Fix tpm2-tss CI; update patches

tests/ci/integration/run_tpm2_tss_integration.sh

@@ -60,7 +60,7 @@ function tpm2_tss_build() {
 function tpm2_abrmd_build() {
   export PKG_CONFIG_PATH="${AWS_LC_INSTALL_FOLDER}/lib/pkgconfig:${TPM2_TSS_INSTALL_FOLDER}/lib/pkgconfig"
   /bin/sh ./bootstrap
-  ./configure --enable-unit --with-crypto=ossl --prefix="${TPM2_ABRMD_INSTALL_FOLDER}" 
+  ./configure --enable-unit --with-crypto=ossl --prefix="${TPM2_ABRMD_INSTALL_FOLDER}"
   make -j "${NUM_CPU_THREADS}" all VERBOSE=1
   make -j "${NUM_CPU_THREADS}" check VERBOSE=1
   make -j "${NUM_CPU_THREADS}" install
@@ -108,5 +108,3 @@ tpm2_tools_build
 popd
 
 popd
-
-

tests/ci/integration/tpm2_tools_patch/aws-lc-tpm2-tools.patch

@@ -1,14 +1,13 @@
-From dea6a384d56f631eba23188f57dd4e4d84c10657 Mon Sep 17 00:00:00 2001
+From c27eac2efc587eae07f62136a4a50725d0660240 Mon Sep 17 00:00:00 2001
 From: Justin W Smith <justsmth@amazon.com>
-Date: Fri, 25 Apr 2025 21:19:12 +0000
-Subject: [PATCH] AWS-LC Support
+Date: Fri, 14 Nov 2025 13:48:40 +0000
+Subject: [PATCH] Support AWS-LC
 
 ---
- lib/tpm2_identity_util.c      | 2 +-
- lib/tpm2_openssl.c            | 4 ++--
- tools/misc/tpm2_checkquote.c  | 2 +-
- tools/tpm2_getekcertificate.c | 4 ++--
- 4 files changed, 6 insertions(+), 6 deletions(-)
+ lib/tpm2_identity_util.c     | 2 +-
+ lib/tpm2_openssl.c           | 4 ++--
+ tools/misc/tpm2_checkquote.c | 4 ++--
+ 3 files changed, 5 insertions(+), 5 deletions(-)
 
 diff --git a/lib/tpm2_identity_util.c b/lib/tpm2_identity_util.c
 index fbf1e938..2c6448d3 100644
@@ -24,15 +23,15 @@ index fbf1e938..2c6448d3 100644
          LOG_ERR("Failed EVP_PKEY_CTX_set0_rsa_oaep_label");
          free(newlabel);
 diff --git a/lib/tpm2_openssl.c b/lib/tpm2_openssl.c
-index d2f07a7c..ca1a6b40 100644
+index d2f07a7c..6b6c16ef 100644
 --- a/lib/tpm2_openssl.c
 +++ b/lib/tpm2_openssl.c
 @@ -36,7 +36,7 @@ int tpm2_openssl_halgid_from_tpmhalg(TPMI_ALG_HASH algorithm) {
          return NID_sha384;
      case TPM2_ALG_SHA512:
          return NID_sha512;
 -#if OPENSSL_VERSION_NUMBER >= 0x10101000L
-+#if OPENSSL_VERSION_NUMBER >= 0x10101000L && HAVE_EVP_SM3
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L  && HAVE_EVP_SM3
  	case TPM2_ALG_SM3_256:
  		return NID_sm3;
  #endif
@@ -41,15 +40,15 @@ index d2f07a7c..ca1a6b40 100644
      { TPM2_ECC_NIST_P384, NID_secp384r1        },
      { TPM2_ECC_NIST_P521, NID_secp521r1        },
 -#if OPENSSL_VERSION_NUMBER >= 0x10101003L
-+#if OPENSSL_VERSION_NUMBER >= 0x10101003L && HAVE_EVP_SM3
++#if OPENSSL_VERSION_NUMBER >= 0x10101003L  && HAVE_EVP_SM3
      { TPM2_ECC_SM2_P256,  NID_sm2              },
  #endif
      /*
 diff --git a/tools/misc/tpm2_checkquote.c b/tools/misc/tpm2_checkquote.c
-index 498dffbc..d5bef7af 100644
+index 259d9c62..051dafe7 100644
 --- a/tools/misc/tpm2_checkquote.c
 +++ b/tools/misc/tpm2_checkquote.c
-@@ -110,7 +110,7 @@ static bool verify(void) {
+@@ -115,7 +115,7 @@ static bool verify(void) {
          return false;
      }
 
@@ -58,28 +57,15 @@ index 498dffbc..d5bef7af 100644
  #if OPENSSL_VERSION_MAJOR < 3
      if (ctx.halg == TPM2_ALG_SM3_256) {
          ret = EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2);
-diff --git a/tools/tpm2_getekcertificate.c b/tools/tpm2_getekcertificate.c
-index 79d859c7..fb525c63 100644
---- a/tools/tpm2_getekcertificate.c
-+++ b/tools/tpm2_getekcertificate.c
-@@ -519,7 +519,7 @@ static bool retrieve_web_endorsement_certificate(char *uri) {
-      * should not be used - Used only on platforms with older CA certificates.
-      */
-     if (ctx.SSL_NO_VERIFY) {
--        rc = curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
-+        rc = curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
-         if (rc != CURLE_OK) {
-             LOG_ERR("curl_easy_setopt for CURLOPT_SSL_VERIFYPEER failed: %s",
-                     curl_easy_strerror(rc));
-@@ -564,7 +564,7 @@ static bool retrieve_web_endorsement_certificate(char *uri) {
-         goto out_easy_cleanup;
+@@ -356,7 +356,7 @@ static bool parse_selection_data_from_file(FILE *pcr_input,
+     for (i = 0; i < pcr_select->count; i++) {
+         pcr_select->pcrSelections[i].hash = le16toh(pcr_select->pcrSelections[i].hash);
      }
-
--    rc = curl_easy_setopt(curl, CURLOPT_FAILONERROR, true);
-+    rc = curl_easy_setopt(curl, CURLOPT_FAILONERROR, 1L);
-     if (rc != CURLE_OK) {
-         LOG_ERR("curl_easy_setopt for CURLOPT_FAILONERROR failed: %s",
-                 curl_easy_strerror(rc));
+- 
++
+     // Import PCR digests to pcr outfile
+     if (fread(&pcrs->count, sizeof(UINT32), 1, pcr_input) != 1) {
+         LOG_ERR("Failed to read PCR digests header from file");
 -- 
 2.43.0
 

tests/ci/integration/tpm2_tss_patch/aws-lc-tpm2-tss.patch

@@ -1,18 +1,18 @@
-From 6eb70474d5767afc3a9111cfbfab8ed83f673d87 Mon Sep 17 00:00:00 2001
+From addb67ba10371f03a7ab42a82016f117f2efde10 Mon Sep 17 00:00:00 2001
 From: Justin W Smith <justsmth@amazon.com>
-Date: Fri, 25 Apr 2025 21:18:07 +0000
-Subject: [PATCH] AWS-LC support
+Date: Fri, 14 Nov 2025 13:26:27 +0000
+Subject: [PATCH] Support AWS-LC
 
 ---
  configure.ac                            | 6 ------
  src/tss2-esys/esys_crypto_ossl.c        | 2 +-
- src/tss2-fapi/ifapi_curl.c              | 8 ++++----
+ src/tss2-fapi/ifapi_curl.c              | 6 +++---
  src/tss2-fapi/ifapi_verify_cert_chain.c | 2 +-
- test/unit/fapi-eventlog.c               | 8 +++++---
- 5 files changed, 11 insertions(+), 15 deletions(-)
+ test/unit/fapi-eventlog.c               | 2 +-
+ 5 files changed, 6 insertions(+), 12 deletions(-)
 
 diff --git a/configure.ac b/configure.ac
-index 6cc3efc8..9029383d 100644
+index 9df86bce..d5f3bbe2 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -189,12 +189,6 @@ AS_IF([test "x$enable_esys" = xyes],
@@ -29,98 +29,65 @@ index 6cc3efc8..9029383d 100644
             TSS2_ESYS_LDFLAGS_CRYPTO="$CRYPTO_LIBS"
         ], [test "x$with_crypto" = xmbed], [
 diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c
-index 15e534ce..75043897 100644
+index 50d00c4b..84b16347 100644
 --- a/src/tss2-esys/esys_crypto_ossl.c
 +++ b/src/tss2-esys/esys_crypto_ossl.c
-@@ -752,7 +752,7 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
-                    "Could not duplicate OAEP label", cleanup);
+@@ -711,7 +711,7 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC *pub_tpm_key,
+         goto_error(r, TSS2_ESYS_RC_MEMORY, "Could not duplicate OAEP label", cleanup);
      }
 
--    if (1 != EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, label_copy, (int) strlen(label_copy)+1)) {
-+    if (1 != EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, (uint8_t*)label_copy, strlen(label_copy)+1)) {
+-    if (1 != EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, label_copy, (int)strlen(label_copy) + 1)) {
++    if (1 != EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, (uint8_t*)label_copy, (int)strlen(label_copy) + 1)) {
          OPENSSL_free(label_copy);
-         goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
-                    "Could not set RSA label.", cleanup);
+         goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Could not set RSA label.", cleanup);
+     }
 diff --git a/src/tss2-fapi/ifapi_curl.c b/src/tss2-fapi/ifapi_curl.c
-index 75e81141..79f77fdf 100644
+index 2b92210d..65096b5f 100644
 --- a/src/tss2-fapi/ifapi_curl.c
 +++ b/src/tss2-fapi/ifapi_curl.c
-@@ -88,13 +88,13 @@ ifapi_get_crl_from_cert(X509 *cert, X509_CRL **crl)
+@@ -89,11 +89,11 @@ ifapi_get_crl_from_cert(X509 *cert, X509_CRL **crl) {
      int curl_rc;
 
      *crl = NULL;
--    for (int i = 0; i < sk_DIST_POINT_num(dist_points); i++)
-+    for (size_t i = 0; i < sk_DIST_POINT_num(dist_points); i++)
-     {
-         DIST_POINT *dp = sk_DIST_POINT_value(dist_points, i);
-         DIST_POINT_NAME    *distpoint = dp->distpoint;
-         if (distpoint->type==0)
-         {
--            for (int j = 0; j < sk_GENERAL_NAME_num(distpoint->name.fullname); j++)
-+            for (size_t j = 0; j < sk_GENERAL_NAME_num(distpoint->name.fullname); j++)
-             {
-                 GENERAL_NAME *gen_name = sk_GENERAL_NAME_value(distpoint->name.fullname, j);
+-    for (int i = 0; i < sk_DIST_POINT_num(dist_points); i++) {
++    for (size_t i = 0; i < sk_DIST_POINT_num(dist_points); i++) {
+         DIST_POINT      *dp = sk_DIST_POINT_value(dist_points, i);
+         DIST_POINT_NAME *distpoint = dp->distpoint;
+         if (distpoint->type == 0) {
+-            for (int j = 0; j < sk_GENERAL_NAME_num(distpoint->name.fullname); j++) {
++            for (size_t j = 0; j < sk_GENERAL_NAME_num(distpoint->name.fullname); j++) {
+                 GENERAL_NAME   *gen_name = sk_GENERAL_NAME_value(distpoint->name.fullname, j);
                  ASN1_IA5STRING *asn1_str = gen_name->d.uniformResourceIdentifier;
-@@ -179,7 +179,7 @@ ifapi_curl_verify_ek_cert(
-     X509_STORE_CTX *ctx = NULL;
-     X509_CRL *crl_intermed = NULL;
-     X509_CRL *crl_ek = NULL;
--    int i;
-+    size_t i;
-     size_t ui;
+                 SAFE_FREE(url);
+@@ -173,7 +173,7 @@ ifapi_curl_verify_ek_cert(char *root_cert_pem, char *intermed_cert_pem, char *ek
+     X509_STORE_CTX        *ctx = NULL;
+     X509_CRL              *crl_intermed = NULL;
+     X509_CRL              *crl_ek = NULL;
+-    int                    i;
++    size_t                    i;
+     size_t                 ui;
      AUTHORITY_INFO_ACCESS *info = NULL;
-     ASN1_IA5STRING *uri = NULL;
+     ASN1_IA5STRING        *uri = NULL;
 diff --git a/src/tss2-fapi/ifapi_verify_cert_chain.c b/src/tss2-fapi/ifapi_verify_cert_chain.c
-index b495e512..c741c8ad 100644
+index df295d99..3fb475dc 100644
 --- a/src/tss2-fapi/ifapi_verify_cert_chain.c
 +++ b/src/tss2-fapi/ifapi_verify_cert_chain.c
-@@ -64,7 +64,7 @@ char* get_issuer_url(X509 *cert) {
-     AUTHORITY_INFO_ACCESS *info = X509_get_ext_d2i(cert, NID_info_access, NULL, NULL);
-     if (!info) return NULL;
+@@ -65,7 +65,7 @@ get_issuer_url(X509 *cert) {
+     if (!info)
+         return NULL;
 
 -    for (int i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++) {
 +    for (size_t i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++) {
          ACCESS_DESCRIPTION *ad = sk_ACCESS_DESCRIPTION_value(info, i);
          if (OBJ_obj2nid(ad->method) == NID_ad_ca_issuers && ad->location->type == GEN_URI) {
              ASN1_IA5STRING *uri = ad->location->d.uniformResourceIdentifier;
 diff --git a/test/unit/fapi-eventlog.c b/test/unit/fapi-eventlog.c
-index 3b859e39..796894ee 100644
+index 7e49e112..d3077a96 100644
 --- a/test/unit/fapi-eventlog.c
 +++ b/test/unit/fapi-eventlog.c
-@@ -130,6 +130,7 @@ check_eventlog_pcr0(const char *file, uint32_t *pcr_list, size_t pcr_list_size,
-     uint8_t *eventlog;
-     size_t size;
-     json_object *json_event_list = NULL;
-+#if HAVE_EVP_SM3
-     IFAPI_PCR_REG pcrs[TPM2_MAX_PCRS];
-
-     TPML_PCR_SELECTION pcr_selection =
-@@ -149,19 +150,20 @@ check_eventlog_pcr0(const char *file, uint32_t *pcr_list, size_t pcr_list_size,
-          .buffer = { 0x15, 0xf4, 0xe6, 0xca, 0x45, 0x7d, 0x1a, 0xf6, 0xbc, 0x49,
-                      0x51, 0x1a, 0x93, 0xba, 0x35, 0x00, 0xad, 0x69, 0xac, 0xc5 },
-         };
--
-+#endif
-     /* Read file to get file size for comparison. */
-     eventlog = file_to_buffer(file, &size);
-     assert_non_null(eventlog);
-
-     r = ifapi_get_tcg_firmware_event_list(file, pcr_list, pcr_list_size, &json_event_list);
-     assert_int_equal (r, TSS2_RC_SUCCESS);
--
-+#if HAVE_EVP_SM3
-     r = ifapi_calculate_pcrs(json_event_list, &pcr_selection, TPM2_ALG_SHA1, NULL, &pcrs[0]);
-     assert_int_equal (r, TSS2_RC_SUCCESS);
-
-     /* Compare with the pcr0 value got from system with HCRTM events */
-     assert_true(!memcmp(&expected_pcr0.buffer[0], &pcrs[0].value.buffer[0], 20));
-+#endif
-
-     json_object_put(json_event_list);
-     SAFE_FREE(eventlog);
-@@ -171,7 +173,7 @@ static void
- check_bios_hcrtm(void **state)
- {
+@@ -163,7 +163,7 @@ check_eventlog_pcr0(const char *file, uint32_t *pcr_list, size_t pcr_list_size,
+ static void
+ check_bios_hcrtm(void **state) {
 
 -#ifdef __FreeBSD__
 +#ifndef HAVE_EVP_SM3