Fix libtpms <-> SymCrypt provider compatibility (#9511)

Recent testing found an incompatibility between libtpms and the SymCrypt provider. Version 0.9.6 of libtpms is using the old OpenSSL APIs and does not export the RSA key primes as part of RSA private key export. SymCrypt expects these primes to import the RSA private key. This PR adds a patch to libtpms to export the expected primes. The latest changes to libtpms appear to fix this issue and update to the OpenSSL 3 APIs, so this patch is only necessary until those changes make it to release.
2024-06-26 09:17:18 -07:00 · 2024-06-26 09:17:18 -07:00 · 1bc408c6fb
--- a/SPECS/libtpms/0001-Export-RSA-private-key-primes-to-OpenSSL.patch
+++ b/SPECS/libtpms/0001-Export-RSA-private-key-primes-to-OpenSSL.patch
@ -0,0 +1,42 @@
+From 4a64addb941bf4db53f688a4396702542dc70289 Mon Sep 17 00:00:00 2001
+From: Maxwell Moyer-McKee <mamckee@microsoft.com>
+Date: Tue, 25 Jun 2024 21:12:48 +0000
+Subject: [PATCH] Export RSA private key primes to OpenSSL
+
+---
+ src/tpm2/crypto/openssl/Helpers.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/tpm2/crypto/openssl/Helpers.c b/src/tpm2/crypto/openssl/Helpers.c
+index 896e37d..8344bac 100644
+--- a/src/tpm2/crypto/openssl/Helpers.c
+++ b/src/tpm2/crypto/openssl/Helpers.c
+@@ -527,7 +527,8 @@ InitOpenSSLRSAPrivateKey(OBJECT     *rsaKey,   // IN
+             ERROR_RETURN(TPM_RC_FAILURE);
+         ExpDCacheAdd(P, N, E, Q, D);
+     }
+-    if (RSA_set0_key(key, NULL, NULL, D) != 1)
+    if (RSA_set0_key(key, NULL, NULL, D) != 1 ||
+        RSA_set0_factors(key, P, Q) != 1)
+         ERROR_RETURN(TPM_RC_FAILURE);
+ 
+     DoRSACheckKey(P, Q, N, E, D);
+@@ -548,13 +549,13 @@ InitOpenSSLRSAPrivateKey(OBJECT     *rsaKey,   // IN
+ 
+  Exit:
+     BN_CTX_free(ctx);
+-    BN_clear_free(P);
+-    BN_clear_free(Q);
+     BN_free(Qr);
+     RSA_free(key); // undo reference from EVP_PKEY_get1_RSA()
+ 
+     if (retVal != TPM_RC_SUCCESS) {
+         BN_clear_free(D);
+        BN_clear_free(P);
+        BN_clear_free(Q);
+ #if CRT_FORMAT_RSA == YES
+         BN_clear_free(dP);
+         BN_clear_free(dQ);
+-- 
+2.43.0
+
--- a/SPECS/libtpms/libtpms.spec
+++ b/SPECS/libtpms/libtpms.spec
@ -1,6 +1,6 @@
 Name:           libtpms
 Version:        0.9.6
-Release:        5%{?dist}
+Release:        6%{?dist}
 Summary:        Library providing Trusted Platform Module (TPM) functionality
 License:        BSD and TCGL

@ -9,6 +9,7 @@ Source0:        %{url}/archive/v%{version}/%{name}-%{version}.tar.gz
 Source1:        %{url}/releases/download/v%{version}/v%{version}.tar.gz.asc#/%{name}-%{version}.tar.gz.asc
 # https://github.com/stefanberger.gpg
 Source2:        gpgkey-B818B9CADF9089C2D5CEC66B75AD65802A0B4211.asc
+Patch1:         0001-Export-RSA-private-key-primes-to-OpenSSL.patch

 BuildRequires:  autoconf
 BuildRequires:  automake
@ -35,7 +36,7 @@ Libtpms header files and documentation.

 %prep
 %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
-%autosetup
+%autosetup -p1 -n %{name}-%{version}

 %build
 NOCONFIGURE=1 ./autogen.sh
@ -63,6 +64,9 @@ make check
 %{_mandir}/man3/TPM*

 %changelog
+* Tue Jun 25 2024 Maxwell Moyer-McKee <bfjelds@microsoft.com> - 0.9.6-6
+- Add patch for compatibility with SymCrypt provider
+
 * Mon Jan 22 2024 Brian Fjeldstad <bfjelds@microsoft.com> - 0.9.6-5
 - Initial CBL-Mariner import from Fedora 39 (license: MIT).
 - license verified (TCG license in LICENSE file)