Hello community,
here is the log from the commit of package openssl_tpm2_engine for
openSUSE:Factory checked in at 2020-07-05 01:19:34
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssl_tpm2_engine (Old)
and /work/SRC/openSUSE:Factory/.openssl_tpm2_engine.new.3060 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssl_tpm2_engine"
Sun Jul 5 01:19:34 2020 rev:2 rq:818537 version:2.4.2
Changes:
--------
--- /work/SRC/openSUSE:Factory/openssl_tpm2_engine/openssl_tpm2_engine.changes
2020-03-29 14:26:21.930118064 +0200
+++
/work/SRC/openSUSE:Factory/.openssl_tpm2_engine.new.3060/openssl_tpm2_engine.changes
2020-07-05 01:21:13.741563609 +0200
@@ -1,0 +2,14 @@
+Fri Jul 3 09:35:56 UTC 2020 - Pedro Monreal Gonzalez
<[email protected]>
+
+- Update tarball due to download_files error
+
+-------------------------------------------------------------------
+Thu Jul 2 15:03:09 UTC 2020 - [email protected]
+
+- Update to version 2.4.2
+ * Add every TPM supported curve (as defined by the TCG)
+ * Fix a bug with explicitly parametrised curve handling (needed for BN)
+ * Update the tests to be able to use swtpm
+ * Allow loading public key without password
+
+-------------------------------------------------------------------
Old:
----
openssl_tpm2_engine-2.4.1.tar.gz
New:
----
openssl_tpm2_engine-2.4.2.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openssl_tpm2_engine.spec ++++++
--- /var/tmp/diff_new_pack.LpPPNx/_old 2020-07-05 01:21:19.181579423 +0200
+++ /var/tmp/diff_new_pack.LpPPNx/_new 2020-07-05 01:21:19.185579435 +0200
@@ -18,7 +18,7 @@
Name: openssl_tpm2_engine
-Version: 2.4.1
+Version: 2.4.2
Release: 0
Summary: OpenSSL TPM 2.0 interface engine plugin
License: LGPL-2.1-only
++++++ openssl_tpm2_engine-2.4.1.tar.gz -> openssl_tpm2_engine-2.4.2.tar.gz
++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-2.4.1/configure.ac
new/openssl_tpm2_engine-2.4.2/configure.ac
--- old/openssl_tpm2_engine-2.4.1/configure.ac 2020-03-26 05:20:49.000000000
+0100
+++ new/openssl_tpm2_engine-2.4.2/configure.ac 2020-07-02 16:14:25.000000000
+0200
@@ -2,7 +2,7 @@
# configure.in for the OpenSSL TPM engine project
#
-AC_INIT(openssl-tpm2-engine, 2.4.1, <[email protected]>)
+AC_INIT(openssl-tpm2-engine, 2.4.2, <[email protected]>)
AM_INIT_AUTOMAKE([foreign 1.6.3])
AC_CANONICAL_HOST
AM_CONDITIONAL(NATIVE_BUILD, test "x$cross_compiling" = "xno")
@@ -103,22 +103,35 @@
AC_MSG_ERROR([No TSS2 include directory found])))
AC_PATH_PROG(TPMSERVER,
tpm_server,,/bin:/usr/bin:/usr/lib/ibmtss:/usr/libexec/ibmtss)
+AC_PATH_PROG(SWTPM, swtpm,,/bin:/usr/bin:/usr/lib/ibmtss:/usr/libexec/ibmtss)
+AC_PATH_PROG(SWTPM_IOCTL,
swtpm_ioctl,,/bin:/usr/bin:/usr/lib/ibmtss:/usr/libexec/ibmtss)
CFLAGS="$CFLAGS -Wall"
SHREXT=$shrext_cmds
AC_SUBST(CFLAGS)
AC_SUBST(TSS_INCLUDE)
AC_SUBST(SHREXT)
+if test -x "${SWTPM}" -a -x "${SWTPM_IOCTL}"; then
+ testtpm=swtpm
+ unset TPMSERVER
+elif test -x "${TPMSERVER}"; then
+ testtpm=tpm_server
+else
+ testtpm=
+fi
+
+AC_SUBST(testtpm)
+
AC_OUTPUT([Makefile tests/Makefile])
cat <<EOF
CFLAGS: ${CFLAGS}
openssl engines directory: ${enginesdir}
-swtpm for testing: ${TPMSERVER}
+swtpm for testing: ${testtpm}
EOF
-if test -z "${TPMSERVER}"; then
+if test -z "${testtpm}"; then
AC_MSG_WARN([Software TPM not found, engine will build but can't be
tested])
fi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-2.4.1/e_tpm2.c
new/openssl_tpm2_engine-2.4.2/e_tpm2.c
--- old/openssl_tpm2_engine-2.4.1/e_tpm2.c 2020-03-26 05:20:49.000000000
+0100
+++ new/openssl_tpm2_engine-2.4.2/e_tpm2.c 2020-07-02 16:14:25.000000000
+0200
@@ -114,7 +114,7 @@
static int tpm2_engine_load_nvkey(ENGINE *e, EVP_PKEY **ppkey,
TPM_HANDLE key, UI_METHOD *ui,
- void *cb_data)
+ void *cb_data, int public_only)
{
TPMT_PUBLIC p;
TSS_CONTEXT *tssContext;
@@ -147,6 +147,9 @@
if (!pkey) {
fprintf(stderr, "Failed to allocate a new EVP_KEY\n");
goto err_del;
+ } else if (public_only) {
+ tpm2_delete(app_data);
+ goto out;
}
app_data->key = key;
@@ -182,6 +185,7 @@
tpm2_bind_key_to_engine(pkey, app_data);
+ out:
*ppkey = pkey;
TSS_Delete(tssContext);
@@ -197,7 +201,7 @@
static int tpm2_engine_load_key_core(ENGINE *e, EVP_PKEY **ppkey,
const char *key_id, UI_METHOD *ui,
- void *cb_data)
+ void *cb_data, int public_only)
{
EVP_PKEY *pkey;
const int nvkey_len = strlen(nvprefix);
@@ -217,15 +221,17 @@
fprintf(stderr, "nvkey is not an NV index\n");
return 0;
}
- return tpm2_engine_load_nvkey(e, ppkey, key, ui, cb_data);
+ return tpm2_engine_load_nvkey(e, ppkey, key, ui,
+ cb_data, public_only);
}
rc = tpm2_load_engine_file(key_id, &app_data, &pkey, ui, cb_data,
- srk_auth, 1);
+ srk_auth, 1, public_only);
if (!rc)
return 0;
- tpm2_bind_key_to_engine(pkey, app_data);
+ if (!public_only)
+ tpm2_bind_key_to_engine(pkey, app_data);
*ppkey = pkey;
return 1;
@@ -238,7 +244,19 @@
EVP_PKEY *pkey;
int ret;
- ret = tpm2_engine_load_key_core(e, &pkey, key_id, ui, cb);
+ ret = tpm2_engine_load_key_core(e, &pkey, key_id, ui, cb, 0);
+ if (ret == 1)
+ return pkey;
+ return NULL;
+}
+
+static EVP_PKEY *tpm2_engine_load_pubkey(ENGINE *e, const char *key_id,
+ UI_METHOD *ui, void *cb)
+{
+ EVP_PKEY *pkey;
+ int ret;
+
+ ret = tpm2_engine_load_key_core(e, &pkey, key_id, ui, cb, 1);
if (ret == 1)
return pkey;
return NULL;
@@ -257,7 +275,7 @@
!ENGINE_set_init_function(e, tpm2_engine_init) ||
!ENGINE_set_finish_function(e, tpm2_engine_finish) ||
!ENGINE_set_ctrl_function(e, tpm2_engine_ctrl) ||
- !ENGINE_set_load_pubkey_function(e, tpm2_engine_load_key) ||
+ !ENGINE_set_load_pubkey_function(e, tpm2_engine_load_pubkey) ||
!ENGINE_set_load_privkey_function(e, tpm2_engine_load_key) ||
!ENGINE_set_cmd_defns(e, tpm2_cmd_defns) ||
!tpm2_setup_ecc_methods() ||
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-2.4.1/load_tpm2_key.c
new/openssl_tpm2_engine-2.4.2/load_tpm2_key.c
--- old/openssl_tpm2_engine-2.4.1/load_tpm2_key.c 2020-03-26
05:20:49.000000000 +0100
+++ new/openssl_tpm2_engine-2.4.2/load_tpm2_key.c 2020-07-02
16:14:25.000000000 +0200
@@ -134,7 +134,7 @@
}
ret = tpm2_load_engine_file(filename, &app_data, NULL, NULL, NULL,
- auth, 0);
+ auth, 0, 0);
if (!ret) {
fprintf(stderr, "Failed to parse file %s\n", filename);
exit(1);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-2.4.1/tests/Makefile.am
new/openssl_tpm2_engine-2.4.2/tests/Makefile.am
--- old/openssl_tpm2_engine-2.4.1/tests/Makefile.am 2020-03-26
05:20:49.000000000 +0100
+++ new/openssl_tpm2_engine-2.4.2/tests/Makefile.am 2020-07-02
16:14:25.000000000 +0200
@@ -10,6 +10,7 @@
check_old_keys.sh \
check_der.sh \
create_ecc.sh \
+ create_nonopenssl_ecc.sh \
wrap_ecc.sh \
wrap_generic_ecc.sh \
wrap_pkcs12.sh \
@@ -28,13 +29,15 @@
fail_connect.sh: tpm_server_found
tpm_server_found:
- @if [ -z "$(TPMSERVER)" ]; then echo "ERROR: Can't run tests, no tpm
server is found"; exit 1; fi
+ @if [ -z "$(testtpm)" ]; then echo "ERROR: Can't run tests, no tpm
server is found"; exit 1; fi
+
+AM_TESTS_ENVIRONMENT = TPM_INTERFACE_TYPE=socsim; export TPM_INTERFACE_TYPE; \
+ srcdir=$(abs_srcdir); export srcdir; \
+ OPENSSL_CONF=$(abs_srcdir)/openssl.cnf; export OPENSSL_CONF; \
+ TPMSERVER=$(TPMSERVER); export TPMSERVER; \
+ SWTPM=$(SWTPM); export SWTPM; \
+ SWTPM_IOCTL=$(SWTPM_IOCTL); export SWTPM_IOCTL;
-AM_TESTS_ENVIRONMENT = TPM_INTERFACE_TYPE=socsim; \
- srcdir=$(abs_srcdir); \
- OPENSSL_CONF=$(abs_srcdir)/openssl.cnf; \
- TPMSERVER=$(TPMSERVER); \
- export TPM_INTERFACE_TYPE OPENSSL_CONF srcdir TPMSERVER;
TEST_EXTENSIONS = .sh
CLEANFILES = key*.tpm key*.pub key*.priv tmp.* NVChip h*.bin key*.der seal.*
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-2.4.1/tests/check_auth.sh
new/openssl_tpm2_engine-2.4.2/tests/check_auth.sh
--- old/openssl_tpm2_engine-2.4.1/tests/check_auth.sh 2020-03-26
05:20:49.000000000 +0100
+++ new/openssl_tpm2_engine-2.4.2/tests/check_auth.sh 2020-07-02
16:14:25.000000000 +0200
@@ -9,7 +9,7 @@
# 3. encode a message using the TPM key
# 4. verify the message through the public key
${bindir}/create_tpm2_key -a -k passw0rd key2.tpm && \
-openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in key2.tpm
-pubout -out key2.pub && \
+openssl rsa -engine tpm2 -inform engine -pubin -in key2.tpm -pubout -out
key2.pub && \
echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2
-keyform engine -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \
openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/openssl_tpm2_engine-2.4.1/tests/check_counter_timer.sh
new/openssl_tpm2_engine-2.4.2/tests/check_counter_timer.sh
--- old/openssl_tpm2_engine-2.4.1/tests/check_counter_timer.sh 2020-03-26
05:20:49.000000000 +0100
+++ new/openssl_tpm2_engine-2.4.2/tests/check_counter_timer.sh 2020-07-02
16:14:25.000000000 +0200
@@ -28,7 +28,7 @@
# 4. verify the message through the public key
##
${bindir}/create_tpm2_key key.tpm -a -k paSSW0RD -c policy.txt && \
-openssl rsa -engine tpm2 -inform engine -passin pass:paSSW0RD -in key.tpm
-pubout -out key.pub && \
+openssl rsa -engine tpm2 -inform engine -pubin -in key.tpm -pubout -out
key.pub && \
echo "policy counter timer" | openssl rsautl -sign -passin pass:paSSW0RD
-engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg && \
openssl rsautl -verify -in tmp.msg -inkey key.pub -pubin || exit 1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/openssl_tpm2_engine-2.4.1/tests/create_nonopenssl_ecc.sh
new/openssl_tpm2_engine-2.4.2/tests/create_nonopenssl_ecc.sh
--- old/openssl_tpm2_engine-2.4.1/tests/create_nonopenssl_ecc.sh
1970-01-01 01:00:00.000000000 +0100
+++ new/openssl_tpm2_engine-2.4.2/tests/create_nonopenssl_ecc.sh
2020-07-02 16:14:25.000000000 +0200
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+bindir=${srcdir}/..
+
+##
+# test is
+# create a private key with a non openssl curve
+# 1. create two private tpm keys
+# 2. get public keys from openssl for these (remember explicit)
+# 3. derive a shared secret using priv1 and pub2
+# 4. derive a shared secret using priv2 and pub1
+# 5. check the secrets are identical
+##
+
+
+for curve in $(${bindir}/create_tpm2_key --list-curves); do
+ if openssl ecparam -name ${curve} 2>&1 | grep -v 'unknown curve'; then
+ continue
+ fi
+ echo "Checking curve ${curve}"
+ ${bindir}/create_tpm2_key --ecc ${curve} key1.tpm || \
+ exit 1
+ openssl pkey -engine tpm2 -inform engine -in key1.tpm -pubout -out
key1.pub || exit 1
+ ${bindir}/create_tpm2_key --ecc ${curve} key2.tpm || \
+ exit 1
+ openssl pkey -engine tpm2 -inform engine -in key2.tpm -pubout -out
key2.pub || exit 1
+ openssl pkeyutl -engine tpm2 -keyform engine -inkey key1.tpm -peerkey
key2.pub -derive -out secret1.bin || exit 1
+ openssl pkeyutl -engine tpm2 -keyform engine -inkey key2.tpm -peerkey
key1.pub -derive -out secret2.bin || exit 1
+ diff -b secret1.bin secret2.bin || exit 1
+done
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-2.4.1/tests/start_sw_tpm.sh
new/openssl_tpm2_engine-2.4.2/tests/start_sw_tpm.sh
--- old/openssl_tpm2_engine-2.4.1/tests/start_sw_tpm.sh 2020-03-26
05:20:49.000000000 +0100
+++ new/openssl_tpm2_engine-2.4.2/tests/start_sw_tpm.sh 2020-07-02
16:14:25.000000000 +0200
@@ -1,9 +1,13 @@
-if [ -z "${TPMSERVER}" -o ! -x ${TPMSERVER} ]; then
- exit 1;
-fi
+#!/bin/bash
+set -x
+
# remove any prior TPM contents
-rm -f NVChip h*.bin
+rm -f NVChip h*.bin *.permall
+if [ -x "${SWTPM}" ]; then
+${SWTPM} socket --tpm2 --server type=tcp,port=2321 --ctrl type=tcp,port=2322
--tpmstate dir=`pwd` &
+else
${TPMSERVER} > /dev/null 2>&1 &
+fi
pid=$!
echo ${pid} > tpm_server.pid
##
@@ -12,11 +16,16 @@
# store it permanently at handle 81000001 and flush the transient
##
a=0; while [ $a -lt 10 ]; do
- tsspowerup
+ if [ -x "${SWTPM_IOCTL}" ]; then
+ ${SWTPM_IOCTL} --tcp 127.0.0.1:2322 -i
+ else
+ tsspowerup
+ fi
if [ $? -eq 0 ]; then
break;
fi
sleep 1
+ a=$[$a+1]
done
if [ $a -eq 10 ]; then
echo "Waited 10s for tpm_server to come up; exiting"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-2.4.1/tests/wrap_ecc.sh
new/openssl_tpm2_engine-2.4.2/tests/wrap_ecc.sh
--- old/openssl_tpm2_engine-2.4.1/tests/wrap_ecc.sh 2020-03-26
05:20:49.000000000 +0100
+++ new/openssl_tpm2_engine-2.4.2/tests/wrap_ecc.sh 2020-07-02
16:14:25.000000000 +0200
@@ -13,7 +13,19 @@
continue
fi
echo "Checking curve ${curve}"
- openssl ecparam -genkey -name ${curve} > tmp.param && \
+ openssl ecparam -param_enc named_curve -genkey -name ${curve} > tmp.param
&& \
+ openssl genpkey -paramfile tmp.param -out key.priv && \
+ ${bindir}/create_tpm2_key -p 81000001 -w key.priv key.tpm && \
+ openssl req -new -x509 -subj '/CN=test/' -key key.tpm -engine tpm2
-keyform engine -out tmp.crt && \
+ openssl verify -CAfile tmp.crt -check_ss_sig tmp.crt || \
+ exit 1
+done
+for curve in $(${bindir}/create_tpm2_key --list-curves); do
+ if openssl ecparam -name ${curve} 2>&1 | grep 'unknown curve'; then
+ continue
+ fi
+ echo "Checking curve ${curve}"
+ openssl ecparam -param_enc explicit -genkey -name ${curve} > tmp.param && \
openssl genpkey -paramfile tmp.param -out key.priv && \
${bindir}/create_tpm2_key -p 81000001 -w key.priv key.tpm && \
openssl req -new -x509 -subj '/CN=test/' -key key.tpm -engine tpm2
-keyform engine -out tmp.crt && \
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-2.4.1/tpm2-common.c
new/openssl_tpm2_engine-2.4.2/tpm2-common.c
--- old/openssl_tpm2_engine-2.4.1/tpm2-common.c 2020-03-26 05:20:49.000000000
+0100
+++ new/openssl_tpm2_engine-2.4.2/tpm2-common.c 2020-07-02 16:14:25.000000000
+0200
@@ -48,6 +48,116 @@
* openssl support (this excludes BN P256)
*/
struct tpm2_ECC_Curves tpm2_supported_curves[] = {
+ { .name = "prime192v1",
+ .nid = NID_X9_62_prime192v1,
+ .curve = TPM_ECC_NIST_P192,
+ /* p */
+ .C[0].s = 24,
+ .C[0].b = (BYTE [])
+ {
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ },
+ /* a */
+ .C[1].s = 24,
+ .C[1].b = (BYTE [])
+ {
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
+ },
+ /* b */
+ .C[2].s = 24,
+ .C[2].b = (BYTE [])
+ {
+ 0x64, 0x21, 0x05, 0x19, 0xE5, 0x9C, 0x80, 0xE7,
+ 0x0F, 0xA7, 0xE9, 0xAB, 0x72, 0x24, 0x30, 0x49,
+ 0xFE, 0xB8, 0xDE, 0xEC, 0xC1, 0x46, 0xB9, 0xB1,
+ },
+ /* gX */
+ .C[3].s = 24,
+ .C[3].b = (BYTE [])
+ {
+ 0x18, 0x8D, 0xA8, 0x0E, 0xB0, 0x30, 0x90, 0xF6,
+ 0x7C, 0xBF, 0x20, 0xEB, 0x43, 0xA1, 0x88, 0x00,
+ 0xF4, 0xFF, 0x0A, 0xFD, 0x82, 0xFF, 0x10, 0x12,
+ },
+ /* gY */
+ .C[4].s = 24,
+ .C[4].b = (BYTE [])
+ {
+ 0x07, 0x19, 0x2b, 0x95, 0xff, 0xc8, 0xda, 0x78,
+ 0x63, 0x10, 0x11, 0xed, 0x6b, 0x24, 0xcd, 0xd5,
+ 0x73, 0xf9, 0x77, 0xa1, 0x1e, 0x79, 0x48, 0x11,
+ },
+ /* order */
+ .C[5].s = 24,
+ .C[5].b = (BYTE [])
+ {
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0x99, 0xDE, 0xF8, 0x36,
+ 0x14, 0x6B, 0xC9, 0xB1, 0xB4, 0xD2, 0x28, 0x31,
+ },
+ },
+ { .name = "secp224r1",
+ .nid = NID_secp224r1,
+ .curve = TPM_ECC_NIST_P224,
+ /* p */
+ .C[0].s = 28,
+ .C[0].b = (BYTE [])
+ {
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x01,
+ },
+ /* a */
+ .C[1].s = 28,
+ .C[1].b = (BYTE [])
+ {
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFE,
+ },
+ /* b */
+ .C[2].s = 28,
+ .C[2].b = (BYTE [])
+ {
+ 0xB4, 0x05, 0x0A, 0x85, 0x0C, 0x04, 0xB3, 0xAB,
+ 0xF5, 0x41, 0x32, 0x56, 0x50, 0x44, 0xB0, 0xB7,
+ 0xD7, 0xBF, 0xD8, 0xBA, 0x27, 0x0B, 0x39, 0x43,
+ 0x23, 0x55, 0xFF, 0xB4,
+ },
+ /* gX */
+ .C[3].s = 28,
+ .C[3].b = (BYTE [])
+ {
+ 0xB7, 0x0E, 0x0C, 0xBD, 0x6B, 0xB4, 0xBF, 0x7F,
+ 0x32, 0x13, 0x90, 0xB9, 0x4A, 0x03, 0xC1, 0xD3,
+ 0x56, 0xC2, 0x11, 0x22, 0x34, 0x32, 0x80, 0xD6,
+ 0x11, 0x5C, 0x1D, 0x21,
+ },
+ /* gY */
+ .C[4].s = 28,
+ .C[4].b = (BYTE [])
+ {
+ 0xbd, 0x37, 0x63, 0x88, 0xb5, 0xf7, 0x23, 0xfb,
+ 0x4c, 0x22, 0xdf, 0xe6, 0xcd, 0x43, 0x75, 0xa0,
+ 0x5a, 0x07, 0x47, 0x64, 0x44, 0xd5, 0x81, 0x99,
+ 0x85, 0x00, 0x7e, 0x34,
+ },
+ /* order */
+ .C[5].s = 28,
+ .C[5].b = (BYTE [])
+ {
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x16, 0xA2,
+ 0xE0, 0xB8, 0xF0, 0x3E, 0x13, 0xDD, 0x29, 0x45,
+ 0x5C, 0x5C, 0x2A, 0x3D
+ },
+ },
{ .name = "prime256v1",
.nid = NID_X9_62_prime256v1,
.curve = TPM_ECC_NIST_P256,
@@ -178,6 +288,94 @@
0xEC, 0xEC, 0x19, 0x6A, 0xCC, 0xC5, 0x29, 0x73,
},
},
+ { .name = "secp521r1",
+ .nid = NID_secp521r1,
+ .curve = TPM_ECC_NIST_P521,
+ /* p */
+ .C[0].s = 66,
+ .C[0].b = (BYTE [])
+ {
+ 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF,
+ },
+ /* a */
+ .C[1].s = 66,
+ .C[1].b = (BYTE [])
+ {
+ 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFC,
+ },
+ /* b */
+ .C[2].s = 66,
+ .C[2].b = (BYTE [])
+ {
+ 0x00, 0x51, 0x95, 0x3E, 0xB9, 0x61, 0x8E, 0x1C,
+ 0x9A, 0x1F, 0x92, 0x9A, 0x21, 0xA0, 0xB6, 0x85,
+ 0x40, 0xEE, 0xA2, 0xDA, 0x72, 0x5B, 0x99, 0xB3,
+ 0x15, 0xF3, 0xB8, 0xB4, 0x89, 0x91, 0x8E, 0xF1,
+ 0x09, 0xE1, 0x56, 0x19, 0x39, 0x51, 0xEC, 0x7E,
+ 0x93, 0x7B, 0x16, 0x52, 0xC0, 0xBD, 0x3B, 0xB1,
+ 0xBF, 0x07, 0x35, 0x73, 0xDF, 0x88, 0x3D, 0x2C,
+ 0x34, 0xF1, 0xEF, 0x45, 0x1F, 0xD4, 0x6B, 0x50,
+ 0x3F, 0x00,
+ },
+ /* gX */
+ .C[3].s = 66,
+ .C[3].b = (BYTE [])
+ {
+ 0x00, 0xC6, 0x85, 0x8E, 0x06, 0xB7, 0x04, 0x04,
+ 0xE9, 0xCD, 0x9E, 0x3E, 0xCB, 0x66, 0x23, 0x95,
+ 0xB4, 0x42, 0x9C, 0x64, 0x81, 0x39, 0x05, 0x3F,
+ 0xB5, 0x21, 0xF8, 0x28, 0xAF, 0x60, 0x6B, 0x4D,
+ 0x3D, 0xBA, 0xA1, 0x4B, 0x5E, 0x77, 0xEF, 0xE7,
+ 0x59, 0x28, 0xFE, 0x1D, 0xC1, 0x27, 0xA2, 0xFF,
+ 0xA8, 0xDE, 0x33, 0x48, 0xB3, 0xC1, 0x85, 0x6A,
+ 0x42, 0x9B, 0xF9, 0x7E, 0x7E, 0x31, 0xC2, 0xE5,
+ 0xBD, 0x66,
+ },
+ /* gY */
+ .C[4].s = 66,
+ .C[4].b = (BYTE [])
+ {
+ 0x01, 0x18, 0x39, 0x29, 0x6a, 0x78, 0x9a, 0x3b,
+ 0xc0, 0x04, 0x5c, 0x8a, 0x5f, 0xb4, 0x2c, 0x7d,
+ 0x1b, 0xd9, 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b,
+ 0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17, 0x27, 0x3e,
+ 0x66, 0x2c, 0x97, 0xee, 0x72, 0x99, 0x5e, 0xf4,
+ 0x26, 0x40, 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad,
+ 0x07, 0x61, 0x35, 0x3c, 0x70, 0x86, 0xa2, 0x72,
+ 0xc2, 0x40, 0x88, 0xbe, 0x94, 0x76, 0x9f, 0xd1,
+ 0x66, 0x50,
+ },
+ /* order */
+ .C[5].s = 66,
+ .C[5].b = (BYTE [])
+ {
+ 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFA, 0x51, 0x86, 0x87, 0x83, 0xBF, 0x2F,
+ 0x96, 0x6B, 0x7F, 0xCC, 0x01, 0x48, 0xF7, 0x09,
+ 0xA5, 0xD0, 0x3B, 0xB5, 0xC9, 0xB8, 0x89, 0x9C,
+ 0x47, 0xAE, 0xBB, 0x6F, 0xB7, 0x1E, 0x91, 0x38,
+ 0x64, 0x09
+ },
+ },
/* openssl unknown algorithms below */
{ .name = "bnp256",
.nid = 0,
@@ -226,6 +424,130 @@
0xF6, 0x2D, 0x53, 0x6C, 0xD1, 0x0B, 0x50, 0x0D,
},
},
+ { .name = "bnp638",
+ .nid = 0,
+ .curve = TPM_ECC_BN_P638,
+ /* p */
+ .C[0].s = 80,
+ .C[0].b = (BYTE [])
+ {
+ 0x23, 0xFF, 0xFF, 0xFD, 0xC0, 0x00, 0x00, 0x0D,
+ 0x7F, 0xFF, 0xFF, 0xB8, 0x00, 0x00, 0x01, 0xD3,
+ 0xFF, 0xFF, 0xF9, 0x42, 0xD0, 0x00, 0x16, 0x5E,
+ 0x3F, 0xFF, 0x94, 0x87, 0x00, 0x00, 0xD5, 0x2F,
+ 0xFF, 0xFD, 0xD0, 0xE0, 0x00, 0x08, 0xDE, 0x55,
+ 0xC0, 0x00, 0x86, 0x52, 0x00, 0x21, 0xE5, 0x5B,
+ 0xFF, 0xFF, 0xF5, 0x1F, 0xFF, 0xF4, 0xEB, 0x80,
+ 0x00, 0x00, 0x00, 0x4C, 0x80, 0x01, 0x5A, 0xCD,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xEC, 0xE0,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x67
+ },
+ /* a */
+ .C[1].s = 1 ,
+ .C[1].b = (BYTE [])
+ {
+ 0x00,
+ },
+ /* b */
+ .C[2].s = 2,
+ .C[2].b = (BYTE [])
+ {
+ 0x01, 0x01,
+ },
+ /* gX */
+ .C[3].s = 80,
+ .C[3].b = (BYTE [])
+ {
+ 0x23, 0xFF, 0xFF, 0xFD, 0xC0, 0x00, 0x00, 0x0D,
+ 0x7F, 0xFF, 0xFF, 0xB8, 0x00, 0x00, 0x01, 0xD3,
+ 0xFF, 0xFF, 0xF9, 0x42, 0xD0, 0x00, 0x16, 0x5E,
+ 0x3F, 0xFF, 0x94, 0x87, 0x00, 0x00, 0xD5, 0x2F,
+ 0xFF, 0xFD, 0xD0, 0xE0, 0x00, 0x08, 0xDE, 0x55,
+ 0xC0, 0x00, 0x86, 0x52, 0x00, 0x21, 0xE5, 0x5B,
+ 0xFF, 0xFF, 0xF5, 0x1F, 0xFF, 0xF4, 0xEB, 0x80,
+ 0x00, 0x00, 0x00, 0x4C, 0x80, 0x01, 0x5A, 0xCD,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xEC, 0xE0,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x66,
+ },
+ /* gY */
+ .C[4].s = 1,
+ .C[4].b = (BYTE [])
+ {
+ 0x010,
+ },
+ /* order */
+ .C[5].s = 80,
+ .C[5].b = (BYTE [])
+ {
+ 0x23, 0xFF, 0xFF, 0xFD, 0xC0, 0x00, 0x00, 0x0D,
+ 0x7F, 0xFF, 0xFF, 0xB8, 0x00, 0x00, 0x01, 0xD3,
+ 0xFF, 0xFF, 0xF9, 0x42, 0xD0, 0x00, 0x16, 0x5E,
+ 0x3F, 0xFF, 0x94, 0x87, 0x00, 0x00, 0xD5, 0x2F,
+ 0xFF, 0xFD, 0xD0, 0xE0, 0x00, 0x08, 0xDE, 0x55,
+ 0x60, 0x00, 0x86, 0x55, 0x00, 0x21, 0xE5, 0x55,
+ 0xFF, 0xFF, 0xF5, 0x4F, 0xFF, 0xF4, 0xEA, 0xC0,
+ 0x00, 0x00, 0x00, 0x49, 0x80, 0x01, 0x54, 0xD9,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xED, 0xA0,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x61
},
+ },
+ { .name = "sm2",
+ .nid = 0,
+ .curve = TPM_ECC_SM2_P256,
+ /* p */
+ .C[0].s = 32,
+ .C[0].b = (BYTE [])
+ {
+ 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ },
+ /* a */
+ .C[1].s = 32,
+ .C[1].b = (BYTE [])
+ {
+ 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
+ },
+ /* b */
+ .C[2].s = 32,
+ .C[2].b = (BYTE [])
+ {
+ 0x28, 0xE9, 0xFA, 0x9E, 0x9D, 0x9F, 0x5E, 0x34,
+ 0x4D, 0x5A, 0x9E, 0x4B, 0xCF, 0x65, 0x09, 0xA7,
+ 0xF3, 0x97, 0x89, 0xF5, 0x15, 0xAB, 0x8F, 0x92,
+ 0xDD, 0xBC, 0xBD, 0x41, 0x4D, 0x94, 0x0E, 0x93,
+ },
+ /* gX */
+ .C[3].s = 32,
+ .C[3].b = (BYTE [])
+ {
+ 0x32, 0xC4, 0xAE, 0x2C, 0x1F, 0x19, 0x81, 0x19,
+ 0x5F, 0x99, 0x04, 0x46, 0x6A, 0x39, 0xC9, 0x94,
+ 0x8F, 0xE3, 0x0B, 0xBF, 0xF2, 0x66, 0x0B, 0xE1,
+ 0x71, 0x5A, 0x45, 0x89, 0x33, 0x4C, 0x74, 0xC7,
+ },
+ /* gY */
+ .C[4].s = 32,
+ .C[4].b = (BYTE [])
+ {
+ 0xBC, 0x37, 0x36, 0xA2, 0xF4, 0xF6, 0x77, 0x9C,
+ 0x59, 0xBD, 0xCE, 0xE3, 0x6B, 0x69, 0x21, 0x53,
+ 0xD0, 0xA9, 0x87, 0x7C, 0xC6, 0x2A, 0x47, 0x40,
+ 0x02, 0xDF, 0x32, 0xE5, 0x21, 0x39, 0xF0, 0xA0,
+ },
+ /* order */
+ .C[5].s = 32,
+ .C[5].b = (BYTE [])
+ {
+ 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0x72, 0x03, 0xDF, 0x6B, 0x21, 0xC6, 0x05, 0x2B,
+ 0x53, 0xBB, 0xF4, 0x09, 0x39, 0xD5, 0x41, 0x23,
+ },
+ },
{ .name = NULL, }
};
@@ -404,6 +726,7 @@
if (!g)
goto err;
+ EC_GROUP_set_asn1_flag(g, 0);
P = EC_POINT_new(g);
if (!P)
goto err;
@@ -1033,7 +1356,8 @@
int tpm2_load_engine_file(const char *filename, struct app_data **app_data,
EVP_PKEY **ppkey, UI_METHOD *ui, void *cb_data,
- const char *srk_auth, int get_key_auth)
+ const char *srk_auth, int get_key_auth,
+ int public_only)
{
BIO *bf;
TSSLOADABLE *tssl = NULL;
@@ -1158,6 +1482,19 @@
TPM2B_PUBLIC_Unmarshal(&iin.objectPublic, &buffer, &size, FALSE);
ad->name_alg = iin.objectPublic.publicArea.nameAlg;
+ /* create the new objects to return */
+ if (ppkey) {
+ *ppkey = tpm2_to_openssl_public(&iin.objectPublic.publicArea);
+ if (!*ppkey) {
+ fprintf(stderr, "Failed to allocate a new EVP_KEY\n");
+ goto err_free;
+ }
+ if (public_only) {
+ tpm2_delete(ad);
+ goto out;
+ }
+ }
+
if (strcmp(OID_importableKey, oid) == 0) {
TPM_HANDLE session;
TSS_CONTEXT *tssContext;
@@ -1219,7 +1556,7 @@
TSS_Delete(tssContext);
if (rc) {
tpm2_error(rc, reason);
- goto err_free;
+ goto err_free_key;
}
buf = priv_2b.t.buffer;
size = sizeof(priv_2b.t.buffer);
@@ -1228,27 +1565,18 @@
&buf, &size);
ad->priv = OPENSSL_malloc(written);
if (!ad->priv)
- goto err_free;
+ goto err_free_key;
ad->priv_len = written;
memcpy(ad->priv, priv_2b.t.buffer, written);
} else {
ad->priv = OPENSSL_malloc(privkey->length);
if (!ad->priv)
- goto err_free;
+ goto err_free_key;
ad->priv_len = privkey->length;
memcpy(ad->priv, privkey->data, ad->priv_len);
}
- /* create the new objects to return */
- if (ppkey) {
- *ppkey = tpm2_to_openssl_public(&iin.objectPublic.publicArea);
- if (!*ppkey) {
- fprintf(stderr, "Failed to allocate a new EVP_KEY\n");
- goto err_free;
- }
- }
-
if (empty_auth == 0 && get_key_auth) {
ad->auth = tpm2_get_auth(ui, "TPM Key Password: ", cb_data);
if (!ad->auth)
@@ -1262,6 +1590,7 @@
if (!tpm2_engine_load_key_policy(ad, policy))
goto err_free_key;
+ out:
TSSLOADABLE_free(tssl);
TSSPRIVKEY_free(tpk);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-2.4.1/tpm2-common.h
new/openssl_tpm2_engine-2.4.2/tpm2-common.h
--- old/openssl_tpm2_engine-2.4.1/tpm2-common.h 2020-03-26 05:20:49.000000000
+0100
+++ new/openssl_tpm2_engine-2.4.2/tpm2-common.h 2020-07-02 16:14:25.000000000
+0200
@@ -70,7 +70,8 @@
const EC_POINT *pt);
int tpm2_load_engine_file(const char *filename, struct app_data **app_data,
EVP_PKEY **ppkey, UI_METHOD *ui, void *cb_data,
- const char *srk_auth, int get_key_auth);
+ const char *srk_auth, int get_key_auth,
+ int public_only);
TPM_HANDLE tpm2_load_key(TSS_CONTEXT **tsscp, struct app_data *app_data,
const char *srk_auth, uint32_t *psession);
void tpm2_unload_key(TSS_CONTEXT *tssContext, TPM_HANDLE key);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openssl_tpm2_engine-2.4.1/unseal_tpm2_data.c
new/openssl_tpm2_engine-2.4.2/unseal_tpm2_data.c
--- old/openssl_tpm2_engine-2.4.1/unseal_tpm2_data.c 2020-03-26
05:20:49.000000000 +0100
+++ new/openssl_tpm2_engine-2.4.2/unseal_tpm2_data.c 2020-07-02
16:14:25.000000000 +0200
@@ -136,7 +136,7 @@
UI_method_set_reader(ui, ui_read);
rc = tpm2_load_engine_file(filename, &app_data, NULL,
- ui, pass, parent_auth, 1);
+ ui, pass, parent_auth, 1, 0);
if (!rc) {
reason = "tpm2_engine_load_file";
rc = NOT_TPM_ERROR;
