Browse Source

import swtpm-0.7.0-4.20211109gitb79fd91.module+el8.7.0+15999+d24f860e

c8s-stream-rhel imports/c8s-stream-rhel/swtpm-0.7.0-4.20211109gitb79fd91.module+el8.7.0+15999+d24f860e
CentOS Sources 2 months ago
committed by Stepan Oksanichenko
parent
commit
72f3e3a4bb
  1. 54
      SOURCES/0001-swtpm-Check-header-size-indicator-against-expected-s.patch
  2. 279
      SOURCES/0001-swtpm-Disable-OpenSSL-FIPS-mode-to-avoid-libtpms-fai.patch
  3. 65
      SOURCES/0001-swtpm_localca-Test-for-available-issuercert-before-c.patch
  4. 17
      SPECS/swtpm.spec

54
SOURCES/0001-swtpm-Check-header-size-indicator-against-expected-s.patch

@ -0,0 +1,54 @@
From 9f740868fc36761de27df3935513bdebf8852d19 Mon Sep 17 00:00:00 2001
From: Stefan Berger <stefanb@linux.ibm.com>
Date: Wed, 16 Feb 2022 11:17:47 -0500
Subject: [PATCH] swtpm: Check header size indicator against expected size (CID
375869)
This fix addresses Coverity issue CID 375869.
Check the header size indicated in the header of the state against the
expected size and return an error code in case the header size indicator
is different. There was only one header size so far since blobheader was
introduced, so we don't need to deal with different sizes.
Without this fix a specially craft header could have cause out-of-bounds
accesses on the byte array containing the swtpm's state.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
src/swtpm/swtpm_nvstore.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/swtpm/swtpm_nvstore.c b/src/swtpm/swtpm_nvstore.c
index 437088370e11..144d8975ec54 100644
--- a/src/swtpm/swtpm_nvstore.c
+++ b/src/swtpm/swtpm_nvstore.c
@@ -1075,6 +1075,7 @@ SWTPM_NVRAM_CheckHeader(unsigned char *data, uint32_t length,
uint8_t *hdrversion, bool quiet)
{
blobheader *bh = (blobheader *)data;
+ uint16_t hdrsize;
if (length < sizeof(bh)) {
if (!quiet)
@@ -1100,8 +1101,16 @@ SWTPM_NVRAM_CheckHeader(unsigned char *data, uint32_t length,
return TPM_BAD_VERSION;
}
+ hdrsize = ntohs(bh->hdrsize);
+ if (hdrsize != sizeof(blobheader)) {
+ logprintf(STDERR_FILENO,
+ "bad header size: %u != %zu\n",
+ hdrsize, sizeof(blobheader));
+ return TPM_BAD_DATASIZE;
+ }
+
*hdrversion = bh->version;
- *dataoffset = ntohs(bh->hdrsize);
+ *dataoffset = hdrsize;
*hdrflags = ntohs(bh->flags);
return TPM_SUCCESS;
--
2.34.1.428.gdcc0cd074f0c

279
SOURCES/0001-swtpm-Disable-OpenSSL-FIPS-mode-to-avoid-libtpms-fai.patch

@ -0,0 +1,279 @@
From a39c3792ba5677f25fea903b9f1a43740a5f2c0c Mon Sep 17 00:00:00 2001
From: Stefan Berger <stefanb@linux.ibm.com>
Date: Wed, 8 Jun 2022 09:19:07 -0400
Subject: [PATCH] swtpm: Disable OpenSSL FIPS mode to avoid libtpms failures
While libtpms does not provide any means to disable FIPS-disabled crypto
algorithms from being used, work around the issue by simply disabling the
FIPS mode of OpenSSL if it is enabled. If it cannot be disabled, exit
swtpm with a failure message that it cannot be disabled. If FIPS mode
was successfully disabled, print out a message as well.
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=2090219
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
configure.ac | 9 ++++
src/swtpm/Makefile.am | 2 +
src/swtpm/cuse_tpm.c | 5 ++
src/swtpm/fips.c | 100 ++++++++++++++++++++++++++++++++++++++
src/swtpm/fips.h | 43 ++++++++++++++++
src/swtpm/swtpm.c | 3 ++
src/swtpm/swtpm_chardev.c | 3 ++
src/swtpm/utils.h | 2 +
8 files changed, 167 insertions(+)
create mode 100644 src/swtpm/fips.c
create mode 100644 src/swtpm/fips.h
diff --git a/configure.ac b/configure.ac
index ad3054e..30288c7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -156,6 +156,15 @@ openssl)
AC_MSG_RESULT([Building with openssl crypto library])
LIBCRYPTO_LIBS=$(pkg-config --libs libcrypto)
AC_SUBST([LIBCRYPTO_LIBS])
+ AC_CHECK_HEADERS([openssl/fips.h],
+ [AC_DEFINE_UNQUOTED([HAVE_OPENSSL_FIPS_H], 1,
+ [whether openssl/fips.h is available])]
+ )
+ AC_CHECK_LIB(crypto,
+ [FIPS_mode_set],
+ [AC_DEFINE_UNQUOTED([HAVE_OPENSSL_FIPS_MODE_SET_API], 1,
+ [whether FIPS_mode_set API is available])]
+ )
;;
esac
diff --git a/src/swtpm/Makefile.am b/src/swtpm/Makefile.am
index 5454a6f..2a65950 100644
--- a/src/swtpm/Makefile.am
+++ b/src/swtpm/Makefile.am
@@ -11,6 +11,7 @@ noinst_HEADERS = \
capabilities.h \
common.h \
ctrlchannel.h \
+ fips.h \
key.h \
locality.h \
logging.h \
@@ -40,6 +41,7 @@ libswtpm_libtpms_la_SOURCES = \
capabilities.c \
common.c \
ctrlchannel.c \
+ fips.c \
key.c \
logging.c \
mainloop.c \
diff --git a/src/swtpm/cuse_tpm.c b/src/swtpm/cuse_tpm.c
index 9dbc00d..3026e26 100644
--- a/src/swtpm/cuse_tpm.c
+++ b/src/swtpm/cuse_tpm.c
@@ -1695,6 +1695,11 @@ int swtpm_cuse_main(int argc, char **argv, const char *prgname, const char *ifac
goto exit;
}
+ if (disable_fips_mode() < 0) {
+ ret = -1;
+ goto exit;
+ }
+
if (tpmlib_register_callbacks(&cbs) != TPM_SUCCESS) {
ret = -1;
goto exit;
diff --git a/src/swtpm/fips.c b/src/swtpm/fips.c
new file mode 100644
index 0000000..eeb2a0c
--- /dev/null
+++ b/src/swtpm/fips.c
@@ -0,0 +1,100 @@
+/*
+ * fips.c -- FIPS mode related functions
+ *
+ * (c) Copyright IBM Corporation 2022.
+ *
+ * Author: Stefan Berger <stefanb@us.ibm.com>
+ *
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * Neither the names of the IBM Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include "fips.h"
+#include "logging.h"
+
+#if defined(HAVE_OPENSSL_FIPS_H)
+# include <openssl/fips.h>
+#elif defined(HAVE_OPENSSL_FIPS_MODE_SET_API)
+/* Cygwin has no fips.h but API exists */
+extern int FIPS_mode(void);
+extern int FIPS_mode_set(int);
+#endif
+
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+# include <openssl/evp.h>
+#endif
+
+#include <openssl/err.h>
+
+/*
+ * disable_fips_mode: If possible, disable FIPS mode to avoid libtpms failures
+ *
+ * While libtpms does not provide a solution to disable deactivated algorithms
+ * avoid libtpms failures due to FIPS mode enablement by disabling FIPS mode.
+ *
+ * Returns < 0 on error, 0 otherwise.
+ */
+#if defined(HAVE_OPENSSL_FIPS_H) || defined(HAVE_OPENSSL_FIPS_MODE_SET_API)
+int disable_fips_mode(void)
+{
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ int mode = EVP_default_properties_is_fips_enabled(NULL);
+#else
+ int mode = FIPS_mode();
+#endif
+ int ret = 0;
+
+ if (mode != 0) {
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ int rc = EVP_default_properties_enable_fips(NULL, 0);
+#else
+ int rc = FIPS_mode_set(0);
+#endif
+ if (rc == 1) {
+ logprintf(STDOUT_FILENO,
+ "Warning: Disabled OpenSSL FIPS mode\n");
+ } else {
+ unsigned long err = ERR_get_error();
+ logprintf(STDERR_FILENO,
+ "Failed to disable OpenSSL FIPS mode: %s\n",
+ ERR_error_string(err, NULL));
+ ret = -1;
+ }
+ }
+ return ret;
+}
+#else
+/* OpenBSD & DragonFlyBSD case */
+int disable_fips_mode(void)
+{
+ return 0;
+}
+#endif
diff --git a/src/swtpm/fips.h b/src/swtpm/fips.h
new file mode 100644
index 0000000..14d4e9f
--- /dev/null
+++ b/src/swtpm/fips.h
@@ -0,0 +1,43 @@
+/*
+ * fips.h -- FIPS mode related functions
+ *
+ * (c) Copyright IBM Corporation 2015.
+ *
+ * Author: Stefan Berger <stefanb@us.ibm.com>
+ *
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * Neither the names of the IBM Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _SWTPM_UTILS_H_
+#define _SWTPM_UTILS_H_
+
+int disable_fips_mode(void);
+
+#endif /* _SWTPM_UTILS_H_ */
diff --git a/src/swtpm/swtpm.c b/src/swtpm/swtpm.c
index 722a743..e618c56 100644
--- a/src/swtpm/swtpm.c
+++ b/src/swtpm/swtpm.c
@@ -521,6 +521,9 @@ int swtpm_main(int argc, char **argv, const char *prgname, const char *iface)
daemonize_finish();
}
+ if (disable_fips_mode() < 0)
+ goto error_seccomp_profile;
+
rc = mainLoop(&mlp, notify_fd[0]);
error_seccomp_profile:
diff --git a/src/swtpm/swtpm_chardev.c b/src/swtpm/swtpm_chardev.c
index 9710927..ab6d8fd 100644
--- a/src/swtpm/swtpm_chardev.c
+++ b/src/swtpm/swtpm_chardev.c
@@ -573,6 +573,9 @@ int swtpm_chardev_main(int argc, char **argv, const char *prgname, const char *i
daemonize_finish();
}
+ if (disable_fips_mode() < 0)
+ goto error_seccomp_profile;
+
rc = mainLoop(&mlp, notify_fd[0]);
error_seccomp_profile:
diff --git a/src/swtpm/utils.h b/src/swtpm/utils.h
index 7502442..b8acd89 100644
--- a/src/swtpm/utils.h
+++ b/src/swtpm/utils.h
@@ -71,4 +71,6 @@ ssize_t writev_full(int fd, const struct iovec *iov, int iovcnt);
ssize_t read_eintr(int fd, void *buffer, size_t buflen);
+int disable_fips_mode(void);
+
#endif /* _SWTPM_UTILS_H_ */
--
2.36.1

65
SOURCES/0001-swtpm_localca-Test-for-available-issuercert-before-c.patch

@ -0,0 +1,65 @@
From b6b0611704047b8632b328d48502f3b3f9fe4fe2 Mon Sep 17 00:00:00 2001
From: Stefan Berger <stefanb@linux.ibm.com>
Date: Tue, 1 Feb 2022 12:40:06 -0500
Subject: [PATCH] swtpm_localca: Test for available issuercert before creating
CA
Avoid trying to create TPM certificates while the issuer certificate has
not been created, yet (in a 2nd step).
To resolve this do not just test for availability of the signing key, which
is created first, but also test for the issuer certifcate, which is created
in a 2nd step when the local CA is created. If either one is missing,
attempt to create the CA.
Resolves: https://github.com/stefanberger/swtpm/issues/644
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
src/swtpm_localca/swtpm_localca.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/src/swtpm_localca/swtpm_localca.c b/src/swtpm_localca/swtpm_localca.c
index 037bfd5266bb..089e4e0db4ce 100644
--- a/src/swtpm_localca/swtpm_localca.c
+++ b/src/swtpm_localca/swtpm_localca.c
@@ -117,7 +117,7 @@ static int create_localca_cert(const gchar *lockfile, const gchar *statedir,
goto error;
}
- if (access(signkey, R_OK) != 0) {
+ if (access(signkey, R_OK) != 0 || access(issuercert, R_OK) != 0) {
g_autofree gchar *directory = g_path_get_dirname(signkey);
g_autofree gchar *cakey = g_strjoin(G_DIR_SEPARATOR_S, directory, "swtpm-localca-rootca-privkey.pem", NULL);
g_autofree gchar *cacert = g_strjoin(G_DIR_SEPARATOR_S, directory, "swtpm-localca-rootca-cert.pem", NULL);
@@ -808,13 +808,28 @@ int main(int argc, char *argv[])
if (ret != 0)
goto error;
} else {
+ int create_certs = 0;
+
+ /* create certificate if either the signing key or issuer cert are missing */
if (access(signkey, R_OK) != 0) {
if (stat(signkey, &statbuf) == 0) {
logerr(gl_LOGFILE, "Need read rights on signing key %s for user %s.\n",
signkey, curr_user ? curr_user->pw_name : "<unknown>");
goto error;
}
+ create_certs = 1;
+ }
+
+ if (access(issuercert, R_OK) != 0) {
+ if (stat(issuercert, &statbuf) == 0) {
+ logerr(gl_LOGFILE, "Need read rights on issuer certificate %s for user %s.\n",
+ issuercert, curr_user ? curr_user->pw_name : "<unknown>");
+ goto error;
+ }
+ create_certs = 1;
+ }
+ if (create_certs) {
logit(gl_LOGFILE, "Creating root CA and a local CA's signing key and issuer cert.\n");
if (create_localca_cert(lockfile, statedir, signkey, signkey_password,
issuercert) != 0) {
--
2.37.0.rc0

17
SPECS/swtpm.spec

@ -12,11 +12,14 @@
Summary: TPM Emulator
Name: swtpm
Version: 0.7.0
Release: 1.%{gitdate}git%{gitshortcommit}%{?dist}
Release: 4.%{gitdate}git%{gitshortcommit}%{?dist}
License: BSD
Url: http://github.com/stefanberger/swtpm
Source0: %{url}/archive/%{gitcommit}/%{name}-%{gitshortcommit}.tar.gz
ExcludeArch: i686
Patch0001: 0001-swtpm-Check-header-size-indicator-against-expected-s.patch
Patch0002: 0001-swtpm-Disable-OpenSSL-FIPS-mode-to-avoid-libtpms-fai.patch
Patch0003: 0001-swtpm_localca-Test-for-available-issuercert-before-c.patch
BuildRequires: make
BuildRequires: git-core
@ -179,6 +182,18 @@ fi
%{_datadir}/swtpm/swtpm-create-tpmca
%changelog
* Mon Jul 18 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-4.20211109gitb79fd91
- swtpm_localca: Test for available issuercert before creating CA
Resolves: rhbz#2100508
* Mon Jun 20 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-3.20211109gitb79fd91
- Disable OpenSSL FIPS mode to avoid libtpms failures
Resolves: rhbz#2097947
* Mon Feb 21 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-2.20211109gitb79fd91
- Add fix for CVE-2022-23645.
Resolves: rhbz#2056517
* Tue Jan 04 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-1.20211109gitb79fd91
- Rebase to 0.7.0, disable TPM 1.2.
Resovles: rhbz#2029612

Loading…
Cancel
Save