Since GLOBAL_C is now set in Platform.h it is necessary to adjust the usage
of this #define in NVMarshal.c.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Rename the functions and adjust callers everywhere:
- BnGetRandomBits to TpmMath_GetRandomInteger
- BnGenerateRandomInRange to TpmMath_GetRandomInRange
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Set ALLOW_FORCE_FAILURE_MODE to 'NO' and used it in some places where
SIMULATION was used, which is also set to 'NO'.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
VENDOR_PERMANENT was not defined by libtpms and therefore it was not
used. Now libtpms sets VENDOR_PERMANENT_AUTH_ENABLED to NO to replace
the VENDOR_PERMANENT from before.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Since libtpms sets RSA_KEY_SIEVE = YES the TpmMath_IsProbablyPrime is
unused and can be modified in any way without affecting anything.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add new #define's for Crypt_Int* numbers, which are compatible to bigNum
and bitConst. Only add some functions that support Crypt_Int* in this step.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The value returned from a call to this function is written into
g_platformUniqueDetails but not used by libtpms since VENDOR_PERMANENT is
not set.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Some of the defines are used in JSON strings and to have them properly
formatted, remove the surrounding '()' from numbers.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The function has been tested to show that the PCRs are initialized
with the same values as before.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Since none of the authValuesGroup's and policyAuthGroup's are != 0,
the two functions will now always return false even though they
returned TRUE before for 20 <= PCR <= 22.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Disable some PCR functions that are not needed in this step, use
other ones and adjust call sites.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Replace _plat__IsNvAvailable with _plat__GetNvReadyState and use #define's
as return values. Adjust call sites.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Replace _plat__ClockAdjustRate with _plat__ClockRateAdjust and use its
new #defines at the call sites.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add platform_public_interface.h from upstream and disable some prototypes
and #defines for functions that are not needed or not needed yet. Remove
prototypes in other header files to avoid duplicates.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add a simplified version of HierarchyNormalizeHandle that simply returns
the passed handle and sync the callers with upstream.
HierarchyNormalizeHandle will be extended at some later point.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Since HierarchyGetPrimarySeedCompatLevel may in the future be called with
some other hierarchies than the currently existing ones, return the value
SEED_COMPAT_LEVEL_LAST in this case instead of causing an internal
failure.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add compiler dependencies files for gcc and msvc and remove some of
the existing #define from CompilerDependencies.h
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Like OpenSSL use the Carmichael function for the RSA private exponent D
when an RSA key has >= 2048 bits and public exponent e uses more than
2 bytes. Otherwise use the Euler totient function.
The main difference is that by TPM 2 using the Carmichael function OpenSSL
now behaves the same way as when it is used by other programs that for
example load keys from PEM files where the private exponent D was
calculated with this function. The difference is seen when for example
blobs cannot be decrypted where newer versions of OpenSSL (with implicit
rejection enabled) returned results of 48 bytes every time rather than a
deterministic (for same input blob) but varying number of bytes (Euler
totient).
Switching to the Carmichael function does not have any negative impact
on interoperability with OpenSSL nor does it affect interoperability
between versions of TPM 2 code that did not use it. This means that
data encrypted or signed by OpenSSL or TPM 2 can be decrypted or verified
by TPM 2 or OpenSSL and that data encrypted or signed with either new
or old code in TPM 2 can be decrypted or verified with either old or
new code in TPM 2.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
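
The interoperability claim in the message above can be checked on a toy key. This is an added example, not libtpms or OpenSSL code: the primes, exponent, message and all function names are constructed for illustration and are far too small for real use.

```c
#include <stdint.h>
#include <stdio.h>

static uint64_t gcd_u64(uint64_t a, uint64_t b)
{
    while (b != 0) { uint64_t t = a % b; a = b; b = t; }
    return a;
}

/* Inverse of e modulo m (extended Euclid); returns 0 when gcd(e, m) != 1. */
static uint64_t mod_inverse(uint64_t e, uint64_t m)
{
    int64_t r0 = (int64_t)m, r1 = (int64_t)(e % m), t0 = 0, t1 = 1;
    while (r1 != 0) {
        int64_t q = r0 / r1, tmp;
        tmp = r0 - q * r1; r0 = r1; r1 = tmp;
        tmp = t0 - q * t1; t0 = t1; t1 = tmp;
    }
    if (r0 != 1) return 0;
    return (uint64_t)(t0 < 0 ? t0 + (int64_t)m : t0);
}

/* Square-and-multiply; the toy modulus keeps every product below 2^64. */
static uint64_t mod_pow(uint64_t base, uint64_t exp, uint64_t mod)
{
    uint64_t result = 1;
    for (base %= mod; exp != 0; exp >>= 1) {
        if (exp & 1) result = result * base % mod;
        base = base * base % mod;
    }
    return result;
}

/* d = e^-1 mod phi(n) (Euler) or mod lambda(n) = lcm(p-1, q-1) (Carmichael). */
static uint64_t private_exponent(uint64_t p, uint64_t q, uint64_t e, int carmichael)
{
    uint64_t phi = (p - 1) * (q - 1);
    return mod_inverse(e, carmichael ? phi / gcd_u64(p - 1, q - 1) : phi);
}

int main(void)
{
    const uint64_t p = 61, q = 53, e = 17, n = p * q; /* constructed toy key */
    uint64_t dE = private_exponent(p, q, e, 0), dC = private_exponent(p, q, e, 1);
    uint64_t c = mod_pow(65, e, n);                   /* encrypt m = 65 */
    printf("d(Euler)=%llu d(Carmichael)=%llu m=%llu m=%llu\n",
           (unsigned long long)dE, (unsigned long long)dC,
           (unsigned long long)mod_pow(c, dE, n), (unsigned long long)mod_pow(c, dC, n));
    return 0;
}
```

The two private exponents differ, but they are congruent modulo lcm(p-1, q-1), so either one recovers the same plaintext from the same ciphertext.
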
Rearrange the call to RsaInitializeExponentOld in CryptRsaGenerateKey
so that this function can be removed from the OpenSSLCryptRsaGenerateKey
implementations.
Sync the PackExponent and UnpackExponent functions calls with upstream
but comment them since libtpms does not use them (will not remove
privateExponent from OBJECT).
Add comments to diffs between libtpms and upstream.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Since we never set the RSA_prime_flag or pack Q, dP, dQ, qInv into the
sensitive->rsa TPM 2, deactivate the block checking this flag because
it will never be used.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Sync ObjectLoad with upstream. Now CryptRsaLoadPrivateExponent may be
called with the object parameter being NULL, which happens only when
it is called from TPM2_Import().
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
In the next patch there will be ObjectLoad calling
CryptRsaLoadPrivateExponent without providing an OBJECT to this function
but only to use it to check the consistency of TPMT_PUBLIC and
TPMT_SENSITIVE parameters. To allow this, add these two parameters to the
function (= sync with upstream) but also keep the rsaKey as an optional
parameter (libtpms only) so that the flag attributes.privateExp can still
be set on the key in case the values for dP, dQ, qInv are valid.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Also use the new privateExponent for dP, dQ and qInv.
There are two functions that need to be adapted:
- ComputePrivateExponent: producer of these parameters
- RsaPrivateKeyOp : consumer of these parameters
ComputePrivateExponent is converted to store the results into Z->dP,
Z->dQ, and Z->qInv. Therefore, remove the old privateExponent parameter
*pExp, that was previously used to store them, from the signature of this
function and pull out the initialization of pExp and preservation of Q
to be done before calling this function. This is done in the 2 calling
functions. After returning from the function copy the values of Z->dP,
Z->dQ, and Z->qInv to the old privateExponent where the results had
been stored previously and where we need to have them.
This change results in a sequence like this for the 2 callers:
    RsaInitializeExponentOld(&rsaKey->privateExponent);
    BnCopy((bigNum)&rsaKey->privateExponent.Q, Z->Q); // preserve Q
    VERIFY(ComputePrivateExponent(bnE, Z));
    RsaSetExponentOld(&rsaKey->privateExponent, Z); // duplicate dP, dQ, qInv
The values for dP, dQ, and qInv are consumed by RsaPrivateKeyOp. Therefore,
adjust this function's signature by removing the old privateExponent
parameter *pExp from it and make sure that callers initialize Z->dP,
Z->dQ, and Z->qInv before calling this function. There are two call-sites
where the one in RSADP looks like this:
    RsaSetExponentFromOld(Z, &key->privateExponent); // copy Q, dP, dQ, qInv to Z
    VERIFY(RsaPrivateKeyOp(bnM, Z));
The call site in CryptRsaGenerateKey has called ComputePrivateExponent
before, therefore it already holds the values in Z.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Pass the new privateExponent to RsaPrivateKeyOp replacing the P parameter.
To be able to use MakePgreaterThanQ(Z), make sure that both callers of
this function have Z->P and Z->Q values properly set.
This function has the following two callers:
- CryptRsaPrivateKey: Z->P and Z->Q are already holding valid values
- RSADP: Copy the value of privateExponent.Q to Z->Q.
An inconsequential side effect of the changes to RsaPrivateKeyOp()
is that Z->P is greater than Z->Q upon return from this function.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Replace the local variable bnP with Z->P. Initialize Z->P with the
value that bnP had been initialized with.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Replace the P and Q parameters of ComputePrivateExponent with the new
privateExponent struct (sync with upstream).
ComputePrivateExponent has two callers:
- CryptRsaGenerateKey: Z already holds P and Q from previous change
- CryptRsaLoadPrivateExponent: Sync the code with upstream so that we can also
use the privateExponent Z as parameter to ComputePrivateExponent holding
valid values in Z->P and Z->Q.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
- Import RsaInitializeExponent from upstream
- CryptRsaGenerateKey: Replace local bnP and bnQ variables by using Z->P
and Z->Q respectively
The only side-effect this change has is that it costs more initialization
time when NEW_PRIVATE_EXPONENT initializes the currently unused variables
dP_unused, dQ_unused, and qInv_unused.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The upstream function switches entirely to publicArea and sensitive
parameters for CryptRsaGenerateKey getting rid of the OBJECT. We still
need the OBJECT at this point, so keep it for now but annotate the
code and add a consistency check that ensures that the publicArea and
sensitive parameters are from the OBJECT. This holds for the single
caller.
Adjust the single caller to the change in parameters.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Previously the key check was done when object == NULL. Now this
particular case is handled by a check being done when parent == NULL
since the only caller of ObjectLoad() with object == NULL also has
parent == NULL, so there's no behavior change. All other cases
are handled as before.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
- Use UnsignedCompareB() rather than BnUnsignedCmp()
- Use VERIFY to check results and add failure exit.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
- Remove code related to CRT_FORMAT_RSA == NO.
- Remove N parameter from function and adjust callers
- Use VERIFY after each statement
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
- Remove support for CRT_FORMAT_RSA == NO
- Remove now unused parameter N from function signature; adjust callers
- Rename E to pubExp
- Rename temp to pT
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
- Continue the prime number generation while retVal == TPM_RC_NO_RESULT
- Terminate the loop when BnGeneratePrimeForRSA() returns a failure
The changes should not lead to any different primary keys than before.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
RSA_PRIVATE_SIZE is the correct size to use since this is the size that
TPM2B_PRIVATE_KEY_RSA has been defined with.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When an object is later marshalled in TPM2_ContextSave, the publicOnly
attribute isn't taken into account and therefore potentially stale
sensitive information can be marshalled, which is a problem if the
buffer sizes it contains have values that are too large - this
triggers assertion failures.
Avoid this by clearing out the sensitive area upon ObjectLoad if not
provided, making the behaviour consistent with when a fresh, unused,
object entry is used.
Signed-off-by: Rob Shearman <rob@graphiant.com>
Fix two locations where s_ccAttr[0].commandIndex is used to access the
commandIndex, which does not work when bitfields are not used. Use
GET_ATTRIBUTE() to access the field so that it works when bitfields are
used and when they are not used. There are several locations in this
file where GET_ATTRIBUTE() is already used to access commandIndex.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Address a false positive issue detected by Coverity (CID 1517797)
about *buflen.
Per this assignment of buflen
    cached_blobs[st].buflen = buffer ? buflen : BUFLEN_EMPTY_BUFFER;
the following is true:
If cached_blobs[].buffer is NULL then *buflen = BUFLEN_EMPTY_BUFFER
If cached_blobs[].buffer is not NULL then *buflen != BUFLEN_EMPTY_BUFFER
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add the implementation for TPM2_ECC_Encrypt/Decrypt. It cannot be
easily enabled due to possible downgrading requirements and also
issues with size-expansion of the PERSISTENT_DATA.auditCommands from
14 to 15 bytes.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Sync with upstream to fix issue in CryptParameterEncryption() from TPM 2
errata v1.4 2.6.1:
"The functions CryptParameterEncryption() and CryptParameterDecryption() in
the reference code in Part 4, 10.2.6.6.5 and 10.2.6.6.6 do not correctly
check the size of the parameter buffer to be encrypted or decrypted. To fix
the issue, the functions should be corrected to check that the parameter
buffer (a TPM2B type field) is at least 2 bytes in length and should use
the function UINT16_Unmarshal() to read the size of the buffer instead of
BYTE_ARRAY_TO_UINT16().
[...]
The fixed CryptParameterEncryption() function will enter failure mode and
return TPM_RC_FAILURE if the internal response buffer does not contain
enough data for the UINT16 size field."
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Fix the following issue from TPM 2 errata v1.4 2.6.3:
"The function CryptGenerateKeyDes() in the reference code in Part 4,
0.2.9.2.3 does not correctly check the symmetric key size provided in the
sensitive parameter. To fix the issue, the function will check that the
size of the requested TDES key is a multiple of 8 bytes or otherwise the
TPM will return TPM_RC_SYMMETRIC."
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Fix the missing buffer size check that the TPM 2 errata v1.4 mentions in
2.6.2 by adding a buffer size check before reading 2 bytes from a
TPM2B_NAME buffer. There's no known CVE for this.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Check that there are sufficient bytes in the buffer before reading the
cipherSize from it. Also, reduce the bufferSize variable by the number
of bytes that make up the cipherSize to avoid reading and writing bytes
beyond the buffer in subsequent steps that do in-place decryption.
This fixes CVE-2023-1017 & CVE-2023-1018.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
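
The size-prefix checks described in the errata 2.6.1 and 2.6.2 messages and in the CVE-2023-1017 / CVE-2023-1018 message above follow one pattern, sketched here as an added example. It is not the libtpms code: the function name, status codes, sample buffers and the XOR stand-in for decryption are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical status codes for this example; not the TPM_RC_* values. */
enum { PARSE_OK = 0, PARSE_ERR_INSUFFICIENT = 1, PARSE_ERR_SIZE = 2 };

/*
 * Read the 2-byte big-endian cipherSize prefix, then apply an in-place
 * transform (XOR with 0xAA, a stand-in for decryption) to the payload only.
 */
static int decrypt_sized_field(uint8_t *buffer, size_t bufferSize, uint16_t *cipherSize)
{
    /* The size field itself must fit in the buffer before it is read. */
    if (buffer == NULL || bufferSize < sizeof(uint16_t))
        return PARSE_ERR_INSUFFICIENT;
    uint16_t size = (uint16_t)((buffer[0] << 8) | buffer[1]);

    /* The prefix is consumed: only the remaining bytes may hold ciphertext. */
    bufferSize -= sizeof(uint16_t);
    if (size > bufferSize)
        return PARSE_ERR_SIZE;

    for (size_t i = 0; i < size; i++)
        buffer[sizeof(uint16_t) + i] ^= 0xAA;
    *cipherSize = size;
    return PARSE_OK;
}

/* Constructed inputs: valid field, 1-byte buffer, size claiming 4 of 3 bytes. */
static uint8_t sample_ok[]    = { 0x00, 0x03, 0x11, 0x22, 0x33 };
static uint8_t sample_short[] = { 0x00 };
static uint8_t sample_over[]  = { 0x00, 0x04, 0x11, 0x22, 0x33 };
static uint16_t parsed_size;

int main(void)
{
    printf("ok=%d short=%d over=%d\n",
           decrypt_sized_field(sample_ok, sizeof sample_ok, &parsed_size),
           decrypt_sized_field(sample_short, sizeof sample_short, &parsed_size),
           decrypt_sized_field(sample_over, sizeof sample_over, &parsed_size));
    return 0;
}
```

`sample_over` is the case the second check exists for: its claimed size of 4 is no larger than the 5-byte buffer, so a comparison against the unreduced bufferSize would accept it and the in-place loop would touch one byte past the end.
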
Add a caching layer to GetEVPCipher() to avoid having to call evpfn()
multiple times. Instead, return the 'const EVP_CIPHER *' that a single
call to evpfn() (for a particular algorithm + mode + key size) returned
and cache it for subsequent calls.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>