openssl-tpm-engine: add package

Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Armin Kuster <akuster808@gmail.com> 2017-10-08 10:24:48 -0700
committer: Armin Kuster <akuster808@gmail.com> 2017-10-10 07:24:59 -0700
commit: aeb9e6c571d572b320fae730770760258d15fc5b (patch)
tree: f283a1dcc0553a64fd70baf4af93831ded9671b7
parent: ef1e8d914462cfce093b84e9917250270be60569 (diff)
download: meta-security-aeb9e6c571d572b320fae730770760258d15fc5b.tar.gz
6 files changed, 570 insertions, 0 deletions
diff --git a/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch b/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch
new file mode 100644
index 0000000..67071b6
--- /dev/null
+++ b/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch
@@ -0,0 +1,99 @@
+commit 16dac0cb7b73b8a7088300e45b98ac20819b03ed
+Author: Junxian.Xiao <Junxian.Xiao@windriver.com>
+Date:   Wed Jun 19 18:57:13 2013 +0800
+support well-known password in openssl-tpm-engine.
+Add "-z" option to select well known password in create_tpm_key tool.
+Signed-off-by: Junxian.Xiao <Junxian.Xiao@windriver.com>
+diff --git a/create_tpm_key.c b/create_tpm_key.c
+index fee917f..7b94d62 100644
+--- a/create_tpm_key.c
+++ b/create_tpm_key.c
+@@ -46,6 +46,8 @@
+ #include <trousers/tss.h>
+ #include <trousers/trousers.h>
+ 
+#define TPM_WELL_KNOWN_KEY_LEN 20   /*well know key length is 20 bytes zero*/
+
+ #define print_error(a,b) \
+        fprintf(stderr, "%s:%d %s result: 0x%x (%s)\n", __FILE__, __LINE__, \
+                a, b, Trspi_Error_String(b))
+@@ -70,6 +72,7 @@ usage(char *argv0)
+                "\t\t-e|--enc-scheme  encryption scheme to use [PKCSV15] or OAEP\n"
+                "\t\t-q|--sig-scheme  signature scheme to use [DER] or SHA1\n"
+                "\t\t-s|--key-size    key size in bits [2048]\n"
+               "\t\t-z|--zerokey     use well known 20 bytes zero as SRK password.\n"
+                "\t\t-a|--auth        require a password for the key [NO]\n"
+                "\t\t-p|--popup       use TSS GUI popup dialogs to get the password "
+                "for the\n\t\t\t\t key [NO] (implies --auth)\n"
+@@ -147,6 +150,7 @@ int main(int argc, char **argv)
+        int             asn1_len;
+        char            *filename, c, *openssl_key = NULL;
+        int             option_index, auth = 0, popup = 0, wrap = 0;
+       int             wellknownkey = 0;
+        UINT32          enc_scheme = TSS_ES_RSAESPKCSV15;
+        UINT32          sig_scheme = TSS_SS_RSASSAPKCS1V15_DER;
+        UINT32          key_size = 2048;
+@@ -154,12 +158,15 @@ int main(int argc, char **argv)
+ 
+        while (1) {
+                option_index = 0;
+-               c = getopt_long(argc, argv, "pe:q:s:ahw:",
+               c = getopt_long(argc, argv, "pe:q:s:zahw:",
+                                long_options, &option_index);
+                if (c == -1)
+                        break;
+ 
+                switch (c) {
+                       case 'z':
+                               wellknownkey = 1;
+                               break;
+                        case 'a':
+                                initFlags |= TSS_KEY_AUTHORIZATION;
+                                auth = 1;
+@@ -293,6 +300,8 @@ int main(int argc, char **argv)
+ 
+        if (srk_authusage) {
+                char *authdata = calloc(1, 128);
+               TSS_FLAG secretMode = TSS_SECRET_MODE_PLAIN;
+               int authlen = 0;
+ 
+                if (!authdata) {
+                        fprintf(stderr, "malloc failed.\n");
+@@ -309,17 +318,26 @@ int main(int argc, char **argv)
+                        exit(result);
+                }
+ 
+-               if (EVP_read_pw_string(authdata, 128, "SRK Password: ", 0)) {
+-                       Tspi_Context_CloseObject(hContext, hKey);
+-                       Tspi_Context_Close(hContext);
+-                       free(authdata);
+-                       exit(result);
+               if (wellknownkey) {
+                       memset(authdata, 0, TPM_WELL_KNOWN_KEY_LEN);
+                       secretMode = TSS_SECRET_MODE_SHA1;
+                       authlen = TPM_WELL_KNOWN_KEY_LEN;
+               }
+               else {
+                       if (EVP_read_pw_string(authdata, 128, "SRK Password: ", 0)) {
+                               Tspi_Context_CloseObject(hContext, hKey);
+                               Tspi_Context_Close(hContext);
+                               free(authdata);
+                               exit(result);
+                       }
+                       secretMode = TSS_SECRET_MODE_PLAIN;
+                       authlen = strlen(authdata);
+                }
+ 
+                //Set Secret
+                if ((result = Tspi_Policy_SetSecret(srkUsagePolicy,
+-                                                   TSS_SECRET_MODE_PLAIN,
+-                                                   strlen(authdata),
+                                                   secretMode,
+                                                   authlen,
+                                                    (BYTE *)authdata))) {
+                        print_error("Tspi_Policy_SetSecret", result);
+                        free(authdata);
diff --git a/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch b/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch
new file mode 100644
index 0000000..f718f2e
--- /dev/null
+++ b/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch
@@ -0,0 +1,80 @@
+commit 16dac0cb7b73b8a7088300e45b98ac20819b03ed
+Author: Junxian.Xiao <Junxian.Xiao@windriver.com>
+Date:   Wed Jun 19 18:57:13 2013 +0800
+support reading SRK password from env TPM_SRK_PW
+Add "env TPM_SRK_PW=xxxx" to set password for libtpm.so. Specially,
+use "env TPM_SRK_PW=#WELLKNOWN#" to set well known password.
+Signed-off-by: Junxian.Xiao <Junxian.Xiao@windriver.com>
+diff --git a/e_tpm.c b/e_tpm.c
+index f3e8bcf..7dcb75a 100644
+--- a/e_tpm.c
+++ b/e_tpm.c
+@@ -38,6 +38,8 @@
+ 
+ #include "e_tpm.h"
+ 
+#define TPM_WELL_KNOWN_KEY_LEN 20   /*well know key length is 20 bytes zero*/
+
+ //#define DLOPEN_TSPI
+ 
+ #ifndef OPENSSL_NO_HW
+@@ -248,6 +250,10 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data)
+        TSS_RESULT result;
+        UINT32 authusage;
+        BYTE *auth;
+       char *srkPasswd = NULL;
+       TSS_FLAG secretMode = secret_mode;
+       int authlen = 0;
+
+ 
+        if (hSRK != NULL_HKEY) {
+                DBGFN("SRK is already loaded.");
+@@ -299,18 +305,36 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data)
+                return 0;
+        }
+ 
+-       if (!tpm_engine_get_auth(ui, (char *)auth, 128, "SRK authorization: ",
+-                               cb_data)) {
+-               Tspi_Context_CloseObject(hContext, hSRK);
+-               free(auth);
+-               TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
+-               return 0;
+       srkPasswd = getenv("TPM_SRK_PW");
+       if (NULL != srkPasswd) {
+               if (0 == strcmp(srkPasswd, "#WELLKNOWN#")) {
+                       memset(auth, 0, TPM_WELL_KNOWN_KEY_LEN);
+                       secretMode = TSS_SECRET_MODE_SHA1;
+                       authlen = TPM_WELL_KNOWN_KEY_LEN;
+               } else {
+                       int authbuflen = 128;
+                       memset(auth, 0, authbuflen);
+                       strncpy(auth, srkPasswd, authbuflen-1);
+                       secretMode = TSS_SECRET_MODE_PLAIN;
+                       authlen = strlen(auth);
+               }
+       }
+       else {
+               if (!tpm_engine_get_auth(ui, (char *)auth, 128,
+                               "SRK authorization: ", cb_data)) {
+                       Tspi_Context_CloseObject(hContext, hSRK);
+                       free(auth);
+                       TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
+                       return 0;
+               }
+               secretMode = secret_mode;
+               authlen = strlen(auth);
+        }
+ 
+        /* secret_mode is a global that may be set by engine ctrl
+         * commands.  By default, its set to TSS_SECRET_MODE_PLAIN */
+-       if ((result = Tspi_Policy_SetSecret(hSRKPolicy, secret_mode,
+-                                             strlen((char *)auth), auth))) {
+       if ((result = Tspi_Policy_SetSecret(hSRKPolicy, secretMode,
+                                             authlen, auth))) {
+                Tspi_Context_CloseObject(hContext, hSRK);
+                free(auth);
+                TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
diff --git a/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-Fix-not-building-libtpm.la.patch b/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-Fix-not-building-libtpm.la.patch
new file mode 100644
index 0000000..d24a150
--- /dev/null
+++ b/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-Fix-not-building-libtpm.la.patch
@@ -0,0 +1,25 @@
+From 7848445a1f4c750ef73bf96f5e89d402f87a1756 Mon Sep 17 00:00:00 2001
+From: Lans Zhang <jia.zhang@windriver.com>
+Date: Mon, 19 Jun 2017 14:54:28 +0800
+Subject: [PATCH] Fix not building libtpm.la
+Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
+---
+ Makefile.am | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+diff --git a/Makefile.am b/Makefile.am
+index 6695656..634a7e6 100644
+--- a/Makefile.am
+++ b/Makefile.am
+@@ -10,4 +10,6 @@ libtpm_la_LIBADD=-lcrypto -lc -ltspi
+ libtpm_la_SOURCES=e_tpm.c e_tpm.h e_tpm_err.c
+ 
+ create_tpm_key_SOURCES=create_tpm_key.c
+-create_tpm_key_LDADD=-ltspi
+create_tpm_key_LDFLAGS=-ltspi
+
+LDADD=libtpm.la
+-- 
+2.7.5
diff --git a/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch b/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch
new file mode 100644
index 0000000..a88148f
--- /dev/null
+++ b/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch
@@ -0,0 +1,254 @@
+From eb28ad92a2722fd30f8114840cf2b1ade26b80ee Mon Sep 17 00:00:00 2001
+From: Limeng <Meng.Li@windriver.com>
+Date: Fri, 23 Jun 2017 11:39:04 +0800
+Subject: [PATCH] tpm:openssl-tpm-engine:parse an encrypted tpm SRK password 
+ from env
+Before, we support reading SRK password from env TPM_SRK_PW,
+but it is a plain password and not secure.
+So, we improve it and support to get an encrypted (AES algorithm)
+SRK password from env, and then parse it. The default decrypting
+AES password and salt is set in bb file.
+When we initialize TPM, and set a SRK pw, and then we need to
+encrypt it with the same AES password and salt by AES algorithm.
+At last, we set a env as below:
+export TPM_SRK_ENC_PW=xxxxxxxx
+"xxxxxxxx" is the encrypted SRK password for libtpm.so.
+Signed-off-by: Meng Li <Meng.Li@windriver.com>
+---
+ e_tpm.c     | 157 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ e_tpm.h     |   4 ++
+ e_tpm_err.c |   4 ++
+ 3 files changed, 164 insertions(+), 1 deletion(-)
+diff --git a/e_tpm.c b/e_tpm.c
+index 7dcb75a..11bf74b 100644
+--- a/e_tpm.c
+++ b/e_tpm.c
+@@ -245,6 +245,118 @@ void ENGINE_load_tpm(void)
+        ERR_clear_error();
+ }
+ 
+static int tpm_decode_base64(unsigned char *indata,
+                               int in_len,
+                               unsigned char *outdata,
+                               int *out_len)
+{
+       int total_len, len, ret;
+       EVP_ENCODE_CTX dctx;
+
+       EVP_DecodeInit(&dctx);
+
+       total_len = 0;
+       ret = EVP_DecodeUpdate(&dctx, outdata, &len, indata, in_len);
+       if (ret < 0) {
+               TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED);
+               return 1;
+       }
+
+       total_len += len;
+       ret = EVP_DecodeFinal(&dctx, outdata, &len);
+       if (ret < 0) {
+               TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED);
+               return 1;
+       }
+       total_len += len;
+
+       *out_len = total_len;
+
+       return 0;
+}
+
+static int tpm_decrypt_srk_pw(unsigned char *indata, int in_len,
+                               unsigned char *outdata,
+                               int *out_len)
+{
+       int dec_data_len, dec_data_lenfinal;
+       unsigned char dec_data[256];
+       unsigned char *aes_pw;
+       unsigned char aes_salt[PKCS5_SALT_LEN];
+       unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
+       const EVP_CIPHER *cipher = NULL;
+       const EVP_MD *dgst = NULL;
+       EVP_CIPHER_CTX *ctx = NULL;
+
+       if (sizeof(SRK_DEC_SALT) - 1 > PKCS5_SALT_LEN) {
+               TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
+               return 1;
+       }
+
+       aes_pw = malloc(sizeof(SRK_DEC_PW) - 1);
+       if (aes_pw == NULL) {
+               TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
+               return 1;
+       }
+
+       memset(aes_salt, 0x00, sizeof(aes_salt));
+       memcpy(aes_pw, SRK_DEC_PW, sizeof(SRK_DEC_PW) - 1);
+       memcpy(aes_salt, SRK_DEC_SALT, sizeof(SRK_DEC_SALT) - 1);
+
+       cipher = EVP_get_cipherbyname("aes-128-cbc");
+       if (cipher == NULL) {
+               TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
+               free(aes_pw);
+               return 1;
+       }
+       dgst = EVP_sha256();
+
+       EVP_BytesToKey(cipher, dgst, aes_salt, (unsigned char *)aes_pw, sizeof(SRK_DEC_PW) - 1, 1, key, iv);
+
+       ctx = EVP_CIPHER_CTX_new();
+       /* Don't set key or IV right away; we want to check lengths */
+       if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, 0)) {
+               TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
+               free(aes_pw);
+               return 1;
+       }
+
+       OPENSSL_assert(EVP_CIPHER_CTX_key_length(ctx) == 16);
+       OPENSSL_assert(EVP_CIPHER_CTX_iv_length(ctx) == 16);
+
+       if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, 0)) {
+               TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
+               free(aes_pw);
+               return 1;
+       }
+
+       if (!EVP_CipherUpdate(ctx, dec_data, &dec_data_len, indata, in_len)) {
+               /* Error */
+               TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
+               free(aes_pw);
+               EVP_CIPHER_CTX_free(ctx);
+               return 1;
+       }
+
+       if (!EVP_CipherFinal_ex(ctx, dec_data + dec_data_len, &dec_data_lenfinal)) {
+               /* Error */
+               TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
+               free(aes_pw);
+               EVP_CIPHER_CTX_free(ctx);
+               return 1;
+       }
+
+       dec_data_len = dec_data_len + dec_data_lenfinal;
+
+       memcpy(outdata, dec_data, dec_data_len);
+       *out_len = dec_data_len;
+
+       free(aes_pw);
+       EVP_CIPHER_CTX_free(ctx);
+
+       return 0;
+}
+
+ int tpm_load_srk(UI_METHOD *ui, void *cb_data)
+ {
+        TSS_RESULT result;
+@@ -305,8 +417,50 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data)
+                return 0;
+        }
+ 
+-       srkPasswd = getenv("TPM_SRK_PW");
+       srkPasswd = getenv("TPM_SRK_ENC_PW");
+        if (NULL != srkPasswd) {
+               int in_len = strlen(srkPasswd);
+               int out_len;
+               unsigned char *out_buf;
+
+               if (!in_len || in_len % 4) {
+                       Tspi_Context_CloseObject(hContext, hSRK);
+                       free(auth);
+                       TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
+                       return 0;
+               }
+
+               out_len = in_len * 3 / 4;
+               out_buf = malloc(out_len);
+               if (NULL == out_buf) {
+                       Tspi_Context_CloseObject(hContext, hSRK);
+                       free(auth);
+                       TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
+                       return 0;
+               }
+
+               if (tpm_decode_base64(srkPasswd, strlen(srkPasswd),
+                                       out_buf, &out_len)) {
+                       Tspi_Context_CloseObject(hContext, hSRK);
+                       free(auth);
+                       free(out_buf);
+                       TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
+                       return 0;
+               }
+
+               if (tpm_decrypt_srk_pw(out_buf, out_len,
+                                                       auth, &authlen)) {
+                       Tspi_Context_CloseObject(hContext, hSRK);
+                       free(auth);
+                       free(out_buf);
+                       TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
+                       return 0;
+               }
+               secretMode = TSS_SECRET_MODE_PLAIN;
+               free(out_buf);
+       }
+#ifdef TPM_SRK_PLAIN_PW
+       else if (NULL != (srkPasswd = getenv("TPM_SRK_PW")) {
+                if (0 == strcmp(srkPasswd, "#WELLKNOWN#")) {
+                        memset(auth, 0, TPM_WELL_KNOWN_KEY_LEN);
+                        secretMode = TSS_SECRET_MODE_SHA1;
+@@ -319,6 +473,7 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data)
+                        authlen = strlen(auth);
+                }
+        }
+#endif
+        else {
+                if (!tpm_engine_get_auth(ui, (char *)auth, 128,
+                                "SRK authorization: ", cb_data)) {
+diff --git a/e_tpm.h b/e_tpm.h
+index 6316e0b..56ff202 100644
+--- a/e_tpm.h
+++ b/e_tpm.h
+@@ -66,6 +66,8 @@ void ERR_TSS_error(int function, int reason, char *file, int line);
+ #define TPM_F_TPM_FILL_RSA_OBJECT              116
+ #define TPM_F_TPM_ENGINE_GET_AUTH              117
+ #define TPM_F_TPM_CREATE_SRK_POLICY            118
+#define TPM_F_TPM_DECODE_BASE64                        119
+#define TPM_F_TPM_DECRYPT_SRK_PW               120
+ 
+ /* Reason codes. */
+ #define TPM_R_ALREADY_LOADED                   100
+@@ -96,6 +98,8 @@ void ERR_TSS_error(int function, int reason, char *file, int line);
+ #define TPM_R_ID_INVALID                       125
+ #define TPM_R_UI_METHOD_FAILED                 126
+ #define TPM_R_UNKNOWN_SECRET_MODE              127
+#define TPM_R_DECODE_BASE64_FAILED             128
+#define TPM_R_DECRYPT_SRK_PW_FAILED            129
+ 
+ /* structure pointed to by the RSA object's app_data pointer */
+ struct rsa_app_data
+diff --git a/e_tpm_err.c b/e_tpm_err.c
+index 25a5d0f..439e267 100644
+--- a/e_tpm_err.c
+++ b/e_tpm_err.c
+@@ -235,6 +235,8 @@ static ERR_STRING_DATA TPM_str_functs[] = {
+        {ERR_PACK(0, TPM_F_TPM_BIND_FN, 0), "TPM_BIND_FN"},
+        {ERR_PACK(0, TPM_F_TPM_FILL_RSA_OBJECT, 0), "TPM_FILL_RSA_OBJECT"},
+        {ERR_PACK(0, TPM_F_TPM_ENGINE_GET_AUTH, 0), "TPM_ENGINE_GET_AUTH"},
+       {ERR_PACK(0, TPM_F_TPM_DECODE_BASE64, 0), "TPM_DECODE_BASE64"},
+       {ERR_PACK(0, TPM_F_TPM_DECRYPT_SRK_PW, 0), "TPM_DECRYPT_SRK_PW"},
+        {0, NULL}
+ };
+ 
+@@ -265,6 +267,8 @@ static ERR_STRING_DATA TPM_str_reasons[] = {
+        {TPM_R_FILE_READ_FAILED, "failed reading the key file"},
+        {TPM_R_ID_INVALID, "engine id doesn't match"},
+        {TPM_R_UI_METHOD_FAILED, "ui function failed"},
+       {TPM_R_DECODE_BASE64_FAILED, "decode base64 failed"},
+       {TPM_R_DECRYPT_SRK_PW_FAILED, "decrypt srk password failed"},
+        {0, NULL}
+ };
+ 
+-- 
+2.9.3
diff --git a/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch b/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch
new file mode 100644
index 0000000..076704d
--- /dev/null
+++ b/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch
@@ -0,0 +1,34 @@
+From fb44e2814fd819c086f9a4c925427f89c0e8cec6 Mon Sep 17 00:00:00 2001
+From: Limeng <Meng.Li@windriver.com>
+Date: Fri, 21 Jul 2017 16:32:02 +0800
+Subject: [PATCH] tpm:openssl-tpm-engine: change variable c type from char
+ into int
+refer to getopt_long() function definition, its return value type is
+int. So, change variable c type from char into int.
+On arm platform, when getopt_long() calling fails, if we define c as
+char type, its value will be 255, not -1. This will cause code enter
+wrong case.
+Signed-off-by: Meng Li <Meng.Li@windriver.com>
+---
+ create_tpm_key.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/create_tpm_key.c b/create_tpm_key.c
+index 7b94d62..f30af90 100644
+--- a/create_tpm_key.c
+++ b/create_tpm_key.c
+@@ -148,7 +148,8 @@ int main(int argc, char **argv)
+        ASN1_OCTET_STRING *blob_str;
+        unsigned char   *blob_asn1 = NULL;
+        int             asn1_len;
+-       char            *filename, c, *openssl_key = NULL;
+       char            *filename, *openssl_key = NULL;
+       int             c;
+        int             option_index, auth = 0, popup = 0, wrap = 0;
+        int             wellknownkey = 0;
+        UINT32          enc_scheme = TSS_ES_RSAESPKCSV15;
+-- 
+1.7.9.5
diff --git a/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.4.2.bb b/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.4.2.bb
new file mode 100644
index 0000000..4854f70
--- /dev/null
+++ b/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.4.2.bb
@@ -0,0 +1,78 @@
+DESCRIPTION = "OpenSSL secure engine based on TPM hardware"
+HOMEPAGE = "https://sourceforge.net/projects/trousers/"
+SECTION = "security/tpm"
+LICENSE = "openssl"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=11f0ee3af475c85b907426e285c9bb52"
+DEPENDS += "openssl trousers"
+SRC_URI = "\
+    git://git.code.sf.net/p/trousers/openssl_tpm_engine \
+    file://0001-create-tpm-key-support-well-known-key-option.patch \
+    file://0002-libtpm-support-env-TPM_SRK_PW.patch \
+    file://0003-Fix-not-building-libtpm.la.patch \
+    file://0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch \
+    file://0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch \
+"
+SRCREV = "bbc2b1af809f20686e0d3553a62f0175742c0d60"
+S = "${WORKDIR}/git"
+inherit autotools-brokensep
+# The definitions below are used to decrypt the srk password.
+# It is allowed to define the values in 3 forms: string, hex number and
+# the hybrid, e.g,
+# srk_dec_pw = "incendia"
+# srk_dec_pw = "\x69\x6e\x63\x65\x6e\x64\x69\x61"
+# srk_dec_pw = "\x1""nc""\x3""nd""\x1""a"
+#
+# Due to the limit of escape character, the hybrid must be written in
+# above style. The actual values defined below in C code style are:
+# srk_dec_pw[] = { 0x01, 'n', 'c', 0x03, 'n', 'd', 0x01, 'a' };
+# srk_dec_salt[] = { 'r', 0x00, 0x00, 't' };
+srk_dec_pw ?= "\\"\\\x1\\"\\"nc\\"\\"\\\x3\\"\\"nd\\"\\"\\\x1\\"\\"a\\""
+srk_dec_salt ?= "\\"r\\"\\"\\\x00\\\x00\\"\\"t\\""
+CFLAGS_append += "-DSRK_DEC_PW=${srk_dec_pw} -DSRK_DEC_SALT=${srk_dec_salt}"
+# Uncomment below line if using the plain srk password for development
+#CFLAGS_append += "-DTPM_SRK_PLAIN_PW"
+do_configure_prepend() {
+    cd "${S}"
+    cp LICENSE COPYING
+    touch NEWS AUTHORS ChangeLog
+}
+do_install_append() {
+    install -m 0755 -d "${D}${libdir}/engines"
+    install -m 0755 -d "${D}${prefix}/local/ssl/lib/engines"
+    install -m 0755 -d "${D}${libdir}/ssl/engines"
+    cp -f "${D}${libdir}/openssl/engines/libtpm.so.0.0.0" "${D}${libdir}/libtpm.so.0"
+    cp -f "${D}${libdir}/openssl/engines/libtpm.so.0.0.0" "${D}${libdir}/engines/libtpm.so"
+    cp -f "${D}${libdir}/openssl/engines/libtpm.so.0.0.0" "${D}${prefix}/local/ssl/lib/engines/libtpm.so"
+    mv -f "${D}${libdir}/openssl/engines/libtpm.so.0.0.0" "${D}${libdir}/ssl/engines/libtpm.so"
+    mv -f "${D}${libdir}/openssl/engines/libtpm.la" "${D}${libdir}/ssl/engines/libtpm.la"
+    rm -rf "${D}${libdir}/openssl"
+}
+FILES_${PN}-staticdev += "${libdir}/ssl/engines/libtpm.la"
+FILES_${PN}-dbg += "\
+    ${libdir}/ssl/engines/.debug \
+    ${libdir}/engines/.debug \
+    ${prefix}/local/ssl/lib/engines/.debug \
+"
+FILES_${PN} += "\
+    ${libdir}/ssl/engines/libtpm.so* \
+    ${libdir}/engines/libtpm.so* \
+    ${libdir}/libtpm.so* \
+    ${prefix}/local/ssl/lib/engines/libtpm.so* \
+"
+RDEPENDS_${PN} += "libcrypto libtspi"
+INSANE_SKIP_${PN} = "libdir"
+INSANE_SKIP_${PN}-dbg = "libdir"
author	Armin Kuster <akuster808@gmail.com>	2017-10-08 10:24:48 -0700
committer	Armin Kuster <akuster808@gmail.com>	2017-10-10 07:24:59 -0700
commit	aeb9e6c571d572b320fae730770760258d15fc5b (patch)
tree	f283a1dcc0553a64fd70baf4af93831ded9671b7
parent	ef1e8d914462cfce093b84e9917250270be60569 (diff)
download	meta-security-aeb9e6c571d572b320fae730770760258d15fc5b.tar.gz

diff --git a/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch b/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch new file mode 100644 index 0000000..67071b6 --- /dev/null +++ b/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch
@@ -0,0 +1,99 @@
	1	commit 16dac0cb7b73b8a7088300e45b98ac20819b03ed
	2	Author: Junxian.Xiao <Junxian.Xiao@windriver.com>
	3	Date: Wed Jun 19 18:57:13 2013 +0800
	4
	5	support well-known password in openssl-tpm-engine.
	6
	7	Add "-z" option to select well known password in create_tpm_key tool.
	8
	9	Signed-off-by: Junxian.Xiao <Junxian.Xiao@windriver.com>
	10
	11	diff --git a/create_tpm_key.c b/create_tpm_key.c
	12	index fee917f..7b94d62 100644
	13	--- a/create_tpm_key.c
	14	+++ b/create_tpm_key.c
	15	@@ -46,6 +46,8 @@
	16	#include <trousers/tss.h>
	17	#include <trousers/trousers.h>
	18
	19	+#define TPM_WELL_KNOWN_KEY_LEN 20 /well know key length is 20 bytes zero/
	20	+
	21	#define print_error(a,b) \
	22	fprintf(stderr, "%s:%d %s result: 0x%x (%s)\n", __FILE__, __LINE__, \
	23	a, b, Trspi_Error_String(b))
	24	@@ -70,6 +72,7 @@ usage(char *argv0)
	25	"\t\t-e\|--enc-scheme encryption scheme to use [PKCSV15] or OAEP\n"
	26	"\t\t-q\|--sig-scheme signature scheme to use [DER] or SHA1\n"
	27	"\t\t-s\|--key-size key size in bits [2048]\n"
	28	+ "\t\t-z\|--zerokey use well known 20 bytes zero as SRK password.\n"
	29	"\t\t-a\|--auth require a password for the key [NO]\n"
	30	"\t\t-p\|--popup use TSS GUI popup dialogs to get the password "
	31	"for the\n\t\t\t\t key [NO] (implies --auth)\n"
	32	@@ -147,6 +150,7 @@ int main(int argc, char **argv)
	33	int asn1_len;
	34	char filename, c, openssl_key = NULL;
	35	int option_index, auth = 0, popup = 0, wrap = 0;
	36	+ int wellknownkey = 0;
	37	UINT32 enc_scheme = TSS_ES_RSAESPKCSV15;
	38	UINT32 sig_scheme = TSS_SS_RSASSAPKCS1V15_DER;
	39	UINT32 key_size = 2048;
	40	@@ -154,12 +158,15 @@ int main(int argc, char **argv)
	41
	42	while (1) {
	43	option_index = 0;
	44	- c = getopt_long(argc, argv, "pe:q:s:ahw:",
	45	+ c = getopt_long(argc, argv, "pe:q:s:zahw:",
	46	long_options, &option_index);
	47	if (c == -1)
	48	break;
	49
	50	switch (c) {
	51	+ case 'z':
	52	+ wellknownkey = 1;
	53	+ break;
	54	case 'a':
	55	initFlags \|= TSS_KEY_AUTHORIZATION;
	56	auth = 1;
	57	@@ -293,6 +300,8 @@ int main(int argc, char **argv)
	58
	59	if (srk_authusage) {
	60	char *authdata = calloc(1, 128);
	61	+ TSS_FLAG secretMode = TSS_SECRET_MODE_PLAIN;
	62	+ int authlen = 0;
	63
	64	if (!authdata) {
	65	fprintf(stderr, "malloc failed.\n");
	66	@@ -309,17 +318,26 @@ int main(int argc, char **argv)
	67	exit(result);
	68	}
	69
	70	- if (EVP_read_pw_string(authdata, 128, "SRK Password: ", 0)) {
	71	- Tspi_Context_CloseObject(hContext, hKey);
	72	- Tspi_Context_Close(hContext);
	73	- free(authdata);
	74	- exit(result);
	75	+ if (wellknownkey) {
	76	+ memset(authdata, 0, TPM_WELL_KNOWN_KEY_LEN);
	77	+ secretMode = TSS_SECRET_MODE_SHA1;
	78	+ authlen = TPM_WELL_KNOWN_KEY_LEN;
	79	+ }
	80	+ else {
	81	+ if (EVP_read_pw_string(authdata, 128, "SRK Password: ", 0)) {
	82	+ Tspi_Context_CloseObject(hContext, hKey);
	83	+ Tspi_Context_Close(hContext);
	84	+ free(authdata);
	85	+ exit(result);
	86	+ }
	87	+ secretMode = TSS_SECRET_MODE_PLAIN;
	88	+ authlen = strlen(authdata);
	89	}
	90
	91	//Set Secret
	92	if ((result = Tspi_Policy_SetSecret(srkUsagePolicy,
	93	- TSS_SECRET_MODE_PLAIN,
	94	- strlen(authdata),
	95	+ secretMode,
	96	+ authlen,
	97	(BYTE *)authdata))) {
	98	print_error("Tspi_Policy_SetSecret", result);
	99	free(authdata);


diff --git a/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch b/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch new file mode 100644 index 0000000..f718f2e --- /dev/null +++ b/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch
@@ -0,0 +1,80 @@
	1	commit 16dac0cb7b73b8a7088300e45b98ac20819b03ed
	2	Author: Junxian.Xiao <Junxian.Xiao@windriver.com>
	3	Date: Wed Jun 19 18:57:13 2013 +0800
	4
	5	support reading SRK password from env TPM_SRK_PW
	6
	7	Add "env TPM_SRK_PW=xxxx" to set password for libtpm.so. Specially,
	8	use "env TPM_SRK_PW=#WELLKNOWN#" to set well known password.
	9
	10	Signed-off-by: Junxian.Xiao <Junxian.Xiao@windriver.com>
	11
	12	diff --git a/e_tpm.c b/e_tpm.c
	13	index f3e8bcf..7dcb75a 100644
	14	--- a/e_tpm.c
	15	+++ b/e_tpm.c
	16	@@ -38,6 +38,8 @@
	17
	18	#include "e_tpm.h"
	19
	20	+#define TPM_WELL_KNOWN_KEY_LEN 20 /well know key length is 20 bytes zero/
	21	+
	22	//#define DLOPEN_TSPI
	23
	24	#ifndef OPENSSL_NO_HW
	25	@@ -248,6 +250,10 @@ int tpm_load_srk(UI_METHOD ui, void cb_data)
	26	TSS_RESULT result;
	27	UINT32 authusage;
	28	BYTE *auth;
	29	+ char *srkPasswd = NULL;
	30	+ TSS_FLAG secretMode = secret_mode;
	31	+ int authlen = 0;
	32	+
	33
	34	if (hSRK != NULL_HKEY) {
	35	DBGFN("SRK is already loaded.");
	36	@@ -299,18 +305,36 @@ int tpm_load_srk(UI_METHOD ui, void cb_data)
	37	return 0;
	38	}
	39
	40	- if (!tpm_engine_get_auth(ui, (char *)auth, 128, "SRK authorization: ",
	41	- cb_data)) {
	42	- Tspi_Context_CloseObject(hContext, hSRK);
	43	- free(auth);
	44	- TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
	45	- return 0;
	46	+ srkPasswd = getenv("TPM_SRK_PW");
	47	+ if (NULL != srkPasswd) {
	48	+ if (0 == strcmp(srkPasswd, "#WELLKNOWN#")) {
	49	+ memset(auth, 0, TPM_WELL_KNOWN_KEY_LEN);
	50	+ secretMode = TSS_SECRET_MODE_SHA1;
	51	+ authlen = TPM_WELL_KNOWN_KEY_LEN;
	52	+ } else {
	53	+ int authbuflen = 128;
	54	+ memset(auth, 0, authbuflen);
	55	+ strncpy(auth, srkPasswd, authbuflen-1);
	56	+ secretMode = TSS_SECRET_MODE_PLAIN;
	57	+ authlen = strlen(auth);
	58	+ }
	59	+ }
	60	+ else {
	61	+ if (!tpm_engine_get_auth(ui, (char *)auth, 128,
	62	+ "SRK authorization: ", cb_data)) {
	63	+ Tspi_Context_CloseObject(hContext, hSRK);
	64	+ free(auth);
	65	+ TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
	66	+ return 0;
	67	+ }
	68	+ secretMode = secret_mode;
	69	+ authlen = strlen(auth);
	70	}
	71
	72	/* secret_mode is a global that may be set by engine ctrl
	73	* commands. By default, its set to TSS_SECRET_MODE_PLAIN */
	74	- if ((result = Tspi_Policy_SetSecret(hSRKPolicy, secret_mode,
	75	- strlen((char *)auth), auth))) {
	76	+ if ((result = Tspi_Policy_SetSecret(hSRKPolicy, secretMode,
	77	+ authlen, auth))) {
	78	Tspi_Context_CloseObject(hContext, hSRK);
	79	free(auth);
	80	TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);


diff --git a/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-Fix-not-building-libtpm.la.patch b/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-Fix-not-building-libtpm.la.patch new file mode 100644 index 0000000..d24a150 --- /dev/null +++ b/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-Fix-not-building-libtpm.la.patch
@@ -0,0 +1,25 @@
	1	From 7848445a1f4c750ef73bf96f5e89d402f87a1756 Mon Sep 17 00:00:00 2001
	2	From: Lans Zhang <jia.zhang@windriver.com>
	3	Date: Mon, 19 Jun 2017 14:54:28 +0800
	4	Subject: [PATCH] Fix not building libtpm.la
	5
	6	Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
	7	---
	8	Makefile.am \| 4 +++-
	9	1 file changed, 3 insertions(+), 1 deletion(-)
	10
	11	diff --git a/Makefile.am b/Makefile.am
	12	index 6695656..634a7e6 100644
	13	--- a/Makefile.am
	14	+++ b/Makefile.am
	15	@@ -10,4 +10,6 @@ libtpm_la_LIBADD=-lcrypto -lc -ltspi
	16	libtpm_la_SOURCES=e_tpm.c e_tpm.h e_tpm_err.c
	17
	18	create_tpm_key_SOURCES=create_tpm_key.c
	19	-create_tpm_key_LDADD=-ltspi
	20	+create_tpm_key_LDFLAGS=-ltspi
	21	+
	22	+LDADD=libtpm.la
	23	--
	24	2.7.5
	25


diff --git a/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch b/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch new file mode 100644 index 0000000..a88148f --- /dev/null +++ b/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch
@@ -0,0 +1,254 @@
	1	From eb28ad92a2722fd30f8114840cf2b1ade26b80ee Mon Sep 17 00:00:00 2001
	2	From: Limeng <Meng.Li@windriver.com>
	3	Date: Fri, 23 Jun 2017 11:39:04 +0800
	4	Subject: [PATCH] tpm:openssl-tpm-engine:parse an encrypted tpm SRK password
	5	from env
	6
	7	Before, we support reading SRK password from env TPM_SRK_PW,
	8	but it is a plain password and not secure.
	9	So, we improve it and support to get an encrypted (AES algorithm)
	10	SRK password from env, and then parse it. The default decrypting
	11	AES password and salt is set in bb file.
	12	When we initialize TPM, and set a SRK pw, and then we need to
	13	encrypt it with the same AES password and salt by AES algorithm.
	14	At last, we set a env as below:
	15	export TPM_SRK_ENC_PW=xxxxxxxx
	16	"xxxxxxxx" is the encrypted SRK password for libtpm.so.
	17
	18	Signed-off-by: Meng Li <Meng.Li@windriver.com>
	19	---
	20	e_tpm.c \| 157 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
	21	e_tpm.h \| 4 ++
	22	e_tpm_err.c \| 4 ++
	23	3 files changed, 164 insertions(+), 1 deletion(-)
	24
	25	diff --git a/e_tpm.c b/e_tpm.c
	26	index 7dcb75a..11bf74b 100644
	27	--- a/e_tpm.c
	28	+++ b/e_tpm.c
	29	@@ -245,6 +245,118 @@ void ENGINE_load_tpm(void)
	30	ERR_clear_error();
	31	}
	32
	33	+static int tpm_decode_base64(unsigned char *indata,
	34	+ int in_len,
	35	+ unsigned char *outdata,
	36	+ int *out_len)
	37	+{
	38	+ int total_len, len, ret;
	39	+ EVP_ENCODE_CTX dctx;
	40	+
	41	+ EVP_DecodeInit(&dctx);
	42	+
	43	+ total_len = 0;
	44	+ ret = EVP_DecodeUpdate(&dctx, outdata, &len, indata, in_len);
	45	+ if (ret < 0) {
	46	+ TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED);
	47	+ return 1;
	48	+ }
	49	+
	50	+ total_len += len;
	51	+ ret = EVP_DecodeFinal(&dctx, outdata, &len);
	52	+ if (ret < 0) {
	53	+ TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED);
	54	+ return 1;
	55	+ }
	56	+ total_len += len;
	57	+
	58	+ *out_len = total_len;
	59	+
	60	+ return 0;
	61	+}
	62	+
	63	+static int tpm_decrypt_srk_pw(unsigned char *indata, int in_len,
	64	+ unsigned char *outdata,
	65	+ int *out_len)
	66	+{
	67	+ int dec_data_len, dec_data_lenfinal;
	68	+ unsigned char dec_data[256];
	69	+ unsigned char *aes_pw;
	70	+ unsigned char aes_salt[PKCS5_SALT_LEN];
	71	+ unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
	72	+ const EVP_CIPHER *cipher = NULL;
	73	+ const EVP_MD *dgst = NULL;
	74	+ EVP_CIPHER_CTX *ctx = NULL;
	75	+
	76	+ if (sizeof(SRK_DEC_SALT) - 1 > PKCS5_SALT_LEN) {
	77	+ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
	78	+ return 1;
	79	+ }
	80	+
	81	+ aes_pw = malloc(sizeof(SRK_DEC_PW) - 1);
	82	+ if (aes_pw == NULL) {
	83	+ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
	84	+ return 1;
	85	+ }
	86	+
	87	+ memset(aes_salt, 0x00, sizeof(aes_salt));
	88	+ memcpy(aes_pw, SRK_DEC_PW, sizeof(SRK_DEC_PW) - 1);
	89	+ memcpy(aes_salt, SRK_DEC_SALT, sizeof(SRK_DEC_SALT) - 1);
	90	+
	91	+ cipher = EVP_get_cipherbyname("aes-128-cbc");
	92	+ if (cipher == NULL) {
	93	+ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
	94	+ free(aes_pw);
	95	+ return 1;
	96	+ }
	97	+ dgst = EVP_sha256();
	98	+
	99	+ EVP_BytesToKey(cipher, dgst, aes_salt, (unsigned char *)aes_pw, sizeof(SRK_DEC_PW) - 1, 1, key, iv);
	100	+
	101	+ ctx = EVP_CIPHER_CTX_new();
	102	+ /* Don't set key or IV right away; we want to check lengths */
	103	+ if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, 0)) {
	104	+ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
	105	+ free(aes_pw);
	106	+ return 1;
	107	+ }
	108	+
	109	+ OPENSSL_assert(EVP_CIPHER_CTX_key_length(ctx) == 16);
	110	+ OPENSSL_assert(EVP_CIPHER_CTX_iv_length(ctx) == 16);
	111	+
	112	+ if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, 0)) {
	113	+ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
	114	+ free(aes_pw);
	115	+ return 1;
	116	+ }
	117	+
	118	+ if (!EVP_CipherUpdate(ctx, dec_data, &dec_data_len, indata, in_len)) {
	119	+ /* Error */
	120	+ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
	121	+ free(aes_pw);
	122	+ EVP_CIPHER_CTX_free(ctx);
	123	+ return 1;
	124	+ }
	125	+
	126	+ if (!EVP_CipherFinal_ex(ctx, dec_data + dec_data_len, &dec_data_lenfinal)) {
	127	+ /* Error */
	128	+ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
	129	+ free(aes_pw);
	130	+ EVP_CIPHER_CTX_free(ctx);
	131	+ return 1;
	132	+ }
	133	+
	134	+ dec_data_len = dec_data_len + dec_data_lenfinal;
	135	+
	136	+ memcpy(outdata, dec_data, dec_data_len);
	137	+ *out_len = dec_data_len;
	138	+
	139	+ free(aes_pw);
	140	+ EVP_CIPHER_CTX_free(ctx);
	141	+
	142	+ return 0;
	143	+}
	144	+
	145	int tpm_load_srk(UI_METHOD ui, void cb_data)
	146	{
	147	TSS_RESULT result;
	148	@@ -305,8 +417,50 @@ int tpm_load_srk(UI_METHOD ui, void cb_data)
	149	return 0;
	150	}
	151
	152	- srkPasswd = getenv("TPM_SRK_PW");
	153	+ srkPasswd = getenv("TPM_SRK_ENC_PW");
	154	if (NULL != srkPasswd) {
	155	+ int in_len = strlen(srkPasswd);
	156	+ int out_len;
	157	+ unsigned char *out_buf;
	158	+
	159	+ if (!in_len \|\| in_len % 4) {
	160	+ Tspi_Context_CloseObject(hContext, hSRK);
	161	+ free(auth);
	162	+ TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
	163	+ return 0;
	164	+ }
	165	+
	166	+ out_len = in_len * 3 / 4;
	167	+ out_buf = malloc(out_len);
	168	+ if (NULL == out_buf) {
	169	+ Tspi_Context_CloseObject(hContext, hSRK);
	170	+ free(auth);
	171	+ TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
	172	+ return 0;
	173	+ }
	174	+
	175	+ if (tpm_decode_base64(srkPasswd, strlen(srkPasswd),
	176	+ out_buf, &out_len)) {
	177	+ Tspi_Context_CloseObject(hContext, hSRK);
	178	+ free(auth);
	179	+ free(out_buf);
	180	+ TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
	181	+ return 0;
	182	+ }
	183	+
	184	+ if (tpm_decrypt_srk_pw(out_buf, out_len,
	185	+ auth, &authlen)) {
	186	+ Tspi_Context_CloseObject(hContext, hSRK);
	187	+ free(auth);
	188	+ free(out_buf);
	189	+ TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
	190	+ return 0;
	191	+ }
	192	+ secretMode = TSS_SECRET_MODE_PLAIN;
	193	+ free(out_buf);
	194	+ }
	195	+#ifdef TPM_SRK_PLAIN_PW
	196	+ else if (NULL != (srkPasswd = getenv("TPM_SRK_PW")) {
	197	if (0 == strcmp(srkPasswd, "#WELLKNOWN#")) {
	198	memset(auth, 0, TPM_WELL_KNOWN_KEY_LEN);
	199	secretMode = TSS_SECRET_MODE_SHA1;
	200	@@ -319,6 +473,7 @@ int tpm_load_srk(UI_METHOD ui, void cb_data)
	201	authlen = strlen(auth);
	202	}
	203	}
	204	+#endif
	205	else {
	206	if (!tpm_engine_get_auth(ui, (char *)auth, 128,
	207	"SRK authorization: ", cb_data)) {
	208	diff --git a/e_tpm.h b/e_tpm.h
	209	index 6316e0b..56ff202 100644
	210	--- a/e_tpm.h
	211	+++ b/e_tpm.h
	212	@@ -66,6 +66,8 @@ void ERR_TSS_error(int function, int reason, char *file, int line);
	213	#define TPM_F_TPM_FILL_RSA_OBJECT 116
	214	#define TPM_F_TPM_ENGINE_GET_AUTH 117
	215	#define TPM_F_TPM_CREATE_SRK_POLICY 118
	216	+#define TPM_F_TPM_DECODE_BASE64 119
	217	+#define TPM_F_TPM_DECRYPT_SRK_PW 120
	218
	219	/* Reason codes. */
	220	#define TPM_R_ALREADY_LOADED 100
	221	@@ -96,6 +98,8 @@ void ERR_TSS_error(int function, int reason, char *file, int line);
	222	#define TPM_R_ID_INVALID 125
	223	#define TPM_R_UI_METHOD_FAILED 126
	224	#define TPM_R_UNKNOWN_SECRET_MODE 127
	225	+#define TPM_R_DECODE_BASE64_FAILED 128
	226	+#define TPM_R_DECRYPT_SRK_PW_FAILED 129
	227
	228	/* structure pointed to by the RSA object's app_data pointer */
	229	struct rsa_app_data
	230	diff --git a/e_tpm_err.c b/e_tpm_err.c
	231	index 25a5d0f..439e267 100644
	232	--- a/e_tpm_err.c
	233	+++ b/e_tpm_err.c
	234	@@ -235,6 +235,8 @@ static ERR_STRING_DATA TPM_str_functs[] = {
	235	{ERR_PACK(0, TPM_F_TPM_BIND_FN, 0), "TPM_BIND_FN"},
	236	{ERR_PACK(0, TPM_F_TPM_FILL_RSA_OBJECT, 0), "TPM_FILL_RSA_OBJECT"},
	237	{ERR_PACK(0, TPM_F_TPM_ENGINE_GET_AUTH, 0), "TPM_ENGINE_GET_AUTH"},
	238	+ {ERR_PACK(0, TPM_F_TPM_DECODE_BASE64, 0), "TPM_DECODE_BASE64"},
	239	+ {ERR_PACK(0, TPM_F_TPM_DECRYPT_SRK_PW, 0), "TPM_DECRYPT_SRK_PW"},
	240	{0, NULL}
	241	};
	242
	243	@@ -265,6 +267,8 @@ static ERR_STRING_DATA TPM_str_reasons[] = {
	244	{TPM_R_FILE_READ_FAILED, "failed reading the key file"},
	245	{TPM_R_ID_INVALID, "engine id doesn't match"},
	246	{TPM_R_UI_METHOD_FAILED, "ui function failed"},
	247	+ {TPM_R_DECODE_BASE64_FAILED, "decode base64 failed"},
	248	+ {TPM_R_DECRYPT_SRK_PW_FAILED, "decrypt srk password failed"},
	249	{0, NULL}
	250	};
	251
	252	--
	253	2.9.3
	254


diff --git a/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch b/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch new file mode 100644 index 0000000..076704d --- /dev/null +++ b/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch
@@ -0,0 +1,34 @@
	1	From fb44e2814fd819c086f9a4c925427f89c0e8cec6 Mon Sep 17 00:00:00 2001
	2	From: Limeng <Meng.Li@windriver.com>
	3	Date: Fri, 21 Jul 2017 16:32:02 +0800
	4	Subject: [PATCH] tpm:openssl-tpm-engine: change variable c type from char
	5	into int
	6
	7	refer to getopt_long() function definition, its return value type is
	8	int. So, change variable c type from char into int.
	9	On arm platform, when getopt_long() calling fails, if we define c as
	10	char type, its value will be 255, not -1. This will cause code enter
	11	wrong case.
	12
	13	Signed-off-by: Meng Li <Meng.Li@windriver.com>
	14	---
	15	create_tpm_key.c \| 3 ++-
	16	1 file changed, 2 insertions(+), 1 deletion(-)
	17
	18	diff --git a/create_tpm_key.c b/create_tpm_key.c
	19	index 7b94d62..f30af90 100644
	20	--- a/create_tpm_key.c
	21	+++ b/create_tpm_key.c
	22	@@ -148,7 +148,8 @@ int main(int argc, char **argv)
	23	ASN1_OCTET_STRING *blob_str;
	24	unsigned char *blob_asn1 = NULL;
	25	int asn1_len;
	26	- char filename, c, openssl_key = NULL;
	27	+ char filename, openssl_key = NULL;
	28	+ int c;
	29	int option_index, auth = 0, popup = 0, wrap = 0;
	30	int wellknownkey = 0;
	31	UINT32 enc_scheme = TSS_ES_RSAESPKCSV15;
	32	--
	33	1.7.9.5
	34


diff --git a/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.4.2.bb b/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.4.2.bb new file mode 100644 index 0000000..4854f70 --- /dev/null +++ b/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.4.2.bb
@@ -0,0 +1,78 @@
	1	DESCRIPTION = "OpenSSL secure engine based on TPM hardware"
	2	HOMEPAGE = "https://sourceforge.net/projects/trousers/"
	3	SECTION = "security/tpm"
	4
	5	LICENSE = "openssl"
	6	LIC_FILES_CHKSUM = "file://LICENSE;md5=11f0ee3af475c85b907426e285c9bb52"
	7
	8	DEPENDS += "openssl trousers"
	9
	10	SRC_URI = "\
	11	git://git.code.sf.net/p/trousers/openssl_tpm_engine \
	12	file://0001-create-tpm-key-support-well-known-key-option.patch \
	13	file://0002-libtpm-support-env-TPM_SRK_PW.patch \
	14	file://0003-Fix-not-building-libtpm.la.patch \
	15	file://0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch \
	16	file://0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch \
	17	"
	18	SRCREV = "bbc2b1af809f20686e0d3553a62f0175742c0d60"
	19
	20	S = "${WORKDIR}/git"
	21
	22	inherit autotools-brokensep
	23
	24	# The definitions below are used to decrypt the srk password.
	25	# It is allowed to define the values in 3 forms: string, hex number and
	26	# the hybrid, e.g,
	27	# srk_dec_pw = "incendia"
	28	# srk_dec_pw = "\x69\x6e\x63\x65\x6e\x64\x69\x61"
	29	# srk_dec_pw = "\x1""nc""\x3""nd""\x1""a"
	30	#
	31	# Due to the limit of escape character, the hybrid must be written in
	32	# above style. The actual values defined below in C code style are:
	33	# srk_dec_pw[] = { 0x01, 'n', 'c', 0x03, 'n', 'd', 0x01, 'a' };
	34	# srk_dec_salt[] = { 'r', 0x00, 0x00, 't' };
	35	srk_dec_pw ?= "\\"\\\x1\\"\\"nc\\"\\"\\\x3\\"\\"nd\\"\\"\\\x1\\"\\"a\\""
	36	srk_dec_salt ?= "\\"r\\"\\"\\\x00\\\x00\\"\\"t\\""
	37
	38	CFLAGS_append += "-DSRK_DEC_PW=${srk_dec_pw} -DSRK_DEC_SALT=${srk_dec_salt}"
	39
	40	# Uncomment below line if using the plain srk password for development
	41	#CFLAGS_append += "-DTPM_SRK_PLAIN_PW"
	42
	43	do_configure_prepend() {
	44	cd "${S}"
	45	cp LICENSE COPYING
	46	touch NEWS AUTHORS ChangeLog
	47	}
	48
	49	do_install_append() {
	50	install -m 0755 -d "${D}${libdir}/engines"
	51	install -m 0755 -d "${D}${prefix}/local/ssl/lib/engines"
	52	install -m 0755 -d "${D}${libdir}/ssl/engines"
	53
	54	cp -f "${D}${libdir}/openssl/engines/libtpm.so.0.0.0" "${D}${libdir}/libtpm.so.0"
	55	cp -f "${D}${libdir}/openssl/engines/libtpm.so.0.0.0" "${D}${libdir}/engines/libtpm.so"
	56	cp -f "${D}${libdir}/openssl/engines/libtpm.so.0.0.0" "${D}${prefix}/local/ssl/lib/engines/libtpm.so"
	57	mv -f "${D}${libdir}/openssl/engines/libtpm.so.0.0.0" "${D}${libdir}/ssl/engines/libtpm.so"
	58	mv -f "${D}${libdir}/openssl/engines/libtpm.la" "${D}${libdir}/ssl/engines/libtpm.la"
	59	rm -rf "${D}${libdir}/openssl"
	60	}
	61
	62	FILES_${PN}-staticdev += "${libdir}/ssl/engines/libtpm.la"
	63	FILES_${PN}-dbg += "\
	64	${libdir}/ssl/engines/.debug \
	65	${libdir}/engines/.debug \
	66	${prefix}/local/ssl/lib/engines/.debug \
	67	"
	68	FILES_${PN} += "\
	69	${libdir}/ssl/engines/libtpm.so* \
	70	${libdir}/engines/libtpm.so* \
	71	${libdir}/libtpm.so* \
	72	${prefix}/local/ssl/lib/engines/libtpm.so* \
	73	"
	74
	75	RDEPENDS_${PN} += "libcrypto libtspi"
	76
	77	INSANE_SKIP_${PN} = "libdir"
	78	INSANE_SKIP_${PN}-dbg = "libdir"