Merge pull request #503 from aidangarske/fenrir-fixes-11

Hardening fixes for examples, fwTPM command handlers, and crypto helpers

Author: dgarske

examples/attestation/make_credential.c

@@ -133,7 +133,7 @@ int TPM2_MakeCredential_Example(void* userCtx, int argc, char *argv[])
     if (rc != TPM_RC_SUCCESS) {
         printf("TPM2_LoadExternal: failed %d: %s\n", rc,
             wolfTPM2_GetRCString(rc));
-        return rc;
+        goto exit;
     }
     printf("Public key for encryption loaded\n");
     handle.hndl = loadExtOut.objectHandle;

examples/boot/secret_unseal.c

@@ -167,6 +167,12 @@ int TPM2_Boot_SecretUnseal_Example(void* userCtx, int argc, char *argv[])
                 usage();
                 return 0;
             }
+            if (pcrArraySz >= sizeof(pcrArray) / sizeof(pcrArray[0])) {
+                printf("Too many -pcr= arguments (max %zu)\n",
+                    sizeof(pcrArray) / sizeof(pcrArray[0]));
+                usage();
+                return 0;
+            }
             pcrArray[pcrArraySz] = pcrIndex;
             pcrArraySz++;
         }

examples/firmware/ifx_fw_extract.c

@@ -129,16 +129,20 @@ static int extractFW(
 
     READ_BE16(size16, fw, fw_size, offset);
     offset += size16 + 1;
+    if (offset > fw_size) { LOG("FW file too short"); return -1; }
 
     READ_BE16(size16, fw, fw_size, offset);
     offset += size16;
+    if (offset > fw_size) { LOG("FW file too short"); return -1; }
 
     READ_BE16(size16, fw, fw_size, offset);
     offset2 = offset;
     offset += size16;
+    if (offset > fw_size) { LOG("FW file too short"); return -1; }
 
     READ_BE16(size16, fw, offset, offset2);
     offset2 += size16;
+    if (offset2 > offset) { LOG("Bad manifest header size"); return -1; }
 
     READ_BE16(num, fw, offset, offset2);
 
@@ -149,6 +153,10 @@ static int extractFW(
 
         READ_BE16(size16, fw, offset, offset2);
 
+        if ((size_t)offset2 + size16 > offset) {
+            LOG("Bad manifest entry size");
+            return -1;
+        }
         if (group == keygroup_id) {
             printf("Chosen group found: %08x\n", group);
             *manifest = &fw[offset2];

examples/keygen/external_import.c

@@ -127,12 +127,19 @@ int TPM2_ExternalImport_Example(void* userCtx, int argc, char *argv[])
         argc--;
     }
 
+    XMEMSET(&dev, 0, sizeof(dev));
+    XMEMSET(&storage, 0, sizeof(storage));
+    primary = &storage;
+
 #ifndef WOLFTPM2_NO_HEAP
     key2 = wolfTPM2_NewKeyBlob();
     rsaKey3 = wolfTPM2_NewKeyBlob();
+    if (key2 == NULL || rsaKey3 == NULL) {
+        printf("wolfTPM2_NewKeyBlob allocation failed\n");
+        rc = MEMORY_E;
+        goto exit;
+    }
 #endif
-    XMEMSET(&storage, 0, sizeof(storage));
-    primary = &storage;
 
     rc = wolfTPM2_Init(&dev, TPM2_IoCb, NULL);
     if (rc != TPM_RC_SUCCESS) {
@@ -237,8 +244,15 @@ int TPM2_ExternalImport_Example(void* userCtx, int argc, char *argv[])
     }
 
 exit:
+#ifndef WOLFTPM2_NO_HEAP
+    if (rsaKey3 != NULL)
+        wolfTPM2_UnloadHandle(&dev, &rsaKey3->handle);
+    if (key2 != NULL)
+        wolfTPM2_UnloadHandle(&dev, &key2->handle);
+#else
     wolfTPM2_UnloadHandle(&dev, &rsaKey3->handle);
     wolfTPM2_UnloadHandle(&dev, &key2->handle);
+#endif
     wolfTPM2_UnloadHandle(&dev, &primary->handle);
 
 #ifndef WOLFTPM2_NO_HEAP

examples/keygen/keygen.c

@@ -286,6 +286,12 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
         }
         else if (XSTRNCMP(argv[argc-1], "-auth=", XSTRLEN("-auth=")) == 0) {
             authStr = argv[argc-1] + XSTRLEN("-auth=");
+            if (XSTRLEN(authStr) > sizeof(auth.buffer)) {
+                printf("-auth value too long (max %zu)\n",
+                    sizeof(auth.buffer));
+                usage();
+                return 0;
+            }
         }
         else if (argv[argc-1][0] != '-') {
             outputFile = argv[argc-1];

examples/keygen/keyimport.c

@@ -191,7 +191,15 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[])
 
     /* setup an auth value */
     if (password != NULL) {
-        impKey.handle.auth.size = (int)XSTRLEN(password);
+        size_t pwLen;
+        pwLen = XSTRLEN(password);
+        if (pwLen > sizeof(impKey.handle.auth.buffer)) {
+            printf("-password too long (max %zu)\n",
+                sizeof(impKey.handle.auth.buffer));
+            rc = BUFFER_E;
+            goto exit;
+        }
+        impKey.handle.auth.size = (UINT16)pwLen;
         XMEMCPY(impKey.handle.auth.buffer, password, impKey.handle.auth.size);
     }
 

examples/native/native_test.c

@@ -1232,7 +1232,7 @@ int TPM2_Native_TestArgs(void* userCtx, int argc, char *argv[])
     if (rc != TPM_RC_SUCCESS) {
         printf("TPM2_ObjectChangeAuth failed 0x%x: %s\n", rc,
             TPM2_GetRCString(rc));
-        //goto exit;
+        goto exit;
     }
     hmacKey.priv = cmdOut.objChgAuth.outPrivate;
     printf("TPM2_ObjectChangeAuth: private %d\n", hmacKey.priv.size);

examples/nvram/seal_nv.c

@@ -196,7 +196,15 @@ int TPM2_NVRAM_SealNV_Example(void* userCtx, int argc, char *argv[])
     /* Set owner auth */
     parent.hndl = TPM_RH_OWNER;
     if (XSTRLEN(ownerAuth) > 0) {
-        parent.auth.size = (int)XSTRLEN(ownerAuth);
+        size_t authLen;
+        authLen = XSTRLEN(ownerAuth);
+        if (authLen > sizeof(parent.auth.buffer)) {
+            fprintf(stderr, "-ownerauth value too long (max %zu)\n",
+                sizeof(parent.auth.buffer));
+            rc = BUFFER_E;
+            goto exit;
+        }
+        parent.auth.size = (UINT16)authLen;
         XMEMCPY(parent.auth.buffer, ownerAuth, parent.auth.size);
     }
 

examples/pcr/policy_sign.c

@@ -274,6 +274,12 @@ int TPM2_PCR_PolicySign_Example(void* userCtx, int argc, char *argv[])
                 usage();
                 return 0;
             }
+            if (pcrArraySz >= sizeof(pcrArray) / sizeof(pcrArray[0])) {
+                printf("Too many -pcr= arguments (max %zu)\n",
+                    sizeof(pcrArray) / sizeof(pcrArray[0]));
+                usage();
+                return 0;
+            }
             pcrArray[pcrArraySz] = pcrIndex;
             pcrArraySz++;
         }

examples/tls/tls_client_notpm.c

@@ -131,13 +131,15 @@ int TLS_ClientArgs(int argc, char *argv[])
                 ca_cert_der_2048, sizeof_ca_cert_der_2048,
                 WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) {
             printf("Error loading ca_cert_der_2048 DER cert\n");
+            rc = WOLFSSL_FATAL_ERROR;
             goto exit;
         }
     #elif defined(HAVE_ECC)
         if (wolfSSL_CTX_load_verify_buffer(ctx,
                 ca_ecc_cert_der_256, sizeof_ca_ecc_cert_der_256,
                 WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) {
             printf("Error loading ca_ecc_cert_der_256 DER cert\n");
+            rc = WOLFSSL_FATAL_ERROR;
             goto exit;
         }
     #endif
@@ -149,22 +151,26 @@ int TLS_ClientArgs(int argc, char *argv[])
         if (wolfSSL_CTX_use_certificate_buffer(ctx,
                 client_cert_der_2048, sizeof_client_cert_der_2048,
                 WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) {
+            rc = WOLFSSL_FATAL_ERROR;
             goto exit;
         }
         if (wolfSSL_CTX_use_PrivateKey_buffer(ctx,
                 client_key_der_2048, sizeof_client_key_der_2048,
                 WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) {
+            rc = WOLFSSL_FATAL_ERROR;
             goto exit;
         }
     #elif defined(HAVE_ECC)
         if (wolfSSL_CTX_use_certificate_buffer(ctx,
                 cliecc_cert_der_256, sizeof_cliecc_cert_der_256,
                 WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) {
+            rc = WOLFSSL_FATAL_ERROR;
             goto exit;
         }
         if (wolfSSL_CTX_use_PrivateKey_buffer(ctx,
                 ecc_clikey_der_256, sizeof_ecc_clikey_der_256,
                 WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) {
+            rc = WOLFSSL_FATAL_ERROR;
             goto exit;
         }
     #endif