tpm2-tss/0004-FAPI-Fix-missing-parameter-encryption-for-policy-ses.patch
Štěpán Horáček 94b2079a24 Rebase to 3.2.2
Resolves: CVE-2023-22745
Resolves: rhbz#2160307
Resolves: rhbz#2162613

Signed-off-by: Štěpán Horáček <shoracek@redhat.com>
2023-06-28 17:14:03 +02:00


From 6bb79f17b89592909830f872dc47d09c0e5dadda Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Fri, 3 Mar 2023 11:17:43 +0100
Subject: [PATCH 04/10] FAPI: Fix missing parameter encryption for policy
sessions.
The parameter encryption for policy sessions was not enabled.
Now the parameter encryption is enabled and the auth value of
objects is added to the session key.
One exception is the cp hash policy. In this case the
cp hash check forced by this policy would fail with an
encrypted parameter.
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
src/tss2-fapi/fapi_util.c | 28 ++++++++++++------------
src/tss2-fapi/ifapi_policy_execute.c | 5 +++++
src/tss2-fapi/ifapi_policyutil_execute.c | 4 ++++
3 files changed, 23 insertions(+), 14 deletions(-)
diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
index ded0d247..55ce3327 100644
--- a/src/tss2-fapi/fapi_util.c
+++ b/src/tss2-fapi/fapi_util.c
@@ -2110,21 +2110,20 @@ ifapi_authorize_object(FAPI_CONTEXT *context, IFAPI_OBJECT *object, ESYS_TR *ses
statecase(object->authorization_state, AUTH_INIT)
LOG_TRACE("**STATE** AUTH_INIT");
- if (!policy_digest_size(object)) {
- /* No policy used authorization callbacks have to be called if necessary. */
- if (object_with_auth(object)) {
- /* Check whether hierarchy was already authorized. */
- if (object->objectType != IFAPI_HIERARCHY_OBJ ||
- !object->misc.hierarchy.authorized) {
- char *description = NULL;
- r = ifapi_get_description(object, &description);
- return_if_error(r, "Get description");
-
- r = ifapi_set_auth(context, object, description);
- SAFE_FREE(description);
- return_if_error(r, "Set auth value");
- }
+ if (object_with_auth(object)) {
+ /* Check whether hierarchy was already authorized. */
+ if (object->objectType != IFAPI_HIERARCHY_OBJ ||
+ !object->misc.hierarchy.authorized) {
+ char *description = NULL;
+ r = ifapi_get_description(object, &description);
+ return_if_error(r, "Get description");
+
+ r = ifapi_set_auth(context, object, description);
+ SAFE_FREE(description);
+ return_if_error(r, "Set auth value");
}
+ }
+ if (!policy_digest_size(object)) {
/* No policy session needed current fapi session can be used */
if (context->session1 && context->session1 != ESYS_TR_NONE)
*session = context->session1;
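Review bot: The relocated `object_with_auth` block at the top of AUTH_INIT now runs the auth-value callback before the `policy_digest_size` branch, but the old `/* No policy used authorization callbacks have to be called if necessary. */` comment was dropped rather than replaced, so a reader no longer sees why the prompt is unconditional. Per the patch description the auth value is now also required for policy-authorized objects so it can be folded into the policy session key; I would state that above the new `if`: `/* The auth value is needed even for policy-authorized objects: it is bound into the policy session key used for parameter encryption. */`. ifapi_authorize_object continues outside the hunk.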
@@ -2133,6 +2132,7 @@ ifapi_authorize_object(FAPI_CONTEXT *context, IFAPI_OBJECT *object, ESYS_TR *ses
*session = ESYS_TR_PASSWORD;
break;
}
+
/* Save current object to be authorized in context. */
context->current_auth_object = object;
r = ifapi_policyutil_execute_prepare(context, get_name_alg(context, object),
diff --git a/src/tss2-fapi/ifapi_policy_execute.c b/src/tss2-fapi/ifapi_policy_execute.c
index c2ce3301..0e7de316 100644
--- a/src/tss2-fapi/ifapi_policy_execute.c
+++ b/src/tss2-fapi/ifapi_policy_execute.c
@@ -1245,6 +1245,11 @@ execute_policy_cp_hash(
r = Esys_PolicyCpHash_Finish(esys_ctx);
try_again_or_error(r, "Execute PolicyCpHash_Finish.");
+ /* Disable encryption to enable check of cp hash defined in
+ policy cp. */
+ r = Esys_TRSess_SetAttributes(esys_ctx, current_policy->session,
+ 0, 0xff);
+
current_policy->state = POLICY_EXECUTE_INIT;
return r;
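Review bot: The mask `0xff` passed to Esys_TRSess_SetAttributes on the added lines clears every attribute bit of the session, not only ENCRYPT and DECRYPT, so any other attribute the session carried (for instance TPMA_SESSION_CONTINUESESSION, if it was set at creation) is dropped as a side effect; the same mask is used in the create_session hunk of ifapi_policyutil_execute.c. Restricting the mask to the bits actually being changed keeps the rest intact: `r = Esys_TRSess_SetAttributes(esys_ctx, current_policy->session, 0, TPMA_SESSION_ENCRYPT | TPMA_SESSION_DECRYPT);`. The result is also only propagated through the final `return r` after the state has already been reset to POLICY_EXECUTE_INIT; checking it right after the call with `return_if_error(r, "Set session attributes");` would make the failure explicit and match the other calls in this function. execute_policy_cp_hash begins outside the hunk.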
diff --git a/src/tss2-fapi/ifapi_policyutil_execute.c b/src/tss2-fapi/ifapi_policyutil_execute.c
index 997fb504..0e2823cb 100644
--- a/src/tss2-fapi/ifapi_policyutil_execute.c
+++ b/src/tss2-fapi/ifapi_policyutil_execute.c
@@ -119,6 +119,10 @@ create_session(
r = Esys_StartAuthSession_Finish(context->esys, session);
if (r != TSS2_RC_SUCCESS)
return r;
+
+ r = Esys_TRSess_SetAttributes(context->esys, *session,
+ TPMA_SESSION_ENCRYPT | TPMA_SESSION_DECRYPT,
+ 0xff);
context->policy.create_session_state = CREATE_SESSION_INIT;
break;
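Review bot: The return code of the added Esys_TRSess_SetAttributes call is never examined before `create_session_state` is reset and the switch is left with `break`, whereas the Esys_StartAuthSession_Finish result a few lines above is checked with `if (r != TSS2_RC_SUCCESS) return r;`; unless the code after the switch (outside the hunk) inspects r, a failure to enable encryption would pass unnoticed and the session would be used without the parameter protection this patch is meant to add. Mirroring the existing check, `if (r != TSS2_RC_SUCCESS) return r;` directly after the call closes that gap. The mask `0xff` here has the same over-broad effect noted for execute_policy_cp_hash. create_session continues outside the hunk.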
--
2.41.0