authorScott Rotondo <Scott.Rotondo@Sun.COM>2009-11-16 14:54:46 -0800
committerScott Rotondo <Scott.Rotondo@Sun.COM>2009-11-16 14:54:46 -0800
commit304d8f901e34de2a80ef006bfa8a8a927d23d56c (patch)
tree5ca413fed1f8b39f4f79724cd3c49e229f70f2d1
parentedf0039d316aafc2c1128aca35079119ecf024f1 (diff)
downloadillumos-joyent-304d8f901e34de2a80ef006bfa8a8a927d23d56c.tar.gz
6895727 tpmadm command needs to set prompts correctly for auth command
-rw-r--r--usr/src/cmd/cmd-crypto/tpmadm/admin_cmds.c34
-rw-r--r--usr/src/cmd/cmd-crypto/tpmadm/main.c44
-rw-r--r--usr/src/cmd/cmd-crypto/tpmadm/tpmadm.h6
3 files changed, 55 insertions, 29 deletions
diff --git a/usr/src/cmd/cmd-crypto/tpmadm/admin_cmds.c b/usr/src/cmd/cmd-crypto/tpmadm/admin_cmds.c
index d770336bcc..fcdc801baa 100644
--- a/usr/src/cmd/cmd-crypto/tpmadm/admin_cmds.c
+++ b/usr/src/cmd/cmd-crypto/tpmadm/admin_cmds.c
@@ -190,7 +190,7 @@ print_tpm_pcrs(TSS_HCONTEXT hContext, TSS_HOBJECT hTPM)
int
cmd_status(TSS_HCONTEXT hContext, TSS_HTPM hTPM, int argc, char *argv[])
{
- if (set_object_policy(hTPM, TSS_SECRET_MODE_POPUP, 0, NULL))
+ if (set_object_policy(hTPM, TSS_SECRET_MODE_POPUP, NULL, 0, NULL))
return (ERR_FAIL);
(void) print_tpm_version(hContext, hTPM);
@@ -429,7 +429,7 @@ cmd_keyinfo(TSS_HCONTEXT hContext, TSS_HTPM hTPM, int argc, char *argv[])
} uuid;
switch (argc) {
- case 1:
+ case 1:
/* Print key hierarchy */
ret = Tspi_Context_GetRegisteredKeysByUUID2(hContext,
TSS_PS_TYPE_USER, NULL, &num_keys, &keys);
@@ -456,7 +456,7 @@ cmd_keyinfo(TSS_HCONTEXT hContext, TSS_HTPM hTPM, int argc, char *argv[])
}
return (0);
- case 2:
+ case 2:
/* Print detailed info about a single key */
if (uuid_parse(argv[1], uuid.arr_uuid))
return (ERR_FAIL);
@@ -473,7 +473,7 @@ cmd_keyinfo(TSS_HCONTEXT hContext, TSS_HTPM hTPM, int argc, char *argv[])
print_key_info(hContext, hKey);
return (0);
- default:
+ default:
(void) fprintf(stderr, gettext("Usage:\n"));
(void) fprintf(stderr, "\tkeyinfo [uuid]\n");
return (ERR_USAGE);
@@ -520,7 +520,8 @@ clearowner(TSS_HTPM hTPM)
{
TSS_RESULT ret;
- if (set_object_policy(hTPM, TSS_SECRET_MODE_POPUP, 0, NULL))
+ if (set_object_policy(hTPM, TSS_SECRET_MODE_POPUP,
+ gettext("= TPM owner passphrase ="), 0, NULL))
return (ERR_FAIL);
ret = Tspi_TPM_ClearOwner(hTPM, FALSE);
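Review bot: The prompt literal `gettext("= TPM owner passphrase =")` is now spelled out at each call site of set_object_policy — here in clearowner and again in the resetlock, cmd_init and cmd_auth hunks below — so a later wording change has to be made in four places and any drift between them would show up as different popup titles for the same secret. One definition in tpmadm.h would keep the string extractable for translation while giving the callers a single name, e.g. `#define TPM_OWNER_PROMPT gettext("= TPM owner passphrase =")` and then `set_object_policy(hTPM, TSS_SECRET_MODE_POPUP, TPM_OWNER_PROMPT, 0, NULL)` at each site. The cmd_status hunk still passes a NULL prompt with TSS_SECRET_MODE_POPUP; if that is intentional (no owner auth expected for status), a one-line comment there saying so would stop readers from treating it as a missed site.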
@@ -536,7 +537,8 @@ resetlock(TSS_HTPM hTPM)
{
TSS_RESULT ret;
- if (set_object_policy(hTPM, TSS_SECRET_MODE_POPUP, 0, NULL))
+ if (set_object_policy(hTPM, TSS_SECRET_MODE_POPUP,
+ gettext("= TPM owner passphrase ="), 0, NULL))
return (ERR_FAIL);
ret = Tspi_TPM_SetStatus(hTPM, TSS_TPMSTATUS_RESETLOCK, TRUE);
@@ -644,7 +646,8 @@ cmd_init(TSS_HCONTEXT hContext, TSS_HTPM hTPM, int argc, char *argv[])
TSS_RESULT ret;
TSS_HOBJECT hKeySRK;
- if (set_object_policy(hTPM, TSS_SECRET_MODE_POPUP, 0, NULL))
+ if (set_object_policy(hTPM, TSS_SECRET_MODE_POPUP,
+ gettext("= TPM owner passphrase ="), 0, NULL))
return (ERR_FAIL);
ret = Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_RSAKEY,
@@ -654,7 +657,7 @@ cmd_init(TSS_HCONTEXT hContext, TSS_HTPM hTPM, int argc, char *argv[])
return (ERR_FAIL);
}
- if (set_object_policy(hKeySRK, TSS_SECRET_MODE_SHA1,
+ if (set_object_policy(hKeySRK, TSS_SECRET_MODE_SHA1, NULL,
sizeof (well_known), well_known))
return (ERR_FAIL);
@@ -683,27 +686,26 @@ cmd_auth(TSS_HCONTEXT hContext, TSS_HTPM hTPM, int argc, char *argv[])
TSS_RESULT ret;
TSS_HPOLICY hNewPolicy;
- if (set_object_policy(hTPM, TSS_SECRET_MODE_POPUP, 0, NULL))
+ if (set_object_policy(hTPM, TSS_SECRET_MODE_POPUP,
+ gettext("= TPM owner passphrase ="), 0, NULL))
return (ERR_FAIL);
- /* new policy object */
+ /* policy object for new passphrase */
ret = Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_POLICY,
TSS_POLICY_USAGE, &hNewPolicy);
if (ret) {
print_error(ret, gettext("Create policy object"));
return (ERR_FAIL);
}
- ret = Tspi_Policy_SetSecret(hNewPolicy, TSS_SECRET_MODE_POPUP,
- 0, NULL);
- if (ret) {
- print_error(ret, gettext("Set policy object secret"));
+ if (set_policy_options(hNewPolicy, TSS_SECRET_MODE_POPUP,
+ gettext("= New TPM owner passphrase ="), 0, NULL))
return (ERR_FAIL);
- }
ret = Tspi_ChangeAuth(hTPM, NULL, hNewPolicy);
- if (ret) {
+ if (ret && ret != TSP_ERROR(TSS_E_POLICY_NO_SECRET)) {
print_error(ret, gettext("Change authorization"));
return (ERR_FAIL);
}
+
return (0);
}
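Review bot: Tolerating `TSP_ERROR(TSS_E_POLICY_NO_SECRET)` on the Tspi_ChangeAuth result makes cmd_auth return 0 without printing anything, so the caller sees success even though the owner authorization was not changed. I infer from the POPUP mode set on hNewPolicy just above that this is the case where the user dismisses the new-passphrase popup, but the hunk does not say so; please confirm and record the reason in a comment, since an untagged exception in an auth-change path is easy to misread as a bug later. The user should also be told, e.g. `if (ret == TSP_ERROR(TSS_E_POLICY_NO_SECRET)) { (void) fprintf(stderr, gettext("Authorization not changed.\n")); return (0); }` placed before the existing failure check.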
diff --git a/usr/src/cmd/cmd-crypto/tpmadm/main.c b/usr/src/cmd/cmd-crypto/tpmadm/main.c
index 5ddfd3a078..1cdc02b14d 100644
--- a/usr/src/cmd/cmd-crypto/tpmadm/main.c
+++ b/usr/src/cmd/cmd-crypto/tpmadm/main.c
@@ -33,6 +33,7 @@
#include <locale.h>
#include <tss/tspi.h>
+#include <trousers/trousers.h>
#include "tpmadm.h"
extern cmdtable_t commands[];
@@ -124,7 +125,6 @@ void
print_error(TSS_RESULT ret, char *msg)
{
char *err_string;
- extern char *Trspi_Error_String();
/* Print the standard error string and error code. */
err_string = Trspi_Error_String(ret);
@@ -132,12 +132,12 @@ print_error(TSS_RESULT ret, char *msg)
/* For a few special cases, add a more verbose error message. */
switch (ret) {
- case TPM_E_DEACTIVATED:
- case TPM_E_DISABLED:
+ case TPM_E_DEACTIVATED:
+ case TPM_E_DISABLED:
(void) fprintf(stderr,
gettext("Enable the TPM and restart Solaris.\n"));
break;
- case TSP_ERROR(TSS_E_COMM_FAILURE):
+ case TSP_ERROR(TSS_E_COMM_FAILURE):
(void) fprintf(stderr,
gettext("Make sure the tcsd service "
"(svc:/application/security/tcsd) is running.\n"));
@@ -178,24 +178,46 @@ UINT32 subcap, void *buf, size_t bufsize)
}
int
-set_object_policy(TSS_HOBJECT handle, TSS_FLAG mode, UINT32 len, BYTE *secret)
+set_policy_options(TSS_HPOLICY hPolicy, TSS_FLAG mode, char *prompt,
+UINT32 secret_len, BYTE *secret)
{
- TSS_HPOLICY hPolicy;
TSS_RESULT ret;
+ BYTE *unicode_prompt;
+ UINT32 len;
- ret = Tspi_GetPolicyObject(handle, TSS_POLICY_USAGE, &hPolicy);
+ ret = Tspi_Policy_SetSecret(hPolicy, mode, secret_len, secret);
if (ret) {
- print_error(ret, gettext("Get object policy"));
+ print_error(ret, gettext("Set policy secret"));
return (ERR_FAIL);
}
+ if (prompt != NULL) {
+ unicode_prompt = Trspi_Native_To_UNICODE((BYTE *)prompt, &len);
+ ret = Tspi_SetAttribData(hPolicy,
+ TSS_TSPATTRIB_POLICY_POPUPSTRING,
+ NULL, len, unicode_prompt);
+ if (ret) {
+ print_error(ret, gettext("Set policy prompt"));
+ return (ERR_FAIL);
+ }
+ }
+
+ return (0);
+}
- ret = Tspi_Policy_SetSecret(hPolicy, mode, len, secret);
+int
+set_object_policy(TSS_HOBJECT handle, TSS_FLAG mode, char *prompt,
+UINT32 secret_len, BYTE *secret)
+{
+ TSS_HPOLICY hPolicy;
+ TSS_RESULT ret;
+
+ ret = Tspi_GetPolicyObject(handle, TSS_POLICY_USAGE, &hPolicy);
if (ret) {
- print_error(ret, gettext("Set policy secret"));
+ print_error(ret, gettext("Get object policy"));
return (ERR_FAIL);
}
- return (0);
+ return (set_policy_options(hPolicy, mode, prompt, secret_len, secret));
}
int
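Review bot: In set_policy_options the buffer returned by Trspi_Native_To_UNICODE is neither checked for NULL nor freed: as far as I recall, TrouSerS allocates that buffer and returns NULL on failure, so a failed conversion passes a NULL pointer with an indeterminate `len` into Tspi_SetAttribData, and every successful call leaks the converted prompt. Checking the result and releasing it after Tspi_SetAttribData has copied the attribute is a small change (free() needs <stdlib.h> if main.c does not already include it). As a point of style, `prompt` is only read, so `const char *prompt` would document that in both prototypes. The surrounding function set_object_policy is complete in the hunk; the `int` on the last line starts a function that continues outside it.

```c
	if (prompt != NULL) {
		unicode_prompt = Trspi_Native_To_UNICODE((BYTE *)prompt, &len);
		if (unicode_prompt == NULL) {
			(void) fprintf(stderr,
			    gettext("Set policy prompt: out of memory\n"));
			return (ERR_FAIL);
		}
		ret = Tspi_SetAttribData(hPolicy,
		    TSS_TSPATTRIB_POLICY_POPUPSTRING,
		    NULL, len, unicode_prompt);
		free(unicode_prompt);
		if (ret) {
			print_error(ret, gettext("Set policy prompt"));
			return (ERR_FAIL);
		}
	}
	/* … unchanged: return (0) … */
```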
diff --git a/usr/src/cmd/cmd-crypto/tpmadm/tpmadm.h b/usr/src/cmd/cmd-crypto/tpmadm/tpmadm.h
index 97e39f4288..179b86d1ad 100644
--- a/usr/src/cmd/cmd-crypto/tpmadm/tpmadm.h
+++ b/usr/src/cmd/cmd-crypto/tpmadm/tpmadm.h
@@ -44,8 +44,10 @@ void print_bytes(BYTE *bytes, size_t len, int formatted);
void print_error(TSS_RESULT ret, char *msg);
int get_tpm_capability(TSS_HCONTEXT hContext, TSS_HOBJECT hTPM,
UINT32 cap, UINT32 subcap, void *buf, size_t bufsize);
-int set_object_policy(TSS_HOBJECT handle, TSS_FLAG mode, UINT32 len,
- BYTE *secret);
+int set_policy_options(TSS_HPOLICY hPolicy, TSS_FLAG mode, char *prompt,
+ UINT32 secret_len, BYTE *secret);
+int set_object_policy(TSS_HOBJECT handle, TSS_FLAG mode, char *prompt,
+ UINT32 secret_len, BYTE *secret);
int tpm_preamble(TSS_HCONTEXT *hContext, TSS_HOBJECT *hTPM);
int tpm_postamble(TSS_HCONTEXT hContext);