Ken Goldman
2015-03-16 16:58:54 UTC
I believe that this is a bug. Please check.
~~
The call tree is:
./testsuite-0.3/tcg/nv/Tspi_NV_DefineSpace02.c
result = Tspi_Policy_SetSecret(hPolicy, TESTSUITE_OWNER_SECRET_MODE,
TESTSUITE_WRONG_OWNER_SECRET_LEN,
TESTSUITE_WRONG_OWNER_SECRET);
./trousers-0.3.13/src/tspi/tspi_policy.c
return obj_policy_set_secret(hPolicy, secretMode, ulSecretLength,
rgbSecret);
,/trousers-0.3.13/src/tspi/obj_policy.c:
if ((result = Trspi_Hash(TSS_HASH_SHA1, size, data,
(BYTE *)&digest.digest)))
/trousers-0.3.13/src/trspi/crypto/openssl/hash.c
rv = EVP_DigestUpdate(&md_ctx, Buf, BufSize);
~~
This all looks OK until one notices that TESTSUITE_WRONG_OWNER_SECRET
is not a constant string. It's a (IMHO far too clever) macro, hiding
an getenv call.
./testsuite-0.3/tcg/include/common.h:
#define TESTSUITE_WRONG_OWNER_SECRET getenv("TESTSUITE_WRONG_OWNER_SECRET")
When the env variable isn't defined, the macro hides the fact that a
NULL pointer is passed into the code, which crashes deep within openssl.
~~
As a minimum, not checking for a NULL anywhere is a bug.
IMHO, the real bug is use of the clever macro to trick the user into
using what they think is a simple constant but is really code that can
fail with no error checking.
~~
The call tree is:
./testsuite-0.3/tcg/nv/Tspi_NV_DefineSpace02.c
result = Tspi_Policy_SetSecret(hPolicy, TESTSUITE_OWNER_SECRET_MODE,
TESTSUITE_WRONG_OWNER_SECRET_LEN,
TESTSUITE_WRONG_OWNER_SECRET);
./trousers-0.3.13/src/tspi/tspi_policy.c
return obj_policy_set_secret(hPolicy, secretMode, ulSecretLength,
rgbSecret);
,/trousers-0.3.13/src/tspi/obj_policy.c:
if ((result = Trspi_Hash(TSS_HASH_SHA1, size, data,
(BYTE *)&digest.digest)))
/trousers-0.3.13/src/trspi/crypto/openssl/hash.c
rv = EVP_DigestUpdate(&md_ctx, Buf, BufSize);
~~
This all looks OK until one notices that TESTSUITE_WRONG_OWNER_SECRET
is not a constant string. It's a (IMHO far too clever) macro, hiding
an getenv call.
./testsuite-0.3/tcg/include/common.h:
#define TESTSUITE_WRONG_OWNER_SECRET getenv("TESTSUITE_WRONG_OWNER_SECRET")
When the env variable isn't defined, the macro hides the fact that a
NULL pointer is passed into the code, which crashes deep within openssl.
~~
As a minimum, not checking for a NULL anywhere is a bug.
IMHO, the real bug is use of the clever macro to trick the user into
using what they think is a simple constant but is really code that can
fail with no error checking.