WolfSSL
/
wolfTPM
mirror of https://github.com/wolfSSL/wolfTPM.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Added parameter encryption support to more examples. Fix to not set "encrypt" or "decrypt" if command doesn't allow it. Updated documentation.

pull/129/head
David Garske 2020-11-30 09:16:54 -08:00
parent 4c2e8d3f43
commit 4b0b70861c
38 changed files with 776 additions and 512 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.gitignore vendored
View File

@ -38,7 +38,6 @@ examples/tls/tls_client
examples/pkcs7/pkcs7
examples/timestamp/signed_timestamp
examples/pcr/quote
examples/pcr/quote_paramenc
examples/pcr/extend
examples/pcr/reset
examples/timestamp/clock_set
@ -51,8 +50,6 @@ tests/unit.test
examples/keygen/keyload
examples/keygen/keygen
examples/keygen/keyimport
examples/keygen/keygen_paramenc
examples/keygen/keyload_paramenc
# Generated Cert Files
certs/ca-*.pem

5
README.md
View File

@ -24,6 +24,7 @@ Portable TPM 2.0 project designed for embedded use.
* TLS Client
* TLS Server
* Benchmarking TPM algorithms and TLS
* Parameter encryption support using AES-CFB or XOR. Supports salted unbound authenticated sessions.
Note: See [examples/README.md](examples/README.md) for details on using the examples.
@ -637,6 +638,10 @@ Connection: close
## Todo
* Update to v1.59 of specification.
* Add HMAC support for "authValue".
* Add ECC encrypted salt.
* Add bound auth session support.
* Add multiple auth session (nonceTPMDecrypt and nonceTPMEncrypt) support.
## Support

22
examples/README.md
View File

@ -6,6 +6,8 @@ The examples create RSA and ECC keys in NV for testing using handles defined in
The PKCS #7 and TLS examples require generating CSR's and signing them using a test script. See CSR and Certificate Signing below.
To enable parameter encryption use `-aes` for AES-CFB mode or `-xor` for XOR mode. Only some TPM commands / responses support parameter encryption. If the TPM2_ API has .flags `CMD_FLAG_ENC2` or `CMD_FLAG_DEC2` set then the command will use parameter encryption / decryption.
## Native API Test
Demonstrates calling native TPM2_* API's.
@ -110,8 +112,8 @@ To use symmetric AES/Hashing/HMAC with the TPM define `WOLFTPM_USE_SYMMETRIC`.
Generation of the Client and Server Certificates requires running:
1. `./examples/keygen/keygen rsa_test_blob.raw -RSA -T`
2. `./examples/keygen/keygen ecc_test_blob.raw -ECC -T`
1. `./examples/keygen/keygen rsa_test_blob.raw -rsa -t`
2. `./examples/keygen/keygen ecc_test_blob.raw -ecc -t`
3. `./examples/csr/csr`
4. `./certs/certreq.sh`
5. Copy the CA files from wolfTPM to wolfSSL certs directory.
@ -134,9 +136,9 @@ or
`./examples/server/server -b -p 11111 -g -A ./certs/tpm-ca-ecc-cert.pem -i -V`
Then run the wolfTPM TLS client example:
`./examples/tls/tls_client RSA`
`./examples/tls/tls_client -rsa`
or
`./examples/tls/tls_client ECC`
`./examples/tls/tls_client -ecc`
### TLS Server
@ -146,9 +148,9 @@ This example shows using a TPM key and certificate for a TLS server.
By default it listens on port 11111 and can be overridden at build-time using the `TLS_PORT` macro.
Run the wolfTPM TLS server example:
`./examples/tls/tls_server RSA`
`./examples/tls/tls_server -rsa`
or
`./examples/tls/tls_server ECC`
`./examples/tls/tls_server -ecc`
Then run the wolfSSL example client this like:
`./examples/client/client -h localhost -p 11111 -g -d`
@ -194,7 +196,7 @@ Performance benchmarks.
Examples for generating a TPM key blob and storing to disk, then loading from disk and loading into temporary TPM handle.
```
$ ./examples/keygen/keygen keyblob.bin -RSA
$ ./examples/keygen/keygen keyblob.bin -rsa
TPM2.0 Key generation example
Loading SRK: Storage 0x81000200 (282 bytes)
Creating new RSA key...
@ -208,7 +210,7 @@ Reading 840 bytes from keyblob.bin
Loaded key to 0x80000001
$ ./examples/keygen/keygen keyblob.bin -ECC
$ ./examples/keygen/keygen keyblob.bin -ecc
TPM2.0 Key generation example
Loading SRK: Storage 0x81000200 (282 bytes)
Creating new ECC key...
@ -225,7 +227,7 @@ Loaded key to 0x80000001
Example for importing a private key as TPM key blob and storing to disk, then loading from disk and loading into temporary TPM handle.
```
$ ./examples/keygen/keyimport keyblob.bin -RSA
$ ./examples/keygen/keyimport keyblob.bin -rsa
TPM2.0 Key import example
Loading SRK: Storage 0x81000200 (282 bytes)
Imported key (pub 278, priv 222 bytes)
@ -238,7 +240,7 @@ Reading 840 bytes from keyblob.bin
Loaded key to 0x80000001
$ ./examples/keygen/keyimport keyblob.bin -ECC
$ ./examples/keygen/keyimport keyblob.bin -ecc
TPM2.0 Key Import example
Loading SRK: Storage 0x81000200 (282 bytes)
Imported key (pub 86, priv 126 bytes)

60
examples/bench/bench.c
View File

@ -181,11 +181,22 @@ exit:
return rc;
}
static void usage(void)
{
printf("Expected usage:\n");
printf("./examples/bench/bench [-aes/xor]\n");
printf("* -aes/xor: Use Parameter Encryption\n");
}
/******************************************************************************/
/* --- BEGIN Bench Wrapper -- */
/******************************************************************************/
int TPM2_Wrapper_Bench(void* userCtx)
{
return TPM2_Wrapper_BenchArgs(userCtx, 0, NULL);
}
int TPM2_Wrapper_Bench(void* userCtx, int argc, char *argv[])
int TPM2_Wrapper_BenchArgs(void* userCtx, int argc, char *argv[])
{
int rc;
WOLFTPM2_DEV dev;
@ -199,11 +210,35 @@ int TPM2_Wrapper_Bench(void* userCtx, int argc, char *argv[])
TPM2B_ECC_POINT pubPoint;
double start;
int count;
TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
WOLFTPM2_SESSION tpmSession;
if (argc >= 2) {
if (XSTRNCMP(argv[1], "-?", 2) == 0 ||
XSTRNCMP(argv[1], "-h", 2) == 0 ||
XSTRNCMP(argv[1], "--help", 6) == 0) {
usage();
return 0;
}
}
while (argc > 1) {
if (XSTRNCMP(argv[argc-1], "-aes", 4) == 0) {
paramEncAlg = TPM_ALG_CFB;
}
if (XSTRNCMP(argv[argc-1], "-xor", 4) == 0) {
paramEncAlg = TPM_ALG_XOR;
}
argc--;
}
XMEMSET(&storageKey, 0, sizeof(storageKey));
XMEMSET(&eccKey, 0, sizeof(eccKey));
XMEMSET(&rsaKey, 0, sizeof(rsaKey));
XMEMSET(&tpmSession, 0, sizeof(tpmSession));
printf("TPM2 Benchmark using Wrapper API's\n");
(void)argc;
(void)argv;
printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg));
/* Init the TPM2 device */
rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
@ -213,6 +248,20 @@ int TPM2_Wrapper_Bench(void* userCtx, int argc, char *argv[])
rc = getPrimaryStoragekey(&dev, &storageKey, TPM_ALG_RSA);
if (rc != 0) goto exit;
if (paramEncAlg != TPM_ALG_NULL) {
/* Start an authenticated session (salted / unbound) with parameter encryption */
rc = wolfTPM2_StartSession(&dev, &tpmSession, &storageKey, NULL,
TPM_SE_HMAC, paramEncAlg);
if (rc != 0) goto exit;
printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
(word32)tpmSession.handle.hndl);
/* set session for authorization of the storage key */
rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession,
(TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | TPMA_SESSION_continueSession));
if (rc != 0) goto exit;
}
/* RNG Benchmark */
bench_stats_start(&count, &start);
do {
@ -423,6 +472,7 @@ exit:
wolfTPM2_UnloadHandle(&dev, &rsaKey.handle);
wolfTPM2_UnloadHandle(&dev, &eccKey.handle);
wolfTPM2_UnloadHandle(&dev, &tpmSession.handle);
wolfTPM2_Cleanup(&dev);
@ -441,7 +491,7 @@ int main(int argc, char *argv[])
int rc = -1;
#if !defined(WOLFTPM2_NO_WRAPPER) && !defined(NO_TPM_BENCH)
rc = TPM2_Wrapper_Bench(NULL, argc, argv);
rc = TPM2_Wrapper_BenchArgs(NULL, argc, argv);
#else
printf("Wrapper code not compiled in\n");
#endif

3
examples/bench/bench.h
View File

@ -26,7 +26,8 @@
extern "C" {
#endif
int TPM2_Wrapper_Bench(void* userCtx, int argc, char *argv[]);
int TPM2_Wrapper_BenchArgs(void* userCtx, int argc, char *argv[]);
int TPM2_Wrapper_Bench(void* userCtx);
#ifdef __cplusplus
} /* extern "C" */

8
examples/csr/csr.c
View File

@ -137,7 +137,11 @@ exit:
return rc;
}
int TPM2_CSR_Example(void* userCtx, int argc, char *argv[])
int TPM2_CSR_Example(void* userCtx)
{
return TPM2_CSR_ExampleArgs(userCtx, 0, NULL);
}
int TPM2_CSR_ExampleArgs(void* userCtx, int argc, char *argv[])
{
int rc;
WOLFTPM2_DEV dev;
@ -243,7 +247,7 @@ int main(int argc, char *argv[])
#if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) && \
defined(WOLFSSL_CERT_REQ) && \
(defined(WOLF_CRYPTO_DEV) || defined(WOLF_CRYPTO_CB))
rc = TPM2_CSR_Example(NULL, argc, argv);
rc = TPM2_CSR_ExampleArgs(NULL, argc, argv);
#else
(void)argc;
(void)argv;

3
examples/csr/csr.h
View File

@ -26,7 +26,8 @@
extern "C" {
#endif
int TPM2_CSR_Example(void* userCtx, int argc, char *argv[]);
int TPM2_CSR_Example(void* userCtx);
int TPM2_CSR_ExampleArgs(void* userCtx, int argc, char *argv[]);
#ifdef __cplusplus
} /* extern "C" */

28
examples/keygen/keygen.c
View File

@ -37,9 +37,10 @@
static void usage(void)
{
printf("Expected usage:\n");
printf("keygen [keyblob.bin] [-ECC/-RSA] [-T] [-e]\n");
printf("-T: Use default template (otherwise AIK)\n");
printf("-e: Use Parameter Encryption\n");
printf("./examples/keygen/keygen [keyblob.bin] [-ecc/-rsa] [-t] [-aes/xor]\n");
printf("* -ecc: Use RSA or ECC for keys\n");
printf("* -t: Use default template (otherwise AIK)\n");
printf("* -aes/xor: Use Parameter Encryption\n");
}
int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
@ -50,7 +51,7 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
WOLFTPM2_KEYBLOB newKey;
TPMT_PUBLIC publicTemplate;
TPMI_ALG_PUBLIC alg = TPM_ALG_RSA; /* TPM_ALG_ECC */
int useParamEnc = 0;
TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
WOLFTPM2_SESSION tpmSession;
TPM2B_AUTH auth;
int bAIK = 1;
@ -71,14 +72,17 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
outputFile = argv[1];
}
while (argc > 1) {
if (XSTRNCMP(argv[argc-1], "-ECC", 4) == 0) {
if (XSTRNCMP(argv[argc-1], "-ecc", 4) == 0) {
alg = TPM_ALG_ECC;
}
if (XSTRNCMP(argv[argc-1], "-T", 2) == 0) {
if (XSTRNCMP(argv[argc-1], "-t", 2) == 0) {
bAIK = 0;
}
if (XSTRNCMP(argv[argc-1], "-e", 2) == 0) {
useParamEnc = 1;
if (XSTRNCMP(argv[argc-1], "-aes", 4) == 0) {
paramEncAlg = TPM_ALG_CFB;
}
if (XSTRNCMP(argv[argc-1], "-xor", 4) == 0) {
paramEncAlg = TPM_ALG_XOR;
}
argc--;
}
@ -92,7 +96,7 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
printf("\tKey Blob: %s\n", outputFile);
printf("\tAlgorithm: %s\n", TPM2_GetAlgName(alg));
printf("\tTemplate: %s\n", bAIK ? "AIK" : "Default");
printf("\tUse Parameter Encryption: %d\n", useParamEnc);
printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg));
rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
if (rc != TPM_RC_SUCCESS) {
@ -104,10 +108,10 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
rc = getPrimaryStoragekey(&dev, &storage, TPM_ALG_RSA);
if (rc != 0) goto exit;
if (useParamEnc) {
/* Start an authenticated session (salted / unbound with AES CFB parameter encryption) */
if (paramEncAlg != TPM_ALG_NULL) {
/* Start an authenticated session (salted / unbound) with parameter encryption */
rc = wolfTPM2_StartSession(&dev, &tpmSession, &storage, NULL,
TPM_SE_POLICY, TPM_ALG_CFB);
TPM_SE_HMAC, paramEncAlg);
if (rc != 0) goto exit;
printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
(word32)tpmSession.handle.hndl);

2
examples/keygen/keygen.h
View File

@ -29,8 +29,6 @@
int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[]);
int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[]);
int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[]);
int TPM2_Keygen_ParamEnc_Example(void* userCtx, int argc, char *argv[]);
int TPM2_Keyload_ParamEnc_Example(void* userCtx, int argc, char *argv[]);
#ifdef __cplusplus
} /* extern "C" */

25
examples/keygen/keyimport.c
View File

@ -38,11 +38,11 @@
static void usage(void)
{
printf("Expected usage:\n");
printf("keyimport [keyblob.bin] [-ECC/-RSA] [-e]\n");
printf("-e: Use Parameter Encryption\n");
printf("./examples/keygen/keyimport [keyblob.bin] [-ecc/-rsa] [-aes/xor]\n");
printf("* -ecc: Use RSA or ECC for keys\n");
printf("* -aes/xor: Use Parameter Encryption\n");
}
int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[])
{
int rc;
@ -50,7 +50,7 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[])
WOLFTPM2_KEY storage; /* SRK */
WOLFTPM2_KEYBLOB impKey;
TPMI_ALG_PUBLIC alg = TPM_ALG_RSA; /* TPM_ALG_ECC */
int useParamEnc = 0;
TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
WOLFTPM2_SESSION tpmSession;
#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_FILESYSTEM)
XFILE f;
@ -70,11 +70,14 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[])
outputFile = argv[1];
}
while (argc > 1) {
if (XSTRNCMP(argv[argc-1], "-ECC", 4) == 0) {
if (XSTRNCMP(argv[argc-1], "-ecc", 4) == 0) {
alg = TPM_ALG_ECC;
}
if (XSTRNCMP(argv[argc-1], "-e", 2) == 0) {
useParamEnc = 1;
if (XSTRNCMP(argv[argc-1], "-aes", 4) == 0) {
paramEncAlg = TPM_ALG_CFB;
}
if (XSTRNCMP(argv[argc-1], "-xor", 4) == 0) {
paramEncAlg = TPM_ALG_XOR;
}
argc--;
}
@ -86,7 +89,7 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[])
printf("TPM2.0 Key Import example\n");
printf("\tKey Blob: %s\n", outputFile);
printf("\tAlgorithm: %s\n", TPM2_GetAlgName(alg));
printf("\tUse Parameter Encryption: %d\n", useParamEnc);
printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg));
rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
if (rc != TPM_RC_SUCCESS) {
@ -98,10 +101,10 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[])
rc = getPrimaryStoragekey(&dev, &storage, TPM_ALG_RSA);
if (rc != 0) goto exit;
if (useParamEnc) {
/* Start an authenticated session (salted / unbound with AES CFB parameter encryption) */
if (paramEncAlg != TPM_ALG_NULL) {
/* Start an authenticated session (salted / unbound) with parameter encryption */
rc = wolfTPM2_StartSession(&dev, &tpmSession, &storage, NULL,
TPM_SE_POLICY, TPM_ALG_CFB);
TPM_SE_HMAC, paramEncAlg);
if (rc != 0) goto exit;
printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
(word32)tpmSession.handle.hndl);

21
examples/keygen/keyload.c
View File

@ -46,8 +46,8 @@
static void usage(void)
{
printf("Expected usage:\n");
printf("keyload [keyblob.bin] [-e]\n");
printf("-e: Use Parameter Encryption\n");
printf("./examples/keygen/keyload [keyblob.bin] [-aes/xor]\n");
printf("* -aes/xor: Use Parameter Encryption\n");
}
int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[])
@ -56,7 +56,7 @@ int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[])
WOLFTPM2_DEV dev;
WOLFTPM2_KEY storage; /* SRK */
WOLFTPM2_KEYBLOB newKey;
int useParamEnc = 0;
TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
WOLFTPM2_SESSION tpmSession;
#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_FILESYSTEM)
XFILE f;
@ -75,8 +75,11 @@ int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[])
inputFile = argv[1];
}
while (argc > 1) {
if (XSTRNCMP(argv[argc-1], "-e", 2) == 0) {
useParamEnc = 1;
if (XSTRNCMP(argv[argc-1], "-aes", 4) == 0) {
paramEncAlg = TPM_ALG_CFB;
}
if (XSTRNCMP(argv[argc-1], "-xor", 4) == 0) {
paramEncAlg = TPM_ALG_XOR;
}
argc--;
}
@ -87,7 +90,7 @@ int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[])
printf("TPM2.0 Key load example\n");
printf("\tKey Blob: %s\n", inputFile);
printf("\tUse Parameter Encryption: %d\n", useParamEnc);
printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg));
rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
if (rc != TPM_RC_SUCCESS) {
@ -99,10 +102,10 @@ int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[])
rc = getPrimaryStoragekey(&dev, &storage, TPM_ALG_RSA);
if (rc != 0) goto exit;
if (useParamEnc) {
/* Start an authenticated session (salted / unbound with AES CFB parameter encryption) */
if (paramEncAlg != TPM_ALG_NULL) {
/* Start an authenticated session (salted / unbound) with parameter encryption */
rc = wolfTPM2_StartSession(&dev, &tpmSession, &storage, NULL,
TPM_SE_POLICY, TPM_ALG_CFB);
TPM_SE_HMAC, paramEncAlg);
if (rc != 0) goto exit;
printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
(word32)tpmSession.handle.hndl);

15
examples/native/native_test.c
View File

@ -53,7 +53,11 @@ typedef struct tmpHandle {
} TpmHandle;
int TPM2_Native_Test(void* userCtx, int argc, char *argv[])
int TPM2_Native_Test(void* userCtx)
{
return TPM2_Native_TestArgs(userCtx, 0, NULL);
}
int TPM2_Native_TestArgs(void* userCtx, int argc, char *argv[])
{
int rc;
TPM2_CTX tpm2Ctx;
@ -377,7 +381,8 @@ int TPM2_Native_Test(void* userCtx, int argc, char *argv[])
}
/* PCR Extend and Verify */
pcrIndex = 16; /* Working with PCR16 because of next PCR Reset test */
/* Working with PCR16 because of next PCR Reset test */
pcrIndex = TPM2_TEST_PCR;
XMEMSET(&cmdIn.pcrExtend, 0, sizeof(cmdIn.pcrExtend));
cmdIn.pcrExtend.pcrHandle = pcrIndex;
cmdIn.pcrExtend.digests.count = 1;
@ -414,9 +419,9 @@ int TPM2_Native_Test(void* userCtx, int argc, char *argv[])
/* PCR Reset
Only PCR16(DEBUG) and PCR23(Application specific) can be reset
in locality 0. This is the only locality supoprted by wolfTPM.
in locality 0. This is the only locality supported by wolfTPM.
*/
pcrIndex = 16;
pcrIndex = TPM2_TEST_PCR;
XMEMSET(&cmdIn.pcrReset, 0, sizeof(cmdIn.pcrReset));
cmdIn.pcrReset.pcrHandle = pcrIndex;
rc = TPM2_PCR_Reset(&cmdIn.pcrReset);
@ -1373,7 +1378,7 @@ int main(int argc, char *argv[])
{
int rc;
rc = TPM2_Native_Test(NULL, argc, argv);
rc = TPM2_Native_TestArgs(NULL, argc, argv);
return rc;
}

3
examples/native/native_test.h
View File

@ -26,7 +26,8 @@
extern "C" {
#endif
int TPM2_Native_Test(void* userCtx, int argc, char *argv[]);
int TPM2_Native_Test(void* userCtx);
int TPM2_Native_TestArgs(void* userCtx, int argc, char *argv[]);
#ifdef __cplusplus
} /* extern "C" */

4
examples/pcr/extend.c
View File

@ -45,8 +45,8 @@ static void usage(void)
{
printf("Expected usage:\n");
printf("./examples/pcr/extend [pcr] [filename]\n");
printf("* pcr is a PCR index between 0-23 (default %d)\n", TPM2_TEST_PCR);
printf("* filename points to file(data) to measure\n");
printf("* pcr: PCR index between 0-23 (default %d)\n", TPM2_TEST_PCR);
printf("* filename: points to file(data) to measure\n");
printf("\tIf wolfTPM is built with --disable-wolfcrypt the file\n"
"\tmust contain SHA256 digest ready for extend operation.\n"
"\tOtherwise, the extend tool computes the hash using wolfcrypt.\n");

65
examples/pcr/quote.c
View File

@ -41,13 +41,14 @@
static void usage(void)
{
printf("Expected usage:\n");
printf("./examples/pcr/quote [pcr] [filename] [-e]\n");
printf("* pcr is a PCR index between 0-23 (default %d)\n", TPM2_TEST_PCR);
printf("* filename for saving the TPMS_ATTEST structure to a file\n");
printf("./examples/pcr/quote [pcr] [filename] [-ecc] [-aes/xor]\n");
printf("* pcr: PCR index between 0-23 (default %d)\n", TPM2_TEST_PCR);
printf("* filename: for saving the TPMS_ATTEST structure to a file\n");
printf("* -ecc: Use RSA or ECC for EK/AIK\n");
printf("* -aes/xor: Use Parameter Encryption\n");
printf("Demo usage without parameters, generates quote over PCR%d and\n"
"saves the output TPMS_ATTEST structure to \"quote.blob\" file.\n",
TPM2_TEST_PCR);
printf("-e: Use Parameter Encryption\n");
}
int TPM2_Quote_Test(void* userCtx, int argc, char *argv[])
@ -58,11 +59,10 @@ int TPM2_Quote_Test(void* userCtx, int argc, char *argv[])
int dataSz;
WOLFTPM2_DEV dev;
TPMS_ATTEST attestedData;
TPMI_ALG_PUBLIC alg = TPM_ALG_RSA; /* TPM_ALG_ECC */
WOLFTPM2_KEY endorse; /* EK */
WOLFTPM2_KEY storage; /* SRK */
WOLFTPM2_KEY rsaKey; /* AIK */
WOLFTPM2_KEY aik; /* AIK */
union {
Quote_In quoteAsk;
byte maxInput[MAX_COMMAND_SIZE];
@ -71,12 +71,17 @@ int TPM2_Quote_Test(void* userCtx, int argc, char *argv[])
Quote_Out quoteResult;
byte maxOutput[MAX_RESPONSE_SIZE];
} cmdOut;
int useParamEnc = 0;
TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
WOLFTPM2_SESSION tpmSession;
#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_FILESYSTEM)
XFILE f;
#endif
XMEMSET(&endorse, 0, sizeof(endorse));
XMEMSET(&storage, 0, sizeof(storage));
XMEMSET(&aik, 0, sizeof(aik));
XMEMSET(&tpmSession, 0, sizeof(tpmSession));
if (argc >= 2) {
if (XSTRNCMP(argv[1], "-?", 2) == 0 ||
XSTRNCMP(argv[1], "-h", 2) == 0 ||
@ -98,21 +103,23 @@ int TPM2_Quote_Test(void* userCtx, int argc, char *argv[])
outputFile = argv[2];
}
while (argc > 1) {
if (XSTRNCMP(argv[argc-1], "-e", 2) == 0) {
useParamEnc = 1;
if (XSTRNCMP(argv[argc-1], "-ecc", 4) == 0) {
alg = TPM_ALG_ECC;
}
if (XSTRNCMP(argv[argc-1], "-aes", 4) == 0) {
paramEncAlg = TPM_ALG_CFB;
}
if (XSTRNCMP(argv[argc-1], "-xor", 4) == 0) {
paramEncAlg = TPM_ALG_XOR;
}
argc--;
}
XMEMSET(&endorse, 0, sizeof(endorse));
XMEMSET(&storage, 0, sizeof(storage));
XMEMSET(&rsaKey, 0, sizeof(rsaKey));
XMEMSET(&tpmSession, 0, sizeof(tpmSession));
printf("PCR Quote example - Demo of signed PCR measurement\n");
printf("\tOutput file: %s\n", outputFile);
printf("\tPCR Index: %d\n", pcrIndex);
printf("\tUse Parameter Encryption: %d\n", useParamEnc);
printf("\tUse %s SRK/AIK\n", TPM2_GetAlgName(alg));
printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg));
rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
if (rc != TPM_RC_SUCCESS) {
@ -122,7 +129,7 @@ int TPM2_Quote_Test(void* userCtx, int argc, char *argv[])
printf("wolfTPM2_Init: success\n");
/* Create Endorsement Key, also called EK */
rc = wolfTPM2_CreateEK(&dev, &endorse, TPM_ALG_RSA);
rc = wolfTPM2_CreateEK(&dev, &endorse, alg);
if (rc != TPM_RC_SUCCESS) {
printf("wolfTPM2_CreateEK: Endorsement failed 0x%x: %s\n",
rc, TPM2_GetRCString(rc));
@ -132,11 +139,11 @@ int TPM2_Quote_Test(void* userCtx, int argc, char *argv[])
(word32)endorse.handle.hndl, endorse.pub.size);
/* get SRK */
rc = getPrimaryStoragekey(&dev, &storage, TPM_ALG_RSA);
rc = getPrimaryStoragekey(&dev, &storage, alg);
if (rc != 0) goto exit;
/* Create an RSA key for Attestation purposes */
rc = wolfTPM2_CreateAndLoadAIK(&dev, &rsaKey, TPM_ALG_RSA, &storage,
/* Create key for Attestation purposes */
rc = wolfTPM2_CreateAndLoadAIK(&dev, &aik, alg, &storage,
(const byte*)gUsageAuth, sizeof(gUsageAuth)-1);
if (rc != TPM_RC_SUCCESS) {
printf("wolfTPM2_CreateAndLoadAIK failed 0x%x: %s\n", rc,
@ -144,12 +151,12 @@ int TPM2_Quote_Test(void* userCtx, int argc, char *argv[])
goto exit;
}
printf("wolfTPM2_CreateAndLoadAIK: AIK 0x%x (%d bytes)\n",
(word32)rsaKey.handle.hndl, rsaKey.pub.size);
(word32)aik.handle.hndl, aik.pub.size);
if (useParamEnc) {
/* Start an authenticated session (salted / unbound with AES CFB parameter encryption) */
if (paramEncAlg != TPM_ALG_NULL) {
/* Start an authenticated session (salted / unbound) with parameter encryption */
rc = wolfTPM2_StartSession(&dev, &tpmSession, &storage, NULL,
TPM_SE_POLICY, TPM_ALG_CFB);
TPM_SE_HMAC, paramEncAlg);
if (rc != 0) goto exit;
printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
(word32)tpmSession.handle.hndl);
@ -161,14 +168,14 @@ int TPM2_Quote_Test(void* userCtx, int argc, char *argv[])
}
/* set auth for using the AIK */
wolfTPM2_SetAuthHandle(&dev, 0, &rsaKey.handle);
wolfTPM2_SetAuthHandle(&dev, 0, &aik.handle);
/* Prepare Quote request */
XMEMSET(&cmdIn.quoteAsk, 0, sizeof(cmdIn.quoteAsk));
XMEMSET(&cmdOut.quoteResult, 0, sizeof(cmdOut.quoteResult));
cmdIn.quoteAsk.signHandle = rsaKey.handle.hndl;
cmdIn.quoteAsk.inScheme.scheme = TPM_ALG_RSASSA;
cmdIn.quoteAsk.inScheme.details.rsassa.hashAlg = TPM_ALG_SHA256;
cmdIn.quoteAsk.signHandle = aik.handle.hndl;
cmdIn.quoteAsk.inScheme.scheme = alg == TPM_ALG_RSA ? TPM_ALG_RSASSA : TPM_ALG_ECDSA;
cmdIn.quoteAsk.inScheme.details.any.hashAlg = TPM_ALG_SHA256;
cmdIn.quoteAsk.qualifyingData.size = 0; /* optional */
/* Choose PCR for signing */
TPM2_SetupPCRSel(&cmdIn.quoteAsk.PCRselect, TPM_ALG_SHA256, pcrIndex);
@ -223,7 +230,7 @@ int TPM2_Quote_Test(void* userCtx, int argc, char *argv[])
exit:
/* Close key handles */
wolfTPM2_UnloadHandle(&dev, &rsaKey.handle);
wolfTPM2_UnloadHandle(&dev, &aik.handle);
wolfTPM2_UnloadHandle(&dev, &storage.handle);
wolfTPM2_UnloadHandle(&dev, &endorse.handle);
wolfTPM2_UnloadHandle(&dev, &tpmSession.handle);

9
examples/pkcs7/pkcs7.c
View File

@ -292,8 +292,11 @@ exit:
return rc;
}
int TPM2_PKCS7_Example(void* userCtx, int argc, char *argv[])
int TPM2_PKCS7_Example(void* userCtx)
{
return TPM2_PKCS7_ExampleArgs(userCtx, 0, NULL);
}
int TPM2_PKCS7_ExampleArgs(void* userCtx, int argc, char *argv[])
{
int rc;
WOLFTPM2_DEV dev;
@ -409,7 +412,7 @@ int main(int argc, char *argv[])
#if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) && \
defined(HAVE_PKCS7) && \
(defined(WOLF_CRYPTO_DEV) || defined(WOLF_CRYPTO_CB))
rc = TPM2_PKCS7_Example(NULL, argc, argv);
rc = TPM2_PKCS7_ExampleArgs(NULL, argc, argv);
#else
(void)argc;
(void)argv;

3
examples/pkcs7/pkcs7.h
View File

@ -26,7 +26,8 @@
extern "C" {
#endif
int TPM2_PKCS7_Example(void* userCtx, int argc, char *argv[]);
int TPM2_PKCS7_Example(void* userCtx);
int TPM2_PKCS7_ExampleArgs(void* userCtx, int argc, char *argv[]);
#ifdef __cplusplus
} /* extern "C" */

2
examples/timestamp/clock_set.c
View File

@ -39,7 +39,7 @@
static void usage(void)
{
printf("Expected usage:\n");
printf("./examples/clock/clockSet [time]\n");
printf("./examples/clock/clock_set [time]\n");
printf("* time is a value in miliseconds used as increment (optional)\n");
printf("* Default time value is 50000 ms (50 seconds)\n");
printf("\tThe TPM clock can be set only forward.\n");

3
examples/timestamp/include.am
View File

@ -5,7 +5,8 @@ if BUILD_EXAMPLES
noinst_PROGRAMS += examples/timestamp/signed_timestamp
noinst_HEADERS += examples/timestamp/signed_timestamp.h
examples_timestamp_signed_timestamp_SOURCES = examples/timestamp/signed_timestamp.c \
examples/tpm_io.c
examples/tpm_io.c \
examples/tpm_test_keys.c
examples_timestamp_signed_timestamp_LDADD = src/libwolftpm.la $(LIB_STATIC_ADD)
examples_timestamp_signed_timestamp_DEPENDENCIES = src/libwolftpm.la
endif

185
examples/timestamp/signed_timestamp.c
View File

@ -29,6 +29,7 @@
#include <examples/tpm_io.h>
#include <examples/tpm_test.h>
#include <examples/tpm_test_keys.h>
#include "signed_timestamp.h"
#include <stdio.h>
@ -38,48 +39,72 @@
/* --- BEGIN TPM Timestamp Test -- */
/******************************************************************************/
int TPM2_Timestamp_Test(void* userCtx, int argc, char *argv[])
static void usage(void)
{
printf("Expected usage:\n");
printf("./examples/timestamp/signed_timestamp [-ecc] [-aes/xor]\n");
printf("* -ecc: Use RSA or ECC for EK/AIK\n");
printf("* -aes/xor: Use Parameter Encryption\n");
}
int TPM2_Timestamp_Test(void* userCtx)
{
return TPM2_Timestamp_TestArgs(userCtx, 0, NULL);
}
int TPM2_Timestamp_TestArgs(void* userCtx, int argc, char *argv[])
{
int rc;
WOLFTPM2_DEV dev;
TPMS_ATTEST attestedData;
#ifdef WOLFTPM_WINAPI
int tryNVkey = 0;
#else
int tryNVkey = 1;
#endif
union {
/* For managing TPM session */
StartAuthSession_In authSes;
PolicySecret_In policySecret;
/* For removing keys after use */
FlushContext_In flushCtx;
byte maxInput[MAX_COMMAND_SIZE];
} cmdIn;
union {
ReadClock_Out readClock;
GetTime_Out getTime;
/* Output from session operations */
StartAuthSession_Out authSes;
PolicySecret_Out policySecret;
byte maxOutput[MAX_RESPONSE_SIZE];
} cmdOut;
TPM_HANDLE sessionHandle = TPM_RH_NULL;
WOLFTPM2_KEY endorse; /* EK */
WOLFTPM2_KEY storage; /* SRK */
WOLFTPM2_KEY rsaKey; /* AIK */
(void)argc;
(void)argv;
WOLFTPM2_KEY aik; /* AIK */
TPMI_ALG_PUBLIC alg = TPM_ALG_RSA; /* TPM_ALG_ECC */
TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
WOLFTPM2_SESSION tpmSession;
TPMA_SESSION sessionAttributes;
XMEMSET(&endorse, 0, sizeof(endorse));
XMEMSET(&storage, 0, sizeof(storage));
XMEMSET(&rsaKey, 0, sizeof(rsaKey));
XMEMSET(&aik, 0, sizeof(aik));
XMEMSET(&tpmSession, 0, sizeof(tpmSession));
if (argc >= 2) {
if (XSTRNCMP(argv[1], "-?", 2) == 0 ||
XSTRNCMP(argv[1], "-h", 2) == 0 ||
XSTRNCMP(argv[1], "--help", 6) == 0) {
usage();
return 0;
}
}
while (argc > 1) {
if (XSTRNCMP(argv[argc-1], "-ecc", 4) == 0) {
alg = TPM_ALG_ECC;
}
if (XSTRNCMP(argv[argc-1], "-aes", 4) == 0) {
paramEncAlg = TPM_ALG_CFB;
}
if (XSTRNCMP(argv[argc-1], "-xor", 4) == 0) {
paramEncAlg = TPM_ALG_XOR;
}
argc--;
}
printf("TPM2 Demo of generating signed timestamp from the TPM\n");
printf("\tUse %s SRK/AIK\n", TPM2_GetAlgName(alg));
printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg));
rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
if (rc != TPM_RC_SUCCESS) {
printf("wolfTPM2_Init failed 0x%x: %s\n", rc, TPM2_GetRCString(rc));
@ -99,7 +124,7 @@ int TPM2_Timestamp_Test(void* userCtx, int argc, char *argv[])
/* Create Endorsement Key, also called EK */
rc = wolfTPM2_CreateEK(&dev, &endorse, TPM_ALG_RSA);
rc = wolfTPM2_CreateEK(&dev, &endorse, alg);
if (rc != TPM_RC_SUCCESS) {
printf("wolfTPM2_CreateEK: Endorsement failed 0x%x: %s\n",
rc, TPM2_GetRCString(rc));
@ -109,45 +134,8 @@ int TPM2_Timestamp_Test(void* userCtx, int argc, char *argv[])
(word32)endorse.handle.hndl, endorse.pub.size);
/* Create RSA Storage Key, also called SRK */
/* See if SRK already exists */
if (tryNVkey) {
rc = wolfTPM2_ReadPublicKey(&dev, &storage, TPM2_DEMO_STORAGE_KEY_HANDLE);
#ifdef TEST_WRAP_DELETE_KEY
if (rc == 0) {
storage.handle.hndl = TPM2_DEMO_STORAGE_KEY_HANDLE;
rc = wolfTPM2_NVDeleteKey(&dev, TPM_RH_OWNER, &storage);
if (rc != 0) goto exit;
rc = TPM_RC_HANDLE; /* mark handle as missing */
}
#endif
}
if (!tryNVkey || (tryNVkey && rc != 0)) {
/* Create primary storage key (RSA) */
rc = wolfTPM2_CreateSRK(&dev, &storage, TPM_ALG_RSA,
(byte*)gStorageKeyAuth, sizeof(gStorageKeyAuth)-1);
if (rc != 0) goto exit;
if (tryNVkey) {
/* Move storage key into persistent NV */
rc = wolfTPM2_NVStoreKey(&dev, TPM_RH_OWNER, &storage,
TPM2_DEMO_STORAGE_KEY_HANDLE);
if (rc != 0) {
wolfTPM2_UnloadHandle(&dev, &storage.handle);
goto exit;
}
}
printf("Created new RSA Primary Storage Key at 0x%x\n",
storage.handle.hndl);
}
else {
/* specify auth password for storage key */
storage.handle.auth.size = sizeof(gStorageKeyAuth)-1;
XMEMCPY(storage.handle.auth.buffer, gStorageKeyAuth,
storage.handle.auth.size);
}
/* Create Storage Key, also called SRK */
rc = getPrimaryStoragekey(&dev, &storage, alg);
if (rc != TPM_RC_SUCCESS) {
printf("wolfTPM2_CreateSRK: Storage failed 0x%x: %s\n", rc,
TPM2_GetRCString(rc));
@ -156,36 +144,21 @@ int TPM2_Timestamp_Test(void* userCtx, int argc, char *argv[])
printf("wolfTPM2_CreateSRK: Storage 0x%x (%d bytes)\n",
(word32)storage.handle.hndl, storage.pub.size);
/* Start an authenticated session (salted / unbound) */
rc = wolfTPM2_StartSession(&dev, &tpmSession, NULL, NULL,
TPM_SE_POLICY, paramEncAlg);
if (rc != 0) goto exit;
printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
(word32)tpmSession.handle.hndl);
/* Start Auth Session */
XMEMSET(&cmdIn.authSes, 0, sizeof(cmdIn.authSes));
cmdIn.authSes.sessionType = TPM_SE_POLICY;
cmdIn.authSes.tpmKey = TPM_RH_NULL;
cmdIn.authSes.bind = TPM_RH_NULL;
cmdIn.authSes.symmetric.algorithm = TPM_ALG_NULL;
cmdIn.authSes.authHash = TPM_ALG_SHA256;
cmdIn.authSes.nonceCaller.size = TPM_SHA256_DIGEST_SIZE;
rc = TPM2_GetNonce(cmdIn.authSes.nonceCaller.buffer,
cmdIn.authSes.nonceCaller.size);
if (rc < 0) {
printf("TPM2_GetNonce failed 0x%x: %s\n", rc,
TPM2_GetRCString(rc));
goto exit;
}
rc = TPM2_StartAuthSession(&cmdIn.authSes, &cmdOut.authSes);
if (rc != TPM_RC_SUCCESS) {
printf("TPM2_StartAuthSession failed 0x%x: %s\n", rc,
TPM2_GetRCString(rc));
goto exit;
}
sessionHandle = cmdOut.authSes.sessionHandle;
printf("TPM2_StartAuthSession: sessionHandle 0x%x\n", (word32)sessionHandle);
/* Set the endorsement password (blank) */
rc = wolfTPM2_SetAuthPassword(&dev, 0, NULL);
if (rc != 0) goto exit;
/* Set PolicySecret for our session to enable use of the Endorsement Hierarchy */
XMEMSET(&cmdIn.policySecret, 0, sizeof(cmdIn.policySecret));
cmdIn.policySecret.authHandle = TPM_RH_ENDORSEMENT;
cmdIn.policySecret.policySession = sessionHandle;
cmdIn.policySecret.policySession = tpmSession.handle.hndl;
rc = TPM2_PolicySecret(&cmdIn.policySecret, &cmdOut.policySecret);
if (rc != TPM_RC_SUCCESS) {
printf("policySecret failed 0x%x: %s\n", rc, TPM2_GetRCString(rc));
@ -193,14 +166,13 @@ int TPM2_Timestamp_Test(void* userCtx, int argc, char *argv[])
}
printf("TPM2_policySecret success\n"); /* No use of the output */
/* At this stage, the EK is created and NULL password has already been set
* The EH is enabled through policySecret over the active TPM session and
* the creation of Attestation Identity Key (AIK) under the EH can take place.
*/
/* Create an Attestation RSA key (AIK) */
rc = wolfTPM2_CreateAndLoadAIK(&dev, &rsaKey, TPM_ALG_RSA, &storage,
/* Create an Attestation key (AIK) */
rc = wolfTPM2_CreateAndLoadAIK(&dev, &aik, alg, &storage,
(const byte*)gAiKeyAuth, sizeof(gAiKeyAuth)-1);
if (rc != TPM_RC_SUCCESS) {
printf("wolfTPM2_CreateAndLoadAIK failed 0x%x: %s\n", rc,
@ -208,14 +180,27 @@ int TPM2_Timestamp_Test(void* userCtx, int argc, char *argv[])
goto exit;
}
printf("wolfTPM2_CreateAndLoadAIK: AIK 0x%x (%d bytes)\n",
(word32)rsaKey.handle.hndl, rsaKey.pub.size);
(word32)aik.handle.hndl, aik.pub.size);
/* set NULL password auth for using EK */
wolfTPM2_SetAuthPassword(&dev, 0, NULL);
/* set auth for using the AIK */
wolfTPM2_SetAuthHandle(&dev, 1, &rsaKey.handle);
wolfTPM2_SetAuthHandle(&dev, 1, &aik.handle);
/* set session for authorization of the storage key */
sessionAttributes = TPMA_SESSION_continueSession;
if (paramEncAlg != TPM_ALG_NULL) {
sessionAttributes |= (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt);
}
#if 0
/* TODO: Investigate param enc with signed timestamp */
rc = wolfTPM2_SetAuthSession(&dev, 2, &tpmSession, sessionAttributes);
if (rc != 0) goto exit;
#else
(void)sessionAttributes;
#endif
/* At this stage: The EK is created, AIK is created and loaded,
* Endorsement Hierarchy is enabled through policySecret,
@ -224,7 +209,7 @@ int TPM2_Timestamp_Test(void* userCtx, int argc, char *argv[])
*/
/* Get signed by the TPM timestamp using the AIK key */
rc = wolfTPM2_GetTime(&rsaKey, &cmdOut.getTime);
rc = wolfTPM2_GetTime(&aik, &cmdOut.getTime);
if (rc != TPM_RC_SUCCESS) {
printf("wolfTPM2_GetTime failed 0x%x: %s\n", rc,
TPM2_GetRCString(rc));
@ -269,19 +254,9 @@ exit:
printf("Failure 0x%x: %s\n", rc, wolfTPM2_GetRCString(rc));
}
/* Close session */
if (sessionHandle != TPM_RH_NULL) {
cmdIn.flushCtx.flushHandle = sessionHandle;
TPM2_FlushContext(&cmdIn.flushCtx);
}
/* Close key handles */
if (!tryNVkey) {
wolfTPM2_UnloadHandle(&dev, &storage.handle);
}
wolfTPM2_UnloadHandle(&dev, &rsaKey.handle);
wolfTPM2_UnloadHandle(&dev, &aik.handle);
wolfTPM2_UnloadHandle(&dev, &endorse.handle);
wolfTPM2_UnloadHandle(&dev, &tpmSession.handle);
wolfTPM2_Cleanup(&dev);
return rc;
@ -300,7 +275,7 @@ int main(int argc, char *argv[])
int rc = -1;
#ifndef WOLFTPM2_NO_WRAPPER
rc = TPM2_Timestamp_Test(NULL, argc, argv);
rc = TPM2_Timestamp_TestArgs(NULL, argc, argv);
#else
printf("Wrapper code not compiled in\n");
#endif /* !WOLFTPM2_NO_WRAPPER */

3
examples/timestamp/signed_timestamp.h
View File

@ -26,7 +26,8 @@
extern "C" {
#endif
int TPM2_Timestamp_Test(void* userCtx, int argc, char *argv[]);
int TPM2_Timestamp_Test(void* userCtx);
int TPM2_Timestamp_TestArgs(void* userCtx, int argc, char *argv[]);
#ifdef __cplusplus
} /* extern "C" */

72
examples/tls/tls_client.c
View File

@ -77,7 +77,20 @@
/******************************************************************************/
/* --- BEGIN TPM TLS Client Example -- */
/******************************************************************************/
int TPM2_TLS_Client(void* userCtx, int argc, char *argv[])
static void usage(void)
{
printf("Expected usage:\n");
printf("./examples/tls/tls_client [-ecc] [-aes/xor]\n");
printf("* -ecc: Use RSA or ECC key\n");
printf("* -aes/xor: Use Parameter Encryption\n");
}
int TPM2_TLS_Client(void* userCtx)
{
return TPM2_TLS_ClientArgs(userCtx, 0, NULL);
}
int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
{
int rc;
WOLFTPM2_DEV dev;
@ -108,18 +121,46 @@ int TPM2_TLS_Client(void* userCtx, int argc, char *argv[])
int i;
#endif
int useECC = 0;
TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
WOLFTPM2_SESSION tpmSession;
/* initialize variables */
XMEMSET(&storageKey, 0, sizeof(storageKey));
XMEMSET(&sockIoCtx, 0, sizeof(sockIoCtx));
sockIoCtx.fd = -1;
XMEMSET(&tpmCtx, 0, sizeof(tpmCtx));
#ifndef NO_RSA
XMEMSET(&wolfRsaKey, 0, sizeof(wolfRsaKey));
#endif
#ifdef HAVE_ECC
XMEMSET(&wolfEccKey, 0, sizeof(wolfEccKey));
#endif
XMEMSET(&tpmSession, 0, sizeof(tpmSession));
printf("TPM2 TLS Client Example\n");
if (argc > 1) {
if (XSTRNCMP(argv[1], "ECC", 3) == 0) {
useECC = 1;
if (argc >= 2) {
if (XSTRNCMP(argv[1], "-?", 2) == 0 ||
XSTRNCMP(argv[1], "-h", 2) == 0 ||
XSTRNCMP(argv[1], "--help", 6) == 0) {
usage();
return 0;
}
}
while (argc > 1) {
if (XSTRNCMP(argv[argc-1], "-ecc", 4) == 0) {
useECC = 1;
}
if (XSTRNCMP(argv[argc-1], "-aes", 4) == 0) {
paramEncAlg = TPM_ALG_CFB;
}
if (XSTRNCMP(argv[argc-1], "-xor", 4) == 0) {
paramEncAlg = TPM_ALG_XOR;
}
argc--;
}
printf("TPM2 TLS Client Example\n");
printf("\tUse %s keys\n", useECC ? "ECC" : "RSA");
printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg));
/* Init the TPM2 device */
rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
@ -129,13 +170,10 @@ int TPM2_TLS_Client(void* userCtx, int argc, char *argv[])
}
/* Setup the wolf crypto device callback */
XMEMSET(&tpmCtx, 0, sizeof(tpmCtx));
#ifndef NO_RSA
XMEMSET(&wolfRsaKey, 0, sizeof(wolfRsaKey));
tpmCtx.rsaKey = &rsaKey;
#endif
#ifdef HAVE_ECC
XMEMSET(&wolfEccKey, 0, sizeof(wolfEccKey));
tpmCtx.eccKey = &eccKey;
#endif
tpmCtx.checkKeyCb = myTpmCheckKey; /* detects if using "dummy" key */
@ -149,6 +187,20 @@ int TPM2_TLS_Client(void* userCtx, int argc, char *argv[])
rc = getPrimaryStoragekey(&dev, &storageKey, TPM_ALG_RSA);
if (rc != 0) goto exit;
/* Start an authenticated session (salted / unbound) with parameter encryption */
if (paramEncAlg != TPM_ALG_NULL) {
rc = wolfTPM2_StartSession(&dev, &tpmSession, &storageKey, NULL,
TPM_SE_HMAC, paramEncAlg);
if (rc != 0) goto exit;
printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
(word32)tpmSession.handle.hndl);
/* set session for authorization of the storage key */
rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession,
(TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | TPMA_SESSION_continueSession));
if (rc != 0) goto exit;
}
#ifndef NO_RSA
if (!useECC) {
/* Create/Load RSA key for TLS authentication */
@ -497,7 +549,7 @@ int main(int argc, char* argv[])
#if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) && \
!defined(NO_WOLFSSL_CLIENT) && \
(defined(WOLF_CRYPTO_DEV) || defined(WOLF_CRYPTO_CB))
rc = TPM2_TLS_Client(NULL, argc, argv);
rc = TPM2_TLS_ClientArgs(NULL, argc, argv);
#else
(void)argc;
(void)argv;

6
examples/tls/tls_client.h
View File

@ -26,8 +26,10 @@
extern "C" {
#endif
int TPM2_TLS_Client(void* userCtx, int argc, char *argv[]);
int TLS_Client(int argc, char *argv[]);
int TPM2_TLS_Client(void* userCtx);
int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[]);
int TLS_Client(void);
int TLS_ClientArgs(int argc, char *argv[]);
#ifdef __cplusplus
} /* extern "C" */

8
examples/tls/tls_client_notpm.c
View File

@ -62,7 +62,11 @@
/******************************************************************************/
/* --- BEGIN TLS Client Example -- */
/******************************************************************************/
int TLS_Client(int argc, char *argv[])
int TLS_Client(void)
{
return TLS_ClientArgs(0, NULL);
}
int TLS_ClientArgs(int argc, char *argv[])
{
int rc = 0;
SockIoCbCtx sockIoCtx;
@ -302,7 +306,7 @@ int main(int argc, char *argv[])
#if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) && \
!defined(NO_WOLFSSL_CLIENT)
rc = TLS_Client(argc, argv);
rc = TLS_ClientArgs(argc, argv);
#else
printf("WolfSSL Client code not compiled in\n");
(void)argc;

2
examples/tls/tls_common.h
View File

@ -60,7 +60,7 @@
/* force use of a TLS cipher suite */
#if 0
#ifndef TLS_CIPHER_SUITE
#define TLS_CIPHER_SUITE "ECDHE-RSA-AES128-SHA256"
#define TLS_CIPHER_SUITE "ECDHE-rsa-AES128-SHA256"
#endif
#endif

73
examples/tls/tls_server.c
View File

@ -74,7 +74,19 @@
/******************************************************************************/
/* --- BEGIN TLS SERVER Example -- */
/******************************************************************************/
int TPM2_TLS_Server(void* userCtx, int argc, char *argv[])
static void usage(void)
{
printf("Expected usage:\n");
printf("./examples/tls/tls_server [-ecc] [-aes/xor]\n");
printf("* -ecc: Use RSA or ECC key\n");
printf("* -aes/xor: Use Parameter Encryption\n");
}
int TPM2_TLS_Server(void* userCtx)
{
return TPM2_TLS_ServerArgs(userCtx, 0, NULL);
}
int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
{
int rc;
WOLFTPM2_DEV dev;
@ -116,18 +128,46 @@ int TPM2_TLS_Server(void* userCtx, int argc, char *argv[])
int total_size;
#endif
int useECC = 0;
TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
WOLFTPM2_SESSION tpmSession;
/* initialize variables */
XMEMSET(&storageKey, 0, sizeof(storageKey));
XMEMSET(&sockIoCtx, 0, sizeof(sockIoCtx));
sockIoCtx.fd = -1;
XMEMSET(&tpmCtx, 0, sizeof(tpmCtx));
#ifndef NO_RSA
XMEMSET(&wolfRsaKey, 0, sizeof(wolfRsaKey));
#endif
#ifdef HAVE_ECC
XMEMSET(&wolfEccKey, 0, sizeof(wolfEccKey));
#endif
XMEMSET(&tpmSession, 0, sizeof(tpmSession));
printf("TPM2 TLS Server Example\n");
if (argc > 1) {
if (XSTRNCMP(argv[1], "ECC", 3) == 0) {
useECC = 1;
if (argc >= 2) {
if (XSTRNCMP(argv[1], "-?", 2) == 0 ||
XSTRNCMP(argv[1], "-h", 2) == 0 ||
XSTRNCMP(argv[1], "--help", 6) == 0) {
usage();
return 0;
}
}
while (argc > 1) {
if (XSTRNCMP(argv[argc-1], "-ecc", 4) == 0) {
useECC = 1;
}
if (XSTRNCMP(argv[argc-1], "-aes", 4) == 0) {
paramEncAlg = TPM_ALG_CFB;
}
if (XSTRNCMP(argv[argc-1], "-xor", 4) == 0) {
paramEncAlg = TPM_ALG_XOR;
}
argc--;
}
printf("TPM2 TLS Server Example\n");
printf("\tUse %s keys\n", useECC ? "ECC" : "RSA");
printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg));
/* Init the TPM2 device */
rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
@ -137,13 +177,10 @@ int TPM2_TLS_Server(void* userCtx, int argc, char *argv[])
}
/* Setup the wolf crypto device callback */
XMEMSET(&tpmCtx, 0, sizeof(tpmCtx));
#ifndef NO_RSA
XMEMSET(&wolfRsaKey, 0, sizeof(wolfRsaKey));
tpmCtx.rsaKey = &rsaKey;
#endif
#ifdef HAVE_ECC
XMEMSET(&wolfEccKey, 0, sizeof(wolfEccKey));
tpmCtx.eccKey = &eccKey;
#endif
tpmCtx.checkKeyCb = myTpmCheckKey; /* detects if using "dummy" key */
@ -158,6 +195,20 @@ int TPM2_TLS_Server(void* userCtx, int argc, char *argv[])
rc = getPrimaryStoragekey(&dev, &storageKey, TPM_ALG_RSA);
if (rc != 0) goto exit;
/* Start an authenticated session (salted / unbound) with parameter encryption */
if (paramEncAlg != TPM_ALG_NULL) {
rc = wolfTPM2_StartSession(&dev, &tpmSession, &storageKey, NULL,
TPM_SE_HMAC, paramEncAlg);
if (rc != 0) goto exit;
printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
(word32)tpmSession.handle.hndl);
/* set session for authorization of the storage key */
rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession,
(TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | TPMA_SESSION_continueSession));
if (rc != 0) goto exit;
}
#ifndef NO_RSA
if (!useECC) {
/* Create/Load RSA key for TLS authentication */
@ -323,7 +374,7 @@ int TPM2_TLS_Server(void* userCtx, int argc, char *argv[])
#if 0
/* Optionally choose the cipher suite */
rc = wolfSSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-AES128-GCM-SHA256");
rc = wolfSSL_CTX_set_cipher_list(ctx, "ECDHE-rsa-AES128-GCM-SHA256");
if (rc != WOLFSSL_SUCCESS) {
goto exit;
}
@ -466,7 +517,7 @@ int main(int argc, char* argv[])
#if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) && \
!defined(NO_WOLFSSL_SERVER) && \
(defined(WOLF_CRYPTO_DEV) || defined(WOLF_CRYPTO_CB))
rc = TPM2_TLS_Server(NULL, argc, argv);
rc = TPM2_TLS_ServerArgs(NULL, argc, argv);
#else
(void)argc;
(void)argv;

3
examples/tls/tls_server.h
View File

@ -26,7 +26,8 @@
extern "C" {
#endif
int TPM2_TLS_Server(void* userCtx, int argc, char* argv[]);
int TPM2_TLS_Server(void* userCtx);
int TPM2_TLS_ServerArgs(void* userCtx, int argc, char* argv[]);
#ifdef __cplusplus
} /* extern "C" */

4
examples/tpm_test_keys.c
View File

@ -104,8 +104,8 @@ static int readKeyBlob(const char* filename, WOLFTPM2_KEYBLOB* key)
rc = BUFFER_E;
printf("File %s not found!\n", filename);
printf("Keys can be generated by running:\n"
" ./examples/keygen/keygen rsa_test_blob.raw -RSA -T\n"
" ./examples/keygen/keygen ecc_test_blob.raw -ECC -T\n");
" ./examples/keygen/keygen rsa_test_blob.raw -rsa -t\n"
" ./examples/keygen/keygen ecc_test_blob.raw -ecc -t\n");
}
exit:

71
examples/wrap/wrap_test.c
View File

@ -49,7 +49,19 @@ void TPM2_Wrapper_SetReset(int reset)
resetTPM = reset;
}
int TPM2_Wrapper_Test(void* userCtx, int argc, char *argv[])
static void usage(void)
{
printf("Expected Usage:\n");
printf("./examples/wrap/wrap_test [-aes/xor]\n");
printf("* -aes/xor: Use Parameter Encryption\n");
}
int TPM2_Wrapper_Test(void* userCtx)
{
return TPM2_Wrapper_TestArgs(userCtx, 0, NULL);
}
int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[])
{
int rc, i;
WOLFTPM2_DEV dev;
@ -105,6 +117,8 @@ int TPM2_Wrapper_Test(void* userCtx, int argc, char *argv[])
ecc_key wolfEccPubKey;
ecc_key wolfEccPrivKey;
#endif
TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
WOLFTPM2_SESSION tpmSession;
#ifndef NO_RSA
XMEMSET(&wolfRsaPubKey, 0, sizeof(wolfRsaPubKey));
@ -114,13 +128,30 @@ int TPM2_Wrapper_Test(void* userCtx, int argc, char *argv[])
XMEMSET(&wolfEccPubKey, 0, sizeof(wolfEccPubKey));
XMEMSET(&wolfEccPrivKey, 0, sizeof(wolfEccPrivKey));
#endif
XMEMSET(&tpmSession, 0, sizeof(tpmSession));
#endif /* !WOLFTPM2_NO_WOLFCRYPT */
(void)argc;
(void)argv;
if (argc >= 2) {
if (XSTRNCMP(argv[1], "-?", 2) == 0 ||
XSTRNCMP(argv[1], "-h", 2) == 0 ||
XSTRNCMP(argv[1], "--help", 6) == 0) {
usage();
return 0;
}
}
while (argc > 1) {
if (XSTRNCMP(argv[argc-1], "-aes", 4) == 0) {
paramEncAlg = TPM_ALG_CFB;
}
if (XSTRNCMP(argv[argc-1], "-xor", 4) == 0) {
paramEncAlg = TPM_ALG_XOR;
}
argc--;
}
printf("TPM2 Demo for Wrapper API's\n");
/* Init the TPM2 device */
rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
if (rc != 0) return rc;
@ -205,6 +236,19 @@ int TPM2_Wrapper_Test(void* userCtx, int argc, char *argv[])
storageKey.handle.auth.size);
}
/* Start an authenticated session (salted / unbound) with parameter encryption */
if (paramEncAlg != TPM_ALG_NULL) {
rc = wolfTPM2_StartSession(&dev, &tpmSession, &storageKey, NULL,
TPM_SE_HMAC, paramEncAlg);
if (rc != 0) goto exit;
printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
(word32)tpmSession.handle.hndl);
/* set session for authorization of the storage key */
rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession,
(TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | TPMA_SESSION_continueSession));
if (rc != 0) goto exit;
}
/* Create RSA key for sign/verify */
rc = wolfTPM2_GetKeyTemplate_RSA(&publicTemplate,
@ -367,6 +411,9 @@ int TPM2_Wrapper_Test(void* userCtx, int argc, char *argv[])
rc = wolfTPM2_UnloadHandle(&dev, &rsaKey.handle);
if (rc != 0) goto exit;
/* Close TPM session based on RSA storage key */
wolfTPM2_UnloadHandle(&dev, &tpmSession.handle);
/*------------------------------------------------------------------------*/
/* ECC TESTS */
@ -413,6 +460,19 @@ int TPM2_Wrapper_Test(void* userCtx, int argc, char *argv[])
storageKey.handle.auth.size);
}
/* Start an authenticated session (salted / unbound) with parameter encryption */
if (paramEncAlg != TPM_ALG_NULL) {
rc = wolfTPM2_StartSession(&dev, &tpmSession, &storageKey, NULL,
TPM_SE_HMAC, paramEncAlg);
if (rc != 0) goto exit;
printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
(word32)tpmSession.handle.hndl);
/* set session for authorization of the storage key */
rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession,
(TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | TPMA_SESSION_continueSession));
if (rc != 0) goto exit;
}
/* Create an ECC key for ECDSA */
rc = wolfTPM2_GetKeyTemplate_ECC(&publicTemplate,
@ -568,6 +628,9 @@ int TPM2_Wrapper_Test(void* userCtx, int argc, char *argv[])
rc = wolfTPM2_UnloadHandle(&dev, &eccKey.handle);
if (rc != 0) goto exit;
/* Close TPM session based on ECC storage key */
wolfTPM2_UnloadHandle(&dev, &tpmSession.handle);
/*------------------------------------------------------------------------*/
/* NV TESTS */
@ -866,7 +929,7 @@ int main(int argc, char *argv[])
(void)argv;
#ifndef WOLFTPM2_NO_WRAPPER
rc = TPM2_Wrapper_Test(NULL, argc, argv);
rc = TPM2_Wrapper_TestArgs(NULL, argc, argv);
#else
printf("Wrapper code not compiled in\n");
#endif

3
examples/wrap/wrap_test.h
View File

@ -27,7 +27,8 @@
#endif
void TPM2_Wrapper_SetReset(int reset);
int TPM2_Wrapper_Test(void* userCtx, int argc, char *argv[]);
int TPM2_Wrapper_Test(void* userCtx);
int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[]);
#ifdef __cplusplus
} /* extern "C" */

4
scripts/tls_setup.sh
View File

@ -3,8 +3,8 @@
# Generate keyblobs and certs needed for TLS examples
#
./examples/keygen/keygen rsa_test_blob.raw -RSA -T
./examples/keygen/keygen ecc_test_blob.raw -ECC -T
./examples/keygen/keygen rsa_test_blob.raw -rsa -t
./examples/keygen/keygen ecc_test_blob.raw -ecc -t
./examples/csr/csr
./certs/certreq.sh

357
src/tpm2.c
View File

@ -88,191 +88,20 @@ static void TPM2_ReleaseLock(TPM2_CTX* ctx)
/* Send Command Wrapper */
typedef enum CmdFlags {
CMD_FLAG_NONE = 0x00,
CMD_FLAG_ENC2 = 0x01, /* size of first command parameter */
CMD_FLAG_ENC4 = 0x02,
CMD_FLAG_DEC2 = 0x04, /* size of first response parameter */
CMD_FLAG_DEC4 = 0x08,
CMD_FLAG_ENC2 = 0x01, /* 16-bit size of first command parameter */
CMD_FLAG_ENC4 = 0x02, /* 32-bit size (not used) */
CMD_FLAG_DEC2 = 0x04, /* 16-bit size of first response parameter */
CMD_FLAG_DEC4 = 0x08, /* 32-bit size (not used) */
} CmdFlags_t;
/* Command Details */
typedef struct {
int authCnt;
int inHandleCnt;
int outHandleCnt;
int flags;
int authCnt; /* number of authentication handles - determined at run-time */
int inHandleCnt; /* number of input handles - fixed */
int outHandleCnt; /* number of output handles - fixed */
int flags; /* If command allows param enc or dec - fixed */
} CmdInfo_t;
#ifndef WOLFTPM2_NO_WOLFCRYPT
/* Get name for object/handle */
static int TPM2_GetName(TPM2_CTX* ctx, int handleCnt, int idx, TPM2B_NAME* name)
{
TPM2_AUTH_SESSION* session;
XMEMSET(name, 0, sizeof(TPM2B_NAME));
if (idx >= handleCnt)
return TPM_RC_SUCCESS;
session = &ctx->session[idx];
if (session->name.size > 0) {
name->size = session->name.size;
XMEMCPY(name->name, session->name.name, name->size);
}
return TPM_RC_SUCCESS;
}
/* Compute the command parameter hash */
/* TCG TPM 2.0 Part 1 - 18.7 Command Parameter Hash cpHash */
static int TPM2_CalcCpHash(TPM2_CTX* ctx, CmdInfo_t* info,
TPMI_ALG_HASH authHash, TPM_CC cmdCode, BYTE* param, UINT32 paramSz,
TPM2B_DIGEST* hash)
{
int rc;
wc_HashAlg hash_ctx;
enum wc_HashType hashType;
TPM2B_NAME name1, name2, name3;
rc = TPM2_GetName(ctx, info->inHandleCnt, 0, &name1);
rc |= TPM2_GetName(ctx, info->inHandleCnt, 1, &name2);
rc |= TPM2_GetName(ctx, info->inHandleCnt, 2, &name3);
if (rc != TPM_RC_SUCCESS)
return BAD_FUNC_ARG;
rc = TPM2_GetHashType(authHash);
hashType = (enum wc_HashType)rc;
rc = wc_HashGetDigestSize(hashType);
if (rc < 0)
return rc;
hash->size = rc;
/* Hash of data (name) goes into remainder */
rc = wc_HashInit(&hash_ctx, hashType);
if (rc == 0) {
/* Hash Command Code */
UINT32 ccSwap = TPM2_Packet_SwapU32(cmdCode);
rc = wc_HashUpdate(&hash_ctx, hashType, (byte*)&ccSwap, sizeof(ccSwap));
/* For Command's only hash each session name */
if (rc == 0 && name1.size > 0)
rc = wc_HashUpdate(&hash_ctx, hashType, name1.name, name1.size);
if (rc == 0 && name2.size > 0)
rc = wc_HashUpdate(&hash_ctx, hashType, name2.name, name2.size);
if (rc == 0 && name3.size > 0)
rc = wc_HashUpdate(&hash_ctx, hashType, name3.name, name3.size);
/* Hash Remainder of parameters - after handles and auth */
if (rc == 0)
rc = wc_HashUpdate(&hash_ctx, hashType, param, paramSz);
if (rc == 0)
rc = wc_HashFinal(&hash_ctx, hashType, hash->buffer);
wc_HashFree(&hash_ctx, hashType);
}
(void)ctx;
return rc;
}
/* Compute the response parameter hash */
/* TCG TPM 2.0 Part 1 - 18.8 Response Parameter Hash rpHash */
static int TPM2_CalcRpHash(TPM2_CTX* ctx, TPMI_ALG_HASH authHash,
TPM_CC cmdCode, BYTE* param, UINT32 paramSz, TPM2B_DIGEST* hash)
{
int rc;
wc_HashAlg hash_ctx;
enum wc_HashType hashType;
rc = TPM2_GetHashType(authHash);
hashType = (enum wc_HashType)rc;
rc = wc_HashGetDigestSize(hashType);
if (rc < 0)
return rc;
hash->size = rc;
/* Hash of data (name) goes into remainder */
rc = wc_HashInit(&hash_ctx, hashType);
if (rc == 0) {
UINT32 ccSwap;
/* Hash Response Code - HMAC only calculated with success - always 0 */
ccSwap = 0;
rc = wc_HashUpdate(&hash_ctx, hashType, (byte*)&ccSwap, sizeof(ccSwap));
/* Hash Command Code */
if (rc == 0) {
ccSwap = TPM2_Packet_SwapU32(cmdCode);
rc = wc_HashUpdate(&hash_ctx, hashType, (byte*)&ccSwap, sizeof(ccSwap));
}
/* Hash Remainder of parameters - after handles */
if (rc == 0)
rc = wc_HashUpdate(&hash_ctx, hashType, param, paramSz);
if (rc == 0)
rc = wc_HashFinal(&hash_ctx, hashType, hash->buffer);
wc_HashFree(&hash_ctx, hashType);
}
(void)ctx;
return rc;
}
/* Compute the HMAC using cpHash, nonces and session attributes */
/* TCG TPM 2.0 Part 1 - 19.6.5 - HMAC Computation */
static int TPM2_CalcHmac(TPM2_CTX* ctx, TPMI_ALG_HASH authHash, TPM2B_AUTH* auth,
const TPM2B_DIGEST* hash, const TPM2B_NONCE* nonceNew,
const TPM2B_NONCE* nonceOld, TPMA_SESSION sessionAttributes,
TPM2B_AUTH* hmac)
{
int rc;
Hmac hmac_ctx;
enum wc_HashType hashType;
/* use authHash for hmac hash algorithm */
rc = TPM2_GetHashType(authHash);
hashType = (enum wc_HashType)rc;
hmac->size = TPM2_GetHashDigestSize(authHash);
if (hmac->size <= 0)
return BAD_FUNC_ARG;
/* setup HMAC */
rc = wc_HmacInit(&hmac_ctx, NULL, INVALID_DEVID);
if (rc != 0)
return rc;
/* start HMAC - sessionKey || authValue */
rc = wc_HmacSetKey(&hmac_ctx, hashType, auth->buffer, auth->size);
/* pHash - hash of command code and parameters */
if (rc == 0)
rc = wc_HmacUpdate(&hmac_ctx, hash->buffer, hash->size);
/* nonce new (on cmd caller, on resp tpm) */
if (rc == 0)
rc = wc_HmacUpdate(&hmac_ctx, nonceNew->buffer, nonceNew->size);
/* nonce old (on cmd TPM, on resp caller) */
if (rc == 0)
rc = wc_HmacUpdate(&hmac_ctx, nonceOld->buffer, nonceOld->size);
/* TODO: nonceTPMDecrypt */
/* TODO: nonceTPMEncrypt */
/* sessionAttributes */
if (rc == 0)
rc = wc_HmacUpdate(&hmac_ctx, &sessionAttributes, 1);
/* finalize return into hmac buffer */
if (rc == 0)
rc = wc_HmacFinal(&hmac_ctx, hmac->buffer);
wc_HmacFree(&hmac_ctx);
(void)ctx;
return rc;
}
#endif /* !WOLFTPM2_NO_WOLFCRYPT */
static int TPM2_CommandProcess(TPM2_CTX* ctx, TPM2_Packet* packet,
CmdInfo_t* info, TPM_CC cmdCode, UINT32 cmdSz)
{
@ -330,9 +159,19 @@ static int TPM2_CommandProcess(TPM2_CTX* ctx, TPM2_Packet* packet,
if (session->sessionHandle != TPM_RS_PW) {
#ifndef WOLFTPM2_NO_WOLFCRYPT
TPM2B_NAME name1, name2, name3;
TPM2B_DIGEST hash;
#endif
/* if param enc is not supported for this command then clear flag */
/* session attribute flags are from TPM perspective */
if ((info->flags & (CMD_FLAG_ENC2 | CMD_FLAG_ENC4)) == 0) {
authCmd.sessionAttributes &= ~TPMA_SESSION_decrypt;
}
if ((info->flags & (CMD_FLAG_DEC2 | CMD_FLAG_DEC4)) == 0) {
authCmd.sessionAttributes &= ~TPMA_SESSION_encrypt;
}
/* Handle session request for encryption */
if (encParam && session->sessionAttributes & TPMA_SESSION_decrypt) {
/* Encrypt the first command parameter */
@ -346,9 +185,19 @@ static int TPM2_CommandProcess(TPM2_CTX* ctx, TPM2_Packet* packet,
}
#ifndef WOLFTPM2_NO_WOLFCRYPT
rc = TPM2_GetName(ctx, info->inHandleCnt, 0, &name1);
rc |= TPM2_GetName(ctx, info->inHandleCnt, 1, &name2);
rc |= TPM2_GetName(ctx, info->inHandleCnt, 2, &name3);
if (rc != TPM_RC_SUCCESS) {
#ifdef DEBUG_WOLFTPM
printf("Error getting names for cpHash!\n");
#endif
return BAD_FUNC_ARG;
}
/* calculate "cpHash" hash for command code, names and parameters */
rc = TPM2_CalcCpHash(ctx, info, session->authHash, cmdCode,
param, paramSz, &hash);
rc = TPM2_CalcCpHash(session->authHash, cmdCode, &name1,
&name2, &name3, param, paramSz, &hash);
if (rc != TPM_RC_SUCCESS) {
#ifdef DEBUG_WOLFTPM
printf("Error calculating cpHash!\n");
@ -357,7 +206,7 @@ static int TPM2_CommandProcess(TPM2_CTX* ctx, TPM2_Packet* packet,
}
/* Calculate HMAC for policy, hmac or salted sessions */
/* this is done after encryption */
rc = TPM2_CalcHmac(ctx, session->authHash, &session->auth, &hash,
rc = TPM2_CalcHmac(session->authHash, &session->auth, &hash,
&session->nonceCaller, &session->nonceTPM,
session->sessionAttributes, &authCmd.hmac);
if (rc != TPM_RC_SUCCESS) {
@ -439,8 +288,8 @@ static int TPM2_ResponseProcess(TPM2_CTX* ctx, TPM2_Packet* packet,
TPM2B_AUTH hmac;
/* calculate "rpHash" hash for command code and parameters */
rc = TPM2_CalcRpHash(ctx, session->authHash, cmdCode,
param, paramSz, &hash);
rc = TPM2_CalcRpHash(session->authHash, cmdCode, param, paramSz,
&hash);
if (rc != TPM_RC_SUCCESS) {
#ifdef DEBUG_WOLFTPM
printf("Error calculating rpHash!\n");
@ -449,7 +298,7 @@ static int TPM2_ResponseProcess(TPM2_CTX* ctx, TPM2_Packet* packet,
}
/* Calculate HMAC prior to decryption */
rc = TPM2_CalcHmac(ctx, session->authHash, &session->auth, &hash,
rc = TPM2_CalcHmac(session->authHash, &session->auth, &hash,
&session->nonceTPM, &session->nonceCaller,
session->sessionAttributes, &hmac);
if (rc != TPM_RC_SUCCESS) {
@ -570,8 +419,11 @@ static TPM_RC TPM2_SendCommand(TPM2_CTX* ctx, TPM2_Packet* packet)
static TPM_ST TPM2_GetTag(TPM2_CTX* ctx)
{
TPM_ST st = TPM_ST_NO_SESSIONS;
if (ctx && ctx->session && TPM2_GetSessionAuthCount(ctx) > 0) {
st = TPM_ST_SESSIONS;
if (ctx && ctx->session) {
int authCount = TPM2_GetSessionAuthCount(ctx);
if (authCount == 1 && ctx->session[0].sessionHandle != TPM_RS_PW) {
st = TPM_ST_SESSIONS;
}
}
return st;
}
@ -594,6 +446,61 @@ static inline void TPM2_WolfCrypt_Init(void)
/******************************************************************************/
/* --- Public Functions -- */
/******************************************************************************/
TPM2_CTX* TPM2_GetActiveCtx(void)
{
return gActiveTPM;
}
void TPM2_SetActiveCtx(TPM2_CTX* ctx)
{
gActiveTPM = ctx;
}
TPM_RC TPM2_SetSessionAuth(TPM2_AUTH_SESSION* session)
{
TPM_RC rc;
TPM2_CTX* ctx = TPM2_GetActiveCtx();
if (ctx == NULL)
return BAD_FUNC_ARG;
rc = TPM2_AcquireLock(ctx);
if (rc == TPM_RC_SUCCESS) {
ctx->session = session;
TPM2_ReleaseLock(ctx);
}
return rc;
}
/* Finds the number of active Auth Session in the given TPM2 context */
int TPM2_GetSessionAuthCount(TPM2_CTX* ctx)
{
int sessionCount, sessionHandle;
if (ctx == NULL || ctx->session == NULL)
return BAD_FUNC_ARG;
for (sessionCount = 0; sessionCount < MAX_SESSION_NUM; sessionCount++) {
sessionHandle = ctx->session[sessionCount].sessionHandle;
/* According to the TCG Spec, Part 1, Chapter 15.4
* Session Handles have most significant octet at
* 0x02 for HMAC sessions
* 0x03 for Policy sessions
* Password sessions use predefined value of TPM_RS_PW
* Trial sessions are not of interest
*/
if (sessionHandle != TPM_RS_PW) {
/* Not a password session, mask the most significant octet(MSO) */
sessionHandle &= 0xFF000000;
/* Check MSO for an HMAC or Policy session, otherwise invalid */
if ((sessionHandle ^ 0x02000000) && (sessionHandle ^ 0x03000000))
break;
}
}
return sessionCount;
}
TPM_RC TPM2_ChipStartup(TPM2_CTX* ctx, int timeoutTries)
{
@ -5316,62 +5223,6 @@ int TPM2_GetHashType(TPMI_ALG_HASH hashAlg)
return 0;
}
TPM2_CTX* TPM2_GetActiveCtx(void)
{
return gActiveTPM;
}
void TPM2_SetActiveCtx(TPM2_CTX* ctx)
{
gActiveTPM = ctx;
}
TPM_RC TPM2_SetSessionAuth(TPM2_AUTH_SESSION* session)
{
TPM_RC rc;
TPM2_CTX* ctx = TPM2_GetActiveCtx();
if (ctx == NULL)
return BAD_FUNC_ARG;
rc = TPM2_AcquireLock(ctx);
if (rc == TPM_RC_SUCCESS) {
ctx->session = session;
TPM2_ReleaseLock(ctx);
}
return rc;
}
/* Finds the number of active Auth Session in the given TPM2 context */
int TPM2_GetSessionAuthCount(TPM2_CTX* ctx)
{
int sessionCount, sessionHandle;
if (ctx == NULL || ctx->session == NULL)
return BAD_FUNC_ARG;
for (sessionCount = 0; sessionCount < MAX_SESSION_NUM; sessionCount++) {
sessionHandle = ctx->session[sessionCount].sessionHandle;
/* According to the TCG Spec, Part 1, Chapter 15.4
* Session Handles have most significant octet at
* 0x02 for HMAC sessions
* 0x03 for Policy sessions
* Password sessions use predefined value of TPM_RS_PW
* Trial sessions are not of interest
*/
if (sessionHandle != TPM_RS_PW) {
/* Not a password session, mask the most significant octet(MSO) */
sessionHandle &= 0xFF000000;
/* Check MSO for an HMAC or Policy session, otherwise invalid */
if ((sessionHandle ^ 0x02000000) && (sessionHandle ^ 0x03000000))
break;
}
}
return sessionCount;
}
/* Can optionally define WOLFTPM2_USE_HW_RNG to force using TPM hardware for RNG source */
int TPM2_GetNonce(byte* nonceBuf, int nonceSz)
{
@ -5414,6 +5265,24 @@ int TPM2_GetNonce(byte* nonceBuf, int nonceSz)
return rc;
}
/* Get name for object/handle */
int TPM2_GetName(TPM2_CTX* ctx, int handleCnt, int idx, TPM2B_NAME* name)
{
TPM2_AUTH_SESSION* session;
XMEMSET(name, 0, sizeof(TPM2B_NAME));
if (idx >= handleCnt)
return TPM_RC_SUCCESS;
session = &ctx->session[idx];
if (session->name.size > 0) {
name->size = session->name.size;
XMEMCPY(name->name, session->name.name, name->size);
}
return TPM_RC_SUCCESS;
}
void TPM2_SetupPCRSel(TPML_PCR_SELECTION* pcr, TPM_ALG_ID alg, int pcrIndex)
{
if (pcr) {

144
src/tpm2_param_enc.c
View File

@ -338,6 +338,150 @@ static int TPM2_ParamDec_AESCFB(TPM2_AUTH_SESSION *session, TPM2B_AUTH* keyIn,
/* --- Public Functions -- */
/******************************************************************************/
#ifndef WOLFTPM2_NO_WOLFCRYPT
/* Compute the command parameter hash */
/* TCG TPM 2.0 Part 1 - 18.7 Command Parameter Hash cpHash */
int TPM2_CalcCpHash(TPMI_ALG_HASH authHash, TPM_CC cmdCode,
TPM2B_NAME* name1, TPM2B_NAME* name2, TPM2B_NAME* name3,
BYTE* param, UINT32 paramSz, TPM2B_DIGEST* hash)
{
int rc;
wc_HashAlg hash_ctx;
enum wc_HashType hashType;
rc = TPM2_GetHashType(authHash);
hashType = (enum wc_HashType)rc;
rc = wc_HashGetDigestSize(hashType);
if (rc < 0)
return rc;
hash->size = rc;
/* Hash of data (name) goes into remainder */
rc = wc_HashInit(&hash_ctx, hashType);
if (rc == 0) {
/* Hash Command Code */
UINT32 ccSwap = TPM2_Packet_SwapU32(cmdCode);
rc = wc_HashUpdate(&hash_ctx, hashType, (byte*)&ccSwap, sizeof(ccSwap));
/* For Command's only hash each session name */
if (rc == 0 && name1 && name1->size > 0)
rc = wc_HashUpdate(&hash_ctx, hashType, name1->name, name1->size);
if (rc == 0 && name2 && name2->size > 0)
rc = wc_HashUpdate(&hash_ctx, hashType, name2->name, name2->size);
if (rc == 0 && name3 && name3->size > 0)
rc = wc_HashUpdate(&hash_ctx, hashType, name3->name, name3->size);
/* Hash Remainder of parameters - after handles and auth */
if (rc == 0)
rc = wc_HashUpdate(&hash_ctx, hashType, param, paramSz);
if (rc == 0)
rc = wc_HashFinal(&hash_ctx, hashType, hash->buffer);
wc_HashFree(&hash_ctx, hashType);
}
return rc;
}
/* Compute the response parameter hash */
/* TCG TPM 2.0 Part 1 - 18.8 Response Parameter Hash rpHash */
int TPM2_CalcRpHash(TPMI_ALG_HASH authHash,
TPM_CC cmdCode, BYTE* param, UINT32 paramSz, TPM2B_DIGEST* hash)
{
int rc;
wc_HashAlg hash_ctx;
enum wc_HashType hashType;
rc = TPM2_GetHashType(authHash);
hashType = (enum wc_HashType)rc;
rc = wc_HashGetDigestSize(hashType);
if (rc < 0)
return rc;
hash->size = rc;
/* Hash of data (name) goes into remainder */
rc = wc_HashInit(&hash_ctx, hashType);
if (rc == 0) {
UINT32 ccSwap;
/* Hash Response Code - HMAC only calculated with success - always 0 */
ccSwap = 0;
rc = wc_HashUpdate(&hash_ctx, hashType, (byte*)&ccSwap, sizeof(ccSwap));
/* Hash Command Code */
if (rc == 0) {
ccSwap = TPM2_Packet_SwapU32(cmdCode);
rc = wc_HashUpdate(&hash_ctx, hashType, (byte*)&ccSwap, sizeof(ccSwap));
}
/* Hash Remainder of parameters - after handles */
if (rc == 0)
rc = wc_HashUpdate(&hash_ctx, hashType, param, paramSz);
if (rc == 0)
rc = wc_HashFinal(&hash_ctx, hashType, hash->buffer);
wc_HashFree(&hash_ctx, hashType);
}
return rc;
}
/* Compute the HMAC using cpHash, nonces and session attributes */
/* TCG TPM 2.0 Part 1 - 19.6.5 - HMAC Computation */
int TPM2_CalcHmac(TPMI_ALG_HASH authHash, TPM2B_AUTH* auth,
const TPM2B_DIGEST* hash, const TPM2B_NONCE* nonceNew,
const TPM2B_NONCE* nonceOld, TPMA_SESSION sessionAttributes,
TPM2B_AUTH* hmac)
{
int rc;
Hmac hmac_ctx;
enum wc_HashType hashType;
/* use authHash for hmac hash algorithm */
rc = TPM2_GetHashType(authHash);
hashType = (enum wc_HashType)rc;
hmac->size = TPM2_GetHashDigestSize(authHash);
if (hmac->size <= 0)
return BAD_FUNC_ARG;
/* setup HMAC */
rc = wc_HmacInit(&hmac_ctx, NULL, INVALID_DEVID);
if (rc != 0)
return rc;
/* start HMAC - sessionKey || authValue */
/* TODO: Handle "authValue" case "a value that is found in the sensitive area of an entity" */
rc = wc_HmacSetKey(&hmac_ctx, hashType, auth->buffer, auth->size);
/* pHash - hash of command code and parameters */
if (rc == 0)
rc = wc_HmacUpdate(&hmac_ctx, hash->buffer, hash->size);
/* nonce new (on cmd caller, on resp tpm) */
if (rc == 0)
rc = wc_HmacUpdate(&hmac_ctx, nonceNew->buffer, nonceNew->size);
/* nonce old (on cmd TPM, on resp caller) */
if (rc == 0)
rc = wc_HmacUpdate(&hmac_ctx, nonceOld->buffer, nonceOld->size);
/* TODO: nonceTPMDecrypt */
/* TODO: nonceTPMEncrypt */
/* sessionAttributes */
if (rc == 0)
rc = wc_HmacUpdate(&hmac_ctx, &sessionAttributes, 1);
/* finalize return into hmac buffer */
if (rc == 0)
rc = wc_HmacFinal(&hmac_ctx, hmac->buffer);
wc_HmacFree(&hmac_ctx);
return rc;
}
#endif /* !WOLFTPM2_NO_WOLFCRYPT */
TPM_RC TPM2_ParamEnc_CmdRequest(TPM2_AUTH_SESSION *session,
BYTE *paramData, UINT32 paramSz)
{

44
src/tpm2_wrap.c
View File

@ -21,10 +21,6 @@
#include <wolftpm/tpm2_wrap.h>
#include <wolftpm/tpm2_param_enc.h>
#ifndef WOLFTPM2_NO_WOLFCRYPT
#include <wolfssl/wolfcrypt/aes.h>
#include <wolfssl/wolfcrypt/hmac.h>
#endif
#ifndef WOLFTPM2_NO_WRAPPER
@ -398,7 +394,7 @@ int wolfTPM2_SetAuth(WOLFTPM2_DEV* dev, int index,
TPM2_SetSessionAuth(dev->session);
return 0;
return TPM_RC_SUCCESS;
}
int wolfTPM2_SetAuthPassword(WOLFTPM2_DEV* dev, int index,
@ -410,31 +406,27 @@ int wolfTPM2_SetAuthPassword(WOLFTPM2_DEV* dev, int index,
int wolfTPM2_SetAuthHandle(WOLFTPM2_DEV* dev, int index,
const WOLFTPM2_HANDLE* handle)
{
return wolfTPM2_SetAuth(dev, index, TPM_RS_PW, &handle->auth, 0, &handle->name);
const TPM2B_AUTH* auth = NULL;
const TPM2B_NAME* name = NULL;
if (handle) {
auth = &handle->auth;
name = &handle->name;
}
return wolfTPM2_SetAuth(dev, index, TPM_RS_PW, auth, 0, name);
}
int wolfTPM2_SetAuthSession(WOLFTPM2_DEV* dev, int index,
const WOLFTPM2_SESSION* tpmSession, TPMA_SESSION sessionAttributes)
{
int rc;
TPM2B_AUTH* auth = NULL;
if (dev == NULL || index >= MAX_SESSION_NUM) {
return BAD_FUNC_ARG;
}
/* use auth from earlier session */
if (index > 1) {
auth = &dev->session[index-1].auth;
}
/* TODO: Make use of auth for an earlier session? */
/* If the encrypt session is associated with a handle, the authValue of the
handle will be concatenated with sessionKey to generate encryption key */
(void)auth;
rc = wolfTPM2_SetAuth(dev, index, tpmSession->handle.hndl,
&tpmSession->handle.auth, sessionAttributes, NULL);
if (rc == 0) {
if (rc == TPM_RC_SUCCESS) {
TPM2_AUTH_SESSION* session = &dev->session[index];
/* define the symmetric algorithm */
@ -497,7 +489,7 @@ int wolfTPM2_Cleanup(WOLFTPM2_DEV* dev)
#ifndef WOLFTPM2_NO_WOLFCRYPT
#ifndef NO_RSA
/* returns both the plaintext and encrypted salt, based on the salt key bPublic. */
static int wolfTPM2_RSA_Salt(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey,
int wolfTPM2_RSA_Salt(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey,
TPM2B_DIGEST *salt, TPM2B_ENCRYPTED_SECRET *encSalt, TPMT_PUBLIC *publicArea)
{
int rc;
@ -563,7 +555,7 @@ static int wolfTPM2_RSA_Salt(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey,
}
#endif /* !NO_RSA */
static int wolfTPM2_EncryptSalt(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey,
int wolfTPM2_EncryptSalt(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey,
StartAuthSession_In* in, TPM2B_AUTH* bindAuth, TPM2B_DIGEST* salt)
{
int rc;
@ -632,10 +624,15 @@ int wolfTPM2_StartSession(WOLFTPM2_DEV* dev, WOLFTPM2_SESSION* session,
}
/* set session auth for key */
wolfTPM2_SetAuthHandle(dev, 0, &tpmKey->handle);
authSesIn.tpmKey = tpmKey ? tpmKey->handle.hndl :
(TPMI_DH_OBJECT)TPM_RH_NULL;
if (tpmKey) {
wolfTPM2_SetAuthHandle(dev, 0, &tpmKey->handle);
authSesIn.tpmKey = tpmKey->handle.hndl;
}
else {
wolfTPM2_SetAuthPassword(dev, 0, NULL);
authSesIn.tpmKey = (TPMI_DH_OBJECT)TPM_RH_NULL;
}
/* setup bind key */
authSesIn.bind = (TPMI_DH_ENTITY)TPM_RH_NULL;
if (bind) {
authSesIn.bind = bind->hndl;
@ -716,6 +713,7 @@ int wolfTPM2_StartSession(WOLFTPM2_DEV* dev, WOLFTPM2_SESSION* session,
}
/* return session */
session->type = authSesIn.sessionType;
session->authHash = authSesIn.authHash;
session->handle.hndl = authSesOut.sessionHandle;
session->handle.symmetric = authSesIn.symmetric;

9
wolftpm/tpm2.h
View File

@ -1679,10 +1679,10 @@ typedef struct TPM2_CTX {
/* Pointer to current TPM auth sessions */
TPM2_AUTH_SESSION* session;
/* Command Buffer */
/* Command / Response Buffer */
byte cmdBuf[MAX_COMMAND_SIZE];
/* Informational Bits */
/* Informational Bits - use unsigned int for best compiler compatibility */
#ifndef WOLFTPM2_NO_WOLFCRYPT
#ifndef SINGLE_THREADED
unsigned int hwLockInit:1;
@ -2762,8 +2762,8 @@ WOLFTPM_API int TPM2_SetMode(SetMode_In* in);
/* Non-standard API's */
#define _TPM_Init TPM2_Init
/* In when using devtpm or swtpm, the ioCb and userCtx are not used
* and must be set to NULL. TPM2_Init_minimal() call TPM2_Init_ex()
/* When using devtpm or swtpm, the ioCb and userCtx are not used
* and should be NULL. TPM2_Init_minimal() calls TPM2_Init_ex()
* with them set to NULL.
*
* In other modes, the ioCb shall be set in order to use TIS.
@ -2800,6 +2800,7 @@ WOLFTPM_API int TPM2_GetTpmCurve(int curveID);
WOLFTPM_API int TPM2_GetWolfCurve(int curve_id);
WOLFTPM_API int TPM2_ParseAttest(const TPM2B_ATTEST* in, TPMS_ATTEST* out);
WOLFTPM_LOCAL int TPM2_GetName(TPM2_CTX* ctx, int handleCnt, int idx, TPM2B_NAME* name);
#ifdef WOLFTPM2_USE_WOLF_RNG
WOLFTPM_API int TPM2_GetWolfRng(WC_RNG** rng);

10
wolftpm/tpm2_param_enc.h
View File

@ -35,6 +35,16 @@ WOLFTPM_API int TPM2_KDFa(
BYTE *key, UINT32 keySz
);
WOLFTPM_LOCAL int TPM2_CalcHmac(TPMI_ALG_HASH authHash, TPM2B_AUTH* auth,
const TPM2B_DIGEST* hash, const TPM2B_NONCE* nonceNew,
const TPM2B_NONCE* nonceOld, TPMA_SESSION sessionAttributes,
TPM2B_AUTH* hmac);
WOLFTPM_LOCAL int TPM2_CalcRpHash(TPMI_ALG_HASH authHash,
TPM_CC cmdCode, BYTE* param, UINT32 paramSz, TPM2B_DIGEST* hash);
WOLFTPM_LOCAL int TPM2_CalcCpHash(TPMI_ALG_HASH authHash, TPM_CC cmdCode,
TPM2B_NAME* name1, TPM2B_NAME* name2, TPM2B_NAME* name3,
BYTE* param, UINT32 paramSz, TPM2B_DIGEST* hash);
/* Perform encryption over the first parameter of a TPM packet */
WOLFTPM_LOCAL TPM_RC TPM2_ParamEnc_CmdRequest(TPM2_AUTH_SESSION *session,
BYTE *paramData, UINT32 paramSz);

1
wolftpm/tpm2_types.h
View File

@ -81,6 +81,7 @@ typedef int64_t INT64;
#include <wolfssl/wolfcrypt/ecc.h>
#include <wolfssl/wolfcrypt/asn_public.h>
#include <wolfssl/wolfcrypt/hmac.h>
#include <wolfssl/wolfcrypt/aes.h>
#ifdef WOLF_CRYPTO_CB
#include <wolfssl/wolfcrypt/cryptocb.h>
#elif defined(WOLF_CRYPTO_DEV)

5
wolftpm/tpm2_wrap.h
View File

@ -366,6 +366,11 @@ WOLFTPM_API int wolfTPM2_GetTime(WOLFTPM2_KEY* aikKey, GetTime_Out* getTimeOut);
#define wolfTPM2_GetRCString TPM2_GetRCString
#define wolfTPM2_GetCurveSize TPM2_GetCurveSize
/* for salted auth sessions */
WOLFTPM_LOCAL int wolfTPM2_RSA_Salt(struct WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey,
TPM2B_DIGEST *salt, TPM2B_ENCRYPTED_SECRET *encSalt, TPMT_PUBLIC *publicArea);
WOLFTPM_LOCAL int wolfTPM2_EncryptSalt(struct WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey,
StartAuthSession_In* in, TPM2B_AUTH* bindAuth, TPM2B_DIGEST* salt);
#if defined(WOLF_CRYPTO_DEV) || defined(WOLF_CRYPTO_CB)