Use OpenSSL functions to create EC keys only for the case that
rand == NULL in which case no KDF is being used and where we can
create a truly random key. This doesn't break the upgrade path.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Switch the ECDSA signature verification to OpenSSL. Do the signature
creation in the next step so we can verify the creation / verification
against the original TPM 2 code.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
OpenSSL's crypto library does not support all crypto functionality
we need in all versions. Elliptic curve support via EVP seems to
have been added much later than for example symmetric crypto support.
So, we move the USE_OPENSSL_FUNCTIONS out of Implementation.h
into configure.ac and let the build system detect what functionality
is available in the crypto library. In this patch we now also rename
USE_OPENSSL_FUNCTIONS to USE_OPENSSL_FUNCTIONS_SYMMETRIC to indicate
that we can use the symmetric crypto functions of the crypto lib.
Using the OpenSSL crypto support is enabled by default, so one has
to use --disable-use-openssl-functions, which we do for Travis now.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Maintain the build for the case of USE_OPENSSL_FUNCTIONS set to NO
where we build the original TPM 2 code.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Convert functions for symmetric encryption via AES and TDES to
use OpenSSL EVP functions where necessary. Leave the old code around
and use the #if USE_OPENSSL_FUNCTIONS to activate the new parts.
OpenSSL does not provide an implementation for TDES in CTR mode, so
we reuse the original TPM 2 code for this mode.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement helper for getting OpenSSL crypto functions from
crytpo algorithm IDs, encryption modes, and key sizes.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add a script that uses openssl to create the test data we are using
in the TPM 2 code already. Extend this script with TDES 128 and 192 bit
key sizes and tests.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Restrict the number of command line parameters passed to the
fuzz program in order not to overstep command line parameter
size restrictions.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add some missing #define TPM_HAVE_TPM2_DECLARATIONS before the include
of "tpm_library_intern.h" in TPM 2 code so we don't run into compile
errors on RHEL 6 when data types are redefined in TPM 1.2 code.
Previous patch 73cad883ba seems to have missed those.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Remove some cruft that was useful when TPM 2 code was still in the
works but now that things have settled don't need it anymore.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
There were a few issues with the oss-fuzz integration from commit
8373f09854 ("build-sys: add oss-fuzz
support").
When building on OSS-Fuzz, the projects should use the provided CFLAGS
and CXXFLAGS and don't append any extra sanitization / fuzzing flags.
$LIB_FUZZING_ENGINE is defined to set the library to link to, and it
is a c++ library, so we should build fuzzer with c++...
Now --enable-fuzzer is only used for -fsanitize=fuzzer.
Add a tests/fuzz-main.c as fallback, to run the corpus on other builds.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Introduce TPM_NOMAINTENANCE_COMMANDS #define to build the TPM 1.2 code
without maintenance commands support. The state for the maintenance
commands has been written out so far, so we have to leave this part
alive even though nothing can be done with the maintenance key anymore.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
There are several functions in the code that do not have a caller.
Deactivate all of them to get higher coverage of the code.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add the option -b ./src for proper path creation. Exclude the test
dir to avoid malformed path creation. Also exclude the swtpm dir
since nothing interesting is to be found there.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
This script will permit integration with Google OSS-FUZZ
https://github.com/google/oss-fuzz
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Leave a note in the TPMLIB_RegisterCallbacks() function about
the effects of leaving the store- and loaddata functions in the
interface unset.
Leave another not in TPMLIB_MainInit() to not use the library without
calling TPMLIB_RegiserCallbacks().
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend the existing test case with extending PCR 10 and reading back
the result, then storing the state blobs and setting them and checking
the value of PCR 10 again.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When no callbacks are set and the plain NVChip file is used it wasn't
possible to save the state of the TPM 2 after a TPMLIB_Terminate()
TPMLIB_MainInit() sequence with a cached state (TPMLIB_SetState) since
in this case the NVRAM was not initialized. We now initialize the NV
in case no callback for restoring the state is set.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Split off the part that was handling the NVChip file in _plat__NVEnable
and call this new function _plat__NVEnable_ChipFile so we can call it
separately in case the caller works with the plain NVChip file.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Some OpenSSL EC API calls are deprecated starting in OpenSSL 1.2
and may fail the build due to the #warning they produce.
The affected functions have been renamed and consolidated with
other functions inside OpenSSL:
- EC_POINT_set_affine_coorindates_GFp
https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/crypto/ec/ec_lib.c#L730
- EC_POINT_get_affine_coordinates_GFp
https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/crypto/ec/ec_lib.c#L768
On both functions the suffix _GFp has been removed by the renaming.
We need to call the new functions if OPENSSL_API_COMPAT is defined
and is >= 0x10200000L.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
