swtpm: ignore failure to choose version for --print-capabilities
A version was selected early for TPMLIB_GetInfo() to succeed in
--print-capabilities. TPM 1.2 is the default version, but can now be
disabled in libtpms.
Ignore the error when the version is unsupported by libtpms and skip
reporting the GetInfo related details.
Nick Chevsky [Sat, 31 Jul 2021 17:17:59 +0000 (12:17 -0500)]
swtpm: Preserve mlp->flags in CMD_SET_DATAFD handler
Fix the handler for control channel command CMD_SET_DATAFD so that
it ORs new bits onto mlp->flags instead of overwriting its value.
This was causing loss of flags previously set during command-line
argument parsing, which resulted in user-provided options (e.g.
--terminate) to be permanently ignored if command CMD_SET_DATAFD
was at any point received on the control channel.
Signed-off-by: Nick Chevsky <nchevsky@users.noreply.github.com>
Stefan Berger [Fri, 11 Jun 2021 00:05:05 +0000 (20:05 -0400)]
swtpm_setup: Get key description from function generating the EK key
Pass an optional key_description parameter through the APIs to be able to
get the a human readable key description, such as 'rsa2048' or 'secp384r1'
of the key that was created.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Wed, 28 Jul 2021 12:49:40 +0000 (08:49 -0400)]
tests: Replace ${SWTPM}.pid with swtpm.pid in PID filename in 2 test cases
The PID filename was generated using the ${SWTPM} environment variable,
which caused test failures if set to a URL for example. Replace it with
'swptm'.
This issue was reported in issue #454.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Nick Chevsky [Tue, 27 Jul 2021 18:54:45 +0000 (13:54 -0500)]
Change swtpm-localca to swtpm_localca in manpages
- Move content of swtpm-localca(8) manual page to swtpm_localca(8)
and make swtpm-localca(8) an alias for swtpm_localca(8), mirroring
the fact that /usr/bin/swtpm_localca is the actual program and
/usr/share/swtpm/swtpm-localca a wrapper for it.
- Change references to `swtpm-localca` in manual pages' content to
`swtpm_localca`, reflecting the actual name of the program they are
meant to document.
Signed-off-by: Nick Chevsky <nchevsky@users.noreply.github.com>
Stefan Berger [Mon, 26 Jul 2021 20:57:24 +0000 (16:57 -0400)]
build-sys: Add MY_CFLAGS, CFLAGS, and MY_LDFLAGS to all Makefile.am's
Add MY_CFLAGS, CFLAGS, and MY_LDFLAGS to all Makefile.am's so that they
can be defined during configure time as well as CFLAGS added during
build time. LDFLAGS were already handled correctly during build-time.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Nick Chevsky [Fri, 23 Jul 2021 20:15:22 +0000 (15:15 -0500)]
Debian packaging improvements
- debian/clean: Add files that were not being automatically cleaned
up by dh(1)'s `clean` target.
- debian/control:
- Add new recommended/required fields and bump Standards-Version.
- Remove redundant build dependencies that are implied transitively.
- Bump debhelper dependency version to match debian/compat.
- Move swtpm-libs's ${misc:Pre-Depends} dependency to `Pre-Depends`.
Resolves `depends-on-misc-pre-depends` Lintian warning.
- Sort packages and dependency lists alphabetically as per
wrap-and-sort(1).
- debian/not-installed: List deliberately non-installed files to
avoid dh_missing(1) warnings.
- debian/rules:
- Pass --no-scripts to dh_makeshlibs(1) in order to keep a
ldconfig(8) trigger from being implicitly added, which for
this package was redundant and triggered Lintian warning
`package-has-unnecessary-activation-of-ldconfig-trigger`.
- Remove redundant --parallel dh flag.
- Remove redundant dh_usrlocal override.
- debian/*.install:
- Add swtpm-create-tpmca(8) and its manpage, which were missing.
- Remove redundant `#! /usr/bin/dh-exec` lines.
- Sort entries alphabetically as per wrap-and-sort(1).
- debian/swtpm-tools.postinst.in: Add `set -e` to fail in case of
error. Fixes `maintainer-script-ignores-errors` Lintian warning.
Signed-off-by: Nick Chevsky <nchevsky@users.noreply.github.com>
Nick Chevsky [Sat, 24 Jul 2021 18:54:40 +0000 (13:54 -0500)]
Move swtpm_localca sources from samples/ to src/
- Move swtpm_localca's sources out of samples/ (where they no longer
belong now that swtpm_localca is a binary) to src/swtpm_localca/.
- Tests now call the swtpm_localca binary directly at the location
where it was built, as they do with all other compiled programs.
- Simplify samples/swtpm-localca.in and delete swtpm-localca.2inst,
removing the now-unnecessary logic to selectively call swtpm_localca
from different locations (samples/ when running tests vs. /usr/bin/
post-installation).
Signed-off-by: Nick Chevsky <nchevsky@users.noreply.github.com>
Nick Chevsky [Wed, 21 Jul 2021 18:09:33 +0000 (13:09 -0500)]
Move swtpm_setup.conf.in from etc/ to samples/
- Makes swtpm_setup.conf.in consistent with the rest of the sample
configuration files in swtpm, whose templates ship in samples/ and
install the generated files to /etc.
- Works around dh_missing(1) erroneously reporting swtpm_setup.conf as
non-installed due to its having two copies in the build tree (one in
etc/ and another in debian/tmp/etc/).
Signed-off-by: Nick Chevsky <nchevsky@users.noreply.github.com>
Nick Chevsky [Wed, 21 Jul 2021 20:30:44 +0000 (15:30 -0500)]
Remove swtpm.spec from .gitignore
Even though swtpm.spec is an auto-generated file, the author would
like to keep it in the repository for ease of installing dependencies
during development. As long as the file is meant to be versioned, it
should not be in .gitignore. Discussion for context:
https://github.com/stefanberger/swtpm/pull/496#issuecomment-884432135
Signed-off-by: Nick Chevsky <nchevsky@users.noreply.github.com>
Stefan Berger [Tue, 13 Jul 2021 15:03:18 +0000 (11:03 -0400)]
samples: Replace swtpm_localca with script calling swtpm-localca (issue #482)
Replace the binary swtpm_localca with a script that now calls the binary
swtpm-localca, which is to be installed in $bindir.
So that we can use this for script for calling swtpm-localca during testing
(when it is not installed), write the script in such a way that it de-
termines whether there's swtpm-localca in the same directory and if not call
it from ${bindir}/swtpm-localca.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Wed, 14 Jul 2021 16:36:41 +0000 (12:36 -0400)]
swtpm_setup: Fix compiler errors when memcpy is a macro (Cygwin)
Since commit 502cb1129ad59 -D_FORTIFY_SOURCE=2 is passed to the gcc
command line resulting in memcpy() becoming a macro on Cygwin, which
then causes the following compiler errors due to the anonymous arrays
being used:
swtpm.c: In function ‘swtpm_tpm2_createprimary_ek_rsa’:
swtpm.c:686:26: error: macro "memcpy" passed 34 arguments, but takes just 3
686 | }, authpolicy_len);
| ^
In file included from /usr/include/string.h:180,
from swtpm.c:15:
/usr/include/ssp/string.h:97: note: macro "memcpy" defined here
97 | #define memcpy(dst, src, len) __ssp_bos_check3(memcpy, dst, src, len)
|
swtpm.c:682:9: error: statement with no effect [-Werror=unused-value]
682 | memcpy(authpolicy, (unsigned char []){
| ^~~~~~
swtpm.c:698:26: error: macro "memcpy" passed 50 arguments, but takes just 3
698 | }, authpolicy_len);
| ^
The solution is to surround the anonymous array definitions with '( )'.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Eiichi Tsukata [Wed, 23 Jun 2021 03:50:32 +0000 (12:50 +0900)]
swtpm: Issue fsync to ensure state data reaches disk
Add fsync(2) before rename(2) for temp file to ensure data reaches disk
and for directory which containing state file to ensure directory entry
also reaches disk.
Tomasz Kłoczko [Fri, 11 Jun 2021 17:53:07 +0000 (18:53 +0100)]
build-sys: Call autoupdate and fix some resulting issues
autoreconf from autoconf 2.71 emmits a lot of warnings:
```
+ autoreconf -fiv
autoreconf: export WARNINGS=
autoreconf: Entering directory '.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal --force -I m4
aclocal: warning: couldn't open directory 'm4': No such file or directory
configure.ac:587: warning: macro 'AM_CFLAGS' not found in library
configure.ac:590: warning: macro 'AM_LDFLAGS' not found in library
autoreconf: configure.ac: tracing
autoreconf: running: libtoolize --copy --force
libtoolize: putting auxiliary files in '.'.
libtoolize: copying file './ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
libtoolize: copying file 'm4/libtool.m4'
libtoolize: copying file 'm4/ltoptions.m4'
libtoolize: copying file 'm4/ltsugar.m4'
libtoolize: copying file 'm4/ltversion.m4'
libtoolize: copying file 'm4/lt~obsolete.m4'
autoreconf: configure.ac: not using Intltool
autoreconf: configure.ac: not using Gtkdoc
autoreconf: running: aclocal --force -I m4
configure.ac:587: warning: macro 'AM_CFLAGS' not found in library
configure.ac:590: warning: macro 'AM_LDFLAGS' not found in library
autoreconf: running: /usr/bin/autoconf --force
configure.ac:29: warning: The macro `AC_CONFIG_HEADER' is obsolete.
configure.ac:29: You should run autoupdate.
./lib/autoconf/status.m4:719: AC_CONFIG_HEADER is expanded from...
configure.ac:29: the top level
configure.ac:53: warning: The macro `AC_HELP_STRING' is obsolete.
configure.ac:53: You should run autoupdate.
./lib/autoconf/general.m4:204: AC_HELP_STRING is expanded from...
configure.ac:53: the top level
configure.ac:76: warning: The macro `AC_HEADER_STDC' is obsolete.
configure.ac:76: You should run autoupdate.
./lib/autoconf/headers.m4:704: AC_HEADER_STDC is expanded from...
configure.ac:76: the top level
configure.ac:81: warning: The macro `AC_TYPE_SIGNAL' is obsolete.
configure.ac:81: You should run autoupdate.
./lib/autoconf/types.m4:776: AC_TYPE_SIGNAL is expanded from...
configure.ac:81: the top level
configure.ac:202: warning: The macro `AC_HELP_STRING' is obsolete.
configure.ac:202: You should run autoupdate.
./lib/autoconf/general.m4:204: AC_HELP_STRING is expanded from...
configure.ac:202: the top level
configure.ac:279: warning: The macro `AC_HELP_STRING' is obsolete.
configure.ac:279: You should run autoupdate.
./lib/autoconf/general.m4:204: AC_HELP_STRING is expanded from...
configure.ac:279: the top level
configure.ac:434: warning: The macro `AC_HELP_STRING' is obsolete.
configure.ac:434: You should run autoupdate.
./lib/autoconf/general.m4:204: AC_HELP_STRING is expanded from...
configure.ac:434: the top level
configure.ac:441: warning: The macro `AC_HELP_STRING' is obsolete.
configure.ac:441: You should run autoupdate.
./lib/autoconf/general.m4:204: AC_HELP_STRING is expanded from...
configure.ac:441: the top level
configure.ac:521: warning: The macro `AC_HELP_STRING' is obsolete.
configure.ac:521: You should run autoupdate.
./lib/autoconf/general.m4:204: AC_HELP_STRING is expanded from...
configure.ac:521: the top level
autoreconf: running: /usr/bin/autoheader --force
autoreconf: running: automake --add-missing --copy --force-missing
configure.ac:40: installing './compile'
configure.ac:43: installing './config.guess'
configure.ac:43: installing './config.sub'
configure.ac:41: installing './install-sh'
configure.ac:48: installing './missing'
samples/Makefile.am: installing './depcomp'
parallel-tests: installing './test-driver'
autoreconf: Leaving directory '.'
```
Execute autoupdate to apply all those chenges and then cleanup that
in next commits.
Signed-off-by: Tomasz Kłoczko <kloczek@github.com> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Mon, 21 Jun 2021 21:01:18 +0000 (17:01 -0400)]
sample: swtpm-localca: Add missing else branch for pkcs11 and PIN
Add a missing else branch that was forgotten about when the code was trans-
lated from python. This now also gets the test case
test_tpm2_samples_create_tpmca to work again when it is run from the command
line. This test case doesn't work as part of the test suite due to
concurreny issues with other test cases using tpm2-abrmd at the same.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Felipe Franciosi [Tue, 15 Jun 2021 09:51:01 +0000 (10:51 +0100)]
swtpm: Fix SWTPM names in comments and messages
Some of the code comes from libtpms, where various methods are named
"TPM_Something". The swtpm version of these methods are named
"SWTPM_Something". However, certain debug/log messages and comments were
updated accordingly to reflect that.
This is a cosmetic change that fixes that.
Signed-off-by: Felipe Franciosi <felipe@nutanix.com>
Stefan Berger [Thu, 3 Jun 2021 14:18:21 +0000 (10:18 -0400)]
swtpm_localca: Adjust expiration days for 32-bit platforms
GnuTLS on 32-bit platforms complains about the long expiration time
of the certificates since they overflow the 32-bit time_t. Reduce
the duration to 12 years.
This system expresses time with a 32-bit time_t; that prevents dates after 2038 to be expressed by GnuTLS.
Overflow while parsing days
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Thu, 3 Jun 2021 14:04:53 +0000 (10:04 -0400)]
swtpm_setup: Initialize autfreed variables with NULL (gcc-11)
This patch addresses the following gcc-11 compiler issues:
In file included from /usr/include/glib-2.0/glib.h:114,
from swtpm_setup_utils.c:14:
swtpm_setup_utils.c: In function 'get_config_value':
/usr/include/glib-2.0/glib/glib-autocleanups.h:28:3: error: 'tmp' may be used uninitialized in this function [-Werror=maybe-uninitialized]
28 | g_free (*pp);
| ^~~~~~~~~~~~
swtpm_setup_utils.c:36:31: note: 'tmp' was declared here
36 | g_autofree gchar *tmp;
| ^~~
swtpm.c: In function 'swtpm_start':
/usr/include/glib-2.0/glib/glib-autocleanups.h:28:3: error: 'pidfile_file' may be used uninitialized in this function [-Werror=maybe-uninitialized]
28 | g_free (*pp);
| ^~~~~~~~~~~~
swtpm.c:54:23: note: 'pidfile_file' was declared here
54 | g_autofree gchar *pidfile_file;
| ^~~~~~~~~~~~
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Thu, 3 Jun 2021 13:54:43 +0000 (09:54 -0400)]
swtpm_localca: Initialize autofreed variables to NULL (gcc-11)
This patch addresses the following gcc-11 compiler issues:
In file included from /usr/include/glib-2.0/glib.h:114,
from ../src/utils/swtpm_utils.h:13,
from swtpm_localca_utils.c:24:
swtpm_localca_utils.c: In function 'get_config_envvars':
/usr/include/glib-2.0/glib/glib-autocleanups.h:28:3: error: 'value' may be used uninitialized in this function [-Werror=maybe-uninitialized]
28 | g_free (*pp);
| ^~~~~~~~~~~~
swtpm_localca_utils.c:98:37: note: 'value' was declared here
98 | g_autofree gchar *key, *value;
| ^~~~~
In file included from /usr/include/glib-2.0/glib.h:114,
from ../src/utils/swtpm_utils.h:13,
from swtpm_localca_utils.c:24:
/usr/include/glib-2.0/glib/glib-autocleanups.h:28:3: error: 'key' may be used uninitialized in this function [-Werror=maybe-uninitialized]
28 | g_free (*pp);
| ^~~~~~~~~~~~
swtpm_localca_utils.c:98:31: note: 'key' was declared here
98 | g_autofree gchar *key, *value;
| ^~~
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Using these instead of the regular version number makes it
more complicated than necessary to perform builds, and there
doesn't seem to be any advantage in keeping them around.
After this change, the rpm building instructions contained in
the INSTALL file actually work.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
autogen.sh will automatically invoke configure passing it any
command line arguments it received, so we shouldn't instruct
the user to unnecessarily run it again immediately afterwards.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Stefan Berger [Mon, 24 May 2021 14:00:22 +0000 (10:00 -0400)]
build-sys: Only define single .PHONY
Fix the following issue due to multiple .PHONY definitions.
Makefile.am:34: warning: .PHONY was already defined in condition WITH_SELINUX, which is included in condition TRUE ...
Makefile.am:28: ... '.PHONY' previously defined here
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Jonas Witschel [Wed, 19 May 2021 08:30:41 +0000 (10:30 +0200)]
swtpm_cert: rename deprecated libtasn1 types
These types have been renamed in libtasn1 version 3.0 (released 2012-10-28).
The most recent libtasn1 version 4.17.0 (released 2021-05-13) now prints
deprecation warnings that are made fatal by -Werror:
ek-cert.c:76:13: error: 'ASN1_ARRAY_TYPE' macro is deprecated, use 'asn1_static_node' instead. [-Werror]
76 | extern const ASN1_ARRAY_TYPE tpm_asn1_tab[];
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[...]
The new types were introduced almost ten years ago, so they should be pretty
universally available by now.
Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
build-sys: leave CFLAGS/LDFLAGS for user to be defined
This allows user to set specific flags during compilation, without
overriding configure-time cflags necessary for compilation.
See also:
https://www.gnu.org/software/automake/manual/html_node/User-Variables.html
https://www.gnu.org/software/automake/manual/html_node/Flag-Variables-Ordering.html
Stefan Berger [Wed, 17 Mar 2021 19:56:14 +0000 (15:56 -0400)]
tests: Set test-check local user.name and user.email before git am
If we are running the tests as a user that doesn't have a git config
setup we run into the following issue when trying to apply patches
suing 'git am':
Stefan Berger [Mon, 15 Mar 2021 14:06:43 +0000 (10:06 -0400)]
build-sys: Check for minimum required gnutls 3.4.0
RHEL 7's gnutls 3.3.29 does not take the private key passwords like later
versions take it. We require at least 3.4.0, though I am not entirely sure
when that change occurred. We may actually require >3.4.0.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Sun, 28 Feb 2021 21:10:11 +0000 (16:10 -0500)]
swtpm_setup: Write note about non-standard EK when using --allow-signing
Write a note in swtpm_setup's help screen and man page that the usage
of --allow-signing will lead to a non-standard EK. Be more precise in the
man page.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>