From fb86111ca96848e86de65cab89aaaa52d64cf64c Mon Sep 17 00:00:00 2001
From: Stefan Berger
Date: Mon, 6 Mar 2023 15:55:58 -0500
Subject: [PATCH] tpm2: Fix issue related to CryptGenerateKeyDes (TPM 2 errata v1.4)

Fix the following issue from TPM 2 errata v1.4 2.6.3: "The function CryptGenerateKeyDes() in the reference code in Part 4, 0.2.9.2.3 does not correctly check the symmetric key size provided in the sensitive parameter. To fix the issue, the function will check that the size of the requested TDES key is a multiple of 8 bytes or otherwise the TPM will return TPM_RC_SYMMETRIC."

Signed-off-by: Stefan Berger
---
 src/tpm2/crypto/openssl/CryptDes.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/tpm2/crypto/openssl/CryptDes.c b/src/tpm2/crypto/openssl/CryptDes.c
index 9efa3cee..52ae723d 100644
--- a/src/tpm2/crypto/openssl/CryptDes.c
+++ b/src/tpm2/crypto/openssl/CryptDes.c
@@ -3,7 +3,6 @@
 /* Functions Required for TDES */
 /* Written by Ken Goldman */
 /* IBM Thomas J. Watson Research Center */
-/* $Id: CryptDes.c 1398 2018-12-17 22:37:57Z kgoldman $ */
 /* */
 /* Licenses and Notices */
 /* */
@@ -55,7 +54,7 @@
 /* arising in any way out of use or reliance upon this specification or any */
 /* information herein. */
 /* */
-/* (c) Copyright IBM Corp. and others, 2016 - 2018 */
+/* (c) Copyright IBM Corp. and others, 2016 - 2023 */
 /* */
 /********************************************************************************/

@@ -166,6 +165,12 @@ CryptGenerateKeyDes(
 // number of bits.
 sensitive->sensitive.sym.t.size =
 BITS_TO_BYTES(publicArea->parameters.symDetail.sym.keyBits.sym);
+ // Because we use BYTE_ARRAY_TO_UINT64 below, require the requested DES key
+ // to be a multiple of 8 bytes in size.
+ if((sensitive->sensitive.sym.t.size % 8) != 0)
+ {
+ return TPM_RC_SYMMETRIC;
+ }
 #if USE_OPENSSL_FUNCTIONS_SYMMETRIC // libtpms added begin
 if (rand == NULL)
 return OpenSSLCryptGenerateKeyDes(sensitive);
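Review bot: The new guard in CryptGenerateKeyDes rejects sizes that are not a multiple of 8 but still accepts 0 and any larger multiple of 8, so a zero-length or oversized request is only caught if validation outside this hunk does it. Since the errata shows that the key size reaching this function was not reliably checked, it would be safer to bound it here as well, e.g. `if(size == 0 || (size % 8) != 0 || size > sizeof(sensitive->sensitive.sym.t.buffer)) return TPM_RC_SYMMETRIC;`, with `size` standing for `sensitive->sensitive.sym.t.size`. The check also runs after `sym.t.size` has already been written, so a rejected request leaves the caller's structure holding the bad size; computing into a local and assigning only on success would avoid that. The function body starts and continues outside the hunk, so the upper bound may already be enforced elsewhere and is worth confirming.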