From 9bab90c6998b255b0026868544bcf05133ca56b3 Mon Sep 17 00:00:00 2001
From: fuanan <2385803914@qq.com>
Date: Mon, 27 Sep 2021 10:52:00 +0800
Subject: [PATCH] fix CVE-2021-3565

---
 backport-CVE-2021-3565.patch | 46 ++++++++++++++++++++++++++++++++++++
 tpm2-tools.spec              |  6 ++++-
 2 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2021-3565.patch

diff --git a/backport-CVE-2021-3565.patch b/backport-CVE-2021-3565.patch
new file mode 100644
index 0000000..7fc946d
--- /dev/null
+++ b/backport-CVE-2021-3565.patch
@@ -0,0 +1,46 @@
+From c069e4f179d5e6653a84fb236816c375dca82515 Mon Sep 17 00:00:00 2001
+From: William Roberts <william.c.roberts@intel.com>
+Date: Fri, 21 May 2021 12:22:31 -0500
+Subject: [PATCH] tpm2_import: fix fixed AES key CVE-2021-3565
+
+tpm2_import used a fixed AES key for the inner wrapper, which means that
+a MITM attack would be able to unwrap the imported key. Even the
+use of an encrypted session will not prevent this. The TPM only
+encrypts the first parameter which is the fixed symmetric key.
+
+To fix this, ensure the key size is 16 bytes or bigger and use
+OpenSSL to generate a secure random AES key.
+
+Fixes: #2738
+
+Signed-off-by: William Roberts <william.c.roberts@intel.com>
+---
+ tools/tpm2_import.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tpm2_import.c b/tools/tpm2_import.c
+index cfb6f20..f44326c 100644
+--- a/tools/tpm2_import.c
++++ b/tools/tpm2_import.c
+@@ -118,7 +118,17 @@ static tool_rc key_import(ESYS_CONTEXT *ectx, TPM2B_PUBLIC *parent_pub,
+     TPM2B_DATA enc_sensitive_key = {
+         .size = parent_pub->publicArea.parameters.rsaDetail.symmetric.keyBits.sym / 8
+     };
+-    memset(enc_sensitive_key.buffer, 0xFF, enc_sensitive_key.size);
++
++    if(enc_sensitive_key.size < 16) {
++        LOG_ERR("Calculated wrapping keysize is less than 16 bytes, got: %u", enc_sensitive_key.size);
++        return tool_rc_general_error;
++    }
++
++    int ossl_rc = RAND_bytes(enc_sensitive_key.buffer, enc_sensitive_key.size);
++    if (ossl_rc != 1) {
++        LOG_ERR("RAND_bytes failed: %s", ERR_error_string(ERR_get_error(), NULL));
++        return tool_rc_general_error;
++    }
+ 
+     /*
+      * Calculate the object name.
+-- 
+1.8.3.1
+
diff --git a/tpm2-tools.spec b/tpm2-tools.spec
index 9559dbc..87e76a1 100644
--- a/tpm2-tools.spec
+++ b/tpm2-tools.spec
@@ -1,12 +1,13 @@
 Name:          tpm2-tools
 Version:       5.0
-Release:       4
+Release:       5
 Summary:       A TPM2.0 testing tool based on TPM2.0-TSS
 License:       BSD
 URL:           https://github.com/tpm2-software/tpm2-tools
 Source0:       https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/%{name}-%{version}.tar.gz
 
 Patch0:        backport-Don-t-assume-end-of-argv-is-NULL.patch
+Patch1:        backport-CVE-2021-3565.patch
 
 BuildRequires: gcc-c++ libtool autoconf-archive pkgconfig(cmocka) pkgconfig(libcurl) pkgconfig(openssl)
 BuildRequires: pkgconfig(tss2-mu) pkgconfig(tss2-sys) pkgconfig(tss2-esys) pkgconfig(uuid) libgcrypt
@@ -58,6 +59,9 @@ make check
 %{_mandir}/*/*
 
 %changelog
+* Mon Sep 27 2021 fuanan <fuanan3@huawei.com> - 5.0-5
+- fix CVE-2021-3565
+
 * Fri Jul 30 2021 chenyanpanHW <chenyanpan@huawei.com> - 5.0-4
 - DESC: delete -Sgit from %autosetup, and delete BuildRequires git
 
-- 
Gitee