The Null seed fails as a parent for any session based operation #1993
JuergenReppSIT added a commit to JuergenReppSIT/tpm2-tss that referenced this issue on Feb 26, 2021
If ESYS_TR_RH_NULL was used as bind parameter for Esys_StartAuthSession the wrong HMAC was computed, because the session was not treated as unbound session. It will be checked whether no tpm key is passed and ESYS_TR_RH_NULL is used as bind parameter to skip KDF computation of the session key.
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
JuergenReppSIT added a commit to JuergenReppSIT/tpm2-tss that referenced this issue on Mar 1, 2021
JuergenReppSIT added a commit to JuergenReppSIT/tpm2-tss that referenced this issue on Mar 1, 2021
AndreasFuchsTPM pushed a commit that referenced this issue on Mar 1, 2021
tstruk pushed a commit that referenced this issue on Mar 5, 2021
Trying to do any session based operation on something with the NULL seed as a parent results in authentication errors. This is a trace from trying to do TPM2_CreatePrimary with the NULL seed as a primaryHandle:
WARNING:esys:src/tss2-esys/api/Esys_CreatePrimary.c:393:Esys_CreatePrimary_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_CreatePrimary.c:135:Esys_CreatePrimary() Esys Finish ErrorCode (0x000009a2)
TSS_CreatePrimary failed with 2466
tpm:session(1):authorization failure without DA implications
The session that's failing was created as a bound session on the NULL permanent handle, so it's not like this has security implications, but it's something that should work.
If you do the same operation with TPM_RS_PW instead of a real authentication session, everything works, so I think something is wrong in the HMAC routines when the NULL seed is specified either for binding or as a parent.
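The HMAC mismatch behind this error, as an added Python example (not tpm2-tss code and not part of the original issue): it applies the session-key and command-HMAC formulas from the TPM 2.0 Library specification, Part 1, with SHA-256. The nonces, cpHash and attribute byte are constructed values, and the pre-fix client behaviour (running KDFa with an empty auth value for the NULL bind) is an assumption drawn from the commit message.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not from a real TPM exchange).
NONCE_TPM = bytes(range(32))
NONCE_CALLER = bytes(range(32, 64))
CP_HASH = hashlib.sha256(b"constructed TPM2_CreatePrimary parameters").digest()
ATTRS = 0x01          # continueSession
NULL_AUTH = b""       # the NULL hierarchy has an empty authValue


def kdfa(key, label, context_u, context_v, bits):
    """KDFa (TPM 2.0 Part 1): SP 800-108 counter mode with HMAC-SHA256."""
    out, counter = b"", 0
    while len(out) * 8 < bits:
        counter += 1
        msg = (struct.pack(">I", counter) + label + b"\x00"
               + context_u + context_v + struct.pack(">I", bits))
        out += hmac.new(key, msg, hashlib.sha256).digest()
    return out[: bits // 8]


def session_key(bind_auth, salt, unbound_unsalted):
    """Empty for an unbound, unsalted session; otherwise KDFa over auth||salt."""
    if unbound_unsalted:
        return b""
    return kdfa(bind_auth + salt, b"ATH", NONCE_TPM, NONCE_CALLER, 256)


def command_hmac(sess_key, auth_value):
    """HMAC(sessionKey || authValue, cpHash || nonceCaller || nonceTPM || attrs)."""
    msg = CP_HASH + NONCE_CALLER + NONCE_TPM + bytes([ATTRS])
    return hmac.new(sess_key + auth_value, msg, hashlib.sha256).digest()


def compare():
    # TPM side: bind = TPM_RH_NULL and tpmKey = TPM_RH_NULL means unbound, unsalted.
    tpm = command_hmac(session_key(NULL_AUTH, b"", True), NULL_AUTH)
    # Assumed pre-fix client: NULL bind handled as a bound entity, so KDFa runs.
    before = command_hmac(session_key(NULL_AUTH, b"", False), NULL_AUTH)
    # Post-fix client: no tpmKey and NULL bind, so the KDF is skipped.
    after = command_hmac(session_key(NULL_AUTH, b"", True), NULL_AUTH)
    return {"tpm": tpm, "before_fix": before, "after_fix": after}


if __name__ == "__main__":
    for name, mac in compare().items():
        print(f"{name:10s} {mac.hex()}")
```

With `TPM_RS_PW` no HMAC is computed at all, which is consistent with the observation that password authorization succeeds while the HMAC session does not.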