Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package tpm2-pkcs11 for openSUSE:Factory
checked in at 2023-03-14 18:17:53
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/tpm2-pkcs11 (Old)
and /work/SRC/openSUSE:Factory/.tpm2-pkcs11.new.31432 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tpm2-pkcs11"
Tue Mar 14 18:17:53 2023 rev:5 rq:1071796 version:1.9.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/tpm2-pkcs11/tpm2-pkcs11.changes 2022-07-15
13:52:53.499571440 +0200
+++ /work/SRC/openSUSE:Factory/.tpm2-pkcs11.new.31432/tpm2-pkcs11.changes
2023-03-14 18:17:57.692154141 +0100
@@ -1,0 +2,26 @@
+Thu Feb 16 15:21:43 UTC 2023 - Alberto Planas Dominguez <apla...@suse.com>
+
+- Update to 1.9.0
+ + Fixed
+ * Fix autoconf invocation on a release tarball not being a git
+ repo for VERSION. VERSION file now generated and packaged as
+ part of the release tarball from the git version information.
+ * Fix TPM2_PKCS11_OWNER_AUTH not being used when a persistent SRK
+ is needed in the C_InitToken path.
+ * During an upgrade of the database to version 4, the config key
+ 'persistent' is added instead of 'transient', causing KeyError
+ when using the upgraded database.
+ * Leave the original db on upgrade failure, a bug caused the
+ original db to be unlinked not the upgraded db.
+ * A bug prevented the use of CreateLoaded if the TPM supports the
+ command.
+ * A bug when creating keys through the PKCS11 interface (not
+ tpm2-ptool), the attributes for CKA_ALLOWED_MECHANISMS were
+ encoded as a hex string and not a sequence of ints within the
+ YAML. Correcting this will trigger a db upgrade to 8
+ + Added
+ * Env varibale PKCS11_SQL_LOCK to allow setting a lock directory,
+ eg for temprary directory so lock files do not persist across
+ reboots.
+
+-------------------------------------------------------------------
Old:
----
tpm2-pkcs11-1.8.0.tar.gz
tpm2-pkcs11-1.8.0.tar.gz.asc
New:
----
tpm2-pkcs11-1.9.0.tar.gz
tpm2-pkcs11-1.9.0.tar.gz.asc
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ tpm2-pkcs11.spec ++++++
--- /var/tmp/diff_new_pack.xPNGTy/_old 2023-03-14 18:17:58.304157412 +0100
+++ /var/tmp/diff_new_pack.xPNGTy/_new 2023-03-14 18:17:58.308157434 +0100
@@ -1,7 +1,7 @@
#
# spec file for package tpm2-pkcs11
#
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -19,7 +19,7 @@
%define so_ver 0
%define pythons python3
Name: tpm2-pkcs11
-Version: 1.8.0
+Version: 1.9.0
Release: 0
Summary: A PKCS#11 interface for TPM2 hardware
License: BSD-2-Clause
++++++ tpm2-pkcs11-1.8.0.tar.gz -> tpm2-pkcs11-1.9.0.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/tpm2-pkcs11-1.8.0/AUTHORS
new/tpm2-pkcs11-1.9.0/AUTHORS
--- old/tpm2-pkcs11-1.8.0/AUTHORS 2022-03-21 14:10:42.000000000 +0100
+++ new/tpm2-pkcs11-1.9.0/AUTHORS 2023-01-31 16:06:56.000000000 +0100
@@ -9,6 +9,7 @@
Johannes Holland <johannes.holl...@infineon.com>
Peter Huewe <peterhu...@gmx.de>
Imran Desai <imran.de...@intel.com>
+Vincent JARDIN <vjar...@free.fr>
malikabhi05 <abhishek.ma...@intel.com>
Tadeusz Struk <tadeusz.st...@intel.com>
Matthew Dempsky <matt...@dempsky.org>
@@ -18,6 +19,7 @@
Alvin Chen <sonoma...@gmail.com>
Tilman Keskinöz <arved+git...@arved.at>
Thomas Calderon <tcalde...@cloudflare.com>
+Å tÄpán HoráÄek <shora...@redhat.com>
Nicolas Oliver <nicolasolive...@gmail.com>
Joshua Lock <joshua.g.l...@intel.com>
å¼ äº <zhan...@uniontech.com>
@@ -26,6 +28,7 @@
SZ Lin (æä¸æº) <sz...@debian.org>
Robby Cornelissen <ro...@isr.co.jp>
Philip Fyvie <philip.fy...@mujin.co.jp>
+Nick Bedbury <ni...@twisthink.com>
Mitchell <mitch...@hotmail.com>
Khushboo Bindlish <khushboo.bindl...@gmail.com>
Jay Chetty <jay.che...@intel.com>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/tpm2-pkcs11-1.8.0/Makefile-fuzz.am
new/tpm2-pkcs11-1.9.0/Makefile-fuzz.am
--- old/tpm2-pkcs11-1.8.0/Makefile-fuzz.am 2021-09-29 19:04:30.000000000
+0200
+++ new/tpm2-pkcs11-1.9.0/Makefile-fuzz.am 2023-01-20 16:32:09.000000000
+0100
@@ -55,6 +55,11 @@
test_fuzz_set_pin_fuzz_LDADD = $(libtpm2_test_pkcs11) $(AM_LDFLAGS)
$(CMOCKA_LIBS)
test_fuzz_set_pin_fuzz_SOURCES = test/fuzz/set-pin.fuzz.c
+test_fuzz_db_take_lock_fuzz_CFLAGS = $(AM_CFLAGS) $(FUZZING_CFLAGS)
$(CMOCKA_CFLAGS) -I$(srcdir)/test/fake-tpm
+test_fuzz_db_take_lock_fuzz_LDADD = $(libtpm2_test_pkcs11) $(AM_LDFLAGS)
$(CMOCKA_LIBS)
+test_fuzz_db_take_lock_fuzz_SOURCES = test/fuzz/db-take-lock.fuzz.c
+
+
AM_FUZZ32_LOG_FLAGS=$(FUZZING_FLAGS) -max_len=32
FUZZ32_LOG_COMPILER=$(FUZZ_RUNNER)
@@ -73,6 +78,7 @@
test/fuzz/init-token-sopin.fuzz \
test/fuzz/init-pin.fuzz \
test/fuzz/set-pin.fuzz \
+ test/fuzz/db-take-lock.fuzz \
test/fuzz/db-token-label.fuzz32 \
test/fuzz/init-token-label.fuzz32 \
test/fuzz/utils-ctx-unwrap-objauth.fuzz
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/tpm2-pkcs11-1.8.0/Makefile.am
new/tpm2-pkcs11-1.9.0/Makefile.am
--- old/tpm2-pkcs11-1.8.0/Makefile.am 2022-03-21 14:07:16.000000000 +0100
+++ new/tpm2-pkcs11-1.9.0/Makefile.am 2023-01-20 16:32:09.000000000 +0100
@@ -32,7 +32,8 @@
docs \
test/integration/scripts \
misc/p11-kit \
- tools
+ tools \
+ VERSION
# Generate the AUTHORS file from git log
AUTHORS :
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/tpm2-pkcs11-1.8.0/Makefile.in
new/tpm2-pkcs11-1.9.0/Makefile.in
--- old/tpm2-pkcs11-1.8.0/Makefile.in 2022-03-21 14:10:36.000000000 +0100
+++ new/tpm2-pkcs11-1.9.0/Makefile.in 2023-01-31 16:06:46.000000000 +0100
@@ -17,7 +17,7 @@
# SPDX-License-Identifier: BSD-2-Clause
# aminclude_static.am generated automatically by Autoconf
-# from AX_AM_MACROS_STATIC on Mon Mar 21 08:10:36 CDT 2022
+# from AX_AM_MACROS_STATIC on Tue Jan 31 09:06:45 CST 2023
# SPDX-License-Identifier: BSD-2-Clause
@@ -139,6 +139,7 @@
@FUZZING_TRUE@ test/fuzz/init-token-sopin.fuzz$(EXEEXT) \
@FUZZING_TRUE@ test/fuzz/init-pin.fuzz$(EXEEXT) \
@FUZZING_TRUE@ test/fuzz/set-pin.fuzz$(EXEEXT) \
+@FUZZING_TRUE@ test/fuzz/db-take-lock.fuzz$(EXEEXT) \
@FUZZING_TRUE@ test/fuzz/db-token-label.fuzz32$(EXEEXT) \
@FUZZING_TRUE@ test/fuzz/init-token-label.fuzz32$(EXEEXT) \
@FUZZING_TRUE@ test/fuzz/utils-ctx-unwrap-objauth.fuzz$(EXEEXT)
@@ -205,6 +206,7 @@
@FUZZING_TRUE@ test/fuzz/init-token-sopin.fuzz$(EXEEXT) \
@FUZZING_TRUE@ test/fuzz/init-pin.fuzz$(EXEEXT) \
@FUZZING_TRUE@ test/fuzz/set-pin.fuzz$(EXEEXT) \
+@FUZZING_TRUE@ test/fuzz/db-take-lock.fuzz$(EXEEXT) \
@FUZZING_TRUE@ test/fuzz/db-token-label.fuzz32$(EXEEXT) \
@FUZZING_TRUE@ test/fuzz/init-token-label.fuzz32$(EXEEXT) \
@FUZZING_TRUE@ test/fuzz/utils-ctx-unwrap-objauth.fuzz$(EXEEXT)
@@ -286,6 +288,18 @@
am_src_libtpm2_test_pkcs11_la_OBJECTS = $(am__objects_3)
src_libtpm2_test_pkcs11_la_OBJECTS = \
$(am_src_libtpm2_test_pkcs11_la_OBJECTS)
+am__test_fuzz_db_take_lock_fuzz_SOURCES_DIST = \
+ test/fuzz/db-take-lock.fuzz.c
+@FUZZING_TRUE@am_test_fuzz_db_take_lock_fuzz_OBJECTS =
test/fuzz/db_take_lock_fuzz-db-take-lock.fuzz.$(OBJEXT)
+test_fuzz_db_take_lock_fuzz_OBJECTS = \
+ $(am_test_fuzz_db_take_lock_fuzz_OBJECTS)
+@FUZZING_TRUE@test_fuzz_db_take_lock_fuzz_DEPENDENCIES = \
+@FUZZING_TRUE@ $(libtpm2_test_pkcs11) $(am__DEPENDENCIES_2) \
+@FUZZING_TRUE@ $(am__DEPENDENCIES_1)
+test_fuzz_db_take_lock_fuzz_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+ $(test_fuzz_db_take_lock_fuzz_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+ $(LDFLAGS) -o $@
am__test_fuzz_db_token_label_fuzz32_SOURCES_DIST = \
test/fuzz/db-token-label.fuzz32.c
@FUZZING_TRUE@am_test_fuzz_db_token_label_fuzz32_OBJECTS =
test/fuzz/db_token_label_fuzz32-db-token-label.fuzz32.$(OBJEXT)
@@ -604,6 +618,7 @@
src/lib/$(DEPDIR)/token.Plo src/lib/$(DEPDIR)/tpm.Plo \
src/lib/$(DEPDIR)/twist.Plo src/lib/$(DEPDIR)/typed_memory.Plo \
src/lib/$(DEPDIR)/utils.Plo \
+ test/fuzz/$(DEPDIR)/db_take_lock_fuzz-db-take-lock.fuzz.Po \
test/fuzz/$(DEPDIR)/db_token_label_fuzz32-db-token-label.fuzz32.Po \
test/fuzz/$(DEPDIR)/init_pin_fuzz-init-pin.fuzz.Po \
test/fuzz/$(DEPDIR)/init_token_label_fuzz32-init-token-label.fuzz32.Po \
@@ -661,6 +676,7 @@
SOURCES = $(src_libtpm2_pkcs11_la_SOURCES) \
$(src_libtpm2_test_internal_la_SOURCES) \
$(src_libtpm2_test_pkcs11_la_SOURCES) \
+ $(test_fuzz_db_take_lock_fuzz_SOURCES) \
$(test_fuzz_db_token_label_fuzz32_SOURCES) \
$(test_fuzz_init_pin_fuzz_SOURCES) \
$(test_fuzz_init_token_label_fuzz32_SOURCES) \
@@ -685,6 +701,7 @@
DIST_SOURCES = $(src_libtpm2_pkcs11_la_SOURCES) \
$(src_libtpm2_test_internal_la_SOURCES) \
$(src_libtpm2_test_pkcs11_la_SOURCES) \
+ $(am__test_fuzz_db_take_lock_fuzz_SOURCES_DIST) \
$(am__test_fuzz_db_token_label_fuzz32_SOURCES_DIST) \
$(am__test_fuzz_init_pin_fuzz_SOURCES_DIST) \
$(am__test_fuzz_init_token_label_fuzz32_SOURCES_DIST) \
@@ -1204,7 +1221,7 @@
# Add source code files from bootstrap
EXTRA_DIST = LICENSE docs test/integration/scripts misc/p11-kit tools \
- AUTHORS lib/tpm2-pkcs11.map $(integration_scripts) \
+ VERSION AUTHORS lib/tpm2-pkcs11.map $(integration_scripts) \
test/integration/test.h test/integration/largebin.h \
test/integration/fixtures
CLEANFILES = AUTHORS $(am__append_4)
@@ -1402,6 +1419,9 @@
@FUZZING_TRUE@test_fuzz_set_pin_fuzz_LDFLAGS = $(WRAP_LD_FLAGS)
@FUZZING_TRUE@test_fuzz_set_pin_fuzz_LDADD = $(libtpm2_test_pkcs11)
$(AM_LDFLAGS) $(CMOCKA_LIBS)
@FUZZING_TRUE@test_fuzz_set_pin_fuzz_SOURCES = test/fuzz/set-pin.fuzz.c
+@FUZZING_TRUE@test_fuzz_db_take_lock_fuzz_CFLAGS = $(AM_CFLAGS)
$(FUZZING_CFLAGS) $(CMOCKA_CFLAGS) -I$(srcdir)/test/fake-tpm
+@FUZZING_TRUE@test_fuzz_db_take_lock_fuzz_LDADD = $(libtpm2_test_pkcs11)
$(AM_LDFLAGS) $(CMOCKA_LIBS)
+@FUZZING_TRUE@test_fuzz_db_take_lock_fuzz_SOURCES =
test/fuzz/db-take-lock.fuzz.c
@FUZZING_TRUE@AM_FUZZ32_LOG_FLAGS = $(FUZZING_FLAGS) -max_len=32
@FUZZING_TRUE@FUZZ32_LOG_COMPILER = $(FUZZ_RUNNER)
@FUZZING_TRUE@test_fuzz_init_token_label_fuzz32_CFLAGS = $(AM_CFLAGS)
$(FUZZING_CFLAGS) $(CMOCKA_CFLAGS) -I$(srcdir)/test/fake-tpm
@@ -1697,6 +1717,12 @@
test/fuzz/$(DEPDIR)/$(am__dirstamp):
@$(MKDIR_P) test/fuzz/$(DEPDIR)
@: > test/fuzz/$(DEPDIR)/$(am__dirstamp)
+test/fuzz/db_take_lock_fuzz-db-take-lock.fuzz.$(OBJEXT): \
+ test/fuzz/$(am__dirstamp) test/fuzz/$(DEPDIR)/$(am__dirstamp)
+
+test/fuzz/db-take-lock.fuzz$(EXEEXT): $(test_fuzz_db_take_lock_fuzz_OBJECTS)
$(test_fuzz_db_take_lock_fuzz_DEPENDENCIES)
$(EXTRA_test_fuzz_db_take_lock_fuzz_DEPENDENCIES) test/fuzz/$(am__dirstamp)
+ @rm -f test/fuzz/db-take-lock.fuzz$(EXEEXT)
+ $(AM_V_CCLD)$(test_fuzz_db_take_lock_fuzz_LINK)
$(test_fuzz_db_take_lock_fuzz_OBJECTS) $(test_fuzz_db_take_lock_fuzz_LDADD)
$(LIBS)
test/fuzz/db_token_label_fuzz32-db-token-label.fuzz32.$(OBJEXT): \
test/fuzz/$(am__dirstamp) test/fuzz/$(DEPDIR)/$(am__dirstamp)
@@ -1938,6 +1964,7 @@
@AMDEP_TRUE@@am__include@ @am__quote@src/lib/$(DEPDIR)/twist.Plo@am__quote@ #
am--include-marker
@AMDEP_TRUE@@am__include@
@am__quote@src/lib/$(DEPDIR)/typed_memory.Plo@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@src/lib/$(DEPDIR)/utils.Plo@am__quote@ #
am--include-marker
+@AMDEP_TRUE@@am__include@
@am__quote@test/fuzz/$(DEPDIR)/db_take_lock_fuzz-db-take-lock.fuzz.Po@am__quote@
# am--include-marker
@AMDEP_TRUE@@am__include@
@am__quote@test/fuzz/$(DEPDIR)/db_token_label_fuzz32-db-token-label.fuzz32.Po@am__quote@
# am--include-marker
@AMDEP_TRUE@@am__include@
@am__quote@test/fuzz/$(DEPDIR)/init_pin_fuzz-init-pin.fuzz.Po@am__quote@ #
am--include-marker
@AMDEP_TRUE@@am__include@
@am__quote@test/fuzz/$(DEPDIR)/init_token_label_fuzz32-init-token-label.fuzz32.Po@am__quote@
# am--include-marker
@@ -2004,6 +2031,20 @@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE)
$(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+test/fuzz/db_take_lock_fuzz-db-take-lock.fuzz.o: test/fuzz/db-take-lock.fuzz.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES)
$(AM_CPPFLAGS) $(CPPFLAGS) $(test_fuzz_db_take_lock_fuzz_CFLAGS) $(CFLAGS) -MT
test/fuzz/db_take_lock_fuzz-db-take-lock.fuzz.o -MD -MP -MF
test/fuzz/$(DEPDIR)/db_take_lock_fuzz-db-take-lock.fuzz.Tpo -c -o
test/fuzz/db_take_lock_fuzz-db-take-lock.fuzz.o `test -f
'test/fuzz/db-take-lock.fuzz.c' || echo
'$(srcdir)/'`test/fuzz/db-take-lock.fuzz.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv)
test/fuzz/$(DEPDIR)/db_take_lock_fuzz-db-take-lock.fuzz.Tpo
test/fuzz/$(DEPDIR)/db_take_lock_fuzz-db-take-lock.fuzz.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@
$(AM_V_CC)source='test/fuzz/db-take-lock.fuzz.c'
object='test/fuzz/db_take_lock_fuzz-db-take-lock.fuzz.o' libtool=no
@AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE)
$(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES)
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_fuzz_db_take_lock_fuzz_CFLAGS)
$(CFLAGS) -c -o test/fuzz/db_take_lock_fuzz-db-take-lock.fuzz.o `test -f
'test/fuzz/db-take-lock.fuzz.c' || echo
'$(srcdir)/'`test/fuzz/db-take-lock.fuzz.c
+
+test/fuzz/db_take_lock_fuzz-db-take-lock.fuzz.obj:
test/fuzz/db-take-lock.fuzz.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES)
$(AM_CPPFLAGS) $(CPPFLAGS) $(test_fuzz_db_take_lock_fuzz_CFLAGS) $(CFLAGS) -MT
test/fuzz/db_take_lock_fuzz-db-take-lock.fuzz.obj -MD -MP -MF
test/fuzz/$(DEPDIR)/db_take_lock_fuzz-db-take-lock.fuzz.Tpo -c -o
test/fuzz/db_take_lock_fuzz-db-take-lock.fuzz.obj `if test -f
'test/fuzz/db-take-lock.fuzz.c'; then $(CYGPATH_W)
'test/fuzz/db-take-lock.fuzz.c'; else $(CYGPATH_W)
'$(srcdir)/test/fuzz/db-take-lock.fuzz.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv)
test/fuzz/$(DEPDIR)/db_take_lock_fuzz-db-take-lock.fuzz.Tpo
test/fuzz/$(DEPDIR)/db_take_lock_fuzz-db-take-lock.fuzz.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@
$(AM_V_CC)source='test/fuzz/db-take-lock.fuzz.c'
object='test/fuzz/db_take_lock_fuzz-db-take-lock.fuzz.obj' libtool=no
@AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE)
$(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES)
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_fuzz_db_take_lock_fuzz_CFLAGS)
$(CFLAGS) -c -o test/fuzz/db_take_lock_fuzz-db-take-lock.fuzz.obj `if test -f
'test/fuzz/db-take-lock.fuzz.c'; then $(CYGPATH_W)
'test/fuzz/db-take-lock.fuzz.c'; else $(CYGPATH_W)
'$(srcdir)/test/fuzz/db-take-lock.fuzz.c'; fi`
+
test/fuzz/db_token_label_fuzz32-db-token-label.fuzz32.o:
test/fuzz/db-token-label.fuzz32.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES)
$(AM_CPPFLAGS) $(CPPFLAGS) $(test_fuzz_db_token_label_fuzz32_CFLAGS) $(CFLAGS)
-MT test/fuzz/db_token_label_fuzz32-db-token-label.fuzz32.o -MD -MP -MF
test/fuzz/$(DEPDIR)/db_token_label_fuzz32-db-token-label.fuzz32.Tpo -c -o
test/fuzz/db_token_label_fuzz32-db-token-label.fuzz32.o `test -f
'test/fuzz/db-token-label.fuzz32.c' || echo
'$(srcdir)/'`test/fuzz/db-token-label.fuzz32.c
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv)
test/fuzz/$(DEPDIR)/db_token_label_fuzz32-db-token-label.fuzz32.Tpo
test/fuzz/$(DEPDIR)/db_token_label_fuzz32-db-token-label.fuzz32.Po
@@ -3163,6 +3204,7 @@
-rm -f src/lib/$(DEPDIR)/twist.Plo
-rm -f src/lib/$(DEPDIR)/typed_memory.Plo
-rm -f src/lib/$(DEPDIR)/utils.Plo
+ -rm -f test/fuzz/$(DEPDIR)/db_take_lock_fuzz-db-take-lock.fuzz.Po
-rm -f
test/fuzz/$(DEPDIR)/db_token_label_fuzz32-db-token-label.fuzz32.Po
-rm -f test/fuzz/$(DEPDIR)/init_pin_fuzz-init-pin.fuzz.Po
-rm -f
test/fuzz/$(DEPDIR)/init_token_label_fuzz32-init-token-label.fuzz32.Po
@@ -3273,6 +3315,7 @@
-rm -f src/lib/$(DEPDIR)/twist.Plo
-rm -f src/lib/$(DEPDIR)/typed_memory.Plo
-rm -f src/lib/$(DEPDIR)/utils.Plo
+ -rm -f test/fuzz/$(DEPDIR)/db_take_lock_fuzz-db-take-lock.fuzz.Po
-rm -f
test/fuzz/$(DEPDIR)/db_token_label_fuzz32-db-token-label.fuzz32.Po
-rm -f test/fuzz/$(DEPDIR)/init_pin_fuzz-init-pin.fuzz.Po
-rm -f
test/fuzz/$(DEPDIR)/init_token_label_fuzz32-init-token-label.fuzz32.Po
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/tpm2-pkcs11-1.8.0/VERSION
new/tpm2-pkcs11-1.9.0/VERSION
--- old/tpm2-pkcs11-1.8.0/VERSION 1970-01-01 01:00:00.000000000 +0100
+++ new/tpm2-pkcs11-1.9.0/VERSION 2023-01-31 16:06:03.000000000 +0100
@@ -0,0 +1 @@
+1.9.0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/tpm2-pkcs11-1.8.0/aminclude_static.am
new/tpm2-pkcs11-1.9.0/aminclude_static.am
--- old/tpm2-pkcs11-1.8.0/aminclude_static.am 2022-03-21 14:10:36.000000000
+0100
+++ new/tpm2-pkcs11-1.9.0/aminclude_static.am 2023-01-31 16:06:45.000000000
+0100
@@ -1,6 +1,6 @@
# aminclude_static.am generated automatically by Autoconf
-# from AX_AM_MACROS_STATIC on Mon Mar 21 08:10:36 CDT 2022
+# from AX_AM_MACROS_STATIC on Tue Jan 31 09:06:45 CST 2023
# Code coverage
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/tpm2-pkcs11-1.8.0/configure
new/tpm2-pkcs11-1.9.0/configure
--- old/tpm2-pkcs11-1.8.0/configure 2022-03-21 14:10:35.000000000 +0100
+++ new/tpm2-pkcs11-1.9.0/configure 2023-01-31 16:06:45.000000000 +0100
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for tpm2-pkcs11 1.8.0.
+# Generated by GNU Autoconf 2.69 for tpm2-pkcs11 1.9.0.
#
# Report bugs to <https://github.com/tpm2-software/tpm2-pkcs11/issues>.
#
@@ -591,8 +591,8 @@
# Identity of this package.
PACKAGE_NAME='tpm2-pkcs11'
PACKAGE_TARNAME='tpm2-pkcs11'
-PACKAGE_VERSION='1.8.0'
-PACKAGE_STRING='tpm2-pkcs11 1.8.0'
+PACKAGE_VERSION='1.9.0'
+PACKAGE_STRING='tpm2-pkcs11 1.9.0'
PACKAGE_BUGREPORT='https://github.com/tpm2-software/tpm2-pkcs11/issues'
PACKAGE_URL='https://github.com/tpm2-software/tpm2-pkcs11'
@@ -1485,7 +1485,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures tpm2-pkcs11 1.8.0 to adapt to many kinds of systems.
+\`configure' configures tpm2-pkcs11 1.9.0 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1556,7 +1556,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of tpm2-pkcs11 1.8.0:";;
+ short | recursive ) echo "Configuration of tpm2-pkcs11 1.9.0:";;
esac
cat <<\_ACEOF
@@ -1753,7 +1753,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-tpm2-pkcs11 configure 1.8.0
+tpm2-pkcs11 configure 1.9.0
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2031,7 +2031,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by tpm2-pkcs11 $as_me 1.8.0, which was
+It was created by tpm2-pkcs11 $as_me 1.9.0, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -12009,7 +12009,7 @@
# Define the identity of the package.
PACKAGE='tpm2-pkcs11'
- VERSION='1.8.0'
+ VERSION='1.9.0'
cat >>confdefs.h <<_ACEOF
@@ -19048,7 +19048,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by tpm2-pkcs11 $as_me 1.8.0, which was
+This file was extended by tpm2-pkcs11 $as_me 1.9.0, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -19115,7 +19115,7 @@
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //;
s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-tpm2-pkcs11 config.status 1.8.0
+tpm2-pkcs11 config.status 1.9.0
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/tpm2-pkcs11-1.8.0/configure.ac
new/tpm2-pkcs11-1.9.0/configure.ac
--- old/tpm2-pkcs11-1.8.0/configure.ac 2022-03-21 14:07:16.000000000 +0100
+++ new/tpm2-pkcs11-1.9.0/configure.ac 2023-01-20 16:32:09.000000000 +0100
@@ -1,7 +1,7 @@
# SPDX-License-Identifier: BSD-2-Clause
AC_INIT([tpm2-pkcs11],
- [m4_esyscmd_s([git describe --tags --always --dirty])],
+ [m4_esyscmd_s([cat ./VERSION])],
[https://github.com/tpm2-software/tpm2-pkcs11/issues],
[],
[https://github.com/tpm2-software/tpm2-pkcs11])
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/tpm2-pkcs11-1.8.0/docs/BUILDING.md
new/tpm2-pkcs11-1.9.0/docs/BUILDING.md
--- old/tpm2-pkcs11-1.8.0/docs/BUILDING.md 2022-03-21 14:08:02.000000000
+0100
+++ new/tpm2-pkcs11-1.9.0/docs/BUILDING.md 2023-01-20 16:32:09.000000000
+0100
@@ -26,8 +26,13 @@
### Optional Dependencies for tpm2_ptool
1. [tpm2-tools](https://github.com/tpm2-software/tpm2-tools): **Requires
version >= 4.0.1**
-2. [Python](https://www.python.org/): **Requires version >= 3.7**
-
+2. [Python](https://www.python.org/): **Requires version >= 3.7** and the
following Python Modules:
+ - bcrypt
+ - cryptography>=3.0
+ - pyyaml
+ - pyasn1
+ - pyasn1_modules
+ - tpm2_pytss
### Notes
The tpm2-tss and tpm2-tools projects must be obtained via source. Packaged
versions existing
in known package managers are likely too old.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/tpm2-pkcs11-1.8.0/docs/CONTRIBUTING.md
new/tpm2-pkcs11-1.9.0/docs/CONTRIBUTING.md
--- old/tpm2-pkcs11-1.8.0/docs/CONTRIBUTING.md 2022-03-21 14:07:16.000000000
+0100
+++ new/tpm2-pkcs11-1.9.0/docs/CONTRIBUTING.md 2023-01-20 16:32:09.000000000
+0100
@@ -4,10 +4,8 @@
<https://github.com/tpm2-software/tpm2-pkcs11/issues>
-Security sensitive bugs should be emailed to a maintainer or to Intel
-via the guidelines here:
-
-<https://security-center.intel.com/VulnerabilityHandlingGuidelines.aspx>
+Security sensitive bugs should be handled per the instructions in the
+[docs/SECURITY.md](docs/SECURITY.md) file.
## Guidelines for submitting changes
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/tpm2-pkcs11-1.8.0/docs/INITIALIZING.md
new/tpm2-pkcs11-1.9.0/docs/INITIALIZING.md
--- old/tpm2-pkcs11-1.8.0/docs/INITIALIZING.md 2021-09-29 19:04:30.000000000
+0200
+++ new/tpm2-pkcs11-1.9.0/docs/INITIALIZING.md 2023-01-20 16:32:09.000000000
+0100
@@ -51,6 +51,12 @@
Their is no requirement to use the simulator and abrmd, this is all
configuration dependent.
+**LOCKING**
+
+When the SQL database is on the disk, the lock is set within the same folder
than the SQL file.
+It can lead to some issues if the lock is not released (system crash, reboot),
mostly on embedded
+systems. Another folder, for instance a tmpfs one, can be enforced using the
env `PKCS11_SQL_LOCK=/var/run/pkcs11_sql_locks`.
+
## Example Setup With tpm2_ptool
I use the simulator and tpm2-abrmd to set all of this up, like so:
```sh
@@ -214,4 +220,4 @@
label: myrsakey
Usage: encrypt, verify
```
-Note: You will only see the public objects when you login.
+Note: To see private objects you need to login.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/tpm2-pkcs11-1.8.0/docs/MAINTAINERS.md
new/tpm2-pkcs11-1.9.0/docs/MAINTAINERS.md
--- old/tpm2-pkcs11-1.8.0/docs/MAINTAINERS.md 1970-01-01 01:00:00.000000000
+0100
+++ new/tpm2-pkcs11-1.9.0/docs/MAINTAINERS.md 2023-01-20 16:32:09.000000000
+0100
@@ -0,0 +1,3 @@
+# Maintainers
+
+Bill Roberts <william.c.robe...@intel.com>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/tpm2-pkcs11-1.8.0/docs/RELEASE.md
new/tpm2-pkcs11-1.9.0/docs/RELEASE.md
--- old/tpm2-pkcs11-1.8.0/docs/RELEASE.md 2022-03-21 14:07:16.000000000
+0100
+++ new/tpm2-pkcs11-1.9.0/docs/RELEASE.md 2023-01-20 16:32:09.000000000
+0100
@@ -22,7 +22,7 @@
and *SHALL* be named `<major-version>.<minor-version>.X`.
Release candidates will be announced on the
-[mailing list](https://lists.01.org/mailman/listinfo/tpm2). When a RC has gone
1
+[mailing list](https://lists.linuxfoundation.org/mailman/listinfo/tpm2). When
a RC has gone 1
week without new substantive changes, a release will be conducted. Substantive
changes are generally not editorial in nature and they do not contain changes
to
the CI system. Substantive changes are changes to the man-pages, code or tests.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/tpm2-pkcs11-1.8.0/docs/SECURITY.md
new/tpm2-pkcs11-1.9.0/docs/SECURITY.md
--- old/tpm2-pkcs11-1.8.0/docs/SECURITY.md 1970-01-01 01:00:00.000000000
+0100
+++ new/tpm2-pkcs11-1.9.0/docs/SECURITY.md 2023-01-20 16:32:09.000000000
+0100
@@ -0,0 +1,38 @@
+# Security Policy
+
+## Supported Versions
+
+Currently supported versions:
+
+| Version | Supported |
+| -------- | ------------------ |
+| < 1.5.0 | :x: |
+| >= 1.5.0 | :white_check_mark: |
+
+## Reporting a Vulnerability
+
+### Reporting
+
+Security vulnerabilities can be disclosed in one of two ways:
+- GitHub: *preferred* By following
[these](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability)
instructions.
+- Email: A descirption *should be emailed* to **all** members of the
[MAINTAINERS](MAINTAINERS) file to coordinate the
+disclosure of the vulnerability.
+
+### Tracking
+
+When a maintainer is notified of a security vulnerability, they *must* create
a GitHub security advisory
+per the instructions at:
+
+ -
<https://docs.github.com/en/code-security/repository-security-advisories/about-github-security-advisories-for-repositories>
+
+Maintainers *should* use the optional feature through GitHub to request a CVE
be issued, alternatively RedHat has provided CVE's
+in the past and *may* be used, but preference is on GitHub as the issuing CNA.
+
+### Publishing
+
+Once ready, maintainers should publish the security vulnerability as outlined
in:
+
+ -
<https://docs.github.com/en/code-security/repository-security-advisories/publishing-a-repository-security-advisory>
+
+As well as ensuring the publishing of the CVE, maintainers *shal*l have new
release versions ready to publish at the same time as
+the CVE. Maintainers *should* should strive to adhere to a sub 60 say turn
around from report to release.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/tpm2-pkcs11-1.8.0/docs/SSH_HOSTKEYS.md
new/tpm2-pkcs11-1.9.0/docs/SSH_HOSTKEYS.md
--- old/tpm2-pkcs11-1.8.0/docs/SSH_HOSTKEYS.md 2021-09-29 19:04:30.000000000
+0200
+++ new/tpm2-pkcs11-1.9.0/docs/SSH_HOSTKEYS.md 2023-01-20 16:32:09.000000000
+0100
@@ -36,7 +36,7 @@
Add the following to /etc/ssh/sshd_config
```
HostKey /etc/ssh/ssh_hostkey_rsa.pub
-HostHostKeyAgent /tmp/hostagent.sock
+HostKeyAgent /tmp/hostagent.sock
```
(Re)start sshd and run:
```
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/tpm2-pkcs11-1.8.0/src/lib/attrs.c
new/tpm2-pkcs11-1.9.0/src/lib/attrs.c
--- old/tpm2-pkcs11-1.8.0/src/lib/attrs.c 2022-03-08 22:44:18.000000000
+0100
+++ new/tpm2-pkcs11-1.9.0/src/lib/attrs.c 2023-01-20 16:32:09.000000000
+0100
@@ -201,6 +201,11 @@
return _attr_list_add(l, type, sizeof(value), (CK_BYTE_PTR)&value,
TYPE_BYTE_INT);
}
+bool attr_list_add_int_seq(attr_list *l, CK_ATTRIBUTE_TYPE type, CK_BYTE_PTR
value, CK_ULONG len) {
+
+ return _attr_list_add(l, type, len, value, TYPE_BYTE_INT_SEQ);
+}
+
bool attr_list_add_bool(attr_list *l, CK_ATTRIBUTE_TYPE type, CK_BBOOL value) {
return _attr_list_add(l, type, sizeof(value), &value, TYPE_BYTE_BOOL);
@@ -890,13 +895,13 @@
};
if (new_pub_attrs) {
- bool r = attr_list_add_buf(new_pub_attrs, CKA_ALLOWED_MECHANISMS,
+ bool r = attr_list_add_int_seq(new_pub_attrs, CKA_ALLOWED_MECHANISMS,
(CK_BYTE_PTR)&t, sizeof(t));
goto_error_false(r);
}
if (new_priv_attrs) {
- bool r = attr_list_add_buf(new_priv_attrs, CKA_ALLOWED_MECHANISMS,
+ bool r = attr_list_add_int_seq(new_priv_attrs, CKA_ALLOWED_MECHANISMS,
(CK_BYTE_PTR)&t, sizeof(t));
goto_error_false(r);
}
@@ -976,11 +981,11 @@
CKM_ECDSA_SHA512,
};
- bool r = attr_list_add_buf(new_pub_attrs, CKA_ALLOWED_MECHANISMS,
+ bool r = attr_list_add_int_seq(new_pub_attrs, CKA_ALLOWED_MECHANISMS,
(CK_BYTE_PTR)&t, sizeof(t));
goto_error_false(r);
- r = attr_list_add_buf(new_priv_attrs, CKA_ALLOWED_MECHANISMS,
+ r = attr_list_add_int_seq(new_priv_attrs, CKA_ALLOWED_MECHANISMS,
(CK_BYTE_PTR)&t, sizeof(t));
goto_error_false(r);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/tpm2-pkcs11-1.8.0/src/lib/attrs.h
new/tpm2-pkcs11-1.9.0/src/lib/attrs.h
--- old/tpm2-pkcs11-1.8.0/src/lib/attrs.h 2022-03-08 22:44:18.000000000
+0100
+++ new/tpm2-pkcs11-1.9.0/src/lib/attrs.h 2023-01-20 16:32:09.000000000
+0100
@@ -105,6 +105,21 @@
bool attr_list_add_int(attr_list *l, CK_ATTRIBUTE_TYPE type, CK_ULONG value);
/**
+ * Adds a CK_ULONG to the attribute list and adds type data.
+ * @param l
+ * The list to add to.
+ * @param type
+ * The attribute type to add.
+ * @param value
+ * The buffer, can be NULL.
+ * @param len
+ * The length of the buffer. 0 is treated as NULL value.
+ * @return
+ * true on success, false otherwise.
+ */
+bool attr_list_add_int_seq(attr_list *l, CK_ATTRIBUTE_TYPE type, CK_BYTE_PTR
value, CK_ULONG len);
+
+/**
* Returns the count items in the attribute list.
*
* @param l
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/tpm2-pkcs11-1.8.0/src/lib/db.c
new/tpm2-pkcs11-1.9.0/src/lib/db.c
--- old/tpm2-pkcs11-1.8.0/src/lib/db.c 2022-03-21 14:07:16.000000000 +0100
+++ new/tpm2-pkcs11-1.9.0/src/lib/db.c 2023-01-20 16:32:09.000000000 +0100
@@ -32,6 +32,7 @@
#include "tpm.h"
#include "twist.h"
#include "utils.h"
+#include "typed_memory.h"
#include <openssl/evp.h>
@@ -39,7 +40,7 @@
#define TPM2_PKCS11_STORE_DIR "/etc/tpm2_pkcs11"
#endif
-#define DB_VERSION 7
+#define DB_VERSION 8
#define goto_oom(x, l) if (!x) { LOGE("oom"); goto l; }
#define goto_error(x, l) if (x) { goto l; }
@@ -2131,6 +2132,69 @@
return rv;
}
+static CK_RV dbup_handler_from_7_to_8(sqlite3 *updb) {
+
+ /*
+ * Between version 7 and 8 of the DB the following changes need to be made:
+ *
+ * Table tobjects:
+ *
+ * The YAML attributes for a int sequence has to be a yaml sequence.
+ */
+
+
+ CK_RV rv = CKR_GENERAL_ERROR;
+ sqlite3_stmt *stmt = NULL;
+
+ int rc = sqlite3_prepare_v2(updb, "SELECT * from tobjects", -1, &stmt, 0);
+ if (rc != SQLITE_OK) {
+ LOGE("Failed to fetch data: %s", sqlite3_errmsg(updb));
+ goto error;
+ }
+
+ rc = sqlite3_step(stmt);
+ if (rc == SQLITE_DONE) {
+ goto out;
+ } else if (rc != SQLITE_ROW) {
+ LOGE("Failed to step: %s", sqlite3_errmsg(updb));
+ goto error;
+ }
+
+ while (rc == SQLITE_ROW) {
+ tobject *tobj = db_tobject_new(stmt);
+ if (!tobj) {
+ LOGE("Could not process tobjects for upgrade");
+ goto error;
+ }
+
+ /* for each tobject */
+ CK_ATTRIBUTE_PTR a = attr_get_attribute_by_type(tobj->attrs,
CKA_ALLOWED_MECHANISMS);
+ CK_BYTE type = type_from_ptr(a->pValue, a->ulValueLen);
+ if (type != TYPE_BYTE_INT_SEQ) {
+ rv = _db_update_tobject_attrs(updb, tobj->id, tobj->attrs);
+ }
+
+ tobject_free(tobj);
+ if (rv != CKR_OK) {
+ goto error;
+ }
+
+ rc = sqlite3_step(stmt);
+ if (rc != SQLITE_ROW && rc != SQLITE_DONE) {
+ LOGE("Failed to fetch data: %s\n", sqlite3_errmsg(updb));
+ goto error;
+ }
+ }
+
+out:
+ rv = CKR_OK;
+
+error:
+ sqlite3_finalize(stmt);
+ return rv;
+}
+
+
static CK_RV db_backup(sqlite3 *db, const char *dbpath, sqlite3 **updb, char
**copypath) {
CK_RV rv = CKR_GENERAL_ERROR;
@@ -2205,7 +2269,8 @@
dbup_handler_from_3_to_4,
dbup_handler_from_4_to_5,
dbup_handler_from_5_to_6,
- dbup_handler_from_6_to_7
+ dbup_handler_from_6_to_7,
+ dbup_handler_from_7_to_8
};
/*
@@ -2322,9 +2387,41 @@
return db_for_path(path, len, db_create_handler);
}
-static FILE *take_lock(const char *path, char *lockpath) {
+DEBUG_VISIBILITY FILE *take_lock(const char *path, char *lockpath) {
+
+ unsigned l;
- unsigned l = snprintf(lockpath, PATH_MAX, "%s%s", path, ".lock");
+ size_t lenv_lock = 0;
+ char *env_lock = getenv("PKCS11_SQL_LOCK");
+
+ if (env_lock && (lenv_lock = strlen(env_lock) > 0)) {
+ /*
+ * lock file shall be "PKCS11_SQL_LOCK" + '/' + path + ".lock", but
+ * path's '/' will be substituted by '_'.
+ */
+ if (env_lock[lenv_lock - 1] == '/') {
+ env_lock[lenv_lock - 1] = '\0';
+ lenv_lock--;
+ }
+ if ((lenv_lock + 1 + strlen(path) + strlen(".lock")) >= PATH_MAX) {
+ LOGE("Lock file path would be longer than PATH_MAX");
+ return NULL;
+ }
+ strncpy(lockpath, env_lock, PATH_MAX-1);
+ strcat(lockpath, "/");
+ for (size_t i = 0; path[i] && (i < PATH_MAX) && (i < strlen(path));
i++) {
+ lockpath[lenv_lock + 1 + i] = '\0';
+ if (path[i] == '/') {
+ lockpath[lenv_lock + 1 + i] = '_';
+ continue;
+ }
+ lockpath[lenv_lock + 1 + i] = path[i];
+ }
+ strcat(lockpath, ".lock");
+ l = strlen(lockpath);
+ } else {
+ l = snprintf(lockpath, PATH_MAX, "%s%s", path, ".lock");
+ }
if (l >= PATH_MAX) {
LOGE("Lock file path is longer than PATH_MAX");
return NULL;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/tpm2-pkcs11-1.8.0/src/lib/db.h
new/tpm2-pkcs11-1.9.0/src/lib/db.h
--- old/tpm2-pkcs11-1.8.0/src/lib/db.h 2021-09-29 19:04:30.000000000 +0200
+++ new/tpm2-pkcs11-1.9.0/src/lib/db.h 2023-01-20 16:32:09.000000000 +0100
@@ -74,6 +74,8 @@
/* Debug testing */
#ifdef TESTING
+#include <stdio.h>
+
#include "twist.h"
int get_blob_null(sqlite3_stmt *stmt, int i, twist *blob);
@@ -90,6 +92,7 @@
int __real_init_pobject(unsigned pid, pobject *pobj, tpm_ctx *tpm);
int init_sealobjects(unsigned tokid, sealobject *sealobj);
int __real_init_sealobjects(unsigned tokid, sealobject *sealobj);
+FILE *take_lock(const char *path, char *lockpath);
#endif
#endif /* SRC_PKCS11_LIB_DB_H_ */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/tpm2-pkcs11-1.8.0/src/lib/tpm.c
new/tpm2-pkcs11-1.9.0/src/lib/tpm.c
--- old/tpm2-pkcs11-1.8.0/src/lib/tpm.c 2022-03-21 14:07:16.000000000 +0100
+++ new/tpm2-pkcs11-1.9.0/src/lib/tpm.c 2023-01-20 16:32:09.000000000 +0100
@@ -320,6 +320,31 @@
return true;
}
+static bool set_esys_auth_string(ESYS_CONTEXT *esys_ctx, ESYS_TR handle, const
char *auth) {
+
+ TPM2B_AUTH tpm_auth = TPM2B_EMPTY_INIT;
+
+ if (auth) {
+ size_t auth_len = strlen(auth);
+ if (auth_len > sizeof(tpm_auth.buffer)) {
+ LOGE("Auth value too large, got %zu expected < %zu",
+ auth_len, sizeof(tpm_auth.buffer));
+ return false;
+ }
+
+ tpm_auth.size = auth_len;
+ memcpy(tpm_auth.buffer, auth, auth_len);
+ }
+
+ TSS2_RC rval = Esys_TR_SetAuth(esys_ctx, handle, &tpm_auth);
+ if (rval != TSS2_RC_SUCCESS) {
+ LOGE("Esys_TR_SetAuth: 0x%x:", rval);
+ return false;
+ }
+
+ return true;
+}
+
bool tpm_session_active(tpm_ctx *ctx) {
return (!!ctx->hmac_session);
}
@@ -2809,10 +2834,11 @@
if (!tpm->did_check_for_createloaded) {
/* do not free, value is cached */
rval = tpm_supports_cc(tpm, TPM2_CC_CreateLoaded,
- &tpm->did_check_for_createloaded);
+ &tpm->use_createloaded);
if (rval != TSS2_RC_SUCCESS) {
return rval;
}
+ tpm->did_check_for_createloaded = true;
}
if (out_handle && tpm->use_createloaded) {
@@ -4319,7 +4345,6 @@
/* TODO make configurable ? */
ESYS_TR hierarchy = ESYS_TR_RH_OWNER;
- TPM2B_AUTH hieararchy_auth = { 0 };
/*
* Hierarchy is currently fixed to owner auth, but eventually
@@ -4331,15 +4356,9 @@
* NULL
*/
const char *auth = getenv("TPM2_PKCS11_OWNER_AUTH");
- if (auth && auth[0]) {
- size_t len = strlen(auth);
- if (len > sizeof(hieararchy_auth.buffer)) {
- LOGE("TPM2_PKCS11_HIERARCHY_AUTH is too big. Max size is: %zu",
- sizeof(hieararchy_auth.buffer));
- return CKR_GENERAL_ERROR;
- }
- hieararchy_auth.size = (typeof(hieararchy_auth.size))len;
- memcpy(hieararchy_auth.buffer, auth, len);
+ bool res = set_esys_auth_string(tpm->esys_ctx, hierarchy, auth);
+ if (!res) {
+ return CKR_GENERAL_ERROR;
}
TPM2B_DATA outside_info = { 0 };
@@ -4357,12 +4376,6 @@
memcpy(a->buffer, pobj_auth, len);
}
- TSS2_RC rval = Esys_TR_SetAuth(tpm->esys_ctx, hierarchy, &hieararchy_auth);
- if (rval != TSS2_RC_SUCCESS) {
- LOGE("Esys_TR_SetAuth: %s:", Tss2_RC_Decode(rval));
- return CKR_GENERAL_ERROR;
- }
-
TPM2B_PUBLIC in_pub = { 0 };
CK_RV rv = templ->fn(tpm, &in_pub);
if (rv != CKR_OK) {
@@ -4376,7 +4389,7 @@
TPMT_TK_CREATION *ticket = NULL;
ESYS_TR handle = ESYS_TR_NONE;
- rval = Esys_CreatePrimary(tpm->esys_ctx,
+ TSS2_RC rval = Esys_CreatePrimary(tpm->esys_ctx,
hierarchy,
ESYS_TR_PASSWORD,
ESYS_TR_NONE,
@@ -4407,7 +4420,6 @@
/* TODO make configurable ? */
ESYS_TR hierarchy = ESYS_TR_RH_OWNER;
- TPM2B_AUTH hieararchy_auth = { 0 };
TPM2B_SENSITIVE_CREATE sens = { 0 };
@@ -4452,10 +4464,10 @@
TPM2B_DATA outside_info = { 0 };
TPML_PCR_SELECTION pcrs = { 0 };
- TSS2_RC rval = Esys_TR_SetAuth(tpm->esys_ctx, hierarchy, &hieararchy_auth);
- if (rval != TSS2_RC_SUCCESS) {
- LOGE("Esys_TR_SetAuth: %s:", Tss2_RC_Decode(rval));
- return CKR_GENERAL_ERROR;
+ const char *auth = getenv("TPM2_PKCS11_OWNER_AUTH");
+ bool res = set_esys_auth_string(tpm->esys_ctx, hierarchy, auth);
+ if (!res) {
+ return CKR_GENERAL_ERROR;
}
TPM2B_PUBLIC *out_pub = NULL;
@@ -4464,7 +4476,7 @@
TPMT_TK_CREATION *ticket = NULL;
ESYS_TR handle = ESYS_TR_NONE;
- rval = Esys_CreatePrimary(tpm->esys_ctx,
+ TSS2_RC rval = Esys_CreatePrimary(tpm->esys_ctx,
hierarchy,
ESYS_TR_PASSWORD,
ESYS_TR_NONE,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/tpm2-pkcs11-1.8.0/test/fuzz/db-take-lock.fuzz.c
new/tpm2-pkcs11-1.9.0/test/fuzz/db-take-lock.fuzz.c
--- old/tpm2-pkcs11-1.8.0/test/fuzz/db-take-lock.fuzz.c 1970-01-01
01:00:00.000000000 +0100
+++ new/tpm2-pkcs11-1.9.0/test/fuzz/db-take-lock.fuzz.c 2023-01-20
16:32:09.000000000 +0100
@@ -0,0 +1,112 @@
+/* SPDX-License-Identifier: BSD-2-Clause */
+#include "config.h"
+
+#include <errno.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <setjmp.h>
+
+#include <cmocka.h>
+
+#include <linux/limits.h>
+
+#include "db.h"
+
+static const uint8_t *_data;
+static size_t _size;
+
+typedef struct test_state test_state;
+struct test_state {
+ char *random_string;
+ char *tmp_dir;
+ FILE *file;
+};
+
+static inline test_state *test_state_cast(void **state) {
+ return (test_state *)*state;
+}
+
+static void test_state_free(test_state **test) {
+
+ if (test && *test) {
+ test_state *t = *test;
+ free(t->random_string);
+ if (t->file) {
+ fclose(t->file);
+ }
+ free(t);
+ *test = NULL;
+ }
+}
+
+static test_state *test_state_new(const uint8_t *data, size_t len) {
+
+ /* require a null terminated string */
+ char *null_term_data = calloc(1, len + 1);
+ if (!null_term_data) {
+ return NULL;
+ }
+ memcpy(null_term_data, data, len);
+
+ char tmp_key[] = "pkcs11_fuzztest_db_take_lock_XXXXXX";
+ char *tmp_dir = mkdtemp(tmp_key);
+ if (!tmp_dir) {
+ free(null_term_data);
+ return NULL;
+ }
+
+ test_state *t = calloc(1, sizeof(test_state));
+ if (!t) {
+ free(null_term_data);
+ return NULL;
+ }
+
+ t->random_string = null_term_data;
+ t->tmp_dir = tmp_dir;
+
+ return t;
+}
+
+static int setup(void **state) {
+
+ /* assign to state */
+ *state = test_state_new(_data, _size);
+
+ return *state == NULL;
+}
+
+static int teardown(void **state) {
+
+ test_state *s = test_state_cast(state);
+ test_state_free(&s);
+
+ return 0;
+}
+
+static void test(void **state) {
+
+ test_state *t = test_state_cast(state);
+ assert_non_null(t);
+
+ setenv("PKCS11_SQL_LOCK", t->random_string, true);
+
+ char lockpath[PATH_MAX];
+ t->file = take_lock(t->tmp_dir, lockpath);
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+
+ _size = size;
+ _data = data;
+
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_setup_teardown(test, setup, teardown),
+ };
+
+ cmocka_run_group_tests(tests, NULL, NULL);
+ return 0;
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/tpm2-pkcs11-1.8.0/test/integration/pkcs11-tool-init-fapi.sh.fapi
new/tpm2-pkcs11-1.9.0/test/integration/pkcs11-tool-init-fapi.sh.fapi
--- old/tpm2-pkcs11-1.8.0/test/integration/pkcs11-tool-init-fapi.sh.fapi
2022-03-08 22:44:18.000000000 +0100
+++ new/tpm2-pkcs11-1.9.0/test/integration/pkcs11-tool-init-fapi.sh.fapi
2023-01-20 16:32:09.000000000 +0100
@@ -48,6 +48,11 @@
pkcs11_tool -I
pkcs11_tool -T
+# Their is no SRK so it should attempt to make an SRK, so lets test it with an
owner
+# hierarchy password set to make sure that works.
+tpm2_changeauth -cowner mynewpass
+export TPM2_PKCS11_OWNER_AUTH=mynewpass
+
echo "Initializing token"
pkcs11_tool --slot-index=0 --init-token --label=mynewtoken --so-pin=mynewsopin
echo "Token initialized"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/tpm2-pkcs11-1.8.0/test/integration/pkcs11-tool-init.sh.nosetup
new/tpm2-pkcs11-1.9.0/test/integration/pkcs11-tool-init.sh.nosetup
--- old/tpm2-pkcs11-1.8.0/test/integration/pkcs11-tool-init.sh.nosetup
2022-03-08 22:44:18.000000000 +0100
+++ new/tpm2-pkcs11-1.9.0/test/integration/pkcs11-tool-init.sh.nosetup
2023-01-20 16:32:09.000000000 +0100
@@ -48,6 +48,11 @@
pkcs11_tool -I
pkcs11_tool -T
+# Their is no SRK so it should attempt to make an SRK, so lets test it with an
owner
+# hierarchy password set to make sure that works.
+tpm2_changeauth -cowner mynewpass
+export TPM2_PKCS11_OWNER_AUTH=mynewpass
+
echo "Initializing token"
pkcs11_tool --slot-index=0 --init-token --label=mynewtoken --so-pin=mynewsopin
echo "Token initialized"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/tpm2-pkcs11-1.8.0/tools/tpm2_pkcs11/db.py
new/tpm2-pkcs11-1.9.0/tools/tpm2_pkcs11/db.py
--- old/tpm2-pkcs11-1.8.0/tools/tpm2_pkcs11/db.py 2022-03-21
14:07:16.000000000 +0100
+++ new/tpm2-pkcs11-1.9.0/tools/tpm2_pkcs11/db.py 2023-01-20
16:32:09.000000000 +0100
@@ -22,7 +22,7 @@
CKM_ECDSA_SHA512
)
-VERSION = 7
+VERSION = 8
#
# With Db() as db:
@@ -394,7 +394,7 @@
hexblob = bytes.hex(blob)
config = {
- 'persistent' : True,
+ 'transient': False,
'esys-tr': hexblob
}
@@ -532,6 +532,36 @@
attrs[CKA_ALLOWED_MECHANISMS] = list(deduped_attrs)
Db._updatetertiary(dbbakcon, t['id'], attrs)
+ def _update_on_8(self, dbbakcon):
+ '''
+ Between version 7 and 8 of the DB the following changes need to be
made:
+
+ Table tobjects:
+
+ The YAML attributes for a int sequence has to be a yaml sequence.
+ '''
+ import ctypes
+ import socket
+ long_size = ctypes.sizeof(ctypes.c_ulong)
+
+ c = dbbakcon.cursor()
+
+ c.execute('SELECT * from tobjects')
+ tobjs = c.fetchall()
+
+ for t in tobjs:
+ attrs = yaml.safe_load(io.StringIO(t['attrs']))
+ for attr in attrs:
+ # The allowed mechanism attribute is a buffer of hexadecimal
+ # written as a string instead of being a sequence of int
+ if attr == CKA_ALLOWED_MECHANISMS and \
+ isinstance(attrs[attr], str):
+ list_hexa =
[socket.ntohl(int(attrs[attr][i:i+long_size], 16)) for i in range(0,
len(attrs[attr]), long_size)]
+ list_int = [int(x,16) for x in list_hexa]
+ attrs[attr] = list_int
+
+ Db._updatetertiary(dbbakcon, t['id'], attrs)
+
def update_db(self, old_version, new_version=VERSION):
# were doing the update, so make a backup to manipulate
@@ -548,27 +578,33 @@
REPLACE INTO schema (id, schema_version) VALUES (1,
{version});
'''.format(version=new_version))
dbbakcon.execute(sql)
- finally:
- # Close the connections
- self._conn.commit()
- self._conn.close()
-
+ except Exception as e:
+ # Close the connection to backup
dbbakcon.commit()
dbbakcon.close()
- # move old db to ".old" suffix
- olddbpath = self._path + ".old"
- os.rename(self._path, olddbpath)
-
- # move the backup to the normal dbpath
- os.rename(dbbakpath, self._path)
-
- # unlink the old
- os.unlink(olddbpath)
-
- # re-establish a connection
- self._conn = sqlite3.connect(self._path)
- self._conn.row_factory = sqlite3.Row
+ # unlink the backup
+ os.unlink(dbbakpath)
+
+ raise e
+
+ # Close the connections
+ self._conn.commit()
+ self._conn.close()
+
+ dbbakcon.commit()
+ dbbakcon.close()
+
+ # move old db to ".old" suffix
+ olddbpath = self._path + ".old"
+ os.rename(self._path, olddbpath)
+
+ # move the backup to the normal dbpath
+ os.rename(dbbakpath, self._path)
+
+ # re-establish a connection
+ self._conn = sqlite3.connect(self._path)
+ self._conn.row_factory = sqlite3.Row
def _get_version(self):
c = self._conn.cursor()
