ESAPI: Have Esys_TR_SetAuth() handle large passwords #1008

Closed
AndreasFuchsTPM opened this issue May 4, 2018 · 4 comments

@AndreasFuchsTPM
Member

Currently, Esys_TR_SetAuth() is restricted to authValues shorter than or equal to the nameAlg digest size.
The TPM 2.0 library spec part 1 recommends hashing authValues with the nameAlg if they exceed the nameAlg digest size, but to keep them in the plain if they are shorter.

The ESAPI should adopt this behavior. We shall implement this here and also propose it to TCG.

@AndreasFuchsTPM
Member Author

This of course also has to touch Esys_Create, Esys_CreatePrimary, Esys_CreateLoaded, Esys_NV_DefineSpace
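
The rule described in the two comments above, as an added Python sketch (not tpm2-tss code and not part of the issue): an authValue longer than the nameAlg digest size is replaced by its nameAlg hash, and the same reduction has to happen on the create path and on the later use path. `effective_auth`, `ToyObject` and the sample passwords are hypothetical names and constructed values; the comparison in `authorize` is a simplification of what a TPM does with the value.

```python
import hashlib
import hmac


def effective_auth(auth: bytes, name_alg: str) -> bytes:
    """Reduce a caller-supplied authValue as the issue proposes: keep it
    as-is up to the nameAlg digest size, hash it with nameAlg beyond that."""
    digest_size = hashlib.new(name_alg).digest_size
    if len(auth) <= digest_size:
        return auth  # shorter than or equal to the digest size: stays plain
    return hashlib.new(name_alg, auth).digest()


class ToyObject:
    """Stand-in for a TPM object: keeps its nameAlg and creation-time auth."""

    def __init__(self, name_alg: str, auth: bytes, reduce_on_create: bool = True):
        self.name_alg = name_alg
        # Models the create path (Esys_Create and the other calls named above).
        self.auth = effective_auth(auth, name_alg) if reduce_on_create else auth

    def authorize(self, presented: bytes) -> bool:
        # Models the later use path (value passed to Esys_TR_SetAuth):
        # reduce with the object's nameAlg, then compare in constant time.
        reduced = effective_auth(presented, self.name_alg)
        return hmac.compare_digest(self.auth, reduced)


def demo() -> dict:
    long_pw = b"correct horse battery staple " * 3  # constructed, 87 bytes
    short_pw = b"hunter2"                           # constructed, 7 bytes
    consistent = ToyObject("sha256", long_pw)
    # A create path that skipped the reduction no longer matches the use path.
    skipped = ToyObject("sha256", long_pw, reduce_on_create=False)
    return {
        "short_unchanged": effective_auth(short_pw, "sha256") == short_pw,
        "boundary_plain": effective_auth(b"A" * 32, "sha256") == b"A" * 32,
        "long_len_sha256": len(effective_auth(long_pw, "sha256")),
        "long_len_sha384": len(effective_auth(long_pw, "sha384")),
        "both_paths_reduce": consistent.authorize(long_pw),
        "create_path_skipped": skipped.authorize(long_pw),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The reduced value depends on the object's nameAlg, so the same long password yields a different authValue for a SHA-256 object than for a SHA-384 object.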

@tstruk
Contributor

tstruk commented Jul 5, 2018

@AndreasFuchsSIT I don't get that. Since the TPM 2.0 spec recommends this, why do we need to propose it to TCG?

@AndreasFuchsTPM
Member Author

@tstruk TPM2 spec recommends it. TSS spec does not contain it. We need to propose it as mandatory behaviour for the TSS spec.

AndreasFuchsTPM added this to the Version 3.1 milestone Jul 15, 2020
JuergenReppSIT added a commit to JuergenReppSIT/tpm2-tss that referenced this issue Nov 27, 2020
…-software#1008).

* The size of the auth value for keys and NV objects is restricted to the size
  of the name hash algorithm of these objects.  Esapi will use the
  hash of the user auth values as auth value for these objects.
  The maximal size will be sizeof(TPMU_HA).
* Test cases for keys and NV objects with large auth values were added.

Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
williamcroberts pushed a commit to williamcroberts/tpm2-tss that referenced this issue Feb 1, 2021
JuergenReppSIT added a commit to JuergenReppSIT/tpm2-tss that referenced this issue Feb 2, 2021
@williamcroberts
Member

So does PR #1929 address all of this? What about hierarchy authorizations? Do sequence objects come through that API?

williamcroberts pushed a commit that referenced this issue Feb 2, 2021
* The size of the auth value for keys and NV objects is restricted to the size
  of the name hash algorithm of these objects.  Esapi will use the
  hash of the user auth values as auth value for these objects.
  The maximal size will be sizeof(TPMU_HA).
* Test cases for keys and NV objects with large auth values were added.

Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
Signed-off-by: William Roberts <william.c.roberts@intel.com>