Index: head/security/openssl_tpm_engine/Makefile =================================================================== --- head/security/openssl_tpm_engine/Makefile (revision 494465) +++ head/security/openssl_tpm_engine/Makefile (revision 494466) @@ -1,48 +1,48 @@ # Created by: Sebastian Schuetz # $FreeBSD$ PORTNAME= openssl_tpm_engine -PORTVERSION= 0.4.2 -PORTREVISION= 4 +PORTVERSION= 0.5.0 +DISTVERSIONPREFIX= v CATEGORIES= security -MASTER_SITES= SF/trousers/OpenSSL%20TPM%20Engine/${PORTVERSION} MAINTAINER= hrs@FreeBSD.org COMMENT= OpenSSL TPM engine LICENSE= OpenSSL LICENSE_FILE= ${WRKSRC}/LICENSE RUN_DEPENDS= ${LOCALBASE}/sbin/tcsd:security/trousers LIB_DEPENDS= libtspi.so:security/trousers -USES= autoreconf gmake libtool ssl +USES= autoreconf gmake libtool localbase ssl +USE_GITHUB= yes USE_LDCONFIG= yes + +GH_ACCOUNT= mgerstner GNU_CONFIGURE= yes -LDFLAGS+= -L${OPENSSLLIB} -lcrypto -L${LOCALBASE}/lib -CFLAGS+= -I${OPENSSLINC} -I${LOCALBASE}/include +CONFIGURE_ARGS= --with-openssl="${OPENSSLBASE}" SUB_FILES= pkg-message PLIST_FILES= bin/create_tpm_key \ - lib/openssl/engines/libtpm.so \ - lib/openssl/engines/libtpm.so.0 \ - lib/openssl/engines/libtpm.so.0.0.0 + lib/openssl/engines/tpm.so INSTALL_TARGET= install-strip PORTEXAMPLES= openssl.cnf.sample OPTIONS_DEFINE= EXAMPLES .include .if ${SSL_DEFAULT:Mlibressl*} IGNORE= Detected LibreSSL (RAND_METHOD structure unsupported) .endif post-patch: @${REINPLACE_CMD} 's|%%PREFIX%%|${PREFIX}|g' \ - ${WRKSRC}/openssl.cnf.sample + ${WRKSRC}/dist/openssl.cnf.sample post-install-EXAMPLES-on: @${MKDIR} ${STAGEDIR}${EXAMPLESDIR} - ${INSTALL_DATA} ${WRKSRC}/openssl.cnf.sample ${STAGEDIR}${EXAMPLESDIR} + ${INSTALL_DATA} ${WRKSRC}/dist/openssl.cnf.sample \ + ${STAGEDIR}${EXAMPLESDIR} .include Index: head/security/openssl_tpm_engine/distinfo =================================================================== --- head/security/openssl_tpm_engine/distinfo (revision 494465) +++ head/security/openssl_tpm_engine/distinfo (revision 494466) @@ -1,2 +1,3 @@ -SHA256 (openssl_tpm_engine-0.4.2.tar.gz) = 2df697e583053f7047a89daa4585e21fc67cf4397ee34ece94cf2d4b4f7ab49c -SIZE (openssl_tpm_engine-0.4.2.tar.gz) = 528196 +TIMESTAMP = 1551568882 +SHA256 (mgerstner-openssl_tpm_engine-v0.5.0_GH0.tar.gz) = 328cc0ce0c1fd816c284efb79234be6157bb995d24a5e8065750f162aa72c060 +SIZE (mgerstner-openssl_tpm_engine-v0.5.0_GH0.tar.gz) = 25305 Index: head/security/openssl_tpm_engine/files/patch-e_tpm.c =================================================================== --- head/security/openssl_tpm_engine/files/patch-e_tpm.c (revision 494465) +++ head/security/openssl_tpm_engine/files/patch-e_tpm.c (nonexistent) @@ -1,368 +0,0 @@ ---- e_tpm.c.orig 2012-09-19 17:57:45 UTC -+++ e_tpm.c -@@ -35,6 +35,7 @@ - #include - - #include // XXX DEBUG -+#include - - #include "e_tpm.h" - -@@ -55,10 +56,10 @@ static char *tpm_engine_get_auth(UI_METH - /* rsa functions */ - static int tpm_rsa_init(RSA *rsa); - static int tpm_rsa_finish(RSA *rsa); --static int tpm_rsa_pub_dec(int, const unsigned char *, unsigned char *, RSA *, int); --static int tpm_rsa_pub_enc(int, const unsigned char *, unsigned char *, RSA *, int); --static int tpm_rsa_priv_dec(int, const unsigned char *, unsigned char *, RSA *, int); --static int tpm_rsa_priv_enc(int, const unsigned char *, unsigned char *, RSA *, int); -+static int tpm_rsa_pub_dec(int, unsigned char *, unsigned char *, RSA *, int); -+static int tpm_rsa_pub_enc(int, unsigned char *, unsigned char *, RSA *, int); -+static int tpm_rsa_priv_dec(int, unsigned char *, unsigned char *, RSA *, int); -+static int tpm_rsa_priv_enc(int, unsigned char *, unsigned char *, RSA *, int); - //static int tpm_rsa_sign(int, const unsigned char *, unsigned int, unsigned char *, unsigned int *, const RSA *); - static int tpm_rsa_keygen(RSA *, int, BIGNUM *, BN_GENCB *); - #endif -@@ -72,6 +73,7 @@ static void tpm_rand_seed(const void *, - #define TPM_CMD_SO_PATH ENGINE_CMD_BASE - #define TPM_CMD_PIN ENGINE_CMD_BASE+1 - #define TPM_CMD_SECRET_MODE ENGINE_CMD_BASE+2 -+#define TPM_CMD_QUOTE ENGINE_CMD_BASE+3 - static const ENGINE_CMD_DEFN tpm_cmd_defns[] = { - {TPM_CMD_SO_PATH, - "SO_PATH", -@@ -85,6 +87,10 @@ static const ENGINE_CMD_DEFN tpm_cmd_def - "SECRET_MODE", - "The TSS secret mode for all secrets", - ENGINE_CMD_FLAG_NUMERIC}, -+ {TPM_CMD_QUOTE, -+ "QUOTE", -+ "Perform a TPM_Quote() with the given structure", -+ ENGINE_CMD_FLAG_NUMERIC}, - {0, NULL, NULL, 0} - }; - -@@ -167,6 +173,9 @@ static unsigned int (*p_tspi_Hash_SetHas - static unsigned int (*p_tspi_GetPolicyObject)(); - static unsigned int (*p_tspi_Policy_SetSecret)(); - static unsigned int (*p_tspi_Policy_AssignToObject)(); -+static unsigned int (*p_tspi_PcrComposite_SelectPcrIndex)(); -+static unsigned int (*p_tspi_TPM_Quote)(); -+static unsigned int (*p_tspi_NV_ReadValue)(); - - /* Override the real function calls to use our indirect pointers */ - #define Tspi_Context_Create p_tspi_Context_Create -@@ -193,6 +202,9 @@ static unsigned int (*p_tspi_Policy_Assi - #define Tspi_Hash_SetHashValue p_tspi_Hash_SetHashValue - #define Tspi_Policy_SetSecret p_tspi_Policy_SetSecret - #define Tspi_Policy_AssignToObject p_tspi_Policy_AssignToObject -+#define Tspi_PcrComposite_SelectPcrIndex p_tspi_PcrComposite_SelectPcrIndex -+#define Tspi_TPM_Quote p_tspi_TPM_Quote -+#define Tspi_NV_ReadValue p_tspi_NV_ReadValue - #endif /* DLOPEN_TSPI */ - - /* This internal function is used by ENGINE_tpm() and possibly by the -@@ -248,6 +260,7 @@ int tpm_load_srk(UI_METHOD *ui, void *cb - TSS_RESULT result; - UINT32 authusage; - BYTE *auth; -+ BYTE well_known[TPM_SHA1_160_HASH_LEN] = TSS_WELL_KNOWN_SECRET; - - if (hSRK != NULL_HKEY) { - DBGFN("SRK is already loaded."); -@@ -294,6 +307,7 @@ int tpm_load_srk(UI_METHOD *ui, void *cb - return 0; - } - -+ if (ui) { - if ((auth = calloc(1, 128)) == NULL) { - TSSerr(TPM_F_TPM_LOAD_SRK, ERR_R_MALLOC_FAILURE); - return 0; -@@ -319,6 +333,15 @@ int tpm_load_srk(UI_METHOD *ui, void *cb - - free(auth); - -+ } else { -+ if ((result = Tspi_Policy_SetSecret(hSRKPolicy, TSS_SECRET_MODE_SHA1, 20, well_known))) { -+ Tspi_Context_CloseObject(hContext, hSRK); -+ free(auth); -+ TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED); -+ return 0; -+ } -+ } -+ - return 1; - } - -@@ -376,7 +399,10 @@ static int tpm_engine_init(ENGINE * e) - !bind_tspi_func(tpm_dso, Context_GetTpmObject) || - !bind_tspi_func(tpm_dso, GetAttribUint32) || - !bind_tspi_func(tpm_dso, SetAttribData) || -- !bind_tspi_func(tpm_dso, Policy_AssignToObject) -+ !bind_tspi_func(tpm_dso, Policy_AssignToObject) || -+ !bind_tspi_func(tpm_dso, PcrComposite_SelectPcrIndex) || -+ !bind_tspi_func(tpm_dso, TPM_Quote) || -+ !bind_tspi_func(tpm_dso, NV_ReadValue) - ) { - TSSerr(TPM_F_TPM_ENGINE_INIT, TPM_R_DSO_FAILURE); - goto err; -@@ -438,6 +464,9 @@ err: - p_tspi_Policy_AssignToObject = NULL; - p_tspi_TPM_StirRandom = NULL; - p_tspi_TPM_GetRandom = NULL; -+ p_tspi_PcrComposite_SelectPcrIndex = NULL; -+ p_tspi_TPM_Quote = NULL; -+ p_tspi_NV_ReadValue = NULL; - #endif - return 0; - } -@@ -566,6 +595,55 @@ int fill_out_rsa_object(RSA *rsa, TSS_HK - return 1; - } - -+/* -+ * Read a keyblob from NVRAM into an OpenSSL memory BIO -+ * by Christian Holler (c.hol...@sirrix.com), Sirrix AG -+ */ -+int BIO_from_nvram(unsigned int index, unsigned int length, BIO** bio) -+{ -+ TSS_RESULT result; -+ TSS_HNVSTORE hNVStore; -+ BYTE *dataRead = NULL; -+ -+ //unsigned int blobLength = 559; -+ -+ BIO *mem = BIO_new(BIO_s_mem()); -+ -+ /* Create TPM NV object */ -+ result = p_tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_NV, 0, -+ &hNVStore); -+ -+ if (result != TSS_SUCCESS) { -+ TSSerr(TPM_F_TPM_BIO_FROM_NVRAM, -+ TPM_R_REQUEST_FAILED); -+ return 0; -+ } -+ -+ /* Set the index to be read */ -+ result = p_tspi_SetAttribUint32(hNVStore, TSS_TSPATTRIB_NV_INDEX, 0, -+ (UINT32) index); -+ -+ if (result != TSS_SUCCESS) { -+ TSSerr(TPM_F_TPM_BIO_FROM_NVRAM, -+ TPM_R_REQUEST_FAILED); -+ return 0; -+ } -+ -+ result = p_tspi_NV_ReadValue(hNVStore, 0, &length, &dataRead); -+ BIO_write(mem, dataRead, length); -+ p_tspi_Context_FreeMemory(hContext, dataRead); -+ -+ if (result != TSS_SUCCESS ) { -+ TSSerr(TPM_F_TPM_BIO_FROM_NVRAM, -+ TPM_R_REQUEST_FAILED); -+ return 0; -+ } -+ -+ *bio = mem; -+ -+ return 1; -+} -+ - static EVP_PKEY *tpm_engine_load_key(ENGINE *e, const char *key_id, - UI_METHOD *ui, void *cb_data) - { -@@ -580,7 +658,7 @@ static EVP_PKEY *tpm_engine_load_key(ENG - - DBG("%s", __FUNCTION__); - -- if (!key_id) { -+ if (!key_id && !cb_data) { - TSSerr(TPM_F_TPM_ENGINE_LOAD_KEY, ERR_R_PASSED_NULL_PARAMETER); - return NULL; - } -@@ -590,17 +668,27 @@ static EVP_PKEY *tpm_engine_load_key(ENG - return NULL; - } - -+ if (cb_data) { -+ struct nvram_request *nvreq = cb_data; -+ -+ if (!BIO_from_nvram(nvreq->index, nvreq->length, &bf)) { -+ TSSerr(TPM_F_TPM_ENGINE_LOAD_KEY, -+ TPM_R_NVRAM_FAILED); -+ return NULL; -+ } -+ } else { - if ((bf = BIO_new_file(key_id, "r")) == NULL) { - TSSerr(TPM_F_TPM_ENGINE_LOAD_KEY, -- TPM_R_FILE_NOT_FOUND); -+ TPM_R_FILE_NOT_FOUND); - return NULL; - } -+ } - - blobstr = PEM_ASN1_read_bio((void *)d2i_ASN1_OCTET_STRING, - "TSS KEY BLOB", bf, NULL, NULL, NULL); - if (!blobstr) { - TSSerr(TPM_F_TPM_ENGINE_LOAD_KEY, -- TPM_R_FILE_READ_FAILED); -+ TPM_R_FILE_READ_FAILED); - BIO_free(bf); - return NULL; - } -@@ -611,7 +699,7 @@ static EVP_PKEY *tpm_engine_load_key(ENG - blobstr->length, - blobstr->data, &hKey))) { - TSSerr(TPM_F_TPM_ENGINE_LOAD_KEY, -- TPM_R_REQUEST_FAILED); -+ TPM_R_REQUEST_FAILED); - return NULL; - } - ASN1_OCTET_STRING_free(blobstr); -@@ -621,7 +709,7 @@ static EVP_PKEY *tpm_engine_load_key(ENG - &authusage))) { - Tspi_Context_CloseObject(hContext, hKey); - TSSerr(TPM_F_TPM_ENGINE_LOAD_KEY, -- TPM_R_REQUEST_FAILED); -+ TPM_R_REQUEST_FAILED); - return NULL; - } - -@@ -726,7 +814,7 @@ static int tpm_create_srk_policy(void *s - TSS_POLICY_USAGE, - &hSRKPolicy))) { - TSSerr(TPM_F_TPM_CREATE_SRK_POLICY, -- TPM_R_REQUEST_FAILED); -+ TPM_R_REQUEST_FAILED); - return 0; - } - } -@@ -740,6 +828,70 @@ static int tpm_create_srk_policy(void *s - return 1; - } - -+static int tpm_quote(void* p) { -+ TSS_RESULT result; -+ TSS_HPCRS hPcrComposite; -+ TSS_VALIDATION tssVal; -+ -+ unsigned int i = 0; -+ -+ struct quote_request *request = p; -+ -+ struct rsa_app_data *app_data = RSA_get_ex_data(request->rsa, ex_app_data); -+ -+ /* No app_data, this is not a TPM Key and we cannot use it for quote */ -+ if (!app_data) { -+ return 0; -+ } -+ -+ /* Key is invalid */ -+ if (app_data->hKey == NULL_HKEY) { -+ TSSerr(TPM_F_TPM_QUOTE, TPM_R_INVALID_KEY); -+ return 0; -+ } -+ -+ /* Set up PcrComposite Structure, this is a set -+ * of PCRs which will be used for the quote */ -+ result = -+ p_tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_PCRS, -+ TSS_PCRS_STRUCT_INFO, &hPcrComposite); -+ if (result != TSS_SUCCESS) { -+ TSSerr(TPM_F_TPM_QUOTE, TPM_R_REQUEST_FAILED); -+ return 0; -+ } -+ -+ /* Add all PCR values to be used to PcrComposite structure */ -+ for (i = 0; i < request->PCRSelLength; i++) { -+ if (request->PCRSel[i]) { -+ result = p_tspi_PcrComposite_SelectPcrIndex(hPcrComposite, i); -+ -+ if (result != TSS_SUCCESS) { -+ TSSerr(TPM_F_TPM_QUOTE, TPM_R_REQUEST_FAILED); -+ return 0; -+ } -+ } -+ } -+ -+ /* Set the nonce */ -+ tssVal.rgbExternalData = request->nonce; -+ tssVal.ulExternalDataLength = SHA_DIGEST_LENGTH; -+ -+ result = p_tspi_TPM_Quote(hTPM, app_data->hKey, hPcrComposite, &tssVal); -+ -+ if (result != TSS_SUCCESS) { -+ TSSerr(TPM_F_TPM_QUOTE, TPM_R_REQUEST_FAILED); -+ return 0; -+ } -+ -+ request->rgbData = tssVal.rgbData; -+ request->ulValidationDataLength = tssVal.ulValidationDataLength; -+ request->rgbValidationData = tssVal.rgbValidationData; -+ -+ p_tspi_Context_CloseObject(hContext, hPcrComposite); -+ -+ return 1; -+} -+ - static int tpm_engine_ctrl(ENGINE * e, int cmd, long i, void *p, void (*f) ()) - { - int initialised = !!hContext; -@@ -778,6 +930,8 @@ static int tpm_engine_ctrl(ENGINE * e, i - return 1; - case TPM_CMD_PIN: - return tpm_create_srk_policy(p); -+ case TPM_CMD_QUOTE: -+ return tpm_quote(p); - default: - break; - } -@@ -832,7 +986,7 @@ static int tpm_rsa_finish(RSA *rsa) - } - - static int tpm_rsa_pub_dec(int flen, -- const unsigned char *from, -+ unsigned char *from, - unsigned char *to, - RSA *rsa, - int padding) -@@ -851,7 +1005,7 @@ static int tpm_rsa_pub_dec(int flen, - } - - static int tpm_rsa_priv_dec(int flen, -- const unsigned char *from, -+ unsigned char *from, - unsigned char *to, - RSA *rsa, - int padding) -@@ -928,7 +1082,7 @@ static int tpm_rsa_priv_dec(int flen, - } - - static int tpm_rsa_pub_enc(int flen, -- const unsigned char *from, -+ unsigned char *from, - unsigned char *to, - RSA *rsa, - int padding) -@@ -1035,7 +1189,7 @@ static int tpm_rsa_pub_enc(int flen, - } - - static int tpm_rsa_priv_enc(int flen, -- const unsigned char *from, -+ unsigned char *from, - unsigned char *to, - RSA *rsa, - int padding) -@@ -1080,7 +1234,10 @@ static int tpm_rsa_priv_enc(int flen, - } - - if (app_data->sigScheme == TSS_SS_RSASSAPKCS1V15_SHA1) { -- if (flen != SHA_DIGEST_LENGTH) { -+ if (flen == SHA_DIGEST_LENGTH+15) { -+ from += 15; -+ flen = SHA_DIGEST_LENGTH; -+ } else if (flen != SHA_DIGEST_LENGTH) { - TSSerr(TPM_F_TPM_RSA_PRIV_ENC, TPM_R_INVALID_MSG_SIZE); - return 0; - } Property changes on: head/security/openssl_tpm_engine/files/patch-e_tpm.c ___________________________________________________________________ Deleted: fbsd:nokeywords ## -1 +0,0 ## -yes \ No newline at end of property Deleted: svn:eol-style ## -1 +0,0 ## -native \ No newline at end of property Deleted: svn:mime-type ## -1 +0,0 ## -text/plain \ No newline at end of property Index: head/security/openssl_tpm_engine/files/patch-e_tpm.h =================================================================== --- head/security/openssl_tpm_engine/files/patch-e_tpm.h (revision 494465) +++ head/security/openssl_tpm_engine/files/patch-e_tpm.h (nonexistent) @@ -1,47 +0,0 @@ -http://sourceforge.net/mailarchive/message.php?msg_name=4C0E2D48.20803%40sirrix.com - ---- e_tpm.h.orig 2012-09-12 15:32:53 UTC -+++ e_tpm.h -@@ -66,6 +66,8 @@ void ERR_TSS_error(int function, int rea - #define TPM_F_TPM_FILL_RSA_OBJECT 116 - #define TPM_F_TPM_ENGINE_GET_AUTH 117 - #define TPM_F_TPM_CREATE_SRK_POLICY 118 -+#define TPM_F_TPM_BIO_FROM_NVRAM 119 -+#define TPM_F_TPM_QUOTE 120 - - /* Reason codes. */ - #define TPM_R_ALREADY_LOADED 100 -@@ -96,6 +98,7 @@ void ERR_TSS_error(int function, int rea - #define TPM_R_ID_INVALID 125 - #define TPM_R_UI_METHOD_FAILED 126 - #define TPM_R_UNKNOWN_SECRET_MODE 127 -+#define TPM_R_NVRAM_FAILED 128 - - /* structure pointed to by the RSA object's app_data pointer */ - struct rsa_app_data -@@ -107,6 +110,25 @@ struct rsa_app_data - UINT32 sigScheme; - }; - -+/* Added by c.hol...@sirrix.com */ -+struct quote_request -+{ -+ RSA* rsa; -+ unsigned int PCRSel[256]; -+ unsigned int PCRSelLength; -+ const unsigned char* nonce; -+ unsigned int nonceLen; -+ unsigned char* rgbData; -+ unsigned int ulValidationDataLength; -+ unsigned char* rgbValidationData; -+}; -+ -+struct nvram_request -+{ -+ unsigned int index; -+ unsigned int length; -+}; -+ - #define TPM_ENGINE_EX_DATA_UNINIT -1 - #define RSA_PKCS1_OAEP_PADDING_SIZE (2 * SHA_DIGEST_LENGTH + 2) - Property changes on: head/security/openssl_tpm_engine/files/patch-e_tpm.h ___________________________________________________________________ Deleted: fbsd:nokeywords ## -1 +0,0 ## -yes \ No newline at end of property Deleted: svn:eol-style ## -1 +0,0 ## -native \ No newline at end of property Deleted: svn:mime-type ## -1 +0,0 ## -text/plain \ No newline at end of property Index: head/security/openssl_tpm_engine/files/patch-openssl.cnf.sample =================================================================== --- head/security/openssl_tpm_engine/files/patch-openssl.cnf.sample (revision 494465) +++ head/security/openssl_tpm_engine/files/patch-openssl.cnf.sample (nonexistent) @@ -1,11 +0,0 @@ ---- openssl.cnf.sample.orig 2012-09-19 17:56:45 UTC -+++ openssl.cnf.sample -@@ -18,7 +18,7 @@ engines = engine_section - foo = tpm_section - - [tpm_section] --dynamic_path = /usr/local/ssl/lib/engines/libtpm.so -+dynamic_path = %%PREFIX%%/lib/openssl/engines/libtpm.so - engine_id = tpm - default_algorithms = ALL - #default_algorithms = RAND,RSA Property changes on: head/security/openssl_tpm_engine/files/patch-openssl.cnf.sample ___________________________________________________________________ Deleted: fbsd:nokeywords ## -1 +0,0 ## -yes \ No newline at end of property Deleted: svn:eol-style ## -1 +0,0 ## -native \ No newline at end of property Deleted: svn:mime-type ## -1 +0,0 ## -text/plain \ No newline at end of property Index: head/security/openssl_tpm_engine/files/patch-e_tpm_err.c =================================================================== --- head/security/openssl_tpm_engine/files/patch-e_tpm_err.c (revision 494465) +++ head/security/openssl_tpm_engine/files/patch-e_tpm_err.c (nonexistent) @@ -1,20 +0,0 @@ -http://sourceforge.net/mailarchive/message.php?msg_name=4C0E2D48.20803%40sirrix.com - ---- e_tpm_err.c.orig 2011-01-20 18:24:04 UTC -+++ e_tpm_err.c -@@ -235,6 +235,7 @@ static ERR_STRING_DATA TPM_str_functs[] - {ERR_PACK(0, TPM_F_TPM_BIND_FN, 0), "TPM_BIND_FN"}, - {ERR_PACK(0, TPM_F_TPM_FILL_RSA_OBJECT, 0), "TPM_FILL_RSA_OBJECT"}, - {ERR_PACK(0, TPM_F_TPM_ENGINE_GET_AUTH, 0), "TPM_ENGINE_GET_AUTH"}, -+ {ERR_PACK(0, TPM_F_TPM_BIO_FROM_NVRAM, 0), "TPM_BIO_FROM_NVRAM"}, - {0, NULL} - }; - -@@ -265,6 +266,7 @@ static ERR_STRING_DATA TPM_str_reasons[] - {TPM_R_FILE_READ_FAILED, "failed reading the key file"}, - {TPM_R_ID_INVALID, "engine id doesn't match"}, - {TPM_R_UI_METHOD_FAILED, "ui function failed"}, -+ {TPM_R_NVRAM_FAILED, "nvram failure"}, - {0, NULL} - }; - Property changes on: head/security/openssl_tpm_engine/files/patch-e_tpm_err.c ___________________________________________________________________ Deleted: fbsd:nokeywords ## -1 +0,0 ## -yes \ No newline at end of property Deleted: svn:eol-style ## -1 +0,0 ## -native \ No newline at end of property Deleted: svn:mime-type ## -1 +0,0 ## -text/plain \ No newline at end of property Index: head/security/openssl_tpm_engine/files/patch-dist-openssl.cnf.sample =================================================================== --- head/security/openssl_tpm_engine/files/patch-dist-openssl.cnf.sample (nonexistent) +++ head/security/openssl_tpm_engine/files/patch-dist-openssl.cnf.sample (revision 494466) @@ -0,0 +1,11 @@ +--- dist/openssl.cnf.sample.orig 2017-12-18 15:45:34 UTC ++++ dist/openssl.cnf.sample +@@ -18,7 +18,7 @@ engines = engine_section + foo = tpm_section + + [tpm_section] +-dynamic_path = /usr/local/ssl/lib/engines/libtpm.so ++dynamic_path = %%PREFIX%%/lib/openssl/engines/tpm.so + engine_id = tpm + default_algorithms = ALL + #default_algorithms = RAND,RSA Property changes on: head/security/openssl_tpm_engine/files/patch-dist-openssl.cnf.sample ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: head/security/openssl_tpm_engine/files/patch-src-e_tpm.c =================================================================== --- head/security/openssl_tpm_engine/files/patch-src-e_tpm.c (nonexistent) +++ head/security/openssl_tpm_engine/files/patch-src-e_tpm.c (revision 494466) @@ -0,0 +1,368 @@ +--- src/e_tpm.c.orig 2017-12-18 15:45:34 UTC ++++ src/e_tpm.c +@@ -34,6 +34,7 @@ + #include + + #include // XXX DEBUG ++#include + + #include "e_tpm.h" + #include "ssl_compat.h" +@@ -55,10 +56,10 @@ static char *tpm_engine_get_auth(UI_METHOD *, char *, + /* rsa functions */ + static int tpm_rsa_init(RSA *rsa); + static int tpm_rsa_finish(RSA *rsa); +-static int tpm_rsa_pub_dec(int, const unsigned char *, unsigned char *, RSA *, int); +-static int tpm_rsa_pub_enc(int, const unsigned char *, unsigned char *, RSA *, int); +-static int tpm_rsa_priv_dec(int, const unsigned char *, unsigned char *, RSA *, int); +-static int tpm_rsa_priv_enc(int, const unsigned char *, unsigned char *, RSA *, int); ++static int tpm_rsa_pub_dec(int, unsigned char *, unsigned char *, RSA *, int); ++static int tpm_rsa_pub_enc(int, unsigned char *, unsigned char *, RSA *, int); ++static int tpm_rsa_priv_dec(int, unsigned char *, unsigned char *, RSA *, int); ++static int tpm_rsa_priv_enc(int, unsigned char *, unsigned char *, RSA *, int); + //static int tpm_rsa_sign(int, const unsigned char *, unsigned int, unsigned char *, unsigned int *, const RSA *); + static int tpm_rsa_keygen(RSA *, int, BIGNUM *, BN_GENCB *); + #endif +@@ -72,6 +73,7 @@ static RAND_SEED_RET_TYPE tpm_rand_seed(const void *, + #define TPM_CMD_SO_PATH ENGINE_CMD_BASE + #define TPM_CMD_PIN ENGINE_CMD_BASE+1 + #define TPM_CMD_SECRET_MODE ENGINE_CMD_BASE+2 ++#define TPM_CMD_QUOTE ENGINE_CMD_BASE+3 + static const ENGINE_CMD_DEFN tpm_cmd_defns[] = { + {TPM_CMD_SO_PATH, + "SO_PATH", +@@ -85,6 +87,10 @@ static const ENGINE_CMD_DEFN tpm_cmd_defns[] = { + "SECRET_MODE", + "The TSS secret mode for all secrets", + ENGINE_CMD_FLAG_NUMERIC}, ++ {TPM_CMD_QUOTE, ++ "QUOTE", ++ "Perform a TPM_Quote() with the given structure", ++ ENGINE_CMD_FLAG_NUMERIC}, + {0, NULL, NULL, 0} + }; + +@@ -151,6 +157,9 @@ static unsigned int (*p_tspi_Hash_SetHashValue)(); + static unsigned int (*p_tspi_GetPolicyObject)(); + static unsigned int (*p_tspi_Policy_SetSecret)(); + static unsigned int (*p_tspi_Policy_AssignToObject)(); ++static unsigned int (*p_tspi_PcrComposite_SelectPcrIndex)(); ++static unsigned int (*p_tspi_TPM_Quote)(); ++static unsigned int (*p_tspi_NV_ReadValue)(); + + /* Override the real function calls to use our indirect pointers */ + #define Tspi_Context_Create p_tspi_Context_Create +@@ -177,6 +186,9 @@ static unsigned int (*p_tspi_Policy_AssignToObject)(); + #define Tspi_Hash_SetHashValue p_tspi_Hash_SetHashValue + #define Tspi_Policy_SetSecret p_tspi_Policy_SetSecret + #define Tspi_Policy_AssignToObject p_tspi_Policy_AssignToObject ++#define Tspi_PcrComposite_SelectPcrIndex p_tspi_PcrComposite_SelectPcrIndex ++#define Tspi_TPM_Quote p_tspi_TPM_Quote ++#define Tspi_NV_ReadValue p_tspi_NV_ReadValue + #endif /* DLOPEN_TSPI */ + + static int setup_rsa_method() +@@ -262,6 +274,7 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data) + TSS_RESULT result; + UINT32 authusage; + BYTE *auth; ++ BYTE well_known[TPM_SHA1_160_HASH_LEN] = TSS_WELL_KNOWN_SECRET; + + if (hSRK != NULL_HKEY) { + DBGFN("SRK is already loaded."); +@@ -308,6 +321,7 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data) + return 0; + } + ++ if (ui) { + if ((auth = calloc(1, 128)) == NULL) { + TSSerr(TPM_F_TPM_LOAD_SRK, ERR_R_MALLOC_FAILURE); + return 0; +@@ -333,6 +347,15 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data) + + free(auth); + ++ } else { ++ if ((result = Tspi_Policy_SetSecret(hSRKPolicy, TSS_SECRET_MODE_SHA1, 20, well_known))) { ++ Tspi_Context_CloseObject(hContext, hSRK); ++ free(auth); ++ TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED); ++ return 0; ++ } ++ } ++ + return 1; + } + +@@ -390,7 +413,10 @@ static int tpm_engine_init(ENGINE * e) + !bind_tspi_func(tpm_dso, Context_GetTpmObject) || + !bind_tspi_func(tpm_dso, GetAttribUint32) || + !bind_tspi_func(tpm_dso, SetAttribData) || +- !bind_tspi_func(tpm_dso, Policy_AssignToObject) ++ !bind_tspi_func(tpm_dso, Policy_AssignToObject) || ++ !bind_tspi_func(tpm_dso, PcrComposite_SelectPcrIndex) || ++ !bind_tspi_func(tpm_dso, TPM_Quote) || ++ !bind_tspi_func(tpm_dso, NV_ReadValue) + ) { + TSSerr(TPM_F_TPM_ENGINE_INIT, TPM_R_DSO_FAILURE); + goto err; +@@ -452,6 +478,9 @@ err: + p_tspi_Policy_AssignToObject = NULL; + p_tspi_TPM_StirRandom = NULL; + p_tspi_TPM_GetRandom = NULL; ++ p_tspi_PcrComposite_SelectPcrIndex = NULL; ++ p_tspi_TPM_Quote = NULL; ++ p_tspi_NV_ReadValue = NULL; + #endif + return 0; + } +@@ -590,6 +619,55 @@ err: + return 0; + } + ++/* ++ * Read a keyblob from NVRAM into an OpenSSL memory BIO ++ * by Christian Holler (c.hol...@sirrix.com), Sirrix AG ++ */ ++int BIO_from_nvram(unsigned int index, unsigned int length, BIO** bio) ++{ ++ TSS_RESULT result; ++ TSS_HNVSTORE hNVStore; ++ BYTE *dataRead = NULL; ++ ++ //unsigned int blobLength = 559; ++ ++ BIO *mem = BIO_new(BIO_s_mem()); ++ ++ /* Create TPM NV object */ ++ result = p_tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_NV, 0, ++ &hNVStore); ++ ++ if (result != TSS_SUCCESS) { ++ TSSerr(TPM_F_TPM_BIO_FROM_NVRAM, ++ TPM_R_REQUEST_FAILED); ++ return 0; ++ } ++ ++ /* Set the index to be read */ ++ result = p_tspi_SetAttribUint32(hNVStore, TSS_TSPATTRIB_NV_INDEX, 0, ++ (UINT32) index); ++ ++ if (result != TSS_SUCCESS) { ++ TSSerr(TPM_F_TPM_BIO_FROM_NVRAM, ++ TPM_R_REQUEST_FAILED); ++ return 0; ++ } ++ ++ result = p_tspi_NV_ReadValue(hNVStore, 0, &length, &dataRead); ++ BIO_write(mem, dataRead, length); ++ p_tspi_Context_FreeMemory(hContext, dataRead); ++ ++ if (result != TSS_SUCCESS ) { ++ TSSerr(TPM_F_TPM_BIO_FROM_NVRAM, ++ TPM_R_REQUEST_FAILED); ++ return 0; ++ } ++ ++ *bio = mem; ++ ++ return 1; ++} ++ + static EVP_PKEY *tpm_engine_load_key(ENGINE *e, const char *key_id, + UI_METHOD *ui, void *cb_data) + { +@@ -604,7 +682,7 @@ static EVP_PKEY *tpm_engine_load_key(ENGINE *e, const + + DBG("%s", __FUNCTION__); + +- if (!key_id) { ++ if (!key_id && !cb_data) { + TSSerr(TPM_F_TPM_ENGINE_LOAD_KEY, ERR_R_PASSED_NULL_PARAMETER); + return NULL; + } +@@ -614,17 +692,27 @@ static EVP_PKEY *tpm_engine_load_key(ENGINE *e, const + return NULL; + } + ++ if (cb_data) { ++ struct nvram_request *nvreq = cb_data; ++ ++ if (!BIO_from_nvram(nvreq->index, nvreq->length, &bf)) { ++ TSSerr(TPM_F_TPM_ENGINE_LOAD_KEY, ++ TPM_R_NVRAM_FAILED); ++ return NULL; ++ } ++ } else { + if ((bf = BIO_new_file(key_id, "r")) == NULL) { + TSSerr(TPM_F_TPM_ENGINE_LOAD_KEY, +- TPM_R_FILE_NOT_FOUND); ++ TPM_R_FILE_NOT_FOUND); + return NULL; + } ++ } + + blobstr = PEM_ASN1_read_bio((void *)d2i_ASN1_OCTET_STRING, + "TSS KEY BLOB", bf, NULL, NULL, NULL); + if (!blobstr) { + TSSerr(TPM_F_TPM_ENGINE_LOAD_KEY, +- TPM_R_FILE_READ_FAILED); ++ TPM_R_FILE_READ_FAILED); + BIO_free(bf); + return NULL; + } +@@ -635,7 +723,7 @@ static EVP_PKEY *tpm_engine_load_key(ENGINE *e, const + blobstr->length, + blobstr->data, &hKey))) { + TSSerr(TPM_F_TPM_ENGINE_LOAD_KEY, +- TPM_R_REQUEST_FAILED); ++ TPM_R_REQUEST_FAILED); + return NULL; + } + ASN1_OCTET_STRING_free(blobstr); +@@ -645,7 +733,7 @@ static EVP_PKEY *tpm_engine_load_key(ENGINE *e, const + &authusage))) { + Tspi_Context_CloseObject(hContext, hKey); + TSSerr(TPM_F_TPM_ENGINE_LOAD_KEY, +- TPM_R_REQUEST_FAILED); ++ TPM_R_REQUEST_FAILED); + return NULL; + } + +@@ -747,7 +835,7 @@ static int tpm_create_srk_policy(void *secret) + TSS_POLICY_USAGE, + &hSRKPolicy))) { + TSSerr(TPM_F_TPM_CREATE_SRK_POLICY, +- TPM_R_REQUEST_FAILED); ++ TPM_R_REQUEST_FAILED); + return 0; + } + } +@@ -761,6 +849,70 @@ static int tpm_create_srk_policy(void *secret) + return 1; + } + ++static int tpm_quote(void* p) { ++ TSS_RESULT result; ++ TSS_HPCRS hPcrComposite; ++ TSS_VALIDATION tssVal; ++ ++ unsigned int i = 0; ++ ++ struct quote_request *request = p; ++ ++ struct rsa_app_data *app_data = RSA_get_ex_data(request->rsa, ex_app_data); ++ ++ /* No app_data, this is not a TPM Key and we cannot use it for quote */ ++ if (!app_data) { ++ return 0; ++ } ++ ++ /* Key is invalid */ ++ if (app_data->hKey == NULL_HKEY) { ++ TSSerr(TPM_F_TPM_QUOTE, TPM_R_INVALID_KEY); ++ return 0; ++ } ++ ++ /* Set up PcrComposite Structure, this is a set ++ * of PCRs which will be used for the quote */ ++ result = ++ p_tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_PCRS, ++ TSS_PCRS_STRUCT_INFO, &hPcrComposite); ++ if (result != TSS_SUCCESS) { ++ TSSerr(TPM_F_TPM_QUOTE, TPM_R_REQUEST_FAILED); ++ return 0; ++ } ++ ++ /* Add all PCR values to be used to PcrComposite structure */ ++ for (i = 0; i < request->PCRSelLength; i++) { ++ if (request->PCRSel[i]) { ++ result = p_tspi_PcrComposite_SelectPcrIndex(hPcrComposite, i); ++ ++ if (result != TSS_SUCCESS) { ++ TSSerr(TPM_F_TPM_QUOTE, TPM_R_REQUEST_FAILED); ++ return 0; ++ } ++ } ++ } ++ ++ /* Set the nonce */ ++ tssVal.rgbExternalData = request->nonce; ++ tssVal.ulExternalDataLength = SHA_DIGEST_LENGTH; ++ ++ result = p_tspi_TPM_Quote(hTPM, app_data->hKey, hPcrComposite, &tssVal); ++ ++ if (result != TSS_SUCCESS) { ++ TSSerr(TPM_F_TPM_QUOTE, TPM_R_REQUEST_FAILED); ++ return 0; ++ } ++ ++ request->rgbData = tssVal.rgbData; ++ request->ulValidationDataLength = tssVal.ulValidationDataLength; ++ request->rgbValidationData = tssVal.rgbValidationData; ++ ++ p_tspi_Context_CloseObject(hContext, hPcrComposite); ++ ++ return 1; ++} ++ + static int tpm_engine_ctrl(ENGINE * e, int cmd, long i, void *p, void (*f) ()) + { + int initialised = !!hContext; +@@ -799,6 +951,8 @@ static int tpm_engine_ctrl(ENGINE * e, int cmd, long i + return 1; + case TPM_CMD_PIN: + return tpm_create_srk_policy(p); ++ case TPM_CMD_QUOTE: ++ return tpm_quote(p); + default: + break; + } +@@ -853,7 +1007,7 @@ static int tpm_rsa_finish(RSA *rsa) + } + + static int tpm_rsa_pub_dec(int flen, +- const unsigned char *from, ++ unsigned char *from, + unsigned char *to, + RSA *rsa, + int padding) +@@ -872,7 +1026,7 @@ static int tpm_rsa_pub_dec(int flen, + } + + static int tpm_rsa_priv_dec(int flen, +- const unsigned char *from, ++ unsigned char *from, + unsigned char *to, + RSA *rsa, + int padding) +@@ -949,7 +1103,7 @@ static int tpm_rsa_priv_dec(int flen, + } + + static int tpm_rsa_pub_enc(int flen, +- const unsigned char *from, ++ unsigned char *from, + unsigned char *to, + RSA *rsa, + int padding) +@@ -1056,7 +1210,7 @@ static int tpm_rsa_pub_enc(int flen, + } + + static int tpm_rsa_priv_enc(int flen, +- const unsigned char *from, ++ unsigned char *from, + unsigned char *to, + RSA *rsa, + int padding) +@@ -1101,7 +1255,10 @@ static int tpm_rsa_priv_enc(int flen, + } + + if (app_data->sigScheme == TSS_SS_RSASSAPKCS1V15_SHA1) { +- if (flen != SHA_DIGEST_LENGTH) { ++ if (flen == SHA_DIGEST_LENGTH+15) { ++ from += 15; ++ flen = SHA_DIGEST_LENGTH; ++ } else if (flen != SHA_DIGEST_LENGTH) { + TSSerr(TPM_F_TPM_RSA_PRIV_ENC, TPM_R_INVALID_MSG_SIZE); + return 0; + } Property changes on: head/security/openssl_tpm_engine/files/patch-src-e_tpm.c ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: head/security/openssl_tpm_engine/files/patch-src-e_tpm.h =================================================================== --- head/security/openssl_tpm_engine/files/patch-src-e_tpm.h (nonexistent) +++ head/security/openssl_tpm_engine/files/patch-src-e_tpm.h (revision 494466) @@ -0,0 +1,45 @@ +--- src/e_tpm.h.orig 2017-12-18 15:45:34 UTC ++++ src/e_tpm.h +@@ -66,6 +66,8 @@ void ERR_TSS_error(int function, int reason, char *fil + #define TPM_F_TPM_FILL_RSA_OBJECT 116 + #define TPM_F_TPM_ENGINE_GET_AUTH 117 + #define TPM_F_TPM_CREATE_SRK_POLICY 118 ++#define TPM_F_TPM_BIO_FROM_NVRAM 119 ++#define TPM_F_TPM_QUOTE 120 + + /* Reason codes. */ + #define TPM_R_ALREADY_LOADED 100 +@@ -96,6 +98,7 @@ void ERR_TSS_error(int function, int reason, char *fil + #define TPM_R_ID_INVALID 125 + #define TPM_R_UI_METHOD_FAILED 126 + #define TPM_R_UNKNOWN_SECRET_MODE 127 ++#define TPM_R_NVRAM_FAILED 128 + + /* structure pointed to by the RSA object's app_data pointer */ + struct rsa_app_data +@@ -105,6 +108,25 @@ struct rsa_app_data + TSS_HENCDATA hEncData; + UINT32 encScheme; + UINT32 sigScheme; ++}; ++ ++/* Added by c.hol...@sirrix.com */ ++struct quote_request ++{ ++ RSA* rsa; ++ unsigned int PCRSel[256]; ++ unsigned int PCRSelLength; ++ const unsigned char* nonce; ++ unsigned int nonceLen; ++ unsigned char* rgbData; ++ unsigned int ulValidationDataLength; ++ unsigned char* rgbValidationData; ++}; ++ ++struct nvram_request ++{ ++ unsigned int index; ++ unsigned int length; + }; + + #define TPM_ENGINE_EX_DATA_UNINIT -1 Property changes on: head/security/openssl_tpm_engine/files/patch-src-e_tpm.h ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: head/security/openssl_tpm_engine/files/patch-src-e_tpm_err.c =================================================================== --- head/security/openssl_tpm_engine/files/patch-src-e_tpm_err.c (nonexistent) +++ head/security/openssl_tpm_engine/files/patch-src-e_tpm_err.c (revision 494466) @@ -0,0 +1,18 @@ +--- src/e_tpm_err.c.orig 2017-12-18 15:45:34 UTC ++++ src/e_tpm_err.c +@@ -234,6 +234,7 @@ static ERR_STRING_DATA TPM_str_functs[] = { + {ERR_PACK(0, TPM_F_TPM_BIND_FN, 0), "TPM_BIND_FN"}, + {ERR_PACK(0, TPM_F_TPM_FILL_RSA_OBJECT, 0), "TPM_FILL_RSA_OBJECT"}, + {ERR_PACK(0, TPM_F_TPM_ENGINE_GET_AUTH, 0), "TPM_ENGINE_GET_AUTH"}, ++ {ERR_PACK(0, TPM_F_TPM_BIO_FROM_NVRAM, 0), "TPM_BIO_FROM_NVRAM"}, + {0, NULL} + }; + +@@ -264,6 +265,7 @@ static ERR_STRING_DATA TPM_str_reasons[] = { + {TPM_R_FILE_READ_FAILED, "failed reading the key file"}, + {TPM_R_ID_INVALID, "engine id doesn't match"}, + {TPM_R_UI_METHOD_FAILED, "ui function failed"}, ++ {TPM_R_NVRAM_FAILED, "nvram failure"}, + {0, NULL} + }; + Property changes on: head/security/openssl_tpm_engine/files/patch-src-e_tpm_err.c ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: head/security/openssl_tpm_engine/pkg-descr =================================================================== --- head/security/openssl_tpm_engine/pkg-descr (revision 494465) +++ head/security/openssl_tpm_engine/pkg-descr (revision 494466) @@ -1,3 +1,8 @@ -This package contains 2 sets of code, a command-line utility used to -generate a TSS key blob and write it to disk and an OpenSSL engine -which interfaces with the TSS API. +This is a forked version of OpenSSL TPM engine from the original +upstream, TrouSerS project. + +This package contains two sets of code, a command-line utility used to +generate a TSS key blob and write it to disk and an OpenSSL engine which +interfaces with the TSS API. + +WWW: https://github.com/mgerstner/openssl_tpm_engine