This reverts commit 9afebc712a.
The issue is that opensslv.h is not included and thus the
OPENSSL_VERSION_NUMBER is not getting set.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Delay the creation of the EVP_PKEY in InitOpenSSLRSAPrivateKey
so that we can create the key with all the parameters at once.
We have to do this since with the OpenSSL 3.0 API we cannot set
parameters after the initial creation of the key anymore.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Get the BIGNUMs N and E from an RSA key OBJECT. The purpose of
this refactoring is be able to reuse the new function.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement BuildRSAKey for building an RSA EVP_PKEY from copies
of the BIGNUMs it gets passed. This way it is clear that the
caller has to free the BIGNUMs it passed itself also in case of
error returned by BuildRSAKey.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Exit the loop when the variable could not be filled with data from the
byte stream. This avoids accessing the variable 'element' in case it
wasn't initialized. The old could would have accessed the possibly
uninitialized variable but exited the loop immediately after.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Only access the entrysize variable if it was read from the buffer. In case
of an error just head towards the exit. Previously, an error would also
have lead the function to do no more useful processing and exited it with
an error code bug Coverity complains that the entrysize variable would be
access while it wasn't initialized.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Update the description of the tpm_io_getlocality() callback function
that the TPM 2 code invokes to get the currently active locality.
It is expected that the called software is trusted and returns a valid
locality number at all times and thus also always return TPM_SUCCESS.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Check the secret size against the size of the buffer, not the size
member that has not been set yet.
Reported by Coverity.
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
In TPM_NVRAM_LoadData(), there is an unlikely path where the function
will return an error code but still expect the caller to free the
allocated data. At least some of the callers don't handle this correctly
so ensure that the caller only needs to free data if the function
returns success.
Reported by Coverity.
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
The build environment used by OSS-Fuzz reports this error.
In file included from /src/libtpms/src/tpm_debug.c:42:
/src/libtpms/src/tpm_debug.h:69:9: error: 'printf' macro redefined [-Werror,-Wmacro-redefined]
#define printf(...) TPMLIB_LogPrintf(__VA_ARGS__);
: ^
/usr/include/x86_64-linux-gnu/bits/stdio2.h:110:11: note: previous definition is here
# define printf(...) \
^
1 error generated.
The simple fix is to #undef printf in case it is #define'd.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
gcc 12.1 supports _FORTIFY_SOURCE=3. Modify the existing check for whether
_FORTIFY_SOURCE=2 can be used to test compile with the user provided
CFLAGS and only add _D_FORTIFY_SOURCE=2 to the HARDENING_CFLAGS if the
user doesn't provide anything that's not compatible.
Following an online article _FORTIFY_SOURCE=3 may add more overhead, so
we only go up to level 2 for now and let build servers or user provide
the higher level via the CFLAGS.
https://developers.redhat.com/blog/2021/04/16/broadening-compiler-checks-for-buffer-overflows-in-_fortify_source#what_s_next_for__fortify_source
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Address an issue reported by cppcheck that raises the issue that
tpm_state_path could be NULL when the #define TPM_NV_DISK is not set.
Require that the #define TPM_NV_DISK always be set.
Resolves: https://github.com/stefanberger/libtpms/issues/313
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Initialize a variable in ExecuteCommand following Coverity report
CID 1461252.
Down the callpath as reported in CID 1461252 in
TPMI_ST_COMMAND_TAG_Unmarshal() the passed-in value of
TPMI_ST_COMMAND_TAG *target is stored and possibly restored later on in
case of failure. Coverity complains that the variable is uninitialized.
While this is correct, there's no harm reading the uninitialized value
from the structure and possibly restoring it later on while not doing
anything else with it otherwise. Therefore, it's a false positive.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Initialize a variable in TPM2_PolicyAuthorizeNV() following Coverity
report CID 1470811.
Down the callpath as reported in CID 1470811 in TPMI_ALG_HASH_Unmarshal()
the passed-in value of TPMI_ALG_HASH *target is stored and possibly
restored later on in case of failure. Coverity complains that the variable
is uninitialized. While this is correct, there's no harm reading the
uninitialized value from the structure and possibly restoring it later
on while not doing anything else with it otherwise. Therefore, it's a
false positive.
Resolves: https://github.com/stefanberger/libtpms/issues/311
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Initialize a variable in USER_NVRAM_Unmarshal() follow Coverity
report CID 1470812.
Down the callpath as reported in CID 1470812 in TPMA_NV_Unmarshal() the
passed-in value of TPMA_NV *target is stored and possibly restored later
on in case of failure. Coverity complains that the variable is
uninitialized. While this is correct, there's no harm reading the
uninitialized value from the structure and possibly restoring it later
on while not doing anything else with it otherwise. Therefore, it's a
false positive.
Resolves: https://github.com/stefanberger/libtpms/issues/310
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add probing for -fstack-protector to the existing
-fstack-protector-strong since not all platforms support either one
of them.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Openssl 3.0 did return an error if EVP_PKEY_CTX_set0_rsa_oaep_label was called
with label size 0. The function should only be called if the size of the label
is greater 0.
With this fix TPM2_RSA_Encrypt/Decrypt did work with OpenSSL 1.1 and 3.0
for encryption without label.
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
Only access the variable 'nvi' when the previous unmarshalling worked.
Before this change the undefined value of nvi would have been written
to memory but the error code from the failed marshalling propagated to
the caller so that it was working correctly before as well.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Cast the '1' to UINT64 before shifting it.
Since the shift value is always below 32 it would have never exceeded
the 32bit value it was using before the cast.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Fix typo in the __GNUC_MINOR__ preprocessor symbol.
This change is unlikely to have any impact since it was used for
comparions for gcc version 4.2, which is not in use anymore by now.
Resolves: https://github.com/stefanberger/libtpms/issues/289
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
If s_ContextSlotMask was not set since the TPM 2 was not initialized
by a call to TPM_Manufacture() or the state was not resumed, then
initialize the s_ContextSlotMask to 0xffff.
This situation can occur if a VM with an attached swtpm was started
and the VM's firmware either doesn't support TPM or didn't get to
initialize the vTPM.
The following commands recreated the issue with a SeaBIOS-only VM that
had no attached hard disk but an attached TPM 2:
virsh start BIOS-only-VM ; virsh save BIOS-only-VM save.bin ; \
virsh restore save.bin
Error: Failed to restore domain from save.bin
error: internal error: qemu unexpectedly closed the monitor: \
2022-01-04T19:26:18.835851Z qemu-system-x86_64: tpm-emulator: Setting the stateblob (type 2) failed with a TPM error 0x3 a parameter is bad
2022-01-04T19:26:18.835899Z qemu-system-x86_64: error while loading state for instance 0x0 of device 'tpm-emulator'
2022-01-04T19:26:18.835929Z qemu-system-x86_64: load of migration failed: Input/output error
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2035731
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
exp_array_size is always initialized if `rc == TPM_RC_SUCCESS` and never used
if `rc != TPM_RC_SUCCESS` but some compilers have trouble noticing this.
Signed-off-by: kpcyrd <git@rxv.cc>
To avoid timeouts on short-running commands, such as TPM2_PCR_Extend,
avoid triggering the writing of the permanent state of the TPM 2
if only the clock was updated. So the clock by itself will not cause
the permanent state to be written out anymore but there have to be
other reasons as well.
The state will still be written out upon a TPM2_Shutdown, which is
supposed to be the last command to be sent to the TPM when shutting
down the VM/vTPM. Also, the permanent state will still carry the
latest clock value if it is retrieved via control channel for
VM/VTPM suspend.
The case that may be affected, but is of lesser importance, is the one
where swtpm's volatile state is written to storage using 'swtpm_ioctl -v'
and then swtpm is terminated and restarted (similar to suspend/resume)
and the permanent state file is read from storage but does not contain
the latest clock value. In this case the go.clock will be updated when
the first command after resume is executed.
This fixes the swtpm issue https://github.com/stefanberger/swtpm/issues/597.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
