diff --git a/src/tpm2.c b/src/tpm2.c
index 84258c31..c62c92f0 100644
--- a/src/tpm2.c
+++ b/src/tpm2.c
@@ -5866,7 +5866,8 @@ int TPM2_GetNonceNoLock(byte* nonceBuf, int nonceSz)
 }
 TPM2_Packet_ParseU16(&packet, &outSz);
- if (outSz > MAX_RNG_REQ_SIZE) {
+ if (outSz == 0 || outSz > MAX_RNG_REQ_SIZE ||
+ randSz > nonceSz || outSz > (nonceSz - randSz)) {
 #ifdef DEBUG_WOLFTPM
 printf("TPM2_GetNonce out size error\n");
 #endif
diff --git a/src/tpm2_swtpm.c b/src/tpm2_swtpm.c
index 98f038b5..758bc354 100644
--- a/src/tpm2_swtpm.c
+++ b/src/tpm2_swtpm.c
@@ -260,7 +260,7 @@ static TPM_RC SwTpmDisconnect(TPM2_CTX* ctx)
 */
 int TPM2_SWTPM_SendCommand(TPM2_CTX* ctx, TPM2_Packet* packet)
 {
- int rc = TPM_RC_FAILURE;
+ int rc = TPM_RC_SUCCESS;
 int rspSz = 0;
 uint32_t tss_word;
diff --git a/src/tpm2_wrap.c b/src/tpm2_wrap.c
index 93e19e52..7a3e0f2c 100644
--- a/src/tpm2_wrap.c
+++ b/src/tpm2_wrap.c
@@ -540,6 +540,14 @@ int wolfTPM2_SetKeyBlobFromBuffer(WOLFTPM2_KEYBLOB* key, byte *buffer,
 runner += sizeof(key->pub.size);
 done_reading += sizeof(key->pub.size);
+ if (key->pub.size > sizeof(pubAreaBuffer) - sizeof(UINT16)) {
+#ifdef DEBUG_WOLFTPM
+ printf("Public key size too large (%d > %d)\n",
+ key->pub.size, (int)(sizeof(pubAreaBuffer) - sizeof(UINT16)));
+#endif
+ return BUFFER_E;
+ }
+
 if (bufferSz < done_reading + sizeof(UINT16) + key->pub.size) {
 #ifdef DEBUG_WOLFTPM
 printf("Buffer size check failed (%d)\n", bufferSz);
@@ -569,6 +577,14 @@ int wolfTPM2_SetKeyBlobFromBuffer(WOLFTPM2_KEYBLOB* key, byte *buffer,
 runner += sizeof(key->priv.size);
 done_reading += sizeof(key->priv.size);
+ if (key->priv.size > sizeof(key->priv.buffer)) {
+#ifdef DEBUG_WOLFTPM
+ printf("Private key size too large (%d > %d)\n",
+ key->priv.size, (int)sizeof(key->priv.buffer));
+#endif
+ return BUFFER_E;
+ }
+
 if (bufferSz < done_reading + key->priv.size) {
 #ifdef DEBUG_WOLFTPM
 printf("Buffer size check failed (%d)\n", bufferSz);
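Review bot: The widened length check on the `outSz` line has no comment explaining its four terms, and the rest of TPM2_GetNonceNoLock, including whatever loop advances randSz, lies outside the hunk. A reader has to work out that `outSz == 0` presumably rejects a response that would make that loop stall and that the last two terms keep the copy inside nonceBuf (`randSz > nonceSz` is tested first, so the subtraction cannot go negative). Suggest `/* reject empty, oversized, or nonceBuf-overflowing response lengths */` above the `if`.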
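Review bot: Initializing `rc` to `TPM_RC_SUCCESS` inverts the function's default outcome: any path through TPM2_SWTPM_SendCommand (its body is outside the hunk) that reaches the return without assigning rc now reports success instead of failure. If that is intentional, a comment on the line records the new contract, e.g. `/* assume success; every failure path below must set rc */`, and each early exit in the body should be checked to assign rc explicitly.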
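Review bot: The bound `sizeof(pubAreaBuffer) - sizeof(UINT16)` in the new `key->pub.size` check is unexplained; presumably pubAreaBuffer holds a UINT16 size prefix followed by the public area, but its declaration is outside the hunk. A short comment would make the intent reviewable, e.g. `/* pubAreaBuffer = UINT16 size prefix + public area; bound the area alone */`. The sibling `key->priv.size` check at @@ -569 compares directly against `sizeof(key->priv.buffer)` and needs none.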
@@ -1032,7 +1048,7 @@ int wolfTPM2_SetAuthHandle(WOLFTPM2_DEV* dev, int index,
 {
 const TPM2B_AUTH* auth = NULL;
 const TPM2B_NAME* name = NULL;
- if (dev == NULL || index >= MAX_SESSION_NUM) {
+ if (dev == NULL || index < 0 || index >= MAX_SESSION_NUM) {
 return BAD_FUNC_ARG;
 }
@@ -1063,8 +1079,11 @@ int wolfTPM2_SetAuthHandle(WOLFTPM2_DEV* dev, int index,
 session->auth.size = authDigestSz + handle->auth.size;
 XMEMCPY(&session->auth.buffer[authDigestSz], handle->auth.buffer,
 handle->auth.size);
+ if (handle->name.size > sizeof(session->name.name)) {
+ return BUFFER_E;
+ }
 session->name.size = handle->name.size;
- XMEMCPY(session->name.name, handle->name.name, handle->name.size);
+ XMEMCPY(session->name.name, handle->name.name, session->name.size);
 return TPM_RC_SUCCESS;
 }
 auth = &handle->auth;
@@ -1079,7 +1098,7 @@ int wolfTPM2_SetAuthHandleName(WOLFTPM2_DEV* dev, int index,
 const TPM2B_NAME* name = NULL;
 TPM2_AUTH_SESSION* session;
- if (dev == NULL || handle == NULL || index >= MAX_SESSION_NUM) {
+ if (dev == NULL || handle == NULL || index < 0 || index >= MAX_SESSION_NUM) {
 return BAD_FUNC_ARG;
 }
@@ -1136,7 +1155,7 @@ int wolfTPM2_SetAuthSession(WOLFTPM2_DEV* dev, int index,
 {
 int rc;
- if (dev == NULL || index >= MAX_SESSION_NUM) {
+ if (dev == NULL || index < 0 || index >= MAX_SESSION_NUM) {
 return BAD_FUNC_ARG;
 }
@@ -2939,6 +2958,9 @@ int wolfTPM2_ImportEccPrivateKeySeed(WOLFTPM2_DEV* dev, const WOLFTPM2_KEY* pare
 if (rc == 0) {
 rc = wolfTPM2_ImportPrivateKey(dev, parentKey, keyBlob, &pub, &sens);
 }
+
+ TPM2_ForceZero(&sens, sizeof(sens));
+
 return rc;
 }
@@ -3684,6 +3706,10 @@ int wolfTPM2_CreateRsaKeyBlob(WOLFTPM2_DEV* dev, const WOLFTPM2_KEY* parentKey,
 /* not used */
 (void)p;
+ TPM2_ForceZero(d, sizeof(d));
+ TPM2_ForceZero(p, sizeof(p));
+ TPM2_ForceZero(q, sizeof(q));
+
 return rc;
 }
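Review bot: The new `handle->name.size` bound check at @@ -1063 sits after `session->auth.size` and `session->auth.buffer` have already been overwritten by the two preceding context lines, so a `BUFFER_E` return leaves the session holding the new auth with the old name. Move the check above the `session->auth.size = ...` line so the session is updated completely or not at all. Those same auth lines show no guard that `authDigestSz + handle->auth.size` fits `sizeof(session->auth.buffer)`; unless that is checked earlier in wolfTPM2_SetAuthHandle (outside the hunk), the same `BUFFER_E` pattern belongs there as well.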
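Review bot: The `TPM2_ForceZero(&sens, ...)` call at @@ -2939 is placed at the single fall-through `return rc`, so any earlier `return` in wolfTPM2_ImportEccPrivateKeySeed (its body is outside the hunk) would skip the wipe; the same placement is used at @@ -3684, @@ -3911 and @@ -6097. Routing early exits through a cleanup label, as wolfTPM2_LoadSymmetricKey does with `exit:` at @@ -5857, guarantees the zeroization on every path. If those functions have no early returns, a one-line comment such as `/* single exit: sensitive material is wiped here on every path */` records that invariant for the next edit.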
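Review bot: `TPM2_ForceZero(d, sizeof(d))`, and likewise for `p` and `q` at @@ -3684, only wipes the buffers if d, p and q are arrays local to wolfTPM2_CreateRsaKeyBlob; their declarations are outside the hunk, and if any of them is a pointer, `sizeof` yields the pointer size and the key material stays in memory. The same pattern appears at @@ -3728 in wolfTPM2_RsaKey_WolfToTpm_ex. Passing the explicit buffer lengths the function tracks, if it has them, or adding `/* d, p, q are local byte arrays */` beside the calls would make this checkable; the `/* not used */ (void)p;` comment just above also reads oddly now that p is wiped.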
@@ -3728,6 +3754,10 @@ int wolfTPM2_RsaKey_WolfToTpm_ex(WOLFTPM2_DEV* dev, const WOLFTPM2_KEY* parentKe
 /* not used */
 (void)p;
+
+ TPM2_ForceZero(d, sizeof(d));
+ TPM2_ForceZero(p, sizeof(p));
+ TPM2_ForceZero(q, sizeof(q));
 }
 else {
 /* export the raw public RSA portion */
@@ -3911,6 +3941,8 @@ int wolfTPM2_CreateEccKeyBlob(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* parentKey,
 qx, qxSz, qy, qySz, d, dSz);
 }
+ TPM2_ForceZero(d, sizeof(d));
+
 return rc;
 }
@@ -3986,6 +4018,8 @@ int wolfTPM2_EccKey_WolfToTpm_ex(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* parentKey,
 rc = wolfTPM2_LoadEccPrivateKey(dev, parentKey, tpmKey, curve_id,
 qx, qxSz, qy, qySz, d, dSz);
 }
+
+ TPM2_ForceZero(d, sizeof(d));
 }
 else {
 /* export the raw public ECC portion */
@@ -5231,6 +5265,10 @@ int wolfTPM2_NVReadCert(WOLFTPM2_DEV* dev, TPM_HANDLE handle,
 WOLFTPM2_NV nv;
 TPMS_NV_PUBLIC nvPublic;
+ if (len == NULL) {
+ return BAD_FUNC_ARG;
+ }
+
 XMEMSET(&nvPublic, 0, sizeof(nvPublic));
 XMEMSET(&nv, 0, sizeof(nv));
@@ -5530,7 +5568,7 @@ int wolfTPM2_GetRandom(WOLFTPM2_DEV* dev, byte* buf, word32 len)
 }
 sz = out.randomBytes.size; /* use actual returned size */
- if (sz > MAX_RNG_REQ_SIZE) {
+ if (sz == 0 || sz > MAX_RNG_REQ_SIZE || sz > (len - pos)) {
 #ifdef DEBUG_WOLFTPM
 printf("wolfTPM2_GetRandom out size error\n");
 #endif
@@ -5857,6 +5895,8 @@ int wolfTPM2_LoadSymmetricKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key, int alg,
 exit:
+ TPM2_ForceZero(&loadExtIn.inPrivate, sizeof(loadExtIn.inPrivate));
+
 if (rc != TPM_RC_SUCCESS) {
 #ifdef DEBUG_WOLFTPM
 printf("TPM2_LoadExternal: failed %d: %s\n",
@@ -6097,6 +6137,8 @@ int wolfTPM2_LoadKeyedHashKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key, int alg,
 (word32)key->handle.hndl);
 #endif
+ TPM2_ForceZero(&createIn.inSensitive, sizeof(createIn.inSensitive));
+
 return rc;
 }
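Review bot: The new `sz > (len - pos)` term at @@ -5530 in wolfTPM2_GetRandom relies on `pos <= len`; `len` is a `word32`, and if `pos` (declared outside the hunk) is unsigned too, a `pos` above `len` wraps the subtraction and lets the check pass. The tpm2.c hunk for TPM2_GetNonceNoLock guards the equivalent case explicitly with `randSz > nonceSz ||`; mirroring it here, `if (sz == 0 || sz > MAX_RNG_REQ_SIZE || pos > len || sz > (len - pos)) {`, keeps the two readers of the RNG response consistent.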