diff --git a/Makefile.am b/Makefile.am
index 5b5e5dc423..b0c570199f 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -261,7 +261,12 @@ man8_MANS = \
 man/man8/tpm2_createpolicy.8 \
 man/man8/tpm2_pcrextend.8
-man/man8/%.8 : man/%.8.in man/common-options.troff man/tcti-options.troff man/tcti-environment.troff man/alg-common.troff man/hash-alg-common.troff man/object-alg-common.troff man/sign-alg-common.troff
+MAN_DEPS := man/common-options.troff man/tcti-options.troff \
+ man/tcti-environment.troff man/alg-common.troff \
+ man/hash-alg-common.troff man/object-alg-common.troff \
+ man/sign-alg-common.troff man/password-fmt-common.troff
+
+man/man8/%.8 : man/%.8.in $(MAN_DEPS)
 rm -f $@
 mkdir -p man/man8
 if HAVE_TCTI_DEV
@@ -284,6 +289,8 @@ endif
 -e '/@OBJECT_ALG_COMMON_INCLUDE@/d' \
 -e '/@SIGN_ALG_COMMON_INCLUDE@/r man/sign-alg-common.troff' \
 -e '/@SIGN_ALG_COMMON_INCLUDE@/d' \
+ -e '/@PASSWORD_FORMAT_COMMON_INCLUDE@/r man/password-fmt-common.troff' \
+ -e '/@PASSWORD_FORMAT_COMMON_INCLUDE@/d' \
 < $< >> $@
 CLEANFILES = $(man8_MANS)
diff --git a/man/password-fmt-common.troff b/man/password-fmt-common.troff
new file mode 100644
index 0000000000..92c91ecb46
--- /dev/null
+++ b/man/password-fmt-common.troff
@@ -0,0 +1,11 @@
+
+Passwords are interpreted in two forms, string and hex-string. A string password is not
+interpreted, and is directly used for authorization. A hex-string, is converted from
+a hexidecimal form into a byte array form, thus allowing passwords with non-printable
+and/or terminal un-friendly characters.
+
+By default passwords are assumed to be in the string form. Password form is specified
+with special prefix values, they are:
+ str: - Used to indicate it is a raw string. Useful for escaping a password that starts
+ with the "hex:" prefix.
+ hex: - Used when specifying a password in hex string format.
diff --git a/man/tpm2_create.8.in b/man/tpm2_create.8.in
index 9634f7ed3a..345ccfe204 100644
--- a/man/tpm2_create.8.in
+++ b/man/tpm2_create.8.in
@@ -48,10 +48,11 @@ parent handle
 filename for parent context
 .TP
 \fB\-P ,\-\-pwdp\fR
-password for parent key, optional
+password for parent key, optional.
+@PASSWORD_FORMAT_COMMON_INCLUDE@
 .TP
 \fB\-K ,\-\-pwdk\fR
-password for key, optional
+password for key, optional. Follows the password formatting of the "password for parent key" option: -P.
 .TP
 \fB\-g ,\-\-halg\fR
 The hash algorithm to use.
@@ -81,9 +82,6 @@ the output file which contains the public key, optional
 \fB\-O ,\-\-opr\fR
 the output file which contains the private key, optional
 .TP
-\fB\-X ,\-\-passwdInHex\fR
-passwords given by any options are hex format.
-.TP
 \fB\-S ,\-\-input-session-handle\fR
 Optional Input session handle from a policy session for authorization.
 @COMMON_OPTIONS_INCLUDE@
diff --git a/tools/tpm2_create.c b/tools/tpm2_create.c
index dd268ed11b..8398529428 100644
--- a/tools/tpm2_create.c
+++ b/tools/tpm2_create.c
@@ -41,7 +41,7 @@
 #include
-#include "../lib/tpm2_password_util.h"
+#include "tpm2_password_util.h"
 #include "tpm2_util.h"
 #include "files.h"
 #include "main.h"
@@ -57,8 +57,6 @@ TPMS_AUTH_COMMAND sessionData = {
 .sessionAttributes = SESSION_ATTRIBUTES_INIT(0),
 };
-bool hexPasswd = false;
-
 int setAlg(TPMI_ALG_PUBLIC type,TPMI_ALG_HASH nameAlg,TPM2B_PUBLIC *inPublic, int I_flag, bool is_policy_enforced)
 {
 switch(nameAlg)
@@ -168,29 +166,7 @@ int create(TPMI_DH_OBJECT parentHandle, TPM2B_PUBLIC *inPublic, TPM2B_SENSITIVE_
 sessionsData.cmdAuthsCount = 1;
 sessionsData.cmdAuths[0] = &sessionData;
- if (sessionData.hmac.t.size > 0 && hexPasswd)
- {
- sessionData.hmac.t.size = sizeof(sessionData.hmac) - 2;
- if (tpm2_util_hex_to_byte_structure((char *)sessionData.hmac.t.buffer,
- &sessionData.hmac.t.size,
- sessionData.hmac.t.buffer) != 0)
- {
- printf( "Failed to convert Hex format password for parent Passwd.\n");
- return -1;
- }
- }
- if (inSensitive->t.sensitive.userAuth.t.size > 0 && hexPasswd)
- {
- inSensitive->t.sensitive.userAuth.t.size = sizeof(inSensitive->t.sensitive.userAuth) - 2;
- if (tpm2_util_hex_to_byte_structure((char *)inSensitive->t.sensitive.userAuth.t.buffer,
- &inSensitive->t.sensitive.userAuth.t.size,
- inSensitive->t.sensitive.userAuth.t.buffer) != 0)
- {
- printf( "Failed to convert Hex format password for object Passwd.\n");
- return -1;
- }
- }
 inSensitive->t.size = inSensitive->t.sensitive.userAuth.b.size + 2;
 if(setAlg(type, nameAlg, inPublic, I_flag, is_policy_enforced))
@@ -256,7 +232,7 @@ execute_tool (int argc,
 setvbuf (stdout, NULL, _IONBF, BUFSIZ);
 int opt = -1;
- const char *optstring = "H:P:K:g:G:A:I:L:o:O:c:S:XE";
+ const char *optstring = "H:P:K:g:G:A:I:L:o:O:c:S:E";
 static struct option long_options[] = {
 {"parent",1,NULL,'H'},
 {"pwdp",1,NULL,'P'},
@@ -270,7 +246,6 @@ execute_tool (int argc,
 {"opu",1,NULL,'o'},
 {"opr",1,NULL,'O'},
 {"contextParent",1,NULL,'c'},
- {"passwdInHex",0,NULL,'X'},
 {"input-session-handle",1,NULL,'S'},
 {0,0,0,0}
 };
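Review bot: Dropping `X` from `optstring` and `{"passwdInHex",0,NULL,'X'}` from `long_options` makes an existing `-X`/`--passwdInHex` invocation fail inside getopt, which is the safe outcome, but the prefix scheme that replaces it also changes the meaning of passwords that were never passed with `-X`: per the new password-fmt-common.troff text a value beginning with `hex:` is decoded rather than used verbatim, so a pre-existing literal password of that shape is presumably either rejected as malformed hex or authorizes with different bytes, with no diagnostic pointing at the cause. Consider keeping `X` in optstring for a deprecation period and failing with an explanatory message, `case 'X': LOG_ERR("-X/--passwdInHex was removed; use the hex: prefix (see the man page)"); return 1;`, and noting the `hex:`-prefix reinterpretation in the tool's man page. The option-parsing loop of execute_tool starts before and ends after this hunk.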
@@ -304,20 +279,22 @@ execute_tool (int argc,
 H_flag = 1;
 break;
- case 'P':
- if(!tpm2_password_util_copy_password(optarg, "Parent key password", &sessionData.hmac))
- {
+ case 'P': {
+ bool res = tpm2_password_util_from_optarg(optarg, &sessionData.hmac);
+ if (!res) {
+ LOG_ERR("Invalid parent key password, got\"%s\"", optarg);
 return 1;
 }
 P_flag = 1;
- break;
- case 'K':
- if(!tpm2_password_util_copy_password(optarg, "Key password", &inSensitive.t.sensitive.userAuth))
- {
+ } break;
+ case 'K': {
+ bool res = tpm2_password_util_from_optarg(optarg, &inSensitive.t.sensitive.userAuth);
+ if (!res) {
+ LOG_ERR("Invalid key password, got\"%s\"", optarg);
 return 1;
 }
 K_flag = 1;
- break;
+ } break;
 case 'g':
 nameAlg = tpm2_alg_util_from_optarg(optarg);
 if(nameAlg == TPM_ALG_ERROR)
@@ -403,9 +380,6 @@ execute_tool (int argc,
 printf("contextParentFile = %s\n", contextParentFilePath);
 c_flag = 1;
 break;
- case 'X':
- hexPasswd = true;
- break;
 case ':':
 LOG_ERR("Argument %c needs a value!\n", optopt);
 return 1;
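Review bot: The two new failure paths log the rejected authorization value itself: `LOG_ERR("Invalid parent key password, got\"%s\"", optarg);` and the matching `Invalid key password` line write `optarg`, which is the parent or object password (or its hex form), to stderr and therefore into any captured log, and a rejection here is most likely a typo in an otherwise real secret. Drop the value from both messages, `LOG_ERR("Invalid parent key password");` / `LOG_ERR("Invalid key password");` (as written the format also lacks a space before the opening quote), and if the operator needs a hint, name the accepted forms (`str:`/`hex:` prefix) rather than echo the input. The `switch` in execute_tool starts before and ends after this hunk.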