commit bd776e808e806706a2afaad5aef8ffb748bde67f
Author: Toshaan Bharvani
Date: Tue May 17 08:56:37 2022 +0200

initial package creation

Signed-off-by: Toshaan Bharvani

diff --git a/SOURCES/0001-utils-Generate-X509-certificate-serial-number-using-.patch b/SOURCES/0001-utils-Generate-X509-certificate-serial-number-using-.patch
new file mode 100644
index 0000000..e1ec3dc
--- /dev/null
+++ b/SOURCES/0001-utils-Generate-X509-certificate-serial-number-using-.patch
@@ -0,0 +1,62 @@
+From e0c1e3efd187a3cfa77906eef978fa6beada0b31 Mon Sep 17 00:00:00 2001
+From: Ken Goldman
+Date: Thu, 1 Jul 2021 13:55:28 -0400
+Subject: [PATCH] utils: Generate X509 certificate serial number using sha256
+
+This is just a test certificate, not a real CA. Certificate serial
+numbers can be 20 octets maximum. Use a truncated sha256 because some
+'lint' programs are now scanning for sha1.
+
+Signed-off-by: Ken Goldman
+---
+ utils/ekutils.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/utils/ekutils.c b/utils/ekutils.c
+index a0a2734..aad6fba 100644
+--- a/utils/ekutils.c
++++ b/utils/ekutils.c
+@@ -61,6 +61,7 @@
+
+ #include
+ #include
++#include
+
+ #include
+ #include
+@@ -1835,7 +1836,7 @@ TPM_RC startCertificate(X509 *x509Certificate, /* X509 certificate to be generat
+ ASN1_TIME *arc; /* return code */
+ ASN1_INTEGER *x509Serial; /* certificate serial number in ASN1 */
+ BIGNUM *x509SerialBN; /* certificate serial number as a BIGNUM */
+- unsigned char x509Serialbin[SHA1_DIGEST_SIZE]; /* certificate serial number in binary */
++ unsigned char x509Serialbin[EVP_MAX_MD_SIZE]; /* certificate serial number in binary */
+ X509_NAME *x509IssuerName; /* composite issuer name, key/value pairs */
+ X509_NAME *x509SubjectName; /* composite subject name, key/value pairs */
+
+@@ -1855,11 +1856,20 @@ TPM_RC startCertificate(X509 *x509Certificate, /* X509 certificate to be generat
+ add certificate serial number
+ */
+ if (rc == 0) {
++ const EVP_MD *type;
++
+ if (tssUtilsVerbose) printf("startCertificate: Adding certificate serial number\n");
+ /* to create a unique serial number, hash the key to be certified */
+- SHA1(keyBuffer, keyLength, x509Serialbin);
+- /* convert the SHA1 digest to a BIGNUM */
+- x509SerialBN = BN_bin2bn(x509Serialbin, SHA1_DIGEST_SIZE, x509SerialBN);
++ type = EVP_sha256();
++ irc = EVP_Digest(keyBuffer, keyLength, x509Serialbin, NULL, type, NULL);
++ if (irc == 0) {
++ printf("startCertificate: Error in serial number EVP_Digest\n");
++ rc = TSS_RC_X509_ERROR;
++ }
++ }
++ if (rc == 0) {
++ /* convert the digest to a BIGNUM, use 20 octets */
++ x509SerialBN = BN_bin2bn(x509Serialbin, 20, x509SerialBN);
+ if (x509SerialBN == NULL) {
+ printf("startCertificate: Error in serial number BN_bin2bn\n");
+ rc = TSS_RC_X509_ERROR;
+--
+2.34.1
+
diff --git a/SOURCES/0001-utils-Update-certifyx509-for-Openssl-3.0.0.patch b/SOURCES/0001-utils-Update-certifyx509-for-Openssl-3.0.0.patch
new file mode 100644
index 0000000..042e8a1
--- /dev/null
+++ b/SOURCES/0001-utils-Update-certifyx509-for-Openssl-3.0.0.patch
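Review bot: Truncating to 20 octets at `x509SerialBN = BN_bin2bn(x509Serialbin, 20, x509SerialBN);` does not by itself keep the serialNumber within the 20-octet limit the commit message cites: whenever `x509Serialbin[0]` has its top bit set, the positive INTEGER produced from the BIGNUM (the ASN1 conversion is outside this hunk) needs a leading 0x00 octet in DER and comes out at 21 octets. Clearing the high bit first, `x509Serialbin[0] &= 0x7f;`, or passing 19 octets to BN_bin2bn keeps the encoding within the limit, and the comment could read `/* convert the digest to a BIGNUM, use 20 octets with the top bit clear so the DER INTEGER stays at most 20 octets */`. `irc` is assigned without a visible declaration, presumably declared earlier in startCertificate, whose body starts and ends outside the hunk.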
@@ -0,0 +1,1453 @@
+From c93d780442052ae113871f4033d788a5bbe288fa Mon Sep 17 00:00:00 2001
+From: Ken Goldman
+Date: Mon, 23 Aug 2021 16:09:41 -0400
+Subject: [PATCH 1/7] utils: Update certifyx509 for Openssl 3.0.0
+
+i2d_x509 no longer accepts a partial structure. Therefore, replace
+the input and output parsers with the ASN.1 parsing macros.
+Eliminated the custom DER parsing. Set the version from the TPM
+output rather than hard coding to v3.
+
+Add x509 validity time compatibility functions to cryptutils.c
+
+Add -check_ss_sig to the regression test because openssl verify does
+not verify the signature on self signed certificates.
+
+Signed-off-by: Ken Goldman
+---
+ utils/certifyx509.c | 952 +++++++++++++------------------
+ utils/cryptoutils.c | 32 +-
+ utils/cryptoutils.h | 5 +-
+ utils/regtests/testx509.sh | 9 +-
+ 4 files changed, 365 insertions(+), 633 deletions(-)
+
+diff --git a/utils/certifyx509.c b/utils/certifyx509.c
+index 7e8ba8d..ed42ac0 100644
+--- a/utils/certifyx509.c
++++ b/utils/certifyx509.c
+@@ -4,7 +4,7 @@
+ /* Written by Ken Goldman */
+ /* IBM Thomas J. Watson Research Center */
+ /* */
+-/* (c) Copyright IBM Corporation 2019 - 2020. */
++/* (c) Copyright IBM Corporation 2019 - 2021. */
+ /* */
+ /* All rights reserved. */
+ /* */
+@@ -50,6 +50,11 @@
+ #include
+ #include
+
++#include
++#include
++#include
++#include
++
+ #include "cryptoutils.h"
+
+ #ifndef TPM_TSS_MBEDTLS
+@@ -64,9 +69,74 @@
+ /* NOTE: This is currently openssl only. */
+ #include
+
++/* definition of the partial certificate, from Part 3 TPM2_CertifyX509.
++ 1) Signature Algorithm Identifier (optional)
++ 2) Issuer (mandatory)
++ 3) Validity (mandatory)
++ 4) Subject Name (mandatory)
++ 5) Extensions (mandatory)
++*/
++
++typedef struct {
++ ASN1_TIME *notBefore;
++ ASN1_TIME *notAfter;
++} TPM_PARTIAL_CERT_VALIDITY;
++
++/* partial certificate TPM input parameter entire structure */
++typedef struct {
++ X509_ALGOR *algorithm; /* signature algorithm */
++ X509_NAME *issuer;
++ TPM_PARTIAL_CERT_VALIDITY *validity;
++ X509_NAME *subject;
++ STACK_OF(X509_EXTENSION) *extensions;
++} TPM_PARTIAL_CERT;
++
++ASN1_SEQUENCE(TPM_PARTIAL_CERT_VALIDITY) = {
++ ASN1_SIMPLE(TPM_PARTIAL_CERT_VALIDITY, notBefore, ASN1_TIME),
++ ASN1_SIMPLE(TPM_PARTIAL_CERT_VALIDITY, notAfter, ASN1_TIME),
++} ASN1_SEQUENCE_END(TPM_PARTIAL_CERT_VALIDITY)
++
++/* the signature algorithm is optional while the extension list is mandatory */
++ASN1_SEQUENCE(TPM_PARTIAL_CERT) = {
++ ASN1_OPT(TPM_PARTIAL_CERT, algorithm, X509_ALGOR),
++ ASN1_SIMPLE(TPM_PARTIAL_CERT, issuer, X509_NAME),
++ ASN1_SIMPLE(TPM_PARTIAL_CERT, validity, TPM_PARTIAL_CERT_VALIDITY),
++ ASN1_SIMPLE(TPM_PARTIAL_CERT, subject, X509_NAME),
++ ASN1_EXP_SEQUENCE_OF(TPM_PARTIAL_CERT, extensions, X509_EXTENSION, 3),
++} ASN1_SEQUENCE_END(TPM_PARTIAL_CERT)
++
++DECLARE_ASN1_FUNCTIONS(TPM_PARTIAL_CERT)
++IMPLEMENT_ASN1_FUNCTIONS(TPM_PARTIAL_CERT)
++
++/* add to signature TPM output parameter */
++
++typedef struct {
++ ASN1_INTEGER *version;
++ ASN1_INTEGER *serialNumber;
++ X509_ALGOR *signatureAlgorithm;
++ X509_PUBKEY *key;
++} TPM_ADDTOCERT;
++
++ASN1_SEQUENCE(TPM_ADDTOCERT) = {
++ ASN1_EXP_OPT(TPM_ADDTOCERT, version, ASN1_INTEGER, 0),
++ ASN1_SIMPLE(TPM_ADDTOCERT, serialNumber, ASN1_INTEGER),
++ ASN1_SIMPLE(TPM_ADDTOCERT, signatureAlgorithm, X509_ALGOR),
++ ASN1_SIMPLE(TPM_ADDTOCERT, key, X509_PUBKEY),
++} ASN1_SEQUENCE_END(TPM_ADDTOCERT)
++
++DECLARE_ASN1_FUNCTIONS(TPM_ADDTOCERT)
++IMPLEMENT_ASN1_FUNCTIONS(TPM_ADDTOCERT)
++
+ static void printUsage(void);
+
+-TPM_RC createPartialCertificate(X509 *x509Certificate,
++TPM_RC addPartialCertExtension(TPM_PARTIAL_CERT *partialCertificate,
++ X509 *x509Certificate,
++ int nid, const char *value);
++TPM_RC addPartialCertExtensionTpmaOid(TPM_PARTIAL_CERT *partialCertificate,
++ X509 *x509Certificate,
++ uint32_t tpmaObject);
++TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *certificate,
++ X509 *x509Certificate,
+ uint8_t *partialCertificateDer,
+ uint16_t *partialCertificateDerLength,
+ size_t partialCertificateDerSize,
+@@ -74,22 +144,11 @@ TPM_RC createPartialCertificate(X509 *x509Certificate,
+ uint32_t tpmaObject,
+ int addTpmaObject,
+ int subeqiss);
+-TPM_RC convertCertToPartialCert(uint16_t *partialCertificateDerLength,
+- uint8_t *partialCertificateDer,
+- uint16_t certificateDerLength,
+- uint8_t *certificateDer);
+ TPM_RC reformCertificate(X509 *x509Certificate,
+ TPMI_ALG_HASH halg,
+ TPMI_ALG_SIG_SCHEME scheme,
+- TPMI_ECC_CURVE curveID,
+- TPM2B_MAX_BUFFER *addedToCertificate,
+- TPMT_SIGNATURE *tSignature);
+-TPM_RC addSerialNumber(X509 *x509Certificate,
+- unsigned char *tmpAddedToCert,
+- uint16_t *tmpAddedToCertIndex);
+-TPM_RC addPubKeyRsa(X509 *x509Certificate,
+- unsigned char *tmpAddedToCert,
+- uint16_t *tmpAddedToCertIndex);
++ TPM_ADDTOCERT *addToCert,
++ TPMT_SIGNATURE *tSignature);
+ TPM_RC addSignatureRsa(X509 *x509Certificate,
+ TPMI_ALG_HASH halg,
+ TPMT_SIGNATURE *tSignature);
+@@ -97,38 +156,10 @@ TPM_RC addSignatureRsa(X509 *x509Certificate,
+ TPM_RC addSignatureEcc(X509 *x509Certificate,
+ TPMI_ALG_HASH halg,
+ TPMT_SIGNATURE *signature);
+-TPM_RC addPubKeyEcc(X509 *x509Certificate,
+- unsigned char *tmpAddedToCert,
+- uint16_t *tmpAddedToCertIndex,
+- TPMI_ECC_CURVE curveID);
+ #endif /* TPM_TSS_NOECC */
+-TPM_RC addCertExtensionTpmaOid(X509 *x509Certificate,
+- uint32_t tpmaObject);
+-
+-TPM_RC getDataLength(uint8_t type,
+- uint16_t *wrapperLength,
+- uint16_t *dataLength,
+- uint16_t *certificateDerIndex,
+- uint8_t *certificateDer);
+-
+-TPM_RC skipSequence(uint16_t *certificateDerIndex, uint8_t *certificateDer);
+-TPM_RC skipBitString(uint16_t *dataLength,
+- uint16_t *certificateDerIndex, uint8_t *certificateDer);
+-
+-TPM_RC copyType(uint8_t type,
+- uint16_t *partialCertificateDerLength, uint8_t *partialCertificateDer,
+- uint16_t *certificateDerIndex, uint8_t *certificateDer);
+-
+-TPM_RC getInteger(uint16_t *integerLength, unsigned char *integerStream,
+- uint16_t *certificateDerIndex, unsigned char *certificateDer);
+-TPM_RC prependSequence(uint16_t *partialCertificateDerLength, uint8_t *partialCertificateDer);
+
+ int verbose = FALSE;
+
+-/* FIXME
+- length checks
+-*/
+-
+ int main(int argc, char *argv[])
+ {
+ TPM_RC rc = 0;
+@@ -145,8 +176,8 @@ int main(int argc, char *argv[])
+ TPMI_ALG_HASH halg = TPM_ALG_SHA256;
+ unsigned int bit = 0;
+ int testBit = FALSE;
+- const char *keyPassword = NULL;
+- const char *objectPassword = NULL;
++ const char *keyPassword = NULL;
++ const char *objectPassword = NULL;
+ const char *outPartialCertificateFilename = NULL;
+ const char *outCertificateFilename = NULL;
+ const char *addedToCertificateFilename = NULL;
+@@ -167,6 +198,8 @@ int main(int argc, char *argv[])
+ X509 *x509Certificate = NULL;
+ unsigned char *x509Der = NULL;
+ uint32_t x509DerLength = 0;
++ TPM_PARTIAL_CERT *partialCertificate = NULL;
++ TPM_ADDTOCERT *addToCert = NULL;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+@@ -453,9 +486,8 @@ int main(int argc, char *argv[])
+ }
+ in.reserved.t.size = 0;
+ }
+- /* initialize a new, empty X509 structure. It will first be used to form the partialCertificate
+- command parameter, and then be used to reform the certificate from the response
+- parameters. */
++ /* initialize a new, empty X509 structure. It will be used to reform the certificate from
++ the response parameters. */
+ if (rc == 0) {
+ x509Certificate = X509_new(); /* freed @1 */
+ if (x509Certificate == NULL) {
+@@ -463,9 +495,19 @@ int main(int argc, char *argv[])
+ rc = TSS_RC_OUT_OF_MEMORY;
+ }
+ }
+- /* form partial certificate */
++ /* initialize a new, empty TPM_PARTIAL_CERT structure. It will be used to form the
++ partialCertificate command parameter */
++ if (rc == 0) {
++ partialCertificate = TPM_PARTIAL_CERT_new(); /* freed @2 */
++ if (partialCertificate == NULL) {
++ printf("main: Error in TPM_PARTIAL_CERT_new\n");
++ rc = TSS_RC_OUT_OF_MEMORY;
++ }
++ }
++ /* form partial certificate and populate the X509 certificate with the values */
+ if (rc == 0) {
+- rc = createPartialCertificate(x509Certificate,
++ rc = createPartialCertificate(partialCertificate,
++ x509Certificate,
+ in.partialCertificate.t.buffer,
+ &in.partialCertificate.b.size,
+ sizeof(in.partialCertificate.t.buffer),
+@@ -474,6 +516,7 @@ int main(int argc, char *argv[])
+ addTpmaObject,
+ subeqiss);
+ }
++ /* for debug testing */
+ if ((rc == 0) && (testBit)) {
+ unsigned int bitInByte = bit % 8;
+ unsigned int byteInDer = bit / 8;
+@@ -481,7 +524,7 @@ int main(int argc, char *argv[])
+ if (verbose) {
+ printf("main: Testing byte %u bit %u\n", byteInDer, bitInByte);
+ printf("main: Byte was %02x\n", in.partialCertificate.t.buffer[byteInDer]);
+- }
++ }
+ in.partialCertificate.t.buffer[byteInDer] ^= (1 << bitInByte);
+ if (verbose) printf("main: Byte is %02x\n", in.partialCertificate.t.buffer[byteInDer]);
+ }
+@@ -530,17 +573,22 @@ int main(int argc, char *argv[])
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+- /* write response parameters for debug */
++ /*
++ write response parameters for debug
++ */
++ /* added to certificate */
+ if ((rc == 0) && (addedToCertificateFilename != NULL)) {
+ rc = TSS_File_WriteBinaryFile(out.addedToCertificate.t.buffer,
+ out.addedToCertificate.t.size,
+ addedToCertificateFilename);
+ }
++ /* to be signed digest */
+ if ((rc == 0) && (tbsDigestFilename != NULL)) {
+ rc = TSS_File_WriteBinaryFile(out.tbsDigest.t.buffer,
+ out.tbsDigest.t.size,
+ tbsDigestFilename);
+ }
++ /* signature */
+ if ((rc == 0) && (signatureFilename != NULL)) {
+ rc = TSS_File_WriteStructure(&out.signature,
+ (MarshalFunction_t)TSS_TPMT_SIGNATURE_Marshalu,
+@@ -549,11 +597,21 @@ int main(int argc, char *argv[])
+ if (rc == 0) {
+ if (verbose) TSS_TPMT_SIGNATURE_Print(&out.signature, 0);
+ }
+- /* reform the signed certificate from the original input plus the response parameters */
++ /* convert the TPM output addedToCertificate DER to the OpenSSL structure */
++ if (rc == 0) {
++ const unsigned char *tmpptr = out.addedToCertificate.t.buffer;
++ addToCert = d2i_TPM_ADDTOCERT(NULL, /* freed @3 */
++ &tmpptr, out.addedToCertificate.t.size);
++ if (addToCert == NULL) {
++ printf("d2i_TPM_ADDTOCERT failed %p\n", addToCert);
++ rc = EXIT_FAILURE;
++ }
++ }
++ /* reform the signed certificate from the original X509 input plus the response parameters */
+ if (rc == 0) {
+ rc = reformCertificate(x509Certificate,
+- halg, scheme, curveID,
+- &out.addedToCertificate,
++ halg, scheme,
++ addToCert,
+ &out.signature);
+ }
+ if (rc == 0) {
+@@ -569,7 +627,8 @@ int main(int argc, char *argv[])
+ if (x509Certificate != NULL) {
+ X509_free(x509Certificate); /* @1 */
+ }
+- free(x509Der); /* @2 */
++ free(x509Der); /* @2 */
++ free(addToCert); /* @3 */
+ return rc;
+ }
+
+@@ -587,7 +646,7 @@ char *issuerEntries[] = {
+ "IBM" ,
+ NULL ,
+ "CA" ,
+- NULL
++ NULL
+ };
+
+ char *subjectEntries[] = {
+@@ -597,22 +656,23 @@ char *subjectEntries[] = {
+ "IBM" ,
+ NULL ,
+ "Subject" ,
+- NULL
++ NULL
+ };
+
+-/* createPartialCertificate() forms the partialCertificate DER. It starts with an empty X509
+- structure and adds the needed parameters. Then (in a total hack), converts the X509 structure to
+- DER, parses the DER field by field, and outputs just the fields required for the
+- partialCertificate parameter.
++/* createPartialCertificate() forms the partialCertificate DER. It starts with an empty X509 and
++ TPM_PARTIAL_CERT structures. It adds the needed parameters to both structures. It then
++ serializes the TPM_PARTIAL_CERT structure to partialCertificateDer;
+
+ subeqiss FALSE: subject name is independent of issuer name
+ subeqiss TRUE: subject name is the same as the issuer name
+ */
+
+-TPM_RC createPartialCertificate(X509 *x509Certificate, /* input / output */
++TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate, /* input / output */
++ X509 *x509Certificate, /* input / output */
+ uint8_t *partialCertificateDer, /* output */
+ uint16_t *partialCertificateDerLength,
+- size_t partialCertificateDerSize,
++ size_t partialCertificateDerSize, /* input, size of
++ partialCertificateDer */
+ const char *keyUsage,
+ uint32_t tpmaObject,
+ int addTpmaObject,
+@@ -626,40 +686,31 @@ TPM_RC createPartialCertificate(X509 *x509Certificate, /* input / output */
+ X509_NAME *x509SubjectName = NULL;/* composite subject name, key/value pairs */
+ size_t issuerEntriesSize = sizeof(issuerEntries)/sizeof(char *);
+ size_t subjectEntriesSize = sizeof(subjectEntries)/sizeof(char *);
+-
+- uint32_t certificateDerLength = 0;
+- uint8_t *certificateDer = NULL;
++ ASN1_TIME *notBefore = NULL;
++ ASN1_TIME *notAfter = NULL;
++ uint8_t *tmpPartialDer = NULL; /* for the i2d */
+
+- partialCertificateDerSize = partialCertificateDerSize; /* FIXME needs size check */
+-
+- /* add certificate version X509 v3 */
+- if (rc == 0) {
+- irc = X509_set_version(x509Certificate, 2L); /* value 2 == v3 */
+- if (irc != 1) {
+- printf("createPartialCertificate: Error in X509_set_version\n");
+- rc = TSS_RC_X509_ERROR;
+- }
+- }
+ /* add issuer */
+ if (rc == 0) {
+ if (verbose) printf("createPartialCertificate: Adding issuer, size %lu\n",
+- (unsigned long)issuerEntriesSize);
+- rc = createX509Name(&x509IssuerName, /* freed @1 */
++ (unsigned long)issuerEntriesSize);
++ rc = createX509Name(&partialCertificate->issuer, /* freed @1 */
+ issuerEntriesSize,
+ issuerEntries);
+ }
+ if (rc == 0) {
+- irc = X509_set_issuer_name(x509Certificate, x509IssuerName);
++ irc = X509_set_issuer_name(x509Certificate, partialCertificate->issuer);
+ if (irc != 1) {
+ printf("createPartialCertificate: Error setting issuer\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+- /* add validity */
++ /*
++ validity before
++ */
+ if (rc == 0) {
+- /* can't fail, just returns a structure member */
+- ASN1_TIME *notBefore = X509_get_notBefore(x509Certificate);
+- arc = X509_gmtime_adj(notBefore ,0L); /* set to today */
++ /* set to today */
++ arc = X509_gmtime_adj(partialCertificate->validity->notBefore ,0L);
+ if (arc == NULL) {
+ printf("createPartialCertificate: Error setting notBefore time\n");
+ rc = TSS_RC_X509_ERROR;
+@@ -667,20 +718,39 @@ TPM_RC createPartialCertificate(X509 *x509Certificate, /* input / output */
+ }
+ if (rc == 0) {
+ /* can't fail, just returns a structure member */
+- ASN1_TIME *notAfter = X509_get_notAfter(x509Certificate);
+- arc = X509_gmtime_adj(notAfter, CERT_DURATION); /* set to duration */
++ notBefore = X509_get_notBefore(x509Certificate);
++ irc = X509_set1_notBefore(x509Certificate, partialCertificate->validity->notBefore);
++ if (irc == 0) {
++ printf("createPartialCertificate: Error setting notBefore time\n");
++ rc = TSS_RC_X509_ERROR;
++ }
++ }
++ /*
++ validity after
++ */
++ if (rc == 0) {
++ /* set to duration */
++ arc = X509_gmtime_adj(partialCertificate->validity->notAfter, CERT_DURATION);
+ if (arc == NULL) {
+ printf("createPartialCertificate: Error setting notAfter time\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
++ if (rc == 0) {
++ notAfter = X509_get_notAfter(x509Certificate);
++ irc = X509_set1_notAfter(x509Certificate,partialCertificate->validity->notAfter);
++ if (irc == 0) {
++ printf("createPartialCertificate: Error setting notAfter time\n");
++ rc = TSS_RC_X509_ERROR;
++ }
++ }
+ /* add subject */
+ if (rc == 0) {
+ /* normal case */
+ if (!subeqiss) {
+ if (verbose) printf("createPartialCertificate: Adding subject, size %lu\n",
+ (unsigned long)subjectEntriesSize);
+- rc = createX509Name(&x509SubjectName, /* freed @2 */
++ rc = createX509Name(&partialCertificate->subject, /* freed @2 */
+ subjectEntriesSize,
+ subjectEntries);
+ }
+@@ -688,13 +758,13 @@ TPM_RC createPartialCertificate(X509 *x509Certificate, /* input / output */
+ else {
+ if (verbose) printf("createPartialCertificate: Adding subject (issuer), size %lu\n",
+ (unsigned long)issuerEntriesSize);
+- rc = createX509Name(&x509SubjectName, /* freed @2 */
++ rc = createX509Name(&partialCertificate->subject, /* freed @2 */
+ issuerEntriesSize,
+ issuerEntries);
+ }
+ }
+ if (rc == 0) {
+- irc = X509_set_subject_name(x509Certificate, x509SubjectName);
++ irc = X509_set_subject_name(x509Certificate, partialCertificate->subject);
+ if (irc != 1) {
+ printf("createPartialCertificate: Error setting subject\n");
+ rc = TSS_RC_X509_ERROR;
+@@ -703,109 +773,179 @@ TPM_RC createPartialCertificate(X509 *x509Certificate, /* input / output */
+ /* add some certificate extensions, requires corresponding bits in subject key */
+ if (rc == 0) {
+ if (verbose) printf("createPartialCertificate: Adding extensions\n");
+- rc = addCertExtension(x509Certificate,
+- NID_key_usage, keyUsage);
++ rc = addPartialCertExtension(partialCertificate,
++ x509Certificate,
++ NID_key_usage, keyUsage);
+ }
+ /* optional TPMA_OBJECT extension */
+ /* From TCG OID registry tcg-tpmaObject 2.23.133.10.1.1.1 */
+ if (rc == 0) {
+ if (addTpmaObject) {
+- rc = addCertExtensionTpmaOid(x509Certificate, tpmaObject);
++ rc = addPartialCertExtensionTpmaOid(partialCertificate,
++ x509Certificate,
++ tpmaObject);
+ }
+ }
+- /* convertX509ToDer() serializes the openSSL X509 structure to a DER certificate stream */
++ /* serialize the openSSL partial certificate structure to a DER stream */
++ if (rc == 0) {
++ *partialCertificateDerLength =
++ (uint16_t)i2d_TPM_PARTIAL_CERT(partialCertificate,
++ &tmpPartialDer); /* freed @3 */
++ }
++ /* check the i2d size, and copy the DER to the TPM input parameter */
+ if (rc == 0) {
+- rc = convertX509ToDer(&certificateDerLength,
+- &certificateDer, /* freed @4 */
+- x509Certificate); /* input */
++ if (*partialCertificateDerLength <= partialCertificateDerSize) {
++ memcpy(partialCertificateDer, tmpPartialDer, *partialCertificateDerLength);
++ }
++ else {
++ printf("createPartialCertificate: Partial cert size %u too large\n",
++ *partialCertificateDerLength);
++ rc = TSS_RC_X509_ERROR;
++ }
+ }
+- /* for debug. The structure is incomplete and so will trace with errors */
++#if 0
++ /* for debug. The X509 structure is incomplete and so will trace with errors */
+ if (rc == 0) {
+ if (verbose) printf("createPartialCertificate: Trace preliminary certificate\n");
+ if (verbose) X509_print_fp(stdout, x509Certificate);
+ }
+-#if 1
+- /* for debug. Use dumpasn1 to view the incomplete certificate */
++#endif
++ X509_NAME_free(x509IssuerName); /* @1 */
++ X509_NAME_free(x509SubjectName); /* @2 */
++ free(tmpPartialDer); /* @3 */
++ return rc;
++}
++
++/* addPartialCertExtension() adds the extension type 'nid' to the partial certificate
++
++ */
++
++TPM_RC addPartialCertExtension(TPM_PARTIAL_CERT *partialCertificate,
++ X509 *x509Certificate,
++ int nid, const char *value)
++{
++ TPM_RC rc = 0;
++ X509_EXTENSION *extension = NULL; /* freed @1 */
++
++ if (rc == 0) {
++#if OPENSSL_VERSION_NUMBER < 0x10100000
++ /* the cast is required for the older openssl 1.0 API */
++ extension = X509V3_EXT_conf_nid(NULL, NULL, /* freed @1 */
++ nid, (char *)value);
++#else
++ extension = X509V3_EXT_conf_nid(NULL, NULL, /* freed @1 */
++ nid, value);
++#endif
++ if (extension == NULL) {
++ printf("addPartialCertExtension: Error creating nid %i extension %s\n",
++ nid, value);
++ rc = -1;
++ }
++ }
+ if (rc == 0) {
+- rc = TSS_File_WriteBinaryFile(certificateDer, certificateDerLength , "tmpx509i.bin");
++ STACK_OF(X509_EXTENSION) *src =
++ X509v3_add_ext(&partialCertificate->extensions,
++ extension, /* the extension to add */
++ -1); /* location - append */
++ if (src == NULL) {
++ printf("addPartialCertExtension: Error adding nid %i extension %s\n",
++ nid, value);
++ }
+ }
+-#endif
+- /* extract the partialCertificate DER from the X509 DER */
+ if (rc == 0) {
+- rc = convertCertToPartialCert(partialCertificateDerLength,
+- partialCertificateDer, /* output partial */
+- certificateDerLength,
+- certificateDer); /* input X509 */
++ int irc = X509_add_ext(x509Certificate,
++ extension, /* the extension to add */
++ -1); /* location - append */
++ if (irc != 1) {
++ printf("addCertExtension: Error adding oid to extension\n");
++ }
++ }
++ if (extension != NULL) {
++ X509_EXTENSION_free(extension); /* @1 */
+ }
+- X509_NAME_free(x509IssuerName); /* @1 */
+- X509_NAME_free(x509SubjectName); /* @2 */
+- free(certificateDer); /* @4 */
+ return rc;
+ }
+
+-/* addCertExtension() adds the tpmaObject extension oid to the X509 certificate
++/* addPartialCertExtensionTpmaOid() adds the tpmaObject extension oid to the X509 certificate
+
+- */
++ */
+
+-TPM_RC addCertExtensionTpmaOid(X509 *x509Certificate, uint32_t tpmaObject)
++TPM_RC addPartialCertExtensionTpmaOid(TPM_PARTIAL_CERT *partialCertificate,
++ X509 *x509Certificate,
++ uint32_t tpmaObject)
+ {
+ TPM_RC rc = 0;
+ X509_EXTENSION *extension = NULL; /* freed @1 */
+
+
+ uint8_t tpmaObjectOid[] = {0x06, 0x07, 0x67, 0x81, 0x05, 0x0A, 0x01, 0x01, 0x01};
+- const uint8_t *tmpOidPtr;
++ const uint8_t *tmpOidPtr; /* const for d2i_ASN1_OBJECT */
+
+ /* BIT STRING 0x03 length 5 no padding 0, 4 dummy bytes of TPMA_OBJECT */
+ uint8_t tpmaObjectData[] = {0x03, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00};
+ ASN1_OBJECT *object = NULL;
+- ASN1_OCTET_STRING *osData = NULL;
++ ASN1_OCTET_STRING *osData = NULL;
+ uint8_t *tmpOdPtr;
+ uint32_t tpmaObjectNbo = htonl(tpmaObject);
+
++
++ /* create the object */
+ if (rc == 0) {
+- tmpOidPtr = tpmaObjectOid;
++ tmpOidPtr = tpmaObjectOid;
+ object = d2i_ASN1_OBJECT(NULL, &tmpOidPtr, sizeof(tpmaObjectOid)); /* freed @2 */
+ if (object == NULL) {
+- printf("d2i_ASN1_OBJECT failed\n");
++ printf("addPartialCertExtensionTpmaOid: d2i_ASN1_OBJECT failed\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ if (rc == 0) {
+ osData = ASN1_OCTET_STRING_new(); /* freed @3 */
+ if (osData == NULL) {
+- printf("d2i_ASN1_OCTET_STRING failed\n");
++ printf("addPartialCertExtensionTpmaOid: ASN1_OCTET_STRING_new failed\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
++ /* copy the TPMA_OBJECT bytes to the BIT STRING place holder, set the result in the
++ ASN1_OCTET_STRING */
+ if (rc == 0) {
+ tmpOdPtr = tpmaObjectData;
+ memcpy(tmpOdPtr + 3, &tpmaObjectNbo, sizeof(uint32_t));
+ ASN1_OCTET_STRING_set(osData, tmpOdPtr, sizeof (tpmaObjectData));
+ }
++ /* create the extension with the TPMA_OBJECT in the ASN1_OBJECT */
+ if (rc == 0) {
+ extension = X509_EXTENSION_create_by_OBJ(NULL, /* freed @1 */
+ object,
+- 0, /* int crit */
++ 0, /* int crit */
+ osData);
+ if (extension == NULL) {
+- printf("X509_EXTENSION_create_by_OBJ failed\n");
++ printf("addPartialCertExtensionTpmaOid: X509_EXTENSION_create_by_OBJ failed\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
++ /* append the extensions to the partial certificate stack */
++ if (rc == 0) {
++ STACK_OF(X509_EXTENSION) *src = X509v3_add_ext(&partialCertificate->extensions,
++ extension, /* the extension to add */
++ -1); /* location - append */
++ if (src == NULL) {
++ printf("addPartialCertExtensionTpmaOid: Error adding oid to extension\n");
++ }
++ }
++ /* append the extensions to the X509 certificate */
+ if (rc == 0) {
+- int irc = X509_add_ext(x509Certificate, /* the certificate */
++ int irc = X509_add_ext(x509Certificate, /* the certificate */
+ extension, /* the extension to add */
+ -1); /* location - append */
+ if (irc != 1) {
+- printf("addCertExtension: Error adding oid to extension\n");
++ printf("addPartialCertExtensionTpmaOid: Error adding oid to extension\n");
+ }
+ }
+ if (extension != NULL) {
+ X509_EXTENSION_free(extension); /* @1 */
+ }
+ if (object != NULL) {
+- ASN1_OBJECT_free(object); /* @2 */
++ ASN1_OBJECT_free(object); /* @2 */
+ }
+ if (osData != NULL) {
+ ASN1_OCTET_STRING_free(osData); /* @3 */
+@@ -813,327 +953,95 @@ TPM_RC addCertExtensionTpmaOid(X509 *x509Certificate, uint32_t tpmaObject)
+ return rc;
+ }
+
+-
+-/* convertCertToPartialCert() extracts the partialCertificate DER from the X509 DER
+-
+- It assumes that the input is well formed and has exactly the fields required.
+-*/
+-
+-TPM_RC convertCertToPartialCert(uint16_t *partialCertificateDerLength,
+- uint8_t *partialCertificateDer,
+- uint16_t certificateDerLength,
+- uint8_t *certificateDer)
+-{
+- TPM_RC rc = 0;
+- uint16_t certificateDerIndex = 0; /* index into the DER input */
+-
+-
+- certificateDerLength = certificateDerLength; /* FIXME for future error checking */
+- *partialCertificateDerLength = 0; /* updates on each call */
+-
+- /* skip the outer SEQUENCE wrapper */
+- if (rc == 0) {
+- if (verbose) printf("convertCertToPartialCert: Skip outer SEQUENCE wrapper\n");
+- rc = skipSequence(&certificateDerIndex, certificateDer);
+- }
+- /* skip the inner SEQUENCE wrapper, will be back filled with the total length */
+- if (rc == 0) {
+- if (verbose) printf("convertCertToPartialCert: Skip inner SEQUENCE wrapper\n");
+- rc = skipSequence(&certificateDerIndex, certificateDer);
+- }
+- /* skip the a3 wrapping the version */
+- if (rc == 0) {
+- if (verbose) printf("convertCertToPartialCert: Skip a3 version wrapper\n");
+- rc = copyType(0xa0, NULL, NULL, /* NULL says to skip */
+- &certificateDerIndex, certificateDer);
+- }
+- /* skip the integer (version) */
+- if (rc == 0) {
+- if (verbose) printf("convertCertToPartialCert: Skip version\n");
+- rc = copyType(0x02, NULL, NULL, /* NULL says to skip */
+- &certificateDerIndex, certificateDer);
+- }
+- /* skip the sequence (serial number) */
+- if (rc == 0) {
+- if (verbose) printf("convertCertToPartialCert: Skip serial number\n");
+- rc = copyType(0x30, NULL, NULL, /* NULL says to skip */
+- &certificateDerIndex, certificateDer);
+- }
+- /* copy the next SEQUENCE, issuer */
+- if (rc == 0) {
+- if (verbose) printf("convertCertToPartialCert: Copy issuer\n");
+- rc = copyType(0x30, partialCertificateDerLength, partialCertificateDer,
+- &certificateDerIndex, certificateDer);
+- }
+- /* copy the next SEQUENCE, validity */
+- if (rc == 0) {
+- if (verbose) printf("convertCertToPartialCert: Copy validity\n");
+- rc = copyType(0x30, partialCertificateDerLength, partialCertificateDer,
+- &certificateDerIndex, certificateDer);
+- }
+- /* copy the next SEQUENCE, subject */
+- if (rc == 0) {
+- if (verbose) printf("convertCertToPartialCert: Copy subject\n");
+- rc = copyType(0x30, partialCertificateDerLength, partialCertificateDer,
+- &certificateDerIndex, certificateDer);
+- }
+- /* skip the SEQUENCE (public key) */
+- if (rc == 0) {
+- if (verbose) printf("convertCertToPartialCert: Skip public key\n");
+- rc = copyType(0x30, NULL, NULL, /* NULL says to skip */
+- &certificateDerIndex, certificateDer);
+- }
+- /* copy the a3 and encapsulating sequence */
+- if (rc == 0) {
+- if (verbose) printf("convertCertToPartialCert: Copy a3 extensions\n");
+- rc = copyType(0xa3, partialCertificateDerLength, partialCertificateDer,
+- &certificateDerIndex, certificateDer);
+- }
+- /* shift and back fill the sequence length */
+- if (rc == 0) {
+- rc = prependSequence(partialCertificateDerLength, partialCertificateDer);
+- }
+- return rc;
+-}
+-
+-/* reformCertificate() starts with the X509 certificate used as the input partialCertificate
+- parameter plus a few fields like the version. It adds the output addedToCertificate and
+- signature values to reform the X509 certificate that the TPM signed.
+-*/
++/* reformCertificate() starts with the X509 certificate filled with the input partialCertificate
++ parameter. It adds the output addedToCertificate and signature values to reform the X509
++ certificate that the TPM signed. */
+
+ TPM_RC reformCertificate(X509 *x509Certificate,
+ TPMI_ALG_HASH halg,
+ TPMI_ALG_SIG_SCHEME scheme,
+- TPMI_ECC_CURVE curveID,
+- TPM2B_MAX_BUFFER *addedToCertificate,
++ TPM_ADDTOCERT *addToCert,
+ TPMT_SIGNATURE *tSignature)
+ {
+ TPM_RC rc = 0;
+- unsigned char *tmpAddedToCert = NULL;
+- /* size_t tmpAddedToCertLength = 0; FIXME better to sanity check length */
+-
+- /* the index increments, so this function must parse the addedToCertificate in its order */
+- uint16_t tmpAddedToCertIndex = 0;
+-
+- tmpAddedToCert = addedToCertificate->t.buffer;
+- /* tmpAddedToCertLength = addedToCertificate->t.size; */
+-
+- /* add serial number */
+- if (rc == 0) {
+- rc = addSerialNumber(x509Certificate,
+- tmpAddedToCert,
+- &tmpAddedToCertIndex);
+- }
+- if (scheme == TPM_ALG_RSASSA) {
+- /* add public key algorithm and public key */
+- if (rc == 0) {
+- rc = addPubKeyRsa(x509Certificate,
+- tmpAddedToCert,
+- &tmpAddedToCertIndex);
+- }
+- /* add certificate signature */
+- if (rc == 0) {
+- rc = addSignatureRsa(x509Certificate, halg, tSignature);
++ int irc;
++ long versionl;
++ EVP_PKEY *evpPubkey = NULL; /* EVP format public key to be certified */
++
++ /* version */
++#if OPENSSL_VERSION_NUMBER < 0x10100000
++ /* Older openssl does not has the uint64 function. This function is deprecated but OK since
++ X509 certificates never have a negative version. */
++ if (rc == 0) {
++ versionl= ASN1_INTEGER_get(addToCert->version);
++ if (versionl < 0) {
++ printf("reformCertificate: Error in ASN1_INTEGER_get version\n");
++ rc = TSS_RC_X509_ERROR;
+ }
+ }
+-#ifndef TPM_TSS_NOECC
+- else { /* scheme == TPM_ALG_ECDSA */
+- /* add public key */
+- if (rc == 0) {
+- rc = addPubKeyEcc(x509Certificate,
+- tmpAddedToCert,
+- &tmpAddedToCertIndex,
+- curveID);
++#else
++ if (rc == 0) {
++ uint64_t version64;
++ irc = ASN1_INTEGER_get_uint64(&version64, addToCert->version);
++ if (irc != 1) {
++ printf("reformCertificate: Error in ASN1_INTEGER_get_uint64 version\n");
++ rc = TSS_RC_X509_ERROR;
+ }
+- /* add certificate signature */
+- if (rc == 0) {
+- rc = addSignatureEcc(x509Certificate, halg, tSignature);
++ else if (version64 > LONG_MAX) {
++ printf("reformCertificate: Version out of range\n");
++ rc = TSS_RC_X509_ERROR;
++ }
++ else {
++ versionl = (long)version64;
+ }
+ }
+-#endif /* TPM_TSS_NOECC */
+- return rc;
+-}
+-
+-/* addSerialNumber() is the first call from reforming the certificate. tmpAddedToCertIndex will be
+- 0.
+-
+- After the call, tmpAddedToCertIndex will point after the serial number.
+-*/
+-
+-TPM_RC addSerialNumber(X509 *x509Certificate,
+- unsigned char *tmpAddedToCert,
+- uint16_t *tmpAddedToCertIndex)
+-{
+- TPM_RC rc = 0;
+- ASN1_INTEGER *x509Serial; /* certificate serial number in ASN1 */
+- BIGNUM *x509SerialBN; /* certificate serial number as a BIGNUM */
+- unsigned char x509SerialBin[1048]; /* certificate serial number in binary */
+- uint16_t integerLength = 0;
+-
+- /* FIXME check the size */
+-
+- x509SerialBN = NULL;
+-
+- /* skip outer sequence */
+- if (rc == 0) {
+- rc = skipSequence(tmpAddedToCertIndex, tmpAddedToCert);
+- }
+- /* skip version */
+- if (rc == 0) {
+- rc = copyType(0xa0, NULL, NULL, /* NULL says to skip */
+- tmpAddedToCertIndex, tmpAddedToCert);
+- }
+- /* get integer serial number from addedToCertificate */
+- if (rc == 0) {
+- rc = getInteger(&integerLength, x509SerialBin,
+- tmpAddedToCertIndex, tmpAddedToCert);
+- }
+- /* convert the integer stream to a BIGNUM */
++#endif
+ if (rc == 0) {
+- x509SerialBN = BN_bin2bn(x509SerialBin, integerLength, x509SerialBN); /* freed @1 */
+- if (x509SerialBN == NULL) {
+- printf("addSerialNumber: Error in serial number BN_bin2bn\n");
++ irc = X509_set_version(x509Certificate, versionl);
++ if (irc != 1) {
++ printf("reformCertificate: Error in X509_set_version\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+- /* add it into the final certificate */
++ /* serial number */
+ if (rc == 0) {
+- /* get the serial number structure member, can't fail */
+- x509Serial = X509_get_serialNumber(x509Certificate);
+- /* convert the BIGNUM to ASN1 and add to X509 certificate */
+- x509Serial = BN_to_ASN1_INTEGER(x509SerialBN, x509Serial);
+- if (x509Serial == NULL) {
+- printf("addSerialNumber: Error setting certificate serial number\n");
++ irc = X509_set_serialNumber(x509Certificate, addToCert->serialNumber);
++ if (irc != 1) {
++ printf("reformCertificate: Error in X509_set_serialNumber\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+- if (x509SerialBN != NULL) BN_clear_free(x509SerialBN ); /* @1
*/ +- return rc; +-} +- +-/* addPubKeyRsa() adds the public key to the certificate. tmpAddedToCertIndex must point to the +- public key. +- */ +- +-TPM_RC addPubKeyRsa(X509 *x509Certificate, +- unsigned char *tmpAddedToCert, +- uint16_t *tmpAddedToCertIndex) +-{ +- TPM_RC rc = 0; +- TPM2B_PUBLIC_KEY_RSA tpm2bRsa; +- uint16_t dataLength; +- +- /* skip the SEQUENCE with the Signature Algorithm object identifier */ +- if (rc == 0) { +- rc = copyType(0x30, NULL, NULL, /* NULL says to skip */ +- tmpAddedToCertIndex, tmpAddedToCert); +- } +- /* skip the SEQUENCE wrapper for the Subject Public Key Info */ +- if (rc == 0) { +- rc = skipSequence(tmpAddedToCertIndex, tmpAddedToCert); +- } +- /* skip the SEQUENCE Public Key Algorithm */ +- if (rc == 0) { +- rc = copyType(0x30, NULL, NULL, /* NULL says to skip */ +- tmpAddedToCertIndex, tmpAddedToCert); +- } +- /* skip the BIT STRING intoduction to the public key */ +- if (rc == 0) { +- rc = skipBitString(&dataLength, tmpAddedToCertIndex, tmpAddedToCert); +- } +- /* skip the SEQUENCE wrapper for the public key */ +- if (rc == 0) { +- rc = skipSequence(tmpAddedToCertIndex, tmpAddedToCert); +- } +- /* get the integer public modulus FIXME missing length check */ +- if (rc == 0) { +- rc = getInteger(&tpm2bRsa.t.size, tpm2bRsa.t.buffer, +- tmpAddedToCertIndex, tmpAddedToCert); +- } ++ /* public key including algorithm */ + if (rc == 0) { +- rc = addCertKeyRsa(x509Certificate, +- &tpm2bRsa); /* certified public key */ +- } +- /* skip the INTEGER public exponent - should not matter since it's the last item */ +- /* FIXME test for 010001 */ +- if (rc == 0) { +- uint16_t dummy; +- rc = getInteger(&dummy, NULL, +- tmpAddedToCertIndex, tmpAddedToCert); +- } +- return rc; +-} +- +-#ifndef TPM_TSS_NOECC +-/* addPubKeyEcc() adds the public key to the certificate. tmpAddedToCertIndex must point to the +- public key. +- +- Supports TPM_ECC_NIST_P256, TPM_ECC_NIST_P384. 
+-*/ +- +- +-TPM_RC addPubKeyEcc(X509 *x509Certificate, +- unsigned char *tmpAddedToCert, +- uint16_t *tmpAddedToCertIndex, +- TPMI_ECC_CURVE curveID) +-{ +- TPM_RC rc = 0; +- uint16_t dataLength; +- uint16_t pointSize; +- +- /* skip the SEQUENCE with the Signature Algorithm object identifier ecdsaWithSHAnnn */ +- if (rc == 0) { +- rc = copyType(0x30, NULL, NULL, /* NULL says to skip */ +- tmpAddedToCertIndex, tmpAddedToCert); +- } +- /* skip the SEQUENCE wrapper for the Subject Public Key Info */ +- if (rc == 0) { +- rc = skipSequence(tmpAddedToCertIndex, tmpAddedToCert); +- } +- /* skip the SEQUENCE Public Key Algorithm */ +- if (rc == 0) { +- rc = copyType(0x30, NULL, NULL, /* NULL says to skip */ +- tmpAddedToCertIndex, tmpAddedToCert); +- } +- /* skip the BIT STRING intoduction to the public key */ +- if (rc == 0) { +- rc = skipBitString(&dataLength, tmpAddedToCertIndex, tmpAddedToCert); ++ evpPubkey = X509_PUBKEY_get(addToCert->key); /* freed @1 */ ++ if (evpPubkey == NULL) { ++ printf("reformCertificate: X509_PUBKEY_get failed\n"); ++ rc = TSS_RC_OUT_OF_MEMORY; ++ } + } + if (rc == 0) { +- switch(curveID) { +- case TPM_ECC_NIST_P256: +- pointSize = 256/8; +- break; +- case TPM_ECC_NIST_P384: +- pointSize = 384/8; +- break; +- default: /* should never occur */ +- printf("addPubKeyEcc: Bad curveID %04x\n", curveID); +- rc = TSS_RC_BAD_SIGNATURE_ALGORITHM; +- break; ++ irc = X509_set_pubkey(x509Certificate, evpPubkey); ++ if (irc != 1) { ++ printf("reformCertificate: Error X509_set_pubkey failed\n"); ++ rc = TSS_RC_X509_ERROR; + } + } +- /* the next bytes are the 04, x and y */ ++ /* add certificate signature */ + if (rc == 0) { +- TPMT_PUBLIC tpmtPublic; +- +- *tmpAddedToCertIndex += 1; /* skip the 0x04 compression byte */ +- +- tpmtPublic.unique.ecc.x.t.size = pointSize; +- memcpy(tpmtPublic.unique.ecc.x.t.buffer, tmpAddedToCert + *tmpAddedToCertIndex, pointSize); +- *tmpAddedToCertIndex += pointSize; +- +- +- tpmtPublic.unique.ecc.y.t.size = pointSize; +- 
memcpy(tpmtPublic.unique.ecc.y.t.buffer, tmpAddedToCert + *tmpAddedToCertIndex, pointSize); +- *tmpAddedToCertIndex += pointSize; +- +- tpmtPublic.parameters.eccDetail.curveID = curveID; +- rc = addCertKeyEccT(x509Certificate, &tpmtPublic); ++ if (scheme == TPM_ALG_RSASSA) { ++ if (rc == 0) { ++ rc = addSignatureRsa(x509Certificate, halg, tSignature); ++ } ++ } ++ else { /* scheme == TPM_ALG_ECDSA */ ++ if (rc == 0) { ++ rc = addSignatureEcc(x509Certificate, halg, tSignature); ++ } ++ } + } ++ EVP_PKEY_free(evpPubkey); /* @1 **/ + return rc; + } +-#endif /* TPM_TSS_NOECC */ + + /* addSignatureRsa() copies the TPMT_SIGNATURE output of the TPM2_CertifyX509 command to the X509 + certificate. +@@ -1148,9 +1056,9 @@ TPM_RC addSignatureRsa(X509 *x509Certificate, + X509_ALGOR *signatureAlgorithm = NULL; + X509_ALGOR *certSignatureAlgorithm = NULL; + ASN1_BIT_STRING *asn1Signature = NULL; +- ++ + /* FIXME check sign length */ +- ++ + if (rc == 0) { + certSignatureAlgorithm = (X509_ALGOR *)X509_get0_tbs_sigalg(x509Certificate); + X509_get0_signature((OSSLCONST ASN1_BIT_STRING**)&asn1Signature, +@@ -1194,6 +1102,7 @@ TPM_RC addSignatureRsa(X509 *x509Certificate, + } + + #ifndef TPM_TSS_NOECC ++ + /* addSignatureEcc() copies the TPMT_SIGNATURE output of the TPM2_CertifyX509 command to the X509 + certificate. 
+ */ +@@ -1214,7 +1123,7 @@ TPM_RC addSignatureEcc(X509 *x509Certificate, + int ecdsaSigBinLength; + + /* FIXME check sign length */ +- ++ + if (rc == 0) { + certSignatureAlgorithm = (X509_ALGOR *)X509_get0_tbs_sigalg(x509Certificate); + X509_get0_signature((OSSLCONST ASN1_BIT_STRING**)&asn1Signature, +@@ -1319,211 +1228,6 @@ TPM_RC addSignatureEcc(X509 *x509Certificate, + } + #endif /* TPM_TSS_NOECC */ + +-/* getDataLength() checks the type, gets the length of the wrapper and following data */ +- +-TPM_RC getDataLength(uint8_t type, /* expected type */ +- uint16_t *wrapperLength, /* wrapper */ +- uint16_t *dataLength, /* data */ +- uint16_t *certificateDerIndex, +- uint8_t *certificateDer) +-{ +- TPM_RC rc = 0; +- uint32_t i = 0; +- uint16_t lengthLength = 0; /* number of length bytes */ +- +- /* validate the wrapper type */ +- if (rc == 0) { +- if (certificateDer[*certificateDerIndex] != type) { +- printf("getDataLength: index %u expect %02x actual %02x\n", +- *certificateDerIndex, type, certificateDer[*certificateDerIndex]); +- rc = TSS_RC_X509_ERROR; +- } +- } +- /* get the length */ +- if (rc == 0) { +- /* long form length starts with the 'length of the length' */ +- if ((certificateDer[*certificateDerIndex + 1] & 0x80)) { +- lengthLength = certificateDer[*certificateDerIndex + 1] & 0x7f; +- if (lengthLength <= sizeof(*dataLength)) { +- +- *dataLength = 0; +- for (i = 0 ; i < lengthLength ; i++) { +- *dataLength <<= (i * 8); +- *dataLength += certificateDer[*certificateDerIndex + 2 + i]; +- } +- } +- else { +- printf("getDataLength: lengthLength %u too large for uint16_t\n", lengthLength); +- rc = TSS_RC_X509_ERROR; +- } +- } +- /* short form length is in byte following type */ +- else { +- *dataLength = certificateDer[*certificateDerIndex + 1] & 0x7f; +- } +- } +- if (rc == 0) { +- *wrapperLength = 2 + lengthLength; +- if (verbose) printf("getDataLength: wrapperLength %u dataLength %u\n", +- *wrapperLength, *dataLength); +- } +- return rc; +-} +- +-/* 
skipSequence() moves the certificateDerIndex past the SEQUENCE and its length. I.e., it just +- skips the wrapper, not the contents +-*/ +- +-TPM_RC skipSequence(uint16_t *certificateDerIndex, uint8_t *certificateDer) +-{ +- TPM_RC rc = 0; +- uint16_t wrapperLength; +- uint16_t dataLength; +- +- if (rc == 0) { +- rc = getDataLength(0x30, /* variable length SEQUENCE */ +- &wrapperLength, +- &dataLength, +- certificateDerIndex, certificateDer); +- } +- if (rc == 0) { +- *certificateDerIndex += wrapperLength; +- } +- return rc; +-} +- +-/* skipBitString() moves the certificateDerIndex past the BIT STRING, its length, and its padding, +- not the contents +-*/ +- +-TPM_RC skipBitString(uint16_t *dataLength, +- uint16_t *certificateDerIndex, uint8_t *certificateDer) +-{ +- TPM_RC rc = 0; +- uint16_t wrapperLength; +- +- if (rc == 0) { +- rc = getDataLength(0x03, /* BIT STRING */ +- &wrapperLength, +- dataLength, +- certificateDerIndex, certificateDer); +- } +- if (rc == 0) { +- *certificateDerIndex += wrapperLength; +- *certificateDerIndex += 1; /* BIT STRING padding */ +- } +- return rc; +-} +- +-/* copyType() copies the type at certificateDerIndex to partialCertificateDer. 
+- +- certificateDerIndex and partialCertificateDerLength are updated +-*/ +- +-TPM_RC copyType(uint8_t type, /* expected type */ +- uint16_t *partialCertificateDerLength, uint8_t *partialCertificateDer, +- uint16_t *certificateDerIndex, uint8_t *certificateDer) +-{ +- TPM_RC rc = 0; +- uint16_t wrapperLength = 0; +- uint16_t dataLength = 0; +- +- if (rc == 0) { +- rc = getDataLength(type, +- &wrapperLength, +- &dataLength, +- certificateDerIndex, certificateDer); +- } +- if (rc == 0) { +- if (partialCertificateDer != NULL) { +- memcpy(partialCertificateDer + *partialCertificateDerLength, +- &(certificateDer[*certificateDerIndex]), +- wrapperLength + dataLength); +- *partialCertificateDerLength += wrapperLength + dataLength; +- } +- *certificateDerIndex += wrapperLength + dataLength; +- } +- return rc; +-} +- +-/* getInteger() copies the INTEGER data (not including the wrapper) to integerStream. +- +- certificateDerIndex is updated. +-*/ +- +-TPM_RC getInteger(uint16_t *integerDataLength, unsigned char *integerStream, +- uint16_t *certificateDerIndex, unsigned char *certificateDer) +-{ +- TPM_RC rc = 0; +- uint16_t wrapperLength = 0; +- +- if (rc == 0) { +- rc = getDataLength(0x02, /* INTEGER */ +- &wrapperLength, +- integerDataLength, +- certificateDerIndex, certificateDer); +- } +- if (rc == 0) { +- if (integerStream != NULL) { +- memcpy(integerStream, +- certificateDer + *certificateDerIndex + wrapperLength, +- *integerDataLength); +- } +- *certificateDerIndex += wrapperLength + *integerDataLength; +- } +- return rc; +-} +- +-/* prependSequence() shifts the DER down and back fills the SEQUENCE and length */ +- +-TPM_RC prependSequence(uint16_t *partialCertificateDerLength, uint8_t *partialCertificateDer) +-{ +- TPM_RC rc = 0; +- uint16_t prefixLength; +- uint16_t lengthLength = 0; +- uint16_t i = 0; +- +- if (verbose) printf("prependSequence: total length %u %04x\n", +- *partialCertificateDerLength, *partialCertificateDerLength); +- /* calculate the number of 
prepended bytes */ +- if (rc == 0) { +- /* long form length when greater than 7f */ +- if ((*partialCertificateDerLength) > 0x7f) { +- lengthLength = (*partialCertificateDerLength / 0x100) + 1; /* +1 to round up */ +- prefixLength = 2 + lengthLength; /* SEQUENCE + length of length + length bytes */ +- } +- /* short form length when up to 7f */ +- else { +- prefixLength = 2; /* SEQUENCE + length byte */ +- } +- } +- /* shift the partialCertificateDer down by prefix length */ +- if (rc == 0) { +- memmove(partialCertificateDer + prefixLength, +- partialCertificateDer, +- *partialCertificateDerLength); +- } +- /* construct the prefix */ +- if (rc == 0) { +- partialCertificateDer[0] = 0x30; /* SEQUENCE */ +- /* long form length */ +- if (lengthLength > 0) { +- partialCertificateDer[1] = 0x80 + lengthLength; /* byte 1 bit 7 set for long form */ +- for (i = 0 ; i < lengthLength ; i++) { /* start at byte 2 */ +- partialCertificateDer[2 + i] = /* add length bytes */ +- (*partialCertificateDerLength >> ((lengthLength - i - 1) * 8)) & 0xff; +- } +- } +- /* short form length */ +- else { +- /* just length for short form, cast safe bacause of above test */ +- partialCertificateDer[1] = (uint8_t)*partialCertificateDerLength; +- } +- *partialCertificateDerLength += prefixLength; /* adjust the total length of the DER */ +- } +- return rc; +-} +- + static void printUsage(void) + { + printf("\n"); +@@ -1550,7 +1254,7 @@ static void printUsage(void) + printf("\t\te.g. decrypt: critical,dataEncipherment,keyAgreement,encipherOnly,decipherOnly\n"); + printf("\t\te.g. fixedTPM: critical,nonRepudiation\n"); + printf("\t\te.g. 
parent (restrict decrypt): critical,keyEncipherment\n");
+-
++
+ printf("\t[-bit\tbit in partialCertificate to toggle]\n");
+ printf("\t[-sub\tsubject same as issuer for self signed (root) certificate]\n");
+ printf("\t[-opc\tpartial certificate file name (default do not save)]\n");
+@@ -1563,7 +1267,7 @@ static void printUsage(void)
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ printf("\t40\tresponse encrypt\n");
+- exit(1);
++ exit(1);
+ }
+
+ #endif /* TPM_TSS_MBEDTLS */
+diff --git a/utils/cryptoutils.c b/utils/cryptoutils.c
+index 7c4e931..eb5f0d2 100644
+--- a/utils/cryptoutils.c
++++ b/utils/cryptoutils.c
+@@ -4,7 +4,7 @@
+ /* Written by Ken Goldman */
+ /* IBM Thomas J. Watson Research Center */
+ /* */
+-/* (c) Copyright IBM Corporation 2018 - 2020. */
++/* (c) Copyright IBM Corporation 2018 - 2021. */
+ /* */
+ /* All rights reserved. */
+ /* */
+@@ -160,6 +160,36 @@ void RSA_get0_factors(const RSA *rsaKey,
+ return;
+ }
+
++static int ossl_x509_set1_time(ASN1_TIME **ptm, const ASN1_TIME *tm);
++
++int X509_set1_notBefore(X509 *x, const ASN1_TIME *tm)
++{
++ if (x == NULL)
++ return 0;
++ return ossl_x509_set1_time(&x->cert_info->validity->notBefore, tm);
++}
++
++int X509_set1_notAfter(X509 *x, const ASN1_TIME *tm)
++{
++ if (x == NULL)
++ return 0;
++ return ossl_x509_set1_time(&x->cert_info->validity->notAfter, tm);
++}
++
++static int ossl_x509_set1_time(ASN1_TIME **ptm, const ASN1_TIME *tm)
++{
++ ASN1_TIME *in;
++ in = *ptm;
++ if (in != tm) {
++ in = ASN1_STRING_dup(tm);
++ if (in != NULL) {
++ ASN1_TIME_free(*ptm);
++ *ptm = in;
++ }
++ }
++ return (in != NULL);
++}
++
+ #endif /* pre openssl 1.1 */
+
+ /* These functions are only required for OpenSSL 1.0.1 OpenSSL 1.0.2 has them, and the structures
+diff --git a/utils/cryptoutils.h b/utils/cryptoutils.h
+index c2ddc6c..03452de 100644
+--- a/utils/cryptoutils.h
++++ b/utils/cryptoutils.h
+@@ -4,7 +4,7 @@
+ /* Written by Ken Goldman */
+ /* IBM Thomas J.
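Review bot: The added X509_set1_notBefore/X509_set1_notAfter shims and their static helper carry no comment saying why they exist or who owns the ASN1_TIME, so a reader has to infer from the surrounding `#endif /* pre openssl 1.1 */` that they are only compiled for OpenSSL 1.0.x, where those two functions are not provided. A header comment above the forward declaration would settle both points: `/* OpenSSL 1.0.x lacks X509_set1_notBefore()/X509_set1_notAfter(); these back-ports copy tm via ASN1_STRING_dup(), so the caller keeps ownership of the ASN1_TIME it passes in. */`. Note that ossl_x509_set1_time reports success without copying when tm is already the stored pointer, which presumably mirrors the upstream helper and is intended, but is worth a word in the same comment.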
Watson Research Center */
+ /* */
+-/* (c) Copyright IBM Corporation 2017 - 2019. */
++/* (c) Copyright IBM Corporation 2017 - 2021. */
+ /* */
+ /* All rights reserved. */
+ /* */
+@@ -225,6 +225,9 @@ extern "C" {
+ void RSA_get0_factors(const RSA *rsaKey,
+ const BIGNUM **p,
+ const BIGNUM **q);
++ int X509_set1_notBefore(X509 *x, const ASN1_TIME *tm);
++ int X509_set1_notAfter(X509 *x, const ASN1_TIME *tm);
++ EVP_PKEY *X509_PUBKEY_get0(X509_PUBKEY *key);
+ #endif /* pre openssl 1.1 */
+
+ #if OPENSSL_VERSION_NUMBER < 0x10002000
+diff --git a/utils/regtests/testx509.sh b/utils/regtests/testx509.sh
+index 813085f..5640985 100755
+--- a/utils/regtests/testx509.sh
++++ b/utils/regtests/testx509.sh
+@@ -73,8 +73,6 @@ do
+ checkSuccess $?
+
+
+- # dumpasn1 -a -l -d tmpx509i.bin > tmpx509i1.dump
+- # dumpasn1 -a -l -d -hh tmpx509i.bin > tmpx509i1.dumphh
+ # dumpasn1 -a -l -d tmppart1.bin > tmppart1.dump
+ # dumpasn1 -a -l -d -hh tmppart1.bin > tmppart1.dumphh
+ # dumpasn1 -a -l -d tmpadd1.bin > tmpadd1.dump
+@@ -88,7 +86,7 @@ do
+ echo " INFO:"
+
+ echo "Verify ${SALG[i]} self signed issuer root"
+- openssl verify -CAfile tmpx5091.pem tmpx5091.pem > run.out 2>&1
++ openssl verify -check_ss_sig -CAfile tmpx5091.pem tmpx5091.pem > run.out 2>&1
+ grep -q OK run.out
+ checkSuccess $?
+
+@@ -96,8 +94,6 @@ do
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg ${HALG[i]} -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin ${SALG[i]} -iob 00040472 > run.out
+ checkSuccess $?
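Review bot: The new prototype `EVP_PKEY *X509_PUBKEY_get0(X509_PUBKEY *key);` has no matching definition in the cryptoutils.c hunk of this patch, which adds only X509_set1_notBefore and X509_set1_notAfter, and the caller in reformCertificate uses the allocating X509_PUBKEY_get() (freed at `@1`), not the get0 variant. If no definition exists elsewhere for the pre-1.1 build this is a dangling declaration that will only surface as a link error once something calls it; if one does exist, the prototype and the call site disagree on which function is meant. Either drop the prototype or add the shim the pre-1.1 build actually needs, and give the three declarations a one-line comment such as `/* back-ports of OpenSSL 1.1 APIs for OpenSSL 1.0.x builds */` to match the `#endif /* pre openssl 1.1 */` they sit under.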
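Review bot: The reason for `-check_ss_sig` is not recorded next to the command, and it is the substance of this change: without the flag `openssl verify` accepts a self-signed certificate in the trust store without checking its signature, so a defective TPM-produced self-signature on the root would have passed this test before. A comment on the line above the command, `# -check_ss_sig: also verify the root's self-signature, which openssl verify otherwise skips for trust-store certificates`, would keep the flag from being dropped as noise later. The same applies to the `@@ -111,7 +107,7 @@` hunk, where the flag is added to the subject-against-issuer verification.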
+
+- # dumpasn1 -a -l -d tmpx509i.bin > tmpx509i2.dump
+- # dumpasn1 -a -l -d -hh tmpx509i.bin > tmpx509i2.dumphh
+ # dumpasn1 -a -l -d tmppart2.bin > tmppart2.dump
+ # dumpasn1 -a -l -d -hh tmppart2.bin > tmppart2.dumphhe
+ # dumpasn1 -a -l -d tmpadd2.bin > tmpadd2.dump
+@@ -111,7 +107,7 @@ do
+ echo " INFO:"
+
+ echo "Verify ${SALG[i]} subject against issuer"
+- openssl verify -CAfile tmpx5091.pem tmpx5092.pem > run.out 2>&1
++ openssl verify -check_ss_sig -CAfile tmpx5091.pem tmpx5092.pem > run.out 2>&1
+ grep -q OK run.out
+ checkSuccess $?
+
+@@ -333,7 +329,6 @@ rm -r tmpsig1.bin
+ rm -r tmpx5091.bin
+ rm -r tmpx5091.pem
+ rm -r tmpx5092.pem
+-rm -r tmpx509i.bin
+ rm -r tmppart2.bin
+ rm -r tmpadd2.bin
+ rm -r tmptbs2.bin
+-- 
+2.34.1
+
diff --git a/SOURCES/0002-Update-SHA-1-to-SHA-256-in-tests-without-restricting.patch b/SOURCES/0002-Update-SHA-1-to-SHA-256-in-tests-without-restricting.patch
new file mode 100644
index 0000000..bf9022a
--- /dev/null
+++ b/SOURCES/0002-Update-SHA-1-to-SHA-256-in-tests-without-restricting.patch
@@ -0,0 +1,600 @@ +From 14ccbe9112e21fe62d5cbbbebeae71ec38b77e4a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Hor=C3=A1=C4=8Dek?= + +Date: Thu, 17 Feb 2022 16:29:39 +0100 +Subject: [PATCH 2/4] Update SHA-1 to SHA-256 in tests without restricting the + scope +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Štěpán Horáček +--- + utils/policies/policycountertimer.bin | Bin 20 -> 32 bytes + utils/policies/policycphash.bin | Bin 20 -> 32 bytes + utils/policies/policycphash.txt | 2 +- + utils/policies/policycphashhash.bin | 2 +- + utils/policies/policynvargs.txt | Bin 13 -> 12 bytes + utils/policies/policynvnv.bin | Bin 20 -> 32 bytes + utils/policies/policynvnv.txt | 2 +- + utils/policies/policypcr.bin | 2 +- + utils/policies/policypcr0.txt | 2 +- + utils/policies/policypcrbm0.bin | Bin 20 -> 32 bytes + utils/policies/policywrittenset.bin | 2 +- + utils/reg.sh | 2 + + utils/regtests/testchangeauth.sh | 4 +- + utils/regtests/testevict.sh | 12 ++-- + utils/regtests/testnv.sh | 6 +- + utils/regtests/testpolicy.sh | 80 +++++++++++++------------- + utils/regtests/testrsa.sh | 8 +-- + utils/regtests/testsign.sh | 12 ++-- + 18 files changed, 69 insertions(+), 67 deletions(-) + +diff --git a/utils/policies/policycountertimer.bin b/utils/policies/policycountertimer.bin +index f767440113ab39251794257628b34f761ae05121..8937a155bdcdc535e5f013a03ce58fd5a193a6fd 100644 +GIT binary patch +literal 32 +ocmeBTv0vY?A&j>pRZ{#s$085m*E`r54EYbFMa|K0nsfat0L0V`*#H0l + +literal 20 +ccmaFX(x@JK!18iNvf_!!0jhUbsX5I80B48^c>n+a + +diff --git a/utils/policies/policycphash.bin b/utils/policies/policycphash.bin +index 1c357a65cc7cf408bc27d0a2a5c6a0735778e5ed..0f998b85ac2b6620049e350b0c31cc38b2f7414a 100644 +GIT binary patch +literal 32 +qcmV+*0N?)`MNQmbPb!)?)%V_-p09oM)7XSbN + +diff --git a/utils/policies/policynvnv.txt b/utils/policies/policynvnv.txt +index a124ea9..5d3d62e 100644 +--- a/utils/policies/policynvnv.txt ++++ 
b/utils/policies/policynvnv.txt +@@ -1 +1 @@ +-000001492c513f149e737ec4063fc1d37aee9beabc4b4bbf00042234b8df7cdf8605ee0a2088ac7dfe34c6566c5c +\ No newline at end of file ++0000014915ec7bf0b50732b49f8228e07d24365338f9e3ab994b00af08e5a3bffe55fd8b000b45a8f4283309cd5ef189746d7526786f712eb3df9960508ee343d3e63376bc6c +\ No newline at end of file +diff --git a/utils/policies/policypcr.bin b/utils/policies/policypcr.bin +index 8f69740..2597338 100644 +--- a/utils/policies/policypcr.bin ++++ b/utils/policies/policypcr.bin +@@ -1 +1 @@ +-3<`C4o7!v +\ No newline at end of file ++Վ|Or3pRwT 6 +\ No newline at end of file +diff --git a/utils/policies/policypcr0.txt b/utils/policies/policypcr0.txt +index b61f288..cd09bbf 100644 +--- a/utils/policies/policypcr0.txt ++++ b/utils/policies/policypcr0.txt +@@ -1 +1 @@ +-0000000000000000000000000000000000000000 +\ No newline at end of file ++0000000000000000000000000000000000000000000000000000000000000000 +diff --git a/utils/policies/policypcrbm0.bin b/utils/policies/policypcrbm0.bin +index bd0f292e05dc793b2831fec273c2eefa7b3a9672..666ea3c731d2f46d4d94768cab4464ff0bb0e5af 100644 +GIT binary patch +literal 32 +ocmb>Z5cE02?1^I8ss%e3mgaqqyRPviCuhr<=Bo*jp4^KQ0V0YJ<^TWy + +literal 20 +bcmd0`@U(b%wL7eEQs@+Ww#>9`zjTxVT?`1l + +diff --git a/utils/policies/policywrittenset.bin b/utils/policies/policywrittenset.bin +index 4f6bb8c..4ed9066 100644 +--- a/utils/policies/policywrittenset.bin ++++ b/utils/policies/policywrittenset.bin +@@ -1 +1 @@ +-0sH_e" +\ No newline at end of file ++}ӋSzaHE run.out ++ ${PREFIX}sign -hk 80000001 -halg sha256 -if policies/aaa -os sig.bin -pwdk sig ${SESS} > run.out + checkSuccess $? + + echo "Sign a digest with the changed key" +- ${PREFIX}sign -hk 80000002 -halg sha1 -if policies/aaa -os sig.bin -pwdk xxx > run.out ++ ${PREFIX}sign -hk 80000002 -halg sha256 -if policies/aaa -os sig.bin -pwdk xxx > run.out + checkSuccess $? 
+
+ echo "Flush the key"
+diff --git a/utils/regtests/testevict.sh b/utils/regtests/testevict.sh
+index 761eaa8..8f2806f 100755
+--- a/utils/regtests/testevict.sh
++++ b/utils/regtests/testevict.sh
+@@ -58,11 +58,11 @@ ${PREFIX}evictcontrol -ho 80000001 -hp 81800000 -hi p > run.out
+ checkSuccess $?
+
+ echo "Sign a digest with the transient key"
+-${PREFIX}sign -hk 80000001 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
++${PREFIX}sign -hk 80000001 -halg sha256 -if policies/aaa -os sig.bin -pwdk sig > run.out
+ checkSuccess $?
+
+ echo "Sign a digest with the persistent key"
+-${PREFIX}sign -hk 81800000 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
++${PREFIX}sign -hk 81800000 -halg sha256 -if policies/aaa -os sig.bin -pwdk sig > run.out
+ checkSuccess $?
+
+ echo "Flush the transient key"
+@@ -74,11 +74,11 @@ ${PREFIX}flushcontext -ha 81800000 > run.out
+ checkFailure $?
+
+ echo "Sign a digest with the transient key- should fail"
+-${PREFIX}sign -hk 80000001 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
++${PREFIX}sign -hk 80000001 -halg sha256 -if policies/aaa -os sig.bin -pwdk sig > run.out
+ checkFailure $?
+
+ echo "Sign a digest with the persistent key"
+-${PREFIX}sign -hk 81800000 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
++${PREFIX}sign -hk 81800000 -halg sha256 -if policies/aaa -os sig.bin -pwdk sig > run.out
+ checkSuccess $?
+
+ echo "Flush the persistent key"
+@@ -86,11 +86,11 @@ ${PREFIX}evictcontrol -ho 81800000 -hp 81800000 -hi p > run.out
+ checkSuccess $?
+
+ echo "Sign a digest with the persistent key - should fail"
+-${PREFIX}sign -hk 81800000 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
++${PREFIX}sign -hk 81800000 -halg sha256 -if policies/aaa -os sig.bin -pwdk sig > run.out
+ checkFailure $?
+
+ echo "Sign a digest with the transient key - should fail"
+-${PREFIX}sign -hk 80000001 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
++${PREFIX}sign -hk 80000001 -halg sha256 -if policies/aaa -os sig.bin -pwdk sig > run.out
+ checkFailure $?
+
+ # ${PREFIX}getcapability -cap 1 -pr 80000000
+diff --git a/utils/regtests/testnv.sh b/utils/regtests/testnv.sh
+index b941f2e..39a9a18 100755
+--- a/utils/regtests/testnv.sh
++++ b/utils/regtests/testnv.sh
+@@ -56,7 +56,7 @@ checkSuccess $?
+ NALG=(${ITERATE_ALGS})
+ BADNALG=(${BAD_ITERATE_ALGS})
+
+-for ((i = 0 ; i < 4; i++))
++for ((i = 0 ; i < ${ITERATE_ALGS_COUNT}; i++))
+ do
+
+ for SESS in "" "-se0 02000000 1"
+@@ -212,10 +212,10 @@ checkSuccess $?
+ for SESS in "" "-se0 02000000 1"
+ do
+
+- SZ=(20 32 48 64)
++ SZ=(${ITERATE_ALGS_SIZES})
+ HALG=(${ITERATE_ALGS})
+
+- for ((i = 0 ; i < 4; i++))
++ for ((i = 0 ; i < ${ITERATE_ALGS_COUNT}; i++))
+ do
+
+ echo "NV Define Space ${HALG[$i]}"
+diff --git a/utils/regtests/testpolicy.sh b/utils/regtests/testpolicy.sh
+index e2e8bec..971e67f 100755
+--- a/utils/regtests/testpolicy.sh
++++ b/utils/regtests/testpolicy.sh
+@@ -752,17 +752,17 @@ echo "Policy PCR no select"
+ echo ""
+
+ # create AND term for policy PCR
+-# > policymakerpcr -halg sha1 -bm 0 -v -pr -of policies/policypcr.txt
++# > policymakerpcr -halg sha256 -bm 0 -v -pr -of policies/policypcr.txt
+ # 0000017f00000001000403000000da39a3ee5e6b4b0d3255bfef95601890afd80709
+
+ # convert to binary policy
+-# > policymaker -halg sha1 -if policies/policypcr.txt -of policies/policypcrbm0.bin -pr -v
++# > policymaker -halg sha256 -if policies/policypcr.txt -of policies/policypcrbm0.bin -pr -v
+
+ # 6d 38 49 38 e1 d5 8b 56 71 92 55 94 3f 06 69 66
+ # b6 fa 2c 23
+
+ echo "Create a signing key with policy PCR no select"
+-${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -nalg sha1 -pol policies/policypcrbm0.bin > run.out
++${PREFIX}create -hp 80000000 -si -kt f 
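Review bot: The loop bounds in both testnv.sh hunks (`@@ -56,7 +56,7 @@` and `@@ -212,10 +212,10 @@`) now depend on a separate variable, ITERATE_ALGS_COUNT, that has to be kept in step with ITERATE_ALGS and ITERATE_ALGS_SIZES by hand; the diffstat shows reg.sh gaining two lines, presumably those definitions, but that hunk is not visible here. If the variable is ever unset, `for ((i = 0 ; i < ; i++))` is an arithmetic syntax error rather than a cleanly skipped loop. Deriving the bound from the array the loop indexes avoids both problems: `for ((i = 0 ; i < ${#NALG[@]}; i++))` in the first hunk and `for ((i = 0 ; i < ${#HALG[@]}; i++))` in the second.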
-kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -nalg sha256 -pol policies/policypcrbm0.bin > run.out
+ checkSuccess $?
+
+ echo "Load the signing key under the primary key"
+@@ -770,11 +770,11 @@ ${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Start a policy session"
+-${PREFIX}startauthsession -halg sha1 -se p > run.out
++${PREFIX}startauthsession -halg sha256 -se p > run.out
+ checkSuccess $?
+
+ echo "Policy PCR, update with the correct digest"
+-${PREFIX}policypcr -ha 03000000 -halg sha1 -bm 0 > run.out
++${PREFIX}policypcr -ha 03000000 -halg sha256 -bm 0 > run.out
+ checkSuccess $?
+
+ echo "Policy get digest - should be 6d 38 49 38 ... "
+@@ -790,11 +790,11 @@ ${PREFIX}policyrestart -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Policy PCR, update with the correct digest"
+-${PREFIX}policypcr -ha 03000000 -halg sha1 -bm 0 > run.out
++${PREFIX}policypcr -ha 03000000 -halg sha256 -bm 0 > run.out
+ checkSuccess $?
+
+ echo "PCR extend PCR 0, updates pcr counter"
+-${PREFIX}pcrextend -ha 0 -halg sha1 -if policies/aaa > run.out
++${PREFIX}pcrextend -ha 0 -halg sha256 -if policies/aaa > run.out
+ checkSuccess $?
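Review bot: The comment lines in this hunk were switched to `-halg sha256` but the recorded results beneath them were not regenerated: `# 0000017f00000001000403000000da39a3ee5e6b4b0d3255bfef95601890afd80709` still carries the 0004 (TPM_ALG_SHA1) PCR selection and a 20-byte digest, and `# 6d 38 49 38 ... b6 fa 2c 23` is still a 20-byte policy, as is the `echo "Policy get digest - should be 6d 38 49 38 ... "` text in the following hunk. The policy fixtures in this patch were regenerated (policynvnv.txt now records a 32-byte argument hash and a 000b-prefixed Name), so these comments no longer match what the quoted commands produce and will mislead whoever next rebuilds a policy by hand. The same stale values remain in the `@@ -816,17 +816,17 @@` hunk (including `# policypcr0.txt has 20 * 00`, although the file now holds 64 hex zeros, i.e. 32 bytes), the `@@ -903,21 +903,21 @@` hunk and the `@@ -1326,12 +1326,12 @@` hunk; please paste the new outputs or replace them with a note that the SHA-256 values live in the .bin files.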
+
+ echo "Sign, should fail"
+@@ -816,17 +816,17 @@ echo ""
+ # policypcr0.txt has 20 * 00
+
+ # create AND term for policy PCR
+-# > policymakerpcr -halg sha1 -bm 010000 -if policies/policypcr0.txt -v -pr -of policies/policypcr.txt
++# > policymakerpcr -halg sha256 -bm 010000 -if policies/policypcr0.txt -v -pr -of policies/policypcr.txt
+ # 0000017f000000010004030000016768033e216468247bd031a0a2d9876d79818f8f
+
+ # convert to binary policy
+-# > policymaker -halg sha1 -if policies/policypcr.txt -of policies/policypcr.bin -pr -v
++# > policymaker -halg sha256 -if policies/policypcr.txt -of policies/policypcr.bin -pr -v
+
+ # 85 33 11 83 19 03 12 f5 e8 3c 60 43 34 6f 9f 37
+ # 21 04 76 8e
+
+ echo "Create a signing key with policy PCR PCR 16 zero"
+-${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -nalg sha1 -pol policies/policypcr.bin > run.out
++${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -nalg sha256 -pol policies/policypcr.bin > run.out
+ checkSuccess $?
+
+ echo "Load the signing key under the primary key"
+@@ -838,11 +838,11 @@ ${PREFIX}pcrreset -ha 16 > run.out
+ checkSuccess $?
+
+ echo "Read PCR 16, should be 00 00 00 00 ..."
+-${PREFIX}pcrread -ha 16 -halg sha1 > run.out
++${PREFIX}pcrread -ha 16 -halg sha256 > run.out
+ checkSuccess $?
+
+ echo "Start a policy session"
+-${PREFIX}startauthsession -se p -halg sha1 > run.out
++${PREFIX}startauthsession -se p -halg sha256 > run.out
+ checkSuccess $?
+
+ echo "Sign, policy not satisfied - should fail"
+@@ -850,7 +850,7 @@ ${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+ checkFailure $?
+
+ echo "Policy PCR, update with the correct digest"
+-${PREFIX}policypcr -ha 03000000 -halg sha1 -bm 10000 > run.out
++${PREFIX}policypcr -ha 03000000 -halg sha256 -bm 10000 > run.out
+ checkSuccess $?
+
+ echo "Policy get digest - should be 85 33 11 83 ..."
+@@ -862,19 +862,19 @@ ${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+ checkSuccess $?
+
+ echo "PCR extend PCR 16"
+-${PREFIX}pcrextend -ha 16 -halg sha1 -if policies/aaa > run.out
++${PREFIX}pcrextend -ha 16 -halg sha256 -if policies/aaa > run.out
+ checkSuccess $?
+
+ echo "Read PCR 0, should be 1d 47 f6 8a ..."
+-${PREFIX}pcrread -ha 16 -halg sha1 > run.out
++${PREFIX}pcrread -ha 16 -halg sha256 > run.out
+ checkSuccess $?
+
+ echo "Start a policy session"
+-${PREFIX}startauthsession -se p -halg sha1 > run.out
++${PREFIX}startauthsession -se p -halg sha256 > run.out
+ checkSuccess $?
+
+ echo "Policy PCR, update with the wrong digest"
+-${PREFIX}policypcr -ha 03000000 -halg sha1 -bm 10000 > run.out
++${PREFIX}policypcr -ha 03000000 -halg sha256 -bm 10000 > run.out
+ checkSuccess $?
+
+ echo "Policy get digest - should be 66 dd e5 e3"
+@@ -903,21 +903,21 @@ checkSuccess $?
+ #
+ # policynvargs.txt (binary)
+ # args = hash of 0000 0000 0000 0000 | 0000 | 0000 (eight bytes of zero | offset | op ==)
+-# hash -hi n -halg sha1 -if policies/policynvargs.txt -v
+-# openssl dgst -sha1 policies/policynvargs.txt
++# hash -hi n -halg sha256 -if policies/policynvargs.txt -v
++# openssl dgst -sha256 policies/policynvargs.txt
+ # 2c513f149e737ec4063fc1d37aee9beabc4b4bbf
+ #
+ # NV authorizing index
+ #
+ # after defining index and NV write to set written, use
+-# ${PREFIX}nvreadpublic -ha 01000000 -nalg sha1
++# ${PREFIX}nvreadpublic -ha 01000000 -nalg sha256
+ # to get name
+ # 00042234b8df7cdf8605ee0a2088ac7dfe34c6566c5c
+ #
+ # append Name to policynvnv.txt
+ #
+ # convert to binary policy
+-# > policymaker -halg sha1 -if policies/policynvnv.txt -of policies/policynvnv.bin -pr -v
++# > policymaker -halg sha256 -if policies/policynvnv.txt -of policies/policynvnv.bin -pr -v
+ # bc 9b 4c 4f 7b 00 66 19 5b 1d d9 9c 92 7e ad 57 e7 1c 2a fc
+ #
+ # file zero8.bin has 8 bytes of hex zero
+@@ -927,11 +927,11 @@ echo "Policy NV, NV index authorizing"
+ echo "" + + echo "Define a setbits index, authorizing index" +-${PREFIX}nvdefinespace -hi p -nalg sha1 -ha 01000000 -pwdn nnn -ty b > run.out ++${PREFIX}nvdefinespace -hi p -nalg sha256 -ha 01000000 -pwdn nnn -ty b > run.out + checkSuccess $? + + echo "NV Read public, get Name, not written" +-${PREFIX}nvreadpublic -ha 01000000 -nalg sha1 > run.out ++${PREFIX}nvreadpublic -ha 01000000 -nalg sha256 > run.out + checkSuccess $? + + echo "NV setbits to set written" +@@ -939,7 +939,7 @@ ${PREFIX}nvsetbits -ha 01000000 -pwdn nnn > run.out + checkSuccess $? + + echo "NV Read public, get Name, written" +-${PREFIX}nvreadpublic -ha 01000000 -nalg sha1 > run.out ++${PREFIX}nvreadpublic -ha 01000000 -nalg sha256 > run.out + checkSuccess $? + + echo "NV Read, should be zero" +@@ -947,11 +947,11 @@ ${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 8 > run.out + checkSuccess $? + + echo "Define an ordinary index, authorized index, policyNV" +-${PREFIX}nvdefinespace -hi p -nalg sha1 -ha 01000001 -pwdn nnn -sz 2 -ty o -pol policies/policynvnv.bin > run.out ++${PREFIX}nvdefinespace -hi p -nalg sha256 -ha 01000001 -pwdn nnn -sz 2 -ty o -pol policies/policynvnv.bin > run.out + checkSuccess $? + + echo "NV Read public, get Name, not written" +-${PREFIX}nvreadpublic -ha 01000001 -nalg sha1 > run.out ++${PREFIX}nvreadpublic -ha 01000001 -nalg sha256 > run.out + checkSuccess $? + + echo "NV write to set written" +@@ -959,7 +959,7 @@ ${PREFIX}nvwrite -ha 01000001 -pwdn nnn -ic aa > run.out + checkSuccess $? + + echo "Start policy session" +-${PREFIX}startauthsession -se p -halg sha1 > run.out ++${PREFIX}startauthsession -se p -halg sha256 > run.out + checkSuccess $? 
+ + echo "NV write, policy not satisfied - should fail" +@@ -1015,15 +1015,15 @@ echo "Policy NV Written" + echo "" + + echo "Define an ordinary index, authorized index, policyNV" +-${PREFIX}nvdefinespace -hi p -nalg sha1 -ha 01000000 -pwdn nnn -sz 2 -ty o -pol policies/policywrittenset.bin > run.out ++${PREFIX}nvdefinespace -hi p -nalg sha256 -ha 01000000 -pwdn nnn -sz 2 -ty o -pol policies/policywrittenset.bin > run.out + checkSuccess $? + + echo "NV Read public, get Name, not written" +-${PREFIX}nvreadpublic -ha 01000000 -nalg sha1 > run.out ++${PREFIX}nvreadpublic -ha 01000000 -nalg sha256 > run.out + checkSuccess $? + + echo "Start policy session" +-${PREFIX}startauthsession -se p -halg sha1 > run.out ++${PREFIX}startauthsession -se p -halg sha256 > run.out + checkSuccess $? + + echo "NV write, policy not satisfied - should fail" +@@ -1043,7 +1043,7 @@ ${PREFIX}flushcontext -ha 03000000 > run.out + checkSuccess $? + + echo "Start policy session" +-${PREFIX}startauthsession -se p -halg sha1 > run.out ++${PREFIX}startauthsession -se p -halg sha256 > run.out + checkSuccess $? + + echo "Policy NV Written yes, satisfy policy" +@@ -1063,7 +1063,7 @@ ${PREFIX}nvwrite -ha 01000000 -ic aa -pwdn nnn > run.out + checkSuccess $? + + echo "Start policy session" +-${PREFIX}startauthsession -se p -halg sha1 > run.out ++${PREFIX}startauthsession -se p -halg sha256 > run.out + checkSuccess $? + + echo "Policy NV Written yes, satisfy policy" +@@ -1079,7 +1079,7 @@ ${PREFIX}flushcontext -ha 03000000 > run.out + checkSuccess $? + + echo "Start policy session" +-${PREFIX}startauthsession -se p -halg sha1 > run.out ++${PREFIX}startauthsession -se p -halg sha256 > run.out + checkSuccess $? + + echo "Policy NV Written no" +@@ -1326,12 +1326,12 @@ checkSuccess $? 
+ + # test using clockrateadjust + # policycphashhash.txt is (hex) 00000130 4000000c 000 +-# hash -if policycphashhash.txt -oh policycphashhash.bin -halg sha1 -v +-# openssl dgst -sha1 policycphashhash.txt ++# hash -if policycphashhash.txt -oh policycphashhash.bin -halg sha256 -v ++# openssl dgst -sha256 policycphashhash.txt + # cpHash is + # b5f919bbc01f0ebad02010169a67a8c158ec12f3 + # append to policycphash.txt 00000163 + cpHash +-# policymaker -halg sha1 -if policies/policycphash.txt -of policies/policycphash.bin -pr ++# policymaker -halg sha256 -if policies/policycphash.txt -of policies/policycphash.bin -pr + # 06 e4 6c f9 f3 c7 0f 30 10 18 7c a6 72 69 b0 84 b4 52 11 6f + + echo "" +@@ -1339,7 +1339,7 @@ echo "Policy cpHash" + echo "" + + echo "Set the platform policy to policy cpHash" +-${PREFIX}setprimarypolicy -hi p -pol policies/policycphash.bin -halg sha1 > run.out ++${PREFIX}setprimarypolicy -hi p -pol policies/policycphash.bin -halg sha256 > run.out + checkSuccess $? + + echo "Clockrate adjust using wrong password - should fail" +@@ -1347,7 +1347,7 @@ ${PREFIX}clockrateadjust -hi p -pwdp ppp -adj 0 > run.out + checkFailure $? + + echo "Start policy session" +-${PREFIX}startauthsession -se p -halg sha1 > run.out ++${PREFIX}startauthsession -se p -halg sha256 > run.out + checkSuccess $? + + echo "Clockrate adjust, policy not satisfied - should fail" +@@ -1690,7 +1690,7 @@ echo "Policy Counter Timer" + echo "" + + echo "Set the platform policy to policy " +-${PREFIX}setprimarypolicy -hi p -pol policies/policycountertimer.bin -halg sha1 > run.out ++${PREFIX}setprimarypolicy -hi p -pol policies/policycountertimer.bin -halg sha256 > run.out + checkSuccess $? + + echo "Clockrate adjust using wrong password - should fail" +@@ -1698,7 +1698,7 @@ ${PREFIX}clockrateadjust -hi p -pwdp ppp -adj 0 > run.out + checkFailure $? 
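Review bot: The cpHash recipe comment in this hunk now reads `openssl dgst -sha256`, but the cpHash it records, `b5f919bbc01f0ebad02010169a67a8c158ec12f3`, and the resulting policy digest `06 e4 6c f9 ... 11 6f` are both 20 bytes, i.e. the SHA-1 values from before the change. With the policy session for this test now started with `-halg sha256`, the TPM computes cpHash with SHA-256, so policies/policycphash.bin has to be rebuilt from a 32-byte cpHash for the PolicyCpHash check to pass; whether the patch ships a regenerated .bin is not visible here. Please paste the sha256 cpHash and policy digest into the comment so the recipe and the binary it describes agree.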
+ + echo "Start policy session" +-${PREFIX}startauthsession -se p -halg sha1 > run.out ++${PREFIX}startauthsession -se p -halg sha256 > run.out + checkSuccess $? + + echo "Clockrate adjust, policy not satisfied - should fail" +diff --git a/utils/regtests/testrsa.sh b/utils/regtests/testrsa.sh +index 4f76522..6e25398 100755 +--- a/utils/regtests/testrsa.sh ++++ b/utils/regtests/testrsa.sh +@@ -131,10 +131,10 @@ do + ${PREFIX}load -hp 80000000 -ipu derrsa${BITS}pub.bin -ipr derrsa${BITS}priv.bin -pwdp sto > run.out + checkSuccess $? + ++ HSIZ=(${ITERATE_ALGS_SIZES}) + HALG=(${ITERATE_ALGS}) +- HSIZ=("20" "32" "48" "64") + +- for ((i = 0 ; i < 4 ; i++)) ++ for ((i = 0 ; i < ${ITERATE_ALGS_COUNT} ; i++)) + do + + echo "Decrypt/Sign with a caller specified OID - ${HALG[i]}" +@@ -298,7 +298,7 @@ echo "Encrypt with OpenSSL OAEP, decrypt with TPM" + echo "" + + echo "Create OAEP encryption key" +-${PREFIX}create -hp 80000000 -pwdp sto -deo -kt f -kt p -halg sha1 -opr tmpprivkey.bin -opu tmppubkey.bin -opem tmppubkey.pem > run.out ++${PREFIX}create -hp 80000000 -pwdp sto -deo -kt f -kt p -halg sha256 -opr tmpprivkey.bin -opu tmppubkey.bin -opem tmppubkey.pem > run.out + checkSuccess $? + + echo "Load encryption key at 80000001" +@@ -306,7 +306,7 @@ ${PREFIX}load -hp 80000000 -pwdp sto -ipr tmpprivkey.bin -ipu tmppubkey.bin > r + checkSuccess $? + + echo "Encrypt using OpenSSL and the PEM public key" +-openssl rsautl -oaep -encrypt -inkey tmppubkey.pem -pubin -in policies/aaa -out enc.bin > run.out 2>&1 ++openssl pkeyutl -encrypt -inkey tmppubkey.pem -pubin -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -in policies/aaa -out enc.bin > run.out 2>&1 + checkSuccess $? 
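Review bot: The new loop bound `for ((i = 0 ; i < ${ITERATE_ALGS_COUNT} ; i++))` is a third variable that must be kept in step with both `HALG` and `HSIZ`; if the algorithm list changes without the count, the loop indexes past the arrays and `${HALG[i]}` expands to an empty string, which the surrounding checkSuccess calls would not notice. Deriving the bound from the array, `for ((i = 0 ; i < ${#HALG[@]} ; i++))`, removes the coupling, and a guard `[ ${#HALG[@]} -eq ${#HSIZ[@]} ] || exit 1` catches a mismatched ITERATE_ALGS/ITERATE_ALGS_SIZES pair early. Those variables are presumably defined in reg.sh, which is outside this hunk.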
+ + echo "Decrypt using TPM key at 80000001" +diff --git a/utils/regtests/testsign.sh b/utils/regtests/testsign.sh +index edfa014..8a99bbf 100755 +--- a/utils/regtests/testsign.sh ++++ b/utils/regtests/testsign.sh +@@ -302,14 +302,14 @@ echo "" + # > openssl dgst -sha1 -sign rsaprivkey.pem -passin pass:rrrr -out pssig.bin msg.bin + + echo "Load external just the public part of PEM RSA" +-${PREFIX}loadexternal -halg sha1 -nalg sha1 -ipem policies/rsapubkey.pem > run.out ++${PREFIX}loadexternal -halg sha256 -nalg sha256 -ipem policies/rsapubkey.pem > run.out + checkSuccess $? + + echo "Sign a test message with openssl RSA" +-openssl dgst -sha1 -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin msg.bin > run.out 2>&1 ++openssl dgst -sha256 -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin msg.bin > run.out 2>&1 + + echo "Verify the RSA signature" +-${PREFIX}verifysignature -hk 80000001 -halg sha1 -if msg.bin -is pssig.bin -raw > run.out ++${PREFIX}verifysignature -hk 80000001 -halg sha256 -if msg.bin -is pssig.bin -raw > run.out + checkSuccess $? + + echo "Flush the signing key" +@@ -328,14 +328,14 @@ for CURVE in p256 p384 + do + + echo "Load external just the public part of PEM ECC ${CURVE}" +- ${PREFIX}loadexternal -halg sha1 -nalg sha1 -ipem policies/${CURVE}pubkey.pem -ecc > run.out ++ ${PREFIX}loadexternal -halg sha256 -nalg sha256 -ipem policies/${CURVE}pubkey.pem -ecc > run.out + checkSuccess $? + + echo "Sign a test message with openssl ECC ${CURVE}" +- openssl dgst -sha1 -sign policies/${CURVE}privkey.pem -out pssig.bin msg.bin > run.out 2>&1 ++ openssl dgst -sha256 -sign policies/${CURVE}privkey.pem -out pssig.bin msg.bin > run.out 2>&1 + + echo "Verify the ECC signature ${CURVE}" +- ${PREFIX}verifysignature -hk 80000001 -halg sha1 -if msg.bin -is pssig.bin -raw -ecc > run.out ++ ${PREFIX}verifysignature -hk 80000001 -halg sha256 -if msg.bin -is pssig.bin -raw -ecc > run.out + checkSuccess $? 
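Review bot: The pkeyutl line pins only the OAEP digest, `-pkeyopt rsa_oaep_md:sha256`, and leaves the MGF1 digest to OpenSSL's default; OpenSSL falls back to the OAEP digest when rsa_mgf1_md is unset, so this works today, but the TPM's OAEP encoding uses a single hash for label and mask and this test is exactly where the two implementations are pinned against each other. Adding `-pkeyopt rsa_mgf1_md:sha256` states the intent and protects the test against a different default or provider configuration. The rsadecrypt step that consumes enc.bin is outside this hunk, so I could not confirm it is also invoked with sha256.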
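Review bot: The context comment at the top of this hunk, `# > openssl dgst -sha1 -sign rsaprivkey.pem -passin pass:rrrr -out pssig.bin msg.bin`, still documents the SHA-1 recipe while the live command two lines below is now `openssl dgst -sha256 -sign ...`; it should read `# > openssl dgst -sha256 -sign rsaprivkey.pem -passin pass:rrrr -out pssig.bin msg.bin` so the two do not disagree. Separately, the `openssl dgst -sign` step has no `checkSuccess $?` after it, unlike every other command in the hunk, so an OpenSSL failure would surface only as a confusing verifysignature error; that gap predates the change but is cheap to close here.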
+ + echo "Flush the ECC ${CURVE} signing key" +-- +2.34.1 + diff --git a/SOURCES/0002-utils-Remove-unused-variables-from-certifyx509.patch b/SOURCES/0002-utils-Remove-unused-variables-from-certifyx509.patch new file mode 100644 index 0000000..18a41b2 --- /dev/null +++ b/SOURCES/0002-utils-Remove-unused-variables-from-certifyx509.patch @@ -0,0 +1,54 @@ +From 87120cf7fedcfc063ba5cd28ae4571909209a547 Mon Sep 17 00:00:00 2001 +From: Ken Goldman +Date: Mon, 23 Aug 2021 17:30:56 -0400 +Subject: [PATCH 2/7] utils: Remove unused variables from certifyx509 + +notBefore and notAfter are set driectly in the partialCertificate +structure, and that is used to directly set the x509 structure. + +Signed-off-by: Ken Goldman +--- + utils/certifyx509.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/utils/certifyx509.c b/utils/certifyx509.c +index ed42ac0..44640aa 100644 +--- a/utils/certifyx509.c ++++ b/utils/certifyx509.c +@@ -204,6 +204,7 @@ int main(int argc, char *argv[]) + setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */ + TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1"); + ++ curveID = curveID; /* no longer used, get from parent */ + /* command line argument defaults */ + for (i=1 ; (ivalidity->notBefore); + if (irc == 0) { + printf("createPartialCertificate: Error setting notBefore time\n"); +@@ -737,7 +734,6 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate, /* input / + } + } + if (rc == 0) { +- notAfter = X509_get_notAfter(x509Certificate); + irc = X509_set1_notAfter(x509Certificate,partialCertificate->validity->notAfter); + if (irc == 0) { + printf("createPartialCertificate: Error setting notAfter time\n"); +-- +2.34.1 + diff --git a/SOURCES/0003-Restrict-the-usage-of-SHA-1-in-code-examples.patch b/SOURCES/0003-Restrict-the-usage-of-SHA-1-in-code-examples.patch new file mode 100644 index 0000000..edb866d --- /dev/null +++ b/SOURCES/0003-Restrict-the-usage-of-SHA-1-in-code-examples.patch 
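Review bot: The added line `curveID = curveID; /* no longer used, get from parent */` is a self-assignment used to silence an unused-variable warning; clang flags exactly this pattern with -Wself-assign, and it leaves a dead variable in main() for the next reader to puzzle over. The conventional forms are `(void)curveID;` or, better, deleting the declaration and its command-line handling if the value really is taken from the parent now. The patch text here looks garbled (the hunk runs into the notBefore removal without a header), so I can only vouch for this first line; the rest of main() is outside the hunk.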
@@ -0,0 +1,1329 @@ +From 8004d7ddc5e1bd7809f6a385908ceff216061187 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Hor=C3=A1=C4=8Dek?= + +Date: Thu, 17 Feb 2022 19:02:10 +0100 +Subject: [PATCH 3/4] Restrict the usage of SHA-1 in code examples +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Due to SHA-1 not being considered secure, it should be not used for +cryptographical purposes. This commit disables the usage of SHA-1 in +cases where it is used in potentially exploitable situations, most +notably for creating signatures. + +Signed-off-by: Štěpán Horáček +--- + configure.ac | 4 ++++ + utils/certify.c | 7 ++----- + utils/certifycreation.c | 7 ++----- + utils/create.c | 10 ++-------- + utils/createloaded.c | 10 ++-------- + utils/createprimary.c | 10 ++-------- + utils/cryptoutils.c | 3 --- + utils/getcommandauditdigest.c | 7 ++----- + utils/getsessionauditdigest.c | 7 ++----- + utils/gettime.c | 7 ++----- + utils/hash.c | 7 ++----- + utils/hashsequencestart.c | 7 ++----- + utils/hmac.c | 7 ++----- + utils/hmacstart.c | 7 ++----- + utils/importpem.c | 14 ++++---------- + utils/loadexternal.c | 14 ++++---------- + utils/man/man1/tsscertify.1 | 2 +- + utils/man/man1/tsscertifycreation.1 | 2 +- + utils/man/man1/tsscreate.1 | 4 ++-- + utils/man/man1/tsscreateloaded.1 | 4 ++-- + utils/man/man1/tsscreateprimary.1 | 4 ++-- + utils/man/man1/tssgetcommandauditdigest.1 | 2 +- + utils/man/man1/tssgetsessionauditdigest.1 | 2 +- + utils/man/man1/tssgettime.1 | 2 +- + utils/man/man1/tsshash.1 | 2 +- + utils/man/man1/tsshashsequencestart.1 | 2 +- + utils/man/man1/tsshmac.1 | 2 +- + utils/man/man1/tsshmacstart.1 | 2 +- + utils/man/man1/tssimportpem.1 | 4 ++-- + utils/man/man1/tssloadexternal.1 | 4 ++-- + utils/man/man1/tssnvcertify.1 | 2 +- + utils/man/man1/tssnvdefinespace.1 | 2 +- + utils/man/man1/tssnvreadpublic.1 | 2 +- + utils/man/man1/tsspolicymaker.1 | 2 +- + utils/man/man1/tsspolicysigned.1 | 2 +- + 
utils/man/man1/tsspublicname.1 | 4 ++-- + utils/man/man1/tssquote.1 | 2 +- + utils/man/man1/tssrsadecrypt.1 | 2 +- + utils/man/man1/tsssetcommandcodeauditstatus.1 | 2 +- + utils/man/man1/tsssetprimarypolicy.1 | 2 +- + utils/man/man1/tsssign.1 | 2 +- + utils/man/man1/tssstartauthsession.1 | 2 +- + utils/man/man1/tssverifysignature.1 | 2 +- + utils/nvcertify.c | 7 ++----- + utils/nvdefinespace.c | 8 ++------ + utils/nvreadpublic.c | 7 ++----- + utils/objecttemplates.c | 4 ++-- + utils/policymaker.c | 7 ++----- + utils/policysigned.c | 7 ++----- + utils/publicname.c | 14 ++++---------- + utils/quote.c | 7 ++----- + utils/reg.sh | 17 +++++++++++++---- + utils/regtests/testattest.sh | 15 ++++++++++----- + utils/regtests/testevent.sh | 2 +- + utils/rsadecrypt.c | 12 ++---------- + utils/setcommandcodeauditstatus.c | 7 ++----- + utils/setprimarypolicy.c | 5 +---- + utils/sign.c | 7 ++----- + utils/startauthsession.c | 7 ++----- + utils/verifysignature.c | 7 ++----- + 60 files changed, 122 insertions(+), 212 deletions(-) + +diff --git a/configure.ac b/configure.ac +index ad870b1..4e4052e 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -123,6 +123,10 @@ AC_ARG_ENABLE(rmtpm, + AM_CONDITIONAL([CONFIG_RMTPM], [test "x$enable_rmtpm" = "xyes"]) + AS_IF([test "$enable_rmtpm" != "yes"], [enable_rmtpm="no"]) + ++AC_ARG_ENABLE(restricted-hash-alg, ++ AS_HELP_STRING([--enable-restricted-hash-alg], [Restrict usage of SHA-1])) ++ AS_IF([test "$enable_restricted_hash_alg" = "yes"], [CFLAGS="-DRESTRICTED_HASH_ALG $CFLAGS"]) ++ + AC_CONFIG_FILES([Makefile + utils/Makefile + utils12/Makefile +diff --git a/utils/certify.c b/utils/certify.c +index f1f54d0..f3cfc84 100644 +--- a/utils/certify.c ++++ b/utils/certify.c +@@ -128,10 +128,7 @@ int main(int argc, char *argv[]) + else if (strcmp(argv[i],"-halg") == 0) { + i++; + if (i < argc) { +- if (strcmp(argv[i],"sha1") == 0) { +- halg = TPM_ALG_SHA1; +- } +- else if (strcmp(argv[i],"sha256") == 0) { ++ if (strcmp(argv[i],"sha256") == 0) { + 
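Review bot: The new `--enable-restricted-hash-alg` option defines `RESTRICTED_HASH_ALG` in CFLAGS, but none of the C hunks visible in this excerpt that drop the `sha1` branches (certify.c, create.c, hash.c, cryptoutils.c, ...) test that macro; as far as this patch shows, SHA-1 is removed unconditionally and the switch only affects whatever other files consume the define, which are not visible here. Either the removals should sit under `#ifndef RESTRICTED_HASH_ALG` so a default build keeps interoperating with existing SHA-1 keys and NV indexes, or the help text should say what the option actually toggles. Stylistically, `AC_DEFINE([RESTRICTED_HASH_ALG], [1], [Restrict usage of SHA-1])` is the autoconf idiom rather than editing CFLAGS, and the `AS_IF` line appears indented under `AC_ARG_ENABLE` although it is a separate statement.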
halg = TPM_ALG_SHA256; + } + else if (strcmp(argv[i],"sha384") == 0) { +@@ -397,7 +394,7 @@ static void printUsage(void) + printf("\t[-pwdo\tpassword for object (default empty)]\n"); + printf("\t-hk\tcertifying key handle\n"); + printf("\t[-pwdk\tpassword for key (default empty)]\n"); +- printf("\t[-halg\t(sha1, sha256, sha384 sha512) (default sha256)]\n"); ++ printf("\t[-halg\t(sha256, sha384 sha512) (default sha256)]\n"); + printf("\t[-salg\tsignature algorithm (rsa, ecc, hmac) (default rsa)]\n"); + printf("\t[-qd\tqualifying data file name]\n"); + printf("\t[-os\tsignature file name (default do not save)]\n"); +diff --git a/utils/certifycreation.c b/utils/certifycreation.c +index ab54c0a..20377d2 100644 +--- a/utils/certifycreation.c ++++ b/utils/certifycreation.c +@@ -121,10 +121,7 @@ int main(int argc, char *argv[]) + else if (strcmp(argv[i],"-halg") == 0) { + i++; + if (i < argc) { +- if (strcmp(argv[i],"sha1") == 0) { +- halg = TPM_ALG_SHA1; +- } +- else if (strcmp(argv[i],"sha256") == 0) { ++ if (strcmp(argv[i],"sha256") == 0) { + halg = TPM_ALG_SHA256; + } + else if (strcmp(argv[i],"sha384") == 0) { +@@ -437,7 +434,7 @@ static void printUsage(void) + printf("\t-ho\tobject handle\n"); + printf("\t-hk\tcertifying key handle\n"); + printf("\t[-pwdk\tpassword for key (default empty)]\n"); +- printf("\t[-halg\t(sha1, sha256, sha384) (default sha256)]\n"); ++ printf("\t[-halg\t(sha256, sha384) (default sha256)]\n"); + printf("\t[-salg\tsignature algorithm (rsa, ecc) (default rsa)]\n"); + printf("\t[-qd\tqualifying data file name]\n"); + printf("\t-tk\tinput ticket file name\n"); +diff --git a/utils/create.c b/utils/create.c +index a8b805c..93c5d43 100644 +--- a/utils/create.c ++++ b/utils/create.c +@@ -239,10 +239,7 @@ int main(int argc, char *argv[]) + else if (strcmp(argv[i],"-halg") == 0) { + i++; + if (i < argc) { +- if (strcmp(argv[i],"sha1") == 0) { +- halg = TPM_ALG_SHA1; +- } +- else if (strcmp(argv[i],"sha256") == 0) { ++ if (strcmp(argv[i],"sha256") == 
0) { + halg = TPM_ALG_SHA256; + } + else if (strcmp(argv[i],"sha384") == 0) { +@@ -264,10 +261,7 @@ int main(int argc, char *argv[]) + else if (strcmp(argv[i],"-nalg") == 0) { + i++; + if (i < argc) { +- if (strcmp(argv[i],"sha1") == 0) { +- nalg = TPM_ALG_SHA1; +- } +- else if (strcmp(argv[i],"sha256") == 0) { ++ if (strcmp(argv[i],"sha256") == 0) { + nalg = TPM_ALG_SHA256; + } + else if (strcmp(argv[i],"sha384") == 0) { +diff --git a/utils/createloaded.c b/utils/createloaded.c +index d54f791..a21bbda 100644 +--- a/utils/createloaded.c ++++ b/utils/createloaded.c +@@ -235,10 +235,7 @@ int main(int argc, char *argv[]) + else if (strcmp(argv[i],"-halg") == 0) { + i++; + if (i < argc) { +- if (strcmp(argv[i],"sha1") == 0) { +- halg = TPM_ALG_SHA1; +- } +- else if (strcmp(argv[i],"sha256") == 0) { ++ if (strcmp(argv[i],"sha256") == 0) { + halg = TPM_ALG_SHA256; + } + else if (strcmp(argv[i],"sha384") == 0) { +@@ -257,10 +254,7 @@ int main(int argc, char *argv[]) + else if (strcmp(argv[i],"-nalg") == 0) { + i++; + if (i < argc) { +- if (strcmp(argv[i],"sha1") == 0) { +- nalg = TPM_ALG_SHA1; +- } +- else if (strcmp(argv[i],"sha256") == 0) { ++ if (strcmp(argv[i],"sha256") == 0) { + nalg = TPM_ALG_SHA256; + } + else if (strcmp(argv[i],"sha384") == 0) { +diff --git a/utils/createprimary.c b/utils/createprimary.c +index 52ae083..d6374dd 100644 +--- a/utils/createprimary.c ++++ b/utils/createprimary.c +@@ -246,10 +246,7 @@ int main(int argc, char *argv[]) + else if (strcmp(argv[i],"-halg") == 0) { + i++; + if (i < argc) { +- if (strcmp(argv[i],"sha1") == 0) { +- halg = TPM_ALG_SHA1; +- } +- else if (strcmp(argv[i],"sha256") == 0) { ++ if (strcmp(argv[i],"sha256") == 0) { + halg = TPM_ALG_SHA256; + } + else if (strcmp(argv[i],"sha384") == 0) { +@@ -271,10 +268,7 @@ int main(int argc, char *argv[]) + else if (strcmp(argv[i],"-nalg") == 0) { + i++; + if (i < argc) { +- if (strcmp(argv[i],"sha1") == 0) { +- nalg = TPM_ALG_SHA1; +- } +- else if (strcmp(argv[i],"sha256") == 0) { 
++ if (strcmp(argv[i],"sha256") == 0) { + nalg = TPM_ALG_SHA256; + } + else if (strcmp(argv[i],"sha384") == 0) { +diff --git a/utils/cryptoutils.c b/utils/cryptoutils.c +index 57eade7..7b5de79 100644 +--- a/utils/cryptoutils.c ++++ b/utils/cryptoutils.c +@@ -2025,9 +2025,6 @@ TPM_RC signRSAFromRSA(uint8_t *signature, size_t *signatureLength, + /* map the hash algorithm to the openssl NID */ + if (rc == 0) { + switch (hashAlg) { +- case TPM_ALG_SHA1: +- nid = NID_sha1; +- break; + case TPM_ALG_SHA256: + nid = NID_sha256; + break; +diff --git a/utils/getcommandauditdigest.c b/utils/getcommandauditdigest.c +index a219785..cc67a17 100644 +--- a/utils/getcommandauditdigest.c ++++ b/utils/getcommandauditdigest.c +@@ -117,10 +117,7 @@ int main(int argc, char *argv[]) + else if (strcmp(argv[i],"-halg") == 0) { + i++; + if (i < argc) { +- if (strcmp(argv[i],"sha1") == 0) { +- halg = TPM_ALG_SHA1; +- } +- else if (strcmp(argv[i],"sha256") == 0) { ++ if (strcmp(argv[i],"sha256") == 0) { + halg = TPM_ALG_SHA256; + } + else if (strcmp(argv[i],"sha384") == 0) { +@@ -381,7 +378,7 @@ static void printUsage(void) + printf("\t[-pwde\tendorsement hierarchy password (default empty)]\n"); + printf("\t-hk\tsigning key handle\n"); + printf("\t[-pwdk\tpassword for key (default empty)]\n"); +- printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n"); ++ printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n"); + printf("\t[-salg\tsignature algorithm (rsa, ecc, hmac) (default rsa)]\n"); + printf("\t[-qd\tqualifying data file name]\n"); + printf("\t[-os\tsignature file name (default do not save)]\n"); +diff --git a/utils/getsessionauditdigest.c b/utils/getsessionauditdigest.c +index 61b12e6..e0706a1 100644 +--- a/utils/getsessionauditdigest.c ++++ b/utils/getsessionauditdigest.c +@@ -128,10 +128,7 @@ int main(int argc, char *argv[]) + else if (strcmp(argv[i],"-halg") == 0) { + i++; + if (i < argc) { +- if (strcmp(argv[i],"sha1") == 0) { +- halg = TPM_ALG_SHA1; +- } +- 
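Review bot: Dropping `case TPM_ALG_SHA1:` from the switch in signRSAFromRSA sends a caller passing TPM_ALG_SHA1 into the `default:` branch, which is outside this hunk; please confirm it sets `rc` to an error and does not leave `nid` uninitialized for the later signing call, since the hunk no longer gives SHA-1 a value. This is shared library code rather than one tool's option parser, so the change also affects any caller with a legitimate SHA-1 key; if that is intended it deserves a comment such as `/* TPM_ALG_SHA1 deliberately unsupported, see --enable-restricted-hash-alg */`, and if not, the case belongs under `#ifndef RESTRICTED_HASH_ALG` rather than being deleted. The rest of signRSAFromRSA is outside the hunk.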
else if (strcmp(argv[i],"sha256") == 0) { ++ if (strcmp(argv[i],"sha256") == 0) { + halg = TPM_ALG_SHA256; + } + else if (strcmp(argv[i],"sha384") == 0) { +@@ -377,7 +374,7 @@ static void printUsage(void) + printf("\t[-hk\tsigning key handle]\n"); + printf("\t[-pwdk\tpassword for key (default empty)]\n"); + printf("\t-hs\taudit session handle\n"); +- printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n"); ++ printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n"); + printf("\t[-qd\tqualifying data file name]\n"); + printf("\t[-os\tsignature file name (default do not save)]\n"); + printf("\t[-oa\tattestation output file name (default do not save)]\n"); +diff --git a/utils/gettime.c b/utils/gettime.c +index b07baf1..2e4b819 100644 +--- a/utils/gettime.c ++++ b/utils/gettime.c +@@ -118,10 +118,7 @@ int main(int argc, char *argv[]) + else if (strcmp(argv[i],"-halg") == 0) { + i++; + if (i < argc) { +- if (strcmp(argv[i],"sha1") == 0) { +- halg = TPM_ALG_SHA1; +- } +- else if (strcmp(argv[i],"sha256") == 0) { ++ if (strcmp(argv[i],"sha256") == 0) { + halg = TPM_ALG_SHA256; + } + else if (strcmp(argv[i],"sha384") == 0) { +@@ -381,7 +378,7 @@ static void printUsage(void) + printf("\t-hk\tsigning key handle\n"); + printf("\t[-pwdk\tpassword for signing key (default empty)]\n"); + printf("\t[-pwde\tpassword for endorsement hierarchy (default empty)]\n"); +- printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n"); ++ printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n"); + printf("\t[-salg\tsignature algorithm (rsa, ecc, hmac) (default rsa)]\n"); + printf("\t[-qd\tqualifying data file name]\n"); + printf("\t[-os\tsignature file name (default do not save)]\n"); +diff --git a/utils/hash.c b/utils/hash.c +index 71b8a7c..e21ff8c 100644 +--- a/utils/hash.c ++++ b/utils/hash.c +@@ -93,10 +93,7 @@ int main(int argc, char *argv[]) + else if (strcmp(argv[i],"-halg") == 0) { + i++; + if (i < argc) { +- if (strcmp(argv[i],"sha1") == 0) 
{ +- halg = TPM_ALG_SHA1; +- } +- else if (strcmp(argv[i],"sha256") == 0) { ++ if (strcmp(argv[i],"sha256") == 0) { + halg = TPM_ALG_SHA256; + } + else if (strcmp(argv[i],"sha384") == 0) { +@@ -300,7 +297,7 @@ static void printUsage(void) + printf("\n"); + printf("\t[-hi\thierarchy (e, o, p, n) (default null)]\n"); + printf("\t\te endorsement, o owner, p platform, n null\n"); +- printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n"); ++ printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n"); + printf("\t-if\tinput file to be hashed\n"); + printf("\t-ic\tdata string to be hashed\n"); + printf("\t[-ns\tno space, no text, no newlines]\n"); +diff --git a/utils/hashsequencestart.c b/utils/hashsequencestart.c +index d54fadd..8b1e6fc 100644 +--- a/utils/hashsequencestart.c ++++ b/utils/hashsequencestart.c +@@ -87,10 +87,7 @@ int main(int argc, char *argv[]) + else if (strcmp(argv[i],"-halg") == 0) { + i++; + if (i < argc) { +- if (strcmp(argv[i],"sha1") == 0) { +- hashAlg = TPM_ALG_SHA1; +- } +- else if (strcmp(argv[i],"sha256") == 0) { ++ if (strcmp(argv[i],"sha256") == 0) { + hashAlg = TPM_ALG_SHA256; + } + else if (strcmp(argv[i],"sha384") == 0) { +@@ -243,7 +240,7 @@ static void printUsage(void) + printf("Runs TPM2_HashSequenceStart\n"); + printf("\n"); + printf("\t[-pwda\tpassword for sequence (default empty)]\n"); +- printf("\t[-halg\t(sha1, sha256, sha384, sha512, null) (default sha256)]\n"); ++ printf("\t[-halg\t(sha256, sha384, sha512, null) (default sha256)]\n"); + printf("\t\tnull is an event sequence\n"); + printf("\n"); + printf("\t-se[0-2] session handle / attributes (default NULL)\n"); +diff --git a/utils/hmac.c b/utils/hmac.c +index be63e1b..7ea325d 100644 +--- a/utils/hmac.c ++++ b/utils/hmac.c +@@ -105,10 +105,7 @@ int main(int argc, char *argv[]) + else if (strcmp(argv[i],"-halg") == 0) { + i++; + if (i < argc) { +- if (strcmp(argv[i],"sha1") == 0) { +- halg = TPM_ALG_SHA1; +- } +- else if (strcmp(argv[i],"sha256") == 0) { ++ 
if (strcmp(argv[i],"sha256") == 0) { + halg = TPM_ALG_SHA256; + } + else if (strcmp(argv[i],"sha384") == 0) { +@@ -343,7 +340,7 @@ static void printUsage(void) + printf("\n"); + printf("\t-hk\tkey handle\n"); + printf("\t[-pwdk\tpassword for key (default empty)]\n"); +- printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n"); ++ printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n"); + printf("\t-if\tinput file to be HMACed\n"); + printf("\t-ic\tdata string to be HMACed\n"); + printf("\t[-os\thmac file name (default do not save)]\n"); +diff --git a/utils/hmacstart.c b/utils/hmacstart.c +index 3fdd0f9..4463376 100644 +--- a/utils/hmacstart.c ++++ b/utils/hmacstart.c +@@ -109,10 +109,7 @@ int main(int argc, char *argv[]) + else if (strcmp(argv[i],"-halg") == 0) { + i++; + if (i < argc) { +- if (strcmp(argv[i],"sha1") == 0) { +- halg = TPM_ALG_SHA1; +- } +- else if (strcmp(argv[i],"sha256") == 0) { ++ if (strcmp(argv[i],"sha256") == 0) { + halg = TPM_ALG_SHA256; + } + else if (strcmp(argv[i],"sha384") == 0) { +@@ -270,7 +267,7 @@ static void printUsage(void) + printf("\t-hk\tkey handle\n"); + printf("\t-pwdk\tpassword for key (default empty)\n"); + printf("\t-pwda\tpassword for sequence (default empty)\n"); +- printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n"); ++ printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n"); + printf("\n"); + printf("\t-se[0-2] session handle / attributes (default PWAP)\n"); + printf("\t01\tcontinue\n"); +diff --git a/utils/importpem.c b/utils/importpem.c +index 38ad125..cbf3794 100644 +--- a/utils/importpem.c ++++ b/utils/importpem.c +@@ -215,10 +215,7 @@ int main(int argc, char *argv[]) + else if (strcmp(argv[i],"-halg") == 0) { + i++; + if (i < argc) { +- if (strcmp(argv[i],"sha1") == 0) { +- halg = TPM_ALG_SHA1; +- } +- else if (strcmp(argv[i],"sha256") == 0) { ++ if (strcmp(argv[i],"sha256") == 0) { + halg = TPM_ALG_SHA256; + } + else if (strcmp(argv[i],"sha384") == 0) { +@@ 
-240,10 +237,7 @@ int main(int argc, char *argv[]) + else if (strcmp(argv[i],"-nalg") == 0) { + i++; + if (i < argc) { +- if (strcmp(argv[i],"sha1") == 0) { +- nalg = TPM_ALG_SHA1; +- } +- else if (strcmp(argv[i],"sha256") == 0) { ++ if (strcmp(argv[i],"sha256") == 0) { + nalg = TPM_ALG_SHA256; + } + else if (strcmp(argv[i],"sha384") == 0) { +@@ -478,8 +472,8 @@ static void printUsage(void) + printf("\t[-uwa\tuserWithAuth attribute clear (default set)]\n"); + printf("\t-opu\tpublic area file name\n"); + printf("\t-opr\tprivate area file name\n"); +- printf("\t[-nalg\tname hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n"); +- printf("\t[-halg\tscheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n"); ++ printf("\t[-nalg\tname hash algorithm (sha256, sha384, sha512) (default sha256)]\n"); ++ printf("\t[-halg\tscheme hash algorithm (sha256, sha384, sha512) (default sha256)]\n"); + printf("\t[-pol\tpolicy file (default empty)]\n"); + printf("\n"); + printf("\t-se[0-2] session handle / attributes (default PWAP)\n"); +diff --git a/utils/loadexternal.c b/utils/loadexternal.c +index 877501c..fc8cd1a 100644 +--- a/utils/loadexternal.c ++++ b/utils/loadexternal.c +@@ -127,10 +127,7 @@ int main(int argc, char *argv[]) + else if (strcmp(argv[i],"-halg") == 0) { + i++; + if (i < argc) { +- if (strcmp(argv[i],"sha1") == 0) { +- halg = TPM_ALG_SHA1; +- } +- else if (strcmp(argv[i],"sha256") == 0) { ++ if (strcmp(argv[i],"sha256") == 0) { + halg = TPM_ALG_SHA256; + } + else if (strcmp(argv[i],"sha384") == 0) { +@@ -152,10 +149,7 @@ int main(int argc, char *argv[]) + else if (strcmp(argv[i],"-nalg") == 0) { + i++; + if (i < argc) { +- if (strcmp(argv[i],"sha1") == 0) { +- nalg = TPM_ALG_SHA1; +- } +- else if (strcmp(argv[i],"sha256") == 0) { ++ if (strcmp(argv[i],"sha256") == 0) { + nalg = TPM_ALG_SHA256; + } + else if (strcmp(argv[i],"sha384") == 0) { +@@ -511,8 +505,8 @@ static void printUsage(void) + printf("Runs TPM2_LoadExternal\n"); + 
printf("\n"); + printf("\t[-hi\thierarchy (e, o, p, n) (default NULL)]\n"); +- printf("\t[-nalg\tname hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n"); +- printf("\t[-halg\tscheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n"); ++ printf("\t[-nalg\tname hash algorithm (sha256, sha384, sha512) (default sha256)]\n"); ++ printf("\t[-halg\tscheme hash algorithm (sha256, sha384, sha512) (default sha256)]\n"); + printf("\n"); + printf("\t[Asymmetric Key Algorithm]\n"); + printf("\n"); +diff --git a/utils/man/man1/tsscertify.1 b/utils/man/man1/tsscertify.1 +index 6895ee7..b837209 100644 +--- a/utils/man/man1/tsscertify.1 ++++ b/utils/man/man1/tsscertify.1 +@@ -20,7 +20,7 @@ certifying key handle + password for key (default empty)] + .TP + [\-halg +-(sha1, sha256, sha384 sha512) (default sha256)] ++(sha256, sha384 sha512) (default sha256)] + .TP + [\-salg + signature algorithm (rsa, ecc, hmac) (default rsa)] +diff --git a/utils/man/man1/tsscertifycreation.1 b/utils/man/man1/tsscertifycreation.1 +index 4382ed9..7c77a1e 100644 +--- a/utils/man/man1/tsscertifycreation.1 ++++ b/utils/man/man1/tsscertifycreation.1 +@@ -17,7 +17,7 @@ certifying key handle + password for key (default empty)] + .TP + [\-halg +-(sha1, sha256, sha384) (default sha256)] ++(sha256, sha384) (default sha256)] + .TP + [\-salg + signature algorithm (rsa, ecc) (default rsa)] +diff --git a/utils/man/man1/tsscreate.1 b/utils/man/man1/tsscreate.1 +index b4eda75..f2f6fc4 100644 +--- a/utils/man/man1/tsscreate.1 ++++ b/utils/man/man1/tsscreate.1 +@@ -89,10 +89,10 @@ userWithAuth attribute clear (default set)] + data (inSensitive) file name] + .TP + [\-nalg +-name hash algorithm (sha1, sha256, sha384, sha512) (default sha256)] ++name hash algorithm (sha256, sha384, sha512) (default sha256)] + .TP + [\-halg +-scheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)] ++scheme hash algorithm (sha256, sha384, sha512) (default sha256)] + .TP + [\-pwdk + password 
for key (default empty)] +diff --git a/utils/man/man1/tsscreateloaded.1 b/utils/man/man1/tsscreateloaded.1 +index ccd3d73..ebcf721 100644 +--- a/utils/man/man1/tsscreateloaded.1 ++++ b/utils/man/man1/tsscreateloaded.1 +@@ -93,10 +93,10 @@ userWithAuth attribute clear (default set)] + data (inSensitive) file name] + .TP + [\-nalg +-name hash algorithm (sha1, sha256, sha384, sha512) (default sha256)] ++name hash algorithm (sha256, sha384, sha512) (default sha256)] + .TP + [\-halg +-scheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)] ++scheme hash algorithm (sha256, sha384, sha512) (default sha256)] + .TP + [\-der + object's parent is a derivation parent] +diff --git a/utils/man/man1/tsscreateprimary.1 b/utils/man/man1/tsscreateprimary.1 +index 895a42e..55a9d85 100644 +--- a/utils/man/man1/tsscreateprimary.1 ++++ b/utils/man/man1/tsscreateprimary.1 +@@ -114,10 +114,10 @@ userWithAuth attribute clear (default set)] + data (inSensitive) file name] + .TP + [\-nalg +-name hash algorithm (sha1, sha256, sha384, sha512) (default sha256)] ++name hash algorithm (sha256, sha384, sha512) (default sha256)] + .TP + [\-halg +-scheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)] ++scheme hash algorithm (sha256, sha384, sha512) (default sha256)] + .HP + \fB\-se[0\-2]\fR session handle / attributes (default PWAP) + .TP +diff --git a/utils/man/man1/tssgetcommandauditdigest.1 b/utils/man/man1/tssgetcommandauditdigest.1 +index 34711e0..11d3b78 100644 +--- a/utils/man/man1/tssgetcommandauditdigest.1 ++++ b/utils/man/man1/tssgetcommandauditdigest.1 +@@ -17,7 +17,7 @@ signing key handle + password for key (default empty)] + .TP + [\-halg +-(sha1, sha256, sha384, sha512) (default sha256)] ++(sha256, sha384, sha512) (default sha256)] + .TP + [\-salg + signature algorithm (rsa, ecc, hmac) (default rsa)] +diff --git a/utils/man/man1/tssgetsessionauditdigest.1 b/utils/man/man1/tssgetsessionauditdigest.1 +index d09c78b..3fa4a03 100644 +--- 
a/utils/man/man1/tssgetsessionauditdigest.1 ++++ b/utils/man/man1/tssgetsessionauditdigest.1 +@@ -20,7 +20,7 @@ password for key (default empty)] + audit session handle + .TP + [\-halg +-(sha1, sha256, sha384, sha512) (default sha256)] ++(sha256, sha384, sha512) (default sha256)] + .TP + [\-qd + qualifying data file name] +diff --git a/utils/man/man1/tssgettime.1 b/utils/man/man1/tssgettime.1 +index bec0627..ac4b425 100644 +--- a/utils/man/man1/tssgettime.1 ++++ b/utils/man/man1/tssgettime.1 +@@ -17,7 +17,7 @@ password for signing key (default empty)] + password for endorsement hierarchy (default empty)] + .TP + [\-halg +-(sha1, sha256, sha384, sha512) (default sha256)] ++(sha256, sha384, sha512) (default sha256)] + .TP + [\-salg + signature algorithm (rsa, ecc, hmac) (default rsa)] +diff --git a/utils/man/man1/tsshash.1 b/utils/man/man1/tsshash.1 +index 6eff929..01fa758 100644 +--- a/utils/man/man1/tsshash.1 ++++ b/utils/man/man1/tsshash.1 +@@ -12,7 +12,7 @@ hierarchy (e, o, p, n) (default null)] + e endorsement, o owner, p platform, n null + .TP + [\-halg +-(sha1, sha256, sha384, sha512) (default sha256)] ++(sha256, sha384, sha512) (default sha256)] + .TP + \fB\-if\fR + input file to be hashed +diff --git a/utils/man/man1/tsshashsequencestart.1 b/utils/man/man1/tsshashsequencestart.1 +index f6d7f52..33225da 100644 +--- a/utils/man/man1/tsshashsequencestart.1 ++++ b/utils/man/man1/tsshashsequencestart.1 +@@ -11,7 +11,7 @@ Runs TPM2_HashSequenceStart + password for sequence (default empty)] + .TP + [\-halg +-(sha1, sha256, sha384, sha512, null) (default sha256)] ++(sha256, sha384, sha512, null) (default sha256)] + null is an event sequence + .HP + \fB\-se[0\-2]\fR session handle / attributes (default NULL) +diff --git a/utils/man/man1/tsshmac.1 b/utils/man/man1/tsshmac.1 +index e64a861..c55b998 100644 +--- a/utils/man/man1/tsshmac.1 ++++ b/utils/man/man1/tsshmac.1 +@@ -14,7 +14,7 @@ key handle + password for key (default empty)] + .TP + [\-halg +-(sha1, sha256, 
sha384, sha512) (default sha256)] ++(sha256, sha384, sha512) (default sha256)] + .TP + \fB\-if\fR + input file to be HMACed +diff --git a/utils/man/man1/tsshmacstart.1 b/utils/man/man1/tsshmacstart.1 +index 65d4ab6..9dd8fbf 100644 +--- a/utils/man/man1/tsshmacstart.1 ++++ b/utils/man/man1/tsshmacstart.1 +@@ -17,7 +17,7 @@ password for key (default empty) + password for sequence (default empty) + .TP + [\-halg +-(sha1, sha256, sha384, sha512) (default sha256)] ++(sha256, sha384, sha512) (default sha256)] + .HP + \fB\-se[0\-2]\fR session handle / attributes (default PWAP) + .TP +diff --git a/utils/man/man1/tssimportpem.1 b/utils/man/man1/tssimportpem.1 +index 21c362e..46821eb 100644 +--- a/utils/man/man1/tssimportpem.1 ++++ b/utils/man/man1/tssimportpem.1 +@@ -49,10 +49,10 @@ public area file name + private area file name + .TP + [\-nalg +-name hash algorithm (sha1, sha256, sha384, sha512) (default sha256)] ++name hash algorithm (sha256, sha384, sha512) (default sha256)] + .TP + [\-halg +-scheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)] ++scheme hash algorithm (sha256, sha384, sha512) (default sha256)] + .TP + [\-pol + policy file (default empty)] +diff --git a/utils/man/man1/tssloadexternal.1 b/utils/man/man1/tssloadexternal.1 +index e32a251..729d357 100644 +--- a/utils/man/man1/tssloadexternal.1 ++++ b/utils/man/man1/tssloadexternal.1 +@@ -11,10 +11,10 @@ Runs TPM2_LoadExternal + hierarchy (e, o, p, n) (default NULL)] + .TP + [\-nalg +-name hash algorithm (sha1, sha256, sha384, sha512) (default sha256)] ++name hash algorithm (sha256, sha384, sha512) (default sha256)] + .TP + [\-halg +-scheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)] ++scheme hash algorithm (sha256, sha384, sha512) (default sha256)] + .IP + [Asymmetric Key Algorithm] + .TP +diff --git a/utils/man/man1/tssnvcertify.1 b/utils/man/man1/tssnvcertify.1 +index c55f6dc..1a50fd6 100644 +--- a/utils/man/man1/tssnvcertify.1 ++++ b/utils/man/man1/tssnvcertify.1 +@@ 
-20,7 +20,7 @@ certifying key handle + password for key (default empty)] + .TP + [\-halg +-(sha1, sha256, sha384, sha512) (default sha256)] ++(sha256, sha384, sha512) (default sha256)] + .TP + [\-salg + signature algorithm (rsa, ecc, hmac) (default rsa)] +diff --git a/utils/man/man1/tssnvdefinespace.1 b/utils/man/man1/tssnvdefinespace.1 +index 0f378e9..5d9d395 100644 +--- a/utils/man/man1/tssnvdefinespace.1 ++++ b/utils/man/man1/tssnvdefinespace.1 +@@ -36,7 +36,7 @@ password for NV index (default empty)] + sets AUTHWRITE (if not PIN index), AUTHREAD + .TP + [\-nalg +-name algorithm (sha1, sha256, sha384 sha512) (default sha256)] ++name algorithm (sha256, sha384 sha512) (default sha256)] + .TP + [\-sz + data size in decimal (default 0)] +diff --git a/utils/man/man1/tssnvreadpublic.1 b/utils/man/man1/tssnvreadpublic.1 +index b8c7bbb..c8619bb 100644 +--- a/utils/man/man1/tssnvreadpublic.1 ++++ b/utils/man/man1/tssnvreadpublic.1 +@@ -11,7 +11,7 @@ Runs TPM2_NV_ReadPublic + NV index handle + .TP + [\-nalg +-expected name hash algorithm (sha1, sha256, sha384 sha512) ++expected name hash algorithm (sha256, sha384 sha512) + (default no check)] + .TP + [\-opu +diff --git a/utils/man/man1/tsspolicymaker.1 b/utils/man/man1/tsspolicymaker.1 +index 6660f36..36beaaa 100644 +--- a/utils/man/man1/tsspolicymaker.1 ++++ b/utils/man/man1/tsspolicymaker.1 +@@ -6,7 +6,7 @@ policymaker \- Runs TPM2 policymaker + policymaker + .TP + [\-halg +-hash algorithm (sha1 sha256 sha384 sha512) (default sha256)] ++hash algorithm (sha256 sha384 sha512) (default sha256)] + .TP + [\-nz + do not extend starting with zeros, just hash the last line] +diff --git a/utils/man/man1/tsspolicysigned.1 b/utils/man/man1/tsspolicysigned.1 +index f50b81a..dab24ba 100644 +--- a/utils/man/man1/tsspolicysigned.1 ++++ b/utils/man/man1/tsspolicysigned.1 +@@ -26,7 +26,7 @@ policyRef file (default none)] + expiration in decimal (default none)] + .TP + [\-halg +-(sha1, sha256, sha384, sha512) (default sha256)] ++(sha256, 
sha384, sha512) (default sha256)] + .TP + \fB\-sk\fR + RSA signing key file name (PEM format) +diff --git a/utils/man/man1/tsspublicname.1 b/utils/man/man1/tsspublicname.1 +index 6600436..e42481c 100644 +--- a/utils/man/man1/tsspublicname.1 ++++ b/utils/man/man1/tsspublicname.1 +@@ -45,10 +45,10 @@ rsapss + null + .TP + [\-nalg +-name hash algorithm (sha1, sha256, sha384, sha512) (default sha256)] ++name hash algorithm (sha256, sha384, sha512) (default sha256)] + .TP + [\-halg +-scheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)] ++scheme hash algorithm (sha256, sha384, sha512) (default sha256)] + .TP + [\-uwa + userWithAuth attribute clear (default set)] +diff --git a/utils/man/man1/tssquote.1 b/utils/man/man1/tssquote.1 +index 04a2e60..3de384b 100644 +--- a/utils/man/man1/tssquote.1 ++++ b/utils/man/man1/tssquote.1 +@@ -17,7 +17,7 @@ quoting key handle + password for quoting key (default empty)] + .TP + [\-halg +-for signing (sha1, sha256, sha384, sha512) (default sha256)] ++for signing (sha256, sha384, sha512) (default sha256)] + .TP + [\-palg + for PCR bank selection (sha1, sha256, sha384, sha512) (default sha256)] +diff --git a/utils/man/man1/tssrsadecrypt.1 b/utils/man/man1/tssrsadecrypt.1 +index 6c35e42..ff2b0f2 100644 +--- a/utils/man/man1/tssrsadecrypt.1 ++++ b/utils/man/man1/tssrsadecrypt.1 +@@ -16,7 +16,7 @@ password for key (default empty)[ + [\-ipwdk password file for key, nul terminated (default empty)] + \fB\-ie\fR encrypt file name + \fB\-od\fR decrypt file name (default do not save) +-[\-oid (sha1, sha256, sha384 sha512)] ++[\-oid (sha256, sha384 sha512)] + .IP + optionally add OID and PKCS1 padding to the + encrypt data (demo of signing with arbitrary OID) +diff --git a/utils/man/man1/tsssetcommandcodeauditstatus.1 b/utils/man/man1/tsssetcommandcodeauditstatus.1 +index c4d19dc..d84a0c2 100644 +--- a/utils/man/man1/tsssetcommandcodeauditstatus.1 ++++ b/utils/man/man1/tsssetcommandcodeauditstatus.1 +@@ -14,7 +14,7 @@ authhandle 
hierarchy (o, p) (default platform)] + authorization password (default empty)] + .TP + [\-halg +-(sha1, sha256, sha384, sha512, null) (default null)] ++(sha256, sha384, sha512, null) (default null)] + .TP + [\-set + command code to set (may be specified more than once (default none)] +diff --git a/utils/man/man1/tsssetprimarypolicy.1 b/utils/man/man1/tsssetprimarypolicy.1 +index c67c1f9..9238407 100644 +--- a/utils/man/man1/tsssetprimarypolicy.1 ++++ b/utils/man/man1/tsssetprimarypolicy.1 +@@ -17,7 +17,7 @@ authorization password (default empty)] + policy file (default empty policy)] + .TP + [\-halg +-(sha1, sha256) (default null)] ++(sha256) (default null)] + .HP + \fB\-se[0\-2]\fR session handle / attributes (default PWAP) + .TP +diff --git a/utils/man/man1/tsssign.1 b/utils/man/man1/tsssign.1 +index d5ad351..df67aee 100644 +--- a/utils/man/man1/tsssign.1 ++++ b/utils/man/man1/tsssign.1 +@@ -17,7 +17,7 @@ input message to hash and sign + password for key (default empty)] + .TP + [\-halg +-(sha1, sha256, sha384, sha512) (default sha256)] ++(sha256, sha384, sha512) (default sha256)] + .TP + [\-salg + signature algorithm (rsa, ecc, hmac) (default rsa)] +diff --git a/utils/man/man1/tssstartauthsession.1 b/utils/man/man1/tssstartauthsession.1 +index 3e944bb..ad16b0f 100644 +--- a/utils/man/man1/tssstartauthsession.1 ++++ b/utils/man/man1/tssstartauthsession.1 +@@ -19,7 +19,7 @@ t + Trial policy session + .TP + [\-halg +-(sha1, sha256, sha384, sha512) (default sha256)] ++(sha256, sha384, sha512) (default sha256)] + .TP + [\-hs + salt handle (default TPM_RH_NULL)] +diff --git a/utils/man/man1/tssverifysignature.1 b/utils/man/man1/tssverifysignature.1 +index e2d6460..d30eee9 100644 +--- a/utils/man/man1/tssverifysignature.1 ++++ b/utils/man/man1/tssverifysignature.1 +@@ -37,7 +37,7 @@ One of \fB\-hk\fR, \fB\-ipem\fR, \fB\-ihmac\fR must be specified + ticket file name (requires \fB\-hk\fR)] + .TP + [\-halg +-(sha1, sha256, sha384 sha512) (default sha256)] ++(sha256, 
sha384 sha512) (default sha256)] + .IP + [Asymmetric Key Algorithm] + .TP +diff --git a/utils/nvcertify.c b/utils/nvcertify.c +index 81bde69..440c894 100644 +--- a/utils/nvcertify.c ++++ b/utils/nvcertify.c +@@ -131,10 +131,7 @@ int main(int argc, char *argv[]) + else if (strcmp(argv[i],"-halg") == 0) { + i++; + if (i < argc) { +- if (strcmp(argv[i],"sha1") == 0) { +- halg = TPM_ALG_SHA1; +- } +- else if (strcmp(argv[i],"sha256") == 0) { ++ if (strcmp(argv[i],"sha256") == 0) { + halg = TPM_ALG_SHA256; + } + else if (strcmp(argv[i],"sha384") == 0) { +@@ -433,7 +430,7 @@ static void printUsage(void) + printf("\t[-pwdn\tpassword for NV index (default empty)]\n"); + printf("\t-hk\tcertifying key handle\n"); + printf("\t[-pwdk\tpassword for key (default empty)]\n"); +- printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n"); ++ printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n"); + printf("\t[-salg\tsignature algorithm (rsa, ecc, hmac) (default rsa)]\n"); + printf("\t-sz\tdata size\n"); + printf("\t[-off\toffset (default 0)]\n"); +diff --git a/utils/nvdefinespace.c b/utils/nvdefinespace.c +index 18ce6ea..cbe253e 100644 +--- a/utils/nvdefinespace.c ++++ b/utils/nvdefinespace.c +@@ -124,11 +124,7 @@ int main(int argc, char *argv[]) + else if (strcmp(argv[i],"-nalg") == 0) { + i++; + if (i < argc) { +- if (strcmp(argv[i],"sha1") == 0) { +- nalg = TPM_ALG_SHA1; +- hashSize = SHA1_DIGEST_SIZE; +- } +- else if (strcmp(argv[i],"sha256") == 0) { ++ if (strcmp(argv[i],"sha256") == 0) { + nalg = TPM_ALG_SHA256; + hashSize = SHA256_DIGEST_SIZE; + } +@@ -562,7 +558,7 @@ static void printUsage(void) + printf("\n"); + printf("\t[-pwdn\tpassword for NV index (default empty)]\n"); + printf("\t\tsets AUTHWRITE (if not PIN index), AUTHREAD\n"); +- printf("\t[-nalg\tname algorithm (sha1, sha256, sha384 sha512) (default sha256)]\n"); ++ printf("\t[-nalg\tname algorithm (sha256, sha384 sha512) (default sha256)]\n"); + printf("\t[-sz\tdata size in decimal (default 
0)]\n"); + printf("\t\tIgnored for other than ordinary index\n"); + printf("\t[-ty\tindex type (o, c, b, e, p, f) (default ordinary)]\n"); +diff --git a/utils/nvreadpublic.c b/utils/nvreadpublic.c +index cf36b96..cbcae63 100644 +--- a/utils/nvreadpublic.c ++++ b/utils/nvreadpublic.c +@@ -101,10 +101,7 @@ int main(int argc, char *argv[]) + else if (strcmp(argv[i],"-nalg") == 0) { + i++; + if (i < argc) { +- if (strcmp(argv[i],"sha1") == 0) { +- nalg = TPM_ALG_SHA1; +- } +- else if (strcmp(argv[i],"sha256") == 0) { ++ if (strcmp(argv[i],"sha256") == 0) { + nalg = TPM_ALG_SHA256; + } + else if (strcmp(argv[i],"sha384") == 0) { +@@ -336,7 +333,7 @@ static void printUsage(void) + printf("Runs TPM2_NV_ReadPublic\n"); + printf("\n"); + printf("\t-ha\tNV index handle\n"); +- printf("\t[-nalg\texpected name hash algorithm (sha1, sha256, sha384 sha512)\n" ++ printf("\t[-nalg\texpected name hash algorithm (sha256, sha384 sha512)\n" + "\t\t(default no check)]\n"); + printf("\t[-opu\tNV public file name (default do not save)]\n"); + printf("\t[-ns\tadditionally print Name in hex ascii on one line]\n"); +diff --git a/utils/objecttemplates.c b/utils/objecttemplates.c +index 37d7b64..4d1269c 100644 +--- a/utils/objecttemplates.c ++++ b/utils/objecttemplates.c +@@ -576,7 +576,7 @@ void printUsageTemplate(void) + printf("\t[-uwa\tuserWithAuth attribute clear (default set)]\n"); + printf("\t[-if\tdata (inSensitive) file name]\n"); + printf("\n"); +- printf("\t[-nalg\tname hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n"); +- printf("\t[-halg\tscheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n"); ++ printf("\t[-nalg\tname hash algorithm (sha256, sha384, sha512) (default sha256)]\n"); ++ printf("\t[-halg\tscheme hash algorithm (sha256, sha384, sha512) (default sha256)]\n"); + return; + } +diff --git a/utils/policymaker.c b/utils/policymaker.c +index 7290ed7..818ac8b 100644 +--- a/utils/policymaker.c ++++ b/utils/policymaker.c +@@ -107,10 +107,7 
@@ int main(int argc, char *argv[]) + if (strcmp(argv[i],"-halg") == 0) { + i++; + if (i < argc) { +- if (strcmp(argv[i],"sha1") == 0) { +- digest.hashAlg = TPM_ALG_SHA1; +- } +- else if (strcmp(argv[i],"sha256") == 0) { ++ if (strcmp(argv[i],"sha256") == 0) { + digest.hashAlg = TPM_ALG_SHA256; + } + else if (strcmp(argv[i],"sha384") == 0) { +@@ -342,7 +339,7 @@ static void printUsage(void) + printf("\n"); + printf("policymaker\n"); + printf("\n"); +- printf("\t[-halg\thash algorithm (sha1 sha256 sha384 sha512) (default sha256)]\n"); ++ printf("\t[-halg\thash algorithm (sha256 sha384 sha512) (default sha256)]\n"); + printf("\t[-nz\tdo not extend starting with zeros, just hash the last line]\n"); + printf("\t-if\tinput policy statements in hex ascii\n"); + printf("\t[-of\toutput file - policy hash in binary]\n"); +diff --git a/utils/policysigned.c b/utils/policysigned.c +index 469cec9..dbecfe0 100644 +--- a/utils/policysigned.c ++++ b/utils/policysigned.c +@@ -216,10 +216,7 @@ int main(int argc, char *argv[]) + else if (strcmp(argv[i],"-halg") == 0) { + i++; + if (i < argc) { +- if (strcmp(argv[i],"sha1") == 0) { +- halg = TPM_ALG_SHA1; +- } +- else if (strcmp(argv[i],"sha256") == 0) { ++ if (strcmp(argv[i],"sha256") == 0) { + halg = TPM_ALG_SHA256; + } + else if (strcmp(argv[i],"sha384") == 0) { +@@ -444,7 +441,7 @@ static void printUsage(void) + printf("\t[-cp\tcpHash file (default none)]\n"); + printf("\t[-pref\tpolicyRef file (default none)]\n"); + printf("\t[-exp\texpiration in decimal (default none)]\n"); +- printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n"); ++ printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n"); + printf("\t-sk\tRSA signing key file name (PEM format)\n"); + printf("\t\tUse this signing key.\n"); + printf("\t-is\tsignature file name\n"); +diff --git a/utils/publicname.c b/utils/publicname.c +index f599d36..fbe9ee4 100644 +--- a/utils/publicname.c ++++ b/utils/publicname.c +@@ -90,10 +90,7 @@ int main(int argc, 
char *argv[]) + if (strcmp(argv[i],"-halg") == 0) { + i++; + if (i < argc) { +- if (strcmp(argv[i],"sha1") == 0) { +- halg = TPM_ALG_SHA1; +- } +- else if (strcmp(argv[i],"sha256") == 0) { ++ if (strcmp(argv[i],"sha256") == 0) { + halg = TPM_ALG_SHA256; + } + else if (strcmp(argv[i],"sha384") == 0) { +@@ -115,10 +112,7 @@ int main(int argc, char *argv[]) + else if (strcmp(argv[i],"-nalg") == 0) { + i++; + if (i < argc) { +- if (strcmp(argv[i],"sha1") == 0) { +- nalg = TPM_ALG_SHA1; +- } +- else if (strcmp(argv[i],"sha256") == 0) { ++ if (strcmp(argv[i],"sha256") == 0) { + nalg = TPM_ALG_SHA256; + } + else if (strcmp(argv[i],"sha384") == 0) { +@@ -441,8 +435,8 @@ static void printUsage(void) + printf("\t\trsassa\n"); + printf("\t\trsapss\n"); + printf("\t\tnull\n"); +- printf("\t[-nalg\tname hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n"); +- printf("\t[-halg\tscheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n"); ++ printf("\t[-nalg\tname hash algorithm (sha256, sha384, sha512) (default sha256)]\n"); ++ printf("\t[-halg\tscheme hash algorithm (sha256, sha384, sha512) (default sha256)]\n"); + printf("\t[-uwa\tuserWithAuth attribute clear (default set)]\n"); + printf("\t[-si\tsigning (default) RSA]\n"); + printf("\t[-st\tstorage (default NULL scheme)]\n"); +diff --git a/utils/quote.c b/utils/quote.c +index c29fad0..154187c 100644 +--- a/utils/quote.c ++++ b/utils/quote.c +@@ -130,10 +130,7 @@ int main(int argc, char *argv[]) + else if (strcmp(argv[i],"-halg") == 0) { + i++; + if (i < argc) { +- if (strcmp(argv[i],"sha1") == 0) { +- halg = TPM_ALG_SHA1; +- } +- else if (strcmp(argv[i],"sha256") == 0) { ++ if (strcmp(argv[i],"sha256") == 0) { + halg = TPM_ALG_SHA256; + } + else if (strcmp(argv[i],"sha384") == 0) { +@@ -424,7 +421,7 @@ static void printUsage(void) + printf("\t-hp\tpcr handle (may be specified more than once)\n"); + printf("\t-hk\tquoting key handle\n"); + printf("\t[-pwdk\tpassword for quoting key (default 
empty)]\n"); +- printf("\t[-halg\tfor signing (sha1, sha256, sha384, sha512) (default sha256)]\n"); ++ printf("\t[-halg\tfor signing (sha256, sha384, sha512) (default sha256)]\n"); + printf("\t[-palg\tfor PCR bank selection (sha1, sha256, sha384, sha512) (default sha256)]\n"); + printf("\t[-salg\tsignature algorithm (rsa, ecc, hmac) (default rsa)]\n"); + printf("\t[-qd\tqualifying data file name]\n"); +diff --git a/utils/reg.sh b/utils/reg.sh +index 2d9d100..671720f 100755 +--- a/utils/reg.sh ++++ b/utils/reg.sh +@@ -70,11 +70,20 @@ PREFIX=./ + #PREFIX="valgrind ./" + + # hash algorithms to be used for testing ++export RESTRICTED_HASH_ALG + +-export ITERATE_ALGS="sha1 sha256 sha384 sha512" +-export ITERATE_ALGS_SIZES="20 32 48 64" +-export ITERATE_ALGS_COUNT=4 +-export BAD_ITERATE_ALGS="sha256 sha384 sha512 sha1" ++if [ "${RESTRICTED_HASH_ALG}" ]; then ++ export ITERATE_ALGS="sha256 sha384 sha512" ++ export ITERATE_ALGS_SIZES="32 48 64" ++ export ITERATE_ALGS_COUNT=3 ++ export BAD_ITERATE_ALGS="sha384 sha512 sha256" ++else ++ export ITERATE_ALGS="sha1 sha256 sha384 sha512" ++ export ITERATE_ALGS_SIZES="20 32 48 64" ++ export ITERATE_ALGS_COUNT=4 ++ export BAD_ITERATE_ALGS="sha256 sha384 sha512 sha1" ++fi ++export ITERATE_ALGS_WITH_SHA1="sha1 sha256 sha384 sha512" + + printUsage () + { +diff --git a/utils/regtests/testattest.sh b/utils/regtests/testattest.sh +index 2dacf88..044d35f 100755 +--- a/utils/regtests/testattest.sh ++++ b/utils/regtests/testattest.sh +@@ -379,21 +379,26 @@ echo "" + echo "Audit a PCR Read" + echo "" + +-for HALG in ${ITERATE_ALGS} ++for HALG in ${ITERATE_ALGS_WITH_SHA1} + do ++ if [ "${HALG}" = "sha1" ] && [ "${RESTRICTED_HASH_ALG}" ]; then ++ ALT_HALG=sha256 ++ else ++ ALT_HALG=${HALG} ++ fi + + echo "Start an audit session ${HALG}" +- ${PREFIX}startauthsession -se h -halg ${HALG} > run.out ++ ${PREFIX}startauthsession -se h -halg ${ALT_HALG} > run.out + checkSuccess $? 
+ + echo "PCR 16 reset" + ${PREFIX}pcrreset -ha 16 > run.out + checkSuccess $? + +- cp policies/zero${HALG}.bin tmpdigestr.bin ++ cp policies/zero${ALT_HALG}.bin tmpdigestr.bin + + echo "PCR 16 read ${HALG}" +- ${PREFIX}pcrread -ha 16 -halg ${HALG} -se0 02000000 81 -ahalg ${HALG} -iosad tmpdigestr.bin > run.out ++ ${PREFIX}pcrread -ha 16 -halg ${HALG} -se0 02000000 81 -ahalg ${ALT_HALG} -iosad tmpdigestr.bin > run.out + checkSuccess $? + + echo "Get session audit digest" +@@ -409,7 +414,7 @@ do + checkSuccess $? + + echo "PCR 16 read ${HALG}" +- ${PREFIX}pcrread -ha 16 -halg ${HALG} -se0 02000000 81 -ahalg ${HALG} -iosad tmpdigestr.bin > run.out ++ ${PREFIX}pcrread -ha 16 -halg ${HALG} -se0 02000000 81 -ahalg ${ALT_HALG} -iosad tmpdigestr.bin > run.out + checkSuccess $? + + echo "Get session audit digest" +diff --git a/utils/regtests/testevent.sh b/utils/regtests/testevent.sh +index 6336920..57a96d2 100755 +--- a/utils/regtests/testevent.sh ++++ b/utils/regtests/testevent.sh +@@ -62,7 +62,7 @@ echo "" + + for TYPE in "1" "2" + do +- for HALG in ${ITERATE_ALGS} ++ for HALG in ${ITERATE_ALGS_WITH_SHA1} + do + + echo "Power cycle to reset IMA PCR" +diff --git a/utils/rsadecrypt.c b/utils/rsadecrypt.c +index e2846af..a521edf 100644 +--- a/utils/rsadecrypt.c ++++ b/utils/rsadecrypt.c +@@ -130,10 +130,7 @@ int main(int argc, char *argv[]) + else if (strcmp(argv[i],"-oid") == 0) { + i++; + if (i < argc) { +- if (strcmp(argv[i],"sha1") == 0) { +- halg = TPM_ALG_SHA1; +- } +- else if (strcmp(argv[i],"sha256") == 0) { ++ if (strcmp(argv[i],"sha256") == 0) { + halg = TPM_ALG_SHA256; + } + else if (strcmp(argv[i],"sha384") == 0) { +@@ -391,7 +388,6 @@ static TPM_RC padData(uint8_t **buffer, + uint16_t digestSize; + const uint8_t *oid; + uint16_t oidSize; +- const uint8_t sha1Oid[] = {SHA1_DER}; + const uint8_t sha256Oid[] = {SHA256_DER}; + const uint8_t sha384Oid[] = {SHA384_DER}; + const uint8_t sha512Oid[] = {SHA512_DER}; +@@ -419,10 +415,6 @@ static TPM_RC padData(uint8_t 
**buffer, + /* determine the OID */ + if (rc == 0) { + switch (halg) { +- case TPM_ALG_SHA1: +- oid = sha1Oid; +- oidSize = SHA1_DER_SIZE; +- break; + case TPM_ALG_SHA256: + oid = sha256Oid; + oidSize = SHA256_DER_SIZE; +@@ -499,7 +491,7 @@ static void printUsage(void) + printf("\t[-ipwdk\tpassword file for key, nul terminated (default empty)]\n"); + printf("\t-ie\tencrypt file name\n"); + printf("\t-od\tdecrypt file name (default do not save)\n"); +- printf("\t[-oid\t(sha1, sha256, sha384 sha512)]\n"); ++ printf("\t[-oid\t(sha256, sha384 sha512)]\n"); + printf("\t\toptionally add OID and PKCS1 padding to the\n"); + printf("\t\tencrypt data (demo of signing with arbitrary OID)\n"); + printf("\n"); +diff --git a/utils/setcommandcodeauditstatus.c b/utils/setcommandcodeauditstatus.c +index 7a880ae..7a95a59 100644 +--- a/utils/setcommandcodeauditstatus.c ++++ b/utils/setcommandcodeauditstatus.c +@@ -125,10 +125,7 @@ int main(int argc, char *argv[]) + else if (strcmp(argv[i],"-halg") == 0) { + i++; + if (i < argc) { +- if (strcmp(argv[i],"sha1") == 0) { +- in.auditAlg = TPM_ALG_SHA1; +- } +- else if (strcmp(argv[i],"sha256") == 0) { ++ if (strcmp(argv[i],"sha256") == 0) { + in.auditAlg = TPM_ALG_SHA256; + } + else if (strcmp(argv[i],"sha384") == 0) { +@@ -287,7 +284,7 @@ static void printUsage(void) + printf("\n"); + printf("\t[-hi\tauthhandle hierarchy (o, p) (default platform)]\n"); + printf("\t[-pwda\tauthorization password (default empty)]\n"); +- printf("\t[-halg\t(sha1, sha256, sha384, sha512, null) (default null)]\n"); ++ printf("\t[-halg\t(sha256, sha384, sha512, null) (default null)]\n"); + printf("\t[-set\tcommand code to set (may be specified more than once (default none)]\n"); + printf("\t[-clr\tcommand code to clear (may be specified more than once (default none)]\n"); + printf("\n"); +diff --git a/utils/setprimarypolicy.c b/utils/setprimarypolicy.c +index 619937f..100e265 100644 +--- a/utils/setprimarypolicy.c ++++ b/utils/setprimarypolicy.c +@@ -113,9 
+113,6 @@ int main(int argc, char *argv[]) + if (strcmp(argv[i],"sha256") == 0) { + in.hashAlg = TPM_ALG_SHA256; + } +- else if (strcmp(argv[i],"sha1") == 0) { +- in.hashAlg = TPM_ALG_SHA1; +- } + else { + printf("Bad parameter %s for -halg\n", argv[i]); + printUsage(); +@@ -291,7 +288,7 @@ static void printUsage(void) + printf("\t[-hi\tauthhandle hierarchy (l, e, o, p) (default platform)]\n"); + printf("\t[-pwda\tauthorization password (default empty)]\n"); + printf("\t[-pol\tpolicy file (default empty policy)]\n"); +- printf("\t[-halg\t(sha1, sha256) (default null)]\n"); ++ printf("\t[-halg\t(sha256) (default null)]\n"); + printf("\n"); + printf("\t-se[0-2] session handle / attributes (default PWAP)\n"); + printf("\t01\tcontinue\n"); +diff --git a/utils/sign.c b/utils/sign.c +index ba2be27..d37f786 100644 +--- a/utils/sign.c ++++ b/utils/sign.c +@@ -123,10 +123,7 @@ int main(int argc, char *argv[]) + else if (strcmp(argv[i],"-halg") == 0) { + i++; + if (i < argc) { +- if (strcmp(argv[i],"sha1") == 0) { +- halg = TPM_ALG_SHA1; +- } +- else if (strcmp(argv[i],"sha256") == 0) { ++ if (strcmp(argv[i],"sha256") == 0) { + halg = TPM_ALG_SHA256; + } + else if (strcmp(argv[i],"sha384") == 0) { +@@ -474,7 +471,7 @@ static void printUsage(void) + printf("\t-hk\tkey handle\n"); + printf("\t-if\tinput message to hash and sign\n"); + printf("\t[-pwdk\tpassword for key (default empty)]\n"); +- printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n"); ++ printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n"); + printf("\t[-salg\tsignature algorithm (rsa, ecc, hmac) (default rsa)]\n"); + printf("\t[-scheme signing scheme (rsassa, rsapss, ecdsa, ecdaa, hmac)]\n"); + printf("\t\t(default rsassa, ecdsa, hmac)]\n"); +diff --git a/utils/startauthsession.c b/utils/startauthsession.c +index d47c731..93dc511 100644 +--- a/utils/startauthsession.c ++++ b/utils/startauthsession.c +@@ -88,10 +88,7 @@ int main(int argc, char *argv[]) + else if 
(strcmp(argv[i],"-halg") == 0) { + i++; + if (i < argc) { +- if (strcmp(argv[i],"sha1") == 0) { +- halg = TPM_ALG_SHA1; +- } +- else if (strcmp(argv[i],"sha256") == 0) { ++ if (strcmp(argv[i],"sha256") == 0) { + halg = TPM_ALG_SHA256; + } + else if (strcmp(argv[i],"sha384") == 0) { +@@ -291,7 +288,7 @@ static void printUsage(void) + printf("\t\tp Policy session\n"); + printf("\t\tt Trial policy session\n"); + printf("\n"); +- printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n"); ++ printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n"); + printf("\t[-hs\tsalt handle (default TPM_RH_NULL)]\n"); + printf("\t[-bi\tbind handle (default TPM_RH_NULL)]\n"); + printf("\t[-pwdb\tbind password for bind handle (default empty)]\n"); +diff --git a/utils/verifysignature.c b/utils/verifysignature.c +index 57978d5..7603a1f 100644 +--- a/utils/verifysignature.c ++++ b/utils/verifysignature.c +@@ -133,10 +133,7 @@ int main(int argc, char *argv[]) + else if (strcmp(argv[i],"-halg") == 0) { + i++; + if (i < argc) { +- if (strcmp(argv[i],"sha1") == 0) { +- halg = TPM_ALG_SHA1; +- } +- else if (strcmp(argv[i],"sha256") == 0) { ++ if (strcmp(argv[i],"sha256") == 0) { + halg = TPM_ALG_SHA256; + } + else if (strcmp(argv[i],"sha384") == 0) { +@@ -473,7 +470,7 @@ static void printUsage(void) + printf("\n"); + printf("\t[-tk\tticket file name (requires -hk)]\n"); + printf("\n"); +- printf("\t[-halg\t(sha1, sha256, sha384 sha512) (default sha256)]\n"); ++ printf("\t[-halg\t(sha256, sha384 sha512) (default sha256)]\n"); + printf("\n"); + printf("\t[Asymmetric Key Algorithm]\n"); + printf("\n"); +-- +2.34.1 + diff --git a/SOURCES/0003-Update-certifyx509-for-Windows.patch b/SOURCES/0003-Update-certifyx509-for-Windows.patch new file mode 100644 index 0000000..b8be4d5 --- /dev/null +++ b/SOURCES/0003-Update-certifyx509-for-Windows.patch 
@@ -0,0 +1,99 @@
+From 1c462889a517d6dbab721aa3e0597878e9c237d5 Mon Sep 17 00:00:00 2001
+From: Ken Goldman
+Date: Wed, 25 Aug 2021 18:02:11 -0400
+Subject: [PATCH 3/7] : Update certifyx509 for Windows
+
+Add static_ to the ASN1_SEQUENCE_END macros to suppress a gcc warning.
+Change free to OPENSSL_free, required with i2d when OpenSSL is a dll.
+
+Remove the tmpx509i file handling from the .bat file since certifyx509
+no longer outputs it.
+
+Signed-off-by: Ken Goldman
+---
+ utils/certifyx509.c | 10 +++++-----
+ utils/regtests/testx509.bat | 5 -----
+ 2 files changed, 5 insertions(+), 10 deletions(-)
+
+diff --git a/utils/certifyx509.c b/utils/certifyx509.c
+index 44640aa..5602f62 100644
+--- a/utils/certifyx509.c
++++ b/utils/certifyx509.c
+@@ -94,7 +94,7 @@ typedef struct {
+ ASN1_SEQUENCE(TPM_PARTIAL_CERT_VALIDITY) = {
+ ASN1_SIMPLE(TPM_PARTIAL_CERT_VALIDITY, notBefore, ASN1_TIME),
+ ASN1_SIMPLE(TPM_PARTIAL_CERT_VALIDITY, notAfter, ASN1_TIME),
+-} ASN1_SEQUENCE_END(TPM_PARTIAL_CERT_VALIDITY)
++} static_ASN1_SEQUENCE_END(TPM_PARTIAL_CERT_VALIDITY)
+ 
+ /* the signature algorithm is optional while the extension list is mandatory */
+ ASN1_SEQUENCE(TPM_PARTIAL_CERT) = {
+@@ -103,7 +103,7 @@ ASN1_SEQUENCE(TPM_PARTIAL_CERT) = {
+ ASN1_SIMPLE(TPM_PARTIAL_CERT, validity, TPM_PARTIAL_CERT_VALIDITY),
+ ASN1_SIMPLE(TPM_PARTIAL_CERT, subject, X509_NAME),
+ ASN1_EXP_SEQUENCE_OF(TPM_PARTIAL_CERT, extensions, X509_EXTENSION, 3),
+-} ASN1_SEQUENCE_END(TPM_PARTIAL_CERT)
++} static_ASN1_SEQUENCE_END(TPM_PARTIAL_CERT)
+ 
+ DECLARE_ASN1_FUNCTIONS(TPM_PARTIAL_CERT)
+ IMPLEMENT_ASN1_FUNCTIONS(TPM_PARTIAL_CERT)
+@@ -122,7 +122,7 @@ ASN1_SEQUENCE(TPM_ADDTOCERT) = {
+ ASN1_SIMPLE(TPM_ADDTOCERT, serialNumber, ASN1_INTEGER),
+ ASN1_SIMPLE(TPM_ADDTOCERT, signatureAlgorithm, X509_ALGOR),
+ ASN1_SIMPLE(TPM_ADDTOCERT, key, X509_PUBKEY),
+-} ASN1_SEQUENCE_END(TPM_ADDTOCERT)
++} static_ASN1_SEQUENCE_END(TPM_ADDTOCERT)
+ 
+ DECLARE_ASN1_FUNCTIONS(TPM_ADDTOCERT)
+ IMPLEMENT_ASN1_FUNCTIONS(TPM_ADDTOCERT)
+@@ -629,7 +629,7 @@ int main(int argc, char *argv[])
+ X509_free(x509Certificate); /* @1 */
+ }
+ free(x509Der); /* @2 */
+- free(addToCert); /* @3 */
++ OPENSSL_free(addToCert); /* @3 */
+ return rc;
+ }
+ 
+@@ -808,7 +808,7 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate, /* input /
+ #endif
+ X509_NAME_free(x509IssuerName); /* @1 */
+ X509_NAME_free(x509SubjectName); /* @2 */
+- free(tmpPartialDer); /* @3 */
++ OPENSSL_free(tmpPartialDer); /* @3 */
+ return rc;
+ }
+ 
+diff --git a/utils/regtests/testx509.bat b/utils/regtests/testx509.bat
+index 0951ad6..17b69f6 100644
+--- a/utils/regtests/testx509.bat
++++ b/utils/regtests/testx509.bat
+@@ -80,8 +80,6 @@ for /L %%i in (1,1,!L!) do (
+ exit /B 1
+ )
+ 
+- rem # dumpasn1 -a -l -d tmpx509i.bin > tmpx509i1.dump
+- rem # dumpasn1 -a -l -d -hh tmpx509i.bin > tmpx509i1.dumphh
+ rem # dumpasn1 -a -l -d tmppart1.bin > tmppart1.dump
+ rem # dumpasn1 -a -l -d -hh tmppart1.bin > tmppart1.dumphh
+ rem # dumpasn1 -a -l -d tmpadd1.bin > tmpadd1.dump
+@@ -102,8 +100,6 @@ for /L %%i in (1,1,!L!) do (
+ exit /B 1
+ )
+ 
+-rem # dumpasn1 -a -l -d tmpx509i.bin > tmpx509i2.dump
+-rem # dumpasn1 -a -l -d -hh tmpx509i.bin > tmpx509i2.dumphh
+ rem # dumpasn1 -a -l -d tmppart2.bin > tmppart2.dump
+ rem # dumpasn1 -a -l -d -hh tmppart2.bin > tmppart2.dumphhe
+ rem # dumpasn1 -a -l -d tmpadd2.bin > tmpadd2.dump
+@@ -446,7 +442,6 @@ rm tmpsig1.bin
+ rm tmpx5091.bin
+ rm tmpx5091.pem
+ rm tmpx5092.pem
+-rm tmpx509i.bin
+ rm tmppart2.bin
+ rm tmpadd2.bin
+ rm tmptbs2.bin
+--
+2.34.1
+
diff --git a/SOURCES/0004-Restrict-SHA-1-in-TSS.patch b/SOURCES/0004-Restrict-SHA-1-in-TSS.patch
new file mode 100644
index 0000000..0cdd45f
--- /dev/null
+++ b/SOURCES/0004-Restrict-SHA-1-in-TSS.patch
@@ -0,0 +1,136 @@
+From 506ae7f508cdcaca1cad7433725e8f4c115f843b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Hor=C3=A1=C4=8Dek?=
+
+Date: Fri, 25 Feb 2022 15:28:28 +0100
+Subject: [PATCH 4/4] Restrict SHA-1 in TSS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Štěpán Horáček
+---
+ utils/cryptoutils.c | 4 ---
+ utils/tss20.c | 81 ++++++++++++++++++++++++++++++++++++++++++++-
+ 2 files changed, 80 insertions(+), 5 deletions(-)
+
+diff --git a/utils/cryptoutils.c b/utils/cryptoutils.c
+index 7b5de79..98396a7 100644
+--- a/utils/cryptoutils.c
++++ b/utils/cryptoutils.c
+@@ -2136,10 +2136,6 @@ TPM_RC verifyRSASignatureFromRSA(unsigned char *message,
+ /* map from hash algorithm to openssl nid */
+ if (rc == 0) {
+ switch (halg) {
+- case TPM_ALG_SHA1:
+- nid = NID_sha1;
+- md = EVP_sha1();
+- break;
+ case TPM_ALG_SHA256:
+ nid = NID_sha256;
+ md = EVP_sha256();
+diff --git a/utils/tss20.c b/utils/tss20.c
+index c778069..bd05cf3 100644
+--- a/utils/tss20.c
++++ b/utils/tss20.c
+@@ -678,6 +678,76 @@ extern int tssVerbose;
+ extern int tssVverbose;
+ extern int tssFirstCall;
+ 
++int TSS_CheckSha1_PublicArea(TPMT_PUBLIC *publicArea)
++{
++ return publicArea->nameAlg == TPM_ALG_SHA1 ||
++ ((publicArea->type == TPM_ALG_RSA || publicArea->type == TPM_ALG_ECC) &&
++ publicArea->parameters.asymDetail.scheme.scheme != TPM_ALG_NULL &&
++ publicArea->parameters.asymDetail.scheme.details.anySig.hashAlg == TPM_ALG_SHA1);
++}
++
++int TSS_CheckSha1_SigScheme(TPMT_SIG_SCHEME *sigScheme)
++{
++ return sigScheme->details.any.hashAlg == TPM_ALG_SHA1;
++}
++
++int TSS_CheckSha1(COMMAND_PARAMETERS *in,
++ TPM_CC commandCode)
++{
++ switch (commandCode)
++ {
++ case TPM_CC_Certify:
++ return TSS_CheckSha1_SigScheme(&in->Certify.inScheme);
++ case TPM_CC_CertifyCreation:
++ return TSS_CheckSha1_SigScheme(&in->CertifyCreation.inScheme);
++ case TPM_CC_Create:
++ return TSS_CheckSha1_PublicArea(&in->Create.inPublic.publicArea);
++ case TPM_CC_CreateLoaded:
++ return TSS_CheckSha1_PublicArea(&in->Create.inPublic.publicArea);
++ case TPM_CC_CreatePrimary:
++ return TSS_CheckSha1_PublicArea(&in->CreatePrimary.inPublic.publicArea);
++ case TPM_CC_GetCommandAuditDigest:
++ return TSS_CheckSha1_SigScheme(&in->GetCommandAuditDigest.inScheme);
++ case TPM_CC_GetSessionAuditDigest:
++ return TSS_CheckSha1_SigScheme(&in->GetSessionAuditDigest.inScheme);
++ case TPM_CC_GetTime:
++ return TSS_CheckSha1_SigScheme(&in->GetTime.inScheme);
++ case TPM_CC_Hash:
++ return in->Hash.hashAlg == TPM_ALG_SHA1;
++ case TPM_CC_HashSequenceStart:
++ return in->HashSequenceStart.hashAlg == TPM_ALG_SHA1;
++ case TPM_CC_HMAC:
++ return in->HMAC.hashAlg == TPM_ALG_SHA1;
++ case TPM_CC_HMAC_Start:
++ return in->HMAC_Start.hashAlg == TPM_ALG_SHA1;
++ case TPM_CC_Import:
++ return TSS_CheckSha1_PublicArea(&in->Import.objectPublic.publicArea);
++ case TPM_CC_LoadExternal:
++ return TSS_CheckSha1_PublicArea(&in->LoadExternal.inPublic.publicArea);
++ case TPM_CC_NV_Certify:
++ return TSS_CheckSha1_SigScheme(&in->NV_Certify.inScheme);
++ case TPM_CC_NV_DefineSpace:
++ return in->NV_DefineSpace.publicInfo.nvPublic.nameAlg == TPM_ALG_SHA1;
++ case TPM_CC_PolicySigned:
++ return in->PolicySigned.auth.signature.any.hashAlg == TPM_ALG_SHA1;
++ case TPM_CC_Quote:
++ return TSS_CheckSha1_SigScheme(&in->Quote.inScheme);
++ case TPM_CC_RSA_Decrypt:
++ return TSS_CheckSha1_SigScheme(&in->RSA_Decrypt.inScheme);
++ case TPM_CC_SetCommandCodeAuditStatus:
++ return in->SetCommandCodeAuditStatus.auditAlg == TPM_ALG_SHA1;
++ case TPM_CC_SetPrimaryPolicy:
++ return in->SetPrimaryPolicy.hashAlg == TPM_ALG_SHA1;
++ case TPM_CC_Sign:
++ return TSS_CheckSha1_SigScheme(&in->Sign.inScheme);
++ case TPM_CC_StartAuthSession:
++ return in->StartAuthSession.authHash == TPM_ALG_SHA1;
++ case TPM_CC_VerifySignature:
++ return in->VerifySignature.signature.signature.any.hashAlg == TPM_ALG_SHA1;
++ }
++
++ return 0;
++}
+ 
+ TPM_RC TSS_Execute20(TSS_CONTEXT *tssContext,
+ RESPONSE_PARAMETERS *out,
+@@ -687,11 +757,20 @@ TPM_RC TSS_Execute20(TSS_CONTEXT *tssContext,
+ va_list ap)
+ {
+ TPM_RC rc = 0;
+-
++
++#ifdef RESTRICTED_HASH_ALG
++ if (rc == 0) {
++ if (TSS_CheckSha1(in, commandCode)) {
++ rc = TPM_RC_HASH;
++ }
++ }
++#endif /* RESTRICTED_HASH_ALG */
++
+ /* create a TSS authorization context */
+ if (rc == 0) {
+ TSS_InitAuthContext(tssContext->tssAuthContext);
+ }
++
+ /* handle any command specific command pre-processing */
+ if (rc == 0) {
+ rc = TSS_Command_PreProcessor(tssContext,
+--
+2.34.1
+
diff --git a/SOURCES/0004-utils-Clean-up-certifyx509-memory-allocation.patch b/SOURCES/0004-utils-Clean-up-certifyx509-memory-allocation.patch
new file mode 100644
index 0000000..5b3c331
--- /dev/null
+++ b/SOURCES/0004-utils-Clean-up-certifyx509-memory-allocation.patch
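Review bot: In TSS_CheckSha1 the TPM_CC_CreateLoaded case returns `TSS_CheckSha1_PublicArea(&in->Create.inPublic.publicArea)`, reading the Create member of the COMMAND_PARAMETERS union for a different command, which looks like a copy-paste of the case above it. If CreateLoaded's inPublic is a TPM2B_TEMPLATE carrying a marshaled template, as the TPM 2.0 specification defines it, no unmarshaled nameAlg sits at that offset and a SHA-1 template passes the gate; the case needs a check that unmarshals the template (or `&in->CreateLoaded.inPublic.publicArea` if this TSS stores it as a TPM2B_PUBLIC — confirm against the header). `&in->RSA_Decrypt.inScheme` passed to TSS_CheckSha1_SigScheme is likewise a TPMT_RSA_DECRYPT rather than a TPMT_SIG_SCHEME, which compiles only as an incompatible-pointer conversion; `return in->RSA_Decrypt.inScheme.details.anySig.hashAlg == TPM_ALG_SHA1;` states the intent without relying on layout. The cryptoutils.c hunk drops the SHA-1 case from verifyRSASignatureFromRSA unconditionally while the tss20.c gate at the top of TSS_Execute20 (whose body continues past the hunk) is under `#ifdef RESTRICTED_HASH_ALG`, so a build without the define loses SHA-1 RSA verification yet still emits SHA-1 everywhere else; guarding the removed case with `#ifndef RESTRICTED_HASH_ALG` keeps the two consistent. TSS_CheckSha1_PublicArea also ignores keyedHash objects whose HMAC scheme hash is SHA-1, and the three new helpers have external linkage with no header declaration, so `static` is the safer default unless they are meant as public API.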
@@ -0,0 +1,111 @@ +From d77514273aa88f67b85c398a222ab2195c42f5fd Mon Sep 17 00:00:00 2001 +From: Ken Goldman +Date: Tue, 31 Aug 2021 13:45:21 -0400 +Subject: [PATCH 4/7] utils: Clean up certifyx509 memory allocation + +Make TPM_ADDTOCERT input const. Annotate malloc and free calls. Free +TPM_PARTIAL_CERT. Use TPM_ADDTOCERT_free. Remove unused +x509IssuerName and x509SubjectName and their frees. Free +TPM_PARTIAL_CERT issuer and subject because createX509Name() mallocs. + +Signed-off-by: Ken Goldman +--- + utils/certifyx509.c | 26 +++++++++++++++++--------- + 1 file changed, 17 insertions(+), 9 deletions(-) + +diff --git a/utils/certifyx509.c b/utils/certifyx509.c +index 5602f62..8ac5abd 100644 +--- a/utils/certifyx509.c ++++ b/utils/certifyx509.c +@@ -147,7 +147,7 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *certificate, + TPM_RC reformCertificate(X509 *x509Certificate, + TPMI_ALG_HASH halg, + TPMI_ALG_SIG_SCHEME scheme, +- TPM_ADDTOCERT *addToCert, ++ const TPM_ADDTOCERT *addToCert, + TPMT_SIGNATURE *tSignature); + TPM_RC addSignatureRsa(X509 *x509Certificate, + TPMI_ALG_HASH halg, +@@ -618,7 +618,7 @@ int main(int argc, char *argv[]) + if (rc == 0) { + if (verbose) X509_print_fp(stdout, x509Certificate); /* for debug */ + rc = convertX509ToDer(&x509DerLength, +- &x509Der, /* freed @2 */ ++ &x509Der, /* freed @4 */ + x509Certificate); + } + if ((rc == 0) && (outCertificateFilename != NULL)) { +@@ -628,8 +628,13 @@ int main(int argc, char *argv[]) + if (x509Certificate != NULL) { + X509_free(x509Certificate); /* @1 */ + } +- free(x509Der); /* @2 */ +- OPENSSL_free(addToCert); /* @3 */ ++ if (partialCertificate != NULL) { ++ TPM_PARTIAL_CERT_free(partialCertificate); /* @2 */ ++ } ++ if (addToCert != NULL) { ++ TPM_ADDTOCERT_free(addToCert); /* @3 */ ++ } ++ free(x509Der); /* @4 */ + return rc; + } + +@@ -683,8 +688,6 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate, /* input / + int irc; + ASN1_TIME *arc; /* return code */ + +- 
X509_NAME *x509IssuerName = NULL; /* composite issuer name, key/value pairs */ +- X509_NAME *x509SubjectName = NULL;/* composite subject name, key/value pairs */ + size_t issuerEntriesSize = sizeof(issuerEntries)/sizeof(char *); + size_t subjectEntriesSize = sizeof(subjectEntries)/sizeof(char *); + uint8_t *tmpPartialDer = NULL; /* for the i2d */ +@@ -693,6 +696,9 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate, /* input / + if (rc == 0) { + if (verbose) printf("createPartialCertificate: Adding issuer, size %lu\n", + (unsigned long)issuerEntriesSize); ++ /* _new allocates the member. free it because createX509Name() allocates a new structure */ ++ X509_NAME_free(partialCertificate->issuer); ++ partialCertificate->issuer = NULL; + rc = createX509Name(&partialCertificate->issuer, /* freed @1 */ + issuerEntriesSize, + issuerEntries); +@@ -746,6 +752,8 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate, /* input / + if (!subeqiss) { + if (verbose) printf("createPartialCertificate: Adding subject, size %lu\n", + (unsigned long)subjectEntriesSize); ++ X509_NAME_free(partialCertificate->subject); ++ partialCertificate->subject = NULL; + rc = createX509Name(&partialCertificate->subject, /* freed @2 */ + subjectEntriesSize, + subjectEntries); +@@ -754,6 +762,8 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate, /* input / + else { + if (verbose) printf("createPartialCertificate: Adding subject (issuer), size %lu\n", + (unsigned long)issuerEntriesSize); ++ X509_NAME_free(partialCertificate->subject); ++ partialCertificate->subject = NULL; + rc = createX509Name(&partialCertificate->subject, /* freed @2 */ + issuerEntriesSize, + issuerEntries); +@@ -806,8 +816,6 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate, /* input / + if (verbose) X509_print_fp(stdout, x509Certificate); + } + #endif +- X509_NAME_free(x509IssuerName); /* @1 */ +- X509_NAME_free(x509SubjectName); /* @2 */ + 
OPENSSL_free(tmpPartialDer); /* @3 */ + return rc; + } +@@ -956,7 +964,7 @@ TPM_RC addPartialCertExtensionTpmaOid(TPM_PARTIAL_CERT *partialCertificate, + TPM_RC reformCertificate(X509 *x509Certificate, + TPMI_ALG_HASH halg, + TPMI_ALG_SIG_SCHEME scheme, +- TPM_ADDTOCERT *addToCert, ++ const TPM_ADDTOCERT *addToCert, + TPMT_SIGNATURE *tSignature) + { + TPM_RC rc = 0; +-- +2.34.1 + diff --git a/SOURCES/0005-utils-Fix-errors-detected-by-gcc-asan.patch b/SOURCES/0005-utils-Fix-errors-detected-by-gcc-asan.patch new file mode 100644 index 0000000..1c20911 --- /dev/null +++ b/SOURCES/0005-utils-Fix-errors-detected-by-gcc-asan.patch 
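Review bot: The `/* freed @1 */` and `/* freed @2 */` annotations on the three createX509Name() calls in createPartialCertificate() no longer point at anything, because the `X509_NAME_free(x509IssuerName); /* @1 */` and `/* @2 */` lines are removed and the names are now released through TPM_PARTIAL_CERT_free() in main(). Change those call-site comments to `/* freed by TPM_PARTIAL_CERT_free() in caller */` and renumber `OPENSSL_free(tmpPartialDer); /* @3 */` to `/* @1 */` so the ownership trail in that function stays readable. The `X509_NAME_free(...); ... = NULL;` pair before each createX509Name() call is repeated three times, but only the issuer branch carries the explanatory comment; repeating a one-line version on the two subject branches would make the reason (the _new constructor already allocated the member) visible at each site. That TPM_PARTIAL_CERT_free() releases the issuer and subject members is inferred from the commit message rather than visible in the hunk.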
@@ -0,0 +1,91 @@ +From bcbc2f0400cfc2f596283e8c528aed4576bfea69 Mon Sep 17 00:00:00 2001 +From: Ken Goldman +Date: Fri, 3 Sep 2021 14:58:20 -0400 +Subject: [PATCH 5/7] utils: Fix errors detected by gcc asan + +In Uint32_Convert(), case the byte to uint32_t before the left shift +24 to suppress a warning. + +In TSS_EFI_GetNameIndex(), do not compare data if the length does not +match, because this could cause a buffer overflow. Test should be &&, +not &. + +TSS_Delete should only memset sessionData if the pointer is not NULL. + +Signed-off-by: Ken Goldman +--- + utils/efilib.c | 11 +++++++---- + utils/eventlib.c | 10 +++++----- + utils/tss.c | 6 ++++-- + 3 files changed, 16 insertions(+), 11 deletions(-) + +diff --git a/utils/efilib.c b/utils/efilib.c +index 201a1f5..ab8177b 100644 +--- a/utils/efilib.c ++++ b/utils/efilib.c +@@ -399,16 +399,19 @@ static void TSS_EFI_GetNameIndex(size_t *index, + const uint8_t *name, + uint64_t nameLength) /* half the total bytes in array */ + { +- int m1,m2; ++ int m1 = 0; ++ int m2 = 0; + for (*index = 0 ; + *index < sizeof(tagTable) / sizeof(TAG_TABLE) ; + (*index)++) { + + /* length match */ + m1 = (nameLength * 2) == tagTable[*index].nameLength; +- /* string match */ +- m2 = memcmp(name, tagTable[*index].name, (size_t)(nameLength * 2)) == 0; +- if (m1 & m2) { ++ if (m1) { ++ /* string match */ ++ m2 = memcmp(name, tagTable[*index].name, (size_t)(nameLength * 2)) == 0; ++ } ++ if (m1 && m2) { + return; + } + } +diff --git a/utils/eventlib.c b/utils/eventlib.c +index 0c2801c..c56a22f 100644 +--- a/utils/eventlib.c ++++ b/utils/eventlib.c +@@ -1346,12 +1346,12 @@ static uint32_t Uint32_Convert(uint32_t in) + { + uint32_t out = 0; + unsigned char *inb = (unsigned char *)∈ +- ++ + /* little endian input */ +- out = (inb[0] << 0) | +- (inb[1] << 8) | +- (inb[2] << 16) | +- (inb[3] << 24); ++ out = ((((uint32_t)inb[0]) << 0) | ++ (((uint32_t)inb[1]) << 8) | ++ (((uint32_t)inb[2]) << 16) | ++ (((uint32_t)inb[3]) << 24)); + return out; 
+ } + #endif /* TPM_TSS_NOFILE */ +diff --git a/utils/tss.c b/utils/tss.c +index 574c448..6f0eede 100644 +--- a/utils/tss.c ++++ b/utils/tss.c +@@ -179,8 +179,10 @@ TPM_RC TSS_Delete(TSS_CONTEXT *tssContext) + for (i = 0 ; i < (sizeof(tssContext->sessions) / sizeof(TSS_SESSIONS)) ; i++) { + tssContext->sessions[i].sessionHandle = TPM_RH_NULL; + /* erase any secrets */ +- memset(tssContext->sessions[i].sessionData, +- 0, tssContext->sessions[i].sessionDataLength); ++ if (tssContext->sessions[i].sessionData != NULL) { ++ memset(tssContext->sessions[i].sessionData, ++ 0, tssContext->sessions[i].sessionDataLength); ++ } + free(tssContext->sessions[i].sessionData); + tssContext->sessions[i].sessionData = NULL; + tssContext->sessions[i].sessionDataLength = 0; +-- +2.34.1 + diff --git a/SOURCES/0006-tss-Port-HMAC-operations-to-openssl-3.0.patch b/SOURCES/0006-tss-Port-HMAC-operations-to-openssl-3.0.patch new file mode 100644 index 0000000..8b47144 --- /dev/null +++ b/SOURCES/0006-tss-Port-HMAC-operations-to-openssl-3.0.patch 
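Review bot: The `memset()` that erases sessionData in TSS_Delete() is immediately followed by `free()`, so the compiler may drop the store as dead and the session secret can survive in freed memory; the added NULL guard does not change that. In the OpenSSL build use a zeroizing call that cannot be elided, e.g. `OPENSSL_cleanse(tssContext->sessions[i].sessionData, tssContext->sessions[i].sessionDataLength);` (or `explicit_bzero()` where available), keeping the NULL check in front of it. In TSS_EFI_GetNameIndex() the trailing `if (m1 && m2)` test is now redundant with the nesting; returning from inside the `if (m1)` block right after a successful memcmp() reads more directly and removes the m2 variable. The enclosing TSS_Delete() loop and the TSS_EFI_GetNameIndex() body both start outside the hunk.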
@@ -0,0 +1,103 @@ +From 7128994537a7103b25acb1df238db747d7cb3274 Mon Sep 17 00:00:00 2001 +From: Ken Goldman +Date: Fri, 10 Sep 2021 16:33:10 -0400 +Subject: [PATCH 6/7] tss: Port HMAC operations to openssl 3.0 + +Replace the deprecated APIs. + +- Compared to the next branch commit 6e22032d, changes related to HMAC are + ommited. + +Signed-off-by: Ken Goldman +--- + utils/tsscrypto.c | 58 ++++++++++++++++++++++++++++++----------------- + 1 file changed, 37 insertions(+), 21 deletions(-) + +diff --git a/utils/tsscrypto.c b/utils/tsscrypto.c +index 23d3b6e..1974563 100644 +--- a/utils/tsscrypto.c ++++ b/utils/tsscrypto.c +@@ -79,6 +79,7 @@ extern int tssVerbose; + + /* local prototypes */ + ++static TPM_RC TSS_Hash_GetOsslString(const char **str, TPMI_ALG_HASH hashAlg); + static TPM_RC TSS_Hash_GetMd(const EVP_MD **md, + TPMI_ALG_HASH hashAlg); + +@@ -129,36 +130,51 @@ TPM_RC TSS_Crypto_Init(void) + Digests + */ + +-static TPM_RC TSS_Hash_GetMd(const EVP_MD **md, +- TPMI_ALG_HASH hashAlg) ++/* TSS_Hash_GetString() maps from the TCG hash algorithm to the OpenSSL string */ ++ ++static TPM_RC TSS_Hash_GetOsslString(const char **str, TPMI_ALG_HASH hashAlg) + { +- TPM_RC rc = 0; ++ TPM_RC rc = 0; + +- if (rc == 0) { +- switch (hashAlg) { ++ switch (hashAlg) { + #ifdef TPM_ALG_SHA1 +- case TPM_ALG_SHA1: +- *md = EVP_get_digestbyname("sha1"); +- break; ++ case TPM_ALG_SHA1: ++ *str = "sha1"; ++ break; + #endif +-#ifdef TPM_ALG_SHA256 +- case TPM_ALG_SHA256: +- *md = EVP_get_digestbyname("sha256"); +- break; ++#ifdef TPM_ALG_SHA256 ++ case TPM_ALG_SHA256: ++ *str = "sha256"; ++ break; + #endif + #ifdef TPM_ALG_SHA384 +- case TPM_ALG_SHA384: +- *md = EVP_get_digestbyname("sha384"); +- break; ++ case TPM_ALG_SHA384: ++ *str = "sha384"; ++ break; + #endif + #ifdef TPM_ALG_SHA512 +- case TPM_ALG_SHA512: +- *md = EVP_get_digestbyname("sha512"); +- break; ++ case TPM_ALG_SHA512: ++ *str = "sha512"; ++ break; + #endif +- default: +- rc = TSS_RC_BAD_HASH_ALGORITHM; +- } ++ default: 
++ *str = NULL; ++ rc = TSS_RC_BAD_HASH_ALGORITHM; ++ } ++ return rc; ++} ++ ++static TPM_RC TSS_Hash_GetMd(const EVP_MD **md, ++ TPMI_ALG_HASH hashAlg) ++{ ++ TPM_RC rc = 0; ++ const char *str = NULL; ++ ++ if (rc == 0) { ++ rc = TSS_Hash_GetOsslString(&str, hashAlg); ++ } ++ if (rc == 0) { ++ *md = EVP_get_digestbyname(str); + } + return rc; + } +-- +2.34.1 + diff --git a/SOURCES/0007-utils-Port-to-openssl-3.0.0-replaces-RSA-with-EVP_PK.patch b/SOURCES/0007-utils-Port-to-openssl-3.0.0-replaces-RSA-with-EVP_PK.patch new file mode 100644 index 0000000..a1c7f1e --- /dev/null +++ b/SOURCES/0007-utils-Port-to-openssl-3.0.0-replaces-RSA-with-EVP_PK.patch 
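Review bot: `*md = EVP_get_digestbyname(str);` in the rewritten TSS_Hash_GetMd() is not checked, so a digest the linked OpenSSL does not provide (for instance when the provider that implements it is not loaded) returns rc == 0 together with a NULL *md to the callers. Add `if (*md == NULL) { rc = TSS_RC_BAD_HASH_ALGORITHM; }` directly after the lookup so the failure is reported where it occurs. The comment introducing the new helper says `TSS_Hash_GetString()` while the function is named TSS_Hash_GetOsslString(); the comment should use the real name. The patch subject still reads "Port HMAC operations to openssl 3.0" although its body states the HMAC-related changes were omitted, which is worth reconciling in the patch file.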
@@ -0,0 +1,1376 @@ +From de47f3c95f973fa8fc873287ca8927038d225aa8 Mon Sep 17 00:00:00 2001 +From: Ken Goldman +Date: Fri, 17 Sep 2021 19:04:39 -0400 +Subject: [PATCH 7/7] utils: Port to openssl 3.0.0 replaces RSA with EVP_PKEY + +The RSA structure is deprecated. This flows through all the +utilities, including the X509 public key handling, the PEM and DER +public and private key converters, the functions to convert to and +from the RSA bignums, the sign and encrypt functions. + +TODO are the equivalent updates for ECC and AES. + +- Compared to the next branch commit 65c77e87, changes related to HMAC are + ommited and a conflict is resolved. + +Signed-off-by: Ken Goldman +--- + utils/cryptoutils.c | 349 ++++++++++++++++++++++++++++++++++----- + utils/cryptoutils.h | 22 ++- + utils/efilib.c | 27 ++- + utils/ekutils.c | 50 ++++-- + utils/ekutils.h | 4 +- + utils/ibmtss/tsscrypto.h | 3 +- + utils/sign.c | 4 +- + utils/tsscrypto.c | 202 +++++++++++++++++++--- + 8 files changed, 572 insertions(+), 89 deletions(-) + +diff --git a/utils/cryptoutils.c b/utils/cryptoutils.c +index eb5f0d2..57eade7 100644 +--- a/utils/cryptoutils.c ++++ b/utils/cryptoutils.c +@@ -61,6 +61,9 @@ + #include + #include + #include ++#if OPENSSL_VERSION_NUMBER >= 0x30000000 ++#include ++#endif + + #ifndef TPM_TSS_NOECC + #include +@@ -75,6 +78,9 @@ + #include + #include + ++TPM_RC TSS_Hash_GetMd(const EVP_MD **md, ++ TPMI_ALG_HASH hashAlg); ++ + #include "objecttemplates.h" + #include "cryptoutils.h" + +@@ -283,7 +289,8 @@ TPM_RC convertPemToEvpPubKey(EVP_PKEY **evpPkey, /* freed by caller */ + The return is void because the structure is opaque to the caller. This accomodates other crypto + libraries. + +- rsaKey is an RSA structure ++ For Openssl < 3, rsaKey is an RSA structure. 
++ For Openssl 3, rsaKey is an EVP_PKEY, + */ + + TPM_RC convertPemToRsaPrivKey(void **rsaKey, /* freed by caller */ +@@ -297,7 +304,11 @@ TPM_RC convertPemToRsaPrivKey(void **rsaKey, /* freed by caller */ + rc = TSS_File_Open(&pemKeyFile, pemKeyFilename, "rb"); /* closed @1 */ + } + if (rc == 0) { ++#if OPENSSL_VERSION_NUMBER < 0x30000000 + *rsaKey = (void *)PEM_read_RSAPrivateKey(pemKeyFile, NULL, NULL, (void *)password); ++#else ++ *rsaKey = (void *)PEM_read_PrivateKey(pemKeyFile, NULL, NULL, (void *)password); ++#endif + if (*rsaKey == NULL) { + printf("convertPemToRsaPrivKey: Error in OpenSSL PEM_read_RSAPrivateKey()\n"); + rc = TSS_RC_PEM_ERROR; +@@ -334,6 +345,8 @@ TPM_RC convertEvpPkeyToEckey(EC_KEY **ecKey, /* freed by caller */ + #endif /* TPM_TSS_NOECC */ + #endif /* TPM_TPM20 */ + ++#if OPENSSL_VERSION_NUMBER < 0x30000000 ++ + /* convertEvpPkeyToRsakey() retrieves the RSA key token from the EVP_PKEY */ + + TPM_RC convertEvpPkeyToRsakey(RSA **rsaKey, /* freed by caller */ +@@ -350,6 +363,7 @@ TPM_RC convertEvpPkeyToRsakey(RSA **rsaKey, /* freed by caller */ + } + return rc; + } ++#endif + + #ifdef TPM_TPM20 + #ifndef TPM_TSS_NOECC +@@ -426,19 +440,26 @@ TPM_RC convertEcKeyToPrivateKeyBin(int *privateKeyBytes, + #endif /* TPM_TPM20 */ + + /* convertRsaKeyToPrivateKeyBin() converts an OpenSSL RSA key token private prime p to a binary +- array */ ++ array ++ ++ For Openssl < 3, rsaKey is an RSA structure. 
++ For Openssl 3, rsaKey is an EVP_PKEY, ++*/ + + TPM_RC convertRsaKeyToPrivateKeyBin(int *privateKeyBytes, + uint8_t **privateKeyBin, /* freed by caller */ ++#if OPENSSL_VERSION_NUMBER < 0x30000000 + const RSA *rsaKey) ++#else ++ const EVP_PKEY *rsaKey) ++#endif + { + TPM_RC rc = 0; + const BIGNUM *p = NULL; +- const BIGNUM *q; + + /* get the private primes */ + if (rc == 0) { +- rc = getRsaKeyParts(NULL, NULL, NULL, &p, &q, rsaKey); ++ rc = getRsaKeyParts(NULL, NULL, NULL, &p, NULL, rsaKey); /* freed @2 */ + } + /* allocate a buffer for the private key array */ + if (rc == 0) { +@@ -448,7 +469,10 @@ TPM_RC convertRsaKeyToPrivateKeyBin(int *privateKeyBytes, + /* convert the private key bignum to binary */ + if (rc == 0) { + BN_bn2bin(p, *privateKeyBin); +- } ++ } ++#if OPENSSL_VERSION_NUMBER >= 0x30000000 ++ BN_free((BIGNUM *)p); /* @2 */ ++#endif + return rc; + } + +@@ -500,7 +524,11 @@ TPM_RC convertEcKeyToPublicKeyBin(int *modulusBytes, + #endif /* TPM_TSS_NOECC */ + #endif /* TPM_TPM20 */ + +-/* convertRsaKeyToPublicKeyBin() converts from an openssl RSA key token to a public modulus */ ++/* convertRsaKeyToPublicKeyBin() converts from an openssl RSA key token to a public modulus ++ ++ For Openssl < 3, rsaKey is an RSA structure. 
++ For Openssl 3, rsaKey is an EVP_PKEY, ++*/ + + TPM_RC convertRsaKeyToPublicKeyBin(int *modulusBytes, + uint8_t **modulusBin, /* freed by caller */ +@@ -508,12 +536,10 @@ TPM_RC convertRsaKeyToPublicKeyBin(int *modulusBytes, + { + TPM_RC rc = 0; + const BIGNUM *n = NULL; +- const BIGNUM *e; +- const BIGNUM *d; + + /* get the public modulus from the RSA key token */ + if (rc == 0) { +- rc = getRsaKeyParts(&n, &e, &d, NULL, NULL, rsaKey); ++ rc = getRsaKeyParts(&n, NULL, NULL, NULL, NULL, rsaKey); + } + if (rc == 0) { + *modulusBytes = BN_num_bytes(n); +@@ -524,7 +550,10 @@ TPM_RC convertRsaKeyToPublicKeyBin(int *modulusBytes, + if (rc == 0) { + BN_bn2bin(n, *modulusBin); + } +- return rc; ++#if OPENSSL_VERSION_NUMBER >= 0x30000000 ++ BN_free((BIGNUM *)n); /* @2 */ ++#endif ++ return rc; + } + + #ifdef TPM_TPM20 +@@ -882,11 +911,18 @@ TPM_RC convertEcKeyToPrivate(TPM2B_PRIVATE *objectPrivate, + + /* convertRsaKeyToPrivate() converts an openssl RSA key token to either a TPM2B_PRIVATE or + TPM2B_SENSITIVE ++ ++ For Openssl < 3, rsaKey is an RSA structure. ++ For Openssl 3, rsaKey is an EVP_PKEY, + */ + + TPM_RC convertRsaKeyToPrivate(TPM2B_PRIVATE *objectPrivate, + TPM2B_SENSITIVE *objectSensitive, +- RSA *rsaKey, ++#if OPENSSL_VERSION_NUMBER < 0x30000000 ++ RSA *rsaKey, ++#else ++ EVP_PKEY *rsaKey, ++#endif + const char *password) + { + TPM_RC rc = 0; +@@ -957,7 +993,11 @@ TPM_RC convertEcKeyToPublic(TPM2B_PUBLIC *objectPublic, + + #ifdef TPM_TPM20 + +-/* convertRsaKeyToPublic() converts from an openssl RSA key token to a TPM2B_PUBLIC */ ++/* convertRsaKeyToPublic() converts from an openssl RSA key token to a TPM2B_PUBLIC ++ ++ For Openssl < 3, rsaKey is an RSA structure. 
++ For Openssl 3, rsaKey is an EVP_PKEY, ++*/ + + TPM_RC convertRsaKeyToPublic(TPM2B_PUBLIC *objectPublic, + int keyType, +@@ -1110,16 +1150,25 @@ TPM_RC convertRsaPemToKeyPair(TPM2B_PUBLIC *objectPublic, + { + TPM_RC rc = 0; + EVP_PKEY *evpPkey = NULL; ++#if OPENSSL_VERSION_NUMBER < 0x30000000 + RSA *rsaKey = NULL; +- ++#else ++ EVP_PKEY *rsaKey = NULL; ++#endif ++ + if (rc == 0) { + rc = convertPemToEvpPrivKey(&evpPkey, /* freed @1 */ + pemKeyFilename, + password); + } + if (rc == 0) { ++#if OPENSSL_VERSION_NUMBER < 0x30000000 + rc = convertEvpPkeyToRsakey(&rsaKey, /* freed @2 */ + evpPkey); ++#else ++ /* openssl 3.0.0 and up use the EVP_PKEY directly */ ++ rsaKey = evpPkey; ++#endif + } + if (rc == 0) { + rc = convertRsaKeyToPrivate(objectPrivate, /* TPM2B_PRIVATE */ +@@ -1135,10 +1184,12 @@ TPM_RC convertRsaPemToKeyPair(TPM2B_PUBLIC *objectPublic, + halg, + rsaKey); + } +- TSS_RsaFree(rsaKey); /* @2 */ + if (evpPkey != NULL) { + EVP_PKEY_free(evpPkey); /* @1 */ + } ++#if OPENSSL_VERSION_NUMBER < 0x30000000 ++ TSS_RsaFree(rsaKey); /* @2 */ ++#endif + return rc; + } + +@@ -1281,7 +1332,11 @@ TPM_RC convertRsaDerToKeyPair(TPM2B_PUBLIC *objectPublic, + const char *password) + { + TPM_RC rc = 0; ++#if OPENSSL_VERSION_NUMBER < 0x30000000 + RSA *rsaKey = NULL; ++#else ++ EVP_PKEY *rsaKey = NULL; ++#endif + unsigned char *derBuffer = NULL; + size_t derSize; + +@@ -1293,7 +1348,12 @@ TPM_RC convertRsaDerToKeyPair(TPM2B_PUBLIC *objectPublic, + } + if (rc == 0) { + const unsigned char *tmpPtr = derBuffer; /* because pointer moves */ ++#if OPENSSL_VERSION_NUMBER < 0x30000000 + rsaKey = d2i_RSAPrivateKey(NULL, &tmpPtr, (long)derSize); /* freed @2 */ ++#else ++ rsaKey = d2i_PrivateKey(EVP_PKEY_RSA, NULL, ++ &tmpPtr, (long)derSize); ++#endif + if (rsaKey == NULL) { + printf("convertRsaDerToKeyPair: could not convert key to RSA\n"); + rc = TPM_RC_VALUE; +@@ -1331,7 +1391,11 @@ TPM_RC convertRsaDerToPublic(TPM2B_PUBLIC *objectPublic, + const char *derKeyFilename) + { + TPM_RC 
rc = 0; ++#if OPENSSL_VERSION_NUMBER < 0x30000000 + RSA *rsaKey = NULL; ++#else ++ EVP_PKEY *rsaKey = NULL; ++#endif + unsigned char *derBuffer = NULL; + size_t derSize; + +@@ -1343,7 +1407,11 @@ TPM_RC convertRsaDerToPublic(TPM2B_PUBLIC *objectPublic, + } + if (rc == 0) { + const unsigned char *tmpPtr = derBuffer; /* because pointer moves */ ++#if OPENSSL_VERSION_NUMBER < 0x30000000 + rsaKey = d2i_RSA_PUBKEY(NULL, &tmpPtr, (long)derSize); /* freed @2 */ ++#else ++ rsaKey = d2i_PUBKEY(NULL, &tmpPtr, (long)derSize); ++#endif + if (rsaKey == NULL) { + printf("convertRsaDerToPublic: could not convert key to RSA\n"); + rc = TPM_RC_VALUE; +@@ -1362,13 +1430,6 @@ TPM_RC convertRsaDerToPublic(TPM2B_PUBLIC *objectPublic, + return rc; + } + +-#endif /* TPM_TSS_NORSA */ +-#endif /* TPM_TPM20 */ +-#endif /* TPM_TSS_NOFILE */ +- +-#ifndef TPM_TSS_NOFILE +-#ifdef TPM_TPM20 +- + /* convertRsaPemToPublic() converts an RSA public key in PEM format to a TPM2B_PUBLIC */ + + TPM_RC convertRsaPemToPublic(TPM2B_PUBLIC *objectPublic, +@@ -1380,15 +1441,24 @@ TPM_RC convertRsaPemToPublic(TPM2B_PUBLIC *objectPublic, + { + TPM_RC rc = 0; + EVP_PKEY *evpPkey = NULL; ++#if OPENSSL_VERSION_NUMBER < 0x30000000 + RSA *rsaKey = NULL; ++#else ++ EVP_PKEY *rsaKey = NULL; ++#endif + + if (rc == 0) { + rc = convertPemToEvpPubKey(&evpPkey, /* freed @1 */ + pemKeyFilename); + } + if (rc == 0) { ++#if OPENSSL_VERSION_NUMBER < 0x30000000 + rc = convertEvpPkeyToRsakey(&rsaKey, /* freed @2 */ + evpPkey); ++#else ++ /* openssl 3.0.0 and up use the EVP_PKEY directly */ ++ rsaKey = evpPkey; ++#endif + } + if (rc == 0) { + rc = convertRsaKeyToPublic(objectPublic, +@@ -1398,35 +1468,97 @@ TPM_RC convertRsaPemToPublic(TPM2B_PUBLIC *objectPublic, + halg, + rsaKey); + } +- RSA_free(rsaKey); /* @2 */ + if (evpPkey != NULL) { + EVP_PKEY_free(evpPkey); /* @1 */ + } ++#if OPENSSL_VERSION_NUMBER < 0x30000000 ++ TSS_RsaFree(rsaKey); /* @2 */ ++#endif + return rc; + } + ++#endif /* TPM_TSS_NORSA */ + #endif /* TPM_TPM20 
*/ + #endif /* TPM_TSS_NOFILE */ + + /* getRsaKeyParts() gets the RSA key parts from an OpenSSL RSA key token. + + If n is not NULL, returns n, e, and d. If p is not NULL, returns p and q. ++ ++ For openssl < 3.0.0, the bignums are references to the RSA key and should not be freed separately. ++ ++ For openssl >= 3.0.0, the bignums are allocated and must be freed. ++ ++ FIXME - is there a better way? + */ + + TPM_RC getRsaKeyParts(const BIGNUM **n, +- const BIGNUM **e, +- const BIGNUM **d, +- const BIGNUM **p, +- const BIGNUM **q, +- const RSA *rsaKey) ++ const BIGNUM **e, ++ const BIGNUM **d, ++ const BIGNUM **p, ++ const BIGNUM **q, ++#if OPENSSL_VERSION_NUMBER < 0x30000000 ++ const RSA *rsaKey) ++#else ++ const EVP_PKEY *rsaKey) ++#endif + { + TPM_RC rc = 0; ++#if OPENSSL_VERSION_NUMBER < 0x30000000 + if (n != NULL) { + RSA_get0_key(rsaKey, n, e, d); + } + if (p != NULL) { + RSA_get0_factors(rsaKey, p, q); + } ++#else ++ int irc; ++ if (rc == 0) { ++ if (n != NULL) { ++ irc = EVP_PKEY_get_bn_param(rsaKey, OSSL_PKEY_PARAM_RSA_N, (BIGNUM **)n); ++ if (irc != 1) { ++ printf("getRsaKeyParts: Error getting n\n"); ++ rc = TSS_RC_RSA_KEY_CONVERT; ++ } ++ } ++ } ++ if (rc == 0) { ++ if (e != NULL) { ++ irc = EVP_PKEY_get_bn_param(rsaKey, OSSL_PKEY_PARAM_RSA_E, (BIGNUM **)e); ++ if (irc != 1) { ++ printf("getRsaKeyParts: Error getting e\n"); ++ rc = TSS_RC_RSA_KEY_CONVERT; ++ } ++ } ++ } ++ if (rc == 0) { ++ if (d != NULL) { ++ irc = EVP_PKEY_get_bn_param(rsaKey, OSSL_PKEY_PARAM_RSA_D, (BIGNUM **)d); ++ if (irc != 1) { ++ printf("getRsaKeyParts: Error getting d\n"); ++ rc = TSS_RC_RSA_KEY_CONVERT; ++ } ++ } ++ } ++ if (rc == 0) { ++ if (p != NULL) { ++ irc = EVP_PKEY_get_bn_param(rsaKey, OSSL_PKEY_PARAM_RSA_FACTOR1, (BIGNUM **)p); ++ if (irc != 1) { ++ printf("getRsaKeyParts: Error getting p\n"); ++ rc = TSS_RC_RSA_KEY_CONVERT; ++ } ++ } ++ } ++ if (rc == 0) { ++ if (q != NULL) { ++ irc = EVP_PKEY_get_bn_param(rsaKey, OSSL_PKEY_PARAM_RSA_FACTOR2, (BIGNUM **)q); ++ if 
(irc != 1) { ++ printf("getRsaKeyParts: Error getting q\n"); ++ rc = TSS_RC_RSA_KEY_CONVERT; ++ } ++ } ++ } ++#endif + return rc; + } + +@@ -1501,11 +1633,16 @@ TPM_RC convertRsaPublicToEvpPubKey(EVP_PKEY **evpPubkey, /* freed by caller */ + const TPM2B_PUBLIC_KEY_RSA *tpm2bRsa) + { + TPM_RC rc = 0; ++ /* public exponent */ ++ unsigned char earr[3] = {0x01, 0x00, 0x01}; ++#if OPENSSL_VERSION_NUMBER < 0x30000000 + int irc; + RSA *rsaPubKey = NULL; +- ++#endif ++ ++#if OPENSSL_VERSION_NUMBER < 0x30000000 + if (rc == 0) { +- *evpPubkey = EVP_PKEY_new(); ++ *evpPubkey = EVP_PKEY_new(); /* freed by caller */ + if (*evpPubkey == NULL) { + printf("convertRsaPublicToEvpPubKey: EVP_PKEY failed\n"); + rc = TSS_RC_OUT_OF_MEMORY; +@@ -1513,10 +1650,10 @@ TPM_RC convertRsaPublicToEvpPubKey(EVP_PKEY **evpPubkey, /* freed by caller */ + } + /* TPM to RSA token */ + if (rc == 0) { +- /* public exponent */ +- unsigned char earr[3] = {0x01, 0x00, 0x01}; ++ /* For Openssl < 3, rsaKey is an RSA structure. */ ++ /* For Openssl 3, rsaKey is an EVP_PKEY. */ + rc = TSS_RSAGeneratePublicTokenI +- ((void **)&rsaPubKey, /* freed as part of EVP_PKEY */ ++ ((void **)&rsaPubKey, /* freed by caller */ + tpm2bRsa->t.buffer, /* public modulus */ + tpm2bRsa->t.size, + earr, /* public exponent */ +@@ -1526,11 +1663,24 @@ TPM_RC convertRsaPublicToEvpPubKey(EVP_PKEY **evpPubkey, /* freed by caller */ + if (rc == 0) { + irc = EVP_PKEY_assign_RSA(*evpPubkey, rsaPubKey); + if (irc == 0) { +- TSS_RsaFree(rsaPubKey); /* because not assigned tp EVP_PKEY */ ++ TSS_RsaFree(rsaPubKey); /* because not assigned to EVP_PKEY */ + printf("convertRsaPublicToEvpPubKey: EVP_PKEY_assign_RSA failed\n"); + rc = TSS_RC_RSA_KEY_CONVERT; + } + } ++#else /* FIXME this should always work? */ ++ /* TPM to RSA token */ ++ if (rc == 0) { ++ /* For Openssl < 3, rsaKey is an RSA structure. */ ++ /* For Openssl 3, rsaKey is an EVP_PKEY. 
*/ ++ rc = TSS_RSAGeneratePublicTokenI ++ ((void **)evpPubkey, /* freed by caller */ ++ tpm2bRsa->t.buffer, /* public modulus */ ++ tpm2bRsa->t.size, ++ earr, /* public exponent */ ++ sizeof(earr)); ++ } ++#endif + return rc; + } + +@@ -1828,8 +1978,9 @@ TPM_RC verifyRSASignatureFromEvpPubKey(unsigned char *message, + EVP_PKEY *evpPkey) + { + TPM_RC rc = 0; ++#if OPENSSL_VERSION_NUMBER < 0x30000000 + RSA *rsaPubKey = NULL; /* OpenSSL public key, RSA format */ +- ++ + /* construct the RSA key token */ + if (rc == 0) { + rsaPubKey = EVP_PKEY_get1_RSA(evpPkey); /* freed @1 */ +@@ -1838,6 +1989,9 @@ TPM_RC verifyRSASignatureFromEvpPubKey(unsigned char *message, + rc = TSS_RC_RSA_KEY_CONVERT; + } + } ++#else ++ EVP_PKEY *rsaPubKey = evpPkey; ++#endif + if (rc == 0) { + rc = verifyRSASignatureFromRSA(message, + messageSize, +@@ -1845,11 +1999,17 @@ TPM_RC verifyRSASignatureFromEvpPubKey(unsigned char *message, + halg, + rsaPubKey); + } ++#if OPENSSL_VERSION_NUMBER < 0x30000000 + TSS_RsaFree(rsaPubKey); /* @1 */ ++#endif + return rc; + } + +-/* signRSAFromRSA() signs digest to signature, using th4 RSA key rsaKey. */ ++/* signRSAFromRSA() signs digest to signature, using rsaKey. ++ ++ For Openssl < 3, rsaKey is an RSA structure. 
++ For Openssl 3, rsaKey is an EVP_PKEY, ++*/ + + TPM_RC signRSAFromRSA(uint8_t *signature, size_t *signatureLength, + size_t signatureSize, +@@ -1859,8 +2019,9 @@ TPM_RC signRSAFromRSA(uint8_t *signature, size_t *signatureLength, + { + TPM_RC rc = 0; + int irc; ++#if OPENSSL_VERSION_NUMBER < 0x30000000 + int nid; /* openssl hash algorithm */ +- ++ + /* map the hash algorithm to the openssl NID */ + if (rc == 0) { + switch (hashAlg) { +@@ -1903,6 +2064,54 @@ TPM_RC signRSAFromRSA(uint8_t *signature, size_t *signatureLength, + rc = TSS_RC_RSA_SIGNATURE; + } + } ++#else ++ EVP_PKEY_CTX *ctx = NULL; ++ const EVP_MD *md; ++ ++ if (rc == 0) { ++ ctx = EVP_PKEY_CTX_new(rsaKey, NULL); /* freed @1 */ ++ if (ctx == NULL) { ++ printf("signRSAFromRSA: Error in EVP_PKEY_CTX_new()\n"); ++ rc = TSS_RC_RSA_KEY_CONVERT; ++ } ++ } ++ if (rc == 0) { ++ irc = EVP_PKEY_sign_init(ctx); ++ if (irc != 1) { ++ printf("signRSAFromRSA: Error in EVP_PKEY_sign_init()\n"); ++ rc = TSS_RC_RSA_SIGNATURE; ++ } ++ } ++ if (rc == 0) { ++ rc = TSS_Hash_GetMd(&md, hashAlg); ++ } ++ if (rc == 0) { ++ irc = EVP_PKEY_CTX_set_signature_md(ctx, md); ++ if (irc <= 0) { ++ printf("signRSAFromRSA: Error in EVP_PKEY_CTX_set_signature_md()\n"); ++ rc = TSS_RC_RSA_SIGNATURE; ++ } ++ } ++ if (rc == 0) { ++ irc = EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING); ++ if (irc <= 0) { ++ printf("signRSAFromRSA: Error in EVP_PKEY_CTX_set_rsa_padding()\n"); ++ rc = TSS_RC_RSA_SIGNATURE; ++ } ++ } ++ if (rc == 0) { ++ size_t siglen = signatureSize; ++ irc = EVP_PKEY_sign(ctx, ++ signature, &siglen, ++ digest, (unsigned int)digestLength); ++ *signatureLength = siglen; ++ if (irc != 1) { ++ printf("signRSAFromRSA: Error in EVP_PKEY_sign()\n"); ++ rc = TSS_RC_RSA_SIGNATURE; ++ } ++ } ++ EVP_PKEY_CTX_free(ctx); /* @1 */ ++#endif + return rc; + } + +@@ -1910,6 +2119,9 @@ TPM_RC signRSAFromRSA(uint8_t *signature, size_t *signatureLength, + using the RSA public key in the OpenSSL RSA format. 
+ + Supports RSASSA and RSAPSS schemes. ++ ++ For Openssl < 3, rsaKey is an RSA structure. ++ For Openssl 3, rsaKey is an EVP_PKEY, + */ + + TPM_RC verifyRSASignatureFromRSA(unsigned char *message, +@@ -1920,9 +2132,10 @@ TPM_RC verifyRSASignatureFromRSA(unsigned char *message, + { + TPM_RC rc = 0; + int irc; ++ const EVP_MD *md = NULL; ++#if OPENSSL_VERSION_NUMBER < 0x30000000 + int nid = 0; /* initialized these two to suppress false gcc -O3 + warnings */ +- const EVP_MD *md = NULL; + /* map from hash algorithm to openssl nid */ + if (rc == 0) { + switch (halg) { +@@ -1989,8 +2202,68 @@ TPM_RC verifyRSASignatureFromRSA(unsigned char *message, + else { + printf("verifyRSASignatureFromRSA: Bad signature scheme %04x\n", + tSignature->sigAlg); ++ rc = TSS_RC_RSA_SIGNATURE; + } +- return rc; ++#else ++ EVP_PKEY_CTX *ctx = NULL; ++ ++ if (rc == 0) { ++ ctx = EVP_PKEY_CTX_new(rsaPubKey, NULL); /* freed @1 */ ++ if (ctx == NULL) { ++ printf("verifyRSAFSignatureromRSA: Error in EVP_PKEY_CTX_new()\n"); ++ rc = TSS_RC_RSA_KEY_CONVERT; ++ } ++ } ++ if (rc == 0) { ++ irc = EVP_PKEY_verify_init(ctx); ++ if (irc != 1) { ++ printf("verifyRSASignatureFromRSA: Error in EVP_PKEY_verify_init()\n"); ++ rc = TSS_RC_RSA_SIGNATURE; ++ } ++ } ++ if (rc == 0) { ++ rc = TSS_Hash_GetMd(&md, halg); ++ } ++ if (rc == 0) { ++ irc = EVP_PKEY_CTX_set_signature_md(ctx, md); ++ if (irc <= 0) { ++ printf("verifyRSASignatureFromRSA: Error in EVP_PKEY_CTX_set_signature_md()\n"); ++ rc = TSS_RC_RSA_SIGNATURE; ++ } ++ } ++ /* verify the signature */ ++ if (rc == 0) { ++ if (tSignature->sigAlg == TPM_ALG_RSASSA) { ++ irc = EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING); ++ } ++ else if (tSignature->sigAlg == TPM_ALG_RSAPSS) { ++ irc = EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PSS_PADDING); ++ } ++ else { ++ rc = TSS_RC_RSA_SIGNATURE; ++ printf("verifyRSASignatureFromRSA: Bad signature scheme %04x\n", ++ tSignature->sigAlg); ++ } ++ } ++ if (rc == 0) { ++ if (irc <= 0) { ++ 
printf("verifyRSASignatureFromRSA: Error in EVP_PKEY_CTX_set_rsa_padding()\n"); ++ rc = TSS_RC_RSA_SIGNATURE; ++ } ++ } ++ if (rc == 0) { ++ irc = EVP_PKEY_verify(ctx, ++ tSignature->signature.rsapss.sig.t.buffer, ++ tSignature->signature.rsapss.sig.t.size, ++ message, messageSize); ++ if (irc != 1) { ++ printf("verifyRSASignatureFromRSA: Error in EVP_PKEY_verify()\n"); ++ rc = TSS_RC_RSA_SIGNATURE; ++ } ++ } ++ EVP_PKEY_CTX_free(ctx); /* @1 */ ++#endif ++ return rc; + } + + #endif /* TPM_TSS_NORSA */ +diff --git a/utils/cryptoutils.h b/utils/cryptoutils.h +index 03452de..6809dea 100644 +--- a/utils/cryptoutils.h ++++ b/utils/cryptoutils.h +@@ -248,9 +248,10 @@ extern "C" { + + TPM_RC convertEvpPkeyToRsakey(RSA **rsaKey, + EVP_PKEY *evpPkey); +- TPM_RC convertRsaKeyToPrivateKeyBin(int *privateKeyBytes, ++#if OPENSSL_VERSION_NUMBER < 0x30000000 ++ TPM_RC convertRsaKeyToPrivateKeyBin(int *privateKeyBytes, + uint8_t **privateKeyBin, +- const RSA *rsaKey); ++ const RSA *rsaKey); + TPM_RC convertRsaKeyToPrivate(TPM2B_PRIVATE *objectPrivate, + TPM2B_SENSITIVE *objectSensitive, + RSA *rsaKey, +@@ -260,7 +261,22 @@ extern "C" { + const BIGNUM **d, + const BIGNUM **p, + const BIGNUM **q, +- const RSA *rsaKey); ++ const RSA *rsaKey); ++#else ++ TPM_RC convertRsaKeyToPrivateKeyBin(int *privateKeyBytes, ++ uint8_t **privateKeyBin, ++ const EVP_PKEY *rsaKey); ++ TPM_RC convertRsaKeyToPrivate(TPM2B_PRIVATE *objectPrivate, ++ TPM2B_SENSITIVE *objectSensitive, ++ EVP_PKEY *rsaKey, ++ const char *password); ++ TPM_RC getRsaKeyParts(const BIGNUM **n, ++ const BIGNUM **e, ++ const BIGNUM **d, ++ const BIGNUM **p, ++ const BIGNUM **q, ++ const EVP_PKEY *rsaKey); ++#endif + int getRsaPubkeyAlgorithm(EVP_PKEY *pkey); + TPM_RC convertRsaPublicToEvpPubKey(EVP_PKEY **evpPubkey, + const TPM2B_PUBLIC_KEY_RSA *tpm2bRsa); +diff --git a/utils/efilib.c b/utils/efilib.c +index ab8177b..afed9dd 100644 +--- a/utils/efilib.c ++++ b/utils/efilib.c +@@ -64,6 +64,7 @@ + #include + #include + #include 
++#include + + #include "eventlib.h" + #include "efilib.h" +@@ -4805,7 +4806,13 @@ static void TSS_EfiEventTag_Trace(TSST_EFIData *efiData) + uint32_t count; + TSS_UEFI_TAGGED_EVENT *taggedEventList = &efiData->efiData.taggedEventList; + #ifndef TPM_TSS_MBEDTLS +- RSA *rsaKey = NULL; ++#ifndef TPM_TSS_NORSA ++#if OPENSSL_VERSION_NUMBER < 0x30000000 ++ RSA *rsaKey = NULL; ++#else ++ EVP_PKEY *rsaKey = NULL; ++#endif ++#endif /* TPM_TSS_NORSA */ + #endif /* TPM_TSS_MBEDTLS */ + + printf(" tagged events %u\n", taggedEventList->count); +@@ -4815,17 +4822,25 @@ static void TSS_EfiEventTag_Trace(TSST_EFIData *efiData) + printf(" taggedEventID %08x\n", taggedEvent->taggedEventID); + /* https://github.com/mattifestation/TCGLogTools/blob/master/TCGLogTools.psm1 */ + /* by observation 0x00060002 appears to be a DER encoded public key */ +-#ifndef TPM_TSS_MBEDTLS ++#if ! defined TPM_TSS_MBEDTLS && ! defined TPM_TSS_NORSA + if (taggedEvent->taggedEventID == 0x00060002) { + const unsigned char *tmpData = NULL; + /* tmp pointer because d2i moves the pointer */ + tmpData = taggedEvent->taggedEventData; +- rsaKey = d2i_RSA_PUBKEY(NULL, &tmpData , taggedEvent->taggedEventDataSize); /* freed @2 */ ++#if OPENSSL_VERSION_NUMBER < 0x30000000 ++ rsaKey = d2i_RSA_PUBKEY(NULL, &tmpData ,taggedEvent->taggedEventDataSize); /* freed @2 */ ++#else ++ rsaKey = d2i_PUBKEY(NULL, &tmpData, (long)taggedEvent->taggedEventDataSize); ++#endif /* OPENSSL_VERSION_NUMBER */ + if (rsaKey != NULL) { /* success */ ++#if OPENSSL_VERSION_NUMBER < 0x30000000 + RSA_print_fp(stdout, rsaKey, 4); ++#else ++ EVP_PKEY_print_public_fp(stdout, rsaKey, 4, NULL); ++#endif /* OPENSSL_VERSION_NUMBER */ + } + if (rsaKey != NULL) { +- RSA_free(rsaKey); ++ TSS_RsaFree(rsaKey); /* @2 */ + } + } + /* if it's not 0x00060002 or if the d2i fails */ +@@ -4834,10 +4849,10 @@ static void TSS_EfiEventTag_Trace(TSST_EFIData *efiData) + TSS_PrintAll(" taggedEvent", + taggedEvent->taggedEventData, taggedEvent->taggedEventDataSize); + } 
+-#else
++#else /* TPM_TSS_MBEDTLS or TPM_TSS_NORSA */
+ TSS_PrintAll(" taggedEvent",
+ taggedEvent->taggedEventData, taggedEvent->taggedEventDataSize);
+-#endif /* TPM_TSS_MBEDTLS */
++#endif /* TPM_TSS_MBEDTLS TPM_TSS_NORSA */
+ }
+ return;
+ }
+diff --git a/utils/ekutils.c b/utils/ekutils.c
+index a0a2734..cb7f938 100644
+--- a/utils/ekutils.c
++++ b/utils/ekutils.c
+@@ -567,9 +567,12 @@ TPM_RC getIndexX509Certificate(TSS_CONTEXT *tssContext,
+ certificate stored in a file.
+ 
+ Returns both the OpenSSL X509 certificate token and RSA public key token.
++
++ For Openssl < 3, rsaKey is an RSA structure.
++ For Openssl 3, rsaKey is an EVP_PKEY,
+ */
+ 
+-uint32_t getPubkeyFromDerCertFile(RSA **rsaPkey,
++uint32_t getPubkeyFromDerCertFile(void **rsaPkey, /* freed by caller */
+ X509 **x509,
+ const char *derCertificateFileName)
+ {
+@@ -594,7 +597,7 @@ uint32_t getPubkeyFromDerCertFile(RSA **rsaPkey,
+ }
+ /* extract the OpenSSL format public key from the X509 token */
+ if (rc == 0) {
+- rc = getPubKeyFromX509Cert(rsaPkey, *x509);
++ rc = getPubKeyFromX509Cert(rsaPkey, *x509); /* freed by caller */
+ }
+ /* for debug, print the X509 certificate */
+ if (rc == 0) {
+@@ -612,9 +615,13 @@ uint32_t getPubkeyFromDerCertFile(RSA **rsaPkey,
+ #ifndef TPM_TSS_NORSA
+ 
+ /* getPubKeyFromX509Cert() gets an OpenSSL RSA public key token from an OpenSSL X509 certificate
+- token. */
++ token.
++
++ For Openssl < 3, rsaKey is an RSA structure.
++ For Openssl 3, rsaKey is an EVP_PKEY,
++*/
+ 
+-uint32_t getPubKeyFromX509Cert(RSA **rsaPkey,
++uint32_t getPubKeyFromX509Cert(void **rsaPkey,
+ X509 *x509)
+ {
+ uint32_t rc = 0;
+@@ -623,20 +630,24 @@ uint32_t getPubKeyFromX509Cert(RSA **rsaPkey,
+ if (rc == 0) {
+ evpPkey = X509_get_pubkey(x509); /* freed @1 */
+ if (evpPkey == NULL) {
+- printf("getPubKeyFromX509Cert: X509_get_pubkey failed\n");
++ printf("getPubKeyFromX509Cert: X509_get_pubkey failed\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
++#if OPENSSL_VERSION_NUMBER < 0x30000000
+ if (rc == 0) {
+ *rsaPkey = EVP_PKEY_get1_RSA(evpPkey);
+ if (*rsaPkey == NULL) {
+- printf("getPubKeyFromX509Cert: EVP_PKEY_get1_RSA failed\n");
++ printf("getPubKeyFromX509Cert: EVP_PKEY_get1_RSA failed\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ if (evpPkey != NULL) {
+ EVP_PKEY_free(evpPkey); /* @1 */
+ }
++#else
++ *rsaPkey = evpPkey;
++#endif
+ return rc;
+ }
+ #endif /* TPM_TSS_NORSA */
+@@ -1105,8 +1116,8 @@ TPM_RC convertX509ToEc(EC_KEY **ecKey, /* freed by caller */
+ 
+ If print is true, prints the EK certificate
+ 
+- The return is void because the structure is opaque to the caller. This accomodates other crypto
+- libraries.
++ The ekCertificate return is void because the structure is opaque to the caller. This
++ accommodates other crypto libraries.
+ 
+ ekCertificate is an X509 structure.
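Review bot: The OpenSSL 3 branch of getPubKeyFromX509Cert() (`*rsaPkey = evpPkey;`) drops the algorithm check that the < 3 branch gets for free from `EVP_PKEY_get1_RSA()`, which fails for a non-RSA key; on OpenSSL 3 a certificate carrying an EC or other key is now handed back through the `void **` parameter that the function's own comment says is an RSA token, and a caller treating it as RSA would only find out later, if at all. Rejecting other algorithms with `EVP_PKEY_base_id()` keeps the contract identical across both builds. The freed-at-@1 bookkeeping also needs a counterpart on this branch for the rejected case, as below. The function's updated comment could then say `For Openssl 3, rsaKey is an EVP_PKEY holding an RSA public key.` instead of the trailing comma it has now.
```c
#else
    /* keep the RSA-only contract of the < 3 branch: reject other key algorithms */
    if (rc == 0) {
        if (EVP_PKEY_base_id(evpPkey) != EVP_PKEY_RSA) {
            printf("getPubKeyFromX509Cert: public key is not RSA\n");
            EVP_PKEY_free(evpPkey); /* @1 */
            rc = TSS_RC_X509_ERROR;
        }
    }
    if (rc == 0) {
        *rsaPkey = evpPkey;
    }
#endif
```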
+ */
+@@ -1158,7 +1169,11 @@ TPM_RC convertCertificatePubKey(uint8_t **modulusBin, /* freed by caller */
+ case EK_CERT_RSA_3072_INDEX_H6:
+ case EK_CERT_RSA_4096_INDEX_H7:
+ {
++#if OPENSSL_VERSION_NUMBER < 0x30000000
+ RSA *rsaKey = NULL;
++#else
++ EVP_PKEY *rsaKey = NULL;
++#endif
+ /* check that the public key algorithm matches the ekCertIndex algorithm */
+ if (rc == 0) {
+ if (pkeyType != EVP_PKEY_RSA) {
+@@ -1169,12 +1184,16 @@ TPM_RC convertCertificatePubKey(uint8_t **modulusBin, /* freed by caller */
+ }
+ /* convert the public key to OpenSSL structure */
+ if (rc == 0) {
++#if OPENSSL_VERSION_NUMBER < 0x30000000
+ rsaKey = EVP_PKEY_get1_RSA(pkey); /* freed @3 */
+ if (rsaKey == NULL) {
+ printf("convertCertificatePubKey: Could not extract RSA public key "
+ "from X509 certificate\n");
+ rc = TPM_RC_INTEGRITY;
+ }
++#else /* use the EVP_PKEY directly */
++ rsaKey = pkey;
++#endif
+ }
+ if (rc == 0) {
+ rc = convertRsaKeyToPublicKeyBin(modulusBytes,
+@@ -1185,7 +1204,9 @@ TPM_RC convertCertificatePubKey(uint8_t **modulusBin, /* freed by caller */
+ if (print) TSS_PrintAll("Certificate public key:",
+ *modulusBin, *modulusBytes);
+ }
++#if OPENSSL_VERSION_NUMBER < 0x30000000
+ RSA_free(rsaKey); /* @3 */
++#endif
+ }
+ break;
+ #endif /* TPM_TSS_NORSA */
+@@ -1254,7 +1275,11 @@ TPM_RC convertCertificatePubKey12(uint8_t **modulusBin, /* freed by caller */
+ const unsigned char *pk = NULL; /* do not free */
+ int ppklen;
+ X509_ALGOR *palg = NULL; /* algorithm identifier for public key */
++#if OPENSSL_VERSION_NUMBER < 0x30000000
+ RSA *rsaKey = NULL;
++#else
++ EVP_PKEY *rsaKey = NULL;
++#endif
+ 
+ /* get internal pointer to the public key in the certificate */
+ if (rc == 0) {
+@@ -1278,7 +1303,12 @@ TPM_RC convertCertificatePubKey12(uint8_t **modulusBin, /* freed by caller */
+ }
+ if (rc == 0) {
+ const unsigned char *tmppk = pk; /* because d2i moves the pointer */
++#if OPENSSL_VERSION_NUMBER < 0x30000000
+ rsaKey = d2i_RSAPublicKey(NULL, &tmppk, ppklen); /* freed @1 */
++#else
++ rsaKey = d2i_PublicKey(EVP_PKEY_RSA, NULL,
++ &tmppk, (long)ppklen);
++#endif
+ if (rsaKey == NULL) {
+ printf("convertCertificatePubKey12: Could not convert to RSA structure\n");
+ rc = TPM_RC_INTEGRITY;
+@@ -1290,9 +1320,7 @@ TPM_RC convertCertificatePubKey12(uint8_t **modulusBin, /* freed by caller */
+ rsaKey);
+ TSS_PrintAll("convertCertificatePubKey12", *modulusBin, *modulusBytes);
+ }
+- if (rsaKey != NULL) {
+- RSA_free(rsaKey); /* @1 */
+- }
++ TSS_RsaFree(rsaKey); /* @1 */
+ return rc;
+ }
+ 
+diff --git a/utils/ekutils.h b/utils/ekutils.h
+index f37b7d2..18b0e48 100644
+--- a/utils/ekutils.h
++++ b/utils/ekutils.h
+@@ -218,10 +218,10 @@ extern "C" {
+ #ifndef TPM_TSS_NO_OPENSSL
+ 
+ 
+- uint32_t getPubkeyFromDerCertFile(RSA **rsaPkey,
++ uint32_t getPubkeyFromDerCertFile(void **rsaPkey,
+ X509 **x509,
+ const char *derCertificateFileName);
+- uint32_t getPubKeyFromX509Cert(RSA **rsaPkey,
++ uint32_t getPubKeyFromX509Cert(void **rsaPkey,
+ X509 *x509);
+ TPM_RC getCaStore(X509_STORE **caStore,
+ X509 *caCert[],
+diff --git a/utils/ibmtss/tsscrypto.h b/utils/ibmtss/tsscrypto.h
+index 5bf5591..30d2ef1 100644
+--- a/utils/ibmtss/tsscrypto.h
++++ b/utils/ibmtss/tsscrypto.h
+@@ -4,7 +4,7 @@
+ /* Written by Ken Goldman */
+ /* IBM Thomas J. Watson Research Center */
+ /* */
+-/* (c) Copyright IBM Corporation 2015 - 2019. */
++/* (c) Copyright IBM Corporation 2015 - 2021. */
+ /* */
+ /* All rights reserved. */
+ /* */
+@@ -107,6 +107,7 @@ extern "C" {
+ LIB_EXPORT
+ TPM_RC TSS_RsaNew(void **rsaKey);
+ 
++ /* deprecated */
+ LIB_EXPORT
+ TPM_RC TSS_RSAGeneratePublicToken(RSA **rsa_pub_key, /* freed by caller */
+ const unsigned char *narr, /* public modulus */
+diff --git a/utils/sign.c b/utils/sign.c
+index 0635366..ba2be27 100644
+--- a/utils/sign.c
++++ b/utils/sign.c
+@@ -4,7 +4,7 @@
+ /* Written by Ken Goldman */
+ /* IBM Thomas J. Watson Research Center */
+ /* */
+-/* (c) Copyright IBM Corporation 2015 - 2019. */
++/* (c) Copyright IBM Corporation 2015 - 2021. */
+ /* */
+ /* All rights reserved. */
+ /* */
+@@ -426,6 +426,8 @@ int main(int argc, char *argv[])
+ /* construct the OpenSSL RSA public key token */
+ if (rc == 0) {
+ unsigned char earr[3] = {0x01, 0x00, 0x01};
++ /* For Openssl < 3, rsaKey is an RSA structure. */
++ /* For Openssl 3, rsaKey is an EVP_PKEY. */
+ rc = TSS_RSAGeneratePublicTokenI
+ (&rsaPubKey, /* freed @2 */
+ public.publicArea.unique.rsa.t.buffer, /* public modulus */
+diff --git a/utils/tsscrypto.c b/utils/tsscrypto.c
+index 1974563..2efddfc 100644
+--- a/utils/tsscrypto.c
++++ b/utils/tsscrypto.c
+@@ -5,7 +5,7 @@
+ /* IBM Thomas J. Watson Research Center */
+ /* ECC Salt functions written by Bill Martin */
+ /* */
+-/* (c) Copyright IBM Corporation 2015 - 2019. */
++/* (c) Copyright IBM Corporation 2015 - 2021. */
+ /* */
+ /* All rights reserved. */
+ /* */
+@@ -37,7 +37,7 @@
+ /* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+ /********************************************************************************/
+ 
+-/* Interface to OpenSSL version 1.0 or 1.1 crypto library */
++/* Interface to OpenSSL version 1.0.2, 1.1.1, 3.0.0 crypto library */
+ 
+ #include
+ #include
+@@ -59,6 +59,10 @@
+ #include
+ #include
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x30000000
++#include
++#endif
++
+ #include
+ #include
+ #include
+@@ -67,6 +71,9 @@
+ #include
+ #include
+ 
++TPM_RC TSS_Hash_GetMd(const EVP_MD **md,
++ TPMI_ALG_HASH hashAlg);
++
+ extern int tssVverbose;
+ extern int tssVerbose;
+ 
+@@ -80,8 +87,6 @@ extern int tssVerbose;
+ /* local prototypes */
+ 
+ static TPM_RC TSS_Hash_GetOsslString(const char **str, TPMI_ALG_HASH hashAlg);
+-static TPM_RC TSS_Hash_GetMd(const EVP_MD **md,
+- TPMI_ALG_HASH hashAlg);
+ 
+ #ifndef TPM_TSS_NOECC
+ 
+@@ -164,8 +169,8 @@ static TPM_RC TSS_Hash_GetOsslString(const char **str, TPMI_ALG_HASH hashAlg)
+ return rc;
+ }
+ 
+-static TPM_RC TSS_Hash_GetMd(const EVP_MD **md,
+- TPMI_ALG_HASH hashAlg)
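Review bot: `TPM_RC TSS_Hash_GetMd(const EVP_MD **md, TPMI_ALG_HASH hashAlg);` in the `@@ -67,6 +71,9 @@` hunk is an external-linkage prototype placed in tsscrypto.c rather than in a header, while the `static` is removed from the local prototype in the `@@ -80,8 +87,6 @@` hunk and from the definition in the `@@ -164,8 +169,8 @@` hunk. If another translation unit now needs this function, the declaration belongs in tsscrypto.h, which this patch already edits, with the `LIB_EXPORT` marker the neighbouring declarations carry if it is meant to be part of the library API; if nothing outside the file calls it, keeping it `static` avoids exporting a new symbol. A one-line comment above the prototype naming the caller that requires it would explain why the function stopped being private.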
++TPM_RC TSS_Hash_GetMd(const EVP_MD **md,
++ TPMI_ALG_HASH hashAlg)
+ {
+ TPM_RC rc = 0;
+ const char *str = NULL;
+@@ -352,7 +357,8 @@ TPM_RC TSS_RandBytes(unsigned char *buffer, uint32_t size)
+ 
+ This abstracts the crypto library specific allocation.
+ 
+- For Openssl, rsaKey is an RSA structure.
++ For Openssl < 3, rsaKey is an RSA structure.
++ For Openssl 3, rsaKey is an EVP_PKEY,
+ */
+ 
+ TPM_RC TSS_RsaNew(void **rsaKey)
+@@ -369,6 +375,7 @@ TPM_RC TSS_RsaNew(void **rsaKey)
+ }
+ }
+ /* construct the OpenSSL private key object */
++#if OPENSSL_VERSION_NUMBER < 0x30000000
+ if (rc == 0) {
+ *rsaKey = RSA_new(); /* freed by caller */
+ if (*rsaKey == NULL) {
+@@ -376,20 +383,36 @@ TPM_RC TSS_RsaNew(void **rsaKey)
+ rc = TSS_RC_RSA_KEY_CONVERT;
+ }
+ }
++#else
++ if (rc == 0) {
++ *rsaKey = EVP_PKEY_new();
++ if (*rsaKey == NULL) {
++ if (tssVerbose) printf("TSS_RsaNew: Error in EVP_PKEY_new()\n");
++ rc = TSS_RC_RSA_KEY_CONVERT;
++ }
++ }
++ if (rc == 0) {
++ }
++#endif
+ return rc;
+ }
+ 
+ /* TSS_RsaFree() frees an openssl RSA key token.
+ 
+ This abstracts the crypto library specific free.
+-
+- For Openssl, rsaKey is an RSA structure.
++
++ For Openssl < 3, rsaKey is an RSA structure.
++ For Openssl 3, rsaKey is an EVP_PKEY,
+ */
+ 
+ void TSS_RsaFree(void *rsaKey)
+ {
+ if (rsaKey != NULL) {
++#if OPENSSL_VERSION_NUMBER < 0x30000000
+ RSA_free(rsaKey);
++#else
++ EVP_PKEY_free(rsaKey);
++#endif
+ }
+ return;
+ }
+@@ -418,42 +441,122 @@ TPM_RC TSS_RSAGeneratePublicToken(RSA **rsa_pub_key, /* freed by caller */
+ /* TSS_RSAGeneratePublicTokenI() generates an RSA key token from n and e
+ 
+ Free rsa_pub_key using TSS_RsaFree();
++
++ For Openssl < 3, rsaKey is an RSA structure.
++ For Openssl 3, rsaKey is an EVP_PKEY.
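Review bot: The OpenSSL 3 branch of TSS_RsaNew() in the `@@ -376,20 +383,36 @@` hunk ends with an empty `if (rc == 0) { }` block, which reads as an unfinished step and should be deleted. `EVP_PKEY_new()` returns an EVP_PKEY with no key material, and the `/* freed by caller */` annotation the < 3 branch carries on `RSA_new()` is missing here; since TSS_RSAGeneratePublicTokenI() in the next hunk no longer calls TSS_RsaNew() on OpenSSL 3, this path appears to hand an empty key to whatever callers remain, and the function comment should say so, e.g. `For Openssl 3, rsaKey is an empty EVP_PKEY that the caller must populate.` The same comment, and the one on TSS_RsaFree(), ends `is an EVP_PKEY,` with a comma where a period is intended.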
+ */ + + TPM_RC TSS_RSAGeneratePublicTokenI(void **rsa_pub_key, /* freed by caller */ +- const unsigned char *narr, /* public modulus */ ++ const unsigned char *narr, /* public modulus */ + uint32_t nbytes, +- const unsigned char *earr, /* public exponent */ ++ const unsigned char *earr, /* public exponent */ + uint32_t ebytes) + { + TPM_RC rc = 0; ++#if OPENSSL_VERSION_NUMBER >= 0x10100000 ++ int irc; ++#endif + BIGNUM * n = NULL; + BIGNUM * e = NULL; ++#if OPENSSL_VERSION_NUMBER < 0x30000000 + RSA ** rsaPubKey = (RSA **)rsa_pub_key; /* openssl specific structure */ ++#else ++ EVP_PKEY_CTX *ctx = NULL; ++ OSSL_PARAM_BLD *param_bld = NULL; ++ OSSL_PARAM *params = NULL; ++#endif + + /* construct the OpenSSL private key object */ ++#if OPENSSL_VERSION_NUMBER < 0x30000000 + if (rc == 0) { +- rc = TSS_RsaNew(rsa_pub_key); +- } +- if (rc == 0) { +- rc = TSS_bin2bn(&n, narr, nbytes); /* freed by caller */ ++ rc = TSS_RsaNew(rsa_pub_key); /* freed by caller */ + } ++#endif + if (rc == 0) { +- rc = TSS_bin2bn(&e, earr, ebytes); /* freed by caller */ +- } ++ rc = TSS_bin2bn(&n, narr, nbytes); /* freed by caller, < 3.0.0 */ ++ } /* freed @4, 3.0.0 */ + if (rc == 0) { ++ rc = TSS_bin2bn(&e, earr, ebytes); /* freed by caller, < 3.0.0 */ ++ } /* freed @5, 3.0.0 */ + #if OPENSSL_VERSION_NUMBER < 0x10100000 ++ if (rc == 0) { + (*rsaPubKey)->n = n; + (*rsaPubKey)->e = e; + (*rsaPubKey)->d = NULL; +-#else +- int irc = RSA_set0_key(*rsaPubKey, n, e, NULL); ++ } ++#elif OPENSSL_VERSION_NUMBER < 0x30000000 ++ if (rc == 0) { ++ irc = RSA_set0_key(*rsaPubKey, n, e, NULL); + if (irc != 1) { + if (tssVerbose) printf("TSS_RSAGeneratePublicTokenI: Error in RSA_set0_key()\n"); + rc = TSS_RC_RSA_KEY_CONVERT; + } +-#endif + } ++#else ++ if (rc == 0) { ++ param_bld = OSSL_PARAM_BLD_new(); /* freed @2 */ ++ if (param_bld == NULL) { ++ if (tssVerbose) printf("TSS_RSAGeneratePublicTokenI: Error in OSSL_PARAM_BLD_new()\n"); ++ rc = TSS_RC_RSA_KEY_CONVERT; ++ } ++ } ++ if (rc == 0) { ++ irc = 
OSSL_PARAM_BLD_push_BN(param_bld, "n", n); ++ if (irc != 1) { ++ if (tssVerbose) printf("TSS_RSAGeneratePublicTokenI: " ++ "Error in OSSL_PARAM_BLD_push_BN()\n"); ++ rc = TSS_RC_RSA_KEY_CONVERT; ++ } ++ } ++ if (rc == 0) { ++ irc = OSSL_PARAM_BLD_push_BN(param_bld, "e", e); ++ if (irc != 1) { ++ if (tssVerbose) printf("TSS_RSAGeneratePublicTokenI: " ++ "Error in OSSL_PARAM_BLD_push_BN()\n"); ++ rc = TSS_RC_RSA_KEY_CONVERT; ++ } ++ } ++ if (rc == 0) { ++ params = OSSL_PARAM_BLD_to_param(param_bld); /* freed @3 */ ++ if (params == NULL) { ++ if (tssVerbose) printf("TSS_RSAGeneratePublicTokenI: " ++ "Error in OSSL_PARAM_BLD_to_param()\n"); ++ rc = TSS_RC_RSA_KEY_CONVERT; ++ } ++ } ++ if (rc == 0) { ++ ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL); /* freed @1 */ ++ if (ctx == NULL) { ++ if (tssVerbose) printf("TSS_RSAGeneratePublicTokenI: " ++ "Error in EVP_PKEY_CTX_new_from_name()\n"); ++ rc = TSS_RC_RSA_KEY_CONVERT; ++ } ++ } ++ if (rc == 0) { ++ irc = EVP_PKEY_fromdata_init(ctx); ++ if (irc != 1) { ++ if (tssVerbose) printf("TSS_RSAGeneratePublicTokenI: " ++ "Error in EVP_PKEY_fromdata_init()\n"); ++ rc = TSS_RC_RSA_KEY_CONVERT; ++ } ++ } ++ if (rc == 0) { ++ irc = EVP_PKEY_fromdata(ctx, (EVP_PKEY **)rsa_pub_key, /* freed by caller */ ++ EVP_PKEY_PUBLIC_KEY, params); ++ if (irc != 1) { ++ if (tssVerbose) printf("TSS_RSAGeneratePublicTokenI: " ++ "Error in OSSL_PARAM_BLD_push_BN()\n"); ++ rc = TSS_RC_RSA_KEY_CONVERT; ++ } ++ } ++ OSSL_PARAM_free(params); /* @3 */ ++ OSSL_PARAM_BLD_free(param_bld); /* @2 */ ++ EVP_PKEY_CTX_free(ctx); /* @1 */ ++ /* for openssl < 3.0.0, n and e are part of the RSA structure, freed with it. For 3.0.0 and up, ++ they're copied to the EVP_PKEY, so the parts are freed here. 
*/ ++ BN_free(n); /* @4 */ ++ BN_free(e); /* @5 */ ++#endif + return rc; + } + +@@ -475,7 +578,12 @@ TPM_RC TSS_RSAPublicEncrypt(unsigned char *encrypt_data, /* encrypted data */ + { + TPM_RC rc = 0; + int irc; ++#if OPENSSL_VERSION_NUMBER < 0x30000000 + RSA *rsa_pub_key = NULL; ++#else ++ EVP_PKEY *rsa_pub_key = NULL; ++ EVP_PKEY_CTX *ctx = NULL; ++#endif + unsigned char *padded_data = NULL; + + if (tssVverbose) printf(" TSS_RSAPublicEncrypt: Input data size %lu\n", +@@ -486,12 +594,16 @@ TPM_RC TSS_RSAPublicEncrypt(unsigned char *encrypt_data, /* encrypted data */ + } + /* construct the OpenSSL public key object */ + if (rc == 0) { +- rc = TSS_RSAGeneratePublicTokenI((void **)&rsa_pub_key, /* freed @1 */ ++ /* For Openssl < 3, rsaKey is an RSA structure. */ ++ /* For Openssl 3, rsaKey is an EVP_PKEY, */ ++ rc = TSS_RSAGeneratePublicTokenI((void **)&rsa_pub_key, /* freed @3 */ + narr, /* public modulus */ + nbytes, + earr, /* public exponent */ + ebytes); + } ++ /* Must pad first and then encrypt because the encrypt call cannot specify an encoding ++ parameter */ + if (rc == 0) { + padded_data[0] = 0x00; + rc = TSS_RSA_padding_add_PKCS1_OAEP(padded_data, /* to */ +@@ -508,25 +620,61 @@ TPM_RC TSS_RSAPublicEncrypt(unsigned char *encrypt_data, /* encrypted data */ + (unsigned long)encrypt_data_size); + if (tssVverbose) TSS_PrintAll(" TPM_RSAPublicEncrypt: Padded data", padded_data, + (uint32_t)encrypt_data_size); +- /* encrypt with public key. Must pad first and then encrypt because the encrypt +- call cannot specify an encoding parameter */ ++ } ++#if OPENSSL_VERSION_NUMBER < 0x30000000 ++ if (rc == 0) { ++ /* encrypt with public key. */ + /* returns the size of the encrypted data. 
On error, -1 is returned */ + irc = RSA_public_encrypt((int)encrypt_data_size, /* from length */ + padded_data, /* from - the clear text data */ + encrypt_data, /* the padded and encrypted data */ +- rsa_pub_key, /* key */ ++ rsa_pub_key, /* RSA key structure */ + RSA_NO_PADDING); /* padding */ + if (irc < 0) { + if (tssVerbose) printf("TSS_RSAPublicEncrypt: Error in RSA_public_encrypt()\n"); + rc = TSS_RC_RSA_ENCRYPT; + } + } ++#else ++ /* create EVP_PKEY_CTX for the encrypt */ ++ if (rc == 0) { ++ ctx = EVP_PKEY_CTX_new(rsa_pub_key, NULL); /* freed @1 */ ++ if (ctx == NULL) { ++ printf("TSS_RSAPublicEncrypt: Error in EVP_PKEY_CTX_new()\n"); ++ rc = TSS_RC_RSA_ENCRYPT; ++ } ++ } ++ if (rc == 0) { ++ irc = EVP_PKEY_encrypt_init(ctx); ++ if (irc != 1) { ++ printf("TSS_RSAPublicEncrypt: Error in EVP_PKEY_encrypt_init()\n"); ++ rc = TSS_RC_RSA_ENCRYPT; ++ } ++ } ++ if (rc == 0) { ++ irc = EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_NO_PADDING); ++ if (irc <= 0) { ++ if (tssVerbose) printf("TSS_RSAPublicEncrypt: Error in EVP_PKEY_CTX_set_rsa_padding\n"); ++ rc = TSS_RC_RSA_ENCRYPT; ++ } ++ } ++ if (rc == 0) { ++ size_t outlen = encrypt_data_size; ++ irc = EVP_PKEY_encrypt(ctx, ++ encrypt_data, &outlen, ++ padded_data, encrypt_data_size); ++ } ++#endif + if (rc == 0) { + if (tssVverbose) printf(" TSS_RSAPublicEncrypt: RSA_public_encrypt() success\n"); + } +- TSS_RsaFree(rsa_pub_key); /* @1 */ +- free(padded_data); /* @2 */ +- return rc; ++#if OPENSSL_VERSION_NUMBER < 0x30000000 ++#else ++ EVP_PKEY_CTX_free(ctx); /* @1 */ ++#endif ++ TSS_RsaFree(rsa_pub_key); /* @3 */ ++ free(padded_data); /* @2 */ ++ return rc; + } + + #endif /* TPM_TSS_NORSA */ +-- +2.34.1 + diff --git a/SOURCES/tss2-1.6.0-manpage-cleanup.patch b/SOURCES/tss2-1.6.0-manpage-cleanup.patch new file mode 100644 index 0000000..3a452de --- /dev/null +++ b/SOURCES/tss2-1.6.0-manpage-cleanup.patch 
@@ -0,0 +1,1534 @@ +diff -ur tss2/utils/man/man1/tssactivatecredential.1 tss2-new/utils/man/man1/tssactivatecredential.1 +--- tss2/utils/man/man1/tssactivatecredential.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tssactivatecredential.1 2021-02-08 16:31:38.276692836 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH ACTIVATECREDENTIAL "1" "November 2020" "activatecredential 1.6" "User Commands" ++.TH TSSACTIVATECREDENTIAL "1" "November 2020" "tssactivatecredential 1.6" "User Commands" + .SH NAME +-activatecredential \- Runs TPM2 activatecredential ++tssactivatecredential \- Runs TPM2 activatecredential + .SH DESCRIPTION + activatecredential + .PP +diff -ur tss2/utils/man/man1/tsscertify.1 tss2-new/utils/man/man1/tsscertify.1 +--- tss2/utils/man/man1/tsscertify.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tsscertify.1 2021-02-08 16:31:59.975404868 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH CERTIFY "1" "November 2020" "certify 1.6" "User Commands" ++.TH TSSCERTIFY "1" "November 2020" "tsscertify 1.6" "User Commands" + .SH NAME +-certify \- Runs TPM2 certify ++tsscertify \- Runs TPM2 certify + .SH DESCRIPTION + certify + .PP +diff -ur tss2/utils/man/man1/tsscertifycreation.1 tss2-new/utils/man/man1/tsscertifycreation.1 +--- tss2/utils/man/man1/tsscertifycreation.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tsscertifycreation.1 2021-02-08 16:32:20.162136981 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. 
+-.TH CERTIFYCREATION "1" "November 2020" "certifycreation 1.6" "User Commands" ++.TH TSSCERTIFYCREATION "1" "November 2020" "tsscertifycreation 1.6" "User Commands" + .SH NAME +-certifycreation \- Runs TPM2 certifycreation ++tsscertifycreation \- Runs TPM2 certifycreation + .SH DESCRIPTION + certifycreation + .PP +diff -ur tss2/utils/man/man1/tsscertifyx509.1 tss2-new/utils/man/man1/tsscertifyx509.1 +--- tss2/utils/man/man1/tsscertifyx509.1 2020-12-22 11:02:31.000000000 -0700 ++++ tss2-new/utils/man/man1/tsscertifyx509.1 2021-02-08 16:32:39.960874231 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH CERTIFYX509 "1" "November 2020" "certifyx509 1.6" "User Commands" ++.TH TSSCERTIFYX509 "1" "November 2020" "tsscertifyx509 1.6" "User Commands" + .SH NAME +-certifyx509 \- Runs TPM2 certifyx509 ++tsscertifyx509 \- Runs TPM2 certifyx509 + .SH DESCRIPTION + certifyx509 + .PP +diff -ur tss2/utils/man/man1/tsschangeeps.1 tss2-new/utils/man/man1/tsschangeeps.1 +--- tss2/utils/man/man1/tsschangeeps.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tsschangeeps.1 2021-02-08 16:32:56.672652441 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH CHANGEEPS "1" "November 2020" "changeeps 1.6" "User Commands" ++.TH TSSCHANGEEPS "1" "November 2020" "tsschangeeps 1.6" "User Commands" + .SH NAME +-changeeps \- Runs TPM2 changeeps ++tsschangeeps \- Runs TPM2 changeeps + .SH DESCRIPTION + changeeps + .PP +diff -ur tss2/utils/man/man1/tsschangepps.1 tss2-new/utils/man/man1/tsschangepps.1 +--- tss2/utils/man/man1/tsschangepps.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tsschangepps.1 2021-02-08 16:33:07.677506390 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. 
+-.TH CHANGEPPS "1" "November 2020" "changepps 1.6" "User Commands" ++.TH TSSCHANGEPPS "1" "November 2020" "tsschangepps 1.6" "User Commands" + .SH NAME +-changepps \- Runs TPM2 changepps ++tsschangepps \- Runs TPM2 changepps + .SH DESCRIPTION + changepps + .PP +diff -ur tss2/utils/man/man1/tssclear.1 tss2-new/utils/man/man1/tssclear.1 +--- tss2/utils/man/man1/tssclear.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tssclear.1 2021-02-08 16:33:17.967369834 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH CLEAR "1" "November 2020" "clear 1.6" "User Commands" ++.TH TSSCLEAR "1" "November 2020" "tssclear 1.6" "User Commands" + .SH NAME +-clear \- Runs TPM2 clear ++tssclear \- Runs TPM2 clear + .SH DESCRIPTION + clear + .PP +diff -ur tss2/utils/man/man1/tssclearcontrol.1 tss2-new/utils/man/man1/tssclearcontrol.1 +--- tss2/utils/man/man1/tssclearcontrol.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tssclearcontrol.1 2021-02-08 16:33:36.186128054 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH CLEARCONTROL "1" "November 2020" "clearcontrol 1.6" "User Commands" ++.TH TSSCLEARCONTROL "1" "November 2020" "tssclearcontrol 1.6" "User Commands" + .SH NAME +-clearcontrol \- Runs TPM2 clearcontrol ++tssclearcontrol \- Runs TPM2 clearcontrol + .SH DESCRIPTION + clearcontrol + .PP +diff -ur tss2/utils/man/man1/tssclockrateadjust.1 tss2-new/utils/man/man1/tssclockrateadjust.1 +--- tss2/utils/man/man1/tssclockrateadjust.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tssclockrateadjust.1 2021-02-08 16:33:47.150982537 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. 
+-.TH CLOCKRATEADJUST "1" "November 2020" "clockrateadjust 1.6" "User Commands" ++.TH TSSCLOCKRATEADJUST "1" "November 2020" "tssclockrateadjust 1.6" "User Commands" + .SH NAME +-clockrateadjust \- Runs TPM2 clockrateadjust ++tssclockrateadjust \- Runs TPM2 clockrateadjust + .SH DESCRIPTION + clockrateadjust + .PP +diff -ur tss2/utils/man/man1/tssclockset.1 tss2-new/utils/man/man1/tssclockset.1 +--- tss2/utils/man/man1/tssclockset.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tssclockset.1 2021-02-08 16:33:56.739855284 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH CLOCKSET "1" "November 2020" "clockset 1.6" "User Commands" ++.TH TSSCLOCKSET "1" "November 2020" "tssclockset 1.6" "User Commands" + .SH NAME +-clockset \- Runs TPM2 clockset ++tssclockset \- Runs TPM2 clockset + .SH DESCRIPTION + clockset + .PP +diff -ur tss2/utils/man/man1/tsscommit.1 tss2-new/utils/man/man1/tsscommit.1 +--- tss2/utils/man/man1/tsscommit.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tsscommit.1 2021-02-08 16:34:10.171678495 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH COMMIT "1" "November 2020" "commit 1.6" "User Commands" ++.TH TSSCOMMIT "1" "November 2020" "tsscommit 1.6" "User Commands" + .SH NAME +-commit \- Runs TPM2 commit ++tsscommit \- Runs TPM2 commit + .SH DESCRIPTION + commit + .PP +diff -ur tss2/utils/man/man1/tsscontextload.1 tss2-new/utils/man/man1/tsscontextload.1 +--- tss2/utils/man/man1/tsscontextload.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tsscontextload.1 2021-02-08 16:34:31.794394389 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. 
+-.TH CONTEXTLOAD "1" "November 2020" "contextload 1.6" "User Commands" ++.TH TSSCONTEXTLOAD "1" "November 2020" "tsscontextload 1.6" "User Commands" + .SH NAME +-contextload \- Runs TPM2 contextload ++tsscontextload \- Runs TPM2 contextload + .SH DESCRIPTION + contextload + .PP +diff -ur tss2/utils/man/man1/tsscontextsave.1 tss2-new/utils/man/man1/tsscontextsave.1 +--- tss2/utils/man/man1/tsscontextsave.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tsscontextsave.1 2021-02-08 16:34:55.760079476 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH CONTEXTSAVE "1" "November 2020" "contextsave 1.6" "User Commands" ++.TH TSSCONTEXTSAVE "1" "November 2020" "tsscontextsave 1.6" "User Commands" + .SH NAME +-contextsave \- Runs TPM2 contextsave ++tsscontextsave \- Runs TPM2 contextsave + .SH DESCRIPTION + contextsave + .PP +diff -ur tss2/utils/man/man1/tsscreate.1 tss2-new/utils/man/man1/tsscreate.1 +--- tss2/utils/man/man1/tsscreate.1 2020-12-22 11:02:31.000000000 -0700 ++++ tss2-new/utils/man/man1/tsscreate.1 2021-02-08 16:35:05.991945033 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH CREATE "1" "November 2020" "create 1.6" "User Commands" ++.TH TSSCREATE "1" "November 2020" "tsscreate 1.6" "User Commands" + .SH NAME +-create \- Runs TPM2 create ++tsscreate \- Runs TPM2 create + .SH DESCRIPTION + create + .PP +diff -ur tss2/utils/man/man1/tsscreateek.1 tss2-new/utils/man/man1/tsscreateek.1 +--- tss2/utils/man/man1/tsscreateek.1 2020-12-22 11:02:31.000000000 -0700 ++++ tss2-new/utils/man/man1/tsscreateek.1 2021-02-08 16:35:17.024800070 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. 
+-.TH CREATEEK "1" "November 2020" "createek 1.6" "User Commands" ++.TH TSSCREATEEK "1" "November 2020" "tsscreateek 1.6" "User Commands" + .SH NAME +-createek \- Runs TPM2 createek ++tsscreateek \- Runs TPM2 createek + .SH DESCRIPTION + createek + .PP +diff -ur tss2/utils/man/man1/tsscreateekcert.1 tss2-new/utils/man/man1/tsscreateekcert.1 +--- tss2/utils/man/man1/tsscreateekcert.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tsscreateekcert.1 2021-02-08 16:35:31.887604787 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH CREATEEKCERT "1" "November 2020" "createekcert 1.6" "User Commands" ++.TH TSSCREATEEKCERT "1" "November 2020" "tsscreateekcert 1.6" "User Commands" + .SH NAME +-createekcert \- Runs TPM2 createekcert ++tsscreateekcert \- Runs TPM2 createekcert + .SH SYNOPSIS + .B createekcert + \fI\,-rsa 2048 -cakey cakey.pem -capwd rrrr -v\/\fR +diff -ur tss2/utils/man/man1/tsscreateloaded.1 tss2-new/utils/man/man1/tsscreateloaded.1 +--- tss2/utils/man/man1/tsscreateloaded.1 2020-12-22 11:02:31.000000000 -0700 ++++ tss2-new/utils/man/man1/tsscreateloaded.1 2021-02-08 16:35:43.272455198 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH CREATELOADED "1" "November 2020" "createloaded 1.6" "User Commands" ++.TH TSSCREATELOADED "1" "November 2020" "tsscreateloaded 1.6" "User Commands" + .SH NAME +-createloaded \- Runs TPM2 createloaded ++tsscreateloaded \- Runs TPM2 createloaded + .SH DESCRIPTION + createloaded + .PP +diff -ur tss2/utils/man/man1/tsscreateprimary.1 tss2-new/utils/man/man1/tsscreateprimary.1 +--- tss2/utils/man/man1/tsscreateprimary.1 2020-12-22 11:02:31.000000000 -0700 ++++ tss2-new/utils/man/man1/tsscreateprimary.1 2021-02-08 16:35:53.966314682 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. 
+-.TH CREATEPRIMARY "1" "November 2020" "createprimary 1.6" "User Commands" ++.TH TSSCREATEPRIMARY "1" "November 2020" "tsscreateprimary 1.6" "User Commands" + .SH NAME +-createprimary \- Runs TPM2 createprimary ++tsscreateprimary \- Runs TPM2 createprimary + .SH DESCRIPTION + createprimary creates a primary storage key + .PP +diff -ur tss2/utils/man/man1/tssdictionaryattacklockreset.1 tss2-new/utils/man/man1/tssdictionaryattacklockreset.1 +--- tss2/utils/man/man1/tssdictionaryattacklockreset.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tssdictionaryattacklockreset.1 2021-02-08 16:36:04.509176147 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH DICTIONARYATTACKLOCKRESET "1" "November 2020" "dictionaryattacklockreset 1.6" "User Commands" ++.TH TSSDICTIONARYATTACKLOCKRESET "1" "November 2020" "tssdictionaryattacklockreset 1.6" "User Commands" + .SH NAME +-dictionaryattacklockreset \- Runs TPM2 dictionaryattacklockreset ++tssdictionaryattacklockreset \- Runs TPM2 dictionaryattacklockreset + .SH DESCRIPTION + dictionaryattacklockreset + .PP +diff -ur tss2/utils/man/man1/tssdictionaryattackparameters.1 tss2-new/utils/man/man1/tssdictionaryattackparameters.1 +--- tss2/utils/man/man1/tssdictionaryattackparameters.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tssdictionaryattackparameters.1 2021-02-08 16:36:15.669029511 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. 
+-.TH DICTIONARYATTACKPARAMETERS "1" "November 2020" "dictionaryattackparameters 1.6" "User Commands" ++.TH TSSDICTIONARYATTACKPARAMETERS "1" "November 2020" "tssdictionaryattackparameters 1.6" "User Commands" + .SH NAME +-dictionaryattackparameters \- Runs TPM2 dictionaryattackparameters ++tssdictionaryattackparameters \- Runs TPM2 dictionaryattackparameters + .SH DESCRIPTION + dictionaryattackparameters + .PP +diff -ur tss2/utils/man/man1/tssduplicate.1 tss2-new/utils/man/man1/tssduplicate.1 +--- tss2/utils/man/man1/tssduplicate.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tssduplicate.1 2021-02-08 16:36:27.189878133 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH DUPLICATE "1" "November 2020" "duplicate 1.6" "User Commands" ++.TH TSSDUPLICATE "1" "November 2020" "tssduplicate 1.6" "User Commands" + .SH NAME +-duplicate \- Runs TPM2 duplicate ++tssduplicate \- Runs TPM2 duplicate + .SH DESCRIPTION + duplicate + .PP +diff -ur tss2/utils/man/man1/tsseccparameters.1 tss2-new/utils/man/man1/tsseccparameters.1 +--- tss2/utils/man/man1/tsseccparameters.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tsseccparameters.1 2021-02-08 16:36:40.793699393 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH ECCPARAMETERS "1" "November 2020" "eccparameters 1.6" "User Commands" ++.TH TSSECCPARAMETERS "1" "November 2020" "tsseccparameters 1.6" "User Commands" + .SH NAME +-eccparameters \- Runs TPM2 eccparameters ++tsseccparameters \- Runs TPM2 eccparameters + .SH DESCRIPTION + eccparameters + .PP +diff -ur tss2/utils/man/man1/tssecephemeral.1 tss2-new/utils/man/man1/tssecephemeral.1 +--- tss2/utils/man/man1/tssecephemeral.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tssecephemeral.1 2021-02-08 16:36:50.372573532 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. 
+-.TH ECEPHEMERAL "1" "November 2020" "ecephemeral 1.6" "User Commands"
++.TH TSSECEPHEMERAL "1" "November 2020" "tssecephemeral 1.6" "User Commands"
+ .SH NAME
+-ecephemeral \- Runs TPM2 ecephemeral
++tssecephemeral \- Runs TPM2 ecephemeral
+ .SH DESCRIPTION
+ ecephmeral
+ .PP
+diff -ur tss2/utils/man/man1/tssencryptdecrypt.1 tss2-new/utils/man/man1/tssencryptdecrypt.1
+--- tss2/utils/man/man1/tssencryptdecrypt.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tssencryptdecrypt.1 2021-02-08 16:37:01.006433816 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH ENCRYPTDECRYPT "1" "November 2020" "encryptdecrypt 1.6" "User Commands"
++.TH TSSENCRYPTDECRYPT "1" "November 2020" "tssencryptdecrypt 1.6" "User Commands"
+ .SH NAME
+-encryptdecrypt \- Runs TPM2 encryptdecrypt
++tssencryptdecrypt \- Runs TPM2 encryptdecrypt
+ .SH DESCRIPTION
+ encryptdecrypt
+ .PP
+diff -ur tss2/utils/man/man1/tsseventextend.1 tss2-new/utils/man/man1/tsseventextend.1
+--- tss2/utils/man/man1/tsseventextend.1 2020-12-22 11:02:31.000000000 -0700
++++ tss2-new/utils/man/man1/tsseventextend.1 2021-02-08 16:37:11.765292444 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH EVENTEXTEND "1" "November 2020" "eventextend 1.6" "User Commands"
++.TH TSSEVENTEXTEND "1" "November 2020" "tsseventextend 1.6" "User Commands"
+ .SH NAME
+-eventextend \- Runs TPM2 eventextend
++tsseventextend \- Runs TPM2 eventextend
+ .SH SYNOPSIS
+ .B eventextend
+ \fI\,-if \/\fR[\fI\,-v\/\fR]
+diff -ur tss2/utils/man/man1/tsseventsequencecomplete.1 tss2-new/utils/man/man1/tsseventsequencecomplete.1
+--- tss2/utils/man/man1/tsseventsequencecomplete.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tsseventsequencecomplete.1 2021-02-08 16:37:23.641136395 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH EVENTSEQUENCECOMPLETE "1" "November 2020" "eventsequencecomplete 1.6" "User Commands"
++.TH TSSEVENTSEQUENCECOMPLETE "1" "November 2020" "tsseventsequencecomplete 1.6" "User Commands"
+ .SH NAME
+-eventsequencecomplete \- Runs TPM2 eventsequencecomplete
++tsseventsequencecomplete \- Runs TPM2 eventsequencecomplete
+ .SH DESCRIPTION
+ eventsequencecomplete
+ .PP
+diff -ur tss2/utils/man/man1/tssevictcontrol.1 tss2-new/utils/man/man1/tssevictcontrol.1
+--- tss2/utils/man/man1/tssevictcontrol.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tssevictcontrol.1 2021-02-08 16:37:33.136011637 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH EVICTCONTROL "1" "November 2020" "evictcontrol 1.6" "User Commands"
++.TH TSSEVICTCONTROL "1" "November 2020" "tssevictcontrol 1.6" "User Commands"
+ .SH NAME
+-evictcontrol \- Runs TPM2 evictcontrol
++tssevictcontrol \- Runs TPM2 evictcontrol
+ .SH DESCRIPTION
+ evictcontrol
+ .PP
+diff -ur tss2/utils/man/man1/tssflushcontext.1 tss2-new/utils/man/man1/tssflushcontext.1
+--- tss2/utils/man/man1/tssflushcontext.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tssflushcontext.1 2021-02-08 16:37:43.319877829 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH FLUSHCONTEXT "1" "November 2020" "flushcontext 1.6" "User Commands"
++.TH TSSFLUSHCONTEXT "1" "November 2020" "tssflushcontext 1.6" "User Commands"
+ .SH NAME
+-flushcontext \- Runs TPM2 flushcontext
++tssflushcontext \- Runs TPM2 flushcontext
+ .SH DESCRIPTION
+ flushcontext
+ .PP
+diff -ur tss2/utils/man/man1/tssgetcapability.1 tss2-new/utils/man/man1/tssgetcapability.1
+--- tss2/utils/man/man1/tssgetcapability.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tssgetcapability.1 2021-02-08 16:37:53.430744980 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH GETCAPABILITY "1" "November 2020" "getcapability 1.6" "User Commands"
++.TH TSSGETCAPABILITY "1" "November 2020" "tssgetcapability 1.6" "User Commands"
+ .SH NAME
+-getcapability \- Runs TPM2 getcapability
++tssgetcapability \- Runs TPM2 getcapability
+ .SH DESCRIPTION
+ getcapability
+ .PP
+diff -ur tss2/utils/man/man1/tssgetcommandauditdigest.1 tss2-new/utils/man/man1/tssgetcommandauditdigest.1
+--- tss2/utils/man/man1/tssgetcommandauditdigest.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tssgetcommandauditdigest.1 2021-02-08 16:38:03.697610080 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH GETCOMMANDAUDITDIGEST "1" "November 2020" "getcommandauditdigest 1.6" "User Commands"
++.TH TSSGETCOMMANDAUDITDIGEST "1" "November 2020" "tssgetcommandauditdigest 1.6" "User Commands"
+ .SH NAME
+-getcommandauditdigest \- Runs TPM2 getcommandauditdigest
++tssgetcommandauditdigest \- Runs TPM2 getcommandauditdigest
+ .SH DESCRIPTION
+ getcommandauditdigest
+ .PP
+diff -ur tss2/utils/man/man1/tssgetcryptolibrary.1 tss2-new/utils/man/man1/tssgetcryptolibrary.1
+--- tss2/utils/man/man1/tssgetcryptolibrary.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tssgetcryptolibrary.1 2021-02-08 16:38:13.285484106 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH GETCRYPTOLIBRARY "1" "November 2020" "getcryptolibrary 1.6" "User Commands"
++.TH TSSGETCRYPTOLIBRARY "1" "November 2020" "tssgetcryptolibrary 1.6" "User Commands"
+ .SH NAME
+-getcryptolibrary \- Runs TPM2 getcryptolibrary
++tssgetcryptolibrary \- Runs TPM2 getcryptolibrary
+ .SH DESCRIPTION
+ getcryptolibrary
+ .PP
+diff -ur tss2/utils/man/man1/tssgetrandom.1 tss2-new/utils/man/man1/tssgetrandom.1
+--- tss2/utils/man/man1/tssgetrandom.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tssgetrandom.1 2021-02-08 16:38:28.289286407 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH GETRANDOM "1" "November 2020" "getrandom 1.6" "User Commands"
++.TH TSSGETRANDOM "1" "November 2020" "tssgetrandom 1.6" "User Commands"
+ .SH NAME
+-getrandom \- Runs TPM2 getrandom
++tssgetrandom \- Runs TPM2 getrandom
+ .SH DESCRIPTION
+ getrandom
+ .PP
+diff -ur tss2/utils/man/man1/tssgetsessionauditdigest.1 tss2-new/utils/man/man1/tssgetsessionauditdigest.1
+--- tss2/utils/man/man1/tssgetsessionauditdigest.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tssgetsessionauditdigest.1 2021-02-08 16:38:49.060012570 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH GETSESSIONAUDITDIGEST "1" "November 2020" "getsessionauditdigest 1.6" "User Commands"
++.TH TSSGETSESSIONAUDITDIGEST "1" "November 2020" "tssgetsessionauditdigest 1.6" "User Commands"
+ .SH NAME
+-getsessionauditdigest \- Runs TPM2 getsessionauditdigest
++tssgetsessionauditdigest \- Runs TPM2 getsessionauditdigest
+ .SH DESCRIPTION
+ getsessionauditdigest
+ .PP
+diff -ur tss2/utils/man/man1/tssgettestresult.1 tss2-new/utils/man/man1/tssgettestresult.1
+--- tss2/utils/man/man1/tssgettestresult.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tssgettestresult.1 2021-02-08 16:39:03.122827172 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH GETTESTRESULT "1" "November 2020" "gettestresult 1.6" "User Commands"
++.TH TSSGETTESTRESULT "1" "November 2020" "tssgettestresult 1.6" "User Commands"
+ .SH NAME
+-gettestresult \- Runs TPM2 gettestresult
++tssgettestresult \- Runs TPM2 gettestresult
+ .SH DESCRIPTION
+ gettestresult
+ .PP
+diff -ur tss2/utils/man/man1/tssgettime.1 tss2-new/utils/man/man1/tssgettime.1
+--- tss2/utils/man/man1/tssgettime.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tssgettime.1 2021-02-08 16:39:14.638675349 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH GETTIME "1" "November 2020" "gettime 1.6" "User Commands"
++.TH TSSGETTIME "1" "November 2020" "tssgettime 1.6" "User Commands"
+ .SH NAME
+-gettime \- Runs TPM2 gettime
++tssgettime \- Runs TPM2 gettime
+ .SH DESCRIPTION
+ gettime
+ .PP
+diff -ur tss2/utils/man/man1/tsshash.1 tss2-new/utils/man/man1/tsshash.1
+--- tss2/utils/man/man1/tsshash.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tsshash.1 2021-02-08 16:39:24.577544317 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH HASH "1" "November 2020" "hash 1.6" "User Commands"
++.TH TSSHASH "1" "November 2020" "tsshash 1.6" "User Commands"
+ .SH NAME
+-hash \- Runs TPM2 hash
++tsshash \- Runs TPM2 hash
+ .SH DESCRIPTION
+ hash
+ .PP
+diff -ur tss2/utils/man/man1/tsshashsequencestart.1 tss2-new/utils/man/man1/tsshashsequencestart.1
+--- tss2/utils/man/man1/tsshashsequencestart.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tsshashsequencestart.1 2021-02-08 16:39:40.157338918 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH HASHSEQUENCESTART "1" "November 2020" "hashsequencestart 1.6" "User Commands"
++.TH TSSHASHSEQUENCESTART "1" "November 2020" "tsshashsequencestart 1.6" "User Commands"
+ .SH NAME
+-hashsequencestart \- Runs TPM2 hashsequencestart
++tsshashsequencestart \- Runs TPM2 hashsequencestart
+ .SH DESCRIPTION
+ hashsequencestart
+ .PP
+diff -ur tss2/utils/man/man1/tsshierarchychangeauth.1 tss2-new/utils/man/man1/tsshierarchychangeauth.1
+--- tss2/utils/man/man1/tsshierarchychangeauth.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tsshierarchychangeauth.1 2021-02-08 16:39:52.844171658 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH HIERARCHYCHANGEAUTH "1" "November 2020" "hierarchychangeauth 1.6" "User Commands"
++.TH TSSHIERARCHYCHANGEAUTH "1" "November 2020" "tsshierarchychangeauth 1.6" "User Commands"
+ .SH NAME
+-hierarchychangeauth \- Runs TPM2 hierarchychangeauth
++tsshierarchychangeauth \- Runs TPM2 hierarchychangeauth
+ .SH DESCRIPTION
+ hierarchychangeauth
+ .PP
+diff -ur tss2/utils/man/man1/tsshierarchycontrol.1 tss2-new/utils/man/man1/tsshierarchycontrol.1
+--- tss2/utils/man/man1/tsshierarchycontrol.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tsshierarchycontrol.1 2021-02-08 16:40:06.439992415 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH HIERARCHYCONTROL "1" "November 2020" "hierarchycontrol 1.6" "User Commands"
++.TH TSSHIERARCHYCONTROL "1" "November 2020" "tsshierarchycontrol 1.6" "User Commands"
+ .SH NAME
+-hierarchycontrol \- Runs TPM2 hierarchycontrol
++tsshierarchycontrol \- Runs TPM2 hierarchycontrol
+ .SH DESCRIPTION
+ hierarchycontrol
+ .PP
+diff -ur tss2/utils/man/man1/tsshmac.1 tss2-new/utils/man/man1/tsshmac.1
+--- tss2/utils/man/man1/tsshmac.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tsshmac.1 2021-02-08 16:40:31.313664487 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH HMAC "1" "November 2020" "hmac 1.6" "User Commands"
++.TH TSSHMAC "1" "November 2020" "tsshmac 1.6" "User Commands"
+ .SH NAME
+-hmac \- Runs TPM2 hmac
++tsshmac \- Runs TPM2 hmac
+ .SH DESCRIPTION
+ hmac
+ .PP
+diff -ur tss2/utils/man/man1/tsshmacstart.1 tss2-new/utils/man/man1/tsshmacstart.1
+--- tss2/utils/man/man1/tsshmacstart.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tsshmacstart.1 2021-02-08 16:40:41.213533970 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH HMACSTART "1" "November 2020" "hmacstart 1.6" "User Commands"
++.TH TSSHMACSTART "1" "November 2020" "tsshmacstart 1.6" "User Commands"
+ .SH NAME
+-hmacstart \- Runs TPM2 hmacstart
++tsshmacstart \- Runs TPM2 hmacstart
+ .SH DESCRIPTION
+ hmacstart
+ .PP
+diff -ur tss2/utils/man/man1/tssimport.1 tss2-new/utils/man/man1/tssimport.1
+--- tss2/utils/man/man1/tssimport.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tssimport.1 2021-02-08 16:41:03.758236747 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH IMPORT "1" "November 2020" "import 1.6" "User Commands"
++.TH TSSIMPORT "1" "November 2020" "tssimport 1.6" "User Commands"
+ .SH NAME
+-import \- Runs TPM2 import
++tssimport \- Runs TPM2 import
+ .SH DESCRIPTION
+ import
+ .PP
+diff -ur tss2/utils/man/man1/tssimportpem.1 tss2-new/utils/man/man1/tssimportpem.1
+--- tss2/utils/man/man1/tssimportpem.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tssimportpem.1 2021-02-08 16:41:31.710868228 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH IMPORTPEM "1" "November 2020" "importpem 1.6" "User Commands"
++.TH TSSIMPORTPEM "1" "November 2020" "tssimportpem 1.6" "User Commands"
+ .SH NAME
+-importpem \- Runs TPM2 importpem
++tssimportpem \- Runs TPM2 importpem
+ .SH DESCRIPTION
+ importpem
+ .PP
+diff -ur tss2/utils/man/man1/tssload.1 tss2-new/utils/man/man1/tssload.1
+--- tss2/utils/man/man1/tssload.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tssload.1 2021-02-08 16:41:41.305741732 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH LOAD "1" "November 2020" "load 1.6" "User Commands"
++.TH TSSLOAD "1" "November 2020" "tssload 1.6" "User Commands"
+ .SH NAME
+-load \- Runs TPM2 load
++tssload \- Runs TPM2 load
+ .SH DESCRIPTION
+ load
+ .PP
+diff -ur tss2/utils/man/man1/tssloadexternal.1 tss2-new/utils/man/man1/tssloadexternal.1
+--- tss2/utils/man/man1/tssloadexternal.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tssloadexternal.1 2021-02-08 16:41:50.850615895 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH LOADEXTERNAL "1" "November 2020" "loadexternal 1.6" "User Commands"
++.TH TSSLOADEXTERNAL "1" "November 2020" "tssloadexternal 1.6" "User Commands"
+ .SH NAME
+-loadexternal \- Runs TPM2 loadexternal
++tssloadexternal \- Runs TPM2 loadexternal
+ .SH DESCRIPTION
+ loadexternal
+ .PP
+diff -ur tss2/utils/man/man1/tssmakecredential.1 tss2-new/utils/man/man1/tssmakecredential.1
+--- tss2/utils/man/man1/tssmakecredential.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tssmakecredential.1 2021-02-08 16:42:03.983442755 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH MAKECREDENTIAL "1" "November 2020" "makecredential 1.6" "User Commands"
++.TH TSSMAKECREDENTIAL "1" "November 2020" "tssmakecredential 1.6" "User Commands"
+ .SH NAME
+-makecredential \- Runs TPM2 makecredential
++tssmakecredential \- Runs TPM2 makecredential
+ .SH DESCRIPTION
+ makecredential
+ .PP
+diff -ur tss2/utils/man/man1/tssntc2getconfig.1 tss2-new/utils/man/man1/tssntc2getconfig.1
+--- tss2/utils/man/man1/tssntc2getconfig.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tssntc2getconfig.1 2021-02-08 16:42:13.549316642 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH NTC2GETCONFIG "1" "November 2020" "ntc2getconfig 1.6" "User Commands"
++.TH TSSNTC2GETCONFIG "1" "November 2020" "tssntc2getconfig 1.6" "User Commands"
+ .SH NAME
+-ntc2getconfig \- Runs TPM2 ntc2getconfig
++tssntc2getconfig \- Runs TPM2 ntc2getconfig
+ .SH DESCRIPTION
+ ntc2getconfig
+ .PP
+diff -ur tss2/utils/man/man1/tssntc2lockconfig.1 tss2-new/utils/man/man1/tssntc2lockconfig.1
+--- tss2/utils/man/man1/tssntc2lockconfig.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tssntc2lockconfig.1 2021-02-08 16:42:24.331174497 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH NTC2LOCKCONFIG "1" "November 2020" "ntc2lockconfig 1.6" "User Commands"
++.TH TSSNTC2LOCKCONFIG "1" "November 2020" "tssntc2lockconfig 1.6" "User Commands"
+ .SH NAME
+-ntc2lockconfig \- Runs TPM2 ntc2lockconfig
++tssntc2lockconfig \- Runs TPM2 ntc2lockconfig
+ .SH DESCRIPTION
+ ntc2lockpreconfig
+ .PP
+diff -ur tss2/utils/man/man1/tssntc2preconfig.1 tss2-new/utils/man/man1/tssntc2preconfig.1
+--- tss2/utils/man/man1/tssntc2preconfig.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tssntc2preconfig.1 2021-02-08 16:42:46.105887307 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH NTC2PRECONFIG "1" "November 2020" "ntc2preconfig 1.6" "User Commands"
++.TH TSSNTC2PRECONFIG "1" "November 2020" "tssntc2preconfig 1.6" "User Commands"
+ .SH NAME
+-ntc2preconfig \- Runs TPM2 ntc2preconfig
++tssntc2preconfig \- Runs TPM2 ntc2preconfig
+ .SH DESCRIPTION
+ ntc2preconfig
+ .PP
+diff -ur tss2/utils/man/man1/tssnvcertify.1 tss2-new/utils/man/man1/tssnvcertify.1
+--- tss2/utils/man/man1/tssnvcertify.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tssnvcertify.1 2021-02-08 16:44:50.874241342 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH NVCERTIFY "1" "November 2020" "nvcertify 1.6" "User Commands"
++.TH TSSNVCERTIFY "1" "November 2020" "tssnvcertify 1.6" "User Commands"
+ .SH NAME
+-nvcertify \- Runs TPM2 nvcertify
++tssnvcertify \- Runs TPM2 nvcertify
+ .SH DESCRIPTION
+ nvcertify
+ .PP
+diff -ur tss2/utils/man/man1/tssnvchangeauth.1 tss2-new/utils/man/man1/tssnvchangeauth.1
+--- tss2/utils/man/man1/tssnvchangeauth.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tssnvchangeauth.1 2021-02-08 16:45:00.287117165 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH NVCHANGEAUTH "1" "November 2020" "nvchangeauth 1.6" "User Commands"
++.TH TSSNVCHANGEAUTH "1" "November 2020" "tssnvchangeauth 1.6" "User Commands"
+ .SH NAME
+-nvchangeauth \- Runs TPM2 nvchangeauth
++tssnvchangeauth \- Runs TPM2 nvchangeauth
+ .SH DESCRIPTION
+ nvchangeauth
+ .PP
+diff -ur tss2/utils/man/man1/tssnvdefinespace.1 tss2-new/utils/man/man1/tssnvdefinespace.1
+--- tss2/utils/man/man1/tssnvdefinespace.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tssnvdefinespace.1 2021-02-08 16:45:09.956989598 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH NVDEFINESPACE "1" "November 2020" "nvdefinespace 1.6" "User Commands"
++.TH TSSNVDEFINESPACE "1" "November 2020" "tssnvdefinespace 1.6" "User Commands"
+ .SH NAME
+-nvdefinespace \- Runs TPM2 nvdefinespace
++tssnvdefinespace \- Runs TPM2 nvdefinespace
+ .SH DESCRIPTION
+ nvdefinespace
+ .PP
+diff -ur tss2/utils/man/man1/tssnvextend.1 tss2-new/utils/man/man1/tssnvextend.1
+--- tss2/utils/man/man1/tssnvextend.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tssnvextend.1 2021-02-08 16:45:18.993870380 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH NVEXTEND "1" "November 2020" "nvextend 1.6" "User Commands"
++.TH TSSNVEXTEND "1" "November 2020" "tssnvextend 1.6" "User Commands"
+ .SH NAME
+-nvextend \- Runs TPM2 nvextend
++tssnvextend \- Runs TPM2 nvextend
+ .SH DESCRIPTION
+ nvextend
+ .PP
+diff -ur tss2/utils/man/man1/tssnvglobalwritelock.1 tss2-new/utils/man/man1/tssnvglobalwritelock.1
+--- tss2/utils/man/man1/tssnvglobalwritelock.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tssnvglobalwritelock.1 2021-02-08 16:45:29.344733830 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH NVGLOBALWRITELOCK "1" "November 2020" "nvglobalwritelock 1.6" "User Commands"
++.TH TSSNVGLOBALWRITELOCK "1" "November 2020" "tssnvglobalwritelock 1.6" "User Commands"
+ .SH NAME
+-nvglobalwritelock \- Runs TPM2 nvglobalwritelock
++tssnvglobalwritelock \- Runs TPM2 nvglobalwritelock
+ .SH DESCRIPTION
+ nvglobalwritelock
+ .PP
+diff -ur tss2/utils/man/man1/tssnvincrement.1 tss2-new/utils/man/man1/tssnvincrement.1
+--- tss2/utils/man/man1/tssnvincrement.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tssnvincrement.1 2021-02-08 16:45:40.256589878 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH NVINCREMENT "1" "November 2020" "nvincrement 1.6" "User Commands"
++.TH TSSNVINCREMENT "1" "November 2020" "tssnvincrement 1.6" "User Commands"
+ .SH NAME
+-nvincrement \- Runs TPM2 nvincrement
++tssnvincrement \- Runs TPM2 nvincrement
+ .SH DESCRIPTION
+ nvincrement
+ .PP
+diff -ur tss2/utils/man/man1/tssnvread.1 tss2-new/utils/man/man1/tssnvread.1
+--- tss2/utils/man/man1/tssnvread.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tssnvread.1 2021-02-08 16:45:49.323470266 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH NVREAD "1" "November 2020" "nvread 1.6" "User Commands"
++.TH TSSNVREAD "1" "November 2020" "tssnvread 1.6" "User Commands"
+ .SH NAME
+-nvread \- Runs TPM2 nvread
++tssnvread \- Runs TPM2 nvread
+ .SH DESCRIPTION
+ nvread
+ .PP
+diff -ur tss2/utils/man/man1/tssnvreadlock.1 tss2-new/utils/man/man1/tssnvreadlock.1
+--- tss2/utils/man/man1/tssnvreadlock.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tssnvreadlock.1 2021-02-08 16:45:59.239339456 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH NVREADLOCK "1" "November 2020" "nvreadlock 1.6" "User Commands"
++.TH TSSNVREADLOCK "1" "November 2020" "tssnvreadlock 1.6" "User Commands"
+ .SH NAME
+-nvreadlock \- Runs TPM2 nvreadlock
++tssnvreadlock \- Runs TPM2 nvreadlock
+ .SH DESCRIPTION
+ nvreadlock
+ .PP
+diff -ur tss2/utils/man/man1/tssnvreadpublic.1 tss2-new/utils/man/man1/tssnvreadpublic.1
+--- tss2/utils/man/man1/tssnvreadpublic.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tssnvreadpublic.1 2021-02-08 16:46:08.776213644 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH NVREADPUBLIC "1" "November 2020" "nvreadpublic 1.6" "User Commands"
++.TH TSSNVREADPUBLIC "1" "November 2020" "tssnvreadpublic 1.6" "User Commands"
+ .SH NAME
+-nvreadpublic \- Runs TPM2 nvreadpublic
++tssnvreadpublic \- Runs TPM2 nvreadpublic
+ .SH DESCRIPTION
+ nvreadpublic
+ .PP
+diff -ur tss2/utils/man/man1/tssnvsetbits.1 tss2-new/utils/man/man1/tssnvsetbits.1
+--- tss2/utils/man/man1/tssnvsetbits.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tssnvsetbits.1 2021-02-08 16:46:19.200076131 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH NVSETBITS "1" "November 2020" "nvsetbits 1.6" "User Commands"
++.TH TSSNVSETBITS "1" "November 2020" "tssnvsetbits 1.6" "User Commands"
+ .SH NAME
+-nvsetbits \- Runs TPM2 nvsetbits
++tssnvsetbits \- Runs TPM2 nvsetbits
+ .SH DESCRIPTION
+ nvsetbits
+ .PP
+diff -ur tss2/utils/man/man1/tssnvundefinespace.1 tss2-new/utils/man/man1/tssnvundefinespace.1
+--- tss2/utils/man/man1/tssnvundefinespace.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tssnvundefinespace.1 2021-02-08 16:46:29.029946453 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH NVUNDEFINESPACE "1" "November 2020" "nvundefinespace 1.6" "User Commands"
++.TH TSSNVUNDEFINESPACE "1" "November 2020" "tssnvundefinespace 1.6" "User Commands"
+ .SH NAME
+-nvundefinespace \- Runs TPM2 nvundefinespace
++tssnvundefinespace \- Runs TPM2 nvundefinespace
+ .SH DESCRIPTION
+ nvundefinespace
+ .PP
+diff -ur tss2/utils/man/man1/tssnvundefinespacespecial.1 tss2-new/utils/man/man1/tssnvundefinespacespecial.1
+--- tss2/utils/man/man1/tssnvundefinespacespecial.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tssnvundefinespacespecial.1 2021-02-08 16:46:38.774817896 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH NVUNDEFINESPACESPECIAL "1" "November 2020" "nvundefinespacespecial 1.6" "User Commands"
++.TH TSSNVUNDEFINESPACESPECIAL "1" "November 2020" "tssnvundefinespacespecial 1.6" "User Commands"
+ .SH NAME
+-nvundefinespacespecial \- Runs TPM2 nvundefinespacespecial
++tssnvundefinespacespecial \- Runs TPM2 nvundefinespacespecial
+ .SH DESCRIPTION
+ nvundefinespacespecial
+ .PP
+diff -ur tss2/utils/man/man1/tssnvwrite.1 tss2-new/utils/man/man1/tssnvwrite.1
+--- tss2/utils/man/man1/tssnvwrite.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tssnvwrite.1 2021-02-08 16:46:49.444677136 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH NVWRITE "1" "November 2020" "nvwrite 1.6" "User Commands"
++.TH TSSNVWRITE "1" "November 2020" "tssnvwrite 1.6" "User Commands"
+ .SH NAME
+-nvwrite \- Runs TPM2 nvwrite
++tssnvwrite \- Runs TPM2 nvwrite
+ .SH DESCRIPTION
+ nvwrite
+ .PP
+diff -ur tss2/utils/man/man1/tssnvwritelock.1 tss2-new/utils/man/man1/tssnvwritelock.1
+--- tss2/utils/man/man1/tssnvwritelock.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tssnvwritelock.1 2021-02-08 16:46:59.163549415 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH NVWRITELOCK "1" "November 2020" "nvwritelock 1.6" "User Commands"
++.TH TSSNVWRITELOCK "1" "November 2020" "tssnvwritelock 1.6" "User Commands"
+ .SH NAME
+-nvwritelock \- Runs TPM2 nvwritelock
++tssnvwritelock \- Runs TPM2 nvwritelock
+ .SH DESCRIPTION
+ nvwritelock
+ .PP
+diff -ur tss2/utils/man/man1/tssobjectchangeauth.1 tss2-new/utils/man/man1/tssobjectchangeauth.1
+--- tss2/utils/man/man1/tssobjectchangeauth.1 2020-12-22 11:32:07.000000000 -0700
++++ tss2-new/utils/man/man1/tssobjectchangeauth.1 2021-02-08 16:47:10.810396739 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH OBJECTCHANGEAUTH "1" "December 2020" "objectchangeauth 1.6" "User Commands"
++.TH TSSOBJECTCHANGEAUTH "1" "December 2020" "tssobjectchangeauth 1.6" "User Commands"
+ .SH NAME
+-objectchangeauth \- Runs TPM2 objectchangeauth
++tssobjectchangeauth \- Runs TPM2 objectchangeauth
+ .SH DESCRIPTION
+ objectchangeauth
+ .PP
+diff -ur tss2/utils/man/man1/tsspcrallocate.1 tss2-new/utils/man/man1/tsspcrallocate.1
+--- tss2/utils/man/man1/tsspcrallocate.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tsspcrallocate.1 2021-02-08 16:47:19.894277654 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH PCRALLOCATE "1" "November 2020" "pcrallocate 1.6" "User Commands"
++.TH TSSPCRALLOCATE "1" "November 2020" "tsspcrallocate 1.6" "User Commands"
+ .SH NAME
+-pcrallocate \- Runs TPM2 pcrallocate
++tsspcrallocate \- Runs TPM2 pcrallocate
+ .SH DESCRIPTION
+ pcrallocate
+ .PP
+diff -ur tss2/utils/man/man1/tsspcrevent.1 tss2-new/utils/man/man1/tsspcrevent.1
+--- tss2/utils/man/man1/tsspcrevent.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tsspcrevent.1 2021-02-08 16:47:29.626150078 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH PCREVENT "1" "November 2020" "pcrevent 1.6" "User Commands"
++.TH TSSPCREVENT "1" "November 2020" "tsspcrevent 1.6" "User Commands"
+ .SH NAME
+-pcrevent \- Runs TPM2 pcrevent
++tsspcrevent \- Runs TPM2 pcrevent
+ .SH DESCRIPTION
+ pcrevent
+ .PP
+diff -ur tss2/utils/man/man1/tsspcrextend.1 tss2-new/utils/man/man1/tsspcrextend.1
+--- tss2/utils/man/man1/tsspcrextend.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tsspcrextend.1 2021-02-08 16:47:38.970027588 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH PCREXTEND "1" "November 2020" "pcrextend 1.6" "User Commands"
++.TH TSSPCREXTEND "1" "November 2020" "tsspcrextend 1.6" "User Commands"
+ .SH NAME
+-pcrextend \- Runs TPM2 pcrextend
++tsspcrextend \- Runs TPM2 pcrextend
+ .SH DESCRIPTION
+ pcrextend
+ .PP
+diff -ur tss2/utils/man/man1/tsspcrread.1 tss2-new/utils/man/man1/tsspcrread.1
+--- tss2/utils/man/man1/tsspcrread.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tsspcrread.1 2021-02-08 16:47:47.868910935 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH PCRREAD "1" "November 2020" "pcrread 1.6" "User Commands"
++.TH TSSPCRREAD "1" "November 2020" "tsspcrread 1.6" "User Commands"
+ .SH NAME
+-pcrread \- Runs TPM2 pcrread
++tsspcrread \- Runs TPM2 pcrread
+ .SH DESCRIPTION
+ pcrread
+ .PP
+diff -ur tss2/utils/man/man1/tsspcrreset.1 tss2-new/utils/man/man1/tsspcrreset.1
+--- tss2/utils/man/man1/tsspcrreset.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tsspcrreset.1 2021-02-08 16:47:56.908792432 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH PCRRESET "1" "November 2020" "pcrreset 1.6" "User Commands"
++.TH TSSPCRRESET "1" "November 2020" "tsspcrreset 1.6" "User Commands"
+ .SH NAME
+-pcrreset \- Runs TPM2 pcrreset
++tsspcrreset \- Runs TPM2 pcrreset
+ .SH DESCRIPTION
+ pcrreset
+ .PP
+diff -ur tss2/utils/man/man1/tsspolicyauthorize.1 tss2-new/utils/man/man1/tsspolicyauthorize.1
+--- tss2/utils/man/man1/tsspolicyauthorize.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tsspolicyauthorize.1 2021-02-08 16:48:06.406667925 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH POLICYAUTHORIZE "1" "November 2020" "policyauthorize 1.6" "User Commands"
++.TH TSSPOLICYAUTHORIZE "1" "November 2020" "tsspolicyauthorize 1.6" "User Commands"
+ .SH NAME
+-policyauthorize \- Runs TPM2 policyauthorize
++tsspolicyauthorize \- Runs TPM2 policyauthorize
+ .SH DESCRIPTION
+ policyauthorize
+ .PP
+diff -ur tss2/utils/man/man1/tsspolicyauthorizenv.1 tss2-new/utils/man/man1/tsspolicyauthorizenv.1
+--- tss2/utils/man/man1/tsspolicyauthorizenv.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tsspolicyauthorizenv.1 2021-02-08 16:48:15.747545477 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH POLICYAUTHORIZENV "1" "November 2020" "policyauthorizenv 1.6" "User Commands"
++.TH TSSPOLICYAUTHORIZENV "1" "November 2020" "tsspolicyauthorizenv 1.6" "User Commands"
+ .SH NAME
+-policyauthorizenv \- Runs TPM2 policyauthorizenv
++tsspolicyauthorizenv \- Runs TPM2 policyauthorizenv
+ .SH DESCRIPTION
+ policyauthorizenv
+ .PP
+diff -ur tss2/utils/man/man1/tsspolicyauthvalue.1 tss2-new/utils/man/man1/tsspolicyauthvalue.1
+--- tss2/utils/man/man1/tsspolicyauthvalue.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tsspolicyauthvalue.1 2021-02-08 16:48:25.992411184 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH POLICYAUTHVALUE "1" "November 2020" "policyauthvalue 1.6" "User Commands"
++.TH TSSPOLICYAUTHVALUE "1" "November 2020" "tsspolicyauthvalue 1.6" "User Commands"
+ .SH NAME
+-policyauthvalue \- Runs TPM2 policyauthvalue
++tsspolicyauthvalue \- Runs TPM2 policyauthvalue
+ .SH DESCRIPTION
+ policyauthvalue
+ .PP
+diff -ur tss2/utils/man/man1/tsspolicycommandcode.1 tss2-new/utils/man/man1/tsspolicycommandcode.1
+--- tss2/utils/man/man1/tsspolicycommandcode.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tsspolicycommandcode.1 2021-02-08 16:48:35.707283825 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH POLICYCOMMANDCODE "1" "November 2020" "policycommandcode 1.6" "User Commands"
++.TH TSSPOLICYCOMMANDCODE "1" "November 2020" "tsspolicycommandcode 1.6" "User Commands"
+ .SH NAME
+-policycommandcode \- Runs TPM2 policycommandcode
++tsspolicycommandcode \- Runs TPM2 policycommandcode
+ .SH DESCRIPTION
+ policycommandcode
+ .PP
+diff -ur tss2/utils/man/man1/tsspolicycountertimer.1 tss2-new/utils/man/man1/tsspolicycountertimer.1
+--- tss2/utils/man/man1/tsspolicycountertimer.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tsspolicycountertimer.1 2021-02-08 16:48:45.963149380 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH POLICYCOUNTERTIMER "1" "November 2020" "policycountertimer 1.6" "User Commands"
++.TH TSSPOLICYCOUNTERTIMER "1" "November 2020" "tsspolicycountertimer 1.6" "User Commands"
+ .SH NAME
+-policycountertimer \- Runs TPM2 policycountertimer
++tsspolicycountertimer \- Runs TPM2 policycountertimer
+ .SH DESCRIPTION
+ policycountertimer
+ .PP
+diff -ur tss2/utils/man/man1/tsspolicycphash.1 tss2-new/utils/man/man1/tsspolicycphash.1
+--- tss2/utils/man/man1/tsspolicycphash.1 2021-01-15 14:45:18.000000000 -0700
++++ tss2-new/utils/man/man1/tsspolicycphash.1 2021-02-08 16:48:57.465998590 -0700
+@@ -1,7 +1,7 @@
+ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13.
+-.TH POLICYCPHASH "1" "November 2020" "policycphash 1.6" "User Commands" ++.TH TSSPOLICYCPHASH "1" "November 2020" "tsspolicycphash 1.6" "User Commands" + .SH NAME +-policycphash \- Runs TPM2 policycphash ++tsspolicycphash \- Runs TPM2 policycphash + .SH DESCRIPTION + policycphash + .PP +diff -ur tss2/utils/man/man1/tsspolicyduplicationselect.1 tss2-new/utils/man/man1/tsspolicyduplicationselect.1 +--- tss2/utils/man/man1/tsspolicyduplicationselect.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tsspolicyduplicationselect.1 2021-02-08 16:49:07.424868038 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH POLICYDUPLICATIONSELECT "1" "November 2020" "policyduplicationselect 1.6" "User Commands" ++.TH TSSPOLICYDUPLICATIONSELECT "1" "November 2020" "tsspolicyduplicationselect 1.6" "User Commands" + .SH NAME +-policyduplicationselect \- Runs TPM2 policyduplicationselect ++tsspolicyduplicationselect \- Runs TPM2 policyduplicationselect + .SH DESCRIPTION + policyduplicationselect + .PP +diff -ur tss2/utils/man/man1/tsspolicygetdigest.1 tss2-new/utils/man/man1/tsspolicygetdigest.1 +--- tss2/utils/man/man1/tsspolicygetdigest.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tsspolicygetdigest.1 2021-02-08 16:49:16.843744567 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. 
+-.TH POLICYGETDIGEST "1" "November 2020" "policygetdigest 1.6" "User Commands" ++.TH TSSPOLICYGETDIGEST "1" "November 2020" "tsspolicygetdigest 1.6" "User Commands" + .SH NAME +-policygetdigest \- Runs TPM2 policygetdigest ++tsspolicygetdigest \- Runs TPM2 policygetdigest + .SH DESCRIPTION + policygetdigest + .PP +diff -ur tss2/utils/man/man1/tsspolicymaker.1 tss2-new/utils/man/man1/tsspolicymaker.1 +--- tss2/utils/man/man1/tsspolicymaker.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tsspolicymaker.1 2021-02-08 16:49:26.295620665 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH POLICYMAKER "1" "November 2020" "policymaker 1.6" "User Commands" ++.TH TSSPOLICYMAKER "1" "November 2020" "tsspolicymaker 1.6" "User Commands" + .SH NAME +-policymaker \- Runs TPM2 policymaker ++tsspolicymaker \- Runs TPM2 policymaker + .SH DESCRIPTION + policymaker + .TP +diff -ur tss2/utils/man/man1/tsspolicymakerpcr.1 tss2-new/utils/man/man1/tsspolicymakerpcr.1 +--- tss2/utils/man/man1/tsspolicymakerpcr.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tsspolicymakerpcr.1 2021-02-08 16:49:36.000493447 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH POLICYMAKERPCR "1" "November 2020" "policymakerpcr 1.6" "User Commands" ++.TH TSSPOLICYMAKERPCR "1" "November 2020" "tsspolicymakerpcr 1.6" "User Commands" + .SH NAME +-policymakerpcr \- Runs TPM2 policymakerpcr ++tsspolicymakerpcr \- Runs TPM2 policymakerpcr + .SH DESCRIPTION + policymakerpcr + .PP +diff -ur tss2/utils/man/man1/tsspolicynamehash.1 tss2-new/utils/man/man1/tsspolicynamehash.1 +--- tss2/utils/man/man1/tsspolicynamehash.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tsspolicynamehash.1 2021-02-08 16:49:45.570367991 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. 
+-.TH POLICYNAMEHASH "1" "November 2020" "policynamehash 1.6" "User Commands" ++.TH TSSPOLICYNAMEHASH "1" "November 2020" "tsspolicynamehash 1.6" "User Commands" + .SH NAME +-policynamehash \- Runs TPM2 policynamehash ++tsspolicynamehash \- Runs TPM2 policynamehash + .SH DESCRIPTION + policynamehash + .PP +diff -ur tss2/utils/man/man1/tsspolicynv.1 tss2-new/utils/man/man1/tsspolicynv.1 +--- tss2/utils/man/man1/tsspolicynv.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tsspolicynv.1 2021-02-08 16:49:54.294253622 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH POLICYNV "1" "November 2020" "policynv 1.6" "User Commands" ++.TH TSSPOLICYNV "1" "November 2020" "tsspolicynv 1.6" "User Commands" + .SH NAME +-policynv \- Runs TPM2 policynv ++tsspolicynv \- Runs TPM2 policynv + .SH DESCRIPTION + policynv + .PP +diff -ur tss2/utils/man/man1/tsspolicynvwritten.1 tss2-new/utils/man/man1/tsspolicynvwritten.1 +--- tss2/utils/man/man1/tsspolicynvwritten.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tsspolicynvwritten.1 2021-02-08 16:50:04.221123489 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH POLICYNVWRITTEN "1" "November 2020" "policynvwritten 1.6" "User Commands" ++.TH TSSPOLICYNVWRITTEN "1" "November 2020" "tsspolicynvwritten 1.6" "User Commands" + .SH NAME +-policynvwritten \- Runs TPM2 policynvwritten ++tsspolicynvwritten \- Runs TPM2 policynvwritten + .SH DESCRIPTION + policynvwritten + .PP +diff -ur tss2/utils/man/man1/tsspolicyor.1 tss2-new/utils/man/man1/tsspolicyor.1 +--- tss2/utils/man/man1/tsspolicyor.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tsspolicyor.1 2021-02-08 16:50:14.800984798 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. 
+-.TH POLICYOR "1" "November 2020" "policyor 1.6" "User Commands" ++.TH TSSPOLICYOR "1" "November 2020" "tsspolicyor 1.6" "User Commands" + .SH NAME +-policyor \- Runs TPM2 policyor ++tsspolicyor \- Runs TPM2 policyor + .SH DESCRIPTION + policyor + .PP +diff -ur tss2/utils/man/man1/tsspolicypassword.1 tss2-new/utils/man/man1/tsspolicypassword.1 +--- tss2/utils/man/man1/tsspolicypassword.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tsspolicypassword.1 2021-02-08 16:50:25.403845804 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH POLICYPASSWORD "1" "November 2020" "policypassword 1.6" "User Commands" ++.TH TSSPOLICYPASSWORD "1" "November 2020" "tsspolicypassword 1.6" "User Commands" + .SH NAME +-policypassword \- Runs TPM2 policypassword ++tsspolicypassword \- Runs TPM2 policypassword + .SH DESCRIPTION + policypassword + .PP +diff -ur tss2/utils/man/man1/tsspolicypcr.1 tss2-new/utils/man/man1/tsspolicypcr.1 +--- tss2/utils/man/man1/tsspolicypcr.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tsspolicypcr.1 2021-02-08 16:50:34.575725570 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH POLICYPCR "1" "November 2020" "policypcr 1.6" "User Commands" ++.TH TSSPOLICYPCR "1" "November 2020" "tsspolicypcr 1.6" "User Commands" + .SH NAME +-policypcr \- Runs TPM2 policypcr ++tsspolicypcr \- Runs TPM2 policypcr + .SH DESCRIPTION + policypcr + .PP +diff -ur tss2/utils/man/man1/tsspolicyrestart.1 tss2-new/utils/man/man1/tsspolicyrestart.1 +--- tss2/utils/man/man1/tsspolicyrestart.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tsspolicyrestart.1 2021-02-08 16:50:43.971602405 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. 
+-.TH POLICYRESTART "1" "November 2020" "policyrestart 1.6" "User Commands" ++.TH TSSPOLICYRESTART "1" "November 2020" "tsspolicyrestart 1.6" "User Commands" + .SH NAME +-policyrestart \- Runs TPM2 policyrestart ++tsspolicyrestart \- Runs TPM2 policyrestart + .SH DESCRIPTION + policyrestart + .PP +diff -ur tss2/utils/man/man1/tsspolicysecret.1 tss2-new/utils/man/man1/tsspolicysecret.1 +--- tss2/utils/man/man1/tsspolicysecret.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tsspolicysecret.1 2021-02-08 16:50:52.506490523 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH POLICYSECRET "1" "November 2020" "policysecret 1.6" "User Commands" ++.TH TSSPOLICYSECRET "1" "November 2020" "tsspolicysecret 1.6" "User Commands" + .SH NAME +-policysecret \- Runs TPM2 policysecret ++tsspolicysecret \- Runs TPM2 policysecret + .SH DESCRIPTION + policysecret + .PP +diff -ur tss2/utils/man/man1/tsspolicysigned.1 tss2-new/utils/man/man1/tsspolicysigned.1 +--- tss2/utils/man/man1/tsspolicysigned.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tsspolicysigned.1 2021-02-08 16:51:27.980025490 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH POLICYSIGNED "1" "November 2020" "policysigned 1.6" "User Commands" ++.TH TSSPOLICYSIGNED "1" "November 2020" "tsspolicysigned 1.6" "User Commands" + .SH NAME +-policysigned \- Runs TPM2 policysigned ++tsspolicysigned \- Runs TPM2 policysigned + .SH DESCRIPTION + policysigned + .PP +diff -ur tss2/utils/man/man1/tsspolicytemplate.1 tss2-new/utils/man/man1/tsspolicytemplate.1 +--- tss2/utils/man/man1/tsspolicytemplate.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tsspolicytemplate.1 2021-02-08 16:51:37.439901481 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. 
+-.TH POLICYTEMPLATE "1" "November 2020" "policytemplate 1.6" "User Commands" ++.TH TSSPOLICYTEMPLATE "1" "November 2020" "tsspolicytemplate 1.6" "User Commands" + .SH NAME +-policytemplate \- Runs TPM2 policytemplate ++tsspolicytemplate \- Runs TPM2 policytemplate + .SH DESCRIPTION + policytemplate + .PP +diff -ur tss2/utils/man/man1/tsspolicyticket.1 tss2-new/utils/man/man1/tsspolicyticket.1 +--- tss2/utils/man/man1/tsspolicyticket.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tsspolicyticket.1 2021-02-08 16:51:47.471769976 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH POLICYTICKET "1" "November 2020" "policyticket 1.6" "User Commands" ++.TH TSSPOLICYTICKET "1" "November 2020" "tsspolicyticket 1.6" "User Commands" + .SH NAME +-policyticket \- Runs TPM2 policyticket ++tsspolicyticket \- Runs TPM2 policyticket + .SH DESCRIPTION + policyticket + .PP +diff -ur tss2/utils/man/man1/tsspowerup.1 tss2-new/utils/man/man1/tsspowerup.1 +--- tss2/utils/man/man1/tsspowerup.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tsspowerup.1 2021-02-08 16:51:56.862646874 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH POWERUP "1" "November 2020" "powerup 1.6" "User Commands" ++.TH TSSPOWERUP "1" "November 2020" "tsspowerup 1.6" "User Commands" + .SH NAME +-powerup \- Runs TPM2 powerup ++tsspowerup \- Runs TPM2 powerup + .SH DESCRIPTION + powerup + .PP +diff -ur tss2/utils/man/man1/tssprintattr.1 tss2-new/utils/man/man1/tssprintattr.1 +--- tss2/utils/man/man1/tssprintattr.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tssprintattr.1 2021-02-08 16:52:06.023526784 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. 
+-.TH PRINTATTR "1" "November 2020" "printattr 1.6" "User Commands" ++.TH TSSPRINTATTR "1" "November 2020" "tssprintattr 1.6" "User Commands" + .SH NAME +-printattr \- Runs TPM2 printattr ++tssprintattr \- Runs TPM2 printattr + .SH DESCRIPTION + printattr + .PP +diff -ur tss2/utils/man/man1/tsspublicname.1 tss2-new/utils/man/man1/tsspublicname.1 +--- tss2/utils/man/man1/tsspublicname.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tsspublicname.1 2021-02-08 16:52:14.554414957 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH PUBLICNAME "1" "November 2020" "publicname 1.6" "User Commands" ++.TH TSSPUBLICNAME "1" "November 2020" "tsspublicname 1.6" "User Commands" + .SH NAME +-publicname \- Runs TPM2 publicname ++tsspublicname \- Runs TPM2 publicname + .SH DESCRIPTION + publicname + .PP +diff -ur tss2/utils/man/man1/tssquote.1 tss2-new/utils/man/man1/tssquote.1 +--- tss2/utils/man/man1/tssquote.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tssquote.1 2021-02-08 16:52:23.116302717 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH QUOTE "1" "November 2020" "quote 1.6" "User Commands" ++.TH TSSQUOTE "1" "November 2020" "tssquote 1.6" "User Commands" + .SH NAME +-quote \- Runs TPM2 quote ++tssquote \- Runs TPM2 quote + .SH DESCRIPTION + quote + .PP +diff -ur tss2/utils/man/man1/tssreadclock.1 tss2-new/utils/man/man1/tssreadclock.1 +--- tss2/utils/man/man1/tssreadclock.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tssreadclock.1 2021-02-08 16:52:31.921187293 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. 
+-.TH READCLOCK "1" "November 2020" "readclock 1.6" "User Commands" ++.TH TSSREADCLOCK "1" "November 2020" "tssreadclock 1.6" "User Commands" + .SH NAME +-readclock \- Runs TPM2 readclock ++tssreadclock \- Runs TPM2 readclock + .SH DESCRIPTION + readclock + .PP +diff -ur tss2/utils/man/man1/tssreadpublic.1 tss2-new/utils/man/man1/tssreadpublic.1 +--- tss2/utils/man/man1/tssreadpublic.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tssreadpublic.1 2021-02-08 16:52:40.749071567 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH READPUBLIC "1" "November 2020" "readpublic 1.6" "User Commands" ++.TH TSSREADPUBLIC "1" "November 2020" "tssreadpublic 1.6" "User Commands" + .SH NAME +-readpublic \- Runs TPM2 readpublic ++tssreadpublic \- Runs TPM2 readpublic + .SH DESCRIPTION + readpublic + .PP +diff -ur tss2/utils/man/man1/tssreturncode.1 tss2-new/utils/man/man1/tssreturncode.1 +--- tss2/utils/man/man1/tssreturncode.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tssreturncode.1 2021-02-08 16:52:49.563956012 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH RETURNCODE "1" "November 2020" "returncode 1.6" "User Commands" ++.TH TSSRETURNCODE "1" "November 2020" "tssreturncode 1.6" "User Commands" + .SH NAME +-returncode \- Runs TPM2 returncode ++tssreturncode \- Runs TPM2 returncode + .SH SYNOPSIS + .B returncode + \fI\,hex-number\/\fR +diff -ur tss2/utils/man/man1/tssrewrap.1 tss2-new/utils/man/man1/tssrewrap.1 +--- tss2/utils/man/man1/tssrewrap.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tssrewrap.1 2021-02-08 16:52:58.230842398 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. 
+-.TH REWRAP "1" "November 2020" "rewrap 1.6" "User Commands" ++.TH TSSREWRAP "1" "November 2020" "tssrewrap 1.6" "User Commands" + .SH NAME +-rewrap \- Runs TPM2 rewrap ++tssrewrap \- Runs TPM2 rewrap + .SH DESCRIPTION + rewrap + .PP +diff -ur tss2/utils/man/man1/tssrsadecrypt.1 tss2-new/utils/man/man1/tssrsadecrypt.1 +--- tss2/utils/man/man1/tssrsadecrypt.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tssrsadecrypt.1 2021-02-08 16:53:07.510720751 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH RSADECRYPT "1" "November 2020" "rsadecrypt 1.6" "User Commands" ++.TH TSSRSADECRYPT "1" "November 2020" "tssrsadecrypt 1.6" "User Commands" + .SH NAME +-rsadecrypt \- Runs TPM2 rsadecrypt ++tssrsadecrypt \- Runs TPM2 rsadecrypt + .SH DESCRIPTION + rsadecrypt + .PP +diff -ur tss2/utils/man/man1/tssrsaencrypt.1 tss2-new/utils/man/man1/tssrsaencrypt.1 +--- tss2/utils/man/man1/tssrsaencrypt.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tssrsaencrypt.1 2021-02-08 16:53:16.856598240 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH RSAENCRYPT "1" "November 2020" "rsaencrypt 1.6" "User Commands" ++.TH TSSRSAENCRYPT "1" "November 2020" "tssrsaencrypt 1.6" "User Commands" + .SH NAME +-rsaencrypt \- Runs TPM2 rsaencrypt ++tssrsaencrypt \- Runs TPM2 rsaencrypt + .SH DESCRIPTION + rsaencrypt + .PP +diff -ur tss2/utils/man/man1/tsssequencecomplete.1 tss2-new/utils/man/man1/tsssequencecomplete.1 +--- tss2/utils/man/man1/tsssequencecomplete.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tsssequencecomplete.1 2021-02-08 16:53:26.029477990 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. 
+-.TH SEQUENCECOMPLETE "1" "November 2020" "sequencecomplete 1.6" "User Commands" ++.TH TSSSEQUENCECOMPLETE "1" "November 2020" "tsssequencecomplete 1.6" "User Commands" + .SH NAME +-sequencecomplete \- Runs TPM2 sequencecomplete ++tsssequencecomplete \- Runs TPM2 sequencecomplete + .SH DESCRIPTION + sequencecomplete + .PP +diff -ur tss2/utils/man/man1/tsssequenceupdate.1 tss2-new/utils/man/man1/tsssequenceupdate.1 +--- tss2/utils/man/man1/tsssequenceupdate.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tsssequenceupdate.1 2021-02-08 16:53:35.202357744 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH SEQUENCEUPDATE "1" "November 2020" "sequenceupdate 1.6" "User Commands" ++.TH TSSSEQUENCEUPDATE "1" "November 2020" "tsssequenceupdate 1.6" "User Commands" + .SH NAME +-sequenceupdate \- Runs TPM2 sequenceupdate ++tsssequenceupdate \- Runs TPM2 sequenceupdate + .SH DESCRIPTION + sequenceupdate + .PP +diff -ur tss2/utils/man/man1/tsssetcommandcodeauditstatus.1 tss2-new/utils/man/man1/tsssetcommandcodeauditstatus.1 +--- tss2/utils/man/man1/tsssetcommandcodeauditstatus.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tsssetcommandcodeauditstatus.1 2021-02-08 16:53:46.149214239 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. 
+-.TH SETCOMMANDCODEAUDITSTATUS "1" "November 2020" "setcommandcodeauditstatus 1.6" "User Commands" ++.TH TSSSETCOMMANDCODEAUDITSTATUS "1" "November 2020" "tsssetcommandcodeauditstatus 1.6" "User Commands" + .SH NAME +-setcommandcodeauditstatus \- Runs TPM2 setcommandcodeauditstatus ++tsssetcommandcodeauditstatus \- Runs TPM2 setcommandcodeauditstatus + .SH DESCRIPTION + setprimarypolicy + .PP +diff -ur tss2/utils/man/man1/tsssetprimarypolicy.1 tss2-new/utils/man/man1/tsssetprimarypolicy.1 +--- tss2/utils/man/man1/tsssetprimarypolicy.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tsssetprimarypolicy.1 2021-02-08 16:53:55.438092468 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH SETPRIMARYPOLICY "1" "November 2020" "setprimarypolicy 1.6" "User Commands" ++.TH TSSSETPRIMARYPOLICY "1" "November 2020" "tsssetprimarypolicy 1.6" "User Commands" + .SH NAME +-setprimarypolicy \- Runs TPM2 setprimarypolicy ++tsssetprimarypolicy \- Runs TPM2 setprimarypolicy + .SH DESCRIPTION + setprimarypolicy + .PP +diff -ur tss2/utils/man/man1/tssshutdown.1 tss2-new/utils/man/man1/tssshutdown.1 +--- tss2/utils/man/man1/tssshutdown.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tssshutdown.1 2021-02-08 16:54:04.711970895 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH SHUTDOWN "1" "November 2020" "shutdown 1.6" "User Commands" ++.TH TSSSHUTDOWN "1" "November 2020" "tssshutdown 1.6" "User Commands" + .SH NAME +-shutdown \- Runs TPM2 shutdown ++tssshutdown \- Runs TPM2 shutdown + .SH DESCRIPTION + shutdown + .PP +diff -ur tss2/utils/man/man1/tsssign.1 tss2-new/utils/man/man1/tsssign.1 +--- tss2/utils/man/man1/tsssign.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tsssign.1 2021-02-08 16:54:13.183859837 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. 
+-.TH SIGN "1" "November 2020" "sign 1.6" "User Commands" ++.TH TSSSIGN "1" "November 2020" "tsssign 1.6" "User Commands" + .SH NAME +-sign \- Runs TPM2 sign ++tsssign \- Runs TPM2 sign + .SH DESCRIPTION + sign + .PP +diff -ur tss2/utils/man/man1/tsssignapp.1 tss2-new/utils/man/man1/tsssignapp.1 +--- tss2/utils/man/man1/tsssignapp.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tsssignapp.1 2021-02-08 16:54:21.778747167 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH SIGNAPP "1" "November 2020" "signapp 1.6" "User Commands" ++.TH TSSSIGNAPP "1" "November 2020" "tsssignapp 1.6" "User Commands" + .SH NAME +-signapp \- Runs TPM2 signapp ++tsssignapp \- Runs TPM2 signapp + .SH DESCRIPTION + signapp + .PP +diff -ur tss2/utils/man/man1/tssstartauthsession.1 tss2-new/utils/man/man1/tssstartauthsession.1 +--- tss2/utils/man/man1/tssstartauthsession.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tssstartauthsession.1 2021-02-08 16:54:31.697617140 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH STARTAUTHSESSION "1" "November 2020" "startauthsession 1.6" "User Commands" ++.TH TSSSTARTAUTHSESSION "1" "November 2020" "tssstartauthsession 1.6" "User Commands" + .SH NAME +-startauthsession \- Runs TPM2 startauthsession ++tssstartauthsession \- Runs TPM2 startauthsession + .SH DESCRIPTION + startauthsession + .PP +diff -ur tss2/utils/man/man1/tssstartup.1 tss2-new/utils/man/man1/tssstartup.1 +--- tss2/utils/man/man1/tssstartup.1 2020-12-22 11:02:31.000000000 -0700 ++++ tss2-new/utils/man/man1/tssstartup.1 2021-02-08 16:54:40.409502937 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. 
+-.TH STARTUP "1" "December 2020" "startup 1.3" "User Commands" ++.TH TSSSTARTUP "1" "December 2020" "tssstartup 1.3" "User Commands" + .SH NAME +-startup \- Runs TPM2 startup ++tssstartup \- Runs TPM2 startup + .SH DESCRIPTION + startup + .PP +diff -ur tss2/utils/man/man1/tssstirrandom.1 tss2-new/utils/man/man1/tssstirrandom.1 +--- tss2/utils/man/man1/tssstirrandom.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tssstirrandom.1 2021-02-08 16:54:49.478384047 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH STIRRANDOM "1" "November 2020" "stirrandom 1.6" "User Commands" ++.TH TSSSTIRRANDOM "1" "November 2020" "tssstirrandom 1.6" "User Commands" + .SH NAME +-stirrandom \- Runs TPM2 stirrandom ++tssstirrandom \- Runs TPM2 stirrandom + .SH DESCRIPTION + stirrandom + .PP +diff -ur tss2/utils/man/man1/tsstimepacket.1 tss2-new/utils/man/man1/tsstimepacket.1 +--- tss2/utils/man/man1/tsstimepacket.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tsstimepacket.1 2021-02-08 16:54:59.412253821 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH TIMEPACKET "1" "November 2020" "timepacket 1.6" "User Commands" ++.TH TSSTIMEPACKET "1" "November 2020" "tsstimepacket 1.6" "User Commands" + .SH NAME +-timepacket \- Runs TPM2 timepacket ++tsstimepacket \- Runs TPM2 timepacket + .SH DESCRIPTION + timepacket + .PP +diff -ur tss2/utils/man/man1/tsstpm2pem.1 tss2-new/utils/man/man1/tsstpm2pem.1 +--- tss2/utils/man/man1/tsstpm2pem.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tsstpm2pem.1 2021-02-08 16:55:08.168139038 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. 
+-.TH TPM2PEM "1" "November 2020" "tpm2pem 1.6" "User Commands" ++.TH TSSTPM2PEM "1" "November 2020" "tsstpm2pem 1.6" "User Commands" + .SH NAME +-tpm2pem \- Runs TPM2 tpm2pem ++tsstpm2pem \- Runs TPM2 tpm2pem + .SH DESCRIPTION + tpm2pem + .PP +diff -ur tss2/utils/man/man1/tsstpmcmd.1 tss2-new/utils/man/man1/tsstpmcmd.1 +--- tss2/utils/man/man1/tsstpmcmd.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tsstpmcmd.1 2021-02-08 16:55:17.363018503 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH TPMCMD "1" "November 2020" "tpmcmd 1.6" "User Commands" ++.TH TSSTPMCMD "1" "November 2020" "tsstpmcmd 1.6" "User Commands" + .SH NAME +-tpmcmd \- Runs TPM2 tpmcmd ++tsstpmcmd \- Runs TPM2 tpmcmd + .SH DESCRIPTION + tpmcmd + .PP +diff -ur tss2/utils/man/man1/tsstpmpublic2eccpoint.1 tss2-new/utils/man/man1/tsstpmpublic2eccpoint.1 +--- tss2/utils/man/man1/tsstpmpublic2eccpoint.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tsstpmpublic2eccpoint.1 2021-02-08 16:55:29.710856638 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH TPMPUBLIC2ECCPOINT "1" "November 2020" "tpmpublic2eccpoint 1.6" "User Commands" ++.TH TSSTPMPUBLIC2ECCPOINT "1" "November 2020" "tsstpmpublic2eccpoint 1.6" "User Commands" + .SH NAME +-tpmpublic2eccpoint \- Runs TPM2 tpmpublic2eccpoint ++tsstpmpublic2eccpoint \- Runs TPM2 tpmpublic2eccpoint + .SH DESCRIPTION + tpmpublic2eccpoint + .PP +diff -ur tss2/utils/man/man1/tssunseal.1 tss2-new/utils/man/man1/tssunseal.1 +--- tss2/utils/man/man1/tssunseal.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tssunseal.1 2021-02-08 16:55:38.629739505 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. 
+-.TH UNSEAL "1" "November 2020" "unseal 1.6" "User Commands" ++.TH TSSUNSEAL "1" "November 2020" "tssunseal 1.6" "User Commands" + .SH NAME +-unseal \- Runs TPM2 unseal ++tssunseal \- Runs TPM2 unseal + .SH DESCRIPTION + unseal + .PP +diff -ur tss2/utils/man/man1/tssverifysignature.1 tss2-new/utils/man/man1/tssverifysignature.1 +--- tss2/utils/man/man1/tssverifysignature.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tssverifysignature.1 2021-02-08 16:55:47.469623345 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH VERIFYSIGNATURE "1" "November 2020" "verifysignature 1.6" "User Commands" ++.TH TSSVERIFYSIGNATURE "1" "November 2020" "tssverifysignature 1.6" "User Commands" + .SH NAME +-verifysignature \- Runs TPM2 verifysignature ++tssverifysignature \- Runs TPM2 verifysignature + .SH DESCRIPTION + verifysignature + .PP +diff -ur tss2/utils/man/man1/tsswriteapp.1 tss2-new/utils/man/man1/tsswriteapp.1 +--- tss2/utils/man/man1/tsswriteapp.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tsswriteapp.1 2021-02-08 16:55:56.577503665 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. +-.TH WRITEAPP "1" "November 2020" "writeapp 1.6" "User Commands" ++.TH TSSWRITEAPP "1" "November 2020" "tsswriteapp 1.6" "User Commands" + .SH NAME +-writeapp \- Runs TPM2 writeapp ++tsswriteapp \- Runs TPM2 writeapp + .SH DESCRIPTION + writeapp + .PP +diff -ur tss2/utils/man/man1/tsszgen2phase.1 tss2-new/utils/man/man1/tsszgen2phase.1 +--- tss2/utils/man/man1/tsszgen2phase.1 2021-01-15 14:45:18.000000000 -0700 ++++ tss2-new/utils/man/man1/tsszgen2phase.1 2021-02-08 16:56:07.272363121 -0700 +@@ -1,7 +1,7 @@ + .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.13. 
+-.TH ZGEN2PHASE "1" "November 2020" "zgen2phase 1.6" "User Commands" ++.TH TSSZGEN2PHASE "1" "November 2020" "tsszgen2phase 1.6" "User Commands" + .SH NAME +-zgen2phase \- Runs TPM2 zgen2phase ++tsszgen2phase \- Runs TPM2 zgen2phase + .SH DESCRIPTION + zgen2phase + .PP diff --git a/SPECS/tss2.spec b/SPECS/tss2.spec new file mode 100644 index 0000000..477825c --- /dev/null +++ b/SPECS/tss2.spec 
@@ -0,0 +1,187 @@
+#
+# Spec file for IBM's TSS for the TPM 2.0
+#
+%{!?__global_ldflags: %global __global_ldflags -Wl,-z,relro}
+
+%global incname ibmtss
+
+Name: tss2
+Version: 1.6.0
+Release: 6%{?dist}
+Epoch: 1
+Summary: IBM's TCG Software Stack (TSS) for TPM 2.0 and related utilities
+
+License: BSD
+URL: http://sourceforge.net/projects/ibmtpm20tss/
+Source0: https://sourceforge.net/projects/ibmtpm20tss/files/ibmtss%{version}.tar.gz
+Patch0: tss2-1.6.0-manpage-cleanup.patch
+Patch1: 0001-utils-Update-certifyx509-for-Openssl-3.0.0.patch
+Patch2: 0002-utils-Remove-unused-variables-from-certifyx509.patch
+Patch3: 0003-Update-certifyx509-for-Windows.patch
+Patch4: 0004-utils-Clean-up-certifyx509-memory-allocation.patch
+Patch5: 0005-utils-Fix-errors-detected-by-gcc-asan.patch
+Patch6: 0006-tss-Port-HMAC-operations-to-openssl-3.0.patch
+Patch7: 0007-utils-Port-to-openssl-3.0.0-replaces-RSA-with-EVP_PK.patch
+Patch8: 0001-utils-Generate-X509-certificate-serial-number-using-.patch
+Patch9: 0002-Update-SHA-1-to-SHA-256-in-tests-without-restricting.patch
+Patch10: 0003-Restrict-the-usage-of-SHA-1-in-code-examples.patch
+Patch11: 0004-Restrict-SHA-1-in-TSS.patch
+
+
+BuildRequires: automake
+BuildRequires: autoconf
+BuildRequires: libtool
+BuildRequires: gcc
+BuildRequires: openssl-devel
+BuildRequires: git
+Requires: openssl
+
+%description
+TSS2 is a user space Trusted Computing Group's Software Stack (TSS) for
+TPM 2.0. It implements the functionality equivalent to the TCG TSS
+working group's ESAPI, SAPI, and TCTI layers (and perhaps more) but with
+a hopefully far simpler interface.
+
+It comes with about 80 "TPM tools" that can be used for rapid prototyping,
+education and debugging.
+
+%package devel
+Summary: Development libraries and headers for IBM's TSS 2.0
+Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
+
+%description devel
+Development libraries and headers for IBM's TSS 2.0. You will need this in
+order to build TSS 2.0 applications.
+
+%prep
+%autosetup -S git -p1 -c %{name}-%{version}
+
+%build
+autoreconf -vi
+%configure --disable-static --disable-tpm-1.2 --program-prefix=tss --enable-restricted-hash-alg
+CCFLAGS="%{optflags}" \
+LNFLAGS="%{__global_ldflags}" \
+%{make_build}
+
+%install
+%make_install
+find %{buildroot} -type f -name "*.la" -delete -print
+
+%ldconfig_scriptlets
+
+%files
+%license LICENSE
+%{_bindir}/tss*
+%{_libdir}/libibmtss.so.*
+%{_libdir}/libibmtssutils.so.*
+%attr(0644, root, root) %{_mandir}/man1/tss*.1*
+
+%files devel
+%{_includedir}/%{incname}
+%{_libdir}/libibmtss.so
+%{_libdir}/libibmtssutils.so
+%doc ibmtss.doc
+
+%changelog
+* Thu Feb 24 2022 Stepan Horacek - 1:1.6.0-6
+- Restrict SHA-1 usage
+ Resolves: rhbz#1935450
+
+* Fri Jan 28 2022 Stepan Horacek - 1:1.6.0-5
+- Fix failures introduced with OpenSSL 3
+ Resolves: rhbz#1984621
+ Resolves: rhbz#1992339
+
+* Tue Aug 10 2021 Mohan Boddu - 1:1.6.0-4
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+ Related: rhbz#1991688
+
+* Wed Jun 16 2021 Mohan Boddu - 1:1.6.0-3
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+ Related: rhbz#1971065
+
+* Fri Apr 16 2021 Mohan Boddu - 1:1.6.0-2
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Mon Feb 8 2021 Jerry Snitselaar - 1.6.0-1
+- Rebase to v1.6.0 release.
+- Manpage cleanup.
+
+* Wed Jan 27 2021 Fedora Release Engineering - 1331-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Jul 29 2020 Fedora Release Engineering - 1331-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Fri Feb 14 2020 Tom Stellard - 1331-5
+- Use make_build macro
+- https://docs.fedoraproject.org/en-US/packaging-guidelines/#_parallel_make
+
+* Fri Jan 31 2020 Fedora Release Engineering - 1331-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Fri Jan 17 2020 Jeff Law - 1331-3
+- Ensure tssprintcmd has the compilation compilation flags,
+ PIC in particular
+
+* Sat Jul 27 2019 Fedora Release Engineering - 1331-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu May 30 2019 Jerry Snitselaar - 1331-1
+- Rebase to version 1331
+
+* Tue May 28 2019 Jerry Snitselaar - 1234-4
+- Fix covscan issues
+- Fix compile and linker flag issues
+
+* Sun Feb 03 2019 Fedora Release Engineering - 1234-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Sat Jul 14 2018 Fedora Release Engineering - 1234-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Mon Jun 18 2018 Jerry Snitselaar - 1234-1
+- Version bump.
+
+* Fri Feb 09 2018 Fedora Release Engineering - 1027-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Fri Jan 19 2018 Merlin Mathesius - 1027-1
+- Version bump. Now supported for all architectures.
+- Generate man pages since they are no longer included in source archive.
+
+* Thu Aug 03 2017 Fedora Release Engineering - 713-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering - 713-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Sat Feb 11 2017 Fedora Release Engineering - 713-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Wed Oct 05 2016 Hon Ching(Vicky) Lo - 713-7
+- Removed defattr from the devel subpackage
+
+* Mon Sep 26 2016 Hon Ching(Vicky) Lo - 713-6
+- Added s390x arch as another "ExcludeArch"
+
+* Mon Sep 26 2016 Hon Ching(Vicky) Lo - 713-5
+- Replaced ExclusiveArch with ExcludeArch
+
+* Mon Sep 19 2016 Hon Ching(Vicky) Lo - 713-4
+- Used ExclusiveArch instead of BuildArch tag
+- Removed attr from symlink in devel subpackage
+- Added manpages and modified the Source0
+- Added CCFLAGS and LNFLAGS to enforce hardening and optimization
+
+* Wed Aug 17 2016 Hon Ching(Vicky) Lo - 713-3
+- Modified supported arch to ppc64le
+
+* Sat Aug 13 2016 Hon Ching(Vicky) Lo - 713-2
+- Minor spec fixes
+
+* Tue Aug 09 2016 Hon Ching(Vicky) Lo - 713-1
+- Updated for initial submission
+
+* Fri Mar 20 2015 George Wilson
+- Initial implementation
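Review bot: The `__global_ldflags` fallback at the top of the spec gives only partial RELRO (`-Wl,-z,relro`), so on a build host where redhat-rpm-config does not define that macro the libibmtss libraries and the tss* tools, which handle TPM auth values and key material, would be linked without `-z now` and keep a writable GOT after startup; the fallback should be `%{!?__global_ldflags: %global __global_ldflags -Wl,-z,relro -Wl,-z,now}`. The 2016 changelog entry says CCFLAGS/LNFLAGS were added "to enforce hardening", but those are variables of the old hand-written Makefile, and the build now goes through `autoreconf` and `%configure`, which export CFLAGS/LDFLAGS themselves; whether the autotools build still honours `CCFLAGS="%{optflags}"` and `LNFLAGS="%{__global_ldflags}"` is not visible here and is worth confirming (e.g. by checking the compile lines in the build log) rather than assumed. Minor: `URL:` uses plain http while `Source0:` uses https; pointing both at https avoids a downgrade path for anyone following the link.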