The OpenBSD implementation of 'od -tx1' prints two spaces between
hexbytes, thus the grep for "00 00 00 00" fails and we report an
invalid error. This patch fixes this by squeezing the two consecutive
spaces.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement a script that creates the user config files in the
${XDG_CONFIG_HOME} directory and sub-directories.
Extend swtpm_setup.pod showing swtpm-create-user-config-files usage.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
BSD's sed does not print \n as newline, so we have to split the string
into different lines using tr.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement a script that creates the user config files in the
${XDG_CONFIG_HOME} directory and sub-directories.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
We have occasional test failures on Travis running tests on OS X where
time seems to be going backwards in the dictionary attack timeout test.
This patch tries to detect that the time went backwards and skip the
test once a failure would have been detected.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add build targets selinux-install and selinux-uninstall to install
and uninstall the SELinux policy rules at a given priority. The
priority defaults to 400, which works fine on Fedora.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Get rid of using eval when calling $create_certs_tool and only use
eval for resolving variables from the config file.
We only want variable substitution for entries from configuration
files, so escape all other special shell characters that may be
making it onto the command line so that no subshells are opened
and no redirection to files can occur.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend the swtpm-localca test with odd vmid string to ensure
that they go into the certificate unmodified.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Get rid of using eval when running swtpm_cert in swtpm-localca.
This is to avoid further evaluation of bash expression that can
spawn subshells ('$(echo foo)') or do other bad things. Bad input
could come from malformed configuration files.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Escape many more special shell characters before calling eval on
an entry to convert a variable to its value. Uncareful writing of
a swtpm-local.conf config file could have led to files being
overwritten using '>' for example.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
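Added example, not code from swtpm or from these commits: the three swtpm-localca commits above keep eval for variable substitution but escape shell metacharacters first. This POSIX sh sketch shows a stricter variant of the same goal, where only plain ${NAME} references in a config entry are expanded and eval never sees more than a validated identifier. The function names are hypothetical.

```sh
#!/bin/sh
# Added example, not swtpm code; function names are hypothetical.

# The pattern the commits remove: eval re-parses the whole entry as shell
# code, so '$(echo foo)' in a config value runs as a command.
resolve_with_eval() {
    eval "printf '%s\n' \"$1\""
}

# Expand only ${NAME} references. Everything else, including $(...),
# backticks, '>' and ';', is copied through as literal text.
# The body runs in a subshell so the helper variables do not leak.
resolve_config_value() (
    LC_ALL=C
    _open='${' _close='}'
    _rest=$1 _out=
    while :; do
        case $_rest in
            *"$_open"*) ;;
            *) break ;;
        esac
        _out=$_out${_rest%%"$_open"*}    # literal text before the next ${
        _rest=${_rest#*"$_open"}         # text after it
        case $_rest in
            *"$_close"*) _name=${_rest%%"$_close"*} ;;
            *) _out=$_out$_open; continue ;;   # unterminated: keep as text
        esac
        case $_name in
            ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
                # Not a plain identifier, e.g. ${x:-$(cmd)}: keep as text.
                _out=$_out$_open ;;
            *)
                # eval only ever sees the validated identifier.
                eval "_val=\${$_name-}"
                _out=$_out$_val
                _rest=${_rest#*"$_close"} ;;
        esac
    done
    printf '%s\n' "$_out$_rest"
)
```

Values that use any other expansion form, such as ${x:-default}, are passed through unchanged rather than rejected, so a caller that wants hard failures should compare input and output for leftover '${'.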
Have the tpm2_ptool use a store in the temporary directory so that
with every test we have a clean environment.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Assign the unique ports 65452/65354 to test_tpm2_save_load_state to
avoid conflict with test_tpm_probe also using
SWTPM_SERVER_PORT=65526
SWTPM_CTRL_PORT=65527
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Assign the unique ports 65450/65451 to test_tpm2_sample_create_tpmca
to avoid clashes with test_samples_create_tpmca that is using
SWTPM_SERVER_PORT=65434
SWTPM_CTRL_PORT=65435
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Assign unique ports 65448/65449 to test_tpm2_setbuffersize to avoid clash
with test_samples_create_tpmca using TCSD_LISTEN_PORT=65436.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The generated sample keys started with 00010203, thus leaving the upper
15 bits of the key as '0', which in turn causes gnutls to think that the
key is only 2033 bit long, thus rejecting certificate verification once
the min-verification-profile is set to 'medium' in gnutls's config file
in /etc/crypto-policies/back-ends/gnutls.config.
We now create sample keys starting with 800102, which sets the highest bit.
This fixes test errors on Fedora Rawhide due to the change in the
min-verification-profile setting in gnutls.config.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
A typo in the condition meant that netstat was always required regardless of
whether tcsd is available or not.
Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
The OpenBSD implementation of 'od -tx1' prints two spaces between
hexbytes, thus the grep for "00 00 00 00" fails and we report an
invalid error. This patch fixes this by squeezing the two consecutive
spaces.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
If the tcsd (trousers) is available, TPM 1.2 support should work as well.
Typically the tss user and group should be defined at this point, but
this may not always be the case, so make sure that this user and group
are available on the system.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Change the file and directory ownership of tcsd related files only if it
is absolutely needed. It is not needed if we are running as user TCSD_USER
in group TCSD_GROUP because then the files were created with the needed
owner and group. This avoids problems when trying to change file ownership
when invoked by libvirt where we do not have the capabilities to change
file ownership even as root.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When the TSS_USER != TSS_GROUP, e.g., user 'root' and group 'tss', then
tcsd requires that the access mode bits on the $TCSD_CONFIG file are set
to 0640, otherwise we get this error:
TCSD ERROR: TCSD config file (/tmp/tmp.Yd4LIF7mCE) must be mode 0640
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Redirect stdout and stderr from tcsd into a file and if tcsd reported
an error copy the error into the logfile. This makes debugging tcsd
related issues, such as ownership or access mode issues, easier.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Error out if libtpms.pc cannot be found for pkg-config. This now requires that an
in-place libtpms be accessed like this:
PKG_CONFIG_PATH=/home/stefanb/libtpms/ \
LIBTPMS_CFLAGS=-I/home/stefanb/libtpms/include/ \
LIBTPMS_LDFLAGS=-L/home/stefanb/libtpms/src/.libs/ \
./configure --prefix=/usr
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
This patch fixes the following linker issue reported for Gentoo in
issue #280.
ld.lld: error: /var/tmp/portage/app-crypt/swtpm-0.3.1-r1/work/swtpm-0.3.1/src/swtpm/.libs/libswtpm_libtpms.so: undefined reference to EVP_sha512
ld.lld: error: /var/tmp/portage/app-crypt/swtpm-0.3.1-r1/work/swtpm-0.3.1/src/swtpm/.libs/libswtpm_libtpms.so: undefined reference to PKCS5_PBKDF2_HMAC
ld.lld: error: /var/tmp/portage/app-crypt/swtpm-0.3.1-r1/work/swtpm-0.3.1/src/swtpm/.libs/libswtpm_libtpms.so: undefined reference to SHA512
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
This patch fixes a clang issue report in issue #280.
clang does not use ld, so we cannot grep for support of certain linker
flags but have to test-compile.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Upgrade to use the IBM TSS2 tests from v1.5.0.
Add a patch that eliminates all testing of 3072 bit RSA keys in case
libtpms does not support such keys. This test also passes with libtpms
0.6.0 and 0.7.0.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Remove swtpm_cuse related install script since not needed anymore.
Also address the following issues:
E: swtpm-tools: unknown-control-interpreter control/postinst #!/usr/bin/env
W: swtpm: syntax-error-in-debian-changelog line 25 "bad key-value after `;': `urgency medium'"
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
libtpms version 0.6.3, 0.7.3, and master have a change to the TPM 2 code
that affects the pcrUpdateCounter, which now returns a smaller value than
before.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The first part of the derived key test only works fine on 64 bit
little endian machines. Skip big endian machines.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Building things like this in-place is really useful when you can't be
bothered to package and install them for your distribution but still
want to use them. This patch allows building swtpm with libtpms in
place. Simply specify the location to LDFLAGS and CFLAGS on the
configure line
LIBTPMS_CFLAGS=-I/home/jejb/git/libtpms/include/ LIBTPMS_LDFLAGS=-L/home/jejb/git/libtpms/src/.libs/ ./configure
It will then build a version that can run in-place.
I also think it corrects a bug in the original in that if pkg-config
had specified a non standard library location, the version check
wouldn't have used it.
Signed-off-by: James E.J. Bottomley <jejb@linux.ibm.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend the --print-capabilities option to also report supported RSA
key sizes. Only the TPM 2 may support anything else than 2048 bit RSA
keys, so we only consult 'swtpm socket --tpm2 --print-capabilities'
and grep for 2048 and 3072 key sizes and report them.
If nothing is found, nothing is reported, as before, and 2048 bit RSA
keys should be assumed.
'swtpm_setup --tpm2 --print-capabilities' may now show the following:
{
  "type": "swtpm_setup",
  "features": [
    "cmdarg-keyfile-fd",
    "cmdarg-pwdfile-fd",
    "tpm2-rsa-keysize-2048",
    "tpm2-rsa-keysize-3072"
  ]
}
Also adjust a test case to use a regular expression for matching
against an expected string that may or may not have rsa-keysize
verbs.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Check the libtpms capabilities via 'swtpm_ioctl -i 4' to see whether
libtpms supports RSA 3072 bit keys. Only if this is not the case
deactivate all RSA 3072 bit key tests.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Construct RSA key size capability strings from libtpms TPMLIB_GetInfo()
string so that we can easily show which RSA key sizes are supported by
the TPM 2 implementation. If none are advertised, 1024 & 2048 can be
assumed to be supported.
'swtpm socket --tpm2 --print-capabilities' may now print the following:
{
  "type": "swtpm",
  "features": [
    "tpm-send-command-header",
    "flags-opt-startup",
    "cmdarg-seccomp",
    "cmdarg-key-fd",
    "cmdarg-pwd-fd",
    "no-tpm12-tools",
    "rsa-keysize-1024",
    "rsa-keysize-2048",
    "rsa-keysize-3072"
  ]
}
We need to adapt the related test case to use a regular expression since
the rsa-keysize-xyz strings may or may not be there depending on libtpms
version.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
If the host is missing tcsd (trousers) or the tpm-tools, swtpm_setup
will now report the 'no-tpm12-tools' verb like this:
> swtpm_setup --print-capabilities | jq
{
  "type": "swtpm_setup",
  "features": [
    "cmdarg-keyfile-fd",
    "cmdarg-pwdfile-fd",
    "no-tpm12-tools"
  ]
}
The only TPM 1.2 setup parameter that requires interaction with
the TPM 1.2 that can be passed is then '--createek'.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>