author | James Bottomley <James.Bottomley@HansenPartnership.com> | 2023-02-22 18:12:32 -0500 |
---|---|---|
committer | James Bottomley <James.Bottomley@HansenPartnership.com> | 2023-03-17 12:25:26 -0400 |
commit | f2b31105f4042f23f155502627f802aec0156552 (patch) | |
tree | c15837f9eab22489c1eebd4e78242d2c03df755a | |
parent | 989c6cc75c953b5c580324d2c5ca77e912ea67a2 (diff) | |
download | openssl_tpm2_engine-f2b31105f4042f23f155502627f802aec0156552.tar.gz |
tpm2-common: reshuffle pieces for openssl3 provider
Separate out bio loading (openssl3 uses bios not file names) of TPM
keys and export tpm2_curve_get_order(). Use TPM2B_PUBLIC for the public
key (saves multiple unmarshals in the provider). Also allows the
elimination of the name_alg field which can now be picked out of the
TPM2B_PUBLIC.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rw-r--r-- | configure.ac | 3 | ||||
-rw-r--r-- | src/engine/Makefile.am | 2 | ||||
-rw-r--r-- | src/engine/e_tpm2-ecc.c | 2 | ||||
-rw-r--r-- | src/engine/e_tpm2-rsa.c | 2 | ||||
-rw-r--r-- | src/engine/e_tpm2.c | 8 | ||||
-rw-r--r-- | src/include/tpm2-common.h | 7 | ||||
-rw-r--r-- | src/libcommon/Makefile.am | 2 | ||||
-rw-r--r-- | src/libcommon/tpm2-common.c | 187 | ||||
-rw-r--r-- | src/tools/Makefile.am | 2 | ||||
-rw-r--r-- | src/tools/unseal_tpm2_data.c | 2 |
10 files changed, 110 insertions, 107 deletions
diff --git a/configure.ac b/configure.ac
index f189e24..bc6409c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -140,9 +140,10 @@ AM_CONDITIONAL(HAVE_XML2RFC, test -n "${XML2RFC}")
 CFLAGS="$CFLAGS -Wall -Werror"
 SHREXT=$shrext_cmds
 if test -n "$ac_have_openssl3"; then
- CFLAGS="$CFLAGS -DOPENSSL_API_COMPAT=0x10100000L"
+ DEPRECATION="-DOPENSSL_API_COMPAT=0x10100000L"
 fi
 AC_SUBST(CFLAGS)
+AC_SUBST(DEPRECATION)
 AC_SUBST(TSS_INCLUDE)
 AC_SUBST(SHREXT)
 TSSTYPE=$tsslibs
diff --git a/src/engine/Makefile.am b/src/engine/Makefile.am
index f9bebb7..9ce2a25 100644
--- a/src/engine/Makefile.am
+++ b/src/engine/Makefile.am
@@ -1,4 +1,4 @@
-AM_CPPFLAGS = -I ../include
+AM_CPPFLAGS = -I ../include ${DEPRECATION}
 openssl_engine_LTLIBRARIES=libtpm2.la
 openssl_enginedir=@enginesdir@
diff --git a/src/engine/e_tpm2-ecc.c b/src/engine/e_tpm2-ecc.c
index 92ea12d..bbc86da 100644
--- a/src/engine/e_tpm2-ecc.c
+++ b/src/engine/e_tpm2-ecc.c
@@ -78,7 +78,7 @@ static TPM_HANDLE tpm2_load_key_from_ecc(const EC_KEY *eck,
 *auth = (*app_data)->auth;
 *sessionType = (*app_data)->req_policy_session ? TPM_SE_POLICY : TPM_SE_HMAC;
- *nameAlg = (*app_data)->name_alg;
+ *nameAlg = (*app_data)->Public.publicArea.nameAlg;
 return tpm2_load_key(tssContext, *app_data, srk_auth, NULL);
 }
diff --git a/src/engine/e_tpm2-rsa.c b/src/engine/e_tpm2-rsa.c
index a886f96..ca6a162 100644
--- a/src/engine/e_tpm2-rsa.c
+++ b/src/engine/e_tpm2-rsa.c
@@ -109,7 +109,7 @@ static TPM_HANDLE tpm2_load_key_from_rsa(RSA *rsa, TSS_CONTEXT **tssContext,
 *auth = (*app_data)->auth;
 *sessionType = (*app_data)->req_policy_session ? TPM_SE_POLICY : TPM_SE_HMAC;
- *nameAlg = (*app_data)->name_alg;
+ *nameAlg = (*app_data)->Public.publicArea.nameAlg;
 return tpm2_load_key(tssContext, *app_data, srk_auth, NULL);
 }
diff --git a/src/engine/e_tpm2.c b/src/engine/e_tpm2.c
index 22772a0..9f55647 100644
--- a/src/engine/e_tpm2.c
+++ b/src/engine/e_tpm2.c
@@ -134,7 +134,6 @@ static int tpm2_engine_load_nvkey(ENGINE *e, EVP_PKEY **ppkey,
 TPM_HANDLE key, UI_METHOD *ui, void *cb_data, int public_only)
 {
- TPMT_PUBLIC p;
 TSS_CONTEXT *tssContext;
 TPM_RC rc;
 struct app_data *app_data;
@@ -158,11 +157,10 @@ static int tpm2_engine_load_nvkey(ENGINE *e, EVP_PKEY **ppkey,
 if (rc)
 goto err;
 key = tpm2_handle_int(tssContext, key);
- rc = tpm2_readpublic(tssContext, key, &p);
+ rc = tpm2_readpublic(tssContext, key, &app_data->Public.publicArea);
 if (rc)
 goto err_del;
- app_data->name_alg = p.nameAlg;
- pkey = tpm2_to_openssl_public(&p);
+ pkey = tpm2_to_openssl_public(&app_data->Public.publicArea);
 if (!pkey) {
 fprintf(stderr, "Failed to allocate a new EVP_KEY\n");
 goto err_del;
@@ -172,7 +170,7 @@ static int tpm2_engine_load_nvkey(ENGINE *e, EVP_PKEY **ppkey,
 }
 app_data->key = tpm2_handle_ext(tssContext, key);
- if (VAL(p.objectAttributes) & TPMA_OBJECT_NODA) {
+ if (VAL(app_data->Public.publicArea.objectAttributes) & TPMA_OBJECT_NODA) {
 /* no DA implications, try an authorization and see
 * if NULL is accepted */
 TPM_HANDLE session;
diff --git a/src/include/tpm2-common.h b/src/include/tpm2-common.h
index 526591c..48dd694 100644
--- a/src/include/tpm2-common.h
+++ b/src/include/tpm2-common.h
@@ -40,15 +40,14 @@ struct app_data {
 /* otherwise key is specified by blobs */
 void *priv;
 int priv_len;
- void *pub;
- int pub_len;
+ TPM2B_PUBLIC Public;
 char *auth;
 const char *dir;
 int req_policy_session;
- unsigned int name_alg;
 /* pols[0] is key policy pols[1+] is authorized policy */
 struct policies *pols;
 int num_pols;
+ int empty_auth;
 ENGINE *e;
 };
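Review bot: The new `Public` and `empty_auth` members of struct app_data have no comment, although both are now part of the contract between tpm2_load_bf() and its callers. `empty_auth` is what tpm2_load_engine_file() tests before prompting for the key password, so something like `/* set by tpm2_load_bf(): 0 means the key needs an auth value, see "not present means auth is not empty" */` belongs next to it. For `Public` it is worth stating that tpm2_engine_load_nvkey() fills only `Public.publicArea` through tpm2_readpublic(), while tpm2_load_bf() unmarshals the whole TPM2B_PUBLIC, so code that relies on `Public.size` must not assume it is set for NV keys.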
@@ -66,6 +65,7 @@ TPM_RC tpm2_init_session(TSS_CONTEXT *tssContext, TPM_HANDLE handle,
 TPM_RC tpm2_get_bound_handle(TSS_CONTEXT *tssContext, TPM_HANDLE *handle, TPM_HANDLE bind, const char *auth);
 TPMI_ECC_CURVE tpm2_curve_name_to_TPMI(const char *name);
+int tpm2_curve_to_order(TPMI_ECC_CURVE curve);
 int tpm2_curve_name_to_nid(TPMI_ECC_CURVE curve);
 TPMI_ECC_CURVE tpm2_nid_to_curve_name(int nid);
 TPMI_ECC_CURVE tpm2_get_curve_name(const EC_GROUP *g);
@@ -120,4 +120,5 @@ TPM_RC tpm2_outerwrap(EVP_PKEY *parent, TPMT_PUBLIC *pub, PRIVATE_2B *p, ENCRYPTED_SECRET_2B *enc_secret);
+int tpm2_load_bf(BIO *bf, struct app_data *app_data, const char *srk_auth);
 #endif
diff --git a/src/libcommon/Makefile.am b/src/libcommon/Makefile.am
index a142014..ad566ff 100644
--- a/src/libcommon/Makefile.am
+++ b/src/libcommon/Makefile.am
@@ -1,6 +1,6 @@
 noinst_LIBRARIES = libcommon.a
-AM_CPPFLAGS = -I ../include/
+AM_CPPFLAGS = -I ../include/ ${DEPRECATION}
 libcommon_a_SOURCES = tpm2-common.c
 libcommon_a_CFLAGS = -fPIC
diff --git a/src/libcommon/tpm2-common.c b/src/libcommon/tpm2-common.c
index 17159ab..c65b2c6 100644
--- a/src/libcommon/tpm2-common.c
+++ b/src/libcommon/tpm2-common.c
@@ -1640,17 +1640,12 @@ TPM_RC tpm2_sign_digest(EVP_PKEY *pkey, TPMT_HA *digest, TPMT_SIGNATURE *sig)
 return TPM_RC_SUCCESS;
 }
-int tpm2_load_engine_file(const char *filename, struct app_data **app_data,
- EVP_PKEY **ppkey, UI_METHOD *ui, void *cb_data,
- const char *srk_auth, int get_key_auth,
- int public_only)
+int tpm2_load_bf(BIO *bf, struct app_data *app_data, const char *srk_auth)
 {
- BIO *bf;
 TSSLOADABLE *tssl = NULL;
 TSSPRIVKEY *tpk = NULL;
 BYTE *buffer;
 INT32 size;
- struct app_data *ad;
 char oid[128];
 int empty_auth;
 enum tpm2_type tpm2_type = TPM2_NONE;
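Review bot: The prototype added here is `tpm2_curve_to_order`, but the commit message says tpm2_curve_get_order() is being exported, and none of the tpm2-common.c hunks in this diff touches a definition under either name. Presumably the function was already non-static in tpm2-common.c; that is worth confirming, and the name in the commit message should match the header. A one-line comment saying what the `int` result represents, and what is returned for a curve the table does not know, would help callers in the provider.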
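Review bot: tpm2_load_bf() becomes a public entry point in this header with no comment describing ownership or the state left behind on failure. From the implementation in this commit: it does not free `bf`; it fills a caller-allocated `app_data`; it never prompts for auth and only records `empty_auth`; and it can return 0 after `dir` and `priv` have been assigned, leaving cleanup to the caller (tpm2_load_engine_file uses tpm2_delete()). I would add a doc comment above the prototype stating those points, and that `app_data` must be zero-initialised, because an early `return 0` leaves `priv`, `auth` and `pols` untouched and tpm2_delete() then frees whatever they contain.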
@@ -1660,16 +1655,8 @@ int tpm2_load_engine_file(const char *filename, struct app_data **app_data,
 STACK_OF(TSSOPTPOLICY) *policy;
 ASN1_OCTET_STRING *privkey;
 ASN1_OCTET_STRING *secret = NULL;
- TPM2B_PUBLIC objectPublic;
 STACK_OF(TSSAUTHPOLICY) *authPolicy;
- bf = BIO_new_file(filename, "r");
- if (!bf) {
- fprintf(stderr, "File %s does not exist or cannot be read\n",
- filename);
- return 0;
- }
-
 tpk = PEM_read_bio_TSSPRIVKEY(bf, NULL, NULL, NULL);
 if (!tpk) {
 BIO_seek(bf, 0);
@@ -1690,11 +1677,14 @@ int tpm2_load_engine_file(const char *filename, struct app_data **app_data,
 BIO_seek(bf, 0);
 tssl = PEM_read_bio_TSSLOADABLE(bf, NULL, NULL, NULL);
 if (!tssl) {
- BIO_free(bf);
- fprintf(stderr, "Failed to parse file %s\n", filename);
- return 0;
+ BIO_seek(bf, 0);
+ ERR_clear_error();
+ tssl = ASN1_item_d2i_bio(ASN1_ITEM_rptr(TSSLOADABLE), bf, NULL);
 }
+ if (!tssl)
+ return 0;
+
 /* have error from failed TSSPRIVKEY load */
 ERR_clear_error();
 type = tssl->type;
@@ -1706,8 +1696,6 @@ int tpm2_load_engine_file(const char *filename, struct app_data **app_data,
 authPolicy = NULL;
 }
- BIO_free(bf);
-
 if (OBJ_obj2txt(oid, sizeof(oid), type, 1) == 0) {
 fprintf(stderr, "Failed to parse object type\n");
 goto err;
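Review bot: tpm2_load_bf() rewinds the caller's BIO with `BIO_seek(bf, 0)` before each fallback parser (two of those calls are in the `-1690` hunk) and ignores the result. That was harmless while the function always opened a file BIO itself, but with an arbitrary BIO a failed rewind means the next parser starts wherever the previous attempt stopped, so a valid key can be rejected or parsed from a partial stream. Either document that `bf` must be seekable or read the input once into a memory buffer and run the parsers on that. Separately, the `Failed to parse file` message is removed here and nothing replaces it: `if (!tssl) return 0;` and the wrapper's `if (!ret) goto err_free;` now fail without any diagnostic.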
@@ -1741,48 +1729,18 @@ int tpm2_load_engine_file(const char *filename, struct app_data **app_data,
 /* not present means auth is not empty */
 empty_auth = 0;
- ad = OPENSSL_malloc(sizeof(*ad));
-
- if (!ad) {
- fprintf(stderr, "Failed to allocate app_data\n");
- goto err;
- }
- memset(ad, 0, sizeof(*ad));
-
- *app_data = ad;
-
- ad->type = tpm2_type;
- ad->dir = tpm2_set_unique_tssdir();
+ app_data->type = tpm2_type;
+ app_data->dir = tpm2_set_unique_tssdir();
 if (parent)
- ad->parent = ASN1_INTEGER_get(parent);
+ app_data->parent = ASN1_INTEGER_get(parent);
 else /* older keys have absent parent */
- ad->parent = EXT_TPM_RH_OWNER;
-
- ad->pub = OPENSSL_malloc(pubkey->length);
- if (!ad->pub)
- goto err_free;
- ad->pub_len = pubkey->length;
- memcpy(ad->pub, pubkey->data, ad->pub_len);
+ app_data->parent = EXT_TPM_RH_OWNER;
- buffer = ad->pub;
- size = ad->pub_len;
- TPM2B_PUBLIC_Unmarshal(&objectPublic, &buffer, &size, FALSE);
- ad->name_alg = objectPublic.publicArea.nameAlg;
-
- /* create the new objects to return */
- if (ppkey) {
- *ppkey = tpm2_to_openssl_public(&objectPublic.publicArea);
- if (!*ppkey) {
- fprintf(stderr, "Failed to allocate a new EVP_KEY\n");
- goto err_free;
- }
- if (public_only) {
- tpm2_delete(ad);
- goto out;
- }
- }
+ buffer = pubkey->data;
+ size = pubkey->length;
+ TPM2B_PUBLIC_Unmarshal(&app_data->Public, &buffer, &size, FALSE);
 if (secret) {
 TPM_HANDLE session;
@@ -1800,13 +1758,13 @@ int tpm2_load_engine_file(const char *filename, struct app_data **app_data,
 UINT16 written;
 INT32 size;
- rc = tpm2_create(&tssContext, ad->dir);
+ rc = tpm2_create(&tssContext, app_data->dir);
 if (rc) {
 reason="tpm2_create";
 goto import_no_flush_err;
 }
- parentHandle = tpm2_handle_int(tssContext, ad->parent);
+ parentHandle = tpm2_handle_int(tssContext, app_data->parent);
 if (tpm2_handle_mso(tssContext, parentHandle, TPM_HT_PERMANENT)) {
 tpm2_load_srk(tssContext, &parentHandle, srk_auth, NULL, parentHandle, 1);
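Review bot: The result of `TPM2B_PUBLIC_Unmarshal(&app_data->Public, &buffer, &size, FALSE)` in the `-1741` hunk is discarded, and `pubkey->data` comes straight from the parsed key file. With this change the unmarshalled structure outlives the function: a truncated or malformed public blob leaves a partly filled `app_data->Public` that later supplies `nameAlg`, the `objectAttributes` test that decides `req_policy_session`, and the argument to tpm2_Import() and tpm2_Load(). Assuming the unmarshal returns a TPM_RC like the other TSS calls here, `if (TPM2B_PUBLIC_Unmarshal(&app_data->Public, &buffer, &size, FALSE)) goto err;` with a short message would reject such a file up front. The function body starts and ends outside this hunk.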
@@ -1815,7 +1773,7 @@ int tpm2_load_engine_file(const char *filename, struct app_data **app_data,
 rc = tpm2_get_session_handle(tssContext, &session, parentHandle, TPM_SE_HMAC,
- objectPublic.publicArea.nameAlg);
+ app_data->Public.publicArea.nameAlg);
 if (rc) {
 reason="tpm2_get_session_handle";
 goto import_err;
@@ -1837,7 +1795,7 @@ int tpm2_load_engine_file(const char *filename, struct app_data **app_data,
 TPM2B_ENCRYPTED_SECRET_Unmarshal((TPM2B_ENCRYPTED_SECRET *) &inSymSeed, &buffer, &size);
 rc = tpm2_Import(tssContext, parentHandle, &encryptionKey,
- &objectPublic, &duplicate, &inSymSeed,
+ &app_data->Public, &duplicate, &inSymSeed,
 &symmetricAlg, &outPrivate, session, srk_auth);
 if (rc)
 tpm2_flush_handle(tssContext, session);
@@ -1849,45 +1807,99 @@ int tpm2_load_engine_file(const char *filename, struct app_data **app_data,
 TSS_Delete(tssContext);
 if (rc) {
 tpm2_error(rc, reason);
- goto err_free_key;
+ goto err;
 }
 buf = priv_2b.buffer;
 size = sizeof(priv_2b.buffer);
 written = 0;
 TSS_TPM2B_PRIVATE_Marshal((TPM2B_PRIVATE *)&outPrivate, &written, &buf, &size);
- ad->priv = OPENSSL_malloc(written);
- if (!ad->priv)
- goto err_free_key;
- ad->priv_len = written;
- memcpy(ad->priv, priv_2b.buffer, written);
+ app_data->priv = OPENSSL_malloc(written);
+ if (!app_data->priv)
+ goto err;
+ app_data->priv_len = written;
+ memcpy(app_data->priv, priv_2b.buffer, written);
 } else {
- ad->priv = OPENSSL_malloc(privkey->length);
- if (!ad->priv)
- goto err_free_key;
+ app_data->priv = OPENSSL_malloc(privkey->length);
+ if (!app_data->priv)
+ goto err;
- ad->priv_len = privkey->length;
- memcpy(ad->priv, privkey->data, ad->priv_len);
+ app_data->priv_len = privkey->length;
+ memcpy(app_data->priv, privkey->data, app_data->priv_len);
 }
- if (empty_auth == 0 && get_key_auth) {
- ad->auth = tpm2_get_auth(ui, "TPM Key Password: ", cb_data);
- if (!ad->auth)
- goto err_free_key;
- }
+ app_data->empty_auth = empty_auth;
- if (!(VAL(objectPublic.publicArea.objectAttributes) &
+ if (!(VAL(app_data->Public.publicArea.objectAttributes) &
 TPMA_OBJECT_USERWITHAUTH))
- ad->req_policy_session = 1;
+ app_data->req_policy_session = 1;
- if (!tpm2_engine_load_key_policy(ad, policy, authPolicy))
- goto err_free_key;
+ if (!tpm2_engine_load_key_policy(app_data, policy, authPolicy))
+ goto err;
- out:
 TSSLOADABLE_free(tssl);
 TSSPRIVKEY_free(tpk);
 return 1;
+
+ err:
+ TSSLOADABLE_free(tssl);
+ TSSPRIVKEY_free(tpk);
+
+ return 0;
+}
+
+int tpm2_load_engine_file(const char *filename, struct app_data **app_data,
+ EVP_PKEY **ppkey, UI_METHOD *ui, void *cb_data,
+ const char *srk_auth, int get_key_auth,
+ int public_only)
+{
+ BIO *bf;
+ struct app_data *ad;
+ int ret;
+
+ bf = BIO_new_file(filename, "r");
+ if (!bf) {
+ fprintf(stderr, "File %s does not exist or cannot be read\n",
+ filename);
+ return 0;
+ }
+
+ ad = OPENSSL_zalloc(sizeof(*ad));
+
+ if (!ad) {
+ fprintf(stderr, "Failed to allocate app_data\n");
+ BIO_free(bf);
+ return 0;
+ }
+
+ ret = tpm2_load_bf(bf, ad, srk_auth);
+ BIO_free(bf);
+ if (!ret)
+ goto err_free;
+
+ if (ppkey) {
+ *ppkey = tpm2_to_openssl_public(&ad->Public.publicArea);
+ if (!*ppkey) {
+ fprintf(stderr, "Failed to allocate a new EVP_KEY\n");
+ goto err_free;
+ }
+ if (public_only) {
+ tpm2_delete(ad);
+ goto out;
+ }
+ }
+
+ if (ad->empty_auth == 0 && get_key_auth) {
+ ad->auth = tpm2_get_auth(ui, "TPM Key Password: ", cb_data);
+ if (!ad->auth)
+ goto err_free_key;
+ }
+
+ out:
+ *app_data = ad;
+
+ return 1;
 err_free_key:
 if (ppkey)
 EVP_PKEY_free(*ppkey);
@@ -1896,9 +1908,6 @@ int tpm2_load_engine_file(const char *filename, struct app_data **app_data,
 *ppkey = NULL;
 tpm2_delete(ad);
- err:
- TSSLOADABLE_free(tssl);
- TSSPRIVKEY_free(tpk);
 return 0;
 }
@@ -1919,7 +1928,6 @@ void tpm2_delete(struct app_data *app_data)
 OPENSSL_free(app_data->pols);
 }
 OPENSSL_free(app_data->priv);
- OPENSSL_free(app_data->pub);
 if (app_data->auth)
 OPENSSL_clear_free(app_data->auth, strlen(app_data->auth));
@@ -1939,7 +1947,6 @@ TPM_HANDLE tpm2_load_key(TSS_CONTEXT **tsscp, struct app_data *app_data,
 {
 TSS_CONTEXT *tssContext;
 PRIVATE_2B inPrivate;
- TPM2B_PUBLIC inPublic;
 TPM_HANDLE parentHandle;
 TPM_HANDLE key = 0;
 TPM_RC rc;
@@ -1960,10 +1967,6 @@ TPM_HANDLE tpm2_load_key(TSS_CONTEXT **tsscp, struct app_data *app_data,
 size = app_data->priv_len;
 TPM2B_PRIVATE_Unmarshal((TPM2B_PRIVATE *)&inPrivate, &buffer, &size);
- buffer = app_data->pub;
- size = app_data->pub_len;
- TPM2B_PUBLIC_Unmarshal(&inPublic, &buffer, &size, FALSE);
-
 parentHandle = tpm2_handle_int(tssContext, app_data->parent);
 if (tpm2_handle_mso(tssContext, parentHandle, TPM_HT_PERMANENT)) {
 rc = tpm2_load_srk(tssContext, &parentHandle, srk_auth, NULL,
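Review bot: On the `public_only` path of the new tpm2_load_engine_file(), `tpm2_delete(ad)` is followed by `goto out`, and `out:` then stores `ad` in `*app_data` and returns 1, so the caller gets success together with a pointer to an object that has already been torn down. Assuming tpm2_delete() releases the struct itself, as the error path implies, any caller that later reads or deletes `*app_data` hits a use-after-free or double free; the branch should be `tpm2_delete(ad); ad = NULL; goto out;`. The `err_free:` label lies in the unchanged lines between the `-1849` hunk and the next one, so whether `*ppkey = NULL` is guarded by `if (ppkey)` cannot be confirmed from this diff.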
@@ -1972,11 +1975,11 @@ TPM_HANDLE tpm2_load_key(TSS_CONTEXT **tsscp, struct app_data *app_data,
 goto out;
 }
 rc = tpm2_get_session_handle(tssContext, &session, parentHandle,
- TPM_SE_HMAC, app_data->name_alg);
+ TPM_SE_HMAC, app_data->Public.publicArea.nameAlg);
 if (rc)
 goto out_flush_srk;
- rc = tpm2_Load(tssContext, parentHandle, &inPrivate, &inPublic,
+ rc = tpm2_Load(tssContext, parentHandle, &inPrivate, &app_data->Public,
 &key, session, srk_auth);
 if (rc) {
 tpm2_error(rc, "TPM2_Load");
diff --git a/src/tools/Makefile.am b/src/tools/Makefile.am
index 187d3fc..62fb329 100644
--- a/src/tools/Makefile.am
+++ b/src/tools/Makefile.am
@@ -7,7 +7,7 @@ man1_MANS = create_tpm2_key.1 load_tpm2_key.1 seal_tpm2_data.1 \
 CLEANFILES = $(man1_MANS)
 endif
-AM_CPPFLAGS = -I ../include
+AM_CPPFLAGS = -I ../include ${DEPRECATION}
 bin_PROGRAMS=create_tpm2_key load_tpm2_key seal_tpm2_data unseal_tpm2_data \
 signed_tpm2_policy
diff --git a/src/tools/unseal_tpm2_data.c b/src/tools/unseal_tpm2_data.c
index 43b846d..afd7698 100644
--- a/src/tools/unseal_tpm2_data.c
+++ b/src/tools/unseal_tpm2_data.c
@@ -142,7 +142,7 @@ int main(int argc, char **argv)
 goto out_free_app_data;
 }
- name_alg = app_data->name_alg;
+ name_alg = app_data->Public.publicArea.nameAlg;
 itemHandle = rc; |