tpm2-tss: 3.2.0 -> 4.0.1

This fixes CVE-2023-22745
2023-06-27 09:21:32 -07:00 · 2023-06-27 09:21:32 -07:00 · 90acc83140
parent d409d42ce7
commit 90acc83140
2 changed files with 41 additions and 27 deletions
--- a/pkgs/development/libraries/tpm2-tss/default.nix
+++ b/pkgs/development/libraries/tpm2-tss/default.nix
@ -1,8 +1,8 @@
-{ stdenv, lib, fetchFromGitHub
+{ stdenv, lib, fetchFromGitHub, fetchurl
 , autoreconfHook, autoconf-archive, pkg-config, doxygen, perl
 , openssl, json_c, curl, libgcrypt
 , cmocka, uthash, ibm-sw-tpm2, iproute2, procps, which
-, shadow
+, shadow, libuuid
 }:
 let
  # Avoid a circular dependency on Linux systems (systemd depends on tpm2-tss,
@ -15,13 +15,13 @@ in

 stdenv.mkDerivation rec {
  pname = "tpm2-tss";
-  version = "3.2.0";
+  version = "4.0.1";

  src = fetchFromGitHub {
    owner = "tpm2-software";
    repo = pname;
    rev = version;
-    sha256 = "1jijxnvjcsgz5yw4i9fj7ycdnnz90r3l0zicpwinswrw47ac3yy5";
+    sha256 = "sha256-75yiKVZrR1vcCwKp4tDO4A9JB0KDM0MXPJ1N85kAaRk=";
  };

  outputs = [ "out" "man" "dev" ];
@ -33,7 +33,7 @@ stdenv.mkDerivation rec {

  # cmocka is checked / used(?) in the configure script
  # when unit and/or integration testing is enabled
-  buildInputs = [ openssl json_c curl libgcrypt uthash ]
+  buildInputs = [ openssl json_c curl libgcrypt uthash libuuid ]
    # cmocka doesn't build with pkgsStatic, and we don't need it anyway
    # when tests are not run
    ++ lib.optionals (stdenv.buildPlatform == stdenv.hostPlatform) [
@ -53,6 +53,11 @@ stdenv.mkDerivation rec {
    # Do not rely on dynamic loader path
    # TCTI loader relies on dlopen(), this patch prefixes all calls with the output directory
    ./no-dynamic-loader-path.patch
+    (fetchurl {
+      name = "skip-test-fapi-fix-provisioning-with template-if-no-certificate-available.patch";
+      url = "https://github.com/tpm2-software/tpm2-tss/commit/218c0da8d9f675766b1de502a52e23a3aa52648e.patch";
+      sha256 = "sha256-dnl9ZAknCdmvix2TdQvF0fHoYeWp+jfCTg8Uc7h0voA=";
+    })
  ];

  postPatch = ''
@ -61,8 +66,8 @@ stdenv.mkDerivation rec {
      --replace '@PREFIX@' $out/lib/
    substituteInPlace ./test/unit/tctildr-dl.c \
      --replace '@PREFIX@' $out/lib
-    substituteInPlace ./configure.ac \
-      --replace 'm4_esyscmd_s([git describe --tags --always --dirty])' '${version}'
+    substituteInPlace ./bootstrap \
+      --replace 'git describe --tags --always --dirty' 'echo "${version}"'
  '';

  configureFlags = lib.optionals (stdenv.buildPlatform == stdenv.hostPlatform) [
--- a/pkgs/development/libraries/tpm2-tss/no-dynamic-loader-path.patch
+++ b/pkgs/development/libraries/tpm2-tss/no-dynamic-loader-path.patch
@ -1,8 +1,17 @@
 diff --git a/src/tss2-tcti/tctildr-dl.c b/src/tss2-tcti/tctildr-dl.c
-index b364695c..d026de71 100644
+index 622637dc..88fc3d8f 100644
 --- a/src/tss2-tcti/tctildr-dl.c
 +++ b/src/tss2-tcti/tctildr-dl.c
-@@ -116,6 +116,50 @@ handle_from_name(const char *file,
+@@ -92,7 +92,7 @@ handle_from_name(const char *file,
+         LOG_DEBUG("Could not load TCTI file: \"%s\": %s", file, dlerror());
+     }
+ 
+-    len = snprintf(NULL, 0, TCTI_NAME_TEMPLATE_0, file);
+    len = snprintf(NULL, 0, "@PREFIX@" TCTI_NAME_TEMPLATE_0, file);
+     if (len >= PATH_MAX) {
+         LOG_ERROR("TCTI name truncated in transform.");
+         return TSS2_TCTI_RC_BAD_VALUE;
+@@ -129,6 +129,50 @@ handle_from_name(const char *file,
         return TSS2_TCTI_RC_BAD_VALUE;
     }
     *handle = dlopen(file_xfrm, RTLD_NOW);
@ -12,10 +21,10 @@ index b364695c..d026de71 100644
 +        LOG_DEBUG("Failed to load TCTI for name \"%s\": %s", file, dlerror());
 +    }
 +    size = snprintf(file_xfrm,
-+                    sizeof (file_xfrm),
+                    len + 1,
 +                    "@PREFIX@%s",
 +                    file);
-+    if (size >= sizeof (file_xfrm)) {
+    if (size >= len + 1) {
 +        LOG_ERROR("TCTI name truncated in transform.");
 +        return TSS2_TCTI_RC_BAD_VALUE;
 +    }
@ -27,10 +36,10 @@ index b364695c..d026de71 100644
 +    }
 +    /* 'name' alone didn't work, try libtss2-tcti-<name>.so.0 */
 +    size = snprintf(file_xfrm,
-+                    sizeof (file_xfrm),
+                    len + 1,
 +                    "@PREFIX@" TCTI_NAME_TEMPLATE_0,
 +                    file);
-+    if (size >= sizeof (file_xfrm)) {
+    if (size >= len + 1) {
 +        LOG_ERROR("TCTI name truncated in transform.");
 +        return TSS2_TCTI_RC_BAD_VALUE;
 +    }
@ -42,22 +51,22 @@ index b364695c..d026de71 100644
 +    }
 +    /* libtss2-tcti-<name>.so.0 didn't work, try libtss2-tcti-<name>.so */
 +    size = snprintf(file_xfrm,
-+                    sizeof (file_xfrm),
+                    len + 1,
 +                    "@PREFIX@" TCTI_NAME_TEMPLATE,
 +                    file);
-+    if (size >= sizeof (file_xfrm)) {
+    if (size >= len + 1) {
 +        LOG_ERROR("TCTI name truncated in transform.");
 +        return TSS2_TCTI_RC_BAD_VALUE;
 +    }
 +    *handle = dlopen(file_xfrm, RTLD_NOW);
     if (*handle == NULL) {
         LOG_DEBUG("Failed to load TCTI for name \"%s\": %s", file, dlerror());
-         return TSS2_TCTI_RC_NOT_SUPPORTED;
+         SAFE_FREE(file_xfrm);
 diff --git a/test/unit/tctildr-dl.c b/test/unit/tctildr-dl.c
-index 873a4531..c17b939e 100644
+index 4279baee..6685c811 100644
 --- a/test/unit/tctildr-dl.c
 +++ b/test/unit/tctildr-dl.c
-@@ -223,6 +223,18 @@ test_get_info_default_success (void **state)
+@@ -229,6 +229,18 @@ test_get_info_default_success (void **state)
     expect_value(__wrap_dlopen, flags, RTLD_NOW);
     will_return(__wrap_dlopen, NULL);
 
@ -76,7 +85,7 @@ index 873a4531..c17b939e 100644
     expect_string(__wrap_dlopen, filename, "libtss2-tcti-tabrmd.so.0");
     expect_value(__wrap_dlopen, flags, RTLD_NOW);
     will_return(__wrap_dlopen, HANDLE);
-@@ -255,6 +267,18 @@ test_get_info_default_info_fail (void **state)
+@@ -261,6 +273,18 @@ test_get_info_default_info_fail (void **state)
     expect_value(__wrap_dlopen, flags, RTLD_NOW);
     will_return(__wrap_dlopen, NULL);
 
@ -95,7 +104,7 @@ index 873a4531..c17b939e 100644
     expect_string(__wrap_dlopen, filename, "libtss2-tcti-tabrmd.so.0");
     expect_value(__wrap_dlopen, flags, RTLD_NOW);
     will_return(__wrap_dlopen, HANDLE);
-@@ -407,6 +431,15 @@ test_tcti_fail_all (void **state)
+@@ -413,6 +437,15 @@ test_tcti_fail_all (void **state)
     expect_string(__wrap_dlopen, filename, "libtss2-tcti-libtss2-tcti-default.so.so");
     expect_value(__wrap_dlopen, flags, RTLD_NOW);
     will_return(__wrap_dlopen, NULL);
@ -111,7 +120,7 @@ index 873a4531..c17b939e 100644
 
     /* Skip over libtss2-tcti-tabrmd.so */
     expect_string(__wrap_dlopen, filename, "libtss2-tcti-tabrmd.so.0");
-@@ -418,6 +451,15 @@ test_tcti_fail_all (void **state)
+@@ -424,6 +457,15 @@ test_tcti_fail_all (void **state)
     expect_string(__wrap_dlopen, filename, "libtss2-tcti-libtss2-tcti-tabrmd.so.0.so");
     expect_value(__wrap_dlopen, flags, RTLD_NOW);
     will_return(__wrap_dlopen, NULL);
@ -127,7 +136,7 @@ index 873a4531..c17b939e 100644
 
     /* Skip over libtss2-tcti-device.so, /dev/tpmrm0 */
     expect_string(__wrap_dlopen, filename, "libtss2-tcti-device.so.0");
-@@ -429,6 +471,15 @@ test_tcti_fail_all (void **state)
+@@ -435,6 +477,15 @@ test_tcti_fail_all (void **state)
     expect_string(__wrap_dlopen, filename, "libtss2-tcti-libtss2-tcti-device.so.0.so");
     expect_value(__wrap_dlopen, flags, RTLD_NOW);
     will_return(__wrap_dlopen, NULL);
@ -143,7 +152,7 @@ index 873a4531..c17b939e 100644
 
     /* Skip over libtss2-tcti-device.so, /dev/tpm0 */
     expect_string(__wrap_dlopen, filename, "libtss2-tcti-device.so.0");
-@@ -440,6 +491,15 @@ test_tcti_fail_all (void **state)
+@@ -446,6 +497,15 @@ test_tcti_fail_all (void **state)
     expect_string(__wrap_dlopen, filename, "libtss2-tcti-libtss2-tcti-device.so.0.so");
     expect_value(__wrap_dlopen, flags, RTLD_NOW);
     will_return(__wrap_dlopen, NULL);
@ -159,7 +168,7 @@ index 873a4531..c17b939e 100644
 
     /* Skip over libtss2-tcti-swtpm.so */
     expect_string(__wrap_dlopen, filename, "libtss2-tcti-swtpm.so.0");
-@@ -451,6 +511,15 @@ test_tcti_fail_all (void **state)
+@@ -457,6 +517,15 @@ test_tcti_fail_all (void **state)
     expect_string(__wrap_dlopen, filename, "libtss2-tcti-libtss2-tcti-swtpm.so.0.so");
     expect_value(__wrap_dlopen, flags, RTLD_NOW);
     will_return(__wrap_dlopen, NULL);
@ -175,7 +184,7 @@ index 873a4531..c17b939e 100644
 
     /* Skip over libtss2-tcti-mssim.so */
     expect_string(__wrap_dlopen, filename, "libtss2-tcti-mssim.so.0");
-@@ -462,6 +531,15 @@ test_tcti_fail_all (void **state)
+@@ -468,6 +537,15 @@ test_tcti_fail_all (void **state)
     expect_string(__wrap_dlopen, filename, "libtss2-tcti-libtss2-tcti-mssim.so.0.so");
     expect_value(__wrap_dlopen, flags, RTLD_NOW);
     will_return(__wrap_dlopen, NULL);
@ -191,7 +200,7 @@ index 873a4531..c17b939e 100644
 
     TSS2_RC r;
     TSS2_TCTI_CONTEXT *tcti;
-@@ -490,6 +568,15 @@ test_info_from_name_handle_fail (void **state)
+@@ -496,6 +574,15 @@ test_info_from_name_handle_fail (void **state)
     expect_string(__wrap_dlopen, filename, "libtss2-tcti-foo.so");
     expect_value(__wrap_dlopen, flags, RTLD_NOW);
     will_return(__wrap_dlopen, NULL);
@ -207,7 +216,7 @@ index 873a4531..c17b939e 100644
 
     TSS2_RC rc = info_from_name ("foo", &info, &data);
     assert_int_equal (rc, TSS2_TCTI_RC_NOT_SUPPORTED);
-@@ -606,6 +693,15 @@ test_tctildr_get_info_from_name (void **state)
+@@ -612,6 +699,15 @@ test_tctildr_get_info_from_name (void **state)
     expect_string(__wrap_dlopen, filename, "libtss2-tcti-foo.so");
     expect_value(__wrap_dlopen, flags, RTLD_NOW);
     will_return(__wrap_dlopen, NULL);