From 82948c4cb7bd65512632d4e8828f83bfe506b0fd070b3a30fc50e9a7f5c3bb37 Mon Sep 17 00:00:00 2001 From: William Brown Date: Tue, 4 Feb 2025 00:30:22 +0000 Subject: [PATCH] - Update to 1.3.0: * Added support for RSA-OAEP decryption. * Added 'xof' and 'algid-absent' parameters to digests. * Added Parent to textual information printed by 'openssl pkey -text'. * Fixed multi-threaded operation, preventing the 'Esys called in bad sequence' errors (thanks to @Danigaralfo, @famez, and @AndreasFuchsTPM). * Fixed retrieval of OSSL_PKEY_PARAM_MAX_SIZE for RSA keys. The exact value is returned instead of a fixed TPM2_MAX_RSA_KEY_BYTES. * Fixed handling of absent emptyAuth value in the TSS2 PRIVATE KEY file. * Set authorization value of newly generated keys. This allows users of the C API to direcly use just generated EVP_PKEY. - Add tpm2-openssl.keyring - Don't install libtool archives OBS-URL: https://build.opensuse.org/package/show/security/tpm2-openssl?expand=0&rev=5
---
.gitattributes | 23 +++++++++++++ .gitignore | 1 + tpm2-openssl-1.2.0.tar.gz | 3 ++ tpm2-openssl-1.2.0.tar.gz.asc | 14 ++++++++ tpm2-openssl-1.3.0.tar.gz | 3 ++ tpm2-openssl-1.3.0.tar.gz.asc | 14 ++++++++ tpm2-openssl.changes | 55 ++++++++++++++++++++++++++++++ tpm2-openssl.keyring | 62 ++++++++++++++++++++++++++++++++++ tpm2-openssl.spec | 63 +++++++++++++++++++++++++++++++++++ 9 files changed, 238 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 tpm2-openssl-1.2.0.tar.gz create mode 100644 tpm2-openssl-1.2.0.tar.gz.asc create mode 100644 tpm2-openssl-1.3.0.tar.gz create mode 100644 tpm2-openssl-1.3.0.tar.gz.asc create mode 100644 tpm2-openssl.changes create mode 100644 tpm2-openssl.keyring create mode 100644 tpm2-openssl.spec
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/tpm2-openssl-1.2.0.tar.gz b/tpm2-openssl-1.2.0.tar.gz
new file mode 100644
index 0000000..beed34b
--- /dev/null
+++ b/tpm2-openssl-1.2.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2ee15da2dceae1466ffba868e75a00b119d752babc1b6a2792286336a3324fb0
+size 424967
diff --git a/tpm2-openssl-1.2.0.tar.gz.asc b/tpm2-openssl-1.2.0.tar.gz.asc
new file mode 100644
index 0000000..a91fed7
--- /dev/null
+++ b/tpm2-openssl-1.2.0.tar.gz.asc
@@ -0,0 +1,14 @@ +-----BEGIN PGP SIGNATURE----- + +iQGzBAABCAAdFiEEtyAf6AMbB68R9UI8YynPy2vm/XYFAmUqV6AACgkQYynPy2vm +/XaVMwv/Ytg3IjyniOdu4s3ct3E+Mj6ahw5KedqlOh4tSFFkHqRvwsVYDjBOeByM +i1F0FsngJWh4gSrUTeUrpsFYwL6NUKV8TDHQoO1bJUfwZSFQCPRBatk8XM3eGVlo +x3J1VTn59DHlqhaAtGtCuq18Dk9PfBYSgveuPPQHc3AybRKHu+7BVdmNqt8l17oG +k9yXFxspKI0WW/arnR0lBJ2iIblaNSqdUfThPHYnjqjX6nJckW9uwPTozwqNMJUV +L1xTaqw5ymh3AiVFbNcHFqyWS5TPV6PCfzXLVFMVlXCdSWt4n1KT/fN8EsAVN9VS +Om8kOzhyqdxpXqHwfjycfpj1jr1LLzJzvAd6ZP8bgULLxO61GZuljtP0hkMNpk1J +BjwzdW0W+NYWjlulZ6WRFDr/X+ejlJfyNxdJ8o/iPAezv45xmPwC66x62VJCEGkH +lMakTYlavwbpbjmSqFi3LDCQ/pYn4IIljaq2y1KzBu2hrIZ2yl1YU28atNLl+lpr +SOV/3zvk +=GGPd +-----END PGP SIGNATURE----- diff --git a/tpm2-openssl-1.3.0.tar.gz b/tpm2-openssl-1.3.0.tar.gz new file mode 100644 index 0000000..76e5441 --- /dev/null +++ b/tpm2-openssl-1.3.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9a9aca55d4265ec501bcf9c56d21d6ca18dba902553f21c888fe725b42ea9964 +size 432730 diff --git a/tpm2-openssl-1.3.0.tar.gz.asc b/tpm2-openssl-1.3.0.tar.gz.asc new file mode 100644 index 0000000..028c8fe --- /dev/null +++ b/tpm2-openssl-1.3.0.tar.gz.asc @@ -0,0 +1,14 @@ +-----BEGIN PGP SIGNATURE----- + +iQGzBAABCAAdFiEEtyAf6AMbB68R9UI8YynPy2vm/XYFAmeVSl0ACgkQYynPy2vm +/XY6RgwAmIM24BlYcEm+my2KmbI5W33MSnP7SAotuZSuGUuDePBHEhxuWDmUhZ4D +upF18sMqdWXM4nYoPFEv8WSQwwXUx5hE6bYslUE6knC9UV+xDBXMjVrIMmqGegwJ +t0Qg/uEAGyxZTR7f4uAw0mk56/rrUEEWArlURElgP5wbaOSj8K3Bu4Lpllq3qCGW +s/o3X+vI5SYXL2XwII/+RhNlssPmg2U5Q6cVhX04yOGPq+TW4ndg1w0bA6aXuROv +uy/R7cdGhrqWEFGkrsMSNN7to/uSYqlmiAhO46AHD5eJTAs9ocLBepexezAO30nw +PRyGoM2qA+8cYX/jKg/Xr7ucHE2fQv1Fr+sC0s7XvWqLSzN+2RLCeQqXc5Iq+ImN +acELaLddKDwUEgg+demMPr/LZaVjZDfj+jkPejyzVCIhTTvvFOlINdkbNzW9g20f +M6j+yHXWBlTNqELjSUqISglsbAULDv9GZZ1+GKzSNcDDZFv7fLQHkK92/qf+Uw3v +uPMrYER/ +=tAaR +-----END PGP SIGNATURE----- diff --git a/tpm2-openssl.changes b/tpm2-openssl.changes new file mode 100644 index 0000000..78715f5 --- /dev/null +++ b/tpm2-openssl.changes 
@@ -0,0 +1,55 @@
+-------------------------------------------------------------------
+Wed Jan 29 18:09:54 UTC 2025 - Lucas Mulling
+
+- Update to 1.3.0:
+ * Added support for RSA-OAEP decryption.
+ * Added 'xof' and 'algid-absent' parameters to digests.
+ * Added Parent to textual information printed by 'openssl pkey -text'.
+ * Fixed multi-threaded operation, preventing the 'Esys called in bad
+ sequence' errors (thanks to @Danigaralfo, @famez, and @AndreasFuchsTPM).
+ * Fixed retrieval of OSSL_PKEY_PARAM_MAX_SIZE for RSA keys. The exact value
+ is returned instead of a fixed TPM2_MAX_RSA_KEY_BYTES.
+ * Fixed handling of absent emptyAuth value in the TSS2 PRIVATE KEY file.
+ * Set authorization value of newly generated keys. This allows users of the C
+ API to direcly use just generated EVP_PKEY.
+- Add tpm2-openssl.keyring
+- Don't install libtool archives
+
+-------------------------------------------------------------------
+Tue Oct 17 23:58:21 UTC 2023 - William Brown
+
+## Added
+* Added support for ECDH with a KDF, which is used by ECC-based CMS (S/MIME).
+* Added retrieval of OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY for EC keys and retrieval
+ of TLS-GROUP provider capabilities to enable mTLS authentication (thanks to @rshearman).
+* Added mTLS example to documentation (thanks to @hoinmic).
+* Added missing RAND parameters: 'state' and 'strength' (thanks to @mccarey).
+* Added ability to run tests in a container (thanks to @afreof).
+* Added Visual Studio properties to simplify the Windows build (thanks to @philippun1).
+
+## Changed
+
+* Symmetric operations are disabled by default. In most situations these are not needed and
+ cause a huge performance penalty. To enable, configure with --enable-op-digest or
+ --enable-op-cipher.
+
+## Removed
+
+* Removed unofficial support for tpm2-tss < 3.2.0, which do not support the openssl 3.x.
+
+## Fixed
+
+* Fixed key export: the private keys are not exportable, which shall fix some TPM-based sign
+ operations (thanks to @fhars).
+* Fixed handle related operations on 32b machines (thanks to @dezgeg).
+* Fixed OSSL_FUNC_KEYMGMT_HAS operations with NULL keys.
+* Fixed a heap exception on some machines (thanks to @philippun1).
+* Fixed build warnings when building on the Fedora Linux.
+* In documentation and tests applied a correct order of providers (thanks to @hoinmic).
+* Modified documentation: the user-space resource manager (abrmd) is almost mandatory for complex
+ scenarios such as SSL or X.509 operations.
+
+-------------------------------------------------------------------
+Mon Jun 5 05:29:23 UTC 2023 - William Brown
+
+- Initial commit of tpm2-openssl
diff --git a/tpm2-openssl.keyring b/tpm2-openssl.keyring
new file mode 100644
index 0000000..7b6293e
--- /dev/null
+++ b/tpm2-openssl.keyring
@@ -0,0 +1,62 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: Hockeypuck 2.2 +Comment: Hostname: + +xsDNBF7ubLoBDADAzSEkXjzTw9gpCt7twE2ppMmQMVfDO3Reci42NLTSlf13xD8O +CUK/HK5lpxQ7ypORxppEpu71oUC/7fgDAOziiDwtIUSE9r1xvrp9tqT1gcz9ZzoD ++Vfn9mJXeAFHTGQ36ar/C5Ey1xc3Bd1C2qJnyXbzcsiUFT5p9DKMe4V2Mi83MRJR +SmGm8jPZEowFhzc0IzRIvwZzEMn1DQKL1KqCBN4bXb/YXRwVt9fy2fmmA3UJH8tw +io8UZFyZMFLacTDD8HyluWFdhJU54NoBphkS6cdHadvYY/+VXtBwB0xJBKgVL1Jb +6C0/+ENZKRSM8YLhidMGl7gfeStyd+BhgnefSJgk/n8vavQ45cf0AlZwAqmf6RWp +SI6kO89GpN+xiIhGeenzqCmn9jO2lwoRgR9o6cCmWBbdP0vgpQD3aC4nkqSEVtvc +qWDHiwxcXJwSRq5Eo3oAmSCnIfFVTD5Tqh2cz09Kku9UoSu3TFqCa+RC5ccydi5x +Rx/KD27GD4voFF0AEQEAAc0oUGV0ciBHb3R0aGFyZCA8cGV0ci5nb3R0aGFyZEBj +ZW50cnVtLmN6PsLBFAQTAQoAPgIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYh +BLcgH+gDGwevEfVCPGMpz8tr5v12BQJlKaxABQkJ/aaGAAoJEGMpz8tr5v12TB8L +/jcjUVsP7N9lwJ7RdmPLJB3qdruN95spgy8/DKrneYtG5qw6Q7jRuB/tkaS8utcu +T2ycjtinTAER3EmW+QIPX3Ym1s+wkse7pZKS7ltlktQ8/hHxel9OXtXzQJJ0JwfO +fkv787S0/g0gfIC8BiV54ZY4rHhx4h2G0OzXadZbx8dnpP4lrxDFB8PJqi6vqbX7 +9e6u9HlZkoGdTUbXexh9V9dXGBJdCrBtH0TlfQodnS8Wo3GWBJjj7W09o9EeWkgx +lv9cUOlSyFT3DjtFG6nyO4aqpZn1Ap24h/1JEvjlg6TUXxDelZ3D5eNW3hHg6Rl2 +DWypkbRYQ9IS5IYGcBwFgWowdTwcNsbNgBOpgQo12K6VB+Gap5PuP1GwH0+7cWfy +7NdrMYc7eJCVy274HxZAohlk3pI0ZHEDU/i0Xx0vmZkJgOUalOVzV44/2A4Y67jF +VD0T8JQ+4MdnbyT6cH45DKe16mX0VLyGdxppKj3ytoLFMc3Bj5IxXOcjibHaKSxW +9cLBFAQTAQoAPgIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBLcgH+gDGwev +EfVCPGMpz8tr5v12BQJjLamoBQkGIHBuAAoJEGMpz8tr5v12c1EL/2qz7fgkxne7 +aif0z0JRrM18SyTsxxdPk/EhvejQzz0cag0mRx2IX+OgzKrPjLR+3Jgfk3cedJUX +dAcR5YrvrLB1hoTaZ/xJTXL1IowkvTHNhSA01+vdn7YrxsKRqec+Wz2LufGFTiC4 +RCWdpRYDUBfNk+cUDJIGiPAVqYPK+e81XBtOJRrhOjbt1rkKed8DmF+rUvRG/2fl ++I09x+fo2CB0AjUNgSVwFKwZ0TiY3o2cwatGZz8z2LWEIhhWPPoq1XTuMkzYlVO0 +oEBYTYXJq2c8gWNSnvfSW3k65Rd5c2C9NfbiREY4xz+BLEYhVYToJ1jOyPrOnpBs +Q7BKEYEKioYE/fwrwXB3GZuQUu2SQtECWqYJMglGjO4AwNcImKQYiaqIoiZb6ayP +zUqPTF++rVh8zx1U7DEa5TSJr3vLapGWNpCFINE6XVQw93c+XG0iBi0lk2pmDyLZ 
+5YlNy+Kp1PuaEDbveSeFnmDD1JvA/Zr1Ugu/8SAQBVoNbDV6T8EwNM7AzQRe7my6 +AQwApvVaHIuxFTCxnbDPVY8s+UftniL1Bkp4QhstEGcbFQ6NJW06DCDARYbX8bZu +g0tFNweD6Hrh/2GqpTc+u2wPRipt2WsKPivrJIEAXvxTtGaLXp/FGWVrXq+5eyFx +YY/ldhparbs7HeppLCphZ5Q6dtwcu1o768LcNCK/tm6sUIPxBbZ1Qaczgrhka+8t +KS9PDesJ6QGF3Khz3fLk6b2MjiUL9eAhMi7451aD8fTFh3LpBC0u3exw9qxObgap +RFDbwie4lUZfInCP5ErdMBik4p41R0sNM8XSqXkYdAdeEx0ixSI0DlfJKEmHvwpx +Ah3s/5ugaU+JAsaPdJZJlfJ18Or10SSUvqZV9URhvPJd5db/JstO/iIN7ofpV1mG +KETNu+GLCpOX5+IF0f+esAFCO8s1LaUB4espPhpkouGCE1qa+Vgvy7jLCHCCJrBs +nZ+LrLKfnizsqu+xqYAySZARI30IIVDJ2S6j5Nfnh9/IGz0tCy3dZhQK/05WjP5h +b+p5ABEBAAHCwPwEGAEKACYCGwwWIQS3IB/oAxsHrxH1QjxjKc/La+b9dgUCZSmt +qgUJCf2n8AAKCRBjKc/La+b9drW8DACE+Aoc6A3ckw3616CAHCkgvPWXEm1mxFJA +RaMxD1529k9N2eBvJqVHkB0dDYrMvczKKzGQRLPr/7AWSx1cSxQiYqnMUFkz9Hjp +s3RNARoaU7ENHCmSWR/DQpijYPxNeQC5TTXNTojEVNkzKGJYK1bi4lvAaW2eIoVl +jfZny+92wiCUKtwLq4+4BgnTuuYkOsGTUQ5nEqxnlrLU7BhLUg4cYfy7345ykEdw +8f2ddazVXQjuhuYazJk/buuTX/fXrw0O6mmJEp44ZcFWtlTPOsGnVlcxy3qtBfuD +RJVT4vq5jIbTCkGyM6sS6EdVg8iy3R5+wLwkYaLLZOUH4iUtExMoU0H4euKZ/d9f ++Ae51w6hV25ZnuNMlWz4/4+GltDvVZHtE+2MyXlzvNynh/+7wjMPP49TBnxy+IpF +rh3Q1BnN6UKyaQW0bFClXt4Z0B+tIrItSy+kAMz04jGVkTLEuhE5TPgQMLwhOFqw +8BXDx/AhoQhF6TslsbjUyJU3cxkVpevCwPwEGAEKACYCGwwWIQS3IB/oAxsHrxH1 +QjxjKc/La+b9dgUCYy2p0wUJBiBwmQAKCRBjKc/La+b9dsp2DACMszdYmVTOyhWE +YYBMdp3LrAp15UkHOjIuxouNiuOxnB29RKupy4uc7PH12alUEx+6GM7VDo88Dmgo +k0JS+rpNViE7ZIDNV7fK/2GqS4XVxjPBN3M3RbzzmIAKSfMonuV6/A23VDV7iRZd +gb3JiPpzOTAv+jlLuiy/Ne8/+ew4+3oN3+FhH+TctEB8v4bZWl0YSsARJ2plqcYO +SMZMJLb06Q0be2CwprmGPTwxQmCc6ZpqOd3ZX2igIcFO4NisVvFwFh+m4nS1/GlL +r59wUIv81lFvz8hwDGktzXIL/AG2JqhfbtWJyM40lGe5Og/0jkuZ/6fva6hYjPeS +pLTNbsPWSn2pNexzcnoI2Hc1y1/9+LdAyq6lljJLzYyHRTHuT8O9bZCOoJJrn9md +RSo2PcEOP4x66gBg1b+Yux+H5undbYZ8gAqNbs3vVwC4h/j+H54dxDAKBb8+e3Bj +Diwx7ZlAkerP/zrLxmz4Eo12qTnY5cAJW/9JowpD4z1IBBQU1DA= +=GyEC +-----END PGP PUBLIC KEY BLOCK----- diff --git a/tpm2-openssl.spec b/tpm2-openssl.spec new file mode 100644 index 0000000..82cb6e2 --- /dev/null 
+++ b/tpm2-openssl.spec
@@ -0,0 +1,63 @@
+#
+# spec file for package tpm2-openssl
+#
+# Copyright (c) 2025 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define _MODULES_DIR %(pkg-config --variable=modulesdir libcrypto)
+
+Name: tpm2-openssl
+Version: 1.3.0
+Release: 0
+Summary: OpenSSL 3 Engine for TPM2 devices
+License: BSD-3-Clause
+Group: Productivity/Security
+URL: https://github.com/tpm2-software
+Source0: %{url}/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
+Source1: %{url}/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz.asc
+Source2: tpm2-openssl.keyring
+BuildRequires: autoconf-archive
+BuildRequires: libgcrypt-devel
+BuildRequires: libtool
+BuildRequires: pkgconfig
+BuildRequires: pkgconfig(libcrypto) >= 3
+BuildRequires: pkgconfig(tss2-esys) >= 3.2.0
+BuildRequires: pkgconfig(tss2-rc) >= 3.2.0
+BuildRequires: pkgconfig(tss2-tctildr)
+Conflicts: openssl_tpm2_engine
+
+%description
+Makes the TPM 2.0 accessible via the standard OpenSSL API and command-line tools, so
+one can add TPM support to (almost) any OpenSSL 3.x based application.
+
+%prep
+%autosetup
+
+%build
+autoreconf -fvi
+%configure
+%make_build
+
+%install
+%make_install
+# Remove libtool archives
+find %{buildroot} -type f -name "*.la" -delete -print
+
+%files
+%doc README.md
+%license LICENSE
+%{_MODULES_DIR}/tpm2.so
+
+%changelog
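Review bot: Nothing in this spec checks the tarball against its signature: `Source1` (the `.asc`) and `Source2` (`tpm2-openssl.keyring`) are declared, but `%prep` runs only `%autosetup`, so verification depends on whatever tooling outside this file processes the sources at check-in. The keyring added in this patch carries keyserver export headers (`Version: Hockeypuck 2.2`), and neither the spec nor the `.changes` entry records which key it is or how it was confirmed, so a later reviewer cannot tell a legitimate key rotation from a swapped trust anchor. I would add a comment above `Source2`, e.g. `# Upstream release signing key, fingerprint <FINGERPRINT>, confirmed against <UPSTREAM REFERENCE>`, and state in the `.changes` entry where the signature check happens. Separately, `Source0`/`Source1` expand only to the 1.3.0 files, so the `tpm2-openssl-1.2.0.tar.gz` and `.asc` added in the same patch appear to be unreferenced leftovers.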