Fix an HMAC signing issue that may cause an out-of-bounds access in a
TPM2B that in turn was running into an assert() in libtpms causing an
abort. The signing issue was due to an inconsistent pairing of the signKey
and signScheme parameters, where the signKey is an ALG_KEYEDHASH key and
inScheme is an ECC or RSA scheme.
This fixes CVE-2025-49133.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Backport the github actions script from the master branch. In the
coveralls build, use the stable-0.9 branch of swtpm since later versions
of swtpm need later versions of libtpms.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Address a false positive issue detected by Coverity (CID 1517797)
about *buflen.
Per this assignment of buflen
    cached_blobs[st].buflen = buffer ? buflen : BUFLEN_EMPTY_BUFFER;
the following is true:
    If cached_blobs[].buffer is NULL then *buflen = BUFLEN_EMPTY_BUFFER
    If cached_blobs[].buffer is not NULL then *buflen != BUFLEN_EMPTY_BUFFER
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Cast the '1' to UINT64 before shifting it.
Since the shift value is always below 32 it would have never exceeded
the 32bit value it was using before the cast.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Address the following Coverity complaint (1550494) by filtering out bad
input values:
"Expression i--, which is equal to 65535, where i is known to be equal
to 0, underflows the type that receives it, an unsigned integer 16 bits
wide."
aSize is typically 2048 and n is always >= 1 per the input parameter.
Therefore no side-effects are expected from this filter.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Resolve the following Coverity complaint:
"Expression command->sessionNum - 1U, which is equal to 4294967295,
where command->sessionNum is known to be equal to 0, underflows the
type that receives it, an unsigned integer 32 bits wide."
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Resolve the following Coverity complaint by removing assignment to offset:
"Assigning value from offset + 148UL to offset here, but that stored
value is overwritten before it can be used."
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Resolve the following Coverity complaint:
"Using uninitialized value eccPublic when calling TPMS_ECC_POINT_Unmarshal."
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

When decryption fails then return TPM_RC_VALUE rather than TPM_RC_FAILURE.
The old error code could indicate to an application or driver that
something is wrong with the TPM (has possibly gone into failure mode) even
though only the decryption failed, possibly due to a wrong key.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Fedora Rawhide and CentOS 10 do not support OpenSSL engine anymore.
Therefore, replace include of engine.h with err.h since the engine is not
needed anyway but we only need the prototype of ERR_get_error_line_data.
Add missing includes for evp.h and rsa.h.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

When an object is later marshalled in TPM2_ContextSave, the publicOnly
attribute isn't taken into account and therefore potentially stale
sensitive information can be marshalled, which is a problem if the
buffer sizes it contains have values that are too large - this
triggers assertion failures.
Avoid this by clearing out the sensitive area upon ObjectLoad if not
provided, making the behaviour consistent with when a fresh, unused,
object entry is used.
Signed-off-by: Rob Shearman <rob@graphiant.com>

Sync with upstream to fix issue in CryptParameterEncryption() from TPM 2
errata v1.4 2.6.1:
"The functions CryptParameterEncryption() and CryptParameterDecryption() in
the reference code in Part 4, 10.2.6.6.5 and 10.2.6.6.6 do not correctly
check the size of the parameter buffer to be encrypted or decrypted. To fix
the issue, the functions should be corrected to check that the parameter
buffer (a TPM2B type field) is at least 2 bytes in length and should use
the function UINT16_Unmarshal() to read the size of the buffer instead of
BYTE_ARRAY_TO_UINT16().
[...]
The fixed CryptParameterEncryption() function will enter failure mode and
return TPM_RC_FAILURE if the internal response buffer does not contain
enough data for the UINT16 size field."
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Fix the following issue from TPM 2 errata v1.4 2.6.3:
"The function CryptGenerateKeyDes() in the reference code in Part 4,
0.2.9.2.3 does not correctly check the symmetric key size provided in the
sensitive parameter. To fix the issue, the function will check that the
size of the requested TDES key is a multiple of 8 bytes or otherwise the
TPM will return TPM_RC_SYMMETRIC."
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Fix the missing buffer size check that the TPM 2 errata v1.4 mentions in
2.6.2 by adding a buffer size check before reading 2 bytes from a
TPM2B_NAME buffer. There's no known CVE for this.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Check that there are sufficient bytes in the buffer before reading the
cipherSize from it. Also, reduce the bufferSize variable by the number
of bytes that make up the cipherSize to avoid reading and writing bytes
beyond the buffer in subsequent steps that do in-place decryption.
This fixes CVE-2023-1017 & CVE-2023-1018.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
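
The two checks described in the commit message above, together with the "at least 2 bytes" requirement quoted from errata 2.6.1 earlier on this page, as an added example that is not libtpms code. The function names, result codes and the XOR stand-in for the session cipher are assumptions, and the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { PARAM_OK = 0, PARAM_ERR_SIZE = -1 };   /* hypothetical result codes */

/* Toy stand-in for the session cipher so the example runs offline. */
static void toy_crypt_in_place(uint8_t *p, size_t n, uint8_t key)
{
    for (size_t i = 0; i < n; i++)
        p[i] ^= key;
}

/* Span the unchecked logic would process: it trusts the 2-byte size prefix
 * and never compares it with what is actually left in the buffer. */
size_t unchecked_span(const uint8_t *buf)
{
    size_t cipherSize = ((size_t)buf[0] << 8) | buf[1];
    return sizeof(uint16_t) + cipherSize;
}

/* Checked variant: decrypts buf[2 .. 2+cipherSize) in place. */
int param_decrypt_checked(uint8_t *buf, size_t bufferSize, uint8_t key)
{
    size_t cipherSize;

    if (bufferSize < sizeof(uint16_t))      /* size field must be present */
        return PARAM_ERR_SIZE;
    cipherSize = ((size_t)buf[0] << 8) | buf[1];

    bufferSize -= sizeof(uint16_t);         /* account for consumed bytes */
    buf += sizeof(uint16_t);
    if (cipherSize > bufferSize)            /* declared size must fit */
        return PARAM_ERR_SIZE;

    toy_crypt_in_place(buf, cipherSize, key);
    return PARAM_OK;
}

int main(void)
{
    uint8_t ok[]   = {0x00, 0x03, 'a', 'b', 'c'};  /* honest size prefix */
    uint8_t lie[]  = {0x00, 0x10, 'a', 'b'};       /* claims 16, holds 2 */
    uint8_t tiny[] = {0x00};                       /* prefix truncated */
    printf("lie: unchecked span %zu of %zu bytes\n", unchecked_span(lie), sizeof(lie));
    printf("ok=%d lie=%d tiny=%d\n", param_decrypt_checked(ok, sizeof(ok), 0x5a),
           param_decrypt_checked(lie, sizeof(lie), 0x5a),
           param_decrypt_checked(tiny, sizeof(tiny), 0x5a));
    return 0;
}
```

Without the `bufferSize -= sizeof(uint16_t)` step, a later comparison against the original buffer size would still accept a declared size that overruns the buffer by up to two bytes.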

Do not set the RSA_FLAG_NO_BLINDING on RSA keys anymore. The BoringSSL
documentation states the following:
"RSA_FLAG_NO_BLINDING disables blinding of private operations, which is
a dangerous thing to do. It is deprecated and should not be used. It will
be ignored whenever possible."
So, follow this documentation. OpenSSL does not seem to say much about it.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Check the secret size against the size of the buffer, not the size
member that has not been set yet.
Reported by Coverity.
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>

The build environment used by OSS-Fuzz reports this error.
In file included from /src/libtpms/src/tpm_debug.c:42:
/src/libtpms/src/tpm_debug.h:69:9: error: 'printf' macro redefined [-Werror,-Wmacro-redefined]
#define printf(...) TPMLIB_LogPrintf(__VA_ARGS__);
: ^
/usr/include/x86_64-linux-gnu/bits/stdio2.h:110:11: note: previous definition is here
# define printf(...) \
^
1 error generated.
The simple fix is to #undef printf in case it is #define'd.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

gcc 12.1 supports _FORTIFY_SOURCE=3. Modify the existing check for whether
_FORTIFY_SOURCE=2 can be used to test compile with the user provided
CFLAGS and only add -D_FORTIFY_SOURCE=2 to the HARDENING_CFLAGS if the
user doesn't provide anything that's not compatible.
Following an online article _FORTIFY_SOURCE=3 may add more overhead, so
we only go up to level 2 for now and let build servers or users provide
the higher level via the CFLAGS.
https://developers.redhat.com/blog/2021/04/16/broadening-compiler-checks-for-buffer-overflows-in-_fortify_source#what_s_next_for__fortify_source
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Add probing for -fstack-protector to the existing
-fstack-protector-strong since not all platforms support either one
of them.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

OpenSSL 3.0 did return an error if EVP_PKEY_CTX_set0_rsa_oaep_label was called
with label size 0. The function should only be called if the size of the label
is greater than 0.
With this fix TPM2_RSA_Encrypt/Decrypt did work with OpenSSL 1.1 and 3.0
for encryption without label.
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>