WolfSSL
/
wolfTPM
mirror of https://github.com/wolfSSL/wolfTPM.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Added object names to the command hash calculation (cpHash). Added HMAC key creation. Fixed outstanding TODO items.

pull/129/head
David Garske 2020-11-23 11:04:14 -08:00
parent dbd8e41b47
commit 5abeea75a9
11 changed files with 296 additions and 205 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -636,8 +636,6 @@ Connection: close
## Todo
* Add support for SensitiveToPrivate inner and outer.
* Add runtime support for detecting module type ST33, SLB9670 or ATTPM20.
* Update to v1.59 of specification.
## Support

2
examples/pcr/quote.c
View File

@ -161,7 +161,7 @@ int TPM2_Quote_Test(void* userCtx, int argc, char *argv[])
}
/* set auth for using the AIK */
wolfTPM2_SetAuthPassword(&dev, 0, &rsaKey.handle.auth, 0);
wolfTPM2_SetAuthPassword(&dev, 0, &rsaKey.handle.auth);
/* Prepare Quote request */
XMEMSET(&cmdIn.quoteAsk, 0, sizeof(cmdIn.quoteAsk));

2
examples/pkcs7/pkcs7.c
View File

@ -348,7 +348,7 @@ int TPM2_PKCS7_Example(void* userCtx)
rsaKey.handle.auth.size = sizeof(gKeyAuth)-1;
XMEMCPY(rsaKey.handle.auth.buffer, gKeyAuth, rsaKey.handle.auth.size);
}
wolfTPM2_SetAuthPassword(&dev, 0, &rsaKey.handle.auth, 0);
wolfTPM2_SetAuthPassword(&dev, 0, &rsaKey.handle.auth);
/* load DER certificate for TPM key (obtained by running

4
examples/timestamp/signed_timestamp.c
View File

@ -211,10 +211,10 @@ int TPM2_Timestamp_Test(void* userCtx)
/* set NULL password auth for using EK */
wolfTPM2_SetAuthPassword(&dev, 0, NULL, 0);
wolfTPM2_SetAuthPassword(&dev, 0, NULL);
/* set auth for using the AIK */
wolfTPM2_SetAuthPassword(&dev, 1, &rsaKey.handle.auth, 0);
wolfTPM2_SetAuthPassword(&dev, 1, &rsaKey.handle.auth);
/* At this stage: The EK is created, AIK is created and loaded,
* Endorsement Hierarchy is enabled through policySecret,

1
examples/tpm_test_keys.c
View File

@ -144,7 +144,6 @@ static int readAndLoadKey(WOLFTPM2_DEV* pDev,
key->handle = keyblob.handle;
key->pub = keyblob.pub;
key->name = keyblob.name;
key->handle.auth.size = authSz;
XMEMCPY(key->handle.auth.buffer, auth, authSz);

231
src/tpm2.c
View File

@ -108,13 +108,69 @@ static TPM_RC TPM2_FreshNonceCaller(TPM2_CTX *ctx)
#ifndef WOLFTPM2_NO_WOLFCRYPT
/* Get name for object/handle */
static int TPM2_GetName(TPM2_CTX* ctx, int authCnt, int authIdx, TPM2B_NAME* name)
{
int rc = 0;
TPMS_AUTH_COMMAND* authCmd;
TPM_HANDLE handle;
TPM_HT handleType;
XMEMSET(name, 0, sizeof(TPM2B_NAME));
if (authIdx >= authCnt)
return 0;
authCmd = &ctx->authCmd[authIdx];
handle = authCmd->sessionHandle;
handleType = (TPM_HT)((handle & HR_RANGE_MASK) >> HR_SHIFT);
/* Table 3 - Equations for Computing Entity Names */
switch (handleType) {
/* for these, the Name is simply the handle value */
case TPM_HT_PCR:
case TPM_HT_HMAC_SESSION:
case TPM_HT_POLICY_SESSION:
case TPM_HT_PERMANENT:
name->size = sizeof(UINT32);
TPM2_Packet_U32ToByteArray(handle, name->name);
rc = 0;
break;
/* for NV, the Names was calculated at NV read public */
case TPM_HT_NV_INDEX:
/* for objects, the Name was returned at creation or load */
case TPM_HT_TRANSIENT:
case TPM_HT_PERSISTENT:
name->size = authCmd->name.size;
XMEMCPY(name->name, authCmd->name.name, name->size);
rc = 0;
break;
default:
rc = BAD_FUNC_ARG;
break;
}
#ifdef WOLFTPM_DEBUG_VERBOSE
printf("Name %d: %d\n", authIdx, name->size);
TPM2_PrintBin(name->name, name->size);
#endif
return rc;
}
/* Compute the command parameter hash */
static int TPM2_CalcHash(TPM2_CTX* ctx, TPMI_ALG_HASH authHash, TPM_CC cmdCode,
TPM2B_MAX_BUFFER* parameters, TPM2B_DIGEST* hash)
/* TCG TPM 2.0 Part 1 - 18.37 Command Parameter Hash cpHash */
static int TPM2_CalcHash(TPM2_CTX* ctx, int authCnt, TPMI_ALG_HASH authHash,
TPM_CC cmdCode, TPM2B_MAX_BUFFER* parameters, TPM2B_DIGEST* hash)
{
int rc;
wc_HashAlg hash_ctx;
enum wc_HashType hashType;
TPM2B_NAME name1, name2, name3;
rc = TPM2_GetName(ctx, authCnt, 0, &name1);
rc |= TPM2_GetName(ctx, authCnt, 1, &name2);
rc |= TPM2_GetName(ctx, authCnt, 2, &name3);
if (rc != 0)
return BAD_FUNC_ARG;
rc = TPM2_GetHashType(authHash);
hashType = (enum wc_HashType)rc;
@ -128,10 +184,15 @@ static int TPM2_CalcHash(TPM2_CTX* ctx, TPMI_ALG_HASH authHash, TPM_CC cmdCode,
if (rc == 0) {
/* Hash Command Code */
cmdCode = TPM2_Packet_SwapU16(cmdCode);
rc = wc_HashUpdate(&hash_ctx, hashType, (byte*)&cmdCode, sizeof(cmdCode));
/* TODO: For Command's only hash each session name */
/* For Command's only hash each session name */
if (rc == 0)
rc = wc_HashUpdate(&hash_ctx, hashType, name1.name, name1.size);
if (rc == 0)
rc = wc_HashUpdate(&hash_ctx, hashType, name2.name, name2.size);
if (rc == 0)
rc = wc_HashUpdate(&hash_ctx, hashType, name3.name, name3.size);
/* Hash Remainder of parameters - after handles and auth */
if (rc == 0)
@ -144,11 +205,17 @@ static int TPM2_CalcHash(TPM2_CTX* ctx, TPMI_ALG_HASH authHash, TPM_CC cmdCode,
}
(void)ctx;
#ifdef WOLFTPM_DEBUG_VERBOSE
printf("cpHash: cmd %x, size %d\n", cmdCode, hash->size);
TPM2_PrintBin(hash->buffer, hash->size);
#endif
return rc;
}
/* Compute the HMAC using cpHash, nonces and session attributes */
static int TPM2_CalcHmac(TPM2_CTX* ctx, TPMS_AUTH_COMMAND* authCmd,
/* TCG TPM 2.0 Part 1 - 19.6.5 - HMAC Computation */
static int TPM2_CalcHmac(TPM2_CTX* ctx, int authCnt, TPMS_AUTH_COMMAND* authCmd,
TPM_CC cmdCode, TPM2B_MAX_BUFFER* parameters, TPM2B_AUTH* hmac)
{
int rc;
@ -166,7 +233,7 @@ static int TPM2_CalcHmac(TPM2_CTX* ctx, TPMS_AUTH_COMMAND* authCmd,
return BAD_FUNC_ARG;
/* calculate "cpHash" hash for command code, names and parameters */
rc = TPM2_CalcHash(ctx, authHash, cmdCode, parameters, &hash);
rc = TPM2_CalcHash(ctx, authCnt, authHash, cmdCode, parameters, &hash);
if (rc != 0)
return rc;
@ -200,6 +267,11 @@ static int TPM2_CalcHmac(TPM2_CTX* ctx, TPMS_AUTH_COMMAND* authCmd,
rc = wc_HmacFinal(&hmac_ctx, hmac->buffer);
wc_HmacFree(&hmac_ctx);
#ifdef WOLFTPM_DEBUG_VERBOSE
printf("HMAC Auth %x: size %d\n", authCmd->sessionHandle, hmac->size);
TPM2_PrintBin(hmac->buffer, hmac->size);
#endif
return rc;
}
#endif /* !WOLFTPM2_NO_WOLFCRYPT */
@ -223,7 +295,7 @@ static TPM_RC TPM2_SendCommandAuth(TPM2_CTX* ctx, TPM2_Packet* packet,
UINT16 requestParamSz = 0;
UINT32 responseParamSz;
TPM2B_MAX_BUFFER encryptedParameter;
int sessionParamEnc;
int i;
/* TODO: Check flags to avoid paramenc for command that don't support it */
(void)flags;
@ -234,11 +306,6 @@ static TPM_RC TPM2_SendCommandAuth(TPM2_CTX* ctx, TPM2_Packet* packet,
cmd = packet->buf;
cmdSz = packet->pos;
#ifdef WOLFTPM_DEBUG_VERBOSE
printf("Request command (size=%d):\n", cmdSz);
TPM2_PrintBin(cmd, cmdSz);
#endif
packet->pos = 0; /* restart the unmarshalling position */
TPM2_Packet_ParseU16(packet, &tag);
TPM2_Packet_ParseU32(packet, &packetSz); /* Extract packet size */
@ -254,6 +321,10 @@ static TPM_RC TPM2_SendCommandAuth(TPM2_CTX* ctx, TPM2_Packet* packet,
if (authCnt < 1 || ctx->authCmd == NULL)
return TPM_RC_AUTH_MISSING;
#ifdef DEBUG_WOLFTPM
printf("Found %d auth sessions\n", authCnt);
#endif
/* Pass the TPM header and Handles area */
param = cmd + TPM2_HEADER_SIZE + (inHandleCnt * sizeof(TPM_HANDLE));
packet->pos = TPM2_HEADER_SIZE + (inHandleCnt * sizeof(TPM_HANDLE));
@ -267,8 +338,8 @@ static TPM_RC TPM2_SendCommandAuth(TPM2_CTX* ctx, TPM2_Packet* packet,
UINT16 paramSz, tempSz;
TPM2_Packet_ParseU16(packet, &paramSz);
param += sizeof(UINT16);
/* TODO: Do we need table for special cases per command? */
if (cmdCode == TPM_CC_Create) {
/* TODO: Add lookup table or pass in as arg */
if (cmdCode == TPM_CC_Create || cmdCode == TPM_CC_Quote) {
/* Encrypt based on inner size field, not on total paramSz */
TPM2_Packet_ParseU16(packet, &paramSz);
param += sizeof(UINT16);
@ -281,42 +352,47 @@ static TPM_RC TPM2_SendCommandAuth(TPM2_CTX* ctx, TPM2_Packet* packet,
}
requestParamSz = paramSz;
}
#ifdef WOLFTPM_DEBUG_VERBOSE
printf("Request parameter (size=%d):\n", requestParamSz);
TPM2_PrintBin(param, requestParamSz);
#endif
/* Do encryption of the first parameter in the command request */
sessionParamEnc = TPM2_ParamEnc_FindDecryptSession(ctx);
if (sessionParamEnc < MAX_SESSION_NUM) {
#ifndef WOLFTPM2_NO_WOLFCRYPT
TPMS_AUTH_COMMAND authHmac[MAX_SESSION_NUM];
#endif
rc = TPM2_ParamEnc_CmdRequest(&ctx->authCmd[sessionParamEnc],
&encryptedParameter,
param, requestParamSz);
if (rc != TPM_RC_SUCCESS) {
#ifdef DEBUG_WOLFTPM
printf("Request parameter encryption failed\n");
#endif
return rc;
#ifdef WOLFTPM_DEBUG_VERBOSE
printf("Request parameter (offset %d, size %d):\n",
cmdSz - requestParamSz, requestParamSz);
#endif
for (i=0; i<authCnt; i++) {
if (ctx->authCmd[i].sessionHandle != TPM_RS_PW) {
#ifndef WOLFTPM2_NO_WOLFCRYPT
TPMS_AUTH_COMMAND authHmac[MAX_SESSION_NUM];
#endif
/* Do encryption of the first parameter in the command request */
if (ctx->authCmd[i].sessionAttributes & TPMA_SESSION_decrypt) {
rc = TPM2_ParamEnc_CmdRequest(&ctx->authCmd[i],
&encryptedParameter,
param, requestParamSz);
if (rc != TPM_RC_SUCCESS) {
#ifdef DEBUG_WOLFTPM
printf("Request parameter encryption failed\n");
#endif
return rc;
}
/* packet->pos already points at the first command parameter */
TPM2_Packet_AppendBytes(packet, encryptedParameter.buffer,
encryptedParameter.size);
}
#ifndef WOLFTPM2_NO_WOLFCRYPT
XMEMCPY(&authHmac, ctx->authCmd, sizeof(TPMS_AUTH_COMMAND) * authCnt);
/* Calculate HMAC for policy, hmac or salted sessions */
/* this is done after encryption */
rc = TPM2_CalcHmac(ctx, authCnt, &ctx->authCmd[i], cmdCode,
&encryptedParameter, &authHmac[i].auth);
/* Replace auth in session */
packet->pos = authPos;
rc = TPM2_Packet_AppendAuthCmd(packet, (TPMS_AUTH_COMMAND*)&authHmac);
#endif
}
/* packet->pos already points at the first command parameter */
TPM2_Packet_AppendBytes(packet, encryptedParameter.buffer,
encryptedParameter.size);
#ifndef WOLFTPM2_NO_WOLFCRYPT
XMEMCPY(&authHmac, ctx->authCmd, sizeof(TPMS_AUTH_COMMAND) * authCnt);
/* Calculate HMAC for policy, hmac or salted sessions */
/* this is done after encryption */
rc = TPM2_CalcHmac(ctx, &ctx->authCmd[sessionParamEnc], cmdCode,
&encryptedParameter, &authHmac[sessionParamEnc].auth);
/* Replace auth in session */
packet->pos = authPos;
rc = TPM2_Packet_AppendAuthCmd(packet, (TPMS_AUTH_COMMAND*)&authHmac);
#endif
}
}
/* reset packet->pos - it is used by send command for total length */
@ -328,11 +404,8 @@ static TPM_RC TPM2_SendCommandAuth(TPM2_CTX* ctx, TPM2_Packet* packet,
/* parse response */
cmd = packet->buf;
rc = TPM2_Packet_Parse(rc, packet);
#ifdef WOLFTPM_DEBUG_VERBOSE
cmdSz = packet->size;
printf("Response command (size=%d)\n", cmdSz);
TPM2_PrintBin(cmd, cmdSz);
#endif
cmdSz = packet->size; /* response size */
/* Extract tag */
packet->pos = 0;
TPM2_Packet_ParseU16(packet, &tag);
@ -346,25 +419,29 @@ static TPM_RC TPM2_SendCommandAuth(TPM2_CTX* ctx, TPM2_Packet* packet,
TPM2_Packet_ParseU32(packet, &responseParamSz);
param += sizeof(responseParamSz);
#ifdef WOLFTPM_DEBUG_VERBOSE
printf("Response parameter (size=%d):\n", responseParamSz);
TPM2_PrintBin(param, responseParamSz);
#endif
/* Should the first parameter in the command response be decrypted */
sessionParamEnc = TPM2_ParamEnc_FindEncryptSession(ctx);
if (sessionParamEnc < MAX_SESSION_NUM) {
rc = TPM2_ParamDec_CmdResponse(&ctx->authCmd[sessionParamEnc],
&encryptedParameter,
param, responseParamSz);
if (rc != TPM_RC_SUCCESS) {
#ifdef DEBUG_WOLFTPM
printf("Response parameter encryption failed\n");
#endif
return TPM_RC_FAILURE;
#ifdef WOLFTPM_DEBUG_VERBOSE
printf("Response parameter (offset %d, size %d):\n",
cmdSz - responseParamSz, responseParamSz);
#endif
for (i=0; i<authCnt; i++) {
if (ctx->authCmd[i].sessionHandle != TPM_RS_PW) {
if (ctx->authCmd[i].sessionAttributes & TPMA_SESSION_encrypt) {
/* Should the first parameter in the command response be decrypted */
rc = TPM2_ParamDec_CmdResponse(&ctx->authCmd[i],
&encryptedParameter,
param, responseParamSz);
if (rc != TPM_RC_SUCCESS) {
#ifdef DEBUG_WOLFTPM
printf("Response parameter decryption failed\n");
#endif
return TPM_RC_FAILURE;
}
/* packet->pos already points at the parameter, copy the decrypted data */
TPM2_Packet_ParseBytes(packet, encryptedParameter.buffer,
encryptedParameter.size);
}
}
/* packet->pos already points at the parameter, copy the decrypted data */
TPM2_Packet_ParseBytes(packet, encryptedParameter.buffer,
encryptedParameter.size);
}
}
@ -372,6 +449,7 @@ static TPM_RC TPM2_SendCommandAuth(TPM2_CTX* ctx, TPM2_Packet* packet,
* Before returning to caller, set packet to expected position.
*/
packet->pos = TPM2_HEADER_SIZE;
(void)cmdSz;
return rc;
}
@ -391,10 +469,7 @@ static TPM_RC TPM2_SendCommand(TPM2_CTX* ctx, TPM2_Packet* packet)
static TPM_ST TPM2_GetTag(TPM2_CTX* ctx)
{
TPM_ST st = TPM_ST_NO_SESSIONS;
/* TODO: Fix bug, ST_SESSION shows need of auth Session, not paramEnc */
if (ctx && ctx->authCmd &&
(ctx->authCmd->sessionAttributes &
(TPMA_SESSION_decrypt | TPMA_SESSION_encrypt))) {
if (ctx && ctx->authCmd && TPM2_GetSessionAuthCount(ctx->authCmd) > 0) {
st = TPM_ST_SESSIONS;
}
return st;
@ -4954,9 +5029,7 @@ int TPM2_GetSessionAuthCount(TPMS_AUTH_COMMAND* authCmd)
break;
}
}
#ifdef DEBUG_WOLFTPM
printf("Found %d auth sessions\n", sessionCount);
#endif
return sessionCount;
}

64
src/tpm2_param_enc.c
View File

@ -72,14 +72,14 @@
*
* Return values:
* 0 hash algorithm is not supported or is TPM_ALG_NULL
* >0 the number of bytes in the 'keyStream' buffer
* >0 the number of bytes in the 'key' buffer
*
*/
int TPM2_KDFa(
TPM_ALG_ID hashAlg, /* IN: hash algorithm used in HMAC */
TPM2B_DATA *keyIn, /* IN: key */
const char *label, /* IN: a 0-byte terminated label used in KDF */
TPM2B_NONCE *contextU, /* IN: context U */
TPM2B_NONCE *contextU, /* IN: context U (newer) */
TPM2B_NONCE *contextV, /* IN: context V */
BYTE *key, /* OUT: key buffer */
UINT32 keySz /* IN: size of generated key in bytes */
@ -187,8 +187,8 @@ exit:
/* Perform XOR encryption over the first parameter of a TPM packet */
static int TPM2_ParamEnc_XOR(TPMS_AUTH_COMMAND *session, TPM2B_AUTH* keyIn,
TPM2B_NONCE* nonceCaller, TPM2B_NONCE* nonceTPM, TPM2B_MAX_BUFFER *encryptedData,
const BYTE *paramData, UINT32 paramSz)
TPM2B_NONCE* nonceCaller, TPM2B_NONCE* nonceTPM,
TPM2B_MAX_BUFFER *encryptedData, const BYTE *paramData, UINT32 paramSz)
{
int rc = TPM_RC_FAILURE;
TPM2B_MAX_BUFFER mask;
@ -204,8 +204,8 @@ static int TPM2_ParamEnc_XOR(TPMS_AUTH_COMMAND *session, TPM2B_AUTH* keyIn,
rc = TPM2_KDFa(session->authHash, (TPM2B_DATA*)keyIn, "XOR",
nonceCaller, nonceTPM, mask.buffer, paramSz);
if ((UINT32)rc != paramSz) {
#ifdef WOLFTPM_DEBUG_VERBOSE
printf("KDFa size error! rc %d != %d\n", rc, paramSz);
#ifdef DEBUG_WOLFTPM
printf("KDFa XOR Gen Error %d\n", rc);
#endif
return TPM_RC_FAILURE;
}
@ -238,10 +238,10 @@ static int TPM2_ParamDec_XOR(TPMS_AUTH_COMMAND *session, TPM2B_AUTH* keyIn,
/* Generate XOR Mask stream matching paramater size */
XMEMSET(mask.buffer, 0, sizeof(mask.buffer));
rc = TPM2_KDFa(session->authHash, (TPM2B_DATA*)keyIn, "XOR",
nonceCaller, nonceTPM, mask.buffer, encryptedDataSz);
nonceCaller, nonceTPM, mask.buffer, encryptedDataSz);
if ((UINT32)rc != encryptedDataSz) {
#ifdef WOLFTPM_DEBUG_VERBOSE
printf("KDFa size error! rc %d != %d\n", rc, encryptedDataSz);
#ifdef DEBUG_WOLFTPM
printf("KDFa XOR Gen Error %d\n", rc);
#endif
return TPM_RC_FAILURE;
}
@ -260,8 +260,8 @@ static int TPM2_ParamDec_XOR(TPMS_AUTH_COMMAND *session, TPM2B_AUTH* keyIn,
#ifdef WOLFSSL_AES_CFB
/* Perform AES CFB encryption over the first parameter of a TPM packet */
static int TPM2_ParamEnc_AESCFB(TPMS_AUTH_COMMAND *session, TPM2B_AUTH* keyIn,
TPM2B_NONCE* nonceCaller, TPM2B_NONCE* nonceTPM, TPM2B_MAX_BUFFER *encryptedData,
const BYTE *paramData, UINT32 paramSz)
TPM2B_NONCE* nonceCaller, TPM2B_NONCE* nonceTPM,
TPM2B_MAX_BUFFER *encryptedData, const BYTE *paramData, UINT32 paramSz)
{
int rc = TPM_RC_FAILURE;
BYTE symKey[32 + 16]; /* AES key (max) + IV (block size) */
@ -278,6 +278,9 @@ static int TPM2_ParamEnc_AESCFB(TPMS_AUTH_COMMAND *session, TPM2B_AUTH* keyIn,
rc = TPM2_KDFa(session->authHash, (TPM2B_DATA*)keyIn, "CFB",
nonceCaller, nonceTPM, symKey, symKeySz + symKeyIvSz);
if (rc != symKeySz + symKeyIvSz) {
#ifdef DEBUG_WOLFTPM
printf("KDFa CFB Gen Error %d\n", rc);
#endif
return TPM_RC_FAILURE;
}
@ -315,6 +318,9 @@ static int TPM2_ParamDec_AESCFB(TPMS_AUTH_COMMAND *session, TPM2B_AUTH* keyIn,
rc = TPM2_KDFa(session->authHash, (TPM2B_DATA*)keyIn, "CFB",
nonceCaller, nonceTPM, symKey, symKeySz + symKeyIvSz);
if (rc != symKeySz + symKeyIvSz) {
#ifdef DEBUG_WOLFTPM
printf("KDFa CFB Gen Error %d\n", rc);
#endif
return TPM_RC_FAILURE;
}
@ -337,36 +343,6 @@ static int TPM2_ParamDec_AESCFB(TPMS_AUTH_COMMAND *session, TPM2B_AUTH* keyIn,
/* --- Public Functions -- */
/******************************************************************************/
/* Returns MAX_SESSION_NUM if no session is found, otherwise session index */
int TPM2_ParamEnc_FindDecryptSession(TPM2_CTX *ctx)
{
int i;
for (i=0; i<MAX_SESSION_NUM; i++) {
if ((ctx->authCmd[i].sessionAttributes & TPMA_SESSION_decrypt) &&
ctx->authCmd[i].sessionHandle != TPM_RS_PW) {
break;
}
}
return i;
}
/* Returns MAX_SESSION_NUM if no session is found, otherwise session index */
int TPM2_ParamEnc_FindEncryptSession(TPM2_CTX *ctx)
{
int i;
for (i=0; i<MAX_SESSION_NUM; i++) {
if ((ctx->authCmd[i].sessionAttributes & TPMA_SESSION_encrypt) &&
ctx->authCmd[i].sessionHandle != TPM_RS_PW) {
break;
}
}
return i;
}
TPM_RC TPM2_ParamEnc_CmdRequest(TPMS_AUTH_COMMAND *session,
TPM2B_MAX_BUFFER *encryptedParameter,
const BYTE *paramData, UINT32 paramSz)
@ -378,7 +354,8 @@ TPM_RC TPM2_ParamEnc_CmdRequest(TPMS_AUTH_COMMAND *session,
&session->nonceTPM, encryptedParameter, paramData, paramSz);
}
#ifdef WOLFSSL_AES_CFB
else if (session->symmetric.algorithm == TPM_ALG_AES && session->symmetric.mode.aes == TPM_ALG_CFB) {
else if (session->symmetric.algorithm == TPM_ALG_AES &&
session->symmetric.mode.aes == TPM_ALG_CFB) {
rc = TPM2_ParamEnc_AESCFB(session, &session->auth, &session->nonce,
&session->nonceTPM, encryptedParameter, paramData, paramSz);
}
@ -398,7 +375,8 @@ TPM_RC TPM2_ParamDec_CmdResponse(TPMS_AUTH_COMMAND *session,
&session->nonceTPM, decryptedParameter, paramData, paramSz);
}
#ifdef WOLFSSL_AES_CFB
else if (session->symmetric.algorithm == TPM_ALG_AES && session->symmetric.mode.aes == TPM_ALG_CFB) {
else if (session->symmetric.algorithm == TPM_ALG_AES &&
session->symmetric.mode.aes == TPM_ALG_CFB) {
rc = TPM2_ParamDec_AESCFB(session, &session->auth, &session->nonce,
&session->nonceTPM, decryptedParameter, paramData, paramSz);
}

175
src/tpm2_wrap.c
View File

@ -161,7 +161,7 @@ int wolfTPM2_Init(WOLFTPM2_DEV* dev, TPM2HalIoCb ioCb, void* userCtx)
/* define the default session auth */
XMEMSET(dev->session, 0, sizeof(dev->session));
wolfTPM2_SetAuthPassword(dev, 0, NULL, 0);
wolfTPM2_SetAuthPassword(dev, 0, NULL);
return rc;
}
@ -188,7 +188,7 @@ int wolfTPM2_OpenExisting(WOLFTPM2_DEV* dev, TPM2HalIoCb ioCb, void* userCtx)
/* define the default session auth */
XMEMSET(dev->session, 0, sizeof(dev->session));
wolfTPM2_SetAuthPassword(dev, 0, NULL, 0);
wolfTPM2_SetAuthPassword(dev, 0, NULL);
return rc;
}
@ -374,7 +374,8 @@ int wolfTPM2_GetCapabilities(WOLFTPM2_DEV* dev, WOLFTPM2_CAPS* cap)
}
int wolfTPM2_SetAuth(WOLFTPM2_DEV* dev, int index,
TPM_HANDLE sessionHandle, TPM2B_AUTH* auth, TPMA_SESSION sessionAttributes)
TPM_HANDLE sessionHandle, const TPM2B_AUTH* auth, TPMA_SESSION sessionAttributes,
const TPM2B_NAME* name)
{
TPMS_AUTH_COMMAND* authCmd;
@ -390,27 +391,30 @@ int wolfTPM2_SetAuth(WOLFTPM2_DEV* dev, int index,
authCmd->auth.size = auth->size;
XMEMCPY(authCmd->auth.buffer, auth->buffer, auth->size);
}
if (name) {
authCmd->name.size = name->size;
XMEMCPY(authCmd->name.name, name->name, name->size);
}
TPM2_SetSessionAuth(dev->session);
return 0;
}
int wolfTPM2_SetAuthPassword(WOLFTPM2_DEV* dev, int index, TPM2B_AUTH* auth,
TPMA_SESSION sessionAttributes)
int wolfTPM2_SetAuthPassword(WOLFTPM2_DEV* dev, int index,
const TPM2B_AUTH* auth)
{
return wolfTPM2_SetAuth(dev, index, TPM_RS_PW, auth, sessionAttributes);
return wolfTPM2_SetAuth(dev, index, TPM_RS_PW, auth, 0, NULL);
}
int wolfTPM2_SetAuthHandle(WOLFTPM2_DEV* dev, int index,
WOLFTPM2_HANDLE* handle, TPMA_SESSION sessionAttributes)
int wolfTPM2_SetAuthHandle(WOLFTPM2_DEV* dev, int index,
const WOLFTPM2_HANDLE* handle)
{
return wolfTPM2_SetAuth(dev, index, handle->hndl, &handle->auth,
sessionAttributes);
return wolfTPM2_SetAuth(dev, index, TPM_RS_PW, &handle->auth, 0, &handle->name);
}
int wolfTPM2_SetAuthSession(WOLFTPM2_DEV* dev, int index,
WOLFTPM2_SESSION* session, TPMA_SESSION sessionAttributes)
const WOLFTPM2_SESSION* session, TPMA_SESSION sessionAttributes)
{
int rc;
TPM2B_AUTH* auth = NULL;
@ -423,13 +427,13 @@ int wolfTPM2_SetAuthSession(WOLFTPM2_DEV* dev, int index,
auth = &dev->session[index-1].auth;
}
rc = wolfTPM2_SetAuth(dev, index, session->handle.hndl, auth,
sessionAttributes);
rc = wolfTPM2_SetAuth(dev, index, session->handle.hndl,
&session->handle.auth, sessionAttributes, NULL);
if (rc == 0) {
TPMS_AUTH_COMMAND* authCmd = &dev->session[index];
/* define the symmetric algorithm */
authCmd->authHash = WOLFTPM2_WRAP_DIGEST;
authCmd->authHash = session->authHash;
authCmd->symmetric = session->handle.symmetric;
/* fresh nonce generated in TPM2_SendCommandAuth based on this size */
@ -555,7 +559,7 @@ static int wolfTPM2_RSA_Salt(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey,
#endif /* !NO_RSA */
static int wolfTPM2_EncryptSalt(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey,
StartAuthSession_In* in, const char* bindPassword, TPM2B_DIGEST* salt)
StartAuthSession_In* in, TPM2B_AUTH* bindAuth, TPM2B_DIGEST* salt)
{
int rc;
@ -574,10 +578,15 @@ static int wolfTPM2_EncryptSalt(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey,
return rc;
}
#ifdef WOLFTPM_DEBUG_VERBOSE
printf("Session Salt %d\n", salt->size);
TPM2_PrintBin(salt->buffer, salt->size);
#endif
switch (tpmKey->pub.publicArea.type) {
#ifdef HAVE_ECC
case TPM_ALG_ECC:
/* TODO: */
/* TODO: Add ECC encrypted salt */
rc = NOT_COMPILED_IN;
break;
#endif
@ -592,7 +601,7 @@ static int wolfTPM2_EncryptSalt(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey,
break;
}
(void)bindPassword; /* TODO: Add bind support */
(void)bindAuth; /* TODO: Add bind support */
return rc;
}
@ -605,19 +614,34 @@ int wolfTPM2_StartSession(WOLFTPM2_DEV* dev, WOLFTPM2_SESSION* session,
int rc;
StartAuthSession_In authSesIn;
StartAuthSession_Out authSesOut;
TPM2B_AUTH* bindAuth = NULL;
TPM2B_DATA keyIn;
TPMI_ALG_HASH authHash = WOLFTPM2_WRAP_DIGEST;
int hashDigestSz;
if (dev == NULL || session == NULL)
return BAD_FUNC_ARG;
/* set session auth for key */
if (dev->ctx.authCmd) {
dev->ctx.authCmd[0].auth = tpmKey->handle.auth;
XMEMSET(session, 0, sizeof(WOLFTPM2_SESSION));
XMEMSET(&authSesIn, 0, sizeof(authSesIn));
authSesIn.authHash = authHash;
hashDigestSz = TPM2_GetHashDigestSize(authHash);
if (hashDigestSz <= 0) {
return NOT_COMPILED_IN;
}
XMEMSET(&authSesIn, 0, sizeof(authSesIn));
/* set session auth for key */
wolfTPM2_SetAuthHandle(dev, 0, &tpmKey->handle);
authSesIn.tpmKey = tpmKey ? tpmKey->handle.hndl :
(TPMI_DH_OBJECT)TPM_RH_NULL;
authSesIn.bind = bind ? bind->hndl : (TPMI_DH_ENTITY)TPM_RH_NULL;
authSesIn.bind = (TPMI_DH_ENTITY)TPM_RH_NULL;
if (bind) {
authSesIn.bind = bind->hndl;
bindAuth = &bind->auth;
}
authSesIn.sessionType = sesType;
if (encDecAlg == TPM_ALG_CFB) {
authSesIn.symmetric.algorithm = TPM_ALG_AES;
@ -632,8 +656,7 @@ int wolfTPM2_StartSession(WOLFTPM2_DEV* dev, WOLFTPM2_SESSION* session,
else {
authSesIn.symmetric.algorithm = TPM_ALG_NULL;
}
authSesIn.authHash = WOLFTPM2_WRAP_DIGEST;
authSesIn.nonceCaller.size = TPM2_GetHashDigestSize(WOLFTPM2_WRAP_DIGEST);
authSesIn.nonceCaller.size = hashDigestSz;
rc = TPM2_GetNonce(authSesIn.nonceCaller.buffer,
authSesIn.nonceCaller.size);
if (rc < 0) {
@ -645,8 +668,7 @@ int wolfTPM2_StartSession(WOLFTPM2_DEV* dev, WOLFTPM2_SESSION* session,
#ifndef WOLFTPM2_NO_WOLFCRYPT
/* Generate and Encrypt salt using "SECRET" */
rc = wolfTPM2_EncryptSalt(dev, tpmKey, &authSesIn, session->bindPassword,
&session->salt);
rc = wolfTPM2_EncryptSalt(dev, tpmKey, &authSesIn, bindAuth, &session->salt);
if (rc != 0) {
#ifdef DEBUG_WOLFTPM
printf("Building encrypted salt failed %d: %s!\n", rc,
@ -664,9 +686,43 @@ int wolfTPM2_StartSession(WOLFTPM2_DEV* dev, WOLFTPM2_SESSION* session,
return rc;
}
/* Calculate "key" and store into auth */
/* key is bindAuthValue || salt */
XMEMSET(&keyIn, 0, sizeof(keyIn));
if (bindAuth && bindAuth->size > 0) {
XMEMCPY(&keyIn.buffer[keyIn.size], bindAuth->buffer, bindAuth->size);
keyIn.size += bindAuth->size;
}
if (session->salt.size > 0) {
XMEMCPY(&keyIn.buffer[keyIn.size], session->salt.buffer, session->salt.size);
keyIn.size += session->salt.size;
}
if (keyIn.size > 0) {
session->handle.auth.size = hashDigestSz;
rc = TPM2_KDFa(authSesIn.authHash, &keyIn, "ATH",
&authSesOut.nonceTPM, &authSesIn.nonceCaller,
session->handle.auth.buffer, session->handle.auth.size);
if (rc != hashDigestSz) {
#ifdef DEBUG_WOLFTPM
printf("KDFa ATH Gen Error %d\n", rc);
#endif
return TPM_RC_FAILURE;
}
rc = TPM_RC_SUCCESS;
#ifdef WOLFTPM_DEBUG_VERBOSE
printf("Session Key %d\n", session->handle.auth.size);
TPM2_PrintBin(session->handle.auth.buffer, session->handle.auth.size);
#endif
}
/* return session */
session->authHash = authSesIn.authHash;
session->handle.hndl = authSesOut.sessionHandle;
session->handle.symmetric = authSesIn.symmetric;
if (bind)
session->handle.name = bind->name;
session->nonceCaller = authSesIn.nonceCaller;
session->nonceTPM = authSesOut.nonceTPM;
@ -691,9 +747,7 @@ int wolfTPM2_CreatePrimaryKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key,
return BAD_FUNC_ARG;
/* set session auth to blank */
if (dev->ctx.authCmd) {
XMEMSET(&dev->ctx.authCmd[0].auth, 0, sizeof(TPM2B_AUTH));
}
wolfTPM2_SetAuthPassword(dev, 0, NULL);
/* clear output key buffer */
XMEMSET(key, 0, sizeof(WOLFTPM2_KEY));
@ -725,10 +779,10 @@ int wolfTPM2_CreatePrimaryKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key,
}
key->handle.hndl = createPriOut.objectHandle;
key->handle.auth = createPriIn.inSensitive.sensitive.userAuth;
key->handle.name = createPriOut.name;
key->handle.symmetric = createPriOut.outPublic.publicArea.parameters.asymDetail.symmetric;
key->pub = createPriOut.outPublic;
key->name = createPriOut.name;
#ifdef DEBUG_WOLFTPM
printf("TPM2_CreatePrimary: 0x%x (%d bytes)\n",
@ -751,9 +805,7 @@ int wolfTPM2_ChangeAuthKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key,
return BAD_FUNC_ARG;
/* set session auth for key */
if (dev->ctx.authCmd) {
dev->ctx.authCmd[0].auth = key->handle.auth;
}
wolfTPM2_SetAuthHandle(dev, 0, &key->handle);
XMEMSET(&changeIn, 0, sizeof(changeIn));
changeIn.objectHandle = key->handle.hndl;
@ -778,9 +830,7 @@ int wolfTPM2_ChangeAuthKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key,
wolfTPM2_UnloadHandle(dev, &key->handle);
/* set session auth for parent key */
if (dev->ctx.authCmd) {
dev->ctx.authCmd[0].auth = parent->auth;
}
wolfTPM2_SetAuthHandle(dev, 0, parent);
/* Load new key */
XMEMSET(&loadIn, 0, sizeof(loadIn));
@ -796,6 +846,7 @@ int wolfTPM2_ChangeAuthKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key,
}
key->handle.hndl = loadOut.objectHandle;
key->handle.auth = changeIn.newAuth;
key->handle.name = loadOut.name;
#ifdef DEBUG_WOLFTPM
printf("wolfTPM2_ChangeAuthKey: Key Handle 0x%x\n", (word32)key->handle.hndl);
@ -819,9 +870,7 @@ int wolfTPM2_CreateKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEYBLOB* keyBlob,
XMEMSET(keyBlob, 0, sizeof(WOLFTPM2_KEYBLOB));
/* set session auth for parent key */
if (dev->ctx.authCmd) {
dev->ctx.authCmd[0].auth = parent->auth;
}
wolfTPM2_SetAuthHandle(dev, 0, parent);
XMEMSET(&createIn, 0, sizeof(createIn));
createIn.parentHandle = parent->hndl;
@ -889,6 +938,7 @@ int wolfTPM2_LoadKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEYBLOB* keyBlob,
return rc;
}
keyBlob->handle.hndl = loadOut.objectHandle;
keyBlob->handle.name = loadOut.name;
#ifdef DEBUG_WOLFTPM
printf("TPM2_Load Key Handle 0x%x\n", (word32)keyBlob->handle.hndl);
@ -942,6 +992,7 @@ int wolfTPM2_LoadPublicKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key,
}
key->handle.hndl = loadExtOut.objectHandle;
key->handle.symmetric = loadExtIn.inPublic.publicArea.parameters.asymDetail.symmetric;
key->handle.name = loadExtOut.name;
key->pub = loadExtIn.inPublic;
@ -1072,8 +1123,12 @@ int wolfTPM2_SensitiveToPrivate(TPM2B_SENSITIVE* sens, TPM2B_PRIVATE* priv,
rc = TPM2_KDFa(innerAlg, (TPM2B_DATA*)&sens->sensitiveArea.seedValue,
"STORAGE", (TPM2B_NONCE*)name, NULL,
symKey.buffer, symKey.size);
if (rc != 0)
return rc;
if (rc != symKey.size) {
#ifdef DEBUG_WOLFTPM
printf("KDFa STORAGE Gen Error %d\n", rc);
#endif
return TPM_RC_FAILURE;
}
/* Encrypt the Sensitive Area using the generated symmetric key */
rc = wc_AesInit(&enc, NULL, INVALID_DEVID);
@ -1100,8 +1155,12 @@ int wolfTPM2_SensitiveToPrivate(TPM2B_SENSITIVE* sens, TPM2B_PRIVATE* priv,
rc = TPM2_KDFa(outerAlg, (TPM2B_DATA*)&sens->sensitiveArea.seedValue,
"INTEGRITY", NULL, NULL,
hmacKey.buffer, hmacKey.size);
if (rc != 0)
if (rc != hmacKey.size) {
#ifdef DEBUG_WOLFTPM
printf("KDFa INTEGRITY Gen Error %d\n", rc);
#endif
return rc;
}
/* setup HMAC */
rc = wc_HmacInit(&hmac_ctx, NULL, INVALID_DEVID);
@ -1154,12 +1213,7 @@ int wolfTPM2_ImportPrivateKey(WOLFTPM2_DEV* dev, const WOLFTPM2_KEY* parentKey,
/* set session auth for key */
if (parentKey != NULL) {
/* set session auth for parent key */
if (dev->ctx.authCmd) {
dev->ctx.authCmd[0].auth = parentKey->handle.auth;
dev->ctx.authCmd[0].symmetric =
parentKey->pub.publicArea.parameters.rsaDetail.symmetric;
}
wolfTPM2_SetAuthHandle(dev, 0, &parentKey->handle);
parentHandle = parentKey->handle.hndl;
}
else {
@ -1492,6 +1546,7 @@ int wolfTPM2_ReadPublicKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key,
key->handle.hndl = readPubIn.objectHandle;
key->handle.symmetric = readPubOut.outPublic.publicArea.parameters.asymDetail.symmetric;
key->handle.name = readPubOut.name;
key->pub = readPubOut.outPublic;
#ifdef DEBUG_WOLFTPM
@ -1747,9 +1802,7 @@ int wolfTPM2_NVStoreKey(WOLFTPM2_DEV* dev, TPM_HANDLE primaryHandle,
return TPM_RC_SUCCESS;
/* set session auth to blank */
if (dev->ctx.authCmd) {
XMEMSET(&dev->ctx.authCmd[0].auth, 0, sizeof(TPM2B_AUTH));
}
wolfTPM2_SetAuthPassword(dev, 0, NULL);
/* Move key into NV to persist */
XMEMSET(&in, 0, sizeof(in));
@ -1853,9 +1906,7 @@ int wolfTPM2_SignHashScheme(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key,
if (dev->ctx.authCmd) {
/* set session auth for key */
dev->ctx.authCmd[0].auth = key->handle.auth;
dev->ctx.authCmd[0].symmetric =
key->pub.publicArea.parameters.eccDetail.symmetric;
wolfTPM2_SetAuthHandle(dev, 0, &key->handle);
}
XMEMSET(&signIn, 0, sizeof(signIn));
@ -1959,11 +2010,7 @@ int wolfTPM2_VerifyHashScheme(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key,
digestSz = (int)sizeof(verifySigIn.digest.buffer);
/* set session auth for key */
if (dev->ctx.authCmd) {
dev->ctx.authCmd[0].auth = key->handle.auth;
dev->ctx.authCmd[0].symmetric =
key->pub.publicArea.parameters.eccDetail.symmetric;
}
wolfTPM2_SetAuthHandle(dev, 0, &key->handle);
XMEMSET(&verifySigIn, 0, sizeof(verifySigIn));
verifySigIn.keyHandle = key->handle.hndl;
@ -2079,11 +2126,7 @@ int wolfTPM2_ECDHGen(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* privKey,
}
/* set session auth for key */
if (dev->ctx.authCmd) {
dev->ctx.authCmd[0].auth = privKey->handle.auth;
dev->ctx.authCmd[0].symmetric =
privKey->pub.publicArea.parameters.eccDetail.symmetric;
}
wolfTPM2_SetAuthHandle(dev, 0, &privKey->handle);
XMEMSET(&ecdhIn, 0, sizeof(ecdhIn));
ecdhIn.keyHandle = privKey->handle.hndl;
@ -2701,6 +2744,7 @@ int wolfTPM2_NVReadPublic(WOLFTPM2_DEV* dev, word32 nvIndex,
if (nvPublic) {
XMEMCPY(nvPublic, &out.nvPublic.nvPublic, sizeof(*nvPublic));
}
/* TODO: For HMAC calc out.nvName will need captured */
return rc;
}
@ -3323,6 +3367,7 @@ int wolfTPM2_LoadKeyedHashKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key,
}
key->handle.hndl = loadOut.objectHandle;
key->handle.auth = createIn.inSensitive.sensitive.userAuth;
key->handle.name = loadOut.name;
#ifdef DEBUG_WOLFTPM
printf("wolfTPM2_LoadKeyedHashKey Key Handle 0x%x\n",
@ -3934,7 +3979,7 @@ int wolfTPM2_CryptoDevCb(int devId, wc_CryptoInfo* info, void* ctx)
#ifndef NO_RSA
/* RSA */
if (info->pk.type == WC_PK_TYPE_RSA_KEYGEN) {
/* TODO: */
/* TODO: Add crypto callback RSA keygen support */
#if 0
RsaKey* key;
int size;

3
wolftpm/tpm2.h
View File

@ -1572,12 +1572,13 @@ typedef struct TPMS_AUTH_COMMAND {
TPMA_SESSION sessionAttributes;
TPM2B_AUTH auth; /* spec has this as "hmac" */
/* Implementation specific */
/* Implementation specific - TODO: Consider finding a diff place */
/* These are used for parameter encrypt/decrypt */
TPM2B_NONCE nonceTPM;
/* The symmetric and hash algorithms to use */
TPMT_SYM_DEF symmetric;
TPMI_ALG_HASH authHash;
TPM2B_NAME name;
} TPMS_AUTH_COMMAND;
typedef struct TPMS_AUTH_RESPONSE {

2
wolftpm/tpm2_param_enc.h
View File

@ -35,8 +35,6 @@ WOLFTPM_API int TPM2_KDFa(
BYTE *key, UINT32 keySz
);
WOLFTPM_LOCAL int TPM2_ParamEnc_FindDecryptSession(TPM2_CTX *ctx);
WOLFTPM_LOCAL int TPM2_ParamEnc_FindEncryptSession(TPM2_CTX *ctx);
/* Perform encryption over the first parameter of a TPM packet */
WOLFTPM_LOCAL TPM_RC TPM2_ParamEnc_CmdRequest(TPMS_AUTH_COMMAND *session,
TPM2B_MAX_BUFFER *encryptedParameter,

15
wolftpm/tpm2_wrap.h
View File

@ -32,6 +32,7 @@ typedef struct WOLFTPM2_HANDLE {
TPM_HANDLE hndl;
TPM2B_AUTH auth;
TPMT_SYM_DEF symmetric;
TPM2B_NAME name;
} WOLFTPM2_HANDLE;
#define TPM_SES_PWD 0xFF /* Session type for Password that fits in one byte */
@ -42,7 +43,7 @@ typedef struct WOLFTPM2_SESSION {
TPM2B_NONCE nonceTPM; /* Value from StartAuthSession */
TPM2B_NONCE nonceCaller; /* Fresh nonce at each command */
TPM2B_DIGEST salt; /* User defined */
const char* bindPassword; /* User defined */
TPMI_ALG_HASH authHash;
} WOLFTPM2_SESSION;
typedef struct WOLFTPM2_DEV {
@ -53,7 +54,6 @@ typedef struct WOLFTPM2_DEV {
typedef struct WOLFTPM2_KEY {
WOLFTPM2_HANDLE handle;
TPM2B_PUBLIC pub;
TPM2B_NAME name;
} WOLFTPM2_KEY;
typedef struct WOLFTPM2_KEYBLOB {
@ -132,13 +132,12 @@ WOLFTPM_API int wolfTPM2_SelfTest(WOLFTPM2_DEV* dev);
WOLFTPM_API int wolfTPM2_GetCapabilities(WOLFTPM2_DEV* dev, WOLFTPM2_CAPS* caps);
WOLFTPM_API int wolfTPM2_SetAuth(WOLFTPM2_DEV* dev, int index,
TPM_HANDLE sessionHandle, TPM2B_AUTH* auth, TPMA_SESSION sessionAttributes);
WOLFTPM_API int wolfTPM2_SetAuthPassword(WOLFTPM2_DEV* dev, int index,
TPM2B_AUTH* auth, TPMA_SESSION sessionAttributes);
WOLFTPM_API int wolfTPM2_SetAuthHandle(WOLFTPM2_DEV* dev, int index,
WOLFTPM2_HANDLE* handle, TPMA_SESSION sessionAttributes);
TPM_HANDLE sessionHandle, const TPM2B_AUTH* auth, TPMA_SESSION sessionAttributes,
const TPM2B_NAME* name);
WOLFTPM_API int wolfTPM2_SetAuthPassword(WOLFTPM2_DEV* dev, int index, const TPM2B_AUTH* auth);
WOLFTPM_API int wolfTPM2_SetAuthHandle(WOLFTPM2_DEV* dev, int index, const WOLFTPM2_HANDLE* handle);
WOLFTPM_API int wolfTPM2_SetAuthSession(WOLFTPM2_DEV* dev, int index,
WOLFTPM2_SESSION* session, TPMA_SESSION sessionAttributes);
const WOLFTPM2_SESSION* session, TPMA_SESSION sessionAttributes);
WOLFTPM_API int wolfTPM2_StartSession(WOLFTPM2_DEV* dev,
WOLFTPM2_SESSION* session, WOLFTPM2_KEY* tpmKey,