Commit Graph

1028 Commits

Author SHA1 Message Date
Stefan Berger
f2ce25b31a Travis: Stop using ASAN for swtpm since one test case fails
It's not possible to recreate the issue with the failing test case
locally on Xenial, so just disable the ASAN usage on swtpm by disabling
the CFLAGS variable.

The one failing test case shows this. All other ones work.

FAIL: test_parameters
=====================

Test 0: SUCCESS with parameters ''.
Test 1: SUCCESS with parameters '--createek'.
Test 2: ==27310==ASan runtime does not come first in initial library list; you should either link runtime to your application or manually preload it with LD_PRELOAD.
ERROR: Test with parameters '--take-ownership' failed.
FAIL test_parameters (exit status: 1)

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2022-02-18 15:53:41 -05:00
Stefan Berger
bbd80eb558 swtpm: Check header size indicator against expected size (CID 375869)
This fix addresses Coverity issue CID 375869.

Check the header size indicated in the header of the state against the
expected size and return an error code in case the header size indicator
is different. There was only one header size so far since blobheader was
introduced, so we don't need to deal with different sizes.

Without this fix a specially crafted header could cause out-of-bounds
accesses on the byte array containing the swtpm's state.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2022-02-18 15:53:41 -05:00
Tomasz Kłoczko
1b473e1697 build-sys: Call autoupdate and fix some resulting issues
autoreconf from autoconf 2.71 emits a lot of warnings:

+ autoreconf -fiv
autoreconf: export WARNINGS=
autoreconf: Entering directory '.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal --force -I m4
autoreconf: configure.ac: tracing
autoreconf: running: libtoolize --copy --force
libtoolize: putting auxiliary files in '.'.
libtoolize: copying file './ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
libtoolize: copying file 'm4/libtool.m4'
libtoolize: copying file 'm4/ltoptions.m4'
libtoolize: copying file 'm4/ltsugar.m4'
libtoolize: copying file 'm4/ltversion.m4'
libtoolize: copying file 'm4/lt~obsolete.m4'
autoreconf: configure.ac: not using Intltool
autoreconf: configure.ac: not using Gtkdoc
autoreconf: running: aclocal --force -I m4
autoreconf: running: /usr/bin/autoconf --force
configure.ac:29: warning: The macro `AC_CONFIG_HEADER' is obsolete.
configure.ac:29: You should run autoupdate.
./lib/autoconf/status.m4:719: AC_CONFIG_HEADER is expanded from...
configure.ac:29: the top level
configure.ac:53: warning: The macro `AC_HELP_STRING' is obsolete.
configure.ac:53: You should run autoupdate.
./lib/autoconf/general.m4:204: AC_HELP_STRING is expanded from...
configure.ac:53: the top level
configure.ac:76: warning: The macro `AC_HEADER_STDC' is obsolete.
configure.ac:76: You should run autoupdate.
./lib/autoconf/headers.m4:704: AC_HEADER_STDC is expanded from...
configure.ac:76: the top level
configure.ac:81: warning: The macro `AC_TYPE_SIGNAL' is obsolete.
configure.ac:81: You should run autoupdate.
./lib/autoconf/types.m4:776: AC_TYPE_SIGNAL is expanded from...
configure.ac:81: the top level
configure.ac:202: warning: The macro `AC_HELP_STRING' is obsolete.
configure.ac:202: You should run autoupdate.
./lib/autoconf/general.m4:204: AC_HELP_STRING is expanded from...
configure.ac:202: the top level
configure.ac:267: warning: The macro `AC_HELP_STRING' is obsolete.
configure.ac:267: You should run autoupdate.
./lib/autoconf/general.m4:204: AC_HELP_STRING is expanded from...
configure.ac:267: the top level
configure.ac:430: warning: The macro `AC_HELP_STRING' is obsolete.
configure.ac:430: You should run autoupdate.
./lib/autoconf/general.m4:204: AC_HELP_STRING is expanded from...
configure.ac:430: the top level
configure.ac:437: warning: The macro `AC_HELP_STRING' is obsolete.
configure.ac:437: You should run autoupdate.
./lib/autoconf/general.m4:204: AC_HELP_STRING is expanded from...
configure.ac:437: the top level
configure.ac:517: warning: The macro `AC_HELP_STRING' is obsolete.
configure.ac:517: You should run autoupdate.
./lib/autoconf/general.m4:204: AC_HELP_STRING is expanded from...
configure.ac:517: the top level
autoreconf: running: /usr/bin/autoheader --force
autoreconf: running: automake --add-missing --copy --force-missing
configure.ac:40: installing './compile'
configure.ac:48: installing './missing'
Makefile.am:34: warning: .PHONY was already defined in condition WITH_SELINUX, which is included in condition TRUE ...
Makefile.am:28: ... '.PHONY' previously defined here
src/swtpm/Makefile.am: installing './depcomp'
autoreconf: './config.sub' is updated
autoreconf: './config.guess' is updated
autoreconf: Leaving directory '.'

Execute autoupdate to apply all those changes.

Signed-off-by: Tomasz Kłoczko <kloczek@github.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2021-06-23 22:41:07 -04:00
Jonas Witschel
f9df81f459 swtpm_cert: rename deprecated libtasn1 types
These types have been renamed in libtasn1 version 3.0 (released 2012-10-28).
The most recent libtasn1 version 4.17.0 (released 2021-05-13) now prints
deprecation warnings that are made fatal by -Werror:

ek-cert.c:76:13: error: 'ASN1_ARRAY_TYPE' macro is deprecated, use 'asn1_static_node' instead. [-Werror]
   76 | extern const ASN1_ARRAY_TYPE tpm_asn1_tab[];
      |             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[...]

The new types were introduced almost ten years ago, so they should be pretty
universally available by now.

Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
2021-06-14 15:15:54 -04:00
Stefan Berger
e59379fa52 build-sys: build swtpm-0.4.3
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2021-06-14 15:15:54 -04:00
Stefan Berger
61b62ac230 tests: Allow volatile state file >= 9000 bytes in test_tpm2_migration_key
Changes to libtpms will require that the volatile state files
during this test may be larger than 9000 bytes.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2021-05-12 17:01:04 -04:00
Stefan Berger
ed20cca584 Travis: Upgrade pip to v20.3.3
Pip 21.0.0 seems to be broken when upgraded to on Xenial. So
let's just only upgrade to 20.3.3.

$ sudo pip3 install --upgrade cryptography
Traceback (most recent call last):
  File "/usr/local/bin/pip3", line 7, in <module>
    from pip._internal.cli.main import main
  File "/usr/local/lib/python3.5/dist-packages/pip/_internal/cli/main.py", line 60
    sys.stderr.write(f"ERROR: {exc}")

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2021-01-29 15:12:57 -05:00
Stefan Berger
5fb4d3785c swtpm: Fix --print-capabilities for 'swtpm chardev'
This patch fixes the following issue:

$ ./src/swtpm/swtpm chardev --print-capabilities --tpm2
swtpm: Error: Missing character device or file descriptor

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2021-01-13 10:26:34 -05:00
Lili Zhu
504db951ca Update the doc of the flag to connect to TPM via UnixIO socket
Modify the flag from "--unixio" to "--unix"

Signed-off-by: Lili Zhu <lizhu@redhat.com>
2021-01-13 10:26:34 -05:00
Stefan Berger
586579f1c0 swtpm: Set pidfilefd to -1 when used
Since the pidfilefd will be closed, set it to -1 if it's being
used.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-12-26 14:40:54 -05:00
Stefan Berger
e1957d2b87 swtpm: Unconditionally close fd if writing of pidfile fails (coverity)
Do not bother trying to keep pidfilefd open in case fd = pidfilefd,
but close it unconditionally. If writing the pidfile fails, the process
terminates anyway, besides that we only ever need to write to the
pidfile once, which is happening in this function.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-12-26 09:49:37 -05:00
Stefan Berger
45300488f4 swtpm: Adjust size of message buffer to be of size ptm_hdata
This patch fixes the following compilation issue/bug:

ctrlchannel.c: In function ‘ctrlchannel_process_fd’:
ctrlchannel.c:694:13: error: array subscript ‘ptm_hdata[0]’ is partly outside array bounds of ‘struct output[1]’ [-Werror=array-bounds]
  694 |         data->u.resp.tpm_result = htobe32(res);
      |             ^~
ctrlchannel.c:486:7: note: while referencing ‘output’
  486 |     } output;
      |       ^~~~~~

Sending hashes to the TPM is not currently used in any major
application, so this bug should not affect much.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-12-21 18:18:22 -05:00
Stefan Berger
b24f13be75 swtpm_setup: Increase timeout from 10s to 30s for slower machines
Older ARM processors need more time to create the initial CA keys
and then the key for the TPM. So we increase the timeout to 30s.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-12-09 10:51:04 -05:00
Stefan Berger
0f484688bc Travis: Remove OSX CI/CD due to costs
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-12-09 10:51:04 -05:00
Stefan Berger
2df14e343b CHANGES: Adjust v0.4.2 release entry
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-11-17 15:44:37 -05:00
Stefan Berger
bd870a7dcc swtpm_setup: Do not follow symlink on logfile (CVE-2020-28407)
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-11-17 15:44:37 -05:00
Stefan Berger
44e99d1989 debian/rpm: Adjust changelog for 0.4.2 release
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-11-16 19:53:48 -05:00
Stefan Berger
dabb3bff02 CHANGES: Add documentation for changes in 0.4.2
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-11-16 19:53:48 -05:00
Stefan Berger
2212f25466 swtpm: Use open() (not fopen()) when accessing statefile (CVE-2020-28407)
This patch addresses CVE-2020-28407.

Use the open() call rather than the fopen() call when accessing
the statefile and make sure we do not follow symlinks using O_NOFOLLOW.

The modification does not allow an attacker to create a symbolic link
with the name of the temporary file (TMP2-00.permall for TPM 2) and
have this point to a valuable file and swtpm ends up overwriting the
file. The success of the attack depends on the attacker having access
to the TPM's state directory (--tpmstate dir=...).

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-11-16 19:53:48 -05:00
Stefan Berger
252d62fc4a swtpm: Switch to open() from fopen() for the pidfile (CVE-2020-28407)
This patch addresses CVE-2020-28407.

Use the open() call rather than the fopen() call when creating a pidfile.
Also prevent us from following symbolic links when opening the pidfile for
writing.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-11-16 19:53:48 -05:00
Stefan Berger
cae5991423 swtpm: Do not follow symlinks when opening lockfile (CVE-2020-28407)
This patch addresses CVE-2020-28407.

Prevent us from following symlinks when we open the lockfile
for writing.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-11-16 19:53:48 -05:00
Stefan Berger
06a2bbd720 swtpm_cert: Switch to open() from fopen() for writing certificate
Switch to open from fopen() and make sure we do not follow symlinks.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-11-16 19:53:48 -05:00
Stefan Berger
4211f0a993 tests: Try with tcsd.conf ownership of root:tss if tss:tss did not work
Due to recent changes in tcsd, it doesn't accept 'tss:tss 0600' anymore
for the tcsd config file but we need to use 'root:tss 0640' for it.
So far only Fedora seems to be affected. It now depends on whether tcsd
has been patched what ownership is required. So we try first the old
configuration and then the new one.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-11-09 17:06:34 -05:00
Stefan Berger
c7c1e633aa build-sys: build swtpm-0.4.2
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-11-09 17:06:34 -05:00
Stefan Berger
868af81623 swtpm: Write state files atomically using file renaming
To support writing state files atomically we first write into
a temporary file and then rename it.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-10-06 16:48:23 -04:00
Stefan Berger
4f1815be7e swtpm_setup: Do not truncate logfile when testing write-access
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-10-06 16:48:23 -04:00
Stefan Berger
b28b15893e swtpm_setup: Remove dead code part
passwd is always NULL since recent changes and the removed part
is basically always dead.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-09-25 20:19:42 -04:00
Stefan Berger
32bf6215ce rpm/debian: Add 0.4.1-1 entry to changelog
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-09-25 17:00:06 -04:00
Stefan Berger
6239ad050c CHANGES: Add documentation for changes in 0.4.1
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-09-25 17:00:06 -04:00
Elms
9904613fcb Use correct LDFLAGS for non-standard libtpms locations
2020-09-25 17:00:06 -04:00
Stefan Berger
b6fbfa6c38 build-sys: Bump up version to 0.4.1
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-09-25 17:00:06 -04:00
Stefan Berger
5d6a33f834 samples: Use ${HOME}/.config if XDG_CONFIG_HOME is not set (RHEL)
When creating the user config files, fall back to using ${HOME}/.config
if XDG_CONFIG_HOME is not set on a system.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-09-24 11:00:47 -04:00
Stefan Berger
3b943ac4bf swtpm_setup: Do not hardcode '/etc' but use SYSCONFDIR
Do not hardcode the /etc path but use the compile-time generated
SYSCONFDIR instead.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-09-24 11:00:47 -04:00
Stefan Berger
9d3b267d11 swtpm_setup: Fix support for -h and -? options
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-09-24 11:00:47 -04:00
Stefan Berger
b7ba5d31b0 swtpm_setup: Add missing .config path when using ${HOME}
During the rewrite the additional "/.config/" got dropped from the
path when using ${HOME} for locating the default config file.
Re-add it.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-09-17 13:15:21 -04:00
Stefan Berger
e439f15324 samples: Apply password for signing key when creating platform cert (bugfix)
Apply the password for the signing key and parent key when creating a
platform certificate. The bug was introduced in commit 961bb827
"samples: Use new pwd format option for secretly passing passwords"

Extend a test case to ensure that the passwords are always used.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-09-16 12:36:21 -04:00
Stefan Berger
b57616893d samples: Properly apply passwords for localca signing key (bugfix)
When the local CA was created the signing key of the intermediate CA
was not properly protected by the passwords. This patch fixes this.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-09-16 12:36:21 -04:00
Stefan Berger
4fe8e1abca swtpm_setup: Fix wrong variable name detected by pylint 2.4.4
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-09-16 12:36:21 -04:00
Stefan Berger
0c238a2c93 debian/rpm: Adjust changelog for 0.4.0 release
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-08-28 17:43:06 -04:00
Stefan Berger
2feefb2c04 CHANGES: Extend documentation for changes in 0.4.0
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-08-28 17:43:06 -04:00
Stefan Berger
7ebb501646 Travis: Check for clean python files and add new python dependencies
Check for clean python files under swtpm_setup.py using pylint3.
Add new python dependencies.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-08-28 16:27:15 -04:00
Stefan Berger
5d613001c1 debian/rpm: Adjust build and runtime dependencies and directory ownership
Remove tpm-tools from runtime dependencies. Keep trousers for the
creation of the 'tss' user for now. Add python related dependencies.

Adjust the directory ownership for /var/lib/swtpm-localca to tss:root and
the mode flags to 0750. The new CA now may still be created as tss:tss but
users in the tss group will not have access to it.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-08-28 16:27:15 -04:00
Stefan Berger
cc410ca91b swtpm_setup: Switch over to new python tool and get rid of the bash script
Switch over to the new python implementation of swtpm_setup. We need to
also adjust test cases that involved the tcsd that otherwise fail for
various reasons. For in-place testing we need to adjust the PYTHONPATH
and PATH so that swtpm_setup.py can be found and so that swtpm_setup.py
then finds swtpm if it is not explicitly passed as parameter.

Adjust the man page for swtpm_setup to reflect the changes.

We now can run swtpm_setup as any user. However, libvirt still runs it
as tss:tss (for example), which is then creating the signing key as tss:tss
as well. Ideally libvirt would run it as tss:root or any other combination
since the tss group may be used for users wanting to access /dev/tpmrm0 for
example. We at least change the directory ownership of /var/lib/swtpm-localca
to tss:root and keep the world out of this directory.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-08-28 16:27:15 -04:00
Stefan Berger
eee8cb5dfb swtpm_setup: Rewrite swtpm_setup.sh in python
Rewrite swtpm_setup.sh in python. Use a permanent connection from the
tool to swtpm via passing file descriptors of a unix socketpair. Implement
all functionality in python so that we don't rely on trousers and tpm-tools
for swtpm_setup. This now allows any user to setup a TPM 1.2 whereas before
it had to be root or the tss user.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-08-28 16:27:15 -04:00
Stefan Berger
83f4e96045 tests: Have softhsm_setup use the temporary directory now
Modify the pkcs11 related test case to set the environment variable for
softhsm_setup to use the temporary directory for config file and state
of softhsm. Also set the SOFTHSM2_CONF environment variable since
certtool also uses the pkcs11 module which in turn will look for its
config file.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-08-27 20:26:27 -04:00
Stefan Berger
9da72af4fc tests: Enable softhsm_setup to work with a temporary directory
Use softhsm's SOFTHSM2_CONF environment variable to set the directory
where the configuration file is located so that we can now use a temporary
directory for the location of the directory. Use the environment variable
SOFTHSM_SETUP_CONFIGDIR to set the directory where softhsm_setup can
setup its temporary environment for the config file and state of softhsm.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-08-27 20:26:27 -04:00
Stefan Berger
3677084246 tests: Have softhsm_setup generate private key and add getpubkey command
Have softhsm_setup generate a private key on every start. Also add
a getpubkey command.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-08-27 20:26:27 -04:00
Stefan Berger
0dd19b92f9 man: Adjust and improve the man page for swtpm_setup
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-08-27 13:04:38 -04:00
Stefan Berger
acc3b68c77 tests: Fix tests for slow/busy system by taking time again (DA timeout test)
Slow systems, like Cygwin, need so much time from taking the time to sending
the command that we need to take the current time again to check whether the
success is valid. Previously the test may have failed since the old time that
was taken did not allow the success to be valid.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-08-26 21:34:16 -04:00
Stefan Berger
a63fe71ad5 build-sys: Check for flock tool
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-08-26 18:53:30 -04:00