Add probing for -fstack-protector to the existing
-fstack-protector-strong since not all platforms support either one
of them.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To be able to build with OpenSSL 3.0 we need to added
-Wno-deprecated-declarations to the default CFLAGS.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
OpenSSL 3.0 has converted several RSA-related #defines to functions, so
that AX_CHECK_DEFINE only works for OpenSSL 1.1.0 but for OpenSSL 3.0.0
we have to also use AC_CHECK_LIB to determine whether the function is
available.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Run autoupdate on configure.ac and address the following issues:
configure.ac:10: warning: 'AM_CONFIG_HEADER': this macro is obsolete.
configure.ac:10: You should use the 'AC_CONFIG_HEADERS' macro instead.
./lib/autoconf/general.m4:2434: AC_DIAGNOSE is expanded from...
aclocal.m4:1071: AM_CONFIG_HEADER is expanded from...
configure.ac:10: the top level
configure.ac:31: warning: The macro `AC_HELP_STRING' is obsolete.
configure.ac:31: You should run autoupdate.
./lib/autoconf/general.m4:204: AC_HELP_STRING is expanded from...
configure.ac:31: the top level
configure.ac:72: warning: The macro `AC_HELP_STRING' is obsolete.
configure.ac:72: You should run autoupdate.
./lib/autoconf/general.m4:204: AC_HELP_STRING is expanded from...
configure.ac:72: the top level
configure.ac:90: warning: The macro `AC_HELP_STRING' is obsolete.
configure.ac:90: You should run autoupdate.
./lib/autoconf/general.m4:204: AC_HELP_STRING is expanded from...
configure.ac:90: the top level
configure.ac:253: warning: The macro `AC_PROG_LIBTOOL' is obsolete.
configure.ac:253: You should run autoupdate.
m4/libtool.m4:99: AC_PROG_LIBTOOL is expanded from...
configure.ac:253: the top level
configure.ac:258: warning: The macro `AC_HEADER_STDC' is obsolete.
configure.ac:258: You should run autoupdate.
./lib/autoconf/headers.m4:704: AC_HEADER_STDC is expanded from...
configure.ac:258: the top level
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The TPM is supposed to provide the output IV in the ivInOut parameter in
CryptSymmetricEncrypt. In the case of using the openssl routines, the
output IV is missed, and the resulting output from the TPM is in the
input IV.
OpenSSL unfortunately does not export EVP_CIPHER_CTX_iv() until
tags/OpenSSL_1_1_0, so we have to fall back to the reference code for
previous OpenSSL versions.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Support setting different install paths for package config files
using the --with-pkgconfigdir option.
Drop the hardcoded pkgconfigdir variable in the Makefile.am as per the
manpage http://manpages.ubuntu.com/manpages/cosmic/man7/pkg.m4.7.html
the macro PKG_INSTALLDIR defaults to $libdir/pkgconfig.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Make --with-tpm2 the implicit default now and choosen openssl.
When using --without-tpm2 one has to again choose the crypto-library
which defaults to freebl as before. This type of build seems rather
rare by now.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The freebl build (TPM 1.2 only) is currently broken:
configure: error: OpenSSL crypto function usage requires openssl as crypto library
Set 'enable_use_openssl_functions=no' in the freebl case to avoid probing
the OpenSSL crypto functions.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Use AC_LINK_IFELSE to check whether linker flags like 'now' and
'relro' are understood or remain unused (= useless), and only add them
to the set of HARDENING_LDFLAGS, if they are used by the linker. clang
for example does not seem to use them and Cygwin's linker does not
understand them.
Note: This patch merely improves on the handling of these flags but does
not solve a compilation issue when clang is used, unlike swtpm where
this created issues.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
TPM 2 support has been in libtpms for quite some time now
and the experimental tag can be removed.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Avoid the accumulation of -lcrypto while testing for symbols in the -lcrypto
library by saving the LIBS variable before doing the series of tests.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Some of the functions that OpenSSL uses are #define's for which
we need to check using a new AX_CHECK_DEFINE. We need to check for
them also because they were added at different points in time.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement key creation with OpenSSL if rand == NULL, meaning
that we create a non-KDF-derived key, so a purely random key.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Check for RSA functions we need for calling the cryto lib for
doing RSA operations. Set the environment variable
USE_OPENSSL_FUNCTIONS_RSA to '1' if found, to '0' otherwise.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Use OpenSSL function to create TDES keys if rand == NULL,
which indicates that a truely random key needs to be generated
rather than one derived from a KDF.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Use OpenSSL functions to create EC keys only for the case that
rand == NULL in which case no KDF is being used and where we can
create a truly random key. This doesn't break the upgrade path.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Switch the ECDSA signature verification to OpenSSL. Do the signature
creation in the next step so we can verify the creation / verification
against the original TPM 2 code.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
OpenSSL's crypto library does not support all crypto functionality
we need in all versions. Elliptic curve support via EVP seems to
have been added much later than for example symmetric crypto support.
So, we move the USE_OPENSSL_FUNCTIONS out of Implementation.h
into configure.ac and let the build system detect what functionality
is available in the crypto library. In this patch we now also rename
USE_OPENSSL_FUNCTIONS to USE_OPENSSL_FUNCTIONS_SYMMETRIC to indicate
that we can use the symmetric crypto functions of the crypto lib.
Using the OpenSSL crypto support is enabled by default, so one has
to use --disable-use-openssl-functions, which we do for Travis now.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
There were a few issues with the oss-fuzz integration from commit
8373f09854 ("build-sys: add oss-fuzz
support").
When building on OSS-Fuzz, the projects should use the provided CFLAGS
and CXXFLAGS and don't append any extra sanitization / fuzzing flags.
$LIB_FUZZING_ENGINE is defined to set the library to link to, and it
is a c++ library, so we should build fuzzer with c++...
Now --enable-fuzzer is only used for -fsanitize=fuzzer.
Add a tests/fuzz-main.c as fallback, to run the corpus on other builds.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Allow the user to pass in the CFLAGS. Previously they were overwritten
with -O2 -g, which are the default CFLAGS if none are passed.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add support for --enable-test-coverage that sets additional CFLAGS
and LDFLAGS.
gcov creates files with suffixes .gcov, .gcno, and .gcda that we
need clean up in a few directories.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Older versions of gcc need some input file to compile so that
we learn whether -fstack-protector-strong is supported.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
The linker on FreeBSD seems to be broken and fails for other reasons
when testing for support of the --version-script flag. The error
that is reported is:
local symbol 'environ' in /usr/lib/crt1.o is referenced by DSO.
Also __progname is needed.
To work around this problem we add a test.syms file that only has
these two symbols in it, which is enough for the test in
configure.ac and gives version script support in case of the
broken linker.
On FreeBSD TPM 1.2 related tests were failing due to test case 6
failures in case no linker script was used. (Very odd.) This patch
fixes this problem.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Check whether the linker supports the linker flag --version-script.
The OS X linkwer does not seem to support it.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Now that patches for writing the state into files and extensions
to their headers have all been applied we can build the TPM 2
code into the library.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Introduce --with-tpm2 for ./configure to enable building with
TPM 2 functionality. Delay the building of TPM 2 code until more
patches are applied and the vTPM state that's created has a chance
of being backwards compatible.
Extend the libtpms API to allow user to choose version of TPM.
Missing functionality at this point:
- TPM 2 needs to be extended to serialize and deserialize its volatile state
- Handling of the establishment bit
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
