Server: rpm5.org Name: Jeff Johnson Root: /v/rpm/cvs Email: j...@rpm5.org Module: libtpm Date: 29-Mar-2016 00:04:03 Branch: HEAD Handle: 2016032822040101 Modified files: libtpm CHANGELOG configure.ac libtpm/libtpm Makefile.am libtpm/libtpm/utils .cvsignore Makefile.am activateidentity.c chgtpmauth.c clearown.c counter_create.c counter_release.c createownerdelegation.c delegatemanage.c dirwrite.c disableownerclear.c disablepubek.c enableaudit.c getauditdigestsigned.c getpubek.c identity.c keycontrol.c killmaintenancefeature.c loadownerdelegation.c migrate.c nv_definespace.c nv_readvalue.c nv_writevalue.c ownerreadinternalpub.c ownersetdisable.c quote.c resetlockvalue.c setcapability.c takeown.c updateverification.c Log: - sanity. Summary: Revision Changes Path 1.2 +45 -2 libtpm/CHANGELOG 1.6 +3 -3 libtpm/configure.ac 1.4 +1 -1 libtpm/libtpm/Makefile.am 1.3 +1 -0 libtpm/libtpm/utils/.cvsignore 1.8 +3 -1 libtpm/libtpm/utils/Makefile.am 1.2 +233 -371 libtpm/libtpm/utils/activateidentity.c 1.15 +3 -1 libtpm/libtpm/utils/chgtpmauth.c 1.13 +2 -1 libtpm/libtpm/utils/clearown.c 1.16 +1 -0 libtpm/libtpm/utils/counter_create.c 1.18 +6 -3 libtpm/libtpm/utils/counter_release.c 1.21 +3 -1 libtpm/libtpm/utils/createownerdelegation.c 1.16 +2 -1 libtpm/libtpm/utils/delegatemanage.c 1.14 +1 -1 libtpm/libtpm/utils/dirwrite.c 1.16 +1 -1 libtpm/libtpm/utils/disableownerclear.c 1.13 +2 -1 libtpm/libtpm/utils/disablepubek.c 1.15 +4 -3 libtpm/libtpm/utils/enableaudit.c 1.16 +0 -3 libtpm/libtpm/utils/getauditdigestsigned.c 1.14 +2 -1 libtpm/libtpm/utils/getpubek.c 1.24 +4 -2 libtpm/libtpm/utils/identity.c 1.20 +3 -2 libtpm/libtpm/utils/keycontrol.c 1.15 +2 -2 libtpm/libtpm/utils/killmaintenancefeature.c 1.19 +4 -1 libtpm/libtpm/utils/loadownerdelegation.c 1.22 +3 -1 libtpm/libtpm/utils/migrate.c 1.14 +2 -1 libtpm/libtpm/utils/nv_definespace.c 1.23 +6 -3 libtpm/libtpm/utils/nv_readvalue.c 1.18 +6 -2 libtpm/libtpm/utils/nv_writevalue.c 1.20 +5 -3 libtpm/libtpm/utils/ownerreadinternalpub.c 
1.15 +2 -1 libtpm/libtpm/utils/ownersetdisable.c 1.16 +5 -1 libtpm/libtpm/utils/quote.c 1.13 +2 -1 libtpm/libtpm/utils/resetlockvalue.c 1.15 +1 -1 libtpm/libtpm/utils/setcapability.c 1.21 +2 -1 libtpm/libtpm/utils/takeown.c 1.20 +3 -3 libtpm/libtpm/utils/updateverification.c ____________________________________________________________________________ patch -p0 <<'@@ .' Index: libtpm/CHANGELOG ============================================================================ $ cvs diff -u -r1.1.1.1 -r1.2 CHANGELOG --- libtpm/CHANGELOG 27 Aug 2013 20:20:51 -0000 1.1.1.1 +++ libtpm/CHANGELOG 28 Mar 2016 22:04:01 -0000 1.2 @@ -1,7 +1,7 @@ TPM Change Log Written by Ken Goldman IBM Thomas J. Watson Research Center - $Id: CHANGELOG 4657 2011-12-22 22:26:12Z kgoldman $ + $Id: CHANGELOG 4717 2013-12-26 14:51:00Z kgoldman $ (c) Copyright IBM Corporation 2010: 
@@ -36,8 +36,51 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Changes from 4665 to current -Changes from 4078 to current +Major +____ + +TPM +- - - + +Don't use physical presence flag if CMD enable is false + +Utilities: +- - - - - + +mv_writevalue + added write from file + added write with certificate prefix +nv_readvalue + added read to file + added read to strip certificate prefix +separated activateidentity and makeidentity +added option to activateidentity to read and decrypt AIK certificate with symmetric key +added quote option to validate against certificate +create revokable EK used wrong encryption algorithm +takeown, counter, delegation, migration accept ownerAuth from file +added tpm_proxy for Windows 7 + +Minor +----- + +TPM: +- - - + +Fixed debug print plus some style errors reported by Coverity + +Utilities: +- - - - - + +Skip exponent tests for HW TPM +When setting CMD physical presence, permit error setting CMD enable because + lifetime lock may be set + + +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Changes from 4078 to 4665 Major ____ @@ . patch -p0 <<'@@ .' Index: libtpm/configure.ac ============================================================================ $ cvs diff -u -r1.5 -r1.6 configure.ac --- libtpm/configure.ac 13 Aug 2014 18:09:13 -0000 1.5 +++ libtpm/configure.ac 28 Mar 2016 22:04:01 -0000 1.6 @@ -30,7 +30,7 @@ dnl (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE dnl OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -dnl $Id: configure.ac,v 1.5 2014/08/13 18:09:13 jbj Exp $ +dnl $Id: configure.ac,v 1.6 2016/03/28 22:04:01 jbj Exp $ dnl Process this file with autoconf to produce a configure script. 
@@ -274,8 +274,8 @@ [yes,external:internal:none], [../popt], [ if test ".$RPM_CHECK_LIB_LOCATION" = .internal; then WITH_LIBTPM_UTILS_SUBDIR="# utils" - RPMIO_LDADD="../rpmio/librpmio.la ../misc/librpmmisc.la" - RPMIO_CFLAGS="-I../rpmio" + RPMIO_LDADD="$(top_builddir)/rpmio/librpmio.la $(top_builddir)/misc/librpmmisc.la" + RPMIO_CFLAGS="-I$(top_srcdir)/rpmio" fi ], []) AC_SUBST(WITH_LIBTPM_UTILS_SUBDIR) @@ . patch -p0 <<'@@ .' Index: libtpm/libtpm/Makefile.am ============================================================================ $ cvs diff -u -r1.3 -r1.4 Makefile.am --- libtpm/libtpm/Makefile.am 13 Aug 2014 18:09:13 -0000 1.3 +++ libtpm/libtpm/Makefile.am 28 Mar 2016 22:04:02 -0000 1.4 @@ -1,6 +1,6 @@ ################################################################################# # Makefile for libtpm top directory # -# $Id: Makefile.am 4261 2011-01-05 16:47:20Z stefanb $ # +# $Id: Makefile.am 4702 2013-01-03 21:26:29Z kgoldman $ # ################################################################################ EXTRA_DIST = @@ . patch -p0 <<'@@ .' Index: libtpm/libtpm/utils/.cvsignore ============================================================================ $ cvs diff -u -r1.2 -r1.3 .cvsignore --- libtpm/libtpm/utils/.cvsignore 3 Sep 2013 09:43:32 -0000 1.2 +++ libtpm/libtpm/utils/.cvsignore 28 Mar 2016 22:04:02 -0000 1.3 @@ -2,6 +2,7 @@ .libs Makefile Makefile.in +activateidentity bindfile calcfuturepcr certifykey @@ . patch -p0 <<'@@ .' Index: libtpm/libtpm/utils/Makefile.am ============================================================================ $ cvs diff -u -r1.7 -r1.8 Makefile.am --- libtpm/libtpm/utils/Makefile.am 13 Aug 2014 18:09:13 -0000 1.7 +++ libtpm/libtpm/utils/Makefile.am 28 Mar 2016 22:04:02 -0000 1.8 @@ -7,7 +7,7 @@ LDADD = \ $(top_builddir)/libtpm/lib/.libs/libtpm.a \ - @RPMIO_LIBS@ \ + @RPMIO_LDADD@ \ @UDXTK_LD_PATHS@ @UDXTK_LD_LIBS@ \ @LIBTPMS_LIBRARY_PATH@ @LIBTPMS_LIBRARY@ 
@@ -47,6 +47,7 @@ unixiotest.c bin_PROGRAMS = \ + activateidentity \ bindfile \ calcfuturepcr \ certifykey \ @@ -161,6 +162,7 @@ bin_PROGRAMS += tis_test endif +activateidentity_SOURCES = activateidentity.c bindfile_SOURCES = bindfile.c calcfuturepcr_SOURCES = calcfuturepcr.c certifykey_SOURCES = certifykey.c @@ . patch -p0 <<'@@ .' Index: libtpm/libtpm/utils/activateidentity.c ============================================================================ $ cvs diff -u -r1.1 -r1.2 activateidentity.c --- libtpm/libtpm/utils/activateidentity.c 6 May 2015 19:14:26 -0000 1.1 +++ libtpm/libtpm/utils/activateidentity.c 28 Mar 2016 22:04:02 -0000 1.2 
@@ -3,66 +3,28 @@ /* Activate Identity */ /* Written by Ken Goldman */ /* IBM Thomas J. Watson Research Center */ -/* $Id: activateidentity.c,v 1.1 2015/05/06 19:14:26 jbj Exp $ */ -/* */ -/* (c) Copyright IBM Corporation 2012. */ -/* */ -/* All rights reserved. */ -/* */ -/* Redistribution and use in source and binary forms, with or without */ -/* modification, are permitted provided that the following conditions are */ -/* met: */ -/* */ -/* Redistributions of source code must retain the above copyright notice, */ -/* this list of conditions and the following disclaimer. */ -/* */ -/* Redistributions in binary form must reproduce the above copyright */ -/* notice, this list of conditions and the following disclaimer in the */ -/* documentation and/or other materials provided with the distribution. */ -/* */ -/* Neither the names of the IBM Corporation nor the names of its */ -/* contributors may be used to endorse or promote products derived from */ -/* this software without specific prior written permission. */ -/* */ -/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */ -/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */ -/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */ -/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */ -/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */ -/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */ -/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */ -/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */ -/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */ -/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */ -/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ +/* $Id: activateidentity.c,v 1.2 2016/03/28 22:04:02 jbj Exp $ */ /********************************************************************************/ -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <unistd.h> - -#ifdef TPM_POSIX -#include <netinet/in.h> -#endif -#ifdef TPM_WINDOWS -#include <winsock2.h> -#endif +#include "copyright.h" + +#include "system.h" + +#include <tpmfunc.h> + +#define _RPMTPM_INTERNAL +#include <rpmtpm.h> #include <openssl/rsa.h> #include <openssl/pem.h> #include <openssl/evp.h> -#include "tpm.h" -#include "tpmutil.h" -#include "tpmfunc.h" -#include "tpm_constants.h" -#include "tpm_structures.h" -#include "tpm_error.h" +#include "debug.h" /* AES requires data lengths that are a multiple of the block size */ #define AES_BITS 128 +/* FIXME move to library */ int Ossl_AES_Decrypt(unsigned char **decrypt_data, uint32_t *decrypt_length, const unsigned char *encrypt_data, 
@@ -70,283 +32,6 @@ const unsigned char *initialization_vector, const unsigned char *aes_key); -/* local prototypes */ - -static void PrintUsage() { - printf("activateidentity activates the identity blob agains the loaded AIK\n" - "It optionally outputs the symmetric key. If the AIK certificate is supplied, " - "it is decrypted with the symmetric key"); - printf("\n"); - printf("\n"); - printf("Usage: activateidentity-hk keyhandle -pwdo <owner password>\n" - "\t-if identity blob[options]\n"); - printf("\n"); - printf("Inputs\n"); - printf(" -hk <keyhandle> AIK key handle in hex\n"); - printf(" -pwdo pwd : The TPM owner password\n"); - printf(" [-pwdk idpwd : A password for the identity]\n"); - printf(" -if filename : the filename of the identity blob\n"); - printf(" [-aikcertenc : Encrypted AIK certificate]\n"); - printf("Outputs\n"); - printf(" [-ok filename : Symmetric key file name]\n"); - printf(" [-aikcert : AIK certificate (DER)\n]"); - printf(" [-v : to enable verbose output]\n"); - printf(" [-h : usage help]\n"); - printf("\n"); - printf("Examples:\n"); - exit(-1); -} - -int main(int argc, char * argv[]) -{ - uint32_t ret = 0; - - /* command line parameters */ - const char *blobFilename = NULL; /* input EK blob */ - const char *aikPassword = NULL; /* AIK password */ - const char *ownerPassword = NULL; /* owner password */ - const char *keyFilename = NULL; /* output symmetric key */ - const char *aikCertificateFileName = NULL; - const char *aikCertificateEncFileName = NULL; - int verbose = FALSE; - - - unsigned char usagehash[20]; /* hash of aikPassword if supplied */ - unsigned char * usageAuth = NULL; /* AIK usageAuth */ - unsigned char ownerHash[20]; - unsigned char * ownerAuth = NULL; - uint32_t aikHandle = 0; /* IAK key handle */ - unsigned char *blobData = NULL; /* blob to be activated, free @1 */ - uint32_t blobSize; - - - STACK_TPM_BUFFER(returnbuffer); /* decrypted symmetric key */ - TPM_SYMMETRIC_KEY retkey; /* decrypted symmetric key */ - - - int 
i = 0; - - i = 1; - - TPM_setlog(0); - - for (i=1 ; i<argc ; i++) { - if (strcmp(argv[i],"-hk") == 0) { - i++; - if (i < argc) { - /* convert key handle from hex */ - if (1 != sscanf(argv[i], "%x", &aikHandle )) { - printf("Invalid -hk argument '%s'\n",argv[i]); - exit(2); - } - if (aikHandle == 0) { - printf("Invalid -hk argument '%s'\n",argv[i]); - exit(2); - } - } - else { - printf("-hk option needs a value\n"); - PrintUsage(); - } - } - else if (!strcmp("-pwdo",argv[i])) { - i++; - if (i < argc) { - ownerPassword = argv[i]; - } else { - printf("Missing parameter for -pwdo.\n"); - PrintUsage(); - } - } - else if (!strcmp("-pwdk",argv[i])) { - i++; - if (i < argc) { - aikPassword = argv[i]; - } else { - printf("Missing parameter for -pwdk.\n"); - PrintUsage(); - } - } - else if (!strcmp("-if",argv[i])) { - i++; - if (i < argc) { - blobFilename = argv[i]; - } else { - printf("Missing parameter for -if.\n"); - PrintUsage(); - } - } - else if (!strcmp("-ok",argv[i])) { - i++; - if (i < argc) { - keyFilename = argv[i]; - } - else { - printf("Missing parameter for -ok\n"); - PrintUsage(); - } - } - else if (strcmp(argv[i],"-aikcert") == 0) { - i++; - if (i < argc) { - aikCertificateFileName = argv[i]; - } - else { - printf("ERROR1007: -aikcert option needs a value\n"); - PrintUsage(); - } - } - else if (strcmp(argv[i],"-aikcertenc") == 0) { - i++; - if (i < argc) { - aikCertificateEncFileName = argv[i]; - } - else { - printf("ERROR1007: -aikcertenc option needs a value\n"); - PrintUsage(); - } - } - else if (!strcmp("-ok",argv[i])) { - i++; - if (i < argc) { - keyFilename = argv[i]; - } - else { - printf("Missing parameter for -ok\n"); - PrintUsage(); - } - } - else if (!strcmp("-v",argv[i])) { - TPM_setlog(1); - verbose = TRUE; - } - else if (!strcmp("-h",argv[i])) { - PrintUsage(); - } - else { - printf("\n%s is not a valid option\n", argv[i]); - PrintUsage(); - } - } - /* validate command line arguments */ - if (aikHandle == 0) { - printf("Missing AIK handle\n"); - 
PrintUsage(); - } - if (ownerPassword == NULL) { - printf("Missing owner password.\n"); - PrintUsage(); - } - if (blobFilename == NULL) { - printf("Missing input file name\n"); - } - if ((aikCertificateEncFileName == NULL) && (aikCertificateFileName != NULL)) { - printf("AIK certificate output requires encrypted AIK certificate input\n"); - } - - /* calculate ownerAuth */ - if (ownerPassword != NULL) { - TSS_sha1((char *)ownerPassword, strlen(ownerPassword), ownerHash); - ownerAuth = ownerHash; - } else { - ownerAuth = NULL; - } - /* calculate usageAuth */ - if (aikPassword != NULL) { - TSS_sha1((char *)aikPassword, strlen(aikPassword), usagehash); - usageAuth = usagehash; - } else { - usageAuth = NULL; - } - /* read the blob */ - if (ret == 0) { - ret = TPM_ReadFile(blobFilename, - &blobData, &blobSize); /* freed @1 */ - if ( (ret & ERR_MASK) != 0) { - printf("Error while reading blob file.\n"); - ret = -1; - } - } - /* - * Activate the identity. - */ - if (ret == 0) { - ret = TPM_ActivateIdentity(aikHandle, - blobData, blobSize, - usageAuth, - ownerAuth, - &returnbuffer); - if (ret != 0) { - printf("ActivateIdentity returned error '%s' (0x%x).\n", - TPM_GetErrMsg(ret), - ret); - } - } - if (ret == 0) { - if (verbose) printf("Successfully activated the identity.\n"); - ret = TPM_ReadSymmetricKey(&returnbuffer, - 0, - &retkey); - if (ret & ERR_MASK) { - printf("TPM_ReadSymmetricKey returned error '%s' (0x%x).\n", - TPM_GetErrMsg(ret), - ret); - } - else { - ret = 0; - } - } - if ((ret == 0) && verbose) { - uint32_t j = 0; - printf("Received the following symmetric key:\n"); - printf("algId : 0x%x\n",(uint32_t)retkey.algId); - printf("encScheme : 0x%x\n",(uint32_t)retkey.encScheme); - printf("data : "); - while (j < retkey.size) { - printf("%02X ",retkey.data[j]); - j++; - } - printf("\n"); - } - /* optionally write the symmetric key to a file */ - if ((ret == 0) && (keyFilename != NULL)) { - ret = TPM_WriteFile(keyFilename , retkey.data, retkey.size); - } - - 
unsigned char *aikCertificate = NULL; /* freed @6 */ - uint32_t aikCertificateLength; - unsigned char *aikCertificateEnc = NULL; /* freed @7 */ - uint32_t aikCertificateEncLength; - unsigned char initializationVector[16]; - - - /* optionally decrypt the AIK certificate */ - if ((ret == 0) && (aikCertificateEncFileName != NULL)) { - ret = TPM_ReadFile(aikCertificateEncFileName, - &aikCertificateEnc, /* freed @6 */ - &aikCertificateEncLength); - } - if ((ret == 0) && (aikCertificateEncFileName != NULL)) { - memset(initializationVector, 0, sizeof(initializationVector)); - ret = Ossl_AES_Decrypt(&aikCertificate, &aikCertificateLength, /* freed @7 */ - aikCertificateEnc, aikCertificateEncLength, - initializationVector, - retkey.data); - } - /* optionally write the AIK certificate */ - if ((ret == 0) && (aikCertificateFileName != NULL)) { - ret = TPM_WriteFile(aikCertificateFileName, - aikCertificate , - aikCertificateLength); - } - free(blobData); /* @1 */ - free(aikCertificate); /* @6 */ - free(aikCertificateEnc); /* @7 */ - return ret; -} - -/* FIXME move to library */ - /* Ossl_AES_Decrypt() is AES non-portable code to decrypt 'encrypt_data' to 'decrypt_data' 
@@ -362,37 +47,30 @@ const unsigned char *initialization_vector, /* input */ const unsigned char *aes_key) /* input */ { - int rc = 0; size_t pad_length; unsigned int i; unsigned char *pad_data; AES_KEY aes_dec_key; - unsigned char ivec[AES_BLOCK_SIZE]; /* initial chaining vector */ + int rc = -1; /* assume failure */ + int xx; - if (rc == 0) { - rc = AES_set_decrypt_key(aes_key, - AES_BITS, - &aes_dec_key); - if (rc != 0) { - rc = -1; - } - } + xx = AES_set_decrypt_key(aes_key, AES_BITS, &aes_dec_key); + if (xx != 0) + goto exit; + /* sanity check encrypted length */ - if (rc == 0) { - if (encrypt_length < AES_BLOCK_SIZE) { - printf("Ossl_AES_Decrypt: Error, bad length\n"); - rc = -1; - } + if (encrypt_length < AES_BLOCK_SIZE) { + printf("Ossl_AES_Decrypt: Error, bad length\n"); + goto exit; } + /* allocate memory for the padded decrypted data */ - if (rc == 0) { - *decrypt_data = malloc(encrypt_length); - if (*decrypt_data == NULL) { - rc = -1; - } - } + *decrypt_data = malloc(encrypt_length); + if (*decrypt_data == NULL) + goto exit; + /* decrypt the input to the padded output */ - if (rc == 0) { + { unsigned char ivec[AES_BLOCK_SIZE]; /* make a copy of the initialization vector */ memcpy(ivec, initialization_vector, sizeof(ivec)); /* decrypt the padded input to the output */ 
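Review bot: Every failure after the `malloc` (illegal pad length, bad pad byte, in the continuation of this function in the next hunk) jumps to `exit` with `*decrypt_data` still pointing at the allocated, now-decrypted buffer and `*decrypt_length` never set, and the caller in main() only frees that buffer on the success path, so the plaintext leaks. Set `*decrypt_data = NULL;` before `AES_set_decrypt_key` and release it at the label: `exit: if (rc != 0) { free(*decrypt_data); *decrypt_data = NULL; }`; wiping the buffer with `memset` before the free would be prudent since it holds material decrypted under the AIK session key. The `goto exit` restructuring itself is fine and the `rc = -1` default is clearer than the old rc-chaining. Ossl_AES_Decrypt's parameter list starts before this hunk and its body continues in the next one.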
@@ -403,32 +81,216 @@ ivec, AES_DECRYPT); } - /* get the pad length */ - if (rc == 0) { - /* get the pad length from the last byte */ - pad_length = (size_t)*(*decrypt_data + encrypt_length - 1); - /* sanity check the pad length */ - if ((pad_length == 0) || - (pad_length > AES_BLOCK_SIZE)) { - printf("Ossl_AES_Decrypt: Error, illegal pad length\n"); - rc = -1; - } - } - if (rc == 0) { - /* get the unpadded length */ - *decrypt_length = encrypt_length - pad_length; - /* pad starting point */ - pad_data = *decrypt_data + *decrypt_length; - /* sanity check the pad */ - for (i = 0 ; i < pad_length ; i++, pad_data++) { - if (*pad_data != pad_length) { - printf("Ossl_AES_Decrypt: Error, bad pad %02x at index %u\n", *pad_data, i); - rc = -1; - } - } + + /* get the pad length from the last byte */ + pad_length = (size_t)*(*decrypt_data + encrypt_length - 1); + /* sanity check the pad length */ + if (pad_length == 0 || pad_length > AES_BLOCK_SIZE) { + printf("Ossl_AES_Decrypt: Error, illegal pad length\n"); + goto exit; + } + + /* get the unpadded length */ + *decrypt_length = encrypt_length - pad_length; + /* pad starting point */ + pad_data = *decrypt_data + *decrypt_length; + /* sanity check the pad */ + for (i = 0 ; i < pad_length ; i++, pad_data++) { + if (*pad_data == pad_length) + continue; + printf("Ossl_AES_Decrypt: Error, bad pad %02x at index %u\n", + *pad_data, i); + goto exit; } + + rc = 0; + +exit: return rc; } +static const char *aikCertificateEncFileName; +static const char *aikCertificateFileName; + +static struct poptOption optionsTable[] = { + { "hk", '\0', POPT_ARG_STRING | POPT_ARGFLAG_ONEDASH, &__tpm.hk_str, 0, + N_("Specify the AIK key <handle>"), N_(" <handle>") }, + + { "pwdo", '\0', POPT_ARG_STRING|POPT_ARGFLAG_ONEDASH, &__tpm.ownerpass, 0, + N_("Specify TPM owner <password>"), N_(" <password>") }, + { "pwdk", '\0', POPT_ARG_STRING|POPT_ARGFLAG_ONEDASH, &__tpm.keypass, 0, + N_("Specify AIK key <password>"), N_(" <password>") }, + { "if", '\0', 
POPT_ARG_STRING|POPT_ARGFLAG_ONEDASH, &__tpm.ifn, 0, + N_("Specify <fn> of an input data file"), N_(" <fn>") }, + { "aikcertenc", '\0', POPT_ARG_STRING|POPT_ARGFLAG_ONEDASH, &aikCertificateEncFileName, 0, + N_("Specify input <fn> of encrypted AIK certificate"), N_(" <fn>") }, + + { "ok", '\0', POPT_ARG_STRING|POPT_ARGFLAG_ONEDASH, &__tpm.ofn, 0, + N_("Specify symmetrickey <fn>"), N_(" <fn>") }, + + { "aikcert", '\0', POPT_ARG_STRING|POPT_ARGFLAG_ONEDASH, &aikCertificateFileName, 0, + N_("Specify output <fn> of AIK certificate (DER)"), N_(" <fn>") }, + + + + { NULL, (char)-1, POPT_ARG_INCLUDE_TABLE, NULL, 0, + N_("\ +activateidentity activates the identity blob agains the loaded AIK\n\ +It optionally outputs the symmetric key.\n\ +If the AIK certificate is supplied, it is decrypted with the symmetric key.\n\ +\n\ +\n\ +Usage: activateidentity-hk keyhandle -pwdo <owner password>\n\ +\t-if identity blob[options]\n\ +\n\ +Inputs\n\ + -hk <keyhandle> AIK key handle in hex\n\ + -pwdo pwd : The TPM owner password\n\ + [-pwdk idpwd : A password for the identity]\n\ + -if filename : the filename of the identity blob\n\ + [-aikcertenc : Encrypted AIK certificate]\n\ +Outputs\n\ + [-ok filename : Symmetric key file name]\n\ + [-aikcert : AIK certificate (DER)]\n\ + [-v : to enable verbose output]\n\ + [-h : usage help]\n\ +\n\ +Examples:\n\ +"), NULL }, + + { NULL, '\0', POPT_ARG_INCLUDE_TABLE, rpmioAllPoptTable, 0, + N_("Common options:"), NULL }, + + POPT_AUTOALIAS + POPT_AUTOHELP + POPT_TABLEEND +}; + +int main(int argc, char * argv[]) +{ + rpmtpm tpm = rpmtpmNew(argc, argv, optionsTable, 0); + int ec = -1; /* assume failure */ + + uint32_t aikHandle = 0; + unsigned char *blobData = NULL; /* blob to be activated, free @1 */ + uint32_t blobSize; + + STACK_TPM_BUFFER(returnbuffer); /* decrypted symmetric key */ + TPM_SYMMETRIC_KEY retkey; /* decrypted symmetric key */ + TPM_setlog(rpmIsVerbose() ? 
1 : 0); + /* validate command line arguments */ + + if (tpm->hk_str == NULL + || 1 != sscanf(tpm->hk_str, "%x", &aikHandle ) + || aikHandle == 0) + { + printf("Missing or invalid -hk argument\n"); + ec = 2; + goto exit; + } + + if (tpm->pwdo == NULL) { + printf("Missing owner password.\n"); + goto exit; + } + + if (tpm->ifn == NULL) { + printf("Missing input file name\n"); + } + + if (aikCertificateEncFileName == NULL + && aikCertificateFileName != NULL) { + printf("AIK certificate output requires encrypted AIK certificate input\n"); + goto exit; + } + + /* Read the blob */ + ec = rpmtpmErr(tpm, "ReadFile", ERR_MASK, + TPM_ReadFile(tpm->ifn, &blobData, &blobSize)); + if (ec & ERR_MASK) { + printf("Error while reading blob file.\n"); + ec = -1; + goto exit; + } + + /* Activate the identity. */ + ec = rpmtpmErr(tpm, "ActivateIdentity", 0, + TPM_ActivateIdentity(aikHandle, + blobData, blobSize, + tpm->pwdk, + tpm->pwdo, + &returnbuffer)); + free(blobData); + if (ec) { + printf("ActivateIdentity returned error '%s' (0x%x).\n", + TPM_GetErrMsg(ec), ec); + goto exit; + } + + if (rpmIsVerbose()) printf("Successfully activated the identity.\n"); + ec = rpmtpmErr(tpm, "ReadSymmetricKey", ERR_MASK, + TPM_ReadSymmetricKey(&returnbuffer, 0, &retkey)); + if (ec & ERR_MASK) { + printf("TPM_ReadSymmetricKey returned error '%s' (0x%x).\n", + TPM_GetErrMsg(ec), ec); + goto exit; + } + ec = 0; + + if (rpmIsVerbose()) { + printf("Received the following symmetric key:\n"); + printf("algId : 0x%x\n",(uint32_t)retkey.algId); + printf("encScheme : 0x%x\n",(uint32_t)retkey.encScheme); + rpmtpmDump(tpm, "data : ", retkey.data, retkey.size); + } + + /* Optionally write the symmetric key to a file */ + if (tpm->ofn != NULL) { + ec = rpmtpmErr(tpm, "WriteFile", 0, + TPM_WriteFile(tpm->ofn, retkey.data, retkey.size)); + if (ec) + goto exit; + } + + /* Optionally decrypt and write the AIK certificate */ + if (aikCertificateEncFileName != NULL) { + unsigned char *aikCertificate = NULL; + 
uint32_t aikCertificateLength; + unsigned char *aikCertificateEnc = NULL; + uint32_t aikCertificateEncLength; + unsigned char initializationVector[16]; + + ec = rpmtpmErr(tpm, "ReadFile", 0, + TPM_ReadFile(aikCertificateEncFileName, + &aikCertificateEnc, + &aikCertificateEncLength)); + if (ec) + goto exit; + + memset(initializationVector, 0, sizeof(initializationVector)); + ec = rpmtpmErr(tpm, "AES_Decrypt", 0, + Ossl_AES_Decrypt(&aikCertificate, + &aikCertificateLength, + aikCertificateEnc, aikCertificateEncLength, + initializationVector, + retkey.data)); + free(aikCertificateEnc); + if (ec) + goto exit; + + ec = rpmtpmErr(tpm, "WriteFile", 0, + TPM_WriteFile(aikCertificateFileName, + aikCertificate, aikCertificateLength)); + free(aikCertificate); + if (ec) + goto exit; + } + +exit: + + tpm = rpmtpmFree(tpm); + + return ec; +} @@ . patch -p0 <<'@@ .' Index: libtpm/libtpm/utils/chgtpmauth.c ============================================================================ $ cvs diff -u -r1.14 -r1.15 chgtpmauth.c --- libtpm/libtpm/utils/chgtpmauth.c 26 Sep 2013 16:34:09 -0000 1.14 +++ libtpm/libtpm/utils/chgtpmauth.c 28 Mar 2016 22:04:02 -0000 1.15 @@ -26,7 +26,9 @@ { NULL, (char) -1, POPT_ARG_INCLUDE_TABLE, NULL, 0, N_("\ -Usage: chgtpmauth [-own] -pwdo <TPM owner password> -pwdn <new SRK or Owner password>\n\ +Usage: chgtpmauth [-own]> -pwdn <new SRK or Owner password>\n\ + [-pwdo <owner password> -pwdof <owner authorization file name>\n\ + [-pwdn <new password> -pwdnf <new authorization file name>\n\ Runs TPM_ChangeOwnAuth or TPM_ChangeSRKAuth\n\ \n\ -own to specify the TPM Owner password is to be changed\n\ @@ . patch -p0 <<'@@ .' Index: libtpm/libtpm/utils/clearown.c ============================================================================ $ cvs diff -u -r1.12 -r1.13 clearown.c --- libtpm/libtpm/utils/clearown.c 26 Sep 2013 16:34:09 -0000 1.12 +++ libtpm/libtpm/utils/clearown.c 28 Mar 2016 22:04:02 -0000 1.13 
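Review bot: Passing `-aikcertenc` without `-aikcert` now reaches `TPM_WriteFile(aikCertificateFileName, ...)` with a NULL name, because the decrypt block only tests `aikCertificateEncFileName != NULL` whereas the removed code guarded the write on `aikCertificateFileName != NULL`; either restore that guard or reject the combination next to the existing `aikCertificateEncFileName == NULL && aikCertificateFileName != NULL` check. Likewise the `tpm->ifn == NULL` branch only prints and falls through into `TPM_ReadFile(tpm->ifn, ...)`; add `goto exit;` after that printf (ec is still -1 at that point). `retkey.algId`, `encScheme` and `size` are dumped in verbose mode but never validated before `retkey.data` is handed to Ossl_AES_Decrypt as a 128-bit key (AES_BITS), so a check such as `if (retkey.size != AES_BITS / 8) { printf("Unexpected symmetric key size %u\n", retkey.size); ec = -1; goto exit; }` belongs before the decrypt (the algId constant to compare against is not visible in this diff). The session key in `retkey` and the decrypted certificate are not cleared before free/exit; a `memset(&retkey, 0, sizeof(retkey))` at `exit` is cheap. The option table stores `-pwdo`/`-pwdk` into `__tpm.ownerpass`/`__tpm.keypass` while main() passes `tpm->pwdo`/`tpm->pwdk` to TPM_ActivateIdentity — presumably rpmtpmNew derives the 20-byte auth digests from the passwords as the removed TSS_sha1 calls did, but that is not visible here and is worth confirming.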
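Review bot: The new usage line `Usage: chgtpmauth [-own]> -pwdn <new SRK or Owner password>` carries a stray `>` after `[-own]`, and the two option lines that follow open a `[` that is never closed while listing `-pwdo` with `-pwdof` (and `-pwdn` with `-pwdnf`) as if both were required. If they are alternatives, as the CHANGELOG's "accept ownerAuth from file" suggests, write `[-pwdo <owner password> | -pwdof <owner authorization file name>]` and `[-pwdn <new password> | -pwdnf <new authorization file name>]`. The same unclosed-bracket form is repeated in the other utilities' usage strings in this commit.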
@@ -21,7 +21,8 @@ { NULL, (char)-1, POPT_ARG_INCLUDE_TABLE, NULL, 0, N_("\ -Usage: clearown -pwdo <owner password>\n\ +Usage: clearown\n\ + [-pwdo <owner password> -pwdof <owner authorization file name>\n\ "), NULL }, { NULL, '\0', POPT_ARG_INCLUDE_TABLE, rpmioAllPoptTable, 0, @@ . patch -p0 <<'@@ .' Index: libtpm/libtpm/utils/counter_create.c ============================================================================ $ cvs diff -u -r1.15 -r1.16 counter_create.c --- libtpm/libtpm/utils/counter_create.c 26 Sep 2013 16:34:09 -0000 1.15 +++ libtpm/libtpm/utils/counter_create.c 28 Mar 2016 22:04:02 -0000 1.16 @@ -31,6 +31,7 @@ Usage: counter_create -pwdo <owner password> -la label -pwdc cntrpwd [-v]\n\ \n\ -pwdo : The TPM owner password \n\ + -pwdof : The TPM owner authorization file\n\ -pwdc : The counter password.\n\ -la : The label of the counter.\n\ -v : Enable verbose output.\n\ @@ . patch -p0 <<'@@ .' Index: libtpm/libtpm/utils/counter_release.c ============================================================================ $ cvs diff -u -r1.17 -r1.18 counter_release.c --- libtpm/libtpm/utils/counter_release.c 26 Sep 2013 16:34:09 -0000 1.17 +++ libtpm/libtpm/utils/counter_release.c 28 Mar 2016 22:04:02 -0000 1.18 
@@ -27,9 +27,12 @@ { NULL, (char)-1, POPT_ARG_INCLUDE_TABLE, NULL, 0, N_("\ -Usage: counter_release -pwdo <owner password> -ix id -pwdc cntrpwd[-v]\n\ - n\ - -pwdo ownerpass : the TPM owner password; not necessary if -pwdc is provided\n\ +Usage: counter_release -ix id [-v]\n\ +\n\ +One of these authorizations:\n\ +[-pwdo <owner password>\n\ +[-pwdof <owner authorization file name>\n\ +[-pwdc <counter password\n\ -ix id : The id of the counter.\n\ -pwdc cntrpwd : The counter password; not necessary if -pwdo is provided \n\ -v : Enable verbose output.\n\ @@ . patch -p0 <<'@@ .' Index: libtpm/libtpm/utils/createownerdelegation.c ============================================================================ $ cvs diff -u -r1.20 -r1.21 createownerdelegation.c --- libtpm/libtpm/utils/createownerdelegation.c 26 Sep 2013 16:34:09 -0000 1.20 +++ libtpm/libtpm/utils/createownerdelegation.c 28 Mar 2016 22:04:02 -0000 1.21 @@ -45,7 +45,8 @@ { NULL, (char)-1, POPT_ARG_INCLUDE_TABLE, NULL, 0, N_("\ -Usage: createownerdelegation Parameters -pwdd <delegate password> -of <filename>\n\ +Usage: createownerdelegation pwdd <delegate password> -of <filename>\n\ + [-pwdo <owner password> -pwdof <owner authorization file name>\n\ \n\ Valid parameters are:\n\ -inc : to increment the verificationCount\n\ @@ -55,6 +56,7 @@ -per2 <permissions> : to set the permission2 parameter\n\ -v : turns on verbose mode\n\ -pwdo <owner password> : TPM owner password\n\ +-pwdof <owner auth> : TPM owner authorization file name\n\ -pwdd <password> : Delegate password\n\ \n\ Example:\n\ @@ . patch -p0 <<'@@ .' Index: libtpm/libtpm/utils/delegatemanage.c ============================================================================ $ cvs diff -u -r1.15 -r1.16 delegatemanage.c --- libtpm/libtpm/utils/delegatemanage.c 26 Sep 2013 16:34:09 -0000 1.15 +++ libtpm/libtpm/utils/delegatemanage.c 28 Mar 2016 22:04:02 -0000 1.16 
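Review bot: The added line `[-pwdc <counter password` is missing both its closing `>` and the `]`, and the three alternatives under "One of these authorizations:" each open a `[` that is never closed; `[-pwdo <owner password> | -pwdof <owner authorization file name> | -pwdc <counter password>]` says the same thing in one valid line. The retained `-pwdc cntrpwd : ... not necessary if -pwdo is provided` line now duplicates that list and could mention `-pwdof` as well.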
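Review bot: The rewritten usage line `Usage: createownerdelegation pwdd <delegate password> -of <filename>` dropped the leading dash from `-pwdd` (the removed line had `-pwdd`), so the synopsis no longer matches the `-pwdd <password>` entry in the option list below it. Restore it as `Usage: createownerdelegation -pwdd <delegate password> -of <filename>`, and close the `[` on the following `-pwdo ... -pwdof` line, e.g. `[-pwdo <owner password> | -pwdof <owner authorization file name>]`.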
@@ -33,7 +33,8 @@ { NULL, (char) -1, POPT_ARG_INCLUDE_TABLE, NULL, 0, N_("\ -Usage: delegate_manage -<op code> [-pwdo <owner password>]\n\ +Usage: delegate_manage -<op code>\n\ + [-pwdo <owner password> -pwdof <owner authorization file name>\n\ \n\ Valid options are:\n\ \n\ @@ . patch -p0 <<'@@ .' Index: libtpm/libtpm/utils/dirwrite.c ============================================================================ $ cvs diff -u -r1.13 -r1.14 dirwrite.c --- libtpm/libtpm/utils/dirwrite.c 26 Sep 2013 16:34:09 -0000 1.13 +++ libtpm/libtpm/utils/dirwrite.c 28 Mar 2016 22:04:02 -0000 1.14 @@ -30,7 +30,7 @@ N_("\ Usage: dirwrite -pwdo <ownerpass> -ix <index> -ic <message>\n\ \n\ --pwdo ownerpass : the TPM owner password\n\ + [-pwdo <owner password> -pwdof <owner authorization file name>\n\ -ix index : The index of the DIR to write into; give hex number\n\ -ic message : The message to write into; the SHA1 of this message will be calculated\n\ \n" "Examples:\n\ @@ . patch -p0 <<'@@ .' Index: libtpm/libtpm/utils/disableownerclear.c ============================================================================ $ cvs diff -u -r1.15 -r1.16 disableownerclear.c --- libtpm/libtpm/utils/disableownerclear.c 26 Sep 2013 16:34:09 -0000 1.15 +++ libtpm/libtpm/utils/disableownerclear.c 28 Mar 2016 22:04:02 -0000 1.16 @@ -24,7 +24,7 @@ N_("\ Usage: disableownerclear -pwdo <owner password> [-v]\n\ \n\ - -pwdo pwd : the TPM owner password\n\ + [-pwdo <owner password> -pwdof <owner authorization file name>\n\ -v : to enable verbose output\n\ \n\ Examples:\n\ @@ . patch -p0 <<'@@ .' Index: libtpm/libtpm/utils/disablepubek.c ============================================================================ $ cvs diff -u -r1.12 -r1.13 disablepubek.c --- libtpm/libtpm/utils/disablepubek.c 26 Sep 2013 16:34:09 -0000 1.12 +++ libtpm/libtpm/utils/disablepubek.c 28 Mar 2016 22:04:02 -0000 1.13 
@@ -22,7 +22,8 @@ { NULL, (char)-1, POPT_ARG_INCLUDE_TABLE, NULL, 0, N_("\ -Usage: disablepubek -pwdo <owner password>\n\ +Usage: disablepubek\n\ + [-pwdo <owner password> -pwdof <owner authorization file name>\n\ "), NULL }, { NULL, '\0', POPT_ARG_INCLUDE_TABLE, rpmioAllPoptTable, 0, @@ . patch -p0 <<'@@ .' Index: libtpm/libtpm/utils/enableaudit.c ============================================================================ $ cvs diff -u -r1.14 -r1.15 enableaudit.c --- libtpm/libtpm/utils/enableaudit.c 26 Sep 2013 16:34:09 -0000 1.14 +++ libtpm/libtpm/utils/enableaudit.c 28 Mar 2016 22:04:02 -0000 1.15 @@ -28,10 +28,11 @@ { NULL, (char)-1, POPT_ARG_INCLUDE_TABLE, NULL, 0, N_("\ -Usage: enableaudit -o <ordinal> -p <owner password> [-d] [-v]\n\ +Usage: enableaudit -o <ordinal> [-d] [-v]\n\ + [-pwdo <owner password> -pwdof <owner authorization file name>\n\ \n\ --o : option to pass the ordinal for the audit\n\ --p : the owner password\n\ +-ord : option to pass the ordinal for the audit\n\ +-pwdo : the owner password\n\ -d : to disable the audit; default is enabling\n\ -v : turns on verbose mode\n\ "), NULL }, @@ . patch -p0 <<'@@ .' Index: libtpm/libtpm/utils/getauditdigestsigned.c ============================================================================ $ cvs diff -u -r1.15 -r1.16 getauditdigestsigned.c --- libtpm/libtpm/utils/getauditdigestsigned.c 26 Sep 2013 16:34:09 -0000 1.15 +++ libtpm/libtpm/utils/getauditdigestsigned.c 28 Mar 2016 22:04:02 -0000 1.16 @@ -48,7 +48,6 @@ int ec = -1; /* assume failure */ TPM_COUNTER_VALUE counter; - uint32_t lowest = 0; STACK_TPM_BUFFER(signature); unsigned char digest[TPM_DIGEST_SIZE]; unsigned char ordinalDigest[TPM_DIGEST_SIZE]; 
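Review bot: The usage synopsis still says `Usage: enableaudit -o <ordinal> [-d] [-v]` while the option list directly below it was changed to `-ord : option to pass the ordinal for the audit`, so the two disagree on the option's spelling. The popt table that decides which name is accepted is outside this hunk; whichever it is, make the synopsis match, e.g. `Usage: enableaudit -ord <ordinal> [-d] [-v]`, and close the `[` on the `-pwdo ... -pwdof` line.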
@@ -69,8 +68,6 @@ goto exit; } - lowest = tpm->ordinal; - ec = rpmtpmErr(tpm, "GetAuditDigestSigned", 0, TPM_GetAuditDigestSigned(tpm->keyhandle, FALSE, @@ . patch -p0 <<'@@ .' Index: libtpm/libtpm/utils/getpubek.c ============================================================================ $ cvs diff -u -r1.13 -r1.14 getpubek.c --- libtpm/libtpm/utils/getpubek.c 26 Sep 2013 16:34:09 -0000 1.13 +++ libtpm/libtpm/utils/getpubek.c 28 Mar 2016 22:04:02 -0000 1.14 @@ -25,7 +25,8 @@ { NULL, (char)-1, POPT_ARG_INCLUDE_TABLE, NULL, 0, N_("\ -getpubek [-pwdo owner password]\n\ +getpubek (to pubkek.pem)\n\ + [-pwdo <owner password> -pwdof <owner authorization file name>\n\ \n\ With owner password - runs TPM_OwnerReadPubek\n\ Without owner password - runs TPM_ReadPubek\n\ @@ . patch -p0 <<'@@ .' Index: libtpm/libtpm/utils/identity.c ============================================================================ $ cvs diff -u -r1.23 -r1.24 identity.c --- libtpm/libtpm/utils/identity.c 26 Sep 2013 16:34:09 -0000 1.23 +++ libtpm/libtpm/utils/identity.c 28 Mar 2016 22:04:02 -0000 1.24 @@ -156,6 +156,7 @@ if (ec & ERR_MASK) goto exit; ser_symkey_len = ec; + (void)ser_symkey_len; activate.tag = TPM_TAG_EK_BLOB_ACTIVATE; activate.sessionKey = tpm_symkey; @@ -246,6 +247,7 @@ if (ec & ERR_MASK) return ret; ser_symkey_len = ec; + (void)ser_symkey_len; memset(&data, 0x0, sizeof(data)); // symmetric key 
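Review bot: `getpubek (to pubkek.pem)` looks like a typo in the output file name, presumably `pubek.pem`; worth confirming against the name the code actually writes, which is outside this hunk. The two explanatory lines that follow, `With owner password - runs TPM_OwnerReadPubek` and `Without owner password - runs TPM_ReadPubek`, were not updated for `-pwdof`, so a user supplying the owner authorization from a file cannot tell which command will be issued; nv_readvalue.c in this same commit handles this with `With -pwdo or -pwdof, does ...`, and the same wording fits here. The new `[-pwdo ... -pwdof ...` line is also missing its closing `]`.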
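Review bot: `(void)ser_symkey_len;` immediately after `ser_symkey_len = ec;` only silences a set-but-unused warning; it does not resolve why the byte count the preceding call returns is never consumed. If nothing needs the length, delete the variable and the assignment rather than casting it away; if the serialized symmetric key is later copied or transmitted with a size computed elsewhere, this is the value that size should be checked against, and the cast hides that the check is missing. The same `(void)` is added again in the hunk at line 246, and both enclosing functions start and end outside the hunks.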
@@ -310,9 +312,9 @@ { NULL, (char) -1, POPT_ARG_INCLUDE_TABLE, NULL, 0, N_("\ -Usage: identity -pwdo <owner password> -la <label> [options]\n\ +Usage: identity -la <label> [options]\n\ + [-pwdo <owner password> -pwdof <owner authorization file name>\n\ \n\ - -pwdo pwd : The TPM owner password.\n\ -la label : Some label for the identity.\n\ -pwdk idpwd : A password for the identity.\n\ -pwds srkpwd : The password for the storage root key.\n\ @@ . patch -p0 <<'@@ .' Index: libtpm/libtpm/utils/keycontrol.c ============================================================================ $ cvs diff -u -r1.19 -r1.20 keycontrol.c --- libtpm/libtpm/utils/keycontrol.c 26 Sep 2013 16:34:09 -0000 1.19 +++ libtpm/libtpm/utils/keycontrol.c 28 Mar 2016 22:04:02 -0000 1.20 @@ -31,11 +31,12 @@ { NULL, (char)-1, POPT_ARG_INCLUDE_TABLE, NULL, 0, N_("\ Usage: keycontrol -pwdk <keypassword> -hk <key handle> -bn <bit name>\n\ - -bv <bit value> -pwdo <owner password>\n\n\ + -bv <bit value> \n\ + [-pwdo <owner password> -pwdof <owner authorization file name>\n\ +\n\ -hk key handle : handle of a loaded key; pass hex number\n\ -bn bit name : name of the bit to change; use hex number\n\ -bv bit value : 0 for false, 1 for true\n\ --pwdo owner password : the owner password\n\n\ "), NULL }, { NULL, '\0', POPT_ARG_INCLUDE_TABLE, rpmioAllPoptTable, 0, @@ . patch -p0 <<'@@ .' Index: libtpm/libtpm/utils/killmaintenancefeature.c ============================================================================ $ cvs diff -u -r1.14 -r1.15 killmaintenancefeature.c --- libtpm/libtpm/utils/killmaintenancefeature.c 26 Sep 2013 16:34:09 -0000 1.14 +++ libtpm/libtpm/utils/killmaintenancefeature.c 28 Mar 2016 22:04:02 -0000 1.15 
@@ -24,11 +24,11 @@ N_("\ Usage: killmaintenancefeature -pwdo <owner password> [-v]\n\ \n\ - -o pwd : the TPM owner password\n\ + -pwdo pwd : the TPM owner password\n\ -v : to enable verbose output\n\ \n\ Examples:\n\ -killmaintenancefeature -o aaa\n\ +killmaintenancefeature -pwdo aaa\n\ "), NULL }, { NULL, '\0', POPT_ARG_INCLUDE_TABLE, rpmioAllPoptTable, 0, @@ . patch -p0 <<'@@ .' Index: libtpm/libtpm/utils/loadownerdelegation.c ============================================================================ $ cvs diff -u -r1.18 -r1.19 loadownerdelegation.c --- libtpm/libtpm/utils/loadownerdelegation.c 26 Sep 2013 16:34:09 -0000 1.18 +++ libtpm/libtpm/utils/loadownerdelegation.c 28 Mar 2016 22:04:02 -0000 1.19 @@ -28,8 +28,11 @@ { NULL, (char)-1, POPT_ARG_INCLUDE_TABLE, NULL, 0, N_("\ Usage: loadownerdelegation -row index -if filename\n\ -\t[-pwdo owner password>] [-v]\n\ +\t[-pwdo <owner password> -pwdof <owner authorization file name>\n\ +\t[-v]\n\ +\n\ -pwdo : password of the TPM owner\n\ +-pwdof: authorization file of the TPM owner\n\ -row : delegate row index\n\ -if : owner delegation file name\n\ \n\ @@ . patch -p0 <<'@@ .' Index: libtpm/libtpm/utils/migrate.c ============================================================================ $ cvs diff -u -r1.21 -r1.22 migrate.c --- libtpm/libtpm/utils/migrate.c 26 Sep 2013 16:34:09 -0000 1.21 +++ libtpm/libtpm/utils/migrate.c 28 Mar 2016 22:04:02 -0000 1.22 
@@ -55,7 +55,9 @@ [-rewrap] [-v]\n\ -hp : parent key handle\n\ -pwdp : parent key password used for encryption\n\ --pwdo : TPM owner password\n" "-pwdm : migration password\n\ +-pwdo : TPM owner password\n\ +-pwdof : TPM owner authorization file name\n\ +-pwdm : migration password\n\ -im : file containing the migration key or\n\ -hm : handle of the migration key\n\ -pwdk : the password of the migration key\n\ @@ . patch -p0 <<'@@ .' Index: libtpm/libtpm/utils/nv_definespace.c ============================================================================ $ cvs diff -u -r1.13 -r1.14 nv_definespace.c --- libtpm/libtpm/utils/nv_definespace.c 26 Sep 2013 16:34:09 -0000 1.13 +++ libtpm/libtpm/utils/nv_definespace.c 28 Mar 2016 22:04:02 -0000 1.14 @@ -19,7 +19,8 @@ static void printUsage(void) { printf("usage: nv_definespace -in index -sz size\n" - "\t[-pwdo <owner password>] [-per permission] [-pwdd <area password>] [-v]\n" + "\t[-pwdo <owner password> -pwdof <owner authorization file name>\n" + "\t[-per permission] [-pwdd <area password>] [-v]\n" "\t[-ixr <pcr num> <digest> require PCR authorization for read]\n" "\t[-ixw <pcr num> <digest> require PCR authorization for write]\n" "\n" @@ . patch -p0 <<'@@ .' Index: libtpm/libtpm/utils/nv_readvalue.c ============================================================================ $ cvs diff -u -r1.22 -r1.23 nv_readvalue.c --- libtpm/libtpm/utils/nv_readvalue.c 26 Sep 2013 16:34:09 -0000 1.22 +++ libtpm/libtpm/utils/nv_readvalue.c 28 Mar 2016 22:04:02 -0000 1.23 
@@ -37,18 +37,21 @@ { NULL, (char) -1, POPT_ARG_INCLUDE_TABLE, NULL, 0, N_("\ -Usage: nv_readvalue -in index -sz size [-off offset] \n\ -\t[-pwdo <owner password>] [-pwdd <area password>] [-of <data file name>]\n\ +Usage: nv_readvalue -in index [-sz size -cert] [-off offset] \n\ +\t[-pwdo <owner password> -pwdof <owner authorization file name>]\ +\t[-pwdd <area password>] [-of <data file name>]\n\ \n\ -pwdo pwd : The TPM owner password.\n\ + -pwdof file : The TPM owner authorization file name.\n\ -in index : The index of the memory to use in hex.\n\ -sz size : The number of bytes to read.\n\ + -cert : The number of bytes is embedded in the certificate prefix.\n\ -off offset : The offset in memory where to start reading from (default 0)\n\ -pwdd password : The password for the memory area.\n\ -of file : File to store the read bytes.\n\ -ee num : Expected error number.\n\ \n\ -With -pwdo, does TPM_ReadValue\n\ +With -pwdo or -pwdof, does TPM_ReadValue\n\ With -pwdd, does TPM_ReadValueAuth\n\ With neither, does TPM_ReadValue with no authorization\n\ \n\ @@ . patch -p0 <<'@@ .' Index: libtpm/libtpm/utils/nv_writevalue.c ============================================================================ $ cvs diff -u -r1.17 -r1.18 nv_writevalue.c --- libtpm/libtpm/utils/nv_writevalue.c 26 Sep 2013 16:34:09 -0000 1.17 +++ libtpm/libtpm/utils/nv_writevalue.c 28 Mar 2016 22:04:02 -0000 1.18 
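Review bot: The new line `\t[-pwdo <owner password> -pwdof <owner authorization file name>]\` ends with the backslash continuation but no `\n`, so at runtime it is glued to the following `\t[-pwdd <area password>] [-of <data file name>]` text on a single output line; it should read `\t[-pwdo <owner password> -pwdof <owner authorization file name>]\n\`. In the synopsis, `[-sz size -cert]` groups the two as if both are given together, whereas the new `-cert : The number of bytes is embedded in the certificate prefix.` description implies `-cert` replaces `-sz`; `[-sz size | -cert]` says that.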
@@ -33,10 +33,13 @@ { NULL, (char) -1, POPT_ARG_INCLUDE_TABLE, NULL, 0, N_("\ -Usage: nv_writevalue -in index -ic data\n\ -\t[-pwdo <owner password>] [-pwdd <area password>] [-off offset]\n\ +Usage: nv_writevalue -in index -ic data -if file\n\ +\t[-pwdo <owner password> -pwdof <owner authorization file name>]\n\ +\t[-pwdd <area password>] [-off offset] [-cert]\n\ \n\ -pwdo pwd : The TPM owner password.\n\ + -ic data string : The data to write into the memory (default data length 0.\n\ + -if data file : The data to write into the memory (default data length 0.\n\ -in index : The index of the memory to use in hex.\n\ -ic data : The data to write into the memory (default data length 0.\n\ -off offset : The offset where to start writing (default 0).\n\ @@ -50,6 +53,7 @@ Examples:\n\ nv_writevalue -pwdo ooo -in 1 -ic Hello\n\ nv_writevalue -pwdd aaa -in 2 -ic Hello -off 5\n\ +nv_writevalue -pwdo ooo -in 1000f000 -if ekcert.cer -cert\n\ "), NULL}, { NULL, '\0', POPT_ARG_INCLUDE_TABLE, rpmioAllPoptTable, 0, @@ . patch -p0 <<'@@ .' Index: libtpm/libtpm/utils/ownerreadinternalpub.c ============================================================================ $ cvs diff -u -r1.19 -r1.20 ownerreadinternalpub.c --- libtpm/libtpm/utils/ownerreadinternalpub.c 26 Sep 2013 16:34:09 -0000 1.19 +++ libtpm/libtpm/utils/ownerreadinternalpub.c 28 Mar 2016 22:04:02 -0000 1.20 @@ -26,7 +26,8 @@ { NULL, (char)-1, POPT_ARG_INCLUDE_TABLE, NULL, 0, N_("\ -Usage: ownerreadinternalpub [Options] -hk <keyhandle> -of <filename> -pwdo <owner password>\n\ +Usage: ownerreadinternalpub [Options] -hk <keyhandle> -of <filename>\n\ + [-pwdo <owner password> -pwdof <owner authorization file name>\n\ \n\ Reads the internally held public key protion of either the endorsement\n\ key or the storage root key. The handle of the endorsement key is 0x40000006\n\ 
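Review bot: The option list now describes `-ic` twice: the new `-ic data string : ...` line is added while the old `-ic data : The data to write into the memory (default data length 0.` context line is kept, so one of them should go. The synopsis `nv_writevalue -in index -ic data -if file` shows both input flags as required, but the new example `-if ekcert.cer -cert` uses only `-if`; if they are alternatives, write `(-ic data | -if file)`. `-cert` gets an example but no entry in the list; a line such as `-cert : the data carries the certificate length prefix` would tell users what it changes on the write side, assuming it mirrors the `-cert` description in nv_readvalue.c, as the writing code is outside this hunk.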
@@ -50,7 +51,6 @@ { rpmtpm tpm = rpmtpmNew(argc, argv, optionsTable, 0); int ec = -1; /* assume failure */ - uint32_t xx; STACK_TPM_BUFFER(keybuf); keydata k; @@ -65,8 +65,10 @@ if (ec) goto exit; - xx = rpmtpmErr(tpm, "WriteKeyPub", ERR_MASK, + ec = rpmtpmErr(tpm, "WriteKeyPub", ERR_MASK, TPM_WriteKeyPub(&keybuf, &k)); + if (ec) + goto exit; ec = rpmtpmErr(tpm, "WriteFile", 0, TPM_WriteFile(tpm->ofn, keybuf.buffer, keybuf.used)); @@ . patch -p0 <<'@@ .' Index: libtpm/libtpm/utils/ownersetdisable.c ============================================================================ $ cvs diff -u -r1.14 -r1.15 ownersetdisable.c --- libtpm/libtpm/utils/ownersetdisable.c 26 Sep 2013 16:34:09 -0000 1.14 +++ libtpm/libtpm/utils/ownersetdisable.c 28 Mar 2016 22:04:02 -0000 1.15 @@ -24,7 +24,8 @@ { NULL, (char)-1, POPT_ARG_INCLUDE_TABLE, NULL, 0, N_("\ -Usage: ownersetdisable -pwdo <owner password> [-en]\n\ +Usage: ownersetdisable [-en]\n\ +[-pwdo <owner password> -pwdof <owner authorization file name>\n\ \n\ -pwdo pwd : the TPM owner password\n\ -en : to set the TPM into 'enable' state (default disable)\n\ @@ . patch -p0 <<'@@ .' Index: libtpm/libtpm/utils/quote.c ============================================================================ $ cvs diff -u -r1.15 -r1.16 quote.c --- libtpm/libtpm/utils/quote.c 26 Sep 2013 16:34:09 -0000 1.15 +++ libtpm/libtpm/utils/quote.c 28 Mar 2016 22:04:02 -0000 1.16 
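Review bot: The new `if (ec) goto exit;` after `ec = rpmtpmErr(tpm, "WriteKeyPub", ERR_MASK, TPM_WriteKeyPub(&keybuf, &k));` depends on what `rpmtpmErr` returns for a call with a non-zero mask. `TPM_WriteKeyPub` serializes the key into `keybuf`, and if, like the call in identity.c whose result this commit stores in `ser_symkey_len` after testing `if (ec & ERR_MASK)`, it returns the byte count on success, an unmasked return would make every successful call take the exit path and the public key would never reach `tpm->ofn`. Either test `if (ec & ERR_MASK) goto exit;` here as well, or confirm that `rpmtpmErr` with `ERR_MASK` yields only the masked error bits. Checking the result at all is an improvement over the previously discarded `xx`.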
@@ -28,7 +28,11 @@ { NULL, (char) -1, POPT_ARG_INCLUDE_TABLE, NULL, 0, N_("\ -Usage: quote -hk <key handle in hex> -bm <pcr mask in hex> [-pwdk <key password>]\n\ +Usage: quote\n\ +-hk <key handle in hex>\n\ +-bm <pcr mask in hex>\n\ +[-pwdk <key password>]\n\ +[-cert <key certificate to verify the quote signature]\n\ \n\ "), NULL}, @@ . patch -p0 <<'@@ .' Index: libtpm/libtpm/utils/resetlockvalue.c ============================================================================ $ cvs diff -u -r1.12 -r1.13 resetlockvalue.c --- libtpm/libtpm/utils/resetlockvalue.c 26 Sep 2013 16:34:09 -0000 1.12 +++ libtpm/libtpm/utils/resetlockvalue.c 28 Mar 2016 22:04:02 -0000 1.13 @@ -22,7 +22,8 @@ { NULL, (char)-1, POPT_ARG_INCLUDE_TABLE, NULL, 0, N_("\ -Usage: resetlockvalue -pwdo <owner password>\n\ +Usage: resetlockvalue\n\ + [-pwdo <owner password> -pwdof <owner authorization file name>\n\ \n\ -h help\n\ "), NULL }, @@ . patch -p0 <<'@@ .' Index: libtpm/libtpm/utils/setcapability.c ============================================================================ $ cvs diff -u -r1.14 -r1.15 setcapability.c --- libtpm/libtpm/utils/setcapability.c 26 Sep 2013 16:34:09 -0000 1.14 +++ libtpm/libtpm/utils/setcapability.c 28 Mar 2016 22:04:02 -0000 1.15 @@ -134,7 +134,7 @@ Usage: setcapability [options] <capability (hex)> <sub cap (hex)> <value (hex)>\n\ \n\ Possible options are:\n\ - -pwdo : password of the TPM owner\n\ + [-pwdo <owner password> -pwdof <owner authorization file name>\n\ "), NULL }, { NULL, '\0', POPT_ARG_INCLUDE_TABLE, rpmioAllPoptTable, 0, @@ . patch -p0 <<'@@ .' Index: libtpm/libtpm/utils/takeown.c ============================================================================ $ cvs diff -u -r1.20 -r1.21 takeown.c --- libtpm/libtpm/utils/takeown.c 26 Sep 2013 16:34:10 -0000 1.20 +++ libtpm/libtpm/utils/takeown.c 28 Mar 2016 22:04:02 -0000 1.21 
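Review bot: The new usage line `[-cert <key certificate to verify the quote signature]` never closes the angle bracket, so the placeholder runs into the `]`; it should read `[-cert <key certificate to verify the quote signature>]`. The text also does not say what kind of file `-cert` expects or what is compared against it, which a user verifying a quote needs to know; state the expected format if the code, which is outside this hunk, fixes it.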
@@ -33,7 +33,8 @@ { NULL, (char)-1, POPT_ARG_INCLUDE_TABLE, NULL, 0, N_("\ -Usage: takeown [-v12] [-sz keysize] -pwdo <owner password> \n\ +Usage: takeown [-v12] [-sz keylen]\n\ + [-pwdo <owner password> -pwdof <owner authorization file name>\n\ [-pwds <storage root key password>]\n\ [-ix <pcr num> <digest> PCR authorization for SRK]\n\ \tOmitting -pwds sets the SRK auth to all zeros\n\ @@ . patch -p0 <<'@@ .' Index: libtpm/libtpm/utils/updateverification.c ============================================================================ $ cvs diff -u -r1.19 -r1.20 updateverification.c --- libtpm/libtpm/utils/updateverification.c 26 Sep 2013 16:34:10 -0000 1.19 +++ libtpm/libtpm/utils/updateverification.c 28 Mar 2016 22:04:02 -0000 1.20 @@ -30,9 +30,9 @@ Usage: updateverification -if input-file -of output-file\n\ \t[-pwdo owner password>] [-v] \n\ \n\ --pwdo : password of the TPM owner\n\ --if : current delegation file\n\ --of : new delegation file\n\n\ +\t[-pwdo <owner password> -pwdof <owner authorization file name>\n\ +\t-if : current delegation file\n\ +\t-of : new delegation file\n\n\ "), NULL }, { NULL, '\0', POPT_ARG_INCLUDE_TABLE, rpmioAllPoptTable, 0, @@ . ______________________________________________________________________ RPM Package Manager http://rpm5.org CVS Sources Repository rpm-cvs@rpm5.org
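Review bot: The unchanged synopsis line above, `\t[-pwdo owner password>] [-v]`, still carries the stray `>` and says nothing about `-pwdof`, while the new bracketed `[-pwdo ... -pwdof ...` line is placed in the option list where a `-flag : meaning` entry is expected, and again lacks its closing `]`. Move the bracketed form into the synopsis as `\t[-pwdo <owner password> -pwdof <owner authorization file name>] [-v]\n\` and describe the two flags in the list the way loadownerdelegation.c does in this commit, `-pwdo : password of the TPM owner` and `-pwdof: authorization file of the TPM owner`.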