Some time around rev169 a new function to generate RSA prime numbers was
introduced. Use this function for a 'new' SEED_COMPAT_LEVEL_LAST that now
gets value '2'.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To enable RSA-4096 in the default-v2 profile, set the stateFormatLevel
to STATE_FORMAT_LEVEL_CURRENT (8).
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
- Enable RSA_4096
- Add RSA_4096 to s_KeySizesRSA at stateFormatLevel 8
- Increase STATE_FORMAT_LEVEL_CURRENT to 8
- Update tests for larger object size and increased StateFormatLevel
- In NVMarshal.c replace MAX_RSA_KEY_BITS with old value 3072
so that the state is acceptable to older versions of libtpms;
if we wrote 4096, then older versions of libtpms would reject the
state.
- In NVMarshal.c replace RSA_4096 with '0' so it is acceptable to older
versions; if we wrote '1', then older versions of libtpms would reject
the state.
Fixes: #491
Signed-off-by: Dan Streetman <ddstreet@ieee.org>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The 'default-v2' profile is currently just a copy of the 'default-v1'
profile, other than the change in the .description text to change
'v0.10' to 'v0.11'.
Signed-off-by: Dan Streetman <ddstreet@ieee.org>
Avoid the following error message due to potentially
uninitialized variable:
base64decode.c:64:20: warning: The right operand of '!=' is a garbage \
value [core.UndefinedBinaryOperatorResult] <--[clang]
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Fix the following gcc warning on Fedora rawhide:
tpm2_cve-2023-1017.c: In function ‘main’:
tpm2_cve-2023-1017.c:169:5: warning: ‘cmd’ may be used uninitialized [-Wmaybe-uninitialized]
169 | free(cmd);
| ^~~~~~~~~
tpm2_cve-2023-1017.c:125:20: note: ‘cmd’ was declared here
125 | unsigned char *cmd = malloc(maxcmdsize);
| ^~~
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Adjust the regex checking the JSON input to allow for empty string values,
which will be only used by 'Attributes' since they are all optional.
Then, allow the user to provide an empty string with the Attributes in the
JSON like this: {...,"Attributes":"", ...}
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Per "TCG FIPS 140-3 guidance for TPM 2.0" document the following functions
must prevent an asymmetric ECC key derivation:
- Table 14: TPM2_CreateLoaded
- Table 18: TPM2_ZGen_2Phase
- Table 26: TPM2_Commit
- Table 26: TPM2_EC_Ephemeral
Return TPM_RC_TYPE as a return code to indicate failure of deriving a key.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Allow setting the minimum HMAC key size and add enforcement gates.
Check that the value of hmac=min-key-size given in the profile is not
larger than 1024. This value is taken from the maximum size of
TPM2B_SENSITIVE, which is MAX_SYM_DATA (=128), which can be provided as
key to an HMAC.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
drbg-continous-test enables an existing code block that was previously
only enabled when FIPS_COMPLIANT #define was set. This code block
ensures that previous 4 consecutive random numbers do not appear again
at the beginning of a 16-byte block.
Extend an existing test case with this new attribute.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Remove the test case and renaming of the reference implementation of
CryptKDFe. Reverting this patch would bring the test case back in case
it was necessary.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To still be able to run the KDFe test case when the OpenSSL replacement
for the KDFe is to be used, rename the reference implemention to
ReferenceCryptKDFe that coexists with the CryptKDFe function that then
calls OSSLCryptKDFe.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement a KDFe replacement using OpenSSL's SSKDF and add a test
case that compares the current implementation against the one based
on the OpenSSL SSKDF.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Prevent SHA1 signature verification like FIPS mode on the host does
by implementing attribute no-sha1-signing.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Prevent SHA1 signature generation like FIPS mode on the host does
for RSA and all ECC (ecdsa, ecdaa, ecschnorr, sm2) signing algorithms
by implementing attribute no-sha1-signing.
Since CryptRSASign and CryptEccSign are called from CryptSign the
check for SHA1 can be done there. The other call locations are
from the algorithm test functions where the default hash is SHA512.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement support for RuntimeAttributes which will be provided using
the Attribute key in the map.
Implement a fip-host attribute that at this point does not do much.
Add test case for fips-host attribute.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Use free rather than TPM_Free to avoid the following warning:
tpm2_setprofile.c:377:18: warning: passing 'char *' to parameter \
of type 'unsigned char *' converts between pointers to integer \
types with different sign [-Wpointer-sign]
TPM_Free(profile);
../include/libtpms/tpm_memory.h:57:36: note: passing argument to \
parameter 'buffer' here
void TPM_Free(unsigned char *buffer);
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Bump up the StateFormatLevel to 6 and use it to introduce a new OBJECT
marshalling format version '4' that slighly changes how an OBJECT is
marshalled:
- only marshal the private exponent for an RSA key
- always marshal the new hierarchy field
The marshalling code can still write previous version '3' when an older
StateFormatLevel is used to support backwards compatibility.
Adjust the test cases marshalling an RSA key OBJECT to check against
expected sizes across a series of StateFormatLevels.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add new field hierarchy to OBJECT and assign values to it and access it.
Beyond the sync with upstream we need to also set the hierachy when
- an older OBJECT is converted to the current OBJECT
- an OBJECT is unmarshalled
Remove ObjectGetHierarchy since it is not needed anymore.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Test that a user is able to choose a specific StateFormatLevel that is not
required by any of the chosen commands but enables a bugfix in the TPM 2
code for example.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Intercept newly added unsupported external and permanent NV indices when
trying to unmarshal and NV index. Add a test case that was using an
unsupported external NV index.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Enable Camellia-192 and AES-192 and bump up the stateFormatLevel to '4'.
This now prevents using this state with previous stateFormatLevels (< 4)
because there Camellia-192 or AES-192 was not enabled and the user would
otherwise not be able to decrypt data with either one if it was usable.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Enable new commands ECC_Decrypt and ECC_Encrypt in the TPmProfile.h
and also in the 'default' profile. Since the additional commands extend
the ppList and auditCommands array, bump up the version of the stateLevel
to '2' and use the new marshalling functions by using the PERSISTENT_DATA
blob_version '5'.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Switch the implementation to uncompressed lists (from now on it must
remain uncompressed lists forever) and adapt functions who marshal
and unmarshal arrays that are affected by this switch:
- PERSISTENT_DATA.ppList
- PERSISTENT_DATA.auditCommands
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Introduce the #define MAX_MARSHALLED_OBJECT_SIZE to be used for a size of
a byte buffer that is supposed to hold a marshalled OBJECT. The number
is not exact but provides for a 'safe' size of a buffer.
Add a test case to check that MAX_MARSHALLED_OBJECT_SIZE is sufficient.
The test case needs access to ANY_OBJECT_Marshal, which is only available
when -static can be used for linking since otherwise the function is
private to the library. Static linking the test case does not work when
test-coverage is enabled, therefore disable statically linked test cases
in when test-coverage is enabled and give control to the user to disable
statically linked test cases in other cases as well.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
After adding BOOL allowNull parameter to TPMI_ECC_CURVE_Unmarshal rearrange
the order in which this command is listed in the unmarshalArray so that the
caller passes an addtional parameter to this function now.
Also add a fuzzer test case.
Fixes: 44f0cb0535 ("rev180: Sync TPMI_ECC_CURVE_Unmarshal")
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The new TPM 2 code casts bigNum's to Crypt_Int, which has an array 'd' of
type 'crypt_uword_t[2]' which then leads to the following types of errors
that we haven't found another solution for so far.
Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-2675de6341d4e056d04ab49179b8e5b8bd456589
/src/libtpms/src/tpm2/crypto/openssl/CryptPrime.c:377:20: runtime error: index 23 out of bounds for type 'crypt_uword_t[2]' (aka 'unsigned long[2]')
#0 0x5b4196 in RsaAdjustPrimeCandidate_New libtpms/src/tpm2/crypto/openssl/CryptPrime.c:377:20
#1 0x5b4196 in RsaAdjustPrimeCandidate libtpms/src/tpm2/crypto/openssl/CryptPrime.c:405:9
#2 0x5b4366 in TpmRsa_GeneratePrimeForRSA libtpms/src/tpm2/crypto/openssl/CryptPrime.c:454:6
#3 0x590953 in CryptRsaGenerateKey libtpms/src/tpm2/crypto/openssl/CryptRsa.c:1433:9
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When building the tests with `make check` and slibtool the tests will
then all fail to load libtpms.so.0.
$ ./base64decode
/tmp/libtpms/tests/.libs/base64decode: error while loading shared libraries: libtpms.so.0: cannot open shared object file: No such file or directory
This happens because they are linked with -ltpms rather than the
libtpms.la file which has unexpected results with slibtool. GNU libtool
does some magic to make this work while slibtool fails to link the
dependency.
The correct way to link internal dependencies is directly with the
libtool archive (.la) files where the -lfoo linker flags should be only
used with external dependencies. Additionally -no-undefined is added to
the LDFLAGS to ensure there aren't undefined references in the future.
Note:
* This doesn't happen if libtpms is installed to the system and the tests
find the already installs libtpms rather than the newly built library.
* GNU libtool silently ignores -no-undefined, but slibtool will respect
it.
Signed-off-by: orbea <orbea@riseup.net>
We have to store the permall state blob once it has been initialized since
otherwise some fields are not having proper values in the internal state.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Have the TPM 2's state suspended and resumed at every step to
ensure that we can marshal and unmarshal it.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Call die() causing as assert() to be triggered if an API call
returned an unexpected failure result.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When testing downgrading from libtpms 0.8 to 0.7 (which is not
possible), the error message which is reported is:
libtpms/tpm2: Unexpect value for MAX_RSA_KEY_BITS; its value 3072 is
not = 2048; (version: 2).
codespell (https://github.com/codespell-project/codespell) reports a
misspelling for "Unexpect", which should be "Unexpected". As the project
contains many more misspellings in comments, error messages and
documentation, fix all misspellings reported by codespell.
Signed-off-by: Nicolas Iooss <nicolas.iooss@ledger.fr>
