_sha512();
|
||||
+ default:
|
||||
+ return NULL;
|
||||
+ }
|
||||
+}
|
||||
+#else
|
||||
/**
|
||||
* Returns a suitable openSSL hash algorithm identifier for a given TSS hash
|
||||
* algorithm identifier.
|
||||
@@ -235,22 +282,23 @@ ifapi_bn2binpad(const BIGNUM *bn, unsigned char *bin, int binSize)
|
||||
* hashAlgorithm could be found
|
||||
* @retval NULL if no suitable hash algorithm identifier could be found
|
||||
*/
|
||||
-static const EVP_MD *
|
||||
+static const char *
|
||||
get_hash_md(TPM2_ALG_ID hashAlgorithm)
|
||||
{
|
||||
switch (hashAlgorithm) {
|
||||
case TPM2_ALG_SHA1:
|
||||
- return EVP_sha1();
|
||||
+ return "SHA1";
|
||||
case TPM2_ALG_SHA256:
|
||||
- return EVP_sha256();
|
||||
+ return "SHA256";
|
||||
case TPM2_ALG_SHA384:
|
||||
- return EVP_sha384();
|
||||
+ return "SHA384";
|
||||
case TPM2_ALG_SHA512:
|
||||
- return EVP_sha512();
|
||||
+ return "SHA512";
|
||||
default:
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
+#endif
|
||||
|
||||
/**
|
||||
* Returns a suitable openSSL RSA signature scheme identifiver for a given TSS
|
||||
@@ -1274,6 +1322,9 @@ ifapi_verify_signature_quote(
|
||||
BIO *bufio = NULL;
|
||||
EVP_PKEY_CTX *pctx = NULL;
|
||||
EVP_MD_CTX *mdctx = NULL;
|
||||
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||
+ OSSL_LIB_CTX *libctx = NULL;
|
||||
+#endif
|
||||
|
||||
/* Check whether or not the key is valid */
|
||||
if (keyObject->objectType == IFAPI_KEY_OBJ) {
|
||||
@@ -1304,8 +1355,8 @@ ifapi_verify_signature_quote(
|
||||
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "EVP_MD_CTX_create",
|
||||
error_cleanup);
|
||||
}
|
||||
-
|
||||
- const EVP_MD *hashAlgorithm = get_hash_md(signatureScheme->details.any.hashAlg);
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
+ const EVP_MD *hashAlgorithm = get_ossl_hash_md(signatureScheme->details.any.hashAlg);
|
||||
if (!hashAlgorithm) {
|
||||
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Invalid hash alg.",
|
||||
error_cleanup);
|
||||
@@ -1316,6 +1367,26 @@ ifapi_verify_signature_quote(
|
||||
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "EVP_DigestVerifyInit",
|
||||
error_cleanup);
|
||||
}
|
||||
+#else
|
||||
+ const char *hashAlgorithm = get_hash_md(signatureScheme->details.any.hashAlg);
|
||||
+ if (!hashAlgorithm) {
|
||||
+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Invalid hash alg.",
|
||||
+ error_cleanup);
|
||||
+ }
|
||||
+
|
||||
+ /* The TPM2 provider may be loaded in the global library context.
|
||||
+ * As we don't want the TPM to be called for these operations, we have
|
||||
+ * to initialize own library context with the default provider. */
|
||||
+ libctx = OSSL_LIB_CTX_new();
|
||||
+ goto_if_null(libctx, "Out of memory", TSS2_FAPI_RC_MEMORY, error_cleanup);
|
||||
+
|
||||
+ /* Verify the digest of the signature */
|
||||
+ if (1 != EVP_DigestVerifyInit_ex(mdctx, &pctx, hashAlgorithm, libctx,
|
||||
+ NULL, publicKey, NULL)) {
|
||||
+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "EVP_DigestVerifyInit_ex",
|
||||
+ error_cleanup);
|
||||
+ }
|
||||
+#endif
|
||||
goto_if_null(pctx, "Out of memory", TSS2_FAPI_RC_MEMORY, error_cleanup);
|
||||
if (EVP_PKEY_type(EVP_PKEY_id(publicKey)) == EVP_PKEY_RSA) {
|
||||
int padding = get_sig_scheme(signatureScheme->scheme);
|
||||
@@ -1339,12 +1410,13 @@ ifapi_verify_signature_quote(
|
||||
}
|
||||
|
||||
error_cleanup:
|
||||
- if (mdctx != NULL) {
|
||||
- EVP_MD_CTX_destroy(mdctx);
|
||||
- }
|
||||
+ EVP_MD_CTX_destroy(mdctx);
|
||||
SAFE_FREE(public_pem_key);
|
||||
EVP_PKEY_free(publicKey);
|
||||
BIO_free(bufio);
|
||||
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||
+ OSSL_LIB_CTX_free(libctx);
|
||||
+#endif
|
||||
return r;
|
||||
}
|
||||
|
||||
@@ -1464,36 +1536,6 @@ ifapi_hash_get_digest_size(TPM2_ALG_ID hashAlgorithm)
|
||||
}
|
||||
}
|
||||
|
||||
-/**
|
||||
- * Converts a TSS hash algorithm identifier into an OpenSSL hash algorithm
|
||||
- * identifier object.
|
||||
- *
|
||||
- * @param[in] hashAlgorithm The TSS hash algorithm identifier to convert
|
||||
- *
|
||||
- * @retval A suitable OpenSSL identifier object if one could be found
|
||||
- * @retval NULL if no suitable identifier object could be found
|
||||
- */
|
||||
-static const EVP_MD *
|
||||
-get_ossl_hash_md(TPM2_ALG_ID hashAlgorithm)
|
||||
-{
|
||||
- switch (hashAlgorithm) {
|
||||
- case TPM2_ALG_SHA1:
|
||||
- return EVP_sha1();
|
||||
- break;
|
||||
- case TPM2_ALG_SHA256:
|
||||
- return EVP_sha256();
|
||||
- break;
|
||||
- case TPM2_ALG_SHA384:
|
||||
- return EVP_sha384();
|
||||
- break;
|
||||
- case TPM2_ALG_SHA512:
|
||||
- return EVP_sha512();
|
||||
- break;
|
||||
- default:
|
||||
- return NULL;
|
||||
- }
|
||||
-}
|
||||
-
|
||||
/**
|
||||
* Starts the computation of a hash digest.
|
||||
*
|
||||
@@ -1520,11 +1562,26 @@ ifapi_crypto_hash_start(IFAPI_CRYPTO_CONTEXT_BLOB **context,
|
||||
mycontext = calloc(1, sizeof(IFAPI_CRYPTO_CONTEXT));
|
||||
return_if_null(mycontext, "Out of memory", TSS2_FAPI_RC_MEMORY);
|
||||
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
if (!(mycontext->osslHashAlgorithm = get_ossl_hash_md(hashAlgorithm))) {
|
||||
goto_error(r, TSS2_FAPI_RC_BAD_VALUE,
|
||||
"Unsupported hash algorithm (%" PRIu16 ")", cleanup,
|
||||
hashAlgorithm);
|
||||
}
|
||||
+#else
|
||||
+ /* The TPM2 provider may be loaded in the global library context.
|
||||
+ * As we don't want the TPM to be called for these operations, we have
|
||||
+ * to initialize own library context with the default provider. */
|
||||
+ mycontext->libctx = OSSL_LIB_CTX_new();
|
||||
+ return_if_null(mycontext->libctx, "Out of memory", TSS2_FAPI_RC_MEMORY);
|
||||
+
|
||||
+ if (!(mycontext->osslHashAlgorithm =
|
||||
+ EVP_MD_fetch(mycontext->libctx, get_hash_md(hashAlgorithm), NULL))) {
|
||||
+ goto_error(r, TSS2_FAPI_RC_BAD_VALUE,
|
||||
+ "Unsupported hash algorithm (%" PRIu16 ")", cleanup,
|
||||
+ hashAlgorithm);
|
||||
+ }
|
||||
+#endif
|
||||
|
||||
if (!(mycontext->hashSize = ifapi_hash_get_digest_size(hashAlgorithm))) {
|
||||
goto_error(r, TSS2_FAPI_RC_BAD_VALUE,
|
||||
@@ -1548,10 +1605,7 @@ ifapi_crypto_hash_start(IFAPI_CRYPTO_CONTEXT_BLOB **context,
|
||||
return TSS2_RC_SUCCESS;
|
||||
|
||||
cleanup:
|
||||
- if (mycontext->osslContext)
|
||||
- EVP_MD_CTX_destroy(mycontext->osslContext);
|
||||
- SAFE_FREE(mycontext);
|
||||
-
|
||||
+ ifapi_crypto_context_free(mycontext);
|
||||
return r;
|
||||
}
|
||||
|
||||
@@ -1630,8 +1684,7 @@ ifapi_crypto_hash_finish(IFAPI_CRYPTO_CONTEXT_BLOB **context,
|
||||
}
|
||||
|
||||
/* Finalize the hash context */
|
||||
- EVP_MD_CTX_destroy(mycontext->osslContext);
|
||||
- free(mycontext);
|
||||
+ ifapi_crypto_context_free(mycontext);
|
||||
*context = NULL;
|
||||
|
||||
return TSS2_RC_SUCCESS;
|
||||
@@ -1653,8 +1706,7 @@ ifapi_crypto_hash_abort(IFAPI_CRYPTO_CONTEXT_BLOB **context)
|
||||
}
|
||||
IFAPI_CRYPTO_CONTEXT *mycontext = (IFAPI_CRYPTO_CONTEXT *) * context;
|
||||
|
||||
- EVP_MD_CTX_destroy(mycontext->osslContext);
|
||||
- free(mycontext);
|
||||
+ ifapi_crypto_context_free(mycontext);
|
||||
*context = NULL;
|
||||
}
|
||||
|
||||
--
|
||||
2.34.3
|
||||
|
@ -1,70 +0,0 @@
|
||||
From 5ecd682797d2744d4a03c82ee5907db6766bcff1 Mon Sep 17 00:00:00 2001
|
||||
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
|
||||
Date: Tue, 12 Oct 2021 11:19:41 +0200
|
||||
Subject: [PATCH 06/23] FAPI: Add policy computation for create primary.
|
||||
|
||||
The policy digest for primary keys was only computed for keys created during provisioning.
|
||||
Now the policy digest is also computed for primary keys create with Fapi_CreateKey.
|
||||
Fixes #2175.
|
||||
|
||||
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
|
||||
---
|
||||
src/tss2-fapi/fapi_int.h | 1 +
|
||||
src/tss2-fapi/fapi_util.c | 29 +++++++++++++++++++++++++++++
|
||||
2 files changed, 30 insertions(+)
|
||||
|
||||
diff --git a/src/tss2-fapi/fapi_int.h b/src/tss2-fapi/fapi_int.h
|
||||
index 13c0333e..d13ec413 100644
|
||||
--- a/src/tss2-fapi/fapi_int.h
|
||||
+++ b/src/tss2-fapi/fapi_int.h
|
||||
@@ -341,6 +341,7 @@ enum IFAPI_KEY_CREATE_STATE {
|
||||
KEY_CREATE_FLUSH1,
|
||||
KEY_CREATE_FLUSH2,
|
||||
KEY_CREATE_CALCULATE_POLICY,
|
||||
+ KEY_CREATE_PRIMARY_CALCULATE_POLICY,
|
||||
KEY_CREATE_WAIT_FOR_AUTHORIZATION,
|
||||
KEY_CREATE_CLEANUP,
|
||||
KEY_CREATE_WAIT_FOR_RANDOM,
|
||||
diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
|
||||
index a5fc28a3..a0fd714e 100644
|
||||
--- a/src/tss2-fapi/fapi_util.c
|
||||
+++ b/src/tss2-fapi/fapi_util.c
|
||||
@@ -4539,6 +4539,35 @@ ifapi_create_primary(
|
||||
"hierarchy.", error_cleanup);
|
||||
}
|
||||
|
||||
+ if (context->cmd.Key_Create.policyPath
|
||||
+ && strcmp(context->cmd.Key_Create.policyPath, "") != 0)
|
||||
+ context->cmd.Key_Create.state = KEY_CREATE_PRIMARY_CALCULATE_POLICY;
|
||||
+ /* else jump over to KEY_CREATE_PRIMARY_WAIT_FOR_SESSION below */
|
||||
+ /* FALLTHRU */
|
||||
+ case KEY_CREATE_PRIMARY_CALCULATE_POLICY:
|
||||
+ if (context->cmd.Key_Create.state == KEY_CREATE_PRIMARY_CALCULATE_POLICY) {
|
||||
+ r = ifapi_calculate_tree(context, context->cmd.Key_Create.policyPath,
|
||||
+ &context->policy.policy,
|
||||
+ context->cmd.Key_Create.public_templ.public.publicArea.nameAlg,
|
||||
+ &context->policy.digest_idx,
|
||||
+ &context->policy.hash_size);
|
||||
+ return_try_again(r);
|
||||
+ goto_if_error2(r, "Calculate policy tree %s", error_cleanup,
|
||||
+ context->cmd.Key_Create.policyPath);
|
||||
+
|
||||
+ /* Store the calculated policy in the key object */
|
||||
+ object->policy = calloc(1, sizeof(TPMS_POLICY));
|
||||
+ return_if_null(object->policy, "Out of memory",
|
||||
+ TSS2_FAPI_RC_MEMORY);
|
||||
+ *(object->policy) = context->policy.policy;
|
||||
+
|
||||
+ context->cmd.Key_Create.public_templ.public.publicArea.authPolicy.size =
|
||||
+ context->policy.hash_size;
|
||||
+ memcpy(&context->cmd.Key_Create.public_templ.public.publicArea.authPolicy.buffer[0],
|
||||
+ &context->policy.policy.policyDigests.digests[context->policy.digest_idx].digest,
|
||||
+ context->policy.hash_size);
|
||||
+ }
|
||||
+
|
||||
r = ifapi_get_sessions_async(context,
|
||||
IFAPI_SESSION_GENEK | IFAPI_SESSION1,
|
||||
TPMA_SESSION_ENCRYPT | TPMA_SESSION_DECRYPT, 0);
|
||||
--
|
||||
2.34.3
|
||||
|
61
SOURCES/0006-FAPI-Fix-usage-of-persistent-handles.patch
Normal file
61
SOURCES/0006-FAPI-Fix-usage-of-persistent-handles.patch
Normal file
@ -0,0 +1,61 @@
|
||||
From db8ccb1df778dc92d1be88a88ddcd9d6c92c3e63 Mon Sep 17 00:00:00 2001
|
||||
From: Juergen Repp <juergen_repp@web.de>
|
||||
Date: Mon, 3 Apr 2023 21:21:55 +0200
|
||||
Subject: [PATCH 06/10] FAPI: Fix usage of persistent handles.
|
||||
|
||||
* Evict control for persistent keys created with Fapi_CreateKey was
|
||||
called with the wrong handle.
|
||||
* If Fapi_Quote was executed with a primary key for this key flush
|
||||
context was called.
|
||||
|
||||
Signed-off-by: Juergen Repp <juergen_repp@web.de>
|
||||
---
|
||||
src/tss2-fapi/api/Fapi_Quote.c | 14 +++++++++-----
|
||||
src/tss2-fapi/fapi_util.c | 1 +
|
||||
2 files changed, 10 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/src/tss2-fapi/api/Fapi_Quote.c b/src/tss2-fapi/api/Fapi_Quote.c
|
||||
index b71267a7..61e4e3db 100644
|
||||
--- a/src/tss2-fapi/api/Fapi_Quote.c
|
||||
+++ b/src/tss2-fapi/api/Fapi_Quote.c
|
||||
@@ -392,16 +392,20 @@ Fapi_Quote_Finish(
|
||||
goto_if_error(r, "Error: PCR_Quote", error_cleanup);
|
||||
|
||||
/* Flush the key used for the quote. */
|
||||
- r = Esys_FlushContext_Async(context->esys, command->handle);
|
||||
- goto_if_error(r, "Error: FlushContext", error_cleanup);
|
||||
+ if (!command->key_object->misc.key.persistent_handle) {
|
||||
+ r = Esys_FlushContext_Async(context->esys, command->handle);
|
||||
+ goto_if_error(r, "Error: FlushContext", error_cleanup);
|
||||
+ }
|
||||
command->handle = ESYS_TR_NONE;
|
||||
|
||||
fallthrough;
|
||||
|
||||
statecase(context->state, PCR_QUOTE_WAIT_FOR_FLUSH);
|
||||
- r = Esys_FlushContext_Finish(context->esys);
|
||||
- return_try_again(r);
|
||||
- goto_if_error(r, "Error: Sign", error_cleanup);
|
||||
+ if (!command->key_object->misc.key.persistent_handle) {
|
||||
+ r = Esys_FlushContext_Finish(context->esys);
|
||||
+ return_try_again(r);
|
||||
+ goto_if_error(r, "Error: Sign", error_cleanup);
|
||||
+ }
|
||||
|
||||
sig_key_object = command->key_object;
|
||||
/* Convert the TPM-encoded signature into something useful for the caller. */
|
||||
diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
|
||||
index ef4a92d0..49f7dd07 100644
|
||||
--- a/src/tss2-fapi/fapi_util.c
|
||||
+++ b/src/tss2-fapi/fapi_util.c
|
||||
@@ -4746,6 +4746,7 @@ ifapi_create_primary(
|
||||
|
||||
statecase(context->cmd.Key_Create.state, KEY_CREATE_PRIMARY_WAIT_FOR_AUTHORIZE2);
|
||||
if (template->persistent_handle) {
|
||||
+ object->misc.key.persistent_handle = template->persistent_handle;
|
||||
r = ifapi_authorize_object(context, hierarchy, &auth_session);
|
||||
FAPI_SYNC(r, "Authorize hierarchy.", error_cleanup);
|
||||
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,47 +0,0 @@
|
||||
From 6e9c46f8c3bf91aac51b668fa78c3173c885760c Mon Sep 17 00:00:00 2001
|
||||
From: Petr Gotthard <petr.gotthard@centrum.cz>
|
||||
Date: Sat, 17 Jul 2021 21:29:25 +0200
|
||||
Subject: FAPI Test: Use EVP_PKEY_base_id to detect key type
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The EVP_PKEY_base_id is the right way to detect key type, used also
|
||||
by OpenSSL itself.
|
||||
This function is available since OpenSSL 1.0.0.
|
||||
|
||||
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
|
||||
---
|
||||
test/integration/fapi-data-crypt.int.c | 2 +-
|
||||
test/integration/fapi-key-create-policy-signed.int.c | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/test/integration/fapi-data-crypt.int.c b/test/integration/fapi-data-crypt.int.c
|
||||
index d42466db..a95cc9ef 100644
|
||||
--- a/test/integration/fapi-data-crypt.int.c
|
||||
+++ b/test/integration/fapi-data-crypt.int.c
|
||||
@@ -133,7 +133,7 @@ signatureCallback(
|
||||
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.",
|
||||
error_cleanup);
|
||||
}
|
||||
- if (EVP_PKEY_type(EVP_PKEY_id(priv_key)) == EVP_PKEY_RSA) {
|
||||
+ if (EVP_PKEY_base_id(priv_key) == EVP_PKEY_RSA) {
|
||||
int signing_scheme = RSA_SIG_SCHEME;
|
||||
if (1 != EVP_PKEY_CTX_set_rsa_padding(pctx, signing_scheme)) {
|
||||
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL set RSA padding.",
|
||||
diff --git a/test/integration/fapi-key-create-policy-signed.int.c b/test/integration/fapi-key-create-policy-signed.int.c
|
||||
index b903dec0..8f917d35 100644
|
||||
--- a/test/integration/fapi-key-create-policy-signed.int.c
|
||||
+++ b/test/integration/fapi-key-create-policy-signed.int.c
|
||||
@@ -148,7 +148,7 @@ signatureCallback(
|
||||
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.",
|
||||
error_cleanup);
|
||||
}
|
||||
- if (EVP_PKEY_type(EVP_PKEY_id(priv_key)) == EVP_PKEY_RSA) {
|
||||
+ if (EVP_PKEY_base_id(priv_key) == EVP_PKEY_RSA) {
|
||||
int signing_scheme = RSA_SIG_SCHEME;
|
||||
if (1 != EVP_PKEY_CTX_set_rsa_padding(pctx, signing_scheme)) {
|
||||
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL set RSA padding.",
|
||||
--
|
||||
2.26.3
|
||||
|
@ -1,137 +0,0 @@
|
||||
From 517e94ee72b286e9942a5a6ecbffd05fc0b0bcf5 Mon Sep 17 00:00:00 2001
|
||||
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
|
||||
Date: Fri, 5 Nov 2021 23:08:47 +0100
|
||||
Subject: [PATCH 07/23] FAPI: Fix loading of primary keys.
|
||||
|
||||
Problems caused by primary keys created with Fapi_CreateKey are fixed:
|
||||
|
||||
* For primary keys not in all cases the unique field was cleared before calling create
|
||||
primary.
|
||||
* If the primary key was used for signing the object was cleared after loading. So
|
||||
access e.g. to the certificate did not work.
|
||||
* For primary keys created with Fapi_Create with an auth value the auth_value was
|
||||
not used in inSensitive to recreate the primary key. Now the auth value callback
|
||||
is used to initialize inSensitive.
|
||||
|
||||
Fixes #2189.
|
||||
|
||||
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
|
||||
---
|
||||
src/tss2-fapi/fapi_int.h | 1 +
|
||||
src/tss2-fapi/fapi_util.c | 62 +++++++++++++++++++++++++++++++++++++--
|
||||
2 files changed, 60 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/tss2-fapi/fapi_int.h b/src/tss2-fapi/fapi_int.h
|
||||
index d13ec413..7bcf442c 100644
|
||||
--- a/src/tss2-fapi/fapi_int.h
|
||||
+++ b/src/tss2-fapi/fapi_int.h
|
||||
@@ -768,6 +768,7 @@ enum _FAPI_STATE_PRIMARY {
|
||||
PRIMARY_READ_HIERARCHY,
|
||||
PRIMARY_READ_HIERARCHY_FINISH,
|
||||
PRIMARY_AUTHORIZE_HIERARCHY,
|
||||
+ PRIMARY_GET_AUTH_VALUE,
|
||||
PRIMARY_WAIT_FOR_PRIMARY,
|
||||
PRIMARY_HAUTH_SENT,
|
||||
PRIMARY_CREATED,
|
||||
diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
|
||||
index a0fd714e..90f8b2aa 100644
|
||||
--- a/src/tss2-fapi/fapi_util.c
|
||||
+++ b/src/tss2-fapi/fapi_util.c
|
||||
@@ -362,6 +362,52 @@ ifapi_get_object_path(IFAPI_OBJECT *object)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
+/** Set authorization value for a primary key to be created.
|
||||
+ *
|
||||
+ * The callback which provides the auth value must be defined.
|
||||
+ *
|
||||
+ * @param[in,out] context The FAPI_CONTEXT.
|
||||
+ * @param[in] object The auth value will be assigned to this object.
|
||||
+ * @param[in,out] inSensitive The sensitive data to store the auth value.
|
||||
+ *
|
||||
+ * @retval TSS2_RC_SUCCESS on success.
|
||||
+ * @retval TSS2_FAPI_RC_AUTHORIZATION_UNKNOWN If the callback for getting
|
||||
+ * the auth value is not defined.
|
||||
+ */
|
||||
+TSS2_RC
|
||||
+ifapi_set_auth_primary(
|
||||
+ FAPI_CONTEXT *context,
|
||||
+ IFAPI_OBJECT *object,
|
||||
+ TPMS_SENSITIVE_CREATE *inSensitive)
|
||||
+{
|
||||
+ TSS2_RC r;
|
||||
+ const char *auth = NULL;
|
||||
+ const char *obj_path;
|
||||
+
|
||||
+ memset(inSensitive, 0, sizeof(TPMS_SENSITIVE_CREATE));
|
||||
+
|
||||
+ if (!object->misc.key.with_auth) {
|
||||
+ return TSS2_RC_SUCCESS;
|
||||
+ }
|
||||
+
|
||||
+ obj_path = ifapi_get_object_path(object);
|
||||
+
|
||||
+ /* Check whether callback is defined. */
|
||||
+ if (context->callbacks.auth) {
|
||||
+ r = context->callbacks.auth(obj_path, object->misc.key.description,
|
||||
+ &auth, context->callbacks.authData);
|
||||
+ return_if_error(r, "AuthCallback");
|
||||
+ if (auth != NULL) {
|
||||
+ inSensitive->userAuth.size = strlen(auth);
|
||||
+ memcpy(&inSensitive->userAuth.buffer[0], auth,
|
||||
+ inSensitive->userAuth.size);
|
||||
+ }
|
||||
+ return TSS2_RC_SUCCESS;
|
||||
+ }
|
||||
+ SAFE_FREE(auth);
|
||||
+ return_error( TSS2_FAPI_RC_AUTHORIZATION_UNKNOWN, "Authorization callback not defined.");
|
||||
+}
|
||||
+
|
||||
/** Set authorization value for a FAPI object.
|
||||
*
|
||||
* The callback which provides the auth value must be defined.
|
||||
@@ -848,7 +894,7 @@ ifapi_load_primary_finish(FAPI_CONTEXT *context, ESYS_TR *handle)
|
||||
IFAPI_KEY *pkey = &context->createPrimary.pkey_object.misc.key;
|
||||
TPMS_CAPABILITY_DATA **capabilityData = &context->createPrimary.capabilityData;
|
||||
TPMI_YES_NO moreData;
|
||||
- ESYS_TR auth_session;
|
||||
+ ESYS_TR auth_session = ESYS_TR_NONE; /* Initialized due to scanbuild */
|
||||
|
||||
LOG_TRACE("call");
|
||||
|
||||
@@ -923,12 +969,23 @@ ifapi_load_primary_finish(FAPI_CONTEXT *context, ESYS_TR *handle)
|
||||
memset(&context->createPrimary.inSensitive, 0, sizeof(TPM2B_SENSITIVE_CREATE));
|
||||
memset(&context->createPrimary.outsideInfo, 0, sizeof(TPM2B_DATA));
|
||||
memset(&context->createPrimary.creationPCR, 0, sizeof(TPML_PCR_SELECTION));
|
||||
+ fallthrough;
|
||||
+
|
||||
+ statecase(context->primary_state, PRIMARY_GET_AUTH_VALUE);
|
||||
+ /* Get the auth value to be stored in inSensitive */
|
||||
+ r = ifapi_set_auth_primary(context, pkey_object,
|
||||
+ &context->createPrimary.inSensitive.sensitive);
|
||||
+ return_try_again(r);
|
||||
+ goto_if_error_reset_state(r, "Get auth value for primary", error_cleanup);
|
||||
|
||||
/* Prepare primary creation. */
|
||||
+ TPM2B_PUBLIC public = pkey->public;
|
||||
+ memset(&public.publicArea.unique, 0, sizeof(TPMU_PUBLIC_ID));
|
||||
+
|
||||
r = Esys_CreatePrimary_Async(context->esys, hierarchy->handle,
|
||||
auth_session, ESYS_TR_NONE, ESYS_TR_NONE,
|
||||
&context->createPrimary.inSensitive,
|
||||
- &pkey->public,
|
||||
+ &public,
|
||||
&context->createPrimary.outsideInfo,
|
||||
&context->createPrimary.creationPCR);
|
||||
return_if_error(r, "CreatePrimary");
|
||||
@@ -1905,7 +1962,6 @@ ifapi_load_key_finish(FAPI_CONTEXT *context, bool flush_parent)
|
||||
} else {
|
||||
LOG_TRACE("success");
|
||||
ifapi_cleanup_ifapi_object(context->loadKey.key_object);
|
||||
- ifapi_cleanup_ifapi_object(&context->loadKey.auth_object);
|
||||
return TSS2_RC_SUCCESS;
|
||||
}
|
||||
break;
|
||||
--
|
||||
2.34.3
|
||||
|
@ -1,100 +0,0 @@
|
||||
From 9ca735ab8f71a6b64f31867e55d43f3f5a51bfec Mon Sep 17 00:00:00 2001
|
||||
From: Petr Gotthard <petr.gotthard@centrum.cz>
|
||||
Date: Sun, 18 Jul 2021 11:54:50 +0200
|
||||
Subject: FAPI Test: Change RSA_sign to EVP_PKEY_sign
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The EVP_PKEY_sign functions are available since OpenSSL 1.0.0.
|
||||
The RSA_sign function is deprecated in OpenSSL 3.0.0.
|
||||
|
||||
This PR should work with OpenSSL 1.0.0 through 3.0.0.
|
||||
|
||||
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
|
||||
---
|
||||
test/integration/fapi-ext-public-key.int.c | 38 +++++++++++-----------
|
||||
1 file changed, 19 insertions(+), 19 deletions(-)
|
||||
|
||||
diff --git a/test/integration/fapi-ext-public-key.int.c b/test/integration/fapi-ext-public-key.int.c
|
||||
index 363c58b7..971d7897 100644
|
||||
--- a/test/integration/fapi-ext-public-key.int.c
|
||||
+++ b/test/integration/fapi-ext-public-key.int.c
|
||||
@@ -49,7 +49,7 @@ test_fapi_ext_public_key(FAPI_CONTEXT *context)
|
||||
BIO *bufio = NULL;
|
||||
|
||||
EVP_PKEY *evp_key = NULL;
|
||||
- RSA *rsa_key = NULL;
|
||||
+ EVP_PKEY_CTX *ctx = NULL;
|
||||
|
||||
/* Key will be used for non TPM signature verfication. */
|
||||
char *pubkey_pem =
|
||||
@@ -186,10 +186,8 @@ test_fapi_ext_public_key(FAPI_CONTEXT *context)
|
||||
|
||||
bufio = BIO_new_mem_buf((void *)priv_pem, strlen(priv_pem));
|
||||
evp_key = PEM_read_bio_PrivateKey(bufio, NULL, NULL, NULL);
|
||||
- rsa_key = EVP_PKEY_get1_RSA(evp_key);
|
||||
|
||||
-
|
||||
- if (!bufio || !evp_key || !rsa_key) {
|
||||
+ if (!bufio || !evp_key) {
|
||||
LOG_ERROR("Generation of test key failed.");
|
||||
goto error;
|
||||
}
|
||||
@@ -199,10 +197,20 @@ test_fapi_ext_public_key(FAPI_CONTEXT *context)
|
||||
0x25, 0x71, 0x78, 0x50, 0xc2, 0x6c, 0x9c, 0xd0, 0xd8, 0x9d
|
||||
};
|
||||
uint8_t signature[256];
|
||||
- unsigned int signatureLength = 256;
|
||||
+ size_t signatureLength = 256;
|
||||
|
||||
- if (!RSA_sign(NID_sha1, digest, 20, signature, &signatureLength, rsa_key)) {
|
||||
- LOG_ERROR("Test RSA_sign failed.");
|
||||
+ if ((ctx = EVP_PKEY_CTX_new(evp_key, NULL)) == NULL) {
|
||||
+ LOG_ERROR("Test EVP_PKEY_CTX_new failed.");
|
||||
+ goto error;
|
||||
+ }
|
||||
+ if (EVP_PKEY_sign_init(ctx) <= 0
|
||||
+ || EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0
|
||||
+ || EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha1()) <= 0) {
|
||||
+ LOG_ERROR("Test EVP_PKEY_sign_init failed.");
|
||||
+ goto error;
|
||||
+ }
|
||||
+ if (EVP_PKEY_sign(ctx, signature, &signatureLength, digest, 20) <= 0) {
|
||||
+ LOG_ERROR("Test EVP_PKEY_sign failed.");
|
||||
goto error;
|
||||
}
|
||||
|
||||
@@ -243,12 +251,8 @@ test_fapi_ext_public_key(FAPI_CONTEXT *context)
|
||||
if (bufio) {
|
||||
BIO_free(bufio);
|
||||
}
|
||||
- if (evp_key) {
|
||||
- EVP_PKEY_free(evp_key);
|
||||
- }
|
||||
- if (rsa_key) {
|
||||
- RSA_free(rsa_key);
|
||||
- }
|
||||
+ EVP_PKEY_CTX_free(ctx);
|
||||
+ EVP_PKEY_free(evp_key);
|
||||
SAFE_FREE(path_list);
|
||||
SAFE_FREE(cert2);
|
||||
return EXIT_SUCCESS;
|
||||
@@ -258,12 +262,8 @@ error:
|
||||
if (bufio) {
|
||||
BIO_free(bufio);
|
||||
}
|
||||
- if (evp_key) {
|
||||
- EVP_PKEY_free(evp_key);
|
||||
- }
|
||||
- if (rsa_key) {
|
||||
- RSA_free(rsa_key);
|
||||
- }
|
||||
+ EVP_PKEY_CTX_free(ctx);
|
||||
+ EVP_PKEY_free(evp_key);
|
||||
SAFE_FREE(path_list);
|
||||
SAFE_FREE(cert2);
|
||||
return EXIT_FAILURE;
|
||||
--
|
||||
2.26.3
|
||||
|
@ -0,0 +1,62 @@
|
||||
From e46840f3ec5932f3f9206f3eab903d82b7a977db Mon Sep 17 00:00:00 2001
|
||||
From: Juergen Repp <juergen_repp@web.de>
|
||||
Date: Mon, 27 Feb 2023 18:00:54 +0100
|
||||
Subject: [PATCH 07/10] build: Fix failed build with --disable-vendor
|
||||
|
||||
The compilation of the marshaling functions for TPML_INTEL_PTT_PROPERTY
|
||||
is now disabled for builds with --disable-vendor.
|
||||
Fixes: #2571
|
||||
|
||||
Signed-off-by: Juergen Repp <juergen_repp@web.de>
|
||||
---
|
||||
include/tss2/tss2_tpm2_types.h | 2 ++
|
||||
src/tss2-mu/tpml-types.c | 2 ++
|
||||
tss2-dlopen/tss2-dlopen-mu.c | 2 ++
|
||||
3 files changed, 6 insertions(+)
|
||||
|
||||
diff --git a/include/tss2/tss2_tpm2_types.h b/include/tss2/tss2_tpm2_types.h
|
||||
index 96286fb7..39a6978c 100644
|
||||
--- a/include/tss2/tss2_tpm2_types.h
|
||||
+++ b/include/tss2/tss2_tpm2_types.h
|
||||
@@ -63,7 +63,9 @@
|
||||
#define TPM2_PRIVATE_VENDOR_SPECIFIC_BYTES ((TPM2_MAX_RSA_KEY_BYTES / 2) * (3 + 2))
|
||||
|
||||
/* Vendor Specific Defines */
|
||||
+#ifndef DISABLE_VENDOR
|
||||
#define TPM2_MAX_PTT_PROPERTIES (TPM2_MAX_CAP_BUFFER / sizeof(UINT32))
|
||||
+#endif
|
||||
|
||||
/* Attached Component Capabilities */
|
||||
#define TPM2_MAX_AC_CAPABILITIES (TPM2_MAX_CAP_BUFFER / sizeof(TPMS_AC_OUTPUT))
|
||||
diff --git a/src/tss2-mu/tpml-types.c b/src/tss2-mu/tpml-types.c
|
||||
index 60f85a8c..1df9bbb8 100644
|
||||
--- a/src/tss2-mu/tpml-types.c
|
||||
+++ b/src/tss2-mu/tpml-types.c
|
||||
@@ -175,8 +175,10 @@ TPML_MARSHAL(TPML_PCR_SELECTION, Tss2_MU_TPMS_PCR_SELECTION_Marshal, pcrSelectio
|
||||
TPML_UNMARSHAL(TPML_PCR_SELECTION, Tss2_MU_TPMS_PCR_SELECTION_Unmarshal, pcrSelections)
|
||||
TPML_MARSHAL(TPML_DIGEST_VALUES, Tss2_MU_TPMT_HA_Marshal, digests, ADDR)
|
||||
TPML_UNMARSHAL(TPML_DIGEST_VALUES, Tss2_MU_TPMT_HA_Unmarshal, digests)
|
||||
+#ifndef DISABLE_VENDOR
|
||||
TPML_MARSHAL(TPML_INTEL_PTT_PROPERTY, Tss2_MU_UINT32_Marshal, property, VAL)
|
||||
TPML_UNMARSHAL(TPML_INTEL_PTT_PROPERTY, Tss2_MU_UINT32_Unmarshal, property)
|
||||
+#endif
|
||||
TPML_MARSHAL(TPML_AC_CAPABILITIES, Tss2_MU_TPMS_AC_OUTPUT_Marshal, acCapabilities, ADDR)
|
||||
TPML_UNMARSHAL(TPML_AC_CAPABILITIES, Tss2_MU_TPMS_AC_OUTPUT_Unmarshal, acCapabilities)
|
||||
TPML_MARSHAL(TPML_TAGGED_POLICY, Tss2_MU_TPMS_TAGGED_POLICY_Marshal, policies, ADDR)
|
||||
diff --git a/tss2-dlopen/tss2-dlopen-mu.c b/tss2-dlopen/tss2-dlopen-mu.c
|
||||
index 2297818b..21cd1123 100644
|
||||
--- a/tss2-dlopen/tss2-dlopen-mu.c
|
||||
+++ b/tss2-dlopen/tss2-dlopen-mu.c
|
||||
@@ -254,7 +254,9 @@ MAKE_MU_STRUCT(TPML_ALG_PROPERTY);
|
||||
MAKE_MU_STRUCT(TPML_ECC_CURVE);
|
||||
MAKE_MU_STRUCT(TPML_TAGGED_PCR_PROPERTY);
|
||||
MAKE_MU_STRUCT(TPML_TAGGED_TPM_PROPERTY);
|
||||
+#ifndef DISABLE_VENDOR
|
||||
MAKE_MU_STRUCT(TPML_INTEL_PTT_PROPERTY);
|
||||
+#endif
|
||||
MAKE_MU_STRUCT(TPML_AC_CAPABILITIES);
|
||||
MAKE_MU_STRUCT(TPML_TAGGED_POLICY);
|
||||
MAKE_MU_STRUCT(TPML_ACT_DATA);
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,35 @@
|
||||
From acb274ee0c59d6159b66e2df08aaf410e179f5f9 Mon Sep 17 00:00:00 2001
|
||||
From: Juergen Repp <juergen_repp@web.de>
|
||||
Date: Mon, 10 Apr 2023 20:20:24 +0200
|
||||
Subject: [PATCH 08/10] FAPI: Fapi_GetInfo display warning for SHA3 hash algs.
|
||||
|
||||
Currenlty FAPI_GetInfo did produce errors if the TPM implements
|
||||
SHA3 hash algs. Now a warning is displayed.
|
||||
|
||||
Signed-off-by: Juergen Repp <juergen_repp@web.de>
|
||||
---
|
||||
src/tss2-fapi/tpm_json_serialize.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/src/tss2-fapi/tpm_json_serialize.c b/src/tss2-fapi/tpm_json_serialize.c
|
||||
index 1eaa4eb2..65320da6 100644
|
||||
--- a/src/tss2-fapi/tpm_json_serialize.c
|
||||
+++ b/src/tss2-fapi/tpm_json_serialize.c
|
||||
@@ -1558,6 +1558,14 @@ ifapi_json_TPMS_ALG_PROPERTY_serialize(const TPMS_ALG_PROPERTY *in, json_object
|
||||
return_if_null(in, "Bad reference.", TSS2_FAPI_RC_BAD_REFERENCE);
|
||||
|
||||
TSS2_RC r;
|
||||
+
|
||||
+ if ((in->alg == TPM2_ALG_SHA3_256 ||
|
||||
+ in->alg == TPM2_ALG_SHA3_384 ||
|
||||
+ in->alg == TPM2_ALG_SHA3_512)) {
|
||||
+ LOG_WARNING("SHA3 hash algs are not supported by TSS");
|
||||
+ return TSS2_RC_SUCCESS;
|
||||
+ }
|
||||
+
|
||||
json_object *jso2;
|
||||
if (*jso == NULL)
|
||||
*jso = json_object_new_object ();
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,84 +0,0 @@
|
||||
From 68a7867198c84111bac3068c33d28e320df6a6f6 Mon Sep 17 00:00:00 2001
|
||||
From: JerryDevis <seclab@huawei.com>
|
||||
Date: Wed, 13 Oct 2021 11:26:03 +0800
|
||||
Subject: [PATCH 08/23] Fix file descriptor leak when tcti initialization
|
||||
failed
|
||||
|
||||
Signed-off-by: JerryDevis <seclab@huawei.com>
|
||||
---
|
||||
src/tss2-tcti/tcti-device.c | 18 ++++++++++++++++--
|
||||
1 file changed, 16 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/tss2-tcti/tcti-device.c b/src/tss2-tcti/tcti-device.c
|
||||
index 94db070c..364297be 100644
|
||||
--- a/src/tss2-tcti/tcti-device.c
|
||||
+++ b/src/tss2-tcti/tcti-device.c
|
||||
@@ -309,6 +309,16 @@ out:
|
||||
return rc;
|
||||
}
|
||||
|
||||
+static void close_tpm(int *fd)
|
||||
+{
|
||||
+ if (fd == NULL || *fd < 0) {
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ close(*fd);
|
||||
+ *fd = -1;
|
||||
+}
|
||||
+
|
||||
void
|
||||
tcti_device_finalize (
|
||||
TSS2_TCTI_CONTEXT *tctiContext)
|
||||
@@ -319,7 +329,7 @@ tcti_device_finalize (
|
||||
if (tcti_dev == NULL) {
|
||||
return;
|
||||
}
|
||||
- close (tcti_dev->fd);
|
||||
+ close_tpm (&tcti_dev->fd);
|
||||
tcti_common->state = TCTI_STATE_FINAL;
|
||||
}
|
||||
|
||||
@@ -455,6 +465,7 @@ Tss2_Tcti_Device_Init (
|
||||
ssize_t sz = write_all (tcti_dev->fd, cmd, sizeof(cmd));
|
||||
if (sz < 0 || sz != sizeof(cmd)) {
|
||||
LOG_ERROR ("Could not probe device for partial response read support");
|
||||
+ close_tpm (&tcti_dev->fd);
|
||||
return TSS2_TCTI_RC_IO_ERROR;
|
||||
}
|
||||
LOG_DEBUG ("Command sent, reading header");
|
||||
@@ -465,12 +476,14 @@ Tss2_Tcti_Device_Init (
|
||||
if (rc_poll < 0 || rc_poll == 0) {
|
||||
LOG_ERROR ("Failed to poll for response from fd %d, rc %d, errno %d: %s",
|
||||
tcti_dev->fd, rc_poll, errno, strerror(errno));
|
||||
+ close_tpm (&tcti_dev->fd);
|
||||
return TSS2_TCTI_RC_IO_ERROR;
|
||||
} else if (fds.revents == POLLIN) {
|
||||
TEMP_RETRY (sz, read (tcti_dev->fd, rsp, TPM_HEADER_SIZE));
|
||||
if (sz < 0 || sz != TPM_HEADER_SIZE) {
|
||||
LOG_ERROR ("Failed to read response header fd %d, got errno %d: %s",
|
||||
tcti_dev->fd, errno, strerror (errno));
|
||||
+ close_tpm (&tcti_dev->fd);
|
||||
return TSS2_TCTI_RC_IO_ERROR;
|
||||
}
|
||||
}
|
||||
@@ -482,6 +495,7 @@ Tss2_Tcti_Device_Init (
|
||||
if (rc_poll < 0) {
|
||||
LOG_DEBUG ("Failed to poll for response from fd %d, rc %d, errno %d: %s",
|
||||
tcti_dev->fd, rc_poll, errno, strerror(errno));
|
||||
+ close_tpm (&tcti_dev->fd);
|
||||
return TSS2_TCTI_RC_IO_ERROR;
|
||||
} else if (rc_poll == 0) {
|
||||
LOG_ERROR ("timeout waiting for response from fd %d", tcti_dev->fd);
|
||||
@@ -495,7 +509,7 @@ Tss2_Tcti_Device_Init (
|
||||
LOG_DEBUG ("Failed to get response tail fd %d, got errno %d: %s",
|
||||
tcti_dev->fd, errno, strerror (errno));
|
||||
tcti_common->partial_read_supported = 0;
|
||||
- close(tcti_dev->fd);
|
||||
+ close_tpm (&tcti_dev->fd);
|
||||
tcti_dev->fd = open_tpm (used_conf);
|
||||
if (tcti_dev->fd < 0) {
|
||||
LOG_ERROR ("Failed to open specified TCTI device file %s: %s",
|
||||
--
|
||||
2.34.3
|
||||
|
@ -1,65 +0,0 @@
|
||||
From 090a10a69340dc0825f611eceac60bf3f904a5ec Mon Sep 17 00:00:00 2001
|
||||
From: Petr Gotthard <petr.gotthard@centrum.cz>
|
||||
Date: Sat, 17 Jul 2021 22:43:00 +0200
|
||||
Subject: Require OpenSSL >= 1.1.0
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
To reduce the amount of version-specific code we drop support for
|
||||
OpenSSL prior 1.1.0, including all forks such as LibreSSL, which are
|
||||
not API compatible with OpenSSL >= 1.1.0.
|
||||
|
||||
Python 3.10 will even require OpenSSL >= 1.1.1. The corresponding
|
||||
PEP 644 contains a detailed impact analysis which is also relevant
|
||||
here.
|
||||
|
||||
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
|
||||
---
|
||||
INSTALL.md | 3 +--
|
||||
configure.ac | 6 +++++-
|
||||
2 files changed, 6 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/INSTALL.md b/INSTALL.md
|
||||
index eec94c45..658e1f28 100644
|
||||
--- a/INSTALL.md
|
||||
+++ b/INSTALL.md
|
||||
@@ -14,7 +14,7 @@ following sections describe them for the supported platforms.
|
||||
* C library development libraries and header files
|
||||
* pkg-config
|
||||
* doxygen
|
||||
-* OpenSSL development libraries and header files
|
||||
+* OpenSSL development libraries and header files, version >= 1.1.0
|
||||
* libcurl development libraries
|
||||
|
||||
The following are dependencies only required when building test suites.
|
||||
@@ -71,7 +71,6 @@ C Runtime (UCRT) version 10.0.16299.0. Building the type marshaling library
|
||||
(tss2-mu.dll) and the system API (tss2-sapi.dll) should be as simple as
|
||||
loading the tpm2-tss solution (tpm2-tss.sln) with a compatible and properly
|
||||
configured version of Visual Studio 2017 and pressing the 'build' button.
|
||||
-Windows build setup requires OpenSSL >= v1.0.2 crypto library.
|
||||
|
||||
### References
|
||||
Visual Studio 2017 with "Clang for Windows": https://blogs.msdn.microsoft.com/vcblog/2017/03/07/use-any-c-compiler-with-visual-studio/
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index d4324c9a..12baa257 100755
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -132,9 +132,13 @@ AC_ARG_WITH([crypto],
|
||||
AM_CONDITIONAL(ESYS_OSSL, test "x$with_crypto" = "xossl")
|
||||
AM_CONDITIONAL(ESYS_MBED, test "x$with_crypto" = "xmbed")
|
||||
|
||||
+m4_define([ossl_min_version], [1.1.0])
|
||||
+m4_define([ossl_err], [OpenSSL libcrypto is missing or version requirements not met. OpenSSL version must be >= ossl_min_version])
|
||||
AS_IF([test "x$enable_esys" = xyes],
|
||||
[AS_IF([test "x$with_crypto" = xossl], [
|
||||
- PKG_CHECK_MODULES([LIBCRYPTO], [libcrypto])
|
||||
+ PKG_CHECK_MODULES([LIBCRYPTO],
|
||||
+ [libcrypto >= ossl_min_version],,
|
||||
+ [AC_MSG_ERROR([ossl_err])])
|
||||
AC_DEFINE([OSSL], [1], [OpenSSL cryptographic backend])
|
||||
TSS2_ESYS_CFLAGS_CRYPTO="$LIBCRYPTO_CFLAGS"
|
||||
TSS2_ESYS_LDFLAGS_CRYPTO="$LIBCRYPTO_LIBS"
|
||||
--
|
||||
2.26.3
|
||||
|
@ -1,124 +0,0 @@
|
||||
From 75da8bd937e6bca14832240321a679634159f75b Mon Sep 17 00:00:00 2001
|
||||
From: Petr Gotthard <petr.gotthard@centrum.cz>
|
||||
Date: Sun, 18 Jul 2021 13:12:56 +0200
|
||||
Subject: FAPI: Change SHA256_Update to EVP_DigestUpdate
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Although the EVP_DigestUpdate functions are available in all OpenSSL
|
||||
versions and the EVP_DigestFinal_ex was added in OpenSSL 0.9.7, the
|
||||
EVP_MD_CTX_new was introduced in OpenSSL 1.1.0.
|
||||
The SHA256_Update function is deprecated in OpenSSL 3.0.0.
|
||||
|
||||
This PR should work with OpenSSL 1.1.0 through 3.0.0.
|
||||
|
||||
- Compared to the upstream commit f4f528ff the changes related to the
|
||||
unit test are omitted.
|
||||
|
||||
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
|
||||
---
|
||||
src/tss2-fapi/ifapi_get_intl_cert.c | 43 +++++++++++++++++------------
|
||||
1 file changed, 25 insertions(+), 18 deletions(-)
|
||||
|
||||
diff --git a/src/tss2-fapi/ifapi_get_intl_cert.c b/src/tss2-fapi/ifapi_get_intl_cert.c
|
||||
index 2fb17fd0..9290a17e 100644
|
||||
--- a/src/tss2-fapi/ifapi_get_intl_cert.c
|
||||
+++ b/src/tss2-fapi/ifapi_get_intl_cert.c
|
||||
@@ -52,21 +52,26 @@ static unsigned char *hash_ek_public(TPM2B_PUBLIC *ek_public) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
- SHA256_CTX sha256;
|
||||
- int is_success = SHA256_Init(&sha256);
|
||||
+ EVP_MD_CTX *sha256ctx = EVP_MD_CTX_new();
|
||||
+ if (!sha256ctx) {
|
||||
+ LOG_ERROR("EVP_MD_CTX_new failed");
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
+ int is_success = EVP_DigestInit(sha256ctx, EVP_sha256());
|
||||
if (!is_success) {
|
||||
- LOG_ERROR("SHA256_Init failed");
|
||||
+ LOG_ERROR("EVP_DigestInit failed");
|
||||
goto err;
|
||||
}
|
||||
|
||||
switch (ek_public->publicArea.type) {
|
||||
case TPM2_ALG_RSA:
|
||||
/* Add public key to the hash. */
|
||||
- is_success = SHA256_Update(&sha256,
|
||||
- ek_public->publicArea.unique.rsa.buffer,
|
||||
- ek_public->publicArea.unique.rsa.size);
|
||||
+ is_success = EVP_DigestUpdate(sha256ctx,
|
||||
+ ek_public->publicArea.unique.rsa.buffer,
|
||||
+ ek_public->publicArea.unique.rsa.size);
|
||||
if (!is_success) {
|
||||
- LOG_ERROR("SHA256_Update failed");
|
||||
+ LOG_ERROR("EVP_DigestUpdate failed");
|
||||
goto err;
|
||||
}
|
||||
|
||||
@@ -77,28 +82,28 @@ static unsigned char *hash_ek_public(TPM2B_PUBLIC *ek_public) {
|
||||
}
|
||||
/* Exponent 65537 will be added. */
|
||||
BYTE buf[3] = { 0x1, 0x00, 0x01 };
|
||||
- is_success = SHA256_Update(&sha256, buf, sizeof(buf));
|
||||
+ is_success = EVP_DigestUpdate(sha256ctx, buf, sizeof(buf));
|
||||
if (!is_success) {
|
||||
- LOG_ERROR("SHA256_Update failed");
|
||||
+ LOG_ERROR("EVP_DigestUpdate failed");
|
||||
goto err;
|
||||
}
|
||||
break;
|
||||
|
||||
case TPM2_ALG_ECC:
|
||||
- is_success = SHA256_Update(&sha256,
|
||||
- ek_public->publicArea.unique.ecc.x.buffer,
|
||||
- ek_public->publicArea.unique.ecc.x.size);
|
||||
+ is_success = EVP_DigestUpdate(sha256ctx,
|
||||
+ ek_public->publicArea.unique.ecc.x.buffer,
|
||||
+ ek_public->publicArea.unique.ecc.x.size);
|
||||
if (!is_success) {
|
||||
- LOG_ERROR("SHA256_Update failed");
|
||||
+ LOG_ERROR("EVP_DigestUpdate failed");
|
||||
goto err;
|
||||
}
|
||||
|
||||
/* Add public key to the hash. */
|
||||
- is_success = SHA256_Update(&sha256,
|
||||
- ek_public->publicArea.unique.ecc.y.buffer,
|
||||
- ek_public->publicArea.unique.ecc.y.size);
|
||||
+ is_success = EVP_DigestUpdate(sha256ctx,
|
||||
+ ek_public->publicArea.unique.ecc.y.buffer,
|
||||
+ ek_public->publicArea.unique.ecc.y.size);
|
||||
if (!is_success) {
|
||||
- LOG_ERROR("SHA256_Update failed");
|
||||
+ LOG_ERROR("EVP_DigestUpdate failed");
|
||||
goto err;
|
||||
}
|
||||
break;
|
||||
@@ -108,17 +113,19 @@ static unsigned char *hash_ek_public(TPM2B_PUBLIC *ek_public) {
|
||||
goto err;
|
||||
}
|
||||
|
||||
- is_success = SHA256_Final(hash, &sha256);
|
||||
+ is_success = EVP_DigestFinal_ex(sha256ctx, hash, NULL);
|
||||
if (!is_success) {
|
||||
LOG_ERROR("SHA256_Final failed");
|
||||
goto err;
|
||||
}
|
||||
|
||||
+ EVP_MD_CTX_free(sha256ctx);
|
||||
LOG_TRACE("public-key-hash:");
|
||||
LOG_TRACE(" sha256: ");
|
||||
LOGBLOB_TRACE(&hash[0], SHA256_DIGEST_LENGTH, "Hash");
|
||||
return hash;
|
||||
err:
|
||||
+ EVP_MD_CTX_free(sha256ctx);
|
||||
free(hash);
|
||||
return NULL;
|
||||
}
|
||||
--
|
||||
2.26.3
|
||||
|
@ -1,28 +0,0 @@
|
||||
From e1b4d9fd5b796711b38475c381a168a99003163c Mon Sep 17 00:00:00 2001
|
||||
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
|
||||
Date: Thu, 2 Dec 2021 09:17:15 +0100
|
||||
Subject: [PATCH 09/23] FAPI: Fix leak in fapi crypto with ossl3
|
||||
|
||||
A leak in the case "out of memory" detected by scan-build was fixed.
|
||||
|
||||
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
|
||||
---
|
||||
src/tss2-fapi/fapi_crypto.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/tss2-fapi/fapi_crypto.c b/src/tss2-fapi/fapi_crypto.c
|
||||
index d061cf48..fd7ea555 100644
|
||||
--- a/src/tss2-fapi/fapi_crypto.c
|
||||
+++ b/src/tss2-fapi/fapi_crypto.c
|
||||
@@ -1573,7 +1573,7 @@ ifapi_crypto_hash_start(IFAPI_CRYPTO_CONTEXT_BLOB **context,
|
||||
* As we don't want the TPM to be called for these operations, we have
|
||||
* to initialize own library context with the default provider. */
|
||||
mycontext->libctx = OSSL_LIB_CTX_new();
|
||||
- return_if_null(mycontext->libctx, "Out of memory", TSS2_FAPI_RC_MEMORY);
|
||||
+ goto_if_null(mycontext->libctx, "Out of memory", TSS2_FAPI_RC_MEMORY, cleanup);
|
||||
|
||||
if (!(mycontext->osslHashAlgorithm =
|
||||
EVP_MD_fetch(mycontext->libctx, get_hash_md(hashAlgorithm), NULL))) {
|
||||
--
|
||||
2.34.3
|
||||
|
@ -0,0 +1,39 @@
|
||||
From e43323dd5c089ed6af0a6a77b30f97350e1fbb6a Mon Sep 17 00:00:00 2001
|
||||
From: Juergen Repp <juergen_repp@web.de>
|
||||
Date: Sun, 9 Apr 2023 08:38:56 +0200
|
||||
Subject: [PATCH 09/10] FAPI: Skip provisioning test for nv ext and profile
|
||||
paths.
|
||||
|
||||
The provisioning test in ifapi_check_provisioned will be skipped
|
||||
for ext nv and profile paths. The test did produce inappropriate
|
||||
error messages if the corresponding paths did not exist in keystore.
|
||||
The test is only needed for pathnames starting with the profile.
|
||||
Fixes: #2596
|
||||
|
||||
Signed-off-by: Juergen Repp <juergen_repp@web.de>
|
||||
---
|
||||
src/tss2-fapi/ifapi_keystore.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/src/tss2-fapi/ifapi_keystore.c b/src/tss2-fapi/ifapi_keystore.c
|
||||
index 7e50ee1e..38c2f7fd 100644
|
||||
--- a/src/tss2-fapi/ifapi_keystore.c
|
||||
+++ b/src/tss2-fapi/ifapi_keystore.c
|
||||
@@ -1772,6 +1772,14 @@ ifapi_check_provisioned(
|
||||
|
||||
*ok = false;
|
||||
|
||||
+ /* No profile in path, test can be skipped. */
|
||||
+ if (ifapi_path_type_p(rel_path, IFAPI_NV_PATH) ||
|
||||
+ ifapi_path_type_p(rel_path, IFAPI_POLICY_PATH) ||
|
||||
+ ifapi_path_type_p(rel_path, IFAPI_EXT_PATH)) {
|
||||
+ *ok = true;
|
||||
+ return TSS2_RC_SUCCESS;
|
||||
+ }
|
||||
+
|
||||
/* First expand path in user directory */
|
||||
r = expand_path(keystore, rel_path, &directory);
|
||||
goto_if_error(r, "Expand path", cleanup);
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,29 +0,0 @@
|
||||
From 5652a33144973bdf570bea033ec185f8a7a6d038 Mon Sep 17 00:00:00 2001
|
||||
From: JerryDevis <JerryDevis@users.noreply.github.com>
|
||||
Date: Tue, 21 Dec 2021 17:44:00 +0800
|
||||
Subject: [PATCH 10/23] FAPI: Fix memory leak after ifapi_init_primary_finish
|
||||
failed
|
||||
|
||||
Signed-off-by: JerryDevis <JerryDevis@users.noreply.github.com>
|
||||
---
|
||||
src/tss2-fapi/fapi_util.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
|
||||
index 90f8b2aa..cd4e0979 100644
|
||||
--- a/src/tss2-fapi/fapi_util.c
|
||||
+++ b/src/tss2-fapi/fapi_util.c
|
||||
@@ -807,6 +807,10 @@ ifapi_init_primary_finish(FAPI_CONTEXT *context, TSS2_KEY_TYPE ktype, IFAPI_OBJE
|
||||
}
|
||||
|
||||
error_cleanup:
|
||||
+ SAFE_FREE(outPublic);
|
||||
+ SAFE_FREE(creationData);
|
||||
+ SAFE_FREE(creationHash);
|
||||
+ SAFE_FREE(creationTicket);
|
||||
ifapi_cleanup_ifapi_object(&context->createPrimary.pkey_object);
|
||||
free_string_list(k_sub_path);
|
||||
SAFE_FREE(pkey->serialization.buffer);
|
||||
--
|
||||
2.34.3
|
||||
|
30
SOURCES/0010-FAPI-Fix-wrong-allocation-of-pcr-policy.patch
Normal file
30
SOURCES/0010-FAPI-Fix-wrong-allocation-of-pcr-policy.patch
Normal file
@ -0,0 +1,30 @@
|
||||
From 12519626a221f0e4c20e66ec101429fc0f321c6f Mon Sep 17 00:00:00 2001
|
||||
From: Juergen Repp <juergen_repp@web.de>
|
||||
Date: Fri, 12 May 2023 09:30:53 +0200
|
||||
Subject: [PATCH 10/10] FAPI: Fix wrong allocation of pcr policy.
|
||||
|
||||
The list of pcr registers was was allocated with the wrong size in the
|
||||
function copy_policy_element which caused a segfault if more than one
|
||||
pcr was used.
|
||||
|
||||
Signed-off-by: Juergen Repp <juergen_repp@web.de>
|
||||
---
|
||||
src/tss2-fapi/ifapi_helpers.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/tss2-fapi/ifapi_helpers.c b/src/tss2-fapi/ifapi_helpers.c
|
||||
index e1c4220b..5c574717 100644
|
||||
--- a/src/tss2-fapi/ifapi_helpers.c
|
||||
+++ b/src/tss2-fapi/ifapi_helpers.c
|
||||
@@ -1343,7 +1343,7 @@ copy_policy_element(const TPMT_POLICYELEMENT *from_policy, TPMT_POLICYELEMENT *t
|
||||
case POLICYPCR:
|
||||
to_policy->element.PolicyPCR.pcrs =
|
||||
calloc(1, sizeof(TPML_PCRVALUES) +
|
||||
- from_policy->element.PolicyPCR.pcrs->count + sizeof(TPMS_PCRVALUE));
|
||||
+ from_policy->element.PolicyPCR.pcrs->count * sizeof(TPMS_PCRVALUE));
|
||||
goto_if_null2(to_policy->element.PolicyPCR.pcrs, "Out of memory.",
|
||||
r, TSS2_FAPI_RC_MEMORY, error);
|
||||
to_policy->element.PolicyPCR.pcrs->count
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,124 +0,0 @@
|
||||
From 89b2bd01f6fa1e267f57b2ceeb2ffaafb9cdb7c0 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Gotthard <petr.gotthard@centrum.cz>
|
||||
Date: Sun, 18 Jul 2021 14:56:18 +0200
|
||||
Subject: Test: Use EVP_MAC_xxx with OpenSSL 3.0
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Drop support for OpenSSL < 1.1.0 and add support for OpenSSL >= 3.0.0.
|
||||
|
||||
The HMAC_Update is deprecated in OpenSSL 3.0, but the replacement
|
||||
EVP_MAC_update was added in OpenSSL 3.0, so version specific code is
|
||||
needed.
|
||||
|
||||
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
|
||||
---
|
||||
test/integration/sys-util.c | 50 +++++++++++++++++++++++--------------
|
||||
1 file changed, 31 insertions(+), 19 deletions(-)
|
||||
|
||||
diff --git a/test/integration/sys-util.c b/test/integration/sys-util.c
|
||||
index af83cf55..5865f002 100644
|
||||
--- a/test/integration/sys-util.c
|
||||
+++ b/test/integration/sys-util.c
|
||||
@@ -13,10 +13,13 @@
|
||||
#include <string.h>
|
||||
#include <assert.h>
|
||||
|
||||
+#include <openssl/evp.h>
|
||||
#include <openssl/sha.h>
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#include <openssl/hmac.h>
|
||||
-#include <openssl/evp.h>
|
||||
-#include <openssl/opensslv.h>
|
||||
+#else
|
||||
+#include <openssl/core_names.h>
|
||||
+#endif
|
||||
|
||||
#define LOGMODULE testintegration
|
||||
#include "util/log.h"
|
||||
@@ -489,22 +492,18 @@ hmac(
|
||||
TPM2B_DIGEST **buffer_list,
|
||||
TPM2B_DIGEST *out)
|
||||
{
|
||||
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
||||
- HMAC_CTX *ctx;
|
||||
-#else
|
||||
- HMAC_CTX _ctx;
|
||||
- HMAC_CTX *ctx = &_ctx;
|
||||
-#endif
|
||||
- EVP_MD *evp;
|
||||
int rc = 1, i;
|
||||
- unsigned int *buf = NULL, size;
|
||||
+ unsigned int *buf = NULL;
|
||||
uint8_t *buf_ptr;
|
||||
+ EVP_MD *evp;
|
||||
|
||||
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
||||
- /* HMAC_CTX_new and HMAC_CTX_free are new in openSSL 1.1.0 */
|
||||
- ctx = HMAC_CTX_new();
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
+ unsigned int size;
|
||||
+ HMAC_CTX *ctx = HMAC_CTX_new();
|
||||
#else
|
||||
- HMAC_CTX_init(ctx);
|
||||
+ size_t size;
|
||||
+ EVP_MAC *hmac = EVP_MAC_fetch(NULL, "HMAC", NULL);
|
||||
+ EVP_MAC_CTX *ctx = EVP_MAC_CTX_new(hmac);
|
||||
#endif
|
||||
|
||||
if (!ctx)
|
||||
@@ -538,21 +537,33 @@ hmac(
|
||||
|
||||
buf_ptr = (uint8_t *)buf;
|
||||
|
||||
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
rc = HMAC_Init_ex(ctx, key, key_len, evp, NULL);
|
||||
#else
|
||||
- rc = HMAC_Init(ctx, key, key_len, evp);
|
||||
-#endif
|
||||
+ OSSL_PARAM params[2];
|
||||
|
||||
+ params[0] = OSSL_PARAM_construct_utf8_string(OSSL_ALG_PARAM_DIGEST,
|
||||
+ (char *)EVP_MD_get0_name(evp), 0);
|
||||
+ params[1] = OSSL_PARAM_construct_end();
|
||||
+ rc = EVP_MAC_init(ctx, key, key_len, params);
|
||||
+#endif
|
||||
if (rc != 1)
|
||||
goto out;
|
||||
for (i = 0; buffer_list[i] != 0; i++) {
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
rc = HMAC_Update(ctx, buffer_list[i]->buffer, buffer_list[i]->size);
|
||||
+#else
|
||||
+ rc = EVP_MAC_update(ctx, buffer_list[i]->buffer, buffer_list[i]->size);
|
||||
+#endif
|
||||
if (rc != 1)
|
||||
goto out;
|
||||
}
|
||||
/* buf_ptr has to be 4 bytes alligned for whatever reason */
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
rc = HMAC_Final(ctx, buf_ptr, &size);
|
||||
+#else
|
||||
+ rc = EVP_MAC_final(ctx, buf_ptr, &size, out->size);
|
||||
+#endif
|
||||
if (rc != 1)
|
||||
goto out;
|
||||
|
||||
@@ -561,10 +572,11 @@ hmac(
|
||||
memcpy(out->buffer, buf, out->size);
|
||||
|
||||
out:
|
||||
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
HMAC_CTX_free(ctx);
|
||||
#else
|
||||
- HMAC_CTX_cleanup(ctx);
|
||||
+ EVP_MAC_CTX_free(ctx);
|
||||
+ EVP_MAC_free(hmac);
|
||||
#endif
|
||||
|
||||
if (buf)
|
||||
--
|
||||
2.26.3
|
||||
|
@ -1,313 +0,0 @@
|
||||
From df8495b73df96f55425970e76c613b8a0950bf0c Mon Sep 17 00:00:00 2001
|
||||
From: Petr Gotthard <petr.gotthard@centrum.cz>
|
||||
Date: Sun, 18 Jul 2021 20:21:01 +0200
|
||||
Subject: Drop support for OpenSSL < 1.1.0
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Delete code written to support OpenSSL < 1.1.0
|
||||
|
||||
Delete functions that have no effect in OpenSSL >= 1.1.0
|
||||
- ENGINE_load_builtin_engines()
|
||||
- OpenSSL_add_all_algorithms()
|
||||
- ERR_load_crypto_strings()
|
||||
- EC_KEY_set_asn1_flag(ecKey, OPENSSL_EC_NAMED_CURVE)
|
||||
|
||||
Switch AppVeyor to use pre-built OpenSSL 1.1.0
|
||||
|
||||
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
|
||||
---
|
||||
src/tss2-esys/esys_crypto_ossl.c | 19 ----------------
|
||||
src/tss2-esys/tss2-esys.vcxproj | 16 +++++++-------
|
||||
src/tss2-fapi/fapi_crypto.c | 37 --------------------------------
|
||||
test/helper/tpm_getek.c | 11 ----------
|
||||
test/helper/tpm_getek_ecc.c | 9 --------
|
||||
5 files changed, 8 insertions(+), 84 deletions(-)
|
||||
|
||||
diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c
|
||||
index 2eb0dfcb..a6259346 100644
|
||||
--- a/src/tss2-esys/esys_crypto_ossl.c
|
||||
+++ b/src/tss2-esys/esys_crypto_ossl.c
|
||||
@@ -525,11 +525,7 @@ iesys_cryptossl_random2b(TPM2B_NONCE * nonce, size_t num_bytes)
|
||||
nonce->size = num_bytes;
|
||||
}
|
||||
|
||||
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
||||
RAND_set_rand_method(RAND_OpenSSL());
|
||||
-#else
|
||||
- RAND_set_rand_method(RAND_SSLeay());
|
||||
-#endif
|
||||
if (1 != RAND_bytes(&nonce->buffer[0], nonce->size)) {
|
||||
RAND_set_rand_method(rand_save);
|
||||
return_error(TSS2_ESYS_RC_GENERAL_FAILURE,
|
||||
@@ -563,11 +559,7 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
|
||||
size_t * out_size, const char *label)
|
||||
{
|
||||
const RAND_METHOD *rand_save = RAND_get_rand_method();
|
||||
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
||||
RAND_set_rand_method(RAND_OpenSSL());
|
||||
-#else
|
||||
- RAND_set_rand_method(RAND_SSLeay());
|
||||
-#endif
|
||||
|
||||
TSS2_RC r = TSS2_RC_SUCCESS;
|
||||
const EVP_MD * hashAlg = NULL;
|
||||
@@ -630,14 +622,6 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
|
||||
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
|
||||
"Could not create evp key.", cleanup);
|
||||
}
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
- if (!BN_bin2bn(pub_tpm_key->publicArea.unique.rsa.buffer,
|
||||
- pub_tpm_key->publicArea.unique.rsa.size,
|
||||
- rsa_key->n)) {
|
||||
- goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
|
||||
- "Could not create rsa n.", cleanup);
|
||||
- }
|
||||
-#else
|
||||
BIGNUM *n = NULL;
|
||||
if (!(n = BN_bin2bn(pub_tpm_key->publicArea.unique.rsa.buffer,
|
||||
pub_tpm_key->publicArea.unique.rsa.size,
|
||||
@@ -650,7 +634,6 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
|
||||
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
|
||||
"Could not set rsa n.", cleanup);
|
||||
}
|
||||
-#endif
|
||||
|
||||
if (1 != EVP_PKEY_set1_RSA(evp_rsa_key, rsa_key)) {
|
||||
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
|
||||
@@ -1129,7 +1112,5 @@ iesys_cryptossl_sym_aes_decrypt(uint8_t * key,
|
||||
*/
|
||||
TSS2_RC
|
||||
iesys_cryptossl_init() {
|
||||
- ENGINE_load_builtin_engines();
|
||||
- OpenSSL_add_all_algorithms();
|
||||
return TSS2_RC_SUCCESS;
|
||||
}
|
||||
diff --git a/src/tss2-esys/tss2-esys.vcxproj b/src/tss2-esys/tss2-esys.vcxproj
|
||||
index b75424aa..b2aa67ce 100644
|
||||
--- a/src/tss2-esys/tss2-esys.vcxproj
|
||||
+++ b/src/tss2-esys/tss2-esys.vcxproj
|
||||
@@ -69,13 +69,13 @@
|
||||
<RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<Optimization>Disabled</Optimization>
|
||||
- <AdditionalIncludeDirectories>$(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-Win32\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
|
||||
+ <AdditionalIncludeDirectories>$(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-v11-Win32\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<TargetMachine>MachineX86</TargetMachine>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
<SubSystem>Windows</SubSystem>
|
||||
- <AdditionalDependencies>$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-Win32\lib\libeay32.lib;C:\OpenSSL-Win32\lib\libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
+ <AdditionalDependencies>$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-v11-Win32\lib\libcrypto.lib;C:\OpenSSL-v11-Win32\lib\libcrypto.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<ModuleDefinitionFile>$(SolutionDir)\lib\tss2-esys.def</ModuleDefinitionFile>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
@@ -84,7 +84,7 @@
|
||||
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;TSS2ESYS_EXPORTS;MAXLOGLEVEL=6;strtok_r=strtok_s;OSSL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
- <AdditionalIncludeDirectories>$(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-Win32\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
|
||||
+ <AdditionalIncludeDirectories>$(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-v11-Win32\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<TargetMachine>MachineX86</TargetMachine>
|
||||
@@ -92,27 +92,27 @@
|
||||
<SubSystem>Windows</SubSystem>
|
||||
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||
<OptimizeReferences>true</OptimizeReferences>
|
||||
- <AdditionalDependencies>$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-Win32\lib\libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
+ <AdditionalDependencies>$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-v11-Win32\lib\libcrypto.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<ModuleDefinitionFile>$(SolutionDir)\lib\tss2-esys.def</ModuleDefinitionFile>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
<ClCompile>
|
||||
- <AdditionalIncludeDirectories>$(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-Win64\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
|
||||
+ <AdditionalIncludeDirectories>$(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-v11-Win64\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
|
||||
<PreprocessorDefinitions>_DEBUG;_WINDOWS;_USRDLL;TSS2ESYS_EXPORTS;MAXLOGLEVEL=6;strtok_r=strtok_s;OSSL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
- <AdditionalDependencies>$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-Win64\lib\libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
+ <AdditionalDependencies>$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-v11-Win64\lib\libcrypto.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<ModuleDefinitionFile>$(SolutionDir)\lib\tss2-esys.def</ModuleDefinitionFile>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
<ClCompile>
|
||||
- <AdditionalIncludeDirectories>$(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-Win64\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
|
||||
+ <AdditionalIncludeDirectories>$(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-v11-Win64\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
|
||||
<PreprocessorDefinitions>NDEBUG;_WINDOWS;_USRDLL;TSS2ESYS_EXPORTS;MAXLOGLEVEL=6;strtok_r=strtok_s;OSSL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
- <AdditionalDependencies>$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-Win64\lib\libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
+ <AdditionalDependencies>$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-v11-Win64\lib\libcrypto.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<ModuleDefinitionFile>$(SolutionDir)\lib\tss2-esys.def</ModuleDefinitionFile>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
diff --git a/src/tss2-fapi/fapi_crypto.c b/src/tss2-fapi/fapi_crypto.c
|
||||
index f5b3d272..c97b0a1d 100644
|
||||
--- a/src/tss2-fapi/fapi_crypto.c
|
||||
+++ b/src/tss2-fapi/fapi_crypto.c
|
||||
@@ -333,12 +333,7 @@ ifapi_tpm_ecc_sig_to_der(
|
||||
tpmSignature->signature.ecdsa.signatureR.size, NULL);
|
||||
goto_if_null(bnr, "Out of memory", TSS2_FAPI_RC_MEMORY, cleanup);
|
||||
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x10100000
|
||||
- ecdsaSignature->s = bns;
|
||||
- ecdsaSignature->r = bnr;
|
||||
-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
|
||||
ECDSA_SIG_set0(ecdsaSignature, bnr, bns);
|
||||
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
|
||||
|
||||
osslRC = i2d_ECDSA_SIG(ecdsaSignature, NULL);
|
||||
if (osslRC == -1) {
|
||||
@@ -424,20 +419,9 @@ ossl_rsa_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey)
|
||||
"Could not set exponent.", error_cleanup);
|
||||
}
|
||||
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x10100000
|
||||
- rsa->e = e;
|
||||
- rsa->n = n;
|
||||
- rsa->d = d;
|
||||
- rsa->p = p;
|
||||
- rsa->q = q;
|
||||
- rsa->dmp1 = dmp1;
|
||||
- rsa->dmq1 = dmq1;
|
||||
- rsa->iqmp = iqmp;
|
||||
-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
|
||||
RSA_set0_key(rsa, n, e, d);
|
||||
RSA_set0_factors(rsa, p, q);
|
||||
RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp);
|
||||
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
|
||||
|
||||
/* Assign the parameters to the key */
|
||||
if (!EVP_PKEY_assign_RSA(evpPublicKey, rsa)) {
|
||||
@@ -541,8 +525,6 @@ ossl_ecc_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey)
|
||||
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Assign ecc key",
|
||||
error_cleanup);
|
||||
}
|
||||
- /* Needed for older OSSL versions. */
|
||||
- EC_KEY_set_asn1_flag(ecKey, OPENSSL_EC_NAMED_CURVE);
|
||||
OSSL_FREE(y, BN);
|
||||
OSSL_FREE(x, BN);
|
||||
return TSS2_RC_SUCCESS;
|
||||
@@ -654,24 +636,14 @@ ifapi_ecc_der_sig_to_tpm(
|
||||
|
||||
/* Initialize the ECDSA signature components */
|
||||
ECDSA_SIG *ecdsaSignature = NULL;
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x10100000
|
||||
- BIGNUM *bnr;
|
||||
- BIGNUM *bns;
|
||||
-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
|
||||
const BIGNUM *bnr;
|
||||
const BIGNUM *bns;
|
||||
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
|
||||
|
||||
d2i_ECDSA_SIG(&ecdsaSignature, &signature, signatureSize);
|
||||
return_if_null(ecdsaSignature, "Invalid DER signature",
|
||||
TSS2_FAPI_RC_GENERAL_FAILURE);
|
||||
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x10100000
|
||||
- bns = ecdsaSignature->s;
|
||||
- bnr = ecdsaSignature->r;
|
||||
-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
|
||||
ECDSA_SIG_get0(ecdsaSignature, &bnr, &bns);
|
||||
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
|
||||
|
||||
/* Writing them to the TPM format signature */
|
||||
tpmSignature->signature.ecdsa.hash = hashAlgorithm;
|
||||
@@ -933,12 +905,7 @@ get_rsa_tpm2b_public_from_evp(
|
||||
const BIGNUM *e = NULL, *n = NULL;
|
||||
int rsaKeySize = RSA_size(rsaKey);
|
||||
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x10100000
|
||||
- e = rsaKey->e;
|
||||
- n = rsaKey->n;
|
||||
-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
|
||||
RSA_get0_key(rsaKey, &n, &e, NULL);
|
||||
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
|
||||
tpmPublic->publicArea.unique.rsa.size = rsaKeySize;
|
||||
if (1 != ifapi_bn2binpad(n, &tpmPublic->publicArea.unique.rsa.buffer[0],
|
||||
rsaKeySize)) {
|
||||
@@ -1650,8 +1617,6 @@ get_crl_from_cert(X509 *cert, X509_CRL **crl)
|
||||
goto_error(r, TSS2_FAPI_RC_NO_CERT, "Get crl.", cleanup);
|
||||
}
|
||||
|
||||
- OpenSSL_add_all_algorithms();
|
||||
-
|
||||
unsigned const char* tmp_ptr1 = crl_buffer;
|
||||
unsigned const char** tmp_ptr2 = &tmp_ptr1;
|
||||
|
||||
@@ -1935,7 +1900,6 @@ ifapi_verify_ek_cert(
|
||||
r, TSS2_FAPI_RC_BAD_VALUE, cleanup);
|
||||
} else {
|
||||
/* Get uri for ek intermediate certificate. */
|
||||
- OpenSSL_add_all_algorithms();
|
||||
info = X509_get_ext_d2i(ek_cert, NID_info_access, NULL, NULL);
|
||||
|
||||
for (i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++) {
|
||||
@@ -1955,7 +1919,6 @@ ifapi_verify_ek_cert(
|
||||
goto_if_null2(cert_buffer, "No certificate downloaded", r,
|
||||
TSS2_FAPI_RC_NO_CERT, cleanup);
|
||||
|
||||
- OpenSSL_add_all_algorithms();
|
||||
intermed_cert = get_cert_from_buffer(cert_buffer, cert_buffer_size);
|
||||
|
||||
SAFE_FREE(cert_buffer);
|
||||
diff --git a/test/helper/tpm_getek.c b/test/helper/tpm_getek.c
|
||||
index 21be0f46..c6a8e906 100644
|
||||
--- a/test/helper/tpm_getek.c
|
||||
+++ b/test/helper/tpm_getek.c
|
||||
@@ -147,20 +147,9 @@ main (int argc, char *argv[])
|
||||
exp = out_public.publicArea.parameters.rsaDetail.exponent;
|
||||
BN_set_word(e, exp);
|
||||
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x10100000
|
||||
- rsa->e = e;
|
||||
- rsa->n = n;
|
||||
- rsa->d = d;
|
||||
- rsa->p = p;
|
||||
- rsa->q = q;
|
||||
- rsa->dmp1 = dmp1;
|
||||
- rsa->dmq1 = dmq1;
|
||||
- rsa->iqmp = iqmp;
|
||||
-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
|
||||
RSA_set0_key(rsa, n, e, d);
|
||||
RSA_set0_factors(rsa, p, q);
|
||||
RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp);
|
||||
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
|
||||
|
||||
EVP_PKEY_assign_RSA(evp, rsa);
|
||||
|
||||
diff --git a/test/helper/tpm_getek_ecc.c b/test/helper/tpm_getek_ecc.c
|
||||
index 0419f47a..75165fdd 100644
|
||||
--- a/test/helper/tpm_getek_ecc.c
|
||||
+++ b/test/helper/tpm_getek_ecc.c
|
||||
@@ -128,14 +128,6 @@ main (int argc, char *argv[])
|
||||
/* Convert the key from out_public to PEM */
|
||||
|
||||
EVP_PKEY *evp = EVP_PKEY_new();
|
||||
-
|
||||
- OpenSSL_add_all_algorithms();
|
||||
-
|
||||
- OpenSSL_add_all_algorithms();
|
||||
-
|
||||
- ERR_load_crypto_strings();
|
||||
-
|
||||
-
|
||||
EC_KEY *ecc_key = EC_KEY_new();
|
||||
BIGNUM *x = NULL, *y = NULL;
|
||||
BIO *bio;
|
||||
@@ -159,7 +151,6 @@ main (int argc, char *argv[])
|
||||
if (!EC_KEY_set_group(ecc_key, ecgroup))
|
||||
exit(1);
|
||||
|
||||
- EC_KEY_set_asn1_flag(ecc_key, OPENSSL_EC_NAMED_CURVE);
|
||||
EC_GROUP_free(ecgroup);
|
||||
|
||||
/* Set the ECC parameters in the OpenSSL key */
|
||||
--
|
||||
2.26.3
|
||||
|
@ -1,39 +0,0 @@
|
||||
From 8b3891af6b8125f30c4b229ee1ba0b30a112664a Mon Sep 17 00:00:00 2001
|
||||
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
|
||||
Date: Tue, 21 Dec 2021 11:59:28 +0100
|
||||
Subject: [PATCH 11/23] esys: Return an error if ESYS_TR_NONE is passed to
|
||||
Esys_TR_GetName.
|
||||
|
||||
A segfault was produced in this case. Fixes #2243.
|
||||
|
||||
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
|
||||
---
|
||||
src/tss2-esys/esys_tr.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/src/tss2-esys/esys_tr.c b/src/tss2-esys/esys_tr.c
|
||||
index f0127d02..cf4caa09 100644
|
||||
--- a/src/tss2-esys/esys_tr.c
|
||||
+++ b/src/tss2-esys/esys_tr.c
|
||||
@@ -408,6 +408,7 @@ Esys_TR_SetAuth(ESYS_CONTEXT * esys_context, ESYS_TR esys_handle,
|
||||
* @retval TSS2_ESYS_RC_MEMORY if needed memory can't be allocated.
|
||||
* @retval TSS2_ESYS_RC_GENERAL_FAILURE for errors of the crypto library.
|
||||
* @retval TSS2_ESYS_RC_BAD_REFERENCE if the esysContext is NULL.
|
||||
+ * @retval TSS2_ESYS_RC_BAD_TR if the handle is invalid.
|
||||
* @retval TSS2_SYS_RC_* for SAPI errors.
|
||||
*/
|
||||
TSS2_RC
|
||||
@@ -418,6 +419,10 @@ Esys_TR_GetName(ESYS_CONTEXT * esys_context, ESYS_TR esys_handle,
|
||||
TSS2_RC r;
|
||||
_ESYS_ASSERT_NON_NULL(esys_context);
|
||||
|
||||
+ if (esys_handle == ESYS_TR_NONE) {
|
||||
+ return_error(TSS2_ESYS_RC_BAD_TR, "Name for ESYS_TR_NONE can't be determined.");
|
||||
+ }
|
||||
+
|
||||
r = esys_GetResourceObject(esys_context, esys_handle, &esys_object);
|
||||
return_if_error(r, "Object not found");
|
||||
|
||||
--
|
||||
2.34.3
|
||||
|
@ -1,45 +0,0 @@
|
||||
From d03674af6f2a66bb6d94f5a50871301c8650522d Mon Sep 17 00:00:00 2001
|
||||
From: JerryDevis <JerryDevis@users.noreply.github.com>
|
||||
Date: Wed, 5 Jan 2022 20:55:21 +0800
|
||||
Subject: [PATCH 12/23] FAPI: Fixed memory leak when ifapi_get_certificates
|
||||
failed
|
||||
|
||||
Signed-off-by: JerryDevis <JerryDevis@users.noreply.github.com>
|
||||
---
|
||||
src/tss2-fapi/fapi_util.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
|
||||
index cd4e0979..f64c4e8b 100644
|
||||
--- a/src/tss2-fapi/fapi_util.c
|
||||
+++ b/src/tss2-fapi/fapi_util.c
|
||||
@@ -4328,7 +4328,7 @@ ifapi_get_certificates(
|
||||
context->nv_cmd.nv_object.misc.nv.public.nvPublic.attributes = TPMA_NV_NO_DA;
|
||||
|
||||
r = ifapi_keystore_load_async(&context->keystore, &context->io, "/HS");
|
||||
- return_if_error2(r, "Could not open hierarchy /HS");
|
||||
+ goto_if_error_reset_state(r, "Could not open hierarchy /HS", error);
|
||||
|
||||
fallthrough;
|
||||
|
||||
@@ -4352,7 +4352,7 @@ ifapi_get_certificates(
|
||||
context->session2 = ESYS_TR_NONE;
|
||||
context->nv_cmd.nv_read_state = NV_READ_INIT;
|
||||
memset(&context->nv_cmd.nv_object, 0, sizeof(IFAPI_OBJECT));
|
||||
- Esys_Free(context->cmd.Provision.nvPublic);
|
||||
+ SAFE_FREE(context->cmd.Provision.nvPublic);
|
||||
fallthrough;
|
||||
|
||||
statecase(context->get_cert_state, GET_CERT_READ_CERT);
|
||||
@@ -4382,7 +4382,7 @@ ifapi_get_certificates(
|
||||
}
|
||||
|
||||
error:
|
||||
- SAFE_FREE(context->cmd.Provision.capabilityData);
|
||||
+ SAFE_FREE(context->cmd.Provision.nvPublic);
|
||||
SAFE_FREE(context->cmd.Provision.capabilityData);
|
||||
ifapi_cleanup_ifapi_object(&context->nv_cmd.auth_object);
|
||||
ifapi_free_object_list(*cert_list);
|
||||
--
|
||||
2.34.3
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -1,25 +0,0 @@
|
||||
From 53f235e27ee657266725137a551858b81c24c57b Mon Sep 17 00:00:00 2001
|
||||
From: JerryDevis <JerryDevis@users.noreply.github.com>
|
||||
Date: Wed, 5 Jan 2022 21:58:00 +0800
|
||||
Subject: [PATCH 13/23] FAPI: Free object when keystore_search_obj failed
|
||||
|
||||
Signed-off-by: JerryDevis <JerryDevis@users.noreply.github.com>
|
||||
---
|
||||
src/tss2-fapi/ifapi_keystore.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/tss2-fapi/ifapi_keystore.c b/src/tss2-fapi/ifapi_keystore.c
|
||||
index 743de133..e805029f 100644
|
||||
--- a/src/tss2-fapi/ifapi_keystore.c
|
||||
+++ b/src/tss2-fapi/ifapi_keystore.c
|
||||
@@ -1239,6 +1239,7 @@ cleanup:
|
||||
r = TSS2_FAPI_RC_KEY_NOT_FOUND;
|
||||
}
|
||||
keystore->key_search.state = KSEARCH_INIT;
|
||||
+ ifapi_cleanup_ifapi_object(&object);
|
||||
return r;
|
||||
}
|
||||
|
||||
--
|
||||
2.34.3
|
||||
|
@ -1,27 +0,0 @@
|
||||
From ba3ba5c4ec4f0362a0915c5ae5e002c9cbdc9f1e Mon Sep 17 00:00:00 2001
|
||||
From: JerryDevis <JerryDevis@users.noreply.github.com>
|
||||
Date: Wed, 5 Jan 2022 22:09:26 +0800
|
||||
Subject: [PATCH 14/23] FAPI:Fixed the memory leak of command->data when
|
||||
Fapi_GetEsysBlob_Finish failed
|
||||
|
||||
Signed-off-by: JerryDevis <JerryDevis@users.noreply.github.com>
|
||||
---
|
||||
src/tss2-fapi/api/Fapi_GetEsysBlob.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/tss2-fapi/api/Fapi_GetEsysBlob.c b/src/tss2-fapi/api/Fapi_GetEsysBlob.c
|
||||
index a54bece8..b152ae3a 100644
|
||||
--- a/src/tss2-fapi/api/Fapi_GetEsysBlob.c
|
||||
+++ b/src/tss2-fapi/api/Fapi_GetEsysBlob.c
|
||||
@@ -395,7 +395,7 @@ error_cleanup:
|
||||
ifapi_cleanup_ifapi_object(object);
|
||||
ifapi_cleanup_ifapi_object(key_object);
|
||||
SAFE_FREE(command->path);
|
||||
- SAFE_FREE(*data);
|
||||
+ SAFE_FREE(command->data);
|
||||
SAFE_FREE(key_context);
|
||||
ifapi_session_clean(context);
|
||||
ifapi_cleanup_ifapi_object(&context->loadKey.auth_object);
|
||||
--
|
||||
2.34.3
|
||||
|
@ -1,38 +0,0 @@
|
||||
From 5e2f86cbd55b7c82ebf4cef0a0abed6c04598bd9 Mon Sep 17 00:00:00 2001
|
||||
From: JerryDevis <JerryDevis@users.noreply.github.com>
|
||||
Date: Fri, 7 Jan 2022 11:56:14 +0800
|
||||
Subject: [PATCH 15/23] ESYS: Fixed annotation error of Esys_TR_Deserialize
|
||||
|
||||
Signed-off-by: JerryDevis <JerryDevis@users.noreply.github.com>
|
||||
---
|
||||
src/tss2-esys/esys_tr.c | 11 +++++------
|
||||
1 file changed, 5 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/tss2-esys/esys_tr.c b/src/tss2-esys/esys_tr.c
|
||||
index cf4caa09..784f711a 100644
|
||||
--- a/src/tss2-esys/esys_tr.c
|
||||
+++ b/src/tss2-esys/esys_tr.c
|
||||
@@ -65,15 +65,14 @@ Esys_TR_Serialize(ESYS_CONTEXT * esys_context,
|
||||
*
|
||||
* Deserialize the metadata of an ESYS_TR object from a byte buffer that was
|
||||
* stored on disk for later use by a different program or context.
|
||||
- * An object can be serialized suing Esys_TR_Serialize.
|
||||
+ * An object can be deserialized using Esys_TR_Deserialize.
|
||||
* @param esys_context [in,out] The ESYS_CONTEXT.
|
||||
- * @param esys_handle [in] The ESYS_TR object to serialize.
|
||||
- * @param buffer [out] The buffer containing the serialized metadata.
|
||||
- * (caller-callocated) Shall be freed using free().
|
||||
- * @param buffer_size [out] The size of the buffer parameter.
|
||||
+ * @param esys_handle [out] The ESYS_TR object to deserialize.
|
||||
+ * @param buffer [in] The buffer containing the metadata of the ESYS_TR object.
|
||||
+ * @param buffer_size [in] The size of the buffer parameter.
|
||||
* @retval TSS2_RC_SUCCESS on Success.
|
||||
* @retval TSS2_ESYS_RC_MEMORY if the object can not be allocated.
|
||||
- * @retval TSS2_ESYS_RC_INSUFFICIENT_BUFFER if the buffer for unmarshaling.
|
||||
+ * @retval TSS2_ESYS_RC_INSUFFICIENT_BUFFER if the buffer for unmarshalling.
|
||||
* @retval TSS2_ESYS_RC_BAD_REFERENCE if the esysContext is NULL.
|
||||
* @retval TSS2_RCs produced by lower layers of the software stack.
|
||||
*/
|
||||
--
|
||||
2.34.3
|
||||
|
@ -1,50 +0,0 @@
|
||||
From 80d8aa8e3d15fd01eacb40200b80a83ed940c207 Mon Sep 17 00:00:00 2001
|
||||
From: JerryDevis <857869045@qq.com>
|
||||
Date: Sun, 9 Jan 2022 16:31:09 +0800
|
||||
Subject: [PATCH 16/23] FAPI: Clean up memory when Fapi_Delete_Async failed
|
||||
|
||||
Signed-off-by: JerryDevis <857869045@qq.com>
|
||||
---
|
||||
src/tss2-fapi/api/Fapi_Delete.c | 10 +++++-----
|
||||
1 file changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/src/tss2-fapi/api/Fapi_Delete.c b/src/tss2-fapi/api/Fapi_Delete.c
|
||||
index 43ea0332..2b5826ab 100644
|
||||
--- a/src/tss2-fapi/api/Fapi_Delete.c
|
||||
+++ b/src/tss2-fapi/api/Fapi_Delete.c
|
||||
@@ -419,14 +419,14 @@ Fapi_Delete_Async(
|
||||
/* No session will be needed these files can be deleted without
|
||||
interaction with the TPM */
|
||||
r = ifapi_non_tpm_mode_init(context);
|
||||
- return_if_error(r, "Initialize Entity_Delete");
|
||||
+ goto_if_error(r, "Initialize Entity_Delete", error_cleanup);
|
||||
context->session1 = ESYS_TR_NONE;
|
||||
|
||||
context->state = ENTITY_DELETE_GET_FILE;
|
||||
} else {
|
||||
/* Check whether TCTI and ESYS are initialized */
|
||||
- return_if_null(context->esys, "Command can't be executed in none TPM mode.",
|
||||
- TSS2_FAPI_RC_NO_TPM);
|
||||
+ goto_if_null(context->esys, "Command can't be executed in none TPM mode.",
|
||||
+ TSS2_FAPI_RC_NO_TPM, error_cleanup);
|
||||
|
||||
/* If the async state automata of FAPI shall be tested, then we must not set
|
||||
the timeouts of ESYS to blocking mode.
|
||||
@@ -435,12 +435,12 @@ Fapi_Delete_Async(
|
||||
to block until a result is available. */
|
||||
#ifndef TEST_FAPI_ASYNC
|
||||
r = Esys_SetTimeout(context->esys, TSS2_TCTI_TIMEOUT_BLOCK);
|
||||
- return_if_error_reset_state(r, "Set Timeout to blocking");
|
||||
+ goto_if_error_reset_state(r, "Set Timeout to blocking", error_cleanup);
|
||||
#endif /* TEST_FAPI_ASYNC */
|
||||
|
||||
/* A TPM session will be created to enable object authorization */
|
||||
r = ifapi_session_init(context);
|
||||
- return_if_error(r, "Initialize Entity_Delete");
|
||||
+ goto_if_error(r, "Initialize Entity_Delete", error_cleanup);
|
||||
|
||||
r = ifapi_get_sessions_async(context,
|
||||
IFAPI_SESSION_GENEK | IFAPI_SESSION1,
|
||||
--
|
||||
2.34.3
|
||||
|
@ -1,44 +0,0 @@
|
||||
From f03a243f4f1e249a0f4d96bc5722a44953cad72e Mon Sep 17 00:00:00 2001
|
||||
From: JerryDevis <857869045@qq.com>
|
||||
Date: Sun, 9 Jan 2022 18:44:49 +0800
|
||||
Subject: [PATCH 17/23] FAPI: Clean up memory when Fapi_GetEsysBlob_Async
|
||||
failed
|
||||
|
||||
Signed-off-by: JerryDevis <857869045@qq.com>
|
||||
---
|
||||
src/tss2-fapi/api/Fapi_GetEsysBlob.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/tss2-fapi/api/Fapi_GetEsysBlob.c b/src/tss2-fapi/api/Fapi_GetEsysBlob.c
|
||||
index b152ae3a..db67e2e4 100644
|
||||
--- a/src/tss2-fapi/api/Fapi_GetEsysBlob.c
|
||||
+++ b/src/tss2-fapi/api/Fapi_GetEsysBlob.c
|
||||
@@ -157,8 +157,8 @@ Fapi_GetEsysBlob_Async(
|
||||
authObject->objectType = IFAPI_OBJ_NONE;
|
||||
|
||||
/* Check whether TCTI and ESYS are initialized */
|
||||
- return_if_null(context->esys, "Command can't be executed in none TPM mode.",
|
||||
- TSS2_FAPI_RC_NO_TPM);
|
||||
+ goto_if_null(context->esys, "Command can't be executed in none TPM mode.",
|
||||
+ TSS2_FAPI_RC_NO_TPM, error_cleanup);
|
||||
|
||||
/* If the async state automata of FAPI shall be tested, then we must not set
|
||||
the timeouts of ESYS to blocking mode.
|
||||
@@ -167,12 +167,12 @@ Fapi_GetEsysBlob_Async(
|
||||
to block until a result is available. */
|
||||
#ifndef TEST_FAPI_ASYNC
|
||||
r = Esys_SetTimeout(context->esys, TSS2_TCTI_TIMEOUT_BLOCK);
|
||||
- return_if_error_reset_state(r, "Set Timeout to blocking");
|
||||
+ goto_if_error_reset_state(r, "Set Timeout to blocking", error_cleanup);
|
||||
#endif /* TEST_FAPI_ASYNC */
|
||||
|
||||
/* A TPM session will be created to enable object authorization */
|
||||
r = ifapi_session_init(context);
|
||||
- return_if_error(r, "Initialize GetEsysBlob");
|
||||
+ goto_if_error(r, "Initialize GetEsysBlob", error_cleanup);
|
||||
|
||||
context->state = GET_ESYS_BLOB_GET_FILE;
|
||||
|
||||
--
|
||||
2.34.3
|
||||
|
@ -1,30 +0,0 @@
|
||||
From cd9987b0e400f8a77a19c3b8279eb931554cce7c Mon Sep 17 00:00:00 2001
|
||||
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
|
||||
Date: Thu, 13 Jan 2022 11:46:22 +0100
|
||||
Subject: [PATCH 18/23] FAPI: Initialize object used for keystore search.
|
||||
|
||||
For an empty keystore a cleanup of an uninitialized object was executed. No the object
|
||||
type now is initialized with IFAPI_OBJ_NONE to prevent the cleanup.
|
||||
|
||||
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
|
||||
---
|
||||
src/tss2-fapi/ifapi_keystore.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/src/tss2-fapi/ifapi_keystore.c b/src/tss2-fapi/ifapi_keystore.c
|
||||
index e805029f..c5486690 100644
|
||||
--- a/src/tss2-fapi/ifapi_keystore.c
|
||||
+++ b/src/tss2-fapi/ifapi_keystore.c
|
||||
@@ -1173,6 +1173,9 @@ keystore_search_obj(
|
||||
IFAPI_OBJECT object;
|
||||
size_t i;
|
||||
|
||||
+ /* Mark object "unread" */
|
||||
+ object.objectType = IFAPI_OBJ_NONE;
|
||||
+
|
||||
switch (keystore->key_search.state) {
|
||||
statecase(keystore->key_search.state, KSEARCH_INIT)
|
||||
r = ifapi_keystore_list_all(keystore,
|
||||
--
|
||||
2.34.3
|
||||
|
@ -1,30 +0,0 @@
|
||||
From 7514e0f35f08666aa0cd5edc2859104c19b7b2a1 Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Fuchs <andreas.fuchs@sit.fraunhofer.de>
|
||||
Date: Thu, 13 Jan 2022 16:48:30 +0100
|
||||
Subject: [PATCH 19/23] MU: Fix buffer upcast leading to misalignment
|
||||
|
||||
Signed-off-by: Andreas Fuchs <andreas.fuchs@sit.fraunhofer.de>
|
||||
---
|
||||
src/tss2-mu/tpm2b-types.c | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/tss2-mu/tpm2b-types.c b/src/tss2-mu/tpm2b-types.c
|
||||
index 6aa2feb3..2e10f487 100644
|
||||
--- a/src/tss2-mu/tpm2b-types.c
|
||||
+++ b/src/tss2-mu/tpm2b-types.c
|
||||
@@ -208,8 +208,10 @@ TSS2_RC Tss2_MU_##type##_Marshal(type const *src, uint8_t buffer[], \
|
||||
return rc; \
|
||||
\
|
||||
/* Update the size to the real value */ \
|
||||
- if (buffer) \
|
||||
- *(UINT16 *)ptr = HOST_TO_BE_16(buffer + local_offset - ptr - 2); \
|
||||
+ if (buffer) { \
|
||||
+ UINT16 t = HOST_TO_BE_16(buffer + local_offset - ptr - 2); \
|
||||
+ memcpy(ptr, &t, sizeof(t)); \
|
||||
+ } \
|
||||
\
|
||||
if (offset != NULL) { \
|
||||
*offset = local_offset; \
|
||||
--
|
||||
2.34.3
|
||||
|
@ -1,269 +0,0 @@
|
||||
From 495309fd8c6ef3c705c46cc28f9df52f5d59cba8 Mon Sep 17 00:00:00 2001
|
||||
From: William Roberts <william.c.roberts@intel.com>
|
||||
Date: Wed, 8 Jun 2022 11:09:53 -0500
|
||||
Subject: [PATCH 21/23] sapi: scope command handles
|
||||
|
||||
Scope command handles to where they are used.
|
||||
|
||||
- Compared to the upstream commit d4dee42e already missing commands were
|
||||
left out.
|
||||
|
||||
Signed-off-by: William Roberts <william.c.roberts@intel.com>
|
||||
---
|
||||
src/tss2-sys/sysapi_util.c | 237 +++++++++++++++++++------------------
|
||||
1 file changed, 119 insertions(+), 118 deletions(-)
|
||||
|
||||
diff --git a/src/tss2-sys/sysapi_util.c b/src/tss2-sys/sysapi_util.c
|
||||
index 685fcee8..d84acc5d 100644
|
||||
--- a/src/tss2-sys/sysapi_util.c
|
||||
+++ b/src/tss2-sys/sysapi_util.c
|
||||
@@ -168,127 +168,128 @@ TSS2_RC CommonOneCall(
|
||||
return rval;
|
||||
}
|
||||
|
||||
-static const COMMAND_HANDLES commandArray[] =
|
||||
-{
|
||||
- { TPM2_CC_Startup, 0, 0 },
|
||||
- { TPM2_CC_Shutdown, 0, 0 },
|
||||
- { TPM2_CC_SelfTest, 0, 0 },
|
||||
- { TPM2_CC_IncrementalSelfTest, 0, 0 },
|
||||
- { TPM2_CC_GetTestResult, 0, 0 },
|
||||
- { TPM2_CC_StartAuthSession, 2, 1 },
|
||||
- { TPM2_CC_PolicyRestart, 1, 0 },
|
||||
- { TPM2_CC_Create, 1, 0 },
|
||||
- { TPM2_CC_Load, 1, 1 },
|
||||
- { TPM2_CC_LoadExternal, 0, 1 },
|
||||
- { TPM2_CC_ReadPublic, 1, 0 },
|
||||
- { TPM2_CC_ActivateCredential, 2, 0 },
|
||||
- { TPM2_CC_MakeCredential, 1, 0 },
|
||||
- { TPM2_CC_Unseal, 1, 0 },
|
||||
- { TPM2_CC_ObjectChangeAuth, 2, 0 },
|
||||
- { TPM2_CC_Duplicate, 2, 0 },
|
||||
- { TPM2_CC_Rewrap, 2, 0 },
|
||||
- { TPM2_CC_Import, 1, 0 },
|
||||
- { TPM2_CC_RSA_Encrypt, 1, 0 },
|
||||
- { TPM2_CC_RSA_Decrypt, 1, 0 },
|
||||
- { TPM2_CC_ECDH_KeyGen, 1, 0 },
|
||||
- { TPM2_CC_ECDH_ZGen, 1, 0 },
|
||||
- { TPM2_CC_ECC_Parameters, 0, 0 },
|
||||
- { TPM2_CC_ZGen_2Phase, 1, 0 },
|
||||
- { TPM2_CC_EncryptDecrypt, 1, 0 },
|
||||
- { TPM2_CC_EncryptDecrypt2, 1, 0 },
|
||||
- { TPM2_CC_Hash, 0, 0 },
|
||||
- { TPM2_CC_HMAC, 1, 0 },
|
||||
- { TPM2_CC_GetRandom, 0, 0 },
|
||||
- { TPM2_CC_StirRandom, 0, 0 },
|
||||
- { TPM2_CC_HMAC_Start, 1, 1 },
|
||||
- { TPM2_CC_HashSequenceStart, 0, 1 },
|
||||
- { TPM2_CC_SequenceUpdate, 1, 0 },
|
||||
- { TPM2_CC_SequenceComplete, 1, 0 },
|
||||
- { TPM2_CC_EventSequenceComplete, 2, 0 },
|
||||
- { TPM2_CC_Certify, 2, 0 },
|
||||
- { TPM2_CC_CertifyCreation, 2, 0 },
|
||||
- { TPM2_CC_Quote, 1, 0 },
|
||||
- { TPM2_CC_GetSessionAuditDigest, 3, 0 },
|
||||
- { TPM2_CC_GetCommandAuditDigest, 2, 0 },
|
||||
- { TPM2_CC_GetTime, 2, 0 },
|
||||
- { TPM2_CC_Commit, 1, 0 },
|
||||
- { TPM2_CC_EC_Ephemeral, 0, 0 },
|
||||
- { TPM2_CC_VerifySignature, 1, 0 },
|
||||
- { TPM2_CC_Sign, 1, 0 },
|
||||
- { TPM2_CC_SetCommandCodeAuditStatus, 1, 0 },
|
||||
- { TPM2_CC_PCR_Extend, 1, 0 },
|
||||
- { TPM2_CC_PCR_Event, 1, 0 },
|
||||
- { TPM2_CC_PCR_Read, 0, 0 },
|
||||
- { TPM2_CC_PCR_Allocate, 1, 0 },
|
||||
- { TPM2_CC_PCR_SetAuthPolicy, 1, 0 },
|
||||
- { TPM2_CC_PCR_SetAuthValue, 1, 0 },
|
||||
- { TPM2_CC_PCR_Reset, 1, 0 },
|
||||
- { TPM2_CC_PolicySigned, 2, 0 },
|
||||
- { TPM2_CC_PolicySecret, 2, 0 },
|
||||
- { TPM2_CC_PolicyTicket, 1, 0 },
|
||||
- { TPM2_CC_PolicyOR, 1, 0 },
|
||||
- { TPM2_CC_PolicyPCR, 1, 0 },
|
||||
- { TPM2_CC_PolicyLocality, 1, 0 },
|
||||
- { TPM2_CC_PolicyNV, 3, 0 },
|
||||
- { TPM2_CC_PolicyNvWritten, 1, 0 },
|
||||
- { TPM2_CC_PolicyCounterTimer, 1, 0 },
|
||||
- { TPM2_CC_PolicyCommandCode, 1, 0 },
|
||||
- { TPM2_CC_PolicyPhysicalPresence, 1, 0 },
|
||||
- { TPM2_CC_PolicyCpHash, 1, 0 },
|
||||
- { TPM2_CC_PolicyNameHash, 1, 0 },
|
||||
- { TPM2_CC_PolicyDuplicationSelect, 1, 0 },
|
||||
- { TPM2_CC_PolicyAuthorize, 1, 0 },
|
||||
- { TPM2_CC_PolicyAuthValue, 1, 0 },
|
||||
- { TPM2_CC_PolicyPassword, 1, 0 },
|
||||
- { TPM2_CC_PolicyGetDigest, 1, 0 },
|
||||
- { TPM2_CC_PolicyTemplate, 1, 0 },
|
||||
- { TPM2_CC_CreatePrimary, 1, 1 },
|
||||
- { TPM2_CC_HierarchyControl, 1, 0 },
|
||||
- { TPM2_CC_SetPrimaryPolicy, 1, 0 },
|
||||
- { TPM2_CC_ChangePPS, 1, 0 },
|
||||
- { TPM2_CC_ChangeEPS, 1, 0 },
|
||||
- { TPM2_CC_Clear, 1, 0 },
|
||||
- { TPM2_CC_ClearControl, 1, 0 },
|
||||
- { TPM2_CC_HierarchyChangeAuth, 1, 0 },
|
||||
- { TPM2_CC_DictionaryAttackLockReset, 1, 0 },
|
||||
- { TPM2_CC_DictionaryAttackParameters, 1, 0 },
|
||||
- { TPM2_CC_PP_Commands, 1, 0 },
|
||||
- { TPM2_CC_SetAlgorithmSet, 1, 0 },
|
||||
- { TPM2_CC_FieldUpgradeStart, 2, 0 },
|
||||
- { TPM2_CC_FieldUpgradeData, 0, 0 },
|
||||
- { TPM2_CC_FirmwareRead, 0, 0 },
|
||||
- { TPM2_CC_ContextSave, 1, 0 },
|
||||
- { TPM2_CC_ContextLoad, 0, 1 },
|
||||
- { TPM2_CC_FlushContext, 1, 0 },
|
||||
- { TPM2_CC_EvictControl, 2, 0 },
|
||||
- { TPM2_CC_ReadClock, 0, 0 },
|
||||
- { TPM2_CC_ClockSet, 1, 0 },
|
||||
- { TPM2_CC_ClockRateAdjust, 1, 0 },
|
||||
- { TPM2_CC_GetCapability, 0, 0 },
|
||||
- { TPM2_CC_TestParms, 0, 0 },
|
||||
- { TPM2_CC_NV_DefineSpace, 1, 0 },
|
||||
- { TPM2_CC_NV_UndefineSpace, 2, 0 },
|
||||
- { TPM2_CC_NV_UndefineSpaceSpecial, 2, 0 },
|
||||
- { TPM2_CC_NV_ReadPublic, 1, 0 },
|
||||
- { TPM2_CC_NV_Write, 2, 0 },
|
||||
- { TPM2_CC_NV_Increment, 2, 0 },
|
||||
- { TPM2_CC_NV_Extend, 2, 0 },
|
||||
- { TPM2_CC_NV_SetBits, 2, 0 },
|
||||
- { TPM2_CC_NV_WriteLock, 2, 0 },
|
||||
- { TPM2_CC_NV_GlobalWriteLock, 1, 0 },
|
||||
- { TPM2_CC_NV_Read, 2, 0 },
|
||||
- { TPM2_CC_NV_ReadLock, 2, 0 },
|
||||
- { TPM2_CC_NV_ChangeAuth, 1, 0 },
|
||||
- { TPM2_CC_NV_Certify, 3, 0 },
|
||||
- { TPM2_CC_CreateLoaded, 1, 1 },
|
||||
- { TPM2_CC_PolicyAuthorizeNV, 3, 0 },
|
||||
- { TPM2_CC_AC_GetCapability, 1, 0 },
|
||||
- { TPM2_CC_AC_Send, 3, 0 },
|
||||
- { TPM2_CC_Policy_AC_SendSelect, 1, 0 }
|
||||
-};
|
||||
|
||||
static int GetNumHandles(TPM2_CC commandCode, bool req)
|
||||
{
|
||||
+ static const COMMAND_HANDLES commandArray[] =
|
||||
+ {
|
||||
+ { TPM2_CC_Startup, 0, 0 },
|
||||
+ { TPM2_CC_Shutdown, 0, 0 },
|
||||
+ { TPM2_CC_SelfTest, 0, 0 },
|
||||
+ { TPM2_CC_IncrementalSelfTest, 0, 0 },
|
||||
+ { TPM2_CC_GetTestResult, 0, 0 },
|
||||
+ { TPM2_CC_StartAuthSession, 2, 1 },
|
||||
+ { TPM2_CC_PolicyRestart, 1, 0 },
|
||||
+ { TPM2_CC_Create, 1, 0 },
|
||||
+ { TPM2_CC_Load, 1, 1 },
|
||||
+ { TPM2_CC_LoadExternal, 0, 1 },
|
||||
+ { TPM2_CC_ReadPublic, 1, 0 },
|
||||
+ { TPM2_CC_ActivateCredential, 2, 0 },
|
||||
+ { TPM2_CC_MakeCredential, 1, 0 },
|
||||
+ { TPM2_CC_Unseal, 1, 0 },
|
||||
+ { TPM2_CC_ObjectChangeAuth, 2, 0 },
|
||||
+ { TPM2_CC_Duplicate, 2, 0 },
|
||||
+ { TPM2_CC_Rewrap, 2, 0 },
|
||||
+ { TPM2_CC_Import, 1, 0 },
|
||||
+ { TPM2_CC_RSA_Encrypt, 1, 0 },
|
||||
+ { TPM2_CC_RSA_Decrypt, 1, 0 },
|
||||
+ { TPM2_CC_ECDH_KeyGen, 1, 0 },
|
||||
+ { TPM2_CC_ECDH_ZGen, 1, 0 },
|
||||
+ { TPM2_CC_ECC_Parameters, 0, 0 },
|
||||
+ { TPM2_CC_ZGen_2Phase, 1, 0 },
|
||||
+ { TPM2_CC_EncryptDecrypt, 1, 0 },
|
||||
+ { TPM2_CC_EncryptDecrypt2, 1, 0 },
|
||||
+ { TPM2_CC_Hash, 0, 0 },
|
||||
+ { TPM2_CC_HMAC, 1, 0 },
|
||||
+ { TPM2_CC_GetRandom, 0, 0 },
|
||||
+ { TPM2_CC_StirRandom, 0, 0 },
|
||||
+ { TPM2_CC_HMAC_Start, 1, 1 },
|
||||
+ { TPM2_CC_HashSequenceStart, 0, 1 },
|
||||
+ { TPM2_CC_SequenceUpdate, 1, 0 },
|
||||
+ { TPM2_CC_SequenceComplete, 1, 0 },
|
||||
+ { TPM2_CC_EventSequenceComplete, 2, 0 },
|
||||
+ { TPM2_CC_Certify, 2, 0 },
|
||||
+ { TPM2_CC_CertifyCreation, 2, 0 },
|
||||
+ { TPM2_CC_Quote, 1, 0 },
|
||||
+ { TPM2_CC_GetSessionAuditDigest, 3, 0 },
|
||||
+ { TPM2_CC_GetCommandAuditDigest, 2, 0 },
|
||||
+ { TPM2_CC_GetTime, 2, 0 },
|
||||
+ { TPM2_CC_Commit, 1, 0 },
|
||||
+ { TPM2_CC_EC_Ephemeral, 0, 0 },
|
||||
+ { TPM2_CC_VerifySignature, 1, 0 },
|
||||
+ { TPM2_CC_Sign, 1, 0 },
|
||||
+ { TPM2_CC_SetCommandCodeAuditStatus, 1, 0 },
|
||||
+ { TPM2_CC_PCR_Extend, 1, 0 },
|
||||
+ { TPM2_CC_PCR_Event, 1, 0 },
|
||||
+ { TPM2_CC_PCR_Read, 0, 0 },
|
||||
+ { TPM2_CC_PCR_Allocate, 1, 0 },
|
||||
+ { TPM2_CC_PCR_SetAuthPolicy, 1, 0 },
|
||||
+ { TPM2_CC_PCR_SetAuthValue, 1, 0 },
|
||||
+ { TPM2_CC_PCR_Reset, 1, 0 },
|
||||
+ { TPM2_CC_PolicySigned, 2, 0 },
|
||||
+ { TPM2_CC_PolicySecret, 2, 0 },
|
||||
+ { TPM2_CC_PolicyTicket, 1, 0 },
|
||||
+ { TPM2_CC_PolicyOR, 1, 0 },
|
||||
+ { TPM2_CC_PolicyPCR, 1, 0 },
|
||||
+ { TPM2_CC_PolicyLocality, 1, 0 },
|
||||
+ { TPM2_CC_PolicyNV, 3, 0 },
|
||||
+ { TPM2_CC_PolicyNvWritten, 1, 0 },
|
||||
+ { TPM2_CC_PolicyCounterTimer, 1, 0 },
|
||||
+ { TPM2_CC_PolicyCommandCode, 1, 0 },
|
||||
+ { TPM2_CC_PolicyPhysicalPresence, 1, 0 },
|
||||
+ { TPM2_CC_PolicyCpHash, 1, 0 },
|
||||
+ { TPM2_CC_PolicyNameHash, 1, 0 },
|
||||
+ { TPM2_CC_PolicyDuplicationSelect, 1, 0 },
|
||||
+ { TPM2_CC_PolicyAuthorize, 1, 0 },
|
||||
+ { TPM2_CC_PolicyAuthValue, 1, 0 },
|
||||
+ { TPM2_CC_PolicyPassword, 1, 0 },
|
||||
+ { TPM2_CC_PolicyGetDigest, 1, 0 },
|
||||
+ { TPM2_CC_PolicyTemplate, 1, 0 },
|
||||
+ { TPM2_CC_CreatePrimary, 1, 1 },
|
||||
+ { TPM2_CC_HierarchyControl, 1, 0 },
|
||||
+ { TPM2_CC_SetPrimaryPolicy, 1, 0 },
|
||||
+ { TPM2_CC_ChangePPS, 1, 0 },
|
||||
+ { TPM2_CC_ChangeEPS, 1, 0 },
|
||||
+ { TPM2_CC_Clear, 1, 0 },
|
||||
+ { TPM2_CC_ClearControl, 1, 0 },
|
||||
+ { TPM2_CC_HierarchyChangeAuth, 1, 0 },
|
||||
+ { TPM2_CC_DictionaryAttackLockReset, 1, 0 },
|
||||
+ { TPM2_CC_DictionaryAttackParameters, 1, 0 },
|
||||
+ { TPM2_CC_PP_Commands, 1, 0 },
|
||||
+ { TPM2_CC_SetAlgorithmSet, 1, 0 },
|
||||
+ { TPM2_CC_FieldUpgradeStart, 2, 0 },
|
||||
+ { TPM2_CC_FieldUpgradeData, 0, 0 },
|
||||
+ { TPM2_CC_FirmwareRead, 0, 0 },
|
||||
+ { TPM2_CC_ContextSave, 1, 0 },
|
||||
+ { TPM2_CC_ContextLoad, 0, 1 },
|
||||
+ { TPM2_CC_FlushContext, 1, 0 },
|
||||
+ { TPM2_CC_EvictControl, 2, 0 },
|
||||
+ { TPM2_CC_ReadClock, 0, 0 },
|
||||
+ { TPM2_CC_ClockSet, 1, 0 },
|
||||
+ { TPM2_CC_ClockRateAdjust, 1, 0 },
|
||||
+ { TPM2_CC_GetCapability, 0, 0 },
|
||||
+ { TPM2_CC_TestParms, 0, 0 },
|
||||
+ { TPM2_CC_NV_DefineSpace, 1, 0 },
|
||||
+ { TPM2_CC_NV_UndefineSpace, 2, 0 },
|
||||
+ { TPM2_CC_NV_UndefineSpaceSpecial, 2, 0 },
|
||||
+ { TPM2_CC_NV_ReadPublic, 1, 0 },
|
||||
+ { TPM2_CC_NV_Write, 2, 0 },
|
||||
+ { TPM2_CC_NV_Increment, 2, 0 },
|
||||
+ { TPM2_CC_NV_Extend, 2, 0 },
|
||||
+ { TPM2_CC_NV_SetBits, 2, 0 },
|
||||
+ { TPM2_CC_NV_WriteLock, 2, 0 },
|
||||
+ { TPM2_CC_NV_GlobalWriteLock, 1, 0 },
|
||||
+ { TPM2_CC_NV_Read, 2, 0 },
|
||||
+ { TPM2_CC_NV_ReadLock, 2, 0 },
|
||||
+ { TPM2_CC_NV_ChangeAuth, 1, 0 },
|
||||
+ { TPM2_CC_NV_Certify, 3, 0 },
|
||||
+ { TPM2_CC_CreateLoaded, 1, 1 },
|
||||
+ { TPM2_CC_PolicyAuthorizeNV, 3, 0 },
|
||||
+ { TPM2_CC_AC_GetCapability, 1, 0 },
|
||||
+ { TPM2_CC_AC_Send, 3, 0 },
|
||||
+ { TPM2_CC_Policy_AC_SendSelect, 1, 0 }
|
||||
+ };
|
||||
+
|
||||
uint8_t i;
|
||||
|
||||
for (i = 0; i < sizeof(commandArray) / sizeof(COMMAND_HANDLES); i++) {
|
||||
--
|
||||
2.34.3
|
||||
|
@ -1,26 +0,0 @@
|
||||
From b289b38764e9f6c4fbe50008fede7baa47098a58 Mon Sep 17 00:00:00 2001
|
||||
From: Erik Larsson <who+github@cnackers.org>
|
||||
Date: Mon, 4 Jul 2022 19:14:30 +0200
|
||||
Subject: [PATCH 22/23] fapi: use correct userdata for cbauthnv
|
||||
|
||||
Signed-off-by: Erik Larsson <who+github@cnackers.org>
|
||||
---
|
||||
src/tss2-fapi/ifapi_policy_execute.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/tss2-fapi/ifapi_policy_execute.c b/src/tss2-fapi/ifapi_policy_execute.c
|
||||
index caae103e..ddaf255c 100644
|
||||
--- a/src/tss2-fapi/ifapi_policy_execute.c
|
||||
+++ b/src/tss2-fapi/ifapi_policy_execute.c
|
||||
@@ -760,7 +760,7 @@ execute_policy_authorize_nv(
|
||||
switch (current_policy->state) {
|
||||
statecase(current_policy->state, POLICY_EXECUTE_INIT)
|
||||
/* Execute the policy stored in the NV object. */
|
||||
- r = cb->cbauthnv(&policy->nvPublic, hash_alg, cb->cbauthpol_userdata);
|
||||
+ r = cb->cbauthnv(&policy->nvPublic, hash_alg, cb->cbauthnv_userdata);
|
||||
try_again_or_error(r, "Execute policy authorize nv callback.");
|
||||
|
||||
r = ifapi_nv_get_name(&policy->nvPublic, ¤t_policy->name);
|
||||
--
|
||||
2.34.3
|
||||
|
@ -1,36 +0,0 @@
|
||||
From ecfc3b4c1e9a59c6a230398bced24118d19ea099 Mon Sep 17 00:00:00 2001
|
||||
From: William Roberts <william.c.roberts@intel.com>
|
||||
Date: Thu, 7 Jul 2022 09:00:19 -0500
|
||||
Subject: [PATCH 23/23] SAPI: fix number of handles for FlushContext
|
||||
|
||||
The lookup table for the number of command handles for
|
||||
Tss2_Sys_FlushContext has the count set to 1, when in reality the
|
||||
command takes no handles in the handle area but a handle as the input
|
||||
parameter. This works currently because handles and parameters are just
|
||||
concatenated and the parsing logic on the TPM just unpacks them, so in
|
||||
this case, thet're in the same spot with the same value. This goes
|
||||
unnoticed until you call Tss2_Sys_GetCpBuffer and the buffer is empty as
|
||||
the logic things its a handle in the handle area and not a handle in the
|
||||
parameter area.
|
||||
|
||||
Signed-off-by: William Roberts <william.c.roberts@intel.com>
|
||||
---
|
||||
src/tss2-sys/sysapi_util.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/tss2-sys/sysapi_util.c b/src/tss2-sys/sysapi_util.c
|
||||
index d84acc5d..a92f47a2 100644
|
||||
--- a/src/tss2-sys/sysapi_util.c
|
||||
+++ b/src/tss2-sys/sysapi_util.c
|
||||
@@ -262,7 +262,7 @@ static int GetNumHandles(TPM2_CC commandCode, bool req)
|
||||
{ TPM2_CC_FirmwareRead, 0, 0 },
|
||||
{ TPM2_CC_ContextSave, 1, 0 },
|
||||
{ TPM2_CC_ContextLoad, 0, 1 },
|
||||
- { TPM2_CC_FlushContext, 1, 0 },
|
||||
+ { TPM2_CC_FlushContext, 0, 0 },
|
||||
{ TPM2_CC_EvictControl, 2, 0 },
|
||||
{ TPM2_CC_ReadClock, 0, 0 },
|
||||
{ TPM2_CC_ClockSet, 1, 0 },
|
||||
--
|
||||
2.34.3
|
||||
|
2
SOURCES/tpm2-tss-systemd-sysusers.conf
Normal file
2
SOURCES/tpm2-tss-systemd-sysusers.conf
Normal file
@ -0,0 +1,2 @@
|
||||
#Type Name ID GECOS Home directory Shell
|
||||
u tss 59 "Account used for TPM access" - -
|
@ -1,52 +1,25 @@
|
||||
Name: tpm2-tss
|
||||
Version: 3.0.3
|
||||
Release: 8%{?dist}
|
||||
Version: 3.2.2
|
||||
Release: 2%{?dist}
|
||||
Summary: TPM2.0 Software Stack
|
||||
|
||||
# The entire source code is under BSD except implementation.h and tpmb.h which
|
||||
# is under TCGL(Trusted Computing Group License).
|
||||
License: BSD and TCGL
|
||||
License: BSD
|
||||
URL: https://github.com/tpm2-software/tpm2-tss
|
||||
Source0: https://github.com/tpm2-software/tpm2-tss/releases/download/%{version}/%{name}-%{version}.tar.gz
|
||||
# doxygen crash
|
||||
Patch0: tpm2-tss-3.0.0-doxygen.patch
|
||||
# OpenSSL 3 support
|
||||
Patch1: 0001-FAPI-Fix-reading-of-the-root-certificate-for-provisi.patch
|
||||
Patch2: 0002-FAPI-use-FAPI_TEST_EK_CERT_LESS-with-disable-self-ge.patch
|
||||
Patch3: 0003-Makefile.am-Use-LIBCRYPTO_CFLAGS-when-building-FAPI.patch
|
||||
Patch4: 0004-Test-Remove-duplicate-openssl-req-new.patch
|
||||
Patch5: 0005-FAPI-Test-Call-EVP_DigestSignInit-in-the-correct-ord.patch
|
||||
Patch6: 0006-FAPI-Test-Use-EVP_PKEY_base_id-to-detect-key-type.patch
|
||||
Patch7: 0007-FAPI-Test-Change-RSA_sign-to-EVP_PKEY_sign.patch
|
||||
Patch8: 0008-Require-OpenSSL-1.1.0.patch
|
||||
Patch9: 0009-FAPI-Change-SHA256_Update-to-EVP_DigestUpdate.patch
|
||||
Patch10: 0010-Test-Use-EVP_MAC_xxx-with-OpenSSL-3.0.patch
|
||||
Patch11: 0011-Drop-support-for-OpenSSL-1.1.0.patch
|
||||
Patch12: 0012-Implement-EVP_PKEY-export-import-for-OpenSSL-3.0.patch
|
||||
Patch13: 0001-esys_crypto_ossl-remove-non-needed-_ex-OSSL-funcs.patch
|
||||
Patch14: 0002-FAPI-Remove-useless-code-get_engine.patch
|
||||
Patch15: 0003-FAPI-Remove-fauly-free-of-an-unused-field.patch
|
||||
Patch16: 0004-Remove-deprecated-OpenSSL_add_all_algorithms.patch
|
||||
Patch17: 0005-Use-default-OpenSSL-context-for-internal-crypto-oper.patch
|
||||
Patch18: 0006-FAPI-Add-policy-computation-for-create-primary.patch
|
||||
Patch19: 0007-FAPI-Fix-loading-of-primary-keys.patch
|
||||
Patch20: 0008-Fix-file-descriptor-leak-when-tcti-initialization-fa.patch
|
||||
Patch21: 0009-FAPI-Fix-leak-in-fapi-crypto-with-ossl3.patch
|
||||
Patch22: 0010-FAPI-Fix-memory-leak-after-ifapi_init_primary_finish.patch
|
||||
Patch23: 0011-esys-Return-an-error-if-ESYS_TR_NONE-is-passed-to-Es.patch
|
||||
Patch24: 0012-FAPI-Fixed-memory-leak-when-ifapi_get_certificates-f.patch
|
||||
Patch25: 0013-FAPI-Free-object-when-keystore_search_obj-failed.patch
|
||||
Patch26: 0014-FAPI-Fixed-the-memory-leak-of-command-data-when-Fapi.patch
|
||||
Patch27: 0015-ESYS-Fixed-annotation-error-of-Esys_TR_Deserialize.patch
|
||||
Patch28: 0016-FAPI-Clean-up-memory-when-Fapi_Delete_Async-failed.patch
|
||||
Patch29: 0017-FAPI-Clean-up-memory-when-Fapi_GetEsysBlob_Async-fai.patch
|
||||
Patch30: 0018-FAPI-Initialize-object-used-for-keystore-search.patch
|
||||
Patch31: 0019-MU-Fix-buffer-upcast-leading-to-misalignment.patch
|
||||
Patch32: 0020-esys_iutil-fix-possible-NPD.patch
|
||||
Patch33: 0021-sapi-scope-command-handles.patch
|
||||
Patch34: 0022-fapi-use-correct-userdata-for-cbauthnv.patch
|
||||
Patch35: 0023-SAPI-fix-number-of-handles-for-FlushContext.patch
|
||||
|
||||
Source1: tpm2-tss-systemd-sysusers.conf
|
||||
# doxygen patch
|
||||
Patch0: tpm2-tss-3.0.0-doxygen.patch
|
||||
Patch2: 0001-esys_iutil-fix-possible-NPD.patch
|
||||
Patch3: 0001-tss2-rc-fix-unknown-layer-handler-dropping-bits.patch
|
||||
Patch4: 0002-MU-Fix-unneeded-size-check-in-TPM2B-unmarshaling.patch
|
||||
Patch5: 0003-FAPI-Fix-parameter-encryption-for-provisioning.patch
|
||||
Patch6: 0004-FAPI-Fix-missing-parameter-encryption-for-policy-ses.patch
|
||||
Patch7: 0005-FAPI-Fix-missing-parameter-encryption-for-some-HMAC-.patch
|
||||
Patch8: 0006-FAPI-Fix-usage-of-persistent-handles.patch
|
||||
Patch11: 0007-build-Fix-failed-build-with-disable-vendor.patch
|
||||
Patch12: 0008-FAPI-Fapi_GetInfo-display-warning-for-SHA3-hash-algs.patch
|
||||
Patch13: 0009-FAPI-Skip-provisioning-test-for-nv-ext-and-profile-p.patch
|
||||
Patch14: 0010-FAPI-Fix-wrong-allocation-of-pcr-policy.patch
|
||||
|
||||
%global udevrules_prefix 60-
|
||||
|
||||
@ -62,6 +35,7 @@ BuildRequires: libtool
|
||||
BuildRequires: openssl-devel
|
||||
BuildRequires: pkgconfig
|
||||
BuildRequires: systemd
|
||||
BuildRequires: systemd-rpm-macros
|
||||
Requires(pre): shadow-utils
|
||||
|
||||
%description
|
||||
@ -73,9 +47,9 @@ APIs for applications to access TPM module through kernel TPM drivers.
|
||||
%autosetup -p1 -n %{name}-%{version}
|
||||
|
||||
%build
|
||||
autoreconf -i
|
||||
# Use built-in tpm-udev.rules, with specified installation path and prefix.
|
||||
%configure --disable-static --disable-silent-rules \
|
||||
--disable-tcti-pcap --disable-tcti-libtpms \
|
||||
--with-udevrulesdir=%{_udevrulesdir} --with-udevrulesprefix=%{udevrules_prefix} \
|
||||
--with-runstatedir=%{_rundir} --with-tmpfilesdir=%{_tmpfilesdir} --with-sysusersdir=%{_sysusersdir}
|
||||
|
||||
@ -88,16 +62,11 @@ sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
|
||||
%install
|
||||
%make_install
|
||||
find %{buildroot}%{_libdir} -type f -name \*.la -delete
|
||||
rm %{buildroot}%{_sysusersdir}/tpm2-tss.conf
|
||||
install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/tpm2-tss.conf
|
||||
|
||||
%pre
|
||||
getent group tss >/dev/null || groupadd -f -g 59 -r tss
|
||||
if ! getent passwd tss >/dev/null ; then
|
||||
if ! getent passwd 59 >/dev/null ; then
|
||||
useradd -r -u 59 -g tss -d /dev/null -s /sbin/nologin -c "Account used for TPM access" tss
|
||||
else
|
||||
useradd -r -g tss -d /dev/null -s /sbin/nologin -c "Account used for TPM access" tss
|
||||
fi
|
||||
fi
|
||||
%sysusers_create_compat %{SOURCE1}
|
||||
exit 0
|
||||
|
||||
%ldconfig_scriptlets
|
||||
@ -156,6 +125,18 @@ use tpm2-tss.
|
||||
|
||||
|
||||
%changelog
|
||||
* Mon Jul 3 2023 Štěpán Horáček <shoracek@redhat.com> - 3.2.2-2
|
||||
- Remove misapplied license
|
||||
Resolves: rhbz#2160307
|
||||
|
||||
* Fri Jun 23 2023 Štěpán Horáček <shoracek@redhat.com> - 3.2.2-1
|
||||
- Rebase to 3.2.2
|
||||
- Use systemd-sysusers to create user
|
||||
Resolves: CVE-2023-22745
|
||||
Resolves: rhbz#2095479
|
||||
Resolves: rhbz#2160307
|
||||
Resolves: rhbz#2162613
|
||||
|
||||
* Wed Aug 10 2022 Štěpán Horáček <shoracek@redhat.com> - 3.0.3-8
|
||||
- Fix memory leaks, potential crashes, upgrade to OpenSSL 3
|
||||
Resolves: rhbz#2041919
|
||||
|
Loading…
Reference in New Issue
Block a user