Backport "tpm2: Return TPM_RC_VALUE upon decryption failure"

Resolves: RHEL-58056

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
This commit is contained in:
Marc-André Lureau 2024-09-04 11:05:57 +04:00
parent 5b9f1fa30a
commit bc044e0d4c
2 changed files with 37 additions and 1 deletions

View File

@ -0,0 +1,31 @@
From 1b0b41293a0d49ff8063542fcb3a5ee1d4e10f7e Mon Sep 17 00:00:00 2001
From: Stefan Berger <stefanb@linux.ibm.com>
Date: Mon, 29 Jul 2024 10:19:00 -0400
Subject: [PATCH] tpm2: Return TPM_RC_VALUE upon decryption failure
When decryption fails then return TPM_RC_VALUE rather than TPM_RC_FAILURE.
The old error code could indicate to an application or driver that
something is wrong with the TPM (has possibly gone into failure mode) even
though only the decryption failed, possibly due to a wrong key.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
src/tpm2/crypto/openssl/CryptRsa.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tpm2/crypto/openssl/CryptRsa.c b/src/tpm2/crypto/openssl/CryptRsa.c
index b5d6b6c3..88ee3bac 100644
--- a/src/tpm2/crypto/openssl/CryptRsa.c
+++ b/src/tpm2/crypto/openssl/CryptRsa.c
@@ -1457,7 +1457,7 @@ CryptRsaDecrypt(
outlen = sizeof(buffer);
if (EVP_PKEY_decrypt(ctx, buffer, &outlen,
cIn->buffer, cIn->size) <= 0)
- ERROR_RETURN(TPM_RC_FAILURE);
+ ERROR_RETURN(TPM_RC_VALUE);
if (outlen > dOut->size)
ERROR_RETURN(TPM_RC_FAILURE);
--
2.41.0.28.gd7d8841f67

View File

@ -3,7 +3,7 @@
Name: libtpms
Version: 0.9.1
Release: 3.%{gitdate}git%{gitversion}%{?dist}
Release: 4.%{gitdate}git%{gitversion}%{?dist}
Summary: Library providing Trusted Platform Module (TPM) functionality
License: BSD
@ -13,6 +13,7 @@ Patch0001: 0001-tpm2-Do-not-call-EVP_PKEY_CTX_set0_rsa_oaep_label-fo.patch
Patch0002: 0001-tpm2-Fix-size-check-in-CryptSecretDecrypt.patch
Patch0003: 0001-tpm2-When-writing-state-initialize-s_ContextSlotMask.patch
Patch0004: 0001-tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch
Patch0005: 0001-tpm2-Return-TPM_RC_VALUE-upon-decryption-failure.patch
BuildRequires: openssl-devel
BuildRequires: pkgconfig gawk sed
@ -59,6 +60,10 @@ find %{buildroot} -type f -name '*.la' | xargs rm -f -- || :
%{_mandir}/man3/*
%changelog
* Wed Sep 04 2024 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.9.1-4.20211126git1ff6fe1f43
- Backport "tpm2: Return TPM_RC_VALUE upon decryption failure"
Resolves: RHEL-58056
* Wed Mar 01 2023 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.9.1-3.20211126git1ff6fe1f43
- Backport "tpm2: Check size of buffer before accessing it" (CVE-2023-1017 & CVE-2023-1018)
Resolves: rhbz#2173960