esys: remove trailing zeros in auth value

When TPM Calulates the HMAC trailing zeros are rmoved. Therfore the trailing zeros are removed in Esys_TR_SetAuth, Esys_Create, Esys_CreateLoded, Esys_NV_DefineSpace, and Esys_CreatePrimary. The removing is added to the function iesys_hash_long_auth_value. Therefore this function is renamed to iesys_adapt_auth_value. An integration test which uses trailing zeros in auth values is added. The auth value handling in ChangeAuth programs is fixed: * The trailing zeros are now removed in these programs. * The new auth value now is stored in objects where the auth value is changed with Esys_ObjectChangeAuth. * the integration test which checkd trailing zeros is extend. Fixes: tpm2-software#2664 Signed-off-by: Juergen Repp <juergen_repp@web.de>
JuergenReppSIT · Dec 13, 2023 · d103e84 · d103e84
1 parent fe83020
commit d103e84
Show file tree

Hide file tree

Showing 12 changed files with 781 additions and 34 deletions.
diff --git a/Makefile-test.am b/Makefile-test.am
@@ -254,6 +254,7 @@ ESYS_TESTS_INTEGRATION_MANDATORY = \
     test/integration/esys-certify-creation.int \
     test/integration/esys-certifyX509.int \
     test/integration/esys-certify.int \
+    test/integration/esys-check-auth-with-trailing-zero.int \
     test/integration/esys-clear-control.int \
     test/integration/esys-clockset.int \
     test/integration/esys-clockset-audit.int \
@@ -1272,6 +1273,13 @@ test_integration_esys_change_eps_int_SOURCES = \
     test/integration/esys-change-eps.int.c \
     test/integration/main-esys.c test/integration/test-esys.h
 
+test_integration_esys_check_auth_with_trailing_zero_int_CFLAGS  = $(TESTS_CFLAGS)
+test_integration_esys_check_auth_with_trailing_zero_int_LDADD   = $(TESTS_LDADD)
+test_integration_esys_check_auth_with_trailing_zero_int_LDFLAGS = $(TESTS_LDFLAGS)
+test_integration_esys_check_auth_with_trailing_zero_int_SOURCES = \
+    test/integration/esys-check-auth-with-trailing-zero.int.c \
+    test/integration/main-esys.c test/integration/test-esys.h
+
 test_integration_esys_clear_int_CFLAGS  = $(TESTS_CFLAGS)
 test_integration_esys_clear_int_LDADD   = $(TESTS_LDADD)
 test_integration_esys_clear_int_LDFLAGS = $(TESTS_LDFLAGS)

diff --git a/src/tss2-esys/api/Esys_Create.c b/src/tss2-esys/api/Esys_Create.c
@@ -206,10 +206,10 @@ Esys_Create_Async(
 
     store_input_parameters (esysContext, inSensitive);
     if (inPublic) {
-        r = iesys_hash_long_auth_values(
+        r = iesys_adapt_auth_value(
                 &esysContext->crypto_backend,
-           &esysContext->in.Create.inSensitive->sensitive.userAuth,
-            inPublic->publicArea.nameAlg);
+                &esysContext->in.Create.inSensitive->sensitive.userAuth,
+                inPublic->publicArea.nameAlg);
         return_state_if_error(r, _ESYS_STATE_INIT, "Adapt auth value.");
     }
 

diff --git a/src/tss2-esys/api/Esys_CreateLoaded.c b/src/tss2-esys/api/Esys_CreateLoaded.c
@@ -203,7 +203,7 @@ Esys_CreateLoaded_Async(
                                           &publicArea);
         return_if_error(r, "Unmarshalling inPublic failed");
 
-        r = iesys_hash_long_auth_values(
+        r = iesys_adapt_auth_value(
             &esysContext->crypto_backend,
             &esysContext->in.CreateLoaded.inSensitive->sensitive.userAuth,
              publicArea.nameAlg);

diff --git a/src/tss2-esys/api/Esys_CreatePrimary.c b/src/tss2-esys/api/Esys_CreatePrimary.c
@@ -208,7 +208,7 @@ Esys_CreatePrimary_Async(
     return_state_if_error(r, _ESYS_STATE_INIT, "Check session usage");
     store_input_parameters (esysContext, inSensitive);
     if (inPublic) {
-        r = iesys_hash_long_auth_values(
+        r = iesys_adapt_auth_value(
             &esysContext->crypto_backend,
             &esysContext->in.CreatePrimary.inSensitive->sensitive.userAuth,
              inPublic->publicArea.nameAlg);

diff --git a/src/tss2-esys/api/Esys_HierarchyChangeAuth.c b/src/tss2-esys/api/Esys_HierarchyChangeAuth.c
@@ -26,11 +26,13 @@ static void store_input_parameters (
     const TPM2B_AUTH *newAuth)
 {
     esysContext->in.HierarchyChangeAuth.authHandle = authHandle;
-    if (newAuth == NULL)
+    if (newAuth == NULL) {
         memset(&esysContext->in.HierarchyChangeAuth.newAuth, 0,
                 sizeof(esysContext->in.HierarchyChangeAuth.newAuth));
-    else
+    } else {
         esysContext->in.HierarchyChangeAuth.newAuth = *newAuth;
+        iesys_strip_trailing_zeros(&esysContext->in.HierarchyChangeAuth.newAuth);
+    }
 }
 
 /** One-Call function for TPM2_HierarchyChangeAuth
@@ -175,7 +177,9 @@ Esys_HierarchyChangeAuth_Async(
     /* Check input parameters */
     r = check_session_feasibility(shandle1, shandle2, shandle3, 1);
     return_state_if_error(r, _ESYS_STATE_INIT, "Check session usage");
+
     store_input_parameters(esysContext, authHandle, newAuth);
+    iesys_strip_trailing_zeros(&esysContext->in.HierarchyChangeAuth.newAuth);
 
     /* Retrieve the metadata objects for provided handles */
     r = esys_GetResourceObject(esysContext, authHandle, &authHandleNode);
@@ -186,7 +190,7 @@ Esys_HierarchyChangeAuth_Async(
                                              (authHandleNode == NULL)
                                               ? TPM2_RH_NULL
                                               : authHandleNode->rsrc.handle,
-                                             newAuth);
+                                             &esysContext->in.HierarchyChangeAuth.newAuth);
     return_state_if_error(r, _ESYS_STATE_INIT, "SAPI Prepare returned error.");
 
     /* Calculate the cpHash Values */

diff --git a/src/tss2-esys/api/Esys_NV_ChangeAuth.c b/src/tss2-esys/api/Esys_NV_ChangeAuth.c
@@ -159,6 +159,8 @@ Esys_NV_ChangeAuth_Async(
               esysContext, nvIndex, newAuth);
     TSS2L_SYS_AUTH_COMMAND auths;
     RSRC_NODE_T *nvIndexNode;
+    TPM2B_AUTH *authCopy;
+    TPMI_ALG_HASH hashAlg;
 
     /* Check context, sequence correctness and set state to error for now */
     if (esysContext == NULL) {
@@ -174,10 +176,14 @@ Esys_NV_ChangeAuth_Async(
     r = check_session_feasibility(shandle1, shandle2, shandle3, 1);
     return_state_if_error(r, _ESYS_STATE_INIT, "Check session usage");
     store_input_parameters(esysContext, nvIndex, newAuth);
+    authCopy = &esysContext->in.HierarchyChangeAuth.newAuth;
 
     /* Retrieve the metadata objects for provided handles */
     r = esys_GetResourceObject(esysContext, nvIndex, &nvIndexNode);
     return_state_if_error(r, _ESYS_STATE_INIT, "nvIndex unknown.");
+    hashAlg = nvIndexNode->rsrc.misc.rsrc_nv_pub.nvPublic.nameAlg;
+    r = iesys_adapt_auth_value(&esysContext->crypto_backend, authCopy, hashAlg);
+    return_state_if_error(r, _ESYS_STATE_INIT, "Adapt auth value");
 
     /* Initial invocation of SAPI to prepare the command buffer with parameters */
     r = Tss2_Sys_NV_ChangeAuth_Prepare(esysContext->sys,

diff --git a/src/tss2-esys/api/Esys_NV_DefineSpace.c b/src/tss2-esys/api/Esys_NV_DefineSpace.c
@@ -200,9 +200,9 @@ Esys_NV_DefineSpace_Async(
     store_input_parameters(esysContext, auth, publicInfo);
 
     if (publicInfo) {
-        r = iesys_hash_long_auth_values(&esysContext->crypto_backend,
-                                        &esysContext->in.NV.authData,
-                                        publicInfo->nvPublic.nameAlg);
+        r = iesys_adapt_auth_value(&esysContext->crypto_backend,
+                                   &esysContext->in.NV.authData,
+                                   publicInfo->nvPublic.nameAlg);
         return_state_if_error(r, _ESYS_STATE_INIT, "Adapt auth value.");
     }
 

diff --git a/src/tss2-esys/api/Esys_ObjectChangeAuth.c b/src/tss2-esys/api/Esys_ObjectChangeAuth.c
@@ -148,6 +148,11 @@ Esys_ObjectChangeAuth_Async(
     TSS2L_SYS_AUTH_COMMAND auths;
     RSRC_NODE_T *objectHandleNode;
     RSRC_NODE_T *parentHandleNode;
+    TPM2B_AUTH authCopy =
+        { .size = 0,
+          .buffer = {}
+        };
+    TPMI_ALG_HASH hashAlg = 0;
 
     /* Check context, sequence correctness and set state to error for now */
     if (esysContext == NULL) {
@@ -169,6 +174,17 @@ Esys_ObjectChangeAuth_Async(
     r = esys_GetResourceObject(esysContext, parentHandle, &parentHandleNode);
     return_state_if_error(r, _ESYS_STATE_INIT, "parentHandle unknown.");
 
+    if (objectHandleNode->rsrc.rsrcType == IESYSC_KEY_RSRC) {
+        hashAlg = objectHandleNode->rsrc.misc.rsrc_key_pub.publicArea.nameAlg;
+    }
+
+    if (newAuth) {
+        authCopy = *newAuth;
+    };
+
+    r = iesys_adapt_auth_value(&esysContext->crypto_backend, &authCopy, hashAlg);
+    return_state_if_error(r, _ESYS_STATE_INIT, "Adapt auth value");
+
     /* Initial invocation of SAPI to prepare the command buffer with parameters */
     r = Tss2_Sys_ObjectChangeAuth_Prepare(esysContext->sys,
                                           (objectHandleNode == NULL)
@@ -177,7 +193,7 @@ Esys_ObjectChangeAuth_Async(
                                           (parentHandleNode == NULL)
                                            ? TPM2_RH_NULL
                                            : parentHandleNode->rsrc.handle,
-                                          newAuth);
+                                          &authCopy);
     return_state_if_error(r, _ESYS_STATE_INIT, "SAPI Prepare returned error.");
 
     /* Calculate the cpHash Values */

diff --git a/src/tss2-esys/esys_iutil.c b/src/tss2-esys/esys_iutil.c
@@ -1653,11 +1653,28 @@ iesys_tpm_error(TSS2_RC r)
              (r & TSS2_RC_LAYER_MASK) == TSS2_RESMGR_RC_LAYER));
 }
 
+/** Remove trailing spaces includes auth value.
+ *
+ * Trailing zeros will be removed.
+ *
+ * @param[in,out] auth_value The auth value to be adapted.
+ */
+void iesys_strip_trailing_zeros(TPM2B_DIGEST *digest)
+{
+    /* Remove trailing zeroes */
+    if (digest) {
+        while (digest->size > 0 &&
+               digest->buffer[digest->size - 1] == 0) {
+            digest->size--;
+        }
+    }
+}
 
-/** Replace auth value with Hash for long auth values.
+/** Adapt auth value.
  *
  * if the size of auth value exceeds hash_size the auth value
  * will be replaced with the hash of the auth value.
+ * Trailing zeros will be removed.
  *
  * @param[in,out] auth_value The auth value to be adapted.
  * @param[in] hash_alg The hash alg used for adaption.
@@ -1668,37 +1685,46 @@ iesys_tpm_error(TSS2_RC r)
  *         computation.
  */
 TSS2_RC
-iesys_hash_long_auth_values(
+iesys_adapt_auth_value(
     ESYS_CRYPTO_CALLBACKS *crypto_cb,
     TPM2B_AUTH *auth_value,
     TPMI_ALG_HASH hash_alg)
 {
-    TSS2_RC r;
+    TSS2_RC r = TSS2_RC_SUCCESS;
     ESYS_CRYPTO_CONTEXT_BLOB *cryptoContext;
     TPM2B_AUTH hash2b;
     size_t hash_size;
 
-    r = iesys_crypto_hash_get_digest_size(hash_alg, &hash_size);
-    return_if_error(r, "Get digest size.");
+    /* Remove trailing zeroes */
+    iesys_strip_trailing_zeros(auth_value);
+
+    if (hash_alg) {
+        r = iesys_crypto_hash_get_digest_size(hash_alg, &hash_size);
+        return_if_error(r, "Get digest size.");
 
-    if (auth_value && auth_value->size > hash_size) {
-        /* The auth value has to be adapted. */
-        r = iesys_crypto_hash_start(crypto_cb,
-                &cryptoContext, hash_alg);
-        return_if_error(r, "crypto hash start");
+        if (auth_value && auth_value->size > hash_size) {
+            /* The auth value has to be adapted. */
+            r = iesys_crypto_hash_start(crypto_cb,
+                     &cryptoContext, hash_alg);
+            return_if_error(r, "crypto hash start");
 
-        r = iesys_crypto_hash_update(crypto_cb,
-                cryptoContext, &auth_value->buffer[0],
-                auth_value->size);
-        goto_if_error(r, "crypto hash update", error_cleanup);
+            r = iesys_crypto_hash_update(crypto_cb,
+                    cryptoContext, &auth_value->buffer[0],
+                    auth_value->size);
+            goto_if_error(r, "crypto hash update", error_cleanup);
 
-        r = iesys_crypto_hash_finish(crypto_cb,
-                &cryptoContext, &hash2b.buffer[0], &hash_size);
-        goto_if_error(r, "crypto hash finish", error_cleanup);
+            r = iesys_crypto_hash_finish(crypto_cb,
+                    &cryptoContext, &hash2b.buffer[0], &hash_size);
+            goto_if_error(r, "crypto hash finish", error_cleanup);
 
-        memcpy(&auth_value->buffer[0], &hash2b.buffer[0], hash_size);
-        auth_value->size = hash_size;
+            memcpy(&auth_value->buffer[0], &hash2b.buffer[0], hash_size);
+            auth_value->size = hash_size;
+
+            /* Remove trailing zeroes */
+            iesys_strip_trailing_zeros(auth_value);
+        }
     }
+
     return r;
 
  error_cleanup:

diff --git a/src/tss2-esys/esys_iutil.h b/src/tss2-esys/esys_iutil.h
@@ -171,11 +171,14 @@ TSS2_RC iesys_get_name(
 bool iesys_tpm_error(
     TSS2_RC r);
 
-TSS2_RC iesys_hash_long_auth_values(
+TSS2_RC iesys_adapt_auth_value(
     ESYS_CRYPTO_CALLBACKS *crypto_cb,
     TPM2B_AUTH *auth_value,
     TPMI_ALG_HASH hash_alg);
 
+void iesys_strip_trailing_zeros(
+    TPM2B_AUTH *auth_value);
+
 #ifdef __cplusplus
 } /* extern "C" */
 #endif

diff --git a/src/tss2-esys/esys_tr.c b/src/tss2-esys/esys_tr.c
@@ -479,14 +479,20 @@ Esys_TR_SetAuth(ESYS_CONTEXT * esys_context, ESYS_TR esys_handle,
             name_alg = esys_object->rsrc.misc.rsrc_key_pub.publicArea.nameAlg;
         } else if (esys_object->rsrc.rsrcType == IESYSC_NV_RSRC) {
             name_alg = esys_object->rsrc.misc.rsrc_nv_pub.nvPublic.nameAlg;
+        } else {
+            name_alg = TPM2_ALG_NULL;
         }
         esys_object->auth = *authValue;
-        /* Adapt auth value to hash for large auth values. */
+
+        /* Adapt auth value. */
         if (name_alg != TPM2_ALG_NULL) {
-            r = iesys_hash_long_auth_values(&esys_context->crypto_backend,
+            r = iesys_adapt_auth_value(&esys_context->crypto_backend,
                     &esys_object->auth, name_alg);
             return_if_error(r, "Hashing overlength authValue failed.");
+        } else {
+            iesys_strip_trailing_zeros(&esys_object->auth);
         }
+
     }
     return TSS2_RC_SUCCESS;
 }