Avoid shadowing global msg through local variables with the same name
by renaming the global msg to g_msg.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Avoid this type of complaint from static analyzer:
src/swtpm/tpmlib.c:392:37: note: Result of 'malloc' is converted to a
pointer of type 'unsigned char', which is incompatible with sizeof
operand type 'struct tpm_resp_header'
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
OSSL_PARAM_construct_utf8_string takes a char * as parameter.
The OpenSSL code base casts constant strings to char *, so we can do this
also.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
serverdata will be assigned a const char * later on, therefore make it a
const char *. This can then also be passed into options_parse.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Some functions pass a const char * into the options parse function.
Therefore, convert it to accept a const char * now.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend the list of SWTPM_INFO flags with recently added flags for
TPMLIB_GetInfo. Use the CMD_GET_INFO control channel command to get
the currently active profile for a TPM 2 from swtpm and display it in
the log unless it is reconfigured.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Ignore the remove-disabled parameter on non-'custom' profile identified
by return value '1'. Switch to negative return values in the called function.
Extend a test case to ensure that the --profile-remove-disabled option
on swtpm_setup, which is passed through to swtpm, has no effect on 'null'
and 'default-v1' profiles.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Very old OpenSSL versions (e.g., 1.1.0i) are using /dev/urandom to get
entropy while newer ones are using the getrandom syscall that does not
need the device file. In some environments access to the created
/dev/urandom device file may not work (EACCES; chroot test case) and
then OpenSSL will start failing operations that depend on good entropy.
Therefore, check the status of the random number generator after chroot.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
HMAC+sha1 may be restricted next, so test for it but do not support
forced removal of support for it.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
CentOS 9 and RHEL >= 9.4 (maybe earlier also) are expected to log the
setting of OPENSSL_ENABLE_SHA1_SIGNATURES when a libtpms v0.9 state is
used where signing a SHA1 was allowed and needs to be enabled with this
environment variable.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement the --profile-remove-fips-disabled option that is used to tell
swtpm to remove algorithms that are disabled by FIPS mode on the host.
Internally, this option passes the remove-fips-disabled option parameter
with the --profile option to swtpm.
Add test cases passing this option and check that the resulting profiles
have key sizes adjusted and relevant attributes set.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement a function that checks whether a crypto algorithm identified by
TPM algorithm identifiers is disabled.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
strv_remove: Remove matches from a 2nd array in a 1st array
strv_dedup: Remove duplicates in an array
strv_extend: Append elements of a 2nd array to a 1st array
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Convert check_rsaes to check_rsa_encryption that can also be used for
testing of unpadded RSA encryption.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Do not ignore the padding parameter passed to swtpm_rsasign but use
it as parameter to the OpenSSL function.
Change "rsapss" to "tsassa" in one case where it was wrong.
Also rename swtpm_rsasign to swtpm_rsa_sign.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Consolidate some test cases related to the custom profile and add
additional checks for various StateFormatLevels.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Convert the TPM 1.2 test case test_samples_create_tpmca to be able to run
installed. It also needs to have the test_config file installed.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Since there is a BSD variant of sed that requires a parameter for the -i
option provide a sed-inplace wrapper script.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Since there is a BSD variant of install that does not support the -D option
like install on Linux, provide a fileinstall wrapper script.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Avoid caching of container builds to get latest libtpms version and therefore
pass tests that depend on changes to libtpms.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add missing cmdarg-profile to the man page of swtpm_setup and adjust the
order to follow the order of the application output.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Commit 96fe5afa forgot to add cmdarg-print-profiles to the list of
capabilities. Also fix typo in the man page and sort shown output
to match application output.
Fixes: 96fe5afa ("swtpm: Add support for --print-profiles option")
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Split the download and untarring from the build of libtpms so that the
build actually happens. Otherwise it was not building libtpms anymore but
seems to have been using a cached version of the container that had an
older version of libtpms.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To avoid setting the environment variable OPENSSL_ENABLE_SHA1_SIGNATURES
check whether SHA1 signature support is disabled in the TPM 2 profile.
It is disabled if either 'fips-host' or the pair 'no-sha1-signing' and
'no-sha1-verification' are found among the enabled attributes.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Use TPMLIB_WasManufactured to check whether a profile was applied since a
new instance was created. If a profile was given and no new TPM 2 instance
was created then display an error message and exit with an error code.
This avoids silently ignoring a provided profile that was not applied
since the TPM 2 instance already existed.
Make sure that a profile is only applied once by swtpm by clearing the
json_profile once TPMLIB_MainInit succeeded.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Use an absolute path for TESTDIR, as we refer to it from different
directories.
Also fix killing gone swtpm process.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Run against the installed version only when SWTPM_TEST_IBMTSS is
set to the directory that has the tests, otherwise, build the known
version.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Use 'swtpm --help | grep cuse' to determine whether CUSE interface
is supported and CUSE related tests need to run. Make sure that
SWTPM_EXE is available when test_cuse is sourced.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
SWTPM was set to 'swtpm' and only for uninstalled tests. Remove it and
replace its usage with 'swtpm' everywhere.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>