diff options
author | Roberto Sassu <roberto.sassu@huawei.com> | 2018-06-26 16:56:33 +0200 |
---|---|---|
committer | James Bottomley <James.Bottomley@HansenPartnership.com> | 2018-06-28 11:33:46 -0700 |
commit | d8338385ef65ed3a60cc18e64fb104ad7361624f (patch) | |
tree | 46b39da5df239fed5bff0e7d8201b594caebacbd | |
parent | fa8fcc229ca74b66a44e81c36c9356aaeae3e2fa (diff) | |
download | openssl_tpm2_engine-d8338385ef65ed3a60cc18e64fb104ad7361624f.tar.gz |
engine: determine the required session type from USERWITHAUTH flag
Determine the type of session required to use a key from USERWITHAUTH flag.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rw-r--r-- | e_tpm2-ecc.c | 18 | ||||
-rw-r--r-- | e_tpm2-rsa.c | 17 | ||||
-rw-r--r-- | e_tpm2.c | 3 | ||||
-rw-r--r-- | e_tpm2.h | 1 |
4 files changed, 29 insertions, 10 deletions
diff --git a/e_tpm2-ecc.c b/e_tpm2-ecc.c index d6a87b6..7e8b753 100644 --- a/e_tpm2-ecc.c +++ b/e_tpm2-ecc.c @@ -63,7 +63,9 @@ static EC_KEY_METHOD *tpm2_eck; /* varibles used to get/set CRYPTO_EX_DATA values */ static int ec_app_data = TPM2_ENGINE_EX_DATA_UNINIT; -static TPM_HANDLE tpm2_load_key_from_ecc(const EC_KEY *eck, TSS_CONTEXT **tssContext, char **auth) +static TPM_HANDLE tpm2_load_key_from_ecc(const EC_KEY *eck, + TSS_CONTEXT **tssContext, char **auth, + TPM_SE *sessionType) { #if OPENSSL_VERSION_NUMBER < 0x10100000 /* const mess up in openssl 1.0.2 */ @@ -77,6 +79,8 @@ static TPM_HANDLE tpm2_load_key_from_ecc(const EC_KEY *eck, TSS_CONTEXT **tssCon return 0; *auth = app_data->auth; + *sessionType = app_data->req_policy_session ? + TPM_SE_POLICY : TPM_SE_HMAC; return tpm2_load_key(tssContext, app_data); } @@ -124,6 +128,7 @@ static ECDSA_SIG *tpm2_ecdsa_sign(const unsigned char *dgst, int dgst_len, TSS_CONTEXT *tssContext; char *auth; TPM_HANDLE authHandle; + TPM_SE sessionType; ECDSA_SIG *sig; BIGNUM *r, *s; @@ -149,7 +154,8 @@ static ECDSA_SIG *tpm2_ecdsa_sign(const unsigned char *dgst, int dgst_len, return NULL; } - in.keyHandle = tpm2_load_key_from_ecc(eck, &tssContext, &auth); + in.keyHandle = tpm2_load_key_from_ecc(eck, &tssContext, &auth, + &sessionType); if (in.keyHandle == 0) { fprintf(stderr, "Failed to get Key Handle in TPM EC key routines\n"); return NULL; @@ -163,7 +169,7 @@ static ECDSA_SIG *tpm2_ecdsa_sign(const unsigned char *dgst, int dgst_len, in.validation.digest.t.size = 0; sig = NULL; - rc = tpm2_get_session_handle(tssContext, &authHandle, 0, TPM_SE_HMAC); + rc = tpm2_get_session_handle(tssContext, &authHandle, 0, sessionType); if (rc) goto out; @@ -210,6 +216,7 @@ static int tpm2_ecc_compute_key(unsigned char **psec, size_t *pseclen, ECDH_ZGen_Out out; TSS_CONTEXT *tssContext; TPM_HANDLE authHandle; + TPM_SE sessionType; char *auth; size_t len; const EC_GROUP *group; @@ -229,7 +236,8 @@ static int tpm2_ecc_compute_key(unsigned char **psec, size_t *pseclen, len--; len >>= 1; - in.keyHandle = tpm2_load_key_from_ecc(eck, &tssContext, &auth); + in.keyHandle = tpm2_load_key_from_ecc(eck, &tssContext, &auth, + &sessionType); if (in.keyHandle == 0) { fprintf(stderr, "Failed to get Key Handle in TPM EC key routines\n"); return 0; @@ -240,7 +248,7 @@ static int tpm2_ecc_compute_key(unsigned char **psec, size_t *pseclen, in.inPoint.point.y.t.size = len; ret = 0; - rc = tpm2_get_session_handle(tssContext, &authHandle, 0, TPM_SE_HMAC); + rc = tpm2_get_session_handle(tssContext, &authHandle, 0, sessionType); if (rc) goto out; diff --git a/e_tpm2-rsa.c b/e_tpm2-rsa.c index c89dd5d..210e046 100644 --- a/e_tpm2-rsa.c +++ b/e_tpm2-rsa.c @@ -101,7 +101,8 @@ static int tpm2_rsa_pub_enc(int flen, #endif -static TPM_HANDLE tpm2_load_key_from_rsa(RSA *rsa, TSS_CONTEXT **tssContext, char **auth) +static TPM_HANDLE tpm2_load_key_from_rsa(RSA *rsa, TSS_CONTEXT **tssContext, + char **auth, TPM_SE *sessionType) { struct app_data *app_data = RSA_get_ex_data(rsa, ex_app_data); @@ -109,6 +110,8 @@ static TPM_HANDLE tpm2_load_key_from_rsa(RSA *rsa, TSS_CONTEXT **tssContext, cha return 0; *auth = app_data->auth; + *sessionType = app_data->req_policy_session ? + TPM_SE_POLICY : TPM_SE_HMAC; return tpm2_load_key(tssContext, app_data); } @@ -154,8 +157,10 @@ static int tpm2_rsa_priv_dec(int flen, TSS_CONTEXT *tssContext; char *auth; TPM_HANDLE authHandle; + TPM_SE sessionType; - in.keyHandle = tpm2_load_key_from_rsa(rsa, &tssContext, &auth); + in.keyHandle = tpm2_load_key_from_rsa(rsa, &tssContext, &auth, + &sessionType); if (in.keyHandle == 0) { fprintf(stderr, "Failed to get Key Handle in TPM RSA key routines\n"); @@ -174,7 +179,7 @@ static int tpm2_rsa_priv_dec(int flen, memcpy(in.cipherText.t.buffer, from, flen); in.label.t.size = 0; - rc = tpm2_get_session_handle(tssContext, &authHandle, 0, TPM_SE_HMAC); + rc = tpm2_get_session_handle(tssContext, &authHandle, 0, sessionType); if (rc) goto out; @@ -214,13 +219,15 @@ static int tpm2_rsa_priv_enc(int flen, TSS_CONTEXT *tssContext; char *auth; TPM_HANDLE authHandle; + TPM_SE sessionType; if (padding != RSA_PKCS1_PADDING) { fprintf(stderr, "Non PKCS1 padding asked for\n"); return -1; } - in.keyHandle = tpm2_load_key_from_rsa(rsa, &tssContext, &auth); + in.keyHandle = tpm2_load_key_from_rsa(rsa, &tssContext, &auth, + &sessionType); if (in.keyHandle == 0) { fprintf(stderr, "Failed to get Key Handle in TPM RSA routines\n"); @@ -229,7 +236,7 @@ static int tpm2_rsa_priv_enc(int flen, } rv = -1; - rc = tpm2_get_session_handle(tssContext, &authHandle, 0, TPM_SE_HMAC); + rc = tpm2_get_session_handle(tssContext, &authHandle, 0, sessionType); if (rc) goto out; @@ -390,6 +390,9 @@ static int tpm2_engine_load_key_core(ENGINE *e, EVP_PKEY **ppkey, goto err_free_key; } + if (!(p.publicArea.objectAttributes.val & TPMA_OBJECT_USERWITHAUTH)) + app_data->req_policy_session = 1; + TSSLOADABLE_free(tssl); tpm2_bind_key_to_engine(pkey, app_data); @@ -18,6 +18,7 @@ struct app_data { int pub_len; char *auth; const char *dir; + int req_policy_session; }; TPM_HANDLE tpm2_load_key(TSS_CONTEXT **tsscp, struct app_data *app_data); |