authorJames Bottomley <James.Bottomley@HansenPartnership.com>2023-12-15 17:43:48 -0500
committerJames Bottomley <James.Bottomley@HansenPartnership.com>2023-12-17 10:36:10 -0500
commit12c06b5555aff1edc4cf3007d5ce9cc3f55b722d (patch)
treea25bf754ea417f926c7efd1f4e250e2b63b57f8e
parentd5eeceff61adfc529670359808424c7e811865f4 (diff)
downloadopenssl_tpm2_engine-12c06b5555aff1edc4cf3007d5ce9cc3f55b722d.tar.gz
Rethread handling of authorizations for TPM2_PolicySecret
In theory, TPM2_PolicySecret allows multiple different passwords to be specified to use an object. However, this is incompatible with the single password model of openssl (and all other crypto systems), so we make the rule that if a policy contains TPM2_PolicySecret, meaning the auth has to be passed in to the policy session, then it can't also be required to authorize the main command as well (i.e. only a single authorization string per policy). We implement this by making the authorization string a return from tpm2_init_session. If authorization hasn't been consumed by policy sessions, it will be the value of app_data->auth; otherwise, if it has been consumed, it will be NULL. Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rw-r--r--src/include/intel-tss.h1
-rw-r--r--src/include/tpm2-common.h2
-rw-r--r--src/libcommon/tpm2-common.c50
-rw-r--r--src/tools/unseal_tpm2_data.c15
4 files changed, 34 insertions, 34 deletions
diff --git a/src/include/intel-tss.h b/src/include/intel-tss.h
index 47d5683..1cc18fe 100644
--- a/src/include/intel-tss.h
+++ b/src/include/intel-tss.h
@@ -81,6 +81,7 @@
#define TPM_RH_NULL ESYS_TR_NONE
#define TPM_HT_NV_INDEX TPM2_HT_NV_INDEX
+#define TPM_HT_POLICY_SESSION TPM2_HT_POLICY_SESSION
#define TPM_HT_PERMANENT TPM2_HT_PERMANENT
#define TPM_HT_TRANSIENT TPM2_HT_TRANSIENT
#define TPM_HT_PERSISTENT TPM2_HT_PERSISTENT
diff --git a/src/include/tpm2-common.h b/src/include/tpm2-common.h
index 29dcb40..8939ebc 100644
--- a/src/include/tpm2-common.h
+++ b/src/include/tpm2-common.h
@@ -62,7 +62,7 @@ TPM_RC tpm2_get_session_handle(TSS_CONTEXT *tssContext, TPM_HANDLE *handle,
TPM_HANDLE salt_key, TPM_SE sessionType,
TPM_ALG_ID name_alg);
TPM_RC tpm2_init_session(TSS_CONTEXT *tssContext, TPM_HANDLE handle,
- const struct app_data *app_data, TPM_ALG_ID name_alg);
+ const struct app_data *app_data, const char **auth);
TPM_RC tpm2_get_bound_handle(TSS_CONTEXT *tssContext, TPM_HANDLE *handle,
TPM_HANDLE bind, const char *auth);
TPMI_ECC_CURVE tpm2_curve_name_to_TPMI(const char *name);
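Review bot: The new `auth` out-parameter on the tpm2_init_session prototype carries a non-obvious contract that nothing at the declaration documents: whether `*auth` is always written, and what NULL means. A caller that only reads this header cannot tell that it must pass the returned value (not `app_data->auth`) to the subsequent TPM command. I would put a comment above the prototype along the lines of `/* On return *auth is the authorization string the caller must use for the main command: app_data->auth, or NULL if a policy (TPM2_PolicySecret) already consumed it. Set on every return, including the early-success paths. */`, which restates the rule the commit description gives.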
diff --git a/src/libcommon/tpm2-common.c b/src/libcommon/tpm2-common.c
index 11c4f88..030bd6a 100644
--- a/src/libcommon/tpm2-common.c
+++ b/src/libcommon/tpm2-common.c
@@ -475,6 +475,7 @@ int tpm2_rsa_decrypt(const struct app_data *ad, PUBLIC_KEY_RSA_2B *cipherText,
PUBLIC_KEY_RSA_2B message;
TPM_HANDLE authHandle;
TPM_SE sessionType;
+ const char *auth;
keyHandle = tpm2_load_key(&tssContext, ad, srk_auth, NULL);
@@ -505,15 +506,12 @@ int tpm2_rsa_decrypt(const struct app_data *ad, PUBLIC_KEY_RSA_2B *cipherText,
if (rc)
goto out;
- if (sessionType == TPM_SE_POLICY) {
- rc = tpm2_init_session(tssContext, authHandle,
- ad, ad->Public.publicArea.nameAlg);
- if (rc)
- goto out;
- }
+ rc = tpm2_init_session(tssContext, authHandle, ad, &auth);
+ if (rc)
+ goto out;
rc = tpm2_RSA_Decrypt(tssContext, keyHandle, cipherText, &inScheme,
- &message, authHandle, ad->auth, protection);
+ &message, authHandle, auth, protection);
if (rc) {
tpm2_error(rc, "TPM2_RSA_Decrypt");
@@ -543,6 +541,7 @@ ECDSA_SIG *tpm2_sign_ecc(const struct app_data *ad, const unsigned char *dgst,
TPM_SE sessionType;
ECDSA_SIG *sig;
BIGNUM *r, *s;
+ const char *auth;
int len = tpm2_curve_to_order(ad->Public.publicArea.parameters.eccDetail.curveID);
/* so we give it a digest equal to the key length, except if that
@@ -590,15 +589,12 @@ ECDSA_SIG *tpm2_sign_ecc(const struct app_data *ad, const unsigned char *dgst,
if (rc)
goto out;
- if (sessionType == TPM_SE_POLICY) {
- rc = tpm2_init_session(tssContext, authHandle,
- ad, ad->Public.publicArea.nameAlg);
- if (rc)
- goto out;
- }
+ rc = tpm2_init_session(tssContext, authHandle, ad, &auth);
+ if (rc)
+ goto out;
rc = tpm2_Sign(tssContext, keyHandle, &digest, &inScheme, &signature,
- authHandle, ad->auth);
+ authHandle, auth);
if (rc) {
tpm2_error(rc, "TPM2_Sign");
tpm2_flush_handle(tssContext, authHandle);
@@ -638,6 +634,7 @@ int tpm2_ecdh_x(struct app_data *ad, unsigned char **psec, size_t *pseclen,
TPM_SE sessionType;
size_t len;
int ret;
+ const char *auth;
keyHandle = tpm2_load_key(&tssContext, ad, srk_auth, NULL);
if (keyHandle == 0) {
@@ -654,12 +651,9 @@ int tpm2_ecdh_x(struct app_data *ad, unsigned char **psec, size_t *pseclen,
if (rc)
goto out;
- if (sessionType == TPM_SE_POLICY) {
- rc = tpm2_init_session(tssContext, authHandle,
- ad, ad->Public.publicArea.nameAlg);
- if (rc)
- goto out;
- }
+ rc = tpm2_init_session(tssContext, authHandle, ad, &auth);
+ if (rc)
+ goto out;
rc = tpm2_ECDH_ZGen(tssContext, keyHandle, inPoint, &outPoint,
authHandle, ad->auth);
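Review bot: The tpm2_ECDH_ZGen call on the last line of this hunk still passes `ad->auth`, while the call now obtains `auth` from tpm2_init_session and never uses it; the parallel hunks in tpm2_rsa_decrypt and tpm2_sign_ecc switched their command authorization to `auth`. As written, when a policy with TPM2_PolicySecret has consumed the authorization (so `auth` is NULL per the commit message), the ECDH path will still present `ad->auth` as the command authorization, which is exactly the double use the commit sets out to forbid and would presumably fail or behave differently from the RSA and Sign paths. The fix is the one-word change `authHandle, auth);` on the tpm2_ECDH_ZGen line. The enclosing function tpm2_ecdh_x continues outside the hunk.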
@@ -1034,7 +1028,8 @@ TPM_RC tpm2_get_session_handle(TSS_CONTEXT *tssContext, TPM_HANDLE *handle,
static TPM_RC tpm2_try_policy(TSS_CONTEXT *tssContext, TPM_HANDLE handle,
int num_commands, struct policy_command *commands,
- TPM_ALG_ID name_alg, const char *prefix)
+ TPM_ALG_ID name_alg, const char *prefix,
+ const struct app_data *ad, const char **auth)
{
INT32 size;
BYTE *policy;
@@ -1217,12 +1212,18 @@ static TPM_RC tpm2_try_policy(TSS_CONTEXT *tssContext, TPM_HANDLE handle,
}
TPM_RC tpm2_init_session(TSS_CONTEXT *tssContext, TPM_HANDLE handle,
- const struct app_data *app_data, TPM_ALG_ID name_alg)
+ const struct app_data *app_data, const char **auth)
{
int num_commands;
struct policy_command *commands;
char prefix[128];
TPM_RC rc;
+ TPM_ALG_ID name_alg = app_data->Public.publicArea.nameAlg;
+
+ *auth = app_data->auth;
+
+ if (!tpm2_handle_mso(tssContext, handle, TPM_HT_POLICY_SESSION))
+ return TPM_RC_SUCCESS;
if (app_data->pols == NULL)
return TPM_RC_SUCCESS;
@@ -1251,7 +1252,8 @@ TPM_RC tpm2_init_session(TSS_CONTEXT *tssContext, TPM_HANDLE handle,
rc = tpm2_try_policy(tssContext, handle,
pols->num_commands,
pols->commands,
- name_alg, prefix);
+ name_alg, prefix,
+ app_data, auth);
if (rc == TPM_RC_SUCCESS)
break;
}
@@ -1262,7 +1264,7 @@ TPM_RC tpm2_init_session(TSS_CONTEXT *tssContext, TPM_HANDLE handle,
}
rc = tpm2_try_policy(tssContext, handle, num_commands, commands,
- name_alg, "");
+ name_alg, "", app_data, auth);
out:
if (rc != TPM_RC_SUCCESS)
tpm2_flush_handle(tssContext, handle);
diff --git a/src/tools/unseal_tpm2_data.c b/src/tools/unseal_tpm2_data.c
index bde3d3b..8027cbf 100644
--- a/src/tools/unseal_tpm2_data.c
+++ b/src/tools/unseal_tpm2_data.c
@@ -73,6 +73,7 @@ int main(int argc, char **argv)
uint32_t parent, session;
UI_METHOD *ui = UI_create_method("unseal");
struct app_data *app_data;
+ const char *auth;
while (1) {
option_index = 0;
@@ -156,17 +157,13 @@ int main(int argc, char **argv)
goto out_flush_data;
}
- if (app_data->req_policy_session) {
- rc = tpm2_init_session(tssContext, session,
- app_data, name_alg);
- if (rc) {
- reason = "tpm2_init_session";
- goto out_flush_session;
- }
+ rc = tpm2_init_session(tssContext, session, app_data, &auth);
+ if (rc) {
+ reason = "tpm2_init_session";
+ goto out_flush_session;
}
- rc = tpm2_Unseal(tssContext, itemHandle, &outData, session,
- app_data->auth);
+ rc = tpm2_Unseal(tssContext, itemHandle, &outData, session, auth);
if (rc) {
reason = "TPM2_Unseal";
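Review bot: The removed `if (app_data->req_policy_session)` guard was the only visible consumer of the `name_alg` local in main(), and the new tpm2_init_session call no longer takes it; if `name_alg` is not used elsewhere in main (its computation is outside this hunk, so I cannot confirm), it is now a dead local that will trip -Wunused-variable and should be dropped together with whatever computed it. The unconditional call itself looks right, since tpm2_init_session now checks the handle type and returns early for non-policy sessions. main() begins and ends outside the hunk.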