esys: fix auth value handling in ChangeAuth programs.

* The trailing zeros are now removed in this programs. * The new auth value now is stored in objects where the auth value is changed with Esys_ObjectChangeAuth Signed-off-by: Juergen Repp <[email protected]>
JuergenReppSIT · Jul 24, 2023 · abe6369 · abe6369
1 parent e9d7ebe
commit abe6369
Show file tree

Hide file tree

Showing 5 changed files with 57 additions and 1 deletion.
diff --git a/src/tss2-esys/api/Esys_HierarchyChangeAuth.c b/src/tss2-esys/api/Esys_HierarchyChangeAuth.c
@@ -175,7 +175,9 @@ Esys_HierarchyChangeAuth_Async(
     /* Check input parameters */
     r = check_session_feasibility(shandle1, shandle2, shandle3, 1);
     return_state_if_error(r, _ESYS_STATE_INIT, "Check session usage");
+
     store_input_parameters(esysContext, authHandle, newAuth);
+    iesys_strip_trailing_zeros(&esysContext->in.HierarchyChangeAuth.newAuth);
 
     /* Retrieve the metadata objects for provided handles */
     r = esys_GetResourceObject(esysContext, authHandle, &authHandleNode);

diff --git a/src/tss2-esys/api/Esys_NV_ChangeAuth.c b/src/tss2-esys/api/Esys_NV_ChangeAuth.c
@@ -159,6 +159,8 @@ Esys_NV_ChangeAuth_Async(
               esysContext, nvIndex, newAuth);
     TSS2L_SYS_AUTH_COMMAND auths;
     RSRC_NODE_T *nvIndexNode;
+    TPM2B_AUTH *authCopy;
+    TPMI_ALG_HASH hashAlg;
 
     /* Check context, sequence correctness and set state to error for now */
     if (esysContext == NULL) {
@@ -174,10 +176,14 @@ Esys_NV_ChangeAuth_Async(
     r = check_session_feasibility(shandle1, shandle2, shandle3, 1);
     return_state_if_error(r, _ESYS_STATE_INIT, "Check session usage");
     store_input_parameters(esysContext, nvIndex, newAuth);
+    authCopy = &esysContext->in.HierarchyChangeAuth.newAuth;
 
     /* Retrieve the metadata objects for provided handles */
     r = esys_GetResourceObject(esysContext, nvIndex, &nvIndexNode);
     return_state_if_error(r, _ESYS_STATE_INIT, "nvIndex unknown.");
+    hashAlg = nvIndexNode->rsrc.misc.rsrc_nv_pub.nvPublic.nameAlg;
+    r = iesys_adapt_auth_value(&esysContext->crypto_backend, authCopy, hashAlg);
+    return_state_if_error(r, _ESYS_STATE_INIT, "Adapt auth value");
 
     /* Initial invocation of SAPI to prepare the command buffer with parameters */
     r = Tss2_Sys_NV_ChangeAuth_Prepare(esysContext->sys,

diff --git a/src/tss2-esys/api/Esys_ObjectChangeAuth.c b/src/tss2-esys/api/Esys_ObjectChangeAuth.c
@@ -19,6 +19,20 @@
 #include "util/log.h"
 #include "util/aux_util.h"
 
+/** Store command parameters inside the ESYS_CONTEXT for use during _Finish */
+static void store_input_parameters (
+    ESYS_CONTEXT *esysContext,
+    ESYS_TR authHandle,
+    const TPM2B_AUTH *newAuth)
+{
+    esysContext->in.ObjectChangeAuth.authHandle = authHandle;
+    if (newAuth == NULL)
+        memset(&esysContext->in.ObjectChangeAuth.newAuth, 0,
+                sizeof(esysContext->in.ObjectChangeAuth.newAuth));
+    else
+        esysContext->in.ObjectChangeAuth.newAuth = *newAuth;
+}
+
 /** One-Call function for TPM2_ObjectChangeAuth
  *
  * This function invokes the TPM2_ObjectChangeAuth command in a one-call
@@ -148,6 +162,8 @@ Esys_ObjectChangeAuth_Async(
     TSS2L_SYS_AUTH_COMMAND auths;
     RSRC_NODE_T *objectHandleNode;
     RSRC_NODE_T *parentHandleNode;
+    TPM2B_AUTH *authCopy;
+    TPMI_ALG_HASH hashAlg = 0;
 
     /* Check context, sequence correctness and set state to error for now */
     if (esysContext == NULL) {
@@ -163,12 +179,22 @@ Esys_ObjectChangeAuth_Async(
     r = check_session_feasibility(shandle1, shandle2, shandle3, 1);
     return_state_if_error(r, _ESYS_STATE_INIT, "Check session usage");
 
+    store_input_parameters(esysContext, objectHandle, newAuth);
+
     /* Retrieve the metadata objects for provided handles */
     r = esys_GetResourceObject(esysContext, objectHandle, &objectHandleNode);
     return_state_if_error(r, _ESYS_STATE_INIT, "objectHandle unknown.");
     r = esys_GetResourceObject(esysContext, parentHandle, &parentHandleNode);
     return_state_if_error(r, _ESYS_STATE_INIT, "parentHandle unknown.");
 
+    if (objectHandleNode->rsrc.rsrcType == IESYSC_KEY_RSRC) {
+        hashAlg = objectHandleNode->rsrc.misc.rsrc_key_pub.publicArea.nameAlg;
+    }
+
+    authCopy = &esysContext->in.ObjectChangeAuth.newAuth;
+    r = iesys_adapt_auth_value(&esysContext->crypto_backend, authCopy, hashAlg);
+    return_state_if_error(r, _ESYS_STATE_INIT, "Adapt auth value");
+
     /* Initial invocation of SAPI to prepare the command buffer with parameters */
     r = Tss2_Sys_ObjectChangeAuth_Prepare(esysContext->sys,
                                           (objectHandleNode == NULL)
@@ -177,7 +203,7 @@ Esys_ObjectChangeAuth_Async(
                                           (parentHandleNode == NULL)
                                            ? TPM2_RH_NULL
                                            : parentHandleNode->rsrc.handle,
-                                          newAuth);
+                                          authCopy);
     return_state_if_error(r, _ESYS_STATE_INIT, "SAPI Prepare returned error.");
 
     /* Calculate the cpHash Values */
@@ -247,6 +273,8 @@ Esys_ObjectChangeAuth_Finish(
     ESYS_CONTEXT *esysContext,
     TPM2B_PRIVATE **outPrivate)
 {
+    ESYS_TR authHandle;
+    RSRC_NODE_T *authHandleNode;
     TSS2_RC r;
     LOG_TRACE("context=%p, outPrivate=%p",
               esysContext, outPrivate);
@@ -312,6 +340,14 @@ Esys_ObjectChangeAuth_Finish(
         goto error_cleanup;
     }
 
+    /*
+     * Store the new auth value in the object.
+     */
+    authHandle = esysContext->in.ObjectChangeAuth.authHandle;
+    r = esys_GetResourceObject(esysContext, authHandle, &authHandleNode);
+    return_if_error(r, "get resource");
+
+    authHandleNode->auth = esysContext->in.ObjectChangeAuth.newAuth;
     /*
      * Now the verification of the response (hmac check) and if necessary the
      * parameter decryption have to be done.

diff --git a/src/tss2-esys/esys_int.h b/src/tss2-esys/esys_int.h
@@ -90,6 +90,12 @@ typedef struct {
     TPM2B_AUTH newAuth;
 } HierarchyChangeAuth_IN;
 
+typedef struct {
+    ESYS_TR authHandle;
+    TPM2B_AUTH newAuth;
+} ObjectChangeAuth_IN;
+
+
 typedef struct {
     ESYS_TR sequenceHandle;
 } SequenceComplete_IN;
@@ -132,6 +138,7 @@ typedef union {
     HMAC_Start_IN HMAC_Start;
     MAC_Start_IN MAC_Start;
     HierarchyChangeAuth_IN HierarchyChangeAuth;
+    ObjectChangeAuth_IN ObjectChangeAuth;
     SequenceComplete_IN SequenceComplete;
     Policy_IN Policy;
     NV_IN NV;

diff --git a/src/tss2-esys/esys_tr.c b/src/tss2-esys/esys_tr.c
@@ -479,6 +479,8 @@ Esys_TR_SetAuth(ESYS_CONTEXT * esys_context, ESYS_TR esys_handle,
             name_alg = esys_object->rsrc.misc.rsrc_key_pub.publicArea.nameAlg;
         } else if (esys_object->rsrc.rsrcType == IESYSC_NV_RSRC) {
             name_alg = esys_object->rsrc.misc.rsrc_nv_pub.nvPublic.nameAlg;
+        } else {
+            name_alg = TPM2_ALG_NULL;
         }
         esys_object->auth = *authValue;
 
@@ -487,7 +489,10 @@ Esys_TR_SetAuth(ESYS_CONTEXT * esys_context, ESYS_TR esys_handle,
             r = iesys_adapt_auth_value(&esys_context->crypto_backend,
                     &esys_object->auth, name_alg);
             return_if_error(r, "Hashing overlength authValue failed.");
+        } else {
+            iesys_strip_trailing_zeros(&esys_object->auth);
         }
+
         /* Remove trailing zeroes */
         while (esys_object->auth.size > 0 &&
                esys_object->auth.buffer[esys_object->auth.size - 1] == 0) {