test: move session bits from tpmclient to test/integration
Move session HMAC related bits from tpmclient to test/integration.
This will allow it to be reused by all integration test.
Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
diff --git a/Makefile-test.am b/Makefile-test.am
index 887455d..66ddc2d 100644
--- a/Makefile-test.am
+++ b/Makefile-test.am
@@ -262,8 +262,6 @@
test_tpmclient_tpmclient_int_LDADD = $(TESTS_LDADD)
test_tpmclient_tpmclient_int_SOURCES = \
test/tpmclient/DecryptEncrypt.c \
- test/tpmclient/Entity.c test/tpmclient/kdfa.c \
- test/tpmclient/StartAuthSession.c test/tpmclient/SessionHmac.c \
test/tpmclient/tpmclient.int.c test/tpmclient/tpmclient.int.h \
test/integration/main.c
@@ -273,7 +271,7 @@
test/integration/sapi-util.c test/integration/sapi-util.h \
test/integration/session-util.c test/integration/session-util.h \
test/integration/test-options.c test/integration/test-options.h \
- test/integration/test.h
+ test/integration/entity-util.c test/integration/test.h
test_integration_asymmetric_encrypt_decrypt_int_CFLAGS = $(AM_CFLAGS) $(TESTS_CFLAGS)
test_integration_asymmetric_encrypt_decrypt_int_LDADD = $(TESTS_LDADD)
diff --git a/test/tpmclient/Entity.c b/test/integration/entity-util.c
similarity index 96%
rename from test/tpmclient/Entity.c
rename to test/integration/entity-util.c
index 4b64a46..1d5b5e8 100644
--- a/test/tpmclient/Entity.c
+++ b/test/integration/entity-util.c
@@ -26,9 +26,9 @@
//**********************************************************************;
#include "tss2_tpm2_types.h"
-#include "tpmclient.int.h"
#include "sysapi_util.h"
-#include "../integration/sapi-util.h"
+#include "sapi-util.h"
+#include "session-util.h"
static ENTITY *entities = NULL;
diff --git a/test/integration/session-util.c b/test/integration/session-util.c
index 11325f5..dfb3f37 100644
--- a/test/integration/session-util.c
+++ b/test/integration/session-util.c
@@ -31,6 +31,312 @@
#define LOGMODULE test
#include "util/log.h"
+static SESSION *sessions = NULL;
+
+SESSION *
+get_session(TPMI_SH_AUTH_SESSION hndl)
+{
+ SESSION *s;
+
+ HASH_FIND_INT(sessions, &hndl, s);
+ return s;
+}
+
+static TSS2_RC
+StartAuthSession(
+ SESSION *session,
+ TSS2_TCTI_CONTEXT *tctiContext)
+{
+ TSS2_RC rval;
+ TPM2B_ENCRYPTED_SECRET key;
+ char label[] = "ATH";
+ TSS2_SYS_CONTEXT *tmpSysContext;
+ UINT16 bytes;
+
+ key.size = 0;
+
+ tmpSysContext = sapi_init_from_tcti_ctx(tctiContext);
+ if (tmpSysContext == NULL)
+ return TSS2_SYS_RC_GENERAL_FAILURE;
+
+ if (session->nonceOlder.size == 0)
+ session->nonceOlder.size = GetDigestSize(session->authHash);
+
+ memset(session->nonceOlder.buffer, '\0', session->nonceOlder.size);
+ session->nonceNewer.size = session->nonceOlder.size;
+ session->nonceTpmDecrypt.size = 0;
+ session->nonceTpmEncrypt.size = 0;
+
+ rval = Tss2_Sys_StartAuthSession(
+ tmpSysContext, session->tpmKey, session->bind, 0,
+ &session->nonceOlder, &session->encryptedSalt,
+ session->sessionType, &session->symmetric,
+ session->authHash, &session->sessionHandle,
+ &session->nonceNewer, 0);
+ if (rval != TPM2_RC_SUCCESS)
+ goto out;
+
+ if (session->tpmKey == TPM2_RH_NULL)
+ session->salt.size = 0;
+
+ if (session->bind == TPM2_RH_NULL)
+ session->authValueBind.size = 0;
+
+ session->sessionKey.size = 0;
+ if (session->tpmKey == TPM2_RH_NULL && session->bind == TPM2_RH_NULL)
+ goto out;
+
+ /* Generate the key used as input to the KDF. */
+ rval = ConcatSizedByteBuffer((TPM2B_MAX_BUFFER *)&key,
+ (TPM2B *)&session->authValueBind);
+ if (rval != TPM2_RC_SUCCESS) {
+ Tss2_Sys_FlushContext(tmpSysContext, session->sessionHandle);
+ goto out;
+ }
+
+ rval = ConcatSizedByteBuffer((TPM2B_MAX_BUFFER *)&key,
+ (TPM2B *)&session->salt);
+ if (rval != TPM2_RC_SUCCESS) {
+ Tss2_Sys_FlushContext(tmpSysContext, session->sessionHandle);
+ goto out;
+ }
+
+ bytes = GetDigestSize(session->authHash) * 8;
+
+ rval = KDFa(session->authHash, (TPM2B *)&key, label,
+ (TPM2B *)&session->nonceNewer,
+ (TPM2B *)&session->nonceOlder,
+ bytes, (TPM2B_MAX_BUFFER *)&session->sessionKey);
+out:
+ sapi_teardown(tmpSysContext);
+ return rval;
+}
+
+static TSS2_RC
+TpmComputeSessionHmac(
+ TSS2_SYS_CONTEXT *sysContext,
+ SESSION *session,
+ TPMS_AUTH_COMMAND *pSessionDataIn,
+ bool command,
+ TPM2_HANDLE handle1,
+ TPM2_HANDLE handle2,
+ TPM2_HANDLE handle3,
+ TPM2B_MAX_BUFFER *hmacKey)
+{
+ TPM2B_DIGEST *bufferList[7];
+ TPM2B_DIGEST pHash = TPM2B_DIGEST_INIT;
+ TPM2B sessionAttributesByteBuffer = {
+ .size = 1,
+ .buffer = pSessionDataIn->sessionAttributes
+ };
+ UINT16 i;
+ TSS2_RC rval;
+ TPM2_CC cmdCode;
+
+ rval = TpmCalcPHash(sysContext, handle1, handle2, handle3,
+ session->authHash, command, &pHash);
+ if (rval != TPM2_RC_SUCCESS)
+ return rval;
+
+ rval = Tss2_Sys_GetCommandCode(sysContext, (UINT8 *)&cmdCode);
+ if (rval != TPM2_RC_SUCCESS)
+ return rval;
+
+ /* cmdCode comes back as BigEndian; not suited for comparisons below. */
+ cmdCode = BE_TO_HOST_32(cmdCode);
+ LOGBLOB_DEBUG(hmacKey->buffer, hmacKey->size, "hmacKey=");
+
+ i = 0;
+ bufferList[i++] = (TPM2B_DIGEST *)&pHash;
+ bufferList[i++] = (TPM2B_DIGEST *)&session->nonceNewer;
+ bufferList[i++] = (TPM2B_DIGEST *)&session->nonceOlder;
+ bufferList[i++] = (TPM2B_DIGEST *)&session->nonceTpmDecrypt;
+ bufferList[i++] = (TPM2B_DIGEST *)&session->nonceTpmEncrypt;
+ bufferList[i++] = (TPM2B_DIGEST *)&sessionAttributesByteBuffer;
+ bufferList[i++] = 0;
+
+ for (int j = 0; bufferList[j] != 0; j++) {
+ LOGBLOB_DEBUG(&bufferList[j]->buffer[0],
+ bufferList[j]->size, "bufferlist[%d]:", j);
+ ;
+ }
+
+ rval = hmac(session->authHash, hmacKey->buffer,
+ hmacKey->size, bufferList,
+ (TPM2B_DIGEST *)&pSessionDataIn->hmac);
+
+ if (rval != TPM2_RC_SUCCESS) {
+ LOGBLOB_ERROR(pSessionDataIn->hmac.buffer,
+ pSessionDataIn->hmac.size,
+ "HMAC Failed rval = %d !!!", rval);
+ return rval;
+ }
+ return rval;
+}
+
+TSS2_RC ComputeCommandHmacs(
+ TSS2_SYS_CONTEXT *sysContext,
+ TPM2_HANDLE handle1,
+ TPM2_HANDLE handle2,
+ TPM2_HANDLE handle3,
+ TSS2L_SYS_AUTH_COMMAND *pSessionsDataIn)
+{
+ TPM2_HANDLE handles[3] = {handle1, handle2, handle3};
+ ENTITY *entity;
+ SESSION *session;
+ TPM2B_MAX_BUFFER hmac_key;
+ TSS2_RC rval = TPM2_RC_SUCCESS;
+ unsigned int i;
+
+ for (i = 0; i < pSessionsDataIn->count; i++) {
+ if (handles[i] == TPM2_RH_NULL)
+ break;
+
+ entity = GetEntity(handles[i]);
+ if (!entity)
+ return TSS2_SYS_RC_GENERAL_FAILURE;
+
+ session = get_session(pSessionsDataIn->auths[i].sessionHandle);
+ if (!session)
+ return TPM2_RC_SUCCESS;
+
+ CopySizedByteBuffer((TPM2B *)&hmac_key, (TPM2B *)&session->sessionKey);
+
+ if (handles[i] != session->bind || handles[i] == TPM2_RH_NULL)
+ ConcatSizedByteBuffer(&hmac_key, (TPM2B *)&entity->entityAuth);
+
+ rval = TpmComputeSessionHmac(sysContext,
+ session,
+ &pSessionsDataIn->auths[i],
+ true,
+ handle1,
+ handle2,
+ handle3,
+ &hmac_key);
+ if (rval != TPM2_RC_SUCCESS)
+ break;
+ }
+ return rval;
+}
+
+TSS2_RC CheckResponseHMACs(
+ TSS2_SYS_CONTEXT *sysContext,
+ TSS2L_SYS_AUTH_COMMAND *pSessionsDataIn,
+ TPM2_HANDLE handle1,
+ TPM2_HANDLE handle2,
+ TPM2_HANDLE handle3,
+ TSS2L_SYS_AUTH_RESPONSE *pSessionsDataOut)
+{
+ TPM2_HANDLE handles[3] = {handle1, handle2, handle3};
+ ENTITY *entity;
+ SESSION *session;
+ TPM2B_MAX_BUFFER hmac_key;
+ TSS2_RC rval = TPM2_RC_SUCCESS;
+ unsigned int i;
+
+ for (i = 0; i < pSessionsDataIn->count; i++) {
+ if (handles[i] == TPM2_RH_NULL)
+ break;
+
+ entity = GetEntity(handles[i]);
+ if (!entity)
+ return TSS2_SYS_RC_GENERAL_FAILURE;
+
+ session = get_session(pSessionsDataIn->auths[i].sessionHandle);
+ if (!session)
+ return TPM2_RC_SUCCESS;
+
+ CopySizedByteBuffer((TPM2B *)&hmac_key, (TPM2B *)&session->sessionKey);
+
+ if (handles[i] != session->bind)
+ ConcatSizedByteBuffer(&hmac_key, (TPM2B *)&entity->entityAuth);
+
+ rval = TpmComputeSessionHmac(sysContext,
+ session,
+ &pSessionsDataIn->auths[i],
+ false,
+ handle1,
+ handle2,
+ handle3,
+ &hmac_key);
+
+ if (rval != TPM2_RC_SUCCESS)
+ return rval;
+
+ rval = CompareSizedByteBuffer((TPM2B *)&pSessionsDataIn->auths[i].hmac,
+ (TPM2B *)&pSessionsDataOut->auths[i].hmac);
+ if (rval != TPM2_RC_SUCCESS)
+ return TSS2_SYS_RC_GENERAL_FAILURE;
+ }
+ return rval;
+}
+
+TSS2_RC StartAuthSessionWithParams(
+ SESSION **psession,
+ TPMI_DH_OBJECT tpmKey,
+ TPM2B_MAX_BUFFER *salt,
+ TPMI_DH_ENTITY bind,
+ TPM2B_AUTH *bindAuth,
+ TPM2B_NONCE *nonceCaller,
+ TPM2B_ENCRYPTED_SECRET *encryptedSalt,
+ TPM2_SE sessionType,
+ TPMT_SYM_DEF *symmetric,
+ TPMI_ALG_HASH algId,
+ TSS2_TCTI_CONTEXT *tctiContext)
+{
+ TSS2_RC rval;
+ SESSION *session, *tmp;
+
+ if (psession == NULL)
+ return TSS2_SYS_RC_BAD_REFERENCE;
+
+ session = calloc(1, sizeof(SESSION));
+
+ if (!session)
+ return TSS2_SYS_RC_GENERAL_FAILURE;
+
+ session->bind = bind;
+ session->tpmKey = tpmKey;
+ CopySizedByteBuffer((TPM2B *)&session->nonceOlder, (TPM2B *)nonceCaller);
+ CopySizedByteBuffer((TPM2B *)&session->encryptedSalt, (TPM2B *)encryptedSalt);
+ session->sessionType = sessionType;
+ session->symmetric.algorithm = symmetric->algorithm;
+ session->symmetric.keyBits.sym = symmetric->keyBits.sym;
+ session->symmetric.mode.sym = symmetric->mode.sym;
+ session->authHash = algId;
+ if (bindAuth != NULL)
+ CopySizedByteBuffer((TPM2B *)&session->authValueBind, (TPM2B *)bindAuth);
+
+ if (session->tpmKey != TPM2_RH_NULL)
+ CopySizedByteBuffer((TPM2B *)&session->salt, (TPM2B *)salt);
+
+ rval = StartAuthSession(session, tctiContext);
+ if (rval != TSS2_RC_SUCCESS) {
+ free(session);
+ return rval;
+ }
+ /* Make sure this session handle is not already in the table */
+ HASH_FIND_INT(sessions, &session->sessionHandle, tmp);
+ if (tmp)
+ HASH_DEL(sessions, tmp);
+
+ HASH_ADD_INT(sessions, sessionHandle, session);
+ *psession = session;
+ return TSS2_RC_SUCCESS;
+}
+
+void EndAuthSession(SESSION *session)
+{
+ HASH_DEL(sessions, session);
+ free(session);
+}
+
+void RollNonces(SESSION *session, TPM2B_NONCE *new_nonce)
+{
+ session->nonceOlder = session->nonceNewer;
+ session->nonceNewer = *new_nonce;
+}
+
TSS2_RC
TpmCalcPHash(
TSS2_SYS_CONTEXT *sysContext,
@@ -181,3 +487,65 @@
}
return rval;
}
+
+TSS2_RC
+KDFa(
+ TPMI_ALG_HASH hashAlg,
+ TPM2B *key,
+ const char *label,
+ TPM2B *contextU,
+ TPM2B *contextV,
+ UINT16 bits,
+ TPM2B_MAX_BUFFER *resultKey)
+{
+ TPM2B_DIGEST digest;
+ TPM2B_DIGEST tpm2bLabel, tpm2bBits, tpm2bi;
+ TPM2B_DIGEST *bufferList[8];
+ UINT32 val;
+ TSS2_RC rval;
+ int i, j;
+ UINT16 bytes = bits / 8;
+
+ resultKey->size = 0;
+ tpm2bi.size = 4;
+ tpm2bBits.size = 4;
+ val = BE_TO_HOST_32(bits);
+ memcpy(tpm2bBits.buffer, &val, 4);
+ tpm2bLabel.size = strlen(label) + 1;
+ memcpy(tpm2bLabel.buffer, label, tpm2bLabel.size);
+
+ LOG_DEBUG("KDFA, hashAlg = %4.4x", hashAlg);
+ LOGBLOB_DEBUG(&key->buffer[0], key->size, "KDFA, key =");
+ LOGBLOB_DEBUG(&tpm2bLabel.buffer[0], tpm2bLabel.size, "KDFA, tpm2bLabel =");
+ LOGBLOB_DEBUG(&contextU->buffer[0], contextU->size, "KDFA, contextU =");
+ LOGBLOB_DEBUG(&contextV->buffer[0], contextV->size, "KDFA, contextV =");
+
+ for (i = 1, j = 0; resultKey->size < bytes; j = 0) {
+ val = BE_TO_HOST_32(i++);
+ memcpy(tpm2bi.buffer, &val, 4);
+ bufferList[j++] = (TPM2B_DIGEST *)&tpm2bi;
+ bufferList[j++] = (TPM2B_DIGEST *)&tpm2bLabel;
+ bufferList[j++] = (TPM2B_DIGEST *)contextU;
+ bufferList[j++] = (TPM2B_DIGEST *)contextV;
+ bufferList[j++] = (TPM2B_DIGEST *)&tpm2bBits;
+ bufferList[j++] = NULL;
+
+ for (j = 0; bufferList[j] != NULL; j++) {
+ LOGBLOB_DEBUG(&bufferList[j]->buffer[0], bufferList[j]->size, "bufferlist[%d]:", j);
+ ;
+ }
+
+ rval = hmac(hashAlg, key->buffer, key->size, bufferList, &digest);
+ if (rval != TPM2_RC_SUCCESS) {
+ LOGBLOB_ERROR(digest.buffer, digest.size, "HMAC Failed rval = %d", rval);
+ return rval;
+ }
+
+ ConcatSizedByteBuffer(resultKey, (TPM2B *)&digest);
+ }
+
+ /* Truncate the result to the desired size. */
+ resultKey->size = bytes;
+ LOGBLOB_DEBUG(&resultKey->buffer[0], resultKey->size, "KDFA, resultKey = ");
+ return TPM2_RC_SUCCESS;
+}
diff --git a/test/integration/session-util.h b/test/integration/session-util.h
index 52ed82d..6df25a9 100644
--- a/test/integration/session-util.h
+++ b/test/integration/session-util.h
@@ -28,8 +28,37 @@
#define _SESSION_UTIL_H_
#include <stdbool.h>
+#include <uthash.h>
#include "tss2_tpm2_types.h"
#include "tss2_sys.h"
+#include "util/tpm2b.h"
+
+typedef struct {
+ TPMI_DH_OBJECT tpmKey;
+ TPMI_DH_ENTITY bind;
+ TPM2B_ENCRYPTED_SECRET encryptedSalt;
+ TPM2B_MAX_BUFFER salt;
+ TPM2_SE sessionType;
+ TPMT_SYM_DEF symmetric;
+ TPMI_ALG_HASH authHash;
+ TPMI_SH_AUTH_SESSION sessionHandle;
+ TPM2B_NONCE nonceTPM;
+ TPM2B_DIGEST sessionKey;
+ TPM2B_DIGEST authValueBind;
+ TPM2B_NONCE nonceNewer;
+ TPM2B_NONCE nonceOlder;
+ TPM2B_NONCE nonceTpmDecrypt;
+ TPM2B_NONCE nonceTpmEncrypt;
+ TPM2B_NAME name;
+ void *hmacPtr;
+ UT_hash_handle hh;
+} SESSION;
+
+typedef struct{
+ TPM2_HANDLE entityHandle;
+ TPM2B_AUTH entityAuth;
+ UT_hash_handle hh;
+} ENTITY;
/*
* Helper function used to calculate cpHash and rpHash
@@ -51,4 +80,68 @@
TSS2_TCTI_CONTEXT *tcti_context,
TPM2_HANDLE handle,
TPM2B_NAME *name);
+
+void
+RollNonces(
+ SESSION *session,
+ TPM2B_NONCE *new_nonce);
+
+TSS2_RC
+KDFa(TPMI_ALG_HASH hash,
+ TPM2B *key,
+ const char *label,
+ TPM2B *contextU,
+ TPM2B *contextV,
+ UINT16 bits,
+ TPM2B_MAX_BUFFER *resultKey );
+
+SESSION *
+get_session(TPMI_SH_AUTH_SESSION hndl);
+
+TSS2_RC StartAuthSessionWithParams(
+ SESSION **psession,
+ TPMI_DH_OBJECT tpmKey,
+ TPM2B_MAX_BUFFER *salt,
+ TPMI_DH_ENTITY bind,
+ TPM2B_AUTH *bindAuth,
+ TPM2B_NONCE *nonceCaller,
+ TPM2B_ENCRYPTED_SECRET *encryptedSalt,
+ TPM2_SE sessionType,
+ TPMT_SYM_DEF *symmetric,
+ TPMI_ALG_HASH algId,
+ TSS2_TCTI_CONTEXT *tctiContext);
+
+TSS2_RC
+ComputeCommandHmacs(
+ TSS2_SYS_CONTEXT *sysContext,
+ TPM2_HANDLE handle1,
+ TPM2_HANDLE handle2,
+ TPM2_HANDLE handle3,
+ TSS2L_SYS_AUTH_COMMAND *pSessionsDataIn);
+
+TSS2_RC
+CheckResponseHMACs(
+ TSS2_SYS_CONTEXT *sysContext,
+ TSS2L_SYS_AUTH_COMMAND *pSessionsDataIn,
+ TPM2_HANDLE handle1,
+ TPM2_HANDLE handle2,
+ TPM2_HANDLE handle3,
+ TSS2L_SYS_AUTH_RESPONSE *pSessionsDataOut);
+
+void
+EndAuthSession(SESSION *session);
+
+int
+AddEntity(TPM2_HANDLE handle, TPM2B_AUTH *auth);
+
+void
+DeleteEntity(TPM2_HANDLE handle);
+
+int
+GetEntityAuth(TPM2_HANDLE handle, TPM2B_AUTH *auth);
+
+ENTITY *
+GetEntity(TPM2_HANDLE handle);
+
+
#endif
diff --git a/test/tpmclient/SessionHmac.c b/test/tpmclient/SessionHmac.c
deleted file mode 100644
index efd7e0c..0000000
--- a/test/tpmclient/SessionHmac.c
+++ /dev/null
@@ -1,199 +0,0 @@
-//**********************************************************************;
-// Copyright (c) 2015, Intel Corporation
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice,
-// this list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-// ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
-// LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-// SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-// CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
-// THE POSSIBILITY OF SUCH DAMAGE.
-//**********************************************************************;
-
-#include <stdio.h>
-#include <stdlib.h>
-
-#include "tss2_sys.h"
-
-#include "../integration/sapi-util.h"
-#include "../integration/session-util.h"
-#include "tpmclient.int.h"
-#include "sysapi_util.h"
-#include "util/tss2_endian.h"
-#define LOGMODULE test
-#include "util/log.h"
-
-static TSS2_RC
-TpmComputeSessionHmac(
- TSS2_SYS_CONTEXT *sysContext,
- SESSION *session,
- TPMS_AUTH_COMMAND *pSessionDataIn,
- bool command,
- TPM2_HANDLE handle1,
- TPM2_HANDLE handle2,
- TPM2_HANDLE handle3,
- TPM2B_MAX_BUFFER *hmacKey)
-{
- TPM2B_DIGEST *bufferList[7];
- TPM2B_DIGEST pHash;
- TPM2B sessionAttributesByteBuffer = {
- .size = 1,
- .buffer = pSessionDataIn->sessionAttributes
- };
- UINT16 i;
- TSS2_RC rval;
- TPM2_CC cmdCode;
-
- INIT_SIMPLE_TPM2B_SIZE(pHash);
- rval = TpmCalcPHash(sysContext, handle1, handle2, handle3,
- session->authHash, command, &pHash);
- if (rval != TPM2_RC_SUCCESS)
- return rval;
-
- rval = Tss2_Sys_GetCommandCode(sysContext, (UINT8 *)&cmdCode);
- if (rval != TPM2_RC_SUCCESS)
- return rval;
-
- /* cmdCode comes back as BigEndian; not suited for comparisons below. */
- cmdCode = BE_TO_HOST_32(cmdCode);
- LOGBLOB_DEBUG(hmacKey->buffer, hmacKey->size, "hmacKey=");
-
- i = 0;
- bufferList[i++] = (TPM2B_DIGEST *)&pHash;
- bufferList[i++] = (TPM2B_DIGEST *)&session->nonceNewer;
- bufferList[i++] = (TPM2B_DIGEST *)&session->nonceOlder;
- bufferList[i++] = (TPM2B_DIGEST *)&session->nonceTpmDecrypt;
- bufferList[i++] = (TPM2B_DIGEST *)&session->nonceTpmEncrypt;
- bufferList[i++] = (TPM2B_DIGEST *)&sessionAttributesByteBuffer;
- bufferList[i++] = 0;
-
- for (int j = 0; bufferList[j] != 0; j++) {
- LOGBLOB_DEBUG(&bufferList[j]->buffer[0],
- bufferList[j]->size, "bufferlist[%d]:", j);
- ;
- }
-
- rval = hmac(session->authHash, hmacKey->buffer,
- hmacKey->size, bufferList,
- (TPM2B_DIGEST *)&pSessionDataIn->hmac);
-
- if (rval != TPM2_RC_SUCCESS) {
- LOGBLOB_ERROR(pSessionDataIn->hmac.buffer,
- pSessionDataIn->hmac.size,
- "HMAC Failed rval = %d !!!", rval);
- return rval;
- }
- return rval;
-}
-
-TSS2_RC ComputeCommandHmacs(
- TSS2_SYS_CONTEXT *sysContext,
- TPM2_HANDLE handle1,
- TPM2_HANDLE handle2,
- TPM2_HANDLE handle3,
- TSS2L_SYS_AUTH_COMMAND *pSessionsDataIn)
-{
- TPM2_HANDLE handles[3] = {handle1, handle2, handle3};
- ENTITY *entity;
- SESSION *session;
- TPM2B_MAX_BUFFER hmac_key;
- TSS2_RC rval = TPM2_RC_SUCCESS;
- unsigned int i;
-
- for (i = 0; i < pSessionsDataIn->count; i++) {
- if (handles[i] == TPM2_RH_NULL)
- break;
-
- entity = GetEntity(handles[i]);
- if (!entity)
- return APPLICATION_HMAC_ERROR(i+1);
-
- session = get_session(pSessionsDataIn->auths[i].sessionHandle);
- if (!session)
- return TPM2_RC_SUCCESS;
-
- CopySizedByteBuffer((TPM2B *)&hmac_key, (TPM2B *)&session->sessionKey);
-
- if (handles[i] != session->bind || handles[i] == TPM2_RH_NULL)
- ConcatSizedByteBuffer(&hmac_key, (TPM2B *)&entity->entityAuth);
-
- rval = TpmComputeSessionHmac(sysContext,
- session,
- &pSessionsDataIn->auths[i],
- true,
- handle1,
- handle2,
- handle3,
- &hmac_key);
- if (rval != TPM2_RC_SUCCESS)
- break;
- }
- return rval;
-}
-
-TSS2_RC CheckResponseHMACs(
- TSS2_SYS_CONTEXT *sysContext,
- TSS2L_SYS_AUTH_COMMAND *pSessionsDataIn,
- TPM2_HANDLE handle1,
- TPM2_HANDLE handle2,
- TPM2_HANDLE handle3,
- TSS2L_SYS_AUTH_RESPONSE *pSessionsDataOut)
-{
- TPM2_HANDLE handles[3] = {handle1, handle2, handle3};
- ENTITY *entity;
- SESSION *session;
- TPM2B_MAX_BUFFER hmac_key;
- TSS2_RC rval = TPM2_RC_SUCCESS;
- unsigned int i;
-
- for (i = 0; i < pSessionsDataIn->count; i++) {
- if (handles[i] == TPM2_RH_NULL)
- break;
-
- entity = GetEntity(handles[i]);
- if (!entity)
- return APPLICATION_HMAC_ERROR(i+1);
-
- session = get_session(pSessionsDataIn->auths[i].sessionHandle);
- if (!session)
- return TPM2_RC_SUCCESS;
-
- CopySizedByteBuffer((TPM2B *)&hmac_key, (TPM2B *)&session->sessionKey);
-
- if (handles[i] != session->bind)
- ConcatSizedByteBuffer(&hmac_key, (TPM2B *)&entity->entityAuth);
-
- rval = TpmComputeSessionHmac(sysContext,
- session,
- &pSessionsDataIn->auths[i],
- false,
- handle1,
- handle2,
- handle3,
- &hmac_key);
-
- if (rval != TPM2_RC_SUCCESS)
- return rval;
-
- rval = CompareSizedByteBuffer((TPM2B *)&pSessionsDataIn->auths[i].hmac,
- (TPM2B *)&pSessionsDataOut->auths[i].hmac);
- if (rval != TPM2_RC_SUCCESS)
- return APPLICATION_HMAC_ERROR(i+1);
- }
- return rval;
-}
diff --git a/test/tpmclient/StartAuthSession.c b/test/tpmclient/StartAuthSession.c
deleted file mode 100644
index 2fdb4c7..0000000
--- a/test/tpmclient/StartAuthSession.c
+++ /dev/null
@@ -1,185 +0,0 @@
-//**********************************************************************;
-// Copyright (c) 2015, Intel Corporation
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice,
-// this list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-// ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
-// LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-// SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-// CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
-// THE POSSIBILITY OF SUCH DAMAGE.
-//**********************************************************************;
-
-#include <stdlib.h>
-
-#include "tss2_sys.h"
-#include "sysapi_util.h"
-
-#include "tpmclient.int.h"
-#include "../integration/context-util.h"
-#include "../integration/sapi-util.h"
-#define LOGMODULE testtpmclient
-#include "util/log.h"
-
-void RollNonces(SESSION *session, TPM2B_NONCE *newNonce)
-{
- session->nonceOlder = session->nonceNewer;
- session->nonceNewer = *newNonce;
-}
-
-static SESSION *sessions = NULL;
-
-SESSION *
-get_session(TPMI_SH_AUTH_SESSION hndl)
-{
- SESSION *s;
-
- HASH_FIND_INT(sessions, &hndl, s);
- return s;
-}
-
-static TSS2_RC
-StartAuthSession(
- SESSION *session,
- TSS2_TCTI_CONTEXT *tctiContext)
-{
- TSS2_RC rval;
- TPM2B_ENCRYPTED_SECRET key;
- char label[] = "ATH";
- TSS2_SYS_CONTEXT *tmpSysContext;
- UINT16 bytes;
-
- key.size = 0;
-
- tmpSysContext = sapi_init_from_tcti_ctx(tctiContext);
- if (tmpSysContext == NULL)
- return TSS2_APP_RC_INIT_SYS_CONTEXT_FAILED;
-
- if (session->nonceOlder.size == 0)
- session->nonceOlder.size = GetDigestSize(session->authHash);
-
- memset(session->nonceOlder.buffer, '\0', session->nonceOlder.size);
- session->nonceNewer.size = session->nonceOlder.size;
- session->nonceTpmDecrypt.size = 0;
- session->nonceTpmEncrypt.size = 0;
- session->nvNameChanged = 0;
-
- rval = Tss2_Sys_StartAuthSession(
- tmpSysContext, session->tpmKey, session->bind, 0,
- &session->nonceOlder, &session->encryptedSalt,
- session->sessionType, &session->symmetric,
- session->authHash, &session->sessionHandle,
- &session->nonceNewer, 0);
- if (rval != TPM2_RC_SUCCESS)
- goto out;
-
- if (session->tpmKey == TPM2_RH_NULL)
- session->salt.size = 0;
-
- if (session->bind == TPM2_RH_NULL)
- session->authValueBind.size = 0;
-
- session->sessionKey.size = 0;
- if (session->tpmKey == TPM2_RH_NULL && session->bind == TPM2_RH_NULL)
- goto out;
-
- /* Generate the key used as input to the KDF. */
- rval = ConcatSizedByteBuffer((TPM2B_MAX_BUFFER *)&key,
- (TPM2B *)&session->authValueBind);
- if (rval != TPM2_RC_SUCCESS) {
- Tss2_Sys_FlushContext(tmpSysContext, session->sessionHandle);
- goto out;
- }
-
- rval = ConcatSizedByteBuffer((TPM2B_MAX_BUFFER *)&key,
- (TPM2B *)&session->salt);
- if (rval != TPM2_RC_SUCCESS) {
- Tss2_Sys_FlushContext(tmpSysContext, session->sessionHandle);
- goto out;
- }
-
- bytes = GetDigestSize(session->authHash) * 8;
-
- rval = KDFa(session->authHash, (TPM2B *)&key, label,
- (TPM2B *)&session->nonceNewer,
- (TPM2B *)&session->nonceOlder,
- bytes, (TPM2B_MAX_BUFFER *)&session->sessionKey);
-out:
- sapi_teardown(tmpSysContext);
- return rval;
-}
-
-TSS2_RC StartAuthSessionWithParams(
- SESSION **psession,
- TPMI_DH_OBJECT tpmKey,
- TPM2B_MAX_BUFFER *salt,
- TPMI_DH_ENTITY bind,
- TPM2B_AUTH *bindAuth,
- TPM2B_NONCE *nonceCaller,
- TPM2B_ENCRYPTED_SECRET *encryptedSalt,
- TPM2_SE sessionType,
- TPMT_SYM_DEF *symmetric,
- TPMI_ALG_HASH algId,
- TSS2_TCTI_CONTEXT *tctiContext)
-{
- TSS2_RC rval;
- SESSION *session, *tmp;
-
- if (psession == NULL)
- return TSS2_APP_RC_BAD_REFERENCE;
-
- session = calloc(1, sizeof(SESSION));
-
- if (!session)
- return TSS2_APP_ERROR(TSS2_BASE_RC_MEMORY);
-
- session->bind = bind;
- session->tpmKey = tpmKey;
- CopySizedByteBuffer((TPM2B *)&session->nonceOlder, (TPM2B *)nonceCaller);
- CopySizedByteBuffer((TPM2B *)&session->encryptedSalt, (TPM2B *)encryptedSalt);
- session->sessionType = sessionType;
- session->symmetric.algorithm = symmetric->algorithm;
- session->symmetric.keyBits.sym = symmetric->keyBits.sym;
- session->symmetric.mode.sym = symmetric->mode.sym;
- session->authHash = algId;
- if (bindAuth != NULL)
- CopySizedByteBuffer((TPM2B *)&session->authValueBind, (TPM2B *)bindAuth);
-
- if (session->tpmKey != TPM2_RH_NULL)
- CopySizedByteBuffer((TPM2B *)&session->salt, (TPM2B *)salt);
-
- rval = StartAuthSession(session, tctiContext);
- if (rval != TSS2_RC_SUCCESS) {
- free(session);
- return rval;
- }
- /* Make sure this session handle is not already in the table */
- HASH_FIND_INT(sessions, &session->sessionHandle, tmp);
- if (tmp)
- HASH_DEL(sessions, tmp);
-
- HASH_ADD_INT(sessions, sessionHandle, session);
- *psession = session;
- return TSS2_RC_SUCCESS;
-}
-
-void EndAuthSession(SESSION *session)
-{
- HASH_DEL(sessions, session);
- free(session);
-}
diff --git a/test/tpmclient/kdfa.c b/test/tpmclient/kdfa.c
deleted file mode 100644
index 18a37cf..0000000
--- a/test/tpmclient/kdfa.c
+++ /dev/null
@@ -1,99 +0,0 @@
-//**********************************************************************;
-// Copyright (c) 2015, Intel Corporation
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice,
-// this list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-// ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
-// LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-// SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-// CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
-// THE POSSIBILITY OF SUCH DAMAGE.
-//**********************************************************************;
-
-#include <stdio.h>
-#include <stdlib.h>
-
-#include "tss2_tpm2_types.h"
-#include "../integration/sapi-util.h"
-
-#include "tpmclient.int.h"
-#include "sysapi_util.h"
-#include "util/tss2_endian.h"
-#define LOGMODULE test
-#include "util/log.h"
-
-TSS2_RC KDFa(
- TPMI_ALG_HASH hashAlg,
- TPM2B *key,
- char *label,
- TPM2B *contextU,
- TPM2B *contextV,
- UINT16 bits,
- TPM2B_MAX_BUFFER *resultKey)
-{
- TPM2B_DIGEST digest;
- TPM2B_DIGEST tpm2bLabel, tpm2bBits, tpm2bi;
- TPM2B_DIGEST *bufferList[8];
- UINT32 val;
- TSS2_RC rval;
- int i, j;
- UINT16 bytes = bits / 8;
-
- resultKey->size = 0;
- tpm2bi.size = 4;
- tpm2bBits.size = 4;
- val = BE_TO_HOST_32(bits);
- memcpy(tpm2bBits.buffer, &val, 4);
- tpm2bLabel.size = strlen(label) + 1;
- memcpy(tpm2bLabel.buffer, label, tpm2bLabel.size);
-
- LOG_DEBUG("KDFA, hashAlg = %4.4x", hashAlg);
- LOGBLOB_DEBUG(&key->buffer[0], key->size, "KDFA, key =");
- LOGBLOB_DEBUG(&tpm2bLabel.buffer[0], tpm2bLabel.size, "KDFA, tpm2bLabel =");
- LOGBLOB_DEBUG(&contextU->buffer[0], contextU->size, "KDFA, contextU =");
- LOGBLOB_DEBUG(&contextV->buffer[0], contextV->size, "KDFA, contextV =");
-
- for (i = 1, j = 0; resultKey->size < bytes; j = 0) {
- val = BE_TO_HOST_32(i++);
- memcpy(tpm2bi.buffer, &val, 4);
- bufferList[j++] = (TPM2B_DIGEST *)&tpm2bi;
- bufferList[j++] = (TPM2B_DIGEST *)&tpm2bLabel;
- bufferList[j++] = (TPM2B_DIGEST *)contextU;
- bufferList[j++] = (TPM2B_DIGEST *)contextV;
- bufferList[j++] = (TPM2B_DIGEST *)&tpm2bBits;
- bufferList[j++] = NULL;
-
- for (j = 0; bufferList[j] != NULL; j++) {
- LOGBLOB_DEBUG(&bufferList[j]->buffer[0], bufferList[j]->size, "bufferlist[%d]:", j);
- ;
- }
-
- rval = hmac(hashAlg, key->buffer, key->size, bufferList, &digest);
- if (rval != TPM2_RC_SUCCESS) {
- LOGBLOB_ERROR(digest.buffer, digest.size, "HMAC Failed rval = %d", rval);
- return rval;
- }
-
- ConcatSizedByteBuffer(resultKey, (TPM2B *)&digest);
- }
-
- /* Truncate the result to the desired size. */
- resultKey->size = bytes;
- LOGBLOB_DEBUG(&resultKey->buffer[0], resultKey->size, "KDFA, resultKey = ");
- return TPM2_RC_SUCCESS;
-}
diff --git a/test/tpmclient/tpmclient.int.h b/test/tpmclient/tpmclient.int.h
index ae5dff3..387a635 100644
--- a/test/tpmclient/tpmclient.int.h
+++ b/test/tpmclient/tpmclient.int.h
@@ -38,6 +38,7 @@
#include "tss2_mu.h"
#include "tss2_sys.h"
#include "util/tpm2b.h"
+#include "../integration/session-util.h"
extern TSS2_TCTI_CONTEXT *resMgrTctiContext;
@@ -94,102 +95,9 @@
#define APPLICATION_HMAC_ERROR(i) \
( TSS2_APP_RC_LAYER + TPM2_RC_S + TPM2_RC_AUTH_FAIL + ( (i ) << 8 ) )
-typedef struct {
- // Inputs to StartAuthSession; these need to be saved
- // so that HMACs can be calculated.
- TPMI_DH_OBJECT tpmKey;
- TPMI_DH_ENTITY bind;
- TPM2B_ENCRYPTED_SECRET encryptedSalt;
- TPM2B_MAX_BUFFER salt;
- TPM2_SE sessionType;
- TPMT_SYM_DEF symmetric;
- TPMI_ALG_HASH authHash;
+TSS2_RC EncryptCommandParam(SESSION *session, TPM2B_MAX_BUFFER *encryptedData, TPM2B_MAX_BUFFER *clearData, TPM2B_AUTH *authValue );
- // Outputs from StartAuthSession; these also need
- // to be saved for calculating HMACs and
- // other session related functions.
- TPMI_SH_AUTH_SESSION sessionHandle;
- TPM2B_NONCE nonceTPM;
-
- // Internal state for the session
- TPM2B_DIGEST sessionKey;
- TPM2B_DIGEST authValueBind; // authValue of bind object
- TPM2B_NONCE nonceNewer;
- TPM2B_NONCE nonceOlder;
- TPM2B_NONCE nonceTpmDecrypt;
- TPM2B_NONCE nonceTpmEncrypt;
- TPM2B_NAME name; // Name of the object the session handle
- // points to. Used for computing HMAC for
- // any HMAC sessions present.
- //
- void *hmacPtr; // Pointer to HMAC field in the marshalled
- // data stream for the session.
- // This allows the function to calculate
- // and fill in the HMAC after marshalling
- // of all the inputs.
- //
- // This is only used if the session is an
- // HMAC session.
- //
- UINT8 nvNameChanged; // Used for some special case code
- // dealing with the NV written state.
- UT_hash_handle hh;
-} SESSION;
-
-typedef struct{
- TPM2_HANDLE entityHandle;
- TPM2B_AUTH entityAuth;
- UT_hash_handle hh;
-} ENTITY;
-
-int AddEntity(TPM2_HANDLE entityHandle, TPM2B_AUTH *auth);
-void DeleteEntity(TPM2_HANDLE entityHandle);
-int GetEntityAuth(TPM2_HANDLE entityHandle, TPM2B_AUTH *auth);
-ENTITY *GetEntity(TPM2_HANDLE entityHandle);
-
-void
-EndAuthSession(SESSION *session);
-
-SESSION *
-get_session(TPMI_SH_AUTH_SESSION hndl);
-
-TSS2_RC ComputeCommandHmacs(
- TSS2_SYS_CONTEXT *sysContext,
- TPM2_HANDLE handle1,
- TPM2_HANDLE handle2,
- TPM2_HANDLE handle3,
- TSS2L_SYS_AUTH_COMMAND *pSessionsDataIn);
-
-TSS2_RC CheckResponseHMACs(
- TSS2_SYS_CONTEXT *sysContext,
- TSS2L_SYS_AUTH_COMMAND *pSessionsDataIn,
- TPM2_HANDLE handle1,
- TPM2_HANDLE handle2,
- TPM2_HANDLE handle3,
- TSS2L_SYS_AUTH_RESPONSE *pSessionsDataOut);
-
-TSS2_RC
-StartAuthSessionWithParams(
- SESSION **session,
- TPMI_DH_OBJECT tpmKey,
- TPM2B_MAX_BUFFER *salt,
- TPMI_DH_ENTITY bind,
- TPM2B_AUTH *bindAuth,
- TPM2B_NONCE *nonceCaller,
- TPM2B_ENCRYPTED_SECRET *encryptedSalt,
- TPM2_SE sessionType,
- TPMT_SYM_DEF *symmetric,
- TPMI_ALG_HASH algId,
- TSS2_TCTI_CONTEXT *tctiContext);
-
-TSS2_RC EncryptCommandParam( SESSION *session, TPM2B_MAX_BUFFER *encryptedData, TPM2B_MAX_BUFFER *clearData, TPM2B_AUTH *authValue );
-
-TSS2_RC DecryptResponseParam( SESSION *session, TPM2B_MAX_BUFFER *clearData, TPM2B_MAX_BUFFER *encryptedData, TPM2B_AUTH *authValue );
-
-TSS2_RC KDFa( TPMI_ALG_HASH hashAlg, TPM2B *key, char *label, TPM2B *contextU, TPM2B *contextV,
- UINT16 bits, TPM2B_MAX_BUFFER *resultKey );
-
-void RollNonces( SESSION *session, TPM2B_NONCE *newNonce );
+TSS2_RC DecryptResponseParam(SESSION *session, TPM2B_MAX_BUFFER *clearData, TPM2B_MAX_BUFFER *encryptedData, TPM2B_AUTH *authValue );
#define INIT_SIMPLE_TPM2B_SIZE(type) (type).size = sizeof(type) - 2;