esys: fix auth value handling in ChangeAuth programs.

* The trailing zeros are now removed in these programs. * The new auth value now is stored in objects where the auth value is changed with Esys_ObjectChangeAuth. * the integration test which checkd trailing zeros is extend. Signed-off-by: Juergen Repp <[email protected]>
JuergenReppSIT · Aug 15, 2023 · 0f4e2c8 · 0f4e2c8
1 parent 6b0dc5a
commit 0f4e2c8
Show file tree

Hide file tree

Showing 4 changed files with 439 additions and 5 deletions.
diff --git a/src/tss2-esys/api/Esys_HierarchyChangeAuth.c b/src/tss2-esys/api/Esys_HierarchyChangeAuth.c
@@ -26,11 +26,13 @@ static void store_input_parameters (
     const TPM2B_AUTH *newAuth)
 {
     esysContext->in.HierarchyChangeAuth.authHandle = authHandle;
-    if (newAuth == NULL)
+    if (newAuth == NULL) {
         memset(&esysContext->in.HierarchyChangeAuth.newAuth, 0,
                 sizeof(esysContext->in.HierarchyChangeAuth.newAuth));
-    else
+    } else {
         esysContext->in.HierarchyChangeAuth.newAuth = *newAuth;
+        iesys_strip_trailing_zeros(&esysContext->in.HierarchyChangeAuth.newAuth);
+    }
 }
 
 /** One-Call function for TPM2_HierarchyChangeAuth
@@ -175,7 +177,9 @@ Esys_HierarchyChangeAuth_Async(
     /* Check input parameters */
     r = check_session_feasibility(shandle1, shandle2, shandle3, 1);
     return_state_if_error(r, _ESYS_STATE_INIT, "Check session usage");
+
     store_input_parameters(esysContext, authHandle, newAuth);
+    iesys_strip_trailing_zeros(&esysContext->in.HierarchyChangeAuth.newAuth);
 
     /* Retrieve the metadata objects for provided handles */
     r = esys_GetResourceObject(esysContext, authHandle, &authHandleNode);
@@ -186,7 +190,7 @@ Esys_HierarchyChangeAuth_Async(
                                              (authHandleNode == NULL)
                                               ? TPM2_RH_NULL
                                               : authHandleNode->rsrc.handle,
-                                             newAuth);
+                                             &esysContext->in.HierarchyChangeAuth.newAuth);
     return_state_if_error(r, _ESYS_STATE_INIT, "SAPI Prepare returned error.");
 
     /* Calculate the cpHash Values */

diff --git a/src/tss2-esys/api/Esys_NV_ChangeAuth.c b/src/tss2-esys/api/Esys_NV_ChangeAuth.c
@@ -159,6 +159,8 @@ Esys_NV_ChangeAuth_Async(
               esysContext, nvIndex, newAuth);
     TSS2L_SYS_AUTH_COMMAND auths;
     RSRC_NODE_T *nvIndexNode;
+    TPM2B_AUTH *authCopy;
+    TPMI_ALG_HASH hashAlg;
 
     /* Check context, sequence correctness and set state to error for now */
     if (esysContext == NULL) {
@@ -174,10 +176,14 @@ Esys_NV_ChangeAuth_Async(
     r = check_session_feasibility(shandle1, shandle2, shandle3, 1);
     return_state_if_error(r, _ESYS_STATE_INIT, "Check session usage");
     store_input_parameters(esysContext, nvIndex, newAuth);
+    authCopy = &esysContext->in.HierarchyChangeAuth.newAuth;
 
     /* Retrieve the metadata objects for provided handles */
     r = esys_GetResourceObject(esysContext, nvIndex, &nvIndexNode);
     return_state_if_error(r, _ESYS_STATE_INIT, "nvIndex unknown.");
+    hashAlg = nvIndexNode->rsrc.misc.rsrc_nv_pub.nvPublic.nameAlg;
+    r = iesys_adapt_auth_value(&esysContext->crypto_backend, authCopy, hashAlg);
+    return_state_if_error(r, _ESYS_STATE_INIT, "Adapt auth value");
 
     /* Initial invocation of SAPI to prepare the command buffer with parameters */
     r = Tss2_Sys_NV_ChangeAuth_Prepare(esysContext->sys,

diff --git a/src/tss2-esys/api/Esys_ObjectChangeAuth.c b/src/tss2-esys/api/Esys_ObjectChangeAuth.c
@@ -148,6 +148,11 @@ Esys_ObjectChangeAuth_Async(
     TSS2L_SYS_AUTH_COMMAND auths;
     RSRC_NODE_T *objectHandleNode;
     RSRC_NODE_T *parentHandleNode;
+    TPM2B_AUTH authCopy =
+        { .size = 0,
+          .buffer = {}
+        };
+    TPMI_ALG_HASH hashAlg = 0;
 
     /* Check context, sequence correctness and set state to error for now */
     if (esysContext == NULL) {
@@ -169,6 +174,17 @@ Esys_ObjectChangeAuth_Async(
     r = esys_GetResourceObject(esysContext, parentHandle, &parentHandleNode);
     return_state_if_error(r, _ESYS_STATE_INIT, "parentHandle unknown.");
 
+    if (objectHandleNode->rsrc.rsrcType == IESYSC_KEY_RSRC) {
+        hashAlg = objectHandleNode->rsrc.misc.rsrc_key_pub.publicArea.nameAlg;
+    }
+
+    if (newAuth) {
+        authCopy = *newAuth;
+    };
+
+    r = iesys_adapt_auth_value(&esysContext->crypto_backend, &authCopy, hashAlg);
+    return_state_if_error(r, _ESYS_STATE_INIT, "Adapt auth value");
+
     /* Initial invocation of SAPI to prepare the command buffer with parameters */
     r = Tss2_Sys_ObjectChangeAuth_Prepare(esysContext->sys,
                                           (objectHandleNode == NULL)
@@ -177,7 +193,7 @@ Esys_ObjectChangeAuth_Async(
                                           (parentHandleNode == NULL)
                                            ? TPM2_RH_NULL
                                            : parentHandleNode->rsrc.handle,
-                                          newAuth);
+                                          &authCopy);
     return_state_if_error(r, _ESYS_STATE_INIT, "SAPI Prepare returned error.");
 
     /* Calculate the cpHash Values */