diff options
author | James Bottomley <James.Bottomley@HansenPartnership.com> | 2021-02-20 13:11:51 -0800 |
---|---|---|
committer | James Bottomley <James.Bottomley@HansenPartnership.com> | 2021-02-26 14:46:20 -0800 |
commit | 30c6c83817862f2adc06161767ed510dbf65ae7a (patch) | |
tree | 04b5ee4b78ddee5d7389feeb140d92d63dd58c7c | |
parent | b58a76aa8bf4f11441435538d8bdd2fd717bdd62 (diff) | |
download | openssl_tpm2_engine-30c6c83817862f2adc06161767ed510dbf65ae7a.tar.gz |
move to functional TSS form
The IBM TSS uses a single execute primitive whereas the Intel one uses
a functional primitive. Neither can be exactly mapped, so create a
new functional primitive which can fill the gap between them. Since
the Intel TSS has no in/out structures, unwrap all the IBM in/out
structures into their respective components.
Finally, make tpm2_create used everywhere to become a wrapper for the
different context mechanisms.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rw-r--r-- | create_tpm2_key.c | 163 | ||||
-rw-r--r-- | e_tpm2-ecc.c | 82 | ||||
-rw-r--r-- | e_tpm2-rsa.c | 83 | ||||
-rw-r--r-- | e_tpm2.c | 13 | ||||
-rw-r--r-- | ibm-tss.h | 470 | ||||
-rw-r--r-- | load_tpm2_key.c | 16 | ||||
-rw-r--r-- | seal_tpm2_data.c | 33 | ||||
-rw-r--r-- | tpm2-common.c | 380 | ||||
-rw-r--r-- | unseal_tpm2_data.c | 22 |
9 files changed, 796 insertions, 466 deletions
diff --git a/create_tpm2_key.c b/create_tpm2_key.c index b2e5f9f..4d6b07e 100644 --- a/create_tpm2_key.c +++ b/create_tpm2_key.c @@ -690,36 +690,28 @@ TPM_RC wrap_key(TPMT_SENSITIVE *s, const char *password, EVP_PKEY *pkey) static void list_curves(void) { TSS_CONTEXT *tssContext; - GetCapability_In in; - GetCapability_Out out; + TPMS_CAPABILITY_DATA capabilityData; TPML_ECC_CURVE *c; const char *reason; TPM_RC rc; int i; - rc = TSS_Create(&tssContext); + rc = tpm2_create(&tssContext, NULL); if (rc) { reason = "TSS_Create"; goto out_err; } - in.capability = TPM_CAP_ECC_CURVES; - in.property = 0; - in.propertyCount = MAX_ECC_CURVES; + rc = tpm2_GetCapability(tssContext, TPM_CAP_ECC_CURVES, 0, + MAX_ECC_CURVES, NULL, &capabilityData); - rc = TSS_Execute(tssContext, - (RESPONSE_PARAMETERS *)&out, - (COMMAND_PARAMETERS *)&in, - NULL, - TPM_CC_GetCapability, - TPM_RH_NULL, NULL, 0); if (rc) { reason = "TPM2_GetCapability"; goto out_err; } TSS_Delete(tssContext); - c = (TPML_ECC_CURVE *)&(out.capabilityData.data); + c = (TPML_ECC_CURVE *)&(capabilityData.data); for (i = 0; i < c->count; i++) { const char *name = tpm2_curve_name_to_text(c->eccCurves[i]); @@ -757,8 +749,10 @@ void generate_symmetric(TPMT_PUBLIC *pub, TPMT_SENSITIVE *priv) switch (pub->type) { case TPM_ALG_RSA: TSS_Hash_Generate(&digest, - pub->unique.rsa.t.size, pub->unique.rsa.t.buffer, - priv->sensitive.rsa.t.size, priv->sensitive.rsa.t.buffer, + VAL_2B(pub->unique.rsa, size), + VAL_2B(pub->unique.rsa, buffer), + VAL_2B(priv->sensitive.rsa, size), + VAL_2B(priv->sensitive.rsa, buffer), 0, NULL); pub->parameters.rsaDetail.symmetric.algorithm = TPM_ALG_AES; pub->parameters.rsaDetail.symmetric.keyBits.aes = 128; @@ -766,9 +760,12 @@ void generate_symmetric(TPMT_PUBLIC *pub, TPMT_SENSITIVE *priv) break; case TPM_ALG_ECC: TSS_Hash_Generate(&digest, - pub->unique.ecc.x.t.size, pub->unique.ecc.x.t.buffer, - pub->unique.ecc.y.t.size, pub->unique.ecc.y.t.buffer, - priv->sensitive.ecc.t.size, priv->sensitive.ecc.t.buffer, + VAL_2B(pub->unique.ecc.x, size), + VAL_2B(pub->unique.ecc.x, buffer), + VAL_2B(pub->unique.ecc.y, size), + VAL_2B(pub->unique.ecc.y, buffer), + VAL_2B(priv->sensitive.ecc, size), + VAL_2B(priv->sensitive.ecc, buffer), 0, NULL); pub->parameters.eccDetail.symmetric.algorithm = TPM_ALG_AES; pub->parameters.eccDetail.symmetric.keyBits.aes = 128; @@ -778,11 +775,12 @@ void generate_symmetric(TPMT_PUBLIC *pub, TPMT_SENSITIVE *priv) /* impossible */ break; } - priv->seedValue.b.size = TSS_GetDigestSize(digest.hashAlg); - memcpy(priv->seedValue.b.buffer, digest.digest.tssmax, priv->seedValue.b.size); - pub->objectAttributes.val |= TPMA_OBJECT_RESTRICTED; + VAL_2B(priv->seedValue, size) = TSS_GetDigestSize(digest.hashAlg); + memcpy(VAL_2B(priv->seedValue, buffer), + &digest.digest, VAL_2B(priv->seedValue, size)); + VAL(pub->objectAttributes) |= TPMA_OBJECT_RESTRICTED; /* a restricted key can't sign */ - pub->objectAttributes.val &= ~TPMA_OBJECT_SIGN; + VAL(pub->objectAttributes) &= ~TPMA_OBJECT_SIGN; } int main(int argc, char **argv) @@ -796,10 +794,14 @@ int main(int argc, char **argv) BYTE pubkey[sizeof(TPM2B_PUBLIC)],privkey[sizeof(TPM2B_PRIVATE)], *buffer; uint16_t pubkey_len, privkey_len; int32_t size, key_size = 0; - Import_In iin; - Import_Out iout; - Create_In cin; - Create_Out cout; + TPM2B_PUBLIC objectPublic; + DATA_2B encryptionKey; + PRIVATE_2B duplicate; + ENCRYPTED_SECRET_2B inSymSeed; + TPMT_SYM_DEF_OBJECT symmetricAlg; + TPM2B_SENSITIVE_CREATE inSensitive; + TPM2B_PUBLIC outPublic; + PRIVATE_2B outPrivate; TPM2B_PUBLIC *pub; PRIVATE_2B *priv; char *key = NULL, *parent_auth = NULL, *import = NULL; @@ -984,8 +986,8 @@ int main(int argc, char **argv) TPMT_SENSITIVE s; /* steal existing private and public areas */ - pub = &iin.objectPublic; - priv = &iout.outPrivate.t; + pub = &objectPublic; + priv = &outPrivate; rc = NOT_TPM_ERROR; @@ -1006,10 +1008,10 @@ int main(int argc, char **argv) goto out_err; } if (policyFilename) { - pub->publicArea.objectAttributes.val &= + VAL(pub->publicArea.objectAttributes) &= ~TPMA_OBJECT_USERWITHAUTH; rc = TSS_TPM2B_Create( - &pub->publicArea.authPolicy.b, + (TPM2B *)&pub->publicArea.authPolicy, (uint8_t *)&digest.digest, sizeInBytes, sizeof(TPMU_HA)); if (rc) { @@ -1025,7 +1027,7 @@ int main(int argc, char **argv) } /* set the NODA flag */ - pub->publicArea.objectAttributes.val |= noda; + VAL(pub->publicArea.objectAttributes) |= noda; if (restricted) generate_symmetric(&pub->publicArea, &s); @@ -1071,36 +1073,34 @@ int main(int argc, char **argv) goto out_flush; } - iin.parentHandle = phandle; - - rc = RAND_bytes(iin.encryptionKey.t.buffer, T2_AES_KEY_BYTES); + rc = RAND_bytes(encryptionKey.buffer, T2_AES_KEY_BYTES); if (!rc) { reason = "Can't get a random AES key for parameter encryption"; goto out_flush; } - iin.encryptionKey.t.size = T2_AES_KEY_BYTES; + encryptionKey.size = T2_AES_KEY_BYTES; /* set random iin.symSeed */ - iin.inSymSeed.t.size = 0; - iin.symmetricAlg.algorithm = TPM_ALG_AES; - iin.symmetricAlg.keyBits.aes = T2_AES_KEY_BITS; - iin.symmetricAlg.mode.aes = TPM_ALG_CFB; + inSymSeed.size = 0; + symmetricAlg.algorithm = TPM_ALG_AES; + symmetricAlg.keyBits.aes = T2_AES_KEY_BITS; + symmetricAlg.mode.aes = TPM_ALG_CFB; rc = wrap_key(&s, auth, pkey); if (rc) { reason = "wrap_key"; goto out_flush; } - rc = openssl_to_tpm_public(&iin.objectPublic, pkey); + rc = openssl_to_tpm_public(&objectPublic, pkey); if (rc) { reason = "openssl_to_tpm_public"; goto out_flush; } if (policyFilename) { - iin.objectPublic.publicArea.objectAttributes.val &= + VAL(objectPublic.publicArea.objectAttributes) &= ~TPMA_OBJECT_USERWITHAUTH; rc = TSS_TPM2B_Create( - &iin.objectPublic.publicArea.authPolicy.b, + (TPM2B *)&objectPublic.publicArea.authPolicy, (uint8_t *)&digest.digest, sizeInBytes, sizeof(TPMU_HA)); if (rc) { @@ -1110,15 +1110,15 @@ int main(int argc, char **argv) } /* set the NODA flag */ - iin.objectPublic.publicArea.objectAttributes.val |= noda; + VAL(objectPublic.publicArea.objectAttributes) |= noda; if (restricted) - generate_symmetric(&iin.objectPublic.publicArea, &s); + generate_symmetric(&objectPublic.publicArea, &s); - rc = tpm2_innerwrap(&s, &iin.objectPublic.publicArea, - &iin.symmetricAlg, - &iin.encryptionKey.t, - &iin.duplicate.t); + rc = tpm2_innerwrap(&s, &objectPublic.publicArea, + &symmetricAlg, + &encryptionKey, + &duplicate); if (rc) { reason = "tpm2_innerwrap"; goto out_flush; @@ -1132,38 +1132,35 @@ int main(int argc, char **argv) goto out_flush; } - rc = TSS_Execute(tssContext, - (RESPONSE_PARAMETERS *)&iout, - (COMMAND_PARAMETERS *)&iin, - NULL, - TPM_CC_Import, - authHandle, parent_auth, TPMA_SESSION_DECRYPT, - TPM_RH_NULL, NULL, 0); + rc = tpm2_Import(tssContext, phandle, &encryptionKey, + &objectPublic, &duplicate, &inSymSeed, + &symmetricAlg, &outPrivate, authHandle, + parent_auth); if (rc) { reason = "TPM2_Import"; /* failure means auth handle is not flushed */ tpm2_flush_handle(tssContext, authHandle); goto out_flush; } - pub = &iin.objectPublic; - priv = &iout.outPrivate.t; + pub = &objectPublic; + priv = &outPrivate; } else { /* create a TPM resident key */ if (rsa) { - tpm2_public_template_rsa(&cin.inPublic.publicArea); - cin.inPublic.publicArea.parameters.rsaDetail.keyBits = key_size; - cin.inPublic.publicArea.parameters.rsaDetail.exponent = 0; - cin.inPublic.publicArea.unique.rsa.t.size = 0; + tpm2_public_template_rsa(&objectPublic.publicArea); + objectPublic.publicArea.parameters.rsaDetail.keyBits = key_size; + objectPublic.publicArea.parameters.rsaDetail.exponent = 0; + VAL_2B(objectPublic.publicArea.unique.rsa, size) = 0; } else { - tpm2_public_template_ecc(&cin.inPublic.publicArea, ecc); + tpm2_public_template_ecc(&objectPublic.publicArea, ecc); } if (policyFilename) { - cin.inPublic.publicArea.objectAttributes.val &= + VAL(objectPublic.publicArea.objectAttributes) &= ~TPMA_OBJECT_USERWITHAUTH; rc = TSS_TPM2B_Create( - &cin.inPublic.publicArea.authPolicy.b, + (TPM2B *)&objectPublic.publicArea.authPolicy, (uint8_t *)&digest.digest, sizeInBytes, sizeof(TPMU_HA)); if (rc) { @@ -1172,30 +1169,27 @@ int main(int argc, char **argv) } } - cin.inPublic.publicArea.objectAttributes.val |= + VAL(objectPublic.publicArea.objectAttributes) |= noda | TPMA_OBJECT_SENSITIVEDATAORIGIN; if (restricted) { - cin.inPublic.publicArea.objectAttributes.val |= + VAL(objectPublic.publicArea.objectAttributes) |= TPMA_OBJECT_RESTRICTED; - cin.inPublic.publicArea.objectAttributes.val &= + VAL(objectPublic.publicArea.objectAttributes) &= ~TPMA_OBJECT_SIGN; - cin.inPublic.publicArea.parameters.asymDetail.symmetric.algorithm = TPM_ALG_AES; - cin.inPublic.publicArea.parameters.asymDetail.symmetric.keyBits.aes = 128; - cin.inPublic.publicArea.parameters.asymDetail.symmetric.mode.aes = TPM_ALG_CFB; + objectPublic.publicArea.parameters.asymDetail.symmetric.algorithm = TPM_ALG_AES; + objectPublic.publicArea.parameters.asymDetail.symmetric.keyBits.aes = 128; + objectPublic.publicArea.parameters.asymDetail.symmetric.mode.aes = TPM_ALG_CFB; } if (auth) { int len = strlen(auth); - memcpy(&cin.inSensitive.sensitive.userAuth.b.buffer, + memcpy(&VAL_2B(inSensitive.sensitive.userAuth, buffer), auth, len); - cin.inSensitive.sensitive.userAuth.b.size = len; + VAL_2B(inSensitive.sensitive.userAuth, size) = len; } else { - cin.inSensitive.sensitive.userAuth.b.size = 0; + VAL_2B(inSensitive.sensitive.userAuth, size) = 0; } - cin.inSensitive.sensitive.data.t.size = 0; - cin.parentHandle = phandle; - cin.outsideInfo.t.size = 0; - cin.creationPCR.count = 0; + VAL_2B(inSensitive.sensitive.data, size) = 0; /* use salted parameter encryption to hide the key */ rc = tpm2_get_session_handle(tssContext, &authHandle, phandle, @@ -1205,13 +1199,10 @@ int main(int argc, char **argv) goto out_flush; } - rc = TSS_Execute(tssContext, - (RESPONSE_PARAMETERS *)&cout, - (COMMAND_PARAMETERS *)&cin, - NULL, - TPM_CC_Create, - authHandle, parent_auth, TPMA_SESSION_DECRYPT, - TPM_RH_NULL, NULL, 0); + rc = tpm2_Create(tssContext, phandle, &inSensitive, + &objectPublic, &outPrivate, &outPublic, + authHandle, parent_auth); + if (rc) { reason = "TPM2_Create"; /* failure means auth handle is not flushed */ @@ -1219,8 +1210,8 @@ int main(int argc, char **argv) goto out_flush; } - pub = &cout.outPublic; - priv = &cout.outPrivate.t; + pub = &outPublic; + priv = &outPrivate; } tpm2_flush_srk(tssContext, phandle); TSS_Delete(tssContext); diff --git a/e_tpm2-ecc.c b/e_tpm2-ecc.c index f0e9e9a..6ed7afa 100644 --- a/e_tpm2-ecc.c +++ b/e_tpm2-ecc.c @@ -122,8 +122,10 @@ static ECDSA_SIG *tpm2_ecdsa_sign(const unsigned char *dgst, int dgst_len, EC_KEY *eck) { TPM_RC rc; - Sign_In in; - Sign_Out out; + TPM_HANDLE keyHandle; + DIGEST_2B digest; + TPMT_SIG_SCHEME inScheme; + TPMT_SIGNATURE signature; TSS_CONTEXT *tssContext; char *auth; TPM_HANDLE authHandle; @@ -138,17 +140,17 @@ static ECDSA_SIG *tpm2_ecdsa_sign(const unsigned char *dgst, int dgst_len, * calculate that from the size */ switch (dgst_len) { case SHA_DIGEST_LENGTH: - in.inScheme.details.ecdsa.hashAlg = TPM_ALG_SHA1; + inScheme.details.ecdsa.hashAlg = TPM_ALG_SHA1; break; case SHA256_DIGEST_LENGTH: - in.inScheme.details.ecdsa.hashAlg = TPM_ALG_SHA256; + inScheme.details.ecdsa.hashAlg = TPM_ALG_SHA256; break; case SHA384_DIGEST_LENGTH: - in.inScheme.details.ecdsa.hashAlg = TPM_ALG_SHA384; + inScheme.details.ecdsa.hashAlg = TPM_ALG_SHA384; break; #ifdef TPM_ALG_SHA512 case SHA512_DIGEST_LENGTH: - in.inScheme.details.ecdsa.hashAlg = TPM_ALG_SHA512; + inScheme.details.ecdsa.hashAlg = TPM_ALG_SHA512; break; #endif default: @@ -156,20 +158,17 @@ static ECDSA_SIG *tpm2_ecdsa_sign(const unsigned char *dgst, int dgst_len, return NULL; } - in.keyHandle = tpm2_load_key_from_ecc(eck, &tssContext, &auth, - &sessionType, &num_commands, - &commands, &nameAlg); - if (in.keyHandle == 0) { + keyHandle = tpm2_load_key_from_ecc(eck, &tssContext, &auth, + &sessionType, &num_commands, + &commands, &nameAlg); + if (keyHandle == 0) { fprintf(stderr, "Failed to get Key Handle in TPM EC key routines\n"); return NULL; } - in.inScheme.scheme = TPM_ALG_ECDSA; - in.digest.t.size = dgst_len; - memcpy(in.digest.t.buffer, dgst, dgst_len); - in.validation.tag = TPM_ST_HASHCHECK; - in.validation.hierarchy = TPM_RH_NULL; - in.validation.digest.t.size = 0; + inScheme.scheme = TPM_ALG_ECDSA; + digest.size = dgst_len; + memcpy(digest.buffer, dgst, dgst_len); sig = NULL; rc = tpm2_get_session_handle(tssContext, &authHandle, 0, sessionType, @@ -184,13 +183,8 @@ static ECDSA_SIG *tpm2_ecdsa_sign(const unsigned char *dgst, int dgst_len, goto out; } - rc = TSS_Execute(tssContext, - (RESPONSE_PARAMETERS *)&out, - (COMMAND_PARAMETERS *)&in, - NULL, - TPM_CC_Sign, - authHandle, auth, 0, - TPM_RH_NULL, NULL, 0); + rc = tpm2_Sign(tssContext, keyHandle, &digest, &inScheme, &signature, + authHandle, auth); if (rc) { tpm2_error(rc, "TPM2_Sign"); tpm2_flush_handle(tssContext, authHandle); @@ -201,11 +195,11 @@ static ECDSA_SIG *tpm2_ecdsa_sign(const unsigned char *dgst, int dgst_len, if (!sig) goto out; - r = BN_bin2bn(out.signature.signature.ecdsa.signatureR.t.buffer, - out.signature.signature.ecdsa.signatureR.t.size, + r = BN_bin2bn(VAL_2B(signature.signature.ecdsa.signatureR, buffer), + VAL_2B(signature.signature.ecdsa.signatureR, size), NULL); - s = BN_bin2bn(out.signature.signature.ecdsa.signatureS.t.buffer, - out.signature.signature.ecdsa.signatureS.t.size, + s = BN_bin2bn(VAL_2B(signature.signature.ecdsa.signatureS, buffer), + VAL_2B(signature.signature.ecdsa.signatureS, size), NULL); #if OPENSSL_VERSION_NUMBER < 0x10100000 @@ -215,7 +209,7 @@ static ECDSA_SIG *tpm2_ecdsa_sign(const unsigned char *dgst, int dgst_len, ECDSA_SIG_set0(sig, r, s); #endif out: - tpm2_unload_key(tssContext, in.keyHandle); + tpm2_unload_key(tssContext, keyHandle); return sig; } @@ -223,8 +217,9 @@ static int tpm2_ecc_compute_key(unsigned char **psec, size_t *pseclen, const EC_POINT *pt, const EC_KEY *eck) { TPM_RC rc; - ECDH_ZGen_In in; - ECDH_ZGen_Out out; + TPM_HANDLE keyHandle; + TPM2B_ECC_POINT inPoint; + TPM2B_ECC_POINT outPoint; TSS_CONTEXT *tssContext; TPM_HANDLE authHandle; TPM_SE sessionType; @@ -235,14 +230,14 @@ static int tpm2_ecc_compute_key(unsigned char **psec, size_t *pseclen, TPM_ALG_ID nameAlg; int ret; - in.keyHandle = tpm2_load_key_from_ecc(eck, &tssContext, &auth, - &sessionType, &num_commands, - &commands, &nameAlg); - if (in.keyHandle == 0) { + keyHandle = tpm2_load_key_from_ecc(eck, &tssContext, &auth, + &sessionType, &num_commands, + &commands, &nameAlg); + if (keyHandle == 0) { fprintf(stderr, "Failed to get Key Handle in TPM EC key routines\n"); return 0; } - len = tpm2_get_public_point(&in.inPoint, EC_KEY_get0_group(eck), pt); + len = tpm2_get_public_point(&inPoint, EC_KEY_get0_group(eck), pt); if (!len) return 0; @@ -259,13 +254,8 @@ static int tpm2_ecc_compute_key(unsigned char **psec, size_t *pseclen, goto out; } - rc = TSS_Execute(tssContext, - (RESPONSE_PARAMETERS *)&out, - (COMMAND_PARAMETERS *)&in, - NULL, - TPM_CC_ECDH_ZGen, - authHandle, auth, TPMA_SESSION_ENCRYPT, - TPM_RH_NULL, NULL, 0); + rc = tpm2_ECDH_ZGen(tssContext, keyHandle, &inPoint, &outPoint, + authHandle, auth); if (rc) { tpm2_error(rc, "TPM2_ECDH_ZGen"); tpm2_flush_handle(tssContext, authHandle); @@ -279,12 +269,12 @@ static int tpm2_ecc_compute_key(unsigned char **psec, size_t *pseclen, memset(*psec, 0, len); /* zero pad the X point */ - memcpy(*psec + len - out.outPoint.point.x.t.size, - out.outPoint.point.x.t.buffer, - out.outPoint.point.x.t.size); + memcpy(*psec + len - VAL_2B(outPoint.point.x, size), + VAL_2B(outPoint.point.x, buffer), + VAL_2B(outPoint.point.x, size)); ret = 1; out: - tpm2_unload_key(tssContext, in.keyHandle); + tpm2_unload_key(tssContext, keyHandle); return ret; } diff --git a/e_tpm2-rsa.c b/e_tpm2-rsa.c index 3a5ef8d..c90b6d2 100644 --- a/e_tpm2-rsa.c +++ b/e_tpm2-rsa.c @@ -153,9 +153,11 @@ static int tpm2_rsa_priv_dec(int flen, { TPM_RC rc; int rv; - RSA_Decrypt_In in; - RSA_Decrypt_Out out; TSS_CONTEXT *tssContext; + TPM_HANDLE keyHandle; + PUBLIC_KEY_RSA_2B cipherText; + TPMT_RSA_DECRYPT inScheme; + PUBLIC_KEY_RSA_2B message; char *auth; TPM_HANDLE authHandle; TPM_SE sessionType; @@ -163,11 +165,11 @@ static int tpm2_rsa_priv_dec(int flen, struct policy_command *commands; TPM_ALG_ID nameAlg; - in.keyHandle = tpm2_load_key_from_rsa(rsa, &tssContext, &auth, - &sessionType, &num_commands, - &commands, &nameAlg); + keyHandle = tpm2_load_key_from_rsa(rsa, &tssContext, &auth, + &sessionType, &num_commands, + &commands, &nameAlg); - if (in.keyHandle == 0) { + if (keyHandle == 0) { fprintf(stderr, "Failed to get Key Handle in TPM RSA key routines\n"); return -1; @@ -175,21 +177,20 @@ static int tpm2_rsa_priv_dec(int flen, rv = -1; if (padding == RSA_PKCS1_PADDING) { - in.inScheme.scheme = TPM_ALG_RSAES; + inScheme.scheme = TPM_ALG_RSAES; } else if (padding == RSA_NO_PADDING) { - in.inScheme.scheme = TPM_ALG_NULL; + inScheme.scheme = TPM_ALG_NULL; } else if (padding == RSA_PKCS1_OAEP_PADDING) { - in.inScheme.scheme = TPM_ALG_OAEP; + inScheme.scheme = TPM_ALG_OAEP; /* for openssl RSA, the padding is hard coded */ - in.inScheme.details.oaep.hashAlg = TPM_ALG_SHA1; + inScheme.details.oaep.hashAlg = TPM_ALG_SHA1; } else { fprintf(stderr, "Can't process padding type: %d\n", padding); goto out; } - in.cipherText.t.size = flen; - memcpy(in.cipherText.t.buffer, from, flen); - in.label.t.size = 0; + cipherText.size = flen; + memcpy(cipherText.buffer, from, flen); rc = tpm2_get_session_handle(tssContext, &authHandle, 0, sessionType, nameAlg); @@ -203,13 +204,9 @@ static int tpm2_rsa_priv_dec(int flen, goto out; } - rc = TSS_Execute(tssContext, - (RESPONSE_PARAMETERS *)&out, - (COMMAND_PARAMETERS *)&in, - NULL, - TPM_CC_RSA_Decrypt, - authHandle, auth, TPMA_SESSION_ENCRYPT, - TPM_RH_NULL, NULL, 0); + rc = tpm2_RSA_Decrypt(tssContext, keyHandle, &cipherText, &inScheme, + &message, authHandle, auth, TPMA_SESSION_ENCRYPT); + if (rc) { tpm2_error(rc, "TPM2_RSA_Decrypt"); /* failure means auth handle is not flushed */ @@ -217,12 +214,11 @@ static int tpm2_rsa_priv_dec(int flen, goto out; } - memcpy(to, out.message.t.buffer, - out.message.t.size); + memcpy(to, message.buffer, message.size); - rv = out.message.t.size; + rv = message.size; out: - tpm2_unload_key(tssContext, in.keyHandle); + tpm2_unload_key(tssContext, keyHandle); return rv; } @@ -234,8 +230,10 @@ static int tpm2_rsa_priv_enc(int flen, { TPM_RC rc; int rv, size; - RSA_Decrypt_In in; - RSA_Decrypt_Out out; + TPM_HANDLE keyHandle; + PUBLIC_KEY_RSA_2B cipherText; + TPMT_RSA_DECRYPT inScheme; + PUBLIC_KEY_RSA_2B message; TSS_CONTEXT *tssContext; char *auth; TPM_HANDLE authHandle; @@ -251,29 +249,28 @@ static int tpm2_rsa_priv_enc(int flen, * TPM_ALG_NULL, which means no padding check, a decrypt * operation effectively becomes an encrypt */ size = RSA_size(rsa); - in.inScheme.scheme = TPM_ALG_NULL; - in.cipherText.t.size = size; - in.label.t.size = 0; + inScheme.scheme = TPM_ALG_NULL; + cipherText.size = size; /* note: currently openssl doesn't do OAEP signatures and all * PSS signatures are padded and handled in the RSA layer * as a no-padding private encryption */ if (padding == RSA_PKCS1_PADDING) { - RSA_padding_add_PKCS1_type_1(in.cipherText.t.buffer, size, + RSA_padding_add_PKCS1_type_1(cipherText.buffer, size, from, flen); } else if (padding == RSA_NO_PADDING) { /* do nothing, we're already doing a no padding encrypt */ - memcpy(in.cipherText.t.buffer, from, size); + memcpy(cipherText.buffer, from, size); } else { fprintf(stderr, "Can't process padding type: %d\n", padding); return -1; } - in.keyHandle = tpm2_load_key_from_rsa(rsa, &tssContext, &auth, - &sessionType, &num_commands, - &commands, &nameAlg); + keyHandle = tpm2_load_key_from_rsa(rsa, &tssContext, &auth, + &sessionType, &num_commands, + &commands, &nameAlg); - if (in.keyHandle == 0) { + if (keyHandle == 0) { fprintf(stderr, "Failed to get Key Handle in TPM RSA routines\n"); return -1; @@ -292,13 +289,8 @@ static int tpm2_rsa_priv_enc(int flen, goto out; } - rc = TSS_Execute(tssContext, - (RESPONSE_PARAMETERS *)&out, - (COMMAND_PARAMETERS *)&in, - NULL, - TPM_CC_RSA_Decrypt, - authHandle, auth, TPMA_SESSION_DECRYPT, - TPM_RH_NULL, NULL, 0); + rc = tpm2_RSA_Decrypt(tssContext, keyHandle, &cipherText, &inScheme, + &message, authHandle, auth, TPMA_SESSION_DECRYPT); if (rc) { tpm2_error(rc, "TPM2_RSA_Decrypt"); @@ -307,13 +299,12 @@ static int tpm2_rsa_priv_enc(int flen, goto out; } - memcpy(to, out.message.t.buffer, - out.message.t.size); + memcpy(to, message.buffer, message.size); - rv = out.message.t.size; + rv = message.size; out: - tpm2_unload_key(tssContext, in.keyHandle); + tpm2_unload_key(tssContext, keyHandle); return rv; } @@ -147,23 +147,14 @@ static int tpm2_engine_load_nvkey(ENGINE *e, EVP_PKEY **ppkey, } app_data->key = key; - if (p.objectAttributes.val & TPMA_OBJECT_NODA) { + if (VAL(p.objectAttributes) & TPMA_OBJECT_NODA) { /* no DA implications, try an authorization and see * if NULL is accepted */ - ReadPublic_In rin; - ReadPublic_Out rout; TPM_HANDLE session; - rin.objectHandle = key; rc = tpm2_get_bound_handle(tssContext, &session, key, NULL); if (rc == TPM_RC_SUCCESS) { - rc = TSS_Execute(tssContext, - (RESPONSE_PARAMETERS *)&rout, - (COMMAND_PARAMETERS *)&rin, - NULL, - TPM_CC_ReadPublic, - session, NULL, TPMA_SESSION_ENCRYPT, - TPM_RH_NULL, NULL, 0); + rc = tpm2_ReadPublic(tssContext, key, NULL, session); if (rc) tpm2_flush_handle(tssContext, session); } @@ -10,3 +10,473 @@ #define VAL(X) X.val #define VAL_2B(X, MEMBER) X.b.MEMBER #define VAL_2B_P(X, MEMBER) X->b.MEMBER + +static inline void +tpm2_error(TPM_RC rc, const char *reason) +{ + const char *msg, *submsg, *num; + + fprintf(stderr, "%s failed with %d\n", reason, rc); + TSS_ResponseCode_toString(&msg, &submsg, &num, rc); + fprintf(stderr, "%s%s%s\n", msg, submsg, num); +} + + +static inline TPM_RC +tpm2_GetCapability(TSS_CONTEXT *tssContext, TPM_CAP capability, + UINT32 property, UINT32 propertyCount, + TPMI_YES_NO *moreData, TPMS_CAPABILITY_DATA *capabilityData) +{ + GetCapability_In in; + GetCapability_Out out; + TPM_RC rc; + + in.capability = capability; + in.property = property; + in.propertyCount = propertyCount; + + rc = TSS_Execute(tssContext, + (RESPONSE_PARAMETERS *)&out, + (COMMAND_PARAMETERS *)&in, + NULL, + TPM_CC_GetCapability, + TPM_RH_NULL, NULL, 0); + + if (moreData) + *moreData = out.moreData; + if (capabilityData) + *capabilityData = out.capabilityData; + + return rc; +} + +static inline TPM_RC +tpm2_Import(TSS_CONTEXT *tssContext, TPM_HANDLE parentHandle, + DATA_2B *encryptionKey, TPM2B_PUBLIC *objectPublic, + PRIVATE_2B *duplicate, ENCRYPTED_SECRET_2B *inSymSeed, + TPMT_SYM_DEF_OBJECT *symmetricAlg, PRIVATE_2B *outPrivate, + TPM_HANDLE auth, const char *authVal) +{ + Import_In iin; + Import_Out iout; + TPM_RC rc; + + iin.parentHandle = parentHandle; + iin.encryptionKey.t = *encryptionKey; + iin.objectPublic = *objectPublic; + iin.duplicate.t = *duplicate; + iin.inSymSeed.t = *inSymSeed; + iin.symmetricAlg = *symmetricAlg; + + rc = TSS_Execute(tssContext, + (RESPONSE_PARAMETERS *)&iout, + (COMMAND_PARAMETERS *)&iin, + NULL, + TPM_CC_Import, + auth, authVal, TPMA_SESSION_DECRYPT, + TPM_RH_NULL, NULL, 0); + + *outPrivate = iout.outPrivate.t; + + return rc; +} + +static inline TPM_RC +tpm2_Create(TSS_CONTEXT *tssContext, TPM_HANDLE parentHandle, + TPM2B_SENSITIVE_CREATE *inSensitive, TPM2B_PUBLIC *inPublic, + PRIVATE_2B *outPrivate, TPM2B_PUBLIC *outPublic, + TPM_HANDLE auth, const char *authVal) +{ + Create_In cin; + Create_Out cout; + TPM_RC rc; + + cin.parentHandle = parentHandle; + cin.inSensitive = *inSensitive; + cin.inPublic = *inPublic; + cin.outsideInfo.t.size = 0; + cin.creationPCR.count = 0; + + rc = TSS_Execute(tssContext, + (RESPONSE_PARAMETERS *)&cout, + (COMMAND_PARAMETERS *)&cin, + NULL, + TPM_CC_Create, + auth, authVal, TPMA_SESSION_DECRYPT, + TPM_RH_NULL, NULL, 0); + + *outPrivate = cout.outPrivate.t; + *outPublic = cout.outPublic; + + return rc; +} + +static inline TPM_RC +tpm2_Unseal(TSS_CONTEXT *tssContext, TPM_HANDLE itemHandle, + SENSITIVE_DATA_2B *outData, TPM_HANDLE auth, + const char *authVal) +{ + Unseal_In uin; + Unseal_Out uout; + TPM_RC rc; + + uin.itemHandle = itemHandle; + + rc = TSS_Execute(tssContext, + (RESPONSE_PARAMETERS *)&uout, + (COMMAND_PARAMETERS *)&uin, + NULL, + TPM_CC_Unseal, + auth, authVal, TPMA_SESSION_ENCRYPT, + TPM_RH_NULL, NULL, 0); + + return rc; +} + +static inline TPM_RC +tpm2_EvictControl(TSS_CONTEXT *tssContext, TPM_HANDLE objectHandle, + TPM_HANDLE persistentHandle) +{ + EvictControl_In ein; + TPM_RC rc; + + ein.auth = TPM_RH_OWNER; + ein.objectHandle = objectHandle; + ein.persistentHandle = persistentHandle; + + rc = TSS_Execute(tssContext, + NULL, + (COMMAND_PARAMETERS *)&ein, + NULL, + TPM_CC_EvictControl, + TPM_RS_PW, NULL, 0, + TPM_RH_NULL, NULL, 0); + + return rc; +} + +static inline TPM_RC +tpm2_ReadPublic(TSS_CONTEXT *tssContext, TPM_HANDLE objectHandle, + TPMT_PUBLIC *pub, TPM_HANDLE auth) +{ + ReadPublic_In rin; + ReadPublic_Out rout; + TPM_RC rc; + UINT32 flags = 0; + + if (auth != TPM_RH_NULL) + flags = TPMA_SESSION_ENCRYPT; + + rin.objectHandle = objectHandle; + + rc = TSS_Execute (tssContext, + (RESPONSE_PARAMETERS *)&rout, + (COMMAND_PARAMETERS *)&rin, + NULL, + TPM_CC_ReadPublic, + auth, NULL, flags, + TPM_RH_NULL, NULL, 0); + + if (rc) { + tpm2_error(rc, "TPM2_ReadPublic"); + return rc; + } + + if (pub) + *pub = rout.outPublic.publicArea; + + return rc; +} + +static inline TPM_RC +tpm2_RSA_Decrypt(TSS_CONTEXT *tssContext, TPM_HANDLE keyHandle, + PUBLIC_KEY_RSA_2B *cipherText, TPMT_RSA_DECRYPT *inScheme, + PUBLIC_KEY_RSA_2B *message, + TPM_HANDLE auth, const char *authVal, int flags) +{ + RSA_Decrypt_In in; + RSA_Decrypt_Out out; + TPM_RC rc; + + in.keyHandle = keyHandle; + in.inScheme = *inScheme; + in.cipherText.t = *cipherText; + in.label.t.size = 0; + + rc = TSS_Execute(tssContext, + (RESPONSE_PARAMETERS *)&out, + (COMMAND_PARAMETERS *)&in, + NULL, + TPM_CC_RSA_Decrypt, + auth, authVal, flags, + TPM_RH_NULL, NULL, 0); + + *message = out.message.t; + + return rc; +} + +static inline TPM_RC +tpm2_Sign(TSS_CONTEXT *tssContext, TPM_HANDLE keyHandle, DIGEST_2B *digest, + TPMT_SIG_SCHEME *inScheme, TPMT_SIGNATURE *signature, + TPM_HANDLE auth, const char *authVal) +{ + Sign_In in; + Sign_Out out; + TPM_RC rc; + + in.keyHandle = keyHandle; + in.digest.t = *digest; + in.inScheme = *inScheme; + in.validation.tag = TPM_ST_HASHCHECK; + in.validation.hierarchy = TPM_RH_NULL; + in.validation.digest.t.size = 0; + + rc = TSS_Execute(tssContext, + (RESPONSE_PARAMETERS *)&out, + (COMMAND_PARAMETERS *)&in, + NULL, + TPM_CC_Sign, + auth, authVal, 0, + TPM_RH_NULL, NULL, 0); + + *signature = out.signature; + + return rc; +} + +static inline TPM_RC +tpm2_ECDH_ZGen(TSS_CONTEXT *tssContext, TPM_HANDLE keyHandle, + TPM2B_ECC_POINT *inPoint, TPM2B_ECC_POINT *outPoint, + TPM_HANDLE auth, const char *authVal) +{ + ECDH_ZGen_In in; + ECDH_ZGen_Out out; + TPM_RC rc; + + in.keyHandle = keyHandle; + in.inPoint = *inPoint; + + rc = TSS_Execute(tssContext, + (RESPONSE_PARAMETERS *)&out, + (COMMAND_PARAMETERS *)&in, + NULL, + TPM_CC_ECDH_ZGen, + auth, authVal, TPMA_SESSION_ENCRYPT, + TPM_RH_NULL, NULL, 0); + + *outPoint = out.outPoint; + + return rc; +} + +static inline TPM_RC +tpm2_CreatePrimary(TSS_CONTEXT *tssContext, TPM_HANDLE primaryHandle, + TPM2B_SENSITIVE_CREATE *inSensitive, + TPM2B_PUBLIC *inPublic, TPM_HANDLE *objectHandle, + TPM2B_PUBLIC *outPublic, + TPM_HANDLE auth, const char *authVal) +{ + CreatePrimary_In in; + CreatePrimary_Out out; + TPM_RC rc; + + in.primaryHandle = primaryHandle; + in.inSensitive = *inSensitive; + in.inPublic = *inPublic; + /* no outside info */ + in.outsideInfo.t.size = 0; + /* no PCR state */ + in.creationPCR.count = 0; + + rc = TSS_Execute(tssContext, + (RESPONSE_PARAMETERS *)&out, + (COMMAND_PARAMETERS *)&in, + NULL, + TPM_CC_CreatePrimary, + auth, authVal, TPMA_SESSION_DECRYPT, + TPM_RH_NULL, NULL, 0); + + *objectHandle = out.objectHandle; + if (outPublic) + *outPublic = out.outPublic; + + return rc; +} + +static inline TPM_RC +tpm2_FlushContext(TSS_CONTEXT *tssContext, TPM_HANDLE flushHandle) +{ + FlushContext_In in; + TPM_RC rc; + + in.flushHandle = flushHandle; + + rc = TSS_Execute(tssContext, + NULL, + (COMMAND_PARAMETERS *)&in, + NULL, + TPM_CC_FlushContext, + TPM_RH_NULL, NULL, 0); + + return rc; +} + +static inline TPM_RC +tpm2_ECC_Parameters(TSS_CONTEXT *tssContext, TPMI_ECC_CURVE curveID, + TPMS_ALGORITHM_DETAIL_ECC *parameters) +{ + ECC_Parameters_In in; + ECC_Parameters_Out out; + TPM_RC rc; + + in.curveID = curveID; + + rc = TSS_Execute(tssContext, + (RESPONSE_PARAMETERS *)&out, + (COMMAND_PARAMETERS *)&in, + NULL, + TPM_CC_ECC_Parameters, + TPM_RH_NULL, NULL, 0); + + if (parameters) + *parameters = out.parameters; + + return rc; +} + +static inline TPM_RC +tpm2_StartAuthSession(TSS_CONTEXT *tssContext, TPM_HANDLE tpmKey, + TPM_HANDLE bind, TPM_SE sessionType, + TPMT_SYM_DEF *symmetric, TPMI_ALG_HASH authHash, + TPM_HANDLE *sessionHandle, + const char *bindPassword) +{ + StartAuthSession_In in; + StartAuthSession_Out out; + StartAuthSession_Extra extra; + TPM_RC rc; + + memset(&in, 0, sizeof(in)); + memset(&extra, 0 , sizeof(extra)); + + extra.bindPassword = bindPassword; + + in.tpmKey = tpmKey; + in.bind = bind; + in.sessionType = sessionType; + in.symmetric = *symmetric; + in.authHash = authHash; + + if (tpmKey != TPM_RH_NULL) { + /* For the TSS to use a key as salt, it must have + * access to the public part. It does this by keeping + * key files, but request the public part just to make + * sure*/ + tpm2_ReadPublic(tssContext, tpmKey, NULL, TPM_RH_NULL); + /* don't care what rout returns, the purpose of the + * operation was to get the public key parameters into + * the tss so it can construct the salt */ + } + + rc = TSS_Execute(tssContext, + (RESPONSE_PARAMETERS *)&out, + (COMMAND_PARAMETERS *)&in, + (EXTRA_PARAMETERS *)&extra, + TPM_CC_StartAuthSession, + TPM_RH_NULL, NULL, 0); + + *sessionHandle = out.sessionHandle; + + return rc; +} + +static inline TPM_RC +tpm2_Load(TSS_CONTEXT *tssContext, TPM_HANDLE parentHandle, + PRIVATE_2B *inPrivate, TPM2B_PUBLIC *inPublic, + TPM_HANDLE *objectHandle, + TPM_HANDLE auth, const char *authVal) +{ + Load_In in; + Load_Out out; + TPM_RC rc; + + in.parentHandle = parentHandle; + in.inPrivate.t = *inPrivate; + in.inPublic = *inPublic; + + rc = TSS_Execute(tssContext, + (RESPONSE_PARAMETERS *)&out, + (COMMAND_PARAMETERS *)&in, + NULL, + TPM_CC_Load, + auth, authVal, 0, + TPM_RH_NULL, NULL, 0); + + if (rc == TPM_RC_SUCCESS) + *objectHandle = out.objectHandle; + + return rc; +} + +static inline TPM_RC +tpm2_PolicyPCR(TSS_CONTEXT *tssContext, TPM_HANDLE policySession, + DIGEST_2B *pcrDigest, TPML_PCR_SELECTION *pcrs) +{ + PolicyPCR_In in; + TPM_RC rc; + + in.policySession = policySession; + in.pcrDigest.t = *pcrDigest; + in.pcrs = *pcrs; + + rc = TSS_Execute(tssContext, + NULL, + (COMMAND_PARAMETERS *)&in, + NULL, + TPM_CC_PolicyPCR, + TPM_RH_NULL, NULL, 0); + + return rc; +} + +static inline TPM_RC +tpm2_PolicyAuthValue(TSS_CONTEXT *tssContext, TPM_HANDLE policySession) +{ + PolicyAuthValue_In in; + TPM_RC rc; + + in.policySession = policySession; + + rc = TSS_Execute(tssContext, + NULL, + (COMMAND_PARAMETERS *)&in, + NULL, + TPM_CC_PolicyAuthValue, + TPM_RH_NULL, NULL, 0); + + return rc; +} + +static inline TPM_RC +tpm2_PolicyCounterTimer(TSS_CONTEXT *tssContext, TPM_HANDLE policySession, + DIGEST_2B *operandB, UINT16 offset, + TPM_EO operation) +{ + PolicyCounterTimer_In in; + TPM_RC rc; + + in.policySession = policySession; + in.operandB.t = *operandB; + in.offset = offset; + in.operation = operation; + + rc = TSS_Execute(tssContext, + NULL, + (COMMAND_PARAMETERS *)&in, + NULL, + TPM_CC_PolicyCounterTimer, + TPM_RH_NULL, NULL, 0); + + return rc; +} diff --git a/load_tpm2_key.c b/load_tpm2_key.c index 124af6a..65148e6 100644 --- a/load_tpm2_key.c +++ b/load_tpm2_key.c @@ -73,7 +73,7 @@ int main(int argc, char **argv) int force = 0; TSS_CONTEXT *tssContext; TPM_RC rc; - EvictControl_In ein; + TPM_HANDLE objectHandle; char *auth = NULL; int ret = 1; struct app_data *app_data; @@ -147,23 +147,15 @@ int main(int argc, char **argv) goto out; }; - ein.auth = TPM_RH_OWNER; - ein.objectHandle = ret; + objectHandle = ret; ret = 1; /* set up error return */ - ein.persistentHandle = nvindex; - rc = TSS_Execute(tssContext, - NULL, - (COMMAND_PARAMETERS *)&ein, - NULL, - TPM_CC_EvictControl, - TPM_RS_PW, NULL, 0, - TPM_RH_NULL, NULL, 0); + rc = tpm2_EvictControl(tssContext, objectHandle, nvindex); if (rc) tpm2_error(rc, "TPM2_EvictControl"); else ret = 0; - tpm2_flush_handle(tssContext, ein.objectHandle); + tpm2_flush_handle(tssContext, objectHandle); out: TSS_Delete(tssContext); diff --git a/seal_tpm2_data.c b/seal_tpm2_data.c index d9e99a7..c18fbcd 100644 --- a/seal_tpm2_data.c +++ b/seal_tpm2_data.c @@ -93,10 +93,13 @@ int main(int argc, char **argv) uint32_t sizeInBytes; TPM_HANDLE authHandle; STACK_OF(TSSOPTPOLICY) *sk = NULL; - Create_In cin; - Create_Out cout; - TPMS_SENSITIVE_CREATE *s = &cin.inSensitive.sensitive; - TPMT_PUBLIC *p = &cin.inPublic.publicArea; + TPM2B_SENSITIVE_CREATE inSensitive; + TPM2B_PUBLIC inPublic; + PRIVATE_2B outPrivate; + TPM2B_PUBLIC outPublic; + + TPMS_SENSITIVE_CREATE *s = &inSensitive.sensitive; + TPMT_PUBLIC *p = &inPublic.publicArea; BYTE pubkey[sizeof(TPM2B_PUBLIC)]; BYTE privkey[sizeof(PRIVATE_2B)]; BYTE *buffer; @@ -237,15 +240,11 @@ int main(int argc, char **argv) tpm2_public_template_seal(p); - cin.parentHandle = phandle; - VAL_2B(cin.outsideInfo, size) = 0; - cin.creationPCR.count = 0; - if (policyFilename) { - p->objectAttributes.val &= + VAL(p->objectAttributes) &= ~TPMA_OBJECT_USERWITHAUTH; rc = TSS_TPM2B_Create( - &p->authPolicy.b, + (TPM2B *)&p->authPolicy, (uint8_t *)&digest.digest, sizeInBytes, sizeof(TPMU_HA)); if (rc) { @@ -279,13 +278,9 @@ int main(int argc, char **argv) goto out_flush; } - rc = TSS_Execute(tssContext, - (RESPONSE_PARAMETERS *)&cout, - (COMMAND_PARAMETERS *)&cin, - NULL, - TPM_CC_Create, - authHandle, parent_auth, TPMA_SESSION_DECRYPT, - TPM_RH_NULL, NULL, 0); + rc = tpm2_Create(tssContext, phandle, &inSensitive, &inPublic, + &outPrivate, &outPublic, authHandle, parent_auth); + if (rc) { reason = "TPM2_Create"; /* failure means auth handle is not flushed */ @@ -296,12 +291,12 @@ int main(int argc, char **argv) buffer = pubkey; pubkey_len = 0; size = sizeof(pubkey); - TSS_TPM2B_PUBLIC_Marshal(&cout.outPublic, &pubkey_len, + TSS_TPM2B_PUBLIC_Marshal(&outPublic, &pubkey_len, &buffer, &size); buffer = privkey; privkey_len = 0; size = sizeof(privkey); - TSS_TPM2B_PRIVATE_Marshal(&cout.outPrivate, &privkey_len, + TSS_TPM2B_PRIVATE_Marshal((TPM2B_PRIVATE *)&outPrivate, &privkey_len, &buffer, &size); tpm2_write_tpmfile(filename, pubkey, pubkey_len, privkey, privkey_len, data_auth == NULL, diff --git a/tpm2-common.c b/tpm2-common.c index 472a498..c420dd5 100644 --- a/tpm2-common.c +++ b/tpm2-common.c @@ -545,65 +545,49 @@ struct tpm2_ECC_Curves tpm2_supported_curves[] = { { .name = NULL, } }; -void tpm2_error(TPM_RC rc, const char *reason) -{ - const char *msg, *submsg, *num; - - fprintf(stderr, "%s failed with %d\n", reason, rc); - TSS_ResponseCode_toString(&msg, &submsg, &num, rc); - fprintf(stderr, "%s%s%s\n", msg, submsg, num); -} - - TPM_RC tpm2_load_srk(TSS_CONTEXT *tssContext, TPM_HANDLE *h, const char *auth, TPM2B_PUBLIC *pub, TPM_HANDLE hierarchy, enum tpm2_type type) { TPM_RC rc; - CreatePrimary_In in; - CreatePrimary_Out out; + TPM2B_SENSITIVE_CREATE inSensitive; + TPM2B_PUBLIC inPublic; TPM_HANDLE session; - /* SPS owner */ - in.primaryHandle = hierarchy; if (auth) { - in.inSensitive.sensitive.userAuth.t.size = strlen(auth); - memcpy(in.inSensitive.sensitive.userAuth.t.buffer, auth, strlen(auth)); + VAL_2B(inSensitive.sensitive.userAuth, size) = strlen(auth); + memcpy(VAL_2B(inSensitive.sensitive.userAuth, buffer), auth, strlen(auth)); } else { - in.inSensitive.sensitive.userAuth.t.size = 0; + VAL_2B(inSensitive.sensitive.userAuth, size) = 0; } /* no sensitive date for storage keys */ - in.inSensitive.sensitive.data.t.size = 0; - /* no outside info */ - in.outsideInfo.t.size = 0; - /* no PCR state */ - in.creationPCR.count = 0; + VAL_2B(inSensitive.sensitive.data, size) = 0; /* public parameters for an RSA2048 key */ - in.inPublic.publicArea.type = TPM_ALG_ECC; - in.inPublic.publicArea.nameAlg = TPM_ALG_SHA256; - in.inPublic.publicArea.objectAttributes.val = + inPublic.publicArea.type = TPM_ALG_ECC; + inPublic.publicArea.nameAlg = TPM_ALG_SHA256; + VAL(inPublic.publicArea.objectAttributes) = TPMA_OBJECT_NODA | TPMA_OBJECT_SENSITIVEDATAORIGIN | TPMA_OBJECT_USERWITHAUTH | TPMA_OBJECT_DECRYPT | TPMA_OBJECT_RESTRICTED; if (type != TPM2_LEGACY) - in.inPublic.publicArea.objectAttributes.val |= + VAL(inPublic.publicArea.objectAttributes) |= TPMA_OBJECT_FIXEDPARENT | TPMA_OBJECT_FIXEDTPM; - in.inPublic.publicArea.parameters.eccDetail.symmetric.algorithm = TPM_ALG_AES; - in.inPublic.publicArea.parameters.eccDetail.symmetric.keyBits.aes = 128; - in.inPublic.publicArea.parameters.eccDetail.symmetric.mode.aes = TPM_ALG_CFB; - in.inPublic.publicArea.parameters.eccDetail.scheme.scheme = TPM_ALG_NULL; - in.inPublic.publicArea.parameters.eccDetail.curveID = TPM_ECC_NIST_P256; - in.inPublic.publicArea.parameters.eccDetail.kdf.scheme = TPM_ALG_NULL; + inPublic.publicArea.parameters.eccDetail.symmetric.algorithm = TPM_ALG_AES; + inPublic.publicArea.parameters.eccDetail.symmetric.keyBits.aes = 128; + inPublic.publicArea.parameters.eccDetail.symmetric.mode.aes = TPM_ALG_CFB; + inPublic.publicArea.parameters.eccDetail.scheme.scheme = TPM_ALG_NULL; + inPublic.publicArea.parameters.eccDetail.curveID = TPM_ECC_NIST_P256; + inPublic.publicArea.parameters.eccDetail.kdf.scheme = TPM_ALG_NULL; - in.inPublic.publicArea.unique.ecc.x.t.size = 0; - in.inPublic.publicArea.unique.ecc.y.t.size = 0; - in.inPublic.publicArea.authPolicy.t.size = 0; + VAL_2B(inPublic.publicArea.unique.ecc.x, size) = 0; + VAL_2B(inPublic.publicArea.unique.ecc.y, size) = 0; + VAL_2B(inPublic.publicArea.authPolicy, size) = 0; /* use a bound session here because we have no known key objects * to encrypt a salt to */ @@ -611,25 +595,15 @@ TPM_RC tpm2_load_srk(TSS_CONTEXT *tssContext, TPM_HANDLE *h, const char *auth, if (rc) return rc; - rc = TSS_Execute(tssContext, - (RESPONSE_PARAMETERS *)&out, - (COMMAND_PARAMETERS *)&in, - NULL, - TPM_CC_CreatePrimary, - session, auth, TPMA_SESSION_DECRYPT, - TPM_RH_NULL, NULL, 0); + rc = tpm2_CreatePrimary(tssContext, hierarchy, &inSensitive, &inPublic, + h, pub, session, auth); if (rc) { tpm2_error(rc, "TSS_CreatePrimary"); tpm2_flush_handle(tssContext, session); - return rc; } - *h = out.objectHandle; - if (pub) - *pub = out.outPublic; - - return 0; + return rc; } void tpm2_flush_srk(TSS_CONTEXT *tssContext, TPM_HANDLE hSRK) @@ -641,17 +615,10 @@ void tpm2_flush_srk(TSS_CONTEXT *tssContext, TPM_HANDLE hSRK) void tpm2_flush_handle(TSS_CONTEXT *tssContext, TPM_HANDLE h) { - FlushContext_In in; - if (!h) return; - in.flushHandle = h; - TSS_Execute(tssContext, NULL, - (COMMAND_PARAMETERS *)&in, - NULL, - TPM_CC_FlushContext, - TPM_RH_NULL, NULL, 0); + tpm2_FlushContext(tssContext, h); } int tpm2_get_ecc_group(EC_KEY *eck, TPMI_ECC_CURVE curveID) @@ -659,8 +626,7 @@ int tpm2_get_ecc_group(EC_KEY *eck, TPMI_ECC_CURVE curveID) const int nid = tpm2_curve_name_to_nid(curveID); BN_CTX *ctx = NULL; BIGNUM *p, *a, *b, *gX, *gY, *n, *h; - ECC_Parameters_In in; - ECC_Parameters_Out out; + TPMS_ALGORITHM_DETAIL_ECC parameters; TSS_CONTEXT *tssContext = NULL; TPM_RC rc; EC_GROUP *g = NULL; @@ -680,13 +646,8 @@ int tpm2_get_ecc_group(EC_KEY *eck, TPMI_ECC_CURVE curveID) tpm2_error(rc, "TSS_Create"); goto err; } - in.curveID = curveID; - rc = TSS_Execute(tssContext, - (RESPONSE_PARAMETERS *)&out, - (COMMAND_PARAMETERS *)&in, - NULL, - TPM_CC_ECC_Parameters, - TPM_RH_NULL, NULL, 0); + rc = tpm2_ECC_Parameters(tssContext, curveID, ¶meters); + TSS_Delete(tssContext); if (rc) { @@ -710,13 +671,13 @@ int tpm2_get_ecc_group(EC_KEY *eck, TPMI_ECC_CURVE curveID) if (!p || !a || !b || !gX || !gY || !n || !h) goto err; - BN_bin2bn(out.parameters.p.t.buffer, out.parameters.p.t.size, p); - BN_bin2bn(out.parameters.a.t.buffer, out.parameters.a.t.size, a); - BN_bin2bn(out.parameters.b.t.buffer, out.parameters.b.t.size, b); - BN_bin2bn(out.parameters.gX.t.buffer, out.parameters.gX.t.size, gX); - BN_bin2bn(out.parameters.gY.t.buffer, out.parameters.gY.t.size, gY); - BN_bin2bn(out.parameters.n.t.buffer, out.parameters.n.t.size, n); - BN_bin2bn(out.parameters.h.t.buffer, out.parameters.h.t.size, h); + BN_bin2bn(VAL_2B(parameters.p, buffer), VAL_2B(parameters.p, size), p); + BN_bin2bn(VAL_2B(parameters.a, buffer), VAL_2B(parameters.a, size), a); + BN_bin2bn(VAL_2B(parameters.b, buffer), VAL_2B(parameters.a, size), b); + BN_bin2bn(VAL_2B(parameters.gX, buffer), VAL_2B(parameters.gX, size), gX); + BN_bin2bn(VAL_2B(parameters.gY, buffer), VAL_2B(parameters.gY, size), gY); + BN_bin2bn(VAL_2B(parameters.n, buffer), VAL_2B(parameters.n, size), n); + BN_bin2bn(VAL_2B(parameters.h, buffer), VAL_2B(parameters.h, size), h); g = EC_GROUP_new_curve_GFp(p, a, b, ctx); if (!g) @@ -759,8 +720,10 @@ static EVP_PKEY *tpm2_to_openssl_public_ecc(TPMT_PUBLIC *pub) goto err_free_eck; if (!tpm2_get_ecc_group(eck, pub->parameters.eccDetail.curveID)) goto err_free_pkey; - x = BN_bin2bn(pub->unique.ecc.x.t.buffer, pub->unique.ecc.x.t.size, NULL); - y = BN_bin2bn(pub->unique.ecc.y.t.buffer, pub->unique.ecc.y.t.size, NULL); + x = BN_bin2bn(VAL_2B(pub->unique.ecc.x, buffer), + VAL_2B(pub->unique.ecc.x, size), NULL); + y = BN_bin2bn(VAL_2B(pub->unique.ecc.y, buffer), + VAL_2B(pub->unique.ecc.y, size), NULL); EC_KEY_set_public_key_affine_coordinates(eck, x, y); BN_free(y); BN_free(x); @@ -801,7 +764,8 @@ static EVP_PKEY *tpm2_to_openssl_public_rsa(TPMT_PUBLIC *pub) exp = pub->parameters.rsaDetail.exponent; if (!BN_set_word(e, exp)) goto err_free; - if (!BN_bin2bn(pub->unique.rsa.t.buffer, pub->unique.rsa.t.size, n)) + if (!BN_bin2bn(VAL_2B(pub->unique.rsa, buffer), + VAL_2B(pub->unique.rsa, size), n)) goto err_free; #if OPENSSL_VERSION_NUMBER < 0x10100000 rsa->n = n; @@ -842,59 +806,27 @@ EVP_PKEY *tpm2_to_openssl_public(TPMT_PUBLIC *pub) TPM_RC tpm2_readpublic(TSS_CONTEXT *tssContext, TPM_HANDLE handle, TPMT_PUBLIC *pub) { - ReadPublic_In rin; - ReadPublic_Out rout; - TPM_RC rc; - - rin.objectHandle = handle; - rc = TSS_Execute (tssContext, - (RESPONSE_PARAMETERS *)&rout, - (COMMAND_PARAMETERS *)&rin, - NULL, - TPM_CC_ReadPublic, - TPM_RH_NULL, NULL, 0); - if (rc) { - tpm2_error(rc, "TPM2_ReadPublic"); - return rc; - } - if (pub) - *pub = rout.outPublic.publicArea; - - return rc; + return tpm2_ReadPublic(tssContext, handle, pub, TPM_RH_NULL); } TPM_RC tpm2_get_bound_handle(TSS_CONTEXT *tssContext, TPM_HANDLE *handle, TPM_HANDLE bind, const char *auth) { TPM_RC rc; - StartAuthSession_In in; - StartAuthSession_Out out; - StartAuthSession_Extra extra; - - memset(&in, 0, sizeof(in)); - memset(&extra, 0 , sizeof(extra)); - in.bind = bind; - extra.bindPassword = auth; - in.sessionType = TPM_SE_HMAC; - in.authHash = TPM_ALG_SHA256; - in.tpmKey = TPM_RH_NULL; - in.symmetric.algorithm = TPM_ALG_AES; - in.symmetric.keyBits.aes = 128; - in.symmetric.mode.aes = TPM_ALG_CFB; - rc = TSS_Execute(tssContext, - (RESPONSE_PARAMETERS *)&out, - (COMMAND_PARAMETERS *)&in, - (EXTRA_PARAMETERS *)&extra, - TPM_CC_StartAuthSession, - TPM_RH_NULL, NULL, 0); - if (rc) { + TPMT_SYM_DEF symmetric; + + symmetric.algorithm = TPM_ALG_AES; + symmetric.keyBits.aes = 128; + symmetric.mode.aes = TPM_ALG_CFB; + + rc = tpm2_StartAuthSession(tssContext, TPM_RH_NULL, bind, + TPM_SE_HMAC, &symmetric, + TPM_ALG_SHA256, handle, auth); + if (rc) tpm2_error(rc, "TPM2_StartAuthSession"); - return rc; - } - *handle = out.sessionHandle; - return TPM_RC_SUCCESS; + return rc; } TPM_RC tpm2_get_session_handle(TSS_CONTEXT *tssContext, TPM_HANDLE *handle, @@ -902,44 +834,24 @@ TPM_RC tpm2_get_session_handle(TSS_CONTEXT *tssContext, TPM_HANDLE *handle, TPM_ALG_ID name_alg) { TPM_RC rc; - StartAuthSession_In in; - StartAuthSession_Out out; - StartAuthSession_Extra extra; - - memset(&in, 0, sizeof(in)); - memset(&extra, 0 , sizeof(extra)); - in.bind = TPM_RH_NULL; - in.sessionType = sessionType; - in.authHash = name_alg; - in.tpmKey = TPM_RH_NULL; - in.symmetric.algorithm = TPM_ALG_AES; - in.symmetric.keyBits.aes = 128; - in.symmetric.mode.aes = TPM_ALG_CFB; - if (salt_key) { - /* For the TSS to use a key as salt, it must have - * access to the public part. It does this by keeping - * key files, but request the public part just to make - * sure*/ - tpm2_readpublic(tssContext, salt_key, NULL); - /* don't care what rout returns, the purpose of the - * operation was to get the public key parameters into - * the tss so it can construct the salt */ - in.tpmKey = salt_key; - } - rc = TSS_Execute(tssContext, - (RESPONSE_PARAMETERS *)&out, - (COMMAND_PARAMETERS *)&in, - (EXTRA_PARAMETERS *)&extra, - TPM_CC_StartAuthSession, - TPM_RH_NULL, NULL, 0); - if (rc) { - tpm2_error(rc, "TPM2_StartAuthSession"); - return rc; - } + TPMT_SYM_DEF symmetric; - *handle = out.sessionHandle; + /* 0 means no key, which we express as TPM_RH_NULL to the TSS */ + if (!salt_key) + salt_key = TPM_RH_NULL; - return TPM_RC_SUCCESS; + symmetric.algorithm = TPM_ALG_AES; + symmetric.keyBits.aes = 128; + symmetric.mode.aes = TPM_ALG_CFB; + + rc = tpm2_StartAuthSession(tssContext, salt_key, TPM_RH_NULL, + sessionType, &symmetric, name_alg, + handle, NULL); + + if (rc) + tpm2_error(rc, "TPM2_StartAuthSession"); + + return rc; } TPM_RC tpm2_init_session(TSS_CONTEXT *tssContext, TPM_HANDLE handle, @@ -948,15 +860,12 @@ TPM_RC tpm2_init_session(TSS_CONTEXT *tssContext, TPM_HANDLE handle, { INT32 size; BYTE *policy; - TPM_RC rc = 0, reason_rc = 0; - COMMAND_PARAMETERS in; + TPM_RC rc, reason_rc = 0; int i; char reason[256]; int name_alg_size = TSS_GetDigestSize(name_alg); reason[0] = '\0'; - /* pick a random policy type: they all have the handle first */ - in.PolicyPCR.policySession = handle; for (i = 0; i < num_commands; i++) { size = commands[i].size; @@ -964,22 +873,31 @@ TPM_RC tpm2_init_session(TSS_CONTEXT *tssContext, TPM_HANDLE handle, switch (commands[i].code) { case TPM_CC_PolicyPCR: { - PolicyPCR_In *ppcrin = &in.PolicyPCR; + DIGEST_2B pcrDigest; + TPML_PCR_SELECTION pcrs; rc = TPML_PCR_SELECTION_Unmarshal( - &ppcrin->pcrs, &policy, &size); - ppcrin->pcrDigest.b.size = name_alg_size; - memcpy(ppcrin->pcrDigest.b.buffer, + &pcrs, &policy, &size); + if (rc) + goto unmarshal_failure; + pcrDigest.size = name_alg_size; + memcpy(pcrDigest.buffer, policy, name_alg_size); sprintf(reason, "PCR Mismatch"); reason_rc = TPM_RC_VALUE; + rc = tpm2_PolicyPCR(tssContext, handle, + &pcrDigest, &pcrs); + break; } case TPM_CC_PolicyAuthValue: + rc = tpm2_PolicyAuthValue(tssContext, handle); break; case TPM_CC_PolicyCounterTimer: { - PolicyCounterTimer_In *pctin = &in.PolicyCounterTimer; + DIGEST_2B operandB; + UINT16 offset; + TPM_EO operation; BYTE *p_buffer; INT32 p_size; int i, c; @@ -1001,26 +919,29 @@ TPM_RC tpm2_init_session(TSS_CONTEXT *tssContext, TPM_HANDLE handle, /* last UINT16 is the operand */ p_buffer = policy + size - 2; p_size = 2; - TPM_EO_Unmarshal(&pctin->operation, &p_buffer, - &p_size); + TPM_EO_Unmarshal(&operation, &p_buffer, &p_size); /* second to last UINT16 is the offset */ p_buffer = policy + size - 4; p_size = 2; - UINT16_Unmarshal(&pctin->offset, &p_buffer, &p_size); + UINT16_Unmarshal(&offset, &p_buffer, &p_size); /* and the rest is the OperandB */ - pctin->operandB.b.size = size - 4; - memcpy(pctin->operandB.b.buffer, policy, size - 4); + operandB.size = size - 4; + memcpy(operandB.buffer, policy, size - 4); c = sprintf(reason, "Counter Timer at offset %d is not %s ", - pctin->offset, operand[pctin->operation]); + offset, operand[operation]); for (i = 0; i < size - 4; i++) c += sprintf(&reason[c], "%02x", policy[i]); reason[c] = '\0'; reason_rc = TPM_RC_POLICY; + rc = tpm2_PolicyCounterTimer(tssContext, handle, + &operandB, offset, + operation); + break; } default: @@ -1031,17 +952,6 @@ TPM_RC tpm2_init_session(TSS_CONTEXT *tssContext, TPM_HANDLE handle, } if (rc) { - tpm2_error(rc, "unmarshal"); - goto out_flush; - } - - rc = TSS_Execute(tssContext, - NULL, - &in, - NULL, - commands[i].code, - TPM_RH_NULL, NULL, 0); - if (rc) { TPM_RC check_rc; /* strip additional parameter or session information */ @@ -1062,6 +972,9 @@ TPM_RC tpm2_init_session(TSS_CONTEXT *tssContext, TPM_HANDLE handle, return TPM_RC_SUCCESS; + unmarshal_failure: + tpm2_error(rc, "unmarshal"); + out_flush: tpm2_flush_handle(tssContext, handle); return rc; @@ -1209,10 +1122,12 @@ TPM_RC tpm2_create(TSS_CONTEXT **tsscp, const char *dir) tpm2_error(rc, "TSS_Create"); return rc; } - rc = TSS_SetProperty(*tsscp, TPM_DATA_DIR, dir); - if (rc) { - tpm2_error(rc, "TSS_SetProperty"); - return rc; + if (dir) { + rc = TSS_SetProperty(*tsscp, TPM_DATA_DIR, dir); + if (rc) { + tpm2_error(rc, "TSS_SetProperty"); + return rc; + } } return TPM_RC_SUCCESS; @@ -1236,10 +1151,10 @@ int tpm2_get_public_point(TPM2B_ECC_POINT *tpmpt, const EC_GROUP *group, len--; len >>= 1; - memcpy(tpmpt->point.x.t.buffer, point + 1, len); - tpmpt->point.x.t.size = len; - memcpy(tpmpt->point.y.t.buffer, point + 1 + len, len); - tpmpt->point.y.t.size = len; + memcpy(VAL_2B(tpmpt->point.x, buffer), point + 1, len); + VAL_2B(tpmpt->point.x, size) = len; + memcpy(VAL_2B(tpmpt->point.y, buffer), point + 1 + len, len); + VAL_2B(tpmpt->point.y, size) = len; return len; } @@ -1370,7 +1285,7 @@ int tpm2_load_engine_file(const char *filename, struct app_data **app_data, STACK_OF(TSSOPTPOLICY) *policy; ASN1_OCTET_STRING *privkey; ASN1_OCTET_STRING *secret = NULL; - Import_In iin; + TPM2B_PUBLIC objectPublic; bf = BIO_new_file(filename, "r"); if (!bf) { @@ -1475,12 +1390,12 @@ int tpm2_load_engine_file(const char *filename, struct app_data **app_data, buffer = ad->pub; size = ad->pub_len; - TPM2B_PUBLIC_Unmarshal(&iin.objectPublic, &buffer, &size, FALSE); - ad->name_alg = iin.objectPublic.publicArea.nameAlg; + TPM2B_PUBLIC_Unmarshal(&objectPublic, &buffer, &size, FALSE); + ad->name_alg = objectPublic.publicArea.nameAlg; /* create the new objects to return */ if (ppkey) { - *ppkey = tpm2_to_openssl_public(&iin.objectPublic.publicArea); + *ppkey = tpm2_to_openssl_public(&objectPublic.publicArea); if (!*ppkey) { fprintf(stderr, "Failed to allocate a new EVP_KEY\n"); goto err_free; @@ -1493,14 +1408,19 @@ int tpm2_load_engine_file(const char *filename, struct app_data **app_data, if (strcmp(OID_importableKey, oid) == 0) { TPM_HANDLE session; + TPM_HANDLE parentHandle; + DATA_2B encryptionKey; + PRIVATE_2B duplicate; + ENCRYPTED_SECRET_2B inSymSeed; + TPMT_SYM_DEF_OBJECT symmetricAlg; TSS_CONTEXT *tssContext; TPM_RC rc; const char *reason; PRIVATE_2B priv_2b; + PRIVATE_2B outPrivate; BYTE *buf; UINT16 written; INT32 size; - Import_Out iout; rc = tpm2_create(&tssContext, ad->dir); if (rc) { @@ -1509,46 +1429,44 @@ int tpm2_load_engine_file(const char *filename, struct app_data **app_data, } if ((ad->parent & 0xff000000) == 0x40000000) { - tpm2_load_srk(tssContext, &iin.parentHandle, + tpm2_load_srk(tssContext, &parentHandle, srk_auth, NULL, ad->parent, 1); } else { - iin.parentHandle = ad->parent; + parentHandle = ad->parent; } rc = tpm2_get_session_handle(tssContext, &session, - iin.parentHandle, + parentHandle, TPM_SE_HMAC, - iin.objectPublic.publicArea.nameAlg); + objectPublic.publicArea.nameAlg); if (rc) { reason="tpm2_get_session_handle"; goto import_err; } /* no inner encryption */ - iin.encryptionKey.t.size = 0; - iin.symmetricAlg.algorithm = TPM_ALG_NULL; + encryptionKey.size = 0; + symmetricAlg.algorithm = TPM_ALG_NULL; /* for importable keys the private key is actually the * outer wrapped duplicate structure */ buffer = privkey->data; size = privkey->length; - TPM2B_PRIVATE_Unmarshal(&iin.duplicate, &buffer, &size); + TPM2B_PRIVATE_Unmarshal((TPM2B_PRIVATE *)&duplicate, + &buffer, &size); buffer = secret->data; size = secret->length; - TPM2B_ENCRYPTED_SECRET_Unmarshal(&iin.inSymSeed, &buffer, &size); - rc = TSS_Execute(tssContext, - (RESPONSE_PARAMETERS *)&iout, - (COMMAND_PARAMETERS *)&iin, - NULL, - TPM_CC_Import, - session, srk_auth, 0, - TPM_RH_NULL, NULL, 0); + TPM2B_ENCRYPTED_SECRET_Unmarshal((TPM2B_ENCRYPTED_SECRET *) + &inSymSeed, &buffer, &size); + rc = tpm2_Import(tssContext, parentHandle, &encryptionKey, + &objectPublic, &duplicate, &inSymSeed, + &symmetricAlg, &outPrivate, session, srk_auth); if (rc) tpm2_flush_handle(tssContext, session); reason = "TPM2_Import"; import_err: - tpm2_flush_srk(tssContext, iin.parentHandle); + tpm2_flush_srk(tssContext, parentHandle); TSS_Delete(tssContext); if (rc) { tpm2_error(rc, reason); @@ -1557,8 +1475,8 @@ int tpm2_load_engine_file(const char *filename, struct app_data **app_data, buf = priv_2b.buffer; size = sizeof(priv_2b.buffer); written = 0; - TSS_TPM2B_PRIVATE_Marshal(&iout.outPrivate, &written, - &buf, &size); + TSS_TPM2B_PRIVATE_Marshal((TPM2B_PRIVATE *)&outPrivate, + &written, &buf, &size); ad->priv = OPENSSL_malloc(written); if (!ad->priv) goto err_free_key; @@ -1579,7 +1497,7 @@ int tpm2_load_engine_file(const char *filename, struct app_data **app_data, goto err_free_key; } - if (!(iin.objectPublic.publicArea.objectAttributes.val & + if (!(VAL(objectPublic.publicArea.objectAttributes) & TPMA_OBJECT_USERWITHAUTH)) ad->req_policy_session = 1; @@ -1630,8 +1548,9 @@ TPM_HANDLE tpm2_load_key(TSS_CONTEXT **tsscp, struct app_data *app_data, const char *srk_auth, uint32_t *psrk) { TSS_CONTEXT *tssContext; - Load_In in; - Load_Out out; + PRIVATE_2B inPrivate; + TPM2B_PUBLIC inPublic; + TPM_HANDLE parentHandle; TPM_HANDLE key = 0; TPM_RC rc; BYTE *buffer; @@ -1649,42 +1568,37 @@ TPM_HANDLE tpm2_load_key(TSS_CONTEXT **tsscp, struct app_data *app_data, buffer = app_data->priv; size = app_data->priv_len; - TPM2B_PRIVATE_Unmarshal(&in.inPrivate, &buffer, &size); + TPM2B_PRIVATE_Unmarshal((TPM2B_PRIVATE *)&inPrivate, &buffer, &size); buffer = app_data->pub; size = app_data->pub_len; - TPM2B_PUBLIC_Unmarshal(&in.inPublic, &buffer, &size, FALSE); + TPM2B_PUBLIC_Unmarshal(&inPublic, &buffer, &size, FALSE); if ((app_data->parent & 0xff000000) == 0x81000000) { - in.parentHandle = app_data->parent; + parentHandle = app_data->parent; } else { - rc = tpm2_load_srk(tssContext, &in.parentHandle, srk_auth, NULL, app_data->parent, app_data->type); + rc = tpm2_load_srk(tssContext, &parentHandle, srk_auth, NULL, + app_data->parent, app_data->type); if (rc) goto out; } - rc = tpm2_get_session_handle(tssContext, &session, in.parentHandle, + rc = tpm2_get_session_handle(tssContext, &session, parentHandle, TPM_SE_HMAC, app_data->name_alg); if (rc) goto out_flush_srk; - rc = TSS_Execute(tssContext, - (RESPONSE_PARAMETERS *)&out, - (COMMAND_PARAMETERS *)&in, - NULL, - TPM_CC_Load, - session, srk_auth, 0, - TPM_RH_NULL, NULL, 0); + + rc = tpm2_Load(tssContext, parentHandle, &inPrivate, &inPublic, + &key, session, srk_auth); if (rc) { tpm2_error(rc, "TPM2_Load"); tpm2_flush_handle(tssContext, session); - } else { - key = out.objectHandle; } out_flush_srk: if (key && psrk) - *psrk = in.parentHandle; + *psrk = parentHandle; else - tpm2_flush_srk(tssContext, in.parentHandle); + tpm2_flush_srk(tssContext, parentHandle); out: if (!key) TSS_Delete(tssContext); @@ -1845,7 +1759,7 @@ TPM_RC tpm2_parse_policy_file(const char *policy_file, while ((data_ptr = strsep(&data, "\n"))) { TPMT_HA hash_digest; - unsigned char *hash = (unsigned char *)hash_digest.digest.tssmax; + unsigned char *hash = (unsigned char *)&hash_digest.digest; INT32 hash_len; buf_ptr = buf; @@ -1877,7 +1791,7 @@ TPM_RC tpm2_parse_policy_file(const char *policy_file, hash_digest.hashAlg = digest->hashAlg; hash_len = TSS_GetDigestSize(digest->hashAlg); TSS_Hash_Generate(&hash_digest, buf_len, buf_ptr, 0, NULL); - hash = hash_digest.digest.tssmax; + hash = (unsigned char *)&hash_digest.digest; } else { hash = buf_ptr; hash_len = buf_len; diff --git a/unseal_tpm2_data.c b/unseal_tpm2_data.c index 1048812..38aaf9d 100644 --- a/unseal_tpm2_data.c +++ b/unseal_tpm2_data.c @@ -70,8 +70,8 @@ int main(int argc, char **argv) TPM_RC rc; TSS_CONTEXT *tssContext; const char *reason; - Unseal_In uin; - Unseal_Out uout; + TPM_HANDLE itemHandle; + SENSITIVE_DATA_2B outData; uint32_t parent, session; UI_METHOD *ui = UI_create_method("unseal"); struct app_data *app_data; @@ -144,7 +144,7 @@ int main(int argc, char **argv) goto out_free_app_data; } - uin.itemHandle = rc; + itemHandle = rc; rc = tpm2_get_session_handle(tssContext, &session, parent, app_data->req_policy_session ? @@ -166,24 +166,20 @@ int main(int argc, char **argv) } } - rc = TSS_Execute(tssContext, - (RESPONSE_PARAMETERS *)&uout, - (COMMAND_PARAMETERS *)&uin, - NULL, - TPM_CC_Unseal, - session, app_data->auth, TPMA_SESSION_ENCRYPT, - TPM_RH_NULL, NULL, 0); + rc = tpm2_Unseal(tssContext, itemHandle, &outData, session, + app_data->auth); + if (rc) { reason = "TPM2_Unseal"; out_flush_session: tpm2_flush_handle(tssContext, session); } else { - fwrite(VAL_2B(uout.outData, buffer), 1, - VAL_2B(uout.outData, size), stdout); + fwrite(outData.buffer, 1, + outData.size, stdout); } out_flush_data: - tpm2_flush_handle(tssContext, uin.itemHandle); + tpm2_flush_handle(tssContext, itemHandle); out_free_app_data: TSS_Delete(tssContext); tpm2_delete(app_data); |