7123028 Problem with crypto/tss
7041927 tcsd and libtspi should not use TCP/IP sockets
7002966 libtspi can segv in .fini section
6896514 tss code doesn't do correct privilege check when using mlock
7162897 tcsd daemon goes into maintenance mode after reboot
--- a/components/trousers/patches/Makefile.in.patch Fri Oct 19 16:06:19 2012 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,30 +0,0 @@
---- src/tcsd/Makefile.in.old Thu Jan 28 13:56:46 2010
-+++ src/tcsd/Makefile.in Wed Mar 3 16:35:23 2010
-@@ -47,7 +47,7 @@
- mkinstalldirs = $(install_sh) -d
- CONFIG_CLEAN_FILES =
- CONFIG_CLEAN_VPATH_FILES =
--am__installdirs = "$(DESTDIR)$(sbindir)"
-+am__installdirs = "$(DESTDIR)$(libdir)"
- PROGRAMS = $(sbin_PROGRAMS)
- am_tcsd_OBJECTS = tcsd-svrside.$(OBJEXT) tcsd-tcsd_conf.$(OBJEXT) \
- tcsd-tcsd_threads.$(OBJEXT) tcsd-platform.$(OBJEXT)
-@@ -185,7 +185,7 @@
- prefix = @prefix@
- program_transform_name = @program_transform_name@
- psdir = @psdir@
--sbindir = @sbindir@
-+sbindir = @libdir@
- sharedstatedir = @sharedstatedir@
- srcdir = @srcdir@
- sysconfdir = @sysconfdir@
-@@ -200,7 +200,8 @@
- tcsd_CFLAGS = -DAPPID=\"TCSD\" -DVAR_PREFIX=\"@localstatedir@\" \
- -DETC_PREFIX=\"@sysconfdir@\" -I${top_srcdir}/src/include \
- $(am__append_1) $(am__append_2)
--tcsd_LDADD = ${top_builddir}/src/tcs/libtcs.a ${top_builddir}/src/tddl/libtddl.a -lpthread @CRYPTOLIB@
-+tcsd_LDADD = ${top_builddir}/src/tcs/libtcs.a ${top_builddir}/src/tddl/libtddl.a \
-+ -lpthread -lbsm -lscf -lresolv @CRYPTOLIB@
- tcsd_SOURCES = svrside.c tcsd_conf.c tcsd_threads.c platform.c
- all: all-am
-
--- a/components/trousers/patches/configure.in.patch Fri Oct 19 16:06:19 2012 -0700
+++ b/components/trousers/patches/configure.in.patch Sat Oct 20 00:06:08 2012 -0700
@@ -1,10 +1,21 @@
---- configure.in.orig Thu Jan 28 13:56:20 2010
-+++ configure.in Wed Mar 3 16:40:12 2010
-@@ -351,6 +351,7 @@
+--- configure.in 2010-07-08 13:35:18.000000000 -0700
++++ configure.in 2012-04-10 17:37:23.820532000 -0700
+@@ -143,7 +143,9 @@
+ #
+ # The default port that the TCS daemon listens on
+ #
+-AC_SUBST(TCSD_DEFAULT_PORT, 30003)
++#AC_SUBST(TCSD_DEFAULT_PORT, 30003)
++# 0 designates UNIX Domain socket. For TCP sockets, 30003 is the traditional TCP port.
++AC_SUBST(TCSD_DEFAULT_PORT, 0)
+ #
+ # The RPC mechanism to build into both libtspi and the tcsd
+ #
+@@ -351,6 +353,7 @@
AC_C_BIGENDIAN([AC_DEFINE(_BIG_ENDIAN, 1, [big-endian host])])
AC_CHECK_DECL(htole32, [AC_DEFINE(HTOLE_DEFINED, 1, [htole32 function is available])])
+AC_CHECK_HEADER(endian.h, [AC_DEFINE(HAVE_ENDIAN_H, 1, [endian.h header])])
AC_CHECK_HEADER(sys/byteorder.h, [AC_DEFINE(HAVE_BYTEORDER_H, 1, [sys/byteorder.h header])])
AC_CHECK_FUNC(daemon, [ AC_DEFINE(HAVE_DAEMON, 1, [daemon function is available]) ])
-
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/trousers/patches/dist_tcsd.conf.in.patch Sat Oct 20 00:06:08 2012 -0700
@@ -0,0 +1,38 @@
+--- dist/tcsd.conf.in 2010-01-28 08:27:50.000000000 -0800
++++ dist/tcsd.conf.in 2012-04-12 14:52:21.154590000 -0700
+@@ -9,10 +9,16 @@
+ #
+
+ # Option: port
+-# Values: 1 - 65535
++# Values: 0 - 65535
+ # Description: The port that the tcsd will listen on.
++# If 0, use UNIX Domain socket /var/tpm/tcsd-socket,
++# otherwise use the specified TCP port (30003 is the traditional tcsd TCP port).
+ #
+-# port = 30003
++# If using a TCP Port (that is, port is not 0), clients such as tpmadm must set
++# the port with shell environment variable TSS_TCSD_PORT. For example,
++# export TSS_TCSD_PORT=30003
++#
++# port = 0
+ #
+
+ # Option: num_threads
+@@ -37,6 +43,7 @@
+ #
+ # firmware_log_file = /sys/kernel/security/tpm0/binary_bios_measurements
+ #
++firmware_log_file=/var/tpm/system/pcrevent.log
+
+ # Option: kernel_log_file
+ # Values: Any absolute directory path
+@@ -54,7 +61,7 @@
+ # Description: A list of PCR indices that are manipulated only by the system
+ # firmware and therefore are not extended or logged by the TCSD.
+ #
+-# firmware_pcrs =
++firmware_pcrs =0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,20,21
+ #
+
+ # Option: kernel_pcrs
--- a/components/trousers/patches/hash.c.patch Fri Oct 19 16:06:19 2012 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,87 +0,0 @@
---- src/trspi/crypto/openssl/hash.c.old 2011-05-09 06:20:09.505021734 -0700
-+++ src/trspi/crypto/openssl/hash.c 2011-05-09 06:19:04.603252090 -0700
-@@ -56,45 +56,21 @@
- TSS_RESULT
- Trspi_Hash(UINT32 HashType, UINT32 BufSize, BYTE* Buf, BYTE* Digest)
- {
-- EVP_MD_CTX md_ctx;
-- unsigned int result_size;
-- int rv;
-+ Trspi_HashCtx ctx;
-+ TSS_RESULT rv;
-
-- switch (HashType) {
-- case TSS_HASH_SHA1:
-- rv = EVP_DigestInit(&md_ctx, EVP_sha1());
-- break;
-- default:
-- rv = TSPERR(TSS_E_BAD_PARAMETER);
-- goto out;
-- break;
-- }
-+ rv = Trspi_HashInit(&ctx, HashType);
-+ if (rv != TSS_SUCCESS)
-+ return rv;
-
-- if (rv != EVP_SUCCESS) {
-- rv = TSPERR(TSS_E_INTERNAL_ERROR);
-- goto err;
-- }
--
-- rv = EVP_DigestUpdate(&md_ctx, Buf, BufSize);
-- if (rv != EVP_SUCCESS) {
-- rv = TSPERR(TSS_E_INTERNAL_ERROR);
-- goto err;
-+ rv = Trspi_HashUpdate(&ctx, BufSize, Buf);
-+ if (rv != TSS_SUCCESS) {
-+ EVP_MD_CTX_destroy(ctx.ctx);
-+ return rv;
- }
-+ rv = Trspi_HashFinal(&ctx, Digest);
-
-- result_size = EVP_MD_CTX_size(&md_ctx);
-- rv = EVP_DigestFinal(&md_ctx, Digest, &result_size);
-- if (rv != EVP_SUCCESS) {
-- rv = TSPERR(TSS_E_INTERNAL_ERROR);
-- goto err;
-- } else
-- rv = TSS_SUCCESS;
--
-- goto out;
--
--err:
-- DEBUG_print_openssl_errors();
--out:
-- return rv;
-+ return (rv);
- }
-
- TSS_RESULT
-@@ -112,7 +88,8 @@
- break;
- }
-
-- if ((ctx->ctx = malloc(sizeof(EVP_MD_CTX))) == NULL)
-+ ctx->ctx = EVP_MD_CTX_create();
-+ if (ctx->ctx == NULL)
- return TSPERR(TSS_E_OUTOFMEMORY);
-
- rv = EVP_DigestInit((EVP_MD_CTX *)ctx->ctx, (const EVP_MD *)md);
-@@ -142,7 +119,7 @@
- rv = EVP_DigestUpdate(ctx->ctx, data, size);
- if (rv != EVP_SUCCESS) {
- DEBUG_print_openssl_errors();
-- free(ctx->ctx);
-+ EVP_MD_CTX_destroy(ctx->ctx);
- ctx->ctx = NULL;
- return TSPERR(TSS_E_INTERNAL_ERROR);
- }
-@@ -164,7 +141,7 @@
- if (rv != EVP_SUCCESS)
- return TSPERR(TSS_E_INTERNAL_ERROR);
-
-- free(ctx->ctx);
-+ EVP_MD_CTX_destroy(ctx->ctx);
- ctx->ctx = NULL;
-
- return TSS_SUCCESS;
--- a/components/trousers/patches/hosttable.c.patch Fri Oct 19 16:06:19 2012 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,53 +0,0 @@
---- src/tspi/rpc/hosttable.c.old Thu Jan 28 13:27:59 2010
-+++ src/tspi/rpc/hosttable.c Thu Aug 5 14:24:00 2010
-@@ -22,7 +22,7 @@
- struct host_table *ht = NULL;
-
- TSS_RESULT
--host_table_init()
-+static host_table_init()
- {
- ht = calloc(1, sizeof(struct host_table));
- if (ht == NULL) {
-@@ -36,8 +36,7 @@
- }
-
- #ifdef SOLARIS
--#pragma init(_init)
--void _init(void)
-+static void my_init(void)
- #else
- void __attribute__ ((constructor)) my_init(void)
- #endif
-@@ -46,7 +45,7 @@
- __tspi_obj_list_init();
- }
-
--void
-+static void
- host_table_final()
- {
- struct host_table_entry *hte, *next = NULL;
-@@ -70,8 +69,7 @@
- }
-
- #ifdef SOLARIS
--#pragma fini(_fini)
--void _fini(void)
-+static void my_fini(void)
- #else
- void __attribute__ ((destructor)) my_fini(void)
- #endif
-@@ -79,6 +77,11 @@
- host_table_final();
- }
-
-+#ifdef SOLARIS
-+#pragma init(my_init)
-+#pragma fini(my_fini)
-+#endif
-+
- TSS_RESULT
- __tspi_add_table_entry(TSS_HCONTEXT tspContext, BYTE *host, int type, struct host_table_entry **ret)
- {
-
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/trousers/patches/include_tcsd.h.patch Sat Oct 20 00:06:08 2012 -0700
@@ -0,0 +1,27 @@
+--- src/include/tcsd.h 2010-05-02 19:54:15.000000000 -0700
++++ src/include/tcsd.h 2012-04-11 12:43:21.508009000 -0700
+@@ -48,14 +48,24 @@
+ of this TCS System */
+ };
+
++#ifdef SOLARIS
++#define TCSD_CONFIG_FILE "/etc/security/tcsd.conf"
++#else
+ #define TCSD_CONFIG_FILE ETC_PREFIX "/tcsd.conf"
++#endif
+
+ #define TSS_USER_NAME "tss"
+ #define TSS_GROUP_NAME "tss"
+
+ #define TCSD_DEFAULT_MAX_THREADS 10
++#ifdef SOLARIS
++#define TCSD_DEFAULT_SYSTEM_PS_DIR "/var/tpm/system"
++#define TCSD_DEFAULT_SYSTEM_PS_FILE "/var/tpm/system/system.data"
++#define TCSD_DEFAULT_SOCKET "/var/tpm/tcsd-socket"
++#else
+ #define TCSD_DEFAULT_SYSTEM_PS_FILE VAR_PREFIX "/lib/tpm/system.data"
+ #define TCSD_DEFAULT_SYSTEM_PS_DIR VAR_PREFIX "/lib/tpm"
++#endif /* SOLARIS */
+ #define TCSD_DEFAULT_FIRMWARE_LOG_FILE "/sys/kernel/security/tpm0/binary_bios_measurements"
+ #define TCSD_DEFAULT_KERNEL_LOG_FILE "/sys/kernel/security/ima/binary_runtime_measurements"
+ #define TCSD_DEFAULT_FIRMWARE_PCRS 0x00000000
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/trousers/patches/include_tspps.h.patch Sat Oct 20 00:06:08 2012 -0700
@@ -0,0 +1,22 @@
+--- src/include/tspps.h.old 2009-09-08 07:39:30.000000000 -0700
++++ src/include/tspps.h 2010-09-16 08:09:37.980051068 -0700
+@@ -13,13 +13,17 @@
+
+ #define PASSWD_BUFSIZE 4096
+
++#ifdef SOLARIS
++#define TSS_USER_PS_DIR "/var/user/"
++#else
+ #define TSS_USER_PS_DIR ".trousers"
++#endif
+ #define TSS_USER_PS_FILE "user.data"
+
+ TSS_RESULT get_file(int *);
+ int put_file(int);
+-inline TSS_RESULT read_data(int, void *, UINT32);
+-inline TSS_RESULT write_data(int, void *, UINT32);
++TSS_RESULT read_data(int, void *, UINT32);
++TSS_RESULT write_data(int, void *, UINT32);
+ UINT32 psfile_get_num_keys(int);
+ TSS_RESULT psfile_get_parent_uuid_by_uuid(int, TSS_UUID *, TSS_UUID *);
+ TSS_RESULT psfile_remove_key_by_uuid(int, TSS_UUID *);
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/trousers/patches/include_tss_tss_defines.h.patch Sat Oct 20 00:06:08 2012 -0700
@@ -0,0 +1,12 @@
+--- src/include/tss/tss_defines.h.old Tue May 31 07:39:12 2011
++++ src/include/tss/tss_defines.h Tue May 31 07:39:52 2011
+@@ -1214,6 +1214,9 @@
+ #define TSS_UUID_USK5 {0, 0, 0, 0, 0, {0, 0, 0, 0, 0, 9}} // user storage key 5
+ #define TSS_UUID_USK6 {0, 0, 0, 0, 0, {0, 0, 0, 0, 0, 10}}// user storage key 6
+
++/* SOLARIS: Migratable Root Key UUID */
++#define TSS_UUID_MRK {0, 0, 0, 0, 0, {0, 0, 0, 0, 0, 11}}
++
+ // macro to derive UUIDs for keys whose "OwnerEvict" key is set.
+ #define TSS_UUID_OWNEREVICT(i) {0, 0, 0, 0, 0, {0, 0, 0, 0, 1, (i)}}
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/trousers/patches/man_man5_tcsd.conf.5.in.patch Sat Oct 20 00:06:08 2012 -0700
@@ -0,0 +1,29 @@
+--- man/man5/tcsd.conf.5.in 2010-01-28 08:27:51.000000000 -0800
++++ man/man5/tcsd.conf.5.in 2012-04-12 14:52:28.257160000 -0700
+@@ -32,8 +32,16 @@
+ .SH "OPTIONS"
+ .PP
+ .BI port
+-The port that TCSD will listen on for connections, local and remote, from
++The TCP port that TCSD will listen on for connections, local and remote, from
+ applications.
++If 0, TCSD uses UNIX Domain socket /var/tpm/tcsd-socket,
++otherwise TCSD uses the TCP port specified
++(30003 is the traditional tcsd TCP port).
++If using a TCP Port (that is, port is not 0), clients such as tpmadm must set
++the port with shell environment variable TSS_TCSD_PORT. For example,
++.nf
++export TSS_TCSD_PORT=30003
++.fi
+
+ .BI num_threads
+ The maximum number of threads that the TCSD will spawn simultaneously to service
+@@ -106,7 +114,7 @@
+ .PP
+ .IP
+ .nf
+-port = 30003
++port = 0
+ num_threads = 10
+ system_ps_file = /usr/local/var/tpm/system.data
+ firmware_log_file = /proc/tpm/firmware_events
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/trousers/patches/man_man8_tcsd.8.in.patch Sat Oct 20 00:06:08 2012 -0700
@@ -0,0 +1,92 @@
+--- man/man8/tcsd.8.in 2010-01-28 08:27:51.000000000 -0800
++++ man/man8/tcsd.8.in 2012-04-16 17:46:52.763527000 -0700
+@@ -51,10 +51,11 @@
+ There are two types of access control for the \fBtcsd\fR, access to the
+ daemon's socket itself and access to specific commands internal to the
+ \fBtcsd\fR. Access to the \fBtcsd\fR's port should be controlled by the system
+-administrator using firewall rules. If using iptables, the following rule
+-will allow a specific host access to the tcsd:
+-
+-# iptables -A INPUT -s $IP_ADDRESS -p tcp --destination-port @TCSD_DEFAULT_PORT@ -j ACCEPT
++administrator using firewall rules.
++If port = 0 in /etc/security/tcsd.conf, \fBtcsd\R uses a UNIX Domain socket.
++Otherwise, \fBtcsd\fR uses a TCP port.
++By default the TCP port, when enabled, is accessible only from localhost,
++unless "remote_ops" in tcsd.conf is not empty.
+
+ Access to individual commands internal to the tcsd is configured by the
+ \fBtcsd\fR configuration file's "remote_ops" directive. Each function call
+@@ -74,12 +75,32 @@
+ the TCS and stays valid across application lifetimes, \fBtcsd\fR restarts and
+ system resets. Data registered in system PS stays valid until an application
+ requests that it be removed. User PS files are by default stored as
+-/var/tpm/user.{pid} and the system PS file by default is /var/tpm/system.data.
+-The system PS file is initially created when ownership of the TPM is first
+-taken.
++/var/user/$USERNAME/tpm/userps/user.data and the system PS file by default is
++/var/tpm/system/system.data. The system PS file is initially created when
++ownership of the TPM is first taken.
++.PP
++\fB/var/tpm/system/system.data\fR
++.ad
++.RS 4n
++Contains the system PS (persistent storage) data controlled by the TCS. By default,
++the SRK key is installed in PS and does not require owner authorization to use. If the
++TPM has previously been provisioned and owner-auth is required to load the SRK,
++then the /var/tpm/system/system.data.auth file should be moved to
++/var/tpm/system/system.data before starting the TCS (See NOTES).
++.RE
++.sp
++.PP
++\fB/var/tpm/system/system.data.auth\fR
++.ad
++.RS 4n
++This is the default PS data file to use if the TPM has been previously
++configured to require owner-auth to access the SRK. Copy this file
++to /var/tpm/system/system.data prior to starting the TCS if owner-auth is
++needed, otherwise this file can be ignored.
++.RE
+
+ .SH "CONFIGURATION"
+-\fBtcsd\fR configuration is stored by default in /etc/tcsd.conf
++\fBtcsd\fR configuration is stored by default in /etc/security/tcsd.conf
+
+ .SH "DEBUG OUTPUT"
+ If TrouSerS has been compiled with debugging enabled, the debugging output
+@@ -88,8 +109,9 @@
+ .SH "DEVICE DRIVERS"
+ .PP
+ \fBtcsd\fR is compatible with the IBM Research TPM device driver available
+-from http://www.research.ibm.com/gsal/tcpa and the TPM device driver available
+-from http://sf.net/projects/tmpdd
++from http://www.research.ibm.com/gsal/tcpa and the TPM device driver for
++Linux available from http://sf.net/projects/tmpdd. It is also compatible
++with the TPM device driver for Solaris which is available in the driver/crypto/tpm package.
+
+ .SH "CONFORMING TO"
+ .PP
+@@ -98,7 +120,23 @@
+
+ .SH "SEE ALSO"
+ .PP
+-\fBtcsd.conf\fR(5)
++\fBtcsd.conf\fR(5), \fBsvcadm\fR(1M), \fBsmf\fR(5)
++
++.SH "NOTES"
++.sp
++.LP
++The \fBtcsd\fR service is managed by the service management facility, \fBsmf\fR(5), under
++the service identifier:
++.sp
++.in +2
++.nf
++svc:/application/security/tcsd:default
++.fi
++.in -2
++.sp
++.LP
++Administrative actions on this service, such as enabling, disabling, or requesting restart, can be
++performed using \fBsvcadm\fR(1M). The service's status can be queried using the \fBsvcs\fR(1) command.
+
+ .SH "AUTHOR"
+ Kent Yoder
--- a/components/trousers/patches/rpc_ps.c.patch Fri Oct 19 16:06:19 2012 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,54 +0,0 @@
---- src/tcs/rpc/tcstp/rpc_ps.c.orig 2011-03-23 11:01:54.707428173 -0700
-+++ src/tcs/rpc/tcstp/rpc_ps.c 2011-03-23 11:27:00.753845441 -0700
-@@ -26,6 +26,29 @@
- #include "tcs_utils.h"
- #include "rpc_tcstp_tcs.h"
-
-+#ifdef SOLARIS
-+#include <ucred.h>
-+#include <errno.h>
-+
-+static TSS_RESULT
-+verify_peer(struct tcsd_thread_data *data)
-+{
-+ ucred_t *uc = NULL;
-+ if (getpeerucred(data->sock, &uc)) {
-+ LogError("Failed to get peer credential (%s)",
-+ strerror(errno));
-+ return TCSERR(TSS_E_TSP_AUTHFAIL);
-+ }
-+ if (ucred_geteuid(uc) != 0) {
-+ LogError("Unauthorized attempt to modify a system key",
-+ strerror(errno));
-+ ucred_free(uc);
-+ return TCSERR(TSS_E_TSP_AUTHFAIL);
-+ }
-+ ucred_free(uc);
-+ return (TSS_SUCCESS);
-+}
-+#endif
-
- TSS_RESULT
- tcs_wrap_RegisterKey(struct tcsd_thread_data *data)
-@@ -38,6 +61,10 @@
- UINT32 cVendorData;
- BYTE *gbVendorData;
- TSS_RESULT result;
-+#ifdef SOLARIS
-+ if ( (result = verify_peer(data)) != TSS_SUCCESS)
-+ return (result);
-+#endif
-
- if (getData(TCSD_PACKET_TYPE_UINT32, 0, &hContext, 0, &data->comm))
- return TCSERR(TSS_E_INTERNAL_ERROR);
-@@ -99,6 +126,10 @@
- TCS_CONTEXT_HANDLE hContext;
- TSS_UUID uuid;
- TSS_RESULT result;
-+#ifdef SOLARIS
-+ if ( (result = verify_peer(data)) != TSS_SUCCESS)
-+ return (result);
-+#endif
-
- if (getData(TCSD_PACKET_TYPE_UINT32, 0, &hContext, 0, &data->comm))
- return TCSERR(TSS_E_INTERNAL_ERROR);
--- a/components/trousers/patches/svrside.c.patch Fri Oct 19 16:06:19 2012 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,118 +0,0 @@
---- src/tcsd/svrside.c.orig Thu Jan 21 15:18:55 2010
-+++ src/tcsd/svrside.c Thu Jan 28 17:37:07 2010
-@@ -27,6 +27,13 @@
- #include <arpa/inet.h>
- #include <errno.h>
- #include <getopt.h>
-+#ifdef SOLARIS
-+#include <priv.h>
-+#endif
-+#ifndef HAVE_DAEMON
-+#include <fcntl.h>
-+#endif
-+
- #include "trousers/tss.h"
- #include "trousers_types.h"
- #include "tcs_tsp.h"
-@@ -207,6 +214,79 @@
- }
-
-
-+#ifdef SOLARIS
-+
-+/*
-+ * For Solaris, make the tcsd privilege aware and drop
-+ * risky privileges if they are not needed.
-+ */
-+static int
-+drop_privs()
-+{
-+ priv_set_t *myprivs;
-+ int rv;
-+
-+ /*
-+ * Drop unneeded privs such as fork/exec.
-+ *
-+ * Get "basic" privs and remove the ones we don't want.
-+ */
-+ if ((myprivs = priv_str_to_set("basic", ",", NULL)) == NULL) {
-+ LogError("priv_str_to_set failed: %s", strerror(errno));
-+ return (1);
-+ } else {
-+ (void) priv_delset(myprivs, PRIV_PROC_EXEC);
-+ (void) priv_delset(myprivs, PRIV_PROC_FORK);
-+ (void) priv_delset(myprivs, PRIV_FILE_LINK_ANY);
-+ (void) priv_delset(myprivs, PRIV_PROC_INFO);
-+ (void) priv_delset(myprivs, PRIV_PROC_SESSION);
-+ (void) priv_delset(myprivs, PRIV_PROC_SETID);
-+
-+ /* for auditing */
-+ (void) priv_addset(myprivs, PRIV_PROC_AUDIT);
-+
-+ if ((rv = setppriv(PRIV_SET, PRIV_PERMITTED, myprivs)))
-+ return (rv);
-+ if ((rv = setppriv(PRIV_SET, PRIV_LIMIT, myprivs)))
-+ return (rv);
-+ if ((rv = setppriv(PRIV_SET, PRIV_INHERITABLE, myprivs)))
-+ return (rv);
-+
-+ (void) priv_freeset(myprivs);
-+ }
-+ return (0);
-+}
-+#endif /* SOLARIS */
-+
-+#ifndef HAVE_DAEMON
-+static int
-+daemon(int nochdir, int noclose) {
-+ int rv, fd;
-+
-+ switch (fork()) {
-+ case -1:
-+ return (-1);
-+ case 0:
-+ break;
-+ default:
-+ exit (0);
-+ }
-+
-+ if (setsid() == -1)
-+ return (-1);
-+ if (!nochdir)
-+ (void) chdir("/");
-+ if (!noclose && (fd = open("/dev/null", O_RDWR, 0)) != -1) {
-+ (void) dup2(fd, STDIN_FILENO);
-+ (void) dup2(fd, STDOUT_FILENO);
-+ (void) dup2(fd, STDERR_FILENO);
-+ if (fd > 2)
-+ (void)close (fd);
-+ }
-+ return (0);
-+}
-+#endif /* !HAVE_DAEMON */
-+
- int
- main(int argc, char **argv)
- {
-@@ -222,6 +302,9 @@
- {"foreground", 0, NULL, 'f'},
- {0, 0, 0, 0}
- };
-+#ifdef SOLARIS
-+ int rv;
-+#endif
-
- while ((c = getopt_long(argc, argv, "fh", long_options, &option_index)) != -1) {
- switch (c) {
-@@ -287,6 +372,11 @@
- return -1;
- }
- }
-+#ifdef SOLARIS
-+ /* For Solaris, drop privileges for security. */
-+ if ((rv = drop_privs()))
-+ return (rv);
-+#endif /* SOLARIS */
-
- LogInfo("%s: TCSD up and running.", PACKAGE_STRING);
- do {
--- a/components/trousers/patches/tcs_caps.c.patch Fri Oct 19 16:06:19 2012 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,21 +0,0 @@
---- src/tcs/tcs_caps.c.old Wed Jun 9 13:20:44 2010
-+++ src/tcs/tcs_caps.c Fri Jul 1 16:26:51 2011
-@@ -149,6 +149,7 @@
- {
- TSS_RESULT result;
- UINT32 subCap, rv = 0;
-+ UINT32 manuf;
-
- if ((result = get_current_version(&p->version)))
- goto err;
-@@ -181,8 +182,9 @@
-
- UINT32ToArray(TPM_CAP_PROP_MANUFACTURER, (BYTE *)&subCap);
- if ((result = get_cap_uint32(TCPA_CAP_PROPERTY, (BYTE *)&subCap, sizeof(UINT32),
-- (UINT32 *)&p->manufacturer)))
-+ (UINT32 *)&manuf)))
- goto err;
-+ (void) memcpy(p->manufacturer, &manuf, sizeof (UINT32));
-
- result = get_max_auths(&(p->num_auths));
-
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/trousers/patches/tcs_rpc_tcstp_rpc.c.patch Sat Oct 20 00:06:08 2012 -0700
@@ -0,0 +1,473 @@
+--- src/tcs/rpc/tcstp/rpc.c.orig Fri Jun 5 12:45:50 2009
++++ src/tcs/rpc/tcstp/rpc.c Thu Sep 10 13:05:33 2009
+@@ -385,134 +385,134 @@
+ typedef struct tdDispatchTable {
+ TSS_RESULT (*Func) (struct tcsd_thread_data *);
+ const char *name;
++ UINT32 ordinal;
+ } DispatchTable;
+
+ DispatchTable tcs_func_table[TCSD_MAX_NUM_ORDS] = {
+- {tcs_wrap_Error,"Error"}, /* 0 */
+- {tcs_wrap_OpenContext,"OpenContext"},
+- {tcs_wrap_CloseContext,"CloseContext"},
+- {tcs_wrap_Error,"Error"},
+- {tcs_wrap_TCSGetCapability,"TCSGetCapability"},
+- {tcs_wrap_RegisterKey,"RegisterKey"}, /* 5 */
+- {tcs_wrap_UnregisterKey,"UnregisterKey"},
+- {tcs_wrap_EnumRegisteredKeys,"EnumRegisteredKeys"},
+- {tcs_wrap_Error,"Error"},
+- {tcs_wrap_GetRegisteredKeyBlob,"GetRegisteredKeyBlob"},
+- {tcs_wrap_GetRegisteredKeyByPublicInfo,"GetRegisteredKeyByPublicInfo"}, /* 10 */
+- {tcs_wrap_LoadKeyByBlob,"LoadKeyByBlob"},
+- {tcs_wrap_LoadKeyByUUID,"LoadKeyByUUID"},
+- {tcs_wrap_EvictKey,"EvictKey"},
+- {tcs_wrap_CreateWrapKey,"CreateWrapKey"},
+- {tcs_wrap_GetPubkey,"GetPubkey"}, /* 15 */
+- {tcs_wrap_MakeIdentity,"MakeIdentity"},
+- {tcs_wrap_LogPcrEvent,"LogPcrEvent"},
+- {tcs_wrap_GetPcrEvent,"GetPcrEvent"},
+- {tcs_wrap_GetPcrEventsByPcr,"GetPcrEventsByPcr"},
+- {tcs_wrap_GetPcrEventLog,"GetPcrEventLog"}, /* 20 */
+- {tcs_wrap_SetOwnerInstall,"SetOwnerInstall"},
+- {tcs_wrap_TakeOwnership,"TakeOwnership"},
+- {tcs_wrap_OIAP,"OIAP"},
+- {tcs_wrap_OSAP,"OSAP"},
+- {tcs_wrap_ChangeAuth,"ChangeAuth"}, /* 25 */
+- {tcs_wrap_ChangeAuthOwner,"ChangeAuthOwner"},
+- {tcs_wrap_Error,"Error"},
+- {tcs_wrap_Error,"Error"},
+- {tcs_wrap_TerminateHandle,"TerminateHandle"},
+- {tcs_wrap_ActivateIdentity,"ActivateIdentity"}, /* 30 */
+- {tcs_wrap_Extend,"Extend"},
+- {tcs_wrap_PcrRead,"PcrRead"},
+- {tcs_wrap_Quote,"Quote"},
+- {tcs_wrap_DirWriteAuth,"DirWriteAuth"},
+- {tcs_wrap_DirRead,"DirRead"}, /* 35 */
+- {tcs_wrap_Seal,"Seal"},
+- {tcs_wrap_UnSeal,"UnSeal"},
+- {tcs_wrap_UnBind,"UnBind"},
+- {tcs_wrap_CreateMigrationBlob,"CreateMigrationBlob"},
+- {tcs_wrap_ConvertMigrationBlob,"ConvertMigrationBlob"}, /* 40 */
+- {tcs_wrap_AuthorizeMigrationKey,"AuthorizeMigrationKey"},
+- {tcs_wrap_CertifyKey,"CertifyKey"},
+- {tcs_wrap_Sign,"Sign"},
+- {tcs_wrap_GetRandom,"GetRandom"},
+- {tcs_wrap_StirRandom,"StirRandom"}, /* 45 */
+- {tcs_wrap_GetCapability,"GetCapability"},
+- {tcs_wrap_Error,"Error"},
+- {tcs_wrap_GetCapabilityOwner,"GetCapabilityOwner"},
+- {tcs_wrap_CreateEndorsementKeyPair,"CreateEndorsementKeyPair"},
+- {tcs_wrap_ReadPubek,"ReadPubek"}, /* 50 */
+- {tcs_wrap_DisablePubekRead,"DisablePubekRead"},
+- {tcs_wrap_OwnerReadPubek,"OwnerReadPubek"},
+- {tcs_wrap_SelfTestFull,"SelfTestFull"},
+- {tcs_wrap_CertifySelfTest,"CertifySelfTest"},
+- {tcs_wrap_Error,"Error"}, /* 55 */
+- {tcs_wrap_GetTestResult,"GetTestResult"},
+- {tcs_wrap_OwnerSetDisable,"OwnerSetDisable"},
+- {tcs_wrap_OwnerClear,"OwnerClear"},
+- {tcs_wrap_DisableOwnerClear,"DisableOwnerClear"},
+- {tcs_wrap_ForceClear,"ForceClear"}, /* 60 */
+- {tcs_wrap_DisableForceClear,"DisableForceClear"},
+- {tcs_wrap_PhysicalDisable,"PhysicalDisable"},
+- {tcs_wrap_PhysicalEnable,"PhysicalEnable"},
+- {tcs_wrap_PhysicalSetDeactivated,"PhysicalSetDeactivated"},
+- {tcs_wrap_SetTempDeactivated,"SetTempDeactivated"}, /* 65 */
+- {tcs_wrap_PhysicalPresence,"PhysicalPresence"},
+- {tcs_wrap_Error,"Error"},
+- {tcs_wrap_Error,"Error"},
+- {tcs_wrap_CreateMaintenanceArchive,"CreateMaintenanceArchive"},
+- {tcs_wrap_LoadMaintenanceArchive,"LoadMaintenanceArchive"}, /* 70 */
+- {tcs_wrap_KillMaintenanceFeature,"KillMaintenanceFeature"},
+- {tcs_wrap_LoadManuMaintPub,"LoadManuMaintPub"},
+- {tcs_wrap_ReadManuMaintPub,"ReadManuMaintPub"},
+- {tcs_wrap_DaaJoin,"DaaJoin"},
+- {tcs_wrap_DaaSign,"DaaSign"}, /* 75 */
+- {tcs_wrap_SetCapability,"SetCapability"},
+- {tcs_wrap_ResetLockValue,"ResetLockValue"},
+- {tcs_wrap_PcrReset,"PcrReset"},
+- {tcs_wrap_ReadCounter,"ReadCounter"},
+- {tcs_wrap_CreateCounter,"CreateCounter"}, /* 80 */
+- {tcs_wrap_IncrementCounter,"IncrementCounter"},
+- {tcs_wrap_ReleaseCounter,"ReleaseCounter"},
+- {tcs_wrap_ReleaseCounterOwner,"ReleaseCounterOwner"},
+- {tcs_wrap_ReadCurrentTicks,"ReadCurrentTicks"},
+- {tcs_wrap_TickStampBlob,"TicksStampBlob"}, /* 85 */
+- {tcs_wrap_GetCredential,"GetCredential"},
+- {tcs_wrap_NV_DefineOrReleaseSpace,"NVDefineOrReleaseSpace"},
+- {tcs_wrap_NV_WriteValue,"NVWriteValue"},
+- {tcs_wrap_NV_WriteValueAuth,"NVWriteValueAuth"},
+- {tcs_wrap_NV_ReadValue,"NVReadValue"}, /* 90 */
+- {tcs_wrap_NV_ReadValueAuth,"NVReadValueAuth"},
+- {tcs_wrap_EstablishTransport,"EstablishTransport"},
+- {tcs_wrap_ExecuteTransport,"ExecuteTransport"},
+- {tcs_wrap_ReleaseTransportSigned,"ReleaseTransportSigned"},
+- {tcs_wrap_SetOrdinalAuditStatus,"SetOrdinalAuditStatus"}, /* 95 */
+- {tcs_wrap_GetAuditDigest,"GetAuditDigest"},
+- {tcs_wrap_GetAuditDigestSigned,"GetAuditDigestSigned"},
+- {tcs_wrap_Sealx,"Sealx"},
+- {tcs_wrap_SetOperatorAuth,"SetOperatorAuth"},
+- {tcs_wrap_OwnerReadInternalPub,"OwnerReadInternalPub"}, /* 100 */
+- {tcs_wrap_EnumRegisteredKeys2,"EnumRegisteredKeys2"},
+- {tcs_wrap_SetTempDeactivated2,"SetTempDeactivated2"},
+- {tcs_wrap_Delegate_Manage,"Delegate_Manage"},
+- {tcs_wrap_Delegate_CreateKeyDelegation,"Delegate_CreateKeyDelegation"},
+- {tcs_wrap_Delegate_CreateOwnerDelegation,"Delegate_CreateOwnerDelegation"}, /* 105 */
+- {tcs_wrap_Delegate_LoadOwnerDelegation,"Delegate_LoadOwnerDelegation"},
+- {tcs_wrap_Delegate_ReadTable,"Delegate_ReadTable"},
+- {tcs_wrap_Delegate_UpdateVerificationCount,"Delegate_UpdateVerificationCount"},
+- {tcs_wrap_Delegate_VerifyDelegation,"Delegate_VerifyDelegation"},
+- {tcs_wrap_CreateRevocableEndorsementKeyPair,"CreateRevocableEndorsementKeyPair"}, /* 110 */
+- {tcs_wrap_RevokeEndorsementKeyPair,"RevokeEndorsementKeyPair"},
+- {tcs_wrap_Error,"Error - was MakeIdentity2"},
+- {tcs_wrap_Quote2,"Quote2"},
+- {tcs_wrap_CMK_SetRestrictions,"CMK_SetRestrictions"},
+- {tcs_wrap_CMK_ApproveMA,"CMK_ApproveMA"}, /* 115 */
+- {tcs_wrap_CMK_CreateKey,"CMK_CreateKey"},
+- {tcs_wrap_CMK_CreateTicket,"CMK_CreateTicket"},
+- {tcs_wrap_CMK_CreateBlob,"CMK_CreateBlob"},
+- {tcs_wrap_CMK_ConvertMigration,"CMK_ConvertMigration"},
+- {tcs_wrap_FlushSpecific,"FlushSpecific"}, /* 120 */
+- {tcs_wrap_KeyControlOwner, "KeyControlOwner"},
+- {tcs_wrap_DSAP, "DSAP"}
+-};
+-
++ {tcs_wrap_Error,"Error", 0}, /* 0 */
++ {tcs_wrap_OpenContext,"OpenContext", 0},
++ {tcs_wrap_CloseContext,"CloseContext", 0},
++ {tcs_wrap_Error,"Error", 0},
++ {tcs_wrap_TCSGetCapability,"TCSGetCapability", 0},
++ {tcs_wrap_RegisterKey,"RegisterKey", 0}, /* 5 */
++ {tcs_wrap_UnregisterKey,"UnregisterKey", 0},
++ {tcs_wrap_EnumRegisteredKeys,"EnumRegisteredKeys", 0},
++ {tcs_wrap_Error,"Error", 0},
++ {tcs_wrap_GetRegisteredKeyBlob,"GetRegisteredKeyBlob", 0},
++ {tcs_wrap_GetRegisteredKeyByPublicInfo,"GetRegisteredKeyByPublicInfo", 0}, /* 10 */
++ {tcs_wrap_LoadKeyByBlob,"LoadKeyByBlob", 0},
++ {tcs_wrap_LoadKeyByUUID,"LoadKeyByUUID", 0},
++ {tcs_wrap_EvictKey,"EvictKey", 0},
++ {tcs_wrap_CreateWrapKey,"CreateWrapKey", 0},
++ {tcs_wrap_GetPubkey,"GetPubkey", 0}, /* 15 */
++ {tcs_wrap_MakeIdentity,"MakeIdentity", 0},
++ {tcs_wrap_LogPcrEvent,"LogPcrEvent", 0},
++ {tcs_wrap_GetPcrEvent,"GetPcrEvent", 0},
++ {tcs_wrap_GetPcrEventsByPcr,"GetPcrEventsByPcr", 0},
++ {tcs_wrap_GetPcrEventLog,"GetPcrEventLog", 0}, /* 20 */
++ {tcs_wrap_SetOwnerInstall,"SetOwnerInstall", TPM_ORD_SetOwnerInstall},
++ {tcs_wrap_TakeOwnership,"TakeOwnership", TPM_ORD_TakeOwnership},
++ {tcs_wrap_OIAP,"OIAP", 0},
++ {tcs_wrap_OSAP,"OSAP", 0},
++ {tcs_wrap_ChangeAuth,"ChangeAuth", 0}, /* 25 */
++ {tcs_wrap_ChangeAuthOwner,"ChangeAuthOwner", 0},
++ {tcs_wrap_Error,"Error", 0},
++ {tcs_wrap_Error,"Error", 0},
++ {tcs_wrap_TerminateHandle,"TerminateHandle", 0},
++ {tcs_wrap_ActivateIdentity,"ActivateIdentity", 0}, /* 30 */
++ {tcs_wrap_Extend,"Extend", 0},
++ {tcs_wrap_PcrRead,"PcrRead", 0},
++ {tcs_wrap_Quote,"Quote", 0},
++ {tcs_wrap_DirWriteAuth,"DirWriteAuth", 0},
++ {tcs_wrap_DirRead,"DirRead", 0}, /* 35 */
++ {tcs_wrap_Seal,"Seal", 0},
++ {tcs_wrap_UnSeal,"UnSeal", 0},
++ {tcs_wrap_UnBind,"UnBind", 0},
++ {tcs_wrap_CreateMigrationBlob,"CreateMigrationBlob", 0},
++ {tcs_wrap_ConvertMigrationBlob,"ConvertMigrationBlob", 0}, /* 40 */
++ {tcs_wrap_AuthorizeMigrationKey,"AuthorizeMigrationKey", 0},
++ {tcs_wrap_CertifyKey,"CertifyKey", 0},
++ {tcs_wrap_Sign,"Sign", 0},
++ {tcs_wrap_GetRandom,"GetRandom", 0},
++ {tcs_wrap_StirRandom,"StirRandom", 0}, /* 45 */
++ {tcs_wrap_GetCapability,"GetCapability", 0},
++ {tcs_wrap_Error,"Error", 0},
++ {tcs_wrap_GetCapabilityOwner,"GetCapabilityOwner", 0},
++ {tcs_wrap_CreateEndorsementKeyPair,"CreateEndorsementKeyPair", 0},
++ {tcs_wrap_ReadPubek,"ReadPubek", 0}, /* 50 */
++ {tcs_wrap_DisablePubekRead,"DisablePubekRead", 0},
++ {tcs_wrap_OwnerReadPubek,"OwnerReadPubek", 0},
++ {tcs_wrap_SelfTestFull,"SelfTestFull", TPM_ORD_SelfTestFull},
++ {tcs_wrap_CertifySelfTest,"CertifySelfTest", TPM_ORD_CertifySelfTest},
++ {tcs_wrap_Error,"Error", 0}, /* 55 */
++ {tcs_wrap_GetTestResult,"GetTestResult", 0},
++ {tcs_wrap_OwnerSetDisable,"OwnerSetDisable", TPM_ORD_OwnerSetDisable},
++ {tcs_wrap_OwnerClear,"OwnerClear", TPM_ORD_OwnerClear},
++ {tcs_wrap_DisableOwnerClear,"DisableOwnerClear", TPM_ORD_DisableOwnerClear},
++ {tcs_wrap_ForceClear,"ForceClear", TPM_ORD_ForceClear}, /* 60 */
++ {tcs_wrap_DisableForceClear,"DisableForceClear", TPM_ORD_DisableForceClear},
++ {tcs_wrap_PhysicalDisable,"PhysicalDisable", TPM_ORD_PhysicalDisable},
++ {tcs_wrap_PhysicalEnable,"PhysicalEnable", TPM_ORD_PhysicalEnable},
++ {tcs_wrap_PhysicalSetDeactivated,"PhysicalSetDeactivated", TPM_ORD_PhysicalSetDeactivated},
++ {tcs_wrap_SetTempDeactivated,"SetTempDeactivated", TPM_ORD_SetTempDeactivated}, /* 65 */
++ {tcs_wrap_PhysicalPresence,"PhysicalPresence", TSC_ORD_PhysicalPresence},
++ {tcs_wrap_Error,"Error", 0},
++ {tcs_wrap_Error,"Error", 0},
++ {tcs_wrap_CreateMaintenanceArchive,"CreateMaintenanceArchive", 0},
++ {tcs_wrap_LoadMaintenanceArchive,"LoadMaintenanceArchive", 0}, /* 70 */
++ {tcs_wrap_KillMaintenanceFeature,"KillMaintenanceFeature", 0},
++ {tcs_wrap_LoadManuMaintPub,"LoadManuMaintPub", 0},
++ {tcs_wrap_ReadManuMaintPub,"ReadManuMaintPub", 0},
++ {tcs_wrap_DaaJoin,"DaaJoin", 0},
++ {tcs_wrap_DaaSign,"DaaSign", 0}, /* 75 */
++ {tcs_wrap_SetCapability,"SetCapability", 0},
++ {tcs_wrap_ResetLockValue,"ResetLockValue", TPM_ORD_ResetLockValue},
++ {tcs_wrap_PcrReset,"PcrReset", 0},
++ {tcs_wrap_ReadCounter,"ReadCounter", 0},
++ {tcs_wrap_CreateCounter,"CreateCounter", 0}, /* 80 */
++ {tcs_wrap_IncrementCounter,"IncrementCounter", 0},
++ {tcs_wrap_ReleaseCounter,"ReleaseCounter", 0},
++ {tcs_wrap_ReleaseCounterOwner,"ReleaseCounterOwner", 0},
++ {tcs_wrap_ReadCurrentTicks,"ReadCurrentTicks", 0},
++ {tcs_wrap_TickStampBlob,"TicksStampBlob", 0}, /* 85 */
++ {tcs_wrap_GetCredential,"GetCredential", 0},
++ {tcs_wrap_NV_DefineOrReleaseSpace,"NVDefineOrReleaseSpace", 0},
++ {tcs_wrap_NV_WriteValue,"NVWriteValue", 0},
++ {tcs_wrap_NV_WriteValueAuth,"NVWriteValueAuth", 0},
++ {tcs_wrap_NV_ReadValue,"NVReadValue", 0}, /* 90 */
++ {tcs_wrap_NV_ReadValueAuth,"NVReadValueAuth", 0},
++ {tcs_wrap_EstablishTransport,"EstablishTransport", 0},
++ {tcs_wrap_ExecuteTransport,"ExecuteTransport", 0},
++ {tcs_wrap_ReleaseTransportSigned,"ReleaseTransportSigned", 0},
++ {tcs_wrap_SetOrdinalAuditStatus,"SetOrdinalAuditStatus", 0}, /* 95 */
++ {tcs_wrap_GetAuditDigest,"GetAuditDigest", 0},
++ {tcs_wrap_GetAuditDigestSigned,"GetAuditDigestSigned", 0},
++ {tcs_wrap_Sealx,"Sealx", 0},
++ {tcs_wrap_SetOperatorAuth,"SetOperatorAuth", TPM_ORD_SetOperatorAuth},
++ {tcs_wrap_OwnerReadInternalPub,"OwnerReadInternalPub", 0}, /* 100 */
++ {tcs_wrap_EnumRegisteredKeys2,"EnumRegisteredKeys2", 0},
++ {tcs_wrap_SetTempDeactivated2,"SetTempDeactivated2", 0},
++ {tcs_wrap_Delegate_Manage,"Delegate_Manage", 0},
++ {tcs_wrap_Delegate_CreateKeyDelegation,"Delegate_CreateKeyDelegation", 0},
++ {tcs_wrap_Delegate_CreateOwnerDelegation,"Delegate_CreateOwnerDelegation", 0}, /* 105 */
++ {tcs_wrap_Delegate_LoadOwnerDelegation,"Delegate_LoadOwnerDelegation", 0},
++ {tcs_wrap_Delegate_ReadTable,"Delegate_ReadTable", 0},
++ {tcs_wrap_Delegate_UpdateVerificationCount,"Delegate_UpdateVerificationCount", 0},
++ {tcs_wrap_Delegate_VerifyDelegation,"Delegate_VerifyDelegation", 0},
++ {tcs_wrap_CreateRevocableEndorsementKeyPair,"CreateRevocableEndorsementKeyPair", 0}, /* 110 */
++ {tcs_wrap_RevokeEndorsementKeyPair,"RevokeEndorsementKeyPair", 0},
++ {tcs_wrap_Error,"Error - was MakeIdentity2", 0},
++ {tcs_wrap_Quote2,"Quote2", 0},
++ {tcs_wrap_CMK_SetRestrictions,"CMK_SetRestrictions", 0},
++ {tcs_wrap_CMK_ApproveMA,"CMK_ApproveMA", 0}, /* 115 */
++ {tcs_wrap_CMK_CreateKey,"CMK_CreateKey", 0},
++ {tcs_wrap_CMK_CreateTicket,"CMK_CreateTicket", 0},
++ {tcs_wrap_CMK_CreateBlob,"CMK_CreateBlob", 0},
++ {tcs_wrap_CMK_ConvertMigration,"CMK_ConvertMigration", 0},
++ {tcs_wrap_FlushSpecific,"FlushSpecific", 0}, /* 120 */
++ {tcs_wrap_KeyControlOwner, "KeyControlOwner", 0},
++ {tcs_wrap_DSAP, "DSAP", 0}
++ };
+ int
+ access_control(struct tcsd_thread_data *thread_data)
+ {
+@@ -562,11 +562,190 @@
+ return 1;
+ }
+
++#if defined (SOLARIS)
++
++#include <ucred.h>
++#include <bsm/adt.h>
++#include <bsm/adt_event.h>
++
++static void
++audit_tpm(UINT32 cmd, struct tcsd_thread_data *data)
++{
++ adt_session_data_t *ah = NULL;
++ adt_event_data_t *event = NULL;
++ ucred_t *uc = NULL;
++ int adterr, msgid;
++ int adtstatus = ADT_FAILURE;
++
++ if (getpeerucred(data->sock, &uc)) {
++ LogError("Audit Failed - getpeerucred failed (%s)",
++ strerror(errno));
++ return;
++ }
++ if (adt_start_session(&ah, NULL, ADT_USE_PROC_DATA) != 0) {
++ LogError("Audit Failed - adt_start_session failed (%s)",
++ strerror(errno));
++ goto end;
++ }
++
++ if (adt_set_from_ucred(ah, uc, ADT_NEW) != 0) {
++ LogError("Audit Failed - adt_set_from_ucred failed (%s)",
++ strerror(errno));
++ goto end;
++ }
++
++ /*
++ * NOTE: It is important that the ordering of the
++ * error message definitions in the adt.xml IDL from the
++ * libbsm library source matches the numerical ordering of
++ * the TPM_E_* error codes in /usr/include/tss/tpm_error.h
++ */
++ if (data->comm.hdr.u.result == TSS_SUCCESS) {
++ adtstatus = ADT_SUCCESS;
++ adterr = ADT_SUCCESS;
++ /*
++ * Use literal value here until the
++ * build system is updated with latest adt_event.h
++ * 4102 = ADT_TPM_E_NO_MSG (build 123).
++ * Change this later.
++ */
++ msgid = 4102;
++ } else if (data->comm.hdr.u.result & TPM_E_NON_FATAL) {
++ /*
++ * NON_FATAL TPM errors are masked (0x800) so they are not in numerical
++ * sequence with the rest of the TPM errors.
++ */
++ msgid = ADT_TPM_E_RETRY +
++ (data->comm.hdr.u.result - TPM_E_RETRY);
++ adterr = ADT_FAIL_VALUE_PROGRAM;
++ } else {
++ msgid = ADT_TPM_E_AUTHFAIL +
++ (data->comm.hdr.u.result - TPM_E_AUTHFAIL);
++ adterr = ADT_FAIL_VALUE_PROGRAM;
++ }
++ switch(cmd) {
++ case TPM_ORD_CertifySelfTest:
++ event = adt_alloc_event(ah, ADT_tpm_certifyselftest);
++ if (event != NULL)
++ event->adt_tpm_certifyselftest.message = msgid;
++ break;
++ case TPM_ORD_OwnerClear:
++ event = adt_alloc_event(ah, ADT_tpm_ownerclear);
++ if (event != NULL)
++ event->adt_tpm_ownerclear.message = msgid;
++ break;
++ case TPM_ORD_ContinueSelfTest:
++ event = adt_alloc_event(ah, ADT_tpm_continueselftest);
++ if (event != NULL)
++ event->adt_tpm_continueselftest.message = msgid;
++ break;
++ case TPM_ORD_DisableForceClear:
++ event = adt_alloc_event(ah, ADT_tpm_disableforceclear);
++ if (event != NULL)
++ event->adt_tpm_disableforceclear.message = msgid;
++ break;
++ case TPM_ORD_DisableOwnerClear:
++ event = adt_alloc_event(ah, ADT_tpm_disableownerclear);
++ if (event != NULL)
++ event->adt_tpm_disableownerclear.message = msgid;
++ break;
++ case TPM_ORD_FieldUpgrade:
++ event = adt_alloc_event(ah, ADT_tpm_fieldupgrade);
++ if (event != NULL)
++ event->adt_tpm_fieldupgrade.message = msgid;
++ break;
++ case TPM_ORD_ForceClear:
++ event = adt_alloc_event(ah, ADT_tpm_forceclear);
++ if (event != NULL)
++ event->adt_tpm_forceclear.message = msgid;
++ break;
++ case TPM_ORD_OwnerSetDisable:
++ event = adt_alloc_event(ah, ADT_tpm_ownersetdisable);
++ if (event != NULL)
++ event->adt_tpm_ownersetdisable.message = msgid;
++ break;
++ case TPM_ORD_PhysicalEnable:
++ event = adt_alloc_event(ah, ADT_tpm_physicalenable);
++ if (event != NULL)
++ event->adt_tpm_physicalenable.message = msgid;
++ break;
++ case TPM_ORD_PhysicalDisable:
++ event = adt_alloc_event(ah, ADT_tpm_physicaldisable);
++ if (event != NULL)
++ event->adt_tpm_physicaldisable.message = msgid;
++ break;
++ case TPM_ORD_PhysicalSetDeactivated:
++ event = adt_alloc_event(ah, ADT_tpm_physicaldeactivate);
++ if (event != NULL)
++ event->adt_tpm_physicaldeactivate.message = msgid;
++ break;
++ case TSC_ORD_PhysicalPresence:
++ event = adt_alloc_event(ah, ADT_tpm_physicalpresence);
++ if (event != NULL)
++ event->adt_tpm_physicalpresence.message = msgid;
++ break;
++ case TPM_ORD_ResetLockValue:
++ event = adt_alloc_event(ah, ADT_tpm_resetlockvalue);
++ if (event != NULL)
++ event->adt_tpm_resetlockvalue.message = msgid;
++ break;
++ case TPM_ORD_SelfTestFull:
++ event = adt_alloc_event(ah, ADT_tpm_selftestfull);
++ if (event != NULL)
++ event->adt_tpm_selftestfull.message = msgid;
++ break;
++ case TPM_ORD_SetOperatorAuth:
++ event = adt_alloc_event(ah, ADT_tpm_setoperatorauth);
++ if (event != NULL)
++ event->adt_tpm_setoperatorauth.message = msgid;
++ break;
++ case TPM_ORD_SetOwnerInstall:
++ event = adt_alloc_event(ah, ADT_tpm_setownerinstall);
++ if (event != NULL)
++ event->adt_tpm_setownerinstall.message = msgid;
++ break;
++ case TPM_ORD_SetTempDeactivated:
++ event = adt_alloc_event(ah, ADT_tpm_settempdeactivated);
++ if (event != NULL)
++ event->adt_tpm_settempdeactivated.message = msgid;
++ break;
++ case TPM_ORD_TakeOwnership:
++ event = adt_alloc_event(ah, ADT_tpm_takeownership);
++ if (event != NULL)
++ event->adt_tpm_takeownership.message = msgid;
++ break;
++ default:
++ /* command not audited */
++ goto end;
++ }
++ if (event == NULL) {
++ LogError("Audit Failed - Failed to allocate event (%s)",
++ strerror(errno));
++ goto end;
++ }
++
++ if (adt_put_event(event, adtstatus, adterr)) {
++ LogError("Audit Failed - Failed to put audit event (%s)",
++ strerror(errno));
++ }
++
++end:
++ ucred_free(uc);
++ adt_free_event(event);
++ (void) adt_end_session(ah);
++
++ return;
++}
++#endif /* SOLARIS */
++
+ TSS_RESULT
+ dispatchCommand(struct tcsd_thread_data *data)
+ {
+ UINT64 offset;
+ TSS_RESULT result;
++#if defined (SOLARIS)
++ UINT32 cmd;
++#endif
+
+ /* First, check the ordinal bounds */
+ if (data->comm.hdr.u.ordinal >= TCSD_MAX_NUM_ORDS) {
+@@ -596,6 +775,9 @@
+ }
+
+ /* Now, dispatch */
++#if defined (SOLARIS)
++ cmd = tcs_func_table[data->comm.hdr.u.ordinal].ordinal;
++#endif
+ if ((result = tcs_func_table[data->comm.hdr.u.ordinal].Func(data)) == TSS_SUCCESS) {
+ /* set the comm buffer */
+ offset = 0;
+@@ -607,6 +789,9 @@
+ LoadBlob_UINT32(&offset, data->comm.hdr.parm_size, data->comm.buf);
+ LoadBlob_UINT32(&offset, data->comm.hdr.parm_offset, data->comm.buf);
+ }
++#if defined (SOLARIS)
++ audit_tpm(cmd, data);
++#endif
+
+ return result;
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/trousers/patches/tcs_rpc_tcstp_rpc_ps.c.patch Sat Oct 20 00:06:08 2012 -0700
@@ -0,0 +1,54 @@
+--- src/tcs/rpc/tcstp/rpc_ps.c.orig 2011-03-23 11:01:54.707428173 -0700
++++ src/tcs/rpc/tcstp/rpc_ps.c 2011-03-23 11:27:00.753845441 -0700
+@@ -26,6 +26,29 @@
+ #include "tcs_utils.h"
+ #include "rpc_tcstp_tcs.h"
+
++#ifdef SOLARIS
++#include <ucred.h>
++#include <errno.h>
++
++static TSS_RESULT
++verify_peer(struct tcsd_thread_data *data)
++{
++ ucred_t *uc = NULL;
++ if (getpeerucred(data->sock, &uc)) {
++ LogError("Failed to get peer credential (%s)",
++ strerror(errno));
++ return TCSERR(TSS_E_TSP_AUTHFAIL);
++ }
++ if (ucred_geteuid(uc) != 0) {
++ LogError("Unauthorized attempt to modify a system key",
++ strerror(errno));
++ ucred_free(uc);
++ return TCSERR(TSS_E_TSP_AUTHFAIL);
++ }
++ ucred_free(uc);
++ return (TSS_SUCCESS);
++}
++#endif
+
+ TSS_RESULT
+ tcs_wrap_RegisterKey(struct tcsd_thread_data *data)
+@@ -38,6 +61,10 @@
+ UINT32 cVendorData;
+ BYTE *gbVendorData;
+ TSS_RESULT result;
++#ifdef SOLARIS
++ if ( (result = verify_peer(data)) != TSS_SUCCESS)
++ return (result);
++#endif
+
+ if (getData(TCSD_PACKET_TYPE_UINT32, 0, &hContext, 0, &data->comm))
+ return TCSERR(TSS_E_INTERNAL_ERROR);
+@@ -99,6 +126,10 @@
+ TCS_CONTEXT_HANDLE hContext;
+ TSS_UUID uuid;
+ TSS_RESULT result;
++#ifdef SOLARIS
++ if ( (result = verify_peer(data)) != TSS_SUCCESS)
++ return (result);
++#endif
+
+ if (getData(TCSD_PACKET_TYPE_UINT32, 0, &hContext, 0, &data->comm))
+ return TCSERR(TSS_E_INTERNAL_ERROR);
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/trousers/patches/tcs_tcs_caps.c.patch Sat Oct 20 00:06:08 2012 -0700
@@ -0,0 +1,21 @@
+--- src/tcs/tcs_caps.c.old Wed Jun 9 13:20:44 2010
++++ src/tcs/tcs_caps.c Fri Jul 1 16:26:51 2011
+@@ -149,6 +149,7 @@
+ {
+ TSS_RESULT result;
+ UINT32 subCap, rv = 0;
++ UINT32 manuf;
+
+ if ((result = get_current_version(&p->version)))
+ goto err;
+@@ -181,8 +182,9 @@
+
+ UINT32ToArray(TPM_CAP_PROP_MANUFACTURER, (BYTE *)&subCap);
+ if ((result = get_cap_uint32(TCPA_CAP_PROPERTY, (BYTE *)&subCap, sizeof(UINT32),
+- (UINT32 *)&p->manufacturer)))
++ (UINT32 *)&manuf)))
+ goto err;
++ (void) memcpy(p->manufacturer, &manuf, sizeof (UINT32));
+
+ result = get_max_auths(&(p->num_auths));
+
--- a/components/trousers/patches/tcsd.8.in.patch Fri Oct 19 16:06:19 2012 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,76 +0,0 @@
---- man/man8/tcsd.8.in 2009-09-08 07:39:30.000000000 -0700
-+++ man/man8/tcsd.8.in.new 2010-09-16 08:13:25.613336616 -0700
-@@ -74,12 +74,32 @@
- the TCS and stays valid across application lifetimes, \fBtcsd\fR restarts and
- system resets. Data registered in system PS stays valid until an application
- requests that it be removed. User PS files are by default stored as
--/var/tpm/user.{pid} and the system PS file by default is /var/tpm/system.data.
--The system PS file is initially created when ownership of the TPM is first
--taken.
-+/var/user/$USERNAME/tpm/userps/user.data and the system PS file by default is
-+/var/tpm/system/system.data. The system PS file is initially created when
-+ownership of the TPM is first taken.
-+.PP
-+\fB/var/tpm/system/system.data\fR
-+.ad
-+.RS 4n
-+Contains the system PS (persistent storage) data controlled by the TCS. By default,
-+the SRK key is installed in PS and does not require owner authorization to use. If the
-+TPM has previously been provisioned and owner-auth is required to load the SRK,
-+then the /var/tpm/system/system.data.auth file should be moved to
-+/var/tpm/system/system.data before starting the TCS (See NOTES).
-+.RE
-+.sp
-+.PP
-+\fB/var/tpm/system/system.data.auth\fR
-+.ad
-+.RS 4n
-+This is the default PS data file to use if the TPM has been previously
-+configured to require owner-auth to access the SRK. Copy this file
-+to /var/tpm/system/system.data prior to starting the TCS if owner-auth is
-+needed, otherwise this file can be ignored.
-+.RE
-
- .SH "CONFIGURATION"
--\fBtcsd\fR configuration is stored by default in /etc/tcsd.conf
-+\fBtcsd\fR configuration is stored by default in /etc/security/tcsd.conf
-
- .SH "DEBUG OUTPUT"
- If TrouSerS has been compiled with debugging enabled, the debugging output
-@@ -88,8 +108,9 @@
- .SH "DEVICE DRIVERS"
- .PP
- \fBtcsd\fR is compatible with the IBM Research TPM device driver available
--from http://www.research.ibm.com/gsal/tcpa and the TPM device driver available
--from http://sf.net/projects/tmpdd
-+from http://www.research.ibm.com/gsal/tcpa and the TPM device driver for
-+Linux available from http://sf.net/projects/tmpdd. It is also compatible
-+with the TPM device driver for Solaris which is available in the driver/crypto/tpm package.
-
- .SH "CONFORMING TO"
- .PP
-@@ -98,7 +119,23 @@
-
- .SH "SEE ALSO"
- .PP
--\fBtcsd.conf\fR(5)
-+\fBtcsd.conf\fR(5), \fBsvcadm\fR(1M), \fBsmf\fR(5)
-+
-+.SH "NOTES"
-+.sp
-+.LP
-+The \fBtcsd\fR service is managed by the service management facility, \fBsmf\fR(5), under
-+the service identifier:
-+.sp
-+.in +2
-+.nf
-+svc:/application/security/tcsd:default
-+.fi
-+.in -2
-+.sp
-+.LP
-+Administrative actions on this service, such as enabling, disabling, or requesting restart, can be
-+performed using \fBsvcadm\fR(1M). The service's status can be queried using the \fBsvcs\fR(1) command.
-
- .SH "AUTHOR"
- Kent Yoder
--- a/components/trousers/patches/tcsd.conf.in.patch Fri Oct 19 16:06:19 2012 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,11 +0,0 @@
---- dist/tcsd.conf.in.old Thu Apr 7 07:53:52 2011
-+++ dist/tcsd.conf.in Thu Apr 7 07:55:18 2011
-@@ -54,7 +54,7 @@
- # Description: A list of PCR indices that are manipulated only by the system
- # firmware and therefore are not extended or logged by the TCSD.
- #
--# firmware_pcrs =
-+firmware_pcrs =0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
- #
-
- # Option: kernel_pcrs
--- a/components/trousers/patches/tcsd.h.patch Fri Oct 19 16:06:19 2012 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,28 +0,0 @@
-*** src/include/tcsd.h.old Fri Dec 5 07:47:11 2008
---- src/include/tcsd.h Fri Dec 5 07:48:44 2008
-***************
-*** 48,61 ****
---- 48,70 ----
- of this TCS System */
- };
-
-+ #ifdef SOLARIS
-+ #define TCSD_CONFIG_FILE "/etc/security/tcsd.conf"
-+ #else
- #define TCSD_CONFIG_FILE ETC_PREFIX "/tcsd.conf"
-+ #endif
-
- #define TSS_USER_NAME "tss"
- #define TSS_GROUP_NAME "tss"
-
- #define TCSD_DEFAULT_MAX_THREADS 10
-+ #ifdef SOLARIS
-+ #define TCSD_DEFAULT_SYSTEM_PS_FILE "/var/tpm/system/system.data"
-+ #define TCSD_DEFAULT_SYSTEM_PS_DIR "/var/tpm/system"
-+ #else
- #define TCSD_DEFAULT_SYSTEM_PS_FILE VAR_PREFIX "/lib/tpm/system.data"
- #define TCSD_DEFAULT_SYSTEM_PS_DIR VAR_PREFIX "/lib/tpm"
-+ #endif /* SOLARIS */
- #define TCSD_DEFAULT_FIRMWARE_LOG_FILE "/sys/kernel/security/tpm0/binary_bios_measurements"
- #define TCSD_DEFAULT_KERNEL_LOG_FILE "/sys/kernel/security/ima/binary_runtime_measurements"
- #define TCSD_DEFAULT_FIRMWARE_PCRS 0x00000000
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/trousers/patches/tcsd_Makefile.in.patch Sat Oct 20 00:06:08 2012 -0700
@@ -0,0 +1,30 @@
+--- src/tcsd/Makefile.in.old Thu Jan 28 13:56:46 2010
++++ src/tcsd/Makefile.in Wed Mar 3 16:35:23 2010
+@@ -47,7 +47,7 @@
+ mkinstalldirs = $(install_sh) -d
+ CONFIG_CLEAN_FILES =
+ CONFIG_CLEAN_VPATH_FILES =
+-am__installdirs = "$(DESTDIR)$(sbindir)"
++am__installdirs = "$(DESTDIR)$(libdir)"
+ PROGRAMS = $(sbin_PROGRAMS)
+ am_tcsd_OBJECTS = tcsd-svrside.$(OBJEXT) tcsd-tcsd_conf.$(OBJEXT) \
+ tcsd-tcsd_threads.$(OBJEXT) tcsd-platform.$(OBJEXT)
+@@ -185,7 +185,7 @@
+ prefix = @prefix@
+ program_transform_name = @program_transform_name@
+ psdir = @psdir@
+-sbindir = @sbindir@
++sbindir = @libdir@
+ sharedstatedir = @sharedstatedir@
+ srcdir = @srcdir@
+ sysconfdir = @sysconfdir@
+@@ -200,7 +200,8 @@
+ tcsd_CFLAGS = -DAPPID=\"TCSD\" -DVAR_PREFIX=\"@localstatedir@\" \
+ -DETC_PREFIX=\"@sysconfdir@\" -I${top_srcdir}/src/include \
+ $(am__append_1) $(am__append_2)
+-tcsd_LDADD = ${top_builddir}/src/tcs/libtcs.a ${top_builddir}/src/tddl/libtddl.a -lpthread @CRYPTOLIB@
++tcsd_LDADD = ${top_builddir}/src/tcs/libtcs.a ${top_builddir}/src/tddl/libtddl.a \
++ -lpthread -lbsm -lscf -lresolv @CRYPTOLIB@
+ tcsd_SOURCES = svrside.c tcsd_conf.c tcsd_threads.c platform.c
+ all: all-am
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/trousers/patches/tcsd_svrside.c.patch Sat Oct 20 00:06:08 2012 -0700
@@ -0,0 +1,337 @@
+--- src/tcsd/svrside.c 2010-06-09 13:19:00.000000000 -0700
++++ src/tcsd/svrside.c 2012-04-19 11:27:31.232524632 -0700
+@@ -27,6 +27,15 @@
+ #include <arpa/inet.h>
+ #include <errno.h>
+ #include <getopt.h>
++#ifdef SOLARIS
++#include <priv.h>
++#include <fcntl.h>
++#endif
++#ifndef HAVE_DAEMON
++#include <fcntl.h>
++#include <syslog.h>
++#endif
++
+ #include "trousers/tss.h"
+ #include "trousers_types.h"
+ #include "tcs_tsp.h"
+@@ -44,6 +53,10 @@
+ static volatile int hup = 0, term = 0;
+ extern char *optarg;
+
++#ifdef SOLARIS
++static int get_event_log_from_kernel(void);
++#endif
++
+ static void
+ tcsd_shutdown(void)
+ {
+@@ -170,6 +183,10 @@
+ (void)req_mgr_final();
+ return result;
+ }
++#ifdef SOLARIS
++ /* Not fatal if this fails */
++ (void) get_event_log_from_kernel();
++#endif
+
+ result = owner_evict_init();
+ if (result != TSS_SUCCESS) {
+@@ -208,13 +225,169 @@
+ }
+
+
++#ifdef SOLARIS
++
++extern int get_device_fd(void);
++
++#define TPM_IOCTL_GETEVTABLE 1
++struct tpm_evtable_ioblk {
++ uint32_t buflen;
++ caddr_t buf;
++};
++
++static int
++store_eventlog(char *filename, struct tpm_evtable_ioblk *evlog)
++{
++ int fd;
++ int bytes = 0;
++
++ fd = open(filename, O_WRONLY | O_TRUNC | O_CREAT, 0600);
++ if (fd == -1) {
++ LogError("Error opening logfile %s: %s", filename,
++ strerror(errno));
++ return (-1);
++ }
++ while (bytes < evlog->buflen) {
++ int n;
++ n = write(fd, evlog->buf, evlog->buflen - bytes);
++ if (n == -1 && errno != EAGAIN) {
++ LogError("Error writing logfile %s: %s",
++ filename, strerror(errno));
++ close(fd);
++ return (-1);
++ }
++ if (n != -1)
++ bytes += n;
++ }
++ close(fd);
++
++ return (0);
++}
++
++static int
++get_event_log_from_kernel(void)
++{
++ int fd = get_device_fd();
++ struct tpm_evtable_ioblk ioblk;
++
++ if (fd == -1)
++ return (-1);
++
++ (void) memset(&ioblk, 0, sizeof (ioblk));
++ if (ioctl(fd, TPM_IOCTL_GETEVTABLE, &ioblk)) {
++ LogDebug("Cannot get event log from kernel: %s",
++ strerror(errno));
++ return (-1);
++ }
++ if (ioblk.buflen == 0)
++ return (0);
++
++ ioblk.buf = calloc(1, ioblk.buflen);
++ if (ioblk.buf == NULL) {
++ return (-1);
++ }
++ if (ioctl(fd, TPM_IOCTL_GETEVTABLE, &ioblk)) {
++ free(ioblk.buf);
++ LogDebug("Cannot get event log from kernel: %s",
++ strerror(errno));
++ return (-1);
++ }
++
++ return (store_eventlog(tcsd_options.firmware_log_file, &ioblk));
++}
++
++/*
++ * For Solaris, make the tcsd privilege aware and drop
++ * risky privileges if they are not needed.
++ */
++static int
++drop_privs(void)
++{
++ priv_set_t *myprivs;
++ int rv;
++
++ /*
++ * Drop unneeded privs such as fork/exec.
++ *
++ * Get "basic" privs and remove the ones we don't want.
++ */
++ if ((myprivs = priv_str_to_set("basic", ",", NULL)) == NULL) {
++ LogError("priv_str_to_set failed: %s", strerror(errno));
++ return (1);
++ } else {
++ (void) priv_delset(myprivs, PRIV_PROC_EXEC);
++ (void) priv_delset(myprivs, PRIV_PROC_FORK);
++ (void) priv_delset(myprivs, PRIV_FILE_LINK_ANY);
++ (void) priv_delset(myprivs, PRIV_PROC_INFO);
++ (void) priv_delset(myprivs, PRIV_PROC_SESSION);
++ (void) priv_delset(myprivs, PRIV_PROC_SETID);
++
++ /* for auditing */
++ (void) priv_addset(myprivs, PRIV_PROC_AUDIT);
++
++ if ((rv = setppriv(PRIV_SET, PRIV_PERMITTED, myprivs)))
++ return (rv);
++ if ((rv = setppriv(PRIV_SET, PRIV_LIMIT, myprivs)))
++ return (rv);
++ if ((rv = setppriv(PRIV_SET, PRIV_INHERITABLE, myprivs)))
++ return (rv);
++
++ (void) priv_freeset(myprivs);
++ }
++ return (0);
++}
++#endif /* SOLARIS */
++
++#ifndef HAVE_DAEMON
++static int
++daemon(int nochdir, int noclose) {
++ int rv, fd;
++
++ if (!noclose) {
++ closelog();
++ closefrom(0);
++ }
++
++ switch (fork()) {
++ case -1: /* failure: parent process */
++ return (-1);
++ case 0: /* success: child process */
++ break;
++ default: /* success: parent process */
++ exit (0);
++ }
++
++ /* Create a new SID for the child process */
++ if (setsid() == -1)
++ return (-1);
++ /* Prevent cwd from being left open and unremovable */
++ if (!nochdir)
++ (void) chdir("/");
++ (void) umask(0);
++ /* Redirect stdin, stdout, and stderr to /dev/null */
++ if (!noclose && (fd = open("/dev/null", O_RDWR, 0)) != -1) {
++ (void) dup2(fd, STDIN_FILENO);
++ (void) dup2(fd, STDOUT_FILENO);
++ (void) dup2(fd, STDERR_FILENO);
++ if (fd > 2)
++ (void)close (fd);
++ }
++ return (0);
++}
++#endif /* !HAVE_DAEMON */
++
+ int
+ main(int argc, char **argv)
+ {
+- struct sockaddr_in serv_addr, client_addr;
++ typedef union {
++ struct sockaddr_in in;
++ struct sockaddr_un un;
++ } sockaddr_un_in_t;
++ sockaddr_un_in_t serv_addr, client_addr;
++ int rv;
+ TSS_RESULT result;
+ int sd, newsd, c, option_index = 0;
+- unsigned client_len;
++ unsigned client_len, serv_len;
+ char *hostname = NULL;
+ struct passwd *pwd;
+ struct hostent *client_hostent = NULL;
+@@ -245,26 +418,50 @@
+ if ((result = tcsd_startup()))
+ return (int)result;
+
+- sd = socket(AF_INET, SOCK_STREAM, 0);
+- if (sd < 0) {
+- LogError("Failed socket: %s", strerror(errno));
+- return -1;
+- }
++ if (tcsd_options.port == 0) { /* UNIX Domain socket */
++ /* Use UNIX Domain socket instead of TCP/IP socket */
++ sd = socket(AF_UNIX, SOCK_STREAM, 0);
++ if (sd < 0) {
++ LogError("Failed socket: %s", strerror(errno));
++ return -1;
++ }
++
++ memset(&serv_addr, 0, sizeof (serv_addr));
++ serv_addr.un.sun_family = AF_UNIX;
++ strncpy(serv_addr.un.sun_path, TCSD_DEFAULT_SOCKET,
++ sizeof (serv_addr.un.sun_path));
++ (void) unlink(TCSD_DEFAULT_SOCKET);
++
++ } else { /* TCP socket */
++ sd = socket(AF_INET, SOCK_STREAM, 0);
++ if (sd < 0) {
++ LogError("Failed socket: %s", strerror(errno));
++ return -1;
++ }
+
+- memset(&serv_addr, 0, sizeof (serv_addr));
+- serv_addr.sin_family = AF_INET;
+- serv_addr.sin_port = htons(tcsd_options.port);
+-
+- /* If no remote_ops are defined, restrict connections to localhost
+- * only at the socket. */
+- if (tcsd_options.remote_ops[0] == 0)
+- serv_addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+- else
+- serv_addr.sin_addr.s_addr = htonl(INADDR_ANY);
+-
+- c = 1;
+- setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, &c, sizeof(c));
+- if (bind(sd, (struct sockaddr *) &serv_addr, sizeof (serv_addr)) < 0) {
++ memset(&serv_addr, 0, sizeof (serv_addr));
++ serv_addr.in.sin_family = AF_INET;
++ serv_addr.in.sin_port = htons(tcsd_options.port);
++
++ /* If no remote_ops are defined, restrict connections to localhost
++ * only at the socket. */
++ if (tcsd_options.remote_ops[0] == 0)
++ serv_addr.in.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
++ else
++ serv_addr.in.sin_addr.s_addr = htonl(INADDR_ANY);
++
++ c = 1;
++ setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, &c, sizeof(c));
++ }
++
++ if (tcsd_options.port == 0) { /* UNIX Domain socket */
++ serv_len = (unsigned)sizeof(serv_addr.un);
++ client_len = (unsigned)sizeof(client_addr.un);
++ } else { /* TCP socket */
++ serv_len = (unsigned)sizeof(serv_addr.in);
++ client_len = (unsigned)sizeof(client_addr.in);
++ }
++ if (bind(sd, (struct sockaddr *) &serv_addr, serv_len) < 0) {
+ LogError("Failed bind: %s", strerror(errno));
+ return -1;
+ }
+@@ -285,7 +482,6 @@
+ LogError("Failed listen: %s", strerror(errno));
+ return -1;
+ }
+- client_len = (unsigned)sizeof(client_addr);
+
+ if (getenv("TCSD_FOREGROUND") == NULL) {
+ if (daemon(0, 0) == -1) {
+@@ -295,6 +491,12 @@
+ }
+ }
+
++#ifdef SOLARIS
++ /* For Solaris, drop privileges for security. */
++ if ((rv = drop_privs()))
++ return (rv);
++#endif /* SOLARIS */
++
+ LogInfo("%s: TCSD up and running.", PACKAGE_STRING);
+ do {
+ newsd = accept(sd, (struct sockaddr *) &client_addr, &client_len);
+@@ -314,20 +516,22 @@
+ }
+ LogDebug("accepted socket %i", newsd);
+
+- if ((client_hostent = gethostbyaddr((char *) &client_addr.sin_addr,
+- sizeof(client_addr.sin_addr),
++ if (tcsd_options.port != 0) { /* TCP socket */
++ if ((client_hostent = gethostbyaddr((char *) &client_addr.in.sin_addr,
++ sizeof(client_addr.in.sin_addr),
+ AF_INET)) == NULL) {
+- char buf[16];
+- uint32_t addr = htonl(client_addr.sin_addr.s_addr);
++ char buf[16];
++ uint32_t addr = htonl(client_addr.in.sin_addr.s_addr);
+
+- snprintf(buf, 16, "%d.%d.%d.%d", (addr & 0xff000000) >> 24,
+- (addr & 0x00ff0000) >> 16, (addr & 0x0000ff00) >> 8,
+- addr & 0x000000ff);
++ snprintf(buf, 16, "%d.%d.%d.%d", (addr & 0xff000000) >> 24,
++ (addr & 0x00ff0000) >> 16, (addr & 0x0000ff00) >> 8,
++ addr & 0x000000ff);
+
+- LogWarn("Host name for connecting IP %s could not be resolved", buf);
+- hostname = strdup(buf);
+- } else {
+- hostname = strdup(client_hostent->h_name);
++ LogWarn("Host name for connecting IP %s could not be resolved", buf);
++ hostname = strdup(buf);
++ } else {
++ hostname = strdup(client_hostent->h_name);
++ }
+ }
+
+ tcsd_thread_create(newsd, hostname);
--- a/components/trousers/patches/tcstp_rpc.c.patch Fri Oct 19 16:06:19 2012 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,473 +0,0 @@
---- src/tcs/rpc/tcstp/rpc.c.orig Fri Jun 5 12:45:50 2009
-+++ src/tcs/rpc/tcstp/rpc.c Thu Sep 10 13:05:33 2009
-@@ -385,134 +385,134 @@
- typedef struct tdDispatchTable {
- TSS_RESULT (*Func) (struct tcsd_thread_data *);
- const char *name;
-+ UINT32 ordinal;
- } DispatchTable;
-
- DispatchTable tcs_func_table[TCSD_MAX_NUM_ORDS] = {
-- {tcs_wrap_Error,"Error"}, /* 0 */
-- {tcs_wrap_OpenContext,"OpenContext"},
-- {tcs_wrap_CloseContext,"CloseContext"},
-- {tcs_wrap_Error,"Error"},
-- {tcs_wrap_TCSGetCapability,"TCSGetCapability"},
-- {tcs_wrap_RegisterKey,"RegisterKey"}, /* 5 */
-- {tcs_wrap_UnregisterKey,"UnregisterKey"},
-- {tcs_wrap_EnumRegisteredKeys,"EnumRegisteredKeys"},
-- {tcs_wrap_Error,"Error"},
-- {tcs_wrap_GetRegisteredKeyBlob,"GetRegisteredKeyBlob"},
-- {tcs_wrap_GetRegisteredKeyByPublicInfo,"GetRegisteredKeyByPublicInfo"}, /* 10 */
-- {tcs_wrap_LoadKeyByBlob,"LoadKeyByBlob"},
-- {tcs_wrap_LoadKeyByUUID,"LoadKeyByUUID"},
-- {tcs_wrap_EvictKey,"EvictKey"},
-- {tcs_wrap_CreateWrapKey,"CreateWrapKey"},
-- {tcs_wrap_GetPubkey,"GetPubkey"}, /* 15 */
-- {tcs_wrap_MakeIdentity,"MakeIdentity"},
-- {tcs_wrap_LogPcrEvent,"LogPcrEvent"},
-- {tcs_wrap_GetPcrEvent,"GetPcrEvent"},
-- {tcs_wrap_GetPcrEventsByPcr,"GetPcrEventsByPcr"},
-- {tcs_wrap_GetPcrEventLog,"GetPcrEventLog"}, /* 20 */
-- {tcs_wrap_SetOwnerInstall,"SetOwnerInstall"},
-- {tcs_wrap_TakeOwnership,"TakeOwnership"},
-- {tcs_wrap_OIAP,"OIAP"},
-- {tcs_wrap_OSAP,"OSAP"},
-- {tcs_wrap_ChangeAuth,"ChangeAuth"}, /* 25 */
-- {tcs_wrap_ChangeAuthOwner,"ChangeAuthOwner"},
-- {tcs_wrap_Error,"Error"},
-- {tcs_wrap_Error,"Error"},
-- {tcs_wrap_TerminateHandle,"TerminateHandle"},
-- {tcs_wrap_ActivateIdentity,"ActivateIdentity"}, /* 30 */
-- {tcs_wrap_Extend,"Extend"},
-- {tcs_wrap_PcrRead,"PcrRead"},
-- {tcs_wrap_Quote,"Quote"},
-- {tcs_wrap_DirWriteAuth,"DirWriteAuth"},
-- {tcs_wrap_DirRead,"DirRead"}, /* 35 */
-- {tcs_wrap_Seal,"Seal"},
-- {tcs_wrap_UnSeal,"UnSeal"},
-- {tcs_wrap_UnBind,"UnBind"},
-- {tcs_wrap_CreateMigrationBlob,"CreateMigrationBlob"},
-- {tcs_wrap_ConvertMigrationBlob,"ConvertMigrationBlob"}, /* 40 */
-- {tcs_wrap_AuthorizeMigrationKey,"AuthorizeMigrationKey"},
-- {tcs_wrap_CertifyKey,"CertifyKey"},
-- {tcs_wrap_Sign,"Sign"},
-- {tcs_wrap_GetRandom,"GetRandom"},
-- {tcs_wrap_StirRandom,"StirRandom"}, /* 45 */
-- {tcs_wrap_GetCapability,"GetCapability"},
-- {tcs_wrap_Error,"Error"},
-- {tcs_wrap_GetCapabilityOwner,"GetCapabilityOwner"},
-- {tcs_wrap_CreateEndorsementKeyPair,"CreateEndorsementKeyPair"},
-- {tcs_wrap_ReadPubek,"ReadPubek"}, /* 50 */
-- {tcs_wrap_DisablePubekRead,"DisablePubekRead"},
-- {tcs_wrap_OwnerReadPubek,"OwnerReadPubek"},
-- {tcs_wrap_SelfTestFull,"SelfTestFull"},
-- {tcs_wrap_CertifySelfTest,"CertifySelfTest"},
-- {tcs_wrap_Error,"Error"}, /* 55 */
-- {tcs_wrap_GetTestResult,"GetTestResult"},
-- {tcs_wrap_OwnerSetDisable,"OwnerSetDisable"},
-- {tcs_wrap_OwnerClear,"OwnerClear"},
-- {tcs_wrap_DisableOwnerClear,"DisableOwnerClear"},
-- {tcs_wrap_ForceClear,"ForceClear"}, /* 60 */
-- {tcs_wrap_DisableForceClear,"DisableForceClear"},
-- {tcs_wrap_PhysicalDisable,"PhysicalDisable"},
-- {tcs_wrap_PhysicalEnable,"PhysicalEnable"},
-- {tcs_wrap_PhysicalSetDeactivated,"PhysicalSetDeactivated"},
-- {tcs_wrap_SetTempDeactivated,"SetTempDeactivated"}, /* 65 */
-- {tcs_wrap_PhysicalPresence,"PhysicalPresence"},
-- {tcs_wrap_Error,"Error"},
-- {tcs_wrap_Error,"Error"},
-- {tcs_wrap_CreateMaintenanceArchive,"CreateMaintenanceArchive"},
-- {tcs_wrap_LoadMaintenanceArchive,"LoadMaintenanceArchive"}, /* 70 */
-- {tcs_wrap_KillMaintenanceFeature,"KillMaintenanceFeature"},
-- {tcs_wrap_LoadManuMaintPub,"LoadManuMaintPub"},
-- {tcs_wrap_ReadManuMaintPub,"ReadManuMaintPub"},
-- {tcs_wrap_DaaJoin,"DaaJoin"},
-- {tcs_wrap_DaaSign,"DaaSign"}, /* 75 */
-- {tcs_wrap_SetCapability,"SetCapability"},
-- {tcs_wrap_ResetLockValue,"ResetLockValue"},
-- {tcs_wrap_PcrReset,"PcrReset"},
-- {tcs_wrap_ReadCounter,"ReadCounter"},
-- {tcs_wrap_CreateCounter,"CreateCounter"}, /* 80 */
-- {tcs_wrap_IncrementCounter,"IncrementCounter"},
-- {tcs_wrap_ReleaseCounter,"ReleaseCounter"},
-- {tcs_wrap_ReleaseCounterOwner,"ReleaseCounterOwner"},
-- {tcs_wrap_ReadCurrentTicks,"ReadCurrentTicks"},
-- {tcs_wrap_TickStampBlob,"TicksStampBlob"}, /* 85 */
-- {tcs_wrap_GetCredential,"GetCredential"},
-- {tcs_wrap_NV_DefineOrReleaseSpace,"NVDefineOrReleaseSpace"},
-- {tcs_wrap_NV_WriteValue,"NVWriteValue"},
-- {tcs_wrap_NV_WriteValueAuth,"NVWriteValueAuth"},
-- {tcs_wrap_NV_ReadValue,"NVReadValue"}, /* 90 */
-- {tcs_wrap_NV_ReadValueAuth,"NVReadValueAuth"},
-- {tcs_wrap_EstablishTransport,"EstablishTransport"},
-- {tcs_wrap_ExecuteTransport,"ExecuteTransport"},
-- {tcs_wrap_ReleaseTransportSigned,"ReleaseTransportSigned"},
-- {tcs_wrap_SetOrdinalAuditStatus,"SetOrdinalAuditStatus"}, /* 95 */
-- {tcs_wrap_GetAuditDigest,"GetAuditDigest"},
-- {tcs_wrap_GetAuditDigestSigned,"GetAuditDigestSigned"},
-- {tcs_wrap_Sealx,"Sealx"},
-- {tcs_wrap_SetOperatorAuth,"SetOperatorAuth"},
-- {tcs_wrap_OwnerReadInternalPub,"OwnerReadInternalPub"}, /* 100 */
-- {tcs_wrap_EnumRegisteredKeys2,"EnumRegisteredKeys2"},
-- {tcs_wrap_SetTempDeactivated2,"SetTempDeactivated2"},
-- {tcs_wrap_Delegate_Manage,"Delegate_Manage"},
-- {tcs_wrap_Delegate_CreateKeyDelegation,"Delegate_CreateKeyDelegation"},
-- {tcs_wrap_Delegate_CreateOwnerDelegation,"Delegate_CreateOwnerDelegation"}, /* 105 */
-- {tcs_wrap_Delegate_LoadOwnerDelegation,"Delegate_LoadOwnerDelegation"},
-- {tcs_wrap_Delegate_ReadTable,"Delegate_ReadTable"},
-- {tcs_wrap_Delegate_UpdateVerificationCount,"Delegate_UpdateVerificationCount"},
-- {tcs_wrap_Delegate_VerifyDelegation,"Delegate_VerifyDelegation"},
-- {tcs_wrap_CreateRevocableEndorsementKeyPair,"CreateRevocableEndorsementKeyPair"}, /* 110 */
-- {tcs_wrap_RevokeEndorsementKeyPair,"RevokeEndorsementKeyPair"},
-- {tcs_wrap_Error,"Error - was MakeIdentity2"},
-- {tcs_wrap_Quote2,"Quote2"},
-- {tcs_wrap_CMK_SetRestrictions,"CMK_SetRestrictions"},
-- {tcs_wrap_CMK_ApproveMA,"CMK_ApproveMA"}, /* 115 */
-- {tcs_wrap_CMK_CreateKey,"CMK_CreateKey"},
-- {tcs_wrap_CMK_CreateTicket,"CMK_CreateTicket"},
-- {tcs_wrap_CMK_CreateBlob,"CMK_CreateBlob"},
-- {tcs_wrap_CMK_ConvertMigration,"CMK_ConvertMigration"},
-- {tcs_wrap_FlushSpecific,"FlushSpecific"}, /* 120 */
-- {tcs_wrap_KeyControlOwner, "KeyControlOwner"},
-- {tcs_wrap_DSAP, "DSAP"}
--};
--
-+ {tcs_wrap_Error,"Error", 0}, /* 0 */
-+ {tcs_wrap_OpenContext,"OpenContext", 0},
-+ {tcs_wrap_CloseContext,"CloseContext", 0},
-+ {tcs_wrap_Error,"Error", 0},
-+ {tcs_wrap_TCSGetCapability,"TCSGetCapability", 0},
-+ {tcs_wrap_RegisterKey,"RegisterKey", 0}, /* 5 */
-+ {tcs_wrap_UnregisterKey,"UnregisterKey", 0},
-+ {tcs_wrap_EnumRegisteredKeys,"EnumRegisteredKeys", 0},
-+ {tcs_wrap_Error,"Error", 0},
-+ {tcs_wrap_GetRegisteredKeyBlob,"GetRegisteredKeyBlob", 0},
-+ {tcs_wrap_GetRegisteredKeyByPublicInfo,"GetRegisteredKeyByPublicInfo", 0}, /* 10 */
-+ {tcs_wrap_LoadKeyByBlob,"LoadKeyByBlob", 0},
-+ {tcs_wrap_LoadKeyByUUID,"LoadKeyByUUID", 0},
-+ {tcs_wrap_EvictKey,"EvictKey", 0},
-+ {tcs_wrap_CreateWrapKey,"CreateWrapKey", 0},
-+ {tcs_wrap_GetPubkey,"GetPubkey", 0}, /* 15 */
-+ {tcs_wrap_MakeIdentity,"MakeIdentity", 0},
-+ {tcs_wrap_LogPcrEvent,"LogPcrEvent", 0},
-+ {tcs_wrap_GetPcrEvent,"GetPcrEvent", 0},
-+ {tcs_wrap_GetPcrEventsByPcr,"GetPcrEventsByPcr", 0},
-+ {tcs_wrap_GetPcrEventLog,"GetPcrEventLog", 0}, /* 20 */
-+ {tcs_wrap_SetOwnerInstall,"SetOwnerInstall", TPM_ORD_SetOwnerInstall},
-+ {tcs_wrap_TakeOwnership,"TakeOwnership", TPM_ORD_TakeOwnership},
-+ {tcs_wrap_OIAP,"OIAP", 0},
-+ {tcs_wrap_OSAP,"OSAP", 0},
-+ {tcs_wrap_ChangeAuth,"ChangeAuth", 0}, /* 25 */
-+ {tcs_wrap_ChangeAuthOwner,"ChangeAuthOwner", 0},
-+ {tcs_wrap_Error,"Error", 0},
-+ {tcs_wrap_Error,"Error", 0},
-+ {tcs_wrap_TerminateHandle,"TerminateHandle", 0},
-+ {tcs_wrap_ActivateIdentity,"ActivateIdentity", 0}, /* 30 */
-+ {tcs_wrap_Extend,"Extend", 0},
-+ {tcs_wrap_PcrRead,"PcrRead", 0},
-+ {tcs_wrap_Quote,"Quote", 0},
-+ {tcs_wrap_DirWriteAuth,"DirWriteAuth", 0},
-+ {tcs_wrap_DirRead,"DirRead", 0}, /* 35 */
-+ {tcs_wrap_Seal,"Seal", 0},
-+ {tcs_wrap_UnSeal,"UnSeal", 0},
-+ {tcs_wrap_UnBind,"UnBind", 0},
-+ {tcs_wrap_CreateMigrationBlob,"CreateMigrationBlob", 0},
-+ {tcs_wrap_ConvertMigrationBlob,"ConvertMigrationBlob", 0}, /* 40 */
-+ {tcs_wrap_AuthorizeMigrationKey,"AuthorizeMigrationKey", 0},
-+ {tcs_wrap_CertifyKey,"CertifyKey", 0},
-+ {tcs_wrap_Sign,"Sign", 0},
-+ {tcs_wrap_GetRandom,"GetRandom", 0},
-+ {tcs_wrap_StirRandom,"StirRandom", 0}, /* 45 */
-+ {tcs_wrap_GetCapability,"GetCapability", 0},
-+ {tcs_wrap_Error,"Error", 0},
-+ {tcs_wrap_GetCapabilityOwner,"GetCapabilityOwner", 0},
-+ {tcs_wrap_CreateEndorsementKeyPair,"CreateEndorsementKeyPair", 0},
-+ {tcs_wrap_ReadPubek,"ReadPubek", 0}, /* 50 */
-+ {tcs_wrap_DisablePubekRead,"DisablePubekRead", 0},
-+ {tcs_wrap_OwnerReadPubek,"OwnerReadPubek", 0},
-+ {tcs_wrap_SelfTestFull,"SelfTestFull", TPM_ORD_SelfTestFull},
-+ {tcs_wrap_CertifySelfTest,"CertifySelfTest", TPM_ORD_CertifySelfTest},
-+ {tcs_wrap_Error,"Error", 0}, /* 55 */
-+ {tcs_wrap_GetTestResult,"GetTestResult", 0},
-+ {tcs_wrap_OwnerSetDisable,"OwnerSetDisable", TPM_ORD_OwnerSetDisable},
-+ {tcs_wrap_OwnerClear,"OwnerClear", TPM_ORD_OwnerClear},
-+ {tcs_wrap_DisableOwnerClear,"DisableOwnerClear", TPM_ORD_DisableOwnerClear},
-+ {tcs_wrap_ForceClear,"ForceClear", TPM_ORD_ForceClear}, /* 60 */
-+ {tcs_wrap_DisableForceClear,"DisableForceClear", TPM_ORD_DisableForceClear},
-+ {tcs_wrap_PhysicalDisable,"PhysicalDisable", TPM_ORD_PhysicalDisable},
-+ {tcs_wrap_PhysicalEnable,"PhysicalEnable", TPM_ORD_PhysicalEnable},
-+ {tcs_wrap_PhysicalSetDeactivated,"PhysicalSetDeactivated", TPM_ORD_PhysicalSetDeactivated},
-+ {tcs_wrap_SetTempDeactivated,"SetTempDeactivated", TPM_ORD_SetTempDeactivated}, /* 65 */
-+ {tcs_wrap_PhysicalPresence,"PhysicalPresence", TSC_ORD_PhysicalPresence},
-+ {tcs_wrap_Error,"Error", 0},
-+ {tcs_wrap_Error,"Error", 0},
-+ {tcs_wrap_CreateMaintenanceArchive,"CreateMaintenanceArchive", 0},
-+ {tcs_wrap_LoadMaintenanceArchive,"LoadMaintenanceArchive", 0}, /* 70 */
-+ {tcs_wrap_KillMaintenanceFeature,"KillMaintenanceFeature", 0},
-+ {tcs_wrap_LoadManuMaintPub,"LoadManuMaintPub", 0},
-+ {tcs_wrap_ReadManuMaintPub,"ReadManuMaintPub", 0},
-+ {tcs_wrap_DaaJoin,"DaaJoin", 0},
-+ {tcs_wrap_DaaSign,"DaaSign", 0}, /* 75 */
-+ {tcs_wrap_SetCapability,"SetCapability", 0},
-+ {tcs_wrap_ResetLockValue,"ResetLockValue", TPM_ORD_ResetLockValue},
-+ {tcs_wrap_PcrReset,"PcrReset", 0},
-+ {tcs_wrap_ReadCounter,"ReadCounter", 0},
-+ {tcs_wrap_CreateCounter,"CreateCounter", 0}, /* 80 */
-+ {tcs_wrap_IncrementCounter,"IncrementCounter", 0},
-+ {tcs_wrap_ReleaseCounter,"ReleaseCounter", 0},
-+ {tcs_wrap_ReleaseCounterOwner,"ReleaseCounterOwner", 0},
-+ {tcs_wrap_ReadCurrentTicks,"ReadCurrentTicks", 0},
-+ {tcs_wrap_TickStampBlob,"TicksStampBlob", 0}, /* 85 */
-+ {tcs_wrap_GetCredential,"GetCredential", 0},
-+ {tcs_wrap_NV_DefineOrReleaseSpace,"NVDefineOrReleaseSpace", 0},
-+ {tcs_wrap_NV_WriteValue,"NVWriteValue", 0},
-+ {tcs_wrap_NV_WriteValueAuth,"NVWriteValueAuth", 0},
-+ {tcs_wrap_NV_ReadValue,"NVReadValue", 0}, /* 90 */
-+ {tcs_wrap_NV_ReadValueAuth,"NVReadValueAuth", 0},
-+ {tcs_wrap_EstablishTransport,"EstablishTransport", 0},
-+ {tcs_wrap_ExecuteTransport,"ExecuteTransport", 0},
-+ {tcs_wrap_ReleaseTransportSigned,"ReleaseTransportSigned", 0},
-+ {tcs_wrap_SetOrdinalAuditStatus,"SetOrdinalAuditStatus", 0}, /* 95 */
-+ {tcs_wrap_GetAuditDigest,"GetAuditDigest", 0},
-+ {tcs_wrap_GetAuditDigestSigned,"GetAuditDigestSigned", 0},
-+ {tcs_wrap_Sealx,"Sealx", 0},
-+ {tcs_wrap_SetOperatorAuth,"SetOperatorAuth", TPM_ORD_SetOperatorAuth},
-+ {tcs_wrap_OwnerReadInternalPub,"OwnerReadInternalPub", 0}, /* 100 */
-+ {tcs_wrap_EnumRegisteredKeys2,"EnumRegisteredKeys2", 0},
-+ {tcs_wrap_SetTempDeactivated2,"SetTempDeactivated2", 0},
-+ {tcs_wrap_Delegate_Manage,"Delegate_Manage", 0},
-+ {tcs_wrap_Delegate_CreateKeyDelegation,"Delegate_CreateKeyDelegation", 0},
-+ {tcs_wrap_Delegate_CreateOwnerDelegation,"Delegate_CreateOwnerDelegation", 0}, /* 105 */
-+ {tcs_wrap_Delegate_LoadOwnerDelegation,"Delegate_LoadOwnerDelegation", 0},
-+ {tcs_wrap_Delegate_ReadTable,"Delegate_ReadTable", 0},
-+ {tcs_wrap_Delegate_UpdateVerificationCount,"Delegate_UpdateVerificationCount", 0},
-+ {tcs_wrap_Delegate_VerifyDelegation,"Delegate_VerifyDelegation", 0},
-+ {tcs_wrap_CreateRevocableEndorsementKeyPair,"CreateRevocableEndorsementKeyPair", 0}, /* 110 */
-+ {tcs_wrap_RevokeEndorsementKeyPair,"RevokeEndorsementKeyPair", 0},
-+ {tcs_wrap_Error,"Error - was MakeIdentity2", 0},
-+ {tcs_wrap_Quote2,"Quote2", 0},
-+ {tcs_wrap_CMK_SetRestrictions,"CMK_SetRestrictions", 0},
-+ {tcs_wrap_CMK_ApproveMA,"CMK_ApproveMA", 0}, /* 115 */
-+ {tcs_wrap_CMK_CreateKey,"CMK_CreateKey", 0},
-+ {tcs_wrap_CMK_CreateTicket,"CMK_CreateTicket", 0},
-+ {tcs_wrap_CMK_CreateBlob,"CMK_CreateBlob", 0},
-+ {tcs_wrap_CMK_ConvertMigration,"CMK_ConvertMigration", 0},
-+ {tcs_wrap_FlushSpecific,"FlushSpecific", 0}, /* 120 */
-+ {tcs_wrap_KeyControlOwner, "KeyControlOwner", 0},
-+ {tcs_wrap_DSAP, "DSAP", 0}
-+ };
- int
- access_control(struct tcsd_thread_data *thread_data)
- {
-@@ -562,11 +562,190 @@
- return 1;
- }
-
-+#if defined (SOLARIS)
-+
-+#include <ucred.h>
-+#include <bsm/adt.h>
-+#include <bsm/adt_event.h>
-+
-+static void
-+audit_tpm(UINT32 cmd, struct tcsd_thread_data *data)
-+{
-+ adt_session_data_t *ah = NULL;
-+ adt_event_data_t *event = NULL;
-+ ucred_t *uc = NULL;
-+ int adterr, msgid;
-+ int adtstatus = ADT_FAILURE;
-+
-+ if (getpeerucred(data->sock, &uc)) {
-+ LogError("Audit Failed - getpeerucred failed (%s)",
-+ strerror(errno));
-+ return;
-+ }
-+ if (adt_start_session(&ah, NULL, ADT_USE_PROC_DATA) != 0) {
-+ LogError("Audit Failed - adt_start_session failed (%s)",
-+ strerror(errno));
-+ goto end;
-+ }
-+
-+ if (adt_set_from_ucred(ah, uc, ADT_NEW) != 0) {
-+ LogError("Audit Failed - adt_set_from_ucred failed (%s)",
-+ strerror(errno));
-+ goto end;
-+ }
-+
-+ /*
-+ * NOTE: It is important that the ordering of the
-+ * error message definitions in the adt.xml IDL from the
-+ * libbsm library source matches the numerical ordering of
-+ * the TPM_E_* error codes in /usr/include/tss/tpm_error.h
-+ */
-+ if (data->comm.hdr.u.result == TSS_SUCCESS) {
-+ adtstatus = ADT_SUCCESS;
-+ adterr = ADT_SUCCESS;
-+ /*
-+ * Use literal value here until the
-+ * build system is updated with latest adt_event.h
-+ * 4102 = ADT_TPM_E_NO_MSG (build 123).
-+ * Change this later.
-+ */
-+ msgid = 4102;
-+ } else if (data->comm.hdr.u.result & TPM_E_NON_FATAL) {
-+ /*
-+ * NON_FATAL TPM errors are masked (0x800) so they are not in numerical
-+ * sequence with the rest of the TPM errors.
-+ */
-+ msgid = ADT_TPM_E_RETRY +
-+ (data->comm.hdr.u.result - TPM_E_RETRY);
-+ adterr = ADT_FAIL_VALUE_PROGRAM;
-+ } else {
-+ msgid = ADT_TPM_E_AUTHFAIL +
-+ (data->comm.hdr.u.result - TPM_E_AUTHFAIL);
-+ adterr = ADT_FAIL_VALUE_PROGRAM;
-+ }
-+ switch(cmd) {
-+ case TPM_ORD_CertifySelfTest:
-+ event = adt_alloc_event(ah, ADT_tpm_certifyselftest);
-+ if (event != NULL)
-+ event->adt_tpm_certifyselftest.message = msgid;
-+ break;
-+ case TPM_ORD_OwnerClear:
-+ event = adt_alloc_event(ah, ADT_tpm_ownerclear);
-+ if (event != NULL)
-+ event->adt_tpm_ownerclear.message = msgid;
-+ break;
-+ case TPM_ORD_ContinueSelfTest:
-+ event = adt_alloc_event(ah, ADT_tpm_continueselftest);
-+ if (event != NULL)
-+ event->adt_tpm_continueselftest.message = msgid;
-+ break;
-+ case TPM_ORD_DisableForceClear:
-+ event = adt_alloc_event(ah, ADT_tpm_disableforceclear);
-+ if (event != NULL)
-+ event->adt_tpm_disableforceclear.message = msgid;
-+ break;
-+ case TPM_ORD_DisableOwnerClear:
-+ event = adt_alloc_event(ah, ADT_tpm_disableownerclear);
-+ if (event != NULL)
-+ event->adt_tpm_disableownerclear.message = msgid;
-+ break;
-+ case TPM_ORD_FieldUpgrade:
-+ event = adt_alloc_event(ah, ADT_tpm_fieldupgrade);
-+ if (event != NULL)
-+ event->adt_tpm_fieldupgrade.message = msgid;
-+ break;
-+ case TPM_ORD_ForceClear:
-+ event = adt_alloc_event(ah, ADT_tpm_forceclear);
-+ if (event != NULL)
-+ event->adt_tpm_forceclear.message = msgid;
-+ break;
-+ case TPM_ORD_OwnerSetDisable:
-+ event = adt_alloc_event(ah, ADT_tpm_ownersetdisable);
-+ if (event != NULL)
-+ event->adt_tpm_ownersetdisable.message = msgid;
-+ break;
-+ case TPM_ORD_PhysicalEnable:
-+ event = adt_alloc_event(ah, ADT_tpm_physicalenable);
-+ if (event != NULL)
-+ event->adt_tpm_physicalenable.message = msgid;
-+ break;
-+ case TPM_ORD_PhysicalDisable:
-+ event = adt_alloc_event(ah, ADT_tpm_physicaldisable);
-+ if (event != NULL)
-+ event->adt_tpm_physicaldisable.message = msgid;
-+ break;
-+ case TPM_ORD_PhysicalSetDeactivated:
-+ event = adt_alloc_event(ah, ADT_tpm_physicaldeactivate);
-+ if (event != NULL)
-+ event->adt_tpm_physicaldeactivate.message = msgid;
-+ break;
-+ case TSC_ORD_PhysicalPresence:
-+ event = adt_alloc_event(ah, ADT_tpm_physicalpresence);
-+ if (event != NULL)
-+ event->adt_tpm_physicalpresence.message = msgid;
-+ break;
-+ case TPM_ORD_ResetLockValue:
-+ event = adt_alloc_event(ah, ADT_tpm_resetlockvalue);
-+ if (event != NULL)
-+ event->adt_tpm_resetlockvalue.message = msgid;
-+ break;
-+ case TPM_ORD_SelfTestFull:
-+ event = adt_alloc_event(ah, ADT_tpm_selftestfull);
-+ if (event != NULL)
-+ event->adt_tpm_selftestfull.message = msgid;
-+ break;
-+ case TPM_ORD_SetOperatorAuth:
-+ event = adt_alloc_event(ah, ADT_tpm_setoperatorauth);
-+ if (event != NULL)
-+ event->adt_tpm_setoperatorauth.message = msgid;
-+ break;
-+ case TPM_ORD_SetOwnerInstall:
-+ event = adt_alloc_event(ah, ADT_tpm_setownerinstall);
-+ if (event != NULL)
-+ event->adt_tpm_setownerinstall.message = msgid;
-+ break;
-+ case TPM_ORD_SetTempDeactivated:
-+ event = adt_alloc_event(ah, ADT_tpm_settempdeactivated);
-+ if (event != NULL)
-+ event->adt_tpm_settempdeactivated.message = msgid;
-+ break;
-+ case TPM_ORD_TakeOwnership:
-+ event = adt_alloc_event(ah, ADT_tpm_takeownership);
-+ if (event != NULL)
-+ event->adt_tpm_takeownership.message = msgid;
-+ break;
-+ default:
-+ /* command not audited */
-+ goto end;
-+ }
-+ if (event == NULL) {
-+ LogError("Audit Failed - Failed to allocate event (%s)",
-+ strerror(errno));
-+ goto end;
-+ }
-+
-+ if (adt_put_event(event, adtstatus, adterr)) {
-+ LogError("Audit Failed - Failed to put audit event (%s)",
-+ strerror(errno));
-+ }
-+
-+end:
-+ ucred_free(uc);
-+ adt_free_event(event);
-+ (void) adt_end_session(ah);
-+
-+ return;
-+}
-+#endif /* SOLARIS */
-+
- TSS_RESULT
- dispatchCommand(struct tcsd_thread_data *data)
- {
- UINT64 offset;
- TSS_RESULT result;
-+#if defined (SOLARIS)
-+ UINT32 cmd;
-+#endif
-
- /* First, check the ordinal bounds */
- if (data->comm.hdr.u.ordinal >= TCSD_MAX_NUM_ORDS) {
-@@ -596,6 +775,9 @@
- }
-
- /* Now, dispatch */
-+#if defined (SOLARIS)
-+ cmd = tcs_func_table[data->comm.hdr.u.ordinal].ordinal;
-+#endif
- if ((result = tcs_func_table[data->comm.hdr.u.ordinal].Func(data)) == TSS_SUCCESS) {
- /* set the comm buffer */
- offset = 0;
-@@ -607,6 +789,9 @@
- LoadBlob_UINT32(&offset, data->comm.hdr.parm_size, data->comm.buf);
- LoadBlob_UINT32(&offset, data->comm.hdr.parm_offset, data->comm.buf);
- }
-+#if defined (SOLARIS)
-+ audit_tpm(cmd, data);
-+#endif
-
- return result;
-
--- a/components/trousers/patches/tddl.c.patch Fri Oct 19 16:06:19 2012 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,79 +0,0 @@
---- src/tddl/tddl.c.old 2010-04-12 22:24:21.000000000 -0700
-+++ src/tddl/tddl.c 2011-07-12 13:14:57.362305220 -0700
-@@ -18,13 +18,17 @@
-
- #include "trousers/tss.h"
- #include "trousers_types.h"
-+#ifndef SOLARIS
- #include "linux/tpm.h"
-+#endif
- #include "tcslog.h"
- #include "tddl.h"
-
- struct tpm_device_node tpm_device_nodes[] = {
-+#ifndef SOLARIS
- {"/dev/tpm0", TDDL_UNDEF, TDDL_UNDEF},
- {"/udev/tpm0", TDDL_UNDEF, TDDL_UNDEF},
-+#endif
- {"/dev/tpm", TDDL_UNDEF, TDDL_UNDEF},
- {NULL, 0, 0}
- };
-@@ -63,7 +67,7 @@
-
-
- fd = socket(AF_INET, SOCK_STREAM, 0);
-- if (fd > 0) {
-+ if (fd >= 0) {
- struct hostent *host = gethostbyname(tcp_device_hostname);
- if (host != NULL) {
- struct sockaddr_in addr;
-@@ -105,12 +109,16 @@
- /* tpm_device_paths is filled out in tddl.h */
- for (i = 0; tpm_device_nodes[i].path != NULL; i++) {
- errno = 0;
-- if ((fd = open(tpm_device_nodes[i].path, O_RDWR)) >= 0)
-+ if ((fd = open(tpm_device_nodes[i].path, O_RDWR)) >= 0) {
- break;
-+ } else {
-+ fprintf(stderr, "Error opening %s: %s\n",
-+ tpm_device_nodes[i].path, strerror(errno));
-+ }
- }
- }
--
-- if (fd > 0) {
-+
-+ if (fd >= 0) {
- opened_device = &(tpm_device_nodes[i]);
- tpm_device_nodes[i].fd = fd;
- }
-@@ -181,11 +189,13 @@
- /* fall through */
- case TDDL_TRANSMIT_IOCTL:
- errno = 0;
-+#ifndef SOLARIS
- if ((sizeResult = ioctl(opened_device->fd, TPMIOC_TRANSMIT, txBuffer)) != -1) {
- opened_device->transmit = TDDL_TRANSMIT_IOCTL;
- break;
- }
- LogWarn("ioctl: (%d) %s", errno, strerror(errno));
-+#endif
- LogInfo("Falling back to Read/Write device support.");
- /* fall through */
- case TDDL_TRANSMIT_RW:
-@@ -255,6 +265,7 @@
-
- TSS_RESULT Tddli_Cancel(void)
- {
-+#ifndef SOLARIS
- int rc;
-
- if (opened_device->transmit == TDDL_TRANSMIT_IOCTL) {
-@@ -270,4 +281,7 @@
- } else {
- return TDDLERR(TSS_E_NOTIMPL);
- }
-+#else
-+ return TDDLERR(TSS_E_NOTIMPL);
-+#endif /* SOLARIS */
- }
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/trousers/patches/tddl_tddl.c.patch Sat Oct 20 00:06:08 2012 -0700
@@ -0,0 +1,93 @@
+--- src/tddl/tddl.c Mon Apr 12 22:24:21 2010
++++ src/tddl/tddl.c.new Thu Sep 22 12:28:25 2011
+@@ -18,13 +18,17 @@
+
+ #include "trousers/tss.h"
+ #include "trousers_types.h"
++#ifndef SOLARIS
+ #include "linux/tpm.h"
++#endif
+ #include "tcslog.h"
+ #include "tddl.h"
+
+ struct tpm_device_node tpm_device_nodes[] = {
++#ifndef SOLARIS
+ {"/dev/tpm0", TDDL_UNDEF, TDDL_UNDEF},
+ {"/udev/tpm0", TDDL_UNDEF, TDDL_UNDEF},
++#endif
+ {"/dev/tpm", TDDL_UNDEF, TDDL_UNDEF},
+ {NULL, 0, 0}
+ };
+@@ -42,6 +46,13 @@
+ #include <netdb.h>
+ #include <fcntl.h>
+
++#ifdef SOLARIS
++int
++get_device_fd()
++{
++ return (opened_device->fd);
++}
++#endif
+
+ int
+ open_device()
+@@ -63,7 +74,7 @@
+
+
+ fd = socket(AF_INET, SOCK_STREAM, 0);
+- if (fd > 0) {
++ if (fd >= 0) {
+ struct hostent *host = gethostbyname(tcp_device_hostname);
+ if (host != NULL) {
+ struct sockaddr_in addr;
+@@ -105,12 +116,16 @@
+ /* tpm_device_paths is filled out in tddl.h */
+ for (i = 0; tpm_device_nodes[i].path != NULL; i++) {
+ errno = 0;
+- if ((fd = open(tpm_device_nodes[i].path, O_RDWR)) >= 0)
++ if ((fd = open(tpm_device_nodes[i].path, O_RDWR)) >= 0) {
+ break;
++ } else {
++ fprintf(stderr, "Error opening %s: %s\n",
++ tpm_device_nodes[i].path, strerror(errno));
++ }
+ }
+ }
+-
+- if (fd > 0) {
++
++ if (fd >= 0) {
+ opened_device = &(tpm_device_nodes[i]);
+ tpm_device_nodes[i].fd = fd;
+ }
+@@ -181,11 +196,13 @@
+ /* fall through */
+ case TDDL_TRANSMIT_IOCTL:
+ errno = 0;
++#ifndef SOLARIS
+ if ((sizeResult = ioctl(opened_device->fd, TPMIOC_TRANSMIT, txBuffer)) != -1) {
+ opened_device->transmit = TDDL_TRANSMIT_IOCTL;
+ break;
+ }
+ LogWarn("ioctl: (%d) %s", errno, strerror(errno));
++#endif
+ LogInfo("Falling back to Read/Write device support.");
+ /* fall through */
+ case TDDL_TRANSMIT_RW:
+@@ -255,6 +272,7 @@
+
+ TSS_RESULT Tddli_Cancel(void)
+ {
++#ifndef SOLARIS
+ int rc;
+
+ if (opened_device->transmit == TDDL_TRANSMIT_IOCTL) {
+@@ -270,4 +288,7 @@
+ } else {
+ return TDDLERR(TSS_E_NOTIMPL);
+ }
++#else
++ return TDDLERR(TSS_E_NOTIMPL);
++#endif /* SOLARIS */
+ }
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/trousers/patches/trspi_crypto_openssl_hash.c.patch Sat Oct 20 00:06:08 2012 -0700
@@ -0,0 +1,87 @@
+--- src/trspi/crypto/openssl/hash.c.old 2011-05-09 06:20:09.505021734 -0700
++++ src/trspi/crypto/openssl/hash.c 2011-05-09 06:19:04.603252090 -0700
+@@ -56,45 +56,21 @@
+ TSS_RESULT
+ Trspi_Hash(UINT32 HashType, UINT32 BufSize, BYTE* Buf, BYTE* Digest)
+ {
+- EVP_MD_CTX md_ctx;
+- unsigned int result_size;
+- int rv;
++ Trspi_HashCtx ctx;
++ TSS_RESULT rv;
+
+- switch (HashType) {
+- case TSS_HASH_SHA1:
+- rv = EVP_DigestInit(&md_ctx, EVP_sha1());
+- break;
+- default:
+- rv = TSPERR(TSS_E_BAD_PARAMETER);
+- goto out;
+- break;
+- }
++ rv = Trspi_HashInit(&ctx, HashType);
++ if (rv != TSS_SUCCESS)
++ return rv;
+
+- if (rv != EVP_SUCCESS) {
+- rv = TSPERR(TSS_E_INTERNAL_ERROR);
+- goto err;
+- }
+-
+- rv = EVP_DigestUpdate(&md_ctx, Buf, BufSize);
+- if (rv != EVP_SUCCESS) {
+- rv = TSPERR(TSS_E_INTERNAL_ERROR);
+- goto err;
++ rv = Trspi_HashUpdate(&ctx, BufSize, Buf);
++ if (rv != TSS_SUCCESS) {
++ EVP_MD_CTX_destroy(ctx.ctx);
++ return rv;
+ }
++ rv = Trspi_HashFinal(&ctx, Digest);
+
+- result_size = EVP_MD_CTX_size(&md_ctx);
+- rv = EVP_DigestFinal(&md_ctx, Digest, &result_size);
+- if (rv != EVP_SUCCESS) {
+- rv = TSPERR(TSS_E_INTERNAL_ERROR);
+- goto err;
+- } else
+- rv = TSS_SUCCESS;
+-
+- goto out;
+-
+-err:
+- DEBUG_print_openssl_errors();
+-out:
+- return rv;
++ return (rv);
+ }
+
+ TSS_RESULT
+@@ -112,7 +88,8 @@
+ break;
+ }
+
+- if ((ctx->ctx = malloc(sizeof(EVP_MD_CTX))) == NULL)
++ ctx->ctx = EVP_MD_CTX_create();
++ if (ctx->ctx == NULL)
+ return TSPERR(TSS_E_OUTOFMEMORY);
+
+ rv = EVP_DigestInit((EVP_MD_CTX *)ctx->ctx, (const EVP_MD *)md);
+@@ -142,7 +119,7 @@
+ rv = EVP_DigestUpdate(ctx->ctx, data, size);
+ if (rv != EVP_SUCCESS) {
+ DEBUG_print_openssl_errors();
+- free(ctx->ctx);
++ EVP_MD_CTX_destroy(ctx->ctx);
+ ctx->ctx = NULL;
+ return TSPERR(TSS_E_INTERNAL_ERROR);
+ }
+@@ -164,7 +141,7 @@
+ if (rv != EVP_SUCCESS)
+ return TSPERR(TSS_E_INTERNAL_ERROR);
+
+- free(ctx->ctx);
++ EVP_MD_CTX_destroy(ctx->ctx);
+ ctx->ctx = NULL;
+
+ return TSS_SUCCESS;
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/trousers/patches/tspi_ps_tspps.c.patch Sat Oct 20 00:06:08 2012 -0700
@@ -0,0 +1,55 @@
+--- src/tspi/ps/tspps.c.orig 2011-03-24 13:06:14.607907754 -0700
++++ src/tspi/ps/tspps.c 2011-03-24 13:07:30.668528209 -0700
+@@ -70,9 +70,12 @@
+ TSS_RESULT result;
+ char *file_name = NULL, *home_dir = NULL;
+ struct passwd *pwp;
+-#if (defined (__linux) || defined (linux) || defined(__GLIBC__))
++#if (defined (__linux) || defined (linux) || defined(__GLIBC__) || defined(SOLARIS))
+ struct passwd pw;
+ #endif
++#ifdef SOLARIS
++ char pwbuf[PASSWD_BUFSIZE];
++#endif
+ struct stat stat_buf;
+ char buf[PASSWD_BUFSIZE];
+ uid_t euid;
+@@ -94,9 +97,16 @@
+ * in the user's home directory, which may be shared
+ * by multiple systems.
+ *
+- * The directory path on Solaris is /var/tpm/userps/[EUID]/
++ * The directory path on Solaris is /var/user[USERNAME]/tpm/userps
+ */
+- rc = snprintf(buf, sizeof (buf), "%s/%d", TSS_USER_PS_DIR, euid);
++
++ pwp = getpwuid_r(euid, &pw, pwbuf, sizeof (pwbuf));
++ if (pwp != NULL) {
++ rc = snprintf(buf, sizeof (buf), "/var/user/%s/tpm/userps",
++ pwp->pw_name);
++ } else {
++ return TSPERR(TSS_E_INTERNAL_ERROR);
++ }
+ #else
+ setpwent();
+ while (1) {
+@@ -142,7 +152,7 @@
+ if (errno == ENOENT) {
+ errno = 0;
+ /* Create the user's ps directory if it is not there. */
+- if ((rc = mkdir(buf, 0700)) == -1) {
++ if ((rc = mkdirp(buf, 0700)) == -1) {
+ LogDebugFn("USER PS: Error creating dir: %s: %s", buf,
+ strerror(errno));
+ result = TSPERR(TSS_E_INTERNAL_ERROR);
+@@ -157,8 +167,8 @@
+
+ /* Directory exists or has been created, return the path to the file */
+ #if defined (SOLARIS)
+- rc = snprintf(buf, sizeof (buf), "%s/%d/%s", TSS_USER_PS_DIR, euid,
+- TSS_USER_PS_FILE);
++ rc = snprintf(buf, sizeof (buf), "/var/user/%s/tpm/userps/%s",
++ pwp->pw_name, TSS_USER_PS_FILE);
+ #else
+ rc = snprintf(buf, sizeof (buf), "%s/%s/%s", home_dir, TSS_USER_PS_DIR,
+ TSS_USER_PS_FILE);
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/trousers/patches/tspi_rpc_hosttable.c.patch Sat Oct 20 00:06:08 2012 -0700
@@ -0,0 +1,59 @@
+--- src/tspi/rpc/hosttable.c 2010-05-01 19:39:11.000000000 -0700
++++ src/tspi/rpc/hosttable.c 2012-03-23 16:21:30.018582000 -0700
+@@ -22,7 +22,7 @@
+ struct host_table *ht = NULL;
+
+ TSS_RESULT
+-host_table_init()
++static host_table_init(void)
+ {
+ ht = calloc(1, sizeof(struct host_table));
+ if (ht == NULL) {
+@@ -36,8 +36,7 @@
+ }
+
+ #ifdef SOLARIS
+-#pragma init(_init)
+-void _init(void)
++static void my_init(void)
+ #else
+ void __attribute__ ((constructor)) my_init(void)
+ #endif
+@@ -46,11 +45,14 @@
+ __tspi_obj_list_init();
+ }
+
+-void
++static void
+ host_table_final()
+ {
+ struct host_table_entry *hte, *next = NULL;
+
++ if (ht == NULL) /* no host table to free */
++ return;
++
+ MUTEX_LOCK(ht->lock);
+
+ for (hte = ht->entries; hte; hte = next) {
+@@ -70,8 +72,7 @@
+ }
+
+ #ifdef SOLARIS
+-#pragma fini(_fini)
+-void _fini(void)
++static void my_fini(void)
+ #else
+ void __attribute__ ((destructor)) my_fini(void)
+ #endif
+@@ -79,6 +80,11 @@
+ host_table_final();
+ }
+
++#ifdef SOLARIS
++#pragma init(my_init)
++#pragma fini(my_fini)
++#endif
++
+ TSS_RESULT
+ __tspi_add_table_entry(TSS_HCONTEXT tspContext, BYTE *host, int type, struct host_table_entry **ret)
+ {
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/trousers/patches/tspi_rpc_tcstp_rpc.c.patch Sat Oct 20 00:06:08 2012 -0700
@@ -0,0 +1,98 @@
+--- src/tspi/rpc/tcstp/rpc.c 2010-03-11 12:26:51.000000000 -0800
++++ src/tspi/rpc/tcstp/rpc.c 2012-04-11 14:28:08.181630000 -0700
+@@ -345,41 +345,67 @@
+ BYTE *buffer;
+ TSS_RESULT result;
+
+- struct sockaddr_in addr;
+- struct hostent *hEnt = NULL;
++ if (get_port() == 0) { /* use UNIX Domain socket */
++ struct sockaddr_un addr;
+
+- sd = socket(PF_INET, SOCK_STREAM, 0);
+- if (sd == -1) {
+- LogError("socket: %s", strerror(errno));
+- result = TSPERR(TSS_E_COMM_FAILURE);
+- goto err_exit;
+- }
+-
+- memset(&addr, 0, sizeof(addr));
+- addr.sin_family = AF_INET;
+- addr.sin_port = htons(get_port());
++ sd = socket(PF_UNIX, SOCK_STREAM, 0);
++ if (sd == -1) {
++ LogError("socket(PF_UNIX): %s", strerror(errno));
++ result = TSPERR(TSS_E_COMM_FAILURE);
++ goto err_exit;
++ }
+
+- LogDebug("Sending TSP packet to host %s.", hte->hostname);
++ memset(&addr, 0, sizeof(addr));
++ addr.sun_family = AF_UNIX;
++ strncpy(addr.sun_path, TCSD_DEFAULT_SOCKET,
++ sizeof(addr.sun_path));
++
++ LogDebug("Connecting to UNIX Domain socket %s",
++ TCSD_DEFAULT_SOCKET);
++
++ if (connect(sd, (struct sockaddr *) &addr, sizeof (addr))) {
++ LogError("connect: %s", strerror(errno));
++ result = TSPERR(TSS_E_COMM_FAILURE);
++ goto err_exit;
++ }
+
+- /* try to resolve by hostname first */
+- hEnt = gethostbyname((char *)hte->hostname);
+- if (hEnt == NULL) {
+- /* if by hostname fails, try by dot notation */
+- if (inet_aton((char *)hte->hostname, &addr.sin_addr) == 0) {
+- LogError("hostname %s does not resolve to a valid address.", hte->hostname);
+- result = TSPERR(TSS_E_CONNECTION_FAILED);
++ } else { /* use TCP socket */
++ struct sockaddr_in addr;
++ struct hostent *hEnt = NULL;
++
++ sd = socket(PF_INET, SOCK_STREAM, 0);
++ if (sd == -1) {
++ LogError("socket: %s", strerror(errno));
++ result = TSPERR(TSS_E_COMM_FAILURE);
+ goto err_exit;
+ }
+- } else {
+- memcpy(&addr.sin_addr, hEnt->h_addr_list[0], 4);
+- }
+
+- LogDebug("Connecting to %s", inet_ntoa(addr.sin_addr));
++ memset(&addr, 0, sizeof(addr));
++ addr.sin_family = AF_INET;
++ addr.sin_port = htons(get_port());
++
++ LogDebug("Sending TSP packet to host %s.", hte->hostname);
++
++ /* try to resolve by hostname first */
++ hEnt = gethostbyname((char *)hte->hostname);
++ if (hEnt == NULL) {
++ /* if by hostname fails, try by dot notation */
++ if (inet_aton((char *)hte->hostname, &addr.sin_addr) == 0) {
++ LogError("hostname %s does not resolve to a valid address.", hte->hostname);
++ result = TSPERR(TSS_E_CONNECTION_FAILED);
++ goto err_exit;
++ }
++ } else {
++ memcpy(&addr.sin_addr, hEnt->h_addr_list[0], 4);
++ }
+
+- if (connect(sd, (struct sockaddr *) &addr, sizeof (addr))) {
+- LogError("connect: %s", strerror(errno));
+- result = TSPERR(TSS_E_COMM_FAILURE);
+- goto err_exit;
++ LogDebug("Connecting to %s", inet_ntoa(addr.sin_addr));
++
++ if (connect(sd, (struct sockaddr *) &addr, sizeof (addr))) {
++ LogError("connect: %s", strerror(errno));
++ result = TSPERR(TSS_E_COMM_FAILURE);
++ goto err_exit;
++ }
+ }
+
+ if (send_to_socket(sd, hte->comm.buf, hte->comm.hdr.packet_size) < 0) {
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/trousers/patches/tspi_tsp_policy.c.patch Sat Oct 20 00:06:08 2012 -0700
@@ -0,0 +1,40 @@
+--- src/tspi/tsp_policy.c 2010-05-01 19:39:11.000000000 -0700
++++ src/tspi/tsp_policy.c 2012-04-20 18:10:16.757128000 -0700
+@@ -86,15 +86,13 @@
+ int
+ pin_mem(void *addr, size_t len)
+ {
+- /* only root can lock pages into RAM */
+- if (getuid() != (uid_t)0) {
+- LogWarn("Not pinning secrets in memory due to insufficient perms.");
+- return 0;
+- }
+-
+ len += (uintptr_t)addr & PGOFFSET;
+ addr = (void *)((uintptr_t)addr & PGMASK);
+ if (mlock(addr, len) == -1) {
++ if (errno == EPERM) {
++ LogWarn("Not pinning secrets in memory due to insufficient perms.");
++ return 0;
++ }
+ LogError("mlock: %s", strerror(errno));
+ return 1;
+ }
+@@ -105,14 +103,12 @@
+ int
+ unpin_mem(void *addr, size_t len)
+ {
+- /* only root can lock pages into RAM */
+- if (getuid() != (uid_t)0) {
+- return 0;
+- }
+-
+ len += (uintptr_t)addr & PGOFFSET;
+ addr = (void *)((uintptr_t)addr & PGMASK);
+ if (munlock(addr, len) == -1) {
++ if (errno == EPERM) {
++ return 0;
++ }
+ LogError("mlock: %s", strerror(errno));
+ return 1;
+ }
--- a/components/trousers/patches/tspps.c.patch Fri Oct 19 16:06:19 2012 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,55 +0,0 @@
---- src/tspi/ps/tspps.c.orig 2011-03-24 13:06:14.607907754 -0700
-+++ src/tspi/ps/tspps.c 2011-03-24 13:07:30.668528209 -0700
-@@ -70,9 +70,12 @@
- TSS_RESULT result;
- char *file_name = NULL, *home_dir = NULL;
- struct passwd *pwp;
--#if (defined (__linux) || defined (linux) || defined(__GLIBC__))
-+#if (defined (__linux) || defined (linux) || defined(__GLIBC__) || defined(SOLARIS))
- struct passwd pw;
- #endif
-+#ifdef SOLARIS
-+ char pwbuf[PASSWD_BUFSIZE];
-+#endif
- struct stat stat_buf;
- char buf[PASSWD_BUFSIZE];
- uid_t euid;
-@@ -94,9 +97,16 @@
- * in the user's home directory, which may be shared
- * by multiple systems.
- *
-- * The directory path on Solaris is /var/tpm/userps/[EUID]/
-+ * The directory path on Solaris is /var/user[USERNAME]/tpm/userps
- */
-- rc = snprintf(buf, sizeof (buf), "%s/%d", TSS_USER_PS_DIR, euid);
-+
-+ pwp = getpwuid_r(euid, &pw, pwbuf, sizeof (pwbuf));
-+ if (pwp != NULL) {
-+ rc = snprintf(buf, sizeof (buf), "/var/user/%s/tpm/userps",
-+ pwp->pw_name);
-+ } else {
-+ return TSPERR(TSS_E_INTERNAL_ERROR);
-+ }
- #else
- setpwent();
- while (1) {
-@@ -142,7 +152,7 @@
- if (errno == ENOENT) {
- errno = 0;
- /* Create the user's ps directory if it is not there. */
-- if ((rc = mkdir(buf, 0700)) == -1) {
-+ if ((rc = mkdirp(buf, 0700)) == -1) {
- LogDebugFn("USER PS: Error creating dir: %s: %s", buf,
- strerror(errno));
- result = TSPERR(TSS_E_INTERNAL_ERROR);
-@@ -157,8 +167,8 @@
-
- /* Directory exists or has been created, return the path to the file */
- #if defined (SOLARIS)
-- rc = snprintf(buf, sizeof (buf), "%s/%d/%s", TSS_USER_PS_DIR, euid,
-- TSS_USER_PS_FILE);
-+ rc = snprintf(buf, sizeof (buf), "/var/user/%s/tpm/userps/%s",
-+ pwp->pw_name, TSS_USER_PS_FILE);
- #else
- rc = snprintf(buf, sizeof (buf), "%s/%s/%s", home_dir, TSS_USER_PS_DIR,
- TSS_USER_PS_FILE);
--- a/components/trousers/patches/tspps.h.patch Fri Oct 19 16:06:19 2012 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,22 +0,0 @@
---- src/include/tspps.h.old 2009-09-08 07:39:30.000000000 -0700
-+++ src/include/tspps.h 2010-09-16 08:09:37.980051068 -0700
-@@ -13,13 +13,17 @@
-
- #define PASSWD_BUFSIZE 4096
-
-+#ifdef SOLARIS
-+#define TSS_USER_PS_DIR "/var/user/"
-+#else
- #define TSS_USER_PS_DIR ".trousers"
-+#endif
- #define TSS_USER_PS_FILE "user.data"
-
- TSS_RESULT get_file(int *);
- int put_file(int);
--inline TSS_RESULT read_data(int, void *, UINT32);
--inline TSS_RESULT write_data(int, void *, UINT32);
-+TSS_RESULT read_data(int, void *, UINT32);
-+TSS_RESULT write_data(int, void *, UINT32);
- UINT32 psfile_get_num_keys(int);
- TSS_RESULT psfile_get_parent_uuid_by_uuid(int, TSS_UUID *, TSS_UUID *);
- TSS_RESULT psfile_remove_key_by_uuid(int, TSS_UUID *);
--- a/components/trousers/patches/tss_defines.h.patch Fri Oct 19 16:06:19 2012 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,12 +0,0 @@
---- src/include/tss/tss_defines.h.old Tue May 31 07:39:12 2011
-+++ src/include/tss/tss_defines.h Tue May 31 07:39:52 2011
-@@ -1214,6 +1214,9 @@
- #define TSS_UUID_USK5 {0, 0, 0, 0, 0, {0, 0, 0, 0, 0, 9}} // user storage key 5
- #define TSS_UUID_USK6 {0, 0, 0, 0, 0, {0, 0, 0, 0, 0, 10}}// user storage key 6
-
-+/* SOLARIS: Migratable Root Key UUID */
-+#define TSS_UUID_MRK {0, 0, 0, 0, 0, {0, 0, 0, 0, 0, 11}}
-+
- // macro to derive UUIDs for keys whose "OwnerEvict" key is set.
- #define TSS_UUID_OWNEREVICT(i) {0, 0, 0, 0, 0, {0, 0, 0, 0, 1, (i)}}
-
--- a/components/trousers/tcsd.xml Fri Oct 19 16:06:19 2012 -0700
+++ b/components/trousers/tcsd.xml Sat Oct 20 00:06:08 2012 -0700
@@ -21,7 +21,7 @@
CDDL HEADER END
- Copyright (c) 2008, 2011, Oracle and/or its affiliates. All rights reserved.
+ Copyright (c) 2008, 2012, Oracle and/or its affiliates. All rights reserved.
NOTE: This service manifest is not editable; its contents will
be overwritten by package or patch operations, including
@@ -38,20 +38,25 @@
<create_default_instance enabled='false' />
<single_instance/>
- <!--
- Wait for network interfaces to be initialized.
- -->
- <dependency
- name='network'
- grouping='require_all'
- restart_on='none'
- type='service'>
- <service_fmri value='svc:/milestone/network:default' />
- </dependency>
+
+ <!-- Wait for network interfaces to be initialized. -->
+ <dependency
+ name='network'
+ grouping='require_all'
+ restart_on='none'
+ type='service'>
+ <service_fmri value='svc:/milestone/network:default' />
+ </dependency>
- <!--
- Wait for all local filesystems to be mounted.
- -->
+ <!-- Need / & /usr filesystems mounted, /var mounted read/write -->
+ <dependency
+ name='filesystem'
+ grouping='require_all'
+ restart_on='none'
+ type='service'>
+ <service_fmri value='svc:/system/filesystem/minimal' />
+ </dependency>
+
<exec_method
type='method'
name='stop'
@@ -77,8 +82,7 @@
value='solaris.smf.manage.tcsd' />
<propval name='value_authorization' type='astring'
value='solaris.smf.manage.tcsd' />
- </property_group>
-
+ </property_group>
<property_group name='config' type='application'>
<propval
@@ -91,17 +95,17 @@
value='solaris.smf.value.tcsd' />
</property_group>
- <stability value='Unstable' />
+ <stability value='Unstable' />
- <template>
- <common_name>
- <loctext xml:lang='C'>
- TCS Daemon
- </loctext>
- </common_name>
- <documentation>
- <manpage title='tcsd' section='8' />
- </documentation>
- </template>
+ <template>
+ <common_name>
+ <loctext xml:lang='C'>
+ TCS Daemon
+ </loctext>
+ </common_name>
+ <documentation>
+ <manpage title='tcsd' section='8' />
+ </documentation>
+ </template>
</service>
</service_bundle>