From 91ee00905aa2c204055d92983607bc110d4fa772 Mon Sep 17 00:00:00 2001
From: Juergen Repp
Date: Wed, 22 Mar 2023 10:54:59 +0100
Subject: [PATCH 1/3] FAPI: Skip test fapi-fix-provisioning-with template if no certificate is available.

If the configure option --enable-self-generated-certificate is not used this test can't be executed because no certificate will be stored in NV ram. The test will be skipped if no certificate is available.

Fixes: #2558

Signed-off-by: Juergen Repp
---
 .../fapi-provisioning-with-template.int.c | 40 ++++++++++++++++++-
 1 file changed, 39 insertions(+), 1 deletion(-)

diff --git a/test/integration/fapi-provisioning-with-template.int.c b/test/integration/fapi-provisioning-with-template.int.c
index 27f8e579d..ddef2a8e1 100644
--- a/test/integration/fapi-provisioning-with-template.int.c
+++ b/test/integration/fapi-provisioning-with-template.int.c
@@ -4,6 +4,8 @@
 #endif
 
 #include
+#include
+#include
 
 #include "tss2_esys.h"
 #include "tss2_fapi.h"
@@ -31,6 +33,39 @@
  * @retval EXIT_SKIP
  *
  */
+static bool
+fapi_ek_certless()
+{
+    FILE *stream = NULL;
+    long config_size;
+    char *config = NULL;
+    char *fapi_config_file = getenv("TSS2_FAPICONF");
+
+    stream = fopen(fapi_config_file, "r");
+    if (!stream) {
+        LOG_ERROR("File %s does not exist", fapi_config_file);
+        return NULL;
+    }
+    fseek(stream, 0L, SEEK_END);
+    config_size = ftell(stream);
+    fclose(stream);
+    config = malloc(config_size + 1);
+    stream = fopen(fapi_config_file, "r");
+    ssize_t ret = read(fileno(stream), config, config_size);
+    if (ret != config_size) {
+        LOG_ERROR("IO error %s.", fapi_config_file);
+        return NULL;
+    }
+    config[config_size] = '\0';
+    if (strstr(config, "\"ek_cert_less\": \"yes\"") == NULL) {
+        SAFE_FREE(config);
+        return false;
+    } else {
+        SAFE_FREE(config);
+        return true;
+    }
+}
+
 int
 test_fapi_provision_template(FAPI_CONTEXT *context)
 {
@@ -148,6 +183,9 @@ test_fapi_provision_template(FAPI_CONTEXT *context)
     TPM2B_AUTH auth = { .size = 0, .buffer = {} };
     TPM2B_MAX_NV_BUFFER nv_data;
 
+    if (fapi_ek_certless())
+        return EXIT_SKIP;
+
     if (strcmp(FAPI_PROFILE, "P_ECC") == 0) {
         nv_template_idx = ecc_nv_template_idx;
         nv_nonce_idx = ecc_nv_nonce_idx;
@@ -166,7 +204,7 @@ test_fapi_provision_template(FAPI_CONTEXT *context)
     r = Esys_Initialize(&esys_ctx, tcti, NULL);
     goto_if_error(r, "Error Esys_Initialize", error);
 
-    /* 
+    /*
      * Store template (marshaled TPMT_PUBLIC) in NV ram.
      */
     r = Tss2_MU_TPMT_PUBLIC_Marshal(&in_public, &nv_data.buffer[0],

From 24e2d976872fa69169a321f8dc74962876d370e2 Mon Sep 17 00:00:00 2001
From: orbea
Date: Mon, 4 Jul 2022 23:55:18 -0700
Subject: [PATCH 2/3] Support LibreSSL

This works with LibreSSL 3.5.x.

Missing in LibreSSL:
* RAND_OpenSSL (Deprecated in OpenSSL >= 3.0)
* NID_sm2

Signed-off-by: orbea
---
 .github/workflows/main.yml       | 21 +++++++++++++++++++++
 src/tss2-esys/esys_crypto_ossl.c |  8 ++++++--
 2 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 08dba6857..2e38162b0 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -85,6 +85,27 @@ jobs:
       - name: failure
         if: ${{ failure() }}
         run: cat $(find ../ -name test-suite.log) || true
+  test-libressl:
+    runs-on: ubuntu-latest
+    if: "!contains(github.ref, 'coverity_scan')"
+    strategy:
+      matrix:
+        docker_image: [fedora-34-libressl]
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - name: Launch Action
+        uses:
+          tpm2-software/ci/runCI@main
+        with:
+          CC: gcc
+          DOCKER_IMAGE: ${{ matrix.docker_image }}
+          PROJECT_NAME: ${{ github.event.repository.name }}
+      - name: failure
+        if: ${{ failure() }}
+        run: cat $(find ../ -name test-suite.log) || true
   test-no-crypto-build:
     runs-on: ubuntu-latest
     if: "!contains(github.ref, 'coverity_scan')"
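Review bot: The new `if (fapi_ek_certless())` body is left unbraced while the `if (strcmp(FAPI_PROFILE, "P_ECC") == 0) {` three lines below in the same hunk braces its body; for consistency with the file and to avoid the dangling-statement class of mistake, write `if (fapi_ek_certless()) {` / `    return EXIT_SKIP;` / `}`. Since fapi_ek_certless reports false on any read error, a wrong TSS2_FAPICONF path makes the test run and fail rather than skip, which is defensible but deserves a note at this call site: `/* Skip when the FAPI config declares ek_cert_less; read errors fall through to the test. */`. test_fapi_provision_template starts and ends outside this hunk.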
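Review bot: The new `test-libressl` job consumes `tpm2-software/ci/runCI@main` and `actions/checkout@v2`, both mutable references, so the toolchain and build scripts this job executes can change without any commit to this repository; pinning each `uses:` to a full commit SHA (tag kept in a trailing comment) is the standard mitigation for that supply-chain exposure. If the existing jobs above use the same references this is consistent with them, but a newly added job is the natural place to start pinning. The `uses:` value split onto its own line is valid YAML but differs from the `uses: actions/checkout@v2` form a few lines up; `uses: tpm2-software/ci/runCI@main` on one line reads better.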
diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c
index 92b48b11c..bcbf0e89c 100644
--- a/src/tss2-esys/esys_crypto_ossl.c
+++ b/src/tss2-esys/esys_crypto_ossl.c
@@ -392,7 +392,8 @@ iesys_cryptossl_hmac_start(ESYS_CRYPTO_CONTEXT_BLOB ** context,
                    "Error EVP_MD_CTX_create", cleanup);
     }
 
-#if OPENSSL_VERSION_NUMBER < 0x10101000L
+#if OPENSSL_VERSION_NUMBER < 0x10101000L || \
+    ( defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3070000fL )
     if (!(hkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, key, size))) {
 #else
     /* this is preferred, but available since OpenSSL 1.1.1 only */
@@ -558,7 +559,9 @@ iesys_cryptossl_random2b(
     int rc;
 #if OPENSSL_VERSION_NUMBER < 0x30000000L
     const RAND_METHOD *rand_save = RAND_get_rand_method();
+#ifndef LIBRESSL_VERSION_NUMBER
     RAND_set_rand_method(RAND_OpenSSL());
+#endif
 #else
     OSSL_LIB_CTX *libctx = OSSL_LIB_CTX_new();
     if (!libctx)
@@ -615,8 +618,9 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
     RSA *rsa_key = NULL;
     const EVP_MD * hashAlg = NULL;
     const RAND_METHOD *rand_save = RAND_get_rand_method();
-
+#ifndef LIBRESSL_VERSION_NUMBER
     RAND_set_rand_method(RAND_OpenSSL());
+#endif
 #else
     OSSL_LIB_CTX *libctx = NULL;
     EVP_MD * hashAlg = NULL;

From d8d605dfddea8b45d38f3c45513e94b6ffbb5e03 Mon Sep 17 00:00:00 2001
From: orbea
Date: Fri, 14 Apr 2023 14:00:39 -0700
Subject: [PATCH 3/3] HACK: Disable --enable-self-generated-certificate

See if the CI passes.
---
 .ci/docker.run | 24 ++++++++++++------------
 .cirrus.yml    |  2 +-
 2 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/.ci/docker.run b/.ci/docker.run
index 1653f361a..49b6c9646 100755
--- a/.ci/docker.run
+++ b/.ci/docker.run
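Review bot: The `#else` comment `/* this is preferred, but available since OpenSSL 1.1.1 only */` is now stale, because the condition above it also admits LibreSSL from 3.7.0 (the `0x3070000fL` threshold); update it to `/* preferred, but available since OpenSSL 1.1.1 / LibreSSL 3.7 only */` so the next reader does not have to decode the version macro. A short comment on the continued line explaining why LibreSSL needs its own clause (presumably because it reports OPENSSL_VERSION_NUMBER as a 2.0-era value that the first comparison never matches) would help as well. iesys_cryptossl_hmac_start continues outside this hunk.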
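Review bot: With `RAND_set_rand_method(RAND_OpenSSL())` compiled out for LibreSSL, `rand_save` in iesys_cryptossl_random2b is still fetched here and presumably restored later outside the hunk without anything having changed in between, and the same applies to the hunk at -615 in iesys_cryptossl_pk_encrypt; a comment should record why, e.g. `/* RAND_OpenSSL() does not exist in LibreSSL; the library default RAND method is used as-is. */`. The original call forces the library's own DRBG even when the application has installed another RAND_METHOD, so the LibreSSL build now relies on whatever method is active when session nonces and the RSA-OAEP seed are generated; if LibreSSL indeed ignores RAND_set_rand_method that is harmless, but the comment should state it rather than leave the reader to infer it. Both enclosing functions continue outside their hunks.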
@@ -73,14 +73,14 @@ if ldconfig -p 2>/dev/null| grep libasan > /dev/null && ldconfig -p 2>/dev/null|
 fi
 
 if [ "$SCANBUILD" == "yes" ]; then
-    scan-build --status-bugs ../configure --enable-unit --enable-self-generated-certificate --enable-integration --with-crypto=$WITH_CRYPTO $CONFIGURE_OPTIONS
+    scan-build --status-bugs ../configure --enable-unit --enable-integration --with-crypto=$WITH_CRYPTO $CONFIGURE_OPTIONS
 elif [ "$CC" == "clang" ]; then
-    ../configure --enable-unit --enable-self-generated-certificate --enable-integration --with-maxloglevel=none --with-crypto=$WITH_CRYPTO $CONFIGURE_OPTIONS
+    ../configure --enable-unit --enable-integration --with-maxloglevel=none --with-crypto=$WITH_CRYPTO $CONFIGURE_OPTIONS
 else
     if [ "$WITH_TCTI" == "mssim" ]; then
-        ../configure $SANITIZER_OPTION --disable-tcti-swtpm --enable-unit --enable-self-generated-certificate --enable-integration --with-crypto=$WITH_CRYPTO $CONFIGURE_OPTIONS
+        ../configure $SANITIZER_OPTION --disable-tcti-swtpm --enable-unit --enable-integration --with-crypto=$WITH_CRYPTO $CONFIGURE_OPTIONS
     else
-        ../configure $SANITIZER_OPTION --with-maxloglevel=none --enable-debug=yes --enable-unit --enable-self-generated-certificate --enable-integration --with-crypto=$WITH_CRYPTO $CONFIGURE_OPTIONS
+        ../configure $SANITIZER_OPTION --with-maxloglevel=none --enable-debug=yes --enable-unit --enable-integration --with-crypto=$WITH_CRYPTO $CONFIGURE_OPTIONS
     fi
 fi
 
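Review bot: Removing `--enable-self-generated-certificate` from every configure invocation here, in the hunk at -100 below and in .cirrus.yml means no CI build stores an EK certificate any more, so, given patch 1/3 in this series, fapi-provisioning-with-template is presumably skipped in every CI configuration and the certificate-backed provisioning path loses its only automated coverage. If this is the temporary experiment the `HACK` subject suggests, keep the option in at least one configuration (the default gcc build on the final `else` branch is the natural one) or leave a marker such as `# TODO: restore --enable-self-generated-certificate (dropped as a CI experiment)` so the coverage gap is not forgotten. The branch being modified starts after the `fi` that opens this hunk and is fully visible.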
@@ -100,34 +100,34 @@ pushd ./config_test
 if [ "$CC" == "gcc" ]; then
     # No TCTI - expect to fail
     echo "========================== START TEST - NO TCTI =========================="
-    (../configure --disable-doxygen-doc --enable-unit --enable-self-generated-certificate --enable-integration --disable-tcti-swtpm --disable-tcti-mssim --disable-tcti-device && exit 1) || echo "failed as expected";
+    (../configure --disable-doxygen-doc --enable-unit --enable-integration --disable-tcti-swtpm --disable-tcti-mssim --disable-tcti-device && exit 1) || echo "failed as expected";
     # only device TCTI
     echo "========================== START TEST - device TCTI =========================="
-    mkdir -p ./dev/tpm0 && ../configure --disable-doxygen-doc --enable-unit --enable-self-generated-certificate --enable-integration --disable-tcti-swtpm --disable-tcti-mssim --enable-tcti-device --with-device=./dev/tpm0
+    mkdir -p ./dev/tpm0 && ../configure --disable-doxygen-doc --enable-unit --enable-integration --disable-tcti-swtpm --disable-tcti-mssim --enable-tcti-device --with-device=./dev/tpm0
     make -j check TESTS="test/unit/tcti-device" && rm -rf ./dev
     # only mssim TCTI
     echo "========================== START TEST - mssim TCTI =========================="
-    ../configure --disable-doxygen-doc --enable-unit --enable-self-generated-certificate --enable-integration --disable-tcti-swtpm --enable-tcti-mssim --disable-tcti-device
+    ../configure --disable-doxygen-doc --enable-unit --enable-integration --disable-tcti-swtpm --enable-tcti-mssim --disable-tcti-device
     make -j check TESTS="test/unit/tcti-mssim"
     # device and mssim TCTIs
     echo "========================== START TEST - mssim & device TCTI =========================="
-    ../configure --disable-doxygen-doc --enable-unit --enable-self-generated-certificate --enable-integration --disable-tcti-swtpm --enable-tcti-mssim --enable-tcti-device
+    ../configure --disable-doxygen-doc --enable-unit --enable-integration --disable-tcti-swtpm --enable-tcti-mssim --enable-tcti-device
     make -j check TESTS="test/unit/tcti-device test/unit/tcti-mssim"
     # only swtmp TCTI
     echo "========================== START TEST - swtpm TCTI =========================="
-    ../configure --disable-doxygen-doc --enable-unit --enable-self-generated-certificate --enable-integration --enable-tcti-swtpm --disable-tcti-mssim --disable-tcti-device
+    ../configure --disable-doxygen-doc --enable-unit --enable-integration --enable-tcti-swtpm --disable-tcti-mssim --disable-tcti-device
     make -j check TESTS="test/unit/tcti-swtpm"
     # swtmp and device TCTIs
     echo "========================== START TEST - swtpm & device TCTI =========================="
-    ../configure --disable-doxygen-doc --enable-unit --enable-self-generated-certificate --enable-integration --enable-tcti-swtpm --disable-tcti-mssim --enable-tcti-device
+    ../configure --disable-doxygen-doc --enable-unit --enable-integration --enable-tcti-swtpm --disable-tcti-mssim --enable-tcti-device
     make -j check TESTS="test/unit/tcti-swtpm test/unit/tcti-device"
     # swtmp and mssim TCTIs
     echo "========================== START TEST - swtpm & mssim TCTI =========================="
-    ../configure --disable-doxygen-doc --enable-unit --enable-self-generated-certificate --enable-integration --enable-tcti-swtpm --enable-tcti-mssim --disable-tcti-device
+    ../configure --disable-doxygen-doc --enable-unit --enable-integration --enable-tcti-swtpm --enable-tcti-mssim --disable-tcti-device
     make -j check TESTS="test/unit/tcti-swtpm test/unit/tcti-mssim"
     # all TCTIs
     echo "========================== START TEST - swtpm & mssim & device TCTI =========================="
-    ../configure --disable-doxygen-doc --enable-unit --enable-self-generated-certificate --enable-integration --enable-tcti-swtpm --enable-tcti-mssim --enable-tcti-device
+    ../configure --disable-doxygen-doc --enable-unit --enable-integration --enable-tcti-swtpm --enable-tcti-mssim --enable-tcti-device
     make -j check TESTS="test/unit/tcti-swtpm test/unit/tcti-mssim test/unit/tcti-device"
 fi # CC == gcc
 popd
diff --git a/.cirrus.yml b/.cirrus.yml
index f565cded7..2968e9759 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -27,5 +27,5 @@ task:
     - cd - && rm -fr libusb
   script:
     ./bootstrap &&
-    ./configure --enable-self-generated-certificate --enable-unit=yes --enable-integration=yes --with-crypto=ossl --disable-doxygen-doc --enable-tcti-swtpm=no --enable-tcti-libtpms=no --enable-tcti-mssim=yes --disable-dependency-tracking &&
+    ./configure --enable-unit=yes --enable-integration=yes --with-crypto=ossl --disable-doxygen-doc --enable-tcti-swtpm=no --enable-tcti-libtpms=no --enable-tcti-mssim=yes --disable-dependency-tracking &&
     gmake -j distcheck || { cat /tmp/cirrus-ci-build/tpm2-tss-*/_build/sub/test-suite.log; exit 1; }