From 517e94ee72b286e9942a5a6ecbffd05fc0b0bcf5 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
Date: Fri, 5 Nov 2021 23:08:47 +0100
Subject: [PATCH 07/23] FAPI: Fix loading of primary keys.

Problems caused by primary keys created with Fapi_CreateKey are fixed:

* For primary keys not in all cases the unique field was cleared before calling create
  primary.
* If the primary key was used for signing the object was cleared after loading. So
  access e.g. to the certificate did not work.
* For primary keys created with Fapi_Create with an auth value the auth_value was
  not used in inSensitive to recreate the primary key. Now the auth value callback
  is used to initialize inSensitive.

Fixes #2189.

Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
---
 src/tss2-fapi/fapi_int.h  |  1 +
 src/tss2-fapi/fapi_util.c | 62 +++++++++++++++++++++++++++++++++++++--
 2 files changed, 60 insertions(+), 3 deletions(-)

diff --git a/src/tss2-fapi/fapi_int.h b/src/tss2-fapi/fapi_int.h
index d13ec413..7bcf442c 100644
--- a/src/tss2-fapi/fapi_int.h
+++ b/src/tss2-fapi/fapi_int.h
@@ -768,6 +768,7 @@ enum _FAPI_STATE_PRIMARY {
     PRIMARY_READ_HIERARCHY,
     PRIMARY_READ_HIERARCHY_FINISH,
     PRIMARY_AUTHORIZE_HIERARCHY,
+    PRIMARY_GET_AUTH_VALUE,
     PRIMARY_WAIT_FOR_PRIMARY,
     PRIMARY_HAUTH_SENT,
     PRIMARY_CREATED,
diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
index a0fd714e..90f8b2aa 100644
--- a/src/tss2-fapi/fapi_util.c
+++ b/src/tss2-fapi/fapi_util.c
@@ -362,6 +362,52 @@ ifapi_get_object_path(IFAPI_OBJECT *object)
     return NULL;
 }
 
+/** Set authorization value for a primary key to be created.
+ *
+ * The callback which provides the auth value must be defined.
+ *
+ * @param[in,out] context The FAPI_CONTEXT.
+ * @param[in]     object The auth value will be assigned to this object.
+ * @param[in,out] inSensitive The sensitive data to store the auth value.
+ *
+ * @retval TSS2_RC_SUCCESS on success.
+ * @retval TSS2_FAPI_RC_AUTHORIZATION_UNKNOWN If the callback for getting
+ *         the auth value is not defined.
+ */
+TSS2_RC
+ifapi_set_auth_primary(
+    FAPI_CONTEXT *context,
+    IFAPI_OBJECT *object,
+    TPMS_SENSITIVE_CREATE *inSensitive)
+{
+    TSS2_RC r;
+    const char *auth = NULL;
+    const char *obj_path;
+
+    memset(inSensitive, 0, sizeof(TPMS_SENSITIVE_CREATE));
+
+    if (!object->misc.key.with_auth) {
+        return TSS2_RC_SUCCESS;
+    }
+
+    obj_path = ifapi_get_object_path(object);
+
+    /* Check whether callback is defined. */
+    if (context->callbacks.auth) {
+        r = context->callbacks.auth(obj_path, object->misc.key.description,
+                                    &auth, context->callbacks.authData);
+        return_if_error(r, "AuthCallback");
+        if (auth != NULL) {
+            inSensitive->userAuth.size = strlen(auth);
+            memcpy(&inSensitive->userAuth.buffer[0], auth,
+                   inSensitive->userAuth.size);
+        }
+        return TSS2_RC_SUCCESS;
+    }
+    SAFE_FREE(auth);
+    return_error( TSS2_FAPI_RC_AUTHORIZATION_UNKNOWN, "Authorization callback not defined.");
+}
+
 /** Set authorization value for a FAPI object.
  *
  * The callback which provides the auth value must be defined.
@@ -848,7 +894,7 @@ ifapi_load_primary_finish(FAPI_CONTEXT *context, ESYS_TR *handle)
     IFAPI_KEY *pkey = &context->createPrimary.pkey_object.misc.key;
     TPMS_CAPABILITY_DATA **capabilityData = &context->createPrimary.capabilityData;
     TPMI_YES_NO moreData;
-    ESYS_TR auth_session;
+    ESYS_TR auth_session = ESYS_TR_NONE; /* Initialized due to scanbuild */
 
     LOG_TRACE("call");
 
@@ -923,12 +969,23 @@ ifapi_load_primary_finish(FAPI_CONTEXT *context, ESYS_TR *handle)
         memset(&context->createPrimary.inSensitive, 0, sizeof(TPM2B_SENSITIVE_CREATE));
         memset(&context->createPrimary.outsideInfo, 0, sizeof(TPM2B_DATA));
         memset(&context->createPrimary.creationPCR, 0, sizeof(TPML_PCR_SELECTION));
+        fallthrough;
+
+    statecase(context->primary_state, PRIMARY_GET_AUTH_VALUE);
+        /* Get the auth value to be stored in inSensitive */
+        r = ifapi_set_auth_primary(context, pkey_object,
+                                   &context->createPrimary.inSensitive.sensitive);
+        return_try_again(r);
+        goto_if_error_reset_state(r, "Get auth value for primary", error_cleanup);
 
         /* Prepare primary creation. */
+        TPM2B_PUBLIC public = pkey->public;
+        memset(&public.publicArea.unique, 0, sizeof(TPMU_PUBLIC_ID));
+
         r = Esys_CreatePrimary_Async(context->esys, hierarchy->handle,
                                      auth_session, ESYS_TR_NONE, ESYS_TR_NONE,
                                      &context->createPrimary.inSensitive,
-                                     &pkey->public,
+                                     &public,
                                      &context->createPrimary.outsideInfo,
                                      &context->createPrimary.creationPCR);
         return_if_error(r, "CreatePrimary");
@@ -1905,7 +1962,6 @@ ifapi_load_key_finish(FAPI_CONTEXT *context, bool flush_parent)
         } else {
             LOG_TRACE("success");
             ifapi_cleanup_ifapi_object(context->loadKey.key_object);
-            ifapi_cleanup_ifapi_object(&context->loadKey.auth_object);
             return TSS2_RC_SUCCESS;
         }
         break;
-- 
2.34.3