RPM Package Manager, CVS Repository
  http://rpm5.org/cvs/
  ____________________________________________________________________________

  Server: rpm5.org                         Name:   Jeff Johnson
  Root:   /v/rpm/cvs                       Email:  j...@rpm5.org
  Module: libtpm                           Date:   29-Mar-2016 00:04:03
  Branch: HEAD                             Handle: 2016032822040101

  Modified files:
    libtpm                  CHANGELOG configure.ac
    libtpm/libtpm           Makefile.am
    libtpm/libtpm/utils     .cvsignore Makefile.am activateidentity.c
                            chgtpmauth.c clearown.c counter_create.c
                            counter_release.c createownerdelegation.c
                            delegatemanage.c dirwrite.c disableownerclear.c
                            disablepubek.c enableaudit.c
                            getauditdigestsigned.c getpubek.c identity.c
                            keycontrol.c killmaintenancefeature.c
                            loadownerdelegation.c migrate.c nv_definespace.c
                            nv_readvalue.c nv_writevalue.c
                            ownerreadinternalpub.c ownersetdisable.c quote.c
                            resetlockvalue.c setcapability.c takeown.c
                            updateverification.c

  Log:
    - sanity.

  Summary:
    Revision    Changes     Path
    1.2         +45 -2      libtpm/CHANGELOG
    1.6         +3  -3      libtpm/configure.ac
    1.4         +1  -1      libtpm/libtpm/Makefile.am
    1.3         +1  -0      libtpm/libtpm/utils/.cvsignore
    1.8         +3  -1      libtpm/libtpm/utils/Makefile.am
    1.2         +233 -371   libtpm/libtpm/utils/activateidentity.c
    1.15        +3  -1      libtpm/libtpm/utils/chgtpmauth.c
    1.13        +2  -1      libtpm/libtpm/utils/clearown.c
    1.16        +1  -0      libtpm/libtpm/utils/counter_create.c
    1.18        +6  -3      libtpm/libtpm/utils/counter_release.c
    1.21        +3  -1      libtpm/libtpm/utils/createownerdelegation.c
    1.16        +2  -1      libtpm/libtpm/utils/delegatemanage.c
    1.14        +1  -1      libtpm/libtpm/utils/dirwrite.c
    1.16        +1  -1      libtpm/libtpm/utils/disableownerclear.c
    1.13        +2  -1      libtpm/libtpm/utils/disablepubek.c
    1.15        +4  -3      libtpm/libtpm/utils/enableaudit.c
    1.16        +0  -3      libtpm/libtpm/utils/getauditdigestsigned.c
    1.14        +2  -1      libtpm/libtpm/utils/getpubek.c
    1.24        +4  -2      libtpm/libtpm/utils/identity.c
    1.20        +3  -2      libtpm/libtpm/utils/keycontrol.c
    1.15        +2  -2      libtpm/libtpm/utils/killmaintenancefeature.c
    1.19        +4  -1      libtpm/libtpm/utils/loadownerdelegation.c
    1.22        +3  -1      libtpm/libtpm/utils/migrate.c
    1.14        +2  -1      libtpm/libtpm/utils/nv_definespace.c
    1.23        +6  -3      libtpm/libtpm/utils/nv_readvalue.c
    1.18        +6  -2      libtpm/libtpm/utils/nv_writevalue.c
    1.20        +5  -3      libtpm/libtpm/utils/ownerreadinternalpub.c
    1.15        +2  -1      libtpm/libtpm/utils/ownersetdisable.c
    1.16        +5  -1      libtpm/libtpm/utils/quote.c
    1.13        +2  -1      libtpm/libtpm/utils/resetlockvalue.c
    1.15        +1  -1      libtpm/libtpm/utils/setcapability.c
    1.21        +2  -1      libtpm/libtpm/utils/takeown.c
    1.20        +3  -3      libtpm/libtpm/utils/updateverification.c
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: libtpm/CHANGELOG
  ============================================================================
  $ cvs diff -u -r1.1.1.1 -r1.2 CHANGELOG
  --- libtpm/CHANGELOG  27 Aug 2013 20:20:51 -0000      1.1.1.1
  +++ libtpm/CHANGELOG  28 Mar 2016 22:04:01 -0000      1.2
  @@ -1,7 +1,7 @@
                        TPM Change Log
                     Written by Ken Goldman
                       IBM Thomas J. Watson Research Center
  -           $Id: CHANGELOG 4657 2011-12-22 22:26:12Z kgoldman $
  +           $Id: CHANGELOG 4717 2013-12-26 14:51:00Z kgoldman $
   
   (c) Copyright IBM Corporation 2010:
   
  @@ -36,8 +36,51 @@
   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  +Changes from 4665 to current
   
  -Changes from 4078 to current
  +Major
  +____
  +
  +TPM
  +- - -
  +
  +Don't use physical presence flag if CMD enable is false
  +
  +Utilities:
  +- - - - -
  +
  +mv_writevalue
  +     added write from file
  +     added write with certificate prefix
  +nv_readvalue
  +     added read to file
  +     added read to strip certificate prefix
  +separated activateidentity and makeidentity
  +added option to activateidentity to read and decrypt AIK certificate with 
symmetric key
  +added quote option to validate against certificate
  +create revokable EK used wrong encryption algorithm
  +takeown, counter, delegation, migration accept ownerAuth from file
  +added tpm_proxy for Windows 7
  +
  +Minor
  +-----
  +
  +TPM:
  +- - -
  +
  +Fixed debug print plus some style errors reported by Coverity
  +
  +Utilities:
  +- - - - -
  +
  +Skip exponent tests for HW TPM
  +When setting CMD physical presence, permit error setting CMD enable because 
  +     lifetime lock may be set
  +
  +
  +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  +
  +Changes from 4078 to 4665
   
   Major
   ____
  @@ .
  patch -p0 <<'@@ .'
  Index: libtpm/configure.ac
  ============================================================================
  $ cvs diff -u -r1.5 -r1.6 configure.ac
  --- libtpm/configure.ac       13 Aug 2014 18:09:13 -0000      1.5
  +++ libtpm/configure.ac       28 Mar 2016 22:04:01 -0000      1.6
  @@ -30,7 +30,7 @@
   dnl (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
   dnl OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   
  -dnl $Id: configure.ac,v 1.5 2014/08/13 18:09:13 jbj Exp $
  +dnl $Id: configure.ac,v 1.6 2016/03/28 22:04:01 jbj Exp $
   
   dnl Process this file with autoconf to produce a configure script.
   
  @@ -274,8 +274,8 @@
       [yes,external:internal:none], [../popt],
       [ if test ".$RPM_CHECK_LIB_LOCATION" = .internal; then
            WITH_LIBTPM_UTILS_SUBDIR="# utils"
  -         RPMIO_LDADD="../rpmio/librpmio.la ../misc/librpmmisc.la"
  -         RPMIO_CFLAGS="-I../rpmio"
  +         RPMIO_LDADD="$(top_builddir)/rpmio/librpmio.la 
$(top_builddir)/misc/librpmmisc.la"
  +         RPMIO_CFLAGS="-I$(top_srcdir)/rpmio"
         fi
       ], [])
   AC_SUBST(WITH_LIBTPM_UTILS_SUBDIR)
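Review bot: The added assignments `RPMIO_LDADD="$(top_builddir)/rpmio/librpmio.la …"` and `RPMIO_CFLAGS="-I$(top_srcdir)/rpmio"` are double-quoted shell strings emitted into configure, so at configure time the shell treats `$(top_builddir)` and `$(top_srcdir)` as command substitutions rather than leaving them as make variable references, unless an outer quoting level not visible in this hunk prevents that. The substituted `@RPMIO_LDADD@` would then carry an empty prefix (plus a "command not found" on stderr) instead of the intended `$(top_builddir)` path. Single quotes keep the make-time reference verbatim: `RPMIO_LDADD='$(top_builddir)/rpmio/librpmio.la $(top_builddir)/misc/librpmmisc.la'` and `RPMIO_CFLAGS='-I$(top_srcdir)/rpmio'`.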
  @@ .
  patch -p0 <<'@@ .'
  Index: libtpm/libtpm/Makefile.am
  ============================================================================
  $ cvs diff -u -r1.3 -r1.4 Makefile.am
  --- libtpm/libtpm/Makefile.am 13 Aug 2014 18:09:13 -0000      1.3
  +++ libtpm/libtpm/Makefile.am 28 Mar 2016 22:04:02 -0000      1.4
  @@ -1,6 +1,6 @@
   
#################################################################################
   # Makefile for libtpm top directory                                          
#
  -# $Id: Makefile.am 4261 2011-01-05 16:47:20Z stefanb $                       
        #
  +# $Id: Makefile.am 4702 2013-01-03 21:26:29Z kgoldman $                      
        #
   
################################################################################
   
   EXTRA_DIST =
  @@ .
  patch -p0 <<'@@ .'
  Index: libtpm/libtpm/utils/.cvsignore
  ============================================================================
  $ cvs diff -u -r1.2 -r1.3 .cvsignore
  --- libtpm/libtpm/utils/.cvsignore    3 Sep 2013 09:43:32 -0000       1.2
  +++ libtpm/libtpm/utils/.cvsignore    28 Mar 2016 22:04:02 -0000      1.3
  @@ -2,6 +2,7 @@
   .libs
   Makefile
   Makefile.in
  +activateidentity
   bindfile
   calcfuturepcr
   certifykey
  @@ .
  patch -p0 <<'@@ .'
  Index: libtpm/libtpm/utils/Makefile.am
  ============================================================================
  $ cvs diff -u -r1.7 -r1.8 Makefile.am
  --- libtpm/libtpm/utils/Makefile.am   13 Aug 2014 18:09:13 -0000      1.7
  +++ libtpm/libtpm/utils/Makefile.am   28 Mar 2016 22:04:02 -0000      1.8
  @@ -7,7 +7,7 @@
   
   LDADD = \
        $(top_builddir)/libtpm/lib/.libs/libtpm.a \
  -     @RPMIO_LIBS@ \
  +     @RPMIO_LDADD@ \
        @UDXTK_LD_PATHS@ @UDXTK_LD_LIBS@ \
        @LIBTPMS_LIBRARY_PATH@ @LIBTPMS_LIBRARY@
   
  @@ -47,6 +47,7 @@
        unixiotest.c
   
   bin_PROGRAMS = \
  +     activateidentity \
        bindfile \
        calcfuturepcr \
        certifykey \
  @@ -161,6 +162,7 @@
   bin_PROGRAMS +=      tis_test
   endif
   
  +activateidentity_SOURCES =   activateidentity.c
   bindfile_SOURCES =           bindfile.c
   calcfuturepcr_SOURCES =              calcfuturepcr.c
   certifykey_SOURCES =         certifykey.c
  @@ .
  patch -p0 <<'@@ .'
  Index: libtpm/libtpm/utils/activateidentity.c
  ============================================================================
  $ cvs diff -u -r1.1 -r1.2 activateidentity.c
  --- libtpm/libtpm/utils/activateidentity.c    6 May 2015 19:14:26 -0000       
1.1
  +++ libtpm/libtpm/utils/activateidentity.c    28 Mar 2016 22:04:02 -0000      
1.2
  @@ -3,66 +3,28 @@
   /*                        Activate Identity                                  
*/
   /*                        Written by Ken Goldman                             
*/
   /*                  IBM Thomas J. Watson Research Center                     
*/
  -/*         $Id: activateidentity.c,v 1.1 2015/05/06 19:14:26 jbj Exp $       
*/
  -/*                                                                           
*/
  -/* (c) Copyright IBM Corporation 2012.                                       
        */
  -/*                                                                           
*/
  -/* All rights reserved.                                                      
        */
  -/*                                                                           
*/
  -/* Redistribution and use in source and binary forms, with or without        
        */
  -/* modification, are permitted provided that the following conditions are    
*/
  -/* met:                                                                      
        */
  -/*                                                                           
*/
  -/* Redistributions of source code must retain the above copyright notice,    
*/
  -/* this list of conditions and the following disclaimer.                     
*/
  -/*                                                                           
*/
  -/* Redistributions in binary form must reproduce the above copyright         
*/
  -/* notice, this list of conditions and the following disclaimer in the       
        */
  -/* documentation and/or other materials provided with the distribution.      
        */
  -/*                                                                           
*/
  -/* Neither the names of the IBM Corporation nor the names of its             
*/
  -/* contributors may be used to endorse or promote products derived from      
        */
  -/* this software without specific prior written permission.                  
*/
  -/*                                                                           
*/
  -/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS       
        */
  -/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT         
*/
  -/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR     
*/
  -/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT      
        */
  -/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,    
*/
  -/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT          
*/
  -/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,     
*/
  -/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY     
*/
  -/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT       
        */
  -/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE     
*/
  -/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.      
        */
  +/*         $Id: activateidentity.c,v 1.2 2016/03/28 22:04:02 jbj Exp $       
*/
   
/********************************************************************************/
   
  -#include <stdio.h>
  -#include <stdlib.h>
  -#include <string.h>
  -#include <unistd.h>
  -
  -#ifdef TPM_POSIX
  -#include <netinet/in.h>
  -#endif
  -#ifdef TPM_WINDOWS
  -#include <winsock2.h>
  -#endif
  +#include "copyright.h" 
  +  
  +#include "system.h"
  +
  +#include <tpmfunc.h>
  +  
  +#define _RPMTPM_INTERNAL
  +#include <rpmtpm.h>
   
   #include <openssl/rsa.h>
   #include <openssl/pem.h>
   #include <openssl/evp.h>
   
  -#include "tpm.h"
  -#include "tpmutil.h"
  -#include "tpmfunc.h"
  -#include "tpm_constants.h"
  -#include "tpm_structures.h"
  -#include "tpm_error.h"
  +#include "debug.h"
   
   /* AES requires data lengths that are a multiple of the block size */
   #define AES_BITS 128
   
  +/* FIXME move to library */
   int Ossl_AES_Decrypt(unsigned char **decrypt_data,
                     uint32_t *decrypt_length,
                     const unsigned char *encrypt_data,
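Review bot: The added include block carries trailing whitespace: `#include "copyright.h" ` ends with a space and two of the new blank lines contain only spaces. Trim them so the block reads `#include "copyright.h"` followed by a clean blank line; the rest of the header rewrite is fine as far as this hunk shows.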
  @@ -70,283 +32,6 @@
                     const unsigned char *initialization_vector,
                     const unsigned char *aes_key);
   
  -/* local prototypes */
  -
  -static void PrintUsage() {
  -    printf("activateidentity activates the identity blob agains the loaded 
AIK\n"
  -        "It optionally outputs the symmetric key.  If the AIK certificate is 
supplied, "
  -        "it is decrypted with the symmetric key");
  -    printf("\n");
  -    printf("\n");
  -    printf("Usage: activateidentity-hk keyhandle -pwdo <owner password>\n"
  -        "\t-if identity blob[options]\n");
  -    printf("\n");
  -    printf("Inputs\n");
  -    printf(" -hk <keyhandle>   AIK key handle in hex\n");
  -    printf(" -pwdo pwd     : The TPM owner password\n");
  -    printf(" [-pwdk idpwd  : A password for the identity]\n");
  -    printf(" -if filename  : the filename of the identity blob\n");
  -    printf(" [-aikcertenc  : Encrypted AIK certificate]\n");
  -    printf("Outputs\n");
  -    printf(" [-ok filename : Symmetric key file name]\n");
  -    printf(" [-aikcert     : AIK certificate (DER)\n]");
  -    printf(" [-v           : to enable verbose output]\n");
  -    printf(" [-h           : usage help]\n");
  -    printf("\n");
  -    printf("Examples:\n");
  -    exit(-1);
  -}
  -
  -int main(int argc, char * argv[])
  -{
  -    uint32_t ret = 0;
  -
  -    /* command line parameters */
  -    const char *blobFilename = NULL;         /* input EK blob */
  -    const char *aikPassword = NULL;          /* AIK password */
  -    const char *ownerPassword = NULL;                /* owner password */
  -    const char *keyFilename = NULL;           /* output symmetric key */
  -    const char *aikCertificateFileName = NULL;
  -    const char *aikCertificateEncFileName = NULL;
  -    int verbose = FALSE;
  -
  -    
  -    unsigned char usagehash[20];     /* hash of aikPassword if supplied */   
  -    unsigned char * usageAuth = NULL;        /* AIK usageAuth */
  -    unsigned char ownerHash[20];
  -    unsigned char * ownerAuth = NULL;
  -    uint32_t aikHandle = 0;          /* IAK key handle */
  -    unsigned char *blobData = NULL;  /* blob to be activated, free @1 */
  -    uint32_t blobSize;
  -
  -    
  -    STACK_TPM_BUFFER(returnbuffer);  /* decrypted symmetric key */   
  -    TPM_SYMMETRIC_KEY retkey;                /* decrypted symmetric key */   
  -    
  -
  -    int i = 0;
  -
  -    i = 1;
  -     
  -    TPM_setlog(0);
  -     
  -    for (i=1 ; i<argc ; i++) {
  -       if (strcmp(argv[i],"-hk") == 0) {
  -        i++;
  -        if (i < argc) {
  -            /* convert key handle from hex */
  -            if (1 != sscanf(argv[i], "%x", &aikHandle )) {
  -                printf("Invalid -hk argument '%s'\n",argv[i]);
  -                exit(2);
  -            }
  -            if (aikHandle == 0) {
  -                printf("Invalid -hk argument '%s'\n",argv[i]);
  -                exit(2);
  -            }                 
  -        }
  -        else {
  -            printf("-hk option needs a value\n");
  -            PrintUsage();
  -        }
  -       }
  -       else if (!strcmp("-pwdo",argv[i])) {
  -         i++;
  -         if (i < argc) {
  -             ownerPassword = argv[i];
  -         } else {
  -             printf("Missing parameter for -pwdo.\n");
  -             PrintUsage();
  -         }
  -     }
  -     else if (!strcmp("-pwdk",argv[i])) {
  -         i++;
  -         if (i < argc) {
  -             aikPassword = argv[i];
  -         } else {
  -             printf("Missing parameter for -pwdk.\n");
  -             PrintUsage();
  -         }
  -     }
  -     else if (!strcmp("-if",argv[i])) {
  -         i++;
  -         if (i < argc) {
  -             blobFilename = argv[i];
  -         } else {
  -             printf("Missing parameter for -if.\n");
  -             PrintUsage();
  -         }
  -     }
  -     else if (!strcmp("-ok",argv[i])) {
  -         i++;
  -         if (i < argc) {
  -             keyFilename = argv[i];
  -         }
  -         else {
  -             printf("Missing parameter for -ok\n");
  -             PrintUsage();
  -         }
  -     }
  -     else if (strcmp(argv[i],"-aikcert") == 0) {
  -         i++;
  -         if (i < argc) {
  -             aikCertificateFileName = argv[i];
  -         }
  -         else {
  -             printf("ERROR1007: -aikcert option needs a value\n");
  -             PrintUsage();
  -         }
  -     }
  -     else if (strcmp(argv[i],"-aikcertenc") == 0) {
  -         i++;
  -         if (i < argc) {
  -             aikCertificateEncFileName = argv[i];
  -         }
  -         else {
  -             printf("ERROR1007: -aikcertenc option needs a value\n");
  -             PrintUsage();
  -         }
  -     }
  -     else if (!strcmp("-ok",argv[i])) {
  -         i++;
  -         if (i < argc) {
  -             keyFilename = argv[i];
  -         }
  -         else {
  -             printf("Missing parameter for -ok\n");
  -             PrintUsage();
  -         }
  -     }
  -     else if (!strcmp("-v",argv[i])) {
  -         TPM_setlog(1);
  -         verbose = TRUE;
  -     }
  -     else if (!strcmp("-h",argv[i])) {
  -         PrintUsage();
  -     }
  -     else {
  -         printf("\n%s is not a valid option\n", argv[i]);
  -         PrintUsage();
  -     }
  -    }
  -    /* validate command line arguments */
  -    if (aikHandle == 0) {
  -     printf("Missing AIK handle\n");
  -     PrintUsage();
  -    }
  -    if (ownerPassword == NULL) {
  -     printf("Missing owner password.\n");
  -     PrintUsage();
  -    }
  -    if (blobFilename == NULL) {
  -     printf("Missing input file name\n");
  -    }
  -    if ((aikCertificateEncFileName == NULL) && (aikCertificateFileName != 
NULL)) {
  -     printf("AIK certificate output requires encrypted AIK certificate 
input\n");
  -    }
  -    
  -    /* calculate ownerAuth */
  -    if (ownerPassword != NULL) {
  -     TSS_sha1((char *)ownerPassword, strlen(ownerPassword), ownerHash);
  -     ownerAuth = ownerHash;
  -    } else {
  -     ownerAuth = NULL;
  -    }
  -    /* calculate usageAuth */
  -    if (aikPassword != NULL) {
  -     TSS_sha1((char *)aikPassword, strlen(aikPassword), usagehash);
  -     usageAuth = usagehash;
  -    } else {
  -     usageAuth = NULL;
  -    }
  -    /* read the blob */
  -    if (ret == 0) {
  -     ret = TPM_ReadFile(blobFilename,
  -                        &blobData, &blobSize);       /* freed @1 */
  -     if ( (ret & ERR_MASK) != 0) {
  -         printf("Error while reading blob file.\n");
  -         ret = -1;
  -     }
  -    }
  -    /*
  -     * Activate the identity.
  -     */
  -    if (ret == 0) {
  -     ret = TPM_ActivateIdentity(aikHandle,
  -                                blobData, blobSize,
  -                                usageAuth,
  -                                ownerAuth,
  -                                &returnbuffer);
  -     if (ret != 0) {
  -         printf("ActivateIdentity returned error '%s' (0x%x).\n",
  -                TPM_GetErrMsg(ret),
  -                ret);
  -     }
  -    }
  -    if (ret == 0) {
  -     if (verbose) printf("Successfully activated the identity.\n");
  -     ret = TPM_ReadSymmetricKey(&returnbuffer,
  -                                0,
  -                                &retkey);
  -     if (ret & ERR_MASK) {
  -         printf("TPM_ReadSymmetricKey returned error '%s' (0x%x).\n",
  -                TPM_GetErrMsg(ret),
  -                ret);
  -     }
  -     else {
  -         ret = 0;
  -     }
  -    }
  -    if ((ret == 0) && verbose) {
  -     uint32_t j = 0;
  -     printf("Received the following symmetric key:\n");
  -     printf("algId     : 0x%x\n",(uint32_t)retkey.algId);
  -     printf("encScheme : 0x%x\n",(uint32_t)retkey.encScheme);
  -     printf("data      : ");
  -     while (j < retkey.size) {
  -         printf("%02X ",retkey.data[j]);
  -         j++;
  -     }
  -     printf("\n");
  -    }
  -    /* optionally write the symmetric key to a file */
  -    if ((ret == 0) && (keyFilename != NULL)) {
  -     ret = TPM_WriteFile(keyFilename , retkey.data, retkey.size);
  -    }
  -
  -    unsigned char *aikCertificate = NULL;    /* freed @6 */
  -    uint32_t aikCertificateLength;
  -    unsigned char *aikCertificateEnc = NULL; /* freed @7 */
  -    uint32_t aikCertificateEncLength;
  -    unsigned char initializationVector[16];
  -
  -
  -    /* optionally decrypt the AIK certificate */
  -    if ((ret == 0) && (aikCertificateEncFileName != NULL)) {
  -     ret = TPM_ReadFile(aikCertificateEncFileName,
  -                        &aikCertificateEnc,  /* freed @6 */
  -                        &aikCertificateEncLength);
  -    }
  -    if ((ret == 0) && (aikCertificateEncFileName != NULL)) {
  -     memset(initializationVector, 0, sizeof(initializationVector));
  -     ret = Ossl_AES_Decrypt(&aikCertificate, &aikCertificateLength,  /* 
freed @7 */
  -                            aikCertificateEnc, aikCertificateEncLength,
  -                            initializationVector,
  -                            retkey.data);
  -    }
  -    /* optionally write the AIK certificate */
  -    if ((ret == 0) && (aikCertificateFileName != NULL)) {
  -     ret = TPM_WriteFile(aikCertificateFileName,
  -                         aikCertificate ,
  -                         aikCertificateLength);
  -    }
  -    free(blobData);                  /* @1 */
  -    free(aikCertificate);            /* @6 */ 
  -    free(aikCertificateEnc);         /* @7 */ 
  -    return ret;
  -}
  -
  -/* FIXME move to library */
  -
   /* Ossl_AES_Decrypt() is AES non-portable code to decrypt 'encrypt_data' to
      'decrypt_data'
   
  @@ -362,37 +47,30 @@
                     const unsigned char *initialization_vector,        /* 
input */
                     const unsigned char *aes_key)                      /* 
input */
   {
  -    int              rc = 0;
       size_t           pad_length;
       unsigned int     i;
       unsigned char       *pad_data;
       AES_KEY          aes_dec_key;
  -    unsigned char       ivec[AES_BLOCK_SIZE];       /* initial chaining 
vector */
  +    int rc = -1;     /* assume failure */
  +    int xx;
      
  -    if (rc == 0) {
  -     rc = AES_set_decrypt_key(aes_key,
  -                              AES_BITS,
  -                              &aes_dec_key);
  -     if (rc != 0) {
  -         rc = -1;
  -     }
  -    }
  +    xx = AES_set_decrypt_key(aes_key, AES_BITS, &aes_dec_key);
  +    if (xx != 0)
  +     goto exit;
  +
       /* sanity check encrypted length */
  -    if (rc == 0) {
  -        if (encrypt_length < AES_BLOCK_SIZE) {
  -            printf("Ossl_AES_Decrypt: Error, bad length\n");
  -            rc = -1;
  -        }
  +    if (encrypt_length < AES_BLOCK_SIZE) {
  +     printf("Ossl_AES_Decrypt: Error, bad length\n");
  +     goto exit;
       }
  +
       /* allocate memory for the padded decrypted data */
  -    if (rc == 0) {
  -     *decrypt_data = malloc(encrypt_length);
  -     if (*decrypt_data == NULL) {
  -         rc = -1;
  -     }
  -    }
  +    *decrypt_data = malloc(encrypt_length);
  +    if (*decrypt_data == NULL)
  +      goto exit;
  +
       /* decrypt the input to the padded output */
  -    if (rc == 0) {
  +    {        unsigned char ivec[AES_BLOCK_SIZE];
        /* make a copy of the initialization vector */
        memcpy(ivec, initialization_vector, sizeof(ivec));
        /* decrypt the padded input to the output */
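Review bot: The length sanity check only rejects inputs shorter than one block, so an `encrypt_length` that is not a multiple of AES_BLOCK_SIZE still reaches AES_cbc_encrypt and the pad check that follows in the next hunk with a trailing partial block; `if (encrypt_length < AES_BLOCK_SIZE || (encrypt_length % AES_BLOCK_SIZE) != 0)` makes the CBC precondition explicit. Separately, once `*decrypt_data = malloc(encrypt_length)` has succeeded, every later `goto exit` on a pad error returns -1 with that buffer still allocated and no caller told to free it; releasing it at the label, `if (rc != 0) { free(*decrypt_data); *decrypt_data = NULL; }`, gives callers a single ownership rule. The body of Ossl_AES_Decrypt continues past the end of this hunk.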
  @@ -403,32 +81,216 @@
                        ivec,
                           AES_DECRYPT);
       }
  -    /* get the pad length */
  -    if (rc == 0) {
  -        /* get the pad length from the last byte */
  -        pad_length = (size_t)*(*decrypt_data + encrypt_length - 1);
  -        /* sanity check the pad length */
  -        if ((pad_length == 0) ||
  -            (pad_length > AES_BLOCK_SIZE)) {
  -            printf("Ossl_AES_Decrypt: Error, illegal pad length\n");
  -            rc = -1;
  -        }
  -    }
  -    if (rc == 0) {
  -        /* get the unpadded length */
  -        *decrypt_length = encrypt_length - pad_length;
  -        /* pad starting point */
  -        pad_data = *decrypt_data + *decrypt_length;
  -        /* sanity check the pad */
  -        for (i = 0 ; i < pad_length ; i++, pad_data++) {
  -            if (*pad_data != pad_length) {
  -                printf("Ossl_AES_Decrypt: Error, bad pad %02x at index 
%u\n", *pad_data, i);
  -                rc = -1;
  -            }
  -        }
  +
  +    /* get the pad length from the last byte */
  +    pad_length = (size_t)*(*decrypt_data + encrypt_length - 1);
  +    /* sanity check the pad length */
  +    if (pad_length == 0 || pad_length > AES_BLOCK_SIZE) {
  +        printf("Ossl_AES_Decrypt: Error, illegal pad length\n");
  +     goto exit;
  +    }
  +
  +    /* get the unpadded length */
  +    *decrypt_length = encrypt_length - pad_length;
  +    /* pad starting point */
  +    pad_data = *decrypt_data + *decrypt_length;
  +    /* sanity check the pad */
  +    for (i = 0 ; i < pad_length ; i++, pad_data++) {
  +     if (*pad_data == pad_length)
  +         continue;
  +     printf("Ossl_AES_Decrypt: Error, bad pad %02x at index %u\n",
  +                     *pad_data, i);
  +     goto exit;
       }
  +
  +    rc = 0;
  +
  +exit:
       return rc;
   }
   
  +static const char *aikCertificateEncFileName;
  +static const char *aikCertificateFileName;
  +
  +static struct poptOption optionsTable[] = {
  +  { "hk", '\0', POPT_ARG_STRING | POPT_ARGFLAG_ONEDASH, &__tpm.hk_str, 0,
  +       N_("Specify the AIK key <handle>"),   N_(" <handle>") },
  +
  + { "pwdo", '\0', POPT_ARG_STRING|POPT_ARGFLAG_ONEDASH,  &__tpm.ownerpass, 0,
  +     N_("Specify TPM owner <password>"),     N_(" <password>") },
  + { "pwdk", '\0', POPT_ARG_STRING|POPT_ARGFLAG_ONEDASH,  &__tpm.keypass, 0,
  +     N_("Specify AIK key <password>"),       N_(" <password>") },
  + { "if", '\0', POPT_ARG_STRING|POPT_ARGFLAG_ONEDASH,    &__tpm.ifn,     0,
  +     N_("Specify <fn> of an input data file"), N_(" <fn>") },
  + { "aikcertenc", '\0', POPT_ARG_STRING|POPT_ARGFLAG_ONEDASH,    
&aikCertificateEncFileName,     0,
  +     N_("Specify input <fn> of encrypted AIK certificate"), N_(" <fn>") },
  +
  + { "ok", '\0', POPT_ARG_STRING|POPT_ARGFLAG_ONEDASH,    &__tpm.ofn,     0,
  +     N_("Specify symmetrickey <fn>"),                N_(" <fn>") },
  +
  + { "aikcert", '\0', POPT_ARG_STRING|POPT_ARGFLAG_ONEDASH,    
&aikCertificateFileName,     0,
  +     N_("Specify output <fn> of AIK certificate (DER)"), N_(" <fn>") },
  +
  +
  +
  +  { NULL, (char)-1, POPT_ARG_INCLUDE_TABLE, NULL, 0,
  +          N_("\
  +activateidentity activates the identity blob agains the loaded AIK\n\
  +It optionally outputs the symmetric key.\n\
  +If the AIK certificate is supplied, it is decrypted with the symmetric 
key.\n\
  +\n\
  +\n\
  +Usage: activateidentity-hk keyhandle -pwdo <owner password>\n\
  +\t-if identity blob[options]\n\
  +\n\
  +Inputs\n\
  + -hk <keyhandle>   AIK key handle in hex\n\
  + -pwdo pwd     : The TPM owner password\n\
  + [-pwdk idpwd  : A password for the identity]\n\
  + -if filename  : the filename of the identity blob\n\
  + [-aikcertenc  : Encrypted AIK certificate]\n\
  +Outputs\n\
  + [-ok filename : Symmetric key file name]\n\
  + [-aikcert     : AIK certificate (DER)]\n\
  + [-v           : to enable verbose output]\n\
  + [-h           : usage help]\n\
  +\n\
  +Examples:\n\
  +"), NULL },
  +
  + { NULL, '\0', POPT_ARG_INCLUDE_TABLE, rpmioAllPoptTable, 0,
  +          N_("Common options:"), NULL },
  +  
  +    POPT_AUTOALIAS
  +    POPT_AUTOHELP
  +    POPT_TABLEEND
  +};
  +
  +int main(int argc, char * argv[])
  +{
  +    rpmtpm tpm = rpmtpmNew(argc, argv, optionsTable, 0);
  +    int ec = -1;        /* assume failure */
  +
  +    uint32_t aikHandle = 0;
  +    unsigned char *blobData = NULL;  /* blob to be activated, free @1 */
  +    uint32_t blobSize;
  +    
  +    STACK_TPM_BUFFER(returnbuffer);  /* decrypted symmetric key */   
  +    TPM_SYMMETRIC_KEY retkey;                /* decrypted symmetric key */   
   
  +    TPM_setlog(rpmIsVerbose() ? 1 : 0);
   
  +    /* validate command line arguments */
  +
  +    if (tpm->hk_str == NULL
  +     || 1 != sscanf(tpm->hk_str, "%x", &aikHandle )
  +     || aikHandle == 0)
  +    {
  +     printf("Missing or invalid -hk argument\n");
  +     ec = 2;
  +     goto exit;
  +    }
  +
  +    if (tpm->pwdo == NULL) {
  +     printf("Missing owner password.\n");
  +     goto exit;
  +    }
  +
  +    if (tpm->ifn == NULL) {
  +     printf("Missing input file name\n");
  +    }
  +
  +    if (aikCertificateEncFileName == NULL
  +     && aikCertificateFileName != NULL) {
  +     printf("AIK certificate output requires encrypted AIK certificate 
input\n");
  +     goto exit;
  +    }
  +    
  +    /* Read the blob */
  +    ec = rpmtpmErr(tpm, "ReadFile", ERR_MASK,
  +             TPM_ReadFile(tpm->ifn, &blobData, &blobSize));
  +    if (ec & ERR_MASK) {
  +     printf("Error while reading blob file.\n");
  +     ec = -1;
  +     goto exit;
  +    }
  +
  +    /* Activate the identity. */
  +    ec = rpmtpmErr(tpm, "ActivateIdentity", 0,
  +             TPM_ActivateIdentity(aikHandle,
  +                        blobData, blobSize,
  +                        tpm->pwdk,
  +                        tpm->pwdo,
  +                        &returnbuffer));
  +    free(blobData); 
  +    if (ec) {
  +     printf("ActivateIdentity returned error '%s' (0x%x).\n",
  +                TPM_GetErrMsg(ec), ec);
  +     goto exit;
  +    }
  +
  +    if (rpmIsVerbose()) printf("Successfully activated the identity.\n");
  +    ec = rpmtpmErr(tpm, "ReadSymmetricKey", ERR_MASK,
  +             TPM_ReadSymmetricKey(&returnbuffer, 0, &retkey));
  +    if (ec & ERR_MASK) {
  +     printf("TPM_ReadSymmetricKey returned error '%s' (0x%x).\n",
  +                TPM_GetErrMsg(ec), ec);
  +     goto exit;
  +    }
  +    ec = 0;
  +
  +    if (rpmIsVerbose()) {
  +     printf("Received the following symmetric key:\n");
  +     printf("algId     : 0x%x\n",(uint32_t)retkey.algId);
  +     printf("encScheme : 0x%x\n",(uint32_t)retkey.encScheme);
  +     rpmtpmDump(tpm, "data      : ", retkey.data, retkey.size);
  +    }
  +
  +    /* Optionally write the symmetric key to a file */
  +    if (tpm->ofn != NULL) {
  +     ec = rpmtpmErr(tpm, "WriteFile", 0,
  +                     TPM_WriteFile(tpm->ofn, retkey.data, retkey.size));
  +     if (ec)
  +         goto exit;
  +    }
  +
  +    /* Optionally decrypt and write the AIK certificate */
  +    if (aikCertificateEncFileName != NULL) {
  +     unsigned char *aikCertificate = NULL;
  +     uint32_t aikCertificateLength;
  +     unsigned char *aikCertificateEnc = NULL;
  +     uint32_t aikCertificateEncLength;
  +     unsigned char initializationVector[16];
  +
  +     ec = rpmtpmErr(tpm, "ReadFile", 0,
  +                     TPM_ReadFile(aikCertificateEncFileName,
  +                             &aikCertificateEnc,
  +                             &aikCertificateEncLength));
  +     if (ec)
  +         goto exit;
  +
  +     memset(initializationVector, 0, sizeof(initializationVector));
  +     ec = rpmtpmErr(tpm, "AES_Decrypt", 0,
  +                     Ossl_AES_Decrypt(&aikCertificate,
  +                             &aikCertificateLength,
  +                             aikCertificateEnc, aikCertificateEncLength,
  +                             initializationVector,
  +                             retkey.data));
  +     free(aikCertificateEnc);
  +     if (ec)
  +         goto exit;
  +
  +     ec = rpmtpmErr(tpm, "WriteFile", 0,
  +                     TPM_WriteFile(aikCertificateFileName,
  +                             aikCertificate, aikCertificateLength));
  +     free(aikCertificate);
  +     if (ec)
  +         goto exit;
  +    }
  +
  +exit:
  +
  +    tpm = rpmtpmFree(tpm);
  +
  +    return ec;
  +}
  @@ .
  patch -p0 <<'@@ .'
  Index: libtpm/libtpm/utils/chgtpmauth.c
  ============================================================================
  $ cvs diff -u -r1.14 -r1.15 chgtpmauth.c
  --- libtpm/libtpm/utils/chgtpmauth.c  26 Sep 2013 16:34:09 -0000      1.14
  +++ libtpm/libtpm/utils/chgtpmauth.c  28 Mar 2016 22:04:02 -0000      1.15
  @@ -26,7 +26,9 @@
   
     { NULL, (char) -1, POPT_ARG_INCLUDE_TABLE, NULL, 0,
        N_("\
  -Usage: chgtpmauth [-own] -pwdo <TPM owner password> -pwdn <new SRK or Owner 
password>\n\
  +Usage: chgtpmauth [-own]> -pwdn <new SRK or Owner password>\n\
  +   [-pwdo <owner password> -pwdof <owner authorization file name>\n\
  +   [-pwdn <new password>   -pwdnf <new authorization file name>\n\
   Runs TPM_ChangeOwnAuth or TPM_ChangeSRKAuth\n\
   \n\
       -own to specify the TPM Owner password is to be changed\n\
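Review bot: The new Usage line carries a stray `>` after `[-own]` and documents `-pwdn` twice — once on the Usage line and again in the bracketed `-pwdn`/`-pwdnf` pair — while neither `[` is ever closed, so the text does not say that the password and file forms are alternatives. Suggest `Usage: chgtpmauth [-own]\n\` followed by `   [-pwdo <owner password> | -pwdof <owner authorization file name>]\n\` and `   [-pwdn <new password> | -pwdnf <new authorization file name>]\n\`. Whether `-pwdnf` is actually accepted is decided by the popt table outside the hunk, so that should be confirmed before the usage promises it.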
  @@ .
  patch -p0 <<'@@ .'
  Index: libtpm/libtpm/utils/clearown.c
  ============================================================================
  $ cvs diff -u -r1.12 -r1.13 clearown.c
  --- libtpm/libtpm/utils/clearown.c    26 Sep 2013 16:34:09 -0000      1.12
  +++ libtpm/libtpm/utils/clearown.c    28 Mar 2016 22:04:02 -0000      1.13
  @@ -21,7 +21,8 @@
   
     { NULL, (char)-1, POPT_ARG_INCLUDE_TABLE, NULL, 0,
        N_("\
  -Usage: clearown -pwdo <owner password>\n\
  +Usage: clearown\n\
  +   [-pwdo <owner password> -pwdof <owner authorization file name>\n\
   "), NULL },
   
    { NULL, '\0', POPT_ARG_INCLUDE_TABLE, rpmioAllPoptTable, 0,
  @@ .
  patch -p0 <<'@@ .'
  Index: libtpm/libtpm/utils/counter_create.c
  ============================================================================
  $ cvs diff -u -r1.15 -r1.16 counter_create.c
  --- libtpm/libtpm/utils/counter_create.c      26 Sep 2013 16:34:09 -0000      
1.15
  +++ libtpm/libtpm/utils/counter_create.c      28 Mar 2016 22:04:02 -0000      
1.16
  @@ -31,6 +31,7 @@
   Usage: counter_create -pwdo <owner password> -la label -pwdc cntrpwd [-v]\n\
   \n\
    -pwdo           : The TPM owner password \n\
  + -pwdof          : The TPM owner authorization file\n\
    -pwdc           : The counter password.\n\
    -la             : The label of the counter.\n\
    -v              : Enable verbose output.\n\
  @@ .
  patch -p0 <<'@@ .'
  Index: libtpm/libtpm/utils/counter_release.c
  ============================================================================
  $ cvs diff -u -r1.17 -r1.18 counter_release.c
  --- libtpm/libtpm/utils/counter_release.c     26 Sep 2013 16:34:09 -0000      
1.17
  +++ libtpm/libtpm/utils/counter_release.c     28 Mar 2016 22:04:02 -0000      
1.18
  @@ -27,9 +27,12 @@
   
     { NULL, (char)-1, POPT_ARG_INCLUDE_TABLE, NULL, 0,
        N_("\
  -Usage: counter_release -pwdo <owner password> -ix id -pwdc cntrpwd[-v]\n\
  - n\
  - -pwdo ownerpass : the TPM owner password; not necessary if -pwdc is 
provided\n\
  +Usage: counter_release -ix id [-v]\n\
  +\n\
  +One of these authorizations:\n\
  +[-pwdo  <owner password>\n\
  +[-pwdof <owner authorization file name>\n\
  +[-pwdc  <counter password\n\
    -ix id          : The id of the counter.\n\
    -pwdc cntrpwd   : The counter password; not necessary if -pwdo is provided 
\n\
    -v              : Enable verbose output.\n\
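Review bot: In the new "One of these authorizations" list the entry `[-pwdc  <counter password` is missing both its closing `>` and `]`, and none of the three `[` brackets is closed, so the list never states that exactly one of the three is required. Suggest a single line `[-pwdo <owner password> | -pwdof <owner authorization file name> | -pwdc <counter password>]\n\`. The unchanged `-pwdc cntrpwd : ... not necessary if -pwdo is provided` entry below now repeats that information and could be reduced to a plain description of the option.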
  @@ .
  patch -p0 <<'@@ .'
  Index: libtpm/libtpm/utils/createownerdelegation.c
  ============================================================================
  $ cvs diff -u -r1.20 -r1.21 createownerdelegation.c
  --- libtpm/libtpm/utils/createownerdelegation.c       26 Sep 2013 16:34:09 
-0000      1.20
  +++ libtpm/libtpm/utils/createownerdelegation.c       28 Mar 2016 22:04:02 
-0000      1.21
  @@ -45,7 +45,8 @@
   
     { NULL, (char)-1, POPT_ARG_INCLUDE_TABLE, NULL, 0,
        N_("\
  -Usage: createownerdelegation  Parameters -pwdd <delegate password> -of 
<filename>\n\
  +Usage: createownerdelegation  pwdd <delegate password> -of <filename>\n\
  +   [-pwdo <owner password> -pwdof <owner authorization file name>\n\
   \n\
   Valid parameters are:\n\
   -inc                : to increment the verificationCount\n\
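Review bot: The rewritten Usage line dropped the dash from the delegate-password option: `pwdd <delegate password>` should read `-pwdd <delegate password>`, matching the option list below (`-pwdd <password> : Delegate password`). The following `[-pwdo <owner password> -pwdof <owner authorization file name>` line is also unclosed and reads as if both are required; `[-pwdo <owner password> | -pwdof <owner authorization file name>]\n\` would state the alternative correctly.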
  @@ -55,6 +56,7 @@
   -per2 <permissions> : to set the permission2 parameter\n\
   -v                  : turns on verbose mode\n\
   -pwdo <owner password> : TPM owner password\n\
  +-pwdof <owner auth> : TPM owner authorization file name\n\
   -pwdd <password>    : Delegate password\n\
   \n\
   Example:\n\
  @@ .
  patch -p0 <<'@@ .'
  Index: libtpm/libtpm/utils/delegatemanage.c
  ============================================================================
  $ cvs diff -u -r1.15 -r1.16 delegatemanage.c
  --- libtpm/libtpm/utils/delegatemanage.c      26 Sep 2013 16:34:09 -0000      
1.15
  +++ libtpm/libtpm/utils/delegatemanage.c      28 Mar 2016 22:04:02 -0000      
1.16
  @@ -33,7 +33,8 @@
   
     { NULL, (char) -1, POPT_ARG_INCLUDE_TABLE, NULL, 0,
        N_("\
  -Usage: delegate_manage -<op code> [-pwdo <owner password>]\n\
  +Usage: delegate_manage -<op code>\n\
  +   [-pwdo <owner password> -pwdof <owner authorization file name>\n\
   \n\
   Valid options are:\n\
   \n\
  @@ .
  patch -p0 <<'@@ .'
  Index: libtpm/libtpm/utils/dirwrite.c
  ============================================================================
  $ cvs diff -u -r1.13 -r1.14 dirwrite.c
  --- libtpm/libtpm/utils/dirwrite.c    26 Sep 2013 16:34:09 -0000      1.13
  +++ libtpm/libtpm/utils/dirwrite.c    28 Mar 2016 22:04:02 -0000      1.14
  @@ -30,7 +30,7 @@
        N_("\
   Usage: dirwrite -pwdo <ownerpass> -ix <index> -ic <message>\n\
   \n\
  --pwdo ownerpass : the TPM owner password\n\
  +   [-pwdo <owner password> -pwdof <owner authorization file name>\n\
   -ix  index     : The index of the DIR to write into; give hex number\n\
   -ic  message   : The message to write into; the SHA1 of this message will be 
calculated\n\
   \n" "Examples:\n\
  @@ .
  patch -p0 <<'@@ .'
  Index: libtpm/libtpm/utils/disableownerclear.c
  ============================================================================
  $ cvs diff -u -r1.15 -r1.16 disableownerclear.c
  --- libtpm/libtpm/utils/disableownerclear.c   26 Sep 2013 16:34:09 -0000      
1.15
  +++ libtpm/libtpm/utils/disableownerclear.c   28 Mar 2016 22:04:02 -0000      
1.16
  @@ -24,7 +24,7 @@
        N_("\
   Usage: disableownerclear -pwdo <owner password> [-v]\n\
   \n\
  - -pwdo pwd    : the TPM owner password\n\
  +   [-pwdo <owner password> -pwdof <owner authorization file name>\n\
    -v           : to enable verbose output\n\
   \n\
   Examples:\n\
  @@ .
  patch -p0 <<'@@ .'
  Index: libtpm/libtpm/utils/disablepubek.c
  ============================================================================
  $ cvs diff -u -r1.12 -r1.13 disablepubek.c
  --- libtpm/libtpm/utils/disablepubek.c        26 Sep 2013 16:34:09 -0000      
1.12
  +++ libtpm/libtpm/utils/disablepubek.c        28 Mar 2016 22:04:02 -0000      
1.13
  @@ -22,7 +22,8 @@
   
     { NULL, (char)-1, POPT_ARG_INCLUDE_TABLE, NULL, 0,
        N_("\
  -Usage: disablepubek -pwdo <owner password>\n\
  +Usage: disablepubek\n\
  +   [-pwdo <owner password> -pwdof <owner authorization file name>\n\
   "), NULL },
   
    { NULL, '\0', POPT_ARG_INCLUDE_TABLE, rpmioAllPoptTable, 0,
  @@ .
  patch -p0 <<'@@ .'
  Index: libtpm/libtpm/utils/enableaudit.c
  ============================================================================
  $ cvs diff -u -r1.14 -r1.15 enableaudit.c
  --- libtpm/libtpm/utils/enableaudit.c 26 Sep 2013 16:34:09 -0000      1.14
  +++ libtpm/libtpm/utils/enableaudit.c 28 Mar 2016 22:04:02 -0000      1.15
  @@ -28,10 +28,11 @@
   
     { NULL, (char)-1, POPT_ARG_INCLUDE_TABLE, NULL, 0,
        N_("\
  -Usage: enableaudit -o <ordinal> -p <owner password> [-d] [-v]\n\
  +Usage: enableaudit -o <ordinal> [-d] [-v]\n\
  +   [-pwdo <owner password> -pwdof <owner authorization file name>\n\
   \n\
  --o    : option to pass the ordinal for the audit\n\
  --p    : the owner password\n\
  +-ord  : option to pass the ordinal for the audit\n\
  +-pwdo : the owner password\n\
   -d    : to disable the audit; default is enabling\n\
   -v    : turns on verbose mode\n\
   "), NULL },
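Review bot: The Usage line still advertises `-o <ordinal>` while the option list two lines below now documents `-ord`, so one of the two is wrong; the popt table that decides which spelling is accepted is outside the hunk. If the table was renamed along with the `-p` to `-pwdo` change, the Usage line should become `Usage: enableaudit -ord <ordinal> [-d] [-v]\n\`; otherwise the list entry should revert to `-o`. The `[-pwdo <owner password> -pwdof <owner authorization file name>` line is also missing its closing `]` and a `|` showing that the two are alternatives.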
  @@ .
  patch -p0 <<'@@ .'
  Index: libtpm/libtpm/utils/getauditdigestsigned.c
  ============================================================================
  $ cvs diff -u -r1.15 -r1.16 getauditdigestsigned.c
  --- libtpm/libtpm/utils/getauditdigestsigned.c        26 Sep 2013 16:34:09 
-0000      1.15
  +++ libtpm/libtpm/utils/getauditdigestsigned.c        28 Mar 2016 22:04:02 
-0000      1.16
  @@ -48,7 +48,6 @@
       int ec = -1;     /* assume failure */
   
       TPM_COUNTER_VALUE counter;
  -    uint32_t lowest = 0;
       STACK_TPM_BUFFER(signature);
       unsigned char digest[TPM_DIGEST_SIZE];
       unsigned char ordinalDigest[TPM_DIGEST_SIZE];
  @@ -69,8 +68,6 @@
        goto exit;
       }
   
  -    lowest = tpm->ordinal;
  -
       ec = rpmtpmErr(tpm, "GetAuditDigestSigned", 0,
                TPM_GetAuditDigestSigned(tpm->keyhandle,
                                   FALSE,
  @@ .
  patch -p0 <<'@@ .'
  Index: libtpm/libtpm/utils/getpubek.c
  ============================================================================
  $ cvs diff -u -r1.13 -r1.14 getpubek.c
  --- libtpm/libtpm/utils/getpubek.c    26 Sep 2013 16:34:09 -0000      1.13
  +++ libtpm/libtpm/utils/getpubek.c    28 Mar 2016 22:04:02 -0000      1.14
  @@ -25,7 +25,8 @@
   
     { NULL, (char)-1, POPT_ARG_INCLUDE_TABLE, NULL, 0,
        N_("\
  -getpubek [-pwdo owner password]\n\
  +getpubek (to pubkek.pem)\n\
  +   [-pwdo <owner password> -pwdof <owner authorization file name>\n\
   \n\
   With owner password - runs TPM_OwnerReadPubek\n\
   Without owner password - runs TPM_ReadPubek\n\
  @@ .
  patch -p0 <<'@@ .'
  Index: libtpm/libtpm/utils/identity.c
  ============================================================================
  $ cvs diff -u -r1.23 -r1.24 identity.c
  --- libtpm/libtpm/utils/identity.c    26 Sep 2013 16:34:09 -0000      1.23
  +++ libtpm/libtpm/utils/identity.c    28 Mar 2016 22:04:02 -0000      1.24
  @@ -156,6 +156,7 @@
       if (ec & ERR_MASK)
        goto exit;
       ser_symkey_len = ec;
  +    (void)ser_symkey_len;
   
       activate.tag = TPM_TAG_EK_BLOB_ACTIVATE;
       activate.sessionKey = tpm_symkey;
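Review bot: `(void)ser_symkey_len;` only silences the unused-variable warning; the serialized length that the call above the hunk returned through `ec` is still assigned and then never consumed. If the length is genuinely not needed, remove both the assignment and the variable instead of keeping dead state (the ERR_MASK check on `ec` alone is enough); if it is needed for the activation blob built from `activate.sessionKey = tpm_symkey`, the cast is hiding a missing length use rather than fixing it. The same pattern is repeated in the second hunk of this file. The enclosing function starts and ends outside the hunk, so which case applies cannot be settled from here.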
  @@ -246,6 +247,7 @@
       if (ec & ERR_MASK)
        return ret;
       ser_symkey_len = ec;
  +    (void)ser_symkey_len;
   
       memset(&data, 0x0, sizeof(data));
       // symmetric key
  @@ -310,9 +312,9 @@
   
     { NULL, (char) -1, POPT_ARG_INCLUDE_TABLE, NULL, 0,
        N_("\
  -Usage: identity -pwdo <owner password> -la <label> [options]\n\
  +Usage: identity -la <label> [options]\n\
  +   [-pwdo <owner password> -pwdof <owner authorization file name>\n\
   \n\
  - -pwdo pwd    : The TPM owner password.\n\
    -la label    : Some label for the identity.\n\
    -pwdk idpwd  : A password for the identity.\n\
    -pwds srkpwd : The password for the storage root key.\n\
  @@ .
  patch -p0 <<'@@ .'
  Index: libtpm/libtpm/utils/keycontrol.c
  ============================================================================
  $ cvs diff -u -r1.19 -r1.20 keycontrol.c
  --- libtpm/libtpm/utils/keycontrol.c  26 Sep 2013 16:34:09 -0000      1.19
  +++ libtpm/libtpm/utils/keycontrol.c  28 Mar 2016 22:04:02 -0000      1.20
  @@ -31,11 +31,12 @@
     { NULL, (char)-1, POPT_ARG_INCLUDE_TABLE, NULL, 0,
        N_("\
   Usage: keycontrol -pwdk <keypassword> -hk <key handle> -bn <bit name>\n\
  -                  -bv <bit value> -pwdo <owner password>\n\n\
  +                  -bv <bit value> \n\
  +   [-pwdo <owner password> -pwdof <owner authorization file name>\n\
  +\n\
   -hk key handle       : handle of a loaded key; pass hex number\n\
   -bn bit name         : name of the bit to change; use hex number\n\
   -bv bit value        : 0 for false, 1 for true\n\
  --pwdo owner password : the owner password\n\n\
   "), NULL },
   
    { NULL, '\0', POPT_ARG_INCLUDE_TABLE, rpmioAllPoptTable, 0,
  @@ .
  patch -p0 <<'@@ .'
  Index: libtpm/libtpm/utils/killmaintenancefeature.c
  ============================================================================
  $ cvs diff -u -r1.14 -r1.15 killmaintenancefeature.c
  --- libtpm/libtpm/utils/killmaintenancefeature.c      26 Sep 2013 16:34:09 
-0000      1.14
  +++ libtpm/libtpm/utils/killmaintenancefeature.c      28 Mar 2016 22:04:02 
-0000      1.15
  @@ -24,11 +24,11 @@
        N_("\
   Usage: killmaintenancefeature -pwdo <owner password> [-v]\n\
   \n\
  - -o pwd    : the TPM owner password\n\
  + -pwdo pwd : the TPM owner password\n\
    -v        : to enable verbose output\n\
   \n\
   Examples:\n\
  -killmaintenancefeature -o aaa\n\
  +killmaintenancefeature -pwdo aaa\n\
   "), NULL },
   
    { NULL, '\0', POPT_ARG_INCLUDE_TABLE, rpmioAllPoptTable, 0,
  @@ .
  patch -p0 <<'@@ .'
  Index: libtpm/libtpm/utils/loadownerdelegation.c
  ============================================================================
  $ cvs diff -u -r1.18 -r1.19 loadownerdelegation.c
  --- libtpm/libtpm/utils/loadownerdelegation.c 26 Sep 2013 16:34:09 -0000      
1.18
  +++ libtpm/libtpm/utils/loadownerdelegation.c 28 Mar 2016 22:04:02 -0000      
1.19
  @@ -28,8 +28,11 @@
     { NULL, (char)-1, POPT_ARG_INCLUDE_TABLE, NULL, 0,
        N_("\
   Usage: loadownerdelegation -row index -if filename\n\
  -\t[-pwdo owner password>] [-v]\n\
  +\t[-pwdo <owner password> -pwdof <owner authorization file name>\n\
  +\t[-v]\n\
  +\n\
   -pwdo : password of the TPM owner\n\
  +-pwdof: authorization file of the TPM owner\n\
   -row  : delegate row index\n\
   -if   : owner delegation file name\n\
   \n\
  @@ .
  patch -p0 <<'@@ .'
  Index: libtpm/libtpm/utils/migrate.c
  ============================================================================
  $ cvs diff -u -r1.21 -r1.22 migrate.c
  --- libtpm/libtpm/utils/migrate.c     26 Sep 2013 16:34:09 -0000      1.21
  +++ libtpm/libtpm/utils/migrate.c     28 Mar 2016 22:04:02 -0000      1.22
  @@ -55,7 +55,9 @@
          [-rewrap] [-v]\n\
   -hp    : parent key handle\n\
   -pwdp  : parent key password used for encryption\n\
  --pwdo  : TPM owner password\n" "-pwdm  : migration password\n\
  +-pwdo  : TPM owner password\n\
  +-pwdof : TPM owner authorization file name\n\
  +-pwdm  : migration password\n\
   -im    : file containing the migration key or\n\
   -hm    : handle of the migration key\n\
   -pwdk  : the password of the migration key\n\
  @@ .
  patch -p0 <<'@@ .'
  Index: libtpm/libtpm/utils/nv_definespace.c
  ============================================================================
  $ cvs diff -u -r1.13 -r1.14 nv_definespace.c
  --- libtpm/libtpm/utils/nv_definespace.c      26 Sep 2013 16:34:09 -0000      
1.13
  +++ libtpm/libtpm/utils/nv_definespace.c      28 Mar 2016 22:04:02 -0000      
1.14
  @@ -19,7 +19,8 @@
   static void printUsage(void)
   {
       printf("usage: nv_definespace -in index -sz size\n"
  -        "\t[-pwdo <owner password>] [-per permission] [-pwdd <area 
password>] [-v]\n"
  +          "\t[-pwdo <owner password> -pwdof <owner authorization file 
name>\n"
  +           "\t[-per permission] [-pwdd <area password>] [-v]\n"
           "\t[-ixr <pcr num> <digest> require PCR authorization for read]\n"
           "\t[-ixw <pcr num> <digest> require PCR authorization for write]\n"
           "\n"
  @@ .
  patch -p0 <<'@@ .'
  Index: libtpm/libtpm/utils/nv_readvalue.c
  ============================================================================
  $ cvs diff -u -r1.22 -r1.23 nv_readvalue.c
  --- libtpm/libtpm/utils/nv_readvalue.c        26 Sep 2013 16:34:09 -0000      
1.22
  +++ libtpm/libtpm/utils/nv_readvalue.c        28 Mar 2016 22:04:02 -0000      
1.23
  @@ -37,18 +37,21 @@
   
     { NULL, (char) -1, POPT_ARG_INCLUDE_TABLE, NULL, 0,
        N_("\
  -Usage: nv_readvalue -in index -sz size [-off offset] \n\
  -\t[-pwdo <owner password>] [-pwdd <area password>] [-of <data file name>]\n\
  +Usage: nv_readvalue -in index [-sz size -cert] [-off offset] \n\
  +\t[-pwdo <owner password> -pwdof <owner authorization file name>]\
  +\t[-pwdd <area password>] [-of <data file name>]\n\
   \n\
    -pwdo pwd      : The TPM owner password.\n\
  + -pwdof file    : The TPM owner authorization file name.\n\
    -in index      : The index of the memory to use in hex.\n\
    -sz size       : The number of bytes to read.\n\
  + -cert          : The number of bytes is embedded in the certificate 
prefix.\n\
    -off offset    : The offset in memory where to start reading from (default 
0)\n\
    -pwdd password : The password for the memory area.\n\
    -of file       : File to store the read bytes.\n\
    -ee num        : Expected error number.\n\
   \n\
  -With -pwdo, does TPM_ReadValue\n\
  +With -pwdo or -pwdof, does TPM_ReadValue\n\
   With -pwdd, does TPM_ReadValueAuth\n\
   With neither, does TPM_ReadValue with no authorization\n\
   \n\
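Review bot: The new `-cert` mode takes the number of bytes to read from a prefix embedded in the NV data itself, i.e. from the value being read rather than from the caller; if the code that parses that prefix (outside the hunk) does not clamp the length to the NV area's defined size and to the destination buffer, a malformed prefix would drive an oversized read. Worth a bound check there, and a word in the usage text so callers know the length is data-derived: ` -cert          : Read length taken from the certificate prefix (bounded by the NV area size).\n\`. Also `[-sz size -cert]` groups the two options as if they go together; `(-sz size | -cert)` states the alternative.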
  @@ .
  patch -p0 <<'@@ .'
  Index: libtpm/libtpm/utils/nv_writevalue.c
  ============================================================================
  $ cvs diff -u -r1.17 -r1.18 nv_writevalue.c
  --- libtpm/libtpm/utils/nv_writevalue.c       26 Sep 2013 16:34:09 -0000      
1.17
  +++ libtpm/libtpm/utils/nv_writevalue.c       28 Mar 2016 22:04:02 -0000      
1.18
  @@ -33,10 +33,13 @@
   
     { NULL, (char) -1, POPT_ARG_INCLUDE_TABLE, NULL, 0,
        N_("\
  -Usage: nv_writevalue -in index -ic data\n\
  -\t[-pwdo <owner password>] [-pwdd <area password>] [-off offset]\n\
  +Usage: nv_writevalue -in index -ic data -if file\n\
  +\t[-pwdo <owner password> -pwdof <owner authorization file name>]\n\
  +\t[-pwdd <area password>] [-off offset] [-cert]\n\
   \n\
    -pwdo pwd      : The TPM owner password.\n\
  + -ic data string : The data to write into the memory (default data length 
0.\n\
  + -if data file   : The data to write into the memory (default data length 
0.\n\
    -in index      : The index of the memory to use in hex.\n\
    -ic data       : The data to write into the memory (default data length 
0.\n\
    -off offset    : The offset where to start writing (default 0).\n\
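Review bot: The option list now describes `-ic data` twice (the new `-ic data string : ...` entry and the pre-existing `-ic data : ...` entry), both with the unbalanced `(default data length 0.` text, and the Usage line shows `-ic data -if file` as if both are required. Keep one `-ic` entry, close the parenthesis, and write the Usage line as `Usage: nv_writevalue -in index (-ic data | -if file)\n\`. The new `-pwdof` option also has no entry in the list, unlike the nv_readvalue.c change in this same commit.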
  @@ -50,6 +53,7 @@
   Examples:\n\
   nv_writevalue -pwdo ooo -in 1 -ic Hello\n\
   nv_writevalue -pwdd aaa -in 2 -ic Hello -off 5\n\
  +nv_writevalue -pwdo ooo -in 1000f000 -if ekcert.cer -cert\n\
   "), NULL},
   
     { NULL, '\0', POPT_ARG_INCLUDE_TABLE, rpmioAllPoptTable, 0,
  @@ .
  patch -p0 <<'@@ .'
  Index: libtpm/libtpm/utils/ownerreadinternalpub.c
  ============================================================================
  $ cvs diff -u -r1.19 -r1.20 ownerreadinternalpub.c
  --- libtpm/libtpm/utils/ownerreadinternalpub.c        26 Sep 2013 16:34:09 
-0000      1.19
  +++ libtpm/libtpm/utils/ownerreadinternalpub.c        28 Mar 2016 22:04:02 
-0000      1.20
  @@ -26,7 +26,8 @@
   
     { NULL, (char)-1, POPT_ARG_INCLUDE_TABLE, NULL, 0,
        N_("\
  -Usage: ownerreadinternalpub [Options] -hk <keyhandle> -of <filename> -pwdo 
<owner password>\n\
  +Usage: ownerreadinternalpub [Options] -hk <keyhandle> -of <filename>\n\
  +   [-pwdo <owner password> -pwdof <owner authorization file name>\n\
   \n\
   Reads the internally held public key protion of either the endorsement\n\
   key or the storage root key. The handle of the endorsement key is 
0x40000006\n\
  @@ -50,7 +51,6 @@
   {
       rpmtpm tpm = rpmtpmNew(argc, argv, optionsTable, 0);
       int ec = -1;     /* assume failure */
  -    uint32_t xx;
   
       STACK_TPM_BUFFER(keybuf);
       keydata k;
  @@ -65,8 +65,10 @@
       if (ec)
        goto exit;
   
  -    xx = rpmtpmErr(tpm, "WriteKeyPub", ERR_MASK,
  +    ec = rpmtpmErr(tpm, "WriteKeyPub", ERR_MASK,
                TPM_WriteKeyPub(&keybuf, &k));
  +    if (ec)
  +        goto exit;
   
       ec = rpmtpmErr(tpm, "WriteFile", 0,
                TPM_WriteFile(tpm->ofn, keybuf.buffer, keybuf.used));
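Review bot: The new `if (ec) goto exit;` after the ERR_MASK-wrapped TPM_WriteKeyPub call looks inverted relative to the convention the rest of this commit uses: a call made with ERR_MASK is followed by `if (ec & ERR_MASK)` and the non-error return is treated as a byte count (identity.c assigns it to `ser_symkey_len`). If TPM_WriteKeyPub likewise returns the serialized length on success, every successful run now jumps to exit before TPM_WriteFile and returns that length as the exit status, so the public key is never written. The check should be `if (ec & ERR_MASK) { ec = -1; goto exit; }` so that a length is not propagated out of main either. The enclosing function starts before the hunk.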
  @@ .
  patch -p0 <<'@@ .'
  Index: libtpm/libtpm/utils/ownersetdisable.c
  ============================================================================
  $ cvs diff -u -r1.14 -r1.15 ownersetdisable.c
  --- libtpm/libtpm/utils/ownersetdisable.c     26 Sep 2013 16:34:09 -0000      
1.14
  +++ libtpm/libtpm/utils/ownersetdisable.c     28 Mar 2016 22:04:02 -0000      
1.15
  @@ -24,7 +24,8 @@
   
     { NULL, (char)-1, POPT_ARG_INCLUDE_TABLE, NULL, 0,
        N_("\
  -Usage: ownersetdisable -pwdo <owner password> [-en]\n\
  +Usage: ownersetdisable [-en]\n\
  +[-pwdo <owner password> -pwdof <owner authorization file name>\n\
   \n\
    -pwdo pwd    : the TPM owner password\n\
    -en        : to set the TPM into 'enable' state (default disable)\n\
  @@ .
  patch -p0 <<'@@ .'
  Index: libtpm/libtpm/utils/quote.c
  ============================================================================
  $ cvs diff -u -r1.15 -r1.16 quote.c
  --- libtpm/libtpm/utils/quote.c       26 Sep 2013 16:34:09 -0000      1.15
  +++ libtpm/libtpm/utils/quote.c       28 Mar 2016 22:04:02 -0000      1.16
  @@ -28,7 +28,11 @@
   
     { NULL, (char) -1, POPT_ARG_INCLUDE_TABLE, NULL, 0,
        N_("\
  -Usage: quote -hk <key handle in hex> -bm <pcr mask in hex> [-pwdk <key 
password>]\n\
  +Usage: quote\n\
  +-hk <key handle in hex>\n\
  +-bm <pcr mask in hex>\n\
  +[-pwdk <key password>]\n\
  +[-cert <key certificate to verify the quote signature]\n\
   \n\
   "), NULL},
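Review bot: `[-cert <key certificate to verify the quote signature]` is missing the closing `>` of its placeholder: `[-cert <key certificate to verify the quote signature>]\n\`. Since the option introduces signature verification, the usage text should also say what the certificate is trusted against (taken as given, or chained to a CA) — the verification code is outside the hunk, so that needs confirming before the wording is chosen.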
   
  @@ .
  patch -p0 <<'@@ .'
  Index: libtpm/libtpm/utils/resetlockvalue.c
  ============================================================================
  $ cvs diff -u -r1.12 -r1.13 resetlockvalue.c
  --- libtpm/libtpm/utils/resetlockvalue.c      26 Sep 2013 16:34:09 -0000      
1.12
  +++ libtpm/libtpm/utils/resetlockvalue.c      28 Mar 2016 22:04:02 -0000      
1.13
  @@ -22,7 +22,8 @@
   
     { NULL, (char)-1, POPT_ARG_INCLUDE_TABLE, NULL, 0,
        N_("\
  -Usage: resetlockvalue -pwdo <owner password>\n\
  +Usage: resetlockvalue\n\
  +   [-pwdo <owner password> -pwdof <owner authorization file name>\n\
   \n\
   -h help\n\
   "), NULL },
  @@ .
  patch -p0 <<'@@ .'
  Index: libtpm/libtpm/utils/setcapability.c
  ============================================================================
  $ cvs diff -u -r1.14 -r1.15 setcapability.c
  --- libtpm/libtpm/utils/setcapability.c       26 Sep 2013 16:34:09 -0000      
1.14
  +++ libtpm/libtpm/utils/setcapability.c       28 Mar 2016 22:04:02 -0000      
1.15
  @@ -134,7 +134,7 @@
   Usage: setcapability [options] <capability (hex)> <sub cap (hex)> <value 
(hex)>\n\
   \n\
   Possible options are:\n\
  -  -pwdo : password of the TPM owner\n\
  +  [-pwdo <owner password> -pwdof <owner authorization file name>\n\
   "), NULL },
   
    { NULL, '\0', POPT_ARG_INCLUDE_TABLE, rpmioAllPoptTable, 0,
  @@ .
  patch -p0 <<'@@ .'
  Index: libtpm/libtpm/utils/takeown.c
  ============================================================================
  $ cvs diff -u -r1.20 -r1.21 takeown.c
  --- libtpm/libtpm/utils/takeown.c     26 Sep 2013 16:34:10 -0000      1.20
  +++ libtpm/libtpm/utils/takeown.c     28 Mar 2016 22:04:02 -0000      1.21
  @@ -33,7 +33,8 @@
   
     { NULL, (char)-1, POPT_ARG_INCLUDE_TABLE, NULL, 0,
        N_("\
  -Usage: takeown [-v12] [-sz keysize] -pwdo <owner password> \n\
  +Usage: takeown [-v12] [-sz keylen]\n\
  +   [-pwdo <owner password> -pwdof <owner authorization file name>\n\
      [-pwds <storage root key password>]\n\
      [-ix <pcr num> <digest> PCR authorization for SRK]\n\
   \tOmitting -pwds sets the SRK auth to all zeros\n\
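Review bot: The new `[-pwdo <owner password> -pwdof <owner authorization file name>` line never closes its bracket and reads as if both are required, when they appear to be alternative ways of supplying the same owner authorization; `[-pwdo <owner password> | -pwdof <owner authorization file name>]\n\` states that. Because takeown is where the owner secret is established, this is also the place to tell users that a value given with `-pwdo` sits in argv, visible to other local users via ps and kept in shell history, and that `-pwdof` avoids that; e.g. `\tPrefer -pwdof: a password given with -pwdo is visible in the process list\n\`. The same unclosed-bracket form is repeated across the other utilities in this commit.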
  @@ .
  patch -p0 <<'@@ .'
  Index: libtpm/libtpm/utils/updateverification.c
  ============================================================================
  $ cvs diff -u -r1.19 -r1.20 updateverification.c
  --- libtpm/libtpm/utils/updateverification.c  26 Sep 2013 16:34:10 -0000      
1.19
  +++ libtpm/libtpm/utils/updateverification.c  28 Mar 2016 22:04:02 -0000      
1.20
  @@ -30,9 +30,9 @@
   Usage: updateverification  -if input-file -of output-file\n\
   \t[-pwdo owner password>] [-v] \n\
   \n\
  --pwdo : password of the TPM owner\n\
  --if   : current delegation file\n\
  --of   : new delegation file\n\n\
  +\t[-pwdo <owner password> -pwdof <owner authorization file name>\n\
  +\t-if   : current delegation file\n\
  +\t-of   : new delegation file\n\n\
   "), NULL },
   
    { NULL, '\0', POPT_ARG_INCLUDE_TABLE, rpmioAllPoptTable, 0,
  @@ .