TPW_RESULT create_key(TSS_HCONTEXT tss_context, TSS_FLAG aflags, TSS_HKEY *user_key, TSS_HKEY p_key, char *auth, int authlen)
{
TSS_RESULT result;
TSS_HPOLICY policy;
if(!authlen)
aflags |= TSS_KEY_NO_AUTHORIZATION;
else
aflags |= TSS_KEY_AUTHORIZATION;
result = Tspi_Context_CreateObject(tss_context, TSS_OBJECT_TYPE_RSAKEY, aflags, user_key);
if(TSS_SUCCESS != result)
{
Log_Text("create_key", TPW_KEY_ERROR);
return TPW_KEY_ERROR;
}
if(authlen)
{
result = Tspi_Context_CreateObject(tss_context, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &policy);
result = policySetSecret(policy, authlen, auth);
if(TSS_SUCCESS != result)
{
Log_Text("setPolicy_in_create_key", TPW_POLICY_ERROR);
return TPW_POLICY_ERROR;
}
result = policyAssign(policy, *user_key);
if(TSS_SUCCESS != result)
{
Log_Text("assignPolicy_in_create_key", TPW_POLICY_ERROR);
return TPW_KEY_ERROR;
}
}
result = keyCreateKey(*user_key, p_key, 0);
if(TSS_SUCCESS != result)
{
Log_Text("Create_in_create_key", TPW_KEY_ERROR);
return TPW_KEY_ERROR;
}
return TPW_SUCCESS;
}
TPW_RESULT load_key_and_auth(TSS_HCONTEXT tss_context, TSS_HKEY *h_srk, TSS_UUID key_uuid, TSS_FLAG aflags, BYTE *auth, int len)
{
TSS_RESULT result;
TSS_HPOLICY h_policy;
result = keyLoadKeyByUUID(tss_context, aflags, key_uuid, h_srk);
if(TSS_SUCCESS != result)
return TPW_KEY_ERROR;
result = policyGet(*h_srk, &h_policy);
if(TSS_SUCCESS != result)
return TPW_KEY_ERROR;
result = policySetSecret(h_policy, len, auth);
if(TSS_SUCCESS != result)
return TPW_KEY_ERROR;
}
/*
* Affect: Change owner or srk password
* Default: No action
* Required: Owner authentication
*/
int main(int argc, char **argv)
{
int i = 0, iRc = -1;
char *passwd = NULL;
int pswd_len;
TSS_HPOLICY hTpmPolicy, hNewPolicy;
TSS_HTPM hTpm;
TSS_HTPM hSrk;
BYTE well_known_secret[] = TSS_WELL_KNOWN_SECRET;
struct option opts[] = { {"owner", no_argument, NULL, 'o'},
{"srk", no_argument, NULL, 's'},
{"original_password_unicode", no_argument, NULL, 'g'},
{"new_password_unicode", no_argument, NULL, 'n'},
{"well-known", no_argument, NULL, 'z'},
{"set-well-known", no_argument, NULL, 'r'},
};
initIntlSys();
if (genericOptHandler
(argc, argv, "zrsogn", opts, sizeof(opts) / sizeof(struct option),
parse, help) != 0)
goto out;
//nothing selected
if ((!changeRequested && wellKnown) || (!changeRequested)) {
help(argv[0]);
goto out;
}
//Connect to TSS and TPM
if (contextCreate(&hContext) != TSS_SUCCESS)
goto out;
if (contextConnect(hContext) != TSS_SUCCESS)
goto out_close;
if (contextGetTpm(hContext, &hTpm) != TSS_SUCCESS)
goto out_close;
if (wellKnown) {
passwd = (char *)well_known_secret;
pswd_len = TCPA_SHA1_160_HASH_LEN;
} else {
passwd = _GETPASSWD(_("Enter owner password: "******"Failed to get owner password\n"));
goto out_close;
}
}
if (policyGet(hTpm, &hTpmPolicy) != TSS_SUCCESS)
goto out_close;
if (policySetSecret(hTpmPolicy, pswd_len, (BYTE *)passwd) != TSS_SUCCESS)
goto out_close;
if (!wellKnown && !setWellKnown) {
shredPasswd(passwd);
passwd = NULL;
}
do {
if (auths[i].change) {
logInfo(_("Changing password for: %s.\n"), _(auths[i].name));
if (setWellKnown) {
passwd = (char *)well_known_secret;
pswd_len = TCPA_SHA1_160_HASH_LEN;
} else {
passwd = _GETPASSWD(_(auths[i].prompt), &pswd_len,
TRUE, newUnicode || useUnicode );
if (!passwd) {
logError(_("Failed to get new password.\n"));
goto out_close;
}
}
if (contextCreateObject
(hContext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE,
&hNewPolicy) != TSS_SUCCESS)
goto out_close;
if (policySetSecret
(hNewPolicy, pswd_len,
(BYTE *)passwd) != TSS_SUCCESS)
goto out_close;
if (i == owner) {
if (tpmChangeAuth(hTpm, NULL_HOBJECT, hNewPolicy) != TSS_SUCCESS)
goto out_close;
} else if (i == srk) {
if (keyLoadKeyByUUID
(hContext, TSS_PS_TYPE_SYSTEM,
SRK_UUID, &hSrk) != TSS_SUCCESS)
goto out_close;
if (tpmChangeAuth(hSrk, hTpm, hNewPolicy) != TSS_SUCCESS)
goto out_close;
}
logInfo(_("Change of %s password successful.\n"), _(auths[i].name));
if (!wellKnown && !setWellKnown) {
shredPasswd(passwd);
passwd = NULL;
}
}
} while (auths[++i].name);
iRc = 0;
out_close:
contextClose(hContext);
out:
if (passwd && !wellKnown && !setWellKnown)
shredPasswd(passwd);
return iRc;
}
int main(int argc, char **argv)
{
char *szTpmPasswd = NULL;
int pswd_len;
TSS_HTPM hTpm;
TSS_HPOLICY hTpmPolicy;
int iRc = -1;
struct option opts[] = {
{"force", no_argument, NULL, 'f'},
{"well-known", no_argument, NULL, 'z'},
};
BYTE well_known[] = TSS_WELL_KNOWN_SECRET;
initIntlSys();
if (genericOptHandler
(argc, argv, "fz", opts, sizeof(opts) / sizeof(struct option),
parse, help) != 0)
goto out;
if (contextCreate(&hContext) != TSS_SUCCESS)
goto out;
if (contextConnect(hContext) != TSS_SUCCESS)
goto out_close;
if (contextGetTpm(hContext, &hTpm) != TSS_SUCCESS)
goto out_close;
if (!bValue) {
if (isWellKnown){
szTpmPasswd = (char *)well_known;
pswd_len = sizeof(well_known);
}else{
szTpmPasswd = GETPASSWD(_("Enter owner password: "******"Failed to get password\n"));
goto out_close;
}
}
if (policyGet(hTpm, &hTpmPolicy) != TSS_SUCCESS)
goto out_close;
if (policySetSecret(hTpmPolicy, pswd_len,
(BYTE *)szTpmPasswd) != TSS_SUCCESS)
goto out_close;
}
//Setup complete attempt command
if (tpmClearOwner(hTpm, bValue) != TSS_SUCCESS)
goto out_close;
//Command successful
iRc = 0;
logSuccess(argv[0]);
logMsg( _("TPM Successfuly Cleared. You need to reboot to complete this operation. After reboot the TPM will be in the default state: unowned, disabled and inactive.\n") );
//Cleanup
out_close:
if (szTpmPasswd && !isWellKnown)
shredPasswd(szTpmPasswd);
contextClose(hContext);
out:
return iRc;
}
int main(int argc, char **argv)
{
char *szTpmPasswd = NULL;
int pswd_len;
TSS_HPOLICY hTpmPolicy;
TSS_HTPM hTpm;
int iRc = -1;
struct option opts[] = { {"allow", no_argument, NULL, 'a'},
{"status", no_argument, NULL, 's'},
{"restrict", no_argument, NULL, 'r'},
{"well-known", no_argument, NULL, 'z'},
};
BYTE well_known[TCPA_SHA1_160_HASH_LEN] = TSS_WELL_KNOWN_SECRET;
initIntlSys();
if (genericOptHandler
(argc, argv, "asrz", opts, sizeof(opts) / sizeof(struct option),
parse, help) != 0)
goto out;
/* If no args are given, the default should be to give status */
if (argc == 1)
bCheck = TRUE;
//Connect to TSS and TPM
if (contextCreate(&hContext) != TSS_SUCCESS)
goto out;
if (contextConnect(hContext) != TSS_SUCCESS)
goto out_close;
if (contextGetTpm(hContext, &hTpm) != TSS_SUCCESS)
goto out_close;
if (isWellKnown) {
szTpmPasswd = (char *)well_known;
pswd_len = sizeof(well_known);
} else {
// Prompt for owner password
szTpmPasswd = GETPASSWD(_("Enter owner password: "******"Failed to get password\n"));
goto out_close;
}
}
if (policyGet(hTpm, &hTpmPolicy) != TSS_SUCCESS)
goto out_close;
if (policySetSecret
(hTpmPolicy, pswd_len, (BYTE *)szTpmPasswd) != TSS_SUCCESS)
goto out_close;
if (bCheck) {
TSS_BOOL bValue;
if (tpmGetStatus
(hTpm, TSS_TPMSTATUS_DISABLEPUBSRKREAD,
&bValue) != TSS_SUCCESS)
goto out;
logMsg(_("Storage Root Key readable with: %s\n"),
bValue ? _("owner auth") : _("SRK auth"));
} else {
if (tpmSetStatus(hTpm, TSS_TPMSTATUS_DISABLEPUBSRKREAD, bRestrict)
!= TSS_SUCCESS)
goto out_close;
}
iRc = 0;
logSuccess(argv[0]);
out_close:
contextClose(hContext);
out:
if (szTpmPasswd && !isWellKnown)
shredPasswd(szTpmPasswd);
return iRc;
}
int
main( int argc, char **argv )
{
char *szTpmPasswd = NULL;
int tpm_len;
TSS_HTPM hTpm;
TSS_HPOLICY hTpmPolicy;
TSS_BOOL bValue = TRUE;
int iRc = -1;
struct option opts[] = {
{"use-hex", no_argument, NULL, 'x'},
{"well-known", no_argument, NULL, 'z'},
};
BYTE wellKnown[TCPA_SHA1_160_HASH_LEN] = TSS_WELL_KNOWN_SECRET;
BYTE* pTpmPasswd = NULL;
int iTpmPasswdLen;
initIntlSys();
if (genericOptHandler(argc, argv, "xz", opts, sizeof(opts) / sizeof(struct option), parse,
help) != 0)
goto out;
if (contextCreate(&hContext) != TSS_SUCCESS)
goto out;
if (!isWellKnown) {
// Prompt for owner password
szTpmPasswd = GETPASSWD(_("Enter owner password: "******"Failed to get Owner password\n"));
goto out;
}
if( decodeHexPassword ) {
if( hex2bytea(szTpmPasswd, &pTpmPasswd, &iTpmPasswdLen) != 0 ) {
logError(_("Invalid hex owner secret\n"));
goto out_close;
}
}
} else {
szTpmPasswd = (char *)wellKnown;
tpm_len = sizeof(wellKnown);
}
if (contextConnect(hContext) != TSS_SUCCESS)
goto out_close;
if (contextGetTpm(hContext, &hTpm) != TSS_SUCCESS)
goto out_close;
if (policyGet(hTpm, &hTpmPolicy) != TSS_SUCCESS)
goto out_close;
if( decodeHexPassword ) {
if( Tspi_Policy_SetSecret(hTpmPolicy, TSS_SECRET_MODE_PLAIN, iTpmPasswdLen,
pTpmPasswd) != TSS_SUCCESS)
goto out_close;
}
else {
if (policySetSecret(hTpmPolicy, tpm_len, (BYTE *)szTpmPasswd) != TSS_SUCCESS)
goto out_close;
}
if (tpmSetStatus(hTpm, TSS_TPMSTATUS_RESETLOCK, bValue) != TSS_SUCCESS)
goto out_close;
iRc = 0;
logSuccess(argv[0]);
out_close:
contextClose(hContext);
out:
if (!isWellKnown && szTpmPasswd)
shredPasswd(szTpmPasswd);
if( pTpmPasswd )
shredByteArray(pTpmPasswd, iTpmPasswdLen);
return iRc;
}
int main(int argc, char **argv)
{
TSS_HTPM hTpm;
TSS_HNVSTORE nvObject;
TSS_FLAG fNvAttrs;
TSS_HPOLICY hTpmPolicy, hDataPolicy;
int iRc = -1;
BYTE well_known_secret[] = TSS_WELL_KNOWN_SECRET;
int opswd_len = -1;
int dpswd_len = -1;
struct option hOpts[] = {
{"index" , required_argument, NULL, 'i'},
{"size" , required_argument, NULL, 's'},
{"permissions" , required_argument, NULL, 'p'},
{"pwdo" , optional_argument, NULL, 'o'},
{"pwda" , optional_argument, NULL, 'a'},
{"use-unicode" , no_argument, NULL, 'u'},
{"data-well-known" , no_argument, NULL, 'z'},
{"owner-well-known", no_argument, NULL, 'y'},
{NULL , no_argument, NULL, 0},
};
initIntlSys();
if (genericOptHandler
(argc, argv, "i:s:p:o:a:yzu", hOpts,
sizeof(hOpts) / sizeof(struct option), parse, help) != 0)
goto out;
if (end) {
iRc = 0;
goto out;
}
if (!nvindex_set) {
logError(_("You must provide an index for the NVRAM area.\n"));
goto out;
}
if (nvperm == 0 &&
(UINT32)nvindex != TPM_NV_INDEX_LOCK &&
(UINT32)nvindex != TPM_NV_INDEX0) {
logError(_("You must provide permission bits for the NVRAM area.\n"));
goto out;
}
logDebug("permissions = 0x%08x\n", nvperm);
if (contextCreate(&hContext) != TSS_SUCCESS)
goto out;
if (contextConnect(hContext) != TSS_SUCCESS)
goto out_close;
if (contextGetTpm(hContext, &hTpm) != TSS_SUCCESS)
goto out_close;
fNvAttrs = 0;
if (contextCreateObject(hContext,
TSS_OBJECT_TYPE_NV,
fNvAttrs,
&nvObject) != TSS_SUCCESS)
goto out_close;
if (askOwnerPass) {
ownerpass = _GETPASSWD(_("Enter owner password: "******"Failed to get owner password\n"));
goto out_close;
}
}
if (ownerpass || ownerWellKnown) {
if (policyGet(hTpm, &hTpmPolicy) != TSS_SUCCESS)
goto out_close;
if (ownerpass) {
if (opswd_len < 0)
opswd_len = strlen(ownerpass);
if (policySetSecret(hTpmPolicy, opswd_len,
(BYTE *)ownerpass) != TSS_SUCCESS)
goto out_close;
} else {
if (policySetSecret(hTpmPolicy, TCPA_SHA1_160_HASH_LEN,
(BYTE *)well_known_secret) != TSS_SUCCESS)
goto out_close;
}
}
if (askDataPass) {
datapass = _GETPASSWD(_("Enter NVRAM data password: "******"Failed to get NVRAM data password\n"));
goto out_close;
}
}
if (datapass || dataWellKnown) {
if (contextCreateObject
(hContext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE,
&hDataPolicy) != TSS_SUCCESS)
goto out_close;
if (datapass) {
if (dpswd_len < 0)
dpswd_len = strlen(datapass);
if (policySetSecret(hDataPolicy, dpswd_len,
(BYTE *)datapass) != TSS_SUCCESS)
goto out_close;
} else {
if (policySetSecret(hDataPolicy, TCPA_SHA1_160_HASH_LEN,
(BYTE *)well_known_secret) != TSS_SUCCESS)
goto out_close;
}
if (Tspi_Policy_AssignToObject(hDataPolicy, nvObject) !=
TSS_SUCCESS)
goto out_close;
}
if (Tspi_SetAttribUint32(nvObject,
TSS_TSPATTRIB_NV_INDEX,
0,
nvindex) != TSS_SUCCESS)
goto out_close_obj;
if (Tspi_SetAttribUint32(nvObject,
TSS_TSPATTRIB_NV_PERMISSIONS,
0,
nvperm) != TSS_SUCCESS)
goto out_close_obj;
if (Tspi_SetAttribUint32(nvObject,
TSS_TSPATTRIB_NV_DATASIZE,
0,
nvsize) != TSS_SUCCESS)
goto out_close_obj;
if (NVDefineSpace(nvObject, (TSS_HPCRS)0, (TSS_HPCRS)0) !=
TSS_SUCCESS)
goto out_close;
logMsg(_("Successfully created NVRAM area at index 0x%x (%u).\n"),
nvindex, nvindex);
iRc = 0;
goto out_close;
out_close_obj:
contextCloseObject(hContext, nvObject);
out_close:
contextClose(hContext);
out:
return iRc;
}
int main(int argc, char **argv)
{
TSS_HKEY hSrk, hKey;
TSS_HENCDATA hEncdata;
TSS_HPOLICY hPolicy;
int iRc = -1;
struct option opts[] =
{ {"infile", required_argument, NULL, 'i'},
{"outfile", required_argument, NULL, 'o'},
{"pcr", required_argument, NULL, 'p'},
{"unicode", no_argument, NULL, 'u'},
{"well-known", no_argument, NULL, 'z'}
};
unsigned char line[EVP_CIPHER_block_size(EVP_aes_256_cbc()) * 16];
int lineLen;
unsigned char encData[sizeof(line) + EVP_CIPHER_block_size(EVP_aes_256_cbc())];
int encDataLen;
UINT32 encLen, i;
BYTE *encKey;
BYTE *randKey = NULL;
UINT32 sealKeyLen;
BYTE *sealKey;
TSS_FLAG keyFlags = TSS_KEY_TYPE_STORAGE | TSS_KEY_SIZE_2048 |
TSS_KEY_VOLATILE | TSS_KEY_AUTHORIZATION |
TSS_KEY_NOT_MIGRATABLE;
TSS_HPOLICY hSrkPolicy;
char *passwd = NULL;
int pswd_len;
BYTE wellKnown[TCPA_SHA1_160_HASH_LEN] = TSS_WELL_KNOWN_SECRET;
BIO *bin = NULL, *bdata=NULL, *b64=NULL;
initIntlSys();
if (genericOptHandler(argc, argv, "i:o:p:uz", opts,
sizeof(opts) / sizeof(struct option), parse,
help) != 0)
goto out;
if (contextCreate(&hContext) != TSS_SUCCESS)
goto out;
if (contextConnect(hContext) != TSS_SUCCESS)
goto out_close;
if (contextGetTpm(hContext, &hTpm) != TSS_SUCCESS)
goto out_close;
/* Create a BIO for the input file */
if ((bin = BIO_new(BIO_s_file())) == NULL) {
logError(_("Unable to open input BIO\n"));
goto out_close;
}
/* Assign the input file to the BIO */
if (strlen(in_filename) == 0)
BIO_set_fp(bin, stdin, BIO_NOCLOSE);
else if (!BIO_read_filename(bin, in_filename)) {
logError(_("Unable to open input file: %s\n"),
in_filename);
goto out_close;
}
/* Create the PCRs object. If any PCRs above 15 are selected, this will need to be
* a 1.2 TSS/TPM */
if (selectedPcrsLen) {
TSS_FLAG initFlag = 0;
UINT32 pcrSize;
BYTE *pcrValue;
for (i = 0; i < selectedPcrsLen; i++) {
if (selectedPcrs[i] > 15) {
#ifdef TSS_LIB_IS_12
initFlag |= TSS_PCRS_STRUCT_INFO_LONG;
#else
logError(_("This version of %s was compiled for a v1.1 TSS, which "
"can only seal\n data to PCRs 0-15. PCR %u is out of range"
"\n"), argv[0], selectedPcrs[i]);
goto out_close;
#endif
}
}
if (contextCreateObject(hContext, TSS_OBJECT_TYPE_PCRS, initFlag,
&hPcrs) != TSS_SUCCESS)
goto out_close;
for (i = 0; i < selectedPcrsLen; i++) {
if (tpmPcrRead(hTpm, selectedPcrs[i], &pcrSize, &pcrValue) != TSS_SUCCESS)
goto out_close;
if (pcrcompositeSetPcrValue(hPcrs, selectedPcrs[i], pcrSize, pcrValue)
!= TSS_SUCCESS)
goto out_close;
}
#ifdef TSS_LIB_IS_12
if (initFlag) {
UINT32 localityValue =
TPM_LOC_ZERO | TPM_LOC_ONE | TPM_LOC_TWO | TPM_LOC_THREE |
TPM_LOC_FOUR;
if (pcrcompositeSetPcrLocality(hPcrs, localityValue) != TSS_SUCCESS)
goto out_close;
}
#endif
}
/* Retrieve random data to be used as the symmetric key
(this key will encrypt the input file contents) */
if (tpmGetRandom(hTpm, EVP_CIPHER_key_length(EVP_aes_256_cbc()),
&randKey) != TSS_SUCCESS)
goto out_close;
/* Load the SRK and set the SRK policy (no password) */
if (keyLoadKeyByUUID(hContext, TSS_PS_TYPE_SYSTEM, SRK_UUID, &hSrk)
!= TSS_SUCCESS)
goto out_close;
/* Use the context's default policy for the SRK secret */
if (policyGet(hSrk, &hSrkPolicy) != TSS_SUCCESS)
goto out_close;
/* Prompt for SRK password */
if (!isWellKnown) {
passwd = _GETPASSWD(_("Enter SRK password: "******"Failed to get SRK password\n"));
goto out_close;
}
} else {
passwd = (char *)wellKnown;
pswd_len = sizeof(wellKnown);
}
if (policySetSecret(hSrkPolicy, (UINT32)pswd_len, (BYTE *)passwd) != TSS_SUCCESS)
goto out_close;
if (!isWellKnown)
shredPasswd(passwd);
passwd = NULL;
/* Build an RSA key object that will be created by the TPM
(this will encrypt and protect the symmetric key) */
if (contextCreateObject
(hContext, TSS_OBJECT_TYPE_RSAKEY, keyFlags,
&hKey) != TSS_SUCCESS)
goto out_close;
if (contextCreateObject
(hContext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE,
&hPolicy) != TSS_SUCCESS)
goto out_close;
if (policySetSecret(hPolicy, strlen(TPMSEAL_SECRET), (BYTE *)TPMSEAL_SECRET)
!= TSS_SUCCESS)
goto out_close;
if (policyAssign(hPolicy, hKey) != TSS_SUCCESS)
goto out_close;
/* Create the RSA key (under the SRK) */
if (keyCreateKey(hKey, hSrk, NULL_HPCRS) != TSS_SUCCESS)
goto out_close;
/* Load the newly created RSA key */
if (keyLoadKey(hKey, hSrk) != TSS_SUCCESS)
goto out_close;
/* Build an encrypted data object that will hold the encrypted
version of the symmetric key */
if (contextCreateObject
(hContext, TSS_OBJECT_TYPE_ENCDATA, TSS_ENCDATA_SEAL,
&hEncdata) != TSS_SUCCESS)
goto out_close;
if (contextCreateObject
(hContext, TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE,
&hPolicy) != TSS_SUCCESS)
goto out_close;
if (policySetSecret(hPolicy, strlen(TPMSEAL_SECRET), (BYTE *)TPMSEAL_SECRET)
!= TSS_SUCCESS)
goto out_close;
if (policyAssign(hPolicy, hEncdata) != TSS_SUCCESS)
goto out_close;
/* Encrypt and seal the symmetric key */
if (dataSeal
(hEncdata, hKey, EVP_CIPHER_key_length(EVP_aes_256_cbc()),
randKey, hPcrs) != TSS_SUCCESS)
goto out_close;
if (getAttribData(hEncdata, TSS_TSPATTRIB_ENCDATA_BLOB,
TSS_TSPATTRIB_ENCDATABLOB_BLOB, &encLen,
&encKey) != TSS_SUCCESS)
goto out_close;
if (getAttribData
(hKey, TSS_TSPATTRIB_KEY_BLOB, TSS_TSPATTRIB_KEYBLOB_BLOB,
&sealKeyLen, &sealKey) != TSS_SUCCESS)
goto out_close;
/* Create a BIO to perform base64 encoding */
if ((b64 = BIO_new(BIO_f_base64())) == NULL) {
logError(_("Unable to open base64 BIO\n"));
goto out_close;
}
/* Create a BIO for the output file */
if ((bdata = BIO_new(BIO_s_file())) == NULL) {
logError(_("Unable to open output BIO\n"));
goto out_close;
}
/* Assign the output file to the BIO */
if (strlen(out_filename) == 0)
BIO_set_fp(bdata, stdout, BIO_NOCLOSE);
else if (BIO_write_filename(bdata, out_filename) <= 0) {
logError(_("Unable to open output file: %s\n"),
out_filename);
goto out_close;
}
/* Output the sealed data header string */
BIO_puts(bdata, TPMSEAL_HDR_STRING);
/* Sealing key used on the TPM */
BIO_puts(bdata, TPMSEAL_TSS_STRING);
bdata = BIO_push(b64, bdata);
BIO_write(bdata, sealKey, sealKeyLen);
if (BIO_flush(bdata) != 1) {
logError(_("Unable to flush output\n"));
goto out_close;
}
bdata = BIO_pop(b64);
/* Sealed EVP Symmetric Key */
BIO_puts(bdata, TPMSEAL_EVP_STRING);
BIO_puts(bdata, TPMSEAL_KEYTYPE_SYM);
BIO_puts(bdata, TPMSEAL_CIPHER_AES256CBC);
bdata = BIO_push(b64, bdata);
BIO_write(bdata, encKey, encLen);
if (BIO_flush(bdata) != 1) {
logError(_("Unable to flush output\n"));
goto out_close;
}
bdata = BIO_pop(b64);
/* Encrypted Data */
BIO_puts(bdata, TPMSEAL_ENC_STRING);
bdata = BIO_push(b64, bdata);
EVP_CIPHER_CTX ctx;
EVP_EncryptInit(&ctx, EVP_aes_256_cbc(), randKey, (unsigned char *)TPMSEAL_IV);
while ((lineLen = BIO_read(bin, line, sizeof(line))) > 0) {
EVP_EncryptUpdate(&ctx, encData, &encDataLen,
line, lineLen);
BIO_write(bdata, encData, encDataLen);
}
EVP_EncryptFinal(&ctx, encData, &encDataLen);
BIO_write(bdata, encData, encDataLen);
if (BIO_flush(bdata) != 1) {
logError(_("Unable to flush output\n"));
goto out_close;
}
bdata = BIO_pop(b64);
BIO_puts( bdata, TPMSEAL_FTR_STRING);
iRc = 0;
logSuccess(argv[0]);
out_close:
contextClose(hContext);
out:
if (bin)
BIO_free(bin);
if (bdata)
BIO_free(bdata);
if (b64)
BIO_free(b64);
return iRc;
}
