* [tpm2] Unable to encrypt larger buffers
@ 2017-12-06 21:57 Arvind Kumar
  0 siblings, 0 replies; 3+ messages in thread
From: Arvind Kumar @ 2017-12-06 21:57 UTC (permalink / raw)
  To: tpm2

Previously, I used tpm2_rsaencrypt to encrypt larger buffers. I installed
tpm2-tools, tpm2-abrmd, tpm2-tss from master and observe that tpm2_rsaencrypt
does not encrypt buffers larger than 128 bit. This will break all our use
cases, any clues why such a limitation?

ERROR:

$tpm2_rsaencrypt keyfile -c context_load_out -o encryptfile

ERROR: File "keyfile" size is larger than buffer, got 4096 expected less
than 512

ERROR: Data to be sealed larger than expected. Got 512 expected 1


* Re: [tpm2] Unable to encrypt larger buffers
@ 2017-12-07 17:42 Roberts, William C
  0 siblings, 0 replies; 3+ messages in thread
From: Roberts, William C @ 2017-12-07 17:42 UTC (permalink / raw)
  To: tpm2

I think this is not a bug and is finally working as intended… but I could be wrong.

FYI some information is here as well:
https://github.com/intel/tpm2-tools/issues/680

For RSA:
I don’t think it’s a bug. You can’t encrypt data larger than the keysize and sometimes
smaller based on padding scheme. I don’t see a way to do a sequence with RSA
algorithms.

I think the code before in the tools was glossing over this bug and you are not getting what you
expect.

On 1.1.1 the input file was read with: loadDataFromFile. Both tools are using this routine.

The code below looks like it would just read size bytes. Size has remained
constant through all revisions as the message size of a TPM2B_PUBLIC_KEY_RSA
type for the RSA tool. It looks like size has also remained constant in the tpm2_create
tool.

int loadDataFromFile(const char *fileName, UINT8 *buf, UINT16 *size)
{
    UINT16 count = 1, left;
    FILE *f;
    if ( size == NULL || buf == NULL || fileName == NULL )
        return -1;

    f = fopen(fileName, "rb+");
    if( f == NULL )
    {
        printf("File(%s) open error.\n", fileName);
        return -2;
    }

    left = *size;
    *size = 0;
    while( left > 0 && count > 0 )
    {
        count = fread(buf, 1, left, f);
        *size += count;
        left -= count;
        buf += count;
    }

    if( *size == 0 )
    {
        printf("File read error\n");
        fclose(f);
        return -3;
    }
    fclose(f);
    return 0;
}



From: tpm2 [mailto:tpm2-bounces(a)lists.01.org] On Behalf Of Ian Oliver
Sent: Thursday, December 7, 2017 1:22 AM
To: Arvind Kumar <arvind.kumar(a)iotium.io>
Cc: tpm2(a)lists.01.org
Subject: Re: [tpm2] Unable to encrypt larger buffers

Hello,
can confirm with 1.3.0rc1.... tpm2_create does not work with over 128 byte files:

tpm2_create -g sha256 -G keyedhash -u unseal.pub -r unseal.priv -I ethkey.gz -H 0x81010000
ERROR: File "ethkey.gz" size is larger than buffer, got 412 expected less than 128
ERROR: Data to be sealed larger than expected. Got 128 expected 1
ls -l ethkey.gz
-rw------- 1 ioliver ioliver 412 joulu  7 11:18 ethkey.gz
Ian


On 6 December 2017 at 23:57, Arvind Kumar <arvind.kumar(a)iotium.io> wrote:
Previously, I used tpm2_rsaencrypt to encrypt larger buffers. I installed tpm2-tools, tpm2-abrmd, tpm2-tss from master and observe that tpm2_rsaencrypt does not encrypt buffers larger than 128 bit. This will break all our use cases, any clues why such a limitation?

ERROR:

$tpm2_rsaencrypt keyfile -c context_load_out -o encryptfile

ERROR: File "keyfile" size is larger than buffer, got 4096 expected less than 512

ERROR: Data to be sealed larger than expected. Got 512 expected 1

--
Dr. Ian Oliver
===============================
Privacy Engineering:  via Amazon<http://www.amazon.co.uk/dp/1497569710>
Twitter: @i_j_oliver


* Re: [tpm2] Unable to encrypt larger buffers
@ 2017-12-07  9:22 Ian Oliver
  0 siblings, 0 replies; 3+ messages in thread
From: Ian Oliver @ 2017-12-07  9:22 UTC (permalink / raw)
  To: tpm2

Hello,

can confirm with 1.3.0rc1.... tpm2_create does not work with over 128 byte
files:

tpm2_create -g sha256 -G keyedhash -u unseal.pub -r unseal.priv -I
ethkey.gz -H 0x81010000
ERROR: File "ethkey.gz" size is larger than buffer, got 412 expected less
than 128
ERROR: Data to be sealed larger than expected. Got 128 expected 1
ls -l ethkey.gz
-rw------- 1 ioliver ioliver 412 joulu  7 11:18 ethkey.gz

Ian


On 6 December 2017 at 23:57, Arvind Kumar <arvind.kumar(a)iotium.io> wrote:

> Previously, I used tpm2_rsaencrypt to encrypt larger buffers. I installed
> tpm2-tools, tpm2-abrmd, tpm2-tss from master and observe that tpm2_rsaencrypt
> does not encrypt buffers larger than 128 bit. This will break all our use
> cases, any clues why such a limitation?
>
> ERROR:
>
> $tpm2_rsaencrypt keyfile -c context_load_out -o encryptfile
>
> ERROR: File "keyfile" size is larger than buffer, got 4096 expected less
> than 512
>
> ERROR: Data to be sealed larger than expected. Got 512 expected 1


-- 
*Dr. Ian Oliver*
===============================
Privacy Engineering:  via Amazon <http://www.amazon.co.uk/dp/1497569710>
*Twitter: @i_j_oliver*
