Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package openssl_tpm2_engine for
openSUSE:Factory checked in at 2022-02-18 22:54:29
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssl_tpm2_engine (Old)
and /work/SRC/openSUSE:Factory/.openssl_tpm2_engine.new.1958 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssl_tpm2_engine"
Fri Feb 18 22:54:29 2022 rev:5 rq: version:3.0.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/openssl_tpm2_engine/openssl_tpm2_engine.changes
2022-02-17 23:42:13.267700073 +0100
+++
/work/SRC/openSUSE:Factory/.openssl_tpm2_engine.new.1958/openssl_tpm2_engine.changes
2022-02-18 22:54:35.385455729 +0100
@@ -2,8 +1,0 @@
-Thu Feb 17 14:09:11 UTC 2022 - [email protected]
-
-- Update to version 3.1.0
- * Bandaid openssl-3 support
- * direct pcr policy creation options
- * TPM key RFC
-
--------------------------------------------------------------------
Old:
----
openssl_tpm2_engine-3.1.0.tar.gz
New:
----
openssl_tpm2_engine-3.0.1.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openssl_tpm2_engine.spec ++++++
--- /var/tmp/diff_new_pack.Mo4Xp1/_old 2022-02-18 22:54:36.017455672 +0100
+++ /var/tmp/diff_new_pack.Mo4Xp1/_new 2022-02-18 22:54:36.021455672 +0100
@@ -1,7 +1,7 @@
#
# spec file for package openssl_tpm2_engine
#
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
# Copyright (c) 2017 [email protected]
#
# All modifications and additions to the file contributed by third parties
@@ -18,7 +18,7 @@
Name: openssl_tpm2_engine
-Version: 3.1.0
+Version: 3.0.1
Release: 0
Summary: OpenSSL TPM 2.0 interface engine plugin
License: LGPL-2.1-only
++++++ openssl_tpm2_engine-3.1.0.tar.gz -> openssl_tpm2_engine-3.0.1.tar.gz
++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-3.1.0/Makefile.am
new/openssl_tpm2_engine-3.0.1/Makefile.am
--- old/openssl_tpm2_engine-3.1.0/Makefile.am 2022-02-17 00:15:34.000000000
+0100
+++ new/openssl_tpm2_engine-3.0.1/Makefile.am 2021-04-04 22:47:14.000000000
+0200
@@ -9,10 +9,6 @@
CLEANFILES = $(man1_MANS)
endif
-if HAVE_OPENSSL3
-CFLAGS+= -DOPENSSL_API_COMPAT=0x10100000L
-endif
-
openssl_engine_LTLIBRARIES=libtpm2.la
bin_PROGRAMS=create_tpm2_key load_tpm2_key seal_tpm2_data unseal_tpm2_data
openssl_enginedir=@enginesdir@
@@ -45,4 +41,4 @@
install-data-hook:
cd $(DESTDIR)$(openssl_enginedir) && $(LN_S) -f libtpm2@SHREXT@
tpm2@SHREXT@
-SUBDIRS = tests doc
+SUBDIRS = tests
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-3.1.0/configure.ac
new/openssl_tpm2_engine-3.0.1/configure.ac
--- old/openssl_tpm2_engine-3.1.0/configure.ac 2022-02-17 00:15:34.000000000
+0100
+++ new/openssl_tpm2_engine-3.0.1/configure.ac 2021-04-04 22:47:14.000000000
+0200
@@ -2,7 +2,7 @@
# configure.in for the OpenSSL TPM engine project
#
-AC_INIT(openssl-tpm2-engine, 3.1.0, <[email protected]>)
+AC_INIT(openssl-tpm2-engine, 3.0.1, <[email protected]>)
AM_INIT_AUTOMAKE([foreign 1.6.3])
AC_CANONICAL_HOST
AM_CONDITIONAL(NATIVE_BUILD, test "x$cross_compiling" = "xno")
@@ -50,11 +50,6 @@
AC_SUBST(OPENSSL_INCLUDE_DIR)])
AC_LANG(C)
-
-PKG_CHECK_MODULES([DEPS], [libcrypto >= 3.0.0],
- [ac_have_openssl3=1],
- [PKG_CHECK_MODULES([DEPS], [libcrypto])])
-
AC_ARG_WITH(
[enginesdir],
[AC_HELP_STRING([--with-enginesdir], [OpenSSL engines directory])],
@@ -100,8 +95,6 @@
])
AM_CONDITIONAL(HAVE_IBM_TSS, test "$tsslibs" = "IBM")
-AM_CONDITIONAL(HAVE_OPENSSL3, test "$ac_have_openssl3" = "1")
-
AC_DISABLE_STATIC
AC_PROG_CC_STDC
AM_PROG_CC_C_O
@@ -135,8 +128,6 @@
AC_PATH_PROG(TPMSERVER,
tpm_server,,/bin:/usr/bin:/usr/lib/ibmtss:/usr/libexec/ibmtss)
AC_PATH_PROG(SWTPM, swtpm,,/bin:/usr/bin:/usr/lib/ibmtss:/usr/libexec/ibmtss)
AC_PATH_PROG(SWTPM_IOCTL,
swtpm_ioctl,,/bin:/usr/bin:/usr/lib/ibmtss:/usr/libexec/ibmtss)
-AC_CHECK_PROG(XML2RFC, xml2rfc, xml2rfc)
-AM_CONDITIONAL(HAVE_XML2RFC, test -n "${XML2RFC}")
CFLAGS="$CFLAGS -Wall"
SHREXT=$shrext_cmds
AC_SUBST(CFLAGS)
@@ -156,7 +147,7 @@
AC_SUBST(testtpm)
-AC_OUTPUT([Makefile tests/Makefile doc/Makefile])
+AC_OUTPUT([Makefile tests/Makefile])
cat <<EOF
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-3.1.0/create_tpm2_key.1.in
new/openssl_tpm2_engine-3.0.1/create_tpm2_key.1.in
--- old/openssl_tpm2_engine-3.1.0/create_tpm2_key.1.in 2022-02-17
00:15:34.000000000 +0100
+++ new/openssl_tpm2_engine-3.0.1/create_tpm2_key.1.in 2021-04-04
22:47:14.000000000 +0200
@@ -31,20 +31,6 @@
$ echo 0000016b >> policy.txt
-[PCR Values]
-
-The PCR values are specified as
-
- <bank>:<list>
-
-Where <bank> is any supported PCR hash bank and list specifies the
-PCRs to lock the key to as both comma separated individual values as
-well as comma separated ranges. So
-
- sha256:1,3 means PCRs 1 and 3 in the sha256 bank
-
- sha512:1,3-5 means PCRs 1,3,4 and 5 in the sha512 bank
-
[examples]
Create a self-signed cert using the TPM engine:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-3.1.0/create_tpm2_key.c
new/openssl_tpm2_engine-3.0.1/create_tpm2_key.c
--- old/openssl_tpm2_engine-3.1.0/create_tpm2_key.c 2022-02-17
00:15:34.000000000 +0100
+++ new/openssl_tpm2_engine-3.0.1/create_tpm2_key.c 2021-04-04
22:47:14.000000000 +0200
@@ -36,7 +36,6 @@
{"key-size", 1, 0, 's'},
{"name-scheme", 1, 0, 'n'},
{"parent-handle", 1, 0, 'p'},
- {"pcr-lock", 1, 0, 'x'},
{"wrap", 1, 0, 'w'},
{"version", 0, 0, 'v'},
{"password", 1, 0, 'k'},
@@ -95,9 +94,6 @@
" may not be used for general
signing or\n"
" decryption but may be the
parent of other\n"
" keys (i.e. it is a storage
key)\n"
- "\t-x, --pcr-lock <pcrs> Lock the created key to the
specified PCRs\n"
- " By current value. See PCR
VALUES for\n"
- " details about formatting\n"
"\n"
"Report bugs to " PACKAGE_BUGREPORT "\n",
argv0);
@@ -821,10 +817,6 @@
ENCRYPTED_SECRET_2B secret, *enc_secret = NULL;
int restricted = 0;
char *parent_str = NULL;
- TPML_PCR_SELECTION pcr_lock;
- int has_policy = 0;
-
- pcr_lock.count = 0;
OpenSSL_add_all_digests();
/* may be needed to decrypt the key */
@@ -832,7 +824,7 @@
while (1) {
option_index = 0;
- c = getopt_long(argc, argv, "n:s:ab:p:hw:vk:re:ldc:i:x:",
+ c = getopt_long(argc, argv, "n:s:ab:p:hw:vk:re:ldc:i:",
long_options, &option_index);
if (c == -1)
break;
@@ -907,9 +899,6 @@
case 'i':
import = optarg;
break;
- case 'x':
- tpm2_get_pcr_lock(&pcr_lock, optarg);
- break;
case OPT_DEPRECATED:
version = 0;
break;
@@ -955,24 +944,11 @@
exit(1);
}
- if (pcr_lock.count !=0 && policyFilename) {
- fprintf(stderr, "cannot specify both policy file and pcr
lock\n");
- exit(1);
- }
-
- if (pcr_lock.count != 0 && import) {
- fprintf(stderr, "cannot specify pcr lock and import because
pcrs may not be correct\n");
- exit(1);
- }
-
- if (pcr_lock.count != 0 || policyFilename)
- has_policy = 1;
-
digest.hashAlg = name_alg;
sizeInBytes = TSS_GetDigestSize(digest.hashAlg);
memset((uint8_t *)&digest.digest, 0, sizeInBytes);
- if (has_policy) {
+ if (policyFilename) {
sk = sk_TSSOPTPOLICY_new_null();
if (!sk) {
rc = NOT_TPM_ERROR;
@@ -980,11 +956,10 @@
goto out_err;
}
- if (policyFilename) {
- rc = tpm2_parse_policy_file(policyFilename, sk, auth,
&digest);
+ rc = tpm2_parse_policy_file(policyFilename, sk, auth, &digest);
+ if (rc) {
reason = "parse_policy_file";
- if (rc)
- goto out_free_policy;
+ goto out_free_policy;
}
}
@@ -1000,8 +975,6 @@
goto out_free_auth;
}
}
- if (has_policy && !policyFilename)
- tpm2_add_auth_policy(sk, &digest);
}
if (import) {
@@ -1009,8 +982,6 @@
EVP_PKEY *pkey = openssl_read_key(wrap);
TPMT_SENSITIVE s;
- rc = NOT_TPM_ERROR;
-
if (parent_str) {
parent = tpm2_get_parent_ext(parent_str);
if (parent == 0) {
@@ -1025,6 +996,8 @@
pub = &objectPublic;
priv = &outPrivate;
+ rc = NOT_TPM_ERROR;
+
if (!p_pkey || !pkey) {
reason = "read openssl key";
goto out_err;
@@ -1041,7 +1014,7 @@
reason = "openssl_to_tpm_public";
goto out_err;
}
- if (has_policy) {
+ if (policyFilename) {
VAL(pub->publicArea.objectAttributes) &=
~TPMA_OBJECT_USERWITHAUTH;
rc = TSS_TPM2B_Create(
@@ -1086,15 +1059,6 @@
goto out_free_auth;
}
- if (pcr_lock.count != 0) {
- rc = tpm2_pcr_lock_policy(tssContext, &pcr_lock,
- sk, &digest);
- if (rc) {
- reason = "create pcr policy";
- goto out_free_auth;
- }
- }
-
if (parent_str) {
parent = tpm2_get_parent(tssContext, parent_str);
if (parent == 0) {
@@ -1147,7 +1111,7 @@
goto out_flush;
}
- if (has_policy) {
+ if (policyFilename) {
VAL(objectPublic.publicArea.objectAttributes) &=
~TPMA_OBJECT_USERWITHAUTH;
rc = TSS_TPM2B_Create(
@@ -1207,7 +1171,7 @@
tpm2_public_template_ecc(&objectPublic.publicArea, ecc);
}
- if (has_policy) {
+ if (policyFilename) {
VAL(objectPublic.publicArea.objectAttributes) &=
~TPMA_OBJECT_USERWITHAUTH;
rc = TSS_TPM2B_Create(
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-3.1.0/doc/Makefile.am
new/openssl_tpm2_engine-3.0.1/doc/Makefile.am
--- old/openssl_tpm2_engine-3.1.0/doc/Makefile.am 2022-02-17
00:15:34.000000000 +0100
+++ new/openssl_tpm2_engine-3.0.1/doc/Makefile.am 1970-01-01
01:00:00.000000000 +0100
@@ -1,15 +0,0 @@
-XML2RFC_TARGETS = draft-bottomley-tpm2-keys.txt \
- draft-bottomley-tpm2-keys.html
-
-if HAVE_XML2RFC
-all: $(XML2RFC_TARGETS)
-
-clean-local:
- rm -fr $(XML2RFC_TARGETS)
-endif
-
-$(builddir)/%.txt: $(srcdir)/%.xml
- $(XML2RFC) --text -o $@ $<
-
-$(builddir)/%.html: $(srcdir)/%.xml
- $(XML2RFC) --html -o $@ $<
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/openssl_tpm2_engine-3.1.0/doc/draft-bottomley-tpm2-keys.xml
new/openssl_tpm2_engine-3.0.1/doc/draft-bottomley-tpm2-keys.xml
--- old/openssl_tpm2_engine-3.1.0/doc/draft-bottomley-tpm2-keys.xml
2022-02-17 00:15:34.000000000 +0100
+++ new/openssl_tpm2_engine-3.0.1/doc/draft-bottomley-tpm2-keys.xml
1970-01-01 01:00:00.000000000 +0100
@@ -1,465 +0,0 @@
-<?xml version="1.0"?>
-<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
-<!-- One method to get references from the online citation libraries.
-There has to be one entity for each item to be referenced.
-An alternate method (rfc include) is described in the references.
--->
-<!ENTITY RFC2119 SYSTEM
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml";>
-<!ENTITY RFC8017 SYSTEM
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.8017.xml";>
-]>
-<?rfc toc="yes" ?>
-<rfc ipr="trust200902" category="info" docName="draft-bottomley-tpm-keys-00">
- <front>
- <title abbrev="TPM 2 Key Format">ASN.1 Specification for TPM 2.0 Key
Files</title>
- <author initials="J." surname="Bottomley" fullname="James E.J. Bottomley">
- <organization>Linux Kernel</organization>
- <address>
- <postal>
- <street/>
- <city/>
- <region/>
- <country>USA</country>
- </postal>
- <email>[email protected]</email>
- </address>
- </author>
- <date month="May" year="2021"/>
- <area>Security</area>
- <keyword>I-D</keyword>
- <keyword>Internet-Draft</keyword>
- <keyword>X.509</keyword>
- <abstract>
- <t>
- This specification is designed to be an extension to the ASN.1
- (defined in <xref target="X.680"/>) specification of PKCS #1
- <xref target="RFC8017"/> to define the file format of private
- keys that need to be loaded into a TPM 2 device to operate.
- </t>
- </abstract>
- </front>
- <middle>
- <section anchor="intro" title="Introduction">
- <t>
- The Security of private keys has long been a concern and the
- ability of ubiquitous devices like TPMs has made it useful to
- use them for secure private key storage. With the advent of
- TPM 2.0, private key storage inside the TPM (acting as a token
- which could be referred to by PKCS #11) has been discouraged,
- and instead key files which are loaded and evicted as
- necessary is the encouraged format. This standard defines an
- interoperable ASN.1 representation for such key files, so that
- a key created by one tool should be loadable by a different
- one.
- </t>
- </section>
- <section anchor="terms" title="Terminology">
- <t>
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
- NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
- "OPTIONAL" in this document are to be interpreted as described in
- <xref target="RFC2119"/>.
- </t>
- <section title="Notation">
- <dl>
- <dt>ASN.1</dt>
- <dd>Abstract Syntax Notation defined in
- <xref target="X.680"/></dd>
- <dt>DER</dt>
- <dd>Distinguished Encoding Rules. Basically a defined binary
- representation for ASN.1</dd>
- <dt>MSO</dt>
- <dd>Most Significant Octet (the highest order
- byte of an integer)</dd>
- <dt>PEM</dt>
- <dd>Privacy enhanced Electronic Mail. An ASCII compatible
- representation of DER</dd>
- <dt>TCG</dt>
- <dd>Trusted Computing Group</dd>
- <dt>TPM</dt>
- <dd>Trusted Platform Module</dd>
- </dl>
- </section>
- </section>
- <section anchor="keyrep" title="Key Representation">
- <t>
- All TPM 2.0 keys consist of two binary pieces, a public part,
- which can be parsed according to the TPM specification for
- TPM2B_PUBLIC <xref target="TPM2.0"/> and a private part, which
- is cryptographically sealed in such a way as to be only
- readable on the TPM that created it. The purpose of this
- specification is to specify a format by which the public and
- private pieces of a TPM key can be loaded.
- </t>
- <t>
- The design of the TPMkey ASN.1 format is that it should have a
- distinguishing OID at the beginning so the DER form of the
- key can be easily recognized. In PEM form, the key MUST have
- "-----BEGIN TSS2 PRIVATE KEY-----" and "-----END TSS2 PRIVATE
- KEY-----" as the PEM guards. All additional information that
- may be needed to load the key is specified as optional
- explicit elements, which can be extended by later
- specifications, which is why the TPMkey is not versioned.
- </t>
- <section anchor="tpmkey" title="TPMkey Syntax">
- <figure><artwork>
- TPMKey ::= SEQUENCE {
- type OBJECT IDENTIFIER
- emptyAuth [0] EXPLICIT BOOLEAN OPTIONAL
- policy [1] EXPLICIT SEQUENCE OF TPMPolicy OPTIONAL
- secret [2] EXPLICIT OCTET STRING OPTIONAL
- parent INTEGER
- pubkey OCTET STRING
- privkey OCTET STRING
- }
- </artwork></figure>
- <t>
- The fields of type TPMKey have the following meanings:
- </t>
- <section title="type">
- <t>
- A unique OID specifying the key type. This standard
- currently defines three types of keys: a loadable key,
- specified by id-loadablekey, (to be loaded with
- TPM2_Load), an importable key, specified by
- id-importablekey, (to be loaded with TPM2_Import) and a
- sealed data key, specified by id-sealedkey, (to be
- extracted with TPM2_Unseal). The TCG has reserved the
- following OID prefix for this:
- </t>
- <figure><artwork>
- id-tpmkey OBJECT IDENTIFIER ::=
- {joint-iso-itu-t(2) international-organizations(23) 133 10}
- </artwork></figure>
- <t>
- And the three key types are:
- </t>
- <figure><artwork>
- id-loadablekey OBJECT IDENTIFIER ::=
- {id-tpmkey 3}
- </artwork></figure>
- <figure><artwork>
- id-importablekey OBJECT IDENTIFIER ::=
- {id-tpmkey 4}
- </artwork></figure>
- <figure><artwork>
- id-sealedkey OBJECT IDENTIFIER ::=
- {id-tpmkey 5}
- </artwork></figure>
- </section>
- <section title="emptyAuth">
- <t>
- An implementation needs to know as it formulates the
- TPM2_Load/Import/Unseal command whether it must also send
- down an authorization, so this parameter gives that
- indication. emptyAuth MUST be true if authorization is
- NOT required and MUST BE either false or absent if
- authorization is required. Since this element has
- three states (one representing true and two representing
- false) it is RECOMMENDED that implementations emitting
- TPMkey representations use absence of the tag to represent
- false. However, implementations reading TPMKey MUST
- be able to process all three possible states.
- </t>
- </section>
- <section title="policy">
- <t>
- This MUST be present if the TPM key has a policy hash
- because it describes to the implementation how to
- construct the policy. The forms of the policy statement
- are described in section <xref target="policy"/>.
- </t>
- </section>
- <section title="secret">
- <t>
- This section describes the additional cryptographic
- secret used to specify the outer wrapping of an
- importable key. It MUST be present for key type
- id-importablekey and MUST NOT be present for any other
- key type.
- </t>
- <t>
- Importable keys (designed to be processed by TPM2_Import)
- MUST have an unencrypted inner wrapper (symmetricAlg MUST
- be TPM_ALG_NULL and encryptionKey MUST be empty) and an
- outer wrapper encrypted to the parent key using
- inSymSeed. The secret parameter is the fully marshalled
- TPM2B_ENCRYPTED_SECRET form of inSymSeed.
- </t>
- </section>
- <section title="parent">
- <t>
- This MUST be present for all keys and specifies the handle
- of the parent key. The parent key SHOULD be either a
- persistent handle (MSO 0x81) or a permanent handle (MSO
- 0x40). Since volatile handle numbering can change
- unexpectedly depending on key load order, the parent
- SHOULD NOT be a volatile handle (MSO 0x80). The parent MUST
- NOT have any other MSO.
- </t>
- <t>
- If a permanent handle (MSO 0x40) is specified then the
- implementation MUST run TPM2_CreatePrimary on the handle
- using the TCG specified Elliptic Curve template for the
- NIST P-256 curve and use the primary key so generated as
- the parent.
- </t>
- </section>
- <section title="pubkey">
- <t>
- This MUST be present and MUST correspond to the fully
- marshalled TPM2B_PUBLIC structure of the TPM Key.
- </t>
- </section>
- <section title="privkey">
- <t>
- This MUST be present and MUST correspond to the fully
- marshalled TPM2B_PRIVATE structure of the TPM Key. For
- importable keys, this must be the duplicate parameter that
- would be input to TPM2_Import.
- </t>
- </section>
- </section>
- </section>
- <section anchor="policy" title="Key Policy Specification">
- <t>
- Policy is constructed on a TPM by executing a sequence of
- policy statements. This specification currently only defines
- a limited subset of the allowed policy statements. The policy
- is specified by a hash, which the execution of the policy
- statements must reach in order for the policy to be validated
- (See <xref target="TPM2.0"/> Part 1 for a detailed description.
- </t>
- <t>
- The TPMPolicy ASN.1 MUST be a sequence of policy statements
- which correspond exactly to TPM policy instructions in the
- order they should be executed and additionally from which the
- ultimate policy hash can be constructed.
- </t>
- <t>
- The current policy specification is strictly for AND based
- policy only and may be extended at a later date with OR
- policy. However, the ASN.1 for policy is formulated as CONS
- elements, leaving the possibility of adding additional but
- optional elements for policy statements which are not
- supported by this standard (such as TPM2_PolicyAuthorize).
- </t>
- <section title="TPMPolicy Syntax">
- <figure><artwork>
- TPMPolicy ::= SEQUENCE {
- CommandCode [0] EXPLICIT INTEGER
- CommandPolicy [1] EXPLICIT OCTET STRING
- }
- </artwork></figure>
- <t>
- The Fields of type TPMPolicy have the following meanings:
- </t>
- <section title="CommandCode">
- <t>
- This is the integer representation of the TPM command code
- for the policy statement.
- </t>
- </section>
- <section title="CommandPolicy">
- <t>
- This is a binary string representing a fully marshalled,
- TPM ordered, command body for the TPM policy command.
- Therefore to send the command, the implementation simply
- marshalls the command code and appends this octet string
- as the body.
- </t>
- <t>
- Commands which have no body, such as TPM2_AuthVal, MUST be
- specified as a zero length OCTET STRING
- </t>
- </section>
- </section>
- <section title="Policy Implementation Considerations">
- <t>
- The policy hash for AND based policies is constructed by extension of
the prior policy hash
- </t>
- <figure><artwork>
- newHash = HASH ( oldHash || policyHash )
- </artwork></figure>
- <t>
- where policyHash is usually simply the hash of the fully
- marshalled policy command (including the CommandCode).
- However, this isn't true for TPM2_PolicyCounterTimer() so
- always consult the <xref target="TPM2.0"/> specifications
- for how to construct the policyHash.
- </t>
- <t>
- The implementation should fail fast for policy problems, so
- if an individual policy command returns a failure (which
- usually indicates a particular policy requirement cannot be
- met), that failure should be reported in as much detail as
- possible and processing of the key should fail at that
- point.
- </t>
- <section title="Authorization Policy">
- <t>
- When Authorization (Passing in a password) is required,
- the emptyAuth parameter MUST be absent or set to false
- and additionally the TPM_CC_PolicyAuthValue MUST be
- specified as the command code for one entry in the
- TPMPolicy sequence. However, the implementation MAY
- choose to execute either TPM2_PolicyPassword for TPM_RS_PW
- or TPM2_PolicyAuthValue for HMAC based authorization
- depending on whether the command being authorized is using
- sessions or not. If the policy does not require an
- authorization then the emptyAuth parameter MUST be set to
- true.
- </t>
- </section>
- </section>
- </section>
- <section anchor="implementation" title="Implementation Considerations">
- <t>
- Implementations SHOULD support all TCG mandated algorithms,
- but MAY omit those deemed insecure, such as the SHA1 hash.
- </t>
- <t>
- TPM2_Import transforms the privKey into a TPM2B_PRIVATE which
- can then be used as a source to TPM2_Load, making the loading
- of importable keys is necessarily a two stage process, which
- can be time consuming on some TPMs. Since the TPM2B_PRIVATE
- structure emitted by TPM2_Import is fully secure,
- Implementations SHOULD minimize the number of TPM2_Import
- operations by caching the emitted TPM2B_PRIVATE.
- </t>
- </section>
- <section anchor="security" title="Security Considerations">
- <t>
- The TPM 2.0 supports a variety of algorithms, the most common
- being SHA1 and SHA256 for hashing and RSA2048 and NIST P-256
- for asymmetric keys. Implementors SHOULD NOT use deprecated
- algorithms, such as SHA1, for any TPM operation. In
- particular, the algorithm used for the policy hash SHOULD NOT
- be SHA1 and this means that SHA1 SHOULD NOT be used as the
- name algorithm hash for any TPM key.
- </t>
- <t>
- TPM 2.0 supports a session mode (TPM_RS_PW) where
- authorizations are passed to the TPM in clear text over the
- TPM connection. Implementations SHOULD consider the
- possibility of snooping on the wire between the implementation
- and the TPM, such as <xref target="TPM GENIE"/>, and SHOULD
- use HMAC session authorizations as best practice for all TPM
- keys.
- </t>
- <t>
- In addition to snooping authorizations, snooping may also
- occur when key material is being exchanged between the TPM and
- the implementation, such as wrapping of private keys and the
- sealing and unsealing operations for sealed keys.
- Implementations SHOULD always use HMAC sessions with
- TPMA_SESSION_DECRYPT when sensitive information is passed in
- to the TPM and HMAC sessions with TPMA_SESSION_ENCRYPT when
- sensitive information is received from the TPM.
- </t>
- <t>
- The easiest way to get the TPM to wrap an external private key
- is to use TPM2_Import. However, since TPMA_SESSION_DECRYPT
- only protects the first parameter (which is encryptionKey),
- the duplicate should use inner symmetric encryption with a
- randomly generated ephemeral key, which is then presented to
- the TPM via the protected encryptionKey parameter.
- </t>
- <t>
- The TPM has a mode where it can generate private key material
- internally (using TPM2_Create) such that the private part of
- the key can never leave the TPM. Implementations SHOULD
- support this mode but should be aware that while keys created
- like this may be more secure than wrapped keys, they can also
- be used only while access to the TPM that created them is
- available, so implementations SHOULD also support wrapping for
- keys that are expected to outlive the TPM that's using them.
- Clients can then develop best practices around TPM wrapped
- identity keys, possibly with TPM created sub keys, which can
- only be used on the device they were wrapped for.
- </t>
- <t>
- Since TPM keys can only be used by the specific TPM that
- created them, which is usually embedded in a piece of
- hardware, they are secure against exfiltration attacks.
- However, consideration should be given to an attacker gaining
- access to the system containing the TPM. TPM keys are most
- secure when used as part of an operating system that has
- guaranteed trust properties, such as secure and measured boot.
- Implementations SHOULD assist users in constructing key
- policies that ensure the key can be used only when the
- operating system is within its trusted parameters to minimize
- threats from co-located attackers.
- </t>
- </section>
- <section anchor="IANA" title="IANA Considerations">
- <t>
- None.
- </t>
- </section>
- <section anchor="comments" title="Comments on and Enhancements to this
Document">
- <t>
- Comments on this document should be addressed to the author
- ([email protected]) but should also CC the
- email lists of the two projects implementing this
- specification:
- </t>
- <t>
- The OpenSSL engine: [email protected]
- </t>
- <t>
- The Linux Kernel: [email protected]
- </t>
- <t>
- The OpenSSL TPM2 engine <xref target="OPENSSL TPM2 ENGINE"/>
- is currently the only implementation of this full
- specification, so enhancements should be proposed after
- patches implementing the enhancement have been accepted by
- openssl_tpm2_engine or another full specification
- implementation.
- </t>
- </section>
-
- </middle>
- <back>
- <references title="Normative References">
- &RFC2119;
- &RFC8017;
- <reference anchor="TPM2.0"
target="https://trustedcomputinggroup.org/resource/tpm-library-specification/";>
- <front>
- <title>TPM 2.0 Library Specification</title>
- <author>
- <organization>Trusted Computing Group</organization>
- </author>
- <date year="2013" month="March" day="15"/>
- </front>
- </reference>
- <reference anchor="X.680"
target="https://itu.int/rec/T-REC-X.680-201508-I/en";>
- <front>
- <title>ITU-T Recommendation X.680,
- Information technology - Abstract Syntax Notation One
- (ASN.1): Specification of basic notation.</title>
- <author><organization>International Telecommunication
Union</organization></author>
- <date year="2015" month="August"/>
- </front>
- </reference>
- </references>
- <references title="Informative References">
- <reference anchor="TPM GENIE"
target="https://www.nccgroup.com/globalassets/about-us/us/documents/tpm-genie.pdf";>
- <front>
- <title>TPM Genie: Interposer Attacks Against the Trusted
- Platform Module Serial Bus</title>
- <author initials="J." surname="Boone" fullname="J. Boone">
- <organization>NCC Group</organization>
- </author>
- <date year="2018" month="March" day="9"/>
- </front>
- </reference>
- <reference anchor="OPENSSL TPM2 ENGINE"
target="https://git.kernel.org/pub/scm/linux/kernel/git/jejb/openssl_tpm2_engine.git/";>
- <front>
- <title>OpenSSL TPM2 Engine</title>
- <author><organization>Open Source Project</organization></author>
- </front>
- </reference>
- </references>
- </back>
-</rfc>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-3.1.0/e_tpm2-ecc.c
new/openssl_tpm2_engine-3.0.1/e_tpm2-ecc.c
--- old/openssl_tpm2_engine-3.1.0/e_tpm2-ecc.c 2022-02-17 00:15:34.000000000
+0100
+++ new/openssl_tpm2_engine-3.0.1/e_tpm2-ecc.c 2021-04-04 22:47:14.000000000
+0200
@@ -103,11 +103,7 @@
#endif
}
-#if OPENSSL_VERSION_NUMBER >= 0x30000000
- EVP_PKEY_set1_EC_KEY(pkey, eck);
-#else
EC_KEY_free(eck);
-#endif
}
static void tpm2_ecc_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-3.1.0/e_tpm2-rsa.c
new/openssl_tpm2_engine-3.0.1/e_tpm2-rsa.c
--- old/openssl_tpm2_engine-3.1.0/e_tpm2-rsa.c 2022-02-17 00:15:34.000000000
+0100
+++ new/openssl_tpm2_engine-3.0.1/e_tpm2-rsa.c 2021-04-04 22:47:14.000000000
+0200
@@ -130,12 +130,8 @@
RSA_set_ex_data(rsa, ex_app_data, data);
-#if OPENSSL_VERSION_NUMBER >= 0x30000000
- EVP_PKEY_set1_RSA(pkey, rsa);
-#else
/* release the reference EVP_PKEY_get1_RSA obtained */
RSA_free(rsa);
-#endif
}
static void tpm2_rsa_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-3.1.0/ibm-tss.h
new/openssl_tpm2_engine-3.0.1/ibm-tss.h
--- old/openssl_tpm2_engine-3.1.0/ibm-tss.h 2022-02-17 00:15:34.000000000
+0100
+++ new/openssl_tpm2_engine-3.0.1/ibm-tss.h 2021-04-04 22:47:14.000000000
+0200
@@ -487,32 +487,6 @@
return rc;
}
-static inline TPM_RC
-tpm2_PCR_Read(TSS_CONTEXT *tssContext, TPML_PCR_SELECTION *pcrSelectionIn,
- TPML_PCR_SELECTION *pcrSelectionOut, TPML_DIGEST *pcrValues)
-{
- PCR_Read_In in;
- PCR_Read_Out out;
- TPM_RC rc;
-
- in.pcrSelectionIn = *pcrSelectionIn;
-
- rc = TSS_Execute(tssContext,
- (RESPONSE_PARAMETERS *)&out,
- (COMMAND_PARAMETERS *)&in,
- NULL,
- TPM_CC_PCR_Read,
- TPM_RH_NULL, NULL, 0);
-
- if (rc)
- return rc;
-
- *pcrSelectionOut = out.pcrSelectionOut;
- *pcrValues = out.pcrValues;
-
- return rc;
-}
-
static inline TPM_HANDLE
tpm2_handle_int(TSS_CONTEXT *tssContext, TPM_HANDLE h)
{
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-3.1.0/intel-tss.h
new/openssl_tpm2_engine-3.0.1/intel-tss.h
--- old/openssl_tpm2_engine-3.1.0/intel-tss.h 2022-02-17 00:15:34.000000000
+0100
+++ new/openssl_tpm2_engine-3.0.1/intel-tss.h 2021-04-04 22:47:14.000000000
+0200
@@ -151,7 +151,7 @@
\
*buffer += offset; \
*size -= offset; \
- *written += offset; \
+ *written = offset; \
\
return rc; \
}
@@ -179,9 +179,6 @@
TSS_CONVERT_MARSHAL(TPM2B_DIGEST, )
TSS_CONVERT_MARSHAL(TPM2B_PUBLIC, )
TSS_CONVERT_MARSHAL(TPM2B_PRIVATE, )
-TSS_CONVERT_MARSHAL(TPML_PCR_SELECTION, )
-TSS_CONVERT_MARSHAL(UINT32, *)
-#define TSS_TPM_CC_Marshal TSS_UINT32_Marshal
TSS_CONVERT_UNMARSHAL(TPML_PCR_SELECTION, )
TSS_CONVERT_UNMARSHAL(TPM2B_PRIVATE, )
@@ -938,25 +935,6 @@
operandB, offset, operation);
}
-static inline TPM_RC
-tpm2_PCR_Read(TSS_CONTEXT *tssContext, TPML_PCR_SELECTION *pcrSelectionIn,
- TPML_PCR_SELECTION *pcrSelectionOut, TPML_DIGEST *pcrValues)
-{
- TPML_PCR_SELECTION *out;
- TPML_DIGEST *val;
- TPM_RC rc;
-
- rc = Esys_PCR_Read(tssContext, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
- pcrSelectionIn, NULL, &out, &val);
- if (rc)
- return rc;
-
- *pcrSelectionOut = *out;
- *pcrValues = *val;
-
- return rc;
-}
-
static inline TPM_HANDLE
tpm2_handle_ext(TSS_CONTEXT *tssContext, TPM_HANDLE esysh)
{
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-3.1.0/seal_tpm2_data.1.in
new/openssl_tpm2_engine-3.0.1/seal_tpm2_data.1.in
--- old/openssl_tpm2_engine-3.1.0/seal_tpm2_data.1.in 2022-02-17
00:15:34.000000000 +0100
+++ new/openssl_tpm2_engine-3.0.1/seal_tpm2_data.1.in 2021-04-04
22:47:14.000000000 +0200
@@ -7,20 +7,6 @@
TPM. Possible uses for this blob of data include as a symmetric key,
which is the use in the linux kernel trusted key infrastructure.
-[PCR Values]
-
-The PCR values are specified as
-
- <bank>:<list>
-
-Where <bank> is any supported PCR hash bank and list specifies the
-PCRs to lock the key to as both comma separated individual values as
-well as comma separated ranges. So
-
- sha256:1,3 means PCRs 1 and 3 in the sha256 bank
-
- sha512:1,3-5 means PCRs 1,3,4 and 5 in the sha512 bank
-
[examples]
Create a sealed data blob to the storage parent (owner hierarchy)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-3.1.0/seal_tpm2_data.c
new/openssl_tpm2_engine-3.0.1/seal_tpm2_data.c
--- old/openssl_tpm2_engine-3.1.0/seal_tpm2_data.c 2022-02-17
00:15:34.000000000 +0100
+++ new/openssl_tpm2_engine-3.0.1/seal_tpm2_data.c 2021-04-04
22:47:14.000000000 +0200
@@ -27,7 +27,6 @@
{"auth-parent", 1, 0, 'b'},
{"help", 0, 0, 'h'},
{"parent-handle", 1, 0, 'p'},
- {"pcr-lock", 1, 0, 'x'},
{"version", 0, 0, 'v'},
{"password", 1, 0, 'k'},
{"da", 0, 0, 'd'},
@@ -72,10 +71,6 @@
"\t-m,--nomigrate Create a sealed data bundle
that can be\n"
" migrated to other systems.\n"
"\t-n, --name-scheme <scheme> name algorithm to use sha1
[sha256] sha384 sha512\n"
- "\t-x, --pcr-lock <pcrs> Lock the created key to the
specified PCRs\n"
- " By current value. See PCR
VALUES for\n"
- " details about formatting\n"
- "\n"
"\n"
"Report bugs to " PACKAGE_BUGREPORT "\n",
argv0);
@@ -111,10 +106,6 @@
int32_t size;
uint16_t pubkey_len, privkey_len;
char *parent_str = NULL;
- TPML_PCR_SELECTION pcr_lock;
- int has_policy = 0;
-
- pcr_lock.count = 0;
while (1) {
option_index = 0;
@@ -174,9 +165,6 @@
case 'm':
nomigrate = 1;
break;
- case 'x':
- tpm2_get_pcr_lock(&pcr_lock, optarg);
- break;
default:
printf("Unknown option '%c'\n", c);
usage(argv[0]);
@@ -195,32 +183,22 @@
usage(argv[0]);
}
- if (pcr_lock.count !=0 && policyFilename) {
- fprintf(stderr, "cannot specify both policy file and pcr
lock\n");
- exit(1);
- }
-
- if (pcr_lock.count != 0 || policyFilename)
- has_policy = 1;
-
digest.hashAlg = name_alg;
sizeInBytes = TSS_GetDigestSize(digest.hashAlg);
memset((uint8_t *)&digest.digest, 0, sizeInBytes);
- if (has_policy) {
+ if (policyFilename) {
sk = sk_TSSOPTPOLICY_new_null();
if (!sk) {
fprintf(stderr, "Failed to allocate policy stack\n");
exit(1);
}
- if (policyFilename) {
- rc = tpm2_parse_policy_file(policyFilename, sk,
- data_auth, &digest);
- if (rc) {
- reason = "parse_policy_file";
- goto out_free_policy;
- }
+ rc = tpm2_parse_policy_file(policyFilename, sk,
+ data_auth, &digest);
+ if (rc) {
+ reason = "parse_policy_file";
+ goto out_free_policy;
}
}
@@ -237,8 +215,6 @@
goto out_free_auth;
}
}
- if (has_policy && !policyFilename)
- tpm2_add_auth_policy(sk, &digest);
}
dir = tpm2_set_unique_tssdir();
@@ -248,15 +224,6 @@
goto out_rmdir;
}
- if (pcr_lock.count != 0) {
- rc = tpm2_pcr_lock_policy(tssContext, &pcr_lock,
- sk, &digest);
- if (rc) {
- reason = "create pcr policy";
- goto out_free_auth;
- }
- }
-
if (parent_str) {
parent = tpm2_get_parent(tssContext, parent_str);
if (parent == 0) {
@@ -278,7 +245,7 @@
tpm2_public_template_seal(p);
- if (has_policy) {
+ if (policyFilename) {
VAL(p->objectAttributes) &=
~TPMA_OBJECT_USERWITHAUTH;
rc = TSS_TPM2B_Create(
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/openssl_tpm2_engine-3.1.0/tests/check_counter_timer.sh
new/openssl_tpm2_engine-3.0.1/tests/check_counter_timer.sh
--- old/openssl_tpm2_engine-3.1.0/tests/check_counter_timer.sh 2022-02-17
00:15:34.000000000 +0100
+++ new/openssl_tpm2_engine-3.0.1/tests/check_counter_timer.sh 2021-04-04
22:47:14.000000000 +0200
@@ -27,11 +27,10 @@
# 3. encode a message using the TPM key
# 4. verify the message through the public key
##
-echo "policy counter timer" > plain.txt
${bindir}/create_tpm2_key key.tpm -a -k paSSW0RD -c policy.txt && \
openssl rsa -engine tpm2 -inform engine -pubin -in key.tpm -pubout -out
key.pub && \
-openssl pkeyutl -sign -in plain.txt -passin pass:paSSW0RD -engine tpm2 -engine
tpm2 -keyform engine -inkey key.tpm -out tmp.msg && \
-openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key.pub -pubin
|| exit 1
+echo "policy counter timer" | openssl rsautl -sign -passin pass:paSSW0RD
-engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg && \
+openssl rsautl -verify -in tmp.msg -inkey key.pub -pubin || exit 1
##
# advance the TPM clock by ten minutes and a second which should make
@@ -45,7 +44,7 @@
# now the signing operation should fail
##
echo "Check key failure due to counter timer policy"
-openssl pkeyutl -sign -in plain.txt -passin pass:paSSW0RD -engine tpm2 -engine
tpm2 -keyform engine -inkey key.tpm -out tmp.msg 2> tmp.txt && exit 1
+echo "policy fail counter timer" | openssl rsautl -sign -passin pass:paSSW0RD
-engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg 2>
tmp.txt && exit 1
# check we got the right failure message
grep "Policy Failure: Counter Timer at offset 8 is not <=" tmp.txt
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/openssl_tpm2_engine-3.1.0/tests/check_enhanced_auth.sh
new/openssl_tpm2_engine-3.0.1/tests/check_enhanced_auth.sh
--- old/openssl_tpm2_engine-3.1.0/tests/check_enhanced_auth.sh 2022-02-17
00:15:34.000000000 +0100
+++ new/openssl_tpm2_engine-3.0.1/tests/check_enhanced_auth.sh 2021-04-04
22:47:14.000000000 +0200
@@ -19,22 +19,7 @@
${bindir}/create_tpm2_key key.tpm -c policies/policy_bogus.txt
a=0; while [ $a -lt 5 ]; do
a=$[$a+1]
- echo "This is a message" | openssl pkeyutl -sign -engine tpm2 -engine tpm2
-keyform engine -inkey key.tpm -out tmp.msg && exit 1
-done
-
-##
-# Randomize the PCR banks
-##
-for h in "sha1" "sha256" "sha384"; do
- pcr=0;
- while [ $pcr -lt 24 ]; do
- tsspcrextend -ha $pcr -halg $h -ic $RANDOM
- pcr=$[$pcr + 1]
- done
- ##
- # reset PCR 16 for the fixed policy tests
- ##
- ${tss_pcrreset_cmd} -ha 16
+ echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2
-keyform engine -inkey key.tpm -out tmp.msg && exit 1
done
for h in "sha1" "" "sha384"; do
@@ -50,11 +35,10 @@
# 2. get the corresponding public key from the engine
# 3. encode a message using the TPM key
# 4. verify the message through the public key
- echo "This is a Message" > plain.txt
${bindir}/create_tpm2_key ${n} -a -k passw0rd key2.tpm -c
policies/policy_authvalue.txt && \
openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in key2.tpm
-pubout -out key2.pub && \
- openssl pkeyutl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey
key2.tpm -passin pass:passw0rd -in plain.txt -out tmp.msg && \
- openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key2.pub
-pubin || exit 1
+ echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2
-keyform engine -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \
+ openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin || exit 1
##
# test is
@@ -68,8 +52,8 @@
${tss_pcrextend_cmd} -ha 16 -ic aaa
${bindir}/create_tpm2_key ${n} key2.tpm -c policies/policy_pcr${h}.txt && \
openssl rsa -engine tpm2 -inform engine -in key2.tpm -pubout -out
key2.pub && \
- openssl pkeyutl -sign -in plain.txt -engine tpm2 -engine tpm2 -keyform
engine -inkey key2.tpm -out tmp.msg && \
- openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key2.pub
-pubin || exit 1
+ echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine
tpm2 -keyform engine -inkey key2.tpm -out tmp.msg && \
+ openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin || exit 1
##
# test is
@@ -81,8 +65,8 @@
${tss_pcrreset_cmd} -ha 16
${bindir}/create_tpm2_key ${n} key2.tpm -c policies/policy_pcr${h}.txt
openssl rsa -engine tpm2 -inform engine -in key2.tpm -pubout -out key2.pub
&& \
- openssl pkeyutl -sign -in plain.txt -engine tpm2 -engine tpm2 -keyform
engine -inkey key2.tpm -out tmp.msg && \
- openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key2.pub
-pubin
+ echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine
tpm2 -keyform engine -inkey key2.tpm -out tmp.msg && \
+ openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin
if [ $? -ne 1 ]; then
echo "TPM key should not be accessible"
exit 1
@@ -101,8 +85,8 @@
${tss_pcrextend_cmd} -ha 16 -ic aaa
${bindir}/create_tpm2_key ${n} -a -k passw0rd key2.tpm -c
policy_authvalue_pcr.txt && \
openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in
key2.tpm -pubout -out key2.pub && \
- openssl pkeyutl -sign -in plain.txt -engine tpm2 -engine tpm2 -keyform
engine -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \
- openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key2.pub
-pubin || exit 1
+ echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine
tpm2 -keyform engine -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \
+ openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin || exit 1
##
# test is
@@ -117,36 +101,6 @@
${tss_pcrextend_cmd} -ha 16 -ic aaa
${bindir}/create_tpm2_key ${n} -a -k passw0rd key2.tpm -c
policy_pcr_authvalue.txt && \
openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in
key2.tpm -pubout -out key2.pub && \
- openssl pkeyutl -sign -in plain.txt -engine tpm2 -engine tpm2 -keyform
engine -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \
- openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key2.pub
-pubin || exit 1
-
- ##
- # test is
- # 1. Create a key on a huge range of PCRs (testing multiple reads)
- # 2. verify key works with undisturbed PCRs
- # 3. extend non-mentioned pcr and verify key works
- # 4. extend mentioned PCR and verify key fails
- ##
- ${bindir}/create_tpm2_key ${n} -a -k passw0rd key.tpm --pcr-lock
1,2,3-15,17-23 --pcr-lock sha1:1-4 --pcr-lock sha384:10-20 || exit 1
- openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in key.tpm
-pubout -out key.pub || exit 1
- openssl pkeyutl -sign -in plain.txt -engine tpm2 -engine tpm2 -keyform
engine -inkey key.tpm -passin pass:passw0rd -out tmp.msg || exit 1
- openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key.pub
-pubin || exit 1
- ${tss_pcrextend_cmd} -ha 16 -ic $RANDOM
- ${tss_pcrextend_cmd} -ha 5 -halg sha1 -ic $RANDOM
- ${tss_pcrextend_cmd} -ha 9 -halg sha384 -ic $RANDOM
- openssl pkeyutl -sign -in plain.txt -engine tpm2 -engine tpm2 -keyform
engine -inkey key.tpm -passin pass:passw0rd -out tmp.msg || exit 1
- openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key.pub
-pubin || exit 1
- ${tss_pcrextend_cmd} -ha 1 -halg sha1 -ic $RANDOM
- openssl pkeyutl -sign -in plain.txt -engine tpm2 -engine tpm2 -keyform
engine -inkey key.tpm -passin pass:passw0rd -out tmp.msg && exit 1
- ##
- # Check a smaller PCR lock with no auth
- ##
- ${bindir}/create_tpm2_key ${n} --pcr-lock 2,4,7,10 --pcr-lock sha1:1,3
key.tpm || exit 1
- openssl rsa -engine tpm2 -inform engine -in key.tpm -pubout -out key.pub
|| exit 1
- openssl pkeyutl -sign -in plain.txt -engine tpm2 -engine tpm2 -keyform
engine -inkey key.tpm -out tmp.msg || exit 1
- openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key.pub
-pubin || exit 1
- ${tss_pcrextend_cmd} -ha 4 -halg sha256 -ic $RANDOM
- echo "This is a message" | openssl pkeyutl -sign -engine tpm2 -engine tpm2
-keyform engine -inkey key.tpm -out tmp.msg && exit 1
+ echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine
tpm2 -keyform engine -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \
+ openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin || exit 1
done
-
-exit 0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-3.1.0/tests/create_ecc.sh
new/openssl_tpm2_engine-3.0.1/tests/create_ecc.sh
--- old/openssl_tpm2_engine-3.1.0/tests/create_ecc.sh 2022-02-17
00:15:34.000000000 +0100
+++ new/openssl_tpm2_engine-3.0.1/tests/create_ecc.sh 2021-04-04
22:47:14.000000000 +0200
@@ -8,7 +8,7 @@
# 2. Create a self signed x509 certificate
# 3. verify the certificate
for curve in $(${bindir}/create_tpm2_key --list-curves); do
- if openssl ecparam -name ${curve} 2>&1 | egrep '(invalid|unknown) curve';
then
+ if openssl ecparam -name ${curve} 2>&1 | grep 'unknown curve'; then
continue
fi
echo "Checking curve ${curve}"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/openssl_tpm2_engine-3.1.0/tests/create_nonopenssl_ecc.sh
new/openssl_tpm2_engine-3.0.1/tests/create_nonopenssl_ecc.sh
--- old/openssl_tpm2_engine-3.1.0/tests/create_nonopenssl_ecc.sh
2022-02-17 00:15:34.000000000 +0100
+++ new/openssl_tpm2_engine-3.0.1/tests/create_nonopenssl_ecc.sh
2021-04-04 22:47:14.000000000 +0200
@@ -14,7 +14,7 @@
for curve in $(${bindir}/create_tpm2_key --list-curves); do
- if openssl ecparam -name ${curve} 2>&1 | egrep -v '(invalid|unknown)
curve'; then
+ if openssl ecparam -name ${curve} 2>&1 | grep -v 'unknown curve'; then
continue
fi
echo "Checking curve ${curve}"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-3.1.0/tests/da_check.sh
new/openssl_tpm2_engine-3.0.1/tests/da_check.sh
--- old/openssl_tpm2_engine-3.1.0/tests/da_check.sh 2022-02-17
00:15:34.000000000 +0100
+++ new/openssl_tpm2_engine-3.0.1/tests/da_check.sh 2021-04-04
22:47:14.000000000 +0200
@@ -13,7 +13,7 @@
count=1;
while true; do
echo "This is a message" |
- openssl pkeyutl -sign -engine tpm2 -keyform engine -inkey key.tpm -passin
pass:passwrd -out tmp.msg 2>tmp.txt
+ openssl rsautl -sign -engine tpm2 -keyform engine -inkey key.tpm -passin
pass:passwrd -out tmp.msg 2>tmp.txt
val=$?
cat tmp.txt
if [ $val -ne 1 ]; then
@@ -39,7 +39,7 @@
echo "Locked out after $count tries"
# try with correct password, should still be locked out
echo "This is a message" |
-openssl pkeyutl -sign -engine tpm2 -keyform engine -inkey key.tpm -passin
pass:passw0rd -out tmp.msg 2>tmp.txt
+openssl rsautl -sign -engine tpm2 -keyform engine -inkey key.tpm -passin
pass:passw0rd -out tmp.msg 2>tmp.txt
val=$?
cat tmp.txt
if [ $val -ne 1 ]; then
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-3.1.0/tests/derive_ecc.sh
new/openssl_tpm2_engine-3.0.1/tests/derive_ecc.sh
--- old/openssl_tpm2_engine-3.1.0/tests/derive_ecc.sh 2022-02-17
00:15:34.000000000 +0100
+++ new/openssl_tpm2_engine-3.0.1/tests/derive_ecc.sh 2021-04-04
22:47:14.000000000 +0200
@@ -24,7 +24,7 @@
##
for curve in $(${bindir}/create_tpm2_key --list-curves); do
- if openssl ecparam -name ${curve} 2>&1 | egrep '(invalid|unknown) curve';
then
+ if openssl ecparam -name ${curve} 2>&1 | grep 'unknown curve'; then
continue
fi
echo "Checking curve ${curve} explicitly named"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-3.1.0/tests/fail_connect.sh
new/openssl_tpm2_engine-3.0.1/tests/fail_connect.sh
--- old/openssl_tpm2_engine-3.1.0/tests/fail_connect.sh 2022-02-17
00:15:34.000000000 +0100
+++ new/openssl_tpm2_engine-3.0.1/tests/fail_connect.sh 2021-04-04
22:47:14.000000000 +0200
@@ -41,7 +41,7 @@
# conversion to public key doesn't actually contact the TPM
# so this should succeed
##
-openssl pkey -engine tpm2 -inform engine -in tmp.tpm -pubout -out tmp.pub 2>
tmp.txt
+openssl rsa -engine tpm2 -inform engine -in tmp.tpm -pubout -out tmp.pub 2>
tmp.txt
if [ $? -ne 0 ]; then
echo "TPM key import failed with $?"
cat tmp.txt
@@ -51,7 +51,7 @@
# key operation does contact the TPM and should fail
##
echo "This is a message" |\
-openssl pkeyutl -sign -engine tpm2 -keyform engine -inkey tmp.tpm -out tmp.msg
2> tmp.txt
+openssl rsautl -sign -engine tpm2 -keyform engine -inkey tmp.tpm -out tmp.msg
2> tmp.txt
if [ $? -ne 1 ]; then
echo "TPM key signing failed with $?"
cat tmp.txt
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-3.1.0/tests/seal_unseal.sh
new/openssl_tpm2_engine-3.0.1/tests/seal_unseal.sh
--- old/openssl_tpm2_engine-3.1.0/tests/seal_unseal.sh 2022-02-17
00:15:34.000000000 +0100
+++ new/openssl_tpm2_engine-3.0.1/tests/seal_unseal.sh 2021-04-04
22:47:14.000000000 +0200
@@ -16,22 +16,4 @@
echo $DATA | ${bindir}/seal_tpm2_data -a -k ${AUTH} seal.tpm || exit 1;
${bindir}/unseal_tpm2_data -k ${AUTH} seal.tpm | grep -q "${DATA}" || exit 1;
-##
-# Check with policy
-# test is
-# 1. seal with a pcr lock and no auth
-# 2. verify unseal
-# 3. move PCR on and verify no unseal
-# 4. 1-3 with auth and pcr lock
-##
-echo $DATA | ${bindir}/seal_tpm2_data --pcr-lock 2,16 seal.tpm || exit 1;
-${bindir}/unseal_tpm2_data seal.tpm | grep -q "${DATA}" || exit 1;
-tsspcrextend -ha 16 -ic $RANDOM
-${bindir}/unseal_tpm2_data seal.tpm && exit 1
-echo $DATA | ${bindir}/seal_tpm2_data -a -k ${AUTH} --pcr-lock 2,16 seal.tpm
|| exit 1;
-${bindir}/unseal_tpm2_data -k ${AUTH} seal.tpm | grep -q "${DATA}" || exit 1;
-tsspcrextend -ha 16 -ic $RANDOM
-${bindir}/unseal_tpm2_data -k ${AUTH} seal.tpm && exit 1
-
-
exit 0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-3.1.0/tests/wrap_ecc.sh
new/openssl_tpm2_engine-3.0.1/tests/wrap_ecc.sh
--- old/openssl_tpm2_engine-3.1.0/tests/wrap_ecc.sh 2022-02-17
00:15:34.000000000 +0100
+++ new/openssl_tpm2_engine-3.0.1/tests/wrap_ecc.sh 2021-04-04
22:47:14.000000000 +0200
@@ -9,7 +9,7 @@
# 3. Create a self signed x509 certificate
# 4. verify the certificate
for curve in $(${bindir}/create_tpm2_key --list-curves); do
- if openssl ecparam -name ${curve} 2>&1 | egrep '(unknown|invalid) curve';
then
+ if openssl ecparam -name ${curve} 2>&1 | grep 'unknown curve'; then
continue
fi
echo "Checking curve ${curve}"
@@ -21,7 +21,7 @@
exit 1
done
for curve in $(${bindir}/create_tpm2_key --list-curves); do
- if openssl ecparam -name ${curve} 2>&1 | egrep '(invalid|unknown) curve';
then
+ if openssl ecparam -name ${curve} 2>&1 | grep 'unknown curve'; then
continue
fi
echo "Checking curve ${curve}"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-3.1.0/tests/wrap_generic_ecc.sh
new/openssl_tpm2_engine-3.0.1/tests/wrap_generic_ecc.sh
--- old/openssl_tpm2_engine-3.1.0/tests/wrap_generic_ecc.sh 2022-02-17
00:15:34.000000000 +0100
+++ new/openssl_tpm2_engine-3.0.1/tests/wrap_generic_ecc.sh 2021-04-04
22:47:14.000000000 +0200
@@ -9,7 +9,7 @@
# 3. Create a self signed x509 certificate
# 4. verify the certificate
for curve in $(${bindir}/create_tpm2_key --list-curves); do
- if openssl ecparam -name ${curve} 2>&1 | egrep '(invalid|unknown) curve';
then
+ if openssl ecparam -name ${curve} 2>&1 | grep 'unknown curve'; then
continue
fi
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:${curve} -out
key.priv && \
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-3.1.0/tpm2-common.c
new/openssl_tpm2_engine-3.0.1/tpm2-common.c
--- old/openssl_tpm2_engine-3.1.0/tpm2-common.c 2022-02-17 00:15:34.000000000
+0100
+++ new/openssl_tpm2_engine-3.0.1/tpm2-common.c 2021-04-04 22:47:14.000000000
+0200
@@ -29,25 +29,6 @@
#include "tpm2-asn.h"
#include "tpm2-common.h"
-static struct {
- const char *hash;
- TPM_ALG_ID alg;
-} tpm2_hashes[] = {
- { "sha1", TPM_ALG_SHA1 },
- { "sha256", TPM_ALG_SHA256 },
- { "sha384", TPM_ALG_SHA384 },
-#ifdef TPM_ALG_SHA512
- { "sha512", TPM_ALG_SHA512 },
-#endif
-#ifdef TPM_ALG_SM3_256
- { "sm3", TPM_ALG_SM3_256 },
-#endif
- { NULL, 0 }
-};
-
-#define MAX_TPM_PCRS 24
-const int MAX_TPM_PCRS_ARRAY = (MAX_TPM_PCRS + 7)/8;
-
struct myTPM2B {
UINT16 s;
BYTE *const b;
@@ -1489,7 +1470,7 @@
rc = tpm2_create(&tssContext, ad->dir);
if (rc) {
reason="tpm2_create";
- goto import_no_flush_err;
+ goto import_err;
}
parentHandle = tpm2_handle_int(tssContext, ad->parent);
@@ -1531,7 +1512,6 @@
import_err:
tpm2_flush_srk(tssContext, parentHandle);
- import_no_flush_err:
TSS_Delete(tssContext);
if (rc) {
tpm2_error(rc, reason);
@@ -1911,240 +1891,6 @@
sk_TSSOPTPOLICY_free(sk);
}
-static const char *get_hash_by_alg(TPM_ALG_ID alg)
-{
- int i;
-
- for (i = 0; tpm2_hashes[i].hash; i++)
- if (tpm2_hashes[i].alg == alg)
- break;
-
- return tpm2_hashes[i].hash;
-}
-
-static int add_pcrs_hash(TPML_PCR_SELECTION *pcrs, char *bank)
-{
- int i;
- TPM_ALG_ID alg;
-
- for (i = 0; tpm2_hashes[i].hash; i++)
- if (strcmp(tpm2_hashes[i].hash, bank) == 0)
- break;
-
- if (!tpm2_hashes[i].hash) {
- fprintf(stderr, "unknown bank in pcrs list %s\n", bank);
- exit(1);
- }
- alg = tpm2_hashes[i].alg;
-
- for (i = 0; i < pcrs->count; i++)
- if (pcrs->pcrSelections[i].hash == alg) {
- fprintf(stderr, "hash bank %s was already specified\n",
bank);
- exit(1);
- }
-
- pcrs->pcrSelections[i].hash = alg;
- pcrs->pcrSelections[i].sizeofSelect = MAX_TPM_PCRS_ARRAY;
- pcrs->count++;
-
- return i;
-}
-
-static void update_pcrs(TPML_PCR_SELECTION *pcrs, int bank, char *str)
-{
- char *sep = strchr(str, '-');
- char *endptr;
- long from, to;
- int i;
-
- if (sep)
- *sep = '\0';
- from = to = strtol(str, &endptr, 10);
- if (*endptr != '\0' || from < 0 || from >= MAX_TPM_PCRS)
- goto err;
-
- if (sep) {
- str = sep + 1;
- to = strtol(str, &endptr, 10);
-
- if (*endptr != '\0' || to < 0 || to >= MAX_TPM_PCRS)
- goto err;
- }
- if (to < from) {
- fprintf(stderr, "Incorrect PCR range specified %ld-%ld\n",
- from, to);
- exit(1);
- }
-
- for (i = from; i <= to; i++)
- pcrs->pcrSelections[bank].pcrSelect[i/8] |= (1 << (i%8));
-
- return;
- err:
- fprintf(stderr, "incorrect PCR specification %s\n", str);
- exit(1);
-}
-
-void tpm2_get_pcr_lock(TPML_PCR_SELECTION *pcrs, char *arg)
-{
- char *sep = strchr(arg, ':');
- char *bankstr = arg;
- int bank;
-
- if (sep) {
- *sep = '\0';
- arg = sep + 1;
- } else {
- bankstr = "sha256";
- }
- bank = add_pcrs_hash(pcrs, bankstr);
- for (sep = strchr(arg, ','); sep; arg = sep + 1, sep = strchr(arg,
',')) {
- *sep = '\0';
- update_pcrs(pcrs, bank, arg);
- }
- update_pcrs(pcrs, bank, arg);
-}
-
-static int hash_print(const char *hash, int start, BYTE val, int k,
- TPML_DIGEST *dl, EVP_MD_CTX *ctx)
-{
- int i, j;
-
- for (i = 0; i < 8; i++) {
- TPM2B_DIGEST *d;
- BYTE *db;
-
- if ((val & (1 << i)) == 0)
- continue;
-
- d = &dl->digests[k++];
- db = VAL_2B_P(d, buffer);
- EVP_DigestUpdate(ctx, VAL_2B_P(d, buffer), VAL_2B_P(d, size));
- printf("%s: %02d: ", hash, start + i);
- for (j = 0; j < VAL_2B_P(d, size); j++) {
- printf("%02x", db[j]);
- }
- printf("\n");
- }
- return k;
-}
-
-static void pcr_digests_process(TPML_PCR_SELECTION *in, TPML_PCR_SELECTION
*out,
- TPML_DIGEST *d, EVP_MD_CTX *ctx)
-{
- int i, j, k = 0;
-
- for (i = 0; i < in->count; i++) {
- const char *hash = get_hash_by_alg(out->pcrSelections[i].hash);
-
- for (j = 0; j < MAX_TPM_PCRS_ARRAY; j++) {
- in->pcrSelections[i].pcrSelect[j] &=
- ~out->pcrSelections[i].pcrSelect[j];
-
- k = hash_print(hash, j * 8,
- out->pcrSelections[i].pcrSelect[j],
- k, d, ctx);
- }
- }
-}
-
-TPM_RC tpm2_pcr_lock_policy(TSS_CONTEXT *tssContext,
- TPML_PCR_SELECTION *pcrs,
- STACK_OF(TSSOPTPOLICY) *sk,
- TPMT_HA *digest)
-{
- TSSOPTPOLICY *policy = TSSOPTPOLICY_new();
- TPM_RC rc;
- BYTE buf[1024];
- UINT16 written = 0;
- INT32 size = sizeof(buf);
- const TPM_CC cc = TPM_CC_PolicyPCR;
- DIGEST_2B pcrDigest;
- BYTE *buffer = buf;
- TPML_PCR_SELECTION pcrread, pcrreturn;
- TPML_DIGEST pcr_digests;
- EVP_MD_CTX *ctx = EVP_MD_CTX_create();
-
- switch (digest->hashAlg) {
- case TPM_ALG_SHA1:
- EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
- break;
- case TPM_ALG_SHA256:
- EVP_DigestInit_ex(ctx, EVP_sha256(), NULL);
- break;
- case TPM_ALG_SHA384:
- EVP_DigestInit_ex(ctx, EVP_sha384(), NULL);
- break;
-#ifdef TPM_ALG_SHA512
- case TPM_ALG_SHA512:
- EVP_DigestInit_ex(ctx, EVP_sha512(), NULL);
- break;
-#endif
-#ifdef TPM_ALG_SM3_256
- case TPM_ALG_SM3_256:
- EVP_DigestInit_ex(ctx, EVP_sm3(), NULL);
- break;
-#endif
- default:
- fprintf(stderr, "Unknown TPM hash algorithm 0x%x\n",
- digest->hashAlg);
- exit(1);
- }
-
- pcrread = *pcrs;
-
- for (;;) {
- rc = tpm2_PCR_Read(tssContext, &pcrread, &pcrreturn,
&pcr_digests);
- if (pcr_digests.count == 0 || rc != TPM_RC_SUCCESS)
- break;
-
- pcr_digests_process(&pcrread, &pcrreturn, &pcr_digests, ctx);
- }
-
- EVP_DigestFinal_ex(ctx, pcrDigest.buffer, NULL);
- pcrDigest.size = TSS_GetDigestSize(digest->hashAlg);
- EVP_MD_CTX_destroy(ctx);
-
- if (rc)
- return rc;
-
- ASN1_INTEGER_set(policy->CommandCode, cc);
- TSS_TPM_CC_Marshal(&cc, &written, &buffer, &size);
- TSS_TPML_PCR_SELECTION_Marshal(pcrs, &written, &buffer, &size);
- memcpy(buffer, pcrDigest.buffer, pcrDigest.size);
- written += pcrDigest.size;
- ASN1_STRING_set(policy->CommandPolicy, buf + 4, written - 4);
- sk_TSSOPTPOLICY_push(sk, policy);
-
- TSS_Hash_Generate(digest,
- TSS_GetDigestSize(digest->hashAlg),
- (uint8_t *)&digest->digest,
- written, buf, 0, NULL);
-
- return TPM_RC_SUCCESS;
-}
-
-void tpm2_add_auth_policy(STACK_OF(TSSOPTPOLICY) *sk, TPMT_HA *digest)
-{
- TSSOPTPOLICY *policy = TSSOPTPOLICY_new();
- BYTE buf[4];
- BYTE *buffer = buf;
- UINT16 written = 0;
- INT32 size = sizeof(buf);
- const TPM_CC cc = TPM_CC_PolicyAuthValue;
-
- TSS_TPM_CC_Marshal(&cc, &written, &buffer, &size);
-
- ASN1_INTEGER_set(policy->CommandCode, cc);
- ASN1_STRING_set(policy->CommandPolicy, "", 0);
- sk_TSSOPTPOLICY_push(sk, policy);
-
- TSS_Hash_Generate(digest,
- TSS_GetDigestSize(digest->hashAlg),
- (uint8_t *)&digest->digest,
- written, buf, 0, NULL);
-}
-
IMPLEMENT_ASN1_FUNCTIONS(TSSOPTPOLICY)
IMPLEMENT_ASN1_FUNCTIONS(TSSLOADABLE)
IMPLEMENT_ASN1_FUNCTIONS(TSSPRIVKEY)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-3.1.0/tpm2-common.h
new/openssl_tpm2_engine-3.0.1/tpm2-common.h
--- old/openssl_tpm2_engine-3.1.0/tpm2-common.h 2022-02-17 00:15:34.000000000
+0100
+++ new/openssl_tpm2_engine-3.0.1/tpm2-common.h 2021-04-04 22:47:14.000000000
+0200
@@ -88,10 +88,4 @@
STACK_OF(TSSOPTPOLICY) *sk,
char *auth, TPMT_HA *digest);
void tpm2_free_policy(STACK_OF(TSSOPTPOLICY) *sk);
-void tpm2_get_pcr_lock(TPML_PCR_SELECTION *pcrs, char *arg);
-TPM_RC tpm2_pcr_lock_policy(TSS_CONTEXT *tssContext,
- TPML_PCR_SELECTION *pcrs,
- STACK_OF(TSSOPTPOLICY) *sk,
- TPMT_HA *digest);
-void tpm2_add_auth_policy(STACK_OF(TSSOPTPOLICY) *sk, TPMT_HA *digest);
#endif
