diff --git a/0001-tpm2-Do-not-call-EVP_PKEY_CTX_set0_rsa_oaep_label-fo.patch b/0001-tpm2-Do-not-call-EVP_PKEY_CTX_set0_rsa_oaep_label-fo.patch new file mode 100644 index 0000000..d39b0fb --- /dev/null +++ b/0001-tpm2-Do-not-call-EVP_PKEY_CTX_set0_rsa_oaep_label-fo.patch @@ -0,0 +1,37 @@ +From e4261984374556da65c9d46097d5a1200b335c0c Mon Sep 17 00:00:00 2001 +From: Juergen Repp +Date: Sat, 19 Feb 2022 12:59:32 +0100 +Subject: [PATCH] tpm2: Do not call EVP_PKEY_CTX_set0_rsa_oaep_label() for + label of size 0 (OSSL 3) + +Openssl 3.0 did return an error if EVP_PKEY_CTX_set0_rsa_oaep_label was called +with label size 0. The function should only be called if the size of the label +is greater 0. +With this fix TPM2_RSA_Encrypt/Decrypt did work with OpenSSL 1.1 and 3.0 +for encryption without label. + +Signed-off-by: Juergen Repp +--- + src/tpm2/crypto/openssl/CryptRsa.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/src/tpm2/crypto/openssl/CryptRsa.c b/src/tpm2/crypto/openssl/CryptRsa.c +index 4ed04384feb0..b5d6b6c3be82 100644 +--- a/src/tpm2/crypto/openssl/CryptRsa.c ++++ b/src/tpm2/crypto/openssl/CryptRsa.c +@@ -1356,10 +1356,9 @@ CryptRsaEncrypt( + if (tmp == NULL) + ERROR_RETURN(TPM_RC_FAILURE); + memcpy(tmp, label->buffer, label->size); ++ if (EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, tmp, label->size) <= 0) ++ ERROR_RETURN(TPM_RC_FAILURE); + } +- // label->size == 0 is supported +- if (EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, tmp, label->size) <= 0) +- ERROR_RETURN(TPM_RC_FAILURE); + tmp = NULL; + break; + default: +-- +2.36.0.44.g0f828332d5ac + diff --git a/0001-tpm2-Fix-size-check-in-CryptSecretDecrypt.patch b/0001-tpm2-Fix-size-check-in-CryptSecretDecrypt.patch new file mode 100644 index 0000000..a886ee8 --- /dev/null +++ b/0001-tpm2-Fix-size-check-in-CryptSecretDecrypt.patch @@ -0,0 +1,31 @@ +From 3d2bbe2f1947784506ba0a7f9e8ab81eefb69929 Mon Sep 17 00:00:00 2001 +From: Ross Lagerwall +Date: Mon, 23 May 2022 14:16:57 +0100 +Subject: [PATCH] tpm2: Fix size check in CryptSecretDecrypt + +Check the secret size against the size of the buffer, not the size +member that has not been set yet. + +Reported by Coverity. + +Signed-off-by: Ross Lagerwall +--- + src/tpm2/CryptUtil.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/tpm2/CryptUtil.c b/src/tpm2/CryptUtil.c +index 9879f918acb6..002fde0987a9 100644 +--- a/src/tpm2/CryptUtil.c ++++ b/src/tpm2/CryptUtil.c +@@ -732,7 +732,7 @@ CryptSecretDecrypt( + nonceCaller->t.size); + } + // make sure secret will fit +- if(secret->t.size > data->t.size) ++ if(secret->t.size > sizeof(data->t.buffer)) + return TPM_RC_FAILURE; + data->t.size = secret->t.size; + // CFB decrypt, using nonceCaller as iv +-- +2.36.0.44.g0f828332d5ac + diff --git a/libtpms.spec b/libtpms.spec index 95562a5..a4d391e 100644 --- a/libtpms.spec +++ b/libtpms.spec @@ -3,12 +3,14 @@ Name: libtpms Version: 0.9.1 -Release: 0.%{gitdate}git%{gitversion}%{?dist} +Release: 1.%{gitdate}git%{gitversion}%{?dist} Summary: Library providing Trusted Platform Module (TPM) functionality License: BSD Url: http://github.com/stefanberger/libtpms Source0: libtpms-%{gitdate}.tar.xz +Patch0001: 0001-tpm2-Do-not-call-EVP_PKEY_CTX_set0_rsa_oaep_label-fo.patch +Patch0002: 0001-tpm2-Fix-size-check-in-CryptSecretDecrypt.patch BuildRequires: openssl-devel BuildRequires: pkgconfig gawk sed @@ -55,6 +57,10 @@ find %{buildroot} -type f -name '*.la' | xargs rm -f -- || : %{_mandir}/man3/* %changelog +* Mon Jun 13 2022 Marc-André Lureau - 0.9.1-1.20211126git1ff6fe1f43 +- Backport RSA/OAEP fixes. + Resolves: rhbz#2093651 + * Wed Dec 01 2021 Marc-André Lureau - 0.9.1-0.20211126git1ff6fe1f43 - Rebase to 0.9.1 Resolves: rhbz#2027951