diff --git a/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss/0001-Drop-support-for-OpenSSL-1.1.0.patch b/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss/0001-Drop-support-for-OpenSSL-1.1.0.patch new file mode 100644 index 0000000..e1ce4c5 --- /dev/null +++ b/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss/0001-Drop-support-for-OpenSSL-1.1.0.patch @@ -0,0 +1,252 @@ +From a53f01711b840ba6ab2f127ea4f0512e60a56728 Mon Sep 17 00:00:00 2001 +From: Petr Gotthard +Date: Sun, 18 Jul 2021 20:21:01 +0200 +Subject: [PATCH] Drop support for OpenSSL < 1.1.0 + +Delete code written to support OpenSSL < 1.1.0 + +Delete functions that have no effect in OpenSSL >= 1.1.0 + - ENGINE_load_builtin_engines() + - OpenSSL_add_all_algorithms() + - ERR_load_crypto_strings() + - EC_KEY_set_asn1_flag(ecKey, OPENSSL_EC_NAMED_CURVE) + +Switch AppVeyor to use pre-built OpenSSL 1.1.0 + +Signed-off-by: Petr Gotthard + +Upstream-Status: Backport +[https://github.com/tpm2-software/tpm2-tss/commit/73d25d6834ad362f9a9a907cb78452deaa336ec0] + +Signed-off-by: Yi Zhao +--- + src/tss2-esys/esys_crypto_ossl.c | 19 ---------------- + src/tss2-fapi/fapi_crypto.c | 37 -------------------------------- + test/helper/tpm_getek.c | 11 ---------- + test/helper/tpm_getek_ecc.c | 9 -------- + 4 files changed, 76 deletions(-) + +diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c +index 2746856..12dc6d9 100644 +--- a/src/tss2-esys/esys_crypto_ossl.c ++++ b/src/tss2-esys/esys_crypto_ossl.c +@@ -525,11 +525,7 @@ iesys_cryptossl_random2b(TPM2B_NONCE * nonce, size_t num_bytes) + nonce->size = num_bytes; + } + +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L + RAND_set_rand_method(RAND_OpenSSL()); +-#else +- RAND_set_rand_method(RAND_SSLeay()); +-#endif + if (1 != RAND_bytes(&nonce->buffer[0], nonce->size)) { + RAND_set_rand_method(rand_save); + return_error(TSS2_ESYS_RC_GENERAL_FAILURE, +@@ -563,11 +559,7 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key, + size_t * out_size, const char *label) + { + const RAND_METHOD *rand_save = RAND_get_rand_method(); +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L + RAND_set_rand_method(RAND_OpenSSL()); +-#else +- RAND_set_rand_method(RAND_SSLeay()); +-#endif + + TSS2_RC r = TSS2_RC_SUCCESS; + const EVP_MD * hashAlg = NULL; +@@ -630,14 +622,6 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key, + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, + "Could not create evp key.", cleanup); + } +-#if OPENSSL_VERSION_NUMBER < 0x10100000L +- if (!BN_bin2bn(pub_tpm_key->publicArea.unique.rsa.buffer, +- pub_tpm_key->publicArea.unique.rsa.size, +- rsa_key->n)) { +- goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, +- "Could not create rsa n.", cleanup); +- } +-#else + BIGNUM *n = NULL; + if (!(n = BN_bin2bn(pub_tpm_key->publicArea.unique.rsa.buffer, + pub_tpm_key->publicArea.unique.rsa.size, +@@ -650,7 +634,6 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key, + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, + "Could not set rsa n.", cleanup); + } +-#endif + + if (1 != EVP_PKEY_set1_RSA(evp_rsa_key, rsa_key)) { + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, +@@ -1129,7 +1112,5 @@ iesys_cryptossl_sym_aes_decrypt(uint8_t * key, + */ + TSS2_RC + iesys_cryptossl_init() { +- ENGINE_load_builtin_engines(); +- OpenSSL_add_all_algorithms(); + return TSS2_RC_SUCCESS; + } +diff --git a/src/tss2-fapi/fapi_crypto.c b/src/tss2-fapi/fapi_crypto.c +index ea68197..5e8fbc8 100644 +--- a/src/tss2-fapi/fapi_crypto.c ++++ b/src/tss2-fapi/fapi_crypto.c +@@ -333,12 +333,7 @@ ifapi_tpm_ecc_sig_to_der( + tpmSignature->signature.ecdsa.signatureR.size, NULL); + goto_if_null(bnr, "Out of memory", TSS2_FAPI_RC_MEMORY, cleanup); + +-#if OPENSSL_VERSION_NUMBER < 0x10100000 +- ecdsaSignature->s = bns; +- ecdsaSignature->r = bnr; +-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */ + ECDSA_SIG_set0(ecdsaSignature, bnr, bns); +-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */ + + osslRC = i2d_ECDSA_SIG(ecdsaSignature, NULL); + if (osslRC == -1) { +@@ -424,20 +419,9 @@ ossl_rsa_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey) + "Could not set exponent.", error_cleanup); + } + +-#if OPENSSL_VERSION_NUMBER < 0x10100000 +- rsa->e = e; +- rsa->n = n; +- rsa->d = d; +- rsa->p = p; +- rsa->q = q; +- rsa->dmp1 = dmp1; +- rsa->dmq1 = dmq1; +- rsa->iqmp = iqmp; +-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */ + RSA_set0_key(rsa, n, e, d); + RSA_set0_factors(rsa, p, q); + RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp); +-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */ + + /* Assign the parameters to the key */ + if (!EVP_PKEY_assign_RSA(evpPublicKey, rsa)) { +@@ -541,8 +525,6 @@ ossl_ecc_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey) + goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Assign ecc key", + error_cleanup); + } +- /* Needed for older OSSL versions. */ +- EC_KEY_set_asn1_flag(ecKey, OPENSSL_EC_NAMED_CURVE); + OSSL_FREE(y, BN); + OSSL_FREE(x, BN); + return TSS2_RC_SUCCESS; +@@ -654,24 +636,14 @@ ifapi_ecc_der_sig_to_tpm( + + /* Initialize the ECDSA signature components */ + ECDSA_SIG *ecdsaSignature = NULL; +-#if OPENSSL_VERSION_NUMBER < 0x10100000 +- BIGNUM *bnr; +- BIGNUM *bns; +-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */ + const BIGNUM *bnr; + const BIGNUM *bns; +-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */ + + d2i_ECDSA_SIG(&ecdsaSignature, &signature, signatureSize); + return_if_null(ecdsaSignature, "Invalid DER signature", + TSS2_FAPI_RC_GENERAL_FAILURE); + +-#if OPENSSL_VERSION_NUMBER < 0x10100000 +- bns = ecdsaSignature->s; +- bnr = ecdsaSignature->r; +-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */ + ECDSA_SIG_get0(ecdsaSignature, &bnr, &bns); +-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */ + + /* Writing them to the TPM format signature */ + tpmSignature->signature.ecdsa.hash = hashAlgorithm; +@@ -933,12 +905,7 @@ get_rsa_tpm2b_public_from_evp( + const BIGNUM *e = NULL, *n = NULL; + int rsaKeySize = RSA_size(rsaKey); + +-#if OPENSSL_VERSION_NUMBER < 0x10100000 +- e = rsaKey->e; +- n = rsaKey->n; +-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */ + RSA_get0_key(rsaKey, &n, &e, NULL); +-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */ + tpmPublic->publicArea.unique.rsa.size = rsaKeySize; + if (1 != ifapi_bn2binpad(n, &tpmPublic->publicArea.unique.rsa.buffer[0], + rsaKeySize)) { +@@ -1650,8 +1617,6 @@ get_crl_from_cert(X509 *cert, X509_CRL **crl) + goto_error(r, TSS2_FAPI_RC_NO_CERT, "Get crl.", cleanup); + } + +- OpenSSL_add_all_algorithms(); +- + unsigned const char* tmp_ptr1 = crl_buffer; + unsigned const char** tmp_ptr2 = &tmp_ptr1; + +@@ -1935,7 +1900,6 @@ ifapi_verify_ek_cert( + r, TSS2_FAPI_RC_BAD_VALUE, cleanup); + } else { + /* Get uri for ek intermediate certificate. */ +- OpenSSL_add_all_algorithms(); + info = X509_get_ext_d2i(ek_cert, NID_info_access, NULL, NULL); + + for (i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++) { +@@ -1955,7 +1919,6 @@ ifapi_verify_ek_cert( + goto_if_null2(cert_buffer, "No certificate downloaded", r, + TSS2_FAPI_RC_NO_CERT, cleanup); + +- OpenSSL_add_all_algorithms(); + intermed_cert = get_cert_from_buffer(cert_buffer, cert_buffer_size); + + SAFE_FREE(cert_buffer); +diff --git a/test/helper/tpm_getek.c b/test/helper/tpm_getek.c +index 02d88b0..3cd7b9f 100644 +--- a/test/helper/tpm_getek.c ++++ b/test/helper/tpm_getek.c +@@ -134,20 +134,9 @@ main (int argc, char *argv[]) + exp = out_public.publicArea.parameters.rsaDetail.exponent; + BN_set_word(e, exp); + +-#if OPENSSL_VERSION_NUMBER < 0x10100000 +- rsa->e = e; +- rsa->n = n; +- rsa->d = d; +- rsa->p = p; +- rsa->q = q; +- rsa->dmp1 = dmp1; +- rsa->dmq1 = dmq1; +- rsa->iqmp = iqmp; +-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */ + RSA_set0_key(rsa, n, e, d); + RSA_set0_factors(rsa, p, q); + RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp); +-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */ + + EVP_PKEY_assign_RSA(evp, rsa); + +diff --git a/test/helper/tpm_getek_ecc.c b/test/helper/tpm_getek_ecc.c +index e7f3dec..e389f18 100644 +--- a/test/helper/tpm_getek_ecc.c ++++ b/test/helper/tpm_getek_ecc.c +@@ -128,14 +128,6 @@ main (int argc, char *argv[]) + /* Convert the key from out_public to PEM */ + + EVP_PKEY *evp = EVP_PKEY_new(); +- +- OpenSSL_add_all_algorithms(); +- +- OpenSSL_add_all_algorithms(); +- +- ERR_load_crypto_strings(); +- +- + EC_KEY *ecc_key = EC_KEY_new(); + BIGNUM *x = NULL, *y = NULL; + BIO *bio = BIO_new_fp(stdout, BIO_NOCLOSE); +@@ -147,7 +139,6 @@ main (int argc, char *argv[]) + if (!EC_KEY_set_group(ecc_key, ecgroup)) + exit(1); + +- EC_KEY_set_asn1_flag(ecc_key, OPENSSL_EC_NAMED_CURVE); + EC_GROUP_free(ecgroup); + + /* Set the ECC parameters in the OpenSSL key */ +-- +2.17.1 + diff --git a/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss/0002-Implement-EVP_PKEY-export-import-for-OpenSSL-3.0.patch b/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss/0002-Implement-EVP_PKEY-export-import-for-OpenSSL-3.0.patch new file mode 100644 index 0000000..1013b4c --- /dev/null +++ b/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss/0002-Implement-EVP_PKEY-export-import-for-OpenSSL-3.0.patch @@ -0,0 +1,1001 @@ +From 2452e8863562a4e5c4f172cf40cb7e713e2b7a6c Mon Sep 17 00:00:00 2001 +From: Petr Gotthard +Date: Sun, 18 Jul 2021 21:30:59 +0200 +Subject: [PATCH] Implement EVP_PKEY export/import for OpenSSL 3.0 + +The `RSA_KEY` and `EC_KEY` are not publicly available in OpenSSL 3.0 and +the generic `EVP_PKEY` must be used instead. +Since export/import of raw keys still requires access to the internal structures +the OpenSSL 3.0 introduced a completely new approach to access key internals. + +This PR: + - preserves the current export/import impementation for OpenSSL 1.1.x + - implements key export/import for OpenSSL 3.0.0 + +Signed-off-by: Petr Gotthard + +Upstream-Status: Backport +[https://github.com/tpm2-software/tpm2-tss/commit/362fda1daa398da2944e76013c215500761d46a5] + +Signed-off-by: Yi Zhao +--- + src/tss2-esys/esys_crypto_ossl.c | 154 ++++++++++++----- + src/tss2-fapi/fapi_crypto.c | 275 +++++++++++++++++++++---------- + test/helper/tpm_getek.c | 53 +++--- + test/helper/tpm_getek_ecc.c | 61 +++++-- + 4 files changed, 386 insertions(+), 157 deletions(-) + +diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c +index 12dc6d9..a0e200f 100644 +--- a/src/tss2-esys/esys_crypto_ossl.c ++++ b/src/tss2-esys/esys_crypto_ossl.c +@@ -8,9 +8,17 @@ + #include + #endif + ++#include + #include +-#include + #include ++#include ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#include ++#else ++#include ++#include ++#include ++#endif + #include + #include + +@@ -324,9 +332,14 @@ iesys_cryptossl_hmac_start(IESYS_CRYPTO_CONTEXT_BLOB ** context, + "Error EVP_MD_CTX_create", cleanup); + } + ++#if OPENSSL_VERSION_NUMBER < 0x10101000L + if (!(hkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, key, size))) { ++#else ++ /* this is preferred, but available since OpenSSL 1.1.1 only */ ++ if (!(hkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, key, size))) { ++#endif + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, +- "EVP_PKEY_new_mac_key", cleanup); ++ "Failed to create HMAC key", cleanup); + } + + if(1 != EVP_DigestSignInit(mycontext->hmac.ossl_context, NULL, +@@ -517,7 +530,10 @@ iesys_cryptossl_hmac_abort(IESYS_CRYPTO_CONTEXT_BLOB ** context) + TSS2_RC + iesys_cryptossl_random2b(TPM2B_NONCE * nonce, size_t num_bytes) + { ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + const RAND_METHOD *rand_save = RAND_get_rand_method(); ++ RAND_set_rand_method(RAND_OpenSSL()); ++#endif + + if (num_bytes == 0) { + nonce->size = sizeof(TPMU_HA); +@@ -525,13 +541,16 @@ iesys_cryptossl_random2b(TPM2B_NONCE * nonce, size_t num_bytes) + nonce->size = num_bytes; + } + +- RAND_set_rand_method(RAND_OpenSSL()); + if (1 != RAND_bytes(&nonce->buffer[0], nonce->size)) { ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + RAND_set_rand_method(rand_save); ++#endif + return_error(TSS2_ESYS_RC_GENERAL_FAILURE, + "Failure in random number generator."); + } ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + RAND_set_rand_method(rand_save); ++#endif + return TSS2_RC_SUCCESS; + } + +@@ -558,30 +577,33 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key, + BYTE * out_buffer, + size_t * out_size, const char *label) + { ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++ RSA *rsa_key = NULL; + const RAND_METHOD *rand_save = RAND_get_rand_method(); ++ + RAND_set_rand_method(RAND_OpenSSL()); ++#else ++ OSSL_PARAM *params = NULL; ++ OSSL_PARAM_BLD *build = NULL; ++#endif + + TSS2_RC r = TSS2_RC_SUCCESS; + const EVP_MD * hashAlg = NULL; +- RSA * rsa_key = NULL; + EVP_PKEY *evp_rsa_key = NULL; +- EVP_PKEY_CTX *ctx = NULL; +- BIGNUM* bne = NULL; ++ EVP_PKEY_CTX *genctx = NULL, *ctx = NULL; ++ BIGNUM *bne = NULL, *n = NULL; + int padding; + char *label_copy = NULL; + + if (!(hashAlg = get_ossl_hash_md(pub_tpm_key->publicArea.nameAlg))) { + LOG_ERROR("Unsupported hash algorithm (%"PRIu16")", + pub_tpm_key->publicArea.nameAlg); ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + RAND_set_rand_method(rand_save); ++#endif + return TSS2_ESYS_RC_NOT_IMPLEMENTED; + } + +- if (!(bne = BN_new())) { +- goto_error(r, TSS2_ESYS_RC_MEMORY, +- "Could not allocate Big Number", cleanup); +- } +- + switch (pub_tpm_key->publicArea.parameters.rsaDetail.scheme.scheme) { + case TPM2_ALG_NULL: + padding = RSA_NO_PADDING; +@@ -601,44 +623,64 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key, + exp = 65537; + else + exp = pub_tpm_key->publicArea.parameters.rsaDetail.exponent; +- if (1 != BN_set_word(bne, exp)) { ++ ++ if (!(n = BN_bin2bn(pub_tpm_key->publicArea.unique.rsa.buffer, ++ pub_tpm_key->publicArea.unique.rsa.size, ++ NULL))) { + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, +- "Could not set exponent.", cleanup); ++ "Could not create rsa n.", cleanup); + } + ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + if (!(rsa_key = RSA_new())) { + goto_error(r, TSS2_ESYS_RC_MEMORY, + "Could not allocate RSA key", cleanup); + } + +- if (1 != RSA_generate_key_ex(rsa_key, +- pub_tpm_key->publicArea.parameters.rsaDetail.keyBits, +- bne, NULL)) { +- goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Could not generate RSA key", +- cleanup); ++ if (!(bne = BN_new())) { ++ goto_error(r, TSS2_ESYS_RC_MEMORY, ++ "Could not allocate Big Number", cleanup); + } +- +- if (!(evp_rsa_key = EVP_PKEY_new())) { ++ if (1 != BN_set_word(bne, exp)) { + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, +- "Could not create evp key.", cleanup); ++ "Could not set exponent.", cleanup); + } +- BIGNUM *n = NULL; +- if (!(n = BN_bin2bn(pub_tpm_key->publicArea.unique.rsa.buffer, +- pub_tpm_key->publicArea.unique.rsa.size, +- NULL))) { ++ ++ if (1 != RSA_set0_key(rsa_key, n, bne, NULL)) { + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, +- "Could not create rsa n.", cleanup); ++ "Could not set rsa n.", cleanup); + } ++ /* ownership got transferred */ ++ n = NULL; ++ bne = NULL; + +- if (1 != RSA_set0_key(rsa_key, n, NULL, NULL)) { ++ if (!(evp_rsa_key = EVP_PKEY_new())) { + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, +- "Could not set rsa n.", cleanup); ++ "Could not create evp key.", cleanup); + } + +- if (1 != EVP_PKEY_set1_RSA(evp_rsa_key, rsa_key)) { ++ if (1 != EVP_PKEY_assign_RSA(evp_rsa_key, rsa_key)) { + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, + "Could not set rsa key.", cleanup); + } ++ /* ownership got transferred */ ++ rsa_key = NULL; ++#else /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++ if ((build = OSSL_PARAM_BLD_new()) == NULL ++ || !OSSL_PARAM_BLD_push_BN(build, OSSL_PKEY_PARAM_RSA_N, n) ++ || !OSSL_PARAM_BLD_push_uint32(build, OSSL_PKEY_PARAM_RSA_E, exp) ++ || (params = OSSL_PARAM_BLD_to_param(build)) == NULL) { ++ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Could not create rsa parameters.", ++ cleanup); ++ } ++ ++ if ((genctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL)) == NULL ++ || EVP_PKEY_fromdata_init(genctx) <= 0 ++ || EVP_PKEY_fromdata(genctx, &evp_rsa_key, EVP_PKEY_PUBLIC_KEY, params) <= 0) { ++ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Could not create rsa key.", ++ cleanup); ++ } ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ + + if (!(ctx = EVP_PKEY_CTX_new(evp_rsa_key, NULL))) { + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, +@@ -692,11 +734,18 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key, + r = TSS2_RC_SUCCESS; + + cleanup: ++ OSSL_FREE(genctx, EVP_PKEY_CTX); + OSSL_FREE(ctx, EVP_PKEY_CTX); + OSSL_FREE(evp_rsa_key, EVP_PKEY); +- OSSL_FREE(rsa_key, RSA); + OSSL_FREE(bne, BN); ++ OSSL_FREE(n, BN); ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++ OSSL_FREE(rsa_key, RSA); + RAND_set_rand_method(rand_save); ++#else ++ OSSL_FREE(params, OSSL_PARAM); ++ OSSL_FREE(build, OSSL_PARAM_BLD); ++#endif + return r; + } + +@@ -784,8 +833,14 @@ iesys_cryptossl_get_ecdh_point(TPM2B_PUBLIC *key, + { + TSS2_RC r = TSS2_RC_SUCCESS; + EC_GROUP *group = NULL; /* Group defines the used curve */ +- EC_KEY *eph_ec_key = NULL; /* Ephemeral ec key of application */ ++ EVP_PKEY_CTX *ctx = NULL; ++ EVP_PKEY *eph_pkey = NULL; ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + const EC_POINT *eph_pub_key = NULL; /* Public part of ephemeral key */ ++ const BIGNUM *eph_priv_key = NULL; ++#else ++ BIGNUM *eph_priv_key = NULL; ++#endif + EC_POINT *tpm_pub_key = NULL; /* Public part of TPM key */ + EC_POINT *mul_eph_tpm = NULL; + BIGNUM *bn_x = NULL; +@@ -827,23 +882,25 @@ iesys_cryptossl_get_ecdh_point(TPM2B_PUBLIC *key, + } + + /* Create ephemeral key */ +- if (!(eph_ec_key = EC_KEY_new())) { ++ if ((ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL)) == NULL ++ || EVP_PKEY_keygen_init(ctx) <= 0) { + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, +- "Create ec key", cleanup); ++ "Initialize ec key generation", cleanup); + } +- if (1 != EC_KEY_set_group(eph_ec_key , group)) { + +- goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Set group", cleanup); +- } +- +- if (1 != EC_KEY_generate_key(eph_ec_key)) { ++ if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, curveId) <= 0 ++ || EVP_PKEY_keygen(ctx, &eph_pkey) <= 0) { + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Generate ec key", cleanup); + } + ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++ EC_KEY *eph_ec_key = EVP_PKEY_get0_EC_KEY(eph_pkey); ++ + if (!(eph_pub_key = EC_KEY_get0_public_key(eph_ec_key))) { + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Get public key", cleanup); + } + ++ eph_priv_key = EC_KEY_get0_private_key(eph_ec_key); + if (1 != EC_POINT_is_on_curve(group, eph_pub_key, NULL)) { + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, + "Ephemeral public key is on curve",cleanup); +@@ -861,8 +918,16 @@ iesys_cryptossl_get_ecdh_point(TPM2B_PUBLIC *key, + if (1 != EC_POINT_get_affine_coordinates_tss(group, eph_pub_key, bn_x, + bn_y, NULL)) { + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, +- "Get affine x coordinate", cleanup); ++ "Get affine coordinates", cleanup); ++ } ++#else ++ if (!EVP_PKEY_get_bn_param(eph_pkey, OSSL_PKEY_PARAM_PRIV_KEY, &eph_priv_key) ++ || !EVP_PKEY_get_bn_param(eph_pkey, OSSL_PKEY_PARAM_EC_PUB_X, &bn_x) ++ || !EVP_PKEY_get_bn_param(eph_pkey, OSSL_PKEY_PARAM_EC_PUB_Y, &bn_y)) { ++ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, ++ "Get ephemeral key", cleanup); + } ++#endif + + if (1 != iesys_bn2binpad(bn_x, &Q->x.buffer[0], key_size)) { + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, +@@ -881,13 +946,11 @@ iesys_cryptossl_get_ecdh_point(TPM2B_PUBLIC *key, + r = tpm_pub_to_ossl_pub(group, key, &tpm_pub_key); + goto_if_error(r, "Convert TPM pub point to ossl pub point", cleanup); + +- /* Multiply the ephemeral private key with TPM public key */ +- const BIGNUM * eph_priv_key = EC_KEY_get0_private_key(eph_ec_key); +- + if (!(mul_eph_tpm = EC_POINT_new(group))) { + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Create point.", cleanup); + } + ++ /* Multiply the ephemeral private key with TPM public key */ + if (1 != EC_POINT_mul(group, mul_eph_tpm, NULL, + tpm_pub_key, eph_priv_key, NULL)) { + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, +@@ -918,8 +981,13 @@ iesys_cryptossl_get_ecdh_point(TPM2B_PUBLIC *key, + OSSL_FREE(mul_eph_tpm, EC_POINT); + OSSL_FREE(tpm_pub_key, EC_POINT); + OSSL_FREE(group,EC_GROUP); +- OSSL_FREE(eph_ec_key, EC_KEY); ++ OSSL_FREE(ctx, EVP_PKEY_CTX); ++ OSSL_FREE(eph_pkey, EVP_PKEY); ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + /* Note: free of eph_pub_key already done by free of eph_ec_key */ ++#else ++ OSSL_FREE(eph_priv_key, BN); ++#endif + OSSL_FREE(bn_x, BN); + OSSL_FREE(bn_y, BN); + return r; +diff --git a/src/tss2-fapi/fapi_crypto.c b/src/tss2-fapi/fapi_crypto.c +index 5e8fbc8..9cee10f 100644 +--- a/src/tss2-fapi/fapi_crypto.c ++++ b/src/tss2-fapi/fapi_crypto.c +@@ -11,10 +11,15 @@ + #include + + #include +-#include + #include +-#include + #include ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#include ++#else ++#include ++#include ++#include ++#endif + #include + #include + #include +@@ -380,66 +385,89 @@ cleanup: + * @retval TSS2_FAPI_RC_MEMORY if not enough memory can be allocated. + */ + static TSS2_RC +-ossl_rsa_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey) ++ossl_rsa_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY **evpPublicKey) + { ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++ RSA *rsa = NULL; ++#else ++ OSSL_PARAM_BLD *build = NULL; ++ OSSL_PARAM *params = NULL; ++ EVP_PKEY_CTX *ctx = NULL; ++#endif ++ + /* Check for NULL parameters */ + return_if_null(tpmPublicKey, "tpmPublicKey is NULL", TSS2_FAPI_RC_BAD_REFERENCE); + return_if_null(evpPublicKey, "evpPublicKey is NULL", TSS2_FAPI_RC_BAD_REFERENCE); + ++ TSS2_RC r = TSS2_RC_SUCCESS; + /* Initialize the RSA parameters */ +- TSS2_RC r; +- RSA *rsa = RSA_new(); +- BIGNUM *e = BN_new(); +- BIGNUM *d = BN_new(); +- BIGNUM *p = BN_new(); +- BIGNUM *q = BN_new(); +- BIGNUM *dmp1 = BN_new(); +- BIGNUM *dmq1 = BN_new(); +- BIGNUM *iqmp = BN_new(); ++ BIGNUM *e = NULL; + BIGNUM *n = BN_bin2bn(tpmPublicKey->publicArea.unique.rsa.buffer, + tpmPublicKey->publicArea.unique.rsa.size, NULL); +- +- if (!n || !e || !d || !p || !q || !dmp1 || !dmq1 || !iqmp || !rsa) { ++ if (!n) { + goto_error(r, TSS2_FAPI_RC_MEMORY, "Out of memory", error_cleanup); + } + +- BN_set_word(d, 0); +- BN_set_word(p, 0); +- BN_set_word(q, 0); +- BN_set_word(dmp1, 0); +- BN_set_word(dmq1, 0); +- BN_set_word(iqmp, 0); + uint32_t exp; + if (tpmPublicKey->publicArea.parameters.rsaDetail.exponent == 0) + exp = 65537; + else + exp = tpmPublicKey->publicArea.parameters.rsaDetail.exponent; ++ ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++ if ((rsa = RSA_new()) == NULL) { ++ goto_error(r, TSS2_FAPI_RC_MEMORY, "Out of memory", error_cleanup); ++ } ++ ++ if ((e = BN_new()) == NULL) { ++ goto_error(r, TSS2_FAPI_RC_MEMORY, "Out of memory", error_cleanup); ++ } + if (1 != BN_set_word(e, exp)) { + goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, + "Could not set exponent.", error_cleanup); + } + +- RSA_set0_key(rsa, n, e, d); +- RSA_set0_factors(rsa, p, q); +- RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp); ++ if (!RSA_set0_key(rsa, n, e, NULL)) { ++ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, ++ "Could not set public key.", error_cleanup); ++ } ++ n = NULL; /* ownership transferred */ ++ e = NULL; ++ ++ *evpPublicKey = EVP_PKEY_new(); ++ goto_if_null2(*evpPublicKey, "Out of memory.", r, TSS2_FAPI_RC_MEMORY, error_cleanup); + + /* Assign the parameters to the key */ +- if (!EVP_PKEY_assign_RSA(evpPublicKey, rsa)) { ++ if (!EVP_PKEY_assign_RSA(*evpPublicKey, rsa)) { ++ EVP_PKEY_free(*evpPublicKey); + goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Assign rsa key", + error_cleanup); + } +- return TSS2_RC_SUCCESS; +- ++ rsa = NULL; /* ownership transferred */ + error_cleanup: + OSSL_FREE(rsa, RSA); ++#else /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++ if ((build = OSSL_PARAM_BLD_new()) == NULL ++ || !OSSL_PARAM_BLD_push_BN(build, OSSL_PKEY_PARAM_RSA_N, n) ++ || !OSSL_PARAM_BLD_push_uint32(build, OSSL_PKEY_PARAM_RSA_E, exp) ++ || (params = OSSL_PARAM_BLD_to_param(build)) == NULL) { ++ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Create rsa key parameters", ++ error_cleanup); ++ } ++ ++ if ((ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL)) == NULL ++ || EVP_PKEY_fromdata_init(ctx) <= 0 ++ || EVP_PKEY_fromdata(ctx, evpPublicKey, EVP_PKEY_PUBLIC_KEY, params) <= 0) { ++ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Create rsa key", ++ error_cleanup); ++ } ++error_cleanup: ++ OSSL_FREE(ctx, EVP_PKEY_CTX); ++ OSSL_FREE(params, OSSL_PARAM); ++ OSSL_FREE(build, OSSL_PARAM_BLD); ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ + OSSL_FREE(e, BN); + OSSL_FREE(n, BN); +- OSSL_FREE(d, BN); +- OSSL_FREE(p, BN); +- OSSL_FREE(q, BN); +- OSSL_FREE(dmp1, BN); +- OSSL_FREE(dmq1, BN); +- OSSL_FREE(iqmp, BN); + return r; + } + +@@ -459,18 +487,26 @@ error_cleanup: + * the function. + */ + static TSS2_RC +-ossl_ecc_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey) ++ossl_ecc_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY **evpPublicKey) + { + /* Check for NULL parameters */ + return_if_null(tpmPublicKey, "tpmPublicKey is NULL", TSS2_FAPI_RC_BAD_REFERENCE); + return_if_null(evpPublicKey, "evpPublicKey is NULL", TSS2_FAPI_RC_BAD_REFERENCE); + +- TSS2_RC r; ++ TSS2_RC r = TSS2_RC_SUCCESS; + EC_GROUP *ecgroup = NULL; + int curveId; + BIGNUM *x = NULL, *y = NULL; +- EC_KEY *ecKey = EC_KEY_new(); +- return_if_null(ecKey, "Out of memory.", TSS2_FAPI_RC_MEMORY); ++ EC_POINT *ecPoint = NULL; ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++ EC_KEY *ecKey = NULL; ++#else ++ OSSL_PARAM_BLD *build = NULL; ++ OSSL_PARAM *params = NULL; ++ EVP_PKEY_CTX *ctx = NULL; ++ unsigned char *puboct = NULL; ++ size_t bsize; ++#endif + + /* Find the curve of the ECC key */ + switch (tpmPublicKey->publicArea.parameters.eccDetail.curveID) { +@@ -499,12 +535,6 @@ ossl_ecc_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey) + goto_if_null(ecgroup, "new EC group.", TSS2_FAPI_RC_GENERAL_FAILURE, + error_cleanup); + +- if (!EC_KEY_set_group(ecKey, ecgroup)) { +- goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "EC_KEY_set_group", +- error_cleanup); +- } +- EC_GROUP_free(ecgroup); +- + /* Set the ECC parameters in the OpenSSL key */ + x = BN_bin2bn(tpmPublicKey->publicArea.unique.ecc.x.buffer, + tpmPublicKey->publicArea.unique.ecc.x.size, NULL); +@@ -516,23 +546,67 @@ ossl_ecc_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey) + goto_error(r, TSS2_FAPI_RC_MEMORY, "Out of memory", error_cleanup); + } + +- if (!EC_KEY_set_public_key_affine_coordinates(ecKey, x, y)) { ++ if ((ecPoint = EC_POINT_new(ecgroup)) == NULL ++ || !EC_POINT_set_affine_coordinates_tss(ecgroup, ecPoint, x, y, NULL)) { ++ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "EC_POINT_set_affine_coordinates", ++ error_cleanup); ++ } ++ ++#if OPENSSL_VERSION_NUMBER < 0x30000000 ++ ecKey = EC_KEY_new(); ++ return_if_null(ecKey, "Out of memory.", TSS2_FAPI_RC_MEMORY); ++ ++ if (!EC_KEY_set_group(ecKey, ecgroup)) { ++ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "EC_KEY_set_group", ++ error_cleanup); ++ } ++ ++ if (!EC_KEY_set_public_key(ecKey, ecPoint)) { + goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, +- "EC_KEY_set_public_key_affine_coordinates", error_cleanup); ++ "EC_KEY_set_public_key", error_cleanup); + } + +- if (!EVP_PKEY_assign_EC_KEY(evpPublicKey, ecKey)) { ++ *evpPublicKey = EVP_PKEY_new(); ++ goto_if_null2(*evpPublicKey, "Out of memory.", r, TSS2_FAPI_RC_MEMORY, error_cleanup); ++ ++ if (!EVP_PKEY_assign_EC_KEY(*evpPublicKey, ecKey)) { ++ EVP_PKEY_free(*evpPublicKey); + goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Assign ecc key", + error_cleanup); + } +- OSSL_FREE(y, BN); +- OSSL_FREE(x, BN); +- return TSS2_RC_SUCCESS; ++ ecKey = NULL; /* ownership transferred */ ++error_cleanup: ++ OSSL_FREE(ecKey, EC_KEY); ++#else ++ if ((build = OSSL_PARAM_BLD_new()) == NULL ++ || !OSSL_PARAM_BLD_push_utf8_string(build, OSSL_PKEY_PARAM_GROUP_NAME, ++ (char *)OBJ_nid2sn(curveId), 0) ++ || (bsize = EC_POINT_point2buf(ecgroup, ecPoint, ++ POINT_CONVERSION_COMPRESSED, ++ &puboct, NULL)) == 0 ++ || !OSSL_PARAM_BLD_push_octet_string(build, OSSL_PKEY_PARAM_PUB_KEY, ++ puboct, bsize) ++ || (params = OSSL_PARAM_BLD_to_param(build)) == NULL) { ++ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Create ecc key parameters", ++ error_cleanup); ++ } + ++ if ((ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)) == NULL ++ || EVP_PKEY_fromdata_init(ctx) <= 0 ++ || EVP_PKEY_fromdata(ctx, evpPublicKey, EVP_PKEY_PUBLIC_KEY, params) <= 0) { ++ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Create ecc key", ++ error_cleanup); ++ } + error_cleanup: ++ EVP_PKEY_CTX_free(ctx); ++ OSSL_PARAM_free(params); ++ OSSL_PARAM_BLD_free(build); ++ OPENSSL_free(puboct); ++#endif ++ OSSL_FREE(ecPoint, EC_POINT); ++ OSSL_FREE(ecgroup, EC_GROUP); + OSSL_FREE(y, BN); + OSSL_FREE(x, BN); +- OSSL_FREE(ecKey, EC_KEY); + return r; + } + +@@ -567,18 +641,15 @@ ifapi_pub_pem_key_from_tpm( + BIO *bio = NULL; + TSS2_RC r = TPM2_RC_SUCCESS; + +- evpPublicKey = EVP_PKEY_new(); +- goto_if_null2(evpPublicKey, "Out of memory.", r, TSS2_FAPI_RC_MEMORY, cleanup); +- + /* Memory IO will be used for OSSL key conversion */ + bio = BIO_new(BIO_s_mem()); +- goto_if_null2(evpPublicKey, "Out of memory.", r, TSS2_FAPI_RC_MEMORY, cleanup); ++ goto_if_null2(bio, "Out of memory.", r, TSS2_FAPI_RC_MEMORY, cleanup); + + if (tpmPublicKey->publicArea.type == TPM2_ALG_RSA) { +- r = ossl_rsa_pub_from_tpm(tpmPublicKey, evpPublicKey); +- } else if (tpmPublicKey->publicArea.type == TPM2_ALG_ECC) +- r = ossl_ecc_pub_from_tpm(tpmPublicKey, evpPublicKey); +- else { ++ r = ossl_rsa_pub_from_tpm(tpmPublicKey, &evpPublicKey); ++ } else if (tpmPublicKey->publicArea.type == TPM2_ALG_ECC) { ++ r = ossl_ecc_pub_from_tpm(tpmPublicKey, &evpPublicKey); ++ } else { + goto_error(r, TSS2_FAPI_RC_BAD_VALUE, "Invalid alg id.", cleanup); + } + goto_if_error(r, "Get ossl public key.", cleanup); +@@ -708,7 +779,6 @@ ifapi_der_sig_to_tpm( + signatureSize); + } else { + return_error(TSS2_FAPI_RC_BAD_VALUE, "Invalid RSA scheme."); +- + } + } else if (tpmPublic->type == TPM2_ALG_ECC) { + return ifapi_ecc_der_sig_to_tpm(signature, signatureSize, +@@ -856,12 +926,16 @@ ecdsa_verify_signature( + return_if_null(digest, "digest is NULL", TSS2_FAPI_RC_BAD_REFERENCE); + + TSS2_RC r = TSS2_RC_SUCCESS; +- EC_KEY *eccKey = NULL; ++ EVP_PKEY_CTX *ctx = NULL; + +- eccKey = EVP_PKEY_get1_EC_KEY(publicKey); ++ if ((ctx = EVP_PKEY_CTX_new(publicKey, NULL)) == NULL ++ || !EVP_PKEY_verify_init(ctx)) { ++ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, ++ "Cannot initialize signature verification.", error_cleanup); ++ } + + /* Try to verify the signature using ECDSA, note that param 0 is unused */ +- int rc = ECDSA_verify(0, digest, digestSize, signature, signatureSize, eccKey); ++ int rc = EVP_PKEY_verify(ctx, signature, signatureSize, digest, digestSize); + if (rc == 0) { + goto_error(r, TSS2_FAPI_RC_SIGNATURE_VERIFICATION_FAILED, + "ECDSA signature verification failed.", error_cleanup); +@@ -871,7 +945,7 @@ ecdsa_verify_signature( + } + + error_cleanup: +- OSSL_FREE(eccKey, EC_KEY); ++ OSSL_FREE(ctx, EVP_PKEY_CTX); + return r; + } + +@@ -900,23 +974,43 @@ get_rsa_tpm2b_public_from_evp( + + /* Extract the public information */ + TSS2_RC r = TSS2_RC_SUCCESS; ++ int keyBits, keySize; ++ ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++ const BIGNUM *e = NULL, *n = NULL; + RSA *rsaKey = EVP_PKEY_get1_RSA(publicKey); + return_if_null(rsaKey, "Out of memory.", TSS2_FAPI_RC_MEMORY); +- const BIGNUM *e = NULL, *n = NULL; +- int rsaKeySize = RSA_size(rsaKey); + ++ keySize = RSA_size(rsaKey); ++ keyBits = keySize * 8; + RSA_get0_key(rsaKey, &n, &e, NULL); +- tpmPublic->publicArea.unique.rsa.size = rsaKeySize; ++#else ++ BIGNUM *e = NULL, *n = NULL; ++ ++ keyBits = EVP_PKEY_get_bits(publicKey); ++ keySize = (keyBits + 7) / 8; ++ if (!EVP_PKEY_get_bn_param(publicKey, OSSL_PKEY_PARAM_RSA_N, &n) ++ || !EVP_PKEY_get_bn_param(publicKey, OSSL_PKEY_PARAM_RSA_E, &e)) { ++ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, ++ "Retrieve pubkey", cleanup); ++ } ++#endif ++ tpmPublic->publicArea.unique.rsa.size = keySize; + if (1 != ifapi_bn2binpad(n, &tpmPublic->publicArea.unique.rsa.buffer[0], +- rsaKeySize)) { ++ keySize)) { + goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, + "Write big num byte buffer", cleanup); + } +- tpmPublic->publicArea.parameters.rsaDetail.keyBits = rsaKeySize * 8; ++ tpmPublic->publicArea.parameters.rsaDetail.keyBits = keyBits; + tpmPublic->publicArea.parameters.rsaDetail.exponent = BN_get_word(e); + + cleanup: ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + OSSL_FREE(rsaKey, RSA); ++#else ++ BN_free(e); ++ BN_free(n); ++#endif + return r; + } + +@@ -947,27 +1041,22 @@ get_ecc_tpm2b_public_from_evp( + + /* Initialize variables that will contain the relevant information */ + TSS2_RC r = TSS2_RC_SUCCESS; +- EC_KEY *ecKey = EVP_PKEY_get1_EC_KEY(publicKey); +- return_if_null(ecKey, "Out of memory.", TSS2_FAPI_RC_MEMORY); +- const EC_GROUP *ecGroup; +- const EC_POINT *publicPoint; + int curveId; + size_t ecKeySize; + BIGNUM *bnX = NULL; + BIGNUM *bnY = NULL; + TPMI_ECC_CURVE tpmCurveId; +- +- if (!ecKey) { +- return_error(TSS2_FAPI_RC_GENERAL_FAILURE, "No ECC key!"); +- } ++#if OPENSSL_VERSION_NUMBER < 0x30000000 ++ const EC_GROUP *ecGroup; ++ const EC_POINT *publicPoint; ++ EC_KEY *ecKey = EVP_PKEY_get1_EC_KEY(publicKey); ++ return_if_null(ecKey, "Out of memory.", TSS2_FAPI_RC_MEMORY); + + /* Retrieve the relevant information and write it to tpmPublic */ + ecGroup = EC_KEY_get0_group(ecKey); + publicPoint = EC_KEY_get0_public_key(ecKey); + curveId = EC_GROUP_get_curve_name(ecGroup); +- ecKeySize = EC_GROUP_get_degree(ecGroup) / 8; +- tpmPublic->publicArea.unique.ecc.x.size = ecKeySize; +- tpmPublic->publicArea.unique.ecc.y.size = ecKeySize; ++ ecKeySize = (EC_GROUP_get_degree(ecGroup) + 7) / 8; + + if (!(bnX = BN_new())) { + goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Create bignum", cleanup); +@@ -982,6 +1071,23 @@ get_ecc_tpm2b_public_from_evp( + goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, + "Get affine coordinates", cleanup); + } ++#else ++ char curveName[80]; ++ ++ if (!EVP_PKEY_get_utf8_string_param(publicKey, OSSL_PKEY_PARAM_GROUP_NAME, ++ curveName, sizeof(curveName), NULL) ++ || !EVP_PKEY_get_bn_param(publicKey, OSSL_PKEY_PARAM_EC_PUB_X, &bnX) ++ || !EVP_PKEY_get_bn_param(publicKey, OSSL_PKEY_PARAM_EC_PUB_Y, &bnY)) { ++ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, ++ "Get public key", cleanup); ++ } ++ curveId = OBJ_txt2nid(curveName); ++ EC_GROUP *ecGroup = EC_GROUP_new_by_curve_name(curveId); ++ ecKeySize = (EC_GROUP_get_degree(ecGroup) + 7) / 8; ++ EC_GROUP_free(ecGroup); ++#endif ++ tpmPublic->publicArea.unique.ecc.x.size = ecKeySize; ++ tpmPublic->publicArea.unique.ecc.y.size = ecKeySize; + if (1 != ifapi_bn2binpad(bnX, &tpmPublic->publicArea.unique.ecc.x.buffer[0], + ecKeySize)) { + goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, +@@ -1015,7 +1121,9 @@ get_ecc_tpm2b_public_from_evp( + tpmPublic->publicArea.parameters.eccDetail.curveID = tpmCurveId; + + cleanup: ++#if OPENSSL_VERSION_NUMBER < 0x30000000 + OSSL_FREE(ecKey, EC_KEY); ++#endif + OSSL_FREE(bnX, BN); + OSSL_FREE(bnY, BN); + return r; +@@ -2075,14 +2183,11 @@ ifapi_get_tpm_key_fingerprint( + "Unsupported hash algorithm (%" PRIu16 ")", cleanup, + hashAlg); + +- evpPublicKey = EVP_PKEY_new(); +- goto_if_null2(evpPublicKey, "Out of memory.", r, TSS2_FAPI_RC_MEMORY, cleanup); +- + if (tpmPublicKey->publicArea.type == TPM2_ALG_RSA) { +- r = ossl_rsa_pub_from_tpm(tpmPublicKey, evpPublicKey); +- } else if (tpmPublicKey->publicArea.type == TPM2_ALG_ECC) +- r = ossl_ecc_pub_from_tpm(tpmPublicKey, evpPublicKey); +- else { ++ r = ossl_rsa_pub_from_tpm(tpmPublicKey, &evpPublicKey); ++ } else if (tpmPublicKey->publicArea.type == TPM2_ALG_ECC) { ++ r = ossl_ecc_pub_from_tpm(tpmPublicKey, &evpPublicKey); ++ } else { + goto_error(r,TSS2_FAPI_RC_BAD_VALUE, "Invalid alg id.", cleanup); + } + goto_if_error(r, "Get ossl public key.", cleanup); +diff --git a/test/helper/tpm_getek.c b/test/helper/tpm_getek.c +index 3cd7b9f..bbe8770 100644 +--- a/test/helper/tpm_getek.c ++++ b/test/helper/tpm_getek.c +@@ -7,8 +7,14 @@ + #include + #include + #include +-#include + #include ++#if OPENSSL_VERSION_NUMBER < 0x30000000 ++#include ++#else ++#include ++#include ++#include ++#endif + + #include "tss2_sys.h" + #include "tss2_mu.h" +@@ -109,36 +115,37 @@ main (int argc, char *argv[]) + + /* Convert the key from out_public to PEM */ + +- EVP_PKEY *evp = EVP_PKEY_new(); ++ EVP_PKEY *evp = NULL; + BIO *bio = BIO_new_fp(stdout, BIO_NOCLOSE); +- RSA *rsa = RSA_new(); +- BIGNUM *e = BN_new(); +- BIGNUM *d = BN_new(); +- BIGNUM *p = BN_new(); +- BIGNUM *q = BN_new(); +- BIGNUM *dmp1 = BN_new(); +- BIGNUM *dmq1 = BN_new(); +- BIGNUM *iqmp = BN_new(); + BIGNUM *n = BN_bin2bn(out_public.publicArea.unique.rsa.buffer, + out_public.publicArea.unique.rsa.size, NULL); +- BN_set_word(d, 0); +- BN_set_word(p, 0); +- BN_set_word(q, 0); +- BN_set_word(dmp1, 0); +- BN_set_word(dmq1, 0); +- BN_set_word(iqmp, 0); + uint32_t exp; + if (out_public.publicArea.parameters.rsaDetail.exponent == 0) + exp = 65537; + else + exp = out_public.publicArea.parameters.rsaDetail.exponent; ++ ++#if OPENSSL_VERSION_NUMBER < 0x30000000 ++ BIGNUM *e = BN_new(); + BN_set_word(e, exp); + +- RSA_set0_key(rsa, n, e, d); +- RSA_set0_factors(rsa, p, q); +- RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp); ++ RSA *rsa = RSA_new(); ++ RSA_set0_key(rsa, n, e, NULL); ++ n = NULL; ++ e = NULL; + ++ evp = EVP_PKEY_new(); + EVP_PKEY_assign_RSA(evp, rsa); ++#else /* OPENSSL_VERSION_NUMBER < 0x30000000 */ ++ OSSL_PARAM_BLD *build = OSSL_PARAM_BLD_new(); ++ OSSL_PARAM_BLD_push_BN(build, OSSL_PKEY_PARAM_RSA_N, n); ++ OSSL_PARAM_BLD_push_uint32(build, OSSL_PKEY_PARAM_RSA_E, exp); ++ OSSL_PARAM *params = OSSL_PARAM_BLD_to_param(build); ++ ++ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL); ++ EVP_PKEY_fromdata_init(ctx); ++ EVP_PKEY_fromdata(ctx, &evp, EVP_PKEY_PUBLIC_KEY, params); ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000 */ + + if (!PEM_write_bio_PUBKEY(bio, evp)) { + LOG_ERROR("PEM_write failed"); +@@ -146,6 +153,14 @@ main (int argc, char *argv[]) + } + + EVP_PKEY_free(evp); ++#if OPENSSL_VERSION_NUMBER < 0x30000000 ++ /* ownership was taken by the EVP_PKEY */ ++#else ++ EVP_PKEY_CTX_free(ctx); ++ OSSL_PARAM_free(params); ++ OSSL_PARAM_BLD_free(build); ++#endif ++ BN_free(n); + BIO_free(bio); + + return 0; +diff --git a/test/helper/tpm_getek_ecc.c b/test/helper/tpm_getek_ecc.c +index e389f18..29e6f1f 100644 +--- a/test/helper/tpm_getek_ecc.c ++++ b/test/helper/tpm_getek_ecc.c +@@ -7,9 +7,15 @@ + #include + #include + #include +-#include + #include + #include ++#if OPENSSL_VERSION_NUMBER < 0x30000000 ++#include ++#else ++#include ++#include ++#include ++#endif + #include + + #include "tss2_sys.h" +@@ -127,8 +133,7 @@ main (int argc, char *argv[]) + + /* Convert the key from out_public to PEM */ + +- EVP_PKEY *evp = EVP_PKEY_new(); +- EC_KEY *ecc_key = EC_KEY_new(); ++ EVP_PKEY *evp = NULL; + BIGNUM *x = NULL, *y = NULL; + BIO *bio = BIO_new_fp(stdout, BIO_NOCLOSE); + int nid; +@@ -136,11 +141,6 @@ main (int argc, char *argv[]) + nid = EC_curve_nist2nid("P-256"); + EC_GROUP *ecgroup = EC_GROUP_new_by_curve_name(nid); + +- if (!EC_KEY_set_group(ecc_key, ecgroup)) +- exit(1); +- +- EC_GROUP_free(ecgroup); +- + /* Set the ECC parameters in the OpenSSL key */ + x = BN_bin2bn(out_public.publicArea.unique.ecc.x.buffer, + out_public.publicArea.unique.ecc.x.size, NULL); +@@ -152,15 +152,46 @@ main (int argc, char *argv[]) + exit(1); + } + +- if (!EC_KEY_set_public_key_affine_coordinates(ecc_key, x, y)) { ++ EC_POINT *point = EC_POINT_new(ecgroup); ++#if OPENSSL_VERSION_NUMBER < 0x10101000L ++ EC_POINT_set_affine_coordinates_GFp(ecgroup, point, x, y, NULL); ++#else ++ EC_POINT_set_affine_coordinates(ecgroup, point, x, y, NULL); ++#endif ++ ++#if OPENSSL_VERSION_NUMBER < 0x30000000 ++ EC_KEY *ecc_key = EC_KEY_new(); ++ if (!EC_KEY_set_group(ecc_key, ecgroup)) ++ exit(1); ++ ++ if (!EC_KEY_set_public_key(ecc_key, point)) { + exit(1); + } + ++ evp = EVP_PKEY_new(); + if (!EVP_PKEY_assign_EC_KEY(evp, ecc_key)) { + handleErrors(); + LOG_ERROR("PEM_write failed"); + exit(1); + } ++#else /* OPENSSL_VERSION_NUMBER < 0x30000000 */ ++ unsigned char *puboct = NULL; ++ size_t bsize; ++ ++ bsize = EC_POINT_point2buf(ecgroup, point, POINT_CONVERSION_UNCOMPRESSED, ++ &puboct, NULL); ++ ++ OSSL_PARAM_BLD *build = OSSL_PARAM_BLD_new(); ++ OSSL_PARAM_BLD_push_utf8_string(build, OSSL_PKEY_PARAM_GROUP_NAME, ++ (char *)OBJ_nid2sn(nid), 0); ++ OSSL_PARAM_BLD_push_octet_string(build, OSSL_PKEY_PARAM_PUB_KEY, ++ puboct, bsize); ++ OSSL_PARAM *params = OSSL_PARAM_BLD_to_param(build); ++ ++ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL); ++ EVP_PKEY_fromdata_init(ctx); ++ EVP_PKEY_fromdata(ctx, &evp, EVP_PKEY_PUBLIC_KEY, params); ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000 */ + + if (!PEM_write_bio_PUBKEY(bio, evp)) { + handleErrors(); +@@ -168,9 +199,19 @@ main (int argc, char *argv[]) + exit(1); + } + ++ EVP_PKEY_free(evp); ++#if OPENSSL_VERSION_NUMBER < 0x30000000 ++ /* ownership was taken by the EVP_PKEY */ ++#else ++ EVP_PKEY_CTX_free(ctx); ++ OSSL_PARAM_free(params); ++ OSSL_PARAM_BLD_free(build); ++ OPENSSL_free(puboct); ++#endif ++ EC_POINT_free(point); ++ EC_GROUP_free(ecgroup); + BN_free(y); + BN_free(x); +- EVP_PKEY_free(evp); + BIO_free(bio); + + return 0; +-- +2.17.1 + diff --git a/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss/0003-Remove-deprecated-OpenSSL_add_all_algorithms.patch b/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss/0003-Remove-deprecated-OpenSSL_add_all_algorithms.patch new file mode 100644 index 0000000..79c912c --- /dev/null +++ b/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss/0003-Remove-deprecated-OpenSSL_add_all_algorithms.patch @@ -0,0 +1,49 @@ +From cde750dd594a6f5d7c463030ecbb9947fad2a12d Mon Sep 17 00:00:00 2001 +From: Petr Gotthard +Date: Mon, 2 Aug 2021 15:50:26 +0200 +Subject: [PATCH] Remove deprecated OpenSSL_add_all_algorithms + +From OpenSSL 1.1.0 it is deprecated. No explicit initialisation or +de-initialisation is required. + +Signed-off-by: Petr Gotthard + +Upstream-Status: Backport +[https://github.com/tpm2-software/tpm2-tss/commit/e5bb5fb9f070c619415160f8889c372b769431b8] + +Signed-off-by: Yi Zhao +--- + src/tss2-esys/esys_crypto_ossl.c | 2 +- + src/tss2-fapi/ifapi_get_intl_cert.c | 3 --- + 2 files changed, 1 insertion(+), 4 deletions(-) + +diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c +index a0e200f..e599ac7 100644 +--- a/src/tss2-esys/esys_crypto_ossl.c ++++ b/src/tss2-esys/esys_crypto_ossl.c +@@ -1174,7 +1174,7 @@ iesys_cryptossl_sym_aes_decrypt(uint8_t * key, + * + * Initialize OpenSSL internal tables. + * +- * @retval TSS2_RC_SUCCESS always returned because OpenSSL_add_all_algorithms ++ * @retval TSS2_RC_SUCCESS always returned + * does not deliver + * a return code. + */ +diff --git a/src/tss2-fapi/ifapi_get_intl_cert.c b/src/tss2-fapi/ifapi_get_intl_cert.c +index 613f408..deda7fb 100644 +--- a/src/tss2-fapi/ifapi_get_intl_cert.c ++++ b/src/tss2-fapi/ifapi_get_intl_cert.c +@@ -369,9 +369,6 @@ out_free_json: + json_object_put(jso); + + out: +- /* In some case this call was necessary after curl usage */ +- OpenSSL_add_all_algorithms(); +- + free(hash); + if (rc == 0) { + return TSS2_RC_SUCCESS; +-- +2.17.1 + diff --git a/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss_2.4.6.bb b/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss_2.4.6.bb index 96339a5..4e3346b 100644 --- a/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss_2.4.6.bb +++ b/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss_2.4.6.bb @@ -6,7 +6,11 @@ SECTION = "tpm" DEPENDS = "autoconf-archive-native libgcrypt openssl" -SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz" +SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz \ + file://0001-Drop-support-for-OpenSSL-1.1.0.patch \ + file://0002-Implement-EVP_PKEY-export-import-for-OpenSSL-3.0.patch \ + file://0003-Remove-deprecated-OpenSSL_add_all_algorithms.patch \ + " SRC_URI[md5sum] = "515cf2c53799e7d498481eb2569dcb03" SRC_URI[sha256sum] = "20e6da532a7ef90c8e50cca51f276053ec505eee0167c18e2b07c1e747118b58"