Releases: tpm2-software/tpm2-tss

3.2.0

18 Feb 14:45

Fixed

  • FAPI: fix curl_url_set call
  • FAPI: Fix usage of curl url (Should fix Ubuntu 22.04)
  • Fix buffer upcast leading to misalignment
  • Fix check whether SM3 is available
  • Update git.mk to support R/O src-dir
  • Fixed file descriptor leak when tcti initialization failed.
  • 32 Bit builds of the integration tests.
  • Primary key creation: in some cases the unique field was not cleared before calling create primary.
  • Primary keys used for signing the object were cleared after loading, so access to, e.g., the certificate did not work.
  • For primary keys created with Fapi_Create with an auth value, the auth_value was not used in inSensitive to recreate the primary key. Now the auth value callback is used to initialize inSensitive.
  • Policies could not be used for primary keys generated with Fapi_CreatePrimary; this has been fixed.
  • An infinite loop when parsing erroneous JSON was fixed in FAPI.
  • A buffer overflow in ESAPI xor parameter obfuscation was fixed.
  • Certificates could be read only once in one application. The setting of the init state of the state automaton for getting certificates was fixed.
  • A double free when executing policy action was fixed.
  • A leak in Fapi_Quote was fixed.
  • The wrong file locking in FAPI IO was fixed.
  • Enable creation of tss group and user on systems with busybox for fapi.
  • One fapi integration test did change the auth value of the storage hierarchy.
  • A leak in fapi crypto with ossl3 was fixed.
  • Add initial Camellia support to FAPI
  • Fix tests of fapi PCR
  • Fix tests of ACT functionality if not supported by pTPM
  • Fix compiler (unused) warning when building without debug logging
  • Fix leaks in error cases of integration tests
  • Fix memory leak after ifapi_init_primary_finish failed
  • Fix double-close of stream in FAPI
  • Fix segfault when ESYS_TR_NONE is passed to Esys_TR_GetName
  • Fix the authorization of hierarchy objects used in policy secret.
  • Fix check of qualifying data in Fapi_VerifyQuote.
  • Fix some leaks in FAPI error cases.
  • Make scripts compatible with non-posix shells where test does not know -a and -o.
  • Fix usage of variable not initialized when fapi keystore is empty.

Added

  • Add additional IFX root CAs
  • Added support for SM2, SM3 and SM4.
  • Added support for OpenSSL 3.0.0.
  • Added authPolicy field to the TPMU_CAPABILITIES union.
  • Added actData field to the TPMU_CAPABILITIES union.
  • Added TPM2_CAP_AUTH_POLICIES
  • Added TPM2_CAP_ACT constants.
  • Added updates to the marshalling and unmarshalling of the TPMU_CAPABILITIES union.
  • Added updates to the FAPI serializations and deserializations of the TPMU_CAPABILITIES union and associated types.
  • Add CODE_OF_CONDUCT
  • tcti-mssim and tcti-swtpm gained support for UDX communication
  • Missing constant for TPM2_RH_PW

Removed

  • Removed support for OpenSSL < 1.1.0.
  • Marked TPMS_ALGORITHM_DESCRIPTION and corresponding MU routines as deprecated.
    Those were erroneous typedefs that are not used and not useful, so we will remove them with 3.3.
  • Marked TPM2_RS_PW as deprecated. Use TPM2_RH_PW instead.

3.1.1

18 Feb 14:42

This is the last release of the 3.1.x series

Fixed

  • Fixed file descriptor leak when tcti initialization failed.
  • Primary key creation: in some cases the unique field was not cleared before calling create primary.
  • Primary keys used for signing the object were cleared after loading, so access to, e.g., the certificate did not work.
  • For primary keys created with Fapi_Create with an auth value, the auth_value was not used in inSensitive to recreate the primary key. Now the auth value callback is used to initialize inSensitive.
  • Policies could not be used for primary keys generated with Fapi_CreatePrimary; this has been fixed.
  • An infinite loop when parsing erroneous JSON was fixed in FAPI.
  • A buffer overflow in ESAPI xor parameter obfuscation was fixed.
  • Certificates could be read only once in one application. The setting of the init state of the state automaton for getting certificates was fixed.
  • A double free when executing policy action was fixed.
  • A leak in Fapi_Quote was fixed.
  • The wrong file locking in FAPI IO was fixed.
  • One fapi integration test did change the auth value of the storage hierarchy.
  • Fix test of FAPI PCR
  • Fix leaks in error cases of integration tests
  • Fix segfault when ESYS_TR_NONE is passed to Esys_TR_GetName
  • Fix the authorization of hierarchy objects used in policy secret.
  • Fix check of qualifying data in Fapi_VerifyQuote.
  • Fix some leaks in FAPI error cases.
  • Fix usage of variable not initialized when fapi keystore is empty.

Added

  • Add additional IFX root CAs

3.0.5

18 Feb 14:38

This is the last release of the 3.0.x series

Fixed

  • Fix buffer upcast leading to misalignment
  • Fixed file descriptor leak when tcti initialization failed.
  • Primary key creation: in some cases the unique field was not cleared before calling create primary.
  • Primary keys used for signing the object were cleared after loading, so access to, e.g., the certificate did not work.
  • For primary keys created with Fapi_Create with an auth value, the auth_value was not used in inSensitive to recreate the
    primary key. Now the auth value callback is used to initialize inSensitive.
  • Policies could not be used for primary keys generated with Fapi_CreatePrimary; this has been fixed.
  • An infinite loop when parsing erroneous JSON was fixed in FAPI.
  • A buffer overflow in ESAPI xor parameter obfuscation was fixed.
  • Certificates could be read only once in one application. The setting of the init state of the state automaton for getting certificates was fixed.
  • A double free when executing policy action was fixed.
  • A leak in Fapi_Quote was fixed.
  • The wrong file locking in FAPI IO was fixed.
  • One fapi integration test did change the auth value of the storage hierarchy.
  • Fix test of FAPI PCR
  • Fix leaks in error cases of integration tests
  • Fix segfault when ESYS_TR_NONE is passed to Esys_TR_GetName
  • Fix the authorization of hierarchy objects used in policy secret.
  • Fix check of qualifying data in Fapi_VerifyQuote.
  • Fix some leaks in FAPI error cases.
  • Fix usage of variable not initialized when fapi keystore is empty.

Added

  • Add additional IFX root CAs

3.1.0

26 Apr 18:53

[3.1.0] - 2021-05-17

Fixed

  • Fixed possible access outside the array in ifapi_calculate_tree.
  • Fix CVE-2020-24455 FAPI PolicyPCR not instantiating correctly
    Note that all TPM objects created with a PolicyPCR with the currentPcrs
    and currentPcrsAndBank options have been created with an incorrect policy
    that omits PCR checks. All these objects have to be recreated!
  • Fixed segfault in Fapi_Finalize where a free of a constant string could occur.
  • Fixed binding to ESYS_TR_RH_NULL for ESYS auth sessions.
  • Fixed read EAGAIN error handling for FreeBSD.
  • Fixed error cleanup for key loading and policy execution.
  • Fixed initialization of default log_dir.
  • Fixed cleanup in several error cases in Fapi.
  • Added initialization of the 'out' parameter in ifapi_json_IFAPI_CONFIG_deserialize.
  • Fixed regression in Fapi_List.
  • Fixed memory leak in policy calculation.
  • Fixed setting of the system flag of NV objects:
    This will let NV object metadata be created system-wide always instead of
    locally in the user. Existing metadata will remain in the user directory.
    It can be moved to the corresponding systemstore manually if needed.
  • Fixed fapi policy searching, when a policyRef was provided.
  • Fapi accepts EK-Certs without CRL dist point.
  • Fixed bad return codes in Fapi_List.
  • Fixed memleak in Fapi policy execution.
  • Fixed coverity NULL-pointer check in Fapi.
  • Fixed the written flag of NV objects in FAPI PolicyNV commands being unset.
  • Fixed deleting of policy files.
  • Fixed wrong file loading during object search.
  • Fixed a memory leak in async keystore load.
  • Fixed bug in FAPI NV creation with custom index values.
  • Fixed leftover sessions in error cases in FAPI.
  • Fixed execution of FAPI policies in some cases.
  • Fixed handling 0x hex prefixes for TPMU_HA in JSON encoding.
  • Fixed doxygen header of function iesys_update_session_flags.
  • Fixed issue where nonceTPM was included twice in HMAC.
  • Fixed issue of unused variable when enabling lower default log levels.
  • Fixed 'partial' may be used uninitialized in tcti-device.

Added

  • Added two new TPM commands TPM2_CC_CertifyX509 and TPM2_CC_ACT_SetTimeout
    along with SYS and ESYS API calls, new structure definitions, and marshal
    functions for them. This makes the TSS2 aligned with the TPM2 1.59 specification.
  • Support for auth values larger than an object's nameAlg for NV and key objects.
  • Async mode of operation for mssim TCTI module
  • Added pcap TCTI.
  • Added GlobalSign TPM Root CA certs to FAPI cert store.
  • Added support for auth value sizes bigger than the size of the name hash alg.
    for keys and NV objects.
  • Added better error messages in several FAPI errors.
  • Added checks to FAPI policy paths.
  • Added checks if FAPI is correctly provisioned.

Changed

  • Changed CI from Travis to GH actions
  • Changed the default hash algorithm from sha1 to sha256 in all FAPI
    integration tests
  • Changed tests to use SHA256 over SHA1.
  • Changed EncryptDecrypt mode type to align with TPM2.0 spec 1.59.

3.0.4

26 Apr 18:50

[3.0.4] - 2021-05-17

Changed or Fixed

  • Fixed possible access outside the array in ifapi_calculate_tree.
  • Fixed make install on systems without systemd
  • Fixed segfault in Fapi_Finalize where a free of a constant string could occur.
  • Fixed binding to ESYS_TR_RH_NULL for ESYS auth sessions.
  • Fixed read EAGAIN error handling for FreeBSD.
  • Fixed potential memory corruption in Fapi_Import.
  • Fixed binding of ESYS_TR_RH_NULL (Fixes #1993)
  • Added initialization of the 'out' parameter in ifapi_json_IFAPI_CONFIG_deserialize.
  • Fixed cleanup in several error cases.
  • Fixed initialization of default log_dir.
  • Fixed error cleanup for key loading and policy execution.
  • Fixed state handling in policy execution.
  • Fixed determination of object type from path.
  • Fixed doxygen header of function iesys_update_session_flags.
  • Fixed issue where nonceTPM was included twice in HMAC.
  • Fixed issue of unused variable when enabling lower default log levels.
  • Fixed tcti-device: 'partial' may be used uninitialized.
  • Fixed double define in tss2_mu.h.

2.4.6

26 Apr 18:40

[2.4.6] - 2021-05-17

Changed or Fixed

  • Fixed possible access outside the array in ifapi_calculate_tree.
  • Fixed binding of ESYS_TR_RH_NULL (Fixes #1993)
  • Added initialization of the 'out' parameter in ifapi_json_IFAPI_CONFIG_deserialize.
  • Fixed cleanup in several error cases.
  • Fixed initialization of default log_dir.
  • Fixed error cleanup for key loading and policy execution.
  • Fixed state handling in policy execution.
  • Fixed determination of object type from path.
  • Fixed unused variable warnings when maxloglevel was set to lower default.
  • Fixed issue where nonceTPM was included twice in HMAC calculation.

3.0.3

25 Nov 14:13

[3.0.3] - 2020-11-25

Changed or Fixed

  • Fix regression in Fapi_List
  • Fix memory leak in policy calculation

2.4.5

25 Nov 14:13

[2.4.5] - 2020-11-25

Changed or Fixed

  • Fix regression in Fapi_List
  • Fix memory leak in policy calculation

3.0.2

20 Nov 14:36

[3.0.2] - 2020-11-20

Changed or Fixed

  • FAPI: Fix setting of the system flag of NV objects
    This will let NV object metadata be created system-wide always instead of
    locally in the user. Existing metadata will remain in the user directory.
    It can be moved to the corresponding systemstore manually if needed.
  • FAPI: Fix policy searching, when a policyRef was provided
  • FAPI: Accept EK-Certs without CRL dist point
  • FAPI: Fix return codes of Fapi_List
  • FAPI: Fix memleak in policy execution
  • FAPI: Fix coverity NULL-pointer check
  • FAPI: Set the written flag of NV objects in FAPI PolicyNV commands
  • FAPI: Fix deleting of policy files.
  • FAPI: Fix wrong file loading during object search.
  • Fapi: Fix memory leak
  • Fapi: Fix potential NULL-Dereference
  • Fapi: Remove superfluous NULL check
  • Fix a memory leak in async keystore load.

2.4.4

20 Nov 14:18

[2.4.4] - 2020-11-20

Changed or Fixed

  • FAPI: Fix policy searching, when a policyRef was provided
  • FAPI: Accept EK-Certs without CRL dist point
  • FAPI: Fix memleak in policy execution
  • FAPI: Fix setting of the system flag of NV objects
    This will let NV object metadata be created system-wide always instead of
    locally in the user. Existing metadata will remain in the user directory.
    It can be moved to the corresponding systemstore manually if needed.
  • FAPI: Set the written flag of NV objects in FAPI PolicyNV commands
  • FAPI: Fix deleting of policy files.
  • FAPI: Fix wrong file loading during object search.
  • Fapi: Fix memory leak
  • Fapi: Fix potential NULL-Dereference
  • Fapi: Remove superfluous NULL check