Options: Add option to allow usage of password session.

lib/tpm2_auth_util.c

@@ -467,7 +467,13 @@ tool_rc tpm2_auth_util_from_optarg(ESYS_CONTEXT *ectx, const char *password,
     }
 
     /* must be a password */
-    return handle_password_session(ectx, password, session);
+    if (is_restricted) {
+        /* ESYS_TR_PASSWORD will be used as handle. */
+        return handle_password_session(NULL, password, session);
+    } else {
+        /* A hmac session will be created. */
+        return handle_password_session(ectx, password, session);
+    }
 }
 
 tool_rc tpm2_auth_util_get_shandle(ESYS_CONTEXT *ectx, ESYS_TR object,

lib/tpm2_options.c

@@ -288,11 +288,12 @@ tpm2_option_code tpm2_handle_options(int argc, char **argv,
         { "quiet",         no_argument,       NULL, 'Q' },
         { "version",       no_argument,       NULL, 'v' },
         { "enable-errata", no_argument,       NULL, 'Z' },
+        { "pwd-session",   no_argument,       NULL, 'z' },
     };
 
 
     /* handle any options */
-    const char* common_short_opts = "T:h::vVQZ";
+    const char* common_short_opts = "T:h::vVQZz";
     tpm2_options *opts = tpm2_options_new(common_short_opts,
             ARRAY_LEN(long_options), long_options, NULL, NULL, 0);
     if (!opts) {
@@ -373,6 +374,9 @@ tpm2_option_code tpm2_handle_options(int argc, char **argv,
         case 'V':
             flags->verbose = 1;
             break;
+        case 'z':
+            flags->restricted_pwd_session = 1;
+            break;
         case 'Q':
             flags->quiet = 1;
             break;

lib/tpm2_options.h

@@ -22,6 +22,8 @@ union tpm2_option_flags {
         uint8_t quiet :1;
         uint8_t enable_errata :1;
         uint8_t tcti_none :1;
+        uint8_t restricted_pwd_session :1;
+
     };
     uint8_t all;
 };

man/common/options.md

@@ -22,11 +22,16 @@ information that many users may expect.
 
   * **-Q**, **\--quiet**:
     Silence normal tool output to stdout.
-
+x
   * **-Z**, **\--enable-errata**:
     Enable the application of errata fixups. Useful if an errata fixup needs to be
     applied to commands sent to the TPM. Defining the environment
     TPM2TOOLS\_ENABLE\_ERRATA is equivalent.
+  * **-z**, **\--pwd-session**:
+    Use password session instead of a HMAC session for authentication. A clear text password
+    is passed to the TPM to authorize the action. This option can be used to avoid problems
+    when unsalted sessions are used in OpenSSL FIPS mode. If auth values are used
+    a salted session should be used for authentication.
   * **-R**, **\--autoflush**:
     Enable autoflush for transient objects created by the command. If a parent
     object is loaded from a context file also the transient parent object will

tools/misc/tpm2_encodeobject.c

@@ -113,7 +113,7 @@ static tool_rc check_opts(void) {
     return rc;
 }
 
-static tool_rc init(ESYS_CONTEXT *ectx) {
+static tool_rc init(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
     bool res = files_load_public(ctx.object.pubpath, &ctx.object.public);
     if (!res) {
         return tool_rc_general_error;
@@ -125,7 +125,7 @@ static tool_rc init(ESYS_CONTEXT *ectx) {
     }
 
     return tpm2_util_object_load_auth(ectx, ctx.parent.ctx_path,
-            ctx.parent.auth_str, &ctx.parent.object, false,
+            ctx.parent.auth_str, &ctx.parent.object, flags.restricted_pwd_session,
             TPM2_HANDLE_ALL_W_NV);
 }
 
@@ -212,14 +212,13 @@ static int encode(ESYS_CONTEXT *ectx) {
 }
 
 static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
-    UNUSED(flags);
 
     tool_rc rc = check_opts();
     if (rc != tool_rc_success) {
         return rc;
     }
 
-    rc = init(ectx);
+    rc = init(ectx, flags);
     if (rc != tool_rc_success) {
         return rc;
     }

tools/tpm2_activatecredential.c

@@ -173,7 +173,7 @@ static bool read_cert_secret(void) {
     return result;
 }
 
-static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
+static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
 
     /*
      * 1. Object and auth initializations
@@ -189,14 +189,14 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
 
     /* Object #1 */
     tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.credential_key.ctx_path,
-        ctx.credential_key.auth_str, &ctx.credential_key.object, false,
+        ctx.credential_key.auth_str, &ctx.credential_key.object, flags.restricted_pwd_session,
         TPM2_HANDLE_ALL_W_NV);
     if (rc != tool_rc_success) {
         return rc;
     }
     /* Object #2 */
     rc = tpm2_util_object_load_auth(ectx, ctx.credentialed_key.ctx_path,
-        ctx.credentialed_key.auth_str, &ctx.credentialed_key.object, false,
+        ctx.credentialed_key.auth_str, &ctx.credentialed_key.object, flags.restricted_pwd_session,
         TPM2_HANDLE_ALL_W_NV);
     if (rc != tool_rc_success) {
         return rc;
@@ -341,7 +341,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
     /*
      * 2. Process inputs
      */
-    rc = process_inputs(ectx);
+    rc = process_inputs(ectx, flags);
     if (rc != tool_rc_success) {
         return rc;
     }

tools/tpm2_certify.c

@@ -137,7 +137,7 @@ static tool_rc process_output(ESYS_CONTEXT *ectx) {
     return is_file_op_success ? tool_rc_success : tool_rc_general_error;
 }
 
-static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
+static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
 
     /*
      * 1. Object and auth initializations
@@ -152,15 +152,15 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
      */
     /* Object #1 */
     tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.certified_key.ctx_path,
-        ctx.certified_key.auth_str, &ctx.certified_key.object, false,
+        ctx.certified_key.auth_str, &ctx.certified_key.object, flags.restricted_pwd_session,
         TPM2_HANDLE_ALL_W_NV);
     if (rc != tool_rc_success) {
         return rc;
     }
 
     /* Object #2 */
     rc = tpm2_util_object_load_auth(ectx, ctx.signing_key.ctx_path,
-        ctx.signing_key.auth_str, &ctx.signing_key.object, false,
+        ctx.signing_key.auth_str, &ctx.signing_key.object, flags.restricted_pwd_session,
         TPM2_HANDLE_ALL_W_NV);
     if (rc != tool_rc_success) {
         return rc;
@@ -333,7 +333,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
     /*
      * 2. Process inputs
      */
-    rc = process_inputs(ectx);
+    rc = process_inputs(ectx, flags);
     if (rc != tool_rc_success) {
         return rc;
     }

tools/tpm2_certifycreation.c

@@ -135,7 +135,7 @@ static tool_rc process_output(void) {
     return is_file_op_success ? tool_rc_success : tool_rc_general_error;
 }
 
-static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
+static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
 
     /*
      * 1. Object and auth initializations
@@ -149,7 +149,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
      * 1.b Add object names and their auth sessions
      */
     tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.signing_key.ctx_path,
-        ctx.signing_key.auth_str, &ctx.signing_key.object, false,
+        ctx.signing_key.auth_str, &ctx.signing_key.object, flags.restricted_pwd_session,
         TPM2_HANDLES_FLAGS_TRANSIENT|TPM2_HANDLES_FLAGS_PERSISTENT);
     if (rc != tool_rc_success) {
         LOG_ERR("Invalid signing key/ authorization.");
@@ -413,7 +413,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
    /*
      * 2. Process inputs
      */
-    tool_rc rc = process_inputs(ectx);
+    tool_rc rc = process_inputs(ectx, flags);
     if (rc != tool_rc_success) {
         return rc;
     }

tools/tpm2_changeauth.c

@@ -181,7 +181,7 @@ static inline bool object_needs_parent(tpm2_loaded_object *obj) {
     return (h == TPM2_HR_TRANSIENT) || (h == TPM2_HR_PERSISTENT);
 }
 
-static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
+static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
 
     /*
      * 1. Object and auth initializations
@@ -206,7 +206,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
 
     /* Object #1 */
     rc = tpm2_util_object_load_auth(ectx, ctx.object.ctx,
-        ctx.object.auth_current, &ctx.object.obj, false, TPM2_HANDLE_ALL_W_NV);
+        ctx.object.auth_current, &ctx.object.obj, flags.restricted_pwd_session, TPM2_HANDLE_ALL_W_NV);
     if (rc != tool_rc_success) {
         return rc;
     }
@@ -377,7 +377,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
     /*
      * 2. Process inputs
      */
-    rc = process_inputs(ectx);
+    rc = process_inputs(ectx, flags);
     if (rc != tool_rc_success) {
         return rc;
     }

tools/tpm2_clear.c

@@ -70,7 +70,7 @@ static tool_rc process_output(ESYS_CONTEXT *ectx) {
 }
 
 
-static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
+static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
 
     /*
      * 1. Object and auth initializations
@@ -86,7 +86,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
 
     /* Object #1 */
     tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.auth_hierarchy.ctx_path,
-            ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, false,
+            ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, flags.restricted_pwd_session,
             TPM2_HANDLE_FLAGS_L | TPM2_HANDLE_FLAGS_P);
     if (rc != tool_rc_success) {
         LOG_ERR("Invalid lockout authorization");
@@ -199,7 +199,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
     /*
      * 2. Process inputs
      */
-    rc = process_inputs(ectx);
+    rc = process_inputs(ectx, flags);
     if (rc != tool_rc_success) {
         return rc;
     }

tools/tpm2_clearcontrol.c

@@ -78,7 +78,7 @@ static tool_rc process_output(ESYS_CONTEXT *ectx) {
     return rc;
 }
 
-static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
+static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
 
     /*
      * 1. Object and auth initializations
@@ -94,7 +94,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
 
     /* Object #1 */
     tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.auth_hierarchy.ctx_path,
-            ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, false,
+            ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, flags.restricted_pwd_session,
             TPM2_HANDLE_FLAGS_L | TPM2_HANDLE_FLAGS_P);
     if (rc != tool_rc_success) {
         LOG_ERR("Invalid lockout authorization");
@@ -233,7 +233,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
     /*
      * 2. Process inputs
      */
-    rc = process_inputs(ectx);
+    rc = process_inputs(ectx, flags);
     if (rc != tool_rc_success) {
         return rc;
     }

tools/tpm2_clockrateadjust.c

@@ -77,7 +77,7 @@ static tool_rc process_output(ESYS_CONTEXT *ectx) {
 }
 
 
-static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
+static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
 
     /*
      * 1. Object and auth initializations
@@ -93,7 +93,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
 
     /* Object #1 */
     tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.auth_hierarchy.ctx_path,
-            ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, false,
+            ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, flags.restricted_pwd_session,
             TPM2_HANDLE_FLAGS_O | TPM2_HANDLE_FLAGS_P);
     if (rc != tool_rc_success) {
         LOG_ERR("Invalid lockout authorization");
@@ -225,7 +225,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
     /*
      * 2. Process inputs
      */
-    rc = process_inputs(ectx);
+    rc = process_inputs(ectx, flags);
     if (rc != tool_rc_success) {
         return rc;
     }

tools/tpm2_commit.c

@@ -110,7 +110,7 @@ static tool_rc process_outputs(ESYS_CONTEXT *ectx) {
     return tool_rc_success;
 }
 
-static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
+static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
 
     UNUSED(ectx);
     /*
@@ -125,7 +125,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
      * 1.b Add object names and their auth sessions
      */
     tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.signing_key.ctx_path,
-            ctx.signing_key.auth_str, &ctx.signing_key.object, false,
+            ctx.signing_key.auth_str, &ctx.signing_key.object, flags.restricted_pwd_session,
             TPM2_HANDLES_FLAGS_TRANSIENT|TPM2_HANDLES_FLAGS_PERSISTENT);
     if (rc != tool_rc_success) {
         return rc;
@@ -272,7 +272,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
     /*
      * 2. Process inputs
      */
-    rc = process_inputs(ectx);
+    rc = process_inputs(ectx, flags);
     if (rc != tool_rc_success) {
         return rc;
     }

tools/tpm2_create.c

@@ -344,7 +344,7 @@ static tool_rc process_output(ESYS_CONTEXT *ectx) {
     return rc;
 }
 
-static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
+static tool_rc process_inputs(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
 
     /*
      * 1. Object and auth initializations
@@ -368,7 +368,7 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) {
      * 1.b Add object names and their auth sessions
      */
     rc = tpm2_util_object_load_auth(ectx, ctx.parent.ctx_path,
-        ctx.parent.auth_str, &ctx.parent.object, false, TPM2_HANDLE_ALL_W_NV);
+        ctx.parent.auth_str, &ctx.parent.object, flags.restricted_pwd_session, TPM2_HANDLE_ALL_W_NV);
     if (rc != tool_rc_success) {
         return rc;
     }
@@ -626,7 +626,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
     /*
      * 2. Process inputs
      */
-    rc = process_inputs(ectx);
+    rc = process_inputs(ectx, flags);
     if (rc != tool_rc_success) {
         return rc;
     }