tpm2_identity_util!: add buffer size check in hmac_outer_integrity to prevent potential oob

lib/tpm2_identity_util.c

@@ -285,11 +285,18 @@ static bool aes_encrypt_buffers(TPMT_SYM_DEF_OBJECT *sym,
     return result;
 }
 
-static void hmac_outer_integrity(TPMI_ALG_HASH parent_name_alg,
+static bool hmac_outer_integrity(TPMI_ALG_HASH parent_name_alg,
         uint8_t *buffer1, uint16_t buffer1_size, uint8_t *buffer2,
         uint16_t buffer2_size, uint8_t *hmac_key,
         TPM2B_DIGEST *outer_integrity_hmac) {
 
+    if ((size_t)buffer1_size + buffer2_size > TPM2_MAX_DIGEST_BUFFER) {
+        LOG_ERR("Necessary buffer size (%u) exceeds TPM2_MAX_DIGEST_BUFFER (%zu)",
+                (unsigned)(buffer1_size + buffer2_size),
+                (size_t)TPM2_MAX_DIGEST_BUFFER);
+        return false;
+    }
+
     uint8_t to_hmac_buffer[TPM2_MAX_DIGEST_BUFFER];
     memcpy(to_hmac_buffer, buffer1, buffer1_size);
     memcpy(to_hmac_buffer + buffer1_size, buffer2, buffer2_size);
@@ -301,6 +308,7 @@ static void hmac_outer_integrity(TPMI_ALG_HASH parent_name_alg,
             to_hmac_buffer, buffer1_size + buffer2_size,
             outer_integrity_hmac->buffer, &size);
     outer_integrity_hmac->size = size;
+    return true;
 }
 
 bool tpm2_identity_util_calculate_inner_integrity(TPMI_ALG_HASH name_alg,
@@ -376,7 +384,7 @@ bool tpm2_identity_util_calculate_inner_integrity(TPMI_ALG_HASH name_alg,
             encrypted_inner_integrity);
 }
 
-void tpm2_identity_util_calculate_outer_integrity(TPMI_ALG_HASH parent_name_alg,
+bool tpm2_identity_util_calculate_outer_integrity(TPMI_ALG_HASH parent_name_alg,
         TPM2B_NAME *pubname, TPM2B_MAX_BUFFER *marshalled_sensitive,
         TPM2B_MAX_BUFFER *protection_hmac_key,
         TPM2B_MAX_BUFFER *protection_enc_key, TPMT_SYM_DEF_OBJECT *sym_alg,
@@ -390,7 +398,8 @@ void tpm2_identity_util_calculate_outer_integrity(TPMI_ALG_HASH parent_name_alg,
             marshalled_sensitive->buffer, marshalled_sensitive->size,
             NULL, 0, encrypted_duplicate_sensitive);
     //Calculate outerHMAC
-    hmac_outer_integrity(parent_name_alg, encrypted_duplicate_sensitive->buffer,
+    return hmac_outer_integrity(parent_name_alg,
+            encrypted_duplicate_sensitive->buffer,
             encrypted_duplicate_sensitive->size, pubname->name, pubname->size,
             protection_hmac_key->buffer, outer_hmac);
 }

lib/tpm2_identity_util.h

@@ -95,7 +95,7 @@ bool tpm2_identity_util_calculate_inner_integrity(TPMI_ALG_HASH name_alg,
  * @param outer_hmac
  *  The outer HMAC structure to populate.
  */
-void tpm2_identity_util_calculate_outer_integrity(TPMI_ALG_HASH parent_name_alg,
+bool tpm2_identity_util_calculate_outer_integrity(TPMI_ALG_HASH parent_name_alg,
         TPM2B_NAME *pubname, TPM2B_MAX_BUFFER *marshalled_sensitive,
         TPM2B_MAX_BUFFER *protection_hmac_key,
         TPM2B_MAX_BUFFER *protection_enc_key, TPMT_SYM_DEF_OBJECT *sym_alg,

tools/tpm2_duplicate.c

@@ -147,11 +147,14 @@ static tool_rc openssl_create_duplicate(void) {
      */
     TPM2B_DIGEST outer_hmac = TPM2B_EMPTY_INIT;
     TPM2B_MAX_BUFFER encrypted_duplicate_sensitive = TPM2B_EMPTY_INIT;
-    tpm2_identity_util_calculate_outer_integrity(
+    bool outer_res = tpm2_identity_util_calculate_outer_integrity(
         ctx.in_parent_public_key_data.publicArea.nameAlg,
         &pubname, &marshalled_sensitive, &hmac_key, &enc_key,
         &ctx.in_parent_public_key_data.publicArea.parameters.rsaDetail.symmetric,
         &encrypted_duplicate_sensitive, &outer_hmac);
+    if (!outer_res) {
+        return tool_rc_general_error;
+    }
 
     /*
      * Build the private data structure for writing out

tools/tpm2_import.c

@@ -375,10 +375,15 @@ static tool_rc process_input_ossl_import(ESYS_CONTEXT *ectx) {
 
     TPM2B_DIGEST outer_hmac = TPM2B_EMPTY_INIT;
     TPM2B_MAX_BUFFER encrypted_duplicate_sensitive = TPM2B_EMPTY_INIT;
-    tpm2_identity_util_calculate_outer_integrity(parent_pub->publicArea.nameAlg,
+    bool outer_res = tpm2_identity_util_calculate_outer_integrity(
+        parent_pub->publicArea.nameAlg,
         &pubname, &encrypted_inner_integrity, &hmac_key, &enc_key,
         &parent_pub->publicArea.parameters.rsaDetail.symmetric,
         &encrypted_duplicate_sensitive, &outer_hmac);
+    if (!outer_res) {
+        rc = tool_rc_general_error;
+        goto out;
+    }
 
     result = create_import_key_private_data(parent_pub->publicArea.nameAlg,
         &encrypted_duplicate_sensitive, &outer_hmac);

tools/tpm2_makecredential.c

@@ -137,10 +137,13 @@ static tool_rc make_external_credential_and_save(void) {
      */
     TPM2B_DIGEST outer_hmac = TPM2B_EMPTY_INIT;
     TPM2B_MAX_BUFFER encrypted_sensitive = TPM2B_EMPTY_INIT;
-    tpm2_identity_util_calculate_outer_integrity(name_alg, &ctx.object_name,
-            &marshalled_inner_integrity, &hmac_key, &enc_key,
+    bool outer_res = tpm2_identity_util_calculate_outer_integrity(name_alg,
+            &ctx.object_name, &marshalled_inner_integrity, &hmac_key, &enc_key,
             &ctx.public.publicArea.parameters.rsaDetail.symmetric,
             &encrypted_sensitive, &outer_hmac);
+    if (!outer_res) {
+        return tool_rc_general_error;
+    }
 
     /*
      * Package up the info to save