Backport "tpm2: Return TPM_RC_VALUE upon decryption failure"

Resolves: RHEL-52968 Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2024-09-11 11:44:13 +04:00 · 2024-09-11 11:44:13 +04:00 · ae4efe5fa0
commit ae4efe5fa0
parent 98af908e6e
2 changed files with 39 additions and 2 deletions
--- a/0001-tpm2-Return-TPM_RC_VALUE-upon-decryption-failure.patch
+++ b/0001-tpm2-Return-TPM_RC_VALUE-upon-decryption-failure.patch
@ -0,0 +1,31 @@
+From 1b0b41293a0d49ff8063542fcb3a5ee1d4e10f7e Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.ibm.com>
+Date: Mon, 29 Jul 2024 10:19:00 -0400
+Subject: [PATCH] tpm2: Return TPM_RC_VALUE upon decryption failure
+
+When decryption fails then return TPM_RC_VALUE rather than TPM_RC_FAILURE.
+The old error code could indicate to an application or driver that
+something is wrong with the TPM (has possibly gone into failure mode) even
+though only the decryption failed, possibly due to a wrong key.
+
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+---
+ src/tpm2/crypto/openssl/CryptRsa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tpm2/crypto/openssl/CryptRsa.c b/src/tpm2/crypto/openssl/CryptRsa.c
+index b5d6b6c3..88ee3bac 100644
+--- a/src/tpm2/crypto/openssl/CryptRsa.c
+++ b/src/tpm2/crypto/openssl/CryptRsa.c
+@@ -1457,7 +1457,7 @@ CryptRsaDecrypt(
+     outlen = sizeof(buffer);
+     if (EVP_PKEY_decrypt(ctx, buffer, &outlen,
+                          cIn->buffer, cIn->size) <= 0)
+-        ERROR_RETURN(TPM_RC_FAILURE);
+        ERROR_RETURN(TPM_RC_VALUE);
+ 
+     if (outlen > dOut->size)
+         ERROR_RETURN(TPM_RC_FAILURE);
+-- 
+2.41.0.28.gd7d8841f67
+
--- a/libtpms.spec
+++ b/libtpms.spec
@ -1,6 +1,6 @@
 Name:           libtpms
 Version:        0.9.6
-Release:        8%{?dist}
+Release:        9%{?dist}
 Summary:        Library providing Trusted Platform Module (TPM) functionality
 License:        BSD-3-Clause AND LicenseRef-TCGL

@ -10,6 +10,8 @@ Source1:        %{url}/releases/download/v%{version}/v%{version}.tar.gz.asc#/%{n
 # https://github.com/stefanberger.gpg
 Source2:        gpgkey-B818B9CADF9089C2D5CEC66B75AD65802A0B4211.asc

+Patch0001:      0001-tpm2-Return-TPM_RC_VALUE-upon-decryption-failure.patch
+
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  coreutils
@ -35,7 +37,7 @@ Libtpms header files and documentation.

 %prep
 %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
-%autosetup
+%autosetup -p1

 %build
 NOCONFIGURE=1 ./autogen.sh
@ -63,6 +65,10 @@ make check
 %{_mandir}/man3/TPM*

 %changelog
+* Wed Sep 11 2024 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.9.6-9
+- Backport "tpm2: Return TPM_RC_VALUE upon decryption failure"
+  Resolves: RHEL-52968
+
 * Tue Aug 06 2024 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.9.6-8
 - Disable TPM 1.2 support, as it is not supported by RHEL.