Options: Add option to allow usage of password session. #3426
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
JuergenReppSIT
force-pushed
the
allow_password_session
branch
from
9edd24a to
680599a
Compare
JuergenReppSIT
force-pushed
the
allow_password_session
branch
from
680599a to
5248d1e
Compare
For authentication of an object always an HMAC session was used. For an unsalted session an openssl HMAC key with the size of the auth value was created. This caused problems with the OpenSSL FIPS mode if the key length is less than 112 bits. To avoid this the option --pwd-session (-z) is added. Here the session handle ESYS_TR_PASSWORD will be used. For example, now the EK can be used to create a salted session: tpm2_createek --pwd-session -Q --key-algorithm rsa --ek-context ek.ctx tpm2_startauthsession -Q --session salted_session.ctx --hmac-session --tpmkey-context ek.ctx tpm2_sessionconfig -Q salted_session.ctx --enable-decrypt tpm2_createprimary -c prim.ctx -P session:salted_session.ctx Adresses: tpm2-software#3420 Signed-off-by: Juergen Repp <juergen_repp@web.de>
JuergenReppSIT
force-pushed
the
allow_password_session
branch
from
5248d1e to
d8a7a06
Compare
AndreasFuchsTPM
approved these changes
Dec 11, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
For authentication of an object always an HMAC session was used. For an unsalted session an openssl HMAC key with the size of the auth value was created. This caused problems with the OpenSSL FIPS mode if the key length is less than 112 bits. To avoid this the option --pwd-session (-z) is added. Here the session handle ESYS_TR_PASSWORD will be used. For example, now the EK can be used to create a salted session:
Adresses: #3420