Merged update from upstream sources

This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/trousers.git#16f74e55185e71ad1d63e31e50c8639e5a0b8a4b
2020-11-07 03:02:08 +00:00 · 2020-11-07 03:02:08 +00:00 · dbf057f2f4
commit dbf057f2f4
parent 6d0c24adf3
10 changed files with 17 additions and 735 deletions
--- a/.gitignore
+++ b/.gitignore
@ -6,3 +6,4 @@ trousers-0.3.4.tar.gz
 /trousers-0.3.11.2.tar.gz
 /trousers-0.3.13.tar.gz
 /trousers-0.3.14.tar.gz
 /trousers-0.3.15.tar.gz
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (trousers-0.3.14.tar.gz) = bf87f00329cf1d76a12cf6b6181fa22f90e76af3c5786e6e2db98438d2d3f0c0e05364374664173f45e3a2f6c0e2364948d0b958a7845cb23fcb340150cd9b21
+SHA512 (trousers-0.3.15.tar.gz) = 769c7d891c6306c1b3252448f86e3043ee837e566c9431f5b4353512113e2907f6ce29c91e8044c420025b79c5f3ff2396ddce93f73b1eb2a15ea1de89ac0fdb
--- a/trousers-0.3.13-noinline.patch
+++ b/trousers-0.3.13-noinline.patch
@ -1,70 +0,0 @@
 diff -up trousers-0.3.13/src/include/tcsps.h.noinline trousers-0.3.13/src/include/tcsps.h
 --- trousers-0.3.13/src/include/tcsps.h.noinline	2014-04-24 20:05:44.000000000 +0200
 +++ trousers-0.3.13/src/include/tcsps.h	2015-05-26 16:36:20.685075185 +0200
@@ -27,8 +27,8 @@ void		   ps_destroy();
 TSS_RESULT  read_data(int, void *, UINT32);
 TSS_RESULT  write_data(int, void *, UINT32);
 #else
 -inline TSS_RESULT  read_data(int, void *, UINT32);
 -inline TSS_RESULT  write_data(int, void *, UINT32);
 +TSS_RESULT  read_data(int, void *, UINT32);
 +TSS_RESULT  write_data(int, void *, UINT32);
 #endif
 int		   write_key_init(int, UINT32, UINT32, UINT32);
 TSS_RESULT	   cache_key(UINT32, UINT16, TSS_UUID *, TSS_UUID *, UINT16, UINT32, UINT32);
 diff -up trousers-0.3.13/src/include/tspps.h.noinline trousers-0.3.13/src/include/tspps.h
 --- trousers-0.3.13/src/include/tspps.h.noinline	2014-04-24 20:05:44.000000000 +0200
 +++ trousers-0.3.13/src/include/tspps.h	2015-05-26 16:36:31.730325291 +0200
@@ -18,8 +18,8 @@
 TSS_RESULT	   get_file(int *);
 int		   put_file(int);
 -inline TSS_RESULT  read_data(int, void *, UINT32);
 -inline TSS_RESULT  write_data(int, void *, UINT32);
 +TSS_RESULT  read_data(int, void *, UINT32);
 +TSS_RESULT  write_data(int, void *, UINT32);
 UINT32		   psfile_get_num_keys(int);
 TSS_RESULT	   psfile_get_parent_uuid_by_uuid(int, TSS_UUID *, TSS_UUID *);
 TSS_RESULT	   psfile_remove_key_by_uuid(int, TSS_UUID *);
 diff -up trousers-0.3.13/src/tcs/ps/ps_utils.c.noinline trousers-0.3.13/src/tcs/ps/ps_utils.c
 --- trousers-0.3.13/src/tcs/ps/ps_utils.c.noinline	2014-04-24 20:05:44.000000000 +0200
 +++ trousers-0.3.13/src/tcs/ps/ps_utils.c	2015-05-26 16:38:33.626085483 +0200
@@ -45,7 +45,7 @@ struct key_disk_cache *key_disk_cache_he
 #ifdef SOLARIS
 TSS_RESULT
 #else
 -inline TSS_RESULT
 +TSS_RESULT
 #endif
 read_data(int fd, void *data, UINT32 size)
 {
@@ -67,7 +67,7 @@ read_data(int fd, void *data, UINT32 siz
 #ifdef SOLARIS
 TSS_RESULT
 #else
 -inline TSS_RESULT
 +TSS_RESULT
 #endif
 write_data(int fd, void *data, UINT32 size)
 {
 diff -up trousers-0.3.13/src/tspi/ps/ps_utils.c.noinline trousers-0.3.13/src/tspi/ps/ps_utils.c
 --- trousers-0.3.13/src/tspi/ps/ps_utils.c.noinline	2014-04-24 20:05:44.000000000 +0200
 +++ trousers-0.3.13/src/tspi/ps/ps_utils.c	2015-05-26 16:39:30.881381965 +0200
@@ -22,7 +22,7 @@
 #include "tspps.h"
 #include "tsplog.h"
 -inline TSS_RESULT
 +TSS_RESULT
 read_data(int fd, void *data, UINT32 size)
 {
 	int rc;
@@ -39,7 +39,7 @@ read_data(int fd, void *data, UINT32 siz
 	return TSS_SUCCESS;
 }
 -inline TSS_RESULT
 +TSS_RESULT
 write_data(int fd, void *data, UINT32 size)
 {
 	int rc;
--- a/trousers-0.3.14-correct-security-issues.patch
+++ b/trousers-0.3.14-correct-security-issues.patch
@ -1,89 +0,0 @@
 From e74dd1d96753b0538192143adf58d04fcd3b242b Mon Sep 17 00:00:00 2001
 From: Matthias Gerstner <mgerstner@suse.de>
 Date: Fri, 14 Aug 2020 22:14:36 -0700
 Subject: [PATCH 1/2] Correct multiple security issues that are present if the
 tcsd is started by root instead of the tss user.
 Patch fixes the following 3 CVEs:
 CVE-2020-24332
 If the tcsd daemon is started with root privileges,
 the creation of the system.data file is prone to symlink attacks
 CVE-2020-24330
 If the tcsd daemon is started with root privileges,
 it fails to drop the root gid after it is no longer needed
 CVE-2020-24331
 If the tcsd daemon is started with root privileges,
 the tss user has read and write access to the /etc/tcsd.conf file
 Authored-by: Matthias Gerstner <mgerstner@suse.de>
 Signed-off-by: Debora Velarde Babb <debora@linux.ibm.com>
 ---
 src/tcs/ps/tcsps.c   |  2 +-
 src/tcsd/svrside.c   |  1 +
 src/tcsd/tcsd_conf.c | 10 +++++-----
 3 files changed, 7 insertions(+), 6 deletions(-)
 diff --git a/src/tcs/ps/tcsps.c b/src/tcs/ps/tcsps.c
 index e47154b20612..85d45a96b7c3 100644
 --- a/src/tcs/ps/tcsps.c
 +++ b/src/tcs/ps/tcsps.c
@@ -72,7 +72,7 @@ get_file()
 	}
 	/* open and lock the file */
 -	system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR, 0600);
 +	system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR|O_NOFOLLOW, 0600);
 	if (system_ps_fd < 0) {
 		LogError("system PS: open() of %s failed: %s",
 				tcsd_options.system_ps_file, strerror(errno));
 diff --git a/src/tcsd/svrside.c b/src/tcsd/svrside.c
 index 1ae1636f8730..1c12ff3afdd0 100644
 --- a/src/tcsd/svrside.c
 +++ b/src/tcsd/svrside.c
@@ -473,6 +473,7 @@ main(int argc, char **argv)
 		}
 		return TCSERR(TSS_E_INTERNAL_ERROR);
 	}
 +	setgid(pwd->pw_gid);
 	setuid(pwd->pw_uid);
 #endif
 #endif
 diff --git a/src/tcsd/tcsd_conf.c b/src/tcsd/tcsd_conf.c
 index a31503df3f1f..ea8ea13f5f16 100644
 --- a/src/tcsd/tcsd_conf.c
 +++ b/src/tcsd/tcsd_conf.c
@@ -743,7 +743,7 @@ conf_file_init(struct tcsd_config *conf)
 #ifndef SOLARIS
 	struct group *grp;
 	struct passwd *pw;
 -	mode_t mode = (S_IRUSR|S_IWUSR);
 +	mode_t mode = (S_IRUSR|S_IWUSR|S_IRGRP);
 #endif /* SOLARIS */
 	TSS_RESULT result;
@@ -798,15 +798,15 @@ conf_file_init(struct tcsd_config *conf)
 	}
 	/* make sure user/group TSS owns the conf file */
 -	if (pw->pw_uid != stat_buf.st_uid || grp->gr_gid != stat_buf.st_gid) {
 +	if (stat_buf.st_uid != 0 || grp->gr_gid != stat_buf.st_gid) {
 		LogError("TCSD config file (%s) must be user/group %s/%s", tcsd_config_file,
 -				TSS_USER_NAME, TSS_GROUP_NAME);
 +				"root", TSS_GROUP_NAME);
 		return TCSERR(TSS_E_INTERNAL_ERROR);
 	}
 -	/* make sure only the tss user can manipulate the config file */
 +	/* make sure only the tss user can read (but not manipulate) the config file */
 	if (((stat_buf.st_mode & 0777) ^ mode) != 0) {
 -		LogError("TCSD config file (%s) must be mode 0600", tcsd_config_file);
 +		LogError("TCSD config file (%s) must be mode 0640", tcsd_config_file);
 		return TCSERR(TSS_E_INTERNAL_ERROR);
 	}
 #endif /* SOLARIS */
 -- 
 2.27.0
--- a/trousers-0.3.14-double-free.patch
+++ b/trousers-0.3.14-double-free.patch
@ -1,27 +0,0 @@
 diff -ur trousers-0.3.14/src/tspi/tsp_auth.c trousers-0.3.14-new/src/tspi/tsp_auth.c
 --- trousers-0.3.14/src/tspi/tsp_auth.c	2014-07-23 12:42:45.000000000 -0700
 +++ trousers-0.3.14-new/src/tspi/tsp_auth.c	2019-05-27 13:41:57.316000945 -0700
@@ -1221,7 +1221,7 @@
 	}
 	*handles = handle;
 -    handles_track = handles;
 +	handles_track = handles;
     // Since the call tree of this function can possibly alloc memory 
     // (check RPC_ExecuteTransport_TP function), its better to keep track of
@@ -1229,9 +1229,11 @@
 	result = obj_context_transport_execute(tspContext, TPM_ORD_Terminate_Handle, 0, NULL,
 					       NULL, &handlesLen, &handles, NULL, NULL, NULL, NULL);
 -	free(handles);
 -    handles = NULL;
 -    free(handles_track);
 +	if (handles != handles_track) {
 +		free(handles);
 +	}
 +
 +	free(handles_track);
 	return result;
 }
--- a/trousers-0.3.14-no-optimize.patch
+++ b/trousers-0.3.14-no-optimize.patch
@ -1,49 +0,0 @@
 From 6edef3777f9b9a26e63168bb81c8d4f4ddb17017 Mon Sep 17 00:00:00 2001
 From: Jerry Snitselaar <jsnitsel@redhat.com>
 Date: Wed, 5 Jun 2019 11:51:33 -0700
 Subject: [PATCH 2/2] trousers: don't use __no_optimize
 The trousers is failing annocheck hardened check due to
 __no_optimize being used for __tspi_memset(). Instead of
 __no_optimize use a asm memory barrier.
 Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
 Signed-off-by: Debora Velarde Babb <debora@linux.ibm.com>
 ---
 src/include/spi_utils.h    | 2 +-
 src/tspi/tsp_context_mem.c | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)
 diff --git a/src/include/spi_utils.h b/src/include/spi_utils.h
 index 11255b20a21d..6ef21ce0cc83 100644
 --- a/src/include/spi_utils.h
 +++ b/src/include/spi_utils.h
@@ -53,7 +53,7 @@ MUTEX_DECLARE_EXTERN(mem_cache_lock);
 void *calloc_tspi(TSS_HCONTEXT, UINT32);
 TSS_RESULT free_tspi(TSS_HCONTEXT, void *);
 TSS_RESULT __tspi_add_mem_entry(TSS_HCONTEXT, void *);
 -void * __no_optimize __tspi_memset(void *, int, size_t);
 +void * __tspi_memset(void *, int, size_t);
 /* secrets.c */
 diff --git a/src/tspi/tsp_context_mem.c b/src/tspi/tsp_context_mem.c
 index 2982df9fed06..2769af3662b9 100644
 --- a/src/tspi/tsp_context_mem.c
 +++ b/src/tspi/tsp_context_mem.c
@@ -258,8 +258,10 @@ free_tspi(TSS_HCONTEXT tspContext, void *memPointer)
 }
 /* definition for a memset that cannot be optimized away */
 -void * __no_optimize
 +void *
 __tspi_memset(void *s, int c, size_t n)
 {
 -	return memset(s, c, n);
 +	memset(s, c, n);
 +	asm volatile("" ::: "memory");
 +	return s;
 }
 -- 
 2.27.0
--- a/trousers-0.3.14-noinline.patch
+++ b/trousers-0.3.14-noinline.patch
@ -1,6 +1,6 @@
-diff -ur a/src/include/tspps.h b/src/include/tspps.h
+diff -ur trousers-0.3.15/src/include/tspps.h trousers-0.3.15-new/src/include/tspps.h
--- a/src/include/tspps.h	2014-07-23 12:42:44.000000000 -0700
+--- trousers-0.3.15/src/include/tspps.h	2020-05-27 23:01:45.000000000 -0700
-+++ b/src/include/tspps.h	2018-08-01 19:33:42.454192873 -0700
+++ trousers-0.3.15-new/src/include/tspps.h	2020-11-06 17:46:53.796319788 -0700
@@ -18,8 +18,8 @@
 TSS_RESULT	   get_file(int *);
--- a/trousers-0.3.14-tcsd-header-fix.patch
+++ b/trousers-0.3.14-tcsd-header-fix.patch
@ -1,37 +0,0 @@
 From b692f86a93c8f7e6ac938277a9aec434b02c252b Mon Sep 17 00:00:00 2001
 From: Jerry Snitselaar <jsnitsel@redhat.com>
 Date: Wed, 18 Mar 2020 13:35:22 -0700
 Subject: [PATCH] trousers: resolve build failure
 The global variables tcsd_sa_chld and tcsd_sa_int in tcsd.h are
 causing build failures in latest Fedora release:
 /usr/bin/ld: ../../src/tcs/libtcs.a(libtcs_a-tcsi_changeauth.o):/builddir/build/BUILD/trousers-0.3.13/src/tcs/../include/tcsd.h:169: multiple definition of `tcsd_sa_chld'; tcsd-svrside.o:/builddir/build/BUILD/trousers-0.3.13/src/tcsd/../../src/include/tcsd.h:169: first defined here
 /usr/bin/ld: ../../src/tcs/libtcs.a(libtcs_a-tcsi_changeauth.o):/builddir/build/BUILD/trousers-0.3.13/src/tcs/../include/tcsd.h:168: multiple definition of `tcsd_sa_int'; tcsd-svrside.o:/builddir/build/BUILD/trousers-0.3.13/src/tcsd/../../src/include/tcsd.h:168: first defined here
 They are no longer used since 9b40e581470b ("Improved daemon's signal
 handling") so just remove them.
 Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
 ---
 src/include/tcsd.h | 6 ------
 1 file changed, 6 deletions(-)
 diff --git a/src/include/tcsd.h b/src/include/tcsd.h
 index 5b9462b85ed6..f5c286e01c86 100644
 --- a/src/include/tcsd.h
 +++ b/src/include/tcsd.h
@@ -164,10 +164,4 @@ TSS_RESULT tcsd_thread_create(int, char *);
 void	   *tcsd_thread_run(void *);
 void	   thread_signal_init();
 -/* signal handling */
 -#ifndef __APPLE__
 -struct sigaction tcsd_sa_int;
 -struct sigaction tcsd_sa_chld;
 -#endif
 -
 #endif
 -- 
 2.24.0
--- a/trousers-openssl1.1.patch
+++ b/trousers-openssl1.1.patch
@ -1,448 +0,0 @@
@@ -, +, @@ 
 ---
 src/tcs/crypto/openssl/crypto.c      | 15 ++++++---
 src/trspi/crypto/openssl/hash.c      | 17 ++++++----
 src/trspi/crypto/openssl/rsa.c       | 64 ++++++++++++++++++++++++++++++-----
 src/trspi/crypto/openssl/symmetric.c | 65 +++++++++++++++++++++---------------
 4 files changed, 115 insertions(+), 46 deletions(-)
 --- a/src/tcs/crypto/openssl/crypto.c	
 +++ a/src/tcs/crypto/openssl/crypto.c	
@@ -31,13 +31,17 @@ 
 TSS_RESULT
 Hash(UINT32 HashType, UINT32 BufSize, BYTE* Buf, BYTE* Digest)
 {
 -	EVP_MD_CTX md_ctx;
 +	EVP_MD_CTX *md_ctx;
 	unsigned int result_size;
 	int rv;
 +	md_ctx = EVP_MD_CTX_new();
 +	if (md_ctx == NULL)
 +		return TSPERR(TSS_E_OUTOFMEMORY);
 +
 	switch (HashType) {
 		case TSS_HASH_SHA1:
 -			rv = EVP_DigestInit(&md_ctx, EVP_sha1());
 +			rv = EVP_DigestInit(md_ctx, EVP_sha1());
 			break;
 		default:
 			rv = TCSERR(TSS_E_BAD_PARAMETER);
@@ -50,19 +54,20 @@ Hash(UINT32 HashType, UINT32 BufSize, BYTE* Buf, BYTE* Digest)
 		goto out;
 	}
 -	rv = EVP_DigestUpdate(&md_ctx, Buf, BufSize);
 +	rv = EVP_DigestUpdate(md_ctx, Buf, BufSize);
 	if (rv != EVP_SUCCESS) {
 		rv = TCSERR(TSS_E_INTERNAL_ERROR);
 		goto out;
 	}
 -	result_size = EVP_MD_CTX_size(&md_ctx);
 -	rv = EVP_DigestFinal(&md_ctx, Digest, &result_size);
 +	result_size = EVP_MD_CTX_size(md_ctx);
 +	rv = EVP_DigestFinal(md_ctx, Digest, &result_size);
 	if (rv != EVP_SUCCESS) {
 		rv = TCSERR(TSS_E_INTERNAL_ERROR);
 	} else
 		rv = TSS_SUCCESS;
 out:
 +	EVP_MD_CTX_free(md_ctx);
 	return rv;
 }
 --- a/src/trspi/crypto/openssl/hash.c	
 +++ a/src/trspi/crypto/openssl/hash.c	
@@ -56,13 +56,17 @@ int MGF1(unsigned char *, long, const unsigned char *, long);
 TSS_RESULT
 Trspi_Hash(UINT32 HashType, UINT32 BufSize, BYTE* Buf, BYTE* Digest)
 {
 -	EVP_MD_CTX md_ctx;
 +	EVP_MD_CTX *md_ctx;
 	unsigned int result_size;
 	int rv;
 +	md_ctx = EVP_MD_CTX_new();
 +	if (md_ctx == NULL)
 +		return TSPERR(TSS_E_OUTOFMEMORY);
 +
 	switch (HashType) {
 		case TSS_HASH_SHA1:
 -			rv = EVP_DigestInit(&md_ctx, EVP_sha1());
 +			rv = EVP_DigestInit(md_ctx, EVP_sha1());
 			break;
 		default:
 			rv = TSPERR(TSS_E_BAD_PARAMETER);
@@ -75,14 +79,14 @@ Trspi_Hash(UINT32 HashType, UINT32 BufSize, BYTE* Buf, BYTE* Digest)
 		goto err;
 	}
 -	rv = EVP_DigestUpdate(&md_ctx, Buf, BufSize);
 +	rv = EVP_DigestUpdate(md_ctx, Buf, BufSize);
 	if (rv != EVP_SUCCESS) {
 		rv = TSPERR(TSS_E_INTERNAL_ERROR);
 		goto err;
 	}
 -	result_size = EVP_MD_CTX_size(&md_ctx);
 -	rv = EVP_DigestFinal(&md_ctx, Digest, &result_size);
 +	result_size = EVP_MD_CTX_size(md_ctx);
 +	rv = EVP_DigestFinal(md_ctx, Digest, &result_size);
 	if (rv != EVP_SUCCESS) {
 		rv = TSPERR(TSS_E_INTERNAL_ERROR);
 		goto err;
@@ -94,6 +98,7 @@ Trspi_Hash(UINT32 HashType, UINT32 BufSize, BYTE* Buf, BYTE* Digest)
 err:
 	DEBUG_print_openssl_errors();
 out:
 +	EVP_MD_CTX_free(md_ctx);
         return rv;
 }
@@ -112,7 +117,7 @@ Trspi_HashInit(Trspi_HashCtx *ctx, UINT32 HashType)
 			break;
 	}
 -	if ((ctx->ctx = malloc(sizeof(EVP_MD_CTX))) == NULL)
 +	if ((ctx->ctx = EVP_MD_CTX_new()) == NULL)
 		return TSPERR(TSS_E_OUTOFMEMORY);
 	rv = EVP_DigestInit((EVP_MD_CTX *)ctx->ctx, (const EVP_MD *)md);
 --- a/src/trspi/crypto/openssl/rsa.c	
 +++ a/src/trspi/crypto/openssl/rsa.c	
@@ -38,6 +38,25 @@ 
 #define DEBUG_print_openssl_errors()
 #endif
 +#if OPENSSL_VERSION_NUMBER < 0x10100001L
 +static int
 +RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
 +{
 +	if (n != NULL) {
 +		BN_free(r->n);
 +		r->n = n;
 +	}
 +	if (e != NULL) {
 +		BN_free(r->e);
 +		r->e = e;
 +	}
 +	if (d != NULL) {
 +		BN_free(r->d);
 +		r->d = d;
 +	}
 +	return 1;
 +}
 +#endif
 /*
  * Hopefully this will make the code clearer since
@@ -61,6 +80,7 @@ Trspi_RSA_Encrypt(unsigned char *dataToEncrypt, /* in */
 	RSA *rsa = RSA_new();
 	BYTE encodedData[256];
 	int encodedDataLen;
 +	BIGNUM *rsa_n = NULL, *rsa_e = NULL;
 	if (rsa == NULL) {
 		rv = TSPERR(TSS_E_OUTOFMEMORY);
@@ -68,12 +88,20 @@ Trspi_RSA_Encrypt(unsigned char *dataToEncrypt, /* in */
 	}
 	/* set the public key value in the OpenSSL object */
 -	rsa->n = BN_bin2bn(publicKey, keysize, rsa->n);
 +	rsa_n = BN_bin2bn(publicKey, keysize, NULL);
 	/* set the public exponent */
 -	rsa->e = BN_bin2bn(exp, sizeof(exp), rsa->e);
 +	rsa_e = BN_bin2bn(exp, sizeof(exp), NULL);
 -	if (rsa->n == NULL || rsa->e == NULL) {
 +	if (rsa_n == NULL || rsa_e == NULL) {
 		rv = TSPERR(TSS_E_OUTOFMEMORY);
 +		BN_free(rsa_n);
 +		BN_free(rsa_e);
 +		goto err;
 +	}
 +	if (!RSA_set0_key(rsa, rsa_n, rsa_e, NULL)) {
 +		rv = TSPERR(TSS_E_FAIL);
 +		BN_free(rsa_n);
 +		BN_free(rsa_e);
 		goto err;
 	}
@@ -123,6 +151,7 @@ Trspi_Verify(UINT32 HashType, BYTE *pHash, UINT32 iHashLength,
 	unsigned char exp[] = { 0x01, 0x00, 0x01 }; /* The default public exponent for the TPM */
 	unsigned char buf[256];
 	RSA *rsa = RSA_new();
 +	BIGNUM *rsa_n = NULL, *rsa_e = NULL;
 	if (rsa == NULL) {
 		rv = TSPERR(TSS_E_OUTOFMEMORY);
@@ -146,12 +175,20 @@ Trspi_Verify(UINT32 HashType, BYTE *pHash, UINT32 iHashLength,
 	}
 	/* set the public key value in the OpenSSL object */
 -	rsa->n = BN_bin2bn(pModulus, iKeyLength, rsa->n);
 +	rsa_n = BN_bin2bn(pModulus, iKeyLength, NULL);
 	/* set the public exponent */
 -	rsa->e = BN_bin2bn(exp, sizeof(exp), rsa->e);
 +	rsa_e = BN_bin2bn(exp, sizeof(exp), NULL);
 -	if (rsa->n == NULL || rsa->e == NULL) {
 +	if (rsa_n == NULL || rsa_e == NULL) {
 		rv = TSPERR(TSS_E_OUTOFMEMORY);
 +		BN_free(rsa_n);
 +		BN_free(rsa_e);
 +		goto err;
 +	}
 +	if (!RSA_set0_key(rsa, rsa_n, rsa_e, NULL)) {
 +		rv = TSPERR(TSS_E_FAIL);
 +		BN_free(rsa_n);
 +		BN_free(rsa_e);
 		goto err;
 	}
@@ -195,6 +232,7 @@ Trspi_RSA_Public_Encrypt(unsigned char *in, unsigned int inlen,
 	int rv, e_size = 3;
 	unsigned char exp[] = { 0x01, 0x00, 0x01 };
 	RSA *rsa = RSA_new();
 +	BIGNUM *rsa_n = NULL, *rsa_e = NULL;
 	if (rsa == NULL) {
 		rv = TSPERR(TSS_E_OUTOFMEMORY);
@@ -237,12 +275,20 @@ Trspi_RSA_Public_Encrypt(unsigned char *in, unsigned int inlen,
 	}
 	/* set the public key value in the OpenSSL object */
 -	rsa->n = BN_bin2bn(pubkey, pubsize, rsa->n);
 +	rsa_n = BN_bin2bn(pubkey, pubsize, NULL);
 	/* set the public exponent */
 -	rsa->e = BN_bin2bn(exp, e_size, rsa->e);
 +	rsa_e = BN_bin2bn(exp, e_size, NULL);
 -	if (rsa->n == NULL || rsa->e == NULL) {
 +	if (rsa_n == NULL || rsa_e == NULL) {
 		rv = TSPERR(TSS_E_OUTOFMEMORY);
 +		BN_free(rsa_n);
 +		BN_free(rsa_e);
 +		goto err;
 +	}
 +	if (!RSA_set0_key(rsa, rsa_n, rsa_e, NULL)) {
 +		rv = TSPERR(TSS_E_FAIL);
 +		BN_free(rsa_n);
 +		BN_free(rsa_e);
 		goto err;
 	}
 --- a/src/trspi/crypto/openssl/symmetric.c	
 +++ a/src/trspi/crypto/openssl/symmetric.c	
@@ -52,7 +52,7 @@ Trspi_Encrypt_ECB(UINT16 alg, BYTE *key, BYTE *in, UINT32 in_len, BYTE *out,
 		  UINT32 *out_len)
 {
 	TSS_RESULT result = TSS_SUCCESS;
 -	EVP_CIPHER_CTX ctx;
 +	EVP_CIPHER_CTX *ctx = NULL;
 	UINT32 tmp;
 	switch (alg) {
@@ -64,33 +64,37 @@ Trspi_Encrypt_ECB(UINT16 alg, BYTE *key, BYTE *in, UINT32 in_len, BYTE *out,
 			break;
 	}
 -	EVP_CIPHER_CTX_init(&ctx);
 +	ctx = EVP_CIPHER_CTX_new();
 +	if (ctx == NULL) {
 +		result = TSPERR(TSS_E_OUTOFMEMORY);
 +		goto done;
 +	}
 -	if (!EVP_EncryptInit(&ctx, EVP_aes_256_ecb(), key, NULL)) {
 +	if (!EVP_EncryptInit(ctx, EVP_aes_256_ecb(), key, NULL)) {
 		result = TSPERR(TSS_E_INTERNAL_ERROR);
 		DEBUG_print_openssl_errors();
 		goto done;
 	}
 -	if (*out_len < in_len + EVP_CIPHER_CTX_block_size(&ctx) - 1) {
 +	if (*out_len < in_len + EVP_CIPHER_CTX_block_size(ctx) - 1) {
 		result = TSPERR(TSS_E_INTERNAL_ERROR);
 		goto done;
 	}
 -	if (!EVP_EncryptUpdate(&ctx, out, (int *)out_len, in, in_len)) {
 +	if (!EVP_EncryptUpdate(ctx, out, (int *)out_len, in, in_len)) {
 		result = TSPERR(TSS_E_INTERNAL_ERROR);
 		DEBUG_print_openssl_errors();
 		goto done;
 	}
 -	if (!EVP_EncryptFinal(&ctx, out + *out_len, (int *)&tmp)) {
 +	if (!EVP_EncryptFinal(ctx, out + *out_len, (int *)&tmp)) {
 		result = TSPERR(TSS_E_INTERNAL_ERROR);
 		DEBUG_print_openssl_errors();
 		goto done;
 	}
 	*out_len += tmp;
 done:
 -	EVP_CIPHER_CTX_cleanup(&ctx);
 +	EVP_CIPHER_CTX_free(ctx);
 	return result;
 }
@@ -99,7 +103,7 @@ Trspi_Decrypt_ECB(UINT16 alg, BYTE *key, BYTE *in, UINT32 in_len, BYTE *out,
 		  UINT32 *out_len)
 {
 	TSS_RESULT result = TSS_SUCCESS;
 -	EVP_CIPHER_CTX ctx;
 +	EVP_CIPHER_CTX *ctx = NULL;
 	UINT32 tmp;
 	switch (alg) {
@@ -111,28 +115,32 @@ Trspi_Decrypt_ECB(UINT16 alg, BYTE *key, BYTE *in, UINT32 in_len, BYTE *out,
 			break;
 	}
 -	EVP_CIPHER_CTX_init(&ctx);
 +	ctx = EVP_CIPHER_CTX_new();
 +	if (ctx == NULL) {
 +		result = TSPERR(TSS_E_OUTOFMEMORY);
 +		goto done;
 +	}
 -	if (!EVP_DecryptInit(&ctx, EVP_aes_256_ecb(), key, NULL)) {
 +	if (!EVP_DecryptInit(ctx, EVP_aes_256_ecb(), key, NULL)) {
 		result = TSPERR(TSS_E_INTERNAL_ERROR);
 		DEBUG_print_openssl_errors();
 		goto done;
 	}
 -	if (!EVP_DecryptUpdate(&ctx, out, (int *)out_len, in, in_len)) {
 +	if (!EVP_DecryptUpdate(ctx, out, (int *)out_len, in, in_len)) {
 		result = TSPERR(TSS_E_INTERNAL_ERROR);
 		DEBUG_print_openssl_errors();
 		goto done;
 	}
 -	if (!EVP_DecryptFinal(&ctx, out + *out_len, (int *)&tmp)) {
 +	if (!EVP_DecryptFinal(ctx, out + *out_len, (int *)&tmp)) {
 		result = TSPERR(TSS_E_INTERNAL_ERROR);
 		DEBUG_print_openssl_errors();
 		goto done;
 	}
 	*out_len += tmp;
 done:
 -	EVP_CIPHER_CTX_cleanup(&ctx);
 +	EVP_CIPHER_CTX_free(ctx);
 	return result;
 }
@@ -255,7 +263,7 @@ Trspi_SymEncrypt(UINT16 alg, UINT16 mode, BYTE *key, BYTE *iv, BYTE *in, UINT32
 		 UINT32 *out_len)
 {
 	TSS_RESULT result = TSS_SUCCESS;
 -	EVP_CIPHER_CTX ctx;
 +	EVP_CIPHER_CTX *ctx;
 	EVP_CIPHER *cipher;
 	BYTE *def_iv = NULL, *outiv_ptr;
 	UINT32 tmp;
@@ -269,7 +277,9 @@ Trspi_SymEncrypt(UINT16 alg, UINT16 mode, BYTE *key, BYTE *iv, BYTE *in, UINT32
 	if ((cipher = get_openssl_cipher(alg, mode)) == NULL)
 		return TSPERR(TSS_E_INTERNAL_ERROR);
 -	EVP_CIPHER_CTX_init(&ctx);
 +	ctx = EVP_CIPHER_CTX_new();
 +	if (ctx == NULL)
 +		return TSPERR(TSS_E_OUTOFMEMORY);
 	/* If the iv passed in is NULL, create a new random iv and prepend it to the ciphertext */
 	iv_len = EVP_CIPHER_iv_length(cipher);
@@ -289,25 +299,25 @@ Trspi_SymEncrypt(UINT16 alg, UINT16 mode, BYTE *key, BYTE *iv, BYTE *in, UINT32
 		outiv_ptr = out;
 	}
 -	if (!EVP_EncryptInit(&ctx, (const EVP_CIPHER *)cipher, key, def_iv)) {
 +	if (!EVP_EncryptInit(ctx, (const EVP_CIPHER *)cipher, key, def_iv)) {
 		result = TSPERR(TSS_E_INTERNAL_ERROR);
 		DEBUG_print_openssl_errors();
 		goto done;
 	}
 -	if ((UINT32)outiv_len < in_len + (EVP_CIPHER_CTX_block_size(&ctx) * 2) - 1) {
 +	if ((UINT32)outiv_len < in_len + (EVP_CIPHER_CTX_block_size(ctx) * 2) - 1) {
 		LogDebug("Not enough space to do symmetric encryption");
 		result = TSPERR(TSS_E_INTERNAL_ERROR);
 		goto done;
 	}
 -	if (!EVP_EncryptUpdate(&ctx, outiv_ptr, &outiv_len, in, in_len)) {
 +	if (!EVP_EncryptUpdate(ctx, outiv_ptr, &outiv_len, in, in_len)) {
 		result = TSPERR(TSS_E_INTERNAL_ERROR);
 		DEBUG_print_openssl_errors();
 		goto done;
 	}
 -	if (!EVP_EncryptFinal(&ctx, outiv_ptr + outiv_len, (int *)&tmp)) {
 +	if (!EVP_EncryptFinal(ctx, outiv_ptr + outiv_len, (int *)&tmp)) {
 		result = TSPERR(TSS_E_INTERNAL_ERROR);
 		DEBUG_print_openssl_errors();
 		goto done;
@@ -320,7 +330,7 @@ done:
 		*out_len += iv_len;
 		free(def_iv);
 	}
 -	EVP_CIPHER_CTX_cleanup(&ctx);
 +	EVP_CIPHER_CTX_free(ctx);
 	return result;
 }
@@ -329,7 +339,7 @@ Trspi_SymDecrypt(UINT16 alg, UINT16 mode, BYTE *key, BYTE *iv, BYTE *in, UINT32
 		 UINT32 *out_len)
 {
 	TSS_RESULT result = TSS_SUCCESS;
 -	EVP_CIPHER_CTX ctx;
 +	EVP_CIPHER_CTX *ctx = NULL;
 	EVP_CIPHER *cipher;
 	BYTE *def_iv = NULL, *iniv_ptr;
 	UINT32 tmp;
@@ -341,7 +351,10 @@ Trspi_SymDecrypt(UINT16 alg, UINT16 mode, BYTE *key, BYTE *iv, BYTE *in, UINT32
 	if ((cipher = get_openssl_cipher(alg, mode)) == NULL)
 		return TSPERR(TSS_E_INTERNAL_ERROR);
 -	EVP_CIPHER_CTX_init(&ctx);
 +	ctx = EVP_CIPHER_CTX_new();
 +	if (ctx == NULL) {
 +		return TSPERR(TSS_E_OUTOFMEMORY);
 +	}
 	/* If the iv is NULL, assume that its prepended to the ciphertext */
 	if (iv == NULL) {
@@ -361,19 +374,19 @@ Trspi_SymDecrypt(UINT16 alg, UINT16 mode, BYTE *key, BYTE *iv, BYTE *in, UINT32
 		iniv_len = in_len;
 	}
 -	if (!EVP_DecryptInit(&ctx, cipher, key, def_iv)) {
 +	if (!EVP_DecryptInit(ctx, cipher, key, def_iv)) {
 		result = TSPERR(TSS_E_INTERNAL_ERROR);
 		DEBUG_print_openssl_errors();
 		goto done;
 	}
 -	if (!EVP_DecryptUpdate(&ctx, out, (int *)out_len, iniv_ptr, iniv_len)) {
 +	if (!EVP_DecryptUpdate(ctx, out, (int *)out_len, iniv_ptr, iniv_len)) {
 		result = TSPERR(TSS_E_INTERNAL_ERROR);
 		DEBUG_print_openssl_errors();
 		goto done;
 	}
 -	if (!EVP_DecryptFinal(&ctx, out + *out_len, (int *)&tmp)) {
 +	if (!EVP_DecryptFinal(ctx, out + *out_len, (int *)&tmp)) {
 		result = TSPERR(TSS_E_INTERNAL_ERROR);
 		DEBUG_print_openssl_errors();
 		goto done;
@@ -383,6 +396,6 @@ Trspi_SymDecrypt(UINT16 alg, UINT16 mode, BYTE *key, BYTE *iv, BYTE *in, UINT32
 done:
 	if (def_iv != iv)
 		free(def_iv);
 -	EVP_CIPHER_CTX_cleanup(&ctx);
 +	EVP_CIPHER_CTX_free(ctx);
 	return result;
 }
 -- 
--- a/trousers.spec
+++ b/trousers.spec
@ -1,7 +1,7 @@
 Name: trousers
 Summary: TCG's Software Stack v1.2
-Version: 0.3.14
+Version: 0.3.15
-Release: 4%{?dist}
+Release: 1%{?dist}
 License: BSD
 Url: http://trousers.sourceforge.net
@ -11,13 +11,9 @@ Patch1:  trousers-0.3.14-noinline.patch
 # submitted upstream
 Patch2: trousers-0.3.14-unlock-in-err-path.patch
 Patch3: trousers-0.3.14-fix-indent-obj_policy.patch
-Patch4: trousers-0.3.14-double-free.patch
+Patch4: trousers-0.3.14-fix-indent-tspi_key.patch
 Patch5: trousers-0.3.14-fix-indent-tspi_key.patch
 Patch6: trousers-0.3.14-tcsd-header-fix.patch
 Patch7: trousers-0.3.14-correct-security-issues.patch
 Patch8: trousers-0.3.14-no-optimize.patch
-BuildRequires: libtool, openssl-devel
+BuildRequires: libtool openssl-devel gettext-devel autoconf automake
 BuildRequires: systemd
 Requires(pre): shadow-utils
 Requires(post): systemd-units
@ -59,11 +55,13 @@ Header files and man pages for use in creating Trusted Computing enabled
 applications.
 %prep
-%autosetup -c -p1
+%autosetup -p1
 # fix man page paths
 sed -i -e 's|/var/tpm|/var/lib/tpm|g' -e 's|/usr/local/var|/var|g' man/man5/tcsd.conf.5.in man/man8/tcsd.8.in
 %build
 chmod +x ./bootstrap.sh
 ./bootstrap.sh
 %configure --with-gui=openssl
 make -k %{?_smp_mflags}
@ -120,6 +118,9 @@ exit 0
 %{_libdir}/libtddl.a
 %changelog
 * Fri Nov 06 2020 Jerry Snitselaar <jsnitsel@redhat.com> - 0.3.15-1
 - Rebase to 0.3.15 release.
 * Thu Oct 29 2020 Jerry Snitselaar <jsnitsel@redhat.com> - 0.3.14-4
 - Fix for CVE-2020-24330 (RHBZ#1874824)
 - Fix for CVE-2020-24331 (RHBZ#1870057)
`@ -1 +1 @@`
	`SHA512 (trousers-0.3.14.tar.gz) = bf87f00329cf1d76a12cf6b6181fa22f90e76af3c5786e6e2db98438d2d3f0c0e05364374664173f45e3a2f6c0e2364948d0b958a7845cb23fcb340150cd9b21`	`SHA512 (trousers-0.3.15.tar.gz) = 769c7d891c6306c1b3252448f86e3043ee837e566c9431f5b4353512113e2907f6ce29c91e8044c420025b79c5f3ff2396ddce93f73b1eb2a15ea1de89ac0fdb`