From 4b0b70861c4a1afb0959cde055936e7368083973 Mon Sep 17 00:00:00 2001 From: David Garske Date: Mon, 30 Nov 2020 09:16:54 -0800 Subject: [PATCH] Added parameter encryption support to more examples. Fix to not set "encrypt" or "decrypt" if command doesn't allow it. Updated documentation. --- .gitignore | 3 - README.md | 5 + examples/README.md | 22 +- examples/bench/bench.c | 60 ++++- examples/bench/bench.h | 3 +- examples/csr/csr.c | 8 +- examples/csr/csr.h | 3 +- examples/keygen/keygen.c | 28 +- examples/keygen/keygen.h | 2 - examples/keygen/keyimport.c | 25 +- examples/keygen/keyload.c | 21 +- examples/native/native_test.c | 15 +- examples/native/native_test.h | 3 +- examples/pcr/extend.c | 4 +- examples/pcr/quote.c | 65 ++--- examples/pkcs7/pkcs7.c | 9 +- examples/pkcs7/pkcs7.h | 3 +- examples/timestamp/clock_set.c | 2 +- examples/timestamp/include.am | 3 +- examples/timestamp/signed_timestamp.c | 185 ++++++------- examples/timestamp/signed_timestamp.h | 3 +- examples/tls/tls_client.c | 72 +++++- examples/tls/tls_client.h | 6 +- examples/tls/tls_client_notpm.c | 8 +- examples/tls/tls_common.h | 2 +- examples/tls/tls_server.c | 73 +++++- examples/tls/tls_server.h | 3 +- examples/tpm_test_keys.c | 4 +- examples/wrap/wrap_test.c | 71 ++++- examples/wrap/wrap_test.h | 3 +- scripts/tls_setup.sh | 4 +- src/tpm2.c | 357 ++++++++------------------ src/tpm2_param_enc.c | 144 +++++++++++ src/tpm2_wrap.c | 44 ++-- wolftpm/tpm2.h | 9 +- wolftpm/tpm2_param_enc.h | 10 + wolftpm/tpm2_types.h | 1 + wolftpm/tpm2_wrap.h | 5 + 38 files changed, 776 insertions(+), 512 deletions(-) diff --git a/.gitignore b/.gitignore index df886ea..abdf4b1 100644 --- a/.gitignore +++ b/.gitignore @@ -38,7 +38,6 @@ examples/tls/tls_client examples/pkcs7/pkcs7 examples/timestamp/signed_timestamp examples/pcr/quote -examples/pcr/quote_paramenc examples/pcr/extend examples/pcr/reset examples/timestamp/clock_set @@ -51,8 +50,6 @@ tests/unit.test examples/keygen/keyload examples/keygen/keygen examples/keygen/keyimport -examples/keygen/keygen_paramenc -examples/keygen/keyload_paramenc # Generated Cert Files certs/ca-*.pem diff --git a/README.md b/README.md index 16758ed..59d688f 100644 --- a/README.md +++ b/README.md @@ -24,6 +24,7 @@ Portable TPM 2.0 project designed for embedded use. * TLS Client * TLS Server * Benchmarking TPM algorithms and TLS +* Parameter encryption support using AES-CFB or XOR. Supports salted unbound authenticated sessions. Note: See [examples/README.md](examples/README.md) for details on using the examples. @@ -637,6 +638,10 @@ Connection: close ## Todo * Update to v1.59 of specification. +* Add HMAC support for "authValue". +* Add ECC encrypted salt. +* Add bound auth session support. +* Add multiple auth session (nonceTPMDecrypt and nonceTPMEncrypt) support. ## Support diff --git a/examples/README.md b/examples/README.md index 3775d6e..548c23c 100644 --- a/examples/README.md +++ b/examples/README.md @@ -6,6 +6,8 @@ The examples create RSA and ECC keys in NV for testing using handles defined in The PKCS #7 and TLS examples require generating CSR's and signing them using a test script. See CSR and Certificate Signing below. +To enable parameter encryption use `-aes` for AES-CFB mode or `-xor` for XOR mode. Only some TPM commands / responses support parameter encryption. If the TPM2_ API has .flags `CMD_FLAG_ENC2` or `CMD_FLAG_DEC2` set then the command will use parameter encryption / decryption. + ## Native API Test Demonstrates calling native TPM2_* API's. @@ -110,8 +112,8 @@ To use symmetric AES/Hashing/HMAC with the TPM define `WOLFTPM_USE_SYMMETRIC`. Generation of the Client and Server Certificates requires running: -1. `./examples/keygen/keygen rsa_test_blob.raw -RSA -T` -2. `./examples/keygen/keygen ecc_test_blob.raw -ECC -T` +1. `./examples/keygen/keygen rsa_test_blob.raw -rsa -t` +2. `./examples/keygen/keygen ecc_test_blob.raw -ecc -t` 3. `./examples/csr/csr` 4. `./certs/certreq.sh` 5. Copy the CA files from wolfTPM to wolfSSL certs directory. @@ -134,9 +136,9 @@ or `./examples/server/server -b -p 11111 -g -A ./certs/tpm-ca-ecc-cert.pem -i -V` Then run the wolfTPM TLS client example: -`./examples/tls/tls_client RSA` +`./examples/tls/tls_client -rsa` or -`./examples/tls/tls_client ECC` +`./examples/tls/tls_client -ecc` ### TLS Server @@ -146,9 +148,9 @@ This example shows using a TPM key and certificate for a TLS server. By default it listens on port 11111 and can be overridden at build-time using the `TLS_PORT` macro. Run the wolfTPM TLS server example: -`./examples/tls/tls_server RSA` +`./examples/tls/tls_server -rsa` or -`./examples/tls/tls_server ECC` +`./examples/tls/tls_server -ecc` Then run the wolfSSL example client this like: `./examples/client/client -h localhost -p 11111 -g -d` @@ -194,7 +196,7 @@ Performance benchmarks. Examples for generating a TPM key blob and storing to disk, then loading from disk and loading into temporary TPM handle. ``` -$ ./examples/keygen/keygen keyblob.bin -RSA +$ ./examples/keygen/keygen keyblob.bin -rsa TPM2.0 Key generation example Loading SRK: Storage 0x81000200 (282 bytes) Creating new RSA key... @@ -208,7 +210,7 @@ Reading 840 bytes from keyblob.bin Loaded key to 0x80000001 -$ ./examples/keygen/keygen keyblob.bin -ECC +$ ./examples/keygen/keygen keyblob.bin -ecc TPM2.0 Key generation example Loading SRK: Storage 0x81000200 (282 bytes) Creating new ECC key... @@ -225,7 +227,7 @@ Loaded key to 0x80000001 Example for importing a private key as TPM key blob and storing to disk, then loading from disk and loading into temporary TPM handle. ``` -$ ./examples/keygen/keyimport keyblob.bin -RSA +$ ./examples/keygen/keyimport keyblob.bin -rsa TPM2.0 Key import example Loading SRK: Storage 0x81000200 (282 bytes) Imported key (pub 278, priv 222 bytes) @@ -238,7 +240,7 @@ Reading 840 bytes from keyblob.bin Loaded key to 0x80000001 -$ ./examples/keygen/keyimport keyblob.bin -ECC +$ ./examples/keygen/keyimport keyblob.bin -ecc TPM2.0 Key Import example Loading SRK: Storage 0x81000200 (282 bytes) Imported key (pub 86, priv 126 bytes) diff --git a/examples/bench/bench.c b/examples/bench/bench.c index d449b4f..de52ecd 100644 --- a/examples/bench/bench.c +++ b/examples/bench/bench.c @@ -181,11 +181,22 @@ exit: return rc; } +static void usage(void) +{ + printf("Expected usage:\n"); + printf("./examples/bench/bench [-aes/xor]\n"); + printf("* -aes/xor: Use Parameter Encryption\n"); +} + /******************************************************************************/ /* --- BEGIN Bench Wrapper -- */ /******************************************************************************/ +int TPM2_Wrapper_Bench(void* userCtx) +{ + return TPM2_Wrapper_BenchArgs(userCtx, 0, NULL); +} -int TPM2_Wrapper_Bench(void* userCtx, int argc, char *argv[]) +int TPM2_Wrapper_BenchArgs(void* userCtx, int argc, char *argv[]) { int rc; WOLFTPM2_DEV dev; @@ -199,11 +210,35 @@ int TPM2_Wrapper_Bench(void* userCtx, int argc, char *argv[]) TPM2B_ECC_POINT pubPoint; double start; int count; + TPM_ALG_ID paramEncAlg = TPM_ALG_NULL; + WOLFTPM2_SESSION tpmSession; + + if (argc >= 2) { + if (XSTRNCMP(argv[1], "-?", 2) == 0 || + XSTRNCMP(argv[1], "-h", 2) == 0 || + XSTRNCMP(argv[1], "--help", 6) == 0) { + usage(); + return 0; + } + } + while (argc > 1) { + if (XSTRNCMP(argv[argc-1], "-aes", 4) == 0) { + paramEncAlg = TPM_ALG_CFB; + } + if (XSTRNCMP(argv[argc-1], "-xor", 4) == 0) { + paramEncAlg = TPM_ALG_XOR; + } + argc--; + } + + XMEMSET(&storageKey, 0, sizeof(storageKey)); + XMEMSET(&eccKey, 0, sizeof(eccKey)); + XMEMSET(&rsaKey, 0, sizeof(rsaKey)); + XMEMSET(&tpmSession, 0, sizeof(tpmSession)); + printf("TPM2 Benchmark using Wrapper API's\n"); - - (void)argc; - (void)argv; + printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg)); /* Init the TPM2 device */ rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx); @@ -213,6 +248,20 @@ int TPM2_Wrapper_Bench(void* userCtx, int argc, char *argv[]) rc = getPrimaryStoragekey(&dev, &storageKey, TPM_ALG_RSA); if (rc != 0) goto exit; + if (paramEncAlg != TPM_ALG_NULL) { + /* Start an authenticated session (salted / unbound) with parameter encryption */ + rc = wolfTPM2_StartSession(&dev, &tpmSession, &storageKey, NULL, + TPM_SE_HMAC, paramEncAlg); + if (rc != 0) goto exit; + printf("TPM2_StartAuthSession: sessionHandle 0x%x\n", + (word32)tpmSession.handle.hndl); + + /* set session for authorization of the storage key */ + rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession, + (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | TPMA_SESSION_continueSession)); + if (rc != 0) goto exit; + } + /* RNG Benchmark */ bench_stats_start(&count, &start); do { @@ -423,6 +472,7 @@ exit: wolfTPM2_UnloadHandle(&dev, &rsaKey.handle); wolfTPM2_UnloadHandle(&dev, &eccKey.handle); + wolfTPM2_UnloadHandle(&dev, &tpmSession.handle); wolfTPM2_Cleanup(&dev); @@ -441,7 +491,7 @@ int main(int argc, char *argv[]) int rc = -1; #if !defined(WOLFTPM2_NO_WRAPPER) && !defined(NO_TPM_BENCH) - rc = TPM2_Wrapper_Bench(NULL, argc, argv); + rc = TPM2_Wrapper_BenchArgs(NULL, argc, argv); #else printf("Wrapper code not compiled in\n"); #endif diff --git a/examples/bench/bench.h b/examples/bench/bench.h index ab04f8a..02ff7ea 100644 --- a/examples/bench/bench.h +++ b/examples/bench/bench.h @@ -26,7 +26,8 @@ extern "C" { #endif -int TPM2_Wrapper_Bench(void* userCtx, int argc, char *argv[]); +int TPM2_Wrapper_BenchArgs(void* userCtx, int argc, char *argv[]); +int TPM2_Wrapper_Bench(void* userCtx); #ifdef __cplusplus } /* extern "C" */ diff --git a/examples/csr/csr.c b/examples/csr/csr.c index 07b1042..2ac8865 100644 --- a/examples/csr/csr.c +++ b/examples/csr/csr.c @@ -137,7 +137,11 @@ exit: return rc; } -int TPM2_CSR_Example(void* userCtx, int argc, char *argv[]) +int TPM2_CSR_Example(void* userCtx) +{ + return TPM2_CSR_ExampleArgs(userCtx, 0, NULL); +} +int TPM2_CSR_ExampleArgs(void* userCtx, int argc, char *argv[]) { int rc; WOLFTPM2_DEV dev; @@ -243,7 +247,7 @@ int main(int argc, char *argv[]) #if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) && \ defined(WOLFSSL_CERT_REQ) && \ (defined(WOLF_CRYPTO_DEV) || defined(WOLF_CRYPTO_CB)) - rc = TPM2_CSR_Example(NULL, argc, argv); + rc = TPM2_CSR_ExampleArgs(NULL, argc, argv); #else (void)argc; (void)argv; diff --git a/examples/csr/csr.h b/examples/csr/csr.h index 84a1883..f47862d 100644 --- a/examples/csr/csr.h +++ b/examples/csr/csr.h @@ -26,7 +26,8 @@ extern "C" { #endif -int TPM2_CSR_Example(void* userCtx, int argc, char *argv[]); +int TPM2_CSR_Example(void* userCtx); +int TPM2_CSR_ExampleArgs(void* userCtx, int argc, char *argv[]); #ifdef __cplusplus } /* extern "C" */ diff --git a/examples/keygen/keygen.c b/examples/keygen/keygen.c index a73dcef..d7ea1fd 100644 --- a/examples/keygen/keygen.c +++ b/examples/keygen/keygen.c @@ -37,9 +37,10 @@ static void usage(void) { printf("Expected usage:\n"); - printf("keygen [keyblob.bin] [-ECC/-RSA] [-T] [-e]\n"); - printf("-T: Use default template (otherwise AIK)\n"); - printf("-e: Use Parameter Encryption\n"); + printf("./examples/keygen/keygen [keyblob.bin] [-ecc/-rsa] [-t] [-aes/xor]\n"); + printf("* -ecc: Use RSA or ECC for keys\n"); + printf("* -t: Use default template (otherwise AIK)\n"); + printf("* -aes/xor: Use Parameter Encryption\n"); } int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[]) @@ -50,7 +51,7 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[]) WOLFTPM2_KEYBLOB newKey; TPMT_PUBLIC publicTemplate; TPMI_ALG_PUBLIC alg = TPM_ALG_RSA; /* TPM_ALG_ECC */ - int useParamEnc = 0; + TPM_ALG_ID paramEncAlg = TPM_ALG_NULL; WOLFTPM2_SESSION tpmSession; TPM2B_AUTH auth; int bAIK = 1; @@ -71,14 +72,17 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[]) outputFile = argv[1]; } while (argc > 1) { - if (XSTRNCMP(argv[argc-1], "-ECC", 4) == 0) { + if (XSTRNCMP(argv[argc-1], "-ecc", 4) == 0) { alg = TPM_ALG_ECC; } - if (XSTRNCMP(argv[argc-1], "-T", 2) == 0) { + if (XSTRNCMP(argv[argc-1], "-t", 2) == 0) { bAIK = 0; } - if (XSTRNCMP(argv[argc-1], "-e", 2) == 0) { - useParamEnc = 1; + if (XSTRNCMP(argv[argc-1], "-aes", 4) == 0) { + paramEncAlg = TPM_ALG_CFB; + } + if (XSTRNCMP(argv[argc-1], "-xor", 4) == 0) { + paramEncAlg = TPM_ALG_XOR; } argc--; } @@ -92,7 +96,7 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[]) printf("\tKey Blob: %s\n", outputFile); printf("\tAlgorithm: %s\n", TPM2_GetAlgName(alg)); printf("\tTemplate: %s\n", bAIK ? "AIK" : "Default"); - printf("\tUse Parameter Encryption: %d\n", useParamEnc); + printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg)); rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx); if (rc != TPM_RC_SUCCESS) { @@ -104,10 +108,10 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[]) rc = getPrimaryStoragekey(&dev, &storage, TPM_ALG_RSA); if (rc != 0) goto exit; - if (useParamEnc) { - /* Start an authenticated session (salted / unbound with AES CFB parameter encryption) */ + if (paramEncAlg != TPM_ALG_NULL) { + /* Start an authenticated session (salted / unbound) with parameter encryption */ rc = wolfTPM2_StartSession(&dev, &tpmSession, &storage, NULL, - TPM_SE_POLICY, TPM_ALG_CFB); + TPM_SE_HMAC, paramEncAlg); if (rc != 0) goto exit; printf("TPM2_StartAuthSession: sessionHandle 0x%x\n", (word32)tpmSession.handle.hndl); diff --git a/examples/keygen/keygen.h b/examples/keygen/keygen.h index 41e0266..5354ad9 100644 --- a/examples/keygen/keygen.h +++ b/examples/keygen/keygen.h @@ -29,8 +29,6 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[]); int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[]); int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[]); -int TPM2_Keygen_ParamEnc_Example(void* userCtx, int argc, char *argv[]); -int TPM2_Keyload_ParamEnc_Example(void* userCtx, int argc, char *argv[]); #ifdef __cplusplus } /* extern "C" */ diff --git a/examples/keygen/keyimport.c b/examples/keygen/keyimport.c index 7021375..b922afa 100644 --- a/examples/keygen/keyimport.c +++ b/examples/keygen/keyimport.c @@ -38,11 +38,11 @@ static void usage(void) { printf("Expected usage:\n"); - printf("keyimport [keyblob.bin] [-ECC/-RSA] [-e]\n"); - printf("-e: Use Parameter Encryption\n"); + printf("./examples/keygen/keyimport [keyblob.bin] [-ecc/-rsa] [-aes/xor]\n"); + printf("* -ecc: Use RSA or ECC for keys\n"); + printf("* -aes/xor: Use Parameter Encryption\n"); } - int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[]) { int rc; @@ -50,7 +50,7 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[]) WOLFTPM2_KEY storage; /* SRK */ WOLFTPM2_KEYBLOB impKey; TPMI_ALG_PUBLIC alg = TPM_ALG_RSA; /* TPM_ALG_ECC */ - int useParamEnc = 0; + TPM_ALG_ID paramEncAlg = TPM_ALG_NULL; WOLFTPM2_SESSION tpmSession; #if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_FILESYSTEM) XFILE f; @@ -70,11 +70,14 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[]) outputFile = argv[1]; } while (argc > 1) { - if (XSTRNCMP(argv[argc-1], "-ECC", 4) == 0) { + if (XSTRNCMP(argv[argc-1], "-ecc", 4) == 0) { alg = TPM_ALG_ECC; } - if (XSTRNCMP(argv[argc-1], "-e", 2) == 0) { - useParamEnc = 1; + if (XSTRNCMP(argv[argc-1], "-aes", 4) == 0) { + paramEncAlg = TPM_ALG_CFB; + } + if (XSTRNCMP(argv[argc-1], "-xor", 4) == 0) { + paramEncAlg = TPM_ALG_XOR; } argc--; } @@ -86,7 +89,7 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[]) printf("TPM2.0 Key Import example\n"); printf("\tKey Blob: %s\n", outputFile); printf("\tAlgorithm: %s\n", TPM2_GetAlgName(alg)); - printf("\tUse Parameter Encryption: %d\n", useParamEnc); + printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg)); rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx); if (rc != TPM_RC_SUCCESS) { @@ -98,10 +101,10 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[]) rc = getPrimaryStoragekey(&dev, &storage, TPM_ALG_RSA); if (rc != 0) goto exit; - if (useParamEnc) { - /* Start an authenticated session (salted / unbound with AES CFB parameter encryption) */ + if (paramEncAlg != TPM_ALG_NULL) { + /* Start an authenticated session (salted / unbound) with parameter encryption */ rc = wolfTPM2_StartSession(&dev, &tpmSession, &storage, NULL, - TPM_SE_POLICY, TPM_ALG_CFB); + TPM_SE_HMAC, paramEncAlg); if (rc != 0) goto exit; printf("TPM2_StartAuthSession: sessionHandle 0x%x\n", (word32)tpmSession.handle.hndl); diff --git a/examples/keygen/keyload.c b/examples/keygen/keyload.c index 1a74208..42d05f4 100644 --- a/examples/keygen/keyload.c +++ b/examples/keygen/keyload.c @@ -46,8 +46,8 @@ static void usage(void) { printf("Expected usage:\n"); - printf("keyload [keyblob.bin] [-e]\n"); - printf("-e: Use Parameter Encryption\n"); + printf("./examples/keygen/keyload [keyblob.bin] [-aes/xor]\n"); + printf("* -aes/xor: Use Parameter Encryption\n"); } int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[]) @@ -56,7 +56,7 @@ int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[]) WOLFTPM2_DEV dev; WOLFTPM2_KEY storage; /* SRK */ WOLFTPM2_KEYBLOB newKey; - int useParamEnc = 0; + TPM_ALG_ID paramEncAlg = TPM_ALG_NULL; WOLFTPM2_SESSION tpmSession; #if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_FILESYSTEM) XFILE f; @@ -75,8 +75,11 @@ int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[]) inputFile = argv[1]; } while (argc > 1) { - if (XSTRNCMP(argv[argc-1], "-e", 2) == 0) { - useParamEnc = 1; + if (XSTRNCMP(argv[argc-1], "-aes", 4) == 0) { + paramEncAlg = TPM_ALG_CFB; + } + if (XSTRNCMP(argv[argc-1], "-xor", 4) == 0) { + paramEncAlg = TPM_ALG_XOR; } argc--; } @@ -87,7 +90,7 @@ int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[]) printf("TPM2.0 Key load example\n"); printf("\tKey Blob: %s\n", inputFile); - printf("\tUse Parameter Encryption: %d\n", useParamEnc); + printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg)); rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx); if (rc != TPM_RC_SUCCESS) { @@ -99,10 +102,10 @@ int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[]) rc = getPrimaryStoragekey(&dev, &storage, TPM_ALG_RSA); if (rc != 0) goto exit; - if (useParamEnc) { - /* Start an authenticated session (salted / unbound with AES CFB parameter encryption) */ + if (paramEncAlg != TPM_ALG_NULL) { + /* Start an authenticated session (salted / unbound) with parameter encryption */ rc = wolfTPM2_StartSession(&dev, &tpmSession, &storage, NULL, - TPM_SE_POLICY, TPM_ALG_CFB); + TPM_SE_HMAC, paramEncAlg); if (rc != 0) goto exit; printf("TPM2_StartAuthSession: sessionHandle 0x%x\n", (word32)tpmSession.handle.hndl); diff --git a/examples/native/native_test.c b/examples/native/native_test.c index 69c643b..c7e9226 100644 --- a/examples/native/native_test.c +++ b/examples/native/native_test.c @@ -53,7 +53,11 @@ typedef struct tmpHandle { } TpmHandle; -int TPM2_Native_Test(void* userCtx, int argc, char *argv[]) +int TPM2_Native_Test(void* userCtx) +{ + return TPM2_Native_TestArgs(userCtx, 0, NULL); +} +int TPM2_Native_TestArgs(void* userCtx, int argc, char *argv[]) { int rc; TPM2_CTX tpm2Ctx; @@ -377,7 +381,8 @@ int TPM2_Native_Test(void* userCtx, int argc, char *argv[]) } /* PCR Extend and Verify */ - pcrIndex = 16; /* Working with PCR16 because of next PCR Reset test */ + /* Working with PCR16 because of next PCR Reset test */ + pcrIndex = TPM2_TEST_PCR; XMEMSET(&cmdIn.pcrExtend, 0, sizeof(cmdIn.pcrExtend)); cmdIn.pcrExtend.pcrHandle = pcrIndex; cmdIn.pcrExtend.digests.count = 1; @@ -414,9 +419,9 @@ int TPM2_Native_Test(void* userCtx, int argc, char *argv[]) /* PCR Reset Only PCR16(DEBUG) and PCR23(Application specific) can be reset - in locality 0. This is the only locality supoprted by wolfTPM. + in locality 0. This is the only locality supported by wolfTPM. */ - pcrIndex = 16; + pcrIndex = TPM2_TEST_PCR; XMEMSET(&cmdIn.pcrReset, 0, sizeof(cmdIn.pcrReset)); cmdIn.pcrReset.pcrHandle = pcrIndex; rc = TPM2_PCR_Reset(&cmdIn.pcrReset); @@ -1373,7 +1378,7 @@ int main(int argc, char *argv[]) { int rc; - rc = TPM2_Native_Test(NULL, argc, argv); + rc = TPM2_Native_TestArgs(NULL, argc, argv); return rc; } diff --git a/examples/native/native_test.h b/examples/native/native_test.h index 9bd4c4c..77ab41d 100644 --- a/examples/native/native_test.h +++ b/examples/native/native_test.h @@ -26,7 +26,8 @@ extern "C" { #endif -int TPM2_Native_Test(void* userCtx, int argc, char *argv[]); +int TPM2_Native_Test(void* userCtx); +int TPM2_Native_TestArgs(void* userCtx, int argc, char *argv[]); #ifdef __cplusplus } /* extern "C" */ diff --git a/examples/pcr/extend.c b/examples/pcr/extend.c index e15ca94..c5e1d82 100644 --- a/examples/pcr/extend.c +++ b/examples/pcr/extend.c @@ -45,8 +45,8 @@ static void usage(void) { printf("Expected usage:\n"); printf("./examples/pcr/extend [pcr] [filename]\n"); - printf("* pcr is a PCR index between 0-23 (default %d)\n", TPM2_TEST_PCR); - printf("* filename points to file(data) to measure\n"); + printf("* pcr: PCR index between 0-23 (default %d)\n", TPM2_TEST_PCR); + printf("* filename: points to file(data) to measure\n"); printf("\tIf wolfTPM is built with --disable-wolfcrypt the file\n" "\tmust contain SHA256 digest ready for extend operation.\n" "\tOtherwise, the extend tool computes the hash using wolfcrypt.\n"); diff --git a/examples/pcr/quote.c b/examples/pcr/quote.c index 6cffdac..a83b7f8 100644 --- a/examples/pcr/quote.c +++ b/examples/pcr/quote.c @@ -41,13 +41,14 @@ static void usage(void) { printf("Expected usage:\n"); - printf("./examples/pcr/quote [pcr] [filename] [-e]\n"); - printf("* pcr is a PCR index between 0-23 (default %d)\n", TPM2_TEST_PCR); - printf("* filename for saving the TPMS_ATTEST structure to a file\n"); + printf("./examples/pcr/quote [pcr] [filename] [-ecc] [-aes/xor]\n"); + printf("* pcr: PCR index between 0-23 (default %d)\n", TPM2_TEST_PCR); + printf("* filename: for saving the TPMS_ATTEST structure to a file\n"); + printf("* -ecc: Use RSA or ECC for EK/AIK\n"); + printf("* -aes/xor: Use Parameter Encryption\n"); printf("Demo usage without parameters, generates quote over PCR%d and\n" "saves the output TPMS_ATTEST structure to \"quote.blob\" file.\n", TPM2_TEST_PCR); - printf("-e: Use Parameter Encryption\n"); } int TPM2_Quote_Test(void* userCtx, int argc, char *argv[]) @@ -58,11 +59,10 @@ int TPM2_Quote_Test(void* userCtx, int argc, char *argv[]) int dataSz; WOLFTPM2_DEV dev; TPMS_ATTEST attestedData; - + TPMI_ALG_PUBLIC alg = TPM_ALG_RSA; /* TPM_ALG_ECC */ WOLFTPM2_KEY endorse; /* EK */ WOLFTPM2_KEY storage; /* SRK */ - WOLFTPM2_KEY rsaKey; /* AIK */ - + WOLFTPM2_KEY aik; /* AIK */ union { Quote_In quoteAsk; byte maxInput[MAX_COMMAND_SIZE]; @@ -71,12 +71,17 @@ int TPM2_Quote_Test(void* userCtx, int argc, char *argv[]) Quote_Out quoteResult; byte maxOutput[MAX_RESPONSE_SIZE]; } cmdOut; - int useParamEnc = 0; + TPM_ALG_ID paramEncAlg = TPM_ALG_NULL; WOLFTPM2_SESSION tpmSession; #if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_FILESYSTEM) XFILE f; #endif + XMEMSET(&endorse, 0, sizeof(endorse)); + XMEMSET(&storage, 0, sizeof(storage)); + XMEMSET(&aik, 0, sizeof(aik)); + XMEMSET(&tpmSession, 0, sizeof(tpmSession)); + if (argc >= 2) { if (XSTRNCMP(argv[1], "-?", 2) == 0 || XSTRNCMP(argv[1], "-h", 2) == 0 || @@ -98,21 +103,23 @@ int TPM2_Quote_Test(void* userCtx, int argc, char *argv[]) outputFile = argv[2]; } while (argc > 1) { - if (XSTRNCMP(argv[argc-1], "-e", 2) == 0) { - useParamEnc = 1; + if (XSTRNCMP(argv[argc-1], "-ecc", 4) == 0) { + alg = TPM_ALG_ECC; + } + if (XSTRNCMP(argv[argc-1], "-aes", 4) == 0) { + paramEncAlg = TPM_ALG_CFB; + } + if (XSTRNCMP(argv[argc-1], "-xor", 4) == 0) { + paramEncAlg = TPM_ALG_XOR; } argc--; } - XMEMSET(&endorse, 0, sizeof(endorse)); - XMEMSET(&storage, 0, sizeof(storage)); - XMEMSET(&rsaKey, 0, sizeof(rsaKey)); - XMEMSET(&tpmSession, 0, sizeof(tpmSession)); - printf("PCR Quote example - Demo of signed PCR measurement\n"); printf("\tOutput file: %s\n", outputFile); printf("\tPCR Index: %d\n", pcrIndex); - printf("\tUse Parameter Encryption: %d\n", useParamEnc); + printf("\tUse %s SRK/AIK\n", TPM2_GetAlgName(alg)); + printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg)); rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx); if (rc != TPM_RC_SUCCESS) { @@ -122,7 +129,7 @@ int TPM2_Quote_Test(void* userCtx, int argc, char *argv[]) printf("wolfTPM2_Init: success\n"); /* Create Endorsement Key, also called EK */ - rc = wolfTPM2_CreateEK(&dev, &endorse, TPM_ALG_RSA); + rc = wolfTPM2_CreateEK(&dev, &endorse, alg); if (rc != TPM_RC_SUCCESS) { printf("wolfTPM2_CreateEK: Endorsement failed 0x%x: %s\n", rc, TPM2_GetRCString(rc)); @@ -132,11 +139,11 @@ int TPM2_Quote_Test(void* userCtx, int argc, char *argv[]) (word32)endorse.handle.hndl, endorse.pub.size); /* get SRK */ - rc = getPrimaryStoragekey(&dev, &storage, TPM_ALG_RSA); + rc = getPrimaryStoragekey(&dev, &storage, alg); if (rc != 0) goto exit; - /* Create an RSA key for Attestation purposes */ - rc = wolfTPM2_CreateAndLoadAIK(&dev, &rsaKey, TPM_ALG_RSA, &storage, + /* Create key for Attestation purposes */ + rc = wolfTPM2_CreateAndLoadAIK(&dev, &aik, alg, &storage, (const byte*)gUsageAuth, sizeof(gUsageAuth)-1); if (rc != TPM_RC_SUCCESS) { printf("wolfTPM2_CreateAndLoadAIK failed 0x%x: %s\n", rc, @@ -144,12 +151,12 @@ int TPM2_Quote_Test(void* userCtx, int argc, char *argv[]) goto exit; } printf("wolfTPM2_CreateAndLoadAIK: AIK 0x%x (%d bytes)\n", - (word32)rsaKey.handle.hndl, rsaKey.pub.size); + (word32)aik.handle.hndl, aik.pub.size); - if (useParamEnc) { - /* Start an authenticated session (salted / unbound with AES CFB parameter encryption) */ + if (paramEncAlg != TPM_ALG_NULL) { + /* Start an authenticated session (salted / unbound) with parameter encryption */ rc = wolfTPM2_StartSession(&dev, &tpmSession, &storage, NULL, - TPM_SE_POLICY, TPM_ALG_CFB); + TPM_SE_HMAC, paramEncAlg); if (rc != 0) goto exit; printf("TPM2_StartAuthSession: sessionHandle 0x%x\n", (word32)tpmSession.handle.hndl); @@ -161,14 +168,14 @@ int TPM2_Quote_Test(void* userCtx, int argc, char *argv[]) } /* set auth for using the AIK */ - wolfTPM2_SetAuthHandle(&dev, 0, &rsaKey.handle); + wolfTPM2_SetAuthHandle(&dev, 0, &aik.handle); /* Prepare Quote request */ XMEMSET(&cmdIn.quoteAsk, 0, sizeof(cmdIn.quoteAsk)); XMEMSET(&cmdOut.quoteResult, 0, sizeof(cmdOut.quoteResult)); - cmdIn.quoteAsk.signHandle = rsaKey.handle.hndl; - cmdIn.quoteAsk.inScheme.scheme = TPM_ALG_RSASSA; - cmdIn.quoteAsk.inScheme.details.rsassa.hashAlg = TPM_ALG_SHA256; + cmdIn.quoteAsk.signHandle = aik.handle.hndl; + cmdIn.quoteAsk.inScheme.scheme = alg == TPM_ALG_RSA ? TPM_ALG_RSASSA : TPM_ALG_ECDSA; + cmdIn.quoteAsk.inScheme.details.any.hashAlg = TPM_ALG_SHA256; cmdIn.quoteAsk.qualifyingData.size = 0; /* optional */ /* Choose PCR for signing */ TPM2_SetupPCRSel(&cmdIn.quoteAsk.PCRselect, TPM_ALG_SHA256, pcrIndex); @@ -223,7 +230,7 @@ int TPM2_Quote_Test(void* userCtx, int argc, char *argv[]) exit: /* Close key handles */ - wolfTPM2_UnloadHandle(&dev, &rsaKey.handle); + wolfTPM2_UnloadHandle(&dev, &aik.handle); wolfTPM2_UnloadHandle(&dev, &storage.handle); wolfTPM2_UnloadHandle(&dev, &endorse.handle); wolfTPM2_UnloadHandle(&dev, &tpmSession.handle); diff --git a/examples/pkcs7/pkcs7.c b/examples/pkcs7/pkcs7.c index 5eb952b..0760499 100644 --- a/examples/pkcs7/pkcs7.c +++ b/examples/pkcs7/pkcs7.c @@ -292,8 +292,11 @@ exit: return rc; } - -int TPM2_PKCS7_Example(void* userCtx, int argc, char *argv[]) +int TPM2_PKCS7_Example(void* userCtx) +{ + return TPM2_PKCS7_ExampleArgs(userCtx, 0, NULL); +} +int TPM2_PKCS7_ExampleArgs(void* userCtx, int argc, char *argv[]) { int rc; WOLFTPM2_DEV dev; @@ -409,7 +412,7 @@ int main(int argc, char *argv[]) #if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) && \ defined(HAVE_PKCS7) && \ (defined(WOLF_CRYPTO_DEV) || defined(WOLF_CRYPTO_CB)) - rc = TPM2_PKCS7_Example(NULL, argc, argv); + rc = TPM2_PKCS7_ExampleArgs(NULL, argc, argv); #else (void)argc; (void)argv; diff --git a/examples/pkcs7/pkcs7.h b/examples/pkcs7/pkcs7.h index dcb07da..814814e 100644 --- a/examples/pkcs7/pkcs7.h +++ b/examples/pkcs7/pkcs7.h @@ -26,7 +26,8 @@ extern "C" { #endif -int TPM2_PKCS7_Example(void* userCtx, int argc, char *argv[]); +int TPM2_PKCS7_Example(void* userCtx); +int TPM2_PKCS7_ExampleArgs(void* userCtx, int argc, char *argv[]); #ifdef __cplusplus } /* extern "C" */ diff --git a/examples/timestamp/clock_set.c b/examples/timestamp/clock_set.c index bba3b5c..aad6c60 100644 --- a/examples/timestamp/clock_set.c +++ b/examples/timestamp/clock_set.c @@ -39,7 +39,7 @@ static void usage(void) { printf("Expected usage:\n"); - printf("./examples/clock/clockSet [time]\n"); + printf("./examples/clock/clock_set [time]\n"); printf("* time is a value in miliseconds used as increment (optional)\n"); printf("* Default time value is 50000 ms (50 seconds)\n"); printf("\tThe TPM clock can be set only forward.\n"); diff --git a/examples/timestamp/include.am b/examples/timestamp/include.am index 580dbf0..109bffe 100644 --- a/examples/timestamp/include.am +++ b/examples/timestamp/include.am @@ -5,7 +5,8 @@ if BUILD_EXAMPLES noinst_PROGRAMS += examples/timestamp/signed_timestamp noinst_HEADERS += examples/timestamp/signed_timestamp.h examples_timestamp_signed_timestamp_SOURCES = examples/timestamp/signed_timestamp.c \ - examples/tpm_io.c + examples/tpm_io.c \ + examples/tpm_test_keys.c examples_timestamp_signed_timestamp_LDADD = src/libwolftpm.la $(LIB_STATIC_ADD) examples_timestamp_signed_timestamp_DEPENDENCIES = src/libwolftpm.la endif diff --git a/examples/timestamp/signed_timestamp.c b/examples/timestamp/signed_timestamp.c index db48d2c..3c01ec2 100644 --- a/examples/timestamp/signed_timestamp.c +++ b/examples/timestamp/signed_timestamp.c @@ -29,6 +29,7 @@ #include #include +#include #include "signed_timestamp.h" #include @@ -38,48 +39,72 @@ /* --- BEGIN TPM Timestamp Test -- */ /******************************************************************************/ -int TPM2_Timestamp_Test(void* userCtx, int argc, char *argv[]) +static void usage(void) +{ + printf("Expected usage:\n"); + printf("./examples/timestamp/signed_timestamp [-ecc] [-aes/xor]\n"); + printf("* -ecc: Use RSA or ECC for EK/AIK\n"); + printf("* -aes/xor: Use Parameter Encryption\n"); +} + +int TPM2_Timestamp_Test(void* userCtx) +{ + return TPM2_Timestamp_TestArgs(userCtx, 0, NULL); +} +int TPM2_Timestamp_TestArgs(void* userCtx, int argc, char *argv[]) { int rc; WOLFTPM2_DEV dev; TPMS_ATTEST attestedData; -#ifdef WOLFTPM_WINAPI - int tryNVkey = 0; -#else - int tryNVkey = 1; -#endif - union { - /* For managing TPM session */ - StartAuthSession_In authSes; PolicySecret_In policySecret; - /* For removing keys after use */ - FlushContext_In flushCtx; byte maxInput[MAX_COMMAND_SIZE]; } cmdIn; union { ReadClock_Out readClock; GetTime_Out getTime; - /* Output from session operations */ - StartAuthSession_Out authSes; PolicySecret_Out policySecret; byte maxOutput[MAX_RESPONSE_SIZE]; } cmdOut; - - TPM_HANDLE sessionHandle = TPM_RH_NULL; - WOLFTPM2_KEY endorse; /* EK */ WOLFTPM2_KEY storage; /* SRK */ - WOLFTPM2_KEY rsaKey; /* AIK */ - - (void)argc; - (void)argv; + WOLFTPM2_KEY aik; /* AIK */ + TPMI_ALG_PUBLIC alg = TPM_ALG_RSA; /* TPM_ALG_ECC */ + TPM_ALG_ID paramEncAlg = TPM_ALG_NULL; + WOLFTPM2_SESSION tpmSession; + TPMA_SESSION sessionAttributes; XMEMSET(&endorse, 0, sizeof(endorse)); XMEMSET(&storage, 0, sizeof(storage)); - XMEMSET(&rsaKey, 0, sizeof(rsaKey)); + XMEMSET(&aik, 0, sizeof(aik)); + XMEMSET(&tpmSession, 0, sizeof(tpmSession)); + + if (argc >= 2) { + if (XSTRNCMP(argv[1], "-?", 2) == 0 || + XSTRNCMP(argv[1], "-h", 2) == 0 || + XSTRNCMP(argv[1], "--help", 6) == 0) { + usage(); + return 0; + } + } + while (argc > 1) { + if (XSTRNCMP(argv[argc-1], "-ecc", 4) == 0) { + alg = TPM_ALG_ECC; + } + if (XSTRNCMP(argv[argc-1], "-aes", 4) == 0) { + paramEncAlg = TPM_ALG_CFB; + } + if (XSTRNCMP(argv[argc-1], "-xor", 4) == 0) { + paramEncAlg = TPM_ALG_XOR; + } + argc--; + } printf("TPM2 Demo of generating signed timestamp from the TPM\n"); + printf("\tUse %s SRK/AIK\n", TPM2_GetAlgName(alg)); + printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg)); + + rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx); if (rc != TPM_RC_SUCCESS) { printf("wolfTPM2_Init failed 0x%x: %s\n", rc, TPM2_GetRCString(rc)); @@ -99,7 +124,7 @@ int TPM2_Timestamp_Test(void* userCtx, int argc, char *argv[]) /* Create Endorsement Key, also called EK */ - rc = wolfTPM2_CreateEK(&dev, &endorse, TPM_ALG_RSA); + rc = wolfTPM2_CreateEK(&dev, &endorse, alg); if (rc != TPM_RC_SUCCESS) { printf("wolfTPM2_CreateEK: Endorsement failed 0x%x: %s\n", rc, TPM2_GetRCString(rc)); @@ -109,45 +134,8 @@ int TPM2_Timestamp_Test(void* userCtx, int argc, char *argv[]) (word32)endorse.handle.hndl, endorse.pub.size); - /* Create RSA Storage Key, also called SRK */ - /* See if SRK already exists */ - if (tryNVkey) { - rc = wolfTPM2_ReadPublicKey(&dev, &storage, TPM2_DEMO_STORAGE_KEY_HANDLE); -#ifdef TEST_WRAP_DELETE_KEY - if (rc == 0) { - storage.handle.hndl = TPM2_DEMO_STORAGE_KEY_HANDLE; - rc = wolfTPM2_NVDeleteKey(&dev, TPM_RH_OWNER, &storage); - if (rc != 0) goto exit; - rc = TPM_RC_HANDLE; /* mark handle as missing */ - } -#endif - } - - if (!tryNVkey || (tryNVkey && rc != 0)) { - /* Create primary storage key (RSA) */ - rc = wolfTPM2_CreateSRK(&dev, &storage, TPM_ALG_RSA, - (byte*)gStorageKeyAuth, sizeof(gStorageKeyAuth)-1); - if (rc != 0) goto exit; - - if (tryNVkey) { - /* Move storage key into persistent NV */ - rc = wolfTPM2_NVStoreKey(&dev, TPM_RH_OWNER, &storage, - TPM2_DEMO_STORAGE_KEY_HANDLE); - if (rc != 0) { - wolfTPM2_UnloadHandle(&dev, &storage.handle); - goto exit; - } - } - - printf("Created new RSA Primary Storage Key at 0x%x\n", - storage.handle.hndl); - } - else { - /* specify auth password for storage key */ - storage.handle.auth.size = sizeof(gStorageKeyAuth)-1; - XMEMCPY(storage.handle.auth.buffer, gStorageKeyAuth, - storage.handle.auth.size); - } + /* Create Storage Key, also called SRK */ + rc = getPrimaryStoragekey(&dev, &storage, alg); if (rc != TPM_RC_SUCCESS) { printf("wolfTPM2_CreateSRK: Storage failed 0x%x: %s\n", rc, TPM2_GetRCString(rc)); @@ -156,36 +144,21 @@ int TPM2_Timestamp_Test(void* userCtx, int argc, char *argv[]) printf("wolfTPM2_CreateSRK: Storage 0x%x (%d bytes)\n", (word32)storage.handle.hndl, storage.pub.size); + /* Start an authenticated session (salted / unbound) */ + rc = wolfTPM2_StartSession(&dev, &tpmSession, NULL, NULL, + TPM_SE_POLICY, paramEncAlg); + if (rc != 0) goto exit; + printf("TPM2_StartAuthSession: sessionHandle 0x%x\n", + (word32)tpmSession.handle.hndl); - /* Start Auth Session */ - XMEMSET(&cmdIn.authSes, 0, sizeof(cmdIn.authSes)); - cmdIn.authSes.sessionType = TPM_SE_POLICY; - cmdIn.authSes.tpmKey = TPM_RH_NULL; - cmdIn.authSes.bind = TPM_RH_NULL; - cmdIn.authSes.symmetric.algorithm = TPM_ALG_NULL; - cmdIn.authSes.authHash = TPM_ALG_SHA256; - cmdIn.authSes.nonceCaller.size = TPM_SHA256_DIGEST_SIZE; - rc = TPM2_GetNonce(cmdIn.authSes.nonceCaller.buffer, - cmdIn.authSes.nonceCaller.size); - if (rc < 0) { - printf("TPM2_GetNonce failed 0x%x: %s\n", rc, - TPM2_GetRCString(rc)); - goto exit; - } - rc = TPM2_StartAuthSession(&cmdIn.authSes, &cmdOut.authSes); - if (rc != TPM_RC_SUCCESS) { - printf("TPM2_StartAuthSession failed 0x%x: %s\n", rc, - TPM2_GetRCString(rc)); - goto exit; - } - sessionHandle = cmdOut.authSes.sessionHandle; - printf("TPM2_StartAuthSession: sessionHandle 0x%x\n", (word32)sessionHandle); - + /* Set the endorsement password (blank) */ + rc = wolfTPM2_SetAuthPassword(&dev, 0, NULL); + if (rc != 0) goto exit; /* Set PolicySecret for our session to enable use of the Endorsement Hierarchy */ XMEMSET(&cmdIn.policySecret, 0, sizeof(cmdIn.policySecret)); cmdIn.policySecret.authHandle = TPM_RH_ENDORSEMENT; - cmdIn.policySecret.policySession = sessionHandle; + cmdIn.policySecret.policySession = tpmSession.handle.hndl; rc = TPM2_PolicySecret(&cmdIn.policySecret, &cmdOut.policySecret); if (rc != TPM_RC_SUCCESS) { printf("policySecret failed 0x%x: %s\n", rc, TPM2_GetRCString(rc)); @@ -193,14 +166,13 @@ int TPM2_Timestamp_Test(void* userCtx, int argc, char *argv[]) } printf("TPM2_policySecret success\n"); /* No use of the output */ - /* At this stage, the EK is created and NULL password has already been set * The EH is enabled through policySecret over the active TPM session and * the creation of Attestation Identity Key (AIK) under the EH can take place. */ - /* Create an Attestation RSA key (AIK) */ - rc = wolfTPM2_CreateAndLoadAIK(&dev, &rsaKey, TPM_ALG_RSA, &storage, + /* Create an Attestation key (AIK) */ + rc = wolfTPM2_CreateAndLoadAIK(&dev, &aik, alg, &storage, (const byte*)gAiKeyAuth, sizeof(gAiKeyAuth)-1); if (rc != TPM_RC_SUCCESS) { printf("wolfTPM2_CreateAndLoadAIK failed 0x%x: %s\n", rc, @@ -208,14 +180,27 @@ int TPM2_Timestamp_Test(void* userCtx, int argc, char *argv[]) goto exit; } printf("wolfTPM2_CreateAndLoadAIK: AIK 0x%x (%d bytes)\n", - (word32)rsaKey.handle.hndl, rsaKey.pub.size); + (word32)aik.handle.hndl, aik.pub.size); /* set NULL password auth for using EK */ wolfTPM2_SetAuthPassword(&dev, 0, NULL); /* set auth for using the AIK */ - wolfTPM2_SetAuthHandle(&dev, 1, &rsaKey.handle); + wolfTPM2_SetAuthHandle(&dev, 1, &aik.handle); + + /* set session for authorization of the storage key */ + sessionAttributes = TPMA_SESSION_continueSession; + if (paramEncAlg != TPM_ALG_NULL) { + sessionAttributes |= (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt); + } +#if 0 + /* TODO: Investigate param enc with signed timestamp */ + rc = wolfTPM2_SetAuthSession(&dev, 2, &tpmSession, sessionAttributes); + if (rc != 0) goto exit; +#else + (void)sessionAttributes; +#endif /* At this stage: The EK is created, AIK is created and loaded, * Endorsement Hierarchy is enabled through policySecret, @@ -224,7 +209,7 @@ int TPM2_Timestamp_Test(void* userCtx, int argc, char *argv[]) */ /* Get signed by the TPM timestamp using the AIK key */ - rc = wolfTPM2_GetTime(&rsaKey, &cmdOut.getTime); + rc = wolfTPM2_GetTime(&aik, &cmdOut.getTime); if (rc != TPM_RC_SUCCESS) { printf("wolfTPM2_GetTime failed 0x%x: %s\n", rc, TPM2_GetRCString(rc)); @@ -269,19 +254,9 @@ exit: printf("Failure 0x%x: %s\n", rc, wolfTPM2_GetRCString(rc)); } - /* Close session */ - if (sessionHandle != TPM_RH_NULL) { - cmdIn.flushCtx.flushHandle = sessionHandle; - TPM2_FlushContext(&cmdIn.flushCtx); - } - - /* Close key handles */ - if (!tryNVkey) { - wolfTPM2_UnloadHandle(&dev, &storage.handle); - } - - wolfTPM2_UnloadHandle(&dev, &rsaKey.handle); + wolfTPM2_UnloadHandle(&dev, &aik.handle); wolfTPM2_UnloadHandle(&dev, &endorse.handle); + wolfTPM2_UnloadHandle(&dev, &tpmSession.handle); wolfTPM2_Cleanup(&dev); return rc; @@ -300,7 +275,7 @@ int main(int argc, char *argv[]) int rc = -1; #ifndef WOLFTPM2_NO_WRAPPER - rc = TPM2_Timestamp_Test(NULL, argc, argv); + rc = TPM2_Timestamp_TestArgs(NULL, argc, argv); #else printf("Wrapper code not compiled in\n"); #endif /* !WOLFTPM2_NO_WRAPPER */ diff --git a/examples/timestamp/signed_timestamp.h b/examples/timestamp/signed_timestamp.h index a7f3a20..b33d679 100644 --- a/examples/timestamp/signed_timestamp.h +++ b/examples/timestamp/signed_timestamp.h @@ -26,7 +26,8 @@ extern "C" { #endif -int TPM2_Timestamp_Test(void* userCtx, int argc, char *argv[]); +int TPM2_Timestamp_Test(void* userCtx); +int TPM2_Timestamp_TestArgs(void* userCtx, int argc, char *argv[]); #ifdef __cplusplus } /* extern "C" */ diff --git a/examples/tls/tls_client.c b/examples/tls/tls_client.c index 530c2df..2dff856 100644 --- a/examples/tls/tls_client.c +++ b/examples/tls/tls_client.c @@ -77,7 +77,20 @@ /******************************************************************************/ /* --- BEGIN TPM TLS Client Example -- */ /******************************************************************************/ -int TPM2_TLS_Client(void* userCtx, int argc, char *argv[]) +static void usage(void) +{ + printf("Expected usage:\n"); + printf("./examples/tls/tls_client [-ecc] [-aes/xor]\n"); + printf("* -ecc: Use RSA or ECC key\n"); + printf("* -aes/xor: Use Parameter Encryption\n"); +} + +int TPM2_TLS_Client(void* userCtx) +{ + return TPM2_TLS_ClientArgs(userCtx, 0, NULL); +} + +int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[]) { int rc; WOLFTPM2_DEV dev; @@ -108,18 +121,46 @@ int TPM2_TLS_Client(void* userCtx, int argc, char *argv[]) int i; #endif int useECC = 0; + TPM_ALG_ID paramEncAlg = TPM_ALG_NULL; + WOLFTPM2_SESSION tpmSession; /* initialize variables */ + XMEMSET(&storageKey, 0, sizeof(storageKey)); XMEMSET(&sockIoCtx, 0, sizeof(sockIoCtx)); sockIoCtx.fd = -1; + XMEMSET(&tpmCtx, 0, sizeof(tpmCtx)); +#ifndef NO_RSA + XMEMSET(&wolfRsaKey, 0, sizeof(wolfRsaKey)); +#endif +#ifdef HAVE_ECC + XMEMSET(&wolfEccKey, 0, sizeof(wolfEccKey)); +#endif + XMEMSET(&tpmSession, 0, sizeof(tpmSession)); - printf("TPM2 TLS Client Example\n"); - - if (argc > 1) { - if (XSTRNCMP(argv[1], "ECC", 3) == 0) { - useECC = 1; + if (argc >= 2) { + if (XSTRNCMP(argv[1], "-?", 2) == 0 || + XSTRNCMP(argv[1], "-h", 2) == 0 || + XSTRNCMP(argv[1], "--help", 6) == 0) { + usage(); + return 0; } } + while (argc > 1) { + if (XSTRNCMP(argv[argc-1], "-ecc", 4) == 0) { + useECC = 1; + } + if (XSTRNCMP(argv[argc-1], "-aes", 4) == 0) { + paramEncAlg = TPM_ALG_CFB; + } + if (XSTRNCMP(argv[argc-1], "-xor", 4) == 0) { + paramEncAlg = TPM_ALG_XOR; + } + argc--; + } + + printf("TPM2 TLS Client Example\n"); + printf("\tUse %s keys\n", useECC ? "ECC" : "RSA"); + printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg)); /* Init the TPM2 device */ rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx); @@ -129,13 +170,10 @@ int TPM2_TLS_Client(void* userCtx, int argc, char *argv[]) } /* Setup the wolf crypto device callback */ - XMEMSET(&tpmCtx, 0, sizeof(tpmCtx)); #ifndef NO_RSA - XMEMSET(&wolfRsaKey, 0, sizeof(wolfRsaKey)); tpmCtx.rsaKey = &rsaKey; #endif #ifdef HAVE_ECC - XMEMSET(&wolfEccKey, 0, sizeof(wolfEccKey)); tpmCtx.eccKey = &eccKey; #endif tpmCtx.checkKeyCb = myTpmCheckKey; /* detects if using "dummy" key */ @@ -149,6 +187,20 @@ int TPM2_TLS_Client(void* userCtx, int argc, char *argv[]) rc = getPrimaryStoragekey(&dev, &storageKey, TPM_ALG_RSA); if (rc != 0) goto exit; + /* Start an authenticated session (salted / unbound) with parameter encryption */ + if (paramEncAlg != TPM_ALG_NULL) { + rc = wolfTPM2_StartSession(&dev, &tpmSession, &storageKey, NULL, + TPM_SE_HMAC, paramEncAlg); + if (rc != 0) goto exit; + printf("TPM2_StartAuthSession: sessionHandle 0x%x\n", + (word32)tpmSession.handle.hndl); + + /* set session for authorization of the storage key */ + rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession, + (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | TPMA_SESSION_continueSession)); + if (rc != 0) goto exit; + } + #ifndef NO_RSA if (!useECC) { /* Create/Load RSA key for TLS authentication */ @@ -497,7 +549,7 @@ int main(int argc, char* argv[]) #if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) && \ !defined(NO_WOLFSSL_CLIENT) && \ (defined(WOLF_CRYPTO_DEV) || defined(WOLF_CRYPTO_CB)) - rc = TPM2_TLS_Client(NULL, argc, argv); + rc = TPM2_TLS_ClientArgs(NULL, argc, argv); #else (void)argc; (void)argv; diff --git a/examples/tls/tls_client.h b/examples/tls/tls_client.h index 230c8e9..fa5b59e 100644 --- a/examples/tls/tls_client.h +++ b/examples/tls/tls_client.h @@ -26,8 +26,10 @@ extern "C" { #endif -int TPM2_TLS_Client(void* userCtx, int argc, char *argv[]); -int TLS_Client(int argc, char *argv[]); +int TPM2_TLS_Client(void* userCtx); +int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[]); +int TLS_Client(void); +int TLS_ClientArgs(int argc, char *argv[]); #ifdef __cplusplus } /* extern "C" */ diff --git a/examples/tls/tls_client_notpm.c b/examples/tls/tls_client_notpm.c index 12275a0..75ef58c 100644 --- a/examples/tls/tls_client_notpm.c +++ b/examples/tls/tls_client_notpm.c @@ -62,7 +62,11 @@ /******************************************************************************/ /* --- BEGIN TLS Client Example -- */ /******************************************************************************/ -int TLS_Client(int argc, char *argv[]) +int TLS_Client(void) +{ + return TLS_ClientArgs(0, NULL); +} +int TLS_ClientArgs(int argc, char *argv[]) { int rc = 0; SockIoCbCtx sockIoCtx; @@ -302,7 +306,7 @@ int main(int argc, char *argv[]) #if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) && \ !defined(NO_WOLFSSL_CLIENT) - rc = TLS_Client(argc, argv); + rc = TLS_ClientArgs(argc, argv); #else printf("WolfSSL Client code not compiled in\n"); (void)argc; diff --git a/examples/tls/tls_common.h b/examples/tls/tls_common.h index 8ca481e..682d374 100644 --- a/examples/tls/tls_common.h +++ b/examples/tls/tls_common.h @@ -60,7 +60,7 @@ /* force use of a TLS cipher suite */ #if 0 #ifndef TLS_CIPHER_SUITE - #define TLS_CIPHER_SUITE "ECDHE-RSA-AES128-SHA256" + #define TLS_CIPHER_SUITE "ECDHE-rsa-AES128-SHA256" #endif #endif diff --git a/examples/tls/tls_server.c b/examples/tls/tls_server.c index c9fcbb7..8f50c70 100644 --- a/examples/tls/tls_server.c +++ b/examples/tls/tls_server.c @@ -74,7 +74,19 @@ /******************************************************************************/ /* --- BEGIN TLS SERVER Example -- */ /******************************************************************************/ -int TPM2_TLS_Server(void* userCtx, int argc, char *argv[]) +static void usage(void) +{ + printf("Expected usage:\n"); + printf("./examples/tls/tls_server [-ecc] [-aes/xor]\n"); + printf("* -ecc: Use RSA or ECC key\n"); + printf("* -aes/xor: Use Parameter Encryption\n"); +} + +int TPM2_TLS_Server(void* userCtx) +{ + return TPM2_TLS_ServerArgs(userCtx, 0, NULL); +} +int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[]) { int rc; WOLFTPM2_DEV dev; @@ -116,18 +128,46 @@ int TPM2_TLS_Server(void* userCtx, int argc, char *argv[]) int total_size; #endif int useECC = 0; + TPM_ALG_ID paramEncAlg = TPM_ALG_NULL; + WOLFTPM2_SESSION tpmSession; /* initialize variables */ + XMEMSET(&storageKey, 0, sizeof(storageKey)); XMEMSET(&sockIoCtx, 0, sizeof(sockIoCtx)); sockIoCtx.fd = -1; + XMEMSET(&tpmCtx, 0, sizeof(tpmCtx)); +#ifndef NO_RSA + XMEMSET(&wolfRsaKey, 0, sizeof(wolfRsaKey)); +#endif +#ifdef HAVE_ECC + XMEMSET(&wolfEccKey, 0, sizeof(wolfEccKey)); +#endif + XMEMSET(&tpmSession, 0, sizeof(tpmSession)); - printf("TPM2 TLS Server Example\n"); - - if (argc > 1) { - if (XSTRNCMP(argv[1], "ECC", 3) == 0) { - useECC = 1; + if (argc >= 2) { + if (XSTRNCMP(argv[1], "-?", 2) == 0 || + XSTRNCMP(argv[1], "-h", 2) == 0 || + XSTRNCMP(argv[1], "--help", 6) == 0) { + usage(); + return 0; } } + while (argc > 1) { + if (XSTRNCMP(argv[argc-1], "-ecc", 4) == 0) { + useECC = 1; + } + if (XSTRNCMP(argv[argc-1], "-aes", 4) == 0) { + paramEncAlg = TPM_ALG_CFB; + } + if (XSTRNCMP(argv[argc-1], "-xor", 4) == 0) { + paramEncAlg = TPM_ALG_XOR; + } + argc--; + } + + printf("TPM2 TLS Server Example\n"); + printf("\tUse %s keys\n", useECC ? "ECC" : "RSA"); + printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg)); /* Init the TPM2 device */ rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx); @@ -137,13 +177,10 @@ int TPM2_TLS_Server(void* userCtx, int argc, char *argv[]) } /* Setup the wolf crypto device callback */ - XMEMSET(&tpmCtx, 0, sizeof(tpmCtx)); #ifndef NO_RSA - XMEMSET(&wolfRsaKey, 0, sizeof(wolfRsaKey)); tpmCtx.rsaKey = &rsaKey; #endif #ifdef HAVE_ECC - XMEMSET(&wolfEccKey, 0, sizeof(wolfEccKey)); tpmCtx.eccKey = &eccKey; #endif tpmCtx.checkKeyCb = myTpmCheckKey; /* detects if using "dummy" key */ @@ -158,6 +195,20 @@ int TPM2_TLS_Server(void* userCtx, int argc, char *argv[]) rc = getPrimaryStoragekey(&dev, &storageKey, TPM_ALG_RSA); if (rc != 0) goto exit; + /* Start an authenticated session (salted / unbound) with parameter encryption */ + if (paramEncAlg != TPM_ALG_NULL) { + rc = wolfTPM2_StartSession(&dev, &tpmSession, &storageKey, NULL, + TPM_SE_HMAC, paramEncAlg); + if (rc != 0) goto exit; + printf("TPM2_StartAuthSession: sessionHandle 0x%x\n", + (word32)tpmSession.handle.hndl); + + /* set session for authorization of the storage key */ + rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession, + (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | TPMA_SESSION_continueSession)); + if (rc != 0) goto exit; + } + #ifndef NO_RSA if (!useECC) { /* Create/Load RSA key for TLS authentication */ @@ -323,7 +374,7 @@ int TPM2_TLS_Server(void* userCtx, int argc, char *argv[]) #if 0 /* Optionally choose the cipher suite */ - rc = wolfSSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-AES128-GCM-SHA256"); + rc = wolfSSL_CTX_set_cipher_list(ctx, "ECDHE-rsa-AES128-GCM-SHA256"); if (rc != WOLFSSL_SUCCESS) { goto exit; } @@ -466,7 +517,7 @@ int main(int argc, char* argv[]) #if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) && \ !defined(NO_WOLFSSL_SERVER) && \ (defined(WOLF_CRYPTO_DEV) || defined(WOLF_CRYPTO_CB)) - rc = TPM2_TLS_Server(NULL, argc, argv); + rc = TPM2_TLS_ServerArgs(NULL, argc, argv); #else (void)argc; (void)argv; diff --git a/examples/tls/tls_server.h b/examples/tls/tls_server.h index 0626386..d7fa45c 100644 --- a/examples/tls/tls_server.h +++ b/examples/tls/tls_server.h @@ -26,7 +26,8 @@ extern "C" { #endif -int TPM2_TLS_Server(void* userCtx, int argc, char* argv[]); +int TPM2_TLS_Server(void* userCtx); +int TPM2_TLS_ServerArgs(void* userCtx, int argc, char* argv[]); #ifdef __cplusplus } /* extern "C" */ diff --git a/examples/tpm_test_keys.c b/examples/tpm_test_keys.c index 51732b8..5f39562 100644 --- a/examples/tpm_test_keys.c +++ b/examples/tpm_test_keys.c @@ -104,8 +104,8 @@ static int readKeyBlob(const char* filename, WOLFTPM2_KEYBLOB* key) rc = BUFFER_E; printf("File %s not found!\n", filename); printf("Keys can be generated by running:\n" - " ./examples/keygen/keygen rsa_test_blob.raw -RSA -T\n" - " ./examples/keygen/keygen ecc_test_blob.raw -ECC -T\n"); + " ./examples/keygen/keygen rsa_test_blob.raw -rsa -t\n" + " ./examples/keygen/keygen ecc_test_blob.raw -ecc -t\n"); } exit: diff --git a/examples/wrap/wrap_test.c b/examples/wrap/wrap_test.c index 3d9e792..0916928 100644 --- a/examples/wrap/wrap_test.c +++ b/examples/wrap/wrap_test.c @@ -49,7 +49,19 @@ void TPM2_Wrapper_SetReset(int reset) resetTPM = reset; } -int TPM2_Wrapper_Test(void* userCtx, int argc, char *argv[]) +static void usage(void) +{ + printf("Expected Usage:\n"); + printf("./examples/wrap/wrap_test [-aes/xor]\n"); + printf("* -aes/xor: Use Parameter Encryption\n"); + +} + +int TPM2_Wrapper_Test(void* userCtx) +{ + return TPM2_Wrapper_TestArgs(userCtx, 0, NULL); +} +int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[]) { int rc, i; WOLFTPM2_DEV dev; @@ -105,6 +117,8 @@ int TPM2_Wrapper_Test(void* userCtx, int argc, char *argv[]) ecc_key wolfEccPubKey; ecc_key wolfEccPrivKey; #endif + TPM_ALG_ID paramEncAlg = TPM_ALG_NULL; + WOLFTPM2_SESSION tpmSession; #ifndef NO_RSA XMEMSET(&wolfRsaPubKey, 0, sizeof(wolfRsaPubKey)); @@ -114,13 +128,30 @@ int TPM2_Wrapper_Test(void* userCtx, int argc, char *argv[]) XMEMSET(&wolfEccPubKey, 0, sizeof(wolfEccPubKey)); XMEMSET(&wolfEccPrivKey, 0, sizeof(wolfEccPrivKey)); #endif + XMEMSET(&tpmSession, 0, sizeof(tpmSession)); #endif /* !WOLFTPM2_NO_WOLFCRYPT */ - (void)argc; - (void)argv; + if (argc >= 2) { + if (XSTRNCMP(argv[1], "-?", 2) == 0 || + XSTRNCMP(argv[1], "-h", 2) == 0 || + XSTRNCMP(argv[1], "--help", 6) == 0) { + usage(); + return 0; + } + } + while (argc > 1) { + if (XSTRNCMP(argv[argc-1], "-aes", 4) == 0) { + paramEncAlg = TPM_ALG_CFB; + } + if (XSTRNCMP(argv[argc-1], "-xor", 4) == 0) { + paramEncAlg = TPM_ALG_XOR; + } + argc--; + } printf("TPM2 Demo for Wrapper API's\n"); + /* Init the TPM2 device */ rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx); if (rc != 0) return rc; @@ -205,6 +236,19 @@ int TPM2_Wrapper_Test(void* userCtx, int argc, char *argv[]) storageKey.handle.auth.size); } + /* Start an authenticated session (salted / unbound) with parameter encryption */ + if (paramEncAlg != TPM_ALG_NULL) { + rc = wolfTPM2_StartSession(&dev, &tpmSession, &storageKey, NULL, + TPM_SE_HMAC, paramEncAlg); + if (rc != 0) goto exit; + printf("TPM2_StartAuthSession: sessionHandle 0x%x\n", + (word32)tpmSession.handle.hndl); + + /* set session for authorization of the storage key */ + rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession, + (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | TPMA_SESSION_continueSession)); + if (rc != 0) goto exit; + } /* Create RSA key for sign/verify */ rc = wolfTPM2_GetKeyTemplate_RSA(&publicTemplate, @@ -367,6 +411,9 @@ int TPM2_Wrapper_Test(void* userCtx, int argc, char *argv[]) rc = wolfTPM2_UnloadHandle(&dev, &rsaKey.handle); if (rc != 0) goto exit; + /* Close TPM session based on RSA storage key */ + wolfTPM2_UnloadHandle(&dev, &tpmSession.handle); + /*------------------------------------------------------------------------*/ /* ECC TESTS */ @@ -413,6 +460,19 @@ int TPM2_Wrapper_Test(void* userCtx, int argc, char *argv[]) storageKey.handle.auth.size); } + /* Start an authenticated session (salted / unbound) with parameter encryption */ + if (paramEncAlg != TPM_ALG_NULL) { + rc = wolfTPM2_StartSession(&dev, &tpmSession, &storageKey, NULL, + TPM_SE_HMAC, paramEncAlg); + if (rc != 0) goto exit; + printf("TPM2_StartAuthSession: sessionHandle 0x%x\n", + (word32)tpmSession.handle.hndl); + + /* set session for authorization of the storage key */ + rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession, + (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | TPMA_SESSION_continueSession)); + if (rc != 0) goto exit; + } /* Create an ECC key for ECDSA */ rc = wolfTPM2_GetKeyTemplate_ECC(&publicTemplate, @@ -568,6 +628,9 @@ int TPM2_Wrapper_Test(void* userCtx, int argc, char *argv[]) rc = wolfTPM2_UnloadHandle(&dev, &eccKey.handle); if (rc != 0) goto exit; + /* Close TPM session based on ECC storage key */ + wolfTPM2_UnloadHandle(&dev, &tpmSession.handle); + /*------------------------------------------------------------------------*/ /* NV TESTS */ @@ -866,7 +929,7 @@ int main(int argc, char *argv[]) (void)argv; #ifndef WOLFTPM2_NO_WRAPPER - rc = TPM2_Wrapper_Test(NULL, argc, argv); + rc = TPM2_Wrapper_TestArgs(NULL, argc, argv); #else printf("Wrapper code not compiled in\n"); #endif diff --git a/examples/wrap/wrap_test.h b/examples/wrap/wrap_test.h index 6c18490..2e15f1d 100644 --- a/examples/wrap/wrap_test.h +++ b/examples/wrap/wrap_test.h @@ -27,7 +27,8 @@ #endif void TPM2_Wrapper_SetReset(int reset); -int TPM2_Wrapper_Test(void* userCtx, int argc, char *argv[]); +int TPM2_Wrapper_Test(void* userCtx); +int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[]); #ifdef __cplusplus } /* extern "C" */ diff --git a/scripts/tls_setup.sh b/scripts/tls_setup.sh index 1b26eac..6dc05f3 100755 --- a/scripts/tls_setup.sh +++ b/scripts/tls_setup.sh @@ -3,8 +3,8 @@ # Generate keyblobs and certs needed for TLS examples # -./examples/keygen/keygen rsa_test_blob.raw -RSA -T -./examples/keygen/keygen ecc_test_blob.raw -ECC -T +./examples/keygen/keygen rsa_test_blob.raw -rsa -t +./examples/keygen/keygen ecc_test_blob.raw -ecc -t ./examples/csr/csr ./certs/certreq.sh diff --git a/src/tpm2.c b/src/tpm2.c index 9939b53..2c9d403 100644 --- a/src/tpm2.c +++ b/src/tpm2.c @@ -88,191 +88,20 @@ static void TPM2_ReleaseLock(TPM2_CTX* ctx) /* Send Command Wrapper */ typedef enum CmdFlags { CMD_FLAG_NONE = 0x00, - CMD_FLAG_ENC2 = 0x01, /* size of first command parameter */ - CMD_FLAG_ENC4 = 0x02, - CMD_FLAG_DEC2 = 0x04, /* size of first response parameter */ - CMD_FLAG_DEC4 = 0x08, + CMD_FLAG_ENC2 = 0x01, /* 16-bit size of first command parameter */ + CMD_FLAG_ENC4 = 0x02, /* 32-bit size (not used) */ + CMD_FLAG_DEC2 = 0x04, /* 16-bit size of first response parameter */ + CMD_FLAG_DEC4 = 0x08, /* 32-bit size (not used) */ } CmdFlags_t; +/* Command Details */ typedef struct { - int authCnt; - int inHandleCnt; - int outHandleCnt; - int flags; + int authCnt; /* number of authentication handles - determined at run-time */ + int inHandleCnt; /* number of input handles - fixed */ + int outHandleCnt; /* number of output handles - fixed */ + int flags; /* If command allows param enc or dec - fixed */ } CmdInfo_t; -#ifndef WOLFTPM2_NO_WOLFCRYPT -/* Get name for object/handle */ -static int TPM2_GetName(TPM2_CTX* ctx, int handleCnt, int idx, TPM2B_NAME* name) -{ - TPM2_AUTH_SESSION* session; - - XMEMSET(name, 0, sizeof(TPM2B_NAME)); - - if (idx >= handleCnt) - return TPM_RC_SUCCESS; - - session = &ctx->session[idx]; - if (session->name.size > 0) { - name->size = session->name.size; - XMEMCPY(name->name, session->name.name, name->size); - } - return TPM_RC_SUCCESS; -} - -/* Compute the command parameter hash */ -/* TCG TPM 2.0 Part 1 - 18.7 Command Parameter Hash cpHash */ -static int TPM2_CalcCpHash(TPM2_CTX* ctx, CmdInfo_t* info, - TPMI_ALG_HASH authHash, TPM_CC cmdCode, BYTE* param, UINT32 paramSz, - TPM2B_DIGEST* hash) -{ - int rc; - wc_HashAlg hash_ctx; - enum wc_HashType hashType; - TPM2B_NAME name1, name2, name3; - - rc = TPM2_GetName(ctx, info->inHandleCnt, 0, &name1); - rc |= TPM2_GetName(ctx, info->inHandleCnt, 1, &name2); - rc |= TPM2_GetName(ctx, info->inHandleCnt, 2, &name3); - if (rc != TPM_RC_SUCCESS) - return BAD_FUNC_ARG; - - rc = TPM2_GetHashType(authHash); - hashType = (enum wc_HashType)rc; - rc = wc_HashGetDigestSize(hashType); - if (rc < 0) - return rc; - hash->size = rc; - - /* Hash of data (name) goes into remainder */ - rc = wc_HashInit(&hash_ctx, hashType); - if (rc == 0) { - /* Hash Command Code */ - UINT32 ccSwap = TPM2_Packet_SwapU32(cmdCode); - rc = wc_HashUpdate(&hash_ctx, hashType, (byte*)&ccSwap, sizeof(ccSwap)); - - /* For Command's only hash each session name */ - if (rc == 0 && name1.size > 0) - rc = wc_HashUpdate(&hash_ctx, hashType, name1.name, name1.size); - if (rc == 0 && name2.size > 0) - rc = wc_HashUpdate(&hash_ctx, hashType, name2.name, name2.size); - if (rc == 0 && name3.size > 0) - rc = wc_HashUpdate(&hash_ctx, hashType, name3.name, name3.size); - - /* Hash Remainder of parameters - after handles and auth */ - if (rc == 0) - rc = wc_HashUpdate(&hash_ctx, hashType, param, paramSz); - - if (rc == 0) - rc = wc_HashFinal(&hash_ctx, hashType, hash->buffer); - - wc_HashFree(&hash_ctx, hashType); - } - (void)ctx; - - return rc; -} - -/* Compute the response parameter hash */ -/* TCG TPM 2.0 Part 1 - 18.8 Response Parameter Hash rpHash */ -static int TPM2_CalcRpHash(TPM2_CTX* ctx, TPMI_ALG_HASH authHash, - TPM_CC cmdCode, BYTE* param, UINT32 paramSz, TPM2B_DIGEST* hash) -{ - int rc; - wc_HashAlg hash_ctx; - enum wc_HashType hashType; - - rc = TPM2_GetHashType(authHash); - hashType = (enum wc_HashType)rc; - rc = wc_HashGetDigestSize(hashType); - if (rc < 0) - return rc; - hash->size = rc; - - /* Hash of data (name) goes into remainder */ - rc = wc_HashInit(&hash_ctx, hashType); - if (rc == 0) { - UINT32 ccSwap; - - /* Hash Response Code - HMAC only calculated with success - always 0 */ - ccSwap = 0; - rc = wc_HashUpdate(&hash_ctx, hashType, (byte*)&ccSwap, sizeof(ccSwap)); - - /* Hash Command Code */ - if (rc == 0) { - ccSwap = TPM2_Packet_SwapU32(cmdCode); - rc = wc_HashUpdate(&hash_ctx, hashType, (byte*)&ccSwap, sizeof(ccSwap)); - } - - /* Hash Remainder of parameters - after handles */ - if (rc == 0) - rc = wc_HashUpdate(&hash_ctx, hashType, param, paramSz); - - if (rc == 0) - rc = wc_HashFinal(&hash_ctx, hashType, hash->buffer); - - wc_HashFree(&hash_ctx, hashType); - } - (void)ctx; - - return rc; -} - -/* Compute the HMAC using cpHash, nonces and session attributes */ -/* TCG TPM 2.0 Part 1 - 19.6.5 - HMAC Computation */ -static int TPM2_CalcHmac(TPM2_CTX* ctx, TPMI_ALG_HASH authHash, TPM2B_AUTH* auth, - const TPM2B_DIGEST* hash, const TPM2B_NONCE* nonceNew, - const TPM2B_NONCE* nonceOld, TPMA_SESSION sessionAttributes, - TPM2B_AUTH* hmac) -{ - int rc; - Hmac hmac_ctx; - enum wc_HashType hashType; - - /* use authHash for hmac hash algorithm */ - rc = TPM2_GetHashType(authHash); - hashType = (enum wc_HashType)rc; - hmac->size = TPM2_GetHashDigestSize(authHash); - if (hmac->size <= 0) - return BAD_FUNC_ARG; - - /* setup HMAC */ - rc = wc_HmacInit(&hmac_ctx, NULL, INVALID_DEVID); - if (rc != 0) - return rc; - /* start HMAC - sessionKey || authValue */ - rc = wc_HmacSetKey(&hmac_ctx, hashType, auth->buffer, auth->size); - - /* pHash - hash of command code and parameters */ - if (rc == 0) - rc = wc_HmacUpdate(&hmac_ctx, hash->buffer, hash->size); - - /* nonce new (on cmd caller, on resp tpm) */ - if (rc == 0) - rc = wc_HmacUpdate(&hmac_ctx, nonceNew->buffer, nonceNew->size); - - /* nonce old (on cmd TPM, on resp caller) */ - if (rc == 0) - rc = wc_HmacUpdate(&hmac_ctx, nonceOld->buffer, nonceOld->size); - - /* TODO: nonceTPMDecrypt */ - /* TODO: nonceTPMEncrypt */ - - /* sessionAttributes */ - if (rc == 0) - rc = wc_HmacUpdate(&hmac_ctx, &sessionAttributes, 1); - - /* finalize return into hmac buffer */ - if (rc == 0) - rc = wc_HmacFinal(&hmac_ctx, hmac->buffer); - wc_HmacFree(&hmac_ctx); - - (void)ctx; - - return rc; -} -#endif /* !WOLFTPM2_NO_WOLFCRYPT */ - static int TPM2_CommandProcess(TPM2_CTX* ctx, TPM2_Packet* packet, CmdInfo_t* info, TPM_CC cmdCode, UINT32 cmdSz) { @@ -330,9 +159,19 @@ static int TPM2_CommandProcess(TPM2_CTX* ctx, TPM2_Packet* packet, if (session->sessionHandle != TPM_RS_PW) { #ifndef WOLFTPM2_NO_WOLFCRYPT + TPM2B_NAME name1, name2, name3; TPM2B_DIGEST hash; #endif + /* if param enc is not supported for this command then clear flag */ + /* session attribute flags are from TPM perspective */ + if ((info->flags & (CMD_FLAG_ENC2 | CMD_FLAG_ENC4)) == 0) { + authCmd.sessionAttributes &= ~TPMA_SESSION_decrypt; + } + if ((info->flags & (CMD_FLAG_DEC2 | CMD_FLAG_DEC4)) == 0) { + authCmd.sessionAttributes &= ~TPMA_SESSION_encrypt; + } + /* Handle session request for encryption */ if (encParam && session->sessionAttributes & TPMA_SESSION_decrypt) { /* Encrypt the first command parameter */ @@ -346,9 +185,19 @@ static int TPM2_CommandProcess(TPM2_CTX* ctx, TPM2_Packet* packet, } #ifndef WOLFTPM2_NO_WOLFCRYPT + rc = TPM2_GetName(ctx, info->inHandleCnt, 0, &name1); + rc |= TPM2_GetName(ctx, info->inHandleCnt, 1, &name2); + rc |= TPM2_GetName(ctx, info->inHandleCnt, 2, &name3); + if (rc != TPM_RC_SUCCESS) { + #ifdef DEBUG_WOLFTPM + printf("Error getting names for cpHash!\n"); + #endif + return BAD_FUNC_ARG; + } + /* calculate "cpHash" hash for command code, names and parameters */ - rc = TPM2_CalcCpHash(ctx, info, session->authHash, cmdCode, - param, paramSz, &hash); + rc = TPM2_CalcCpHash(session->authHash, cmdCode, &name1, + &name2, &name3, param, paramSz, &hash); if (rc != TPM_RC_SUCCESS) { #ifdef DEBUG_WOLFTPM printf("Error calculating cpHash!\n"); @@ -357,7 +206,7 @@ static int TPM2_CommandProcess(TPM2_CTX* ctx, TPM2_Packet* packet, } /* Calculate HMAC for policy, hmac or salted sessions */ /* this is done after encryption */ - rc = TPM2_CalcHmac(ctx, session->authHash, &session->auth, &hash, + rc = TPM2_CalcHmac(session->authHash, &session->auth, &hash, &session->nonceCaller, &session->nonceTPM, session->sessionAttributes, &authCmd.hmac); if (rc != TPM_RC_SUCCESS) { @@ -439,8 +288,8 @@ static int TPM2_ResponseProcess(TPM2_CTX* ctx, TPM2_Packet* packet, TPM2B_AUTH hmac; /* calculate "rpHash" hash for command code and parameters */ - rc = TPM2_CalcRpHash(ctx, session->authHash, cmdCode, - param, paramSz, &hash); + rc = TPM2_CalcRpHash(session->authHash, cmdCode, param, paramSz, + &hash); if (rc != TPM_RC_SUCCESS) { #ifdef DEBUG_WOLFTPM printf("Error calculating rpHash!\n"); @@ -449,7 +298,7 @@ static int TPM2_ResponseProcess(TPM2_CTX* ctx, TPM2_Packet* packet, } /* Calculate HMAC prior to decryption */ - rc = TPM2_CalcHmac(ctx, session->authHash, &session->auth, &hash, + rc = TPM2_CalcHmac(session->authHash, &session->auth, &hash, &session->nonceTPM, &session->nonceCaller, session->sessionAttributes, &hmac); if (rc != TPM_RC_SUCCESS) { @@ -570,8 +419,11 @@ static TPM_RC TPM2_SendCommand(TPM2_CTX* ctx, TPM2_Packet* packet) static TPM_ST TPM2_GetTag(TPM2_CTX* ctx) { TPM_ST st = TPM_ST_NO_SESSIONS; - if (ctx && ctx->session && TPM2_GetSessionAuthCount(ctx) > 0) { - st = TPM_ST_SESSIONS; + if (ctx && ctx->session) { + int authCount = TPM2_GetSessionAuthCount(ctx); + if (authCount == 1 && ctx->session[0].sessionHandle != TPM_RS_PW) { + st = TPM_ST_SESSIONS; + } } return st; } @@ -594,6 +446,61 @@ static inline void TPM2_WolfCrypt_Init(void) /******************************************************************************/ /* --- Public Functions -- */ /******************************************************************************/ +TPM2_CTX* TPM2_GetActiveCtx(void) +{ + return gActiveTPM; +} + +void TPM2_SetActiveCtx(TPM2_CTX* ctx) +{ + gActiveTPM = ctx; +} + +TPM_RC TPM2_SetSessionAuth(TPM2_AUTH_SESSION* session) +{ + TPM_RC rc; + TPM2_CTX* ctx = TPM2_GetActiveCtx(); + + if (ctx == NULL) + return BAD_FUNC_ARG; + + rc = TPM2_AcquireLock(ctx); + if (rc == TPM_RC_SUCCESS) { + ctx->session = session; + + TPM2_ReleaseLock(ctx); + } + return rc; +} + +/* Finds the number of active Auth Session in the given TPM2 context */ +int TPM2_GetSessionAuthCount(TPM2_CTX* ctx) +{ + int sessionCount, sessionHandle; + + if (ctx == NULL || ctx->session == NULL) + return BAD_FUNC_ARG; + + for (sessionCount = 0; sessionCount < MAX_SESSION_NUM; sessionCount++) { + sessionHandle = ctx->session[sessionCount].sessionHandle; + /* According to the TCG Spec, Part 1, Chapter 15.4 + * Session Handles have most significant octet at + * 0x02 for HMAC sessions + * 0x03 for Policy sessions + * Password sessions use predefined value of TPM_RS_PW + * Trial sessions are not of interest + */ + if (sessionHandle != TPM_RS_PW) { + /* Not a password session, mask the most significant octet(MSO) */ + sessionHandle &= 0xFF000000; + /* Check MSO for an HMAC or Policy session, otherwise invalid */ + if ((sessionHandle ^ 0x02000000) && (sessionHandle ^ 0x03000000)) + break; + } + } + + return sessionCount; +} TPM_RC TPM2_ChipStartup(TPM2_CTX* ctx, int timeoutTries) { @@ -5316,62 +5223,6 @@ int TPM2_GetHashType(TPMI_ALG_HASH hashAlg) return 0; } -TPM2_CTX* TPM2_GetActiveCtx(void) -{ - return gActiveTPM; -} - -void TPM2_SetActiveCtx(TPM2_CTX* ctx) -{ - gActiveTPM = ctx; -} - -TPM_RC TPM2_SetSessionAuth(TPM2_AUTH_SESSION* session) -{ - TPM_RC rc; - TPM2_CTX* ctx = TPM2_GetActiveCtx(); - - if (ctx == NULL) - return BAD_FUNC_ARG; - - rc = TPM2_AcquireLock(ctx); - if (rc == TPM_RC_SUCCESS) { - ctx->session = session; - - TPM2_ReleaseLock(ctx); - } - return rc; -} - -/* Finds the number of active Auth Session in the given TPM2 context */ -int TPM2_GetSessionAuthCount(TPM2_CTX* ctx) -{ - int sessionCount, sessionHandle; - - if (ctx == NULL || ctx->session == NULL) - return BAD_FUNC_ARG; - - for (sessionCount = 0; sessionCount < MAX_SESSION_NUM; sessionCount++) { - sessionHandle = ctx->session[sessionCount].sessionHandle; - /* According to the TCG Spec, Part 1, Chapter 15.4 - * Session Handles have most significant octet at - * 0x02 for HMAC sessions - * 0x03 for Policy sessions - * Password sessions use predefined value of TPM_RS_PW - * Trial sessions are not of interest - */ - if (sessionHandle != TPM_RS_PW) { - /* Not a password session, mask the most significant octet(MSO) */ - sessionHandle &= 0xFF000000; - /* Check MSO for an HMAC or Policy session, otherwise invalid */ - if ((sessionHandle ^ 0x02000000) && (sessionHandle ^ 0x03000000)) - break; - } - } - - return sessionCount; -} - /* Can optionally define WOLFTPM2_USE_HW_RNG to force using TPM hardware for RNG source */ int TPM2_GetNonce(byte* nonceBuf, int nonceSz) { @@ -5414,6 +5265,24 @@ int TPM2_GetNonce(byte* nonceBuf, int nonceSz) return rc; } +/* Get name for object/handle */ +int TPM2_GetName(TPM2_CTX* ctx, int handleCnt, int idx, TPM2B_NAME* name) +{ + TPM2_AUTH_SESSION* session; + + XMEMSET(name, 0, sizeof(TPM2B_NAME)); + + if (idx >= handleCnt) + return TPM_RC_SUCCESS; + + session = &ctx->session[idx]; + if (session->name.size > 0) { + name->size = session->name.size; + XMEMCPY(name->name, session->name.name, name->size); + } + return TPM_RC_SUCCESS; +} + void TPM2_SetupPCRSel(TPML_PCR_SELECTION* pcr, TPM_ALG_ID alg, int pcrIndex) { if (pcr) { diff --git a/src/tpm2_param_enc.c b/src/tpm2_param_enc.c index e0d5c76..8fb6a69 100644 --- a/src/tpm2_param_enc.c +++ b/src/tpm2_param_enc.c @@ -338,6 +338,150 @@ static int TPM2_ParamDec_AESCFB(TPM2_AUTH_SESSION *session, TPM2B_AUTH* keyIn, /* --- Public Functions -- */ /******************************************************************************/ +#ifndef WOLFTPM2_NO_WOLFCRYPT +/* Compute the command parameter hash */ +/* TCG TPM 2.0 Part 1 - 18.7 Command Parameter Hash cpHash */ +int TPM2_CalcCpHash(TPMI_ALG_HASH authHash, TPM_CC cmdCode, + TPM2B_NAME* name1, TPM2B_NAME* name2, TPM2B_NAME* name3, + BYTE* param, UINT32 paramSz, TPM2B_DIGEST* hash) +{ + int rc; + wc_HashAlg hash_ctx; + enum wc_HashType hashType; + + rc = TPM2_GetHashType(authHash); + hashType = (enum wc_HashType)rc; + rc = wc_HashGetDigestSize(hashType); + if (rc < 0) + return rc; + hash->size = rc; + + /* Hash of data (name) goes into remainder */ + rc = wc_HashInit(&hash_ctx, hashType); + if (rc == 0) { + /* Hash Command Code */ + UINT32 ccSwap = TPM2_Packet_SwapU32(cmdCode); + rc = wc_HashUpdate(&hash_ctx, hashType, (byte*)&ccSwap, sizeof(ccSwap)); + + /* For Command's only hash each session name */ + if (rc == 0 && name1 && name1->size > 0) + rc = wc_HashUpdate(&hash_ctx, hashType, name1->name, name1->size); + if (rc == 0 && name2 && name2->size > 0) + rc = wc_HashUpdate(&hash_ctx, hashType, name2->name, name2->size); + if (rc == 0 && name3 && name3->size > 0) + rc = wc_HashUpdate(&hash_ctx, hashType, name3->name, name3->size); + + /* Hash Remainder of parameters - after handles and auth */ + if (rc == 0) + rc = wc_HashUpdate(&hash_ctx, hashType, param, paramSz); + + if (rc == 0) + rc = wc_HashFinal(&hash_ctx, hashType, hash->buffer); + + wc_HashFree(&hash_ctx, hashType); + } + + return rc; +} + +/* Compute the response parameter hash */ +/* TCG TPM 2.0 Part 1 - 18.8 Response Parameter Hash rpHash */ +int TPM2_CalcRpHash(TPMI_ALG_HASH authHash, + TPM_CC cmdCode, BYTE* param, UINT32 paramSz, TPM2B_DIGEST* hash) +{ + int rc; + wc_HashAlg hash_ctx; + enum wc_HashType hashType; + + rc = TPM2_GetHashType(authHash); + hashType = (enum wc_HashType)rc; + rc = wc_HashGetDigestSize(hashType); + if (rc < 0) + return rc; + hash->size = rc; + + /* Hash of data (name) goes into remainder */ + rc = wc_HashInit(&hash_ctx, hashType); + if (rc == 0) { + UINT32 ccSwap; + + /* Hash Response Code - HMAC only calculated with success - always 0 */ + ccSwap = 0; + rc = wc_HashUpdate(&hash_ctx, hashType, (byte*)&ccSwap, sizeof(ccSwap)); + + /* Hash Command Code */ + if (rc == 0) { + ccSwap = TPM2_Packet_SwapU32(cmdCode); + rc = wc_HashUpdate(&hash_ctx, hashType, (byte*)&ccSwap, sizeof(ccSwap)); + } + + /* Hash Remainder of parameters - after handles */ + if (rc == 0) + rc = wc_HashUpdate(&hash_ctx, hashType, param, paramSz); + + if (rc == 0) + rc = wc_HashFinal(&hash_ctx, hashType, hash->buffer); + + wc_HashFree(&hash_ctx, hashType); + } + + return rc; +} + +/* Compute the HMAC using cpHash, nonces and session attributes */ +/* TCG TPM 2.0 Part 1 - 19.6.5 - HMAC Computation */ +int TPM2_CalcHmac(TPMI_ALG_HASH authHash, TPM2B_AUTH* auth, + const TPM2B_DIGEST* hash, const TPM2B_NONCE* nonceNew, + const TPM2B_NONCE* nonceOld, TPMA_SESSION sessionAttributes, + TPM2B_AUTH* hmac) +{ + int rc; + Hmac hmac_ctx; + enum wc_HashType hashType; + + /* use authHash for hmac hash algorithm */ + rc = TPM2_GetHashType(authHash); + hashType = (enum wc_HashType)rc; + hmac->size = TPM2_GetHashDigestSize(authHash); + if (hmac->size <= 0) + return BAD_FUNC_ARG; + + /* setup HMAC */ + rc = wc_HmacInit(&hmac_ctx, NULL, INVALID_DEVID); + if (rc != 0) + return rc; + /* start HMAC - sessionKey || authValue */ + /* TODO: Handle "authValue" case "a value that is found in the sensitive area of an entity" */ + rc = wc_HmacSetKey(&hmac_ctx, hashType, auth->buffer, auth->size); + + /* pHash - hash of command code and parameters */ + if (rc == 0) + rc = wc_HmacUpdate(&hmac_ctx, hash->buffer, hash->size); + + /* nonce new (on cmd caller, on resp tpm) */ + if (rc == 0) + rc = wc_HmacUpdate(&hmac_ctx, nonceNew->buffer, nonceNew->size); + + /* nonce old (on cmd TPM, on resp caller) */ + if (rc == 0) + rc = wc_HmacUpdate(&hmac_ctx, nonceOld->buffer, nonceOld->size); + + /* TODO: nonceTPMDecrypt */ + /* TODO: nonceTPMEncrypt */ + + /* sessionAttributes */ + if (rc == 0) + rc = wc_HmacUpdate(&hmac_ctx, &sessionAttributes, 1); + + /* finalize return into hmac buffer */ + if (rc == 0) + rc = wc_HmacFinal(&hmac_ctx, hmac->buffer); + wc_HmacFree(&hmac_ctx); + + return rc; +} +#endif /* !WOLFTPM2_NO_WOLFCRYPT */ + TPM_RC TPM2_ParamEnc_CmdRequest(TPM2_AUTH_SESSION *session, BYTE *paramData, UINT32 paramSz) { diff --git a/src/tpm2_wrap.c b/src/tpm2_wrap.c index 46de247..d32fcf6 100644 --- a/src/tpm2_wrap.c +++ b/src/tpm2_wrap.c @@ -21,10 +21,6 @@ #include #include -#ifndef WOLFTPM2_NO_WOLFCRYPT -#include -#include -#endif #ifndef WOLFTPM2_NO_WRAPPER @@ -398,7 +394,7 @@ int wolfTPM2_SetAuth(WOLFTPM2_DEV* dev, int index, TPM2_SetSessionAuth(dev->session); - return 0; + return TPM_RC_SUCCESS; } int wolfTPM2_SetAuthPassword(WOLFTPM2_DEV* dev, int index, @@ -410,31 +406,27 @@ int wolfTPM2_SetAuthPassword(WOLFTPM2_DEV* dev, int index, int wolfTPM2_SetAuthHandle(WOLFTPM2_DEV* dev, int index, const WOLFTPM2_HANDLE* handle) { - return wolfTPM2_SetAuth(dev, index, TPM_RS_PW, &handle->auth, 0, &handle->name); + const TPM2B_AUTH* auth = NULL; + const TPM2B_NAME* name = NULL; + if (handle) { + auth = &handle->auth; + name = &handle->name; + } + return wolfTPM2_SetAuth(dev, index, TPM_RS_PW, auth, 0, name); } int wolfTPM2_SetAuthSession(WOLFTPM2_DEV* dev, int index, const WOLFTPM2_SESSION* tpmSession, TPMA_SESSION sessionAttributes) { int rc; - TPM2B_AUTH* auth = NULL; if (dev == NULL || index >= MAX_SESSION_NUM) { return BAD_FUNC_ARG; } - /* use auth from earlier session */ - if (index > 1) { - auth = &dev->session[index-1].auth; - } - - /* TODO: Make use of auth for an earlier session? */ - /* If the encrypt session is associated with a handle, the authValue of the - handle will be concatenated with sessionKey to generate encryption key */ - (void)auth; rc = wolfTPM2_SetAuth(dev, index, tpmSession->handle.hndl, &tpmSession->handle.auth, sessionAttributes, NULL); - if (rc == 0) { + if (rc == TPM_RC_SUCCESS) { TPM2_AUTH_SESSION* session = &dev->session[index]; /* define the symmetric algorithm */ @@ -497,7 +489,7 @@ int wolfTPM2_Cleanup(WOLFTPM2_DEV* dev) #ifndef WOLFTPM2_NO_WOLFCRYPT #ifndef NO_RSA /* returns both the plaintext and encrypted salt, based on the salt key bPublic. */ -static int wolfTPM2_RSA_Salt(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey, +int wolfTPM2_RSA_Salt(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey, TPM2B_DIGEST *salt, TPM2B_ENCRYPTED_SECRET *encSalt, TPMT_PUBLIC *publicArea) { int rc; @@ -563,7 +555,7 @@ static int wolfTPM2_RSA_Salt(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey, } #endif /* !NO_RSA */ -static int wolfTPM2_EncryptSalt(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey, +int wolfTPM2_EncryptSalt(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey, StartAuthSession_In* in, TPM2B_AUTH* bindAuth, TPM2B_DIGEST* salt) { int rc; @@ -632,10 +624,15 @@ int wolfTPM2_StartSession(WOLFTPM2_DEV* dev, WOLFTPM2_SESSION* session, } /* set session auth for key */ - wolfTPM2_SetAuthHandle(dev, 0, &tpmKey->handle); - - authSesIn.tpmKey = tpmKey ? tpmKey->handle.hndl : - (TPMI_DH_OBJECT)TPM_RH_NULL; + if (tpmKey) { + wolfTPM2_SetAuthHandle(dev, 0, &tpmKey->handle); + authSesIn.tpmKey = tpmKey->handle.hndl; + } + else { + wolfTPM2_SetAuthPassword(dev, 0, NULL); + authSesIn.tpmKey = (TPMI_DH_OBJECT)TPM_RH_NULL; + } + /* setup bind key */ authSesIn.bind = (TPMI_DH_ENTITY)TPM_RH_NULL; if (bind) { authSesIn.bind = bind->hndl; @@ -716,6 +713,7 @@ int wolfTPM2_StartSession(WOLFTPM2_DEV* dev, WOLFTPM2_SESSION* session, } /* return session */ + session->type = authSesIn.sessionType; session->authHash = authSesIn.authHash; session->handle.hndl = authSesOut.sessionHandle; session->handle.symmetric = authSesIn.symmetric; diff --git a/wolftpm/tpm2.h b/wolftpm/tpm2.h index b214be9..34dad54 100644 --- a/wolftpm/tpm2.h +++ b/wolftpm/tpm2.h @@ -1679,10 +1679,10 @@ typedef struct TPM2_CTX { /* Pointer to current TPM auth sessions */ TPM2_AUTH_SESSION* session; - /* Command Buffer */ + /* Command / Response Buffer */ byte cmdBuf[MAX_COMMAND_SIZE]; - /* Informational Bits */ + /* Informational Bits - use unsigned int for best compiler compatibility */ #ifndef WOLFTPM2_NO_WOLFCRYPT #ifndef SINGLE_THREADED unsigned int hwLockInit:1; @@ -2762,8 +2762,8 @@ WOLFTPM_API int TPM2_SetMode(SetMode_In* in); /* Non-standard API's */ #define _TPM_Init TPM2_Init -/* In when using devtpm or swtpm, the ioCb and userCtx are not used - * and must be set to NULL. TPM2_Init_minimal() call TPM2_Init_ex() +/* When using devtpm or swtpm, the ioCb and userCtx are not used + * and should be NULL. TPM2_Init_minimal() calls TPM2_Init_ex() * with them set to NULL. * * In other modes, the ioCb shall be set in order to use TIS. @@ -2800,6 +2800,7 @@ WOLFTPM_API int TPM2_GetTpmCurve(int curveID); WOLFTPM_API int TPM2_GetWolfCurve(int curve_id); WOLFTPM_API int TPM2_ParseAttest(const TPM2B_ATTEST* in, TPMS_ATTEST* out); +WOLFTPM_LOCAL int TPM2_GetName(TPM2_CTX* ctx, int handleCnt, int idx, TPM2B_NAME* name); #ifdef WOLFTPM2_USE_WOLF_RNG WOLFTPM_API int TPM2_GetWolfRng(WC_RNG** rng); diff --git a/wolftpm/tpm2_param_enc.h b/wolftpm/tpm2_param_enc.h index 2856460..1573ba5 100644 --- a/wolftpm/tpm2_param_enc.h +++ b/wolftpm/tpm2_param_enc.h @@ -35,6 +35,16 @@ WOLFTPM_API int TPM2_KDFa( BYTE *key, UINT32 keySz ); +WOLFTPM_LOCAL int TPM2_CalcHmac(TPMI_ALG_HASH authHash, TPM2B_AUTH* auth, + const TPM2B_DIGEST* hash, const TPM2B_NONCE* nonceNew, + const TPM2B_NONCE* nonceOld, TPMA_SESSION sessionAttributes, + TPM2B_AUTH* hmac); +WOLFTPM_LOCAL int TPM2_CalcRpHash(TPMI_ALG_HASH authHash, + TPM_CC cmdCode, BYTE* param, UINT32 paramSz, TPM2B_DIGEST* hash); +WOLFTPM_LOCAL int TPM2_CalcCpHash(TPMI_ALG_HASH authHash, TPM_CC cmdCode, + TPM2B_NAME* name1, TPM2B_NAME* name2, TPM2B_NAME* name3, + BYTE* param, UINT32 paramSz, TPM2B_DIGEST* hash); + /* Perform encryption over the first parameter of a TPM packet */ WOLFTPM_LOCAL TPM_RC TPM2_ParamEnc_CmdRequest(TPM2_AUTH_SESSION *session, BYTE *paramData, UINT32 paramSz); diff --git a/wolftpm/tpm2_types.h b/wolftpm/tpm2_types.h index 2a7e5ae..b7476d7 100644 --- a/wolftpm/tpm2_types.h +++ b/wolftpm/tpm2_types.h @@ -81,6 +81,7 @@ typedef int64_t INT64; #include #include #include + #include #ifdef WOLF_CRYPTO_CB #include #elif defined(WOLF_CRYPTO_DEV) diff --git a/wolftpm/tpm2_wrap.h b/wolftpm/tpm2_wrap.h index 00da65c..16d5357 100644 --- a/wolftpm/tpm2_wrap.h +++ b/wolftpm/tpm2_wrap.h @@ -366,6 +366,11 @@ WOLFTPM_API int wolfTPM2_GetTime(WOLFTPM2_KEY* aikKey, GetTime_Out* getTimeOut); #define wolfTPM2_GetRCString TPM2_GetRCString #define wolfTPM2_GetCurveSize TPM2_GetCurveSize +/* for salted auth sessions */ +WOLFTPM_LOCAL int wolfTPM2_RSA_Salt(struct WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey, + TPM2B_DIGEST *salt, TPM2B_ENCRYPTED_SECRET *encSalt, TPMT_PUBLIC *publicArea); +WOLFTPM_LOCAL int wolfTPM2_EncryptSalt(struct WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey, + StartAuthSession_In* in, TPM2B_AUTH* bindAuth, TPM2B_DIGEST* salt); #if defined(WOLF_CRYPTO_DEV) || defined(WOLF_CRYPTO_CB)