Hello community,
here is the log from the commit of package openssl_tpm2_engine for
openSUSE:Factory checked in at 2022-03-18 16:49:24
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssl_tpm2_engine (Old)
and /work/SRC/openSUSE:Factory/.openssl_tpm2_engine.new.25692 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssl_tpm2_engine"
Fri Mar 18 16:49:24 2022 rev:7 rq:962866 version:3.1.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/openssl_tpm2_engine/openssl_tpm2_engine.changes
2022-02-19 00:07:29.181017502 +0100
+++
/work/SRC/openSUSE:Factory/.openssl_tpm2_engine.new.25692/openssl_tpm2_engine.changes
2022-03-18 16:49:25.209501911 +0100
@@ -1,0 +2,6 @@
+Tue Mar 1 15:11:41 UTC 2022 - [email protected]
+
+- Update to version 3.1.1
+ * Fix use after free in dynamic engines
+
+-------------------------------------------------------------------
Old:
----
openssl_tpm2_engine-3.1.0.tar.gz
New:
----
openssl_tpm2_engine-3.1.1.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openssl_tpm2_engine.spec ++++++
--- /var/tmp/diff_new_pack.n32t8t/_old 2022-03-18 16:49:25.689502282 +0100
+++ /var/tmp/diff_new_pack.n32t8t/_new 2022-03-18 16:49:25.697502288 +0100
@@ -18,7 +18,7 @@
Name: openssl_tpm2_engine
-Version: 3.1.0
+Version: 3.1.1
Release: 0
Summary: OpenSSL TPM 2.0 interface engine plugin
License: LGPL-2.1-only
++++++ openssl_tpm2_engine-3.1.0.tar.gz -> openssl_tpm2_engine-3.1.1.tar.gz
++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-3.1.0/configure.ac
new/openssl_tpm2_engine-3.1.1/configure.ac
--- old/openssl_tpm2_engine-3.1.0/configure.ac 2022-02-17 00:15:34.000000000
+0100
+++ new/openssl_tpm2_engine-3.1.1/configure.ac 2022-03-01 14:24:28.000000000
+0100
@@ -2,7 +2,7 @@
# configure.in for the OpenSSL TPM engine project
#
-AC_INIT(openssl-tpm2-engine, 3.1.0, <[email protected]>)
+AC_INIT(openssl-tpm2-engine, 3.1.1, <[email protected]>)
AM_INIT_AUTOMAKE([foreign 1.6.3])
AC_CANONICAL_HOST
AM_CONDITIONAL(NATIVE_BUILD, test "x$cross_compiling" = "xno")
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-3.1.0/e_tpm2-ecc.c
new/openssl_tpm2_engine-3.1.1/e_tpm2-ecc.c
--- old/openssl_tpm2_engine-3.1.0/e_tpm2-ecc.c 2022-02-17 00:15:34.000000000
+0100
+++ new/openssl_tpm2_engine-3.1.1/e_tpm2-ecc.c 2022-03-01 14:24:28.000000000
+0100
@@ -12,6 +12,7 @@
#include <openssl/ec.h>
#include <openssl/ecdsa.h>
#include <openssl/ecdh.h>
+#include <openssl/engine.h>
#include <openssl/evp.h>
#include <openssl/sha.h>
#include <openssl/bn.h>
@@ -56,6 +57,7 @@
/* varibles used to get/set CRYPTO_EX_DATA values */
static int ec_app_data = TPM2_ENGINE_EX_DATA_UNINIT;
+static int active_keys = 0;
static TPM_HANDLE tpm2_load_key_from_ecc(const EC_KEY *eck,
TSS_CONTEXT **tssContext, char **auth,
@@ -84,7 +86,7 @@
return tpm2_load_key(tssContext, app_data, srk_auth, NULL);
}
-void tpm2_bind_key_to_engine_ecc(EVP_PKEY *pkey, void *data)
+void tpm2_bind_key_to_engine_ecc(ENGINE *e, EVP_PKEY *pkey, struct app_data
*data)
{
EC_KEY *eck = EVP_PKEY_get1_EC_KEY(pkey);
@@ -103,6 +105,9 @@
#endif
}
+ data->e = e;
+ ENGINE_init(e);
+ active_keys++;
#if OPENSSL_VERSION_NUMBER >= 0x30000000
EVP_PKEY_set1_EC_KEY(pkey, eck);
#else
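Review bot: The result of `ENGINE_init(e)` is discarded in the added lines, so a failed init still records `data->e` and bumps `active_keys`, and the free callback will later call `ENGINE_finish()` for a reference this key never obtained. Test the call, e.g. `if (!ENGINE_init(e)) { /* leave the key unbound and report it */ }`; since the function returns void, the failure also needs some way to reach the caller. `active_keys` is a plain `static int` updated without a lock or atomic, which looks racy if the application loads or frees keys on more than one thread. The bind hunk in e_tpm2-rsa.c has the same two issues, and this function starts and ends outside the hunk.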
@@ -118,6 +123,8 @@
if (!data)
return;
+ --active_keys;
+ ENGINE_finish(data->e);
tpm2_delete(data);
}
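Review bot: `tpm2_delete(data)` runs after `ENGINE_finish(data->e)`, so if this key held the last reference, the rest of the cleanup may execute after the engine's finish/destroy handlers have already run; whether that can also unload a dynamically loaded engine is not visible here and should be checked. Releasing the reference last narrows that window: `ENGINE *e = data->e;`, `tpm2_delete(data);`, `ENGINE_finish(e);`. A short comment stating that the `ENGINE_finish()` pairs with the `ENGINE_init()` in the bind function would help the next reader. The matching free hunk in e_tpm2-rsa.c has the same ordering; the function starts outside this hunk.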
@@ -352,6 +359,10 @@
void tpm2_teardown_ecc_methods(void)
{
+ if (active_keys != 0) {
+ fprintf(stderr, "ERROR: engine torn down while keys active\n");
+ exit(1);
+ }
#if OPENSSL_VERSION_NUMBER < 0x10100000
if (tpm2_ecdsa) {
ECDSA_METHOD_free(tpm2_ecdsa);
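Review bot: Calling `exit(1)` from the added guard terminates the host application from inside library teardown, and if this function is reached from OpenSSL's exit-time cleanup (not visible here) it re-enters `exit()`, which the C standard leaves undefined. Skipping the frees is the safer failure mode: keep the `fprintf` and replace `exit(1);` with `return;`, so the method tables leak rather than being freed under live keys. The message could also name the key type, e.g. `"ERROR: engine torn down while ECC keys active\n"`, since the RSA teardown prints the identical text. The same guard is added to `tpm2_teardown_rsa_methods` in e_tpm2-rsa.c; the function body continues outside this hunk.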
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-3.1.0/e_tpm2-ecc.h
new/openssl_tpm2_engine-3.1.1/e_tpm2-ecc.h
--- old/openssl_tpm2_engine-3.1.0/e_tpm2-ecc.h 2022-02-17 00:15:34.000000000
+0100
+++ new/openssl_tpm2_engine-3.1.1/e_tpm2-ecc.h 2022-03-01 14:24:28.000000000
+0100
@@ -1,7 +1,7 @@
#ifndef _E_TPM2_ECC_H
#define _E_TPM2_ECC_H
-void tpm2_bind_key_to_engine_ecc(EVP_PKEY *pkey, void *data);
+void tpm2_bind_key_to_engine_ecc(ENGINE *e, EVP_PKEY *pkey, struct app_data
*data);
int tpm2_setup_ecc_methods(void);
void tpm2_teardown_ecc_methods(void);
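Review bot: The new prototype names `ENGINE` and `struct app_data`, but nothing is visible between the include guard and the prototype that declares either, so the header now depends on the includer's include order. If `struct app_data` has not been declared yet, it is scoped to the parameter list and the prototype becomes incompatible with the definition. Adding `#include <openssl/engine.h>` and a forward declaration `struct app_data;` ahead of the prototype makes the header self-contained. e_tpm2-rsa.h gets the same signature change and needs the same two lines.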
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-3.1.0/e_tpm2-rsa.c
new/openssl_tpm2_engine-3.1.1/e_tpm2-rsa.c
--- old/openssl_tpm2_engine-3.1.0/e_tpm2-rsa.c 2022-02-17 00:15:34.000000000
+0100
+++ new/openssl_tpm2_engine-3.1.1/e_tpm2-rsa.c 2022-03-01 14:24:28.000000000
+0100
@@ -27,6 +27,7 @@
static int ex_app_data = TPM2_ENGINE_EX_DATA_UNINIT;
RSA_METHOD *tpm2_rsa = NULL;
+static int active_keys = 0;
#if OPENSSL_VERSION_NUMBER < 0x10100000
/* rsa functions */
@@ -116,7 +117,7 @@
return tpm2_load_key(tssContext, app_data, srk_auth, NULL);
}
-void tpm2_bind_key_to_engine_rsa(EVP_PKEY *pkey, void *data)
+void tpm2_bind_key_to_engine_rsa(ENGINE *e, EVP_PKEY *pkey, struct app_data
*data)
{
RSA *rsa = EVP_PKEY_get1_RSA(pkey);
@@ -127,8 +128,11 @@
#else
RSA_set_method(rsa, tpm2_rsa);
#endif
+ data->e = e;
+ ENGINE_init(e);
RSA_set_ex_data(rsa, ex_app_data, data);
+ active_keys++;
#if OPENSSL_VERSION_NUMBER >= 0x30000000
EVP_PKEY_set1_RSA(pkey, rsa);
@@ -146,6 +150,9 @@
if (!app_data)
return;
+ --active_keys;
+ ENGINE_finish(app_data->e);
+
tpm2_delete(app_data);
}
@@ -343,6 +350,10 @@
void tpm2_teardown_rsa_methods(void)
{
+ if (active_keys != 0) {
+ fprintf(stderr, "ERROR: engine torn down while keys active\n");
+ exit(1);
+ }
#if OPENSSL_VERSION_NUMBER >= 0x10100000
if (tpm2_rsa) {
RSA_meth_free(tpm2_rsa);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-3.1.0/e_tpm2-rsa.h
new/openssl_tpm2_engine-3.1.1/e_tpm2-rsa.h
--- old/openssl_tpm2_engine-3.1.0/e_tpm2-rsa.h 2022-02-17 00:15:34.000000000
+0100
+++ new/openssl_tpm2_engine-3.1.1/e_tpm2-rsa.h 2022-03-01 14:24:28.000000000
+0100
@@ -1,7 +1,7 @@
#ifndef _E_TPM2_RSA_H
#define _E_TPM2_RSA_H
-void tpm2_bind_key_to_engine_rsa(EVP_PKEY *pkey, void *data);
+void tpm2_bind_key_to_engine_rsa(ENGINE *e, EVP_PKEY *pkey, struct app_data
*data);
int tpm2_setup_rsa_methods(void);
void tpm2_teardown_rsa_methods(void);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-3.1.0/e_tpm2.c
new/openssl_tpm2_engine-3.1.1/e_tpm2.c
--- old/openssl_tpm2_engine-3.1.0/e_tpm2.c 2022-02-17 00:15:34.000000000
+0100
+++ new/openssl_tpm2_engine-3.1.1/e_tpm2.c 2022-03-01 14:24:28.000000000
+0100
@@ -116,14 +116,14 @@
{0, NULL, NULL, 0}
};
-void tpm2_bind_key_to_engine(EVP_PKEY *pkey, void *data)
+void tpm2_bind_key_to_engine(ENGINE *e, EVP_PKEY *pkey, struct app_data *data)
{
switch (EVP_PKEY_id(pkey)) {
case EVP_PKEY_RSA:
- tpm2_bind_key_to_engine_rsa(pkey, data);
+ tpm2_bind_key_to_engine_rsa(e, pkey, data);
break;
case EVP_PKEY_EC:
- tpm2_bind_key_to_engine_ecc(pkey, data);
+ tpm2_bind_key_to_engine_ecc(e, pkey, data);
break;
default:
break;
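Review bot: The new `ENGINE *e` parameter changes the contract of `tpm2_bind_key_to_engine` and nothing documents it: the RSA and ECC helpers now call `ENGINE_init(e)` and release it only when the key is freed. A header comment such as `/* Attach data to pkey and take a functional reference on e that is dropped when the key is freed; key types other than RSA and EC are left unbound */` would record that. The `default:` branch silently leaves `data` unattached, so a caller cannot tell whether the key now owns it; that is worth stating too. The function's closing brace is outside this hunk.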
@@ -193,7 +193,7 @@
if (askauth)
app_data->auth = tpm2_get_auth(ui, "TPM NV Key Password: ",
cb_data);
- tpm2_bind_key_to_engine(pkey, app_data);
+ tpm2_bind_key_to_engine(e, pkey, app_data);
out:
*ppkey = pkey;
@@ -241,7 +241,7 @@
return 0;
if (!public_only)
- tpm2_bind_key_to_engine(pkey, app_data);
+ tpm2_bind_key_to_engine(e, pkey, app_data);
*ppkey = pkey;
return 1;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-3.1.0/tests/Makefile.am
new/openssl_tpm2_engine-3.1.1/tests/Makefile.am
--- old/openssl_tpm2_engine-3.1.0/tests/Makefile.am 2022-02-17
00:15:34.000000000 +0100
+++ new/openssl_tpm2_engine-3.1.1/tests/Makefile.am 2022-03-01
14:24:28.000000000 +0100
@@ -26,6 +26,7 @@
check_rsa_oaep_pss.sh \
restricted_parent.sh \
seal_unseal.sh \
+ dynamic_engine.sh \
stop_sw_tpm.sh
fail_connect.sh: tpm_server_found
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-3.1.0/tests/dynamic_engine.sh
new/openssl_tpm2_engine-3.1.1/tests/dynamic_engine.sh
--- old/openssl_tpm2_engine-3.1.0/tests/dynamic_engine.sh 1970-01-01
01:00:00.000000000 +0100
+++ new/openssl_tpm2_engine-3.1.1/tests/dynamic_engine.sh 2022-03-01
14:24:28.000000000 +0100
@@ -0,0 +1,29 @@
+#!/bin/bash
+set -x
+
+bindir=${srcdir}/..
+
+# to work with the dynamic engine, we unset the openssl.cnf that
+# specifies a built in engine
+unset OPENSSL_CONF
+export OPENSSL_ENGINES=${srcdir}/../.libs
+ln -s libtpm2.so ${OPENSSL_ENGINES}/tpm2.so
+
+testkey() {
+ openssl pkey -engine tpm2 -inform engine -in key.tpm -pubout -out key.pub
|| exit 1
+ # must be 32 bytes exactly for ECDSA signatures
+ echo -n "12345678901234567890123456789012" > tmp.plain
+ openssl pkeyutl -sign -engine tpm2 -keyform engine -in tmp.plain -inkey
key.tpm -out tmp.msg || exit 1
+ openssl pkeyutl -verify -in tmp.plain -sigfile tmp.msg -inkey key.pub
-pubin || exit 1
+}
+
+# check use of rsa key
+${bindir}/create_tpm2_key --rsa key.tpm || exit 1
+
+testkey
+
+${bindir}/create_tpm2_key --ec prime256v1 key.tpm || exit 1
+
+testkey
+
+exit 0
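Review bot: The `ln -s libtpm2.so ${OPENSSL_ENGINES}/tpm2.so` line is neither checked nor repeatable: a second run fails because the link already exists, and a first-run failure is ignored, so the later `openssl` steps fail with a less obvious engine-load error. `ln -sf libtpm2.so "${OPENSSL_ENGINES}/tpm2.so" || exit 1` fixes both. The `${srcdir}` and `${bindir}` expansions are unquoted throughout, which breaks when the tree lives under a path containing spaces. The script also leaves `key.tpm`, `key.pub`, `tmp.plain` and `tmp.msg` behind; if the other tests do not rely on a shared cleanup step, remove them before `exit 0`.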
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-3.1.0/tpm2-common.h
new/openssl_tpm2_engine-3.1.1/tpm2-common.h
--- old/openssl_tpm2_engine-3.1.0/tpm2-common.h 2022-02-17 00:15:34.000000000
+0100
+++ new/openssl_tpm2_engine-3.1.1/tpm2-common.h 2022-03-01 14:24:28.000000000
+0100
@@ -40,6 +40,7 @@
int num_commands;
unsigned int name_alg;
struct policy_command *commands;
+ ENGINE *e;
};
void tpm2_error(TPM_RC rc, const char *reason);
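Review bot: The added `ENGINE *e;` member carries a reference-counted pointer but has no comment saying who takes and who drops the reference. Something like `/* engine this key is bound to; functional reference taken at bind time, released in the key free callback */` next to the field would make the ownership explicit. The free callbacks pass `e` to `ENGINE_finish()` unconditionally, so it is worth confirming that every allocation of this struct zero-initialises it; the allocation sites are not visible in this diff.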