packages/tpm2-tools
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2021-3565

Browse Source
This commit is contained in:
fuanan 2021-09-27 10:52:00 +08:00
parent f836af15ad
commit 9bab90c699
2 changed files with 51 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
backport-CVE-2021-3565.patch Normal file
View File

@ -0,0 +1,46 @@
From c069e4f179d5e6653a84fb236816c375dca82515 Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Fri, 21 May 2021 12:22:31 -0500
Subject: [PATCH] tpm2_import: fix fixed AES key CVE-2021-3565
tpm2_import used a fixed AES key for the inner wrapper, which means that
a MITM attack would be able to unwrap the imported key. Even the
use of an encrypted session will not prevent this. The TPM only
encrypts the first parameter which is the fixed symmetric key.
To fix this, ensure the key size is 16 bytes or bigger and use
OpenSSL to generate a secure random AES key.
Fixes: #2738
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
tools/tpm2_import.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/tools/tpm2_import.c b/tools/tpm2_import.c
index cfb6f20..f44326c 100644
--- a/tools/tpm2_import.c
+++ b/tools/tpm2_import.c
@@ -118,7 +118,17 @@ static tool_rc key_import(ESYS_CONTEXT *ectx, TPM2B_PUBLIC *parent_pub,
TPM2B_DATA enc_sensitive_key = {
.size = parent_pub->publicArea.parameters.rsaDetail.symmetric.keyBits.sym / 8
};
- memset(enc_sensitive_key.buffer, 0xFF, enc_sensitive_key.size);
+
+ if(enc_sensitive_key.size < 16) {
+ LOG_ERR("Calculated wrapping keysize is less than 16 bytes, got: %u", enc_sensitive_key.size);
+ return tool_rc_general_error;
+ }
+
+ int ossl_rc = RAND_bytes(enc_sensitive_key.buffer, enc_sensitive_key.size);
+ if (ossl_rc != 1) {
+ LOG_ERR("RAND_bytes failed: %s", ERR_error_string(ERR_get_error(), NULL));
+ return tool_rc_general_error;
+ }
/*
* Calculate the object name.
--
1.8.3.1

6
tpm2-tools.spec
View File

@ -1,12 +1,13 @@
Name: tpm2-tools Name: tpm2-tools
Version: 5.0 Version: 5.0
Release: 4 Release: 5
Summary: A TPM2.0 testing tool based on TPM2.0-TSS Summary: A TPM2.0 testing tool based on TPM2.0-TSS
License: BSD License: BSD
URL: https://github.com/tpm2-software/tpm2-tools URL: https://github.com/tpm2-software/tpm2-tools
Source0: https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/%{name}-%{version}.tar.gz Source0: https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/%{name}-%{version}.tar.gz
Patch0: backport-Don-t-assume-end-of-argv-is-NULL.patch Patch0: backport-Don-t-assume-end-of-argv-is-NULL.patch
Patch1: backport-CVE-2021-3565.patch
BuildRequires: gcc-c++ libtool autoconf-archive pkgconfig(cmocka) pkgconfig(libcurl) pkgconfig(openssl) BuildRequires: gcc-c++ libtool autoconf-archive pkgconfig(cmocka) pkgconfig(libcurl) pkgconfig(openssl)
BuildRequires: pkgconfig(tss2-mu) pkgconfig(tss2-sys) pkgconfig(tss2-esys) pkgconfig(uuid) libgcrypt BuildRequires: pkgconfig(tss2-mu) pkgconfig(tss2-sys) pkgconfig(tss2-esys) pkgconfig(uuid) libgcrypt
@ -58,6 +59,9 @@ make check
%{_mandir}/*/* %{_mandir}/*/*
%changelog %changelog
* Mon Sep 27 2021 fuanan <fuanan3@huawei.com> - 5.0-5
- fix CVE-2021-3565
* Fri Jul 30 2021 chenyanpanHW <chenyanpan@huawei.com> - 5.0-4 * Fri Jul 30 2021 chenyanpanHW <chenyanpan@huawei.com> - 5.0-4
- DESC: delete -Sgit from %autosetup, and delete BuildRequires git - DESC: delete -Sgit from %autosetup, and delete BuildRequires git