From 5e3b3cd503574716df271d93d1476f141d347b79 Mon Sep 17 00:00:00 2001 From: Tadeusz Struk Date: Tue, 3 Mar 2020 09:53:57 -0800 Subject: esys: iutil - zero out resource list in the context after delete all objs Zero out resource list in the context after delete all objects to prevent double free when iesys_DeleteAllResourceObjects() is called again. Signed-off-by: Tadeusz Struk --- src/tss2-esys/esys_iutil.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/tss2-esys/esys_iutil.c b/src/tss2-esys/esys_iutil.c index 9234a3fc..8046a307 100644 --- a/src/tss2-esys/esys_iutil.c +++ b/src/tss2-esys/esys_iutil.c @@ -151,6 +151,7 @@ iesys_DeleteAllResourceObjects(ESYS_CONTEXT * esys_context) next_node_rsrc = node_rsrc->next; SAFE_FREE(node_rsrc); } + esys_context->rsrc_list = NULL; } /** Compute the TPM nonce of the session used for parameter encryption. * -- cgit v1.2.3 From 34a8a62dd146aa25294c163986a3e3c9e88b8eba Mon Sep 17 00:00:00 2001 From: Tadeusz Struk Date: Mon, 2 Mar 2020 14:45:52 -0800 Subject: esys: fix hmac calculation for tpm2_clear command After tpm2_clear command is executed it sets all ownerAuth, endorsementAuth, and lockoutAuth to the Empty Buffer and then this is used for a response auth calculation. This requires to recalculate the esys session auth value after tpm2_clear is executed or the calculated response HMAC value will be invalid and the command will fail with err: 0x0007001b "Authorizing the TPM response failed" Fixes: #1641 Signed-off-by: Tadeusz Struk --- src/tss2-esys/api/Esys_Clear.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/tss2-esys/api/Esys_Clear.c b/src/tss2-esys/api/Esys_Clear.c index f5c0b827..0f43f7e9 100644 --- a/src/tss2-esys/api/Esys_Clear.c +++ b/src/tss2-esys/api/Esys_Clear.c @@ -199,6 +199,11 @@ Esys_Clear_Async( return_state_if_error(r, _ESYS_STATE_INTERNALERROR, "Finish (Execute Async)"); + /* If the command authorization is LOCKOUT we need to + * recompute session value with an empty auth */ + if (authHandle == ESYS_TR_RH_LOCKOUT) + iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); + esysContext->state = _ESYS_STATE_SENT; return r; -- cgit v1.2.3 From 23a264b041e836a0e485f7c10e1da2e2bce6bd6c Mon Sep 17 00:00:00 2001 From: Tadeusz Struk Date: Tue, 3 Mar 2020 09:36:27 -0800 Subject: test: esys: add test for a tpm2_clear command Signed-off-by: Tadeusz Struk --- Makefile-test.am | 8 ++ test/integration/esys-tpm-clear-auth.int.c | 135 +++++++++++++++++++++++++++++ 2 files changed, 143 insertions(+) create mode 100644 test/integration/esys-tpm-clear-auth.int.c diff --git a/Makefile-test.am b/Makefile-test.am index 5ccdd4a1..e619d98a 100644 --- a/Makefile-test.am +++ b/Makefile-test.am @@ -145,6 +145,7 @@ if ESAPI ESYS_TESTS_INTEGRATION_DESTRUCTIVE = \ test/integration/esys-change-eps.int \ test/integration/esys-clear.int \ + test/integration/esys-tpm-clear-auth.int \ test/integration/esys-clear-session.int \ test/integration/esys-field-upgrade.int \ test/integration/esys-firmware-read.int \ @@ -1306,6 +1307,13 @@ test_integration_esys_auto_session_flags_int_SOURCES = \ test/integration/esys-auto-session-flags.int.c \ test/integration/main-esapi.c test/integration/test-esapi.h +test_integration_esys_tpm_clear_auth_int_CFLAGS = $(TESTS_CFLAGS) +test_integration_esys_tpm_clear_auth_int_LDADD = $(TESTS_LDADD) +test_integration_esys_tpm_clear_auth_int_LDFLAGS = $(TESTS_LDFLAGS) +test_integration_esys_tpm_clear_auth_int_SOURCES = \ + test/integration/esys-tpm-clear-auth.int.c \ + test/integration/main-esapi.c test/integration/test-esapi.h + endif #ESAPI test_integration_sapi_policy_template_int_CFLAGS = $(TESTS_CFLAGS) diff --git a/test/integration/esys-tpm-clear-auth.int.c b/test/integration/esys-tpm-clear-auth.int.c new file mode 100644 index 00000000..a9ee336b --- /dev/null +++ b/test/integration/esys-tpm-clear-auth.int.c @@ -0,0 +1,135 @@ +/* SPDX-License-Identifier: BSD-2-Clause */ +/******************************************************************************* + * Copyright (c) 2020, Intel Corporation + * All rights reserved. + *******************************************************************************/ + +#ifdef HAVE_CONFIG_H +#include +#endif + +#include + +#include "tss2_esys.h" + +#include "esys_iutil.h" +#include "test-esapi.h" +#define LOGDEFAULT LOGLEVEL_INFO +#define LOGMODULE test +#include "util/log.h" +#include "util/aux_util.h" + +/** Test auth verification in clear command + * + * After TPM2_Clear command is executed all auth values for + * owner, platofrm and lockout are set to empty buffers and + * the empty auth values should be used fot HMAC verification + * in the response. + * + * @param[in,out] esys_context The ESYS_CONTEXT. + * @retval EXIT_SUCCESS + * @retval EXIT_SKIP + * @retval EXIT_FAILURE + */ +int +test_esys_clear_auth(ESYS_CONTEXT * esys_context) +{ + TSS2_RC r; + ESYS_TR session = ESYS_TR_NONE; + int failure_return = EXIT_FAILURE; + + TPMT_SYM_DEF symmetric = {.algorithm = TPM2_ALG_XOR, + .keyBits = { .exclusiveOr = TPM2_ALG_SHA1 }, + .mode = {.aes = TPM2_ALG_CFB}}; + + /* Test lockout authorization */ + LOG_DEBUG("Test LOCKOUT authorization"); + LOG_DEBUG("Start Auth Session"); + r = Esys_StartAuthSession(esys_context, ESYS_TR_NONE, ESYS_TR_NONE, + ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, + NULL, + TPM2_SE_HMAC, &symmetric, TPM2_ALG_SHA1, + &session); + goto_if_error(r, "Error: During initialization of session", error); + + TPM2B_AUTH auth = { + .size = 16, + .buffer = "deadbeefdeadbeef", + }; + + LOG_DEBUG("Set Auth"); + r = Esys_HierarchyChangeAuth(esys_context, ESYS_TR_RH_LOCKOUT, + ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE, + &auth); + + goto_if_error(r, "Error: During Esys_ObjectChangeAuth", error); + Esys_TR_SetAuth(esys_context, ESYS_TR_RH_LOCKOUT, &auth); + + LOG_DEBUG("Clear"); + r = Esys_Clear(esys_context, ESYS_TR_RH_LOCKOUT, session, + ESYS_TR_NONE, ESYS_TR_NONE); + goto_if_error(r, "Error: During Esys_Clear", error); + + r = Esys_FlushContext(esys_context, session); + goto_if_error(r, "Error: During Esys_FlushContext", error); + + /* Test platform authorization */ + LOG_DEBUG("Test PLATFORM authorization"); + LOG_DEBUG("Start Auth Session"); + r = Esys_StartAuthSession(esys_context, ESYS_TR_NONE, ESYS_TR_NONE, + ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, + NULL, + TPM2_SE_HMAC, &symmetric, TPM2_ALG_SHA1, + &session); + goto_if_error(r, "Error: During initialization of session", error); + + LOG_DEBUG("Set Auth"); + r = Esys_HierarchyChangeAuth(esys_context, ESYS_TR_RH_PLATFORM, + ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE, + &auth); + + if ((r & ~TPM2_RC_N_MASK) == TPM2_RC_BAD_AUTH || + (r & ~TPM2_RC_N_MASK) == TPM2_RC_HIERARCHY) { + /* Platform authorization not possible test will be skipped */ + LOG_WARNING("Platform authorization not possible."); + failure_return = EXIT_SKIP; + goto error; + } + goto_if_error(r, "Error: During Esys_ObjectChangeAuth", error); + + Esys_TR_SetAuth(esys_context, ESYS_TR_RH_PLATFORM, &auth); + + LOG_DEBUG("Clear"); + r = Esys_Clear(esys_context, ESYS_TR_RH_PLATFORM, session, + ESYS_TR_NONE, ESYS_TR_NONE); + goto_if_error(r, "Error: During Esys_Clear", error); + + r = Esys_FlushContext(esys_context, session); + goto_if_error(r, "Error: During Esys_FlushContext", error); + + Esys_TR_SetAuth(esys_context, ESYS_TR_RH_PLATFORM, &auth); + + LOG_DEBUG("Set Auth"); + r = Esys_HierarchyChangeAuth(esys_context, ESYS_TR_RH_PLATFORM, + ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE, + NULL); + + goto_if_error(r, "Error: During Esys_ObjectChangeAuth", error); + + return EXIT_SUCCESS; + + error: + LOG_ERROR("\nError Code: %x\n", r); + + if (session != ESYS_TR_NONE) { + if (Esys_FlushContext(esys_context, session) != TSS2_RC_SUCCESS) { + LOG_ERROR("Cleanup session failed."); + } + } + return failure_return; +} + +int +test_invoke_esapi(ESYS_CONTEXT * esys_context) { + return test_esys_clear_auth(esys_context); +} -- cgit v1.2.3 From 4f811fdf13e2950c21d3b990a8069a0783f83cf6 Mon Sep 17 00:00:00 2001 From: Tadeusz Struk Date: Fri, 6 Mar 2020 13:46:47 -0800 Subject: CHANGELOG.md: update changelog Signed-off-by: Tadeusz Struk --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 47833421..0912c7df 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -22,6 +22,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/) - Changed tcti-device in non-async mode to allways block ### Fixed +- Fixed hmac calculation for tpm2_clear command in ESAPI - Fixed mixing salted and unsalted sessions in the same ESAPI context - Removed use of VLAs from TPML marshal code - Fixed setting C++ compiler for non-fuzzing builds at configure -- cgit v1.2.3 From 9dd5cc404ce79896e70a7e5d9a8cbe013d978100 Mon Sep 17 00:00:00 2001 From: Tadeusz Struk Date: Fri, 6 Mar 2020 13:47:45 -0800 Subject: configure.ac: bump version number to 2.4.0-rc4 Signed-off-by: Tadeusz Struk --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index b8c3c069..8aaf79ae 100644 --- a/configure.ac +++ b/configure.ac @@ -4,7 +4,7 @@ # All rights reserved. AC_INIT([tpm2-tss], - [2.4.0-rc3], + [2.4.0-rc4], [https://github.com/tpm2-software/tpm2-tss/issues], [], [https://github.com/tpm2-software/tpm2-tss]) -- cgit v1.2.3 From e96292eb2eb2f0abe5dfcd91f4112ccf302a9838 Mon Sep 17 00:00:00 2001 From: John Andersen Date: Mon, 9 Mar 2020 16:10:16 -0700 Subject: FAPI: Ensure default config adheres to JSON spec Remove a trailing comma from the last line of the default FAPI config file, making it valid JSON. Fixes: #1650 Signed-off-by: John Andersen --- dist/fapi-config.json.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dist/fapi-config.json.in b/dist/fapi-config.json.in index 72fe38e2..e32a3c36 100644 --- a/dist/fapi-config.json.in +++ b/dist/fapi-config.json.in @@ -5,5 +5,5 @@ "system_dir": "@localstatedir@/lib/tpm2-tss/system/keystore", "tcti": "", "system_pcrs" : [], - "log_dir" : "@runstatedir@/tpm2-tss/eventlog/", + "log_dir" : "@runstatedir@/tpm2-tss/eventlog/" } -- cgit v1.2.3 From 2256086bfbd9c3bbe9309c245c21675ba662d437 Mon Sep 17 00:00:00 2001 From: Juergen Repp Date: Wed, 11 Mar 2020 16:14:17 +0100 Subject: test/esys: Check unsupported symmetric cipher used for Esys_EncryptDecrypt test. The key type TPM2_ALG_SYMCIPHER might not be supported. In this case the test will be skipped. Signed-off-by: Juergen Repp --- test/integration/esys-encrypt-decrypt.int.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/test/integration/esys-encrypt-decrypt.int.c b/test/integration/esys-encrypt-decrypt.int.c index 3204a549..e357f0bb 100644 --- a/test/integration/esys-encrypt-decrypt.int.c +++ b/test/integration/esys-encrypt-decrypt.int.c @@ -207,6 +207,12 @@ test_esys_encrypt_decrypt(ESYS_CONTEXT * esys_context) &outPrivate2, &outPublic2, &creationData2, &creationHash2, &creationTicket2); + + if (r == 0x2c2) { /*<< tpm:parameter(2):inconsistent attributes */ + LOG_WARNING("Unsupported symmetric cipher."); + failure_return = EXIT_SKIP; + goto error; + } goto_if_error(r, "Error esys create ", error); LOG_INFO("AES key created."); -- cgit v1.2.3 From 9e80db604d2e523965cd6aa5d275c5c71c36ace8 Mon Sep 17 00:00:00 2001 From: Tadeusz Struk Date: Wed, 11 Mar 2020 15:40:32 -0700 Subject: CHANGELOG.md: version bump to 2.4.0 Signed-off-by: Tadeusz Struk --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0912c7df..afa075bb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,7 +3,7 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/) -## [2.4.0-rc3] - 2020-02-24 +## [2.4.0] - 2020-03-11 ### Added - Added a new Feature API (FAPI) implementation - Added Esys_TRSess_GetAuthRequired() ESAPI function -- cgit v1.2.3 From 70da4f245a575948712a7c2cf52de84213dc9db8 Mon Sep 17 00:00:00 2001 From: Tadeusz Struk Date: Wed, 11 Mar 2020 15:42:08 -0700 Subject: configure.ac: version bump to 2.4.0 Signed-off-by: Tadeusz Struk --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 8aaf79ae..4d7b6b26 100644 --- a/configure.ac +++ b/configure.ac @@ -4,7 +4,7 @@ # All rights reserved. AC_INIT([tpm2-tss], - [2.4.0-rc4], + [2.4.0], [https://github.com/tpm2-software/tpm2-tss/issues], [], [https://github.com/tpm2-software/tpm2-tss]) -- cgit v1.2.3