import tss2-1.6.0-6.el9_0

.gitignore

@@ -0,0 +1 @@
+SOURCES/ibmtss1.6.0.tar.gz

.tss2.metadata

@@ -0,0 +1 @@
+fcd86e864f69443f72ecbf18f26e39844aefee44 SOURCES/ibmtss1.6.0.tar.gz

SOURCES/0001-utils-Generate-X509-certificate-serial-number-using-.patch

@@ -0,0 +1,62 @@
+From e0c1e3efd187a3cfa77906eef978fa6beada0b31 Mon Sep 17 00:00:00 2001
+From: Ken Goldman <kgoldman@us.ibm.com>
+Date: Thu, 1 Jul 2021 13:55:28 -0400
+Subject: [PATCH] utils: Generate X509 certificate serial number using sha256
+
+This is just a test certificate, not a real CA.  Certificate serial
+numbers can be 20 octets maximum.  Use a truncated sha256 because some
+'lint' programs are now scanning for sha1.
+
+Signed-off-by: Ken Goldman <kgoldman@us.ibm.com>
+---
+ utils/ekutils.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/utils/ekutils.c b/utils/ekutils.c
+index a0a2734..aad6fba 100644
+--- a/utils/ekutils.c
++++ b/utils/ekutils.c
+@@ -61,6 +61,7 @@
+ 
+ #include <openssl/pem.h>
+ #include <openssl/x509.h>
++#include <openssl/evp.h>
+ 
+ #include <ibmtss/tssresponsecode.h>
+ #include <ibmtss/tssutils.h>
+@@ -1835,7 +1836,7 @@ TPM_RC startCertificate(X509 *x509Certificate,	/* X509 certificate to be generat
+     ASN1_TIME 		*arc;			/* return code */
+     ASN1_INTEGER 	*x509Serial;		/* certificate serial number in ASN1 */
+     BIGNUM 		*x509SerialBN;		/* certificate serial number as a BIGNUM */
+-    unsigned char 	x509Serialbin[SHA1_DIGEST_SIZE]; /* certificate serial number in binary */
++    unsigned char 	x509Serialbin[EVP_MAX_MD_SIZE]; /* certificate serial number in binary */
+     X509_NAME 		*x509IssuerName;	/* composite issuer name, key/value pairs */
+     X509_NAME 		*x509SubjectName;	/* composite subject name, key/value pairs */
+ 
+@@ -1855,11 +1856,20 @@ TPM_RC startCertificate(X509 *x509Certificate,	/* X509 certificate to be generat
+       add certificate serial number
+     */
+     if (rc == 0) {
++	const EVP_MD *type;
++
+ 	if (tssUtilsVerbose) printf("startCertificate: Adding certificate serial number\n");
+ 	/* to create a unique serial number, hash the key to be certified */
+-	SHA1(keyBuffer, keyLength, x509Serialbin);
+-	/* convert the SHA1 digest to a BIGNUM */
+-	x509SerialBN = BN_bin2bn(x509Serialbin, SHA1_DIGEST_SIZE, x509SerialBN);
++	type = EVP_sha256();
++	irc = EVP_Digest(keyBuffer, keyLength, x509Serialbin, NULL, type, NULL);
++	if (irc == 0) {
++	    printf("startCertificate: Error in serial number EVP_Digest\n");
++	    rc = TSS_RC_X509_ERROR;
++	}
++    }
++    if (rc == 0) {
++	/* convert the digest to a BIGNUM, use 20 octets */
++	x509SerialBN = BN_bin2bn(x509Serialbin, 20, x509SerialBN);
+ 	if (x509SerialBN == NULL) {
+ 	    printf("startCertificate: Error in serial number BN_bin2bn\n");
+ 	    rc = TSS_RC_X509_ERROR;
+-- 
+2.34.1
+

SOURCES/0002-Update-SHA-1-to-SHA-256-in-tests-without-restricting.patch

@@ -0,0 +1,600 @@
+From 14ccbe9112e21fe62d5cbbbebeae71ec38b77e4a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Hor=C3=A1=C4=8Dek?=
+ <shoracek@redhat.com>
+Date: Thu, 17 Feb 2022 16:29:39 +0100
+Subject: [PATCH 2/4] Update SHA-1 to SHA-256 in tests without restricting the
+ scope
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Å tÄ›pán HoráÄ<C2A1>ek <shoracek@redhat.com>
+---
+ utils/policies/policycountertimer.bin | Bin 20 -> 32 bytes
+ utils/policies/policycphash.bin       | Bin 20 -> 32 bytes
+ utils/policies/policycphash.txt       |   2 +-
+ utils/policies/policycphashhash.bin   |   2 +-
+ utils/policies/policynvargs.txt       | Bin 13 -> 12 bytes
+ utils/policies/policynvnv.bin         | Bin 20 -> 32 bytes
+ utils/policies/policynvnv.txt         |   2 +-
+ utils/policies/policypcr.bin          |   2 +-
+ utils/policies/policypcr0.txt         |   2 +-
+ utils/policies/policypcrbm0.bin       | Bin 20 -> 32 bytes
+ utils/policies/policywrittenset.bin   |   2 +-
+ utils/reg.sh                          |   2 +
+ utils/regtests/testchangeauth.sh      |   4 +-
+ utils/regtests/testevict.sh           |  12 ++--
+ utils/regtests/testnv.sh              |   6 +-
+ utils/regtests/testpolicy.sh          |  80 +++++++++++++-------------
+ utils/regtests/testrsa.sh             |   8 +--
+ utils/regtests/testsign.sh            |  12 ++--
+ 18 files changed, 69 insertions(+), 67 deletions(-)
+
+diff --git a/utils/policies/policycountertimer.bin b/utils/policies/policycountertimer.bin
+index f767440113ab39251794257628b34f761ae05121..8937a155bdcdc535e5f013a03ce58fd5a193a6fd 100644
+GIT binary patch
+literal 32
+ocmeBTv0vY?A&j>pRZ{#s$085m*E`r54EYbFMa|K0nsfat0L0V`*#H0l
+
+literal 20
+ccmaFX(x@JK!18iNvf_!!0jhUbsX5I80B48^c>n+a
+
+diff --git a/utils/policies/policycphash.bin b/utils/policies/policycphash.bin
+index 1c357a65cc7cf408bc27d0a2a5c6a0735778e5ed..0f998b85ac2b6620049e350b0c31cc38b2f7414a 100644
+GIT binary patch
+literal 32
+qcmV+*0N?)`MNQmb<N(X@{1co_-#=a<IaKWOQl0d(fR)m3=&W@Mq7i=p
+
+literal 20
+ccmZR3lJoQPaee~<iJE0anHyTR1PSH?0A-{JC;$Ke
+
+diff --git a/utils/policies/policycphash.txt b/utils/policies/policycphash.txt
+index 52edeab..bc06262 100644
+--- a/utils/policies/policycphash.txt
++++ b/utils/policies/policycphash.txt
+@@ -1 +1 @@
+-0000016eb5f919bbc01f0ebad02010169a67a8c158ec12f3
++0000016e58f8c9f3300b71c97c7c6ec3e18afba176e3f582d96ab67df29acb559fc7d34f
+diff --git a/utils/policies/policycphashhash.bin b/utils/policies/policycphashhash.bin
+index a30627d..e88c974 100644
+--- a/utils/policies/policycphashhash.bin
++++ b/utils/policies/policycphashhash.bin
+@@ -1 +1 @@
+-µù»ÀºÐ šg¨ÁXìó
+\ No newline at end of file
++XøÉó0qÉ||nÃáŠû¡vãõ‚Ùj¶}òšËUŸÇÓO
+\ No newline at end of file
+diff --git a/utils/policies/policynvargs.txt b/utils/policies/policynvargs.txt
+index 4f4d97c4a15e2f16ef61e8b3d31182382bc88b6d..ce58bc9f84b9623e708de4eb8427a57d9f9a160f 100644
+GIT binary patch
+literal 12
+KcmZQzKmY&$3;+QD
+
+literal 13
+LcmZQzKmaZP02crY
+
+diff --git a/utils/policies/policynvnv.bin b/utils/policies/policynvnv.bin
+index df080a73e76146d5474cc3d1b2ed1e09fad62e3d..bb54d249107c9ff17a8af7141d491f6bec88b001 100644
+GIT binary patch
+literal 32
+qcmV+*0N?+4*1${A{L{NkNx*#e^i_%2jn+j)Ac{3i{<g<lL9fU}!V=B^
+
+literal 20
+ccmdlp+sD6}Ax$z`_U4>Pb!)?)%V_-p09oM)7XSbN
+
+diff --git a/utils/policies/policynvnv.txt b/utils/policies/policynvnv.txt
+index a124ea9..5d3d62e 100644
+--- a/utils/policies/policynvnv.txt
++++ b/utils/policies/policynvnv.txt
+@@ -1 +1 @@
+-000001492c513f149e737ec4063fc1d37aee9beabc4b4bbf00042234b8df7cdf8605ee0a2088ac7dfe34c6566c5c
+\ No newline at end of file
++0000014915ec7bf0b50732b49f8228e07d24365338f9e3ab994b00af08e5a3bffe55fd8b000b45a8f4283309cd5ef189746d7526786f712eb3df9960508ee343d3e63376bc6c
+\ No newline at end of file
+diff --git a/utils/policies/policypcr.bin b/utils/policies/policypcr.bin
+index 8f69740..2597338 100644
+--- a/utils/policies/policypcr.bin
++++ b/utils/policies/policypcr.bin
+@@ -1 +1 @@
+-…3ƒõè<`C4oŸ7!vŽ
+\ No newline at end of file
++¿òÕŽ˜ù|ïÁOr­<72>3¼p’ÖR·Èw•’T¯„6
+\ No newline at end of file
+diff --git a/utils/policies/policypcr0.txt b/utils/policies/policypcr0.txt
+index b61f288..cd09bbf 100644
+--- a/utils/policies/policypcr0.txt
++++ b/utils/policies/policypcr0.txt
+@@ -1 +1 @@
+-0000000000000000000000000000000000000000
+\ No newline at end of file
++0000000000000000000000000000000000000000000000000000000000000000
+diff --git a/utils/policies/policypcrbm0.bin b/utils/policies/policypcrbm0.bin
+index bd0f292e05dc793b2831fec273c2eefa7b3a9672..666ea3c731d2f46d4d94768cab4464ff0bb0e5af 100644
+GIT binary patch
+literal 32
+ocmb>Z5cE02?1^I8ss%e3mgaqqyRPviCuhr<=Bo*jp4^KQ0V0YJ<^TWy
+
+literal 20
+bcmd0`@U(b%wL7eEQs@+Ww#>9`zjTxVT?`1l
+
+diff --git a/utils/policies/policywrittenset.bin b/utils/policies/policywrittenset.bin
+index 4f6bb8c..4ed9066 100644
+--- a/utils/policies/policywrittenset.bin
++++ b/utils/policies/policywrittenset.bin
+@@ -1 +1 @@
+-0sHß
_ëíe”æý¬„"ã	
+\ No newline at end of file
++÷ˆ}ŠèÓ‹à¬Sózža‹õH…E<zTݰƦ;ë
+\ No newline at end of file
+diff --git a/utils/reg.sh b/utils/reg.sh
+index 048863b..2d9d100 100755
+--- a/utils/reg.sh
++++ b/utils/reg.sh
+@@ -72,6 +72,8 @@ PREFIX=./
+ # hash algorithms to be used for testing
+ 
+ export ITERATE_ALGS="sha1 sha256 sha384 sha512"
++export ITERATE_ALGS_SIZES="20 32 48 64"
++export ITERATE_ALGS_COUNT=4
+ export BAD_ITERATE_ALGS="sha256 sha384 sha512 sha1"
+ 
+ printUsage ()
+diff --git a/utils/regtests/testchangeauth.sh b/utils/regtests/testchangeauth.sh
+index 303b318..b830a96 100755
+--- a/utils/regtests/testchangeauth.sh
++++ b/utils/regtests/testchangeauth.sh
+@@ -67,11 +67,11 @@ do
+ 	checkSuccess $?
+ 
+ 	echo "Sign a digest with the original key ${SESS}"
+-	${PREFIX}sign -hk 80000001 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig ${SESS} > run.out
++	${PREFIX}sign -hk 80000001 -halg sha256 -if policies/aaa -os sig.bin -pwdk sig ${SESS} > run.out
+ 	checkSuccess $?
+ 
+ 	echo "Sign a digest with the changed key"
+-	${PREFIX}sign -hk 80000002 -halg sha1 -if policies/aaa -os sig.bin -pwdk xxx > run.out
++	${PREFIX}sign -hk 80000002 -halg sha256 -if policies/aaa -os sig.bin -pwdk xxx > run.out
+ 	checkSuccess $?
+ 
+ 	echo "Flush the key"
+diff --git a/utils/regtests/testevict.sh b/utils/regtests/testevict.sh
+index 761eaa8..8f2806f 100755
+--- a/utils/regtests/testevict.sh
++++ b/utils/regtests/testevict.sh
+@@ -58,11 +58,11 @@ ${PREFIX}evictcontrol -ho 80000001 -hp 81800000 -hi p > run.out
+ checkSuccess $?
+ 
+ echo "Sign a digest with the transient key"
+-${PREFIX}sign -hk 80000001 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
++${PREFIX}sign -hk 80000001 -halg sha256 -if policies/aaa -os sig.bin -pwdk sig > run.out
+ checkSuccess $?
+ 
+ echo "Sign a digest with the persistent key"
+-${PREFIX}sign -hk 81800000 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
++${PREFIX}sign -hk 81800000 -halg sha256 -if policies/aaa -os sig.bin -pwdk sig > run.out
+ checkSuccess $?
+ 
+ echo "Flush the transient key"
+@@ -74,11 +74,11 @@ ${PREFIX}flushcontext -ha 81800000 > run.out
+ checkFailure $?
+ 
+ echo "Sign a digest with the transient key- should fail"
+-${PREFIX}sign -hk 80000001 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
++${PREFIX}sign -hk 80000001 -halg sha256 -if policies/aaa -os sig.bin -pwdk sig > run.out
+ checkFailure $?
+ 
+ echo "Sign a digest with the persistent key"
+-${PREFIX}sign -hk 81800000 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
++${PREFIX}sign -hk 81800000 -halg sha256 -if policies/aaa -os sig.bin -pwdk sig > run.out
+ checkSuccess $?
+ 
+ echo "Flush the persistent key"
+@@ -86,11 +86,11 @@ ${PREFIX}evictcontrol -ho 81800000 -hp 81800000 -hi p > run.out
+ checkSuccess $?
+ 
+ echo "Sign a digest with the persistent key - should fail"
+-${PREFIX}sign -hk 81800000 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
++${PREFIX}sign -hk 81800000 -halg sha256 -if policies/aaa -os sig.bin -pwdk sig > run.out
+ checkFailure $?
+ 
+ echo "Sign a digest with the transient key - should fail"
+-${PREFIX}sign -hk 80000001 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
++${PREFIX}sign -hk 80000001 -halg sha256 -if policies/aaa -os sig.bin -pwdk sig > run.out
+ checkFailure $?
+ 
+ # ${PREFIX}getcapability  -cap 1 -pr 80000000
+diff --git a/utils/regtests/testnv.sh b/utils/regtests/testnv.sh
+index b941f2e..39a9a18 100755
+--- a/utils/regtests/testnv.sh
++++ b/utils/regtests/testnv.sh
+@@ -56,7 +56,7 @@ checkSuccess $?
+ NALG=(${ITERATE_ALGS})
+ BADNALG=(${BAD_ITERATE_ALGS})
+ 
+-for ((i = 0 ; i < 4; i++))
++for ((i = 0 ; i < ${ITERATE_ALGS_COUNT}; i++))
+ do
+ 
+     for SESS in "" "-se0 02000000 1"
+@@ -212,10 +212,10 @@ checkSuccess $?
+ for SESS in "" "-se0 02000000 1"
+ do
+ 
+-    SZ=(20 32 48 64)
++    SZ=(${ITERATE_ALGS_SIZES})
+     HALG=(${ITERATE_ALGS})
+ 
+-    for ((i = 0 ; i < 4; i++))
++    for ((i = 0 ; i < ${ITERATE_ALGS_COUNT}; i++))
+     do
+ 
+ 	echo "NV Define Space ${HALG[$i]}"
+diff --git a/utils/regtests/testpolicy.sh b/utils/regtests/testpolicy.sh
+index e2e8bec..971e67f 100755
+--- a/utils/regtests/testpolicy.sh
++++ b/utils/regtests/testpolicy.sh
+@@ -752,17 +752,17 @@ echo "Policy PCR no select"
+ echo ""
+ 
+ # create AND term for policy PCR
+-# > policymakerpcr -halg sha1 -bm 0 -v -pr -of policies/policypcr.txt
++# > policymakerpcr -halg sha256 -bm 0 -v -pr -of policies/policypcr.txt
+ # 0000017f00000001000403000000da39a3ee5e6b4b0d3255bfef95601890afd80709
+ 
+ # convert to binary policy
+-# > policymaker -halg sha1 -if policies/policypcr.txt -of policies/policypcrbm0.bin -pr -v
++# > policymaker -halg sha256 -if policies/policypcr.txt -of policies/policypcrbm0.bin -pr -v
+ 
+ # 6d 38 49 38 e1 d5 8b 56 71 92 55 94 3f 06 69 66 
+ # b6 fa 2c 23 
+ 
+ echo "Create a signing key with policy PCR no select"
+-${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -nalg sha1 -pol policies/policypcrbm0.bin > run.out
++${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -nalg sha256 -pol policies/policypcrbm0.bin > run.out
+ checkSuccess $?
+ 
+ echo "Load the signing key under the primary key"
+@@ -770,11 +770,11 @@ ${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ checkSuccess $?
+ 
+ echo "Start a policy session"
+-${PREFIX}startauthsession -halg sha1 -se p > run.out
++${PREFIX}startauthsession -halg sha256 -se p > run.out
+ checkSuccess $?
+ 
+ echo "Policy PCR, update with the correct digest"
+-${PREFIX}policypcr -ha 03000000 -halg sha1 -bm 0 > run.out
++${PREFIX}policypcr -ha 03000000 -halg sha256 -bm 0 > run.out
+ checkSuccess $?
+ 
+ echo "Policy get digest - should be 6d 38 49 38 ... "
+@@ -790,11 +790,11 @@ ${PREFIX}policyrestart -ha 03000000 > run.out
+ checkSuccess $?
+ 
+ echo "Policy PCR, update with the correct digest"
+-${PREFIX}policypcr -ha 03000000 -halg sha1 -bm 0 > run.out
++${PREFIX}policypcr -ha 03000000 -halg sha256 -bm 0 > run.out
+ checkSuccess $?
+ 
+ echo "PCR extend PCR 0, updates pcr counter"
+-${PREFIX}pcrextend -ha 0 -halg sha1 -if policies/aaa > run.out
++${PREFIX}pcrextend -ha 0 -halg sha256 -if policies/aaa > run.out
+ checkSuccess $?
+ 
+ echo "Sign, should fail"
+@@ -816,17 +816,17 @@ echo ""
+ # policypcr0.txt has 20 * 00
+ 
+ # create AND term for policy PCR
+-# > policymakerpcr -halg sha1 -bm 010000 -if policies/policypcr0.txt -v -pr -of policies/policypcr.txt
++# > policymakerpcr -halg sha256 -bm 010000 -if policies/policypcr0.txt -v -pr -of policies/policypcr.txt
+ # 0000017f000000010004030000016768033e216468247bd031a0a2d9876d79818f8f
+ 
+ # convert to binary policy
+-# > policymaker -halg sha1 -if policies/policypcr.txt -of policies/policypcr.bin -pr -v
++# > policymaker -halg sha256 -if policies/policypcr.txt -of policies/policypcr.bin -pr -v
+ 
+ # 85 33 11 83 19 03 12 f5 e8 3c 60 43 34 6f 9f 37
+ # 21 04 76 8e
+ 
+ echo "Create a signing key with policy PCR PCR 16 zero"
+-${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -nalg sha1 -pol policies/policypcr.bin > run.out
++${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -nalg sha256 -pol policies/policypcr.bin > run.out
+ checkSuccess $?
+ 
+ echo "Load the signing key under the primary key"
+@@ -838,11 +838,11 @@ ${PREFIX}pcrreset -ha 16 > run.out
+ checkSuccess $?
+ 
+ echo "Read PCR 16, should be 00 00 00 00 ..."
+-${PREFIX}pcrread -ha 16 -halg sha1 > run.out
++${PREFIX}pcrread -ha 16 -halg sha256 > run.out
+ checkSuccess $?
+ 
+ echo "Start a policy session"
+-${PREFIX}startauthsession -se p -halg sha1 > run.out
++${PREFIX}startauthsession -se p -halg sha256 > run.out
+ checkSuccess $?
+ 
+ echo "Sign, policy not satisfied - should fail"
+@@ -850,7 +850,7 @@ ${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+ checkFailure $?
+ 
+ echo "Policy PCR, update with the correct digest"
+-${PREFIX}policypcr -ha 03000000 -halg sha1 -bm 10000 > run.out
++${PREFIX}policypcr -ha 03000000 -halg sha256 -bm 10000 > run.out
+ checkSuccess $?
+ 
+ echo "Policy get digest - should be 85 33 11 83 ..."
+@@ -862,19 +862,19 @@ ${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+ checkSuccess $?
+ 
+ echo "PCR extend PCR 16"
+-${PREFIX}pcrextend -ha 16 -halg sha1 -if policies/aaa > run.out
++${PREFIX}pcrextend -ha 16 -halg sha256 -if policies/aaa > run.out
+ checkSuccess $?
+ 
+ echo "Read PCR 0, should be 1d 47 f6 8a ..."
+-${PREFIX}pcrread -ha 16 -halg sha1 > run.out
++${PREFIX}pcrread -ha 16 -halg sha256 > run.out
+ checkSuccess $?
+ 
+ echo "Start a policy session"
+-${PREFIX}startauthsession -se p -halg sha1 > run.out
++${PREFIX}startauthsession -se p -halg sha256 > run.out
+ checkSuccess $?
+ 
+ echo "Policy PCR, update with the wrong digest"
+-${PREFIX}policypcr -ha 03000000 -halg sha1 -bm 10000 > run.out
++${PREFIX}policypcr -ha 03000000 -halg sha256 -bm 10000 > run.out
+ checkSuccess $?
+ 
+ echo "Policy get digest - should be 66 dd e5 e3"
+@@ -903,21 +903,21 @@ checkSuccess $?
+ #
+ # policynvargs.txt (binary)
+ # args = hash of 0000 0000 0000 0000 | 0000 | 0000 (eight bytes of zero | offset | op ==)
+-# hash -hi n -halg sha1 -if policies/policynvargs.txt -v
+-# openssl dgst -sha1 policies/policynvargs.txt
++# hash -hi n -halg sha256 -if policies/policynvargs.txt -v
++# openssl dgst -sha256 policies/policynvargs.txt
+ # 2c513f149e737ec4063fc1d37aee9beabc4b4bbf
+ #
+ # NV authorizing index
+ #
+ # after defining index and NV write to set written, use 
+-# ${PREFIX}nvreadpublic -ha 01000000 -nalg sha1
++# ${PREFIX}nvreadpublic -ha 01000000 -nalg sha256
+ # to get name
+ # 00042234b8df7cdf8605ee0a2088ac7dfe34c6566c5c
+ #
+ # append Name to policynvnv.txt
+ #
+ # convert to binary policy
+-# > policymaker -halg sha1 -if policies/policynvnv.txt -of policies/policynvnv.bin -pr -v
++# > policymaker -halg sha256 -if policies/policynvnv.txt -of policies/policynvnv.bin -pr -v
+ # bc 9b 4c 4f 7b 00 66 19 5b 1d d9 9c 92 7e ad 57 e7 1c 2a fc 
+ #
+ # file zero8.bin has 8 bytes of hex zero
+@@ -927,11 +927,11 @@ echo "Policy NV, NV index authorizing"
+ echo ""
+ 
+ echo "Define a setbits index, authorizing index"
+-${PREFIX}nvdefinespace -hi p -nalg sha1 -ha 01000000 -pwdn nnn -ty b > run.out
++${PREFIX}nvdefinespace -hi p -nalg sha256 -ha 01000000 -pwdn nnn -ty b > run.out
+ checkSuccess $?
+ 
+ echo "NV Read public, get Name, not written"
+-${PREFIX}nvreadpublic -ha 01000000 -nalg sha1 > run.out
++${PREFIX}nvreadpublic -ha 01000000 -nalg sha256 > run.out
+ checkSuccess $?
+ 
+ echo "NV setbits to set written"
+@@ -939,7 +939,7 @@ ${PREFIX}nvsetbits -ha 01000000 -pwdn nnn > run.out
+ checkSuccess $?
+ 
+ echo "NV Read public, get Name, written"
+-${PREFIX}nvreadpublic -ha 01000000 -nalg sha1 > run.out
++${PREFIX}nvreadpublic -ha 01000000 -nalg sha256 > run.out
+ checkSuccess $?
+ 
+ echo "NV Read, should be zero"
+@@ -947,11 +947,11 @@ ${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 8 > run.out
+ checkSuccess $?
+ 
+ echo "Define an ordinary index, authorized index, policyNV"
+-${PREFIX}nvdefinespace -hi p -nalg sha1 -ha 01000001 -pwdn nnn -sz 2 -ty o -pol policies/policynvnv.bin > run.out
++${PREFIX}nvdefinespace -hi p -nalg sha256 -ha 01000001 -pwdn nnn -sz 2 -ty o -pol policies/policynvnv.bin > run.out
+ checkSuccess $?
+ 
+ echo "NV Read public, get Name, not written"
+-${PREFIX}nvreadpublic -ha 01000001 -nalg sha1 > run.out
++${PREFIX}nvreadpublic -ha 01000001 -nalg sha256 > run.out
+ checkSuccess $?
+ 
+ echo "NV write to set written"
+@@ -959,7 +959,7 @@ ${PREFIX}nvwrite -ha 01000001 -pwdn nnn -ic aa > run.out
+ checkSuccess $?
+ 
+ echo "Start policy session"
+-${PREFIX}startauthsession -se p -halg sha1 > run.out
++${PREFIX}startauthsession -se p -halg sha256 > run.out
+ checkSuccess $?
+  
+ echo "NV write, policy not satisfied  - should fail"
+@@ -1015,15 +1015,15 @@ echo "Policy NV Written"
+ echo ""
+ 
+ echo "Define an ordinary index, authorized index, policyNV"
+-${PREFIX}nvdefinespace -hi p -nalg sha1 -ha 01000000 -pwdn nnn -sz 2 -ty o -pol policies/policywrittenset.bin > run.out  
++${PREFIX}nvdefinespace -hi p -nalg sha256 -ha 01000000 -pwdn nnn -sz 2 -ty o -pol policies/policywrittenset.bin > run.out
+ checkSuccess $?
+ 
+ echo "NV Read public, get Name, not written"
+-${PREFIX}nvreadpublic -ha 01000000 -nalg sha1 > run.out  
++${PREFIX}nvreadpublic -ha 01000000 -nalg sha256 > run.out
+ checkSuccess $?
+ 
+ echo "Start policy session"
+-${PREFIX}startauthsession -se p -halg sha1 > run.out
++${PREFIX}startauthsession -se p -halg sha256 > run.out
+ checkSuccess $?
+  
+ echo "NV write, policy not satisfied  - should fail"
+@@ -1043,7 +1043,7 @@ ${PREFIX}flushcontext -ha 03000000 > run.out
+ checkSuccess $?
+ 
+ echo "Start policy session"
+-${PREFIX}startauthsession -se p -halg sha1 > run.out
++${PREFIX}startauthsession -se p -halg sha256 > run.out
+ checkSuccess $?
+ 
+ echo "Policy NV Written yes, satisfy policy"
+@@ -1063,7 +1063,7 @@ ${PREFIX}nvwrite -ha 01000000 -ic aa -pwdn nnn > run.out
+ checkSuccess $?
+ 
+ echo "Start policy session"
+-${PREFIX}startauthsession -se p -halg sha1 > run.out
++${PREFIX}startauthsession -se p -halg sha256 > run.out
+ checkSuccess $?
+ 
+ echo "Policy NV Written yes, satisfy policy"
+@@ -1079,7 +1079,7 @@ ${PREFIX}flushcontext -ha 03000000 > run.out
+ checkSuccess $?
+ 
+ echo "Start policy session"
+-${PREFIX}startauthsession -se p -halg sha1 > run.out
++${PREFIX}startauthsession -se p -halg sha256 > run.out
+ checkSuccess $?
+ 
+ echo "Policy NV Written no"
+@@ -1326,12 +1326,12 @@ checkSuccess $?
+ 
+ # test using clockrateadjust
+ # policycphashhash.txt is (hex) 00000130 4000000c 000
+-# hash -if policycphashhash.txt -oh policycphashhash.bin -halg sha1 -v
+-# openssl dgst -sha1 policycphashhash.txt
++# hash -if policycphashhash.txt -oh policycphashhash.bin -halg sha256 -v
++# openssl dgst -sha256 policycphashhash.txt
+ # cpHash is
+ # b5f919bbc01f0ebad02010169a67a8c158ec12f3
+ # append to policycphash.txt 00000163 + cpHash
+-# policymaker -halg sha1 -if policies/policycphash.txt -of policies/policycphash.bin -pr
++# policymaker -halg sha256 -if policies/policycphash.txt -of policies/policycphash.bin -pr
+ #  06 e4 6c f9 f3 c7 0f 30 10 18 7c a6 72 69 b0 84 b4 52 11 6f 
+ 
+ echo ""
+@@ -1339,7 +1339,7 @@ echo "Policy cpHash"
+ echo ""
+ 
+ echo "Set the platform policy to policy cpHash"
+-${PREFIX}setprimarypolicy -hi p -pol policies/policycphash.bin -halg sha1 > run.out
++${PREFIX}setprimarypolicy -hi p -pol policies/policycphash.bin -halg sha256 > run.out
+ checkSuccess $?
+ 
+ echo "Clockrate adjust using wrong password - should fail"
+@@ -1347,7 +1347,7 @@ ${PREFIX}clockrateadjust -hi p -pwdp ppp -adj 0 > run.out
+ checkFailure $?
+ 
+ echo "Start policy session"
+-${PREFIX}startauthsession -se p -halg sha1 > run.out 
++${PREFIX}startauthsession -se p -halg sha256 > run.out
+ checkSuccess $?
+ 
+ echo "Clockrate adjust, policy not satisfied - should fail"
+@@ -1690,7 +1690,7 @@ echo "Policy Counter Timer"
+ echo ""
+ 
+ echo "Set the platform policy to policy "
+-${PREFIX}setprimarypolicy -hi p -pol policies/policycountertimer.bin -halg sha1 > run.out
++${PREFIX}setprimarypolicy -hi p -pol policies/policycountertimer.bin -halg sha256 > run.out
+ checkSuccess $?
+ 
+ echo "Clockrate adjust using wrong password - should fail"
+@@ -1698,7 +1698,7 @@ ${PREFIX}clockrateadjust -hi p -pwdp ppp -adj 0 > run.out
+ checkFailure $?
+ 
+ echo "Start policy session"
+-${PREFIX}startauthsession -se p -halg sha1 > run.out
++${PREFIX}startauthsession -se p -halg sha256 > run.out
+ checkSuccess $?
+ 
+ echo "Clockrate adjust, policy not satisfied - should fail"
+diff --git a/utils/regtests/testrsa.sh b/utils/regtests/testrsa.sh
+index 4f76522..6e25398 100755
+--- a/utils/regtests/testrsa.sh
++++ b/utils/regtests/testrsa.sh
+@@ -131,10 +131,10 @@ do
+     ${PREFIX}load -hp 80000000 -ipu derrsa${BITS}pub.bin -ipr derrsa${BITS}priv.bin -pwdp sto > run.out
+     checkSuccess $?
+ 
++    HSIZ=(${ITERATE_ALGS_SIZES})
+     HALG=(${ITERATE_ALGS})
+-    HSIZ=("20" "32" "48" "64")
+ 
+-    for ((i = 0 ; i < 4 ; i++))
++    for ((i = 0 ; i < ${ITERATE_ALGS_COUNT} ; i++))
+     do
+ 
+ 	echo "Decrypt/Sign with a caller specified OID - ${HALG[i]}"
+@@ -298,7 +298,7 @@ echo "Encrypt with OpenSSL OAEP, decrypt with TPM"
+ echo ""
+ 
+ echo "Create OAEP encryption key"
+-${PREFIX}create -hp 80000000 -pwdp sto -deo -kt f -kt p -halg sha1 -opr tmpprivkey.bin -opu tmppubkey.bin -opem tmppubkey.pem > run.out	
++${PREFIX}create -hp 80000000 -pwdp sto -deo -kt f -kt p -halg sha256 -opr tmpprivkey.bin -opu tmppubkey.bin -opem tmppubkey.pem > run.out
+ checkSuccess $?
+ 
+ echo "Load encryption key at 80000001"
+@@ -306,7 +306,7 @@ ${PREFIX}load -hp 80000000 -pwdp sto -ipr tmpprivkey.bin -ipu tmppubkey.bin  > r
+ checkSuccess $?
+ 
+ echo "Encrypt using OpenSSL and the PEM public key"
+-openssl rsautl -oaep -encrypt -inkey tmppubkey.pem -pubin -in policies/aaa -out enc.bin > run.out 2>&1
++openssl pkeyutl -encrypt -inkey tmppubkey.pem -pubin -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -in policies/aaa -out enc.bin > run.out 2>&1
+ checkSuccess $?
+ 
+ echo "Decrypt using TPM key at 80000001"
+diff --git a/utils/regtests/testsign.sh b/utils/regtests/testsign.sh
+index edfa014..8a99bbf 100755
+--- a/utils/regtests/testsign.sh
++++ b/utils/regtests/testsign.sh
+@@ -302,14 +302,14 @@ echo ""
+ # > openssl dgst -sha1 -sign rsaprivkey.pem -passin pass:rrrr -out pssig.bin msg.bin
+ 
+ echo "Load external just the public part of PEM RSA"
+-${PREFIX}loadexternal -halg sha1 -nalg sha1 -ipem policies/rsapubkey.pem > run.out
++${PREFIX}loadexternal -halg sha256 -nalg sha256 -ipem policies/rsapubkey.pem > run.out
+ checkSuccess $?
+ 
+ echo "Sign a test message with openssl RSA"
+-openssl dgst -sha1 -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin msg.bin > run.out 2>&1
++openssl dgst -sha256 -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin msg.bin > run.out 2>&1
+ 
+ echo "Verify the RSA signature"
+-${PREFIX}verifysignature -hk 80000001 -halg sha1 -if msg.bin -is pssig.bin -raw > run.out
++${PREFIX}verifysignature -hk 80000001 -halg sha256 -if msg.bin -is pssig.bin -raw > run.out
+ checkSuccess $?
+ 
+ echo "Flush the signing key"
+@@ -328,14 +328,14 @@ for CURVE in p256 p384
+ do
+ 
+     echo "Load external just the public part of PEM ECC ${CURVE}"
+-    ${PREFIX}loadexternal -halg sha1 -nalg sha1 -ipem policies/${CURVE}pubkey.pem -ecc > run.out
++    ${PREFIX}loadexternal -halg sha256 -nalg sha256 -ipem policies/${CURVE}pubkey.pem -ecc > run.out
+     checkSuccess $?
+ 
+     echo "Sign a test message with openssl ECC ${CURVE}"
+-    openssl dgst -sha1 -sign policies/${CURVE}privkey.pem -out pssig.bin msg.bin > run.out 2>&1
++    openssl dgst -sha256 -sign policies/${CURVE}privkey.pem -out pssig.bin msg.bin > run.out 2>&1
+ 
+     echo "Verify the ECC signature ${CURVE}"
+-    ${PREFIX}verifysignature -hk 80000001 -halg sha1 -if msg.bin -is pssig.bin -raw -ecc > run.out
++    ${PREFIX}verifysignature -hk 80000001 -halg sha256 -if msg.bin -is pssig.bin -raw -ecc > run.out
+     checkSuccess $?
+ 
+     echo "Flush the ECC ${CURVE} signing key"
+-- 
+2.34.1
+

SOURCES/0002-utils-Remove-unused-variables-from-certifyx509.patch

@@ -0,0 +1,54 @@
+From 87120cf7fedcfc063ba5cd28ae4571909209a547 Mon Sep 17 00:00:00 2001
+From: Ken Goldman <kgoldman@us.ibm.com>
+Date: Mon, 23 Aug 2021 17:30:56 -0400
+Subject: [PATCH 2/7] utils: Remove unused variables from certifyx509
+
+notBefore and notAfter are set driectly in the partialCertificate
+structure, and that is used to directly set the x509 structure.
+
+Signed-off-by: Ken Goldman <kgoldman@us.ibm.com>
+---
+ utils/certifyx509.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/utils/certifyx509.c b/utils/certifyx509.c
+index ed42ac0..44640aa 100644
+--- a/utils/certifyx509.c
++++ b/utils/certifyx509.c
+@@ -204,6 +204,7 @@ int main(int argc, char *argv[])
+     setvbuf(stdout, 0, _IONBF, 0);      /* output may be going through pipe to log file */
+     TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ 
++    curveID = curveID;		/* no longer used, get from parent */
+     /* command line argument defaults */
+     for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ 	if (strcmp(argv[i],"-ho") == 0) {
+@@ -686,8 +687,6 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate,	/* input /
+     X509_NAME 	*x509SubjectName = NULL;/* composite subject name, key/value pairs */
+     size_t	issuerEntriesSize = sizeof(issuerEntries)/sizeof(char *);
+     size_t	subjectEntriesSize = sizeof(subjectEntries)/sizeof(char *);
+-    ASN1_TIME 	*notBefore = NULL;
+-    ASN1_TIME 	*notAfter = NULL;
+     uint8_t 	*tmpPartialDer = NULL;	/* for the i2d */
+ 
+     /* add issuer */
+@@ -717,8 +716,6 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate,	/* input /
+ 	}
+     }
+     if (rc == 0) {
+-	/* can't fail, just returns a structure member */
+-	notBefore = X509_get_notBefore(x509Certificate);
+ 	irc = X509_set1_notBefore(x509Certificate, partialCertificate->validity->notBefore);
+ 	if (irc == 0) {
+ 	    printf("createPartialCertificate: Error setting notBefore time\n");
+@@ -737,7 +734,6 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate,	/* input /
+ 	}
+     }
+     if (rc == 0) {
+-	notAfter = X509_get_notAfter(x509Certificate);
+ 	irc = X509_set1_notAfter(x509Certificate,partialCertificate->validity->notAfter);
+ 	if (irc == 0) {
+ 	    printf("createPartialCertificate: Error setting notAfter time\n");
+-- 
+2.34.1
+

SOURCES/0003-Update-certifyx509-for-Windows.patch

@@ -0,0 +1,99 @@
+From 1c462889a517d6dbab721aa3e0597878e9c237d5 Mon Sep 17 00:00:00 2001
+From: Ken Goldman <kgold@linux.ibm.com>
+Date: Wed, 25 Aug 2021 18:02:11 -0400
+Subject: [PATCH 3/7] : Update certifyx509 for Windows
+
+Add static_ to the ASN1_SEQUENCE_END macros to suppress a gcc warning.
+Change free to OPENSSL_free, required with i2d when OpenSSL is a dll.
+
+Remove the tmpx509i file handling from the .bat file since certifyx509
+no longer outputs it.
+
+Signed-off-by: Ken Goldman <kgold@linux.ibm.com>
+---
+ utils/certifyx509.c         | 10 +++++-----
+ utils/regtests/testx509.bat |  5 -----
+ 2 files changed, 5 insertions(+), 10 deletions(-)
+
+diff --git a/utils/certifyx509.c b/utils/certifyx509.c
+index 44640aa..5602f62 100644
+--- a/utils/certifyx509.c
++++ b/utils/certifyx509.c
+@@ -94,7 +94,7 @@ typedef struct {
+ ASN1_SEQUENCE(TPM_PARTIAL_CERT_VALIDITY) = {
+     ASN1_SIMPLE(TPM_PARTIAL_CERT_VALIDITY, notBefore, ASN1_TIME),
+     ASN1_SIMPLE(TPM_PARTIAL_CERT_VALIDITY, notAfter, ASN1_TIME),
+-} ASN1_SEQUENCE_END(TPM_PARTIAL_CERT_VALIDITY)
++} static_ASN1_SEQUENCE_END(TPM_PARTIAL_CERT_VALIDITY)
+ 
+ /* the signature algorithm is optional while the extension list is mandatory */
+ ASN1_SEQUENCE(TPM_PARTIAL_CERT) = {
+@@ -103,7 +103,7 @@ ASN1_SEQUENCE(TPM_PARTIAL_CERT) = {
+     ASN1_SIMPLE(TPM_PARTIAL_CERT, validity, TPM_PARTIAL_CERT_VALIDITY),
+     ASN1_SIMPLE(TPM_PARTIAL_CERT, subject, X509_NAME),
+     ASN1_EXP_SEQUENCE_OF(TPM_PARTIAL_CERT, extensions, X509_EXTENSION, 3),
+-} ASN1_SEQUENCE_END(TPM_PARTIAL_CERT)
++} static_ASN1_SEQUENCE_END(TPM_PARTIAL_CERT)
+ 
+ DECLARE_ASN1_FUNCTIONS(TPM_PARTIAL_CERT)
+ IMPLEMENT_ASN1_FUNCTIONS(TPM_PARTIAL_CERT)
+@@ -122,7 +122,7 @@ ASN1_SEQUENCE(TPM_ADDTOCERT) = {
+     ASN1_SIMPLE(TPM_ADDTOCERT, serialNumber, ASN1_INTEGER),
+     ASN1_SIMPLE(TPM_ADDTOCERT, signatureAlgorithm, X509_ALGOR),
+     ASN1_SIMPLE(TPM_ADDTOCERT, key, X509_PUBKEY),
+-} ASN1_SEQUENCE_END(TPM_ADDTOCERT)
++} static_ASN1_SEQUENCE_END(TPM_ADDTOCERT)
+ 
+ DECLARE_ASN1_FUNCTIONS(TPM_ADDTOCERT)
+ IMPLEMENT_ASN1_FUNCTIONS(TPM_ADDTOCERT)
+@@ -629,7 +629,7 @@ int main(int argc, char *argv[])
+ 	X509_free(x509Certificate);			/* @1 */
+     }
+     free(x509Der);					/* @2 */
+-    free(addToCert);					/* @3 */
++    OPENSSL_free(addToCert);				/* @3 */
+     return rc;
+ }
+ 
+@@ -808,7 +808,7 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate,	/* input /
+ #endif
+     X509_NAME_free(x509IssuerName);	/* @1 */
+     X509_NAME_free(x509SubjectName);	/* @2 */
+-    free(tmpPartialDer);		/* @3 */
++    OPENSSL_free(tmpPartialDer);	/* @3 */
+     return rc;
+ }
+ 
+diff --git a/utils/regtests/testx509.bat b/utils/regtests/testx509.bat
+index 0951ad6..17b69f6 100644
+--- a/utils/regtests/testx509.bat
++++ b/utils/regtests/testx509.bat
+@@ -80,8 +80,6 @@ for /L %%i in (1,1,!L!) do (
+ 	exit /B 1
+     )
+ 
+-    rem # dumpasn1 -a -l -d     tmpx509i.bin > tmpx509i1.dump
+-    rem # dumpasn1 -a -l -d -hh tmpx509i.bin > tmpx509i1.dumphh
+     rem # dumpasn1 -a -l -d     tmppart1.bin > tmppart1.dump
+     rem # dumpasn1 -a -l -d -hh tmppart1.bin > tmppart1.dumphh
+     rem # dumpasn1 -a -l -d     tmpadd1.bin  > tmpadd1.dump
+@@ -102,8 +100,6 @@ for /L %%i in (1,1,!L!) do (
+ 	exit /B 1
+     )
+ 
+-rem     # dumpasn1 -a -l -d     tmpx509i.bin > tmpx509i2.dump
+-rem     # dumpasn1 -a -l -d -hh tmpx509i.bin > tmpx509i2.dumphh
+ rem     # dumpasn1 -a -l -d     tmppart2.bin > tmppart2.dump
+ rem     # dumpasn1 -a -l -d -hh tmppart2.bin > tmppart2.dumphhe 
+ rem     # dumpasn1 -a -l -d     tmpadd2.bin  > tmpadd2.dump
+@@ -446,7 +442,6 @@ rm tmpsig1.bin
+ rm tmpx5091.bin
+ rm tmpx5091.pem
+ rm tmpx5092.pem
+-rm tmpx509i.bin
+ rm tmppart2.bin
+ rm tmpadd2.bin
+ rm tmptbs2.bin
+-- 
+2.34.1
+

SOURCES/0004-Restrict-SHA-1-in-TSS.patch

@@ -0,0 +1,136 @@
+From 506ae7f508cdcaca1cad7433725e8f4c115f843b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Hor=C3=A1=C4=8Dek?=
+ <shoracek@redhat.com>
+Date: Fri, 25 Feb 2022 15:28:28 +0100
+Subject: [PATCH 4/4] Restrict SHA-1 in TSS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Štěpán Horáček <shoracek@redhat.com>
+---
+ utils/cryptoutils.c |  4 ---
+ utils/tss20.c       | 81 ++++++++++++++++++++++++++++++++++++++++++++-
+ 2 files changed, 80 insertions(+), 5 deletions(-)
+
+diff --git a/utils/cryptoutils.c b/utils/cryptoutils.c
+index 7b5de79..98396a7 100644
+--- a/utils/cryptoutils.c
++++ b/utils/cryptoutils.c
+@@ -2136,10 +2136,6 @@ TPM_RC verifyRSASignatureFromRSA(unsigned char *message,
+     /* map from hash algorithm to openssl nid */
+     if (rc == 0) {
+ 	switch (halg) {
+-	  case TPM_ALG_SHA1:
+-	    nid = NID_sha1;
+-	    md = EVP_sha1();
+-	    break;
+ 	  case TPM_ALG_SHA256:
+ 	    nid = NID_sha256;
+ 	    md = EVP_sha256();
+diff --git a/utils/tss20.c b/utils/tss20.c
+index c778069..bd05cf3 100644
+--- a/utils/tss20.c
++++ b/utils/tss20.c
+@@ -678,6 +678,76 @@ extern int tssVerbose;
+ extern int tssVverbose;
+ extern int tssFirstCall;
+ 
++int TSS_CheckSha1_PublicArea(TPMT_PUBLIC *publicArea)
++{
++    return publicArea->nameAlg == TPM_ALG_SHA1 ||
++	   ((publicArea->type == TPM_ALG_RSA || publicArea->type == TPM_ALG_ECC) &&
++	    publicArea->parameters.asymDetail.scheme.scheme != TPM_ALG_NULL &&
++	    publicArea->parameters.asymDetail.scheme.details.anySig.hashAlg == TPM_ALG_SHA1);
++}
++
++int TSS_CheckSha1_SigScheme(TPMT_SIG_SCHEME *sigScheme)
++{
++    return sigScheme->details.any.hashAlg == TPM_ALG_SHA1;
++}
++
++int TSS_CheckSha1(COMMAND_PARAMETERS *in,
++		  TPM_CC commandCode)
++{
++    switch (commandCode)
++    {
++    case TPM_CC_Certify:
++	return TSS_CheckSha1_SigScheme(&in->Certify.inScheme);
++    case TPM_CC_CertifyCreation:
++	return TSS_CheckSha1_SigScheme(&in->CertifyCreation.inScheme);
++    case TPM_CC_Create:
++	return TSS_CheckSha1_PublicArea(&in->Create.inPublic.publicArea);
++    case TPM_CC_CreateLoaded:
++	return TSS_CheckSha1_PublicArea(&in->Create.inPublic.publicArea);
++    case TPM_CC_CreatePrimary:
++	return TSS_CheckSha1_PublicArea(&in->CreatePrimary.inPublic.publicArea);
++    case TPM_CC_GetCommandAuditDigest:
++	return TSS_CheckSha1_SigScheme(&in->GetCommandAuditDigest.inScheme);
++    case TPM_CC_GetSessionAuditDigest:
++	return TSS_CheckSha1_SigScheme(&in->GetSessionAuditDigest.inScheme);
++    case TPM_CC_GetTime:
++	return TSS_CheckSha1_SigScheme(&in->GetTime.inScheme);
++    case TPM_CC_Hash:
++	return in->Hash.hashAlg == TPM_ALG_SHA1;
++    case TPM_CC_HashSequenceStart:
++	return in->HashSequenceStart.hashAlg == TPM_ALG_SHA1;
++    case TPM_CC_HMAC:
++	return in->HMAC.hashAlg == TPM_ALG_SHA1;
++    case TPM_CC_HMAC_Start:
++	return in->HMAC_Start.hashAlg == TPM_ALG_SHA1;
++    case TPM_CC_Import:
++	return TSS_CheckSha1_PublicArea(&in->Import.objectPublic.publicArea);
++    case TPM_CC_LoadExternal:
++	return TSS_CheckSha1_PublicArea(&in->LoadExternal.inPublic.publicArea);
++    case TPM_CC_NV_Certify:
++	return TSS_CheckSha1_SigScheme(&in->NV_Certify.inScheme);
++    case TPM_CC_NV_DefineSpace:
++	return in->NV_DefineSpace.publicInfo.nvPublic.nameAlg == TPM_ALG_SHA1;
++    case TPM_CC_PolicySigned:
++	return in->PolicySigned.auth.signature.any.hashAlg == TPM_ALG_SHA1;
++    case TPM_CC_Quote:
++	return TSS_CheckSha1_SigScheme(&in->Quote.inScheme);
++    case TPM_CC_RSA_Decrypt:
++	return TSS_CheckSha1_SigScheme(&in->RSA_Decrypt.inScheme);
++    case TPM_CC_SetCommandCodeAuditStatus:
++	return in->SetCommandCodeAuditStatus.auditAlg == TPM_ALG_SHA1;
++    case TPM_CC_SetPrimaryPolicy:
++	return in->SetPrimaryPolicy.hashAlg == TPM_ALG_SHA1;
++    case TPM_CC_Sign:
++	return TSS_CheckSha1_SigScheme(&in->Sign.inScheme);
++    case TPM_CC_StartAuthSession:
++	return in->StartAuthSession.authHash == TPM_ALG_SHA1;
++    case TPM_CC_VerifySignature:
++	return in->VerifySignature.signature.signature.any.hashAlg == TPM_ALG_SHA1;
++    }
++
++    return 0;
++}
+ 
+ TPM_RC TSS_Execute20(TSS_CONTEXT *tssContext,
+ 		     RESPONSE_PARAMETERS *out,
+@@ -687,11 +757,20 @@ TPM_RC TSS_Execute20(TSS_CONTEXT *tssContext,
+ 		     va_list ap)
+ {
+     TPM_RC		rc = 0;
+-	
++
++#ifdef RESTRICTED_HASH_ALG
++    if (rc == 0) {
++	if (TSS_CheckSha1(in, commandCode)) {
++	    rc = TPM_RC_HASH;
++	}
++    }
++#endif /* RESTRICTED_HASH_ALG */
++
+     /* create a TSS authorization context */
+     if (rc == 0) {
+ 	TSS_InitAuthContext(tssContext->tssAuthContext);
+     }
++
+     /* handle any command specific command pre-processing */
+     if (rc == 0) {
+ 	rc = TSS_Command_PreProcessor(tssContext,
+-- 
+2.34.1
+

SOURCES/0004-utils-Clean-up-certifyx509-memory-allocation.patch

@@ -0,0 +1,111 @@
+From d77514273aa88f67b85c398a222ab2195c42f5fd Mon Sep 17 00:00:00 2001
+From: Ken Goldman <kgold@linux.ibm.com>
+Date: Tue, 31 Aug 2021 13:45:21 -0400
+Subject: [PATCH 4/7] utils: Clean up certifyx509 memory allocation
+
+Make TPM_ADDTOCERT input const.  Annotate malloc and free calls.  Free
+TPM_PARTIAL_CERT.  Use TPM_ADDTOCERT_free.  Remove unused
+x509IssuerName and x509SubjectName and their frees.  Free
+TPM_PARTIAL_CERT issuer and subject because createX509Name() mallocs.
+
+Signed-off-by: Ken Goldman <kgold@linux.ibm.com>
+---
+ utils/certifyx509.c | 26 +++++++++++++++++---------
+ 1 file changed, 17 insertions(+), 9 deletions(-)
+
+diff --git a/utils/certifyx509.c b/utils/certifyx509.c
+index 5602f62..8ac5abd 100644
+--- a/utils/certifyx509.c
++++ b/utils/certifyx509.c
+@@ -147,7 +147,7 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *certificate,
+ TPM_RC reformCertificate(X509 			*x509Certificate,
+ 			 TPMI_ALG_HASH		halg,
+ 			 TPMI_ALG_SIG_SCHEME   	scheme,
+-			 TPM_ADDTOCERT		*addToCert,
++			 const TPM_ADDTOCERT	*addToCert,
+ 			 TPMT_SIGNATURE 	*tSignature);
+ TPM_RC addSignatureRsa(X509 		*x509Certificate,
+ 		       TPMI_ALG_HASH	halg,
+@@ -618,7 +618,7 @@ int main(int argc, char *argv[])
+     if (rc == 0) {
+ 	if (verbose) X509_print_fp(stdout, x509Certificate);	/* for debug */
+ 	rc = convertX509ToDer(&x509DerLength,
+-			      &x509Der,				/* freed @2 */
++			      &x509Der,				/* freed @4 */
+ 			      x509Certificate);
+     }
+     if ((rc == 0) && (outCertificateFilename != NULL)) {
+@@ -628,8 +628,13 @@ int main(int argc, char *argv[])
+     if (x509Certificate != NULL) {
+ 	X509_free(x509Certificate);			/* @1 */
+     }
+-    free(x509Der);					/* @2 */
+-    OPENSSL_free(addToCert);				/* @3 */
++    if (partialCertificate != NULL) {
++	TPM_PARTIAL_CERT_free(partialCertificate);	/* @2 */
++    }
++    if (addToCert != NULL) {
++	TPM_ADDTOCERT_free(addToCert);			/* @3 */
++    }
++    free(x509Der);					/* @4 */
+     return rc;
+ }
+ 
+@@ -683,8 +688,6 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate,	/* input /
+     int		irc;
+     ASN1_TIME	*arc;			/* return code */
+ 
+-    X509_NAME 	*x509IssuerName = NULL;	/* composite issuer name, key/value pairs */
+-    X509_NAME 	*x509SubjectName = NULL;/* composite subject name, key/value pairs */
+     size_t	issuerEntriesSize = sizeof(issuerEntries)/sizeof(char *);
+     size_t	subjectEntriesSize = sizeof(subjectEntries)/sizeof(char *);
+     uint8_t 	*tmpPartialDer = NULL;	/* for the i2d */
+@@ -693,6 +696,9 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate,	/* input /
+     if (rc == 0) {
+ 	if (verbose) printf("createPartialCertificate: Adding issuer, size %lu\n",
+ 			    (unsigned long)issuerEntriesSize);
++	/* _new allocates the member.  free it because createX509Name() allocates a new structure */
++	X509_NAME_free(partialCertificate->issuer);
++	partialCertificate->issuer = NULL;
+ 	rc = createX509Name(&partialCertificate->issuer,	/* freed @1 */
+ 			    issuerEntriesSize,
+ 			    issuerEntries);
+@@ -746,6 +752,8 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate,	/* input /
+ 	if (!subeqiss) {
+ 	    if (verbose) printf("createPartialCertificate: Adding subject, size %lu\n",
+ 				(unsigned long)subjectEntriesSize);
++	    X509_NAME_free(partialCertificate->subject);
++	    partialCertificate->subject = NULL;
+ 	    rc = createX509Name(&partialCertificate->subject,	/* freed @2 */
+ 				subjectEntriesSize,
+ 				subjectEntries);
+@@ -754,6 +762,8 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate,	/* input /
+ 	else {
+ 	    if (verbose) printf("createPartialCertificate: Adding subject (issuer), size %lu\n",
+ 				(unsigned long)issuerEntriesSize);
++	    X509_NAME_free(partialCertificate->subject);
++	    partialCertificate->subject = NULL;
+ 	    rc = createX509Name(&partialCertificate->subject,	/* freed @2 */
+ 				issuerEntriesSize,
+ 				issuerEntries);
+@@ -806,8 +816,6 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate,	/* input /
+ 	if (verbose) X509_print_fp(stdout, x509Certificate);
+     }
+ #endif
+-    X509_NAME_free(x509IssuerName);	/* @1 */
+-    X509_NAME_free(x509SubjectName);	/* @2 */
+     OPENSSL_free(tmpPartialDer);	/* @3 */
+     return rc;
+ }
+@@ -956,7 +964,7 @@ TPM_RC addPartialCertExtensionTpmaOid(TPM_PARTIAL_CERT  *partialCertificate,
+ TPM_RC reformCertificate(X509 			*x509Certificate,
+ 			 TPMI_ALG_HASH		halg,
+ 			 TPMI_ALG_SIG_SCHEME   	scheme,
+-			 TPM_ADDTOCERT		*addToCert,
++			 const TPM_ADDTOCERT	*addToCert,
+ 			 TPMT_SIGNATURE 	*tSignature)
+ {
+     TPM_RC 		rc = 0;
+-- 
+2.34.1
+

SOURCES/0005-utils-Fix-errors-detected-by-gcc-asan.patch

@@ -0,0 +1,91 @@
+From bcbc2f0400cfc2f596283e8c528aed4576bfea69 Mon Sep 17 00:00:00 2001
+From: Ken Goldman <kgold@linux.ibm.com>
+Date: Fri, 3 Sep 2021 14:58:20 -0400
+Subject: [PATCH 5/7] utils: Fix errors detected by gcc asan
+
+In Uint32_Convert(), case the byte to uint32_t before the left shift
+24 to suppress a warning.
+
+In TSS_EFI_GetNameIndex(), do not compare data if the length does not
+match, because this could cause a buffer overflow.  Test should be &&,
+not &.
+
+TSS_Delete should only memset sessionData if the pointer is not NULL.
+
+Signed-off-by: Ken Goldman <kgold@linux.ibm.com>
+---
+ utils/efilib.c   | 11 +++++++----
+ utils/eventlib.c | 10 +++++-----
+ utils/tss.c      |  6 ++++--
+ 3 files changed, 16 insertions(+), 11 deletions(-)
+
+diff --git a/utils/efilib.c b/utils/efilib.c
+index 201a1f5..ab8177b 100644
+--- a/utils/efilib.c
++++ b/utils/efilib.c
+@@ -399,16 +399,19 @@ static void TSS_EFI_GetNameIndex(size_t *index,
+ 				 const uint8_t *name,
+ 				 uint64_t nameLength)	/* half the total bytes in array */
+ {
+-    int m1,m2;
++    int m1 = 0;
++    int m2 = 0;
+     for (*index = 0 ;
+ 	 *index < sizeof(tagTable) / sizeof(TAG_TABLE)  ;
+ 	 (*index)++) {
+ 
+ 	/* length match */
+ 	m1 = (nameLength * 2) == tagTable[*index].nameLength;
+-	/* string match */
+-	m2 = memcmp(name, tagTable[*index].name, (size_t)(nameLength * 2)) == 0;
+-	if (m1 & m2) {
++	if (m1) {
++	    /* string match */
++	    m2 = memcmp(name, tagTable[*index].name, (size_t)(nameLength * 2)) == 0;
++	}
++	if (m1 && m2) {
+ 	    return;
+ 	}
+     }
+diff --git a/utils/eventlib.c b/utils/eventlib.c
+index 0c2801c..c56a22f 100644
+--- a/utils/eventlib.c
++++ b/utils/eventlib.c
+@@ -1346,12 +1346,12 @@ static uint32_t Uint32_Convert(uint32_t in)
+ {
+     uint32_t out = 0;
+     unsigned char *inb = (unsigned char *)&in;
+-    
++
+     /* little endian input */
+-    out = (inb[0] <<  0) |
+-	  (inb[1] <<  8) |
+-	  (inb[2] << 16) |
+-	  (inb[3] << 24);
++    out = ((((uint32_t)inb[0]) <<  0) |
++	   (((uint32_t)inb[1]) <<  8) |
++	   (((uint32_t)inb[2]) << 16) |
++	   (((uint32_t)inb[3]) << 24));
+     return out;
+ }
+ #endif /* TPM_TSS_NOFILE */
+diff --git a/utils/tss.c b/utils/tss.c
+index 574c448..6f0eede 100644
+--- a/utils/tss.c
++++ b/utils/tss.c
+@@ -179,8 +179,10 @@ TPM_RC TSS_Delete(TSS_CONTEXT *tssContext)
+ 	    for (i = 0 ; i < (sizeof(tssContext->sessions) / sizeof(TSS_SESSIONS)) ; i++) {
+ 		tssContext->sessions[i].sessionHandle = TPM_RH_NULL;
+ 		/* erase any secrets */
+-		memset(tssContext->sessions[i].sessionData,
+-		       0, tssContext->sessions[i].sessionDataLength);
++		if (tssContext->sessions[i].sessionData != NULL) {
++		    memset(tssContext->sessions[i].sessionData,
++			   0, tssContext->sessions[i].sessionDataLength);
++		}
+ 		free(tssContext->sessions[i].sessionData);
+ 		tssContext->sessions[i].sessionData = NULL;
+ 		tssContext->sessions[i].sessionDataLength = 0;
+-- 
+2.34.1
+

SOURCES/0006-tss-Port-HMAC-operations-to-openssl-3.0.patch

@@ -0,0 +1,103 @@
+From 7128994537a7103b25acb1df238db747d7cb3274 Mon Sep 17 00:00:00 2001
+From: Ken Goldman <kgold@linux.ibm.com>
+Date: Fri, 10 Sep 2021 16:33:10 -0400
+Subject: [PATCH 6/7] tss: Port HMAC operations to openssl 3.0
+
+Replace the deprecated APIs.
+
+- Compared to the next branch commit 6e22032d, changes related to HMAC are
+  ommited.
+
+Signed-off-by: Ken Goldman <kgold@linux.ibm.com>
+---
+ utils/tsscrypto.c | 58 ++++++++++++++++++++++++++++++-----------------
+ 1 file changed, 37 insertions(+), 21 deletions(-)
+
+diff --git a/utils/tsscrypto.c b/utils/tsscrypto.c
+index 23d3b6e..1974563 100644
+--- a/utils/tsscrypto.c
++++ b/utils/tsscrypto.c
+@@ -79,6 +79,7 @@ extern int tssVerbose;
+ 
+ /* local prototypes */
+ 
++static TPM_RC TSS_Hash_GetOsslString(const char **str, TPMI_ALG_HASH hashAlg);
+ static TPM_RC TSS_Hash_GetMd(const EVP_MD **md,
+ 			     TPMI_ALG_HASH hashAlg);
+ 
+@@ -129,36 +130,51 @@ TPM_RC TSS_Crypto_Init(void)
+   Digests
+ */
+ 
+-static TPM_RC TSS_Hash_GetMd(const EVP_MD **md,
+-			     TPMI_ALG_HASH hashAlg)
++/* TSS_Hash_GetString() maps from the TCG hash algorithm to the OpenSSL string */
++
++static TPM_RC TSS_Hash_GetOsslString(const char **str, TPMI_ALG_HASH hashAlg)
+ {
+-    TPM_RC		rc = 0;
++    TPM_RC	rc = 0;
+ 
+-    if (rc == 0) {
+-	switch (hashAlg) {
++    switch (hashAlg) {
+ #ifdef TPM_ALG_SHA1
+-	  case TPM_ALG_SHA1:
+-	    *md = EVP_get_digestbyname("sha1");
+-	    break;
++      case TPM_ALG_SHA1:
++	*str = "sha1";
++	break;
+ #endif
+-#ifdef TPM_ALG_SHA256	
+-	  case TPM_ALG_SHA256:
+-	    *md = EVP_get_digestbyname("sha256");
+-	    break;
++#ifdef TPM_ALG_SHA256
++      case TPM_ALG_SHA256:
++	*str = "sha256";
++	break;
+ #endif
+ #ifdef TPM_ALG_SHA384
+-	  case 	TPM_ALG_SHA384:
+-	    *md = EVP_get_digestbyname("sha384");
+-	    break;
++      case TPM_ALG_SHA384:
++	*str = "sha384";
++	break;
+ #endif
+ #ifdef TPM_ALG_SHA512
+-	  case 	TPM_ALG_SHA512:
+-	    *md = EVP_get_digestbyname("sha512");
+-	    break;
++      case TPM_ALG_SHA512:
++	*str = "sha512";
++	break;
+ #endif
+-	  default:
+-	    rc = TSS_RC_BAD_HASH_ALGORITHM;
+-	}
++      default:
++	*str = NULL;
++	rc = TSS_RC_BAD_HASH_ALGORITHM;
++    }
++    return rc;
++}
++
++static TPM_RC TSS_Hash_GetMd(const EVP_MD **md,
++			     TPMI_ALG_HASH hashAlg)
++{
++    TPM_RC		rc = 0;
++    const char 		*str = NULL; 
++
++    if (rc == 0) {
++	rc =  TSS_Hash_GetOsslString(&str, hashAlg);
++    }
++    if (rc == 0) {
++	*md = EVP_get_digestbyname(str);
+     }
+     return rc;
+ }
+-- 
+2.34.1
+

SPECS/tss2.spec

@@ -0,0 +1,187 @@
+#
+# Spec file for IBM's TSS for the TPM 2.0
+#
+%{!?__global_ldflags: %global __global_ldflags -Wl,-z,relro}
+
+%global incname ibmtss
+
+Name:		tss2
+Version:	1.6.0
+Release:	6%{?dist}
+Epoch:	        1
+Summary:	IBM's TCG Software Stack (TSS) for TPM 2.0 and related utilities
+
+License:	BSD
+URL:		http://sourceforge.net/projects/ibmtpm20tss/
+Source0:	https://sourceforge.net/projects/ibmtpm20tss/files/ibmtss%{version}.tar.gz
+Patch0:         tss2-1.6.0-manpage-cleanup.patch
+Patch1:		0001-utils-Update-certifyx509-for-Openssl-3.0.0.patch
+Patch2:		0002-utils-Remove-unused-variables-from-certifyx509.patch
+Patch3:		0003-Update-certifyx509-for-Windows.patch
+Patch4:		0004-utils-Clean-up-certifyx509-memory-allocation.patch
+Patch5:		0005-utils-Fix-errors-detected-by-gcc-asan.patch
+Patch6:		0006-tss-Port-HMAC-operations-to-openssl-3.0.patch
+Patch7:		0007-utils-Port-to-openssl-3.0.0-replaces-RSA-with-EVP_PK.patch
+Patch8:		0001-utils-Generate-X509-certificate-serial-number-using-.patch
+Patch9:		0002-Update-SHA-1-to-SHA-256-in-tests-without-restricting.patch
+Patch10: 	0003-Restrict-the-usage-of-SHA-1-in-code-examples.patch
+Patch11:	0004-Restrict-SHA-1-in-TSS.patch
+
+
+BuildRequires: automake
+BuildRequires: autoconf
+BuildRequires: libtool
+BuildRequires:  gcc
+BuildRequires:	openssl-devel
+BuildRequires:	git
+Requires:	openssl
+
+%description
+TSS2 is a user space Trusted Computing Group's Software Stack (TSS) for
+TPM 2.0.  It implements the functionality equivalent to the TCG TSS
+working group's ESAPI, SAPI, and TCTI layers (and perhaps more) but with
+a hopefully far simpler interface.
+
+It comes with about 80 "TPM tools" that can be used for rapid prototyping,
+education and debugging. 
+
+%package devel
+Summary:	Development libraries and headers for IBM's TSS 2.0
+Requires:	%{name}%{?_isa} = %{epoch}:%{version}-%{release}
+
+%description devel
+Development libraries and headers for IBM's TSS 2.0. You will need this in
+order to build TSS 2.0 applications.
+
+%prep
+%autosetup -S git -p1 -c %{name}-%{version}
+
+%build
+autoreconf -vi
+%configure --disable-static --disable-tpm-1.2 --program-prefix=tss --enable-restricted-hash-alg
+CCFLAGS="%{optflags}" \
+LNFLAGS="%{__global_ldflags}" \
+%{make_build}
+
+%install
+%make_install
+find %{buildroot} -type f -name "*.la" -delete -print
+
+%ldconfig_scriptlets
+
+%files
+%license LICENSE
+%{_bindir}/tss*
+%{_libdir}/libibmtss.so.*
+%{_libdir}/libibmtssutils.so.*
+%attr(0644, root, root) %{_mandir}/man1/tss*.1*
+
+%files devel
+%{_includedir}/%{incname}
+%{_libdir}/libibmtss.so
+%{_libdir}/libibmtssutils.so
+%doc ibmtss.doc
+
+%changelog
+* Thu Feb 24 2022 Stepan Horacek <shoracek@redhat.com> - 1:1.6.0-6
+- Restrict SHA-1 usage
+  Resolves: rhbz#1935450
+
+* Fri Jan 28 2022 Stepan Horacek <shoracek@redhat.com> - 1:1.6.0-5
+- Fix failures introduced with OpenSSL 3
+  Resolves: rhbz#1984621
+  Resolves: rhbz#1992339
+
+* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1:1.6.0-4
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 1:1.6.0-3
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+  Related: rhbz#1971065
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1:1.6.0-2
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Mon Feb 8 2021 Jerry Snitselaar <jsnitsel@redhat.com> - 1.6.0-1
+- Rebase to v1.6.0 release.
+- Manpage cleanup.
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1331-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1331-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Fri Feb 14 2020 Tom Stellard <tstellar@redhat.com> - 1331-5
+- Use make_build macro
+- https://docs.fedoraproject.org/en-US/packaging-guidelines/#_parallel_make
+
+* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1331-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Fri Jan 17 2020 Jeff Law <law@redhat.com> - 1331-3
+- Ensure tssprintcmd has the compilation compilation flags,
+  PIC in particular
+
+* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1331-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu May 30 2019 Jerry Snitselaar <jsnitsel@redhat.com> - 1331-1
+- Rebase to version 1331
+
+* Tue May 28 2019 Jerry Snitselaar <jsnitsel@redhat.com> - 1234-4
+- Fix covscan issues
+- Fix compile and linker flag issues
+
+* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1234-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1234-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Mon Jun 18 2018 Jerry Snitselaar <jsnitsel@redhat.com> - 1234-1
+- Version bump.
+
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1027-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Fri Jan 19 2018 Merlin Mathesius <mmathesi@redhat.com> - 1027-1
+- Version bump. Now supported for all architectures.
+- Generate man pages since they are no longer included in source archive.
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 713-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 713-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 713-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Wed Oct 05 2016 Hon Ching(Vicky) Lo <lo1@us.ibm.com> - 713-7
+- Removed defattr from the devel subpackage 
+
+* Mon Sep 26 2016 Hon Ching(Vicky) Lo <lo1@us.ibm.com> - 713-6
+- Added s390x arch as another "ExcludeArch"
+
+* Mon Sep 26 2016 Hon Ching(Vicky) Lo <lo1@us.ibm.com> - 713-5
+- Replaced ExclusiveArch with ExcludeArch 
+ 
+* Mon Sep 19 2016 Hon Ching(Vicky) Lo <lo1@us.ibm.com> - 713-4
+- Used ExclusiveArch instead of BuildArch tag
+- Removed attr from symlink in devel subpackage 
+- Added manpages and modified the Source0
+- Added CCFLAGS and LNFLAGS to enforce hardening and optimization
+
+* Wed Aug 17 2016 Hon Ching(Vicky) Lo <lo1@us.ibm.com> - 713-3
+- Modified supported arch to ppc64le
+
+* Sat Aug 13 2016 Hon Ching(Vicky) Lo <lo1@us.ibm.com> - 713-2
+- Minor spec fixes 
+
+* Tue Aug 09 2016 Hon Ching(Vicky) Lo <lo1@us.ibm.com> - 713-1
+- Updated for initial submission 
+
+* Fri Mar 20 2015 George Wilson <gcwilson@us.ibm.com>
+- Initial implementation