diff --git a/SOURCES/0001-lib-files-fix-an-error-message-in-files_load_-name.patch b/SOURCES/0001-lib-files-fix-an-error-message-in-files_load_-name.patch
new file mode 100644
index 0000000..0e0ccb2
--- /dev/null
+++ b/SOURCES/0001-lib-files-fix-an-error-message-in-files_load_-name.patch
@@ -0,0 +1,26 @@
+From 012249ad9d06d7534a94690a33638691f5104839 Mon Sep 17 00:00:00 2001
+From: Radoslav Gerganov
+Date: Wed, 26 Feb 2020 10:40:26 +0200
+Subject: [PATCH] lib/files: fix an error message in files_load_##name
+
+Signed-off-by: Radoslav Gerganov
+---
+ lib/files.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/files.c b/lib/files.c
+index a6beea5b8ff2..ef2170b079e1 100644
+--- a/lib/files.c
++++ b/lib/files.c
+@@ -687,7 +687,7 @@ tool_rc files_save_ESYS_TR(ESYS_CONTEXT *ectx, ESYS_TR handle, const char *path)
+ size_t offset = 0; \
+ TSS2_RC rc = Tss2_MU_##type##_Unmarshal(buffer, size, &offset, name); \
+ if (rc != TSS2_RC_SUCCESS) { \
+- LOG_ERR("Error serializing "str(name)" structure: 0x%x", rc); \
++ LOG_ERR("Error deserializing "str(name)" structure: 0x%x", rc); \
+ LOG_ERR("The input file needs to be a valid "xstr(type)" data structure"); \
+ return false; \
+ } \
+-- 
+2.31.0
+
diff --git a/SOURCES/0001-lib-files.c-Fix-an-issue-where-execution-could-not-r.patch b/SOURCES/0001-lib-files.c-Fix-an-issue-where-execution-could-not-r.patch
new file mode 100644
index 0000000..2039f11
--- /dev/null
+++ b/SOURCES/0001-lib-files.c-Fix-an-issue-where-execution-could-not-r.patch
@@ -0,0 +1,42 @@
+From a20415d6f1d3fa09300ff1181646fe7e1785fd15 Mon Sep 17 00:00:00 2001
+From: Imran Desai
+Date: Sun, 29 Mar 2020 10:14:28 -0700
+Subject: [PATCH] lib/files.c: Fix an issue where execution could not reach
+ function return
+
+Signed-off-by: Imran Desai
+---
+ lib/files.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/lib/files.c b/lib/files.c
+index ef2170b079e1..501f88d11b48 100644
+--- a/lib/files.c
++++ b/lib/files.c
+@@ -607,9 +607,7 @@ bool files_load_bytes_from_buffer_or_file_or_stdin(const char *input_buffer,
+ return true;
+ }
+
+-// printf("Reading file: %s\n", path);
+-// printf("size: %u\n", *size);
+-
++ bool retval = true;
+ /* Read from stdin */
+ if (!input_buffer && !path) {
+ UINT16 read_bytes = 0;
+@@ -640,10 +638,10 @@ bool files_load_bytes_from_buffer_or_file_or_stdin(const char *input_buffer,
+ return true;
+ }
+ } else if (path) {
+- return files_load_bytes_from_path(path, buf, size);
++ retval = files_load_bytes_from_path(path, buf, size);
+ }
+
+- return false;
++ return retval;
+ }
+
+ tool_rc files_save_ESYS_TR(ESYS_CONTEXT *ectx, ESYS_TR handle, const char *path) {
+-- 
+2.31.0
+
diff --git a/SOURCES/0001-tools-tpm2_nvcertify.c-Fix-incompatible-pointer-cast.patch b/SOURCES/0001-tools-tpm2_nvcertify.c-Fix-incompatible-pointer-cast.patch
new file mode 100644
index 0000000..509e6dc
--- /dev/null
+++ b/SOURCES/0001-tools-tpm2_nvcertify.c-Fix-incompatible-pointer-cast.patch
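Review bot: Initialising `retval` to `true` makes the function fail-open: any path that reaches the final `return retval` without assigning it now reports success, where the old code's fallthrough reported failure. In the visible hunks the stdin branch and the branch ending in `return true;` return directly, so the only assignment is the `files_load_bytes_from_path` call, but a later edit that falls through would silently succeed. Prefer `bool retval = false;` as the default and assign `true` on the success paths, or keep `return false;` as the fallthrough and return the path-branch result directly. The body of files_load_bytes_from_buffer_or_file_or_stdin starts and ends outside these hunks, so the branches between them could not be checked here.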
@@ -0,0 +1,63 @@
+From 77d4592e3eec9ec2c7932586f41f925b43ecc5ba Mon Sep 17 00:00:00 2001
+From: Imran Desai
+Date: Sun, 29 Mar 2020 10:22:42 -0700
+Subject: [PATCH] tools/tpm2_nvcertify.c: Fix incompatible pointer cast that
+ may cause memory leak
+
+Pointer "&ctx.size" and "&ctx.offset" points to an object whose effective type is
+"unsigned short" (16 bits, unsigned) but is dereferenced as a wider
+"unsigned int" (32 bits, unsigned). This may lead to memory corruption.
+
+Signed-off-by: Imran Desai
+---
+ tools/tpm2_nvcertify.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/tools/tpm2_nvcertify.c b/tools/tpm2_nvcertify.c
+index b49f38dbff20..414cbea85574 100644
+--- a/tools/tpm2_nvcertify.c
++++ b/tools/tpm2_nvcertify.c
+@@ -80,6 +80,7 @@ static bool set_signature_format(char *value) {
+ static bool on_option(char key, char *value) {
+
+ bool result = true;
++ uint32_t input_value;
+
+ switch (key) {
+ case 'C':
+@@ -110,18 +111,30 @@ static bool on_option(char key, char *value) {
+ ctx.policy_qualifier_arg = value;
+ break;
+ case 0:
+- result = tpm2_util_string_to_uint32(value, (uint32_t*)&ctx.size);
++ result = tpm2_util_string_to_uint32(value, &input_value);
+ if (!result) {
+ LOG_ERR("Could not convert size to number, got: \"%s\"", value);
+ return false;
+ }
++ if (input_value > UINT16_MAX) {
++ LOG_ERR("Specified size is larger than that allowed by command");
++ return false;
++ } else {
++ ctx.size = input_value;
++ }
+ break;
+ case 1:
+- result = tpm2_util_string_to_uint32(value, (uint32_t*)&ctx.offset);
++ result = tpm2_util_string_to_uint32(value, &input_value);
+ if (!result) {
+ LOG_ERR("Could not convert offset to number, got: \"%s\"", value);
+ return false;
+ }
++ if (input_value > UINT16_MAX) {
++ LOG_ERR("Specified offset is larger than that allowed by command");
++ return false;
++ } else {
++ ctx.offset = input_value;
++ }
+ break;
+ case 2:
+ ctx.certify_info_path = value;
+-- 
+2.31.0
+
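Review bot: The `else` after `return false;` in both the size (case 0) and offset (case 1) range checks is redundant; `ctx.size = input_value;` and `ctx.offset = input_value;` can follow their `if` blocks directly, which drops a nesting level and matches how the preceding `if (!result)` checks are written. The check itself is the right fix: `tpm2_util_string_to_uint32` writes four bytes, so the old `(uint32_t*)&ctx.size` cast wrote past a two-byte field, an out-of-bounds write rather than the "memory leak" named in the subject. Since `input_value` is shared by several cases, initialising it (`uint32_t input_value = 0;`) avoids any later read of an unassigned value if a new case forgets the conversion.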
diff --git a/SOURCES/0001-tools-tpm2_nvreadpublic-Fix-resource-leak.patch b/SOURCES/0001-tools-tpm2_nvreadpublic-Fix-resource-leak.patch
new file mode 100644
index 0000000..7d53c71
--- /dev/null
+++ b/SOURCES/0001-tools-tpm2_nvreadpublic-Fix-resource-leak.patch
@@ -0,0 +1,25 @@
+From 023ec5c0eafe8dfb5b71e400cb0c2c337fb8c108 Mon Sep 17 00:00:00 2001
+From: Imran Desai
+Date: Sun, 29 Mar 2020 10:49:12 -0700
+Subject: [PATCH] tools/tpm2_nvreadpublic: Fix resource leak
+
+Signed-off-by: Imran Desai
+---
+ tools/tpm2_nvreadpublic.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/tpm2_nvreadpublic.c b/tools/tpm2_nvreadpublic.c
+index 7f8e46cbf863..eca1fd715a79 100644
+--- a/tools/tpm2_nvreadpublic.c
++++ b/tools/tpm2_nvreadpublic.c
+@@ -41,6 +41,7 @@ static tool_rc print_nv_public(ESYS_CONTEXT *context, TPMI_RH_NV_INDEX index, TP
+ rc = tpm2_tr_get_name(context, tr_handle,
+ &name);
+ if (rc != tool_rc_success) {
++ free(attrs);
+ return rc;
+ }
+
+-- 
+2.31.0
+
diff --git a/SOURCES/0001-tpm2_getekcertificate-add-default-web-address.patch b/SOURCES/0001-tpm2_getekcertificate-add-default-web-address.patch
new file mode 100644
index 0000000..0183c76
--- /dev/null
+++ b/SOURCES/0001-tpm2_getekcertificate-add-default-web-address.patch
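Review bot: The added `free(attrs)` covers only the `tpm2_tr_get_name` failure; if print_nv_public has other early returns between the allocation of `attrs` and its eventual release, they leak the same way, and a single cleanup label (`goto out;` with `out: free(attrs); return rc;`) would make every exit path release it without per-return frees. The function starts and ends outside this hunk, so this is inferred from the pattern rather than from visible lines. A short comment at the allocation site stating that print_nv_public owns and frees `attrs` would make the contract explicit for the next change.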
@@ -0,0 +1,49 @@
+From 8c72f7402d8977807f531b08976760d62676cf8a Mon Sep 17 00:00:00 2001
+From: Imran Desai
+Date: Thu, 23 Jan 2020 11:21:58 -0700
+Subject: [PATCH] tpm2_getekcertificate: add default web address
+
+Currently only Intel (R) PTT certificates are hosted online.
+A default web address pointing to the endorsement key certificate
+hosting will help reduce user input.
+
+Signed-off-by: Imran Desai
+---
+ test/integration/tests/getekcertificate.sh | 6 ++----
+ tools/tpm2_getekcertificate.c | 1 +
+ 2 files changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/test/integration/tests/getekcertificate.sh b/test/integration/tests/getekcertificate.sh
+index 33f4f8b2e4c0..e8c521756d2a 100755
+--- a/test/integration/tests/getekcertificate.sh
++++ b/test/integration/tests/getekcertificate.sh
+@@ -38,12 +38,10 @@ else
+ fi
+ fi
+
+-tpm2_getekcertificate -u test_ek.pub -x -X -o ECcert.bin \
+-https://ekop.intel.com/ekcertservice/
++tpm2_getekcertificate -u test_ek.pub -x -X -o ECcert.bin
+
+ # Test that stdoutput is the same
+-tpm2_getekcertificate -u test_ek.pub -x https://ekop.intel.com/ekcertservice/ \
+--X > ECcert2.bin
++tpm2_getekcertificate -u test_ek.pub -x -X > ECcert2.bin
+
+ # stdout file should match -E file.
+ cmp ECcert.bin ECcert2.bin
+diff --git a/tools/tpm2_getekcertificate.c b/tools/tpm2_getekcertificate.c
+index 233d04d8b3d7..6a8fe894bb1c 100644
+--- a/tools/tpm2_getekcertificate.c
++++ b/tools/tpm2_getekcertificate.c
+@@ -32,6 +32,7 @@ struct tpm_getekcertificate_ctx {
+
+ static tpm_getekcertificate_ctx ctx = {
+ .is_tpm2_device_active = true,
++ .ek_server_addr = "https://ekop.intel.com/ekcertservice/",
+ };
+
+ static unsigned char *hash_ek_public(void) {
+-- 
+2.31.0
+
diff --git a/SOURCES/0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch b/SOURCES/0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch
new file mode 100644
index 0000000..53814a4
--- /dev/null
+++ b/SOURCES/0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch
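Review bot: `.ek_server_addr` now defaults to a vendor-specific endpoint, so a run with no address on the command line sends the EK public-key hash to `https://ekop.intel.com/ekcertservice/` even for a non-Intel TPM, where the description itself says no certificate is hosted. The tool should make that visible when the user supplied no address, e.g. `LOG_WARN("Using default EK certificate server: %s", ctx.ek_server_addr);` at the point the request is issued (outside this hunk), and the man page should state the default and that it only serves Intel PTT parts. A comment on the initializer, `/* default; only Intel PTT EK certificates are hosted here */`, would keep the limitation next to the value. The integration test now relies on this default implicitly rather than asserting it.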
@@ -0,0 +1,46 @@
+From c069e4f179d5e6653a84fb236816c375dca82515 Mon Sep 17 00:00:00 2001
+From: William Roberts
+Date: Fri, 21 May 2021 12:22:31 -0500
+Subject: [PATCH] tpm2_import: fix fixed AES key CVE-2021-3565
+
+tpm2_import used a fixed AES key for the inner wrapper, which means that
+a MITM attack would be able to unwrap the imported key. Even the
+use of an encrypted session will not prevent this. The TPM only
+encrypts the first parameter which is the fixed symmetric key.
+
+To fix this, ensure the key size is 16 bytes or bigger and use
+OpenSSL to generate a secure random AES key.
+
+Fixes: #2738
+
+Signed-off-by: William Roberts
+---
+ tools/tpm2_import.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tpm2_import.c b/tools/tpm2_import.c
+index cfb6f207ba9c..f44326c87e7e 100644
+--- a/tools/tpm2_import.c
++++ b/tools/tpm2_import.c
+@@ -118,7 +118,17 @@ static tool_rc key_import(ESYS_CONTEXT *ectx, TPM2B_PUBLIC *parent_pub,
+ TPM2B_DATA enc_sensitive_key = {
+ .size = parent_pub->publicArea.parameters.rsaDetail.symmetric.keyBits.sym / 8
+ };
+- memset(enc_sensitive_key.buffer, 0xFF, enc_sensitive_key.size);
++
++ if(enc_sensitive_key.size < 16) {
++ LOG_ERR("Calculated wrapping keysize is less than 16 bytes, got: %u", enc_sensitive_key.size);
++ return tool_rc_general_error;
++ }
++
++ int ossl_rc = RAND_bytes(enc_sensitive_key.buffer, enc_sensitive_key.size);
++ if (ossl_rc != 1) {
++ LOG_ERR("RAND_bytes failed: %s", ERR_error_string(ERR_get_error(), NULL));
++ return tool_rc_general_error;
++ }
+
+ /*
+ * Calculate the object name.
+-- 
+2.31.0
+
diff --git a/SOURCES/0001-tpm2_policy.c-restrict-policy-digest-size.patch b/SOURCES/0001-tpm2_policy.c-restrict-policy-digest-size.patch
new file mode 100644
index 0000000..c481309
--- /dev/null
+++ b/SOURCES/0001-tpm2_policy.c-restrict-policy-digest-size.patch
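Review bot: The freshly generated wrapping key stays in `enc_sensitive_key.buffer` on the stack for the remainder of key_import, which continues outside this hunk; once the inner wrap and the import call are done it should be wiped with `OPENSSL_cleanse(enc_sensitive_key.buffer, enc_sensitive_key.size);` on both the success and the error paths, since a plain `memset` before return can be optimised away. A comment above the `RAND_bytes` call stating why a per-invocation random key is required (the TPM only encrypts the first parameter, so a fixed key is recoverable on the wire, per the commit message) would stop a future "simplification" from reintroducing the constant. Minor: `if(enc_sensitive_key.size < 16)` lacks the space used by the `if (ossl_rc != 1)` check below it, and the `16` would read better as a named minimum, e.g. `enum { MIN_WRAP_KEY_BYTES = 16 };`.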
@@ -0,0 +1,28 @@
+From e556da0a2099573f82391c16477fba08584a7a12 Mon Sep 17 00:00:00 2001
+From: Imran Desai
+Date: Tue, 10 Mar 2020 09:15:55 -0700
+Subject: [PATCH] tpm2_policy.c: restrict policy digest size
+
+Fixes #1916
+
+Signed-off-by: Imran Desai
+---
+ lib/tpm2_policy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/tpm2_policy.c b/lib/tpm2_policy.c
+index 6c352b2b41ae..01387ba01645 100644
+--- a/lib/tpm2_policy.c
++++ b/lib/tpm2_policy.c
+@@ -163,7 +163,7 @@ tool_rc tpm2_policy_build_policyauthorize(ESYS_CONTEXT *ectx,
+ bool result = true;
+ TPM2B_DIGEST approved_policy = { .size = 0 };
+ if (policy_digest_path) {
+- approved_policy.size = UINT16_MAX;
++ approved_policy.size = sizeof(TPMU_HA);
+ result = files_load_bytes_from_path(policy_digest_path,
+ approved_policy.buffer, &approved_policy.size);
+ }
+-- 
+2.31.0
+
diff --git a/SOURCES/0001-tpm2_policycountertimer-Fix-an-issue-where-operandB-.patch b/SOURCES/0001-tpm2_policycountertimer-Fix-an-issue-where-operandB-.patch
new file mode 100644
index 0000000..ea4bab1
--- /dev/null
+++ b/SOURCES/0001-tpm2_policycountertimer-Fix-an-issue-where-operandB-.patch
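Review bot: `sizeof(TPMU_HA)` matches the capacity of `approved_policy.buffer` only through the TPM2B_DIGEST definition; writing `approved_policy.size = sizeof(approved_policy.buffer);` ties the limit handed to `files_load_bytes_from_path` to the actual destination array, so it cannot drift if the type or the field ever changes. The line also deserves a comment saying what it bounds: `/* max bytes the loader may write into the stack buffer; UINT16_MAX let an oversized file overrun it */`. The function continues outside the hunk, so whether the loaded size is later checked against the hash size could not be verified here.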
@@ -0,0 +1,30 @@
+From cab7b3edcc6a44aece0642c0c2621a4bb70d449b Mon Sep 17 00:00:00 2001
+From: Imran Desai
+Date: Tue, 10 Mar 2020 18:19:04 -0700
+Subject: [PATCH] tpm2_policycountertimer: Fix an issue where operandB array
+ was reversed
+
+Signed-off-by: Imran Desai
+---
+ tools/tpm2_policycountertimer.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tpm2_policycountertimer.c b/tools/tpm2_policycountertimer.c
+index 1c72d525dab7..170a544f2203 100644
+--- a/tools/tpm2_policycountertimer.c
++++ b/tools/tpm2_policycountertimer.c
+@@ -81,7 +81,10 @@ static bool convert_keyvalue_to_operand_buffer(const char *value,
+ }
+
+ ctx.operand_b.size = size;
+- memcpy(ctx.operand_b.buffer, &data.b, size);
++ size_t i = 0;
++ for (i = 0; i < size; i++) {
++ ctx.operand_b.buffer[i] = *(&data.b + size - i - 1);
++ }
+
+ return true;
+ }
+-- 
+2.31.0
+
diff --git a/SPECS/tpm2-tools.spec b/SPECS/tpm2-tools.spec
index 8a9b583..65f2e6f 100644
--- a/SPECS/tpm2-tools.spec
+++ b/SPECS/tpm2-tools.spec
@@ -1,6 +1,6 @@
 Name: tpm2-tools
 Version: 4.1.1
-Release: 2%{?dist}
+Release: 5%{?dist}
 Summary: A TPM2.0 testing tool build upon TPM2.0-TSS
 License: BSD
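Review bot: `*(&data.b + size - i - 1)` scales the offset by `sizeof data.b`, so the loop is a byte-wise reversal only if `data.b` is a one-byte member; the union holding `data` is declared outside this hunk, so that could not be confirmed here, and if the member is wider the reads land past the union. Going through a byte pointer, `const uint8_t *src = (const uint8_t *)&data.b;` and `ctx.operand_b.buffer[i] = src[size - i - 1];`, makes the intent explicit and is correct whatever the member's width. The reversal also assumes a little-endian host to produce the big-endian operand, which deserves a comment such as `/* host is little-endian; emit the low `size` bytes big-endian as the TPM expects */` or a shift-based serialization that does not depend on host byte order. The file already declares mid-block, so `size_t i = 0; for (i = 0; ...)` can simply be `for (size_t i = 0; i < size; i++)`.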
@@ -13,6 +13,14 @@ Patch3: 0001-tpm2_alg_util.c-fix-a-bug-where-the-string-rsa3072-w.patch
 Patch4: 0001-Fix-ESYS_TR-hierarchy-transition.patch
 Patch5: 0001-Refactor-fix_esys_hierarchies.patch
 Patch6: 0001-tpm2_create.c-Fix-an-issue-where-userwithauth-attr-c.patch
+Patch7: 0001-tpm2_getekcertificate-add-default-web-address.patch
+Patch8: 0001-lib-files-fix-an-error-message-in-files_load_-name.patch
+Patch9: 0001-tpm2_policy.c-restrict-policy-digest-size.patch
+Patch10: 0001-tpm2_policycountertimer-Fix-an-issue-where-operandB-.patch
+Patch11: 0001-tools-tpm2_nvcertify.c-Fix-incompatible-pointer-cast.patch
+Patch12: 0001-tools-tpm2_nvreadpublic-Fix-resource-leak.patch
+Patch13: 0001-lib-files.c-Fix-an-issue-where-execution-could-not-r.patch
+Patch14: 0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch
 BuildRequires: gcc-c++
 BuildRequires: libtool
@@ -53,6 +61,22 @@ tpm2-tools is a batch of testing tools for tpm2.0. It is based on tpm2-tss.
 %{_mandir}/man1/tpm2_*.1.gz
 %changelog
+* Mon Aug 09 2021 Jerry Snitselaar - 4.1.1-5
+- Bump nvr to trigger osci.
+resolves: rhbz#1965981
+
+* Tue Jun 01 2021 Jerry Snitselaar - 4.1.1-4
+- Fix CVE-2021-3565
+resolves: rhbz#1965981
+
+* Fri May 14 2021 Jerry Snitselaar - 4.1.1-3
+- Fix resource leak.
+- Fix to restrict policy digest size.
+- Fix incompatible pointer cast.
+- Fix error message in files_load_##name
+- Fix issue where execution couldn't reach function return.
+resolves: rhbz#1920821
+
 * Mon Nov 16 2020 Jerry Snitselaar - 4.1.1-2
 - Fix ESYS_TR hierarchy transition.
 - Refactor fix_esys_hierarchies to return actual TSS2_RC return code.