diff options
author | Roberto Sassu <roberto.sassu@huawei.com> | 2018-06-26 16:56:36 +0200 |
---|---|---|
committer | James Bottomley <James.Bottomley@HansenPartnership.com> | 2018-06-28 13:58:25 -0700 |
commit | e9fa309a825361a54da22e912d3be913f3cf0d7a (patch) | |
tree | c249dd463b13b115d9b51486726b0d6e90e48105 | |
parent | 14799bf92b2b63cc4c476ff51b1a2007165606b2 (diff) | |
download | openssl_tpm2_engine-e9fa309a825361a54da22e912d3be913f3cf0d7a.tar.gz |
engine: retrieve policy commands from the key
Retrieve the policy commands from the key and store in the app_data
structure.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rw-r--r-- | e_tpm2-ecc.c | 29 | ||||
-rw-r--r-- | e_tpm2-rsa.c | 31 | ||||
-rw-r--r-- | e_tpm2.c | 49 | ||||
-rw-r--r-- | e_tpm2.h | 2 |
4 files changed, 105 insertions, 6 deletions
diff --git a/e_tpm2-ecc.c b/e_tpm2-ecc.c index 7e8b753..833cc0a 100644 --- a/e_tpm2-ecc.c +++ b/e_tpm2-ecc.c @@ -65,7 +65,8 @@ static int ec_app_data = TPM2_ENGINE_EX_DATA_UNINIT; static TPM_HANDLE tpm2_load_key_from_ecc(const EC_KEY *eck, TSS_CONTEXT **tssContext, char **auth, - TPM_SE *sessionType) + TPM_SE *sessionType, int *num_commands, + struct policy_command **commands) { #if OPENSSL_VERSION_NUMBER < 0x10100000 /* const mess up in openssl 1.0.2 */ @@ -81,6 +82,8 @@ static TPM_HANDLE tpm2_load_key_from_ecc(const EC_KEY *eck, *auth = app_data->auth; *sessionType = app_data->req_policy_session ? TPM_SE_POLICY : TPM_SE_HMAC; + *commands = app_data->commands; + *num_commands = app_data->num_commands; return tpm2_load_key(tssContext, app_data); } @@ -131,6 +134,8 @@ static ECDSA_SIG *tpm2_ecdsa_sign(const unsigned char *dgst, int dgst_len, TPM_SE sessionType; ECDSA_SIG *sig; BIGNUM *r, *s; + int num_commands; + struct policy_command *commands; /* The TPM insists on knowing the digest type, so * calculate that from the size */ @@ -155,7 +160,8 @@ static ECDSA_SIG *tpm2_ecdsa_sign(const unsigned char *dgst, int dgst_len, } in.keyHandle = tpm2_load_key_from_ecc(eck, &tssContext, &auth, - &sessionType); + &sessionType, &num_commands, + &commands); if (in.keyHandle == 0) { fprintf(stderr, "Failed to get Key Handle in TPM EC key routines\n"); return NULL; @@ -173,6 +179,13 @@ static ECDSA_SIG *tpm2_ecdsa_sign(const unsigned char *dgst, int dgst_len, if (rc) goto out; + if (sessionType == TPM_SE_POLICY) { + rc = tpm2_init_session(tssContext, authHandle, + num_commands, commands); + if (rc) + goto out; + } + rc = TSS_Execute(tssContext, (RESPONSE_PARAMETERS *)&out, (COMMAND_PARAMETERS *)&in, @@ -222,6 +235,8 @@ static int tpm2_ecc_compute_key(unsigned char **psec, size_t *pseclen, const EC_GROUP *group; BN_CTX *ctx; unsigned char point[MAX_ECC_KEY_BYTES*2 + 1]; + int num_commands; + struct policy_command *commands; int ret; group = EC_KEY_get0_group(eck); @@ -237,7 +252,8 @@ static int tpm2_ecc_compute_key(unsigned char **psec, size_t *pseclen, len >>= 1; in.keyHandle = tpm2_load_key_from_ecc(eck, &tssContext, &auth, - &sessionType); + &sessionType, &num_commands, + &commands); if (in.keyHandle == 0) { fprintf(stderr, "Failed to get Key Handle in TPM EC key routines\n"); return 0; @@ -252,6 +268,13 @@ static int tpm2_ecc_compute_key(unsigned char **psec, size_t *pseclen, if (rc) goto out; + if (sessionType == TPM_SE_POLICY) { + rc = tpm2_init_session(tssContext, authHandle, + num_commands, commands); + if (rc) + goto out; + } + rc = TSS_Execute(tssContext, (RESPONSE_PARAMETERS *)&out, (COMMAND_PARAMETERS *)&in, diff --git a/e_tpm2-rsa.c b/e_tpm2-rsa.c index 210e046..3177624 100644 --- a/e_tpm2-rsa.c +++ b/e_tpm2-rsa.c @@ -102,7 +102,9 @@ static int tpm2_rsa_pub_enc(int flen, #endif static TPM_HANDLE tpm2_load_key_from_rsa(RSA *rsa, TSS_CONTEXT **tssContext, - char **auth, TPM_SE *sessionType) + char **auth, TPM_SE *sessionType, + int *num_commands, + struct policy_command **commands) { struct app_data *app_data = RSA_get_ex_data(rsa, ex_app_data); @@ -112,6 +114,9 @@ static TPM_HANDLE tpm2_load_key_from_rsa(RSA *rsa, TSS_CONTEXT **tssContext, *auth = app_data->auth; *sessionType = app_data->req_policy_session ? TPM_SE_POLICY : TPM_SE_HMAC; + *commands = app_data->commands; + *num_commands = app_data->num_commands; + return tpm2_load_key(tssContext, app_data); } @@ -158,9 +163,12 @@ static int tpm2_rsa_priv_dec(int flen, char *auth; TPM_HANDLE authHandle; TPM_SE sessionType; + int num_commands; + struct policy_command *commands; in.keyHandle = tpm2_load_key_from_rsa(rsa, &tssContext, &auth, - &sessionType); + &sessionType, &num_commands, + &commands); if (in.keyHandle == 0) { fprintf(stderr, "Failed to get Key Handle in TPM RSA key routines\n"); @@ -183,6 +191,13 @@ static int tpm2_rsa_priv_dec(int flen, if (rc) goto out; + if (sessionType == TPM_SE_POLICY) { + rc = tpm2_init_session(tssContext, authHandle, + num_commands, commands); + if (rc) + goto out; + } + rc = TSS_Execute(tssContext, (RESPONSE_PARAMETERS *)&out, (COMMAND_PARAMETERS *)&in, @@ -220,6 +235,8 @@ static int tpm2_rsa_priv_enc(int flen, char *auth; TPM_HANDLE authHandle; TPM_SE sessionType; + int num_commands; + struct policy_command *commands; if (padding != RSA_PKCS1_PADDING) { fprintf(stderr, "Non PKCS1 padding asked for\n"); @@ -227,7 +244,8 @@ static int tpm2_rsa_priv_enc(int flen, } in.keyHandle = tpm2_load_key_from_rsa(rsa, &tssContext, &auth, - &sessionType); + &sessionType, &num_commands, + &commands); if (in.keyHandle == 0) { fprintf(stderr, "Failed to get Key Handle in TPM RSA routines\n"); @@ -240,6 +258,13 @@ static int tpm2_rsa_priv_enc(int flen, if (rc) goto out; + if (sessionType == TPM_SE_POLICY) { + rc = tpm2_init_session(tssContext, authHandle, + num_commands, commands); + if (rc) + goto out; + } + /* this is slightly paradoxical that we're doing a Decrypt * operation: the only material difference between decrypt and * encrypt is where the padding is applied or checked, so if @@ -270,6 +270,46 @@ static int tpm2_engine_load_nvkey(ENGINE *e, EVP_PKEY **ppkey, return 0; } +static int tpm2_engine_load_key_policy(struct app_data *app_data, + TSSLOADABLE *tssl) +{ + struct policy_command *command; + TSSOPTPOLICY *policy; + int i, commands_len; + + app_data->num_commands = sk_TSSOPTPOLICY_num(tssl->policy); + if (app_data->num_commands <= 0) + return 1; + + commands_len = sizeof(struct policy_command) * app_data->num_commands; + app_data->commands = OPENSSL_malloc(commands_len); + if (!app_data->commands) + return 0; + + for (i = 0; i < app_data->num_commands; i++) { + policy = sk_TSSOPTPOLICY_value(tssl->policy, i); + if (!policy) + return 0; + + command = app_data->commands + i; + command->code = ASN1_INTEGER_get(policy->CommandCode); + command->size = policy->CommandPolicy->length; + command->policy = NULL; + + if (!command->size) + continue; + + command->policy = OPENSSL_malloc(command->size); + if (!command->policy) + return 0; + + memcpy(command->policy, policy->CommandPolicy->data, + command->size); + } + + return 1; +} + static int tpm2_engine_load_key_core(ENGINE *e, EVP_PKEY **ppkey, const char *key_id, BIO *bio, struct tpm_ui *ui, void *cb_data) @@ -393,6 +433,9 @@ static int tpm2_engine_load_key_core(ENGINE *e, EVP_PKEY **ppkey, if (!(p.publicArea.objectAttributes.val & TPMA_OBJECT_USERWITHAUTH)) app_data->req_policy_session = 1; + if (!tpm2_engine_load_key_policy(app_data, tssl)) + goto err_free_key; + TSSLOADABLE_free(tssl); tpm2_bind_key_to_engine(pkey, app_data); @@ -539,6 +582,12 @@ void tpm2_unload_key(TSS_CONTEXT *tssContext, TPM_HANDLE key) void tpm2_delete(struct app_data *app_data) { + int i; + + for (i = 0; i < app_data->num_commands; i++) + OPENSSL_free(app_data->commands[i].policy); + + OPENSSL_free(app_data->commands); OPENSSL_free(app_data->priv); OPENSSL_free(app_data->pub); @@ -19,6 +19,8 @@ struct app_data { char *auth; const char *dir; int req_policy_session; + int num_commands; + struct policy_command *commands; }; TPM_HANDLE tpm2_load_key(TSS_CONTEXT **tsscp, struct app_data *app_data); |