From be3f5ffed8f65243a41f7e8a7f15db82ab53fb1a Mon Sep 17 00:00:00 2001 
From: AlmaLinux RelEng Bot
Date: Tue, 19 May 2026 18:43:47 -0400
Subject: [PATCH] import UBI tpm2-tss-4.1.3-6.el10
---
 ...-FAPI-Fix-order-of-calloc-parameters.patch | 1122 +++++++++++++++++
 ...hether-auth-values-exist-for-hierarc.patch | 87 ++
 ...-error-message-for-self-signed-EK-ce.patch | 42 +
 ...oduced-in-Tss2_TctiLdr_Initialize_Ex.patch | 34 +
 ...f-external-PEM-keys-for-PolicyAuthor.patch | 74 ++
 ...ng-format-directive-in-ifap_set_auth.patch | 29 +
 ...icyTemplate-policyDigest-calculation.patch | 35 +
 ...I-Fix-unnecessary-writes-to-keystore.patch | 145 +++
 ...I-Fix-segfault-if-json-field-is-null.patch | 50 +
 0010-FAPI-Fix-Fapi_ChangeAuth-for-keys.patch | 39 +
 ...ll-of-socket_xmit_buf-in-send_sim_se.patch | 48 +
 0012-FAPI-Fix-missing-scanf-checks.patch | 42 +
 ...ariable-address-stored-in-non-local-.patch | 92 ++
 0014-FAPI-Fix-misleading-error-message.patch | 29 +
 ...-if-d_type-of-dirent-is-not-supporte.patch | 174 +++
 ...-CMD_STAGE_SEND_COMMAND-for-Tss2_Sys.patch | 67 +
 0017-FAPI-Add-missing-EFI-events.patch | 65 +
 ...FAPI-Add-Intel-ODCA-Root-Certificate.patch | 46 +
 0020-FAPI-Fix-leak-in-Fapi_Sign.patch | 29 +
 ...ntiation-of-policyduplication-select.patch | 40 +
 ...ct-authorization-for-policy-authoriz.patch | 41 +
 tpm2-tss.spec | 30 +-
 22 files changed, 2357 insertions(+), 3 deletions(-)
 create mode 100644 0001-ESYS-FAPI-Fix-order-of-calloc-parameters.patch
 create mode 100644 0002-FAPI-Add-check-whether-auth-values-exist-for-hierarc.patch
 create mode 100644 0003-FAPI-Improve-the-error-message-for-self-signed-EK-ce.patch
 create mode 100644 0004-TCTI-Fix-leak-produced-in-Tss2_TctiLdr_Initialize_Ex.patch
 create mode 100644 0005-FAPI-Fix-usage-of-external-PEM-keys-for-PolicyAuthor.patch
 create mode 100644 0006-FAPI-Fix-wrong-format-directive-in-ifap_set_auth.patch
 create mode 100644 0007-fapi-fix-PolicyTemplate-policyDigest-calculation.patch
 create mode 100644 0008-FAPI-Fix-unnecessary-writes-to-keystore.patch
 create mode 100644 0009-FAPI-Fix-segfault-if-json-field-is-null.patch
 create mode 100644 0010-FAPI-Fix-Fapi_ChangeAuth-for-keys.patch
 create mode 100644 0011-tcti-msim-Fix-call-of-socket_xmit_buf-in-send_sim_se.patch
 create mode 100644 0012-FAPI-Fix-missing-scanf-checks.patch
 create mode 100644 0013-FAPI-Fix-Local-variable-address-stored-in-non-local-.patch
 create mode 100644 0014-FAPI-Fix-misleading-error-message.patch
 create mode 100644 0015-FAPI-Fix-file-io-if-d_type-of-dirent-is-not-supporte.patch
 create mode 100644 0016-SAPI-Allow-state-CMD_STAGE_SEND_COMMAND-for-Tss2_Sys.patch
 create mode 100644 0017-FAPI-Add-missing-EFI-events.patch
 create mode 100644 0018-FAPI-Add-Intel-ODCA-Root-Certificate.patch
 create mode 100644 0020-FAPI-Fix-leak-in-Fapi_Sign.patch
 create mode 100644 0021-FAPI-Fix-instantiation-of-policyduplication-select.patch
 create mode 100644 0022-FAPI-Fix-nv-object-authorization-for-policy-authoriz.patch
diff --git a/0001-ESYS-FAPI-Fix-order-of-calloc-parameters.patch b/0001-ESYS-FAPI-Fix-order-of-calloc-parameters.patch
new file mode 100644
index 0000000..2cbb93a
--- /dev/null
+++ b/0001-ESYS-FAPI-Fix-order-of-calloc-parameters.patch
@@ -0,0 +1,1122 @@
+From 6ed0fc0a7bf8f8695a066d224e2927302f3a2cc2 Mon Sep 17 00:00:00 2001
+From: Juergen Repp
+Date: Fri, 26 Apr 2024 15:28:58 +0200
+Subject: [PATCH 01/22] ESYS/FAPI: Fix order of calloc parameters.
+
+In some calloc calls the parameters number of elements and
+size were swapped. Fixes #2820.
+
+Signed-off-by: Juergen Repp
+---
+ src/tss2-esys/api/Esys_AC_GetCapability.c | 2 +-
+ src/tss2-esys/api/Esys_AC_Send.c | 2 +-
+ src/tss2-esys/api/Esys_ActivateCredential.c | 2 +-
+ src/tss2-esys/api/Esys_Certify.c | 4 ++--
+ src/tss2-esys/api/Esys_CertifyCreation.c | 4 ++--
+ src/tss2-esys/api/Esys_CertifyX509.c | 6 +++---
+ src/tss2-esys/api/Esys_Commit.c | 6 +++---
+ src/tss2-esys/api/Esys_ContextSave.c | 2 +-
+ src/tss2-esys/api/Esys_Create.c | 10 +++++-----
+ src/tss2-esys/api/Esys_CreateLoaded.c | 4 ++--
+ src/tss2-esys/api/Esys_CreatePrimary.c | 8 ++++----
+ src/tss2-esys/api/Esys_Duplicate.c | 6 +++---
+ src/tss2-esys/api/Esys_ECC_Parameters.c | 2 +-
+ src/tss2-esys/api/Esys_ECDH_KeyGen.c | 4 ++--
+ src/tss2-esys/api/Esys_ECDH_ZGen.c | 2 +-
+ src/tss2-esys/api/Esys_EC_Ephemeral.c | 2 +-
+ src/tss2-esys/api/Esys_EncryptDecrypt.c | 4 ++--
+ src/tss2-esys/api/Esys_EncryptDecrypt2.c | 4 ++--
+ src/tss2-esys/api/Esys_EventSequenceComplete.c | 2 +-
+ src/tss2-esys/api/Esys_FieldUpgradeData.c | 4 ++--
+ src/tss2-esys/api/Esys_FirmwareRead.c | 2 +-
+ src/tss2-esys/api/Esys_GetCapability.c | 2 +-
+ src/tss2-esys/api/Esys_GetCommandAuditDigest.c | 4 ++--
+ src/tss2-esys/api/Esys_GetRandom.c | 2 +-
+ src/tss2-esys/api/Esys_GetSessionAuditDigest.c | 4 ++--
+ src/tss2-esys/api/Esys_GetTestResult.c | 2 +-
+ src/tss2-esys/api/Esys_GetTime.c | 4 ++--
+ src/tss2-esys/api/Esys_HMAC.c | 2 +-
+ src/tss2-esys/api/Esys_Hash.c | 4 ++--
+ src/tss2-esys/api/Esys_Import.c | 2 +-
+ src/tss2-esys/api/Esys_IncrementalSelfTest.c | 2 +-
+ src/tss2-esys/api/Esys_MAC.c | 2 +-
+ src/tss2-esys/api/Esys_MakeCredential.c | 4 ++--
+ src/tss2-esys/api/Esys_NV_Certify.c | 4 ++--
+ src/tss2-esys/api/Esys_NV_Read.c | 2 +-
+ src/tss2-esys/api/Esys_NV_ReadPublic.c | 4 ++--
+ src/tss2-esys/api/Esys_ObjectChangeAuth.c | 2 +-
+ src/tss2-esys/api/Esys_PCR_Event.c | 2 +-
+ src/tss2-esys/api/Esys_PCR_Read.c | 4 ++--
+ src/tss2-esys/api/Esys_PolicyGetDigest.c | 2 +-
+ src/tss2-esys/api/Esys_PolicySecret.c | 4 ++--
+ src/tss2-esys/api/Esys_PolicySigned.c | 4 ++--
+ src/tss2-esys/api/Esys_Quote.c | 4 ++--
+ src/tss2-esys/api/Esys_RSA_Decrypt.c | 2 +-
+ src/tss2-esys/api/Esys_RSA_Encrypt.c | 2 +-
+ src/tss2-esys/api/Esys_ReadClock.c | 2 +-
+ src/tss2-esys/api/Esys_ReadPublic.c | 6 +++---
+ src/tss2-esys/api/Esys_Rewrap.c | 4 ++--
+ src/tss2-esys/api/Esys_SequenceComplete.c | 4 ++--
+ src/tss2-esys/api/Esys_Sign.c | 2 +-
+ src/tss2-esys/api/Esys_Unseal.c | 2 +-
+ src/tss2-esys/api/Esys_Vendor_TCG_Test.c | 2 +-
+ src/tss2-esys/api/Esys_VerifySignature.c | 2 +-
+ src/tss2-esys/api/Esys_ZGen_2Phase.c | 4 ++--
+ src/tss2-fapi/fapi_util.c | 4 ++--
+ src/tss2-fapi/ifapi_io.c | 2 +-
+ src/tss2-fapi/ifapi_policy_callbacks.c | 2 +-
+ src/tss2-fapi/ifapi_policyutil_execute.c | 6 +++---
+ test/integration/main-fapi.c | 4 ++--
+ 59 files changed, 99 insertions(+), 99 deletions(-)
+
+diff --git a/src/tss2-esys/api/Esys_AC_GetCapability.c b/src/tss2-esys/api/Esys_AC_GetCapability.c
+index 3c784439..95806570 100644
+--- a/src/tss2-esys/api/Esys_AC_GetCapability.c
++++ b/src/tss2-esys/api/Esys_AC_GetCapability.c
+@@ -252,7 +252,7 @@ TSS2_RC Esys_AC_GetCapability_Finish(
+
+ /* Allocate memory for response parameters */
+ if (capabilityData != NULL) {
+- *capabilityData = calloc(sizeof(TPML_AC_CAPABILITIES), 1);
++ *capabilityData = calloc(1, sizeof(TPML_AC_CAPABILITIES));
+ if (*capabilityData == NULL) {
+ return_error(TSS2_ESYS_RC_MEMORY, "Out of memory");
+ }
+diff --git a/src/tss2-esys/api/Esys_AC_Send.c b/src/tss2-esys/api/Esys_AC_Send.c
+index e511fcfd..5d6f0aec 100644
+--- a/src/tss2-esys/api/Esys_AC_Send.c
++++ b/src/tss2-esys/api/Esys_AC_Send.c
+@@ -261,7 +261,7 @@ TSS2_RC Esys_AC_Send_Finish(
+
+ /* Allocate memory for response parameters */
+ if (acDataOut != NULL) {
+- *acDataOut = calloc(sizeof(TPMS_AC_OUTPUT), 1);
++ *acDataOut = calloc(1, sizeof(TPMS_AC_OUTPUT));
+ if (*acDataOut == NULL) {
+ return_error(TSS2_ESYS_RC_MEMORY, "Out of memory");
+ }
+diff --git a/src/tss2-esys/api/Esys_ActivateCredential.c b/src/tss2-esys/api/Esys_ActivateCredential.c
+index 338063eb..4070f42f 100644
+--- a/src/tss2-esys/api/Esys_ActivateCredential.c
++++ b/src/tss2-esys/api/Esys_ActivateCredential.c
+@@ -281,7 +281,7 @@ Esys_ActivateCredential_Finish(
+
+ /* Allocate memory for response parameters */
+ if (certInfo != NULL) {
+- *certInfo = calloc(sizeof(TPM2B_DIGEST), 1);
++ *certInfo = calloc(1, sizeof(TPM2B_DIGEST));
+ if (*certInfo == NULL) {
+ return_error(TSS2_ESYS_RC_MEMORY, "Out of memory");
+ }
+diff --git a/src/tss2-esys/api/Esys_Certify.c b/src/tss2-esys/api/Esys_Certify.c
+index d139887d..d034b707 100644
+--- a/src/tss2-esys/api/Esys_Certify.c
++++ b/src/tss2-esys/api/Esys_Certify.c
+@@ -285,13 +285,13 @@ Esys_Certify_Finish(
+
+ /* Allocate memory for response parameters */
+ if (certifyInfo != NULL) {
+- *certifyInfo = calloc(sizeof(TPM2B_ATTEST), 1);
++ *certifyInfo = calloc(1, sizeof(TPM2B_ATTEST));
+ if (*certifyInfo == NULL) {
+ return_error(TSS2_ESYS_RC_MEMORY, "Out of memory");
+ }
+ }
+ if (signature != NULL) {
+- *signature = calloc(sizeof(TPMT_SIGNATURE), 1);
++ *signature = calloc(1, sizeof(TPMT_SIGNATURE));
+ if (*signature == NULL) {
+ goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup);
+ }
+diff --git a/src/tss2-esys/api/Esys_CertifyCreation.c b/src/tss2-esys/api/Esys_CertifyCreation.c
+index 7df13be5..3f1a1b12 100644
+--- a/src/tss2-esys/api/Esys_CertifyCreation.c
++++ b/src/tss2-esys/api/Esys_CertifyCreation.c
+@@ -295,13 +295,13 @@ Esys_CertifyCreation_Finish(
+
+ /* Allocate memory for response parameters */
+ if (certifyInfo != NULL) {
+- *certifyInfo = calloc(sizeof(TPM2B_ATTEST), 1);
++ *certifyInfo = calloc(1, sizeof(TPM2B_ATTEST));
+ if (*certifyInfo == NULL) {
+ return_error(TSS2_ESYS_RC_MEMORY, "Out of memory");
+ }
+ }
+ if (signature != NULL) {
+- *signature = calloc(sizeof(TPMT_SIGNATURE), 1);
++ *signature = calloc(1, sizeof(TPMT_SIGNATURE));
+ if (*signature == NULL) {
+ goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup);
+ }
+diff --git a/src/tss2-esys/api/Esys_CertifyX509.c b/src/tss2-esys/api/Esys_CertifyX509.c
+index 5865eee0..44c6fa26 100644
+--- a/src/tss2-esys/api/Esys_CertifyX509.c
++++ b/src/tss2-esys/api/Esys_CertifyX509.c
+@@ -293,19 +293,19 @@ Esys_CertifyX509_Finish(
+
+ /* Allocate memory for response parameters */
+ if (addedToCertificate != NULL) {
+- *addedToCertificate = calloc(sizeof(TPM2B_MAX_BUFFER), 1);
++ *addedToCertificate = calloc(1, sizeof(TPM2B_MAX_BUFFER));
+ if (*addedToCertificate == NULL) {
+ return_error(TSS2_ESYS_RC_MEMORY, "Out of memory");
+ }
+ }
+ if (tbsDigest != NULL) {
+- *tbsDigest = calloc(sizeof(TPM2B_DIGEST), 1);
++ *tbsDigest = calloc(1, sizeof(TPM2B_DIGEST));
+ if (*tbsDigest == NULL) {
+ goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup);
+ }
+ }
+ if (signature != NULL) {
+- *signature = calloc(sizeof(TPMT_SIGNATURE), 1);
++ *signature = calloc(1, sizeof(TPMT_SIGNATURE));
+ if (*signature == NULL) {
+ goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup);
+ }
+diff --git a/src/tss2-esys/api/Esys_Commit.c b/src/tss2-esys/api/Esys_Commit.c
+index c7a50209..4045ca38 100644
+--- a/src/tss2-esys/api/Esys_Commit.c
++++ b/src/tss2-esys/api/Esys_Commit.c
+@@ -286,19 +286,19 @@ Esys_Commit_Finish(
+
+ /* Allocate memory for response parameters */
+ if (K != NULL) {
+- *K = calloc(sizeof(TPM2B_ECC_POINT), 1);
++ *K = calloc(1, sizeof(TPM2B_ECC_POINT));
+ if (*K == NULL) {
+ return_error(TSS2_ESYS_RC_MEMORY, "Out of memory");
+ }
+ }
+ if (L != NULL) {
+- *L = calloc(sizeof(TPM2B_ECC_POINT), 1);
++ *L = calloc(1, sizeof(TPM2B_ECC_POINT));
+ if (*L == NULL) {
+ goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup);
+ }
+ }
+ if (E != NULL) {
+- *E = calloc(sizeof(TPM2B_ECC_POINT), 1);
++ *E = calloc(1, sizeof(TPM2B_ECC_POINT));
+ if (*E == NULL) {
+ goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup);
+ }
+diff --git a/src/tss2-esys/api/Esys_ContextSave.c b/src/tss2-esys/api/Esys_ContextSave.c
+index 33ca4934..d487ab30 100644
+--- a/src/tss2-esys/api/Esys_ContextSave.c
++++ b/src/tss2-esys/api/Esys_ContextSave.c
+@@ -208,7 +208,7 @@ Esys_ContextSave_Finish(
+ esysContext->state = _ESYS_STATE_INTERNALERROR;
+
+ /* Allocate memory for response parameters */
+- lcontext = calloc(sizeof(TPMS_CONTEXT), 1);
++ lcontext = calloc(1, sizeof(TPMS_CONTEXT));
+ if (lcontext == NULL) {
+ return_error(TSS2_ESYS_RC_MEMORY, "Out of memory");
+ }
+diff --git a/src/tss2-esys/api/Esys_Create.c b/src/tss2-esys/api/Esys_Create.c
+index f435688e..e873d83d 100644
+--- a/src/tss2-esys/api/Esys_Create.c
++++ b/src/tss2-esys/api/Esys_Create.c
+@@ -335,31 +335,31 @@ Esys_Create_Finish(
+
+ /* Allocate memory for response parameters */
+ if (outPrivate != NULL) {
+- *outPrivate = calloc(sizeof(TPM2B_PRIVATE), 1);
++ *outPrivate = calloc(1, sizeof(TPM2B_PRIVATE));
+ if (*outPrivate == NULL) {
+ return_error(TSS2_ESYS_RC_MEMORY, "Out of memory");
+ }
+ }
+ if (outPublic != NULL) {
+- *outPublic = calloc(sizeof(TPM2B_PUBLIC), 1);
++ *outPublic = calloc(1, sizeof(TPM2B_PUBLIC));
+ if (*outPublic == NULL) {
+ goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup);
+ }
+ }
+ if (creationData != NULL) {
+- *creationData = calloc(sizeof(TPM2B_CREATION_DATA), 1);
++ *creationData = calloc(1, sizeof(TPM2B_CREATION_DATA));
+ if (*creationData == NULL) {
+ goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup);
+ }
+ }
+ if (creationHash != NULL) {
+- *creationHash = calloc(sizeof(TPM2B_DIGEST), 1);
++ *creationHash = calloc(1, sizeof(TPM2B_DIGEST));
+ if (*creationHash == NULL) {
+ goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup);
+ }
+ }
+ if (creationTicket != NULL) {
+- *creationTicket = calloc(sizeof(TPMT_TK_CREATION), 1);
++ *creationTicket = calloc(1, sizeof(TPMT_TK_CREATION));
+ if (*creationTicket == NULL) {
+ goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup);
+ }
+diff --git a/src/tss2-esys/api/Esys_CreateLoaded.c b/src/tss2-esys/api/Esys_CreateLoaded.c
+index 5b183ae1..7ee4f0bb 100644
+--- a/src/tss2-esys/api/Esys_CreateLoaded.c
++++ b/src/tss2-esys/api/Esys_CreateLoaded.c
+@@ -325,12 +325,12 @@ Esys_CreateLoaded_Finish(
+ return r;
+
+ if (outPrivate != NULL) {
+- *outPrivate = calloc(sizeof(TPM2B_PRIVATE), 1);
++ *outPrivate = calloc(1, sizeof(TPM2B_PRIVATE));
+ if (*outPrivate == NULL) {
+ goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup);
+ }
+ }
+- loutPublic = calloc(sizeof(TPM2B_PUBLIC), 1);
++ loutPublic = calloc(1, sizeof(TPM2B_PUBLIC));
+ if (loutPublic == NULL) {
+ goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup);
+ }
+diff --git a/src/tss2-esys/api/Esys_CreatePrimary.c b/src/tss2-esys/api/Esys_CreatePrimary.c
+index 3a9ef83e..90f1be13 100644
+--- a/src/tss2-esys/api/Esys_CreatePrimary.c
++++ b/src/tss2-esys/api/Esys_CreatePrimary.c
+@@ -344,24 +344,24 @@ Esys_CreatePrimary_Finish(
+ if (r != TSS2_RC_SUCCESS)
+ return r;
+
+- loutPublic = calloc(sizeof(TPM2B_PUBLIC), 1);
++ loutPublic = calloc(1, sizeof(TPM2B_PUBLIC));
+ if (loutPublic == NULL) {
+ goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup);
+ }
+ if (creationData != NULL) {
+- *creationData = calloc(sizeof(TPM2B_CREATION_DATA), 1);
++ *creationData = calloc(1, sizeof(TPM2B_CREATION_DATA));
+ if (*creationData == NULL) {
+ goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup);
+ }
+ }
+ if (creationHash != NULL) {
+- *creationHash = calloc(sizeof(TPM2B_DIGEST), 1);
++ *creationHash = calloc(1, sizeof(TPM2B_DIGEST));
+ if (*creationHash == NULL) {
+ goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup);
+ }
+ }
+ if (creationTicket != NULL) {
+- *creationTicket = calloc(sizeof(TPMT_TK_CREATION), 1);
++ *creationTicket = calloc(1, sizeof(TPMT_TK_CREATION));
+ if (*creationTicket == NULL) {
+ goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup);
+ }
+diff --git a/src/tss2-esys/api/Esys_Duplicate.c b/src/tss2-esys/api/Esys_Duplicate.c
+index dbc3d643..62249d0f 100644
+--- a/src/tss2-esys/api/Esys_Duplicate.c
++++ b/src/tss2-esys/api/Esys_Duplicate.c
+@@ -302,19 +302,19 @@ Esys_Duplicate_Finish(
+
+ /* Allocate memory for response parameters */
+ if (encryptionKeyOut != NULL) {
+- *encryptionKeyOut = calloc(sizeof(TPM2B_DATA), 1);
++ *encryptionKeyOut = calloc(1, sizeof(TPM2B_DATA));
+ if (*encryptionKeyOut == NULL) {
+ return_error(TSS2_ESYS_RC_MEMORY, "Out of memory");
+ }
+ }
+ if (duplicate != NULL) {
+- *duplicate = calloc(sizeof(TPM2B_PRIVATE), 1);
++ *duplicate = calloc(1, sizeof(TPM2B_PRIVATE));
+ if (*duplicate == NULL) {
+ goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup);
+ }
+ }
+ if (outSymSeed != NULL) {
+- *outSymSeed = calloc(sizeof(TPM2B_ENCRYPTED_SECRET), 1);
++ *outSymSeed = calloc(1, sizeof(TPM2B_ENCRYPTED_SECRET));
+ if (*outSymSeed == NULL) {
+ goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup);
+ }
+diff --git a/src/tss2-esys/api/Esys_ECC_Parameters.c b/src/tss2-esys/api/Esys_ECC_Parameters.c
+index 63924d66..841f85ad 100644
+--- a/src/tss2-esys/api/Esys_ECC_Parameters.c
++++ b/src/tss2-esys/api/Esys_ECC_Parameters.c
+@@ -243,7 +243,7 @@ Esys_ECC_Parameters_Finish(
+
+ /* Allocate memory for response parameters */
+ if (parameters != NULL) {
+- *parameters = calloc(sizeof(TPMS_ALGORITHM_DETAIL_ECC), 1);
++ *parameters = calloc(1, sizeof(TPMS_ALGORITHM_DETAIL_ECC));
+ if (*parameters == NULL) {
+ return_error(TSS2_ESYS_RC_MEMORY, "Out of memory");
+ }
+diff --git a/src/tss2-esys/api/Esys_ECDH_KeyGen.c b/src/tss2-esys/api/Esys_ECDH_KeyGen.c
+index 4513443e..b146c964 100644
+--- a/src/tss2-esys/api/Esys_ECDH_KeyGen.c
++++ b/src/tss2-esys/api/Esys_ECDH_KeyGen.c
+@@ -256,13 +256,13 @@ Esys_ECDH_KeyGen_Finish(
+
+ /* Allocate memory for response parameters */
+ if (zPoint != NULL) {
+- *zPoint = calloc(sizeof(TPM2B_ECC_POINT), 1);
++ *zPoint = calloc(1, sizeof(TPM2B_ECC_POINT));
+ if (*zPoint == NULL) {
+ return_error(TSS2_ESYS_RC_MEMORY, "Out of memory");
+ }
+ }
+ if (pubPoint != NULL) {
+- *pubPoint = calloc(sizeof(TPM2B_ECC_POINT), 1);
++ *pubPoint = calloc(1, sizeof(TPM2B_ECC_POINT));
+ if (*pubPoint == NULL) {
+ goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup);
+ }
+diff --git a/src/tss2-esys/api/Esys_ECDH_ZGen.c b/src/tss2-esys/api/Esys_ECDH_ZGen.c
+index d3441949..99aae82e 100644
+--- a/src/tss2-esys/api/Esys_ECDH_ZGen.c
++++ b/src/tss2-esys/api/Esys_ECDH_ZGen.c
+@@ -255,7 +255,7 @@ Esys_ECDH_ZGen_Finish(
+
+ /* Allocate memory for response parameters */
+ if (outPoint != NULL) {
+- *outPoint = calloc(sizeof(TPM2B_ECC_POINT), 1);
++ *outPoint = calloc(1, sizeof(TPM2B_ECC_POINT));
+ if (*outPoint == NULL) {
+ return_error(TSS2_ESYS_RC_MEMORY, "Out of memory");
+ }
+diff --git a/src/tss2-esys/api/Esys_EC_Ephemeral.c b/src/tss2-esys/api/Esys_EC_Ephemeral.c
+index 91ecea42..df6e1e71 100644
+--- a/src/tss2-esys/api/Esys_EC_Ephemeral.c
++++ b/src/tss2-esys/api/Esys_EC_Ephemeral.c
+@@ -241,7 +241,7 @@ Esys_EC_Ephemeral_Finish(
+
+ /* Allocate memory for response parameters */
+ if (Q != NULL) {
+- *Q = calloc(sizeof(TPM2B_ECC_POINT), 1);
++ *Q = calloc(1, sizeof(TPM2B_ECC_POINT));
+ if (*Q == NULL) {
+ return_error(TSS2_ESYS_RC_MEMORY, "Out of memory");
+ }
+diff --git a/src/tss2-esys/api/Esys_EncryptDecrypt.c b/src/tss2-esys/api/Esys_EncryptDecrypt.c
+index eac6e9ba..c9f5f258 100644
+--- a/src/tss2-esys/api/Esys_EncryptDecrypt.c
++++ b/src/tss2-esys/api/Esys_EncryptDecrypt.c
+@@ -282,13 +282,13 @@ Esys_EncryptDecrypt_Finish(
+
+ /* Allocate memory for response parameters */
+ if (outData != NULL) {
+- *outData = calloc(sizeof(TPM2B_MAX_BUFFER), 1);
++ *outData = calloc(1, sizeof(TPM2B_MAX_BUFFER));
+ if (*outData == NULL) {
+ return_error(TSS2_ESYS_RC_MEMORY, "Out of memory");
+ }
+ }
+ if (ivOut != NULL) {
+- *ivOut = calloc(sizeof(TPM2B_IV), 1);
++ *ivOut = calloc(1, sizeof(TPM2B_IV));
+ if (*ivOut == NULL) {
+ goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup);
+ }
+diff --git a/src/tss2-esys/api/Esys_EncryptDecrypt2.c b/src/tss2-esys/api/Esys_EncryptDecrypt2.c
+index 31e8a51f..83c309fa 100644
+--- a/src/tss2-esys/api/Esys_EncryptDecrypt2.c
++++ b/src/tss2-esys/api/Esys_EncryptDecrypt2.c
+@@ -276,13 +276,13 @@ Esys_EncryptDecrypt2_Finish(
+
+ /* Allocate memory for response parameters */
+ if (outData != NULL) {
+- *outData = calloc(sizeof(TPM2B_MAX_BUFFER), 1);
++ *outData = calloc(1, sizeof(TPM2B_MAX_BUFFER));
+ if (*outData == NULL) {
+ return_error(TSS2_ESYS_RC_MEMORY, "Out of memory");
+ }
+ }
+ if (ivOut != NULL) {
+- *ivOut = calloc(sizeof(TPM2B_IV), 1);
++ *ivOut = calloc(1, sizeof(TPM2B_IV));
+ if (*ivOut == NULL) {
+ goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup);
+ }
+diff --git a/src/tss2-esys/api/Esys_EventSequenceComplete.c b/src/tss2-esys/api/Esys_EventSequenceComplete.c
+index 0a94ac79..b67c5ec6 100644
+--- a/src/tss2-esys/api/Esys_EventSequenceComplete.c
++++ b/src/tss2-esys/api/Esys_EventSequenceComplete.c
+@@ -277,7 +277,7 @@ Esys_EventSequenceComplete_Finish(
+
+ /* Allocate memory for response parameters */
+ if (results != NULL) {
+- *results = calloc(sizeof(TPML_DIGEST_VALUES), 1);
++ *results = calloc(1, sizeof(TPML_DIGEST_VALUES));
+ if (*results == NULL) {
+ return_error(TSS2_ESYS_RC_MEMORY, "Out of memory");
+ }
+diff --git a/src/tss2-esys/api/Esys_FieldUpgradeData.c b/src/tss2-esys/api/Esys_FieldUpgradeData.c
+index 1c6eb331..faff828d 100644
+--- a/src/tss2-esys/api/Esys_FieldUpgradeData.c
++++ b/src/tss2-esys/api/Esys_FieldUpgradeData.c
+@@ -243,13 +243,13 @@ Esys_FieldUpgradeData_Finish(
+
+ /* Allocate memory for response parameters */
+ if (nextDigest != NULL) {
+- *nextDigest = calloc(sizeof(TPMT_HA), 1);
++ *nextDigest = calloc(1, sizeof(TPMT_HA));
+ if (*nextDigest == NULL) {
+ return_error(TSS2_ESYS_RC_MEMORY, "Out of memory");
+ }
+ }
+ if (firstDigest != NULL) {
+- *firstDigest = calloc(sizeof(TPMT_HA), 1);
++ *firstDigest = calloc(1, sizeof(TPMT_HA));
+ if (*firstDigest == NULL) {
+ goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup);
+ }
+diff --git a/src/tss2-esys/api/Esys_FirmwareRead.c b/src/tss2-esys/api/Esys_FirmwareRead.c
+index 7a75aa03..d7db5c2f 100644
+--- a/src/tss2-esys/api/Esys_FirmwareRead.c
++++ b/src/tss2-esys/api/Esys_FirmwareRead.c
+@@ -239,7 +239,7 @@ Esys_FirmwareRead_Finish(
+
+ /* Allocate memory for response parameters */
+ if (fuData != NULL) {
+- *fuData = calloc(sizeof(TPM2B_MAX_BUFFER), 1);
++ *fuData = calloc(1, sizeof(TPM2B_MAX_BUFFER));
+ if (*fuData == NULL) {
+ return_error(TSS2_ESYS_RC_MEMORY, "Out of memory");
+ }
+diff --git a/src/tss2-esys/api/Esys_GetCapability.c b/src/tss2-esys/api/Esys_GetCapability.c
+index 8fb996d2..7cc0d4f6 100644
+--- a/src/tss2-esys/api/Esys_GetCapability.c
++++ b/src/tss2-esys/api/Esys_GetCapability.c
+@@ -261,7 +261,7 @@ Esys_GetCapability_Finish(
+
+ /* Allocate memory for response parameters */
+ if (capabilityData != NULL) {
+- *capabilityData = calloc(sizeof(TPMS_CAPABILITY_DATA), 1);
++ *capabilityData = calloc(1, sizeof(TPMS_CAPABILITY_DATA));
+ if (*capabilityData == NULL) {
+ return_error(TSS2_ESYS_RC_MEMORY, "Out of memory");
+ }
+diff --git a/src/tss2-esys/api/Esys_GetCommandAuditDigest.c b/src/tss2-esys/api/Esys_GetCommandAuditDigest.c
+index 6d96f0cf..bccff573 100644
+--- a/src/tss2-esys/api/Esys_GetCommandAuditDigest.c
++++ b/src/tss2-esys/api/Esys_GetCommandAuditDigest.c
+@@ -283,13 +283,13 @@ Esys_GetCommandAuditDigest_Finish(
+
+ /* Allocate memory for response parameters */
+ if (auditInfo != NULL) {
+- *auditInfo = calloc(sizeof(TPM2B_ATTEST), 1);
++ *auditInfo = calloc(1, sizeof(TPM2B_ATTEST));
+ if (*auditInfo == NULL) {
+ return_error(TSS2_ESYS_RC_MEMORY, "Out of memory");
+ }
+ }
+ if (signature != NULL) {
+- *signature = calloc(sizeof(TPMT_SIGNATURE), 1);
++ *signature = calloc(1, sizeof(TPMT_SIGNATURE));
+ if (*signature == NULL) {
+ goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup);
+ }
+diff --git a/src/tss2-esys/api/Esys_GetRandom.c b/src/tss2-esys/api/Esys_GetRandom.c
+index 292117f3..8d588961 100644
+--- a/src/tss2-esys/api/Esys_GetRandom.c
++++ b/src/tss2-esys/api/Esys_GetRandom.c
+@@ -237,7 +237,7 @@ Esys_GetRandom_Finish(
+
+ /* Allocate memory for response parameters */
+ if (randomBytes != NULL) {
+- *randomBytes = calloc(sizeof(TPM2B_DIGEST), 1);
++ *randomBytes = calloc(1, sizeof(TPM2B_DIGEST));
+ if (*randomBytes == NULL) {
+ return_error(TSS2_ESYS_RC_MEMORY, "Out of memory");
+ }
+diff --git a/src/tss2-esys/api/Esys_GetSessionAuditDigest.c b/src/tss2-esys/api/Esys_GetSessionAuditDigest.c
+index 8a076f55..e617d014 100644
+--- a/src/tss2-esys/api/Esys_GetSessionAuditDigest.c
++++ b/src/tss2-esys/api/Esys_GetSessionAuditDigest.c
+@@ -297,13 +297,13 @@ Esys_GetSessionAuditDigest_Finish(
+
+ /* Allocate memory for response parameters */
+ if (auditInfo != NULL) {
+- *auditInfo = calloc(sizeof(TPM2B_ATTEST), 1);
++ *auditInfo = calloc(1, sizeof(TPM2B_ATTEST));
+ if (*auditInfo == NULL) {
+ return_error(TSS2_ESYS_RC_MEMORY, "Out of memory");
+ }
+ }
+ if (signature != NULL) {
+- *signature = calloc(sizeof(TPMT_SIGNATURE), 1);
++ *signature = calloc(1, sizeof(TPMT_SIGNATURE));
+ if (*signature == NULL) {
+ goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup);
+ }
+diff --git a/src/tss2-esys/api/Esys_GetTestResult.c b/src/tss2-esys/api/Esys_GetTestResult.c
+index 746e7a60..c5ee9682 100644
+--- a/src/tss2-esys/api/Esys_GetTestResult.c
++++ b/src/tss2-esys/api/Esys_GetTestResult.c
+@@ -236,7 +236,7 @@ Esys_GetTestResult_Finish(
+
+ /* Allocate memory for response parameters */
+ if (outData != NULL) {
+- *outData = calloc(sizeof(TPM2B_MAX_BUFFER), 1);
++ *outData = calloc(1, sizeof(TPM2B_MAX_BUFFER));
+ if (*outData == NULL) {
+ return_error(TSS2_ESYS_RC_MEMORY, "Out of memory");
+ }
+diff --git a/src/tss2-esys/api/Esys_GetTime.c b/src/tss2-esys/api/Esys_GetTime.c
+index 857183c8..ed3a019f 100644
+--- a/src/tss2-esys/api/Esys_GetTime.c
++++ b/src/tss2-esys/api/Esys_GetTime.c
+@@ -281,13 +281,13 @@ Esys_GetTime_Finish(
+
+ /* Allocate memory for response parameters */
+ if (timeInfo != NULL) {
+- *timeInfo = calloc(sizeof(TPM2B_ATTEST), 1);
++ *timeInfo = calloc(1, sizeof(TPM2B_ATTEST));
+ if (*timeInfo == NULL) {
+ return_error(TSS2_ESYS_RC_MEMORY, "Out of memory");
+ }
+ }
+ if (signature != NULL) {
+- *signature = calloc(sizeof(TPMT_SIGNATURE), 1);
++ *signature = calloc(1, sizeof(TPMT_SIGNATURE));
+ if (*signature == NULL) {
+ goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup);
+ }
+diff --git a/src/tss2-esys/api/Esys_HMAC.c b/src/tss2-esys/api/Esys_HMAC.c
+index f8af9d4a..02dbe172 100644
+--- a/src/tss2-esys/api/Esys_HMAC.c
++++ b/src/tss2-esys/api/Esys_HMAC.c
+@@ -260,7 +260,7 @@ Esys_HMAC_Finish(
+
+ /* Allocate memory for response parameters */
+ if (outHMAC != NULL) {
+- *outHMAC = calloc(sizeof(TPM2B_DIGEST), 1);
++ *outHMAC = calloc(1, sizeof(TPM2B_DIGEST));
+ if (*outHMAC == NULL) {
+ return_error(TSS2_ESYS_RC_MEMORY, "Out of memory");
+ }
+diff --git a/src/tss2-esys/api/Esys_Hash.c b/src/tss2-esys/api/Esys_Hash.c
+index 57a55051..fb8b2d70 100644
+--- a/src/tss2-esys/api/Esys_Hash.c
++++ b/src/tss2-esys/api/Esys_Hash.c
+@@ -260,13 +260,13 @@ Esys_Hash_Finish(
+
+ /* Allocate memory for response parameters */
+ if (outHash != NULL) {
+- *outHash = calloc(sizeof(TPM2B_DIGEST), 1);
++ *outHash = calloc(1, sizeof(TPM2B_DIGEST));
+ if (*outHash == NULL) {
+ return_error(TSS2_ESYS_RC_MEMORY, "Out of memory");
+ }
+ }
+ if (validation != NULL) {
+- *validation = calloc(sizeof(TPMT_TK_HASHCHECK), 1);
++ *validation = calloc(1, sizeof(TPMT_TK_HASHCHECK));
+ if (*validation == NULL) {
+ goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup);
+ }
+diff --git a/src/tss2-esys/api/Esys_Import.c b/src/tss2-esys/api/Esys_Import.c
+index 38dc4cea..7e23b39a 100644
+--- a/src/tss2-esys/api/Esys_Import.c
++++ b/src/tss2-esys/api/Esys_Import.c
+@@ -283,7 +283,7 @@ Esys_Import_Finish(
+
+ /* Allocate memory for response parameters */
+ if (outPrivate != NULL) {
+- *outPrivate = calloc(sizeof(TPM2B_PRIVATE), 1);
++ *outPrivate = calloc(1, sizeof(TPM2B_PRIVATE));
+ if (*outPrivate == NULL) {
+ return_error(TSS2_ESYS_RC_MEMORY, "Out of memory");
+ }
+diff --git a/src/tss2-esys/api/Esys_IncrementalSelfTest.c b/src/tss2-esys/api/Esys_IncrementalSelfTest.c
+index c07c935b..fc879520 100644
+--- a/src/tss2-esys/api/Esys_IncrementalSelfTest.c
++++ b/src/tss2-esys/api/Esys_IncrementalSelfTest.c
+@@ -243,7 +243,7 @@ Esys_IncrementalSelfTest_Finish(
+
+ /* Allocate memory for response parameters */
+ if (toDoList != NULL) {
+- *toDoList = calloc(sizeof(TPML_ALG), 1);
++ *toDoList = calloc(1, sizeof(TPML_ALG));
+ if (*toDoList == NULL) {
+ return_error(TSS2_ESYS_RC_MEMORY, "Out of memory");
+ }
+diff --git a/src/tss2-esys/api/Esys_MAC.c b/src/tss2-esys/api/Esys_MAC.c
+index d63a00db..cdc6f21a 100644
+--- a/src/tss2-esys/api/Esys_MAC.c
++++ b/src/tss2-esys/api/Esys_MAC.c
+@@ -262,7 +262,7 @@ Esys_MAC_Finish(
+
+ /* Allocate memory for response parameters */
+ if (outMAC != NULL) {
+- *outMAC = calloc(sizeof(TPM2B_DIGEST), 1);
++ *outMAC = calloc(1, sizeof(TPM2B_DIGEST));
+ if (*outMAC == NULL) {
+ return_error(TSS2_ESYS_RC_MEMORY, "Out of memory");
+ }
+diff --git a/src/tss2-esys/api/Esys_MakeCredential.c b/src/tss2-esys/api/Esys_MakeCredential.c
+index 741e6efd..aba72359 100644
+--- a/src/tss2-esys/api/Esys_MakeCredential.c
++++ b/src/tss2-esys/api/Esys_MakeCredential.c
+@@ -264,13 +264,13 @@ Esys_MakeCredential_Finish(
+
+ /* Allocate memory for response parameters */
+ if (credentialBlob != NULL) {
+- *credentialBlob = calloc(sizeof(TPM2B_ID_OBJECT), 1);
++ *credentialBlob = calloc(1, sizeof(TPM2B_ID_OBJECT));
+ if (*credentialBlob == NULL) {
+ return_error(TSS2_ESYS_RC_MEMORY, "Out of memory");
+ }
+ }
+ if (secret != NULL) {
+- *secret = calloc(sizeof(TPM2B_ENCRYPTED_SECRET), 1);
++ *secret = calloc(1, sizeof(TPM2B_ENCRYPTED_SECRET));
+ if (*secret == NULL) {
+ goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup);
+ }
+diff --git a/src/tss2-esys/api/Esys_NV_Certify.c b/src/tss2-esys/api/Esys_NV_Certify.c
+index bc2c255a..682497bc 100644
+--- a/src/tss2-esys/api/Esys_NV_Certify.c
++++ b/src/tss2-esys/api/Esys_NV_Certify.c
+@@ -307,13 +307,13 @@ Esys_NV_Certify_Finish(
+
+ /* Allocate memory for response parameters */
+ if (certifyInfo != NULL) {
+- *certifyInfo = calloc(sizeof(TPM2B_ATTEST), 1);
++ *certifyInfo = calloc(1, sizeof(TPM2B_ATTEST));
+ if (*certifyInfo == NULL) {
+ return_error(TSS2_ESYS_RC_MEMORY, "Out of memory");
+ }
+ }
+ if (signature != NULL) {
+- *signature = calloc(sizeof(TPMT_SIGNATURE), 1);
++ *signature = calloc(1, sizeof(TPMT_SIGNATURE));
+ if (*signature == NULL) {
+ goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup);
+ }
+diff --git a/src/tss2-esys/api/Esys_NV_Read.c b/src/tss2-esys/api/Esys_NV_Read.c
+index 79174d44..b240f15f 100644
+--- a/src/tss2-esys/api/Esys_NV_Read.c
++++ b/src/tss2-esys/api/Esys_NV_Read.c
+@@ -275,7 +275,7 @@ Esys_NV_Read_Finish(
+
+ /* Allocate memory for response parameters */
+ if (data != NULL) {
+- *data = calloc(sizeof(TPM2B_MAX_NV_BUFFER), 1);
++ *data = calloc(1, sizeof(TPM2B_MAX_NV_BUFFER));
+ if (*data == NULL) {
+ return_error(TSS2_ESYS_RC_MEMORY, "Out of memory");
+ }
+diff --git a/src/tss2-esys/api/Esys_NV_ReadPublic.c b/src/tss2-esys/api/Esys_NV_ReadPublic.c
+index 3879ac67..9fcbf488 100644
+--- a/src/tss2-esys/api/Esys_NV_ReadPublic.c
++++ b/src/tss2-esys/api/Esys_NV_ReadPublic.c
+@@ -266,11 +266,11 @@ Esys_NV_ReadPublic_Finish(
+ esysContext->state = _ESYS_STATE_INTERNALERROR;
+
+ /* Allocate memory for response parameters */
+- lnvPublic = calloc(sizeof(TPM2B_NV_PUBLIC), 1);
++ lnvPublic = calloc(1, sizeof(TPM2B_NV_PUBLIC));
+ if (lnvPublic == NULL) {
+ return_error(TSS2_ESYS_RC_MEMORY, "Out of memory");
+ }
+- lnvName = calloc(sizeof(TPM2B_NAME), 1);
++ lnvName = calloc(1, sizeof(TPM2B_NAME));
+ if (lnvName == NULL) {
+ goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup);
+ }
+diff --git a/src/tss2-esys/api/Esys_ObjectChangeAuth.c b/src/tss2-esys/api/Esys_ObjectChangeAuth.c
+index 300afe0e..ba63a9cd 100644
+--- a/src/tss2-esys/api/Esys_ObjectChangeAuth.c
++++ b/src/tss2-esys/api/Esys_ObjectChangeAuth.c
+@@ -284,7 +284,7 @@ Esys_ObjectChangeAuth_Finish(
+
+ /* Allocate memory for response parameters */
+ if (outPrivate != NULL) {
+- *outPrivate = calloc(sizeof(TPM2B_PRIVATE), 1);
++ *outPrivate = calloc(1, sizeof(TPM2B_PRIVATE));
+ if (*outPrivate == NULL) {
+ return_error(TSS2_ESYS_RC_MEMORY, "Out of memory");
+ }
+diff --git a/src/tss2-esys/api/Esys_PCR_Event.c b/src/tss2-esys/api/Esys_PCR_Event.c
+index ba352384..487e2711 100644
+--- a/src/tss2-esys/api/Esys_PCR_Event.c
++++ b/src/tss2-esys/api/Esys_PCR_Event.c
+@@ -259,7 +259,7 @@ Esys_PCR_Event_Finish(
+
+ /* Allocate memory for response parameters */
+ if (digests != NULL) {
+- *digests = calloc(sizeof(TPML_DIGEST_VALUES), 1);
++ *digests = calloc(1, sizeof(TPML_DIGEST_VALUES));
+ if (*digests == NULL) {
+ return_error(TSS2_ESYS_RC_MEMORY, "Out of memory");
+ }
+diff --git a/src/tss2-esys/api/Esys_PCR_Read.c b/src/tss2-esys/api/Esys_PCR_Read.c
+index adcf966c..47affe45 100644
+--- a/src/tss2-esys/api/Esys_PCR_Read.c
++++ b/src/tss2-esys/api/Esys_PCR_Read.c
+@@ -258,13 +258,13 @@ Esys_PCR_Read_Finish(
+
+ /* Allocate memory for response parameters */
+ if (pcrSelectionOut != NULL) {
+- *pcrSelectionOut = calloc(sizeof(TPML_PCR_SELECTION), 1);
++ *pcrSelectionOut = calloc(1, sizeof(TPML_PCR_SELECTION));
+ if (*pcrSelectionOut == NULL) {
+ return_error(TSS2_ESYS_RC_MEMORY, "Out of memory");
+ }
+ }
+ if (pcrValues != NULL) {
+- *pcrValues = calloc(sizeof(TPML_DIGEST), 1);
++ *pcrValues = calloc(1, sizeof(TPML_DIGEST));
+ if (*pcrValues == NULL) {
+ goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup);
+ }
+diff --git a/src/tss2-esys/api/Esys_PolicyGetDigest.c b/src/tss2-esys/api/Esys_PolicyGetDigest.c
+index 8ee3fccb..5d321765 100644
+--- a/src/tss2-esys/api/Esys_PolicyGetDigest.c
++++ b/src/tss2-esys/api/Esys_PolicyGetDigest.c
+@@ -253,7 +253,7 @@ Esys_PolicyGetDigest_Finish(
+
+ /* Allocate memory for response parameters */
+ if (policyDigest != NULL) {
+- *policyDigest = calloc(sizeof(TPM2B_DIGEST), 1);
++ *policyDigest = calloc(1, sizeof(TPM2B_DIGEST));
+ if (*policyDigest == NULL) {
+ return_error(TSS2_ESYS_RC_MEMORY, "Out of memory");
+ }
+diff --git a/src/tss2-esys/api/Esys_PolicySecret.c b/src/tss2-esys/api/Esys_PolicySecret.c
+index cecd8a38..dcf45864 100644
+--- a/src/tss2-esys/api/Esys_PolicySecret.c
++++ b/src/tss2-esys/api/Esys_PolicySecret.c
+@@ -297,13 +297,13 @@ Esys_PolicySecret_Finish(
+
+ /* Allocate memory for response parameters */
+ if (timeout != NULL) {
+- *timeout = calloc(sizeof(TPM2B_TIMEOUT), 1);
++ *timeout = calloc(1, sizeof(TPM2B_TIMEOUT));
+ if (*timeout == NULL) {
+ return_error(TSS2_ESYS_RC_MEMORY, "Out of memory");
+ }
+ }
+ if (policyTicket != NULL) {
+- *policyTicket = calloc(sizeof(TPMT_TK_AUTH), 1);
++ *policyTicket = calloc(1, sizeof(TPMT_TK_AUTH));
+ if (*policyTicket == NULL) {
+ goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup);
+ }
+diff --git a/src/tss2-esys/api/Esys_PolicySigned.c b/src/tss2-esys/api/Esys_PolicySigned.c
+index cfcd4b86..1f7869bb 100644
+--- a/src/tss2-esys/api/Esys_PolicySigned.c
++++ b/src/tss2-esys/api/Esys_PolicySigned.c
+@@ -297,13 +297,13 @@ Esys_PolicySigned_Finish(
+
+ /* Allocate memory for response parameters */
+ if (timeout != NULL)
{ +- *timeout = calloc(sizeof(TPM2B_TIMEOUT), 1); ++ *timeout = calloc(1, sizeof(TPM2B_TIMEOUT)); + if (*timeout == NULL) { + return_error(TSS2_ESYS_RC_MEMORY, "Out of memory"); + } + } + if (policyTicket != NULL) { +- *policyTicket = calloc(sizeof(TPMT_TK_AUTH), 1); ++ *policyTicket = calloc(1, sizeof(TPMT_TK_AUTH)); + if (*policyTicket == NULL) { + goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup); + } +diff --git a/src/tss2-esys/api/Esys_Quote.c b/src/tss2-esys/api/Esys_Quote.c +index 1e3ed1a5..eb717f87 100644 +--- a/src/tss2-esys/api/Esys_Quote.c ++++ b/src/tss2-esys/api/Esys_Quote.c +@@ -271,13 +271,13 @@ Esys_Quote_Finish( + + /* Allocate memory for response parameters */ + if (quoted != NULL) { +- *quoted = calloc(sizeof(TPM2B_ATTEST), 1); ++ *quoted = calloc(1, sizeof(TPM2B_ATTEST)); + if (*quoted == NULL) { + return_error(TSS2_ESYS_RC_MEMORY, "Out of memory"); + } + } + if (signature != NULL) { +- *signature = calloc(sizeof(TPMT_SIGNATURE), 1); ++ *signature = calloc(1, sizeof(TPMT_SIGNATURE)); + if (*signature == NULL) { + goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup); + } +diff --git a/src/tss2-esys/api/Esys_RSA_Decrypt.c b/src/tss2-esys/api/Esys_RSA_Decrypt.c +index 084d4997..43365fdd 100644 +--- a/src/tss2-esys/api/Esys_RSA_Decrypt.c ++++ b/src/tss2-esys/api/Esys_RSA_Decrypt.c +@@ -265,7 +265,7 @@ Esys_RSA_Decrypt_Finish( + + /* Allocate memory for response parameters */ + if (message != NULL) { +- *message = calloc(sizeof(TPM2B_PUBLIC_KEY_RSA), 1); ++ *message = calloc(1, sizeof(TPM2B_PUBLIC_KEY_RSA)); + if (*message == NULL) { + return_error(TSS2_ESYS_RC_MEMORY, "Out of memory"); + } +diff --git a/src/tss2-esys/api/Esys_RSA_Encrypt.c b/src/tss2-esys/api/Esys_RSA_Encrypt.c +index 50314722..a0f5454c 100644 +--- a/src/tss2-esys/api/Esys_RSA_Encrypt.c ++++ b/src/tss2-esys/api/Esys_RSA_Encrypt.c +@@ -262,7 +262,7 @@ Esys_RSA_Encrypt_Finish( + + /* Allocate memory for response parameters */ + if (outData != NULL) { +- 
*outData = calloc(sizeof(TPM2B_PUBLIC_KEY_RSA), 1); ++ *outData = calloc(1, sizeof(TPM2B_PUBLIC_KEY_RSA)); + if (*outData == NULL) { + return_error(TSS2_ESYS_RC_MEMORY, "Out of memory"); + } +diff --git a/src/tss2-esys/api/Esys_ReadClock.c b/src/tss2-esys/api/Esys_ReadClock.c +index 17d81803..f58bc3e6 100644 +--- a/src/tss2-esys/api/Esys_ReadClock.c ++++ b/src/tss2-esys/api/Esys_ReadClock.c +@@ -238,7 +238,7 @@ Esys_ReadClock_Finish( + + /* Allocate memory for response parameters */ + if (currentTime != NULL) { +- *currentTime = calloc(sizeof(TPMS_TIME_INFO), 1); ++ *currentTime = calloc(1, sizeof(TPMS_TIME_INFO)); + if (*currentTime == NULL) { + return_error(TSS2_ESYS_RC_MEMORY, "Out of memory"); + } +diff --git a/src/tss2-esys/api/Esys_ReadPublic.c b/src/tss2-esys/api/Esys_ReadPublic.c +index 7c078d8b..34e03bcb 100644 +--- a/src/tss2-esys/api/Esys_ReadPublic.c ++++ b/src/tss2-esys/api/Esys_ReadPublic.c +@@ -268,19 +268,19 @@ Esys_ReadPublic_Finish( + + /* Allocate memory for response parameters */ + if (outPublic != NULL) { +- *outPublic = calloc(sizeof(TPM2B_PUBLIC), 1); ++ *outPublic = calloc(1, sizeof(TPM2B_PUBLIC)); + if (*outPublic == NULL) { + return_error(TSS2_ESYS_RC_MEMORY, "Out of memory"); + } + } + if (name != NULL) { +- *name = calloc(sizeof(TPM2B_NAME), 1); ++ *name = calloc(1, sizeof(TPM2B_NAME)); + if (*name == NULL) { + goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup); + } + } + if (qualifiedName != NULL) { +- *qualifiedName = calloc(sizeof(TPM2B_NAME), 1); ++ *qualifiedName = calloc(1, sizeof(TPM2B_NAME)); + if (*qualifiedName == NULL) { + goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup); + } +diff --git a/src/tss2-esys/api/Esys_Rewrap.c b/src/tss2-esys/api/Esys_Rewrap.c +index e9325a0a..5a25873b 100644 +--- a/src/tss2-esys/api/Esys_Rewrap.c ++++ b/src/tss2-esys/api/Esys_Rewrap.c +@@ -285,13 +285,13 @@ Esys_Rewrap_Finish( + + /* Allocate memory for response parameters */ + if (outDuplicate != NULL) { +- 
*outDuplicate = calloc(sizeof(TPM2B_PRIVATE), 1); ++ *outDuplicate = calloc(1, sizeof(TPM2B_PRIVATE)); + if (*outDuplicate == NULL) { + return_error(TSS2_ESYS_RC_MEMORY, "Out of memory"); + } + } + if (outSymSeed != NULL) { +- *outSymSeed = calloc(sizeof(TPM2B_ENCRYPTED_SECRET), 1); ++ *outSymSeed = calloc(1, sizeof(TPM2B_ENCRYPTED_SECRET)); + if (*outSymSeed == NULL) { + goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup); + } +diff --git a/src/tss2-esys/api/Esys_SequenceComplete.c b/src/tss2-esys/api/Esys_SequenceComplete.c +index b6dd8627..c50ac56d 100644 +--- a/src/tss2-esys/api/Esys_SequenceComplete.c ++++ b/src/tss2-esys/api/Esys_SequenceComplete.c +@@ -287,13 +287,13 @@ Esys_SequenceComplete_Finish( + + /* Allocate memory for response parameters */ + if (result != NULL) { +- *result = calloc(sizeof(TPM2B_DIGEST), 1); ++ *result = calloc(1, sizeof(TPM2B_DIGEST)); + if (*result == NULL) { + return_error(TSS2_ESYS_RC_MEMORY, "Out of memory"); + } + } + if (validation != NULL) { +- *validation = calloc(sizeof(TPMT_TK_HASHCHECK), 1); ++ *validation = calloc(1, sizeof(TPMT_TK_HASHCHECK)); + if (*validation == NULL) { + goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup); + } +diff --git a/src/tss2-esys/api/Esys_Sign.c b/src/tss2-esys/api/Esys_Sign.c +index 5502cc3a..f9fd7e0d 100644 +--- a/src/tss2-esys/api/Esys_Sign.c ++++ b/src/tss2-esys/api/Esys_Sign.c +@@ -271,7 +271,7 @@ Esys_Sign_Finish( + + /* Allocate memory for response parameters */ + if (signature != NULL) { +- *signature = calloc(sizeof(TPMT_SIGNATURE), 1); ++ *signature = calloc(1, sizeof(TPMT_SIGNATURE)); + if (*signature == NULL) { + return_error(TSS2_ESYS_RC_MEMORY, "Out of memory"); + } +diff --git a/src/tss2-esys/api/Esys_Unseal.c b/src/tss2-esys/api/Esys_Unseal.c +index d019ca5c..b5f30531 100644 +--- a/src/tss2-esys/api/Esys_Unseal.c ++++ b/src/tss2-esys/api/Esys_Unseal.c +@@ -255,7 +255,7 @@ Esys_Unseal_Finish( + + /* Allocate memory for response parameters */ + if 
(outData != NULL) { +- *outData = calloc(sizeof(TPM2B_SENSITIVE_DATA), 1); ++ *outData = calloc(1, sizeof(TPM2B_SENSITIVE_DATA)); + if (*outData == NULL) { + return_error(TSS2_ESYS_RC_MEMORY, "Out of memory"); + } +diff --git a/src/tss2-esys/api/Esys_Vendor_TCG_Test.c b/src/tss2-esys/api/Esys_Vendor_TCG_Test.c +index 06dfacf7..d614faf1 100644 +--- a/src/tss2-esys/api/Esys_Vendor_TCG_Test.c ++++ b/src/tss2-esys/api/Esys_Vendor_TCG_Test.c +@@ -231,7 +231,7 @@ Esys_Vendor_TCG_Test_Finish( + + /* Allocate memory for response parameters */ + if (outputData != NULL) { +- *outputData = calloc(sizeof(TPM2B_DATA), 1); ++ *outputData = calloc(1, sizeof(TPM2B_DATA)); + if (*outputData == NULL) { + return_error(TSS2_ESYS_RC_MEMORY, "Out of memory"); + } +diff --git a/src/tss2-esys/api/Esys_VerifySignature.c b/src/tss2-esys/api/Esys_VerifySignature.c +index f4ae2eb4..a55a4af0 100644 +--- a/src/tss2-esys/api/Esys_VerifySignature.c ++++ b/src/tss2-esys/api/Esys_VerifySignature.c +@@ -262,7 +262,7 @@ Esys_VerifySignature_Finish( + + /* Allocate memory for response parameters */ + if (validation != NULL) { +- *validation = calloc(sizeof(TPMT_TK_VERIFIED), 1); ++ *validation = calloc(1, sizeof(TPMT_TK_VERIFIED)); + if (*validation == NULL) { + return_error(TSS2_ESYS_RC_MEMORY, "Out of memory"); + } +diff --git a/src/tss2-esys/api/Esys_ZGen_2Phase.c b/src/tss2-esys/api/Esys_ZGen_2Phase.c +index 55a2c26d..286dbaa4 100644 +--- a/src/tss2-esys/api/Esys_ZGen_2Phase.c ++++ b/src/tss2-esys/api/Esys_ZGen_2Phase.c +@@ -278,13 +278,13 @@ Esys_ZGen_2Phase_Finish( + + /* Allocate memory for response parameters */ + if (outZ1 != NULL) { +- *outZ1 = calloc(sizeof(TPM2B_ECC_POINT), 1); ++ *outZ1 = calloc(1, sizeof(TPM2B_ECC_POINT)); + if (*outZ1 == NULL) { + return_error(TSS2_ESYS_RC_MEMORY, "Out of memory"); + } + } + if (outZ2 != NULL) { +- *outZ2 = calloc(sizeof(TPM2B_ECC_POINT), 1); ++ *outZ2 = calloc(1, sizeof(TPM2B_ECC_POINT)); + if (*outZ2 == NULL) { + goto_error(r, TSS2_ESYS_RC_MEMORY, 
"Out of memory", error_cleanup); + } +diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c +index d2dc9ff0..82d0d0fa 100644 +--- a/src/tss2-fapi/fapi_util.c ++++ b/src/tss2-fapi/fapi_util.c +@@ -2322,7 +2322,7 @@ ifapi_nv_write( + context->nv_cmd.data_idx = 0; + + /* Use calloc to ensure zero padding for write buffer. */ +- context->nv_cmd.write_data = calloc(size, 1); ++ context->nv_cmd.write_data = calloc(1, size); + goto_if_null2(context->nv_cmd.write_data, "Out of memory.", r, + TSS2_FAPI_RC_MEMORY, + error_cleanup); +@@ -2762,7 +2762,7 @@ ifapi_get_random(FAPI_CONTEXT *context, size_t numBytes, uint8_t **data) + switch (context->get_random_state) { + statecase(context->get_random_state, GET_RANDOM_INIT); + context->get_random.numBytes = numBytes; +- context->get_random.data = calloc(context->get_random.numBytes, 1); ++ context->get_random.data = calloc(1, context->get_random.numBytes); + context->get_random.idx = 0; + return_if_null(context->get_random.data, "FAPI out of memory.", + TSS2_FAPI_RC_MEMORY); +diff --git a/src/tss2-fapi/ifapi_io.c b/src/tss2-fapi/ifapi_io.c +index 0ff56886..97ad7952 100644 +--- a/src/tss2-fapi/ifapi_io.c ++++ b/src/tss2-fapi/ifapi_io.c +@@ -581,7 +581,7 @@ dirfiles_all(const char *dir_name, NODE_OBJECT_T **list, size_t *n) + closedir(dir); + return_if_error(r, "Out of memory"); + +- NODE_OBJECT_T *file_obj = calloc(sizeof(NODE_OBJECT_T), 1); ++ NODE_OBJECT_T *file_obj = calloc(1, sizeof(NODE_OBJECT_T)); + if (!file_obj) { + LOG_ERROR("Out of memory."); + SAFE_FREE(path); +diff --git a/src/tss2-fapi/ifapi_policy_callbacks.c b/src/tss2-fapi/ifapi_policy_callbacks.c +index 8bc6e7f5..10d591bb 100644 +--- a/src/tss2-fapi/ifapi_policy_callbacks.c ++++ b/src/tss2-fapi/ifapi_policy_callbacks.c +@@ -1132,7 +1132,7 @@ search_policy( + } + } + /* Extend linked list.*/ +- policy_object = calloc(sizeof(struct POLICY_LIST), 1); ++ policy_object = calloc(1, sizeof(struct POLICY_LIST)); + return_if_null(policy_object, "Out of 
memory.", TSS2_FAPI_RC_MEMORY); + + strdup_check(policy_object->path, context->fsearch.current_path, r, cleanup); +diff --git a/src/tss2-fapi/ifapi_policyutil_execute.c b/src/tss2-fapi/ifapi_policyutil_execute.c +index b0925f0f..24b1c65c 100644 +--- a/src/tss2-fapi/ifapi_policyutil_execute.c ++++ b/src/tss2-fapi/ifapi_policyutil_execute.c +@@ -42,12 +42,12 @@ new_policy( + IFAPI_POLICY_EXEC_CTX *pol_exec_ctx; + IFAPI_POLICY_EXEC_CB_CTX *pol_exec_cb_ctx; + +- *current_policy = calloc(sizeof(IFAPI_POLICYUTIL_STACK), 1); ++ *current_policy = calloc(1, sizeof(IFAPI_POLICYUTIL_STACK)); + if (!*current_policy) { + return_error(TSS2_FAPI_RC_MEMORY, "Out of memory"); + } + +- pol_exec_ctx = calloc(sizeof(IFAPI_POLICY_EXEC_CTX), 1); ++ pol_exec_ctx = calloc(1, sizeof(IFAPI_POLICY_EXEC_CTX)); + if (!pol_exec_ctx) { + SAFE_FREE(*current_policy); + return_error(TSS2_FAPI_RC_MEMORY, "Out of memory"); +@@ -73,7 +73,7 @@ new_policy( + pol_exec_ctx->callbacks.cbaction = ifapi_policy_action; + pol_exec_ctx->callbacks.cbaction_userdata = context; + +- pol_exec_cb_ctx = calloc(sizeof(IFAPI_POLICY_EXEC_CB_CTX), 1); ++ pol_exec_cb_ctx = calloc(1, sizeof(IFAPI_POLICY_EXEC_CB_CTX)); + if (!pol_exec_cb_ctx) { + SAFE_FREE(*current_policy); + return_error(TSS2_FAPI_RC_MEMORY, "Out of memory"); +diff --git a/test/integration/main-fapi.c b/test/integration/main-fapi.c +index 59b1913c..ebf9019d 100644 +--- a/test/integration/main-fapi.c ++++ b/test/integration/main-fapi.c +@@ -1182,7 +1182,7 @@ get_pubkey_fingerprint(EVP_PKEY *key, char **fingerprint) + goto error_cleanup; + } + #endif +- *fingerprint = calloc(TPM2_SHA256_DIGEST_SIZE * 2 + 1, 1); ++ *fingerprint = calloc(1, TPM2_SHA256_DIGEST_SIZE * 2 + 1); + if (!(*fingerprint)) { + LOG_ERROR("Failed to allocate fingerprint."); + goto error_cleanup; +@@ -1402,7 +1402,7 @@ test_fapi_setup(TSS2_TEST_FAPI_CONTEXT **test_ctx) + int ret; + + size = sizeof(TSS2_TEST_FAPI_CONTEXT); +- *test_ctx = calloc(size, 1); ++ *test_ctx = calloc(1, size); + if 
(test_ctx == NULL) { + LOG_ERROR("Failed to allocate 0x%zx bytes for the test context", size); + goto error; +-- +2.51.0 + diff --git a/0002-FAPI-Add-check-whether-auth-values-exist-for-hierarc.patch b/0002-FAPI-Add-check-whether-auth-values-exist-for-hierarc.patch new file mode 100644 index 0000000..b1fa0c9 --- /dev/null +++ b/0002-FAPI-Add-check-whether-auth-values-exist-for-hierarc.patch 
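Review bot: The NULL check that follows the allocation in the test_fapi_setup hunk tests the out-parameter `test_ctx` instead of the pointer calloc just returned, so an allocation failure is not caught here. The check should read `if (*test_ctx == NULL) {`. The patch only swaps the calloc arguments and leaves this context line as it was; the function body continues outside the hunk.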
@@ -0,0 +1,87 @@ +From 86ff2ee77eb19558e8ae133ad78dcd2d6f59eef1 Mon Sep 17 00:00:00 2001 +From: Juergen Repp +Date: Fri, 3 May 2024 11:57:43 +0200 +Subject: [PATCH 02/22] FAPI: Add check whether auth values exist for + hierarchies. + +Currently FAPI provisioning tries to create the EK and SRK with the +NULL auth value for the hierarchies. +Now first the corresponding flag in TPM2_CAP_TPM_PROPERTIES with +the property TPM2_PT_PERMANENT is checked. If an auth value is used +for the hierarchy the auth value callback will be called. +The "retry" code in the BAD_AUTH case is removed. + +Signed-off-by: Juergen Repp +--- + src/tss2-fapi/api/Fapi_Provision.c | 10 ++++++++++ + src/tss2-fapi/fapi_util.c | 32 +----------------------------- + 2 files changed, 11 insertions(+), 31 deletions(-) + +diff --git a/src/tss2-fapi/api/Fapi_Provision.c b/src/tss2-fapi/api/Fapi_Provision.c +index 3046b90b..87e0f505 100644 +--- a/src/tss2-fapi/api/Fapi_Provision.c ++++ b/src/tss2-fapi/api/Fapi_Provision.c +@@ -512,6 +512,16 @@ Fapi_Provision_Finish(FAPI_CONTEXT *context) + command->auth_state = (*capabilityData)->data.tpmProperties.tpmProperty[0].value; + SAFE_FREE(*capabilityData); + ++ if (command->auth_state & TPMA_PERMANENT_ENDORSEMENTAUTHSET) { ++ hierarchy_he->misc.hierarchy.with_auth = TPM2_YES; ++ } ++ if (command->auth_state & TPMA_PERMANENT_OWNERAUTHSET) { ++ hierarchy_hs->misc.hierarchy.with_auth = TPM2_YES; ++ } ++ if (command->auth_state & TPMA_PERMANENT_LOCKOUTAUTHSET) { ++ hierarchy_lockout->misc.hierarchy.with_auth = TPM2_YES; ++ } ++ + /* Check the TPM capabilities for the persistent handle. 
*/ + if (command->public_templ.persistent_handle) { + r = Esys_GetCapability_Async(context->esys, +diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c +index 82d0d0fa..740d5e4a 100644 +--- a/src/tss2-fapi/fapi_util.c ++++ b/src/tss2-fapi/fapi_util.c +@@ -760,38 +760,8 @@ ifapi_init_primary_finish(FAPI_CONTEXT *context, TSS2_KEY_TYPE ktype, IFAPI_OBJE + if (base_rc(r) == TSS2_BASE_RC_TRY_AGAIN) + return TSS2_FAPI_RC_TRY_AGAIN; + +- /* Retry with authorization callback after trial with null auth */ +- if (number_rc(r) == TPM2_RC_BAD_AUTH +- && hierarchy->misc.hierarchy.with_auth == TPM2_NO) { +- char *description; +- r = ifapi_get_description(hierarchy, &description); +- return_if_error(r, "Get description"); ++ goto_if_error_reset_state(r, "FAPI Provision", error_cleanup); + +- r = ifapi_set_auth(context, hierarchy, description); +- SAFE_FREE(description); +- goto_if_error_reset_state(r, "CreatePrimary", error_cleanup); +- +- r = Esys_CreatePrimary_Async(context->esys, hierarchy->public.handle, +- (context->session1 == ESYS_TR_NONE) ? +- ESYS_TR_PASSWORD : context->session1, +- ESYS_TR_NONE, ESYS_TR_NONE, +- &context->cmd.Provision.inSensitive, +- &context->cmd.Provision.public_templ.public, +- &context->cmd.Provision.outsideInfo, +- &context->cmd.Provision.creationPCR); +- goto_if_error_reset_state(r, "CreatePrimary", error_cleanup); +- +- if (ktype == TSS2_EK) { +- context->state = PROVISION_AUTH_EK_AUTH_SENT; +- } else { +- context->state = PROVISION_AUTH_SRK_AUTH_SENT; +- } +- hierarchy->misc.hierarchy.with_auth = TPM2_YES; +- return TSS2_FAPI_RC_TRY_AGAIN; +- +- } else { +- goto_if_error_reset_state(r, "FAPI Provision", error_cleanup); +- } + /* Set EK or SRK handle in context. */ + if (ktype == TSS2_EK) { + context->ek_handle = primaryHandle; +-- +2.51.0 + diff --git a/0003-FAPI-Improve-the-error-message-for-self-signed-EK-ce.patch b/0003-FAPI-Improve-the-error-message-for-self-signed-EK-ce.patch new file mode 100644 index 0000000..db837f2 
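Review bot: The three `with_auth` flags added in Fapi_Provision_Finish are derived from `tpmProperty[0].value`, and the hunk shows no check that the capability response holds at least one property or that this property is TPM2_PT_PERMANENT. The same patch removes the BAD_AUTH retry from ifapi_init_primary_finish, so this value alone now decides whether the auth callback is used. Unless the lines above the hunk already do it, a guard on `(*capabilityData)->data.tpmProperties.count` and on `tpmProperty[0].property` before the read would make a short or unexpected response fail cleanly instead of silently selecting the NULL auth value.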
--- /dev/null
+++ b/0003-FAPI-Improve-the-error-message-for-self-signed-EK-ce.patch
@@ -0,0 +1,42 @@
+From 661a0b0ef63c015106bc28827c9fac484b0b719d Mon Sep 17 00:00:00 2001
+From: Juergen Repp
+Date: Fri, 10 May 2024 19:15:37 +0200
+Subject: [PATCH 03/22] FAPI: Improve the error message for self signed EK
+ certificates.
+
+The error message
+"curl_url_set for CURUPART_URL failed: Unsupported URL scheme"
+was displayed if a self signed EK certificate was stored in the TPM.
+Now a better error message is displayed to explain that FAPI can
+be used if "ek_cert_less" is set to "yes" in the FAPI config file.
+Addresses: #2833
+
+Signed-off-by: Juergen Repp
+---
+ src/tss2-fapi/ifapi_curl.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/tss2-fapi/ifapi_curl.c b/src/tss2-fapi/ifapi_curl.c
+index 976f36d0..9827afcd 100644
+--- a/src/tss2-fapi/ifapi_curl.c
++++ b/src/tss2-fapi/ifapi_curl.c
+@@ -175,6 +175,16 @@ ifapi_curl_verify_ek_cert(
+ goto_if_null2(ek_cert, "Failed to convert PEM certificate to DER.",
+ r, TSS2_FAPI_RC_BAD_VALUE, cleanup);
+
++ if (is_self_signed(ek_cert)) {
++ /* A self signed certificate was stored in the TPM and ek_cert_less was not set.*/
++ goto_error(r, TSS2_FAPI_RC_NO_CERT,
++ "A self signed EK certifcate for current crypto profile was found. "
++ "You may want to switch the profile in fapi-config or "
++ "set the ek_cert_less or ek_cert_file options in fapi-config. "
++ "See also https://tpm2-software.github.io/2020/07/22/Fapi_Crypto_Profiles.html",
++ cleanup);
++ }
++
+ if (intermed_cert_pem) {
+ intermed_cert = get_X509_from_pem(intermed_cert_pem);
+ goto_if_null2(intermed_cert, "Failed to convert PEM certificate to DER.",
+--
+2.51.0
+
diff --git a/0004-TCTI-Fix-leak-produced-in-Tss2_TctiLdr_Initialize_Ex.patch b/0004-TCTI-Fix-leak-produced-in-Tss2_TctiLdr_Initialize_Ex.patch
new file mode 100644
index 0000000..1b8af71
--- /dev/null
+++ b/0004-TCTI-Fix-leak-produced-in-Tss2_TctiLdr_Initialize_Ex.patch
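Review bot: The new error string in ifapi_curl_verify_ek_cert misspells "certificate" as `certifcate`, which makes the message harder to find when searching logs or documentation; the line should read `"A self signed EK certificate for current crypto profile was found. "`. The definition of `is_self_signed` is outside the hunk, so a short comment at the call saying what it compares (issuer and subject only, or also the signature) would help a reader judge which certificates take this branch.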
@@ -0,0 +1,34 @@
+From 90d20f92a0da1e1d783419928a43fa850e2f9533 Mon Sep 17 00:00:00 2001
+From: Juergen Repp
+Date: Sat, 18 May 2024 20:21:14 +0200
+Subject: [PATCH 04/22] TCTI: Fix leak produced in Tss2_TctiLdr_Initialize_Ex
+
+The return code of tctildr_init_context_data was not checked in
+Tss2_TctiLdr_Initialize_Ex. The cleanup part of this function was
+not executed and so a leak was produced.
+Fixes #2842
+
+Signed-off-by: Juergen Repp
+---
+ src/tss2-tcti/tctildr.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/tss2-tcti/tctildr.c b/src/tss2-tcti/tctildr.c
+index 4f380ceb..af913193 100644
+--- a/src/tss2-tcti/tctildr.c
++++ b/src/tss2-tcti/tctildr.c
+@@ -524,7 +524,10 @@ Tss2_TctiLdr_Initialize_Ex (const char *name,
+ }
+
+ *tctiContext = (TSS2_TCTI_CONTEXT *) ldr_ctx;
+- return tctildr_init_context_data(*tctiContext, local_name, local_conf);
++ rc = tctildr_init_context_data(*tctiContext, local_name, local_conf);
++ if (rc == TSS2_RC_SUCCESS) {
++ return rc;
++ }
+
+ err:
+ if (*tctiContext != NULL) {
+--
+2.51.0
+
diff --git a/0005-FAPI-Fix-usage-of-external-PEM-keys-for-PolicyAuthor.patch b/0005-FAPI-Fix-usage-of-external-PEM-keys-for-PolicyAuthor.patch
new file mode 100644
index 0000000..f7d7cc0
--- /dev/null
+++ b/0005-FAPI-Fix-usage-of-external-PEM-keys-for-PolicyAuthor.patch
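Review bot: The failure path in Tss2_TctiLdr_Initialize_Ex now depends on falling through into the `err:` label, which a later edit between the new `if` and the label could break without anyone noticing. A comment after the `if` block, for example `/* init failed: fall through to err so ldr_ctx is released */`, would make that intent explicit. Because `*tctiContext` has already been set to `ldr_ctx` at this point, it is also worth confirming that the `err:` block, whose body lies outside the hunk, sets `*tctiContext` back to NULL after freeing it so the caller is not left holding a dangling pointer.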
@@ -0,0 +1,74 @@ +From 17802f7911562779830daa4cb49dbb07a94964ac Mon Sep 17 00:00:00 2001 +From: Juergen Repp +Date: Sun, 2 Jun 2024 14:28:18 +0200 +Subject: [PATCH 05/22] FAPI: Fix usage of external PEM keys for + PolicyAuthorize. + +* PolicyAuthorize with an external imported PEM key did not work if + the default nameAlg for the imported key (sha1) was not equal to + the default nameAlg in the current fapi profile. + The nameAlg from the profile is now used for the imported key. +* To prevent a possible double free after cleanup of a policy + the NULL pointer is set for the reference to this policy. + +Signed-off-by: Juergen Repp +--- + src/tss2-fapi/api/Fapi_Import.c | 2 ++ + src/tss2-fapi/fapi_crypto.c | 4 ++-- + src/tss2-fapi/ifapi_policy_callbacks.c | 4 +++- + 3 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/src/tss2-fapi/api/Fapi_Import.c b/src/tss2-fapi/api/Fapi_Import.c +index 2aa5ed79..33f5e69a 100644 +--- a/src/tss2-fapi/api/Fapi_Import.c ++++ b/src/tss2-fapi/api/Fapi_Import.c +@@ -194,6 +194,8 @@ Fapi_Import_Async( + &extPubKey->public); + goto_if_error(r, "Convert PEM public key into TPM public key.", cleanup_error); + ++ extPubKey->public.publicArea.nameAlg = context->profiles.default_profile.nameAlg; ++ + command->new_object = *object; + if (strncmp("/", path, 1) == 0) + pos = 1; +diff --git a/src/tss2-fapi/fapi_crypto.c b/src/tss2-fapi/fapi_crypto.c +index 43b1bbbb..28385ad3 100644 +--- a/src/tss2-fapi/fapi_crypto.c ++++ b/src/tss2-fapi/fapi_crypto.c +@@ -122,7 +122,7 @@ static const TPM2B_PUBLIC templateRsaSign = { + .size = 0, + .publicArea = { + .type = TPM2_ALG_RSA, +- .nameAlg = TPM2_ALG_SHA1, ++ .nameAlg = TPM2_ALG_SHA256, + .objectAttributes = ( TPMA_OBJECT_SIGN_ENCRYPT ), + .authPolicy = { + .size = 0, +@@ -153,7 +153,7 @@ static const TPM2B_PUBLIC templateEccSign = { + .size = 0, + .publicArea = { + .type = TPM2_ALG_ECC, +- .nameAlg = TPM2_ALG_SHA1, ++ .nameAlg = TPM2_ALG_SHA256, + .objectAttributes = ( 
TPMA_OBJECT_SIGN_ENCRYPT ), + .authPolicy = { + .size = 0, +diff --git a/src/tss2-fapi/ifapi_policy_callbacks.c b/src/tss2-fapi/ifapi_policy_callbacks.c +index 10d591bb..9c52088d 100644 +--- a/src/tss2-fapi/ifapi_policy_callbacks.c ++++ b/src/tss2-fapi/ifapi_policy_callbacks.c +@@ -1466,8 +1466,10 @@ ifapi_exec_auth_policy( + cleanup: + SAFE_FREE(names); + /* Check whether cleanup was executed. */ +- if (fapi_ctx->policy.policyutil_stack) ++ if (fapi_ctx->policy.policyutil_stack) { + cleanup_policy_list(current_policy->policy_list); ++ current_policy->policy_list = NULL; ++ } + return r; + } + +-- +2.51.0 + diff --git a/0006-FAPI-Fix-wrong-format-directive-in-ifap_set_auth.patch b/0006-FAPI-Fix-wrong-format-directive-in-ifap_set_auth.patch new file mode 100644 index 0000000..5416dea --- /dev/null +++ b/0006-FAPI-Fix-wrong-format-directive-in-ifap_set_auth.patch @@ -0,0 +1,29 @@ +From 379d53c62a7f5e8db828f94b518ff6cbfa2289e6 Mon Sep 17 00:00:00 2001 +From: Juergen Repp +Date: Wed, 26 Jun 2024 16:47:28 +0200 +Subject: [PATCH 06/22] FAPI: Fix wrong format directive in ifap_set_auth + +%u was used for a 16 bit unsigned integer and %lu for sizeof. +Fixes: #2856 + +Signed-off-by: Juergen Repp +--- + src/tss2-fapi/fapi_util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c +index 740d5e4a..d73e50f1 100644 +--- a/src/tss2-fapi/fapi_util.c ++++ b/src/tss2-fapi/fapi_util.c +@@ -441,7 +441,7 @@ ifapi_set_auth( + if (auth != NULL) { + authValue.size = strlen(auth); + if (authValue.size > sizeof(TPMU_HA)) { +- return_error2(TSS2_FAPI_RC_BAD_VALUE, "Size of auth value %u > %lu", ++ return_error2(TSS2_FAPI_RC_BAD_VALUE, "Size of auth value %"PRIu16" > %zu", + authValue.size, sizeof(TPMU_HA)); + } + memcpy(&authValue.buffer[0], auth, authValue.size); +-- +2.51.0 + 
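Review bot: In the `cleanup:` block of ifapi_exec_auth_policy the guard tests `fapi_ctx->policy.policyutil_stack`, but both guarded statements dereference `current_policy`, and the hunk does not show that the two are always non-NULL together. If an early `goto cleanup` can be reached before `current_policy` is assigned, the condition should cover it, for example `if (fapi_ctx->policy.policyutil_stack && current_policy) {`. The function body starts outside the hunk, so this needs checking against the full source.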
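Review bot: The bound check in ifapi_set_auth runs after `strlen(auth)` has already been stored in `authValue.size`, which the corrected format directive treats as a 16-bit field. A string longer than 65535 bytes therefore wraps before it is compared with `sizeof(TPMU_HA)` and can be accepted with a wrapped length instead of being rejected. Checking the full length first closes that gap: `size_t auth_len = strlen(auth);`, then `if (auth_len > sizeof(TPMU_HA)) {`, then `authValue.size = (UINT16)auth_len;`, with the message printing `auth_len` through `%zu`. The `PRIu16` macro also needs `<inttypes.h>`; the include list is outside the hunk.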
diff --git a/0007-fapi-fix-PolicyTemplate-policyDigest-calculation.patch b/0007-fapi-fix-PolicyTemplate-policyDigest-calculation.patch
new file mode 100644
index 0000000..a42fe49
--- /dev/null
+++ b/0007-fapi-fix-PolicyTemplate-policyDigest-calculation.patch
@@ -0,0 +1,35 @@
+From fd21afd65ee7007c0eabbbfbed4cde6b6ec64fbc Mon Sep 17 00:00:00 2001
+From: Johannes Holland
+Date: Mon, 15 Jul 2024 14:51:11 +0200
+Subject: [PATCH 07/22] fapi: fix PolicyTemplate policyDigest calculation.
+
+We forgot to input the old policyDigest for the hash calculation of the
+new policyDigest.
+
+Bug was not caught due to missing return code assignment in
+policy-execute, see 80ffbf825f127.
+
+Fixes: #2862
+
+Signed-off-by: Johannes Holland
+---
+ src/tss2-fapi/ifapi_policy_calculate.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/tss2-fapi/ifapi_policy_calculate.c b/src/tss2-fapi/ifapi_policy_calculate.c
+index 92fc812c..073ab0eb 100644
+--- a/src/tss2-fapi/ifapi_policy_calculate.c
++++ b/src/tss2-fapi/ifapi_policy_calculate.c
+@@ -1269,6 +1269,9 @@ ifapi_calculate_policy_template(
+ r = ifapi_crypto_hash_start(&cryptoContext, current_hash_alg);
+ return_if_error(r, "crypto hash start");
+
++ HASH_UPDATE_BUFFER(cryptoContext,
++ ¤t_digest->digests[digest_idx].digest, hash_size,
++ r, cleanup);
+ HASH_UPDATE(cryptoContext, TPM2_CC, TPM2_CC_PolicyTemplate, r,
+ cleanup);
+ HASH_UPDATE_BUFFER(cryptoContext, &used_template_hash->buffer[0],
+--
+2.51.0
+
diff --git a/0008-FAPI-Fix-unnecessary-writes-to-keystore.patch b/0008-FAPI-Fix-unnecessary-writes-to-keystore.patch
new file mode 100644
index 0000000..ac4f0eb
--- /dev/null
+++ b/0008-FAPI-Fix-unnecessary-writes-to-keystore.patch
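Review bot: The hash sequence in ifapi_calculate_policy_template has no comment stating the formula it implements, and the missing first term is exactly what this patch corrects; a line above the new call such as `/* policyDigest_new = H(policyDigest_old || TPM2_CC_PolicyTemplate || templateHash) */` would make a future omission easier to spot. The commit message says the error went unnoticed because of a missing return-code assignment, so a known-answer test for this digest would be a useful companion. On this page the second argument of the added call appears as `¤t_digest`, which looks like `&current_digest` damaged by HTML-entity decoding, so the patch should be applied from the original file rather than from this rendering.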
@@ -0,0 +1,145 @@ +From 1ea2ff7a2779b584bd6e5a95f839187019edd66a Mon Sep 17 00:00:00 2001 +From: Juergen Repp +Date: Fri, 2 Aug 2024 20:31:19 +0200 +Subject: [PATCH 08/22] FAPI: Fix unnecessary writes to keystore. + +* A duplicate write operation to the keystore was executed by + Fapi_NvWrite. +* A write operation to the keystore was only needed after the + first call of Fapi_NvWrite because the NV_WRITTEN bit was set. +* A write operation to the keystore by Fapi_ChangeAuth was only needed + if the value of the attribute with_auth was changed. + +Addresses: #2881 + +Signed-off-by: Juergen Repp +--- + src/tss2-fapi/api/Fapi_ChangeAuth.c | 26 ++++++++++++++++++++++---- + src/tss2-fapi/api/Fapi_NvWrite.c | 24 ------------------------ + src/tss2-fapi/fapi_util.c | 13 +++++++++++++ + 3 files changed, 35 insertions(+), 28 deletions(-) + +diff --git a/src/tss2-fapi/api/Fapi_ChangeAuth.c b/src/tss2-fapi/api/Fapi_ChangeAuth.c +index 42e994c2..9aaf2d39 100644 +--- a/src/tss2-fapi/api/Fapi_ChangeAuth.c ++++ b/src/tss2-fapi/api/Fapi_ChangeAuth.c +@@ -413,10 +413,19 @@ Fapi_ChangeAuth_Finish( + empty authorization or an actual password. */ + object = command->key_object; + +- if (strlen(command->authValue) > 0) ++ if (strlen(command->authValue) > 0) { ++ if (object->misc.key.with_auth == TPM2_YES) { ++ context->state = ENTITY_CHANGE_AUTH_CLEANUP; ++ return TSS2_FAPI_RC_TRY_AGAIN; ++ } + object->misc.key.with_auth = TPM2_YES; +- else ++ } else { ++ if (object->misc.key.with_auth == TPM2_NO) { ++ context->state = ENTITY_CHANGE_AUTH_CLEANUP; ++ return TSS2_FAPI_RC_TRY_AGAIN; ++ } + object->misc.key.with_auth = TPM2_NO; ++ } + fallthrough; + + statecase(context->state, ENTITY_CHANGE_AUTH_WRITE_PREPARE) +@@ -496,10 +505,19 @@ Fapi_ChangeAuth_Finish( + + /* Update the information about whether the new Auth is an empty + authorization or an actual password. 
*/ +- if (strlen(command->authValue) > 0) ++ if (strlen(command->authValue) > 0) { ++ if (object->misc.key.with_auth == TPM2_YES) { ++ context->state = ENTITY_CHANGE_AUTH_CLEANUP; ++ return TSS2_FAPI_RC_TRY_AGAIN; ++ } + object->misc.nv.with_auth = TPM2_YES; +- else ++ } else { ++ if (object->misc.key.with_auth == TPM2_NO) { ++ context->state = ENTITY_CHANGE_AUTH_CLEANUP; ++ return TSS2_FAPI_RC_TRY_AGAIN; ++ } + object->misc.nv.with_auth = TPM2_NO; ++ } + + /* Jump over to the AUTH_WRITE_PREPARE state for storing the + new metadata to the keystore. */ +diff --git a/src/tss2-fapi/api/Fapi_NvWrite.c b/src/tss2-fapi/api/Fapi_NvWrite.c +index c8df7cdf..b9d16313 100644 +--- a/src/tss2-fapi/api/Fapi_NvWrite.c ++++ b/src/tss2-fapi/api/Fapi_NvWrite.c +@@ -252,10 +252,6 @@ Fapi_NvWrite_Finish( + + switch (context->state) { + statecase(context->state, NV_WRITE_READ); +- /* First check whether the file in object store can be updated. */ +- r = ifapi_keystore_check_writeable(&context->keystore, command->nvPath); +- goto_if_error_reset_state(r, "Check whether update object store is possible.", error_cleanup); +- + /* Write to the NV index. 
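Review bot: In the second Fapi_ChangeAuth_Finish hunk (the NV branch) the two added early-exit checks read `object->misc.key.with_auth`, while the assignments right next to them write `object->misc.nv.with_auth`, which looks like a copy-paste from the key branch. The checks should test the NV member, `if (object->misc.nv.with_auth == TPM2_YES) {` and `if (object->misc.nv.with_auth == TPM2_NO) {`; as written, the decision to skip the keystore update is taken on a field that does not belong to an NV object. Patch 0010 further down the page removes the corresponding checks from the key branch and leaves these two unchanged.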
*/ + r = ifapi_nv_write(context, command->nvPath, command->offset, + command->data, command->numBytes); +@@ -263,26 +259,6 @@ Fapi_NvWrite_Finish( + return_try_again(r); + goto_if_error_reset_state(r, " FAPI NV Write", error_cleanup); + +- +- /* Perform esys serialization if necessary */ +- r = ifapi_esys_serialize_object(context->esys, &command->nv_object); +- goto_if_error(r, "Prepare serialization", error_cleanup); +- +- /* Start writing the NV object to the key store */ +- r = ifapi_keystore_store_async(&context->keystore, &context->io, +- command->nvPath, +- &command->nv_object); +- goto_if_error_reset_state(r, "Could not open: %sh", error_cleanup, +- command->nvPath); +- +- fallthrough; +- +- statecase(context->state, NV_WRITE_WRITE); +- /* Finish writing the NV object to the key store */ +- r = ifapi_keystore_store_finish(&context->io); +- return_try_again(r); +- return_if_error_reset_state(r, "write_finish failed"); +- + fallthrough; + + statecase(context->state, NV_WRITE_CLEANUP) +diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c +index d73e50f1..4b147ff9 100644 +--- a/src/tss2-fapi/fapi_util.c ++++ b/src/tss2-fapi/fapi_util.c +@@ -2322,6 +2322,13 @@ ifapi_nv_write( + context->nv_cmd.esys_handle = nv_index; + context->nv_cmd.nv_obj = object->misc.nv; + ++ /* Check whether the file in object store can be updated if necessary */ ++ if (!(context->nv_cmd.nv_object.misc.nv.public.nvPublic.attributes & ++ TPMA_NV_WRITTEN) ){ ++ r = ifapi_keystore_check_writeable(&context->keystore, nvPath); ++ goto_if_error_reset_state(r, "Check whether update object store is possible.", error_cleanup); ++ } ++ + /* Determine the object which will be uses for authorization. 
*/ + if (object->misc.nv.public.nvPublic.attributes & TPMA_NV_PPWRITE) { + ifapi_init_hierarchy_object(auth_object, ESYS_TR_RH_PLATFORM); +@@ -2443,6 +2450,12 @@ ifapi_nv_write( + return TSS2_FAPI_RC_TRY_AGAIN; + + } ++ if (context->nv_cmd.nv_object.misc.nv.public.nvPublic.attributes & ++ TPMA_NV_WRITTEN) { ++ LOG_DEBUG("success"); ++ r = TSS2_RC_SUCCESS; ++ break; ++ } + fallthrough; + + statecase(context->nv_cmd.nv_write_state, NV2_WRITE_WRITE_PREPARE); +-- +2.51.0 + diff --git a/0009-FAPI-Fix-segfault-if-json-field-is-null.patch b/0009-FAPI-Fix-segfault-if-json-field-is-null.patch new file mode 100644 index 0000000..512adf7 --- /dev/null +++ b/0009-FAPI-Fix-segfault-if-json-field-is-null.patch 
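Review bot: Both TPMA_NV_WRITTEN tests added to ifapi_nv_write read `context->nv_cmd.nv_object.misc.nv.public.nvPublic.attributes`, whereas the neighbouring lines go through the local `object` (`context->nv_cmd.nv_obj = object->misc.nv;` just above, `object->misc.nv.public.nvPublic.attributes & TPMA_NV_PPWRITE` just below). If `object` is an alias for `nv_cmd.nv_object`, using `object->misc.nv.public.nvPublic.attributes` in the new tests keeps the function consistent; if it is not, the hunk does not show that `nv_cmd.nv_object` is populated when the first test runs, and the writeability check could be decided on stale attributes. The early `break` in the second hunk also bypasses the write-prepare state, so the code after the switch, which is outside the hunk, should be checked to still release `write_data` and reset the state on that path.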
@@ -0,0 +1,50 @@ +From 4be439941693b223244ef5fd33a46e80861a429c Mon Sep 17 00:00:00 2001 +From: Juergen Repp +Date: Wed, 31 Jul 2024 22:37:07 +0200 +Subject: [PATCH 09/22] FAPI: Fix segfault if json field is null. + +The function json_object_object_get_ex does not create a +json object for the parameter value in the case "key":null. +This caused a segfault in json deserialization. +Fixes: #2878 + +Signed-off-by: Juergen Repp +--- + src/tss2-fapi/tpm_json_deserialize.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/src/tss2-fapi/tpm_json_deserialize.c b/src/tss2-fapi/tpm_json_deserialize.c +index 1b27a83f..02a72592 100644 +--- a/src/tss2-fapi/tpm_json_deserialize.c ++++ b/src/tss2-fapi/tpm_json_deserialize.c +@@ -231,13 +231,25 @@ ifapi_get_sub_object(json_object *jso, char *name, json_object **sub_jso) + { + int i; + if (json_object_object_get_ex(jso, name, sub_jso)) { +- return true; ++ if (*sub_jso) { ++ return true; ++ } else { ++ return false; ++ } + } else { + char name2[strlen(name) + 1]; + for (i = 0; name[i]; i++) + name2[i] = tolower(name[i]); + name2[strlen(name)] = '\0'; +- return json_object_object_get_ex(jso, name2, sub_jso); ++ if (json_object_object_get_ex(jso, name2, sub_jso)) { ++ if (*sub_jso) { ++ return true; ++ } else { ++ return false; ++ } ++ } else { ++ return false; ++ } + } + } + +-- +2.51.0 + diff --git a/0010-FAPI-Fix-Fapi_ChangeAuth-for-keys.patch b/0010-FAPI-Fix-Fapi_ChangeAuth-for-keys.patch new file mode 100644 index 0000000..0d53eec --- /dev/null +++ b/0010-FAPI-Fix-Fapi_ChangeAuth-for-keys.patch 
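Review bot: The null test added after each `json_object_object_get_ex` call in `ifapi_get_sub_object` is written twice as a five-line if/else that returns `true` or `false`; each can be `return *sub_jso != NULL;`, which keeps the two lookups visibly parallel. The function's comment should also state that a key whose value is JSON `null` is now reported as absent, since the deserialization callers rely on the return value before dereferencing `sub_jso`. In the unchanged fallback loop, `tolower(name[i])` receives a plain `char`; casting to `unsigned char` avoids undefined behaviour for bytes above 0x7f. The signature sits in the hunk header, so any existing comment on the function is outside the hunk.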
@@ -0,0 +1,39 @@
+From 236c9c61cecf478cf4ae86606495a9f93535a27a Mon Sep 17 00:00:00 2001
+From: Juergen Repp
+Date: Wed, 21 Aug 2024 18:56:02 +0200
+Subject: [PATCH 10/22] FAPI: Fix Fapi_ChangeAuth for keys.
+
+The keystore has to be updated after Fapi_ChangeAuth for key
+objects because the private field is changed.
+If not an HMAC error is produced when this key is used.
+Fixes: #2890
+
+Signed-off-by: Juergen Repp
+---
+ src/tss2-fapi/api/Fapi_ChangeAuth.c | 8 --------
+ 1 file changed, 8 deletions(-)
+
+diff --git a/src/tss2-fapi/api/Fapi_ChangeAuth.c b/src/tss2-fapi/api/Fapi_ChangeAuth.c
+index 9aaf2d39..d9003920 100644
+--- a/src/tss2-fapi/api/Fapi_ChangeAuth.c
++++ b/src/tss2-fapi/api/Fapi_ChangeAuth.c
+@@ -414,16 +414,8 @@ Fapi_ChangeAuth_Finish(
+ object = command->key_object;
+
+ if (strlen(command->authValue) > 0) {
+- if (object->misc.key.with_auth == TPM2_YES) {
+- context->state = ENTITY_CHANGE_AUTH_CLEANUP;
+- return TSS2_FAPI_RC_TRY_AGAIN;
+- }
+ object->misc.key.with_auth = TPM2_YES;
+ } else {
+- if (object->misc.key.with_auth == TPM2_NO) {
+- context->state = ENTITY_CHANGE_AUTH_CLEANUP;
+- return TSS2_FAPI_RC_TRY_AGAIN;
+- }
+ object->misc.key.with_auth = TPM2_NO;
+ }
+ fallthrough;
+--
+2.51.0
+
diff --git a/0011-tcti-msim-Fix-call-of-socket_xmit_buf-in-send_sim_se.patch b/0011-tcti-msim-Fix-call-of-socket_xmit_buf-in-send_sim_se.patch
new file mode 100644
index 0000000..5d65100
--- /dev/null
+++ b/0011-tcti-msim-Fix-call-of-socket_xmit_buf-in-send_sim_se.patch
@@ -0,0 +1,48 @@
+From 67d21f1c0b66b802230a4710d056759d3c707e11 Mon Sep 17 00:00:00 2001
+From: Juergen Repp
+Date: Mon, 2 Dec 2024 20:33:43 +0100
+Subject: [PATCH 11/22] tcti-msim: Fix call of socket_xmit_buf in
+ send_sim_session_end.
+
+* socket_xmit_buf was not called after successful marshalling.
+* The result of the write function was not set in the wrapper function for
+ write in the teardown function.
+
+Fixes: #2915
+
+Signed-off-by: Juergen Repp
+---
+ src/tss2-tcti/tcti-mssim.c | 2 +-
+ test/unit/tcti-mssim.c | 3 +++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/tss2-tcti/tcti-mssim.c b/src/tss2-tcti/tcti-mssim.c
+index a0afa9fd..cf6f4208 100644
+--- a/src/tss2-tcti/tcti-mssim.c
++++ b/src/tss2-tcti/tcti-mssim.c
+@@ -134,7 +134,7 @@ send_sim_session_end (
+ TSS2_RC rc;
+
+ rc = Tss2_MU_UINT32_Marshal (TPM_SESSION_END, buf, sizeof (buf), NULL);
+- if (rc == TSS2_RC_SUCCESS) {
++ if (rc != TSS2_RC_SUCCESS) {
+ return rc;
+ }
+ return socket_xmit_buf (sock, buf, sizeof (buf));
+diff --git a/test/unit/tcti-mssim.c b/test/unit/tcti-mssim.c
+index bafcb743..90e97c5f 100644
+--- a/test/unit/tcti-mssim.c
++++ b/test/unit/tcti-mssim.c
+@@ -337,6 +337,9 @@ tcti_socket_teardown (void **state)
+ {
+ TSS2_TCTI_CONTEXT *ctx = (TSS2_TCTI_CONTEXT*)*state;
+
++ will_return (__wrap_write, 4);
++ will_return (__wrap_write, 4);
++
+ Tss2_Tcti_Finalize (ctx);
+ free (ctx);
+ return 0;
+--
+2.51.0
+
diff --git a/0012-FAPI-Fix-missing-scanf-checks.patch b/0012-FAPI-Fix-missing-scanf-checks.patch
new file mode 100644
index 0000000..b7469b4
--- /dev/null
+++ b/0012-FAPI-Fix-missing-scanf-checks.patch
@@ -0,0 +1,42 @@
+From 159d5cfc8058fa654d614d8108919806dca091b5 Mon Sep 17 00:00:00 2001
+From: Juergen Repp
+Date: Sat, 19 Oct 2024 13:21:20 +0200
+Subject: [PATCH 12/22] FAPI: Fix missing scanf checks.
+
+In several cases the return value of scanf was not checked.
+Thus afterwards acces to variables not initialized was possible.
+
+Signed-off-by: Juergen Repp
+---
+ src/tss2-fapi/ifapi_helpers.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/tss2-fapi/ifapi_helpers.c b/src/tss2-fapi/ifapi_helpers.c
+index bd6e2dab..a651af42 100644
+--- a/src/tss2-fapi/ifapi_helpers.c
++++ b/src/tss2-fapi/ifapi_helpers.c
+@@ -84,8 +84,8 @@ ifapi_set_key_flags(const char *type, bool policy, IFAPI_KEY_TEMPLATE *template)
+ } else if (strcasecmp(flag, "noda") == 0) {
+ attributes |= TPMA_OBJECT_NODA;
+ } else if (strncmp(flag, "0x", 2) == 0) {
+- sscanf(&flag[2], "%"SCNx32 "%n", &handle, &pos);
+- if ((size_t)pos != strlen(flag) - 2) {
++ if (sscanf(&flag[2], "%"SCNx32 "%n", &handle, &pos) < 1 ||
++ (size_t)pos != strlen(flag) - 2) {
+ goto_error(r, TSS2_FAPI_RC_BAD_VALUE, "Invalid flag: %s",
+ error, flag);
+ }
+@@ -181,8 +181,8 @@ ifapi_set_nv_flags(const char *type, IFAPI_NV_TEMPLATE *template,
+ } else if (strcasecmp(flag, "noda") == 0) {
+ attributes |= TPMA_NV_NO_DA;
+ } else if (strncmp(flag, "0x", 2) == 0) {
+- sscanf(&flag[2], "%"SCNx32 "%n", &handle, &pos);
+- if ((size_t)pos != strlen(flag) - 2) {
++ if (sscanf(&flag[2], "%"SCNx32 "%n", &handle, &pos) < 1 ||
++ (size_t)pos != strlen(flag) - 2) {
+ goto_error(r, TSS2_FAPI_RC_BAD_VALUE, "Invalid flag: %s",
+ error, flag);
+ }
+--
+2.51.0
+
diff --git a/0013-FAPI-Fix-Local-variable-address-stored-in-non-local-.patch b/0013-FAPI-Fix-Local-variable-address-stored-in-non-local-.patch
new file mode 100644
index 0000000..3bb7a1f
--- /dev/null
+++ b/0013-FAPI-Fix-Local-variable-address-stored-in-non-local-.patch
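Review bot: Both rewritten checks, in `ifapi_set_key_flags` and in `ifapi_set_nv_flags`, still parse the hex flag with `sscanf` and `SCNx32`, which cannot report a value that does not fit in 32 bits; the C standard leaves that conversion undefined, so an over-long hex string is not reliably rejected. Parsing with `strtoul` and checking `errno`, the end pointer and `UINT32_MAX` covers the empty, trailing-garbage and overflow cases in one place. The sketch assumes `handle` is a 32-bit unsigned object, as the `SCNx32` directive implies, and that `<errno.h>` is already included in the file. Both functions start and end outside the hunks.

```c
} else if (strncmp(flag, "0x", 2) == 0) {
    /* strtoul reports overflow through ERANGE; sscanf("%x") does not. */
    char *end = NULL;
    unsigned long value;

    errno = 0;
    value = strtoul(&flag[2], &end, 16);
    if (end == &flag[2] || *end != '\0' || errno == ERANGE ||
        value > UINT32_MAX) {
        goto_error(r, TSS2_FAPI_RC_BAD_VALUE, "Invalid flag: %s",
                   error, flag);
    }
    handle = (uint32_t)value;
    /* … unchanged: rest of the 0x branch … */
```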
@@ -0,0 +1,92 @@ +From 639cb917cb020b0aeb849054e538ddf7a41c497c Mon Sep 17 00:00:00 2001 +From: Juergen Repp +Date: Sat, 19 Oct 2024 14:03:43 +0200 +Subject: [PATCH 13/22] FAPI: Fix Local variable address stored in non-local + memory. + +The corresponding local array is now created with malloc and +freed after the execution of Fapi_WriteAuthorizeNv_Finish. + +Signed-off-by: Juergen Repp +--- + src/tss2-fapi/api/Fapi_WriteAuthorizeNV.c | 15 ++++++++++----- + src/tss2-fapi/fapi_int.h | 1 + + 2 files changed, 11 insertions(+), 5 deletions(-) + +diff --git a/src/tss2-fapi/api/Fapi_WriteAuthorizeNV.c b/src/tss2-fapi/api/Fapi_WriteAuthorizeNV.c +index 8e346e80..1a133188 100644 +--- a/src/tss2-fapi/api/Fapi_WriteAuthorizeNV.c ++++ b/src/tss2-fapi/api/Fapi_WriteAuthorizeNV.c +@@ -227,7 +227,6 @@ Fapi_WriteAuthorizeNv_Finish( + + TSS2_RC r; + const size_t maxNvSize = sizeof(TPMU_HA) + sizeof(TPMI_ALG_HASH); +- BYTE nvBuffer[maxNvSize]; + size_t offset = 0; + + /* Check for NULL parameters */ +@@ -242,6 +241,7 @@ Fapi_WriteAuthorizeNv_Finish( + + switch (context->state) { + statecase(context->state, WRITE_AUTHORIZE_NV_READ_NV) ++ nvCmd->nv_buffer = NULL; + /* First check whether the file in object store can be updated. 
*/ + r = ifapi_keystore_check_writeable(&context->keystore, nvCmd->nvPath); + goto_if_error_reset_state(r, +@@ -275,25 +275,29 @@ Fapi_WriteAuthorizeNv_Finish( + + statecase(context->state, WRITE_AUTHORIZE_NV_WRITE_NV_RAM_PREPARE) + ++ nvCmd->nv_buffer = malloc(maxNvSize); ++ if (!nvCmd->nv_buffer) { ++ goto_error(r, TSS2_FAPI_RC_MEMORY, "Out of memory", error_cleanup); ++ } ++ + /* Copy hash alg followed by digest into a buffer to be written to NV ram */ + r = Tss2_MU_TPMI_ALG_HASH_Marshal( + object->misc.nv.public.nvPublic.nameAlg, +- &nvBuffer[0], maxNvSize, &offset); ++ &nvCmd->nv_buffer[0], maxNvSize, &offset); + goto_if_error_reset_state(r, "FAPI marshal hash alg", error_cleanup); + + void * currentDigest = + &policy->policyDigests.digests[command->digest_idx].digest; +- memcpy(&nvBuffer[offset], currentDigest, command->hash_size); ++ memcpy(&nvCmd->nv_buffer[offset], currentDigest, command->hash_size); + + /* Store these data in the context to be used for re-entry on nv_write. */ +- nvCmd->data = &nvBuffer[0]; + nvCmd->numBytes = command->hash_size + sizeof(TPMI_ALG_HASH); + fallthrough; + + statecase(context->state, WRITE_AUTHORIZE_NV_WRITE_NV_RAM) + /* Perform the actual NV Write operation. */ + r = ifapi_nv_write(context, nvCmd->nvPath, 0, +- nvCmd->data, context->nv_cmd.numBytes); ++ nvCmd->nv_buffer, context->nv_cmd.numBytes); + return_try_again(r); + goto_if_error_reset_state(r, " FAPI NV Write", error_cleanup); + +@@ -345,6 +349,7 @@ error_cleanup: + /* Cleanup any intermediate results and state stored in the context. 
*/ + SAFE_FREE(command->policyPath); + SAFE_FREE(nvCmd->nvPath); ++ SAFE_FREE(nvCmd->nv_buffer); + ifapi_session_clean(context); + ifapi_cleanup_policy(policy); + ifapi_cleanup_ifapi_object(&context->loadKey.auth_object); +diff --git a/src/tss2-fapi/fapi_int.h b/src/tss2-fapi/fapi_int.h +index 84352684..06f69c5c 100644 +--- a/src/tss2-fapi/fapi_int.h ++++ b/src/tss2-fapi/fapi_int.h +@@ -233,6 +233,7 @@ typedef struct { + UINT16 offset; /**< Offset in TPM memory TPM */ + size_t data_idx; /**< Offset in the read buffer */ + const uint8_t *data; /**< Buffer for data to be written */ ++ uint8_t *nv_buffer; /**< Buffer for data to be written */ + uint8_t *rdata; /**< Buffer for data to be read */ + size_t size; /**< size of rdata */ + IFAPI_OBJECT auth_object; /**< Object used for authentication */ +-- +2.51.0 + diff --git a/0014-FAPI-Fix-misleading-error-message.patch b/0014-FAPI-Fix-misleading-error-message.patch new file mode 100644 index 0000000..fec21e2 --- /dev/null +++ b/0014-FAPI-Fix-misleading-error-message.patch 
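Review bot: The `memcpy` into `&nvCmd->nv_buffer[offset]` copies `command->hash_size` bytes into a heap block of `maxNvSize` bytes without comparing the two, so an oversized digest would now overwrite adjacent heap memory. Nothing in the hunk shows where `hash_size` is bounded, so a guard before the copy is cheap insurance: `if (command->hash_size > maxNvSize - offset) { goto_error(r, TSS2_FAPI_RC_BAD_VALUE, "Digest too large", error_cleanup); }`. In `fapi_int.h` the new `nv_buffer` member carries the same comment as `data`; it should say that `nv_buffer` is heap-allocated in `Fapi_WriteAuthorizeNv_Finish` and released there by `SAFE_FREE`. The function body extends beyond the hunks shown.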
@@ -0,0 +1,29 @@
+From 4f0a1fa7055652a93fb49b4960b074d40656fb30 Mon Sep 17 00:00:00 2001
+From: Juergen Repp
+Date: Wed, 11 Dec 2024 12:30:40 +0100
+Subject: [PATCH 14/22] FAPI: Fix misleading error message.
+
+The error message "key not found" was misleading for the case when
+a NV object was not found.
+
+Signed-off-by: Juergen Repp
+---
+ src/tss2-fapi/ifapi_keystore.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tss2-fapi/ifapi_keystore.c b/src/tss2-fapi/ifapi_keystore.c
+index 8d47b1e8..293df979 100644
+--- a/src/tss2-fapi/ifapi_keystore.c
++++ b/src/tss2-fapi/ifapi_keystore.c
+@@ -1158,7 +1158,7 @@ keystore_search_obj(
+ statecase(keystore->key_search.state, KSEARCH_SEARCH_OBJECT)
+ /* Use the next object in the path list */
+ if (keystore->key_search.path_idx == 0) {
+- goto_error(r, TSS2_FAPI_RC_PATH_NOT_FOUND, "Key not found.", cleanup);
++ goto_error(r, TSS2_FAPI_RC_PATH_NOT_FOUND, "Key or NV object not found.", cleanup);
+ }
+ keystore->key_search.path_idx -= 1;
+ path_idx = keystore->key_search.path_idx;
+--
+2.51.0
+
diff --git a/0015-FAPI-Fix-file-io-if-d_type-of-dirent-is-not-supporte.patch b/0015-FAPI-Fix-file-io-if-d_type-of-dirent-is-not-supporte.patch
new file mode 100644
index 0000000..bcee642
--- /dev/null
+++ b/0015-FAPI-Fix-file-io-if-d_type-of-dirent-is-not-supporte.patch
@@ -0,0 +1,174 @@ +From a76999637a7880124f84b02196f7fe17716b91a7 Mon Sep 17 00:00:00 2001 +From: Juergen Repp +Date: Mon, 16 Dec 2024 22:35:20 +0100 +Subject: [PATCH 15/22] FAPI: Fix file io if d_type of dirent is not supported. + +It is not guaranteed that d-type of the structure dirent contains the +type of a file entry. It is possible that d_type has the value DT_UNKNOWN +or d_type is not supported at all. +To fix this problem, the functions is_regular_file and is_directory are +defined. +Fixes #2927 + +Signed-off-by: Juergen Repp +--- + src/tss2-fapi/ifapi_io.c | 101 +++++++++++++++++++++++++++++++++++++-- + 1 file changed, 98 insertions(+), 3 deletions(-) + +diff --git a/src/tss2-fapi/ifapi_io.c b/src/tss2-fapi/ifapi_io.c +index 97ad7952..4f138a2e 100644 +--- a/src/tss2-fapi/ifapi_io.c ++++ b/src/tss2-fapi/ifapi_io.c +@@ -31,6 +31,88 @@ + #include "util/log.h" + #include "util/aux_util.h" + ++/** Determine if a sub file in directory is also a directory ++ * ++ * @param[in] directory The directory containing the file ++ * @param[in] entry The dirent entry of the file. ++ * @param[out] isdir The flag whether file is a directory. ++ * @retval TSS2_RC_SUCCESS: if the function call was a success. ++ * @retval TSS2_FAPI_RC_IO_ERROR: if an I/O error was encountered; such as the file was not found. ++ * @retval TSS2_FAPI_RC_MEMORY: if memory could not be allocated to hold the read data. ++ */ ++static TSS2_RC ++is_directory(const char* dir_name, struct dirent *entry, bool *isdir) { ++ TSS2_RC r; ++ char *path; ++ ++#ifdef _DIRENT_HAVE_D_TYPE ++ if (entry->d_type == DT_DIR) { ++ *isdir = true; ++ return TSS2_RC_SUCCESS; ++ } else if (entry->d_type != DT_UNKNOWN) { ++ *isdir = false; ++ return TSS2_RC_SUCCESS; ++ } ++#endif ++ /* stat is used if d_type is not supported or unknown. 
*/ ++ struct stat file_stat; ++ r = ifapi_asprintf(&path, "%s/%s", dir_name, entry->d_name); ++ return_if_error(r, "Out of memory"); ++ ++ if (stat(path, &file_stat) == -1) { ++ free(path); ++ return_error(TSS2_FAPI_RC_IO_ERROR, "stat failed."); ++ } ++ if (S_ISDIR(file_stat.st_mode)) { ++ *isdir = true; ++ } else { ++ *isdir = false; ++ } ++ free(path); ++ return TSS2_RC_SUCCESS; ++} ++ ++/** Determine if a sub file in directory is a regular file. ++ * ++ * @param[in] directory The directory containing the file ++ * @param[in] entry The dirent entry of the file. ++ * @param[out] isreg The flag whether file is a regular file. ++ * @retval TSS2_RC_SUCCESS: if the function call was a success. ++ * @retval TSS2_FAPI_RC_IO_ERROR: if an I/O error was encountered; such as the file was not found. ++ * @retval TSS2_FAPI_RC_MEMORY: if memory could not be allocated to hold the read data. ++ */ ++static TSS2_RC ++is_regular_file(const char* dir_name, struct dirent *entry, bool *isreg) { ++ TSS2_RC r; ++ char *path; ++ ++#ifdef _DIRENT_HAVE_D_TYPE ++ if (entry->d_type == DT_REG) { ++ *isreg = true; ++ return TSS2_RC_SUCCESS; ++ } else if (entry->d_type != DT_UNKNOWN){ ++ *isreg = false; ++ return TSS2_RC_SUCCESS; ++ } ++#endif ++ /* stat is used if d_type is not supported or unknown. */ ++ struct stat file_stat; ++ r = ifapi_asprintf(&path, "%s/%s", dir_name, entry->d_name); ++ return_if_error(r, "Out of memory"); ++ ++ if (stat(path, &file_stat) == -1) { ++ free(path); ++ return_error(TSS2_FAPI_RC_IO_ERROR, "stat failed."); ++ } ++ if (S_ISREG(file_stat.st_mode)) { ++ *isreg = true; ++ } else { ++ *isreg = false; ++ } ++ free(path); ++ return TSS2_RC_SUCCESS; ++} ++ + /** Start reading a file's complete content into memory in an asynchronous way. + * + * @param[in,out] io The input/output context being used for file I/O. 
+@@ -392,6 +474,7 @@ ifapi_io_remove_directories( + TSS2_RC r; + char *path; + size_t len_kstore_path, len_dir_path, diff_len, pos; ++ bool is_dir; + + LOG_TRACE("Removing directory: %s", dirname); + +@@ -409,7 +492,10 @@ ifapi_io_remove_directories( + continue; + + /* If an entry is a directory then we call ourself recursively to remove those */ +- if (entry->d_type == DT_DIR) { ++ r = is_directory(dirname, entry, &is_dir); ++ goto_if_error(r, "directory check", error_cleanup); ++ ++ if (is_dir) { + r = ifapi_asprintf(&path, "%s/%s", dirname, entry->d_name); + goto_if_error(r, "Out of memory", error_cleanup); + +@@ -482,6 +568,8 @@ ifapi_io_dirfiles( + int numentries = 0; + struct dirent **namelist; + size_t numpaths = 0; ++ bool is_reg_file; ++ TSS2_RC r; + check_not_null(dirname); + check_not_null(files); + check_not_null(numfiles); +@@ -500,7 +588,10 @@ ifapi_io_dirfiles( + /* Iterating through the list of entries inside the directory. */ + for (size_t i = 0; i < (size_t) numentries; i++) { + LOG_TRACE("Looking at %s", namelist[i]->d_name); +- if (namelist[i]->d_type != DT_REG) ++ ++ r = is_regular_file(dirname, namelist[i], &is_reg_file); ++ if (r) goto error_oom; ++ if (!is_reg_file) + continue; + + paths[numpaths] = strdup(namelist[i]->d_name); +@@ -551,6 +642,7 @@ dirfiles_all(const char *dir_name, NODE_OBJECT_T **list, size_t *n) + TSS2_RC r; + char *path; + NODE_OBJECT_T *second; ++ bool is_dir; + + if (!(dir = opendir(dir_name))) { + return TSS2_RC_SUCCESS; +@@ -559,7 +651,10 @@ dirfiles_all(const char *dir_name, NODE_OBJECT_T **list, size_t *n) + /* Iterating through the list of entries inside the directory. 
*/ + while ((entry = readdir(dir)) != NULL) { + path = NULL; +- if (entry->d_type == DT_DIR) { ++ r = is_directory(dir_name, entry, &is_dir); ++ return_if_error(r, "directory check failed"); ++ ++ if (is_dir) { + /* Recursive call for sub directories */ + if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) + continue; +-- +2.51.0 + diff --git a/0016-SAPI-Allow-state-CMD_STAGE_SEND_COMMAND-for-Tss2_Sys.patch b/0016-SAPI-Allow-state-CMD_STAGE_SEND_COMMAND-for-Tss2_Sys.patch new file mode 100644 index 0000000..785df19 --- /dev/null +++ b/0016-SAPI-Allow-state-CMD_STAGE_SEND_COMMAND-for-Tss2_Sys.patch 
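Review bot: The `stat()` fallback in `is_directory` and `is_regular_file` follows symbolic links, whereas the `d_type` path reports a link as neither `DT_DIR` nor `DT_REG`, so the two paths disagree on the same entry. In `ifapi_io_remove_directories` that means a link to a directory is recursed into only where `d_type` is `DT_UNKNOWN` or unsupported; using `lstat(path, &file_stat)` in both helpers keeps removal inside the tree being deleted and makes the results match. In `dirfiles_all` the added `return_if_error(r, "directory check failed");` appears to leave `dir` open, since no `closedir` is visible on that path; the rest of that function is outside the hunk. The `@param[in] directory` lines in both doc comments should name the actual parameter, `dir_name`.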
@@ -0,0 +1,67 @@ +From 2af808f554a815e20482d9405ff3f9f36539c428 Mon Sep 17 00:00:00 2001 +From: Juergen Repp +Date: Sat, 25 Jan 2025 12:25:20 +0100 +Subject: [PATCH 16/22] SAPI: Allow state CMD_STAGE_SEND_COMMAND for + Tss2_Sys_GetCpBuffer. + +The CP buffer should still be available before Tss2_ExecuteFinish is +called. + +Signed-off-by: Juergen Repp +--- + src/tss2-sys/api/Tss2_Sys_GetCpBuffer.c | 2 +- + test/tpmclient/tpmclient.int.c | 18 +++++++++--------- + 2 files changed, 10 insertions(+), 10 deletions(-) + +diff --git a/src/tss2-sys/api/Tss2_Sys_GetCpBuffer.c b/src/tss2-sys/api/Tss2_Sys_GetCpBuffer.c +index d054ac45..7b227789 100644 +--- a/src/tss2-sys/api/Tss2_Sys_GetCpBuffer.c ++++ b/src/tss2-sys/api/Tss2_Sys_GetCpBuffer.c +@@ -22,7 +22,7 @@ TSS2_RC Tss2_Sys_GetCpBuffer( + if (!ctx || !cpBufferUsedSize || !cpBuffer) + return TSS2_SYS_RC_BAD_REFERENCE; + +- if (ctx->previousStage != CMD_STAGE_PREPARE) ++ if (ctx->previousStage != CMD_STAGE_PREPARE && ctx->previousStage != CMD_STAGE_SEND_COMMAND) + return TSS2_SYS_RC_BAD_SEQUENCE; + + *cpBuffer = ctx->cpBuffer; +diff --git a/test/tpmclient/tpmclient.int.c b/test/tpmclient/tpmclient.int.c +index 537050d2..25965d34 100644 +--- a/test/tpmclient/tpmclient.int.c ++++ b/test/tpmclient/tpmclient.int.c +@@ -2101,14 +2101,7 @@ retry: + rval = Tss2_Sys_SetDecryptParam( sysContext, 10, (uint8_t *)4 ); + CheckFailed( rval, TSS2_SYS_RC_BAD_SEQUENCE ); /* #12 */ + +- /* +- * NOTE: Stick test for BAD_SEQUENCE for GetCpBuffer here, just +- * because it's easier to do this way. +- */ +- rval = Tss2_Sys_GetCpBuffer( sysContext, (size_t *)4, &cpBuffer ); +- CheckFailed( rval, TSS2_SYS_RC_BAD_SEQUENCE ); /* #13 */ +- +- /* ++ /* + * Now finish the write command so that TPM isn't stuck trying + * to send a response. 
+ */ +@@ -2117,7 +2110,14 @@ retry: + LOG_INFO ("got TPM2_RC_RETRY, trying again"); + goto retry; + } +- CheckPassed( rval ); /* #14 */ ++ CheckPassed( rval ); /* #13 */ ++ ++ /* ++ * NOTE: Stick test for BAD_SEQUENCE for GetCpBuffer here, just ++ * because it's easier to do this way. ++ */ ++ rval = Tss2_Sys_GetCpBuffer( sysContext, (size_t *)4, &cpBuffer ); ++ CheckFailed( rval, TSS2_SYS_RC_BAD_SEQUENCE ); /* #14 */ + + /* Test GetEncryptParam for no encrypt param case. */ + rval = Tss2_Sys_GetEncryptParam( sysContext, &encryptParamSize, &encryptParamBuffer ); +-- +2.51.0 + diff --git a/0017-FAPI-Add-missing-EFI-events.patch b/0017-FAPI-Add-missing-EFI-events.patch new file mode 100644 index 0000000..92a2db9 --- /dev/null +++ b/0017-FAPI-Add-missing-EFI-events.patch 
@@ -0,0 +1,65 @@ +From 134aba7994e6a8d799d38cbe1090581f7a8d7903 Mon Sep 17 00:00:00 2001 +From: Juergen Repp +Date: Mon, 17 Feb 2025 19:50:07 +0100 +Subject: [PATCH 17/22] FAPI: Add missing EFI events. + +Now all events which are implemented in the tpm2 tool command +tpm2_eventlog are implemented in FAPI. + +Signed-off-by: Juergen Repp +--- + src/tss2-fapi/efi_event.h | 3 +++ + src/tss2-fapi/ifapi_json_eventlog_serialize.c | 9 +++++++++ + 2 files changed, 12 insertions(+) + +diff --git a/src/tss2-fapi/efi_event.h b/src/tss2-fapi/efi_event.h +index 7c6b9184..b602b06d 100644 +--- a/src/tss2-fapi/efi_event.h ++++ b/src/tss2-fapi/efi_event.h +@@ -43,6 +43,9 @@ + #define EV_EFI_ACTION EV_EFI_EVENT_BASE + 0x7 + #define EV_EFI_PLATFORM_FIRMWARE_BLOB EV_EFI_EVENT_BASE + 0x8 + #define EV_EFI_HANDOFF_TABLES EV_EFI_EVENT_BASE + 0x9 ++#define EV_EFI_PLATFORM_FIRMWARE_BLOB2 EV_EFI_EVENT_BASE + 0xa ++#define EV_EFI_HANDOFF_TABLES2 EV_EFI_EVENT_BASE + 0xb ++#define EV_EFI_VARIABLE_BOOT2 EV_EFI_EVENT_BASE + 0xc + #define EV_EFI_HCRTM_EVENT EV_EFI_EVENT_BASE + 0x10 + #define EV_EFI_VARIABLE_AUTHORITY EV_EFI_EVENT_BASE + 0xe0 + +diff --git a/src/tss2-fapi/ifapi_json_eventlog_serialize.c b/src/tss2-fapi/ifapi_json_eventlog_serialize.c +index c875568c..b4abeb19 100644 +--- a/src/tss2-fapi/ifapi_json_eventlog_serialize.c ++++ b/src/tss2-fapi/ifapi_json_eventlog_serialize.c +@@ -124,6 +124,13 @@ char const *eventtype_to_string (UINT32 event_type) { + return "EV_EFI_HCRTM_EVENT"; + case EV_EFI_VARIABLE_AUTHORITY: + return "EV_EFI_VARIABLE_AUTHORITY"; ++ case EV_EFI_PLATFORM_FIRMWARE_BLOB2: ++ return "EV_EFI_PLATFORM_FIRMWARE_BLOB2"; ++ case EV_EFI_HANDOFF_TABLES2: ++ return "EV_EFI_HANDOFF_TABLES2"; ++ case EV_EFI_VARIABLE_BOOT2: ++ return "EV_EFI_VARIABLE_BOOT2"; ++ + default: + return "Unknown event type"; + } +@@ -341,6 +348,7 @@ TSS2_RC ifapi_json_TCG_EVENT2_serialize(const TCG_EVENT2 *in, UINT32 event_type, + /* TCG PC Client FPF section 9.2.6 */ + case 
EV_EFI_VARIABLE_DRIVER_CONFIG: + case EV_EFI_VARIABLE_BOOT: ++ case EV_EFI_VARIABLE_BOOT2: + case EV_EFI_VARIABLE_AUTHORITY: + { + #if (MAXLOGLEVEL != LOGL_NONE) +@@ -389,6 +397,7 @@ TSS2_RC ifapi_json_TCG_EVENT2_serialize(const TCG_EVENT2 *in, UINT32 event_type, + /* TCG PC Client FPF section 9.2.5 */ + case EV_S_CRTM_CONTENTS: + case EV_EFI_PLATFORM_FIRMWARE_BLOB: ++ case EV_EFI_PLATFORM_FIRMWARE_BLOB2: + { + UEFI_PLATFORM_FIRMWARE_BLOB *data = + (UEFI_PLATFORM_FIRMWARE_BLOB*)in->Event; +-- +2.51.0 + diff --git a/0018-FAPI-Add-Intel-ODCA-Root-Certificate.patch b/0018-FAPI-Add-Intel-ODCA-Root-Certificate.patch new file mode 100644 index 0000000..a713ca8 --- /dev/null +++ b/0018-FAPI-Add-Intel-ODCA-Root-Certificate.patch 
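Review bot: `EV_EFI_PLATFORM_FIRMWARE_BLOB2` is added to the case that casts `in->Event` to `UEFI_PLATFORM_FIRMWARE_BLOB`, but in the TCG PC Client Platform Firmware Profile the BLOB2 event data begins with a one-byte description length and a description string before the base and length fields. Read through the old layout, the serialized base and length would come from the wrong offsets, which matters to anything that evaluates the serialized event log. The BLOB2 event needs its own branch that reads the description length, checks it against the event's size, and only then reads the two 64-bit fields; the case body continues outside the hunk, so confirm it does not already distinguish the two event types. `EV_EFI_HANDOFF_TABLES2` gets a name in `eventtype_to_string`, but no serializer case for it is visible in these hunks.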
@@ -0,0 +1,46 @@ +From 40e6166f5baea4369dd980dd9b62319e6cdac6eb Mon Sep 17 00:00:00 2001 +From: Juergen Repp +Date: Wed, 12 Feb 2025 14:27:24 +0100 +Subject: [PATCH 18/22] FAPI: Add Intel ODCA Root Certificate. + +This certificate will be needed for Intel TPM's where the +intermediate certificates are stored in NV ram. + +Signed-off-by: Juergen Repp +--- + src/tss2-fapi/fapi_certificates.h | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/src/tss2-fapi/fapi_certificates.h b/src/tss2-fapi/fapi_certificates.h +index a59e46aa..37b3dbc9 100644 +--- a/src/tss2-fapi/fapi_certificates.h ++++ b/src/tss2-fapi/fapi_certificates.h +@@ -592,6 +592,25 @@ static char * root_cert_list[] = { + "7r+i6q84W2nJdd+BoQQv4sk5GeuN2j2u4k1a8DkRPsVPc2I9QTtbzekchTK1GCXW\n" + "ki3DKGkZUEuaoaa60Kgw55Q5rt1eK7HKEG5npmR8aEod7BDLWy4CMTNAWR5iabCW\n" + "/KX28JbJL6Phau9j\n" ++ "-----END CERTIFICATE-----\n", ++ ++ /* Intel ODCA Root Certificate */ ++ "-----BEGIN CERTIFICATE-----\n" ++ "MIICujCCAj6gAwIBAgIUPLLiHTrwySRtWxR4lxKLlu7MJ7wwDAYIKoZIzj0EAwMF\n" ++ "ADCBiTELMAkGA1UEBgwCVVMxCzAJBgNVBAgMAkNBMRQwEgYDVQQHDAtTYW50YSBD\n" ++ "bGFyYTEaMBgGA1UECgwRSW50ZWwgQ29ycG9yYXRpb24xIzAhBgNVBAsMGk9uRGll\n" ++ "IENBIFJvb3QgQ2VydCBTaWduaW5nMRYwFAYDVQQDDA13d3cuaW50ZWwuY29tMB4X\n" ++ "DTE5MDQwMzAwMDAwMFoXDTQ5MTIzMTIzNTk1OVowgYkxCzAJBgNVBAYMAlVTMQsw\n" ++ "CQYDVQQIDAJDQTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExGjAYBgNVBAoMEUludGVs\n" ++ "IENvcnBvcmF0aW9uMSMwIQYDVQQLDBpPbkRpZSBDQSBSb290IENlcnQgU2lnbmlu\n" ++ "ZzEWMBQGA1UEAwwNd3d3LmludGVsLmNvbTB2MBAGByqGSM49AgEGBSuBBAAiA2IA\n" ++ "BK8SfB2UflvXZqb5Kc3+lokrABHWazvNER2axPURP64HILkXChPB0OEX5hLB7Okw\n" ++ "7Dy6oFqB5tQVDupgfvUX/SgYBEaDdG5rCVFrGAis6HX5TA2ewQmj14r2ncHBgnpp\n" ++ "B6NjMGEwHwYDVR0jBBgwFoAUtFjJ9uQIQKPyWMg5eG6ujgqNnDgwDwYDVR0TAQH/\n" ++ "BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFLRYyfbkCECj8ljIOXhu\n" ++ "ro4KjZw4MAwGCCqGSM49BAMDBQADaAAwZQIxAP9B4lFF86uvpHmkcp61cWaU565a\n" ++ "yE3p7ezu9haLE/lPLh5hFQfmTi1nm/sG3JEXMQIwNpKfHoDmUTrUyezhhfv3GG+1\n" ++ 
"CqBXstmCYH40buj9jKW3pHWc71s9arEmPWli7I8U\n" + "-----END CERTIFICATE-----\n" + + }; +-- +2.51.0 + diff --git a/0020-FAPI-Fix-leak-in-Fapi_Sign.patch b/0020-FAPI-Fix-leak-in-Fapi_Sign.patch new file mode 100644 index 0000000..2c39c8d --- /dev/null +++ b/0020-FAPI-Fix-leak-in-Fapi_Sign.patch @@ -0,0 +1,29 @@ +From 5a69b211ed087e9b2e2eaa36d411cb54b2a3fd6c Mon Sep 17 00:00:00 2001 +From: Juergen Repp +Date: Mon, 2 Jun 2025 14:40:03 +0200 +Subject: [PATCH 20/22] FAPI: Fix leak in Fapi_Sign + +Fapi_Sign causes a memory leak when the optional public key output parameter +is not provided. Fixes: #2962 + +Signed-off-by: Juergen Repp +--- + src/tss2-fapi/api/Fapi_Sign.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/tss2-fapi/api/Fapi_Sign.c b/src/tss2-fapi/api/Fapi_Sign.c +index 52b3c9c6..2ec43172 100644 +--- a/src/tss2-fapi/api/Fapi_Sign.c ++++ b/src/tss2-fapi/api/Fapi_Sign.c +@@ -296,7 +296,7 @@ Fapi_Sign_Finish( + /* Perform the signing operation using a helper. */ + r = ifapi_key_sign(context, command->key_object, + command->padding, &command->digest, &command->tpm_signature, +- &command->publicKey, ++ publicKey ? &command->publicKey : NULL, + (certificate) ? &command->certificate : NULL); + return_try_again(r); + goto_if_error(r, "Fapi sign.", cleanup); +-- +2.51.0 + diff --git a/0021-FAPI-Fix-instantiation-of-policyduplication-select.patch b/0021-FAPI-Fix-instantiation-of-policyduplication-select.patch new file mode 100644 index 0000000..5353ad2 --- /dev/null +++ b/0021-FAPI-Fix-instantiation-of-policyduplication-select.patch 
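Review bot: The new entry in `root_cert_list` adds a trust anchor identified only by the comment `/* Intel ODCA Root Certificate */`, so a reviewer cannot check the PEM block against the vendor's published certificate. Extend the comment with where the certificate was obtained and its SHA-256 fingerprint, for example `/* Intel ODCA Root Certificate; source: <URL placeholder>; SHA-256: <fingerprint placeholder> */`, so that later audits of the embedded roots can verify each entry independently. The array definition begins outside the hunk.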
@@ -0,0 +1,40 @@
+From 00d96269ac8797317f07b8e362c59f315ccb70b0 Mon Sep 17 00:00:00 2001
+From: Juergen Repp
+Date: Tue, 29 Jul 2025 07:28:20 +0200
+Subject: [PATCH 21/22] FAPI: Fix instantiation of policyduplication select.
+
+The instantiation of the policy did only work when a object path was used
+in the policy definition. Now also the object name or the public data
+of the object can be used.
+
+Signed-off-by: Juergen Repp
+---
+ src/tss2-fapi/ifapi_policy_instantiate.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/tss2-fapi/ifapi_policy_instantiate.c b/src/tss2-fapi/ifapi_policy_instantiate.c
+index 014d4166..f6ada249 100644
+--- a/src/tss2-fapi/ifapi_policy_instantiate.c
++++ b/src/tss2-fapi/ifapi_policy_instantiate.c
+@@ -333,9 +333,18 @@ ifapi_policyeval_instantiate_finish(
+ break;
+
+ case POLICYDUPLICATIONSELECT:
++ if (pol_element->element.PolicyDuplicationSelect.newParentName.size) {
++ break;
++ }
+ if (pol_element->element.PolicyDuplicationSelect.newParentPublic.type) {
+ /* public data is already set in policy. Path will not be needed. */
+ SAFE_FREE(pol_element->element.PolicyDuplicationSelect.newParentPath);
++ r = ifapi_get_name(
++ &pol_element->element.PolicyDuplicationSelect.newParentPublic,
++ &pol_element->element.PolicyDuplicationSelect.newParentName);
++ return_if_error(r, "Compute object name");
++
++ pol_element->element.PolicyDuplicationSelect.newParentPublic.type = 0;
+ break;
+ }
+
+--
+2.51.0
+
diff --git a/0022-FAPI-Fix-nv-object-authorization-for-policy-authoriz.patch b/0022-FAPI-Fix-nv-object-authorization-for-policy-authoriz.patch
new file mode 100644
index 0000000..cc49633
--- /dev/null
+++ b/0022-FAPI-Fix-nv-object-authorization-for-policy-authoriz.patch
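Review bot: The new early `break` for a non-zero `newParentName.size` sits before the `SAFE_FREE` of `newParentPath`, so a policy that carries both a name and a path keeps the path, unlike the public-data branch just below it. If later stages treat a non-NULL `newParentPath` as something still to be resolved, the name supplied in the policy may not be the one that takes effect; either free the path in that branch too or document why it is kept. The assignment `newParentPublic.type = 0` also needs a comment stating its purpose, for example `/* Name has been computed; clear the public data so it is not processed again. */` if that is the intent. The enclosing function starts and ends outside the hunk.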
@@ -0,0 +1,41 @@ +From 876ea76879d60e03920e0a8d47b76d13ee82ea2f Mon Sep 17 00:00:00 2001 +From: Juergen Repp +Date: Fri, 22 Aug 2025 15:36:02 +0200 +Subject: [PATCH 22/22] FAPI: Fix nv object authorization for policy authorize + nv. + +The cleanup function for the nv object to be authorized was called before +authorization, and the wrong object was used for authorization. + +Signed-off-by: Juergen Repp +--- + src/tss2-fapi/ifapi_policy_callbacks.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/tss2-fapi/ifapi_policy_callbacks.c b/src/tss2-fapi/ifapi_policy_callbacks.c +index 9c52088d..99748176 100644 +--- a/src/tss2-fapi/ifapi_policy_callbacks.c ++++ b/src/tss2-fapi/ifapi_policy_callbacks.c +@@ -1570,7 +1570,6 @@ ifapi_exec_auth_nv_policy( + goto_if_error(r, "Initialize NV object", cleanup); + + current_policy->nv_index = cb_ctx->object.public.handle; +- ifapi_cleanup_ifapi_object(&cb_ctx->object); + get_nv_auth_object(&cb_ctx->object, + current_policy->nv_index, + ¤t_policy->auth_objectNV, +@@ -1579,8 +1578,10 @@ ifapi_exec_auth_nv_policy( + + statecase(cb_ctx->cb_state, POL_CB_AUTHORIZE_OBJECT) + /* Authorize the NV object with the corresponding auth object. */ +- r = ifapi_authorize_object(fapi_ctx, &cb_ctx->auth_object, &cb_ctx->session); ++ r = ifapi_authorize_object(fapi_ctx, ¤t_policy->auth_objectNV, &cb_ctx->session); + return_try_again(r); ++ ++ ifapi_cleanup_ifapi_object(&cb_ctx->object); + goto_if_error(r, "Authorize object.", cleanup); + + /* Prepare the reading of the NV index from TPM. */ +-- +2.51.0 + diff --git a/tpm2-tss.spec b/tpm2-tss.spec index 98b564b..e0870e5 100644 --- a/tpm2-tss.spec +++ b/tpm2-tss.spec @@ -5,7 +5,7 @@ Name: tpm2-tss Version: 4.1.3 -Release: 5%{?candidate:.%{candidate}}%{?dist} +Release: 6%{?candidate:.%{candidate}}%{?dist} Summary: TPM2.0 Software Stack # The entire source code is under BSD except implementation.h and tpmb.h which 
@@ -17,15 +17,35 @@ Source1: tpm2-tss-systemd-sysusers.conf # doxygen crash Patch0: tpm2-tss-3.0.0-doxygen.patch Patch1: 0001-Remove-OpenSSL-engine-API-dependency.patch +Patch101: 0001-ESYS-FAPI-Fix-order-of-calloc-parameters.patch +Patch102: 0002-FAPI-Add-check-whether-auth-values-exist-for-hierarc.patch +Patch103: 0003-FAPI-Improve-the-error-message-for-self-signed-EK-ce.patch +Patch104: 0004-TCTI-Fix-leak-produced-in-Tss2_TctiLdr_Initialize_Ex.patch +Patch105: 0005-FAPI-Fix-usage-of-external-PEM-keys-for-PolicyAuthor.patch +Patch106: 0006-FAPI-Fix-wrong-format-directive-in-ifap_set_auth.patch +Patch107: 0007-fapi-fix-PolicyTemplate-policyDigest-calculation.patch +Patch108: 0008-FAPI-Fix-unnecessary-writes-to-keystore.patch +Patch109: 0009-FAPI-Fix-segfault-if-json-field-is-null.patch +Patch110: 0010-FAPI-Fix-Fapi_ChangeAuth-for-keys.patch +Patch111: 0011-tcti-msim-Fix-call-of-socket_xmit_buf-in-send_sim_se.patch +Patch112: 0012-FAPI-Fix-missing-scanf-checks.patch +Patch113: 0013-FAPI-Fix-Local-variable-address-stored-in-non-local-.patch +Patch114: 0014-FAPI-Fix-misleading-error-message.patch +Patch115: 0015-FAPI-Fix-file-io-if-d_type-of-dirent-is-not-supporte.patch +Patch116: 0016-SAPI-Allow-state-CMD_STAGE_SEND_COMMAND-for-Tss2_Sys.patch +Patch117: 0017-FAPI-Add-missing-EFI-events.patch +Patch118: 0018-FAPI-Add-Intel-ODCA-Root-Certificate.patch +Patch120: 0020-FAPI-Fix-leak-in-Fapi_Sign.patch +Patch121: 0021-FAPI-Fix-instantiation-of-policyduplication-select.patch +Patch122: 0022-FAPI-Fix-nv-object-authorization-for-policy-authoriz.patch + %global udevrules_prefix 60- -%if %{with rc} BuildRequires: autoconf BuildRequires: autoconf-archive BuildRequires: automake BuildRequires: libtool -%endif BuildRequires: make BuildRequires: doxygen BuildRequires: gcc 
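Review bot: The patch list jumps from `Patch118` to `Patch120` and the imported files from 0018 to 0020, while each patch header reads `[PATCH nn/22]`, so one patch of the backported series is left out without explanation. A spec comment such as `# 0019 of the backport series is not applied: <reason placeholder>` makes the omission auditable. The same hunk drops the `%if %{with rc}` guard, so the autotools `BuildRequires` become unconditional; a one-line comment naming the patch that requires regenerating the build system would help, as none of the patches visible here touches `configure.ac` or `Makefile.am`.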
@@ -155,6 +175,10 @@ use tpm2-tss. %changelog +* Fri Sep 5 2025 Štěpán Horáček - 4.1.3-6 +- Backport upstream fixes + Resolves: RHEL-94936 + * Tue Oct 29 2024 Troy Dawson - 4.1.3-5 - Bump release for October 2024 mass rebuild: Resolves: RHEL-64018