author | James Bottomley <James.Bottomley@HansenPartnership.com> | 2023-02-28 11:51:41 -0500 |
---|---|---|
committer | James Bottomley <James.Bottomley@HansenPartnership.com> | 2023-03-17 12:27:36 -0400 |
commit | 07344a654c2bb17bfabbdbbd7422ba8864818493 (patch) | |
tree | 7f426a1f63228cef05e010a89d078e7c19e621b9 | |
parent | 2375eaeb8bc7f4b5cd8f0428eb89df6906dbc214 (diff) | |
download | openssl_tpm2_engine-07344a654c2bb17bfabbdbbd7422ba8864818493.tar.gz |
tpm2-common: factor out RSA decryption
We'll need to use this inside both the provider and the engine.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rw-r--r-- | src/engine/e_tpm2-rsa.c | 153 | ||||
-rw-r--r-- | src/include/tpm2-common.h | 3 | ||||
-rw-r--r-- | src/libcommon/tpm2-common.c | 67 |
3 files changed, 84 insertions, 139 deletions
diff --git a/src/engine/e_tpm2-rsa.c b/src/engine/e_tpm2-rsa.c index ca6a162..936649a 100644 --- a/src/engine/e_tpm2-rsa.c +++ b/src/engine/e_tpm2-rsa.c @@ -96,24 +96,6 @@ static int tpm2_rsa_pub_enc(int flen, #endif -static TPM_HANDLE tpm2_load_key_from_rsa(RSA *rsa, TSS_CONTEXT **tssContext, - char **auth, TPM_SE *sessionType, - struct app_data **app_data, - TPM_ALG_ID *nameAlg) -{ - *app_data = RSA_get_ex_data(rsa, ex_app_data); - - if (!*app_data) - return 0; - - *auth = (*app_data)->auth; - *sessionType = (*app_data)->req_policy_session ? - TPM_SE_POLICY : TPM_SE_HMAC; - *nameAlg = (*app_data)->Public.publicArea.nameAlg; - - return tpm2_load_key(tssContext, *app_data, srk_auth, NULL); -} - void tpm2_bind_key_to_engine_rsa(ENGINE *e, EVP_PKEY *pkey, struct app_data *data) { RSA *rsa = EVP_PKEY_get1_RSA(pkey); 
@@ -159,73 +141,14 @@ static int tpm2_rsa_priv_dec(int flen, RSA *rsa, int padding) { - TPM_RC rc; - int rv; - TSS_CONTEXT *tssContext; - TPM_HANDLE keyHandle; + const struct app_data *ad = RSA_get_ex_data(rsa, ex_app_data); PUBLIC_KEY_RSA_2B cipherText; - TPMT_RSA_DECRYPT inScheme; - PUBLIC_KEY_RSA_2B message; - char *auth; - TPM_HANDLE authHandle; - TPM_SE sessionType; - TPM_ALG_ID nameAlg; - struct app_data *app_data; - - keyHandle = tpm2_load_key_from_rsa(rsa, &tssContext, &auth, - &sessionType, &app_data, &nameAlg); - - if (keyHandle == 0) { - fprintf(stderr, "Failed to get Key Handle in TPM RSA key routines\n"); - - return -1; - } - - rv = -1; - if (padding == RSA_PKCS1_PADDING) { - inScheme.scheme = TPM_ALG_RSAES; - } else if (padding == RSA_NO_PADDING) { - inScheme.scheme = TPM_ALG_NULL; - } else if (padding == RSA_PKCS1_OAEP_PADDING) { - inScheme.scheme = TPM_ALG_OAEP; - /* for openssl RSA, the padding is hard coded */ - inScheme.details.oaep.hashAlg = TPM_ALG_SHA1; - } else { - fprintf(stderr, "Can't process padding type: %d\n", padding); - goto out; - } cipherText.size = flen; memcpy(cipherText.buffer, from, flen); - rc = tpm2_get_session_handle(tssContext, &authHandle, 0, sessionType, - nameAlg); - if (rc) - goto out; - - if (sessionType == TPM_SE_POLICY) { - rc = tpm2_init_session(tssContext, authHandle, - app_data, nameAlg); - if (rc) - goto out; - } - - rc = tpm2_RSA_Decrypt(tssContext, keyHandle, &cipherText, &inScheme, - &message, authHandle, auth, TPMA_SESSION_ENCRYPT); - - if (rc) { - tpm2_error(rc, "TPM2_RSA_Decrypt"); - /* failure means auth handle is not flushed */ - tpm2_flush_handle(tssContext, authHandle); - goto out; - } - - memcpy(to, message.buffer, message.size); - - rv = message.size; - out: - tpm2_unload_key(tssContext, keyHandle); - return rv; + return tpm2_rsa_decrypt(ad, &cipherText, to, padding, + TPMA_SESSION_ENCRYPT, srk_auth); } static int tpm2_rsa_priv_enc(int flen, 
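Review bot: `ad` can be NULL here, because the removed tpm2_load_key_from_rsa returned 0 when `RSA_get_ex_data()` found no app data and nothing replaces that guard in tpm2_rsa_priv_dec, in tpm2_rsa_priv_enc (the next two hunks) or in the new tpm2_rsa_decrypt, which later reads `ad->req_policy_session`. Unless tpm2_load_key rejects a NULL `ad` (not visible in this diff), an RSA object without engine data would now hit a NULL dereference instead of returning -1; `if (!ad) return -1;` at the top of tpm2_rsa_decrypt would restore the old behaviour for every caller. The unchanged `memcpy(cipherText.buffer, from, flen)` also trusts the caller-supplied `flen`, so a guard such as `if (flen < 0 || (size_t)flen > sizeof(cipherText.buffer)) return -1;` ahead of the size assignment would bound the copy into the stack buffer. The function's signature starts above the hunk.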
@@ -234,27 +157,10 @@ static int tpm2_rsa_priv_enc(int flen, RSA *rsa, int padding) { - TPM_RC rc; - int rv, size; - TPM_HANDLE keyHandle; + const struct app_data *ad = RSA_get_ex_data(rsa, ex_app_data); PUBLIC_KEY_RSA_2B cipherText; - TPMT_RSA_DECRYPT inScheme; - PUBLIC_KEY_RSA_2B message; - TSS_CONTEXT *tssContext; - char *auth; - TPM_HANDLE authHandle; - TPM_SE sessionType; - TPM_ALG_ID nameAlg; - struct app_data *app_data; + const int size = RSA_size(rsa); - /* this is slightly paradoxical that we're doing a Decrypt - * operation: the only material difference between decrypt and - * encrypt is where the padding is applied or checked, so if - * you apply your own padding up to the RSA block size and use - * TPM_ALG_NULL, which means no padding check, a decrypt - * operation effectively becomes an encrypt */ - size = RSA_size(rsa); - inScheme.scheme = TPM_ALG_NULL; cipherText.size = size; /* note: currently openssl doesn't do OAEP signatures and all 
@@ -271,46 +177,15 @@ static int tpm2_rsa_priv_enc(int flen, return -1; } - keyHandle = tpm2_load_key_from_rsa(rsa, &tssContext, &auth, - &sessionType, &app_data, &nameAlg); - - if (keyHandle == 0) { - fprintf(stderr, "Failed to get Key Handle in TPM RSA routines\n"); - - return -1; - } - - rv = -1; - rc = tpm2_get_session_handle(tssContext, &authHandle, 0, sessionType, - nameAlg); - if (rc) - goto out; - - if (sessionType == TPM_SE_POLICY) { - rc = tpm2_init_session(tssContext, authHandle, - app_data, nameAlg); - if (rc) - goto out; - } - - rc = tpm2_RSA_Decrypt(tssContext, keyHandle, &cipherText, &inScheme, - &message, authHandle, auth, TPMA_SESSION_DECRYPT); - - if (rc) { - tpm2_error(rc, "TPM2_RSA_Decrypt"); - /* failure means auth handle is not flushed */ - tpm2_flush_handle(tssContext, authHandle); - goto out; - } - - memcpy(to, message.buffer, message.size); - - rv = message.size; - - out: - tpm2_unload_key(tssContext, keyHandle); - - return rv; + /* this is slightly paradoxical that we're doing a Decrypt + * operation: the only material difference between decrypt and + * encrypt is where the padding is applied or checked, so if + * you apply your own padding up to the RSA block size and use + * TPM_ALG_NULL (RSA_NO_PADDING), which means no padding + * check, a decrypt operation effectively becomes an + * encrypt */ + return tpm2_rsa_decrypt(ad, &cipherText, to, RSA_NO_PADDING, + TPMA_SESSION_DECRYPT, srk_auth); } int tpm2_setup_rsa_methods(void) diff --git a/src/include/tpm2-common.h b/src/include/tpm2-common.h index 2f14e83..610750b 100644 --- a/src/include/tpm2-common.h +++ b/src/include/tpm2-common.h 
@@ -125,4 +125,7 @@ ECDSA_SIG *tpm2_sign_ecc(const struct app_data *ad, const unsigned char *dgst, int dgst_len, char *srk_auth); int tpm2_ecdh_x(struct app_data *ad, unsigned char **psec, size_t *pseclen, const TPM2B_ECC_POINT *inPoint, const char *srk_auth); +int tpm2_rsa_decrypt(const struct app_data *ad, PUBLIC_KEY_RSA_2B *cipherText, + unsigned char *to, int padding, int protection, + char *srk_auth); #endif diff --git a/src/libcommon/tpm2-common.c b/src/libcommon/tpm2-common.c index 4c37589..c6e0461 100644 --- a/src/libcommon/tpm2-common.c +++ b/src/libcommon/tpm2-common.c 
@@ -573,6 +573,73 @@ struct tpm2_ECC_Curves tpm2_supported_curves[] = { { .name = NULL, } }; +int tpm2_rsa_decrypt(const struct app_data *ad, PUBLIC_KEY_RSA_2B *cipherText, + unsigned char *to, int padding, int protection, + char *srk_auth) +{ + TPM_RC rc; + int rv; + TSS_CONTEXT *tssContext; + TPM_HANDLE keyHandle; + TPMT_RSA_DECRYPT inScheme; + PUBLIC_KEY_RSA_2B message; + TPM_HANDLE authHandle; + TPM_SE sessionType; + + keyHandle = tpm2_load_key(&tssContext, ad, srk_auth, NULL); + + if (keyHandle == 0) { + fprintf(stderr, "Failed to get Key Handle in TPM RSA key routines\n"); + + return -1; + } + + rv = -1; + if (padding == RSA_PKCS1_PADDING) { + inScheme.scheme = TPM_ALG_RSAES; + } else if (padding == RSA_NO_PADDING) { + inScheme.scheme = TPM_ALG_NULL; + } else if (padding == RSA_PKCS1_OAEP_PADDING) { + inScheme.scheme = TPM_ALG_OAEP; + /* for openssl RSA, the padding is hard coded */ + inScheme.details.oaep.hashAlg = TPM_ALG_SHA1; + } else { + fprintf(stderr, "Can't process padding type: %d\n", padding); + goto out; + } + + sessionType = ad->req_policy_session ? TPM_SE_POLICY : TPM_SE_HMAC; + + rc = tpm2_get_session_handle(tssContext, &authHandle, 0, sessionType, + ad->Public.publicArea.nameAlg); + if (rc) + goto out; + + if (sessionType == TPM_SE_POLICY) { + rc = tpm2_init_session(tssContext, authHandle, + ad, ad->Public.publicArea.nameAlg); + if (rc) + goto out; + } + + rc = tpm2_RSA_Decrypt(tssContext, keyHandle, cipherText, &inScheme, + &message, authHandle, ad->auth, protection); + + if (rc) { + tpm2_error(rc, "TPM2_RSA_Decrypt"); + /* failure means auth handle is not flushed */ + tpm2_flush_handle(tssContext, authHandle); + goto out; + } + + memcpy(to, message.buffer, message.size); + + rv = message.size; + out: + tpm2_unload_key(tssContext, keyHandle); + return rv; +} + ECDSA_SIG *tpm2_sign_ecc(const struct app_data *ad, const unsigned char *dgst, int dgst_len, char *srk_auth) { |
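Review bot: The final `memcpy(to, message.buffer, message.size)` writes a length taken from the TPM response into a buffer whose capacity the new signature does not carry, so every caller of this shared helper must guarantee that `to` holds at least the key's modulus size. The prototype in tpm2-common.h should state that contract, e.g. `/* to must have room for the RSA modulus size in bytes; returns plaintext length or -1 */`. The decrypted plaintext also remains in the stack copy `message` after return; adding `OPENSSL_cleanse(&message, sizeof(message));` after the `out:` label would stop it lingering. Separately, the `tpm2_init_session` failure path jumps to `out` without `tpm2_flush_handle`; whether that helper flushes the session itself is not visible here and is worth confirming. The OAEP comment "for openssl RSA, the padding is hard coded" describes the engine path only, so it should note that SHA1 is fixed for any other caller of this helper as well.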