Some time around rev169 a new function to generate RSA prime numbers was
introduced. Use this function for a 'new' SEED_COMPAT_LEVEL_LAST that now
gets value '2'.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Since the RSA prime number generation logic was again changed some time
around rev 169, rename the identifier for the current method from
SEED_COMPAT_LEVEL_RSA_PRIME_ADJUST_FIX to
SEED_COMPAT_LEVEL_RSA_PRIME_ADJUST_PREREV169 and use it to replace
SEED_COMPAT_LEVEL_LAST where necessary.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Revision 1.69 received new code for RsaAdjustPrimeCandidate and therefore
rename the existing function by appending a suffix _PreRev169 to it.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Fix an HMAC signing issue that may cause an out-of-bounds access in a
TPM2B that in turn was running into an assert() in libtpms causing an
abort. The signing issue was due to an inconsistent pairing of the signKey
and signScheme parameters, where the signKey is an ALG_KEYEDHASH key and
inScheme is an ECC or RSA scheme.
This fixes CVE-2025-49133.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
In CheckLockedOut replace the return code of TPM_RC_RETRY with
TPM_RC_SUCCESS since it does not seem to be necessary to run the TPM2
command again, but the TPM2 can continue executing the current command.
If NVRAM wasn't available then the code in CheckLockedOut would return
with an error already.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To enable RSA-4096 in the default-v2 profile, set the stateFormatLevel
to STATE_FORMAT_LEVEL_CURRENT (8).
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Fix the following bugs in RuntimeProfileDedupStrItems:
- RuntimeProfileDedupStrItems did not memmove the correct number of bytes,
leading to potential crashes.
- Also, it did not handle deduplicating the last item in the
comma-separated list correctly.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
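An added example (not libtpms code) of the two failure modes this commit describes, using a hypothetical in-place dedup helper: when a duplicate is not the last item, the memmove must cover the item, its trailing comma and the NUL terminator; when the duplicate is the last item, the comma preceding it is dropped instead.

```c
#include <string.h>

/* Remove duplicate items from a comma-separated list in place, keeping the
 * first occurrence of each item. Returns the number of items removed.
 * Hypothetical helper written for this note, not libtpms'
 * RuntimeProfileDedupStrItems. */
static size_t dedup_str_items(char *list)
{
    size_t removed = 0;
    char *item = list;
    while (*item) {
        size_t ilen = strcspn(item, ",");
        char *p = item + ilen;           /* ',' after item, or '\0' */
        while (*p == ',') {
            char *cand = p + 1;
            size_t clen = strcspn(cand, ",");
            if (clen == ilen && memcmp(cand, item, ilen) == 0) {
                if (cand[clen] == ',') {
                    /* Not the last item: drop "item," and move the rest,
                       including the NUL terminator (strlen + 1 bytes). */
                    memmove(cand, cand + clen + 1, strlen(cand + clen + 1) + 1);
                } else {
                    /* Last item: drop the comma before it and the item. */
                    *p = '\0';
                }
                removed++;               /* p unchanged: re-check this slot */
            } else {
                p = cand + clen;
            }
        }
        if (item[ilen] != ',')
            break;
        item += ilen + 1;
    }
    return removed;
}

/* Dedup a copy of 'in'; returns items removed, or -1 if result != expect. */
static int dedup_check(const char *in, const char *expect)
{
    char buf[256];
    if (strlen(in) >= sizeof(buf))
        return -1;
    strcpy(buf, in);
    int removed = (int)dedup_str_items(buf);
    return strcmp(buf, expect) == 0 ? removed : -1;
}
```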
- Enable RSA_4096
- Add RSA_4096 to s_KeySizesRSA at stateFormatLevel 8
- Increase STATE_FORMAT_LEVEL_CURRENT to 8
- Update tests for larger object size and increased StateFormatLevel
- In NVMarshal.c replace MAX_RSA_KEY_BITS with old value 3072
so that the state is acceptable to older versions of libtpms;
if we wrote 4096, then older versions of libtpms would reject the
state.
- In NVMarshal.c replace RSA_4096 with '0' so it is acceptable to older
versions; if we wrote '1', then older versions of libtpms would reject
the state.
Fixes: #491
Signed-off-by: Dan Streetman <ddstreet@ieee.org>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The 'default-v2' profile is currently just a copy of the 'default-v1'
profile, other than the change in the .description text to change
'v0.10' to 'v0.11'.
Signed-off-by: Dan Streetman <ddstreet@ieee.org>
Resolve an issue reported by Coverity caused by the maximum value of
datasize (max. size of an NV index) that was allowed to be 0x10100
(17 bits) even though later on it tried to read an array of maximum size
expressed by 16 bits (Coverity complaint). However, the maximum value of
datasize could only ever have been MAX_NV_INDEX_SIZE, which is gated by
restrictions on the size of an NV index. Therefore, restrict the maximum
datasize of an NV index to MAX_NV_INDEX_SIZE (2048 bytes) since this is
the maximum size that an NV index can be defined for.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The following error occurs on Fedora build servers. To silence the
compiler warning add runtime asserts:
tpm2/crypto/openssl/CryptCmac.c: In function 'CryptCmacEnd':
tpm2/crypto/openssl/CryptCmac.c:194:48: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=]
194 | subkey.t.buffer[subkey.t.size - 1] ^= xorVal;
| ^
tpm2/TpmTypes.h:1477:33: note: at offset -1 into destination object 'buffer' of size 16
1477 | BYTE buffer[MAX_SYM_BLOCK_SIZE];
| ^
lto1: all warnings being treated as errors
In CryptCmacStart the following initialization is done:
cState->iv.t.size = CryptGetSymmetricBlockSize(def->algorithm, def->keyBits.sym);
Also ensure that CryptGetSymmetricBlockSize in this case also always returns
a valid size to the TPM2B_IV that it is initializing, which would be the root
cause of any error.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
There seems to be a well-known error in setuptools 71.x that prevents
installation of cpp-coveralls on Travis now:
File "/usr/local/lib/python3.10/dist-packages/setuptools/_core_metadata.py", line 285, in _distribution_fullname
canonicalize_version(version, strip_trailing_zero=False),
TypeError: canonicalize_version() got an unexpected keyword argument 'strip_trailing_zero'
Fall back to the default version that is used in Ubuntu Jammy (59.6.0)
since later versions also lead to the same error.
Link: https://github.com/pypa/setuptools/issues/4483
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The nvram_offsets test fails on 32bit targets due to an unexpected size
of an OBJECT. This was due to missing padding.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Avoid the following error message due to potentially
uninitialized variable:
base64decode.c:64:20: warning: The right operand of '!=' is a garbage \
value [core.UndefinedBinaryOperatorResult] <--[clang]
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When --disable-static is used statically linked tests cannot be run.
Therefore, put the evaluation of --enable-static-tests after
--disable-static has been tested for and only set ENABLE_STATIC_TESTS
if both are 'yes'.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Fix the following gcc warning on Fedora rawhide:
tpm2_cve-2023-1017.c: In function ‘main’:
tpm2_cve-2023-1017.c:169:5: warning: ‘cmd’ may be used uninitialized [-Wmaybe-uninitialized]
169 | free(cmd);
| ^~~~~~~~~
tpm2_cve-2023-1017.c:125:20: note: ‘cmd’ was declared here
125 | unsigned char *cmd = malloc(maxcmdsize);
| ^~~
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
If the user provides no Attributes field in the profile then do not copy
the attributes from the internal profile if that profile may be modified.
In this case assume that the user wanted no attributes. It now is
also unnecessary that any Attributes be set in a modifiable profile ever,
since they will not be copied.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Adjust the regex checking the JSON input to allow for empty string values,
which will be only used by 'Attributes' since they are all optional.
Then, allow the user to provide an empty string with the Attributes in the
JSON like this: {...,"Attributes":"", ...}
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Per "TCG FIPS 140-3 guidance for TPM 2.0" document the following functions
must prevent an asymmetric ECC key derivation:
- Table 14: TPM2_CreateLoaded
- Table 18: TPM2_ZGen_2Phase
- Table 26: TPM2_Commit
- Table 26: TPM2_EC_Ephemeral
Return TPM_RC_TYPE as a return code to indicate failure of deriving a key.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Restrict profile names to 32 characters to avoid having to carry
excessively long names in the TPM's state file.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Allow setting the minimum HMAC key size and add enforcement gates.
Check that the value of hmac=min-key-size given in the profile is not
larger than 1024. This value is taken from the maximum size of
TPM2B_SENSITIVE, which is MAX_SYM_DATA (=128), which can be provided as
key to an HMAC.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Some function parameters are unused due to OpenSSL usage and other changes
by libtpms. Mark those as unused to avoid static analyzer warnings.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To avoid static analyzer warnings due to non-literal format strings being
used, wrap asprintf in TPMLIB_asprintf and call vasprintf from there.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement a pairwise consistency test for RSA keys that is to be enabled
with FIPS_COMPLIANT #define temporarily. Test encryption+decryption and
sign+verify with the created key on random input data.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
drbg-continous-test enables an existing code block that was previously
only enabled when the FIPS_COMPLIANT #define was set. This code block
ensures that the previous 4 consecutive random numbers do not appear again
at the beginning of a 16-byte block.
Extend an existing test case with this new attribute.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>