Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package tpm2-0-tss for openSUSE:Factory checked in at 2021-02-01 13:25:56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tpm2-0-tss (Old) and /work/SRC/openSUSE:Factory/.tpm2-0-tss.new.28504 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "tpm2-0-tss" Mon Feb 1 13:25:56 2021 rev:25 rq:867410 version:3.0.3 Changes: -------- --- /work/SRC/openSUSE:Factory/tpm2-0-tss/tpm2-0-tss.changes 2020-10-28 09:58:47.723162099 +0100 +++ /work/SRC/openSUSE:Factory/.tpm2-0-tss.new.28504/tpm2-0-tss.changes 2021-02-01 13:26:06.133906933 +0100 
@@ -1,0 +2,25 @@ +Thu Jan 28 09:18:58 UTC 2021 - Matthias Gerstner <matthias.gerstner@suse.com> + +- update to 3.0.3: + - changes in 3.0.3: + * Fix Regression in Fapi_List + * Fix memory leak in policy calculation + - changes in 3.0.2: + * FAPI: Fix setting of the system flag of NV objects + * This will let NV object metadata be created system-wide always instead of + * locally in the user. Existing metadata will remain in the user directory. + * It can be moved to the corresponding systemstore manually if needed. + * FAPI: Fix policy searching, when a policyRef was provided + * FAPI: Accept EK-Certs without CRL dist point + * FAPI: Fix return codes of Fapi_List + * FAPI: Fix memleak in policy execution + * FAPI: Fix coverity NULL-pointer check + * FAPI: Set the written flag of NV objects in FAPI PolicyNV commands + * FAPI: Fix deleting of policy files. + * FAPI: Fix wrong file loading during object search. + * Fapi: Fix memory leak + * Fapi: Fix potential NULL-Dereference + * Fapi: Remove superfluous NULL check + * Fix a memory leak in async keystore load. + +------------------------------------------------------------------- Old: ---- tpm2-tss-3.0.1.tar.gz New: ---- tpm2-tss-3.0.3.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tpm2-0-tss.spec ++++++ --- /var/tmp/diff_new_pack.7KMblM/_old 2021-02-01 13:26:07.253908676 +0100 +++ /var/tmp/diff_new_pack.7KMblM/_new 2021-02-01 13:26:07.257908682 +0100 @@ -1,7 +1,7 @@ # # spec file for package tpm2-0-tss # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: tpm2-0-tss -Version: 3.0.1 +Version: 3.0.3 Release: 0 Summary: Intel's TCG Software Stack access libraries for TPM 2.0 chips License: BSD-2-Clause 
@@ -268,12 +268,12 @@ %{_tmpfilesdir}/tpm2-tss-fapi.conf # this would fix "tmpfile-not-in-filelist" warnings but when adding these # entries then it complains about "directories not owned by a package:" for -# /run/tpm2-0-tss & friends. When adding them as %ghost, too, then Leap15.1 +# /run/tpm2-0-tss & friends. When adding them as %%ghost, too, then Leap15.1 # complains about "found conflict of libtss2-fapi1-3.0.1-lp152.103.1.x86_64 # with libtss2-fapi1-3.0.1-lp152.103.1.x86_64". Thus leave it be for the # moment, some insane circle of errors is involved here. -#%%ghost %{_sharedstatedir}/%{name}/system/keystore -#%%ghost %{_rundir}/%{name}/eventlog +# %%ghost %%{_sharedstatedir}/%%{name}/system/keystore +# %%ghost %%{_rundir}/%%{name}/eventlog %files -n libtss2-tcti-cmd0 %defattr(-,root,root) ++++++ _service ++++++ --- /var/tmp/diff_new_pack.7KMblM/_old 2021-02-01 13:26:07.285908726 +0100 +++ /var/tmp/diff_new_pack.7KMblM/_new 2021-02-01 13:26:07.285908726 +0100 @@ -2,7 +2,7 @@ <service name="tar_scm" mode="disabled"> <param name="url">https://github.com/intel/tpm2-tss.git</param> <param name="scm">git</param> - <param name="revision">2.3.3</param> + <param name="revision">3.0.3</param> <param name="versionformat">@PARENT_TAG@</param> <param name="changesgenerate">disable</param> </service> ++++++ tpm2-tss-3.0.1.tar.gz -> tpm2-tss-3.0.3.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tss-3.0.1/AUTHORS new/tpm2-tss-3.0.3/AUTHORS --- old/tpm2-tss-3.0.1/AUTHORS 2020-09-23 17:46:34.000000000 +0200 +++ new/tpm2-tss-3.0.3/AUTHORS 2020-11-25 15:11:20.000000000 +0100 @@ -48,6 +48,7 @@ Safayet N Ahmed <Safayet.Ahmed@ge.com> Michael Eckel <michael.eckel@sit.fraunhofer.de> Juergen Repp <repp@pc-repp.sit.fraunhofer.de> +John Andersen <johnandersenpdx@gmail.com> Johannes Holland <joh.ho@gmx.de> Joe Richey <joerichey@google.com> Jerry Snitselaar <jsnitsel@redhat.com> 
@@ -65,6 +66,7 @@ Seunghun Han <kkamagui@gmail.com> Safayet Ahmed <Safayet.Ahmed@ge.com> root <will.c.arthur@intel.com> +Roman Kagan <rvkagan@gmail.com> Richard Yoo <ryoo@google.com> Michael Nix <mchl.nix@googlemail.com> Matthias Gerstner <matthias.gerstner@suse.de> @@ -78,7 +80,6 @@ lakshminarayanand <Lakshmi_Narayanan_Du@dell.com> Julian Trzeciak <juliantrzeciak@gmail.com> joselacour11@hotmail.com <joselacour11@hotmail.com> -John Andersen <johnandersenpdx@gmail.com> Jia Zhang <zhang.jia@linux.alibaba.com> Imran Desai <imran.desai@intel.com> genofire <geno+dev@fireorbit.de> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tss-3.0.1/CHANGELOG.md new/tpm2-tss-3.0.3/CHANGELOG.md --- old/tpm2-tss-3.0.1/CHANGELOG.md 2020-09-23 17:45:47.000000000 +0200 +++ new/tpm2-tss-3.0.3/CHANGELOG.md 2020-11-25 15:10:56.000000000 +0100 
@@ -3,6 +3,30 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/) +## [3.0.3] - 2020-11-25 +### Changed or Fixed +- Fix Regression in Fapi_List +- Fix memory leak in policy calculation + +## [3.0.2] - 2020-11-20 +### Changed or Fixed +- FAPI: Fix setting of the system flag of NV objects + This will let NV object metadata be created system-wide always instead of + locally in the user. Existing metadata will remain in the user directory. + It can be moved to the corresponding systemstore manually if needed. +- FAPI: Fix policy searching, when a policyRef was provided +- FAPI: Accept EK-Certs without CRL dist point +- FAPI: Fix return codes of Fapi_List +- FAPI: Fix memleak in policy execution +- FAPI: Fix coverity NULL-pointer check +- FAPI: Set the written flag of NV objects in FAPI PolicyNV commands +- FAPI: Fix deleting of policy files. +- FAPI: Fix wrong file loading during object search. +- Fapi: Fix memory leak +- Fapi: Fix potential NULL-Dereference +- Fapi: Remove superfluous NULL check +- Fix a memory leak in async keystore load. + ## [3.0.1] - 2020-09-23 ### Changed or Fixed - Fix CVE-2020-24455 FAPI PolicyPCR not instatiating correctly diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tss-3.0.1/Makefile.in new/tpm2-tss-3.0.3/Makefile.in --- old/tpm2-tss-3.0.1/Makefile.in 2020-09-23 17:47:04.000000000 +0200 +++ new/tpm2-tss-3.0.3/Makefile.in 2020-11-25 15:11:13.000000000 +0100 @@ -20,7 +20,7 @@ # All rights reserved. # aminclude_static.am generated automatically by Autoconf -# from AX_AM_MACROS_STATIC on Mi 23. Sep 17:47:02 CEST 2020 +# from AX_AM_MACROS_STATIC on Wed Nov 25 15:11:12 CET 2020 # SPDX-License-Identifier: BSD-2-Clause # Copyright (c) 2015 - 2018 Intel Corporation 
@@ -23909,8 +23909,8 @@ @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) -@AUTOCONF_CODE_COVERAGE_2019_01_06_FALSE@distclean-local: @AUTOCONF_CODE_COVERAGE_2019_01_06_FALSE@clean-local: +@AUTOCONF_CODE_COVERAGE_2019_01_06_FALSE@distclean-local: check-valgrind: check-valgrind-am check-valgrind-am: check-valgrind-local diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tss-3.0.1/aminclude_static.am new/tpm2-tss-3.0.3/aminclude_static.am --- old/tpm2-tss-3.0.1/aminclude_static.am 2020-09-23 17:47:02.000000000 +0200 +++ new/tpm2-tss-3.0.3/aminclude_static.am 2020-11-25 15:11:12.000000000 +0100 @@ -1,4 +1,4 @@ # aminclude_static.am generated automatically by Autoconf -# from AX_AM_MACROS_STATIC on Mi 23. Sep 17:47:02 CEST 2020 +# from AX_AM_MACROS_STATIC on Wed Nov 25 15:11:12 CET 2020 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tss-3.0.1/configure new/tpm2-tss-3.0.3/configure --- old/tpm2-tss-3.0.1/configure 2020-09-23 17:46:28.000000000 +0200 +++ new/tpm2-tss-3.0.3/configure 2020-11-25 15:11:11.000000000 +0100 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for tpm2-tss 3.0.1. +# Generated by GNU Autoconf 2.69 for tpm2-tss 3.0.3. # # Report bugs to <https://github.com/tpm2-software/tpm2-tss/issues>. # @@ -590,8 +590,8 @@ # Identity of this package. PACKAGE_NAME='tpm2-tss' PACKAGE_TARNAME='tpm2-tss' -PACKAGE_VERSION='3.0.1' -PACKAGE_STRING='tpm2-tss 3.0.1' +PACKAGE_VERSION='3.0.3' +PACKAGE_STRING='tpm2-tss 3.0.3' PACKAGE_BUGREPORT='https://github.com/tpm2-software/tpm2-tss/issues' PACKAGE_URL='https://github.com/tpm2-software/tpm2-tss' 
@@ -1556,7 +1556,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures tpm2-tss 3.0.1 to adapt to many kinds of systems. +\`configure' configures tpm2-tss 3.0.3 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1627,7 +1627,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of tpm2-tss 3.0.1:";; + short | recursive ) echo "Configuration of tpm2-tss 3.0.3:";; esac cat <<\_ACEOF @@ -1835,7 +1835,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -tpm2-tss configure 3.0.1 +tpm2-tss configure 3.0.3 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2371,7 +2371,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by tpm2-tss $as_me 3.0.1, which was +It was created by tpm2-tss $as_me 3.0.3, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3235,7 +3235,7 @@ # Define the identity of the package. PACKAGE='tpm2-tss' - VERSION='3.0.1' + VERSION='3.0.3' cat >>confdefs.h <<_ACEOF @@ -23329,7 +23329,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by tpm2-tss $as_me 3.0.1, which was +This file was extended by tpm2-tss $as_me 3.0.3, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -23396,7 +23396,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -tpm2-tss config.status 3.0.1 +tpm2-tss config.status 3.0.3 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tss-3.0.1/configure.ac new/tpm2-tss-3.0.3/configure.ac --- old/tpm2-tss-3.0.1/configure.ac 2020-09-23 17:45:29.000000000 +0200 +++ new/tpm2-tss-3.0.3/configure.ac 2020-11-25 15:10:56.000000000 +0100 @@ -4,7 +4,7 @@ # All rights reserved. AC_INIT([tpm2-tss], - [3.0.1], + [3.0.3], [https://github.com/tpm2-software/tpm2-tss/issues], [], [https://github.com/tpm2-software/tpm2-tss]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tss-3.0.1/lib/tss2-esys.pc.in new/tpm2-tss-3.0.3/lib/tss2-esys.pc.in --- old/tpm2-tss-3.0.1/lib/tss2-esys.pc.in 2020-09-22 14:16:18.000000000 +0200 +++ new/tpm2-tss-3.0.3/lib/tss2-esys.pc.in 2020-11-25 15:10:25.000000000 +0100 @@ -8,6 +8,6 @@ URL: https://github.com/tpm2-software/tpm2-tss Version: @VERSION@ Requires.private: tss2-mu tss2-sys -Cflags: -I${includedir} -I${includedir}/tss +Cflags: -I${includedir} -I${includedir}/tss2 Libs: -ltss2-esys -L${libdir} Libs.private: @LIBADD_DL@ @LIBSOCKET_LDFLAGS@ @TSS2_ESYS_LDFLAGS_CRYPTO@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tss-3.0.1/lib/tss2-fapi.pc.in new/tpm2-tss-3.0.3/lib/tss2-fapi.pc.in --- old/tpm2-tss-3.0.1/lib/tss2-fapi.pc.in 2020-09-22 14:16:18.000000000 +0200 +++ new/tpm2-tss-3.0.3/lib/tss2-fapi.pc.in 2020-11-25 15:10:25.000000000 +0100 
@@ -8,5 +8,5 @@ URL: https://github.com/tpm2-software/tpm2-tss Version: @VERSION@ Requires.private: tss2-mu tss2-esys tss2-tctildr libcurl libcrypto json-c -Cflags: -I${includedir} -I${includedir}/tss +Cflags: -I${includedir} -I${includedir}/tss2 Libs: -ltss2-fapi -L${libdir} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tss-3.0.1/lib/tss2-mu.pc.in new/tpm2-tss-3.0.3/lib/tss2-mu.pc.in --- old/tpm2-tss-3.0.1/lib/tss2-mu.pc.in 2020-09-22 14:16:18.000000000 +0200 +++ new/tpm2-tss-3.0.3/lib/tss2-mu.pc.in 2020-11-25 15:10:25.000000000 +0100 @@ -7,5 +7,5 @@ Description: TPM2 type marshaling and unmarshaling library. URL: https://github.com/tpm2-software/tpm2-tss Version: @VERSION@ -Cflags: -I${includedir} -I${includedir}/tss +Cflags: -I${includedir} -I${includedir}/tss2 Libs: -ltss2-mu -L${libdir} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tss-3.0.1/lib/tss2-rc.pc.in new/tpm2-tss-3.0.3/lib/tss2-rc.pc.in --- old/tpm2-tss-3.0.1/lib/tss2-rc.pc.in 2020-09-22 14:16:18.000000000 +0200 +++ new/tpm2-tss-3.0.3/lib/tss2-rc.pc.in 2020-11-25 15:10:25.000000000 +0100 @@ -7,5 +7,5 @@ Description: TPM2 error decoding library. URL: https://github.com/tpm2-software/tpm2-tss Version: @VERSION@ -Cflags: -I${includedir} -I${includedir}/tss +Cflags: -I${includedir} -I${includedir}/tss2 Libs: -ltss2-rc -L${libdir} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tss-3.0.1/lib/tss2-sys.pc.in new/tpm2-tss-3.0.3/lib/tss2-sys.pc.in --- old/tpm2-tss-3.0.1/lib/tss2-sys.pc.in 2020-09-22 14:16:18.000000000 +0200 +++ new/tpm2-tss-3.0.3/lib/tss2-sys.pc.in 2020-11-25 15:10:25.000000000 +0100 
@@ -8,6 +8,6 @@ URL: https://github.com/tpm2-software/tpm2-tss Version: @VERSION@ Requires.private: tss2-mu -Cflags: -I${includedir} -I${includedir}/tss +Cflags: -I${includedir} -I${includedir}/tss2 Libs: -ltss2-sys -L${libdir} Libs.private: @LIBSOCKET_LDFLAGS@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tss-3.0.1/lib/tss2-tcti-cmd.pc.in new/tpm2-tss-3.0.3/lib/tss2-tcti-cmd.pc.in --- old/tpm2-tss-3.0.1/lib/tss2-tcti-cmd.pc.in 2020-09-22 14:16:18.000000000 +0200 +++ new/tpm2-tss-3.0.3/lib/tss2-tcti-cmd.pc.in 2020-11-25 15:10:25.000000000 +0100 @@ -7,5 +7,5 @@ Description: TCTI library for communicating with a subproccess that can communicate with the TPM. URL: https://github.com/tpm2-software/tpm2-tss Version: @VERSION@ -Cflags: -I${includedir} -I${includedir}/tss +Cflags: -I${includedir} -I${includedir}/tss2 Libs: -ltss2-tcti-cmd -L${libdir} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tss-3.0.1/lib/tss2-tcti-device.pc.in new/tpm2-tss-3.0.3/lib/tss2-tcti-device.pc.in --- old/tpm2-tss-3.0.1/lib/tss2-tcti-device.pc.in 2020-09-22 14:16:18.000000000 +0200 +++ new/tpm2-tss-3.0.3/lib/tss2-tcti-device.pc.in 2020-11-25 15:10:25.000000000 +0100 @@ -8,5 +8,5 @@ URL: https://github.com/tpm2-software/tpm2-tss Version: @VERSION@ Requires.private: tss2-mu -Cflags: -I${includedir} -I${includedir}/tss +Cflags: -I${includedir} -I${includedir}/tss2 Libs: -ltss2-tcti-device -L${libdir} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tss-3.0.1/lib/tss2-tcti-mssim.pc.in new/tpm2-tss-3.0.3/lib/tss2-tcti-mssim.pc.in --- old/tpm2-tss-3.0.1/lib/tss2-tcti-mssim.pc.in 2020-09-22 14:16:18.000000000 +0200 +++ new/tpm2-tss-3.0.3/lib/tss2-tcti-mssim.pc.in 2020-11-25 15:10:25.000000000 +0100 
@@ -8,5 +8,5 @@ URL: https://github.com/tpm2-software/tpm2-tss Version: @VERSION@ Requires.private: tss2-mu -Cflags: -I${includedir} -I${includedir}/tss +Cflags: -I${includedir} -I${includedir}/tss2 Libs: -ltss2-tcti-mssim -L${libdir} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tss-3.0.1/lib/tss2-tcti-swtpm.pc.in new/tpm2-tss-3.0.3/lib/tss2-tcti-swtpm.pc.in --- old/tpm2-tss-3.0.1/lib/tss2-tcti-swtpm.pc.in 2020-09-22 14:16:18.000000000 +0200 +++ new/tpm2-tss-3.0.3/lib/tss2-tcti-swtpm.pc.in 2020-11-25 15:10:25.000000000 +0100 @@ -8,5 +8,5 @@ URL: https://github.com/tpm2-software/tpm2-tss Version: @VERSION@ Requires.private: tss2-mu -Cflags: -I${includedir} -I${includedir}/tss +Cflags: -I${includedir} -I${includedir}/tss2 Libs: -ltss2-tcti-swtpm -L${libdir} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tss-3.0.1/lib/tss2-tctildr.pc.in new/tpm2-tss-3.0.3/lib/tss2-tctildr.pc.in --- old/tpm2-tss-3.0.1/lib/tss2-tctildr.pc.in 2020-09-22 14:16:18.000000000 +0200 +++ new/tpm2-tss-3.0.3/lib/tss2-tctildr.pc.in 2020-11-25 15:10:25.000000000 +0100 @@ -7,5 +7,5 @@ Description: Library to simplify management of TCTIs. URL: https://github.com/tpm2-software/tpm2-tss Version: @VERSION@ -Cflags: -I@includedir@ -I${includedir}/tss +Cflags: -I@includedir@ -I${includedir}/tss2 Libs: -ltss2-tctildr -L@libdir@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tss-3.0.1/man/man7/tss2-tcti-swtpm.7 new/tpm2-tss-3.0.3/man/man7/tss2-tcti-swtpm.7 --- old/tpm2-tss-3.0.1/man/man7/tss2-tcti-swtpm.7 2020-09-23 17:47:08.000000000 +0200 +++ new/tpm2-tss-3.0.3/man/man7/tss2-tcti-swtpm.7 2020-11-25 15:11:20.000000000 +0100 
@@ -25,7 +25,7 @@ .BR tcti-tabrmd (7), .BR tpm2-abrmd (8) .SH COLOPHON -This page is part of release 3.0.1 of Open Source implementation of the +This page is part of release 3.0.3 of Open Source implementation of the TCG TPM2 Software Stack (TSS2). A description of the project, information about reporting bugs, and the latest version of this page can be found at \%https://github.com/tpm2-software/tpm2-tss/. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tss-3.0.1/src/tss2-fapi/api/Fapi_CreateNv.c new/tpm2-tss-3.0.3/src/tss2-fapi/api/Fapi_CreateNv.c --- old/tpm2-tss-3.0.1/src/tss2-fapi/api/Fapi_CreateNv.c 2020-09-22 14:16:18.000000000 +0200 +++ new/tpm2-tss-3.0.3/src/tss2-fapi/api/Fapi_CreateNv.c 2020-11-25 15:10:25.000000000 +0100 @@ -442,6 +442,9 @@ else miscNv->with_auth = TPM2_NO; + /* NV objects will always be stored in the system store */ + nvCmd->nv_object.system = TPM2_YES; + /* Perform esys serialization if necessary */ r = ifapi_esys_serialize_object(context->esys, &nvCmd->nv_object); goto_if_error(r, "Prepare serialization", error_cleanup); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tss-3.0.1/src/tss2-fapi/api/Fapi_Delete.c new/tpm2-tss-3.0.3/src/tss2-fapi/api/Fapi_Delete.c --- old/tpm2-tss-3.0.1/src/tss2-fapi/api/Fapi_Delete.c 2020-09-22 14:16:18.000000000 +0200 +++ new/tpm2-tss-3.0.3/src/tss2-fapi/api/Fapi_Delete.c 2020-11-25 15:10:25.000000000 +0100 
@@ -391,6 +391,13 @@ &command->numPaths); goto_if_error(r, "get entities.", error_cleanup); + /* Check whether a path for exactly one policy was passed. */ + if (command->numPaths == 0 && ifapi_path_type_p(path, IFAPI_POLICY_PATH)) { + command->numPaths = 1; + command->pathlist = calloc(1, sizeof(char *)); + strdup_check(command->pathlist[0], path, r, error_cleanup); + } + command->path_idx = command->numPaths; if (command->numPaths == 0) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tss-3.0.1/src/tss2-fapi/api/Fapi_Import.c new/tpm2-tss-3.0.3/src/tss2-fapi/api/Fapi_Import.c --- old/tpm2-tss-3.0.1/src/tss2-fapi/api/Fapi_Import.c 2020-09-22 14:16:18.000000000 +0200 +++ new/tpm2-tss-3.0.3/src/tss2-fapi/api/Fapi_Import.c 2020-11-25 15:10:25.000000000 +0100 @@ -622,9 +622,8 @@ ifapi_cleanup_ifapi_object(&command->object); if (command->private) { SAFE_FREE(command->private); - if (newObject) - /* Private buffer was already freed. */ - newObject->misc.key.private.buffer = NULL; + /* Private buffer was already freed. */ + newObject->misc.key.private.buffer = NULL; } ifapi_cleanup_ifapi_object(&context->createPrimary.pkey_object); if (context->loadKey.key_object){ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tss-3.0.1/src/tss2-fapi/api/Fapi_List.c new/tpm2-tss-3.0.3/src/tss2-fapi/api/Fapi_List.c --- old/tpm2-tss-3.0.1/src/tss2-fapi/api/Fapi_List.c 2020-09-22 14:16:18.000000000 +0200 +++ new/tpm2-tss-3.0.3/src/tss2-fapi/api/Fapi_List.c 2020-11-25 15:10:25.000000000 +0100 @@ -169,6 +169,7 @@ char **pathList) { LOG_TRACE("called for context:%p", context); + bool provision_check_ok; TSS2_RC r = TSS2_RC_SUCCESS; size_t sizePathList = 0; @@ -188,7 +189,7 @@ goto_if_error(r, "get entities.", cleanup); if (numPaths == 0) - goto cleanup; + goto check_provisioning; /* Determine size of char string to be returnded */ for (size_t i = 0; i < numPaths; i++) 
@@ -208,25 +209,35 @@ strcat(*pathList, IFAPI_LIST_DELIM); } - LOG_TRACE("finished"); - -cleanup: - /* Cleanup any intermediate results and state stored in the context. */ - SAFE_FREE(command->searchPath); + check_provisioning: if (numPaths == 0 && (r == TSS2_RC_SUCCESS)) { - if (command->searchPath && strcmp(command->searchPath,"/") !=0) { - LOG_ERROR("Path not found: %s", command->searchPath); + if (command->searchPath && (strcmp(command->searchPath,"/") == 0 + || strcmp(command->searchPath,"") == 0)) { + LOG_WARNING("Path not found: %s", command->searchPath); r = TSS2_FAPI_RC_NOT_PROVISIONED; } else { - LOG_ERROR("FAPI not provisioned."); - r = TSS2_FAPI_RC_NOT_PROVISIONED; + r = ifapi_check_provisioned(&context->keystore, command->searchPath, &provision_check_ok); + goto_if_error(r, "Provisioning check.", cleanup); + + if (provision_check_ok) { + LOG_WARNING("Path not found: %s", command->searchPath); + r = TSS2_FAPI_RC_PATH_NOT_FOUND; + } else { + LOG_WARNING("Profile of path not provisioned: %s", command->searchPath); + r = TSS2_FAPI_RC_NOT_PROVISIONED; + } } } + LOG_TRACE("finished"); + +cleanup: + /* Cleanup any intermediate results and state stored in the context. */ if (numPaths > 0) { for (size_t i = 0; i < numPaths; i++){ SAFE_FREE(pathArray[i]); } } + SAFE_FREE(command->searchPath); SAFE_FREE(pathArray); return r; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tss-3.0.1/src/tss2-fapi/api/Fapi_NvExtend.c new/tpm2-tss-3.0.3/src/tss2-fapi/api/Fapi_NvExtend.c --- old/tpm2-tss-3.0.1/src/tss2-fapi/api/Fapi_NvExtend.c 2020-09-22 14:16:18.000000000 +0200 +++ new/tpm2-tss-3.0.3/src/tss2-fapi/api/Fapi_NvExtend.c 2020-11-25 15:10:25.000000000 +0100 
@@ -427,6 +427,9 @@ JSON_C_TO_STRING_PRETTY), r, error_cleanup); + /* Set written bit in keystore */ + context->nv_cmd.nv_object.misc.nv.public.nvPublic.attributes |= TPMA_NV_WRITTEN; + /* Perform esys serialization if necessary */ r = ifapi_esys_serialize_object(context->esys, &command->nv_object); goto_if_error(r, "Prepare serialization", error_cleanup); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tss-3.0.1/src/tss2-fapi/api/Fapi_NvIncrement.c new/tpm2-tss-3.0.3/src/tss2-fapi/api/Fapi_NvIncrement.c --- old/tpm2-tss-3.0.1/src/tss2-fapi/api/Fapi_NvIncrement.c 2020-09-22 14:16:18.000000000 +0200 +++ new/tpm2-tss-3.0.3/src/tss2-fapi/api/Fapi_NvIncrement.c 2020-11-25 15:10:25.000000000 +0100 @@ -307,6 +307,9 @@ return_try_again(r); goto_if_error_reset_state(r, "FAPI NV_Increment_Finish", error_cleanup); + /* Set written bit in keystore */ + context->nv_cmd.nv_object.misc.nv.public.nvPublic.attributes |= TPMA_NV_WRITTEN; + /* Perform esys serialization if necessary */ r = ifapi_esys_serialize_object(context->esys, &command->nv_object); goto_if_error(r, "Prepare serialization", error_cleanup); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tss-3.0.1/src/tss2-fapi/api/Fapi_NvSetBits.c new/tpm2-tss-3.0.3/src/tss2-fapi/api/Fapi_NvSetBits.c --- old/tpm2-tss-3.0.1/src/tss2-fapi/api/Fapi_NvSetBits.c 2020-09-22 14:16:18.000000000 +0200 +++ new/tpm2-tss-3.0.3/src/tss2-fapi/api/Fapi_NvSetBits.c 2020-11-25 15:10:25.000000000 +0100 
@@ -317,6 +317,9 @@ return_try_again(r); goto_if_error_reset_state(r, "FAPI NV_SetBits_Finish", error_cleanup); + /* Set written bit in keystore */ + context->nv_cmd.nv_object.misc.nv.public.nvPublic.attributes |= TPMA_NV_WRITTEN; + /* Serialize the ESYS object for updating the metadata in the keystore. */ r = ifapi_esys_serialize_object(context->esys, object); goto_if_error(r, "Prepare serialization", error_cleanup); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tss-3.0.1/src/tss2-fapi/api/Fapi_Provision.c new/tpm2-tss-3.0.3/src/tss2-fapi/api/Fapi_Provision.c --- old/tpm2-tss-3.0.1/src/tss2-fapi/api/Fapi_Provision.c 2020-09-22 14:16:18.000000000 +0200 +++ new/tpm2-tss-3.0.3/src/tss2-fapi/api/Fapi_Provision.c 2020-11-25 15:10:25.000000000 +0100 @@ -374,6 +374,11 @@ statecase(context->state, PROVISION_READ_HIERARCHY); path = command->pathlist[command->path_idx]; + if (path == NULL) { + goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Wrong path.", + error_cleanup); + } + r = ifapi_keystore_load_finish(&context->keystore, &context->io, &command->hierarchies[command->path_idx]); return_try_again(r); @@ -381,6 +386,11 @@ /* Search for slash followed by hierarchy after profile */ path = strchr(&path[1], '/'); + if (path == NULL) { + goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, + "Wrong path.", + error_cleanup); + } /* Use the first appropriate hierarchy for provisioning. The first found hierarchy will be copied into the provisioning context.*/ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tss-3.0.1/src/tss2-fapi/fapi_crypto.c new/tpm2-tss-3.0.3/src/tss2-fapi/fapi_crypto.c --- old/tpm2-tss-3.0.1/src/tss2-fapi/fapi_crypto.c 2020-07-20 14:47:05.000000000 +0200 +++ new/tpm2-tss-3.0.3/src/tss2-fapi/fapi_crypto.c 2020-11-25 14:00:15.000000000 +0100 
@@ -1640,6 +1640,11 @@ } } + /* No CRL dist point in the cert is legitimate */ + if (url == NULL) { + goto cleanup; + } + curl_rc = ifapi_get_curl_buffer(url, &crl_buffer, &crl_buffer_size); if (curl_rc != 0) { goto_error(r, TSS2_FAPI_RC_NO_CERT, "Get crl.", cleanup); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tss-3.0.1/src/tss2-fapi/fapi_util.c new/tpm2-tss-3.0.3/src/tss2-fapi/fapi_util.c --- old/tpm2-tss-3.0.1/src/tss2-fapi/fapi_util.c 2020-09-22 14:16:18.000000000 +0200 +++ new/tpm2-tss-3.0.3/src/tss2-fapi/fapi_util.c 2020-11-25 15:10:25.000000000 +0100 @@ -3390,6 +3390,9 @@ r = ifapi_get_name(&outPublic->publicArea, &object->misc.key.name); goto_if_error(r, "Get key name", error_cleanup); + SAFE_FREE(outPrivate); + SAFE_FREE(outPublic); + if (object->misc.key.public.publicArea.type == TPM2_ALG_RSA) object->misc.key.signing_scheme = context->cmd.Key_Create.profile->rsa_signing_scheme; else @@ -3402,10 +3405,16 @@ r = ifapi_authorize_object(context, &context->loadKey.auth_object, &auth_session); FAPI_SYNC(r, "Authorize key.", error_cleanup); + TPM2B_PRIVATE private; + private.size = object->misc.key.private.size; + memcpy(&private.buffer[0], &object->misc.key.private.buffer[0], + private.size); + r = Esys_Load_Async(context->esys, context->loadKey.handle, auth_session, ESYS_TR_NONE, ESYS_TR_NONE, - outPrivate, outPublic); + &private, + &object->misc.key.public); goto_if_error(r, "Load key.", error_cleanup); } 
@@ -3489,9 +3498,6 @@ fallthrough; statecase(context->cmd.Key_Create.state, KEY_CREATE_WRITE_PREPARE); - SAFE_FREE(outPrivate); - SAFE_FREE(outPublic); - if (template->persistent_handle) { /* Compute the serialization, which will be used for the reconstruction of the key object. */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tss-3.0.1/src/tss2-fapi/ifapi_keystore.c new/tpm2-tss-3.0.3/src/tss2-fapi/ifapi_keystore.c --- old/tpm2-tss-3.0.1/src/tss2-fapi/ifapi_keystore.c 2020-09-22 14:16:18.000000000 +0200 +++ new/tpm2-tss-3.0.3/src/tss2-fapi/ifapi_keystore.c 2020-11-25 15:10:25.000000000 +0100 @@ -61,8 +61,7 @@ * @retval TSS2_FAPI_RC_MEMORY: If memory for the path list could not be allocated. * @retval TSS2_FAPI_RC_BAD_VALUE If no explicit path can be derived from the * implicit path. - * @retval TSS2_FAPI_RC_PATH_NOT_FOUND if a FAPI object path was not found - * during authorization. + * @retval TSS2_FAPI_RC_BAD_PATH if no valid key path could be created. */ static TSS2_RC initialize_explicit_key_path( @@ -119,7 +118,7 @@ hierarchy = "HS"; } else { LOG_ERROR("Hierarchy cannot be determined."); - r = TSS2_FAPI_RC_PATH_NOT_FOUND; + r = TSS2_FAPI_RC_BAD_PATH; goto error; } /* Add the used hierarchy to the linked list. */ @@ -129,7 +128,7 @@ goto error; } if (list_node == NULL) { - goto_error(r, TSS2_FAPI_RC_PATH_NOT_FOUND, "Explicit path can't be determined.", + goto_error(r, TSS2_FAPI_RC_BAD_PATH, "Explicit path can't be determined.", error); } 
@@ -141,21 +140,21 @@ } if (hierarchy && strcmp(hierarchy, "HS") == 0 && strcmp(list_node->str, "EK") == 0) { - LOG_ERROR("Key EK cannot be create in the storage hierarchy."); - r = TSS2_FAPI_RC_PATH_NOT_FOUND; + LOG_ERROR("Key EK cannot be created in the storage hierarchy."); + r = TSS2_FAPI_RC_BAD_PATH; goto error; } if (hierarchy && strcmp(hierarchy, "HE") == 0 && strcmp(list_node->str, "SRK") == 0) { LOG_ERROR("Key EK cannot be create in the endorsement hierarchy."); - r = TSS2_FAPI_RC_PATH_NOT_FOUND; + r = TSS2_FAPI_RC_BAD_PATH; goto error; } if (hierarchy && strcmp(hierarchy, "HN") == 0 && (strcmp(list_node->str, "SRK") == 0 || strcmp(list_node->str, "EK") == 0)) { LOG_ERROR("Key EK and SRK cannot be created in NULL hierarchy."); - r = TSS2_FAPI_RC_PATH_NOT_FOUND; + r = TSS2_FAPI_RC_BAD_PATH; goto error; } @@ -511,6 +510,7 @@ { TSS2_RC r; char *directory = NULL; + bool provision_check_ok; /* First expand path in user directory */ r = expand_path(keystore, rel_path, &directory); 
@@ -533,16 +533,26 @@ goto cleanup; } + /* Check whether provisioning was made for the path profile. */ + r = ifapi_check_provisioned(keystore, rel_path, &provision_check_ok); + goto_if_error(r, "Provisioning check.", cleanup); + + if (!provision_check_ok) { + goto_error(r, TSS2_FAPI_RC_NOT_PROVISIONED, + "FAPI not provisioned for path: %s.", + cleanup, rel_path); + } + /* Check type of object which does not exist. */ if (ifapi_path_type_p(rel_path, IFAPI_NV_PATH)) { /* NV directory does not exist. */ goto_error(r, TSS2_FAPI_RC_PATH_NOT_FOUND, - "FAPI not provisioned. File %s does not exist.", + "File %s does not exist.", cleanup, rel_path); } else if (ifapi_hierarchy_path_p(rel_path)) { /* Hierarchy which should be created during provisioning could not be loaded. */ - goto_error(r, TSS2_FAPI_RC_NOT_PROVISIONED, - "FAPI not provisioned. Hierarchy file %s does not exist.", + goto_error(r, TSS2_FAPI_RC_PATH_NOT_FOUND, + "Hierarchy file %s does not exist.", cleanup, rel_path); } else { /* Object file for key does not exist in keystore */ @@ -603,6 +613,7 @@ return r; error_cleanup: + SAFE_FREE(abs_path); SAFE_FREE(keystore->rel_path); return r; } @@ -1183,6 +1194,11 @@ path = keystore->key_search.pathlist[path_idx]; LOG_TRACE("Check file: %s %zu", path, keystore->key_search.path_idx); + /* Skip policy files. */ + if (ifapi_path_type_p(path, IFAPI_POLICY_PATH)) { + return TSS2_FAPI_RC_TRY_AGAIN; + } + r = ifapi_keystore_load_async(keystore, io, path); return_if_error2(r, "Could not open: %s", path); 
@@ -1764,3 +1780,65 @@ } } } + +/** Check whether profile directory exists for a fapi path. + * + * It will be checked whether a profile directory exists for a path which starts + * with a profile name after fapi pathname expansion. + * + * @param[in] keystore The key directories and default profile. + * @param[in] rel_path The relative path to be checked. + * @param[out] ok The boolean value whether the check ok. + * @retval TSS2_RC_SUCCESS if the check could be made. + * @retval TSS2_FAPI_RC_MEMORY: if memory could not be allocated to compute + * the absolute paths. + */ +TSS2_RC +ifapi_check_provisioned( + IFAPI_KEYSTORE *keystore, + const char *rel_path, + bool *ok) +{ + TSS2_RC r = TSS2_RC_SUCCESS; + char *directory = NULL; + char *profile_dir = NULL; + char *end_profile; + + *ok = false; + + /* First expand path in user directory */ + r = expand_path(keystore, rel_path, &directory); + goto_if_error(r, "Expand path", cleanup); + + /* Check whether the path starts with a profile. */ + if (directory && (strncmp(directory, "P_", 2) != 0 || strncmp(directory, "/P_", 2) != 0)) { + end_profile = strchr(&directory[1], '/'); + if (end_profile) { + end_profile[0] = '\0'; + } + /* Compute user path of the profile. */ + r = ifapi_asprintf(&profile_dir, "%s/%s", keystore->userdir, directory); + goto_if_error2(r, "Profile path could not be created.", cleanup); + + if (ifapi_io_path_exists(profile_dir)) { + *ok = true; + goto cleanup; + } + /* Compute system path of the profile. */ + SAFE_FREE(profile_dir); + r = ifapi_asprintf(&profile_dir, "%s/%s", keystore->systemdir, directory); + goto_if_error2(r, "Profile path could not be created.", cleanup); + + if (ifapi_io_path_exists(profile_dir)) { + *ok = true; + goto cleanup; + } + } else { + /* No check needed because no profile found in the path. 
*/ + *ok = true; + } + cleanup: + SAFE_FREE(profile_dir); + SAFE_FREE(directory); + return r; +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tss-3.0.1/src/tss2-fapi/ifapi_keystore.h new/tpm2-tss-3.0.3/src/tss2-fapi/ifapi_keystore.h --- old/tpm2-tss-3.0.1/src/tss2-fapi/ifapi_keystore.h 2020-09-22 14:16:18.000000000 +0200 +++ new/tpm2-tss-3.0.3/src/tss2-fapi/ifapi_keystore.h 2020-11-25 15:10:25.000000000 +0100 @@ -280,4 +280,10 @@ ifapi_cleanup_ifapi_object( IFAPI_OBJECT *object); +TSS2_RC +ifapi_check_provisioned( + IFAPI_KEYSTORE *keystore, + const char *rel_path, + bool *ok); + #endif /* IFAPI_KEYSTORE_H */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tss-3.0.1/src/tss2-fapi/ifapi_policy.c new/tpm2-tss-3.0.3/src/tss2-fapi/ifapi_policy.c --- old/tpm2-tss-3.0.1/src/tss2-fapi/ifapi_policy.c 2020-09-22 14:16:18.000000000 +0200 +++ new/tpm2-tss-3.0.3/src/tss2-fapi/ifapi_policy.c 2020-11-25 15:10:25.000000000 +0100 @@ -116,6 +116,8 @@ r = ifapi_policyeval_instantiate_finish(&context->policy.eval_ctx); FAPI_SYNC(r, "Instantiate policy.", cleanup); ifapi_free_node_list(context->policy.eval_ctx.policy_elements); + context->policy.eval_ctx.policy_elements = NULL; + if (!(*hash_size = ifapi_hash_get_digest_size(hash_alg))) { goto_error(r, TSS2_FAPI_RC_BAD_VALUE, "Unsupported hash algorithm (%" PRIu16 ")", cleanup, 
@@ -151,6 +153,8 @@ statecasedefault(context->policy.state); } cleanup: + ifapi_free_node_list(context->policy.eval_ctx.policy_elements); + context->policy.eval_ctx.policy_elements = NULL; context->policy.state = POLICY_INIT; return r; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tss-3.0.1/src/tss2-fapi/ifapi_policy_calculate.c new/tpm2-tss-3.0.3/src/tss2-fapi/ifapi_policy_calculate.c --- old/tpm2-tss-3.0.1/src/tss2-fapi/ifapi_policy_calculate.c 2020-03-11 12:36:05.000000000 +0100 +++ new/tpm2-tss-3.0.3/src/tss2-fapi/ifapi_policy_calculate.c 2020-11-23 11:02:14.000000000 +0100 @@ -1065,6 +1065,10 @@ memset(&nv_name, 0, sizeof(TPM2B_NAME)); + /* Written flag has to be set for policy calculation, because during + policy execution it will be set. */ + policy->nvPublic.nvPublic.attributes |= TPMA_NV_WRITTEN; + /* Compute NV name from public info */ r = ifapi_nv_get_name(&policy->nvPublic, &nv_name); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tss-3.0.1/src/tss2-fapi/ifapi_policy_callbacks.c new/tpm2-tss-3.0.3/src/tss2-fapi/ifapi_policy_callbacks.c --- old/tpm2-tss-3.0.1/src/tss2-fapi/ifapi_policy_callbacks.c 2020-09-22 14:16:50.000000000 +0200 +++ new/tpm2-tss-3.0.3/src/tss2-fapi/ifapi_policy_callbacks.c 2020-11-25 15:10:25.000000000 +0100 @@ -712,6 +712,27 @@ return TSS2_RC_SUCCESS; } +static bool +cmp_policy_ref(TPM2B_NONCE *ref1, TPM2B_NONCE *ref2) +{ + if ((!ref1 || !ref1->size) && (!ref2 || !ref2->size)) { + return true; + } + if (!ref1 || !ref1->size || !ref2 || !ref2->size) { + return false; + } + + if (ref1->size != ref2->size) { + return false; + } + + if (memcmp(&ref1->buffer[0], &ref2->buffer[0], ref1->size) != 0) { + return false; + } + + return true; +} + /** Check whether public data of key is assigned to policy. * * It will be checked whether policy was authorized by abort key with public 
@@ -719,26 +740,29 @@ * * @param[in] policy The policy to be checked. * @param[in] publicVoid The public information of the key. - * @param[in] nameAlgVoid Not used for this compare function. + * @param[in] policyReferenceVoid The policy reverence to be compared. * @param[out] equal Switch whether check was successful. */ static TSS2_RC equal_policy_authorization( TPMS_POLICY *policy, void *publicVoid, - void *nameAlgVoid, + void *policyRefVoid, bool *equal) { TPMT_PUBLIC *public = publicVoid; - (void)nameAlgVoid; + TPM2B_NONCE *policyRef = policyRefVoid; size_t i; TPML_POLICYAUTHORIZATIONS *authorizations = policy->policyAuthorizations; *equal = false; + if (authorizations) { for (i = 0; i < authorizations->count; i++) { - if (ifapi_TPMT_PUBLIC_cmp - (public, &authorizations->authorizations[i].key)) { + /* Check public information if key and policyRef */ + if (ifapi_TPMT_PUBLIC_cmp(public, &authorizations->authorizations[i].key) && + cmp_policy_ref(policyRef, + &authorizations->authorizations[i].policyRef)) { *equal = true; return TSS2_RC_SUCCESS; } @@ -1005,6 +1029,7 @@ for (i = 0; i < policy->policyAuthorizations->count; i++) { if (ifapi_TPMT_PUBLIC_cmp(public, &policy->policyAuthorizations->authorizations[i].key)) { + /* The public info was already stored in the policy. */ *signature = policy->policyAuthorizations->authorizations[i].signature; return TSS2_RC_SUCCESS; } @@ -1075,6 +1100,7 @@ TPMT_PUBLIC *key_public, TPMI_ALG_HASH hash_alg, TPM2B_DIGEST *digest, + TPM2B_NONCE *policyRef, TPMT_SIGNATURE *signature, void *userdata) { 
@@ -1113,7 +1139,7 @@ statecase(cb_ctx->cb_state, POL_CB_SEARCH_POLICY) r = search_policy(fapi_ctx, equal_policy_authorization, true, - key_public, NULL, + key_public, policyRef, ¤t_policy->policy_list); FAPI_SYNC(r, "Search policy", cleanup); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tss-3.0.1/src/tss2-fapi/ifapi_policy_callbacks.h new/tpm2-tss-3.0.3/src/tss2-fapi/ifapi_policy_callbacks.h --- old/tpm2-tss-3.0.1/src/tss2-fapi/ifapi_policy_callbacks.h 2020-09-22 14:16:18.000000000 +0200 +++ new/tpm2-tss-3.0.3/src/tss2-fapi/ifapi_policy_callbacks.h 2020-11-25 15:10:25.000000000 +0100 @@ -93,6 +93,7 @@ TPMT_PUBLIC *key_public, TPMI_ALG_HASH hash_alg, TPM2B_DIGEST *digest, + TPM2B_NONCE *policyRef, TPMT_SIGNATURE *signature, void *userdata); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tss-3.0.1/src/tss2-fapi/ifapi_policy_execute.c new/tpm2-tss-3.0.3/src/tss2-fapi/ifapi_policy_execute.c --- old/tpm2-tss-3.0.1/src/tss2-fapi/ifapi_policy_execute.c 2020-09-22 14:16:18.000000000 +0200 +++ new/tpm2-tss-3.0.3/src/tss2-fapi/ifapi_policy_execute.c 2020-11-25 15:10:25.000000000 +0100 @@ -524,6 +524,7 @@ statecasedefault(current_policy->state); } cleanup: + SAFE_FREE(current_policy->nonceTPM); SAFE_FREE(current_policy->pem_key); SAFE_FREE(signature_ossl); SAFE_FREE(current_policy->buffer); @@ -608,6 +609,7 @@ /* Execute authorized policy. */ ifapi_policyeval_EXEC_CB *cb = ¤t_policy->callbacks; r = cb->cbauthpol(&policy->keyPublic, hash_alg, &policy->approvedPolicy, + &policy->policyRef, &policy->signature, cb->cbauthpol_userdata); return_try_again(r); goto_if_error(r, "Execute authorized policy.", cleanup); 
@@ -888,7 +890,7 @@ r = Esys_PolicySecret_Finish(esys_ctx, NULL, NULL); return_try_again(r); - goto_if_error(r, "FAPI PolicyAuthorizeNV_Finish", cleanup); + goto_if_error(r, "FAPI PolicyAuthorizeNV_Finish", error_cleanup); break; statecasedefault(current_policy->state); @@ -896,6 +898,10 @@ cleanup: return r; + + error_cleanup: + SAFE_FREE(current_policy->nonceTPM); + return r; } /** Execute a policy depending on the TPM timers. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tss-3.0.1/src/tss2-fapi/ifapi_policy_execute.h new/tpm2-tss-3.0.3/src/tss2-fapi/ifapi_policy_execute.h --- old/tpm2-tss-3.0.1/src/tss2-fapi/ifapi_policy_execute.h 2020-09-22 14:16:18.000000000 +0200 +++ new/tpm2-tss-3.0.3/src/tss2-fapi/ifapi_policy_execute.h 2020-11-25 15:10:25.000000000 +0100 @@ -77,6 +77,7 @@ TPMT_PUBLIC *key_public, TPMI_ALG_HASH hash_alg, TPM2B_DIGEST *digest, + TPM2B_NONCE *policyRef, TPMT_SIGNATURE *signature, void *userdata); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tss-3.0.1/src/tss2-fapi/ifapi_policy_instantiate.c new/tpm2-tss-3.0.3/src/tss2-fapi/ifapi_policy_instantiate.c --- old/tpm2-tss-3.0.1/src/tss2-fapi/ifapi_policy_instantiate.c 2020-09-22 14:16:18.000000000 +0200 +++ new/tpm2-tss-3.0.3/src/tss2-fapi/ifapi_policy_instantiate.c 2020-11-25 15:10:25.000000000 +0100 
@@ -35,6 +35,10 @@ TSS2_RC r = TSS2_RC_SUCCESS; size_t i, j; + if (!policy) { + return_error(TSS2_FAPI_RC_GENERAL_FAILURE, "Bad policy pointer"); + } + for (i = 0; i < policy->count; i++) { if (policy->elements[i].type == POLICYOR) { /* Policy with sub policies */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tss-3.0.1/test/integration/fapi-check-wrong-paths.int.c new/tpm2-tss-3.0.3/test/integration/fapi-check-wrong-paths.int.c --- old/tpm2-tss-3.0.1/test/integration/fapi-check-wrong-paths.int.c 2020-09-22 14:16:18.000000000 +0200 +++ new/tpm2-tss-3.0.3/test/integration/fapi-check-wrong-paths.int.c 2020-11-25 15:10:25.000000000 +0100 @@ -53,7 +53,7 @@ goto error; } - if (r != TSS2_FAPI_RC_PATH_NOT_FOUND) { + if (r != TSS2_FAPI_RC_BAD_PATH) { goto_if_error(r, "Wrong return code", error); } @@ -64,7 +64,7 @@ goto error; } - if (r != TSS2_FAPI_RC_PATH_NOT_FOUND) { + if (r != TSS2_FAPI_RC_BAD_PATH) { goto_if_error(r, "Wrong return code", error); } @@ -75,7 +75,7 @@ goto error; } - if (r != TSS2_FAPI_RC_PATH_NOT_FOUND) { + if (r != TSS2_FAPI_RC_BAD_PATH) { goto_if_error(r, "Error Fapi_CreateKey", error); } @@ -86,7 +86,7 @@ goto error; } - if (r != TSS2_FAPI_RC_PATH_NOT_FOUND) { + if (r != TSS2_FAPI_RC_BAD_PATH) { goto_if_error(r, "Error Fapi_CreateNv", error); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tss-3.0.1/test/integration/fapi-get-random.int.c new/tpm2-tss-3.0.3/test/integration/fapi-get-random.int.c --- old/tpm2-tss-3.0.1/test/integration/fapi-get-random.int.c 2020-09-22 14:16:18.000000000 +0200 +++ new/tpm2-tss-3.0.3/test/integration/fapi-get-random.int.c 2020-11-25 15:10:25.000000000 +0100 @@ -42,6 +42,7 @@ size_t bytesRequested = sizeof(TPMU_HA) + 10; uint8_t *randomBytes = NULL; + r = Fapi_Provision(context, NULL, NULL, NULL); goto_if_error(r, "Error Fapi_Provision", error);
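Review bot: In the keystore source hunk `@@ -141,21 +140,21 @@` (the file whose hunks precede the ifapi_keystore.h diff) the second message is left inconsistent: the `"HE"` branch rejects `SRK`, yet it still logs `"Key EK cannot be create in the endorsement hierarchy."`, naming the wrong key and keeping the "create"/"created" typo that the first branch just fixed. Suggest `LOG_ERROR("Key SRK cannot be created in the endorsement hierarchy.");` so all three messages match the objects they reject and the new `TSS2_FAPI_RC_BAD_PATH` code they return.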
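Review bot: In the `@@ -533,16 +533,26 @@` hunk the comment above the hierarchy branch still reads "Hierarchy which should be created during provisioning could not be loaded", but that branch now returns `TSS2_FAPI_RC_PATH_NOT_FOUND` while the provisioning case is decided by the new `ifapi_check_provisioned` block above it; update the comment to describe the new split (not provisioned versus file missing) so the two return codes stay meaningful to callers. Also `provision_check_ok`, declared in the `@@ -511,6 +510,7 @@` hunk, is only ever assigned through the out parameter; initializing it to `false` at the declaration costs nothing and keeps it defined if a later change adds an exit before the call.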
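Review bot: The `@@ -603,6 +613,7 @@` hunk frees `abs_path` only under the `error_cleanup` label; the normal `return r;` immediately above is unchanged, so please confirm that on the success path `abs_path` is either stored in the keystore or released elsewhere, otherwise the leak is only fixed for the error case.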
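Review bot: In the `@@ -1183,6 +1194,11 @@` hunk the new policy-file skip returns `TSS2_FAPI_RC_TRY_AGAIN` right after `path` is taken from `pathlist[path_idx]`, and nothing in the hunk advances `key_search.path_idx`; if the caller does not increment it before re-entering, the same policy path is examined on every poll and the search never terminates. Either advance the index before the early return or add a comment pointing at where the caller does it.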
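Review bot: In the `@@ -1764,3 +1780,65 @@` hunk the profile test in `ifapi_check_provisioned` is always true: `strncmp(directory, "P_", 2) != 0 || strncmp(directory, "/P_", 2) != 0` can only be false if the string starts with both `"P_"` and `"/P_"`, which no string does, so the `else` branch ("No check needed because no profile found in the path") is dead and every path is treated as starting with a profile. The second `strncmp` also passes length 2 and therefore compares only `"/P"`. The intended condition is presumably `strncmp(directory, "P_", 2) == 0 || strncmp(directory, "/P_", 3) == 0`. Since the result of this function decides between `TSS2_FAPI_RC_NOT_PROVISIONED` and `TSS2_FAPI_RC_PATH_NOT_FOUND` in the `@@ -533,16 +533,26 @@` hunk, the condition determines which error callers receive for a missing object, so it deserves a test with a profile-less path. Minor: the Doxygen line `@param[out] ok The boolean value whether the check ok.` should say "whether the check succeeded", and `@retval TSS2_FAPI_RC_MEMORY:` carries a stray colon compared with the `@retval` line above it.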
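Review bot: The ifapi_keystore.h hunk `@@ -280,4 +280,10 @@` adds a prototype taking `bool *ok`; make sure the header includes `<stdbool.h>` (or is guaranteed to get it transitively) so that including ifapi_keystore.h on its own still compiles.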
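Review bot: The `@@ -116,6 +116,8 @@` and `@@ -151,6 +153,8 @@` hunks of ifapi_policy.c now free `policy_elements` in two places and null the pointer after each free, which is the right way to make the second free at `cleanup` safe; please confirm that `ifapi_free_node_list` accepts a NULL list and that `eval_ctx.policy_elements` is set to NULL before the first state that can jump to `cleanup`, since `cleanup` is also reached from `statecasedefault` and not only after the instantiate step.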
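Review bot: In the `@@ -1065,6 +1065,10 @@` hunk of ifapi_policy_calculate.c, `policy->nvPublic.nvPublic.attributes |= TPMA_NV_WRITTEN;` modifies the policy's stored NV public area in place rather than a copy used only for `ifapi_nv_get_name`. Setting the flag is correct for the digest, because the NV name the TPM uses after the first write includes TPMA_NV_WRITTEN and a PolicyNV digest computed over the unwritten name would never match at execution time, but the modified `nvPublic` remains in the policy object afterwards, so anything that later serializes or compares this policy sees an attribute the author did not configure. Copying `policy->nvPublic` into a local `TPM2B_NV_PUBLIC`, setting the flag on the copy and passing that to `ifapi_nv_get_name` keeps the stored policy unchanged.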
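Review bot: In the `@@ -712,6 +712,27 @@` hunk of ifapi_policy_callbacks.c, `cmp_policy_ref` passes `ref1->size` straight to `memcmp` over `buffer`; the `TPM2B_NONCE` values compared here come from policy data loaded from the keystore, so a `size` larger than `sizeof(ref1->buffer)` would read past the nonce. A bound check before the `memcmp` (return false when `ref1->size > sizeof(ref1->buffer)`) makes the comparison safe regardless of where the value was unmarshalled. Both parameters can also be `const TPM2B_NONCE *`, since nothing is written through them.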
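Review bot: In the `@@ -719,26 +740,29 @@` hunk the Doxygen for `equal_policy_authorization` documents `policyReferenceVoid` while the parameter is named `policyRefVoid`, and "The policy reverence to be compared" should read "reference"; the inline comment "Check public information if key and policyRef" should read "of key and policyRef". The added empty line after `*equal = false;` is the only other change there and can be dropped.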
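Review bot: The `@@ -1005,6 +1029,7 @@` hunk adds only a comment, but the loop it annotates still selects the signature by `ifapi_TPMT_PUBLIC_cmp(public, ...key)` alone, while `equal_policy_authorization` in the same file now also requires `cmp_policy_ref` to match. When one key authorizes several policies with different `policyRef` values, the first signature for that key is returned even if it belongs to a different policyRef; apply the same policyRef comparison here so the lookup and the search agree.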
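Review bot: The rendered text of the `@@ -1113,7 +1139,7 @@` hunk shows `¤t_policy->policy_list`, and the `@@ -608,6 +609,7 @@` hunk of ifapi_policy_execute.c shows `¤t_policy->callbacks`: that is the `&curren` HTML entity swallowing the ampersand of `&current_policy`, an artifact of how this page was produced rather than of the source, so anyone taking these hunks from this page should copy them from the tarball instead. The change itself, passing `policyRef` where `NULL` was previously handed to `search_policy`, is consistent with the new callback signature in ifapi_policy_callbacks.h and ifapi_policy_execute.h.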
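Review bot: In the `@@ -888,7 +890,7 @@` hunk of ifapi_policy_execute.c the message on the redirected `goto_if_error` still says `"FAPI PolicyAuthorizeNV_Finish"` although the call just above it is `Esys_PolicySecret_Finish`; since the line is touched anyway, change it to `"FAPI PolicySecret_Finish"` so the log names the right step. The `error_cleanup` label added in `@@ -896,6 +898,10 @@` is reached only from this one site, so any earlier failure exit in the same state machine that jumps to `cleanup` still leaks `nonceTPM` (the member that `@@ -524,6 +524,7 @@` now frees in the other function's cleanup); check the other `goto cleanup` sites in this function after `nonceTPM` is allocated.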
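Review bot: In the `@@ -35,6 +35,10 @@` hunk of ifapi_policy_instantiate.c the NULL check reports `TSS2_FAPI_RC_GENERAL_FAILURE`; FAPI otherwise uses `TSS2_FAPI_RC_BAD_REFERENCE` for NULL pointer arguments, which would let a caller tell a programming error apart from a runtime failure.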
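Review bot: In the fapi-check-wrong-paths.int.c hunks the four checks now expect `TSS2_FAPI_RC_BAD_PATH`, matching the keystore change, but the messages passed to `goto_if_error` differ ("Wrong return code" in the first two, "Error Fapi_CreateKey" and "Error Fapi_CreateNv" in the last two) for the same condition; naming the call under test in all four makes a failing run easier to read. In the fapi-get-random.int.c hunk the added `Fapi_Provision` call needs a matching `Fapi_Delete(context, "/")` in the test's cleanup so the keystore is left empty for the next test; that cleanup is outside this hunk, so please confirm it is present.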