diff --git a/policyutil/policy.go b/policyutil/policy.go
index a4f5dfd..09668ac 100644
--- a/policyutil/policy.go
+++ b/policyutil/policy.go
@@ -475,7 +475,7 @@ func (e *policySignedElement) run(runner policyRunner) error {
 }
 }
- auth, err := runner.resources().signedAuthorization(runner.session().NonceTPM(), authKeyName, e.PolicyRef)
+ auth, err := runner.resources().signedAuthorization(authKeyName, e.PolicyRef)
 if err != nil {
 return &PolicyAuthorizationError{
 AuthName: authKeyName,
diff --git a/policyutil/policy_test.go b/policyutil/policy_test.go
index f3eaaff..d33e8d6 100644
--- a/policyutil/policy_test.go
+++ b/policyutil/policy_test.go
@@ -81,14 +81,14 @@ func (h *mockAuthorizer) Authorize(resource tpm2.ResourceContext) error {
 }
 type mockSignedAuthorizer struct {
- signAuthorization func(tpm2.Nonce, tpm2.Name, tpm2.Nonce) (*PolicySignedAuthorization, error)
+ signAuthorization func(tpm2.HashAlgorithmId, tpm2.Nonce, tpm2.Name, tpm2.Nonce) (*PolicySignedAuthorization, error)
 }
-func (h *mockSignedAuthorizer) SignedAuthorization(sessionNonce tpm2.Nonce, authKey tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error) {
+func (h *mockSignedAuthorizer) SignedAuthorization(sessionAlg tpm2.HashAlgorithmId, sessionNonce tpm2.Nonce, authKey tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error) {
 if h.signAuthorization == nil {
 return nil, errors.New("not implemented")
 }
- return h.signAuthorization(sessionNonce, authKey, policyRef)
+ return h.signAuthorization(sessionAlg, sessionNonce, authKey, policyRef)
 }
 type mockExternalSensitiveResources struct {
@@ -1380,7 +1380,8 @@ func (s *policySuite) testPolicySigned(c *C, data *testExecutePolicySignedData)
 session := s.StartAuthSession(c, nil, nil, tpm2.SessionTypePolicy, nil, tpm2.HashAlgorithmSHA256)
 authorizer := &mockSignedAuthorizer{
- signAuthorization: func(sessionNonce tpm2.Nonce, authKey tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error) {
+ signAuthorization: func(sessionAlg tpm2.HashAlgorithmId, sessionNonce tpm2.Nonce, authKey tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error) {
+ c.Check(sessionAlg, Equals, session.Params().HashAlg)
 c.Check(sessionNonce, DeepEquals, session.State().NonceTPM)
 c.Check(authKey, DeepEquals, data.authKey.Name())
 c.Check(policyRef, DeepEquals, data.policyRef)
@@ -1598,7 +1599,8 @@ func (s *policySuite) TestPolicySignedWithTicket(c *C) {
 session := s.StartAuthSession(c, nil, nil, tpm2.SessionTypePolicy, nil, tpm2.HashAlgorithmSHA256)
 authorizer := &mockSignedAuthorizer{
- signAuthorization: func(sessionNonce tpm2.Nonce, authKeyName tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error) {
+ signAuthorization: func(sessionAlg tpm2.HashAlgorithmId, sessionNonce tpm2.Nonce, authKeyName tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error) {
+ c.Check(sessionAlg, Equals, session.Params().HashAlg)
 c.Check(sessionNonce, DeepEquals, session.State().NonceTPM)
 c.Check(authKeyName, DeepEquals, authKey.Name())
 c.Check(policyRef, IsNil)
@@ -2200,7 +2202,7 @@ func (s *policySuite) testPolicyBranches(c *C, data *testExecutePolicyBranchesDa
 },
 }
 signedAuthorizer := &mockSignedAuthorizer{
- signAuthorization: func(sessionNonce tpm2.Nonce, authKey tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error) {
+ signAuthorization: func(sessionAlg tpm2.HashAlgorithmId, sessionNonce tpm2.Nonce, authKey tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error) {
 return SignPolicySignedAuthorization(rand.Reader, nil, pubKey, policyRef, key, crypto.SHA256)
 },
 }
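Review bot: The `signAuthorization` closure in `testPolicyBranches` (the third hunk on this line) takes the new `sessionAlg` argument but never checks it, unlike the closures in `testPolicySigned` and `TestPolicySignedWithTicket`, which gained `c.Check(sessionAlg, Equals, session.Params().HashAlg)`. If a session value is in scope at that point (not visible in the hunk), adding the same check would cover the branch-execution path as well. As written, a regression that forwarded the wrong algorithm or nonce through the branch code would not be caught by this test.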
diff --git a/policyutil/resources.go b/policyutil/resources.go
index a4a2140..b794c9d 100644
--- a/policyutil/resources.go
+++ b/policyutil/resources.go
@@ -52,8 +52,9 @@ type PolicyResources interface {
 Authorize(resource tpm2.ResourceContext) error
 // SignedAuthorization signs a TPM2_PolicySigned authorization for the specified key, policy ref
- // and session nonce.
- SignedAuthorization(sessionNonce tpm2.Nonce, authKey tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error)
+ // and session nonce. The supplied algorithm is the session algorithm, which should be
+ // used to construct a cpHash if desired.
+ SignedAuthorization(sessionAlg tpm2.HashAlgorithmId, sessionNonce tpm2.Nonce, authKey tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error)
 // ContextSave saves the context of the transient resource associated with the supplied
 // handle. This will return nil if it fails.
@@ -80,7 +81,7 @@ type Authorizer interface {
 type SignedAuthorizer interface {
 // SignedAuthorization signs a TPM2_PolicySigned authorization for the specified key, policy ref
 // and session nonce.
- SignedAuthorization(sessionNonce tpm2.Nonce, authKey tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error)
+ SignedAuthorization(sessionAlg tpm2.HashAlgorithmId, sessionNonce tpm2.Nonce, authKey tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error)
 }
 type ExternalSensitiveResources interface {
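Review bot: The doc comment on `SignedAuthorizer.SignedAuthorization` (second hunk) still ends at "and session nonce." and says nothing about the new `sessionAlg` parameter, while the same method on `PolicyResources` in the first hunk was updated. `SignedAuthorizer` is the interface callers implement to produce the signature, so this is where the parameter most needs explaining. I would repeat the sentence there: `// The supplied algorithm is the session algorithm, which should be used to construct a cpHash if desired.` Both interfaces are exported, so the added parameter also breaks existing out-of-tree implementations at compile time, which is worth stating in the commit message.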
@@ -438,11 +439,11 @@ func (r *tpmPolicyResources) Authorize(resource tpm2.ResourceContext) error {
 return r.authorizer.Authorize(resource)
 }
-func (r *tpmPolicyResources) SignedAuthorization(sessionNonce tpm2.Nonce, authKey tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error) {
+func (r *tpmPolicyResources) SignedAuthorization(sessionAlg tpm2.HashAlgorithmId, sessionNonce tpm2.Nonce, authKey tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error) {
 if r.signedAuthorizer == nil {
 return nil, errors.New("no SignedAuthorizer")
 }
- return r.signedAuthorizer.SignedAuthorization(sessionNonce, authKey, policyRef)
+ return r.signedAuthorizer.SignedAuthorization(sessionAlg, sessionNonce, authKey, policyRef)
 }
 func (r *tpmPolicyResources) ContextSave(resource tpm2.ResourceContext) *tpm2.Context {
@@ -487,7 +488,7 @@ func (*nullPolicyResources) Authorize(resource tpm2.ResourceContext) error {
 return errors.New("no PolicyResources")
 }
-func (*nullPolicyResources) SignedAuthorization(sessionNonce tpm2.Nonce, authKey tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error) {
+func (*nullPolicyResources) SignedAuthorization(sessionAlg tpm2.HashAlgorithmId, sessionNonce tpm2.Nonce, authKey tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error) {
 return nil, errors.New("no PolicyResources")
 }
@@ -506,7 +507,7 @@ func (*nullPolicyResources) ExternalSensitive(name tpm2.Name) (*tpm2.Sensitive,
 type policyResources interface {
 loadedResource(name tpm2.Name) (ResourceContext, error)
 authorizedPolicies(keySign tpm2.Name, policyRef tpm2.Nonce) ([]*Policy, error)
- signedAuthorization(nonce tpm2.Nonce, authKey tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error)
+ signedAuthorization(authKey tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error)
 }
 type cachedResourceType int
@@ -663,8 +664,8 @@ func (r *executePolicyResources) authorizedPolicies(keySign tpm2.Name, policyRef
 return policies, nil
 }
-func (r *executePolicyResources) signedAuthorization(nonce tpm2.Nonce, authKey tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error) {
- return r.resources.SignedAuthorization(nonce, authKey, policyRef)
+func (r *executePolicyResources) signedAuthorization(authKey tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error) {
+ return r.resources.SignedAuthorization(r.session.Session().Params().HashAlg, r.session.Session().State().NonceTPM, authKey, policyRef)
 }
 type mockPolicyResources struct{}
@@ -682,6 +683,6 @@ func (r *mockPolicyResources) authorizedPolicies(keySign tpm2.Name, policyRef tp
 return nil, nil
 }
-func (*mockPolicyResources) signedAuthorization(sessionNonce tpm2.Nonce, authKey tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error) {
+func (*mockPolicyResources) signedAuthorization(authKey tpm2.Name, policyRef tpm2.Nonce) (*PolicySignedAuthorization, error) {
 return new(PolicySignedAuthorization), nil
 }
diff --git a/policyutil/session.go b/policyutil/session.go
index b7429b0..bcdf06b 100644
--- a/policyutil/session.go
+++ b/policyutil/session.go
@@ -18,7 +18,6 @@ import (
 type policySession interface {
 Name() tpm2.Name
 HashAlg() tpm2.HashAlgorithmId
- NonceTPM() tpm2.Nonce
 PolicySigned(authKey tpm2.ResourceContext, includeNonceTPM bool, cpHashA tpm2.Digest, policyRef tpm2.Nonce, expiration int32, auth *tpm2.Signature) (tpm2.Timeout, *tpm2.TkAuth, error)
 PolicySecret(authObject tpm2.ResourceContext, cpHashA tpm2.Digest, policyRef tpm2.Nonce, expiration int32, authObjectAuthSession tpm2.SessionContext) (tpm2.Timeout, *tpm2.TkAuth, error)
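Review bot: The new body of `executePolicyResources.signedAuthorization` (first hunk on this line) dereferences `r.session.Session().Params()` and `r.session.Session().State()` with no guard, so a missing session context on this path would panic instead of reaching the caller's `PolicyAuthorizationError` handling. The `NonceTPM()` methods removed elsewhere in this commit returned a nil nonce for the compute, null and recorder sessions; whether `r.session` can be unset or `Session()` can return nil here is not visible in the hunk and should be confirmed. The nonce is what ties the signed authorization to this particular session, so I would read the session once and add a comment saying so: `sc := r.session.Session()` followed by `return r.resources.SignedAuthorization(sc.Params().HashAlg, sc.State().NonceTPM, authKey, policyRef)`. If the session can be absent, put a nil check that returns an error between those two lines.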
@@ -51,7 +50,6 @@ type PolicySession interface {
 Name() tpm2.Name
 HashAlg() tpm2.HashAlgorithmId
- NonceTPM() tpm2.Nonce
 PolicySigned(authKey tpm2.ResourceContext, includeNonceTPM bool, cpHashA tpm2.Digest, policyRef tpm2.Nonce, expiration int32, auth *tpm2.Signature) (tpm2.Timeout, *tpm2.TkAuth, error)
 PolicySecret(authObject tpm2.ResourceContext, cpHashA tpm2.Digest, policyRef tpm2.Nonce, expiration int32, authObjectAuthSession tpm2.SessionContext) (tpm2.Timeout, *tpm2.TkAuth, error)
@@ -147,10 +145,6 @@ func (s *tpmPolicySession) HashAlg() tpm2.HashAlgorithmId {
 return s.policySession.Session().Params().HashAlg
 }
-func (s *tpmPolicySession) NonceTPM() tpm2.Nonce {
- return s.policySession.Session().State().NonceTPM
-}
-
 func (s *tpmPolicySession) PolicySigned(authKey tpm2.ResourceContext, includeNonceTPM bool, cpHashA tpm2.Digest, policyRef tpm2.Nonce, expiration int32, auth *tpm2.Signature) (tpm2.Timeout, *tpm2.TkAuth, error) {
 return s.tpm.PolicySigned(authKey, s.policySession.Session(), includeNonceTPM, cpHashA, policyRef, expiration, auth, s.sessions...)
 }
@@ -263,10 +257,6 @@ func (s *computePolicySession) HashAlg() tpm2.HashAlgorithmId {
 return s.digest.HashAlg
 }
-func (*computePolicySession) NonceTPM() tpm2.Nonce {
- return nil
-}
-
 func (s *computePolicySession) PolicySigned(authKey tpm2.ResourceContext, includeNonceTPM bool, cpHashA tpm2.Digest, policyRef tpm2.Nonce, expiration int32, auth *tpm2.Signature) (tpm2.Timeout, *tpm2.TkAuth, error) {
 if !authKey.Name().IsValid() {
 return nil, nil, errors.New("invalid authKey name")
@@ -399,10 +389,6 @@ func (s *nullPolicySession) HashAlg() tpm2.HashAlgorithmId {
 return s.alg
 }
-func (*nullPolicySession) NonceTPM() tpm2.Nonce {
- return nil
-}
-
 func (*nullPolicySession) PolicySigned(authKey tpm2.ResourceContext, includeNonceTPM bool, cpHashA tpm2.Digest, policyRef tpm2.Nonce, expiration int32, auth *tpm2.Signature) (tpm2.Timeout, *tpm2.TkAuth, error) {
 return nil, nil, nil
 }
@@ -505,10 +491,6 @@ func (s *teePolicySession) HashAlg() tpm2.HashAlgorithmId {
 return s.head().HashAlg()
 }
-func (s *teePolicySession) NonceTPM() tpm2.Nonce {
- return s.head().NonceTPM()
-}
-
 func (s *teePolicySession) PolicySigned(authKey tpm2.ResourceContext, includeNonceTPM bool, cpHashA tpm2.Digest, policyRef tpm2.Nonce, expiration int32, auth *tpm2.Signature) (tpm2.Timeout, *tpm2.TkAuth, error) {
 timeout, ticket, err := s.head().PolicySigned(authKey, includeNonceTPM, cpHashA, policyRef, expiration, auth)
 if err != nil {
@@ -639,10 +621,6 @@ func (s *recorderPolicySession) HashAlg() tpm2.HashAlgorithmId {
 return s.alg
 }
-func (*recorderPolicySession) NonceTPM() tpm2.Nonce {
- return nil
-}
-
 func (s *recorderPolicySession) PolicySigned(authKey tpm2.ResourceContext, includeNonceTPM bool, cpHashA tpm2.Digest, policyRef tpm2.Nonce, expiration int32, auth *tpm2.Signature) (tpm2.Timeout, *tpm2.TkAuth, error) {
 s.details.Signed = append(s.details.Signed, PolicyAuthorizationDetails{
 AuthName: authKey.Name(),