engine: retrieve policy commands from the key

Retrieve the policy commands from the key and store in the app_data
structure.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>

4 files changed, 105 insertions, 6 deletions

diff --git a/e_tpm2-ecc.c b/e_tpm2-ecc.c
index 7e8b753..833cc0a 100644
--- a/e_tpm2-ecc.c
+++ b/e_tpm2-ecc.c
@@ -65,7 +65,8 @@ static int ec_app_data = TPM2_ENGINE_EX_DATA_UNINIT;
 
 static TPM_HANDLE tpm2_load_key_from_ecc(const EC_KEY *eck,
 					 TSS_CONTEXT **tssContext, char **auth,
-					 TPM_SE *sessionType)
+					 TPM_SE *sessionType, int *num_commands,
+					 struct policy_command **commands)
 {
 #if OPENSSL_VERSION_NUMBER < 0x10100000
 	/*  const mess up in openssl 1.0.2 */
@@ -81,6 +82,8 @@ static TPM_HANDLE tpm2_load_key_from_ecc(const EC_KEY *eck,
 	*auth = app_data->auth;
 	*sessionType = app_data->req_policy_session ?
 		       TPM_SE_POLICY : TPM_SE_HMAC;
+	*commands = app_data->commands;
+	*num_commands = app_data->num_commands;
 
 	return tpm2_load_key(tssContext, app_data);
 }
@@ -131,6 +134,8 @@ static ECDSA_SIG *tpm2_ecdsa_sign(const unsigned char *dgst, int dgst_len,
 	TPM_SE sessionType;
 	ECDSA_SIG *sig;
 	BIGNUM *r, *s;
+	int num_commands;
+	struct policy_command *commands;
 
 	/* The TPM insists on knowing the digest type, so
 	 * calculate that from the size */
@@ -155,7 +160,8 @@ static ECDSA_SIG *tpm2_ecdsa_sign(const unsigned char *dgst, int dgst_len,
 	}
 
 	in.keyHandle = tpm2_load_key_from_ecc(eck, &tssContext, &auth,
-					      &sessionType);
+					      &sessionType, &num_commands,
+					      &commands);
 	if (in.keyHandle == 0) {
 		fprintf(stderr, "Failed to get Key Handle in TPM EC key routines\n");
 		return NULL;
@@ -173,6 +179,13 @@ static ECDSA_SIG *tpm2_ecdsa_sign(const unsigned char *dgst, int dgst_len,
 	if (rc)
 		goto out;
 
+	if (sessionType == TPM_SE_POLICY) {
+		rc = tpm2_init_session(tssContext, authHandle,
+				       num_commands, commands);
+		if (rc)
+			goto out;
+	}
+
 	rc = TSS_Execute(tssContext,
 			 (RESPONSE_PARAMETERS *)&out,
 			 (COMMAND_PARAMETERS *)&in,
@@ -222,6 +235,8 @@ static int tpm2_ecc_compute_key(unsigned char **psec, size_t *pseclen,
 	const EC_GROUP *group;
 	BN_CTX *ctx;
 	unsigned char point[MAX_ECC_KEY_BYTES*2 + 1];
+	int num_commands;
+	struct policy_command *commands;
 	int ret;
 
 	group = EC_KEY_get0_group(eck);
@@ -237,7 +252,8 @@ static int tpm2_ecc_compute_key(unsigned char **psec, size_t *pseclen,
 	len >>= 1;
 
 	in.keyHandle = tpm2_load_key_from_ecc(eck, &tssContext, &auth,
-					      &sessionType);
+					      &sessionType, &num_commands,
+					      &commands);
 	if (in.keyHandle == 0) {
 		fprintf(stderr, "Failed to get Key Handle in TPM EC key routines\n");
 		return 0;
@@ -252,6 +268,13 @@ static int tpm2_ecc_compute_key(unsigned char **psec, size_t *pseclen,
 	if (rc)
 		goto out;
 
+	if (sessionType == TPM_SE_POLICY) {
+		rc = tpm2_init_session(tssContext, authHandle,
+				       num_commands, commands);
+		if (rc)
+			goto out;
+	}
+
 	rc = TSS_Execute(tssContext,
 			 (RESPONSE_PARAMETERS *)&out,
 			 (COMMAND_PARAMETERS *)&in,
diff --git a/e_tpm2-rsa.c b/e_tpm2-rsa.c
index 210e046..3177624 100644
--- a/e_tpm2-rsa.c
+++ b/e_tpm2-rsa.c
@@ -102,7 +102,9 @@ static int tpm2_rsa_pub_enc(int flen,
 #endif
 
 static TPM_HANDLE tpm2_load_key_from_rsa(RSA *rsa, TSS_CONTEXT **tssContext,
-					 char **auth, TPM_SE *sessionType)
+					 char **auth, TPM_SE *sessionType,
+					 int *num_commands,
+					 struct policy_command **commands)
 {
 	struct app_data *app_data = RSA_get_ex_data(rsa, ex_app_data);
 
@@ -112,6 +114,9 @@ static TPM_HANDLE tpm2_load_key_from_rsa(RSA *rsa, TSS_CONTEXT **tssContext,
 	*auth = app_data->auth;
 	*sessionType = app_data->req_policy_session ?
 		       TPM_SE_POLICY : TPM_SE_HMAC;
+	*commands = app_data->commands;
+	*num_commands = app_data->num_commands;
+
 	return tpm2_load_key(tssContext, app_data);
 }
 
@@ -158,9 +163,12 @@ static int tpm2_rsa_priv_dec(int flen,
 	char *auth;
 	TPM_HANDLE authHandle;
 	TPM_SE sessionType;
+	int num_commands;
+	struct policy_command *commands;
 
 	in.keyHandle = tpm2_load_key_from_rsa(rsa, &tssContext, &auth,
-					      &sessionType);
+					      &sessionType, &num_commands,
+					      &commands);
 
 	if (in.keyHandle == 0) {
 		fprintf(stderr, "Failed to get Key Handle in TPM RSA key routines\n");
@@ -183,6 +191,13 @@ static int tpm2_rsa_priv_dec(int flen,
 	if (rc)
 		goto out;
 
+	if (sessionType == TPM_SE_POLICY) {
+		rc = tpm2_init_session(tssContext, authHandle,
+				       num_commands, commands);
+		if (rc)
+			goto out;
+	}
+
 	rc = TSS_Execute(tssContext,
 			 (RESPONSE_PARAMETERS *)&out,
 			 (COMMAND_PARAMETERS *)&in,
@@ -220,6 +235,8 @@ static int tpm2_rsa_priv_enc(int flen,
 	char *auth;
 	TPM_HANDLE authHandle;
 	TPM_SE sessionType;
+	int num_commands;
+	struct policy_command *commands;
 
 	if (padding != RSA_PKCS1_PADDING) {
 		fprintf(stderr, "Non PKCS1 padding asked for\n");
@@ -227,7 +244,8 @@ static int tpm2_rsa_priv_enc(int flen,
 	}
 
 	in.keyHandle = tpm2_load_key_from_rsa(rsa, &tssContext, &auth,
-					      &sessionType);
+					      &sessionType, &num_commands,
+					      &commands);
 
 	if (in.keyHandle == 0) {
 		fprintf(stderr, "Failed to get Key Handle in TPM RSA routines\n");
@@ -240,6 +258,13 @@ static int tpm2_rsa_priv_enc(int flen,
 	if (rc)
 		goto out;
 
+	if (sessionType == TPM_SE_POLICY) {
+		rc = tpm2_init_session(tssContext, authHandle,
+				       num_commands, commands);
+		if (rc)
+			goto out;
+	}
+
 	/* this is slightly paradoxical that we're doing a Decrypt
 	 * operation: the only material difference between decrypt and
 	 * encrypt is where the padding is applied or checked, so if
diff --git a/e_tpm2.c b/e_tpm2.c
index aa43a50..75030b8 100644
--- a/e_tpm2.c
+++ b/e_tpm2.c
@@ -270,6 +270,46 @@ static int tpm2_engine_load_nvkey(ENGINE *e, EVP_PKEY **ppkey,
 	return 0;
 }
 
+static int tpm2_engine_load_key_policy(struct app_data *app_data,
+				       TSSLOADABLE *tssl)
+{
+	struct policy_command *command;
+	TSSOPTPOLICY *policy;
+	int i, commands_len;
+
+	app_data->num_commands = sk_TSSOPTPOLICY_num(tssl->policy);
+	if (app_data->num_commands <= 0)
+		return 1;
+
+	commands_len = sizeof(struct policy_command) * app_data->num_commands;
+	app_data->commands = OPENSSL_malloc(commands_len);
+	if (!app_data->commands)
+		return 0;
+
+	for (i = 0; i < app_data->num_commands; i++) {
+		policy = sk_TSSOPTPOLICY_value(tssl->policy, i);
+		if (!policy)
+			return 0;
+
+		command = app_data->commands + i;
+		command->code = ASN1_INTEGER_get(policy->CommandCode);
+		command->size = policy->CommandPolicy->length;
+		command->policy = NULL;
+
+		if (!command->size)
+			continue;
+
+		command->policy = OPENSSL_malloc(command->size);
+		if (!command->policy)
+			return 0;
+
+		memcpy(command->policy, policy->CommandPolicy->data,
+		       command->size);
+	}
+
+	return 1;
+}
+
 static int tpm2_engine_load_key_core(ENGINE *e, EVP_PKEY **ppkey,
 				     const char *key_id,  BIO *bio,
 				     struct tpm_ui *ui, void *cb_data)
@@ -393,6 +433,9 @@ static int tpm2_engine_load_key_core(ENGINE *e, EVP_PKEY **ppkey,
 	if (!(p.publicArea.objectAttributes.val & TPMA_OBJECT_USERWITHAUTH))
 		app_data->req_policy_session = 1;
 
+	if (!tpm2_engine_load_key_policy(app_data, tssl))
+		goto err_free_key;
+
 	TSSLOADABLE_free(tssl);
 
 	tpm2_bind_key_to_engine(pkey, app_data);
@@ -539,6 +582,12 @@ void tpm2_unload_key(TSS_CONTEXT *tssContext, TPM_HANDLE key)
 
 void tpm2_delete(struct app_data *app_data)
 {
+	int i;
+
+	for (i = 0; i < app_data->num_commands; i++)
+		OPENSSL_free(app_data->commands[i].policy);
+
+	OPENSSL_free(app_data->commands);
 	OPENSSL_free(app_data->priv);
 	OPENSSL_free(app_data->pub);
 
diff --git a/e_tpm2.h b/e_tpm2.h
index 4aa9fab..ef9fd38 100644
--- a/e_tpm2.h
+++ b/e_tpm2.h
@@ -19,6 +19,8 @@ struct app_data {
 	char *auth;
 	const char *dir;
 	int req_policy_session;
+	int num_commands;
+	struct policy_command *commands;
 };
 
 TPM_HANDLE tpm2_load_key(TSS_CONTEXT **tsscp, struct app_data *app_data);