tpm2-software / tpm2-tss

OSS implementation of the TCG TPM2 Software Stack (TSS2)
https://tpm2-software.github.io
BSD 2-Clause "Simplified" License

ESYS: StartAuthSession bind auth trailing zeroes #2836

Closed throwException closed 1 month ago

throwException commented 1 month ago

When StartAuthSession is called with a bind entity with an auth value containing trailing zeroes, the HMAC or policy session computation of ESYS does not match the computation on the TPM2.

The fix is to remove trailing zeroes from the auth value according to the specification (TPM2 Architecture, 19.6.5, Note 2) before computation of the session key.

The fixed bug is especially tricky as a randomly generated auth value of the bind object can cause an HMAC or policy session to fail occasionally.
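The normalisation the report refers to, shown as an added example that is not code from the tpm2-tss project: TPM 2.0 Part 1, 19.6.5, Note 2 requires trailing zero octets to be removed from the bind entity's auth value before it enters the session-key derivation (the KDFa key is `authValue_bind || salt`). The function names, the `AUTH_MAX` bound and the sample auth and salt values are constructed for this example; the KDFa/HMAC step itself is left out so that the block has no external dependencies.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Maximum auth value length used by this example (assumption; a real
 * TPM2B_AUTH is bounded by the TPM's largest digest size). */
#define AUTH_MAX 64

/* Strip trailing zero octets from an auth value. TPM 2.0 Part 1
 * (Architecture), 19.6.5, Note 2 requires this before the value is used
 * in the session-key derivation, so that an auth value padded with zeros
 * (e.g. a short secret stored in a fixed-size buffer) keys the session the
 * same way on the caller side as on the TPM. Returns the trimmed length;
 * an all-zero auth value trims to length 0, i.e. the empty auth. */
size_t trim_trailing_zeros(const uint8_t *auth, size_t len)
{
    while (len > 0 && auth[len - 1] == 0x00)
        len--;
    return len;
}

/* Assemble the KDFa key for a bound, salted session as the specification
 * describes it: trimmed(authValue_bind) || salt. Only the concatenation is
 * shown here; the KDFa/HMAC step is omitted. Returns the number of bytes
 * written, or 0 if the output buffer is too small. */
size_t build_session_key_material(const uint8_t *auth, size_t auth_len,
                                  const uint8_t *salt, size_t salt_len,
                                  uint8_t *out, size_t out_len)
{
    size_t trimmed = trim_trailing_zeros(auth, auth_len);
    if (trimmed + salt_len > out_len)
        return 0;
    memcpy(out, auth, trimmed);
    memcpy(out + trimmed, salt, salt_len);
    return trimmed + salt_len;
}

/* Constructed scenario: the bind entity's auth value "secret" was set from
 * a 16-byte buffer, so it carries ten trailing zero octets. The TPM trims
 * them; a client that does not trim derives a different session key and
 * every HMAC check on that session then fails, exactly the intermittent
 * failure the report describes for random auth values that happen to end
 * in 0x00. Returns 1 if the padded and exact auth values yield identical
 * key material after normalisation. */
int bind_auth_trailing_zero_demo(void)
{
    const uint8_t auth_padded[16] = { 's', 'e', 'c', 'r', 'e', 't' }; /* rest zero */
    const uint8_t auth_exact[6]   = { 's', 'e', 'c', 'r', 'e', 't' };
    /* Constructed salt; in a real session this is the decrypted salt value. */
    const uint8_t salt[8] = { 0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04 };
    uint8_t km_padded[AUTH_MAX + sizeof salt];
    uint8_t km_exact[AUTH_MAX + sizeof salt];

    size_t n1 = build_session_key_material(auth_padded, sizeof auth_padded,
                                           salt, sizeof salt,
                                           km_padded, sizeof km_padded);
    size_t n2 = build_session_key_material(auth_exact, sizeof auth_exact,
                                           salt, sizeof salt,
                                           km_exact, sizeof km_exact);

    /* Without trimming the first input would be 16 + 8 = 24 bytes and the
     * second 6 + 8 = 14, so the derived session keys could never match. */
    return n1 == n2 && n1 == 6 + sizeof salt
           && memcmp(km_padded, km_exact, n1) == 0;
}

int main(void)
{
    const uint8_t padded[16] = { 's', 'e', 'c', 'r', 'e', 't' };
    printf("trimmed length of 16-byte padded auth: %zu\n",
           trim_trailing_zeros(padded, sizeof padded));
    printf("key material matches TPM computation: %s\n",
           bind_auth_trailing_zero_demo() ? "yes" : "no");
    return 0;
}
```

The check to keep in mind when reviewing a client-side session implementation is that the trimming must happen on the same value the TPM sees: the bind entity's auth as stored in the TPM, not a copy that was zero-padded when it was loaded into a fixed-size structure.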

tomoveu commented 1 month ago

good find @throwException

AndreasFuchsTPM commented 1 month ago

I am wondering why https://github.com/tpm2-software/tpm2-tss/blob/80f87339fb73fd50b581b5927711e45e64279348/src/tss2-esys/esys_tr.c#L510 and https://github.com/tpm2-software/tpm2-tss/blob/a19ac4c61c3f3bbdfc61cf01040a30729d6ba441/src/tss2-esys/esys_iutil.c#L1734 are not effective in this case of bind?

The idea was and is that the auth values carried in the metadata are always free of trailing zeros to begin with. Thus I don't like the fix at this place but rather want to find out the call path that circumvented the previous cases.

throwException commented 1 month ago

@AndreasFuchsTPM I'm sorry, this bug was already fixed in 4.0.2 by commit d3bcce8c7ed13d7eef6a0fbcb536fcf217804289.

AndreasFuchsTPM commented 1 month ago

No worries, PRs are always welcome!