diff --git a/SOURCES/0001-swtpm-Disable-OpenSSL-FIPS-mode-to-avoid-libtpms-fai.patch b/SOURCES/0001-swtpm-Disable-OpenSSL-FIPS-mode-to-avoid-libtpms-fai.patch new file mode 100644 index 0000000..7a5aed3 --- /dev/null +++ b/SOURCES/0001-swtpm-Disable-OpenSSL-FIPS-mode-to-avoid-libtpms-fai.patch @@ -0,0 +1,279 @@ +From 12c1bfab1f21fdc28039219a1a159a900ca97283 Mon Sep 17 00:00:00 2001 +From: Stefan Berger +Date: Wed, 8 Jun 2022 09:19:07 -0400 +Subject: [PATCH] swtpm: Disable OpenSSL FIPS mode to avoid libtpms failures + +While libtpms does not provide any means to disable FIPS-disabled crypto +algorithms from being used, work around the issue by simply disabling the +FIPS mode of OpenSSL if it is enabled. If it cannot be disabled, exit +swtpm with a failure message that it cannot be disabled. If FIPS mode +was successfully disabled, print out a message as well. + +Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=2090219 +Signed-off-by: Stefan Berger +--- + configure.ac | 9 ++++ + src/swtpm/Makefile.am | 2 + + src/swtpm/cuse_tpm.c | 5 ++ + src/swtpm/fips.c | 100 ++++++++++++++++++++++++++++++++++++++ + src/swtpm/fips.h | 43 ++++++++++++++++ + src/swtpm/swtpm.c | 3 ++ + src/swtpm/swtpm_chardev.c | 3 ++ + src/swtpm/utils.h | 2 + + 8 files changed, 167 insertions(+) + create mode 100644 src/swtpm/fips.c + create mode 100644 src/swtpm/fips.h + +diff --git a/configure.ac b/configure.ac +index ad3054e5c7e3..30288c7a24ac 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -156,6 +156,15 @@ openssl) + AC_MSG_RESULT([Building with openssl crypto library]) + LIBCRYPTO_LIBS=$(pkg-config --libs libcrypto) + AC_SUBST([LIBCRYPTO_LIBS]) ++ AC_CHECK_HEADERS([openssl/fips.h], ++ [AC_DEFINE_UNQUOTED([HAVE_OPENSSL_FIPS_H], 1, ++ [whether openssl/fips.h is available])] ++ ) ++ AC_CHECK_LIB(crypto, ++ [FIPS_mode_set], ++ [AC_DEFINE_UNQUOTED([HAVE_OPENSSL_FIPS_MODE_SET_API], 1, ++ [whether FIPS_mode_set API is available])] ++ ) + ;; + esac + +diff --git a/src/swtpm/Makefile.am b/src/swtpm/Makefile.am +index 5454a6f7b747..2a659500a17f 100644 +--- a/src/swtpm/Makefile.am ++++ b/src/swtpm/Makefile.am +@@ -11,6 +11,7 @@ noinst_HEADERS = \ + capabilities.h \ + common.h \ + ctrlchannel.h \ ++ fips.h \ + key.h \ + locality.h \ + logging.h \ +@@ -40,6 +41,7 @@ libswtpm_libtpms_la_SOURCES = \ + capabilities.c \ + common.c \ + ctrlchannel.c \ ++ fips.c \ + key.c \ + logging.c \ + mainloop.c \ +diff --git a/src/swtpm/cuse_tpm.c b/src/swtpm/cuse_tpm.c +index 9dbc00df2825..3026e26fffb3 100644 +--- a/src/swtpm/cuse_tpm.c ++++ b/src/swtpm/cuse_tpm.c +@@ -1695,6 +1695,11 @@ int swtpm_cuse_main(int argc, char **argv, const char *prgname, const char *ifac + goto exit; + } + ++ if (disable_fips_mode() < 0) { ++ ret = -1; ++ goto exit; ++ } ++ + if (tpmlib_register_callbacks(&cbs) != TPM_SUCCESS) { + ret = -1; + goto exit; +diff --git a/src/swtpm/fips.c b/src/swtpm/fips.c +new file mode 100644 +index 000000000000..eeb2a0ca4187 +--- /dev/null ++++ b/src/swtpm/fips.c +@@ -0,0 +1,100 @@ ++/* ++ * fips.c -- FIPS mode related functions ++ * ++ * (c) Copyright IBM Corporation 2022. ++ * ++ * Author: Stefan Berger ++ * ++ * All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions are ++ * met: ++ * ++ * Redistributions of source code must retain the above copyright notice, ++ * this list of conditions and the following disclaimer. ++ * ++ * Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * ++ * Neither the names of the IBM Corporation nor the names of its ++ * contributors may be used to endorse or promote products derived from ++ * this software without specific prior written permission. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ++ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT ++ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR ++ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT ++ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT ++ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, ++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY ++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT ++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE ++ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ++ */ ++ ++#include "config.h" ++ ++#include "fips.h" ++#include "logging.h" ++ ++#if defined(HAVE_OPENSSL_FIPS_H) ++# include ++#elif defined(HAVE_OPENSSL_FIPS_MODE_SET_API) ++/* Cygwin has no fips.h but API exists */ ++extern int FIPS_mode(void); ++extern int FIPS_mode_set(int); ++#endif ++ ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++# include ++#endif ++ ++#include ++ ++/* ++ * disable_fips_mode: If possible, disable FIPS mode to avoid libtpms failures ++ * ++ * While libtpms does not provide a solution to disable deactivated algorithms ++ * avoid libtpms failures due to FIPS mode enablement by disabling FIPS mode. ++ * ++ * Returns < 0 on error, 0 otherwise. ++ */ ++#if defined(HAVE_OPENSSL_FIPS_H) || defined(HAVE_OPENSSL_FIPS_MODE_SET_API) ++int disable_fips_mode(void) ++{ ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++ int mode = EVP_default_properties_is_fips_enabled(NULL); ++#else ++ int mode = FIPS_mode(); ++#endif ++ int ret = 0; ++ ++ if (mode != 0) { ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++ int rc = EVP_default_properties_enable_fips(NULL, 0); ++#else ++ int rc = FIPS_mode_set(0); ++#endif ++ if (rc == 1) { ++ logprintf(STDOUT_FILENO, ++ "Warning: Disabled OpenSSL FIPS mode\n"); ++ } else { ++ unsigned long err = ERR_get_error(); ++ logprintf(STDERR_FILENO, ++ "Failed to disable OpenSSL FIPS mode: %s\n", ++ ERR_error_string(err, NULL)); ++ ret = -1; ++ } ++ } ++ return ret; ++} ++#else ++/* OpenBSD & DragonFlyBSD case */ ++int disable_fips_mode(void) ++{ ++ return 0; ++} ++#endif +diff --git a/src/swtpm/fips.h b/src/swtpm/fips.h +new file mode 100644 +index 000000000000..14d4e9fe926d +--- /dev/null ++++ b/src/swtpm/fips.h +@@ -0,0 +1,43 @@ ++/* ++ * fips.h -- FIPS mode related functions ++ * ++ * (c) Copyright IBM Corporation 2015. ++ * ++ * Author: Stefan Berger ++ * ++ * All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions are ++ * met: ++ * ++ * Redistributions of source code must retain the above copyright notice, ++ * this list of conditions and the following disclaimer. ++ * ++ * Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * ++ * Neither the names of the IBM Corporation nor the names of its ++ * contributors may be used to endorse or promote products derived from ++ * this software without specific prior written permission. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ++ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT ++ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR ++ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT ++ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT ++ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, ++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY ++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT ++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE ++ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ++ */ ++ ++#ifndef _SWTPM_UTILS_H_ ++#define _SWTPM_UTILS_H_ ++ ++int disable_fips_mode(void); ++ ++#endif /* _SWTPM_UTILS_H_ */ +diff --git a/src/swtpm/swtpm.c b/src/swtpm/swtpm.c +index 722a7432f251..e618c567b1d2 100644 +--- a/src/swtpm/swtpm.c ++++ b/src/swtpm/swtpm.c +@@ -521,6 +521,9 @@ int swtpm_main(int argc, char **argv, const char *prgname, const char *iface) + daemonize_finish(); + } + ++ if (disable_fips_mode() < 0) ++ goto error_seccomp_profile; ++ + rc = mainLoop(&mlp, notify_fd[0]); + + error_seccomp_profile: +diff --git a/src/swtpm/swtpm_chardev.c b/src/swtpm/swtpm_chardev.c +index 9710927ec626..ab6d8fd417c6 100644 +--- a/src/swtpm/swtpm_chardev.c ++++ b/src/swtpm/swtpm_chardev.c +@@ -573,6 +573,9 @@ int swtpm_chardev_main(int argc, char **argv, const char *prgname, const char *i + daemonize_finish(); + } + ++ if (disable_fips_mode() < 0) ++ goto error_seccomp_profile; ++ + rc = mainLoop(&mlp, notify_fd[0]); + + error_seccomp_profile: +diff --git a/src/swtpm/utils.h b/src/swtpm/utils.h +index 75024425d4b0..b8acd895a2ac 100644 +--- a/src/swtpm/utils.h ++++ b/src/swtpm/utils.h +@@ -71,4 +71,6 @@ ssize_t writev_full(int fd, const struct iovec *iov, int iovcnt); + + ssize_t read_eintr(int fd, void *buffer, size_t buflen); + ++int disable_fips_mode(void); ++ + #endif /* _SWTPM_UTILS_H_ */ +-- +2.36.0.44.g0f828332d5ac + diff --git a/SOURCES/0001-swtpm_localca-Test-for-available-issuercert-before-c.patch b/SOURCES/0001-swtpm_localca-Test-for-available-issuercert-before-c.patch new file mode 100644 index 0000000..201620b --- /dev/null +++ b/SOURCES/0001-swtpm_localca-Test-for-available-issuercert-before-c.patch @@ -0,0 +1,65 @@ +From b6b0611704047b8632b328d48502f3b3f9fe4fe2 Mon Sep 17 00:00:00 2001 +From: Stefan Berger +Date: Tue, 1 Feb 2022 12:40:06 -0500 +Subject: [PATCH] swtpm_localca: Test for available issuercert before creating + CA + +Avoid trying to create TPM certificates while the issuer certificate has +not been created, yet (in a 2nd step). + +To resolve this do not just test for availability of the signing key, which +is created first, but also test for the issuer certifcate, which is created +in a 2nd step when the local CA is created. If either one is missing, +attempt to create the CA. + +Resolves: https://github.com/stefanberger/swtpm/issues/644 +Signed-off-by: Stefan Berger +--- + src/swtpm_localca/swtpm_localca.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/src/swtpm_localca/swtpm_localca.c b/src/swtpm_localca/swtpm_localca.c +index 037bfd5266bb..089e4e0db4ce 100644 +--- a/src/swtpm_localca/swtpm_localca.c ++++ b/src/swtpm_localca/swtpm_localca.c +@@ -117,7 +117,7 @@ static int create_localca_cert(const gchar *lockfile, const gchar *statedir, + goto error; + } + +- if (access(signkey, R_OK) != 0) { ++ if (access(signkey, R_OK) != 0 || access(issuercert, R_OK) != 0) { + g_autofree gchar *directory = g_path_get_dirname(signkey); + g_autofree gchar *cakey = g_strjoin(G_DIR_SEPARATOR_S, directory, "swtpm-localca-rootca-privkey.pem", NULL); + g_autofree gchar *cacert = g_strjoin(G_DIR_SEPARATOR_S, directory, "swtpm-localca-rootca-cert.pem", NULL); +@@ -808,13 +808,28 @@ int main(int argc, char *argv[]) + if (ret != 0) + goto error; + } else { ++ int create_certs = 0; ++ ++ /* create certificate if either the signing key or issuer cert are missing */ + if (access(signkey, R_OK) != 0) { + if (stat(signkey, &statbuf) == 0) { + logerr(gl_LOGFILE, "Need read rights on signing key %s for user %s.\n", + signkey, curr_user ? curr_user->pw_name : ""); + goto error; + } ++ create_certs = 1; ++ } ++ ++ if (access(issuercert, R_OK) != 0) { ++ if (stat(issuercert, &statbuf) == 0) { ++ logerr(gl_LOGFILE, "Need read rights on issuer certificate %s for user %s.\n", ++ issuercert, curr_user ? curr_user->pw_name : ""); ++ goto error; ++ } ++ create_certs = 1; ++ } + ++ if (create_certs) { + logit(gl_LOGFILE, "Creating root CA and a local CA's signing key and issuer cert.\n"); + if (create_localca_cert(lockfile, statedir, signkey, signkey_password, + issuercert) != 0) { +-- +2.37.0.rc0 + diff --git a/SPECS/swtpm.spec b/SPECS/swtpm.spec index e3d10c6..d010097 100644 --- a/SPECS/swtpm.spec +++ b/SPECS/swtpm.spec @@ -12,10 +12,12 @@ Summary: TPM Emulator Name: swtpm Version: 0.7.0 -Release: 1.%{gitdate}git%{gitshortcommit}%{?dist} +Release: 3.%{gitdate}git%{gitshortcommit}%{?dist} License: BSD Url: http://github.com/stefanberger/swtpm Source0: %{url}/archive/%{gitcommit}/%{name}-%{gitshortcommit}.tar.gz +Patch0001: 0001-swtpm-Disable-OpenSSL-FIPS-mode-to-avoid-libtpms-fai.patch +Patch0002: 0001-swtpm_localca-Test-for-available-issuercert-before-c.patch ExcludeArch: i686 BuildRequires: make @@ -179,6 +181,14 @@ fi %{_datadir}/swtpm/swtpm-create-tpmca %changelog +* Mon Jul 18 2022 Marc-André Lureau - 0.7.0-3.20211109gitb79fd91 +- swtpm_localca: Test for available issuercert before creating CA + Resolves: rhbz#2109987 + +* Thu Jun 09 2022 Marc-André Lureau - 0.7.0-2.20211109gitb79fd91 +- Disable FIPS mode. + Resolves: rhbz#2109568 + * Tue Jan 04 2022 Marc-André Lureau - 0.7.0-1.20211109gitb79fd91 - Rebase to 0.7.0, disable TPM 1.2. Resovles: rhbz#2029612