diff --git a/0001-revert-sm2-sign-and-verifysignature.patch b/0001-revert-sm2-sign-and-verifysignature.patch deleted file mode 100644 index b9d080dda8719cefafed6f73f2f84a307b15602b..0000000000000000000000000000000000000000 --- a/0001-revert-sm2-sign-and-verifysignature.patch +++ /dev/null @@ -1,409 +0,0 @@ -From fb1df19b95fe5987a17903b6ae11b02b2e3dd543 Mon Sep 17 00:00:00 2001 -From: mayuanchen <94815698+mayuanchenma@users.noreply.github.com> -Date: Thu, 5 Jan 2023 21:46:55 +0800 -Subject: [PATCH] revert: sm2 sign and verifysignature. - -commit 4b4e075858f36fd52334fd4656fe43ac9f4e5aef upstream. - -Although tpm2 tools sm2 sign and verifysignature conform to sm2 standard, -sm2 only sign and verifysignature the digest in the tpm2. so keep pace -with tpm2 and remove the code. - -Signed-off-by: mayuanchen <94815698+mayuanchenma@users.noreply.github.com> -Change-Id: I574327e7ca0bf7089fc67d14b4bf87db4b555a68 ---- - lib/tpm2_alg_util.c | 93 ------------------------- - lib/tpm2_alg_util.h | 27 -------- - lib/tpm2_hash.c | 127 ----------------------------------- - lib/tpm2_hash.h | 49 -------------- - tools/tpm2_sign.c | 16 +---- - tools/tpm2_verifysignature.c | 16 +---- - 6 files changed, 4 insertions(+), 324 deletions(-) - -diff --git a/lib/tpm2_alg_util.c b/lib/tpm2_alg_util.c -index 9b7f3d7..65739fc 100644 ---- a/lib/tpm2_alg_util.c -+++ b/lib/tpm2_alg_util.c -@@ -1145,96 +1145,3 @@ TPM2_ALG_ID tpm2_alg_util_get_name_alg(ESYS_CONTEXT *ectx, ESYS_TR handle) { - Esys_Free(name); - return name_alg; - } -- --tool_rc tpm2_alg_util_sm2_compute_id_digest(ESYS_CONTEXT *ectx, ESYS_TR handle, const char *id, size_t idlen, TPM2B_DIGEST *result) { -- -- TPMS_ALGORITHM_DETAIL_ECC *parameters = NULL; -- TPM2B_PUBLIC *public = NULL; -- TPM2B *id_input = NULL; -- TPM2B_DIGEST *tmp_digest = NULL; -- -- if (!id || !result) { -- return tool_rc_general_error; -- } -- -- /* 2-byte id length in bits */ -- if (strlen(id) != idlen) { -- LOG_ERR("invalid sm2 id!"); -- return tool_rc_general_error; -- } -- -- if (idlen > SM2_MAX_ID_LENGTH || idlen <= 0) { -- LOG_ERR("invalid id length!"); -- return tool_rc_general_error; -- } -- -- tool_rc rc = tpm2_geteccparameters(ectx, TPM2_ECC_SM2_P256, ¶meters, -- NULL, TPM2_ALG_NULL); -- if (rc != tool_rc_success) { -- LOG_ERR("Could not get ecc parameters!"); -- goto out; -- } -- -- rc = tpm2_readpublic(ectx, handle, &public, NULL, NULL); -- if (rc != tool_rc_success) { -- LOG_ERR("Could not read public!"); -- goto out; -- } -- -- UINT16 key_nbytes = parameters->keySize/8; -- if (public->publicArea.type != TPM2_ALG_ECC || -- public->publicArea.parameters.eccDetail.curveID != TPM2_ECC_SM2_P256 || -- public->publicArea.unique.ecc.x.size != key_nbytes || -- public->publicArea.unique.ecc.y.size != key_nbytes) { -- LOG_ERR("invalid sm2 public key!"); -- rc = tool_rc_general_error; -- goto out; -- } -- -- BYTE idbits[2]; -- idbits[0] = ((idlen * 8) >> 8) % 256; -- idbits[1] = (idlen * 8) % 256; -- -- UINT16 total_size = sizeof(idbits) + idlen + 6 * key_nbytes; -- -- id_input = (TPM2B *) calloc(1, sizeof(TPM2B) + total_size); -- if (id_input == NULL) { -- LOG_ERR("Could not calloc memory!"); -- rc = tool_rc_general_error; -- goto out; -- } -- -- id_input->size = total_size; -- -- UINT16 pos = 0; -- memcpy(id_input->buffer + pos, idbits, sizeof(idbits)); -- pos += sizeof(idbits); -- memcpy(id_input->buffer + pos, id, idlen); -- pos += idlen; -- memcpy(id_input->buffer + pos, parameters->a.buffer, key_nbytes); -- pos += key_nbytes; -- memcpy(id_input->buffer + pos, parameters->b.buffer, key_nbytes); -- pos += key_nbytes; -- memcpy(id_input->buffer + pos, parameters->gX.buffer, key_nbytes); -- pos += key_nbytes; -- memcpy(id_input->buffer + pos, parameters->gY.buffer, key_nbytes); -- pos += key_nbytes; -- memcpy(id_input->buffer + pos, public->publicArea.unique.ecc.x.buffer, key_nbytes); -- pos += key_nbytes; -- memcpy(id_input->buffer + pos, public->publicArea.unique.ecc.y.buffer, key_nbytes); -- -- rc = tpm2_hash_compute_data(ectx, TPM2_ALG_SM3_256, TPM2_RH_OWNER, -- id_input->buffer, id_input->size, &tmp_digest, NULL); -- if (rc != tool_rc_success) { -- goto out; -- } -- -- *result = *tmp_digest; -- --out: -- free(id_input); -- Esys_Free(public); -- Esys_Free(tmp_digest); -- Esys_Free(parameters); -- return rc; --} -diff --git a/lib/tpm2_alg_util.h b/lib/tpm2_alg_util.h -index 83cecb1..ae5e3fb 100644 ---- a/lib/tpm2_alg_util.h -+++ b/lib/tpm2_alg_util.h -@@ -239,31 +239,4 @@ bool tpm2_alg_util_is_sm4_size_valid(UINT16 size_in_bytes); - */ - TPM2_ALG_ID tpm2_alg_util_get_name_alg(ESYS_CONTEXT *ectx, ESYS_TR handle); - --#define SM2_MAX_ID_BITS 65535 --#define SM2_MAX_ID_LENGTH (SM2_MAX_ID_BITS/8) --#define SM2_DEFAULT_ID_GMT09 "1234567812345678" --#define SM2_DEFAULT_ID SM2_DEFAULT_ID_GMT09 --#define SM2_DEFAULT_ID_LENGTH (sizeof(SM2_DEFAULT_ID) - 1) -- --/** -- * Given an ESYS_TR handle to an object, retrieves ecc sm2 parameters -- * with making a geteccparameters call, retrieves the public key with -- * making a readpublic call, and compute id digest. -- * -- * @param ectx -- * The ESAPI context. -- * @param handle -- * The handle of the object to query. -- * @param id -- * sm2 id. -- * @param idlen -- * sm2 id length. -- * @param result -- * sm2 id digest output. -- * @return -- * tool_rc indicating status. -- */ --tool_rc tpm2_alg_util_sm2_compute_id_digest(ESYS_CONTEXT *ectx, ESYS_TR handle, -- const char *id, size_t idlen, TPM2B_DIGEST *result); -- - #endif /* LIB_TPM2_ALG_UTIL_H_ */ -diff --git a/lib/tpm2_hash.c b/lib/tpm2_hash.c -index c0ad2bc..a3c0dd7 100644 ---- a/lib/tpm2_hash.c -+++ b/lib/tpm2_hash.c -@@ -134,130 +134,3 @@ tool_rc tpm2_hash_file(ESYS_CONTEXT *ectx, TPMI_ALG_HASH halg, - return tpm2_hash_common(ectx, halg, hierarchy, input, NULL, 0, result, - validation); - } -- --static tool_rc tpm2_sm2_compute_msg_digest(ESYS_CONTEXT *ectx, -- TPMI_ALG_HASH halg, TPMI_RH_HIERARCHY hierarchy, FILE *infilep, -- BYTE *inbuffer, UINT16 inbuffer_len, TPM2B_DIGEST *z_digest, -- TPM2B_DIGEST **result, TPMT_TK_HASHCHECK **validation) { -- -- /* if we're using infilep, get file size */ -- bool use_left = true; -- unsigned long left = inbuffer_len; -- if (!!infilep) { -- /* Suppress error reporting with NULL path */ -- use_left = files_get_file_size(infilep, &left, NULL); -- } -- -- TPM2B_MAX_BUFFER buffer = {0}; -- if (z_digest->size <= BUFFER_SIZE(typeof(*z_digest), buffer)) { -- buffer.size = z_digest->size; -- memcpy(buffer.buffer, z_digest->buffer, z_digest->size); -- } else { -- return tool_rc_general_error; -- } -- -- /* -- * length is either unknown because the FILE * is a fifo, or it's too -- * big to do in a single hash call. Based on the size figure out the -- * chunks to loop over, if possible. This way we can call Complete with -- * data. -- */ -- TPMI_DH_OBJECT sequence_handle; -- TPM2B_AUTH null_auth = TPM2B_EMPTY_INIT; -- tool_rc rc = tpm2_hash_sequence_start(ectx, &null_auth, halg, &sequence_handle); -- if (rc != tool_rc_success) { -- return rc; -- } -- -- rc = tpm2_sequence_update(ectx, sequence_handle, &buffer); -- if (rc != tool_rc_success) { -- return rc; -- } -- /* If we know the file size, we decrement the amount read and terminate -- * the loop when 1 block is left, else we go till feof. -- */ -- bool done = false; -- if (use_left && left <= TPM2_MAX_DIGEST_BUFFER) { -- done = true; -- } else { -- done = false; -- } -- -- size_t bytes_read; -- while (!done) { -- /* if we're using infilep, read the file. Otherwise, directly -- copy into our local buffer. */ -- buffer.size = BUFFER_SIZE(typeof(buffer), buffer); -- if (!!infilep) { -- bytes_read = fread(buffer.buffer, 1, buffer.size, infilep); -- if (ferror(infilep)) { -- LOG_ERR("Error reading from input file"); -- return tool_rc_general_error; -- } else { -- buffer.size = bytes_read; -- } -- } else { -- memcpy(buffer.buffer, inbuffer, buffer.size); -- inbuffer = inbuffer + buffer.size; -- } -- -- rc = tpm2_sequence_update(ectx, sequence_handle, &buffer); -- if (rc != tool_rc_success) { -- return rc; -- } -- -- if (use_left) { -- left -= buffer.size; -- if (left <= TPM2_MAX_DIGEST_BUFFER) { -- done = true; -- continue; -- } -- } else if (!!infilep && feof(infilep)) { -- done = true; -- } -- } /* end file read/hash update loop */ -- -- /* if there is data left, get the last bit of data from the file or -- buffer or set the size to zero */ -- if (use_left) { -- buffer.size = left; -- if (!!infilep) { -- bool res = files_read_bytes(infilep, buffer.buffer, buffer.size); -- if (!res) { -- LOG_ERR("Error reading from input file."); -- return tool_rc_general_error; -- } -- } else { -- memcpy(buffer.buffer, inbuffer, buffer.size); -- } -- } else { -- buffer.size = 0; -- } -- -- return tpm2_sequence_complete(ectx, sequence_handle, -- &buffer, hierarchy, result, validation); --} -- --tool_rc tpm2_sm2_compute_msg_digest_data(ESYS_CONTEXT *ectx, TPMI_ALG_HASH halg, -- TPMI_RH_HIERARCHY hierarchy, BYTE *buffer, UINT16 length, -- TPM2B_DIGEST *z, TPM2B_DIGEST **result, TPMT_TK_HASHCHECK **validation) { -- -- if (!buffer || !z) { -- return tool_rc_general_error; -- } -- -- return tpm2_sm2_compute_msg_digest(ectx, halg, hierarchy, NULL, buffer, length, -- z, result, validation); --} -- --tool_rc tpm2_sm2_compute_msg_digest_file(ESYS_CONTEXT *ectx, TPMI_ALG_HASH halg, -- TPMI_RH_HIERARCHY hierarchy, FILE *input, TPM2B_DIGEST *z, -- TPM2B_DIGEST **result, TPMT_TK_HASHCHECK **validation) { -- -- if (!input || !z) { -- return tool_rc_general_error; -- } -- -- return tpm2_sm2_compute_msg_digest(ectx, halg, hierarchy, input, NULL, 0, z, -- result, validation); --} -diff --git a/lib/tpm2_hash.h b/lib/tpm2_hash.h -index ac4729b..12e8e0b 100644 ---- a/lib/tpm2_hash.h -+++ b/lib/tpm2_hash.h -@@ -53,53 +53,4 @@ tool_rc tpm2_hash_file(ESYS_CONTEXT *ectx, TPMI_ALG_HASH halg, - TPMI_RH_HIERARCHY hierarchy, FILE *input, TPM2B_DIGEST **result, - TPMT_TK_HASHCHECK **validation); - --/** -- * Hashes a BYTE array via the tpm. -- * @param context -- * The esapi context. -- * @param hash_alg -- * The hashing algorithm to use. -- * @param hierarchy -- * The hierarchy. -- * @param buffer -- * The data to hash. -- * @param length -- * The length of the data. -- * @param input -- * The sm2 id digest. -- * @param result -- * The digest result. -- * @param validation -- * The validation ticket. Note that some hierarchies don't produce a -- * validation ticket and thus size will be 0. -- * @return -- * A tool_rc indicating status. -- */ --tool_rc tpm2_sm2_compute_msg_digest_data(ESYS_CONTEXT *ectx, TPMI_ALG_HASH halg, -- TPMI_RH_HIERARCHY hierarchy, BYTE *buffer, UINT16 length, -- TPM2B_DIGEST *z, TPM2B_DIGEST **result, TPMT_TK_HASHCHECK **validation); -- --/** -- * Hashes a FILE * object via the tpm. -- * @param context -- * The esapi context. -- * @param hash_alg -- * The hashing algorithm to use. -- * @param hierarchy -- * The hierarchy. -- * @param input -- * The FILE object to hash. -- * @param input -- * The sm2 id digest. -- * @param result -- * The digest result. -- * @param validation -- * The validation ticket. Note that some hierarchies don't produce a -- * validation ticket and thus size will be 0. -- * @return -- * A tool_rc indicating status. -- */ --tool_rc tpm2_sm2_compute_msg_digest_file(ESYS_CONTEXT *ectx, TPMI_ALG_HASH halg, -- TPMI_RH_HIERARCHY hierarchy, FILE *input, TPM2B_DIGEST *z, -- TPM2B_DIGEST **result, TPMT_TK_HASHCHECK **validation); - #endif /* SRC_TPM_HASH_H_ */ -diff --git a/tools/tpm2_sign.c b/tools/tpm2_sign.c -index 7c7b3ce..77d7c2a 100644 ---- a/tools/tpm2_sign.c -+++ b/tools/tpm2_sign.c -@@ -140,20 +140,8 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { - return tool_rc_general_error; - } - -- if (ctx.in_scheme.scheme == TPM2_ALG_SM2 && ctx.halg == TPM2_ALG_SM3_256) { -- TPM2B_DIGEST z_digest; -- rc = tpm2_alg_util_sm2_compute_id_digest(ectx, ctx.signing_key.object.tr_handle, -- SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH, &z_digest); -- if (rc != tool_rc_success) { -- LOG_ERR("Sign could not compute id digest"); -- } else { -- rc = tpm2_sm2_compute_msg_digest_file(ectx, ctx.halg, TPM2_RH_OWNER, input, &z_digest, -- &ctx.digest, &temp_validation_ticket); -- } -- } else { -- rc = tpm2_hash_file(ectx, ctx.halg, TPM2_RH_OWNER, input, &ctx.digest, -- &temp_validation_ticket); -- } -+ rc = tpm2_hash_file(ectx, ctx.halg, TPM2_RH_OWNER, input, &ctx.digest, -+ &temp_validation_ticket); - if (input != stdin) { - fclose(input); - } -diff --git a/tools/tpm2_verifysignature.c b/tools/tpm2_verifysignature.c -index a0f7607..240165d 100644 ---- a/tools/tpm2_verifysignature.c -+++ b/tools/tpm2_verifysignature.c -@@ -158,20 +158,8 @@ static tool_rc init(ESYS_CONTEXT *context) { - goto err; - } - -- if (ctx.signature.sigAlg == TPM2_ALG_SM2 && ctx.halg == TPM2_ALG_SM3_256) { -- TPM2B_DIGEST z_digest; -- tmp_rc = tpm2_alg_util_sm2_compute_id_digest(context, ctx.key_context_object.tr_handle, -- SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH, &z_digest); -- if (tmp_rc != tool_rc_success) { -- LOG_ERR("Verify could not compute id digest"); -- } else { -- tmp_rc = tpm2_sm2_compute_msg_digest_data(context, ctx.halg, TPM2_RH_NULL, -- msg->buffer, msg->size, &z_digest, &ctx.msg_hash, NULL); -- } -- } else { -- tmp_rc = tpm2_hash_compute_data(context, ctx.halg, TPM2_RH_NULL, -- msg->buffer, msg->size, &ctx.msg_hash, NULL); -- } -+ tmp_rc = tpm2_hash_compute_data(context, ctx.halg, TPM2_RH_NULL, -+ msg->buffer, msg->size, &ctx.msg_hash, NULL); - if (tmp_rc != tool_rc_success) { - rc = tmp_rc; - LOG_ERR("Compute message hash failed!"); --- -2.17.1 - diff --git a/tpm2-tools-5.5.tar.gz b/tpm2-tools-5.5.tar.gz deleted file mode 100644 index 127cb3e84f1566940f0b0377181abb6dd86820be..0000000000000000000000000000000000000000 Binary files a/tpm2-tools-5.5.tar.gz and /dev/null differ diff --git a/tpm2-tools-5.7.tar.gz b/tpm2-tools-5.7.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..8883c10d9dca5ad997d575463cbf387ba5439f9b Binary files /dev/null and b/tpm2-tools-5.7.tar.gz differ diff --git a/tpm2-tools.spec b/tpm2-tools.spec index 8c63723d2b574d873bd3aec35e17dc72223977d7..169919772c4cd2d9fff9b04b4eb07b766bb419a4 100644 --- a/tpm2-tools.spec +++ b/tpm2-tools.spec @@ -1,7 +1,7 @@ -%define anolis_release 2 +%define anolis_release 1 Name: tpm2-tools -Version: 5.5 +Version: 5.7 Release: %{anolis_release}%{?dist} Summary: A bunch of TPM testing toolS build upon tpm2-tss @@ -9,7 +9,6 @@ License: BSD URL: https://github.com/tpm2-software/tpm2-tools Source0: https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/%{name}-%{version}.tar.gz -Patch0: 0001-revert-sm2-sign-and-verifysignature.patch BuildRequires: make BuildRequires: gcc-c++ @@ -63,6 +62,9 @@ Doc files for %{name} %doc docs/README.md docs/CHANGELOG.md %changelog +* Fri Jul 5 2024 Cui lichen -5.7-1 +- fix cve-2024-29038 + * Thu Dec 28 2023 chench -5.5-2 - revert sm2 sign and verifysignature from upstream