int main(int argc, char *argv[])
{
int ret = 0;
char *filename = NULL;
int i = 1;
unsigned char * buffer;
uint32_t buffersize;
TPM_CONTEXT_BLOB context;
STACK_TPM_BUFFER(tpmbuffer)
TPM_setlog(0);
while (i < argc) {
if (!strcmp("-if",argv[i])) {
i++;
if (i < argc) {
filename = argv[i];
} else {
printf("Missing parameter for -if.\n");
print_usage();
}
}
else if (!strcmp(argv[i],"-v")) {
TPM_setlog(1);
}
else if (!strcmp("-h",argv[i])) {
print_usage();
}
else if (!strcmp(argv[i],"-h")) {
print_usage();
}
else {
printf("\n%s is not a valid option\n", argv[i]);
print_usage();
}
i++;
}
if (NULL == filename) {
printf("Missing -if argument.\n");
print_usage();
}
ret = TPM_ReadFile(filename, &buffer, &buffersize);
if (ret != 0) {
printf("Error while reading file '%s'.\n",filename);
exit(-1);
}
SET_TPM_BUFFER(&tpmbuffer, buffer, buffersize);
ret = TPM_ReadContextBlob(&tpmbuffer, 0, &context);
if ((ret & ERR_MASK)) {
printf("Error while parsing the context blob.\n");
exit(-1);
}
printf("ContextCount: 0x%08X\n",context.contextCount);
ret = 0;
exit(ret);
}
static uint32_t swapInKey(uint32_t handle)
{
char *filename = createKeyFilename(handle);
STACK_TPM_BUFFER(context);
unsigned char * mycontext = NULL;
uint32_t contextSize;
uint32_t newhandle;
uint32_t ret;
if (NULL == filename) {
ret = ERR_MEM_ERR;
}
ret = TPM_ReadFile(filename,&mycontext,&contextSize);
if ((ret & ERR_MASK)) {
#if 0
printf("level: %d\n",g_num_transports);
#endif
printf("Could not read from keyfile %s.\n",filename);
return ret;
}
SET_TPM_BUFFER(&context, mycontext, contextSize);
free(mycontext);
ret = TPM_LoadContext(handle,
1,
&context,
&newhandle);
if (ret != 0) {
printf("Got error '%s' while swapping in key 0x%08x.\n",
TPM_GetErrMsg(ret),
handle);
}
if (handle != newhandle) {
printf("keyswap: "
"new handle 0x%08x not the same as old one 0x%08x.\n",
newhandle, handle);
}
if (ret == 0) {
unlink(filename);
}
free(filename);
#if 0
if (ret == 0) {
printf("Swapped in key with handle %08x.\n",handle);
} else {
printf("Could NOT swap in key with handle %08x.\n",handle);
}
#endif
return ret;
}
uint32_t TPM_ReadPubKeyfile(const char *filename, pubkeydata * pubk)
{
unsigned char *buffer = NULL;
uint32_t buffersize = 0;
uint32_t ret = TPM_ReadFile(filename, &buffer, &buffersize);
if ((ret & ERR_MASK) == 0) {
STACK_TPM_BUFFER(buf);
SET_TPM_BUFFER(&buf, buffer, buffersize);
memset(pubk, 0x0, sizeof(*pubk));
if (buffersize != TSS_PubKeyExtract(&buf, 0, pubk))
ret = ERR_BAD_FILE;
free(buffer);
}
return ret;
}
static uint32_t TPM_GetCapability_Internal(uint32_t caparea,
struct tpm_buffer *scap,
struct tpm_buffer *response,
int allowTransport)
{
uint32_t ret;
uint32_t rlen;
uint32_t ordinal_no = htonl(TPM_ORD_GetCapability);
STACK_TPM_BUFFER(tpmdata) /* request/response buffer */
uint32_t scaplen = 0;
unsigned char *buffer = NULL;
/* check arguments */
if (scap) {
scaplen = scap->used;
buffer = scap->buffer;
}
if (response == NULL)
return ERR_NULL_ARG;
ret = TSS_buildbuff("00 c1 T l L @", &tpmdata,
ordinal_no, caparea, scaplen, buffer);
if (ret & ERR_MASK)
return ret;
/* transmit the request buffer to the TPM device and read the reply */
if (allowTransport)
ret = TPM_Transmit(&tpmdata, "GetCapability");
else
ret = TPM_Transmit_NoTransport(&tpmdata, "GetCapability");
if (ret)
return ret;
ret = tpm_buffer_load32(&tpmdata, TPM_DATA_OFFSET, &rlen);
if (ret & ERR_MASK)
return ret;
if (response)
SET_TPM_BUFFER(response,
&tpmdata.buffer[TPM_DATA_OFFSET + TPM_U32_SIZE],
rlen);
return 0;
}
uint32_t TPM_SaveKeyContext(uint32_t keyhandle,
struct tpm_buffer *context)
{
uint32_t ret;
uint32_t ordinal_no = htonl(TPM_ORD_SaveKeyContext);
STACK_TPM_BUFFER(tpmdata)
uint32_t keyhandle_no = htonl(keyhandle);
uint32_t len;
ret = needKeysRoom(keyhandle, 0, 0, 0);
if (ret != 0) {
return ret;
}
ret = TSS_buildbuff("00 c1 T l l",&tpmdata,
ordinal_no,
keyhandle_no);
if (( ret & ERR_MASK )!= 0) {
return ret;
}
ret = TPM_Transmit(&tpmdata,"SaveKeyContext");
if (ret != 0) {
return ret;
}
ret = tpm_buffer_load32(&tpmdata, TPM_DATA_OFFSET, &len);
if ((ret & ERR_MASK)) {
return ret;
}
if (NULL != context) {
SET_TPM_BUFFER(context,
&tpmdata.buffer[TPM_DATA_OFFSET+TPM_U32_SIZE],
len);
}
return ret;
}
static int loadKey(char * filename, keydata * key)
{
int ret = 0;
FILE * kinfile;
kinfile = fopen(filename,"rb");
if (kinfile == NULL) {
printf("Could not open key file.\n");
ret = -1;
} else {
struct stat sbuf;
if (0 ==stat(filename,&sbuf)) {
unsigned int keyblen;
unsigned char * keyblob = NULL;
keyblen = (int)sbuf.st_size;
keyblob = malloc(keyblen);
if (NULL != keyblob) {
ret = fread(keyblob,1,keyblen,kinfile);
if (ret != (int)keyblen) {
printf("Unable to read key file\n");
ret = -1;
} else {
STACK_TPM_BUFFER(tb)
SET_TPM_BUFFER(&tb, keyblob, keyblen);
TSS_KeyExtract(&tb,0,key);
ret = 0;
}
fclose(kinfile);
free(keyblob);
} else {
printf("Could not allocate memory.\n");
ret = -1;
}
} else {
printf("Could not determine size of key file.\n");
ret = -1;
}
}
return ret;
}
uint32_t TPM_GetCapabilitySigned(uint32_t keyhandle,
unsigned char *keypass,
unsigned char *antiReplay,
uint32_t caparea,
struct tpm_buffer * scap,
struct tpm_buffer * resp,
unsigned char *sig, uint32_t * siglen)
{
uint32_t ret;
uint32_t rlen;
STACK_TPM_BUFFER(tpmdata) /* request/response buffer */
uint32_t ordinal_no = htonl(TPM_ORD_GetCapabilitySigned);
uint32_t keyhandle_no = htonl(keyhandle);
uint32_t caparea_no = htonl(caparea);
unsigned char c = 0;
unsigned char authdata[TPM_HASH_SIZE];
uint32_t ssize;
unsigned char *buffer = NULL;
uint32_t subcaplen = 0;
uint32_t subcaplen_no;
/* check arguments */
if (scap) {
subcaplen = scap->used;
buffer = scap->buffer;
}
subcaplen_no = htonl(subcaplen);
ret = needKeysRoom(keyhandle, 0, 0, 0);
if (ret)
return ret;
if (resp == NULL)
return ERR_NULL_ARG;
if (keypass) {
unsigned char nonceodd[TPM_HASH_SIZE];
session sess;
ret = TSS_gennonce(nonceodd);
if (ret == 0)
return ERR_CRYPT_ERR;
ret = TSS_SessionOpen(SESSION_OSAP | SESSION_OIAP,
&sess, keypass, TPM_ET_KEYHANDLE, keyhandle);
if (ret)
return ret;
/* move Network byte order data to variable for hmac calculation */
ret = TSS_authhmac(authdata, TSS_Session_GetAuth(&sess),
TPM_HASH_SIZE, TSS_Session_GetENonce(&sess),
nonceodd, c, TPM_U32_SIZE, &ordinal_no,
TPM_NONCE_SIZE, antiReplay, TPM_U32_SIZE,
&caparea_no, TPM_U32_SIZE, &subcaplen_no,
subcaplen, buffer, 0, 0);
if (ret) {
TSS_SessionClose(&sess);
return ret;
}
ret = TSS_buildbuff("00 c2 T l l % l @ L % o %", &tpmdata,
ordinal_no,
keyhandle_no,
TPM_NONCE_SIZE, antiReplay,
caparea_no,
subcaplen, buffer,
TSS_Session_GetHandle(&sess),
TPM_NONCE_SIZE, nonceodd,
c, TPM_HASH_SIZE, authdata);
if (ret & ERR_MASK) {
TSS_SessionClose(&sess);
return ret;
}
/* transmit the request buffer to the TPM device and read the reply */
ret = TPM_Transmit(&tpmdata, "GetCapability - AUTH1");
TSS_SessionClose(&sess);
if (ret)
return ret;
ret = tpm_buffer_load32(&tpmdata, TPM_DATA_OFFSET+TPM_U32_SIZE, &rlen);
if (ret & ERR_MASK)
return ret;
ret = tpm_buffer_load32(&tpmdata,
TPM_DATA_OFFSET + TPM_U32_SIZE +
TPM_U32_SIZE + rlen, &ssize);
if (ret & ERR_MASK)
return ret;
ret = TSS_checkhmac1(&tpmdata, ordinal_no, nonceodd,
TSS_Session_GetAuth(&sess), TPM_HASH_SIZE,
TPM_U32_SIZE + TPM_U32_SIZE + rlen +
TPM_U32_SIZE + ssize, TPM_DATA_OFFSET, 0, 0);
if (ret)
return ret;
} else {
ret = TSS_buildbuff("00 c1 T l l % l @", &tpmdata,
ordinal_no,
keyhandle_no,
TPM_NONCE_SIZE, antiReplay,
caparea_no, subcaplen, buffer);
if (ret & ERR_MASK)
return ret;
/* transmit the request buffer to the TPM device and read the reply */
ret = TPM_Transmit(&tpmdata, "GetCapability - NO AUTH");
if (ret)
return ret;
ret = tpm_buffer_load32(&tpmdata, TPM_DATA_OFFSET+TPM_U32_SIZE, &rlen);
if (ret & ERR_MASK)
return ret;
ret = tpm_buffer_load32(&tpmdata,
TPM_DATA_OFFSET + TPM_U32_SIZE +
TPM_U32_SIZE + rlen, &ssize);
if (ret & ERR_MASK)
return ret;
}
if (resp)
SET_TPM_BUFFER(resp,
&tpmdata.buffer[TPM_DATA_OFFSET + TPM_U32_SIZE +
TPM_U32_SIZE], rlen);
if (sig) {
*siglen = MIN(*siglen, ssize);
memcpy(sig,
&tpmdata.buffer[TPM_DATA_OFFSET + TPM_U32_SIZE +
TPM_U32_SIZE + rlen + TPM_U32_SIZE],
*siglen);
}
return ret;
}
/*
* make sure the given keys are in the TPM and there is
* enough room for 'room' keys in the TPM
*/
static uint32_t
needKeysRoom_General(uint32_t key1, uint32_t key2, uint32_t key3,
uint32_t room)
{
uint32_t ret = 0;
uint32_t scap_no;
STACK_TPM_BUFFER(context);
STACK_TPM_BUFFER(scap);
STACK_TPM_BUFFER(capabilities);
uint32_t tpmkeyroom;
uint32_t keysintpm;
int intpm1, intpm2, intpm3;
uint32_t neededslots;
static int in_swapping = 0;
char *tmp1;
char *tmp2;
char *tmp3;
/* do NOT allow recursion */
if (in_swapping) {
return 0;
}
tmp1 = getenv("TPM_AUDITING");
tmp2 = getenv("TPM_TRANSPORT");
tmp3 = getenv("TPM_NO_KEY_SWAP");
if ((tmp1 && !strcmp(tmp1,"1") &&
tmp2 && !strcmp(tmp2,"1")) ||
(tmp3 && !strcmp(tmp3,"1")) ) {
return 0;
}
in_swapping = 1;
#if 0
printf("level: %d\n",g_num_transports);
#endif
/*
* Support for 1.1 TPMs is not possible since the key handle
* must be maintained and the old SaveKeyContext functions don't
* do that.
*
* Strategy for 1.2 TPMs:
* Check the number of keys the TPM can handle.
* Check which keys are in the TPM and how many.
* If there's enough room for all keys that need to be loaded in,
* just load them in, otherwise swap an unneeded key out first.
* If necessary, swap as many keys out such that there's enough
* room for 'room' keys.
*/
scap_no = htonl(TPM_CAP_PROP_MAX_KEYS); // 0x110
SET_TPM_BUFFER(&scap, &scap_no, sizeof(scap_no));
ret = TPM_GetCapability(TPM_CAP_PROPERTY, // 0x5
&scap,
&capabilities);
if (ret != 0) {
/* call may fail at very beginning */
in_swapping = 0;
return 0;
} else {
ret = tpm_buffer_load32(&capabilities, 0, &tpmkeyroom);
if (ret != 0) {
in_swapping = 0;
return ret;
}
//tpmkeyroom = 10;
}
scap_no = ntohl(TPM_RT_KEY);
SET_TPM_BUFFER(&scap, &scap_no, sizeof(scap_no));
ret = TPM_GetCapability(TPM_CAP_KEY_HANDLE,
&scap,
&capabilities);
if (ret != 0) {
in_swapping = 0;
printf("Error %s from TPM_GetCapability.\n",
TPM_GetErrMsg(ret));
return ret;
}
neededslots = room;
intpm1 = IsKeyInTPM(&capabilities, key1);
if (!intpm1)
neededslots++;
intpm2 = IsKeyInTPM(&capabilities, key2);
if (!intpm2)
neededslots++;
intpm3 = IsKeyInTPM(&capabilities, key3);
if (!intpm2)
neededslots++;
#if 0
uint32_t ctr, handle;
for (ctr = 2; ctr < capabilities.used; ctr += sizeof(handle)) {
ret = tpm_buffer_load32(&capabilities,
ctr,
&handle);
if (ret != 0) {
break;
}
printf("available key: %08x\n",handle);
}
#endif
keysintpm = (capabilities.used - 2 ) / 4;
#if 0
printf("TPM has room for %d keys, holds %d keys.\n",
tpmkeyroom,keysintpm);
#endif
if ((int)neededslots > ((int)tpmkeyroom - (int)keysintpm)) {
ret = swapOutKeys((int)neededslots - ((int)tpmkeyroom-(int)keysintpm),
key1,
key2,
key3,
&capabilities);
#if 0
} else {
printf("No need to swap out keys.\n");
#endif
}
if (ret == 0 && !intpm1) {
ret = swapInKey(key1);
}
if (ret == 0 && !intpm2) {
ret = swapInKey(key2);
}
if (ret == 0 && !intpm3) {
ret = swapInKey(key3);
}
in_swapping = 0;
return ret;
}
int main(int argc, char * argv[]) {
uint32_t ret = 0;
int i = 0;
int verbose = FALSE;
uint32_t migkeyhandle = 0;
char * filename = NULL;
unsigned char * buffer = NULL;
unsigned char keypasshash[TPM_HASH_SIZE];
char * keypass = NULL;
uint16_t migscheme = TPM_MS_MIGRATE;
unsigned char * keyhashptr = NULL;
i = 1;
TPM_setlog(0);
while (i < argc) {
if (!strcmp("-if",argv[i])) {
i++;
if (i < argc) {
filename = argv[i];
} else {
printf("Missing mandatory parameter for -if.\n");
usage();
}
}
else if (!strcmp("-hp",argv[i])) {
i++;
if (i < argc) {
sscanf(argv[i],"%x",&migkeyhandle);
} else {
printf("Missing mandatory parameter for -hp.\n");
usage();
}
}
else if (!strcmp("-pwdp",argv[i])) {
i++;
if (i < argc) {
keypass = argv[i];
} else {
printf("Missing mandatory parameter for -pwdp.\n");
usage();
}
}
else if (!strcmp("-rewrap",argv[i])) {
migscheme = TPM_MS_REWRAP;
}
else if (!strcmp("-v",argv[i])) {
verbose = TRUE;
TPM_setlog(1);
}
else if (!strcmp("-h",argv[i])) {
usage();
}
else {
printf("\n%s is not a valid option\n", argv[i]);
usage();
}
i++;
}
if (0 == migkeyhandle ||
NULL == filename) {
printf("Missing mandatory parameter.\n");
usage();
}
if (NULL != keypass) {
TSS_sha1(keypass,strlen(keypass),keypasshash);
keyhashptr = keypasshash;
} else {
keyhashptr = NULL;
}
buffer = readFile(filename);
if (NULL != buffer) {
int offset = 0;
unsigned char * encblob = NULL;
uint32_t encsize = 0;
unsigned char * rndblob = NULL;
uint32_t rndsize = 0;
uint32_t keysize = 0;
unsigned char * keyblob = NULL;
unsigned char * outblob = NULL;
uint32_t outblen;
keydata newkey;
STACK_TPM_BUFFER( tb );
rndsize = LOAD32(buffer,offset); offset += 4;
rndblob = &buffer[offset]; offset += rndsize;
encsize = LOAD32(buffer,offset); offset += 4;
encblob = &buffer[offset]; offset += encsize;
keysize = LOAD32(buffer,offset); offset += 4;
keyblob = &buffer[offset]; offset += keysize;
SET_TPM_BUFFER(&tb, keyblob, keysize);
TSS_KeyExtract(&tb, 0,&newkey);
outblob = malloc(encsize);
if (NULL == outblob) {
printf("Error allocating memory for decrypted blob.\n");
exit(-1);
}
outblen = encsize;
if (TPM_MS_REWRAP == migscheme || 0 == rndsize) {
memcpy(newkey.encData.buffer,
encblob,
encsize);
newkey.encData.size = outblen;
ret = 0;
} else {
ret = TPM_ConvertMigrationBlob(migkeyhandle,
keyhashptr,
rndblob, rndsize,
encblob, encsize,
outblob, &outblen);
if (0 == ret) {
memcpy(newkey.encData.buffer,
outblob,
outblen);
newkey.encData.size = outblen;
} else {
printf("ConvertMigrationBlob returned '%s' (0x%x).\n",
TPM_GetErrMsg(ret),
ret);
}
}
if (0 == ret) {
uint32_t newhandle;
ret = TPM_LoadKey(migkeyhandle,
keyhashptr,
&newkey,
&newhandle);
if (0 == ret) {
printf("Successfully loaded key into TPM.\n"
"New Key Handle = %08X\n",
newhandle);
} else {
printf("LoadKey returned '%s' (0x%x).\n",
TPM_GetErrMsg(ret),
ret);
}
}
}
return ret;
}
int main(int argc, char *argv[])
{
int ret;
unsigned char familyTable[256];
uint32_t familyTableSize = sizeof(familyTable);
unsigned char delegateTable[256];
uint32_t delegateTableSize = sizeof(delegateTable);
uint32_t i = 0;
(void)argv;
(void)argc;
TPM_setlog(0);
ret = TPM_Delegate_ReadTable(familyTable, &familyTableSize,
delegateTable, &delegateTableSize);
if (0 != ret) {
printf("Delegate_ReadTable returned error '%s' (%d).\n",
TPM_GetErrMsg(ret),
ret);
} else {
STACK_TPM_BUFFER( buffer )
i = 0;
SET_TPM_BUFFER( &buffer, familyTable, familyTableSize)
while (i < familyTableSize) {
TPM_FAMILY_TABLE_ENTRY fte;
ret = TPM_ReadFamilyTableEntry(&buffer, i, &fte);
if (0 == (ret & ERR_MASK) && ret > 0) {
printf("Family Table Entry:\n"
"familyLabel : %d\n"
"familyID : "OUT_FORMAT("%d","%d")"\n"
"verificationCount : "OUT_FORMAT("%d","%d")"\n"
"flags : "OUT_FORMAT("0x%x","0x%x")"\n\n",
fte.familyLabel,
fte.familyID,
fte.verificationCount,
fte.flags);
} else {
printf("Error %s from TPM_ReadFamilyTableEntry.\n",
TPM_GetErrMsg(ret));
return ret;
}
i += ret;
}
SET_TPM_BUFFER( &buffer, delegateTable, delegateTableSize);
i = 0;
while (i < delegateTableSize) {
TPM_DELEGATE_PUBLIC dtp;
TPM_DELEGATE_INDEX didx = LOAD32(buffer.buffer, i);
i += 4;
ret = TPM_ReadDelegatePublic(&buffer, i, &dtp);
if (0 == (ret & ERR_MASK) && ret > 0) {
printf("\n\nDelegate Table Entry:\n"
"index : "OUT_FORMAT("%d","%d")"\n"
"rowLabel : %d\n"
"permissions : "OUT_FORMAT("0x%08x, 0x%08x","0x%08x, 0x%08x")"\n"
"familyID : "OUT_FORMAT("%d","%d")"\n"
"verificationCount : "OUT_FORMAT("%d","%d")"\n",
didx,
dtp.rowLabel,
dtp.permissions.per1, dtp.permissions.per2,
dtp.familyID,
dtp.verificationCount);
} else {
printf("Error %s from TPM_ReadDelegatePublic.\n",
TPM_GetErrMsg(ret));
exit(ret);
}
i += ret;
}
printf("\n");
ret = 0;
}
exit(ret);
}
uint32_t TPM_Quote2(uint32_t keyhandle,
TPM_PCR_SELECTION * selection,
TPM_BOOL addVersion,
unsigned char *keyauth,
unsigned char *antiReplay,
TPM_PCR_INFO_SHORT * pcrinfo,
struct tpm_buffer *versionblob,
struct tpm_buffer *signature)
{
uint32_t ret;
uint32_t rc;
STACK_TPM_BUFFER( tpmdata )
session sess;
unsigned char pubauth[TPM_HASH_SIZE];
unsigned char nonceodd[TPM_NONCE_SIZE];
unsigned char c = 0;
uint32_t ordinal_no = htonl(TPM_ORD_Quote2);
uint16_t pcrselsize;
uint32_t verinfosize;
uint32_t sigsize;
uint32_t storedsize;
uint32_t keyhndl = htonl(keyhandle);
uint16_t keytype;
struct tpm_buffer * serPCRSelection;
uint32_t serPCRSelectionSize;
/* check input arguments */
if (pcrinfo == NULL ||
selection == NULL ||
antiReplay == NULL) return ERR_NULL_ARG;
keytype = 0x0001;
ret = needKeysRoom(keyhandle, 0, 0, 0);
if (ret != 0) {
return ret;
}
TSS_gennonce(antiReplay);
serPCRSelection = TSS_AllocTPMBuffer(TPM_U16_SIZE +
selection->sizeOfSelect);
if (NULL == serPCRSelection) {
return ERR_MEM_ERR;
}
ret = TPM_WritePCRSelection(serPCRSelection, selection);
if (( ret & ERR_MASK) != 0) {
TSS_FreeTPMBuffer(serPCRSelection);
return ret;
}
serPCRSelectionSize = ret;
if (keyauth != NULL) {
/* Open OSAP Session */
ret = TSS_SessionOpen(SESSION_OSAP|SESSION_DSAP,&sess,keyauth,keytype,keyhandle);
if (ret != 0) {
TSS_FreeTPMBuffer(serPCRSelection);
return ret;
}
/* generate odd nonce */
TSS_gennonce(nonceodd);
/* move Network byte order data to variables for hmac calculation */
/* calculate authorization HMAC value */
ret = TSS_authhmac(pubauth,TSS_Session_GetAuth(&sess),TPM_HASH_SIZE,TSS_Session_GetENonce(&sess),nonceodd,c,
TPM_U32_SIZE,&ordinal_no,
TPM_HASH_SIZE,antiReplay,
serPCRSelectionSize, serPCRSelection->buffer,
sizeof(TPM_BOOL), &addVersion,
0,0);
if (ret != 0) {
TSS_FreeTPMBuffer(serPCRSelection);
TSS_SessionClose(&sess);
return ret;
}
/* build the request buffer */
ret = TSS_buildbuff("00 C2 T l l % % o L % o %",&tpmdata,
ordinal_no,
keyhndl,
TPM_HASH_SIZE,antiReplay,
serPCRSelectionSize,serPCRSelection->buffer,
addVersion,
TSS_Session_GetHandle(&sess),
TPM_NONCE_SIZE,nonceodd,
c,
TPM_HASH_SIZE,pubauth);
TSS_FreeTPMBuffer(serPCRSelection);
if ((ret & ERR_MASK) != 0) {
TSS_SessionClose(&sess);
return ret;
}
/* transmit the request buffer to the TPM device and read the reply */
ret = TPM_Transmit(&tpmdata,"Quote2 - AUTH1");
TSS_SessionClose(&sess);
if (ret != 0) {
return ret;
}
} else {
/* build the request buffer */
ret = TSS_buildbuff("00 C1 T l l % % o",&tpmdata,
ordinal_no,
keyhndl,
TPM_HASH_SIZE,antiReplay,
serPCRSelectionSize,serPCRSelection->buffer,
addVersion);
TSS_FreeTPMBuffer(serPCRSelection);
if ((ret & ERR_MASK) != 0) {
TSS_SessionClose(&sess);
return ret;
}
/* transmit the request buffer to the TPM device and read the reply */
ret = TPM_Transmit(&tpmdata,"Quote2");
TSS_SessionClose(&sess);
if (ret != 0) {
return ret;
}
}
/* calculate the size of the returned Blob */
ret = tpm_buffer_load16(&tpmdata,TPM_DATA_OFFSET, &pcrselsize);
if ((ret & ERR_MASK)) {
return ret;
}
pcrselsize += TPM_U16_SIZE + 1 + TPM_HASH_SIZE;
ret = tpm_buffer_load32(&tpmdata, TPM_DATA_OFFSET + pcrselsize, &verinfosize);
if ((ret & ERR_MASK)) {
return ret;
}
ret = tpm_buffer_load32(&tpmdata, TPM_DATA_OFFSET + pcrselsize + TPM_U32_SIZE + verinfosize, &sigsize);
if ((ret & ERR_MASK)) {
return ret;
}
storedsize = pcrselsize + TPM_U32_SIZE + verinfosize +
TPM_U32_SIZE + sigsize;
if (keyauth != NULL) {
/* check the HMAC in the response */
ret = TSS_checkhmac1(&tpmdata,ordinal_no,nonceodd,TSS_Session_GetAuth(&sess),TPM_HASH_SIZE,
storedsize,TPM_DATA_OFFSET,
0,0);
if (ret != 0) {
return ret;
}
}
/* copy the returned PCR composite to caller */
if (pcrselsize != (rc =
TPM_ReadPCRInfoShort(&tpmdata, TPM_DATA_OFFSET,
pcrinfo))) {
if ((rc & ERR_MASK))
return rc;
return ERR_BUFFER;
}
if (NULL != versionblob) {
SET_TPM_BUFFER(
versionblob,
&tpmdata.buffer[TPM_DATA_OFFSET+pcrselsize+TPM_U32_SIZE],
verinfosize);
}
if (NULL != signature) {
SET_TPM_BUFFER(signature,
&tpmdata.buffer[TPM_DATA_OFFSET+pcrselsize+TPM_U32_SIZE+verinfosize+TPM_U32_SIZE],
sigsize);
}
return ret;
}
uint32_t TPM_Quote(uint32_t keyhandle,
unsigned char *keyauth,
unsigned char *externalData,
TPM_PCR_SELECTION *tps,
TPM_PCR_COMPOSITE *tpc,
struct tpm_buffer *signature)
{
uint32_t ret;
STACK_TPM_BUFFER( tpmdata )
session sess;
unsigned char pubauth[TPM_HASH_SIZE];
unsigned char nonceodd[TPM_NONCE_SIZE];
unsigned char c;
uint32_t ordinal = htonl(TPM_ORD_Quote);
uint32_t keyhndl = htonl(keyhandle);
uint16_t pcrselsize;
uint32_t valuesize;
uint32_t sigsize;
uint32_t offset;
STACK_TPM_BUFFER( serPcrSel );
/* check input arguments */
if (tpc == NULL || externalData == NULL || signature == NULL) return ERR_NULL_ARG;
ret = needKeysRoom(keyhandle, 0, 0, 0);
if (ret != 0) {
return ret;
}
ret = TPM_WritePCRSelection(&serPcrSel, tps);
if ((ret & ERR_MASK))
return ret;
if (keyauth != NULL) /* authdata required */ {
/* Open OSAP Session */
ret = TSS_SessionOpen(SESSION_OSAP|SESSION_DSAP,&sess,
keyauth,TPM_ET_KEYHANDLE,keyhandle);
if (ret != 0) return ret;
/* generate odd nonce */
TSS_gennonce(nonceodd);
/* move Network byte order data to variables for hmac calculation */
c = 0;
/* calculate authorization HMAC value */
ret = TSS_authhmac(pubauth,TSS_Session_GetAuth(&sess),TPM_HASH_SIZE,TSS_Session_GetENonce(&sess),nonceodd,c,
TPM_U32_SIZE,&ordinal,
TPM_HASH_SIZE,externalData,
serPcrSel.used,serPcrSel.buffer,
0,0);
if (ret != 0) {
TSS_SessionClose(&sess);
return ret;
}
/* build the request buffer */
ret = TSS_buildbuff("00 C2 T l l % % L % o %",&tpmdata,
ordinal,
keyhndl,
TPM_HASH_SIZE,externalData,
serPcrSel.used, serPcrSel.buffer,
TSS_Session_GetHandle(&sess),
TPM_NONCE_SIZE,nonceodd,
c,
TPM_HASH_SIZE,pubauth);
if ((ret & ERR_MASK) != 0) {
TSS_SessionClose(&sess);
return ret;
}
/* transmit the request buffer to the TPM device and read the reply */
ret = TPM_Transmit(&tpmdata,"Quote");
TSS_SessionClose(&sess);
if (ret != 0) {
return ret;
}
offset = TPM_DATA_OFFSET;
/* calculate the size of the returned Blob */
ret = tpm_buffer_load16(&tpmdata,offset,&pcrselsize);
if ((ret & ERR_MASK)) {
return ret;
}
offset += TPM_U16_SIZE + pcrselsize;
ret = tpm_buffer_load32(&tpmdata,offset,&valuesize);
if ((ret & ERR_MASK)) {
return ret;
}
offset += TPM_U32_SIZE + valuesize;
ret = tpm_buffer_load32(&tpmdata,offset, &sigsize);
if ((ret & ERR_MASK)) {
return ret;
}
offset += TPM_U32_SIZE;
/* check the HMAC in the response */
ret = TSS_checkhmac1(&tpmdata,ordinal,nonceodd,TSS_Session_GetAuth(&sess),TPM_HASH_SIZE,
offset-TPM_DATA_OFFSET+sigsize,TPM_DATA_OFFSET,
0,0);
if (ret != 0) {
return ret;
}
ret = TPM_ReadPCRComposite(&tpmdata,
TPM_DATA_OFFSET,
tpc);
if ((ret & ERR_MASK)) {
return ret;
}
/* copy the returned blob to caller */
SET_TPM_BUFFER(signature,
&tpmdata.buffer[offset],
sigsize);
} else /* no authdata required */ {
/* build the request buffer */
ret = TSS_buildbuff("00 C1 T l l % %",&tpmdata,
ordinal,
keyhndl,
TPM_HASH_SIZE,externalData,
serPcrSel.used,serPcrSel.buffer);
if ((ret & ERR_MASK) != 0) return ret;
/* transmit the request buffer to the TPM device and read the reply */
ret = TPM_Transmit(&tpmdata,"Quote");
if (ret != 0) return ret;
/* calculate the size of the returned Blob */
offset = TPM_DATA_OFFSET;
ret = tpm_buffer_load16(&tpmdata,offset, &pcrselsize);
if ((ret & ERR_MASK)) {
return ret;
}
offset += TPM_U16_SIZE + pcrselsize;
ret = tpm_buffer_load32(&tpmdata,offset, &valuesize);
if ((ret & ERR_MASK)) {
return ret;
}
offset += TPM_U32_SIZE + valuesize;
ret = tpm_buffer_load32(&tpmdata,offset, &sigsize);
if ((ret & ERR_MASK)) {
return ret;
}
offset += TPM_U32_SIZE;
/* copy the returned PCR composite to caller */
ret = TPM_ReadPCRComposite(&tpmdata,
TPM_DATA_OFFSET,
tpc);
if ((ret & ERR_MASK)) {
return ret;
}
/* copy the returned blob to caller */
SET_TPM_BUFFER(signature,
&tpmdata.buffer[offset],
sigsize);
}
return 0;
}
int main(int argc, char * argv[]) {
char * migrationkeyfile = NULL;
char * filename = NULL;
char * migrationKeyPassword = NULL;
unsigned char migrationkeyUsageAuth[TPM_DIGEST_SIZE];
unsigned char * passptr = NULL;
uint32_t ret = 0;
int i = 0;
keydata migrationkey;
int verbose = FALSE;
uint32_t migrationkeyhandle = 0;
unsigned char * buffer = NULL;
uint32_t bufferSize = 0;
i = 1;
TPM_setlog(0);
while (i < argc) {
if (!strcmp("-if",argv[i])) {
i++;
if (i < argc) {
filename = argv[i];
} else {
printf("Missing parameter for -if.\n");
usage();
exit(-1);
}
}
else if (!strcmp("-pwdm",argv[i])) {
i++;
if (i < argc) {
migrationKeyPassword = argv[i];
} else {
printf("Missing parameter for -pwdm.\n");
usage();
exit(-1);
}
}
else if (!strcmp("-hm",argv[i])) {
i++;
if (i < argc) {
sscanf(argv[i],"%x",&migrationkeyhandle);
} else {
printf("Missing parameter for -hm.\n");
usage();
exit(-1);
}
}
else if (!strcmp("-ik",argv[i])) {
i++;
if (i < argc) {
migrationkeyfile = argv[i];
} else {
printf("Missing parameter for -ik.\n");
usage();
exit(-1);
}
}
else if (!strcmp("-v",argv[i])) {
verbose = TRUE;
TPM_setlog(1);
}
else if (!strcmp("-h",argv[i])) {
usage();
exit(-1);
} else {
printf("\n%s is not a valid option\n", argv[i]);
usage();
exit(-1);
}
i++;
}
if (NULL == migrationkeyfile ||
NULL == filename ||
-1 == (int)migrationkeyhandle) {
printf("Missing or wrong parameter.\n");
usage();
exit(-1);
}
if (NULL != migrationKeyPassword) {
TSS_sha1(migrationKeyPassword,
strlen(migrationKeyPassword),
migrationkeyUsageAuth);
passptr = migrationkeyUsageAuth;
}
/*
* load the key to be migrated from a file.
*/
ret = 0;
buffer = readFile(filename, &bufferSize);
if (NULL != buffer) {
unsigned int offset = 0;
unsigned char * encblob = NULL;
uint32_t encsize = 0;
unsigned char * rndblob = NULL;
uint32_t rndsize = 0;
uint32_t keysize = 0;
unsigned char * keyblob = NULL;
keydata tobemigkey;
STACK_TPM_BUFFER(tb)
rndsize = LOAD32(buffer,offset);
offset += 4;
if (offset > bufferSize) {
printf("Bad input file. Exiting.\n");
return -1;
}
rndblob = &buffer[offset];
offset += rndsize;
if (offset > bufferSize) {
printf("Bad input file. Exiting.\n");
return -1;
}
encsize = LOAD32(buffer,offset);
offset += 4;
if (offset > bufferSize) {
printf("Bad input file. Exiting.\n");
return -1;
}
encblob = &buffer[offset];
offset += encsize;
if (offset > bufferSize) {
printf("Bad input file. Exiting.\n");
return -1;
}
keysize = LOAD32(buffer,offset);
offset += 4;
if (offset > bufferSize) {
printf("Bad input file. Exiting.\n");
return -1;
}
keyblob = &buffer[offset];
offset += keysize;
if (offset != bufferSize) {
printf("Bad input file. Exiting");
return -1;
}
SET_TPM_BUFFER(&tb, keyblob, keysize);
TSS_KeyExtract(&tb,0,&tobemigkey);
/*
* load the migration key from the destination
* TPM from a file. Need the public key part of
* that key.
*/
ret = loadKey(migrationkeyfile, &migrationkey);
if (0 == ret) {
STACK_TPM_BUFFER(keyblob)
uint32_t keyblen = 0;
unsigned char * reencData = malloc(encsize);
uint32_t reencDataSize = encsize;
if (NULL == encblob || NULL == reencData) {
printf("Could not get memory for encryted private key blob.\n");
exit (-1);
}
ret = TPM_WriteKeyPub(&keyblob, &migrationkey);
if (ret & ERR_MASK) {
printf("Could not serialize the keydata!\n");
free(reencData);
exit(-1);
}
keyblen = ret;
ret = TPM_MigrateKey(migrationkeyhandle,
passptr,
keyblob.buffer, keyblen,
encblob, encsize,
reencData, &reencDataSize);
if (0 == ret) {
STACK_TPM_BUFFER(keybuf)
// serialize the key to be migrated
ret = TPM_WriteKey(&keybuf,&tobemigkey);
if (ret > 0) {
unsigned int keybuflen = ret;
FILE * f = fopen(filename,"wb");
if (NULL != f) {
struct tpm_buffer *filebuf = TSS_AllocTPMBuffer(10240);
if (NULL != filebuf) {
int l;
l = TSS_buildbuff("@ @ @",filebuf,
rndsize, rndblob,
reencDataSize, reencData,
keybuflen, keybuf.buffer);
fwrite(filebuf->buffer,
l,
1,
f);
fclose(f);
printf("Wrote migration blob and associated data to file.\n");
ret = 0;
TSS_FreeTPMBuffer(filebuf);
} else {
printf("Error. Could not allocate memory.\n");
ret = -1;
}
}
}
} else {
printf("MigrateKey returned '%s' (0x%x).\n",
TPM_GetErrMsg(ret),
ret);
}
free(reencData);
} else {
printf("Error. Could not load the migration key.");
}
} else {
printf("Error. Could not load the blob from file '%s'.\n",
filename);
}
return ret;
}
