Update to v0.5.0 which supports OpenSSL 1.0.x/1.1.x.

This is a forked version of OpenSSL TPM engine from the original
upstream, TrouSerS project.

1 files changed, 368 insertions, 0 deletions

diff --git a/security/openssl_tpm_engine/files/patch-src-e_tpm.c b/security/openssl_tpm_engine/files/patch-src-e_tpm.c
new file mode 100644
index 000000000000..69a7dac3dede
--- /dev/null
+++ b/security/openssl_tpm_engine/files/patch-src-e_tpm.c
@@ -0,0 +1,368 @@
+--- src/e_tpm.c.orig	2017-12-18 15:45:34 UTC
++++ src/e_tpm.c
+@@ -34,6 +34,7 @@
+ #include <tss/tspi.h>
+ 
+ #include <trousers/trousers.h>  // XXX DEBUG
++#include <trousers/tss.h>
+ 
+ #include "e_tpm.h"
+ #include "ssl_compat.h"
+@@ -55,10 +56,10 @@ static char *tpm_engine_get_auth(UI_METHOD *, char *, 
+ /* rsa functions */
+ static int tpm_rsa_init(RSA *rsa);
+ static int tpm_rsa_finish(RSA *rsa);
+-static int tpm_rsa_pub_dec(int, const unsigned char *, unsigned char *, RSA *, int);
+-static int tpm_rsa_pub_enc(int, const unsigned char *, unsigned char *, RSA *, int);
+-static int tpm_rsa_priv_dec(int, const unsigned char *, unsigned char *, RSA *, int);
+-static int tpm_rsa_priv_enc(int, const unsigned char *, unsigned char *, RSA *, int);
++static int tpm_rsa_pub_dec(int, unsigned char *, unsigned char *, RSA *, int);
++static int tpm_rsa_pub_enc(int, unsigned char *, unsigned char *, RSA *, int);
++static int tpm_rsa_priv_dec(int, unsigned char *, unsigned char *, RSA *, int);
++static int tpm_rsa_priv_enc(int, unsigned char *, unsigned char *, RSA *, int);
+ //static int tpm_rsa_sign(int, const unsigned char *, unsigned int, unsigned char *, unsigned int *, const RSA *);
+ static int tpm_rsa_keygen(RSA *, int, BIGNUM *, BN_GENCB *);
+ #endif
+@@ -72,6 +73,7 @@ static RAND_SEED_RET_TYPE tpm_rand_seed(const void *, 
+ #define TPM_CMD_SO_PATH		ENGINE_CMD_BASE
+ #define TPM_CMD_PIN		ENGINE_CMD_BASE+1
+ #define TPM_CMD_SECRET_MODE	ENGINE_CMD_BASE+2
++#define TPM_CMD_QUOTE		ENGINE_CMD_BASE+3
+ static const ENGINE_CMD_DEFN tpm_cmd_defns[] = {
+ 	{TPM_CMD_SO_PATH,
+ 	 "SO_PATH",
+@@ -85,6 +87,10 @@ static const ENGINE_CMD_DEFN tpm_cmd_defns[] = {
+ 	 "SECRET_MODE",
+ 	 "The TSS secret mode for all secrets",
+ 	 ENGINE_CMD_FLAG_NUMERIC},
++	{TPM_CMD_QUOTE,
++	"QUOTE",
++	"Perform a TPM_Quote() with the given structure",
++	ENGINE_CMD_FLAG_NUMERIC},
+ 	{0, NULL, NULL, 0}
+ };
+ 
+@@ -151,6 +157,9 @@ static unsigned int (*p_tspi_Hash_SetHashValue)();
+ static unsigned int (*p_tspi_GetPolicyObject)();
+ static unsigned int (*p_tspi_Policy_SetSecret)();
+ static unsigned int (*p_tspi_Policy_AssignToObject)();
++static unsigned int (*p_tspi_PcrComposite_SelectPcrIndex)();
++static unsigned int (*p_tspi_TPM_Quote)();
++static unsigned int (*p_tspi_NV_ReadValue)();
+ 
+ /* Override the real function calls to use our indirect pointers */
+ #define Tspi_Context_Create p_tspi_Context_Create
+@@ -177,6 +186,9 @@ static unsigned int (*p_tspi_Policy_AssignToObject)();
+ #define Tspi_Hash_SetHashValue p_tspi_Hash_SetHashValue
+ #define Tspi_Policy_SetSecret p_tspi_Policy_SetSecret
+ #define Tspi_Policy_AssignToObject p_tspi_Policy_AssignToObject
++#define	Tspi_PcrComposite_SelectPcrIndex p_tspi_PcrComposite_SelectPcrIndex
++#define	Tspi_TPM_Quote p_tspi_TPM_Quote
++#define	Tspi_NV_ReadValue p_tspi_NV_ReadValue
+ #endif /* DLOPEN_TSPI */
+ 
+ static int setup_rsa_method()
+@@ -262,6 +274,7 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data)
+ 	TSS_RESULT result;
+ 	UINT32 authusage;
+ 	BYTE *auth;
++	BYTE well_known[TPM_SHA1_160_HASH_LEN] = TSS_WELL_KNOWN_SECRET;
+ 
+ 	if (hSRK != NULL_HKEY) {
+ 		DBGFN("SRK is already loaded.");
+@@ -308,6 +321,7 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data)
+ 		return 0;
+ 	}
+ 
++	if (ui) {
+ 	if ((auth = calloc(1, 128)) == NULL) {
+ 		TSSerr(TPM_F_TPM_LOAD_SRK, ERR_R_MALLOC_FAILURE);
+ 		return 0;
+@@ -333,6 +347,15 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data)
+ 
+ 	free(auth);
+ 
++	} else {
++		if ((result = Tspi_Policy_SetSecret(hSRKPolicy, TSS_SECRET_MODE_SHA1, 20, well_known))) {
++			Tspi_Context_CloseObject(hContext, hSRK);
++			free(auth);
++			TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
++			return 0;
++		}
++	}
++
+ 	return 1;
+ }
+ 
+@@ -390,7 +413,10 @@ static int tpm_engine_init(ENGINE * e)
+ 	    !bind_tspi_func(tpm_dso, Context_GetTpmObject) ||
+ 	    !bind_tspi_func(tpm_dso, GetAttribUint32) ||
+ 	    !bind_tspi_func(tpm_dso, SetAttribData) ||
+-	    !bind_tspi_func(tpm_dso, Policy_AssignToObject)
++	    !bind_tspi_func(tpm_dso, Policy_AssignToObject) ||
++	    !bind_tspi_func(tpm_dso, PcrComposite_SelectPcrIndex) ||
++	    !bind_tspi_func(tpm_dso, TPM_Quote) ||
++	    !bind_tspi_func(tpm_dso, NV_ReadValue)
+ 	    ) {
+ 		TSSerr(TPM_F_TPM_ENGINE_INIT, TPM_R_DSO_FAILURE);
+ 		goto err;
+@@ -452,6 +478,9 @@ err:
+ 	p_tspi_Policy_AssignToObject = NULL;
+ 	p_tspi_TPM_StirRandom = NULL;
+ 	p_tspi_TPM_GetRandom = NULL;
++	p_tspi_PcrComposite_SelectPcrIndex = NULL;
++	p_tspi_TPM_Quote = NULL;
++	p_tspi_NV_ReadValue = NULL;
+ #endif
+ 	return 0;
+ }
+@@ -590,6 +619,55 @@ err:
+ 	return 0;
+ }
+ 
++/*
++ *     Read a keyblob from NVRAM into an OpenSSL memory BIO
++ *             by Christian Holler (c.hol...@sirrix.com), Sirrix AG
++ */
++int BIO_from_nvram(unsigned int index, unsigned int length, BIO** bio)
++{
++	TSS_RESULT result;
++	TSS_HNVSTORE hNVStore;
++	BYTE *dataRead = NULL;
++
++	//unsigned int blobLength = 559;
++
++	BIO *mem = BIO_new(BIO_s_mem());
++
++	/* Create TPM NV object */
++	result = p_tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_NV, 0,
++				     &hNVStore);
++
++	if (result != TSS_SUCCESS) {
++		 TSSerr(TPM_F_TPM_BIO_FROM_NVRAM,
++			 TPM_R_REQUEST_FAILED);
++		 return 0;
++	}
++
++	/* Set the index to be read */
++	result = p_tspi_SetAttribUint32(hNVStore, TSS_TSPATTRIB_NV_INDEX, 0,
++				(UINT32) index);
++
++	if (result != TSS_SUCCESS) {
++		 TSSerr(TPM_F_TPM_BIO_FROM_NVRAM,
++			 TPM_R_REQUEST_FAILED);
++		 return 0;
++	}
++
++	result = p_tspi_NV_ReadValue(hNVStore, 0, &length, &dataRead);
++	BIO_write(mem, dataRead, length);
++	p_tspi_Context_FreeMemory(hContext, dataRead);
++
++	if (result != TSS_SUCCESS ) {
++		 TSSerr(TPM_F_TPM_BIO_FROM_NVRAM,
++			 TPM_R_REQUEST_FAILED);
++		 return 0;
++	}
++
++	*bio = mem;
++
++	return 1;
++}
++
+ static EVP_PKEY *tpm_engine_load_key(ENGINE *e, const char *key_id,
+ 				     UI_METHOD *ui, void *cb_data)
+ {
+@@ -604,7 +682,7 @@ static EVP_PKEY *tpm_engine_load_key(ENGINE *e, const 
+ 
+ 	DBG("%s", __FUNCTION__);
+ 
+-	if (!key_id) {
++	if (!key_id && !cb_data) {
+ 		TSSerr(TPM_F_TPM_ENGINE_LOAD_KEY, ERR_R_PASSED_NULL_PARAMETER);
+ 		return NULL;
+ 	}
+@@ -614,17 +692,27 @@ static EVP_PKEY *tpm_engine_load_key(ENGINE *e, const 
+ 		return NULL;
+ 	}
+ 
++	if (cb_data) {
++		struct nvram_request *nvreq = cb_data;
++
++		if (!BIO_from_nvram(nvreq->index, nvreq->length, &bf)) {
++			TSSerr(TPM_F_TPM_ENGINE_LOAD_KEY,
++			    TPM_R_NVRAM_FAILED);
++			return NULL;
++		}
++	} else {
+ 	if ((bf = BIO_new_file(key_id, "r")) == NULL) {
+ 		TSSerr(TPM_F_TPM_ENGINE_LOAD_KEY,
+-		       TPM_R_FILE_NOT_FOUND);
++			TPM_R_FILE_NOT_FOUND);
+ 		return NULL;
+ 	}
++	}
+ 
+ 	blobstr = PEM_ASN1_read_bio((void *)d2i_ASN1_OCTET_STRING,
+ 				    "TSS KEY BLOB", bf, NULL, NULL, NULL);
+ 	if (!blobstr) {
+ 		TSSerr(TPM_F_TPM_ENGINE_LOAD_KEY,
+-		       TPM_R_FILE_READ_FAILED);
++			TPM_R_FILE_READ_FAILED);
+ 		BIO_free(bf);
+ 		return NULL;
+ 	}
+@@ -635,7 +723,7 @@ static EVP_PKEY *tpm_engine_load_key(ENGINE *e, const 
+ 						   blobstr->length,
+ 						   blobstr->data, &hKey))) {
+ 		TSSerr(TPM_F_TPM_ENGINE_LOAD_KEY,
+-		       TPM_R_REQUEST_FAILED);
++			TPM_R_REQUEST_FAILED);
+ 		return NULL;
+ 	}
+ 	ASN1_OCTET_STRING_free(blobstr);
+@@ -645,7 +733,7 @@ static EVP_PKEY *tpm_engine_load_key(ENGINE *e, const 
+ 					     &authusage))) {
+ 		Tspi_Context_CloseObject(hContext, hKey);
+ 		TSSerr(TPM_F_TPM_ENGINE_LOAD_KEY,
+-		       TPM_R_REQUEST_FAILED);
++			TPM_R_REQUEST_FAILED);
+ 		return NULL;
+ 	}
+ 
+@@ -747,7 +835,7 @@ static int tpm_create_srk_policy(void *secret)
+ 							  TSS_POLICY_USAGE,
+ 							  &hSRKPolicy))) {
+ 			TSSerr(TPM_F_TPM_CREATE_SRK_POLICY,
+-			       TPM_R_REQUEST_FAILED);
++				TPM_R_REQUEST_FAILED);
+ 			return 0;
+ 		}
+ 	}
+@@ -761,6 +849,70 @@ static int tpm_create_srk_policy(void *secret)
+ 	return 1;
+ }
+ 
++static int tpm_quote(void* p) {
++	TSS_RESULT result;
++	TSS_HPCRS hPcrComposite;
++	TSS_VALIDATION tssVal;
++
++	unsigned int i = 0;
++
++	struct quote_request *request = p;
++
++	struct rsa_app_data *app_data = RSA_get_ex_data(request->rsa, ex_app_data);
++
++	/* No app_data, this is not a TPM Key and we cannot use it for quote */
++	if (!app_data) {
++		 return 0;
++	}
++
++	/* Key is invalid */
++	if (app_data->hKey == NULL_HKEY) {
++		 TSSerr(TPM_F_TPM_QUOTE, TPM_R_INVALID_KEY);
++		 return 0;
++	}
++
++	/* Set up PcrComposite Structure, this is a set
++	 * of PCRs which will be used for the quote */
++	result =
++		 p_tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_PCRS,
++				   TSS_PCRS_STRUCT_INFO, &hPcrComposite);
++	if (result != TSS_SUCCESS) {
++		TSSerr(TPM_F_TPM_QUOTE, TPM_R_REQUEST_FAILED);
++		 return 0;
++	}
++
++	/* Add all PCR values to be used to PcrComposite structure */
++	for (i = 0; i < request->PCRSelLength; i++) {
++		 if (request->PCRSel[i]) {
++			  result = p_tspi_PcrComposite_SelectPcrIndex(hPcrComposite, i);
++
++			  if (result != TSS_SUCCESS) {
++				   TSSerr(TPM_F_TPM_QUOTE, TPM_R_REQUEST_FAILED);
++				   return 0;
++			  }
++		 }
++	}
++
++	/* Set the nonce */
++	tssVal.rgbExternalData = request->nonce;
++	tssVal.ulExternalDataLength = SHA_DIGEST_LENGTH;
++
++	result = p_tspi_TPM_Quote(hTPM, app_data->hKey, hPcrComposite, &tssVal);
++
++	if (result != TSS_SUCCESS) {
++		 TSSerr(TPM_F_TPM_QUOTE, TPM_R_REQUEST_FAILED);
++		 return 0;
++	}
++
++	request->rgbData = tssVal.rgbData;
++	request->ulValidationDataLength = tssVal.ulValidationDataLength;
++	request->rgbValidationData = tssVal.rgbValidationData;
++
++	p_tspi_Context_CloseObject(hContext, hPcrComposite);
++
++	return 1;
++}
++
+ static int tpm_engine_ctrl(ENGINE * e, int cmd, long i, void *p, void (*f) ())
+ {
+ 	int initialised = !!hContext;
+@@ -799,6 +951,8 @@ static int tpm_engine_ctrl(ENGINE * e, int cmd, long i
+ 			return 1;
+ 		case TPM_CMD_PIN:
+ 			return tpm_create_srk_policy(p);
++		case TPM_CMD_QUOTE:
++			return tpm_quote(p);
+ 		default:
+ 			break;
+ 	}
+@@ -853,7 +1007,7 @@ static int tpm_rsa_finish(RSA *rsa)
+ }
+ 
+ static int tpm_rsa_pub_dec(int flen,
+-			   const unsigned char *from,
++			   unsigned char *from,
+ 			   unsigned char *to,
+ 			   RSA *rsa,
+ 			   int padding)
+@@ -872,7 +1026,7 @@ static int tpm_rsa_pub_dec(int flen,
+ }
+ 
+ static int tpm_rsa_priv_dec(int flen,
+-			    const unsigned char *from,
++			    unsigned char *from,
+ 			    unsigned char *to,
+ 			    RSA *rsa,
+ 			    int padding)
+@@ -949,7 +1103,7 @@ static int tpm_rsa_priv_dec(int flen,
+ }
+ 
+ static int tpm_rsa_pub_enc(int flen,
+-			   const unsigned char *from,
++			   unsigned char *from,
+ 			   unsigned char *to,
+ 			   RSA *rsa,
+ 			   int padding)
+@@ -1056,7 +1210,7 @@ static int tpm_rsa_pub_enc(int flen,
+ }
+ 
+ static int tpm_rsa_priv_enc(int flen,
+-			    const unsigned char *from,
++			    unsigned char *from,
+ 			    unsigned char *to,
+ 			    RSA *rsa,
+ 			    int padding)
+@@ -1101,7 +1255,10 @@ static int tpm_rsa_priv_enc(int flen,
+ 	}
+ 
+ 	if (app_data->sigScheme == TSS_SS_RSASSAPKCS1V15_SHA1) {
+-		if (flen != SHA_DIGEST_LENGTH) {
++		if (flen == SHA_DIGEST_LENGTH+15) {
++			from += 15;
++			flen = SHA_DIGEST_LENGTH;
++		} else if (flen != SHA_DIGEST_LENGTH) {
+ 			TSSerr(TPM_F_TPM_RSA_PRIV_ENC, TPM_R_INVALID_MSG_SIZE);
+ 			return 0;
+ 		}