From c5d6495055283cc5c74a20e31474c1254f7122f4 Mon Sep 17 00:00:00 2001
From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Date: Fri, 13 Feb 2026 15:44:20 +0100
Subject: [PATCH] Fix registrar authentication bypass (CVE-2026-1709)

Resolves: RHEL-145391

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
---
 0022-CVE-2026-1709.patch | 20 ++++++++++++++++++++
 keylime.spec             | 10 +++++++++-
 2 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 0022-CVE-2026-1709.patch

diff --git a/0022-CVE-2026-1709.patch b/0022-CVE-2026-1709.patch
new file mode 100644
index 0000000..b494256
--- /dev/null
+++ b/0022-CVE-2026-1709.patch
@@ -0,0 +1,20 @@
+diff --git a/keylime/web/base/server.py b/keylime/web/base/server.py
+index 1d9a9c2..859b23a 100644
+--- a/keylime/web/base/server.py
++++ b/keylime/web/base/server.py
+@@ -2,7 +2,6 @@ import asyncio
+ import multiprocessing
+ from abc import ABC, abstractmethod
+ from functools import wraps
+-from ssl import CERT_OPTIONAL
+ from typing import TYPE_CHECKING, Any, Callable, Optional
+
+ import tornado
+@@ -252,7 +251,6 @@ class Server(ABC):
+         self._https_port = config.getint(component, "tls_port", fallback=0)
+         self._max_upload_size = config.getint(component, "max_upload_size", fallback=104857600)
+         self._ssl_ctx = web_util.init_mtls(component)
+-        self._ssl_ctx.verify_mode = CERT_OPTIONAL
+
+     def _get(self, pattern: str, controller: type["Controller"], action: str, allow_insecure: bool = False) -> None:
+         """Creates a new route to handle incoming GET requests issued for paths which match the given
diff --git a/keylime.spec b/keylime.spec
index e9352fa..2d89fd0 100644
--- a/keylime.spec
+++ b/keylime.spec
@@ -9,7 +9,7 @@
 
 Name:    keylime
 Version: 7.12.1
-Release: 14%{?dist}
+Release: 15%{?dist}
 Summary: Open source TPM software for Bootstrapping and Maintaining Trust
 
 URL:            https://github.com/keylime/keylime
@@ -60,6 +60,10 @@ Patch: 0019-tpm-fix-ECC-P-521-coordinate-validation.patch
 Patch: 0020-tpm-fix-ECC-P-521-credential-activation-with-consist.patch
 Patch: 0021-tpm-fix-ECC-signature-parsing-to-support-variable-le.patch
 
+# CVE-2026-1709
+# Fix registrar authentication bypass
+Patch: 0022-CVE-2026-1709.patch
+
 License: ASL 2.0 and MIT
 
 BuildRequires: git-core
@@ -454,6 +458,10 @@ fi
 %license LICENSE
 
 %changelog
+* Fri Feb 13 2026 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 7.12.1-15
+- Fix registrar authentication bypass (CVE-2026-1709)
+  Resolves: RHEL-145391
+
 * Wed Feb 04 2026 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 7.12.1-14
 - Add support for TPM quotes using ECC keys
   Resolves: RHEL-118150