FAPI: Use a second session for parameter encryption.
For policy sessions the auth value is needed to generate the
key for parameter encryption if the encryption is activated.
To avoid the usage of the auth value for policy sessions
a second session will be used to activate parameter encryption.

Signed-off-by: Juergen Repp <juergen_repp@web.de>
JuergenReppSIT committed Aug 15, 2023
1 parent 86949f7 commit e2c2b8e
Showing 18 changed files with 103 additions and 49 deletions.
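--- a/src/tss2-fapi/api/Fapi_ChangeAuth.c
+++ b/src/tss2-fapi/api/Fapi_ChangeAuth.c
@@ -352,7 +352,8 @@ Fapi_ChangeAuth_Finish(
 command->handle,
 context->loadKey.parent_handle,
 auth_session,
-ESYS_TR_NONE, ESYS_TR_NONE,
+ENC_SESSION_IF_POLICY(auth_session),
+ESYS_TR_NONE,
 &command->newAuthValue);
 goto_if_error(r, "Error: Sign", error_cleanup);
 
@@ -481,7 +482,7 @@ Fapi_ChangeAuth_Finish(
 r = Esys_NV_ChangeAuth_Async(context->esys,
 command->object.public.handle,
 auth_session,
-ESYS_TR_NONE,
+ENC_SESSION_IF_POLICY(auth_session),
 ESYS_TR_NONE,
 &command->newAuthValue);
 goto_if_error(r, "Error: NV_ChangeAuth", error_cleanup);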
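Review bot: Nothing at the two call sites says what protects `&command->newAuthValue` on its way to the TPM. After this change the value is only parameter-encrypted through whichever session carries the decrypt attribute, and `ENC_SESSION_IF_POLICY` yields `ESYS_TR_NONE` when `auth_session` is `ESYS_TR_PASSWORD`; where `context->session2` is started, and whether it is salted and has the decrypt/encrypt attributes set, is not in the sections shown. I would add a short comment at both calls, e.g. `/* newAuthValue must be parameter-encrypted: ENC_SESSION_IF_POLICY adds context->session2 unless auth_session is password/none/session2. */`, and confirm that the password path cannot reach these calls. The same question applies to the secret-bearing calls in Fapi_CreateNv.c, Fapi_Import.c and Fapi_Unseal.c. The first call and the enclosing function start outside the hunks.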
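--- a/src/tss2-fapi/api/Fapi_CreateNv.c
+++ b/src/tss2-fapi/api/Fapi_CreateNv.c
@@ -421,7 +421,7 @@ Fapi_CreateNv_Finish(
 r = Esys_NV_DefineSpace_Async(context->esys,
 hierarchy->public.handle,
 auth_session,
-ESYS_TR_NONE,
+ENC_SESSION_IF_POLICY(auth_session),
 ESYS_TR_NONE,
 auth,
 publicInfo);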
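--- a/src/tss2-fapi/api/Fapi_Decrypt.c
+++ b/src/tss2-fapi/api/Fapi_Decrypt.c
@@ -315,7 +315,9 @@ Fapi_Decrypt_Finish(
 /* Decrypt the actual data. */
 r = Esys_RSA_Decrypt_Async(context->esys,
 context->cmd.Data_EncryptDecrypt.key_handle,
-command->auth_session, ESYS_TR_NONE, ESYS_TR_NONE,
+command->auth_session,
+ENC_SESSION_IF_POLICY(command->auth_session),
+ESYS_TR_NONE,
 aux_data,
 &command->profile->rsa_decrypt_scheme,
 &null_data);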
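--- a/src/tss2-fapi/api/Fapi_Delete.c
+++ b/src/tss2-fapi/api/Fapi_Delete.c
@@ -614,7 +614,7 @@ Fapi_Delete_Finish(
 command->auth_index,
 object->public.handle,
 auth_session,
-ESYS_TR_NONE,
+ENC_SESSION_IF_POLICY(auth_session),
 ESYS_TR_NONE);
 goto_if_error_reset_state(r, " Fapi_NV_UndefineSpace_Async", error_cleanup);
 
@@ -658,8 +658,9 @@ Fapi_Delete_Finish(
 r = Esys_EvictControl_Async(context->esys, ESYS_TR_RH_OWNER,
 object->public.handle,
 auth_session,
-ESYS_TR_NONE, ESYS_TR_NONE,
-object->misc.key.persistent_handle);
+ESYS_TR_NONE,
+ESYS_TR_NONE,
+object->misc.key.persistent_handle);
 goto_if_error(r, "Evict Control", error_cleanup);
 context->state = ENTITY_DELETE_NULL_AUTH_SENT_FOR_KEY;
 }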
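Review bot: The two calls in this file are treated differently and nothing explains why: the first hunk (NV_UndefineSpace, judging by the error string) now passes `ENC_SESSION_IF_POLICY(auth_session)`, while the `Esys_EvictControl_Async` hunk only re-wraps the two `ESYS_TR_NONE` arguments. As far as I know neither TPM command has a sized-buffer first parameter that could be encrypted, and the same seems to hold for the NV_Increment call in Fapi_NvIncrement.c and probably for DictionaryAttackParameters in Fapi_Provision.c. If the extra session is deliberate there, a one-line comment such as `/* session2 passed for uniformity; this command has no encryptable parameter */` would help; otherwise keeping `ESYS_TR_NONE` avoids an unneeded session on the command. The first call starts outside its hunk.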
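--- a/src/tss2-fapi/api/Fapi_ExportKey.c
+++ b/src/tss2-fapi/api/Fapi_ExportKey.c
@@ -391,7 +391,8 @@ Fapi_ExportKey_Finish(
 command->key_object->public.handle,
 command->handle_ext_key,
 auth_session,
-ESYS_TR_NONE, ESYS_TR_NONE,
+ENC_SESSION_IF_POLICY(auth_session),
+ESYS_TR_NONE,
 &encryptionKey, &symmetric);
 goto_if_error(r, "Duplicate", cleanup);
 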
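--- a/src/tss2-fapi/api/Fapi_Import.c
+++ b/src/tss2-fapi/api/Fapi_Import.c
@@ -427,7 +427,8 @@ Fapi_Import_Finish(
 
 r = Esys_Load_Async(context->esys, context->loadKey.handle,
 auth_session,
-ESYS_TR_NONE, ESYS_TR_NONE,
+ENC_SESSION_IF_POLICY(auth_session),
+ESYS_TR_NONE,
 &private, &object->misc.key.public);
 goto_if_error(r, "Load async", error_cleanup);
 fallthrough;
@@ -534,7 +535,8 @@ Fapi_Import_Finish(
 r = Esys_Import_Async(context->esys,
 command->parent_object->public.handle,
 session,
-ESYS_TR_NONE, ESYS_TR_NONE,
+ENC_SESSION_IF_POLICY(session),
+ESYS_TR_NONE,
 NULL, &keyTree->public,
 &keyTree->duplicate,
 &keyTree->encrypted_seed,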
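--- a/src/tss2-fapi/api/Fapi_NvExtend.c
+++ b/src/tss2-fapi/api/Fapi_NvExtend.c
@@ -349,7 +349,7 @@ Fapi_NvExtend_Finish(
 command->auth_index,
 nvIndex,
 auth_session,
-ESYS_TR_NONE,
+ENC_SESSION_IF_POLICY(auth_session),
 ESYS_TR_NONE,
 auxData);
 goto_if_error_reset_state(r, " Fapi_NvExtend_Async", error_cleanup);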
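--- a/src/tss2-fapi/api/Fapi_NvIncrement.c
+++ b/src/tss2-fapi/api/Fapi_NvIncrement.c
@@ -297,7 +297,8 @@ Fapi_NvIncrement_Finish(
 r = Esys_NV_Increment_Async(context->esys, command->auth_index,
 nvIndex,
 auth_session,
-ESYS_TR_NONE, ESYS_TR_NONE);
+ENC_SESSION_IF_POLICY(auth_session),
+ESYS_TR_NONE);
 goto_if_error_reset_state(r, " Fapi_NvIncrement_Async", error_cleanup);
 
 fallthrough;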
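--- a/src/tss2-fapi/api/Fapi_Provision.c
+++ b/src/tss2-fapi/api/Fapi_Provision.c
@@ -1022,7 +1022,9 @@ Fapi_Provision_Finish(FAPI_CONTEXT *context)
 
 /* Prepare the setting of the dictionary attack parameters. */
 r = Esys_DictionaryAttackParameters_Async(context->esys, ESYS_TR_RH_LOCKOUT,
-auth_session, ESYS_TR_NONE, ESYS_TR_NONE,
+auth_session,
+ENC_SESSION_IF_POLICY(auth_session),
+ESYS_TR_NONE,
 defaultProfile->newMaxTries, defaultProfile->newRecoveryTime,
 defaultProfile->lockoutRecovery);
 goto_if_error(r, "Error Esys_DictionaryAttackParameters",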
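--- a/src/tss2-fapi/api/Fapi_Quote.c
+++ b/src/tss2-fapi/api/Fapi_Quote.c
@@ -371,7 +371,9 @@ Fapi_Quote_Finish(
 
 /* Perform the Quote operation. */
 r = Esys_Quote_Async(context->esys, command->handle,
-auth_session, ESYS_TR_NONE, ESYS_TR_NONE,
+auth_session,
+ENC_SESSION_IF_POLICY(auth_session),
+ESYS_TR_NONE,
 &command->qualifyingData,
 &command->key_object->misc.key.signing_scheme,
 &command->pcr_selection);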
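--- a/src/tss2-fapi/api/Fapi_Unseal.c
+++ b/src/tss2-fapi/api/Fapi_Unseal.c
@@ -244,7 +244,8 @@ Fapi_Unseal_Finish(
 /* Perform the unseal operation with the TPM. */
 r = Esys_Unseal_Async(context->esys, command->object->public.handle,
 auth_session,
-ESYS_TR_NONE, ESYS_TR_NONE);
+ENC_SESSION_IF_POLICY(auth_session),
+ESYS_TR_NONE);
 goto_if_error(r, "Error esys Unseal ", error_cleanup);
 
 fallthrough;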
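--- a/src/tss2-fapi/fapi_int.h
+++ b/src/tss2-fapi/fapi_int.h
@@ -127,6 +127,10 @@ typedef struct {
 goto label; \
 }
 
+#define ENC_SESSION_IF_POLICY(auth_session) \
+(auth_session == ESYS_TR_PASSWORD || auth_session == ESYS_TR_NONE || \
+auth_session == context->session2) ? ESYS_TR_NONE : context->session2
+
 /** The states for the FAPI's object authorization state*/
 enum IFAPI_GET_CERT_STATE {
 GET_CERT_INIT = 0,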
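Review bot: `ENC_SESSION_IF_POLICY` is fragile as written: the expansion has no outer parentheses, the argument is used unparenthesized three times, and the macro silently needs a variable named `context` in scope at every call site. Its name also promises more than the test delivers, since any session other than `ESYS_TR_PASSWORD`, `ESYS_TR_NONE` or `context->session2` gets `context->session2`, policy or not; if such a session already carries the decrypt/encrypt attributes the command would end up with two encrypting sessions, which is worth confirming against the session setup not shown here. I would wrap the whole expansion and each `(auth_session)` in parentheses and add a doc comment stating the `context` requirement and the three cases that yield `ESYS_TR_NONE`. A `static inline` helper taking the context and the session as arguments would make both dependencies explicit.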