Use the swtpm_cert --signkey-pwd and --parentkey-pwd to pass key passwords
using files rather than using the command line options.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Allow passing signing key and parent key via files and file descriptors
and environment variables. Adapt a test case to exercise this new
functionality.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Address several issues reported by shellcheck and protect
variables with quotes so we now can have filenames with spaces.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
This patch addresses several issues found with shellcheck. In particular
it now enables variables with spaces in them, such as file paths that
contain spaces.
Adjust one of the accompanying test cases to use spaces in the path.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Protect variables with quotes so that pathnames with spaces are now
supported.
Adjust the accompanying test case to make use of spaces in file paths.
Address several issues found by shellcheck. Some of them are false
positives especially when it comes to protecting variables passed
to a commaned in an 'eval' line. They must not be protected, otherwise
they are not passed correctly.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Block the SIGPIPE so that a failing write() can return an EPIPE
rather than killing the process with a SIGPIPE.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Block the SIGPIPE so that a failing write() can return an EPIPE
rather than killing the process with a SIGPIPE.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Only accept new client connection on the control channel if we
currently do not have a client on the control channel.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
swtpm_setup will fail once libtpms starts supporting other PCR
hash banks than sha1, sha256, sha384, sha512, and sm3-256. So,
this patch allows to choose active PCR banks of the SHA3 series.
Further, unknown hash banks will not fail the tool anymore when
it tries to determine which hash banks are supported by the TPM
since it will then add the hex number of the hash algorithm to
the collection of supported hashes.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The Ubuntu (PPA) build system executes the build on an environment that
has problems with seccomp profiles. It does not allow us to run the test
suite with swtpm applying its seccomp profile since it fails with a
'bad system call' error. To work around this we introduce the env. variable
SWTPM_TEST_SECCOMP_OPT that we can set to "--seccomp action=none" to avoid
having swtpm apply it seccomp profile.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Move wait_port_open and wait_port_closed to common file and handle
the timeout errors in test_commandline.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Wait for the PID file to appear rather than reading it right away.
This addresses an issue when runnin the test suite under valgrind
(make -j $(nproc) check).
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
SWTPM_EXE may be 'valgrind ... swtpm', so we have to protect it with quotes
when passing it as a parameter to a function.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Search for the SWTPM_EXE / SWTPM_IOCTL executable using 'type -P' to
determine whether it is an executable rather than assuming a full path
is given on which we can check -x.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Delay the reading of the PID file if it is found to be empty.
This can happend if swtpm is run by valgrind.
Also, use the passed parameters rather than the global ones to check
the PID file contents against the expected pid. So far this worked
because PID and PID_FILE were variables used by every caller.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When running the TPM 1.2 vtpm_proxy test cases by launching the
swtpm with valgrind it may take a long time for the log to be
written and the device to appear. This is due to the self test
of the TPM 1.2 taking a while. So we need to move the reading
of the device into a loop and set the timeout of the loop to 10s
so that it passed under these circumstances.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
swtpm_setup.sh uses file descriptor 100 for 'exec 100 <> ...'.
So we have to make sure that the file descriptor inherited from
the caller of swtpm_setup does not overlap with a reserved range
to be used by swtpm_setup.sh, which we declare to be [100..109].
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Fix a cut and paste error in the error message output and be more
verbose in log about encryption when using file descriptors.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The --print-capabilities is missing in the 'swtpm chardev' help screen
but the code is there to interpret the command line flag. This patch
adds the missing lines to the help screen.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The byte stream contained the TDES identifier at the wrong position,
so no TDES key was created. This patch fixes this but needs an update
to libtpms since some unmarshalling/marshaling code related to TDES
was missing there as well.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend the existing key derivation test case for TPM 2 with test cases
that use a newer TPM 2 state where we now exercise the new
CryptAdjustPrimeCandidate algorithm that produces the same results on
big and little enidan 32 bit and 64 bit machines. This newer algorithm
is available in libtpms with revision 155 of the TPM 2 code.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Use v1.3.0 of the IBM TSS 2.0 repo.
Depending on the revision that libtpms implements, some test cases have to be
replaced with empty files.
The test suite now works with the libtpms stable-0.6.0 and stable-0.7.0
branches. A patch fixing an NV PIN issue needed to be applied to those
branches.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Since I am not often using the non-openssl crypto function usage
in libtpms, add a build to Travis that exercises the old code.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The test_print_capability is failing if SWTPM_EXE is for example
holding more than one parameter like 'valgrind ... /bin/swtpm' since the
variable was not protected with quotes. This patch fixes this.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The Travis build on OSX was failing due to the following error:
/usr/local/Homebrew/Library/Homebrew/brew.rb:23:in `require_relative': \
/usr/local/Homebrew/Library/Homebrew/global.rb:110: \
syntax error, unexpected keyword_rescue, expecting keyword_end (SyntaxError)
from /usr/local/Homebrew/Library/Homebrew/brew.rb:23:in `<main>'
The command "brew tap discoteq/discoteq" failed and exited with 1 during .
This patch resolves the issue.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Use the gnutls_x509_crt_get_subject_key_id() API call to get the subject
key ID of the signer's certificate rather than gnutls_x509_crt_get_key_id().
The latter returns the same result most of the time but there are instances
when this is not the case and the returned result is wrong.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The OIDs for the TPM 1.2 and TPM 2 platform data
are different (though have the same name in the spec).
Adapt them for the TPM 2 case.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
If the test environment is running in a seccomp profile do not check
that the seccomp profile of the swtpm process runs with the action
provided in --seccomp action=... since the environment may override
this.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
We have to use writev_full() when --vtpm-proxy is used since writev()
does not seem to work and we get an EIO error. writev_full() uses write(),
so we can use it.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Only build the libtpms dir if it doesn't exist. When we do a Coverity
scan build it looks like we are now running the script afterwards as
well and this creates a build failure due to the 2nd clone.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement read_eintr() to read into a buffer and handle EINTR on
the way.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Implement write_full and writev_full that handle partial writes.
Implement writev_full using write_full since handling partial writes
with iovec's can become quite complicated.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Get the PID of the started swtpm from the shell and validate it
against the contents of the pidfile afterwards.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
