tpm2_create: switch to use tpm2_password_util_from_optarg

Drop the -X argument and use tpm2_password_util_from_optarg. Update the manpage to include new string password formating options. Signed-off-by: William Roberts <william.c.roberts@intel.com>
tpm2-software · Aug 17, 2017 · 8ec1eb8 · 8ec1eb8
1 parent a6e3a5e
commit 8ec1eb8
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 44 deletions.
diff --git a/Makefile.am b/Makefile.am
@@ -261,7 +261,12 @@ man8_MANS = \
     man/man8/tpm2_createpolicy.8 \
     man/man8/tpm2_pcrextend.8
 
-man/man8/%.8 : man/%.8.in man/common-options.troff man/tcti-options.troff man/tcti-environment.troff man/alg-common.troff man/hash-alg-common.troff man/object-alg-common.troff man/sign-alg-common.troff
+MAN_DEPS := man/common-options.troff man/tcti-options.troff \
+           man/tcti-environment.troff man/alg-common.troff \
+           man/hash-alg-common.troff man/object-alg-common.troff \
+           man/sign-alg-common.troff man/password-fmt-common.troff
+
+man/man8/%.8 : man/%.8.in $(MAN_DEPS)
 	rm -f $@
 	mkdir -p man/man8
 if HAVE_TCTI_DEV
@@ -284,6 +289,8 @@ endif
 	    -e '/@OBJECT_ALG_COMMON_INCLUDE@/d' \
 	    -e '/@SIGN_ALG_COMMON_INCLUDE@/r man/sign-alg-common.troff' \
 	    -e '/@SIGN_ALG_COMMON_INCLUDE@/d' \
+	    -e '/@PASSWORD_FORMAT_COMMON_INCLUDE@/r man/password-fmt-common.troff' \
+	    -e '/@PASSWORD_FORMAT_COMMON_INCLUDE@/d' \
 	    < $< >> $@
 
 CLEANFILES = $(man8_MANS)
diff --git a/man/password-fmt-common.troff b/man/password-fmt-common.troff
@@ -0,0 +1,11 @@
+
+Passwords are interpreted in two forms, string and hex-string. A string password is not
+interpreted, and is directly used for authorization. A hex-string, is converted from
+a hexidecimal form into a byte array form, thus allowing passwords with non-printable
+and/or terminal un-friendly characters.
+
+By default passwords are assumed to be in the string form. Password form is specified
+with special prefix values, they are:
+  str: - Used to indicate it is a raw string. Useful for escaping a password that starts
+         with the "hex:" prefix.
+  hex: - Used when specifying a password in hex string format.
diff --git a/man/tpm2_create.8.in b/man/tpm2_create.8.in
@@ -48,10 +48,11 @@ parent handle
 filename for parent context
 .TP
 \fB\-P ,\-\-pwdp\fR
-password for parent key, optional
+password for parent key, optional.
+@PASSWORD_FORMAT_COMMON_INCLUDE@
 .TP
 \fB\-K ,\-\-pwdk\fR
-password for key, optional
+password for key, optional. Follows the password formatting of the "password for parent key" option: -P.
 .TP
 \fB\-g ,\-\-halg\fR
 The hash algorithm to use.
@@ -81,9 +82,6 @@ the output file which contains the public key,  optional
 \fB\-O ,\-\-opr\fR
 the output file which contains the private key,  optional 
 .TP
-\fB\-X ,\-\-passwdInHex\fR
-passwords given by any options are hex format.
-.TP
 \fB\-S ,\-\-input-session-handle\fR
 Optional Input session handle from a policy session for authorization.
 @COMMON_OPTIONS_INCLUDE@

diff --git a/tools/tpm2_create.c b/tools/tpm2_create.c
@@ -41,7 +41,7 @@
 
 #include <sapi/tpm20.h>
 
-#include "../lib/tpm2_password_util.h"
+#include "tpm2_password_util.h"
 #include "tpm2_util.h"
 #include "files.h"
 #include "main.h"
@@ -57,8 +57,6 @@ TPMS_AUTH_COMMAND sessionData = {
     .sessionAttributes = SESSION_ATTRIBUTES_INIT(0),
 };
 
-bool hexPasswd = false;
-
 int setAlg(TPMI_ALG_PUBLIC type,TPMI_ALG_HASH nameAlg,TPM2B_PUBLIC *inPublic, int I_flag, bool is_policy_enforced)
 {
     switch(nameAlg)
@@ -168,29 +166,7 @@ int create(TPMI_DH_OBJECT parentHandle, TPM2B_PUBLIC *inPublic, TPM2B_SENSITIVE_
 
     sessionsData.cmdAuthsCount = 1;
     sessionsData.cmdAuths[0] = &sessionData;
-    if (sessionData.hmac.t.size > 0 && hexPasswd)
-    {
-        sessionData.hmac.t.size = sizeof(sessionData.hmac) - 2;
-        if (tpm2_util_hex_to_byte_structure((char *)sessionData.hmac.t.buffer,
-                              &sessionData.hmac.t.size,
-                              sessionData.hmac.t.buffer) != 0)
-        {
-            printf( "Failed to convert Hex format password for parent Passwd.\n");
-            return -1;
-        }
-    }
 
-    if (inSensitive->t.sensitive.userAuth.t.size > 0 && hexPasswd)
-    {
-        inSensitive->t.sensitive.userAuth.t.size = sizeof(inSensitive->t.sensitive.userAuth) - 2;
-        if (tpm2_util_hex_to_byte_structure((char *)inSensitive->t.sensitive.userAuth.t.buffer,
-                              &inSensitive->t.sensitive.userAuth.t.size,
-                              inSensitive->t.sensitive.userAuth.t.buffer) != 0)
-        {
-            printf( "Failed to convert Hex format password for object Passwd.\n");
-            return -1;
-        }
-    }
     inSensitive->t.size = inSensitive->t.sensitive.userAuth.b.size + 2;
 
     if(setAlg(type, nameAlg, inPublic, I_flag, is_policy_enforced))
@@ -256,7 +232,7 @@ execute_tool (int              argc,
     setvbuf (stdout, NULL, _IONBF, BUFSIZ);
 
     int opt = -1;
-    const char *optstring = "H:P:K:g:G:A:I:L:o:O:c:S:XE";
+    const char *optstring = "H:P:K:g:G:A:I:L:o:O:c:S:E";
     static struct option long_options[] = {
       {"parent",1,NULL,'H'},
       {"pwdp",1,NULL,'P'},
@@ -270,7 +246,6 @@ execute_tool (int              argc,
       {"opu",1,NULL,'o'},
       {"opr",1,NULL,'O'},
       {"contextParent",1,NULL,'c'},
-      {"passwdInHex",0,NULL,'X'},
       {"input-session-handle",1,NULL,'S'},
       {0,0,0,0}
     };
@@ -304,20 +279,22 @@ execute_tool (int              argc,
             H_flag = 1;
             break;
 
-        case 'P':
-            if(!tpm2_password_util_copy_password(optarg, "Parent key password", &sessionData.hmac))
-            {
+        case 'P': {
+            bool res = tpm2_password_util_from_optarg(optarg, &sessionData.hmac);
+            if (!res) {
+                LOG_ERR("Invalid parent key password, got\"%s\"", optarg);
                 return 1;
             }
             P_flag = 1;
-            break;
-        case 'K':
-            if(!tpm2_password_util_copy_password(optarg, "Key password", &inSensitive.t.sensitive.userAuth))
-            {
+        } break;
+        case 'K': {
+            bool res = tpm2_password_util_from_optarg(optarg, &inSensitive.t.sensitive.userAuth);
+            if (!res) {
+                LOG_ERR("Invalid key password, got\"%s\"", optarg);
                 return 1;
             }
             K_flag = 1;
-            break;
+        } break;
         case 'g':
             nameAlg = tpm2_alg_util_from_optarg(optarg);
             if(nameAlg == TPM_ALG_ERROR)
@@ -403,9 +380,6 @@ execute_tool (int              argc,
             printf("contextParentFile = %s\n", contextParentFilePath);
             c_flag = 1;
             break;
-        case 'X':
-            hexPasswd = true;
-            break;
         case ':':
             LOG_ERR("Argument %c needs a value!\n", optopt);
             return 1;