diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..7d7a8a8
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/tpm2.0-tools-1.1.0.tar.gz
diff --git a/.tpm2-tools.metadata b/.tpm2-tools.metadata
new file mode 100644
index 0000000..a2ad6c3
--- /dev/null
+++ b/.tpm2-tools.metadata
@@ -0,0 +1 @@
+1d27f0e7564e7bf83b5751e5e9eb3f73c5dc971e SOURCES/tpm2.0-tools-1.1.0.tar.gz
diff --git a/README.md b/README.md
deleted file mode 100644
index 98f42b4..0000000
--- a/README.md
+++ /dev/null
@@ -1,4 +0,0 @@
-The master branch has no content
-
-Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6
-If you find this file in a distro specific branch, it means that no content has been checked in yet
diff --git a/SOURCES/HashEKPublicKey-cleanup.patch b/SOURCES/HashEKPublicKey-cleanup.patch
new file mode 100644
index 0000000..f78ca91
--- /dev/null
+++ b/SOURCES/HashEKPublicKey-cleanup.patch
@@ -0,0 +1,97 @@
+diff -ur tpm2.0-tools-1.1.0/src/tpm2_getmanufec.cpp tpm2.0-tools-1.1.0-new/src/tpm2_getmanufec.cpp
+--- tpm2.0-tools-1.1.0/src/tpm2_getmanufec.cpp 2016-11-04 07:13:32.000000000 -0700
++++ tpm2.0-tools-1.1.0-new/src/tpm2_getmanufec.cpp 2017-04-05 15:46:04.144808304 -0700
+@@ -30,7 +30,7 @@
+ //**********************************************************************;
+ 
+ #include
+-
++#include
+ #include
+ #include
+ #include
+@@ -264,27 +264,69 @@
+ 
+ unsigned char *HashEKPublicKey(void)
+ {
+- printf("Calculating the SHA256 hash of the Endorsement Public Key\n");
+- FILE *fp;
++ FILE *fp = NULL;
++ unsigned char *hash = NULL;
+ unsigned char EKpubKey[259];
+- unsigned char *hash = (unsigned char*)malloc(SHA256_DIGEST_LENGTH);
++ int rc, is_success;
++ unsigned int i;
++ size_t read;
++
++ printf("Calculating the SHA256 hash of the Endorsement Public Key\n");
++
+ fp = fopen(outputFile, "rb");
+- if (fp == NULL)
+- printf("File Open Error\n");
+- else
+- {
+- fseek(fp, 0x66, 0);
+- fread(EKpubKey, 1, 256, fp);
++ if (fp == NULL) {
++ fprintf(stderr, "Could not open file: \"%s\"\n", outputFile);
++ return NULL;
+ }
+- fclose(fp);
+- EKpubKey[256] = 0x01; EKpubKey[257] = 0x00; EKpubKey[258] = 0x01; //Exponent
++ rc = fseek(fp, 0x66, 0);
++ if (rc < 0) {
++ fprintf(stderr, "Could not perform fseek: %s\n", strerror(errno));
++ goto out;
++ }
++ read = fread(EKpubKey, 1, 256, fp);
++ if (read != 256) {
++ fprintf(stderr, "Could not read whole file.\n");
++ goto out;
++ }
++
++ hash = (unsigned char*)malloc(SHA256_DIGEST_LENGTH);
++ if (hash == NULL) {
++ fprintf(stderr, "Memory allocation failed.\n");
++ goto out;
++ }
++
++ EKpubKey[256] = 0x01;
++ EKpubKey[257] = 0x00;
++ EKpubKey[258] = 0x01; //Exponent
+ SHA256_CTX sha256;
+- SHA256_Init(&sha256);
+- SHA256_Update(&sha256, EKpubKey, sizeof(EKpubKey));
+- SHA256_Final(hash, &sha256);
+- for (int i = 0; i < SHA256_DIGEST_LENGTH; i++)
++ is_success = SHA256_Init(&sha256);
++ if (!is_success) {
++ fprintf(stderr, "SHA256_Init failed\n");
++ goto hash_out;
++ }
++
++ is_success = SHA256_Update(&sha256, EKpubKey, sizeof(EKpubKey));
++ if (!is_success) {
++ fprintf(stderr, "SHA256_Update failed\n");
++ goto hash_out;
++ }
++
++ is_success = SHA256_Final(hash, &sha256);
++ if (!is_success) {
++ fprintf(stderr, "SHA256_Final failed\n");
++ goto hash_out;
++ }
++
++ for (i = 0; i < SHA256_DIGEST_LENGTH; i++)
+ printf("%02X", hash[i]);
+ printf("\n");
++ goto out;
++
++hash_out:
++ free(hash);
++ hash = NULL;
++out:
++ fclose(fp);
+ return hash;
+ }
+ 
diff --git a/SOURCES/ekservaddr.patch b/SOURCES/ekservaddr.patch
new file mode 100644
index 0000000..496e180
--- /dev/null
+++ b/SOURCES/ekservaddr.patch
@@ -0,0 +1,13 @@
+diff -ur tpm2.0-tools-1.1.0/src/tpm2_getmanufec.cpp tpm2.0-tools-1.1.0-new/src/tpm2_getmanufec.cpp
+--- tpm2.0-tools-1.1.0/src/tpm2_getmanufec.cpp 2017-04-05 11:26:04.740073304 -0700
++++ tpm2.0-tools-1.1.0-new/src/tpm2_getmanufec.cpp 2017-04-05 11:26:53.973845213 -0700
+@@ -615,8 +615,7 @@
+ printf("TPM Manufacturer Endorsement Credential Server Address cannot be NULL\n");
+ return -99;
+ }
+- EKserverAddr = (char *)malloc(strlen(optarg));
+- strncpy(EKserverAddr, optarg, strlen(optarg));
++ EKserverAddr = strdup(optarg);
+ printf("TPM Manufacturer EK provisioning address -- %s\n", EKserverAddr);
+ break;
+ default:
diff --git a/SOURCES/fix-resource-leak-InitSysContext.patch b/SOURCES/fix-resource-leak-InitSysContext.patch
new file mode 100644
index 0000000..e5dcf61
--- /dev/null
+++ b/SOURCES/fix-resource-leak-InitSysContext.patch
@@ -0,0 +1,15 @@
+diff -ur tpm2.0-tools-1.1.0/src/syscontext.c tpm2.0-tools-1.1.0-new/src/syscontext.c
+--- tpm2.0-tools-1.1.0/src/syscontext.c 2016-11-04 07:13:32.000000000 -0700
++++ tpm2.0-tools-1.1.0-new/src/syscontext.c 2017-04-04 22:46:07.365948473 -0700
+@@ -59,8 +59,10 @@
+ 
+ if( rval == TSS2_RC_SUCCESS )
+ return sysContext;
+- else
++ else {
++ free(sysContext);
+ return 0;
++ }
+ }
+ else
+ {
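Review bot: The fseek guard in the added code tests `rc < 0`, but fseek() only promises a non-zero return on failure, so the check should read `if (rc != 0) {`; the literal `0` passed as whence is clearer as `SEEK_SET`. The message `"Could not read whole file.\n"` is also misleading, since the code reads exactly 256 bytes at offset 0x66 and a short file or short read is the real condition; `"Could not read 256 bytes of the EK public key at offset 0x66.\n"` says what failed. The fixed offset plus the appended 0x01 0x00 0x01 exponent imply that outputFile is expected to hold an RSA EK in one particular layout, and a key of a different type or size would presumably be hashed wrongly without any error; a one-line comment above the fseek stating that assumption, e.g. `// Assumes outputFile holds the TPM2B_PUBLIC of an RSA-2048 EK; the modulus starts at 0x66`, would make the limitation visible to the next maintainer.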
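Review bot: The result of the new `strdup(optarg)` is passed to printf on the very next line without a NULL check, so an allocation failure dereferences NULL; add `if (EKserverAddr == NULL) { fprintf(stderr, "Memory allocation failed.\n"); return -99; }` before the printf, mirroring the error return the preceding NULL-address check already uses. The option-parsing switch this case belongs to starts and ends outside the hunk.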
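Review bot: The failure branch still returns the literal `0` for a pointer-typed result; `return NULL;` states the intent and reads better next to the `free(sysContext)` the patch adds. The outer `else {` at the bottom of the hunk is cut off, so whether that path also allocates and releases sysContext cannot be judged from here. The enclosing function starts and ends outside the hunk.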
diff --git a/SOURCES/ret-on-success-rc-decode.patch b/SOURCES/ret-on-success-rc-decode.patch
new file mode 100644
index 0000000..b0ee2a5
--- /dev/null
+++ b/SOURCES/ret-on-success-rc-decode.patch
@@ -0,0 +1,11 @@
+diff -ur tpm2.0-tools-1.1.0/src/tpm2_rc_decode.c tpm2.0-tools-1.1.0-new/src/tpm2_rc_decode.c
+--- tpm2.0-tools-1.1.0/src/tpm2_rc_decode.c 2016-11-04 07:13:32.000000000 -0700
++++ tpm2.0-tools-1.1.0-new/src/tpm2_rc_decode.c 2017-04-05 14:23:36.654804125 -0700
+@@ -246,6 +246,7 @@
+ fprintf (stderr, "Unknown TPM_RC format\n");
+ return -1;
+ }
++ return 0;
+ }
+ /* Top level function to dump human readable data about TPM_RCs.
+ */
diff --git a/SOURCES/tpm2-getmanufec-null-ptr-checks.patch b/SOURCES/tpm2-getmanufec-null-ptr-checks.patch
new file mode 100644
index 0000000..65ac086
--- /dev/null
+++ b/SOURCES/tpm2-getmanufec-null-ptr-checks.patch
@@ -0,0 +1,26 @@
+diff -ur tpm2.0-tools-1.1.0/src/tpm2_getmanufec.cpp tpm2.0-tools-1.1.0-new/src/tpm2_getmanufec.cpp
+--- tpm2.0-tools-1.1.0/src/tpm2_getmanufec.cpp 2017-04-19 10:35:14.803672435 -0700
++++ tpm2.0-tools-1.1.0-new/src/tpm2_getmanufec.cpp 2017-04-19 19:08:46.515111070 -0700
+@@ -385,6 +385,10 @@
+ }
+ 
+ char *weblink = (char*)malloc(1 + strlen(b64h) + strlen(EKserverAddr));
++ if (!weblink) {
++ fprintf(stderr, "Memory allocation failed.\n");
++ return -1;
++ }
+ memset(weblink, 0, (1 + strlen(b64h) + strlen(EKserverAddr)));
+ strcat(weblink, EKserverAddr);
+ strcat(weblink, b64h);
+@@ -394,6 +398,11 @@
+ 
+ FILE * respfile;
+ respfile = fopen(ECcertFile, "wb");
++ if (!respfile) {
++ fprintf(stderr, "Unable to open file: %s\n", ECcertFile);
++ free(weblink);
++ return -1;
++ }
+ 
+ curl_global_init(CURL_GLOBAL_DEFAULT);
+ curl = curl_easy_init();
diff --git a/SOURCES/tpm2-listpcrs-select.patch b/SOURCES/tpm2-listpcrs-select.patch
new file mode 100644
index 0000000..1d2693b
--- /dev/null
+++ b/SOURCES/tpm2-listpcrs-select.patch
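Review bot: The added `fopen(ECcertFile, "wb")` check in tpm2-getmanufec-null-ptr-checks.patch reports the failure without its cause; `fprintf(stderr, "Unable to open file: %s: %s\n", ECcertFile, strerror(errno));` matches the style HashEKPublicKey-cleanup.patch uses for fseek. A more consequential point is that opening the certificate file with "wb" truncates it before the curl fetch that follows has succeeded, so a failed or empty fetch presumably leaves a zero-length ECcertFile behind unless the curl error path (outside this hunk) removes it; consider creating the file only once a response has been received, or unlinking it on the error path, so that a later consumer cannot mistake an empty file for a valid credential. The size expression `1 + strlen(b64h) + strlen(EKserverAddr)` is also evaluated twice; a local `size_t weblink_len` used by both malloc and memset keeps the two from drifting apart. RetrieveEndorsementCredentials starts and ends outside these hunks.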
@@ -0,0 +1,93 @@
+diff -ur tpm2.0-tools-1.1.0/src/tpm2_listpcrs.cpp tpm2.0-tools-1.1.0-new/src/tpm2_listpcrs.cpp
+--- tpm2.0-tools-1.1.0/src/tpm2_listpcrs.cpp 2017-05-15 15:02:54.844952364 -0700
++++ tpm2.0-tools-1.1.0-new/src/tpm2_listpcrs.cpp 2017-05-15 15:06:26.224438974 -0700
+@@ -159,38 +159,36 @@
+ return 0;
+ }
+ 
+-void preparePcrSelections_g(TPMI_ALG_HASH algId)
++int preparePcrSelections(TPMI_ALG_HASH algId)
+ {
+- UINT32 pcrId = 0;
+-
+- g_pcrSelections.count = 1;
+- g_pcrSelections.pcrSelections[0].hash = algId;
+- SET_PCR_SELECT_SIZE(g_pcrSelections.pcrSelections[0], 3);
+- CLEAR_PCR_SELECT_BITS(g_pcrSelections.pcrSelections[0]);
+-
+- for(pcrId = 0; pcrId < 24; pcrId++)
++ TPMI_YES_NO moreData;
++ TPMS_CAPABILITY_DATA capabilityData;
++ UINT32 rval;
++
++ rval = Tss2_Sys_GetCapability( sysContext, 0, TPM_CAP_PCRS, 0, 1,
++ &moreData, &capabilityData, 0 );
++ if(rval != TPM_RC_SUCCESS)
+ {
+- SET_PCR_SELECT_BIT(g_pcrSelections.pcrSelections[0], pcrId );
++ printf("\n......GetCapability: Get PCR allocation status Error. TPM Error:0x%x......\n", rval);
++ return -1;
+ }
+-}
+-
+-void preparePcrSelections()
+-{
+- UINT32 pcrId = 0;
+ 
+ g_pcrSelections.count = 0;
+- for( int i = 0; i < g_banks.count; i++ )
++ for( int i=0; i < capabilityData.data.assignedPCR.count; i++ )
+ {
+- g_pcrSelections.pcrSelections[i].hash = g_banks.alg[i];
+- SET_PCR_SELECT_SIZE(g_pcrSelections.pcrSelections[i], 3);
+- CLEAR_PCR_SELECT_BITS(g_pcrSelections.pcrSelections[i]);
+-
+- for(pcrId = 0; pcrId < 24; pcrId++)
+- {
+- SET_PCR_SELECT_BIT(g_pcrSelections.pcrSelections[i], pcrId );
+- }
++ if (algId && (capabilityData.data.assignedPCR.pcrSelections[i].hash != algId))
++ continue;
++ g_pcrSelections.pcrSelections[g_pcrSelections.count].hash = capabilityData.data.assignedPCR.pcrSelections[i].hash;
++ SET_PCR_SELECT_SIZE(g_pcrSelections.pcrSelections[g_pcrSelections.count], capabilityData.data.assignedPCR.pcrSelections[i].sizeofSelect);
++ for (int j = 0; j < g_pcrSelections.pcrSelections[g_pcrSelections.count].sizeofSelect; j++)
++ g_pcrSelections.pcrSelections[g_pcrSelections.count].pcrSelect[j] = capabilityData.data.assignedPCR.pcrSelections[i].pcrSelect[j];
+ g_pcrSelections.count++;
+ }
++
++ if (g_pcrSelections.count == 0)
++ return -1;
++
++ return 0;
+ }
+ 
+ // show all PCR banks according to g_pcrSelection & g_pcrs.
+@@ -205,7 +203,7 @@
+ printf("\nBank/Algorithm: %s(0x%04x)\n",
+ g_algs[alg_i].desc, g_pcrSelections.pcrSelections[i].hash);
+ 
+- for(UINT32 pcrId = 0; pcrId < 24; pcrId++)
++ for(UINT32 pcrId = 0; pcrId < g_pcrSelections.pcrSelections[i].sizeofSelect * 8; pcrId++)
+ {
+ if(!TEST_PCR_SELECT_BIT(g_pcrSelections.pcrSelections[i], pcrId))
+ continue;
+@@ -246,7 +244,8 @@
+ 
+ int showAllPcrValues()
+ {
+- preparePcrSelections();
++ if(preparePcrSelections(0))
++ return -1;
+ 
+ if(readPcrValues())
+ return -1;
+@@ -270,7 +269,8 @@
+ 
+ int showAlgPcrValues(TPMI_ALG_HASH algId)
+ {
+- preparePcrSelections_g(algId);
++ if(preparePcrSelections(algId))
++ return -1;
+ 
+ if(readPcrValues())
+ return -1;
diff --git a/SOURCES/tpm2_getmanuc-null-check.patch b/SOURCES/tpm2_getmanuc-null-check.patch
new file mode 100644
index 0000000..d195787
--- /dev/null
+++ b/SOURCES/tpm2_getmanuc-null-check.patch
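Review bot: In the new `preparePcrSelections`, the per-bank copy loop is bounded by `sizeofSelect` taken from the TPM's TPM_CAP_PCRS response and writes `pcrSelect[j]` up to that value without checking that it fits the fixed `pcrSelect` array of the destination; the same value then drives the `sizeofSelect * 8` loop bound in the `@@ -205` hunk, where pcrId indexes the PCR arrays. A hardware TPM is normally trusted, but this tool also talks to a socket TCTI (the spec builds against tcti-socket), so unless the TSS unmarshalling layer already rejects an oversized field, a malformed response from a simulator or misconfigured endpoint should be refused rather than copied: before the copy, `if (capabilityData.data.assignedPCR.pcrSelections[i].sizeofSelect > sizeof(g_pcrSelections.pcrSelections[0].pcrSelect)) return -1;`. Note also that `moreData` is requested but never examined, so a TPM that reports its PCR allocation across more than one response would presumably have banks silently dropped; a comment such as `// Assumes the whole PCR allocation fits in one GetCapability response (moreData is ignored)` would at least make that limitation visible.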
@@ -0,0 +1,44 @@
+diff -ur tpm2.0-tools-1.1.0/src/tpm2_getmanufec.cpp tpm2.0-tools-1.1.0-new/src/tpm2_getmanufec.cpp
+--- tpm2.0-tools-1.1.0/src/tpm2_getmanufec.cpp 2017-04-05 15:47:18.271030008 -0700
++++ tpm2.0-tools-1.1.0-new/src/tpm2_getmanufec.cpp 2017-04-05 15:47:39.326377029 -0700
+@@ -332,9 +332,16 @@
+ 
+ char *Base64Encode(const unsigned char* buffer)
+ {
+- printf("Calculating the Base64Encode of the hash of the Endorsement Public Key:\n");
+ BIO *bio, *b64;
+ BUF_MEM *bufferPtr;
++
++ printf("Calculating the Base64Encode of the hash of the Endorsement Public Key:\n");
++
++ if (buffer == NULL) {
++ printf("HashEKPublicKey returned null\n");
++ return NULL;
++ }
++
+ b64 = BIO_new(BIO_f_base64());
+ bio = BIO_new(BIO_s_mem());
+ bio = BIO_push(b64, bio);
+@@ -371,6 +378,12 @@
+ int RetrieveEndorsementCredentials(char *b64h)
+ {
+ printf("Retrieving Endorsement Credential Certificate from the TPM Manufacturer EK Provisioning Server\n");
++
++ if (b64h == NULL) {
++ printf("Base64Encode returned null\n");
++ return -1;
++ }
++
+ char *weblink = (char*)malloc(1 + strlen(b64h) + strlen(EKserverAddr));
+ memset(weblink, 0, (1 + strlen(b64h) + strlen(EKserverAddr)));
+ strcat(weblink, EKserverAddr);
+@@ -416,8 +429,7 @@
+ printf("TPM Manufacturer Endorsement Credential Server Address cannot be NULL\n");
+ return -99;
+ }
+- RetrieveEndorsementCredentials(Base64Encode(HashEKPublicKey()));
+- return 0;
++ return RetrieveEndorsementCredentials(Base64Encode(HashEKPublicKey()));
+ }
+ 
+ void showHelp(const char *name)
diff --git a/SOURCES/tpm2_getmanufec-leak-clean.patch b/SOURCES/tpm2_getmanufec-leak-clean.patch
new file mode 100644
index 0000000..08e1e67
--- /dev/null
+++ b/SOURCES/tpm2_getmanufec-leak-clean.patch
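Review bot: The rewritten call `return RetrieveEndorsementCredentials(Base64Encode(HashEKPublicKey()));` in the `@@ -416` hunk discards the pointer HashEKPublicKey() returns, which HashEKPublicKey-cleanup.patch shows is a malloc'd SHA256_DIGEST_LENGTH buffer, so it can only be released inside Base64Encode(); the visible part of Base64Encode() does not free `buffer`, and if the rest of it does not either (not visible here) the digest leaks on every run. Holding the hash in a local and freeing it after the call makes the ownership explicit, as in the excerpt below. The two added NULL-check diagnostics, `"HashEKPublicKey returned null\n"` and `"Base64Encode returned null\n"`, go to stdout via printf while the other patches in this series report errors with `fprintf(stderr, ...)`; using stderr here keeps the diagnostics consistent. The function containing the `@@ -416` hunk starts outside it.
```cpp
    // … unchanged: EKserverAddr NULL check, return -99 …
    unsigned char *hash = HashEKPublicKey();
    int rc = RetrieveEndorsementCredentials(Base64Encode(hash));
    free(hash);
    return rc;
```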
@@ -0,0 +1,11 @@
+diff -ur tpm2.0-tools-1.1.0/src/tpm2_getmanufec.cpp tpm2.0-tools-1.1.0-new/src/tpm2_getmanufec.cpp
+--- tpm2.0-tools-1.1.0/src/tpm2_getmanufec.cpp 2017-04-05 15:48:37.613337680 -0700
++++ tpm2.0-tools-1.1.0-new/src/tpm2_getmanufec.cpp 2017-04-05 15:48:47.806505677 -0700
+@@ -418,6 +418,7 @@
+ curl_global_cleanup();
+ printf("\n");
+ free(weblink);
++ fclose(respfile);
+ return 0;
+ }
+ 
diff --git a/SOURCES/void-return-listpcrs.patch b/SOURCES/void-return-listpcrs.patch
new file mode 100644
index 0000000..e273156
--- /dev/null
+++ b/SOURCES/void-return-listpcrs.patch
@@ -0,0 +1,12 @@
+diff -ur tpm2.0-tools-1.1.0/src/tpm2_listpcrs.cpp tpm2.0-tools-1.1.0-new/src/tpm2_listpcrs.cpp
+--- tpm2.0-tools-1.1.0/src/tpm2_listpcrs.cpp 2016-11-04 07:13:32.000000000 -0700
++++ tpm2.0-tools-1.1.0-new/src/tpm2_listpcrs.cpp 2017-04-05 02:43:59.619719509 -0700
+@@ -159,7 +159,7 @@
+ return 0;
+ }
+ 
+-int preparePcrSelections_g(TPMI_ALG_HASH algId)
++void preparePcrSelections_g(TPMI_ALG_HASH algId)
+ {
+ UINT32 pcrId = 0;
+ 
diff --git a/SPECS/tpm2-tools.spec b/SPECS/tpm2-tools.spec
new file mode 100644
index 0000000..715d2a9
--- /dev/null
+++ b/SPECS/tpm2-tools.spec
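Review bot: The added `fclose(respfile);` ignores its return value, yet respfile appears to be the write stream the fetched certificate is stored through (it is opened with "wb" in tpm2-getmanufec-null-ptr-checks.patch), so a flush failure at close would go unreported and the function would still return 0 with a possibly truncated ECcertFile; `if (fclose(respfile) != 0) { fprintf(stderr, "Could not close file: %s\n", strerror(errno)); return -1; }` surfaces it. This only covers the success path; whether the curl error paths earlier in RetrieveEndorsementCredentials, which lie outside the hunk, also close respfile cannot be seen here. The enclosing function starts outside the hunk.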
@@ -0,0 +1,108 @@
+Name: tpm2-tools
+Version: 1.1.0
+Release: 7%{?dist}
+Summary: A TPM2.0 testing tool build upon TPM2.0-TSS
+
+%global pkg_prefix tpm2.0-tools
+
+License: BSD
+URL: https://github.com/01org/tpm2.0-tools
+Source0: https://github.com/01org/tpm2.0-tools/archive/v%{version}.tar.gz#/%{pkg_prefix}-%{version}.tar.gz
+# RHEL only. code no longer exists upstream
+Patch0000: fix-resource-leak-InitSysContext.patch
+# RHEL only. Upstream commit 2b6bb441 contains this and more.
+# Added code to clean up hash malloc in err paths
+Patch0001: HashEKPublicKey-cleanup.patch
+# Submitted upstream. https://github.com/01org/tpm2.0-tools/pull/272
+# Slightly different for RHEL due to code differences
+Patch0002: tpm2_getmanuc-null-check.patch
+# Fix is part of upstream commit 2b6bb441.
+Patch0003: tpm2_getmanufec-leak-clean.patch
+# Similar to part of upstream commit 2b6bb441.
+Patch0004: ekservaddr.patch
+# RHEL only. code completely changed upstream
+Patch0005: void-return-listpcrs.patch
+# Upstream commit 778bd1a0a1b5
+Patch0006: ret-on-success-rc-decode.patch
+# Based on part of upstream commit 2b6bb441.
+Patch0007: tpm2-getmanufec-null-ptr-checks.patch
+# similar fix submitted upstream https://github.com/01org/tpm2.0-tools/pull/284
+Patch0008: tpm2-listpcrs-select.patch
+
+BuildRequires: gcc
+BuildRequires: gcc-c++
+BuildRequires: libtool
+BuildRequires: pkgconfig(libcurl)
+BuildRequires: pkgconfig(openssl)
+# tpm2-tss-devel provides sapi/tcti-device/tcti-socket
+BuildRequires: pkgconfig(sapi)
+BuildRequires: pkgconfig(tcti-device)
+BuildRequires: pkgconfig(tcti-socket)
+
+# this package does not support big endian arch so far,
+# and has been verified only on Intel platforms.
+ExclusiveArch: %{ix86} x86_64
+
+# tpm2-tools is heavily depending on TPM2.0-TSS project, matched tss is required
+Requires: tpm2-tss%{?_isa} >= 1.0-2%{?dist}
+
+%description
+tpm2-tools is a batch of testing tools for tpm2.0. It is based on tpm2-tss.
+
+%prep
+%autosetup -p1 -n %{pkg_prefix}-%{version}
+./bootstrap
+
+%build
+%configure --prefix=/usr --disable-static --disable-silent-rules
+%make_build
+
+%install
+%make_install
+
+%files
+%doc README.md CHANGELOG
+%license LICENSE
+%{_sbindir}/tpm2_*
+
+%changelog
+* Mon May 15 2017 Jerry Snitselaar - 1.1.0-7
+- decide pcrs to read based off data returned from TPM2_GetCapability
+resolves: rhbz#1449276
+
+* Wed Apr 19 2017 Jerry Snitselaar - 1.1.0-6
+- check for null ptrs in RetrieveEndorsementCredentials
+
+* Tue Apr 04 2017 Jerry Snitselaar - 1.1.0-5
+- Remove epel dependencies
+- Change tpm2-tss dependency to not be tied to 1 version
+- Fix resource leak in InitSysContext
+- Clean up HashEKPublicKey
+- Add needed null checks to tpm2_getmanufec
+- clean up resource leak in tpm2_getmanufec
+- use strdup to get server address in tpm2_getmanufec
+- change preparePcrSelections_g to void
+- return on success in print_rc_tpm_error_code
+- Update release version
+resolves: rhbz#1275029 - Add tpm2.0-tools package
+
+* Fri Jan 20 2017 Sun Yunying - 1.1.0-4
+- Dependency check failed for Requires again, here to fix this
+- Update release version and changelog
+
+* Thu Jan 19 2017 Sun Yunying - 1.1.0-3
+- Change spec file permission to 644 to avoid rpmlint complain
+- Update Requires to fix dependency check error reported in Bodhi
+- Remove tpm2-tss-devel version in BuildRequires comment
+- Update release version and changelog
+
+* Wed Dec 21 2016 Sun Yunying - 1.1.0-2
+- Remove pkg_version to avoid dupliate use of version
+- Remove redundant BuildRequires for autoconf/automake/pkgconfig
+- Add comments for BuildRequires of sapi/tcti-device/tcti-socket
+- Use ExclusiveArch instead of ExcludeArch
+- Requires tpm2-tss version updated to 1.0-2
+- Updated release version and changelog
+
+* Fri Dec 2 2016 Sun Yunying - 1.1.0-1
+- Initial version of the package
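Review bot: The `%build` section passes `--prefix=/usr` to `%configure`, which already supplies `--prefix=%{_prefix}`; the explicit flag is redundant and overrides the macro, so `%configure --disable-static --disable-silent-rules` is the conventional form. The `Summary:` line reads "build upon" where "built upon" is meant. The header comments on Patch0001, Patch0003, Patch0004 and Patch0007 all cite the same upstream commit 2b6bb441 for different fragments; one comment naming which hunk of that commit each patch carries would make it easier to retire them when the package is rebased.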