powerel9
/
tpm2-tss
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Browse Source

initial package creation 

Signed-off-by: Toshaan Bharvani <toshaan@powerel.org>
master
Toshaan Bharvani 3 years ago
commit
22dac4d7d9
14 changed files with 2338 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 61
      SOURCES/0001-FAPI-Fix-reading-of-the-root-certificate-for-provisi.patch
  2. 42
      SOURCES/0002-FAPI-use-FAPI_TEST_EK_CERT_LESS-with-disable-self-ge.patch
  3. 29
      SOURCES/0003-Makefile.am-Use-LIBCRYPTO_CFLAGS-when-building-FAPI.patch
  4. 35
      SOURCES/0004-Test-Remove-duplicate-openssl-req-new.patch
  5. 76
      SOURCES/0005-FAPI-Test-Call-EVP_DigestSignInit-in-the-correct-ord.patch
  6. 47
      SOURCES/0006-FAPI-Test-Use-EVP_PKEY_base_id-to-detect-key-type.patch
  7. 100
      SOURCES/0007-FAPI-Test-Change-RSA_sign-to-EVP_PKEY_sign.patch
  8. 65
      SOURCES/0008-Require-OpenSSL-1.1.0.patch
  9. 124
      SOURCES/0009-FAPI-Change-SHA256_Update-to-EVP_DigestUpdate.patch
  10. 124
      SOURCES/0010-Test-Use-EVP_MAC_xxx-with-OpenSSL-3.0.patch
  11. 313
      SOURCES/0011-Drop-support-for-OpenSSL-1.1.0.patch
  12. 1005
      SOURCES/0012-Implement-EVP_PKEY-export-import-for-OpenSSL-3.0.patch
  13. 15
      SOURCES/tpm2-tss-3.0.0-doxygen.patch
  14. 302
      SPECS/tpm2-tss.spec

61
SOURCES/0001-FAPI-Fix-reading-of-the-root-certificate-for-provisi.patch
Unescape View File

@ -0,0 +1,61 @@
From c14bd543879f2336e57aa2dff0b437407d858272 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
Date: Fri, 19 Feb 2021 14:32:45 +0100
Subject: FAPI: Fix reading of the root certificate for
provisioning.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* The root certificate defined by the environment variable FAPI_TEST_ROOT_CERT will
only be used if it's allowed to use self generated root certificate with
./configure --enable-self-generated-certificate

* This option is added to all integration tests which are using the TPM simulator.

- Compared to the upstream commit 199b4edc the changes to CI config files
are omitted.

Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
---
configure.ac | 8 ++++++++
src/tss2-fapi/api/Fapi_Provision.c | 4 ++++
2 files changed, 12 insertions(+)

diff --git a/configure.ac b/configure.ac
index f4df879c..d3bbb93d 100755
--- a/configure.ac
+++ b/configure.ac
@@ -440,6 +440,14 @@ AC_ARG_ENABLE([weakcrypto],
AS_IF([test "x$enable_weakcrypto" = "xyes"],
AC_DEFINE([DISABLE_WEAK_CRYPTO],[1],[DISABLE WEAK CRYPTO ALGORITHMS]))
+AC_ARG_ENABLE([self-generated-certificate],
+ [AS_HELP_STRING([--enable-self-generated-certificate],
+ [Alllow usage of self generated root certifcate])],,
+ [enable_self_generated_certificate=no])
+AS_IF([test "x$enable_self_generated_certificate" == xyes],
+ [AC_DEFINE([SELF_GENERATED_CERTIFICATE],[1], [Allow usage of self generated root certifcate])])
+
+
AC_SUBST([PATH])
dnl --------- Doxy Gen -----------------------
diff --git a/src/tss2-fapi/api/Fapi_Provision.c b/src/tss2-fapi/api/Fapi_Provision.c
index 00534a2e..9cf804ad 100644
--- a/src/tss2-fapi/api/Fapi_Provision.c
+++ b/src/tss2-fapi/api/Fapi_Provision.c
@@ -797,7 +797,11 @@ Fapi_Provision_Finish(FAPI_CONTEXT *context)
statecase(context->state, PROVISION_PREPARE_READ_ROOT_CERT);
/* Prepare reading of root certificate. */
+ root_ca_file = NULL;
+#ifdef SELF_GENERATED_CERTIFICATE
+#pragma message ( "*** Allow self generated certifcate ***" )
root_ca_file = getenv("FAPI_TEST_ROOT_CERT");
+#endif
if (!root_ca_file) {
context->state = PROVISION_EK_CHECK_CERT;
return TSS2_FAPI_RC_TRY_AGAIN;
--
2.26.3

42
SOURCES/0002-FAPI-use-FAPI_TEST_EK_CERT_LESS-with-disable-self-ge.patch
Unescape View File

@ -0,0 +1,42 @@
From d680ea548b3ab066f6bea625af5d4000ca32cfee Mon Sep 17 00:00:00 2001
From: Jonas Witschel <diabonas@gmx.de>
Date: Mon, 1 Mar 2021 20:00:17 +0100
Subject: FAPI: use FAPI_TEST_EK_CERT_LESS with
--disable-self-generated-certificate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Since commit 199b4edc265b2f4758aa22ebf4ed6472a34b9a7a ("FAPI: Fix reading of
the root certificate for provisioning.") it is required to specify
--enable-self-generated-certificate in order to make the FAPI integration tests
pass. This is an option that should usually not be enabled in production builds
for security reasons, but still some form of integration testing might be
desirable in this case to verify whether the compiled library works as
expected. Use FAPI_TEST_EK_CERT_LESS in this case to run the tests without EK
certificate validation.

Signed-off-by: Jonas Witschel <diabonas@gmx.de>
---
configure.ac | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/configure.ac b/configure.ac
index d3bbb93d..d4324c9a 100755
--- a/configure.ac
+++ b/configure.ac
@@ -444,8 +444,9 @@ AC_ARG_ENABLE([self-generated-certificate],
[AS_HELP_STRING([--enable-self-generated-certificate],
[Alllow usage of self generated root certifcate])],,
[enable_self_generated_certificate=no])
-AS_IF([test "x$enable_self_generated_certificate" == xyes],
- [AC_DEFINE([SELF_GENERATED_CERTIFICATE],[1], [Allow usage of self generated root certifcate])])
+AS_IF([test "x$enable_self_generated_certificate" = xyes],
+ [AC_DEFINE([SELF_GENERATED_CERTIFICATE], [1], [Allow usage of self generated root certificate])],
+ [AS_IF([test "x$integration_tcti" != "xdevice"], [AC_DEFINE([FAPI_TEST_EK_CERT_LESS], [1], [Perform integration tests without EK certificate verification])])])
AC_SUBST([PATH])
--
2.26.3

29
SOURCES/0003-Makefile.am-Use-LIBCRYPTO_CFLAGS-when-building-FAPI.patch
Unescape View File

@ -0,0 +1,29 @@
From c5933320e1bd557cc52f2d56baec4ea52edfbc47 Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Sat, 17 Jul 2021 20:15:51 +0200
Subject: Makefile.am: Use LIBCRYPTO_CFLAGS when building FAPI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
Makefile.am | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile.am b/Makefile.am
index f2fa515a..0f759adb 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -521,7 +521,7 @@ src_tss2_fapi_libtss2_fapi_la_LIBADD = $(libtss2_sys) $(libtss2_mu) $(libtss2_e
$(libutil) $(libtss2_tctildr)
src_tss2_fapi_libtss2_fapi_la_SOURCES = $(TSS2_FAPI_SRC)
-src_tss2_fapi_libtss2_fapi_la_CFLAGS = $(AM_CFLAGS) -I$(srcdir)/src/tss2-fapi
+src_tss2_fapi_libtss2_fapi_la_CFLAGS = $(AM_CFLAGS) -I$(srcdir)/src/tss2-fapi $(LIBCRYPTO_CFLAGS)
src_tss2_fapi_libtss2_fapi_la_LDFLAGS = $(AM_LDFLAGS) $(LIBCRYPTO_LIBS) $(JSONC_LIBS) $(CURL_LIBS)
if HAVE_LD_VERSION_SCRIPT
src_tss2_fapi_libtss2_fapi_la_LDFLAGS += -Wl,--version-script=$(srcdir)/lib/tss2-fapi.map
--
2.26.3

35
SOURCES/0004-Test-Remove-duplicate-openssl-req-new.patch
Unescape View File

@ -0,0 +1,35 @@
From 738f6f045e740c3fc21579297990d60b7c2e83ed Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Sat, 17 Jul 2021 20:23:32 +0200
Subject: Test: Remove duplicate openssl req -new
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The command is called twice, which is superfluous. Both the key
and the certificate are created already by the first command.

Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
script/ekca/create_ca.sh | 5 -----
1 file changed, 5 deletions(-)

diff --git a/script/ekca/create_ca.sh b/script/ekca/create_ca.sh
index 90a5c791..61d976a3 100755
--- a/script/ekca/create_ca.sh
+++ b/script/ekca/create_ca.sh
@@ -94,11 +94,6 @@ ${SED_CMD} "s|ROOTCRT|$ROOT_URL|g" $OPENSSL_CONF
openssl req -new -out intermed-ca.req.pem -passout file:pass.txt
-openssl req -new \
- -key private/intermed-ca.key.pem \
- -out intermed-ca.req.pem \
- -passin file:pass.txt
-
openssl rsa -inform PEM -in private/intermed-ca.key.pem \
-outform DER -out private/intermed-ca.key.der -passin file:pass.txt
--
2.26.3

76
SOURCES/0005-FAPI-Test-Call-EVP_DigestSignInit-in-the-correct-ord.patch
Unescape View File

@ -0,0 +1,76 @@
From 563f9c951d9b050378b9d3659a932c98ab587b21 Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Sat, 17 Jul 2021 21:22:28 +0200
Subject: FAPI Test: Call EVP_DigestSignInit in the correct order
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The EVP_DigestSignInit should be called only once and before calling
EVP_PKEY_CTX_set_rsa_padding. See a corresponding example
[here](https://www.openssl.org/docs/man1.0.2/man3/EVP_PKEY_sign_init.html)

Current code works with OpenSSL 1.x, but fails with OpenSSL 3.0.
This PR makes the code compatible with OpenSSL 1.0 through 3.0.

Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
test/integration/fapi-data-crypt.int.c | 8 ++------
test/integration/fapi-key-create-policy-signed.int.c | 8 ++------
2 files changed, 4 insertions(+), 12 deletions(-)

diff --git a/test/integration/fapi-data-crypt.int.c b/test/integration/fapi-data-crypt.int.c
index b2d20b28..d42466db 100644
--- a/test/integration/fapi-data-crypt.int.c
+++ b/test/integration/fapi-data-crypt.int.c
@@ -129,8 +129,8 @@ signatureCallback(
mdctx = EVP_MD_CTX_create();
chknull(mdctx);
- if (1 != EVP_DigestSignInit(mdctx, &pctx, NULL, NULL, priv_key)) {
- goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL digest sign init.",
+ if (1 != EVP_DigestSignInit(mdctx, &pctx, ossl_hash, NULL, priv_key)) {
+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.",
error_cleanup);
}
if (EVP_PKEY_type(EVP_PKEY_id(priv_key)) == EVP_PKEY_RSA) {
@@ -140,10 +140,6 @@ signatureCallback(
error_cleanup);
}
}
- if (1 != EVP_DigestSignInit(mdctx, &pctx, ossl_hash, NULL, priv_key)) {
- goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.",
- error_cleanup);
- }
if (1 != EVP_DigestSignUpdate(mdctx, dataToSign, dataToSignSize)) {
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign update.",
error_cleanup);
diff --git a/test/integration/fapi-key-create-policy-signed.int.c b/test/integration/fapi-key-create-policy-signed.int.c
index e51289a6..b903dec0 100644
--- a/test/integration/fapi-key-create-policy-signed.int.c
+++ b/test/integration/fapi-key-create-policy-signed.int.c
@@ -144,8 +144,8 @@ signatureCallback(
mdctx = EVP_MD_CTX_create();
chknull(mdctx);
- if (1 != EVP_DigestSignInit(mdctx, &pctx, NULL, NULL, priv_key)) {
- goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL digest sign init.",
+ if (1 != EVP_DigestSignInit(mdctx, &pctx, ossl_hash, NULL, priv_key)) {
+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.",
error_cleanup);
}
if (EVP_PKEY_type(EVP_PKEY_id(priv_key)) == EVP_PKEY_RSA) {
@@ -155,10 +155,6 @@ signatureCallback(
error_cleanup);
}
}
- if (1 != EVP_DigestSignInit(mdctx, &pctx, ossl_hash, NULL, priv_key)) {
- goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.",
- error_cleanup);
- }
if (1 != EVP_DigestSignUpdate(mdctx, dataToSign, dataToSignSize)) {
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign update.",
error_cleanup);
--
2.26.3

47
SOURCES/0006-FAPI-Test-Use-EVP_PKEY_base_id-to-detect-key-type.patch
Unescape View File

@ -0,0 +1,47 @@
From 6e9c46f8c3bf91aac51b668fa78c3173c885760c Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Sat, 17 Jul 2021 21:29:25 +0200
Subject: FAPI Test: Use EVP_PKEY_base_id to detect key type
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The EVP_PKEY_base_id is the right way to detect key type, used also
by OpenSSL itself.
This function is available since OpenSSL 1.0.0.

Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
test/integration/fapi-data-crypt.int.c | 2 +-
test/integration/fapi-key-create-policy-signed.int.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/test/integration/fapi-data-crypt.int.c b/test/integration/fapi-data-crypt.int.c
index d42466db..a95cc9ef 100644
--- a/test/integration/fapi-data-crypt.int.c
+++ b/test/integration/fapi-data-crypt.int.c
@@ -133,7 +133,7 @@ signatureCallback(
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.",
error_cleanup);
}
- if (EVP_PKEY_type(EVP_PKEY_id(priv_key)) == EVP_PKEY_RSA) {
+ if (EVP_PKEY_base_id(priv_key) == EVP_PKEY_RSA) {
int signing_scheme = RSA_SIG_SCHEME;
if (1 != EVP_PKEY_CTX_set_rsa_padding(pctx, signing_scheme)) {
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL set RSA padding.",
diff --git a/test/integration/fapi-key-create-policy-signed.int.c b/test/integration/fapi-key-create-policy-signed.int.c
index b903dec0..8f917d35 100644
--- a/test/integration/fapi-key-create-policy-signed.int.c
+++ b/test/integration/fapi-key-create-policy-signed.int.c
@@ -148,7 +148,7 @@ signatureCallback(
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.",
error_cleanup);
}
- if (EVP_PKEY_type(EVP_PKEY_id(priv_key)) == EVP_PKEY_RSA) {
+ if (EVP_PKEY_base_id(priv_key) == EVP_PKEY_RSA) {
int signing_scheme = RSA_SIG_SCHEME;
if (1 != EVP_PKEY_CTX_set_rsa_padding(pctx, signing_scheme)) {
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL set RSA padding.",
--
2.26.3

100
SOURCES/0007-FAPI-Test-Change-RSA_sign-to-EVP_PKEY_sign.patch
Unescape View File

@ -0,0 +1,100 @@
From 9ca735ab8f71a6b64f31867e55d43f3f5a51bfec Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Sun, 18 Jul 2021 11:54:50 +0200
Subject: FAPI Test: Change RSA_sign to EVP_PKEY_sign
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The EVP_PKEY_sign functions are available since OpenSSL 1.0.0.
The RSA_sign function is deprecated in OpenSSL 3.0.0.

This PR should work with OpenSSL 1.0.0 through 3.0.0.

Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
test/integration/fapi-ext-public-key.int.c | 38 +++++++++++-----------
1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/test/integration/fapi-ext-public-key.int.c b/test/integration/fapi-ext-public-key.int.c
index 363c58b7..971d7897 100644
--- a/test/integration/fapi-ext-public-key.int.c
+++ b/test/integration/fapi-ext-public-key.int.c
@@ -49,7 +49,7 @@ test_fapi_ext_public_key(FAPI_CONTEXT *context)
BIO *bufio = NULL;
EVP_PKEY *evp_key = NULL;
- RSA *rsa_key = NULL;
+ EVP_PKEY_CTX *ctx = NULL;
/* Key will be used for non TPM signature verfication. */
char *pubkey_pem =
@@ -186,10 +186,8 @@ test_fapi_ext_public_key(FAPI_CONTEXT *context)
bufio = BIO_new_mem_buf((void *)priv_pem, strlen(priv_pem));
evp_key = PEM_read_bio_PrivateKey(bufio, NULL, NULL, NULL);
- rsa_key = EVP_PKEY_get1_RSA(evp_key);
-
- if (!bufio || !evp_key || !rsa_key) {
+ if (!bufio || !evp_key) {
LOG_ERROR("Generation of test key failed.");
goto error;
}
@@ -199,10 +197,20 @@ test_fapi_ext_public_key(FAPI_CONTEXT *context)
0x25, 0x71, 0x78, 0x50, 0xc2, 0x6c, 0x9c, 0xd0, 0xd8, 0x9d
};
uint8_t signature[256];
- unsigned int signatureLength = 256;
+ size_t signatureLength = 256;
- if (!RSA_sign(NID_sha1, digest, 20, signature, &signatureLength, rsa_key)) {
- LOG_ERROR("Test RSA_sign failed.");
+ if ((ctx = EVP_PKEY_CTX_new(evp_key, NULL)) == NULL) {
+ LOG_ERROR("Test EVP_PKEY_CTX_new failed.");
+ goto error;
+ }
+ if (EVP_PKEY_sign_init(ctx) <= 0
+ || EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0
+ || EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha1()) <= 0) {
+ LOG_ERROR("Test EVP_PKEY_sign_init failed.");
+ goto error;
+ }
+ if (EVP_PKEY_sign(ctx, signature, &signatureLength, digest, 20) <= 0) {
+ LOG_ERROR("Test EVP_PKEY_sign failed.");
goto error;
}
@@ -243,12 +251,8 @@ test_fapi_ext_public_key(FAPI_CONTEXT *context)
if (bufio) {
BIO_free(bufio);
}
- if (evp_key) {
- EVP_PKEY_free(evp_key);
- }
- if (rsa_key) {
- RSA_free(rsa_key);
- }
+ EVP_PKEY_CTX_free(ctx);
+ EVP_PKEY_free(evp_key);
SAFE_FREE(path_list);
SAFE_FREE(cert2);
return EXIT_SUCCESS;
@@ -258,12 +262,8 @@ error:
if (bufio) {
BIO_free(bufio);
}
- if (evp_key) {
- EVP_PKEY_free(evp_key);
- }
- if (rsa_key) {
- RSA_free(rsa_key);
- }
+ EVP_PKEY_CTX_free(ctx);
+ EVP_PKEY_free(evp_key);
SAFE_FREE(path_list);
SAFE_FREE(cert2);
return EXIT_FAILURE;
--
2.26.3

65
SOURCES/0008-Require-OpenSSL-1.1.0.patch
Unescape View File

@ -0,0 +1,65 @@
From 090a10a69340dc0825f611eceac60bf3f904a5ec Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Sat, 17 Jul 2021 22:43:00 +0200
Subject: Require OpenSSL >= 1.1.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

To reduce the amount of version-specific code we drop support for
OpenSSL prior 1.1.0, including all forks such as LibreSSL, which are
not API compatible with OpenSSL >= 1.1.0.

Python 3.10 will even require OpenSSL >= 1.1.1. The corresponding
PEP 644 contains a detailed impact analysis which is also relevant
here.

Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
INSTALL.md | 3 +--
configure.ac | 6 +++++-
2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/INSTALL.md b/INSTALL.md
index eec94c45..658e1f28 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -14,7 +14,7 @@ following sections describe them for the supported platforms.
* C library development libraries and header files
* pkg-config
* doxygen
-* OpenSSL development libraries and header files
+* OpenSSL development libraries and header files, version >= 1.1.0
* libcurl development libraries
The following are dependencies only required when building test suites.
@@ -71,7 +71,6 @@ C Runtime (UCRT) version 10.0.16299.0. Building the type marshaling library
(tss2-mu.dll) and the system API (tss2-sapi.dll) should be as simple as
loading the tpm2-tss solution (tpm2-tss.sln) with a compatible and properly
configured version of Visual Studio 2017 and pressing the 'build' button.
-Windows build setup requires OpenSSL >= v1.0.2 crypto library.
### References
Visual Studio 2017 with "Clang for Windows": https://blogs.msdn.microsoft.com/vcblog/2017/03/07/use-any-c-compiler-with-visual-studio/
diff --git a/configure.ac b/configure.ac
index d4324c9a..12baa257 100755
--- a/configure.ac
+++ b/configure.ac
@@ -132,9 +132,13 @@ AC_ARG_WITH([crypto],
AM_CONDITIONAL(ESYS_OSSL, test "x$with_crypto" = "xossl")
AM_CONDITIONAL(ESYS_MBED, test "x$with_crypto" = "xmbed")
+m4_define([ossl_min_version], [1.1.0])
+m4_define([ossl_err], [OpenSSL libcrypto is missing or version requirements not met. OpenSSL version must be >= ossl_min_version])
AS_IF([test "x$enable_esys" = xyes],
[AS_IF([test "x$with_crypto" = xossl], [
- PKG_CHECK_MODULES([LIBCRYPTO], [libcrypto])
+ PKG_CHECK_MODULES([LIBCRYPTO],
+ [libcrypto >= ossl_min_version],,
+ [AC_MSG_ERROR([ossl_err])])
AC_DEFINE([OSSL], [1], [OpenSSL cryptographic backend])
TSS2_ESYS_CFLAGS_CRYPTO="$LIBCRYPTO_CFLAGS"
TSS2_ESYS_LDFLAGS_CRYPTO="$LIBCRYPTO_LIBS"
--
2.26.3

124
SOURCES/0009-FAPI-Change-SHA256_Update-to-EVP_DigestUpdate.patch
Unescape View File

@ -0,0 +1,124 @@
From 75da8bd937e6bca14832240321a679634159f75b Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Sun, 18 Jul 2021 13:12:56 +0200
Subject: FAPI: Change SHA256_Update to EVP_DigestUpdate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Although the EVP_DigestUpdate functions are available in all OpenSSL
versions and the EVP_DigestFinal_ex was added in OpenSSL 0.9.7, the
EVP_MD_CTX_new was introduced in OpenSSL 1.1.0.
The SHA256_Update function is deprecated in OpenSSL 3.0.0.

This PR should work with OpenSSL 1.1.0 through 3.0.0.

- Compared to the upstream commit f4f528ff the changes related to the
unit test are omitted.

Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
src/tss2-fapi/ifapi_get_intl_cert.c | 43 +++++++++++++++++------------
1 file changed, 25 insertions(+), 18 deletions(-)

diff --git a/src/tss2-fapi/ifapi_get_intl_cert.c b/src/tss2-fapi/ifapi_get_intl_cert.c
index 2fb17fd0..9290a17e 100644
--- a/src/tss2-fapi/ifapi_get_intl_cert.c
+++ b/src/tss2-fapi/ifapi_get_intl_cert.c
@@ -52,21 +52,26 @@ static unsigned char *hash_ek_public(TPM2B_PUBLIC *ek_public) {
return NULL;
}
- SHA256_CTX sha256;
- int is_success = SHA256_Init(&sha256);
+ EVP_MD_CTX *sha256ctx = EVP_MD_CTX_new();
+ if (!sha256ctx) {
+ LOG_ERROR("EVP_MD_CTX_new failed");
+ goto err;
+ }
+
+ int is_success = EVP_DigestInit(sha256ctx, EVP_sha256());
if (!is_success) {
- LOG_ERROR("SHA256_Init failed");
+ LOG_ERROR("EVP_DigestInit failed");
goto err;
}
switch (ek_public->publicArea.type) {
case TPM2_ALG_RSA:
/* Add public key to the hash. */
- is_success = SHA256_Update(&sha256,
- ek_public->publicArea.unique.rsa.buffer,
- ek_public->publicArea.unique.rsa.size);
+ is_success = EVP_DigestUpdate(sha256ctx,
+ ek_public->publicArea.unique.rsa.buffer,
+ ek_public->publicArea.unique.rsa.size);
if (!is_success) {
- LOG_ERROR("SHA256_Update failed");
+ LOG_ERROR("EVP_DigestUpdate failed");
goto err;
}
@@ -77,28 +82,28 @@ static unsigned char *hash_ek_public(TPM2B_PUBLIC *ek_public) {
}
/* Exponent 65537 will be added. */
BYTE buf[3] = { 0x1, 0x00, 0x01 };
- is_success = SHA256_Update(&sha256, buf, sizeof(buf));
+ is_success = EVP_DigestUpdate(sha256ctx, buf, sizeof(buf));
if (!is_success) {
- LOG_ERROR("SHA256_Update failed");
+ LOG_ERROR("EVP_DigestUpdate failed");
goto err;
}
break;
case TPM2_ALG_ECC:
- is_success = SHA256_Update(&sha256,
- ek_public->publicArea.unique.ecc.x.buffer,
- ek_public->publicArea.unique.ecc.x.size);
+ is_success = EVP_DigestUpdate(sha256ctx,
+ ek_public->publicArea.unique.ecc.x.buffer,
+ ek_public->publicArea.unique.ecc.x.size);
if (!is_success) {
- LOG_ERROR("SHA256_Update failed");
+ LOG_ERROR("EVP_DigestUpdate failed");
goto err;
}
/* Add public key to the hash. */
- is_success = SHA256_Update(&sha256,
- ek_public->publicArea.unique.ecc.y.buffer,
- ek_public->publicArea.unique.ecc.y.size);
+ is_success = EVP_DigestUpdate(sha256ctx,
+ ek_public->publicArea.unique.ecc.y.buffer,
+ ek_public->publicArea.unique.ecc.y.size);
if (!is_success) {
- LOG_ERROR("SHA256_Update failed");
+ LOG_ERROR("EVP_DigestUpdate failed");
goto err;
}
break;
@@ -108,17 +113,19 @@ static unsigned char *hash_ek_public(TPM2B_PUBLIC *ek_public) {
goto err;
}
- is_success = SHA256_Final(hash, &sha256);
+ is_success = EVP_DigestFinal_ex(sha256ctx, hash, NULL);
if (!is_success) {
LOG_ERROR("SHA256_Final failed");
goto err;
}
+ EVP_MD_CTX_free(sha256ctx);
LOG_TRACE("public-key-hash:");
LOG_TRACE(" sha256: ");
LOGBLOB_TRACE(&hash[0], SHA256_DIGEST_LENGTH, "Hash");
return hash;
err:
+ EVP_MD_CTX_free(sha256ctx);
free(hash);
return NULL;
}
--
2.26.3

124
SOURCES/0010-Test-Use-EVP_MAC_xxx-with-OpenSSL-3.0.patch
Unescape View File

@ -0,0 +1,124 @@
From 89b2bd01f6fa1e267f57b2ceeb2ffaafb9cdb7c0 Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Sun, 18 Jul 2021 14:56:18 +0200
Subject: Test: Use EVP_MAC_xxx with OpenSSL 3.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Drop support for OpenSSL < 1.1.0 and add support for OpenSSL >= 3.0.0.

The HMAC_Update is deprecated in OpenSSL 3.0, but the replacement
EVP_MAC_update was added in OpenSSL 3.0, so version specific code is
needed.

Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
test/integration/sys-util.c | 50 +++++++++++++++++++++++--------------
1 file changed, 31 insertions(+), 19 deletions(-)

diff --git a/test/integration/sys-util.c b/test/integration/sys-util.c
index af83cf55..5865f002 100644
--- a/test/integration/sys-util.c
+++ b/test/integration/sys-util.c
@@ -13,10 +13,13 @@
#include <string.h>
#include <assert.h>
+#include <openssl/evp.h>
#include <openssl/sha.h>
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
#include <openssl/hmac.h>
-#include <openssl/evp.h>
-#include <openssl/opensslv.h>
+#else
+#include <openssl/core_names.h>
+#endif
#define LOGMODULE testintegration
#include "util/log.h"
@@ -489,22 +492,18 @@ hmac(
TPM2B_DIGEST **buffer_list,
TPM2B_DIGEST *out)
{
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- HMAC_CTX *ctx;
-#else
- HMAC_CTX _ctx;
- HMAC_CTX *ctx = &_ctx;
-#endif
- EVP_MD *evp;
int rc = 1, i;
- unsigned int *buf = NULL, size;
+ unsigned int *buf = NULL;
uint8_t *buf_ptr;
+ EVP_MD *evp;
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- /* HMAC_CTX_new and HMAC_CTX_free are new in openSSL 1.1.0 */
- ctx = HMAC_CTX_new();
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ unsigned int size;
+ HMAC_CTX *ctx = HMAC_CTX_new();
#else
- HMAC_CTX_init(ctx);
+ size_t size;
+ EVP_MAC *hmac = EVP_MAC_fetch(NULL, "HMAC", NULL);
+ EVP_MAC_CTX *ctx = EVP_MAC_CTX_new(hmac);
#endif
if (!ctx)
@@ -538,21 +537,33 @@ hmac(
buf_ptr = (uint8_t *)buf;
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
rc = HMAC_Init_ex(ctx, key, key_len, evp, NULL);
#else
- rc = HMAC_Init(ctx, key, key_len, evp);
-#endif
+ OSSL_PARAM params[2];
+ params[0] = OSSL_PARAM_construct_utf8_string(OSSL_ALG_PARAM_DIGEST,
+ (char *)EVP_MD_get0_name(evp), 0);
+ params[1] = OSSL_PARAM_construct_end();
+ rc = EVP_MAC_init(ctx, key, key_len, params);
+#endif
if (rc != 1)
goto out;
for (i = 0; buffer_list[i] != 0; i++) {
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
rc = HMAC_Update(ctx, buffer_list[i]->buffer, buffer_list[i]->size);
+#else
+ rc = EVP_MAC_update(ctx, buffer_list[i]->buffer, buffer_list[i]->size);
+#endif
if (rc != 1)
goto out;
}
/* buf_ptr has to be 4 bytes alligned for whatever reason */
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
rc = HMAC_Final(ctx, buf_ptr, &size);
+#else
+ rc = EVP_MAC_final(ctx, buf_ptr, &size, out->size);
+#endif
if (rc != 1)
goto out;
@@ -561,10 +572,11 @@ hmac(
memcpy(out->buffer, buf, out->size);
out:
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
HMAC_CTX_free(ctx);
#else
- HMAC_CTX_cleanup(ctx);
+ EVP_MAC_CTX_free(ctx);
+ EVP_MAC_free(hmac);
#endif
if (buf)
--
2.26.3

313
SOURCES/0011-Drop-support-for-OpenSSL-1.1.0.patch
Unescape View File

@ -0,0 +1,313 @@
From df8495b73df96f55425970e76c613b8a0950bf0c Mon Sep 17 00:00:00 2001
From: Petr Gotthard <petr.gotthard@centrum.cz>
Date: Sun, 18 Jul 2021 20:21:01 +0200
Subject: Drop support for OpenSSL < 1.1.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Delete code written to support OpenSSL < 1.1.0

Delete functions that have no effect in OpenSSL >= 1.1.0
- ENGINE_load_builtin_engines()
- OpenSSL_add_all_algorithms()
- ERR_load_crypto_strings()
- EC_KEY_set_asn1_flag(ecKey, OPENSSL_EC_NAMED_CURVE)

Switch AppVeyor to use pre-built OpenSSL 1.1.0

Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
---
src/tss2-esys/esys_crypto_ossl.c | 19 ----------------
src/tss2-esys/tss2-esys.vcxproj | 16 +++++++-------
src/tss2-fapi/fapi_crypto.c | 37 --------------------------------
test/helper/tpm_getek.c | 11 ----------
test/helper/tpm_getek_ecc.c | 9 --------
5 files changed, 8 insertions(+), 84 deletions(-)

diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c
index 2eb0dfcb..a6259346 100644
--- a/src/tss2-esys/esys_crypto_ossl.c
+++ b/src/tss2-esys/esys_crypto_ossl.c
@@ -525,11 +525,7 @@ iesys_cryptossl_random2b(TPM2B_NONCE * nonce, size_t num_bytes)
nonce->size = num_bytes;
}
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
RAND_set_rand_method(RAND_OpenSSL());
-#else
- RAND_set_rand_method(RAND_SSLeay());
-#endif
if (1 != RAND_bytes(&nonce->buffer[0], nonce->size)) {
RAND_set_rand_method(rand_save);
return_error(TSS2_ESYS_RC_GENERAL_FAILURE,
@@ -563,11 +559,7 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
size_t * out_size, const char *label)
{
const RAND_METHOD *rand_save = RAND_get_rand_method();
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
RAND_set_rand_method(RAND_OpenSSL());
-#else
- RAND_set_rand_method(RAND_SSLeay());
-#endif
TSS2_RC r = TSS2_RC_SUCCESS;
const EVP_MD * hashAlg = NULL;
@@ -630,14 +622,6 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
"Could not create evp key.", cleanup);
}
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- if (!BN_bin2bn(pub_tpm_key->publicArea.unique.rsa.buffer,
- pub_tpm_key->publicArea.unique.rsa.size,
- rsa_key->n)) {
- goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
- "Could not create rsa n.", cleanup);
- }
-#else
BIGNUM *n = NULL;
if (!(n = BN_bin2bn(pub_tpm_key->publicArea.unique.rsa.buffer,
pub_tpm_key->publicArea.unique.rsa.size,
@@ -650,7 +634,6 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
"Could not set rsa n.", cleanup);
}
-#endif
if (1 != EVP_PKEY_set1_RSA(evp_rsa_key, rsa_key)) {
goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
@@ -1129,7 +1112,5 @@ iesys_cryptossl_sym_aes_decrypt(uint8_t * key,
*/
TSS2_RC
iesys_cryptossl_init() {
- ENGINE_load_builtin_engines();
- OpenSSL_add_all_algorithms();
return TSS2_RC_SUCCESS;
}
diff --git a/src/tss2-esys/tss2-esys.vcxproj b/src/tss2-esys/tss2-esys.vcxproj
index b75424aa..b2aa67ce 100644
--- a/src/tss2-esys/tss2-esys.vcxproj
+++ b/src/tss2-esys/tss2-esys.vcxproj
@@ -69,13 +69,13 @@
<RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
- <AdditionalIncludeDirectories>$(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-Win32\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+ <AdditionalIncludeDirectories>$(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-v11-Win32\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
</ClCompile>
<Link>
<TargetMachine>MachineX86</TargetMachine>
<GenerateDebugInformation>true</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
- <AdditionalDependencies>$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-Win32\lib\libeay32.lib;C:\OpenSSL-Win32\lib\libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+ <AdditionalDependencies>$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-v11-Win32\lib\libcrypto.lib;C:\OpenSSL-v11-Win32\lib\libcrypto.lib;%(AdditionalDependencies)</AdditionalDependencies>
<ModuleDefinitionFile>$(SolutionDir)\lib\tss2-esys.def</ModuleDefinitionFile>
</Link>
</ItemDefinitionGroup>
@@ -84,7 +84,7 @@
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;TSS2ESYS_EXPORTS;MAXLOGLEVEL=6;strtok_r=strtok_s;OSSL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
<WarningLevel>Level3</WarningLevel>
- <AdditionalIncludeDirectories>$(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-Win32\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+ <AdditionalIncludeDirectories>$(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-v11-Win32\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
</ClCompile>
<Link>
<TargetMachine>MachineX86</TargetMachine>
@@ -92,27 +92,27 @@
<SubSystem>Windows</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
- <AdditionalDependencies>$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-Win32\lib\libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+ <AdditionalDependencies>$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-v11-Win32\lib\libcrypto.lib;%(AdditionalDependencies)</AdditionalDependencies>
<ModuleDefinitionFile>$(SolutionDir)\lib\tss2-esys.def</ModuleDefinitionFile>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
- <AdditionalIncludeDirectories>$(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-Win64\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+ <AdditionalIncludeDirectories>$(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-v11-Win64\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>_DEBUG;_WINDOWS;_USRDLL;TSS2ESYS_EXPORTS;MAXLOGLEVEL=6;strtok_r=strtok_s;OSSL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<Link>
- <AdditionalDependencies>$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-Win64\lib\libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+ <AdditionalDependencies>$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-v11-Win64\lib\libcrypto.lib;%(AdditionalDependencies)</AdditionalDependencies>
<ModuleDefinitionFile>$(SolutionDir)\lib\tss2-esys.def</ModuleDefinitionFile>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
- <AdditionalIncludeDirectories>$(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-Win64\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+ <AdditionalIncludeDirectories>$(SolutionDir);$(SolutionDir)\src;$(SolutionDir)\include\tss2;$(SolutionDir)\src\tss2-mu;$(SolutionDir)\src\tss2-sys;$(SolutionDir)\src\tss2-esys;C:\OpenSSL-v11-Win64\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>NDEBUG;_WINDOWS;_USRDLL;TSS2ESYS_EXPORTS;MAXLOGLEVEL=6;strtok_r=strtok_s;OSSL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<Link>
- <AdditionalDependencies>$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-Win64\lib\libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+ <AdditionalDependencies>$(OutDir)\tss2-mu.lib;$(OutDir)\tss2-sys.lib;$(OutDir)\tss2-tctildr.lib;C:\OpenSSL-v11-Win64\lib\libcrypto.lib;%(AdditionalDependencies)</AdditionalDependencies>
<ModuleDefinitionFile>$(SolutionDir)\lib\tss2-esys.def</ModuleDefinitionFile>
</Link>
</ItemDefinitionGroup>
diff --git a/src/tss2-fapi/fapi_crypto.c b/src/tss2-fapi/fapi_crypto.c
index f5b3d272..c97b0a1d 100644
--- a/src/tss2-fapi/fapi_crypto.c
+++ b/src/tss2-fapi/fapi_crypto.c
@@ -333,12 +333,7 @@ ifapi_tpm_ecc_sig_to_der(
tpmSignature->signature.ecdsa.signatureR.size, NULL);
goto_if_null(bnr, "Out of memory", TSS2_FAPI_RC_MEMORY, cleanup);
-#if OPENSSL_VERSION_NUMBER < 0x10100000
- ecdsaSignature->s = bns;
- ecdsaSignature->r = bnr;
-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
ECDSA_SIG_set0(ecdsaSignature, bnr, bns);
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
osslRC = i2d_ECDSA_SIG(ecdsaSignature, NULL);
if (osslRC == -1) {
@@ -424,20 +419,9 @@ ossl_rsa_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey)
"Could not set exponent.", error_cleanup);
}
-#if OPENSSL_VERSION_NUMBER < 0x10100000
- rsa->e = e;
- rsa->n = n;
- rsa->d = d;
- rsa->p = p;
- rsa->q = q;
- rsa->dmp1 = dmp1;
- rsa->dmq1 = dmq1;
- rsa->iqmp = iqmp;
-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
RSA_set0_key(rsa, n, e, d);
RSA_set0_factors(rsa, p, q);
RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp);
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
/* Assign the parameters to the key */
if (!EVP_PKEY_assign_RSA(evpPublicKey, rsa)) {
@@ -541,8 +525,6 @@ ossl_ecc_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey)
goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Assign ecc key",
error_cleanup);
}
- /* Needed for older OSSL versions. */
- EC_KEY_set_asn1_flag(ecKey, OPENSSL_EC_NAMED_CURVE);
OSSL_FREE(y, BN);
OSSL_FREE(x, BN);
return TSS2_RC_SUCCESS;
@@ -654,24 +636,14 @@ ifapi_ecc_der_sig_to_tpm(
/* Initialize the ECDSA signature components */
ECDSA_SIG *ecdsaSignature = NULL;
-#if OPENSSL_VERSION_NUMBER < 0x10100000
- BIGNUM *bnr;
- BIGNUM *bns;
-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
const BIGNUM *bnr;
const BIGNUM *bns;
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
d2i_ECDSA_SIG(&ecdsaSignature, &signature, signatureSize);
return_if_null(ecdsaSignature, "Invalid DER signature",
TSS2_FAPI_RC_GENERAL_FAILURE);
-#if OPENSSL_VERSION_NUMBER < 0x10100000
- bns = ecdsaSignature->s;
- bnr = ecdsaSignature->r;
-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
ECDSA_SIG_get0(ecdsaSignature, &bnr, &bns);
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
/* Writing them to the TPM format signature */
tpmSignature->signature.ecdsa.hash = hashAlgorithm;
@@ -933,12 +905,7 @@ get_rsa_tpm2b_public_from_evp(
const BIGNUM *e = NULL, *n = NULL;
int rsaKeySize = RSA_size(rsaKey);
-#if OPENSSL_VERSION_NUMBER < 0x10100000
- e = rsaKey->e;
- n = rsaKey->n;
-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
RSA_get0_key(rsaKey, &n, &e, NULL);
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
tpmPublic->publicArea.unique.rsa.size = rsaKeySize;
if (1 != ifapi_bn2binpad(n, &tpmPublic->publicArea.unique.rsa.buffer[0],
rsaKeySize)) {
@@ -1650,8 +1617,6 @@ get_crl_from_cert(X509 *cert, X509_CRL **crl)
goto_error(r, TSS2_FAPI_RC_NO_CERT, "Get crl.", cleanup);
}
- OpenSSL_add_all_algorithms();
-
unsigned const char* tmp_ptr1 = crl_buffer;
unsigned const char** tmp_ptr2 = &tmp_ptr1;
@@ -1935,7 +1900,6 @@ ifapi_verify_ek_cert(
r, TSS2_FAPI_RC_BAD_VALUE, cleanup);
} else {
/* Get uri for ek intermediate certificate. */
- OpenSSL_add_all_algorithms();
info = X509_get_ext_d2i(ek_cert, NID_info_access, NULL, NULL);
for (i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++) {
@@ -1955,7 +1919,6 @@ ifapi_verify_ek_cert(
goto_if_null2(cert_buffer, "No certificate downloaded", r,
TSS2_FAPI_RC_NO_CERT, cleanup);
- OpenSSL_add_all_algorithms();
intermed_cert = get_cert_from_buffer(cert_buffer, cert_buffer_size);
SAFE_FREE(cert_buffer);
diff --git a/test/helper/tpm_getek.c b/test/helper/tpm_getek.c
index 21be0f46..c6a8e906 100644
--- a/test/helper/tpm_getek.c
+++ b/test/helper/tpm_getek.c
@@ -147,20 +147,9 @@ main (int argc, char *argv[])
exp = out_public.publicArea.parameters.rsaDetail.exponent;
BN_set_word(e, exp);
-#if OPENSSL_VERSION_NUMBER < 0x10100000
- rsa->e = e;
- rsa->n = n;
- rsa->d = d;
- rsa->p = p;
- rsa->q = q;
- rsa->dmp1 = dmp1;
- rsa->dmq1 = dmq1;
- rsa->iqmp = iqmp;
-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
RSA_set0_key(rsa, n, e, d);
RSA_set0_factors(rsa, p, q);
RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp);
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
EVP_PKEY_assign_RSA(evp, rsa);
diff --git a/test/helper/tpm_getek_ecc.c b/test/helper/tpm_getek_ecc.c
index 0419f47a..75165fdd 100644
--- a/test/helper/tpm_getek_ecc.c
+++ b/test/helper/tpm_getek_ecc.c
@@ -128,14 +128,6 @@ main (int argc, char *argv[])
/* Convert the key from out_public to PEM */
EVP_PKEY *evp = EVP_PKEY_new();
-
- OpenSSL_add_all_algorithms();
-
- OpenSSL_add_all_algorithms();
-
- ERR_load_crypto_strings();
-
-
EC_KEY *ecc_key = EC_KEY_new();
BIGNUM *x = NULL, *y = NULL;
BIO *bio;
@@ -159,7 +151,6 @@ main (int argc, char *argv[])
if (!EC_KEY_set_group(ecc_key, ecgroup))
exit(1);
- EC_KEY_set_asn1_flag(ecc_key, OPENSSL_EC_NAMED_CURVE);
EC_GROUP_free(ecgroup);
/* Set the ECC parameters in the OpenSSL key */
--
2.26.3

1005
SOURCES/0012-Implement-EVP_PKEY-export-import-for-OpenSSL-3.0.patch
View File

File diff suppressed because it is too large Load Diff

15
SOURCES/tpm2-tss-3.0.0-doxygen.patch
Unescape View File

@ -0,0 +1,15 @@
diff -up tpm2-tss-3.0.0/Doxyfile.in.me tpm2-tss-3.0.0/Doxyfile.in
--- tpm2-tss-3.0.0/Doxyfile.in.me 2020-09-15 20:24:26.463314644 +0200
+++ tpm2-tss-3.0.0/Doxyfile.in 2020-09-15 20:26:29.010866650 +0200
@@ -947,7 +947,10 @@ EXCLUDE_PATTERNS =
# Note that the wildcards are matched against the file with absolute path, so to
# exclude all test directories use the pattern */test/*
-EXCLUDE_SYMBOLS = *_IN IESYS_CMD_IN_PARAM
+EXCLUDE_SYMBOLS = StartAuthSession_IN CreatePrimary_IN ContextSave_IN ContextLoad_IN \
+ Load_IN LoadExternal_IN CreateLoaded_IN EvictControl_IN HMAC_Start_IN \
+ HierarchyChangeAuth_IN SequenceComplete_IN Policy_IN NV_IN FlushContext_IN \
+ IESYS_CMD_IN_PARAM
# The EXAMPLE_PATH tag can be used to specify one or more files or directories
# that contain example code fragments that are included (see the \include

302
SPECS/tpm2-tss.spec
Unescape View File

@ -0,0 +1,302 @@
Name: tpm2-tss
Version: 3.0.3
Release: 7%{?dist}
Summary: TPM2.0 Software Stack

# The entire source code is under BSD except implementation.h and tpmb.h which
# is under TCGL(Trusted Computing Group License).
License: BSD and TCGL
URL: https://github.com/tpm2-software/tpm2-tss
Source0: https://github.com/tpm2-software/tpm2-tss/releases/download/%{version}/%{name}-%{version}.tar.gz
# doxygen crash
Patch0: tpm2-tss-3.0.0-doxygen.patch
# OpenSSL 3 support
Patch1: 0001-FAPI-Fix-reading-of-the-root-certificate-for-provisi.patch
Patch2: 0002-FAPI-use-FAPI_TEST_EK_CERT_LESS-with-disable-self-ge.patch
Patch3: 0003-Makefile.am-Use-LIBCRYPTO_CFLAGS-when-building-FAPI.patch
Patch4: 0004-Test-Remove-duplicate-openssl-req-new.patch
Patch5: 0005-FAPI-Test-Call-EVP_DigestSignInit-in-the-correct-ord.patch
Patch6: 0006-FAPI-Test-Use-EVP_PKEY_base_id-to-detect-key-type.patch
Patch7: 0007-FAPI-Test-Change-RSA_sign-to-EVP_PKEY_sign.patch
Patch8: 0008-Require-OpenSSL-1.1.0.patch
Patch9: 0009-FAPI-Change-SHA256_Update-to-EVP_DigestUpdate.patch
Patch10: 0010-Test-Use-EVP_MAC_xxx-with-OpenSSL-3.0.patch
Patch11: 0011-Drop-support-for-OpenSSL-1.1.0.patch
Patch12: 0012-Implement-EVP_PKEY-export-import-for-OpenSSL-3.0.patch


%global udevrules_prefix 60-

BuildRequires: make
BuildRequires: autoconf-archive
BuildRequires: doxygen
BuildRequires: gcc
BuildRequires: gcc-c++
BuildRequires: json-c-devel
BuildRequires: libcurl-devel
BuildRequires: libgcrypt-devel
BuildRequires: libtool
BuildRequires: openssl-devel
BuildRequires: pkgconfig
BuildRequires: systemd
Requires(pre): shadow-utils

%description
tpm2-tss is a software stack supporting Trusted Platform Module(TPM) 2.0 system
APIs. It sits between TPM driver and applications, providing TPM2.0 specified
APIs for applications to access TPM module through kernel TPM drivers.

%prep
%autosetup -p1 -n %{name}-%{version}

%build
autoreconf -i
# Use built-in tpm-udev.rules, with specified installation path and prefix.
%configure --disable-static --disable-silent-rules \
--with-udevrulesdir=%{_udevrulesdir} --with-udevrulesprefix=%{udevrules_prefix} \
--with-runstatedir=%{_rundir} --with-tmpfilesdir=%{_tmpfilesdir} --with-sysusersdir=%{_sysusersdir}

# This is to fix Rpath errors. Taken from https://fedoraproject.org/wiki/Packaging:Guidelines#Removing_Rpath
sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool

%make_build

%install
%make_install
find %{buildroot}%{_libdir} -type f -name \*.la -delete

%pre
getent group tss >/dev/null || groupadd -f -g 59 -r tss
if ! getent passwd tss >/dev/null ; then
if ! getent passwd 59 >/dev/null ; then
useradd -r -u 59 -g tss -d /dev/null -s /sbin/nologin -c "Account used for TPM access" tss
else
useradd -r -g tss -d /dev/null -s /sbin/nologin -c "Account used for TPM access" tss
fi
fi
exit 0

%ldconfig_scriptlets

%files
%doc README.md CHANGELOG.md
%license LICENSE
%{_sysconfdir}/tpm2-tss/
%{_libdir}/libtss2-mu.so.0*
%{_libdir}/libtss2-sys.so.1*
%{_libdir}/libtss2-esys.so.0*
%{_libdir}/libtss2-fapi.so.1*
%{_libdir}/libtss2-rc.so.0*
%{_libdir}/libtss2-tctildr.so.0*
%{_libdir}/libtss2-tcti-cmd.so.0*
%{_libdir}/libtss2-tcti-device.so.0*
%{_libdir}/libtss2-tcti-mssim.so.0*
%{_libdir}/libtss2-tcti-swtpm.so.0*
%{_sysusersdir}/tpm2-tss.conf
%{_tmpfilesdir}/tpm2-tss-fapi.conf
%{_udevrulesdir}/%{udevrules_prefix}tpm-udev.rules

%package devel
Summary: Headers and libraries for building apps that use tpm2-tss
Requires: %{name}%{_isa} = %{version}-%{release}

%description devel
This package contains headers and libraries required to build applications that
use tpm2-tss.

%files devel
%{_includedir}/tss2/
%{_libdir}/libtss2-mu.so
%{_libdir}/libtss2-sys.so
%{_libdir}/libtss2-esys.so
%{_libdir}/libtss2-fapi.so
%{_libdir}/libtss2-rc.so
%{_libdir}/libtss2-tctildr.so
%{_libdir}/libtss2-tcti-cmd.so
%{_libdir}/libtss2-tcti-device.so
%{_libdir}/libtss2-tcti-mssim.so
%{_libdir}/libtss2-tcti-swtpm.so
%{_libdir}/pkgconfig/tss2-mu.pc
%{_libdir}/pkgconfig/tss2-sys.pc
%{_libdir}/pkgconfig/tss2-esys.pc
%{_libdir}/pkgconfig/tss2-fapi.pc
%{_libdir}/pkgconfig/tss2-rc.pc
%{_libdir}/pkgconfig/tss2-tctildr.pc
%{_libdir}/pkgconfig/tss2-tcti-cmd.pc
%{_libdir}/pkgconfig/tss2-tcti-device.pc
%{_libdir}/pkgconfig/tss2-tcti-mssim.pc
%{_libdir}/pkgconfig/tss2-tcti-swtpm.pc
%{_mandir}/man3/*.3.gz
%{_mandir}/man5/*.5.gz
%{_mandir}/man7/tss2*.7.gz


%changelog
* Thu Feb 17 2022 Štěpán Horáček <shoracek@redhat.com> - 3.0.3-7
- Rebuild with latest json-c library
Related: rhbz#2023328

* Wed Aug 18 2021 Štěpán Horáček <shoracek@redhat.com> - 3.0.3-6
- Fix failures while using OpenSSL 3
Resolves: rhbz#1984634

* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.3-5
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688

* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.3-4
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065

* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.3-3
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937

* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild

* Thu Nov 26 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 3.0.3-1
- Update to 3.0.2

* Sun Nov 22 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 3.0.2-1
- Update to 3.0.2

* Wed Sep 23 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 3.0.1-1
- Update to 3.0.1

* Tue Sep 15 2020 Than Ngo <than@redhat.com> - 3.0.0-4
- Fix doxygen crash

* Tue Sep 15 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 3.0.0-3
- Create tss user, if it doesn't exist, for userspace TPM access

* Fri Aug 07 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 3.0.0-2
- Install sysusers config in sysusersdir (rhbz #1834519)

* Wed Aug 05 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 3.0.0-1
- Update to 3.0.0

* Wed Aug 05 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 2.4.2-1
- Update to 2.4.2

* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild

* Thu May 14 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 2.4.1-1
- Update to 2.4.1

* Fri May 08 2020 Paul Wouters <pwouters@redhat.com> - 2.4.0-3
- Use proper rundir and tmpfiles macros so proper directories are used

* Tue Apr 21 2020 Björn Esser <besser82@fedoraproject.org> - 2.4.0-2
- Rebuild (json-c)

* Thu Mar 12 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 2.4.0-1
- Update to 2.4.0 release

* Mon Feb 24 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 2.3.3-1
- Update to 2.3.3 release

* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild

* Fri Dec 13 2019 Yunying Sun <yunying.sun@intel.com> - 2.3.2-1
- Update to 2.3.2 release

* Fri Sep 6 2019 Yunying Sun <yunying.sun@intel.com> - 2.3.1-1
- Update to 2.3.1 release

* Thu Aug 15 2019 Yunying Sun <yunying.sun@intel.com> - 2.3.0-1
- Update to 2.3.0 release

* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild

* Wed May 29 2019 Yunying Sun <yunying.sun@intel.com> - 2.2.3-1
- Update to 2.2.3 release

* Fri Mar 29 2019 Yunying Sun <yunying.sun@intel.com> - 2.2.2-1
- Update to 2.2.2 release

* Mon Mar 4 2019 Peter Robinson <pbrobinson@fedoraproject.org> 2.2.1-1
- Update to 2.2.1 release

* Wed Feb 06 2019 Javier Martinez Canillas <javierm@redhat.com> - 2.2.0-1
- Update to 2.2.0 release

* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild

* Wed Oct 10 2018 Yunying Sun <yunying.sun@intel.com> - 2.1.0-1
- Update to 2.1.0 release

* Thu Aug 30 2018 Yunying Sun <yunying.sun@intel.com> - 2.0.1-1
- Update to 2.0.1 release

* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

* Wed Jul 4 2018 Yunying Sun <yunying.sun@intel.com> - 2.0.0-2
- Re-enable ESAPI since gcrypt dependency is not an issue for Fedora
- Bump release version to 2.0.0-2

* Mon Jul 2 2018 Yunying Sun <yunying.sun@intel.com> - 2.0.0-1
- Update to 2.0.0 release (RHBZ#1508870)
- Remove patch file 60-tpm-udev.rules, use upstream tpm-udev.rules instead
- Disable ESAPI to fix build errors caused by dependency to libgcrypt 1.6.0
- Add scriptlet to fix Rpath errors
- Update file installation paths and names accordingly

* Sun Mar 04 2018 Javier Martinez Canillas <javierm@redhat.com> - 1.4.0-1
- Update URLs to point to the new project location
- Add README.md CHANGELOG.md to %%files directive
- Update to 1.4.0 release (RHBZ#1508870)

* Fri Feb 23 2018 Javier Martinez Canillas <javierm@redhat.com> - 1.3.0-4
- Install udev rule for TPM character devices

* Wed Feb 21 2018 Javier Martinez Canillas <javierm@redhat.com> - 1.3.0-3
- Remove ExclusiveArch: %%{ix86} x86_64 directive

* Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.3.0-2
- Escape macros in %%changelog

* Fri Dec 08 2017 Javier Martinez Canillas <javierm@redhat.com> - 1.3.0-1
- Update to 1.3.0 release

* Wed Nov 29 2017 Javier Martinez Canillas <javierm@redhat.com> - 1.3.0-0.1.rc2
- Update to 1.3.0 release candidate 2 (RHBZ#1508870)
- Remove global pkg_prefix since now the upstream repo and package names match
- Update URLs to point to the new project location
- Remove -Wno-int-in-bool-context compiler flag since now upstream takes care
- Remove %%doc directive since README.md and CHANGELOG.md are not in the tarball
- Add patch to include a LICENSE since the generated tarball does not have it

* Mon Aug 28 2017 Javier Martinez Canillas <javierm@redhat.com> - 1.2.0-1
- Update to 1.2.0 release
- Use tpm2-tss instead of TPM2.0-TSS as prefix since project name changed
- Fix SPEC file access mode
- Include new man pages in %%files directive

* Fri Aug 18 2017 Javier Martinez Canillas <javierm@redhat.com> - 1.1.0-3
- Remove unneeded source tarballs (RHBZ#1482828)

* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild

* Wed Jul 26 2017 Sun Yunying <yunying.sun@intel.com> - 1.1.0-1
- Update to 1.1.0 release

* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild

* Mon Dec 12 2016 Sun Yunying <yunying.sun@intel.com> - 1.0-2
- Remove global macro pkg_version to avoid duplicate of version
- Use ExclusiveArch instead of ExcludeArch
- Use less wildcard in %%files section to be more specific
- Add trailing slash at end of added directory in %%file section
- Remove autoconf/automake/pkgconfig(cmocka) from BuildRequires
- Increase release version to 2

* Fri Dec 2 2016 Sun Yunying <yunying.sun@intel.com> - 1.0-1
- Initial version of the package
Write Preview
Loading…
Cancel
Save