import CS tpm2-tss-2.3.2-5.el8
This commit is contained in:
parent
d40ad5b5e6
commit
dd228c9f93
@ -0,0 +1,39 @@
|
|||||||
|
From 285667d640b8dd7d2d80e0c5d5fcc44f6abad442 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
|
||||||
|
Date: Mon, 27 Apr 2020 16:33:16 +0200
|
||||||
|
Subject: [PATCH 1/4] ESYS: Fix initialization of app data in Esys_Initialize
|
||||||
|
(Fixes #1704).
|
||||||
|
|
||||||
|
An unintended free of the tcti parameter in cleanup was possible.
|
||||||
|
|
||||||
|
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
|
||||||
|
---
|
||||||
|
src/tss2-esys/esys_context.c | 6 +++---
|
||||||
|
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/tss2-esys/esys_context.c b/src/tss2-esys/esys_context.c
|
||||||
|
index b912a688..150a3495 100644
|
||||||
|
--- a/src/tss2-esys/esys_context.c
|
||||||
|
+++ b/src/tss2-esys/esys_context.c
|
||||||
|
@@ -54,15 +54,15 @@ Esys_Initialize(ESYS_CONTEXT ** esys_context, TSS2_TCTI_CONTEXT * tcti,
|
||||||
|
*esys_context = calloc(1, sizeof(ESYS_CONTEXT));
|
||||||
|
return_if_null(*esys_context, "Out of memory.", TSS2_ESYS_RC_MEMORY);
|
||||||
|
|
||||||
|
+ /* Store the application provided tcti to be return on Esys_GetTcti(). */
|
||||||
|
+ (*esys_context)->tcti_app_param = tcti;
|
||||||
|
+
|
||||||
|
/* Allocate memory for the SYS context */
|
||||||
|
syssize = Tss2_Sys_GetContextSize(0);
|
||||||
|
(*esys_context)->sys = calloc(1, syssize);
|
||||||
|
goto_if_null((*esys_context)->sys, "Error: During malloc.",
|
||||||
|
TSS2_ESYS_RC_MEMORY, cleanup_return);
|
||||||
|
|
||||||
|
- /* Store the application provided tcti to be return on Esys_GetTcti(). */
|
||||||
|
- (*esys_context)->tcti_app_param = tcti;
|
||||||
|
-
|
||||||
|
/* If no tcti was provided, initialize the default one. */
|
||||||
|
if (tcti == NULL) {
|
||||||
|
r = Tss2_TctiLdr_Initialize (NULL, &tcti);
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
139
SOURCES/0001-tss2_rc-ensure-layer-number-is-in-bounds.patch
Normal file
139
SOURCES/0001-tss2_rc-ensure-layer-number-is-in-bounds.patch
Normal file
@ -0,0 +1,139 @@
|
|||||||
|
From 79f62668a31a2da938f83d534a49ad7f9bc144ca Mon Sep 17 00:00:00 2001
|
||||||
|
From: William Roberts <william.c.roberts@intel.com>
|
||||||
|
Date: Thu, 19 Jan 2023 11:53:06 -0600
|
||||||
|
Subject: [PATCH] tss2_rc: ensure layer number is in bounds
|
||||||
|
|
||||||
|
The layer handler array was defined as 255, the max number of uint8,
|
||||||
|
which is the size of the layer field, however valid values are 0-255
|
||||||
|
allowing for 256 possibilities and thus the array was off by one and
|
||||||
|
needed to be sized to 256 entries. Update the size and add tests.
|
||||||
|
|
||||||
|
Note: previous implementations incorrectly dropped bits on unknown error
|
||||||
|
output, ie TSS2_RC of 0xFFFFFF should yeild a string of 255:0xFFFFFF,
|
||||||
|
but earlier implementations returned 255:0xFFFF, dropping the middle
|
||||||
|
bits, this patch fixes that.
|
||||||
|
|
||||||
|
Fixes: CVE-2023-22745
|
||||||
|
|
||||||
|
Signed-off-by: William Roberts <william.c.roberts@intel.com>
|
||||||
|
---
|
||||||
|
src/tss2-rc/tss2_rc.c | 31 +++++++++++++++++++++----------
|
||||||
|
test/unit/test_tss2_rc.c | 21 ++++++++++++++++++++-
|
||||||
|
2 files changed, 41 insertions(+), 11 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/tss2-rc/tss2_rc.c b/src/tss2-rc/tss2_rc.c
|
||||||
|
index 93743048..0a64958f 100644
|
||||||
|
--- a/src/tss2-rc/tss2_rc.c
|
||||||
|
+++ b/src/tss2-rc/tss2_rc.c
|
||||||
|
@@ -1,5 +1,8 @@
|
||||||
|
/* SPDX-License-Identifier: BSD-2-Clause */
|
||||||
|
-
|
||||||
|
+#ifdef HAVE_CONFIG_H
|
||||||
|
+#include "config.h"
|
||||||
|
+#endif
|
||||||
|
+#include <assert.h>
|
||||||
|
#include <stdarg.h>
|
||||||
|
#include <stdbool.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
@@ -777,7 +780,7 @@ sys_err_handler (TSS2_RC rc)
|
||||||
|
static struct {
|
||||||
|
char name[TSS2_ERR_LAYER_NAME_MAX];
|
||||||
|
TSS2_RC_HANDLER handler;
|
||||||
|
-} layer_handler[TPM2_ERROR_TSS2_RC_LAYER_COUNT] = {
|
||||||
|
+} layer_handler[TPM2_ERROR_TSS2_RC_LAYER_COUNT + 1] = {
|
||||||
|
ADD_HANDLER("tpm" , tpm2_ehandler),
|
||||||
|
ADD_NULL_HANDLER, /* layer 1 is unused */
|
||||||
|
ADD_NULL_HANDLER, /* layer 2 is unused */
|
||||||
|
@@ -812,7 +815,7 @@ unknown_layer_handler(TSS2_RC rc)
|
||||||
|
static __thread char buf[32];
|
||||||
|
|
||||||
|
clearbuf(buf);
|
||||||
|
- catbuf(buf, "0x%X", tpm2_error_get(rc));
|
||||||
|
+ catbuf(buf, "0x%X", rc);
|
||||||
|
|
||||||
|
return buf;
|
||||||
|
}
|
||||||
|
@@ -909,19 +912,27 @@ Tss2_RC_Decode(TSS2_RC rc)
|
||||||
|
catbuf(buf, "%u:", layer);
|
||||||
|
}
|
||||||
|
|
||||||
|
- handler = !handler ? unknown_layer_handler : handler;
|
||||||
|
-
|
||||||
|
/*
|
||||||
|
* Handlers only need the error bits. This way they don't
|
||||||
|
* need to concern themselves with masking off the layer
|
||||||
|
* bits or anything else.
|
||||||
|
*/
|
||||||
|
- UINT16 err_bits = tpm2_error_get(rc);
|
||||||
|
- const char *e = err_bits ? handler(err_bits) : "success";
|
||||||
|
- if (e) {
|
||||||
|
- catbuf(buf, "%s", e);
|
||||||
|
+ if (handler) {
|
||||||
|
+ UINT16 err_bits = tpm2_error_get(rc);
|
||||||
|
+ const char *e = err_bits ? handler(err_bits) : "success";
|
||||||
|
+ if (e) {
|
||||||
|
+ catbuf(buf, "%s", e);
|
||||||
|
+ } else {
|
||||||
|
+ catbuf(buf, "0x%X", err_bits);
|
||||||
|
+ }
|
||||||
|
} else {
|
||||||
|
- catbuf(buf, "0x%X", err_bits);
|
||||||
|
+ /*
|
||||||
|
+ * we don't want to drop any bits if we don't know what to do with it
|
||||||
|
+ * so drop the layer byte since we we already have that.
|
||||||
|
+ */
|
||||||
|
+ const char *e = unknown_layer_handler(rc >> 8);
|
||||||
|
+ assert(e);
|
||||||
|
+ catbuf(buf, "%s", e);
|
||||||
|
}
|
||||||
|
|
||||||
|
return buf;
|
||||||
|
diff --git a/test/unit/test_tss2_rc.c b/test/unit/test_tss2_rc.c
|
||||||
|
index 1c8d66c9..9369beda 100644
|
||||||
|
--- a/test/unit/test_tss2_rc.c
|
||||||
|
+++ b/test/unit/test_tss2_rc.c
|
||||||
|
@@ -198,7 +198,7 @@ test_custom_handler(void **state)
|
||||||
|
* Test an unknown layer
|
||||||
|
*/
|
||||||
|
e = Tss2_RC_Decode(rc);
|
||||||
|
- assert_string_equal(e, "1:0x2A");
|
||||||
|
+ assert_string_equal(e, "1:0x100");
|
||||||
|
}
|
||||||
|
|
||||||
|
static void
|
||||||
|
@@ -281,6 +281,23 @@ test_tcti(void **state)
|
||||||
|
assert_string_equal(e, "tcti:Fails to connect to next lower layer");
|
||||||
|
}
|
||||||
|
|
||||||
|
+static void
|
||||||
|
+test_all_FFs(void **state)
|
||||||
|
+{
|
||||||
|
+ (void) state;
|
||||||
|
+
|
||||||
|
+ const char *e = Tss2_RC_Decode(0xFFFFFFFF);
|
||||||
|
+ assert_string_equal(e, "255:0xFFFFFF");
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void
|
||||||
|
+test_all_FFs_set_handler(void **state)
|
||||||
|
+{
|
||||||
|
+ (void) state;
|
||||||
|
+ Tss2_RC_SetHandler(0xFF, "garbage", custom_err_handler);
|
||||||
|
+ Tss2_RC_SetHandler(0xFF, NULL, NULL);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/* link required symbol, but tpm2_tool.c declares it AND main, which
|
||||||
|
* we have a main below for cmocka tests.
|
||||||
|
*/
|
||||||
|
@@ -312,6 +329,8 @@ main(int argc, char* argv[])
|
||||||
|
cmocka_unit_test(test_esys),
|
||||||
|
cmocka_unit_test(test_mu),
|
||||||
|
cmocka_unit_test(test_tcti),
|
||||||
|
+ cmocka_unit_test(test_all_FFs),
|
||||||
|
+ cmocka_unit_test(test_all_FFs_set_handler)
|
||||||
|
};
|
||||||
|
|
||||||
|
return cmocka_run_group_tests(tests, NULL, NULL);
|
||||||
|
--
|
||||||
|
2.40.1
|
||||||
|
|
@ -0,0 +1,31 @@
|
|||||||
|
From b94392537a1ed43918483a2bfa8a90e5fd05354d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Stefan Thom <mail@LordOfDorks.com>
|
||||||
|
Date: Fri, 5 Jun 2020 12:11:39 -0700
|
||||||
|
Subject: [PATCH 2/4] esys: Shared secret calculation is not spec compliant.
|
||||||
|
|
||||||
|
Refer to specification part 1 Architecture, Section 20.1 AuditSession
|
||||||
|
Introduction: If the session was bound when created (see 19.6.10 and
|
||||||
|
19.6.12), the bind value is lost and any further use of the session for
|
||||||
|
authorization will require that the authValue be used in the HMAC.
|
||||||
|
|
||||||
|
Signed-off-by: Stefan Thom <mail@LordOfDorks.com>
|
||||||
|
---
|
||||||
|
src/tss2-esys/esys_tr.c | 2 ++
|
||||||
|
1 file changed, 2 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/tss2-esys/esys_tr.c b/src/tss2-esys/esys_tr.c
|
||||||
|
index c9ea537a..d14c7d35 100644
|
||||||
|
--- a/src/tss2-esys/esys_tr.c
|
||||||
|
+++ b/src/tss2-esys/esys_tr.c
|
||||||
|
@@ -511,6 +511,8 @@ Esys_TRSess_SetAttributes(ESYS_CONTEXT * esys_context, ESYS_TR esys_handle,
|
||||||
|
esys_object->rsrc.misc.rsrc_session.sessionAttributes =
|
||||||
|
(esys_object->rsrc.misc.rsrc_session.
|
||||||
|
sessionAttributes & ~mask) | (flags & mask);
|
||||||
|
+ if (esys_object->rsrc.misc.rsrc_session.sessionAttributes & TPMA_SESSION_AUDIT)
|
||||||
|
+ esys_object->rsrc.misc.rsrc_session.bound_entity.size = 0;
|
||||||
|
return TSS2_RC_SUCCESS;
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
@ -0,0 +1,45 @@
|
|||||||
|
From 7a56b84b5990b07efd30b5bf79331c74d28df954 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Imran Desai <imran.desai@intel.com>
|
||||||
|
Date: Mon, 22 Mar 2021 16:43:36 -0700
|
||||||
|
Subject: [PATCH 3/4] esys_iutil.c: Fix issue where nonceTPM was included twice
|
||||||
|
in hmac
|
||||||
|
|
||||||
|
Fixes #2037
|
||||||
|
|
||||||
|
TPM2.0 Architecture 19.6.5 Note 7
|
||||||
|
|
||||||
|
If the same session (not the first session) is used for decrypt and
|
||||||
|
encrypt, its nonceTPM is only used once. If different sessions are
|
||||||
|
used for decrypt and encrypt, both nonceTPMs are included.
|
||||||
|
|
||||||
|
Signed-off-by: Imran Desai <imran.desai@intel.com>
|
||||||
|
---
|
||||||
|
src/tss2-esys/esys_iutil.c | 12 ++++++++++++
|
||||||
|
1 file changed, 12 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/tss2-esys/esys_iutil.c b/src/tss2-esys/esys_iutil.c
|
||||||
|
index 08a9b7df..1910c570 100644
|
||||||
|
--- a/src/tss2-esys/esys_iutil.c
|
||||||
|
+++ b/src/tss2-esys/esys_iutil.c
|
||||||
|
@@ -1265,6 +1265,18 @@ iesys_gen_auths(ESYS_CONTEXT * esys_context,
|
||||||
|
&encryptNonce);
|
||||||
|
return_if_error(r, "More than one crypt session");
|
||||||
|
|
||||||
|
+ /*
|
||||||
|
+ * TPM2.0 Architecture 19.6.5 Note 7
|
||||||
|
+ *
|
||||||
|
+ * If the same session (not the first session) is used for decrypt and
|
||||||
|
+ * encrypt, its nonceTPM is only used once. If different sessions are used
|
||||||
|
+ * for decrypt and encrypt, both nonceTPMs are included
|
||||||
|
+ */
|
||||||
|
+ if (decryptNonceIdx && (decryptNonceIdx == encryptNonceIdx)) {
|
||||||
|
+ decryptNonceIdx = 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+
|
||||||
|
/* Compute cp hash values for command buffer for all used algorithms */
|
||||||
|
|
||||||
|
r = iesys_compute_cp_hashtab(esys_context,
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
@ -0,0 +1,42 @@
|
|||||||
|
From 3a540d570d265c80dca31bfec23d267cdfa1c294 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
|
||||||
|
Date: Mon, 12 Jul 2021 10:52:53 +0200
|
||||||
|
Subject: [PATCH 4/4] ESYS: Fix buffer overflow in xor parameter obfuscation.
|
||||||
|
|
||||||
|
If trace is activated LOGBLOB_TRACE is called with a wrong pointer to display
|
||||||
|
the obfuscated data. Fixes #2115.
|
||||||
|
|
||||||
|
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
|
||||||
|
---
|
||||||
|
src/tss2-esys/esys_crypto.c | 5 +++--
|
||||||
|
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/tss2-esys/esys_crypto.c b/src/tss2-esys/esys_crypto.c
|
||||||
|
index aef3e50b..a2b7b937 100644
|
||||||
|
--- a/src/tss2-esys/esys_crypto.c
|
||||||
|
+++ b/src/tss2-esys/esys_crypto.c
|
||||||
|
@@ -499,6 +499,7 @@ iesys_xor_parameter_obfuscation(TPM2_ALG_ID hash_alg,
|
||||||
|
size_t data_size_bits = data_size * 8;
|
||||||
|
size_t rest_size = data_size;
|
||||||
|
BYTE *kdfa_byte_ptr;
|
||||||
|
+ BYTE *data_start = data;
|
||||||
|
|
||||||
|
if (key == NULL || data == NULL) {
|
||||||
|
LOG_ERROR("Bad reference");
|
||||||
|
@@ -514,11 +515,11 @@ iesys_xor_parameter_obfuscation(TPM2_ALG_ID hash_alg,
|
||||||
|
return_if_error(r, "iesys_crypto_KDFa failed");
|
||||||
|
/* XOR next data sub block with KDFa result */
|
||||||
|
kdfa_byte_ptr = kdfa_result;
|
||||||
|
- LOGBLOB_TRACE(data, data_size, "Parameter data before XOR");
|
||||||
|
+ LOGBLOB_TRACE(data_start, data_size, "Parameter data before XOR");
|
||||||
|
for(size_t i = digest_size < rest_size ? digest_size : rest_size; i > 0;
|
||||||
|
i--)
|
||||||
|
*data++ ^= *kdfa_byte_ptr++;
|
||||||
|
- LOGBLOB_TRACE(data, data_size, "Parameter data after XOR");
|
||||||
|
+ LOGBLOB_TRACE(data_start, data_size, "Parameter data after XOR");
|
||||||
|
rest_size = rest_size < digest_size ? 0 : rest_size - digest_size;
|
||||||
|
}
|
||||||
|
return TSS2_RC_SUCCESS;
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
@ -1,6 +1,6 @@
|
|||||||
Name: tpm2-tss
|
Name: tpm2-tss
|
||||||
Version: 2.3.2
|
Version: 2.3.2
|
||||||
Release: 4%{?dist}
|
Release: 5%{?dist}
|
||||||
Summary: TPM2.0 Software Stack
|
Summary: TPM2.0 Software Stack
|
||||||
|
|
||||||
# The entire source code is under BSD except implementation.h and tpmb.h which
|
# The entire source code is under BSD except implementation.h and tpmb.h which
|
||||||
@ -26,6 +26,11 @@ Patch12: 0001-sys-match-counter-variable-type-for-cmdAuthsArray-co.patch
|
|||||||
Patch13: 0001-Return-proper-error-code-on-memory-allocation-failur.patch
|
Patch13: 0001-Return-proper-error-code-on-memory-allocation-failur.patch
|
||||||
Patch14: 0001-esys-fix-hmac-calculation-for-tpm2_clear-command.patch
|
Patch14: 0001-esys-fix-hmac-calculation-for-tpm2_clear-command.patch
|
||||||
Patch15: 0001-tctildr-remove-the-private-implementation-of-strndup.patch
|
Patch15: 0001-tctildr-remove-the-private-implementation-of-strndup.patch
|
||||||
|
Patch16: 0001-tss2_rc-ensure-layer-number-is-in-bounds.patch
|
||||||
|
Patch17: 0001-ESYS-Fix-initialization-of-app-data-in-Esys_Initiali.patch
|
||||||
|
Patch18: 0002-esys-Shared-secret-calculation-is-not-spec-compliant.patch
|
||||||
|
Patch19: 0003-esys_iutil.c-Fix-issue-where-nonceTPM-was-included-t.patch
|
||||||
|
Patch20: 0004-ESYS-Fix-buffer-overflow-in-xor-parameter-obfuscatio.patch
|
||||||
|
|
||||||
%global udevrules_prefix 60-
|
%global udevrules_prefix 60-
|
||||||
|
|
||||||
@ -119,6 +124,11 @@ use tpm2-tss.
|
|||||||
%postun -p /sbin/ldconfig
|
%postun -p /sbin/ldconfig
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Jun 7 2023 Štěpán Horáček <shoracek@redhat.com> - 2.3.2-5
|
||||||
|
- Ensure layer number is in bounds
|
||||||
|
Resolves: rhbz#2160302
|
||||||
|
Resolves: rhbz#2162611
|
||||||
|
|
||||||
* Tue Apr 20 2021 Jerry Snitselaar <jsnitsel@redhat.com> - 2.3.2-4
|
* Tue Apr 20 2021 Jerry Snitselaar <jsnitsel@redhat.com> - 2.3.2-4
|
||||||
- Fix hmac calculation for tpm2_clear command.
|
- Fix hmac calculation for tpm2_clear command.
|
||||||
- Remove private implementation of strndup.
|
- Remove private implementation of strndup.
|
||||||
|
Loading…
Reference in New Issue
Block a user