# HG changeset patch # User Tsu-Phong Wu # Date 1350716768 25200 # Node ID 811524a2620b882e819b186c96b752c160739115 # Parent 5b1bfaf90eeb9b6d0a394d72c17c246f24c63383 7123028 Problem with crypto/tss 7041927 tcsd and libtspi should not use TCP/IP sockets 7002966 libtspi can segv in .fini section 6896514 tss code doesn't do correct privilege check when using mlock 7162897 tcsd daemon goes into maintenance mode after reboot diff -r 5b1bfaf90eeb -r 811524a2620b components/trousers/patches/Makefile.in.patch --- a/components/trousers/patches/Makefile.in.patch Fri Oct 19 16:06:19 2012 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,30 +0,0 @@ ---- src/tcsd/Makefile.in.old Thu Jan 28 13:56:46 2010 -+++ src/tcsd/Makefile.in Wed Mar 3 16:35:23 2010 -@@ -47,7 +47,7 @@ - mkinstalldirs = $(install_sh) -d - CONFIG_CLEAN_FILES = - CONFIG_CLEAN_VPATH_FILES = --am__installdirs = "$(DESTDIR)$(sbindir)" -+am__installdirs = "$(DESTDIR)$(libdir)" - PROGRAMS = $(sbin_PROGRAMS) - am_tcsd_OBJECTS = tcsd-svrside.$(OBJEXT) tcsd-tcsd_conf.$(OBJEXT) \ - tcsd-tcsd_threads.$(OBJEXT) tcsd-platform.$(OBJEXT) -@@ -185,7 +185,7 @@ - prefix = @prefix@ - program_transform_name = @program_transform_name@ - psdir = @psdir@ --sbindir = @sbindir@ -+sbindir = @libdir@ - sharedstatedir = @sharedstatedir@ - srcdir = @srcdir@ - sysconfdir = @sysconfdir@ -@@ -200,7 +200,8 @@ - tcsd_CFLAGS = -DAPPID=\"TCSD\" -DVAR_PREFIX=\"@localstatedir@\" \ - -DETC_PREFIX=\"@sysconfdir@\" -I${top_srcdir}/src/include \ - $(am__append_1) $(am__append_2) --tcsd_LDADD = ${top_builddir}/src/tcs/libtcs.a ${top_builddir}/src/tddl/libtddl.a -lpthread @CRYPTOLIB@ -+tcsd_LDADD = ${top_builddir}/src/tcs/libtcs.a ${top_builddir}/src/tddl/libtddl.a \ -+ -lpthread -lbsm -lscf -lresolv @CRYPTOLIB@ - tcsd_SOURCES = svrside.c tcsd_conf.c tcsd_threads.c platform.c - all: all-am - diff -r 5b1bfaf90eeb -r 811524a2620b components/trousers/patches/configure.in.patch 
--- a/components/trousers/patches/configure.in.patch Fri Oct 19 16:06:19 2012 -0700 +++ b/components/trousers/patches/configure.in.patch Sat Oct 20 00:06:08 2012 -0700 @@ -1,10 +1,21 @@ ---- configure.in.orig Thu Jan 28 13:56:20 2010 -+++ configure.in Wed Mar 3 16:40:12 2010 -@@ -351,6 +351,7 @@ +--- configure.in 2010-07-08 13:35:18.000000000 -0700 ++++ configure.in 2012-04-10 17:37:23.820532000 -0700 +@@ -143,7 +143,9 @@ + # + # The default port that the TCS daemon listens on + # +-AC_SUBST(TCSD_DEFAULT_PORT, 30003) ++#AC_SUBST(TCSD_DEFAULT_PORT, 30003) ++# 0 designates UNIX Domain socket. For TCP sockets, 30003 is the traditional TCP port. ++AC_SUBST(TCSD_DEFAULT_PORT, 0) + # + # The RPC mechanism to build into both libtspi and the tcsd + # +@@ -351,6 +353,7 @@ AC_C_BIGENDIAN([AC_DEFINE(_BIG_ENDIAN, 1, [big-endian host])]) AC_CHECK_DECL(htole32, [AC_DEFINE(HTOLE_DEFINED, 1, [htole32 function is available])]) +AC_CHECK_HEADER(endian.h, [AC_DEFINE(HAVE_ENDIAN_H, 1, [endian.h header])]) AC_CHECK_HEADER(sys/byteorder.h, [AC_DEFINE(HAVE_BYTEORDER_H, 1, [sys/byteorder.h header])]) AC_CHECK_FUNC(daemon, [ AC_DEFINE(HAVE_DAEMON, 1, [daemon function is available]) ]) - + diff -r 5b1bfaf90eeb -r 811524a2620b components/trousers/patches/dist_tcsd.conf.in.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/trousers/patches/dist_tcsd.conf.in.patch Sat Oct 20 00:06:08 2012 -0700 
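Review bot: `AC_SUBST(TCSD_DEFAULT_PORT, 0)` overloads the port number as a transport selector, but 0 already means something to TCP: binding to it gets a kernel-chosen port. Any consumer of `TCSD_DEFAULT_PORT` that still passes the value to a TCP bind or connect without first testing for 0 would land on an unpredictable port rather than the UNIX domain socket. The tcsd and libtspi socket code is not visible in this hunk, so this needs checking there. I would also drop the commented-out `#AC_SUBST(TCSD_DEFAULT_PORT, 30003)` line, since the new comment `# 0 designates UNIX Domain socket. For TCP sockets, 30003 is the traditional TCP port.` already records the old value.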
@@ -0,0 +1,38 @@ +--- dist/tcsd.conf.in 2010-01-28 08:27:50.000000000 -0800 ++++ dist/tcsd.conf.in 2012-04-12 14:52:21.154590000 -0700 +@@ -9,10 +9,16 @@ + # + + # Option: port +-# Values: 1 - 65535 ++# Values: 0 - 65535 + # Description: The port that the tcsd will listen on. ++# If 0, use UNIX Domain socket /var/tpm/tcsd-socket, ++# otherwise use the specified TCP port (30003 is the traditional tcsd TCP port). + # +-# port = 30003 ++# If using a TCP Port (that is, port is not 0), clients such as tpmadm must set ++# the port with shell environment variable TSS_TCSD_PORT. For example, ++# export TSS_TCSD_PORT=30003 ++# ++# port = 0 + # + + # Option: num_threads +@@ -37,6 +43,7 @@ + # + # firmware_log_file = /sys/kernel/security/tpm0/binary_bios_measurements + # ++firmware_log_file=/var/tpm/system/pcrevent.log + + # Option: kernel_log_file + # Values: Any absolute directory path +@@ -54,7 +61,7 @@ + # Description: A list of PCR indices that are manipulated only by the system + # firmware and therefore are not extended or logged by the TCSD. + # +-# firmware_pcrs = ++firmware_pcrs =0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,20,21 + # + + # Option: kernel_pcrs diff -r 5b1bfaf90eeb -r 811524a2620b components/trousers/patches/hash.c.patch --- a/components/trousers/patches/hash.c.patch Fri Oct 19 16:06:19 2012 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
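Review bot: The newly active `firmware_pcrs =0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,20,21` line has no comment explaining why PCRs 8-15, 20 and 21 are treated as firmware-owned. The option description kept as context says listed PCRs "are not extended or logged by the TCSD", so this default stops the TCSD from extending or logging most of the PCR range. That looks deliberate, but an administrator reading the file cannot tell. A short comment above the line naming which component measures into those PCRs on this platform would make the choice auditable. The two activated settings are also spaced differently (`firmware_log_file=/var/tpm/system/pcrevent.log` against `firmware_pcrs =0,...`); `firmware_pcrs = 0,1,...` would match the `port = 0` style used in the same file.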
@@ -1,87 +0,0 @@ ---- src/trspi/crypto/openssl/hash.c.old 2011-05-09 06:20:09.505021734 -0700 -+++ src/trspi/crypto/openssl/hash.c 2011-05-09 06:19:04.603252090 -0700 -@@ -56,45 +56,21 @@ - TSS_RESULT - Trspi_Hash(UINT32 HashType, UINT32 BufSize, BYTE* Buf, BYTE* Digest) - { -- EVP_MD_CTX md_ctx; -- unsigned int result_size; -- int rv; -+ Trspi_HashCtx ctx; -+ TSS_RESULT rv; - -- switch (HashType) { -- case TSS_HASH_SHA1: -- rv = EVP_DigestInit(&md_ctx, EVP_sha1()); -- break; -- default: -- rv = TSPERR(TSS_E_BAD_PARAMETER); -- goto out; -- break; -- } -+ rv = Trspi_HashInit(&ctx, HashType); -+ if (rv != TSS_SUCCESS) -+ return rv; - -- if (rv != EVP_SUCCESS) { -- rv = TSPERR(TSS_E_INTERNAL_ERROR); -- goto err; -- } -- -- rv = EVP_DigestUpdate(&md_ctx, Buf, BufSize); -- if (rv != EVP_SUCCESS) { -- rv = TSPERR(TSS_E_INTERNAL_ERROR); -- goto err; -+ rv = Trspi_HashUpdate(&ctx, BufSize, Buf); -+ if (rv != TSS_SUCCESS) { -+ EVP_MD_CTX_destroy(ctx.ctx); -+ return rv; - } -+ rv = Trspi_HashFinal(&ctx, Digest); - -- result_size = EVP_MD_CTX_size(&md_ctx); -- rv = EVP_DigestFinal(&md_ctx, Digest, &result_size); -- if (rv != EVP_SUCCESS) { -- rv = TSPERR(TSS_E_INTERNAL_ERROR); -- goto err; -- } else -- rv = TSS_SUCCESS; -- -- goto out; -- --err: -- DEBUG_print_openssl_errors(); --out: -- return rv; -+ return (rv); - } - - TSS_RESULT -@@ -112,7 +88,8 @@ - break; - } - -- if ((ctx->ctx = malloc(sizeof(EVP_MD_CTX))) == NULL) -+ ctx->ctx = EVP_MD_CTX_create(); -+ if (ctx->ctx == NULL) - return TSPERR(TSS_E_OUTOFMEMORY); - - rv = EVP_DigestInit((EVP_MD_CTX *)ctx->ctx, (const EVP_MD *)md); -@@ -142,7 +119,7 @@ - rv = EVP_DigestUpdate(ctx->ctx, data, size); - if (rv != EVP_SUCCESS) { - DEBUG_print_openssl_errors(); -- free(ctx->ctx); -+ EVP_MD_CTX_destroy(ctx->ctx); - ctx->ctx = NULL; - return TSPERR(TSS_E_INTERNAL_ERROR); - } -@@ -164,7 +141,7 @@ - if (rv != EVP_SUCCESS) - return TSPERR(TSS_E_INTERNAL_ERROR); - -- free(ctx->ctx); -+ EVP_MD_CTX_destroy(ctx->ctx); - ctx->ctx = NULL; 
- - return TSS_SUCCESS; diff -r 5b1bfaf90eeb -r 811524a2620b components/trousers/patches/hosttable.c.patch --- a/components/trousers/patches/hosttable.c.patch Fri Oct 19 16:06:19 2012 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,53 +0,0 @@ ---- src/tspi/rpc/hosttable.c.old Thu Jan 28 13:27:59 2010 -+++ src/tspi/rpc/hosttable.c Thu Aug 5 14:24:00 2010 -@@ -22,7 +22,7 @@ - struct host_table *ht = NULL; - - TSS_RESULT --host_table_init() -+static host_table_init() - { - ht = calloc(1, sizeof(struct host_table)); - if (ht == NULL) { -@@ -36,8 +36,7 @@ - } - - #ifdef SOLARIS --#pragma init(_init) --void _init(void) -+static void my_init(void) - #else - void __attribute__ ((constructor)) my_init(void) - #endif -@@ -46,7 +45,7 @@ - __tspi_obj_list_init(); - } - --void -+static void - host_table_final() - { - struct host_table_entry *hte, *next = NULL; -@@ -70,8 +69,7 @@ - } - - #ifdef SOLARIS --#pragma fini(_fini) --void _fini(void) -+static void my_fini(void) - #else - void __attribute__ ((destructor)) my_fini(void) - #endif -@@ -79,6 +77,11 @@ - host_table_final(); - } - -+#ifdef SOLARIS -+#pragma init(my_init) -+#pragma fini(my_fini) -+#endif -+ - TSS_RESULT - __tspi_add_table_entry(TSS_HCONTEXT tspContext, BYTE *host, int type, struct host_table_entry **ret) - { - diff -r 5b1bfaf90eeb -r 811524a2620b components/trousers/patches/include_tcsd.h.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/trousers/patches/include_tcsd.h.patch Sat Oct 20 00:06:08 2012 -0700 
@@ -0,0 +1,27 @@ +--- src/include/tcsd.h 2010-05-02 19:54:15.000000000 -0700 ++++ src/include/tcsd.h 2012-04-11 12:43:21.508009000 -0700 +@@ -48,14 +48,24 @@ + of this TCS System */ + }; + ++#ifdef SOLARIS ++#define TCSD_CONFIG_FILE "/etc/security/tcsd.conf" ++#else + #define TCSD_CONFIG_FILE ETC_PREFIX "/tcsd.conf" ++#endif + + #define TSS_USER_NAME "tss" + #define TSS_GROUP_NAME "tss" + + #define TCSD_DEFAULT_MAX_THREADS 10 ++#ifdef SOLARIS ++#define TCSD_DEFAULT_SYSTEM_PS_DIR "/var/tpm/system" ++#define TCSD_DEFAULT_SYSTEM_PS_FILE "/var/tpm/system/system.data" ++#define TCSD_DEFAULT_SOCKET "/var/tpm/tcsd-socket" ++#else + #define TCSD_DEFAULT_SYSTEM_PS_FILE VAR_PREFIX "/lib/tpm/system.data" + #define TCSD_DEFAULT_SYSTEM_PS_DIR VAR_PREFIX "/lib/tpm" ++#endif /* SOLARIS */ + #define TCSD_DEFAULT_FIRMWARE_LOG_FILE "/sys/kernel/security/tpm0/binary_bios_measurements" + #define TCSD_DEFAULT_KERNEL_LOG_FILE "/sys/kernel/security/ima/binary_runtime_measurements" + #define TCSD_DEFAULT_FIRMWARE_PCRS 0x00000000 diff -r 5b1bfaf90eeb -r 811524a2620b components/trousers/patches/include_tspps.h.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/trousers/patches/include_tspps.h.patch Sat Oct 20 00:06:08 2012 -0700 
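Review bot: `TCSD_DEFAULT_SOCKET` is defined only in the `#ifdef SOLARIS` branch, so any reference to it outside such a guard fails to compile on other builds. Either the `#else` branch needs its own definition, or a comment should state that the UNIX domain transport is Solaris-only. The Solaris values (`"/etc/security/tcsd.conf"`, `"/var/tpm/system"`, `"/var/tpm/tcsd-socket"`) are literals rather than built from `ETC_PREFIX` / `VAR_PREFIX`, so a non-default sysconfdir or localstatedir is silently ignored on that platform. With the socket at a filesystem path, who may reach the daemon depends on the owner and mode of `/var/tpm` and of the socket itself; the code that creates it is not in this hunk. I would record that next to the define, for example `/* local clients only; access is governed by the owner/mode of this path */`.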
@@ -0,0 +1,22 @@ +--- src/include/tspps.h.old 2009-09-08 07:39:30.000000000 -0700 ++++ src/include/tspps.h 2010-09-16 08:09:37.980051068 -0700 +@@ -13,13 +13,17 @@ + + #define PASSWD_BUFSIZE 4096 + ++#ifdef SOLARIS ++#define TSS_USER_PS_DIR "/var/user/" ++#else + #define TSS_USER_PS_DIR ".trousers" ++#endif + #define TSS_USER_PS_FILE "user.data" + + TSS_RESULT get_file(int *); + int put_file(int); +-inline TSS_RESULT read_data(int, void *, UINT32); +-inline TSS_RESULT write_data(int, void *, UINT32); ++TSS_RESULT read_data(int, void *, UINT32); ++TSS_RESULT write_data(int, void *, UINT32); + UINT32 psfile_get_num_keys(int); + TSS_RESULT psfile_get_parent_uuid_by_uuid(int, TSS_UUID *, TSS_UUID *); + TSS_RESULT psfile_remove_key_by_uuid(int, TSS_UUID *); diff -r 5b1bfaf90eeb -r 811524a2620b components/trousers/patches/include_tss_tss_defines.h.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/trousers/patches/include_tss_tss_defines.h.patch Sat Oct 20 00:06:08 2012 -0700 @@ -0,0 +1,12 @@ +--- src/include/tss/tss_defines.h.old Tue May 31 07:39:12 2011 ++++ src/include/tss/tss_defines.h Tue May 31 07:39:52 2011 +@@ -1214,6 +1214,9 @@ + #define TSS_UUID_USK5 {0, 0, 0, 0, 0, {0, 0, 0, 0, 0, 9}} // user storage key 5 + #define TSS_UUID_USK6 {0, 0, 0, 0, 0, {0, 0, 0, 0, 0, 10}}// user storage key 6 + ++/* SOLARIS: Migratable Root Key UUID */ ++#define TSS_UUID_MRK {0, 0, 0, 0, 0, {0, 0, 0, 0, 0, 11}} ++ + // macro to derive UUIDs for keys whose "OwnerEvict" key is set. + #define TSS_UUID_OWNEREVICT(i) {0, 0, 0, 0, 0, {0, 0, 0, 0, 1, (i)}} + diff -r 5b1bfaf90eeb -r 811524a2620b components/trousers/patches/man_man5_tcsd.conf.5.in.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/trousers/patches/man_man5_tcsd.conf.5.in.patch Sat Oct 20 00:06:08 2012 -0700 
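Review bot: `TSS_USER_PS_DIR` changes meaning under `SOLARIS`. The existing `".trousers"` is a directory name joined to some other base, while `"/var/user/"` is an absolute prefix with a trailing slash, so code that joins the macro to a home directory would build a different kind of path. The code that consumes the macro is outside this hunk, so confirm it is patched to match; the man page change in this changeset gives the result as `/var/user/$USERNAME/tpm/userps/user.data`. Because the per-user store now sits under a shared parent keyed by user name, the consumer should also be checked for how it creates and verifies ownership of that directory. A comment on the Solaris define would make the difference explicit, for example `/* absolute prefix, not a name under $HOME; the caller appends the user name */`.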
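Review bot: `TSS_UUID_MRK` takes the next value after `TSS_UUID_USK6` in the series this header uses for well-known keys, and it is added unconditionally even though its comment marks it as Solaris-specific. If the upstream header later assigns `{0, 0, 0, 0, 0, {0, 0, 0, 0, 0, 11}}` to a different key, persistent storage written with this value would become ambiguous; whether upstream reserves the value is not visible from this hunk. I would make the local status explicit in the comment, for example `/* SOLARIS local extension (not from the upstream header): Migratable Root Key UUID */`. The added comment uses `/* */` while the neighbouring defines use trailing `//` comments; matching the file's style would keep the block uniform.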
@@ -0,0 +1,29 @@ +--- man/man5/tcsd.conf.5.in 2010-01-28 08:27:51.000000000 -0800 ++++ man/man5/tcsd.conf.5.in 2012-04-12 14:52:28.257160000 -0700 +@@ -32,8 +32,16 @@ + .SH "OPTIONS" + .PP + .BI port +-The port that TCSD will listen on for connections, local and remote, from ++The TCP port that TCSD will listen on for connections, local and remote, from + applications. ++If 0, TCSD uses UNIX Domain socket /var/tpm/tcsd-socket, ++otherwise TCSD uses the TCP port specified ++(30003 is the traditional tcsd TCP port). ++If using a TCP Port (that is, port is not 0), clients such as tpmadm must set ++the port with shell environment variable TSS_TCSD_PORT. For example, ++.nf ++export TSS_TCSD_PORT=30003 ++.fi + + .BI num_threads + The maximum number of threads that the TCSD will spawn simultaneously to service +@@ -106,7 +114,7 @@ + .PP + .IP + .nf +-port = 30003 ++port = 0 + num_threads = 10 + system_ps_file = /usr/local/var/tpm/system.data + firmware_log_file = /proc/tpm/firmware_events diff -r 5b1bfaf90eeb -r 811524a2620b components/trousers/patches/man_man8_tcsd.8.in.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/trousers/patches/man_man8_tcsd.8.in.patch Sat Oct 20 00:06:08 2012 -0700 
@@ -0,0 +1,92 @@ +--- man/man8/tcsd.8.in 2010-01-28 08:27:51.000000000 -0800 ++++ man/man8/tcsd.8.in 2012-04-16 17:46:52.763527000 -0700 +@@ -51,10 +51,11 @@ + There are two types of access control for the \fBtcsd\fR, access to the + daemon's socket itself and access to specific commands internal to the + \fBtcsd\fR. Access to the \fBtcsd\fR's port should be controlled by the system +-administrator using firewall rules. If using iptables, the following rule +-will allow a specific host access to the tcsd: +- +-# iptables -A INPUT -s $IP_ADDRESS -p tcp --destination-port @TCSD_DEFAULT_PORT@ -j ACCEPT ++administrator using firewall rules. ++If port = 0 in /etc/security/tcsd.conf, \fBtcsd\R uses a UNIX Domain socket. ++Otherwise, \fBtcsd\fR uses a TCP port. ++By default the TCP port, when enabled, is accessible only from localhost, ++unless "remote_ops" in tcsd.conf is not empty. + + Access to individual commands internal to the tcsd is configured by the + \fBtcsd\fR configuration file's "remote_ops" directive. Each function call +@@ -74,12 +75,32 @@ + the TCS and stays valid across application lifetimes, \fBtcsd\fR restarts and + system resets. Data registered in system PS stays valid until an application + requests that it be removed. User PS files are by default stored as +-/var/tpm/user.{pid} and the system PS file by default is /var/tpm/system.data. +-The system PS file is initially created when ownership of the TPM is first +-taken. ++/var/user/$USERNAME/tpm/userps/user.data and the system PS file by default is ++/var/tpm/system/system.data. The system PS file is initially created when ++ownership of the TPM is first taken. ++.PP ++\fB/var/tpm/system/system.data\fR ++.ad ++.RS 4n ++Contains the system PS (persistent storage) data controlled by the TCS. By default, ++the SRK key is installed in PS and does not require owner authorization to use. 
If the ++TPM has previously been provisioned and owner-auth is required to load the SRK, ++then the /var/tpm/system/system.data.auth file should be moved to ++/var/tpm/system/system.data before starting the TCS (See NOTES). ++.RE ++.sp ++.PP ++\fB/var/tpm/system/system.data.auth\fR ++.ad ++.RS 4n ++This is the default PS data file to use if the TPM has been previously ++configured to require owner-auth to access the SRK. Copy this file ++to /var/tpm/system/system.data prior to starting the TCS if owner-auth is ++needed, otherwise this file can be ignored. ++.RE + + .SH "CONFIGURATION" +-\fBtcsd\fR configuration is stored by default in /etc/tcsd.conf ++\fBtcsd\fR configuration is stored by default in /etc/security/tcsd.conf + + .SH "DEBUG OUTPUT" + If TrouSerS has been compiled with debugging enabled, the debugging output +@@ -88,8 +109,9 @@ + .SH "DEVICE DRIVERS" + .PP + \fBtcsd\fR is compatible with the IBM Research TPM device driver available +-from http://www.research.ibm.com/gsal/tcpa and the TPM device driver available +-from http://sf.net/projects/tmpdd ++from http://www.research.ibm.com/gsal/tcpa and the TPM device driver for ++Linux available from http://sf.net/projects/tmpdd. It is also compatible ++with the TPM device driver for Solaris which is available in the driver/crypto/tpm package. + + .SH "CONFORMING TO" + .PP +@@ -98,7 +120,23 @@ + + .SH "SEE ALSO" + .PP +-\fBtcsd.conf\fR(5) ++\fBtcsd.conf\fR(5), \fBsvcadm\fR(1M), \fBsmf\fR(5) ++ ++.SH "NOTES" ++.sp ++.LP ++The \fBtcsd\fR service is managed by the service management facility, \fBsmf\fR(5), under ++the service identifier: ++.sp ++.in +2 ++.nf ++svc:/application/security/tcsd:default ++.fi ++.in -2 ++.sp ++.LP ++Administrative actions on this service, such as enabling, disabling, or requesting restart, can be ++performed using \fBsvcadm\fR(1M). The service's status can be queried using the \fBsvcs\fR(1) command. 
+ + .SH "AUTHOR" + Kent Yoder diff -r 5b1bfaf90eeb -r 811524a2620b components/trousers/patches/rpc_ps.c.patch --- a/components/trousers/patches/rpc_ps.c.patch Fri Oct 19 16:06:19 2012 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,54 +0,0 @@ ---- src/tcs/rpc/tcstp/rpc_ps.c.orig 2011-03-23 11:01:54.707428173 -0700 -+++ src/tcs/rpc/tcstp/rpc_ps.c 2011-03-23 11:27:00.753845441 -0700 -@@ -26,6 +26,29 @@ - #include "tcs_utils.h" - #include "rpc_tcstp_tcs.h" - -+#ifdef SOLARIS -+#include -+#include -+ -+static TSS_RESULT -+verify_peer(struct tcsd_thread_data *data) -+{ -+ ucred_t *uc = NULL; -+ if (getpeerucred(data->sock, &uc)) { -+ LogError("Failed to get peer credential (%s)", -+ strerror(errno)); -+ return TCSERR(TSS_E_TSP_AUTHFAIL); -+ } -+ if (ucred_geteuid(uc) != 0) { -+ LogError("Unauthorized attempt to modify a system key", -+ strerror(errno)); -+ ucred_free(uc); -+ return TCSERR(TSS_E_TSP_AUTHFAIL); -+ } -+ ucred_free(uc); -+ return (TSS_SUCCESS); -+} -+#endif - - TSS_RESULT - tcs_wrap_RegisterKey(struct tcsd_thread_data *data) -@@ -38,6 +61,10 @@ - UINT32 cVendorData; - BYTE *gbVendorData; - TSS_RESULT result; -+#ifdef SOLARIS -+ if ( (result = verify_peer(data)) != TSS_SUCCESS) -+ return (result); -+#endif - - if (getData(TCSD_PACKET_TYPE_UINT32, 0, &hContext, 0, &data->comm)) - return TCSERR(TSS_E_INTERNAL_ERROR); -@@ -99,6 +126,10 @@ - TCS_CONTEXT_HANDLE hContext; - TSS_UUID uuid; - TSS_RESULT result; -+#ifdef SOLARIS -+ if ( (result = verify_peer(data)) != TSS_SUCCESS) -+ return (result); -+#endif - - if (getData(TCSD_PACKET_TYPE_UINT32, 0, &hContext, 0, &data->comm)) - return TCSERR(TSS_E_INTERNAL_ERROR); diff -r 5b1bfaf90eeb -r 811524a2620b components/trousers/patches/svrside.c.patch --- a/components/trousers/patches/svrside.c.patch Fri Oct 19 16:06:19 2012 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,118 +0,0 @@ ---- src/tcsd/svrside.c.orig Thu Jan 21 15:18:55 2010 -+++ src/tcsd/svrside.c Thu Jan 28 17:37:07 2010 -@@ -27,6 +27,13 @@ - #include - #include - #include -+#ifdef SOLARIS -+#include -+#endif -+#ifndef HAVE_DAEMON -+#include -+#endif -+ - #include "trousers/tss.h" - #include "trousers_types.h" - #include "tcs_tsp.h" -@@ -207,6 +214,79 @@ - } - - -+#ifdef SOLARIS -+ -+/* -+ * For Solaris, make the tcsd privilege aware and drop -+ * risky privileges if they are not needed. -+ */ -+static int -+drop_privs() -+{ -+ priv_set_t *myprivs; -+ int rv; -+ -+ /* -+ * Drop unneeded privs such as fork/exec. -+ * -+ * Get "basic" privs and remove the ones we don't want. -+ */ -+ if ((myprivs = priv_str_to_set("basic", ",", NULL)) == NULL) { -+ LogError("priv_str_to_set failed: %s", strerror(errno)); -+ return (1); -+ } else { -+ (void) priv_delset(myprivs, PRIV_PROC_EXEC); -+ (void) priv_delset(myprivs, PRIV_PROC_FORK); -+ (void) priv_delset(myprivs, PRIV_FILE_LINK_ANY); -+ (void) priv_delset(myprivs, PRIV_PROC_INFO); -+ (void) priv_delset(myprivs, PRIV_PROC_SESSION); -+ (void) priv_delset(myprivs, PRIV_PROC_SETID); -+ -+ /* for auditing */ -+ (void) priv_addset(myprivs, PRIV_PROC_AUDIT); -+ -+ if ((rv = setppriv(PRIV_SET, PRIV_PERMITTED, myprivs))) -+ return (rv); -+ if ((rv = setppriv(PRIV_SET, PRIV_LIMIT, myprivs))) -+ return (rv); -+ if ((rv = setppriv(PRIV_SET, PRIV_INHERITABLE, myprivs))) -+ return (rv); -+ -+ (void) priv_freeset(myprivs); -+ } -+ return (0); -+} -+#endif /* SOLARIS */ -+ -+#ifndef HAVE_DAEMON -+static int -+daemon(int nochdir, int noclose) { -+ int rv, fd; -+ -+ switch (fork()) { -+ case -1: -+ return (-1); -+ case 0: -+ break; -+ default: -+ exit (0); -+ } -+ -+ if (setsid() == -1) -+ return (-1); -+ if (!nochdir) -+ (void) chdir("/"); -+ if (!noclose && (fd = open("/dev/null", O_RDWR, 0)) != -1) { -+ (void) dup2(fd, STDIN_FILENO); -+ (void) dup2(fd, STDOUT_FILENO); -+ (void) dup2(fd, STDERR_FILENO); -+ if (fd > 2) -+ (void)close (fd); 
-+ } -+ return (0); -+} -+#endif /* !HAVE_DAEMON */ -+ - int - main(int argc, char **argv) - { -@@ -222,6 +302,9 @@ - {"foreground", 0, NULL, 'f'}, - {0, 0, 0, 0} - }; -+#ifdef SOLARIS -+ int rv; -+#endif - - while ((c = getopt_long(argc, argv, "fh", long_options, &option_index)) != -1) { - switch (c) { -@@ -287,6 +372,11 @@ - return -1; - } - } -+#ifdef SOLARIS -+ /* For Solaris, drop privileges for security. */ -+ if ((rv = drop_privs())) -+ return (rv); -+#endif /* SOLARIS */ - - LogInfo("%s: TCSD up and running.", PACKAGE_STRING); - do { diff -r 5b1bfaf90eeb -r 811524a2620b components/trousers/patches/tcs_caps.c.patch --- a/components/trousers/patches/tcs_caps.c.patch Fri Oct 19 16:06:19 2012 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,21 +0,0 @@ ---- src/tcs/tcs_caps.c.old Wed Jun 9 13:20:44 2010 -+++ src/tcs/tcs_caps.c Fri Jul 1 16:26:51 2011 -@@ -149,6 +149,7 @@ - { - TSS_RESULT result; - UINT32 subCap, rv = 0; -+ UINT32 manuf; - - if ((result = get_current_version(&p->version))) - goto err; -@@ -181,8 +182,9 @@ - - UINT32ToArray(TPM_CAP_PROP_MANUFACTURER, (BYTE *)&subCap); - if ((result = get_cap_uint32(TCPA_CAP_PROPERTY, (BYTE *)&subCap, sizeof(UINT32), -- (UINT32 *)&p->manufacturer))) -+ (UINT32 *)&manuf))) - goto err; -+ (void) memcpy(p->manufacturer, &manuf, sizeof (UINT32)); - - result = get_max_auths(&(p->num_auths)); - diff -r 5b1bfaf90eeb -r 811524a2620b components/trousers/patches/tcs_rpc_tcstp_rpc.c.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/trousers/patches/tcs_rpc_tcstp_rpc.c.patch Sat Oct 20 00:06:08 2012 -0700 
@@ -0,0 +1,473 @@ +--- src/tcs/rpc/tcstp/rpc.c.orig Fri Jun 5 12:45:50 2009 ++++ src/tcs/rpc/tcstp/rpc.c Thu Sep 10 13:05:33 2009 +@@ -385,134 +385,134 @@ + typedef struct tdDispatchTable { + TSS_RESULT (*Func) (struct tcsd_thread_data *); + const char *name; ++ UINT32 ordinal; + } DispatchTable; + + DispatchTable tcs_func_table[TCSD_MAX_NUM_ORDS] = { +- {tcs_wrap_Error,"Error"}, /* 0 */ +- {tcs_wrap_OpenContext,"OpenContext"}, +- {tcs_wrap_CloseContext,"CloseContext"}, +- {tcs_wrap_Error,"Error"}, +- {tcs_wrap_TCSGetCapability,"TCSGetCapability"}, +- {tcs_wrap_RegisterKey,"RegisterKey"}, /* 5 */ +- {tcs_wrap_UnregisterKey,"UnregisterKey"}, +- {tcs_wrap_EnumRegisteredKeys,"EnumRegisteredKeys"}, +- {tcs_wrap_Error,"Error"}, +- {tcs_wrap_GetRegisteredKeyBlob,"GetRegisteredKeyBlob"}, +- {tcs_wrap_GetRegisteredKeyByPublicInfo,"GetRegisteredKeyByPublicInfo"}, /* 10 */ +- {tcs_wrap_LoadKeyByBlob,"LoadKeyByBlob"}, +- {tcs_wrap_LoadKeyByUUID,"LoadKeyByUUID"}, +- {tcs_wrap_EvictKey,"EvictKey"}, +- {tcs_wrap_CreateWrapKey,"CreateWrapKey"}, +- {tcs_wrap_GetPubkey,"GetPubkey"}, /* 15 */ +- {tcs_wrap_MakeIdentity,"MakeIdentity"}, +- {tcs_wrap_LogPcrEvent,"LogPcrEvent"}, +- {tcs_wrap_GetPcrEvent,"GetPcrEvent"}, +- {tcs_wrap_GetPcrEventsByPcr,"GetPcrEventsByPcr"}, +- {tcs_wrap_GetPcrEventLog,"GetPcrEventLog"}, /* 20 */ +- {tcs_wrap_SetOwnerInstall,"SetOwnerInstall"}, +- {tcs_wrap_TakeOwnership,"TakeOwnership"}, +- {tcs_wrap_OIAP,"OIAP"}, +- {tcs_wrap_OSAP,"OSAP"}, +- {tcs_wrap_ChangeAuth,"ChangeAuth"}, /* 25 */ +- {tcs_wrap_ChangeAuthOwner,"ChangeAuthOwner"}, +- {tcs_wrap_Error,"Error"}, +- {tcs_wrap_Error,"Error"}, +- {tcs_wrap_TerminateHandle,"TerminateHandle"}, +- {tcs_wrap_ActivateIdentity,"ActivateIdentity"}, /* 30 */ +- {tcs_wrap_Extend,"Extend"}, +- {tcs_wrap_PcrRead,"PcrRead"}, +- {tcs_wrap_Quote,"Quote"}, +- {tcs_wrap_DirWriteAuth,"DirWriteAuth"}, +- {tcs_wrap_DirRead,"DirRead"}, /* 35 */ +- {tcs_wrap_Seal,"Seal"}, +- {tcs_wrap_UnSeal,"UnSeal"}, +- 
{tcs_wrap_UnBind,"UnBind"}, +- {tcs_wrap_CreateMigrationBlob,"CreateMigrationBlob"}, +- {tcs_wrap_ConvertMigrationBlob,"ConvertMigrationBlob"}, /* 40 */ +- {tcs_wrap_AuthorizeMigrationKey,"AuthorizeMigrationKey"}, +- {tcs_wrap_CertifyKey,"CertifyKey"}, +- {tcs_wrap_Sign,"Sign"}, +- {tcs_wrap_GetRandom,"GetRandom"}, +- {tcs_wrap_StirRandom,"StirRandom"}, /* 45 */ +- {tcs_wrap_GetCapability,"GetCapability"}, +- {tcs_wrap_Error,"Error"}, +- {tcs_wrap_GetCapabilityOwner,"GetCapabilityOwner"}, +- {tcs_wrap_CreateEndorsementKeyPair,"CreateEndorsementKeyPair"}, +- {tcs_wrap_ReadPubek,"ReadPubek"}, /* 50 */ +- {tcs_wrap_DisablePubekRead,"DisablePubekRead"}, +- {tcs_wrap_OwnerReadPubek,"OwnerReadPubek"}, +- {tcs_wrap_SelfTestFull,"SelfTestFull"}, +- {tcs_wrap_CertifySelfTest,"CertifySelfTest"}, +- {tcs_wrap_Error,"Error"}, /* 55 */ +- {tcs_wrap_GetTestResult,"GetTestResult"}, +- {tcs_wrap_OwnerSetDisable,"OwnerSetDisable"}, +- {tcs_wrap_OwnerClear,"OwnerClear"}, +- {tcs_wrap_DisableOwnerClear,"DisableOwnerClear"}, +- {tcs_wrap_ForceClear,"ForceClear"}, /* 60 */ +- {tcs_wrap_DisableForceClear,"DisableForceClear"}, +- {tcs_wrap_PhysicalDisable,"PhysicalDisable"}, +- {tcs_wrap_PhysicalEnable,"PhysicalEnable"}, +- {tcs_wrap_PhysicalSetDeactivated,"PhysicalSetDeactivated"}, +- {tcs_wrap_SetTempDeactivated,"SetTempDeactivated"}, /* 65 */ +- {tcs_wrap_PhysicalPresence,"PhysicalPresence"}, +- {tcs_wrap_Error,"Error"}, +- {tcs_wrap_Error,"Error"}, +- {tcs_wrap_CreateMaintenanceArchive,"CreateMaintenanceArchive"}, +- {tcs_wrap_LoadMaintenanceArchive,"LoadMaintenanceArchive"}, /* 70 */ +- {tcs_wrap_KillMaintenanceFeature,"KillMaintenanceFeature"}, +- {tcs_wrap_LoadManuMaintPub,"LoadManuMaintPub"}, +- {tcs_wrap_ReadManuMaintPub,"ReadManuMaintPub"}, +- {tcs_wrap_DaaJoin,"DaaJoin"}, +- {tcs_wrap_DaaSign,"DaaSign"}, /* 75 */ +- {tcs_wrap_SetCapability,"SetCapability"}, +- {tcs_wrap_ResetLockValue,"ResetLockValue"}, +- {tcs_wrap_PcrReset,"PcrReset"}, +- 
{tcs_wrap_ReadCounter,"ReadCounter"}, +- {tcs_wrap_CreateCounter,"CreateCounter"}, /* 80 */ +- {tcs_wrap_IncrementCounter,"IncrementCounter"}, +- {tcs_wrap_ReleaseCounter,"ReleaseCounter"}, +- {tcs_wrap_ReleaseCounterOwner,"ReleaseCounterOwner"}, +- {tcs_wrap_ReadCurrentTicks,"ReadCurrentTicks"}, +- {tcs_wrap_TickStampBlob,"TicksStampBlob"}, /* 85 */ +- {tcs_wrap_GetCredential,"GetCredential"}, +- {tcs_wrap_NV_DefineOrReleaseSpace,"NVDefineOrReleaseSpace"}, +- {tcs_wrap_NV_WriteValue,"NVWriteValue"}, +- {tcs_wrap_NV_WriteValueAuth,"NVWriteValueAuth"}, +- {tcs_wrap_NV_ReadValue,"NVReadValue"}, /* 90 */ +- {tcs_wrap_NV_ReadValueAuth,"NVReadValueAuth"}, +- {tcs_wrap_EstablishTransport,"EstablishTransport"}, +- {tcs_wrap_ExecuteTransport,"ExecuteTransport"}, +- {tcs_wrap_ReleaseTransportSigned,"ReleaseTransportSigned"}, +- {tcs_wrap_SetOrdinalAuditStatus,"SetOrdinalAuditStatus"}, /* 95 */ +- {tcs_wrap_GetAuditDigest,"GetAuditDigest"}, +- {tcs_wrap_GetAuditDigestSigned,"GetAuditDigestSigned"}, +- {tcs_wrap_Sealx,"Sealx"}, +- {tcs_wrap_SetOperatorAuth,"SetOperatorAuth"}, +- {tcs_wrap_OwnerReadInternalPub,"OwnerReadInternalPub"}, /* 100 */ +- {tcs_wrap_EnumRegisteredKeys2,"EnumRegisteredKeys2"}, +- {tcs_wrap_SetTempDeactivated2,"SetTempDeactivated2"}, +- {tcs_wrap_Delegate_Manage,"Delegate_Manage"}, +- {tcs_wrap_Delegate_CreateKeyDelegation,"Delegate_CreateKeyDelegation"}, +- {tcs_wrap_Delegate_CreateOwnerDelegation,"Delegate_CreateOwnerDelegation"}, /* 105 */ +- {tcs_wrap_Delegate_LoadOwnerDelegation,"Delegate_LoadOwnerDelegation"}, +- {tcs_wrap_Delegate_ReadTable,"Delegate_ReadTable"}, +- {tcs_wrap_Delegate_UpdateVerificationCount,"Delegate_UpdateVerificationCount"}, +- {tcs_wrap_Delegate_VerifyDelegation,"Delegate_VerifyDelegation"}, +- {tcs_wrap_CreateRevocableEndorsementKeyPair,"CreateRevocableEndorsementKeyPair"}, /* 110 */ +- {tcs_wrap_RevokeEndorsementKeyPair,"RevokeEndorsementKeyPair"}, +- {tcs_wrap_Error,"Error - was MakeIdentity2"}, +- 
{tcs_wrap_Quote2,"Quote2"}, +- {tcs_wrap_CMK_SetRestrictions,"CMK_SetRestrictions"}, +- {tcs_wrap_CMK_ApproveMA,"CMK_ApproveMA"}, /* 115 */ +- {tcs_wrap_CMK_CreateKey,"CMK_CreateKey"}, +- {tcs_wrap_CMK_CreateTicket,"CMK_CreateTicket"}, +- {tcs_wrap_CMK_CreateBlob,"CMK_CreateBlob"}, +- {tcs_wrap_CMK_ConvertMigration,"CMK_ConvertMigration"}, +- {tcs_wrap_FlushSpecific,"FlushSpecific"}, /* 120 */ +- {tcs_wrap_KeyControlOwner, "KeyControlOwner"}, +- {tcs_wrap_DSAP, "DSAP"} +-}; +- ++ {tcs_wrap_Error,"Error", 0}, /* 0 */ ++ {tcs_wrap_OpenContext,"OpenContext", 0}, ++ {tcs_wrap_CloseContext,"CloseContext", 0}, ++ {tcs_wrap_Error,"Error", 0}, ++ {tcs_wrap_TCSGetCapability,"TCSGetCapability", 0}, ++ {tcs_wrap_RegisterKey,"RegisterKey", 0}, /* 5 */ ++ {tcs_wrap_UnregisterKey,"UnregisterKey", 0}, ++ {tcs_wrap_EnumRegisteredKeys,"EnumRegisteredKeys", 0}, ++ {tcs_wrap_Error,"Error", 0}, ++ {tcs_wrap_GetRegisteredKeyBlob,"GetRegisteredKeyBlob", 0}, ++ {tcs_wrap_GetRegisteredKeyByPublicInfo,"GetRegisteredKeyByPublicInfo", 0}, /* 10 */ ++ {tcs_wrap_LoadKeyByBlob,"LoadKeyByBlob", 0}, ++ {tcs_wrap_LoadKeyByUUID,"LoadKeyByUUID", 0}, ++ {tcs_wrap_EvictKey,"EvictKey", 0}, ++ {tcs_wrap_CreateWrapKey,"CreateWrapKey", 0}, ++ {tcs_wrap_GetPubkey,"GetPubkey", 0}, /* 15 */ ++ {tcs_wrap_MakeIdentity,"MakeIdentity", 0}, ++ {tcs_wrap_LogPcrEvent,"LogPcrEvent", 0}, ++ {tcs_wrap_GetPcrEvent,"GetPcrEvent", 0}, ++ {tcs_wrap_GetPcrEventsByPcr,"GetPcrEventsByPcr", 0}, ++ {tcs_wrap_GetPcrEventLog,"GetPcrEventLog", 0}, /* 20 */ ++ {tcs_wrap_SetOwnerInstall,"SetOwnerInstall", TPM_ORD_SetOwnerInstall}, ++ {tcs_wrap_TakeOwnership,"TakeOwnership", TPM_ORD_TakeOwnership}, ++ {tcs_wrap_OIAP,"OIAP", 0}, ++ {tcs_wrap_OSAP,"OSAP", 0}, ++ {tcs_wrap_ChangeAuth,"ChangeAuth", 0}, /* 25 */ ++ {tcs_wrap_ChangeAuthOwner,"ChangeAuthOwner", 0}, ++ {tcs_wrap_Error,"Error", 0}, ++ {tcs_wrap_Error,"Error", 0}, ++ {tcs_wrap_TerminateHandle,"TerminateHandle", 0}, ++ {tcs_wrap_ActivateIdentity,"ActivateIdentity", 0}, /* 30 
*/ ++ {tcs_wrap_Extend,"Extend", 0}, ++ {tcs_wrap_PcrRead,"PcrRead", 0}, ++ {tcs_wrap_Quote,"Quote", 0}, ++ {tcs_wrap_DirWriteAuth,"DirWriteAuth", 0}, ++ {tcs_wrap_DirRead,"DirRead", 0}, /* 35 */ ++ {tcs_wrap_Seal,"Seal", 0}, ++ {tcs_wrap_UnSeal,"UnSeal", 0}, ++ {tcs_wrap_UnBind,"UnBind", 0}, ++ {tcs_wrap_CreateMigrationBlob,"CreateMigrationBlob", 0}, ++ {tcs_wrap_ConvertMigrationBlob,"ConvertMigrationBlob", 0}, /* 40 */ ++ {tcs_wrap_AuthorizeMigrationKey,"AuthorizeMigrationKey", 0}, ++ {tcs_wrap_CertifyKey,"CertifyKey", 0}, ++ {tcs_wrap_Sign,"Sign", 0}, ++ {tcs_wrap_GetRandom,"GetRandom", 0}, ++ {tcs_wrap_StirRandom,"StirRandom", 0}, /* 45 */ ++ {tcs_wrap_GetCapability,"GetCapability", 0}, ++ {tcs_wrap_Error,"Error", 0}, ++ {tcs_wrap_GetCapabilityOwner,"GetCapabilityOwner", 0}, ++ {tcs_wrap_CreateEndorsementKeyPair,"CreateEndorsementKeyPair", 0}, ++ {tcs_wrap_ReadPubek,"ReadPubek", 0}, /* 50 */ ++ {tcs_wrap_DisablePubekRead,"DisablePubekRead", 0}, ++ {tcs_wrap_OwnerReadPubek,"OwnerReadPubek", 0}, ++ {tcs_wrap_SelfTestFull,"SelfTestFull", TPM_ORD_SelfTestFull}, ++ {tcs_wrap_CertifySelfTest,"CertifySelfTest", TPM_ORD_CertifySelfTest}, ++ {tcs_wrap_Error,"Error", 0}, /* 55 */ ++ {tcs_wrap_GetTestResult,"GetTestResult", 0}, ++ {tcs_wrap_OwnerSetDisable,"OwnerSetDisable", TPM_ORD_OwnerSetDisable}, ++ {tcs_wrap_OwnerClear,"OwnerClear", TPM_ORD_OwnerClear}, ++ {tcs_wrap_DisableOwnerClear,"DisableOwnerClear", TPM_ORD_DisableOwnerClear}, ++ {tcs_wrap_ForceClear,"ForceClear", TPM_ORD_ForceClear}, /* 60 */ ++ {tcs_wrap_DisableForceClear,"DisableForceClear", TPM_ORD_DisableForceClear}, ++ {tcs_wrap_PhysicalDisable,"PhysicalDisable", TPM_ORD_PhysicalDisable}, ++ {tcs_wrap_PhysicalEnable,"PhysicalEnable", TPM_ORD_PhysicalEnable}, ++ {tcs_wrap_PhysicalSetDeactivated,"PhysicalSetDeactivated", TPM_ORD_PhysicalSetDeactivated}, ++ {tcs_wrap_SetTempDeactivated,"SetTempDeactivated", TPM_ORD_SetTempDeactivated}, /* 65 */ ++ {tcs_wrap_PhysicalPresence,"PhysicalPresence", 
TSC_ORD_PhysicalPresence}, ++ {tcs_wrap_Error,"Error", 0}, ++ {tcs_wrap_Error,"Error", 0}, ++ {tcs_wrap_CreateMaintenanceArchive,"CreateMaintenanceArchive", 0}, ++ {tcs_wrap_LoadMaintenanceArchive,"LoadMaintenanceArchive", 0}, /* 70 */ ++ {tcs_wrap_KillMaintenanceFeature,"KillMaintenanceFeature", 0}, ++ {tcs_wrap_LoadManuMaintPub,"LoadManuMaintPub", 0}, ++ {tcs_wrap_ReadManuMaintPub,"ReadManuMaintPub", 0}, ++ {tcs_wrap_DaaJoin,"DaaJoin", 0}, ++ {tcs_wrap_DaaSign,"DaaSign", 0}, /* 75 */ ++ {tcs_wrap_SetCapability,"SetCapability", 0}, ++ {tcs_wrap_ResetLockValue,"ResetLockValue", TPM_ORD_ResetLockValue}, ++ {tcs_wrap_PcrReset,"PcrReset", 0}, ++ {tcs_wrap_ReadCounter,"ReadCounter", 0}, ++ {tcs_wrap_CreateCounter,"CreateCounter", 0}, /* 80 */ ++ {tcs_wrap_IncrementCounter,"IncrementCounter", 0}, ++ {tcs_wrap_ReleaseCounter,"ReleaseCounter", 0}, ++ {tcs_wrap_ReleaseCounterOwner,"ReleaseCounterOwner", 0}, ++ {tcs_wrap_ReadCurrentTicks,"ReadCurrentTicks", 0}, ++ {tcs_wrap_TickStampBlob,"TicksStampBlob", 0}, /* 85 */ ++ {tcs_wrap_GetCredential,"GetCredential", 0}, ++ {tcs_wrap_NV_DefineOrReleaseSpace,"NVDefineOrReleaseSpace", 0}, ++ {tcs_wrap_NV_WriteValue,"NVWriteValue", 0}, ++ {tcs_wrap_NV_WriteValueAuth,"NVWriteValueAuth", 0}, ++ {tcs_wrap_NV_ReadValue,"NVReadValue", 0}, /* 90 */ ++ {tcs_wrap_NV_ReadValueAuth,"NVReadValueAuth", 0}, ++ {tcs_wrap_EstablishTransport,"EstablishTransport", 0}, ++ {tcs_wrap_ExecuteTransport,"ExecuteTransport", 0}, ++ {tcs_wrap_ReleaseTransportSigned,"ReleaseTransportSigned", 0}, ++ {tcs_wrap_SetOrdinalAuditStatus,"SetOrdinalAuditStatus", 0}, /* 95 */ ++ {tcs_wrap_GetAuditDigest,"GetAuditDigest", 0}, ++ {tcs_wrap_GetAuditDigestSigned,"GetAuditDigestSigned", 0}, ++ {tcs_wrap_Sealx,"Sealx", 0}, ++ {tcs_wrap_SetOperatorAuth,"SetOperatorAuth", TPM_ORD_SetOperatorAuth}, ++ {tcs_wrap_OwnerReadInternalPub,"OwnerReadInternalPub", 0}, /* 100 */ ++ {tcs_wrap_EnumRegisteredKeys2,"EnumRegisteredKeys2", 0}, ++ 
{tcs_wrap_SetTempDeactivated2,"SetTempDeactivated2", 0}, ++ {tcs_wrap_Delegate_Manage,"Delegate_Manage", 0}, ++ {tcs_wrap_Delegate_CreateKeyDelegation,"Delegate_CreateKeyDelegation", 0}, ++ {tcs_wrap_Delegate_CreateOwnerDelegation,"Delegate_CreateOwnerDelegation", 0}, /* 105 */ ++ {tcs_wrap_Delegate_LoadOwnerDelegation,"Delegate_LoadOwnerDelegation", 0}, ++ {tcs_wrap_Delegate_ReadTable,"Delegate_ReadTable", 0}, ++ {tcs_wrap_Delegate_UpdateVerificationCount,"Delegate_UpdateVerificationCount", 0}, ++ {tcs_wrap_Delegate_VerifyDelegation,"Delegate_VerifyDelegation", 0}, ++ {tcs_wrap_CreateRevocableEndorsementKeyPair,"CreateRevocableEndorsementKeyPair", 0}, /* 110 */ ++ {tcs_wrap_RevokeEndorsementKeyPair,"RevokeEndorsementKeyPair", 0}, ++ {tcs_wrap_Error,"Error - was MakeIdentity2", 0}, ++ {tcs_wrap_Quote2,"Quote2", 0}, ++ {tcs_wrap_CMK_SetRestrictions,"CMK_SetRestrictions", 0}, ++ {tcs_wrap_CMK_ApproveMA,"CMK_ApproveMA", 0}, /* 115 */ ++ {tcs_wrap_CMK_CreateKey,"CMK_CreateKey", 0}, ++ {tcs_wrap_CMK_CreateTicket,"CMK_CreateTicket", 0}, ++ {tcs_wrap_CMK_CreateBlob,"CMK_CreateBlob", 0}, ++ {tcs_wrap_CMK_ConvertMigration,"CMK_ConvertMigration", 0}, ++ {tcs_wrap_FlushSpecific,"FlushSpecific", 0}, /* 120 */ ++ {tcs_wrap_KeyControlOwner, "KeyControlOwner", 0}, ++ {tcs_wrap_DSAP, "DSAP", 0} ++ }; + int + access_control(struct tcsd_thread_data *thread_data) + { +@@ -562,11 +562,190 @@ + return 1; + } + ++#if defined (SOLARIS) ++ ++#include ++#include ++#include ++ ++static void ++audit_tpm(UINT32 cmd, struct tcsd_thread_data *data) ++{ ++ adt_session_data_t *ah = NULL; ++ adt_event_data_t *event = NULL; ++ ucred_t *uc = NULL; ++ int adterr, msgid; ++ int adtstatus = ADT_FAILURE; ++ ++ if (getpeerucred(data->sock, &uc)) { ++ LogError("Audit Failed - getpeerucred failed (%s)", ++ strerror(errno)); ++ return; ++ } ++ if (adt_start_session(&ah, NULL, ADT_USE_PROC_DATA) != 0) { ++ LogError("Audit Failed - adt_start_session failed (%s)", ++ strerror(errno)); ++ goto end; ++ } ++ ++ 
if (adt_set_from_ucred(ah, uc, ADT_NEW) != 0) { ++ LogError("Audit Failed - adt_set_from_ucred failed (%s)", ++ strerror(errno)); ++ goto end; ++ } ++ ++ /* ++ * NOTE: It is important that the ordering of the ++ * error message definitions in the adt.xml IDL from the ++ * libbsm library source matches the numerical ordering of ++ * the TPM_E_* error codes in /usr/include/tss/tpm_error.h ++ */ ++ if (data->comm.hdr.u.result == TSS_SUCCESS) { ++ adtstatus = ADT_SUCCESS; ++ adterr = ADT_SUCCESS; ++ /* ++ * Use literal value here until the ++ * build system is updated with latest adt_event.h ++ * 4102 = ADT_TPM_E_NO_MSG (build 123). ++ * Change this later. ++ */ ++ msgid = 4102; ++ } else if (data->comm.hdr.u.result & TPM_E_NON_FATAL) { ++ /* ++ * NON_FATAL TPM errors are masked (0x800) so they are not in numerical ++ * sequence with the rest of the TPM errors. ++ */ ++ msgid = ADT_TPM_E_RETRY + ++ (data->comm.hdr.u.result - TPM_E_RETRY); ++ adterr = ADT_FAIL_VALUE_PROGRAM; ++ } else { ++ msgid = ADT_TPM_E_AUTHFAIL + ++ (data->comm.hdr.u.result - TPM_E_AUTHFAIL); ++ adterr = ADT_FAIL_VALUE_PROGRAM; ++ } ++ switch(cmd) { ++ case TPM_ORD_CertifySelfTest: ++ event = adt_alloc_event(ah, ADT_tpm_certifyselftest); ++ if (event != NULL) ++ event->adt_tpm_certifyselftest.message = msgid; ++ break; ++ case TPM_ORD_OwnerClear: ++ event = adt_alloc_event(ah, ADT_tpm_ownerclear); ++ if (event != NULL) ++ event->adt_tpm_ownerclear.message = msgid; ++ break; ++ case TPM_ORD_ContinueSelfTest: ++ event = adt_alloc_event(ah, ADT_tpm_continueselftest); ++ if (event != NULL) ++ event->adt_tpm_continueselftest.message = msgid; ++ break; ++ case TPM_ORD_DisableForceClear: ++ event = adt_alloc_event(ah, ADT_tpm_disableforceclear); ++ if (event != NULL) ++ event->adt_tpm_disableforceclear.message = msgid; ++ break; ++ case TPM_ORD_DisableOwnerClear: ++ event = adt_alloc_event(ah, ADT_tpm_disableownerclear); ++ if (event != NULL) ++ event->adt_tpm_disableownerclear.message = msgid; ++ break; 
++ case TPM_ORD_FieldUpgrade: ++ event = adt_alloc_event(ah, ADT_tpm_fieldupgrade); ++ if (event != NULL) ++ event->adt_tpm_fieldupgrade.message = msgid; ++ break; ++ case TPM_ORD_ForceClear: ++ event = adt_alloc_event(ah, ADT_tpm_forceclear); ++ if (event != NULL) ++ event->adt_tpm_forceclear.message = msgid; ++ break; ++ case TPM_ORD_OwnerSetDisable: ++ event = adt_alloc_event(ah, ADT_tpm_ownersetdisable); ++ if (event != NULL) ++ event->adt_tpm_ownersetdisable.message = msgid; ++ break; ++ case TPM_ORD_PhysicalEnable: ++ event = adt_alloc_event(ah, ADT_tpm_physicalenable); ++ if (event != NULL) ++ event->adt_tpm_physicalenable.message = msgid; ++ break; ++ case TPM_ORD_PhysicalDisable: ++ event = adt_alloc_event(ah, ADT_tpm_physicaldisable); ++ if (event != NULL) ++ event->adt_tpm_physicaldisable.message = msgid; ++ break; ++ case TPM_ORD_PhysicalSetDeactivated: ++ event = adt_alloc_event(ah, ADT_tpm_physicaldeactivate); ++ if (event != NULL) ++ event->adt_tpm_physicaldeactivate.message = msgid; ++ break; ++ case TSC_ORD_PhysicalPresence: ++ event = adt_alloc_event(ah, ADT_tpm_physicalpresence); ++ if (event != NULL) ++ event->adt_tpm_physicalpresence.message = msgid; ++ break; ++ case TPM_ORD_ResetLockValue: ++ event = adt_alloc_event(ah, ADT_tpm_resetlockvalue); ++ if (event != NULL) ++ event->adt_tpm_resetlockvalue.message = msgid; ++ break; ++ case TPM_ORD_SelfTestFull: ++ event = adt_alloc_event(ah, ADT_tpm_selftestfull); ++ if (event != NULL) ++ event->adt_tpm_selftestfull.message = msgid; ++ break; ++ case TPM_ORD_SetOperatorAuth: ++ event = adt_alloc_event(ah, ADT_tpm_setoperatorauth); ++ if (event != NULL) ++ event->adt_tpm_setoperatorauth.message = msgid; ++ break; ++ case TPM_ORD_SetOwnerInstall: ++ event = adt_alloc_event(ah, ADT_tpm_setownerinstall); ++ if (event != NULL) ++ event->adt_tpm_setownerinstall.message = msgid; ++ break; ++ case TPM_ORD_SetTempDeactivated: ++ event = adt_alloc_event(ah, ADT_tpm_settempdeactivated); ++ if (event != NULL) 
++ event->adt_tpm_settempdeactivated.message = msgid; ++ break; ++ case TPM_ORD_TakeOwnership: ++ event = adt_alloc_event(ah, ADT_tpm_takeownership); ++ if (event != NULL) ++ event->adt_tpm_takeownership.message = msgid; ++ break; ++ default: ++ /* command not audited */ ++ goto end; ++ } ++ if (event == NULL) { ++ LogError("Audit Failed - Failed to allocate event (%s)", ++ strerror(errno)); ++ goto end; ++ } ++ ++ if (adt_put_event(event, adtstatus, adterr)) { ++ LogError("Audit Failed - Failed to put audit event (%s)", ++ strerror(errno)); ++ } ++ ++end: ++ ucred_free(uc); ++ adt_free_event(event); ++ (void) adt_end_session(ah); ++ ++ return; ++} ++#endif /* SOLARIS */ ++ + TSS_RESULT + dispatchCommand(struct tcsd_thread_data *data) + { + UINT64 offset; + TSS_RESULT result; ++#if defined (SOLARIS) ++ UINT32 cmd; ++#endif + + /* First, check the ordinal bounds */ + if (data->comm.hdr.u.ordinal >= TCSD_MAX_NUM_ORDS) { +@@ -596,6 +775,9 @@ + } + + /* Now, dispatch */ ++#if defined (SOLARIS) ++ cmd = tcs_func_table[data->comm.hdr.u.ordinal].ordinal; ++#endif + if ((result = tcs_func_table[data->comm.hdr.u.ordinal].Func(data)) == TSS_SUCCESS) { + /* set the comm buffer */ + offset = 0; +@@ -607,6 +789,9 @@ + LoadBlob_UINT32(&offset, data->comm.hdr.parm_size, data->comm.buf); + LoadBlob_UINT32(&offset, data->comm.hdr.parm_offset, data->comm.buf); + } ++#if defined (SOLARIS) ++ audit_tpm(cmd, data); ++#endif + + return result; + diff -r 5b1bfaf90eeb -r 811524a2620b components/trousers/patches/tcs_rpc_tcstp_rpc_ps.c.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/trousers/patches/tcs_rpc_tcstp_rpc_ps.c.patch Sat Oct 20 00:06:08 2012 -0700 
@@ -0,0 +1,54 @@
+--- src/tcs/rpc/tcstp/rpc_ps.c.orig 2011-03-23 11:01:54.707428173 -0700
++++ src/tcs/rpc/tcstp/rpc_ps.c 2011-03-23 11:27:00.753845441 -0700
+@@ -26,6 +26,29 @@
+ #include "tcs_utils.h"
+ #include "rpc_tcstp_tcs.h"
+
++#ifdef SOLARIS
++#include
++#include
++
++static TSS_RESULT
++verify_peer(struct tcsd_thread_data *data)
++{
++ ucred_t *uc = NULL;
++ if (getpeerucred(data->sock, &uc)) {
++ LogError("Failed to get peer credential (%s)",
++ strerror(errno));
++ return TCSERR(TSS_E_TSP_AUTHFAIL);
++ }
++ if (ucred_geteuid(uc) != 0) {
++ LogError("Unauthorized attempt to modify a system key",
++ strerror(errno));
++ ucred_free(uc);
++ return TCSERR(TSS_E_TSP_AUTHFAIL);
++ }
++ ucred_free(uc);
++ return (TSS_SUCCESS);
++}
++#endif
+
+ TSS_RESULT
+ tcs_wrap_RegisterKey(struct tcsd_thread_data *data)
+@@ -38,6 +61,10 @@
+ UINT32 cVendorData;
+ BYTE *gbVendorData;
+ TSS_RESULT result;
++#ifdef SOLARIS
++ if ( (result = verify_peer(data)) != TSS_SUCCESS)
++ return (result);
++#endif
+
+ if (getData(TCSD_PACKET_TYPE_UINT32, 0, &hContext, 0, &data->comm))
+ return TCSERR(TSS_E_INTERNAL_ERROR);
+@@ -99,6 +126,10 @@
+ TCS_CONTEXT_HANDLE hContext;
+ TSS_UUID uuid;
+ TSS_RESULT result;
++#ifdef SOLARIS
++ if ( (result = verify_peer(data)) != TSS_SUCCESS)
++ return (result);
++#endif
+
+ if (getData(TCSD_PACKET_TYPE_UINT32, 0, &hContext, 0, &data->comm))
+ return TCSERR(TSS_E_INTERNAL_ERROR);
diff -r 5b1bfaf90eeb -r 811524a2620b components/trousers/patches/tcs_tcs_caps.c.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/trousers/patches/tcs_tcs_caps.c.patch Sat Oct 20 00:06:08 2012 -0700
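Review bot: In `verify_peer()` the denial branch calls `LogError("Unauthorized attempt to modify a system key", strerror(errno))`, which hands `strerror(errno)` to a format string with no conversion, so the argument is never printed and says nothing about the refused caller. For an authorization failure the useful detail is who was refused; the line could become `LogError("Unauthorized attempt to modify a system key (euid %ld)", (long)ucred_geteuid(uc));`, placed before `ucred_free(uc)` as it is now. A short comment above `verify_peer()` stating that only a peer with effective uid 0 passes, and that the check is compiled only under `SOLARIS` so other platforms keep their previous behaviour, would document the policy for the next maintainer. The bodies of `tcs_wrap_RegisterKey` and of the function patched at the inner hunk `@@ -99,6 +126,10 @@` continue outside the lines shown.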
@@ -0,0 +1,21 @@
+--- src/tcs/tcs_caps.c.old Wed Jun 9 13:20:44 2010
++++ src/tcs/tcs_caps.c Fri Jul 1 16:26:51 2011
+@@ -149,6 +149,7 @@
+ {
+ TSS_RESULT result;
+ UINT32 subCap, rv = 0;
++ UINT32 manuf;
+
+ if ((result = get_current_version(&p->version)))
+ goto err;
+@@ -181,8 +182,9 @@
+
+ UINT32ToArray(TPM_CAP_PROP_MANUFACTURER, (BYTE *)&subCap);
+ if ((result = get_cap_uint32(TCPA_CAP_PROPERTY, (BYTE *)&subCap, sizeof(UINT32),
+- (UINT32 *)&p->manufacturer)))
++ (UINT32 *)&manuf)))
+ goto err;
++ (void) memcpy(p->manufacturer, &manuf, sizeof (UINT32));
+
+ result = get_max_auths(&(p->num_auths));
+
diff -r 5b1bfaf90eeb -r 811524a2620b components/trousers/patches/tcsd.8.in.patch
--- a/components/trousers/patches/tcsd.8.in.patch Fri Oct 19 16:06:19 2012 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
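Review bot: The added `memcpy(p->manufacturer, &manuf, sizeof (UINT32))` sizes the copy by a type name rather than by either object, and the declaration of `p->manufacturer` is not visible in this hunk, so nothing here shows that the destination holds at least four bytes. Writing the length as `sizeof (manuf)` and checking that `sizeof (p->manufacturer) >= sizeof (manuf)` would tie the copy to the objects involved. A one-line comment such as `/* copy through a local: p->manufacturer may not be UINT32-aligned */` would record why the direct cast was dropped; alignment is presumably the reason, but the patch does not say so. The enclosing function starts and ends outside the hunk.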
@@ -1,76 +0,0 @@ ---- man/man8/tcsd.8.in 2009-09-08 07:39:30.000000000 -0700 -+++ man/man8/tcsd.8.in.new 2010-09-16 08:13:25.613336616 -0700 -@@ -74,12 +74,32 @@ - the TCS and stays valid across application lifetimes, \fBtcsd\fR restarts and - system resets. Data registered in system PS stays valid until an application - requests that it be removed. User PS files are by default stored as --/var/tpm/user.{pid} and the system PS file by default is /var/tpm/system.data. --The system PS file is initially created when ownership of the TPM is first --taken. -+/var/user/$USERNAME/tpm/userps/user.data and the system PS file by default is -+/var/tpm/system/system.data. The system PS file is initially created when -+ownership of the TPM is first taken. -+.PP -+\fB/var/tpm/system/system.data\fR -+.ad -+.RS 4n -+Contains the system PS (persistent storage) data controlled by the TCS. By default, -+the SRK key is installed in PS and does not require owner authorization to use. If the -+TPM has previously been provisioned and owner-auth is required to load the SRK, -+then the /var/tpm/system/system.data.auth file should be moved to -+/var/tpm/system/system.data before starting the TCS (See NOTES). -+.RE -+.sp -+.PP -+\fB/var/tpm/system/system.data.auth\fR -+.ad -+.RS 4n -+This is the default PS data file to use if the TPM has been previously -+configured to require owner-auth to access the SRK. Copy this file -+to /var/tpm/system/system.data prior to starting the TCS if owner-auth is -+needed, otherwise this file can be ignored. 
-+.RE - - .SH "CONFIGURATION" --\fBtcsd\fR configuration is stored by default in /etc/tcsd.conf -+\fBtcsd\fR configuration is stored by default in /etc/security/tcsd.conf - - .SH "DEBUG OUTPUT" - If TrouSerS has been compiled with debugging enabled, the debugging output -@@ -88,8 +108,9 @@ - .SH "DEVICE DRIVERS" - .PP - \fBtcsd\fR is compatible with the IBM Research TPM device driver available --from http://www.research.ibm.com/gsal/tcpa and the TPM device driver available --from http://sf.net/projects/tmpdd -+from http://www.research.ibm.com/gsal/tcpa and the TPM device driver for -+Linux available from http://sf.net/projects/tmpdd. It is also compatible -+with the TPM device driver for Solaris which is available in the driver/crypto/tpm package. - - .SH "CONFORMING TO" - .PP -@@ -98,7 +119,23 @@ - - .SH "SEE ALSO" - .PP --\fBtcsd.conf\fR(5) -+\fBtcsd.conf\fR(5), \fBsvcadm\fR(1M), \fBsmf\fR(5) -+ -+.SH "NOTES" -+.sp -+.LP -+The \fBtcsd\fR service is managed by the service management facility, \fBsmf\fR(5), under -+the service identifier: -+.sp -+.in +2 -+.nf -+svc:/application/security/tcsd:default -+.fi -+.in -2 -+.sp -+.LP -+Administrative actions on this service, such as enabling, disabling, or requesting restart, can be -+performed using \fBsvcadm\fR(1M). The service's status can be queried using the \fBsvcs\fR(1) command. - - .SH "AUTHOR" - Kent Yoder diff -r 5b1bfaf90eeb -r 811524a2620b components/trousers/patches/tcsd.conf.in.patch --- a/components/trousers/patches/tcsd.conf.in.patch Fri Oct 19 16:06:19 2012 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,11 +0,0 @@
---- dist/tcsd.conf.in.old Thu Apr 7 07:53:52 2011
-+++ dist/tcsd.conf.in Thu Apr 7 07:55:18 2011
-@@ -54,7 +54,7 @@
- # Description: A list of PCR indices that are manipulated only by the system
- # firmware and therefore are not extended or logged by the TCSD.
- #
--# firmware_pcrs =
-+firmware_pcrs =0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
- #
-
- # Option: kernel_pcrs
diff -r 5b1bfaf90eeb -r 811524a2620b components/trousers/patches/tcsd.h.patch
--- a/components/trousers/patches/tcsd.h.patch Fri Oct 19 16:06:19 2012 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,28 +0,0 @@
-*** src/include/tcsd.h.old Fri Dec 5 07:47:11 2008
---- src/include/tcsd.h Fri Dec 5 07:48:44 2008
-***************
-*** 48,61 ****
---- 48,70 ----
- of this TCS System */
- };
-
-+ #ifdef SOLARIS
-+ #define TCSD_CONFIG_FILE "/etc/security/tcsd.conf"
-+ #else
- #define TCSD_CONFIG_FILE ETC_PREFIX "/tcsd.conf"
-+ #endif
-
- #define TSS_USER_NAME "tss"
- #define TSS_GROUP_NAME "tss"
-
- #define TCSD_DEFAULT_MAX_THREADS 10
-+ #ifdef SOLARIS
-+ #define TCSD_DEFAULT_SYSTEM_PS_FILE "/var/tpm/system/system.data"
-+ #define TCSD_DEFAULT_SYSTEM_PS_DIR "/var/tpm/system"
-+ #else
- #define TCSD_DEFAULT_SYSTEM_PS_FILE VAR_PREFIX "/lib/tpm/system.data"
- #define TCSD_DEFAULT_SYSTEM_PS_DIR VAR_PREFIX "/lib/tpm"
-+ #endif /* SOLARIS */
- #define TCSD_DEFAULT_FIRMWARE_LOG_FILE "/sys/kernel/security/tpm0/binary_bios_measurements"
- #define TCSD_DEFAULT_KERNEL_LOG_FILE "/sys/kernel/security/ima/binary_runtime_measurements"
- #define TCSD_DEFAULT_FIRMWARE_PCRS 0x00000000
diff -r 5b1bfaf90eeb -r 811524a2620b components/trousers/patches/tcsd_Makefile.in.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/trousers/patches/tcsd_Makefile.in.patch Sat Oct 20 00:06:08 2012 -0700
@@ -0,0 +1,30 @@
+--- src/tcsd/Makefile.in.old Thu Jan 28 13:56:46 2010
++++ src/tcsd/Makefile.in Wed Mar 3 16:35:23 2010
+@@ -47,7 +47,7 @@
+ mkinstalldirs = $(install_sh) -d
+ CONFIG_CLEAN_FILES =
+ CONFIG_CLEAN_VPATH_FILES =
+-am__installdirs = "$(DESTDIR)$(sbindir)"
++am__installdirs = "$(DESTDIR)$(libdir)"
+ PROGRAMS = $(sbin_PROGRAMS)
+ am_tcsd_OBJECTS = tcsd-svrside.$(OBJEXT) tcsd-tcsd_conf.$(OBJEXT) \
+ tcsd-tcsd_threads.$(OBJEXT) tcsd-platform.$(OBJEXT)
+@@ -185,7 +185,7 @@
+ prefix = @prefix@
+ program_transform_name = @program_transform_name@
+ psdir = @psdir@
+-sbindir = @sbindir@
++sbindir = @libdir@
+ sharedstatedir = @sharedstatedir@
+ srcdir = @srcdir@
+ sysconfdir = @sysconfdir@
+@@ -200,7 +200,8 @@
+ tcsd_CFLAGS = -DAPPID=\"TCSD\" -DVAR_PREFIX=\"@localstatedir@\" \
+ -DETC_PREFIX=\"@sysconfdir@\" -I${top_srcdir}/src/include \
+ $(am__append_1) $(am__append_2)
+-tcsd_LDADD = ${top_builddir}/src/tcs/libtcs.a ${top_builddir}/src/tddl/libtddl.a -lpthread @CRYPTOLIB@
++tcsd_LDADD = ${top_builddir}/src/tcs/libtcs.a ${top_builddir}/src/tddl/libtddl.a \
++ -lpthread -lbsm -lscf -lresolv @CRYPTOLIB@
+ tcsd_SOURCES = svrside.c tcsd_conf.c tcsd_threads.c platform.c
+ all: all-am
+
diff -r 5b1bfaf90eeb -r 811524a2620b components/trousers/patches/tcsd_svrside.c.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/trousers/patches/tcsd_svrside.c.patch Sat Oct 20 00:06:08 2012 -0700
@@ -0,0 +1,337 @@ +--- src/tcsd/svrside.c 2010-06-09 13:19:00.000000000 -0700 ++++ src/tcsd/svrside.c 2012-04-19 11:27:31.232524632 -0700 +@@ -27,6 +27,15 @@ + #include + #include + #include ++#ifdef SOLARIS ++#include ++#include ++#endif ++#ifndef HAVE_DAEMON ++#include ++#include ++#endif ++ + #include "trousers/tss.h" + #include "trousers_types.h" + #include "tcs_tsp.h" +@@ -44,6 +53,10 @@ + static volatile int hup = 0, term = 0; + extern char *optarg; + ++#ifdef SOLARIS ++static int get_event_log_from_kernel(void); ++#endif ++ + static void + tcsd_shutdown(void) + { +@@ -170,6 +183,10 @@ + (void)req_mgr_final(); + return result; + } ++#ifdef SOLARIS ++ /* Not fatal if this fails */ ++ (void) get_event_log_from_kernel(); ++#endif + + result = owner_evict_init(); + if (result != TSS_SUCCESS) { +@@ -208,13 +225,169 @@ + } + + ++#ifdef SOLARIS ++ ++extern int get_device_fd(void); ++ ++#define TPM_IOCTL_GETEVTABLE 1 ++struct tpm_evtable_ioblk { ++ uint32_t buflen; ++ caddr_t buf; ++}; ++ ++static int ++store_eventlog(char *filename, struct tpm_evtable_ioblk *evlog) ++{ ++ int fd; ++ int bytes = 0; ++ ++ fd = open(filename, O_WRONLY | O_TRUNC | O_CREAT, 0600); ++ if (fd == -1) { ++ LogError("Error opening logfile %s: %s", filename, ++ strerror(errno)); ++ return (-1); ++ } ++ while (bytes < evlog->buflen) { ++ int n; ++ n = write(fd, evlog->buf, evlog->buflen - bytes); ++ if (n == -1 && errno != EAGAIN) { ++ LogError("Error writing logfile %s: %s", ++ filename, strerror(errno)); ++ close(fd); ++ return (-1); ++ } ++ if (n != -1) ++ bytes += n; ++ } ++ close(fd); ++ ++ return (0); ++} ++ ++static int ++get_event_log_from_kernel(void) ++{ ++ int fd = get_device_fd(); ++ struct tpm_evtable_ioblk ioblk; ++ ++ if (fd == -1) ++ return (-1); ++ ++ (void) memset(&ioblk, 0, sizeof (ioblk)); ++ if (ioctl(fd, TPM_IOCTL_GETEVTABLE, &ioblk)) { ++ LogDebug("Cannot get event log from kernel: %s", ++ strerror(errno)); ++ return (-1); ++ } ++ if (ioblk.buflen == 0) ++ return (0); ++ 
++ ioblk.buf = calloc(1, ioblk.buflen); ++ if (ioblk.buf == NULL) { ++ return (-1); ++ } ++ if (ioctl(fd, TPM_IOCTL_GETEVTABLE, &ioblk)) { ++ free(ioblk.buf); ++ LogDebug("Cannot get event log from kernel: %s", ++ strerror(errno)); ++ return (-1); ++ } ++ ++ return (store_eventlog(tcsd_options.firmware_log_file, &ioblk)); ++} ++ ++/* ++ * For Solaris, make the tcsd privilege aware and drop ++ * risky privileges if they are not needed. ++ */ ++static int ++drop_privs(void) ++{ ++ priv_set_t *myprivs; ++ int rv; ++ ++ /* ++ * Drop unneeded privs such as fork/exec. ++ * ++ * Get "basic" privs and remove the ones we don't want. ++ */ ++ if ((myprivs = priv_str_to_set("basic", ",", NULL)) == NULL) { ++ LogError("priv_str_to_set failed: %s", strerror(errno)); ++ return (1); ++ } else { ++ (void) priv_delset(myprivs, PRIV_PROC_EXEC); ++ (void) priv_delset(myprivs, PRIV_PROC_FORK); ++ (void) priv_delset(myprivs, PRIV_FILE_LINK_ANY); ++ (void) priv_delset(myprivs, PRIV_PROC_INFO); ++ (void) priv_delset(myprivs, PRIV_PROC_SESSION); ++ (void) priv_delset(myprivs, PRIV_PROC_SETID); ++ ++ /* for auditing */ ++ (void) priv_addset(myprivs, PRIV_PROC_AUDIT); ++ ++ if ((rv = setppriv(PRIV_SET, PRIV_PERMITTED, myprivs))) ++ return (rv); ++ if ((rv = setppriv(PRIV_SET, PRIV_LIMIT, myprivs))) ++ return (rv); ++ if ((rv = setppriv(PRIV_SET, PRIV_INHERITABLE, myprivs))) ++ return (rv); ++ ++ (void) priv_freeset(myprivs); ++ } ++ return (0); ++} ++#endif /* SOLARIS */ ++ ++#ifndef HAVE_DAEMON ++static int ++daemon(int nochdir, int noclose) { ++ int rv, fd; ++ ++ if (!noclose) { ++ closelog(); ++ closefrom(0); ++ } ++ ++ switch (fork()) { ++ case -1: /* failure: parent process */ ++ return (-1); ++ case 0: /* success: child process */ ++ break; ++ default: /* success: parent process */ ++ exit (0); ++ } ++ ++ /* Create a new SID for the child process */ ++ if (setsid() == -1) ++ return (-1); ++ /* Prevent cwd from being left open and unremovable */ ++ if (!nochdir) ++ (void) chdir("/"); 
++ (void) umask(0); ++ /* Redirect stdin, stdout, and stderr to /dev/null */ ++ if (!noclose && (fd = open("/dev/null", O_RDWR, 0)) != -1) { ++ (void) dup2(fd, STDIN_FILENO); ++ (void) dup2(fd, STDOUT_FILENO); ++ (void) dup2(fd, STDERR_FILENO); ++ if (fd > 2) ++ (void)close (fd); ++ } ++ return (0); ++} ++#endif /* !HAVE_DAEMON */ ++ + int + main(int argc, char **argv) + { +- struct sockaddr_in serv_addr, client_addr; ++ typedef union { ++ struct sockaddr_in in; ++ struct sockaddr_un un; ++ } sockaddr_un_in_t; ++ sockaddr_un_in_t serv_addr, client_addr; ++ int rv; + TSS_RESULT result; + int sd, newsd, c, option_index = 0; +- unsigned client_len; ++ unsigned client_len, serv_len; + char *hostname = NULL; + struct passwd *pwd; + struct hostent *client_hostent = NULL; +@@ -245,26 +418,50 @@ + if ((result = tcsd_startup())) + return (int)result; + +- sd = socket(AF_INET, SOCK_STREAM, 0); +- if (sd < 0) { +- LogError("Failed socket: %s", strerror(errno)); +- return -1; +- } ++ if (tcsd_options.port == 0) { /* UNIX Domain socket */ ++ /* Use UNIX Domain socket instead of TCP/IP socket */ ++ sd = socket(AF_UNIX, SOCK_STREAM, 0); ++ if (sd < 0) { ++ LogError("Failed socket: %s", strerror(errno)); ++ return -1; ++ } ++ ++ memset(&serv_addr, 0, sizeof (serv_addr)); ++ serv_addr.un.sun_family = AF_UNIX; ++ strncpy(serv_addr.un.sun_path, TCSD_DEFAULT_SOCKET, ++ sizeof (serv_addr.un.sun_path)); ++ (void) unlink(TCSD_DEFAULT_SOCKET); ++ ++ } else { /* TCP socket */ ++ sd = socket(AF_INET, SOCK_STREAM, 0); ++ if (sd < 0) { ++ LogError("Failed socket: %s", strerror(errno)); ++ return -1; ++ } + +- memset(&serv_addr, 0, sizeof (serv_addr)); +- serv_addr.sin_family = AF_INET; +- serv_addr.sin_port = htons(tcsd_options.port); +- +- /* If no remote_ops are defined, restrict connections to localhost +- * only at the socket. 
*/ +- if (tcsd_options.remote_ops[0] == 0) +- serv_addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); +- else +- serv_addr.sin_addr.s_addr = htonl(INADDR_ANY); +- +- c = 1; +- setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, &c, sizeof(c)); +- if (bind(sd, (struct sockaddr *) &serv_addr, sizeof (serv_addr)) < 0) { ++ memset(&serv_addr, 0, sizeof (serv_addr)); ++ serv_addr.in.sin_family = AF_INET; ++ serv_addr.in.sin_port = htons(tcsd_options.port); ++ ++ /* If no remote_ops are defined, restrict connections to localhost ++ * only at the socket. */ ++ if (tcsd_options.remote_ops[0] == 0) ++ serv_addr.in.sin_addr.s_addr = htonl(INADDR_LOOPBACK); ++ else ++ serv_addr.in.sin_addr.s_addr = htonl(INADDR_ANY); ++ ++ c = 1; ++ setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, &c, sizeof(c)); ++ } ++ ++ if (tcsd_options.port == 0) { /* UNIX Domain socket */ ++ serv_len = (unsigned)sizeof(serv_addr.un); ++ client_len = (unsigned)sizeof(client_addr.un); ++ } else { /* TCP socket */ ++ serv_len = (unsigned)sizeof(serv_addr.in); ++ client_len = (unsigned)sizeof(client_addr.in); ++ } ++ if (bind(sd, (struct sockaddr *) &serv_addr, serv_len) < 0) { + LogError("Failed bind: %s", strerror(errno)); + return -1; + } +@@ -285,7 +482,6 @@ + LogError("Failed listen: %s", strerror(errno)); + return -1; + } +- client_len = (unsigned)sizeof(client_addr); + + if (getenv("TCSD_FOREGROUND") == NULL) { + if (daemon(0, 0) == -1) { +@@ -295,6 +491,12 @@ + } + } + ++#ifdef SOLARIS ++ /* For Solaris, drop privileges for security. 
*/ ++ if ((rv = drop_privs())) ++ return (rv); ++#endif /* SOLARIS */ ++ + LogInfo("%s: TCSD up and running.", PACKAGE_STRING); + do { + newsd = accept(sd, (struct sockaddr *) &client_addr, &client_len); +@@ -314,20 +516,22 @@ + } + LogDebug("accepted socket %i", newsd); + +- if ((client_hostent = gethostbyaddr((char *) &client_addr.sin_addr, +- sizeof(client_addr.sin_addr), ++ if (tcsd_options.port != 0) { /* TCP socket */ ++ if ((client_hostent = gethostbyaddr((char *) &client_addr.in.sin_addr, ++ sizeof(client_addr.in.sin_addr), + AF_INET)) == NULL) { +- char buf[16]; +- uint32_t addr = htonl(client_addr.sin_addr.s_addr); ++ char buf[16]; ++ uint32_t addr = htonl(client_addr.in.sin_addr.s_addr); + +- snprintf(buf, 16, "%d.%d.%d.%d", (addr & 0xff000000) >> 24, +- (addr & 0x00ff0000) >> 16, (addr & 0x0000ff00) >> 8, +- addr & 0x000000ff); ++ snprintf(buf, 16, "%d.%d.%d.%d", (addr & 0xff000000) >> 24, ++ (addr & 0x00ff0000) >> 16, (addr & 0x0000ff00) >> 8, ++ addr & 0x000000ff); + +- LogWarn("Host name for connecting IP %s could not be resolved", buf); +- hostname = strdup(buf); +- } else { +- hostname = strdup(client_hostent->h_name); ++ LogWarn("Host name for connecting IP %s could not be resolved", buf); ++ hostname = strdup(buf); ++ } else { ++ hostname = strdup(client_hostent->h_name); ++ } + } + + tcsd_thread_create(newsd, hostname); diff -r 5b1bfaf90eeb -r 811524a2620b components/trousers/patches/tcstp_rpc.c.patch --- a/components/trousers/patches/tcstp_rpc.c.patch Fri Oct 19 16:06:19 2012 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
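Review bot: In `store_eventlog()` the retry loop calls `write(fd, evlog->buf, evlog->buflen - bytes)`, so after a short write it starts again from the beginning of the buffer instead of `evlog->buf + bytes`, and the saved firmware event log would no longer match what the driver returned. The counter is also a signed `int` compared against the `uint32_t` `buflen`; the loop below keeps the existing `EAGAIN` retry, advances the pointer and uses an unsigned offset. `get_event_log_from_kernel()` returns the result of `store_eventlog()` without freeing `ioblk.buf`, so a `free(ioblk.buf)` after that call is needed as well. Separately, the fallback `daemon()` calls `closefrom(0)` while `main()` invokes `daemon(0, 0)` after `listen()`, which would close the listening socket on builds that use the fallback; removing that call and relying on the `/dev/null` redirection avoids it. `main()` is only partly visible in the inner hunks, so the call order is read from their context lines.

```c
static int
store_eventlog(char *filename, struct tpm_evtable_ioblk *evlog)
{
	/* … unchanged: declaration of fd, open() of filename and its error path … */
	uint32_t done = 0;

	while (done < evlog->buflen) {
		/* resume after the bytes already written, not from the buffer start */
		ssize_t n = write(fd, evlog->buf + done, evlog->buflen - done);

		if (n == -1) {
			if (errno == EAGAIN || errno == EINTR)
				continue;
			LogError("Error writing logfile %s: %s",
			    filename, strerror(errno));
			(void) close(fd);
			return (-1);
		}
		done += (uint32_t)n;
	}
	/* … unchanged: close(fd) and return (0) … */
}
```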
@@ -1,473 +0,0 @@ ---- src/tcs/rpc/tcstp/rpc.c.orig Fri Jun 5 12:45:50 2009 -+++ src/tcs/rpc/tcstp/rpc.c Thu Sep 10 13:05:33 2009 -@@ -385,134 +385,134 @@ - typedef struct tdDispatchTable { - TSS_RESULT (*Func) (struct tcsd_thread_data *); - const char *name; -+ UINT32 ordinal; - } DispatchTable; - - DispatchTable tcs_func_table[TCSD_MAX_NUM_ORDS] = { -- {tcs_wrap_Error,"Error"}, /* 0 */ -- {tcs_wrap_OpenContext,"OpenContext"}, -- {tcs_wrap_CloseContext,"CloseContext"}, -- {tcs_wrap_Error,"Error"}, -- {tcs_wrap_TCSGetCapability,"TCSGetCapability"}, -- {tcs_wrap_RegisterKey,"RegisterKey"}, /* 5 */ -- {tcs_wrap_UnregisterKey,"UnregisterKey"}, -- {tcs_wrap_EnumRegisteredKeys,"EnumRegisteredKeys"}, -- {tcs_wrap_Error,"Error"}, -- {tcs_wrap_GetRegisteredKeyBlob,"GetRegisteredKeyBlob"}, -- {tcs_wrap_GetRegisteredKeyByPublicInfo,"GetRegisteredKeyByPublicInfo"}, /* 10 */ -- {tcs_wrap_LoadKeyByBlob,"LoadKeyByBlob"}, -- {tcs_wrap_LoadKeyByUUID,"LoadKeyByUUID"}, -- {tcs_wrap_EvictKey,"EvictKey"}, -- {tcs_wrap_CreateWrapKey,"CreateWrapKey"}, -- {tcs_wrap_GetPubkey,"GetPubkey"}, /* 15 */ -- {tcs_wrap_MakeIdentity,"MakeIdentity"}, -- {tcs_wrap_LogPcrEvent,"LogPcrEvent"}, -- {tcs_wrap_GetPcrEvent,"GetPcrEvent"}, -- {tcs_wrap_GetPcrEventsByPcr,"GetPcrEventsByPcr"}, -- {tcs_wrap_GetPcrEventLog,"GetPcrEventLog"}, /* 20 */ -- {tcs_wrap_SetOwnerInstall,"SetOwnerInstall"}, -- {tcs_wrap_TakeOwnership,"TakeOwnership"}, -- {tcs_wrap_OIAP,"OIAP"}, -- {tcs_wrap_OSAP,"OSAP"}, -- {tcs_wrap_ChangeAuth,"ChangeAuth"}, /* 25 */ -- {tcs_wrap_ChangeAuthOwner,"ChangeAuthOwner"}, -- {tcs_wrap_Error,"Error"}, -- {tcs_wrap_Error,"Error"}, -- {tcs_wrap_TerminateHandle,"TerminateHandle"}, -- {tcs_wrap_ActivateIdentity,"ActivateIdentity"}, /* 30 */ -- {tcs_wrap_Extend,"Extend"}, -- {tcs_wrap_PcrRead,"PcrRead"}, -- {tcs_wrap_Quote,"Quote"}, -- {tcs_wrap_DirWriteAuth,"DirWriteAuth"}, -- {tcs_wrap_DirRead,"DirRead"}, /* 35 */ -- {tcs_wrap_Seal,"Seal"}, -- {tcs_wrap_UnSeal,"UnSeal"}, -- 
{tcs_wrap_UnBind,"UnBind"}, -- {tcs_wrap_CreateMigrationBlob,"CreateMigrationBlob"}, -- {tcs_wrap_ConvertMigrationBlob,"ConvertMigrationBlob"}, /* 40 */ -- {tcs_wrap_AuthorizeMigrationKey,"AuthorizeMigrationKey"}, -- {tcs_wrap_CertifyKey,"CertifyKey"}, -- {tcs_wrap_Sign,"Sign"}, -- {tcs_wrap_GetRandom,"GetRandom"}, -- {tcs_wrap_StirRandom,"StirRandom"}, /* 45 */ -- {tcs_wrap_GetCapability,"GetCapability"}, -- {tcs_wrap_Error,"Error"}, -- {tcs_wrap_GetCapabilityOwner,"GetCapabilityOwner"}, -- {tcs_wrap_CreateEndorsementKeyPair,"CreateEndorsementKeyPair"}, -- {tcs_wrap_ReadPubek,"ReadPubek"}, /* 50 */ -- {tcs_wrap_DisablePubekRead,"DisablePubekRead"}, -- {tcs_wrap_OwnerReadPubek,"OwnerReadPubek"}, -- {tcs_wrap_SelfTestFull,"SelfTestFull"}, -- {tcs_wrap_CertifySelfTest,"CertifySelfTest"}, -- {tcs_wrap_Error,"Error"}, /* 55 */ -- {tcs_wrap_GetTestResult,"GetTestResult"}, -- {tcs_wrap_OwnerSetDisable,"OwnerSetDisable"}, -- {tcs_wrap_OwnerClear,"OwnerClear"}, -- {tcs_wrap_DisableOwnerClear,"DisableOwnerClear"}, -- {tcs_wrap_ForceClear,"ForceClear"}, /* 60 */ -- {tcs_wrap_DisableForceClear,"DisableForceClear"}, -- {tcs_wrap_PhysicalDisable,"PhysicalDisable"}, -- {tcs_wrap_PhysicalEnable,"PhysicalEnable"}, -- {tcs_wrap_PhysicalSetDeactivated,"PhysicalSetDeactivated"}, -- {tcs_wrap_SetTempDeactivated,"SetTempDeactivated"}, /* 65 */ -- {tcs_wrap_PhysicalPresence,"PhysicalPresence"}, -- {tcs_wrap_Error,"Error"}, -- {tcs_wrap_Error,"Error"}, -- {tcs_wrap_CreateMaintenanceArchive,"CreateMaintenanceArchive"}, -- {tcs_wrap_LoadMaintenanceArchive,"LoadMaintenanceArchive"}, /* 70 */ -- {tcs_wrap_KillMaintenanceFeature,"KillMaintenanceFeature"}, -- {tcs_wrap_LoadManuMaintPub,"LoadManuMaintPub"}, -- {tcs_wrap_ReadManuMaintPub,"ReadManuMaintPub"}, -- {tcs_wrap_DaaJoin,"DaaJoin"}, -- {tcs_wrap_DaaSign,"DaaSign"}, /* 75 */ -- {tcs_wrap_SetCapability,"SetCapability"}, -- {tcs_wrap_ResetLockValue,"ResetLockValue"}, -- {tcs_wrap_PcrReset,"PcrReset"}, -- 
{tcs_wrap_ReadCounter,"ReadCounter"}, -- {tcs_wrap_CreateCounter,"CreateCounter"}, /* 80 */ -- {tcs_wrap_IncrementCounter,"IncrementCounter"}, -- {tcs_wrap_ReleaseCounter,"ReleaseCounter"}, -- {tcs_wrap_ReleaseCounterOwner,"ReleaseCounterOwner"}, -- {tcs_wrap_ReadCurrentTicks,"ReadCurrentTicks"}, -- {tcs_wrap_TickStampBlob,"TicksStampBlob"}, /* 85 */ -- {tcs_wrap_GetCredential,"GetCredential"}, -- {tcs_wrap_NV_DefineOrReleaseSpace,"NVDefineOrReleaseSpace"}, -- {tcs_wrap_NV_WriteValue,"NVWriteValue"}, -- {tcs_wrap_NV_WriteValueAuth,"NVWriteValueAuth"}, -- {tcs_wrap_NV_ReadValue,"NVReadValue"}, /* 90 */ -- {tcs_wrap_NV_ReadValueAuth,"NVReadValueAuth"}, -- {tcs_wrap_EstablishTransport,"EstablishTransport"}, -- {tcs_wrap_ExecuteTransport,"ExecuteTransport"}, -- {tcs_wrap_ReleaseTransportSigned,"ReleaseTransportSigned"}, -- {tcs_wrap_SetOrdinalAuditStatus,"SetOrdinalAuditStatus"}, /* 95 */ -- {tcs_wrap_GetAuditDigest,"GetAuditDigest"}, -- {tcs_wrap_GetAuditDigestSigned,"GetAuditDigestSigned"}, -- {tcs_wrap_Sealx,"Sealx"}, -- {tcs_wrap_SetOperatorAuth,"SetOperatorAuth"}, -- {tcs_wrap_OwnerReadInternalPub,"OwnerReadInternalPub"}, /* 100 */ -- {tcs_wrap_EnumRegisteredKeys2,"EnumRegisteredKeys2"}, -- {tcs_wrap_SetTempDeactivated2,"SetTempDeactivated2"}, -- {tcs_wrap_Delegate_Manage,"Delegate_Manage"}, -- {tcs_wrap_Delegate_CreateKeyDelegation,"Delegate_CreateKeyDelegation"}, -- {tcs_wrap_Delegate_CreateOwnerDelegation,"Delegate_CreateOwnerDelegation"}, /* 105 */ -- {tcs_wrap_Delegate_LoadOwnerDelegation,"Delegate_LoadOwnerDelegation"}, -- {tcs_wrap_Delegate_ReadTable,"Delegate_ReadTable"}, -- {tcs_wrap_Delegate_UpdateVerificationCount,"Delegate_UpdateVerificationCount"}, -- {tcs_wrap_Delegate_VerifyDelegation,"Delegate_VerifyDelegation"}, -- {tcs_wrap_CreateRevocableEndorsementKeyPair,"CreateRevocableEndorsementKeyPair"}, /* 110 */ -- {tcs_wrap_RevokeEndorsementKeyPair,"RevokeEndorsementKeyPair"}, -- {tcs_wrap_Error,"Error - was MakeIdentity2"}, -- 
{tcs_wrap_Quote2,"Quote2"}, -- {tcs_wrap_CMK_SetRestrictions,"CMK_SetRestrictions"}, -- {tcs_wrap_CMK_ApproveMA,"CMK_ApproveMA"}, /* 115 */ -- {tcs_wrap_CMK_CreateKey,"CMK_CreateKey"}, -- {tcs_wrap_CMK_CreateTicket,"CMK_CreateTicket"}, -- {tcs_wrap_CMK_CreateBlob,"CMK_CreateBlob"}, -- {tcs_wrap_CMK_ConvertMigration,"CMK_ConvertMigration"}, -- {tcs_wrap_FlushSpecific,"FlushSpecific"}, /* 120 */ -- {tcs_wrap_KeyControlOwner, "KeyControlOwner"}, -- {tcs_wrap_DSAP, "DSAP"} --}; -- -+ {tcs_wrap_Error,"Error", 0}, /* 0 */ -+ {tcs_wrap_OpenContext,"OpenContext", 0}, -+ {tcs_wrap_CloseContext,"CloseContext", 0}, -+ {tcs_wrap_Error,"Error", 0}, -+ {tcs_wrap_TCSGetCapability,"TCSGetCapability", 0}, -+ {tcs_wrap_RegisterKey,"RegisterKey", 0}, /* 5 */ -+ {tcs_wrap_UnregisterKey,"UnregisterKey", 0}, -+ {tcs_wrap_EnumRegisteredKeys,"EnumRegisteredKeys", 0}, -+ {tcs_wrap_Error,"Error", 0}, -+ {tcs_wrap_GetRegisteredKeyBlob,"GetRegisteredKeyBlob", 0}, -+ {tcs_wrap_GetRegisteredKeyByPublicInfo,"GetRegisteredKeyByPublicInfo", 0}, /* 10 */ -+ {tcs_wrap_LoadKeyByBlob,"LoadKeyByBlob", 0}, -+ {tcs_wrap_LoadKeyByUUID,"LoadKeyByUUID", 0}, -+ {tcs_wrap_EvictKey,"EvictKey", 0}, -+ {tcs_wrap_CreateWrapKey,"CreateWrapKey", 0}, -+ {tcs_wrap_GetPubkey,"GetPubkey", 0}, /* 15 */ -+ {tcs_wrap_MakeIdentity,"MakeIdentity", 0}, -+ {tcs_wrap_LogPcrEvent,"LogPcrEvent", 0}, -+ {tcs_wrap_GetPcrEvent,"GetPcrEvent", 0}, -+ {tcs_wrap_GetPcrEventsByPcr,"GetPcrEventsByPcr", 0}, -+ {tcs_wrap_GetPcrEventLog,"GetPcrEventLog", 0}, /* 20 */ -+ {tcs_wrap_SetOwnerInstall,"SetOwnerInstall", TPM_ORD_SetOwnerInstall}, -+ {tcs_wrap_TakeOwnership,"TakeOwnership", TPM_ORD_TakeOwnership}, -+ {tcs_wrap_OIAP,"OIAP", 0}, -+ {tcs_wrap_OSAP,"OSAP", 0}, -+ {tcs_wrap_ChangeAuth,"ChangeAuth", 0}, /* 25 */ -+ {tcs_wrap_ChangeAuthOwner,"ChangeAuthOwner", 0}, -+ {tcs_wrap_Error,"Error", 0}, -+ {tcs_wrap_Error,"Error", 0}, -+ {tcs_wrap_TerminateHandle,"TerminateHandle", 0}, -+ {tcs_wrap_ActivateIdentity,"ActivateIdentity", 0}, /* 30 
*/ -+ {tcs_wrap_Extend,"Extend", 0}, -+ {tcs_wrap_PcrRead,"PcrRead", 0}, -+ {tcs_wrap_Quote,"Quote", 0}, -+ {tcs_wrap_DirWriteAuth,"DirWriteAuth", 0}, -+ {tcs_wrap_DirRead,"DirRead", 0}, /* 35 */ -+ {tcs_wrap_Seal,"Seal", 0}, -+ {tcs_wrap_UnSeal,"UnSeal", 0}, -+ {tcs_wrap_UnBind,"UnBind", 0}, -+ {tcs_wrap_CreateMigrationBlob,"CreateMigrationBlob", 0}, -+ {tcs_wrap_ConvertMigrationBlob,"ConvertMigrationBlob", 0}, /* 40 */ -+ {tcs_wrap_AuthorizeMigrationKey,"AuthorizeMigrationKey", 0}, -+ {tcs_wrap_CertifyKey,"CertifyKey", 0}, -+ {tcs_wrap_Sign,"Sign", 0}, -+ {tcs_wrap_GetRandom,"GetRandom", 0}, -+ {tcs_wrap_StirRandom,"StirRandom", 0}, /* 45 */ -+ {tcs_wrap_GetCapability,"GetCapability", 0}, -+ {tcs_wrap_Error,"Error", 0}, -+ {tcs_wrap_GetCapabilityOwner,"GetCapabilityOwner", 0}, -+ {tcs_wrap_CreateEndorsementKeyPair,"CreateEndorsementKeyPair", 0}, -+ {tcs_wrap_ReadPubek,"ReadPubek", 0}, /* 50 */ -+ {tcs_wrap_DisablePubekRead,"DisablePubekRead", 0}, -+ {tcs_wrap_OwnerReadPubek,"OwnerReadPubek", 0}, -+ {tcs_wrap_SelfTestFull,"SelfTestFull", TPM_ORD_SelfTestFull}, -+ {tcs_wrap_CertifySelfTest,"CertifySelfTest", TPM_ORD_CertifySelfTest}, -+ {tcs_wrap_Error,"Error", 0}, /* 55 */ -+ {tcs_wrap_GetTestResult,"GetTestResult", 0}, -+ {tcs_wrap_OwnerSetDisable,"OwnerSetDisable", TPM_ORD_OwnerSetDisable}, -+ {tcs_wrap_OwnerClear,"OwnerClear", TPM_ORD_OwnerClear}, -+ {tcs_wrap_DisableOwnerClear,"DisableOwnerClear", TPM_ORD_DisableOwnerClear}, -+ {tcs_wrap_ForceClear,"ForceClear", TPM_ORD_ForceClear}, /* 60 */ -+ {tcs_wrap_DisableForceClear,"DisableForceClear", TPM_ORD_DisableForceClear}, -+ {tcs_wrap_PhysicalDisable,"PhysicalDisable", TPM_ORD_PhysicalDisable}, -+ {tcs_wrap_PhysicalEnable,"PhysicalEnable", TPM_ORD_PhysicalEnable}, -+ {tcs_wrap_PhysicalSetDeactivated,"PhysicalSetDeactivated", TPM_ORD_PhysicalSetDeactivated}, -+ {tcs_wrap_SetTempDeactivated,"SetTempDeactivated", TPM_ORD_SetTempDeactivated}, /* 65 */ -+ {tcs_wrap_PhysicalPresence,"PhysicalPresence", 
TSC_ORD_PhysicalPresence}, -+ {tcs_wrap_Error,"Error", 0}, -+ {tcs_wrap_Error,"Error", 0}, -+ {tcs_wrap_CreateMaintenanceArchive,"CreateMaintenanceArchive", 0}, -+ {tcs_wrap_LoadMaintenanceArchive,"LoadMaintenanceArchive", 0}, /* 70 */ -+ {tcs_wrap_KillMaintenanceFeature,"KillMaintenanceFeature", 0}, -+ {tcs_wrap_LoadManuMaintPub,"LoadManuMaintPub", 0}, -+ {tcs_wrap_ReadManuMaintPub,"ReadManuMaintPub", 0}, -+ {tcs_wrap_DaaJoin,"DaaJoin", 0}, -+ {tcs_wrap_DaaSign,"DaaSign", 0}, /* 75 */ -+ {tcs_wrap_SetCapability,"SetCapability", 0}, -+ {tcs_wrap_ResetLockValue,"ResetLockValue", TPM_ORD_ResetLockValue}, -+ {tcs_wrap_PcrReset,"PcrReset", 0}, -+ {tcs_wrap_ReadCounter,"ReadCounter", 0}, -+ {tcs_wrap_CreateCounter,"CreateCounter", 0}, /* 80 */ -+ {tcs_wrap_IncrementCounter,"IncrementCounter", 0}, -+ {tcs_wrap_ReleaseCounter,"ReleaseCounter", 0}, -+ {tcs_wrap_ReleaseCounterOwner,"ReleaseCounterOwner", 0}, -+ {tcs_wrap_ReadCurrentTicks,"ReadCurrentTicks", 0}, -+ {tcs_wrap_TickStampBlob,"TicksStampBlob", 0}, /* 85 */ -+ {tcs_wrap_GetCredential,"GetCredential", 0}, -+ {tcs_wrap_NV_DefineOrReleaseSpace,"NVDefineOrReleaseSpace", 0}, -+ {tcs_wrap_NV_WriteValue,"NVWriteValue", 0}, -+ {tcs_wrap_NV_WriteValueAuth,"NVWriteValueAuth", 0}, -+ {tcs_wrap_NV_ReadValue,"NVReadValue", 0}, /* 90 */ -+ {tcs_wrap_NV_ReadValueAuth,"NVReadValueAuth", 0}, -+ {tcs_wrap_EstablishTransport,"EstablishTransport", 0}, -+ {tcs_wrap_ExecuteTransport,"ExecuteTransport", 0}, -+ {tcs_wrap_ReleaseTransportSigned,"ReleaseTransportSigned", 0}, -+ {tcs_wrap_SetOrdinalAuditStatus,"SetOrdinalAuditStatus", 0}, /* 95 */ -+ {tcs_wrap_GetAuditDigest,"GetAuditDigest", 0}, -+ {tcs_wrap_GetAuditDigestSigned,"GetAuditDigestSigned", 0}, -+ {tcs_wrap_Sealx,"Sealx", 0}, -+ {tcs_wrap_SetOperatorAuth,"SetOperatorAuth", TPM_ORD_SetOperatorAuth}, -+ {tcs_wrap_OwnerReadInternalPub,"OwnerReadInternalPub", 0}, /* 100 */ -+ {tcs_wrap_EnumRegisteredKeys2,"EnumRegisteredKeys2", 0}, -+ 
{tcs_wrap_SetTempDeactivated2,"SetTempDeactivated2", 0}, -+ {tcs_wrap_Delegate_Manage,"Delegate_Manage", 0}, -+ {tcs_wrap_Delegate_CreateKeyDelegation,"Delegate_CreateKeyDelegation", 0}, -+ {tcs_wrap_Delegate_CreateOwnerDelegation,"Delegate_CreateOwnerDelegation", 0}, /* 105 */ -+ {tcs_wrap_Delegate_LoadOwnerDelegation,"Delegate_LoadOwnerDelegation", 0}, -+ {tcs_wrap_Delegate_ReadTable,"Delegate_ReadTable", 0}, -+ {tcs_wrap_Delegate_UpdateVerificationCount,"Delegate_UpdateVerificationCount", 0}, -+ {tcs_wrap_Delegate_VerifyDelegation,"Delegate_VerifyDelegation", 0}, -+ {tcs_wrap_CreateRevocableEndorsementKeyPair,"CreateRevocableEndorsementKeyPair", 0}, /* 110 */ -+ {tcs_wrap_RevokeEndorsementKeyPair,"RevokeEndorsementKeyPair", 0}, -+ {tcs_wrap_Error,"Error - was MakeIdentity2", 0}, -+ {tcs_wrap_Quote2,"Quote2", 0}, -+ {tcs_wrap_CMK_SetRestrictions,"CMK_SetRestrictions", 0}, -+ {tcs_wrap_CMK_ApproveMA,"CMK_ApproveMA", 0}, /* 115 */ -+ {tcs_wrap_CMK_CreateKey,"CMK_CreateKey", 0}, -+ {tcs_wrap_CMK_CreateTicket,"CMK_CreateTicket", 0}, -+ {tcs_wrap_CMK_CreateBlob,"CMK_CreateBlob", 0}, -+ {tcs_wrap_CMK_ConvertMigration,"CMK_ConvertMigration", 0}, -+ {tcs_wrap_FlushSpecific,"FlushSpecific", 0}, /* 120 */ -+ {tcs_wrap_KeyControlOwner, "KeyControlOwner", 0}, -+ {tcs_wrap_DSAP, "DSAP", 0} -+ }; - int - access_control(struct tcsd_thread_data *thread_data) - { -@@ -562,11 +562,190 @@ - return 1; - } - -+#if defined (SOLARIS) -+ -+#include -+#include -+#include -+ -+static void -+audit_tpm(UINT32 cmd, struct tcsd_thread_data *data) -+{ -+ adt_session_data_t *ah = NULL; -+ adt_event_data_t *event = NULL; -+ ucred_t *uc = NULL; -+ int adterr, msgid; -+ int adtstatus = ADT_FAILURE; -+ -+ if (getpeerucred(data->sock, &uc)) { -+ LogError("Audit Failed - getpeerucred failed (%s)", -+ strerror(errno)); -+ return; -+ } -+ if (adt_start_session(&ah, NULL, ADT_USE_PROC_DATA) != 0) { -+ LogError("Audit Failed - adt_start_session failed (%s)", -+ strerror(errno)); -+ goto end; -+ } -+ -+ 
if (adt_set_from_ucred(ah, uc, ADT_NEW) != 0) { -+ LogError("Audit Failed - adt_set_from_ucred failed (%s)", -+ strerror(errno)); -+ goto end; -+ } -+ -+ /* -+ * NOTE: It is important that the ordering of the -+ * error message definitions in the adt.xml IDL from the -+ * libbsm library source matches the numerical ordering of -+ * the TPM_E_* error codes in /usr/include/tss/tpm_error.h -+ */ -+ if (data->comm.hdr.u.result == TSS_SUCCESS) { -+ adtstatus = ADT_SUCCESS; -+ adterr = ADT_SUCCESS; -+ /* -+ * Use literal value here until the -+ * build system is updated with latest adt_event.h -+ * 4102 = ADT_TPM_E_NO_MSG (build 123). -+ * Change this later. -+ */ -+ msgid = 4102; -+ } else if (data->comm.hdr.u.result & TPM_E_NON_FATAL) { -+ /* -+ * NON_FATAL TPM errors are masked (0x800) so they are not in numerical -+ * sequence with the rest of the TPM errors. -+ */ -+ msgid = ADT_TPM_E_RETRY + -+ (data->comm.hdr.u.result - TPM_E_RETRY); -+ adterr = ADT_FAIL_VALUE_PROGRAM; -+ } else { -+ msgid = ADT_TPM_E_AUTHFAIL + -+ (data->comm.hdr.u.result - TPM_E_AUTHFAIL); -+ adterr = ADT_FAIL_VALUE_PROGRAM; -+ } -+ switch(cmd) { -+ case TPM_ORD_CertifySelfTest: -+ event = adt_alloc_event(ah, ADT_tpm_certifyselftest); -+ if (event != NULL) -+ event->adt_tpm_certifyselftest.message = msgid; -+ break; -+ case TPM_ORD_OwnerClear: -+ event = adt_alloc_event(ah, ADT_tpm_ownerclear); -+ if (event != NULL) -+ event->adt_tpm_ownerclear.message = msgid; -+ break; -+ case TPM_ORD_ContinueSelfTest: -+ event = adt_alloc_event(ah, ADT_tpm_continueselftest); -+ if (event != NULL) -+ event->adt_tpm_continueselftest.message = msgid; -+ break; -+ case TPM_ORD_DisableForceClear: -+ event = adt_alloc_event(ah, ADT_tpm_disableforceclear); -+ if (event != NULL) -+ event->adt_tpm_disableforceclear.message = msgid; -+ break; -+ case TPM_ORD_DisableOwnerClear: -+ event = adt_alloc_event(ah, ADT_tpm_disableownerclear); -+ if (event != NULL) -+ event->adt_tpm_disableownerclear.message = msgid; -+ break; 
-+ case TPM_ORD_FieldUpgrade: -+ event = adt_alloc_event(ah, ADT_tpm_fieldupgrade); -+ if (event != NULL) -+ event->adt_tpm_fieldupgrade.message = msgid; -+ break; -+ case TPM_ORD_ForceClear: -+ event = adt_alloc_event(ah, ADT_tpm_forceclear); -+ if (event != NULL) -+ event->adt_tpm_forceclear.message = msgid; -+ break; -+ case TPM_ORD_OwnerSetDisable: -+ event = adt_alloc_event(ah, ADT_tpm_ownersetdisable); -+ if (event != NULL) -+ event->adt_tpm_ownersetdisable.message = msgid; -+ break; -+ case TPM_ORD_PhysicalEnable: -+ event = adt_alloc_event(ah, ADT_tpm_physicalenable); -+ if (event != NULL) -+ event->adt_tpm_physicalenable.message = msgid; -+ break; -+ case TPM_ORD_PhysicalDisable: -+ event = adt_alloc_event(ah, ADT_tpm_physicaldisable); -+ if (event != NULL) -+ event->adt_tpm_physicaldisable.message = msgid; -+ break; -+ case TPM_ORD_PhysicalSetDeactivated: -+ event = adt_alloc_event(ah, ADT_tpm_physicaldeactivate); -+ if (event != NULL) -+ event->adt_tpm_physicaldeactivate.message = msgid; -+ break; -+ case TSC_ORD_PhysicalPresence: -+ event = adt_alloc_event(ah, ADT_tpm_physicalpresence); -+ if (event != NULL) -+ event->adt_tpm_physicalpresence.message = msgid; -+ break; -+ case TPM_ORD_ResetLockValue: -+ event = adt_alloc_event(ah, ADT_tpm_resetlockvalue); -+ if (event != NULL) -+ event->adt_tpm_resetlockvalue.message = msgid; -+ break; -+ case TPM_ORD_SelfTestFull: -+ event = adt_alloc_event(ah, ADT_tpm_selftestfull); -+ if (event != NULL) -+ event->adt_tpm_selftestfull.message = msgid; -+ break; -+ case TPM_ORD_SetOperatorAuth: -+ event = adt_alloc_event(ah, ADT_tpm_setoperatorauth); -+ if (event != NULL) -+ event->adt_tpm_setoperatorauth.message = msgid; -+ break; -+ case TPM_ORD_SetOwnerInstall: -+ event = adt_alloc_event(ah, ADT_tpm_setownerinstall); -+ if (event != NULL) -+ event->adt_tpm_setownerinstall.message = msgid; -+ break; -+ case TPM_ORD_SetTempDeactivated: -+ event = adt_alloc_event(ah, ADT_tpm_settempdeactivated); -+ if (event != NULL) 
-+ event->adt_tpm_settempdeactivated.message = msgid; -+ break; -+ case TPM_ORD_TakeOwnership: -+ event = adt_alloc_event(ah, ADT_tpm_takeownership); -+ if (event != NULL) -+ event->adt_tpm_takeownership.message = msgid; -+ break; -+ default: -+ /* command not audited */ -+ goto end; -+ } -+ if (event == NULL) { -+ LogError("Audit Failed - Failed to allocate event (%s)", -+ strerror(errno)); -+ goto end; -+ } -+ -+ if (adt_put_event(event, adtstatus, adterr)) { -+ LogError("Audit Failed - Failed to put audit event (%s)", -+ strerror(errno)); -+ } -+ -+end: -+ ucred_free(uc); -+ adt_free_event(event); -+ (void) adt_end_session(ah); -+ -+ return; -+} -+#endif /* SOLARIS */ -+ - TSS_RESULT - dispatchCommand(struct tcsd_thread_data *data) - { - UINT64 offset; - TSS_RESULT result; -+#if defined (SOLARIS) -+ UINT32 cmd; -+#endif - - /* First, check the ordinal bounds */ - if (data->comm.hdr.u.ordinal >= TCSD_MAX_NUM_ORDS) { -@@ -596,6 +775,9 @@ - } - - /* Now, dispatch */ -+#if defined (SOLARIS) -+ cmd = tcs_func_table[data->comm.hdr.u.ordinal].ordinal; -+#endif - if ((result = tcs_func_table[data->comm.hdr.u.ordinal].Func(data)) == TSS_SUCCESS) { - /* set the comm buffer */ - offset = 0; -@@ -607,6 +789,9 @@ - LoadBlob_UINT32(&offset, data->comm.hdr.parm_size, data->comm.buf); - LoadBlob_UINT32(&offset, data->comm.hdr.parm_offset, data->comm.buf); - } -+#if defined (SOLARIS) -+ audit_tpm(cmd, data); -+#endif - - return result; - diff -r 5b1bfaf90eeb -r 811524a2620b components/trousers/patches/tddl.c.patch --- a/components/trousers/patches/tddl.c.patch Fri Oct 19 16:06:19 2012 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,79 +0,0 @@ ---- src/tddl/tddl.c.old 2010-04-12 22:24:21.000000000 -0700 -+++ src/tddl/tddl.c 2011-07-12 13:14:57.362305220 -0700 -@@ -18,13 +18,17 @@ - - #include "trousers/tss.h" - #include "trousers_types.h" -+#ifndef SOLARIS - #include "linux/tpm.h" -+#endif - #include "tcslog.h" - #include "tddl.h" - - struct tpm_device_node tpm_device_nodes[] = { -+#ifndef SOLARIS - {"/dev/tpm0", TDDL_UNDEF, TDDL_UNDEF}, - {"/udev/tpm0", TDDL_UNDEF, TDDL_UNDEF}, -+#endif - {"/dev/tpm", TDDL_UNDEF, TDDL_UNDEF}, - {NULL, 0, 0} - }; -@@ -63,7 +67,7 @@ - - - fd = socket(AF_INET, SOCK_STREAM, 0); -- if (fd > 0) { -+ if (fd >= 0) { - struct hostent *host = gethostbyname(tcp_device_hostname); - if (host != NULL) { - struct sockaddr_in addr; -@@ -105,12 +109,16 @@ - /* tpm_device_paths is filled out in tddl.h */ - for (i = 0; tpm_device_nodes[i].path != NULL; i++) { - errno = 0; -- if ((fd = open(tpm_device_nodes[i].path, O_RDWR)) >= 0) -+ if ((fd = open(tpm_device_nodes[i].path, O_RDWR)) >= 0) { - break; -+ } else { -+ fprintf(stderr, "Error opening %s: %s\n", -+ tpm_device_nodes[i].path, strerror(errno)); -+ } - } - } -- -- if (fd > 0) { -+ -+ if (fd >= 0) { - opened_device = &(tpm_device_nodes[i]); - tpm_device_nodes[i].fd = fd; - } -@@ -181,11 +189,13 @@ - /* fall through */ - case TDDL_TRANSMIT_IOCTL: - errno = 0; -+#ifndef SOLARIS - if ((sizeResult = ioctl(opened_device->fd, TPMIOC_TRANSMIT, txBuffer)) != -1) { - opened_device->transmit = TDDL_TRANSMIT_IOCTL; - break; - } - LogWarn("ioctl: (%d) %s", errno, strerror(errno)); -+#endif - LogInfo("Falling back to Read/Write device support."); - /* fall through */ - case TDDL_TRANSMIT_RW: -@@ -255,6 +265,7 @@ - - TSS_RESULT Tddli_Cancel(void) - { -+#ifndef SOLARIS - int rc; - - if (opened_device->transmit == TDDL_TRANSMIT_IOCTL) { -@@ -270,4 +281,7 @@ - } else { - return TDDLERR(TSS_E_NOTIMPL); - } -+#else -+ return TDDLERR(TSS_E_NOTIMPL); -+#endif /* SOLARIS */ - } diff -r 5b1bfaf90eeb -r 811524a2620b 
components/trousers/patches/tddl_tddl.c.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/trousers/patches/tddl_tddl.c.patch Sat Oct 20 00:06:08 2012 -0700
@@ -0,0 +1,93 @@
+--- src/tddl/tddl.c Mon Apr 12 22:24:21 2010
++++ src/tddl/tddl.c.new Thu Sep 22 12:28:25 2011
+@@ -18,13 +18,17 @@
+
+ #include "trousers/tss.h"
+ #include "trousers_types.h"
++#ifndef SOLARIS
+ #include "linux/tpm.h"
++#endif
+ #include "tcslog.h"
+ #include "tddl.h"
+
+ struct tpm_device_node tpm_device_nodes[] = {
++#ifndef SOLARIS
+ {"/dev/tpm0", TDDL_UNDEF, TDDL_UNDEF},
+ {"/udev/tpm0", TDDL_UNDEF, TDDL_UNDEF},
++#endif
+ {"/dev/tpm", TDDL_UNDEF, TDDL_UNDEF},
+ {NULL, 0, 0}
+ };
+@@ -42,6 +46,13 @@
+ #include
+ #include
+
++#ifdef SOLARIS
++int
++get_device_fd()
++{
++ return (opened_device->fd);
++}
++#endif
+
+ int
+ open_device()
+@@ -63,7 +74,7 @@
+
+
+ fd = socket(AF_INET, SOCK_STREAM, 0);
+- if (fd > 0) {
++ if (fd >= 0) {
+ struct hostent *host = gethostbyname(tcp_device_hostname);
+ if (host != NULL) {
+ struct sockaddr_in addr;
+@@ -105,12 +116,16 @@
+ /* tpm_device_paths is filled out in tddl.h */
+ for (i = 0; tpm_device_nodes[i].path != NULL; i++) {
+ errno = 0;
+- if ((fd = open(tpm_device_nodes[i].path, O_RDWR)) >= 0)
++ if ((fd = open(tpm_device_nodes[i].path, O_RDWR)) >= 0) {
+ break;
++ } else {
++ fprintf(stderr, "Error opening %s: %s\n",
++ tpm_device_nodes[i].path, strerror(errno));
++ }
+ }
+ }
+-
+- if (fd > 0) {
++
++ if (fd >= 0) {
+ opened_device = &(tpm_device_nodes[i]);
+ tpm_device_nodes[i].fd = fd;
+ }
+@@ -181,11 +196,13 @@
+ /* fall through */
+ case TDDL_TRANSMIT_IOCTL:
+ errno = 0;
++#ifndef SOLARIS
+ if ((sizeResult = ioctl(opened_device->fd, TPMIOC_TRANSMIT, txBuffer)) != -1) {
+ opened_device->transmit = TDDL_TRANSMIT_IOCTL;
+ break;
+ }
+ LogWarn("ioctl: (%d) %s", errno, strerror(errno));
++#endif
+ LogInfo("Falling back to Read/Write device support.");
+ /* fall through */
+ case TDDL_TRANSMIT_RW:
+@@ -255,6 +272,7 @@
+
+ TSS_RESULT Tddli_Cancel(void)
+ {
++#ifndef SOLARIS
+ int rc;
+
+ if (opened_device->transmit == TDDL_TRANSMIT_IOCTL) {
+@@ -270,4 +288,7 @@
+ } else {
+ return TDDLERR(TSS_E_NOTIMPL);
+ }
++#else
++ return TDDLERR(TSS_E_NOTIMPL);
++#endif /* SOLARIS */
+ }
diff -r 5b1bfaf90eeb -r 811524a2620b components/trousers/patches/trspi_crypto_openssl_hash.c.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/trousers/patches/trspi_crypto_openssl_hash.c.patch Sat Oct 20 00:06:08 2012 -0700
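Review bot: `get_device_fd()` in the `@@ -42,6 +46,13 @@` hunk dereferences `opened_device` with no check, so a call made before `open_device()` has succeeded would fault if that pointer starts out NULL (its definition is outside the hunk, so this needs confirming). Returning `-1` in that case keeps the accessor safe: `return (opened_device != NULL ? opened_device->fd : -1);`, and the prototype is better written `get_device_fd(void)`. The new `fprintf(stderr, ...)` in the open loop also bypasses the `LogWarn`/`LogInfo` calls used elsewhere in this file, so a daemonised tcsd would probably lose the message; `LogWarn("Error opening %s: %s", ...)` would keep it in the log.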
@@ -0,0 +1,87 @@
+--- src/trspi/crypto/openssl/hash.c.old 2011-05-09 06:20:09.505021734 -0700
++++ src/trspi/crypto/openssl/hash.c 2011-05-09 06:19:04.603252090 -0700
+@@ -56,45 +56,21 @@
+ TSS_RESULT
+ Trspi_Hash(UINT32 HashType, UINT32 BufSize, BYTE* Buf, BYTE* Digest)
+ {
+- EVP_MD_CTX md_ctx;
+- unsigned int result_size;
+- int rv;
++ Trspi_HashCtx ctx;
++ TSS_RESULT rv;
+
+- switch (HashType) {
+- case TSS_HASH_SHA1:
+- rv = EVP_DigestInit(&md_ctx, EVP_sha1());
+- break;
+- default:
+- rv = TSPERR(TSS_E_BAD_PARAMETER);
+- goto out;
+- break;
+- }
++ rv = Trspi_HashInit(&ctx, HashType);
++ if (rv != TSS_SUCCESS)
++ return rv;
+
+- if (rv != EVP_SUCCESS) {
+- rv = TSPERR(TSS_E_INTERNAL_ERROR);
+- goto err;
+- }
+-
+- rv = EVP_DigestUpdate(&md_ctx, Buf, BufSize);
+- if (rv != EVP_SUCCESS) {
+- rv = TSPERR(TSS_E_INTERNAL_ERROR);
+- goto err;
++ rv = Trspi_HashUpdate(&ctx, BufSize, Buf);
++ if (rv != TSS_SUCCESS) {
++ EVP_MD_CTX_destroy(ctx.ctx);
++ return rv;
+ }
++ rv = Trspi_HashFinal(&ctx, Digest);
+
+- result_size = EVP_MD_CTX_size(&md_ctx);
+- rv = EVP_DigestFinal(&md_ctx, Digest, &result_size);
+- if (rv != EVP_SUCCESS) {
+- rv = TSPERR(TSS_E_INTERNAL_ERROR);
+- goto err;
+- } else
+- rv = TSS_SUCCESS;
+-
+- goto out;
+-
+-err:
+- DEBUG_print_openssl_errors();
+-out:
+- return rv;
++ return (rv);
+ }
+
+ TSS_RESULT
+@@ -112,7 +88,8 @@
+ break;
+ }
+
+- if ((ctx->ctx = malloc(sizeof(EVP_MD_CTX))) == NULL)
++ ctx->ctx = EVP_MD_CTX_create();
++ if (ctx->ctx == NULL)
+ return TSPERR(TSS_E_OUTOFMEMORY);
+
+ rv = EVP_DigestInit((EVP_MD_CTX *)ctx->ctx, (const EVP_MD *)md);
+@@ -142,7 +119,7 @@
+ rv = EVP_DigestUpdate(ctx->ctx, data, size);
+ if (rv != EVP_SUCCESS) {
+ DEBUG_print_openssl_errors();
+- free(ctx->ctx);
++ EVP_MD_CTX_destroy(ctx->ctx);
+ ctx->ctx = NULL;
+ return TSPERR(TSS_E_INTERNAL_ERROR);
+ }
+@@ -164,7 +141,7 @@
+ if (rv != EVP_SUCCESS)
+ return TSPERR(TSS_E_INTERNAL_ERROR);
+
+- free(ctx->ctx);
++ EVP_MD_CTX_destroy(ctx->ctx);
+ ctx->ctx = NULL;
+
+ return TSS_SUCCESS;
diff -r 5b1bfaf90eeb -r 811524a2620b components/trousers/patches/tspi_ps_tspps.c.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/trousers/patches/tspi_ps_tspps.c.patch Sat Oct 20 00:06:08 2012 -0700
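Review bot: The `EVP_MD_CTX_destroy(ctx.ctx)` on the `Trspi_HashUpdate` failure path of the rewritten `Trspi_Hash` duplicates cleanup that the `@@ -142,7 +119,7 @@` hunk already performs: that routine (presumably `Trspi_HashUpdate`; its signature is outside the hunk) destroys `ctx->ctx` and sets it to NULL when `EVP_DigestUpdate` fails, so the wrapper passes NULL. Whether `EVP_MD_CTX_destroy(NULL)` is harmless depends on the OpenSSL release, so either drop the call or guard it with `if (ctx.ctx != NULL)`. The last hunk has the opposite gap: `return TSPERR(TSS_E_INTERNAL_ERROR);` runs before `EVP_MD_CTX_destroy(ctx->ctx)`, so a failed final step leaks the context from `EVP_MD_CTX_create()`. Releasing the context and setting `ctx->ctx = NULL` before that return would close the leak.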
@@ -0,0 +1,55 @@
+--- src/tspi/ps/tspps.c.orig 2011-03-24 13:06:14.607907754 -0700
++++ src/tspi/ps/tspps.c 2011-03-24 13:07:30.668528209 -0700
+@@ -70,9 +70,12 @@
+ TSS_RESULT result;
+ char *file_name = NULL, *home_dir = NULL;
+ struct passwd *pwp;
+-#if (defined (__linux) || defined (linux) || defined(__GLIBC__))
++#if (defined (__linux) || defined (linux) || defined(__GLIBC__) || defined(SOLARIS))
+ struct passwd pw;
+ #endif
++#ifdef SOLARIS
++ char pwbuf[PASSWD_BUFSIZE];
++#endif
+ struct stat stat_buf;
+ char buf[PASSWD_BUFSIZE];
+ uid_t euid;
+@@ -94,9 +97,16 @@
+ * in the user's home directory, which may be shared
+ * by multiple systems.
+ *
+- * The directory path on Solaris is /var/tpm/userps/[EUID]/
++ * The directory path on Solaris is /var/user[USERNAME]/tpm/userps
+ */
+- rc = snprintf(buf, sizeof (buf), "%s/%d", TSS_USER_PS_DIR, euid);
++
++ pwp = getpwuid_r(euid, &pw, pwbuf, sizeof (pwbuf));
++ if (pwp != NULL) {
++ rc = snprintf(buf, sizeof (buf), "/var/user/%s/tpm/userps",
++ pwp->pw_name);
++ } else {
++ return TSPERR(TSS_E_INTERNAL_ERROR);
++ }
+ #else
+ setpwent();
+ while (1) {
+@@ -142,7 +152,7 @@
+ if (errno == ENOENT) {
+ errno = 0;
+ /* Create the user's ps directory if it is not there. */
+- if ((rc = mkdir(buf, 0700)) == -1) {
++ if ((rc = mkdirp(buf, 0700)) == -1) {
+ LogDebugFn("USER PS: Error creating dir: %s: %s", buf,
+ strerror(errno));
+ result = TSPERR(TSS_E_INTERNAL_ERROR);
+@@ -157,8 +167,8 @@
+
+ /* Directory exists or has been created, return the path to the file */
+ #if defined (SOLARIS)
+- rc = snprintf(buf, sizeof (buf), "%s/%d/%s", TSS_USER_PS_DIR, euid,
+- TSS_USER_PS_FILE);
++ rc = snprintf(buf, sizeof (buf), "/var/user/%s/tpm/userps/%s",
++ pwp->pw_name, TSS_USER_PS_FILE);
+ #else
+ rc = snprintf(buf, sizeof (buf), "%s/%s/%s", home_dir, TSS_USER_PS_DIR,
+ TSS_USER_PS_FILE);
diff -r 5b1bfaf90eeb -r 811524a2620b components/trousers/patches/tspi_rpc_hosttable.c.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/trousers/patches/tspi_rpc_hosttable.c.patch Sat Oct 20 00:06:08 2012 -0700
@@ -0,0 +1,59 @@
+--- src/tspi/rpc/hosttable.c 2010-05-01 19:39:11.000000000 -0700
++++ src/tspi/rpc/hosttable.c 2012-03-23 16:21:30.018582000 -0700
+@@ -22,7 +22,7 @@
+ struct host_table *ht = NULL;
+
+ TSS_RESULT
+-host_table_init()
++static host_table_init(void)
+ {
+ ht = calloc(1, sizeof(struct host_table));
+ if (ht == NULL) {
+@@ -36,8 +36,7 @@
+ }
+
+ #ifdef SOLARIS
+-#pragma init(_init)
+-void _init(void)
++static void my_init(void)
+ #else
+ void __attribute__ ((constructor)) my_init(void)
+ #endif
+@@ -46,11 +45,14 @@
+ __tspi_obj_list_init();
+ }
+
+-void
++static void
+ host_table_final()
+ {
+ struct host_table_entry *hte, *next = NULL;
+
++ if (ht == NULL) /* no host table to free */
++ return;
++
+ MUTEX_LOCK(ht->lock);
+
+ for (hte = ht->entries; hte; hte = next) {
+@@ -70,8 +72,7 @@
+ }
+
+ #ifdef SOLARIS
+-#pragma fini(_fini)
+-void _fini(void)
++static void my_fini(void)
+ #else
+ void __attribute__ ((destructor)) my_fini(void)
+ #endif
+@@ -79,6 +80,11 @@
+ host_table_final();
+ }
+
++#ifdef SOLARIS
++#pragma init(my_init)
++#pragma fini(my_fini)
++#endif
++
+ TSS_RESULT
+ __tspi_add_table_entry(TSS_HCONTEXT tspContext, BYTE *host, int type, struct host_table_entry **ret)
+ {
diff -r 5b1bfaf90eeb -r 811524a2620b components/trousers/patches/tspi_rpc_tcstp_rpc.c.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/trousers/patches/tspi_rpc_tcstp_rpc.c.patch Sat Oct 20 00:06:08 2012 -0700
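Review bot: In the first hunk the storage class lands after the return type, giving `TSS_RESULT` on one line and `static host_table_init(void)` on the next. C accepts this, but a storage-class specifier anywhere other than first in a declaration is an obsolescent form, and the line reads like an implicit-int function. Writing `static TSS_RESULT` on the type line and leaving `host_table_init(void)` alone is clearer. `host_table_final()` could take `(void)` in the same pass to match. The new `ht == NULL` guard covers only the finaliser; whether other users of `ht` cope with a failed `calloc` in `host_table_init` is outside these hunks and worth confirming.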
@@ -0,0 +1,98 @@
+--- src/tspi/rpc/tcstp/rpc.c 2010-03-11 12:26:51.000000000 -0800
++++ src/tspi/rpc/tcstp/rpc.c 2012-04-11 14:28:08.181630000 -0700
+@@ -345,41 +345,67 @@
+ BYTE *buffer;
+ TSS_RESULT result;
+
+- struct sockaddr_in addr;
+- struct hostent *hEnt = NULL;
++ if (get_port() == 0) { /* use UNIX Domain socket */
++ struct sockaddr_un addr;
+
+- sd = socket(PF_INET, SOCK_STREAM, 0);
+- if (sd == -1) {
+- LogError("socket: %s", strerror(errno));
+- result = TSPERR(TSS_E_COMM_FAILURE);
+- goto err_exit;
+- }
+-
+- memset(&addr, 0, sizeof(addr));
+- addr.sin_family = AF_INET;
+- addr.sin_port = htons(get_port());
++ sd = socket(PF_UNIX, SOCK_STREAM, 0);
++ if (sd == -1) {
++ LogError("socket(PF_UNIX): %s", strerror(errno));
++ result = TSPERR(TSS_E_COMM_FAILURE);
++ goto err_exit;
++ }
+
+- LogDebug("Sending TSP packet to host %s.", hte->hostname);
++ memset(&addr, 0, sizeof(addr));
++ addr.sun_family = AF_UNIX;
++ strncpy(addr.sun_path, TCSD_DEFAULT_SOCKET,
++ sizeof(addr.sun_path));
++
++ LogDebug("Connecting to UNIX Domain socket %s",
++ TCSD_DEFAULT_SOCKET);
++
++ if (connect(sd, (struct sockaddr *) &addr, sizeof (addr))) {
++ LogError("connect: %s", strerror(errno));
++ result = TSPERR(TSS_E_COMM_FAILURE);
++ goto err_exit;
++ }
+
+- /* try to resolve by hostname first */
+- hEnt = gethostbyname((char *)hte->hostname);
+- if (hEnt == NULL) {
+- /* if by hostname fails, try by dot notation */
+- if (inet_aton((char *)hte->hostname, &addr.sin_addr) == 0) {
+- LogError("hostname %s does not resolve to a valid address.", hte->hostname);
+- result = TSPERR(TSS_E_CONNECTION_FAILED);
++ } else { /* use TCP socket */
++ struct sockaddr_in addr;
++ struct hostent *hEnt = NULL;
++
++ sd = socket(PF_INET, SOCK_STREAM, 0);
++ if (sd == -1) {
++ LogError("socket: %s", strerror(errno));
++ result = TSPERR(TSS_E_COMM_FAILURE);
+ goto err_exit;
+ }
+- } else {
+- memcpy(&addr.sin_addr, hEnt->h_addr_list[0], 4);
+- }
+
+- LogDebug("Connecting to %s", inet_ntoa(addr.sin_addr));
++ memset(&addr, 0, sizeof(addr));
++ addr.sin_family = AF_INET;
++ addr.sin_port = htons(get_port());
++
++ LogDebug("Sending TSP packet to host %s.", hte->hostname);
++
++ /* try to resolve by hostname first */
++ hEnt = gethostbyname((char *)hte->hostname);
++ if (hEnt == NULL) {
++ /* if by hostname fails, try by dot notation */
++ if (inet_aton((char *)hte->hostname, &addr.sin_addr) == 0) {
++ LogError("hostname %s does not resolve to a valid address.", hte->hostname);
++ result = TSPERR(TSS_E_CONNECTION_FAILED);
++ goto err_exit;
++ }
++ } else {
++ memcpy(&addr.sin_addr, hEnt->h_addr_list[0], 4);
++ }
+
+- if (connect(sd, (struct sockaddr *) &addr, sizeof (addr))) {
+- LogError("connect: %s", strerror(errno));
+- result = TSPERR(TSS_E_COMM_FAILURE);
+- goto err_exit;
++ LogDebug("Connecting to %s", inet_ntoa(addr.sin_addr));
++
++ if (connect(sd, (struct sockaddr *) &addr, sizeof (addr))) {
++ LogError("connect: %s", strerror(errno));
++ result = TSPERR(TSS_E_COMM_FAILURE);
++ goto err_exit;
++ }
+ }
+
+ if (send_to_socket(sd, hte->comm.buf, hte->comm.hdr.packet_size) < 0) {
diff -r 5b1bfaf90eeb -r 811524a2620b components/trousers/patches/tspi_tsp_policy.c.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/trousers/patches/tspi_tsp_policy.c.patch Sat Oct 20 00:06:08 2012 -0700
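Review bot: The `strncpy(addr.sun_path, TCSD_DEFAULT_SOCKET, sizeof(addr.sun_path));` in the UNIX-domain branch leaves `sun_path` without a terminating NUL if the configured path ever fills the field. Since the preceding `memset` has already zeroed the struct, copying one byte less guarantees termination: `strncpy(addr.sun_path, TCSD_DEFAULT_SOCKET, sizeof(addr.sun_path) - 1);`. This branch also ignores `hte->hostname`, so a caller that asked for a remote host is connected to the local socket with no trace of the substitution. A `LogDebug` naming the ignored hostname, or a rejection of non-local names, would make that explicit. Whether `err_exit` closes `sd` after a failed `connect` lies outside the hunk and should be checked for both branches.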
@@ -0,0 +1,40 @@
+--- src/tspi/tsp_policy.c 2010-05-01 19:39:11.000000000 -0700
++++ src/tspi/tsp_policy.c 2012-04-20 18:10:16.757128000 -0700
+@@ -86,15 +86,13 @@
+ int
+ pin_mem(void *addr, size_t len)
+ {
+- /* only root can lock pages into RAM */
+- if (getuid() != (uid_t)0) {
+- LogWarn("Not pinning secrets in memory due to insufficient perms.");
+- return 0;
+- }
+-
+ len += (uintptr_t)addr & PGOFFSET;
+ addr = (void *)((uintptr_t)addr & PGMASK);
+ if (mlock(addr, len) == -1) {
++ if (errno == EPERM) {
++ LogWarn("Not pinning secrets in memory due to insufficient perms.");
++ return 0;
++ }
+ LogError("mlock: %s", strerror(errno));
+ return 1;
+ }
+@@ -105,14 +103,12 @@
+ int
+ unpin_mem(void *addr, size_t len)
+ {
+- /* only root can lock pages into RAM */
+- if (getuid() != (uid_t)0) {
+- return 0;
+- }
+-
+ len += (uintptr_t)addr & PGOFFSET;
+ addr = (void *)((uintptr_t)addr & PGMASK);
+ if (munlock(addr, len) == -1) {
++ if (errno == EPERM) {
++ return 0;
++ }
+ LogError("mlock: %s", strerror(errno));
+ return 1;
+ }
diff -r 5b1bfaf90eeb -r 811524a2620b components/trousers/patches/tspps.c.patch
--- a/components/trousers/patches/tspps.c.patch Fri Oct 19 16:06:19 2012 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
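Review bot: `pin_mem` now tolerates only `EPERM` from `mlock`, so an unprivileged caller that hits a locked-memory resource limit (reported as `ENOMEM` or `EAGAIN` on common platforms) gets `1`, where the old `getuid()` shortcut returned `0`. Whether callers treat a non-zero return as fatal is outside the hunk. If they do, the tolerated set should be widened or the change in contract documented with a comment such as `/* EPERM: caller lacks the privilege to lock memory; secrets stay pageable */`. That comment would also record that a zero return no longer implies the pages were locked, which matters to anyone relying on secrets staying out of swap. In `unpin_mem` the error path still logs `"mlock: %s"` for a failed `munlock`; `LogError("munlock: %s", strerror(errno));` would keep the log accurate.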
@@ -1,55 +0,0 @@ ---- src/tspi/ps/tspps.c.orig 2011-03-24 13:06:14.607907754 -0700 -+++ src/tspi/ps/tspps.c 2011-03-24 13:07:30.668528209 -0700 -@@ -70,9 +70,12 @@ - TSS_RESULT result; - char *file_name = NULL, *home_dir = NULL; - struct passwd *pwp; --#if (defined (__linux) || defined (linux) || defined(__GLIBC__)) -+#if (defined (__linux) || defined (linux) || defined(__GLIBC__) || defined(SOLARIS)) - struct passwd pw; - #endif -+#ifdef SOLARIS -+ char pwbuf[PASSWD_BUFSIZE]; -+#endif - struct stat stat_buf; - char buf[PASSWD_BUFSIZE]; - uid_t euid; -@@ -94,9 +97,16 @@ - * in the user's home directory, which may be shared - * by multiple systems. - * -- * The directory path on Solaris is /var/tpm/userps/[EUID]/ -+ * The directory path on Solaris is /var/user[USERNAME]/tpm/userps - */ -- rc = snprintf(buf, sizeof (buf), "%s/%d", TSS_USER_PS_DIR, euid); -+ -+ pwp = getpwuid_r(euid, &pw, pwbuf, sizeof (pwbuf)); -+ if (pwp != NULL) { -+ rc = snprintf(buf, sizeof (buf), "/var/user/%s/tpm/userps", -+ pwp->pw_name); -+ } else { -+ return TSPERR(TSS_E_INTERNAL_ERROR); -+ } - #else - setpwent(); - while (1) { -@@ -142,7 +152,7 @@ - if (errno == ENOENT) { - errno = 0; - /* Create the user's ps directory if it is not there. */ -- if ((rc = mkdir(buf, 0700)) == -1) { -+ if ((rc = mkdirp(buf, 0700)) == -1) { - LogDebugFn("USER PS: Error creating dir: %s: %s", buf, - strerror(errno)); - result = TSPERR(TSS_E_INTERNAL_ERROR); -@@ -157,8 +167,8 @@ - - /* Directory exists or has been created, return the path to the file */ - #if defined (SOLARIS) -- rc = snprintf(buf, sizeof (buf), "%s/%d/%s", TSS_USER_PS_DIR, euid, -- TSS_USER_PS_FILE); -+ rc = snprintf(buf, sizeof (buf), "/var/user/%s/tpm/userps/%s", -+ pwp->pw_name, TSS_USER_PS_FILE); - #else - rc = snprintf(buf, sizeof (buf), "%s/%s/%s", home_dir, TSS_USER_PS_DIR, - TSS_USER_PS_FILE); diff -r 5b1bfaf90eeb -r 811524a2620b components/trousers/patches/tspps.h.patch 
--- a/components/trousers/patches/tspps.h.patch Fri Oct 19 16:06:19 2012 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,22 +0,0 @@ ---- src/include/tspps.h.old 2009-09-08 07:39:30.000000000 -0700 -+++ src/include/tspps.h 2010-09-16 08:09:37.980051068 -0700 -@@ -13,13 +13,17 @@ - - #define PASSWD_BUFSIZE 4096 - -+#ifdef SOLARIS -+#define TSS_USER_PS_DIR "/var/user/" -+#else - #define TSS_USER_PS_DIR ".trousers" -+#endif - #define TSS_USER_PS_FILE "user.data" - - TSS_RESULT get_file(int *); - int put_file(int); --inline TSS_RESULT read_data(int, void *, UINT32); --inline TSS_RESULT write_data(int, void *, UINT32); -+TSS_RESULT read_data(int, void *, UINT32); -+TSS_RESULT write_data(int, void *, UINT32); - UINT32 psfile_get_num_keys(int); - TSS_RESULT psfile_get_parent_uuid_by_uuid(int, TSS_UUID *, TSS_UUID *); - TSS_RESULT psfile_remove_key_by_uuid(int, TSS_UUID *); diff -r 5b1bfaf90eeb -r 811524a2620b components/trousers/patches/tss_defines.h.patch --- a/components/trousers/patches/tss_defines.h.patch Fri Oct 19 16:06:19 2012 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,12 +0,0 @@ ---- src/include/tss/tss_defines.h.old Tue May 31 07:39:12 2011 -+++ src/include/tss/tss_defines.h Tue May 31 07:39:52 2011 -@@ -1214,6 +1214,9 @@ - #define TSS_UUID_USK5 {0, 0, 0, 0, 0, {0, 0, 0, 0, 0, 9}} // user storage key 5 - #define TSS_UUID_USK6 {0, 0, 0, 0, 0, {0, 0, 0, 0, 0, 10}}// user storage key 6 - -+/* SOLARIS: Migratable Root Key UUID */ -+#define TSS_UUID_MRK {0, 0, 0, 0, 0, {0, 0, 0, 0, 0, 11}} -+ - // macro to derive UUIDs for keys whose "OwnerEvict" key is set. - #define TSS_UUID_OWNEREVICT(i) {0, 0, 0, 0, 0, {0, 0, 0, 0, 1, (i)}} - diff -r 5b1bfaf90eeb -r 811524a2620b components/trousers/tcsd.xml --- a/components/trousers/tcsd.xml Fri Oct 19 16:06:19 2012 -0700 +++ b/components/trousers/tcsd.xml Sat Oct 20 00:06:08 2012 -0700 
@@ -21,7 +21,7 @@ CDDL HEADER END - Copyright (c) 2008, 2011, Oracle and/or its affiliates. All rights reserved. + Copyright (c) 2008, 2012, Oracle and/or its affiliates. All rights reserved. NOTE: This service manifest is not editable; its contents will be overwritten by package or patch operations, including @@ -38,20 +38,25 @@ - - - - + + + + + - + + + + + - - + - + - +