import tss2-1331-2.el8

2019-11-05 16:27:59 -05:00 · 2019-11-05 16:27:59 -05:00 · e64499eb96
commit e64499eb96
parent eb62b83f4c
9 changed files with 54 additions and 51777 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/ibmtss1234.tar.gz
+SOURCES/ibmtss1331.tar.gz
--- a/.tss2.metadata
+++ b/.tss2.metadata
@ -1 +1 @@
-e72e2b7fddca88c6563cbd614ec322309ffdda4e SOURCES/ibmtss1234.tar.gz
+39a13864ad42cafae27683fa52bc1d5d21dad39c SOURCES/ibmtss1331.tar.gz
--- a/SOURCES/0001-ekutils-fix-null-check-in-convertPemToX509.patch
+++ b/SOURCES/0001-ekutils-fix-null-check-in-convertPemToX509.patch
@ -1,28 +0,0 @@
-From a73fda67a980fd8129ba3cc6158cd4f5d9be7562 Mon Sep 17 00:00:00 2001
-From: Jerry Snitselaar <jsnitsel@redhat.com>
-Date: Wed, 20 Jun 2018 11:01:21 -0700
-Subject: [PATCH 1/3] ekutils: fix null check in convertPemToX509
-
-assignment is to *x509, but check is against x509. Change check to *x509.
-
-Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
---
- utils/ekutils.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/utils/ekutils.c b/utils/ekutils.c
-index 5f27bd6..8887bd5 100644
--- a/utils/ekutils.c
-+++ b/utils/ekutils.c
-@@ -1144,7 +1144,7 @@ uint32_t convertPemToX509(X509 **x509,				/* freed by caller */
-     /* convert the platform certificate from PEM to DER */
-     if (rc == 0) {
- 	*x509 = PEM_read_X509(pemCertificateFile , NULL, NULL, NULL);	/* freed @1 */
-	if (x509 == NULL) {
-+	if (*x509 == NULL) {
- 	    printf("convertPemToX509: Cannot parse PEM certificate file %s\n",
- 		   pemCertificateFilename);
- 	    rc = TSS_RC_FILE_READ;
-- 
-2.17.0
-
--- a/SOURCES/0001-tss2-fix-bounds-check-in-IMA_Event_PcrExtend.patch
+++ b/SOURCES/0001-tss2-fix-bounds-check-in-IMA_Event_PcrExtend.patch
@ -0,0 +1,31 @@
+From 8f232900d3b8f8af65a029f49c17ee53d3cca122 Mon Sep 17 00:00:00 2001
+From: Jerry Snitselaar <jsnitsel@redhat.com>
+Date: Thu, 6 Jun 2019 14:53:18 -0700
+Subject: [PATCH] tss2: fix bounds check in IMA_Event_PcrExtend
+
+pcrs is declared with IMPLEMENTATION_PCR elements,
+so the index bounds check should be >= IMPLEMENTATION_PCR
+since indexing at value IMPLEMENTATION_PCR would be off the
+end of the array. This was flagged by coverity.
+
+Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
+---
+ utils/imalib.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/utils/imalib.c b/utils/imalib.c
+index 4957c1b..a841cd6 100644
+--- a/utils/imalib.c
+++ b/utils/imalib.c
+@@ -1306,7 +1306,7 @@ uint32_t IMA_Event_PcrExtend(TPMT_HA pcrs[IMA_PCR_BANKS][IMPLEMENTATION_PCR],
+     
+     /* validate PCR number */
+     if (rc == 0) {
+-	if (imaEvent->pcrIndex > IMPLEMENTATION_PCR) {
+	if (imaEvent->pcrIndex >= IMPLEMENTATION_PCR) {
+ 	    printf("ERROR: IMA_Event_PcrExtend: PCR number %u out of range\n", imaEvent->pcrIndex);
+ 	    rc = TSS_RC_BAD_PROPERTY;
+ 	}
+-- 
+2.21.0
+
--- a/SOURCES/0002-ektuils-check-return-of-X509_gmtime_adj-for-notAfter.patch
+++ b/SOURCES/0002-ektuils-check-return-of-X509_gmtime_adj-for-notAfter.patch
@ -1,30 +0,0 @@
-From 29f30ccc4032949e54be1996c24a7752793c3603 Mon Sep 17 00:00:00 2001
-From: Jerry Snitselaar <jsnitsel@redhat.com>
-Date: Wed, 20 Jun 2018 11:03:06 -0700
-Subject: [PATCH 2/3] ektuils: check return of X509_gmtime_adj for notAfter
- adjustment
-
-The is a check for arc == NULL, but arc doesn't get assigned the
-return value from x509_gmtime_adj.
-
-Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
---
- utils/ekutils.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/utils/ekutils.c b/utils/ekutils.c
-index 8887bd5..36f8ece 100644
--- a/utils/ekutils.c
-+++ b/utils/ekutils.c
-@@ -1590,7 +1590,7 @@ TPM_RC startCertificate(X509 *x509Certificate,	/* X509 certificate to be generat
-     if (rc == 0) {
- 	/* can't fail, just returns a structure member */
- 	ASN1_TIME *notAfter = X509_get_notAfter(x509Certificate);
-	X509_gmtime_adj(notAfter, CERT_DURATION);	/* set to duration */
-+	arc = X509_gmtime_adj(notAfter, CERT_DURATION);	/* set to duration */
- 	if (arc == NULL) {
- 	    printf("startCertificate: Error setting notAfter time\n");
- 	    rc = TSS_RC_X509_ERROR;
-- 
-2.17.0
-
--- a/SOURCES/0003-imalib-call-memcmp-with-correct-size.patch
+++ b/SOURCES/0003-imalib-call-memcmp-with-correct-size.patch
@ -1,28 +0,0 @@
-From 108d9ba48ab922521b1124970156f2d2f59eea0b Mon Sep 17 00:00:00 2001
-From: Jerry Snitselaar <jsnitsel@redhat.com>
-Date: Thu, 21 Jun 2018 09:13:54 -0700
-Subject: [PATCH 3/3] imalib: call memcmp with correct size
-
-imaEvent digest is size of SHA1_DIGEST_SIZE, so call memcmp with that value.
-
-Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
---
- utils/imalib.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/utils/imalib.c b/utils/imalib.c
-index a7f42fc..42e2aa5 100644
--- a/utils/imalib.c
-+++ b/utils/imalib.c
-@@ -826,7 +826,7 @@ uint32_t IMA_Extend(TPMT_HA *imapcr,
- 	}
-     }
-     if (rc == 0) {
-	notAllZero = memcmp(imaEvent->digest, zeroDigest, digestSize);
-+	notAllZero = memcmp(imaEvent->digest, zeroDigest, SHA1_DIGEST_SIZE);
- 	imapcr->hashAlg = hashAlg;
- 	if (notAllZero) {
- #if 0
-- 
-2.17.0
-
--- a/SOURCES/0004-certifycreation-Check-that-creation-hash-file-name-r.patch
+++ b/SOURCES/0004-certifycreation-Check-that-creation-hash-file-name-r.patch
@ -1,28 +0,0 @@
-From e5ffbe2736f4ad4370fb44c216ecd6092a01003c Mon Sep 17 00:00:00 2001
-From: Jerry Snitselaar <jsnitsel@redhat.com>
-Date: Thu, 21 Jun 2018 13:00:51 -0700
-Subject: [PATCH] certifycreation: Check that creation hash file name received
-
-Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
---
- utils/certifycreation.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/utils/certifycreation.c b/utils/certifycreation.c
-index 50e3718..4a6cd0a 100644
--- a/utils/certifycreation.c
-+++ b/utils/certifycreation.c
-@@ -298,6 +298,10 @@ int main(int argc, char *argv[])
- 	printf("Missing ticket parameter -tk\n");
- 	printUsage();
-     }
-+    if (creationHashFilename == NULL) {
-+	    printf("Missing creation hash file parameter -ch\n");
-+	    printUsage();
-+    }
-     if (rc == 0) {
- 	/* Handle of key that will perform certifying */
- 	in.objectHandle = objectHandle;
-- 
-2.17.0
-
--- a/SOURCES/header-file.patch
+++ b/SOURCES/header-file.patch
--- a/SPECS/tss2.spec
+++ b/SPECS/tss2.spec
@ -4,8 +4,8 @@
 %{!?__global_ldflags: %global __global_ldflags -Wl,-z,relro}

 Name:		tss2
-Version:	1234
-Release:	5%{?dist}
+Version:	1331
+Release:	2%{?dist}
 Summary:	IBM's TCG Software Stack (TSS) for TPM 2.0 and related utilities

 Group:		Applications/System	
@ -13,17 +13,13 @@ License:	BSD
 URL:		http://sourceforge.net/projects/ibmtpm20tss/
 Source0:	https://sourceforge.net/projects/ibmtpm20tss/files/ibmtss%{version}.tar.gz

-Patch0: 0001-ekutils-fix-null-check-in-convertPemToX509.patch
-Patch1: 0002-ektuils-check-return-of-X509_gmtime_adj-for-notAfter.patch
-Patch2: 0003-imalib-call-memcmp-with-correct-size.patch
-Patch3: 0004-certifycreation-Check-that-creation-hash-file-name-r.patch
 Patch4: flags-fixup.patch
-Patch5: header-file.patch
 # reported upstream https://sourceforge.net/p/ibmtpm20tss/mailman/message/36444738/
 # and reported fixed, but not yet pushed to sourceforge.
-Patch6: hash_generate.patch
+Patch5: hash_generate.patch
+# Submitted upstream
+Patch6: 0001-tss2-fix-bounds-check-in-IMA_Event_PcrExtend.patch

-BuildRequires:	help2man
 BuildRequires:	openssl-devel
 BuildRequires:  gcc
 Requires:	openssl
@ -49,14 +45,7 @@ order to build TSS 2.0 applications.
 %define incname ibmtss

 %prep
-%setup -q -c %{name}-%{version}
-%patch0 -p1
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
+%autosetup -p1 -c %{name}-%{version}

 %build
 # nonstandard variable names are used in place of CFLAGS and LDFLAGS
@ -64,21 +53,6 @@ pushd utils
 CCFLAGS="%{optflags}" \
 LNFLAGS="%{__global_ldflags}" \
 make -f makefile.fedora %{?_smp_mflags} 
-
-# Generate man pages for extracted list of executables
-mkdir -p man/man1
-BIN_PREFIX=tss
-man_exe=$(sed -n "s,^help2man.*/usr/bin/${BIN_PREFIX}\\([^ ]*\) .*\$,\\1,p" makeman.sh)
-for f in $man_exe; do
-	# prefixed name
-        n=${BIN_PREFIX}$f
-	# extract description of binary
-	desc=$(sed -n -e "s,^help2man.* -n \"\\([^\"]*\\)\".*/usr/bin/$n .*\$,\\1,p" makeman.sh)
-	# temporarily link executable to prefixed name so man page is generated with correct name
-	ln -s $PWD/$f %{_tmppath}/$n
-	LD_LIBRARY_PATH="$PWD:$LD_LIBRARY_PATH" help2man -h-h --version-string="v%{version}" -n "$desc" %{_tmppath}/$n > man/man1/$n.1
-	rm %{_tmppath}/$n
-done
 popd

 %install
@ -95,7 +69,7 @@ for f in *; do
 		cp -p $f %{buildroot}/%{_bindir}/${BIN_PREFIX}$f
 	fi;
 done
-cp -p *.so.0.1 %{buildroot}/%{_libdir}
+cp -p *.so.1.1 %{buildroot}/%{_libdir}
 cp -p %{incname}/*.h %{buildroot}/%{_includedir}/%{incname}/
 cp -p man/man1/tss*.1 %{buildroot}/%{_mandir}/man1/
 popd
@ -103,10 +77,10 @@ popd

 # Make symbolic links to the shared lib
 pushd %{buildroot}/%{_libdir}
-rm -f libibmtss.so.0
-ln -sf libibmtss.so.0.1 libibmtss.so.0
+rm -f libibmtss.so.1
+ln -sf libibmtss.so.1.1 libibmtss.so.1
 rm -f libibmtss.so
-ln -sf libibmtss.so.0 libibmtss.so
+ln -sf libibmtss.so.1 libibmtss.so
 popd

 %post -p /sbin/ldconfig 
@ -115,8 +89,8 @@ popd
 %files
 %license LICENSE
 %{_bindir}/tss*
-%{_libdir}/libibmtss.so.0
-%{_libdir}/libibmtss.so.0.*
+%{_libdir}/libibmtss.so.1
+%{_libdir}/libibmtss.so.1.*
 %attr(0644, root, root) %{_mandir}/man1/tss*.1*

 %files devel
@ -125,6 +99,15 @@ popd
 %doc ibmtss.doc

 %changelog
+* Thu Jun 06 2019 Jerry Snitselaar <jsnitsel@redhat.com> - 1331-2
+- Fix bounds check in IMA_Event_PcrExtend
+resolves: rhbz#1669239
+
+* Thu May 30 2019 Jerry Snitselaar <jsnitsel@redhat.com> - 1331-1
+- Rebase to v1331
+- Add initial CI gating support
+resolves: rhbz#1669239
+
 * Fri Oct 05 2018 Jerry Snitselaar <jsnitsel@redhat.com> - 1234-5
 - Move header files to ibmtss directory.
 - Check return value of TSS_Hash_Generate.