Pass the new privateExponent to RsaPrivateKeyOp replacing the P parameter.
To be able to use MakePgreaterThanQ(Z), make sure that both callers of
this function have Z->P and Z->Q values properly set.
This function has the following two callers:
- CryptRsaPrivateKey: Z->P and Z->Q are already holding valid values
- RSADP: Copy the value of privateExponent.Q to Z->Q.
An inconsequential side effect of the changes to RsaPrivateKeyOp()
is that Z->P is greater than Z->Q upon return from this function.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Replace the local variable bnP with Z->P. Initialize Z->P with the
value that bnP had been initialized with.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Replace the P and Q parameters of ComputePrivateExponent with the new
privateExponent struct (sync with upstream).
ComputePrivateExponent has two callers:
- CryptRsaGenerateKey: Z already holds P and Q from previous change
- CryptRsaLoadPrivateExponent: Sync the code with upstream so that we can also
use the privateExponent Z as parameter to ComputePrivateExponent holding
valid values in Z->P and Z->Q.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
- Import RsaInitializeExponent from upstream
- CryptRsaGenerateKey: Replace local bnP and bnQ variables by using Z->P
and Z->Q respectively
The only side-effect this change has is that it costs more initialization
time when NEW_PRIVATE_EXPONENT initializes the currently unused variables
dP_unused, dQ_unused, and qInv_unused.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The upstream function switches entirely to publicArea and sensitive
parameters for CrytpRsaGenerateKey getting rid of the OBJECT. We still
need the OBJECT at this point, so keep it for now but annotate the
code and add a consitency check that ensures that the publicArea and
sensitive parameters are from the OBJECT. This holds for the single
caller.
Adjust the single caller to the change in parameters.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Previously the key check was done when object == NULL. Now this
particular case is handle by a check being done when parent == NULL
since the only caller of ObjectLoad() with object == NULL also has
parent == NULL, so there's no behavior change. All other cases
are handled as before.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
- Use UnsignedCompareB() rather than BnUnsignedCmp()
- Use VERIFY to check results and add failure exit.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
- Remove code related to CRT_FORMAT_RSA == NO.
- Remove N parameter from function and adjust callers
- Use VERIFY after each statement
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
- Remove support for CRT_FORMAT_RSA == NO
- Remove now unused parameter N from function signature; adjust callers
- Rename E to pubExp
- Rename temp to pT
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
- Continue the prime number generation while retVal == TPM_RC_NO_RESULT
- Terminate the loop when BnGeneratePrimeForRSA() returns a failure
The changes should not lead to any different primary keys than before.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
RSA_PRIVATE_SIZE is the correct size to use since this is the size that
TPM2B_PRIVATE_KEY_RSA has been defined with.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When an object is later marshalled in TPM2_ContextSave, the publicOnly
attribute isn't taken into account and therefore potentially stale
sensitive information can be marshalled, which is a problem if the
buffer sizes it contains have values that are too large - this
triggers assertion failures.
Avoid this by clearing out the sensitive area upon ObjectLoad if not
provided, making the behaviour consistent with when a fresh, unused,
object entry is used.
Signed-off-by: Rob Shearman <rob@graphiant.com>
Fix two locations where s_ccAttr[0].commandIndex is used to access the
commandIndex, which does not work when bitfields are not used. Use
GET_ATTRIBUTE() to access the field so that it works when bitfields are
used and when they are not used. There are several locations in this
file where GET_ATTRIBUTE() is already used to access commandIndex.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Address a false positive issue detect by Coverity (CID 1517797)
about *buflen.
Per this assignment of buflen
cached_blobs[st].buflen = buffer ? buflen : BUFLEN_EMPTY_BUFFER;
the following is true:
If cached_blobs[].buffer is NULL then *buflen = BUFLEN_EMPTY_BUFFER
If cached_blobs[].buffer is not NULL then *buflen != BUFLEN_EMPTY_BUFFER
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add the implementation for TPM2_ECC_Encrypt/Decrypt. It cannot be
easily enabled due to possible downgrading requirements and also
issues with size-expansion of the PERSISTENT_DATA.auditCommands from
14 to 15 bytes.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Sync with upstream to fix issue in CryptParameterEncryption() from TPM 2
errate v1.4 2.6.1:
"The functions CryptParameterEncryption() and CryptParameterDecryption() in
the reference code in Part 4, 10.2.6.6.5 and 10.2.6.6.6 do not correctly
check the size of the parameter buffer to be encrypted or decrypted. To fix
the issue, the functions should be corrected to check that the parameter
buffer (a TPM2B type field) is at least 2 bytes in length and should use
the function UINT16_Unmarshal() to read the size of the buffer instead of"
BYTE_ARRAY_TO_UINT16().
[...]
The fixed CryptParameterEncryption() function will enter failure mode and
return TPM_RC_FAILURE if the internal response buffer does not contain
enough data for the UINT16 size field."
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Fix the following issue from TPM 2 errata v1.4 2.6.3:
"The function CryptGenerateKeyDes() in the reference code in Part 4,
0.2.9.2.3 does not correctly check the symmetric key size provided in the
sensitive parameter. To fix the issue, the function will check that the
size of the requested TDES key is a multiple of 8 bytes or otherwise the
TPM will return TPM_RC_SYMMETRIC."
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
