4 changed files with 42 additions and 181 deletions
--- a/SOURCES/0001-tpm2-Do-not-call-EVP_PKEY_CTX_set0_rsa_oaep_label-fo.patch
+++ b/SOURCES/0001-tpm2-Do-not-call-EVP_PKEY_CTX_set0_rsa_oaep_label-fo.patch
@ -1,37 +0,0 @@
-From e4261984374556da65c9d46097d5a1200b335c0c Mon Sep 17 00:00:00 2001
-From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
-Date: Sat, 19 Feb 2022 12:59:32 +0100
-Subject: [PATCH] tpm2: Do not call EVP_PKEY_CTX_set0_rsa_oaep_label() for
- label of size 0 (OSSL 3)
-
-Openssl 3.0 did return an error if EVP_PKEY_CTX_set0_rsa_oaep_label was called
-with label size 0. The function should only be called if the size of the label
-is greater 0.
-With this fix TPM2_RSA_Encrypt/Decrypt did work with OpenSSL 1.1 and 3.0
-for encryption without label.
-
-Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
---
- src/tpm2/crypto/openssl/CryptRsa.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/src/tpm2/crypto/openssl/CryptRsa.c b/src/tpm2/crypto/openssl/CryptRsa.c
-index 4ed04384feb0..b5d6b6c3be82 100644
--- a/src/tpm2/crypto/openssl/CryptRsa.c
-+++ b/src/tpm2/crypto/openssl/CryptRsa.c
-@@ -1356,10 +1356,9 @@ CryptRsaEncrypt(
-                 if (tmp == NULL)
-                     ERROR_RETURN(TPM_RC_FAILURE);
-                 memcpy(tmp, label->buffer, label->size);
-+                if (EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, tmp, label->size) <= 0)
-+                    ERROR_RETURN(TPM_RC_FAILURE);
-             }
-            // label->size == 0 is supported
-            if (EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, tmp, label->size) <= 0)
-                ERROR_RETURN(TPM_RC_FAILURE);
-             tmp = NULL;
-             break;
-           default:
-- 
-2.36.0.44.g0f828332d5ac
-
--- a/SOURCES/0001-tpm2-Fix-size-check-in-CryptSecretDecrypt.patch
+++ b/SOURCES/0001-tpm2-Fix-size-check-in-CryptSecretDecrypt.patch
@ -1,31 +0,0 @@
-From 3d2bbe2f1947784506ba0a7f9e8ab81eefb69929 Mon Sep 17 00:00:00 2001
-From: Ross Lagerwall <ross.lagerwall@citrix.com>
-Date: Mon, 23 May 2022 14:16:57 +0100
-Subject: [PATCH] tpm2: Fix size check in CryptSecretDecrypt
-
-Check the secret size against the size of the buffer, not the size
-member that has not been set yet.
-
-Reported by Coverity.
-
-Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
---
- src/tpm2/CryptUtil.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/tpm2/CryptUtil.c b/src/tpm2/CryptUtil.c
-index 9879f918acb6..002fde0987a9 100644
--- a/src/tpm2/CryptUtil.c
-+++ b/src/tpm2/CryptUtil.c
-@@ -732,7 +732,7 @@ CryptSecretDecrypt(
- 					     nonceCaller->t.size);
- 			      }
- 			  // make sure secret will fit
-			  if(secret->t.size > data->t.size)
-+			  if(secret->t.size > sizeof(data->t.buffer))
- 			      return TPM_RC_FAILURE;
- 			  data->t.size = secret->t.size;
- 			  // CFB decrypt, using nonceCaller as iv
-- 
-2.36.0.44.g0f828332d5ac
-
--- a/SOURCES/0001-tpm2-Return-TPM_RC_VALUE-upon-decryption-failure.patch
+++ b/SOURCES/0001-tpm2-Return-TPM_RC_VALUE-upon-decryption-failure.patch
@ -1,31 +0,0 @@
-From 1b0b41293a0d49ff8063542fcb3a5ee1d4e10f7e Mon Sep 17 00:00:00 2001
-From: Stefan Berger <stefanb@linux.ibm.com>
-Date: Mon, 29 Jul 2024 10:19:00 -0400
-Subject: [PATCH] tpm2: Return TPM_RC_VALUE upon decryption failure
-
-When decryption fails then return TPM_RC_VALUE rather than TPM_RC_FAILURE.
-The old error code could indicate to an application or driver that
-something is wrong with the TPM (has possibly gone into failure mode) even
-though only the decryption failed, possibly due to a wrong key.
-
-Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
- src/tpm2/crypto/openssl/CryptRsa.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/tpm2/crypto/openssl/CryptRsa.c b/src/tpm2/crypto/openssl/CryptRsa.c
-index b5d6b6c3..88ee3bac 100644
--- a/src/tpm2/crypto/openssl/CryptRsa.c
-+++ b/src/tpm2/crypto/openssl/CryptRsa.c
-@@ -1457,7 +1457,7 @@ CryptRsaDecrypt(
-     outlen = sizeof(buffer);
-     if (EVP_PKEY_decrypt(ctx, buffer, &outlen,
-                          cIn->buffer, cIn->size) <= 0)
-        ERROR_RETURN(TPM_RC_FAILURE);
-+        ERROR_RETURN(TPM_RC_VALUE);
- 
-     if (outlen > dOut->size)
-         ERROR_RETURN(TPM_RC_FAILURE);
-- 
-2.41.0.28.gd7d8841f67
-
--- a/SPECS/libtpms.spec
+++ b/SPECS/libtpms.spec
@ -3,22 +3,21 @@

 Name:           libtpms
 Version:        0.9.1
-Release:        4.%{gitdate}git%{gitversion}%{?dist}
+Release:        2.%{gitdate}git%{gitversion}%{?dist}

 Summary: Library providing Trusted Platform Module (TPM) functionality
 License:        BSD
 Url:            http://github.com/stefanberger/libtpms
 Source0:        libtpms-%{gitdate}.tar.xz
-Patch0001:      0001-tpm2-Do-not-call-EVP_PKEY_CTX_set0_rsa_oaep_label-fo.patch
-Patch0002:      0001-tpm2-Fix-size-check-in-CryptSecretDecrypt.patch
+ExcludeArch:    i686
 Patch0003:      0001-tpm2-When-writing-state-initialize-s_ContextSlotMask.patch
 Patch0004:      0001-tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch
-Patch0005:      0001-tpm2-Return-TPM_RC_VALUE-upon-decryption-failure.patch

 BuildRequires:  openssl-devel
 BuildRequires:  pkgconfig gawk sed
 BuildRequires:  automake autoconf libtool bash coreutils gcc-c++
-BuildRequires: make
+BuildRequires:  git
+BuildRequires:  make

 %description
 A library providing TPM functionality for VMs. Targeted for integration
@ -32,7 +31,7 @@ Requires:       %{name}%{?_isa} = %{version}-%{release}
 Libtpms header files and documentation.

 %prep
-%autosetup -p1 -n %{name}-%{gitdate}
+%autosetup -S git -n %{name}-%{gitdate}
 %build
 NOCONFIGURE=1 sh autogen.sh
 %configure --disable-static --with-tpm2 --without-tpm1 --with-openssl
@ -60,105 +59,66 @@ find %{buildroot} -type f -name '*.la' | xargs rm -f -- || :
 %{_mandir}/man3/*

 %changelog
-* Wed Sep 04 2024 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.9.1-4.20211126git1ff6fe1f43
- Backport "tpm2: Return TPM_RC_VALUE upon decryption failure"
-  Resolves: RHEL-58056
-
-* Wed Mar 01 2023 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.9.1-3.20211126git1ff6fe1f43
+* Tue Mar 21 2023 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.9.1-2.20211126git1ff6fe1f43
 - Backport "tpm2: Check size of buffer before accessing it" (CVE-2023-1017 & CVE-2023-1018)
-  Resolves: rhbz#2173960
-  Resolves: rhbz#2173967
+  Resolves: rhbz#2173964
+  Resolves: rhbz#2173970

-* Mon Jun 20 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.9.1-2.20211126git1ff6fe1f43
+* Thu Jul 28 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.9.1-1.20211126git1ff6fe1f43
 - Backport s_ContextSlotMask initialization fix
-  Resolves: rhbz#2035731
-
-* Mon Jun 13 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.9.1-1.20211126git1ff6fe1f43
- Backport RSA/OAEP fixes.
-  Resolves: rhbz#2093651
-
-* Wed Dec 01 2021 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.9.1-0.20211126git1ff6fe1f43
- Rebase to 0.9.1
-  Resolves: rhbz#2027951
-
-* Tue Nov  9 2021 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.9.0-0.20211004gitdc4e3f6313
- Rebase to 0.9.0, disable TPM 1.2
-  Resolves: rhbz#1990152 & rhbz#2021628
-
-* Tue Aug 31 2021 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.8.2-0.20210301git729fc6a4ca.7
- Fixes CVE-2021-3746 libtpms: out-of-bounds access via specially crafted TPM 2 command packets
-  Resolves: rhbz#1999303
-
-* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.8.2-0.20210301git729fc6a4ca.6
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
-  Related: rhbz#1991688
-
-* Wed Jun 30 2021 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.8.2-0.20210301git729fc6a4ca.5
- Fixes CVE-2021-3623: out-of-bounds access when trying to resume the state of the vTPM
-  Resolves: rhbz#1976814
+  Resolves: rhbz#2111433

-* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.8.2-0.20210301git729fc6a4ca.4
- Rebuilt for RHEL 9 BETA for openssl 3.0
-  Related: rhbz#1971065
+* Thu Dec 09 2021 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.9.1-0.20211126git1ff6fe1f43
+- Rebase to 0.9.1 (sync with RHEL9)
+  Resolves: rhbz#2029355

-* Tue May 18 2021 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.8.2-0.20210301git729fc6a4ca.3
- Add -Wno-error=deprecated-declarations, to ignore OpenSSL 3.0 deprecation warnings.
-  Fixes: rhbz#1958054
+* Tue Aug 31 2021 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.4-6.20201106git2452a24dab
+- Fix CVE-2021-3746 libtpms: out-of-bounds access via specially crafted TPM 2 command packets
+  Resolves: rhbz#1999307

-* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.8.2-0.20210301git729fc6a4ca.2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+* Mon Jun 28 2021 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.4-5.20201106git2452a24dab
+- Fix CVE-2021-3623: out-of-bounds access when trying to resume the state of the vTPM
+  Fixes: rhbz#1976816

-* Mon Mar 01 2021 Stefan Berger <stefanb@linux.ibm.com> - 0.8.2-0.20210301git729fc6a4ca
- tpm2: CryptSym: fix AES output IV; a CVE has been filed for this issue
+* Wed Mar 17 2021 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.4-4.20201106git2452a24dab
+- tpm2: CryptSym: fix AES output IV
+  Fixes: rhbz#1942904

-* Sat Feb 27 2021 Stefan Berger <stefanb@linux.ibm.com> - 0.8.1-0.20210227git5bf2746e47
- Fixed a context save and suspend/resume problem when public keys are loaded
+* Fri Feb 19 2021 Eduardo Lima (Etrunko) <etrunko@redhat.com> - 0.7.4-3.20201106git2452a24dab
+- Add git as build dependency
+  Related: rhbz#1858821

-* Thu Feb 18 2021 Stefan Berger <stefanb@linux.ibm.com> - 0.7.5-0.20210218gite271498466
- Addressed UBSAN and cppcheck detected issues
- Return proper size of ECC Parameters to pass HLK tests
+* Wed Feb 17 2021 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.4-2.20201106git2452a24dab
+- tpm2: Return properly sized array for b parameter for NIST P521 (HLK) #180 
+  Fixes: rhbz#1858821

-* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.4-0.20201031git2452a24dab.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+* Fri Nov  6 18:46:36 +04 2020 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.4-1.20201106git2452a24dab
+- Follow stable-0.7.0 branch to v0.7.4 with security-related fixes.
+  Fixes: rhbz#1893444

-* Sat Oct 31 2020 Stefan Berger <stefanb@linux.ibm.com> - 0.7.4-0.20201031git2452a24dab
- Follow stable-0.7.0 branch to v0.7.4 with security-related fixes
+* Tue Aug 18 2020 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.3-1.20200818git1d392d466a
+- Update to v0.7.3 stable, fixes rhbz#1868447
+- (includes "tpm2: fix PCRBelongsTCBGroup for PCClient")

-* Fri Jul 31 2020 Stefan Berger <stefanb@linux.ibm.com> - 0.7.3-0.20200731git1d392d466a
- Follow stable-0.7.0 branch to v0.7.3
-
-* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.2-0.20200527git7325acb477.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Wed May 27 2020 Stefan Berger <stefanb@linux.ibm.com> - 0.7.2-0.20200527git7325acb477
+* Thu May 28 2020 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.2-1.20200527git7325acb477
+- Update to v0.7.2 stable snapshot, fixes rhbz#1809676
+- exclude i686 build
 - Following stable-0.7.0 branch for TPM 2 related fixes: RSA decryption,
  PSS salt length, symmetric decryption (padding)
 - Under certain circumstances an RSA decryption could cause a buffer overflow causing
  termination of the program (swtpm)
-
-* Wed May 20 2020 Stefan Berger <stefanb@linux.ibm.com> - 0.7.1-0.20200520git8fe99d1fd0
 - Following stable-0.7.0 branch for TPM 2 related fixes; v0.7.1 + gcc related patch
 - elliptic curve fixes
 - MANUFACTURER changed from "IBM " to "IBM"
 - gcc 10 related fix
-
-* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.0-0.20191018gitdc116933b7.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Fri Oct 18 2019 Stefan Berger <stefanb@linux.ibm.com> - 0.7.0-0.20191018gitdc116933b7
 - Following stable-0.7.0 branch for TPM 1.2 related bugfix

-* Tue Oct 08 2019 Stefan Berger <stefanb@linux.ibm.com> - 0.7.0-0.20191008gitc26e8f7b08
- Following stable-0.7.0 branch for bug fix
-
-* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.0-0.20190719gitd061d8065b.2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Fri Jul 19 2019 Stefan Berger <stefanb@linux.ibm.com> - 0.7.0-0.20190719gitd061d8065b
- Update to v0.7.0
+* Fri Oct 18 2019 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-1.20191018gitdc116933b7
+- RHEL8.1.1 update
+- Update to v0.7.0 stable snapshot

-* Fri May 10 2019 Stefan Berger <stefanb@linux.ibm.com> - 0.6.1-0.20190510gitb244bdf6e2
- Applied bugfix for CMAC
+* Tue Apr 16 2019 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.6.1-0.20190121git9dc915572b.2
+- RHEL8.1 build

 * Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.1-0.20190121git9dc915572b.1
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild