import tpm2-tools-4.1.1-5.el8

2021-10-06 07:28:46 -04:00 · 2021-10-06 07:28:46 -04:00 · e5fd40248c
commit e5fd40248c
parent 1dc0c74749
9 changed files with 334 additions and 1 deletions
--- a/SOURCES/0001-lib-files-fix-an-error-message-in-files_load_-name.patch
+++ b/SOURCES/0001-lib-files-fix-an-error-message-in-files_load_-name.patch
@ -0,0 +1,26 @@
+From 012249ad9d06d7534a94690a33638691f5104839 Mon Sep 17 00:00:00 2001
+From: Radoslav Gerganov <rgerganov@vmware.com>
+Date: Wed, 26 Feb 2020 10:40:26 +0200
+Subject: [PATCH] lib/files: fix an error message in files_load_##name
+
+Signed-off-by: Radoslav Gerganov <rgerganov@vmware.com>
+---
+ lib/files.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/files.c b/lib/files.c
+index a6beea5b8ff2..ef2170b079e1 100644
+--- a/lib/files.c
+++ b/lib/files.c
+@@ -687,7 +687,7 @@ tool_rc files_save_ESYS_TR(ESYS_CONTEXT *ectx, ESYS_TR handle, const char *path)
+         size_t offset = 0; \
+         TSS2_RC rc = Tss2_MU_##type##_Unmarshal(buffer, size, &offset, name); \
+         if (rc != TSS2_RC_SUCCESS) { \
+-            LOG_ERR("Error serializing "str(name)" structure: 0x%x", rc); \
+            LOG_ERR("Error deserializing "str(name)" structure: 0x%x", rc); \
+             LOG_ERR("The input file needs to be a valid "xstr(type)" data structure"); \
+             return false; \
+         } \
+-- 
+2.31.0
+
--- a/SOURCES/0001-lib-files.c-Fix-an-issue-where-execution-could-not-r.patch
+++ b/SOURCES/0001-lib-files.c-Fix-an-issue-where-execution-could-not-r.patch
@ -0,0 +1,42 @@
+From a20415d6f1d3fa09300ff1181646fe7e1785fd15 Mon Sep 17 00:00:00 2001
+From: Imran Desai <imran.desai@intel.com>
+Date: Sun, 29 Mar 2020 10:14:28 -0700
+Subject: [PATCH] lib/files.c: Fix an issue where execution could not reach
+ function return
+
+Signed-off-by: Imran Desai <imran.desai@intel.com>
+---
+ lib/files.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/lib/files.c b/lib/files.c
+index ef2170b079e1..501f88d11b48 100644
+--- a/lib/files.c
+++ b/lib/files.c
+@@ -607,9 +607,7 @@ bool files_load_bytes_from_buffer_or_file_or_stdin(const char *input_buffer,
+         return true;
+     }
+ 
+-//    printf("Reading file: %s\n", path);
+-//    printf("size: %u\n", *size);
+-
+    bool retval = true;
+     /* Read from stdin */
+     if (!input_buffer && !path) {
+         UINT16 read_bytes = 0;
+@@ -640,10 +638,10 @@ bool files_load_bytes_from_buffer_or_file_or_stdin(const char *input_buffer,
+             return true;
+         }
+     } else if (path) {
+-        return files_load_bytes_from_path(path, buf, size);
+        retval = files_load_bytes_from_path(path, buf, size);
+     }
+ 
+-    return false;
+    return retval;
+ }
+ 
+ tool_rc files_save_ESYS_TR(ESYS_CONTEXT *ectx, ESYS_TR handle, const char *path) {
+-- 
+2.31.0
+
--- a/SOURCES/0001-tools-tpm2_nvcertify.c-Fix-incompatible-pointer-cast.patch
+++ b/SOURCES/0001-tools-tpm2_nvcertify.c-Fix-incompatible-pointer-cast.patch
@ -0,0 +1,63 @@
+From 77d4592e3eec9ec2c7932586f41f925b43ecc5ba Mon Sep 17 00:00:00 2001
+From: Imran Desai <imran.desai@intel.com>
+Date: Sun, 29 Mar 2020 10:22:42 -0700
+Subject: [PATCH] tools/tpm2_nvcertify.c: Fix incompatible pointer cast that
+ may cause memory leak
+
+Pointer "&ctx.size" and "&ctx.offset" points to an object whose effective type is
+"unsigned short" (16 bits, unsigned) but is dereferenced as a wider
+"unsigned int" (32 bits, unsigned). This may lead to memory corruption.
+
+Signed-off-by: Imran Desai <imran.desai@intel.com>
+---
+ tools/tpm2_nvcertify.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/tools/tpm2_nvcertify.c b/tools/tpm2_nvcertify.c
+index b49f38dbff20..414cbea85574 100644
+--- a/tools/tpm2_nvcertify.c
+++ b/tools/tpm2_nvcertify.c
+@@ -80,6 +80,7 @@ static bool set_signature_format(char *value) {
+ static bool on_option(char key, char *value) {
+ 
+     bool result = true;
+    uint32_t input_value;
+ 
+     switch (key) {
+     case 'C':
+@@ -110,18 +111,30 @@ static bool on_option(char key, char *value) {
+         ctx.policy_qualifier_arg = value;
+         break;
+     case 0:
+-        result = tpm2_util_string_to_uint32(value, (uint32_t*)&ctx.size);
+        result = tpm2_util_string_to_uint32(value, &input_value);
+         if (!result) {
+             LOG_ERR("Could not convert size to number, got: \"%s\"", value);
+             return false;
+         }
+        if (input_value > UINT16_MAX) {
+            LOG_ERR("Specified size is larger than that allowed by command");
+            return false;
+        } else {
+            ctx.size = input_value;
+        }
+         break;
+     case 1:
+-        result = tpm2_util_string_to_uint32(value, (uint32_t*)&ctx.offset);
+        result = tpm2_util_string_to_uint32(value, &input_value);
+         if (!result) {
+             LOG_ERR("Could not convert offset to number, got: \"%s\"", value);
+             return false;
+         }
+        if (input_value > UINT16_MAX) {
+            LOG_ERR("Specified offset is larger than that allowed by command");
+            return false;
+        } else {
+            ctx.offset = input_value;
+        }
+         break;
+     case 2:
+         ctx.certify_info_path = value;
+-- 
+2.31.0
+
--- a/SOURCES/0001-tools-tpm2_nvreadpublic-Fix-resource-leak.patch
+++ b/SOURCES/0001-tools-tpm2_nvreadpublic-Fix-resource-leak.patch
@ -0,0 +1,25 @@
+From 023ec5c0eafe8dfb5b71e400cb0c2c337fb8c108 Mon Sep 17 00:00:00 2001
+From: Imran Desai <imran.desai@intel.com>
+Date: Sun, 29 Mar 2020 10:49:12 -0700
+Subject: [PATCH] tools/tpm2_nvreadpublic: Fix resource leak
+
+Signed-off-by: Imran Desai <imran.desai@intel.com>
+---
+ tools/tpm2_nvreadpublic.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/tpm2_nvreadpublic.c b/tools/tpm2_nvreadpublic.c
+index 7f8e46cbf863..eca1fd715a79 100644
+--- a/tools/tpm2_nvreadpublic.c
+++ b/tools/tpm2_nvreadpublic.c
+@@ -41,6 +41,7 @@ static tool_rc print_nv_public(ESYS_CONTEXT *context, TPMI_RH_NV_INDEX index, TP
+     rc = tpm2_tr_get_name(context, tr_handle,
+             &name);
+     if (rc != tool_rc_success) {
+        free(attrs);
+         return rc;
+     }
+ 
+-- 
+2.31.0
+
--- a/SOURCES/0001-tpm2_getekcertificate-add-default-web-address.patch
+++ b/SOURCES/0001-tpm2_getekcertificate-add-default-web-address.patch
@ -0,0 +1,49 @@
+From 8c72f7402d8977807f531b08976760d62676cf8a Mon Sep 17 00:00:00 2001
+From: Imran Desai <imran.desai@intel.com>
+Date: Thu, 23 Jan 2020 11:21:58 -0700
+Subject: [PATCH] tpm2_getekcertificate: add default web address
+
+Currently only Intel (R) PTT certificates are hosted online.
+A default web address pointing to the endorsement key certificate
+hosting will help reduce user input.
+
+Signed-off-by: Imran Desai <imran.desai@intel.com>
+---
+ test/integration/tests/getekcertificate.sh | 6 ++----
+ tools/tpm2_getekcertificate.c              | 1 +
+ 2 files changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/test/integration/tests/getekcertificate.sh b/test/integration/tests/getekcertificate.sh
+index 33f4f8b2e4c0..e8c521756d2a 100755
+--- a/test/integration/tests/getekcertificate.sh
+++ b/test/integration/tests/getekcertificate.sh
+@@ -38,12 +38,10 @@ else
+     fi
+ fi
+ 
+-tpm2_getekcertificate -u test_ek.pub -x -X -o ECcert.bin \
+-https://ekop.intel.com/ekcertservice/
+tpm2_getekcertificate -u test_ek.pub -x -X -o ECcert.bin
+ 
+ # Test that stdoutput is the same
+-tpm2_getekcertificate -u test_ek.pub -x https://ekop.intel.com/ekcertservice/ \
+--X > ECcert2.bin
+tpm2_getekcertificate -u test_ek.pub -x -X > ECcert2.bin
+ 
+ # stdout file should match -E file.
+ cmp ECcert.bin ECcert2.bin
+diff --git a/tools/tpm2_getekcertificate.c b/tools/tpm2_getekcertificate.c
+index 233d04d8b3d7..6a8fe894bb1c 100644
+--- a/tools/tpm2_getekcertificate.c
+++ b/tools/tpm2_getekcertificate.c
+@@ -32,6 +32,7 @@ struct tpm_getekcertificate_ctx {
+ 
+ static tpm_getekcertificate_ctx ctx = {
+     .is_tpm2_device_active = true,
+    .ek_server_addr = "https://ekop.intel.com/ekcertservice/",
+ };
+ 
+ static unsigned char *hash_ek_public(void) {
+-- 
+2.31.0
+
--- a/SOURCES/0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch
+++ b/SOURCES/0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch
@ -0,0 +1,46 @@
+From c069e4f179d5e6653a84fb236816c375dca82515 Mon Sep 17 00:00:00 2001
+From: William Roberts <william.c.roberts@intel.com>
+Date: Fri, 21 May 2021 12:22:31 -0500
+Subject: [PATCH] tpm2_import: fix fixed AES key CVE-2021-3565
+
+tpm2_import used a fixed AES key for the inner wrapper, which means that
+a MITM attack would be able to unwrap the imported key. Even the
+use of an encrypted session will not prevent this. The TPM only
+encrypts the first parameter which is the fixed symmetric key.
+
+To fix this, ensure the key size is 16 bytes or bigger and use
+OpenSSL to generate a secure random AES key.
+
+Fixes: #2738
+
+Signed-off-by: William Roberts <william.c.roberts@intel.com>
+---
+ tools/tpm2_import.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tpm2_import.c b/tools/tpm2_import.c
+index cfb6f207ba9c..f44326c87e7e 100644
+--- a/tools/tpm2_import.c
+++ b/tools/tpm2_import.c
+@@ -118,7 +118,17 @@ static tool_rc key_import(ESYS_CONTEXT *ectx, TPM2B_PUBLIC *parent_pub,
+     TPM2B_DATA enc_sensitive_key = {
+         .size = parent_pub->publicArea.parameters.rsaDetail.symmetric.keyBits.sym / 8
+     };
+-    memset(enc_sensitive_key.buffer, 0xFF, enc_sensitive_key.size);
+
+    if(enc_sensitive_key.size < 16) {
+        LOG_ERR("Calculated wrapping keysize is less than 16 bytes, got: %u", enc_sensitive_key.size);
+        return tool_rc_general_error;
+    }
+
+    int ossl_rc = RAND_bytes(enc_sensitive_key.buffer, enc_sensitive_key.size);
+    if (ossl_rc != 1) {
+        LOG_ERR("RAND_bytes failed: %s", ERR_error_string(ERR_get_error(), NULL));
+        return tool_rc_general_error;
+    }
+ 
+     /*
+      * Calculate the object name.
+-- 
+2.31.0
+
--- a/SOURCES/0001-tpm2_policy.c-restrict-policy-digest-size.patch
+++ b/SOURCES/0001-tpm2_policy.c-restrict-policy-digest-size.patch
@ -0,0 +1,28 @@
+From e556da0a2099573f82391c16477fba08584a7a12 Mon Sep 17 00:00:00 2001
+From: Imran Desai <imran.desai@intel.com>
+Date: Tue, 10 Mar 2020 09:15:55 -0700
+Subject: [PATCH] tpm2_policy.c: restrict policy digest size
+
+Fixes #1916
+
+Signed-off-by: Imran Desai <imran.desai@intel.com>
+---
+ lib/tpm2_policy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/tpm2_policy.c b/lib/tpm2_policy.c
+index 6c352b2b41ae..01387ba01645 100644
+--- a/lib/tpm2_policy.c
+++ b/lib/tpm2_policy.c
+@@ -163,7 +163,7 @@ tool_rc tpm2_policy_build_policyauthorize(ESYS_CONTEXT *ectx,
+     bool result = true;
+     TPM2B_DIGEST approved_policy = { .size = 0 };
+     if (policy_digest_path) {
+-        approved_policy.size = UINT16_MAX;
+        approved_policy.size = sizeof(TPMU_HA);
+         result = files_load_bytes_from_path(policy_digest_path,
+             approved_policy.buffer, &approved_policy.size);
+     }
+-- 
+2.31.0
+
--- a/SOURCES/0001-tpm2_policycountertimer-Fix-an-issue-where-operandB-.patch
+++ b/SOURCES/0001-tpm2_policycountertimer-Fix-an-issue-where-operandB-.patch
@ -0,0 +1,30 @@
+From cab7b3edcc6a44aece0642c0c2621a4bb70d449b Mon Sep 17 00:00:00 2001
+From: Imran Desai <imran.desai@intel.com>
+Date: Tue, 10 Mar 2020 18:19:04 -0700
+Subject: [PATCH] tpm2_policycountertimer: Fix an issue where operandB array
+ was reversed
+
+Signed-off-by: Imran Desai <imran.desai@intel.com>
+---
+ tools/tpm2_policycountertimer.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tpm2_policycountertimer.c b/tools/tpm2_policycountertimer.c
+index 1c72d525dab7..170a544f2203 100644
+--- a/tools/tpm2_policycountertimer.c
+++ b/tools/tpm2_policycountertimer.c
+@@ -81,7 +81,10 @@ static bool convert_keyvalue_to_operand_buffer(const char *value,
+     }
+ 
+     ctx.operand_b.size = size;
+-    memcpy(ctx.operand_b.buffer, &data.b, size);
+    size_t i = 0;
+    for (i = 0; i < size; i++) {
+        ctx.operand_b.buffer[i] = *(&data.b + size - i - 1);
+    }
+ 
+     return true;
+ }
+-- 
+2.31.0
+
--- a/SPECS/tpm2-tools.spec
+++ b/SPECS/tpm2-tools.spec
@ -1,6 +1,6 @@
 Name: tpm2-tools
 Version: 4.1.1
-Release: 2%{?dist}
+Release: 5%{?dist}
 Summary: A TPM2.0 testing tool build upon TPM2.0-TSS

 License: BSD
@ -13,6 +13,14 @@ Patch3:  0001-tpm2_alg_util.c-fix-a-bug-where-the-string-rsa3072-w.patch
 Patch4:  0001-Fix-ESYS_TR-hierarchy-transition.patch
 Patch5:  0001-Refactor-fix_esys_hierarchies.patch
 Patch6:  0001-tpm2_create.c-Fix-an-issue-where-userwithauth-attr-c.patch
+Patch7:  0001-tpm2_getekcertificate-add-default-web-address.patch
+Patch8:  0001-lib-files-fix-an-error-message-in-files_load_-name.patch
+Patch9:  0001-tpm2_policy.c-restrict-policy-digest-size.patch
+Patch10: 0001-tpm2_policycountertimer-Fix-an-issue-where-operandB-.patch
+Patch11: 0001-tools-tpm2_nvcertify.c-Fix-incompatible-pointer-cast.patch
+Patch12: 0001-tools-tpm2_nvreadpublic-Fix-resource-leak.patch
+Patch13: 0001-lib-files.c-Fix-an-issue-where-execution-could-not-r.patch
+Patch14: 0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch

 BuildRequires: gcc-c++
 BuildRequires: libtool
@ -53,6 +61,22 @@ tpm2-tools is a batch of testing tools for tpm2.0. It is based on tpm2-tss.
 %{_mandir}/man1/tpm2_*.1.gz

 %changelog
+* Mon Aug 09 2021 Jerry Snitselaar <jsnitsel@redhat.com> - 4.1.1-5
+- Bump nvr to trigger osci.
+resolves: rhbz#1965981
+
+* Tue Jun 01 2021 Jerry Snitselaar <jsnitsel@redhat.com> - 4.1.1-4
+- Fix CVE-2021-3565
+resolves: rhbz#1965981
+
+* Fri May 14 2021 Jerry Snitselaar <jsnitsel@redhat.com> - 4.1.1-3
+- Fix resource leak.
+- Fix to restrict policy digest size.
+- Fix incompatible pointer cast.
+- Fix error message in files_load_##name
+- Fix issue where execution couldn't reach function return.
+resolves: rhbz#1920821
+
 * Mon Nov 16 2020 Jerry Snitselaar <jsnitsel@redhat.com> - 4.1.1-2
 - Fix ESYS_TR hierarchy transition.
 - Refactor fix_esys_hierarchies to return actual TSS2_RC return code.