!52 移除tpm2-tools中SM2签名验签计算之前进行的Z值计算的过程

From: @bian-xiuning 
Reviewed-by: @zhujianwei001 
Signed-off-by: @zhujianwei001

backport-CVE-2024-29038.patch

@@ -0,0 +1,37 @@
+From 66d922d6547b7b4fe4f274fb2ec10b376e0e259 Mon Sep 17 00:00:00 2001
+From: Juergen Repp <juergen_repp@web.de>
+Date: Thu, 2 May 2024 09:00:17 +0800
+Subject: [PATCH] tpm2_checkquote: Fix check of magic number.
+It was not checked whether the magic number in the
+attest is equal to TPM2_GENERATED_VALUE.
+So an malicious attacker could generate arbitrary quote data
+which was not detected by tpm2 checkquote.
+
+Fixes: CVE-2024-29038
+
+Signed-off-by: Juergen Repp <juergen_repp@web.de>
+---
+ tools/misc/tpm2_checkquote.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/tools/misc/tpm2_checkquote.c b/tools/misc/tpm2_checkquote.c
+index fe8ef11..b3947e7 100644
+--- a/tools/misc/tpm2_checkquote.c
++++ b/tools/misc/tpm2_checkquote.c
+@@ -128,6 +128,13 @@ static bool verify(void) {
+         goto err;
+     }
+ 
++    // check magic
++    if (ctx.attest.magic != TPM2_GENERATED_VALUE) {
++        LOG_ERR("Bad magic, got: 0x%x, expected: 0x%x",
++                ctx.attest.magic, TPM2_GENERATED_VALUE);
++        return false;
++    }
++
+     // Also ensure digest from quote matches PCR digest
+     if (ctx.flags.pcr) {
+         if (!tpm2_util_verify_digests(&ctx.attest.attested.quote.pcrDigest,
+-- 
+2.23.0
+

backport-CVE-2024-29039.patch

@@ -0,0 +1,85 @@
+From 98599df9392a346216c5a059b8d35271286100bb Mon Sep 17 00:00:00 2001
+From: Juergen Repp <juergen_repp@web.de>
+Date: Thu, 2 May 2024 09:10:01 +0800
+Subject: [PATCH] tpm2_checkquote: Add comparison of pcr selection.
+The pcr selection which is passed with the --pcr parameter it not
+compared with the attest. So it's possible to fake a valid
+attestation.
+
+Fixes: CVE-2024-29039
+
+Signed-off-by: Juergen Repp <juergen_repp@web.de>
+Signed-off-by: Andreas Fuchs <andreas.fuchs@infineon.com>
+---
+ tools/misc/tpm2_checkquote.c | 41 +++++++++++++++++++++++++++++++++++-
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/tools/misc/tpm2_checkquote.c b/tools/misc/tpm2_checkquote.c
+index b3947e7..81de000 100644
+--- a/tools/misc/tpm2_checkquote.c
++++ b/tools/misc/tpm2_checkquote.c
+@@ -54,6 +54,37 @@ static tpm2_verifysig_ctx ctx = {
+         .pcr_hash = TPM2B_TYPE_INIT(TPM2B_DIGEST, buffer),
+ };
+ 
++static bool compare_pcr_selection(TPML_PCR_SELECTION *attest_sel, TPML_PCR_SELECTION *pcr_sel) {
++    if (attest_sel->count != pcr_sel->count) {
++        LOG_ERR("Selection sizes do not match.");
++        return false;
++    }
++    for (uint32_t i = 0; i < attest_sel->count; i++) {
++        for (uint32_t j = 0; j < pcr_sel->count; j++) {
++            if (attest_sel->pcrSelections[i].hash ==
++                pcr_sel->pcrSelections[j].hash) {
++                if (attest_sel->pcrSelections[i].sizeofSelect !=
++                        pcr_sel->pcrSelections[j].sizeofSelect) {
++                    LOG_ERR("Bitmask size does not match");
++                    return false;
++                }
++                if (memcmp(&attest_sel->pcrSelections[i].pcrSelect[0],
++                           &pcr_sel->pcrSelections[j].pcrSelect[0],
++                           attest_sel->pcrSelections[i].sizeofSelect) != 0) {
++                    LOG_ERR("Selection bitmasks do not match");
++                    return false;
++                }
++                break;
++            }
++            if (j == pcr_sel->count - 1) {
++                LOG_ERR("Hash selections to not match.");
++                return false;
++            }
++        }
++    }
++    return true;
++}
++
+ static bool verify(void) {
+ 
+     bool result = false;
+@@ -394,7 +425,7 @@ static tool_rc init(void) {
+     }
+ 
+     TPM2B_ATTEST *msg = NULL;
+-    TPML_PCR_SELECTION pcr_select;
++    TPML_PCR_SELECTION pcr_select = { 0 };
+     tpm2_pcrs *pcrs;
+     tpm2_pcrs temp_pcrs = {};
+     tool_rc return_value = tool_rc_general_error;
+@@ -557,6 +588,14 @@ static tool_rc init(void) {
+         goto err;
+     }
+ 
++    if (ctx.flags.pcr) {
++        if (!compare_pcr_selection(&ctx.attest.attested.quote.pcrSelect,
++                                   &pcr_select)) {
++            LOG_ERR("PCR selection does not match PCR slection from attest!");
++            goto err;
++        }
++    }
++
+     // Figure out the digest for this message
+     res = tpm2_openssl_hash_compute_data(ctx.halg, msg->attestationData,
+             msg->size, &ctx.msg_hash);
+-- 
+2.23.0
+

backport-Don-t-assume-end-of-argv-is-NULL.patch

@@ -1,43 +0,0 @@
-From fb1e0d98eca5279bf33304deedd9019b0130393a Mon Sep 17 00:00:00 2001
-From: Erik Larsson <who+github@cnackers.org>
-Date: Sat, 21 Nov 2020 10:59:13 +0100
-Subject: [PATCH] Don't assume end of argv is NULL
-
-On a musl based system argv[optind] && strcmp(...) where optind > argc might read random memory and segfault.
-
-Signed-off-by: Erik Larsson <who+github@cnackers.org>
----
- lib/tpm2_options.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/lib/tpm2_options.c b/lib/tpm2_options.c
-index e9aaa0364..9fa583c60 100644
---- a/lib/tpm2_options.c
-+++ b/lib/tpm2_options.c
-@@ -300,7 +300,7 @@ tpm2_option_code tpm2_handle_options(int argc, char **argv,
-             if (argv[optind - 1]) {
-                 if (!strcmp(argv[optind - 1], "--help=no-man") ||
-                     !strcmp(argv[optind - 1], "-h=no-man") ||
--                    (argv[optind] && !strcmp(argv[optind], "no-man"))) {
-+                    (argc < optind && !strcmp(argv[optind], "no-man"))) {
-                     manpager = false;
-                     optind++;
-                 /*
-@@ -309,7 +309,7 @@ tpm2_option_code tpm2_handle_options(int argc, char **argv,
-                  */
-                 } else if (!strcmp(argv[optind - 1], "--help=man") ||
-                            !strcmp(argv[optind - 1], "-h=man") ||
--                           (argv[optind] && !strcmp(argv[optind], "man"))) {
-+                           (argc < optind && !strcmp(argv[optind], "man"))) {
-                     manpager = true;
-                     explicit_manpager = true;
-                     optind++;
-@@ -318,7 +318,7 @@ tpm2_option_code tpm2_handle_options(int argc, char **argv,
-                      * argv[0] = "tool name"
-                      * argv[1] = "--help" argv[2] = 0
-                      */
--                    if (!argv[optind] && argc == 2) {
-+                    if (optind >= argc && argc == 2) {
-                         manpager = false;
-                     } else {
-                         /*

revert-sm2-sign-and-verifysignature.patch

@@ -0,0 +1,406 @@
+From 7acc98aec8925b938212bdd0aabc1b6d176c24c1 Mon Sep 17 00:00:00 2001
+From: mayuanchen <94815698+mayuanchenma@users.noreply.github.com>
+Date: Thu, 5 Jan 2023 21:46:55 +0800
+Subject: [PATCH] revert: sm2 sign and verifysignature.
+
+Although tpm2 tools sm2 sign and verifysignature conform to sm2 standard,
+sm2 only sign and verifysignature the digest in the tpm2. so keep pace
+with tpm2 and remove the code.
+
+Signed-off-by: mayuanchen <94815698+mayuanchenma@users.noreply.github.com>
+---
+ lib/tpm2_alg_util.c          |  93 -------------------------
+ lib/tpm2_alg_util.h          |  27 --------
+ lib/tpm2_hash.c              | 127 -----------------------------------
+ lib/tpm2_hash.h              |  49 --------------
+ tools/tpm2_sign.c            |  16 +----
+ tools/tpm2_verifysignature.c |  16 +----
+ 6 files changed, 4 insertions(+), 324 deletions(-)
+
+diff --git a/lib/tpm2_alg_util.c b/lib/tpm2_alg_util.c
+index 9b7f3d73..65739fc7 100644
+--- a/lib/tpm2_alg_util.c
++++ b/lib/tpm2_alg_util.c
+@@ -1145,96 +1145,3 @@ TPM2_ALG_ID tpm2_alg_util_get_name_alg(ESYS_CONTEXT *ectx, ESYS_TR handle) {
+     Esys_Free(name);
+     return name_alg;
+ }
+-
+-tool_rc tpm2_alg_util_sm2_compute_id_digest(ESYS_CONTEXT *ectx, ESYS_TR handle, const char *id, size_t idlen, TPM2B_DIGEST *result) {
+-
+-    TPMS_ALGORITHM_DETAIL_ECC *parameters = NULL;
+-    TPM2B_PUBLIC *public = NULL;
+-    TPM2B *id_input = NULL;
+-    TPM2B_DIGEST *tmp_digest = NULL;
+-
+-    if (!id || !result) {
+-        return tool_rc_general_error;
+-    }
+-
+-    /* 2-byte id length in bits */
+-    if (strlen(id) != idlen) {
+-        LOG_ERR("invalid sm2 id!");
+-        return tool_rc_general_error;
+-    }
+-
+-    if (idlen > SM2_MAX_ID_LENGTH || idlen <= 0) {
+-        LOG_ERR("invalid id length!");
+-        return tool_rc_general_error;
+-    }
+-
+-    tool_rc rc = tpm2_geteccparameters(ectx, TPM2_ECC_SM2_P256, &parameters,
+-        NULL, TPM2_ALG_NULL);
+-    if (rc != tool_rc_success) {
+-        LOG_ERR("Could not get ecc parameters!");
+-        goto out;
+-    }
+-
+-    rc = tpm2_readpublic(ectx, handle, &public, NULL, NULL);
+-    if (rc != tool_rc_success) {
+-        LOG_ERR("Could not read public!");
+-        goto out;
+-    }
+-
+-    UINT16 key_nbytes = parameters->keySize/8;
+-    if (public->publicArea.type != TPM2_ALG_ECC ||
+-            public->publicArea.parameters.eccDetail.curveID != TPM2_ECC_SM2_P256 ||
+-            public->publicArea.unique.ecc.x.size != key_nbytes ||
+-            public->publicArea.unique.ecc.y.size != key_nbytes) {
+-        LOG_ERR("invalid sm2 public key!");
+-        rc = tool_rc_general_error;
+-        goto out;
+-    }
+-
+-    BYTE idbits[2];
+-    idbits[0] = ((idlen * 8) >> 8) % 256;
+-    idbits[1] = (idlen * 8) % 256;
+-
+-    UINT16 total_size = sizeof(idbits) + idlen + 6 * key_nbytes;
+-
+-    id_input = (TPM2B *) calloc(1, sizeof(TPM2B) + total_size);
+-    if (id_input == NULL) {
+-        LOG_ERR("Could not calloc memory!");
+-        rc = tool_rc_general_error;
+-        goto out;
+-    }
+-
+-    id_input->size = total_size;
+-
+-    UINT16 pos = 0;
+-    memcpy(id_input->buffer + pos, idbits, sizeof(idbits));
+-    pos += sizeof(idbits);
+-    memcpy(id_input->buffer + pos, id, idlen);
+-    pos += idlen;
+-    memcpy(id_input->buffer + pos, parameters->a.buffer, key_nbytes);
+-    pos += key_nbytes;
+-    memcpy(id_input->buffer + pos, parameters->b.buffer, key_nbytes);
+-    pos += key_nbytes;
+-    memcpy(id_input->buffer + pos, parameters->gX.buffer, key_nbytes);
+-    pos += key_nbytes;
+-    memcpy(id_input->buffer + pos, parameters->gY.buffer, key_nbytes);
+-    pos += key_nbytes;
+-    memcpy(id_input->buffer + pos, public->publicArea.unique.ecc.x.buffer, key_nbytes);
+-    pos += key_nbytes;
+-    memcpy(id_input->buffer + pos, public->publicArea.unique.ecc.y.buffer, key_nbytes);
+-
+-    rc = tpm2_hash_compute_data(ectx, TPM2_ALG_SM3_256, TPM2_RH_OWNER,
+-                        id_input->buffer, id_input->size, &tmp_digest, NULL);
+-    if (rc != tool_rc_success) {
+-        goto out;
+-    }
+-
+-    *result = *tmp_digest;
+-
+-out:
+-    free(id_input);
+-    Esys_Free(public);
+-    Esys_Free(tmp_digest);
+-    Esys_Free(parameters);
+-    return rc;
+-}
+diff --git a/lib/tpm2_alg_util.h b/lib/tpm2_alg_util.h
+index 83cecb17..ae5e3fbb 100644
+--- a/lib/tpm2_alg_util.h
++++ b/lib/tpm2_alg_util.h
+@@ -239,31 +239,4 @@ bool tpm2_alg_util_is_sm4_size_valid(UINT16 size_in_bytes);
+  */
+ TPM2_ALG_ID tpm2_alg_util_get_name_alg(ESYS_CONTEXT *ectx, ESYS_TR handle);
+ 
+-#define SM2_MAX_ID_BITS             65535
+-#define SM2_MAX_ID_LENGTH           (SM2_MAX_ID_BITS/8)
+-#define SM2_DEFAULT_ID_GMT09            "1234567812345678"
+-#define SM2_DEFAULT_ID              SM2_DEFAULT_ID_GMT09
+-#define SM2_DEFAULT_ID_LENGTH           (sizeof(SM2_DEFAULT_ID) - 1)
+-
+-/**
+- * Given an ESYS_TR handle to an object, retrieves ecc sm2 parameters
+- * with making a geteccparameters call, retrieves the public key with
+- * making a readpublic call, and compute id digest.
+- *
+- * @param ectx
+- *  The ESAPI context.
+- * @param handle
+- *  The handle of the object to query.
+- * @param id
+- *  sm2 id.
+- * @param idlen
+- *  sm2 id length.
+- * @param result
+- *  sm2 id digest output.
+- * @return
+- *  tool_rc indicating status.
+- */
+-tool_rc tpm2_alg_util_sm2_compute_id_digest(ESYS_CONTEXT *ectx, ESYS_TR handle,
+-        const char *id, size_t idlen, TPM2B_DIGEST *result);
+-
+ #endif /* LIB_TPM2_ALG_UTIL_H_ */
+diff --git a/lib/tpm2_hash.c b/lib/tpm2_hash.c
+index c0ad2bc5..a3c0dd7d 100644
+--- a/lib/tpm2_hash.c
++++ b/lib/tpm2_hash.c
+@@ -134,130 +134,3 @@ tool_rc tpm2_hash_file(ESYS_CONTEXT *ectx, TPMI_ALG_HASH halg,
+     return tpm2_hash_common(ectx, halg, hierarchy, input, NULL, 0, result,
+         validation);
+ }
+-
+-static tool_rc tpm2_sm2_compute_msg_digest(ESYS_CONTEXT *ectx,
+-    TPMI_ALG_HASH halg, TPMI_RH_HIERARCHY hierarchy, FILE *infilep,
+-    BYTE *inbuffer, UINT16 inbuffer_len, TPM2B_DIGEST *z_digest,
+-    TPM2B_DIGEST **result, TPMT_TK_HASHCHECK **validation) {
+-
+-    /*  if we're using infilep, get file size */
+-    bool use_left = true;
+-    unsigned long left = inbuffer_len;
+-    if (!!infilep) {
+-        /* Suppress error reporting with NULL path */
+-        use_left = files_get_file_size(infilep, &left, NULL);
+-    }
+-
+-    TPM2B_MAX_BUFFER buffer = {0};
+-    if (z_digest->size <= BUFFER_SIZE(typeof(*z_digest), buffer)) {
+-        buffer.size = z_digest->size;
+-        memcpy(buffer.buffer, z_digest->buffer, z_digest->size);
+-    } else {
+-        return tool_rc_general_error;
+-    }
+-
+-    /*
+-     * length is either unknown because the FILE * is a fifo, or it's too
+-     * big to do in a single hash call. Based on the size figure out the
+-     * chunks to loop over, if possible. This way we can call Complete with
+-     * data.
+-     */
+-    TPMI_DH_OBJECT sequence_handle;
+-    TPM2B_AUTH null_auth = TPM2B_EMPTY_INIT;
+-    tool_rc rc = tpm2_hash_sequence_start(ectx, &null_auth, halg, &sequence_handle);
+-    if (rc != tool_rc_success) {
+-        return rc;
+-    }
+-
+-    rc = tpm2_sequence_update(ectx, sequence_handle, &buffer);
+-    if (rc != tool_rc_success) {
+-        return rc;
+-    }
+-    /* If we know the file size, we decrement the amount read and terminate
+-     * the loop when 1 block is left, else we go till feof.
+-     */
+-    bool done = false;
+-    if (use_left && left <= TPM2_MAX_DIGEST_BUFFER) {
+-        done = true;
+-    } else {
+-        done = false;
+-    }
+-
+-    size_t bytes_read;
+-    while (!done) {
+-        /*  if we're using infilep, read the file. Otherwise, directly
+-         copy into our local buffer. */
+-        buffer.size = BUFFER_SIZE(typeof(buffer), buffer);
+-        if (!!infilep) {
+-            bytes_read = fread(buffer.buffer, 1, buffer.size, infilep);
+-            if (ferror(infilep)) {
+-                LOG_ERR("Error reading from input file");
+-                return tool_rc_general_error;
+-            } else {
+-                buffer.size = bytes_read;
+-            }
+-        } else {
+-            memcpy(buffer.buffer, inbuffer, buffer.size);
+-            inbuffer = inbuffer + buffer.size;
+-        }
+-
+-        rc = tpm2_sequence_update(ectx, sequence_handle, &buffer);
+-        if (rc != tool_rc_success) {
+-            return rc;
+-        }
+-
+-        if (use_left) {
+-            left -= buffer.size;
+-            if (left <= TPM2_MAX_DIGEST_BUFFER) {
+-                done = true;
+-                continue;
+-            }
+-        } else if (!!infilep && feof(infilep)) {
+-            done = true;
+-        }
+-    } /* end file read/hash update loop */
+-
+-    /*  if there is data left, get the last bit of data from the file or
+-     buffer or set the size to zero */
+-    if (use_left) {
+-        buffer.size = left;
+-        if (!!infilep) {
+-            bool res = files_read_bytes(infilep, buffer.buffer, buffer.size);
+-            if (!res) {
+-                LOG_ERR("Error reading from input file.");
+-                return tool_rc_general_error;
+-            }
+-        } else {
+-            memcpy(buffer.buffer, inbuffer, buffer.size);
+-        }
+-    } else {
+-        buffer.size = 0;
+-    }
+-
+-    return tpm2_sequence_complete(ectx, sequence_handle,
+-            &buffer, hierarchy, result, validation);
+-}
+-
+-tool_rc tpm2_sm2_compute_msg_digest_data(ESYS_CONTEXT *ectx, TPMI_ALG_HASH halg,
+-        TPMI_RH_HIERARCHY hierarchy, BYTE *buffer, UINT16 length,
+-        TPM2B_DIGEST *z, TPM2B_DIGEST **result, TPMT_TK_HASHCHECK **validation) {
+-
+-    if (!buffer || !z) {
+-        return tool_rc_general_error;
+-    }
+-
+-    return tpm2_sm2_compute_msg_digest(ectx, halg, hierarchy, NULL, buffer, length,
+-            z, result, validation);
+-}
+-
+-tool_rc tpm2_sm2_compute_msg_digest_file(ESYS_CONTEXT *ectx, TPMI_ALG_HASH halg,
+-        TPMI_RH_HIERARCHY hierarchy, FILE *input, TPM2B_DIGEST *z,
+-        TPM2B_DIGEST **result, TPMT_TK_HASHCHECK **validation) {
+-
+-    if (!input || !z) {
+-        return tool_rc_general_error;
+-    }
+-
+-    return tpm2_sm2_compute_msg_digest(ectx, halg, hierarchy, input, NULL, 0, z,
+-            result, validation);
+-}
+diff --git a/lib/tpm2_hash.h b/lib/tpm2_hash.h
+index ac4729ba..12e8e0bd 100644
+--- a/lib/tpm2_hash.h
++++ b/lib/tpm2_hash.h
+@@ -53,53 +53,4 @@ tool_rc tpm2_hash_file(ESYS_CONTEXT *ectx, TPMI_ALG_HASH halg,
+         TPMI_RH_HIERARCHY hierarchy, FILE *input, TPM2B_DIGEST **result,
+         TPMT_TK_HASHCHECK **validation);
+ 
+-/**
+- * Hashes a BYTE array via the tpm.
+- * @param context
+- *  The esapi context.
+- * @param hash_alg
+- *  The hashing algorithm to use.
+- * @param hierarchy
+- *  The hierarchy.
+- * @param buffer
+- *  The data to hash.
+- * @param length
+- *  The length of the data.
+- * @param input
+- *  The sm2 id digest.
+- * @param result
+- *  The digest result.
+- * @param validation
+- *  The validation ticket. Note that some hierarchies don't produce a
+- *  validation ticket and thus size will be 0.
+- * @return
+- *  A tool_rc indicating status.
+- */
+-tool_rc tpm2_sm2_compute_msg_digest_data(ESYS_CONTEXT *ectx, TPMI_ALG_HASH halg,
+-        TPMI_RH_HIERARCHY hierarchy, BYTE *buffer, UINT16 length,
+-        TPM2B_DIGEST *z, TPM2B_DIGEST **result, TPMT_TK_HASHCHECK **validation);
+-
+-/**
+- * Hashes a FILE * object via the tpm.
+- * @param context
+- *  The esapi context.
+- * @param hash_alg
+- *  The hashing algorithm to use.
+- * @param hierarchy
+- *  The hierarchy.
+- * @param input
+- *  The FILE object to hash.
+- * @param input
+- *  The sm2 id digest.
+- * @param result
+- *  The digest result.
+- * @param validation
+- *  The validation ticket. Note that some hierarchies don't produce a
+- *  validation ticket and thus size will be 0.
+- * @return
+- *  A tool_rc indicating status.
+- */
+-tool_rc tpm2_sm2_compute_msg_digest_file(ESYS_CONTEXT *ectx, TPMI_ALG_HASH halg,
+-        TPMI_RH_HIERARCHY hierarchy, FILE *input, TPM2B_DIGEST *z,
+-        TPM2B_DIGEST **result, TPMT_TK_HASHCHECK **validation);
+ #endif /* SRC_TPM_HASH_H_ */
+diff --git a/tools/tpm2_sign.c b/tools/tpm2_sign.c
+index 7c7b3ce7..77d7c2a8 100644
+--- a/tools/tpm2_sign.c
++++ b/tools/tpm2_sign.c
+@@ -140,20 +140,8 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
+             return tool_rc_general_error;
+         }
+ 
+-        if (ctx.in_scheme.scheme == TPM2_ALG_SM2 && ctx.halg == TPM2_ALG_SM3_256) {
+-            TPM2B_DIGEST z_digest;
+-            rc = tpm2_alg_util_sm2_compute_id_digest(ectx, ctx.signing_key.object.tr_handle,
+-                    SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH, &z_digest);
+-            if (rc != tool_rc_success) {
+-                LOG_ERR("Sign could not compute id digest");
+-            } else {
+-                rc = tpm2_sm2_compute_msg_digest_file(ectx, ctx.halg, TPM2_RH_OWNER, input, &z_digest,
+-                        &ctx.digest, &temp_validation_ticket);
+-            }
+-        } else {
+-            rc = tpm2_hash_file(ectx, ctx.halg, TPM2_RH_OWNER, input, &ctx.digest,
+-                    &temp_validation_ticket);
+-        }
++        rc = tpm2_hash_file(ectx, ctx.halg, TPM2_RH_OWNER, input, &ctx.digest,
++                &temp_validation_ticket);
+         if (input != stdin) {
+             fclose(input);
+         }
+diff --git a/tools/tpm2_verifysignature.c b/tools/tpm2_verifysignature.c
+index a0f76077..240165d6 100644
+--- a/tools/tpm2_verifysignature.c
++++ b/tools/tpm2_verifysignature.c
+@@ -158,20 +158,8 @@ static tool_rc init(ESYS_CONTEXT *context) {
+             goto err;
+         }
+ 
+-        if (ctx.signature.sigAlg == TPM2_ALG_SM2 && ctx.halg == TPM2_ALG_SM3_256) {
+-            TPM2B_DIGEST z_digest;
+-            tmp_rc = tpm2_alg_util_sm2_compute_id_digest(context, ctx.key_context_object.tr_handle,
+-                    SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH, &z_digest);
+-            if (tmp_rc != tool_rc_success) {
+-                LOG_ERR("Verify could not compute id digest");
+-            } else {
+-                tmp_rc = tpm2_sm2_compute_msg_digest_data(context, ctx.halg, TPM2_RH_NULL,
+-                        msg->buffer, msg->size, &z_digest, &ctx.msg_hash, NULL);
+-            }
+-        } else {
+-            tmp_rc = tpm2_hash_compute_data(context, ctx.halg, TPM2_RH_NULL,
+-                    msg->buffer, msg->size, &ctx.msg_hash, NULL);
+-        }
++        tmp_rc = tpm2_hash_compute_data(context, ctx.halg, TPM2_RH_NULL,
++                msg->buffer, msg->size, &ctx.msg_hash, NULL);
+         if (tmp_rc != tool_rc_success) {
+             rc = tmp_rc;
+             LOG_ERR("Compute message hash failed!");
+-- 
+2.27.0
+

tpm2-tools.spec

@@ -1,12 +1,14 @@
 Name:          tpm2-tools
-Version:       5.0
-Release:       4
+Version:       5.5
+Release:       3
 Summary:       A TPM2.0 testing tool based on TPM2.0-TSS
 License:       BSD
 URL:           https://github.com/tpm2-software/tpm2-tools
 Source0:       https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/%{name}-%{version}.tar.gz
 
-Patch0:        backport-Don-t-assume-end-of-argv-is-NULL.patch
+Patch0:        backport-CVE-2024-29038.patch
+Patch1:        backport-CVE-2024-29039.patch
+Patch2:	       revert-sm2-sign-and-verifysignature.patch
 
 BuildRequires: gcc-c++ libtool autoconf-archive pkgconfig(cmocka) pkgconfig(libcurl) pkgconfig(openssl)
 BuildRequires: pkgconfig(tss2-mu) pkgconfig(tss2-sys) pkgconfig(tss2-esys) pkgconfig(uuid) libgcrypt
@@ -48,16 +50,31 @@ make check
 
 %files
 %defattr(-,root,root)
-%license doc/LICENSE
+%license docs/LICENSE
 %{_bindir}/*
 %{_datadir}/bash-completion/completions/tpm2*
 %{_datadir}/bash-completion/completions/tss2*
 
 %files help
-%doc README.md doc/CHANGELOG.md
+%doc docs/README.md docs/CHANGELOG.md
 %{_mandir}/*/*
 
 %changelog
+* Fri Jun 21 2024 bianxiuning <bianxiuning@kylinos.cn> - 5.5-3
+- revert sm2 sign and verifysignature
+
+* Thu May 02 2024 cenhuilin <cenhuilin@kylinos.cn> - 5.5-2
+- fix CVE-2024-29038 CVE-2024-29039
+
+* Tue Jul 18 2023 jinlun <jinlun@huawei.com> - 5.5-1
+- update to 5.5
+
+* Tue Dec 20 2022 wangyunjia <yunjia.wang@huawei.com> - 5.4-1
+- update to 5.4
+
+* Mon Sep 27 2021 fuanan <fuanan3@huawei.com> - 5.0-5
+- fix CVE-2021-3565
+
 * Fri Jul 30 2021 chenyanpanHW <chenyanpan@huawei.com> - 5.0-4
 - DESC: delete -Sgit from %autosetup, and delete BuildRequires git