Call EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, -1) when creating an RSA
signature to set the PSS salt length to the digest length. Without
this call we previously set the salt length to the maximum
permissible value, but this is not how TPM 2 implements it.
Per interoperability testing between signatures created previously
with the max. permissible value and the new code, which does not
modify the signature verification code, old signatures still verify.
New signatures also verify.
This patch may solve interoperability with hardware TPMs that signatures
created following this patch now verify on hardware TPMs as well.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Always use a temporary buffer large enough to meet the requirements of the
EVP_DecryptUpdate() call.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add missing call of EVP_CIPHER_CTX_set_padding(ctx, 0) in the symmetric
decryption case. This was missing and failed some decryption cases.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add a missing input size check for CryptSymmetricDecrypt so that we return
the proper error code TPM_RC_SIZE in case the input size is not a multiple
of the block size. Before TPM_RC_FAILURE was returned.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
For the RSA decryption we have to use an output buffer of the size of the
(largest possible) RSA key for the decryption to always work.
This fixes a stack corruption bug that caused a SIGBUS and termination of
'swtpm'.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add missing EC Curve cases in Unmarshal function.
Also, don't accept curves that are not usable during runtime because OpenSSL
may not support them.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
PrimeSieve was accessing the sieveMarks array at out-of-bounds index 5
due to a bug in other parts of the code. This patch fixes the issue
and prevents this access by limiting the values that 'next' can take on.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Return the RSAKeySizes in the JSON produced by TPM2_GetInfo() under
a new flag with value '4'. This helps higher level tools and users
to easily determine what key sizes are supported for RSA.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Start supporting RSA 3072 keys.
NVMarshal.c: We now accept state that was written by libtpms when RSA keys
sizes were 2048 or are 3072, basically less-or-equal than 3072.
Also increase the NVRAM memory size by ~45 kb to accommodate the worst
case where the USER NVRAM is full of 65 2048 bit persisted keys whose 65
OBJECTs are now expanding and need to again fit into the NVRAM. We have
to add exactly 45760 bytes to accomodate this case. See swtpm test
case test_tpm2_save_load_state_2. 65 * 704 = 45760.
NOTE: BETTER TO NOT BACKPORT!!! MAY NEGATIVELY AFFECT UPGRADE PATH!
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Increase the MAX_CONTEXT_SIZE to 2680 to support the increased context
size when using 3072 bit keys.
NVMarhsal.c: Accept MAX_CONTEXT_SIZE values of less-or-equal the 2680,
which also accepts context sizes of the old value 2474.
NOTE: BETTER TO NOT BACKPORT!
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
This is the Coverity complaint about the line
infoDataSize = TimeGetMarshaled(&infoData);
CID 1402057: Out-of-bounds access (OVERRUN)
1. overrun-buffer-val: Overrunning array infoData of 32 bytes by passing
it to a function which accesses it at byte offset 255.
TimeGetMarshaled() correctly serializes into &infoData, which is casted to
a buffer and then the data are written into the buffer. Also only 25 bytes,
as indicated by infoDataSize, are used, which is less than sizeof(infoData),
which is 32.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
TPM 2 support has been in libtpms for quite some time now
and the experimental tag can be removed.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
