Accepting request 989000 from home:aplanas:branches:security

- Add patch to fix leakage of TPM simulator process
  add_missing_shut_down_call_on_cleanup.patch
- Add patch to fix fapi-quote-verify[_ecc].sh test
  fix_check_of_qualifying_data.patch
- Enable test execution by default

OBS-URL: https://build.opensuse.org/request/show/989000
OBS-URL: https://build.opensuse.org/package/show/security/tpm2.0-tools?expand=0&rev=93

add_missing_shut_down_call_on_cleanup.patch

@@ -0,0 +1,70 @@
+From db6aa7ac5094a04168e60256e154786c0c7e7c1c Mon Sep 17 00:00:00 2001
+From: Alberto Planas <aplanas@suse.com>
+Date: Wed, 13 Jul 2022 13:35:19 +0200
+Subject: [PATCH] test: add missing shut_down call on cleanup
+
+The tests "gettime", "readclock" and "symlink" are not calling
+"shut_down" during the "cleanup" stage, making the TPM simulator to keep
+their process during the "make check".  Somehow this produces problems
+when the tests are executed in parallel under certain conditions, with
+the effect of "make" not ending and waiting to those process to die.
+
+This commit and the mising call in the "cleanup" stage.
+
+Fix #3042
+
+Signed-off-by: Alberto Planas <aplanas@suse.com>
+---
+ test/integration/tests/gettime.sh   | 5 ++++-
+ test/integration/tests/readclock.sh | 5 ++++-
+ test/integration/tests/symlink.sh   | 5 ++++-
+ 3 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/test/integration/tests/gettime.sh b/test/integration/tests/gettime.sh
+index 5a91210a7..054bef864 100644
+--- a/test/integration/tests/gettime.sh
++++ b/test/integration/tests/gettime.sh
+@@ -3,7 +3,10 @@
+ source helpers.sh
+ 
+ cleanup() {
+-	rm -f attest.sig attest.data
++    rm -f attest.sig attest.data
++    if [ "$1" != "no-shut-down" ]; then
++	shut_down
++    fi
+ }
+ trap cleanup EXIT
+ 
+diff --git a/test/integration/tests/readclock.sh b/test/integration/tests/readclock.sh
+index 56a4c8622..2c59dad09 100644
+--- a/test/integration/tests/readclock.sh
++++ b/test/integration/tests/readclock.sh
+@@ -3,7 +3,10 @@
+ source helpers.sh
+ 
+ cleanup() {
+-	rm -f clock.yaml
++    rm -f clock.yaml
++    if [ "$1" != "no-shut-down" ]; then
++	shut_down
++    fi
+ }
+ trap cleanup EXIT
+ 
+diff --git a/test/integration/tests/symlink.sh b/test/integration/tests/symlink.sh
+index d1c800ad0..b61349eef 100644
+--- a/test/integration/tests/symlink.sh
++++ b/test/integration/tests/symlink.sh
+@@ -4,7 +4,10 @@ source helpers.sh
+ 
+ TMP="$(mktemp -d)"
+ cleanup() {
+-	rm -rf "$TMP"
++    rm -rf "$TMP"
++    if [ "$1" != "no-shut-down" ]; then
++	shut_down
++    fi
+ }
+ trap cleanup EXIT
+ 

fix_check_of_qualifying_data.patch

@@ -0,0 +1,167 @@
+From 3b1f00301350848e9454c7adf0487c1a14738236 Mon Sep 17 00:00:00 2001
+From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
+Date: Sat, 8 Jan 2022 13:43:00 +0100
+Subject: [PATCH] test/fapi/fapi-quote-verify.sh Fix check of qualifying data.
+
+Because of a bug in Fapi_VerifyQuote the qualifying data was not checked correctly.
+Errors that were not recognized before occur now.
+The order of the tests was cleaned up and for every quote and verify quote now
+the correct combination of the qualifying data and quote info containing the nonce
+is used.
+
+Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
+---
+ test/integration/fapi/fapi-quote-verify.sh | 38 ++++++++++++----------
+ 1 file changed, 20 insertions(+), 18 deletions(-)
+
+diff --git a/test/integration/fapi/fapi-quote-verify.sh b/test/integration/fapi/fapi-quote-verify.sh
+index ad4ade3a1..497d4337f 100644
+--- a/test/integration/fapi/fapi-quote-verify.sh
++++ b/test/integration/fapi/fapi-quote-verify.sh
+@@ -18,6 +18,7 @@ KEY_PATH=HS/SRK/quotekey
+ NONCE_FILE=$TEMP_DIR/nonce.file
+ PUBLIC_QUOTE_KEY=$TEMP_DIR/public_quote.key
+ QUOTE_INFO=$TEMP_DIR/quote.info
++QUOTE_EMPTY_INFO=$TEMP_DIR/quote_empty.info
+ SIGNATURE_FILE=$TEMP_DIR/signature.file
+ CERTIFICATE_FILE=$TEMP_DIR/certificate.file
+ PCR_LOG=$TEMP_DIR/pcr.log
+@@ -35,14 +36,32 @@ tss2 provision
+ 
+ tss2 createkey --path=$KEY_PATH --type="noDa, restricted, sign" --authValue=""
+ 
++tss2 exportkey --pathOfKeyToDuplicate=$KEY_PATH --exportedData=$PUBLIC_QUOTE_KEY --force
++tss2 import --path="ext/myNewParent" --importData=$PUBLIC_QUOTE_KEY
++
++
+ tss2 quote --keyPath=$KEY_PATH --pcrList="11, 12, 13, 14, 15, 16" --qualifyingData=$NONCE_FILE \
+     --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG \
+     --certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_INFO --force
+ 
++tss2 verifyquote --publicKeyPath="ext/myNewParent" \
++    --qualifyingData=$NONCE_FILE --quoteInfo=$QUOTE_INFO \
++    --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
++
+ echo "tss2 quote with EMPTY_FILE" # Expected to succeed
+ tss2 quote --keyPath=$KEY_PATH --pcrList="11, 12, 13, 14, 15, 16" \
+     --qualifyingData=$EMPTY_FILE --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG \
+-    --certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_INFO --force
++    --certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_EMPTY_INFO --force
++
++echo "tss2 verifyquote with EMPTY_FILE qualifyingData" # Expected to succeed
++tss2 verifyquote --publicKeyPath="ext/myNewParent" \
++    --qualifyingData=$EMPTY_FILE --quoteInfo=$QUOTE_EMPTY_INFO \
++    --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
++
++# Try with missing qualifyingData
++tss2 verifyquote --publicKeyPath="ext/myNewParent" \
++    --quoteInfo=$QUOTE_EMPTY_INFO \
++    --signature=$SIGNATURE_FILE
+ 
+ echo "tss2 quote with BIG_FILE" # Expected to fail
+ expect <<EOF
+@@ -65,18 +84,6 @@ if [[ "`cat $LOG_FILE`" == $SANITIZER_FILTER ]]; then
+   exit 1
+ fi
+ 
+-tss2 exportkey --pathOfKeyToDuplicate=$KEY_PATH --exportedData=$PUBLIC_QUOTE_KEY --force
+-tss2 import --path="ext/myNewParent" --importData=$PUBLIC_QUOTE_KEY
+-
+-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
+-    --qualifyingData=$NONCE_FILE --quoteInfo=$QUOTE_INFO \
+-    --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
+-
+-echo "tss2 verifyquote with EMPTY_FILE qualifyingData" # Expected to succeed
+-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
+-    --qualifyingData=$EMPTY_FILE --quoteInfo=$QUOTE_INFO \
+-    --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
+-
+ echo "tss2 verifyquote with BIG_FILE qualifyingData" # Expected to fail
+ expect <<EOF
+ spawn sh -c "tss2 verifyquote --publicKeyPath=\"ext/myNewParent\" \
+@@ -537,9 +544,4 @@ if {[lindex \$ret 2] || [lindex \$ret 3] != 1} {
+ }
+ EOF
+ 
+-# Try with missing qualifyingData
+-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
+-    --quoteInfo=$QUOTE_INFO \
+-    --signature=$SIGNATURE_FILE
+-
+ exit 0
+
+diff --git a/test/integration/fapi/fapi-quote-verify.sh b/test/integration/fapi/fapi-quote-verify_ecc.sh
+index ad4ade3a1..497d4337f 100644
+--- a/test/integration/fapi/fapi-quote-verify_ecc.sh
++++ b/test/integration/fapi/fapi-quote-verify_ecc.sh
+@@ -18,6 +18,7 @@ KEY_PATH=HS/SRK/quotekey
+ NONCE_FILE=$TEMP_DIR/nonce.file
+ PUBLIC_QUOTE_KEY=$TEMP_DIR/public_quote.key
+ QUOTE_INFO=$TEMP_DIR/quote.info
++QUOTE_EMPTY_INFO=$TEMP_DIR/quote_empty.info
+ SIGNATURE_FILE=$TEMP_DIR/signature.file
+ CERTIFICATE_FILE=$TEMP_DIR/certificate.file
+ PCR_LOG=$TEMP_DIR/pcr.log
+@@ -35,14 +36,32 @@ tss2 provision
+ 
+ tss2 createkey --path=$KEY_PATH --type="noDa, restricted, sign" --authValue=""
+ 
++tss2 exportkey --pathOfKeyToDuplicate=$KEY_PATH --exportedData=$PUBLIC_QUOTE_KEY --force
++tss2 import --path="ext/myNewParent" --importData=$PUBLIC_QUOTE_KEY
++
++
+ tss2 quote --keyPath=$KEY_PATH --pcrList="11, 12, 13, 14, 15, 16" --qualifyingData=$NONCE_FILE \
+     --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG \
+     --certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_INFO --force
+ 
++tss2 verifyquote --publicKeyPath="ext/myNewParent" \
++    --qualifyingData=$NONCE_FILE --quoteInfo=$QUOTE_INFO \
++    --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
++
+ echo "tss2 quote with EMPTY_FILE" # Expected to succeed
+ tss2 quote --keyPath=$KEY_PATH --pcrList="11, 12, 13, 14, 15, 16" \
+     --qualifyingData=$EMPTY_FILE --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG \
+-    --certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_INFO --force
++    --certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_EMPTY_INFO --force
++
++echo "tss2 verifyquote with EMPTY_FILE qualifyingData" # Expected to succeed
++tss2 verifyquote --publicKeyPath="ext/myNewParent" \
++    --qualifyingData=$EMPTY_FILE --quoteInfo=$QUOTE_EMPTY_INFO \
++    --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
++
++# Try with missing qualifyingData
++tss2 verifyquote --publicKeyPath="ext/myNewParent" \
++    --quoteInfo=$QUOTE_EMPTY_INFO \
++    --signature=$SIGNATURE_FILE
+ 
+ echo "tss2 quote with BIG_FILE" # Expected to fail
+ expect <<EOF
+@@ -65,18 +84,6 @@ if [[ "`cat $LOG_FILE`" == $SANITIZER_FILTER ]]; then
+   exit 1
+ fi
+ 
+-tss2 exportkey --pathOfKeyToDuplicate=$KEY_PATH --exportedData=$PUBLIC_QUOTE_KEY --force
+-tss2 import --path="ext/myNewParent" --importData=$PUBLIC_QUOTE_KEY
+-
+-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
+-    --qualifyingData=$NONCE_FILE --quoteInfo=$QUOTE_INFO \
+-    --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
+-
+-echo "tss2 verifyquote with EMPTY_FILE qualifyingData" # Expected to succeed
+-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
+-    --qualifyingData=$EMPTY_FILE --quoteInfo=$QUOTE_INFO \
+-    --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
+-
+ echo "tss2 verifyquote with BIG_FILE qualifyingData" # Expected to fail
+ expect <<EOF
+ spawn sh -c "tss2 verifyquote --publicKeyPath=\"ext/myNewParent\" \
+@@ -537,9 +544,4 @@ if {[lindex \$ret 2] || [lindex \$ret 3] != 1} {
+ }
+ EOF
+ 
+-# Try with missing qualifyingData
+-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
+-    --quoteInfo=$QUOTE_INFO \
+-    --signature=$SIGNATURE_FILE
+-
+ exit 0

tpm2.0-tools.changes

@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Wed Jul 13 11:50:11 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Add patch to fix leakage of TPM simulator process
+  add_missing_shut_down_call_on_cleanup.patch
+- Add patch to fix fapi-quote-verify[_ecc].sh test
+  fix_check_of_qualifying_data.patch
+- Enable test execution by default
+
 -------------------------------------------------------------------
 Fri Jul  8 07:51:37 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
 

tpm2.0-tools.spec

@@ -17,7 +17,7 @@
 
 
 %define _lto_cflags %{nil}
-%bcond_with     test
+%bcond_without  test
 Name:           tpm2.0-tools
 Version:        5.2
 Release:        0
@@ -32,6 +32,10 @@ Source2:        tpm2-tools.keyring
 Patch0:         fix_bogus_warning.patch
 # PATCH-FIX-UPSTREAM 0001-tests-getekcertificate.sh-Skip-the-test-if-curl-is-n.patch -- based on PR#3041
 Patch1:         0001-tests-getekcertificate.sh-Skip-the-test-if-curl-is-n.patch
+# PATCH-FIX-UPSTREAM add_missing_shut_down_call_on_cleanup.patch -- based on PR#3047
+Patch2:         add_missing_shut_down_call_on_cleanup.patch
+# PATCH-FIX-UPSTREAM fix_check_of_qualifying_data.patch -- already merged
+Patch3:         fix_check_of_qualifying_data.patch
 BuildRequires:  gcc-c++
 BuildRequires:  libcurl-devel
 BuildRequires:  libopenssl-devel
@@ -102,7 +106,7 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %check
 # Do the tests sequentially to kill all tpm_server instances
 # https://github.com/tpm2-software/tpm2-tools/issues/3042
-%make_build -j1 check
+%make_build check
 %endif
 
 %changelog