policyutil: expose the session algorithm to PolicyResources.SignedAut…

…horization
canonical · Apr 4, 2024 · 5ea965f · 5ea965f
1 parent 01969ea
commit 5ea965f
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 39 deletions.
diff --git a/policyutil/policy.go b/policyutil/policy.go
@@ -475,7 +475,7 @@ func (e *policySignedElement) run(runner policyRunner) error {
 		}
 	}
 
-	auth, err := runner.resources().signedAuthorization(runner.session().NonceTPM(), authKeyName, e.PolicyRef)
+	auth, err := runner.resources().signedAuthorization(authKeyName, e.PolicyRef)
 	if err != nil {
 		return &PolicyAuthorizationError{
 			AuthName:  authKeyName,

diff --git a/policyutil/policy_test.go b/policyutil/policy_test.go
@@ -81,14 +81,14 @@ func (h *mockAuthorizer) Authorize(resource tpm2.ResourceContext) error {
 }
 
 type mockSignedAuthorizer struct {
-	signAuthorization func(tpm2.Nonce, tpm2.Name, tpm2.Nonce) (*PolicySignedAuthorization, error)
+	signAuthorization func(tpm2.HashAlgorithmId, tpm2.Nonce, tpm2.Name, tpm2.Nonce) (*PolicySignedAuthorization, error)
 }
 
-func (h *mockSignedAuthorizer) SignedAuthorization(sessionNonce tpm2.Nonce, authKey tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error) {
+func (h *mockSignedAuthorizer) SignedAuthorization(sessionAlg tpm2.HashAlgorithmId, sessionNonce tpm2.Nonce, authKey tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error) {
 	if h.signAuthorization == nil {
 		return nil, errors.New("not implemented")
 	}
-	return h.signAuthorization(sessionNonce, authKey, policyRef)
+	return h.signAuthorization(sessionAlg, sessionNonce, authKey, policyRef)
 }
 
 type mockExternalSensitiveResources struct {
@@ -1380,7 +1380,8 @@ func (s *policySuite) testPolicySigned(c *C, data *testExecutePolicySignedData)
 	session := s.StartAuthSession(c, nil, nil, tpm2.SessionTypePolicy, nil, tpm2.HashAlgorithmSHA256)
 
 	authorizer := &mockSignedAuthorizer{
-		signAuthorization: func(sessionNonce tpm2.Nonce, authKey tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error) {
+		signAuthorization: func(sessionAlg tpm2.HashAlgorithmId, sessionNonce tpm2.Nonce, authKey tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error) {
+			c.Check(sessionAlg, Equals, session.Params().HashAlg)
 			c.Check(sessionNonce, DeepEquals, session.State().NonceTPM)
 			c.Check(authKey, DeepEquals, data.authKey.Name())
 			c.Check(policyRef, DeepEquals, data.policyRef)
@@ -1598,7 +1599,8 @@ func (s *policySuite) TestPolicySignedWithTicket(c *C) {
 	session := s.StartAuthSession(c, nil, nil, tpm2.SessionTypePolicy, nil, tpm2.HashAlgorithmSHA256)
 
 	authorizer := &mockSignedAuthorizer{
-		signAuthorization: func(sessionNonce tpm2.Nonce, authKeyName tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error) {
+		signAuthorization: func(sessionAlg tpm2.HashAlgorithmId, sessionNonce tpm2.Nonce, authKeyName tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error) {
+			c.Check(sessionAlg, Equals, session.Params().HashAlg)
 			c.Check(sessionNonce, DeepEquals, session.State().NonceTPM)
 			c.Check(authKeyName, DeepEquals, authKey.Name())
 			c.Check(policyRef, IsNil)
@@ -2200,7 +2202,7 @@ func (s *policySuite) testPolicyBranches(c *C, data *testExecutePolicyBranchesDa
 		},
 	}
 	signedAuthorizer := &mockSignedAuthorizer{
-		signAuthorization: func(sessionNonce tpm2.Nonce, authKey tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error) {
+		signAuthorization: func(sessionAlg tpm2.HashAlgorithmId, sessionNonce tpm2.Nonce, authKey tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error) {
 			return SignPolicySignedAuthorization(rand.Reader, nil, pubKey, policyRef, key, crypto.SHA256)
 		},
 	}

diff --git a/policyutil/resources.go b/policyutil/resources.go
@@ -52,8 +52,9 @@ type PolicyResources interface {
 	Authorize(resource tpm2.ResourceContext) error
 
 	// SignedAuthorization signs a TPM2_PolicySigned authorization for the specified key, policy ref
-	// and session nonce.
-	SignedAuthorization(sessionNonce tpm2.Nonce, authKey tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error)
+	// and session nonce. The supplied algorithm is the session algorithm, which should be
+	// used to construct a cpHash if desired.
+	SignedAuthorization(sessionAlg tpm2.HashAlgorithmId, sessionNonce tpm2.Nonce, authKey tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error)
 
 	// ContextSave saves the context of the transient resource associated with the supplied
 	// handle. This will return nil if it fails.
@@ -80,7 +81,7 @@ type Authorizer interface {
 type SignedAuthorizer interface {
 	// SignedAuthorization signs a TPM2_PolicySigned authorization for the specified key, policy ref
 	// and session nonce.
-	SignedAuthorization(sessionNonce tpm2.Nonce, authKey tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error)
+	SignedAuthorization(sessionAlg tpm2.HashAlgorithmId, sessionNonce tpm2.Nonce, authKey tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error)
 }
 
 type ExternalSensitiveResources interface {
@@ -438,11 +439,11 @@ func (r *tpmPolicyResources) Authorize(resource tpm2.ResourceContext) error {
 	return r.authorizer.Authorize(resource)
 }
 
-func (r *tpmPolicyResources) SignedAuthorization(sessionNonce tpm2.Nonce, authKey tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error) {
+func (r *tpmPolicyResources) SignedAuthorization(sessionAlg tpm2.HashAlgorithmId, sessionNonce tpm2.Nonce, authKey tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error) {
 	if r.signedAuthorizer == nil {
 		return nil, errors.New("no SignedAuthorizer")
 	}
-	return r.signedAuthorizer.SignedAuthorization(sessionNonce, authKey, policyRef)
+	return r.signedAuthorizer.SignedAuthorization(sessionAlg, sessionNonce, authKey, policyRef)
 }
 
 func (r *tpmPolicyResources) ContextSave(resource tpm2.ResourceContext) *tpm2.Context {
@@ -487,7 +488,7 @@ func (*nullPolicyResources) Authorize(resource tpm2.ResourceContext) error {
 	return errors.New("no PolicyResources")
 }
 
-func (*nullPolicyResources) SignedAuthorization(sessionNonce tpm2.Nonce, authKey tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error) {
+func (*nullPolicyResources) SignedAuthorization(sessionAlg tpm2.HashAlgorithmId, sessionNonce tpm2.Nonce, authKey tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error) {
 	return nil, errors.New("no PolicyResources")
 }
 
@@ -506,7 +507,7 @@ func (*nullPolicyResources) ExternalSensitive(name tpm2.Name) (*tpm2.Sensitive,
 type policyResources interface {
 	loadedResource(name tpm2.Name) (ResourceContext, error)
 	authorizedPolicies(keySign tpm2.Name, policyRef tpm2.Nonce) ([]*Policy, error)
-	signedAuthorization(nonce tpm2.Nonce, authKey tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error)
+	signedAuthorization(authKey tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error)
 }
 
 type cachedResourceType int
@@ -663,8 +664,8 @@ func (r *executePolicyResources) authorizedPolicies(keySign tpm2.Name, policyRef
 	return policies, nil
 }
 
-func (r *executePolicyResources) signedAuthorization(nonce tpm2.Nonce, authKey tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error) {
-	return r.resources.SignedAuthorization(nonce, authKey, policyRef)
+func (r *executePolicyResources) signedAuthorization(authKey tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error) {
+	return r.resources.SignedAuthorization(r.session.Session().Params().HashAlg, r.session.Session().State().NonceTPM, authKey, policyRef)
 }
 
 type mockPolicyResources struct{}
@@ -682,6 +683,6 @@ func (r *mockPolicyResources) authorizedPolicies(keySign tpm2.Name, policyRef tp
 	return nil, nil
 }
 
-func (*mockPolicyResources) signedAuthorization(sessionNonce tpm2.Nonce, authKey tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error) {
+func (*mockPolicyResources) signedAuthorization(authKey tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error) {
 	return new(PolicySignedAuthorization), nil
 }
diff --git a/policyutil/session.go b/policyutil/session.go
@@ -18,7 +18,6 @@ import (
 type policySession interface {
 	Name() tpm2.Name
 	HashAlg() tpm2.HashAlgorithmId
-	NonceTPM() tpm2.Nonce
 
 	PolicySigned(authKey tpm2.ResourceContext, includeNonceTPM bool, cpHashA tpm2.Digest, policyRef tpm2.Nonce, expiration int32, auth *tpm2.Signature) (tpm2.Timeout, *tpm2.TkAuth, error)
 	PolicySecret(authObject tpm2.ResourceContext, cpHashA tpm2.Digest, policyRef tpm2.Nonce, expiration int32, authObjectAuthSession tpm2.SessionContext) (tpm2.Timeout, *tpm2.TkAuth, error)
@@ -51,7 +50,6 @@ type PolicySession interface {
 
 	Name() tpm2.Name
 	HashAlg() tpm2.HashAlgorithmId
-	NonceTPM() tpm2.Nonce
 
 	PolicySigned(authKey tpm2.ResourceContext, includeNonceTPM bool, cpHashA tpm2.Digest, policyRef tpm2.Nonce, expiration int32, auth *tpm2.Signature) (tpm2.Timeout, *tpm2.TkAuth, error)
 	PolicySecret(authObject tpm2.ResourceContext, cpHashA tpm2.Digest, policyRef tpm2.Nonce, expiration int32, authObjectAuthSession tpm2.SessionContext) (tpm2.Timeout, *tpm2.TkAuth, error)
@@ -147,10 +145,6 @@ func (s *tpmPolicySession) HashAlg() tpm2.HashAlgorithmId {
 	return s.policySession.Session().Params().HashAlg
 }
 
-func (s *tpmPolicySession) NonceTPM() tpm2.Nonce {
-	return s.policySession.Session().State().NonceTPM
-}
-
 func (s *tpmPolicySession) PolicySigned(authKey tpm2.ResourceContext, includeNonceTPM bool, cpHashA tpm2.Digest, policyRef tpm2.Nonce, expiration int32, auth *tpm2.Signature) (tpm2.Timeout, *tpm2.TkAuth, error) {
 	return s.tpm.PolicySigned(authKey, s.policySession.Session(), includeNonceTPM, cpHashA, policyRef, expiration, auth, s.sessions...)
 }
@@ -263,10 +257,6 @@ func (s *computePolicySession) HashAlg() tpm2.HashAlgorithmId {
 	return s.digest.HashAlg
 }
 
-func (*computePolicySession) NonceTPM() tpm2.Nonce {
-	return nil
-}
-
 func (s *computePolicySession) PolicySigned(authKey tpm2.ResourceContext, includeNonceTPM bool, cpHashA tpm2.Digest, policyRef tpm2.Nonce, expiration int32, auth *tpm2.Signature) (tpm2.Timeout, *tpm2.TkAuth, error) {
 	if !authKey.Name().IsValid() {
 		return nil, nil, errors.New("invalid authKey name")
@@ -399,10 +389,6 @@ func (s *nullPolicySession) HashAlg() tpm2.HashAlgorithmId {
 	return s.alg
 }
 
-func (*nullPolicySession) NonceTPM() tpm2.Nonce {
-	return nil
-}
-
 func (*nullPolicySession) PolicySigned(authKey tpm2.ResourceContext, includeNonceTPM bool, cpHashA tpm2.Digest, policyRef tpm2.Nonce, expiration int32, auth *tpm2.Signature) (tpm2.Timeout, *tpm2.TkAuth, error) {
 	return nil, nil, nil
 }
@@ -505,10 +491,6 @@ func (s *teePolicySession) HashAlg() tpm2.HashAlgorithmId {
 	return s.head().HashAlg()
 }
 
-func (s *teePolicySession) NonceTPM() tpm2.Nonce {
-	return s.head().NonceTPM()
-}
-
 func (s *teePolicySession) PolicySigned(authKey tpm2.ResourceContext, includeNonceTPM bool, cpHashA tpm2.Digest, policyRef tpm2.Nonce, expiration int32, auth *tpm2.Signature) (tpm2.Timeout, *tpm2.TkAuth, error) {
 	timeout, ticket, err := s.head().PolicySigned(authKey, includeNonceTPM, cpHashA, policyRef, expiration, auth)
 	if err != nil {
@@ -639,10 +621,6 @@ func (s *recorderPolicySession) HashAlg() tpm2.HashAlgorithmId {
 	return s.alg
 }
 
-func (*recorderPolicySession) NonceTPM() tpm2.Nonce {
-	return nil
-}
-
 func (s *recorderPolicySession) PolicySigned(authKey tpm2.ResourceContext, includeNonceTPM bool, cpHashA tpm2.Digest, policyRef tpm2.Nonce, expiration int32, auth *tpm2.Signature) (tpm2.Timeout, *tpm2.TkAuth, error) {
 	s.details.Signed = append(s.details.Signed, PolicyAuthorizationDetails{
 		AuthName:  authKey.Name(),