8 changed files with 456 additions and 3 deletions
--- a/SOURCES/0001-ESYS-Fix-initialization-of-app-data-in-Esys_Initiali.patch
+++ b/SOURCES/0001-ESYS-Fix-initialization-of-app-data-in-Esys_Initiali.patch
@ -0,0 +1,39 @@
 From 285667d640b8dd7d2d80e0c5d5fcc44f6abad442 Mon Sep 17 00:00:00 2001
 From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
 Date: Mon, 27 Apr 2020 16:33:16 +0200
 Subject: [PATCH 1/4] ESYS: Fix initialization of app data in Esys_Initialize
 (Fixes #1704).
 An unintended free of the tcti parameter in cleanup was possible.
 Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
 ---
 src/tss2-esys/esys_context.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 diff --git a/src/tss2-esys/esys_context.c b/src/tss2-esys/esys_context.c
 index b912a688..150a3495 100644
 --- a/src/tss2-esys/esys_context.c
 +++ b/src/tss2-esys/esys_context.c
@@ -54,15 +54,15 @@ Esys_Initialize(ESYS_CONTEXT ** esys_context, TSS2_TCTI_CONTEXT * tcti,
     *esys_context = calloc(1, sizeof(ESYS_CONTEXT));
     return_if_null(*esys_context, "Out of memory.", TSS2_ESYS_RC_MEMORY);
 +    /* Store the application provided tcti to be return on Esys_GetTcti(). */
 +    (*esys_context)->tcti_app_param = tcti;
 +
     /* Allocate memory for the SYS context */
     syssize = Tss2_Sys_GetContextSize(0);
     (*esys_context)->sys = calloc(1, syssize);
     goto_if_null((*esys_context)->sys, "Error: During malloc.",
                  TSS2_ESYS_RC_MEMORY, cleanup_return);
 -    /* Store the application provided tcti to be return on Esys_GetTcti(). */
 -    (*esys_context)->tcti_app_param = tcti;
 -
     /* If no tcti was provided, initialize the default one. */
     if (tcti == NULL) {
         r = Tss2_TctiLdr_Initialize (NULL, &tcti);
 -- 
 2.41.0
--- a/SOURCES/0001-esys-fix-hmac-calculation-for-tpm2_clear-command.patch
+++ b/SOURCES/0001-esys-fix-hmac-calculation-for-tpm2_clear-command.patch
@ -0,0 +1,39 @@
 From 3d3808c3eb02c27f1b114baddd03960892044909 Mon Sep 17 00:00:00 2001
 From: Tadeusz Struk <tadeusz.struk@intel.com>
 Date: Mon, 2 Mar 2020 14:45:52 -0800
 Subject: [PATCH] esys: fix hmac calculation for tpm2_clear command
 After tpm2_clear command is executed it sets all ownerAuth,
 endorsementAuth, and lockoutAuth to the Empty Buffer and then
 this is used for a response auth calculation.
 This requires to recalculate the esys session auth value after
 tpm2_clear is executed or the calculated response HMAC value
 will be invalid and the command will fail with
 err: 0x0007001b "Authorizing the TPM response failed"
 Fixes: #1641
 Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
 ---
 src/tss2-esys/api/Esys_Clear.c | 5 +++++
 1 file changed, 5 insertions(+)
 diff --git a/src/tss2-esys/api/Esys_Clear.c b/src/tss2-esys/api/Esys_Clear.c
 index f5c0b827425a..0f43f7e9b85f 100644
 --- a/src/tss2-esys/api/Esys_Clear.c
 +++ b/src/tss2-esys/api/Esys_Clear.c
@@ -199,6 +199,11 @@ Esys_Clear_Async(
     return_state_if_error(r, _ESYS_STATE_INTERNALERROR,
                           "Finish (Execute Async)");
 +    /* If the command authorization is LOCKOUT we need to
 +     * recompute session value with an empty auth */
 +    if (authHandle == ESYS_TR_RH_LOCKOUT)
 +        iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL);
 +
     esysContext->state = _ESYS_STATE_SENT;
     return r;
 -- 
 2.30.1
--- a/SOURCES/0001-tctildr-remove-the-private-implementation-of-strndup.patch
+++ b/SOURCES/0001-tctildr-remove-the-private-implementation-of-strndup.patch
@ -0,0 +1,96 @@
 From 464da22b71e26421f55d4e8abc14711f89c89a28 Mon Sep 17 00:00:00 2001
 From: Tadeusz Struk <tadeusz.struk@intel.com>
 Date: Thu, 20 Feb 2020 14:11:43 -0800
 Subject: [PATCH] tctildr: remove the private implementation of strndup
 In fact the private implementation of strndup is only
 needed for windows.
 Fixes: #1633
 Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
 ---
 configure.ac            |  2 +-
 src/tss2-tcti/tctildr.c | 37 +++++++++++++++++--------------------
 2 files changed, 18 insertions(+), 21 deletions(-)
 diff --git a/configure.ac b/configure.ac
 index d7724805966b..aa4ffb1b78a1 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -45,7 +45,6 @@ case "${host_os}" in
 esac
 AC_SUBST([LIBSOCKET_LDFLAGS])
 -AC_CHECK_FUNCS([strndup])
 AC_ARG_ENABLE([unit],
             [AS_HELP_STRING([--enable-unit],
                             [build cmocka unit tests])],,
@@ -65,6 +64,7 @@ AC_ARG_ENABLE([esapi],
 AM_CONDITIONAL(ESAPI, test "x$enable_esapi" = "xyes")
 +AC_CHECK_FUNC([strndup],[],[AC_MSG_ERROR([strndup function not found])])
 AC_ARG_ENABLE([tcti-device-async],
     AS_HELP_STRING([--enable-tcti-device-async],
 	           [Enable asynchronus operation on TCTI device
 diff --git a/src/tss2-tcti/tctildr.c b/src/tss2-tcti/tctildr.c
 index a46b301b3ea7..92af1d3a787d 100644
 --- a/src/tss2-tcti/tctildr.c
 +++ b/src/tss2-tcti/tctildr.c
@@ -15,8 +15,25 @@
 #include <linux/limits.h>
 #elif defined(_MSC_VER)
 #include <windows.h>
 +#include <limits.h>
 #ifndef PATH_MAX
 #define PATH_MAX MAX_PATH
 +
 +static char *strndup(const char* s, size_t n)
 +{
 +    char *dst = NULL;
 +
 +    if (n + 1 >= USHRT_MAX)
 +        return NULL;
 +
 +    dst = calloc(1, n + 1);
 +
 +    if (dst == NULL)
 +        return NULL;
 +
 +    memcpy(dst, s, n);
 +    return dst;
 +}
 #endif
 #else
 #include <limits.h>
@@ -268,26 +285,6 @@ Tss2_TctiLdr_Finalize (TSS2_TCTI_CONTEXT **tctiContext)
     *tctiContext = NULL;
 }
 -#if !defined(HAVE_STRNDUP)
 -char*
 -strndup (const char* s,
 -         size_t n)
 -{
 -    char* dst = NULL;
 -
 -    if (n + 1 < n) {
 -        return NULL;
 -    }
 -    dst = calloc(1, n + 1);
 -    if (dst == NULL) {
 -        return NULL;
 -    }
 -    memcpy(dst, s, n);
 -
 -    return dst;
 -}
 -#endif /* HAVE_STRNDUP */
 -
 TSS2_RC
 copy_info (const TSS2_TCTI_INFO *info_src,
            TSS2_TCTI_INFO *info_dst)
 -- 
 2.30.1
--- a/SOURCES/0001-tss2_rc-ensure-layer-number-is-in-bounds.patch
+++ b/SOURCES/0001-tss2_rc-ensure-layer-number-is-in-bounds.patch
@ -0,0 +1,139 @@
 From 79f62668a31a2da938f83d534a49ad7f9bc144ca Mon Sep 17 00:00:00 2001
 From: William Roberts <william.c.roberts@intel.com>
 Date: Thu, 19 Jan 2023 11:53:06 -0600
 Subject: [PATCH] tss2_rc: ensure layer number is in bounds
 The layer handler array was defined as 255, the max number of uint8,
 which is the size of the layer field, however valid values are 0-255
 allowing for 256 possibilities and thus the array was off by one and
 needed to be sized to 256 entries. Update the size and add tests.
 Note: previous implementations incorrectly dropped bits on unknown error
 output, ie TSS2_RC of 0xFFFFFF should yeild a string of 255:0xFFFFFF,
 but earlier implementations returned 255:0xFFFF, dropping the middle
 bits, this patch fixes that.
 Fixes: CVE-2023-22745
 Signed-off-by: William Roberts <william.c.roberts@intel.com>
 ---
 src/tss2-rc/tss2_rc.c    | 31 +++++++++++++++++++++----------
 test/unit/test_tss2_rc.c | 21 ++++++++++++++++++++-
 2 files changed, 41 insertions(+), 11 deletions(-)
 diff --git a/src/tss2-rc/tss2_rc.c b/src/tss2-rc/tss2_rc.c
 index 93743048..0a64958f 100644
 --- a/src/tss2-rc/tss2_rc.c
 +++ b/src/tss2-rc/tss2_rc.c
@@ -1,5 +1,8 @@
 /* SPDX-License-Identifier: BSD-2-Clause */
 -
 +#ifdef HAVE_CONFIG_H
 +#include "config.h"
 +#endif
 +#include <assert.h>
 #include <stdarg.h>
 #include <stdbool.h>
 #include <stdio.h>
@@ -777,7 +780,7 @@ sys_err_handler (TSS2_RC rc)
 static struct {
     char name[TSS2_ERR_LAYER_NAME_MAX];
     TSS2_RC_HANDLER handler;
 -} layer_handler[TPM2_ERROR_TSS2_RC_LAYER_COUNT] = {
 +} layer_handler[TPM2_ERROR_TSS2_RC_LAYER_COUNT + 1] = {
     ADD_HANDLER("tpm" , tpm2_ehandler),
     ADD_NULL_HANDLER,                       /* layer 1  is unused */
     ADD_NULL_HANDLER,                       /* layer 2  is unused */
@@ -812,7 +815,7 @@ unknown_layer_handler(TSS2_RC rc)
     static __thread char buf[32];
     clearbuf(buf);
 -    catbuf(buf, "0x%X", tpm2_error_get(rc));
 +    catbuf(buf, "0x%X", rc);
     return buf;
 }
@@ -909,19 +912,27 @@ Tss2_RC_Decode(TSS2_RC rc)
         catbuf(buf, "%u:", layer);
     }
 -    handler = !handler ? unknown_layer_handler : handler;
 -
     /*
      * Handlers only need the error bits. This way they don't
      * need to concern themselves with masking off the layer
      * bits or anything else.
      */
 -    UINT16 err_bits = tpm2_error_get(rc);
 -    const char *e = err_bits ? handler(err_bits) : "success";
 -    if (e) {
 -        catbuf(buf, "%s", e);
 +    if (handler) {
 +        UINT16 err_bits = tpm2_error_get(rc);
 +        const char *e = err_bits ? handler(err_bits) : "success";
 +        if (e) {
 +            catbuf(buf, "%s", e);
 +        } else {
 +            catbuf(buf, "0x%X", err_bits);
 +        }
     } else {
 -        catbuf(buf, "0x%X", err_bits);
 +        /*
 +         * we don't want to drop any bits if we don't know what to do with it
 +         * so drop the layer byte since we we already have that.
 +         */
 +        const char *e = unknown_layer_handler(rc >> 8);
 +        assert(e);
 +        catbuf(buf, "%s", e);
     }
     return buf;
 diff --git a/test/unit/test_tss2_rc.c b/test/unit/test_tss2_rc.c
 index 1c8d66c9..9369beda 100644
 --- a/test/unit/test_tss2_rc.c
 +++ b/test/unit/test_tss2_rc.c
@@ -198,7 +198,7 @@ test_custom_handler(void **state)
      * Test an unknown layer
      */
     e = Tss2_RC_Decode(rc);
 -    assert_string_equal(e, "1:0x2A");
 +    assert_string_equal(e, "1:0x100");
 }
 static void
@@ -281,6 +281,23 @@ test_tcti(void **state)
     assert_string_equal(e, "tcti:Fails to connect to next lower layer");
 }
 +static void
 +test_all_FFs(void **state)
 +{
 +    (void) state;
 +
 +    const char *e = Tss2_RC_Decode(0xFFFFFFFF);
 +    assert_string_equal(e, "255:0xFFFFFF");
 +}
 +
 +static void
 +test_all_FFs_set_handler(void **state)
 +{
 +    (void) state;
 +    Tss2_RC_SetHandler(0xFF, "garbage", custom_err_handler);
 +    Tss2_RC_SetHandler(0xFF, NULL, NULL);
 +}
 +
 /* link required symbol, but tpm2_tool.c declares it AND main, which
  * we have a main below for cmocka tests.
  */
@@ -312,6 +329,8 @@ main(int argc, char* argv[])
             cmocka_unit_test(test_esys),
             cmocka_unit_test(test_mu),
             cmocka_unit_test(test_tcti),
 +            cmocka_unit_test(test_all_FFs),
 +            cmocka_unit_test(test_all_FFs_set_handler)
     };
     return cmocka_run_group_tests(tests, NULL, NULL);
 -- 
 2.40.1
--- a/SOURCES/0002-esys-Shared-secret-calculation-is-not-spec-compliant.patch
+++ b/SOURCES/0002-esys-Shared-secret-calculation-is-not-spec-compliant.patch
@ -0,0 +1,31 @@
 From b94392537a1ed43918483a2bfa8a90e5fd05354d Mon Sep 17 00:00:00 2001
 From: Stefan Thom <mail@LordOfDorks.com>
 Date: Fri, 5 Jun 2020 12:11:39 -0700
 Subject: [PATCH 2/4] esys: Shared secret calculation is not spec compliant.
 Refer to specification part 1 Architecture, Section 20.1 AuditSession
 Introduction: If the session was bound when created (see 19.6.10 and
 19.6.12), the bind value is lost and any further use of the session for
 authorization will require that the authValue be used in the HMAC.
 Signed-off-by: Stefan Thom <mail@LordOfDorks.com>
 ---
 src/tss2-esys/esys_tr.c | 2 ++
 1 file changed, 2 insertions(+)
 diff --git a/src/tss2-esys/esys_tr.c b/src/tss2-esys/esys_tr.c
 index c9ea537a..d14c7d35 100644
 --- a/src/tss2-esys/esys_tr.c
 +++ b/src/tss2-esys/esys_tr.c
@@ -511,6 +511,8 @@ Esys_TRSess_SetAttributes(ESYS_CONTEXT * esys_context, ESYS_TR esys_handle,
     esys_object->rsrc.misc.rsrc_session.sessionAttributes =
         (esys_object->rsrc.misc.rsrc_session.
          sessionAttributes & ~mask) | (flags & mask);
 +    if (esys_object->rsrc.misc.rsrc_session.sessionAttributes & TPMA_SESSION_AUDIT)
 +        esys_object->rsrc.misc.rsrc_session.bound_entity.size = 0;
     return TSS2_RC_SUCCESS;
 }
 -- 
 2.41.0
--- a/SOURCES/0003-esys_iutil.c-Fix-issue-where-nonceTPM-was-included-t.patch
+++ b/SOURCES/0003-esys_iutil.c-Fix-issue-where-nonceTPM-was-included-t.patch
@ -0,0 +1,45 @@
 From 7a56b84b5990b07efd30b5bf79331c74d28df954 Mon Sep 17 00:00:00 2001
 From: Imran Desai <imran.desai@intel.com>
 Date: Mon, 22 Mar 2021 16:43:36 -0700
 Subject: [PATCH 3/4] esys_iutil.c: Fix issue where nonceTPM was included twice
 in hmac
 Fixes #2037
 TPM2.0 Architecture 19.6.5 Note 7
 If the same session (not the first session) is used for decrypt and
 encrypt, its nonceTPM is only used once. If different sessions are
 used for decrypt and encrypt, both nonceTPMs are included.
 Signed-off-by: Imran Desai <imran.desai@intel.com>
 ---
 src/tss2-esys/esys_iutil.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 diff --git a/src/tss2-esys/esys_iutil.c b/src/tss2-esys/esys_iutil.c
 index 08a9b7df..1910c570 100644
 --- a/src/tss2-esys/esys_iutil.c
 +++ b/src/tss2-esys/esys_iutil.c
@@ -1265,6 +1265,18 @@ iesys_gen_auths(ESYS_CONTEXT * esys_context,
                                     &encryptNonce);
     return_if_error(r, "More than one crypt session");
 +    /*
 +     * TPM2.0 Architecture 19.6.5 Note 7
 +     *
 +     * If the same session (not the first session) is used for decrypt and
 +     * encrypt, its nonceTPM is only used once. If different sessions are used
 +     * for decrypt and encrypt, both nonceTPMs are included
 +     */
 +    if (decryptNonceIdx && (decryptNonceIdx == encryptNonceIdx)) {
 +        decryptNonceIdx = 0;
 +    }
 +
 +
     /* Compute cp hash values for command buffer for all used algorithms */
     r = iesys_compute_cp_hashtab(esys_context,
 -- 
 2.41.0
--- a/SOURCES/0004-ESYS-Fix-buffer-overflow-in-xor-parameter-obfuscatio.patch
+++ b/SOURCES/0004-ESYS-Fix-buffer-overflow-in-xor-parameter-obfuscatio.patch
@ -0,0 +1,42 @@
 From 3a540d570d265c80dca31bfec23d267cdfa1c294 Mon Sep 17 00:00:00 2001
 From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
 Date: Mon, 12 Jul 2021 10:52:53 +0200
 Subject: [PATCH 4/4] ESYS: Fix buffer overflow in xor parameter obfuscation.
 If trace is activated LOGBLOB_TRACE is called with a wrong pointer to display
 the obfuscated data. Fixes #2115.
 Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
 ---
 src/tss2-esys/esys_crypto.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
 diff --git a/src/tss2-esys/esys_crypto.c b/src/tss2-esys/esys_crypto.c
 index aef3e50b..a2b7b937 100644
 --- a/src/tss2-esys/esys_crypto.c
 +++ b/src/tss2-esys/esys_crypto.c
@@ -499,6 +499,7 @@ iesys_xor_parameter_obfuscation(TPM2_ALG_ID hash_alg,
     size_t data_size_bits = data_size * 8;
     size_t rest_size = data_size;
     BYTE *kdfa_byte_ptr;
 +    BYTE *data_start = data;
     if (key == NULL || data == NULL) {
         LOG_ERROR("Bad reference");
@@ -514,11 +515,11 @@ iesys_xor_parameter_obfuscation(TPM2_ALG_ID hash_alg,
         return_if_error(r, "iesys_crypto_KDFa failed");
         /* XOR next data sub block with KDFa result  */
         kdfa_byte_ptr = kdfa_result;
 -        LOGBLOB_TRACE(data, data_size, "Parameter data before XOR");
 +        LOGBLOB_TRACE(data_start, data_size, "Parameter data before XOR");
         for(size_t i = digest_size < rest_size ? digest_size : rest_size; i > 0;
             i--)
             *data++ ^= *kdfa_byte_ptr++;
 -        LOGBLOB_TRACE(data, data_size, "Parameter data after XOR");
 +        LOGBLOB_TRACE(data_start, data_size, "Parameter data after XOR");
         rest_size = rest_size < digest_size ? 0 : rest_size - digest_size;
     }
     return TSS2_RC_SUCCESS;
 -- 
 2.41.0
--- a/SPECS/tpm2-tss.spec
+++ b/SPECS/tpm2-tss.spec
@ -1,6 +1,6 @@
 Name:           tpm2-tss
 Version:        2.3.2
-Release:        3%{?dist}
+Release:        6%{?dist}
 Summary:        TPM2.0 Software Stack
 # The entire source code is under BSD except implementation.h and tpmb.h which
@ -24,6 +24,13 @@ Patch10:        0001-esys-fix-keysize-of-ECC-curve-TPM2_ECC_NISTP224.patch
 Patch11:        0001-Esys_CreateLoaded-fix-resource-name-calculation.patch
 Patch12:        0001-sys-match-counter-variable-type-for-cmdAuthsArray-co.patch
 Patch13:        0001-Return-proper-error-code-on-memory-allocation-failur.patch
 Patch14:        0001-esys-fix-hmac-calculation-for-tpm2_clear-command.patch
 Patch15:        0001-tctildr-remove-the-private-implementation-of-strndup.patch
 Patch16:        0001-tss2_rc-ensure-layer-number-is-in-bounds.patch
 Patch17:        0001-ESYS-Fix-initialization-of-app-data-in-Esys_Initiali.patch
 Patch18:        0002-esys-Shared-secret-calculation-is-not-spec-compliant.patch
 Patch19:        0003-esys_iutil.c-Fix-issue-where-nonceTPM-was-included-t.patch
 Patch20:        0004-ESYS-Fix-buffer-overflow-in-xor-parameter-obfuscatio.patch
 %global udevrules_prefix 60-
@ -36,6 +43,7 @@ BuildRequires:  pkgconfig
 BuildRequires:  systemd
 BuildRequires:  libgcrypt-devel
 BuildRequires:  openssl-devel
 Requires(pre):  shadow-utils
 %description
 tpm2-tss is a software stack supporting Trusted Platform Module(TPM) 2.0 system
@ -63,9 +71,9 @@ find %{buildroot}%{_libdir} -type f -name \*.la -delete
 getent group tss >/dev/null || groupadd -f -g 59 -r tss
 if ! getent passwd tss >/dev/null ; then
    if ! getent passwd 59 >/dev/null ; then
-      useradd -r -u 59 -g tss -d /dev/null -s /sbin/nologin -c "Account used for TPM access" tss
+      useradd -r -u 59 -g tss -d / -s /sbin/nologin -c "Account used for TPM access" tss
    else
-      useradd -r -g tss -d /dev/null -s /sbin/nologin -c "Account used for TPM access" tss
+      useradd -r -g tss -d / -s /sbin/nologin -c "Account used for TPM access" tss
    fi
 fi
 exit 0
@ -116,6 +124,20 @@ use tpm2-tss.
 %postun -p /sbin/ldconfig
 %changelog
 * Wed Oct 18 2023 Štěpán Horáček <shoracek@redhat.com> - 2.3.2-6
 - Fix home directory of the tss user
  Related: RHEL-14439
 * Wed Jun 7 2023 Štěpán Horáček <shoracek@redhat.com> - 2.3.2-5
 - Ensure layer number is in bounds
  Resolves: rhbz#2160302
  Resolves: rhbz#2162611 
 * Tue Apr 20 2021 Jerry Snitselaar <jsnitsel@redhat.com> - 2.3.2-4
 - Fix hmac calculation for tpm2_clear command.
 - Remove private implementation of strndup.
 resolves: rhbz#1920825 rhbz#1940861
 * Mon Nov 16 2020 Jerry Snitselaar <jsnitsel@redhat.com> - 2.3.2-3
 - Add tss user if doesn't exist.
 - Update exported symbols map for libtss2-mu