Accepting request 1037119 from home:pmonrealgonzalez:branches:security

- Build with OpenSSL 3.0 deprecated functions until fixed upstream
in the next version update [bsc#1205042]
  * ibmtss-openssl3-deprecation.patch
- Add upstream patches to fix build with OpenSSL 3.0
  * ibmtss-regtests-Update-openssl-key-generation-for-3.0.0.patch
  * ibmtss-utils-Update-certifyx509-for-Openssl-3.0.0.patch
  * ibmtss-utils-Remove-unused-variables-from-certifyx509.patch
  * ibmtss-tss-Port-HMAC-operations-to-openssl-3.0.patch
  * ibmtss-utils-Port-to-openssl-3.0.0-replaces-RSA-with-EVP_PK.patch

OBS-URL: https://build.opensuse.org/request/show/1037119
OBS-URL: https://build.opensuse.org/package/show/security/ibmtss?expand=0&rev=43

ibmtss-openssl3-deprecation.patch

@@ -0,0 +1,26 @@
+Index: ibmtss-1.6.0/build.sh
+===================================================================
+--- ibmtss-1.6.0.orig/build.sh
++++ ibmtss-1.6.0/build.sh
+@@ -13,7 +13,7 @@ cleanup() {
+ }
+ 
+ CC="${CC:-gcc}"
+-CFLAGS="${CFLAGS:--Wformat -Werror=format-security -Werror=implicit-function-declaration -Werror=return-type -fno-common}"
++CFLAGS="${CFLAGS:--Wformat -Werror=format-security -Werror=implicit-function-declaration -Werror=return-type -fno-common -Wno-error=deprecated-declarations}"
+ PREFIX="${PREFIX:-$HOME/tpm2}"
+ 
+ export LD_LIBRARY_PATH="$PREFIX/lib64:$PREFIX/lib:/usr/local/lib64:/usr/local/lib"
+Index: ibmtss-1.6.0/configure.ac
+===================================================================
+--- ibmtss-1.6.0.orig/configure.ac
++++ ibmtss-1.6.0/configure.ac
+@@ -71,7 +71,7 @@ AC_ARG_ENABLE(debug,
+ 
+ # Linux requires -DTPM_POSIX
+ case $host_os in
+-       linux-*)        CFLAGS="-DTPM_POSIX $CFLAGS" ;;
++       linux-*)        CFLAGS="-DTPM_POSIX $CFLAGS -Wno-error=deprecated-declarations" ;;
+ esac
+ 
+ AC_ARG_ENABLE(tpm-2.0,

ibmtss-regtests-Update-openssl-key-generation-for-3.0.0.patch

@@ -0,0 +1,453 @@
+From f1c6b44f95392c156b235d42bccc8235ee24bb6f Mon Sep 17 00:00:00 2001
+From: Ken Goldman <kgoldman@us.ibm.com>
+Date: Wed, 11 Aug 2021 18:22:41 -0400
+Subject: regtests: Update openssl key generation for 3.0.0
+
+OpenSSL 3.0.0 used a different pem and der key format.  Update the
+command line calls.  Bypass the tests that use these functions for
+mbedtls, which does not support the new format.
+
+Signed-off-by: Ken Goldman <kgoldman@us.ibm.com>
+
+diff --git a/utils/regtests/testdup.sh b/utils/regtests/testdup.sh
+index eeca02f..e849e44 100755
+--- a/utils/regtests/testdup.sh
++++ b/utils/regtests/testdup.sh
+@@ -7,7 +7,7 @@
+ #			     Written by Ken Goldman				#
+ #		       IBM Thomas J. Watson Research Center			#
+ #										#
+-# (c) Copyright IBM Corporation 2015 - 2020					#
++# (c) Copyright IBM Corporation 2015 - 2021					#
+ # 										#
+ # All rights reserved.								#
+ # 										#
+@@ -215,7 +215,12 @@ echo ""
+ 
+ if   [ ${CRYPTOLIBRARY} == "openssl" ]; then
+     echo "generate the RSA signing key with openssl"
+-    openssl genrsa -out tmpprivkey.pem -aes256 -passout pass:rrrr 2048 > run.out 2>&1
++
++    openssl genpkey -out tmpprivkey.pem -outform pem -aes-256-cbc -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -pass pass:rrrr > run.out 2>&1
++
++# The following worked up to Openssl 3.0.0.  The key generation
++# remains here for when mbedtls is updated, but the tests are now
++# if'ed out
+ 
+ elif [ ${CRYPTOLIBRARY} == "mbedtls" ]; then
+     echo "Generate the RSA signing  key with openssl"
+@@ -232,22 +237,24 @@ else
+     exit 255
+ fi
+ 
+-echo "load the ECC storage key 80000001"
+-${PREFIX}load -hp 80000000 -pwdp sto -ipr storeeccnistp256priv.bin -ipu storeeccnistp256pub.bin > run.out
+-checkSuccess $?
++if   [ ${CRYPTOLIBRARY} == "openssl" ]; then
+ 
+-echo "Start an HMAC auth session"
+-${PREFIX}startauthsession -se h > run.out
+-checkSuccess $?
++    echo "load the ECC storage key 80000001"
++    ${PREFIX}load -hp 80000000 -pwdp sto -ipr storeeccnistp256priv.bin -ipu storeeccnistp256pub.bin > run.out
++    checkSuccess $?
+ 
+-for SESS in "" "-se0 02000000 1"
+-do
+-    for HALG in ${ITERATE_ALGS}
+-    do
++    echo "Start an HMAC auth session"
++    ${PREFIX}startauthsession -se h > run.out
++    checkSuccess $?
+ 
+-	for PARENT in 80000000 80000001
++    for SESS in "" "-se0 02000000 1"
++    do
++	for HALG in ${ITERATE_ALGS}
+ 	do
+ 
++	    for PARENT in 80000000 80000001
++	    do
++
+ 		echo "Import the signing key under the parent key ${PARENT} ${HALG}"
+ 		${PREFIX}importpem -hp ${PARENT} -pwdp sto -ipem tmpprivkey.pem -pwdk rrrr -opu tmppub.bin -opr tmppriv.bin -halg ${HALG} > run.out
+ 		checkSuccess $?
+@@ -268,9 +275,10 @@ do
+ 		${PREFIX}flushcontext -ha 80000002 > run.out
+ 		checkSuccess $?
+ 
++	    done
+ 	done
+     done
+-done
++fi
+ 
+ echo ""
+ echo "Import PEM EC signing key under RSA and ECC storage key"
+@@ -300,49 +308,53 @@ else
+     exit 255
+ fi
+ 
+-for CURVE in "nistp256" "nistp384"
+-do
+-    
+-    for SESS in "" "-se0 02000000 1"
++if   [ ${CRYPTOLIBRARY} == "openssl" ]; then
++
++    for CURVE in "nistp256" "nistp384"
+     do
+-	for HALG in ${ITERATE_ALGS}
+-	do
+ 
+-	    for PARENT in 80000000 80000001
++	for SESS in "" "-se0 02000000 1"
++	do
++	    for HALG in ${ITERATE_ALGS}
+ 	    do
+ 
+-		echo "Import the ${CURVE} signing key under the parent key ${PARENT} ${HALG}"
+-		${PREFIX}importpem -hp ${PARENT} -pwdp sto -ipem tmpec${CURVE}privkey.pem -ecc -pwdk rrrr -opu tmppub.bin -opr tmppriv.bin -halg ${HALG} > run.out
+-		checkSuccess $?
++		for PARENT in 80000000 80000001
++		do
+ 
+-		echo "Load the TPM signing key"
+-		${PREFIX}load -hp ${PARENT} -pwdp sto -ipu tmppub.bin -ipr tmppriv.bin > run.out
+-		checkSuccess $?
++		    echo "Import the ${CURVE} signing key under the parent key ${PARENT} ${HALG}"
++		    ${PREFIX}importpem -hp ${PARENT} -pwdp sto -ipem tmpec${CURVE}privkey.pem -ecc -pwdk rrrr -opu tmppub.bin -opr tmppriv.bin -halg ${HALG} > run.out
++		    checkSuccess $?
+ 
+-		echo "Sign the message ${HALG} ${SESS}"
+-		${PREFIX}sign -hk 80000002 -salg ecc -pwdk rrrr -if policies/aaa -os tmpsig.bin -halg ${HALG} ${SESS} > run.out
+-		checkSuccess $?
++		    echo "Load the TPM signing key"
++		    ${PREFIX}load -hp ${PARENT} -pwdp sto -ipu tmppub.bin -ipr tmppriv.bin > run.out
++		    checkSuccess $?
+ 
+-		echo "Verify the signature ${HALG}"
+-		${PREFIX}verifysignature -hk 80000002 -ecc -if policies/aaa -is tmpsig.bin -halg ${HALG} > run.out
+-		checkSuccess $?
++		    echo "Sign the message ${HALG} ${SESS}"
++		    ${PREFIX}sign -hk 80000002 -salg ecc -pwdk rrrr -if policies/aaa -os tmpsig.bin -halg ${HALG} ${SESS} > run.out
++		    checkSuccess $?
+ 
+-		echo "Flush the signing key"
+-		${PREFIX}flushcontext -ha 80000002 > run.out
+-		checkSuccess $?
++		    echo "Verify the signature ${HALG}"
++		    ${PREFIX}verifysignature -hk 80000002 -ecc -if policies/aaa -is tmpsig.bin -halg ${HALG} > run.out
++		    checkSuccess $?
+ 
++		    echo "Flush the signing key"
++		    ${PREFIX}flushcontext -ha 80000002 > run.out
++		    checkSuccess $?
++
++		done
+ 	    done
+ 	done
+     done
+-done
+ 
+-echo "Flush the ECC storage key"
+-${PREFIX}flushcontext -ha 80000001 > run.out
+-checkSuccess $?
++    echo "Flush the ECC storage key"
++    ${PREFIX}flushcontext -ha 80000001 > run.out
++    checkSuccess $?
+ 
+-echo "Flush the auth session"
+-${PREFIX}flushcontext -ha 02000000 > run.out
+-checkSuccess $?
++    echo "Flush the auth session"
++    ${PREFIX}flushcontext -ha 02000000 > run.out
++    checkSuccess $?
++
++fi
+ 
+ echo ""
+ echo "Rewrap"
+diff --git a/utils/regtests/testrsa.sh b/utils/regtests/testrsa.sh
+index 4f76522..5ae0b29 100755
+--- a/utils/regtests/testrsa.sh
++++ b/utils/regtests/testrsa.sh
+@@ -7,7 +7,7 @@
+ #			     Written by Ken Goldman				#
+ #		       IBM Thomas J. Watson Research Center			#
+ #										#
+-# (c) Copyright IBM Corporation 2015 - 2020					#
++# (c) Copyright IBM Corporation 2015 - 2021					#
+ # 										#
+ # All rights reserved.								#
+ # 										#
+@@ -59,20 +59,25 @@ if   [ ${CRYPTOLIBRARY} == "openssl" ]; then
+     do
+ 
+ 	echo "Generate the RSA $BITS encryption key with openssl"
+-	openssl genrsa -out tmpkeypairrsa${BITS}.pem -aes256 -passout pass:rrrr ${BITS} > run.out 2>&1
++	openssl genpkey -out tmpkeypairrsa${BITS}.pem -outform pem -aes-256-cbc -algorithm rsa -pkeyopt rsa_keygen_bits:${BITS} -pass pass:rrrr > run.out 2>&1
+ 
+ 	echo "Convert key pair to plaintext DER format"
+-	openssl rsa -inform pem -outform der -in tmpkeypairrsa${BITS}.pem -out tmpkeypairrsa${BITS}.der -passin pass:rrrr > run.out 2>&1
++	openssl pkey -inform pem -in tmpkeypairrsa${BITS}.pem -outform der -out tmpkeypairrsa${BITS}.der -passin pass:rrrr > run.out 2>&1
+ 
+     done
+ 
++
++# The following worked up to Openssl 3.0.0.  The key generation
++# remains here for when mbedtls is updated, but the tests are now
++# if'ed out
++
+ elif [ ${CRYPTOLIBRARY} == "mbedtls" ]; then
+ 
+     for BITS in 2048 3072
+     do
+ 
+ 	echo "Generate the RSA $BITS encryption key with openssl"
+-	openssl genrsa -out tmpkeypairrsaenc${BITS}.pem -aes256 -passout pass:rrrr ${BITS} > run.out 2>&1
++	openssl genrsa -out tmpkeypairrsaenc${BITS}.pem -outform pem -aes-256-cbc -algorithm rsa -pkeyopt rsa_keygen_bits:${BITS} -pass:rrrr > run.out 2>&1
+ 
+ 	echo "Convert RSA $BITS key pair to plaintext DER format"
+ 	openssl rsa -in tmpkeypairrsaenc${BITS}.pem -passin pass:rrrr -outform der -out tmpkeypairrsa${BITS}.der > run.out 2>&1
+@@ -158,20 +163,22 @@ do
+ 
+ done
+ 
+-echo ""
+-echo "Import PEM RSA encryption key"
+-echo ""
++if   [ ${CRYPTOLIBRARY} == "openssl" ]; then
+ 
+-echo "Start an HMAC auth session"
+-${PREFIX}startauthsession -se h > run.out
+-checkSuccess $?
++    echo ""
++    echo "Import PEM RSA encryption key"
++    echo ""
+ 
+-for BITS in 2048 3072
+-do
++    echo "Start an HMAC auth session"
++    ${PREFIX}startauthsession -se h > run.out
++    checkSuccess $?
+ 
+-    for SESS in "" "-se0 02000000 1"
++    for BITS in 2048 3072
+     do
+ 
++	for SESS in "" "-se0 02000000 1"
++	do
++
+ 	echo "Import the $BITS encryption key under the primary key"
+ 	${PREFIX}importpem -hp 80000000 -den -pwdp sto -ipem tmpkeypairrsa${BITS}.pem -pwdk rrrr -opu tmppub.bin -opr tmppriv.bin > run.out
+ 	checkSuccess $?
+@@ -201,97 +208,98 @@ do
+ 	${PREFIX}flushcontext -ha 80000001 > run.out
+ 	checkSuccess $?
+ 
++	done
++
+     done
+ 
+-done
++    echo "Flush the session"
++    ${PREFIX}flushcontext -ha 02000000 > run.out
++    checkSuccess $?
+ 
+-echo "Flush the session"
+-${PREFIX}flushcontext -ha 02000000 > run.out
+-checkSuccess $?
++    echo ""
++    echo "Import PEM RSA encryption key userWithAuth test"
++    echo ""
+ 
+-echo ""
+-echo "Import PEM RSA encryption key userWithAuth test"
+-echo ""
++    echo "Import the RSA 2048 encryption key under the primary key 80000000"
++    ${PREFIX}importpem -hp 80000000 -den -pwdp sto -ipem tmpkeypairrsa2048.pem -pwdk rrrr -opu tmppub.bin -opr tmppriv.bin > run.out
++    checkSuccess $?
+ 
+-echo "Import the RSA 2048 encryption key under the primary key 80000000"
+-${PREFIX}importpem -hp 80000000 -den -pwdp sto -ipem tmpkeypairrsa2048.pem -pwdk rrrr -opu tmppub.bin -opr tmppriv.bin > run.out
+-checkSuccess $?
++    echo "Load the RSA 2048 encryption key 80000001"
++    ${PREFIX}load -hp 80000000 -pwdp sto -ipu tmppub.bin -ipr tmppriv.bin > run.out
++    checkSuccess $?
+ 
+-echo "Load the RSA 2048 encryption key 80000001"
+-${PREFIX}load -hp 80000000 -pwdp sto -ipu tmppub.bin -ipr tmppriv.bin > run.out
+-checkSuccess $?
++    echo "RSA encrypt with the encryption key"
++    ${PREFIX}rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > run.out
++    checkSuccess $?
+ 
+-echo "RSA encrypt with the encryption key"
+-${PREFIX}rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > run.out
+-checkSuccess $?
++    echo "RSA decrypt with the decryption key and password"
++    ${PREFIX}rsadecrypt -hk 80000001 -pwdk rrrr -ie enc.bin -od dec.bin > run.out
++    checkSuccess $?
+ 
+-echo "RSA decrypt with the decryption key and password"
+-${PREFIX}rsadecrypt -hk 80000001 -pwdk rrrr -ie enc.bin -od dec.bin > run.out
+-checkSuccess $?
++    echo "Flush the encryption key"
++    ${PREFIX}flushcontext -ha 80000001 > run.out
++    checkSuccess $?
+ 
+-echo "Flush the encryption key"
+-${PREFIX}flushcontext -ha 80000001 > run.out
+-checkSuccess $?
++    echo "Import the RSA 2048 encryption key under the primary key, userWithAuth false"
++    ${PREFIX}importpem -hp 80000000 -si -pwdp sto -ipem tmpkeypairrsa2048.pem -pwdk rrrr -uwa -opu tmppub.bin -opr tmppriv.bin > run.out
++    checkSuccess $?
+ 
+-echo "Import the RSA 2048 encryption key under the primary key, userWithAuth false"
+-${PREFIX}importpem -hp 80000000 -si -pwdp sto -ipem tmpkeypairrsa2048.pem -pwdk rrrr -uwa -opu tmppub.bin -opr tmppriv.bin > run.out
+-checkSuccess $?
++    echo "Load the RSA 2048 encryption key"
++    ${PREFIX}load -hp 80000000 -pwdp sto -ipu tmppub.bin -ipr tmppriv.bin > run.out
++    checkSuccess $?
+ 
+-echo "Load the RSA 2048 encryption key"
+-${PREFIX}load -hp 80000000 -pwdp sto -ipu tmppub.bin -ipr tmppriv.bin > run.out
+-checkSuccess $?
++    echo "RSA decrypt with the decryption key and password - should fail"
++    ${PREFIX}rsadecrypt -hk 80000001 -pwdk rrrr -ie enc.bin -od dec.bin > run.out
++    checkFailure $?
+ 
+-echo "RSA decrypt with the decryption key and password - should fail"
+-${PREFIX}rsadecrypt -hk 80000001 -pwdk rrrr -ie enc.bin -od dec.bin > run.out
+-checkFailure $?
++    echo "Flush the encryption key"
++    ${PREFIX}flushcontext -ha 80000001 > run.out
++    checkSuccess $?
+ 
+-echo "Flush the encryption key"
+-${PREFIX}flushcontext -ha 80000001 > run.out
+-checkSuccess $?
++    echo ""
++    echo "Loadexternal DER encryption key"
++    echo ""
+ 
++    for BITS in 2048 3072
++    do
+ 
+-echo ""
+-echo "Loadexternal DER encryption key"
+-echo ""
++	echo "Start an HMAC auth session"
++	${PREFIX}startauthsession -se h > run.out
++	checkSuccess $?
+ 
+-for BITS in 2048 3072
+-do
++	for SESS in "" "-se0 02000000 1"
++	do
+ 
+-    echo "Start an HMAC auth session"
+-    ${PREFIX}startauthsession -se h > run.out
+-    checkSuccess $?
++	    echo "Load the openssl key pair in the NULL hierarchy 80000001"
++	    ${PREFIX}loadexternal -den -ider tmpkeypairrsa${BITS}.der -pwdk rrrr > run.out
++	    checkSuccess $?
+ 
+-    for SESS in "" "-se0 02000000 1"
+-    do
++	    echo "RSA encrypt with the encryption key"
++	    ${PREFIX}rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > run.out
++	    checkSuccess $?
+ 
+-	echo "Load the openssl key pair in the NULL hierarchy 80000001"
+-	${PREFIX}loadexternal -den -ider tmpkeypairrsa${BITS}.der -pwdk rrrr > run.out
+-	checkSuccess $?
++	    echo "RSA decrypt with the decryption key ${SESS}"
++	    ${PREFIX}rsadecrypt -hk 80000001 -pwdk rrrr -ie enc.bin -od dec.bin ${SESS} > run.out
++	    checkSuccess $?
+ 
+-	echo "RSA encrypt with the encryption key"
+-	${PREFIX}rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > run.out
+-	checkSuccess $?
++	    echo "Verify the decrypt result"
++	    tail -c 3 dec.bin > tmp.bin
++	    diff policies/aaa tmp.bin > run.out
++	    checkSuccess $?
+ 
+-	echo "RSA decrypt with the decryption key ${SESS}"
+-	${PREFIX}rsadecrypt -hk 80000001 -pwdk rrrr -ie enc.bin -od dec.bin ${SESS} > run.out
+-	checkSuccess $?
++	    echo "Flush the encryption key"
++	    ${PREFIX}flushcontext -ha 80000001 > run.out
++	    checkSuccess $?
+ 
+-	echo "Verify the decrypt result"
+-	tail -c 3 dec.bin > tmp.bin
+-	diff policies/aaa tmp.bin > run.out
+-	checkSuccess $?
++    done
+ 
+-	echo "Flush the encryption key"
+-	${PREFIX}flushcontext -ha 80000001 > run.out
++	echo "Flush the session"
++	${PREFIX}flushcontext -ha 02000000 > run.out
+ 	checkSuccess $?
+ 
+     done
+ 
+-    echo "Flush the session"
+-    ${PREFIX}flushcontext -ha 02000000 > run.out
+-    checkSuccess $?
+-
+-done
++fi
+ 
+ echo ""
+ echo "Encrypt with OpenSSL OAEP, decrypt with TPM"
+diff --git a/utils/regtests/testsalt.sh b/utils/regtests/testsalt.sh
+index 1bdc1a7..e0c3376 100755
+--- a/utils/regtests/testsalt.sh
++++ b/utils/regtests/testsalt.sh
+@@ -91,16 +91,17 @@ echo ""
+ echo "Salt Session - Load External"
+ echo ""
+ 
+-echo "Create RSA and ECC key pairs in PEM format using openssl"
++echo "Create RSA key pair in DER format using openssl"
+   
+-openssl genrsa -out tmpkeypairrsa.pem -aes256 -passout pass:rrrr 2048 > run.out 2>&1
+-openssl ecparam -name prime256v1 -genkey -noout -out tmpkeypairecc.pem > run.out 2>&1
++openssl genpkey -out tmpkeypairrsa.der -outform der -aes-256-cbc -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -pass pass:rrrr > run.out 2>&1
+ 
++echo "Create ECC key pair in PEM format using openssl"
+ echo "Convert key pair to plaintext DER format"
+ 
+-openssl rsa -inform pem -outform der -in tmpkeypairrsa.pem -out tmpkeypairrsa.der -passin pass:rrrr > run.out 2>&1
++openssl ecparam -name prime256v1 -genkey -noout -out tmpkeypairecc.pem > run.out 2>&1
+ openssl ec -inform pem -outform der -in tmpkeypairecc.pem -out tmpkeypairecc.der -passin pass:rrrr > run.out 2>&1
+ 
++
+ for HALG in ${ITERATE_ALGS}
+ do
+ 
+diff --git a/utils/regtests/testsign.sh b/utils/regtests/testsign.sh
+index edfa014..3002ceb 100755
+--- a/utils/regtests/testsign.sh
++++ b/utils/regtests/testsign.sh
+@@ -47,11 +47,9 @@ echo ""
+ for BITS in 2048 3072
+ do
+ 
+-    echo "Create an RSA $BITS key pair in PEM format using openssl"
+-    openssl genrsa -out tmpkeypairrsa${BITS}.pem -aes256 -passout pass:rrrr 2048 > run.out 2>&1
++    echo "Create an RSA $BITS key pair in DER format using openssl"
+ 
+-    echo "Convert RSA $BITS key pair to plaintext DER format"
+-    openssl rsa -inform pem -outform der -in tmpkeypairrsa${BITS}.pem -out tmpkeypairrsa${BITS}.der -passin pass:rrrr > run.out 2>&1
++    openssl genpkey -out tmpkeypairrsa${BITS}.der -outform der -aes-256-cbc -algorithm rsa -pkeyopt rsa_keygen_bits:${BITS} -pass pass:rrrr > run.out 2>&1
+ 
+     echo "Load the RSA $BITS signing key under the primary key"
+     ${PREFIX}load -hp 80000000 -ipr signrsa${BITS}priv.bin -ipu signrsa${BITS}pub.bin -pwdp sto > run.out
+-- 
+2.38.0
+

ibmtss-tss-Port-HMAC-operations-to-openssl-3.0.patch

@@ -0,0 +1,237 @@
+From 6e22032d637ea8c28cf84efa837a22909873466a Mon Sep 17 00:00:00 2001
+From: Ken Goldman <kgold@linux.ibm.com>
+Date: Fri, 10 Sep 2021 16:33:10 -0400
+Subject: tss: Port HMAC operations to openssl 3.0
+
+Replace the deprecated APIs.
+
+Signed-off-by: Ken Goldman <kgold@linux.ibm.com>
+
+diff --git a/utils/tsscrypto.c b/utils/tsscrypto.c
+index 35f0ed3..c2ce01a 100644
+--- a/utils/tsscrypto.c
++++ b/utils/tsscrypto.c
+@@ -79,6 +79,7 @@ extern int tssVerbose;
+ 
+ /* local prototypes */
+ 
++static TPM_RC TSS_Hash_GetOsslString(const char **str, TPMI_ALG_HASH hashAlg);
+ static TPM_RC TSS_Hash_GetMd(const EVP_MD **md,
+ 			     TPMI_ALG_HASH hashAlg);
+ 
+@@ -129,36 +130,51 @@ TPM_RC TSS_Crypto_Init(void)
+   Digests
+ */
+ 
+-static TPM_RC TSS_Hash_GetMd(const EVP_MD **md,
+-			     TPMI_ALG_HASH hashAlg)
++/* TSS_Hash_GetString() maps from the TCG hash algorithm to the OpenSSL string */
++
++static TPM_RC TSS_Hash_GetOsslString(const char **str, TPMI_ALG_HASH hashAlg)
+ {
+-    TPM_RC		rc = 0;
++    TPM_RC	rc = 0;
+ 
+-    if (rc == 0) {
+-	switch (hashAlg) {
++    switch (hashAlg) {
+ #ifdef TPM_ALG_SHA1
+-	  case TPM_ALG_SHA1:
+-	    *md = EVP_get_digestbyname("sha1");
+-	    break;
++      case TPM_ALG_SHA1:
++	*str = "sha1";
++	break;
+ #endif
+-#ifdef TPM_ALG_SHA256	
+-	  case TPM_ALG_SHA256:
+-	    *md = EVP_get_digestbyname("sha256");
+-	    break;
++#ifdef TPM_ALG_SHA256
++      case TPM_ALG_SHA256:
++	*str = "sha256";
++	break;
+ #endif
+ #ifdef TPM_ALG_SHA384
+-	  case 	TPM_ALG_SHA384:
+-	    *md = EVP_get_digestbyname("sha384");
+-	    break;
++      case TPM_ALG_SHA384:
++	*str = "sha384";
++	break;
+ #endif
+ #ifdef TPM_ALG_SHA512
+-	  case 	TPM_ALG_SHA512:
+-	    *md = EVP_get_digestbyname("sha512");
+-	    break;
++      case TPM_ALG_SHA512:
++	*str = "sha512";
++	break;
+ #endif
+-	  default:
+-	    rc = TSS_RC_BAD_HASH_ALGORITHM;
+-	}
++      default:
++	*str = NULL;
++	rc = TSS_RC_BAD_HASH_ALGORITHM;
++    }
++    return rc;
++}
++
++static TPM_RC TSS_Hash_GetMd(const EVP_MD **md,
++			     TPMI_ALG_HASH hashAlg)
++{
++    TPM_RC		rc = 0;
++    const char 		*str = NULL; 
++
++    if (rc == 0) {
++	rc =  TSS_Hash_GetOsslString(&str, hashAlg);
++    }
++    if (rc == 0) {
++	*md = EVP_get_digestbyname(str);
+     }
+     return rc;
+ }
+@@ -175,37 +191,84 @@ TPM_RC TSS_HMAC_Generate_valist(TPMT_HA *digest,		/* largest size of a digest */
+     TPM_RC		rc = 0;
+     int 		irc = 0;
+     int			done = FALSE;
+-    const EVP_MD 	*md;	/* message digest method */
+-#if OPENSSL_VERSION_NUMBER < 0x10100000
++    uint8_t 		*buffer;	/* segment to hash */
++    int			length;		/* segment to hash */
++#if OPENSSL_VERSION_NUMBER < 0x10100000	
+     HMAC_CTX 		ctx;
++    const EVP_MD 	*md = NULL;	/* message digest method */
++#elif OPENSSL_VERSION_NUMBER < 0x30000000
++    HMAC_CTX 		*ctx = NULL;
++    const EVP_MD 	*md = NULL;	/* message digest method */
+ #else
+-    HMAC_CTX 		*ctx;
++    EVP_MAC 		*mac = NULL;
++    EVP_MAC_CTX 	*ctx = NULL;
++    const char 		*algString = NULL;
++    OSSL_PARAM 		params[2];
++    size_t		outLength;
+ #endif
+-    int			length;
+-    uint8_t 		*buffer;
+-    
++
++    /* initialize the HMAC context */
+ #if OPENSSL_VERSION_NUMBER < 0x10100000
+     HMAC_CTX_init(&ctx);
++#elif OPENSSL_VERSION_NUMBER < 0x30000000
++    if (rc == 0) {
++	ctx = HMAC_CTX_new();
++	if (ctx == NULL) {
++	    if (tssVerbose) printf("TSS_Hash_Generate_valist: HMAC_CTX_new failed\n");
++	    rc = TSS_RC_OUT_OF_MEMORY;
++	}
++    }
+ #else
+-    ctx = HMAC_CTX_new();
++    if (rc == 0) {
++	mac = EVP_MAC_fetch(NULL, "hmac", NULL);
++	if (mac == NULL) {
++	    if (tssVerbose) printf("TSS_Hash_Generate_valist: EVP_MAC_new failed\n");
++	    rc = TSS_RC_OUT_OF_MEMORY;
++	}
++    }
++    if (rc == 0) {
++	ctx = EVP_MAC_CTX_new(mac);
++	if (ctx == NULL) {
++	    if (tssVerbose) printf("TSS_Hash_Generate_valist: EVP_MAC_CTX_new failed\n");
++	    rc = TSS_RC_OUT_OF_MEMORY;
++	}
++    }
+ #endif
++
++    /* get the message digest */
++#if OPENSSL_VERSION_NUMBER < 0x30000000
+     if (rc == 0) {
+ 	rc = TSS_Hash_GetMd(&md, digest->hashAlg);
+     }
++#else
++    /* map algorithm to string */
++    if (rc == 0) {
++	rc =  TSS_Hash_GetOsslString(&algString, digest->hashAlg);
++    }
++#endif
++
++    /* initialize the MAC context */
+     if (rc == 0) {
+ #if OPENSSL_VERSION_NUMBER < 0x10100000
+ 	irc = HMAC_Init_ex(&ctx,
+ 			   hmacKey->b.buffer, hmacKey->b.size,	/* HMAC key */
+ 			   md,					/* message digest method */
+ 			   NULL);
+-#else
++#elif OPENSSL_VERSION_NUMBER < 0x30000000
+ 	irc = HMAC_Init_ex(ctx,
+ 			   hmacKey->b.buffer, hmacKey->b.size,	/* HMAC key */
+ 			   md,					/* message digest method */
+ 			   NULL);
++#else
++	params[0] = OSSL_PARAM_construct_utf8_string("digest", (char *)algString, 0);
++	params[1] = OSSL_PARAM_construct_end();
++	irc = EVP_MAC_init(ctx,
++			   hmacKey->b.buffer, hmacKey->b.size,	/* HMAC key */
++			   params);				/* message digest method */
+ #endif
+-	
+-	if (irc == 0) {
++
++	if (irc != 1) {
++	    if (tssVerbose) printf("TSS_HMAC_Generate: HMAC Init failed\n");
+ 	    rc = TSS_RC_HMAC;
+ 	}
+     }
+@@ -220,11 +283,13 @@ TPM_RC TSS_HMAC_Generate_valist(TPMT_HA *digest,		/* largest size of a digest */
+ 	    else {
+ #if OPENSSL_VERSION_NUMBER < 0x10100000
+ 		irc = HMAC_Update(&ctx, buffer, length);
+-#else
++#elif OPENSSL_VERSION_NUMBER < 0x30000000
+ 		irc = HMAC_Update(ctx, buffer, length);
++#else
++		irc = EVP_MAC_update(ctx, buffer, length);
+ #endif
+-		if (irc == 0) {
+-		    if (tssVerbose) printf("TSS_HMAC_Generate: HMAC_Update failed\n");
++		if (irc != 1) {
++		    if (tssVerbose) printf("TSS_HMAC_Generate: HMAC Update failed\n");
+ 		    rc = TSS_RC_HMAC;
+ 		}
+ 	    }
+@@ -237,18 +302,24 @@ TPM_RC TSS_HMAC_Generate_valist(TPMT_HA *digest,		/* largest size of a digest */
+     if (rc == 0) {
+ #if OPENSSL_VERSION_NUMBER < 0x10100000
+ 	irc = HMAC_Final(&ctx, (uint8_t *)&digest->digest, NULL);
+-#else
++#elif OPENSSL_VERSION_NUMBER < 0x30000000
+ 	irc = HMAC_Final(ctx, (uint8_t *)&digest->digest, NULL);
++#else
++	irc = EVP_MAC_final(ctx, (uint8_t *)&digest->digest,  &outLength, sizeof(digest->digest));
+ #endif
+ 	if (irc == 0) {
++	    if (tssVerbose) printf("TSS_HMAC_Generate: HMAC Final failed\n");
+ 	    rc = TSS_RC_HMAC;
+ 	}
+     }
+ #if OPENSSL_VERSION_NUMBER < 0x10100000
+     HMAC_CTX_cleanup(&ctx);
+-#else
++#elif OPENSSL_VERSION_NUMBER < 0x30000000
+     HMAC_CTX_free(ctx);
+-#endif
++#else
++    EVP_MAC_CTX_free(ctx);
++    EVP_MAC_free(mac);
++ #endif
+     return rc;
+ }
+ 
+-- 
+2.38.0
+

ibmtss-utils-Remove-unused-variables-from-certifyx509.patch

@@ -0,0 +1,51 @@
+From f335860d99fe11eec5599e1e53960ff1e75c0f82 Mon Sep 17 00:00:00 2001
+From: Ken Goldman <kgoldman@us.ibm.com>
+Date: Mon, 23 Aug 2021 17:30:56 -0400
+Subject: utils: Remove unused variables from certifyx509
+
+notBefore and notAfter are set driectly in the partialCertificate
+structure, and that is used to directly set the x509 structure.
+
+Signed-off-by: Ken Goldman <kgoldman@us.ibm.com>
+
+diff --git a/utils/certifyx509.c b/utils/certifyx509.c
+index ed42ac0..44640aa 100644
+--- a/utils/certifyx509.c
++++ b/utils/certifyx509.c
+@@ -204,6 +204,7 @@ int main(int argc, char *argv[])
+     setvbuf(stdout, 0, _IONBF, 0);      /* output may be going through pipe to log file */
+     TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ 
++    curveID = curveID;		/* no longer used, get from parent */
+     /* command line argument defaults */
+     for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ 	if (strcmp(argv[i],"-ho") == 0) {
+@@ -686,8 +687,6 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate,	/* input /
+     X509_NAME 	*x509SubjectName = NULL;/* composite subject name, key/value pairs */
+     size_t	issuerEntriesSize = sizeof(issuerEntries)/sizeof(char *);
+     size_t	subjectEntriesSize = sizeof(subjectEntries)/sizeof(char *);
+-    ASN1_TIME 	*notBefore = NULL;
+-    ASN1_TIME 	*notAfter = NULL;
+     uint8_t 	*tmpPartialDer = NULL;	/* for the i2d */
+ 
+     /* add issuer */
+@@ -717,8 +716,6 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate,	/* input /
+ 	}
+     }
+     if (rc == 0) {
+-	/* can't fail, just returns a structure member */
+-	notBefore = X509_get_notBefore(x509Certificate);
+ 	irc = X509_set1_notBefore(x509Certificate, partialCertificate->validity->notBefore);
+ 	if (irc == 0) {
+ 	    printf("createPartialCertificate: Error setting notBefore time\n");
+@@ -737,7 +734,6 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate,	/* input /
+ 	}
+     }
+     if (rc == 0) {
+-	notAfter = X509_get_notAfter(x509Certificate);
+ 	irc = X509_set1_notAfter(x509Certificate,partialCertificate->validity->notAfter);
+ 	if (irc == 0) {
+ 	    printf("createPartialCertificate: Error setting notAfter time\n");
+-- 
+2.38.0
+

ibmtss.changes

@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Wed Nov  9 13:33:51 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
+
+- Build with OpenSSL 3.0 deprecated functions until fixed upstream
+in the next version update [bsc#1205042]
+  * ibmtss-openssl3-deprecation.patch
+- Add upstream patches to fix build with OpenSSL 3.0
+  * ibmtss-regtests-Update-openssl-key-generation-for-3.0.0.patch
+  * ibmtss-utils-Update-certifyx509-for-Openssl-3.0.0.patch
+  * ibmtss-utils-Remove-unused-variables-from-certifyx509.patch
+  * ibmtss-tss-Port-HMAC-operations-to-openssl-3.0.patch
+  * ibmtss-utils-Port-to-openssl-3.0.0-replaces-RSA-with-EVP_PK.patch
+
 -------------------------------------------------------------------
 Thu Nov 25 11:48:53 UTC 2021 - Michal Suchanek <msuchanek@suse.com>
 

ibmtss.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package ibmtss
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -32,6 +32,12 @@ URL:            https://sourceforge.net/projects/ibmtpm20tss
 Source:         https://sourceforge.net/projects/ibmtpm20tss/files/ibmtss%{version}.tar.gz
 Source1:        90-tpm-ibmtss.rules
 Patch1:         ibmtss-configure.ac-Do-not-disable-optimization-for-debug-b.patch
+Patch2:         ibmtss-regtests-Update-openssl-key-generation-for-3.0.0.patch
+Patch3:         ibmtss-utils-Update-certifyx509-for-Openssl-3.0.0.patch
+Patch4:         ibmtss-utils-Remove-unused-variables-from-certifyx509.patch
+Patch5:         ibmtss-tss-Port-HMAC-operations-to-openssl-3.0.patch
+Patch6:         ibmtss-utils-Port-to-openssl-3.0.0-replaces-RSA-with-EVP_PK.patch
+Patch7:         ibmtss-openssl3-deprecation.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  ibmswtpm2