esys: remove trailing zeros in auth value.

Esys_TR_SetAuth doesn't remove trailing zeros, but when the TPM calculates an HMAC, the trailing zeros are removed. An integration test to compare the behavior with and without a call of Esys_TR_SetAuth was added. Also the trailing zeros in auth values for: Esys_Create, Esys_CreateLoded, Esys_NV_DefineSpace, and Esys_CreatePrimary will be removed. Fixes: #2664 Signed-off-by: Juergen Repp <juergen_repp@web.de>
tpm2-software · Jul 20, 2023 · 361a436 · 361a436
1 parent dcec28b
commit 361a436
Show file tree

Hide file tree

Showing 4 changed files with 375 additions and 0 deletions.
diff --git a/Makefile-test.am b/Makefile-test.am
@@ -254,6 +254,7 @@ ESYS_TESTS_INTEGRATION_MANDATORY = \
     test/integration/esys-certify-creation.int \
     test/integration/esys-certifyX509.int \
     test/integration/esys-certify.int \
+    test/integration/esys-check-auth-with-trailing-zero.int \
     test/integration/esys-clear-control.int \
     test/integration/esys-clockset.int \
     test/integration/esys-clockset-audit.int \
@@ -1272,6 +1273,13 @@ test_integration_esys_change_eps_int_SOURCES = \
     test/integration/esys-change-eps.int.c \
     test/integration/main-esys.c test/integration/test-esys.h
 
+test_integration_esys_check_auth_with_trailing_zero_int_CFLAGS  = $(TESTS_CFLAGS)
+test_integration_esys_check_auth_with_trailing_zero_int_LDADD   = $(TESTS_LDADD)
+test_integration_esys_check_auth_with_trailing_zero_int_LDFLAGS = $(TESTS_LDFLAGS)
+test_integration_esys_check_auth_with_trailing_zero_int_SOURCES = \
+    test/integration/esys-check-auth-with-trailing-zero.int.c \
+    test/integration/main-esys.c test/integration/test-esys.h
+
 test_integration_esys_clear_int_CFLAGS  = $(TESTS_CFLAGS)
 test_integration_esys_clear_int_LDADD   = $(TESTS_LDADD)
 test_integration_esys_clear_int_LDFLAGS = $(TESTS_LDFLAGS)

diff --git a/src/tss2-esys/esys_iutil.c b/src/tss2-esys/esys_iutil.c
@@ -1699,6 +1699,15 @@ iesys_hash_long_auth_values(
         memcpy(&auth_value->buffer[0], &hash2b.buffer[0], hash_size);
         auth_value->size = hash_size;
     }
+
+    /* Remove trailing zeroes */
+    if (auth_value) {
+        while (auth_value->size > 0 &&
+               auth_value->buffer[auth_value->size - 1] == 0) {
+            auth_value->size--;
+        }
+    }
+
     return r;
 
  error_cleanup:

diff --git a/src/tss2-esys/esys_tr.c b/src/tss2-esys/esys_tr.c
@@ -481,12 +481,18 @@ Esys_TR_SetAuth(ESYS_CONTEXT * esys_context, ESYS_TR esys_handle,
             name_alg = esys_object->rsrc.misc.rsrc_nv_pub.nvPublic.nameAlg;
         }
         esys_object->auth = *authValue;
+
         /* Adapt auth value to hash for large auth values. */
         if (name_alg != TPM2_ALG_NULL) {
             r = iesys_hash_long_auth_values(&esys_context->crypto_backend,
                     &esys_object->auth, name_alg);
             return_if_error(r, "Hashing overlength authValue failed.");
         }
+        /* Remove trailing zeroes */
+        while (esys_object->auth.size > 0 &&
+               esys_object->auth.buffer[esys_object->auth.size - 1] == 0) {
+            esys_object->auth.size--;
+        }
     }
     return TSS2_RC_SUCCESS;
 }