From ae4efe5fa03095cf266696fa7821592bc953afd4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Date: Wed, 11 Sep 2024 11:44:13 +0400 Subject: [PATCH] Backport "tpm2: Return TPM_RC_VALUE upon decryption failure" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Resolves: RHEL-52968 Signed-off-by: Marc-André Lureau --- ...TPM_RC_VALUE-upon-decryption-failure.patch | 31 +++++++++++++++++++ libtpms.spec | 10 ++++-- 2 files changed, 39 insertions(+), 2 deletions(-) create mode 100644 0001-tpm2-Return-TPM_RC_VALUE-upon-decryption-failure.patch diff --git a/0001-tpm2-Return-TPM_RC_VALUE-upon-decryption-failure.patch b/0001-tpm2-Return-TPM_RC_VALUE-upon-decryption-failure.patch new file mode 100644 index 0000000..28ad2b9 --- /dev/null +++ b/0001-tpm2-Return-TPM_RC_VALUE-upon-decryption-failure.patch @@ -0,0 +1,31 @@ +From 1b0b41293a0d49ff8063542fcb3a5ee1d4e10f7e Mon Sep 17 00:00:00 2001 +From: Stefan Berger +Date: Mon, 29 Jul 2024 10:19:00 -0400 +Subject: [PATCH] tpm2: Return TPM_RC_VALUE upon decryption failure + +When decryption fails then return TPM_RC_VALUE rather than TPM_RC_FAILURE. +The old error code could indicate to an application or driver that +something is wrong with the TPM (has possibly gone into failure mode) even +though only the decryption failed, possibly due to a wrong key. + +Signed-off-by: Stefan Berger +--- + src/tpm2/crypto/openssl/CryptRsa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/tpm2/crypto/openssl/CryptRsa.c b/src/tpm2/crypto/openssl/CryptRsa.c +index b5d6b6c3..88ee3bac 100644 +--- a/src/tpm2/crypto/openssl/CryptRsa.c ++++ b/src/tpm2/crypto/openssl/CryptRsa.c +@@ -1457,7 +1457,7 @@ CryptRsaDecrypt( + outlen = sizeof(buffer); + if (EVP_PKEY_decrypt(ctx, buffer, &outlen, + cIn->buffer, cIn->size) <= 0) +- ERROR_RETURN(TPM_RC_FAILURE); ++ ERROR_RETURN(TPM_RC_VALUE); + + if (outlen > dOut->size) + ERROR_RETURN(TPM_RC_FAILURE); +-- +2.41.0.28.gd7d8841f67 + 
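Review bot: the backported change alters only the `EVP_PKEY_decrypt` failure path; the `ERROR_RETURN(TPM_RC_FAILURE)` two lines below it, on `outlen > dOut->size`, is left as is. That looks intentional, since that check guards an internal output-buffer invariant rather than a caller-supplied key or ciphertext, but neither the nested commit message nor the outer one says so, and a reader of this backport may otherwise assume the second site was missed. Suggest one sentence in the backport description noting that only the decryption-failure return is remapped to TPM_RC_VALUE and that the size-check return deliberately stays TPM_RC_FAILURE, so the distinction between "bad input" and "TPM internal problem" that the fix is meant to restore is documented where the next maintainer will look.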
diff --git a/libtpms.spec b/libtpms.spec index db33de7..d9a3c58 100644 --- a/libtpms.spec +++ b/libtpms.spec @@ -1,6 +1,6 @@ Name: libtpms Version: 0.9.6 -Release: 8%{?dist} +Release: 9%{?dist} Summary: Library providing Trusted Platform Module (TPM) functionality License: BSD-3-Clause AND LicenseRef-TCGL @@ -10,6 +10,8 @@ Source1: %{url}/releases/download/v%{version}/v%{version}.tar.gz.asc#/%{n # https://github.com/stefanberger.gpg Source2: gpgkey-B818B9CADF9089C2D5CEC66B75AD65802A0B4211.asc +Patch0001: 0001-tpm2-Return-TPM_RC_VALUE-upon-decryption-failure.patch + BuildRequires: autoconf BuildRequires: automake BuildRequires: coreutils @@ -35,7 +37,7 @@ Libtpms header files and documentation. %prep %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' -%autosetup +%autosetup -p1 %build NOCONFIGURE=1 ./autogen.sh @@ -63,6 +65,10 @@ make check %{_mandir}/man3/TPM* %changelog +* Wed Sep 11 2024 Marc-André Lureau - 0.9.6-9 +- Backport "tpm2: Return TPM_RC_VALUE upon decryption failure" + Resolves: RHEL-52968 + * Tue Aug 06 2024 Marc-André Lureau - 0.9.6-8 - Disable TPM 1.2 support, as it is not supported by RHEL.
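Review bot: the new `Patch0001:` line has no pointer to where the patch came from; a one-line comment above it naming the upstream commit that the patch file's own header shows (1b0b41293a0d49ff8063542fcb3a5ee1d4e10f7e) would let a later maintainer check whether a rebase to a newer libtpms already carries the fix and drop the patch. The switch to `%autosetup -p1` matches the `a/src/tpm2/...` path prefix in the patch, so it applies as written, and the Release bump and changelog entry follow the existing format of the spec.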