Options: Add option to allow usage of password session.

For authentication of an object always an HMAC session was used. For an unsalted session an openssl HMAC key with the size of the auth value was created. This caused problems with the OpenSSL FIPS mode if the key length is less than 112 bits. To avoid this the option --pwd-session (-z) is added. Here the session handle ESYS_TR_PASSWORD will be used. For example, now the EK can be used to create a salted session: tpm2_createek --pwd-session -Q --key-algorithm rsa --ek-context ek.ctx tpm2_startauthsession -Q --session salted_session.ctx --hmac-session --tpmkey-context ek.ctx tpm2_sessionconfig -Q salted_session.ctx --enable-decrypt tpm2_createprimary -c prim.ctx -P session:salted_session.ctx Adresses: #3420 Signed-off-by: Juergen Repp <[email protected]>
tpm2-software · Oct 7, 2024 · d8a7a06 · d8a7a06
1 parent 58f5428
commit d8a7a06
Showing 50 changed files with 168 additions and 156 deletions.
diff --git a/lib/tpm2_auth_util.c b/lib/tpm2_auth_util.c
@@ -467,7 +467,13 @@ tool_rc tpm2_auth_util_from_optarg(ESYS_CONTEXT *ectx, const char *password,
     }
 
     /* must be a password */
-    return handle_password_session(ectx, password, session);
+    if (is_restricted) {
+        /* ESYS_TR_PASSWORD will be used as handle. */
+        return handle_password_session(NULL, password, session);
+    } else {
+        /* A hmac session will be created. */
+        return handle_password_session(ectx, password, session);
+    }
 }
 
 tool_rc tpm2_auth_util_get_shandle(ESYS_CONTEXT *ectx, ESYS_TR object,

diff --git a/lib/tpm2_options.c b/lib/tpm2_options.c
@@ -288,11 +288,12 @@ tpm2_option_code tpm2_handle_options(int argc, char **argv,
         { "quiet",         no_argument,       NULL, 'Q' },
         { "version",       no_argument,       NULL, 'v' },
         { "enable-errata", no_argument,       NULL, 'Z' },
+        { "pwd-session",   no_argument,       NULL, 'z' },
     };
 
 
     /* handle any options */
-    const char* common_short_opts = "T:h::vVQZ";
+    const char* common_short_opts = "T:h::vVQZz";
     tpm2_options *opts = tpm2_options_new(common_short_opts,
             ARRAY_LEN(long_options), long_options, NULL, NULL, 0);
     if (!opts) {
@@ -373,6 +374,9 @@ tpm2_option_code tpm2_handle_options(int argc, char **argv,
         case 'V':
             flags->verbose = 1;
             break;
+        case 'z':
+            flags->restricted_pwd_session = 1;
+            break;
         case 'Q':
             flags->quiet = 1;
             break;

diff --git a/lib/tpm2_options.h b/lib/tpm2_options.h
@@ -22,6 +22,8 @@ union tpm2_option_flags {
         uint8_t quiet :1;
         uint8_t enable_errata :1;
         uint8_t tcti_none :1;
+        uint8_t restricted_pwd_session :1;
+
     };
     uint8_t all;
 };

diff --git a/man/common/options.md b/man/common/options.md
@@ -22,11 +22,16 @@ information that many users may expect.
 
   * **-Q**, **\--quiet**:
     Silence normal tool output to stdout.
-
+x
   * **-Z**, **\--enable-errata**:
     Enable the application of errata fixups. Useful if an errata fixup needs to be
     applied to commands sent to the TPM. Defining the environment
     TPM2TOOLS\_ENABLE\_ERRATA is equivalent.
+  * **-z**, **\--pwd-session**:
+    Use password session instead of a HMAC session for authentication. A clear text password
+    is passed to the TPM to authorize the action. This option can be used to avoid problems
+    when unsalted sessions are used in OpenSSL FIPS mode. If auth values are used
+    a salted session should be used for authentication.
   * **-R**, **\--autoflush**:
     Enable autoflush for transient objects created by the command. If a parent
     object is loaded from a context file also the transient parent object will

diff --git a/tools/misc/tpm2_encodeobject.c b/tools/misc/tpm2_encodeobject.c
@@ -113,7 +113,7 @@ static tool_rc check_opts(void) {
     return rc;
 }
 
-static tool_rc init(ESYS_CONTEXT *ectx) {
+static tool_rc init(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
     bool res = files_load_public(ctx.object.pubpath, &ctx.object.public);
     if (!res) {
         return tool_rc_general_error;
@@ -125,7 +125,7 @@ static tool_rc init(ESYS_CONTEXT *ectx) {
     }
 
     return tpm2_util_object_load_auth(ectx, ctx.parent.ctx_path,
-            ctx.parent.auth_str, &ctx.parent.object, false,
+            ctx.parent.auth_str, &ctx.parent.object, flags.restricted_pwd_session,
             TPM2_HANDLE_ALL_W_NV);
 }
 
@@ -212,14 +212,13 @@ static int encode(ESYS_CONTEXT *ectx) {
 }
 
 static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
-    UNUSED(flags);
 
     tool_rc rc = check_opts();
     if (rc != tool_rc_success) {
         return rc;
     }
 
-    rc = init(ectx);
+    rc = init(ectx, flags);
     if (rc != tool_rc_success) {
         return rc;
     }

diff --git a/tools/tpm2_activatecredential.c b/tools/tpm2_activatecredential.c
@@ -173,7 +173,7 @@ static bool read_cert_secret(void) {
     return result;
 }
 
-static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
+static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
 
     /*
      * 1. Object and auth initializations
@@ -189,14 +189,14 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
 
     /* Object #1 */
     tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.credential_key.ctx_path,
-        ctx.credential_key.auth_str, &ctx.credential_key.object, false,
+        ctx.credential_key.auth_str, &ctx.credential_key.object, flags.restricted_pwd_session,
         TPM2_HANDLE_ALL_W_NV);
     if (rc != tool_rc_success) {
         return rc;
     }
     /* Object #2 */
     rc = tpm2_util_object_load_auth(ectx, ctx.credentialed_key.ctx_path,
-        ctx.credentialed_key.auth_str, &ctx.credentialed_key.object, false,
+        ctx.credentialed_key.auth_str, &ctx.credentialed_key.object, flags.restricted_pwd_session,
         TPM2_HANDLE_ALL_W_NV);
     if (rc != tool_rc_success) {
         return rc;
@@ -341,7 +341,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
     /*
      * 2. Process inputs
      */
-    rc = process_inputs(ectx);
+    rc = process_inputs(ectx, flags);
     if (rc != tool_rc_success) {
         return rc;
     }

diff --git a/tools/tpm2_certify.c b/tools/tpm2_certify.c
@@ -137,7 +137,7 @@ static tool_rc process_output(ESYS_CONTEXT *ectx) {
     return is_file_op_success ? tool_rc_success : tool_rc_general_error;
 }
 
-static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
+static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
 
     /*
      * 1. Object and auth initializations
@@ -152,15 +152,15 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
      */
     /* Object #1 */
     tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.certified_key.ctx_path,
-        ctx.certified_key.auth_str, &ctx.certified_key.object, false,
+        ctx.certified_key.auth_str, &ctx.certified_key.object, flags.restricted_pwd_session,
         TPM2_HANDLE_ALL_W_NV);
     if (rc != tool_rc_success) {
         return rc;
     }
 
     /* Object #2 */
     rc = tpm2_util_object_load_auth(ectx, ctx.signing_key.ctx_path,
-        ctx.signing_key.auth_str, &ctx.signing_key.object, false,
+        ctx.signing_key.auth_str, &ctx.signing_key.object, flags.restricted_pwd_session,
         TPM2_HANDLE_ALL_W_NV);
     if (rc != tool_rc_success) {
         return rc;
@@ -333,7 +333,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
     /*
      * 2. Process inputs
      */
-    rc = process_inputs(ectx);
+    rc = process_inputs(ectx, flags);
     if (rc != tool_rc_success) {
         return rc;
     }

diff --git a/tools/tpm2_certifycreation.c b/tools/tpm2_certifycreation.c
@@ -135,7 +135,7 @@ static tool_rc process_output(void) {
     return is_file_op_success ? tool_rc_success : tool_rc_general_error;
 }
 
-static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
+static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
 
     /*
      * 1. Object and auth initializations
@@ -149,7 +149,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
      * 1.b Add object names and their auth sessions
      */
     tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.signing_key.ctx_path,
-        ctx.signing_key.auth_str, &ctx.signing_key.object, false,
+        ctx.signing_key.auth_str, &ctx.signing_key.object, flags.restricted_pwd_session,
         TPM2_HANDLES_FLAGS_TRANSIENT|TPM2_HANDLES_FLAGS_PERSISTENT);
     if (rc != tool_rc_success) {
         LOG_ERR("Invalid signing key/ authorization.");
@@ -413,7 +413,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
    /*
      * 2. Process inputs
      */
-    tool_rc rc = process_inputs(ectx);
+    tool_rc rc = process_inputs(ectx, flags);
     if (rc != tool_rc_success) {
         return rc;
     }

diff --git a/tools/tpm2_changeauth.c b/tools/tpm2_changeauth.c
@@ -181,7 +181,7 @@ static inline bool object_needs_parent(tpm2_loaded_object *obj) {
     return (h == TPM2_HR_TRANSIENT) || (h == TPM2_HR_PERSISTENT);
 }
 
-static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
+static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
 
     /*
      * 1. Object and auth initializations
@@ -206,7 +206,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
 
     /* Object #1 */
     rc = tpm2_util_object_load_auth(ectx, ctx.object.ctx,
-        ctx.object.auth_current, &ctx.object.obj, false, TPM2_HANDLE_ALL_W_NV);
+        ctx.object.auth_current, &ctx.object.obj, flags.restricted_pwd_session, TPM2_HANDLE_ALL_W_NV);
     if (rc != tool_rc_success) {
         return rc;
     }
@@ -377,7 +377,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
     /*
      * 2. Process inputs
      */
-    rc = process_inputs(ectx);
+    rc = process_inputs(ectx, flags);
     if (rc != tool_rc_success) {
         return rc;
     }

diff --git a/tools/tpm2_clear.c b/tools/tpm2_clear.c
@@ -70,7 +70,7 @@ static tool_rc process_output(ESYS_CONTEXT *ectx) {
 }
 
 
-static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
+static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
 
     /*
      * 1. Object and auth initializations
@@ -86,7 +86,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
 
     /* Object #1 */
     tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.auth_hierarchy.ctx_path,
-            ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, false,
+            ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, flags.restricted_pwd_session,
             TPM2_HANDLE_FLAGS_L | TPM2_HANDLE_FLAGS_P);
     if (rc != tool_rc_success) {
         LOG_ERR("Invalid lockout authorization");
@@ -199,7 +199,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
     /*
      * 2. Process inputs
      */
-    rc = process_inputs(ectx);
+    rc = process_inputs(ectx, flags);
     if (rc != tool_rc_success) {
         return rc;
     }

diff --git a/tools/tpm2_clearcontrol.c b/tools/tpm2_clearcontrol.c
@@ -78,7 +78,7 @@ static tool_rc process_output(ESYS_CONTEXT *ectx) {
     return rc;
 }
 
-static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
+static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
 
     /*
      * 1. Object and auth initializations
@@ -94,7 +94,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
 
     /* Object #1 */
     tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.auth_hierarchy.ctx_path,
-            ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, false,
+            ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, flags.restricted_pwd_session,
             TPM2_HANDLE_FLAGS_L | TPM2_HANDLE_FLAGS_P);
     if (rc != tool_rc_success) {
         LOG_ERR("Invalid lockout authorization");
@@ -233,7 +233,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
     /*
      * 2. Process inputs
      */
-    rc = process_inputs(ectx);
+    rc = process_inputs(ectx, flags);
     if (rc != tool_rc_success) {
         return rc;
     }

diff --git a/tools/tpm2_clockrateadjust.c b/tools/tpm2_clockrateadjust.c
@@ -77,7 +77,7 @@ static tool_rc process_output(ESYS_CONTEXT *ectx) {
 }
 
 
-static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
+static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
 
     /*
      * 1. Object and auth initializations
@@ -93,7 +93,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
 
     /* Object #1 */
     tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.auth_hierarchy.ctx_path,
-            ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, false,
+            ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, flags.restricted_pwd_session,
             TPM2_HANDLE_FLAGS_O | TPM2_HANDLE_FLAGS_P);
     if (rc != tool_rc_success) {
         LOG_ERR("Invalid lockout authorization");
@@ -225,7 +225,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
     /*
      * 2. Process inputs
      */
-    rc = process_inputs(ectx);
+    rc = process_inputs(ectx, flags);
     if (rc != tool_rc_success) {
         return rc;
     }

diff --git a/tools/tpm2_commit.c b/tools/tpm2_commit.c
@@ -110,7 +110,7 @@ static tool_rc process_outputs(ESYS_CONTEXT *ectx) {
     return tool_rc_success;
 }
 
-static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
+static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
 
     UNUSED(ectx);
     /*
@@ -125,7 +125,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
      * 1.b Add object names and their auth sessions
      */
     tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.signing_key.ctx_path,
-            ctx.signing_key.auth_str, &ctx.signing_key.object, false,
+            ctx.signing_key.auth_str, &ctx.signing_key.object, flags.restricted_pwd_session,
             TPM2_HANDLES_FLAGS_TRANSIENT|TPM2_HANDLES_FLAGS_PERSISTENT);
     if (rc != tool_rc_success) {
         return rc;
@@ -272,7 +272,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
     /*
      * 2. Process inputs
      */
-    rc = process_inputs(ectx);
+    rc = process_inputs(ectx, flags);
     if (rc != tool_rc_success) {
         return rc;
     }

diff --git a/tools/tpm2_create.c b/tools/tpm2_create.c
@@ -344,7 +344,7 @@ static tool_rc process_output(ESYS_CONTEXT *ectx) {
     return rc;
 }
 
-static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
+static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
 
     /*
      * 1. Object and auth initializations
@@ -368,7 +368,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
      * 1.b Add object names and their auth sessions
      */
     rc = tpm2_util_object_load_auth(ectx, ctx.parent.ctx_path,
-        ctx.parent.auth_str, &ctx.parent.object, false, TPM2_HANDLE_ALL_W_NV);
+        ctx.parent.auth_str, &ctx.parent.object, flags.restricted_pwd_session, TPM2_HANDLE_ALL_W_NV);
     if (rc != tool_rc_success) {
         return rc;
     }
@@ -626,7 +626,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
     /*
      * 2. Process inputs
      */
-    rc = process_inputs(ectx);
+    rc = process_inputs(ectx, flags);
     if (rc != tool_rc_success) {
         return rc;
     }