There's no way to give the well known authority via the password prompt, so try it first. If that succeeds, we have the key authority and if not, we can prompt for a password.
This allows the engine and create_tpm_key to work on systems where the SRK has the well known authority value. Signed-off-by: James Bottomley <[email protected]>
---
 create_tpm_key.c | 28 ++++++++++++++++++++--------
 e_tpm.c | 9 +++++++++
 2 files changed, 29 insertions(+), 8 deletions(-)
diff --git a/create_tpm_key.c b/create_tpm_key.c
index fee917f..1c1e556 100644
--- a/create_tpm_key.c
+++ b/create_tpm_key.c
@@ -81,6 +81,7 @@ usage(char *argv0)
 }
 TSS_UUID SRK_UUID = TSS_UUID_SRK;
+static BYTE well_known[] = TSS_WELL_KNOWN_SECRET;
 void openssl_print_errors()
@@ -292,20 +293,29 @@ int main(int argc, char **argv)
 }
 if (srk_authusage) {
- char *authdata = calloc(1, 128);
-
- if (!authdata) {
- fprintf(stderr, "malloc failed.\n");
- Tspi_Context_Close(hContext);
- exit(result);
- }
+ char *authdata;
 if ((result = Tspi_GetPolicyObject(hSRK, TSS_POLICY_USAGE, &srkUsagePolicy))) {
 print_error("Tspi_GetPolicyObject", result);
 Tspi_Context_CloseObject(hContext, hKey);
 Tspi_Context_Close(hContext);
- free(authdata);
+ exit(result);
+ }
+
+ /* first try the well known secret */
+ if (Tspi_Policy_SetSecret(srkUsagePolicy,
+ TSS_SECRET_MODE_SHA1,
+ sizeof(well_known),
+ well_known)
+ == TSS_SUCCESS)
+ goto found_secret;
+
+ authdata = calloc(1, 128);
+
+ if (!authdata) {
+ fprintf(stderr, "malloc failed.\n");
+ Tspi_Context_Close(hContext);
 exit(result);
 }
@@ -328,6 +338,8 @@ int main(int argc, char **argv)
 }
 free(authdata);
+ found_secret:
+ ;
 }
 if (auth) {
diff --git a/e_tpm.c b/e_tpm.c
index f3e8bcf..3e20f8e 100644
--- a/e_tpm.c
+++ b/e_tpm.c
@@ -127,6 +127,7 @@ static TSS_HKEY hSRK = NULL_HKEY;
 static TSS_HPOLICY hSRKPolicy = NULL_HPOLICY;
 static TSS_HTPM hTPM = NULL_HTPM;
 static TSS_UUID SRK_UUID = TSS_UUID_SRK;
+static BYTE well_known[] = TSS_WELL_KNOWN_SECRET;
 static UINT32 secret_mode = TSS_SECRET_MODE_PLAIN;
 /* varibles used to get/set CRYPTO_EX_DATA values */
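Review bot: In the `if (srk_authusage)` block, a TSS_SUCCESS return from Tspi_Policy_SetSecret is taken as proof that the well-known secret is the SRK's authorization, but nothing in the hunk exercises the SRK with that secret before the `goto found_secret`; if SetSecret only stores the secret in the policy object (which I believe is the case for TSS_SECRET_MODE_SHA1), the call succeeds regardless of what the TPM actually holds, the password prompt is never reached, and a system with a non-well-known SRK fails later at key creation with an authorization error instead of being asked for the password. The e_tpm.c hunk at tpm_load_srk has the same pattern, returning 1 on the same condition. A more reliable probe would perform an SRK-authorised operation with the well-known secret (or check the result of the first operation that uses srkUsagePolicy) and fall back to the prompt only on an authorization failure. Separately, the relocated allocation-failure path keeps `exit(result);`, and `result` is TSS_SUCCESS (0) there because the preceding Tspi_GetPolicyObject succeeded, so an out-of-memory failure exits with status 0 and also skips the `Tspi_Context_CloseObject(hContext, hKey)` that the GetPolicyObject error path performs; `exit(1);` and closing hKey would be consistent. main() starts and ends outside this hunk.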
@@ -299,6 +300,14 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data)
 return 0;
 }
+ /* first try the well known secret */
+ if (Tspi_Policy_SetSecret(hSRKPolicy,
+ TSS_SECRET_MODE_SHA1,
+ sizeof(well_known),
+ well_known)
+ == TSS_SUCCESS)
+ return 1;
+
 if (!tpm_engine_get_auth(ui, (char *)auth, 128, "SRK authorization: ", cb_data)) {
 Tspi_Context_CloseObject(hContext, hSRK);
-- 2.6.6
------------------------------------------------------------------------------ Developer Access Program for Intel Xeon Phi Processors Access to Intel Xeon Phi processor-based developer platforms. With one year of Intel Parallel Studio XE. Training and support from Colfax. Order your platform today. http://sdm.link/xeonphi _______________________________________________ TrouSerS-tech mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/trousers-tech
