3
* Licensed Materials - Property of IBM
5
* trousers - An open source TCG Software Stack
7
* (C) Copyright International Business Machines Corp. 2004-2006
18
#include "trousers/tss.h"
19
#include "trousers/trousers.h"
20
#include "trousers_types.h"
21
#include "trousers_types.h"
22
#include "spi_utils.h"
23
#include "capabilities.h"
/*
 * Trspi_UnloadBlob_STORED_DATA - parse a serialized TCPA_STORED_DATA out of
 * blob, starting at *offset, into *data.
 *
 * Reads the version, then two length-prefixed byte strings (sealInfo and
 * encData). Each non-empty string is copied into a buffer malloc'd here;
 * changeauth_encdata() later releases both with free().
 * Returns TSPERR(TSS_E_OUTOFMEMORY) when either allocation fails.
 *
 * NOTE(review): this listing shows only some source lines (see the gutter
 * numbers), so braces, else-branches and the final return are not visible.
 *
 * NOTE(review): sealInfoSize and encDataSize are taken from the blob as-is
 * and used as allocation and copy lengths. The signature carries no blob
 * length, so nothing visible here bounds the reads against the end of blob;
 * a caller passing data it does not fully trust has to validate the encoded
 * lengths against the real buffer size before calling.
 */
30
Trspi_UnloadBlob_STORED_DATA(UINT64 *offset, BYTE *blob, TCPA_STORED_DATA *data)
32
Trspi_UnloadBlob_TCPA_VERSION(offset, blob, &data->ver);
/* Length prefix of sealInfo, read from the blob without a range check. */
33
Trspi_UnloadBlob_UINT32(offset, &data->sealInfoSize, blob);
35
if (data->sealInfoSize > 0) {
36
data->sealInfo = malloc(data->sealInfoSize);
37
if (data->sealInfo == NULL) {
/* NOTE(review): %d is used for a size here, while Transport_ChangeAuth logs
 * the same kind of value with %u - confirm the signedness of the field. */
38
LogError("malloc of %d bytes failed.", data->sealInfoSize);
39
return TSPERR(TSS_E_OUTOFMEMORY);
41
Trspi_UnloadBlob(offset, data->sealInfoSize, blob, data->sealInfo);
/* Presumably the branch for sealInfoSize == 0; the "else" line is not shown. */
43
data->sealInfo = NULL;
/* Length prefix of encData, again read from the blob without a range check. */
46
Trspi_UnloadBlob_UINT32(offset, &data->encDataSize, blob);
48
if (data->encDataSize > 0) {
49
data->encData = malloc(data->encDataSize);
50
if (data->encData == NULL) {
51
LogError("malloc of %d bytes failed.", data->encDataSize);
/* NOTE(review): source line 52 is not shown. Confirm sealInfo is freed before
 * the pointer is cleared, otherwise the buffer allocated above leaks here. */
53
data->sealInfo = NULL;
54
return TSPERR(TSS_E_OUTOFMEMORY);
/* NOTE(review): when encDataSize is 0 the visible lines never assign
 * data->encData - confirm a hidden else-branch sets it to NULL, since callers
 * free() it unconditionally. */
57
Trspi_UnloadBlob(offset, data->encDataSize, blob, data->encData);
/*
 * Trspi_LoadBlob_STORED_DATA - serialize *data into blob at *offset.
 *
 * Writes the version, then sealInfoSize followed by sealInfo, then
 * encDataSize followed by encData, i.e. the same field order that
 * Trspi_UnloadBlob_STORED_DATA reads.
 *
 * NOTE(review): no destination capacity is passed in, so the caller must
 * guarantee that blob has room for both length-prefixed buffers at *offset.
 * This matters when encDataSize has changed since blob was sized.
 */
66
Trspi_LoadBlob_STORED_DATA(UINT64 *offset, BYTE *blob, TCPA_STORED_DATA *data)
68
Trspi_LoadBlob_TCPA_VERSION(offset, blob, data->ver);
69
Trspi_LoadBlob_UINT32(offset, data->sealInfoSize, blob);
70
Trspi_LoadBlob(offset, data->sealInfoSize, blob, data->sealInfo);
71
Trspi_LoadBlob_UINT32(offset, data->encDataSize, blob);
72
Trspi_LoadBlob(offset, data->encDataSize, blob, data->encData);
/*
 * changeauth_owner - change the TPM owner authorization through
 * TPM_ORD_ChangeAuthOwner with entity type owner.
 *
 * Opens an auth session on hObjectToChange carrying the new policy's secret,
 * HMACs the request parameters, issues ChangeAuthOwner through the TCS, then
 * checks the response authorization before reporting the result.
 * hParentObject is not referenced in the visible lines.
 *
 * NOTE(review): this listing omits lines (declarations of result and digest,
 * error exits, session teardown), so cleanup behaviour cannot be confirmed
 * from here.
 */
76
changeauth_owner(TSS_HCONTEXT tspContext,
77
TSS_HOBJECT hObjectToChange,
78
TSS_HOBJECT hParentObject,
79
TSS_HPOLICY hNewPolicy)
83
Trspi_HashCtx hashCtx;
84
struct authsess *xsap = NULL;
/* The policy is mandatory here (TSS_AUTH_POLICY_REQUIRED). */
86
if ((result = authsess_xsap_init(tspContext, hObjectToChange, hNewPolicy,
87
TSS_AUTH_POLICY_REQUIRED, TPM_ORD_ChangeAuthOwner,
88
TPM_ET_OWNER, &xsap)))
/*
 * Digest of the request parameters: ordinal, protocol id, encrypted new
 * auth, entity type. Return codes are OR-ed together, so any failure makes
 * result non-zero, but the combined value need not equal a single error code.
 */
91
/* calculate auth data */
92
result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1);
93
result |= Trspi_Hash_UINT32(&hashCtx, TPM_ORD_ChangeAuthOwner);
94
result |= Trspi_Hash_UINT16(&hashCtx, TCPA_PID_ADCP);
95
result |= Trspi_Hash_ENCAUTH(&hashCtx, xsap->encAuthUse.authdata);
96
result |= Trspi_Hash_UINT16(&hashCtx, TCPA_ET_OWNER);
97
if ((result |= Trspi_HashFinal(&hashCtx, digest.digest)))
100
if ((result = authsess_xsap_hmac(xsap, &digest)))
103
if ((result = TCS_API(tspContext)->ChangeAuthOwner(tspContext, TCPA_PID_ADCP,
104
&xsap->encAuthUse, TPM_ET_OWNER,
/* Response digest: return code and ordinal, checked against the session below. */
108
result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1);
109
result |= Trspi_Hash_UINT32(&hashCtx, TPM_SUCCESS);
110
result |= Trspi_Hash_UINT32(&hashCtx, TPM_ORD_ChangeAuthOwner);
111
if ((result |= Trspi_HashFinal(&hashCtx, digest.digest)))
/* The response authorization check decides the function's visible result. */
114
result = authsess_xsap_verify(xsap, &digest);
/*
 * changeauth_srk - change the SRK authorization through
 * TPM_ORD_ChangeAuthOwner with entity type SRK.
 *
 * Same flow as changeauth_owner, except that the auth session is opened on
 * hParentObject and the entity type hashed and sent is the SRK one.
 * hObjectToChange is not referenced in the visible lines.
 *
 * NOTE(review): this listing omits lines (declarations, error exits, session
 * teardown), so cleanup behaviour cannot be confirmed from here.
 */
122
changeauth_srk(TSS_HCONTEXT tspContext,
123
TSS_HOBJECT hObjectToChange,
124
TSS_HOBJECT hParentObject,
125
TSS_HPOLICY hNewPolicy)
129
Trspi_HashCtx hashCtx;
130
struct authsess *xsap = NULL;
/* The session is authorized as owner (TPM_ET_OWNER) even though the entity
 * being changed is the SRK. */
133
if ((result = authsess_xsap_init(tspContext, hParentObject, hNewPolicy,
134
TSS_AUTH_POLICY_REQUIRED, TPM_ORD_ChangeAuthOwner,
135
TPM_ET_OWNER, &xsap)))
/*
 * Digest of the request parameters. Return codes are OR-ed together, so any
 * failure makes result non-zero, but the combined value need not equal a
 * single error code.
 */
138
/* calculate auth data */
139
result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1);
140
result |= Trspi_Hash_UINT32(&hashCtx, TPM_ORD_ChangeAuthOwner);
141
result |= Trspi_Hash_UINT16(&hashCtx, TCPA_PID_ADCP);
142
result |= Trspi_Hash_ENCAUTH(&hashCtx, xsap->encAuthUse.authdata);
143
result |= Trspi_Hash_UINT16(&hashCtx, TCPA_ET_SRK);
144
if ((result |= Trspi_HashFinal(&hashCtx, digest.digest)))
147
if ((result = authsess_xsap_hmac(xsap, &digest)))
150
if ((result = TCS_API(tspContext)->ChangeAuthOwner(tspContext, TCPA_PID_ADCP,
151
&xsap->encAuthUse, TPM_ET_SRK,
155
/* Validate the response authorization: digest of return code and ordinal */
156
result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1);
157
result |= Trspi_Hash_UINT32(&hashCtx, TPM_SUCCESS);
158
result |= Trspi_Hash_UINT32(&hashCtx, TPM_ORD_ChangeAuthOwner);
159
if ((result |= Trspi_HashFinal(&hashCtx, digest.digest)))
162
result = authsess_xsap_verify(xsap, &digest);
/*
 * changeauth_encdata - change the authorization of a sealed/bound data object
 * (TPM_ORD_ChangeAuth, entity type data) under the key hParentObject.
 *
 * Fetches the object's stored-data blob, parses it, sends the encrypted part
 * to the TPM together with the new auth, verifies both response
 * authorizations, then writes the re-encrypted data back into the object.
 *
 * NOTE(review): this listing omits lines (declarations of result, offset,
 * digest, auth2 and hPolicy, error exits, session teardown), so the comments
 * below describe only what the visible lines establish.
 */
170
changeauth_encdata(TSS_HCONTEXT tspContext,
171
TSS_HOBJECT hObjectToChange,
172
TSS_HOBJECT hParentObject,
173
TSS_HPOLICY hNewPolicy)
177
Trspi_HashCtx hashCtx;
179
TCS_KEY_HANDLE keyHandle;
181
struct authsess *xsap = NULL;
182
TPM_STORED_DATA storedData;
183
UINT32 dataBlobLength, newEncSize;
184
BYTE *dataBlob, *newEncData;
187
/* get the usage policy of the object being changed; it drives the OIAP
 * authorization (auth2) further down */
188
if ((result = obj_encdata_get_policy(hObjectToChange, TSS_POLICY_USAGE, &hPolicy)))
191
/* get the data Object */
192
if ((result = obj_encdata_get_data(hObjectToChange, &dataBlobLength, &dataBlob)))
/* NOTE(review): dataBlobLength is not handed to the parser, so the lengths
 * encoded inside dataBlob are not checked against it in the visible code. */
196
if ((result = Trspi_UnloadBlob_STORED_DATA(&offset, dataBlob, &storedData)))
199
if ((result = obj_rsakey_get_tcs_handle(hParentObject, &keyHandle)))
202
if ((result = authsess_xsap_init(tspContext, hParentObject, hNewPolicy,
203
TSS_AUTH_POLICY_REQUIRED, TPM_ORD_ChangeAuth,
204
TPM_ET_KEYHANDLE, &xsap)))
/*
 * Digest of the request parameters, including the current encrypted data.
 * Return codes are OR-ed together, so any failure makes result non-zero, but
 * the combined value need not equal a single error code.
 */
207
/* calculate auth data */
208
result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1);
209
result |= Trspi_Hash_UINT32(&hashCtx, TPM_ORD_ChangeAuth);
210
result |= Trspi_Hash_UINT16(&hashCtx, TPM_PID_ADCP);
211
result |= Trspi_Hash_ENCAUTH(&hashCtx, xsap->encAuthUse.authdata);
212
result |= Trspi_Hash_UINT16(&hashCtx, TPM_ET_DATA);
213
result |= Trspi_Hash_UINT32(&hashCtx, storedData.encDataSize);
214
result |= Trspi_HashUpdate(&hashCtx, storedData.encDataSize, storedData.encData);
215
if ((result |= Trspi_HashFinal(&hashCtx, digest.digest)))
/* First authorization: the session on the parent key. */
218
if ((result = authsess_xsap_hmac(xsap, &digest)))
/* Second authorization: OIAP under the object's own usage policy. */
221
if ((result = secret_PerformAuth_OIAP(hObjectToChange, TPM_ORD_ChangeAuth,
222
hPolicy, FALSE, &digest, &auth2)))
/* newEncSize and newEncData are outputs of this call. */
225
if ((result = TCS_API(tspContext)->ChangeAuth(tspContext, keyHandle, TPM_PID_ADCP,
226
&xsap->encAuthUse, TPM_ET_DATA,
227
storedData.encDataSize, storedData.encData,
228
xsap->pAuth, &auth2, &newEncSize,
232
/* Validate the Auths: the response digest covers the returned size and data */
233
result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1);
234
result |= Trspi_Hash_UINT32(&hashCtx, TPM_SUCCESS);
235
result |= Trspi_Hash_UINT32(&hashCtx, TPM_ORD_ChangeAuth);
236
result |= Trspi_Hash_UINT32(&hashCtx, newEncSize);
237
result |= Trspi_HashUpdate(&hashCtx, newEncSize, newEncData);
238
if ((result |= Trspi_HashFinal(&hashCtx, digest.digest)))
241
if ((result = authsess_xsap_verify(xsap, &digest)))
244
if ((result = obj_policy_validate_auth_oiap(hPolicy, &digest, &auth2)))
/*
 * NOTE(review): storedData.encData was allocated by
 * Trspi_UnloadBlob_STORED_DATA with the OLD encDataSize. No visible line
 * checks newEncSize against that size before this copy, so a larger returned
 * size would write past the allocation. Both auth checks run first, which
 * authenticates the response, but an explicit newEncSize <= encDataSize check
 * (or a reallocation) is still the safer contract - confirm against the
 * lines this listing omits. Ownership and release of newEncData are not
 * visible here either.
 */
247
memcpy(storedData.encData, newEncData, newEncSize);
249
storedData.encDataSize = newEncSize;
/* NOTE(review): dataBlob was sized for the original blob (dataBlobLength);
 * re-serializing is only in bounds if the new encoding is no longer. */
252
Trspi_LoadBlob_STORED_DATA(&offset, dataBlob, &storedData);
254
result = obj_encdata_set_data(hObjectToChange, offset, dataBlob);
/* Release the buffers allocated by Trspi_UnloadBlob_STORED_DATA.
 * NOTE(review): storedData is not initialized at declaration; confirm that
 * no path failing before the unload reaches these calls. */
258
free(storedData.sealInfo);
259
free(storedData.encData);
/*
 * changeauth_key - change the usage authorization of a key
 * (TPM_ORD_ChangeAuth, entity type key) under its parent hParentObject.
 *
 * Fetches and parses the key blob, sends the encrypted private part to the
 * TPM together with the new auth, verifies both response authorizations, then
 * stores the re-encrypted part back into the key object.
 *
 * NOTE(review): this listing omits lines (declarations of result, offset,
 * digest, auth2, hPolicy, keyToChange, keyBlob and the size variables, error
 * exits, cleanup), so the comments below describe only what the visible
 * lines establish.
 */
266
changeauth_key(TSS_HCONTEXT tspContext,
267
TSS_HOBJECT hObjectToChange,
268
TSS_HOBJECT hParentObject,
269
TSS_HPOLICY hNewPolicy)
272
Trspi_HashCtx hashCtx;
275
TCS_KEY_HANDLE keyHandle;
276
struct authsess *xsap = NULL;
286
if ((result = obj_rsakey_get_blob(hObjectToChange, &objectLength, &keyBlob)))
/* NOTE(review): objectLength is not handed to the parser in the visible call. */
290
if ((result = UnloadBlob_TSS_KEY(&offset, keyBlob, &keyToChange))) {
291
LogDebug("UnloadBlob_TSS_KEY failed. "
292
"result=0x%x", result);
/* Usage policy of the key being changed; it drives the OIAP authorization
 * (auth2) further down. */
296
if ((result = obj_rsakey_get_policy(hObjectToChange, TSS_POLICY_USAGE, &hPolicy, NULL)))
299
if ((result = obj_rsakey_get_tcs_handle(hParentObject, &keyHandle)))
/* The session's entity type depends on whether the parent is the SRK. */
302
if ((result = authsess_xsap_init(tspContext, hParentObject, hNewPolicy,
303
TSS_AUTH_POLICY_REQUIRED, TPM_ORD_ChangeAuth,
304
keyHandle == TPM_KEYHND_SRK ?
305
TPM_ET_SRK : TPM_ET_KEYHANDLE, &xsap)))
/*
 * Digest of the request parameters, including the current encrypted data.
 * Return codes are OR-ed together, so any failure makes result non-zero, but
 * the combined value need not equal a single error code.
 */
308
/* calculate auth data */
309
result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1);
310
result |= Trspi_Hash_UINT32(&hashCtx, TPM_ORD_ChangeAuth);
311
result |= Trspi_Hash_UINT16(&hashCtx, TCPA_PID_ADCP);
312
result |= Trspi_Hash_ENCAUTH(&hashCtx, xsap->encAuthUse.authdata);
313
result |= Trspi_Hash_UINT16(&hashCtx, TCPA_ET_KEY);
314
result |= Trspi_Hash_UINT32(&hashCtx, keyToChange.encSize);
315
result |= Trspi_HashUpdate(&hashCtx, keyToChange.encSize,
316
keyToChange.encData);
317
if ((result |= Trspi_HashFinal(&hashCtx, digest.digest)))
/* First authorization: the session on the parent key. */
320
if ((result = authsess_xsap_hmac(xsap, &digest)))
/* Second authorization: OIAP under the key's own usage policy. */
323
if ((result = secret_PerformAuth_OIAP(hObjectToChange, TPM_ORD_ChangeAuth,
324
hPolicy, FALSE, &digest, &auth2)))
/* newEncSize and newEncData are outputs of this call. */
327
if ((result = TCS_API(tspContext)->ChangeAuth(tspContext, keyHandle, TPM_PID_ADCP,
328
&xsap->encAuthUse, TPM_ET_KEY,
329
keyToChange.encSize, keyToChange.encData,
330
xsap->pAuth, &auth2, &newEncSize,
334
/* Validate the Auths: the response digest covers the returned size and data */
335
result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1);
/* NOTE(review): the sibling functions hash the constant TPM_SUCCESS here.
 * Hashing "result" gives the same digest only while Trspi_HashInit has just
 * returned 0; the constant would state the intent and not depend on that. */
336
result |= Trspi_Hash_UINT32(&hashCtx, result);
337
result |= Trspi_Hash_UINT32(&hashCtx, TPM_ORD_ChangeAuth);
338
result |= Trspi_Hash_UINT32(&hashCtx, newEncSize);
339
result |= Trspi_HashUpdate(&hashCtx, newEncSize, newEncData);
340
if ((result |= Trspi_HashFinal(&hashCtx, digest.digest)))
343
if ((result = authsess_xsap_verify(xsap, &digest)))
346
if ((result = obj_policy_validate_auth_oiap(hPolicy, &digest, &auth2)))
/*
 * NOTE(review): keyToChange.encData holds the encrypted part parsed from the
 * original blob (encSize bytes). No visible line checks newEncSize against
 * encSize before this copy, so a larger returned size would write past that
 * buffer. Both auth checks run first, which authenticates the response, but
 * an explicit size check is still the safer contract - confirm against the
 * lines this listing omits, including whether encSize is updated and who
 * releases newEncData.
 */
349
memcpy(keyToChange.encData, newEncData, newEncSize);
/* NOTE(review): keyBlob was sized for the original key (objectLength);
 * re-serializing is only in bounds if the new encoding is no longer. */
353
LoadBlob_TSS_KEY(&offset, keyBlob, &keyToChange);
354
objectLength = offset;
356
result = obj_rsakey_set_tcpakey(hObjectToChange, objectLength, keyBlob);
364
#ifdef TSS_BUILD_TRANSPORT
/*
 * Transport_ChangeAuth - issue TPM_ORD_ChangeAuth inside a transport session.
 *
 * Marshals protocolID, newAuth, entityType and the length-prefixed encData
 * into a heap buffer, executes it through the context's transport session,
 * then unmarshals the length-prefixed result into a buffer malloc'd here and
 * returned through *outData / *outDataSize.
 * Returns TSPERR(TSS_E_OUTOFMEMORY) when an allocation fails.
 *
 * NOTE(review): this listing omits lines (declarations of result, offset,
 * data and dec, error exits, frees), so buffer release on the error paths
 * cannot be confirmed from here.
 */
366
Transport_ChangeAuth(TSS_HCONTEXT tspContext, /* in */
367
TCS_KEY_HANDLE parentHandle, /* in */
368
TCPA_PROTOCOL_ID protocolID, /* in */
369
TCPA_ENCAUTH *newAuth, /* in */
370
TCPA_ENTITY_TYPE entityType, /* in */
371
UINT32 encDataSize, /* in */
372
BYTE * encData, /* in */
373
TPM_AUTH * ownerAuth, /* in, out */
374
TPM_AUTH * entityAuth, /* in, out */
375
UINT32 * outDataSize, /* out */
376
BYTE ** outData) /* out */
379
UINT32 handlesLen, dataLen, decLen;
380
TCS_HANDLE *handles, handle;
382
TPM_DIGEST pubKeyHash;
383
Trspi_HashCtx hashCtx;
387
if ((result = obj_context_transport_init(tspContext)))
390
LogDebugFn("Executing in a transport session");
392
if ((result = obj_tcskey_get_pubkeyhash(parentHandle, pubKeyHash.digest)))
/* The parent's public-key hash is hashed once more, in place, and the
 * result is what gets passed to the transport layer. */
395
result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1);
396
result |= Trspi_Hash_DIGEST(&hashCtx, pubKeyHash.digest);
397
if ((result |= Trspi_HashFinal(&hashCtx, pubKeyHash.digest)))
401
handle = parentHandle;
/*
 * Size of the marshalled request; the remaining terms of the sum are on
 * lines this listing omits.
 * NOTE(review): the buffer also has to hold the 32-bit length and the
 * encDataSize bytes written below. dataLen is a UINT32, so a very large
 * caller-supplied encDataSize could wrap the sum and under-allocate -
 * confirm a range check exists upstream.
 */
404
dataLen = sizeof(TCPA_PROTOCOL_ID) + sizeof(TCPA_ENCAUTH)
405
+ sizeof(TCPA_ENTITY_TYPE)
408
if ((data = malloc(dataLen)) == NULL) {
409
LogError("malloc of %u bytes failed", dataLen);
410
return TSPERR(TSS_E_OUTOFMEMORY);
/* Marshal the request in wire order. */
414
Trspi_LoadBlob_UINT16(&offset, protocolID, data);
415
Trspi_LoadBlob(&offset, sizeof(TCPA_ENCAUTH), data, newAuth->authdata);
416
Trspi_LoadBlob_UINT16(&offset, entityType, data);
417
Trspi_LoadBlob_UINT32(&offset, encDataSize, data);
418
Trspi_LoadBlob(&offset, encDataSize, data, encData);
/* dec / decLen receive the response payload. */
420
if ((result = obj_context_transport_execute(tspContext, TPM_ORD_ChangeAuth, dataLen, data,
421
&pubKeyHash, &handlesLen, &handles,
422
ownerAuth, entityAuth, &decLen, &dec))) {
/*
 * NOTE(review): *outDataSize is parsed out of the response and then used as
 * allocation and copy length. No visible line compares it with decLen, so a
 * length field larger than the payload would read past dec - confirm against
 * the omitted lines.
 */
429
Trspi_UnloadBlob_UINT32(&offset, outDataSize, dec);
/* NOTE(review): for *outDataSize == 0, malloc may legitimately return NULL,
 * which this check reports as out-of-memory. */
431
if ((*outData = malloc(*outDataSize)) == NULL) {
433
LogError("malloc of %u bytes failed", *outDataSize);
435
return TSPERR(TSS_E_OUTOFMEMORY);
/* On success the buffer at *outData is handed to the caller, who presumably
 * frees it. */
437
Trspi_UnloadBlob(&offset, *outDataSize, dec, *outData);
445
Transport_ChangeAuthOwner(TSS_HCONTEXT tspContext, /* in */
446
TCPA_PROTOCOL_ID protocolID, /* in */
447
TCPA_ENCAUTH *newAuth, /* in */
448
TCPA_ENTITY_TYPE entityType, /* in */
449
TPM_AUTH * ownerAuth) /* in, out */
452
UINT32 handlesLen = 0;
454
BYTE data[sizeof(TCPA_PROTOCOL_ID) + sizeof(TCPA_ENCAUTH) + sizeof(TCPA_ENTITY_TYPE)];
456
if ((result = obj_context_transport_init(tspContext)))
459
LogDebugFn("Executing in a transport session");
462
Trspi_LoadBlob_UINT16(&offset, protocolID, data);
463
Trspi_LoadBlob(&offset, sizeof(TCPA_ENCAUTH), data, newAuth->authdata);
464
Trspi_LoadBlob_UINT16(&offset, entityType, data);
466
return obj_context_transport_execute(tspContext, TPM_ORD_ChangeAuthOwner, sizeof(data),
467
data, NULL, &handlesLen, NULL, ownerAuth, NULL, NULL,