Rearrange the call to RsaInitializeExponentOld in CryptyRsaGenerateKey
so that this function can be removed from the OpenSSLCryptRsaGenerateKey
implementations.
Sync the PackExponent and UnpackExponent functions calls with upstream
but comment them since libtpms does not used them (will not remove
privateExponent from OBJECT).
Add comments to diffs between libtpms and upstream.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Since we never set the RSA_prime_flag or pack Q, dP, dQ, qInv into the
sensitive->rsa TPM 2, dactivate the block checking this flag because
it will never be used.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Sync ObjectLoad with upstream. Now CryptRsaLoadPrivateExponent may be
called with the object parameter being NULL, which happens only when
it is called from TPM2_Import().
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
In the next patch there will be ObjectLoad calling
CryptRsaLoadPrivateExponent without providing an OBJECT to this function
but only to use it to check the consistency of TPMT_PUBLIC and
TPMT_SENSITIVE parameters. To allow this, add these two parameter to the
function (= sync with upstream) but also keep the rsaKey as an optional
parameter (libtpms only) so that the flag attributes.privateExp can still
be set on the key in case the values for dP, dQ, qINv are valid.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Also use the new privatExponent for dP, dQ and qInv.
There are two functions that need to be adapted:
- ComputePrivateExponent: producer of these parameters
- RsaPrivateKeyOp : consumer of these parameters
ComputePrivateExponent is converted to store the results into Z->dP,
Z->dQ, and Z->qInv. Therefore, remove the old privateExponent parameter
*pExp, that was previously used to store them, from the signature of this
function and pull out the initialization of pExp and preservation of Q
to be done before calling this function. This is done in the 2 calling
functions. After returning from the function copy the values of Z->dP,
Z->dQ, and Z->qInv to the old privateExponent where the results had
been stored previously and where we need to have them.
This change results in a sequence like this for the 2 callers:
RsaInitializeExponentOld(&rsaKey->privateExponent);
BnCopy((bigNum)&rsaKey->privateExponent.Q, Z->Q); // preserve Q
VERIFY(ComputePrivateExponent(bnE, Z));
RsaSetExponentOld(&rsaKey->privateExponent, Z); // duplicate dP, dQ, qInv
The values for dP, dQ, ad qInv are consumed by RsaPrivateKeyOp. Therefore,
adjust this functions signature by removing the old privateExponent
parameter *pExp from it and make sure that callers initialize Z->dP,
Z->dQ, and Z->qInv before calling this functions. There are two call-sites
where the one in RSADP looks like this:
RsaSetExponentFromOld(Z, &key->privateExponent); // copy Q, dP, dQ, qInv to Z
VERIFY(RsaPrivateKeyOp(bnM, Z));
The call site in CryptRsaGenerateKey has called ComputePrivateExponent
before, therefore it already holds the values in Z.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Pass the new privateExponent to RsaPrivateKeyOp replacing the P parameter.
To be able to use MakePgreaterThanQ(Z), make sure that both callers of
this function have Z->P and Z->Q values properly set.
This function has the following two callers:
- CryptRsaPrivateKey: Z->P and Z->Q are already holding valid values
- RSADP: Copy the value of privateExponent.Q to Z->Q.
An inconsequential side effect of the changes to RsaPrivateKeyOp()
is that Z->P is greater than Z->Q upon return from this function.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Replace the local variable bnP with Z->P. Initialize Z->P with the
value that bnP had been initialized with.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Replace the P and Q parameters of ComputePrivateExponent with the new
privateExponent struct (sync with upstream).
ComputePrivateExponent has two callers:
- CryptRsaGenerateKey: Z already holds P and Q from previous change
- CryptRsaLoadPrivateExponent: Sync the code with upstream so that we can also
use the privateExponent Z as parameter to ComputePrivateExponent holding
valid values in Z->P and Z->Q.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
- Import RsaInitializeExponent from upstream
- CryptRsaGenerateKey: Replace local bnP and bnQ variables by using Z->P
and Z->Q respectively
The only side-effect this change has is that it costs more initialization
time when NEW_PRIVATE_EXPONENT initializes the currently unused variables
dP_unused, dQ_unused, and qInv_unused.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The upstream function switches entirely to publicArea and sensitive
parameters for CrytpRsaGenerateKey getting rid of the OBJECT. We still
need the OBJECT at this point, so keep it for now but annotate the
code and add a consitency check that ensures that the publicArea and
sensitive parameters are from the OBJECT. This holds for the single
caller.
Adjust the single caller to the change in parameters.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Previously the key check was done when object == NULL. Now this
particular case is handle by a check being done when parent == NULL
since the only caller of ObjectLoad() with object == NULL also has
parent == NULL, so there's no behavior change. All other cases
are handled as before.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
- Use UnsignedCompareB() rather than BnUnsignedCmp()
- Use VERIFY to check results and add failure exit.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
- Remove code related to CRT_FORMAT_RSA == NO.
- Remove N parameter from function and adjust callers
- Use VERIFY after each statement
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
- Remove support for CRT_FORMAT_RSA == NO
- Remove now unused parameter N from function signature; adjust callers
- Rename E to pubExp
- Rename temp to pT
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
- Continue the prime number generation while retVal == TPM_RC_NO_RESULT
- Terminate the loop when BnGeneratePrimeForRSA() returns a failure
The changes should not lead to any different primary keys than before.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
RSA_PRIVATE_SIZE is the correct size to use since this is the size that
TPM2B_PRIVATE_KEY_RSA has been defined with.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When an object is later marshalled in TPM2_ContextSave, the publicOnly
attribute isn't taken into account and therefore potentially stale
sensitive information can be marshalled, which is a problem if the
buffer sizes it contains have values that are too large - this
triggers assertion failures.
Avoid this by clearing out the sensitive area upon ObjectLoad if not
provided, making the behaviour consistent with when a fresh, unused,
object entry is used.
Signed-off-by: Rob Shearman <rob@graphiant.com>
Fix two locations where s_ccAttr[0].commandIndex is used to access the
commandIndex, which does not work when bitfields are not used. Use
GET_ATTRIBUTE() to access the field so that it works when bitfields are
used and when they are not used. There are several locations in this
file where GET_ATTRIBUTE() is already used to access commandIndex.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Address a false positive issue detect by Coverity (CID 1517797)
about *buflen.
Per this assignment of buflen
cached_blobs[st].buflen = buffer ? buflen : BUFLEN_EMPTY_BUFFER;
the following is true:
If cached_blobs[].buffer is NULL then *buflen = BUFLEN_EMPTY_BUFFER
If cached_blobs[].buffer is not NULL then *buflen != BUFLEN_EMPTY_BUFFER
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add the implementation for TPM2_ECC_Encrypt/Decrypt. It cannot be
easily enabled due to possible downgrading requirements and also
issues with size-expansion of the PERSISTENT_DATA.auditCommands from
14 to 15 bytes.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
