summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss/0001-Drop-support-for-OpenSSL-1.1.0.patch252
-rw-r--r--meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss/0002-Implement-EVP_PKEY-export-import-for-OpenSSL-3.0.patch1001
-rw-r--r--meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss/0003-Remove-deprecated-OpenSSL_add_all_algorithms.patch49
-rw-r--r--meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss_2.4.6.bb6
4 files changed, 1307 insertions, 1 deletions
diff --git a/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss/0001-Drop-support-for-OpenSSL-1.1.0.patch b/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss/0001-Drop-support-for-OpenSSL-1.1.0.patch
new file mode 100644
index 0000000..e1ce4c5
--- /dev/null
+++ b/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss/0001-Drop-support-for-OpenSSL-1.1.0.patch
@@ -0,0 +1,252 @@
1From a53f01711b840ba6ab2f127ea4f0512e60a56728 Mon Sep 17 00:00:00 2001
2From: Petr Gotthard <petr.gotthard@centrum.cz>
3Date: Sun, 18 Jul 2021 20:21:01 +0200
4Subject: [PATCH] Drop support for OpenSSL < 1.1.0
5
6Delete code written to support OpenSSL < 1.1.0
7
8Delete functions that have no effect in OpenSSL >= 1.1.0
9 - ENGINE_load_builtin_engines()
10 - OpenSSL_add_all_algorithms()
11 - ERR_load_crypto_strings()
12 - EC_KEY_set_asn1_flag(ecKey, OPENSSL_EC_NAMED_CURVE)
13
14Switch AppVeyor to use pre-built OpenSSL 1.1.0
15
16Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
17
18Upstream-Status: Backport
19[https://github.com/tpm2-software/tpm2-tss/commit/73d25d6834ad362f9a9a907cb78452deaa336ec0]
20
21Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
22---
23 src/tss2-esys/esys_crypto_ossl.c | 19 ----------------
24 src/tss2-fapi/fapi_crypto.c | 37 --------------------------------
25 test/helper/tpm_getek.c | 11 ----------
26 test/helper/tpm_getek_ecc.c | 9 --------
27 4 files changed, 76 deletions(-)
28
29diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c
30index 2746856..12dc6d9 100644
31--- a/src/tss2-esys/esys_crypto_ossl.c
32+++ b/src/tss2-esys/esys_crypto_ossl.c
33@@ -525,11 +525,7 @@ iesys_cryptossl_random2b(TPM2B_NONCE * nonce, size_t num_bytes)
34 nonce->size = num_bytes;
35 }
36
37-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
38 RAND_set_rand_method(RAND_OpenSSL());
39-#else
40- RAND_set_rand_method(RAND_SSLeay());
41-#endif
42 if (1 != RAND_bytes(&nonce->buffer[0], nonce->size)) {
43 RAND_set_rand_method(rand_save);
44 return_error(TSS2_ESYS_RC_GENERAL_FAILURE,
45@@ -563,11 +559,7 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
46 size_t * out_size, const char *label)
47 {
48 const RAND_METHOD *rand_save = RAND_get_rand_method();
49-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
50 RAND_set_rand_method(RAND_OpenSSL());
51-#else
52- RAND_set_rand_method(RAND_SSLeay());
53-#endif
54
55 TSS2_RC r = TSS2_RC_SUCCESS;
56 const EVP_MD * hashAlg = NULL;
57@@ -630,14 +622,6 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
58 goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
59 "Could not create evp key.", cleanup);
60 }
61-#if OPENSSL_VERSION_NUMBER < 0x10100000L
62- if (!BN_bin2bn(pub_tpm_key->publicArea.unique.rsa.buffer,
63- pub_tpm_key->publicArea.unique.rsa.size,
64- rsa_key->n)) {
65- goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
66- "Could not create rsa n.", cleanup);
67- }
68-#else
69 BIGNUM *n = NULL;
70 if (!(n = BN_bin2bn(pub_tpm_key->publicArea.unique.rsa.buffer,
71 pub_tpm_key->publicArea.unique.rsa.size,
72@@ -650,7 +634,6 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
73 goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
74 "Could not set rsa n.", cleanup);
75 }
76-#endif
77
78 if (1 != EVP_PKEY_set1_RSA(evp_rsa_key, rsa_key)) {
79 goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
80@@ -1129,7 +1112,5 @@ iesys_cryptossl_sym_aes_decrypt(uint8_t * key,
81 */
82 TSS2_RC
83 iesys_cryptossl_init() {
84- ENGINE_load_builtin_engines();
85- OpenSSL_add_all_algorithms();
86 return TSS2_RC_SUCCESS;
87 }
88diff --git a/src/tss2-fapi/fapi_crypto.c b/src/tss2-fapi/fapi_crypto.c
89index ea68197..5e8fbc8 100644
90--- a/src/tss2-fapi/fapi_crypto.c
91+++ b/src/tss2-fapi/fapi_crypto.c
92@@ -333,12 +333,7 @@ ifapi_tpm_ecc_sig_to_der(
93 tpmSignature->signature.ecdsa.signatureR.size, NULL);
94 goto_if_null(bnr, "Out of memory", TSS2_FAPI_RC_MEMORY, cleanup);
95
96-#if OPENSSL_VERSION_NUMBER < 0x10100000
97- ecdsaSignature->s = bns;
98- ecdsaSignature->r = bnr;
99-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
100 ECDSA_SIG_set0(ecdsaSignature, bnr, bns);
101-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
102
103 osslRC = i2d_ECDSA_SIG(ecdsaSignature, NULL);
104 if (osslRC == -1) {
105@@ -424,20 +419,9 @@ ossl_rsa_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey)
106 "Could not set exponent.", error_cleanup);
107 }
108
109-#if OPENSSL_VERSION_NUMBER < 0x10100000
110- rsa->e = e;
111- rsa->n = n;
112- rsa->d = d;
113- rsa->p = p;
114- rsa->q = q;
115- rsa->dmp1 = dmp1;
116- rsa->dmq1 = dmq1;
117- rsa->iqmp = iqmp;
118-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
119 RSA_set0_key(rsa, n, e, d);
120 RSA_set0_factors(rsa, p, q);
121 RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp);
122-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
123
124 /* Assign the parameters to the key */
125 if (!EVP_PKEY_assign_RSA(evpPublicKey, rsa)) {
126@@ -541,8 +525,6 @@ ossl_ecc_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey)
127 goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Assign ecc key",
128 error_cleanup);
129 }
130- /* Needed for older OSSL versions. */
131- EC_KEY_set_asn1_flag(ecKey, OPENSSL_EC_NAMED_CURVE);
132 OSSL_FREE(y, BN);
133 OSSL_FREE(x, BN);
134 return TSS2_RC_SUCCESS;
135@@ -654,24 +636,14 @@ ifapi_ecc_der_sig_to_tpm(
136
137 /* Initialize the ECDSA signature components */
138 ECDSA_SIG *ecdsaSignature = NULL;
139-#if OPENSSL_VERSION_NUMBER < 0x10100000
140- BIGNUM *bnr;
141- BIGNUM *bns;
142-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
143 const BIGNUM *bnr;
144 const BIGNUM *bns;
145-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
146
147 d2i_ECDSA_SIG(&ecdsaSignature, &signature, signatureSize);
148 return_if_null(ecdsaSignature, "Invalid DER signature",
149 TSS2_FAPI_RC_GENERAL_FAILURE);
150
151-#if OPENSSL_VERSION_NUMBER < 0x10100000
152- bns = ecdsaSignature->s;
153- bnr = ecdsaSignature->r;
154-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
155 ECDSA_SIG_get0(ecdsaSignature, &bnr, &bns);
156-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
157
158 /* Writing them to the TPM format signature */
159 tpmSignature->signature.ecdsa.hash = hashAlgorithm;
160@@ -933,12 +905,7 @@ get_rsa_tpm2b_public_from_evp(
161 const BIGNUM *e = NULL, *n = NULL;
162 int rsaKeySize = RSA_size(rsaKey);
163
164-#if OPENSSL_VERSION_NUMBER < 0x10100000
165- e = rsaKey->e;
166- n = rsaKey->n;
167-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
168 RSA_get0_key(rsaKey, &n, &e, NULL);
169-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
170 tpmPublic->publicArea.unique.rsa.size = rsaKeySize;
171 if (1 != ifapi_bn2binpad(n, &tpmPublic->publicArea.unique.rsa.buffer[0],
172 rsaKeySize)) {
173@@ -1650,8 +1617,6 @@ get_crl_from_cert(X509 *cert, X509_CRL **crl)
174 goto_error(r, TSS2_FAPI_RC_NO_CERT, "Get crl.", cleanup);
175 }
176
177- OpenSSL_add_all_algorithms();
178-
179 unsigned const char* tmp_ptr1 = crl_buffer;
180 unsigned const char** tmp_ptr2 = &tmp_ptr1;
181
182@@ -1935,7 +1900,6 @@ ifapi_verify_ek_cert(
183 r, TSS2_FAPI_RC_BAD_VALUE, cleanup);
184 } else {
185 /* Get uri for ek intermediate certificate. */
186- OpenSSL_add_all_algorithms();
187 info = X509_get_ext_d2i(ek_cert, NID_info_access, NULL, NULL);
188
189 for (i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++) {
190@@ -1955,7 +1919,6 @@ ifapi_verify_ek_cert(
191 goto_if_null2(cert_buffer, "No certificate downloaded", r,
192 TSS2_FAPI_RC_NO_CERT, cleanup);
193
194- OpenSSL_add_all_algorithms();
195 intermed_cert = get_cert_from_buffer(cert_buffer, cert_buffer_size);
196
197 SAFE_FREE(cert_buffer);
198diff --git a/test/helper/tpm_getek.c b/test/helper/tpm_getek.c
199index 02d88b0..3cd7b9f 100644
200--- a/test/helper/tpm_getek.c
201+++ b/test/helper/tpm_getek.c
202@@ -134,20 +134,9 @@ main (int argc, char *argv[])
203 exp = out_public.publicArea.parameters.rsaDetail.exponent;
204 BN_set_word(e, exp);
205
206-#if OPENSSL_VERSION_NUMBER < 0x10100000
207- rsa->e = e;
208- rsa->n = n;
209- rsa->d = d;
210- rsa->p = p;
211- rsa->q = q;
212- rsa->dmp1 = dmp1;
213- rsa->dmq1 = dmq1;
214- rsa->iqmp = iqmp;
215-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
216 RSA_set0_key(rsa, n, e, d);
217 RSA_set0_factors(rsa, p, q);
218 RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp);
219-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
220
221 EVP_PKEY_assign_RSA(evp, rsa);
222
223diff --git a/test/helper/tpm_getek_ecc.c b/test/helper/tpm_getek_ecc.c
224index e7f3dec..e389f18 100644
225--- a/test/helper/tpm_getek_ecc.c
226+++ b/test/helper/tpm_getek_ecc.c
227@@ -128,14 +128,6 @@ main (int argc, char *argv[])
228 /* Convert the key from out_public to PEM */
229
230 EVP_PKEY *evp = EVP_PKEY_new();
231-
232- OpenSSL_add_all_algorithms();
233-
234- OpenSSL_add_all_algorithms();
235-
236- ERR_load_crypto_strings();
237-
238-
239 EC_KEY *ecc_key = EC_KEY_new();
240 BIGNUM *x = NULL, *y = NULL;
241 BIO *bio = BIO_new_fp(stdout, BIO_NOCLOSE);
242@@ -147,7 +139,6 @@ main (int argc, char *argv[])
243 if (!EC_KEY_set_group(ecc_key, ecgroup))
244 exit(1);
245
246- EC_KEY_set_asn1_flag(ecc_key, OPENSSL_EC_NAMED_CURVE);
247 EC_GROUP_free(ecgroup);
248
249 /* Set the ECC parameters in the OpenSSL key */
250--
2512.17.1
252
diff --git a/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss/0002-Implement-EVP_PKEY-export-import-for-OpenSSL-3.0.patch b/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss/0002-Implement-EVP_PKEY-export-import-for-OpenSSL-3.0.patch
new file mode 100644
index 0000000..1013b4c
--- /dev/null
+++ b/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss/0002-Implement-EVP_PKEY-export-import-for-OpenSSL-3.0.patch
@@ -0,0 +1,1001 @@
1From 2452e8863562a4e5c4f172cf40cb7e713e2b7a6c Mon Sep 17 00:00:00 2001
2From: Petr Gotthard <petr.gotthard@centrum.cz>
3Date: Sun, 18 Jul 2021 21:30:59 +0200
4Subject: [PATCH] Implement EVP_PKEY export/import for OpenSSL 3.0
5
6The `RSA_KEY` and `EC_KEY` are not publicly available in OpenSSL 3.0 and
7the generic `EVP_PKEY` must be used instead.
8Since export/import of raw keys still requires access to the internal structures
9the OpenSSL 3.0 introduced a completely new approach to access key internals.
10
11This PR:
12 - preserves the current export/import impementation for OpenSSL 1.1.x
13 - implements key export/import for OpenSSL 3.0.0
14
15Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
16
17Upstream-Status: Backport
18[https://github.com/tpm2-software/tpm2-tss/commit/362fda1daa398da2944e76013c215500761d46a5]
19
20Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
21---
22 src/tss2-esys/esys_crypto_ossl.c | 154 ++++++++++++-----
23 src/tss2-fapi/fapi_crypto.c | 275 +++++++++++++++++++++----------
24 test/helper/tpm_getek.c | 53 +++---
25 test/helper/tpm_getek_ecc.c | 61 +++++--
26 4 files changed, 386 insertions(+), 157 deletions(-)
27
28diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c
29index 12dc6d9..a0e200f 100644
30--- a/src/tss2-esys/esys_crypto_ossl.c
31+++ b/src/tss2-esys/esys_crypto_ossl.c
32@@ -8,9 +8,17 @@
33 #include <config.h>
34 #endif
35
36+#include <openssl/rand.h>
37 #include <openssl/evp.h>
38-#include <openssl/aes.h>
39 #include <openssl/rsa.h>
40+#include <openssl/ec.h>
41+#if OPENSSL_VERSION_NUMBER < 0x30000000L
42+#include <openssl/aes.h>
43+#else
44+#include <openssl/core_names.h>
45+#include <openssl/params.h>
46+#include <openssl/param_build.h>
47+#endif
48 #include <openssl/engine.h>
49 #include <stdio.h>
50
51@@ -324,9 +332,14 @@ iesys_cryptossl_hmac_start(IESYS_CRYPTO_CONTEXT_BLOB ** context,
52 "Error EVP_MD_CTX_create", cleanup);
53 }
54
55+#if OPENSSL_VERSION_NUMBER < 0x10101000L
56 if (!(hkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, key, size))) {
57+#else
58+ /* this is preferred, but available since OpenSSL 1.1.1 only */
59+ if (!(hkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, key, size))) {
60+#endif
61 goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
62- "EVP_PKEY_new_mac_key", cleanup);
63+ "Failed to create HMAC key", cleanup);
64 }
65
66 if(1 != EVP_DigestSignInit(mycontext->hmac.ossl_context, NULL,
67@@ -517,7 +530,10 @@ iesys_cryptossl_hmac_abort(IESYS_CRYPTO_CONTEXT_BLOB ** context)
68 TSS2_RC
69 iesys_cryptossl_random2b(TPM2B_NONCE * nonce, size_t num_bytes)
70 {
71+#if OPENSSL_VERSION_NUMBER < 0x30000000L
72 const RAND_METHOD *rand_save = RAND_get_rand_method();
73+ RAND_set_rand_method(RAND_OpenSSL());
74+#endif
75
76 if (num_bytes == 0) {
77 nonce->size = sizeof(TPMU_HA);
78@@ -525,13 +541,16 @@ iesys_cryptossl_random2b(TPM2B_NONCE * nonce, size_t num_bytes)
79 nonce->size = num_bytes;
80 }
81
82- RAND_set_rand_method(RAND_OpenSSL());
83 if (1 != RAND_bytes(&nonce->buffer[0], nonce->size)) {
84+#if OPENSSL_VERSION_NUMBER < 0x30000000L
85 RAND_set_rand_method(rand_save);
86+#endif
87 return_error(TSS2_ESYS_RC_GENERAL_FAILURE,
88 "Failure in random number generator.");
89 }
90+#if OPENSSL_VERSION_NUMBER < 0x30000000L
91 RAND_set_rand_method(rand_save);
92+#endif
93 return TSS2_RC_SUCCESS;
94 }
95
96@@ -558,30 +577,33 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
97 BYTE * out_buffer,
98 size_t * out_size, const char *label)
99 {
100+#if OPENSSL_VERSION_NUMBER < 0x30000000L
101+ RSA *rsa_key = NULL;
102 const RAND_METHOD *rand_save = RAND_get_rand_method();
103+
104 RAND_set_rand_method(RAND_OpenSSL());
105+#else
106+ OSSL_PARAM *params = NULL;
107+ OSSL_PARAM_BLD *build = NULL;
108+#endif
109
110 TSS2_RC r = TSS2_RC_SUCCESS;
111 const EVP_MD * hashAlg = NULL;
112- RSA * rsa_key = NULL;
113 EVP_PKEY *evp_rsa_key = NULL;
114- EVP_PKEY_CTX *ctx = NULL;
115- BIGNUM* bne = NULL;
116+ EVP_PKEY_CTX *genctx = NULL, *ctx = NULL;
117+ BIGNUM *bne = NULL, *n = NULL;
118 int padding;
119 char *label_copy = NULL;
120
121 if (!(hashAlg = get_ossl_hash_md(pub_tpm_key->publicArea.nameAlg))) {
122 LOG_ERROR("Unsupported hash algorithm (%"PRIu16")",
123 pub_tpm_key->publicArea.nameAlg);
124+#if OPENSSL_VERSION_NUMBER < 0x30000000L
125 RAND_set_rand_method(rand_save);
126+#endif
127 return TSS2_ESYS_RC_NOT_IMPLEMENTED;
128 }
129
130- if (!(bne = BN_new())) {
131- goto_error(r, TSS2_ESYS_RC_MEMORY,
132- "Could not allocate Big Number", cleanup);
133- }
134-
135 switch (pub_tpm_key->publicArea.parameters.rsaDetail.scheme.scheme) {
136 case TPM2_ALG_NULL:
137 padding = RSA_NO_PADDING;
138@@ -601,44 +623,64 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
139 exp = 65537;
140 else
141 exp = pub_tpm_key->publicArea.parameters.rsaDetail.exponent;
142- if (1 != BN_set_word(bne, exp)) {
143+
144+ if (!(n = BN_bin2bn(pub_tpm_key->publicArea.unique.rsa.buffer,
145+ pub_tpm_key->publicArea.unique.rsa.size,
146+ NULL))) {
147 goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
148- "Could not set exponent.", cleanup);
149+ "Could not create rsa n.", cleanup);
150 }
151
152+#if OPENSSL_VERSION_NUMBER < 0x30000000L
153 if (!(rsa_key = RSA_new())) {
154 goto_error(r, TSS2_ESYS_RC_MEMORY,
155 "Could not allocate RSA key", cleanup);
156 }
157
158- if (1 != RSA_generate_key_ex(rsa_key,
159- pub_tpm_key->publicArea.parameters.rsaDetail.keyBits,
160- bne, NULL)) {
161- goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Could not generate RSA key",
162- cleanup);
163+ if (!(bne = BN_new())) {
164+ goto_error(r, TSS2_ESYS_RC_MEMORY,
165+ "Could not allocate Big Number", cleanup);
166 }
167-
168- if (!(evp_rsa_key = EVP_PKEY_new())) {
169+ if (1 != BN_set_word(bne, exp)) {
170 goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
171- "Could not create evp key.", cleanup);
172+ "Could not set exponent.", cleanup);
173 }
174- BIGNUM *n = NULL;
175- if (!(n = BN_bin2bn(pub_tpm_key->publicArea.unique.rsa.buffer,
176- pub_tpm_key->publicArea.unique.rsa.size,
177- NULL))) {
178+
179+ if (1 != RSA_set0_key(rsa_key, n, bne, NULL)) {
180 goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
181- "Could not create rsa n.", cleanup);
182+ "Could not set rsa n.", cleanup);
183 }
184+ /* ownership got transferred */
185+ n = NULL;
186+ bne = NULL;
187
188- if (1 != RSA_set0_key(rsa_key, n, NULL, NULL)) {
189+ if (!(evp_rsa_key = EVP_PKEY_new())) {
190 goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
191- "Could not set rsa n.", cleanup);
192+ "Could not create evp key.", cleanup);
193 }
194
195- if (1 != EVP_PKEY_set1_RSA(evp_rsa_key, rsa_key)) {
196+ if (1 != EVP_PKEY_assign_RSA(evp_rsa_key, rsa_key)) {
197 goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
198 "Could not set rsa key.", cleanup);
199 }
200+ /* ownership got transferred */
201+ rsa_key = NULL;
202+#else /* OPENSSL_VERSION_NUMBER < 0x30000000L */
203+ if ((build = OSSL_PARAM_BLD_new()) == NULL
204+ || !OSSL_PARAM_BLD_push_BN(build, OSSL_PKEY_PARAM_RSA_N, n)
205+ || !OSSL_PARAM_BLD_push_uint32(build, OSSL_PKEY_PARAM_RSA_E, exp)
206+ || (params = OSSL_PARAM_BLD_to_param(build)) == NULL) {
207+ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Could not create rsa parameters.",
208+ cleanup);
209+ }
210+
211+ if ((genctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL)) == NULL
212+ || EVP_PKEY_fromdata_init(genctx) <= 0
213+ || EVP_PKEY_fromdata(genctx, &evp_rsa_key, EVP_PKEY_PUBLIC_KEY, params) <= 0) {
214+ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Could not create rsa key.",
215+ cleanup);
216+ }
217+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
218
219 if (!(ctx = EVP_PKEY_CTX_new(evp_rsa_key, NULL))) {
220 goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
221@@ -692,11 +734,18 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
222 r = TSS2_RC_SUCCESS;
223
224 cleanup:
225+ OSSL_FREE(genctx, EVP_PKEY_CTX);
226 OSSL_FREE(ctx, EVP_PKEY_CTX);
227 OSSL_FREE(evp_rsa_key, EVP_PKEY);
228- OSSL_FREE(rsa_key, RSA);
229 OSSL_FREE(bne, BN);
230+ OSSL_FREE(n, BN);
231+#if OPENSSL_VERSION_NUMBER < 0x30000000L
232+ OSSL_FREE(rsa_key, RSA);
233 RAND_set_rand_method(rand_save);
234+#else
235+ OSSL_FREE(params, OSSL_PARAM);
236+ OSSL_FREE(build, OSSL_PARAM_BLD);
237+#endif
238 return r;
239 }
240
241@@ -784,8 +833,14 @@ iesys_cryptossl_get_ecdh_point(TPM2B_PUBLIC *key,
242 {
243 TSS2_RC r = TSS2_RC_SUCCESS;
244 EC_GROUP *group = NULL; /* Group defines the used curve */
245- EC_KEY *eph_ec_key = NULL; /* Ephemeral ec key of application */
246+ EVP_PKEY_CTX *ctx = NULL;
247+ EVP_PKEY *eph_pkey = NULL;
248+#if OPENSSL_VERSION_NUMBER < 0x30000000L
249 const EC_POINT *eph_pub_key = NULL; /* Public part of ephemeral key */
250+ const BIGNUM *eph_priv_key = NULL;
251+#else
252+ BIGNUM *eph_priv_key = NULL;
253+#endif
254 EC_POINT *tpm_pub_key = NULL; /* Public part of TPM key */
255 EC_POINT *mul_eph_tpm = NULL;
256 BIGNUM *bn_x = NULL;
257@@ -827,23 +882,25 @@ iesys_cryptossl_get_ecdh_point(TPM2B_PUBLIC *key,
258 }
259
260 /* Create ephemeral key */
261- if (!(eph_ec_key = EC_KEY_new())) {
262+ if ((ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL)) == NULL
263+ || EVP_PKEY_keygen_init(ctx) <= 0) {
264 goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
265- "Create ec key", cleanup);
266+ "Initialize ec key generation", cleanup);
267 }
268- if (1 != EC_KEY_set_group(eph_ec_key , group)) {
269
270- goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Set group", cleanup);
271- }
272-
273- if (1 != EC_KEY_generate_key(eph_ec_key)) {
274+ if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, curveId) <= 0
275+ || EVP_PKEY_keygen(ctx, &eph_pkey) <= 0) {
276 goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Generate ec key", cleanup);
277 }
278
279+#if OPENSSL_VERSION_NUMBER < 0x30000000L
280+ EC_KEY *eph_ec_key = EVP_PKEY_get0_EC_KEY(eph_pkey);
281+
282 if (!(eph_pub_key = EC_KEY_get0_public_key(eph_ec_key))) {
283 goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Get public key", cleanup);
284 }
285
286+ eph_priv_key = EC_KEY_get0_private_key(eph_ec_key);
287 if (1 != EC_POINT_is_on_curve(group, eph_pub_key, NULL)) {
288 goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
289 "Ephemeral public key is on curve",cleanup);
290@@ -861,8 +918,16 @@ iesys_cryptossl_get_ecdh_point(TPM2B_PUBLIC *key,
291 if (1 != EC_POINT_get_affine_coordinates_tss(group, eph_pub_key, bn_x,
292 bn_y, NULL)) {
293 goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
294- "Get affine x coordinate", cleanup);
295+ "Get affine coordinates", cleanup);
296+ }
297+#else
298+ if (!EVP_PKEY_get_bn_param(eph_pkey, OSSL_PKEY_PARAM_PRIV_KEY, &eph_priv_key)
299+ || !EVP_PKEY_get_bn_param(eph_pkey, OSSL_PKEY_PARAM_EC_PUB_X, &bn_x)
300+ || !EVP_PKEY_get_bn_param(eph_pkey, OSSL_PKEY_PARAM_EC_PUB_Y, &bn_y)) {
301+ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
302+ "Get ephemeral key", cleanup);
303 }
304+#endif
305
306 if (1 != iesys_bn2binpad(bn_x, &Q->x.buffer[0], key_size)) {
307 goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
308@@ -881,13 +946,11 @@ iesys_cryptossl_get_ecdh_point(TPM2B_PUBLIC *key,
309 r = tpm_pub_to_ossl_pub(group, key, &tpm_pub_key);
310 goto_if_error(r, "Convert TPM pub point to ossl pub point", cleanup);
311
312- /* Multiply the ephemeral private key with TPM public key */
313- const BIGNUM * eph_priv_key = EC_KEY_get0_private_key(eph_ec_key);
314-
315 if (!(mul_eph_tpm = EC_POINT_new(group))) {
316 goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Create point.", cleanup);
317 }
318
319+ /* Multiply the ephemeral private key with TPM public key */
320 if (1 != EC_POINT_mul(group, mul_eph_tpm, NULL,
321 tpm_pub_key, eph_priv_key, NULL)) {
322 goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
323@@ -918,8 +981,13 @@ iesys_cryptossl_get_ecdh_point(TPM2B_PUBLIC *key,
324 OSSL_FREE(mul_eph_tpm, EC_POINT);
325 OSSL_FREE(tpm_pub_key, EC_POINT);
326 OSSL_FREE(group,EC_GROUP);
327- OSSL_FREE(eph_ec_key, EC_KEY);
328+ OSSL_FREE(ctx, EVP_PKEY_CTX);
329+ OSSL_FREE(eph_pkey, EVP_PKEY);
330+#if OPENSSL_VERSION_NUMBER < 0x30000000L
331 /* Note: free of eph_pub_key already done by free of eph_ec_key */
332+#else
333+ OSSL_FREE(eph_priv_key, BN);
334+#endif
335 OSSL_FREE(bn_x, BN);
336 OSSL_FREE(bn_y, BN);
337 return r;
338diff --git a/src/tss2-fapi/fapi_crypto.c b/src/tss2-fapi/fapi_crypto.c
339index 5e8fbc8..9cee10f 100644
340--- a/src/tss2-fapi/fapi_crypto.c
341+++ b/src/tss2-fapi/fapi_crypto.c
342@@ -11,10 +11,15 @@
343 #include <string.h>
344
345 #include <openssl/evp.h>
346-#include <openssl/aes.h>
347 #include <openssl/rsa.h>
348-#include <openssl/engine.h>
349 #include <openssl/pem.h>
350+#if OPENSSL_VERSION_NUMBER < 0x30000000L
351+#include <openssl/aes.h>
352+#else
353+#include <openssl/core_names.h>
354+#include <openssl/params.h>
355+#include <openssl/param_build.h>
356+#endif
357 #include <openssl/x509v3.h>
358 #include <curl/curl.h>
359 #include <openssl/err.h>
360@@ -380,66 +385,89 @@ cleanup:
361 * @retval TSS2_FAPI_RC_MEMORY if not enough memory can be allocated.
362 */
363 static TSS2_RC
364-ossl_rsa_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey)
365+ossl_rsa_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY **evpPublicKey)
366 {
367+#if OPENSSL_VERSION_NUMBER < 0x30000000L
368+ RSA *rsa = NULL;
369+#else
370+ OSSL_PARAM_BLD *build = NULL;
371+ OSSL_PARAM *params = NULL;
372+ EVP_PKEY_CTX *ctx = NULL;
373+#endif
374+
375 /* Check for NULL parameters */
376 return_if_null(tpmPublicKey, "tpmPublicKey is NULL", TSS2_FAPI_RC_BAD_REFERENCE);
377 return_if_null(evpPublicKey, "evpPublicKey is NULL", TSS2_FAPI_RC_BAD_REFERENCE);
378
379+ TSS2_RC r = TSS2_RC_SUCCESS;
380 /* Initialize the RSA parameters */
381- TSS2_RC r;
382- RSA *rsa = RSA_new();
383- BIGNUM *e = BN_new();
384- BIGNUM *d = BN_new();
385- BIGNUM *p = BN_new();
386- BIGNUM *q = BN_new();
387- BIGNUM *dmp1 = BN_new();
388- BIGNUM *dmq1 = BN_new();
389- BIGNUM *iqmp = BN_new();
390+ BIGNUM *e = NULL;
391 BIGNUM *n = BN_bin2bn(tpmPublicKey->publicArea.unique.rsa.buffer,
392 tpmPublicKey->publicArea.unique.rsa.size, NULL);
393-
394- if (!n || !e || !d || !p || !q || !dmp1 || !dmq1 || !iqmp || !rsa) {
395+ if (!n) {
396 goto_error(r, TSS2_FAPI_RC_MEMORY, "Out of memory", error_cleanup);
397 }
398
399- BN_set_word(d, 0);
400- BN_set_word(p, 0);
401- BN_set_word(q, 0);
402- BN_set_word(dmp1, 0);
403- BN_set_word(dmq1, 0);
404- BN_set_word(iqmp, 0);
405 uint32_t exp;
406 if (tpmPublicKey->publicArea.parameters.rsaDetail.exponent == 0)
407 exp = 65537;
408 else
409 exp = tpmPublicKey->publicArea.parameters.rsaDetail.exponent;
410+
411+#if OPENSSL_VERSION_NUMBER < 0x30000000L
412+ if ((rsa = RSA_new()) == NULL) {
413+ goto_error(r, TSS2_FAPI_RC_MEMORY, "Out of memory", error_cleanup);
414+ }
415+
416+ if ((e = BN_new()) == NULL) {
417+ goto_error(r, TSS2_FAPI_RC_MEMORY, "Out of memory", error_cleanup);
418+ }
419 if (1 != BN_set_word(e, exp)) {
420 goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE,
421 "Could not set exponent.", error_cleanup);
422 }
423
424- RSA_set0_key(rsa, n, e, d);
425- RSA_set0_factors(rsa, p, q);
426- RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp);
427+ if (!RSA_set0_key(rsa, n, e, NULL)) {
428+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE,
429+ "Could not set public key.", error_cleanup);
430+ }
431+ n = NULL; /* ownership transferred */
432+ e = NULL;
433+
434+ *evpPublicKey = EVP_PKEY_new();
435+ goto_if_null2(*evpPublicKey, "Out of memory.", r, TSS2_FAPI_RC_MEMORY, error_cleanup);
436
437 /* Assign the parameters to the key */
438- if (!EVP_PKEY_assign_RSA(evpPublicKey, rsa)) {
439+ if (!EVP_PKEY_assign_RSA(*evpPublicKey, rsa)) {
440+ EVP_PKEY_free(*evpPublicKey);
441 goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Assign rsa key",
442 error_cleanup);
443 }
444- return TSS2_RC_SUCCESS;
445-
446+ rsa = NULL; /* ownership transferred */
447 error_cleanup:
448 OSSL_FREE(rsa, RSA);
449+#else /* OPENSSL_VERSION_NUMBER < 0x30000000L */
450+ if ((build = OSSL_PARAM_BLD_new()) == NULL
451+ || !OSSL_PARAM_BLD_push_BN(build, OSSL_PKEY_PARAM_RSA_N, n)
452+ || !OSSL_PARAM_BLD_push_uint32(build, OSSL_PKEY_PARAM_RSA_E, exp)
453+ || (params = OSSL_PARAM_BLD_to_param(build)) == NULL) {
454+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Create rsa key parameters",
455+ error_cleanup);
456+ }
457+
458+ if ((ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL)) == NULL
459+ || EVP_PKEY_fromdata_init(ctx) <= 0
460+ || EVP_PKEY_fromdata(ctx, evpPublicKey, EVP_PKEY_PUBLIC_KEY, params) <= 0) {
461+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Create rsa key",
462+ error_cleanup);
463+ }
464+error_cleanup:
465+ OSSL_FREE(ctx, EVP_PKEY_CTX);
466+ OSSL_FREE(params, OSSL_PARAM);
467+ OSSL_FREE(build, OSSL_PARAM_BLD);
468+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
469 OSSL_FREE(e, BN);
470 OSSL_FREE(n, BN);
471- OSSL_FREE(d, BN);
472- OSSL_FREE(p, BN);
473- OSSL_FREE(q, BN);
474- OSSL_FREE(dmp1, BN);
475- OSSL_FREE(dmq1, BN);
476- OSSL_FREE(iqmp, BN);
477 return r;
478 }
479
480@@ -459,18 +487,26 @@ error_cleanup:
481 * the function.
482 */
483 static TSS2_RC
484-ossl_ecc_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey)
485+ossl_ecc_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY **evpPublicKey)
486 {
487 /* Check for NULL parameters */
488 return_if_null(tpmPublicKey, "tpmPublicKey is NULL", TSS2_FAPI_RC_BAD_REFERENCE);
489 return_if_null(evpPublicKey, "evpPublicKey is NULL", TSS2_FAPI_RC_BAD_REFERENCE);
490
491- TSS2_RC r;
492+ TSS2_RC r = TSS2_RC_SUCCESS;
493 EC_GROUP *ecgroup = NULL;
494 int curveId;
495 BIGNUM *x = NULL, *y = NULL;
496- EC_KEY *ecKey = EC_KEY_new();
497- return_if_null(ecKey, "Out of memory.", TSS2_FAPI_RC_MEMORY);
498+ EC_POINT *ecPoint = NULL;
499+#if OPENSSL_VERSION_NUMBER < 0x30000000L
500+ EC_KEY *ecKey = NULL;
501+#else
502+ OSSL_PARAM_BLD *build = NULL;
503+ OSSL_PARAM *params = NULL;
504+ EVP_PKEY_CTX *ctx = NULL;
505+ unsigned char *puboct = NULL;
506+ size_t bsize;
507+#endif
508
509 /* Find the curve of the ECC key */
510 switch (tpmPublicKey->publicArea.parameters.eccDetail.curveID) {
511@@ -499,12 +535,6 @@ ossl_ecc_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey)
512 goto_if_null(ecgroup, "new EC group.", TSS2_FAPI_RC_GENERAL_FAILURE,
513 error_cleanup);
514
515- if (!EC_KEY_set_group(ecKey, ecgroup)) {
516- goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "EC_KEY_set_group",
517- error_cleanup);
518- }
519- EC_GROUP_free(ecgroup);
520-
521 /* Set the ECC parameters in the OpenSSL key */
522 x = BN_bin2bn(tpmPublicKey->publicArea.unique.ecc.x.buffer,
523 tpmPublicKey->publicArea.unique.ecc.x.size, NULL);
524@@ -516,23 +546,67 @@ ossl_ecc_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey)
525 goto_error(r, TSS2_FAPI_RC_MEMORY, "Out of memory", error_cleanup);
526 }
527
528- if (!EC_KEY_set_public_key_affine_coordinates(ecKey, x, y)) {
529+ if ((ecPoint = EC_POINT_new(ecgroup)) == NULL
530+ || !EC_POINT_set_affine_coordinates_tss(ecgroup, ecPoint, x, y, NULL)) {
531+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "EC_POINT_set_affine_coordinates",
532+ error_cleanup);
533+ }
534+
535+#if OPENSSL_VERSION_NUMBER < 0x30000000
536+ ecKey = EC_KEY_new();
537+ return_if_null(ecKey, "Out of memory.", TSS2_FAPI_RC_MEMORY);
538+
539+ if (!EC_KEY_set_group(ecKey, ecgroup)) {
540+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "EC_KEY_set_group",
541+ error_cleanup);
542+ }
543+
544+ if (!EC_KEY_set_public_key(ecKey, ecPoint)) {
545 goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE,
546- "EC_KEY_set_public_key_affine_coordinates", error_cleanup);
547+ "EC_KEY_set_public_key", error_cleanup);
548 }
549
550- if (!EVP_PKEY_assign_EC_KEY(evpPublicKey, ecKey)) {
551+ *evpPublicKey = EVP_PKEY_new();
552+ goto_if_null2(*evpPublicKey, "Out of memory.", r, TSS2_FAPI_RC_MEMORY, error_cleanup);
553+
554+ if (!EVP_PKEY_assign_EC_KEY(*evpPublicKey, ecKey)) {
555+ EVP_PKEY_free(*evpPublicKey);
556 goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Assign ecc key",
557 error_cleanup);
558 }
559- OSSL_FREE(y, BN);
560- OSSL_FREE(x, BN);
561- return TSS2_RC_SUCCESS;
562+ ecKey = NULL; /* ownership transferred */
563+error_cleanup:
564+ OSSL_FREE(ecKey, EC_KEY);
565+#else
566+ if ((build = OSSL_PARAM_BLD_new()) == NULL
567+ || !OSSL_PARAM_BLD_push_utf8_string(build, OSSL_PKEY_PARAM_GROUP_NAME,
568+ (char *)OBJ_nid2sn(curveId), 0)
569+ || (bsize = EC_POINT_point2buf(ecgroup, ecPoint,
570+ POINT_CONVERSION_COMPRESSED,
571+ &puboct, NULL)) == 0
572+ || !OSSL_PARAM_BLD_push_octet_string(build, OSSL_PKEY_PARAM_PUB_KEY,
573+ puboct, bsize)
574+ || (params = OSSL_PARAM_BLD_to_param(build)) == NULL) {
575+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Create ecc key parameters",
576+ error_cleanup);
577+ }
578
579+ if ((ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)) == NULL
580+ || EVP_PKEY_fromdata_init(ctx) <= 0
581+ || EVP_PKEY_fromdata(ctx, evpPublicKey, EVP_PKEY_PUBLIC_KEY, params) <= 0) {
582+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Create ecc key",
583+ error_cleanup);
584+ }
585 error_cleanup:
586+ EVP_PKEY_CTX_free(ctx);
587+ OSSL_PARAM_free(params);
588+ OSSL_PARAM_BLD_free(build);
589+ OPENSSL_free(puboct);
590+#endif
591+ OSSL_FREE(ecPoint, EC_POINT);
592+ OSSL_FREE(ecgroup, EC_GROUP);
593 OSSL_FREE(y, BN);
594 OSSL_FREE(x, BN);
595- OSSL_FREE(ecKey, EC_KEY);
596 return r;
597 }
598
599@@ -567,18 +641,15 @@ ifapi_pub_pem_key_from_tpm(
600 BIO *bio = NULL;
601 TSS2_RC r = TPM2_RC_SUCCESS;
602
603- evpPublicKey = EVP_PKEY_new();
604- goto_if_null2(evpPublicKey, "Out of memory.", r, TSS2_FAPI_RC_MEMORY, cleanup);
605-
606 /* Memory IO will be used for OSSL key conversion */
607 bio = BIO_new(BIO_s_mem());
608- goto_if_null2(evpPublicKey, "Out of memory.", r, TSS2_FAPI_RC_MEMORY, cleanup);
609+ goto_if_null2(bio, "Out of memory.", r, TSS2_FAPI_RC_MEMORY, cleanup);
610
611 if (tpmPublicKey->publicArea.type == TPM2_ALG_RSA) {
612- r = ossl_rsa_pub_from_tpm(tpmPublicKey, evpPublicKey);
613- } else if (tpmPublicKey->publicArea.type == TPM2_ALG_ECC)
614- r = ossl_ecc_pub_from_tpm(tpmPublicKey, evpPublicKey);
615- else {
616+ r = ossl_rsa_pub_from_tpm(tpmPublicKey, &evpPublicKey);
617+ } else if (tpmPublicKey->publicArea.type == TPM2_ALG_ECC) {
618+ r = ossl_ecc_pub_from_tpm(tpmPublicKey, &evpPublicKey);
619+ } else {
620 goto_error(r, TSS2_FAPI_RC_BAD_VALUE, "Invalid alg id.", cleanup);
621 }
622 goto_if_error(r, "Get ossl public key.", cleanup);
623@@ -708,7 +779,6 @@ ifapi_der_sig_to_tpm(
624 signatureSize);
625 } else {
626 return_error(TSS2_FAPI_RC_BAD_VALUE, "Invalid RSA scheme.");
627-
628 }
629 } else if (tpmPublic->type == TPM2_ALG_ECC) {
630 return ifapi_ecc_der_sig_to_tpm(signature, signatureSize,
631@@ -856,12 +926,16 @@ ecdsa_verify_signature(
632 return_if_null(digest, "digest is NULL", TSS2_FAPI_RC_BAD_REFERENCE);
633
634 TSS2_RC r = TSS2_RC_SUCCESS;
635- EC_KEY *eccKey = NULL;
636+ EVP_PKEY_CTX *ctx = NULL;
637
638- eccKey = EVP_PKEY_get1_EC_KEY(publicKey);
639+ if ((ctx = EVP_PKEY_CTX_new(publicKey, NULL)) == NULL
640+ || !EVP_PKEY_verify_init(ctx)) {
641+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE,
642+ "Cannot initialize signature verification.", error_cleanup);
643+ }
644
645 /* Try to verify the signature using ECDSA, note that param 0 is unused */
646- int rc = ECDSA_verify(0, digest, digestSize, signature, signatureSize, eccKey);
647+ int rc = EVP_PKEY_verify(ctx, signature, signatureSize, digest, digestSize);
648 if (rc == 0) {
649 goto_error(r, TSS2_FAPI_RC_SIGNATURE_VERIFICATION_FAILED,
650 "ECDSA signature verification failed.", error_cleanup);
651@@ -871,7 +945,7 @@ ecdsa_verify_signature(
652 }
653
654 error_cleanup:
655- OSSL_FREE(eccKey, EC_KEY);
656+ OSSL_FREE(ctx, EVP_PKEY_CTX);
657 return r;
658 }
659
660@@ -900,23 +974,43 @@ get_rsa_tpm2b_public_from_evp(
661
662 /* Extract the public information */
663 TSS2_RC r = TSS2_RC_SUCCESS;
664+ int keyBits, keySize;
665+
666+#if OPENSSL_VERSION_NUMBER < 0x30000000L
667+ const BIGNUM *e = NULL, *n = NULL;
668 RSA *rsaKey = EVP_PKEY_get1_RSA(publicKey);
669 return_if_null(rsaKey, "Out of memory.", TSS2_FAPI_RC_MEMORY);
670- const BIGNUM *e = NULL, *n = NULL;
671- int rsaKeySize = RSA_size(rsaKey);
672
673+ keySize = RSA_size(rsaKey);
674+ keyBits = keySize * 8;
675 RSA_get0_key(rsaKey, &n, &e, NULL);
676- tpmPublic->publicArea.unique.rsa.size = rsaKeySize;
677+#else
678+ BIGNUM *e = NULL, *n = NULL;
679+
680+ keyBits = EVP_PKEY_get_bits(publicKey);
681+ keySize = (keyBits + 7) / 8;
682+ if (!EVP_PKEY_get_bn_param(publicKey, OSSL_PKEY_PARAM_RSA_N, &n)
683+ || !EVP_PKEY_get_bn_param(publicKey, OSSL_PKEY_PARAM_RSA_E, &e)) {
684+ goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE,
685+ "Retrieve pubkey", cleanup);
686+ }
687+#endif
688+ tpmPublic->publicArea.unique.rsa.size = keySize;
689 if (1 != ifapi_bn2binpad(n, &tpmPublic->publicArea.unique.rsa.buffer[0],
690- rsaKeySize)) {
691+ keySize)) {
692 goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE,
693 "Write big num byte buffer", cleanup);
694 }
695- tpmPublic->publicArea.parameters.rsaDetail.keyBits = rsaKeySize * 8;
696+ tpmPublic->publicArea.parameters.rsaDetail.keyBits = keyBits;
697 tpmPublic->publicArea.parameters.rsaDetail.exponent = BN_get_word(e);
698
699 cleanup:
700+#if OPENSSL_VERSION_NUMBER < 0x30000000L
701 OSSL_FREE(rsaKey, RSA);
702+#else
703+ BN_free(e);
704+ BN_free(n);
705+#endif
706 return r;
707 }
708
709@@ -947,27 +1041,22 @@ get_ecc_tpm2b_public_from_evp(
710
711 /* Initialize variables that will contain the relevant information */
712 TSS2_RC r = TSS2_RC_SUCCESS;
713- EC_KEY *ecKey = EVP_PKEY_get1_EC_KEY(publicKey);
714- return_if_null(ecKey, "Out of memory.", TSS2_FAPI_RC_MEMORY);
715- const EC_GROUP *ecGroup;
716- const EC_POINT *publicPoint;
717 int curveId;
718 size_t ecKeySize;
719 BIGNUM *bnX = NULL;
720 BIGNUM *bnY = NULL;
721 TPMI_ECC_CURVE tpmCurveId;
722-
723- if (!ecKey) {
724- return_error(TSS2_FAPI_RC_GENERAL_FAILURE, "No ECC key!");
725- }
726+#if OPENSSL_VERSION_NUMBER < 0x30000000
727+ const EC_GROUP *ecGroup;
728+ const EC_POINT *publicPoint;
729+ EC_KEY *ecKey = EVP_PKEY_get1_EC_KEY(publicKey);
730+ return_if_null(ecKey, "Out of memory.", TSS2_FAPI_RC_MEMORY);
731
732 /* Retrieve the relevant information and write it to tpmPublic */
733 ecGroup = EC_KEY_get0_group(ecKey);
734 publicPoint = EC_KEY_get0_public_key(ecKey);
735 curveId = EC_GROUP_get_curve_name(ecGroup);
736- ecKeySize = EC_GROUP_get_degree(ecGroup) / 8;
737- tpmPublic->publicArea.unique.ecc.x.size = ecKeySize;
738- tpmPublic->publicArea.unique.ecc.y.size = ecKeySize;
739+ ecKeySize = (EC_GROUP_get_degree(ecGroup) + 7) / 8;
740
741 if (!(bnX = BN_new())) {
742 goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Create bignum", cleanup);
743@@ -982,6 +1071,23 @@ get_ecc_tpm2b_public_from_evp(
744 goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE,
745 "Get affine coordinates", cleanup);
746 }
747+#else
748+ char curveName[80];
749+
750+ if (!EVP_PKEY_get_utf8_string_param(publicKey, OSSL_PKEY_PARAM_GROUP_NAME,
751+ curveName, sizeof(curveName), NULL)
752+ || !EVP_PKEY_get_bn_param(publicKey, OSSL_PKEY_PARAM_EC_PUB_X, &bnX)
753+ || !EVP_PKEY_get_bn_param(publicKey, OSSL_PKEY_PARAM_EC_PUB_Y, &bnY)) {
754+ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
755+ "Get public key", cleanup);
756+ }
757+ curveId = OBJ_txt2nid(curveName);
758+ EC_GROUP *ecGroup = EC_GROUP_new_by_curve_name(curveId);
759+ ecKeySize = (EC_GROUP_get_degree(ecGroup) + 7) / 8;
760+ EC_GROUP_free(ecGroup);
761+#endif
762+ tpmPublic->publicArea.unique.ecc.x.size = ecKeySize;
763+ tpmPublic->publicArea.unique.ecc.y.size = ecKeySize;
764 if (1 != ifapi_bn2binpad(bnX, &tpmPublic->publicArea.unique.ecc.x.buffer[0],
765 ecKeySize)) {
766 goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE,
767@@ -1015,7 +1121,9 @@ get_ecc_tpm2b_public_from_evp(
768 tpmPublic->publicArea.parameters.eccDetail.curveID = tpmCurveId;
769
770 cleanup:
771+#if OPENSSL_VERSION_NUMBER < 0x30000000
772 OSSL_FREE(ecKey, EC_KEY);
773+#endif
774 OSSL_FREE(bnX, BN);
775 OSSL_FREE(bnY, BN);
776 return r;
777@@ -2075,14 +2183,11 @@ ifapi_get_tpm_key_fingerprint(
778 "Unsupported hash algorithm (%" PRIu16 ")", cleanup,
779 hashAlg);
780
781- evpPublicKey = EVP_PKEY_new();
782- goto_if_null2(evpPublicKey, "Out of memory.", r, TSS2_FAPI_RC_MEMORY, cleanup);
783-
784 if (tpmPublicKey->publicArea.type == TPM2_ALG_RSA) {
785- r = ossl_rsa_pub_from_tpm(tpmPublicKey, evpPublicKey);
786- } else if (tpmPublicKey->publicArea.type == TPM2_ALG_ECC)
787- r = ossl_ecc_pub_from_tpm(tpmPublicKey, evpPublicKey);
788- else {
789+ r = ossl_rsa_pub_from_tpm(tpmPublicKey, &evpPublicKey);
790+ } else if (tpmPublicKey->publicArea.type == TPM2_ALG_ECC) {
791+ r = ossl_ecc_pub_from_tpm(tpmPublicKey, &evpPublicKey);
792+ } else {
793 goto_error(r,TSS2_FAPI_RC_BAD_VALUE, "Invalid alg id.", cleanup);
794 }
795 goto_if_error(r, "Get ossl public key.", cleanup);
796diff --git a/test/helper/tpm_getek.c b/test/helper/tpm_getek.c
797index 3cd7b9f..bbe8770 100644
798--- a/test/helper/tpm_getek.c
799+++ b/test/helper/tpm_getek.c
800@@ -7,8 +7,14 @@
801 #include <stdio.h>
802 #include <inttypes.h>
803 #include <openssl/evp.h>
804-#include <openssl/rsa.h>
805 #include <openssl/pem.h>
806+#if OPENSSL_VERSION_NUMBER < 0x30000000
807+#include <openssl/rsa.h>
808+#else
809+#include <openssl/core_names.h>
810+#include <openssl/params.h>
811+#include <openssl/param_build.h>
812+#endif
813
814 #include "tss2_sys.h"
815 #include "tss2_mu.h"
816@@ -109,36 +115,37 @@ main (int argc, char *argv[])
817
818 /* Convert the key from out_public to PEM */
819
820- EVP_PKEY *evp = EVP_PKEY_new();
821+ EVP_PKEY *evp = NULL;
822 BIO *bio = BIO_new_fp(stdout, BIO_NOCLOSE);
823- RSA *rsa = RSA_new();
824- BIGNUM *e = BN_new();
825- BIGNUM *d = BN_new();
826- BIGNUM *p = BN_new();
827- BIGNUM *q = BN_new();
828- BIGNUM *dmp1 = BN_new();
829- BIGNUM *dmq1 = BN_new();
830- BIGNUM *iqmp = BN_new();
831 BIGNUM *n = BN_bin2bn(out_public.publicArea.unique.rsa.buffer,
832 out_public.publicArea.unique.rsa.size, NULL);
833- BN_set_word(d, 0);
834- BN_set_word(p, 0);
835- BN_set_word(q, 0);
836- BN_set_word(dmp1, 0);
837- BN_set_word(dmq1, 0);
838- BN_set_word(iqmp, 0);
839 uint32_t exp;
840 if (out_public.publicArea.parameters.rsaDetail.exponent == 0)
841 exp = 65537;
842 else
843 exp = out_public.publicArea.parameters.rsaDetail.exponent;
844+
845+#if OPENSSL_VERSION_NUMBER < 0x30000000
846+ BIGNUM *e = BN_new();
847 BN_set_word(e, exp);
848
849- RSA_set0_key(rsa, n, e, d);
850- RSA_set0_factors(rsa, p, q);
851- RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp);
852+ RSA *rsa = RSA_new();
853+ RSA_set0_key(rsa, n, e, NULL);
854+ n = NULL;
855+ e = NULL;
856
857+ evp = EVP_PKEY_new();
858 EVP_PKEY_assign_RSA(evp, rsa);
859+#else /* OPENSSL_VERSION_NUMBER < 0x30000000 */
860+ OSSL_PARAM_BLD *build = OSSL_PARAM_BLD_new();
861+ OSSL_PARAM_BLD_push_BN(build, OSSL_PKEY_PARAM_RSA_N, n);
862+ OSSL_PARAM_BLD_push_uint32(build, OSSL_PKEY_PARAM_RSA_E, exp);
863+ OSSL_PARAM *params = OSSL_PARAM_BLD_to_param(build);
864+
865+ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
866+ EVP_PKEY_fromdata_init(ctx);
867+ EVP_PKEY_fromdata(ctx, &evp, EVP_PKEY_PUBLIC_KEY, params);
868+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000 */
869
870 if (!PEM_write_bio_PUBKEY(bio, evp)) {
871 LOG_ERROR("PEM_write failed");
872@@ -146,6 +153,14 @@ main (int argc, char *argv[])
873 }
874
875 EVP_PKEY_free(evp);
876+#if OPENSSL_VERSION_NUMBER < 0x30000000
877+ /* ownership was taken by the EVP_PKEY */
878+#else
879+ EVP_PKEY_CTX_free(ctx);
880+ OSSL_PARAM_free(params);
881+ OSSL_PARAM_BLD_free(build);
882+#endif
883+ BN_free(n);
884 BIO_free(bio);
885
886 return 0;
887diff --git a/test/helper/tpm_getek_ecc.c b/test/helper/tpm_getek_ecc.c
888index e389f18..29e6f1f 100644
889--- a/test/helper/tpm_getek_ecc.c
890+++ b/test/helper/tpm_getek_ecc.c
891@@ -7,9 +7,15 @@
892 #include <stdio.h>
893 #include <inttypes.h>
894 #include <openssl/evp.h>
895-#include <openssl/rsa.h>
896 #include <openssl/pem.h>
897 #include <openssl/err.h>
898+#if OPENSSL_VERSION_NUMBER < 0x30000000
899+#include <openssl/ec.h>
900+#else
901+#include <openssl/core_names.h>
902+#include <openssl/params.h>
903+#include <openssl/param_build.h>
904+#endif
905 #include <string.h>
906
907 #include "tss2_sys.h"
908@@ -127,8 +133,7 @@ main (int argc, char *argv[])
909
910 /* Convert the key from out_public to PEM */
911
912- EVP_PKEY *evp = EVP_PKEY_new();
913- EC_KEY *ecc_key = EC_KEY_new();
914+ EVP_PKEY *evp = NULL;
915 BIGNUM *x = NULL, *y = NULL;
916 BIO *bio = BIO_new_fp(stdout, BIO_NOCLOSE);
917 int nid;
918@@ -136,11 +141,6 @@ main (int argc, char *argv[])
919 nid = EC_curve_nist2nid("P-256");
920 EC_GROUP *ecgroup = EC_GROUP_new_by_curve_name(nid);
921
922- if (!EC_KEY_set_group(ecc_key, ecgroup))
923- exit(1);
924-
925- EC_GROUP_free(ecgroup);
926-
927 /* Set the ECC parameters in the OpenSSL key */
928 x = BN_bin2bn(out_public.publicArea.unique.ecc.x.buffer,
929 out_public.publicArea.unique.ecc.x.size, NULL);
930@@ -152,15 +152,46 @@ main (int argc, char *argv[])
931 exit(1);
932 }
933
934- if (!EC_KEY_set_public_key_affine_coordinates(ecc_key, x, y)) {
935+ EC_POINT *point = EC_POINT_new(ecgroup);
936+#if OPENSSL_VERSION_NUMBER < 0x10101000L
937+ EC_POINT_set_affine_coordinates_GFp(ecgroup, point, x, y, NULL);
938+#else
939+ EC_POINT_set_affine_coordinates(ecgroup, point, x, y, NULL);
940+#endif
941+
942+#if OPENSSL_VERSION_NUMBER < 0x30000000
943+ EC_KEY *ecc_key = EC_KEY_new();
944+ if (!EC_KEY_set_group(ecc_key, ecgroup))
945+ exit(1);
946+
947+ if (!EC_KEY_set_public_key(ecc_key, point)) {
948 exit(1);
949 }
950
951+ evp = EVP_PKEY_new();
952 if (!EVP_PKEY_assign_EC_KEY(evp, ecc_key)) {
953 handleErrors();
954 LOG_ERROR("PEM_write failed");
955 exit(1);
956 }
957+#else /* OPENSSL_VERSION_NUMBER < 0x30000000 */
958+ unsigned char *puboct = NULL;
959+ size_t bsize;
960+
961+ bsize = EC_POINT_point2buf(ecgroup, point, POINT_CONVERSION_UNCOMPRESSED,
962+ &puboct, NULL);
963+
964+ OSSL_PARAM_BLD *build = OSSL_PARAM_BLD_new();
965+ OSSL_PARAM_BLD_push_utf8_string(build, OSSL_PKEY_PARAM_GROUP_NAME,
966+ (char *)OBJ_nid2sn(nid), 0);
967+ OSSL_PARAM_BLD_push_octet_string(build, OSSL_PKEY_PARAM_PUB_KEY,
968+ puboct, bsize);
969+ OSSL_PARAM *params = OSSL_PARAM_BLD_to_param(build);
970+
971+ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
972+ EVP_PKEY_fromdata_init(ctx);
973+ EVP_PKEY_fromdata(ctx, &evp, EVP_PKEY_PUBLIC_KEY, params);
974+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000 */
975
976 if (!PEM_write_bio_PUBKEY(bio, evp)) {
977 handleErrors();
978@@ -168,9 +199,19 @@ main (int argc, char *argv[])
979 exit(1);
980 }
981
982+ EVP_PKEY_free(evp);
983+#if OPENSSL_VERSION_NUMBER < 0x30000000
984+ /* ownership was taken by the EVP_PKEY */
985+#else
986+ EVP_PKEY_CTX_free(ctx);
987+ OSSL_PARAM_free(params);
988+ OSSL_PARAM_BLD_free(build);
989+ OPENSSL_free(puboct);
990+#endif
991+ EC_POINT_free(point);
992+ EC_GROUP_free(ecgroup);
993 BN_free(y);
994 BN_free(x);
995- EVP_PKEY_free(evp);
996 BIO_free(bio);
997
998 return 0;
999--
10002.17.1
1001
diff --git a/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss/0003-Remove-deprecated-OpenSSL_add_all_algorithms.patch b/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss/0003-Remove-deprecated-OpenSSL_add_all_algorithms.patch
new file mode 100644
index 0000000..79c912c
--- /dev/null
+++ b/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss/0003-Remove-deprecated-OpenSSL_add_all_algorithms.patch
@@ -0,0 +1,49 @@
1From cde750dd594a6f5d7c463030ecbb9947fad2a12d Mon Sep 17 00:00:00 2001
2From: Petr Gotthard <petr.gotthard@centrum.cz>
3Date: Mon, 2 Aug 2021 15:50:26 +0200
4Subject: [PATCH] Remove deprecated OpenSSL_add_all_algorithms
5
6From OpenSSL 1.1.0 it is deprecated. No explicit initialisation or
7de-initialisation is required.
8
9Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
10
11Upstream-Status: Backport
12[https://github.com/tpm2-software/tpm2-tss/commit/e5bb5fb9f070c619415160f8889c372b769431b8]
13
14Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
15---
16 src/tss2-esys/esys_crypto_ossl.c | 2 +-
17 src/tss2-fapi/ifapi_get_intl_cert.c | 3 ---
18 2 files changed, 1 insertion(+), 4 deletions(-)
19
20diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c
21index a0e200f..e599ac7 100644
22--- a/src/tss2-esys/esys_crypto_ossl.c
23+++ b/src/tss2-esys/esys_crypto_ossl.c
24@@ -1174,7 +1174,7 @@ iesys_cryptossl_sym_aes_decrypt(uint8_t * key,
25 *
26 * Initialize OpenSSL internal tables.
27 *
28- * @retval TSS2_RC_SUCCESS always returned because OpenSSL_add_all_algorithms
29+ * @retval TSS2_RC_SUCCESS always returned
30 * does not deliver
31 * a return code.
32 */
33diff --git a/src/tss2-fapi/ifapi_get_intl_cert.c b/src/tss2-fapi/ifapi_get_intl_cert.c
34index 613f408..deda7fb 100644
35--- a/src/tss2-fapi/ifapi_get_intl_cert.c
36+++ b/src/tss2-fapi/ifapi_get_intl_cert.c
37@@ -369,9 +369,6 @@ out_free_json:
38 json_object_put(jso);
39
40 out:
41- /* In some case this call was necessary after curl usage */
42- OpenSSL_add_all_algorithms();
43-
44 free(hash);
45 if (rc == 0) {
46 return TSS2_RC_SUCCESS;
47--
482.17.1
49
diff --git a/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss_2.4.6.bb b/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss_2.4.6.bb
index 96339a5..4e3346b 100644
--- a/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss_2.4.6.bb
+++ b/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss_2.4.6.bb
@@ -6,7 +6,11 @@ SECTION = "tpm"
6 6
7DEPENDS = "autoconf-archive-native libgcrypt openssl" 7DEPENDS = "autoconf-archive-native libgcrypt openssl"
8 8
9SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz" 9SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz \
10 file://0001-Drop-support-for-OpenSSL-1.1.0.patch \
11 file://0002-Implement-EVP_PKEY-export-import-for-OpenSSL-3.0.patch \
12 file://0003-Remove-deprecated-OpenSSL_add_all_algorithms.patch \
13 "
10SRC_URI[md5sum] = "515cf2c53799e7d498481eb2569dcb03" 14SRC_URI[md5sum] = "515cf2c53799e7d498481eb2569dcb03"
11SRC_URI[sha256sum] = "20e6da532a7ef90c8e50cca51f276053ec505eee0167c18e2b07c1e747118b58" 15SRC_URI[sha256sum] = "20e6da532a7ef90c8e50cca51f276053ec505eee0167c18e2b07c1e747118b58"
12 16
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-05-13 08:31:18 +0000