Stefan Berger [Tue, 14 May 2019 17:36:31 +0000 (13:36 -0400)]
Switch ECDSA signature verification to OpenSSL
Switch the ECDSA signature verification to OpenSSL. Do the signature
creation in the next step so we can verify the creation / verification
against the original TPM 2 code.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Thu, 30 May 2019 19:49:34 +0000 (15:49 -0400)]
build-sys: Add support for --disable-use-openssl-functions
OpenSSL's crypto library does not support all crypto functionality
we need in all versions. Elliptic curve support via EVP seems to
have been added much later than for example symmetric crypto support.
So, we move the USE_OPENSSL_FUNCTIONS out of Implementation.h
into configure.ac and let the build system detect what functionality
is available in the crypto library. In this patch we now also rename
USE_OPENSSL_FUNCTIONS to USE_OPENSSL_FUNCTIONS_SYMMETRIC to indicate
that we can use the symmetric crypto functions of the crypto lib.
Using the OpenSSL crypto support is enabled by default, so one has
to use --disable-use-openssl-functions, which we do for Travis now.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Fri, 3 May 2019 17:45:20 +0000 (13:45 -0400)]
tpm2: Convert symmetric cipher implementations to use OpenSSL functions
Convert functions for symmetric encryption via AES and TDES to
use OpenSSL EVP functions where necessary. Leave the old code around
and use the #if USE_OPENSSL_FUNCTIONS to activate the new parts.
OpenSSL does not provide an implementation for TDES in CTR mode, so
we reuse the original TPM 2 code for this mode.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Fri, 3 May 2019 18:29:47 +0000 (14:29 -0400)]
tpm2: Add script to re-generate the test data for AES and new test for TDES
Add a script that uses openssl to create the test data we are using
in the TPM 2 code already. Extend this script with TDES 128 and 192 bit
key sizes and tests.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Fri, 12 Apr 2019 15:32:17 +0000 (10:32 -0500)]
Add missing #define TPM_HAVE_TPM2_DECLARATIONS in tpm2 code (RHEL 6)
Add some missing #define TPM_HAVE_TPM2_DECLARATIONS before the include
of "tpm_library_intern.h" in TPM 2 code so we don't run into compile
errors on RHEL 6 when data types are redefined in TPM 1.2 code.
Previous patch 73cad883bac seems to have missed those.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Sat, 30 Mar 2019 12:42:12 +0000 (08:42 -0400)]
tpm12: Build without support for maintentance commands
Introduce TPM_NOMAINTENANCE_COMMANDS #define to build the TPM 1.2 code
without maintenance commands support. The state for the maintenance
commands has been written out so far, so we have to leave this part
alive even though nothing can be done with the maintenance key anymore.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Fri, 29 Mar 2019 19:02:38 +0000 (15:02 -0400)]
travis: Use cpp-coveralls with the -b option for proper path creation
Add the option -b ./src for proper path creation. Exclude the test
dir to avoid malformed path creation. Also exclude the swtpm dir
since nothing interesting is to be found there.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Sat, 23 Mar 2019 23:51:41 +0000 (19:51 -0400)]
tests: Extend PCR and read again after restart of TPM with restored state
Extend the existing test case with extending PCR 10 and reading back
the result, then storing the state blobs and setting them and checking
the value of PCR 10 again.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Mon, 25 Mar 2019 14:16:00 +0000 (10:16 -0400)]
tpm2: TPM2_MainInit: Enable NVRAM in NVChip file case
When no callbacks are set and the plain NVChip file is used it wasn't
possible to save the state of the TPM 2 after a TPMLIB_Terminate()
TPMLIB_MainInit() sequence with a cached state (TPMLIB_SetState) since
in this case the NVRAM was not initialized. We now initialize the NV
in case no callback for restoring the state is set.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Mon, 25 Mar 2019 16:08:13 +0000 (12:08 -0400)]
tpm2: Split off _plat__NVEnable_NVChipFile from _plat__NVEnable
Split off the part that was handling the NVChip file in _plat__NVEnable
and call this new function _plat__NVEnable_ChipFile so we can call it
separately in case the caller works with the plain NVChip file.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
On both functions the suffix _GFp has been removed by the renaming.
We need to call the new functions if OPENSSL_API_COMPAT is defined
and is >= 0x10200000L.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Tue, 8 Jan 2019 17:21:23 +0000 (12:21 -0500)]
travis: Add OS X target
Also test-compile on OS X. The 'distcheck' target cannot be used
since it results in deplicate symbol errors while linking (no idea
why it happens only with distcheck).
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Mon, 7 Jan 2019 19:31:14 +0000 (14:31 -0500)]
travis: Build libtpms for coverage and test with swtpm
Build libtpms with code coverage enabled and run the swtpm test
suite on it.
Unfortunately cpp-coveralls has a problem creating correct file paths when
collecting the results so that the coverage results are not correctly sub-
mitted to coveralls.io. The issue may stem from the fact that the
Makefile.am in src/ contains rules for source files in subdirs src/tmp12/
and src/tpm2/ etc. I hope that this issue can be fixed at some point.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Wed, 5 Dec 2018 17:24:59 +0000 (12:24 -0500)]
tpm2: Propagate error from CryptRandStartup() and report error info
CryptRandStartup() did not propagate initialization errors to the caller
but always returned TRUE. We now return the initialization errors and
display an error message and some state variables.
This error should almost never occur, but the fuzzer was able to trigger
it with rev 146 when the random number generated returned 32 bit numbers only
and the same 32 bit number was returned as the one before it. With rev 150
the random number generating function now returns as many random numbers as
the caller requested and this error is not getting triggered anymore.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Thu, 22 Nov 2018 14:17:09 +0000 (09:17 -0500)]
tpm2: Coverity: Deactivate dead functions
CryptHashCopyState is not called from anywhere and the useless
call to CryptGetHashDef() it does obviously doesn't matter. Deactivate
the whole function using #if 0.
NvClearPersistent() and NvUpdatePersistent() are not used, either,
so we can also deactivate them and suppress a pointer related issue
that Coverity is complaining about.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Wed, 3 Oct 2018 19:25:11 +0000 (15:25 -0400)]
tpm2: Remove Bn2bin conversion function used during OSSL 1.1 conversion
Bn2bin was used during the conversion of the code for supporting OSSL 1.1
and testing the math results of < OSSL 1.1 against those produced by
the bignum code in the TPM 2. It's not needed anymore since the upstream
code has support for any OSSL version now.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>