Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssl_tpm2_engine for openSUSE:Factory checked in at 2023-12-05 17:03:15 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openssl_tpm2_engine (Old) and /work/SRC/openSUSE:Factory/.openssl_tpm2_engine.new.25432 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssl_tpm2_engine" Tue Dec 5 17:03:15 2023 rev:14 rq:1130868 version:4.0.2 Changes: -------- --- /work/SRC/openSUSE:Factory/openssl_tpm2_engine/openssl_tpm2_engine.changes 2023-07-06 18:29:18.243376232 +0200 +++ /work/SRC/openSUSE:Factory/.openssl_tpm2_engine.new.25432/openssl_tpm2_engine.changes 2023-12-05 17:03:26.945662632 +0100 @@ -1,0 +2,10 @@ +Mon Dec 5 03:53:40 UTC 2023 - james.bottom...@hansenpartnership.com + +- Update to version 4.0.2 + * Fixes for openssl 3.2 + * fix for encrypted secret size + * fix for swtpm and swtpm2 simultaneous install + * gcc-13 fix + * make signed_tpm2_policy match man page + +------------------------------------------------------------------- Old: ---- openssl_tpm2_engine-4.0.1.tar.gz New: ---- openssl_tpm2_engine-4.0.2.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssl_tpm2_engine.spec ++++++ --- /var/tmp/diff_new_pack.mxoQd5/_old 2023-12-05 17:03:27.673689467 +0100 +++ /var/tmp/diff_new_pack.mxoQd5/_new 2023-12-05 17:03:27.673689467 +0100 @@ -18,7 +18,7 @@ Name: openssl_tpm2_engine -Version: 4.0.1 +Version: 4.0.2 Release: 0 Summary: OpenSSL TPM 2.0 interface engine plugin License: LGPL-2.1-only ++++++ openssl_tpm2_engine-4.0.1.tar.gz -> openssl_tpm2_engine-4.0.2.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openssl_tpm2_engine-4.0.1/configure.ac new/openssl_tpm2_engine-4.0.2/configure.ac --- old/openssl_tpm2_engine-4.0.1/configure.ac 2023-07-05 21:32:10.000000000 +0200 +++ new/openssl_tpm2_engine-4.0.2/configure.ac 2023-12-05 04:47:13.000000000 +0100 
@@ -2,7 +2,7 @@ # configure.in for the OpenSSL TPM engine project # -AC_INIT(openssl-tpm2-engine, 4.0.1, <openssl-tpm2-eng...@groups.io>) +AC_INIT(openssl-tpm2-engine, 4.0.2, <openssl-tpm2-eng...@groups.io>) AM_INIT_AUTOMAKE([foreign 1.6.3]) AC_CANONICAL_HOST AM_CONDITIONAL(NATIVE_BUILD, test "x$cross_compiling" = "xno") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openssl_tpm2_engine-4.0.1/src/include/tpm2-common.h new/openssl_tpm2_engine-4.0.2/src/include/tpm2-common.h --- old/openssl_tpm2_engine-4.0.1/src/include/tpm2-common.h 2023-07-05 21:32:10.000000000 +0200 +++ new/openssl_tpm2_engine-4.0.2/src/include/tpm2-common.h 2023-12-05 04:47:13.000000000 +0100 @@ -129,4 +129,6 @@ int tpm2_rsa_decrypt(const struct app_data *ad, PUBLIC_KEY_RSA_2B *cipherText, unsigned char *to, int padding, int protection, char *srk_auth); +int tpm2_rm_signed_policy(char *tpmkey, int rmnum); +int tpm2_get_signed_policy(char *tpmkey, STACK_OF(TSSAUTHPOLICY) **sk); #endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openssl_tpm2_engine-4.0.1/src/libcommon/tpm2-common.c new/openssl_tpm2_engine-4.0.2/src/libcommon/tpm2-common.c --- old/openssl_tpm2_engine-4.0.1/src/libcommon/tpm2-common.c 2023-07-05 21:32:10.000000000 +0200 +++ new/openssl_tpm2_engine-4.0.2/src/libcommon/tpm2-common.c 2023-12-05 04:47:13.000000000 +0100 
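Review bot: The two new prototypes carry no contract, and each has a detail a caller can get wrong: `rmnum` is 1-based (the implementation deletes stack index `rmnum - 1`), and `tpm2_get_signed_policy` transfers ownership of the returned stack and of its elements, so the caller must release it with `sk_TSSAUTHPOLICY_pop_free`, not `sk_TSSAUTHPOLICY_free`. I would add above them `/* rmnum is 1-based, matching the numbering printed by 'signed_tpm2_policy ls' */` and `/* on success *sk (NULL if the key has no policies) and its elements belong to the caller; release with sk_TSSAUTHPOLICY_pop_free() */`. Both return 0 on success and 1 on any failure, unlike the neighbouring tpm2_new_signed_policy which returns a TPM_RC, and that difference is worth stating too.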
@@ -2349,6 +2349,89 @@
 return rc;
 }
+static void tpm2_read_tpk(char *tpmkey, TSSPRIVKEY **tpk)
+{
+ BIO *bf;
+ *tpk = NULL;
+
+ bf = BIO_new_file(tpmkey, "r");
+ if (!bf) {
+ fprintf(stderr, "File %s does not exist or cannot be read\n",
+ tpmkey);
+ return;
+ }
+
+ *tpk = PEM_read_bio_TSSPRIVKEY(bf, NULL, NULL, NULL);
+ if (!*tpk) {
+ BIO_seek(bf, 0);
+ ERR_clear_error();
+ *tpk = ASN1_item_d2i_bio(ASN1_ITEM_rptr(TSSPRIVKEY), bf, NULL);
+ }
+ BIO_free(bf);
+ if (!*tpk)
+ fprintf(stderr, "Cannot parse file as TPM key\n");
+}
+
+static int tpm2_write_tpk(char *tpmkey, TSSPRIVKEY *tpk)
+{
+ BIO *bf;
+
+ bf = BIO_new_file(tpmkey, "w");
+ if (bf == NULL) {
+ fprintf(stderr, "Failed to open key file %s for writing\n",
+ tpmkey);
+ return 1;
+ }
+ PEM_write_bio_TSSPRIVKEY(bf, tpk);
+ BIO_free(bf);
+
+ return 0;
+}
+
+int tpm2_rm_signed_policy(char *tpmkey, int rmnum)
+{
+ TSSPRIVKEY *tpk;
+ TSSAUTHPOLICY *ap;
+ int ret = 0;
+
+ tpm2_read_tpk(tpmkey, &tpk);
+ if (!tpk)
+ return 1;
+
+ if (sk_TSSAUTHPOLICY_num(tpk->authPolicy) < rmnum) {
+ fprintf(stderr, "Policy %d does not exist\n", rmnum);
+ goto out_free;
+ }
+
+ ap = sk_TSSAUTHPOLICY_delete(tpk->authPolicy, rmnum - 1);
+ TSSAUTHPOLICY_free(ap);
+
+ ret = tpm2_write_tpk(tpmkey, tpk);
+
+ out_free:
+ TSSPRIVKEY_free(tpk);
+ return ret;
+}
+
+int tpm2_get_signed_policy(char *tpmkey, STACK_OF(TSSAUTHPOLICY) **sk)
+{
+ TSSPRIVKEY *tpk;
+
+ *sk = NULL;
+ tpm2_read_tpk(tpmkey, &tpk);
+ if (!tpk)
+ return 1;
+
+ if (tpk->authPolicy) {
+ *sk = sk_TSSAUTHPOLICY_dup(tpk->authPolicy);
+ /* dup does not duplicate elements, so transfer ownership */
+ sk_TSSAUTHPOLICY_zero(tpk->authPolicy);
+ }
+
+ TSSPRIVKEY_free(tpk);
+ return 0;
+}
+
 TPM_RC tpm2_new_signed_policy(char *tpmkey, char *policykey, char *engine,
 TSSAUTHPOLICY *ap, TPMT_HA *digest)
 {
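Review bot: `tpm2_write_tpk` reopens the key file with `BIO_new_file(tpmkey, "w")`, which truncates it, and then ignores the results of `PEM_write_bio_TSSPRIVKEY` and of the flush that happens inside `BIO_free`, so a write that fails part-way (ENOSPC, EIO, an encoding error) leaves the TPM key file truncated or empty while the function returns 0 and `rm`/`add` exit successfully. The write result must be checked and reported (below); the fuller fix is to write a temporary file in the same directory and `rename()` it over the original so the key blob is never half-written, but that is a larger change. Separately, `tpm2_rm_signed_policy` only bounds `rmnum` from above: 0 or a negative value passes `sk_TSSAUTHPOLICY_num(...) < rmnum`, OpenSSL's stack delete returns NULL for the negative index, `TSSAUTHPOLICY_free(NULL)` is a no-op, and the unchanged key is rewritten with exit status 0. The guard should read `if (rmnum < 1 || sk_TSSAUTHPOLICY_num(tpk->authPolicy) < rmnum) {`, which also covers a key whose `authPolicy` stack is NULL (num then returns -1).
```c
static int tpm2_write_tpk(char *tpmkey, TSSPRIVKEY *tpk)
{
	BIO *bf;
	int ret = 0;

	/* … unchanged: BIO_new_file(tpmkey, "w") and its NULL check … */
	/* BIO_flush() surfaces the fflush() error that BIO_free() does not report */
	if (PEM_write_bio_TSSPRIVKEY(bf, tpk) != 1 || BIO_flush(bf) != 1) {
		fprintf(stderr, "Failed to write key file %s\n", tpmkey);
		ret = 1;
	}
	BIO_free(bf);

	return ret;
}
```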
@@ -2368,24 +2451,10 @@ BYTE buf[1024]; UINT16 written = 0; - bf = BIO_new_file(tpmkey, "r"); - if (!bf) { - fprintf(stderr, "File %s does not exist or cannot be read\n", - tpmkey); + tpm2_read_tpk(tpmkey, &tpk); + if (!tpk) return 0; - } - tpk = PEM_read_bio_TSSPRIVKEY(bf, NULL, NULL, NULL); - if (!tpk) { - BIO_seek(bf, 0); - ERR_clear_error(); - tpk = ASN1_item_d2i_bio(ASN1_ITEM_rptr(TSSPRIVKEY), bf, NULL); - } - BIO_free(bf); - if (!tpk) { - fprintf(stderr, "Cannot parse file as TPM key\n"); - return 0; - } if (!tpk->policy || sk_TSSOPTPOLICY_num(tpk->policy) <= 0) { fprintf(stderr, "TPM Key has no policy\n"); goto err_free_tpmkey; @@ -2460,17 +2529,10 @@ * latest policy addition first */ sk_TSSAUTHPOLICY_unshift(tpk->authPolicy, ap); - bf = BIO_new_file(tpmkey, "w"); - if (bf == NULL) { - fprintf(stderr, "Failed to open key file %s for writing\n", - tpmkey); - goto err_free_tpmkey; - } - PEM_write_bio_TSSPRIVKEY(bf, tpk); - BIO_free(bf); + rc = tpm2_write_tpk(tpmkey, tpk); TSSPRIVKEY_free(tpk); - return 0; + return rc; err_free_tpmkey: TSSPRIVKEY_free(tpk); @@ -3045,6 +3107,7 @@ &null_2b, &null_2b, SHA256_DIGEST_LENGTH*8); /* OK the ephermeral public point is now the encrypted secret */ size = sizeof(ephemeral_pt); + written = 0; buf = enc_secret->secret; TSS_TPM2B_ECC_POINT_Marshal(&ephemeral_pt, &written, &buf, &size); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openssl_tpm2_engine-4.0.1/src/provider/decryption.c new/openssl_tpm2_engine-4.0.2/src/provider/decryption.c --- old/openssl_tpm2_engine-4.0.1/src/provider/decryption.c 2023-07-05 21:32:10.000000000 +0200 +++ new/openssl_tpm2_engine-4.0.2/src/provider/decryption.c 2023-12-05 04:47:13.000000000 +0100 @@ -32,6 +32,11 @@ { struct decryption_ctx *dctx = ctx; + if (dctx->ad) + tpm2_keymgmt_free(dctx->ad); + if (dctx->peer_ad) + tpm2_keymgmt_free(dctx->peer_ad); + osslm_decryption_freectx(&dctx->dctx); OPENSSL_free(dctx); } 
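Review bot: After the refactor the function's error returns mix two conventions: on an unreadable or unparsable key it still does `return 0`, which its only caller (`signed_tpm2_policy.c`, `if (rc == 0) exit(0);`) treats as success, and on a write failure it now returns `tpm2_write_tpk`'s plain `1`, which that caller then hands to `tpm2_error()` as if it were a TPM return code. Both sites should return the library's non-TPM error marker instead, e.g. `return NOT_TPM_ERROR;` after the `tpm2_read_tpk` check and `rc = tpm2_write_tpk(tpmkey, tpk) ? NOT_TPM_ERROR : 0;`, assuming NOT_TPM_ERROR is declared in tpm2-common.h as its use in the tool suggests. The rest of tpm2_new_signed_policy, including what `err_free_tpmkey` returns, lies outside this hunk.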
@@ -108,6 +113,8 @@
 struct decryption_ctx *dctx = ctx;
 dctx->ad = key;
+ atomic_fetch_add_explicit(&dctx->ad->refs, 1,
+ memory_order_relaxed);
 return 1;
 }
@@ -118,6 +125,8 @@
 struct decryption_ctx *dctx = ctx;
 dctx->peer_ad = peerkey;
+ atomic_fetch_add_explicit(&dctx->peer_ad->refs, 1,
+ memory_order_relaxed);
 return 1;
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openssl_tpm2_engine-4.0.1/src/provider/keymgmt.c new/openssl_tpm2_engine-4.0.2/src/provider/keymgmt.c
--- old/openssl_tpm2_engine-4.0.1/src/provider/keymgmt.c 2023-07-05 21:32:10.000000000 +0200
+++ new/openssl_tpm2_engine-4.0.2/src/provider/keymgmt.c 2023-12-05 04:47:13.000000000 +0100
@@ -20,7 +20,7 @@
 return ad;
 }
-static void tpm2_keymgmt_free(void *ref)
+void tpm2_keymgmt_free(void *ref)
 {
 struct app_data *ad = ref;
 int refcnt = atomic_fetch_sub_explicit(&ad->refs, 1,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openssl_tpm2_engine-4.0.1/src/provider/provider.h new/openssl_tpm2_engine-4.0.2/src/provider/provider.h
--- old/openssl_tpm2_engine-4.0.1/src/provider/provider.h 2023-07-05 21:32:10.000000000 +0200
+++ new/openssl_tpm2_engine-4.0.2/src/provider/provider.h 2023-12-05 04:47:13.000000000 +0100
@@ -33,6 +33,7 @@
 extern const OSSL_ALGORITHM keymgmts[];
 void *tpm2_keymgmt_new(void *pctx); /* needed by decode_encode.c */
+void tpm2_keymgmt_free(void *ref); /* needed by decryption.c */
 /* signatures.c */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openssl_tpm2_engine-4.0.1/src/tools/signed_tpm2_policy.c new/openssl_tpm2_engine-4.0.2/src/tools/signed_tpm2_policy.c
--- old/openssl_tpm2_engine-4.0.1/src/tools/signed_tpm2_policy.c 2023-07-05 21:32:10.000000000 +0200
+++ new/openssl_tpm2_engine-4.0.2/src/tools/signed_tpm2_policy.c 2023-12-05 04:47:13.000000000 +0100
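Review bot: `dctx->ad = key;` followed by the new `atomic_fetch_add_explicit` takes a reference on the incoming key but never drops the one the context may already hold, so a second init call on the same context (OpenSSL allows re-initialising an asym-cipher context) leaks the previous `struct app_data` that the freectx change was meant to release. The reference must be taken on the new key before the old one is dropped, since both may be the same object, and `key` should be guarded against NULL unless the provider's init contract rules that out, because `&dctx->ad->refs` dereferences it unconditionally. The same applies to the peer-key setter in the next hunk. Both enclosing functions start outside the hunk.
```c
	struct decryption_ctx *dctx = ctx;
	struct app_data *ad = key;

	/* take the new reference before dropping the old one: key may be
	 * the object dctx->ad already points to */
	if (ad)
		atomic_fetch_add_explicit(&ad->refs, 1, memory_order_relaxed);
	if (dctx->ad)
		tpm2_keymgmt_free(dctx->ad);
	dctx->ad = ad;

	return 1;
```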
@@ -101,7 +101,7 @@ { char *filename, *policyFilename = NULL, *policy_name = NULL, *policy_signing_key; - int option_index, c, auth = 0; + int option_index, c, auth = 0, i; const char *reason = NULL; TPM_RC rc; char *engine = NULL; @@ -110,12 +110,38 @@ TPMT_HA digest; int size; TPML_PCR_SELECTION pcr_lock = { 0 }; + STACK_OF(TSSAUTHPOLICY) *sk; + enum cmd { + CMD_ADD = 0, + CMD_LS, + CMD_RM, + CMD_MAX + } cmd; + static char *command[] = { + [CMD_ADD] = "add", + [CMD_LS] = "ls", + [CMD_RM] = "rm", + }; + char *argv0 = argv[0]; OpenSSL_add_all_digests(); /* may be needed to decrypt the key */ OpenSSL_add_all_ciphers(); - while (1) { + if (argc < 2) + usage(argv0); + + for (cmd = CMD_ADD; cmd < CMD_MAX; cmd++) + if (strcmp(argv[1], command[cmd]) == 0) + break; + if (cmd == CMD_MAX) { + fprintf(stderr, "Unknown command %s\n", argv[1]); + usage(argv0); + } + argc--; + argv++; + + while (cmd == CMD_ADD) { option_index = 0; c = getopt_long(argc, argv, "ahvc:x:e:n:", long_options, &option_index); @@ -127,14 +153,14 @@ auth = 1; break; case 'h': - usage(argv[0]); + usage(argv0); break; case 'v': fprintf(stdout, "%s " VERSION "\n" "Copyright 2017 by James Bottomley\n" "License LGPL-2.1-only\n" "Written by James Bottomley <james.bottom...@hansenpartnership.com>\n", - argv[0]); + argv0); exit(0); case 'c': policyFilename = optarg; 
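Review bot: `static char *command[] = { ... }` is a table of string literals, which must not be written through, so it should be `static const char *const command[] = { ... }` — the `strcmp` lookup is unaffected and the compiler will then reject an accidental store. Also, option parsing only runs `while (cmd == CMD_ADD)`, so for `ls` and `rm` a leading `-h` or `-v` is taken as the key file name rather than as help/version; if that is intended the man page should say options apply to `add` only, otherwise check `argv[1]` for `-h`/`--help` before the command lookup. The code after the `CMD_MAX` check relies on `usage()` not returning, as the old `Too few arguments` path already did, which is fine provided usage() does exit.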
@@ -153,95 +179,137 @@ break; default: printf("Unknown option '%c'\n", c); - usage(argv[0]); + usage(argv0); break; } } - if (optind >= argc - 1) { - printf("Too few arguments: Expected file name as last argument\n"); - usage(argv[0]); + if (((cmd == CMD_RM || cmd == CMD_ADD) && optind != argc - 2) || + (cmd == CMD_LS && optind != argc - 1)) { + fprintf(stderr, "Incorrect number of arguments\n"); + usage(argv0); } - filename = argv[argc - 2]; - policy_signing_key = argv[argc - 1]; + switch(cmd) { + case CMD_ADD: + filename = argv[argc - 2]; + policy_signing_key = argv[argc - 1]; + + if (optind < argc - 2) { + printf("Unexpected additional arguments\n"); + usage(argv0); + } - if (optind < argc - 2) { - printf("Unexpected additional arguments\n"); - usage(argv[0]); - } + name_alg = tpm2_get_name_alg(filename); + digest.hashAlg = name_alg; + size = TSS_GetDigestSize(digest.hashAlg); + memset((uint8_t *)&digest.digest, 0, size); + + ap = TSSAUTHPOLICY_new(); + if (policy_name) { + ap->name = ASN1_UTF8STRING_new(); + ASN1_STRING_set(ap->name, policy_name, strlen(policy_name)); + } + ap->policy = sk_TSSOPTPOLICY_new_null(); + if (!ap->policy) { + rc = NOT_TPM_ERROR; + reason="sk_TSSOPTPOLICY_new_null allocation"; + goto out_err; + } - name_alg = tpm2_get_name_alg(filename); - digest.hashAlg = name_alg; - size = TSS_GetDigestSize(digest.hashAlg); - memset((uint8_t *)&digest.digest, 0, size); - - ap = TSSAUTHPOLICY_new(); - if (policy_name) { - ap->name = ASN1_UTF8STRING_new(); - ASN1_STRING_set(ap->name, policy_name, strlen(policy_name)); - } - ap->policy = sk_TSSOPTPOLICY_new_null(); - if (!ap->policy) { - rc = NOT_TPM_ERROR; - reason="sk_TSSOPTPOLICY_new_null allocation"; + if (policyFilename) { + rc = tpm2_parse_policy_file(policyFilename, ap->policy, + (char *)(unsigned long)auth, + &digest); + reason = "parse_policy_file"; + if (rc) + goto out_free_policy; + } else if (signed_policy) { + rc = tpm2_add_signed_policy(ap->policy, signed_policy, &digest); + reason = 
"add_signed_policy"; + if (rc) + goto out_free_policy; + } + + if (auth) + tpm2_add_auth_policy(ap->policy, &digest); + + if (pcr_lock.count != 0) { + TSS_CONTEXT *tssContext = NULL; + const char *dir; + + dir = tpm2_set_unique_tssdir(); + rc = tpm2_create(&tssContext, dir); + if (rc) { + reason = "TSS_Create"; + goto out_free_policy; + } + rc = tpm2_pcr_lock_policy(tssContext, &pcr_lock, + ap->policy, &digest); + TSS_Delete(tssContext); + tpm2_rm_tssdir(dir); + if (rc) { + reason = "create pcr policy"; + goto out_free_policy; + } + } + + rc = tpm2_new_signed_policy(filename, policy_signing_key, + engine, ap, &digest); + if (rc == 0) + exit(0); + + /* tpm2_new_signed_policy frees the key which includes the policy */ goto out_err; - } - if (policyFilename) { - rc = tpm2_parse_policy_file(policyFilename, ap->policy, - (char *)(unsigned long)auth, - &digest); - reason = "parse_policy_file"; - if (rc) - goto out_free_policy; - } else if (signed_policy) { - rc = tpm2_add_signed_policy(ap->policy, signed_policy, &digest); - reason = "add_signed_policy"; - if (rc) - goto out_free_policy; - } + out_free_policy: + if (ap->name) + ASN1_UTF8STRING_free(ap->name); + tpm2_free_policy(ap->policy); + out_err: + if (rc == NOT_TPM_ERROR) + fprintf(stderr, "%s failed\n", reason); + else + tpm2_error(rc, reason); - if (auth) - tpm2_add_auth_policy(ap->policy, &digest); + exit(1); - if (pcr_lock.count != 0) { - TSS_CONTEXT *tssContext = NULL; - const char *dir; - - dir = tpm2_set_unique_tssdir(); - rc = tpm2_create(&tssContext, dir); - if (rc) { - reason = "TSS_Create"; - goto out_free_policy; - } - rc = tpm2_pcr_lock_policy(tssContext, &pcr_lock, - ap->policy, &digest); - TSS_Delete(tssContext); - tpm2_rm_tssdir(dir); - if (rc) { - reason = "create pcr policy"; - goto out_free_policy; - } - } + case CMD_LS: + filename = argv[argc - 1]; - rc = tpm2_new_signed_policy(filename, policy_signing_key, engine, - ap, &digest); - if (rc == 0) + rc = tpm2_get_signed_policy(filename, &sk); + if 
(rc) + exit(1); + if (!sk || sk_TSSAUTHPOLICY_num(sk) <=0 ) { + printf("Key has no signed policies\n"); + sk_TSSAUTHPOLICY_free(sk); + exit(0); + } + printf("Policy Name\n"); + for (i = 0; i < sk_TSSAUTHPOLICY_num(sk); i++) { + TSSAUTHPOLICY *ap = sk_TSSAUTHPOLICY_value(sk, i); + int sz = ap->name ? ap->name->length : 0; + char *name = ap->name ? (char *)ap->name->data : ""; + if (sz) + printf("%6d %*s\n", i+1, sz, name); + else + printf("%6d\n", i+1); + } + sk_TSSAUTHPOLICY_pop_free(sk, TSSAUTHPOLICY_free); exit(0); - /* tpm2_new_signed_policy frees the key which includes the policy */ - goto out_err; + case CMD_RM: + filename = argv[argc - 2]; + i = atoi(argv[argc - 1]); - out_free_policy: - if (ap->name) - ASN1_UTF8STRING_free(ap->name); - tpm2_free_policy(ap->policy); - out_err: - if (rc == NOT_TPM_ERROR) - fprintf(stderr, "%s failed\n", reason); - else - tpm2_error(rc, reason); + rc = tpm2_rm_signed_policy(filename, i); + if (rc) + exit(1); + exit(0); - exit(1); + case CMD_MAX: + /* has to be here because stupid gcc doesn't notice + * the check above means it's impossible to get here*/ + ; + } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openssl_tpm2_engine-4.0.1/src/tools/unseal_tpm2_data.c new/openssl_tpm2_engine-4.0.2/src/tools/unseal_tpm2_data.c --- old/openssl_tpm2_engine-4.0.1/src/tools/unseal_tpm2_data.c 2023-07-05 21:32:10.000000000 +0200 +++ new/openssl_tpm2_engine-4.0.2/src/tools/unseal_tpm2_data.c 2023-12-05 04:47:13.000000000 +0100 
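Review bot: `i = atoi(argv[argc - 1]);` in the CMD_RM branch accepts any text: `rm key.tpm foo` and `rm key.tpm 0` both yield 0, which `tpm2_rm_signed_policy` does not reject as out of range, so the command reports success without removing anything; the index should be parsed with `strtol` and rejected unless it is a whole number from 1 to INT_MAX (needs `<limits.h>` if not already included). In the CMD_LS loop `printf("%6d %*s\n", i+1, sz, name)` uses `sz` as a minimum field width, not as a length bound, so `ap->name->data` from the parsed key file is printed up to its NUL regardless of the ASN.1 length; the intended form is `printf("%6d %.*s\n", i+1, sz, name);`. The `if (optind < argc - 2)` check in CMD_ADD is now unreachable after the `optind != argc - 2` test above it and can be dropped.
```c
	case CMD_RM: {
		char *end;
		long idx;

		filename = argv[argc - 2];
		idx = strtol(argv[argc - 1], &end, 10);
		if (*argv[argc - 1] == '\0' || *end != '\0' || idx < 1 || idx > INT_MAX) {
			fprintf(stderr, "Invalid policy number '%s'\n", argv[argc - 1]);
			exit(1);
		}
		i = (int)idx;
		/* … unchanged: tpm2_rm_signed_policy(filename, i) and exit … */
	}
```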
@@ -67,7 +67,7 @@ char *filename; TPM_RC rc; TSS_CONTEXT *tssContext; - const char *reason; + const char *reason = NULL; TPM_HANDLE itemHandle; SENSITIVE_DATA_2B outData; uint32_t parent, session; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openssl_tpm2_engine-4.0.1/tests/check_signed_policies.sh new/openssl_tpm2_engine-4.0.2/tests/check_signed_policies.sh --- old/openssl_tpm2_engine-4.0.1/tests/check_signed_policies.sh 2023-07-05 21:32:10.000000000 +0200 +++ new/openssl_tpm2_engine-4.0.2/tests/check_signed_policies.sh 2023-12-05 04:47:13.000000000 +0100 @@ -1,6 +1,5 @@ #!/bin/bash - tss_pcrreset_cmd=tsspcrreset tss_pcrextend_cmd=tsspcrextend 
@@ -49,18 +48,18 @@ # 5. do sign with key and verify four times. Check that all # but the last succeeds and the last one fails ${tss_pcrreset_cmd} -ha 16 - ${bindir}/signed_tpm2_policy --policy-name "PCR16-0" --pcr-lock 16 key.tpm policy.key || exit 1 - ${bindir}/signed_tpm2_policy --policy-name "PCR16-0" --pcr-lock 16 seal.tpm policy.key || exit 1 + ${bindir}/signed_tpm2_policy add --policy-name "PCR16-0" --pcr-lock 16 key.tpm policy.key || exit 1 + ${bindir}/signed_tpm2_policy add --policy-name "PCR16-0" --pcr-lock 16 seal.tpm policy.key || exit 1 openssl rsa $ENGINE $INFORM -in key.tpm -pubout -out key.pub || exit 1 ${tss_pcrextend_cmd} -ha 16 -ic aaa - ${bindir}/signed_tpm2_policy --policy-name "PCR16-extend" --pcr-lock 16 key.tpm policy.key || exit 1 - ${bindir}/signed_tpm2_policy --policy-name "PCR16-extend" --pcr-lock 16 seal.tpm policy.key || exit 1 + ${bindir}/signed_tpm2_policy add --policy-name "PCR16-extend" --pcr-lock 16 key.tpm policy.key || exit 1 + ${bindir}/signed_tpm2_policy add --policy-name "PCR16-extend" --pcr-lock 16 seal.tpm policy.key || exit 1 ${tss_pcrextend_cmd} -ha 16 -ic aaa - ${bindir}/signed_tpm2_policy --policy-name "PCR16-extendx2" --pcr-lock 16 key.tpm policy.key || exit 1 - ${bindir}/signed_tpm2_policy --policy-name "PCR16-extendx2" --pcr-lock 16 seal.tpm policy.key || exit 1 + ${bindir}/signed_tpm2_policy add --policy-name "PCR16-extendx2" --pcr-lock 16 key.tpm policy.key || exit 1 + ${bindir}/signed_tpm2_policy add --policy-name "PCR16-extendx2" --pcr-lock 16 seal.tpm policy.key || exit 1 ${tss_pcrextend_cmd} -ha 16 -ic aaa - ${bindir}/signed_tpm2_policy --policy-name "PCR16-extendx3" --pcr-lock 16 key.tpm policy.key || exit 1 - ${bindir}/signed_tpm2_policy --policy-name "PCR16-extendx3" --pcr-lock 16 seal.tpm policy.key || exit 1 + ${bindir}/signed_tpm2_policy add --policy-name "PCR16-extendx3" --pcr-lock 16 key.tpm policy.key || exit 1 + ${bindir}/signed_tpm2_policy add --policy-name "PCR16-extendx3" --pcr-lock 16 seal.tpm 
policy.key || exit 1 ${tss_pcrreset_cmd} -ha 16 openssl pkeyutl -sign -in plain.txt $ENGINE $KEYFORM -inkey key.tpm -out tmp.msg && \ openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key.pub -pubin || exit 1 @@ -80,7 +79,17 @@ ${tss_pcrextend_cmd} -ha 16 -ic aaa openssl pkeyutl -sign -in plain.txt $ENGINE $KEYFORM -inkey key.tpm -out tmp.msg && exit 1 ${bindir}/unseal_tpm2_data seal.tpm && exit 1 - + ## + # Finally check we can find the zero pcr16 policy in the list + # and remove it + ## + ${tss_pcrreset_cmd} -ha 16 + ${bindir}/signed_tpm2_policy ls seal.tpm | grep -q "4 PCR16-0" || exit 1 + ${bindir}/signed_tpm2_policy rm seal.tpm 4 || exit 1 + ${bindir}/signed_tpm2_policy ls seal.tpm | grep -q " PCR16-0" && exit 1 + ${bindir}/unseal_tpm2_data seal.tpm && exit 1 + ${tss_pcrextend_cmd} -ha 16 -ic aaa + ${bindir}/unseal_tpm2_data seal.tpm || exit 1 done done exit 0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openssl_tpm2_engine-4.0.1/tests/create_nonopenssl_ecc.sh new/openssl_tpm2_engine-4.0.2/tests/create_nonopenssl_ecc.sh --- old/openssl_tpm2_engine-4.0.1/tests/create_nonopenssl_ecc.sh 2023-07-05 21:32:10.000000000 +0200 +++ new/openssl_tpm2_engine-4.0.2/tests/create_nonopenssl_ecc.sh 2023-12-05 04:47:13.000000000 +0100 @@ -2,7 +2,7 @@ # swtpm doesn't have a correct implementation of the Barreto-Naehrig curves # which are the only openssl unparametrised ones, so skip the test -if [ -x "${SWTPM}" ]; then +if [ ! -x "${TPMSERVER}" -a -x "${SWTPM}" ]; then exit 77; fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openssl_tpm2_engine-4.0.1/tests/dynamic_engine.sh new/openssl_tpm2_engine-4.0.2/tests/dynamic_engine.sh --- old/openssl_tpm2_engine-4.0.1/tests/dynamic_engine.sh 2023-07-05 21:32:10.000000000 +0200 +++ new/openssl_tpm2_engine-4.0.2/tests/dynamic_engine.sh 2023-12-05 04:47:13.000000000 +0100 
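Review bot: `${bindir}/signed_tpm2_policy ls seal.tpm | grep -q "4 PCR16-0" || exit 1` only tests grep's exit status, so a crashing or failing `ls` (which exits 1 on an unreadable key) is indistinguishable from a missing policy, and in the negative test two lines later a failing `ls` makes the `&& exit 1` pass vacuously. Either add `set -o pipefail` near the top of the script or capture the output first, `out=$(${bindir}/signed_tpm2_policy ls seal.tpm) || exit 1`, and grep `"$out"`. The pattern also relies on new policies being unshifted to the front of the list so that PCR16-0 lands at index 4 after four adds; a one-line comment saying so would save the next reader a debugging session.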
@@ -7,6 +7,7 @@ unset OPENSSL_CONF export OPENSSL_ENGINES=${testdir}/../src/engine/.libs ln -s libtpm2.so ${OPENSSL_ENGINES}/tpm2.so +export LD_LIBRARY_PATH=${OPENSSL_ENGINES}:{LD_LIBRARY_PATH} testkey() { openssl pkey $ENGINE $INFORM -in key.tpm -pubout -out key.pub || exit 1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openssl_tpm2_engine-4.0.1/tests/start_sw_tpm.sh new/openssl_tpm2_engine-4.0.2/tests/start_sw_tpm.sh --- old/openssl_tpm2_engine-4.0.1/tests/start_sw_tpm.sh 2023-07-05 21:32:10.000000000 +0200 +++ new/openssl_tpm2_engine-4.0.2/tests/start_sw_tpm.sh 2023-12-05 04:47:13.000000000 +0100 @@ -3,10 +3,10 @@ # remove any prior TPM contents rm -f NVChip h*.bin *.permall -if [ -x "${SWTPM}" ]; then -${SWTPM} socket --tpm2 --server type=tcp,port=2321 --ctrl type=tcp,port=2322 --tpmstate dir=`pwd` & -else +if [ -x "${TPMSERVER}" ]; then ${TPMSERVER} > /dev/null 2>&1 & +else +${SWTPM} socket --tpm2 --server type=tcp,port=2321 --ctrl type=tcp,port=2322 --tpmstate dir=`pwd` & fi pid=$! echo ${pid} > tpm_server.pid @@ -16,7 +16,7 @@ # store it permanently at handle 81000001 and flush the transient ## a=0; while [ $a -lt 10 ]; do - if [ -x "${SWTPM_IOCTL}" ]; then + if [ ! -x "${TPMSERVER}" -a -x "${SWTPM_IOCTL}" ]; then ${SWTPM_IOCTL} --tcp 127.0.0.1:2322 -i else tsspowerup diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openssl_tpm2_engine-4.0.1/tests/wrap_pkcs12.sh new/openssl_tpm2_engine-4.0.2/tests/wrap_pkcs12.sh --- old/openssl_tpm2_engine-4.0.1/tests/wrap_pkcs12.sh 2023-07-05 21:32:10.000000000 +0200 +++ new/openssl_tpm2_engine-4.0.2/tests/wrap_pkcs12.sh 2023-12-05 04:47:13.000000000 +0100 
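Review bot: `export LD_LIBRARY_PATH=${OPENSSL_ENGINES}:{LD_LIBRARY_PATH}` is missing the `$` on the second expansion, so the literal directory name `{LD_LIBRARY_PATH}` is appended and any pre-existing LD_LIBRARY_PATH is dropped. The obvious fix `:${LD_LIBRARY_PATH}` has its own problem when the variable is unset: the resulting empty trailing element makes the dynamic loader search the current directory, which is the classic library-hijack pattern even if mostly harmless in a scratch test directory. `export LD_LIBRARY_PATH=${OPENSSL_ENGINES}${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}` avoids both.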
@@ -10,8 +10,13 @@ openssl ecparam -genkey -name prime256v1 > tmp.param || exit 1 openssl genpkey -paramfile tmp.param -out key.priv || exit 1 -openssl req -new -x509 -subj '/CN=test CA/' -key key.priv -out tmp.crt || exit 1 -openssl pkcs12 -out tmp.p12 -passout pass: -export -inkey key.priv -in tmp.crt +# warning: openssl 3.2 bug; subshell execution with standard openssl.cnf +# to work around +( + unset OPENSSL_CONF + openssl req -new -x509 -subj '/CN=test CA/' -key key.priv --extensions v3_ca -out tmp.crt || exit 1 + openssl pkcs12 -out tmp.p12 -passout pass: -export -inkey key.priv -in tmp.crt +) ${bindir}/create_tpm2_key -w tmp.p12 key.tpm || exit 1