Merge branch 'master' into master

.gitignore

@@ -3,6 +3,7 @@
 Makefile
 Makefile.in
 aclocal.m4
+aminclude_static.am
 autom4te.cache/
 compile
 config.guess

INSTALL.md

@@ -2,6 +2,7 @@
 
 ## GNU/Linux
 * GNU Autoconf
+* GNU Autoconf Archive
 * GNU Automake
 * GNU Libtool
 * C compiler
@@ -16,6 +17,7 @@
 sudo apt -y install \
   build-essential \
   autoconf \
+  autoconf-archive \
   automake \
   m4 \
   libtool \

Makefile.am

@@ -31,7 +31,7 @@
 
 ### Initialize global variables used throughout the file ###
 INCLUDE_DIRS    = -I$(srcdir)/include -I$(srcdir)/src
-ACLOCAL_AMFLAGS = -I m4
+ACLOCAL_AMFLAGS = -I m4 --install
 AM_CFLAGS       = $(INCLUDE_DIRS) $(EXTRA_CFLAGS) $(TSS2_ESYS_CFLAGS) \
                   $(CRYPTO_CFLAGS) $(CODE_COVERAGE_CFLAGS)
 AM_LDFLAGS      = $(EXTRA_LDFLAGS) $(CODE_COVERAGE_LIBS)
@@ -50,7 +50,13 @@ bin_PROGRAMS =
 
 ### Add ax_* rules ###
 # ax_code_coverage
+if AUTOCONF_CODE_COVERAGE_2019_01_06
+include $(top_srcdir)/aminclude_static.am
+clean-local: code-coverage-clean
+distclean-local: code-coverage-dist-clean
+else
 @CODE_COVERAGE_RULES@
+endif
 
 ### OpenSSL Engine ###
 openssl_enginedir = $(ENGINESDIR)
@@ -111,7 +117,8 @@ TESTS_SHELL = test/ecdsa.sh \
               test/rsasign_parent.sh \
               test/rsasign_persistent.sh \
               test/rsasign_persistent_emptyauth.sh \
-              test/ciphers.sh
+              test/ciphers.sh \
+              test/sserver.sh
 EXTRA_DIST += $(TESTS_SHELL)
 
 check_PROGRAMS = $(TESTS_UNIT)

configure.ac

@@ -102,6 +102,10 @@ AX_ADD_LINK_FLAG([-Wl,-z,now])
 AX_ADD_LINK_FLAG([-Wl,-z,relro])
 
 AX_CODE_COVERAGE
+m4_ifdef([_AX_CODE_COVERAGE_RULES],
+         [AM_CONDITIONAL(AUTOCONF_CODE_COVERAGE_2019_01_06, [true])],
+         [AM_CONDITIONAL(AUTOCONF_CODE_COVERAGE_2019_01_06, [false])])
+AX_ADD_AM_MACRO_STATIC([])
 
 PKG_PROG_PKG_CONFIG([0.25])
 PKG_CHECK_MODULES([CRYPTO], [libcrypto >= 1.0.2g],

src/tpm2-tss-engine-ciphers.c

@@ -126,6 +126,8 @@ static TPMI_ALG_SYM_MODE tpm2_get_cipher_mode(EVP_CIPHER_CTX *ctx, TPM2_DATA_CIP
     if (mode_tpm2 == TPM2_ALG_NULL)
         mode_tpm2 = TPM2_ALG_CFB;
 
+    mode_tpm2 = tpm2DataCipher->tpm2Data->pub.publicArea.parameters.symDetail.sym.mode.sym;
+
     return mode_tpm2;
 }
 
@@ -209,7 +211,7 @@ tpm2_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in,
     in_data->size = inl;
 
     /* Get mode value */
-    mode = tpm2DataCipher->tpm2Data->pub.publicArea.parameters.symDetail.sym.mode.sym;
+    mode = tpm2_get_cipher_mode(ctx, tpm2DataCipher);
     enc = tpm2DataCipher->enc;
     iv_in = tpm2DataCipher->iv;
 
@@ -246,18 +248,18 @@ tpm2_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in,
                                    in_data,
                                    &out_data,
                                    &iv_out );
-        if(ret == TPM2_RC_SUCCESS)
+        if(ret == TPM2_RC_SUCCESS) {
             DBG("Esys_EncryptDecrypt  : SUCCESS\n");
-        else
-            DBG("Esys_EncryptDecrypt  : FAILED\n", ret);
+        }
+        else {
+            DBG("Esys_EncryptDecrypt  : FAILED\n");
+        }
     }
     ERRchktss(tpm2_do_cipher, ret, goto error);
 
     /* Copy out_data : TPM2B_MAX_BUFFER to unsigned char* */
     memcpy(out, out_data->buffer, out_data->size);
     out[out_data->size] = '\0';
-    printf("IN (%d)  : %s\n", in_data->size, in_data->buffer);
-    printf("OUT (%d) : %s\n", out_data->size, out);
 
     /* Close TPM session */
     if (keyHandle != ESYS_TR_NONE) {

src/tpm2-tss-engine-common.h

@@ -46,6 +46,7 @@ extern TPM2B_DIGEST ownerauth;
 int init_ecc(ENGINE *e);
 int init_rand(ENGINE *e);
 int init_rsa(ENGINE *e);
+int init_ciphers(ENGINE *e);
 
 typedef void* dl_handle_t;
 

src/tpm2-tss-engine-ecc.c

@@ -142,6 +142,20 @@ ecdsa_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
 
     TPMT_SIG_SCHEME inScheme = { .scheme = TPM2_ALG_ECDSA };
 
+    /* ECDSA says to truncate the incoming hash to fit the curve. */
+    switch (tpm2Data->pub.publicArea.parameters.eccDetail.curveID) {
+    case TPM2_ECC_NIST_P256:
+        if (dgst_len > 256/8)
+            dgst_len = 256/8;
+        break;
+    case TPM2_ECC_NIST_P384:
+        if (dgst_len > 384/8)
+            dgst_len = 384/8;
+        break;
+    default:
+        break;
+    }
+
     TPM2B_DIGEST digest = { .size = dgst_len };
     if (digest.size > sizeof(digest.buffer)) {
         ERR(rsa_priv_enc, TPM2TSS_R_DIGEST_TOO_LARGE);

test/ciphers.sh

@@ -33,7 +33,7 @@ tpm2_flushcontext -T mssim -t
 HANDLE=$(tpm2_evictcontrol -T mssim -a o -c ${RSA_CTX} | cut -d ' ' -f 2)
 tpm2_flushcontext -T mssim -t
 
-KEY=${HANDLE}
+KEY=$(echo ${HANDLE} | cut -d 'x' -f 2)
 IV=0123456789012345
 
 # Encrypt Data

test/sserver.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -eufx
+
+export LANG=C
+export OPENSSL_ENGINES=${PWD}/.libs
+export LD_LIBRARY_PATH=$OPENSSL_ENGINES:${LD_LIBRARY_PATH-}
+export PATH=${PWD}:${PATH}
+#The following is for DESTDIR-installations of openssl
+export OPENSSL_CONF=$(find $(dirname $(which openssl))/../../ -name openssl.cnf | head -n 1)
+
+if openssl version | grep "OpenSSL 1.0.2" >/dev/null; then
+    echo "OpenSSL 1.0.2 does not load the certificate; private key mismatch ???"
+    exit 77
+fi
+
+DIR=$(mktemp -d)
+
+echo -n "WORKING !!!">${DIR}/index.html
+
+function cleanup()
+{
+    kill -term $SERVER
+}
+
+tpm2tss-genkey -a ecdsa ${DIR}/mykey
+
+echo -e "\n\n\n\n\n\n\n" | openssl req -new -x509 -engine tpm2tss -key ${DIR}/mykey  -keyform engine -out ${DIR}/mykey.crt
+
+openssl s_server -www -cert ${DIR}/mykey.crt -key ${DIR}/mykey -keyform engine -engine tpm2tss -accept 127.0.0.1:8443 &
+SERVER=$!
+trap "cleanup" EXIT
+
+sleep 1
+
+echo "GET index.html" | openssl s_client -connect localhost:8443