tss2/0004-utils-Clean-up-certifyx509-memory-allocation.patch

From d77514273aa88f67b85c398a222ab2195c42f5fd Mon Sep 17 00:00:00 2001
From: Ken Goldman <kgold@linux.ibm.com>
Date: Tue, 31 Aug 2021 13:45:21 -0400
Subject: [PATCH 4/7] utils: Clean up certifyx509 memory allocation

Make TPM_ADDTOCERT input const.  Annotate malloc and free calls.  Free
TPM_PARTIAL_CERT.  Use TPM_ADDTOCERT_free.  Remove unused
x509IssuerName and x509SubjectName and their frees.  Free
TPM_PARTIAL_CERT issuer and subject because createX509Name() mallocs.

Signed-off-by: Ken Goldman <kgold@linux.ibm.com>
---
 utils/certifyx509.c | 26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)

diff --git a/utils/certifyx509.c b/utils/certifyx509.c
index 5602f62..8ac5abd 100644
--- a/utils/certifyx509.c
+++ b/utils/certifyx509.c
@@ -147,7 +147,7 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *certificate,
 TPM_RC reformCertificate(X509 			*x509Certificate,
 			 TPMI_ALG_HASH		halg,
 			 TPMI_ALG_SIG_SCHEME   	scheme,
-			 TPM_ADDTOCERT		*addToCert,
+			 const TPM_ADDTOCERT	*addToCert,
 			 TPMT_SIGNATURE 	*tSignature);
 TPM_RC addSignatureRsa(X509 		*x509Certificate,
 		       TPMI_ALG_HASH	halg,
@@ -618,7 +618,7 @@ int main(int argc, char *argv[])
     if (rc == 0) {
 	if (verbose) X509_print_fp(stdout, x509Certificate);	/* for debug */
 	rc = convertX509ToDer(&x509DerLength,
-			      &x509Der,				/* freed @2 */
+			      &x509Der,				/* freed @4 */
 			      x509Certificate);
     }
     if ((rc == 0) && (outCertificateFilename != NULL)) {
@@ -628,8 +628,13 @@ int main(int argc, char *argv[])
     if (x509Certificate != NULL) {
 	X509_free(x509Certificate);			/* @1 */
     }
-    free(x509Der);					/* @2 */
-    OPENSSL_free(addToCert);				/* @3 */
+    if (partialCertificate != NULL) {
+	TPM_PARTIAL_CERT_free(partialCertificate);	/* @2 */
+    }
+    if (addToCert != NULL) {
+	TPM_ADDTOCERT_free(addToCert);			/* @3 */
+    }
+    free(x509Der);					/* @4 */
     return rc;
 }
 
@@ -683,8 +688,6 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate,	/* input /
     int		irc;
     ASN1_TIME	*arc;			/* return code */
 
-    X509_NAME 	*x509IssuerName = NULL;	/* composite issuer name, key/value pairs */
-    X509_NAME 	*x509SubjectName = NULL;/* composite subject name, key/value pairs */
     size_t	issuerEntriesSize = sizeof(issuerEntries)/sizeof(char *);
     size_t	subjectEntriesSize = sizeof(subjectEntries)/sizeof(char *);
     uint8_t 	*tmpPartialDer = NULL;	/* for the i2d */
@@ -693,6 +696,9 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate,	/* input /
     if (rc == 0) {
 	if (verbose) printf("createPartialCertificate: Adding issuer, size %lu\n",
 			    (unsigned long)issuerEntriesSize);
+	/* _new allocates the member.  free it because createX509Name() allocates a new structure */
+	X509_NAME_free(partialCertificate->issuer);
+	partialCertificate->issuer = NULL;
 	rc = createX509Name(&partialCertificate->issuer,	/* freed @1 */
 			    issuerEntriesSize,
 			    issuerEntries);
@@ -746,6 +752,8 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate,	/* input /
 	if (!subeqiss) {
 	    if (verbose) printf("createPartialCertificate: Adding subject, size %lu\n",
 				(unsigned long)subjectEntriesSize);
+	    X509_NAME_free(partialCertificate->subject);
+	    partialCertificate->subject = NULL;
 	    rc = createX509Name(&partialCertificate->subject,	/* freed @2 */
 				subjectEntriesSize,
 				subjectEntries);
@@ -754,6 +762,8 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate,	/* input /
 	else {
 	    if (verbose) printf("createPartialCertificate: Adding subject (issuer), size %lu\n",
 				(unsigned long)issuerEntriesSize);
+	    X509_NAME_free(partialCertificate->subject);
+	    partialCertificate->subject = NULL;
 	    rc = createX509Name(&partialCertificate->subject,	/* freed @2 */
 				issuerEntriesSize,
 				issuerEntries);
@@ -806,8 +816,6 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate,	/* input /
 	if (verbose) X509_print_fp(stdout, x509Certificate);
     }
 #endif
-    X509_NAME_free(x509IssuerName);	/* @1 */
-    X509_NAME_free(x509SubjectName);	/* @2 */
     OPENSSL_free(tmpPartialDer);	/* @3 */
     return rc;
 }
@@ -956,7 +964,7 @@ TPM_RC addPartialCertExtensionTpmaOid(TPM_PARTIAL_CERT  *partialCertificate,
 TPM_RC reformCertificate(X509 			*x509Certificate,
 			 TPMI_ALG_HASH		halg,
 			 TPMI_ALG_SIG_SCHEME   	scheme,
-			 TPM_ADDTOCERT		*addToCert,
+			 const TPM_ADDTOCERT	*addToCert,
 			 TPMT_SIGNATURE 	*tSignature)
 {
     TPM_RC 		rc = 0;
-- 
2.34.1
Fix failures introduced with OpenSSL 3 Resolves: rhbz#1984621 Resolves: rhbz#1992339 Signed-off-by: Štěpán Horáček <shoracek@redhat.com> 2022-01-19 17:35:33 +00:00			`From d77514273aa88f67b85c398a222ab2195c42f5fd Mon Sep 17 00:00:00 2001`
			`From: Ken Goldman <kgold@linux.ibm.com>`
			`Date: Tue, 31 Aug 2021 13:45:21 -0400`
			`Subject: [PATCH 4/7] utils: Clean up certifyx509 memory allocation`

			`Make TPM_ADDTOCERT input const. Annotate malloc and free calls. Free`
			`TPM_PARTIAL_CERT. Use TPM_ADDTOCERT_free. Remove unused`
			`x509IssuerName and x509SubjectName and their frees. Free`
			`TPM_PARTIAL_CERT issuer and subject because createX509Name() mallocs.`

			`Signed-off-by: Ken Goldman <kgold@linux.ibm.com>`
			`---`
			`utils/certifyx509.c \| 26 +++++++++++++++++---------`
			`1 file changed, 17 insertions(+), 9 deletions(-)`

			`diff --git a/utils/certifyx509.c b/utils/certifyx509.c`
			`index 5602f62..8ac5abd 100644`
			`--- a/utils/certifyx509.c`
			`+++ b/utils/certifyx509.c`
			`@@ -147,7 +147,7 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *certificate,`
			`TPM_RC reformCertificate(X509 *x509Certificate,`
			`TPMI_ALG_HASH halg,`
			`TPMI_ALG_SIG_SCHEME scheme,`
			`- TPM_ADDTOCERT *addToCert,`
			`+ const TPM_ADDTOCERT *addToCert,`
			`TPMT_SIGNATURE *tSignature);`
			`TPM_RC addSignatureRsa(X509 *x509Certificate,`
			`TPMI_ALG_HASH halg,`
			`@@ -618,7 +618,7 @@ int main(int argc, char *argv[])`
			`if (rc == 0) {`
			`if (verbose) X509_print_fp(stdout, x509Certificate); /* for debug */`
			`rc = convertX509ToDer(&x509DerLength,`
			`- &x509Der, /* freed @2 */`
			`+ &x509Der, /* freed @4 */`
			`x509Certificate);`
			`}`
			`if ((rc == 0) && (outCertificateFilename != NULL)) {`
			`@@ -628,8 +628,13 @@ int main(int argc, char *argv[])`
			`if (x509Certificate != NULL) {`
			`X509_free(x509Certificate); /* @1 */`
			`}`
			`- free(x509Der); /* @2 */`
			`- OPENSSL_free(addToCert); /* @3 */`
			`+ if (partialCertificate != NULL) {`
			`+ TPM_PARTIAL_CERT_free(partialCertificate); /* @2 */`
			`+ }`
			`+ if (addToCert != NULL) {`
			`+ TPM_ADDTOCERT_free(addToCert); /* @3 */`
			`+ }`
			`+ free(x509Der); /* @4 */`
			`return rc;`
			`}`

			`@@ -683,8 +688,6 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT partialCertificate, / input /`
			`int irc;`
			`ASN1_TIME arc; / return code */`

			`- X509_NAME x509IssuerName = NULL; / composite issuer name, key/value pairs */`
			`- X509_NAME x509SubjectName = NULL;/ composite subject name, key/value pairs */`
			`size_t issuerEntriesSize = sizeof(issuerEntries)/sizeof(char *);`
			`size_t subjectEntriesSize = sizeof(subjectEntries)/sizeof(char *);`
			`uint8_t tmpPartialDer = NULL; / for the i2d */`
			`@@ -693,6 +696,9 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT partialCertificate, / input /`
			`if (rc == 0) {`
			`if (verbose) printf("createPartialCertificate: Adding issuer, size %lu\n",`
			`(unsigned long)issuerEntriesSize);`
			`+ /* _new allocates the member. free it because createX509Name() allocates a new structure */`
			`+ X509_NAME_free(partialCertificate->issuer);`
			`+ partialCertificate->issuer = NULL;`
			`rc = createX509Name(&partialCertificate->issuer, /* freed @1 */`
			`issuerEntriesSize,`
			`issuerEntries);`
			`@@ -746,6 +752,8 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT partialCertificate, / input /`
			`if (!subeqiss) {`
			`if (verbose) printf("createPartialCertificate: Adding subject, size %lu\n",`
			`(unsigned long)subjectEntriesSize);`
			`+ X509_NAME_free(partialCertificate->subject);`
			`+ partialCertificate->subject = NULL;`
			`rc = createX509Name(&partialCertificate->subject, /* freed @2 */`
			`subjectEntriesSize,`
			`subjectEntries);`
			`@@ -754,6 +762,8 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT partialCertificate, / input /`
			`else {`
			`if (verbose) printf("createPartialCertificate: Adding subject (issuer), size %lu\n",`
			`(unsigned long)issuerEntriesSize);`
			`+ X509_NAME_free(partialCertificate->subject);`
			`+ partialCertificate->subject = NULL;`
			`rc = createX509Name(&partialCertificate->subject, /* freed @2 */`
			`issuerEntriesSize,`
			`issuerEntries);`
			`@@ -806,8 +816,6 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT partialCertificate, / input /`
			`if (verbose) X509_print_fp(stdout, x509Certificate);`
			`}`
			`#endif`
			`- X509_NAME_free(x509IssuerName); /* @1 */`
			`- X509_NAME_free(x509SubjectName); /* @2 */`
			`OPENSSL_free(tmpPartialDer); /* @3 */`
			`return rc;`
			`}`
			`@@ -956,7 +964,7 @@ TPM_RC addPartialCertExtensionTpmaOid(TPM_PARTIAL_CERT *partialCertificate,`
			`TPM_RC reformCertificate(X509 *x509Certificate,`
			`TPMI_ALG_HASH halg,`
			`TPMI_ALG_SIG_SCHEME scheme,`
			`- TPM_ADDTOCERT *addToCert,`
			`+ const TPM_ADDTOCERT *addToCert,`
			`TPMT_SIGNATURE *tSignature)`
			`{`
			`TPM_RC rc = 0;`
			`--`
			`2.34.1`