Options: Add option to allow usage of password session.

For authentication of an object always an HMAC session was used.
For an unsalted session an openssl HMAC key with the size of the
auth value was created. This caused problems with the OpenSSL
FIPS mode if the key length is less than 112 bits.
To avoid this the option --pwd-session (-z) is added.
Here the session handle ESYS_TR_PASSWORD will be used.
For example, now the EK can be used to create a salted session:

tpm2_createek --pwd-session -Q --key-algorithm rsa --ek-context ek.ctx
tpm2_startauthsession -Q  --session salted_session.ctx --hmac-session --tpmkey-context ek.ctx
tpm2_sessionconfig -Q  salted_session.ctx --enable-decrypt
tpm2_createprimary -c prim.ctx -P session:salted_session.ctx

Adresses: #3420

Signed-off-by: Juergen Repp <juergen_repp@web.de>

Author: JuergenReppSIT

lib/tpm2_auth_util.c

@@ -467,7 +467,13 @@ tool_rc tpm2_auth_util_from_optarg(ESYS_CONTEXT *ectx, const char *password,
     }
 
     /* must be a password */
-    return handle_password_session(ectx, password, session);
+    if (is_restricted) {
+        /* ESYS_TR_PASSWORD will be used as handle. */
+        return handle_password_session(NULL, password, session);
+    } else {
+        /* A hmac session will be created. */
+        return handle_password_session(ectx, password, session);
+    }
 }
 
 tool_rc tpm2_auth_util_get_shandle(ESYS_CONTEXT *ectx, ESYS_TR object,

lib/tpm2_options.c

@@ -288,11 +288,12 @@ tpm2_option_code tpm2_handle_options(int argc, char **argv,
         { "quiet",         no_argument,       NULL, 'Q' },
         { "version",       no_argument,       NULL, 'v' },
         { "enable-errata", no_argument,       NULL, 'Z' },
+        { "pwd-session",   no_argument,       NULL, 'z' },
     };
 
 
     /* handle any options */
-    const char* common_short_opts = "T:h::vVQZ";
+    const char* common_short_opts = "T:h::vVQZz";
     tpm2_options *opts = tpm2_options_new(common_short_opts,
             ARRAY_LEN(long_options), long_options, NULL, NULL, 0);
     if (!opts) {
@@ -373,6 +374,9 @@ tpm2_option_code tpm2_handle_options(int argc, char **argv,
         case 'V':
             flags->verbose = 1;
             break;
+        case 'z':
+            flags->restricted_pwd_session = 1;
+            break;
         case 'Q':
             flags->quiet = 1;
             break;

lib/tpm2_options.h

@@ -22,6 +22,8 @@ union tpm2_option_flags {
         uint8_t quiet :1;
         uint8_t enable_errata :1;
         uint8_t tcti_none :1;
+        uint8_t restricted_pwd_session :1;
+        
     };
     uint8_t all;
 };

man/common/options.md

@@ -22,11 +22,16 @@ information that many users may expect.
 
   * **-Q**, **\--quiet**:
     Silence normal tool output to stdout.
-
+x
   * **-Z**, **\--enable-errata**:
     Enable the application of errata fixups. Useful if an errata fixup needs to be
     applied to commands sent to the TPM. Defining the environment
     TPM2TOOLS\_ENABLE\_ERRATA is equivalent.
+  * **-z**, **\--pwd-session**:
+    Use password session instead of a HMAC session for authentication. A clear text password
+    is passed to the TPM to authorize the action. This option can be used to avoid problems
+    when unsalted sessions are used in OpenSSL FIPS mode. If auth values are used
+    a salted session should be used for authentication.
   * **-R**, **\--autoflush**:
     Enable autoflush for transient objects created by the command. If a parent
     object is loaded from a context file also the transient parent object will

tools/misc/tpm2_encodeobject.c

@@ -113,7 +113,7 @@ static tool_rc check_opts(void) {
     return rc;
 }
 
-static tool_rc init(ESYS_CONTEXT *ectx) {
+static tool_rc init(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
     bool res = files_load_public(ctx.object.pubpath, &ctx.object.public);
     if (!res) {
         return tool_rc_general_error;
@@ -125,7 +125,7 @@ static tool_rc init(ESYS_CONTEXT *ectx) {
     }
 
     return tpm2_util_object_load_auth(ectx, ctx.parent.ctx_path,
-            ctx.parent.auth_str, &ctx.parent.object, false,
+            ctx.parent.auth_str, &ctx.parent.object, flags.restricted_pwd_session,
             TPM2_HANDLE_ALL_W_NV);
 }
 
@@ -212,14 +212,13 @@ static int encode(ESYS_CONTEXT *ectx) {
 }
 
 static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
-    UNUSED(flags);
 
     tool_rc rc = check_opts();
     if (rc != tool_rc_success) {
         return rc;
     }
 
-    rc = init(ectx);
+    rc = init(ectx, flags);
     if (rc != tool_rc_success) {
         return rc;
     }

tools/tpm2_activatecredential.c

@@ -173,7 +173,7 @@ static bool read_cert_secret(void) {
     return result;
 }
 
-static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
+static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
 
     /*
      * 1. Object and auth initializations
@@ -189,14 +189,14 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
 
     /* Object #1 */
     tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.credential_key.ctx_path,
-        ctx.credential_key.auth_str, &ctx.credential_key.object, false,
+        ctx.credential_key.auth_str, &ctx.credential_key.object, flags.restricted_pwd_session,
         TPM2_HANDLE_ALL_W_NV);
     if (rc != tool_rc_success) {
         return rc;
     }
     /* Object #2 */
     rc = tpm2_util_object_load_auth(ectx, ctx.credentialed_key.ctx_path,
-        ctx.credentialed_key.auth_str, &ctx.credentialed_key.object, false,
+        ctx.credentialed_key.auth_str, &ctx.credentialed_key.object, flags.restricted_pwd_session,
         TPM2_HANDLE_ALL_W_NV);
     if (rc != tool_rc_success) {
         return rc;
@@ -341,7 +341,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
     /*
      * 2. Process inputs
      */
-    rc = process_inputs(ectx);
+    rc = process_inputs(ectx, flags);
     if (rc != tool_rc_success) {
         return rc;
     }

tools/tpm2_certify.c

@@ -137,7 +137,7 @@ static tool_rc process_output(ESYS_CONTEXT *ectx) {
     return is_file_op_success ? tool_rc_success : tool_rc_general_error;
 }
 
-static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
+static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
 
     /*
      * 1. Object and auth initializations
@@ -152,15 +152,15 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
      */
     /* Object #1 */
     tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.certified_key.ctx_path,
-        ctx.certified_key.auth_str, &ctx.certified_key.object, false,
+        ctx.certified_key.auth_str, &ctx.certified_key.object, flags.restricted_pwd_session,
         TPM2_HANDLE_ALL_W_NV);
     if (rc != tool_rc_success) {
         return rc;
     }
 
     /* Object #2 */
     rc = tpm2_util_object_load_auth(ectx, ctx.signing_key.ctx_path,
-        ctx.signing_key.auth_str, &ctx.signing_key.object, false,
+        ctx.signing_key.auth_str, &ctx.signing_key.object, flags.restricted_pwd_session,
         TPM2_HANDLE_ALL_W_NV);
     if (rc != tool_rc_success) {
         return rc;
@@ -333,7 +333,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
     /*
      * 2. Process inputs
      */
-    rc = process_inputs(ectx);
+    rc = process_inputs(ectx, flags);
     if (rc != tool_rc_success) {
         return rc;
     }

tools/tpm2_certifycreation.c

@@ -135,7 +135,7 @@ static tool_rc process_output(void) {
     return is_file_op_success ? tool_rc_success : tool_rc_general_error;
 }
 
-static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
+static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
 
     /*
      * 1. Object and auth initializations
@@ -149,7 +149,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
      * 1.b Add object names and their auth sessions
      */
     tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.signing_key.ctx_path,
-        ctx.signing_key.auth_str, &ctx.signing_key.object, false,
+        ctx.signing_key.auth_str, &ctx.signing_key.object, flags.restricted_pwd_session,
         TPM2_HANDLES_FLAGS_TRANSIENT|TPM2_HANDLES_FLAGS_PERSISTENT);
     if (rc != tool_rc_success) {
         LOG_ERR("Invalid signing key/ authorization.");
@@ -413,7 +413,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
    /*
      * 2. Process inputs
      */
-    tool_rc rc = process_inputs(ectx);
+    tool_rc rc = process_inputs(ectx, flags);
     if (rc != tool_rc_success) {
         return rc;
     }

tools/tpm2_changeauth.c

@@ -181,7 +181,7 @@ static inline bool object_needs_parent(tpm2_loaded_object *obj) {
     return (h == TPM2_HR_TRANSIENT) || (h == TPM2_HR_PERSISTENT);
 }
 
-static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
+static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
 
     /*
      * 1. Object and auth initializations
@@ -206,7 +206,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
 
     /* Object #1 */
     rc = tpm2_util_object_load_auth(ectx, ctx.object.ctx,
-        ctx.object.auth_current, &ctx.object.obj, false, TPM2_HANDLE_ALL_W_NV);
+        ctx.object.auth_current, &ctx.object.obj, flags.restricted_pwd_session, TPM2_HANDLE_ALL_W_NV);
     if (rc != tool_rc_success) {
         return rc;
     }
@@ -377,7 +377,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
     /*
      * 2. Process inputs
      */
-    rc = process_inputs(ectx);
+    rc = process_inputs(ectx, flags);
     if (rc != tool_rc_success) {
         return rc;
     }

tools/tpm2_clear.c

@@ -70,7 +70,7 @@ static tool_rc process_output(ESYS_CONTEXT *ectx) {
 }
 
 
-static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
+static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
 
     /*
      * 1. Object and auth initializations
@@ -86,7 +86,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
 
     /* Object #1 */
     tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.auth_hierarchy.ctx_path,
-            ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, false,
+            ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, flags.restricted_pwd_session,
             TPM2_HANDLE_FLAGS_L | TPM2_HANDLE_FLAGS_P);
     if (rc != tool_rc_success) {
         LOG_ERR("Invalid lockout authorization");
@@ -199,7 +199,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
     /*
      * 2. Process inputs
      */
-    rc = process_inputs(ectx);
+    rc = process_inputs(ectx, flags);
     if (rc != tool_rc_success) {
         return rc;
     }