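/**
 * Send an owner-authorised clear request to the TPM over an OIAP session.
 *
 * @param ownpass  Owner authorisation secret; TPM_HASH_SIZE bytes of it are
 *                 used as the HMAC key. Must not be NULL.
 * @return ERR_NULL_ARG if ownpass is NULL, ERR_CRYPT_ERR if the odd nonce
 *         could not be generated, the helper's error code if the session,
 *         HMAC or request-building step fails, otherwise whatever
 *         TPM_Transmit returns.
 */
uint32_t TPM_OwnerClear(unsigned char *ownpass)
{
    unsigned char clear_owner_fmt[] = "00 c2 T l l % 00 %";
    uint32_t ret;
    unsigned char tpmdata[TPM_MAX_BUFF_SIZE];
    unsigned char nonceeven[TPM_HASH_SIZE];
    /* fields to be inserted into Owner Clear Request Buffer */
    uint32_t command;
    uint32_t authhandle;
    unsigned char nonceodd[TPM_HASH_SIZE];
    unsigned char authdata[TPM_HASH_SIZE];

    /* check that parameters are valid */
    if (ownpass == NULL)
        return ERR_NULL_ARG;

    /* 91 (0x5B) is the TPM 1.2 ordinal of TPM_OwnerClear; it is kept in
     * network byte order because the same bytes are fed to the HMAC. */
    command = htonl(91);

    /* generate odd nonce */
    ret = TSS_gennonce(nonceodd);
    if (ret == 0) {
        /* TSS_gennonce signals failure with 0.  Returning that value would
         * tell the caller the clear succeeded although nothing was sent,
         * so report a real error instead. */
        return ERR_CRYPT_ERR;
    }

    /* start OIAP Protocol */
    ret = TSS_OIAPopen(&authhandle, nonceeven);
    if (ret != 0)
        return ret;

    /* authorisation HMAC over the ordinal, keyed with the owner secret */
    ret = TSS_authhmac(authdata, ownpass, TPM_HASH_SIZE, nonceeven, nonceodd, 0,
                       TPM_U32_SIZE, &command,
                       0, 0);
    if (ret != 0) {
        TSS_OIAPclose(authhandle);
        return ret;
    }

    ret = TSS_buildbuff(clear_owner_fmt, tpmdata,
                        command,
                        authhandle,
                        TPM_HASH_SIZE, nonceodd,
                        TPM_HASH_SIZE, authdata);
    if ((ret & ERR_MASK) != 0) {
        TSS_OIAPclose(authhandle);
        return ret;
    }

    /* NOTE(review): the reply's authorisation HMAC is not verified here
     * (there is no TSS_checkhmac1 call), so a success code is taken on
     * trust from the transport - confirm whether that is intended. */
    ret = TPM_Transmit(tpmdata, "Owner Clear");
    TSS_OIAPclose(authhandle);
    return ret;
}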
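/*
 * Command-line front end for TPM_GetCapability / TPM_GetCapabilitySigned.
 *
 * Looks the requested capability up in matrx, builds the optional
 * sub-capability buffer, queries the TPM (signed when a signing key handle
 * was given) and prints the reply in the form selected by
 * matrx[index].result_size.  Exits with 0 on success, with the TPM error
 * code when the query fails, and with -1 on usage or parsing errors.
 *
 * Every length and count taken from the reply is device-controlled data.
 * Counts that drive a read loop are checked against resp.used before use.
 */
int main(int argc, char *argv[])
{
    uint32_t ret;
    STACK_TPM_BUFFER(resp);
    int index = 0;
    STACK_TPM_BUFFER( subcap );;

    TPM_setlog(0);      /* turn off verbose output */

    ParseArgs(argc, argv);

    /* matrx is terminated by an entry whose cap is -1 */
    while ((int)matrx[index].cap != -1) {
        if (cap == matrx[index].cap) {
            break;
        }
        index++;
    }
    if (-1 == (int)matrx[index].cap) {
        printf("Unknown or unsupported capability!\n");
        exit(-1);
    }

    subcap.used = 0;
    if (matrx[index].subcap_size > 0) {
        if ((int)scap == -1) {
            printf("Need subcap parameter for this capability!\n");
            exit(-1);
        }
        /* the generic 16/32-bit encoding is used only when prepare_subcap
         * returns 0 */
        if (0 == prepare_subcap(cap, &subcap, scap)) {
            if (2 == matrx[index].subcap_size) {
                STORE16(subcap.buffer,0,scap);
                subcap.used = 2;
            } else if (matrx[index].subcap_size >= 4) {
                STORE32(subcap.buffer,0,scap);
                subcap.used = 4;
            }
        }
    }

#if 0
    /* This was for VTPM extensions and needs retest */
    if (cap == TPM_CAP_MFR) {
        int idx2 = 0;
        while ((int)mfr_matrix[idx2].cap != -1) {
            if (mfr_matrix[idx2].cap == scap) {
                break;
            }
            idx2++;
        }
        if (mfr_matrix[idx2].subcap_size > 0) {
            uint32_t used = subcap.used + mfr_matrix[idx2].subcap_size;
            while (subcap.used < used) {
                if (argc <= nxtarg) {
                    printf("Need one more parameter for this "
                           "capability!\n");
                    exit(-1);
                }
                if (!strncmp("0x",argv[nxtarg],2)) {
                    sscanf(argv[nxtarg],"%x",&sscap);
                } else {
                    sscanf(argv[nxtarg],"%d",&sscap);
                }
                nxtarg++;
                if (2 == matrx[index].subcap_size) {
                    STORE16(subcap.buffer, subcap.used,sscap);
                    subcap.used += 2;
                } else if (matrx[index].subcap_size >= 4) {
                    STORE32(subcap.buffer, subcap.used,sscap);
                    subcap.used += 4;
                }
            }
        }
    }
#endif

    if (0 == sikeyhandle) {
        ret = TPM_GetCapability(cap, &subcap, &resp);

        if (0 != ret) {
            printf("TPM_GetCapability returned %s.\n",
                   TPM_GetErrMsg(ret));
            exit(ret);
        }
    } else {
        unsigned char antiReplay[TPM_HASH_SIZE];
        unsigned char signature[2048];
        uint32_t signaturelen = sizeof(signature);
        pubkeydata pubkey;
        RSA * rsa;
        unsigned char sighash[TPM_HASH_SIZE];
        unsigned char * buffer = NULL;
        unsigned char * sigkeyhashptr = NULL;
        unsigned char sigkeypasshash[TPM_HASH_SIZE];

        /* The key password arrives via the command line (ParseArgs), so it
         * is visible to other local users in the process list. */
        if (NULL != sikeypass) {
            TSS_sha1(sikeypass,strlen(sikeypass),sigkeypasshash);
            sigkeyhashptr = sigkeypasshash;
        }

        /* The nonce is what makes the signed reply fresh.  TSS_gennonce
         * reports failure with 0; without this check an uninitialised
         * stack buffer would be sent and signed instead. */
        if (0 == TSS_gennonce(antiReplay)) {
            printf("Could not generate the anti-replay nonce.\n");
            exit(-1);
        }

        /* NOTE(review): the verification key is fetched from the same TPM
         * that produces the signature, so the check below only shows that
         * reply and key are consistent with each other.  Authenticating
         * the TPM needs a public key obtained out of band. */
        ret = TPM_GetPubKey(sikeyhandle, sigkeyhashptr, &pubkey);
        if (0 != ret) {
            printf("Error while trying to access the signing key's public key.\n");
            exit(-1);
        }

        rsa = TSS_convpubkey(&pubkey);
        if (NULL == rsa) {
            /* presumably NULL means the conversion failed; RSA_verify must
             * not be handed a NULL key */
            printf("Could not convert the signing key's public key.\n");
            exit(-1);
        }

        ret = TPM_GetCapabilitySigned(sikeyhandle,
                                      sigkeyhashptr,
                                      antiReplay,
                                      cap,
                                      &subcap,
                                      &resp,
                                      signature, &signaturelen);

        if (0 != ret) {
            printf("TPM_GetCapabilitySigned returned %s.\n",
                   TPM_GetErrMsg(ret));
            exit(ret);
        }

        /* the signed digest is SHA-1(response || antiReplay) */
        buffer = malloc(resp.used+TPM_NONCE_SIZE);
        if (NULL == buffer) {
            printf("Could not allocate buffer.\n");
            exit(-1);
        }
        memcpy(&buffer[0], resp.buffer, resp.used);
        memcpy(&buffer[resp.used], antiReplay, TPM_NONCE_SIZE);

        TSS_sha1(buffer, resp.used+TPM_NONCE_SIZE, sighash);
        free(buffer);

        /* RSA_verify returns 1 only for a valid signature; every other
         * value, including error returns, is treated as a failure */
        ret = RSA_verify(NID_sha1,
                         sighash,TPM_HASH_SIZE,
                         signature,signaturelen,
                         rsa);
        if (1 != ret) {
            printf("Error: Signature verification failed.\n");
            exit(-1);
        }
    }

    if (0 == resp.used) {
        printf("Empty response.\n");
    } else {

        if (-1 == (int)scap) {
            printf("Result for capability 0x%x is : ",cap);
        } else {
            printf("Result for capability 0x%x, subcapability 0x%x is : ",cap,scap);
        }
        if (TYPE_BOOL == matrx[index].result_size) {
            if (resp.buffer[0] == 0) {
                printf("FALSE\n");
            } else {
                printf("TRUE\n");
            }
        } else
        if (TYPE_UINT32 == matrx[index].result_size) {
            uint32_t rsp;
            rsp = LOAD32(resp.buffer,0);
            printf("0x%08X = %d\n",rsp,rsp);
        } else
        if (TYPE_UINT32_ARRAY == matrx[index].result_size) {
            int i = 0;
            printf("\n");
            /* bounded by resp.used, so only complete 32-bit items are read */
            while (i+3 < (int)resp.used) {
                uint32_t rsp = LOAD32(resp.buffer,i);
                i+=4;
                if (TPM_CAP_NV_LIST == cap) {
                    /* don't zero extend, grep needs the exact value for test suite */
                    printf("%d. Index : %d = 0x%x.\n",
                           i/4,
                           rsp,
                           rsp);
                } else
                if (TPM_CAP_KEY_HANDLE == cap) {
                    printf("%d. keyhandle : %d.\n",
                           i/4,
                           rsp);
                } else {
                    printf("%d. item : %d.\n",
                           i/4,
                           rsp);
                }
            }
        } else
        if (TYPE_STRUCTURE == matrx[index].result_size) {
            switch(cap) {
            case TPM_CAP_FLAG:
                {
                    if (scap == TPM_CAP_FLAG_PERMANENT) {
                        TPM_PERMANENT_FLAGS pf;
                        STACK_TPM_BUFFER(tb)
                        TSS_SetTPMBuffer(&tb, resp.buffer, resp.used);
                        ret = TPM_ReadPermanentFlags(&tb, 0, &pf, resp.used);
                        if ( ( ret & ERR_MASK ) != 0 || ret > resp.used) {
                            printf("ret=%x, responselen=%d\n",ret,resp.used);
                            printf("Error parsing response!\n");
                            exit(-1);
                        }

                        printf("\n");
                        showPermanentFlags(&pf, resp.used);
                    } else if (scap == TPM_CAP_FLAG_VOLATILE) {
                        TPM_STCLEAR_FLAGS sf;
                        STACK_TPM_BUFFER(tb);
                        TSS_SetTPMBuffer(&tb, resp.buffer, resp.used);
                        ret = TPM_ReadSTClearFlags(&tb, 0, &sf);
                        if ( ( ret & ERR_MASK ) != 0 || ret > resp.used) {
                            printf("ret=%x, responselen=%d\n",ret,resp.used);
                            printf("Error parsing response!\n");
                            exit(-1);
                        }

                        printf("\n");
                        showVolatileFlags(&sf);
                    }
                }
                break;

            case TPM_CAP_KEY_HANDLE:
                {
                    uint16_t num;
                    uint32_t i = 0;
                    uint32_t handle;

                    /* The count comes from the device.  Reject it unless
                     * the reply really holds that many 32-bit handles
                     * after the 16-bit count, otherwise the loop would
                     * read past the response buffer. */
                    if (resp.used < 2 ||
                        (resp.used - 2) / 4 < LOAD16(resp.buffer, 0)) {
                        printf("Error parsing response!\n");
                        exit(-1);
                    }
                    num = LOAD16(resp.buffer, 0);
                    printf("\n");
                    while (i < num) {
                        handle = LOAD32(resp.buffer,2+i*4);
                        printf("%d. handle: 0x%08X\n",
                               i,
                               handle);
                        i++;
                    }
                }
                break;

            case TPM_CAP_NV_INDEX:
                {
                    /* zeroed so that nothing printed from it can be stale
                     * stack data */
                    unsigned char scratch_info[256] = {0};
                    /* NOTE(review): passed uninitialised in the original;
                     * preset to the buffer size in case TSS_GenPCRInfo
                     * treats it as a capacity - confirm */
                    uint32_t scratch_info_len = sizeof(scratch_info);
                    TPM_NV_DATA_PUBLIC ndp;
                    uint32_t i, c;
                    STACK_TPM_BUFFER(tb)
                    TSS_SetTPMBuffer(&tb, resp.buffer, resp.used);
                    ret = TPM_ReadNVDataPublic(&tb, 0, &ndp);
                    if ( ( ret & ERR_MASK) != 0) {
                        printf("Could not deserialize the TPM_NV_DATA_PUBLIC structure.\n");
                        exit(-1);
                    }
                    printf("permission.attributes : %08X\n",(unsigned int)ndp.permission.attributes);
                    printf("ReadSTClear : %02X\n",ndp.bReadSTClear);
                    printf("WriteSTClear : %02X\n",ndp.bWriteSTClear);
                    printf("WriteDefine : %02X\n",ndp.bWriteDefine);
                    printf("dataSize : %08X = %d",(unsigned int)ndp.dataSize,
                           (unsigned int)ndp.dataSize);

                    /* NOTE(review): sizeOfSelect is taken from the parsed
                     * reply; this loop relies on TPM_ReadNVDataPublic
                     * having bounded it to the pcrSelect array - confirm. */
                    c = 0;
                    for (i = 0; i < ndp.pcrInfoRead.pcrSelection.sizeOfSelect*8; i++) {
                        if (ndp.pcrInfoRead.pcrSelection.pcrSelect[(i / 8)] & (1 << (i & 0x7))) {
                            if (!c)
                                printf("\nRead PCRs selected: ");
                            else
                                printf(", ");
                            printf("%d", i);
                            c++;
                        }
                    }

                    if (c) {
                        unsigned char pcrmap[4] = {0};
                        uint32_t pcrmask = 0;
                        size_t sel = ndp.pcrInfoRead.pcrSelection.sizeOfSelect;
                        const unsigned char *current = &scratch_info[5];
                        int have_current = 0;

                        /* pcrmap has room for 32 PCRs.  A larger selection
                         * used to overflow it on the stack; now the
                         * comparison with the current state is skipped. */
                        if (sel <= sizeof(pcrmap)) {
                            memcpy(pcrmap, ndp.pcrInfoRead.pcrSelection.pcrSelect, sel);
                            /* memcpy avoids the misaligned, type-punned
                             * read of the former *(uint32_t *)pcrmap */
                            memcpy(&pcrmask, pcrmap, sizeof(pcrmask));
                            ret = TSS_GenPCRInfo(pcrmask,
                                                 scratch_info,
                                                 &scratch_info_len);
                            have_current = (0 == ret);
                        }

                        printf("\nRead PCR Composite: ");
                        for (i = 0; i < 20; i++)
                            printf("%02x", ndp.pcrInfoRead.digestAtRelease[i] & 0xff);
                        printf("\n");

                        /* the current composite is shown only when it was
                         * actually computed; the digest is read at offset
                         * 5 of the generated structure */
                        if (have_current) {
                            printf("\nCurrent PCR composite: ");
                            for (i = 0; i < 20; i++)
                                printf("%02x", current[i] & 0xff);
                            printf("\n");

                            printf("Matches current TPM state: ");
                            if (!memcmp(current,
                                        &ndp.pcrInfoRead.digestAtRelease,
                                        20)) {
                                printf("Yes\n");
                            } else {
                                printf("No\n");
                            }
                        }
                    }

                    c = 0;
                    for (i = 0; i < ndp.pcrInfoWrite.pcrSelection.sizeOfSelect*8; i++) {
                        if (ndp.pcrInfoWrite.pcrSelection.pcrSelect[(i / 8)] & (1 << (i & 0x7))) {
                            if (!c)
                                printf("\nWrite PCRs selected: ");
                            else
                                printf(", ");
                            printf("%d", i);
                            c++;
                        }
                    }

                    if (c) {
                        printf("\nWrite PCR Composite: ");
                        for (i = 0; i < 20; i++)
                            printf("%02x", ndp.pcrInfoWrite.digestAtRelease[i] & 0xff);
                        printf("\n");
                    }
                }
                break;

            case TPM_CAP_HANDLE:
                {
                    uint16_t num;
                    uint16_t x = 0;

                    /* same check as for TPM_CAP_KEY_HANDLE: the handle
                     * count must fit inside the bytes that were received */
                    if (resp.used < sizeof(num) ||
                        (resp.used - sizeof(num)) / 4 < LOAD16(resp.buffer, 0)) {
                        printf("Error parsing response!\n");
                        exit(-1);
                    }
                    num = LOAD16(resp.buffer, 0);
                    while (x < num) {
                        uint32_t handle = LOAD32(resp.buffer,
                                                 sizeof(num)+4*x);
                        printf("%02d. 0x%08X\n",x,handle);
                        x++;
                    }
                }
                break;

            case TPM_CAP_VERSION_VAL:
                {
                    int i = 0;
                    TPM_CAP_VERSION_INFO cvi;
                    STACK_TPM_BUFFER(tb)
                    TSS_SetTPMBuffer(&tb, resp.buffer, resp.used);
                    ret = TPM_ReadCapVersionInfo(&tb, 0, &cvi);
                    if ( ( ret & ERR_MASK) != 0) {
                        printf("Could not read the version info structure.\n");
                        exit(-1);
                    }

                    printf("\n");
                    printf("major : 0x%02X\n",cvi.version.major);
                    printf("minor : 0x%02X\n",cvi.version.minor);
                    printf("revMajor : 0x%02X\n",cvi.version.revMajor);
                    printf("revMinor : 0x%02X\n",cvi.version.revMinor);
                    printf("specLevel : 0x%04X\n",cvi.specLevel);
                    printf("errataRev : 0x%02X\n",cvi.errataRev);

                    printf("VendorID : ");
                    while (i < 4) {
                        printf("%02X ",cvi.tpmVendorID[i]);
                        i++;
                    }
                    printf("\n");
                    /* Print vendor ID in text if printable */
                    for (i=0 ; i<4 ; i++) {
                        if (isprint(cvi.tpmVendorID[i])) {
                            if (i == 0) {
                                printf("VendorID : ");
                            }
                            printf("%c", cvi.tpmVendorID[i]);
                        }
                        else {
                            break;
                        }
                    }
                    printf("\n");

                    printf("[not displaying vendor specific information]\n");
                }
                break;
#if 0	/* kgold: I don't think these are valid cap values */
            case TPM_CAP_FLAG_PERMANENT:
                {
                    TPM_PERMANENT_FLAGS pf;
                    STACK_TPM_BUFFER(tb)
                    TSS_SetTPMBuffer(&tb, resp.buffer, resp.used);

                    if (resp.used == 21) {
                        ret = TPM_ReadPermanentFlagsPre103(&tb, 0, &pf);
                    } else {
                        ret = TPM_ReadPermanentFlags(&tb, 0, &pf);
                    }
                    if ( ( ret & ERR_MASK ) != 0 || ret > resp.used) {
                        printf("ret=%x, responselen=%d\n",ret,resp.used);
                        printf("Error parsing response!\n");
                        exit(-1);
                    }

                    printf("\n");
                    showPermanentFlags(&pf, resp.used);
                }
                break;

            case TPM_CAP_FLAG_VOLATILE:
                {
                    TPM_STCLEAR_FLAGS sf;
                    STACK_TPM_BUFFER(tb);
                    TSS_SetTPMBuffer(&tb, resp.buffer, resp.used);
                    ret = TPM_ReadSTClearFlags(&tb, 0, &sf);
                    if ( ( ret & ERR_MASK ) != 0 || ret > resp.used) {
                        printf("ret=%x, responselen=%d\n",ret,resp.used);
                        printf("Error parsing response!\n");
                        exit(-1);
                    }

                    printf("\n");
                    showVolatileFlags(&sf);
                }
                break;
#endif
            case TPM_CAP_DA_LOGIC:
                {
                    uint32_t ctr;
                    TPM_BOOL lim = FALSE;
                    TPM_DA_INFO dainfo;
                    TPM_DA_INFO_LIMITED dainfo_lim;
                    STACK_TPM_BUFFER(tb);
                    TSS_SetTPMBuffer(&tb, resp.buffer, resp.used);
                    /* try the full structure first and fall back to the
                     * limited one when that does not parse */
                    ret = TPM_ReadDAInfo(&tb, 0, &dainfo);
                    if ( ( ret & ERR_MASK) != 0 || ret > resp.used) {
                        ret = TPM_ReadDAInfoLimited(&tb, 0, &dainfo_lim);
                        if ( (ret & ERR_MASK ) != 0 || ret > resp.used) {
                            printf("ret=%x, responselen=%d\n",ret,resp.used);
                            printf("Error parsing response!\n");
                            exit(-1);
                        } else {
                            lim = TRUE;
                        }
                    }

                    printf("\n");
                    if (lim) {
                        printf("State : %d\n",dainfo_lim.state);
                        printf("Actions : 0x%08x\n",dainfo_lim.actionAtThreshold.actions);

                        /* NOTE(review): vendorData.size comes from the
                         * parsed reply; this assumes the parser bounded it
                         * to vendorData.buffer - confirm */
                        ctr = 0;
                        while (ctr < dainfo_lim.vendorData.size) {
                            printf("%02x ",(unsigned char)dainfo_lim.vendorData.buffer[ctr]);
                            ctr++;
                        }
                    } else {
                        printf("State : %d\n",dainfo.state);
                        printf("currentCount : %d\n",dainfo.currentCount);
                        printf("thresholdCount : %d\n",dainfo.thresholdCount);
                        printf("Actions : 0x%08x\n",dainfo.actionAtThreshold.actions);
                        printf("actionDependValue : %d\n",dainfo.actionDependValue);

#if 0
                        ctr = 0;
                        while (ctr < dainfo_lim.vendorData.size) {
                            printf("%02x ",(unsigned char)dainfo_lim.vendorData.buffer[ctr]);
                            ctr++;
                        }
#endif
                    }
                }
                break;
            }
        } else
        if (TYPE_VARIOUS == matrx[index].result_size) {
            switch(cap) {

            case TPM_CAP_MFR:
                switch (scap) {
                case TPM_CAP_PROCESS_ID:
                    {
                        uint32_t rsp;
                        rsp = LOAD32(resp.buffer,0);
                        printf("%d\n",rsp);
                    }
                    break;
                }
                break; /* TPM_CAP_MFR */

            default:
                /* Show booleans */
                if (scap == TPM_CAP_PROP_OWNER ||
                    scap == TPM_CAP_PROP_DAA_INTERRUPT
                    ) {
                    if (0 == resp.buffer[0]) {
                        printf("FALSE\n");
                    } else {
                        printf("TRUE\n");
                    }
                } else /* check for array of 4 UINTs */
                if (scap == TPM_CAP_PROP_TIS_TIMEOUT /* ||
                    scap == TPM_CAP_PROP_TIMEOUTS */) {
                    int i = 0;
                    while (i < 4) {
                        uint32_t val = LOAD32(resp.buffer,i * 4);
                        printf("%d ",
                               val);
                        i++;
                    }
                    printf("\n");
                } else /* check for TPM_STARTUP_EFFECTS */
                if (scap == TPM_CAP_PROP_STARTUP_EFFECT) {
                    TPM_STARTUP_EFFECTS se = 0;
                    ret = TPM_ReadStartupEffects(resp.buffer,
                                                 &se);
                    if ( ( ret & ERR_MASK ) != 0 ) {
                        printf("Could not read startup effects structure.\n");
                        exit(-1);
                    }
                    printf("0x%08X=%d\n",
                           (unsigned int)se,
                           (unsigned int)se);
                    printf("\n");
                    printf("Startup effects:\n");
                    printf("Effect on audit digest: %s\n",
                           (se & (1 << 7))
                           ? "none"
                           : "active");
                    printf("Audit Digest on TPM_Startup(ST_CLEAR): %s\n",
                           ( se & (1 << 6))
                           ? "set to NULL"
                           : "not set to NULL" );

                    printf("Audit Digest on TPM_Startup(any) : %s\n",
                           ( se & (1 << 5))
                           ? "set to NULL"
                           : "not set to NULL" );

                    printf("TPM_RT_KEY resource initialized on TPM_Startup(ST_ANY) : %s\n",
                           (se & ( 1 << 4))
                           ? "yes"
                           : "no");

                    printf("TPM_RT_AUTH resource initialized on TPM_Startup(ST_STATE) : %s\n",
                           (se & ( 1 << 3))
                           ? "yes"
                           : "no");

                    printf("TPM_RT_HASH resource initialized on TPM_Startup(ST_STATE) : %s\n",
                           (se & ( 1 << 2))
                           ? "yes"
                           : "no");

                    printf("TPM_RT_TRANS resource initialized on TPM_Startup(ST_STATE) : %s\n",
                           (se & ( 1 << 1))
                           ? "yes"
                           : "no");

                    printf("TPM_RT_CONTEXT session initialized on TPM_Startup(ST_STATE): %s\n",
                           (se & ( 1 << 0))
                           ? "yes"
                           : "no");
                } else /* check for array of 3 UINTs */
                if (scap == TPM_CAP_PROP_DURATION) {
                    int i = 0;
                    while (i < 4*3) {
                        uint32_t val = LOAD32(resp.buffer,i);
                        printf("%d ",
                               val);
                        i+= 4;
                    }
                    printf("\n");
                } else /* check for TPM_COUNT_ID */
                if (scap == TPM_CAP_PROP_ACTIVE_COUNTER) {
                    uint32_t val = LOAD32(resp.buffer,0);
                    printf("0x%08X=%d",val,val);
                    if (0xffffffff == val) {
                        printf(" (no counter is active)");
                    }
                    printf("\n");
                } else { /* just a single UINT32 */
                    printf("%ld=0x%08lX.\n",
                           (long)LOAD32(resp.buffer, 0),
                           (long)LOAD32(resp.buffer, 0));
                }
            }
        }
    }

    printf("\n");
    exit(0);
}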
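/*
 * Check whether the manufacturer maintenance public key held by the TPM is
 * the one stored in a key file.
 *
 * Usage: [-v] <key file>.  The tool serialises the public key from the file,
 * asks the TPM for a digest bound to a fresh nonce (TPM_ReadManuMaintPub)
 * and compares that digest with SHA-1(serialised key || nonce).  It exits
 * with 0 when the digests match, with the TPM error code when the query
 * fails, and with -1 otherwise.
 */
int main(int argc, char *argv[])
{
    unsigned char nonce[TPM_NONCE_SIZE];
    unsigned char digest[TPM_DIGEST_SIZE];
    unsigned char calcdigest[TPM_DIGEST_SIZE];
    uint32_t ret;
    struct keydata key;
    STACK_TPM_BUFFER(serKeyData)
    uint32_t serKeySize;
    char * pubKeyFile = NULL;
    uint32_t buffersize;
    char * buffer = NULL;
    int index = 1;

    /* "-v" is only recognised when a key file argument follows it */
    if (argc >= 3 && 0 == strcmp(argv[index],"-v")) {
        TPM_setlog(1);
        index++;
    } else {
        TPM_setlog(0);
    }

    if (index >= argc) {
        usage();
        exit(-1);
    }

    pubKeyFile = argv[index];

    if (NULL == pubKeyFile) {
        usage();
        exit(-1);
    }

    /* The nonce binds the TPM's digest to this run.  TSS_gennonce reports
     * failure with 0; ignoring that would feed uninitialised stack bytes
     * into the exchange. */
    if (0 == TSS_gennonce(nonce)) {
        printf("Error - could not generate nonce.\n");
        exit(-1);
    }

    ret = TPM_ReadKeyfile(pubKeyFile, &key);
    if ( ( ret & ERR_MASK ) != 0 ) {
        printf("Error - could not read key file.\n");
        exit (-1);
    }

    /* on success the return value is the serialised length */
    ret = TPM_WriteKeyPub(&serKeyData, &key);
    if ( ( ret & ERR_MASK ) != 0 ) {
        exit (-1);
    }
    serKeySize = ret;

    ret = TPM_ReadManuMaintPub(nonce, digest);

    if ( 0 != ret ) {
        printf("Error %s from ReadManuMainPub.\n",
               TPM_GetErrMsg(ret));
        exit(ret);
    }

    /*
     * Now check the digest against the serialized public key
     * and the hash.
     */
    buffersize = serKeySize + sizeof(nonce);
    buffer = malloc(buffersize);
    if (NULL == buffer) {
        exit (-1);
    }
    memcpy(buffer, serKeyData.buffer, serKeySize);
    memcpy(&buffer[serKeySize], nonce, sizeof(nonce));
    TSS_sha1(buffer, buffersize, calcdigest);
    free(buffer);

    /* both digests are derived from public data, so a plain memcmp is
     * sufficient here */
    if (0 == memcmp(calcdigest, digest, sizeof(digest))) {
        printf("The same public key is in the TPM.\n");
        ret = 0;
    } else {
        printf("Another public key is in the TPM.\n");
        ret = -1;
    }

    exit(ret);
}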
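/**
 * Query the TPM's volatile and non-volatile flag words with owner
 * authorisation (OSAP session, HMAC-checked reply).
 *
 * @param ownpass    Owner authorisation secret used to open the session.
 * @param volflags   Receives the 32-bit value read from the third field of
 *                   the reply.
 * @param nvolflags  Receives the 32-bit value read from the second field of
 *                   the reply.
 * @return 0 on success, ERR_NULL_ARG if any pointer is NULL, ERR_CRYPT_ERR
 *         if the odd nonce could not be generated, otherwise the error
 *         reported by the failing helper.
 */
uint32_t TPM_GetCapabilityOwner(unsigned char *ownpass, uint32_t * volflags, uint32_t * nvolflags)
{
    uint32_t ret;
    STACK_TPM_BUFFER(tpmdata)
    /* data to be inserted into Request Buffer (in Network Byte Order) */
    /* the uint32_t and uint16_t values are stored in network byte order so they
    ** are in the correct format when being hashed by the HMAC calculation */
    uint32_t command;                        /* command ordinal */
    unsigned char nonceodd[TPM_HASH_SIZE];   /* odd nonce */
    unsigned char authdata[TPM_HASH_SIZE];   /* auth data */
    session sess;

    /* check that parameters are valid */
    if (ownpass == NULL || volflags == NULL || nvolflags == NULL)
        return ERR_NULL_ARG;

    /* set up command and protocol values for the GetCapabilityOwner request */
    command = htonl(TPM_ORD_GetCapabilityOwner);

    /* generate the odd nonce */
    ret = TSS_gennonce(nonceodd);
    if (ret == 0) {
        /* 0 means the nonce could not be generated.  Returning it would
         * report success while *volflags and *nvolflags stay unset, so
         * callers would act on uninitialised flag words. */
        return ERR_CRYPT_ERR;
    }

    /* initiate the OSAP protocol */
    ret = TSS_SessionOpen(SESSION_OSAP, &sess, ownpass, TPM_OWNER_ETYPE, TPM_OWNER_EVALUE);
    if (ret)
        return ret;

    /* calculate the Authorization Data */
    ret = TSS_authhmac(authdata, TSS_Session_GetAuth(&sess), TPM_HASH_SIZE,
                       TSS_Session_GetENonce(&sess), nonceodd, 0,
                       TPM_U32_SIZE, &command,
                       0, 0);
    if (ret) {
        TSS_SessionClose(&sess);
        return ret;
    }

    /* insert all the calculated fields into the request buffer */
    ret = TSS_buildbuff("00 c2 T l L % 00 %", &tpmdata,
                        command,
                        TSS_Session_GetHandle(&sess),
                        TPM_HASH_SIZE, nonceodd,
                        TPM_HASH_SIZE, authdata);
    if (ret & ERR_MASK) {
        TSS_SessionClose(&sess);
        return ret;
    }

    /* transmit the request buffer to the TPM device and read the reply */
    ret = TPM_Transmit(&tpmdata, "GetCapabilityOwner");
    TSS_SessionClose(&sess);
    if (ret)
        return ret;

    /* NOTE(review): the session secret is read from sess after
     * TSS_SessionClose; this relies on the close call leaving the local
     * session data intact - confirm.
     * The reply HMAC covers the three 32-bit fields that start at
     * TPM_DATA_OFFSET, and it is verified before any field is copied out. */
    ret = TSS_checkhmac1(&tpmdata, command, nonceodd,
                         TSS_Session_GetAuth(&sess), TPM_HASH_SIZE,
                         TPM_U32_SIZE, TPM_DATA_OFFSET,
                         TPM_U32_SIZE, TPM_DATA_OFFSET + TPM_U32_SIZE,
                         TPM_U32_SIZE, TPM_DATA_OFFSET + TPM_U32_SIZE + TPM_U32_SIZE,
                         0, 0);
    if (ret)
        return ret;

    ret = tpm_buffer_load32(&tpmdata, TPM_DATA_OFFSET + 4, nvolflags);
    if (ret & ERR_MASK)
        return ret;

    ret = tpm_buffer_load32(&tpmdata, TPM_DATA_OFFSET + 4 + TPM_U32_SIZE, volflags);
    if (ret & ERR_MASK)
        return ret;

    return 0;
}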
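/*
 * Read the capability length and the signature length from a
 * GetCapabilitySigned reply and check that both describe data inside the
 * bytes that were actually received.
 *
 * NOTE(review): assumes TPM_Transmit leaves tb->used at the length of the
 * reply - confirm.  The page shows no dedicated "malformed response" code,
 * so ERR_BAD_ARG is returned; substitute the project's own code if it has
 * one.
 */
static uint32_t getcapsigned_read_lengths(struct tpm_buffer *tb,
                                          uint32_t *rlen,
                                          uint32_t *ssize)
{
    const uint32_t resp_off = TPM_DATA_OFFSET + TPM_U32_SIZE + TPM_U32_SIZE;
    uint32_t sig_off;
    uint32_t ret;

    ret = tpm_buffer_load32(tb, TPM_DATA_OFFSET + TPM_U32_SIZE, rlen);
    if (ret & ERR_MASK)
        return ret;
    /* comparing against the remaining space keeps the offset arithmetic
     * below from wrapping around */
    if (tb->used < resp_off || *rlen > tb->used - resp_off)
        return ERR_BAD_ARG;

    ret = tpm_buffer_load32(tb, resp_off + *rlen, ssize);
    if (ret & ERR_MASK)
        return ret;
    sig_off = resp_off + *rlen + TPM_U32_SIZE;
    if (sig_off > tb->used || *ssize > tb->used - sig_off)
        return ERR_BAD_ARG;

    return 0;
}

/**
 * Ask the TPM for a capability value together with a signature over it.
 *
 * @param keyhandle   Handle of the signing key.
 * @param keypass     Authorisation secret of the key, or NULL to send the
 *                    request without an authorisation session.
 * @param antiReplay  Caller-chosen nonce, TPM_NONCE_SIZE bytes; not NULL.
 * @param caparea     Capability area to query.
 * @param scap        Optional sub-capability buffer (may be NULL).
 * @param resp        Receives the capability data; not NULL.
 * @param sig         Optional buffer for the signature (may be NULL).
 * @param siglen      In: capacity of sig; out: number of bytes copied.
 *                    Required when sig is not NULL.
 * @return 0 on success, ERR_NULL_ARG for a missing required pointer,
 *         ERR_CRYPT_ERR if the odd nonce could not be generated,
 *         ERR_BAD_ARG if the reply's length fields do not fit the received
 *         data, otherwise the error reported by the failing helper.
 *
 * Without keypass the reply carries no authorisation HMAC, so the signature
 * is the only integrity protection the caller gets.
 */
uint32_t TPM_GetCapabilitySigned(uint32_t keyhandle, unsigned char *keypass, unsigned char *antiReplay, uint32_t caparea, struct tpm_buffer * scap, struct tpm_buffer * resp, unsigned char *sig, uint32_t * siglen)
{
    uint32_t ret;
    uint32_t rlen;
    STACK_TPM_BUFFER(tpmdata)	/* request/response buffer */
    uint32_t ordinal_no = htonl(TPM_ORD_GetCapabilitySigned);
    uint32_t keyhandle_no = htonl(keyhandle);
    uint32_t caparea_no = htonl(caparea);
    unsigned char c = 0;
    unsigned char authdata[TPM_HASH_SIZE];
    uint32_t ssize;
    unsigned char *buffer = NULL;
    uint32_t subcaplen = 0;
    uint32_t subcaplen_no;

    /* check arguments before any TPM resource is touched; sig without
     * siglen would be dereferenced as NULL further down */
    if (resp == NULL || antiReplay == NULL || (sig != NULL && siglen == NULL))
        return ERR_NULL_ARG;

    if (scap) {
        subcaplen = scap->used;
        buffer = scap->buffer;
    }
    subcaplen_no = htonl(subcaplen);

    ret = needKeysRoom(keyhandle, 0, 0, 0);
    if (ret)
        return ret;

    if (keypass) {
        unsigned char nonceodd[TPM_HASH_SIZE];
        session sess;

        ret = TSS_gennonce(nonceodd);
        if (ret == 0)
            return ERR_CRYPT_ERR;

        ret = TSS_SessionOpen(SESSION_OSAP | SESSION_OIAP,
                              &sess,
                              keypass, TPM_ET_KEYHANDLE, keyhandle);
        if (ret)
            return ret;

        /* move Network byte order data to variable for hmac calculation */
        ret = TSS_authhmac(authdata, TSS_Session_GetAuth(&sess), TPM_HASH_SIZE,
                           TSS_Session_GetENonce(&sess), nonceodd, c,
                           TPM_U32_SIZE, &ordinal_no,
                           TPM_NONCE_SIZE, antiReplay,
                           TPM_U32_SIZE, &caparea_no,
                           TPM_U32_SIZE, &subcaplen_no,
                           subcaplen, buffer,
                           0, 0);
        if (ret) {
            TSS_SessionClose(&sess);
            return ret;
        }

        ret = TSS_buildbuff("00 c2 T l l % l @ L % o %", &tpmdata,
                            ordinal_no,
                            keyhandle_no,
                            TPM_NONCE_SIZE, antiReplay,
                            caparea_no,
                            subcaplen, buffer,
                            TSS_Session_GetHandle(&sess),
                            TPM_NONCE_SIZE, nonceodd,
                            c,
                            TPM_HASH_SIZE, authdata);
        if (ret & ERR_MASK) {
            TSS_SessionClose(&sess);
            return ret;
        }

        /* transmit the request buffer to the TPM device and read the reply */
        ret = TPM_Transmit(&tpmdata, "GetCapability - AUTH1");
        TSS_SessionClose(&sess);
        if (ret)
            return ret;

        /* the lengths are validated before they are handed to the HMAC
         * check, which is told how many bytes of the reply to cover */
        ret = getcapsigned_read_lengths(&tpmdata, &rlen, &ssize);
        if (ret)
            return ret;

        /* NOTE(review): the session secret is read after TSS_SessionClose;
         * this relies on the close call leaving sess intact - confirm */
        ret = TSS_checkhmac1(&tpmdata, ordinal_no, nonceodd,
                             TSS_Session_GetAuth(&sess), TPM_HASH_SIZE,
                             TPM_U32_SIZE + TPM_U32_SIZE + rlen + TPM_U32_SIZE + ssize, TPM_DATA_OFFSET,
                             0, 0);
        if (ret)
            return ret;
    } else {
        ret = TSS_buildbuff("00 c1 T l l % l @", &tpmdata,
                            ordinal_no,
                            keyhandle_no,
                            TPM_NONCE_SIZE, antiReplay,
                            caparea_no,
                            subcaplen, buffer);
        if (ret & ERR_MASK)
            return ret;

        /* transmit the request buffer to the TPM device and read the reply */
        ret = TPM_Transmit(&tpmdata, "GetCapability - NO AUTH");
        if (ret)
            return ret;

        /* no HMAC protects this reply, so these bounds checks are the only
         * thing between the length fields and the copies below */
        ret = getcapsigned_read_lengths(&tpmdata, &rlen, &ssize);
        if (ret)
            return ret;
    }

    SET_TPM_BUFFER(resp,
                   &tpmdata.buffer[TPM_DATA_OFFSET + TPM_U32_SIZE + TPM_U32_SIZE],
                   rlen);

    if (sig) {
        /* never copy more than the caller's buffer can hold */
        *siglen = MIN(*siglen, ssize);
        memcpy(sig,
               &tpmdata.buffer[TPM_DATA_OFFSET + TPM_U32_SIZE + TPM_U32_SIZE + rlen + TPM_U32_SIZE],
               *siglen);
    }

    return ret;
}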
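/**
 * Have the TPM owner authorise a public key as a migration target and
 * return the resulting authorisation blob.
 *
 * @param ownpass  Owner authorisation secret (TPM_HASH_SIZE bytes); not NULL.
 * @param migtype  Migration scheme, 1 or 2.
 * @param keyblob  Serialised public key to authorise; not NULL.
 * @param keyblen  Length of keyblob in bytes.
 * @param migblob  Receives the authorisation blob; not NULL.
 * @param migblen  Receives the length of the blob; not NULL.
 * @return 0 on success, ERR_NULL_ARG / ERR_BAD_ARG for invalid arguments or
 *         a reply whose size does not fit the response buffer, ERR_CRYPT_ERR
 *         if the odd nonce could not be generated, otherwise the error
 *         reported by the failing helper.
 *
 * NOTE(review): the capacity of migblob is not passed in (migblen is written
 * but never read), so the caller has to supply a buffer large enough for any
 * reply - confirm the required size against the callers.
 */
uint32_t TPM_AuthorizeMigrationKey(unsigned char *ownpass, int migtype, unsigned char *keyblob, unsigned int keyblen, unsigned char *migblob, unsigned int *migblen)
{
    unsigned char auth_mig_fmt[] = "00 c2 T l s % l % o %";
    uint32_t ret;
    unsigned char tpmdata[TPM_MAX_BUFF_SIZE];
    unsigned char nonceodd[TPM_NONCE_SIZE];
    unsigned char evennonce[TPM_NONCE_SIZE];
    unsigned char pubauth[TPM_HASH_SIZE];
    unsigned char c;
    uint32_t ordinal;
    uint16_t migscheme;
    uint32_t authhandle;
    int size;

    /* check input arguments; ownpass is the HMAC key and was previously
     * passed on unchecked */
    if (ownpass == NULL || keyblob == NULL || migblob == NULL || migblen == NULL)
        return ERR_NULL_ARG;
    if (migtype != 1 && migtype != 2)
        return ERR_BAD_ARG;

    /* generate odd nonce; 0 means failure, and continuing would put
     * uninitialised stack bytes on the wire */
    if (TSS_gennonce(nonceodd) == 0)
        return ERR_CRYPT_ERR;

    /* Open OIAP Session */
    ret = TSS_OIAPopen(&authhandle, evennonce);
    if (ret != 0)
        return ret;

    /* move Network byte order data to variables for hmac calculation */
    ordinal = htonl(0x2B);
    migscheme = htons(migtype);
    c = 0;

    /* calculate authorization HMAC value */
    ret = TSS_authhmac(pubauth, ownpass, TPM_HASH_SIZE, evennonce, nonceodd, c,
                       TPM_U32_SIZE, &ordinal,
                       TPM_U16_SIZE, &migscheme,
                       keyblen, keyblob,
                       0, 0);
    if (ret != 0) {
        TSS_OIAPclose(authhandle);
        return ret;
    }

    /* build the request buffer */
    ret = TSS_buildbuff(auth_mig_fmt, tpmdata,
                        ordinal,
                        migscheme,
                        keyblen, keyblob,
                        authhandle,
                        TPM_NONCE_SIZE, nonceodd,
                        c,
                        TPM_HASH_SIZE, pubauth);
    if ((ret & ERR_MASK) != 0) {
        TSS_OIAPclose(authhandle);
        return ret;
    }

    /* transmit the request buffer to the TPM device and read the reply */
    ret = TPM_Transmit(tpmdata, "AuthMigrationKey");
    if (ret != 0) {
        TSS_OIAPclose(authhandle);
        return ret;
    }
    TSS_OIAPclose(authhandle);

    /* The size is derived from the reply itself.  It must describe data
     * inside tpmdata before it is used for the HMAC check and the copy. */
    size = TSS_PubKeySize(tpmdata + TPM_DATA_OFFSET, 0);
    if (size < 0 ||
        size > (int)(TPM_MAX_BUFF_SIZE - TPM_DATA_OFFSET - TPM_U16_SIZE - TPM_HASH_SIZE))
        return ERR_BAD_ARG;
    size += TPM_U16_SIZE + TPM_HASH_SIZE;

    ret = TSS_checkhmac1(tpmdata, ordinal, nonceodd, ownpass, TPM_HASH_SIZE,
                         size, TPM_DATA_OFFSET,
                         0, 0);
    if (ret != 0)
        return ret;

    memcpy(migblob, tpmdata + TPM_DATA_OFFSET, size);
    *migblen = size;
    return 0;
}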
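/**
 * Convert a migration blob into a normally wrapped key blob on the
 * destination TPM.
 *
 * @param keyhandle  Handle of the key that decrypts the migration blob.
 * @param keyauth    Authorisation secret of that key; not NULL.
 * @param rndblob    Random value produced when the blob was created.
 * @param rndblen    Length of rndblob in bytes.
 * @param keyblob    Migration blob to convert.
 * @param keyblen    Length of keyblob in bytes.
 * @param encblob    Receives the converted blob; not NULL.
 * @param encblen    Receives the length of the converted blob; not NULL.
 * @return 0 on success, ERR_NULL_ARG for a NULL pointer, ERR_CRYPT_ERR if
 *         the odd nonce could not be generated, ERR_BAD_ARG if the reply's
 *         length field does not fit the response buffer, otherwise the error
 *         reported by the failing helper.
 *
 * NOTE(review): the capacity of encblob is not passed in, so the caller has
 * to supply a buffer large enough for any reply - confirm against callers.
 */
uint32_t TPM_ConvertMigrationBlob(unsigned int keyhandle, unsigned char *keyauth, unsigned char *rndblob, unsigned int rndblen, unsigned char *keyblob, unsigned int keyblen, unsigned char *encblob, unsigned int *encblen)
{
    unsigned char convert_mig_fmt[] = "00 c2 T l l @ @ l % o %";
    uint32_t ret;
    unsigned char tpmdata[TPM_MAX_BUFF_SIZE];
    unsigned char nonceodd[TPM_NONCE_SIZE];
    unsigned char evennonce[TPM_NONCE_SIZE];
    unsigned char pubauth[TPM_HASH_SIZE];
    unsigned char c;
    uint32_t ordinal;
    uint32_t authhandle;
    uint32_t keyhndl;
    uint32_t rndsize;
    uint32_t datsize;
    uint32_t outlen;

    /* check input arguments */
    if (keyauth == NULL || rndblob == NULL || keyblob == NULL ||
        encblob == NULL || encblen == NULL)
        return ERR_NULL_ARG;

    /* generate odd nonce; 0 means failure, and continuing would put
     * uninitialised stack bytes on the wire */
    if (TSS_gennonce(nonceodd) == 0)
        return ERR_CRYPT_ERR;

    /* Open OIAP Session */
    ret = TSS_OIAPopen(&authhandle, evennonce);
    if (ret != 0)
        return ret;

    /* move Network byte order data to variables for hmac calculation */
    ordinal = htonl(0x2A);
    keyhndl = htonl(keyhandle);
    rndsize = htonl(rndblen);
    datsize = htonl(keyblen);
    c = 0;

    /* calculate authorization HMAC value */
    ret = TSS_authhmac(pubauth, keyauth, TPM_HASH_SIZE, evennonce, nonceodd, c,
                       TPM_U32_SIZE, &ordinal,
                       TPM_U32_SIZE, &datsize,
                       keyblen, keyblob,
                       TPM_U32_SIZE, &rndsize,
                       rndblen, rndblob,
                       0, 0);
    if (ret != 0) {
        TSS_OIAPclose(authhandle);
        return ret;
    }

    /* build the request buffer */
    ret = TSS_buildbuff(convert_mig_fmt, tpmdata,
                        ordinal,
                        keyhndl,
                        keyblen, keyblob,
                        rndblen, rndblob,
                        authhandle,
                        TPM_NONCE_SIZE, nonceodd,
                        c,
                        TPM_HASH_SIZE, pubauth);
    if ((ret & ERR_MASK) != 0) {
        TSS_OIAPclose(authhandle);
        return ret;
    }

    /* transmit the request buffer to the TPM device and read the reply */
    ret = TPM_Transmit(tpmdata, "ConvertMigrationBlob");
    if (ret != 0) {
        TSS_OIAPclose(authhandle);
        return ret;
    }
    TSS_OIAPclose(authhandle);

    /* The length comes from the reply.  Kept unsigned (it used to be an int
     * that could turn negative) and checked against the response buffer
     * before it is used for the HMAC check and the copy. */
    outlen = LOAD32(tpmdata, TPM_DATA_OFFSET);
    if (outlen > (uint32_t)(TPM_MAX_BUFF_SIZE - TPM_DATA_OFFSET - TPM_U32_SIZE))
        return ERR_BAD_ARG;

    ret = TSS_checkhmac1(tpmdata, ordinal, nonceodd, keyauth, TPM_HASH_SIZE,
                         TPM_U32_SIZE, TPM_DATA_OFFSET,
                         outlen, TPM_DATA_OFFSET + TPM_U32_SIZE,
                         0, 0);
    if (ret != 0)
        return ret;

    memcpy(encblob, tpmdata + TPM_DATA_OFFSET + TPM_U32_SIZE, outlen);
    *encblen = outlen;
    return 0;
}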
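/*
 * Read the two length fields of a CreateMigrationBlob reply (random blob,
 * then output blob) and check that the data they describe lies inside the
 * TPM_MAX_BUFF_SIZE response buffer.  Returns 0 or ERR_BAD_ARG.
 */
static uint32_t createmig_read_sizes(unsigned char *tpmdata,
                                     uint32_t *size1,
                                     uint32_t *size2)
{
    /* room left for both payloads once the header and the two length
     * fields are accounted for */
    const uint32_t max_payload = (uint32_t)TPM_MAX_BUFF_SIZE
                                 - (uint32_t)TPM_DATA_OFFSET
                                 - 2u * (uint32_t)TPM_U32_SIZE;

    *size1 = LOAD32(tpmdata, TPM_DATA_OFFSET);
    if (*size1 > max_payload)
        return ERR_BAD_ARG;

    /* size1 is known to be in range, so this offset stays in the buffer */
    *size2 = LOAD32(tpmdata, TPM_DATA_OFFSET + TPM_U32_SIZE + *size1);
    if (*size2 > max_payload - *size1)
        return ERR_BAD_ARG;

    return 0;
}

/**
 * Create a migration blob for a migratable key.
 *
 * @param keyhandle  Handle of the parent key.
 * @param keyauth    Parent key authorisation secret, or NULL when the parent
 *                   key needs no authorisation (a single session is used).
 * @param migauth    Migration authorisation secret of the key; not NULL.
 * @param migtype    Migration scheme, 1 or 2.
 * @param migblob    Migration key authorisation blob; not NULL.
 * @param migblen    Length of migblob in bytes.
 * @param keyblob    Key blob of the key to migrate; not NULL.
 * @param keyblen    Length of keyblob (not used by this function).
 * @param rndblob    Receives the random value from the reply; not NULL.
 * @param rndblen    Receives its length; not NULL.
 * @param outblob    Receives the migration blob from the reply; not NULL.
 * @param outblen    Receives its length; not NULL.
 * @return 0 on success, ERR_NULL_ARG / ERR_BAD_ARG for invalid arguments or
 *         a reply whose length fields do not fit the response buffer,
 *         ERR_CRYPT_ERR if the odd nonce could not be generated, otherwise
 *         the error reported by the failing helper.
 *
 * NOTE(review): the capacities of rndblob and outblob are not passed in, so
 * the caller has to supply buffers large enough for any reply.  The result
 * of TSS_KeyExtract is not checked, and k.privkeylen from the caller's key
 * blob is used as given - confirm both against the helper's contract.
 */
uint32_t TPM_CreateMigrationBlob(unsigned int keyhandle, unsigned char *keyauth, unsigned char *migauth, int migtype, unsigned char *migblob, unsigned int migblen, unsigned char *keyblob, unsigned int keyblen, unsigned char *rndblob, unsigned int *rndblen, unsigned char *outblob, unsigned int *outblen)
{
    unsigned char create_mig_fmt[] = "00 c3 T l l s % @ l % o % l % o %";
    unsigned char create_mig_fmt_noauth[] = "00 c2 T l l s % @ l % o %";
    uint32_t ret;
    unsigned char tpmdata[TPM_MAX_BUFF_SIZE];
    unsigned char nonceodd[TPM_NONCE_SIZE];
    unsigned char enonce1[TPM_NONCE_SIZE];
    unsigned char enonce2[TPM_NONCE_SIZE];
    unsigned char c;
    uint32_t ordinal;
    uint32_t keyhndl;
    uint32_t datsize;
    uint16_t migscheme;
    uint32_t authhandle1;
    uint32_t authhandle2;
    unsigned char authdata1[TPM_HASH_SIZE];
    unsigned char authdata2[TPM_HASH_SIZE];
    uint32_t size1;
    uint32_t size2;
    keydata k;

    /* check input arguments */
    if (migauth == NULL || migblob == NULL || keyblob == NULL)
        return ERR_NULL_ARG;
    if (rndblob == NULL || rndblen == NULL || outblob == NULL || outblen == NULL)
        return ERR_NULL_ARG;
    if (migtype != 1 && migtype != 2)
        return ERR_BAD_ARG;

    TSS_KeyExtract(keyblob, &k);

    /* move data to Network byte order variables for HMAC calculation */
    ordinal = htonl(0x28);
    keyhndl = htonl(keyhandle);
    migscheme = htons(migtype);
    datsize = htonl(k.privkeylen);

    /* generate odd nonce; 0 means failure, and continuing would put
     * uninitialised stack bytes on the wire */
    if (TSS_gennonce(nonceodd) == 0)
        return ERR_CRYPT_ERR;
    c = 0;

    if (keyauth != NULL) {	/* parent key password is required */
        /* open TWO OIAP sessions: Parent and Migrating Key */
        ret = TSS_OIAPopen(&authhandle1, enonce1);
        if (ret != 0)
            return ret;
        ret = TSS_OIAPopen(&authhandle2, enonce2);
        if (ret != 0) {
            /* the first session used to be left open on this path */
            TSS_OIAPclose(authhandle1);
            return ret;
        }

        /* calculate Parent KEY authorization HMAC value */
        ret = TSS_authhmac(authdata1, keyauth, TPM_HASH_SIZE, enonce1, nonceodd, c,
                           TPM_U32_SIZE, &ordinal,
                           TPM_U16_SIZE, &migscheme,
                           migblen, migblob,
                           TPM_U32_SIZE, &datsize,
                           k.privkeylen, k.encprivkey,
                           0, 0);
        if (ret != 0) {
            TSS_OIAPclose(authhandle1);
            TSS_OIAPclose(authhandle2);
            return ret;
        }

        /* calculate Migration authorization HMAC value */
        ret = TSS_authhmac(authdata2, migauth, TPM_HASH_SIZE, enonce2, nonceodd, c,
                           TPM_U32_SIZE, &ordinal,
                           TPM_U16_SIZE, &migscheme,
                           migblen, migblob,
                           TPM_U32_SIZE, &datsize,
                           k.privkeylen, k.encprivkey,
                           0, 0);
        if (ret != 0) {
            TSS_OIAPclose(authhandle1);
            TSS_OIAPclose(authhandle2);
            return ret;
        }

        /* build the request buffer */
        ret = TSS_buildbuff(create_mig_fmt, tpmdata,
                            ordinal,
                            keyhndl,
                            migscheme,
                            migblen, migblob,
                            k.privkeylen, k.encprivkey,
                            authhandle1,
                            TPM_NONCE_SIZE, nonceodd,
                            c,
                            TPM_HASH_SIZE, authdata1,
                            authhandle2,
                            TPM_NONCE_SIZE, nonceodd,
                            c,
                            TPM_HASH_SIZE, authdata2);
        if ((ret & ERR_MASK) != 0) {
            TSS_OIAPclose(authhandle1);
            TSS_OIAPclose(authhandle2);
            return ret;
        }

        /* transmit buffer to the TPM device and read the reply */
        ret = TPM_Transmit(tpmdata, "CreateMigrationBlob");
        if (ret != 0) {
            TSS_OIAPclose(authhandle1);
            TSS_OIAPclose(authhandle2);
            return ret;
        }

        /* the length fields are bounds-checked before they steer the HMAC
         * check and the copies */
        ret = createmig_read_sizes(tpmdata, &size1, &size2);
        if (ret != 0) {
            TSS_OIAPclose(authhandle1);
            TSS_OIAPclose(authhandle2);
            return ret;
        }

        /* validate HMAC in response; an empty first blob is left out of
         * the hashed segments */
        if (size1 != 0) {
            ret = TSS_checkhmac2(tpmdata, ordinal, nonceodd,
                                 keyauth, TPM_HASH_SIZE,
                                 migauth, TPM_HASH_SIZE,
                                 TPM_U32_SIZE, TPM_DATA_OFFSET,
                                 size1, TPM_DATA_OFFSET + TPM_U32_SIZE,
                                 TPM_U32_SIZE, TPM_DATA_OFFSET + TPM_U32_SIZE + size1,
                                 size2, TPM_DATA_OFFSET + TPM_U32_SIZE + size1 + TPM_U32_SIZE,
                                 0, 0);
        } else {
            ret = TSS_checkhmac2(tpmdata, ordinal, nonceodd,
                                 keyauth, TPM_HASH_SIZE,
                                 migauth, TPM_HASH_SIZE,
                                 TPM_U32_SIZE, TPM_DATA_OFFSET,
                                 TPM_U32_SIZE, TPM_DATA_OFFSET + TPM_U32_SIZE,
                                 size2, TPM_DATA_OFFSET + TPM_U32_SIZE + TPM_U32_SIZE,
                                 0, 0);
        }
        TSS_OIAPclose(authhandle1);
        TSS_OIAPclose(authhandle2);
        if (ret != 0)
            return ret;
    } else {		/* no parent key password required */
        /* open OIAP session for the Migrating Key */
        ret = TSS_OIAPopen(&authhandle1, enonce1);
        if (ret != 0)
            return ret;

        /* calculate Migration authorization HMAC value */
        ret = TSS_authhmac(authdata1, migauth, TPM_HASH_SIZE, enonce1, nonceodd, c,
                           TPM_U32_SIZE, &ordinal,
                           TPM_U16_SIZE, &migscheme,
                           migblen, migblob,
                           TPM_U32_SIZE, &datsize,
                           k.privkeylen, k.encprivkey,
                           0, 0);
        if (ret != 0) {
            TSS_OIAPclose(authhandle1);
            return ret;
        }

        /* build the request buffer */
        ret = TSS_buildbuff(create_mig_fmt_noauth, tpmdata,
                            ordinal,
                            keyhndl,
                            migscheme,
                            migblen, migblob,
                            k.privkeylen, k.encprivkey,
                            authhandle1,
                            TPM_NONCE_SIZE, nonceodd,
                            c,
                            TPM_HASH_SIZE, authdata1);
        if ((ret & ERR_MASK) != 0) {
            TSS_OIAPclose(authhandle1);
            return ret;
        }

        /* transmit buffer to the TPM device and read the reply */
        ret = TPM_Transmit(tpmdata, "CreateMigrationBlob");
        if (ret != 0) {
            TSS_OIAPclose(authhandle1);
            return ret;
        }

        /* same bounds check as in the two-session path */
        ret = createmig_read_sizes(tpmdata, &size1, &size2);
        if (ret != 0) {
            TSS_OIAPclose(authhandle1);
            return ret;
        }

        /* check HMAC in response */
        if (size1 != 0) {
            ret = TSS_checkhmac1(tpmdata, ordinal, nonceodd,
                                 migauth, TPM_HASH_SIZE,
                                 TPM_U32_SIZE, TPM_DATA_OFFSET,
                                 size1, TPM_DATA_OFFSET + TPM_U32_SIZE,
                                 TPM_U32_SIZE, TPM_DATA_OFFSET + TPM_U32_SIZE + size1,
                                 size2, TPM_DATA_OFFSET + TPM_U32_SIZE + size1 + TPM_U32_SIZE,
                                 0, 0);
        } else {
            ret = TSS_checkhmac1(tpmdata, ordinal, nonceodd,
                                 migauth, TPM_HASH_SIZE,
                                 TPM_U32_SIZE, TPM_DATA_OFFSET,
                                 TPM_U32_SIZE, TPM_DATA_OFFSET + TPM_U32_SIZE,
                                 size2, TPM_DATA_OFFSET + TPM_U32_SIZE + TPM_U32_SIZE,
                                 0, 0);
        }
        TSS_OIAPclose(authhandle1);
        if (ret != 0)
            return ret;
    }

    /* both blobs are copied only after the reply HMAC has been accepted */
    memcpy(rndblob, tpmdata + TPM_DATA_OFFSET + TPM_U32_SIZE, size1);
    memcpy(outblob, tpmdata + TPM_DATA_OFFSET + TPM_U32_SIZE + size1 + TPM_U32_SIZE, size2);
    *rndblen = size1;
    *outblen = size2;
    return 0;
}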
/*
 * Command-line entry point: asks the TPM for a signed audit digest and
 * verifies the returned signature with the public part of the signing key.
 *
 * Options handled here:
 *   -s <n>    start ordinal (decimal); required, but only its presence is
 *             checked in this function
 *   -h <hex>  handle of the signing key; required
 *   -p <pwd>  key password; its SHA-1 digest is used as the key auth value
 *   -v        verbose logging
 *
 * NOTE(review): the password is taken from argv, so it is visible to anything
 * that can read this process's command line for as long as the tool runs.
 *
 * The process exit status is the last TPM return code, or -1 when the public
 * key cannot be obtained or the signature does not verify.
 */
int main(int argc, char *argv[])
{
    uint32_t startOrdinal = -1;
    int ret;
    int verbose = FALSE;
    TPM_COUNTER_VALUE counter;
    int i;
    char * keypass = NULL;
    unsigned char keyAuth[TPM_HASH_SIZE];
    unsigned char * keyAuthPtr = NULL;
    uint32_t keyhandle = -1;
    STACK_TPM_BUFFER(signature);
    unsigned char digest[TPM_DIGEST_SIZE];
    unsigned char ordinalDigest[TPM_DIGEST_SIZE];
    unsigned char antiReplay[TPM_NONCE_SIZE];

    TPM_setlog(0);
    /* fresh anti-replay value that the signed structure must echo back */
    TSS_gennonce(antiReplay);

    /* walk the argument vector; options with a value consume the next slot */
    for (i = 1; i < argc; i++) {
        const char *opt = argv[i];

        if (strcmp("-s", opt) == 0) {
            if (++i >= argc) {
                printf("Missing parameter for -s.\n");
                usage();
            } else {
                sscanf(argv[i], "%d", &startOrdinal);
            }
        } else if (strcmp("-h", opt) == 0) {
            if (++i >= argc) {
                printf("Missing parameter for -h.\n");
                usage();
            } else {
                sscanf(argv[i], "%x", &keyhandle);
            }
        } else if (strcmp("-p", opt) == 0) {
            if (++i >= argc) {
                printf("Missing parameter for -p.\n");
                usage();
            } else {
                keypass = argv[i];
            }
        } else if (strcmp("-v", opt) == 0) {
            verbose = TRUE;
            TPM_setlog(1);
        } else {
            printf("\n%s is not a valid option\n", opt);
            usage();
        }
    }
    (void)verbose;

    /* both values still hold their -1 sentinel when the option was absent */
    if ((int)startOrdinal == -1 || (int)keyhandle == -1) {
        printf("Missing command line parameter.\n");
        usage();
    }

    /* the auth value handed to the TPM calls is the SHA-1 of the password */
    if (keypass != NULL) {
        TSS_sha1(keypass, strlen(keypass), keyAuth);
        keyAuthPtr = keyAuth;
    }

    ret = TPM_GetAuditDigestSigned(keyhandle,
                                   FALSE,
                                   keyAuthPtr,
                                   antiReplay,
                                   &counter,
                                   digest,
                                   ordinalDigest,
                                   &signature);
    if (ret != 0) {
        printf("Error %s from GetAuditDigestSigned.\n", TPM_GetErrMsg(ret));
    } else {
        TPM_SIGN_INFO tsi;
        STACK_TPM_BUFFER(tsi_ser);
        STACK_TPM_BUFFER(serial);
        STACK_TPM_BUFFER(ctr_ser);
        pubkeydata pubkey;
        RSA *rsa;
        size_t pos = 0;

        printf("AuditDigest : ");
        for (i = 0; i < (int)sizeof(digest); i++) {
            printf("%02X", digest[i]);
        }
        printf("\n");

        /* both digests are TPM_DIGEST_SIZE bytes, so the same bound applies */
        printf("OrdinalDigest : ");
        for (i = 0; i < (int)sizeof(digest); i++) {
            printf("%02X", ordinalDigest[i]);
        }
        printf("\n");

        ret = TPM_GetPubKey(keyhandle, keyAuthPtr, &pubkey);
        if (ret != 0) {
            printf("Could not get public key of signing key.\n");
            exit(-1);
        }
        rsa = TSS_convpubkey(&pubkey);
        if (rsa == NULL) {
            printf("Could not convert public key.\n");
            exit(-1);
        }

        /* rebuild the TPM_SIGN_INFO structure that the signature covers */
        tsi.tag = TPM_TAG_SIGNINFO;
        memcpy(tsi.fixed, "ADIG", 4);
        memcpy(tsi.replay, antiReplay, sizeof(antiReplay));

        /* payload: audit digest || serialized counter || ordinal digest */
        TPM_WriteCounterValue(&ctr_ser, &counter);
        memcpy(&serial.buffer[pos], digest, sizeof(digest));
        pos += sizeof(digest);
        memcpy(&serial.buffer[pos], ctr_ser.buffer, ctr_ser.used);
        pos += ctr_ser.used;
        memcpy(&serial.buffer[pos], ordinalDigest, sizeof(ordinalDigest));
        pos += sizeof(ordinalDigest);
        serial.used = pos;

        tsi.data.size = serial.used;
        tsi.data.buffer = serial.buffer;

        ret = TPM_WriteSignInfo(&tsi_ser, &tsi);
        if ((ret & ERR_MASK)) {
            printf("Error serializing TPM_SIGN_INFO.\n");
            exit(-1);
        }

        ret = TPM_ValidateSignature(TPM_SS_RSASSAPKCS1v15_SHA1,
                                    &tsi_ser,
                                    &signature,
                                    rsa);
        if (ret != 0) {
            printf("Error validating signature.\n");
            exit(-1);
        }
        printf("Signature verification successful.\n");
    }

    exit(ret);
}
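/*
 * Seal a data block with a TPM key (ordinal 0x17).
 *
 * keyhandle    handle of the sealing key; 0x40000000 selects entity type
 *              0x0004, any other handle entity type 0x0001
 * pcrinfo      PCR info structure, may be NULL when pcrinfosize is 0
 * pcrinfosize  length of pcrinfo in bytes
 * keyauth      TPM_HASH_SIZE-byte key auth value, or NULL for all zeros
 * dataauth     TPM_HASH_SIZE-byte data auth value, or NULL for all zeros
 * data         data to seal
 * datalen      length of data in bytes
 * blob         receives the sealed blob; the capacity is not passed in, so
 *              the caller must supply a buffer large enough for the result
 * bloblen      receives the length of the sealed blob
 *
 * Returns 0 on success, ERR_NULL_ARG for a missing required pointer, or the
 * error reported by the session, request-building, transport or HMAC step.
 */
uint32_t TPM_Seal(uint32_t keyhandle,
                  unsigned char *pcrinfo, uint32_t pcrinfosize,
                  unsigned char *keyauth,
                  unsigned char *dataauth,
                  unsigned char *data, unsigned int datalen,
                  unsigned char *blob, unsigned int *bloblen)
{
    unsigned char seal_fmt[] = "00 C2 T l l % @ @ l % o %";
    uint32_t ret;
    int i;
    unsigned char tpmdata[TPM_MAX_BUFF_SIZE];
    osapsess sess;
    unsigned char encauth[TPM_HASH_SIZE];
    unsigned char pubauth[TPM_HASH_SIZE];
    unsigned char xorwork[TPM_HASH_SIZE * 2];
    unsigned char xorhash[TPM_HASH_SIZE];
    unsigned char dummyauth[TPM_HASH_SIZE];
    unsigned char nonceodd[TPM_NONCE_SIZE];
    unsigned char c;
    uint32_t ordinal;
    uint32_t pcrsize;
    uint32_t datsize;
    uint32_t keyhndl;
    uint16_t keytype;
    unsigned char *passptr1;
    unsigned char *passptr2;
    int sealinfosize;
    int encdatasize;
    int storedsize;

    memset(dummyauth, 0, sizeof dummyauth);

    /* check input arguments; bloblen is written unconditionally on success,
       so it is required as well */
    if (data == NULL || blob == NULL || bloblen == NULL)
        return ERR_NULL_ARG;
    if (pcrinfosize != 0 && pcrinfo == NULL)
        return ERR_NULL_ARG;

    keytype = (keyhandle == 0x40000000) ? 0x0004 : 0x0001;
    passptr1 = (keyauth == NULL) ? dummyauth : keyauth;
    passptr2 = (dataauth == NULL) ? dummyauth : dataauth;

    /* Open OSAP Session */
    ret = TSS_OSAPopen(&sess, passptr1, keytype, keyhandle);
    if (ret != 0)
        return ret;

    /* mask for the data auth value: SHA-1(shared secret || even nonce) */
    memcpy(xorwork, sess.ssecret, TPM_HASH_SIZE);
    memcpy(xorwork + TPM_HASH_SIZE, sess.enonce, TPM_HASH_SIZE);
    TSS_sha1(xorwork, TPM_HASH_SIZE * 2, xorhash);

    /* generate odd nonce */
    TSS_gennonce(nonceodd);

    /* move Network byte order data to variables for hmac calculation */
    ordinal = htonl(0x17);
    datsize = htonl(datalen);
    keyhndl = htonl(keyhandle);
    pcrsize = htonl(pcrinfosize);
    c = 0;

    /* encrypt data authorization key */
    for (i = 0; i < TPM_HASH_SIZE; ++i)
        encauth[i] = xorhash[i] ^ passptr2[i];

    /* calculate authorization HMAC value */
    if (pcrinfosize == 0) {
        /* no pcr info specified */
        ret = TSS_authhmac(pubauth, sess.ssecret, TPM_HASH_SIZE,
                           sess.enonce, nonceodd, c,
                           TPM_U32_SIZE, &ordinal,
                           TPM_HASH_SIZE, encauth,
                           TPM_U32_SIZE, &pcrsize,
                           TPM_U32_SIZE, &datsize,
                           datalen, data,
                           0, 0);
    } else {
        /* pcr info specified */
        ret = TSS_authhmac(pubauth, sess.ssecret, TPM_HASH_SIZE,
                           sess.enonce, nonceodd, c,
                           TPM_U32_SIZE, &ordinal,
                           TPM_HASH_SIZE, encauth,
                           TPM_U32_SIZE, &pcrsize,
                           pcrinfosize, pcrinfo,
                           TPM_U32_SIZE, &datsize,
                           datalen, data,
                           0, 0);
    }
    if (ret != 0) {
        TSS_OSAPclose(&sess);
        return ret;
    }

    /* build the request buffer */
    ret = TSS_buildbuff(seal_fmt, tpmdata,
                        ordinal,
                        keyhndl,
                        TPM_HASH_SIZE, encauth,
                        pcrinfosize, pcrinfo,
                        datalen, data,
                        sess.handle,
                        TPM_NONCE_SIZE, nonceodd,
                        c,
                        TPM_HASH_SIZE, pubauth);
    if ((ret & ERR_MASK) != 0) {
        TSS_OSAPclose(&sess);
        return ret;
    }

    /* transmit the request buffer to the TPM device and read the reply */
    ret = TPM_Transmit(tpmdata, "Seal");
    if (ret != 0) {
        TSS_OSAPclose(&sess);
        return ret;
    }

    /* calculate the size of the returned Blob */
    /* NOTE(review): both length fields are read from the response and used
       as offsets and as the memcpy length below without being compared with
       TPM_MAX_BUFF_SIZE; they are also stored in signed ints. A range check
       before the second LOAD32 would keep a malformed reply from driving
       reads past tpmdata. */
    sealinfosize = LOAD32(tpmdata, TPM_DATA_OFFSET + TPM_U32_SIZE);
    encdatasize = LOAD32(tpmdata,
                         TPM_DATA_OFFSET + TPM_U32_SIZE + TPM_U32_SIZE +
                         sealinfosize);
    storedsize = TPM_U32_SIZE + TPM_U32_SIZE + sealinfosize +
                 TPM_U32_SIZE + encdatasize;

    /* check the HMAC in the response */
    ret = TSS_checkhmac1(tpmdata, ordinal, nonceodd,
                         sess.ssecret, TPM_HASH_SIZE,
                         storedsize, TPM_DATA_OFFSET,
                         0, 0);
    if (ret != 0) {
        TSS_OSAPclose(&sess);
        return ret;
    }

    /* copy the returned blob to caller */
    memcpy(blob, tpmdata + TPM_DATA_OFFSET, storedsize);
    *bloblen = storedsize;

    TSS_OSAPclose(&sess);
    return 0;
}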
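/*
 * Unseal a previously sealed blob (ordinal 0x18).
 *
 * keyhandle  handle of the key that sealed the blob
 * keyauth    TPM_HASH_SIZE-byte key auth value, or NULL when the key needs
 *            no authorization (a single OIAP session is used in that case)
 * dataauth   data auth value, or NULL for all zeros
 * blob       sealed blob
 * bloblen    length of blob in bytes
 * rawdata    receives the unsealed data; the capacity is not passed in, so
 *            the caller must supply a buffer large enough for the result
 * datalen    receives the length of the unsealed data
 *
 * Returns 0 on success, ERR_NULL_ARG for a missing required pointer, or the
 * error reported by the session, request-building, transport or HMAC step.
 */
uint32_t TPM_Unseal(uint32_t keyhandle,
                    unsigned char *keyauth,
                    unsigned char *dataauth,
                    unsigned char *blob, unsigned int bloblen,
                    unsigned char *rawdata, unsigned int *datalen)
{
    unsigned char unseal_fmt[] = "00 C3 T l l % l % o % l % o %";
    unsigned char unseal_fmt_noauth[] = "00 C2 T l l % l % o %";
    uint32_t ret;
    unsigned char tpmdata[TPM_MAX_BUFF_SIZE];
    unsigned char nonceodd[TPM_NONCE_SIZE];
    unsigned char enonce1[TPM_NONCE_SIZE];
    unsigned char enonce2[TPM_NONCE_SIZE];
    unsigned char dummyauth[TPM_NONCE_SIZE];
    unsigned char *passptr2;
    unsigned char c;
    uint32_t ordinal;
    uint32_t keyhndl;
    uint32_t authhandle1;
    uint32_t authhandle2;
    unsigned char authdata1[TPM_HASH_SIZE];
    unsigned char authdata2[TPM_HASH_SIZE];

    memset(dummyauth, 0, sizeof dummyauth);

    /* check input arguments; datalen is written on every success path, so it
       is required as well */
    if (rawdata == NULL || blob == NULL || datalen == NULL)
        return ERR_NULL_ARG;

    passptr2 = (dataauth == NULL) ? dummyauth : dataauth;

    if (keyauth != NULL) {
        /* key password specified */
        /* open TWO OIAP sessions, Key and Data */
        ret = TSS_OIAPopen(&authhandle1, enonce1);
        if (ret != 0)
            return ret;
        ret = TSS_OIAPopen(&authhandle2, enonce2);
        if (ret != 0) {
            /* the first session is already open; do not leave it behind */
            TSS_OIAPclose(authhandle1);
            return ret;
        }

        /* data to Network byte order variables for HMAC calculation */
        ordinal = htonl(0x18);
        keyhndl = htonl(keyhandle);

        /* generate odd nonce */
        TSS_gennonce(nonceodd);
        c = 0;

        /* calculate KEY authorization HMAC value */
        ret = TSS_authhmac(authdata1, keyauth, TPM_HASH_SIZE,
                           enonce1, nonceodd, c,
                           TPM_U32_SIZE, &ordinal,
                           bloblen, blob,
                           0, 0);
        if (ret != 0) {
            TSS_OIAPclose(authhandle1);
            TSS_OIAPclose(authhandle2);
            return ret;
        }

        /* calculate DATA authorization HMAC value */
        ret = TSS_authhmac(authdata2, passptr2, TPM_NONCE_SIZE,
                           enonce2, nonceodd, c,
                           TPM_U32_SIZE, &ordinal,
                           bloblen, blob,
                           0, 0);
        if (ret != 0) {
            TSS_OIAPclose(authhandle1);
            TSS_OIAPclose(authhandle2);
            return ret;
        }

        /* build the request buffer */
        ret = TSS_buildbuff(unseal_fmt, tpmdata,
                            ordinal,
                            keyhndl,
                            bloblen, blob,
                            authhandle1,
                            TPM_NONCE_SIZE, nonceodd,
                            c,
                            TPM_HASH_SIZE, authdata1,
                            authhandle2,
                            TPM_NONCE_SIZE, nonceodd,
                            c,
                            TPM_HASH_SIZE, authdata2);
        if ((ret & ERR_MASK) != 0) {
            TSS_OIAPclose(authhandle1);
            TSS_OIAPclose(authhandle2);
            return ret;
        }

        /* transmit buffer to the TPM device and read the reply */
        ret = TPM_Transmit(tpmdata, "Unseal");
        if (ret != 0) {
            TSS_OIAPclose(authhandle1);
            TSS_OIAPclose(authhandle2);
            return ret;
        }
        *datalen = LOAD32(tpmdata, TPM_DATA_OFFSET);

        /* check HMAC in response */
        ret = TSS_checkhmac2(tpmdata, ordinal, nonceodd,
                             keyauth, TPM_HASH_SIZE,
                             passptr2, TPM_HASH_SIZE,
                             TPM_U32_SIZE, TPM_DATA_OFFSET,
                             *datalen, TPM_DATA_OFFSET + TPM_U32_SIZE,
                             0, 0);
        TSS_OIAPclose(authhandle1);
        TSS_OIAPclose(authhandle2);
        if (ret != 0)
            return ret;
    } else {
        /* no key password */
        /* open ONE OIAP session, for the Data */
        ret = TSS_OIAPopen(&authhandle2, enonce2);
        if (ret != 0)
            return ret;

        /* data to Network byte order variables for HMAC calculation */
        ordinal = htonl(0x18);
        keyhndl = htonl(keyhandle);

        /* generate odd nonce */
        TSS_gennonce(nonceodd);
        c = 0;

        /* calculate DATA authorization HMAC value */
        ret = TSS_authhmac(authdata2, passptr2, TPM_NONCE_SIZE,
                           enonce2, nonceodd, c,
                           TPM_U32_SIZE, &ordinal,
                           bloblen, blob,
                           0, 0);
        if (ret != 0) {
            TSS_OIAPclose(authhandle2);
            return ret;
        }

        /* build the request buffer */
        ret = TSS_buildbuff(unseal_fmt_noauth, tpmdata,
                            ordinal,
                            keyhndl,
                            bloblen, blob,
                            authhandle2,
                            TPM_NONCE_SIZE, nonceodd,
                            c,
                            TPM_HASH_SIZE, authdata2);
        if ((ret & ERR_MASK) != 0) {
            TSS_OIAPclose(authhandle2);
            return ret;
        }

        /* transmit buffer to the TPM device and read the reply */
        ret = TPM_Transmit(tpmdata, "Unseal");
        if (ret != 0) {
            TSS_OIAPclose(authhandle2);
            return ret;
        }
        *datalen = LOAD32(tpmdata, TPM_DATA_OFFSET);

        /* check HMAC in response */
        ret = TSS_checkhmac1(tpmdata, ordinal, nonceodd,
                             passptr2, TPM_HASH_SIZE,
                             TPM_U32_SIZE, TPM_DATA_OFFSET,
                             *datalen, TPM_DATA_OFFSET + TPM_U32_SIZE,
                             0, 0);
        TSS_OIAPclose(authhandle2);
        if (ret != 0)
            return ret;
    }

    /* copy decrypted data back to caller */
    /* NOTE(review): *datalen is the length field of the response and is not
       compared with TPM_MAX_BUFF_SIZE before it bounds the HMAC check and
       this copy; a range check right after LOAD32 would close that gap. */
    memcpy(rawdata, tpmdata + TPM_DATA_OFFSET + TPM_U32_SIZE, *datalen);
    return 0;
}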
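/*
 * Take ownership of the TPM (ordinal 0x0d, protocol ID 0x05).
 *
 * The owner and SRK auth values are OAEP-padded with the "TCPA" label and
 * encrypted under the TPM's public endorsement key before they are sent.
 *
 * ownpass  TPM_HASH_SIZE-byte owner auth value (required)
 * srkpass  TPM_HASH_SIZE-byte SRK auth value, or NULL for all zeros; NULL
 *          also clears the SRK's authdatausage flag
 * key      if not NULL, receives the key structure returned by the TPM
 *
 * Returns 0 on success, ERR_NULL_ARG when ownpass is missing, ERR_CRYPT_ERR
 * when a padding, encryption or nonce step fails, or the error reported by
 * the TPM call that failed.
 */
uint32_t TPM_TakeOwnership(unsigned char *ownpass, unsigned char *srkpass,
                           keydata * key)
{
    unsigned char take_owner_fmt[] = "00 c2 T l s @ @ % l % 00 %";
    /* required OAEP padding P parameter */
    unsigned char tpm_oaep_pad_str[] = { 'T', 'C', 'P', 'A' };
    uint32_t ret;
    int iret;
    unsigned char tpmdata[TPM_MAX_BUFF_SIZE];
    pubkeydata tpmpubkey;       /* public endorsement key data */
    uint32_t srkparamsize;      /* SRK parameter buffer size */
    unsigned char nonceeven[TPM_HASH_SIZE]; /* even nonce (from OIAPopen) */
    RSA *pubkey;                /* PubEK converted to OpenSSL format */
    unsigned char padded[RSA_MODULUS_BYTE_SIZE];
    keydata srk;                /* key info for SRK */
    unsigned char dummypass[TPM_HASH_SIZE]; /* dummy srk password */
    unsigned char *spass;       /* pointer to srkpass or dummy */
    unsigned int i;

    /* data to be inserted into Take Owner Request Buffer */
    /* the uint32_t and uint16_t values are stored in network byte order */
    uint32_t command;           /* command ordinal */
    uint16_t protocol;          /* protocol ID */
    uint32_t oencdatasize;      /* owner auth data encrypted size */
    unsigned char ownerencr[RSA_MODULUS_BYTE_SIZE];
    uint32_t sencdatasize;      /* srk auth data encrypted size */
    unsigned char srkencr[RSA_MODULUS_BYTE_SIZE];
    unsigned char srk_param_buff[TPM_SRK_PARAM_BUFF_SIZE];
    uint32_t authhandle;        /* auth handle (from OIAPopen) */
    unsigned char nonceodd[TPM_HASH_SIZE];  /* odd nonce */
    unsigned char authdata[TPM_HASH_SIZE];  /* auth data */

    /* check that parameters are valid */
    if (ownpass == NULL)
        return ERR_NULL_ARG;
    if (srkpass == NULL) {
        memset(dummypass, 0, sizeof dummypass);
        spass = dummypass;
    } else {
        spass = srkpass;
    }

    /* set up command and protocol values for TakeOwnership function */
    command = htonl(0x0d);
    protocol = htons(0x05);

    /* get the TPM Endorsement Public Key */
    ret = TPM_ReadPubek(&tpmpubkey);
    if (ret)
        return ret;

    /* convert the public key to OpenSSL format */
    pubkey = TSS_convpubkey(&tpmpubkey);
    if (pubkey == NULL)
        return ERR_CRYPT_ERR;

    memset(ownerencr, 0, sizeof ownerencr);
    memset(srkencr, 0, sizeof srkencr);

    /* NOTE(review): `padded` holds the OAEP-encoded auth values and is left
       on the stack when the function returns. */

    /* Pad and then encrypt the owner data using the RSA public key.
       Every failure below releases the converted key before returning. */
    iret = RSA_padding_add_PKCS1_OAEP(padded, RSA_MODULUS_BYTE_SIZE,
                                      ownpass, TPM_HASH_SIZE,
                                      tpm_oaep_pad_str,
                                      sizeof tpm_oaep_pad_str);
    if (iret == 0) {
        RSA_free(pubkey);
        return ERR_CRYPT_ERR;
    }
    iret = RSA_public_encrypt(RSA_MODULUS_BYTE_SIZE, padded, ownerencr,
                              pubkey, RSA_NO_PADDING);
    if (iret < 0) {
        RSA_free(pubkey);
        return ERR_CRYPT_ERR;
    }
    oencdatasize = htonl(iret);

    /* Pad and then encrypt the SRK data using the RSA public key */
    iret = RSA_padding_add_PKCS1_OAEP(padded, RSA_MODULUS_BYTE_SIZE,
                                      spass, TPM_HASH_SIZE,
                                      tpm_oaep_pad_str,
                                      sizeof tpm_oaep_pad_str);
    if (iret == 0) {
        RSA_free(pubkey);
        return ERR_CRYPT_ERR;
    }
    iret = RSA_public_encrypt(RSA_MODULUS_BYTE_SIZE, padded, srkencr,
                              pubkey, RSA_NO_PADDING);
    if (iret < 0) {
        RSA_free(pubkey);
        return ERR_CRYPT_ERR;
    }
    sencdatasize = htonl(iret);
    RSA_free(pubkey);

    /* fill the SRK-params key structure */
    /* get tpm version */
    ret = TPM_GetCapability(0x00000006, NULL, 0, &(srk.version[0]), &i);
    if (ret != 0)
        return ret;
    srk.keyusage = 0x0011;      /* Storage Key */
    srk.keyflags = 0;
    if (srkpass != NULL)
        srk.authdatausage = 0x01;
    else
        srk.authdatausage = 0x00;
    srk.privkeylen = 0;         /* private key not specified here */
    srk.pub.algorithm = 0x00000001; /* RSA */
    srk.pub.encscheme = 0x0003; /* RSA OAEP SHA1 MGF1 */
    srk.pub.sigscheme = 0x0001; /* NONE */
    srk.pub.keybitlen = RSA_MODULUS_BIT_SIZE;
    srk.pub.numprimes = 2;
    srk.pub.expsize = 0;        /* defaults to 0x010001 */
    srk.pub.keylength = 0;      /* not used here */
    srk.pub.pcrinfolen = 0;     /* not used here */

    /* convert to a memory buffer */
    srkparamsize = TPM_BuildKey(srk_param_buff, &srk);

    /* generate the odd nonce; a zero return is the failure case, and it must
       not be passed on as-is because 0 is this function's success code */
    ret = TSS_gennonce(nonceodd);
    if (ret == 0)
        return ERR_CRYPT_ERR;

    /* initiate the OIAP protocol */
    ret = TSS_OIAPopen(&authhandle, nonceeven);
    if (ret != 0)
        return ret;

    /* calculate the Authorization Data */
    ret = TSS_authhmac(authdata, ownpass, TPM_HASH_SIZE,
                       nonceeven, nonceodd, 0,
                       TPM_U32_SIZE, &command,
                       TPM_U16_SIZE, &protocol,
                       TPM_U32_SIZE, &oencdatasize,
                       ntohl(oencdatasize), ownerencr,
                       TPM_U32_SIZE, &sencdatasize,
                       ntohl(sencdatasize), srkencr,
                       srkparamsize, srk_param_buff,
                       0, 0);
    if (ret != 0) {
        TSS_OIAPclose(authhandle);
        return ret;
    }

    /* insert all the calculated fields into the request buffer */
    ret = TSS_buildbuff(take_owner_fmt, tpmdata,
                        command,
                        protocol,
                        ntohl(oencdatasize), ownerencr,
                        ntohl(sencdatasize), srkencr,
                        srkparamsize, srk_param_buff,
                        authhandle,
                        TPM_HASH_SIZE, nonceodd,
                        TPM_HASH_SIZE, authdata);
    if ((ret & ERR_MASK) != 0) {
        TSS_OIAPclose(authhandle);
        return ret;
    }

    /* transmit the request buffer to the TPM device and read the reply */
    ret = TPM_Transmit(tpmdata, "Take Ownership");
    TSS_OIAPclose(authhandle);
    if (ret != 0)
        return ret;

    /* check the response HMAC */
    srkparamsize = TSS_KeySize(tpmdata + TPM_DATA_OFFSET);
    ret = TSS_checkhmac1(tpmdata, command, nonceodd,
                         ownpass, TPM_HASH_SIZE,
                         srkparamsize, TPM_DATA_OFFSET,
                         0, 0);
    if (ret != 0)
        return ret;

    /* convert the returned key to a structure */
    if (key == NULL)
        return 0;
    TSS_KeyExtract(tpmdata + TPM_DATA_OFFSET, key);
    return 0;
}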
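/*
 * Write a new value into a DIR register under owner authorization.
 *
 * dirIndex   index of the DIR register
 * newValue   TPM_HASH_SIZE-byte value to write (required)
 * ownerAuth  owner auth value (required)
 *
 * Returns 0 on success, ERR_NULL_ARG for a missing pointer, ERR_CRYPT_ERR
 * when no nonce could be generated, or the error reported by the session,
 * request-building, transport or HMAC step.
 */
uint32_t TPM_DirWriteAuth(uint32_t dirIndex,
                          unsigned char * newValue,
                          unsigned char * ownerAuth)
{
    STACK_TPM_BUFFER(tpmdata)
    uint32_t ordinal_no = htonl(TPM_ORD_DirWriteAuth);
    uint32_t ret;
    uint32_t dirIndex_no = htonl(dirIndex);
    unsigned char nonceodd[TPM_NONCE_SIZE];
    unsigned char authdata[TPM_NONCE_SIZE];
    session sess;
    int c = 0;

    /* check input arguments */
    if (NULL == ownerAuth || NULL == newValue) {
        return ERR_NULL_ARG;
    }

    /* Open an authorization session; DSAP, OSAP and OIAP are all allowed */
    ret = TSS_SessionOpen(SESSION_DSAP | SESSION_OSAP | SESSION_OIAP,
                          &sess,
                          ownerAuth, TPM_ET_OWNER, 0);
    if (ret != 0)
        return ret;

    /* generate odd nonce */
    ret = TSS_gennonce(nonceodd);
    if (0 == ret) {
        /* the session is already open at this point; close it so that the
           failure does not leave it behind */
        TSS_SessionClose(&sess);
        return ERR_CRYPT_ERR;
    }

    /* calculate the authorization HMAC over ordinal, index and new value */
    ret = TSS_authhmac(authdata, TSS_Session_GetAuth(&sess), TPM_HASH_SIZE,
                       TSS_Session_GetENonce(&sess), nonceodd, c,
                       TPM_U32_SIZE, &ordinal_no,
                       TPM_U32_SIZE, &dirIndex_no,
                       TPM_HASH_SIZE, newValue,
                       0, 0);
    if (0 != ret) {
        TSS_SessionClose(&sess);
        return ret;
    }

    /* build the request buffer */
    ret = TSS_buildbuff("00 c2 T l l % L % o %", &tpmdata,
                        ordinal_no,
                        dirIndex_no,
                        TPM_HASH_SIZE, newValue,
                        TSS_Session_GetHandle(&sess),
                        TPM_HASH_SIZE, nonceodd,
                        c,
                        TPM_HASH_SIZE, authdata);
    if ((ret & ERR_MASK)) {
        TSS_SessionClose(&sess);
        return ret;
    }

    /* transmit the request buffer to the TPM device and read the reply */
    ret = TPM_Transmit(&tpmdata, "DirWriteAuth");
    TSS_SessionClose(&sess);
    if (ret != 0) {
        return ret;
    }

    /* check the HMAC in the response */
    /* NOTE(review): the session's auth value is read after TSS_SessionClose;
       this presumably relies on the close leaving the local session data
       intact - confirm. */
    ret = TSS_checkhmac1(&tpmdata, ordinal_no, nonceodd,
                         TSS_Session_GetAuth(&sess), TPM_HASH_SIZE,
                         0, 0);
    return ret;
}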
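/*
 * Request a Quote2 signature over a PCR selection.
 *
 * keyhandle    handle of the signing key
 * selection    PCR selection to quote (required)
 * addVersion   passed to the TPM as the addVersion flag of the request
 * keyauth      key auth value, or NULL to send the request without an
 *              authorization session
 * antiReplay   TPM_HASH_SIZE-byte buffer (required); it is overwritten with a
 *              freshly generated nonce, which is the value sent to the TPM
 * pcrinfo      receives the TPM_PCR_INFO_SHORT from the response (required)
 * versionblob  if not NULL, receives the version info from the response
 * signature    if not NULL, receives the signature from the response
 *
 * Returns the status of the last step on success (0 on the authorized path),
 * ERR_NULL_ARG for a missing required pointer, ERR_MEM_ERR when the
 * serialization buffer cannot be allocated, ERR_BUFFER when the parsed PCR
 * info does not have the expected size, or the error of the step that failed.
 */
uint32_t TPM_Quote2(uint32_t keyhandle,
                    TPM_PCR_SELECTION * selection,
                    TPM_BOOL addVersion,
                    unsigned char *keyauth,
                    unsigned char *antiReplay,
                    TPM_PCR_INFO_SHORT * pcrinfo,
                    struct tpm_buffer *versionblob,
                    struct tpm_buffer *signature)
{
    uint32_t ret;
    uint32_t rc;
    STACK_TPM_BUFFER( tpmdata )
    session sess;
    unsigned char pubauth[TPM_HASH_SIZE];
    unsigned char nonceodd[TPM_NONCE_SIZE];
    unsigned char c = 0;
    uint32_t ordinal_no = htonl(TPM_ORD_Quote2);
    uint16_t pcrselsize;
    uint32_t verinfosize;
    uint32_t sigsize;
    uint32_t storedsize;
    uint32_t keyhndl = htonl(keyhandle);
    uint16_t keytype;
    struct tpm_buffer * serPCRSelection;
    uint32_t serPCRSelectionSize;

    /* check input arguments */
    if (pcrinfo == NULL || selection == NULL || antiReplay == NULL)
        return ERR_NULL_ARG;
    keytype = 0x0001;

    ret = needKeysRoom(keyhandle, 0, 0, 0);
    if (ret != 0) {
        return ret;
    }

    /* the caller's buffer is filled here, so it acts as an output */
    TSS_gennonce(antiReplay);

    serPCRSelection = TSS_AllocTPMBuffer(TPM_U16_SIZE + selection->sizeOfSelect);
    if (NULL == serPCRSelection) {
        return ERR_MEM_ERR;
    }

    ret = TPM_WritePCRSelection(serPCRSelection, selection);
    if ((ret & ERR_MASK) != 0) {
        TSS_FreeTPMBuffer(serPCRSelection);
        return ret;
    }
    /* a return without error bits is the serialized length */
    serPCRSelectionSize = ret;

    if (keyauth != NULL) {
        /* Open OSAP Session */
        ret = TSS_SessionOpen(SESSION_OSAP|SESSION_DSAP,
                              &sess,
                              keyauth, keytype, keyhandle);
        if (ret != 0) {
            TSS_FreeTPMBuffer(serPCRSelection);
            return ret;
        }

        /* generate odd nonce */
        TSS_gennonce(nonceodd);

        /* calculate authorization HMAC value */
        ret = TSS_authhmac(pubauth, TSS_Session_GetAuth(&sess), TPM_HASH_SIZE,
                           TSS_Session_GetENonce(&sess), nonceodd, c,
                           TPM_U32_SIZE, &ordinal_no,
                           TPM_HASH_SIZE, antiReplay,
                           serPCRSelectionSize, serPCRSelection->buffer,
                           sizeof(TPM_BOOL), &addVersion,
                           0, 0);
        if (ret != 0) {
            TSS_FreeTPMBuffer(serPCRSelection);
            TSS_SessionClose(&sess);
            return ret;
        }

        /* build the request buffer */
        ret = TSS_buildbuff("00 C2 T l l % % o L % o %", &tpmdata,
                            ordinal_no,
                            keyhndl,
                            TPM_HASH_SIZE, antiReplay,
                            serPCRSelectionSize, serPCRSelection->buffer,
                            addVersion,
                            TSS_Session_GetHandle(&sess),
                            TPM_NONCE_SIZE, nonceodd,
                            c,
                            TPM_HASH_SIZE, pubauth);
        TSS_FreeTPMBuffer(serPCRSelection);
        if ((ret & ERR_MASK) != 0) {
            TSS_SessionClose(&sess);
            return ret;
        }

        /* transmit the request buffer to the TPM device and read the reply */
        ret = TPM_Transmit(&tpmdata, "Quote2 - AUTH1");
        TSS_SessionClose(&sess);
        if (ret != 0) {
            return ret;
        }
    } else {
        /* No session is opened on this path, so `sess` is uninitialized and
           must not be handed to TSS_SessionClose. */

        /* build the request buffer */
        ret = TSS_buildbuff("00 C1 T l l % % o", &tpmdata,
                            ordinal_no,
                            keyhndl,
                            TPM_HASH_SIZE, antiReplay,
                            serPCRSelectionSize, serPCRSelection->buffer,
                            addVersion);
        TSS_FreeTPMBuffer(serPCRSelection);
        if ((ret & ERR_MASK) != 0) {
            return ret;
        }

        /* transmit the request buffer to the TPM device and read the reply */
        ret = TPM_Transmit(&tpmdata, "Quote2");
        if (ret != 0) {
            return ret;
        }
    }

    /* calculate the size of the returned Blob */
    ret = tpm_buffer_load16(&tpmdata, TPM_DATA_OFFSET, &pcrselsize);
    if ((ret & ERR_MASK)) {
        return ret;
    }
    /* from here on pcrselsize is the size of the whole leading structure:
       length field, selection bytes, one more byte and a digest */
    pcrselsize += TPM_U16_SIZE + 1 + TPM_HASH_SIZE;

    ret = tpm_buffer_load32(&tpmdata,
                            TPM_DATA_OFFSET + pcrselsize,
                            &verinfosize);
    if ((ret & ERR_MASK)) {
        return ret;
    }
    ret = tpm_buffer_load32(&tpmdata,
                            TPM_DATA_OFFSET + pcrselsize + TPM_U32_SIZE + verinfosize,
                            &sigsize);
    if ((ret & ERR_MASK)) {
        return ret;
    }
    storedsize = pcrselsize + TPM_U32_SIZE + verinfosize +
                 TPM_U32_SIZE + sigsize;

    if (keyauth != NULL) {
        /* check the HMAC in the response */
        /* NOTE(review): the session's auth value is read after
           TSS_SessionClose; this presumably relies on the close leaving the
           local session data intact - confirm. */
        ret = TSS_checkhmac1(&tpmdata, ordinal_no, nonceodd,
                             TSS_Session_GetAuth(&sess), TPM_HASH_SIZE,
                             storedsize, TPM_DATA_OFFSET,
                             0, 0);
        if (ret != 0) {
            return ret;
        }
    }

    /* copy the returned PCR composite to caller; the parser must consume
       exactly the size computed above */
    rc = TPM_ReadPCRInfoShort(&tpmdata, TPM_DATA_OFFSET, pcrinfo);
    if (pcrselsize != rc) {
        if ((rc & ERR_MASK))
            return rc;
        return ERR_BUFFER;
    }

    if (NULL != versionblob) {
        SET_TPM_BUFFER(versionblob,
                       &tpmdata.buffer[TPM_DATA_OFFSET+pcrselsize+TPM_U32_SIZE],
                       verinfosize);
    }
    if (NULL != signature) {
        SET_TPM_BUFFER(signature,
                       &tpmdata.buffer[TPM_DATA_OFFSET+pcrselsize+TPM_U32_SIZE+verinfosize+TPM_U32_SIZE],
                       sigsize);
    }
    return ret;
}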
/*
 * Request a Quote signature over a PCR selection.
 *
 * keyhandle     handle of the signing key
 * keyauth       key auth value, or NULL to send the request without an
 *               authorization session (no response HMAC is checked then)
 * externalData  TPM_HASH_SIZE bytes of caller data included in the request
 *               (required)
 * tps           PCR selection to quote
 * tpc           receives the PCR composite from the response (required)
 * signature     receives the signature from the response (required)
 *
 * Returns 0 on success, ERR_NULL_ARG for a missing required pointer, or the
 * error of the step that failed.
 */
uint32_t TPM_Quote(uint32_t keyhandle,
                   unsigned char *keyauth,
                   unsigned char *externalData,
                   TPM_PCR_SELECTION *tps,
                   TPM_PCR_COMPOSITE *tpc,
                   struct tpm_buffer *signature)
{
    uint32_t ret;
    STACK_TPM_BUFFER( tpmdata )
    session sess;
    unsigned char pubauth[TPM_HASH_SIZE];
    unsigned char nonceodd[TPM_NONCE_SIZE];
    unsigned char cont = 0;
    uint32_t ordinal = htonl(TPM_ORD_Quote);
    uint32_t keyhndl = htonl(keyhandle);
    uint16_t pcrselsize;
    uint32_t valuesize;
    uint32_t sigsize;
    uint32_t pos;
    STACK_TPM_BUFFER( serPcrSel );
    const int authorized = (keyauth != NULL);

    /* check input arguments */
    if (tpc == NULL || externalData == NULL || signature == NULL)
        return ERR_NULL_ARG;

    ret = needKeysRoom(keyhandle, 0, 0, 0);
    if (ret != 0)
        return ret;

    ret = TPM_WritePCRSelection(&serPcrSel, tps);
    if ((ret & ERR_MASK))
        return ret;

    /* --- send the request, with or without an authorization session --- */
    if (authorized) {
        /* Open OSAP Session */
        ret = TSS_SessionOpen(SESSION_OSAP|SESSION_DSAP,
                              &sess,
                              keyauth, TPM_ET_KEYHANDLE, keyhandle);
        if (ret != 0)
            return ret;

        /* generate odd nonce */
        TSS_gennonce(nonceodd);

        /* calculate authorization HMAC value */
        ret = TSS_authhmac(pubauth, TSS_Session_GetAuth(&sess), TPM_HASH_SIZE,
                           TSS_Session_GetENonce(&sess), nonceodd, cont,
                           TPM_U32_SIZE, &ordinal,
                           TPM_HASH_SIZE, externalData,
                           serPcrSel.used, serPcrSel.buffer,
                           0, 0);
        if (ret != 0) {
            TSS_SessionClose(&sess);
            return ret;
        }

        /* build the request buffer */
        ret = TSS_buildbuff("00 C2 T l l % % L % o %", &tpmdata,
                            ordinal,
                            keyhndl,
                            TPM_HASH_SIZE, externalData,
                            serPcrSel.used, serPcrSel.buffer,
                            TSS_Session_GetHandle(&sess),
                            TPM_NONCE_SIZE, nonceodd,
                            cont,
                            TPM_HASH_SIZE, pubauth);
        if ((ret & ERR_MASK) != 0) {
            TSS_SessionClose(&sess);
            return ret;
        }

        /* transmit the request buffer to the TPM device and read the reply */
        ret = TPM_Transmit(&tpmdata, "Quote");
        TSS_SessionClose(&sess);
        if (ret != 0)
            return ret;
    } else {
        /* build the request buffer */
        ret = TSS_buildbuff("00 C1 T l l % %", &tpmdata,
                            ordinal,
                            keyhndl,
                            TPM_HASH_SIZE, externalData,
                            serPcrSel.used, serPcrSel.buffer);
        if ((ret & ERR_MASK) != 0)
            return ret;

        /* transmit the request buffer to the TPM device and read the reply */
        ret = TPM_Transmit(&tpmdata, "Quote");
        if (ret != 0)
            return ret;
    }

    /* --- walk the response: PCR selection, PCR values, signature --- */
    pos = TPM_DATA_OFFSET;
    ret = tpm_buffer_load16(&tpmdata, pos, &pcrselsize);
    if ((ret & ERR_MASK))
        return ret;
    pos += TPM_U16_SIZE + pcrselsize;

    ret = tpm_buffer_load32(&tpmdata, pos, &valuesize);
    if ((ret & ERR_MASK))
        return ret;
    pos += TPM_U32_SIZE + valuesize;

    ret = tpm_buffer_load32(&tpmdata, pos, &sigsize);
    if ((ret & ERR_MASK))
        return ret;
    pos += TPM_U32_SIZE;    /* pos now points at the signature bytes */

    if (authorized) {
        /* check the HMAC in the response; the covered span runs from the
           start of the data to the end of the signature */
        ret = TSS_checkhmac1(&tpmdata, ordinal, nonceodd,
                             TSS_Session_GetAuth(&sess), TPM_HASH_SIZE,
                             pos-TPM_DATA_OFFSET+sigsize, TPM_DATA_OFFSET,
                             0, 0);
        if (ret != 0)
            return ret;
    }

    /* copy the returned PCR composite to caller */
    ret = TPM_ReadPCRComposite(&tpmdata, TPM_DATA_OFFSET, tpc);
    if ((ret & ERR_MASK))
        return ret;

    /* copy the returned blob to caller */
    SET_TPM_BUFFER(signature, &tpmdata.buffer[pos], sigsize);
    return 0;
}
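/*
 * Decrypt (unbind) a data block with a TPM key.
 *
 * keyhandle  handle of the key; 0x40000000 selects entity type TPM_ET_SRK,
 *            any other handle TPM_ET_KEYHANDLE
 * keyauth    key auth value, or NULL to send the request without an
 *            authorization session (no response HMAC is checked then)
 * data       encrypted input (required)
 * datalen    length of data in bytes
 * blob       receives the decrypted output (required); the capacity is not
 *            passed in, so the caller must supply a buffer large enough for
 *            whatever length the response reports
 * bloblen    receives the length of the decrypted output (required)
 *
 * Returns the status of the last step on success (0 on the authorized path),
 * ERR_NULL_ARG for a missing pointer, or the error of the step that failed.
 */
uint32_t TPM_UnBind(uint32_t keyhandle,
                    unsigned char *keyauth,
                    unsigned char *data, uint32_t datalen,
                    unsigned char *blob, uint32_t * bloblen)
{
    uint32_t ret = 0;
    STACK_TPM_BUFFER(tpmdata)
    session sess;
    unsigned char pubauth[TPM_HASH_SIZE];
    unsigned char nonceodd[TPM_NONCE_SIZE];
    unsigned char c = 0;
    uint32_t ordinal = htonl(TPM_ORD_UnBind);
    uint32_t datsize = htonl(datalen);
    uint32_t keyhndl = htonl(keyhandle);
    uint16_t keytype;
    uint32_t infosize;

    /* check input arguments; bloblen is written on every success path, so it
       is required as well */
    if (data == NULL || blob == NULL || bloblen == NULL)
        return ERR_NULL_ARG;

    if (keyhandle == 0x40000000)
        keytype = TPM_ET_SRK;
    else
        keytype = TPM_ET_KEYHANDLE;

    ret = needKeysRoom(keyhandle, 0, 0, 0);
    if (ret)
        return ret;

    if (keyauth != NULL) {
        /* key needs authorization */
        /* Open OSAP Session */
        ret = TSS_SessionOpen(SESSION_OSAP | SESSION_DSAP,
                              &sess,
                              keyauth, keytype, keyhandle);
        if (ret)
            return ret;

        /* generate odd nonce */
        TSS_gennonce(nonceodd);

        /* calculate authorization HMAC value */
        ret = TSS_authhmac(pubauth, TSS_Session_GetAuth(&sess), TPM_HASH_SIZE,
                           TSS_Session_GetENonce(&sess), nonceodd, c,
                           TPM_U32_SIZE, &ordinal,
                           TPM_U32_SIZE, &datsize,
                           datalen, data,
                           0, 0);
        if (ret) {
            TSS_SessionClose(&sess);
            return ret;
        }

        /* build the request buffer */
        ret = TSS_buildbuff("00 C2 T l l @ L % o %", &tpmdata,
                            ordinal,
                            keyhndl,
                            datalen, data,
                            TSS_Session_GetHandle(&sess),
                            TPM_NONCE_SIZE, nonceodd,
                            c,
                            TPM_HASH_SIZE, pubauth);
        if (ret & ERR_MASK) {
            TSS_SessionClose(&sess);
            return ret;
        }

        /* transmit the request buffer to the TPM device and read the reply */
        ret = TPM_Transmit(&tpmdata, "UnBind");
        TSS_SessionClose(&sess);
        if (ret)
            return ret;
    } else {
        /* key needs NO authorization */
        /* build the request buffer */
        ret = TSS_buildbuff("00 C1 T l l @", &tpmdata,
                            ordinal,
                            keyhndl,
                            datalen, data);
        if (ret & ERR_MASK)
            return ret;

        /* transmit the request buffer to the TPM device and read the reply */
        ret = TPM_Transmit(&tpmdata, "UnBind");
        if (ret)
            return ret;
    }

    /* Response handling is the same on both paths apart from the HMAC. */

    /* calculate the size of the returned Blob */
    ret = tpm_buffer_load32(&tpmdata, TPM_DATA_OFFSET, &infosize);
    if (ret & ERR_MASK)
        return ret;

    if (keyauth != NULL) {
        /* check the HMAC in the response */
        /* NOTE(review): the session's auth value is read after
           TSS_SessionClose; this presumably relies on the close leaving the
           local session data intact - confirm. */
        ret = TSS_checkhmac1(&tpmdata, ordinal, nonceodd,
                             TSS_Session_GetAuth(&sess), TPM_HASH_SIZE,
                             TPM_U32_SIZE, TPM_DATA_OFFSET,
                             infosize, TPM_DATA_OFFSET + TPM_U32_SIZE,
                             0, 0);
        if (ret)
            return ret;
    }

    /* copy the returned blob to caller */
    /* NOTE(review): infosize is the length field of the response; on the
       unauthenticated path nothing visible here compares it with the amount
       of data actually held in tpmdata before the copy. */
    memcpy(blob, &tpmdata.buffer[TPM_DATA_OFFSET + TPM_U32_SIZE], infosize);
    *bloblen = infosize;

    return ret;
}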