Fix failures introduced with OpenSSL 3

Resolves: rhbz#1984621
Resolves: rhbz#1992339

Signed-off-by: Štěpán Horáček <shoracek@redhat.com>
This commit is contained in:
Štěpán Horáček 2022-01-19 18:35:33 +01:00
parent a20d90bf34
commit c15dc54057
8 changed files with 3300 additions and 1 deletions

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,54 @@
From 87120cf7fedcfc063ba5cd28ae4571909209a547 Mon Sep 17 00:00:00 2001
From: Ken Goldman <kgoldman@us.ibm.com>
Date: Mon, 23 Aug 2021 17:30:56 -0400
Subject: [PATCH 2/7] utils: Remove unused variables from certifyx509
notBefore and notAfter are set driectly in the partialCertificate
structure, and that is used to directly set the x509 structure.
Signed-off-by: Ken Goldman <kgoldman@us.ibm.com>
---
utils/certifyx509.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/utils/certifyx509.c b/utils/certifyx509.c
index ed42ac0..44640aa 100644
--- a/utils/certifyx509.c
+++ b/utils/certifyx509.c
@@ -204,6 +204,7 @@ int main(int argc, char *argv[])
setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ curveID = curveID; /* no longer used, get from parent */
/* command line argument defaults */
for (i=1 ; (i<argc) && (rc == 0) ; i++) {
if (strcmp(argv[i],"-ho") == 0) {
@@ -686,8 +687,6 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate, /* input /
X509_NAME *x509SubjectName = NULL;/* composite subject name, key/value pairs */
size_t issuerEntriesSize = sizeof(issuerEntries)/sizeof(char *);
size_t subjectEntriesSize = sizeof(subjectEntries)/sizeof(char *);
- ASN1_TIME *notBefore = NULL;
- ASN1_TIME *notAfter = NULL;
uint8_t *tmpPartialDer = NULL; /* for the i2d */
/* add issuer */
@@ -717,8 +716,6 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate, /* input /
}
}
if (rc == 0) {
- /* can't fail, just returns a structure member */
- notBefore = X509_get_notBefore(x509Certificate);
irc = X509_set1_notBefore(x509Certificate, partialCertificate->validity->notBefore);
if (irc == 0) {
printf("createPartialCertificate: Error setting notBefore time\n");
@@ -737,7 +734,6 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate, /* input /
}
}
if (rc == 0) {
- notAfter = X509_get_notAfter(x509Certificate);
irc = X509_set1_notAfter(x509Certificate,partialCertificate->validity->notAfter);
if (irc == 0) {
printf("createPartialCertificate: Error setting notAfter time\n");
--
2.34.1

View File

@ -0,0 +1,99 @@
From 1c462889a517d6dbab721aa3e0597878e9c237d5 Mon Sep 17 00:00:00 2001
From: Ken Goldman <kgold@linux.ibm.com>
Date: Wed, 25 Aug 2021 18:02:11 -0400
Subject: [PATCH 3/7] : Update certifyx509 for Windows
Add static_ to the ASN1_SEQUENCE_END macros to suppress a gcc warning.
Change free to OPENSSL_free, required with i2d when OpenSSL is a dll.
Remove the tmpx509i file handling from the .bat file since certifyx509
no longer outputs it.
Signed-off-by: Ken Goldman <kgold@linux.ibm.com>
---
utils/certifyx509.c | 10 +++++-----
utils/regtests/testx509.bat | 5 -----
2 files changed, 5 insertions(+), 10 deletions(-)
diff --git a/utils/certifyx509.c b/utils/certifyx509.c
index 44640aa..5602f62 100644
--- a/utils/certifyx509.c
+++ b/utils/certifyx509.c
@@ -94,7 +94,7 @@ typedef struct {
ASN1_SEQUENCE(TPM_PARTIAL_CERT_VALIDITY) = {
ASN1_SIMPLE(TPM_PARTIAL_CERT_VALIDITY, notBefore, ASN1_TIME),
ASN1_SIMPLE(TPM_PARTIAL_CERT_VALIDITY, notAfter, ASN1_TIME),
-} ASN1_SEQUENCE_END(TPM_PARTIAL_CERT_VALIDITY)
+} static_ASN1_SEQUENCE_END(TPM_PARTIAL_CERT_VALIDITY)
/* the signature algorithm is optional while the extension list is mandatory */
ASN1_SEQUENCE(TPM_PARTIAL_CERT) = {
@@ -103,7 +103,7 @@ ASN1_SEQUENCE(TPM_PARTIAL_CERT) = {
ASN1_SIMPLE(TPM_PARTIAL_CERT, validity, TPM_PARTIAL_CERT_VALIDITY),
ASN1_SIMPLE(TPM_PARTIAL_CERT, subject, X509_NAME),
ASN1_EXP_SEQUENCE_OF(TPM_PARTIAL_CERT, extensions, X509_EXTENSION, 3),
-} ASN1_SEQUENCE_END(TPM_PARTIAL_CERT)
+} static_ASN1_SEQUENCE_END(TPM_PARTIAL_CERT)
DECLARE_ASN1_FUNCTIONS(TPM_PARTIAL_CERT)
IMPLEMENT_ASN1_FUNCTIONS(TPM_PARTIAL_CERT)
@@ -122,7 +122,7 @@ ASN1_SEQUENCE(TPM_ADDTOCERT) = {
ASN1_SIMPLE(TPM_ADDTOCERT, serialNumber, ASN1_INTEGER),
ASN1_SIMPLE(TPM_ADDTOCERT, signatureAlgorithm, X509_ALGOR),
ASN1_SIMPLE(TPM_ADDTOCERT, key, X509_PUBKEY),
-} ASN1_SEQUENCE_END(TPM_ADDTOCERT)
+} static_ASN1_SEQUENCE_END(TPM_ADDTOCERT)
DECLARE_ASN1_FUNCTIONS(TPM_ADDTOCERT)
IMPLEMENT_ASN1_FUNCTIONS(TPM_ADDTOCERT)
@@ -629,7 +629,7 @@ int main(int argc, char *argv[])
X509_free(x509Certificate); /* @1 */
}
free(x509Der); /* @2 */
- free(addToCert); /* @3 */
+ OPENSSL_free(addToCert); /* @3 */
return rc;
}
@@ -808,7 +808,7 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate, /* input /
#endif
X509_NAME_free(x509IssuerName); /* @1 */
X509_NAME_free(x509SubjectName); /* @2 */
- free(tmpPartialDer); /* @3 */
+ OPENSSL_free(tmpPartialDer); /* @3 */
return rc;
}
diff --git a/utils/regtests/testx509.bat b/utils/regtests/testx509.bat
index 0951ad6..17b69f6 100644
--- a/utils/regtests/testx509.bat
+++ b/utils/regtests/testx509.bat
@@ -80,8 +80,6 @@ for /L %%i in (1,1,!L!) do (
exit /B 1
)
- rem # dumpasn1 -a -l -d tmpx509i.bin > tmpx509i1.dump
- rem # dumpasn1 -a -l -d -hh tmpx509i.bin > tmpx509i1.dumphh
rem # dumpasn1 -a -l -d tmppart1.bin > tmppart1.dump
rem # dumpasn1 -a -l -d -hh tmppart1.bin > tmppart1.dumphh
rem # dumpasn1 -a -l -d tmpadd1.bin > tmpadd1.dump
@@ -102,8 +100,6 @@ for /L %%i in (1,1,!L!) do (
exit /B 1
)
-rem # dumpasn1 -a -l -d tmpx509i.bin > tmpx509i2.dump
-rem # dumpasn1 -a -l -d -hh tmpx509i.bin > tmpx509i2.dumphh
rem # dumpasn1 -a -l -d tmppart2.bin > tmppart2.dump
rem # dumpasn1 -a -l -d -hh tmppart2.bin > tmppart2.dumphhe
rem # dumpasn1 -a -l -d tmpadd2.bin > tmpadd2.dump
@@ -446,7 +442,6 @@ rm tmpsig1.bin
rm tmpx5091.bin
rm tmpx5091.pem
rm tmpx5092.pem
-rm tmpx509i.bin
rm tmppart2.bin
rm tmpadd2.bin
rm tmptbs2.bin
--
2.34.1

View File

@ -0,0 +1,111 @@
From d77514273aa88f67b85c398a222ab2195c42f5fd Mon Sep 17 00:00:00 2001
From: Ken Goldman <kgold@linux.ibm.com>
Date: Tue, 31 Aug 2021 13:45:21 -0400
Subject: [PATCH 4/7] utils: Clean up certifyx509 memory allocation
Make TPM_ADDTOCERT input const. Annotate malloc and free calls. Free
TPM_PARTIAL_CERT. Use TPM_ADDTOCERT_free. Remove unused
x509IssuerName and x509SubjectName and their frees. Free
TPM_PARTIAL_CERT issuer and subject because createX509Name() mallocs.
Signed-off-by: Ken Goldman <kgold@linux.ibm.com>
---
utils/certifyx509.c | 26 +++++++++++++++++---------
1 file changed, 17 insertions(+), 9 deletions(-)
diff --git a/utils/certifyx509.c b/utils/certifyx509.c
index 5602f62..8ac5abd 100644
--- a/utils/certifyx509.c
+++ b/utils/certifyx509.c
@@ -147,7 +147,7 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *certificate,
TPM_RC reformCertificate(X509 *x509Certificate,
TPMI_ALG_HASH halg,
TPMI_ALG_SIG_SCHEME scheme,
- TPM_ADDTOCERT *addToCert,
+ const TPM_ADDTOCERT *addToCert,
TPMT_SIGNATURE *tSignature);
TPM_RC addSignatureRsa(X509 *x509Certificate,
TPMI_ALG_HASH halg,
@@ -618,7 +618,7 @@ int main(int argc, char *argv[])
if (rc == 0) {
if (verbose) X509_print_fp(stdout, x509Certificate); /* for debug */
rc = convertX509ToDer(&x509DerLength,
- &x509Der, /* freed @2 */
+ &x509Der, /* freed @4 */
x509Certificate);
}
if ((rc == 0) && (outCertificateFilename != NULL)) {
@@ -628,8 +628,13 @@ int main(int argc, char *argv[])
if (x509Certificate != NULL) {
X509_free(x509Certificate); /* @1 */
}
- free(x509Der); /* @2 */
- OPENSSL_free(addToCert); /* @3 */
+ if (partialCertificate != NULL) {
+ TPM_PARTIAL_CERT_free(partialCertificate); /* @2 */
+ }
+ if (addToCert != NULL) {
+ TPM_ADDTOCERT_free(addToCert); /* @3 */
+ }
+ free(x509Der); /* @4 */
return rc;
}
@@ -683,8 +688,6 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate, /* input /
int irc;
ASN1_TIME *arc; /* return code */
- X509_NAME *x509IssuerName = NULL; /* composite issuer name, key/value pairs */
- X509_NAME *x509SubjectName = NULL;/* composite subject name, key/value pairs */
size_t issuerEntriesSize = sizeof(issuerEntries)/sizeof(char *);
size_t subjectEntriesSize = sizeof(subjectEntries)/sizeof(char *);
uint8_t *tmpPartialDer = NULL; /* for the i2d */
@@ -693,6 +696,9 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate, /* input /
if (rc == 0) {
if (verbose) printf("createPartialCertificate: Adding issuer, size %lu\n",
(unsigned long)issuerEntriesSize);
+ /* _new allocates the member. free it because createX509Name() allocates a new structure */
+ X509_NAME_free(partialCertificate->issuer);
+ partialCertificate->issuer = NULL;
rc = createX509Name(&partialCertificate->issuer, /* freed @1 */
issuerEntriesSize,
issuerEntries);
@@ -746,6 +752,8 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate, /* input /
if (!subeqiss) {
if (verbose) printf("createPartialCertificate: Adding subject, size %lu\n",
(unsigned long)subjectEntriesSize);
+ X509_NAME_free(partialCertificate->subject);
+ partialCertificate->subject = NULL;
rc = createX509Name(&partialCertificate->subject, /* freed @2 */
subjectEntriesSize,
subjectEntries);
@@ -754,6 +762,8 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate, /* input /
else {
if (verbose) printf("createPartialCertificate: Adding subject (issuer), size %lu\n",
(unsigned long)issuerEntriesSize);
+ X509_NAME_free(partialCertificate->subject);
+ partialCertificate->subject = NULL;
rc = createX509Name(&partialCertificate->subject, /* freed @2 */
issuerEntriesSize,
issuerEntries);
@@ -806,8 +816,6 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate, /* input /
if (verbose) X509_print_fp(stdout, x509Certificate);
}
#endif
- X509_NAME_free(x509IssuerName); /* @1 */
- X509_NAME_free(x509SubjectName); /* @2 */
OPENSSL_free(tmpPartialDer); /* @3 */
return rc;
}
@@ -956,7 +964,7 @@ TPM_RC addPartialCertExtensionTpmaOid(TPM_PARTIAL_CERT *partialCertificate,
TPM_RC reformCertificate(X509 *x509Certificate,
TPMI_ALG_HASH halg,
TPMI_ALG_SIG_SCHEME scheme,
- TPM_ADDTOCERT *addToCert,
+ const TPM_ADDTOCERT *addToCert,
TPMT_SIGNATURE *tSignature)
{
TPM_RC rc = 0;
--
2.34.1

View File

@ -0,0 +1,91 @@
From bcbc2f0400cfc2f596283e8c528aed4576bfea69 Mon Sep 17 00:00:00 2001
From: Ken Goldman <kgold@linux.ibm.com>
Date: Fri, 3 Sep 2021 14:58:20 -0400
Subject: [PATCH 5/7] utils: Fix errors detected by gcc asan
In Uint32_Convert(), case the byte to uint32_t before the left shift
24 to suppress a warning.
In TSS_EFI_GetNameIndex(), do not compare data if the length does not
match, because this could cause a buffer overflow. Test should be &&,
not &.
TSS_Delete should only memset sessionData if the pointer is not NULL.
Signed-off-by: Ken Goldman <kgold@linux.ibm.com>
---
utils/efilib.c | 11 +++++++----
utils/eventlib.c | 10 +++++-----
utils/tss.c | 6 ++++--
3 files changed, 16 insertions(+), 11 deletions(-)
diff --git a/utils/efilib.c b/utils/efilib.c
index 201a1f5..ab8177b 100644
--- a/utils/efilib.c
+++ b/utils/efilib.c
@@ -399,16 +399,19 @@ static void TSS_EFI_GetNameIndex(size_t *index,
const uint8_t *name,
uint64_t nameLength) /* half the total bytes in array */
{
- int m1,m2;
+ int m1 = 0;
+ int m2 = 0;
for (*index = 0 ;
*index < sizeof(tagTable) / sizeof(TAG_TABLE) ;
(*index)++) {
/* length match */
m1 = (nameLength * 2) == tagTable[*index].nameLength;
- /* string match */
- m2 = memcmp(name, tagTable[*index].name, (size_t)(nameLength * 2)) == 0;
- if (m1 & m2) {
+ if (m1) {
+ /* string match */
+ m2 = memcmp(name, tagTable[*index].name, (size_t)(nameLength * 2)) == 0;
+ }
+ if (m1 && m2) {
return;
}
}
diff --git a/utils/eventlib.c b/utils/eventlib.c
index 0c2801c..c56a22f 100644
--- a/utils/eventlib.c
+++ b/utils/eventlib.c
@@ -1346,12 +1346,12 @@ static uint32_t Uint32_Convert(uint32_t in)
{
uint32_t out = 0;
unsigned char *inb = (unsigned char *)&in;
-
+
/* little endian input */
- out = (inb[0] << 0) |
- (inb[1] << 8) |
- (inb[2] << 16) |
- (inb[3] << 24);
+ out = ((((uint32_t)inb[0]) << 0) |
+ (((uint32_t)inb[1]) << 8) |
+ (((uint32_t)inb[2]) << 16) |
+ (((uint32_t)inb[3]) << 24));
return out;
}
#endif /* TPM_TSS_NOFILE */
diff --git a/utils/tss.c b/utils/tss.c
index 574c448..6f0eede 100644
--- a/utils/tss.c
+++ b/utils/tss.c
@@ -179,8 +179,10 @@ TPM_RC TSS_Delete(TSS_CONTEXT *tssContext)
for (i = 0 ; i < (sizeof(tssContext->sessions) / sizeof(TSS_SESSIONS)) ; i++) {
tssContext->sessions[i].sessionHandle = TPM_RH_NULL;
/* erase any secrets */
- memset(tssContext->sessions[i].sessionData,
- 0, tssContext->sessions[i].sessionDataLength);
+ if (tssContext->sessions[i].sessionData != NULL) {
+ memset(tssContext->sessions[i].sessionData,
+ 0, tssContext->sessions[i].sessionDataLength);
+ }
free(tssContext->sessions[i].sessionData);
tssContext->sessions[i].sessionData = NULL;
tssContext->sessions[i].sessionDataLength = 0;
--
2.34.1

View File

@ -0,0 +1,103 @@
From 7128994537a7103b25acb1df238db747d7cb3274 Mon Sep 17 00:00:00 2001
From: Ken Goldman <kgold@linux.ibm.com>
Date: Fri, 10 Sep 2021 16:33:10 -0400
Subject: [PATCH 6/7] tss: Port HMAC operations to openssl 3.0
Replace the deprecated APIs.
- Compared to the next branch commit 6e22032d, changes related to HMAC are
ommited.
Signed-off-by: Ken Goldman <kgold@linux.ibm.com>
---
utils/tsscrypto.c | 58 ++++++++++++++++++++++++++++++-----------------
1 file changed, 37 insertions(+), 21 deletions(-)
diff --git a/utils/tsscrypto.c b/utils/tsscrypto.c
index 23d3b6e..1974563 100644
--- a/utils/tsscrypto.c
+++ b/utils/tsscrypto.c
@@ -79,6 +79,7 @@ extern int tssVerbose;
/* local prototypes */
+static TPM_RC TSS_Hash_GetOsslString(const char **str, TPMI_ALG_HASH hashAlg);
static TPM_RC TSS_Hash_GetMd(const EVP_MD **md,
TPMI_ALG_HASH hashAlg);
@@ -129,36 +130,51 @@ TPM_RC TSS_Crypto_Init(void)
Digests
*/
-static TPM_RC TSS_Hash_GetMd(const EVP_MD **md,
- TPMI_ALG_HASH hashAlg)
+/* TSS_Hash_GetString() maps from the TCG hash algorithm to the OpenSSL string */
+
+static TPM_RC TSS_Hash_GetOsslString(const char **str, TPMI_ALG_HASH hashAlg)
{
- TPM_RC rc = 0;
+ TPM_RC rc = 0;
- if (rc == 0) {
- switch (hashAlg) {
+ switch (hashAlg) {
#ifdef TPM_ALG_SHA1
- case TPM_ALG_SHA1:
- *md = EVP_get_digestbyname("sha1");
- break;
+ case TPM_ALG_SHA1:
+ *str = "sha1";
+ break;
#endif
-#ifdef TPM_ALG_SHA256
- case TPM_ALG_SHA256:
- *md = EVP_get_digestbyname("sha256");
- break;
+#ifdef TPM_ALG_SHA256
+ case TPM_ALG_SHA256:
+ *str = "sha256";
+ break;
#endif
#ifdef TPM_ALG_SHA384
- case TPM_ALG_SHA384:
- *md = EVP_get_digestbyname("sha384");
- break;
+ case TPM_ALG_SHA384:
+ *str = "sha384";
+ break;
#endif
#ifdef TPM_ALG_SHA512
- case TPM_ALG_SHA512:
- *md = EVP_get_digestbyname("sha512");
- break;
+ case TPM_ALG_SHA512:
+ *str = "sha512";
+ break;
#endif
- default:
- rc = TSS_RC_BAD_HASH_ALGORITHM;
- }
+ default:
+ *str = NULL;
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ return rc;
+}
+
+static TPM_RC TSS_Hash_GetMd(const EVP_MD **md,
+ TPMI_ALG_HASH hashAlg)
+{
+ TPM_RC rc = 0;
+ const char *str = NULL;
+
+ if (rc == 0) {
+ rc = TSS_Hash_GetOsslString(&str, hashAlg);
+ }
+ if (rc == 0) {
+ *md = EVP_get_digestbyname(str);
}
return rc;
}
--
2.34.1

File diff suppressed because it is too large Load Diff

View File

@ -7,7 +7,7 @@
Name: tss2
Version: 1.6.0
Release: 4%{?dist}
Release: 5%{?dist}
Epoch: 1
Summary: IBM's TCG Software Stack (TSS) for TPM 2.0 and related utilities
@ -15,6 +15,13 @@ License: BSD
URL: http://sourceforge.net/projects/ibmtpm20tss/
Source0: https://sourceforge.net/projects/ibmtpm20tss/files/ibmtss%{version}.tar.gz
Patch0: tss2-1.6.0-manpage-cleanup.patch
Patch1: 0001-utils-Update-certifyx509-for-Openssl-3.0.0.patch
Patch2: 0002-utils-Remove-unused-variables-from-certifyx509.patch
Patch3: 0003-Update-certifyx509-for-Windows.patch
Patch4: 0004-utils-Clean-up-certifyx509-memory-allocation.patch
Patch5: 0005-utils-Fix-errors-detected-by-gcc-asan.patch
Patch6: 0006-tss-Port-HMAC-operations-to-openssl-3.0.patch
Patch7: 0007-utils-Port-to-openssl-3.0.0-replaces-RSA-with-EVP_PK.patch
BuildRequires: automake
BuildRequires: autoconf
@ -70,6 +77,11 @@ find %{buildroot} -type f -name "*.la" -delete -print
%doc ibmtss.doc
%changelog
* Fri Jan 28 2022 Stepan Horacek <shoracek@redhat.com> - 1:1.6.0-5
- Fix failures introduced with OpenSSL 3
Resolves: rhbz#1984621
Resolves: rhbz#1992339
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1:1.6.0-4
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688