From 220b7e0afa943693a4fdafd9a5b8d9e38ea4e785 Mon Sep 17 00:00:00 2001 From: Petr Gotthard Date: Sat, 7 Aug 2021 15:54:51 +0200 Subject: [PATCH 09/17] openssl: Convert deprecated SHA256|384 digesters to EVP_Digest The EVP_Digest function is available since OpenSSL 1.1.0 Signed-off-by: Petr Gotthard --- lib/tpm2_identity_util.c | 34 ++++++++++++++++++++++++---------- lib/tpm2_kdfe.c | 13 +++++++++++-- lib/tpm2_openssl.c | 17 ----------------- lib/tpm2_openssl.h | 28 ---------------------------- lib/tpm2_util.c | 15 +++++++++++---- 5 files changed, 46 insertions(+), 61 deletions(-) diff --git a/lib/tpm2_identity_util.c b/lib/tpm2_identity_util.c index a268295f..e0c3f404 100644 --- a/lib/tpm2_identity_util.c +++ b/lib/tpm2_identity_util.c @@ -391,11 +391,20 @@ bool tpm2_identity_util_calculate_inner_integrity(TPMI_ALG_HASH name_alg, Tss2_MU_UINT16_Marshal(hash_size, marshalled_sensitive_and_name_digest, sizeof(uint16_t), &digest_size_info); - digester d = tpm2_openssl_halg_to_digester(name_alg); - d(buffer_marshalled_sensitiveArea, - marshalled_sensitive_size_info + marshalled_sensitive_size - + pubname->size, - marshalled_sensitive_and_name_digest + digest_size_info); + const EVP_MD *md = tpm2_openssl_halg_from_tpmhalg(name_alg); + if (!md) { + LOG_ERR("Algorithm not supported: %x", name_alg); + return false; + } + int rc = EVP_Digest(buffer_marshalled_sensitiveArea, + marshalled_sensitive_size_info + marshalled_sensitive_size + + pubname->size, + marshalled_sensitive_and_name_digest + digest_size_info, + NULL, md, NULL); + if (!rc) { + LOG_ERR("Hash calculation failed"); + return false; + } //Inner integrity encrypted_inner_integrity->size = marshalled_sensitive_size_info 
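Review bot: The `EVP_Digest` call in tpm2_identity_util_calculate_inner_integrity passes `NULL` for the output-length argument, so nothing ties the number of bytes actually written to the `hash_size` that the context line above has already marshalled as the length prefix. The digest is now chosen by `tpm2_openssl_halg_from_tpmhalg`, while `hash_size` is computed elsewhere in the function (not visible in this hunk), so I would capture the length and fail closed on a mismatch: declare `unsigned int md_len = 0;`, pass `&md_len` in place of the first `NULL`, and test `if (!rc || md_len != hash_size)`. The function starts and ends outside the hunk, so the capacity of `marshalled_sensitive_and_name_digest` should be confirmed there as well.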
@@ -452,16 +461,21 @@ bool tpm2_identity_create_name(TPM2B_PUBLIC *public, TPM2B_NAME *pubname) { &tpmt_marshalled_size); // Step 3 - Hash the data into name just past the alg type. - digester d = tpm2_openssl_halg_to_digester(name_alg); - if (!d) { + const EVP_MD *md = tpm2_openssl_halg_from_tpmhalg(name_alg); + if (!md) { + LOG_ERR("Algorithm not supported: %x", name_alg); return false; } - d((const unsigned char *) &marshaled_tpmt, tpmt_marshalled_size, - pubname->name + hash_offset); + unsigned int hash_size; + int rc = EVP_Digest(&marshaled_tpmt, tpmt_marshalled_size, + pubname->name + hash_offset, &hash_size, md, NULL); + if (!rc) { + LOG_ERR("Hash calculation failed"); + return false; + } //Set the name size, UINT16 followed by HASH - UINT16 hash_size = tpm2_alg_util_get_hash_size(name_alg); pubname->size = hash_size + hash_offset; return true; diff --git a/lib/tpm2_kdfe.c b/lib/tpm2_kdfe.c index e8aeb04c..aa4d3e0b 100644 --- a/lib/tpm2_kdfe.c +++ b/lib/tpm2_kdfe.c @@ -42,13 +42,22 @@ TSS2_RC tpm2_kdfe( tpm2_util_concat_buffer(&hash_input, (TPM2B *) party_u); tpm2_util_concat_buffer(&hash_input, (TPM2B *) party_v); - digester d = tpm2_openssl_halg_to_digester(hash_alg); + const EVP_MD *md = tpm2_openssl_halg_from_tpmhalg(hash_alg); + if (!md) { + LOG_ERR("Algorithm not supported: %x", hash_alg); + return TPM2_RC_HASH; + } for (done = 0, counter = 1; done < bytes; done += hash_size, counter++) { counter_be = tpm2_util_hton_32(counter); memcpy(hash_input.buffer, &counter_be, 4); - d(hash_input.buffer, hash_input.size, result_key->buffer + done); + int rc = EVP_Digest(hash_input.buffer, hash_input.size, + result_key->buffer + done, NULL, md, NULL); + if (!rc) { + LOG_ERR("Hash calculation failed"); + return TPM2_RC_MEMORY; + } } // truncate the result to the desired size result_key->size = bytes; diff --git a/lib/tpm2_openssl.c b/lib/tpm2_openssl.c index 1752525e..cdce92f8 100644 --- a/lib/tpm2_openssl.c +++ b/lib/tpm2_openssl.c 
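Review bot: In tpm2_identity_create_name the digest is written to `pubname->name + hash_offset` before anything compares the digest length with the room left in the name field; `EVP_Digest` takes no destination-size parameter and writes the full digest for whatever `md` was returned. A guard ahead of the call, for example `if ((size_t) EVP_MD_size(md) > sizeof(pubname->name) - hash_offset) return false;` (assuming `name` is an array member), keeps the write bounded even if the set of algorithms accepted by `tpm2_openssl_halg_from_tpmhalg` grows. The tpm2_util_calc_unique hunk has the same shape with `unique_data->buffer`. The function body begins outside the hunk.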
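Review bot: Each pass of the loop in tpm2_kdfe writes a whole digest at `result_key->buffer + done`, including the last pass where fewer than `hash_size` bytes remain before `bytes`, and the size is only truncated afterwards; this is safe only if `result_key->buffer` has room for `bytes` rounded up to a multiple of `hash_size`, which the hunk does not show. Hashing into a local buffer and copying only the bytes still needed removes that dependency, and taking the length from `EVP_Digest` instead of passing `NULL` lets the loop reject a digest whose length differs from `hash_size`. Separately, `TPM2_RC_MEMORY` is a surprising code for a failed hash; `TPM2_RC_HASH`, already used a few lines up, may describe it better. The function starts outside the hunk.

```c
for (done = 0, counter = 1; done < bytes; done += hash_size, counter++) {
    // … unchanged: counter_be conversion and memcpy into hash_input.buffer …
    unsigned char md_buf[EVP_MAX_MD_SIZE];
    unsigned int md_len = 0;
    int rc = EVP_Digest(hash_input.buffer, hash_input.size, md_buf, &md_len,
            md, NULL);
    if (!rc || md_len != hash_size) {
        // … unchanged: LOG_ERR and error return …
    }
    /* copy only what is still needed so the final block cannot overrun */
    memcpy(result_key->buffer + done, md_buf,
            (bytes - done) < md_len ? (bytes - done) : md_len);
}
```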
@@ -368,23 +368,6 @@ out: return result; } -digester tpm2_openssl_halg_to_digester(TPMI_ALG_HASH halg) { - - switch (halg) { - case TPM2_ALG_SHA1: - return SHA1; - case TPM2_ALG_SHA256: - return SHA256; - case TPM2_ALG_SHA384: - return SHA384; - case TPM2_ALG_SHA512: - return SHA512; - /* no default */ - } - - return NULL; -} - /* * Per man openssl(1), handle the following --passin formats: * pass:password diff --git a/lib/tpm2_openssl.h b/lib/tpm2_openssl.h index 642e4635..78cb826a 100644 --- a/lib/tpm2_openssl.h +++ b/lib/tpm2_openssl.h @@ -28,23 +28,6 @@ EC_POINT_get_affine_coordinates_GFp(group, tpm_pub_key, bn_x, bn_y, dmy) #endif /* OPENSSL_VERSION_NUMBER >= 0x10101000L */ -/** - * Function prototype for a hashing routine. - * - * This is a wrapper around OSSL SHA256|384 and etc digesters. - * - * @param d - * The data to digest. - * @param n - * The length of the data to digest. - * @param md - * The output message digest. - * @return - * A pointer to the digest or NULL on error. - */ -typedef unsigned char *(*digester)(const unsigned char *d, size_t n, - unsigned char *md); - static inline const char *tpm2_openssl_get_err(void) { return ERR_error_string(ERR_get_error(), NULL); } @@ -147,17 +130,6 @@ bool tpm2_openssl_hash_pcr_banks_le(TPMI_ALG_HASH hashAlg, bool tpm2_openssl_pcr_extend(TPMI_ALG_HASH halg, BYTE *pcr, const BYTE *data, UINT16 length); -/** - * Returns a function pointer capable of performing the - * given digest from a TPMI_HASH_ALG. - * - * @param halg - * The hashing algorithm to use. - * @return - * NULL on failure or a valid digester on success. - */ -digester tpm2_openssl_halg_to_digester(TPMI_ALG_HASH halg); - typedef enum tpm2_openssl_load_rc tpm2_openssl_load_rc; enum tpm2_openssl_load_rc { lprc_error = 0, /* an error has occurred */ diff --git a/lib/tpm2_util.c b/lib/tpm2_util.c index 4125a4b9..d2c654db 100644 --- a/lib/tpm2_util.c +++ b/lib/tpm2_util.c 
@@ -579,13 +579,20 @@ bool tpm2_util_calc_unique(TPMI_ALG_HASH name_alg, memcpy(buf.buffer, seed->buffer, seed->size); memcpy(&buf.buffer[seed->size], key->buffer, key->size); - digester d = tpm2_openssl_halg_to_digester(name_alg); - if (!d) { + const EVP_MD *md = tpm2_openssl_halg_from_tpmhalg(name_alg); + if (!md) { + LOG_ERR("Algorithm not supported: %x", name_alg); return false; } - unique_data->size = tpm2_alg_util_get_hash_size(name_alg); - d(buf.buffer, buf.size, unique_data->buffer); + unsigned int hash_size; + int rc = EVP_Digest(buf.buffer, buf.size, unique_data->buffer, &hash_size, + md, NULL); + if (!rc) { + LOG_ERR("Hash calculation failed"); + return false; + } + unique_data->size = hash_size; return true; } -- 2.31.1
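Review bot: The failure branch after `EVP_Digest` in tpm2_util_calc_unique logs only `"Hash calculation failed"`, which drops the reason OpenSSL recorded; the other three `EVP_Digest` call sites added by this patch do the same. `tpm2_openssl_get_err()` is already defined in lib/tpm2_openssl.h (visible as context in that file's hunk), so the message could be `LOG_ERR("Hash calculation failed: %s", tpm2_openssl_get_err());`, assuming that header is included here. With the error string in the log, a digest that is unavailable in the running OpenSSL configuration can be told apart from other failures.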