Accepting request 1130230 from security

OBS-URL: https://build.opensuse.org/request/show/1130230
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ibmtss?expand=0&rev=21

ibmtss-openssl3-deprecation.patch

@@ -1,26 +0,0 @@
-Index: ibmtss-1.6.0/build.sh
-===================================================================
---- ibmtss-1.6.0.orig/build.sh
-+++ ibmtss-1.6.0/build.sh
-@@ -13,7 +13,7 @@ cleanup() {
- }
- 
- CC="${CC:-gcc}"
--CFLAGS="${CFLAGS:--Wformat -Werror=format-security -Werror=implicit-function-declaration -Werror=return-type -fno-common}"
-+CFLAGS="${CFLAGS:--Wformat -Werror=format-security -Werror=implicit-function-declaration -Werror=return-type -fno-common -Wno-error=deprecated-declarations}"
- PREFIX="${PREFIX:-$HOME/tpm2}"
- 
- export LD_LIBRARY_PATH="$PREFIX/lib64:$PREFIX/lib:/usr/local/lib64:/usr/local/lib"
-Index: ibmtss-1.6.0/configure.ac
-===================================================================
---- ibmtss-1.6.0.orig/configure.ac
-+++ ibmtss-1.6.0/configure.ac
-@@ -71,7 +71,7 @@ AC_ARG_ENABLE(debug,
- 
- # Linux requires -DTPM_POSIX
- case $host_os in
--       linux-*)        CFLAGS="-DTPM_POSIX $CFLAGS" ;;
-+       linux-*)        CFLAGS="-DTPM_POSIX $CFLAGS -Wno-error=deprecated-declarations" ;;
- esac
- 
- AC_ARG_ENABLE(tpm-2.0,

ibmtss-regtests-Update-openssl-key-generation-for-3.0.0.patch

@@ -1,453 +0,0 @@
-From f1c6b44f95392c156b235d42bccc8235ee24bb6f Mon Sep 17 00:00:00 2001
-From: Ken Goldman <kgoldman@us.ibm.com>
-Date: Wed, 11 Aug 2021 18:22:41 -0400
-Subject: regtests: Update openssl key generation for 3.0.0
-
-OpenSSL 3.0.0 used a different pem and der key format.  Update the
-command line calls.  Bypass the tests that use these functions for
-mbedtls, which does not support the new format.
-
-Signed-off-by: Ken Goldman <kgoldman@us.ibm.com>
-
-diff --git a/utils/regtests/testdup.sh b/utils/regtests/testdup.sh
-index eeca02f..e849e44 100755
---- a/utils/regtests/testdup.sh
-+++ b/utils/regtests/testdup.sh
-@@ -7,7 +7,7 @@
- #			     Written by Ken Goldman				#
- #		       IBM Thomas J. Watson Research Center			#
- #										#
--# (c) Copyright IBM Corporation 2015 - 2020					#
-+# (c) Copyright IBM Corporation 2015 - 2021					#
- # 										#
- # All rights reserved.								#
- # 										#
-@@ -215,7 +215,12 @@ echo ""
- 
- if   [ ${CRYPTOLIBRARY} == "openssl" ]; then
-     echo "generate the RSA signing key with openssl"
--    openssl genrsa -out tmpprivkey.pem -aes256 -passout pass:rrrr 2048 > run.out 2>&1
-+
-+    openssl genpkey -out tmpprivkey.pem -outform pem -aes-256-cbc -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -pass pass:rrrr > run.out 2>&1
-+
-+# The following worked up to Openssl 3.0.0.  The key generation
-+# remains here for when mbedtls is updated, but the tests are now
-+# if'ed out
- 
- elif [ ${CRYPTOLIBRARY} == "mbedtls" ]; then
-     echo "Generate the RSA signing  key with openssl"
-@@ -232,22 +237,24 @@ else
-     exit 255
- fi
- 
--echo "load the ECC storage key 80000001"
--${PREFIX}load -hp 80000000 -pwdp sto -ipr storeeccnistp256priv.bin -ipu storeeccnistp256pub.bin > run.out
--checkSuccess $?
-+if   [ ${CRYPTOLIBRARY} == "openssl" ]; then
- 
--echo "Start an HMAC auth session"
--${PREFIX}startauthsession -se h > run.out
--checkSuccess $?
-+    echo "load the ECC storage key 80000001"
-+    ${PREFIX}load -hp 80000000 -pwdp sto -ipr storeeccnistp256priv.bin -ipu storeeccnistp256pub.bin > run.out
-+    checkSuccess $?
- 
--for SESS in "" "-se0 02000000 1"
--do
--    for HALG in ${ITERATE_ALGS}
--    do
-+    echo "Start an HMAC auth session"
-+    ${PREFIX}startauthsession -se h > run.out
-+    checkSuccess $?
- 
--	for PARENT in 80000000 80000001
-+    for SESS in "" "-se0 02000000 1"
-+    do
-+	for HALG in ${ITERATE_ALGS}
- 	do
- 
-+	    for PARENT in 80000000 80000001
-+	    do
-+
- 		echo "Import the signing key under the parent key ${PARENT} ${HALG}"
- 		${PREFIX}importpem -hp ${PARENT} -pwdp sto -ipem tmpprivkey.pem -pwdk rrrr -opu tmppub.bin -opr tmppriv.bin -halg ${HALG} > run.out
- 		checkSuccess $?
-@@ -268,9 +275,10 @@ do
- 		${PREFIX}flushcontext -ha 80000002 > run.out
- 		checkSuccess $?
- 
-+	    done
- 	done
-     done
--done
-+fi
- 
- echo ""
- echo "Import PEM EC signing key under RSA and ECC storage key"
-@@ -300,49 +308,53 @@ else
-     exit 255
- fi
- 
--for CURVE in "nistp256" "nistp384"
--do
--    
--    for SESS in "" "-se0 02000000 1"
-+if   [ ${CRYPTOLIBRARY} == "openssl" ]; then
-+
-+    for CURVE in "nistp256" "nistp384"
-     do
--	for HALG in ${ITERATE_ALGS}
--	do
- 
--	    for PARENT in 80000000 80000001
-+	for SESS in "" "-se0 02000000 1"
-+	do
-+	    for HALG in ${ITERATE_ALGS}
- 	    do
- 
--		echo "Import the ${CURVE} signing key under the parent key ${PARENT} ${HALG}"
--		${PREFIX}importpem -hp ${PARENT} -pwdp sto -ipem tmpec${CURVE}privkey.pem -ecc -pwdk rrrr -opu tmppub.bin -opr tmppriv.bin -halg ${HALG} > run.out
--		checkSuccess $?
-+		for PARENT in 80000000 80000001
-+		do
- 
--		echo "Load the TPM signing key"
--		${PREFIX}load -hp ${PARENT} -pwdp sto -ipu tmppub.bin -ipr tmppriv.bin > run.out
--		checkSuccess $?
-+		    echo "Import the ${CURVE} signing key under the parent key ${PARENT} ${HALG}"
-+		    ${PREFIX}importpem -hp ${PARENT} -pwdp sto -ipem tmpec${CURVE}privkey.pem -ecc -pwdk rrrr -opu tmppub.bin -opr tmppriv.bin -halg ${HALG} > run.out
-+		    checkSuccess $?
- 
--		echo "Sign the message ${HALG} ${SESS}"
--		${PREFIX}sign -hk 80000002 -salg ecc -pwdk rrrr -if policies/aaa -os tmpsig.bin -halg ${HALG} ${SESS} > run.out
--		checkSuccess $?
-+		    echo "Load the TPM signing key"
-+		    ${PREFIX}load -hp ${PARENT} -pwdp sto -ipu tmppub.bin -ipr tmppriv.bin > run.out
-+		    checkSuccess $?
- 
--		echo "Verify the signature ${HALG}"
--		${PREFIX}verifysignature -hk 80000002 -ecc -if policies/aaa -is tmpsig.bin -halg ${HALG} > run.out
--		checkSuccess $?
-+		    echo "Sign the message ${HALG} ${SESS}"
-+		    ${PREFIX}sign -hk 80000002 -salg ecc -pwdk rrrr -if policies/aaa -os tmpsig.bin -halg ${HALG} ${SESS} > run.out
-+		    checkSuccess $?
- 
--		echo "Flush the signing key"
--		${PREFIX}flushcontext -ha 80000002 > run.out
--		checkSuccess $?
-+		    echo "Verify the signature ${HALG}"
-+		    ${PREFIX}verifysignature -hk 80000002 -ecc -if policies/aaa -is tmpsig.bin -halg ${HALG} > run.out
-+		    checkSuccess $?
- 
-+		    echo "Flush the signing key"
-+		    ${PREFIX}flushcontext -ha 80000002 > run.out
-+		    checkSuccess $?
-+
-+		done
- 	    done
- 	done
-     done
--done
- 
--echo "Flush the ECC storage key"
--${PREFIX}flushcontext -ha 80000001 > run.out
--checkSuccess $?
-+    echo "Flush the ECC storage key"
-+    ${PREFIX}flushcontext -ha 80000001 > run.out
-+    checkSuccess $?
- 
--echo "Flush the auth session"
--${PREFIX}flushcontext -ha 02000000 > run.out
--checkSuccess $?
-+    echo "Flush the auth session"
-+    ${PREFIX}flushcontext -ha 02000000 > run.out
-+    checkSuccess $?
-+
-+fi
- 
- echo ""
- echo "Rewrap"
-diff --git a/utils/regtests/testrsa.sh b/utils/regtests/testrsa.sh
-index 4f76522..5ae0b29 100755
---- a/utils/regtests/testrsa.sh
-+++ b/utils/regtests/testrsa.sh
-@@ -7,7 +7,7 @@
- #			     Written by Ken Goldman				#
- #		       IBM Thomas J. Watson Research Center			#
- #										#
--# (c) Copyright IBM Corporation 2015 - 2020					#
-+# (c) Copyright IBM Corporation 2015 - 2021					#
- # 										#
- # All rights reserved.								#
- # 										#
-@@ -59,20 +59,25 @@ if   [ ${CRYPTOLIBRARY} == "openssl" ]; then
-     do
- 
- 	echo "Generate the RSA $BITS encryption key with openssl"
--	openssl genrsa -out tmpkeypairrsa${BITS}.pem -aes256 -passout pass:rrrr ${BITS} > run.out 2>&1
-+	openssl genpkey -out tmpkeypairrsa${BITS}.pem -outform pem -aes-256-cbc -algorithm rsa -pkeyopt rsa_keygen_bits:${BITS} -pass pass:rrrr > run.out 2>&1
- 
- 	echo "Convert key pair to plaintext DER format"
--	openssl rsa -inform pem -outform der -in tmpkeypairrsa${BITS}.pem -out tmpkeypairrsa${BITS}.der -passin pass:rrrr > run.out 2>&1
-+	openssl pkey -inform pem -in tmpkeypairrsa${BITS}.pem -outform der -out tmpkeypairrsa${BITS}.der -passin pass:rrrr > run.out 2>&1
- 
-     done
- 
-+
-+# The following worked up to Openssl 3.0.0.  The key generation
-+# remains here for when mbedtls is updated, but the tests are now
-+# if'ed out
-+
- elif [ ${CRYPTOLIBRARY} == "mbedtls" ]; then
- 
-     for BITS in 2048 3072
-     do
- 
- 	echo "Generate the RSA $BITS encryption key with openssl"
--	openssl genrsa -out tmpkeypairrsaenc${BITS}.pem -aes256 -passout pass:rrrr ${BITS} > run.out 2>&1
-+	openssl genrsa -out tmpkeypairrsaenc${BITS}.pem -outform pem -aes-256-cbc -algorithm rsa -pkeyopt rsa_keygen_bits:${BITS} -pass:rrrr > run.out 2>&1
- 
- 	echo "Convert RSA $BITS key pair to plaintext DER format"
- 	openssl rsa -in tmpkeypairrsaenc${BITS}.pem -passin pass:rrrr -outform der -out tmpkeypairrsa${BITS}.der > run.out 2>&1
-@@ -158,20 +163,22 @@ do
- 
- done
- 
--echo ""
--echo "Import PEM RSA encryption key"
--echo ""
-+if   [ ${CRYPTOLIBRARY} == "openssl" ]; then
- 
--echo "Start an HMAC auth session"
--${PREFIX}startauthsession -se h > run.out
--checkSuccess $?
-+    echo ""
-+    echo "Import PEM RSA encryption key"
-+    echo ""
- 
--for BITS in 2048 3072
--do
-+    echo "Start an HMAC auth session"
-+    ${PREFIX}startauthsession -se h > run.out
-+    checkSuccess $?
- 
--    for SESS in "" "-se0 02000000 1"
-+    for BITS in 2048 3072
-     do
- 
-+	for SESS in "" "-se0 02000000 1"
-+	do
-+
- 	echo "Import the $BITS encryption key under the primary key"
- 	${PREFIX}importpem -hp 80000000 -den -pwdp sto -ipem tmpkeypairrsa${BITS}.pem -pwdk rrrr -opu tmppub.bin -opr tmppriv.bin > run.out
- 	checkSuccess $?
-@@ -201,97 +208,98 @@ do
- 	${PREFIX}flushcontext -ha 80000001 > run.out
- 	checkSuccess $?
- 
-+	done
-+
-     done
- 
--done
-+    echo "Flush the session"
-+    ${PREFIX}flushcontext -ha 02000000 > run.out
-+    checkSuccess $?
- 
--echo "Flush the session"
--${PREFIX}flushcontext -ha 02000000 > run.out
--checkSuccess $?
-+    echo ""
-+    echo "Import PEM RSA encryption key userWithAuth test"
-+    echo ""
- 
--echo ""
--echo "Import PEM RSA encryption key userWithAuth test"
--echo ""
-+    echo "Import the RSA 2048 encryption key under the primary key 80000000"
-+    ${PREFIX}importpem -hp 80000000 -den -pwdp sto -ipem tmpkeypairrsa2048.pem -pwdk rrrr -opu tmppub.bin -opr tmppriv.bin > run.out
-+    checkSuccess $?
- 
--echo "Import the RSA 2048 encryption key under the primary key 80000000"
--${PREFIX}importpem -hp 80000000 -den -pwdp sto -ipem tmpkeypairrsa2048.pem -pwdk rrrr -opu tmppub.bin -opr tmppriv.bin > run.out
--checkSuccess $?
-+    echo "Load the RSA 2048 encryption key 80000001"
-+    ${PREFIX}load -hp 80000000 -pwdp sto -ipu tmppub.bin -ipr tmppriv.bin > run.out
-+    checkSuccess $?
- 
--echo "Load the RSA 2048 encryption key 80000001"
--${PREFIX}load -hp 80000000 -pwdp sto -ipu tmppub.bin -ipr tmppriv.bin > run.out
--checkSuccess $?
-+    echo "RSA encrypt with the encryption key"
-+    ${PREFIX}rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > run.out
-+    checkSuccess $?
- 
--echo "RSA encrypt with the encryption key"
--${PREFIX}rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > run.out
--checkSuccess $?
-+    echo "RSA decrypt with the decryption key and password"
-+    ${PREFIX}rsadecrypt -hk 80000001 -pwdk rrrr -ie enc.bin -od dec.bin > run.out
-+    checkSuccess $?
- 
--echo "RSA decrypt with the decryption key and password"
--${PREFIX}rsadecrypt -hk 80000001 -pwdk rrrr -ie enc.bin -od dec.bin > run.out
--checkSuccess $?
-+    echo "Flush the encryption key"
-+    ${PREFIX}flushcontext -ha 80000001 > run.out
-+    checkSuccess $?
- 
--echo "Flush the encryption key"
--${PREFIX}flushcontext -ha 80000001 > run.out
--checkSuccess $?
-+    echo "Import the RSA 2048 encryption key under the primary key, userWithAuth false"
-+    ${PREFIX}importpem -hp 80000000 -si -pwdp sto -ipem tmpkeypairrsa2048.pem -pwdk rrrr -uwa -opu tmppub.bin -opr tmppriv.bin > run.out
-+    checkSuccess $?
- 
--echo "Import the RSA 2048 encryption key under the primary key, userWithAuth false"
--${PREFIX}importpem -hp 80000000 -si -pwdp sto -ipem tmpkeypairrsa2048.pem -pwdk rrrr -uwa -opu tmppub.bin -opr tmppriv.bin > run.out
--checkSuccess $?
-+    echo "Load the RSA 2048 encryption key"
-+    ${PREFIX}load -hp 80000000 -pwdp sto -ipu tmppub.bin -ipr tmppriv.bin > run.out
-+    checkSuccess $?
- 
--echo "Load the RSA 2048 encryption key"
--${PREFIX}load -hp 80000000 -pwdp sto -ipu tmppub.bin -ipr tmppriv.bin > run.out
--checkSuccess $?
-+    echo "RSA decrypt with the decryption key and password - should fail"
-+    ${PREFIX}rsadecrypt -hk 80000001 -pwdk rrrr -ie enc.bin -od dec.bin > run.out
-+    checkFailure $?
- 
--echo "RSA decrypt with the decryption key and password - should fail"
--${PREFIX}rsadecrypt -hk 80000001 -pwdk rrrr -ie enc.bin -od dec.bin > run.out
--checkFailure $?
-+    echo "Flush the encryption key"
-+    ${PREFIX}flushcontext -ha 80000001 > run.out
-+    checkSuccess $?
- 
--echo "Flush the encryption key"
--${PREFIX}flushcontext -ha 80000001 > run.out
--checkSuccess $?
-+    echo ""
-+    echo "Loadexternal DER encryption key"
-+    echo ""
- 
-+    for BITS in 2048 3072
-+    do
- 
--echo ""
--echo "Loadexternal DER encryption key"
--echo ""
-+	echo "Start an HMAC auth session"
-+	${PREFIX}startauthsession -se h > run.out
-+	checkSuccess $?
- 
--for BITS in 2048 3072
--do
-+	for SESS in "" "-se0 02000000 1"
-+	do
- 
--    echo "Start an HMAC auth session"
--    ${PREFIX}startauthsession -se h > run.out
--    checkSuccess $?
-+	    echo "Load the openssl key pair in the NULL hierarchy 80000001"
-+	    ${PREFIX}loadexternal -den -ider tmpkeypairrsa${BITS}.der -pwdk rrrr > run.out
-+	    checkSuccess $?
- 
--    for SESS in "" "-se0 02000000 1"
--    do
-+	    echo "RSA encrypt with the encryption key"
-+	    ${PREFIX}rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > run.out
-+	    checkSuccess $?
- 
--	echo "Load the openssl key pair in the NULL hierarchy 80000001"
--	${PREFIX}loadexternal -den -ider tmpkeypairrsa${BITS}.der -pwdk rrrr > run.out
--	checkSuccess $?
-+	    echo "RSA decrypt with the decryption key ${SESS}"
-+	    ${PREFIX}rsadecrypt -hk 80000001 -pwdk rrrr -ie enc.bin -od dec.bin ${SESS} > run.out
-+	    checkSuccess $?
- 
--	echo "RSA encrypt with the encryption key"
--	${PREFIX}rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > run.out
--	checkSuccess $?
-+	    echo "Verify the decrypt result"
-+	    tail -c 3 dec.bin > tmp.bin
-+	    diff policies/aaa tmp.bin > run.out
-+	    checkSuccess $?
- 
--	echo "RSA decrypt with the decryption key ${SESS}"
--	${PREFIX}rsadecrypt -hk 80000001 -pwdk rrrr -ie enc.bin -od dec.bin ${SESS} > run.out
--	checkSuccess $?
-+	    echo "Flush the encryption key"
-+	    ${PREFIX}flushcontext -ha 80000001 > run.out
-+	    checkSuccess $?
- 
--	echo "Verify the decrypt result"
--	tail -c 3 dec.bin > tmp.bin
--	diff policies/aaa tmp.bin > run.out
--	checkSuccess $?
-+    done
- 
--	echo "Flush the encryption key"
--	${PREFIX}flushcontext -ha 80000001 > run.out
-+	echo "Flush the session"
-+	${PREFIX}flushcontext -ha 02000000 > run.out
- 	checkSuccess $?
- 
-     done
- 
--    echo "Flush the session"
--    ${PREFIX}flushcontext -ha 02000000 > run.out
--    checkSuccess $?
--
--done
-+fi
- 
- echo ""
- echo "Encrypt with OpenSSL OAEP, decrypt with TPM"
-diff --git a/utils/regtests/testsalt.sh b/utils/regtests/testsalt.sh
-index 1bdc1a7..e0c3376 100755
---- a/utils/regtests/testsalt.sh
-+++ b/utils/regtests/testsalt.sh
-@@ -91,16 +91,17 @@ echo ""
- echo "Salt Session - Load External"
- echo ""
- 
--echo "Create RSA and ECC key pairs in PEM format using openssl"
-+echo "Create RSA key pair in DER format using openssl"
-   
--openssl genrsa -out tmpkeypairrsa.pem -aes256 -passout pass:rrrr 2048 > run.out 2>&1
--openssl ecparam -name prime256v1 -genkey -noout -out tmpkeypairecc.pem > run.out 2>&1
-+openssl genpkey -out tmpkeypairrsa.der -outform der -aes-256-cbc -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -pass pass:rrrr > run.out 2>&1
- 
-+echo "Create ECC key pair in PEM format using openssl"
- echo "Convert key pair to plaintext DER format"
- 
--openssl rsa -inform pem -outform der -in tmpkeypairrsa.pem -out tmpkeypairrsa.der -passin pass:rrrr > run.out 2>&1
-+openssl ecparam -name prime256v1 -genkey -noout -out tmpkeypairecc.pem > run.out 2>&1
- openssl ec -inform pem -outform der -in tmpkeypairecc.pem -out tmpkeypairecc.der -passin pass:rrrr > run.out 2>&1
- 
-+
- for HALG in ${ITERATE_ALGS}
- do
- 
-diff --git a/utils/regtests/testsign.sh b/utils/regtests/testsign.sh
-index edfa014..3002ceb 100755
---- a/utils/regtests/testsign.sh
-+++ b/utils/regtests/testsign.sh
-@@ -47,11 +47,9 @@ echo ""
- for BITS in 2048 3072
- do
- 
--    echo "Create an RSA $BITS key pair in PEM format using openssl"
--    openssl genrsa -out tmpkeypairrsa${BITS}.pem -aes256 -passout pass:rrrr 2048 > run.out 2>&1
-+    echo "Create an RSA $BITS key pair in DER format using openssl"
- 
--    echo "Convert RSA $BITS key pair to plaintext DER format"
--    openssl rsa -inform pem -outform der -in tmpkeypairrsa${BITS}.pem -out tmpkeypairrsa${BITS}.der -passin pass:rrrr > run.out 2>&1
-+    openssl genpkey -out tmpkeypairrsa${BITS}.der -outform der -aes-256-cbc -algorithm rsa -pkeyopt rsa_keygen_bits:${BITS} -pass pass:rrrr > run.out 2>&1
- 
-     echo "Load the RSA $BITS signing key under the primary key"
-     ${PREFIX}load -hp 80000000 -ipr signrsa${BITS}priv.bin -ipu signrsa${BITS}pub.bin -pwdp sto > run.out
--- 
-2.38.0
-

ibmtss-tss-Port-HMAC-operations-to-openssl-3.0.patch

@@ -1,237 +0,0 @@
-From 6e22032d637ea8c28cf84efa837a22909873466a Mon Sep 17 00:00:00 2001
-From: Ken Goldman <kgold@linux.ibm.com>
-Date: Fri, 10 Sep 2021 16:33:10 -0400
-Subject: tss: Port HMAC operations to openssl 3.0
-
-Replace the deprecated APIs.
-
-Signed-off-by: Ken Goldman <kgold@linux.ibm.com>
-
-diff --git a/utils/tsscrypto.c b/utils/tsscrypto.c
-index 35f0ed3..c2ce01a 100644
---- a/utils/tsscrypto.c
-+++ b/utils/tsscrypto.c
-@@ -79,6 +79,7 @@ extern int tssVerbose;
- 
- /* local prototypes */
- 
-+static TPM_RC TSS_Hash_GetOsslString(const char **str, TPMI_ALG_HASH hashAlg);
- static TPM_RC TSS_Hash_GetMd(const EVP_MD **md,
- 			     TPMI_ALG_HASH hashAlg);
- 
-@@ -129,36 +130,51 @@ TPM_RC TSS_Crypto_Init(void)
-   Digests
- */
- 
--static TPM_RC TSS_Hash_GetMd(const EVP_MD **md,
--			     TPMI_ALG_HASH hashAlg)
-+/* TSS_Hash_GetString() maps from the TCG hash algorithm to the OpenSSL string */
-+
-+static TPM_RC TSS_Hash_GetOsslString(const char **str, TPMI_ALG_HASH hashAlg)
- {
--    TPM_RC		rc = 0;
-+    TPM_RC	rc = 0;
- 
--    if (rc == 0) {
--	switch (hashAlg) {
-+    switch (hashAlg) {
- #ifdef TPM_ALG_SHA1
--	  case TPM_ALG_SHA1:
--	    *md = EVP_get_digestbyname("sha1");
--	    break;
-+      case TPM_ALG_SHA1:
-+	*str = "sha1";
-+	break;
- #endif
--#ifdef TPM_ALG_SHA256	
--	  case TPM_ALG_SHA256:
--	    *md = EVP_get_digestbyname("sha256");
--	    break;
-+#ifdef TPM_ALG_SHA256
-+      case TPM_ALG_SHA256:
-+	*str = "sha256";
-+	break;
- #endif
- #ifdef TPM_ALG_SHA384
--	  case 	TPM_ALG_SHA384:
--	    *md = EVP_get_digestbyname("sha384");
--	    break;
-+      case TPM_ALG_SHA384:
-+	*str = "sha384";
-+	break;
- #endif
- #ifdef TPM_ALG_SHA512
--	  case 	TPM_ALG_SHA512:
--	    *md = EVP_get_digestbyname("sha512");
--	    break;
-+      case TPM_ALG_SHA512:
-+	*str = "sha512";
-+	break;
- #endif
--	  default:
--	    rc = TSS_RC_BAD_HASH_ALGORITHM;
--	}
-+      default:
-+	*str = NULL;
-+	rc = TSS_RC_BAD_HASH_ALGORITHM;
-+    }
-+    return rc;
-+}
-+
-+static TPM_RC TSS_Hash_GetMd(const EVP_MD **md,
-+			     TPMI_ALG_HASH hashAlg)
-+{
-+    TPM_RC		rc = 0;
-+    const char 		*str = NULL; 
-+
-+    if (rc == 0) {
-+	rc =  TSS_Hash_GetOsslString(&str, hashAlg);
-+    }
-+    if (rc == 0) {
-+	*md = EVP_get_digestbyname(str);
-     }
-     return rc;
- }
-@@ -175,37 +191,84 @@ TPM_RC TSS_HMAC_Generate_valist(TPMT_HA *digest,		/* largest size of a digest */
-     TPM_RC		rc = 0;
-     int 		irc = 0;
-     int			done = FALSE;
--    const EVP_MD 	*md;	/* message digest method */
--#if OPENSSL_VERSION_NUMBER < 0x10100000
-+    uint8_t 		*buffer;	/* segment to hash */
-+    int			length;		/* segment to hash */
-+#if OPENSSL_VERSION_NUMBER < 0x10100000	
-     HMAC_CTX 		ctx;
-+    const EVP_MD 	*md = NULL;	/* message digest method */
-+#elif OPENSSL_VERSION_NUMBER < 0x30000000
-+    HMAC_CTX 		*ctx = NULL;
-+    const EVP_MD 	*md = NULL;	/* message digest method */
- #else
--    HMAC_CTX 		*ctx;
-+    EVP_MAC 		*mac = NULL;
-+    EVP_MAC_CTX 	*ctx = NULL;
-+    const char 		*algString = NULL;
-+    OSSL_PARAM 		params[2];
-+    size_t		outLength;
- #endif
--    int			length;
--    uint8_t 		*buffer;
--    
-+
-+    /* initialize the HMAC context */
- #if OPENSSL_VERSION_NUMBER < 0x10100000
-     HMAC_CTX_init(&ctx);
-+#elif OPENSSL_VERSION_NUMBER < 0x30000000
-+    if (rc == 0) {
-+	ctx = HMAC_CTX_new();
-+	if (ctx == NULL) {
-+	    if (tssVerbose) printf("TSS_Hash_Generate_valist: HMAC_CTX_new failed\n");
-+	    rc = TSS_RC_OUT_OF_MEMORY;
-+	}
-+    }
- #else
--    ctx = HMAC_CTX_new();
-+    if (rc == 0) {
-+	mac = EVP_MAC_fetch(NULL, "hmac", NULL);
-+	if (mac == NULL) {
-+	    if (tssVerbose) printf("TSS_Hash_Generate_valist: EVP_MAC_new failed\n");
-+	    rc = TSS_RC_OUT_OF_MEMORY;
-+	}
-+    }
-+    if (rc == 0) {
-+	ctx = EVP_MAC_CTX_new(mac);
-+	if (ctx == NULL) {
-+	    if (tssVerbose) printf("TSS_Hash_Generate_valist: EVP_MAC_CTX_new failed\n");
-+	    rc = TSS_RC_OUT_OF_MEMORY;
-+	}
-+    }
- #endif
-+
-+    /* get the message digest */
-+#if OPENSSL_VERSION_NUMBER < 0x30000000
-     if (rc == 0) {
- 	rc = TSS_Hash_GetMd(&md, digest->hashAlg);
-     }
-+#else
-+    /* map algorithm to string */
-+    if (rc == 0) {
-+	rc =  TSS_Hash_GetOsslString(&algString, digest->hashAlg);
-+    }
-+#endif
-+
-+    /* initialize the MAC context */
-     if (rc == 0) {
- #if OPENSSL_VERSION_NUMBER < 0x10100000
- 	irc = HMAC_Init_ex(&ctx,
- 			   hmacKey->b.buffer, hmacKey->b.size,	/* HMAC key */
- 			   md,					/* message digest method */
- 			   NULL);
--#else
-+#elif OPENSSL_VERSION_NUMBER < 0x30000000
- 	irc = HMAC_Init_ex(ctx,
- 			   hmacKey->b.buffer, hmacKey->b.size,	/* HMAC key */
- 			   md,					/* message digest method */
- 			   NULL);
-+#else
-+	params[0] = OSSL_PARAM_construct_utf8_string("digest", (char *)algString, 0);
-+	params[1] = OSSL_PARAM_construct_end();
-+	irc = EVP_MAC_init(ctx,
-+			   hmacKey->b.buffer, hmacKey->b.size,	/* HMAC key */
-+			   params);				/* message digest method */
- #endif
--	
--	if (irc == 0) {
-+
-+	if (irc != 1) {
-+	    if (tssVerbose) printf("TSS_HMAC_Generate: HMAC Init failed\n");
- 	    rc = TSS_RC_HMAC;
- 	}
-     }
-@@ -220,11 +283,13 @@ TPM_RC TSS_HMAC_Generate_valist(TPMT_HA *digest,		/* largest size of a digest */
- 	    else {
- #if OPENSSL_VERSION_NUMBER < 0x10100000
- 		irc = HMAC_Update(&ctx, buffer, length);
--#else
-+#elif OPENSSL_VERSION_NUMBER < 0x30000000
- 		irc = HMAC_Update(ctx, buffer, length);
-+#else
-+		irc = EVP_MAC_update(ctx, buffer, length);
- #endif
--		if (irc == 0) {
--		    if (tssVerbose) printf("TSS_HMAC_Generate: HMAC_Update failed\n");
-+		if (irc != 1) {
-+		    if (tssVerbose) printf("TSS_HMAC_Generate: HMAC Update failed\n");
- 		    rc = TSS_RC_HMAC;
- 		}
- 	    }
-@@ -237,18 +302,24 @@ TPM_RC TSS_HMAC_Generate_valist(TPMT_HA *digest,		/* largest size of a digest */
-     if (rc == 0) {
- #if OPENSSL_VERSION_NUMBER < 0x10100000
- 	irc = HMAC_Final(&ctx, (uint8_t *)&digest->digest, NULL);
--#else
-+#elif OPENSSL_VERSION_NUMBER < 0x30000000
- 	irc = HMAC_Final(ctx, (uint8_t *)&digest->digest, NULL);
-+#else
-+	irc = EVP_MAC_final(ctx, (uint8_t *)&digest->digest,  &outLength, sizeof(digest->digest));
- #endif
- 	if (irc == 0) {
-+	    if (tssVerbose) printf("TSS_HMAC_Generate: HMAC Final failed\n");
- 	    rc = TSS_RC_HMAC;
- 	}
-     }
- #if OPENSSL_VERSION_NUMBER < 0x10100000
-     HMAC_CTX_cleanup(&ctx);
--#else
-+#elif OPENSSL_VERSION_NUMBER < 0x30000000
-     HMAC_CTX_free(ctx);
--#endif
-+#else
-+    EVP_MAC_CTX_free(ctx);
-+    EVP_MAC_free(mac);
-+ #endif
-     return rc;
- }
- 
--- 
-2.38.0
-

ibmtss-utils-Remove-unused-variables-from-certifyx509.patch

@@ -1,51 +0,0 @@
-From f335860d99fe11eec5599e1e53960ff1e75c0f82 Mon Sep 17 00:00:00 2001
-From: Ken Goldman <kgoldman@us.ibm.com>
-Date: Mon, 23 Aug 2021 17:30:56 -0400
-Subject: utils: Remove unused variables from certifyx509
-
-notBefore and notAfter are set driectly in the partialCertificate
-structure, and that is used to directly set the x509 structure.
-
-Signed-off-by: Ken Goldman <kgoldman@us.ibm.com>
-
-diff --git a/utils/certifyx509.c b/utils/certifyx509.c
-index ed42ac0..44640aa 100644
---- a/utils/certifyx509.c
-+++ b/utils/certifyx509.c
-@@ -204,6 +204,7 @@ int main(int argc, char *argv[])
-     setvbuf(stdout, 0, _IONBF, 0);      /* output may be going through pipe to log file */
-     TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
- 
-+    curveID = curveID;		/* no longer used, get from parent */
-     /* command line argument defaults */
-     for (i=1 ; (i<argc) && (rc == 0) ; i++) {
- 	if (strcmp(argv[i],"-ho") == 0) {
-@@ -686,8 +687,6 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate,	/* input /
-     X509_NAME 	*x509SubjectName = NULL;/* composite subject name, key/value pairs */
-     size_t	issuerEntriesSize = sizeof(issuerEntries)/sizeof(char *);
-     size_t	subjectEntriesSize = sizeof(subjectEntries)/sizeof(char *);
--    ASN1_TIME 	*notBefore = NULL;
--    ASN1_TIME 	*notAfter = NULL;
-     uint8_t 	*tmpPartialDer = NULL;	/* for the i2d */
- 
-     /* add issuer */
-@@ -717,8 +716,6 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate,	/* input /
- 	}
-     }
-     if (rc == 0) {
--	/* can't fail, just returns a structure member */
--	notBefore = X509_get_notBefore(x509Certificate);
- 	irc = X509_set1_notBefore(x509Certificate, partialCertificate->validity->notBefore);
- 	if (irc == 0) {
- 	    printf("createPartialCertificate: Error setting notBefore time\n");
-@@ -737,7 +734,6 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate,	/* input /
- 	}
-     }
-     if (rc == 0) {
--	notAfter = X509_get_notAfter(x509Certificate);
- 	irc = X509_set1_notAfter(x509Certificate,partialCertificate->validity->notAfter);
- 	if (irc == 0) {
- 	    printf("createPartialCertificate: Error setting notAfter time\n");
--- 
-2.38.0
-

ibmtss.changes

@@ -1,3 +1,31 @@
+-------------------------------------------------------------------
+Thu Nov 30 14:36:22 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 2.1.1:
+  * Add man page for tpmproxy.
+- Update to 2.1.0:
+  * Parse new IMA event log template data fields.
+  * Add option to verify IMA template data
+  * Correct minor regression test script typos.
+- Update to 2.0.0
+  * Expand TPMU_SENSITIVE_COMPOSITE to handle HW TPMs that return 5
+    RSA primes.  This is an ABI (not API) break.
+  * Add support for TPM2_ECC_Encrypt and TPM2_ECC_Decrypt
+  * Add more EFI event log handlers and event tracing.
+  * SW TPM test CA now uses SHA-256, not the deprecated SHA-1.
+  * Port tpmproxy for TPM 2.0 to Linux and Windows.
+  * Add many new EK root certificates.
+  * Remove OpenSSL functions deprecated in 3.x.
+  * Fix TSS bug when using encrypt and decrypt in a PWAP session.
+  * Add build flag to suppress SHA-1.
+- Remove patches fixed upstream:
+  * ibmtss-regtests-Update-openssl-key-generation-for-3.0.0.patch
+  * ibmtss-utils-Update-certifyx509-for-Openssl-3.0.0.patch
+  * ibmtss-utils-Remove-unused-variables-from-certifyx509.patch
+  * ibmtss-tss-Port-HMAC-operations-to-openssl-3.0.patch
+  * ibmtss-utils-Port-to-openssl-3.0.0-replaces-RSA-with-EVP_PK.patch
+  * ibmtss-openssl3-deprecation.patch
+
 -------------------------------------------------------------------
 Wed Nov  9 13:33:51 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
 

ibmtss.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package ibmtss
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,14 +16,12 @@
 #
 
 
-#
-%define libversion 1
-%define libversion_full 1.6.0
+%define libversion 2
 %define libname libibmtss
 %define libpkgname %{libname}%{libversion}
 
 Name:           ibmtss
-Version:        1.6.0
+Version:        2.1.1
 Release:        0
 Summary:        IBM's TPM 2.0 TSS
 License:        BSD-3-Clause
@@ -32,12 +30,6 @@ URL:            https://sourceforge.net/projects/ibmtpm20tss
 Source:         https://sourceforge.net/projects/ibmtpm20tss/files/ibmtss%{version}.tar.gz
 Source1:        90-tpm-ibmtss.rules
 Patch1:         ibmtss-configure.ac-Do-not-disable-optimization-for-debug-b.patch
-Patch2:         ibmtss-regtests-Update-openssl-key-generation-for-3.0.0.patch
-Patch3:         ibmtss-utils-Update-certifyx509-for-Openssl-3.0.0.patch
-Patch4:         ibmtss-utils-Remove-unused-variables-from-certifyx509.patch
-Patch5:         ibmtss-tss-Port-HMAC-operations-to-openssl-3.0.patch
-Patch6:         ibmtss-utils-Port-to-openssl-3.0.0-replaces-RSA-with-EVP_PK.patch
-Patch7:         ibmtss-openssl3-deprecation.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  ibmswtpm2
@@ -83,12 +75,14 @@ Includes IBM's TPM 2.0 TSS C header files
 %autopatch -p1
 
 %build
-autoreconf -i
-%configure --enable-hwtpm --enable-debug --disable-static
+autoreconf -ifv
+%configure --enable-debug --disable-static
 cd utils
-sed -i -e "s|/gsa/yktgsa/home/k/g/kgold/tpm2/utils|$PWD|" certificates/rootcerts.txt
+sed -i -e "s|/home/kgold/tss2/utils|$PWD|" certificates/rootcerts.txt
 %{_libexecdir}/%{name}/tpm_server & tpm_server="$!"
-CCFLAGS="%{optflags}" make LNAFLAGS="-Wl,-rpath,%{_libdir}" %{?_smp_mflags}
+export CCFLAGS="%{optflags}"
+export LNAFLAGS="-Wl,-rpath,%{_libdir}"
+%{make_build}
 testfailed=0
 TPM_INTERFACE_TYPE=socsim LD_LIBRARY_PATH=.libs ./reg.sh -a || testfailed=$?
 kill "$tpm_server" || :
@@ -113,12 +107,12 @@ find %{buildroot} -name .cvsignore | xargs rm -v
 
 %files
 %license LICENSE
-%doc ibmtss.doc
+%doc ibmtss.docx
 %{_bindir}/tss*
 %{_mandir}/man1/tss*.1%{?ext_man}
 
 %files -n %{libpkgname}
-%{_libdir}/%{libname}*.so.%{libversion_full}
+%{_libdir}/%{libname}*.so.%{version}
 %{_libdir}/%{libname}*.so.%{libversion}
 
 %files base

ibmtss1.6.0.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:83bebb0d36ef9ced6cf3be2be9f0b4463a692d67254df31216271a916aaba851
-size 1255456