esys: remove trailing zeros in auth value.

When TPM Calulates the HMAC trailing zeros are rmoved. Therfore the trailing zeros are removed in Esys_TR_SetAuth, Esys_Create, Esys_CreateLoded, Esys_NV_DefineSpace, and Esys_CreatePrimary. The removing is added to the function iesys_hash_long_auth_value. Therefore this function is renamed to iesys_adapt_auth_value. An integration test which uses trailing zeros in auth values is added. Fixes: tpm2-software#2664 Signed-off-by: Juergen Repp <[email protected]>
JuergenReppSIT · Jul 22, 2023 · 6a6bcce · 6a6bcce
1 parent dcec28b
commit 6a6bcce
Show file tree

Hide file tree

Showing 9 changed files with 424 additions and 29 deletions.
diff --git a/Makefile-test.am b/Makefile-test.am
@@ -254,6 +254,7 @@ ESYS_TESTS_INTEGRATION_MANDATORY = \
     test/integration/esys-certify-creation.int \
     test/integration/esys-certifyX509.int \
     test/integration/esys-certify.int \
+    test/integration/esys-check-auth-with-trailing-zero.int \
     test/integration/esys-clear-control.int \
     test/integration/esys-clockset.int \
     test/integration/esys-clockset-audit.int \
@@ -1272,6 +1273,13 @@ test_integration_esys_change_eps_int_SOURCES = \
     test/integration/esys-change-eps.int.c \
     test/integration/main-esys.c test/integration/test-esys.h
 
+test_integration_esys_check_auth_with_trailing_zero_int_CFLAGS  = $(TESTS_CFLAGS)
+test_integration_esys_check_auth_with_trailing_zero_int_LDADD   = $(TESTS_LDADD)
+test_integration_esys_check_auth_with_trailing_zero_int_LDFLAGS = $(TESTS_LDFLAGS)
+test_integration_esys_check_auth_with_trailing_zero_int_SOURCES = \
+    test/integration/esys-check-auth-with-trailing-zero.int.c \
+    test/integration/main-esys.c test/integration/test-esys.h
+
 test_integration_esys_clear_int_CFLAGS  = $(TESTS_CFLAGS)
 test_integration_esys_clear_int_LDADD   = $(TESTS_LDADD)
 test_integration_esys_clear_int_LDFLAGS = $(TESTS_LDFLAGS)

diff --git a/src/tss2-esys/api/Esys_Create.c b/src/tss2-esys/api/Esys_Create.c
@@ -206,10 +206,10 @@ Esys_Create_Async(
 
     store_input_parameters (esysContext, inSensitive);
     if (inPublic) {
-        r = iesys_hash_long_auth_values(
+        r = iesys_adapt_auth_value(
                 &esysContext->crypto_backend,
-           &esysContext->in.Create.inSensitive->sensitive.userAuth,
-            inPublic->publicArea.nameAlg);
+                &esysContext->in.Create.inSensitive->sensitive.userAuth,
+                inPublic->publicArea.nameAlg);
         return_state_if_error(r, _ESYS_STATE_INIT, "Adapt auth value.");
     }
 

diff --git a/src/tss2-esys/api/Esys_CreateLoaded.c b/src/tss2-esys/api/Esys_CreateLoaded.c
@@ -203,7 +203,7 @@ Esys_CreateLoaded_Async(
                                           &publicArea);
         return_if_error(r, "Unmarshalling inPublic failed");
 
-        r = iesys_hash_long_auth_values(
+        r = iesys_adapt_auth_value(
             &esysContext->crypto_backend,
             &esysContext->in.CreateLoaded.inSensitive->sensitive.userAuth,
              publicArea.nameAlg);

diff --git a/src/tss2-esys/api/Esys_CreatePrimary.c b/src/tss2-esys/api/Esys_CreatePrimary.c
@@ -208,7 +208,7 @@ Esys_CreatePrimary_Async(
     return_state_if_error(r, _ESYS_STATE_INIT, "Check session usage");
     store_input_parameters (esysContext, inSensitive);
     if (inPublic) {
-        r = iesys_hash_long_auth_values(
+        r = iesys_adapt_auth_value(
             &esysContext->crypto_backend,
             &esysContext->in.CreatePrimary.inSensitive->sensitive.userAuth,
              inPublic->publicArea.nameAlg);

diff --git a/src/tss2-esys/api/Esys_NV_DefineSpace.c b/src/tss2-esys/api/Esys_NV_DefineSpace.c
@@ -200,9 +200,9 @@ Esys_NV_DefineSpace_Async(
     store_input_parameters(esysContext, auth, publicInfo);
 
     if (publicInfo) {
-        r = iesys_hash_long_auth_values(&esysContext->crypto_backend,
-                                        &esysContext->in.NV.authData,
-                                        publicInfo->nvPublic.nameAlg);
+        r = iesys_adapt_auth_value(&esysContext->crypto_backend,
+                                   &esysContext->in.NV.authData,
+                                   publicInfo->nvPublic.nameAlg);
         return_state_if_error(r, _ESYS_STATE_INIT, "Adapt auth value.");
     }
 

diff --git a/src/tss2-esys/esys_iutil.c b/src/tss2-esys/esys_iutil.c
@@ -1653,11 +1653,28 @@ iesys_tpm_error(TSS2_RC r)
              (r & TSS2_RC_LAYER_MASK) == TSS2_RESMGR_RC_LAYER));
 }
 
+/** Remove trailing spaces includes auth value.
+ *
+ * Trailing zeros will be removed.
+ *
+ * @param[in,out] auth_value The auth value to be adapted.
+ */
+void iesys_strip_trailing_zeros(TPM2B_DIGEST *digest)
+{
+    /* Remove trailing zeroes */
+    if (digest) {
+        while (digest->size > 0 &&
+               digest->buffer[digest->size - 1] == 0) {
+            digest->size--;
+        }
+    }
+}
 
-/** Replace auth value with Hash for long auth values.
+/** Adapt auth value.
  *
  * if the size of auth value exceeds hash_size the auth value
  * will be replaced with the hash of the auth value.
+ * Trailing zeros will be removed.
  *
  * @param[in,out] auth_value The auth value to be adapted.
  * @param[in] hash_alg The hash alg used for adaption.
@@ -1668,37 +1685,46 @@ iesys_tpm_error(TSS2_RC r)
  *         computation.
  */
 TSS2_RC
-iesys_hash_long_auth_values(
+iesys_adapt_auth_value(
     ESYS_CRYPTO_CALLBACKS *crypto_cb,
     TPM2B_AUTH *auth_value,
     TPMI_ALG_HASH hash_alg)
 {
-    TSS2_RC r;
+    TSS2_RC r = TSS2_RC_SUCCESS;
     ESYS_CRYPTO_CONTEXT_BLOB *cryptoContext;
     TPM2B_AUTH hash2b;
     size_t hash_size;
 
-    r = iesys_crypto_hash_get_digest_size(hash_alg, &hash_size);
-    return_if_error(r, "Get digest size.");
+    /* Remove trailing zeroes */
+    iesys_strip_trailing_zeros(auth_value);
+
+    if (hash_alg) {
+        r = iesys_crypto_hash_get_digest_size(hash_alg, &hash_size);
+        return_if_error(r, "Get digest size.");
 
-    if (auth_value && auth_value->size > hash_size) {
-        /* The auth value has to be adapted. */
-        r = iesys_crypto_hash_start(crypto_cb,
-                &cryptoContext, hash_alg);
-        return_if_error(r, "crypto hash start");
+        if (auth_value && auth_value->size > hash_size) {
+            /* The auth value has to be adapted. */
+            r = iesys_crypto_hash_start(crypto_cb,
+                     &cryptoContext, hash_alg);
+            return_if_error(r, "crypto hash start");
 
-        r = iesys_crypto_hash_update(crypto_cb,
-                cryptoContext, &auth_value->buffer[0],
-                auth_value->size);
-        goto_if_error(r, "crypto hash update", error_cleanup);
+            r = iesys_crypto_hash_update(crypto_cb,
+                    cryptoContext, &auth_value->buffer[0],
+                    auth_value->size);
+            goto_if_error(r, "crypto hash update", error_cleanup);
 
-        r = iesys_crypto_hash_finish(crypto_cb,
-                &cryptoContext, &hash2b.buffer[0], &hash_size);
-        goto_if_error(r, "crypto hash finish", error_cleanup);
+            r = iesys_crypto_hash_finish(crypto_cb,
+                    &cryptoContext, &hash2b.buffer[0], &hash_size);
+            goto_if_error(r, "crypto hash finish", error_cleanup);
 
-        memcpy(&auth_value->buffer[0], &hash2b.buffer[0], hash_size);
-        auth_value->size = hash_size;
+            memcpy(&auth_value->buffer[0], &hash2b.buffer[0], hash_size);
+            auth_value->size = hash_size;
+
+            /* Remove trailing zeroes */
+            iesys_strip_trailing_zeros(auth_value);
+        }
     }
+
     return r;
 
  error_cleanup:

diff --git a/src/tss2-esys/esys_iutil.h b/src/tss2-esys/esys_iutil.h
@@ -171,11 +171,14 @@ TSS2_RC iesys_get_name(
 bool iesys_tpm_error(
     TSS2_RC r);
 
-TSS2_RC iesys_hash_long_auth_values(
+TSS2_RC iesys_adapt_auth_value(
     ESYS_CRYPTO_CALLBACKS *crypto_cb,
     TPM2B_AUTH *auth_value,
     TPMI_ALG_HASH hash_alg);
 
+void iesys_strip_trailing_zeros(
+    TPM2B_AUTH *auth_value);
+
 #ifdef __cplusplus
 } /* extern "C" */
 #endif

diff --git a/src/tss2-esys/esys_tr.c b/src/tss2-esys/esys_tr.c
@@ -481,12 +481,18 @@ Esys_TR_SetAuth(ESYS_CONTEXT * esys_context, ESYS_TR esys_handle,
             name_alg = esys_object->rsrc.misc.rsrc_nv_pub.nvPublic.nameAlg;
         }
         esys_object->auth = *authValue;
+
         /* Adapt auth value to hash for large auth values. */
         if (name_alg != TPM2_ALG_NULL) {
-            r = iesys_hash_long_auth_values(&esys_context->crypto_backend,
+            r = iesys_adapt_auth_value(&esys_context->crypto_backend,
                     &esys_object->auth, name_alg);
             return_if_error(r, "Hashing overlength authValue failed.");
         }
+        /* Remove trailing zeroes */
+        while (esys_object->auth.size > 0 &&
+               esys_object->auth.buffer[esys_object->auth.size - 1] == 0) {
+            esys_object->auth.size--;
+        }
     }
     return TSS2_RC_SUCCESS;
 }