From b9d6464529a88df914ee8e357fae2b9e8fea2f84 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 24 2020 10:11:25 +0000 Subject: import tpm2-tss-2.3.2-3.el8 --- diff --git a/SOURCES/0001-Esys_CreateLoaded-fix-resource-name-calculation.patch b/SOURCES/0001-Esys_CreateLoaded-fix-resource-name-calculation.patch new file mode 100644 index 0000000..a6db576 --- /dev/null +++ b/SOURCES/0001-Esys_CreateLoaded-fix-resource-name-calculation.patch @@ -0,0 +1,128 @@ +From 70e9fae7ef535e7cf27a72ddbc818dfefcbdbdbb Mon Sep 17 00:00:00 2001 +From: William Roberts +Date: Wed, 18 Sep 2019 11:29:57 -0700 +Subject: [PATCH] Esys_CreateLoaded: fix resource name calculation + +The name calculated and cached for the ESYS_TR resource object was based +on the user supplied TPMT_PUBLIC. However, this template is often +missing data that the TPM fills in and returns in the TPM2B_PUBLIC +structure. Because of this, the cached name returned from +Esys_TR_GetName() and the name read from Esys_ReadPublic() would differ. + +Add a test to detect this condition and correct it by copying the +returned TPM2B_PUBLIC to the ESYS_TR resource nodes TPM2B_PUBLIC cache +and calculate the name off of that. + +Fixes: #1516 + +Signed-off-by: William Roberts +--- + src/tss2-esys/api/Esys_CreateLoaded.c | 14 ++++----- + test/integration/esys-createloaded.int.c | 37 ++++++++++++++++++++++++ + 2 files changed, 42 insertions(+), 9 deletions(-) + +diff --git a/src/tss2-esys/api/Esys_CreateLoaded.c b/src/tss2-esys/api/Esys_CreateLoaded.c +index a92649cade27..44c4400fcff9 100644 +--- a/src/tss2-esys/api/Esys_CreateLoaded.c ++++ b/src/tss2-esys/api/Esys_CreateLoaded.c +@@ -317,14 +317,6 @@ Esys_CreateLoaded_Finish( + goto_error(r, TSS2_ESYS_RC_MEMORY, "Out of memory", error_cleanup); + } + +- /* Update the meta data of the ESYS_TR object */ +- objectHandleNode->rsrc.rsrcType = IESYSC_KEY_RSRC; +- size_t offset = 0; +- r = Tss2_MU_TPMT_PUBLIC_Unmarshal(&esysContext->in.CreateLoaded.inPublic->buffer[0], +- sizeof(TPMT_PUBLIC), &offset , +- &objectHandleNode->rsrc.misc.rsrc_key_pub.publicArea); +- goto_if_error(r, "Unmarshal TPMT_PUBULIC", error_cleanup); +- + /*Receive the TPM response and handle resubmissions if necessary. */ + r = Tss2_Sys_ExecuteFinish(esysContext->sys, esysContext->timeout); + if ((r & ~TSS2_RC_LAYER_MASK) == TSS2_BASE_RC_TRY_AGAIN) { +@@ -386,8 +378,12 @@ Esys_CreateLoaded_Finish( + error_cleanup); + + ++ /* Update the meta data of the ESYS_TR object */ ++ objectHandleNode->rsrc.rsrcType = IESYSC_KEY_RSRC; ++ objectHandleNode->rsrc.misc.rsrc_key_pub = *loutPublic; ++ + /* Check name and outPublic for consistency */ +- if (!iesys_compare_name(loutPublic, &name)) ++ if (!iesys_compare_name(&objectHandleNode->rsrc.misc.rsrc_key_pub, &name)) + goto_error(r, TSS2_ESYS_RC_MALFORMED_RESPONSE, + "in Public name not equal name in response", error_cleanup); + +diff --git a/test/integration/esys-createloaded.int.c b/test/integration/esys-createloaded.int.c +index ec8d68a0d43d..118f2a3bb1ff 100644 +--- a/test/integration/esys-createloaded.int.c ++++ b/test/integration/esys-createloaded.int.c +@@ -8,6 +8,7 @@ + #include + #endif + ++#include + #include + + #include "tss2_esys.h" +@@ -19,6 +20,35 @@ + #include "util/log.h" + #include "util/aux_util.h" + ++static bool check_name(ESYS_CONTEXT * esys_context, ESYS_TR object_handle) ++{ ++ bool result = false; ++ ++ TPM2B_NAME *read_name = NULL; ++ TPM2B_NAME *get_name = NULL; ++ ++ TSS2_RC r = Esys_ReadPublic(esys_context, object_handle, ++ ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, ++ NULL, &read_name, NULL); ++ goto_if_error(r, "Error esys readpublic", out); ++ ++ r = Esys_TR_GetName(esys_context, object_handle, &get_name); ++ goto_if_error(r, "Error esys getname", out); ++ ++ if (read_name->size != get_name->size) { ++ LOG_ERROR("name size mismatch %u != %u", ++ read_name->size, get_name->size); ++ goto out; ++ } ++ ++ result = memcmp(read_name->name, get_name->name, get_name->size) == 0; ++ ++out: ++ free(read_name); ++ free(get_name); ++ ++ return result; ++} + /** This test is intended to test the ESAPI command CreateLoaded. + * + * We start by creating a primary key (Esys_CreatePrimary). +@@ -29,6 +59,8 @@ + * - Esys_CreatePrimary() (M) + * - Esys_FlushContext() (M) + * - Esys_StartAuthSession() (M) ++ * - Esys_TR_GetName() (M) ++ * - Esys_TR_ReadPublic() (M) + * + * Used compiler defines: TEST_SESSION + * +@@ -239,6 +271,11 @@ test_esys_createloaded(ESYS_CONTEXT * esys_context) + + goto_if_error(r, "Error During CreateLoaded", error); + ++ bool names_match = check_name(esys_context, objectHandle); ++ if (!names_match) { ++ goto error; ++ } ++ + r = Esys_FlushContext(esys_context, primaryHandle); + goto_if_error(r, "Flushing context", error); + +-- +2.27.0 + diff --git a/SOURCES/0001-Return-proper-error-code-on-memory-allocation-failur.patch b/SOURCES/0001-Return-proper-error-code-on-memory-allocation-failur.patch new file mode 100644 index 0000000..bb70296 --- /dev/null +++ b/SOURCES/0001-Return-proper-error-code-on-memory-allocation-failur.patch @@ -0,0 +1,25 @@ +From 93aab9433b5d66a916e28016a4b60c4a1c39acfc Mon Sep 17 00:00:00 2001 +From: Pieter Agten +Date: Tue, 3 Dec 2019 20:52:29 +0100 +Subject: [PATCH] Return proper error code on memory allocation failure + +Signed-off-by: Pieter Agten +--- + src/tss2-tcti/tctildr.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/tss2-tcti/tctildr.c b/src/tss2-tcti/tctildr.c +index ff967317b57b..1528f6e52fd0 100644 +--- a/src/tss2-tcti/tctildr.c ++++ b/src/tss2-tcti/tctildr.c +@@ -421,6 +421,7 @@ Tss2_TctiLdr_Initialize_Ex (const char *name, + } + ldr_ctx = calloc (1, sizeof (TSS2_TCTILDR_CONTEXT)); + if (ldr_ctx == NULL) { ++ rc = TSS2_TCTI_RC_MEMORY; + goto err; + } + TSS2_TCTI_MAGIC (ldr_ctx) = TCTILDR_MAGIC; +-- +2.27.0 + diff --git a/SOURCES/0001-build-update-exported-symbols-map-for-libtss2-mu.patch b/SOURCES/0001-build-update-exported-symbols-map-for-libtss2-mu.patch new file mode 100644 index 0000000..07dde22 --- /dev/null +++ b/SOURCES/0001-build-update-exported-symbols-map-for-libtss2-mu.patch @@ -0,0 +1,51 @@ +From b27956422d1b5bb53a56366e9b7e978f6b95e2f9 Mon Sep 17 00:00:00 2001 +From: Erik Larsson +Date: Mon, 2 Dec 2019 11:21:02 +0100 +Subject: [PATCH] build: update exported symbols map for libtss2-mu + +Signed-off-by: Erik Larsson +--- + lib/tss2-mu.def | 4 ++++ + lib/tss2-mu.map | 4 ++-- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/lib/tss2-mu.def b/lib/tss2-mu.def +index 36f4ba37b9fc..3c80cf225f77 100644 +--- a/lib/tss2-mu.def ++++ b/lib/tss2-mu.def +@@ -226,6 +226,10 @@ EXPORTS + Tss2_MU_TPMU_PUBLIC_PARMS_Unmarshal + Tss2_MU_TPMU_PUBLIC_ID_Marshal + Tss2_MU_TPMU_PUBLIC_ID_Unmarshal ++ Tss2_MU_TPMU_NAME_Marshal ++ Tss2_MU_TPMU_NAME_Unmarshal ++ Tss2_MU_TPMU_ENCRYPTED_SECRET_Marshal ++ Tss2_MU_TPMU_ENCRYPTED_SECRET_Unmarshal + Tss2_MU_TPMT_HA_Marshal + Tss2_MU_TPMT_HA_Unmarshal + Tss2_MU_TPMT_SYM_DEF_Marshal +diff --git a/lib/tss2-mu.map b/lib/tss2-mu.map +index 8ac754ed096a..09d9317e6749 100644 +--- a/lib/tss2-mu.map ++++ b/lib/tss2-mu.map +@@ -228,6 +228,8 @@ + Tss2_MU_TPMU_PUBLIC_ID_Unmarshal; + Tss2_MU_TPMU_NAME_Marshal; + Tss2_MU_TPMU_NAME_Unmarshal; ++ Tss2_MU_TPMU_ENCRYPTED_SECRET_Marshal; ++ Tss2_MU_TPMU_ENCRYPTED_SECRET_Unmarshal; + Tss2_MU_TPMT_HA_Marshal; + Tss2_MU_TPMT_HA_Unmarshal; + Tss2_MU_TPMT_SYM_DEF_Marshal; +@@ -274,8 +276,6 @@ + Tss2_MU_TPM2_NT_Unmarshal; + Tss2_MU_TPMI_ALG_HASH_Marshal; + Tss2_MU_TPMI_ALG_HASH_Unmarshal; +- Tss2_MU_TPMI_BYTE_Marshal; +- Tss2_MU_TPMI_BYTE_Unmarshal; + local: + *; + }; +-- +2.27.0 + diff --git a/SOURCES/0001-esys-Check-object-handle-node-before-calling-compute.patch b/SOURCES/0001-esys-Check-object-handle-node-before-calling-compute.patch new file mode 100644 index 0000000..2bee867 --- /dev/null +++ b/SOURCES/0001-esys-Check-object-handle-node-before-calling-compute.patch @@ -0,0 +1,1314 @@ +From f9a2e69bbc0e5f11ec2fe351ed8e610853857aba Mon Sep 17 00:00:00 2001 +From: Tadeusz Struk +Date: Thu, 9 Jan 2020 14:16:50 -0800 +Subject: [PATCH] esys: Check object handle node before calling + compute_session_value() + +Fixes: #1593 +Signed-off-by: Tadeusz Struk +--- + src/tss2-esys/api/Esys_ActivateCredential.c | 15 +++++++++++---- + src/tss2-esys/api/Esys_Certify.c | 12 ++++++++++-- + src/tss2-esys/api/Esys_CertifyCreation.c | 8 ++++++-- + src/tss2-esys/api/Esys_ChangeEPS.c | 8 ++++++-- + src/tss2-esys/api/Esys_ChangePPS.c | 6 +++++- + src/tss2-esys/api/Esys_Clear.c | 6 +++++- + src/tss2-esys/api/Esys_ClearControl.c | 6 +++++- + src/tss2-esys/api/Esys_ClockRateAdjust.c | 8 ++++++-- + src/tss2-esys/api/Esys_ClockSet.c | 6 +++++- + src/tss2-esys/api/Esys_Commit.c | 6 +++++- + src/tss2-esys/api/Esys_Create.c | 7 ++++++- + src/tss2-esys/api/Esys_CreateLoaded.c | 6 +++++- + src/tss2-esys/api/Esys_CreatePrimary.c | 6 +++++- + .../api/Esys_DictionaryAttackLockReset.c | 6 +++++- + .../api/Esys_DictionaryAttackParameters.c | 6 +++++- + src/tss2-esys/api/Esys_Duplicate.c | 6 +++++- + src/tss2-esys/api/Esys_ECDH_ZGen.c | 6 +++++- + src/tss2-esys/api/Esys_EncryptDecrypt.c | 6 +++++- + src/tss2-esys/api/Esys_EncryptDecrypt2.c | 6 +++++- + src/tss2-esys/api/Esys_EventSequenceComplete.c | 15 +++++++++++---- + src/tss2-esys/api/Esys_EvictControl.c | 6 +++++- + src/tss2-esys/api/Esys_FieldUpgradeStart.c | 6 +++++- + src/tss2-esys/api/Esys_GetCommandAuditDigest.c | 6 +++++- + src/tss2-esys/api/Esys_GetSessionAuditDigest.c | 6 +++++- + src/tss2-esys/api/Esys_GetTime.c | 6 +++++- + src/tss2-esys/api/Esys_HMAC.c | 6 +++++- + src/tss2-esys/api/Esys_HMAC_Start.c | 6 +++++- + src/tss2-esys/api/Esys_HierarchyChangeAuth.c | 6 +++++- + src/tss2-esys/api/Esys_HierarchyControl.c | 6 +++++- + src/tss2-esys/api/Esys_Import.c | 6 +++++- + src/tss2-esys/api/Esys_Load.c | 6 +++++- + src/tss2-esys/api/Esys_NV_Certify.c | 12 ++++++++++-- + src/tss2-esys/api/Esys_NV_ChangeAuth.c | 6 +++++- + src/tss2-esys/api/Esys_NV_DefineSpace.c | 6 +++++- + src/tss2-esys/api/Esys_NV_Extend.c | 6 +++++- + src/tss2-esys/api/Esys_NV_GlobalWriteLock.c | 6 +++++- + src/tss2-esys/api/Esys_NV_Increment.c | 6 +++++- + src/tss2-esys/api/Esys_NV_Read.c | 6 +++++- + src/tss2-esys/api/Esys_NV_ReadLock.c | 6 +++++- + src/tss2-esys/api/Esys_NV_SetBits.c | 6 +++++- + src/tss2-esys/api/Esys_NV_UndefineSpace.c | 6 +++++- + src/tss2-esys/api/Esys_NV_UndefineSpaceSpecial.c | 12 ++++++++++-- + src/tss2-esys/api/Esys_NV_Write.c | 6 +++++- + src/tss2-esys/api/Esys_NV_WriteLock.c | 6 +++++- + src/tss2-esys/api/Esys_ObjectChangeAuth.c | 6 +++++- + src/tss2-esys/api/Esys_PCR_Allocate.c | 6 +++++- + src/tss2-esys/api/Esys_PCR_Event.c | 6 +++++- + src/tss2-esys/api/Esys_PCR_Extend.c | 6 +++++- + src/tss2-esys/api/Esys_PCR_Reset.c | 6 +++++- + src/tss2-esys/api/Esys_PCR_SetAuthPolicy.c | 6 +++++- + src/tss2-esys/api/Esys_PCR_SetAuthValue.c | 6 +++++- + src/tss2-esys/api/Esys_PP_Commands.c | 6 +++++- + src/tss2-esys/api/Esys_PolicyAuthorizeNV.c | 6 +++++- + src/tss2-esys/api/Esys_PolicyNV.c | 6 +++++- + src/tss2-esys/api/Esys_PolicySecret.c | 6 +++++- + src/tss2-esys/api/Esys_Quote.c | 6 +++++- + src/tss2-esys/api/Esys_RSA_Decrypt.c | 6 +++++- + src/tss2-esys/api/Esys_Rewrap.c | 6 +++++- + src/tss2-esys/api/Esys_SequenceComplete.c | 9 ++++++--- + src/tss2-esys/api/Esys_SequenceUpdate.c | 9 ++++++--- + src/tss2-esys/api/Esys_SetAlgorithmSet.c | 6 +++++- + .../api/Esys_SetCommandCodeAuditStatus.c | 6 +++++- + src/tss2-esys/api/Esys_SetPrimaryPolicy.c | 6 +++++- + src/tss2-esys/api/Esys_Sign.c | 6 +++++- + src/tss2-esys/api/Esys_Unseal.c | 6 +++++- + src/tss2-esys/api/Esys_ZGen_2Phase.c | 6 +++++- + 66 files changed, 363 insertions(+), 82 deletions(-) + +diff --git a/src/tss2-esys/api/Esys_ActivateCredential.c b/src/tss2-esys/api/Esys_ActivateCredential.c +index 3d332521528e..9377ad2a0627 100644 +--- a/src/tss2-esys/api/Esys_ActivateCredential.c ++++ b/src/tss2-esys/api/Esys_ActivateCredential.c +@@ -194,10 +194,17 @@ Esys_ActivateCredential_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], +- &activateHandleNode->rsrc.name, &activateHandleNode->auth); +- iesys_compute_session_value(esysContext->session_tab[1], +- &keyHandleNode->rsrc.name, &keyHandleNode->auth); ++ if (activateHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], ++ &activateHandleNode->rsrc.name, &activateHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ ++ if (keyHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[1], ++ &keyHandleNode->rsrc.name, &keyHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + + /* Generate the auth values and set them in the SAPI command buffer */ +diff --git a/src/tss2-esys/api/Esys_Certify.c b/src/tss2-esys/api/Esys_Certify.c +index d34d70b88ff7..96c627606684 100644 +--- a/src/tss2-esys/api/Esys_Certify.c ++++ b/src/tss2-esys/api/Esys_Certify.c +@@ -193,10 +193,18 @@ Esys_Certify_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (objectHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &objectHandleNode->rsrc.name, &objectHandleNode->auth); +- iesys_compute_session_value(esysContext->session_tab[1], ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ ++ if (signHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[1], + &signHandleNode->rsrc.name, &signHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + + /* Generate the auth values and set them in the SAPI command buffer */ +diff --git a/src/tss2-esys/api/Esys_CertifyCreation.c b/src/tss2-esys/api/Esys_CertifyCreation.c +index 04c07a9bf33c..3135a49f77ca 100644 +--- a/src/tss2-esys/api/Esys_CertifyCreation.c ++++ b/src/tss2-esys/api/Esys_CertifyCreation.c +@@ -209,8 +209,12 @@ Esys_CertifyCreation_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], +- &signHandleNode->rsrc.name, &signHandleNode->auth); ++ if (signHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], ++ &signHandleNode->rsrc.name, &signHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_ChangeEPS.c b/src/tss2-esys/api/Esys_ChangeEPS.c +index 954c442547f3..d76a613d417e 100644 +--- a/src/tss2-esys/api/Esys_ChangeEPS.c ++++ b/src/tss2-esys/api/Esys_ChangeEPS.c +@@ -175,8 +175,12 @@ Esys_ChangeEPS_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], +- &authHandleNode->rsrc.name, &authHandleNode->auth); ++ if (authHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], ++ &authHandleNode->rsrc.name, &authHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_ChangePPS.c b/src/tss2-esys/api/Esys_ChangePPS.c +index c182533cebc5..ea0f9746c247 100644 +--- a/src/tss2-esys/api/Esys_ChangePPS.c ++++ b/src/tss2-esys/api/Esys_ChangePPS.c +@@ -175,8 +175,12 @@ Esys_ChangePPS_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (authHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &authHandleNode->rsrc.name, &authHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_Clear.c b/src/tss2-esys/api/Esys_Clear.c +index 96ffb470309f..f5c0b827425a 100644 +--- a/src/tss2-esys/api/Esys_Clear.c ++++ b/src/tss2-esys/api/Esys_Clear.c +@@ -174,8 +174,12 @@ Esys_Clear_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (authHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &authHandleNode->rsrc.name, &authHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_ClearControl.c b/src/tss2-esys/api/Esys_ClearControl.c +index a9fcd1b5e2e9..a4d8b4d0bab6 100644 +--- a/src/tss2-esys/api/Esys_ClearControl.c ++++ b/src/tss2-esys/api/Esys_ClearControl.c +@@ -181,8 +181,12 @@ Esys_ClearControl_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (authNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &authNode->rsrc.name, &authNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_ClockRateAdjust.c b/src/tss2-esys/api/Esys_ClockRateAdjust.c +index cb25c8502d23..931645c95296 100644 +--- a/src/tss2-esys/api/Esys_ClockRateAdjust.c ++++ b/src/tss2-esys/api/Esys_ClockRateAdjust.c +@@ -179,8 +179,12 @@ Esys_ClockRateAdjust_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], +- &authNode->rsrc.name, &authNode->auth); ++ if (authNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], ++ &authNode->rsrc.name, &authNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_ClockSet.c b/src/tss2-esys/api/Esys_ClockSet.c +index 7191576aec6b..b38219e7cbf3 100644 +--- a/src/tss2-esys/api/Esys_ClockSet.c ++++ b/src/tss2-esys/api/Esys_ClockSet.c +@@ -179,8 +179,12 @@ Esys_ClockSet_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (authNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &authNode->rsrc.name, &authNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_Commit.c b/src/tss2-esys/api/Esys_Commit.c +index 52298e4c7c6c..8992c20ca419 100644 +--- a/src/tss2-esys/api/Esys_Commit.c ++++ b/src/tss2-esys/api/Esys_Commit.c +@@ -190,8 +190,12 @@ Esys_Commit_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (signHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &signHandleNode->rsrc.name, &signHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_Create.c b/src/tss2-esys/api/Esys_Create.c +index c7e59f7ed5ff..c21ed7bc7d42 100644 +--- a/src/tss2-esys/api/Esys_Create.c ++++ b/src/tss2-esys/api/Esys_Create.c +@@ -204,8 +204,13 @@ Esys_Create_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ ++ if (parentHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &parentHandleNode->rsrc.name, &parentHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_CreateLoaded.c b/src/tss2-esys/api/Esys_CreateLoaded.c +index a92649cade27..7b366045e5eb 100644 +--- a/src/tss2-esys/api/Esys_CreateLoaded.c ++++ b/src/tss2-esys/api/Esys_CreateLoaded.c +@@ -210,8 +210,12 @@ Esys_CreateLoaded_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (parentHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &parentHandleNode->rsrc.name, &parentHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_CreatePrimary.c b/src/tss2-esys/api/Esys_CreatePrimary.c +index 9eb19042e7bb..a9b9e8f2dfe6 100644 +--- a/src/tss2-esys/api/Esys_CreatePrimary.c ++++ b/src/tss2-esys/api/Esys_CreatePrimary.c +@@ -223,8 +223,12 @@ Esys_CreatePrimary_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (primaryHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &primaryHandleNode->rsrc.name, &primaryHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_DictionaryAttackLockReset.c b/src/tss2-esys/api/Esys_DictionaryAttackLockReset.c +index 1e8207fe7cfc..bada24bd3dbd 100644 +--- a/src/tss2-esys/api/Esys_DictionaryAttackLockReset.c ++++ b/src/tss2-esys/api/Esys_DictionaryAttackLockReset.c +@@ -176,8 +176,12 @@ Esys_DictionaryAttackLockReset_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (lockHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &lockHandleNode->rsrc.name, &lockHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_DictionaryAttackParameters.c b/src/tss2-esys/api/Esys_DictionaryAttackParameters.c +index f10aa2f06b46..a61a5b4d4f26 100644 +--- a/src/tss2-esys/api/Esys_DictionaryAttackParameters.c ++++ b/src/tss2-esys/api/Esys_DictionaryAttackParameters.c +@@ -198,8 +198,12 @@ Esys_DictionaryAttackParameters_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (lockHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &lockHandleNode->rsrc.name, &lockHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_Duplicate.c b/src/tss2-esys/api/Esys_Duplicate.c +index d0e5799897e2..c587fd740af7 100644 +--- a/src/tss2-esys/api/Esys_Duplicate.c ++++ b/src/tss2-esys/api/Esys_Duplicate.c +@@ -202,8 +202,12 @@ Esys_Duplicate_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (objectHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &objectHandleNode->rsrc.name, &objectHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_ECDH_ZGen.c b/src/tss2-esys/api/Esys_ECDH_ZGen.c +index 24e487363f0f..dad825960e62 100644 +--- a/src/tss2-esys/api/Esys_ECDH_ZGen.c ++++ b/src/tss2-esys/api/Esys_ECDH_ZGen.c +@@ -171,8 +171,12 @@ Esys_ECDH_ZGen_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (keyHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &keyHandleNode->rsrc.name, &keyHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_EncryptDecrypt.c b/src/tss2-esys/api/Esys_EncryptDecrypt.c +index 506f22e68317..e3b6cc64f58a 100644 +--- a/src/tss2-esys/api/Esys_EncryptDecrypt.c ++++ b/src/tss2-esys/api/Esys_EncryptDecrypt.c +@@ -196,8 +196,12 @@ Esys_EncryptDecrypt_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (keyHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &keyHandleNode->rsrc.name, &keyHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_EncryptDecrypt2.c b/src/tss2-esys/api/Esys_EncryptDecrypt2.c +index a6fa4b1f2185..bdbae8392f57 100644 +--- a/src/tss2-esys/api/Esys_EncryptDecrypt2.c ++++ b/src/tss2-esys/api/Esys_EncryptDecrypt2.c +@@ -190,8 +190,12 @@ Esys_EncryptDecrypt2_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (keyHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &keyHandleNode->rsrc.name, &keyHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_EventSequenceComplete.c b/src/tss2-esys/api/Esys_EventSequenceComplete.c +index c318a67a4369..6ee7904a358d 100644 +--- a/src/tss2-esys/api/Esys_EventSequenceComplete.c ++++ b/src/tss2-esys/api/Esys_EventSequenceComplete.c +@@ -189,11 +189,18 @@ Esys_EventSequenceComplete_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (pcrHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &pcrHandleNode->rsrc.name, &pcrHandleNode->auth); +- iesys_compute_session_value(esysContext->session_tab[1], +- sequenceHandleNode ? &sequenceHandleNode->rsrc.name : NULL, +- sequenceHandleNode ? &sequenceHandleNode->auth : NULL); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ ++ if (sequenceHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[1], ++ &sequenceHandleNode->rsrc.name, &sequenceHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + + /* Generate the auth values and set them in the SAPI command buffer */ +diff --git a/src/tss2-esys/api/Esys_EvictControl.c b/src/tss2-esys/api/Esys_EvictControl.c +index fe7aaaccf888..faade51c7060 100644 +--- a/src/tss2-esys/api/Esys_EvictControl.c ++++ b/src/tss2-esys/api/Esys_EvictControl.c +@@ -209,8 +209,12 @@ Esys_EvictControl_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (authNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &authNode->rsrc.name, &authNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_FieldUpgradeStart.c b/src/tss2-esys/api/Esys_FieldUpgradeStart.c +index 27f963accf40..2e1a07e29700 100644 +--- a/src/tss2-esys/api/Esys_FieldUpgradeStart.c ++++ b/src/tss2-esys/api/Esys_FieldUpgradeStart.c +@@ -196,8 +196,12 @@ Esys_FieldUpgradeStart_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (authorizationNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &authorizationNode->rsrc.name, &authorizationNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_GetCommandAuditDigest.c b/src/tss2-esys/api/Esys_GetCommandAuditDigest.c +index 0c3b642b3c51..714b3706bf40 100644 +--- a/src/tss2-esys/api/Esys_GetCommandAuditDigest.c ++++ b/src/tss2-esys/api/Esys_GetCommandAuditDigest.c +@@ -196,8 +196,12 @@ Esys_GetCommandAuditDigest_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (privacyHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &privacyHandleNode->rsrc.name, &privacyHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], + &signHandleNode->rsrc.name, &signHandleNode->auth); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); +diff --git a/src/tss2-esys/api/Esys_GetSessionAuditDigest.c b/src/tss2-esys/api/Esys_GetSessionAuditDigest.c +index 9d7ef314a637..38a62787d892 100644 +--- a/src/tss2-esys/api/Esys_GetSessionAuditDigest.c ++++ b/src/tss2-esys/api/Esys_GetSessionAuditDigest.c +@@ -210,8 +210,12 @@ Esys_GetSessionAuditDigest_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (privacyAdminHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &privacyAdminHandleNode->rsrc.name, &privacyAdminHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], + &signHandleNode->rsrc.name, &signHandleNode->auth); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); +diff --git a/src/tss2-esys/api/Esys_GetTime.c b/src/tss2-esys/api/Esys_GetTime.c +index 2142b8ec47df..6948dcbdcba6 100644 +--- a/src/tss2-esys/api/Esys_GetTime.c ++++ b/src/tss2-esys/api/Esys_GetTime.c +@@ -194,8 +194,12 @@ Esys_GetTime_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (privacyAdminHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &privacyAdminHandleNode->rsrc.name, &privacyAdminHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], + &signHandleNode->rsrc.name, &signHandleNode->auth); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); +diff --git a/src/tss2-esys/api/Esys_HMAC.c b/src/tss2-esys/api/Esys_HMAC.c +index 0d92f1c0c363..0e57c647d959 100644 +--- a/src/tss2-esys/api/Esys_HMAC.c ++++ b/src/tss2-esys/api/Esys_HMAC.c +@@ -177,8 +177,12 @@ Esys_HMAC_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (handleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &handleNode->rsrc.name, &handleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_HMAC_Start.c b/src/tss2-esys/api/Esys_HMAC_Start.c +index afecbfbaf0a6..b129be39a4d2 100644 +--- a/src/tss2-esys/api/Esys_HMAC_Start.c ++++ b/src/tss2-esys/api/Esys_HMAC_Start.c +@@ -194,8 +194,12 @@ Esys_HMAC_Start_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (handleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &handleNode->rsrc.name, &handleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_HierarchyChangeAuth.c b/src/tss2-esys/api/Esys_HierarchyChangeAuth.c +index 90d87bb5d76c..39672ed6823b 100644 +--- a/src/tss2-esys/api/Esys_HierarchyChangeAuth.c ++++ b/src/tss2-esys/api/Esys_HierarchyChangeAuth.c +@@ -194,8 +194,12 @@ Esys_HierarchyChangeAuth_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (authHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &authHandleNode->rsrc.name, &authHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_HierarchyControl.c b/src/tss2-esys/api/Esys_HierarchyControl.c +index 16fd593a6484..55207f20e6d2 100644 +--- a/src/tss2-esys/api/Esys_HierarchyControl.c ++++ b/src/tss2-esys/api/Esys_HierarchyControl.c +@@ -189,8 +189,12 @@ Esys_HierarchyControl_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (authHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &authHandleNode->rsrc.name, &authHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_Import.c b/src/tss2-esys/api/Esys_Import.c +index d7c36352b21f..8c24ed410c37 100644 +--- a/src/tss2-esys/api/Esys_Import.c ++++ b/src/tss2-esys/api/Esys_Import.c +@@ -199,8 +199,12 @@ Esys_Import_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (parentHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &parentHandleNode->rsrc.name, &parentHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_Load.c b/src/tss2-esys/api/Esys_Load.c +index b695991924c8..410d9c8bcc73 100644 +--- a/src/tss2-esys/api/Esys_Load.c ++++ b/src/tss2-esys/api/Esys_Load.c +@@ -191,8 +191,12 @@ Esys_Load_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (parentHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &parentHandleNode->rsrc.name, &parentHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_NV_Certify.c b/src/tss2-esys/api/Esys_NV_Certify.c +index 8f0eb6e65536..8b79fb69dae0 100644 +--- a/src/tss2-esys/api/Esys_NV_Certify.c ++++ b/src/tss2-esys/api/Esys_NV_Certify.c +@@ -215,10 +215,18 @@ Esys_NV_Certify_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (signHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &signHandleNode->rsrc.name, &signHandleNode->auth); +- iesys_compute_session_value(esysContext->session_tab[1], ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ ++ if (authHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[1], + &authHandleNode->rsrc.name, &authHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + + /* Generate the auth values and set them in the SAPI command buffer */ +diff --git a/src/tss2-esys/api/Esys_NV_ChangeAuth.c b/src/tss2-esys/api/Esys_NV_ChangeAuth.c +index d2aced330113..3004a3dd4b1d 100644 +--- a/src/tss2-esys/api/Esys_NV_ChangeAuth.c ++++ b/src/tss2-esys/api/Esys_NV_ChangeAuth.c +@@ -190,8 +190,12 @@ Esys_NV_ChangeAuth_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (nvIndexNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &nvIndexNode->rsrc.name, &nvIndexNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_NV_DefineSpace.c b/src/tss2-esys/api/Esys_NV_DefineSpace.c +index 01b6a3e3fd7b..70ae2a73d0be 100644 +--- a/src/tss2-esys/api/Esys_NV_DefineSpace.c ++++ b/src/tss2-esys/api/Esys_NV_DefineSpace.c +@@ -213,8 +213,12 @@ Esys_NV_DefineSpace_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (authHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &authHandleNode->rsrc.name, &authHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_NV_Extend.c b/src/tss2-esys/api/Esys_NV_Extend.c +index 23eeabddc24d..0b3d61b99405 100644 +--- a/src/tss2-esys/api/Esys_NV_Extend.c ++++ b/src/tss2-esys/api/Esys_NV_Extend.c +@@ -194,8 +194,12 @@ Esys_NV_Extend_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (authHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &authHandleNode->rsrc.name, &authHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_NV_GlobalWriteLock.c b/src/tss2-esys/api/Esys_NV_GlobalWriteLock.c +index f84ec4f0994e..56a9b1171462 100644 +--- a/src/tss2-esys/api/Esys_NV_GlobalWriteLock.c ++++ b/src/tss2-esys/api/Esys_NV_GlobalWriteLock.c +@@ -176,8 +176,12 @@ Esys_NV_GlobalWriteLock_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (authHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &authHandleNode->rsrc.name, &authHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_NV_Increment.c b/src/tss2-esys/api/Esys_NV_Increment.c +index 17504c6db1f1..6248b4b6c007 100644 +--- a/src/tss2-esys/api/Esys_NV_Increment.c ++++ b/src/tss2-esys/api/Esys_NV_Increment.c +@@ -195,8 +195,12 @@ Esys_NV_Increment_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (authHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &authHandleNode->rsrc.name, &authHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_NV_Read.c b/src/tss2-esys/api/Esys_NV_Read.c +index f97784f72b85..40f54ec7fea4 100644 +--- a/src/tss2-esys/api/Esys_NV_Read.c ++++ b/src/tss2-esys/api/Esys_NV_Read.c +@@ -192,8 +192,12 @@ Esys_NV_Read_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (authHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &authHandleNode->rsrc.name, &authHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_NV_ReadLock.c b/src/tss2-esys/api/Esys_NV_ReadLock.c +index ee15450f3e09..529446a02b30 100644 +--- a/src/tss2-esys/api/Esys_NV_ReadLock.c ++++ b/src/tss2-esys/api/Esys_NV_ReadLock.c +@@ -195,8 +195,12 @@ Esys_NV_ReadLock_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (authHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &authHandleNode->rsrc.name, &authHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_NV_SetBits.c b/src/tss2-esys/api/Esys_NV_SetBits.c +index a3d5508c0cbe..17d769880e16 100644 +--- a/src/tss2-esys/api/Esys_NV_SetBits.c ++++ b/src/tss2-esys/api/Esys_NV_SetBits.c +@@ -200,8 +200,12 @@ Esys_NV_SetBits_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (authHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &authHandleNode->rsrc.name, &authHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_NV_UndefineSpace.c b/src/tss2-esys/api/Esys_NV_UndefineSpace.c +index e816299dddbf..14a04789eb6e 100644 +--- a/src/tss2-esys/api/Esys_NV_UndefineSpace.c ++++ b/src/tss2-esys/api/Esys_NV_UndefineSpace.c +@@ -193,8 +193,12 @@ Esys_NV_UndefineSpace_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (authHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &authHandleNode->rsrc.name, &authHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_NV_UndefineSpaceSpecial.c b/src/tss2-esys/api/Esys_NV_UndefineSpaceSpecial.c +index c3df73f80a25..bd5aa2ef838d 100644 +--- a/src/tss2-esys/api/Esys_NV_UndefineSpaceSpecial.c ++++ b/src/tss2-esys/api/Esys_NV_UndefineSpaceSpecial.c +@@ -195,10 +195,18 @@ Esys_NV_UndefineSpaceSpecial_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (nvIndexNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &nvIndexNode->rsrc.name, &nvIndexNode->auth); +- iesys_compute_session_value(esysContext->session_tab[1], ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ ++ if (platformNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[1], + &platformNode->rsrc.name, &platformNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + + /* Generate the auth values and set them in the SAPI command buffer */ +diff --git a/src/tss2-esys/api/Esys_NV_Write.c b/src/tss2-esys/api/Esys_NV_Write.c +index f18e9d9724d7..c132def44c4a 100644 +--- a/src/tss2-esys/api/Esys_NV_Write.c ++++ b/src/tss2-esys/api/Esys_NV_Write.c +@@ -198,8 +198,12 @@ Esys_NV_Write_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (authHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &authHandleNode->rsrc.name, &authHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_NV_WriteLock.c b/src/tss2-esys/api/Esys_NV_WriteLock.c +index b2a8f646aaf4..c8b7ef4d2bc6 100644 +--- a/src/tss2-esys/api/Esys_NV_WriteLock.c ++++ b/src/tss2-esys/api/Esys_NV_WriteLock.c +@@ -195,8 +195,12 @@ Esys_NV_WriteLock_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (authHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &authHandleNode->rsrc.name, &authHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_ObjectChangeAuth.c b/src/tss2-esys/api/Esys_ObjectChangeAuth.c +index e7e018893f68..408b354f057a 100644 +--- a/src/tss2-esys/api/Esys_ObjectChangeAuth.c ++++ b/src/tss2-esys/api/Esys_ObjectChangeAuth.c +@@ -183,8 +183,12 @@ Esys_ObjectChangeAuth_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (objectHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &objectHandleNode->rsrc.name, &objectHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_PCR_Allocate.c b/src/tss2-esys/api/Esys_PCR_Allocate.c +index ea82b45182ae..d9a426ce8bab 100644 +--- a/src/tss2-esys/api/Esys_PCR_Allocate.c ++++ b/src/tss2-esys/api/Esys_PCR_Allocate.c +@@ -194,8 +194,12 @@ Esys_PCR_Allocate_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (authHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &authHandleNode->rsrc.name, &authHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_PCR_Event.c b/src/tss2-esys/api/Esys_PCR_Event.c +index 30ef453adc17..a01335629141 100644 +--- a/src/tss2-esys/api/Esys_PCR_Event.c ++++ b/src/tss2-esys/api/Esys_PCR_Event.c +@@ -176,8 +176,12 @@ Esys_PCR_Event_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (pcrHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &pcrHandleNode->rsrc.name, &pcrHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_PCR_Extend.c b/src/tss2-esys/api/Esys_PCR_Extend.c +index bbb1e4133aa2..8e2d4ad39403 100644 +--- a/src/tss2-esys/api/Esys_PCR_Extend.c ++++ b/src/tss2-esys/api/Esys_PCR_Extend.c +@@ -179,8 +179,12 @@ Esys_PCR_Extend_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (pcrHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &pcrHandleNode->rsrc.name, &pcrHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_PCR_Reset.c b/src/tss2-esys/api/Esys_PCR_Reset.c +index ed5a9aa49089..178a7924632c 100644 +--- a/src/tss2-esys/api/Esys_PCR_Reset.c ++++ b/src/tss2-esys/api/Esys_PCR_Reset.c +@@ -175,8 +175,12 @@ Esys_PCR_Reset_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (pcrHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &pcrHandleNode->rsrc.name, &pcrHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_PCR_SetAuthPolicy.c b/src/tss2-esys/api/Esys_PCR_SetAuthPolicy.c +index a98817d36cd6..a7197c945103 100644 +--- a/src/tss2-esys/api/Esys_PCR_SetAuthPolicy.c ++++ b/src/tss2-esys/api/Esys_PCR_SetAuthPolicy.c +@@ -184,8 +184,12 @@ Esys_PCR_SetAuthPolicy_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (authHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &authHandleNode->rsrc.name, &authHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_PCR_SetAuthValue.c b/src/tss2-esys/api/Esys_PCR_SetAuthValue.c +index 8bd1e37b3bc5..68e7c8a6d95f 100644 +--- a/src/tss2-esys/api/Esys_PCR_SetAuthValue.c ++++ b/src/tss2-esys/api/Esys_PCR_SetAuthValue.c +@@ -175,8 +175,12 @@ Esys_PCR_SetAuthValue_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (pcrHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &pcrHandleNode->rsrc.name, &pcrHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_PP_Commands.c b/src/tss2-esys/api/Esys_PP_Commands.c +index 188a5a459124..a7b803482a19 100644 +--- a/src/tss2-esys/api/Esys_PP_Commands.c ++++ b/src/tss2-esys/api/Esys_PP_Commands.c +@@ -189,8 +189,12 @@ Esys_PP_Commands_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (authNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &authNode->rsrc.name, &authNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_PolicyAuthorizeNV.c b/src/tss2-esys/api/Esys_PolicyAuthorizeNV.c +index bf52ec0d7041..4b71768872d7 100644 +--- a/src/tss2-esys/api/Esys_PolicyAuthorizeNV.c ++++ b/src/tss2-esys/api/Esys_PolicyAuthorizeNV.c +@@ -199,8 +199,12 @@ Esys_PolicyAuthorizeNV_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (authHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &authHandleNode->rsrc.name, &authHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_PolicyNV.c b/src/tss2-esys/api/Esys_PolicyNV.c +index 752856e2eda7..cfff5fc33da1 100644 +--- a/src/tss2-esys/api/Esys_PolicyNV.c ++++ b/src/tss2-esys/api/Esys_PolicyNV.c +@@ -206,8 +206,12 @@ Esys_PolicyNV_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (authHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &authHandleNode->rsrc.name, &authHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_PolicySecret.c b/src/tss2-esys/api/Esys_PolicySecret.c +index 671c40cdba0c..c755578e9da7 100644 +--- a/src/tss2-esys/api/Esys_PolicySecret.c ++++ b/src/tss2-esys/api/Esys_PolicySecret.c +@@ -208,8 +208,12 @@ Esys_PolicySecret_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (authHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &authHandleNode->rsrc.name, &authHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_Quote.c b/src/tss2-esys/api/Esys_Quote.c +index 3c3f7f10f852..44ba57f2fe1a 100644 +--- a/src/tss2-esys/api/Esys_Quote.c ++++ b/src/tss2-esys/api/Esys_Quote.c +@@ -185,8 +185,12 @@ Esys_Quote_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (signHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &signHandleNode->rsrc.name, &signHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_RSA_Decrypt.c b/src/tss2-esys/api/Esys_RSA_Decrypt.c +index 30ec54e3d0d2..a4c953be1f3b 100644 +--- a/src/tss2-esys/api/Esys_RSA_Decrypt.c ++++ b/src/tss2-esys/api/Esys_RSA_Decrypt.c +@@ -182,8 +182,12 @@ Esys_RSA_Decrypt_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (keyHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &keyHandleNode->rsrc.name, &keyHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_Rewrap.c b/src/tss2-esys/api/Esys_Rewrap.c +index f31538d008fc..f1127ce47706 100644 +--- a/src/tss2-esys/api/Esys_Rewrap.c ++++ b/src/tss2-esys/api/Esys_Rewrap.c +@@ -197,8 +197,12 @@ Esys_Rewrap_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (oldParentNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &oldParentNode->rsrc.name, &oldParentNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_SequenceComplete.c b/src/tss2-esys/api/Esys_SequenceComplete.c +index c6afd9097366..2227afc1f453 100644 +--- a/src/tss2-esys/api/Esys_SequenceComplete.c ++++ b/src/tss2-esys/api/Esys_SequenceComplete.c +@@ -190,9 +190,12 @@ Esys_SequenceComplete_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], +- sequenceHandleNode ? &sequenceHandleNode->rsrc.name : NULL, +- sequenceHandleNode ? &sequenceHandleNode->auth : NULL); ++ if (sequenceHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], ++ &sequenceHandleNode->rsrc.name, &sequenceHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_SequenceUpdate.c b/src/tss2-esys/api/Esys_SequenceUpdate.c +index add3ec4f33bf..c1bc93daeb03 100644 +--- a/src/tss2-esys/api/Esys_SequenceUpdate.c ++++ b/src/tss2-esys/api/Esys_SequenceUpdate.c +@@ -175,9 +175,12 @@ Esys_SequenceUpdate_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], +- sequenceHandleNode ? &sequenceHandleNode->rsrc.name : NULL, +- sequenceHandleNode ? &sequenceHandleNode->auth : NULL); ++ if (sequenceHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], ++ &sequenceHandleNode->rsrc.name, &sequenceHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_SetAlgorithmSet.c b/src/tss2-esys/api/Esys_SetAlgorithmSet.c +index d73771e3f74a..4716f04b8793 100644 +--- a/src/tss2-esys/api/Esys_SetAlgorithmSet.c ++++ b/src/tss2-esys/api/Esys_SetAlgorithmSet.c +@@ -182,8 +182,12 @@ Esys_SetAlgorithmSet_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (authHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &authHandleNode->rsrc.name, &authHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_SetCommandCodeAuditStatus.c b/src/tss2-esys/api/Esys_SetCommandCodeAuditStatus.c +index 1290a87b7563..38268b94e1cb 100644 +--- a/src/tss2-esys/api/Esys_SetCommandCodeAuditStatus.c ++++ b/src/tss2-esys/api/Esys_SetCommandCodeAuditStatus.c +@@ -196,8 +196,12 @@ Esys_SetCommandCodeAuditStatus_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (authNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &authNode->rsrc.name, &authNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_SetPrimaryPolicy.c b/src/tss2-esys/api/Esys_SetPrimaryPolicy.c +index 51272d57c8e2..73b676870704 100644 +--- a/src/tss2-esys/api/Esys_SetPrimaryPolicy.c ++++ b/src/tss2-esys/api/Esys_SetPrimaryPolicy.c +@@ -183,8 +183,12 @@ Esys_SetPrimaryPolicy_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (authHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &authHandleNode->rsrc.name, &authHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_Sign.c b/src/tss2-esys/api/Esys_Sign.c +index 06a0a451e4d9..374c17d35543 100644 +--- a/src/tss2-esys/api/Esys_Sign.c ++++ b/src/tss2-esys/api/Esys_Sign.c +@@ -188,8 +188,12 @@ Esys_Sign_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (keyHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &keyHandleNode->rsrc.name, &keyHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_Unseal.c b/src/tss2-esys/api/Esys_Unseal.c +index 1ac785809fe8..b3203a0e5aae 100644 +--- a/src/tss2-esys/api/Esys_Unseal.c ++++ b/src/tss2-esys/api/Esys_Unseal.c +@@ -172,8 +172,12 @@ Esys_Unseal_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (itemHandleNode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &itemHandleNode->rsrc.name, &itemHandleNode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +diff --git a/src/tss2-esys/api/Esys_ZGen_2Phase.c b/src/tss2-esys/api/Esys_ZGen_2Phase.c +index cb30880c3c71..c59996d35aea 100644 +--- a/src/tss2-esys/api/Esys_ZGen_2Phase.c ++++ b/src/tss2-esys/api/Esys_ZGen_2Phase.c +@@ -190,8 +190,12 @@ Esys_ZGen_2Phase_Async( + /* Calculate the cpHash Values */ + r = init_session_tab(esysContext, shandle1, shandle2, shandle3); + return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); +- iesys_compute_session_value(esysContext->session_tab[0], ++ if (keyANode != NULL) ++ iesys_compute_session_value(esysContext->session_tab[0], + &keyANode->rsrc.name, &keyANode->auth); ++ else ++ iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); ++ + iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + +-- +2.27.0 + diff --git a/SOURCES/0001-esys-fix-Esys_StartAuthSession-called-with-optional-.patch b/SOURCES/0001-esys-fix-Esys_StartAuthSession-called-with-optional-.patch new file mode 100644 index 0000000..5299421 --- /dev/null +++ b/SOURCES/0001-esys-fix-Esys_StartAuthSession-called-with-optional-.patch @@ -0,0 +1,45 @@ +From 0bd19b61c8cd07d03b6efffc05f95d5ec427a3d6 Mon Sep 17 00:00:00 2001 +From: Tadeusz Struk +Date: Tue, 14 Jan 2020 10:55:20 -0800 +Subject: [PATCH] esys: fix Esys_StartAuthSession called with optional params + +For an HMAC session if any of the optional params are ESYS_TR_NONE +we need to use the same tpm2_handles TPM2_RH_NULL (0x40000007) +as in the prepare call to correctly calculate cpHash and HMAC +values for the session. + +Fixes: #1590 + +Signed-off-by: Tadeusz Struk +--- + src/tss2-esys/api/Esys_StartAuthSession.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/src/tss2-esys/api/Esys_StartAuthSession.c b/src/tss2-esys/api/Esys_StartAuthSession.c +index 313604a2077c..3ccd842a7572 100644 +--- a/src/tss2-esys/api/Esys_StartAuthSession.c ++++ b/src/tss2-esys/api/Esys_StartAuthSession.c +@@ -260,7 +260,19 @@ Esys_StartAuthSession_Async( + iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); + + /* Generate the auth values and set them in the SAPI command buffer */ +- r = iesys_gen_auths(esysContext, tpmKeyNode, bindNode, NULL, &auths); ++ ++ RSRC_NODE_T none; ++ size_t offset = 0; ++ none.rsrc.handle = TPM2_RH_NULL; ++ none.rsrc.rsrcType = IESYSC_WITHOUT_MISC_RSRC; ++ r = Tss2_MU_TPM2_HANDLE_Marshal(TPM2_RH_NULL, ++ none.rsrc.name.name, ++ sizeof(none.rsrc.name.name), ++ &offset); ++ return_state_if_error(r, _ESYS_STATE_INIT, "Marshaling TPM handle."); ++ none.rsrc.name.size = offset; ++ r = iesys_gen_auths(esysContext, tpmKeyNode ? tpmKeyNode : &none, ++ bindNode ? bindNode : &none, NULL, &auths); + return_state_if_error(r, _ESYS_STATE_INIT, + "Error in computation of auth values"); + +-- +2.27.0 + diff --git a/SOURCES/0001-esys-fix-keysize-of-ECC-curve-TPM2_ECC_NISTP224.patch b/SOURCES/0001-esys-fix-keysize-of-ECC-curve-TPM2_ECC_NISTP224.patch new file mode 100644 index 0000000..71accc8 --- /dev/null +++ b/SOURCES/0001-esys-fix-keysize-of-ECC-curve-TPM2_ECC_NISTP224.patch @@ -0,0 +1,29 @@ +From 76641c1e6b016979973fead7a24bb8fca4ee8325 Mon Sep 17 00:00:00 2001 +From: Johannes Holland +Date: Thu, 26 Sep 2019 09:46:09 +0100 +Subject: [PATCH] esys: fix keysize of ECC curve TPM2_ECC_NISTP224 + +In esys_crypto_ossl.c, for the ECC curve TPM2_ECC_NISTP244 a key size of +38 is selected. However, 224 bit / 8 bit/byte = 28 byte. + +Signed-off-by: Johannes Holland +--- + src/tss2-esys/esys_crypto_ossl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c +index 124501964ae7..3c5d86d69705 100644 +--- a/src/tss2-esys/esys_crypto_ossl.c ++++ b/src/tss2-esys/esys_crypto_ossl.c +@@ -804,7 +804,7 @@ iesys_cryptossl_get_ecdh_point(TPM2B_PUBLIC *key, + break; + case TPM2_ECC_NIST_P224: + curveId = NID_secp224r1; +- key_size = 38; ++ key_size = 28; + break; + case TPM2_ECC_NIST_P256: + curveId = NID_X9_62_prime256v1; +-- +2.27.0 + diff --git a/SOURCES/0001-esys-fixup-compute_encrypted_salt-err-handling-in-Es.patch b/SOURCES/0001-esys-fixup-compute_encrypted_salt-err-handling-in-Es.patch new file mode 100644 index 0000000..3b4fc20 --- /dev/null +++ b/SOURCES/0001-esys-fixup-compute_encrypted_salt-err-handling-in-Es.patch @@ -0,0 +1,47 @@ +From 380d5f9ec3aa1f5e456598fe66d275467660177b Mon Sep 17 00:00:00 2001 +From: Tadeusz Struk +Date: Thu, 16 Jan 2020 09:27:04 -0800 +Subject: [PATCH] esys: fixup compute_encrypted_salt err handling in + Esys_StartAuthSession + +Use return_state_if_error() macro for compute_encrypted_salt() +error handling in Esys_StartAuthSession to maintain the correct +context state. + +Signed-off-by: Tadeusz Struk +--- + src/tss2-esys/api/Esys_StartAuthSession.c | 13 ++++--------- + 1 file changed, 4 insertions(+), 9 deletions(-) + +diff --git a/src/tss2-esys/api/Esys_StartAuthSession.c b/src/tss2-esys/api/Esys_StartAuthSession.c +index 3ccd842a7572..1717928a717d 100644 +--- a/src/tss2-esys/api/Esys_StartAuthSession.c ++++ b/src/tss2-esys/api/Esys_StartAuthSession.c +@@ -223,20 +223,15 @@ Esys_StartAuthSession_Async( + TSS2_RC r2; + r2 = iesys_compute_encrypted_salt(esysContext, tpmKeyNode, + &encryptedSaltAux); +- return_if_error(r2, "Error in parameter encryption."); ++ return_state_if_error(r2, _ESYS_STATE_INIT, "Error in parameter encryption."); + + if (nonceCaller == NULL) { + r2 = iesys_crypto_hash_get_digest_size(authHash,&authHash_size); +- if (r2 != TSS2_RC_SUCCESS) { +- LOG_ERROR("Error: initialize auth session (%x).", r2); +- return r2; +- } ++ return_state_if_error(r2, _ESYS_STATE_INIT, "Error in hash_get_digest_size."); ++ + r2 = iesys_crypto_random2b(&esysContext->in.StartAuthSession.nonceCallerData, + authHash_size); +- if (r2 != TSS2_RC_SUCCESS) { +- LOG_ERROR("Error: initialize auth session (%x).", r2); +- return r2; +- } ++ return_state_if_error(r2, _ESYS_STATE_INIT, "Error in crypto_random2b."); + esysContext->in.StartAuthSession.nonceCaller + = &esysContext->in.StartAuthSession.nonceCallerData; + nonceCaller = esysContext->in.StartAuthSession.nonceCaller; +-- +2.27.0 + diff --git a/SOURCES/0001-esys-zero-out-ctx-salt-after-on-startAuthSession_fin.patch b/SOURCES/0001-esys-zero-out-ctx-salt-after-on-startAuthSession_fin.patch new file mode 100644 index 0000000..eed03d3 --- /dev/null +++ b/SOURCES/0001-esys-zero-out-ctx-salt-after-on-startAuthSession_fin.patch @@ -0,0 +1,38 @@ +From 1ec07af70925ece698b733d55dedd1d9878b70f2 Mon Sep 17 00:00:00 2001 +From: Tadeusz Struk +Date: Fri, 24 Jan 2020 19:05:34 -0800 +Subject: [PATCH] esys: zero out ctx->salt after on startAuthSession_finish + +The ctx->salt is used to calculate session key during +startAuthSession call if the caller pass a valid tpmKey +parameter. There salt is calculated in the _Async call +and the the session key is calculated in the _Finish call. +The problem is that if in the same context an unsalted +session is created after a salted session the ctx->salt +will still hold the old value and it will incorrectly +be used for session key calculation in the the subsequent +_Finish call. To fix this the salt needs to be set to +cleaned after no longer needed. + +Fixes: #1574 + +Signed-off-by: Tadeusz Struk +--- + src/tss2-esys/api/Esys_StartAuthSession.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/tss2-esys/api/Esys_StartAuthSession.c b/src/tss2-esys/api/Esys_StartAuthSession.c +index 1717928a717d..6367419d7c9a 100644 +--- a/src/tss2-esys/api/Esys_StartAuthSession.c ++++ b/src/tss2-esys/api/Esys_StartAuthSession.c +@@ -497,6 +497,7 @@ Esys_StartAuthSession_Finish( + goto_if_error(r, "Marshal session name", error_cleanup); + + sessionHandleNode->rsrc.name.size = offset; ++ memset(&esysContext->salt, '\0', sizeof(esysContext->salt)); + esysContext->state = _ESYS_STATE_INIT; + + return TSS2_RC_SUCCESS; +-- +2.27.0 + diff --git a/SOURCES/0001-esys_iutil-use-memcmp-in-byte-array-comparison.patch b/SOURCES/0001-esys_iutil-use-memcmp-in-byte-array-comparison.patch new file mode 100644 index 0000000..511378f --- /dev/null +++ b/SOURCES/0001-esys_iutil-use-memcmp-in-byte-array-comparison.patch @@ -0,0 +1,62 @@ +From 0bf42a4489973005ddd912a800dfb92eff2806e8 Mon Sep 17 00:00:00 2001 +From: William Roberts +Date: Mon, 16 Sep 2019 17:12:23 -0700 +Subject: [PATCH] esys_iutil: use memcmp in byte array comparison + +Rather than a byte for byte forloop, use memcmp() so the compiler can +use architectural optimizations. + +Signed-off-by: William Roberts +--- + src/tss2-esys/esys_iutil.c | 27 +++++---------------------- + 1 file changed, 5 insertions(+), 22 deletions(-) + +diff --git a/src/tss2-esys/esys_iutil.c b/src/tss2-esys/esys_iutil.c +index 94d0332c5b7d..08a9b7dffcbd 100644 +--- a/src/tss2-esys/esys_iutil.c ++++ b/src/tss2-esys/esys_iutil.c +@@ -35,23 +35,6 @@ cmp_UINT16(const UINT16 * in1, const UINT16 * in2) + } + } + +-/** +- * Compare variables of type BYTE. +- * @param[in] in1 Variable to be compared with: +- * @param[in] in2 +- */ +-static bool +-cmp_BYTE(const BYTE * in1, const BYTE * in2) +-{ +- LOG_TRACE("call"); +- if (*in1 == *in2) +- return true; +- else { +- LOG_TRACE("cmp false"); +- return false; +- } +-} +- + /** + * Compare two arrays of type BYTE. + * @param[in] in1 array to be compared with:. +@@ -65,12 +48,12 @@ cmp_BYTE_array(const BYTE * in1, size_t count1, const BYTE * in2, size_t count2) + LOG_TRACE("cmp false"); + return false; + } +- for (size_t i = 0; i < count1; i++) { +- if (!cmp_BYTE(&in1[i], &in2[i])) { +- LOG_TRACE("cmp false"); +- return false; +- } ++ ++ if (memcmp(in1, in2, count2) != 0) { ++ LOG_TRACE("cmp false"); ++ return false; + } ++ + return true; + } + +-- +2.27.0 + diff --git a/SOURCES/0001-mu-Remove-use-of-VLAs-for-Marshalling-TPML-types.patch b/SOURCES/0001-mu-Remove-use-of-VLAs-for-Marshalling-TPML-types.patch new file mode 100644 index 0000000..867293b --- /dev/null +++ b/SOURCES/0001-mu-Remove-use-of-VLAs-for-Marshalling-TPML-types.patch @@ -0,0 +1,71 @@ +From 58ee0fd916671942e62ac9930f18225761a6dd66 Mon Sep 17 00:00:00 2001 +From: Joe Richey +Date: Tue, 21 Jan 2020 20:04:45 -0800 +Subject: [PATCH] mu: Remove use of VLAs for Marshalling TPML types + +All of the `Tss2_MU_*_Marshal()` functions have the property that +`buffer` can be NULL, `offset` can be NULL, but both cannot be +NULL. Some Marshal functions check this directly (returning +`TSS2_MU_RC_BAD_REFERENCE` on error), but most do this by composing +existing Marshalling functions together. + +The TMPL Marshal functions does things differently, it creates a local +VLA `local_buffer[buffer_size]` and uses that as the buffer pointer if +a NULL buffer is given. This is unnecessary, as this pointer is only +used for debug logging and passed to other Marshalling functions, which +will correctly handle a NULL buffer. + +Note that the VLA in the existing code is of length `buffer_size` (the +length of the _entire_ buffer, _not_ the length of the data being +unmarshaled). This can potentially result in a very large stack +allocation, or stack overflow. + +Signed-off-by: Joe Richey +--- + src/tss2-mu/tpml-types.c | 11 +++-------- + 1 file changed, 3 insertions(+), 8 deletions(-) + +diff --git a/src/tss2-mu/tpml-types.c b/src/tss2-mu/tpml-types.c +index 9506a26efd14..ae1ed6177d75 100644 +--- a/src/tss2-mu/tpml-types.c ++++ b/src/tss2-mu/tpml-types.c +@@ -29,8 +29,6 @@ TSS2_RC Tss2_MU_##type##_Marshal(type const *src, uint8_t buffer[], \ + size_t local_offset = 0; \ + UINT32 i, count = 0; \ + TSS2_RC ret = TSS2_RC_SUCCESS; \ +- uint8_t *buf_ptr = buffer; \ +- uint8_t local_buffer[buffer_size]; \ + \ + if (offset != NULL) { \ + LOG_TRACE("offset non-NULL, initial value: %zu", *offset); \ +@@ -60,24 +58,21 @@ TSS2_RC Tss2_MU_##type##_Marshal(type const *src, uint8_t buffer[], \ + LOG_WARNING("count too big"); \ + return TSS2_SYS_RC_BAD_VALUE; \ + } \ +-\ +- if (buf_ptr == NULL) \ +- buf_ptr = local_buffer; \ + \ + LOG_DEBUG(\ + "Marshalling " #type " from 0x%" PRIxPTR " to buffer 0x%" PRIxPTR \ + " at index 0x%zx", \ + (uintptr_t)&src, \ +- (uintptr_t)buf_ptr, \ ++ (uintptr_t)buffer, \ + local_offset); \ + \ +- ret = Tss2_MU_UINT32_Marshal(src->count, buf_ptr, buffer_size, &local_offset); \ ++ ret = Tss2_MU_UINT32_Marshal(src->count, buffer, buffer_size, &local_offset); \ + if (ret) \ + return ret; \ + \ + for (i = 0; i < src->count; i++) \ + { \ +- ret = marshal_func(op src->buf_name[i], buf_ptr, buffer_size, &local_offset); \ ++ ret = marshal_func(op src->buf_name[i], buffer, buffer_size, &local_offset); \ + if (ret) \ + return ret; \ + } \ +-- +2.27.0 + diff --git a/SOURCES/0001-sys-match-counter-variable-type-for-cmdAuthsArray-co.patch b/SOURCES/0001-sys-match-counter-variable-type-for-cmdAuthsArray-co.patch new file mode 100644 index 0000000..b8e4098 --- /dev/null +++ b/SOURCES/0001-sys-match-counter-variable-type-for-cmdAuthsArray-co.patch @@ -0,0 +1,29 @@ +From 5ab8190843597ff6a255c59f91582e4dca117927 Mon Sep 17 00:00:00 2001 +From: Jonas Witschel +Date: Thu, 21 Nov 2019 14:49:27 +0100 +Subject: [PATCH] sys: match counter variable type for cmdAuthsArray->count + +TSS2L_SYS_AUTH_COMMAND.count is defined as uint16_t, so the counter +variable should be uint16_t as well. + +Signed-off-by: Jonas Witschel +--- + src/tss2-sys/api/Tss2_Sys_SetCmdAuths.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/tss2-sys/api/Tss2_Sys_SetCmdAuths.c b/src/tss2-sys/api/Tss2_Sys_SetCmdAuths.c +index 1bc3f3c2556f..d946c14e5cfb 100644 +--- a/src/tss2-sys/api/Tss2_Sys_SetCmdAuths.c ++++ b/src/tss2-sys/api/Tss2_Sys_SetCmdAuths.c +@@ -20,7 +20,7 @@ TSS2_RC Tss2_Sys_SetCmdAuths( + const TSS2L_SYS_AUTH_COMMAND *cmdAuthsArray) + { + _TSS2_SYS_CONTEXT_BLOB *ctx = syscontext_cast(sysContext); +- uint8_t i; ++ uint16_t i; + UINT32 authSize = 0; + UINT32 newCmdSize = 0; + size_t authOffset; +-- +2.27.0 + diff --git a/SOURCES/0001-tcti-device-getPollHandles-should-allow-num_handles-.patch b/SOURCES/0001-tcti-device-getPollHandles-should-allow-num_handles-.patch new file mode 100644 index 0000000..776d11b --- /dev/null +++ b/SOURCES/0001-tcti-device-getPollHandles-should-allow-num_handles-.patch @@ -0,0 +1,39 @@ +From c42450a294c4267998aa16a477e9218ee5953aa9 Mon Sep 17 00:00:00 2001 +From: Jeffrey Ferreira +Date: Thu, 19 Sep 2019 13:32:00 -0700 +Subject: [PATCH] tcti-device: getPollHandles should allow num_handles query + +Signed-off-by: Jeffrey Ferreira +--- + src/tss2-tcti/tcti-device.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/src/tss2-tcti/tcti-device.c b/src/tss2-tcti/tcti-device.c +index 44c9fe2083d5..53a698cad061 100644 +--- a/src/tss2-tcti/tcti-device.c ++++ b/src/tss2-tcti/tcti-device.c +@@ -368,12 +368,19 @@ tcti_device_get_poll_handles ( + return TSS2_TCTI_RC_BAD_CONTEXT; + } + +- if (handles == NULL || num_handles == NULL) { ++ if (num_handles == NULL) { + return TSS2_TCTI_RC_BAD_REFERENCE; + } + ++ if (handles != NULL && *num_handles < 1) { ++ return TSS2_TCTI_RC_INSUFFICIENT_BUFFER; ++ } ++ + *num_handles = 1; +- handles->fd = tcti_dev->fd; ++ if (handles != NULL) { ++ handles->fd = tcti_dev->fd; ++ } ++ + return TSS2_RC_SUCCESS; + #else + (void)(tctiContext); +-- +2.27.0 + diff --git a/SOURCES/0001-tctildr-fix-segmentation-fault-if-name_conf-is-too-b.patch b/SOURCES/0001-tctildr-fix-segmentation-fault-if-name_conf-is-too-b.patch new file mode 100644 index 0000000..3a0f962 --- /dev/null +++ b/SOURCES/0001-tctildr-fix-segmentation-fault-if-name_conf-is-too-b.patch @@ -0,0 +1,39 @@ +From ffca561b2de43df0a9f7f9c0e717fca943f2c38b Mon Sep 17 00:00:00 2001 +From: Johannes Holland +Date: Tue, 20 Aug 2019 16:58:09 +0200 +Subject: [PATCH] tctildr: fix segmentation fault if name_conf is too big + +When strlen(name_conf) is too big and logging is set to at least DEBUG, +tctildr_conf_parse will cause a segmentation fault. This happens when +the unit tests are run with logging set to DEBUG. Hence, the logging +call has to be done after the check for strlen(name_conf). + +Signed-off-by: Johannes Holland +--- + src/tss2-tcti/tctildr.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/tss2-tcti/tctildr.c b/src/tss2-tcti/tctildr.c +index 76248f358860..ff967317b57b 100644 +--- a/src/tss2-tcti/tctildr.c ++++ b/src/tss2-tcti/tctildr.c +@@ -117,7 +117,6 @@ tctildr_conf_parse (const char *name_conf, + char *split; + size_t combined_length; + +- LOG_DEBUG ("name_conf: \"%s\"", name_conf); + if (name_conf == NULL) { + LOG_ERROR ("'name_conf' param may NOT be NULL"); + return TSS2_TCTI_RC_BAD_REFERENCE; +@@ -127,6 +126,8 @@ tctildr_conf_parse (const char *name_conf, + LOG_ERROR ("combined conf length must be between 0 and PATH_MAX"); + return TSS2_TCTI_RC_BAD_VALUE; + } ++ ++ LOG_DEBUG ("name_conf: \"%s\"", name_conf); + if (combined_length == 0) + return TSS2_RC_SUCCESS; + split = strchr (name_conf, ':'); +-- +2.27.0 + diff --git a/SPECS/tpm2-tss.spec b/SPECS/tpm2-tss.spec index 26cb23c..d51a096 100644 --- a/SPECS/tpm2-tss.spec +++ b/SPECS/tpm2-tss.spec @@ -1,6 +1,6 @@ Name: tpm2-tss Version: 2.3.2 -Release: 2%{?dist} +Release: 3%{?dist} Summary: TPM2.0 Software Stack # The entire source code is under BSD except implementation.h and tpmb.h which @@ -10,6 +10,20 @@ URL: https://github.com/tpm2-software/tpm2-tss Source0: https://github.com/tpm2-software/tpm2-tss/releases/download/%{version}/%{name}-%{version}.tar.gz # patch submitted upstream https://github.com/tpm2-software/tpm2-tss/pull/1707 Patch0: 0001-man-Clean-up-libmandoc-parser-warnings.patch +# Upstream patches +Patch1: 0001-esys-Check-object-handle-node-before-calling-compute.patch +Patch2: 0001-build-update-exported-symbols-map-for-libtss2-mu.patch +Patch3: 0001-esys-fix-Esys_StartAuthSession-called-with-optional-.patch +Patch4: 0001-esys-fixup-compute_encrypted_salt-err-handling-in-Es.patch +Patch5: 0001-esys-zero-out-ctx-salt-after-on-startAuthSession_fin.patch +Patch6: 0001-mu-Remove-use-of-VLAs-for-Marshalling-TPML-types.patch +Patch7: 0001-esys_iutil-use-memcmp-in-byte-array-comparison.patch +Patch8: 0001-tcti-device-getPollHandles-should-allow-num_handles-.patch +Patch9: 0001-tctildr-fix-segmentation-fault-if-name_conf-is-too-b.patch +Patch10: 0001-esys-fix-keysize-of-ECC-curve-TPM2_ECC_NISTP224.patch +Patch11: 0001-Esys_CreateLoaded-fix-resource-name-calculation.patch +Patch12: 0001-sys-match-counter-variable-type-for-cmdAuthsArray-co.patch +Patch13: 0001-Return-proper-error-code-on-memory-allocation-failur.patch %global udevrules_prefix 60- @@ -45,6 +59,17 @@ sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool %make_install find %{buildroot}%{_libdir} -type f -name \*.la -delete +%pre +getent group tss >/dev/null || groupadd -f -g 59 -r tss +if ! getent passwd tss >/dev/null ; then + if ! getent passwd 59 >/dev/null ; then + useradd -r -u 59 -g tss -d /dev/null -s /sbin/nologin -c "Account used for TPM access" tss + else + useradd -r -g tss -d /dev/null -s /sbin/nologin -c "Account used for TPM access" tss + fi +fi +exit 0 + %files %doc README.md CHANGELOG.md %license LICENSE @@ -91,6 +116,23 @@ use tpm2-tss. %postun -p /sbin/ldconfig %changelog +* Mon Nov 16 2020 Jerry Snitselaar - 2.3.2-3 +- Add tss user if doesn't exist. +- Update exported symbols map for libtss2-mu +- esys: Check object handle node before calling compute_session_value +- esys: fix resource name calculation +- esys: fix Esys_StartAuthSession called with optional params +- esys: fix keysize of ECC curve TPM2_ECC_NISTP224 +- esys: fixup compute_encrypted_salt error handling +- esys: use memcmp in byte array comparison +- esys: zero out ctx->salt after startAuthSession_finish +- mu: Remove use of VLAs for Marshalling TPML types +- return proper error code on memory allocation failure +- sys: match counter variable type for cmdAuthsArray->count +- tcti-device: getPollHandles should allow num_handles query +- tctildr: fix segmentation fault if name_conf is too big +resolves: rhbz#1879071 rhbz#1855180 + * Mon Apr 27 2020 Jerry Snitselaar - 2.3.2-2 - Clean up libmandoc parser errors. resolves: rhbz#1789684