ESYS: StartAuthSession bind auth trailing zeroes

When StartAuthSession is called with a bind entity with a auth value containing trailing zeroes, the HMAC or policy session computation of ESYS does not match the computation on the TPM2. The fix is to remove trailing zeroes from the auth value according to the specification (TPM2 Architecture, 19.6.5, Note 2) before computation of the session key. The fixed bug is especially tricky as a randomly generated auth value of the bind object can cause HMAC or policy session to fail occassionally. Signed-off-by: Stefan Thöni <stefan.thoeni@gapfruit.com>
tpm2-software · May 13, 2024 · d5af351 · d5af351
1 parent a19ac4c
commit d5af351
Showing 1 changed file with 16 additions and 5 deletions.
diff --git a/src/tss2-esys/api/Esys_StartAuthSession.c b/src/tss2-esys/api/Esys_StartAuthSession.c
@@ -458,8 +458,19 @@ Esys_StartAuthSession_Finish(
             size_t secret_size = 0;
             if (tpmKey != ESYS_TR_NONE)
                 secret_size += keyHash_size;
-            if (bind != ESYS_TR_NONE && bindNode != NULL)
-                secret_size += bindNode->auth.size;
+            size_t bind_auth_size = 0;
+            if (bind != ESYS_TR_NONE && bindNode != NULL) {
+                /*
+                 * TPM2.0 Architecture 19.6.5 Note 2
+                 *
+                 * Remove tailing zeroes from the auth value
+                 */
+                bind_auth_size = bindNode->auth.size;
+                while ((bind_auth_size > 0) &&
+                       (bindNode->auth.buffer[bind_auth_size - 1] == 0x00))
+                    bind_auth_size--;
+                secret_size += bind_auth_size;
+            }
             /*
              * A non null pointer for secret is required by the subsequent functions,
              * hence a malloc is called with size 1 if secret_size is zero.
@@ -470,11 +481,11 @@ Esys_StartAuthSession_Finish(
                 return TSS2_ESYS_RC_MEMORY;
             }
             if  (bind != ESYS_TR_NONE && bindNode != NULL
-                 && bindNode->auth.size > 0)
-                memcpy(&secret[0], &bindNode->auth.buffer[0], bindNode->auth.size);
+                 && bind_auth_size > 0)
+                memcpy(&secret[0], &bindNode->auth.buffer[0], bind_auth_size);
             if (tpmKey != ESYS_TR_NONE)
                 memcpy(&secret[(bind == ESYS_TR_NONE || bindNode == NULL) ? 0
-                               : bindNode->auth.size],
+                               : bind_auth_size],
                        &esysContext->salt.buffer[0], keyHash_size);
             if (bind != ESYS_TR_NONE &&  bindNode != NULL)
                 iesys_compute_bound_entity(&bindNode->rsrc.name,