From c31e244e086d67e61dfc0326f8645a0454a977f5 Mon Sep 17 00:00:00 2001 From: Troy Dawson Date: Thu, 15 Oct 2020 13:04:17 -0700 Subject: [PATCH] RHEL 9.0.0 Alpha bootstrap The content of this branch was automatically imported from Fedora ELN with the following as its source: https://src.fedoraproject.org/rpms/trousers#ba65b02d14df4e4a21c824845cabda9bf5b5995d --- .gitignore | 8 + sources | 1 + tcsd.service | 10 + trousers-0.3.13-noinline.patch | 70 +++ trousers-0.3.14-double-free.patch | 27 ++ trousers-0.3.14-fix-indent-obj_policy.patch | 12 + trousers-0.3.14-fix-indent-tspi_key.patch | 18 + trousers-0.3.14-noinline.patch | 14 + trousers-0.3.14-tcsd-header-fix.patch | 37 ++ trousers-0.3.14-unlock-in-err-path.patch | 11 + trousers-openssl1.1.patch | 448 ++++++++++++++++++++ trousers.spec | 300 +++++++++++++ 12 files changed, 956 insertions(+) create mode 100644 sources create mode 100644 tcsd.service create mode 100644 trousers-0.3.13-noinline.patch create mode 100644 trousers-0.3.14-double-free.patch create mode 100644 trousers-0.3.14-fix-indent-obj_policy.patch create mode 100644 trousers-0.3.14-fix-indent-tspi_key.patch create mode 100644 trousers-0.3.14-noinline.patch create mode 100644 trousers-0.3.14-tcsd-header-fix.patch create mode 100644 trousers-0.3.14-unlock-in-err-path.patch create mode 100644 trousers-openssl1.1.patch create mode 100644 trousers.spec diff --git a/.gitignore b/.gitignore index e69de29..fead07e 100644 --- a/.gitignore +++ b/.gitignore @@ -0,0 +1,8 @@ +trousers-0.3.1.tar.gz +trousers-0.3.4.tar.gz +/trousers-0.3.6.tar.gz +/trousers-0.3.9.tar.gz +/trousers-0.3.10.tar.gz +/trousers-0.3.11.2.tar.gz +/trousers-0.3.13.tar.gz +/trousers-0.3.14.tar.gz diff --git a/sources b/sources new file mode 100644 index 0000000..8948cd5 --- /dev/null +++ b/sources @@ -0,0 +1 @@ +SHA512 (trousers-0.3.14.tar.gz) = bf87f00329cf1d76a12cf6b6181fa22f90e76af3c5786e6e2db98438d2d3f0c0e05364374664173f45e3a2f6c0e2364948d0b958a7845cb23fcb340150cd9b21 diff --git a/tcsd.service b/tcsd.service new file mode 100644 index 0000000..dd76a33 --- /dev/null +++ b/tcsd.service @@ -0,0 +1,10 @@ +[Unit] +Description=TCG Core Services Daemon + +[Service] +Type=forking +ExecStart=/sbin/tcsd + +[Install] +WantedBy=multi-user.target + diff --git a/trousers-0.3.13-noinline.patch b/trousers-0.3.13-noinline.patch new file mode 100644 index 0000000..da1b09c --- /dev/null +++ b/trousers-0.3.13-noinline.patch @@ -0,0 +1,70 @@ +diff -up trousers-0.3.13/src/include/tcsps.h.noinline trousers-0.3.13/src/include/tcsps.h +--- trousers-0.3.13/src/include/tcsps.h.noinline 2014-04-24 20:05:44.000000000 +0200 ++++ trousers-0.3.13/src/include/tcsps.h 2015-05-26 16:36:20.685075185 +0200 +@@ -27,8 +27,8 @@ void ps_destroy(); + TSS_RESULT read_data(int, void *, UINT32); + TSS_RESULT write_data(int, void *, UINT32); + #else +-inline TSS_RESULT read_data(int, void *, UINT32); +-inline TSS_RESULT write_data(int, void *, UINT32); ++TSS_RESULT read_data(int, void *, UINT32); ++TSS_RESULT write_data(int, void *, UINT32); + #endif + int write_key_init(int, UINT32, UINT32, UINT32); + TSS_RESULT cache_key(UINT32, UINT16, TSS_UUID *, TSS_UUID *, UINT16, UINT32, UINT32); +diff -up trousers-0.3.13/src/include/tspps.h.noinline trousers-0.3.13/src/include/tspps.h +--- trousers-0.3.13/src/include/tspps.h.noinline 2014-04-24 20:05:44.000000000 +0200 ++++ trousers-0.3.13/src/include/tspps.h 2015-05-26 16:36:31.730325291 +0200 +@@ -18,8 +18,8 @@ + + TSS_RESULT get_file(int *); + int put_file(int); +-inline TSS_RESULT read_data(int, void *, UINT32); +-inline TSS_RESULT write_data(int, void *, UINT32); ++TSS_RESULT read_data(int, void *, UINT32); ++TSS_RESULT write_data(int, void *, UINT32); + UINT32 psfile_get_num_keys(int); + TSS_RESULT psfile_get_parent_uuid_by_uuid(int, TSS_UUID *, TSS_UUID *); + TSS_RESULT psfile_remove_key_by_uuid(int, TSS_UUID *); +diff -up trousers-0.3.13/src/tcs/ps/ps_utils.c.noinline trousers-0.3.13/src/tcs/ps/ps_utils.c +--- trousers-0.3.13/src/tcs/ps/ps_utils.c.noinline 2014-04-24 20:05:44.000000000 +0200 ++++ trousers-0.3.13/src/tcs/ps/ps_utils.c 2015-05-26 16:38:33.626085483 +0200 +@@ -45,7 +45,7 @@ struct key_disk_cache *key_disk_cache_he + #ifdef SOLARIS + TSS_RESULT + #else +-inline TSS_RESULT ++TSS_RESULT + #endif + read_data(int fd, void *data, UINT32 size) + { +@@ -67,7 +67,7 @@ read_data(int fd, void *data, UINT32 siz + #ifdef SOLARIS + TSS_RESULT + #else +-inline TSS_RESULT ++TSS_RESULT + #endif + write_data(int fd, void *data, UINT32 size) + { +diff -up trousers-0.3.13/src/tspi/ps/ps_utils.c.noinline trousers-0.3.13/src/tspi/ps/ps_utils.c +--- trousers-0.3.13/src/tspi/ps/ps_utils.c.noinline 2014-04-24 20:05:44.000000000 +0200 ++++ trousers-0.3.13/src/tspi/ps/ps_utils.c 2015-05-26 16:39:30.881381965 +0200 +@@ -22,7 +22,7 @@ + #include "tspps.h" + #include "tsplog.h" + +-inline TSS_RESULT ++TSS_RESULT + read_data(int fd, void *data, UINT32 size) + { + int rc; +@@ -39,7 +39,7 @@ read_data(int fd, void *data, UINT32 siz + return TSS_SUCCESS; + } + +-inline TSS_RESULT ++TSS_RESULT + write_data(int fd, void *data, UINT32 size) + { + int rc; diff --git a/trousers-0.3.14-double-free.patch b/trousers-0.3.14-double-free.patch new file mode 100644 index 0000000..ef7a36a --- /dev/null +++ b/trousers-0.3.14-double-free.patch @@ -0,0 +1,27 @@ +diff -ur trousers-0.3.14/src/tspi/tsp_auth.c trousers-0.3.14-new/src/tspi/tsp_auth.c +--- trousers-0.3.14/src/tspi/tsp_auth.c 2014-07-23 12:42:45.000000000 -0700 ++++ trousers-0.3.14-new/src/tspi/tsp_auth.c 2019-05-27 13:41:57.316000945 -0700 +@@ -1221,7 +1221,7 @@ + } + + *handles = handle; +- handles_track = handles; ++ handles_track = handles; + + // Since the call tree of this function can possibly alloc memory + // (check RPC_ExecuteTransport_TP function), its better to keep track of +@@ -1229,9 +1229,11 @@ + result = obj_context_transport_execute(tspContext, TPM_ORD_Terminate_Handle, 0, NULL, + NULL, &handlesLen, &handles, NULL, NULL, NULL, NULL); + +- free(handles); +- handles = NULL; +- free(handles_track); ++ if (handles != handles_track) { ++ free(handles); ++ } ++ ++ free(handles_track); + + return result; + } diff --git a/trousers-0.3.14-fix-indent-obj_policy.patch b/trousers-0.3.14-fix-indent-obj_policy.patch new file mode 100644 index 0000000..af53ee4 --- /dev/null +++ b/trousers-0.3.14-fix-indent-obj_policy.patch @@ -0,0 +1,12 @@ +diff -ur trousers-0.3.14/src/tspi/obj_policy.c trousers-0.3.14-new/src/tspi/obj_policy.c +--- trousers-0.3.14/src/tspi/obj_policy.c 2014-07-23 12:42:44.000000000 -0700 ++++ trousers-0.3.14-new/src/tspi/obj_policy.c 2019-05-27 13:29:56.720899059 -0700 +@@ -984,7 +984,7 @@ + policy->popupString, + policy->Secret))) + goto done; +- policy->SecretSet = TRUE; ++ policy->SecretSet = TRUE; + } + memcpy(secret, policy->Secret, TPM_SHA1_160_HASH_LEN); + *mode = policy->SecretMode; diff --git a/trousers-0.3.14-fix-indent-tspi_key.patch b/trousers-0.3.14-fix-indent-tspi_key.patch new file mode 100644 index 0000000..9278fc8 --- /dev/null +++ b/trousers-0.3.14-fix-indent-tspi_key.patch @@ -0,0 +1,18 @@ +diff -ur trousers-0.3.14/src/tspi/tspi_key.c trousers-0.3.14-new/src/tspi/tspi_key.c +--- trousers-0.3.14/src/tspi/tspi_key.c 2014-07-23 12:42:45.000000000 -0700 ++++ trousers-0.3.14-new/src/tspi/tspi_key.c 2019-05-27 13:44:42.366735438 -0700 +@@ -370,10 +370,10 @@ + /* get the key to be wrapped's private key */ + if ((result = obj_rsakey_get_priv_blob(hKey, &keyPrivBlobLen, &keyPrivBlob))) + goto done; +- /* verify if its under the maximum size, according to the +- * TPM_STORE_ASYMKEY specification */ +- if (keyPrivBlobLen > TPM_STORE_PRIVKEY_LEN) +- return TSPERR(TSS_E_ENC_INVALID_LENGTH); ++ /* verify if its under the maximum size, according to the ++ * TPM_STORE_ASYMKEY specification */ ++ if (keyPrivBlobLen > TPM_STORE_PRIVKEY_LEN) ++ return TSPERR(TSS_E_ENC_INVALID_LENGTH); + + /* get the key to be wrapped's blob */ + if ((result = obj_rsakey_get_blob(hKey, &keyBlobLen, &keyBlob))) diff --git a/trousers-0.3.14-noinline.patch b/trousers-0.3.14-noinline.patch new file mode 100644 index 0000000..2880bb3 --- /dev/null +++ b/trousers-0.3.14-noinline.patch @@ -0,0 +1,14 @@ +diff -ur a/src/include/tspps.h b/src/include/tspps.h +--- a/src/include/tspps.h 2014-07-23 12:42:44.000000000 -0700 ++++ b/src/include/tspps.h 2018-08-01 19:33:42.454192873 -0700 +@@ -18,8 +18,8 @@ + + TSS_RESULT get_file(int *); + int put_file(int); +-inline TSS_RESULT read_data(int, void *, UINT32); +-inline TSS_RESULT write_data(int, void *, UINT32); ++TSS_RESULT read_data(int, void *, UINT32); ++TSS_RESULT write_data(int, void *, UINT32); + UINT32 psfile_get_num_keys(int); + TSS_RESULT psfile_get_parent_uuid_by_uuid(int, TSS_UUID *, TSS_UUID *); + TSS_RESULT psfile_remove_key_by_uuid(int, TSS_UUID *); diff --git a/trousers-0.3.14-tcsd-header-fix.patch b/trousers-0.3.14-tcsd-header-fix.patch new file mode 100644 index 0000000..b5b3f3b --- /dev/null +++ b/trousers-0.3.14-tcsd-header-fix.patch @@ -0,0 +1,37 @@ +From b692f86a93c8f7e6ac938277a9aec434b02c252b Mon Sep 17 00:00:00 2001 +From: Jerry Snitselaar +Date: Wed, 18 Mar 2020 13:35:22 -0700 +Subject: [PATCH] trousers: resolve build failure + +The global variables tcsd_sa_chld and tcsd_sa_int in tcsd.h are +causing build failures in latest Fedora release: + +/usr/bin/ld: ../../src/tcs/libtcs.a(libtcs_a-tcsi_changeauth.o):/builddir/build/BUILD/trousers-0.3.13/src/tcs/../include/tcsd.h:169: multiple definition of `tcsd_sa_chld'; tcsd-svrside.o:/builddir/build/BUILD/trousers-0.3.13/src/tcsd/../../src/include/tcsd.h:169: first defined here +/usr/bin/ld: ../../src/tcs/libtcs.a(libtcs_a-tcsi_changeauth.o):/builddir/build/BUILD/trousers-0.3.13/src/tcs/../include/tcsd.h:168: multiple definition of `tcsd_sa_int'; tcsd-svrside.o:/builddir/build/BUILD/trousers-0.3.13/src/tcsd/../../src/include/tcsd.h:168: first defined here + +They are no longer used since 9b40e581470b ("Improved daemon's signal +handling") so just remove them. + +Signed-off-by: Jerry Snitselaar +--- + src/include/tcsd.h | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/src/include/tcsd.h b/src/include/tcsd.h +index 5b9462b85ed6..f5c286e01c86 100644 +--- a/src/include/tcsd.h ++++ b/src/include/tcsd.h +@@ -164,10 +164,4 @@ TSS_RESULT tcsd_thread_create(int, char *); + void *tcsd_thread_run(void *); + void thread_signal_init(); + +-/* signal handling */ +-#ifndef __APPLE__ +-struct sigaction tcsd_sa_int; +-struct sigaction tcsd_sa_chld; +-#endif +- + #endif +-- +2.24.0 + diff --git a/trousers-0.3.14-unlock-in-err-path.patch b/trousers-0.3.14-unlock-in-err-path.patch new file mode 100644 index 0000000..d4f7540 --- /dev/null +++ b/trousers-0.3.14-unlock-in-err-path.patch @@ -0,0 +1,11 @@ +diff -ur a/src/tspi/obj_context.c b/src/tspi/obj_context.c +--- a/src/tspi/obj_context.c 2014-11-03 12:31:55.000000000 -0700 ++++ b/src/tspi/obj_context.c 2018-08-10 11:02:02.246962638 -0700 +@@ -276,6 +276,7 @@ + context->machineName = (BYTE *)calloc(1, len); + if (context->machineName == NULL) { + LogError("malloc of %u bytes failed.", len); ++ obj_list_put(&context_list); + return TSPERR(TSS_E_OUTOFMEMORY); + } + memcpy(context->machineName, name, len); diff --git a/trousers-openssl1.1.patch b/trousers-openssl1.1.patch new file mode 100644 index 0000000..1fa2ebc --- /dev/null +++ b/trousers-openssl1.1.patch @@ -0,0 +1,448 @@ +@@ -, +, @@ +--- + src/tcs/crypto/openssl/crypto.c | 15 ++++++--- + src/trspi/crypto/openssl/hash.c | 17 ++++++---- + src/trspi/crypto/openssl/rsa.c | 64 ++++++++++++++++++++++++++++++----- + src/trspi/crypto/openssl/symmetric.c | 65 +++++++++++++++++++++--------------- + 4 files changed, 115 insertions(+), 46 deletions(-) +--- a/src/tcs/crypto/openssl/crypto.c ++++ a/src/tcs/crypto/openssl/crypto.c +@@ -31,13 +31,17 @@ + TSS_RESULT + Hash(UINT32 HashType, UINT32 BufSize, BYTE* Buf, BYTE* Digest) + { +- EVP_MD_CTX md_ctx; ++ EVP_MD_CTX *md_ctx; + unsigned int result_size; + int rv; + ++ md_ctx = EVP_MD_CTX_new(); ++ if (md_ctx == NULL) ++ return TSPERR(TSS_E_OUTOFMEMORY); ++ + switch (HashType) { + case TSS_HASH_SHA1: +- rv = EVP_DigestInit(&md_ctx, EVP_sha1()); ++ rv = EVP_DigestInit(md_ctx, EVP_sha1()); + break; + default: + rv = TCSERR(TSS_E_BAD_PARAMETER); +@@ -50,19 +54,20 @@ Hash(UINT32 HashType, UINT32 BufSize, BYTE* Buf, BYTE* Digest) + goto out; + } + +- rv = EVP_DigestUpdate(&md_ctx, Buf, BufSize); ++ rv = EVP_DigestUpdate(md_ctx, Buf, BufSize); + if (rv != EVP_SUCCESS) { + rv = TCSERR(TSS_E_INTERNAL_ERROR); + goto out; + } + +- result_size = EVP_MD_CTX_size(&md_ctx); +- rv = EVP_DigestFinal(&md_ctx, Digest, &result_size); ++ result_size = EVP_MD_CTX_size(md_ctx); ++ rv = EVP_DigestFinal(md_ctx, Digest, &result_size); + if (rv != EVP_SUCCESS) { + rv = TCSERR(TSS_E_INTERNAL_ERROR); + } else + rv = TSS_SUCCESS; + + out: ++ EVP_MD_CTX_free(md_ctx); + return rv; + } +--- a/src/trspi/crypto/openssl/hash.c ++++ a/src/trspi/crypto/openssl/hash.c +@@ -56,13 +56,17 @@ int MGF1(unsigned char *, long, const unsigned char *, long); + TSS_RESULT + Trspi_Hash(UINT32 HashType, UINT32 BufSize, BYTE* Buf, BYTE* Digest) + { +- EVP_MD_CTX md_ctx; ++ EVP_MD_CTX *md_ctx; + unsigned int result_size; + int rv; + ++ md_ctx = EVP_MD_CTX_new(); ++ if (md_ctx == NULL) ++ return TSPERR(TSS_E_OUTOFMEMORY); ++ + switch (HashType) { + case TSS_HASH_SHA1: +- rv = EVP_DigestInit(&md_ctx, EVP_sha1()); ++ rv = EVP_DigestInit(md_ctx, EVP_sha1()); + break; + default: + rv = TSPERR(TSS_E_BAD_PARAMETER); +@@ -75,14 +79,14 @@ Trspi_Hash(UINT32 HashType, UINT32 BufSize, BYTE* Buf, BYTE* Digest) + goto err; + } + +- rv = EVP_DigestUpdate(&md_ctx, Buf, BufSize); ++ rv = EVP_DigestUpdate(md_ctx, Buf, BufSize); + if (rv != EVP_SUCCESS) { + rv = TSPERR(TSS_E_INTERNAL_ERROR); + goto err; + } + +- result_size = EVP_MD_CTX_size(&md_ctx); +- rv = EVP_DigestFinal(&md_ctx, Digest, &result_size); ++ result_size = EVP_MD_CTX_size(md_ctx); ++ rv = EVP_DigestFinal(md_ctx, Digest, &result_size); + if (rv != EVP_SUCCESS) { + rv = TSPERR(TSS_E_INTERNAL_ERROR); + goto err; +@@ -94,6 +98,7 @@ Trspi_Hash(UINT32 HashType, UINT32 BufSize, BYTE* Buf, BYTE* Digest) + err: + DEBUG_print_openssl_errors(); + out: ++ EVP_MD_CTX_free(md_ctx); + return rv; + } + +@@ -112,7 +117,7 @@ Trspi_HashInit(Trspi_HashCtx *ctx, UINT32 HashType) + break; + } + +- if ((ctx->ctx = malloc(sizeof(EVP_MD_CTX))) == NULL) ++ if ((ctx->ctx = EVP_MD_CTX_new()) == NULL) + return TSPERR(TSS_E_OUTOFMEMORY); + + rv = EVP_DigestInit((EVP_MD_CTX *)ctx->ctx, (const EVP_MD *)md); +--- a/src/trspi/crypto/openssl/rsa.c ++++ a/src/trspi/crypto/openssl/rsa.c +@@ -38,6 +38,25 @@ + #define DEBUG_print_openssl_errors() + #endif + ++#if OPENSSL_VERSION_NUMBER < 0x10100001L ++static int ++RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) ++{ ++ if (n != NULL) { ++ BN_free(r->n); ++ r->n = n; ++ } ++ if (e != NULL) { ++ BN_free(r->e); ++ r->e = e; ++ } ++ if (d != NULL) { ++ BN_free(r->d); ++ r->d = d; ++ } ++ return 1; ++} ++#endif + + /* + * Hopefully this will make the code clearer since +@@ -61,6 +80,7 @@ Trspi_RSA_Encrypt(unsigned char *dataToEncrypt, /* in */ + RSA *rsa = RSA_new(); + BYTE encodedData[256]; + int encodedDataLen; ++ BIGNUM *rsa_n = NULL, *rsa_e = NULL; + + if (rsa == NULL) { + rv = TSPERR(TSS_E_OUTOFMEMORY); +@@ -68,12 +88,20 @@ Trspi_RSA_Encrypt(unsigned char *dataToEncrypt, /* in */ + } + + /* set the public key value in the OpenSSL object */ +- rsa->n = BN_bin2bn(publicKey, keysize, rsa->n); ++ rsa_n = BN_bin2bn(publicKey, keysize, NULL); + /* set the public exponent */ +- rsa->e = BN_bin2bn(exp, sizeof(exp), rsa->e); ++ rsa_e = BN_bin2bn(exp, sizeof(exp), NULL); + +- if (rsa->n == NULL || rsa->e == NULL) { ++ if (rsa_n == NULL || rsa_e == NULL) { + rv = TSPERR(TSS_E_OUTOFMEMORY); ++ BN_free(rsa_n); ++ BN_free(rsa_e); ++ goto err; ++ } ++ if (!RSA_set0_key(rsa, rsa_n, rsa_e, NULL)) { ++ rv = TSPERR(TSS_E_FAIL); ++ BN_free(rsa_n); ++ BN_free(rsa_e); + goto err; + } + +@@ -123,6 +151,7 @@ Trspi_Verify(UINT32 HashType, BYTE *pHash, UINT32 iHashLength, + unsigned char exp[] = { 0x01, 0x00, 0x01 }; /* The default public exponent for the TPM */ + unsigned char buf[256]; + RSA *rsa = RSA_new(); ++ BIGNUM *rsa_n = NULL, *rsa_e = NULL; + + if (rsa == NULL) { + rv = TSPERR(TSS_E_OUTOFMEMORY); +@@ -146,12 +175,20 @@ Trspi_Verify(UINT32 HashType, BYTE *pHash, UINT32 iHashLength, + } + + /* set the public key value in the OpenSSL object */ +- rsa->n = BN_bin2bn(pModulus, iKeyLength, rsa->n); ++ rsa_n = BN_bin2bn(pModulus, iKeyLength, NULL); + /* set the public exponent */ +- rsa->e = BN_bin2bn(exp, sizeof(exp), rsa->e); ++ rsa_e = BN_bin2bn(exp, sizeof(exp), NULL); + +- if (rsa->n == NULL || rsa->e == NULL) { ++ if (rsa_n == NULL || rsa_e == NULL) { + rv = TSPERR(TSS_E_OUTOFMEMORY); ++ BN_free(rsa_n); ++ BN_free(rsa_e); ++ goto err; ++ } ++ if (!RSA_set0_key(rsa, rsa_n, rsa_e, NULL)) { ++ rv = TSPERR(TSS_E_FAIL); ++ BN_free(rsa_n); ++ BN_free(rsa_e); + goto err; + } + +@@ -195,6 +232,7 @@ Trspi_RSA_Public_Encrypt(unsigned char *in, unsigned int inlen, + int rv, e_size = 3; + unsigned char exp[] = { 0x01, 0x00, 0x01 }; + RSA *rsa = RSA_new(); ++ BIGNUM *rsa_n = NULL, *rsa_e = NULL; + + if (rsa == NULL) { + rv = TSPERR(TSS_E_OUTOFMEMORY); +@@ -237,12 +275,20 @@ Trspi_RSA_Public_Encrypt(unsigned char *in, unsigned int inlen, + } + + /* set the public key value in the OpenSSL object */ +- rsa->n = BN_bin2bn(pubkey, pubsize, rsa->n); ++ rsa_n = BN_bin2bn(pubkey, pubsize, NULL); + /* set the public exponent */ +- rsa->e = BN_bin2bn(exp, e_size, rsa->e); ++ rsa_e = BN_bin2bn(exp, e_size, NULL); + +- if (rsa->n == NULL || rsa->e == NULL) { ++ if (rsa_n == NULL || rsa_e == NULL) { + rv = TSPERR(TSS_E_OUTOFMEMORY); ++ BN_free(rsa_n); ++ BN_free(rsa_e); ++ goto err; ++ } ++ if (!RSA_set0_key(rsa, rsa_n, rsa_e, NULL)) { ++ rv = TSPERR(TSS_E_FAIL); ++ BN_free(rsa_n); ++ BN_free(rsa_e); + goto err; + } + +--- a/src/trspi/crypto/openssl/symmetric.c ++++ a/src/trspi/crypto/openssl/symmetric.c +@@ -52,7 +52,7 @@ Trspi_Encrypt_ECB(UINT16 alg, BYTE *key, BYTE *in, UINT32 in_len, BYTE *out, + UINT32 *out_len) + { + TSS_RESULT result = TSS_SUCCESS; +- EVP_CIPHER_CTX ctx; ++ EVP_CIPHER_CTX *ctx = NULL; + UINT32 tmp; + + switch (alg) { +@@ -64,33 +64,37 @@ Trspi_Encrypt_ECB(UINT16 alg, BYTE *key, BYTE *in, UINT32 in_len, BYTE *out, + break; + } + +- EVP_CIPHER_CTX_init(&ctx); ++ ctx = EVP_CIPHER_CTX_new(); ++ if (ctx == NULL) { ++ result = TSPERR(TSS_E_OUTOFMEMORY); ++ goto done; ++ } + +- if (!EVP_EncryptInit(&ctx, EVP_aes_256_ecb(), key, NULL)) { ++ if (!EVP_EncryptInit(ctx, EVP_aes_256_ecb(), key, NULL)) { + result = TSPERR(TSS_E_INTERNAL_ERROR); + DEBUG_print_openssl_errors(); + goto done; + } + +- if (*out_len < in_len + EVP_CIPHER_CTX_block_size(&ctx) - 1) { ++ if (*out_len < in_len + EVP_CIPHER_CTX_block_size(ctx) - 1) { + result = TSPERR(TSS_E_INTERNAL_ERROR); + goto done; + } + +- if (!EVP_EncryptUpdate(&ctx, out, (int *)out_len, in, in_len)) { ++ if (!EVP_EncryptUpdate(ctx, out, (int *)out_len, in, in_len)) { + result = TSPERR(TSS_E_INTERNAL_ERROR); + DEBUG_print_openssl_errors(); + goto done; + } + +- if (!EVP_EncryptFinal(&ctx, out + *out_len, (int *)&tmp)) { ++ if (!EVP_EncryptFinal(ctx, out + *out_len, (int *)&tmp)) { + result = TSPERR(TSS_E_INTERNAL_ERROR); + DEBUG_print_openssl_errors(); + goto done; + } + *out_len += tmp; + done: +- EVP_CIPHER_CTX_cleanup(&ctx); ++ EVP_CIPHER_CTX_free(ctx); + return result; + } + +@@ -99,7 +103,7 @@ Trspi_Decrypt_ECB(UINT16 alg, BYTE *key, BYTE *in, UINT32 in_len, BYTE *out, + UINT32 *out_len) + { + TSS_RESULT result = TSS_SUCCESS; +- EVP_CIPHER_CTX ctx; ++ EVP_CIPHER_CTX *ctx = NULL; + UINT32 tmp; + + switch (alg) { +@@ -111,28 +115,32 @@ Trspi_Decrypt_ECB(UINT16 alg, BYTE *key, BYTE *in, UINT32 in_len, BYTE *out, + break; + } + +- EVP_CIPHER_CTX_init(&ctx); ++ ctx = EVP_CIPHER_CTX_new(); ++ if (ctx == NULL) { ++ result = TSPERR(TSS_E_OUTOFMEMORY); ++ goto done; ++ } + +- if (!EVP_DecryptInit(&ctx, EVP_aes_256_ecb(), key, NULL)) { ++ if (!EVP_DecryptInit(ctx, EVP_aes_256_ecb(), key, NULL)) { + result = TSPERR(TSS_E_INTERNAL_ERROR); + DEBUG_print_openssl_errors(); + goto done; + } + +- if (!EVP_DecryptUpdate(&ctx, out, (int *)out_len, in, in_len)) { ++ if (!EVP_DecryptUpdate(ctx, out, (int *)out_len, in, in_len)) { + result = TSPERR(TSS_E_INTERNAL_ERROR); + DEBUG_print_openssl_errors(); + goto done; + } + +- if (!EVP_DecryptFinal(&ctx, out + *out_len, (int *)&tmp)) { ++ if (!EVP_DecryptFinal(ctx, out + *out_len, (int *)&tmp)) { + result = TSPERR(TSS_E_INTERNAL_ERROR); + DEBUG_print_openssl_errors(); + goto done; + } + *out_len += tmp; + done: +- EVP_CIPHER_CTX_cleanup(&ctx); ++ EVP_CIPHER_CTX_free(ctx); + return result; + } + +@@ -255,7 +263,7 @@ Trspi_SymEncrypt(UINT16 alg, UINT16 mode, BYTE *key, BYTE *iv, BYTE *in, UINT32 + UINT32 *out_len) + { + TSS_RESULT result = TSS_SUCCESS; +- EVP_CIPHER_CTX ctx; ++ EVP_CIPHER_CTX *ctx; + EVP_CIPHER *cipher; + BYTE *def_iv = NULL, *outiv_ptr; + UINT32 tmp; +@@ -269,7 +277,9 @@ Trspi_SymEncrypt(UINT16 alg, UINT16 mode, BYTE *key, BYTE *iv, BYTE *in, UINT32 + if ((cipher = get_openssl_cipher(alg, mode)) == NULL) + return TSPERR(TSS_E_INTERNAL_ERROR); + +- EVP_CIPHER_CTX_init(&ctx); ++ ctx = EVP_CIPHER_CTX_new(); ++ if (ctx == NULL) ++ return TSPERR(TSS_E_OUTOFMEMORY); + + /* If the iv passed in is NULL, create a new random iv and prepend it to the ciphertext */ + iv_len = EVP_CIPHER_iv_length(cipher); +@@ -289,25 +299,25 @@ Trspi_SymEncrypt(UINT16 alg, UINT16 mode, BYTE *key, BYTE *iv, BYTE *in, UINT32 + outiv_ptr = out; + } + +- if (!EVP_EncryptInit(&ctx, (const EVP_CIPHER *)cipher, key, def_iv)) { ++ if (!EVP_EncryptInit(ctx, (const EVP_CIPHER *)cipher, key, def_iv)) { + result = TSPERR(TSS_E_INTERNAL_ERROR); + DEBUG_print_openssl_errors(); + goto done; + } + +- if ((UINT32)outiv_len < in_len + (EVP_CIPHER_CTX_block_size(&ctx) * 2) - 1) { ++ if ((UINT32)outiv_len < in_len + (EVP_CIPHER_CTX_block_size(ctx) * 2) - 1) { + LogDebug("Not enough space to do symmetric encryption"); + result = TSPERR(TSS_E_INTERNAL_ERROR); + goto done; + } + +- if (!EVP_EncryptUpdate(&ctx, outiv_ptr, &outiv_len, in, in_len)) { ++ if (!EVP_EncryptUpdate(ctx, outiv_ptr, &outiv_len, in, in_len)) { + result = TSPERR(TSS_E_INTERNAL_ERROR); + DEBUG_print_openssl_errors(); + goto done; + } + +- if (!EVP_EncryptFinal(&ctx, outiv_ptr + outiv_len, (int *)&tmp)) { ++ if (!EVP_EncryptFinal(ctx, outiv_ptr + outiv_len, (int *)&tmp)) { + result = TSPERR(TSS_E_INTERNAL_ERROR); + DEBUG_print_openssl_errors(); + goto done; +@@ -320,7 +330,7 @@ done: + *out_len += iv_len; + free(def_iv); + } +- EVP_CIPHER_CTX_cleanup(&ctx); ++ EVP_CIPHER_CTX_free(ctx); + return result; + } + +@@ -329,7 +339,7 @@ Trspi_SymDecrypt(UINT16 alg, UINT16 mode, BYTE *key, BYTE *iv, BYTE *in, UINT32 + UINT32 *out_len) + { + TSS_RESULT result = TSS_SUCCESS; +- EVP_CIPHER_CTX ctx; ++ EVP_CIPHER_CTX *ctx = NULL; + EVP_CIPHER *cipher; + BYTE *def_iv = NULL, *iniv_ptr; + UINT32 tmp; +@@ -341,7 +351,10 @@ Trspi_SymDecrypt(UINT16 alg, UINT16 mode, BYTE *key, BYTE *iv, BYTE *in, UINT32 + if ((cipher = get_openssl_cipher(alg, mode)) == NULL) + return TSPERR(TSS_E_INTERNAL_ERROR); + +- EVP_CIPHER_CTX_init(&ctx); ++ ctx = EVP_CIPHER_CTX_new(); ++ if (ctx == NULL) { ++ return TSPERR(TSS_E_OUTOFMEMORY); ++ } + + /* If the iv is NULL, assume that its prepended to the ciphertext */ + if (iv == NULL) { +@@ -361,19 +374,19 @@ Trspi_SymDecrypt(UINT16 alg, UINT16 mode, BYTE *key, BYTE *iv, BYTE *in, UINT32 + iniv_len = in_len; + } + +- if (!EVP_DecryptInit(&ctx, cipher, key, def_iv)) { ++ if (!EVP_DecryptInit(ctx, cipher, key, def_iv)) { + result = TSPERR(TSS_E_INTERNAL_ERROR); + DEBUG_print_openssl_errors(); + goto done; + } + +- if (!EVP_DecryptUpdate(&ctx, out, (int *)out_len, iniv_ptr, iniv_len)) { ++ if (!EVP_DecryptUpdate(ctx, out, (int *)out_len, iniv_ptr, iniv_len)) { + result = TSPERR(TSS_E_INTERNAL_ERROR); + DEBUG_print_openssl_errors(); + goto done; + } + +- if (!EVP_DecryptFinal(&ctx, out + *out_len, (int *)&tmp)) { ++ if (!EVP_DecryptFinal(ctx, out + *out_len, (int *)&tmp)) { + result = TSPERR(TSS_E_INTERNAL_ERROR); + DEBUG_print_openssl_errors(); + goto done; +@@ -383,6 +396,6 @@ Trspi_SymDecrypt(UINT16 alg, UINT16 mode, BYTE *key, BYTE *iv, BYTE *in, UINT32 + done: + if (def_iv != iv) + free(def_iv); +- EVP_CIPHER_CTX_cleanup(&ctx); ++ EVP_CIPHER_CTX_free(ctx); + return result; + } +-- diff --git a/trousers.spec b/trousers.spec new file mode 100644 index 0000000..b6f9618 --- /dev/null +++ b/trousers.spec @@ -0,0 +1,300 @@ +Name: trousers +Summary: TCG's Software Stack v1.2 +Version: 0.3.14 +Release: 3%{?dist} +License: BSD +Url: http://trousers.sourceforge.net + +Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz +Source1: tcsd.service +Patch1: trousers-0.3.14-noinline.patch +# submitted upstream +Patch2: trousers-0.3.14-unlock-in-err-path.patch +Patch3: trousers-0.3.14-fix-indent-obj_policy.patch +Patch4: trousers-0.3.14-double-free.patch +Patch5: trousers-0.3.14-fix-indent-tspi_key.patch +Patch6: trousers-0.3.14-tcsd-header-fix.patch + +BuildRequires: libtool, openssl-devel +BuildRequires: systemd +Requires(pre): shadow-utils +Requires(post): systemd-units +Requires(preun): systemd-units +Requires(postun): systemd-units +Requires: %{name}-lib%{?_isa} = %{version}-%{release} + +%description +TrouSerS is an implementation of the Trusted Computing Group's Software Stack +(TSS) specification. You can use TrouSerS to write applications that make use +of your TPM hardware. TPM hardware can create, store and use RSA keys +securely (without ever being exposed in memory), verify a platform's software +state using cryptographic hashes and more. + +%package lib +Summary: TrouSerS libtspi library +# Needed obsoletes due to the -lib subpackage split +Obsoletes: trousers < 0.3.13-4 + +%description lib +The libtspi library for use in Trusted Computing enabled applications. + +%package static +Summary: TrouSerS TCG Device Driver Library +Requires: %{name}-devel%{?_isa} = %{version}-%{release} + +%description static +The TCG Device Driver Library (TDDL) used by the TrouSerS tcsd as the +interface to the TPM's device driver. For more information about writing +applications to the TDDL interface, see the latest TSS spec at +https://www.trustedcomputinggroup.org/specs/TSS. + +%package devel +Summary: TrouSerS header files and documentation +Requires: %{name}-lib%{?_isa} = %{version}-%{release} + +%description devel +Header files and man pages for use in creating Trusted Computing enabled +applications. + +%prep +%autosetup -c -p1 +# fix man page paths +sed -i -e 's|/var/tpm|/var/lib/tpm|g' -e 's|/usr/local/var|/var|g' man/man5/tcsd.conf.5.in man/man8/tcsd.8.in + +%build +%configure --with-gui=openssl +make -k %{?_smp_mflags} + +%install +mkdir -p %{buildroot}%{_localstatedir}/lib/tpm +%make_install +find %{buildroot} -type f -name '*.la' -print -delete +mkdir -p %{buildroot}%{_unitdir} +install -Dpm0644 %{SOURCE1} %{buildroot}%{_unitdir}/ + +%pre +getent group tss >/dev/null || groupadd -f -g 59 -r tss +if ! getent passwd tss >/dev/null ; then + if ! getent passwd 59 >/dev/null ; then + useradd -r -u 59 -g tss -d /dev/null -s /sbin/nologin -c "Account used for TPM access" tss + else + useradd -r -g tss -d /dev/null -s /sbin/nologin -c "Account used for TPM access" tss + fi +fi +exit 0 + +%post +%systemd_post tcsd.service + +%preun +%systemd_preun tcsd.service + +%postun +%systemd_postun_with_restart tcsd.service + +%files +%doc README ChangeLog +%{_sbindir}/tcsd +%config(noreplace) %attr(0600, tss, tss) %{_sysconfdir}/tcsd.conf +%{_mandir}/man5/* +%{_mandir}/man8/* +%attr(644,root,root) %{_unitdir}/tcsd.service +%attr(0700, tss, tss) %{_localstatedir}/lib/tpm/ + +%files lib +%license LICENSE +%{_libdir}/libtspi.so.1* + +%files devel +# The files to be used by developers, 'trousers-devel' +%doc doc/LTC-TSS_LLD_08_r2.pdf doc/TSS_programming_SNAFUs.txt +%attr(0755, root, root) %{_libdir}/libtspi.so +%{_includedir}/tss/ +%{_includedir}/trousers/ +%{_mandir}/man3/Tspi_* + +%files static +# The only static library shipped by trousers, the TDDL +%{_libdir}/libtddl.a + +%changelog +* Tue Sep 15 2020 Peter Robinson - 0.3.14-3 +- Update user creation to latest guidelines + +* Wed Jul 29 2020 Fedora Release Engineering - 0.3.14-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Wed Mar 18 2020 Jerry Snitselaar - 0.3.14-1 +- Rebase to 0.3.14 release + +* Fri Jan 31 2020 Fedora Release Engineering - 0.3.13-14 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Sat Jul 27 2019 Fedora Release Engineering - 0.3.13-13 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Sun Feb 03 2019 Fedora Release Engineering - 0.3.13-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Sat Jul 14 2018 Fedora Release Engineering - 0.3.13-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Fri Feb 09 2018 Fedora Release Engineering - 0.3.13-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Aug 03 2017 Fedora Release Engineering - 0.3.13-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 0.3.13-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Tue Feb 7 2017 Peter Robinson 0.3.13-7 +- Add patch for OpenSSL 1.1 + +* Fri Feb 05 2016 Fedora Release Engineering - 0.3.13-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Fri Jun 19 2015 Fedora Release Engineering - 0.3.13-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Tue May 26 2015 Tomáš Mráz 0.3.13-4 +- Split libtspi to a trousers-lib subpackage (#1225062) +- Fix FTBFS with current gcc (drop inline keyword when bogus) + +* Mon Aug 18 2014 Fedora Release Engineering - 0.3.13-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sun Jun 08 2014 Fedora Release Engineering - 0.3.13-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Thu May 15 2014 Steve Grubb 0.3.13-1 +- New upstream bug fix release + +* Tue Mar 18 2014 Steve Grubb 0.3.11.2-3 +- Fix crash when linking libgnutls and libmysqlclient (#1069079) +- Don't order tcsd after syslog.target (#1055198) + +* Thu Feb 13 2014 Peter Robinson 0.3.11.2-2 +- Minor spec cleanups + +* Mon Aug 19 2013 Steve Grubb 0.3.11.2-1 +- New upstream bug fix and license change release + +* Sun Aug 04 2013 Fedora Release Engineering - 0.3.10-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Sun Jun 02 2013 Steve Grubb 0.3.10-3 +- Remove +x bit from service file (#963916) + +* Fri Feb 15 2013 Fedora Release Engineering - 0.3.10-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Tue Sep 25 2012 Steve Grubb 0.3.10-1 +- New upstream bug fix release + +* Thu Aug 30 2012 Steve Grubb 0.3.9-4 +- Make daemon full RELRO + +* Mon Aug 27 2012 Steve Grubb 0.3.9-3 +- bz #836476 - Provide native systemd service + +* Sun Jul 22 2012 Fedora Release Engineering - 0.3.9-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Thu Jun 21 2012 Steve Grubb 0.3.9-1 +- New upstream bug fix release + +* Sat Jan 14 2012 Fedora Release Engineering - 0.3.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Fri Apr 08 2011 Steve Grubb 0.3.6-1 +- New upstream bug fix release + +* Thu Feb 10 2011 Miloš Jakubíček - 0.3.4-5 +- Fix paths in man pages, mark them as %%doc -- fix BZ#676394 + +* Wed Feb 09 2011 Fedora Release Engineering - 0.3.4-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Sat May 01 2010 Miloš Jakubíček - 0.3.4-3 +- Fix init script to conform to Fedora guidelines +- Do not overuse macros + +* Mon Feb 08 2010 Steve Grubb 0.3.4-2 +- Fix issue freeing a data structure + +* Fri Jan 29 2010 Steve Grubb 0.3.4-1 +- New upstream bug fix release +- Upstream requested the tpm-emulator patch be dropped + +* Fri Aug 21 2009 Tomas Mraz - 0.3.1-19 +- rebuilt with new openssl + +* Sun Jul 26 2009 Fedora Release Engineering - 0.3.1-18 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Thu May 14 2009 Milos Jakubicek - 0.3.1-17 +- Do not overuse macros. +- Removed unnecessary file requirements on chkconfig, ldconfig and service, + now requiring the initscripts and chkconfig packages. + +* Wed May 06 2009 Milos Jakubicek - 0.3.1-16 +- Fix a typo in groupadd causing the %%pre scriptlet to fail (resolves BZ#486155). + +* Mon Apr 27 2009 Milos Jakubicek - 0.3.1-15 +- Fix FTBFS: added trousers-0.3.1-gcc44.patch + +* Wed Feb 25 2009 Fedora Release Engineering - 0.3.1-14 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Sun Jan 18 2009 Tomas Mraz - 0.3.1-13 +- rebuild with new openssl + +* Tue Dec 16 2008 David Woodhouse - 0.3.1-12 +- Bump release to avoid wrong tag in rawhide + +* Tue Dec 16 2008 David Woodhouse - 0.3.1-11 +- Work around SELinux namespace pollution (#464037) +- Use SO_REUSEADDR +- Use TPM emulator if it's available and no hardware is + +* Fri Aug 08 2008 Emily Ratliff - 0.3.1-10 +- Use the uid/gid pair assigned to trousers from BZ#457593 + +* Fri Aug 01 2008 Emily Ratliff - 0.3.1-9 +- Incorporated changes from the RHEL package which were done by Steve Grubb + +* Wed Jun 04 2008 Emily Ratliff - 0.3.1-8 +- Fix cast issue preventing successful build on ppc64 and x86_64 + +* Tue Jun 03 2008 Emily Ratliff - 0.3.1-7 +- Fix for BZ #434267 and #440733. Patch authored by Debora Velarde + +* Tue Feb 19 2008 Fedora Release Engineering - 0.3.1-6 +- Autorebuild for GCC 4.3 + +* Mon Dec 17 2007 Kent Yoder - 0.3.1-5 +- Updated static rpm's comment line (too long) + +* Thu Dec 13 2007 Kent Yoder - 0.3.1-4 +- Updated specfile for RHBZ#323441 comment #28 + +* Wed Dec 12 2007 Kent Yoder - 0.3.1-3 +- Updated specfile for RHBZ#323441 comment #22 + +* Wed Nov 28 2007 Kent Yoder - 0.3.1-2 +- Updated to include the include dirs in the devel package; +added the no-install-hooks patch + +* Wed Nov 28 2007 Kent Yoder - 0.3.1-1 +- Updated specfile for RHBZ#323441 comment #13 + +* Mon Nov 12 2007 Kent Yoder - 0.3.1 +- Updated specfile for comments in RHBZ#323441 + +* Wed Jun 07 2006 Kent Yoder - 0.2.6-1 +- Updated build section to use smp_mflags +- Removed .la file from installed dest and files section + +* Tue Jun 06 2006 Kent Yoder - 0.2.6-1 +- Initial add of changelog tag for trousers CVS