Compare commits

...

No commits in common. "c9-beta" and "c8" have entirely different histories.
c9-beta ... c8

27 changed files with 2534 additions and 225 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/tpm2-tss-3.2.3.tar.gz SOURCES/tpm2-tss-2.3.2.tar.gz

View File

@ -1 +1 @@
79248e4597db1424d981c93af278bb7d141c6a12 SOURCES/tpm2-tss-3.2.3.tar.gz c24ce8b20a8686ada775239389292f6d78020668 SOURCES/tpm2-tss-2.3.2.tar.gz

View File

@ -0,0 +1,39 @@
From 285667d640b8dd7d2d80e0c5d5fcc44f6abad442 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
Date: Mon, 27 Apr 2020 16:33:16 +0200
Subject: [PATCH 1/4] ESYS: Fix initialization of app data in Esys_Initialize
(Fixes #1704).
An unintended free of the tcti parameter in cleanup was possible.
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
---
src/tss2-esys/esys_context.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/tss2-esys/esys_context.c b/src/tss2-esys/esys_context.c
index b912a688..150a3495 100644
--- a/src/tss2-esys/esys_context.c
+++ b/src/tss2-esys/esys_context.c
@@ -54,15 +54,15 @@ Esys_Initialize(ESYS_CONTEXT ** esys_context, TSS2_TCTI_CONTEXT * tcti,
*esys_context = calloc(1, sizeof(ESYS_CONTEXT));
return_if_null(*esys_context, "Out of memory.", TSS2_ESYS_RC_MEMORY);
+ /* Store the application provided tcti to be return on Esys_GetTcti(). */
+ (*esys_context)->tcti_app_param = tcti;
+
/* Allocate memory for the SYS context */
syssize = Tss2_Sys_GetContextSize(0);
(*esys_context)->sys = calloc(1, syssize);
goto_if_null((*esys_context)->sys, "Error: During malloc.",
TSS2_ESYS_RC_MEMORY, cleanup_return);
- /* Store the application provided tcti to be return on Esys_GetTcti(). */
- (*esys_context)->tcti_app_param = tcti;
-
/* If no tcti was provided, initialize the default one. */
if (tcti == NULL) {
r = Tss2_TctiLdr_Initialize (NULL, &tcti);
--
2.41.0

View File

@ -0,0 +1,128 @@
From 70e9fae7ef535e7cf27a72ddbc818dfefcbdbdbb Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Wed, 18 Sep 2019 11:29:57 -0700
Subject: [PATCH] Esys_CreateLoaded: fix resource name calculation
The name calculated and cached for the ESYS_TR resource object was based
on the user supplied TPMT_PUBLIC. However, this template is often
missing data that the TPM fills in and returns in the TPM2B_PUBLIC
structure. Because of this, the cached name returned from
Esys_TR_GetName() and the name read from Esys_ReadPublic() would differ.
Add a test to detect this condition and correct it by copying the
returned TPM2B_PUBLIC to the ESYS_TR resource nodes TPM2B_PUBLIC cache
and calculate the name off of that.
Fixes: #1516
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
src/tss2-esys/api/Esys_CreateLoaded.c | 14 ++++-----
test/integration/esys-createloaded.int.c | 37 ++++++++++++++++++++++++
2 files changed, 42 insertions(+), 9 deletions(-)
diff --git a/src/tss2-esys/api/Esys_CreateLoaded.c b/src/tss2-esys/api/Esys_CreateLoaded.c
index a92649cade27..44c4400fcff9 100644
--- a/src/tss2-esys/api/Esys_CreateLoaded.c
+++ b/src/tss2-esys/api/Esys_CreateLoaded.c
@@ -317,14 +317,6 @@ Esys_CreateLoaded_Finish(
goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup);
}
- /* Update the meta data of the ESYS_TR object */
- objectHandleNode->rsrc.rsrcType = IESYSC_KEY_RSRC;
- size_t offset = 0;
- r = Tss2_MU_TPMT_PUBLIC_Unmarshal(&esysContext->in.CreateLoaded.inPublic->buffer[0],
- sizeof(TPMT_PUBLIC), &offset ,
- &objectHandleNode->rsrc.misc.rsrc_key_pub.publicArea);
- goto_if_error(r, "Unmarshal TPMT_PUBULIC", error_cleanup);
-
/*Receive the TPM response and handle resubmissions if necessary. */
r = Tss2_Sys_ExecuteFinish(esysContext->sys, esysContext->timeout);
if ((r & ~TSS2_RC_LAYER_MASK) == TSS2_BASE_RC_TRY_AGAIN) {
@@ -386,8 +378,12 @@ Esys_CreateLoaded_Finish(
error_cleanup);
+ /* Update the meta data of the ESYS_TR object */
+ objectHandleNode->rsrc.rsrcType = IESYSC_KEY_RSRC;
+ objectHandleNode->rsrc.misc.rsrc_key_pub = *loutPublic;
+
/* Check name and outPublic for consistency */
- if (!iesys_compare_name(loutPublic, &name))
+ if (!iesys_compare_name(&objectHandleNode->rsrc.misc.rsrc_key_pub, &name))
goto_error(r, TSS2_ESYS_RC_MALFORMED_RESPONSE,
"in Public name not equal name in response", error_cleanup);
diff --git a/test/integration/esys-createloaded.int.c b/test/integration/esys-createloaded.int.c
index ec8d68a0d43d..118f2a3bb1ff 100644
--- a/test/integration/esys-createloaded.int.c
+++ b/test/integration/esys-createloaded.int.c
@@ -8,6 +8,7 @@
#include <config.h>
#endif
+#include <stdbool.h>
#include <stdlib.h>
#include "tss2_esys.h"
@@ -19,6 +20,35 @@
#include "util/log.h"
#include "util/aux_util.h"
+static bool check_name(ESYS_CONTEXT * esys_context, ESYS_TR object_handle)
+{
+ bool result = false;
+
+ TPM2B_NAME *read_name = NULL;
+ TPM2B_NAME *get_name = NULL;
+
+ TSS2_RC r = Esys_ReadPublic(esys_context, object_handle,
+ ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
+ NULL, &read_name, NULL);
+ goto_if_error(r, "Error esys readpublic", out);
+
+ r = Esys_TR_GetName(esys_context, object_handle, &get_name);
+ goto_if_error(r, "Error esys getname", out);
+
+ if (read_name->size != get_name->size) {
+ LOG_ERROR("name size mismatch %u != %u",
+ read_name->size, get_name->size);
+ goto out;
+ }
+
+ result = memcmp(read_name->name, get_name->name, get_name->size) == 0;
+
+out:
+ free(read_name);
+ free(get_name);
+
+ return result;
+}
/** This test is intended to test the ESAPI command CreateLoaded.
*
* We start by creating a primary key (Esys_CreatePrimary).
@@ -29,6 +59,8 @@
* - Esys_CreatePrimary() (M)
* - Esys_FlushContext() (M)
* - Esys_StartAuthSession() (M)
+ * - Esys_TR_GetName() (M)
+ * - Esys_TR_ReadPublic() (M)
*
* Used compiler defines: TEST_SESSION
*
@@ -239,6 +271,11 @@ test_esys_createloaded(ESYS_CONTEXT * esys_context)
goto_if_error(r, "Error During CreateLoaded", error);
+ bool names_match = check_name(esys_context, objectHandle);
+ if (!names_match) {
+ goto error;
+ }
+
r = Esys_FlushContext(esys_context, primaryHandle);
goto_if_error(r, "Flushing context", error);
--
2.27.0

View File

@ -0,0 +1,25 @@
From 93aab9433b5d66a916e28016a4b60c4a1c39acfc Mon Sep 17 00:00:00 2001
From: Pieter Agten <pieter.agten@gmail.com>
Date: Tue, 3 Dec 2019 20:52:29 +0100
Subject: [PATCH] Return proper error code on memory allocation failure
Signed-off-by: Pieter Agten <pieter.agten@gmail.com>
---
src/tss2-tcti/tctildr.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/tss2-tcti/tctildr.c b/src/tss2-tcti/tctildr.c
index ff967317b57b..1528f6e52fd0 100644
--- a/src/tss2-tcti/tctildr.c
+++ b/src/tss2-tcti/tctildr.c
@@ -421,6 +421,7 @@ Tss2_TctiLdr_Initialize_Ex (const char *name,
}
ldr_ctx = calloc (1, sizeof (TSS2_TCTILDR_CONTEXT));
if (ldr_ctx == NULL) {
+ rc = TSS2_TCTI_RC_MEMORY;
goto err;
}
TSS2_TCTI_MAGIC (ldr_ctx) = TCTILDR_MAGIC;
--
2.27.0

View File

@ -0,0 +1,51 @@
From b27956422d1b5bb53a56366e9b7e978f6b95e2f9 Mon Sep 17 00:00:00 2001
From: Erik Larsson <who+github@cnackers.org>
Date: Mon, 2 Dec 2019 11:21:02 +0100
Subject: [PATCH] build: update exported symbols map for libtss2-mu
Signed-off-by: Erik Larsson <who+github@cnackers.org>
---
lib/tss2-mu.def | 4 ++++
lib/tss2-mu.map | 4 ++--
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/lib/tss2-mu.def b/lib/tss2-mu.def
index 36f4ba37b9fc..3c80cf225f77 100644
--- a/lib/tss2-mu.def
+++ b/lib/tss2-mu.def
@@ -226,6 +226,10 @@ EXPORTS
Tss2_MU_TPMU_PUBLIC_PARMS_Unmarshal
Tss2_MU_TPMU_PUBLIC_ID_Marshal
Tss2_MU_TPMU_PUBLIC_ID_Unmarshal
+ Tss2_MU_TPMU_NAME_Marshal
+ Tss2_MU_TPMU_NAME_Unmarshal
+ Tss2_MU_TPMU_ENCRYPTED_SECRET_Marshal
+ Tss2_MU_TPMU_ENCRYPTED_SECRET_Unmarshal
Tss2_MU_TPMT_HA_Marshal
Tss2_MU_TPMT_HA_Unmarshal
Tss2_MU_TPMT_SYM_DEF_Marshal
diff --git a/lib/tss2-mu.map b/lib/tss2-mu.map
index 8ac754ed096a..09d9317e6749 100644
--- a/lib/tss2-mu.map
+++ b/lib/tss2-mu.map
@@ -228,6 +228,8 @@
Tss2_MU_TPMU_PUBLIC_ID_Unmarshal;
Tss2_MU_TPMU_NAME_Marshal;
Tss2_MU_TPMU_NAME_Unmarshal;
+ Tss2_MU_TPMU_ENCRYPTED_SECRET_Marshal;
+ Tss2_MU_TPMU_ENCRYPTED_SECRET_Unmarshal;
Tss2_MU_TPMT_HA_Marshal;
Tss2_MU_TPMT_HA_Unmarshal;
Tss2_MU_TPMT_SYM_DEF_Marshal;
@@ -274,8 +276,6 @@
Tss2_MU_TPM2_NT_Unmarshal;
Tss2_MU_TPMI_ALG_HASH_Marshal;
Tss2_MU_TPMI_ALG_HASH_Unmarshal;
- Tss2_MU_TPMI_BYTE_Marshal;
- Tss2_MU_TPMI_BYTE_Unmarshal;
local:
*;
};
--
2.27.0

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,45 @@
From 0bd19b61c8cd07d03b6efffc05f95d5ec427a3d6 Mon Sep 17 00:00:00 2001
From: Tadeusz Struk <tadeusz.struk@intel.com>
Date: Tue, 14 Jan 2020 10:55:20 -0800
Subject: [PATCH] esys: fix Esys_StartAuthSession called with optional params
For an HMAC session if any of the optional params are ESYS_TR_NONE
we need to use the same tpm2_handles TPM2_RH_NULL (0x40000007)
as in the prepare call to correctly calculate cpHash and HMAC
values for the session.
Fixes: #1590
Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
---
src/tss2-esys/api/Esys_StartAuthSession.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/src/tss2-esys/api/Esys_StartAuthSession.c b/src/tss2-esys/api/Esys_StartAuthSession.c
index 313604a2077c..3ccd842a7572 100644
--- a/src/tss2-esys/api/Esys_StartAuthSession.c
+++ b/src/tss2-esys/api/Esys_StartAuthSession.c
@@ -260,7 +260,19 @@ Esys_StartAuthSession_Async(
iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL);
/* Generate the auth values and set them in the SAPI command buffer */
- r = iesys_gen_auths(esysContext, tpmKeyNode, bindNode, NULL, &auths);
+
+ RSRC_NODE_T none;
+ size_t offset = 0;
+ none.rsrc.handle = TPM2_RH_NULL;
+ none.rsrc.rsrcType = IESYSC_WITHOUT_MISC_RSRC;
+ r = Tss2_MU_TPM2_HANDLE_Marshal(TPM2_RH_NULL,
+ none.rsrc.name.name,
+ sizeof(none.rsrc.name.name),
+ &offset);
+ return_state_if_error(r, _ESYS_STATE_INIT, "Marshaling TPM handle.");
+ none.rsrc.name.size = offset;
+ r = iesys_gen_auths(esysContext, tpmKeyNode ? tpmKeyNode : &none,
+ bindNode ? bindNode : &none, NULL, &auths);
return_state_if_error(r, _ESYS_STATE_INIT,
"Error in computation of auth values");
--
2.27.0

View File

@ -0,0 +1,39 @@
From 3d3808c3eb02c27f1b114baddd03960892044909 Mon Sep 17 00:00:00 2001
From: Tadeusz Struk <tadeusz.struk@intel.com>
Date: Mon, 2 Mar 2020 14:45:52 -0800
Subject: [PATCH] esys: fix hmac calculation for tpm2_clear command
After tpm2_clear command is executed it sets all ownerAuth,
endorsementAuth, and lockoutAuth to the Empty Buffer and then
this is used for a response auth calculation.
This requires to recalculate the esys session auth value after
tpm2_clear is executed or the calculated response HMAC value
will be invalid and the command will fail with
err: 0x0007001b "Authorizing the TPM response failed"
Fixes: #1641
Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
---
src/tss2-esys/api/Esys_Clear.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/tss2-esys/api/Esys_Clear.c b/src/tss2-esys/api/Esys_Clear.c
index f5c0b827425a..0f43f7e9b85f 100644
--- a/src/tss2-esys/api/Esys_Clear.c
+++ b/src/tss2-esys/api/Esys_Clear.c
@@ -199,6 +199,11 @@ Esys_Clear_Async(
return_state_if_error(r, _ESYS_STATE_INTERNALERROR,
"Finish (Execute Async)");
+ /* If the command authorization is LOCKOUT we need to
+ * recompute session value with an empty auth */
+ if (authHandle == ESYS_TR_RH_LOCKOUT)
+ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL);
+
esysContext->state = _ESYS_STATE_SENT;
return r;
--
2.30.1

View File

@ -0,0 +1,29 @@
From 76641c1e6b016979973fead7a24bb8fca4ee8325 Mon Sep 17 00:00:00 2001
From: Johannes Holland <johannes.holland@infineon.com>
Date: Thu, 26 Sep 2019 09:46:09 +0100
Subject: [PATCH] esys: fix keysize of ECC curve TPM2_ECC_NISTP224
In esys_crypto_ossl.c, for the ECC curve TPM2_ECC_NISTP244 a key size of
38 is selected. However, 224 bit / 8 bit/byte = 28 byte.
Signed-off-by: Johannes Holland <johannes.holland@infineon.com>
---
src/tss2-esys/esys_crypto_ossl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c
index 124501964ae7..3c5d86d69705 100644
--- a/src/tss2-esys/esys_crypto_ossl.c
+++ b/src/tss2-esys/esys_crypto_ossl.c
@@ -804,7 +804,7 @@ iesys_cryptossl_get_ecdh_point(TPM2B_PUBLIC *key,
break;
case TPM2_ECC_NIST_P224:
curveId = NID_secp224r1;
- key_size = 38;
+ key_size = 28;
break;
case TPM2_ECC_NIST_P256:
curveId = NID_X9_62_prime256v1;
--
2.27.0

View File

@ -0,0 +1,47 @@
From 380d5f9ec3aa1f5e456598fe66d275467660177b Mon Sep 17 00:00:00 2001
From: Tadeusz Struk <tadeusz.struk@intel.com>
Date: Thu, 16 Jan 2020 09:27:04 -0800
Subject: [PATCH] esys: fixup compute_encrypted_salt err handling in
Esys_StartAuthSession
Use return_state_if_error() macro for compute_encrypted_salt()
error handling in Esys_StartAuthSession to maintain the correct
context state.
Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
---
src/tss2-esys/api/Esys_StartAuthSession.c | 13 ++++---------
1 file changed, 4 insertions(+), 9 deletions(-)
diff --git a/src/tss2-esys/api/Esys_StartAuthSession.c b/src/tss2-esys/api/Esys_StartAuthSession.c
index 3ccd842a7572..1717928a717d 100644
--- a/src/tss2-esys/api/Esys_StartAuthSession.c
+++ b/src/tss2-esys/api/Esys_StartAuthSession.c
@@ -223,20 +223,15 @@ Esys_StartAuthSession_Async(
TSS2_RC r2;
r2 = iesys_compute_encrypted_salt(esysContext, tpmKeyNode,
&encryptedSaltAux);
- return_if_error(r2, "Error in parameter encryption.");
+ return_state_if_error(r2, _ESYS_STATE_INIT, "Error in parameter encryption.");
if (nonceCaller == NULL) {
r2 = iesys_crypto_hash_get_digest_size(authHash,&authHash_size);
- if (r2 != TSS2_RC_SUCCESS) {
- LOG_ERROR("Error: initialize auth session (%x).", r2);
- return r2;
- }
+ return_state_if_error(r2, _ESYS_STATE_INIT, "Error in hash_get_digest_size.");
+
r2 = iesys_crypto_random2b(&esysContext->in.StartAuthSession.nonceCallerData,
authHash_size);
- if (r2 != TSS2_RC_SUCCESS) {
- LOG_ERROR("Error: initialize auth session (%x).", r2);
- return r2;
- }
+ return_state_if_error(r2, _ESYS_STATE_INIT, "Error in crypto_random2b.");
esysContext->in.StartAuthSession.nonceCaller
= &esysContext->in.StartAuthSession.nonceCallerData;
nonceCaller = esysContext->in.StartAuthSession.nonceCaller;
--
2.27.0

View File

@ -0,0 +1,38 @@
From 1ec07af70925ece698b733d55dedd1d9878b70f2 Mon Sep 17 00:00:00 2001
From: Tadeusz Struk <tadeusz.struk@intel.com>
Date: Fri, 24 Jan 2020 19:05:34 -0800
Subject: [PATCH] esys: zero out ctx->salt after on startAuthSession_finish
The ctx->salt is used to calculate session key during
startAuthSession call if the caller pass a valid tpmKey
parameter. There salt is calculated in the _Async call
and the the session key is calculated in the _Finish call.
The problem is that if in the same context an unsalted
session is created after a salted session the ctx->salt
will still hold the old value and it will incorrectly
be used for session key calculation in the the subsequent
_Finish call. To fix this the salt needs to be set to
cleaned after no longer needed.
Fixes: #1574
Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
---
src/tss2-esys/api/Esys_StartAuthSession.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/tss2-esys/api/Esys_StartAuthSession.c b/src/tss2-esys/api/Esys_StartAuthSession.c
index 1717928a717d..6367419d7c9a 100644
--- a/src/tss2-esys/api/Esys_StartAuthSession.c
+++ b/src/tss2-esys/api/Esys_StartAuthSession.c
@@ -497,6 +497,7 @@ Esys_StartAuthSession_Finish(
goto_if_error(r, "Marshal session name", error_cleanup);
sessionHandleNode->rsrc.name.size = offset;
+ memset(&esysContext->salt, '\0', sizeof(esysContext->salt));
esysContext->state = _ESYS_STATE_INIT;
return TSS2_RC_SUCCESS;
--
2.27.0

View File

@ -1,41 +0,0 @@
From f5907e96363729e16475172ef1056532d9404482 Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Fri, 3 Jun 2022 11:51:02 -0500
Subject: [PATCH 1/2] esys_iutil: fix possible NPD
Clang-10 scan-build reports:
src/tss2-esys/esys_iutil.c:1366:56: warning: Dereference of null pointer
auths->auths[auths->count].sessionHandle = session->rsrc.handle;
^~~~~~~~~~~~~~~~~~~~
1 warning generated.
The code above the report checks that session might be NULL:
RSRC_NODE_T *session = esys_context->session_tab[session_idx];
if (session != NULL) {
IESYS_SESSION *rsrc_session = &session->rsrc.misc.rsrc_session;
if (rsrc_session->type_policy_session == POLICY_PASSWORD) {
Thus suggesting/indicating session may be NULL in subsequent code where
session is dereferenced.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
src/tss2-esys/esys_iutil.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tss2-esys/esys_iutil.c b/src/tss2-esys/esys_iutil.c
index 4d31cef8..b364dd73 100644
--- a/src/tss2-esys/esys_iutil.c
+++ b/src/tss2-esys/esys_iutil.c
@@ -1352,7 +1352,7 @@ iesys_gen_auths(ESYS_CONTEXT * esys_context,
&& encryptNonceIdx > 0) ? encryptNonce : NULL,
&auths->auths[session_idx]);
return_if_error(r, "Error while computing hmacs");
- if (esys_context->session_tab[session_idx] != NULL) {
+ if (esys_context->session_tab[session_idx] != NULL && session != NULL) {
auths->auths[auths->count].sessionHandle = session->rsrc.handle;
auths->count++;
}
--
2.39.2

View File

@ -0,0 +1,62 @@
From 0bf42a4489973005ddd912a800dfb92eff2806e8 Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Mon, 16 Sep 2019 17:12:23 -0700
Subject: [PATCH] esys_iutil: use memcmp in byte array comparison
Rather than a byte for byte forloop, use memcmp() so the compiler can
use architectural optimizations.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
src/tss2-esys/esys_iutil.c | 27 +++++----------------------
1 file changed, 5 insertions(+), 22 deletions(-)
diff --git a/src/tss2-esys/esys_iutil.c b/src/tss2-esys/esys_iutil.c
index 94d0332c5b7d..08a9b7dffcbd 100644
--- a/src/tss2-esys/esys_iutil.c
+++ b/src/tss2-esys/esys_iutil.c
@@ -35,23 +35,6 @@ cmp_UINT16(const UINT16 * in1, const UINT16 * in2)
}
}
-/**
- * Compare variables of type BYTE.
- * @param[in] in1 Variable to be compared with:
- * @param[in] in2
- */
-static bool
-cmp_BYTE(const BYTE * in1, const BYTE * in2)
-{
- LOG_TRACE("call");
- if (*in1 == *in2)
- return true;
- else {
- LOG_TRACE("cmp false");
- return false;
- }
-}
-
/**
* Compare two arrays of type BYTE.
* @param[in] in1 array to be compared with:.
@@ -65,12 +48,12 @@ cmp_BYTE_array(const BYTE * in1, size_t count1, const BYTE * in2, size_t count2)
LOG_TRACE("cmp false");
return false;
}
- for (size_t i = 0; i < count1; i++) {
- if (!cmp_BYTE(&in1[i], &in2[i])) {
- LOG_TRACE("cmp false");
- return false;
- }
+
+ if (memcmp(in1, in2, count2) != 0) {
+ LOG_TRACE("cmp false");
+ return false;
}
+
return true;
}
--
2.27.0

View File

@ -0,0 +1,84 @@
From d696645b147eaac5d5c90ff3dca672e52d89d7f0 Mon Sep 17 00:00:00 2001
From: Jerry Snitselaar <jsnitsel@redhat.com>
Date: Mon, 27 Apr 2020 12:16:47 -0700
Subject: [PATCH] man: Clean up libmandoc parser warnings
- Fix typo in Tss2_Tcti_Device_Init.3.in.
- Remove .RE macros that had no preceding .RS macro in Tss2_TctiLdr_Initialize.3.in.
Replace .RE .sp with .LP.
- ' is a control character, format function names to be similar to
other manpages, and use \(oq and \(cq for quotes instead in tss2-tctildr.7.in.
Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
---
man/Tss2_TctiLdr_Initialize.3.in | 6 ++----
man/Tss2_Tcti_Device_Init.3.in | 2 +-
man/tss2-tctildr.7.in | 12 ++++++++----
3 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/man/Tss2_TctiLdr_Initialize.3.in b/man/Tss2_TctiLdr_Initialize.3.in
index 8e5fffaa247b..eb5ea1f8315f 100644
--- a/man/Tss2_TctiLdr_Initialize.3.in
+++ b/man/Tss2_TctiLdr_Initialize.3.in
@@ -65,8 +65,7 @@ libtss2-tcti-tabrmd.so.0
libtss2-tcti-device.so.0
.IP \[bu]
libtss2-tcti-mssim.so.0
-.RE
-.sp
+.LP
When the
.I name
string is neither NULL nor the empty string the implementation will attempt
@@ -81,8 +80,7 @@ name with the following permutations:
libtss2-tcti-<name>.so.0
.IP \[bu]
libtss2-tcti-<name>.so
-.RE
-.sp
+.LP
The
.I config
string is not interpreted by the TctiLdr init functions and is passed
diff --git a/man/Tss2_Tcti_Device_Init.3.in b/man/Tss2_Tcti_Device_Init.3.in
index 3cd2eed7fb0b..122ede1536bc 100644
--- a/man/Tss2_Tcti_Device_Init.3.in
+++ b/man/Tss2_Tcti_Device_Init.3.in
@@ -86,7 +86,7 @@ is returned if any parameters contain unexpected values.
is returned if any parameters are NULL when they should not be.
.B TSS2_TCTI_RC_BAD_CONTEXT
is returned if the size of the provided
-.i tctiContext
+.I tctiContext
is insufficient.
.SH EXAMPLE
TCTI initialization fragment:
diff --git a/man/tss2-tctildr.7.in b/man/tss2-tctildr.7.in
index a907aec0cd64..7432316ec6bb 100644
--- a/man/tss2-tctildr.7.in
+++ b/man/tss2-tctildr.7.in
@@ -10,13 +10,17 @@ instances.
.SH DESCRIPTION
The TCTI dynamic loading and initialization protocol requires a lot of
boilerplate code. To reduce duplication the tss2-tctildr library adds the
-'Tss2_TctiLdr_Initialize', 'Tss2_TctiLdr_Initialize_Ex' and
-'Tss2_TctiLdr_Finalize' functions to abstract away the machinery required
+.BR Tss2_TctiLdr_Initialize (),
+.BR Tss2_TctiLdr_Initialize_Ex (),
+and
+.BR Tss2_TctiLdr_Finalize ()
+functions to abstract away the machinery required
to load, initialize, and finalize a TCTI context.
To assist in the discovery of TCTIs this library provides the
-'Tss2_TctiLdr_GetInfo' function. This function, paired with a 'free'
-function to free the memory allocated by 'GetInfo', provides a simple
+.BR Tss2_TctiLdr_GetInfo ()
+function. This function, paired with a \(oqfree\(cq
+function to free the memory allocated by \(oqGetInfo\(cq, provides a simple
query interface for discovery of the available and default TCTIs
available to the tss2-tctildr implementation
--
2.24.0

View File

@ -0,0 +1,71 @@
From 58ee0fd916671942e62ac9930f18225761a6dd66 Mon Sep 17 00:00:00 2001
From: Joe Richey <joerichey@google.com>
Date: Tue, 21 Jan 2020 20:04:45 -0800
Subject: [PATCH] mu: Remove use of VLAs for Marshalling TPML types
All of the `Tss2_MU_*_Marshal()` functions have the property that
`buffer` can be NULL, `offset` can be NULL, but both cannot be
NULL. Some Marshal functions check this directly (returning
`TSS2_MU_RC_BAD_REFERENCE` on error), but most do this by composing
existing Marshalling functions together.
The TMPL Marshal functions does things differently, it creates a local
VLA `local_buffer[buffer_size]` and uses that as the buffer pointer if
a NULL buffer is given. This is unnecessary, as this pointer is only
used for debug logging and passed to other Marshalling functions, which
will correctly handle a NULL buffer.
Note that the VLA in the existing code is of length `buffer_size` (the
length of the _entire_ buffer, _not_ the length of the data being
unmarshaled). This can potentially result in a very large stack
allocation, or stack overflow.
Signed-off-by: Joe Richey <joerichey@google.com>
---
src/tss2-mu/tpml-types.c | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/src/tss2-mu/tpml-types.c b/src/tss2-mu/tpml-types.c
index 9506a26efd14..ae1ed6177d75 100644
--- a/src/tss2-mu/tpml-types.c
+++ b/src/tss2-mu/tpml-types.c
@@ -29,8 +29,6 @@ TSS2_RC Tss2_MU_##type##_Marshal(type const *src, uint8_t buffer[], \
size_t local_offset = 0; \
UINT32 i, count = 0; \
TSS2_RC ret = TSS2_RC_SUCCESS; \
- uint8_t *buf_ptr = buffer; \
- uint8_t local_buffer[buffer_size]; \
\
if (offset != NULL) { \
LOG_TRACE("offset non-NULL, initial value: %zu", *offset); \
@@ -60,24 +58,21 @@ TSS2_RC Tss2_MU_##type##_Marshal(type const *src, uint8_t buffer[], \
LOG_WARNING("count too big"); \
return TSS2_SYS_RC_BAD_VALUE; \
} \
-\
- if (buf_ptr == NULL) \
- buf_ptr = local_buffer; \
\
LOG_DEBUG(\
"Marshalling " #type " from 0x%" PRIxPTR " to buffer 0x%" PRIxPTR \
" at index 0x%zx", \
(uintptr_t)&src, \
- (uintptr_t)buf_ptr, \
+ (uintptr_t)buffer, \
local_offset); \
\
- ret = Tss2_MU_UINT32_Marshal(src->count, buf_ptr, buffer_size, &local_offset); \
+ ret = Tss2_MU_UINT32_Marshal(src->count, buffer, buffer_size, &local_offset); \
if (ret) \
return ret; \
\
for (i = 0; i < src->count; i++) \
{ \
- ret = marshal_func(op src->buf_name[i], buf_ptr, buffer_size, &local_offset); \
+ ret = marshal_func(op src->buf_name[i], buffer, buffer_size, &local_offset); \
if (ret) \
return ret; \
} \
--
2.27.0

View File

@ -0,0 +1,29 @@
From 5ab8190843597ff6a255c59f91582e4dca117927 Mon Sep 17 00:00:00 2001
From: Jonas Witschel <diabonas@gmx.de>
Date: Thu, 21 Nov 2019 14:49:27 +0100
Subject: [PATCH] sys: match counter variable type for cmdAuthsArray->count
TSS2L_SYS_AUTH_COMMAND.count is defined as uint16_t, so the counter
variable should be uint16_t as well.
Signed-off-by: Jonas Witschel <diabonas@gmx.de>
---
src/tss2-sys/api/Tss2_Sys_SetCmdAuths.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tss2-sys/api/Tss2_Sys_SetCmdAuths.c b/src/tss2-sys/api/Tss2_Sys_SetCmdAuths.c
index 1bc3f3c2556f..d946c14e5cfb 100644
--- a/src/tss2-sys/api/Tss2_Sys_SetCmdAuths.c
+++ b/src/tss2-sys/api/Tss2_Sys_SetCmdAuths.c
@@ -20,7 +20,7 @@ TSS2_RC Tss2_Sys_SetCmdAuths(
const TSS2L_SYS_AUTH_COMMAND *cmdAuthsArray)
{
_TSS2_SYS_CONTEXT_BLOB *ctx = syscontext_cast(sysContext);
- uint8_t i;
+ uint16_t i;
UINT32 authSize = 0;
UINT32 newCmdSize = 0;
size_t authOffset;
--
2.27.0

View File

@ -0,0 +1,39 @@
From c42450a294c4267998aa16a477e9218ee5953aa9 Mon Sep 17 00:00:00 2001
From: Jeffrey Ferreira <jeffpferreira@gmail.com>
Date: Thu, 19 Sep 2019 13:32:00 -0700
Subject: [PATCH] tcti-device: getPollHandles should allow num_handles query
Signed-off-by: Jeffrey Ferreira <jeffpferreira@gmail.com>
---
src/tss2-tcti/tcti-device.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/tss2-tcti/tcti-device.c b/src/tss2-tcti/tcti-device.c
index 44c9fe2083d5..53a698cad061 100644
--- a/src/tss2-tcti/tcti-device.c
+++ b/src/tss2-tcti/tcti-device.c
@@ -368,12 +368,19 @@ tcti_device_get_poll_handles (
return TSS2_TCTI_RC_BAD_CONTEXT;
}
- if (handles == NULL || num_handles == NULL) {
+ if (num_handles == NULL) {
return TSS2_TCTI_RC_BAD_REFERENCE;
}
+ if (handles != NULL && *num_handles < 1) {
+ return TSS2_TCTI_RC_INSUFFICIENT_BUFFER;
+ }
+
*num_handles = 1;
- handles->fd = tcti_dev->fd;
+ if (handles != NULL) {
+ handles->fd = tcti_dev->fd;
+ }
+
return TSS2_RC_SUCCESS;
#else
(void)(tctiContext);
--
2.27.0

View File

@ -0,0 +1,39 @@
From ffca561b2de43df0a9f7f9c0e717fca943f2c38b Mon Sep 17 00:00:00 2001
From: Johannes Holland <joh.ho@gmx.de>
Date: Tue, 20 Aug 2019 16:58:09 +0200
Subject: [PATCH] tctildr: fix segmentation fault if name_conf is too big
When strlen(name_conf) is too big and logging is set to at least DEBUG,
tctildr_conf_parse will cause a segmentation fault. This happens when
the unit tests are run with logging set to DEBUG. Hence, the logging
call has to be done after the check for strlen(name_conf).
Signed-off-by: Johannes Holland <joh.ho@gmx.de>
---
src/tss2-tcti/tctildr.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/tss2-tcti/tctildr.c b/src/tss2-tcti/tctildr.c
index 76248f358860..ff967317b57b 100644
--- a/src/tss2-tcti/tctildr.c
+++ b/src/tss2-tcti/tctildr.c
@@ -117,7 +117,6 @@ tctildr_conf_parse (const char *name_conf,
char *split;
size_t combined_length;
- LOG_DEBUG ("name_conf: \"%s\"", name_conf);
if (name_conf == NULL) {
LOG_ERROR ("'name_conf' param may NOT be NULL");
return TSS2_TCTI_RC_BAD_REFERENCE;
@@ -127,6 +126,8 @@ tctildr_conf_parse (const char *name_conf,
LOG_ERROR ("combined conf length must be between 0 and PATH_MAX");
return TSS2_TCTI_RC_BAD_VALUE;
}
+
+ LOG_DEBUG ("name_conf: \"%s\"", name_conf);
if (combined_length == 0)
return TSS2_RC_SUCCESS;
split = strchr (name_conf, ':');
--
2.27.0

View File

@ -0,0 +1,96 @@
From 464da22b71e26421f55d4e8abc14711f89c89a28 Mon Sep 17 00:00:00 2001
From: Tadeusz Struk <tadeusz.struk@intel.com>
Date: Thu, 20 Feb 2020 14:11:43 -0800
Subject: [PATCH] tctildr: remove the private implementation of strndup
In fact the private implementation of strndup is only
needed for windows.
Fixes: #1633
Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
---
configure.ac | 2 +-
src/tss2-tcti/tctildr.c | 37 +++++++++++++++++--------------------
2 files changed, 18 insertions(+), 21 deletions(-)
diff --git a/configure.ac b/configure.ac
index d7724805966b..aa4ffb1b78a1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -45,7 +45,6 @@ case "${host_os}" in
esac
AC_SUBST([LIBSOCKET_LDFLAGS])
-AC_CHECK_FUNCS([strndup])
AC_ARG_ENABLE([unit],
[AS_HELP_STRING([--enable-unit],
[build cmocka unit tests])],,
@@ -65,6 +64,7 @@ AC_ARG_ENABLE([esapi],
AM_CONDITIONAL(ESAPI, test "x$enable_esapi" = "xyes")
+AC_CHECK_FUNC([strndup],[],[AC_MSG_ERROR([strndup function not found])])
AC_ARG_ENABLE([tcti-device-async],
AS_HELP_STRING([--enable-tcti-device-async],
[Enable asynchronus operation on TCTI device
diff --git a/src/tss2-tcti/tctildr.c b/src/tss2-tcti/tctildr.c
index a46b301b3ea7..92af1d3a787d 100644
--- a/src/tss2-tcti/tctildr.c
+++ b/src/tss2-tcti/tctildr.c
@@ -15,8 +15,25 @@
#include <linux/limits.h>
#elif defined(_MSC_VER)
#include <windows.h>
+#include <limits.h>
#ifndef PATH_MAX
#define PATH_MAX MAX_PATH
+
+static char *strndup(const char* s, size_t n)
+{
+ char *dst = NULL;
+
+ if (n + 1 >= USHRT_MAX)
+ return NULL;
+
+ dst = calloc(1, n + 1);
+
+ if (dst == NULL)
+ return NULL;
+
+ memcpy(dst, s, n);
+ return dst;
+}
#endif
#else
#include <limits.h>
@@ -268,26 +285,6 @@ Tss2_TctiLdr_Finalize (TSS2_TCTI_CONTEXT **tctiContext)
*tctiContext = NULL;
}
-#if !defined(HAVE_STRNDUP)
-char*
-strndup (const char* s,
- size_t n)
-{
- char* dst = NULL;
-
- if (n + 1 < n) {
- return NULL;
- }
- dst = calloc(1, n + 1);
- if (dst == NULL) {
- return NULL;
- }
- memcpy(dst, s, n);
-
- return dst;
-}
-#endif /* HAVE_STRNDUP */
-
TSS2_RC
copy_info (const TSS2_TCTI_INFO *info_src,
TSS2_TCTI_INFO *info_dst)
--
2.30.1

View File

@ -0,0 +1,139 @@
From 79f62668a31a2da938f83d534a49ad7f9bc144ca Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Thu, 19 Jan 2023 11:53:06 -0600
Subject: [PATCH] tss2_rc: ensure layer number is in bounds
The layer handler array was defined as 255, the max number of uint8,
which is the size of the layer field, however valid values are 0-255
allowing for 256 possibilities and thus the array was off by one and
needed to be sized to 256 entries. Update the size and add tests.
Note: previous implementations incorrectly dropped bits on unknown error
output, ie TSS2_RC of 0xFFFFFF should yeild a string of 255:0xFFFFFF,
but earlier implementations returned 255:0xFFFF, dropping the middle
bits, this patch fixes that.
Fixes: CVE-2023-22745
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
src/tss2-rc/tss2_rc.c | 31 +++++++++++++++++++++----------
test/unit/test_tss2_rc.c | 21 ++++++++++++++++++++-
2 files changed, 41 insertions(+), 11 deletions(-)
diff --git a/src/tss2-rc/tss2_rc.c b/src/tss2-rc/tss2_rc.c
index 93743048..0a64958f 100644
--- a/src/tss2-rc/tss2_rc.c
+++ b/src/tss2-rc/tss2_rc.c
@@ -1,5 +1,8 @@
/* SPDX-License-Identifier: BSD-2-Clause */
-
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+#include <assert.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
@@ -777,7 +780,7 @@ sys_err_handler (TSS2_RC rc)
static struct {
char name[TSS2_ERR_LAYER_NAME_MAX];
TSS2_RC_HANDLER handler;
-} layer_handler[TPM2_ERROR_TSS2_RC_LAYER_COUNT] = {
+} layer_handler[TPM2_ERROR_TSS2_RC_LAYER_COUNT + 1] = {
ADD_HANDLER("tpm" , tpm2_ehandler),
ADD_NULL_HANDLER, /* layer 1 is unused */
ADD_NULL_HANDLER, /* layer 2 is unused */
@@ -812,7 +815,7 @@ unknown_layer_handler(TSS2_RC rc)
static __thread char buf[32];
clearbuf(buf);
- catbuf(buf, "0x%X", tpm2_error_get(rc));
+ catbuf(buf, "0x%X", rc);
return buf;
}
@@ -909,19 +912,27 @@ Tss2_RC_Decode(TSS2_RC rc)
catbuf(buf, "%u:", layer);
}
- handler = !handler ? unknown_layer_handler : handler;
-
/*
* Handlers only need the error bits. This way they don't
* need to concern themselves with masking off the layer
* bits or anything else.
*/
- UINT16 err_bits = tpm2_error_get(rc);
- const char *e = err_bits ? handler(err_bits) : "success";
- if (e) {
- catbuf(buf, "%s", e);
+ if (handler) {
+ UINT16 err_bits = tpm2_error_get(rc);
+ const char *e = err_bits ? handler(err_bits) : "success";
+ if (e) {
+ catbuf(buf, "%s", e);
+ } else {
+ catbuf(buf, "0x%X", err_bits);
+ }
} else {
- catbuf(buf, "0x%X", err_bits);
+ /*
+ * we don't want to drop any bits if we don't know what to do with it
+ * so drop the layer byte since we we already have that.
+ */
+ const char *e = unknown_layer_handler(rc >> 8);
+ assert(e);
+ catbuf(buf, "%s", e);
}
return buf;
diff --git a/test/unit/test_tss2_rc.c b/test/unit/test_tss2_rc.c
index 1c8d66c9..9369beda 100644
--- a/test/unit/test_tss2_rc.c
+++ b/test/unit/test_tss2_rc.c
@@ -198,7 +198,7 @@ test_custom_handler(void **state)
* Test an unknown layer
*/
e = Tss2_RC_Decode(rc);
- assert_string_equal(e, "1:0x2A");
+ assert_string_equal(e, "1:0x100");
}
static void
@@ -281,6 +281,23 @@ test_tcti(void **state)
assert_string_equal(e, "tcti:Fails to connect to next lower layer");
}
+static void
+test_all_FFs(void **state)
+{
+ (void) state;
+
+ const char *e = Tss2_RC_Decode(0xFFFFFFFF);
+ assert_string_equal(e, "255:0xFFFFFF");
+}
+
+static void
+test_all_FFs_set_handler(void **state)
+{
+ (void) state;
+ Tss2_RC_SetHandler(0xFF, "garbage", custom_err_handler);
+ Tss2_RC_SetHandler(0xFF, NULL, NULL);
+}
+
/* link required symbol, but tpm2_tool.c declares it AND main, which
* we have a main below for cmocka tests.
*/
@@ -312,6 +329,8 @@ main(int argc, char* argv[])
cmocka_unit_test(test_esys),
cmocka_unit_test(test_mu),
cmocka_unit_test(test_tcti),
+ cmocka_unit_test(test_all_FFs),
+ cmocka_unit_test(test_all_FFs_set_handler)
};
return cmocka_run_group_tests(tests, NULL, NULL);
--
2.40.1

View File

@ -0,0 +1,31 @@
From b94392537a1ed43918483a2bfa8a90e5fd05354d Mon Sep 17 00:00:00 2001
From: Stefan Thom <mail@LordOfDorks.com>
Date: Fri, 5 Jun 2020 12:11:39 -0700
Subject: [PATCH 2/4] esys: Shared secret calculation is not spec compliant.
Refer to specification part 1 Architecture, Section 20.1 AuditSession
Introduction: If the session was bound when created (see 19.6.10 and
19.6.12), the bind value is lost and any further use of the session for
authorization will require that the authValue be used in the HMAC.
Signed-off-by: Stefan Thom <mail@LordOfDorks.com>
---
src/tss2-esys/esys_tr.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/tss2-esys/esys_tr.c b/src/tss2-esys/esys_tr.c
index c9ea537a..d14c7d35 100644
--- a/src/tss2-esys/esys_tr.c
+++ b/src/tss2-esys/esys_tr.c
@@ -511,6 +511,8 @@ Esys_TRSess_SetAttributes(ESYS_CONTEXT * esys_context, ESYS_TR esys_handle,
esys_object->rsrc.misc.rsrc_session.sessionAttributes =
(esys_object->rsrc.misc.rsrc_session.
sessionAttributes & ~mask) | (flags & mask);
+ if (esys_object->rsrc.misc.rsrc_session.sessionAttributes & TPMA_SESSION_AUDIT)
+ esys_object->rsrc.misc.rsrc_session.bound_entity.size = 0;
return TSS2_RC_SUCCESS;
}
--
2.41.0

View File

@ -0,0 +1,45 @@
From 7a56b84b5990b07efd30b5bf79331c74d28df954 Mon Sep 17 00:00:00 2001
From: Imran Desai <imran.desai@intel.com>
Date: Mon, 22 Mar 2021 16:43:36 -0700
Subject: [PATCH 3/4] esys_iutil.c: Fix issue where nonceTPM was included twice
in hmac
Fixes #2037
TPM2.0 Architecture 19.6.5 Note 7
If the same session (not the first session) is used for decrypt and
encrypt, its nonceTPM is only used once. If different sessions are
used for decrypt and encrypt, both nonceTPMs are included.
Signed-off-by: Imran Desai <imran.desai@intel.com>
---
src/tss2-esys/esys_iutil.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/src/tss2-esys/esys_iutil.c b/src/tss2-esys/esys_iutil.c
index 08a9b7df..1910c570 100644
--- a/src/tss2-esys/esys_iutil.c
+++ b/src/tss2-esys/esys_iutil.c
@@ -1265,6 +1265,18 @@ iesys_gen_auths(ESYS_CONTEXT * esys_context,
&encryptNonce);
return_if_error(r, "More than one crypt session");
+ /*
+ * TPM2.0 Architecture 19.6.5 Note 7
+ *
+ * If the same session (not the first session) is used for decrypt and
+ * encrypt, its nonceTPM is only used once. If different sessions are used
+ * for decrypt and encrypt, both nonceTPMs are included
+ */
+ if (decryptNonceIdx && (decryptNonceIdx == encryptNonceIdx)) {
+ decryptNonceIdx = 0;
+ }
+
+
/* Compute cp hash values for command buffer for all used algorithms */
r = iesys_compute_cp_hashtab(esys_context,
--
2.41.0

View File

@ -0,0 +1,42 @@
From 3a540d570d265c80dca31bfec23d267cdfa1c294 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
Date: Mon, 12 Jul 2021 10:52:53 +0200
Subject: [PATCH 4/4] ESYS: Fix buffer overflow in xor parameter obfuscation.
If trace is activated LOGBLOB_TRACE is called with a wrong pointer to display
the obfuscated data. Fixes #2115.
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
---
src/tss2-esys/esys_crypto.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/tss2-esys/esys_crypto.c b/src/tss2-esys/esys_crypto.c
index aef3e50b..a2b7b937 100644
--- a/src/tss2-esys/esys_crypto.c
+++ b/src/tss2-esys/esys_crypto.c
@@ -499,6 +499,7 @@ iesys_xor_parameter_obfuscation(TPM2_ALG_ID hash_alg,
size_t data_size_bits = data_size * 8;
size_t rest_size = data_size;
BYTE *kdfa_byte_ptr;
+ BYTE *data_start = data;
if (key == NULL || data == NULL) {
LOG_ERROR("Bad reference");
@@ -514,11 +515,11 @@ iesys_xor_parameter_obfuscation(TPM2_ALG_ID hash_alg,
return_if_error(r, "iesys_crypto_KDFa failed");
/* XOR next data sub block with KDFa result */
kdfa_byte_ptr = kdfa_result;
- LOGBLOB_TRACE(data, data_size, "Parameter data before XOR");
+ LOGBLOB_TRACE(data_start, data_size, "Parameter data before XOR");
for(size_t i = digest_size < rest_size ? digest_size : rest_size; i > 0;
i--)
*data++ ^= *kdfa_byte_ptr++;
- LOGBLOB_TRACE(data, data_size, "Parameter data after XOR");
+ LOGBLOB_TRACE(data_start, data_size, "Parameter data after XOR");
rest_size = rest_size < digest_size ? 0 : rest_size - digest_size;
}
return TSS2_RC_SUCCESS;
--
2.41.0

View File

@ -1,15 +0,0 @@
diff -up tpm2-tss-3.0.0/Doxyfile.in.me tpm2-tss-3.0.0/Doxyfile.in
--- tpm2-tss-3.0.0/Doxyfile.in.me 2020-09-15 20:24:26.463314644 +0200
+++ tpm2-tss-3.0.0/Doxyfile.in 2020-09-15 20:26:29.010866650 +0200
@@ -947,7 +947,10 @@ EXCLUDE_PATTERNS =
# Note that the wildcards are matched against the file with absolute path, so to
# exclude all test directories use the pattern */test/*
-EXCLUDE_SYMBOLS = *_IN IESYS_CMD_IN_PARAM
+EXCLUDE_SYMBOLS = StartAuthSession_IN CreatePrimary_IN ContextSave_IN ContextLoad_IN \
+ Load_IN LoadExternal_IN CreateLoaded_IN EvictControl_IN HMAC_Start_IN \
+ HierarchyChangeAuth_IN SequenceComplete_IN Policy_IN NV_IN FlushContext_IN \
+ IESYS_CMD_IN_PARAM
# The EXAMPLE_PATH tag can be used to specify one or more files or directories
# that contain example code fragments that are included (see the \include

View File

@ -1,2 +0,0 @@
#Type Name ID GECOS Home directory Shell
u tss 59 "Account used for TPM access" - -

View File

@ -1,32 +1,49 @@
Name: tpm2-tss Name: tpm2-tss
Version: 3.2.3 Version: 2.3.2
Release: 1%{?dist} Release: 6%{?dist}
Summary: TPM2.0 Software Stack Summary: TPM2.0 Software Stack
License: BSD # The entire source code is under BSD except implementation.h and tpmb.h which
URL: https://github.com/tpm2-software/tpm2-tss # is under TCGL(Trusted Computing Group License).
Source0: https://github.com/tpm2-software/tpm2-tss/releases/download/%{version}/%{name}-%{version}.tar.gz License: BSD
Source1: tpm2-tss-systemd-sysusers.conf URL: https://github.com/tpm2-software/tpm2-tss
# doxygen patch Source0: https://github.com/tpm2-software/tpm2-tss/releases/download/%{version}/%{name}-%{version}.tar.gz
Patch0: tpm2-tss-3.0.0-doxygen.patch # patch submitted upstream https://github.com/tpm2-software/tpm2-tss/pull/1707
Patch2: 0001-esys_iutil-fix-possible-NPD.patch Patch0: 0001-man-Clean-up-libmandoc-parser-warnings.patch
# Upstream patches
Patch1: 0001-esys-Check-object-handle-node-before-calling-compute.patch
Patch2: 0001-build-update-exported-symbols-map-for-libtss2-mu.patch
Patch3: 0001-esys-fix-Esys_StartAuthSession-called-with-optional-.patch
Patch4: 0001-esys-fixup-compute_encrypted_salt-err-handling-in-Es.patch
Patch5: 0001-esys-zero-out-ctx-salt-after-on-startAuthSession_fin.patch
Patch6: 0001-mu-Remove-use-of-VLAs-for-Marshalling-TPML-types.patch
Patch7: 0001-esys_iutil-use-memcmp-in-byte-array-comparison.patch
Patch8: 0001-tcti-device-getPollHandles-should-allow-num_handles-.patch
Patch9: 0001-tctildr-fix-segmentation-fault-if-name_conf-is-too-b.patch
Patch10: 0001-esys-fix-keysize-of-ECC-curve-TPM2_ECC_NISTP224.patch
Patch11: 0001-Esys_CreateLoaded-fix-resource-name-calculation.patch
Patch12: 0001-sys-match-counter-variable-type-for-cmdAuthsArray-co.patch
Patch13: 0001-Return-proper-error-code-on-memory-allocation-failur.patch
Patch14: 0001-esys-fix-hmac-calculation-for-tpm2_clear-command.patch
Patch15: 0001-tctildr-remove-the-private-implementation-of-strndup.patch
Patch16: 0001-tss2_rc-ensure-layer-number-is-in-bounds.patch
Patch17: 0001-ESYS-Fix-initialization-of-app-data-in-Esys_Initiali.patch
Patch18: 0002-esys-Shared-secret-calculation-is-not-spec-compliant.patch
Patch19: 0003-esys_iutil.c-Fix-issue-where-nonceTPM-was-included-t.patch
Patch20: 0004-ESYS-Fix-buffer-overflow-in-xor-parameter-obfuscatio.patch
%global udevrules_prefix 60- %global udevrules_prefix 60-
BuildRequires: make BuildRequires: gcc
BuildRequires: autoconf-archive BuildRequires: gcc-c++
BuildRequires: doxygen BuildRequires: doxygen
BuildRequires: gcc BuildRequires: autoconf-archive
BuildRequires: gcc-c++ BuildRequires: libtool
BuildRequires: json-c-devel BuildRequires: pkgconfig
BuildRequires: libcurl-devel BuildRequires: systemd
BuildRequires: libgcrypt-devel BuildRequires: libgcrypt-devel
BuildRequires: libtool BuildRequires: openssl-devel
BuildRequires: openssl-devel Requires(pre): shadow-utils
BuildRequires: pkgconfig
BuildRequires: systemd
BuildRequires: systemd-rpm-macros
Requires(pre): shadow-utils
%description %description
tpm2-tss is a software stack supporting Trusted Platform Module(TPM) 2.0 system tpm2-tss is a software stack supporting Trusted Platform Module(TPM) 2.0 system
@ -38,10 +55,7 @@ APIs for applications to access TPM module through kernel TPM drivers.
%build %build
# Use built-in tpm-udev.rules, with specified installation path and prefix. # Use built-in tpm-udev.rules, with specified installation path and prefix.
%configure --disable-static --disable-silent-rules \ %configure --disable-static --disable-silent-rules --with-udevrulesdir=%{_udevrulesdir} --with-udevrulesprefix=%{udevrules_prefix}
--disable-tcti-pcap --disable-tcti-libtpms \
--with-udevrulesdir=%{_udevrulesdir} --with-udevrulesprefix=%{udevrules_prefix} \
--with-runstatedir=%{_rundir} --with-tmpfilesdir=%{_tmpfilesdir} --with-sysusersdir=%{_sysusersdir}
# This is to fix Rpath errors. Taken from https://fedoraproject.org/wiki/Packaging:Guidelines#Removing_Rpath # This is to fix Rpath errors. Taken from https://fedoraproject.org/wiki/Packaging:Guidelines#Removing_Rpath
sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
@ -52,33 +66,31 @@ sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
%install %install
%make_install %make_install
find %{buildroot}%{_libdir} -type f -name \*.la -delete find %{buildroot}%{_libdir} -type f -name \*.la -delete
rm %{buildroot}%{_sysusersdir}/tpm2-tss.conf
install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/tpm2-tss.conf
%pre %pre
%sysusers_create_compat %{SOURCE1} getent group tss >/dev/null || groupadd -f -g 59 -r tss
if ! getent passwd tss >/dev/null ; then
if ! getent passwd 59 >/dev/null ; then
useradd -r -u 59 -g tss -d / -s /sbin/nologin -c "Account used for TPM access" tss
else
useradd -r -g tss -d / -s /sbin/nologin -c "Account used for TPM access" tss
fi
fi
exit 0 exit 0
%ldconfig_scriptlets
%files %files
%doc README.md CHANGELOG.md %doc README.md CHANGELOG.md
%license LICENSE %license LICENSE
%{_sysconfdir}/tpm2-tss/ %{_libdir}/libtss2-mu.so.*
%{_libdir}/libtss2-mu.so.0* %{_libdir}/libtss2-sys.so.*
%{_libdir}/libtss2-sys.so.1* %{_libdir}/libtss2-esys.so.*
%{_libdir}/libtss2-esys.so.0* %{_libdir}/libtss2-rc.so.*
%{_libdir}/libtss2-fapi.so.1* %{_libdir}/libtss2-tctildr.so.*
%{_libdir}/libtss2-rc.so.0* %{_libdir}/libtss2-tcti-device.so.*
%{_libdir}/libtss2-tctildr.so.0* %{_libdir}/libtss2-tcti-mssim.so.*
%{_libdir}/libtss2-tcti-cmd.so.0*
%{_libdir}/libtss2-tcti-device.so.0*
%{_libdir}/libtss2-tcti-mssim.so.0*
%{_libdir}/libtss2-tcti-swtpm.so.0*
%{_sysusersdir}/tpm2-tss.conf
%{_tmpfilesdir}/tpm2-tss-fapi.conf
%{_udevrulesdir}/%{udevrules_prefix}tpm-udev.rules %{_udevrulesdir}/%{udevrules_prefix}tpm-udev.rules
%package devel %package devel
Summary: Headers and libraries for building apps that use tpm2-tss Summary: Headers and libraries for building apps that use tpm2-tss
Requires: %{name}%{_isa} = %{version}-%{release} Requires: %{name}%{_isa} = %{version}-%{release}
@ -92,148 +104,71 @@ use tpm2-tss.
%{_libdir}/libtss2-mu.so %{_libdir}/libtss2-mu.so
%{_libdir}/libtss2-sys.so %{_libdir}/libtss2-sys.so
%{_libdir}/libtss2-esys.so %{_libdir}/libtss2-esys.so
%{_libdir}/libtss2-fapi.so
%{_libdir}/libtss2-rc.so %{_libdir}/libtss2-rc.so
%{_libdir}/libtss2-tctildr.so %{_libdir}/libtss2-tctildr.so
%{_libdir}/libtss2-tcti-cmd.so %{_libdir}/libtss2-tcti-default.so
%{_libdir}/libtss2-tcti-device.so %{_libdir}/libtss2-tcti-device.so
%{_libdir}/libtss2-tcti-mssim.so %{_libdir}/libtss2-tcti-mssim.so
%{_libdir}/libtss2-tcti-swtpm.so
%{_libdir}/pkgconfig/tss2-mu.pc %{_libdir}/pkgconfig/tss2-mu.pc
%{_libdir}/pkgconfig/tss2-sys.pc %{_libdir}/pkgconfig/tss2-sys.pc
%{_libdir}/pkgconfig/tss2-esys.pc %{_libdir}/pkgconfig/tss2-esys.pc
%{_libdir}/pkgconfig/tss2-fapi.pc
%{_libdir}/pkgconfig/tss2-rc.pc %{_libdir}/pkgconfig/tss2-rc.pc
%{_libdir}/pkgconfig/tss2-tctildr.pc %{_libdir}/pkgconfig/tss2-tctildr.pc
%{_libdir}/pkgconfig/tss2-tcti-cmd.pc
%{_libdir}/pkgconfig/tss2-tcti-device.pc %{_libdir}/pkgconfig/tss2-tcti-device.pc
%{_libdir}/pkgconfig/tss2-tcti-mssim.pc %{_libdir}/pkgconfig/tss2-tcti-mssim.pc
%{_libdir}/pkgconfig/tss2-tcti-swtpm.pc
%{_mandir}/man3/*.3.gz %{_mandir}/man3/*.3.gz
%{_mandir}/man5/*.5.gz
%{_mandir}/man7/tss2*.7.gz %{_mandir}/man7/tss2*.7.gz
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%changelog %changelog
* Thu May 30 2024 Štěpán Horáček <shoracek@redhat.com> - 3.2.3-1 * Wed Oct 18 2023 Štěpán Horáček <shoracek@redhat.com> - 2.3.2-6
- Rebase to 3.2.3 - Fix home directory of the tss user
Resolves: RHEL-23206 Related: RHEL-14439
* Mon Jul 3 2023 Štěpán Horáček <shoracek@redhat.com> - 3.2.2-2 * Wed Jun 7 2023 Štěpán Horáček <shoracek@redhat.com> - 2.3.2-5
- Remove misapplied license - Ensure layer number is in bounds
Resolves: rhbz#2160307 Resolves: rhbz#2160302
Resolves: rhbz#2162611
* Fri Jun 23 2023 Štěpán Horáček <shoracek@redhat.com> - 3.2.2-1 * Tue Apr 20 2021 Jerry Snitselaar <jsnitsel@redhat.com> - 2.3.2-4
- Rebase to 3.2.2 - Fix hmac calculation for tpm2_clear command.
- Use systemd-sysusers to create user - Remove private implementation of strndup.
Resolves: CVE-2023-22745 resolves: rhbz#1920825 rhbz#1940861
Resolves: rhbz#2095479
Resolves: rhbz#2160307
Resolves: rhbz#2162613
* Wed Aug 10 2022 Štěpán Horáček <shoracek@redhat.com> - 3.0.3-8 * Mon Nov 16 2020 Jerry Snitselaar <jsnitsel@redhat.com> - 2.3.2-3
- Fix memory leaks, potential crashes, upgrade to OpenSSL 3 - Add tss user if doesn't exist.
Resolves: rhbz#2041919 - Update exported symbols map for libtss2-mu
- esys: Check object handle node before calling compute_session_value
- esys: fix resource name calculation
- esys: fix Esys_StartAuthSession called with optional params
- esys: fix keysize of ECC curve TPM2_ECC_NISTP224
- esys: fixup compute_encrypted_salt error handling
- esys: use memcmp in byte array comparison
- esys: zero out ctx->salt after startAuthSession_finish
- mu: Remove use of VLAs for Marshalling TPML types
- return proper error code on memory allocation failure
- sys: match counter variable type for cmdAuthsArray->count
- tcti-device: getPollHandles should allow num_handles query
- tctildr: fix segmentation fault if name_conf is too big
resolves: rhbz#1879071 rhbz#1855180
* Thu Feb 17 2022 Štěpán Horáček <shoracek@redhat.com> - 3.0.3-7 * Mon Apr 27 2020 Jerry Snitselaar <jsnitsel@redhat.com> - 2.3.2-2
- Rebuild with latest json-c library - Clean up libmandoc parser errors.
Related: rhbz#2023328 resolves: rhbz#1789684
* Wed Aug 18 2021 Štěpán Horáček <shoracek@redhat.com> - 3.0.3-6 * Thu Feb 20 2020 Jerry Snitselaar <jsnitsel@redhat.com> - 2.3.2-1
- Fix failures while using OpenSSL 3
Resolves: rhbz#1984634
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.3-5
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.3-4
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.3-3
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Thu Nov 26 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 3.0.3-1
- Update to 3.0.2
* Sun Nov 22 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 3.0.2-1
- Update to 3.0.2
* Wed Sep 23 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 3.0.1-1
- Update to 3.0.1
* Tue Sep 15 2020 Than Ngo <than@redhat.com> - 3.0.0-4
- Fix doxygen crash
* Tue Sep 15 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 3.0.0-3
- Create tss user, if it doesn't exist, for userspace TPM access
* Fri Aug 07 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 3.0.0-2
- Install sysusers config in sysusersdir (rhbz #1834519)
* Wed Aug 05 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 3.0.0-1
- Update to 3.0.0
* Wed Aug 05 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 2.4.2-1
- Update to 2.4.2
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Thu May 14 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 2.4.1-1
- Update to 2.4.1
* Fri May 08 2020 Paul Wouters <pwouters@redhat.com> - 2.4.0-3
- Use proper rundir and tmpfiles macros so proper directories are used
* Tue Apr 21 2020 Björn Esser <besser82@fedoraproject.org> - 2.4.0-2
- Rebuild (json-c)
* Thu Mar 12 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 2.4.0-1
- Update to 2.4.0 release
* Mon Feb 24 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 2.3.3-1
- Update to 2.3.3 release
* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Dec 13 2019 Yunying Sun <yunying.sun@intel.com> - 2.3.2-1
- Update to 2.3.2 release - Update to 2.3.2 release
resolves: rhbz#1789684
* Fri Sep 6 2019 Yunying Sun <yunying.sun@intel.com> - 2.3.1-1 * Tue May 28 2019 Jerry Snitselaar <jsnitsel@redhat.com> - 2.0.0-5
- Update to 2.3.1 release - Add CI gating support
resolves: rhbz#1682418
* Thu Aug 15 2019 Yunying Sun <yunying.sun@intel.com> - 2.3.0-1 * Mon Jul 23 2018 Jerry Snitselaar <jsnitsel@redhat.com> - 2.0.0-4
- Update to 2.3.0 release - Remove TCGL from spec license list.
* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Wed May 29 2019 Yunying Sun <yunying.sun@intel.com> - 2.2.3-1
- Update to 2.2.3 release
* Fri Mar 29 2019 Yunying Sun <yunying.sun@intel.com> - 2.2.2-1
- Update to 2.2.2 release
* Mon Mar 4 2019 Peter Robinson <pbrobinson@fedoraproject.org> 2.2.1-1
- Update to 2.2.1 release
* Wed Feb 06 2019 Javier Martinez Canillas <javierm@redhat.com> - 2.2.0-1
- Update to 2.2.0 release
* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Wed Oct 10 2018 Yunying Sun <yunying.sun@intel.com> - 2.1.0-1
- Update to 2.1.0 release
* Thu Aug 30 2018 Yunying Sun <yunying.sun@intel.com> - 2.0.1-1
- Update to 2.0.1 release
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.0-3 * Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild