Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package ibmtss for openSUSE:Factory checked 
in at 2022-11-25 13:11:18
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ibmtss (Old)
 and      /work/SRC/openSUSE:Factory/.ibmtss.new.1597 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "ibmtss"

Fri Nov 25 13:11:18 2022 rev:20 rq:1037857 version:1.6.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/ibmtss/ibmtss.changes    2021-11-28 
21:30:11.542060163 +0100
+++ /work/SRC/openSUSE:Factory/.ibmtss.new.1597/ibmtss.changes  2022-11-25 
13:11:27.067777681 +0100
@@ -1,0 +2,13 @@
+Wed Nov  9 13:33:51 UTC 2022 - Pedro Monreal <pmonr...@suse.com>
+
+- Build with OpenSSL 3.0 deprecated functions until fixed upstream
+in the next version update [bsc#1205042]
+  * ibmtss-openssl3-deprecation.patch
+- Add upstream patches to fix build with OpenSSL 3.0
+  * ibmtss-regtests-Update-openssl-key-generation-for-3.0.0.patch
+  * ibmtss-utils-Update-certifyx509-for-Openssl-3.0.0.patch
+  * ibmtss-utils-Remove-unused-variables-from-certifyx509.patch
+  * ibmtss-tss-Port-HMAC-operations-to-openssl-3.0.patch
+  * ibmtss-utils-Port-to-openssl-3.0.0-replaces-RSA-with-EVP_PK.patch
+
+-------------------------------------------------------------------

New:
----
  ibmtss-openssl3-deprecation.patch
  ibmtss-regtests-Update-openssl-key-generation-for-3.0.0.patch
  ibmtss-tss-Port-HMAC-operations-to-openssl-3.0.patch
  ibmtss-utils-Port-to-openssl-3.0.0-replaces-RSA-with-EVP_PK.patch
  ibmtss-utils-Remove-unused-variables-from-certifyx509.patch
  ibmtss-utils-Update-certifyx509-for-Openssl-3.0.0.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ ibmtss.spec ++++++
--- /var/tmp/diff_new_pack.zelhD8/_old  2022-11-25 13:11:27.851782060 +0100
+++ /var/tmp/diff_new_pack.zelhD8/_new  2022-11-25 13:11:27.859782105 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package ibmtss
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -32,6 +32,12 @@
 Source:         
https://sourceforge.net/projects/ibmtpm20tss/files/ibmtss%{version}.tar.gz
 Source1:        90-tpm-ibmtss.rules
 Patch1:         
ibmtss-configure.ac-Do-not-disable-optimization-for-debug-b.patch
+Patch2:         ibmtss-regtests-Update-openssl-key-generation-for-3.0.0.patch
+Patch3:         ibmtss-utils-Update-certifyx509-for-Openssl-3.0.0.patch
+Patch4:         ibmtss-utils-Remove-unused-variables-from-certifyx509.patch
+Patch5:         ibmtss-tss-Port-HMAC-operations-to-openssl-3.0.patch
+Patch6:         
ibmtss-utils-Port-to-openssl-3.0.0-replaces-RSA-with-EVP_PK.patch
+Patch7:         ibmtss-openssl3-deprecation.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  ibmswtpm2

++++++ ibmtss-openssl3-deprecation.patch ++++++
Index: ibmtss-1.6.0/build.sh
===================================================================
--- ibmtss-1.6.0.orig/build.sh
+++ ibmtss-1.6.0/build.sh
@@ -13,7 +13,7 @@ cleanup() {
 }
 
 CC="${CC:-gcc}"
-CFLAGS="${CFLAGS:--Wformat -Werror=format-security 
-Werror=implicit-function-declaration -Werror=return-type -fno-common}"
+CFLAGS="${CFLAGS:--Wformat -Werror=format-security 
-Werror=implicit-function-declaration -Werror=return-type -fno-common 
-Wno-error=deprecated-declarations}"
 PREFIX="${PREFIX:-$HOME/tpm2}"
 
 export 
LD_LIBRARY_PATH="$PREFIX/lib64:$PREFIX/lib:/usr/local/lib64:/usr/local/lib"
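Review bot: The `-Wno-error=deprecated-declarations` added to the default CFLAGS carries no comment saying why it is there or when it can be removed, both here and in the configure.ac hunk that follows. In build.sh the flag sits inside the `${CFLAGS:-...}` default, so it is dropped whenever the caller sets CFLAGS, while configure.ac appends it unconditionally on linux; the two build paths can therefore behave differently. I would put `# OpenSSL 3.0: deprecated APIs still in use, remove once upstream is ported (bsc#1205042)` above the CFLAGS line so the suppression does not outlive the port.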
Index: ibmtss-1.6.0/configure.ac
===================================================================
--- ibmtss-1.6.0.orig/configure.ac
+++ ibmtss-1.6.0/configure.ac
@@ -71,7 +71,7 @@ AC_ARG_ENABLE(debug,
 
 # Linux requires -DTPM_POSIX
 case $host_os in
-       linux-*)        CFLAGS="-DTPM_POSIX $CFLAGS" ;;
+       linux-*)        CFLAGS="-DTPM_POSIX $CFLAGS 
-Wno-error=deprecated-declarations" ;;
 esac
 
 AC_ARG_ENABLE(tpm-2.0,

++++++ ibmtss-regtests-Update-openssl-key-generation-for-3.0.0.patch ++++++
>From f1c6b44f95392c156b235d42bccc8235ee24bb6f Mon Sep 17 00:00:00 2001
From: Ken Goldman <kgold...@us.ibm.com>
Date: Wed, 11 Aug 2021 18:22:41 -0400
Subject: regtests: Update openssl key generation for 3.0.0

OpenSSL 3.0.0 used a different pem and der key format.  Update the
command line calls.  Bypass the tests that use these functions for
mbedtls, which does not support the new format.

Signed-off-by: Ken Goldman <kgold...@us.ibm.com>

diff --git a/utils/regtests/testdup.sh b/utils/regtests/testdup.sh
index eeca02f..e849e44 100755
--- a/utils/regtests/testdup.sh
+++ b/utils/regtests/testdup.sh
@@ -7,7 +7,7 @@
 #                           Written by Ken Goldman                             
#
 #                     IBM Thomas J. Watson Research Center                     
#
 #                                                                              
#
-# (c) Copyright IBM Corporation 2015 - 2020                                    
#
+# (c) Copyright IBM Corporation 2015 - 2021                                    
#
 #                                                                              
#
 # All rights reserved.                                                         
#
 #                                                                              
#
@@ -215,7 +215,12 @@ echo ""
 
 if   [ ${CRYPTOLIBRARY} == "openssl" ]; then
     echo "generate the RSA signing key with openssl"
-    openssl genrsa -out tmpprivkey.pem -aes256 -passout pass:rrrr 2048 > 
run.out 2>&1
+
+    openssl genpkey -out tmpprivkey.pem -outform pem -aes-256-cbc -algorithm 
rsa -pkeyopt rsa_keygen_bits:2048 -pass pass:rrrr > run.out 2>&1
+
+# The following worked up to Openssl 3.0.0.  The key generation
+# remains here for when mbedtls is updated, but the tests are now
+# if'ed out
 
 elif [ ${CRYPTOLIBRARY} == "mbedtls" ]; then
     echo "Generate the RSA signing  key with openssl"
@@ -232,22 +237,24 @@ else
     exit 255
 fi
 
-echo "load the ECC storage key 80000001"
-${PREFIX}load -hp 80000000 -pwdp sto -ipr storeeccnistp256priv.bin -ipu 
storeeccnistp256pub.bin > run.out
-checkSuccess $?
+if   [ ${CRYPTOLIBRARY} == "openssl" ]; then
 
-echo "Start an HMAC auth session"
-${PREFIX}startauthsession -se h > run.out
-checkSuccess $?
+    echo "load the ECC storage key 80000001"
+    ${PREFIX}load -hp 80000000 -pwdp sto -ipr storeeccnistp256priv.bin -ipu 
storeeccnistp256pub.bin > run.out
+    checkSuccess $?
 
-for SESS in "" "-se0 02000000 1"
-do
-    for HALG in ${ITERATE_ALGS}
-    do
+    echo "Start an HMAC auth session"
+    ${PREFIX}startauthsession -se h > run.out
+    checkSuccess $?
 
-       for PARENT in 80000000 80000001
+    for SESS in "" "-se0 02000000 1"
+    do
+       for HALG in ${ITERATE_ALGS}
        do
 
+           for PARENT in 80000000 80000001
+           do
+
                echo "Import the signing key under the parent key ${PARENT} 
${HALG}"
                ${PREFIX}importpem -hp ${PARENT} -pwdp sto -ipem tmpprivkey.pem 
-pwdk rrrr -opu tmppub.bin -opr tmppriv.bin -halg ${HALG} > run.out
                checkSuccess $?
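Review bot: The new `if [ ${CRYPTOLIBRARY} == "openssl" ]` guard skips the whole PEM import block for any other library without printing anything, so an mbedtls run reports success with less coverage and the log does not show it. The same silent guard is added around the EC import block later in this file and around the PEM import and loadexternal blocks in testrsa.sh. An `else` branch such as `echo "Skipping PEM import tests for ${CRYPTOLIBRARY}"` before the closing `fi` would make the gap visible; that `fi` is in a later hunk, outside this one.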
@@ -268,9 +275,10 @@ do
                ${PREFIX}flushcontext -ha 80000002 > run.out
                checkSuccess $?
 
+           done
        done
     done
-done
+fi
 
 echo ""
 echo "Import PEM EC signing key under RSA and ECC storage key"
@@ -300,49 +308,53 @@ else
     exit 255
 fi
 
-for CURVE in "nistp256" "nistp384"
-do
-    
-    for SESS in "" "-se0 02000000 1"
+if   [ ${CRYPTOLIBRARY} == "openssl" ]; then
+
+    for CURVE in "nistp256" "nistp384"
     do
-       for HALG in ${ITERATE_ALGS}
-       do
 
-           for PARENT in 80000000 80000001
+       for SESS in "" "-se0 02000000 1"
+       do
+           for HALG in ${ITERATE_ALGS}
            do
 
-               echo "Import the ${CURVE} signing key under the parent key 
${PARENT} ${HALG}"
-               ${PREFIX}importpem -hp ${PARENT} -pwdp sto -ipem 
tmpec${CURVE}privkey.pem -ecc -pwdk rrrr -opu tmppub.bin -opr tmppriv.bin -halg 
${HALG} > run.out
-               checkSuccess $?
+               for PARENT in 80000000 80000001
+               do
 
-               echo "Load the TPM signing key"
-               ${PREFIX}load -hp ${PARENT} -pwdp sto -ipu tmppub.bin -ipr 
tmppriv.bin > run.out
-               checkSuccess $?
+                   echo "Import the ${CURVE} signing key under the parent key 
${PARENT} ${HALG}"
+                   ${PREFIX}importpem -hp ${PARENT} -pwdp sto -ipem 
tmpec${CURVE}privkey.pem -ecc -pwdk rrrr -opu tmppub.bin -opr tmppriv.bin -halg 
${HALG} > run.out
+                   checkSuccess $?
 
-               echo "Sign the message ${HALG} ${SESS}"
-               ${PREFIX}sign -hk 80000002 -salg ecc -pwdk rrrr -if 
policies/aaa -os tmpsig.bin -halg ${HALG} ${SESS} > run.out
-               checkSuccess $?
+                   echo "Load the TPM signing key"
+                   ${PREFIX}load -hp ${PARENT} -pwdp sto -ipu tmppub.bin -ipr 
tmppriv.bin > run.out
+                   checkSuccess $?
 
-               echo "Verify the signature ${HALG}"
-               ${PREFIX}verifysignature -hk 80000002 -ecc -if policies/aaa -is 
tmpsig.bin -halg ${HALG} > run.out
-               checkSuccess $?
+                   echo "Sign the message ${HALG} ${SESS}"
+                   ${PREFIX}sign -hk 80000002 -salg ecc -pwdk rrrr -if 
policies/aaa -os tmpsig.bin -halg ${HALG} ${SESS} > run.out
+                   checkSuccess $?
 
-               echo "Flush the signing key"
-               ${PREFIX}flushcontext -ha 80000002 > run.out
-               checkSuccess $?
+                   echo "Verify the signature ${HALG}"
+                   ${PREFIX}verifysignature -hk 80000002 -ecc -if policies/aaa 
-is tmpsig.bin -halg ${HALG} > run.out
+                   checkSuccess $?
 
+                   echo "Flush the signing key"
+                   ${PREFIX}flushcontext -ha 80000002 > run.out
+                   checkSuccess $?
+
+               done
            done
        done
     done
-done
 
-echo "Flush the ECC storage key"
-${PREFIX}flushcontext -ha 80000001 > run.out
-checkSuccess $?
+    echo "Flush the ECC storage key"
+    ${PREFIX}flushcontext -ha 80000001 > run.out
+    checkSuccess $?
 
-echo "Flush the auth session"
-${PREFIX}flushcontext -ha 02000000 > run.out
-checkSuccess $?
+    echo "Flush the auth session"
+    ${PREFIX}flushcontext -ha 02000000 > run.out
+    checkSuccess $?
+
+fi
 
 echo ""
 echo "Rewrap"
diff --git a/utils/regtests/testrsa.sh b/utils/regtests/testrsa.sh
index 4f76522..5ae0b29 100755
--- a/utils/regtests/testrsa.sh
+++ b/utils/regtests/testrsa.sh
@@ -7,7 +7,7 @@
 #                           Written by Ken Goldman                             
#
 #                     IBM Thomas J. Watson Research Center                     
#
 #                                                                              
#
-# (c) Copyright IBM Corporation 2015 - 2020                                    
#
+# (c) Copyright IBM Corporation 2015 - 2021                                    
#
 #                                                                              
#
 # All rights reserved.                                                         
#
 #                                                                              
#
@@ -59,20 +59,25 @@ if   [ ${CRYPTOLIBRARY} == "openssl" ]; then
     do
 
        echo "Generate the RSA $BITS encryption key with openssl"
-       openssl genrsa -out tmpkeypairrsa${BITS}.pem -aes256 -passout pass:rrrr 
${BITS} > run.out 2>&1
+       openssl genpkey -out tmpkeypairrsa${BITS}.pem -outform pem -aes-256-cbc 
-algorithm rsa -pkeyopt rsa_keygen_bits:${BITS} -pass pass:rrrr > run.out 2>&1
 
        echo "Convert key pair to plaintext DER format"
-       openssl rsa -inform pem -outform der -in tmpkeypairrsa${BITS}.pem -out 
tmpkeypairrsa${BITS}.der -passin pass:rrrr > run.out 2>&1
+       openssl pkey -inform pem -in tmpkeypairrsa${BITS}.pem -outform der -out 
tmpkeypairrsa${BITS}.der -passin pass:rrrr > run.out 2>&1
 
     done
 
+
+# The following worked up to Openssl 3.0.0.  The key generation
+# remains here for when mbedtls is updated, but the tests are now
+# if'ed out
+
 elif [ ${CRYPTOLIBRARY} == "mbedtls" ]; then
 
     for BITS in 2048 3072
     do
 
        echo "Generate the RSA $BITS encryption key with openssl"
-       openssl genrsa -out tmpkeypairrsaenc${BITS}.pem -aes256 -passout 
pass:rrrr ${BITS} > run.out 2>&1
+       openssl genrsa -out tmpkeypairrsaenc${BITS}.pem -outform pem 
-aes-256-cbc -algorithm rsa -pkeyopt rsa_keygen_bits:${BITS} -pass:rrrr > 
run.out 2>&1
 
        echo "Convert RSA $BITS key pair to plaintext DER format"
        openssl rsa -in tmpkeypairrsaenc${BITS}.pem -passin pass:rrrr -outform 
der -out tmpkeypairrsa${BITS}.der > run.out 2>&1
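Review bot: The rewritten mbedtls-branch command still invokes `openssl genrsa` but now passes `genpkey` options (`-algorithm`, `-pkeyopt`) and a malformed `-pass:rrrr`, so it looks like a half-finished conversion that the tool will most likely reject as an unknown option. Its output goes to run.out and the exit status is not checked within this hunk, so the failure would only surface at the following `openssl rsa` conversion or later. Either keep the previous `genrsa ... -aes256 -passout pass:rrrr ${BITS}` form for this branch, or finish the port with `openssl genpkey -out tmpkeypairrsaenc${BITS}.pem -outform pem -aes-256-cbc -algorithm rsa -pkeyopt rsa_keygen_bits:${BITS} -pass pass:rrrr > run.out 2>&1`. The comment added just above says the mbedtls key generation is kept as it was, which suggests the first option was intended.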
@@ -158,20 +163,22 @@ do
 
 done
 
-echo ""
-echo "Import PEM RSA encryption key"
-echo ""
+if   [ ${CRYPTOLIBRARY} == "openssl" ]; then
 
-echo "Start an HMAC auth session"
-${PREFIX}startauthsession -se h > run.out
-checkSuccess $?
+    echo ""
+    echo "Import PEM RSA encryption key"
+    echo ""
 
-for BITS in 2048 3072
-do
+    echo "Start an HMAC auth session"
+    ${PREFIX}startauthsession -se h > run.out
+    checkSuccess $?
 
-    for SESS in "" "-se0 02000000 1"
+    for BITS in 2048 3072
     do
 
+       for SESS in "" "-se0 02000000 1"
+       do
+
        echo "Import the $BITS encryption key under the primary key"
        ${PREFIX}importpem -hp 80000000 -den -pwdp sto -ipem 
tmpkeypairrsa${BITS}.pem -pwdk rrrr -opu tmppub.bin -opr tmppriv.bin > run.out
        checkSuccess $?
@@ -201,97 +208,98 @@ do
        ${PREFIX}flushcontext -ha 80000001 > run.out
        checkSuccess $?
 
+       done
+
     done
 
-done
+    echo "Flush the session"
+    ${PREFIX}flushcontext -ha 02000000 > run.out
+    checkSuccess $?
 
-echo "Flush the session"
-${PREFIX}flushcontext -ha 02000000 > run.out
-checkSuccess $?
+    echo ""
+    echo "Import PEM RSA encryption key userWithAuth test"
+    echo ""
 
-echo ""
-echo "Import PEM RSA encryption key userWithAuth test"
-echo ""
+    echo "Import the RSA 2048 encryption key under the primary key 80000000"
+    ${PREFIX}importpem -hp 80000000 -den -pwdp sto -ipem tmpkeypairrsa2048.pem 
-pwdk rrrr -opu tmppub.bin -opr tmppriv.bin > run.out
+    checkSuccess $?
 
-echo "Import the RSA 2048 encryption key under the primary key 80000000"
-${PREFIX}importpem -hp 80000000 -den -pwdp sto -ipem tmpkeypairrsa2048.pem 
-pwdk rrrr -opu tmppub.bin -opr tmppriv.bin > run.out
-checkSuccess $?
+    echo "Load the RSA 2048 encryption key 80000001"
+    ${PREFIX}load -hp 80000000 -pwdp sto -ipu tmppub.bin -ipr tmppriv.bin > 
run.out
+    checkSuccess $?
 
-echo "Load the RSA 2048 encryption key 80000001"
-${PREFIX}load -hp 80000000 -pwdp sto -ipu tmppub.bin -ipr tmppriv.bin > run.out
-checkSuccess $?
+    echo "RSA encrypt with the encryption key"
+    ${PREFIX}rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > run.out
+    checkSuccess $?
 
-echo "RSA encrypt with the encryption key"
-${PREFIX}rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > run.out
-checkSuccess $?
+    echo "RSA decrypt with the decryption key and password"
+    ${PREFIX}rsadecrypt -hk 80000001 -pwdk rrrr -ie enc.bin -od dec.bin > 
run.out
+    checkSuccess $?
 
-echo "RSA decrypt with the decryption key and password"
-${PREFIX}rsadecrypt -hk 80000001 -pwdk rrrr -ie enc.bin -od dec.bin > run.out
-checkSuccess $?
+    echo "Flush the encryption key"
+    ${PREFIX}flushcontext -ha 80000001 > run.out
+    checkSuccess $?
 
-echo "Flush the encryption key"
-${PREFIX}flushcontext -ha 80000001 > run.out
-checkSuccess $?
+    echo "Import the RSA 2048 encryption key under the primary key, 
userWithAuth false"
+    ${PREFIX}importpem -hp 80000000 -si -pwdp sto -ipem tmpkeypairrsa2048.pem 
-pwdk rrrr -uwa -opu tmppub.bin -opr tmppriv.bin > run.out
+    checkSuccess $?
 
-echo "Import the RSA 2048 encryption key under the primary key, userWithAuth 
false"
-${PREFIX}importpem -hp 80000000 -si -pwdp sto -ipem tmpkeypairrsa2048.pem 
-pwdk rrrr -uwa -opu tmppub.bin -opr tmppriv.bin > run.out
-checkSuccess $?
+    echo "Load the RSA 2048 encryption key"
+    ${PREFIX}load -hp 80000000 -pwdp sto -ipu tmppub.bin -ipr tmppriv.bin > 
run.out
+    checkSuccess $?
 
-echo "Load the RSA 2048 encryption key"
-${PREFIX}load -hp 80000000 -pwdp sto -ipu tmppub.bin -ipr tmppriv.bin > run.out
-checkSuccess $?
+    echo "RSA decrypt with the decryption key and password - should fail"
+    ${PREFIX}rsadecrypt -hk 80000001 -pwdk rrrr -ie enc.bin -od dec.bin > 
run.out
+    checkFailure $?
 
-echo "RSA decrypt with the decryption key and password - should fail"
-${PREFIX}rsadecrypt -hk 80000001 -pwdk rrrr -ie enc.bin -od dec.bin > run.out
-checkFailure $?
+    echo "Flush the encryption key"
+    ${PREFIX}flushcontext -ha 80000001 > run.out
+    checkSuccess $?
 
-echo "Flush the encryption key"
-${PREFIX}flushcontext -ha 80000001 > run.out
-checkSuccess $?
+    echo ""
+    echo "Loadexternal DER encryption key"
+    echo ""
 
+    for BITS in 2048 3072
+    do
 
-echo ""
-echo "Loadexternal DER encryption key"
-echo ""
+       echo "Start an HMAC auth session"
+       ${PREFIX}startauthsession -se h > run.out
+       checkSuccess $?
 
-for BITS in 2048 3072
-do
+       for SESS in "" "-se0 02000000 1"
+       do
 
-    echo "Start an HMAC auth session"
-    ${PREFIX}startauthsession -se h > run.out
-    checkSuccess $?
+           echo "Load the openssl key pair in the NULL hierarchy 80000001"
+           ${PREFIX}loadexternal -den -ider tmpkeypairrsa${BITS}.der -pwdk 
rrrr > run.out
+           checkSuccess $?
 
-    for SESS in "" "-se0 02000000 1"
-    do
+           echo "RSA encrypt with the encryption key"
+           ${PREFIX}rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > 
run.out
+           checkSuccess $?
 
-       echo "Load the openssl key pair in the NULL hierarchy 80000001"
-       ${PREFIX}loadexternal -den -ider tmpkeypairrsa${BITS}.der -pwdk rrrr > 
run.out
-       checkSuccess $?
+           echo "RSA decrypt with the decryption key ${SESS}"
+           ${PREFIX}rsadecrypt -hk 80000001 -pwdk rrrr -ie enc.bin -od dec.bin 
${SESS} > run.out
+           checkSuccess $?
 
-       echo "RSA encrypt with the encryption key"
-       ${PREFIX}rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > run.out
-       checkSuccess $?
+           echo "Verify the decrypt result"
+           tail -c 3 dec.bin > tmp.bin
+           diff policies/aaa tmp.bin > run.out
+           checkSuccess $?
 
-       echo "RSA decrypt with the decryption key ${SESS}"
-       ${PREFIX}rsadecrypt -hk 80000001 -pwdk rrrr -ie enc.bin -od dec.bin 
${SESS} > run.out
-       checkSuccess $?
+           echo "Flush the encryption key"
+           ${PREFIX}flushcontext -ha 80000001 > run.out
+           checkSuccess $?
 
-       echo "Verify the decrypt result"
-       tail -c 3 dec.bin > tmp.bin
-       diff policies/aaa tmp.bin > run.out
-       checkSuccess $?
+    done
 
-       echo "Flush the encryption key"
-       ${PREFIX}flushcontext -ha 80000001 > run.out
+       echo "Flush the session"
+       ${PREFIX}flushcontext -ha 02000000 > run.out
        checkSuccess $?
 
     done
 
-    echo "Flush the session"
-    ${PREFIX}flushcontext -ha 02000000 > run.out
-    checkSuccess $?
-
-done
+fi
 
 echo ""
 echo "Encrypt with OpenSSL OAEP, decrypt with TPM"
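Review bot: In the re-indented "Loadexternal DER encryption key" block the `done` that closes the inner `for SESS` loop is indented at the level of the outer `for BITS` loop, and the "Flush the session" commands after it are indented as if they were still inside the inner loop. The nesting itself is correct, but the layout suggests the session is flushed once per SESS iteration when it is flushed once per BITS iteration. I would indent that `done` to match its `for SESS` and pull the three flush lines back to the `for BITS` body level.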
diff --git a/utils/regtests/testsalt.sh b/utils/regtests/testsalt.sh
index 1bdc1a7..e0c3376 100755
--- a/utils/regtests/testsalt.sh
+++ b/utils/regtests/testsalt.sh
@@ -91,16 +91,17 @@ echo ""
 echo "Salt Session - Load External"
 echo ""
 
-echo "Create RSA and ECC key pairs in PEM format using openssl"
+echo "Create RSA key pair in DER format using openssl"
   
-openssl genrsa -out tmpkeypairrsa.pem -aes256 -passout pass:rrrr 2048 > 
run.out 2>&1
-openssl ecparam -name prime256v1 -genkey -noout -out tmpkeypairecc.pem > 
run.out 2>&1
+openssl genpkey -out tmpkeypairrsa.der -outform der -aes-256-cbc -algorithm 
rsa -pkeyopt rsa_keygen_bits:2048 -pass pass:rrrr > run.out 2>&1
 
+echo "Create ECC key pair in PEM format using openssl"
 echo "Convert key pair to plaintext DER format"
 
-openssl rsa -inform pem -outform der -in tmpkeypairrsa.pem -out 
tmpkeypairrsa.der -passin pass:rrrr > run.out 2>&1
+openssl ecparam -name prime256v1 -genkey -noout -out tmpkeypairecc.pem > 
run.out 2>&1
 openssl ec -inform pem -outform der -in tmpkeypairecc.pem -out 
tmpkeypairecc.der -passin pass:rrrr > run.out 2>&1
 
+
 for HALG in ${ITERATE_ALGS}
 do
 
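Review bot: The messages `Create ECC key pair in PEM format using openssl` and `Convert key pair to plaintext DER format` are now printed back to back before either command runs, so the log no longer lines up with the `openssl ecparam` and `openssl ec` calls; the second echo belongs between the two commands. Separately, the new `genpkey -outform der` line keeps `-aes-256-cbc -pass pass:rrrr`; as far as I know genpkey applies the cipher only to PEM output, so these options are probably ignored and the DER file is written unencrypted, matching what the old `openssl rsa` conversion produced. If that is the intent, dropping the two options here and in the testsign.sh hunk would avoid suggesting the key file is protected.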
diff --git a/utils/regtests/testsign.sh b/utils/regtests/testsign.sh
index edfa014..3002ceb 100755
--- a/utils/regtests/testsign.sh
+++ b/utils/regtests/testsign.sh
@@ -47,11 +47,9 @@ echo ""
 for BITS in 2048 3072
 do
 
-    echo "Create an RSA $BITS key pair in PEM format using openssl"
-    openssl genrsa -out tmpkeypairrsa${BITS}.pem -aes256 -passout pass:rrrr 
2048 > run.out 2>&1
+    echo "Create an RSA $BITS key pair in DER format using openssl"
 
-    echo "Convert RSA $BITS key pair to plaintext DER format"
-    openssl rsa -inform pem -outform der -in tmpkeypairrsa${BITS}.pem -out 
tmpkeypairrsa${BITS}.der -passin pass:rrrr > run.out 2>&1
+    openssl genpkey -out tmpkeypairrsa${BITS}.der -outform der -aes-256-cbc 
-algorithm rsa -pkeyopt rsa_keygen_bits:${BITS} -pass pass:rrrr > run.out 2>&1
 
     echo "Load the RSA $BITS signing key under the primary key"
     ${PREFIX}load -hp 80000000 -ipr signrsa${BITS}priv.bin -ipu 
signrsa${BITS}pub.bin -pwdp sto > run.out
-- 
2.38.0


++++++ ibmtss-tss-Port-HMAC-operations-to-openssl-3.0.patch ++++++
>From 6e22032d637ea8c28cf84efa837a22909873466a Mon Sep 17 00:00:00 2001
From: Ken Goldman <kg...@linux.ibm.com>
Date: Fri, 10 Sep 2021 16:33:10 -0400
Subject: tss: Port HMAC operations to openssl 3.0

Replace the deprecated APIs.

Signed-off-by: Ken Goldman <kg...@linux.ibm.com>

diff --git a/utils/tsscrypto.c b/utils/tsscrypto.c
index 35f0ed3..c2ce01a 100644
--- a/utils/tsscrypto.c
+++ b/utils/tsscrypto.c
@@ -79,6 +79,7 @@ extern int tssVerbose;
 
 /* local prototypes */
 
+static TPM_RC TSS_Hash_GetOsslString(const char **str, TPMI_ALG_HASH hashAlg);
 static TPM_RC TSS_Hash_GetMd(const EVP_MD **md,
                             TPMI_ALG_HASH hashAlg);
 
@@ -129,36 +130,51 @@ TPM_RC TSS_Crypto_Init(void)
   Digests
 */
 
-static TPM_RC TSS_Hash_GetMd(const EVP_MD **md,
-                            TPMI_ALG_HASH hashAlg)
+/* TSS_Hash_GetString() maps from the TCG hash algorithm to the OpenSSL string 
*/
+
+static TPM_RC TSS_Hash_GetOsslString(const char **str, TPMI_ALG_HASH hashAlg)
 {
-    TPM_RC             rc = 0;
+    TPM_RC     rc = 0;
 
-    if (rc == 0) {
-       switch (hashAlg) {
+    switch (hashAlg) {
 #ifdef TPM_ALG_SHA1
-         case TPM_ALG_SHA1:
-           *md = EVP_get_digestbyname("sha1");
-           break;
+      case TPM_ALG_SHA1:
+       *str = "sha1";
+       break;
 #endif
-#ifdef TPM_ALG_SHA256  
-         case TPM_ALG_SHA256:
-           *md = EVP_get_digestbyname("sha256");
-           break;
+#ifdef TPM_ALG_SHA256
+      case TPM_ALG_SHA256:
+       *str = "sha256";
+       break;
 #endif
 #ifdef TPM_ALG_SHA384
-         case  TPM_ALG_SHA384:
-           *md = EVP_get_digestbyname("sha384");
-           break;
+      case TPM_ALG_SHA384:
+       *str = "sha384";
+       break;
 #endif
 #ifdef TPM_ALG_SHA512
-         case  TPM_ALG_SHA512:
-           *md = EVP_get_digestbyname("sha512");
-           break;
+      case TPM_ALG_SHA512:
+       *str = "sha512";
+       break;
 #endif
-         default:
-           rc = TSS_RC_BAD_HASH_ALGORITHM;
-       }
+      default:
+       *str = NULL;
+       rc = TSS_RC_BAD_HASH_ALGORITHM;
+    }
+    return rc;
+}
+
+static TPM_RC TSS_Hash_GetMd(const EVP_MD **md,
+                            TPMI_ALG_HASH hashAlg)
+{
+    TPM_RC             rc = 0;
+    const char                 *str = NULL; 
+
+    if (rc == 0) {
+       rc =  TSS_Hash_GetOsslString(&str, hashAlg);
+    }
+    if (rc == 0) {
+       *md = EVP_get_digestbyname(str);
     }
     return rc;
 }
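Review bot: `TSS_Hash_GetMd()` stores the result of `EVP_get_digestbyname(str)` without checking it, so a digest name the library cannot resolve leaves `*md` NULL while `rc` stays 0 and the caller proceeds with it. Adding `if (*md == NULL) rc = TSS_RC_BAD_HASH_ALGORITHM;` after the lookup reports the failure where it happens. The header comment above the new helper also calls it `TSS_Hash_GetString()` while the function is named `TSS_Hash_GetOsslString()`.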
@@ -175,37 +191,84 @@ TPM_RC TSS_HMAC_Generate_valist(TPMT_HA *digest,          
/* largest size of a digest */
     TPM_RC             rc = 0;
     int                irc = 0;
     int                        done = FALSE;
-    const EVP_MD       *md;    /* message digest method */
-#if OPENSSL_VERSION_NUMBER < 0x10100000
+    uint8_t            *buffer;        /* segment to hash */
+    int                        length;         /* segment to hash */
+#if OPENSSL_VERSION_NUMBER < 0x10100000        
     HMAC_CTX           ctx;
+    const EVP_MD       *md = NULL;     /* message digest method */
+#elif OPENSSL_VERSION_NUMBER < 0x30000000
+    HMAC_CTX           *ctx = NULL;
+    const EVP_MD       *md = NULL;     /* message digest method */
 #else
-    HMAC_CTX           *ctx;
+    EVP_MAC            *mac = NULL;
+    EVP_MAC_CTX        *ctx = NULL;
+    const char                 *algString = NULL;
+    OSSL_PARAM                 params[2];
+    size_t             outLength;
 #endif
-    int                        length;
-    uint8_t            *buffer;
-    
+
+    /* initialize the HMAC context */
 #if OPENSSL_VERSION_NUMBER < 0x10100000
     HMAC_CTX_init(&ctx);
+#elif OPENSSL_VERSION_NUMBER < 0x30000000
+    if (rc == 0) {
+       ctx = HMAC_CTX_new();
+       if (ctx == NULL) {
+           if (tssVerbose) printf("TSS_Hash_Generate_valist: HMAC_CTX_new 
failed\n");
+           rc = TSS_RC_OUT_OF_MEMORY;
+       }
+    }
 #else
-    ctx = HMAC_CTX_new();
+    if (rc == 0) {
+       mac = EVP_MAC_fetch(NULL, "hmac", NULL);
+       if (mac == NULL) {
+           if (tssVerbose) printf("TSS_Hash_Generate_valist: EVP_MAC_new 
failed\n");
+           rc = TSS_RC_OUT_OF_MEMORY;
+       }
+    }
+    if (rc == 0) {
+       ctx = EVP_MAC_CTX_new(mac);
+       if (ctx == NULL) {
+           if (tssVerbose) printf("TSS_Hash_Generate_valist: EVP_MAC_CTX_new 
failed\n");
+           rc = TSS_RC_OUT_OF_MEMORY;
+       }
+    }
 #endif
+
+    /* get the message digest */
+#if OPENSSL_VERSION_NUMBER < 0x30000000
     if (rc == 0) {
        rc = TSS_Hash_GetMd(&md, digest->hashAlg);
     }
+#else
+    /* map algorithm to string */
+    if (rc == 0) {
+       rc =  TSS_Hash_GetOsslString(&algString, digest->hashAlg);
+    }
+#endif
+
+    /* initialize the MAC context */
     if (rc == 0) {
 #if OPENSSL_VERSION_NUMBER < 0x10100000
        irc = HMAC_Init_ex(&ctx,
                           hmacKey->b.buffer, hmacKey->b.size,  /* HMAC key */
                           md,                                  /* message 
digest method */
                           NULL);
-#else
+#elif OPENSSL_VERSION_NUMBER < 0x30000000
        irc = HMAC_Init_ex(ctx,
                           hmacKey->b.buffer, hmacKey->b.size,  /* HMAC key */
                           md,                                  /* message 
digest method */
                           NULL);
+#else
+       params[0] = OSSL_PARAM_construct_utf8_string("digest", (char 
*)algString, 0);
+       params[1] = OSSL_PARAM_construct_end();
+       irc = EVP_MAC_init(ctx,
+                          hmacKey->b.buffer, hmacKey->b.size,  /* HMAC key */
+                          params);                             /* message 
digest method */
 #endif
-       
-       if (irc == 0) {
+
+       if (irc != 1) {
+           if (tssVerbose) printf("TSS_HMAC_Generate: HMAC Init failed\n");
            rc = TSS_RC_HMAC;
        }
     }
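Review bot: The new failure messages in the context setup name the wrong function and call: they print `TSS_Hash_Generate_valist` although this is `TSS_HMAC_Generate_valist`, and the `EVP_MAC_fetch()` failure is reported as `EVP_MAC_new failed`. That fetch failure is also mapped to `TSS_RC_OUT_OF_MEMORY`, although a fetch can presumably fail because no loaded provider offers HMAC; `TSS_RC_HMAC`, which the init failure below already uses, would mislead less when diagnosing a provider problem. Suggested message: `printf("TSS_HMAC_Generate_valist: EVP_MAC_fetch failed\n");`. The function body starts before and continues after this hunk.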
@@ -220,11 +283,13 @@ TPM_RC TSS_HMAC_Generate_valist(TPMT_HA *digest,          
/* largest size of a digest */
            else {
 #if OPENSSL_VERSION_NUMBER < 0x10100000
                irc = HMAC_Update(&ctx, buffer, length);
-#else
+#elif OPENSSL_VERSION_NUMBER < 0x30000000
                irc = HMAC_Update(ctx, buffer, length);
+#else
+               irc = EVP_MAC_update(ctx, buffer, length);
 #endif
-               if (irc == 0) {
-                   if (tssVerbose) printf("TSS_HMAC_Generate: HMAC_Update 
failed\n");
+               if (irc != 1) {
+                   if (tssVerbose) printf("TSS_HMAC_Generate: HMAC Update 
failed\n");
                    rc = TSS_RC_HMAC;
                }
            }
@@ -237,18 +302,24 @@ TPM_RC TSS_HMAC_Generate_valist(TPMT_HA *digest,          
/* largest size of a digest */
     if (rc == 0) {
 #if OPENSSL_VERSION_NUMBER < 0x10100000
        irc = HMAC_Final(&ctx, (uint8_t *)&digest->digest, NULL);
-#else
+#elif OPENSSL_VERSION_NUMBER < 0x30000000
        irc = HMAC_Final(ctx, (uint8_t *)&digest->digest, NULL);
+#else
+       irc = EVP_MAC_final(ctx, (uint8_t *)&digest->digest,  &outLength, 
sizeof(digest->digest));
 #endif
        if (irc == 0) {
+           if (tssVerbose) printf("TSS_HMAC_Generate: HMAC Final failed\n");
            rc = TSS_RC_HMAC;
        }
     }
 #if OPENSSL_VERSION_NUMBER < 0x10100000
     HMAC_CTX_cleanup(&ctx);
-#else
+#elif OPENSSL_VERSION_NUMBER < 0x30000000
     HMAC_CTX_free(ctx);
-#endif
+#else
+    EVP_MAC_CTX_free(ctx);
+    EVP_MAC_free(mac);
+ #endif
     return rc;
 }
 
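Review bot: The final step still tests `if (irc == 0)` while the init and update steps were changed in this commit to `if (irc != 1)`; using `if (irc != 1)` here too makes all three steps treat anything other than 1 as failure. On the 3.0 path `outLength` returned by `EVP_MAC_final()` is never read, so a result shorter than the digest size expected for `digest->hashAlg` would go unnoticed; a comparison after the call would catch it. The added `#endif` at the end of the function has a stray leading space.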
-- 
2.38.0


++++++ ibmtss-utils-Port-to-openssl-3.0.0-replaces-RSA-with-EVP_PK.patch ++++++
++++ 1400 lines (skipped)

++++++ ibmtss-utils-Remove-unused-variables-from-certifyx509.patch ++++++
>From f335860d99fe11eec5599e1e53960ff1e75c0f82 Mon Sep 17 00:00:00 2001
From: Ken Goldman <kgold...@us.ibm.com>
Date: Mon, 23 Aug 2021 17:30:56 -0400
Subject: utils: Remove unused variables from certifyx509

notBefore and notAfter are set directly in the partialCertificate
structure, and that is used to directly set the x509 structure.

Signed-off-by: Ken Goldman <kgold...@us.ibm.com>

diff --git a/utils/certifyx509.c b/utils/certifyx509.c
index ed42ac0..44640aa 100644
--- a/utils/certifyx509.c
+++ b/utils/certifyx509.c
@@ -204,6 +204,7 @@ int main(int argc, char *argv[])
     setvbuf(stdout, 0, _IONBF, 0);      /* output may be going through pipe to 
log file */
     TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
 
+    curveID = curveID;         /* no longer used, get from parent */
     /* command line argument defaults */
     for (i=1 ; (i<argc) && (rc == 0) ; i++) {
        if (strcmp(argv[i],"-ho") == 0) {
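Review bot: `curveID = curveID;` is a self-assignment used to silence an unused-variable warning, which some compilers flag in turn (clang's `-Wself-assign`) and which reads the variable before any initialization visible in this hunk. `(void)curveID;` states the same intent without the read and write, or the variable and its option parsing can be removed if it is really no longer used. The declaration of `curveID` and the rest of `main` are outside this hunk, so whether it is initialized at declaration cannot be confirmed from here.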
@@ -686,8 +687,6 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT 
*partialCertificate,       /* input /
     X509_NAME  *x509SubjectName = NULL;/* composite subject name, key/value 
pairs */
     size_t     issuerEntriesSize = sizeof(issuerEntries)/sizeof(char *);
     size_t     subjectEntriesSize = sizeof(subjectEntries)/sizeof(char *);
-    ASN1_TIME  *notBefore = NULL;
-    ASN1_TIME  *notAfter = NULL;
     uint8_t    *tmpPartialDer = NULL;  /* for the i2d */
 
     /* add issuer */
@@ -717,8 +716,6 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT 
*partialCertificate,       /* input /
        }
     }
     if (rc == 0) {
-       /* can't fail, just returns a structure member */
-       notBefore = X509_get_notBefore(x509Certificate);
        irc = X509_set1_notBefore(x509Certificate, 
partialCertificate->validity->notBefore);
        if (irc == 0) {
            printf("createPartialCertificate: Error setting notBefore time\n");
@@ -737,7 +734,6 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT 
*partialCertificate,       /* input /
        }
     }
     if (rc == 0) {
-       notAfter = X509_get_notAfter(x509Certificate);
        irc = 
X509_set1_notAfter(x509Certificate,partialCertificate->validity->notAfter);
        if (irc == 0) {
            printf("createPartialCertificate: Error setting notAfter time\n");
-- 
2.38.0


++++++ ibmtss-utils-Update-certifyx509-for-Openssl-3.0.0.patch ++++++
++++ 1448 lines (skipped)
