import tpm2-tss-2.3.2-4.el8

SOURCES/0001-esys-fix-hmac-calculation-for-tpm2_clear-command.patch

@@ -0,0 +1,39 @@
+From 3d3808c3eb02c27f1b114baddd03960892044909 Mon Sep 17 00:00:00 2001
+From: Tadeusz Struk <tadeusz.struk@intel.com>
+Date: Mon, 2 Mar 2020 14:45:52 -0800
+Subject: [PATCH] esys: fix hmac calculation for tpm2_clear command
+
+After tpm2_clear command is executed it sets all ownerAuth,
+endorsementAuth, and lockoutAuth to the Empty Buffer and then
+this is used for a response auth calculation.
+This requires to recalculate the esys session auth value after
+tpm2_clear is executed or the calculated response HMAC value
+will be invalid and the command will fail with
+err: 0x0007001b "Authorizing the TPM response failed"
+
+Fixes: #1641
+
+Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
+---
+ src/tss2-esys/api/Esys_Clear.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/tss2-esys/api/Esys_Clear.c b/src/tss2-esys/api/Esys_Clear.c
+index f5c0b827425a..0f43f7e9b85f 100644
+--- a/src/tss2-esys/api/Esys_Clear.c
++++ b/src/tss2-esys/api/Esys_Clear.c
+@@ -199,6 +199,11 @@ Esys_Clear_Async(
+     return_state_if_error(r, _ESYS_STATE_INTERNALERROR,
+                           "Finish (Execute Async)");
+ 
++    /* If the command authorization is LOCKOUT we need to
++     * recompute session value with an empty auth */
++    if (authHandle == ESYS_TR_RH_LOCKOUT)
++        iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL);
++
+     esysContext->state = _ESYS_STATE_SENT;
+ 
+     return r;
+-- 
+2.30.1
+

SOURCES/0001-tctildr-remove-the-private-implementation-of-strndup.patch

@@ -0,0 +1,96 @@
+From 464da22b71e26421f55d4e8abc14711f89c89a28 Mon Sep 17 00:00:00 2001
+From: Tadeusz Struk <tadeusz.struk@intel.com>
+Date: Thu, 20 Feb 2020 14:11:43 -0800
+Subject: [PATCH] tctildr: remove the private implementation of strndup
+
+In fact the private implementation of strndup is only
+needed for windows.
+
+Fixes: #1633
+
+Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
+---
+ configure.ac            |  2 +-
+ src/tss2-tcti/tctildr.c | 37 +++++++++++++++++--------------------
+ 2 files changed, 18 insertions(+), 21 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index d7724805966b..aa4ffb1b78a1 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -45,7 +45,6 @@ case "${host_os}" in
+ esac
+ AC_SUBST([LIBSOCKET_LDFLAGS])
+ 
+-AC_CHECK_FUNCS([strndup])
+ AC_ARG_ENABLE([unit],
+             [AS_HELP_STRING([--enable-unit],
+                             [build cmocka unit tests])],,
+@@ -65,6 +64,7 @@ AC_ARG_ENABLE([esapi],
+ 
+ AM_CONDITIONAL(ESAPI, test "x$enable_esapi" = "xyes")
+ 
++AC_CHECK_FUNC([strndup],[],[AC_MSG_ERROR([strndup function not found])])
+ AC_ARG_ENABLE([tcti-device-async],
+     AS_HELP_STRING([--enable-tcti-device-async],
+ 	           [Enable asynchronus operation on TCTI device
+diff --git a/src/tss2-tcti/tctildr.c b/src/tss2-tcti/tctildr.c
+index a46b301b3ea7..92af1d3a787d 100644
+--- a/src/tss2-tcti/tctildr.c
++++ b/src/tss2-tcti/tctildr.c
+@@ -15,8 +15,25 @@
+ #include <linux/limits.h>
+ #elif defined(_MSC_VER)
+ #include <windows.h>
++#include <limits.h>
+ #ifndef PATH_MAX
+ #define PATH_MAX MAX_PATH
++
++static char *strndup(const char* s, size_t n)
++{
++    char *dst = NULL;
++
++    if (n + 1 >= USHRT_MAX)
++        return NULL;
++
++    dst = calloc(1, n + 1);
++
++    if (dst == NULL)
++        return NULL;
++
++    memcpy(dst, s, n);
++    return dst;
++}
+ #endif
+ #else
+ #include <limits.h>
+@@ -268,26 +285,6 @@ Tss2_TctiLdr_Finalize (TSS2_TCTI_CONTEXT **tctiContext)
+     *tctiContext = NULL;
+ }
+ 
+-#if !defined(HAVE_STRNDUP)
+-char*
+-strndup (const char* s,
+-         size_t n)
+-{
+-    char* dst = NULL;
+-
+-    if (n + 1 < n) {
+-        return NULL;
+-    }
+-    dst = calloc(1, n + 1);
+-    if (dst == NULL) {
+-        return NULL;
+-    }
+-    memcpy(dst, s, n);
+-
+-    return dst;
+-}
+-#endif /* HAVE_STRNDUP */
+-
+ TSS2_RC
+ copy_info (const TSS2_TCTI_INFO *info_src,
+            TSS2_TCTI_INFO *info_dst)
+-- 
+2.30.1
+

SPECS/tpm2-tss.spec

@@ -1,6 +1,6 @@
 Name:           tpm2-tss
 Version:        2.3.2
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        TPM2.0 Software Stack
 
 # The entire source code is under BSD except implementation.h and tpmb.h which
@@ -24,6 +24,8 @@ Patch10:        0001-esys-fix-keysize-of-ECC-curve-TPM2_ECC_NISTP224.patch
 Patch11:        0001-Esys_CreateLoaded-fix-resource-name-calculation.patch
 Patch12:        0001-sys-match-counter-variable-type-for-cmdAuthsArray-co.patch
 Patch13:        0001-Return-proper-error-code-on-memory-allocation-failur.patch
+Patch14:        0001-esys-fix-hmac-calculation-for-tpm2_clear-command.patch
+Patch15:        0001-tctildr-remove-the-private-implementation-of-strndup.patch
 
 %global udevrules_prefix 60-
 
@@ -36,6 +38,7 @@ BuildRequires:  pkgconfig
 BuildRequires:  systemd
 BuildRequires:  libgcrypt-devel
 BuildRequires:  openssl-devel
+Requires(pre):  shadow-utils
 
 %description
 tpm2-tss is a software stack supporting Trusted Platform Module(TPM) 2.0 system
@@ -116,6 +119,11 @@ use tpm2-tss.
 %postun -p /sbin/ldconfig
 
 %changelog
+* Tue Apr 20 2021 Jerry Snitselaar <jsnitsel@redhat.com> - 2.3.2-4
+- Fix hmac calculation for tpm2_clear command.
+- Remove private implementation of strndup.
+resolves: rhbz#1920825 rhbz#1940861
+
 * Mon Nov 16 2020 Jerry Snitselaar <jsnitsel@redhat.com> - 2.3.2-3
 - Add tss user if doesn't exist.
 - Update exported symbols map for libtss2-mu