Diffstat (limited to 'nixpkgs/pkgs/tools/security/tpm-luks')
-rw-r--r--nixpkgs/pkgs/tools/security/tpm-luks/default.nix36
-rw-r--r--nixpkgs/pkgs/tools/security/tpm-luks/openssl-1.1.patch63
-rw-r--r--nixpkgs/pkgs/tools/security/tpm-luks/signed-ptr.patch15
3 files changed, 114 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/tools/security/tpm-luks/default.nix b/nixpkgs/pkgs/tools/security/tpm-luks/default.nix
new file mode 100644
index 000000000000..4aab72cb5dfc
--- /dev/null
+++ b/nixpkgs/pkgs/tools/security/tpm-luks/default.nix
@@ -0,0 +1,36 @@
+{ lib, stdenv, fetchgit, autoreconfHook, gawk, trousers, cryptsetup, openssl }:
+
+stdenv.mkDerivation {
+  pname = "tpm-luks";
+  version = "unstable-2015-07-11";
+
+  src = fetchgit {
+    url = "https://github.com/momiji/tpm-luks";
+    rev = "c9c5b7fdddbcdac1cd4d2ea6baddd0617cc88ffa";
+    sha256 = "1ms2v57f13r9km6mvf9rha5ndmlmjvrz3mcikai6nzhpj0nrjz0w";
+  };
+
+  patches = [
+    ./openssl-1.1.patch
+    ./signed-ptr.patch
+  ];
+
+  nativeBuildInputs = [ autoreconfHook ];
+  buildInputs = [ gawk trousers cryptsetup openssl ];
+
+  installPhase = ''
+    mkdir -p $out
+    make install DESTDIR=$out
+    mv $out/$out/sbin $out/bin
+    rm -r $out/nix
+  '';
+
+  meta = with lib; {
+    description = "LUKS key storage in TPM NVRAM";
+    homepage = "https://github.com/shpedoikal/tpm-luks/";
+    maintainers = [ maintainers.tstrobel ];
+    license = with licenses; [ gpl2Only ];
+    platforms = platforms.linux;
+  };
+}
+
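Review bot: The overridden `installPhase` drops the standard hooks, so `preInstall`/`postInstall` set by overriders or by stdenv setup hooks never run; the body should open with `runHook preInstall` and close with `runHook postInstall`. The `meta.homepage` points at the `shpedoikal` fork while `src.url` fetches the `momiji` fork, which is confusing for anyone tracing the pinned `rev`; pick one or explain the relationship in a comment. The `mv $out/$out/sbin $out/bin` followed by `rm -r $out/nix` presumably keeps only the binaries — if `make install` also places man pages, dracut hooks or other files under `DESTDIR`, they are silently discarded, so a comment stating that this is intended (or a `mv` of the other directories) would help.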
diff --git a/nixpkgs/pkgs/tools/security/tpm-luks/openssl-1.1.patch b/nixpkgs/pkgs/tools/security/tpm-luks/openssl-1.1.patch
new file mode 100644
index 000000000000..10132242b345
--- /dev/null
+++ b/nixpkgs/pkgs/tools/security/tpm-luks/openssl-1.1.patch
@@ -0,0 +1,63 @@
+diff --git a/swtpm-utils/lib/hmac.c b/swtpm-utils/lib/hmac.c
+index 5545375..f9bedea 100644
+--- a/swtpm-utils/lib/hmac.c
++++ b/swtpm-utils/lib/hmac.c
+@@ -381,15 +381,19 @@ uint32_t TSS_authhmac(unsigned char *digest, unsigned char *key, unsigned int ke
+ /****************************************************************************/
+ uint32_t TSS_rawhmac(unsigned char *digest, const unsigned char *key, unsigned int keylen, ...)
+    {
+-   HMAC_CTX hmac;
++   HMAC_CTX* hmac;
+    unsigned int dlen;
+    unsigned char *data;
+    va_list argp;
+-   
+-#ifdef HAVE_HMAC_CTX_CLEANUP
+-   HMAC_CTX_init(&hmac);
+-#endif
+-   HMAC_Init(&hmac,key,keylen,EVP_sha1());
++
++   hmac = HMAC_CTX_new();
++
++   if (hmac == NULL)
++     {
++     return ERR_MEM_ERR;
++     }
++
++   HMAC_Init_ex(hmac,key,keylen,EVP_sha1(),NULL);
+ 
+    va_start(argp,keylen);
+    for (;;)
+@@ -398,15 +402,11 @@ uint32_t TSS_rawhmac(unsigned char *digest, const unsigned char *key, unsigned i
+       if (dlen == 0) break;
+       data = (unsigned char *)va_arg(argp,unsigned char *);
+       if (data == NULL) return ERR_NULL_ARG;
+-      HMAC_Update(&hmac,data,dlen);
++      HMAC_Update(hmac,data,dlen);
+       }
+-   HMAC_Final(&hmac,digest,&dlen);
++   HMAC_Final(hmac,digest,&dlen);
+ 
+-#ifdef HAVE_HMAC_CTX_CLEANUP
+-   HMAC_CTX_cleanup(&hmac);
+-#else
+-   HMAC_cleanup(&hmac);
+-#endif
++   HMAC_CTX_free(hmac);
+    va_end(argp);
+    return 0;
+    }
+diff --git a/swtpm-utils/lib/keys.c b/swtpm-utils/lib/keys.c
+index 99691b6..6627a1f 100644
+--- a/swtpm-utils/lib/keys.c
++++ b/swtpm-utils/lib/keys.c
+@@ -1249,8 +1249,7 @@ RSA *TSS_convpubkey(pubkeydata *k)
+                 exp);
+    }
+    /* set up the RSA public key structure */
+-   rsa->n = mod;
+-   rsa->e = exp;
++   RSA_set0_key(rsa, mod, exp, NULL);
+    return rsa;
+    }
+ 
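Review bot: In the `TSS_rawhmac` hunk the context line `if (data == NULL) return ERR_NULL_ARG;` now returns with the heap-allocated `HMAC_CTX` still live, because the patch turns the stack context into `HMAC_CTX_new()` but only frees it on the normal path after `HMAC_Final`; change it to `if (data == NULL) { HMAC_CTX_free(hmac); va_end(argp); return ERR_NULL_ARG; }`. The return values of `HMAC_Init_ex`, `HMAC_Update` and `HMAC_Final` are not checked, so a failed init would produce a digest computed over an uninitialised context rather than an error — presumably the pre-1.1 code had the same gap, but with the new API the failure is reportable. In the `TSS_convpubkey` hunk `RSA_set0_key(rsa, mod, exp, NULL)` can return 0, in which case ownership of `mod`/`exp` is not transferred and the caller receives an `RSA` with no modulus; checking the return and freeing `mod`, `exp` and `rsa` on failure would close that path. `TSS_convpubkey` starts outside the hunk.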
diff --git a/nixpkgs/pkgs/tools/security/tpm-luks/signed-ptr.patch b/nixpkgs/pkgs/tools/security/tpm-luks/signed-ptr.patch
new file mode 100644
index 000000000000..83e356a4ef9e
--- /dev/null
+++ b/nixpkgs/pkgs/tools/security/tpm-luks/signed-ptr.patch
@@ -0,0 +1,15 @@
+diff --git a/swtpm-utils/getcapability.c b/swtpm-utils/getcapability.c
+index 7359ba3..17b4324 100644
+--- a/swtpm-utils/getcapability.c
++++ b/swtpm-utils/getcapability.c
+@@ -480,7 +480,8 @@ int main(int argc, char *argv[])
+ 				  }
+ 
+ 				  if (c) {
+-				      char pcrmap[4], *pf;
++				      char pcrmap[4];
++				      unsigned char *pf;
+ 
+ 				      memcpy(pcrmap, ndp.pcrInfoRead.pcrSelection.pcrSelect,
+ 					     ndp.pcrInfoRead.pcrSelection.sizeOfSelect);
+
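Review bot: The signedness fix for `pf` is fine, but the adjacent `memcpy(pcrmap, ..., ndp.pcrInfoRead.pcrSelection.sizeOfSelect)` copies a length taken from the TPM's PCR selection into the fixed 4-byte `pcrmap` with no bound, and this patch leaves that as is. Since `sizeOfSelect` presumably arrives from the device rather than being a compile-time constant, a guard such as `if (ndp.pcrInfoRead.pcrSelection.sizeOfSelect > sizeof pcrmap) { /* reject: selection larger than pcrmap */ }` before the copy would keep a malformed or unexpectedly large selection from overrunning the stack buffer. The `main` function this hunk belongs to begins and ends outside the hunk, so the later use of `pf` cannot be checked here.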