3
* Licensed Materials - Property of IBM
5
* trousers - An open source TCG Software Stack
7
* (C) Copyright International Business Machines Corp. 2004-2006
16
#include "trousers/tss.h"
17
#include "trousers/trousers.h"
18
#include "spi_internal_types.h"
19
#include "spi_utils.h"
20
#include "capabilities.h"
25
Tspi_Data_Bind(TSS_HENCDATA hEncData, /* in */
26
TSS_HKEY hEncKey, /* in */
27
UINT32 ulDataLength, /* in */
28
BYTE *rgbDataToBind) /* in */
34
TCPA_BOUND_DATA boundData;
38
TCPA_KEY keyContainer;
39
TSS_HCONTEXT tspContext;
41
if (rgbDataToBind == NULL)
42
return TSPERR(TSS_E_BAD_PARAMETER);
44
if (!obj_is_encdata(hEncData))
45
return TSPERR(TSS_E_INVALID_HANDLE);
47
if ((result = obj_rsakey_get_tsp_context(hEncKey, &tspContext)))
50
if ((result = obj_rsakey_get_blob(hEncKey, &keyDataLength, &keyData)))
54
if ((result = Trspi_UnloadBlob_KEY(&offset, keyData, &keyContainer))) {
55
free_tspi(tspContext, keyData);
58
free_tspi(tspContext, keyData);
60
if (keyContainer.keyUsage != TPM_KEY_BIND &&
61
keyContainer.keyUsage != TPM_KEY_LEGACY) {
62
result = TSPERR(TSS_E_INVALID_KEYUSAGE);
66
if (keyContainer.pubKey.keyLength < ulDataLength) {
67
result = TSPERR(TSS_E_ENC_INVALID_LENGTH);
71
if (keyContainer.algorithmParms.encScheme == TCPA_ES_RSAESPKCSv15 &&
72
keyContainer.keyUsage == TPM_KEY_LEGACY) {
73
if ((result = Trspi_RSA_PKCS15_Encrypt(rgbDataToBind, ulDataLength, encData,
74
&encDataLength, keyContainer.pubKey.key,
75
keyContainer.pubKey.keyLength)))
77
} else if (keyContainer.algorithmParms.encScheme == TCPA_ES_RSAESPKCSv15 &&
78
keyContainer.keyUsage == TPM_KEY_BIND) {
79
boundData.payload = TCPA_PT_BIND;
81
memcpy(&boundData.ver, &VERSION_1_1, sizeof(TCPA_VERSION));
83
boundData.payloadData = malloc(ulDataLength);
84
if (boundData.payloadData == NULL) {
85
result = TSPERR(TSS_E_OUTOFMEMORY);
88
memcpy(boundData.payloadData, rgbDataToBind, ulDataLength);
91
Trspi_LoadBlob_BOUND_DATA(&offset, boundData, ulDataLength, bdblob);
93
if ((result = Trspi_RSA_PKCS15_Encrypt(bdblob, offset, encData,
94
&encDataLength, keyContainer.pubKey.key,
95
keyContainer.pubKey.keyLength))) {
96
free(boundData.payloadData);
99
free(boundData.payloadData);
101
boundData.payload = TCPA_PT_BIND;
103
memcpy(&boundData.ver, &VERSION_1_1, sizeof(TCPA_VERSION));
105
boundData.payloadData = malloc(ulDataLength);
106
if (boundData.payloadData == NULL) {
107
LogError("malloc of %u bytes failed.", ulDataLength);
108
result = TSPERR(TSS_E_OUTOFMEMORY);
111
memcpy(boundData.payloadData, rgbDataToBind, ulDataLength);
114
Trspi_LoadBlob_BOUND_DATA(&offset, boundData, ulDataLength, bdblob);
116
if ((result = Trspi_RSA_Encrypt(bdblob, offset, encData, &encDataLength,
117
keyContainer.pubKey.key,
118
keyContainer.pubKey.keyLength))) {
119
free(boundData.payloadData);
123
free(boundData.payloadData);
126
if ((result = obj_encdata_set_data(hEncData, encDataLength, encData))) {
127
LogError("Error in calling SetAttribData on the encrypted "
129
result = TSPERR(TSS_E_INTERNAL_ERROR);
133
free_key_refs(&keyContainer);
138
Tspi_Data_Unbind(TSS_HENCDATA hEncData, /* in */
139
TSS_HKEY hKey, /* in */
140
UINT32 * pulUnboundDataLength, /* out */
141
BYTE ** prgbUnboundData) /* out */
151
TCS_KEY_HANDLE tcsKeyHandle;
154
TSS_HCONTEXT tspContext;
156
if (pulUnboundDataLength == NULL || prgbUnboundData == NULL)
157
return TSPERR(TSS_E_BAD_PARAMETER);
159
if ((result = obj_encdata_get_tsp_context(hEncData, &tspContext)))
162
if ((result = obj_rsakey_get_policy(hKey, TSS_POLICY_USAGE, &hPolicy, &usesAuth)))
165
if ((result = obj_encdata_get_data(hEncData, &encDataSize, &encData)))
166
return result == TSPERR(TSS_E_INVALID_OBJ_ACCESS) ?
167
TSPERR(TSS_E_ENC_NO_DATA) :
170
if ((result = obj_rsakey_get_tcs_handle(hKey, &tcsKeyHandle)))
175
Trspi_LoadBlob_UINT32(&offset, TPM_ORD_UnBind, hashBlob);
176
Trspi_LoadBlob_UINT32(&offset, encDataSize, hashBlob);
177
Trspi_LoadBlob(&offset, encDataSize, hashBlob, encData);
179
Trspi_Hash(TSS_HASH_SHA1, offset, hashBlob, digest.digest);
181
if ((result = secret_PerformAuth_OIAP(hKey, TPM_ORD_UnBind,
185
pPrivAuth = &privAuth;
190
if ((result = TCSP_UnBind(tspContext, tcsKeyHandle, encDataSize,
191
encData, pPrivAuth, pulUnboundDataLength,
197
Trspi_LoadBlob_UINT32(&offset, result, hashBlob);
198
Trspi_LoadBlob_UINT32(&offset, TPM_ORD_UnBind, hashBlob);
199
Trspi_LoadBlob_UINT32(&offset, *pulUnboundDataLength, hashBlob);
200
Trspi_LoadBlob(&offset, *pulUnboundDataLength, hashBlob, *prgbUnboundData);
201
Trspi_Hash(TSS_HASH_SHA1, offset, hashBlob, digest.digest);
203
if ((result = obj_policy_validate_auth_oiap(hPolicy, &digest, &privAuth))) {
204
free_tspi(tspContext, *prgbUnboundData);
213
Tspi_Data_Seal(TSS_HENCDATA hEncData, /* in */
214
TSS_HKEY hEncKey, /* in */
215
UINT32 ulDataLength, /* in */
216
BYTE * rgbDataToSeal, /* in */
217
TSS_HPCRS hPcrComposite) /* in */
220
BYTE hashBlob[0x1000];
221
BYTE sharedSecret[20];
223
TCPA_ENCAUTH encAuthUsage;
224
TCPA_ENCAUTH encAuthMig;
227
TSS_HPOLICY hPolicy, hEncPolicy;
228
BYTE *encData = NULL;
232
TCS_KEY_HANDLE tcsKeyHandle;
233
TCPA_NONCE nonceEvenOSAP;
234
TCPA_DIGEST digAtCreation;
235
TSS_HCONTEXT tspContext;
236
TCPA_PCR_SELECTION pcrSelect = { 0, NULL };
238
if (rgbDataToSeal == NULL)
239
return TSPERR(TSS_E_BAD_PARAMETER);
241
if ((result = obj_encdata_get_tsp_context(hEncData, &tspContext)))
244
if ((result = obj_rsakey_get_policy(hEncKey, TSS_POLICY_USAGE,
248
if ((result = obj_encdata_get_policy(hEncData, &hEncPolicy)))
251
if ((result = obj_rsakey_get_tcs_handle(hEncKey, &tcsKeyHandle)))
254
/* If PCR's are of interest */
257
if ((result = obj_pcrs_get_composite(hPcrComposite,
261
if ((result = obj_pcrs_get_selection(hPcrComposite,
265
LogDebug("Digest at Creation:");
266
LogDebugData(sizeof(digAtCreation), (BYTE *)&digAtCreation);
269
Trspi_LoadBlob_PCR_SELECTION(&offset, pcrData, &pcrSelect);
270
free(pcrSelect.pcrSelect);
271
Trspi_LoadBlob(&offset, TCPA_SHA1_160_HASH_LEN, pcrData,
272
digAtCreation.digest);
274
Trspi_LoadBlob(&offset, TCPA_SHA1_160_HASH_LEN, pcrData,
275
digAtCreation.digest);
276
pcrDataSize = offset;
279
if ((result = secret_PerformXOR_OSAP(hPolicy, hEncPolicy, hEncPolicy,
280
hEncKey, TCPA_ET_KEYHANDLE,
282
&encAuthUsage, &encAuthMig,
288
Trspi_LoadBlob_UINT32(&offset, TPM_ORD_Seal, hashBlob);
289
Trspi_LoadBlob(&offset, 20, hashBlob, encAuthUsage.authdata);
290
Trspi_LoadBlob_UINT32(&offset, pcrDataSize, hashBlob);
291
Trspi_LoadBlob(&offset, pcrDataSize, hashBlob, pcrData);
292
Trspi_LoadBlob_UINT32(&offset, ulDataLength, hashBlob);
293
Trspi_LoadBlob(&offset, ulDataLength, hashBlob, rgbDataToSeal);
294
Trspi_Hash(TSS_HASH_SHA1, offset, hashBlob, digest.digest);
296
if ((result = secret_PerformAuth_OSAP(hEncKey, TPM_ORD_Seal, hPolicy,
297
hEncPolicy, hEncPolicy,
299
digest.digest, &nonceEvenOSAP)))
302
if ((result = TCSP_Seal(tspContext, tcsKeyHandle, encAuthUsage,
303
pcrDataSize, pcrData, ulDataLength,
304
rgbDataToSeal, &auth, &encDataSize, &encData)))
308
Trspi_LoadBlob_UINT32(&offset, result, hashBlob);
309
Trspi_LoadBlob_UINT32(&offset, TPM_ORD_Seal, hashBlob);
310
Trspi_LoadBlob(&offset, encDataSize, hashBlob, encData);
311
Trspi_Hash(TSS_HASH_SHA1, offset, hashBlob, digest.digest);
313
if ((result = secret_ValidateAuth_OSAP(hEncKey, TPM_ORD_Seal, hPolicy,
314
hEncPolicy, hEncPolicy,
322
/* Need to set the object with the blob and the pcr's */
323
if ((result = obj_encdata_set_data(hEncData, encDataSize, encData)))
329
if ((result = obj_encdata_set_pcr_info(hEncData, pcrData)))
337
Tspi_Data_Unseal(TSS_HENCDATA hEncData, /* in */
338
TSS_HKEY hKey, /* in */
339
UINT32 * pulUnsealedDataLength,/* out */
340
BYTE ** prgbUnsealedData) /* out */
342
TPM_AUTH privAuth, privAuth2;
344
BYTE hashblob[0x400];
347
TSS_HPOLICY hPolicy, hEncPolicy;
348
TCS_KEY_HANDLE tcsKeyHandle;
349
TSS_HCONTEXT tspContext;
353
if (pulUnsealedDataLength == NULL || prgbUnsealedData == NULL)
354
return TSPERR(TSS_E_BAD_PARAMETER);
356
if ((result = obj_encdata_get_tsp_context(hEncData, &tspContext)))
359
if ((result = obj_rsakey_get_policy(hKey, TSS_POLICY_USAGE,
363
if ((result = obj_encdata_get_policy(hEncData, &hEncPolicy)))
366
if ((result = obj_encdata_get_data(hEncData, &ulDataLen, &data)))
367
return result == TSPERR(TSS_E_INVALID_OBJ_ACCESS) ?
368
TSPERR(TSS_E_ENC_NO_DATA) :
371
if ((result = obj_rsakey_get_tcs_handle(hKey, &tcsKeyHandle)))
375
Trspi_LoadBlob_UINT32(&offset, TPM_ORD_Unseal, hashblob);
376
Trspi_LoadBlob(&offset, ulDataLen, hashblob, data);
377
Trspi_Hash(TSS_HASH_SHA1, offset, hashblob, digest.digest);
379
if ((result = secret_PerformAuth_OIAP(hKey, TPM_ORD_Unseal,
384
if ((result = secret_PerformAuth_OIAP(hEncData, TPM_ORD_Unseal,
389
if ((result = TCSP_Unseal(tspContext, tcsKeyHandle,
390
ulDataLen, data, &privAuth,
391
&privAuth2, pulUnsealedDataLength,
396
Trspi_LoadBlob_UINT32(&offset, result, hashblob);
397
Trspi_LoadBlob_UINT32(&offset, TPM_ORD_Unseal, hashblob);
398
Trspi_LoadBlob_UINT32(&offset, *pulUnsealedDataLength, hashblob);
399
Trspi_LoadBlob(&offset, *pulUnsealedDataLength, hashblob,
401
Trspi_Hash(TSS_HASH_SHA1, offset, hashblob, digest.digest);
403
if ((result = obj_policy_validate_auth_oiap(hPolicy, &digest,
405
free_tspi(tspContext, *prgbUnsealedData);
409
if ((result = obj_policy_validate_auth_oiap(hEncPolicy, &digest,
411
free_tspi(tspContext, *prgbUnsealedData);