import tss2-1234-5.el8

.gitignore

@@ -0,0 +1 @@
+SOURCES/ibmtss1234.tar.gz

.tss2.metadata

@@ -0,0 +1 @@
+e72e2b7fddca88c6563cbd614ec322309ffdda4e SOURCES/ibmtss1234.tar.gz

SOURCES/0001-ekutils-fix-null-check-in-convertPemToX509.patch

@@ -0,0 +1,28 @@
+From a73fda67a980fd8129ba3cc6158cd4f5d9be7562 Mon Sep 17 00:00:00 2001
+From: Jerry Snitselaar <jsnitsel@redhat.com>
+Date: Wed, 20 Jun 2018 11:01:21 -0700
+Subject: [PATCH 1/3] ekutils: fix null check in convertPemToX509
+
+assignment is to *x509, but check is against x509. Change check to *x509.
+
+Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
+---
+ utils/ekutils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/utils/ekutils.c b/utils/ekutils.c
+index 5f27bd6..8887bd5 100644
+--- a/utils/ekutils.c
++++ b/utils/ekutils.c
+@@ -1144,7 +1144,7 @@ uint32_t convertPemToX509(X509 **x509,				/* freed by caller */
+     /* convert the platform certificate from PEM to DER */
+     if (rc == 0) {
+ 	*x509 = PEM_read_X509(pemCertificateFile , NULL, NULL, NULL);	/* freed @1 */
+-	if (x509 == NULL) {
++	if (*x509 == NULL) {
+ 	    printf("convertPemToX509: Cannot parse PEM certificate file %s\n",
+ 		   pemCertificateFilename);
+ 	    rc = TSS_RC_FILE_READ;
+-- 
+2.17.0
+

SOURCES/0002-ektuils-check-return-of-X509_gmtime_adj-for-notAfter.patch

@@ -0,0 +1,30 @@
+From 29f30ccc4032949e54be1996c24a7752793c3603 Mon Sep 17 00:00:00 2001
+From: Jerry Snitselaar <jsnitsel@redhat.com>
+Date: Wed, 20 Jun 2018 11:03:06 -0700
+Subject: [PATCH 2/3] ektuils: check return of X509_gmtime_adj for notAfter
+ adjustment
+
+The is a check for arc == NULL, but arc doesn't get assigned the
+return value from x509_gmtime_adj.
+
+Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
+---
+ utils/ekutils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/utils/ekutils.c b/utils/ekutils.c
+index 8887bd5..36f8ece 100644
+--- a/utils/ekutils.c
++++ b/utils/ekutils.c
+@@ -1590,7 +1590,7 @@ TPM_RC startCertificate(X509 *x509Certificate,	/* X509 certificate to be generat
+     if (rc == 0) {
+ 	/* can't fail, just returns a structure member */
+ 	ASN1_TIME *notAfter = X509_get_notAfter(x509Certificate);
+-	X509_gmtime_adj(notAfter, CERT_DURATION);	/* set to duration */
++	arc = X509_gmtime_adj(notAfter, CERT_DURATION);	/* set to duration */
+ 	if (arc == NULL) {
+ 	    printf("startCertificate: Error setting notAfter time\n");
+ 	    rc = TSS_RC_X509_ERROR;
+-- 
+2.17.0
+

SOURCES/0003-imalib-call-memcmp-with-correct-size.patch

@@ -0,0 +1,28 @@
+From 108d9ba48ab922521b1124970156f2d2f59eea0b Mon Sep 17 00:00:00 2001
+From: Jerry Snitselaar <jsnitsel@redhat.com>
+Date: Thu, 21 Jun 2018 09:13:54 -0700
+Subject: [PATCH 3/3] imalib: call memcmp with correct size
+
+imaEvent digest is size of SHA1_DIGEST_SIZE, so call memcmp with that value.
+
+Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
+---
+ utils/imalib.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/utils/imalib.c b/utils/imalib.c
+index a7f42fc..42e2aa5 100644
+--- a/utils/imalib.c
++++ b/utils/imalib.c
+@@ -826,7 +826,7 @@ uint32_t IMA_Extend(TPMT_HA *imapcr,
+ 	}
+     }
+     if (rc == 0) {
+-	notAllZero = memcmp(imaEvent->digest, zeroDigest, digestSize);
++	notAllZero = memcmp(imaEvent->digest, zeroDigest, SHA1_DIGEST_SIZE);
+ 	imapcr->hashAlg = hashAlg;
+ 	if (notAllZero) {
+ #if 0
+-- 
+2.17.0
+

SOURCES/0004-certifycreation-Check-that-creation-hash-file-name-r.patch

@@ -0,0 +1,28 @@
+From e5ffbe2736f4ad4370fb44c216ecd6092a01003c Mon Sep 17 00:00:00 2001
+From: Jerry Snitselaar <jsnitsel@redhat.com>
+Date: Thu, 21 Jun 2018 13:00:51 -0700
+Subject: [PATCH] certifycreation: Check that creation hash file name received
+
+Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
+---
+ utils/certifycreation.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/utils/certifycreation.c b/utils/certifycreation.c
+index 50e3718..4a6cd0a 100644
+--- a/utils/certifycreation.c
++++ b/utils/certifycreation.c
+@@ -298,6 +298,10 @@ int main(int argc, char *argv[])
+ 	printf("Missing ticket parameter -tk\n");
+ 	printUsage();
+     }
++    if (creationHashFilename == NULL) {
++	    printf("Missing creation hash file parameter -ch\n");
++	    printUsage();
++    }
+     if (rc == 0) {
+ 	/* Handle of key that will perform certifying */
+ 	in.objectHandle = objectHandle;
+-- 
+2.17.0
+

SOURCES/flags-fixup.patch

@@ -0,0 +1,33 @@
+diff -ur tss2-1234/utils/makefile-common tss2-1234-new/utils/makefile-common
+--- tss2-1234/utils/makefile-common	2018-05-29 12:00:46.000000000 -0700
++++ tss2-1234-new/utils/makefile-common	2018-10-02 15:10:20.783078580 -0700
+@@ -44,7 +44,7 @@
+ CCFLAGS += 				\
+ 	-Wall -W -Wmissing-declarations -Wmissing-prototypes -Wnested-externs \
+ 	-Wformat=2 -Wold-style-definition -Wno-self-assign \
+-	-ggdb -O0 -c
++	-ggdb -c
+ 
+ # to compile with optimizations on (warning will result)
+ #	-O3 -c
+diff -ur tss2-1234/utils/makefile.fedora tss2-1234-new/utils/makefile.fedora
+--- tss2-1234/utils/makefile.fedora	2018-05-15 10:07:20.000000000 -0700
++++ tss2-1234-new/utils/makefile.fedora	2018-10-02 15:11:33.909083615 -0700
+@@ -71,7 +71,7 @@
+ 
+ # compile - common flags for TSS library and applications
+ 
+-CCFLAGS += 	-DTPM_POSIX
++CCFLAGS += 	-DTPM_POSIX -DTPM_INTERFACE_TYPE_DEFAULT="\"dev\"" -DTPM_DEVICE_DEFAULT="\"/dev/tpmrm0\""
+ 
+ # example of pointing to a locally built openssl 1.1
+ # CCFLAGS += 	-I/home/kgold/openssl-1.1.0c/include
+@@ -119,7 +119,7 @@
+ LNLFLAGS += -shared -Wl,-z,now
+ 
+ # This is an alternative to using the bfd linker on Ubuntu
+-# LNLLIBS += -lcrypto
++LNLLIBS += -lcrypto
+ 
+ # link - for applications, TSS path, TSS and OpenSSl libraries
+ 

SOURCES/hash_generate.patch

@@ -0,0 +1,18 @@
+diff -ur tss2-1234/utils/policymaker.c tss2-1234-new/utils/policymaker.c
+--- tss2-1234/utils/policymaker.c	2018-10-18 12:16:59.742439220 -0700
++++ tss2-1234-new/utils/policymaker.c	2018-10-18 12:34:34.991755536 -0700
+@@ -208,10 +208,10 @@
+ 	}
+ 	/* hash extend */
+ 	if ((rc == 0) && (prc != NULL)) {
+-	    TSS_Hash_Generate(&digest,
+-			      startSizeInBytes, (uint8_t *)&digest.digest,	/* extend */
+-			      lineLength /2, lineBinary,
+-			      0, NULL);
++	    rc = TSS_Hash_Generate(&digest,
++				   startSizeInBytes, (uint8_t *)&digest.digest,	/* extend */
++				   lineLength /2, lineBinary,
++				   0, NULL);
+ 	}
+ 	if ((rc == 0) && (prc != NULL)) {
+ 	    if (verbose) TSS_PrintAll("intermediate policy digest",

SPECS/tss2.spec

@@ -0,0 +1,187 @@
+#
+# Spec file for IBM's TSS for the TPM 2.0
+#
+%{!?__global_ldflags: %global __global_ldflags -Wl,-z,relro}
+
+Name:		tss2
+Version:	1234
+Release:	5%{?dist}
+Summary:	IBM's TCG Software Stack (TSS) for TPM 2.0 and related utilities
+
+Group:		Applications/System	
+License:	BSD
+URL:		http://sourceforge.net/projects/ibmtpm20tss/
+Source0:	https://sourceforge.net/projects/ibmtpm20tss/files/ibmtss%{version}.tar.gz
+
+Patch0: 0001-ekutils-fix-null-check-in-convertPemToX509.patch
+Patch1: 0002-ektuils-check-return-of-X509_gmtime_adj-for-notAfter.patch
+Patch2: 0003-imalib-call-memcmp-with-correct-size.patch
+Patch3: 0004-certifycreation-Check-that-creation-hash-file-name-r.patch
+Patch4: flags-fixup.patch
+Patch5: header-file.patch
+# reported upstream https://sourceforge.net/p/ibmtpm20tss/mailman/message/36444738/
+# and reported fixed, but not yet pushed to sourceforge.
+Patch6: hash_generate.patch
+
+BuildRequires:	help2man
+BuildRequires:	openssl-devel
+BuildRequires:  gcc
+Requires:	openssl
+
+%description
+TSS2 is a user space Trusted Computing Group's Software Stack (TSS) for
+TPM 2.0.  It implements the functionality equivalent to the TCG TSS
+working group's ESAPI, SAPI, and TCTI layers (and perhaps more) but with
+a hopefully far simpler interface.
+
+It comes with about 80 "TPM tools" that can be used for rapid prototyping,
+education and debugging. 
+
+%package devel
+Summary:	Development libraries and headers for IBM's TSS 2.0
+Group:		Development/Libraries
+Requires:	%{name}%{?_isa} = %{version}-%{release}
+
+%description devel
+Development libraries and headers for IBM's TSS 2.0. You will need this in
+order to build TSS 2.0 applications.
+
+%define incname ibmtss
+
+%prep
+%setup -q -c %{name}-%{version}
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+
+%build
+# nonstandard variable names are used in place of CFLAGS and LDFLAGS
+pushd utils
+CCFLAGS="%{optflags}" \
+LNFLAGS="%{__global_ldflags}" \
+make -f makefile.fedora %{?_smp_mflags} 
+
+# Generate man pages for extracted list of executables
+mkdir -p man/man1
+BIN_PREFIX=tss
+man_exe=$(sed -n "s,^help2man.*/usr/bin/${BIN_PREFIX}\\([^ ]*\) .*\$,\\1,p" makeman.sh)
+for f in $man_exe; do
+	# prefixed name
+        n=${BIN_PREFIX}$f
+	# extract description of binary
+	desc=$(sed -n -e "s,^help2man.* -n \"\\([^\"]*\\)\".*/usr/bin/$n .*\$,\\1,p" makeman.sh)
+	# temporarily link executable to prefixed name so man page is generated with correct name
+	ln -s $PWD/$f %{_tmppath}/$n
+	LD_LIBRARY_PATH="$PWD:$LD_LIBRARY_PATH" help2man -h-h --version-string="v%{version}" -n "$desc" %{_tmppath}/$n > man/man1/$n.1
+	rm %{_tmppath}/$n
+done
+popd
+
+%install
+# Prefix for namespacing
+BIN_PREFIX=tss
+mkdir -p %{buildroot}/%{_bindir}
+mkdir -p %{buildroot}/%{_libdir}
+mkdir -p %{buildroot}/%{_includedir}/%{incname}/
+mkdir -p %{buildroot}/%{_mandir}/man1
+pushd utils
+# Pick out executables and copy with namespacing
+for f in *; do
+	if [[ -x $f && -f $f && ! $f =~ .*\..* ]]; then
+		cp -p $f %{buildroot}/%{_bindir}/${BIN_PREFIX}$f
+	fi;
+done
+cp -p *.so.0.1 %{buildroot}/%{_libdir}
+cp -p %{incname}/*.h %{buildroot}/%{_includedir}/%{incname}/
+cp -p man/man1/tss*.1 %{buildroot}/%{_mandir}/man1/
+popd
+
+
+# Make symbolic links to the shared lib
+pushd %{buildroot}/%{_libdir}
+rm -f libibmtss.so.0
+ln -sf libibmtss.so.0.1 libibmtss.so.0
+rm -f libibmtss.so
+ln -sf libibmtss.so.0 libibmtss.so
+popd
+
+%post -p /sbin/ldconfig 
+%postun -p /sbin/ldconfig
+
+%files
+%license LICENSE
+%{_bindir}/tss*
+%{_libdir}/libibmtss.so.0
+%{_libdir}/libibmtss.so.0.*
+%attr(0644, root, root) %{_mandir}/man1/tss*.1*
+
+%files devel
+%{_includedir}/%{incname}
+%{_libdir}/libibmtss.so
+%doc ibmtss.doc
+
+%changelog
+* Fri Oct 05 2018 Jerry Snitselaar <jsnitsel@redhat.com> - 1234-5
+- Move header files to ibmtss directory.
+- Check return value of TSS_Hash_Generate.
+resolves: rhbz#1636245
+
+* Tue Oct 02 2018 Jerry Snitselaar <jsnitsel@redhat.com> - 1234-4
+- Fix compile and link flags
+resolves: rhbz#1624182
+
+* Thu Jul 19 2018 Jerry Snitselaar <jsnitsel@redhat.com> - 1234-3
+- Clean up covscan issues.
+
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1234-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Mon Jun 18 2018 Jerry Snitselaar <jsnitsel@redhat.com> - 1234-1
+- Version bump.
+
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1027-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Fri Jan 19 2018 Merlin Mathesius <mmathesi@redhat.com> - 1027-1
+- Version bump. Now supported for all architectures.
+- Generate man pages since they are no longer included in source archive.
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 713-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 713-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 713-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Wed Oct 05 2016 Hon Ching(Vicky) Lo <lo1@us.ibm.com> - 713-7
+- Removed defattr from the devel subpackage 
+
+* Mon Sep 26 2016 Hon Ching(Vicky) Lo <lo1@us.ibm.com> - 713-6
+- Added s390x arch as another "ExcludeArch"
+
+* Mon Sep 26 2016 Hon Ching(Vicky) Lo <lo1@us.ibm.com> - 713-5
+- Replaced ExclusiveArch with ExcludeArch 
+ 
+* Mon Sep 19 2016 Hon Ching(Vicky) Lo <lo1@us.ibm.com> - 713-4
+- Used ExclusiveArch instead of BuildArch tag
+- Removed attr from symlink in devel subpackage 
+- Added manpages and modified the Source0
+- Added CCFLAGS and LNFLAGS to enforce hardening and optimization
+
+* Wed Aug 17 2016 Hon Ching(Vicky) Lo <lo1@us.ibm.com> - 713-3
+- Modified supported arch to ppc64le
+
+* Sat Aug 13 2016 Hon Ching(Vicky) Lo <lo1@us.ibm.com> - 713-2
+- Minor spec fixes 
+
+* Tue Aug 09 2016 Hon Ching(Vicky) Lo <lo1@us.ibm.com> - 713-1
+- Updated for initial submission 
+
+* Fri Mar 20 2015 George Wilson <gcwilson@us.ibm.com>
+- Initial implementation