Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package ibmtss for openSUSE:Factory checked in at 2022-11-25 13:11:18 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ibmtss (Old) and /work/SRC/openSUSE:Factory/.ibmtss.new.1597 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ibmtss" Fri Nov 25 13:11:18 2022 rev:20 rq:1037857 version:1.6.0 Changes: -------- --- /work/SRC/openSUSE:Factory/ibmtss/ibmtss.changes 2021-11-28 21:30:11.542060163 +0100 +++ /work/SRC/openSUSE:Factory/.ibmtss.new.1597/ibmtss.changes 2022-11-25 13:11:27.067777681 +0100 @@ -1,0 +2,13 @@ +Wed Nov 9 13:33:51 UTC 2022 - Pedro Monreal <pmonr...@suse.com> + +- Build with OpenSSL 3.0 deprecated functions until fixed upstream +in the next version update [bsc#1205042] + * ibmtss-openssl3-deprecation.patch +- Add upstream patches to fix build with OpenSSL 3.0 + * ibmtss-regtests-Update-openssl-key-generation-for-3.0.0.patch + * ibmtss-utils-Update-certifyx509-for-Openssl-3.0.0.patch + * ibmtss-utils-Remove-unused-variables-from-certifyx509.patch + * ibmtss-tss-Port-HMAC-operations-to-openssl-3.0.patch + * ibmtss-utils-Port-to-openssl-3.0.0-replaces-RSA-with-EVP_PK.patch + +------------------------------------------------------------------- New: ---- ibmtss-openssl3-deprecation.patch ibmtss-regtests-Update-openssl-key-generation-for-3.0.0.patch ibmtss-tss-Port-HMAC-operations-to-openssl-3.0.patch ibmtss-utils-Port-to-openssl-3.0.0-replaces-RSA-with-EVP_PK.patch ibmtss-utils-Remove-unused-variables-from-certifyx509.patch ibmtss-utils-Update-certifyx509-for-Openssl-3.0.0.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ibmtss.spec ++++++ --- /var/tmp/diff_new_pack.zelhD8/_old 2022-11-25 13:11:27.851782060 +0100 +++ /var/tmp/diff_new_pack.zelhD8/_new 2022-11-25 13:11:27.859782105 +0100 @@ -1,7 +1,7 @@ # # spec file for package ibmtss # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -32,6 +32,12 @@ Source: https://sourceforge.net/projects/ibmtpm20tss/files/ibmtss%{version}.tar.gz Source1: 90-tpm-ibmtss.rules Patch1: ibmtss-configure.ac-Do-not-disable-optimization-for-debug-b.patch +Patch2: ibmtss-regtests-Update-openssl-key-generation-for-3.0.0.patch +Patch3: ibmtss-utils-Update-certifyx509-for-Openssl-3.0.0.patch +Patch4: ibmtss-utils-Remove-unused-variables-from-certifyx509.patch +Patch5: ibmtss-tss-Port-HMAC-operations-to-openssl-3.0.patch +Patch6: ibmtss-utils-Port-to-openssl-3.0.0-replaces-RSA-with-EVP_PK.patch +Patch7: ibmtss-openssl3-deprecation.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: ibmswtpm2 ++++++ ibmtss-openssl3-deprecation.patch ++++++ Index: ibmtss-1.6.0/build.sh =================================================================== --- ibmtss-1.6.0.orig/build.sh +++ ibmtss-1.6.0/build.sh @@ -13,7 +13,7 @@ cleanup() { } CC="${CC:-gcc}" -CFLAGS="${CFLAGS:--Wformat -Werror=format-security -Werror=implicit-function-declaration -Werror=return-type -fno-common}" +CFLAGS="${CFLAGS:--Wformat -Werror=format-security -Werror=implicit-function-declaration -Werror=return-type -fno-common -Wno-error=deprecated-declarations}" PREFIX="${PREFIX:-$HOME/tpm2}" export LD_LIBRARY_PATH="$PREFIX/lib64:$PREFIX/lib:/usr/local/lib64:/usr/local/lib" Index: ibmtss-1.6.0/configure.ac =================================================================== --- ibmtss-1.6.0.orig/configure.ac +++ ibmtss-1.6.0/configure.ac @@ -71,7 +71,7 @@ AC_ARG_ENABLE(debug, # Linux requires -DTPM_POSIX case $host_os in - linux-*) CFLAGS="-DTPM_POSIX $CFLAGS" ;; + linux-*) CFLAGS="-DTPM_POSIX $CFLAGS -Wno-error=deprecated-declarations" ;; esac AC_ARG_ENABLE(tpm-2.0, ++++++ ibmtss-regtests-Update-openssl-key-generation-for-3.0.0.patch ++++++ >From f1c6b44f95392c156b235d42bccc8235ee24bb6f Mon Sep 17 00:00:00 2001 From: Ken Goldman <kgold...@us.ibm.com> Date: Wed, 11 Aug 2021 18:22:41 -0400 Subject: regtests: Update openssl key generation for 3.0.0 OpenSSL 3.0.0 used a different pem and der key format. Update the command line calls. Bypass the tests that use these functions for mbedtls, which does not support the new format. Signed-off-by: Ken Goldman <kgold...@us.ibm.com> diff --git a/utils/regtests/testdup.sh b/utils/regtests/testdup.sh index eeca02f..e849e44 100755 --- a/utils/regtests/testdup.sh +++ b/utils/regtests/testdup.sh @@ -7,7 +7,7 @@ # Written by Ken Goldman # # IBM Thomas J. Watson Research Center # # # -# (c) Copyright IBM Corporation 2015 - 2020 # +# (c) Copyright IBM Corporation 2015 - 2021 # # # # All rights reserved. # # # @@ -215,7 +215,12 @@ echo "" if [ ${CRYPTOLIBRARY} == "openssl" ]; then echo "generate the RSA signing key with openssl" - openssl genrsa -out tmpprivkey.pem -aes256 -passout pass:rrrr 2048 > run.out 2>&1 + + openssl genpkey -out tmpprivkey.pem -outform pem -aes-256-cbc -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -pass pass:rrrr > run.out 2>&1 + +# The following worked up to Openssl 3.0.0. The key generation +# remains here for when mbedtls is updated, but the tests are now +# if'ed out elif [ ${CRYPTOLIBRARY} == "mbedtls" ]; then echo "Generate the RSA signing key with openssl" @@ -232,22 +237,24 @@ else exit 255 fi -echo "load the ECC storage key 80000001" -${PREFIX}load -hp 80000000 -pwdp sto -ipr storeeccnistp256priv.bin -ipu storeeccnistp256pub.bin > run.out -checkSuccess $? +if [ ${CRYPTOLIBRARY} == "openssl" ]; then -echo "Start an HMAC auth session" -${PREFIX}startauthsession -se h > run.out -checkSuccess $? + echo "load the ECC storage key 80000001" + ${PREFIX}load -hp 80000000 -pwdp sto -ipr storeeccnistp256priv.bin -ipu storeeccnistp256pub.bin > run.out + checkSuccess $? -for SESS in "" "-se0 02000000 1" -do - for HALG in ${ITERATE_ALGS} - do + echo "Start an HMAC auth session" + ${PREFIX}startauthsession -se h > run.out + checkSuccess $? - for PARENT in 80000000 80000001 + for SESS in "" "-se0 02000000 1" + do + for HALG in ${ITERATE_ALGS} do + for PARENT in 80000000 80000001 + do + echo "Import the signing key under the parent key ${PARENT} ${HALG}" ${PREFIX}importpem -hp ${PARENT} -pwdp sto -ipem tmpprivkey.pem -pwdk rrrr -opu tmppub.bin -opr tmppriv.bin -halg ${HALG} > run.out checkSuccess $? @@ -268,9 +275,10 @@ do ${PREFIX}flushcontext -ha 80000002 > run.out checkSuccess $? + done done done -done +fi echo "" echo "Import PEM EC signing key under RSA and ECC storage key" @@ -300,49 +308,53 @@ else exit 255 fi -for CURVE in "nistp256" "nistp384" -do - - for SESS in "" "-se0 02000000 1" +if [ ${CRYPTOLIBRARY} == "openssl" ]; then + + for CURVE in "nistp256" "nistp384" do - for HALG in ${ITERATE_ALGS} - do - for PARENT in 80000000 80000001 + for SESS in "" "-se0 02000000 1" + do + for HALG in ${ITERATE_ALGS} do - echo "Import the ${CURVE} signing key under the parent key ${PARENT} ${HALG}" - ${PREFIX}importpem -hp ${PARENT} -pwdp sto -ipem tmpec${CURVE}privkey.pem -ecc -pwdk rrrr -opu tmppub.bin -opr tmppriv.bin -halg ${HALG} > run.out - checkSuccess $? + for PARENT in 80000000 80000001 + do - echo "Load the TPM signing key" - ${PREFIX}load -hp ${PARENT} -pwdp sto -ipu tmppub.bin -ipr tmppriv.bin > run.out - checkSuccess $? + echo "Import the ${CURVE} signing key under the parent key ${PARENT} ${HALG}" + ${PREFIX}importpem -hp ${PARENT} -pwdp sto -ipem tmpec${CURVE}privkey.pem -ecc -pwdk rrrr -opu tmppub.bin -opr tmppriv.bin -halg ${HALG} > run.out + checkSuccess $? - echo "Sign the message ${HALG} ${SESS}" - ${PREFIX}sign -hk 80000002 -salg ecc -pwdk rrrr -if policies/aaa -os tmpsig.bin -halg ${HALG} ${SESS} > run.out - checkSuccess $? + echo "Load the TPM signing key" + ${PREFIX}load -hp ${PARENT} -pwdp sto -ipu tmppub.bin -ipr tmppriv.bin > run.out + checkSuccess $? - echo "Verify the signature ${HALG}" - ${PREFIX}verifysignature -hk 80000002 -ecc -if policies/aaa -is tmpsig.bin -halg ${HALG} > run.out - checkSuccess $? + echo "Sign the message ${HALG} ${SESS}" + ${PREFIX}sign -hk 80000002 -salg ecc -pwdk rrrr -if policies/aaa -os tmpsig.bin -halg ${HALG} ${SESS} > run.out + checkSuccess $? - echo "Flush the signing key" - ${PREFIX}flushcontext -ha 80000002 > run.out - checkSuccess $? + echo "Verify the signature ${HALG}" + ${PREFIX}verifysignature -hk 80000002 -ecc -if policies/aaa -is tmpsig.bin -halg ${HALG} > run.out + checkSuccess $? + echo "Flush the signing key" + ${PREFIX}flushcontext -ha 80000002 > run.out + checkSuccess $? + + done done done done -done -echo "Flush the ECC storage key" -${PREFIX}flushcontext -ha 80000001 > run.out -checkSuccess $? + echo "Flush the ECC storage key" + ${PREFIX}flushcontext -ha 80000001 > run.out + checkSuccess $? -echo "Flush the auth session" -${PREFIX}flushcontext -ha 02000000 > run.out -checkSuccess $? + echo "Flush the auth session" + ${PREFIX}flushcontext -ha 02000000 > run.out + checkSuccess $? + +fi echo "" echo "Rewrap" diff --git a/utils/regtests/testrsa.sh b/utils/regtests/testrsa.sh index 4f76522..5ae0b29 100755 --- a/utils/regtests/testrsa.sh +++ b/utils/regtests/testrsa.sh @@ -7,7 +7,7 @@ # Written by Ken Goldman # # IBM Thomas J. Watson Research Center # # # -# (c) Copyright IBM Corporation 2015 - 2020 # +# (c) Copyright IBM Corporation 2015 - 2021 # # # # All rights reserved. # # # @@ -59,20 +59,25 @@ if [ ${CRYPTOLIBRARY} == "openssl" ]; then do echo "Generate the RSA $BITS encryption key with openssl" - openssl genrsa -out tmpkeypairrsa${BITS}.pem -aes256 -passout pass:rrrr ${BITS} > run.out 2>&1 + openssl genpkey -out tmpkeypairrsa${BITS}.pem -outform pem -aes-256-cbc -algorithm rsa -pkeyopt rsa_keygen_bits:${BITS} -pass pass:rrrr > run.out 2>&1 echo "Convert key pair to plaintext DER format" - openssl rsa -inform pem -outform der -in tmpkeypairrsa${BITS}.pem -out tmpkeypairrsa${BITS}.der -passin pass:rrrr > run.out 2>&1 + openssl pkey -inform pem -in tmpkeypairrsa${BITS}.pem -outform der -out tmpkeypairrsa${BITS}.der -passin pass:rrrr > run.out 2>&1 done + +# The following worked up to Openssl 3.0.0. The key generation +# remains here for when mbedtls is updated, but the tests are now +# if'ed out + elif [ ${CRYPTOLIBRARY} == "mbedtls" ]; then for BITS in 2048 3072 do echo "Generate the RSA $BITS encryption key with openssl" - openssl genrsa -out tmpkeypairrsaenc${BITS}.pem -aes256 -passout pass:rrrr ${BITS} > run.out 2>&1 + openssl genrsa -out tmpkeypairrsaenc${BITS}.pem -outform pem -aes-256-cbc -algorithm rsa -pkeyopt rsa_keygen_bits:${BITS} -pass:rrrr > run.out 2>&1 echo "Convert RSA $BITS key pair to plaintext DER format" openssl rsa -in tmpkeypairrsaenc${BITS}.pem -passin pass:rrrr -outform der -out tmpkeypairrsa${BITS}.der > run.out 2>&1 @@ -158,20 +163,22 @@ do done -echo "" -echo "Import PEM RSA encryption key" -echo "" +if [ ${CRYPTOLIBRARY} == "openssl" ]; then -echo "Start an HMAC auth session" -${PREFIX}startauthsession -se h > run.out -checkSuccess $? + echo "" + echo "Import PEM RSA encryption key" + echo "" -for BITS in 2048 3072 -do + echo "Start an HMAC auth session" + ${PREFIX}startauthsession -se h > run.out + checkSuccess $? - for SESS in "" "-se0 02000000 1" + for BITS in 2048 3072 do + for SESS in "" "-se0 02000000 1" + do + echo "Import the $BITS encryption key under the primary key" ${PREFIX}importpem -hp 80000000 -den -pwdp sto -ipem tmpkeypairrsa${BITS}.pem -pwdk rrrr -opu tmppub.bin -opr tmppriv.bin > run.out checkSuccess $? @@ -201,97 +208,98 @@ do ${PREFIX}flushcontext -ha 80000001 > run.out checkSuccess $? + done + done -done + echo "Flush the session" + ${PREFIX}flushcontext -ha 02000000 > run.out + checkSuccess $? -echo "Flush the session" -${PREFIX}flushcontext -ha 02000000 > run.out -checkSuccess $? + echo "" + echo "Import PEM RSA encryption key userWithAuth test" + echo "" -echo "" -echo "Import PEM RSA encryption key userWithAuth test" -echo "" + echo "Import the RSA 2048 encryption key under the primary key 80000000" + ${PREFIX}importpem -hp 80000000 -den -pwdp sto -ipem tmpkeypairrsa2048.pem -pwdk rrrr -opu tmppub.bin -opr tmppriv.bin > run.out + checkSuccess $? -echo "Import the RSA 2048 encryption key under the primary key 80000000" -${PREFIX}importpem -hp 80000000 -den -pwdp sto -ipem tmpkeypairrsa2048.pem -pwdk rrrr -opu tmppub.bin -opr tmppriv.bin > run.out -checkSuccess $? + echo "Load the RSA 2048 encryption key 80000001" + ${PREFIX}load -hp 80000000 -pwdp sto -ipu tmppub.bin -ipr tmppriv.bin > run.out + checkSuccess $? -echo "Load the RSA 2048 encryption key 80000001" -${PREFIX}load -hp 80000000 -pwdp sto -ipu tmppub.bin -ipr tmppriv.bin > run.out -checkSuccess $? + echo "RSA encrypt with the encryption key" + ${PREFIX}rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > run.out + checkSuccess $? -echo "RSA encrypt with the encryption key" -${PREFIX}rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > run.out -checkSuccess $? + echo "RSA decrypt with the decryption key and password" + ${PREFIX}rsadecrypt -hk 80000001 -pwdk rrrr -ie enc.bin -od dec.bin > run.out + checkSuccess $? -echo "RSA decrypt with the decryption key and password" -${PREFIX}rsadecrypt -hk 80000001 -pwdk rrrr -ie enc.bin -od dec.bin > run.out -checkSuccess $? + echo "Flush the encryption key" + ${PREFIX}flushcontext -ha 80000001 > run.out + checkSuccess $? -echo "Flush the encryption key" -${PREFIX}flushcontext -ha 80000001 > run.out -checkSuccess $? + echo "Import the RSA 2048 encryption key under the primary key, userWithAuth false" + ${PREFIX}importpem -hp 80000000 -si -pwdp sto -ipem tmpkeypairrsa2048.pem -pwdk rrrr -uwa -opu tmppub.bin -opr tmppriv.bin > run.out + checkSuccess $? -echo "Import the RSA 2048 encryption key under the primary key, userWithAuth false" -${PREFIX}importpem -hp 80000000 -si -pwdp sto -ipem tmpkeypairrsa2048.pem -pwdk rrrr -uwa -opu tmppub.bin -opr tmppriv.bin > run.out -checkSuccess $? + echo "Load the RSA 2048 encryption key" + ${PREFIX}load -hp 80000000 -pwdp sto -ipu tmppub.bin -ipr tmppriv.bin > run.out + checkSuccess $? -echo "Load the RSA 2048 encryption key" -${PREFIX}load -hp 80000000 -pwdp sto -ipu tmppub.bin -ipr tmppriv.bin > run.out -checkSuccess $? + echo "RSA decrypt with the decryption key and password - should fail" + ${PREFIX}rsadecrypt -hk 80000001 -pwdk rrrr -ie enc.bin -od dec.bin > run.out + checkFailure $? -echo "RSA decrypt with the decryption key and password - should fail" -${PREFIX}rsadecrypt -hk 80000001 -pwdk rrrr -ie enc.bin -od dec.bin > run.out -checkFailure $? + echo "Flush the encryption key" + ${PREFIX}flushcontext -ha 80000001 > run.out + checkSuccess $? -echo "Flush the encryption key" -${PREFIX}flushcontext -ha 80000001 > run.out -checkSuccess $? + echo "" + echo "Loadexternal DER encryption key" + echo "" + for BITS in 2048 3072 + do -echo "" -echo "Loadexternal DER encryption key" -echo "" + echo "Start an HMAC auth session" + ${PREFIX}startauthsession -se h > run.out + checkSuccess $? -for BITS in 2048 3072 -do + for SESS in "" "-se0 02000000 1" + do - echo "Start an HMAC auth session" - ${PREFIX}startauthsession -se h > run.out - checkSuccess $? + echo "Load the openssl key pair in the NULL hierarchy 80000001" + ${PREFIX}loadexternal -den -ider tmpkeypairrsa${BITS}.der -pwdk rrrr > run.out + checkSuccess $? - for SESS in "" "-se0 02000000 1" - do + echo "RSA encrypt with the encryption key" + ${PREFIX}rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > run.out + checkSuccess $? - echo "Load the openssl key pair in the NULL hierarchy 80000001" - ${PREFIX}loadexternal -den -ider tmpkeypairrsa${BITS}.der -pwdk rrrr > run.out - checkSuccess $? + echo "RSA decrypt with the decryption key ${SESS}" + ${PREFIX}rsadecrypt -hk 80000001 -pwdk rrrr -ie enc.bin -od dec.bin ${SESS} > run.out + checkSuccess $? - echo "RSA encrypt with the encryption key" - ${PREFIX}rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > run.out - checkSuccess $? + echo "Verify the decrypt result" + tail -c 3 dec.bin > tmp.bin + diff policies/aaa tmp.bin > run.out + checkSuccess $? - echo "RSA decrypt with the decryption key ${SESS}" - ${PREFIX}rsadecrypt -hk 80000001 -pwdk rrrr -ie enc.bin -od dec.bin ${SESS} > run.out - checkSuccess $? + echo "Flush the encryption key" + ${PREFIX}flushcontext -ha 80000001 > run.out + checkSuccess $? - echo "Verify the decrypt result" - tail -c 3 dec.bin > tmp.bin - diff policies/aaa tmp.bin > run.out - checkSuccess $? + done - echo "Flush the encryption key" - ${PREFIX}flushcontext -ha 80000001 > run.out + echo "Flush the session" + ${PREFIX}flushcontext -ha 02000000 > run.out checkSuccess $? done - echo "Flush the session" - ${PREFIX}flushcontext -ha 02000000 > run.out - checkSuccess $? - -done +fi echo "" echo "Encrypt with OpenSSL OAEP, decrypt with TPM" diff --git a/utils/regtests/testsalt.sh b/utils/regtests/testsalt.sh index 1bdc1a7..e0c3376 100755 --- a/utils/regtests/testsalt.sh +++ b/utils/regtests/testsalt.sh @@ -91,16 +91,17 @@ echo "" echo "Salt Session - Load External" echo "" -echo "Create RSA and ECC key pairs in PEM format using openssl" +echo "Create RSA key pair in DER format using openssl" -openssl genrsa -out tmpkeypairrsa.pem -aes256 -passout pass:rrrr 2048 > run.out 2>&1 -openssl ecparam -name prime256v1 -genkey -noout -out tmpkeypairecc.pem > run.out 2>&1 +openssl genpkey -out tmpkeypairrsa.der -outform der -aes-256-cbc -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -pass pass:rrrr > run.out 2>&1 +echo "Create ECC key pair in PEM format using openssl" echo "Convert key pair to plaintext DER format" -openssl rsa -inform pem -outform der -in tmpkeypairrsa.pem -out tmpkeypairrsa.der -passin pass:rrrr > run.out 2>&1 +openssl ecparam -name prime256v1 -genkey -noout -out tmpkeypairecc.pem > run.out 2>&1 openssl ec -inform pem -outform der -in tmpkeypairecc.pem -out tmpkeypairecc.der -passin pass:rrrr > run.out 2>&1 + for HALG in ${ITERATE_ALGS} do diff --git a/utils/regtests/testsign.sh b/utils/regtests/testsign.sh index edfa014..3002ceb 100755 --- a/utils/regtests/testsign.sh +++ b/utils/regtests/testsign.sh @@ -47,11 +47,9 @@ echo "" for BITS in 2048 3072 do - echo "Create an RSA $BITS key pair in PEM format using openssl" - openssl genrsa -out tmpkeypairrsa${BITS}.pem -aes256 -passout pass:rrrr 2048 > run.out 2>&1 + echo "Create an RSA $BITS key pair in DER format using openssl" - echo "Convert RSA $BITS key pair to plaintext DER format" - openssl rsa -inform pem -outform der -in tmpkeypairrsa${BITS}.pem -out tmpkeypairrsa${BITS}.der -passin pass:rrrr > run.out 2>&1 + openssl genpkey -out tmpkeypairrsa${BITS}.der -outform der -aes-256-cbc -algorithm rsa -pkeyopt rsa_keygen_bits:${BITS} -pass pass:rrrr > run.out 2>&1 echo "Load the RSA $BITS signing key under the primary key" ${PREFIX}load -hp 80000000 -ipr signrsa${BITS}priv.bin -ipu signrsa${BITS}pub.bin -pwdp sto > run.out -- 2.38.0 ++++++ ibmtss-tss-Port-HMAC-operations-to-openssl-3.0.patch ++++++ >From 6e22032d637ea8c28cf84efa837a22909873466a Mon Sep 17 00:00:00 2001 From: Ken Goldman <kg...@linux.ibm.com> Date: Fri, 10 Sep 2021 16:33:10 -0400 Subject: tss: Port HMAC operations to openssl 3.0 Replace the deprecated APIs. Signed-off-by: Ken Goldman <kg...@linux.ibm.com> diff --git a/utils/tsscrypto.c b/utils/tsscrypto.c index 35f0ed3..c2ce01a 100644 --- a/utils/tsscrypto.c +++ b/utils/tsscrypto.c @@ -79,6 +79,7 @@ extern int tssVerbose; /* local prototypes */ +static TPM_RC TSS_Hash_GetOsslString(const char **str, TPMI_ALG_HASH hashAlg); static TPM_RC TSS_Hash_GetMd(const EVP_MD **md, TPMI_ALG_HASH hashAlg); @@ -129,36 +130,51 @@ TPM_RC TSS_Crypto_Init(void) Digests */ -static TPM_RC TSS_Hash_GetMd(const EVP_MD **md, - TPMI_ALG_HASH hashAlg) +/* TSS_Hash_GetString() maps from the TCG hash algorithm to the OpenSSL string */ + +static TPM_RC TSS_Hash_GetOsslString(const char **str, TPMI_ALG_HASH hashAlg) { - TPM_RC rc = 0; + TPM_RC rc = 0; - if (rc == 0) { - switch (hashAlg) { + switch (hashAlg) { #ifdef TPM_ALG_SHA1 - case TPM_ALG_SHA1: - *md = EVP_get_digestbyname("sha1"); - break; + case TPM_ALG_SHA1: + *str = "sha1"; + break; #endif -#ifdef TPM_ALG_SHA256 - case TPM_ALG_SHA256: - *md = EVP_get_digestbyname("sha256"); - break; +#ifdef TPM_ALG_SHA256 + case TPM_ALG_SHA256: + *str = "sha256"; + break; #endif #ifdef TPM_ALG_SHA384 - case TPM_ALG_SHA384: - *md = EVP_get_digestbyname("sha384"); - break; + case TPM_ALG_SHA384: + *str = "sha384"; + break; #endif #ifdef TPM_ALG_SHA512 - case TPM_ALG_SHA512: - *md = EVP_get_digestbyname("sha512"); - break; + case TPM_ALG_SHA512: + *str = "sha512"; + break; #endif - default: - rc = TSS_RC_BAD_HASH_ALGORITHM; - } + default: + *str = NULL; + rc = TSS_RC_BAD_HASH_ALGORITHM; + } + return rc; +} + +static TPM_RC TSS_Hash_GetMd(const EVP_MD **md, + TPMI_ALG_HASH hashAlg) +{ + TPM_RC rc = 0; + const char *str = NULL; + + if (rc == 0) { + rc = TSS_Hash_GetOsslString(&str, hashAlg); + } + if (rc == 0) { + *md = EVP_get_digestbyname(str); } return rc; } @@ -175,37 +191,84 @@ TPM_RC TSS_HMAC_Generate_valist(TPMT_HA *digest, /* largest size of a digest */ TPM_RC rc = 0; int irc = 0; int done = FALSE; - const EVP_MD *md; /* message digest method */ -#if OPENSSL_VERSION_NUMBER < 0x10100000 + uint8_t *buffer; /* segment to hash */ + int length; /* segment to hash */ +#if OPENSSL_VERSION_NUMBER < 0x10100000 HMAC_CTX ctx; + const EVP_MD *md = NULL; /* message digest method */ +#elif OPENSSL_VERSION_NUMBER < 0x30000000 + HMAC_CTX *ctx = NULL; + const EVP_MD *md = NULL; /* message digest method */ #else - HMAC_CTX *ctx; + EVP_MAC *mac = NULL; + EVP_MAC_CTX *ctx = NULL; + const char *algString = NULL; + OSSL_PARAM params[2]; + size_t outLength; #endif - int length; - uint8_t *buffer; - + + /* initialize the HMAC context */ #if OPENSSL_VERSION_NUMBER < 0x10100000 HMAC_CTX_init(&ctx); +#elif OPENSSL_VERSION_NUMBER < 0x30000000 + if (rc == 0) { + ctx = HMAC_CTX_new(); + if (ctx == NULL) { + if (tssVerbose) printf("TSS_Hash_Generate_valist: HMAC_CTX_new failed\n"); + rc = TSS_RC_OUT_OF_MEMORY; + } + } #else - ctx = HMAC_CTX_new(); + if (rc == 0) { + mac = EVP_MAC_fetch(NULL, "hmac", NULL); + if (mac == NULL) { + if (tssVerbose) printf("TSS_Hash_Generate_valist: EVP_MAC_new failed\n"); + rc = TSS_RC_OUT_OF_MEMORY; + } + } + if (rc == 0) { + ctx = EVP_MAC_CTX_new(mac); + if (ctx == NULL) { + if (tssVerbose) printf("TSS_Hash_Generate_valist: EVP_MAC_CTX_new failed\n"); + rc = TSS_RC_OUT_OF_MEMORY; + } + } #endif + + /* get the message digest */ +#if OPENSSL_VERSION_NUMBER < 0x30000000 if (rc == 0) { rc = TSS_Hash_GetMd(&md, digest->hashAlg); } +#else + /* map algorithm to string */ + if (rc == 0) { + rc = TSS_Hash_GetOsslString(&algString, digest->hashAlg); + } +#endif + + /* initialize the MAC context */ if (rc == 0) { #if OPENSSL_VERSION_NUMBER < 0x10100000 irc = HMAC_Init_ex(&ctx, hmacKey->b.buffer, hmacKey->b.size, /* HMAC key */ md, /* message digest method */ NULL); -#else +#elif OPENSSL_VERSION_NUMBER < 0x30000000 irc = HMAC_Init_ex(ctx, hmacKey->b.buffer, hmacKey->b.size, /* HMAC key */ md, /* message digest method */ NULL); +#else + params[0] = OSSL_PARAM_construct_utf8_string("digest", (char *)algString, 0); + params[1] = OSSL_PARAM_construct_end(); + irc = EVP_MAC_init(ctx, + hmacKey->b.buffer, hmacKey->b.size, /* HMAC key */ + params); /* message digest method */ #endif - - if (irc == 0) { + + if (irc != 1) { + if (tssVerbose) printf("TSS_HMAC_Generate: HMAC Init failed\n"); rc = TSS_RC_HMAC; } } @@ -220,11 +283,13 @@ TPM_RC TSS_HMAC_Generate_valist(TPMT_HA *digest, /* largest size of a digest */ else { #if OPENSSL_VERSION_NUMBER < 0x10100000 irc = HMAC_Update(&ctx, buffer, length); -#else +#elif OPENSSL_VERSION_NUMBER < 0x30000000 irc = HMAC_Update(ctx, buffer, length); +#else + irc = EVP_MAC_update(ctx, buffer, length); #endif - if (irc == 0) { - if (tssVerbose) printf("TSS_HMAC_Generate: HMAC_Update failed\n"); + if (irc != 1) { + if (tssVerbose) printf("TSS_HMAC_Generate: HMAC Update failed\n"); rc = TSS_RC_HMAC; } } @@ -237,18 +302,24 @@ TPM_RC TSS_HMAC_Generate_valist(TPMT_HA *digest, /* largest size of a digest */ if (rc == 0) { #if OPENSSL_VERSION_NUMBER < 0x10100000 irc = HMAC_Final(&ctx, (uint8_t *)&digest->digest, NULL); -#else +#elif OPENSSL_VERSION_NUMBER < 0x30000000 irc = HMAC_Final(ctx, (uint8_t *)&digest->digest, NULL); +#else + irc = EVP_MAC_final(ctx, (uint8_t *)&digest->digest, &outLength, sizeof(digest->digest)); #endif if (irc == 0) { + if (tssVerbose) printf("TSS_HMAC_Generate: HMAC Final failed\n"); rc = TSS_RC_HMAC; } } #if OPENSSL_VERSION_NUMBER < 0x10100000 HMAC_CTX_cleanup(&ctx); -#else +#elif OPENSSL_VERSION_NUMBER < 0x30000000 HMAC_CTX_free(ctx); -#endif +#else + EVP_MAC_CTX_free(ctx); + EVP_MAC_free(mac); + #endif return rc; } -- 2.38.0 ++++++ ibmtss-utils-Port-to-openssl-3.0.0-replaces-RSA-with-EVP_PK.patch ++++++ ++++ 1400 lines (skipped) ++++++ ibmtss-utils-Remove-unused-variables-from-certifyx509.patch ++++++ >From f335860d99fe11eec5599e1e53960ff1e75c0f82 Mon Sep 17 00:00:00 2001 From: Ken Goldman <kgold...@us.ibm.com> Date: Mon, 23 Aug 2021 17:30:56 -0400 Subject: utils: Remove unused variables from certifyx509 notBefore and notAfter are set driectly in the partialCertificate structure, and that is used to directly set the x509 structure. Signed-off-by: Ken Goldman <kgold...@us.ibm.com> diff --git a/utils/certifyx509.c b/utils/certifyx509.c index ed42ac0..44640aa 100644 --- a/utils/certifyx509.c +++ b/utils/certifyx509.c @@ -204,6 +204,7 @@ int main(int argc, char *argv[]) setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1"); + curveID = curveID; /* no longer used, get from parent */ /* command line argument defaults */ for (i=1 ; (i<argc) && (rc == 0) ; i++) { if (strcmp(argv[i],"-ho") == 0) { @@ -686,8 +687,6 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate, /* input / X509_NAME *x509SubjectName = NULL;/* composite subject name, key/value pairs */ size_t issuerEntriesSize = sizeof(issuerEntries)/sizeof(char *); size_t subjectEntriesSize = sizeof(subjectEntries)/sizeof(char *); - ASN1_TIME *notBefore = NULL; - ASN1_TIME *notAfter = NULL; uint8_t *tmpPartialDer = NULL; /* for the i2d */ /* add issuer */ @@ -717,8 +716,6 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate, /* input / } } if (rc == 0) { - /* can't fail, just returns a structure member */ - notBefore = X509_get_notBefore(x509Certificate); irc = X509_set1_notBefore(x509Certificate, partialCertificate->validity->notBefore); if (irc == 0) { printf("createPartialCertificate: Error setting notBefore time\n"); @@ -737,7 +734,6 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate, /* input / } } if (rc == 0) { - notAfter = X509_get_notAfter(x509Certificate); irc = X509_set1_notAfter(x509Certificate,partialCertificate->validity->notAfter); if (irc == 0) { printf("createPartialCertificate: Error setting notAfter time\n"); -- 2.38.0 ++++++ ibmtss-utils-Update-certifyx509-for-Openssl-3.0.0.patch ++++++ ++++ 1448 lines (skipped)