tpm2-util: gracefully skip deserialization when no input

While at it, this also makes tpm2_deserialize() take struct iovec.

Fixes #38507.

diff --git a/src/pcrlock/pcrlock.c b/src/pcrlock/pcrlock.c
index eae3075f953db7fb8af4d740a593c395f259ff05..457cec139f60d08da3a52fc2886eb880861dd5c1 100644 (file)
--- a/src/pcrlock/pcrlock.c
+++ b/src/pcrlock/pcrlock.c
@@ -4529,15 +4529,13 @@ static int make_policy(bool force, RecoveryPinMode recovery_pin_mode) {
 
         _cleanup_(tpm2_handle_freep) Tpm2Handle *srk_handle = NULL;
 
-        if (iovec_is_set(&srk_blob)) {
-                r = tpm2_deserialize(
-                                tc,
-                                srk_blob.iov_base,
-                                srk_blob.iov_len,
-                                &srk_handle);
-                if (r < 0)
-                        return log_error_errno(r, "Failed to deserialize SRK TR: %m");
-        } else {
+        r = tpm2_deserialize(
+                        tc,
+                        &srk_blob,
+                        &srk_handle);
+        if (r < 0)
+                return log_error_errno(r, "Failed to deserialize SRK TR: %m");
+        if (r == 0) {
                 r = tpm2_get_or_create_srk(
                                 tc,
                                 /* session= */ NULL,
@@ -4606,13 +4604,11 @@ static int make_policy(bool force, RecoveryPinMode recovery_pin_mode) {
         _cleanup_(tpm2_handle_freep) Tpm2Handle *nv_handle = NULL;
         TPM2_HANDLE nv_index = 0;
 
-        if (iovec_is_set(&nv_blob)) {
-                r = tpm2_deserialize(tc, nv_blob.iov_base, nv_blob.iov_len, &nv_handle);
-                if (r < 0)
-                        return log_error_errno(r, "Failed to deserialize NV index TR: %m");
-
+        r = tpm2_deserialize(tc, &nv_blob, &nv_handle);
+        if (r < 0)
+                return log_error_errno(r, "Failed to deserialize NV index TR: %m");
+        if (r > 0)
                 nv_index = old_policy.nv_index;
-        }
 
         TPM2B_AUTH auth = {};
         CLEANUP_ERASE(auth);
@@ -4881,20 +4877,18 @@ static int undefine_policy_nv_index(
         _cleanup_(tpm2_handle_freep) Tpm2Handle *srk_handle = NULL;
         r = tpm2_deserialize(
                         tc,
-                        srk_blob->iov_base,
-                        srk_blob->iov_len,
+                        srk_blob,
                         &srk_handle);
-                if (r < 0)
-                        return log_error_errno(r, "Failed to deserialize SRK TR: %m");
+        if (r < 0)
+                return log_error_errno(r, "Failed to deserialize SRK TR: %m");
 
         _cleanup_(tpm2_handle_freep) Tpm2Handle *nv_handle = NULL;
         r = tpm2_deserialize(
                         tc,
-                        nv_blob->iov_base,
-                        nv_blob->iov_len,
+                        nv_blob,
                         &nv_handle);
-                if (r < 0)
-                        return log_error_errno(r, "Failed to deserialize NV TR: %m");
+        if (r < 0)
+                return log_error_errno(r, "Failed to deserialize NV TR: %m");
 
         _cleanup_(tpm2_handle_freep) Tpm2Handle *encryption_session = NULL;
         r = tpm2_make_encryption_session(

diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index 20d34631003d3e59bf99e77d65eb7c571764f612..6abebb5d5d58e65a3e5a51c702a46b64a9c89bf1 100644 (file)
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -4164,8 +4164,7 @@ static int tpm2_build_sealing_policy(
 
                 r = tpm2_deserialize(
                                 c,
-                                pcrlock_policy->nv_handle.iov_base,
-                                pcrlock_policy->nv_handle.iov_len,
+                                &pcrlock_policy->nv_handle,
                                 &nv_handle);
                 if (r < 0)
                         return r;
@@ -4605,17 +4604,20 @@ int tpm2_serialize(
 
 int tpm2_deserialize(
                 Tpm2Context *c,
-                const void *serialized,
-                size_t serialized_size,
+                const struct iovec *serialized,
                 Tpm2Handle **ret_handle) {
 
         TSS2_RC rc;
         int r;
 
         assert(c);
-        assert(serialized);
         assert(ret_handle);
 
+        if (!iovec_is_set(serialized)) {
+                *ret_handle = NULL;
+                return 0;
+        }
+
         _cleanup_(tpm2_handle_freep) Tpm2Handle *handle = NULL;
         r = tpm2_handle_new(c, &handle);
         if (r < 0)
@@ -4624,14 +4626,13 @@ int tpm2_deserialize(
         /* Since this is an existing handle in the TPM we should not implicitly flush it. */
         handle->flush = false;
 
-        rc = sym_Esys_TR_Deserialize(c->esys_context, serialized, serialized_size, &handle->esys_handle);
+        rc = sym_Esys_TR_Deserialize(c->esys_context, serialized->iov_base, serialized->iov_len, &handle->esys_handle);
         if (rc != TSS2_RC_SUCCESS)
                 return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
                                        "Failed to deserialize: %s", sym_Tss2_RC_Decode(rc));
 
         *ret_handle = TAKE_PTR(handle);
-
-        return 0;
+        return 1;
 }
 
 #if HAVE_OPENSSL
@@ -5564,11 +5565,13 @@ int tpm2_unseal(Tpm2Context *c,
         }
 
         _cleanup_(tpm2_handle_freep) Tpm2Handle *primary_handle = NULL;
-        if (iovec_is_set(srk)) {
-                r = tpm2_deserialize(c, srk->iov_base, srk->iov_len, &primary_handle);
-                if (r < 0)
-                        return r;
-        } else if (primary_alg != 0) {
+        r = tpm2_deserialize(c, srk, &primary_handle);
+        if (r < 0)
+                return r;
+        if (r == 0) {
+                if (primary_alg == 0)
+                        return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "No SRK or primary algorithm provided.");
+
                 TPM2B_PUBLIC template = {
                         .size = sizeof(TPMT_PUBLIC),
                 };
@@ -5585,9 +5588,7 @@ int tpm2_unseal(Tpm2Context *c,
                                 &primary_handle);
                 if (r < 0)
                         return r;
-        } else
-                return log_debug_errno(SYNTHETIC_ERRNO(EINVAL),
-                                       "No SRK or primary alg provided.");
+        }
 
         TPM2B_PUBLIC pubkey_tpm2b;
         _cleanup_(iovec_done) struct iovec fp = {};

diff --git a/src/shared/tpm2-util.h b/src/shared/tpm2-util.h
index 9b6b143619f293ef400a74ef5da6c0619c51556a..f938b3981a3e0edbdf1434befb6b38cbd331fb3c 100644 (file)
--- a/src/shared/tpm2-util.h
+++ b/src/shared/tpm2-util.h
@@ -302,7 +302,7 @@ int tpm2_seal_data(Tpm2Context *c, const struct iovec *data, const Tpm2Handle *p
 int tpm2_unseal_data(Tpm2Context *c, const struct iovec *public, const struct iovec *private, const Tpm2Handle *primary_handle, const Tpm2Handle *policy_session, const Tpm2Handle *encryption_session, struct iovec *ret_data);
 
 int tpm2_serialize(Tpm2Context *c, const Tpm2Handle *handle, void **ret_serialized, size_t *ret_serialized_size);
-int tpm2_deserialize(Tpm2Context *c, const void *serialized, size_t serialized_size, Tpm2Handle **ret_handle);
+int tpm2_deserialize(Tpm2Context *c, const struct iovec *serialized, Tpm2Handle **ret_handle);
 
 int tpm2_load_public_key_file(const char *path, TPM2B_PUBLIC *ret);