systemd/SOURCES/0520-tpm2-replace-hash_pin-with-tpm2_digest_-functions.patch

66 lines
2.2 KiB
Diff
Raw Permalink Normal View History

2024-04-30 11:42:21 +00:00
From 3bd6a10eeaaa863d54573226828f6e0c204442ee Mon Sep 17 00:00:00 2001
From: Dan Streetman <ddstreet@ieee.org>
Date: Wed, 14 Dec 2022 10:46:13 -0500
Subject: [PATCH] tpm2: replace hash_pin() with tpm2_digest_*() functions
The hash_pin() function is just a specific use case of the digest functions.
(cherry picked from commit 94a4ff2dc1e753fc5715b5d240092e38456898f0)
Related: RHEL-16182
---
src/shared/tpm2-util.c | 26 ++++++++------------------
1 file changed, 8 insertions(+), 18 deletions(-)
diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index d397c505f5..f1950189d5 100644
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -1369,21 +1369,6 @@ int tpm2_get_good_pcr_banks_strv(
return 0;
}
-static void hash_pin(const char *pin, size_t len, TPM2B_AUTH *auth) {
- struct sha256_ctx hash;
-
- assert(auth);
- assert(pin);
-
- auth->size = SHA256_DIGEST_SIZE;
-
- CLEANUP_ERASE(hash);
-
- sha256_init_ctx(&hash);
- sha256_process_bytes(pin, len, &hash);
- sha256_finish_ctx(&hash, auth->buffer);
-}
-
/* Hash data into the digest.
*
* If 'extend' is true, the hashing operation starts with the existing digest hash (and the digest is
@@ -1507,7 +1492,9 @@ static int tpm2_make_encryption_session(
CLEANUP_ERASE(auth);
- hash_pin(pin, strlen(pin), &auth);
+ r = tpm2_digest_buffer(TPM2_ALG_SHA256, &auth, pin, strlen(pin), /* extend= */ false);
+ if (r < 0)
+ return r;
rc = sym_Esys_TR_SetAuth(c->esys_context, bind_key->esys_handle, &auth);
if (rc != TSS2_RC_SUCCESS)
@@ -2182,8 +2169,11 @@ int tpm2_seal(const char *device,
.size = sizeof(hmac_sensitive.sensitive),
.sensitive.data.size = 32,
};
- if (pin)
- hash_pin(pin, strlen(pin), &hmac_sensitive.sensitive.userAuth);
+ if (pin) {
+ r = tpm2_digest_buffer(TPM2_ALG_SHA256, &hmac_sensitive.sensitive.userAuth, pin, strlen(pin), /* extend= */ false);
+ if (r < 0)
+ return r;
+ }
assert(sizeof(hmac_sensitive.sensitive.data.buffer) >= hmac_sensitive.sensitive.data.size);