From df8d6a816ddd7ba6a42d9d7b0735b619c076de206a6ade7e9166b547c5bddac9 Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Mon, 21 Aug 2017 16:23:48 +0000 Subject: [PATCH] Accepting request 517963 from home:mgerstner:branches:security - update to version 2.1.0: - dropped 0002-kdfa-use-openssl-for-hmac-not-tpm.patch, was backported upstream in commit 788a17abbe0000c560935ef9f31c9a6892d9ea33 - this version now can interact with the new resource manager tpm2.0-abrmd - Upstream changes: * Fix readx and writex on multiple EINTR returns. * Add support for the tabrmd TCTI. This is the new default. * Change default socket port from 2323 (the old resourcemgr) to 2321 (default simulator port). * Cherry-pick fix for CVE-2017-7524. * Fix tpm2_listpcr command line option handling. * Fix tpm2_getmanufec memory issues. OBS-URL: https://build.opensuse.org/request/show/517963 OBS-URL: https://build.opensuse.org/package/show/security/tpm2.0-tools?expand=0&rev=28 --- ...e-TPM2_GetCapability-to-determine-PC.patch | 57 +++-- 0002-kdfa-use-openssl-for-hmac-not-tpm.patch | 207 ------------------ 2.0.0.zip | 3 - 2.1.0.zip | 3 + tpm2.0-tools-fix-gcc7.patch | 12 +- tpm2.0-tools-fix-hardening.patch | 8 +- tpm2.0-tools.changes | 16 ++ tpm2.0-tools.spec | 7 +- 8 files changed, 61 insertions(+), 252 deletions(-) delete mode 100644 0002-kdfa-use-openssl-for-hmac-not-tpm.patch delete mode 100644 2.0.0.zip create mode 100644 2.1.0.zip diff --git a/0001-tpm2_listpcrs-use-TPM2_GetCapability-to-determine-PC.patch b/0001-tpm2_listpcrs-use-TPM2_GetCapability-to-determine-PC.patch index 5873f01..1349df0 100644 --- a/0001-tpm2_listpcrs-use-TPM2_GetCapability-to-determine-PC.patch +++ b/0001-tpm2_listpcrs-use-TPM2_GetCapability-to-determine-PC.patch @@ -22,11 +22,11 @@ 
Signed-off-by: Jerry Snitselaar tools/tpm2_listpcrs.c | 55 +++++++++++++++++++++++++-------------------------- 1 file changed, 27 insertions(+), 28 deletions(-) -diff --git a/tools/tpm2_listpcrs.c b/tools/tpm2_listpcrs.c -index f50c200..42bb8c6 100644 ---- a/tools/tpm2_listpcrs.c -+++ b/tools/tpm2_listpcrs.c -@@ -173,38 +173,35 @@ static bool read_pcr_values(listpcr_context *context) { +Index: tpm2-tools-2.1.0/tools/tpm2_listpcrs.c +=================================================================== +--- tpm2-tools-2.1.0.orig/tools/tpm2_listpcrs.c ++++ tpm2-tools-2.1.0/tools/tpm2_listpcrs.c +@@ -173,38 +173,35 @@ static bool read_pcr_values(listpcr_cont return true; } @@ -38,14 +38,15 @@ index f50c200..42bb8c6 100644 - pcr_selections->pcrSelections[0].hash = alg_id; - set_pcr_select_size(&pcr_selections->pcrSelections[0], 3); - clear_pcr_select_bits(&pcr_selections->pcrSelections[0]); +- +- UINT32 pcr_id; +- for (pcr_id = 0; pcr_id < 24; pcr_id++) { +- set_pcr_select_bit(&pcr_selections->pcrSelections[0], pcr_id); + TPMI_YES_NO moreData; + TPMS_CAPABILITY_DATA cap_data; + TPML_PCR_SELECTION *pcr_sel = &context->pcr_selections; + UINT32 rval, i, j; - -- UINT32 pcr_id; -- for (pcr_id = 0; pcr_id < 24; pcr_id++) { -- set_pcr_select_bit(&pcr_selections->pcrSelections[0], pcr_id); ++ + rval = Tss2_Sys_GetCapability(context->sapi_context, 0, TPM_CAP_PCRS, 0, 1, &moreData, &cap_data, 0); + if (rval != TPM_RC_SUCCESS) { + LOG_ERR("GetCapability: Get PCR allocation status Error. TPM Error:0x%x......\n", rval); 
@@ -56,9 +57,21 @@ index f50c200..42bb8c6 100644 -/* XXX Could this internally call init_pcr_selection_from_algorithm to reduce duplicate code? */ -static void init_pcr_selection_all(tpm2_algorithm *algorithm, - TPML_PCR_SELECTION *pcr_selections) { +- +- pcr_selections->count = 0; +- +- int i; +- for (i = 0; i < algorithm->count; i++) { +- pcr_selections->pcrSelections[i].hash = algorithm->alg[i]; +- set_pcr_select_size(&pcr_selections->pcrSelections[i], 3); +- clear_pcr_select_bits(&pcr_selections->pcrSelections[i]); + pcr_sel->count = 0; -- pcr_selections->count = 0; +- UINT32 pcr_id; +- for (pcr_id = 0; pcr_id < 24; pcr_id++) { +- set_pcr_select_bit(&pcr_selections->pcrSelections[i], pcr_id); +- } +- pcr_selections->count++; + for (i = 0; i < cap_data.data.assignedPCR.count; i++) { + if (alg_id && (cap_data.data.assignedPCR.pcrSelections[i].hash != alg_id)) + continue; @@ -67,27 +80,16 @@ index f50c200..42bb8c6 100644 + for (j = 0; j < pcr_sel->pcrSelections[pcr_sel->count].sizeofSelect; j++) + pcr_sel->pcrSelections[pcr_sel->count].pcrSelect[j] = cap_data.data.assignedPCR.pcrSelections[i].pcrSelect[j]; + pcr_sel->count++; -+ } - -- int i; -- for (i = 0; i < algorithm->count; i++) { -- pcr_selections->pcrSelections[i].hash = algorithm->alg[i]; -- set_pcr_select_size(&pcr_selections->pcrSelections[i], 3); -- clear_pcr_select_bits(&pcr_selections->pcrSelections[i]); + } ++ + if (pcr_sel->count == 0) + return false; - -- UINT32 pcr_id; -- for (pcr_id = 0; pcr_id < 24; pcr_id++) { -- set_pcr_select_bit(&pcr_selections->pcrSelections[i], pcr_id); -- } -- pcr_selections->count++; -- } ++ + return true; } // show all PCR banks according to g_pcrSelection & g_pcrs-> -@@ -220,7 +217,7 @@ static bool show_pcr_values(listpcr_context *context) { +@@ -220,7 +217,7 @@ static bool show_pcr_values(listpcr_cont context->pcr_selections.pcrSelections[i].hash); UINT32 pcr_id; 
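Review bot: In hunk `@@ -67,27 +80,16 @@` of the refreshed listpcrs patch, the copy loop `for (j = 0; j < pcr_sel->pcrSelections[pcr_sel->count].sizeofSelect; j++)` is bounded only by a value that appears to come from the GetCapability response. The outer loop over `cap_data.data.assignedPCR.count` in the preceding hunk has the same shape. No visible line compares either bound with the size of the destination arrays, though the patch lines that assign `hash` and `sizeofSelect` fall between the two hunks, so a clamp may exist there. If it does not, a guard before the copy such as `if (src->sizeofSelect > sizeof(src->pcrSelect)) return false;` (with `src` standing for `&cap_data.data.assignedPCR.pcrSelections[i]`) keeps a malformed response from indexing past `pcrSelect[]`. This matters more now that the tools talk to a resource manager or socket TCTI by default.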
@@ -96,7 +98,7 @@ index f50c200..42bb8c6 100644 if (!is_pcr_select_bit_set(&context->pcr_selections.pcrSelections[i], pcr_id)) { continue; -@@ -271,14 +268,16 @@ static bool show_selected_pcr_values(listpcr_context *context) { +@@ -271,14 +268,16 @@ static bool show_selected_pcr_values(lis static bool show_all_pcr_values(listpcr_context *context) { @@ -115,6 +117,3 @@ index f50c200..42bb8c6 100644 return show_selected_pcr_values(context); } --- -2.12.3 - diff --git a/0002-kdfa-use-openssl-for-hmac-not-tpm.patch b/0002-kdfa-use-openssl-for-hmac-not-tpm.patch deleted file mode 100644 index 66019a3..0000000 --- a/0002-kdfa-use-openssl-for-hmac-not-tpm.patch +++ /dev/null 
@@ -1,207 +0,0 @@ -From c5d72beaab1cbbbe68271f4bc4b6670d69985157 Mon Sep 17 00:00:00 2001 -From: William Roberts -Date: Wed, 21 Jun 2017 09:32:32 -0700 -Subject: [PATCH] kdfa: use openssl for hmac not tpm - -While not reachable in the current code base tools, a potential -security bug lurked in tpm_kdfa(). - -If using that routine for an hmac authorization, the hmac was -calculated using the tpm. A user of an object wishing to -authenticate via hmac, would expect that the password is never -sent to the tpm. However, since the hmac calculation relies on -password, and is performed by the tpm, the password ends up -being sent in plain text to the tpm. - -The fix is to use openssl to generate the hmac on the host. - -Fixes: CVE-2017-7524 - -Signed-off-by: William Roberts ---- - Makefile.am | 4 +-- - configure.ac | 3 ++- - lib/tpm_kdfa.c | 76 +++++++++++++++++++++++++++++++++++++++++++++++-------- - lib/tpm_kdfa.h | 2 +- - lib/tpm_session.c | 2 +- - 5 files changed, 72 insertions(+), 15 deletions(-) - -Index: tpm2.0-tools-2.0.0/Makefile.am -=================================================================== ---- tpm2.0-tools-2.0.0.orig/Makefile.am -+++ tpm2.0-tools-2.0.0/Makefile.am -@@ -35,10 +35,10 @@ ACLOCAL_AMFLAGS = -I m4 - INCLUDE_DIRS = -I$(srcdir)/src -I$(srcdir)/lib - LIB_COMMON := lib/libcommon.a - --AM_CFLAGS := $(INCLUDE_DIRS) $(TPM20_TSS_CFLAGS) $(EXTRA_CFLAGS) -+AM_CFLAGS := $(INCLUDE_DIRS) $(TPM20_TSS_CFLAGS) $(EXTRA_CFLAGS) $(CRYPTO_FLAGS) - AM_LDFLAGS := $(EXTRA_LDFLAGS) - --LDADD = $(LIB_COMMON) $(TPM20_TSS_LIBS) $(TCTI_SOCK_LIBS) $(TCTI_DEV_LIBS) -+LDADD = $(LIB_COMMON) $(TPM20_TSS_LIBS) $(TCTI_SOCK_LIBS) $(TCTI_DEV_LIBS) $(CRYPTO_LIBS) - - sbin_PROGRAMS = \ - tools/tpm2_create \ -Index: tpm2.0-tools-2.0.0/configure.ac -=================================================================== ---- tpm2.0-tools-2.0.0.orig/configure.ac -+++ tpm2.0-tools-2.0.0/configure.ac -@@ -49,7 +49,8 @@ AS_IF( - [AC_MSG_ERROR( - [no TCTIs: at least one TCTI library must 
be enabled], - [1])]) --PKG_CHECK_MODULES([CURL],[libcurl libcrypto]) -+PKG_CHECK_MODULES([CRYPTO],[libcrypto]) -+PKG_CHECK_MODULES([CURL],[libcurl]) - AC_ARG_ENABLE([unit], - [AS_HELP_STRING([--enable-unit], - [build cmocka unit tests (default is no)])], -Index: tpm2.0-tools-2.0.0/lib/tpm_kdfa.c -=================================================================== ---- tpm2.0-tools-2.0.0.orig/lib/tpm_kdfa.c -+++ tpm2.0-tools-2.0.0/lib/tpm_kdfa.c -@@ -27,20 +27,40 @@ - - #include - -+ #include -+#include -+ - #include "string-bytes.h" - #include "tpm_hmac.h" -+#include "log.h" -+ -+static const EVP_MD *tpm_algorithm_to_openssl_digest(TPMI_ALG_HASH algorithm) { - --TPM_RC tpm_kdfa(TSS2_SYS_CONTEXT *sapi_context, TPMI_ALG_HASH hashAlg, -+ switch(algorithm) { -+ case TPM_ALG_SHA1: -+ return EVP_sha1(); -+ case ALG_SHA256_VALUE: -+ return EVP_sha256(); -+ case TPM_ALG_SHA384: -+ return EVP_sha384(); -+ case TPM_ALG_SHA512: -+ return EVP_sha512(); -+ default: -+ return NULL; -+ } -+ /* no return, not possible */ -+} -+ -+TPM_RC tpm_kdfa(TPMI_ALG_HASH hashAlg, - TPM2B *key, char *label, TPM2B *contextU, TPM2B *contextV, UINT16 bits, - TPM2B_MAX_BUFFER *resultKey ) - { -- TPM2B_DIGEST tmpResult; - TPM2B_DIGEST tpm2bLabel, tpm2bBits, tpm2b_i_2; - UINT8 *tpm2bBitsPtr = &tpm2bBits.t.buffer[0]; - UINT8 *tpm2b_i_2Ptr = &tpm2b_i_2.t.buffer[0]; - TPM2B_DIGEST *bufferList[8]; - UINT32 bitsSwizzled, i_Swizzled; -- TPM_RC rval; -+ TPM_RC rval = TPM_RC_SUCCESS; - int i, j; - UINT16 bytes = bits / 8; - -@@ -64,8 +84,24 @@ TPM_RC tpm_kdfa(TSS2_SYS_CONTEXT *sapi_c - - i = 1; - -+ const EVP_MD *md = tpm_algorithm_to_openssl_digest(hashAlg); -+ if (!md) { -+ LOG_ERR("Algorithm not supported for hmac: %x", hashAlg); -+ return TPM_RC_HASH; -+ } -+ -+ HMAC_CTX ctx; -+ HMAC_CTX_init(&ctx); -+ int rc = HMAC_Init_ex(&ctx, key->buffer, key->size, md, NULL); -+ if (!rc) { -+ LOG_ERR("HMAC Init failed: %s", ERR_error_string(rc, NULL)); -+ return TPM_RC_MEMORY; -+ } -+ -+ // TODO Why is this a 
loop? It appears to only execute once. - while( resultKey->t.size < bytes ) - { -+ TPM2B_DIGEST tmpResult; - // Inner loop - - i_Swizzled = string_bytes_endian_convert_32( i ); -@@ -77,21 +113,41 @@ TPM_RC tpm_kdfa(TSS2_SYS_CONTEXT *sapi_c - bufferList[j++] = (TPM2B_DIGEST *)contextU; - bufferList[j++] = (TPM2B_DIGEST *)contextV; - bufferList[j++] = (TPM2B_DIGEST *)&(tpm2bBits.b); -- bufferList[j++] = (TPM2B_DIGEST *)0; -- rval = tpm_hmac(sapi_context, hashAlg, key, (TPM2B **)&( bufferList[0] ), &tmpResult ); -- if( rval != TPM_RC_SUCCESS ) -- { -- return( rval ); -+ bufferList[j] = (TPM2B_DIGEST *)0; -+ -+ int c; -+ for(c=0; c < j; c++) { -+ TPM2B_DIGEST *digest = bufferList[c]; -+ int rc = HMAC_Update(&ctx, digest->b.buffer, digest->b.size); -+ if (!rc) { -+ LOG_ERR("HMAC Update failed: %s", ERR_error_string(rc, NULL)); -+ rval = TPM_RC_MEMORY; -+ goto err; -+ } - } - -+ unsigned size = sizeof(tmpResult.t.buffer); -+ int rc = HMAC_Final(&ctx, tmpResult.t.buffer, &size); -+ if (!rc) { -+ LOG_ERR("HMAC Final failed: %s", ERR_error_string(rc, NULL)); -+ rval = TPM_RC_MEMORY; -+ goto err; -+ } -+ -+ tmpResult.t.size = size; -+ - bool res = string_bytes_concat_buffer(resultKey, &(tmpResult.b)); - if (!res) { -- return TSS2_SYS_RC_BAD_VALUE; -+ rval = TSS2_SYS_RC_BAD_VALUE; -+ goto err; - } - } - - // Truncate the result to the desired size. 
- resultKey->t.size = bytes; - -- return TPM_RC_SUCCESS; -+err: -+ HMAC_CTX_cleanup(&ctx); -+ -+ return rval; - } -Index: tpm2.0-tools-2.0.0/lib/tpm_kdfa.h -=================================================================== ---- tpm2.0-tools-2.0.0.orig/lib/tpm_kdfa.h -+++ tpm2.0-tools-2.0.0/lib/tpm_kdfa.h -@@ -42,7 +42,7 @@ - * @param resultKey - * @return - */ --TPM_RC tpm_kdfa(TSS2_SYS_CONTEXT *sapi_context, TPMI_ALG_HASH hashAlg, -+TPM_RC tpm_kdfa(TPMI_ALG_HASH hashAlg, - TPM2B *key, char *label, TPM2B *contextU, TPM2B *contextV, - UINT16 bits, TPM2B_MAX_BUFFER *resultKey ); - -Index: tpm2.0-tools-2.0.0/lib/tpm_session.c -=================================================================== ---- tpm2.0-tools-2.0.0.orig/lib/tpm_session.c -+++ tpm2.0-tools-2.0.0/lib/tpm_session.c -@@ -198,7 +198,7 @@ static TPM_RC StartAuthSession(TSS2_SYS_ - } - else - { -- rval = tpm_kdfa(sapi_context, session->authHash, &(key.b), label, &( session->nonceNewer.b ), -+ rval = tpm_kdfa(session->authHash, &(key.b), label, &( session->nonceNewer.b ), - &( session->nonceOlder.b ), bytes * 8, (TPM2B_MAX_BUFFER *)&( session->sessionKey ) ); - } - diff --git a/2.0.0.zip b/2.0.0.zip deleted file mode 100644 index a1d4027..0000000 --- a/2.0.0.zip +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:677458f94a1d29662cb2d02401c086d381c3642c1288374b802975e6581c9231 -size 318022 diff --git a/2.1.0.zip b/2.1.0.zip new file mode 100644 index 0000000..6e2ed09 --- /dev/null +++ b/2.1.0.zip @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d570da952af40584caf7bedd8adb3d7f2ed2deb273eba65cfe953ca67ec905f4 +size 321817 diff --git a/tpm2.0-tools-fix-gcc7.patch b/tpm2.0-tools-fix-gcc7.patch index 8eb684e..44d7667 100644 --- a/tpm2.0-tools-fix-gcc7.patch +++ b/tpm2.0-tools-fix-gcc7.patch 
@@ -1,7 +1,7 @@ -Index: tpm2.0-tools-2.0.0/tools/main.c +Index: tpm2-tools-2.1.0/tools/main.c =================================================================== ---- tpm2.0-tools-2.0.0.orig/tools/main.c -+++ tpm2.0-tools-2.0.0/tools/main.c +--- tpm2-tools-2.1.0.orig/tools/main.c ++++ tpm2-tools-2.1.0/tools/main.c @@ -61,7 +61,7 @@ main (int argc, execute_man (argv[0], envp); fprintf (stderr, @@ -11,10 +11,10 @@ Index: tpm2.0-tools-2.0.0/tools/main.c case 2: exit (1); } -Index: tpm2.0-tools-2.0.0/tools/tpm2_dump_capability.c +Index: tpm2-tools-2.1.0/tools/tpm2_dump_capability.c =================================================================== ---- tpm2.0-tools-2.0.0.orig/tools/tpm2_dump_capability.c -+++ tpm2.0-tools-2.0.0/tools/tpm2_dump_capability.c +--- tpm2-tools-2.1.0.orig/tools/tpm2_dump_capability.c ++++ tpm2-tools-2.1.0/tools/tpm2_dump_capability.c @@ -595,7 +595,7 @@ dump_tpm_capability (TPMU_CAPABILITIES case TPM_CAP_COMMANDS: dump_command_attr_array (capabilities->command.commandAttributes, diff --git a/tpm2.0-tools-fix-hardening.patch b/tpm2.0-tools-fix-hardening.patch index c140801..6ee2b1c 100644 --- a/tpm2.0-tools-fix-hardening.patch +++ b/tpm2.0-tools-fix-hardening.patch @@ -1,6 +1,8 @@ ---- tpm2.0-tools-2.0.0/configure.ac.fix 2017-06-02 09:15:49.118425187 +0200 -+++ tpm2.0-tools-2.0.0/configure.ac 2017-06-02 09:15:59.698416673 +0200 -@@ -100,11 +100,9 @@ +Index: tpm2-tools-2.1.0/configure.ac +=================================================================== +--- tpm2-tools-2.1.0.orig/configure.ac ++++ tpm2-tools-2.1.0/configure.ac +@@ -121,11 +121,9 @@ AS_IF([test x"$hardening" != x"no"], [ add_hardened_c_flag([-Wformat]) add_hardened_c_flag([-Wformat-security]) diff --git a/tpm2.0-tools.changes b/tpm2.0-tools.changes index 646681f..89d716e 100644 --- a/tpm2.0-tools.changes +++ b/tpm2.0-tools.changes 
@@ -1,3 +1,19 @@ +------------------------------------------------------------------- +Mon Aug 21 14:32:13 UTC 2017 - matthias.gerstner@suse.com + +- update to version 2.1.0: + - dropped 0002-kdfa-use-openssl-for-hmac-not-tpm.patch, was backported + upstream in commit 788a17abbe0000c560935ef9f31c9a6892d9ea33 + - this version now can interact with the new resource manager tpm2.0-abrmd + - Upstream changes: + * Fix readx and writex on multiple EINTR returns. + * Add support for the tabrmd TCTI. This is the new default. + * Change default socket port from 2323 (the old resourcemgr) to 2321 + (default simulator port). + * Cherry-pick fix for CVE-2017-7524. + * Fix tpm2_listpcr command line option handling. + * Fix tpm2_getmanufec memory issues. + ------------------------------------------------------------------- Thu Jul 20 13:50:28 UTC 2017 - matthias.gerstner@suse.com diff --git a/tpm2.0-tools.spec b/tpm2.0-tools.spec index 4ba41a4..a2ba479 100644 --- a/tpm2.0-tools.spec +++ b/tpm2.0-tools.spec @@ -17,7 +17,7 @@ Name: tpm2.0-tools -Version: 2.0.0 +Version: 2.1.0 Release: 0 Summary: Trusted Platform Module (TPM) 2.0 administration tools License: BSD-3-Clause @@ -29,7 +29,6 @@ Patch1: tpm2.0-tools-fix-gcc7.patch # this fixes an error with an unexpectedly large number of PCRS (bnc#1044419) # there's no release containing this fix yet Patch2: 0001-tpm2_listpcrs-use-TPM2_GetCapability-to-determine-PC.patch -Patch3: 0002-kdfa-use-openssl-for-hmac-not-tpm.patch BuildRequires: autoconf-archive BuildRequires: automake BuildRequires: gcc-c++ @@ -38,6 +37,7 @@ BuildRequires: libopenssl-devel BuildRequires: libtool BuildRequires: pkgconfig BuildRequires: tpm2-0-tss-devel +BuildRequires: tpm2.0-abrmd-devel BuildRequires: unzip Recommends: tpm2.0-abrmd BuildRoot: %{_tmppath}/%{name}-%{version}-build 
@@ -50,11 +50,10 @@ provides tools for enablement and configuration of the TPM 2.0 and associated interfaces. %prep -%setup -q +%setup -q -n tpm2-tools-2.1.0 %patch0 -p1 %patch1 -p1 %patch2 -p1 -%patch3 -p1 %build bash ./bootstrap
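Review bot: `%setup -q -n tpm2-tools-2.1.0` hard-codes the release number that the `Version:` tag already carries, so the next version bump has to be made in two places; `%setup -q -n tpm2-tools-%{version}` keeps them in step. This hunk also stops applying `%patch3`, the downstream fix for CVE-2017-7524. The changelog says 2.1.0 contains the upstream cherry-pick, but nothing in the spec checks that. It is worth confirming that `lib/tpm_kdfa.c` in the unpacked 2.1.0 archive computes the HMAC on the host before this is released.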