tpm2-software/tpm2-tss

PolicyTemplate calculation incorrect

Closed this issue · 1 comments

Spec Command Spec:

policyDigest_new ≔ H_policyAlg(policyDigest_old || TPM_CC_PolicyTemplate || templateHash)

However, we do not include policyDigest_old in the policy digest calculation. I am working on a fix.

r = ifapi_crypto_hash_start(&cryptoContext, current_hash_alg);
return_if_error(r, "crypto hash start");
HASH_UPDATE(cryptoContext, TPM2_CC, TPM2_CC_PolicyTemplate, r,
cleanup);
HASH_UPDATE_BUFFER(cryptoContext, &used_template_hash->buffer[0],
used_template_hash->size, r, cleanup);
r = ifapi_crypto_hash_finish(&cryptoContext,
(uint8_t *) & current_digest->
digests[digest_idx].digest, &hash_size);
goto_if_error(r, "crypto hash finish", cleanup);

@JuergenReppSIT Please correct me if I have missed something

I think this was not caught by our tests due to a bug in tpm2-tss/test/integration/policy-execute.int.c where if an error occurs (see line 787), we do not set the return code variable r accordingly.

} else {
if (memcmp(digest->buffer, userdata.update_digest.buffer,
digest->size)) {
char a[64 + 64 + 1] = { 0 };
bin2hex(digest->buffer, digest->size, a);
char b[64 + 64 + 1] = { 0 };
bin2hex(userdata.update_digest.buffer, userdata.update_digest.size,
b);
LOG_ERROR("Expected digest to match, got \"%s\" expected \"%s\"", b,
a);
goto cleanup;
}
}
cleanup:
Esys_Free(digest);
TSS2_RC rc = Esys_FlushContext(esys_context, session);
if (rc != TSS2_RC_SUCCESS) {
LOG_ERROR("Flush should not fail, got: 0x%x", rc);
r = rc;
}
Tss2_PolicyFinalize(&policy_ctx);
session = ESYS_TR_NONE;
SAFE_FREE(json);
return r;
}

I will also have this be part of the fix.