import swtpm-0.7.0-3.20211109gitb79fd91.el9

This commit is contained in:
CentOS Sources 2022-11-15 01:37:28 -05:00 committed by Stepan Oksanichenko
parent d985470c80
commit eb0b4b2efa
3 changed files with 344 additions and 1 deletions


@ -0,0 +1,54 @@
From 9f740868fc36761de27df3935513bdebf8852d19 Mon Sep 17 00:00:00 2001
From: Stefan Berger <stefanb@linux.ibm.com>
Date: Wed, 16 Feb 2022 11:17:47 -0500
Subject: [PATCH] swtpm: Check header size indicator against expected size (CID
375869)
This fix addresses Coverity issue CID 375869.
Check the header size indicated in the header of the state against the
expected size and return an error code in case the header size indicator
is different. There was only one header size so far since blobheader was
introduced, so we don't need to deal with different sizes.
Without this fix a specially craft header could have cause out-of-bounds
accesses on the byte array containing the swtpm's state.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
src/swtpm/swtpm_nvstore.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/swtpm/swtpm_nvstore.c b/src/swtpm/swtpm_nvstore.c
index 437088370e11..144d8975ec54 100644
--- a/src/swtpm/swtpm_nvstore.c
+++ b/src/swtpm/swtpm_nvstore.c
@@ -1075,6 +1075,7 @@ SWTPM_NVRAM_CheckHeader(unsigned char *data, uint32_t length,
uint8_t *hdrversion, bool quiet)
{
blobheader *bh = (blobheader *)data;
+ uint16_t hdrsize;
if (length < sizeof(bh)) {
if (!quiet)
@@ -1100,8 +1101,16 @@ SWTPM_NVRAM_CheckHeader(unsigned char *data, uint32_t length,
return TPM_BAD_VERSION;
}
+ hdrsize = ntohs(bh->hdrsize);
+ if (hdrsize != sizeof(blobheader)) {
+ logprintf(STDERR_FILENO,
+ "bad header size: %u != %zu\n",
+ hdrsize, sizeof(blobheader));
+ return TPM_BAD_DATASIZE;
+ }
+
*hdrversion = bh->version;
- *dataoffset = ntohs(bh->hdrsize);
+ *dataoffset = hdrsize;
*hdrflags = ntohs(bh->flags);
return TPM_SUCCESS;
--
2.34.1.428.gdcc0cd074f0c
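Review bot: The pre-existing length guard `if (length < sizeof(bh))` in the first hunk compares `length` against the size of the pointer `bh`, not the header it points to, so it does not establish that the buffer covers the fields read afterwards (`bh->version`, `bh->hdrsize`, `bh->flags`); the new `hdrsize != sizeof(blobheader)` check does not close this gap, because it validates the header's self-declared size rather than the buffer length. Whether the pointer size happens to equal `sizeof(blobheader)` on the build target is not visible here, but on any target where it is smaller a short state blob still passes the guard and the field reads run past `length`. Suggest `if (length < sizeof(*bh)) {` (or `sizeof(blobheader)`, matching the new check) as a one-line change to that context line. The `blobheader` definition and the closing brace of `SWTPM_NVRAM_CheckHeader` are outside the hunk.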


@ -0,0 +1,279 @@
From a39c3792ba5677f25fea903b9f1a43740a5f2c0c Mon Sep 17 00:00:00 2001
From: Stefan Berger <stefanb@linux.ibm.com>
Date: Wed, 8 Jun 2022 09:19:07 -0400
Subject: [PATCH] swtpm: Disable OpenSSL FIPS mode to avoid libtpms failures
While libtpms does not provide any means to disable FIPS-disabled crypto
algorithms from being used, work around the issue by simply disabling the
FIPS mode of OpenSSL if it is enabled. If it cannot be disabled, exit
swtpm with a failure message that it cannot be disabled. If FIPS mode
was successfully disabled, print out a message as well.
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=2090219
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
configure.ac | 9 ++++
src/swtpm/Makefile.am | 2 +
src/swtpm/cuse_tpm.c | 5 ++
src/swtpm/fips.c | 100 ++++++++++++++++++++++++++++++++++++++
src/swtpm/fips.h | 43 ++++++++++++++++
src/swtpm/swtpm.c | 3 ++
src/swtpm/swtpm_chardev.c | 3 ++
src/swtpm/utils.h | 2 +
8 files changed, 167 insertions(+)
create mode 100644 src/swtpm/fips.c
create mode 100644 src/swtpm/fips.h
diff --git a/configure.ac b/configure.ac
index ad3054e..30288c7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -156,6 +156,15 @@ openssl)
AC_MSG_RESULT([Building with openssl crypto library])
LIBCRYPTO_LIBS=$(pkg-config --libs libcrypto)
AC_SUBST([LIBCRYPTO_LIBS])
+ AC_CHECK_HEADERS([openssl/fips.h],
+ [AC_DEFINE_UNQUOTED([HAVE_OPENSSL_FIPS_H], 1,
+ [whether openssl/fips.h is available])]
+ )
+ AC_CHECK_LIB(crypto,
+ [FIPS_mode_set],
+ [AC_DEFINE_UNQUOTED([HAVE_OPENSSL_FIPS_MODE_SET_API], 1,
+ [whether FIPS_mode_set API is available])]
+ )
;;
esac
diff --git a/src/swtpm/Makefile.am b/src/swtpm/Makefile.am
index 5454a6f..2a65950 100644
--- a/src/swtpm/Makefile.am
+++ b/src/swtpm/Makefile.am
@@ -11,6 +11,7 @@ noinst_HEADERS = \
capabilities.h \
common.h \
ctrlchannel.h \
+ fips.h \
key.h \
locality.h \
logging.h \
@@ -40,6 +41,7 @@ libswtpm_libtpms_la_SOURCES = \
capabilities.c \
common.c \
ctrlchannel.c \
+ fips.c \
key.c \
logging.c \
mainloop.c \
diff --git a/src/swtpm/cuse_tpm.c b/src/swtpm/cuse_tpm.c
index 9dbc00d..3026e26 100644
--- a/src/swtpm/cuse_tpm.c
+++ b/src/swtpm/cuse_tpm.c
@@ -1695,6 +1695,11 @@ int swtpm_cuse_main(int argc, char **argv, const char *prgname, const char *ifac
goto exit;
}
+ if (disable_fips_mode() < 0) {
+ ret = -1;
+ goto exit;
+ }
+
if (tpmlib_register_callbacks(&cbs) != TPM_SUCCESS) {
ret = -1;
goto exit;
diff --git a/src/swtpm/fips.c b/src/swtpm/fips.c
new file mode 100644
index 0000000..eeb2a0c
--- /dev/null
+++ b/src/swtpm/fips.c
@@ -0,0 +1,100 @@
+/*
+ * fips.c -- FIPS mode related functions
+ *
+ * (c) Copyright IBM Corporation 2022.
+ *
+ * Author: Stefan Berger <stefanb@us.ibm.com>
+ *
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * Neither the names of the IBM Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include "fips.h"
+#include "logging.h"
+
+#if defined(HAVE_OPENSSL_FIPS_H)
+# include <openssl/fips.h>
+#elif defined(HAVE_OPENSSL_FIPS_MODE_SET_API)
+/* Cygwin has no fips.h but API exists */
+extern int FIPS_mode(void);
+extern int FIPS_mode_set(int);
+#endif
+
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+# include <openssl/evp.h>
+#endif
+
+#include <openssl/err.h>
+
+/*
+ * disable_fips_mode: If possible, disable FIPS mode to avoid libtpms failures
+ *
+ * While libtpms does not provide a solution to disable deactivated algorithms
+ * avoid libtpms failures due to FIPS mode enablement by disabling FIPS mode.
+ *
+ * Returns < 0 on error, 0 otherwise.
+ */
+#if defined(HAVE_OPENSSL_FIPS_H) || defined(HAVE_OPENSSL_FIPS_MODE_SET_API)
+int disable_fips_mode(void)
+{
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ int mode = EVP_default_properties_is_fips_enabled(NULL);
+#else
+ int mode = FIPS_mode();
+#endif
+ int ret = 0;
+
+ if (mode != 0) {
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ int rc = EVP_default_properties_enable_fips(NULL, 0);
+#else
+ int rc = FIPS_mode_set(0);
+#endif
+ if (rc == 1) {
+ logprintf(STDOUT_FILENO,
+ "Warning: Disabled OpenSSL FIPS mode\n");
+ } else {
+ unsigned long err = ERR_get_error();
+ logprintf(STDERR_FILENO,
+ "Failed to disable OpenSSL FIPS mode: %s\n",
+ ERR_error_string(err, NULL));
+ ret = -1;
+ }
+ }
+ return ret;
+}
+#else
+/* OpenBSD & DragonFlyBSD case */
+int disable_fips_mode(void)
+{
+ return 0;
+}
+#endif
diff --git a/src/swtpm/fips.h b/src/swtpm/fips.h
new file mode 100644
index 0000000..14d4e9f
--- /dev/null
+++ b/src/swtpm/fips.h
@@ -0,0 +1,43 @@
+/*
+ * fips.h -- FIPS mode related functions
+ *
+ * (c) Copyright IBM Corporation 2015.
+ *
+ * Author: Stefan Berger <stefanb@us.ibm.com>
+ *
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * Neither the names of the IBM Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _SWTPM_UTILS_H_
+#define _SWTPM_UTILS_H_
+
+int disable_fips_mode(void);
+
+#endif /* _SWTPM_UTILS_H_ */
diff --git a/src/swtpm/swtpm.c b/src/swtpm/swtpm.c
index 722a743..e618c56 100644
--- a/src/swtpm/swtpm.c
+++ b/src/swtpm/swtpm.c
@@ -521,6 +521,9 @@ int swtpm_main(int argc, char **argv, const char *prgname, const char *iface)
daemonize_finish();
}
+ if (disable_fips_mode() < 0)
+ goto error_seccomp_profile;
+
rc = mainLoop(&mlp, notify_fd[0]);
error_seccomp_profile:
diff --git a/src/swtpm/swtpm_chardev.c b/src/swtpm/swtpm_chardev.c
index 9710927..ab6d8fd 100644
--- a/src/swtpm/swtpm_chardev.c
+++ b/src/swtpm/swtpm_chardev.c
@@ -573,6 +573,9 @@ int swtpm_chardev_main(int argc, char **argv, const char *prgname, const char *i
daemonize_finish();
}
+ if (disable_fips_mode() < 0)
+ goto error_seccomp_profile;
+
rc = mainLoop(&mlp, notify_fd[0]);
error_seccomp_profile:
diff --git a/src/swtpm/utils.h b/src/swtpm/utils.h
index 7502442..b8acd89 100644
--- a/src/swtpm/utils.h
+++ b/src/swtpm/utils.h
@@ -71,4 +71,6 @@ ssize_t writev_full(int fd, const struct iovec *iov, int iovcnt);
ssize_t read_eintr(int fd, void *buffer, size_t buflen);
+int disable_fips_mode(void);
+
#endif /* _SWTPM_UTILS_H_ */
--
2.36.1
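Review bot: `OPENSSL_VERSION_NUMBER` is tested in fips.c before any header that defines it has been included: the `#if OPENSSL_VERSION_NUMBER >= 0x30000000L` guarding `<openssl/evp.h>` sits above the first unconditional OpenSSL include, `<openssl/err.h>`, so in the `HAVE_OPENSSL_FIPS_MODE_SET_API`-only configuration (no `openssl/fips.h`, which as far as I know is the OpenSSL 3 case) the preprocessor evaluates the undefined macro as 0 there and skips evp.h, while the same test inside `disable_fips_mode()` can come out true once err.h has pulled the version macro in, leaving `EVP_default_properties_is_fips_enabled` and `EVP_default_properties_enable_fips` implicitly declared. Add `#include <openssl/opensslv.h>` directly after `#include "logging.h"` so every version test sees the real value. Separately, fips.h reuses utils.h's include guard `_SWTPM_UTILS_H_`, so whichever of the two headers a translation unit includes second is silently dropped — rename it to `_SWTPM_FIPS_H_`, after which the duplicate `disable_fips_mode` prototype added to utils.h can go once the callers include fips.h. The fips.c header comment should also say plainly that this runs the emulated TPM with non-FIPS-approved algorithms on a host configured for FIPS, since the only runtime signal is the one-line "Warning: Disabled OpenSSL FIPS mode" message.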


@ -12,10 +12,12 @@
Summary: TPM Emulator
Name: swtpm
Version: 0.7.0
Release: 1.%{gitdate}git%{gitshortcommit}%{?dist}
Release: 3.%{gitdate}git%{gitshortcommit}%{?dist}
License: BSD
Url: http://github.com/stefanberger/swtpm
Source0: %{url}/archive/%{gitcommit}/%{name}-%{gitshortcommit}.tar.gz
Patch0001: 0001-swtpm-Check-header-size-indicator-against-expected-s.patch
Patch0002: 0001-swtpm-Disable-OpenSSL-FIPS-mode-to-avoid-libtpms-fai.patch
BuildRequires: make
BuildRequires: git-core
@ -178,6 +180,14 @@ fi
%{_datadir}/swtpm/swtpm-create-tpmca
%changelog
* Fri Jun 17 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-3.20211109gitb79fd91
- Disable OpenSSL FIPS mode to avoid libtpms failures
Resolves: rhbz#2090219
* Mon Feb 21 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-2.20211109gitb79fd91
- Add fix for CVE-2022-23645.
Resolves: rhbz#2056518
* Fri Nov 12 2021 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-1.20211109gitb79fd91
- Update to v0.7.0 release
Resolves: rhbz#2021580 & rhbz#1990153