Releases: tpm2-software/tpm2-pkcs11

1.6.0-rc0

26 Apr 19:20
1.6.0-rc0 Pre-release

1.6.0-rc0 - 2021-04-26

  • Spelling and grammar fixes throughout the project.
  • tpm2_ptool: fix bug in verify commandlet where --sopin leads to local variable referenced before assignment. See #624.
  • Docs: add a document describing SSH Hostkey configuration using tpm2-pkcs11.
  • Support changes in tpm2-tss-engine using TPM2_RH_OWNER instead of 0.
  • Fix endian issue in test_db.
  • Fix tpm2_ptool error messages when exceptions are raised during execution of tpm2-tools commands.
  • Support CKA_DERIVE=true which will support the newest pkcs11-tool EC template.
  • Fix requirement of having ESYS >= 2.4, see #632 for details.
  • Fix docs/INITIALIZING.md reference to --pobj-pin, should be --hierarchy-auth.
  • Fix missing libyaml dependency in documentation.
  • Fix bug in DB update logic where errors in handlers were ignored.
  • Fix NPD bug when ESAPI and FAPI return 0 tokens.
  • Add support for over TPM sized AES buffers.
  • Add support for mechanism CKM_AES_CBC_PAD.
  • Add support for mechanism CKM_AES_CTR.
  • Add support for RSA 3072 (3k) keys.
  • Remove usage of function Esys_TR_GetTpmHandle. FAPI Backend will no longer depend on ESAPI 2.4 or
    greater.
  • Add Experimental RSA 4096 support. Use at your own risk.

1.5.0

16 Nov 18:16

1.5.0 - 2020-11-16

  • C_Decrypt: Fix CKM_RSA_PKCS11 scheme not removing PKCS v1.5 block padding from returned plaintext.
  • C_Digest/C_DigestFinal: Fix Section 5.2 style returns.
  • C_OpenSession: fix valid session handles starting at 0, 0 is invalid per the spec.
  • C_OpenSession: fix handle issuance bug where handles could be exhausted at out of bounds.
  • Support swtpm in testing infrastructure.
  • Fix C_Encrypt/C_Decrypt interface not setting size when output buffer is NULL.
  • Fix warning ../configure: line 14383: ]: command not found
  • Fix CKM_RSA_PKCS_PSS mechanism.
  • C_GetMechanismList: Fix index 0 of the returned list being invalid.
  • C_GetMechanismInfo: Fix errors like ERROR: Unknown mechanism, got: 0xd.
  • Docs: use full paths from project root to help fix 404 errors.
  • tpm2_ptool init: attempt to persist the created primary object at 0x81000001 and fall back to
    the first available address on failure.

1.5.0-rc0

05 Nov 01:09
1.5.0-rc0 Pre-release

1.5.0-rc0 - 2020-11-04

  • C_Decrypt: Fix CKM_RSA_PKCS11 scheme not removing PKCS v1.5 block padding from returned plaintext.
  • C_Digest/C_DigestFinal: Fix Section 5.2 style returns.
  • C_OpenSession: fix valid session handles starting at 0, 0 is invalid per the spec.
  • C_OpenSession: fix handle issuance bug where handles could be exhausted at out of bounds.
  • Support swtpm in testing infrastructure.
  • Fix C_Encrypt/C_Decrypt interface not setting size when output buffer is NULL.
  • Fix warning ../configure: line 14383: ]: command not found
  • Fix CKM_RSA_PKCS_PSS mechanism.
  • C_GetMechanismList: Fix index 0 of the returned list being invalid.
  • C_GetMechanismInfo: Fix errors like ERROR: Unknown mechanism, got: 0xd.
  • Docs: use full paths from project root to help fix 404 errors.
  • tpm2_ptool init: attempt to persist the created primary object at 0x81000001 and fall back to
    the first available address on failure.

1.4.0

24 Aug 18:23

1.4.0 - 2020-08-24

  • Fix superfluous error message when falling back from TPM2_EncryptDecrypt2 interface.

  • Support importing EC keys via tpm2_ptool import.

  • C_InitToken: Fix improper SRK handle of 0x81000000, it should be 0x81000001.

  • Fix a leak in tpm.c of an EVP_PKEY object.

  • C_GenerateKeyPair: was not adding PSS signatures as supported by RSA objects, add it.

  • Fix PSS signatures. Non-FIPS mode TPMs produce PSS signatures with a
    max salt len that poses interoperability issues with verifying clients,
    notably TLS in OpenSSL.

  • Fix Java PKCS11 Provider Signature Verification: #401

  • VerifyRecover support, known working with Public Key RSA objects and
    mechanism CKM_RSA_PKCS.

  • db: Modify search and create behavior. See
    docs/INITIALIZING.md
    for details.

  • Fix printf(3) format specifier errors.

  • ci: increase CI coverage to: Fedora 30, Ubuntu 16.04, Ubuntu 18.04.

  • configure: check for Python version >= 3.7 and pass to Automake. No
    need to set PYTHON_INTERPRETER anymore.

  • Fix segfault/memory corruption bugs in C_Destroy().

  • Fix segfault when no user pin is provisioned.

  • Support C_SetAttributeValue.

  • Support for selectable backend using TPM2_PKCS11_BACKEND=esysdb being current version.

  • Support for backend fapi that uses the tss2-fapi keystore instead of an sqlite db.

    • This is auto-detected based on tss2-fapi being installed at configure time, and can be controlled
      via --enable/disable-fapi.
  • C_CreateObject: Support for CKO_DATA objects only with CKA_PRIVATE set to CK_TRUE. Token
    defaults to CK_TRUE.

  • Fix: src/lib/ssl_util.c:555:54: error: passing argument 3 of ‘EVP_PKEY_verify_recover’ from incompatible pointer type

  • Added tpm2_ptool link commandlet for linking existing tpm2 objects into a compatible token. For details see
    this document.

    Supported tpm2 objects are:

    • serialized TPM2B_PUBLIC and TPM2B_PRIVATE data structures, as produced by
      tpm2_create -u and -r outputs
      respectively.
    • PEM encoded keys produced by
      tpm2tss-genkey

1.4.0-RC0

17 Aug 16:23
1.4.0-RC0 Pre-release

1.4.0-RC0 - 2020-08-17

  • Fix superfluous error message when falling back from TPM2_EncryptDecrypt2 interface.

  • Support importing EC keys via tpm2_ptool import.

  • C_InitToken: Fix improper SRK handle of 0x81000000, it should be 0x81000001.

  • Fix a leak in tpm.c of an EVP_PKEY object.

  • C_GenerateKeyPair: was not adding PSS signatures as supported by RSA objects, add it.

  • Fix PSS signatures. Non-FIPS mode TPMs produce PSS signatures with a
    max salt len that poses interoperability issues with verifying clients,
    notably TLS in OpenSSL.

  • Fix Java PKCS11 Provider Signature Verification: #401

  • VerifyRecover support, known working with Public Key RSA objects and
    mechanism CKM_RSA_PKCS.

  • db: Modify search and create behavior. See
    docs/INITIALIZING.md
    for details.

  • Fix printf(3) format specifier errors.

  • ci: increase CI coverage to: Fedora 30, Ubuntu 16.04, Ubuntu 18.04.

  • configure: check for Python version >= 3.7 and pass to Automake. No
    need to set PYTHON_INTERPRETER anymore.

  • Fix segfault/memory corruption bugs in C_Destroy().

  • Fix segfault when no user pin is provisioned.

  • Support C_SetAttributeValue.

  • Support for selectable backend using TPM2_PKCS11_BACKEND=esysdb being current version.

  • Support for backend fapi that uses the tss2-fapi keystore instead of an sqlite db.

    • This is auto-detected based on tss2-fapi being installed at configure time, and can be controlled
      via --enable/disable-fapi.
  • C_CreateObject: Support for CKO_DATA objects only with CKA_PRIVATE set to CK_TRUE. Token
    defaults to CK_TRUE.

  • Fix: src/lib/ssl_util.c:555:54: error: passing argument 3 of ‘EVP_PKEY_verify_recover’ from incompatible pointer type

  • Added tpm2_ptool link commandlet for linking existing tpm2 objects into a compatible token. For details see
    this document.

    Supported tpm2 objects are:

    • serialized TPM2B_PUBLIC and TPM2B_PRIVATE data structures, as produced by
      tpm2_create -u and -r outputs
      respectively.
    • PEM encoded keys produced by
      tpm2tss-genkey

1.3.2

10 Aug 14:39

1.3.2 - 2020-08-10

  • Fix C_InitToken, ensure no embedded nul byte.
  • Fix free of mutex being held in C_InitToken failures: #573
  • Fix C_Login CKU_USER login attempt before pin is setup: #563

1.3.2-RC0

04 Aug 16:31
1.3.2-RC0 Pre-release

1.3.2-RC0 - 2020-08-04

  • Fix C_InitToken, ensure no embedded nul byte.
  • Fix free of mutex being held in C_InitToken failures: #573
  • Fix C_Login CKU_USER login attempt before pin is setup: #563
  • Fix C_InitToken double init issues #577

1.3.1

27 Jul 15:40

1.3.1 - 2020-07-27

  • Fix double free.

1.3.1-RC0

21 Jul 10:00
1.3.1-RC0 Pre-release

1.3.1-RC0 - 2020-07-21

  • Fix double free.

1.3.0

07 Jul 13:05

1.3.0 - 2020-07-7

  • C_CreateObject: Support for CKO_DATA objects only with CKA_PRIVATE set to CK_TRUE.
    Token defaults to CK_TRUE.
  • Fix Tests against simulator that support RSA 3072 keys