Refactor of the command authentication. If a command does not require auth, do not supply it. ZD 16689

David Garske 2023-10-09 17:41:32 -07:00
parent ddbf4ef5fc
commit f3e1bbbf3d
5 changed files with 283 additions and 271 deletions


@ -73,6 +73,8 @@ int TPM2_NVRAM_Store_Example(void* userCtx, int argc, char *argv[])
byte pubAreaBuffer[sizeof(TPM2B_PUBLIC)];
int pubAreaSize;
word32 nvIndex = TPM2_DEMO_NVRAM_STORE_INDEX;
byte* auth = (byte*)gNvAuth;
word32 authSz = (word32)sizeof(gNvAuth)-1;
if (argc >= 2) {
if (XSTRCMP(argv[1], "-?") == 0 ||
@ -133,6 +135,7 @@ int TPM2_NVRAM_Store_Example(void* userCtx, int argc, char *argv[])
printf("Parameter Encryption: Not enabled (try -aes or -xor).\n\n");
}
XMEMSET(&nv, 0, sizeof(nv));
XMEMSET(&keyBlob, 0, sizeof(keyBlob));
XMEMSET(&tpmSession, 0, sizeof(tpmSession));
XMEMSET(&parent, 0, sizeof(parent));
@ -164,11 +167,17 @@ int TPM2_NVRAM_Store_Example(void* userCtx, int argc, char *argv[])
rc = wolfTPM2_GetNvAttributesTemplate(parent.hndl, &nvAttributes);
if (rc != 0) goto exit;
/* Our wolfTPM2 wrapper for NV_Define */
rc = wolfTPM2_NVCreateAuth(&dev, &parent, &nv, nvIndex,
nvAttributes, TPM2_DEMO_NV_TEST_SIZE, (byte*)gNvAuth, sizeof(gNvAuth)-1);
if (rc != 0 && rc != TPM_RC_NV_DEFINED) goto exit;
/* Try and open existing NV */
rc = wolfTPM2_NVOpen(&dev, &nv, nvIndex, auth, authSz);
if (rc != 0) {
/* In not found try create using wolfTPM2 wrapper for NV_Define */
rc = wolfTPM2_NVCreateAuth(&dev, &parent, &nv, nvIndex,
nvAttributes, TPM2_DEMO_NV_TEST_SIZE, auth, authSz);
if (rc != 0 && rc != TPM_RC_NV_DEFINED) goto exit;
}
/* The set auth is done already in NVOpen and NVCreateAuth, but shown here
* as example for how to set the authentication on a handle */
wolfTPM2_SetAuthHandle(&dev, 0, &nv.handle);
printf("Storing key at TPM NV index 0x%x with password protection\n\n",
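Review bot: The fallback under `if (rc != 0) {` after the new wolfTPM2_NVOpen call treats every open failure as "index not defined", although the comment above it says it is meant for the not-found case. When NVOpen fails because the supplied auth does not match an existing index, the NVCreateAuth retry comes back with TPM_RC_NV_DEFINED, which the `rc != TPM_RC_NV_DEFINED` test tolerates, so the example continues with `rc` still non-zero and an `nv` handle that was never opened. Inside this branch an already-defined index means the open itself failed, so the check should be `if (rc != 0) goto exit; /* TPM_RC_NV_DEFINED here: index exists but NVOpen failed (e.g. wrong auth) */`. The `(byte*)gNvAuth` cast near the top of the function also drops a const qualifier if gNvAuth is declared const; TPM2_NVRAM_Store_Example continues outside the hunk.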



@ -286,23 +286,83 @@ void TPM2_Packet_AppendAuthCmd(TPM2_Packet* packet, TPMS_AUTH_COMMAND* authCmd)
TPM2_Packet_AppendBytes(packet, authCmd->hmac.buffer, authCmd->hmac.size);
}
int TPM2_Packet_AppendAuth(TPM2_Packet* packet, TPM2_CTX* ctx)
/* Finds the number of active Auth Session in the given TPM2 context.
* If the info is not provided then returns the populated ctx->session,
* otherwise adjusted based on the command information provided.
*/
int TPM2_GetCmdAuthCount(TPM2_CTX* ctx, CmdInfo_t* info)
{
int authCount, i, tmpSz = 0;
if (ctx == NULL || ctx->session == NULL)
return BAD_FUNC_ARG;
authCount = TPM2_GetSessionAuthCount(ctx);
int authSessCount = 0, sessionCount;
TPMI_SH_AUTH_SESSION sessionHandle;
TPMA_SESSION sessionAttributes;
unsigned char flags = 0xFF;
TPM2_Packet_MarkU32(packet, &tmpSz);
for (i=0; i<authCount; i++) {
/* Note: Casting a TPM2_AUTH_SESSION to TPMS_AUTH_COMMAND here,
this is allowed because top of structure matches */
TPM2_Packet_AppendAuthCmd(packet, (TPMS_AUTH_COMMAND*)&ctx->session[i]);
if (info != NULL)
flags = info->flags;
/* The auth sessions must be first in the list */
for (sessionCount = 0; sessionCount < MAX_SESSION_NUM; sessionCount++) {
int authReq = 0;
sessionHandle = ctx->session[sessionCount].sessionHandle;
sessionAttributes = ctx->session[sessionCount].sessionAttributes;
if (info != NULL &&
((sessionCount == 0 && (flags &
(CMD_FLAG_AUTH_USER1 |
CMD_FLAG_AUTH_ADMIN |
CMD_FLAG_AUTH_DUP))) ||
(sessionCount == 1 && (flags &
(CMD_FLAG_AUTH_USER2))))) {
authReq = 1;
}
/* Only a password auth if command user auth set */
if (sessionHandle == TPM_RS_PW && authReq) {
authSessCount++;
}
/* Only an HMAC session with encrypt, decrypt or audit set */
else if (authSessCount > 0 && TPM2_IS_HMAC_SESSION(sessionHandle)) {
if (((sessionAttributes & TPMA_SESSION_decrypt) && (flags &
(CMD_FLAG_ENC2 | CMD_FLAG_ENC4))) ||
((sessionAttributes & TPMA_SESSION_encrypt) && (flags &
(CMD_FLAG_DEC2 | CMD_FLAG_DEC4))) ||
(sessionAttributes & TPMA_SESSION_audit))
authSessCount++;
}
#ifdef DEBUG_WOLFTPM
else if (authReq) {
printf("Warning: Command requires auth at index %d!\n",
sessionCount);
}
#endif
}
/* based on position difference places calculated size at marked U32 above */
TPM2_Packet_PlaceU32(packet, tmpSz);
return authSessCount;
}
return authCount;
TPM_ST TPM2_Packet_AppendAuth(TPM2_Packet* packet, TPM2_CTX* ctx, CmdInfo_t* info)
{
TPM_ST st = TPM_ST_NO_SESSIONS;
if (ctx == NULL || info == NULL)
return BAD_FUNC_ARG;
if (ctx->session == NULL)
return st;
info->authCnt = TPM2_GetCmdAuthCount(ctx, info);
if (info->authCnt > 0) {
int i, tmpSz = 0;
TPM2_Packet_MarkU32(packet, &tmpSz);
for (i=0; i<info->authCnt; i++) {
/* Note: Casting a TPM2_AUTH_SESSION to TPMS_AUTH_COMMAND here,
* this is allowed because top of structure matches */
TPM2_Packet_AppendAuthCmd(packet, (TPMS_AUTH_COMMAND*)&ctx->session[i]);
}
/* based on position difference places calculated size at marked U32 above */
TPM2_Packet_PlaceU32(packet, tmpSz);
st = TPM_ST_SESSIONS;
}
return st;
}
void TPM2_Packet_ParseAuth(TPM2_Packet* packet, TPMS_AUTH_RESPONSE* authRsp)
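Review bot: In TPM2_GetCmdAuthCount the branch `else if (authSessCount > 0 && TPM2_IS_HMAC_SESSION(sessionHandle))` counts an HMAC session only after a password auth has already been counted, so an HMAC session at index 0 that is itself the command's required authorization (and any policy session, which neither branch matches) leaves authCnt at 0 and TPM2_Packet_AppendAuth then tags the command TPM_ST_NO_SESSIONS; the same gate also blocks a decrypt/encrypt session on a command with no auth handles, which the TPM specification permits, unless the wrapper never builds such a command. The header comment's promise that a NULL `info` returns the populated session count does not hold: `authReq` is set only when `info != NULL`, so with `info == NULL` the password branch never fires and the function returns 0. Separately, TPM2_Packet_AppendAuth returns `BAD_FUNC_ARG` through a `TPM_ST` result; if TPM_ST is the specification's 16-bit unsigned tag the negative code is truncated and a caller comparing against TPM_ST_SESSIONS cannot detect the failure, so the argument checks there should be reported another way. A rewrite of the two counting branches is sketched below; whether policy sessions need the same treatment depends on a session-type test not visible in this hunk.
```c
        /* … unchanged: sessionHandle/sessionAttributes load and authReq computation … */
        if (sessionHandle == TPM_RS_PW) {
            /* a password auth counts only where the command requires auth at this index */
            if (authReq)
                authSessCount++;
        }
        else if (TPM2_IS_HMAC_SESSION(sessionHandle)) {
            /* an HMAC session counts when it is the required auth for this index, or when it
             * carries parameter decryption/encryption or audit for this command */
            if (authReq ||
                ((sessionAttributes & TPMA_SESSION_decrypt) && (flags & (CMD_FLAG_ENC2 | CMD_FLAG_ENC4))) ||
                ((sessionAttributes & TPMA_SESSION_encrypt) && (flags & (CMD_FLAG_DEC2 | CMD_FLAG_DEC4))) ||
                (sessionAttributes & TPMA_SESSION_audit))
                authSessCount++;
        }
        /* … unchanged: DEBUG_WOLFTPM warning, loop end, return authSessCount … */
```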


@ -4052,7 +4052,7 @@ int wolfTPM2_NVCreateAuth(WOLFTPM2_DEV* dev, WOLFTPM2_HANDLE* parent,
XMEMCPY(in.auth.buffer, auth, in.auth.size);
}
in.publicInfo.nvPublic.nvIndex = nvIndex;
in.publicInfo.nvPublic.nameAlg = TPM_ALG_SHA256;
in.publicInfo.nvPublic.nameAlg = WOLFTPM2_WRAP_DIGEST;
in.publicInfo.nvPublic.attributes = nvAttributes;
in.publicInfo.nvPublic.dataSize = (UINT16)maxSize;
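Review bot: Replacing `TPM_ALG_SHA256` with `WOLFTPM2_WRAP_DIGEST` on the `nameAlg` line changes the Name of every NV index defined from now on, because the TPM computes an NV Name over nvPublic with nameAlg; anything bound to that Name, such as a policy referencing the index or an index defined by an earlier build with the fixed SHA256, will see a different value whenever the build configures another digest. The line deserves a comment making this deliberate, e.g. `/* NV Name depends on nameAlg; intentionally follows the build's wrapper digest */`, and the wrapper documentation should state that NV names inherit WOLFTPM2_WRAP_DIGEST. wolfTPM2_NVCreateAuth starts and ends outside the hunk.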


@ -47,6 +47,30 @@ typedef struct TPM2_Packet {
int size;
} TPM2_Packet;
/* Send Command Wrapper */
typedef enum CmdFlags {
CMD_FLAG_NONE = 0x00,
CMD_FLAG_ENC2 = 0x01, /* 16-bit size of first command parameter */
CMD_FLAG_ENC4 = 0x02, /* 32-bit size (not used) */
CMD_FLAG_DEC2 = 0x04, /* 16-bit size of first response parameter */
CMD_FLAG_DEC4 = 0x08, /* 32-bit size (not used) */
CMD_FLAG_AUTH_USER1 = 0x10,
CMD_FLAG_AUTH_USER2 = 0x20,
CMD_FLAG_AUTH_ADMIN = 0x40,
CMD_FLAG_AUTH_DUP = 0x80,
} CmdFlags_t;
/* Command Details */
typedef struct {
unsigned char authCnt; /* number of authentication handles - determined at run-time */
unsigned char inHandleCnt; /* number of input handles - fixed */
unsigned char outHandleCnt; /* number of output handles - fixed */
unsigned char flags; /* see CmdFlags_t - fixed */
} CmdInfo_t;
WOLFTPM_LOCAL void TPM2_Packet_U16ToByteArray(UINT16 val, BYTE* b);
WOLFTPM_LOCAL void TPM2_Packet_U32ToByteArray(UINT32 val, BYTE* b);
@ -71,7 +95,7 @@ WOLFTPM_LOCAL void TPM2_Packet_MarkU16(TPM2_Packet* packet, int* markSz);
WOLFTPM_LOCAL int TPM2_Packet_PlaceU16(TPM2_Packet* packet, int markSz);
WOLFTPM_LOCAL void TPM2_Packet_MarkU32(TPM2_Packet* packet, int* markSz);
WOLFTPM_LOCAL void TPM2_Packet_PlaceU32(TPM2_Packet* packet, int markSz);
WOLFTPM_LOCAL int TPM2_Packet_AppendAuth(TPM2_Packet* packet, TPM2_CTX* ctx);
WOLFTPM_LOCAL TPM_ST TPM2_Packet_AppendAuth(TPM2_Packet* packet, TPM2_CTX* ctx, CmdInfo_t* info);
WOLFTPM_LOCAL void TPM2_Packet_AppendAuthCmd(TPM2_Packet* packet, TPMS_AUTH_COMMAND* authCmd);
WOLFTPM_LOCAL void TPM2_Packet_ParseAuth(TPM2_Packet* packet, TPMS_AUTH_RESPONSE* auth);
WOLFTPM_LOCAL void TPM2_Packet_AppendPCR(TPM2_Packet* packet, TPML_PCR_SELECTION* pcr);
@ -106,6 +130,9 @@ WOLFTPM_LOCAL void TPM2_Packet_ParseAttest(TPM2_Packet* packet, TPMS_ATTEST* out
WOLFTPM_LOCAL TPM_RC TPM2_Packet_Parse(TPM_RC rc, TPM2_Packet* packet);
WOLFTPM_LOCAL int TPM2_Packet_Finalize(TPM2_Packet* packet, TPM_ST tag, TPM_CC cc);
WOLFTPM_LOCAL int TPM2_GetCmdAuthCount(TPM2_CTX* ctx, CmdInfo_t* info);
#ifdef __cplusplus
} /* extern "C" */
#endif
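Review bot: The new `CMD_FLAG_AUTH_*` enumerators carry no comment while the ENC/DEC ones do, so the header does not tell a reader that USER1, ADMIN and DUP describe the auth role of the first handle and USER2 the second, which is how the counting loop in TPM2_GetCmdAuthCount in this commit interprets them. Suggest `CMD_FLAG_AUTH_USER1 = 0x10, /* first handle requires USER auth */`, `CMD_FLAG_AUTH_USER2 = 0x20, /* second handle requires USER auth */`, and matching comments for ADMIN and DUP on the first handle. `authCnt` in CmdInfo_t is an `unsigned char`, yet the `TPM2_GetCmdAuthCount` declaration added at the end of this section returns `int` and can yield BAD_FUNC_ARG; its declaration should document that a negative return must be checked before the value is stored into authCnt, since the narrowing cannot represent it. The prototype change to TPM2_Packet_AppendAuth in the middle hunk is covered by the same documentation point.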