packages/libtpms
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!7 tpm2: CryptSym: fix AES output IV

Browse Source 
From: @jackjf
Reviewed-by: @zhujianwei001
Signed-off-by: @zhujianwei001
This commit is contained in:
openeuler-ci-bot 2021-04-14 17:46:16 +08:00 committed by Gitee
commit dc637d59e5
2 changed files with 98 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

85
0001-tpm2-CryptSym-fix-AES-output-IV.patch Normal file
View File

@ -0,0 +1,85 @@
From 8a1716c3bb18bac169f68d24cdd095cf617eb908 Mon Sep 17 00:00:00 2001
From: root <root@localhost.localdomain>
Date: Tue, 6 Apr 2021 16:22:04 +0800
Subject: [PATCH] tpm2: CryptSym: fix AES output IV The TPM is supposed to
provide the output IV in the ivInOut parameter in CryptSymmetricEncrypt. In
the case of using the openssl routines, the output IV is missed, and the
resulting output from the TPM is in the input IV.
OpenSSL unfortunately does not export EVP_CIPHER_CTX_iv() until
tags/OpenSSL_1_1_0, so we have to fall back to the reference code for
previous OpenSSL versions.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
configure.ac | 1 +
src/tpm2/crypto/openssl/CryptSym.c | 19 +++++++++++++++++++
2 files changed, 20 insertions(+)
diff --git a/configure.ac b/configure.ac
index 1bb45d1..0c57ef3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -165,6 +165,7 @@ AS_IF([test "x$enable_use_openssl_functions" != "xno"], [
AC_CHECK_LIB([crypto], [EVP_aes_128_cbc],, not_found=1)
AC_CHECK_LIB([crypto], [EVP_des_ede3_cbc],, not_found=1)
AC_CHECK_LIB([crypto], [DES_random_key],, not_found=1)
+ AC_CHECK_LIB([crypto], [EVP_CIPHER_CTX_iv],, not_found=1)
if test "x$not_found" = "x0"; then
use_openssl_functions_symmetric=1
use_openssl_functions_for="symmetric (AES, TDES) "
diff --git a/src/tpm2/crypto/openssl/CryptSym.c b/src/tpm2/crypto/openssl/CryptSym.c
index 7aa90da..856def6 100644
--- a/src/tpm2/crypto/openssl/CryptSym.c
+++ b/src/tpm2/crypto/openssl/CryptSym.c
@@ -531,6 +531,7 @@ CryptSymmetricEncrypt(
BYTE keyToUse[MAX_SYM_KEY_BYTES];
UINT16 keyToUseLen = (UINT16)sizeof(keyToUse);
TPM_RC retVal = TPM_RC_SUCCESS;
+ int ivLen;
pAssert(dOut != NULL && key != NULL && dIn != NULL);
if(dSize == 0)
@@ -595,6 +596,14 @@ CryptSymmetricEncrypt(
if (EVP_EncryptFinal_ex(ctx, pOut + outlen1, &outlen2) != 1)
ERROR_RETURN(TPM_RC_FAILURE);
+ if (ivInOut) {
+ ivLen = EVP_CIPHER_CTX_iv_length(ctx);
+ if (ivLen < 0 || (size_t)ivLen > sizeof(ivInOut->t.buffer))
+ ERROR_RETURN(TPM_RC_FAILURE);
+
+ ivInOut->t.size = ivLen;
+ memcpy(ivInOut->t.buffer, EVP_CIPHER_CTX_iv(ctx), ivInOut->t.size);
+ }
Exit:
if (retVal == TPM_RC_SUCCESS && pOut != dOut)
memcpy(dOut, pOut, outlen1 + outlen2);
@@ -636,6 +645,7 @@ CryptSymmetricDecrypt(
BYTE keyToUse[MAX_SYM_KEY_BYTES];
UINT16 keyToUseLen = (UINT16)sizeof(keyToUse);
TPM_RC retVal = TPM_RC_SUCCESS;
+ int ivLen;
// These are used but the compiler can't tell because they are initialized
// in case statements and it can't tell if they are always initialized
@@ -707,6 +717,15 @@ CryptSymmetricDecrypt(
pAssert((int)buffersize >= outlen1 + outlen2);
+ if (ivInOut) {
+ ivLen = EVP_CIPHER_CTX_iv_length(ctx);
+ if (ivLen < 0 || (size_t)ivLen > sizeof(ivInOut->t.buffer))
+ ERROR_RETURN(TPM_RC_FAILURE);
+
+ ivInOut->t.size = ivLen;
+ memcpy(ivInOut->t.buffer, EVP_CIPHER_CTX_iv(ctx), ivInOut->t.size);
+ }
+
Exit:
if (retVal == TPM_RC_SUCCESS) {
pAssert(dSize >= outlen1 + outlen2);
--
2.27.0

17
libtpms.spec
View File

@ -5,8 +5,8 @@
%define name libtpms %define name libtpms
%define versionx 0.7.3 %define versionx 0.7.3
%define release 2 %define release 3
# Valid crypto subsystems are 'freebl' and 'openssl' # Valid crypto subsystems are 'freebl' and 'openssl'
%if "%{?crypto_subsystem}" == "" %if "%{?crypto_subsystem}" == ""
@ -19,13 +19,15 @@
Summary: Library providing Trusted Platform Module (TPM) functionality Summary: Library providing Trusted Platform Module (TPM) functionality
Name: %{name} Name: %{name}
Version: %{versionx} Version: %{versionx}
Release: 2 Release: 3
License: BSD License: BSD
Group: Development/Libraries Group: Development/Libraries
Url: http://github.com/stefanberger/libtpms Url: http://github.com/stefanberger/libtpms
Source0: %{url}/archive/%{gitcommit}/%{name}-%{gitshortcommit}.tar.gz Source0: %{url}/archive/%{gitcommit}/%{name}-%{gitshortcommit}.tar.gz
Provides: libtpms-%{crypto_subsystem} = %{version}-%{release} Provides: libtpms-%{crypto_subsystem} = %{version}-%{release}
Patch0: 0001-tpm2-CryptSym-fix-AES-output-IV.patch
%if "%{crypto_subsystem}" == "openssl" %if "%{crypto_subsystem}" == "openssl"
BuildRequires: openssl-devel BuildRequires: openssl-devel
%else %else
@ -74,7 +76,8 @@ Libtpms header files and documentation.
%attr(644, root, root) %{_mandir}/man3/* %attr(644, root, root) %{_mandir}/man3/*
%prep %prep
%autosetup -n %{name}-%{gitcommit} %setup -n %{name}-%{gitcommit}
%autopatch -p1
%build %build
@ -116,6 +119,12 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/libtpms.la
%postun -p /sbin/ldconfig %postun -p /sbin/ldconfig
%changelog %changelog
* Mon Apr 5 2021 jiangfangjie <jiangfangjie@huawei.com> - 0.7.3-3
- Type:CVE
- ID:NA
- SUG:NA
- DESC: fix CVE-2021-3446
* Mon Sep 14 2020 jiangfangjie <jiangfangjie@huawei.com> - 0.7.3-2 * Mon Sep 14 2020 jiangfangjie <jiangfangjie@huawei.com> - 0.7.3-2
- update spec file including source0 and update source file - update spec file including source0 and update source file