!7 tpm2: CryptSym: fix AES output IV
From: @jackjf Reviewed-by: @zhujianwei001 Signed-off-by: @zhujianwei001
commit
dc637d59e5
85
0001-tpm2-CryptSym-fix-AES-output-IV.patch
Normal file
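--- /dev/null
+++ b/0001-tpm2-CryptSym-fix-AES-output-IV.patch
@@ -0,0 +1,85 @@
+From 8a1716c3bb18bac169f68d24cdd095cf617eb908 Mon Sep 17 00:00:00 2001
+From: root <root@localhost.localdomain>
+Date: Tue, 6 Apr 2021 16:22:04 +0800
+Subject: [PATCH] tpm2: CryptSym: fix AES output IV The TPM is supposed to
+provide the output IV in the ivInOut parameter in CryptSymmetricEncrypt. In
+the case of using the openssl routines, the output IV is missed, and the
+resulting output from the TPM is in the input IV.
+
+OpenSSL unfortunately does not export EVP_CIPHER_CTX_iv() until
+tags/OpenSSL_1_1_0, so we have to fall back to the reference code for
+previous OpenSSL versions.
+
+Signed-off-by: William Roberts <william.c.roberts@intel.com>
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+---
+configure.ac | 1 +
+src/tpm2/crypto/openssl/CryptSym.c | 19 +++++++++++++++++++
+2 files changed, 20 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index 1bb45d1..0c57ef3 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -165,6 +165,7 @@ AS_IF([test "x$enable_use_openssl_functions" != "xno"], [
+AC_CHECK_LIB([crypto], [EVP_aes_128_cbc],, not_found=1)
+AC_CHECK_LIB([crypto], [EVP_des_ede3_cbc],, not_found=1)
+AC_CHECK_LIB([crypto], [DES_random_key],, not_found=1)
++ AC_CHECK_LIB([crypto], [EVP_CIPHER_CTX_iv],, not_found=1)
+if test "x$not_found" = "x0"; then
+use_openssl_functions_symmetric=1
+use_openssl_functions_for="symmetric (AES, TDES) "
+diff --git a/src/tpm2/crypto/openssl/CryptSym.c b/src/tpm2/crypto/openssl/CryptSym.c
+index 7aa90da..856def6 100644
+--- a/src/tpm2/crypto/openssl/CryptSym.c
++++ b/src/tpm2/crypto/openssl/CryptSym.c
+@@ -531,6 +531,7 @@ CryptSymmetricEncrypt(
+BYTE keyToUse[MAX_SYM_KEY_BYTES];
+UINT16 keyToUseLen = (UINT16)sizeof(keyToUse);
+TPM_RC retVal = TPM_RC_SUCCESS;
++ int ivLen;
+
+pAssert(dOut != NULL && key != NULL && dIn != NULL);
+if(dSize == 0)
+@@ -595,6 +596,14 @@ CryptSymmetricEncrypt(
+if (EVP_EncryptFinal_ex(ctx, pOut + outlen1, &outlen2) != 1)
+ERROR_RETURN(TPM_RC_FAILURE);
+
++ if (ivInOut) {
++ ivLen = EVP_CIPHER_CTX_iv_length(ctx);
++ if (ivLen < 0 || (size_t)ivLen > sizeof(ivInOut->t.buffer))
++ ERROR_RETURN(TPM_RC_FAILURE);
++
++ ivInOut->t.size = ivLen;
++ memcpy(ivInOut->t.buffer, EVP_CIPHER_CTX_iv(ctx), ivInOut->t.size);
++ }
+Exit:
+if (retVal == TPM_RC_SUCCESS && pOut != dOut)
+memcpy(dOut, pOut, outlen1 + outlen2);
+@@ -636,6 +645,7 @@ CryptSymmetricDecrypt(
+BYTE keyToUse[MAX_SYM_KEY_BYTES];
+UINT16 keyToUseLen = (UINT16)sizeof(keyToUse);
+TPM_RC retVal = TPM_RC_SUCCESS;
++ int ivLen;
+
+// These are used but the compiler can't tell because they are initialized
+// in case statements and it can't tell if they are always initialized
+@@ -707,6 +717,15 @@ CryptSymmetricDecrypt(
+
+pAssert((int)buffersize >= outlen1 + outlen2);
+
++ if (ivInOut) {
++ ivLen = EVP_CIPHER_CTX_iv_length(ctx);
++ if (ivLen < 0 || (size_t)ivLen > sizeof(ivInOut->t.buffer))
++ ERROR_RETURN(TPM_RC_FAILURE);
++
++ ivInOut->t.size = ivLen;
++ memcpy(ivInOut->t.buffer, EVP_CIPHER_CTX_iv(ctx), ivInOut->t.size);
++ }
++
+Exit:
+if (retVal == TPM_RC_SUCCESS) {
+pAssert(dSize >= outlen1 + outlen2);
+--
+2.27.0
+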
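Review bot: In both added `if (ivInOut)` blocks of CryptSym.c (CryptSymmetricEncrypt and CryptSymmetricDecrypt), the result of `EVP_CIPHER_CTX_iv(ctx)` goes straight into `memcpy` with no NULL check, after `ivInOut->t.size` has already been overwritten. The length is bounded against `sizeof(ivInOut->t.buffer)`, but the pointer is not validated; on OpenSSL 3.x this accessor is deprecated and, as far as I know, can return NULL when the lookup fails, so this is worth confirming against the OpenSSL the package builds with. I would fetch the pointer first and fail closed, e.g. `iv = EVP_CIPHER_CTX_iv(ctx);` followed by `if (iv == NULL) ERROR_RETURN(TPM_RC_FAILURE);`, and only then assign `t.size` and copy. Both functions begin and end outside the hunks shown, so the surrounding mode handling is not visible here.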
17
libtpms.spec
17
libtpms.spec
@ -5,8 +5,8 @@
|
||||
|
||||
|
||||
%define name libtpms
|
||||
%define versionx 0.7.3
|
||||
%define release 2
|
||||
%define versionx 0.7.3
|
||||
%define release 3
|
||||
|
||||
# Valid crypto subsystems are 'freebl' and 'openssl'
|
||||
%if "%{?crypto_subsystem}" == ""
|
||||
@ -19,13 +19,15 @@
|
||||
Summary: Library providing Trusted Platform Module (TPM) functionality
|
||||
Name: %{name}
|
||||
Version: %{versionx}
|
||||
Release: 2
|
||||
Release: 3
|
||||
License: BSD
|
||||
Group: Development/Libraries
|
||||
Url: http://github.com/stefanberger/libtpms
|
||||
Source0: %{url}/archive/%{gitcommit}/%{name}-%{gitshortcommit}.tar.gz
|
||||
Provides: libtpms-%{crypto_subsystem} = %{version}-%{release}
|
||||
|
||||
Patch0: 0001-tpm2-CryptSym-fix-AES-output-IV.patch
|
||||
|
||||
%if "%{crypto_subsystem}" == "openssl"
|
||||
BuildRequires: openssl-devel
|
||||
%else
|
||||
@ -74,7 +76,8 @@ Libtpms header files and documentation.
|
||||
%attr(644, root, root) %{_mandir}/man3/*
|
||||
|
||||
%prep
|
||||
%autosetup -n %{name}-%{gitcommit}
|
||||
%setup -n %{name}-%{gitcommit}
|
||||
%autopatch -p1
|
||||
|
||||
%build
|
||||
|
||||
@ -116,6 +119,12 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/libtpms.la
|
||||
%postun -p /sbin/ldconfig
|
||||
|
||||
%changelog
|
||||
* Mon Apr 5 2021 jiangfangjie <jiangfangjie@huawei.com> - 0.7.3-3
|
||||
- Type:CVE
|
||||
- ID:NA
|
||||
- SUG:NA
|
||||
- DESC: fix CVE-2021-3446
|
||||
|
||||
* Mon Sep 14 2020 jiangfangjie <jiangfangjie@huawei.com> - 0.7.3-2
|
||||
- update spec file including source0 and update source file
|
||||
|
||||
|
||||