1 /* SPDX-License-Identifier: BSD-2-Clause */
2 /*******************************************************************************
3 * Copyright 2017-2018, Fraunhofer SIT sponsored by Infineon Technologies AG
4 * All rights reserved.
5 ******************************************************************************/
6
7 #ifdef HAVE_CONFIG_H
8 #include <config.h>
9 #endif
10
11 #include "tss2_mu.h"
12 #include "tss2_sys.h"
13 #include "tss2_esys.h"
14
15 #include "esys_types.h"
16 #include "esys_iutil.h"
17 #include "esys_mu.h"
18 #define LOGMODULE esys
19 #include "util/log.h"
20 #include "util/aux_util.h"
21
22 /** One-Call function for TPM2_DictionaryAttackParameters
23 *
24 * This function invokes the TPM2_DictionaryAttackParameters command in a one-call
25 * variant. This means the function will block until the TPM response is
26 * available. All input parameters are const. The memory for non-simple output
27 * parameters is allocated by the function implementation.
28 *
29 * @param[in,out] esysContext The ESYS_CONTEXT.
30 * @param[in] lockHandle TPM2_RH_LOCKOUT.
31 * @param[in] shandle1 Session handle for authorization of lockHandle
32 * @param[in] shandle2 Second session handle.
33 * @param[in] shandle3 Third session handle.
34 * @param[in] newMaxTries Count of authorization failures before the lockout
35 * is imposed.
36 * @param[in] newRecoveryTime Time in seconds before the authorization failure
37 * count is automatically decremented.
38 * @param[in] lockoutRecovery Time in seconds after a lockoutAuth failure
39 * before use of lockoutAuth is allowed.
40 * @retval TSS2_RC_SUCCESS if the function call was a success.
41 * @retval TSS2_ESYS_RC_BAD_REFERENCE if the esysContext or required input
42 * pointers or required output handle references are NULL.
43 * @retval TSS2_ESYS_RC_BAD_CONTEXT: if esysContext corruption is detected.
44 * @retval TSS2_ESYS_RC_MEMORY: if the ESAPI cannot allocate enough memory for
45 * internal operations or return parameters.
46 * @retval TSS2_ESYS_RC_BAD_SEQUENCE: if the context has an asynchronous
47 * operation already pending.
48 * @retval TSS2_ESYS_RC_INSUFFICIENT_RESPONSE: if the TPM's response does not
49 * at least contain the tag, response length, and response code.
50 * @retval TSS2_ESYS_RC_MALFORMED_RESPONSE: if the TPM's response is corrupted.
51 * @retval TSS2_ESYS_RC_RSP_AUTH_FAILED: if the response HMAC from the TPM
52 did not verify.
53 * @retval TSS2_ESYS_RC_MULTIPLE_DECRYPT_SESSIONS: if more than one session has
54 * the 'decrypt' attribute bit set.
55 * @retval TSS2_ESYS_RC_MULTIPLE_ENCRYPT_SESSIONS: if more than one session has
56 * the 'encrypt' attribute bit set.
57 * @retval TSS2_ESYS_RC_BAD_TR: if any of the ESYS_TR objects are unknown
58 * to the ESYS_CONTEXT or are of the wrong type or if required
59 * ESYS_TR objects are ESYS_TR_NONE.
60 * @retval TSS2_ESYS_RC_NO_DECRYPT_PARAM: if one of the sessions has the
61 * 'decrypt' attribute set and the command does not support encryption
62 * of the first command parameter.
63 * @retval TSS2_ESYS_RC_NO_ENCRYPT_PARAM: if one of the sessions has the
64 * 'encrypt' attribute set and the command does not support encryption
65 * of the first response parameter.
66 * @retval TSS2_RCs produced by lower layers of the software stack may be
67 * returned to the caller unaltered unless handled internally.
68 */
69 TSS2_RC
Esys_DictionaryAttackParameters(ESYS_CONTEXT * esysContext,ESYS_TR lockHandle,ESYS_TR shandle1,ESYS_TR shandle2,ESYS_TR shandle3,UINT32 newMaxTries,UINT32 newRecoveryTime,UINT32 lockoutRecovery)70 Esys_DictionaryAttackParameters(
71 ESYS_CONTEXT *esysContext,
72 ESYS_TR lockHandle,
73 ESYS_TR shandle1,
74 ESYS_TR shandle2,
75 ESYS_TR shandle3,
76 UINT32 newMaxTries,
77 UINT32 newRecoveryTime,
78 UINT32 lockoutRecovery)
79 {
80 TSS2_RC r;
81
82 r = Esys_DictionaryAttackParameters_Async(esysContext, lockHandle, shandle1,
83 shandle2, shandle3, newMaxTries,
84 newRecoveryTime, lockoutRecovery);
85 return_if_error(r, "Error in async function");
86
87 /* Set the timeout to indefinite for now, since we want _Finish to block */
88 int32_t timeouttmp = esysContext->timeout;
89 esysContext->timeout = -1;
90 /*
91 * Now we call the finish function, until return code is not equal to
92 * from TSS2_BASE_RC_TRY_AGAIN.
93 * Note that the finish function may return TSS2_RC_TRY_AGAIN, even if we
94 * have set the timeout to -1. This occurs for example if the TPM requests
95 * a retransmission of the command via TPM2_RC_YIELDED.
96 */
97 do {
98 r = Esys_DictionaryAttackParameters_Finish(esysContext);
99 /* This is just debug information about the reattempt to finish the
100 command */
101 if ((r & ~TSS2_RC_LAYER_MASK) == TSS2_BASE_RC_TRY_AGAIN)
102 LOG_DEBUG("A layer below returned TRY_AGAIN: %" PRIx32
103 " => resubmitting command", r);
104 } while ((r & ~TSS2_RC_LAYER_MASK) == TSS2_BASE_RC_TRY_AGAIN);
105
106 /* Restore the timeout value to the original value */
107 esysContext->timeout = timeouttmp;
108 return_if_error(r, "Esys Finish");
109
110 return TSS2_RC_SUCCESS;
111 }
112
113 /** Asynchronous function for TPM2_DictionaryAttackParameters
114 *
115 * This function invokes the TPM2_DictionaryAttackParameters command in a asynchronous
116 * variant. This means the function will return as soon as the command has been
117 * sent downwards the stack to the TPM. All input parameters are const.
118 * In order to retrieve the TPM's response call Esys_DictionaryAttackParameters_Finish.
119 *
120 * @param[in,out] esysContext The ESYS_CONTEXT.
121 * @param[in] lockHandle TPM2_RH_LOCKOUT.
122 * @param[in] shandle1 Session handle for authorization of lockHandle
123 * @param[in] shandle2 Second session handle.
124 * @param[in] shandle3 Third session handle.
125 * @param[in] newMaxTries Count of authorization failures before the lockout
126 * is imposed.
127 * @param[in] newRecoveryTime Time in seconds before the authorization failure
128 * count is automatically decremented.
129 * @param[in] lockoutRecovery Time in seconds after a lockoutAuth failure
130 * before use of lockoutAuth is allowed.
131 * @retval ESYS_RC_SUCCESS if the function call was a success.
132 * @retval TSS2_ESYS_RC_BAD_REFERENCE if the esysContext or required input
133 * pointers or required output handle references are NULL.
134 * @retval TSS2_ESYS_RC_BAD_CONTEXT: if esysContext corruption is detected.
135 * @retval TSS2_ESYS_RC_MEMORY: if the ESAPI cannot allocate enough memory for
136 * internal operations or return parameters.
137 * @retval TSS2_RCs produced by lower layers of the software stack may be
138 returned to the caller unaltered unless handled internally.
139 * @retval TSS2_ESYS_RC_MULTIPLE_DECRYPT_SESSIONS: if more than one session has
140 * the 'decrypt' attribute bit set.
141 * @retval TSS2_ESYS_RC_MULTIPLE_ENCRYPT_SESSIONS: if more than one session has
142 * the 'encrypt' attribute bit set.
143 * @retval TSS2_ESYS_RC_BAD_TR: if any of the ESYS_TR objects are unknown
144 * to the ESYS_CONTEXT or are of the wrong type or if required
145 * ESYS_TR objects are ESYS_TR_NONE.
146 * @retval TSS2_ESYS_RC_NO_DECRYPT_PARAM: if one of the sessions has the
147 * 'decrypt' attribute set and the command does not support encryption
148 * of the first command parameter.
149 * @retval TSS2_ESYS_RC_NO_ENCRYPT_PARAM: if one of the sessions has the
150 * 'encrypt' attribute set and the command does not support encryption
151 * of the first response parameter.
152 */
153 TSS2_RC
Esys_DictionaryAttackParameters_Async(ESYS_CONTEXT * esysContext,ESYS_TR lockHandle,ESYS_TR shandle1,ESYS_TR shandle2,ESYS_TR shandle3,UINT32 newMaxTries,UINT32 newRecoveryTime,UINT32 lockoutRecovery)154 Esys_DictionaryAttackParameters_Async(
155 ESYS_CONTEXT *esysContext,
156 ESYS_TR lockHandle,
157 ESYS_TR shandle1,
158 ESYS_TR shandle2,
159 ESYS_TR shandle3,
160 UINT32 newMaxTries,
161 UINT32 newRecoveryTime,
162 UINT32 lockoutRecovery)
163 {
164 TSS2_RC r;
165 LOG_TRACE("context=%p, lockHandle=%"PRIx32 ", newMaxTries=%"PRIx32 ","
166 "newRecoveryTime=%"PRIx32 ", lockoutRecovery=%"PRIx32 "",
167 esysContext, lockHandle, newMaxTries, newRecoveryTime, lockoutRecovery);
168 TSS2L_SYS_AUTH_COMMAND auths;
169 RSRC_NODE_T *lockHandleNode;
170
171 /* Check context, sequence correctness and set state to error for now */
172 if (esysContext == NULL) {
173 LOG_ERROR("esyscontext is NULL.");
174 return TSS2_ESYS_RC_BAD_REFERENCE;
175 }
176 r = iesys_check_sequence_async(esysContext);
177 if (r != TSS2_RC_SUCCESS)
178 return r;
179 esysContext->state = _ESYS_STATE_INTERNALERROR;
180
181 /* Check input parameters */
182 r = check_session_feasibility(shandle1, shandle2, shandle3, 1);
183 return_state_if_error(r, _ESYS_STATE_INIT, "Check session usage");
184
185 /* Retrieve the metadata objects for provided handles */
186 r = esys_GetResourceObject(esysContext, lockHandle, &lockHandleNode);
187 return_state_if_error(r, _ESYS_STATE_INIT, "lockHandle unknown.");
188
189 /* Initial invocation of SAPI to prepare the command buffer with parameters */
190 r = Tss2_Sys_DictionaryAttackParameters_Prepare(esysContext->sys,
191 (lockHandleNode == NULL)
192 ? TPM2_RH_NULL
193 : lockHandleNode->rsrc.handle,
194 newMaxTries, newRecoveryTime,
195 lockoutRecovery);
196 return_state_if_error(r, _ESYS_STATE_INIT, "SAPI Prepare returned error.");
197
198 /* Calculate the cpHash Values */
199 r = init_session_tab(esysContext, shandle1, shandle2, shandle3);
200 return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources");
201 if (lockHandleNode != NULL)
202 iesys_compute_session_value(esysContext->session_tab[0],
203 &lockHandleNode->rsrc.name, &lockHandleNode->auth);
204 else
205 iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL);
206
207 iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL);
208 iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL);
209
210 /* Generate the auth values and set them in the SAPI command buffer */
211 r = iesys_gen_auths(esysContext, lockHandleNode, NULL, NULL, &auths);
212 return_state_if_error(r, _ESYS_STATE_INIT,
213 "Error in computation of auth values");
214
215 esysContext->authsCount = auths.count;
216 if (auths.count > 0) {
217 r = Tss2_Sys_SetCmdAuths(esysContext->sys, &auths);
218 return_state_if_error(r, _ESYS_STATE_INIT, "SAPI error on SetCmdAuths");
219 }
220
221 /* Trigger execution and finish the async invocation */
222 r = Tss2_Sys_ExecuteAsync(esysContext->sys);
223 return_state_if_error(r, _ESYS_STATE_INTERNALERROR,
224 "Finish (Execute Async)");
225
226 esysContext->state = _ESYS_STATE_SENT;
227
228 return r;
229 }
230
231 /** Asynchronous finish function for TPM2_DictionaryAttackParameters
232 *
233 * This function returns the results of a TPM2_DictionaryAttackParameters command
234 * invoked via Esys_DictionaryAttackParameters_Finish. All non-simple output parameters
235 * are allocated by the function's implementation. NULL can be passed for every
236 * output parameter if the value is not required.
237 *
238 * @param[in,out] esysContext The ESYS_CONTEXT.
239 * @retval TSS2_RC_SUCCESS on success
240 * @retval ESYS_RC_SUCCESS if the function call was a success.
241 * @retval TSS2_ESYS_RC_BAD_REFERENCE if the esysContext or required input
242 * pointers or required output handle references are NULL.
243 * @retval TSS2_ESYS_RC_BAD_CONTEXT: if esysContext corruption is detected.
244 * @retval TSS2_ESYS_RC_MEMORY: if the ESAPI cannot allocate enough memory for
245 * internal operations or return parameters.
246 * @retval TSS2_ESYS_RC_BAD_SEQUENCE: if the context has an asynchronous
247 * operation already pending.
248 * @retval TSS2_ESYS_RC_TRY_AGAIN: if the timeout counter expires before the
249 * TPM response is received.
250 * @retval TSS2_ESYS_RC_INSUFFICIENT_RESPONSE: if the TPM's response does not
251 * at least contain the tag, response length, and response code.
252 * @retval TSS2_ESYS_RC_RSP_AUTH_FAILED: if the response HMAC from the TPM did
253 * not verify.
254 * @retval TSS2_ESYS_RC_MALFORMED_RESPONSE: if the TPM's response is corrupted.
255 * @retval TSS2_RCs produced by lower layers of the software stack may be
256 * returned to the caller unaltered unless handled internally.
257 */
258 TSS2_RC
Esys_DictionaryAttackParameters_Finish(ESYS_CONTEXT * esysContext)259 Esys_DictionaryAttackParameters_Finish(
260 ESYS_CONTEXT *esysContext)
261 {
262 TSS2_RC r;
263 LOG_TRACE("context=%p",
264 esysContext);
265
266 if (esysContext == NULL) {
267 LOG_ERROR("esyscontext is NULL.");
268 return TSS2_ESYS_RC_BAD_REFERENCE;
269 }
270
271 /* Check for correct sequence and set sequence to irregular for now */
272 if (esysContext->state != _ESYS_STATE_SENT &&
273 esysContext->state != _ESYS_STATE_RESUBMISSION) {
274 LOG_ERROR("Esys called in bad sequence.");
275 return TSS2_ESYS_RC_BAD_SEQUENCE;
276 }
277 esysContext->state = _ESYS_STATE_INTERNALERROR;
278
279 /*Receive the TPM response and handle resubmissions if necessary. */
280 r = Tss2_Sys_ExecuteFinish(esysContext->sys, esysContext->timeout);
281 if ((r & ~TSS2_RC_LAYER_MASK) == TSS2_BASE_RC_TRY_AGAIN) {
282 LOG_DEBUG("A layer below returned TRY_AGAIN: %" PRIx32, r);
283 esysContext->state = _ESYS_STATE_SENT;
284 return r;
285 }
286 /* This block handle the resubmission of TPM commands given a certain set of
287 * TPM response codes. */
288 if (r == TPM2_RC_RETRY || r == TPM2_RC_TESTING || r == TPM2_RC_YIELDED) {
289 LOG_DEBUG("TPM returned RETRY, TESTING or YIELDED, which triggers a "
290 "resubmission: %" PRIx32, r);
291 if (esysContext->submissionCount++ >= _ESYS_MAX_SUBMISSIONS) {
292 LOG_WARNING("Maximum number of (re)submissions has been reached.");
293 esysContext->state = _ESYS_STATE_INIT;
294 return r;
295 }
296 esysContext->state = _ESYS_STATE_RESUBMISSION;
297 r = Tss2_Sys_ExecuteAsync(esysContext->sys);
298 if (r != TSS2_RC_SUCCESS) {
299 LOG_WARNING("Error attempting to resubmit");
300 /* We do not set esysContext->state here but inherit the most recent
301 * state of the _async function. */
302 return r;
303 }
304 r = TSS2_ESYS_RC_TRY_AGAIN;
305 LOG_DEBUG("Resubmission initiated and returning RC_TRY_AGAIN.");
306 return r;
307 }
308 /* The following is the "regular error" handling. */
309 if (iesys_tpm_error(r)) {
310 LOG_WARNING("Received TPM Error");
311 esysContext->state = _ESYS_STATE_INIT;
312 return r;
313 } else if (r != TSS2_RC_SUCCESS) {
314 LOG_ERROR("Received a non-TPM Error");
315 esysContext->state = _ESYS_STATE_INTERNALERROR;
316 return r;
317 }
318
319 /*
320 * Now the verification of the response (hmac check) and if necessary the
321 * parameter decryption have to be done.
322 */
323 r = iesys_check_response(esysContext);
324 return_state_if_error(r, _ESYS_STATE_INTERNALERROR,
325 "Error: check response");
326
327 /*
328 * After the verification of the response we call the complete function
329 * to deliver the result.
330 */
331 r = Tss2_Sys_DictionaryAttackParameters_Complete(esysContext->sys);
332 return_state_if_error(r, _ESYS_STATE_INTERNALERROR,
333 "Received error from SAPI unmarshaling" );
334
335 esysContext->state = _ESYS_STATE_INIT;
336
337 return TSS2_RC_SUCCESS;
338 }
339