engine: determine the required session type from USERWITHAUTH flag

Determine the type of session required to use a key from USERWITHAUTH flag.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>

4 files changed, 29 insertions, 10 deletions

diff --git a/e_tpm2-ecc.c b/e_tpm2-ecc.c
index d6a87b6..7e8b753 100644
--- a/e_tpm2-ecc.c
+++ b/e_tpm2-ecc.c
@@ -63,7 +63,9 @@ static EC_KEY_METHOD *tpm2_eck;
 /* varibles used to get/set CRYPTO_EX_DATA values */
 static int ec_app_data = TPM2_ENGINE_EX_DATA_UNINIT;
 
-static TPM_HANDLE tpm2_load_key_from_ecc(const EC_KEY *eck, TSS_CONTEXT **tssContext, char **auth)
+static TPM_HANDLE tpm2_load_key_from_ecc(const EC_KEY *eck,
+					 TSS_CONTEXT **tssContext, char **auth,
+					 TPM_SE *sessionType)
 {
 #if OPENSSL_VERSION_NUMBER < 0x10100000
 	/*  const mess up in openssl 1.0.2 */
@@ -77,6 +79,8 @@ static TPM_HANDLE tpm2_load_key_from_ecc(const EC_KEY *eck, TSS_CONTEXT **tssCon
 		return 0;
 
 	*auth = app_data->auth;
+	*sessionType = app_data->req_policy_session ?
+		       TPM_SE_POLICY : TPM_SE_HMAC;
 
 	return tpm2_load_key(tssContext, app_data);
 }
@@ -124,6 +128,7 @@ static ECDSA_SIG *tpm2_ecdsa_sign(const unsigned char *dgst, int dgst_len,
 	TSS_CONTEXT *tssContext;
 	char *auth;
 	TPM_HANDLE authHandle;
+	TPM_SE sessionType;
 	ECDSA_SIG *sig;
 	BIGNUM *r, *s;
 
@@ -149,7 +154,8 @@ static ECDSA_SIG *tpm2_ecdsa_sign(const unsigned char *dgst, int dgst_len,
 		return NULL;
 	}
 
-	in.keyHandle = tpm2_load_key_from_ecc(eck, &tssContext, &auth);
+	in.keyHandle = tpm2_load_key_from_ecc(eck, &tssContext, &auth,
+					      &sessionType);
 	if (in.keyHandle == 0) {
 		fprintf(stderr, "Failed to get Key Handle in TPM EC key routines\n");
 		return NULL;
@@ -163,7 +169,7 @@ static ECDSA_SIG *tpm2_ecdsa_sign(const unsigned char *dgst, int dgst_len,
 	in.validation.digest.t.size = 0;
 
 	sig = NULL;
-	rc = tpm2_get_session_handle(tssContext, &authHandle, 0, TPM_SE_HMAC);
+	rc = tpm2_get_session_handle(tssContext, &authHandle, 0, sessionType);
 	if (rc)
 		goto out;
 
@@ -210,6 +216,7 @@ static int tpm2_ecc_compute_key(unsigned char **psec, size_t *pseclen,
 	ECDH_ZGen_Out out;
 	TSS_CONTEXT *tssContext;
 	TPM_HANDLE authHandle;
+	TPM_SE sessionType;
 	char *auth;
 	size_t len;
 	const EC_GROUP *group;
@@ -229,7 +236,8 @@ static int tpm2_ecc_compute_key(unsigned char **psec, size_t *pseclen,
 	len--;
 	len >>= 1;
 
-	in.keyHandle = tpm2_load_key_from_ecc(eck, &tssContext, &auth);
+	in.keyHandle = tpm2_load_key_from_ecc(eck, &tssContext, &auth,
+					      &sessionType);
 	if (in.keyHandle == 0) {
 		fprintf(stderr, "Failed to get Key Handle in TPM EC key routines\n");
 		return 0;
@@ -240,7 +248,7 @@ static int tpm2_ecc_compute_key(unsigned char **psec, size_t *pseclen,
 	in.inPoint.point.y.t.size = len;
 
 	ret = 0;
-	rc = tpm2_get_session_handle(tssContext, &authHandle, 0, TPM_SE_HMAC);
+	rc = tpm2_get_session_handle(tssContext, &authHandle, 0, sessionType);
 	if (rc)
 		goto out;
 
diff --git a/e_tpm2-rsa.c b/e_tpm2-rsa.c
index c89dd5d..210e046 100644
--- a/e_tpm2-rsa.c
+++ b/e_tpm2-rsa.c
@@ -101,7 +101,8 @@ static int tpm2_rsa_pub_enc(int flen,
 
 #endif
 
-static TPM_HANDLE tpm2_load_key_from_rsa(RSA *rsa, TSS_CONTEXT **tssContext, char **auth)
+static TPM_HANDLE tpm2_load_key_from_rsa(RSA *rsa, TSS_CONTEXT **tssContext,
+					 char **auth, TPM_SE *sessionType)
 {
 	struct app_data *app_data = RSA_get_ex_data(rsa, ex_app_data);
 
@@ -109,6 +110,8 @@ static TPM_HANDLE tpm2_load_key_from_rsa(RSA *rsa, TSS_CONTEXT **tssContext, cha
 		return 0;
 
 	*auth = app_data->auth;
+	*sessionType = app_data->req_policy_session ?
+		       TPM_SE_POLICY : TPM_SE_HMAC;
 	return tpm2_load_key(tssContext, app_data);
 }
 
@@ -154,8 +157,10 @@ static int tpm2_rsa_priv_dec(int flen,
 	TSS_CONTEXT *tssContext;
 	char *auth;
 	TPM_HANDLE authHandle;
+	TPM_SE sessionType;
 
-	in.keyHandle = tpm2_load_key_from_rsa(rsa, &tssContext, &auth);
+	in.keyHandle = tpm2_load_key_from_rsa(rsa, &tssContext, &auth,
+					      &sessionType);
 
 	if (in.keyHandle == 0) {
 		fprintf(stderr, "Failed to get Key Handle in TPM RSA key routines\n");
@@ -174,7 +179,7 @@ static int tpm2_rsa_priv_dec(int flen,
 	memcpy(in.cipherText.t.buffer, from, flen);
 	in.label.t.size = 0;
 
-	rc = tpm2_get_session_handle(tssContext, &authHandle, 0, TPM_SE_HMAC);
+	rc = tpm2_get_session_handle(tssContext, &authHandle, 0, sessionType);
 	if (rc)
 		goto out;
 
@@ -214,13 +219,15 @@ static int tpm2_rsa_priv_enc(int flen,
 	TSS_CONTEXT *tssContext;
 	char *auth;
 	TPM_HANDLE authHandle;
+	TPM_SE sessionType;
 
 	if (padding != RSA_PKCS1_PADDING) {
 		fprintf(stderr, "Non PKCS1 padding asked for\n");
 		return -1;
 	}
 
-	in.keyHandle = tpm2_load_key_from_rsa(rsa, &tssContext, &auth);
+	in.keyHandle = tpm2_load_key_from_rsa(rsa, &tssContext, &auth,
+					      &sessionType);
 
 	if (in.keyHandle == 0) {
 		fprintf(stderr, "Failed to get Key Handle in TPM RSA routines\n");
@@ -229,7 +236,7 @@ static int tpm2_rsa_priv_enc(int flen,
 	}
 
 	rv = -1;
-	rc = tpm2_get_session_handle(tssContext, &authHandle, 0, TPM_SE_HMAC);
+	rc = tpm2_get_session_handle(tssContext, &authHandle, 0, sessionType);
 	if (rc)
 		goto out;
 
diff --git a/e_tpm2.c b/e_tpm2.c
index 57dc290..aa43a50 100644
--- a/e_tpm2.c
+++ b/e_tpm2.c
@@ -390,6 +390,9 @@ static int tpm2_engine_load_key_core(ENGINE *e, EVP_PKEY **ppkey,
 			goto err_free_key;
 	}
 
+	if (!(p.publicArea.objectAttributes.val & TPMA_OBJECT_USERWITHAUTH))
+		app_data->req_policy_session = 1;
+
 	TSSLOADABLE_free(tssl);
 
 	tpm2_bind_key_to_engine(pkey, app_data);
diff --git a/e_tpm2.h b/e_tpm2.h
index 6d5b8c3..4aa9fab 100644
--- a/e_tpm2.h
+++ b/e_tpm2.h
@@ -18,6 +18,7 @@ struct app_data {
 	int pub_len;
 	char *auth;
 	const char *dir;
+	int req_policy_session;
 };
 
 TPM_HANDLE tpm2_load_key(TSS_CONTEXT **tsscp, struct app_data *app_data);