packages/tpm2-tools
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

revert sm2 sign and verifysignature

Browse Source
This commit is contained in:
bianxiuning 2024-06-21 14:11:54 +08:00
parent 783c21ea47
commit d830c3fddb
2 changed files with 411 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

406
revert-sm2-sign-and-verifysignature.patch Normal file
View File

@ -0,0 +1,406 @@
From 7acc98aec8925b938212bdd0aabc1b6d176c24c1 Mon Sep 17 00:00:00 2001
From: mayuanchen <94815698+mayuanchenma@users.noreply.github.com>
Date: Thu, 5 Jan 2023 21:46:55 +0800
Subject: [PATCH] revert: sm2 sign and verifysignature.
Although tpm2 tools sm2 sign and verifysignature conform to sm2 standard,
sm2 only sign and verifysignature the digest in the tpm2. so keep pace
with tpm2 and remove the code.
Signed-off-by: mayuanchen <94815698+mayuanchenma@users.noreply.github.com>
---
lib/tpm2_alg_util.c | 93 -------------------------
lib/tpm2_alg_util.h | 27 --------
lib/tpm2_hash.c | 127 -----------------------------------
lib/tpm2_hash.h | 49 --------------
tools/tpm2_sign.c | 16 +----
tools/tpm2_verifysignature.c | 16 +----
6 files changed, 4 insertions(+), 324 deletions(-)
diff --git a/lib/tpm2_alg_util.c b/lib/tpm2_alg_util.c
index 9b7f3d73..65739fc7 100644
--- a/lib/tpm2_alg_util.c
+++ b/lib/tpm2_alg_util.c
@@ -1145,96 +1145,3 @@ TPM2_ALG_ID tpm2_alg_util_get_name_alg(ESYS_CONTEXT *ectx, ESYS_TR handle) {
Esys_Free(name);
return name_alg;
}
-
-tool_rc tpm2_alg_util_sm2_compute_id_digest(ESYS_CONTEXT *ectx, ESYS_TR handle, const char *id, size_t idlen, TPM2B_DIGEST *result) {
-
- TPMS_ALGORITHM_DETAIL_ECC *parameters = NULL;
- TPM2B_PUBLIC *public = NULL;
- TPM2B *id_input = NULL;
- TPM2B_DIGEST *tmp_digest = NULL;
-
- if (!id || !result) {
- return tool_rc_general_error;
- }
-
- /* 2-byte id length in bits */
- if (strlen(id) != idlen) {
- LOG_ERR("invalid sm2 id!");
- return tool_rc_general_error;
- }
-
- if (idlen > SM2_MAX_ID_LENGTH || idlen <= 0) {
- LOG_ERR("invalid id length!");
- return tool_rc_general_error;
- }
-
- tool_rc rc = tpm2_geteccparameters(ectx, TPM2_ECC_SM2_P256, &parameters,
- NULL, TPM2_ALG_NULL);
- if (rc != tool_rc_success) {
- LOG_ERR("Could not get ecc parameters!");
- goto out;
- }
-
- rc = tpm2_readpublic(ectx, handle, &public, NULL, NULL);
- if (rc != tool_rc_success) {
- LOG_ERR("Could not read public!");
- goto out;
- }
-
- UINT16 key_nbytes = parameters->keySize/8;
- if (public->publicArea.type != TPM2_ALG_ECC ||
- public->publicArea.parameters.eccDetail.curveID != TPM2_ECC_SM2_P256 ||
- public->publicArea.unique.ecc.x.size != key_nbytes ||
- public->publicArea.unique.ecc.y.size != key_nbytes) {
- LOG_ERR("invalid sm2 public key!");
- rc = tool_rc_general_error;
- goto out;
- }
-
- BYTE idbits[2];
- idbits[0] = ((idlen * 8) >> 8) % 256;
- idbits[1] = (idlen * 8) % 256;
-
- UINT16 total_size = sizeof(idbits) + idlen + 6 * key_nbytes;
-
- id_input = (TPM2B *) calloc(1, sizeof(TPM2B) + total_size);
- if (id_input == NULL) {
- LOG_ERR("Could not calloc memory!");
- rc = tool_rc_general_error;
- goto out;
- }
-
- id_input->size = total_size;
-
- UINT16 pos = 0;
- memcpy(id_input->buffer + pos, idbits, sizeof(idbits));
- pos += sizeof(idbits);
- memcpy(id_input->buffer + pos, id, idlen);
- pos += idlen;
- memcpy(id_input->buffer + pos, parameters->a.buffer, key_nbytes);
- pos += key_nbytes;
- memcpy(id_input->buffer + pos, parameters->b.buffer, key_nbytes);
- pos += key_nbytes;
- memcpy(id_input->buffer + pos, parameters->gX.buffer, key_nbytes);
- pos += key_nbytes;
- memcpy(id_input->buffer + pos, parameters->gY.buffer, key_nbytes);
- pos += key_nbytes;
- memcpy(id_input->buffer + pos, public->publicArea.unique.ecc.x.buffer, key_nbytes);
- pos += key_nbytes;
- memcpy(id_input->buffer + pos, public->publicArea.unique.ecc.y.buffer, key_nbytes);
-
- rc = tpm2_hash_compute_data(ectx, TPM2_ALG_SM3_256, TPM2_RH_OWNER,
- id_input->buffer, id_input->size, &tmp_digest, NULL);
- if (rc != tool_rc_success) {
- goto out;
- }
-
- *result = *tmp_digest;
-
-out:
- free(id_input);
- Esys_Free(public);
- Esys_Free(tmp_digest);
- Esys_Free(parameters);
- return rc;
-}
diff --git a/lib/tpm2_alg_util.h b/lib/tpm2_alg_util.h
index 83cecb17..ae5e3fbb 100644
--- a/lib/tpm2_alg_util.h
+++ b/lib/tpm2_alg_util.h
@@ -239,31 +239,4 @@ bool tpm2_alg_util_is_sm4_size_valid(UINT16 size_in_bytes);
*/
TPM2_ALG_ID tpm2_alg_util_get_name_alg(ESYS_CONTEXT *ectx, ESYS_TR handle);
-#define SM2_MAX_ID_BITS 65535
-#define SM2_MAX_ID_LENGTH (SM2_MAX_ID_BITS/8)
-#define SM2_DEFAULT_ID_GMT09 "1234567812345678"
-#define SM2_DEFAULT_ID SM2_DEFAULT_ID_GMT09
-#define SM2_DEFAULT_ID_LENGTH (sizeof(SM2_DEFAULT_ID) - 1)
-
-/**
- * Given an ESYS_TR handle to an object, retrieves ecc sm2 parameters
- * with making a geteccparameters call, retrieves the public key with
- * making a readpublic call, and compute id digest.
- *
- * @param ectx
- * The ESAPI context.
- * @param handle
- * The handle of the object to query.
- * @param id
- * sm2 id.
- * @param idlen
- * sm2 id length.
- * @param result
- * sm2 id digest output.
- * @return
- * tool_rc indicating status.
- */
-tool_rc tpm2_alg_util_sm2_compute_id_digest(ESYS_CONTEXT *ectx, ESYS_TR handle,
- const char *id, size_t idlen, TPM2B_DIGEST *result);
-
#endif /* LIB_TPM2_ALG_UTIL_H_ */
diff --git a/lib/tpm2_hash.c b/lib/tpm2_hash.c
index c0ad2bc5..a3c0dd7d 100644
--- a/lib/tpm2_hash.c
+++ b/lib/tpm2_hash.c
@@ -134,130 +134,3 @@ tool_rc tpm2_hash_file(ESYS_CONTEXT *ectx, TPMI_ALG_HASH halg,
return tpm2_hash_common(ectx, halg, hierarchy, input, NULL, 0, result,
validation);
}
-
-static tool_rc tpm2_sm2_compute_msg_digest(ESYS_CONTEXT *ectx,
- TPMI_ALG_HASH halg, TPMI_RH_HIERARCHY hierarchy, FILE *infilep,
- BYTE *inbuffer, UINT16 inbuffer_len, TPM2B_DIGEST *z_digest,
- TPM2B_DIGEST **result, TPMT_TK_HASHCHECK **validation) {
-
- /* if we're using infilep, get file size */
- bool use_left = true;
- unsigned long left = inbuffer_len;
- if (!!infilep) {
- /* Suppress error reporting with NULL path */
- use_left = files_get_file_size(infilep, &left, NULL);
- }
-
- TPM2B_MAX_BUFFER buffer = {0};
- if (z_digest->size <= BUFFER_SIZE(typeof(*z_digest), buffer)) {
- buffer.size = z_digest->size;
- memcpy(buffer.buffer, z_digest->buffer, z_digest->size);
- } else {
- return tool_rc_general_error;
- }
-
- /*
- * length is either unknown because the FILE * is a fifo, or it's too
- * big to do in a single hash call. Based on the size figure out the
- * chunks to loop over, if possible. This way we can call Complete with
- * data.
- */
- TPMI_DH_OBJECT sequence_handle;
- TPM2B_AUTH null_auth = TPM2B_EMPTY_INIT;
- tool_rc rc = tpm2_hash_sequence_start(ectx, &null_auth, halg, &sequence_handle);
- if (rc != tool_rc_success) {
- return rc;
- }
-
- rc = tpm2_sequence_update(ectx, sequence_handle, &buffer);
- if (rc != tool_rc_success) {
- return rc;
- }
- /* If we know the file size, we decrement the amount read and terminate
- * the loop when 1 block is left, else we go till feof.
- */
- bool done = false;
- if (use_left && left <= TPM2_MAX_DIGEST_BUFFER) {
- done = true;
- } else {
- done = false;
- }
-
- size_t bytes_read;
- while (!done) {
- /* if we're using infilep, read the file. Otherwise, directly
- copy into our local buffer. */
- buffer.size = BUFFER_SIZE(typeof(buffer), buffer);
- if (!!infilep) {
- bytes_read = fread(buffer.buffer, 1, buffer.size, infilep);
- if (ferror(infilep)) {
- LOG_ERR("Error reading from input file");
- return tool_rc_general_error;
- } else {
- buffer.size = bytes_read;
- }
- } else {
- memcpy(buffer.buffer, inbuffer, buffer.size);
- inbuffer = inbuffer + buffer.size;
- }
-
- rc = tpm2_sequence_update(ectx, sequence_handle, &buffer);
- if (rc != tool_rc_success) {
- return rc;
- }
-
- if (use_left) {
- left -= buffer.size;
- if (left <= TPM2_MAX_DIGEST_BUFFER) {
- done = true;
- continue;
- }
- } else if (!!infilep && feof(infilep)) {
- done = true;
- }
- } /* end file read/hash update loop */
-
- /* if there is data left, get the last bit of data from the file or
- buffer or set the size to zero */
- if (use_left) {
- buffer.size = left;
- if (!!infilep) {
- bool res = files_read_bytes(infilep, buffer.buffer, buffer.size);
- if (!res) {
- LOG_ERR("Error reading from input file.");
- return tool_rc_general_error;
- }
- } else {
- memcpy(buffer.buffer, inbuffer, buffer.size);
- }
- } else {
- buffer.size = 0;
- }
-
- return tpm2_sequence_complete(ectx, sequence_handle,
- &buffer, hierarchy, result, validation);
-}
-
-tool_rc tpm2_sm2_compute_msg_digest_data(ESYS_CONTEXT *ectx, TPMI_ALG_HASH halg,
- TPMI_RH_HIERARCHY hierarchy, BYTE *buffer, UINT16 length,
- TPM2B_DIGEST *z, TPM2B_DIGEST **result, TPMT_TK_HASHCHECK **validation) {
-
- if (!buffer || !z) {
- return tool_rc_general_error;
- }
-
- return tpm2_sm2_compute_msg_digest(ectx, halg, hierarchy, NULL, buffer, length,
- z, result, validation);
-}
-
-tool_rc tpm2_sm2_compute_msg_digest_file(ESYS_CONTEXT *ectx, TPMI_ALG_HASH halg,
- TPMI_RH_HIERARCHY hierarchy, FILE *input, TPM2B_DIGEST *z,
- TPM2B_DIGEST **result, TPMT_TK_HASHCHECK **validation) {
-
- if (!input || !z) {
- return tool_rc_general_error;
- }
-
- return tpm2_sm2_compute_msg_digest(ectx, halg, hierarchy, input, NULL, 0, z,
- result, validation);
-}
diff --git a/lib/tpm2_hash.h b/lib/tpm2_hash.h
index ac4729ba..12e8e0bd 100644
--- a/lib/tpm2_hash.h
+++ b/lib/tpm2_hash.h
@@ -53,53 +53,4 @@ tool_rc tpm2_hash_file(ESYS_CONTEXT *ectx, TPMI_ALG_HASH halg,
TPMI_RH_HIERARCHY hierarchy, FILE *input, TPM2B_DIGEST **result,
TPMT_TK_HASHCHECK **validation);
-/**
- * Hashes a BYTE array via the tpm.
- * @param context
- * The esapi context.
- * @param hash_alg
- * The hashing algorithm to use.
- * @param hierarchy
- * The hierarchy.
- * @param buffer
- * The data to hash.
- * @param length
- * The length of the data.
- * @param input
- * The sm2 id digest.
- * @param result
- * The digest result.
- * @param validation
- * The validation ticket. Note that some hierarchies don't produce a
- * validation ticket and thus size will be 0.
- * @return
- * A tool_rc indicating status.
- */
-tool_rc tpm2_sm2_compute_msg_digest_data(ESYS_CONTEXT *ectx, TPMI_ALG_HASH halg,
- TPMI_RH_HIERARCHY hierarchy, BYTE *buffer, UINT16 length,
- TPM2B_DIGEST *z, TPM2B_DIGEST **result, TPMT_TK_HASHCHECK **validation);
-
-/**
- * Hashes a FILE * object via the tpm.
- * @param context
- * The esapi context.
- * @param hash_alg
- * The hashing algorithm to use.
- * @param hierarchy
- * The hierarchy.
- * @param input
- * The FILE object to hash.
- * @param input
- * The sm2 id digest.
- * @param result
- * The digest result.
- * @param validation
- * The validation ticket. Note that some hierarchies don't produce a
- * validation ticket and thus size will be 0.
- * @return
- * A tool_rc indicating status.
- */
-tool_rc tpm2_sm2_compute_msg_digest_file(ESYS_CONTEXT *ectx, TPMI_ALG_HASH halg,
- TPMI_RH_HIERARCHY hierarchy, FILE *input, TPM2B_DIGEST *z,
- TPM2B_DIGEST **result, TPMT_TK_HASHCHECK **validation);
#endif /* SRC_TPM_HASH_H_ */
diff --git a/tools/tpm2_sign.c b/tools/tpm2_sign.c
index 7c7b3ce7..77d7c2a8 100644
--- a/tools/tpm2_sign.c
+++ b/tools/tpm2_sign.c
@@ -140,20 +140,8 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
return tool_rc_general_error;
}
- if (ctx.in_scheme.scheme == TPM2_ALG_SM2 && ctx.halg == TPM2_ALG_SM3_256) {
- TPM2B_DIGEST z_digest;
- rc = tpm2_alg_util_sm2_compute_id_digest(ectx, ctx.signing_key.object.tr_handle,
- SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH, &z_digest);
- if (rc != tool_rc_success) {
- LOG_ERR("Sign could not compute id digest");
- } else {
- rc = tpm2_sm2_compute_msg_digest_file(ectx, ctx.halg, TPM2_RH_OWNER, input, &z_digest,
- &ctx.digest, &temp_validation_ticket);
- }
- } else {
- rc = tpm2_hash_file(ectx, ctx.halg, TPM2_RH_OWNER, input, &ctx.digest,
- &temp_validation_ticket);
- }
+ rc = tpm2_hash_file(ectx, ctx.halg, TPM2_RH_OWNER, input, &ctx.digest,
+ &temp_validation_ticket);
if (input != stdin) {
fclose(input);
}
diff --git a/tools/tpm2_verifysignature.c b/tools/tpm2_verifysignature.c
index a0f76077..240165d6 100644
--- a/tools/tpm2_verifysignature.c
+++ b/tools/tpm2_verifysignature.c
@@ -158,20 +158,8 @@ static tool_rc init(ESYS_CONTEXT *context) {
goto err;
}
- if (ctx.signature.sigAlg == TPM2_ALG_SM2 && ctx.halg == TPM2_ALG_SM3_256) {
- TPM2B_DIGEST z_digest;
- tmp_rc = tpm2_alg_util_sm2_compute_id_digest(context, ctx.key_context_object.tr_handle,
- SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH, &z_digest);
- if (tmp_rc != tool_rc_success) {
- LOG_ERR("Verify could not compute id digest");
- } else {
- tmp_rc = tpm2_sm2_compute_msg_digest_data(context, ctx.halg, TPM2_RH_NULL,
- msg->buffer, msg->size, &z_digest, &ctx.msg_hash, NULL);
- }
- } else {
- tmp_rc = tpm2_hash_compute_data(context, ctx.halg, TPM2_RH_NULL,
- msg->buffer, msg->size, &ctx.msg_hash, NULL);
- }
+ tmp_rc = tpm2_hash_compute_data(context, ctx.halg, TPM2_RH_NULL,
+ msg->buffer, msg->size, &ctx.msg_hash, NULL);
if (tmp_rc != tool_rc_success) {
rc = tmp_rc;
LOG_ERR("Compute message hash failed!");
--
2.27.0

6
tpm2-tools.spec
View File

@ -1,6 +1,6 @@
Name: tpm2-tools
Version: 5.5
Release: 2
Release: 3
Summary: A TPM2.0 testing tool based on TPM2.0-TSS
License: BSD
URL: https://github.com/tpm2-software/tpm2-tools
@ -8,6 +8,7 @@ Source0: https://github.com/tpm2-software/tpm2-tools/releases/download/%{v
Patch0: backport-CVE-2024-29038.patch
Patch1: backport-CVE-2024-29039.patch
Patch2: revert-sm2-sign-and-verifysignature.patch
BuildRequires: gcc-c++ libtool autoconf-archive pkgconfig(cmocka) pkgconfig(libcurl) pkgconfig(openssl)
BuildRequires: pkgconfig(tss2-mu) pkgconfig(tss2-sys) pkgconfig(tss2-esys) pkgconfig(uuid) libgcrypt
@ -59,6 +60,9 @@ make check
%{_mandir}/*/*
%changelog
* Fri Jun 21 2024 bianxiuning <bianxiuning@kylinos.cn> - 5.5-3
- revert sm2 sign and verifysignature
* Thu May 02 2024 cenhuilin <cenhuilin@kylinos.cn> - 5.5-2
- fix CVE-2024-29038 CVE-2024-29039