
Using tpm2_ptool verify --sopin leads to local variable referenced before assignment #624

Closed
fishilico opened this issue Nov 11, 2020 · 0 comments · Fixed by #635
Labels
bug Something isn't working


@fishilico

Hello,
While testing some arguments of tpm2_ptool, I encountered the following error:

$ ./tpm2_ptool verify --sopin $PIN --label tpm-ssh1
Traceback (most recent call last):
  File "/usr/lib/python3.8/runpy.py", line 194, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/usr/lib/python3.8/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/home/user/github/tpm2-pkcs11/tools/tpm2_pkcs11/tpm2_ptool.py", line 30, in <module>
    main()
  File "/home/user/github/tpm2-pkcs11/tools/tpm2_pkcs11/tpm2_ptool.py", line 26, in main
    commandlet.init('A tool for manipulating the tpm2-pkcs11 database')
  File "/home/user/github/tpm2-pkcs11/tools/tpm2_pkcs11/command.py", line 102, in init
    commandlet.get()[d['which']](d)
  File "/home/user/github/tpm2-pkcs11/tools/tpm2_pkcs11/commandlets_token.py", line 181, in __call__
    VerifyCommand.verify(db, args)
  File "/home/user/github/tpm2-pkcs11/tools/tpm2_pkcs11/commandlets_token.py", line 136, in verify
    'auth' : usersealauth['hash']
UnboundLocalError: local variable 'usersealauth' referenced before assignment

There is a bug in

```python
if sopin != None:
    sosealctx = tpm2.load(pobj_handle, pobjauth,
                          sealobj['sopriv'], sealobj['sopub'])
    # Unseal the wrapping key auth
    sosealauthsalt = sealobj['soauthsalt']
    sosealauth = hash_pass(sopin, salt=sosealauthsalt)
    wrappingkeyauth = tpm2.unseal(sosealctx, sosealauth['hash'])
    verify_output['pin']['so'] = {'seal-auth' : sosealauth['hash'] }
if userpin != None:
    usersealctx = tpm2.load(pobj_handle, pobjauth,
                            sealobj['userpriv'],
                            sealobj['userpub'])
    # Unseal the wrapping key auth
    usersealauthsalt = sealobj['userauthsalt']
    usersealauth = hash_pass(userpin, salt=usersealauthsalt)
    wrappingkeyauth = tpm2.unseal(usersealctx,
                                  usersealauth['hash'])
    verify_output['pin']['user'] = {'seal-auth' : usersealauth['hash'] }
verify_output['wrappingkey'] = {
    'hex' : bytes.hex(wrappingkeyauth),
    'auth' : usersealauth['hash']
}
```

When sopin != None and userpin is None, sosealauth is set but not usersealauth and then on line 136, usersealauth is used while being uninitialized.

@williamcroberts williamcroberts added the bug Something isn't working label Nov 16, 2020
niooss-ledger added a commit to niooss-ledger/tpm2-pkcs11 that referenced this issue Dec 28, 2020
When using option `--sopin` in `tpm2_ptool verify`, `usersealauth` is
not initialized but is being used. In practice, the value in
`verify_output['wrappingkey']['auth']` is the same as the one in
`verify_output['pin']['user']`, so make sure this is set only when the
user PIN is really used.

Fixes: tpm2-software#624
Signed-off-by: Nicolas Iooss <nicolas.iooss@ledger.fr>
williamcroberts pushed a commit that referenced this issue Dec 28, 2020
When using option `--sopin` in `tpm2_ptool verify`, `usersealauth` is
not initialized but is being used. In practice, the value in
`verify_output['wrappingkey']['auth']` is the same as the one in
`verify_output['pin']['user']`, so make sure this is set only when the
user PIN is really used.

Fixes: #624
Signed-off-by: Nicolas Iooss <nicolas.iooss@ledger.fr>
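The following is an added, self-contained model of the `verify` logic with the fix the commit message describes applied: the wrapping-key `auth` field is emitted only inside the user-PIN branch, where `usersealauth` is actually defined, so `--sopin` alone no longer trips the `UnboundLocalError`. This is example code written for this page, not tpm2-pkcs11's own implementation. `hash_pass`, `FakeTpm2` (its `seal`, `load` and `unseal` methods) and `make_token` are constructed stand-ins for the real `hash_pass` and `tpm2` helpers so that the logic can be exercised without a TPM; the PINs, salts and wrapping-key auth value are constructed sample inputs.

```python
import hashlib
import hmac

# --- Constructed stand-ins (assumptions for this example, not the real API) ---

def hash_pass(pin: str, salt: str) -> dict:
    """Derive an auth value from a PIN and a salt, returning the same
    {'hash': ..., 'salt': ...} shape the snippet above indexes into."""
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt.encode(), 10_000)
    return {"hash": digest.hex(), "salt": salt}


class FakeTpm2:
    """In-memory model of sealed TPM objects: unseal() releases the secret
    only when the presented auth value matches the one it was sealed with."""

    def __init__(self):
        self._objects = {}

    def seal(self, name: str, auth_hash: str, secret: bytes) -> None:
        self._objects[name] = (auth_hash, secret)

    def load(self, pobj_handle, pobjauth, priv, pub):
        # In this model the 'priv' blob name is the loaded object's context.
        return priv

    def unseal(self, ctx, auth_hash: str) -> bytes:
        expected, secret = self._objects[ctx]
        if not hmac.compare_digest(expected, auth_hash):
            raise PermissionError("TPM auth failure")
        return secret


def make_token(tpm2, sopin, userpin, wrappingkeyauth,
               so_salt="so-salt", user_salt="user-salt"):
    """Seal the same wrapping-key auth under the SO PIN and the user PIN and
    return a sealobj dict with the keys the verify logic reads."""
    so = hash_pass(sopin, salt=so_salt)
    user = hash_pass(userpin, salt=user_salt)
    tpm2.seal("sopriv", so["hash"], wrappingkeyauth)
    tpm2.seal("userpriv", user["hash"], wrappingkeyauth)
    return {"sopriv": "sopriv", "sopub": "sopub", "soauthsalt": so_salt,
            "userpriv": "userpriv", "userpub": "userpub", "userauthsalt": user_salt}


# --- The verify logic with the fix applied ---

def verify_pins(tpm2, sealobj, pobj_handle, pobjauth, sopin=None, userpin=None):
    """Unseal the wrapping-key auth with whichever PINs were supplied.
    'wrappingkey.auth' is set only in the user-PIN branch, so it can never
    reference an unassigned usersealauth."""
    verify_output = {"pin": {}, "wrappingkey": {}}
    wrappingkeyauth = None

    if sopin is not None:
        sosealctx = tpm2.load(pobj_handle, pobjauth,
                              sealobj["sopriv"], sealobj["sopub"])
        sosealauth = hash_pass(sopin, salt=sealobj["soauthsalt"])
        wrappingkeyauth = tpm2.unseal(sosealctx, sosealauth["hash"])
        verify_output["pin"]["so"] = {"seal-auth": sosealauth["hash"]}

    if userpin is not None:
        usersealctx = tpm2.load(pobj_handle, pobjauth,
                                sealobj["userpriv"], sealobj["userpub"])
        usersealauth = hash_pass(userpin, salt=sealobj["userauthsalt"])
        wrappingkeyauth = tpm2.unseal(usersealctx, usersealauth["hash"])
        verify_output["pin"]["user"] = {"seal-auth": usersealauth["hash"]}
        # usersealauth exists only here, so report it only here.
        verify_output["wrappingkey"]["auth"] = usersealauth["hash"]

    if wrappingkeyauth is None:
        raise ValueError("at least one of sopin / userpin must be given")

    verify_output["wrappingkey"]["hex"] = bytes.hex(wrappingkeyauth)
    return verify_output


if __name__ == "__main__":
    tpm = FakeTpm2()
    token = make_token(tpm, "1234", "5678", b"\x01" * 8)  # constructed sample
    print(verify_pins(tpm, token, "pobj", "pobjauth", sopin="1234"))
```

Calling `verify_pins` with only `sopin` now returns the unsealed wrapping-key bytes and the SO seal-auth without an `auth` entry, which is the behaviour the fix commit asks for; a wrong PIN still fails at `unseal` rather than leaking anything through the output dict.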