Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package openssl_tpm2_engine for
openSUSE:Factory checked in at 2023-12-05 17:03:15
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssl_tpm2_engine (Old)
and /work/SRC/openSUSE:Factory/.openssl_tpm2_engine.new.25432 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssl_tpm2_engine"
Tue Dec 5 17:03:15 2023 rev:14 rq:1130868 version:4.0.2
Changes:
--------
--- /work/SRC/openSUSE:Factory/openssl_tpm2_engine/openssl_tpm2_engine.changes
2023-07-06 18:29:18.243376232 +0200
+++
/work/SRC/openSUSE:Factory/.openssl_tpm2_engine.new.25432/openssl_tpm2_engine.changes
2023-12-05 17:03:26.945662632 +0100
@@ -1,0 +2,10 @@
+Mon Dec 5 03:53:40 UTC 2023 - [email protected]
+
+- Update to version 4.0.2
+ * Fixes for openssl 3.2
+ * fix for encrypted secret size
+ * fix for swtpm and swtpm2 simultaneous install
+ * gcc-13 fix
+ * make signed_tpm2_policy match man page
+
+-------------------------------------------------------------------
Old:
----
openssl_tpm2_engine-4.0.1.tar.gz
New:
----
openssl_tpm2_engine-4.0.2.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openssl_tpm2_engine.spec ++++++
--- /var/tmp/diff_new_pack.mxoQd5/_old 2023-12-05 17:03:27.673689467 +0100
+++ /var/tmp/diff_new_pack.mxoQd5/_new 2023-12-05 17:03:27.673689467 +0100
@@ -18,7 +18,7 @@
Name: openssl_tpm2_engine
-Version: 4.0.1
+Version: 4.0.2
Release: 0
Summary: OpenSSL TPM 2.0 interface engine plugin
License: LGPL-2.1-only
++++++ openssl_tpm2_engine-4.0.1.tar.gz -> openssl_tpm2_engine-4.0.2.tar.gz
++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-4.0.1/configure.ac
new/openssl_tpm2_engine-4.0.2/configure.ac
--- old/openssl_tpm2_engine-4.0.1/configure.ac 2023-07-05 21:32:10.000000000
+0200
+++ new/openssl_tpm2_engine-4.0.2/configure.ac 2023-12-05 04:47:13.000000000
+0100
@@ -2,7 +2,7 @@
# configure.in for the OpenSSL TPM engine project
#
-AC_INIT(openssl-tpm2-engine, 4.0.1, <[email protected]>)
+AC_INIT(openssl-tpm2-engine, 4.0.2, <[email protected]>)
AM_INIT_AUTOMAKE([foreign 1.6.3])
AC_CANONICAL_HOST
AM_CONDITIONAL(NATIVE_BUILD, test "x$cross_compiling" = "xno")
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-4.0.1/src/include/tpm2-common.h
new/openssl_tpm2_engine-4.0.2/src/include/tpm2-common.h
--- old/openssl_tpm2_engine-4.0.1/src/include/tpm2-common.h 2023-07-05
21:32:10.000000000 +0200
+++ new/openssl_tpm2_engine-4.0.2/src/include/tpm2-common.h 2023-12-05
04:47:13.000000000 +0100
@@ -129,4 +129,6 @@
int tpm2_rsa_decrypt(const struct app_data *ad, PUBLIC_KEY_RSA_2B *cipherText,
unsigned char *to, int padding, int protection,
char *srk_auth);
+int tpm2_rm_signed_policy(char *tpmkey, int rmnum);
+int tpm2_get_signed_policy(char *tpmkey, STACK_OF(TSSAUTHPOLICY) **sk);
#endif
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/openssl_tpm2_engine-4.0.1/src/libcommon/tpm2-common.c
new/openssl_tpm2_engine-4.0.2/src/libcommon/tpm2-common.c
--- old/openssl_tpm2_engine-4.0.1/src/libcommon/tpm2-common.c 2023-07-05
21:32:10.000000000 +0200
+++ new/openssl_tpm2_engine-4.0.2/src/libcommon/tpm2-common.c 2023-12-05
04:47:13.000000000 +0100
@@ -2349,6 +2349,89 @@
return rc;
}
+static void tpm2_read_tpk(char *tpmkey, TSSPRIVKEY **tpk)
+{
+ BIO *bf;
+ *tpk = NULL;
+
+ bf = BIO_new_file(tpmkey, "r");
+ if (!bf) {
+ fprintf(stderr, "File %s does not exist or cannot be read\n",
+ tpmkey);
+ return;
+ }
+
+ *tpk = PEM_read_bio_TSSPRIVKEY(bf, NULL, NULL, NULL);
+ if (!*tpk) {
+ BIO_seek(bf, 0);
+ ERR_clear_error();
+ *tpk = ASN1_item_d2i_bio(ASN1_ITEM_rptr(TSSPRIVKEY), bf, NULL);
+ }
+ BIO_free(bf);
+ if (!*tpk)
+ fprintf(stderr, "Cannot parse file as TPM key\n");
+}
+
+static int tpm2_write_tpk(char *tpmkey, TSSPRIVKEY *tpk)
+{
+ BIO *bf;
+
+ bf = BIO_new_file(tpmkey, "w");
+ if (bf == NULL) {
+ fprintf(stderr, "Failed to open key file %s for writing\n",
+ tpmkey);
+ return 1;
+ }
+ PEM_write_bio_TSSPRIVKEY(bf, tpk);
+ BIO_free(bf);
+
+ return 0;
+}
+
+int tpm2_rm_signed_policy(char *tpmkey, int rmnum)
+{
+ TSSPRIVKEY *tpk;
+ TSSAUTHPOLICY *ap;
+ int ret = 0;
+
+ tpm2_read_tpk(tpmkey, &tpk);
+ if (!tpk)
+ return 1;
+
+ if (sk_TSSAUTHPOLICY_num(tpk->authPolicy) < rmnum) {
+ fprintf(stderr, "Policy %d does not exist\n", rmnum);
+ goto out_free;
+ }
+
+ ap = sk_TSSAUTHPOLICY_delete(tpk->authPolicy, rmnum - 1);
+ TSSAUTHPOLICY_free(ap);
+
+ ret = tpm2_write_tpk(tpmkey, tpk);
+
+ out_free:
+ TSSPRIVKEY_free(tpk);
+ return ret;
+}
+
+int tpm2_get_signed_policy(char *tpmkey, STACK_OF(TSSAUTHPOLICY) **sk)
+{
+ TSSPRIVKEY *tpk;
+
+ *sk = NULL;
+ tpm2_read_tpk(tpmkey, &tpk);
+ if (!tpk)
+ return 1;
+
+ if (tpk->authPolicy) {
+ *sk = sk_TSSAUTHPOLICY_dup(tpk->authPolicy);
+ /* dup does not duplicate elements, so transfer ownership */
+ sk_TSSAUTHPOLICY_zero(tpk->authPolicy);
+ }
+
+ TSSPRIVKEY_free(tpk);
+ return 0;
+}
+
TPM_RC tpm2_new_signed_policy(char *tpmkey, char *policykey, char *engine,
TSSAUTHPOLICY *ap, TPMT_HA *digest)
{
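Review bot: tpm2_rm_signed_policy reports success for a policy that does not exist: the `Policy %d does not exist` branch jumps to out_free with ret still 0, so the tool's `rm` command prints the error and then exits 0. Numbers below 1 are not rejected either — sk_TSSAUTHPOLICY_delete(…, rmnum - 1) returns NULL for a negative index, TSSAUTHPOLICY_free(NULL) is a no-op, and the unchanged key is rewritten as if something had been removed. I would make the guard `if (rmnum < 1 || sk_TSSAUTHPOLICY_num(tpk->authPolicy) < rmnum) {` and put `ret = 1;` before the goto. In tpm2_write_tpk the result of PEM_write_bio_TSSPRIVKEY is dropped; the file was opened with "w" and already truncated, so a short or failed write leaves the key file unusable while the function still returns 0 — check it (`if (!PEM_write_bio_TSSPRIVKEY(bf, tpk)) { BIO_free(bf); return 1; }`) and, better, write to a temporary path and rename over the original only on success.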
@@ -2368,24 +2451,10 @@
BYTE buf[1024];
UINT16 written = 0;
- bf = BIO_new_file(tpmkey, "r");
- if (!bf) {
- fprintf(stderr, "File %s does not exist or cannot be read\n",
- tpmkey);
+ tpm2_read_tpk(tpmkey, &tpk);
+ if (!tpk)
return 0;
- }
- tpk = PEM_read_bio_TSSPRIVKEY(bf, NULL, NULL, NULL);
- if (!tpk) {
- BIO_seek(bf, 0);
- ERR_clear_error();
- tpk = ASN1_item_d2i_bio(ASN1_ITEM_rptr(TSSPRIVKEY), bf, NULL);
- }
- BIO_free(bf);
- if (!tpk) {
- fprintf(stderr, "Cannot parse file as TPM key\n");
- return 0;
- }
if (!tpk->policy || sk_TSSOPTPOLICY_num(tpk->policy) <= 0) {
fprintf(stderr, "TPM Key has no policy\n");
goto err_free_tpmkey;
@@ -2460,17 +2529,10 @@
* latest policy addition first */
sk_TSSAUTHPOLICY_unshift(tpk->authPolicy, ap);
- bf = BIO_new_file(tpmkey, "w");
- if (bf == NULL) {
- fprintf(stderr, "Failed to open key file %s for writing\n",
- tpmkey);
- goto err_free_tpmkey;
- }
- PEM_write_bio_TSSPRIVKEY(bf, tpk);
- BIO_free(bf);
+ rc = tpm2_write_tpk(tpmkey, tpk);
TSSPRIVKEY_free(tpk);
- return 0;
+ return rc;
err_free_tpmkey:
TSSPRIVKEY_free(tpk);
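Review bot: `rc = tpm2_write_tpk(tpmkey, tpk);` stores a plain int status (0 or 1) in a variable that tpm2_new_signed_policy returns as a TPM_RC, so a write failure now surfaces to callers as rc == 1, which signed_tpm2_policy.c hands to tpm2_error() as if it were a TPM return code; before this change the failure path went through err_free_tpmkey, whose return value is outside the hunk. If NOT_TPM_ERROR is in scope here as it is in the tool, `rc = tpm2_write_tpk(tpmkey, tpk) ? NOT_TPM_ERROR : 0;` keeps the return type honest, and the tool's CMD_ADD path should then set `reason` before calling tpm2_new_signed_policy so the NOT_TPM_ERROR branch does not print a NULL reason. The rest of tpm2_new_signed_policy is outside this hunk.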
@@ -3045,6 +3107,7 @@
&null_2b, &null_2b, SHA256_DIGEST_LENGTH*8);
/* OK the ephermeral public point is now the encrypted secret */
size = sizeof(ephemeral_pt);
+ written = 0;
buf = enc_secret->secret;
TSS_TPM2B_ECC_POINT_Marshal(&ephemeral_pt, &written,
&buf, &size);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-4.0.1/src/provider/decryption.c
new/openssl_tpm2_engine-4.0.2/src/provider/decryption.c
--- old/openssl_tpm2_engine-4.0.1/src/provider/decryption.c 2023-07-05
21:32:10.000000000 +0200
+++ new/openssl_tpm2_engine-4.0.2/src/provider/decryption.c 2023-12-05
04:47:13.000000000 +0100
@@ -32,6 +32,11 @@
{
struct decryption_ctx *dctx = ctx;
+ if (dctx->ad)
+ tpm2_keymgmt_free(dctx->ad);
+ if (dctx->peer_ad)
+ tpm2_keymgmt_free(dctx->peer_ad);
+
osslm_decryption_freectx(&dctx->dctx);
OPENSSL_free(dctx);
}
@@ -108,6 +113,8 @@
struct decryption_ctx *dctx = ctx;
dctx->ad = key;
+ atomic_fetch_add_explicit(&dctx->ad->refs, 1,
+ memory_order_relaxed);
return 1;
}
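Review bot: The reference previously held in dctx->ad leaks if this setter is called a second time, because `dctx->ad = key;` overwrites it before the new reference is taken; the same applies to dctx->peer_ad in the next hunk. A NULL key also dereferences `dctx->ad->refs` unconditionally. Release the old value and guard the new one: `if (dctx->ad) tpm2_keymgmt_free(dctx->ad);` / `dctx->ad = key;` / `if (key) atomic_fetch_add_explicit(&dctx->ad->refs, 1, memory_order_relaxed);`. The enclosing function's header is outside the hunk, so whether the provider contract permits repeated calls here is inferred, not visible.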
@@ -118,6 +125,8 @@
struct decryption_ctx *dctx = ctx;
dctx->peer_ad = peerkey;
+ atomic_fetch_add_explicit(&dctx->peer_ad->refs, 1,
+ memory_order_relaxed);
return 1;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-4.0.1/src/provider/keymgmt.c
new/openssl_tpm2_engine-4.0.2/src/provider/keymgmt.c
--- old/openssl_tpm2_engine-4.0.1/src/provider/keymgmt.c 2023-07-05
21:32:10.000000000 +0200
+++ new/openssl_tpm2_engine-4.0.2/src/provider/keymgmt.c 2023-12-05
04:47:13.000000000 +0100
@@ -20,7 +20,7 @@
return ad;
}
-static void tpm2_keymgmt_free(void *ref)
+void tpm2_keymgmt_free(void *ref)
{
struct app_data *ad = ref;
int refcnt = atomic_fetch_sub_explicit(&ad->refs, 1,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-4.0.1/src/provider/provider.h
new/openssl_tpm2_engine-4.0.2/src/provider/provider.h
--- old/openssl_tpm2_engine-4.0.1/src/provider/provider.h 2023-07-05
21:32:10.000000000 +0200
+++ new/openssl_tpm2_engine-4.0.2/src/provider/provider.h 2023-12-05
04:47:13.000000000 +0100
@@ -33,6 +33,7 @@
extern const OSSL_ALGORITHM keymgmts[];
void *tpm2_keymgmt_new(void *pctx); /* needed by decode_encode.c */
+void tpm2_keymgmt_free(void *ref); /* needed by decryption.c */
/* signatures.c */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/openssl_tpm2_engine-4.0.1/src/tools/signed_tpm2_policy.c
new/openssl_tpm2_engine-4.0.2/src/tools/signed_tpm2_policy.c
--- old/openssl_tpm2_engine-4.0.1/src/tools/signed_tpm2_policy.c
2023-07-05 21:32:10.000000000 +0200
+++ new/openssl_tpm2_engine-4.0.2/src/tools/signed_tpm2_policy.c
2023-12-05 04:47:13.000000000 +0100
@@ -101,7 +101,7 @@
{
char *filename, *policyFilename = NULL, *policy_name = NULL,
*policy_signing_key;
- int option_index, c, auth = 0;
+ int option_index, c, auth = 0, i;
const char *reason = NULL;
TPM_RC rc;
char *engine = NULL;
@@ -110,12 +110,38 @@
TPMT_HA digest;
int size;
TPML_PCR_SELECTION pcr_lock = { 0 };
+ STACK_OF(TSSAUTHPOLICY) *sk;
+ enum cmd {
+ CMD_ADD = 0,
+ CMD_LS,
+ CMD_RM,
+ CMD_MAX
+ } cmd;
+ static char *command[] = {
+ [CMD_ADD] = "add",
+ [CMD_LS] = "ls",
+ [CMD_RM] = "rm",
+ };
+ char *argv0 = argv[0];
OpenSSL_add_all_digests();
/* may be needed to decrypt the key */
OpenSSL_add_all_ciphers();
- while (1) {
+ if (argc < 2)
+ usage(argv0);
+
+ for (cmd = CMD_ADD; cmd < CMD_MAX; cmd++)
+ if (strcmp(argv[1], command[cmd]) == 0)
+ break;
+ if (cmd == CMD_MAX) {
+ fprintf(stderr, "Unknown command %s\n", argv[1]);
+ usage(argv0);
+ }
+ argc--;
+ argv++;
+
+ while (cmd == CMD_ADD) {
option_index = 0;
c = getopt_long(argc, argv, "ahvc:x:e:n:",
long_options, &option_index);
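Review bot: `static char *command[]` points non-const pointers at string literals; `static const char *const command[] = {` is the accurate type and lets the compiler reject any accidental write. Also note that the option loop is now entered only for `add` (`while (cmd == CMD_ADD)`), so `ls` and `rm` no longer recognise `-h`/`-v` or any other option after the command word; if that is intended, the usage text should say so. main's body continues outside this hunk.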
@@ -127,14 +153,14 @@
auth = 1;
break;
case 'h':
- usage(argv[0]);
+ usage(argv0);
break;
case 'v':
fprintf(stdout, "%s " VERSION "\n"
"Copyright 2017 by James Bottomley\n"
"License LGPL-2.1-only\n"
"Written by James Bottomley
<[email protected]>\n",
- argv[0]);
+ argv0);
exit(0);
case 'c':
policyFilename = optarg;
@@ -153,95 +179,137 @@
break;
default:
printf("Unknown option '%c'\n", c);
- usage(argv[0]);
+ usage(argv0);
break;
}
}
- if (optind >= argc - 1) {
- printf("Too few arguments: Expected file name as last
argument\n");
- usage(argv[0]);
+ if (((cmd == CMD_RM || cmd == CMD_ADD) && optind != argc - 2) ||
+ (cmd == CMD_LS && optind != argc - 1)) {
+ fprintf(stderr, "Incorrect number of arguments\n");
+ usage(argv0);
}
- filename = argv[argc - 2];
- policy_signing_key = argv[argc - 1];
+ switch(cmd) {
+ case CMD_ADD:
+ filename = argv[argc - 2];
+ policy_signing_key = argv[argc - 1];
+
+ if (optind < argc - 2) {
+ printf("Unexpected additional arguments\n");
+ usage(argv0);
+ }
- if (optind < argc - 2) {
- printf("Unexpected additional arguments\n");
- usage(argv[0]);
- }
+ name_alg = tpm2_get_name_alg(filename);
+ digest.hashAlg = name_alg;
+ size = TSS_GetDigestSize(digest.hashAlg);
+ memset((uint8_t *)&digest.digest, 0, size);
+
+ ap = TSSAUTHPOLICY_new();
+ if (policy_name) {
+ ap->name = ASN1_UTF8STRING_new();
+ ASN1_STRING_set(ap->name, policy_name,
strlen(policy_name));
+ }
+ ap->policy = sk_TSSOPTPOLICY_new_null();
+ if (!ap->policy) {
+ rc = NOT_TPM_ERROR;
+ reason="sk_TSSOPTPOLICY_new_null allocation";
+ goto out_err;
+ }
- name_alg = tpm2_get_name_alg(filename);
- digest.hashAlg = name_alg;
- size = TSS_GetDigestSize(digest.hashAlg);
- memset((uint8_t *)&digest.digest, 0, size);
-
- ap = TSSAUTHPOLICY_new();
- if (policy_name) {
- ap->name = ASN1_UTF8STRING_new();
- ASN1_STRING_set(ap->name, policy_name, strlen(policy_name));
- }
- ap->policy = sk_TSSOPTPOLICY_new_null();
- if (!ap->policy) {
- rc = NOT_TPM_ERROR;
- reason="sk_TSSOPTPOLICY_new_null allocation";
+ if (policyFilename) {
+ rc = tpm2_parse_policy_file(policyFilename, ap->policy,
+ (char *)(unsigned long)auth,
+ &digest);
+ reason = "parse_policy_file";
+ if (rc)
+ goto out_free_policy;
+ } else if (signed_policy) {
+ rc = tpm2_add_signed_policy(ap->policy, signed_policy,
&digest);
+ reason = "add_signed_policy";
+ if (rc)
+ goto out_free_policy;
+ }
+
+ if (auth)
+ tpm2_add_auth_policy(ap->policy, &digest);
+
+ if (pcr_lock.count != 0) {
+ TSS_CONTEXT *tssContext = NULL;
+ const char *dir;
+
+ dir = tpm2_set_unique_tssdir();
+ rc = tpm2_create(&tssContext, dir);
+ if (rc) {
+ reason = "TSS_Create";
+ goto out_free_policy;
+ }
+ rc = tpm2_pcr_lock_policy(tssContext, &pcr_lock,
+ ap->policy, &digest);
+ TSS_Delete(tssContext);
+ tpm2_rm_tssdir(dir);
+ if (rc) {
+ reason = "create pcr policy";
+ goto out_free_policy;
+ }
+ }
+
+ rc = tpm2_new_signed_policy(filename, policy_signing_key,
+ engine, ap, &digest);
+ if (rc == 0)
+ exit(0);
+
+ /* tpm2_new_signed_policy frees the key which includes the
policy */
goto out_err;
- }
- if (policyFilename) {
- rc = tpm2_parse_policy_file(policyFilename, ap->policy,
- (char *)(unsigned long)auth,
- &digest);
- reason = "parse_policy_file";
- if (rc)
- goto out_free_policy;
- } else if (signed_policy) {
- rc = tpm2_add_signed_policy(ap->policy, signed_policy, &digest);
- reason = "add_signed_policy";
- if (rc)
- goto out_free_policy;
- }
+ out_free_policy:
+ if (ap->name)
+ ASN1_UTF8STRING_free(ap->name);
+ tpm2_free_policy(ap->policy);
+ out_err:
+ if (rc == NOT_TPM_ERROR)
+ fprintf(stderr, "%s failed\n", reason);
+ else
+ tpm2_error(rc, reason);
- if (auth)
- tpm2_add_auth_policy(ap->policy, &digest);
+ exit(1);
- if (pcr_lock.count != 0) {
- TSS_CONTEXT *tssContext = NULL;
- const char *dir;
-
- dir = tpm2_set_unique_tssdir();
- rc = tpm2_create(&tssContext, dir);
- if (rc) {
- reason = "TSS_Create";
- goto out_free_policy;
- }
- rc = tpm2_pcr_lock_policy(tssContext, &pcr_lock,
- ap->policy, &digest);
- TSS_Delete(tssContext);
- tpm2_rm_tssdir(dir);
- if (rc) {
- reason = "create pcr policy";
- goto out_free_policy;
- }
- }
+ case CMD_LS:
+ filename = argv[argc - 1];
- rc = tpm2_new_signed_policy(filename, policy_signing_key, engine,
- ap, &digest);
- if (rc == 0)
+ rc = tpm2_get_signed_policy(filename, &sk);
+ if (rc)
+ exit(1);
+ if (!sk || sk_TSSAUTHPOLICY_num(sk) <=0 ) {
+ printf("Key has no signed policies\n");
+ sk_TSSAUTHPOLICY_free(sk);
+ exit(0);
+ }
+ printf("Policy Name\n");
+ for (i = 0; i < sk_TSSAUTHPOLICY_num(sk); i++) {
+ TSSAUTHPOLICY *ap = sk_TSSAUTHPOLICY_value(sk, i);
+ int sz = ap->name ? ap->name->length : 0;
+ char *name = ap->name ? (char *)ap->name->data : "";
+ if (sz)
+ printf("%6d %*s\n", i+1, sz, name);
+ else
+ printf("%6d\n", i+1);
+ }
+ sk_TSSAUTHPOLICY_pop_free(sk, TSSAUTHPOLICY_free);
exit(0);
- /* tpm2_new_signed_policy frees the key which includes the policy */
- goto out_err;
+ case CMD_RM:
+ filename = argv[argc - 2];
+ i = atoi(argv[argc - 1]);
- out_free_policy:
- if (ap->name)
- ASN1_UTF8STRING_free(ap->name);
- tpm2_free_policy(ap->policy);
- out_err:
- if (rc == NOT_TPM_ERROR)
- fprintf(stderr, "%s failed\n", reason);
- else
- tpm2_error(rc, reason);
+ rc = tpm2_rm_signed_policy(filename, i);
+ if (rc)
+ exit(1);
+ exit(0);
- exit(1);
+ case CMD_MAX:
+ /* has to be here because stupid gcc doesn't notice
+ * the check above means it's impossible to get here*/
+ ;
+ }
}
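Review bot: `i = atoi(argv[argc - 1]);` accepts any string: `rm key.tpm abc` or `rm key.tpm 0` silently becomes policy number 0, which tpm2_rm_signed_policy does not reject, so the key file is rewritten with nothing removed and the command exits 0. Parse with strtol and reject anything that is not a positive integer before calling into the library (INT_MAX needs `<limits.h>` if the file does not already include it). In the `ls` branch, `printf("%6d %*s\n", i+1, sz, name)` uses `sz` as a minimum field width rather than a bound, so the read length depends on the name data being NUL-terminated; `printf("%6d %.*s\n", i+1, sz, name);` prints exactly the ASN.1 string's bytes. The local `TSSAUTHPOLICY *ap` in that loop also shadows the outer `ap` declared earlier in main.

```c
	case CMD_RM:
		filename = argv[argc - 2];
		{
			char *end;
			long v = strtol(argv[argc - 1], &end, 10);

			if (end == argv[argc - 1] || *end != '\0' || v < 1 || v > INT_MAX) {
				fprintf(stderr, "Invalid policy number '%s'\n", argv[argc - 1]);
				usage(argv0);
			}
			i = (int)v;
		}
		/* … unchanged: tpm2_rm_signed_policy call and exit … */
```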
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/openssl_tpm2_engine-4.0.1/src/tools/unseal_tpm2_data.c
new/openssl_tpm2_engine-4.0.2/src/tools/unseal_tpm2_data.c
--- old/openssl_tpm2_engine-4.0.1/src/tools/unseal_tpm2_data.c 2023-07-05
21:32:10.000000000 +0200
+++ new/openssl_tpm2_engine-4.0.2/src/tools/unseal_tpm2_data.c 2023-12-05
04:47:13.000000000 +0100
@@ -67,7 +67,7 @@
char *filename;
TPM_RC rc;
TSS_CONTEXT *tssContext;
- const char *reason;
+ const char *reason = NULL;
TPM_HANDLE itemHandle;
SENSITIVE_DATA_2B outData;
uint32_t parent, session;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/openssl_tpm2_engine-4.0.1/tests/check_signed_policies.sh
new/openssl_tpm2_engine-4.0.2/tests/check_signed_policies.sh
--- old/openssl_tpm2_engine-4.0.1/tests/check_signed_policies.sh
2023-07-05 21:32:10.000000000 +0200
+++ new/openssl_tpm2_engine-4.0.2/tests/check_signed_policies.sh
2023-12-05 04:47:13.000000000 +0100
@@ -1,6 +1,5 @@
#!/bin/bash
-
tss_pcrreset_cmd=tsspcrreset
tss_pcrextend_cmd=tsspcrextend
@@ -49,18 +48,18 @@
# 5. do sign with key and verify four times. Check that all
# but the last succeeds and the last one fails
${tss_pcrreset_cmd} -ha 16
- ${bindir}/signed_tpm2_policy --policy-name "PCR16-0" --pcr-lock 16
key.tpm policy.key || exit 1
- ${bindir}/signed_tpm2_policy --policy-name "PCR16-0" --pcr-lock 16
seal.tpm policy.key || exit 1
+ ${bindir}/signed_tpm2_policy add --policy-name "PCR16-0" --pcr-lock 16
key.tpm policy.key || exit 1
+ ${bindir}/signed_tpm2_policy add --policy-name "PCR16-0" --pcr-lock 16
seal.tpm policy.key || exit 1
openssl rsa $ENGINE $INFORM -in key.tpm -pubout -out key.pub || exit 1
${tss_pcrextend_cmd} -ha 16 -ic aaa
- ${bindir}/signed_tpm2_policy --policy-name "PCR16-extend" --pcr-lock 16
key.tpm policy.key || exit 1
- ${bindir}/signed_tpm2_policy --policy-name "PCR16-extend" --pcr-lock 16
seal.tpm policy.key || exit 1
+ ${bindir}/signed_tpm2_policy add --policy-name "PCR16-extend"
--pcr-lock 16 key.tpm policy.key || exit 1
+ ${bindir}/signed_tpm2_policy add --policy-name "PCR16-extend"
--pcr-lock 16 seal.tpm policy.key || exit 1
${tss_pcrextend_cmd} -ha 16 -ic aaa
- ${bindir}/signed_tpm2_policy --policy-name "PCR16-extendx2" --pcr-lock
16 key.tpm policy.key || exit 1
- ${bindir}/signed_tpm2_policy --policy-name "PCR16-extendx2" --pcr-lock
16 seal.tpm policy.key || exit 1
+ ${bindir}/signed_tpm2_policy add --policy-name "PCR16-extendx2"
--pcr-lock 16 key.tpm policy.key || exit 1
+ ${bindir}/signed_tpm2_policy add --policy-name "PCR16-extendx2"
--pcr-lock 16 seal.tpm policy.key || exit 1
${tss_pcrextend_cmd} -ha 16 -ic aaa
- ${bindir}/signed_tpm2_policy --policy-name "PCR16-extendx3" --pcr-lock
16 key.tpm policy.key || exit 1
- ${bindir}/signed_tpm2_policy --policy-name "PCR16-extendx3" --pcr-lock
16 seal.tpm policy.key || exit 1
+ ${bindir}/signed_tpm2_policy add --policy-name "PCR16-extendx3"
--pcr-lock 16 key.tpm policy.key || exit 1
+ ${bindir}/signed_tpm2_policy add --policy-name "PCR16-extendx3"
--pcr-lock 16 seal.tpm policy.key || exit 1
${tss_pcrreset_cmd} -ha 16
openssl pkeyutl -sign -in plain.txt $ENGINE $KEYFORM -inkey key.tpm
-out tmp.msg && \
openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey
key.pub -pubin || exit 1
@@ -80,7 +79,17 @@
${tss_pcrextend_cmd} -ha 16 -ic aaa
openssl pkeyutl -sign -in plain.txt $ENGINE $KEYFORM -inkey key.tpm
-out tmp.msg && exit 1
${bindir}/unseal_tpm2_data seal.tpm && exit 1
-
+ ##
+ # Finally check we can find the zero pcr16 policy in the list
+ # and remove it
+ ##
+ ${tss_pcrreset_cmd} -ha 16
+ ${bindir}/signed_tpm2_policy ls seal.tpm | grep -q "4 PCR16-0" || exit
1
+ ${bindir}/signed_tpm2_policy rm seal.tpm 4 || exit 1
+ ${bindir}/signed_tpm2_policy ls seal.tpm | grep -q " PCR16-0" && exit 1
+ ${bindir}/unseal_tpm2_data seal.tpm && exit 1
+ ${tss_pcrextend_cmd} -ha 16 -ic aaa
+ ${bindir}/unseal_tpm2_data seal.tpm || exit 1
done
done
exit 0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/openssl_tpm2_engine-4.0.1/tests/create_nonopenssl_ecc.sh
new/openssl_tpm2_engine-4.0.2/tests/create_nonopenssl_ecc.sh
--- old/openssl_tpm2_engine-4.0.1/tests/create_nonopenssl_ecc.sh
2023-07-05 21:32:10.000000000 +0200
+++ new/openssl_tpm2_engine-4.0.2/tests/create_nonopenssl_ecc.sh
2023-12-05 04:47:13.000000000 +0100
@@ -2,7 +2,7 @@
# swtpm doesn't have a correct implementation of the Barreto-Naehrig curves
# which are the only openssl unparametrised ones, so skip the test
-if [ -x "${SWTPM}" ]; then
+if [ ! -x "${TPMSERVER}" -a -x "${SWTPM}" ]; then
exit 77;
fi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-4.0.1/tests/dynamic_engine.sh
new/openssl_tpm2_engine-4.0.2/tests/dynamic_engine.sh
--- old/openssl_tpm2_engine-4.0.1/tests/dynamic_engine.sh 2023-07-05
21:32:10.000000000 +0200
+++ new/openssl_tpm2_engine-4.0.2/tests/dynamic_engine.sh 2023-12-05
04:47:13.000000000 +0100
@@ -7,6 +7,7 @@
unset OPENSSL_CONF
export OPENSSL_ENGINES=${testdir}/../src/engine/.libs
ln -s libtpm2.so ${OPENSSL_ENGINES}/tpm2.so
+export LD_LIBRARY_PATH=${OPENSSL_ENGINES}:{LD_LIBRARY_PATH}
testkey() {
openssl pkey $ENGINE $INFORM -in key.tpm -pubout -out key.pub || exit 1
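Review bot: `export LD_LIBRARY_PATH=${OPENSSL_ENGINES}:{LD_LIBRARY_PATH}` is missing the `$` on the second expansion, so the previous library path is dropped and the literal relative directory `{LD_LIBRARY_PATH}` is appended to the loader search path, which the dynamic loader resolves against the current working directory. Even with the `$` restored, an unset LD_LIBRARY_PATH would leave a trailing empty element, which glibc also treats as the current directory. `export LD_LIBRARY_PATH=${OPENSSL_ENGINES}${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}` avoids both.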
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-4.0.1/tests/start_sw_tpm.sh
new/openssl_tpm2_engine-4.0.2/tests/start_sw_tpm.sh
--- old/openssl_tpm2_engine-4.0.1/tests/start_sw_tpm.sh 2023-07-05
21:32:10.000000000 +0200
+++ new/openssl_tpm2_engine-4.0.2/tests/start_sw_tpm.sh 2023-12-05
04:47:13.000000000 +0100
@@ -3,10 +3,10 @@
# remove any prior TPM contents
rm -f NVChip h*.bin *.permall
-if [ -x "${SWTPM}" ]; then
-${SWTPM} socket --tpm2 --server type=tcp,port=2321 --ctrl type=tcp,port=2322
--tpmstate dir=`pwd` &
-else
+if [ -x "${TPMSERVER}" ]; then
${TPMSERVER} > /dev/null 2>&1 &
+else
+${SWTPM} socket --tpm2 --server type=tcp,port=2321 --ctrl type=tcp,port=2322
--tpmstate dir=`pwd` &
fi
pid=$!
echo ${pid} > tpm_server.pid
@@ -16,7 +16,7 @@
# store it permanently at handle 81000001 and flush the transient
##
a=0; while [ $a -lt 10 ]; do
- if [ -x "${SWTPM_IOCTL}" ]; then
+ if [ ! -x "${TPMSERVER}" -a -x "${SWTPM_IOCTL}" ]; then
${SWTPM_IOCTL} --tcp 127.0.0.1:2322 -i
else
tsspowerup
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-4.0.1/tests/wrap_pkcs12.sh
new/openssl_tpm2_engine-4.0.2/tests/wrap_pkcs12.sh
--- old/openssl_tpm2_engine-4.0.1/tests/wrap_pkcs12.sh 2023-07-05
21:32:10.000000000 +0200
+++ new/openssl_tpm2_engine-4.0.2/tests/wrap_pkcs12.sh 2023-12-05
04:47:13.000000000 +0100
@@ -10,8 +10,13 @@
openssl ecparam -genkey -name prime256v1 > tmp.param || exit 1
openssl genpkey -paramfile tmp.param -out key.priv || exit 1
-openssl req -new -x509 -subj '/CN=test CA/' -key key.priv -out tmp.crt || exit
1
-openssl pkcs12 -out tmp.p12 -passout pass: -export -inkey key.priv -in tmp.crt
+# warning: openssl 3.2 bug; subshell execution with standard openssl.cnf
+# to work around
+(
+ unset OPENSSL_CONF
+ openssl req -new -x509 -subj '/CN=test CA/' -key key.priv --extensions
v3_ca -out tmp.crt || exit 1
+ openssl pkcs12 -out tmp.p12 -passout pass: -export -inkey key.priv -in
tmp.crt
+)
${bindir}/create_tpm2_key -w tmp.p12 key.tpm || exit 1