Home | History | Annotate | Download | only in tpm2
      1 // This file was extracted from the TCG Published
      2 // Trusted Platform Module Library
      3 // Part 4: Supporting Routines
      4 // Family "2.0"
      5 // Level 00 Revision 01.16
      6 // October 30, 2014
      7 
      8 #include        "TPM_Types.h"
      9 #include        "CryptoEngine.h"        // types shared by CryptUtil and CryptoEngine.
     10                                        // Includes the function prototypes for the
     11                                        // CryptoEngine functions.
     12 #include        "Global.h"
     13 #include        "InternalRoutines.h"
     14 #include        "MemoryLib_fp.h"
     15 //#include        "CryptSelfTest_fp.h"
     16 //
     17 //
     18 //     10.2.2     TranslateCryptErrors()
     19 //
     20 //     This function converts errors from the cryptographic library into TPM_RC_VALUES.
     21 //
     22 //     Error Returns                     Meaning
     23 //
     24 //     TPM_RC_VALUE                      CRYPT_FAIL
     25 //     TPM_RC_NO_RESULT                  CRYPT_NO_RESULT
     26 //     TPM_RC_SCHEME                     CRYPT_SCHEME
     27 //     TPM_RC_VALUE                      CRYPT_PARAMETER
     28 //     TPM_RC_SIZE                       CRYPT_UNDERFLOW
     29 //     TPM_RC_ECC_POINT                  CRYPT_POINT
     30 //     TPM_RC_CANCELLED                  CRYPT_CANCEL
     31 //
     32 static TPM_RC
     33 TranslateCryptErrors (
     34       CRYPT_RESULT            retVal                 // IN: crypt error to evaluate
     35 )
     36 {
     37       switch (retVal)
     38       {
     39       case CRYPT_SUCCESS:
     40           return TPM_RC_SUCCESS;
     41       case CRYPT_FAIL:
     42           return TPM_RC_VALUE;
     43       case CRYPT_NO_RESULT:
     44           return TPM_RC_NO_RESULT;
     45       case CRYPT_SCHEME:
     46           return TPM_RC_SCHEME;
     47       case CRYPT_PARAMETER:
     48           return TPM_RC_VALUE;
     49       case CRYPT_UNDERFLOW:
     50           return TPM_RC_SIZE;
     51       case CRYPT_POINT:
     52           return TPM_RC_ECC_POINT;
     53       case CRYPT_CANCEL:
     54        return TPM_RC_CANCELED;
     55    default: // Other unknown warnings
     56        return TPM_RC_FAILURE;
     57    }
     58 }
     59 //
     60 //
     61 //     10.2.3     Random Number Generation Functions
     62 //
     63 #ifdef TPM_ALG_NULL //%
     64 #ifdef _DRBG_STATE_SAVE //%
     65 //
     66 //
     67 //     10.2.3.1    CryptDrbgGetPutState()
     68 //
     69 //     Read or write the current state from the DRBG in the cryptoEngine.
     70 //
     71 void
     72 CryptDrbgGetPutState(
     73    GET_PUT              direction         // IN: Get from or put to DRBG
     74    )
     75 {
     76    _cpri__DrbgGetPutState(direction,
     77                           sizeof(go.drbgState),
     78                           (BYTE *)&go.drbgState);
     79 }
     80 #else   //% 00
     81 //%#define CryptDrbgGetPutState(ignored)            // If not doing state save, turn this
     82 //%                                                  // into a null macro
     83 #endif //%
     84 //
     85 //
     86 //     10.2.3.2    CryptStirRandom()
     87 //
     88 //     Stir random entropy
     89 //
     90 void
     91 CryptStirRandom(
     92    UINT32               entropySize,      // IN: size of entropy buffer
     93    BYTE                *buffer            // IN: entropy buffer
     94    )
     95 {
     96    // RNG self testing code may be inserted here
     97    // Call crypto engine random number stirring function
     98    _cpri__StirRandom(entropySize, buffer);
     99    return;
    100 }
    101 //
    102 //
    103 //     10.2.3.3    CryptGenerateRandom()
    104 //
    105 //     This is the interface to _cpri__GenerateRandom().
    106 //
    107 UINT16
    108 CryptGenerateRandom(
    109    UINT16               randomSize,       // IN: size of random number
    110    BYTE                *buffer            // OUT: buffer of random number
    111    )
    112 {
    113    UINT16               result;
    114    pAssert(randomSize <= MAX_RSA_KEY_BYTES || randomSize <= PRIMARY_SEED_SIZE);
    115    if(randomSize == 0)
    116           return 0;
    117     // Call crypto engine random number generation
    118     result = _cpri__GenerateRandom(randomSize, buffer);
    119     if(result != randomSize)
    120         FAIL(FATAL_ERROR_INTERNAL);
    121    return result;
    122 }
    123 #endif //TPM_ALG_NULL //%
    124 //
    125 //
    126 //      10.2.4     Hash/HMAC Functions
    127 //
    128 //      10.2.4.1    CryptGetContextAlg()
    129 //
    130 //      This function returns the hash algorithm associated with a hash context.
    131 //
    132 #ifdef TPM_ALG_KEYEDHASH                 //% 1
    133 TPM_ALG_ID
    134 CryptGetContextAlg(
    135     void                *state                // IN: the context to check
    136     )
    137 {
    138     HASH_STATE *context = (HASH_STATE *)state;
    139     return _cpri__GetContextAlg(&context->state);
    140 }
    141 //
    142 //
    143 //      10.2.4.2    CryptStartHash()
    144 //
    145 //      This function starts a hash and return the size, in bytes, of the digest.
    146 //
    147 //      Return Value                      Meaning
    148 //
    149 //      >0                                the digest size of the algorithm
    150 //      =0                                the hashAlg was TPM_ALG_NULL
    151 //
    152 UINT16
    153 CryptStartHash(
    154     TPMI_ALG_HASH        hashAlg,             // IN: hash algorithm
    155     HASH_STATE          *hashState            // OUT: the state of hash stack. It will be used
    156                                               //     in hash update and completion
    157     )
    158 {
    159     CRYPT_RESULT            retVal = 0;
    160     pAssert(hashState != NULL);
    161     TEST_HASH(hashAlg);
    162     hashState->type = HASH_STATE_EMPTY;
    163     // Call crypto engine start hash function
    164     if((retVal = _cpri__StartHash(hashAlg, FALSE, &hashState->state)) > 0)
    165         hashState->type = HASH_STATE_HASH;
    166     return retVal;
    167 }
    168 //
    169 //
    170 //
    171 //      10.2.4.3    CryptStartHashSequence()
    172 //
    173 //      Start a hash stack for a sequence object and return the size, in bytes, of the digest. This call uses the
    174 //      form of the hash state that requires context save and restored.
    175 //
    176 //      Return Value                    Meaning
    177 //
    178 //      >0                              the digest size of the algorithm
    179 //      =0                              the hashAlg was TPM_ALG_NULL
    180 //
    181 UINT16
    182 CryptStartHashSequence(
    183     TPMI_ALG_HASH       hashAlg,            // IN: hash algorithm
    184     HASH_STATE         *hashState           // OUT: the state of hash stack. It will be used
    185                                             //     in hash update and completion
    186     )
    187 {
    188     CRYPT_RESULT      retVal = 0;
    189     pAssert(hashState != NULL);
    190     TEST_HASH(hashAlg);
    191     hashState->type = HASH_STATE_EMPTY;
    192     // Call crypto engine start hash function
    193     if((retVal = _cpri__StartHash(hashAlg, TRUE, &hashState->state)) > 0)
    194         hashState->type = HASH_STATE_HASH;
    195     return retVal;
    196 }
    197 //
    198 //
    199 //      10.2.4.4    CryptStartHMAC()
    200 //
    201 //      This function starts an HMAC sequence and returns the size of the digest that will be produced.
    202 //      The caller must provide a block of memory in which the hash sequence state is kept. The caller should
    203 //      not alter the contents of this buffer until the hash sequence is completed or abandoned.
    204 //
    205 //      Return Value                    Meaning
    206 //
    207 //      >0                              the digest size of the algorithm
    208 //      =0                              the hashAlg was TPM_ALG_NULL
    209 //
    210 UINT16
    211 CryptStartHMAC(
    212     TPMI_ALG_HASH       hashAlg,            //   IN: hash algorithm
    213     UINT16              keySize,            //   IN: the size of HMAC key in byte
    214     BYTE               *key,                //   IN: HMAC key
    215     HMAC_STATE         *hmacState           //   OUT: the state of HMAC stack. It will be used
    216                                             //       in HMAC update and completion
    217     )
    218 {
    219     HASH_STATE         *hashState = (HASH_STATE *)hmacState;
    220     CRYPT_RESULT       retVal;
    221     // This has to come before the pAssert in case we             all calling this function
    222     // during testing. If so, the first instance will             have no arguments but the
    223     // hash algorithm. The call from the test routine             will have arguments. When
    224     // the second call is done, then we return to the             test dispatcher.
    225     TEST_HASH(hashAlg);
    226     pAssert(hashState != NULL);
    227     hashState->type = HASH_STATE_EMPTY;
    228     if((retVal =    _cpri__StartHMAC(hashAlg, FALSE, &hashState->state, keySize, key,
    229                                      &hmacState->hmacKey.b)) > 0)
    230           hashState->type = HASH_STATE_HMAC;
    231     return retVal;
    232 }
    233 //
    234 //
    235 //      10.2.4.5    CryptStartHMACSequence()
    236 //
    237 //      This function starts an HMAC sequence and returns the size of the digest that will be produced.
    238 //      The caller must provide a block of memory in which the hash sequence state is kept. The caller should
    239 //      not alter the contents of this buffer until the hash sequence is completed or abandoned.
    240 //      This call is used to start a sequence HMAC that spans multiple TPM commands.
    241 //
    242 //      Return Value                      Meaning
    243 //
    244 //      >0                                the digest size of the algorithm
    245 //      =0                                the hashAlg was TPM_ALG_NULL
    246 //
    247 UINT16
    248 CryptStartHMACSequence(
    249     TPMI_ALG_HASH       hashAlg,              //   IN: hash algorithm
    250     UINT16              keySize,              //   IN: the size of HMAC key in byte
    251     BYTE               *key,                  //   IN: HMAC key
    252     HMAC_STATE         *hmacState             //   OUT: the state of HMAC stack. It will be used
    253                                               //       in HMAC update and completion
    254     )
    255 {
    256     HASH_STATE         *hashState = (HASH_STATE *)hmacState;
    257     CRYPT_RESULT       retVal;
    258     TEST_HASH(hashAlg);
    259     hashState->type = HASH_STATE_EMPTY;
    260     if((retVal =    _cpri__StartHMAC(hashAlg, TRUE, &hashState->state,
    261                                      keySize, key, &hmacState->hmacKey.b)) > 0)
    262           hashState->type = HASH_STATE_HMAC;
    263     return retVal;
    264 }
    265 //
    266 //
    267 //      10.2.4.6    CryptStartHMAC2B()
    268 //
    269 //      This function starts an HMAC and returns the size of the digest that will be produced.
    270 //      This function is provided to support the most common use of starting an HMAC with a TPM2B key.
    271 //      The caller must provide a block of memory in which the hash sequence state is kept. The caller should
    272 //      not alter the contents of this buffer until the hash sequence is completed or abandoned.
    273 //
    274 //
    275 //
    276 //
    277 //      Return Value                    Meaning
    278 //
    279 //      >0                              the digest size of the algorithm
    280 //      =0                              the hashAlg was TPM_ALG_NULL
    281 //
    282 LIB_EXPORT UINT16
    283 CryptStartHMAC2B(
    284     TPMI_ALG_HASH       hashAlg,            // IN: hash algorithm
    285     TPM2B              *key,                // IN: HMAC key
    286     HMAC_STATE         *hmacState           // OUT: the state of HMAC stack. It will be used
    287                                             //     in HMAC update and completion
    288     )
    289 {
    290     return CryptStartHMAC(hashAlg, key->size, key->buffer, hmacState);
    291 }
    292 //
    293 //
    294 //      10.2.4.7    CryptStartHMACSequence2B()
    295 //
    296 //      This function starts an HMAC sequence and returns the size of the digest that will be produced.
    297 //      This function is provided to support the most common use of starting an HMAC with a TPM2B key.
    298 //      The caller must provide a block of memory in which the hash sequence state is kept. The caller should
    299 //      not alter the contents of this buffer until the hash sequence is completed or abandoned.
    300 //
    301 //      Return Value                    Meaning
    302 //
    303 //      >0                              the digest size of the algorithm
    304 //      =0                              the hashAlg was TPM_ALG_NULL
    305 //
    306 UINT16
    307 CryptStartHMACSequence2B(
    308     TPMI_ALG_HASH       hashAlg,            // IN: hash algorithm
    309     TPM2B              *key,                // IN: HMAC key
    310     HMAC_STATE         *hmacState           // OUT: the state of HMAC stack. It will be used
    311                                             //     in HMAC update and completion
    312     )
    313 {
    314     return CryptStartHMACSequence(hashAlg, key->size, key->buffer, hmacState);
    315 }
    316 //
    317 //
    318 //      10.2.4.8    CryptUpdateDigest()
    319 //
    320 //      This function updates a digest (hash or HMAC) with an array of octets.
    321 //      This function can be used for both HMAC and hash functions so the digestState is void so that either
    322 //      state type can be passed.
    323 //
    324 LIB_EXPORT void
    325 CryptUpdateDigest(
    326     void               *digestState,        // IN: the state of hash stack
    327     UINT32              dataSize,           // IN: the size of data
    328     BYTE               *data                // IN: data to be hashed
    329     )
    330 {
    331     HASH_STATE         *hashState = (HASH_STATE *)digestState;
    332     pAssert(digestState != NULL);
    333     if(hashState->type != HASH_STATE_EMPTY && data != NULL && dataSize != 0)
    334     {
    335           // Call crypto engine update hash function
    336           _cpri__UpdateHash(&hashState->state, dataSize, data);
    337     }
    338     return;
    339 }
    340 //
    341 //
    342 //      10.2.4.9     CryptUpdateDigest2B()
    343 //
    344 //      This function updates a digest (hash or HMAC) with a TPM2B.
    345 //      This function can be used for both HMAC and hash functions so the digestState is void so that either
    346 //      state type can be passed.
    347 //
    348 LIB_EXPORT void
    349 CryptUpdateDigest2B(
    350     void                *digestState,       // IN: the digest state
    351     TPM2B               *bIn                // IN: 2B containing the data
    352     )
    353 {
    354     // Only compute the digest if a pointer to the 2B is provided.
    355     // In CryptUpdateDigest(), if size is zero or buffer is NULL, then no change
    356     // to the digest occurs. This function should not provide a buffer if bIn is
    357     // not provided.
    358     if(bIn != NULL)
    359         CryptUpdateDigest(digestState, bIn->size, bIn->buffer);
    360     return;
    361 }
    362 //
    363 //
    364 //      10.2.4.10 CryptUpdateDigestInt()
    365 //
    366 //      This function is used to include an integer value to a hash stack. The function marshals the integer into its
    367 //      canonical form before calling CryptUpdateHash().
    368 //
    369 LIB_EXPORT void
    370 CryptUpdateDigestInt(
    371     void                *state,             // IN: the state of hash stack
    372     UINT32               intSize,           // IN: the size of 'intValue' in byte
    373     void                *intValue           // IN: integer value to be hashed
    374     )
    375 {
    376 #if BIG_ENDIAN_TPM == YES
    377    pAssert(    intValue != NULL && (intSize == 1 || intSize == 2
    378            || intSize == 4 || intSize == 8));
    379    CryptUpdateHash(state, inSize, (BYTE *)intValue);
    380 #else
    381     BYTE        marshalBuffer[8];
    382     // Point to the big end of an little-endian value
    383     BYTE        *p = &((BYTE *)intValue)[intSize - 1];
    384     // Point to the big end of an big-endian value
    385     BYTE        *q = marshalBuffer;
    386     pAssert(intValue != NULL);
    387     switch (intSize)
    388     {
    389     case 8:
    390         *q++ = *p--;
    391         *q++ = *p--;
    392         *q++ = *p--;
    393         *q++ = *p--;
    394     case 4:
    395         *q++ = *p--;
    396          *q++ = *p--;
    397      case 2:
    398          *q++ = *p--;
    399      case 1:
    400          *q = *p;
    401          // Call update the hash
    402          CryptUpdateDigest(state, intSize, marshalBuffer);
    403          break;
    404      default:
    405          FAIL(0);
    406      }
    407 #endif
    408    return;
    409 }
    410 //
    411 //
    412 //      10.2.4.11 CryptCompleteHash()
    413 //
    414 //      This function completes a hash sequence and returns the digest.
    415 //      This function can be called to complete either an HMAC or hash sequence. The state type determines if
    416 //      the context type is a hash or HMAC. If an HMAC, then the call is forwarded to CryptCompleteHash().
    417 //      If digestSize is smaller than the digest size of hash/HMAC algorithm, the most significant bytes of
    418 //      required size will be returned
    419 //
    420 //      Return Value                     Meaning
    421 //
    422 //      >=0                              the number of bytes placed in digest
    423 //
    424 LIB_EXPORT UINT16
    425 CryptCompleteHash(
    426      void               *state,             // IN: the state of hash stack
    427      UINT16              digestSize,        // IN: size of digest buffer
    428      BYTE               *digest             // OUT: hash digest
    429      )
    430 {
    431      HASH_STATE         *hashState = (HASH_STATE *)state;              // local value
    432      // If the session type is HMAC, then could forward this to
    433      // the HMAC processing and not cause an error. However, if no
    434      // function calls this routine to forward it, then we can't get
    435      // test coverage. The decision is to assert if this is called with
    436      // the type == HMAC and fix anything that makes the wrong call.
    437      pAssert(hashState->type == HASH_STATE_HASH);
    438      // Set the state to empty so that it doesn't get used again
    439      hashState->type = HASH_STATE_EMPTY;
    440      // Call crypto engine complete hash function
    441      return     _cpri__CompleteHash(&hashState->state, digestSize, digest);
    442 }
    443 //
    444 //
    445 //      10.2.4.12 CryptCompleteHash2B()
    446 //
    447 //      This function is the same as CypteCompleteHash() but the digest is placed in a TPM2B. This is the most
    448 //      common use and this is provided for specification clarity. 'digest.size' should be set to indicate the number
    449 //      of bytes to place in the buffer
    450 //
    451 //
    452 //
    453 //
    454 //      Return Value                      Meaning
    455 //
    456 //      >=0                               the number of bytes placed in 'digest.buffer'
    457 //
    458 LIB_EXPORT UINT16
    459 CryptCompleteHash2B(
    460      void               *state,               // IN: the state of hash stack
    461      TPM2B              *digest               // IN: the size of the buffer Out: requested
    462                                               //     number of byte
    463      )
    464 {
    465      UINT16                  retVal = 0;
    466      if(digest != NULL)
    467          retVal = CryptCompleteHash(state, digest->size, digest->buffer);
    468      return retVal;
    469 }
    470 //
    471 //
    472 //      10.2.4.13 CryptHashBlock()
    473 //
    474 //      Hash a block of data and return the results. If the digest is larger than retSize, it is truncated and with the
    475 //      least significant octets dropped.
    476 //
    477 //      Return Value                      Meaning
    478 //
    479 //      >=0                               the number of bytes placed in ret
    480 //
    481 LIB_EXPORT UINT16
    482 CryptHashBlock(
    483      TPM_ALG_ID          algId,               //   IN: the hash algorithm to use
    484      UINT16              blockSize,           //   IN: size of the data block
    485      BYTE               *block,               //   IN: address of the block to hash
    486      UINT16              retSize,             //   IN: size of the return buffer
    487      BYTE               *ret                  //   OUT: address of the buffer
    488      )
    489 {
    490      TEST_HASH(algId);
    491      return _cpri__HashBlock(algId, blockSize, block, retSize, ret);
    492 }
    493 //
    494 //
    495 //      10.2.4.14 CryptCompleteHMAC()
    496 //
    497 //      This function completes a HMAC sequence and returns the digest. If digestSize is smaller than the digest
    498 //      size of the HMAC algorithm, the most significant bytes of required size will be returned.
    499 //
    500 //      Return Value                      Meaning
    501 //
    502 //      >=0                               the number of bytes placed in digest
    503 //
    504 LIB_EXPORT UINT16
    505 CryptCompleteHMAC(
    506      HMAC_STATE         *hmacState,           // IN: the state of HMAC stack
    507      UINT32              digestSize,          // IN: size of digest buffer
    508      BYTE               *digest               // OUT: HMAC digest
    509      )
    510 {
    511      HASH_STATE         *hashState;
    512      pAssert(hmacState != NULL);
    513      hashState = &hmacState->hashState;
    514      pAssert(hashState->type == HASH_STATE_HMAC);
    515      hashState->type = HASH_STATE_EMPTY;
    516      return _cpri__CompleteHMAC(&hashState->state, &hmacState->hmacKey.b,
    517                                 digestSize, digest);
    518 }
    519 //
    520 //
    521 //      10.2.4.15 CryptCompleteHMAC2B()
    522 //
    523 //      This function is the same as CryptCompleteHMAC() but the HMAC result is returned in a TPM2B which is
    524 //      the most common use.
    525 //
    526 //      Return Value                     Meaning
    527 //
    528 //      >=0                              the number of bytes placed in digest
    529 //
    530 LIB_EXPORT UINT16
    531 CryptCompleteHMAC2B(
    532      HMAC_STATE         *hmacState,           // IN: the state of HMAC stack
    533      TPM2B              *digest               // OUT: HMAC
    534      )
    535 {
    536      UINT16               retVal = 0;
    537      if(digest != NULL)
    538          retVal = CryptCompleteHMAC(hmacState, digest->size, digest->buffer);
    539      return retVal;
    540 }
    541 //
    542 //
    543 //      10.2.4.16 CryptHashStateImportExport()
    544 //
    545 //      This function is used to prepare a hash state context for LIB_EXPORT or to import it into the internal
    546 //      format. It is used by TPM2_ContextSave() and TPM2_ContextLoad() via SequenceDataImportExport().
    547 //      This is just a pass-through function to the crypto library.
    548 //
    549 void
    550 CryptHashStateImportExport(
    551      HASH_STATE         *internalFmt,         // IN: state to LIB_EXPORT
    552      HASH_STATE         *externalFmt,         // OUT: exported state
    553      IMPORT_EXPORT       direction
    554      )
    555 {
    556      _cpri__ImportExportHashState(&internalFmt->state,
    557                                   (EXPORT_HASH_STATE *)&externalFmt->state,
    558                                   direction);
    559 }
    560 //
    561 //
    562 //      10.2.4.17 CryptGetHashDigestSize()
    563 //
    564 //      This function returns the digest size in bytes for a hash algorithm.
    565 //
    566 //      Return Value                     Meaning
    567 //
    568 //      0                                digest size for TPM_ALG_NULL
    569 //      >0                               digest size
    570 //
    571 LIB_EXPORT UINT16
    572 CryptGetHashDigestSize(
    573     TPM_ALG_ID           hashAlg              // IN: hash algorithm
    574     )
    575 {
    576     return _cpri__GetDigestSize(hashAlg);
    577 }
    578 //
    579 //
    580 //      10.2.4.18 CryptGetHashBlockSize()
    581 //
    582 //      Get the digest size in byte of a hash algorithm.
    583 //
    584 //      Return Value                      Meaning
    585 //
    586 //      0                                 block size for TPM_ALG_NULL
    587 //      >0                                block size
    588 //
    589 LIB_EXPORT UINT16
    590 CryptGetHashBlockSize(
    591     TPM_ALG_ID           hash                 // IN: hash algorithm to look up
    592     )
    593 {
    594     return _cpri__GetHashBlockSize(hash);
    595 }
    596 //
    597 //
    598 //      10.2.4.19 CryptGetHashAlgByIndex()
    599 //
    600 //      This function is used to iterate through the hashes. TPM_ALG_NULL is returned for all indexes that are
    601 //      not valid hashes. If the TPM implements 3 hashes, then an index value of 0 will return the first
    602 //      implemented hash and an index value of 2 will return the last implemented hash. All other index values
    603 //      will return TPM_ALG_NULL.
    604 //
    605 //      Return Value                      Meaning
    606 //
    607 //      TPM_ALG_xxx()                     a hash algorithm
    608 //      TPM_ALG_NULL                      this can be used as a stop value
    609 //
    610 LIB_EXPORT TPM_ALG_ID
    611 CryptGetHashAlgByIndex(
    612     UINT32               index                // IN: the index
    613     )
    614 {
    615     return _cpri__GetHashAlgByIndex(index);
    616 }
    617 //
    618 //
    619 //      10.2.4.20 CryptSignHMAC()
    620 //
    621 //      Sign a digest using an HMAC key. This an HMAC of a digest, not an HMAC of a message.
    622 //
    623 //      Error Returns                     Meaning
    624 //
    625 static TPM_RC
    626 CryptSignHMAC(
    627     OBJECT                   *signKey,              //   IN: HMAC key sign the hash
    628     TPMT_SIG_SCHEME          *scheme,               //   IN: signing scheme
    629     TPM2B_DIGEST             *hashData,             //   IN: hash to be signed
    630     TPMT_SIGNATURE           *signature             //   OUT: signature
    631     )
    632 {
    633 //
    634    HMAC_STATE           hmacState;
    635    UINT32               digestSize;
    636    // HMAC algorithm self testing code may be inserted here
    637    digestSize = CryptStartHMAC2B(scheme->details.hmac.hashAlg,
    638                                  &signKey->sensitive.sensitive.bits.b,
    639                                  &hmacState);
    640    // The hash algorithm must be a valid one.
    641    pAssert(digestSize > 0);
    642    CryptUpdateDigest2B(&hmacState, &hashData->b);
    643    CryptCompleteHMAC(&hmacState, digestSize,
    644                      (BYTE *) &signature->signature.hmac.digest);
    645    // Set HMAC algorithm
    646    signature->signature.hmac.hashAlg = scheme->details.hmac.hashAlg;
    647    return TPM_RC_SUCCESS;
    648 }
    649 //
    650 //
    651 //      10.2.4.21 CryptHMACVerifySignature()
    652 //
    653 //      This function will verify a signature signed by a HMAC key.
    654 //
    655 //      Error Returns                   Meaning
    656 //
    657 //      TPM_RC_SIGNATURE                if invalid input or signature is not genuine
    658 //
    659 static TPM_RC
    660 CryptHMACVerifySignature(
    661    OBJECT              *signKey,            // IN: HMAC key signed the hash
    662    TPM2B_DIGEST        *hashData,           // IN: digest being verified
    663    TPMT_SIGNATURE      *signature           // IN: signature to be verified
    664    )
    665 {
    666    HMAC_STATE                hmacState;
    667    TPM2B_DIGEST              digestToCompare;
    668    digestToCompare.t.size = CryptStartHMAC2B(signature->signature.hmac.hashAlg,
    669                             &signKey->sensitive.sensitive.bits.b, &hmacState);
    670    CryptUpdateDigest2B(&hmacState, &hashData->b);
    671    CryptCompleteHMAC2B(&hmacState, &digestToCompare.b);
    672    // Compare digest
    673    if(MemoryEqual(digestToCompare.t.buffer,
    674                   (BYTE *) &signature->signature.hmac.digest,
    675                   digestToCompare.t.size))
    676        return TPM_RC_SUCCESS;
    677    else
    678        return TPM_RC_SIGNATURE;
    679 }
    680 //
    681 //
    682 //      10.2.4.22 CryptGenerateKeyedHash()
    683 //
    684 //      This function creates a keyedHash object.
    685 //
    686 //
    687 //
    688 //      Error Returns                     Meaning
    689 //
    690 //      TPM_RC_SIZE                       sensitive data size is larger than allowed for the scheme
    691 //
    692 static TPM_RC
    693 CryptGenerateKeyedHash(
    694    TPMT_PUBLIC                    *publicArea,                //   IN/OUT: the public area template
    695                                                               //       for the new key.
    696    TPMS_SENSITIVE_CREATE          *sensitiveCreate,           //   IN: sensitive creation data
    697    TPMT_SENSITIVE                 *sensitive,                 //   OUT: sensitive area
    698    TPM_ALG_ID                      kdfHashAlg,                //   IN: algorithm for the KDF
    699    TPM2B_SEED                     *seed,                      //   IN: the seed
    700    TPM2B_NAME                     *name                       //   IN: name of the object
    701    )
    702 {
    703    TPMT_KEYEDHASH_SCHEME          *scheme;
    704    TPM_ALG_ID                      hashAlg;
    705    UINT16                          hashBlockSize;
    706    scheme = &publicArea->parameters.keyedHashDetail.scheme;
    707    pAssert(publicArea->type == TPM_ALG_KEYEDHASH);
    708    // Pick the limiting hash algorithm
    709    if(scheme->scheme == TPM_ALG_NULL)
    710        hashAlg = publicArea->nameAlg;
    711    else if(scheme->scheme == TPM_ALG_XOR)
    712        hashAlg = scheme->details.xor_.hashAlg;
    713    else
    714        hashAlg = scheme->details.hmac.hashAlg;
    715    hashBlockSize = CryptGetHashBlockSize(hashAlg);
    716    // if this is a signing or a decryption key, then then the limit
    717    // for the data size is the block size of the hash. This limit
    718    // is set because larger values have lower entropy because of the
    719    // HMAC function.
    720    if(publicArea->objectAttributes.sensitiveDataOrigin == CLEAR)
    721    {
    722        if(    (    publicArea->objectAttributes.decrypt
    723                 || publicArea->objectAttributes.sign)
    724            && sensitiveCreate->data.t.size > hashBlockSize)
    725            return TPM_RC_SIZE;
    726    }
    727    else
    728    {
    729        // If the TPM is going to generate the data, then set the size to be the
    730        // size of the digest of the algorithm
    731        sensitive->sensitive.sym.t.size = CryptGetHashDigestSize(hashAlg);
    732        sensitiveCreate->data.t.size = 0;
    733    }
    734    // Fill in the sensitive area
    735    CryptGenerateNewSymmetric(sensitiveCreate, sensitive, kdfHashAlg,
    736                              seed, name);
    737    // Create unique area in public
    738    CryptComputeSymmetricUnique(publicArea->nameAlg,
    739                                sensitive, &publicArea->unique.sym);
    740    return TPM_RC_SUCCESS;
    741 }
    742 //
    743 //
    744 //      10.2.4.25 KDFa()
    745 //
    746 //      This function is used by functions outside of CryptUtil() to access _cpri_KDFa().
    747 //
    748 void
    749 KDFa(
    750    TPM_ALG_ID           hash,              //   IN: hash algorithm used in HMAC
    751    TPM2B               *key,               //   IN: HMAC key
    752    const char          *label,             //   IN: a null-terminated label for KDF
    753    TPM2B               *contextU,          //   IN: context U
    754    TPM2B               *contextV,          //   IN: context V
    755    UINT32               sizeInBits,        //   IN: size of generated key in bit
    756    BYTE                *keyStream,         //   OUT: key buffer
    757    UINT32              *counterInOut       //   IN/OUT: caller may provide the iteration
    758                                            //       counter for incremental operations to
    759                                            //       avoid large intermediate buffers.
    760    )
    761 {
    762    CryptKDFa(hash, key, label, contextU, contextV, sizeInBits,
    763              keyStream, counterInOut);
    764 }
    765 #endif //TPM_ALG_KEYEDHASH     //% 1
    766 //
    767 //
    768 //      10.2.5     RSA Functions
    769 //
    770 //      10.2.5.1    BuildRSA()
    771 //
    772 //      Function to set the cryptographic elements of an RSA key into a structure to simplify the interface to
    773 //      _cpri__ RSA function. This can/should be eliminated by building this structure into the object structure.
    774 //
    775 #ifdef TPM_ALG_RSA                 //% 2
    776 static void
    777 BuildRSA(
    778    OBJECT              *rsaKey,
    779    RSA_KEY             *key
    780    )
    781 {
    782    key->exponent = rsaKey->publicArea.parameters.rsaDetail.exponent;
    783    if(key->exponent == 0)
    784        key->exponent = RSA_DEFAULT_PUBLIC_EXPONENT;
    785    key->publicKey = &rsaKey->publicArea.unique.rsa.b;
    786    if(rsaKey->attributes.publicOnly || rsaKey->privateExponent.t.size == 0)
    787        key->privateKey = NULL;
    788    else
    789        key->privateKey = &(rsaKey->privateExponent.b);
    790 }
    791 //
    792 //
    793 //      10.2.5.2    CryptTestKeyRSA()
    794 //
    795 //      This function provides the interface to _cpri__TestKeyRSA(). If both p and q are provided, n will be set to
    796 //      p*q.
    797 //      If only p is provided, q is computed by q = n/p. If n mod p != 0, TPM_RC_BINDING is returned.
    798 //      The key is validated by checking that a d can be found such that e d mod ((p-1)*(q-1)) = 1. If d is found
    799 //      that satisfies this requirement, it will be placed in d.
    800 //      Page 286                                     TCG Published                                   Family "2.0"
    801 //      October 30, 2014                     Copyright  TCG 2006-2014                  Level 00 Revision 01.16
    802 //      Part 4: Supporting Routines                                                    Trusted Platform Module Library
    804 //
    805 //
    806 //      Error Returns                   Meaning
    807 //
    808 //      TPM_RC_BINDING                  the public and private portions of the key are not matched
    809 //
    810 TPM_RC
    811 CryptTestKeyRSA(
    812    TPM2B              *d,                   //   OUT: receives the private exponent
    813    UINT32              e,                   //   IN: public exponent
    814    TPM2B              *n,                   //   IN/OUT: public modulu
    815    TPM2B              *p,                   //   IN: a first prime
    816    TPM2B              *q                    //   IN: an optional second prime
    817    )
    818 {
    819    CRYPT_RESULT       retVal;
    820    TEST(ALG_NULL_VALUE);
    821    pAssert(d != NULL && n != NULL && p != NULL);
    822    // Set the exponent
    823    if(e == 0)
    824        e = RSA_DEFAULT_PUBLIC_EXPONENT;
    825    // CRYPT_PARAMETER
    826    retVal =_cpri__TestKeyRSA(d, e, n, p, q);
    827    if(retVal == CRYPT_SUCCESS)
    828        return TPM_RC_SUCCESS;
    829    else
    830        return TPM_RC_BINDING; // convert CRYPT_PARAMETER
    831 }
    832 //
    833 //
    834 //      10.2.5.3   CryptGenerateKeyRSA()
    835 //
    836 //      This function is called to generate an RSA key from a provided seed. It calls _cpri__GenerateKeyRSA()
    837 //      to perform the computations. The implementation is vendor specific.
    838 //
    839 //      Error Returns                   Meaning
    840 //
    841 //      TPM_RC_RANGE                    the exponent value is not supported
    842 //      TPM_RC_CANCELLED                key generation has been canceled
    843 //      TPM_RC_VALUE                    exponent is not prime or is less than 3; or could not find a prime using
    844 //                                      the provided parameters
    845 //
    846 static TPM_RC
    847 CryptGenerateKeyRSA(
    848    TPMT_PUBLIC               *publicArea,              //   IN/OUT: The public area template for
    849                                                        //        the new key. The public key
    850                                                        //        area will be replaced by the
    851                                                        //        product of two primes found by
    852                                                        //        this function
    853    TPMT_SENSITIVE            *sensitive,               //   OUT: the sensitive area will be
    854                                                        //        updated to contain the first
    855                                                        //        prime and the symmetric
    856                                                        //        encryption key
    857    TPM_ALG_ID                 hashAlg,                 //   IN: the hash algorithm for the KDF
    858    TPM2B_SEED                *seed,                    //   IN: Seed for the creation
    859    TPM2B_NAME                *name,                    //   IN: Object name
    860    UINT32                    *counter                  //   OUT: last iteration of the counter
    861 )
    862 {
    863    CRYPT_RESULT       retVal;
    864    UINT32             exponent = publicArea->parameters.rsaDetail.exponent;
    865    TEST_HASH(hashAlg);
    866    TEST(ALG_NULL_VALUE);
    867    // In this implementation, only the default exponent is allowed
    868    if(exponent != 0 && exponent != RSA_DEFAULT_PUBLIC_EXPONENT)
    869        return TPM_RC_RANGE;
    870    exponent = RSA_DEFAULT_PUBLIC_EXPONENT;
    871    *counter = 0;
    872    // _cpri_GenerateKeyRSA can return CRYPT_CANCEL or CRYPT_FAIL
    873    retVal = _cpri__GenerateKeyRSA(&publicArea->unique.rsa.b,
    874                                   &sensitive->sensitive.rsa.b,
    875                                   publicArea->parameters.rsaDetail.keyBits,
    876                                   exponent,
    877                                   hashAlg,
    878                                   &seed->b,
    879                                   "RSA key by vendor",
    880                                   &name->b,
    881                                   counter);
    882    // CRYPT_CANCEL -> TPM_RC_CANCELLED; CRYPT_FAIL -> TPM_RC_VALUE
    883    return TranslateCryptErrors(retVal);
    884 }
    885 //
    886 //
    887 //      10.2.5.4    CryptLoadPrivateRSA()
    888 //
    889 //      This function is called to generate the private exponent of an RSA key. It uses CryptTestKeyRSA().
    890 //
    891 //      Error Returns                     Meaning
    892 //
    893 //      TPM_RC_BINDING                    public and private parts of rsaKey are not matched
    894 //
    895 TPM_RC
    896 CryptLoadPrivateRSA(
    897    OBJECT              *rsaKey               // IN: the RSA key object
    898    )
    899 {
    900    TPM_RC               result;
    901    TPMT_PUBLIC         *publicArea = &rsaKey->publicArea;
    902    TPMT_SENSITIVE      *sensitive = &rsaKey->sensitive;
    903    // Load key by computing the private exponent
    904    // TPM_RC_BINDING
    905    result = CryptTestKeyRSA(&(rsaKey->privateExponent.b),
    906                             publicArea->parameters.rsaDetail.exponent,
    907                             &(publicArea->unique.rsa.b),
    908                             &(sensitive->sensitive.rsa.b),
    909                             NULL);
    910    if(result == TPM_RC_SUCCESS)
    911        rsaKey->attributes.privateExp = SET;
    912    return result;
    913 }
    914 //
    915 //
    916 //      10.2.5.5    CryptSelectRSAScheme()
    917 //
    918 //      This function is used by TPM2_RSA_Decrypt() and TPM2_RSA_Encrypt(). It sets up the rules to select a
    919 //      scheme between input and object default. This function assume the RSA object is loaded. If a default
    920 //      scheme is defined in object, the default scheme should be chosen, otherwise, the input scheme should
    921 //      be chosen. In the case that both the object and scheme are not TPM_ALG_NULL, then if the schemes
    922 //
    923 //
    924 //      are the same, the input scheme will be chosen. if the scheme are not compatible, a NULL pointer will be
    925 //      returned.
    926 //      The return pointer may point to a TPM_ALG_NULL scheme.
    927 //
    928 TPMT_RSA_DECRYPT*
    929 CryptSelectRSAScheme(
    930    TPMI_DH_OBJECT             rsaHandle,         // IN: handle of sign key
    931    TPMT_RSA_DECRYPT          *scheme             // IN: a sign or decrypt scheme
    932    )
    933 {
    934    OBJECT                    *rsaObject;
    935    TPMT_ASYM_SCHEME          *keyScheme;
    936    TPMT_RSA_DECRYPT          *retVal = NULL;
    937    // Get sign object pointer
    938    rsaObject = ObjectGet(rsaHandle);
    939    keyScheme = &rsaObject->publicArea.parameters.asymDetail.scheme;
    940    // if the default scheme of the object is TPM_ALG_NULL, then select the
    941    // input scheme
    942    if(keyScheme->scheme == TPM_ALG_NULL)
    943    {
    944        retVal = scheme;
    945    }
    946    // if the object scheme is not TPM_ALG_NULL and the input scheme is
    947    // TPM_ALG_NULL, then select the default scheme of the object.
    948    else if(scheme->scheme == TPM_ALG_NULL)
    949    {
    950        // if input scheme is NULL
    951        retVal = (TPMT_RSA_DECRYPT *)keyScheme;
    952    }
    953    // get here if both the object scheme and the input scheme are
    954    // not TPM_ALG_NULL. Need to insure that they are the same.
    955    // The hash algorithm match has to be verified for OAEP.
    956    // IMPLEMENTATION NOTE: This could cause problems if future versions have
    957    // schemes that have more values than just a hash algorithm. A new function
    958    // (IsSchemeSame()) might be needed then.
    959    else if (keyScheme->scheme == scheme->scheme
    960             && ((keyScheme->scheme != TPM_ALG_OAEP) ||
    961                 (keyScheme->details.anySig.hashAlg == scheme->details.anySig.hashAlg)))
    962    {
    963        retVal = scheme;
    964    }
    965    // two different, incompatible schemes specified will return NULL
    966    return retVal;
    967 }
    968 //
    969 //
    970 //      10.2.5.6    CryptDecryptRSA()
    971 //
    972 //      This function is the interface to _cpri__DecryptRSA(). It handles the return codes from that function and
    973 //      converts them from CRYPT_RESULT to TPM_RC values. The rsaKey parameter must reference an RSA
    974 //      decryption key
    975 //
    976 //      Error Returns                   Meaning
    977 //
    978 //      TPM_RC_BINDING                  Public and private parts of the key are not cryptographically bound.
    979 //      TPM_RC_SIZE                     Size of data to decrypt is not the same as the key size.
    980 //      TPM_RC_VALUE                    Numeric value of the encrypted data is greater than the public
    981 //                                      exponent, or output buffer is too small for the decrypted message.
    982 //
    983 TPM_RC
    984 CryptDecryptRSA(
    985    UINT16                    *dataOutSize,       // OUT: size of plain text in byte
    986    BYTE                    *dataOut,        //   OUT: plain text
    987    OBJECT                  *rsaKey,         //   IN: internal RSA key
    988    TPMT_RSA_DECRYPT        *scheme,         //   IN: selects the padding scheme
    989    UINT16                   cipherInSize,   //   IN: size of cipher text in byte
    990    BYTE                    *cipherIn,       //   IN: cipher text
    991    const char              *label           //   IN: a label, when needed
    992    )
    993 {
    994    RSA_KEY            key;
    995    CRYPT_RESULT       retVal = CRYPT_SUCCESS;
    996    UINT32             dSize;                   //   Place to put temporary value for the
    997                                                //   returned data size
    998    TPMI_ALG_HASH      hashAlg = TPM_ALG_NULL; //    hash algorithm in the selected
    999                                                //   padding scheme
   1000    TPM_RC             result = TPM_RC_SUCCESS;
   1001    // pointer checks
   1002    pAssert(    (dataOutSize != NULL) && (dataOut != NULL)
   1003            && (rsaKey != NULL) && (cipherIn != NULL));
   1004    // The public type is a RSA decrypt key
   1005    pAssert(    (rsaKey->publicArea.type == TPM_ALG_RSA
   1006            && rsaKey->publicArea.objectAttributes.decrypt == SET));
   1007    // Must have the private portion loaded. This check is made before this
   1008    // function is called.
   1009    pAssert(rsaKey->attributes.publicOnly == CLEAR);
   1010    // decryption requires that the private modulus be present
   1011    if(rsaKey->attributes.privateExp == CLEAR)
   1012    {
   1013         // Load key by computing the private exponent
   1014         // CryptLoadPrivateRSA may return TPM_RC_BINDING
   1015         result = CryptLoadPrivateRSA(rsaKey);
   1016    }
   1017    // the input buffer must be the size of the key
   1018    if(result == TPM_RC_SUCCESS)
   1019    {
   1020        if(cipherInSize != rsaKey->publicArea.unique.rsa.t.size)
   1021             result = TPM_RC_SIZE;
   1022        else
   1023        {
   1024             BuildRSA(rsaKey, &key);
   1025              // Initialize the dOutSize parameter
   1026              dSize = *dataOutSize;
   1027              // For OAEP scheme, initialize the hash algorithm for padding
   1028              if(scheme->scheme == TPM_ALG_OAEP)
   1029              {
   1030                  hashAlg = scheme->details.oaep.hashAlg;
   1031                  TEST_HASH(hashAlg);
   1032              }
   1033              // See if the padding mode needs to be tested
   1034              TEST(scheme->scheme);
   1035              // _cpri__DecryptRSA may return CRYPT_PARAMETER CRYPT_FAIL CRYPT_SCHEME
   1036              retVal = _cpri__DecryptRSA(&dSize, dataOut, &key, scheme->scheme,
   1037                                         cipherInSize, cipherIn, hashAlg, label);
   1038              // Scheme must have been validated when the key was loaded/imported
   1039              pAssert(retVal != CRYPT_SCHEME);
   1040              // Set the return size
   1041                pAssert(dSize <= UINT16_MAX);
   1042                *dataOutSize = (UINT16)dSize;
   1043                // CRYPT_PARAMETER -> TPM_RC_VALUE, CRYPT_FAIL -> TPM_RC_VALUE
   1044                result = TranslateCryptErrors(retVal);
   1045        }
   1046    }
   1047    return result;
   1048 }
   1049 //
   1050 //
   1051 //      10.2.5.7   CryptEncryptRSA()
   1052 //
   1053 //      This function provides the interface to _cpri__EncryptRSA(). The object referenced by rsaKey is required
   1054 //      to be an RSA decryption key.
   1055 //
   1056 //      Error Returns                   Meaning
   1057 //
   1058 //      TPM_RC_SCHEME                   scheme is not supported
   1059 //      TPM_RC_VALUE                    numeric value of dataIn is greater than the key modulus
   1060 //
   1061 TPM_RC
   1062 CryptEncryptRSA(
   1063    UINT16                    *cipherOutSize,    //   OUT: size of cipher text in byte
   1064    BYTE                      *cipherOut,        //   OUT: cipher text
   1065    OBJECT                    *rsaKey,           //   IN: internal RSA key
   1066    TPMT_RSA_DECRYPT          *scheme,           //   IN: selects the padding scheme
   1067    UINT16                     dataInSize,       //   IN: size of plain text in byte
   1068    BYTE                      *dataIn,           //   IN: plain text
   1069    const char                *label             //   IN: an optional label
   1070    )
   1071 {
   1072    RSA_KEY                    key;
   1073    CRYPT_RESULT               retVal;
   1074    UINT32                     cOutSize;                         // Conversion variable
   1075    TPMI_ALG_HASH              hashAlg = TPM_ALG_NULL;           // hash algorithm in selected
   1076                                                                 // padding scheme
   1077    // must have a pointer to a key and some data to encrypt
   1078    pAssert(rsaKey != NULL && dataIn != NULL);
   1079    // The public type is a RSA decryption key
   1080    pAssert(   rsaKey->publicArea.type == TPM_ALG_RSA
   1081            && rsaKey->publicArea.objectAttributes.decrypt == SET);
   1082    // If the cipher buffer must be provided and it must be large enough
   1083    // for the result
   1084    pAssert(   cipherOut != NULL
   1085            && cipherOutSize != NULL
   1086            && *cipherOutSize >= rsaKey->publicArea.unique.rsa.t.size);
   1087    // Only need the public key and exponent for encryption
   1088    BuildRSA(rsaKey, &key);
   1089    // Copy the size to the conversion buffer
   1090    cOutSize = *cipherOutSize;
   1091    // For OAEP scheme, initialize the hash algorithm for padding
   1092    if(scheme->scheme == TPM_ALG_OAEP)
   1093    {
   1094        hashAlg = scheme->details.oaep.hashAlg;
   1095        TEST_HASH(hashAlg);
   1096    }
   1097    // This is a public key operation and does not require that the private key
   1098    // be loaded. To verify this, need to do the full algorithm
   1099    TEST(scheme->scheme);
   1100    // Encrypt the data with the public exponent
   1101    // _cpri__EncryptRSA may return CRYPT_PARAMETER or CRYPT_SCHEME
   1102    retVal = _cpri__EncryptRSA(&cOutSize,cipherOut, &key, scheme->scheme,
   1103                               dataInSize, dataIn, hashAlg, label);
   1104    pAssert (cOutSize <= UINT16_MAX);
   1105    *cipherOutSize = (UINT16)cOutSize;
   1106    // CRYPT_PARAMETER -> TPM_RC_VALUE, CRYPT_SCHEME -> TPM_RC_SCHEME
   1107    return TranslateCryptErrors(retVal);
   1108 }
   1109 //
   1110 //
   1111 //      10.2.5.8     CryptSignRSA()
   1112 //
   1113 //      This function is used to sign a digest with an RSA signing key.
   1114 //
   1115 //      Error Returns                     Meaning
   1116 //
   1117 //      TPM_RC_BINDING                    public and private part of signKey are not properly bound
   1118 //      TPM_RC_SCHEME                     scheme is not supported
   1119 //      TPM_RC_VALUE                      hashData is larger than the modulus of signKey, or the size of
   1120 //                                        hashData does not match hash algorithm in scheme
   1121 //
   1122 static TPM_RC
   1123 CryptSignRSA(
   1124    OBJECT                   *signKey,              //   IN: RSA key signs the hash
   1125    TPMT_SIG_SCHEME          *scheme,               //   IN: sign scheme
   1126    TPM2B_DIGEST             *hashData,             //   IN: hash to be signed
   1127    TPMT_SIGNATURE           *sig                   //   OUT: signature
   1128    )
   1129 {
   1130    UINT32                     signSize;
   1131    RSA_KEY                    key;
   1132    CRYPT_RESULT               retVal;
   1133    TPM_RC                     result = TPM_RC_SUCCESS;
   1134    pAssert(       (signKey != NULL) && (scheme != NULL)
   1135                   && (hashData != NULL) && (sig != NULL));
   1136    // assume that the key has private part loaded and that it is a signing key.
   1137    pAssert(   (signKey->attributes.publicOnly == CLEAR)
   1138            && (signKey->publicArea.objectAttributes.sign == SET));
   1139    // check if the private exponent has been computed
   1140    if(signKey->attributes.privateExp == CLEAR)
   1141        // May return TPM_RC_BINDING
   1142        result = CryptLoadPrivateRSA(signKey);
   1143    if(result == TPM_RC_SUCCESS)
   1144    {
   1145        BuildRSA(signKey, &key);
   1146           // Make sure that the hash is tested
   1147           TEST_HASH(sig->signature.any.hashAlg);
   1148           // Run a test of the RSA sign
   1149           TEST(scheme->scheme);
   1150           // _crypi__SignRSA can return CRYPT_SCHEME and CRYPT_PARAMETER
   1151           retVal = _cpri__SignRSA(&signSize,
   1152                                   sig->signature.rsassa.sig.t.buffer,
   1153                                   &key,
   1154                                   sig->sigAlg,
   1155                                   sig->signature.any.hashAlg,
   1156                                   hashData->t.size, hashData->t.buffer);
   1157           pAssert(signSize <= UINT16_MAX);
   1158           sig->signature.rsassa.sig.t.size = (UINT16)signSize;
   1159           // CRYPT_SCHEME -> TPM_RC_SCHEME; CRYPT_PARAMTER -> TPM_RC_VALUE
   1160           result = TranslateCryptErrors(retVal);
   1161    }
   1162    return result;
   1163 }
   1164 //
   1165 //
   1166 //      10.2.5.9    CryptRSAVerifySignature()
   1167 //
   1168 //      This function is used to verify signature signed by a RSA key.
   1169 //
   1170 //      Error Returns                   Meaning
   1171 //
   1172 //      TPM_RC_SIGNATURE                if signature is not genuine
   1173 //      TPM_RC_SCHEME                   signature scheme not supported
   1174 //
   1175 static TPM_RC
   1176 CryptRSAVerifySignature(
   1177    OBJECT              *signKey,            // IN: RSA key signed the hash
   1178    TPM2B_DIGEST        *digestData,         // IN: digest being signed
   1179    TPMT_SIGNATURE      *sig                 // IN: signature to be verified
   1180    )
   1181 {
   1182    RSA_KEY                   key;
   1183    CRYPT_RESULT              retVal;
   1184    TPM_RC                    result;
   1185    // Validate parameter assumptions
   1186    pAssert((signKey != NULL) && (digestData != NULL) && (sig != NULL));
   1187    TEST_HASH(sig->signature.any.hashAlg);
   1188    TEST(sig->sigAlg);
   1189    // This is a public-key-only operation
   1190    BuildRSA(signKey, &key);
   1191    // Call crypto engine to verify signature
   1192    // _cpri_ValidateSignaturRSA may return CRYPT_FAIL or CRYPT_SCHEME
   1193    retVal = _cpri__ValidateSignatureRSA(&key,
   1194                                         sig->sigAlg,
   1195                                         sig->signature.any.hashAlg,
   1196                                         digestData->t.size,
   1197                                         digestData->t.buffer,
   1198                                         sig->signature.rsassa.sig.t.size,
   1199                                         sig->signature.rsassa.sig.t.buffer,
   1200                                         0);
   1201    // _cpri__ValidateSignatureRSA can return CRYPT_SUCCESS, CRYPT_FAIL, or
   1202    // CRYPT_SCHEME. Translate CRYPT_FAIL to TPM_RC_SIGNATURE
   1203    if(retVal == CRYPT_FAIL)
   1204        result = TPM_RC_SIGNATURE;
   1205    else
   1206        // CRYPT_SCHEME -> TPM_RC_SCHEME
   1207        result = TranslateCryptErrors(retVal);
   1208    return result;
   1209 }
   1210 //
   1211 #endif //TPM_ALG_RSA             //% 2
   1212 //
   1213 //
   1214 //      10.2.6     ECC Functions
   1215 //
   1216 //      10.2.6.1    CryptEccGetCurveDataPointer()
   1217 //
   1218 //      This function returns a pointer to an ECC_CURVE_VALUES structure that contains the parameters for
   1219 //      the key size and schemes for a given curve.
   1220 //
   1221 #ifdef TPM_ALG_ECC //% 3
   1222 static const ECC_CURVE    *
   1223 CryptEccGetCurveDataPointer(
   1224     TPM_ECC_CURVE        curveID             // IN: id of the curve
   1225     )
   1226 {
   1227     return _cpri__EccGetParametersByCurveId(curveID);
   1228 }
   1229 //
   1230 //
   1231 //      10.2.6.2    CryptEccGetKeySizeInBits()
   1232 //
   1233 //      This function returns the size in bits of the key associated with a curve.
   1234 //
   1235 UINT16
   1236 CryptEccGetKeySizeInBits(
   1237     TPM_ECC_CURVE        curveID             // IN: id of the curve
   1238     )
   1239 {
   1240     const ECC_CURVE               *curve = CryptEccGetCurveDataPointer(curveID);
   1241     UINT16                         keySizeInBits = 0;
   1242     if(curve != NULL)
   1243         keySizeInBits = curve->keySizeBits;
   1244     return keySizeInBits;
   1245 }
   1246 //
   1247 //
   1248 //      10.2.6.4    CryptEccGetParameter()
   1249 //
   1250 //      This function returns a pointer to an ECC curve parameter. The parameter is selected by a single
   1251 //      character designator from the set of {pnabxyh}.
   1252 //
   1253 LIB_EXPORT const TPM2B *
   1254 CryptEccGetParameter(
   1255     char                 p,                  // IN: the parameter selector
   1256     TPM_ECC_CURVE        curveId             // IN: the curve id
   1257     )
   1258 {
   1259     const ECC_CURVE          *curve = _cpri__EccGetParametersByCurveId(curveId);
   1260     const TPM2B              *parameter = NULL;
   1261     if(curve != NULL)
   1262     {
   1263           switch (p)
   1264           {
   1265           case 'p':
   1266               parameter    = curve->curveData->p;
   1267               break;
   1268           case 'n':
   1269               parameter    =   curve->curveData->n;
   1270               break;
   1271           case 'a':
   1272               parameter    =   curve->curveData->a;
   1273               break;
   1274           case 'b':
   1275               parameter    =   curve->curveData->b;
   1276               break;
   1277           case 'x':
   1278               parameter    =   curve->curveData->x;
   1279               break;
   1280           case 'y':
   1281               parameter    =   curve->curveData->y;
   1282               break;
   1283           case 'h':
   1284               parameter    =   curve->curveData->h;
   1285               break;
   1286           default:
   1287               break;
   1288           }
   1289     }
   1290     return parameter;
   1291 }
   1292 //
   1293 //
   1294 //       10.2.6.5    CryptGetCurveSignScheme()
   1295 //
   1296 //       This function will return a pointer to the scheme of the curve.
   1297 //
   1298 const TPMT_ECC_SCHEME *
   1299 CryptGetCurveSignScheme(
   1300     TPM_ECC_CURVE         curveId            // IN: The curve selector
   1301     )
   1302 {
   1303     const ECC_CURVE               *curve = _cpri__EccGetParametersByCurveId(curveId);
   1304     const TPMT_ECC_SCHEME         *scheme = NULL;
   1305     if(curve != NULL)
   1306         scheme = &(curve->sign);
   1307     return scheme;
   1308 }
   1309 //
   1310 //
   1311 //       10.2.6.6    CryptEccIsPointOnCurve()
   1312 //
   1313 //       This function will validate that an ECC point is on the curve of given curveID.
   1314 //
   1315 //       Return Value                     Meaning
   1316 //
   1317 //       TRUE                             if the point is on curve
   1318 //       FALSE                            if the point is not on curve
   1319 //
   1320 BOOL
   1321 CryptEccIsPointOnCurve(
   1322     TPM_ECC_CURVE        curveID,            // IN: ECC curve ID
   1323     TPMS_ECC_POINT      *Q                   // IN: ECC point
   1324     )
   1325 {
   1326    // Make sure that point multiply is working
   1327    TEST(TPM_ALG_ECC);
   1328    // Check point on curve logic by seeing if the test key is on the curve
   1329    // Call crypto engine function to check if a ECC public point is on the
   1330    // given curve
   1331    if(_cpri__EccIsPointOnCurve(curveID, Q))
   1332        return TRUE;
   1333    else
   1334        return FALSE;
   1335 }
   1336 //
   1337 //
   1338 //       10.2.6.7    CryptNewEccKey()
   1339 //
   1340 //       This function creates a random ECC key that is not derived from other parameters as is a Primary Key.
   1341 //
   1342 TPM_RC
   1343 CryptNewEccKey(
   1344    TPM_ECC_CURVE                    curveID,               // IN: ECC curve
   1345    TPMS_ECC_POINT                  *publicPoint,           // OUT: public point
   1346    TPM2B_ECC_PARAMETER             *sensitive              // OUT: private area
   1347    )
   1348 {
   1349    TPM_RC               result = TPM_RC_SUCCESS;
   1350    // _cpri__GetEphemeralECC may return CRYPT_PARAMETER
   1351    if(_cpri__GetEphemeralEcc(publicPoint, sensitive, curveID) != CRYPT_SUCCESS)
   1352        // Something is wrong with the key.
   1353        result = TPM_RC_KEY;
   1354    return result;
   1355 }
   1356 //
   1357 //
   1358 //       10.2.6.8    CryptEccPointMultiply()
   1359 //
   1360 //       This function is used to perform a point multiply R = [d]Q. If Q is not provided, the multiplication is
   1361 //       performed using the generator point of the curve.
   1362 //
   1363 //       Error Returns                     Meaning
   1364 //
   1365 //       TPM_RC_ECC_POINT                  invalid optional ECC point pIn
   1366 //       TPM_RC_NO_RESULT                  multiplication resulted in a point at infinity
   1367 //       TPM_RC_CANCELED                   if a self-test was done, it might have been aborted
   1368 //
   1369 TPM_RC
   1370 CryptEccPointMultiply(
   1371    TPMS_ECC_POINT                  *pOut,                  //   OUT: output point
   1372    TPM_ECC_CURVE                    curveId,               //   IN: curve selector
   1373    TPM2B_ECC_PARAMETER             *dIn,                   //   IN: public scalar
   1374    TPMS_ECC_POINT                  *pIn                    //   IN: optional point
   1375    )
   1376 {
   1377    TPM2B_ECC_PARAMETER             *n = NULL;
   1378    CRYPT_RESULT                    retVal;
   1379    pAssert(pOut != NULL && dIn != NULL);
   1380    if(pIn != NULL)
   1381    {
   1382        n = dIn;
   1383        dIn = NULL;
   1384    }
   1385    // Do a test of point multiply
   1386    TEST(TPM_ALG_ECC);
   1387    // _cpri__EccPointMultiply may return CRYPT_POINT or CRYPT_NO_RESULT
   1388    retVal = _cpri__EccPointMultiply(pOut, curveId, dIn, pIn, n);
   1389    // CRYPT_POINT->TPM_RC_ECC_POINT and CRYPT_NO_RESULT->TPM_RC_NO_RESULT
   1390    return TranslateCryptErrors(retVal);
   1391 }
   1392 //
   1393 //
   1394 //       10.2.6.9    CryptGenerateKeyECC()
   1395 //
   1396 //       This function generates an ECC key from a seed value.
   1397 //       The method here may not work for objects that have an order (G) that with a different size than a private
   1398 //       key.
   1399 //
   1400 //       Error Returns                   Meaning
   1401 //
   1402 //       TPM_RC_VALUE                    hash algorithm is not supported
   1403 //
   1404 static TPM_RC
   1405 CryptGenerateKeyECC(
   1406    TPMT_PUBLIC         *publicArea,        //   IN/OUT: The public area template for the new
   1407                                            //       key.
   1408    TPMT_SENSITIVE      *sensitive,         //   IN/OUT: the sensitive area
   1409    TPM_ALG_ID           hashAlg,           //   IN: algorithm for the KDF
   1410    TPM2B_SEED          *seed,              //   IN: the seed value
   1411    TPM2B_NAME          *name,              //   IN: the name of the object
   1412    UINT32              *counter            //   OUT: the iteration counter
   1413    )
   1414 {
   1415    CRYPT_RESULT              retVal;
   1416    TEST_HASH(hashAlg);
   1417    TEST(ALG_ECDSA_VALUE); // ECDSA is used to verify each key
   1418    // The iteration counter has no meaning for ECC key generation. The parameter
   1419    // will be overloaded for those implementations that have a requirement for
   1420    // doing pair-wise consistency checks on signing keys. If the counter parameter
   1421    // is 0 or NULL, then no consistency check is done. If it is other than 0, then
   1422    // a consistency check is run. This modification allow this code to work with
   1423    // the existing versions of the CrytpoEngine and with FIPS-compliant versions
   1424    // as well.
   1425    *counter = (UINT32)(publicArea->objectAttributes.sign == SET);
   1426    // _cpri__GenerateKeyEcc only has one error return (CRYPT_PARAMETER) which means
   1427    // that the hash algorithm is not supported. This should not be possible
   1428    retVal = _cpri__GenerateKeyEcc(&publicArea->unique.ecc,
   1429                                   &sensitive->sensitive.ecc,
   1430                                   publicArea->parameters.eccDetail.curveID,
   1431                                   hashAlg, &seed->b, "ECC key by vendor",
   1432                                   &name->b, counter);
   1433    // This will only be useful if _cpri__GenerateKeyEcc return CRYPT_CANCEL
   1434    return TranslateCryptErrors(retVal);
   1435 }
   1436 //
   1437 //
   1438 //       10.2.6.10 CryptSignECC()
   1439 //
   1440 //       This function is used for ECC signing operations. If the signing scheme is a split scheme, and the signing
   1441 //       operation is successful, the commit value is retired.
   1442 //
   1443 //
   1444 //       Error Returns                     Meaning
   1445 //
   1446 //       TPM_RC_SCHEME                     unsupported scheme
   1447 //       TPM_RC_VALUE                      invalid commit status (in case of a split scheme) or failed to generate
   1448 //                                         r value.
   1449 //
   1450 static TPM_RC
   1451 CryptSignECC(
   1452    OBJECT                   *signKey,                //   IN: ECC key to sign the hash
   1453    TPMT_SIG_SCHEME          *scheme,                 //   IN: sign scheme
   1454    TPM2B_DIGEST             *hashData,               //   IN: hash to be signed
   1455    TPMT_SIGNATURE           *signature               //   OUT: signature
   1456    )
   1457 {
   1458    TPM2B_ECC_PARAMETER              r;
   1459    TPM2B_ECC_PARAMETER             *pr = NULL;
   1460    CRYPT_RESULT                     retVal;
   1461    // Run a test of the ECC sign and verify if it has not already been run
   1462    TEST_HASH(scheme->details.any.hashAlg);
   1463    TEST(scheme->scheme);
   1464    if(CryptIsSplitSign(scheme->scheme))
   1465    {
   1466        // When this code was written, the only split scheme was ECDAA
   1467        // (which can also be used for U-Prove).
   1468        if(!CryptGenerateR(&r,
   1469                           &scheme->details.ecdaa.count,
   1470                           signKey->publicArea.parameters.eccDetail.curveID,
   1471                           &signKey->name))
   1472            return TPM_RC_VALUE;
   1473        pr = &r;
   1474    }
   1475    // Call crypto engine function to sign
   1476    // _cpri__SignEcc may return CRYPT_SCHEME
   1477    retVal = _cpri__SignEcc(&signature->signature.ecdsa.signatureR,
   1478                            &signature->signature.ecdsa.signatureS,
   1479                            scheme->scheme,
   1480                            scheme->details.any.hashAlg,
   1481                            signKey->publicArea.parameters.eccDetail.curveID,
   1482                            &signKey->sensitive.sensitive.ecc,
   1483                            &hashData->b,
   1484                            pr
   1485                            );
   1486    if(CryptIsSplitSign(scheme->scheme) && retVal == CRYPT_SUCCESS)
   1487        CryptEndCommit(scheme->details.ecdaa.count);
   1488    // CRYPT_SCHEME->TPM_RC_SCHEME
   1489    return TranslateCryptErrors(retVal);
   1490 }
   1491 //
   1492 //
   1493 //       10.2.6.11 CryptECCVerifySignature()
   1494 //
   1495 //       This function is used to verify a signature created with an ECC key.
   1496 //
   1497 //       Error Returns                     Meaning
   1498 //
   1499 //       TPM_RC_SIGNATURE                  if signature is not valid
   1500 //       TPM_RC_SCHEME                     the signing scheme or hashAlg is not supported
   1501 //
   1502 static TPM_RC
   1503 CryptECCVerifySignature(
   1504    OBJECT              *signKey,               // IN: ECC key signed the hash
   1505    TPM2B_DIGEST        *digestData,       // IN: digest being signed
   1506    TPMT_SIGNATURE      *signature         // IN: signature to be verified
   1507    )
   1508 {
   1509    CRYPT_RESULT              retVal;
   1510    TEST_HASH(signature->signature.any.hashAlg);
   1511    TEST(signature->sigAlg);
   1512    // This implementation uses the fact that all the defined ECC signing
   1513    // schemes have the hash as the first parameter.
   1514    // _cpriValidateSignatureEcc may return CRYPT_FAIL or CRYP_SCHEME
   1515    retVal = _cpri__ValidateSignatureEcc(&signature->signature.ecdsa.signatureR,
   1516                                   &signature->signature.ecdsa.signatureS,
   1517                                   signature->sigAlg,
   1518                                   signature->signature.any.hashAlg,
   1519                                   signKey->publicArea.parameters.eccDetail.curveID,
   1520                                   &signKey->publicArea.unique.ecc,
   1521                                   &digestData->b);
   1522    if(retVal == CRYPT_FAIL)
   1523        return TPM_RC_SIGNATURE;
   1524    // CRYPT_SCHEME->TPM_RC_SCHEME
   1525    return TranslateCryptErrors(retVal);
   1526 }
   1527 //
   1528 //
   1529 //       10.2.6.12 CryptGenerateR()
   1530 //
   1531 //       This function computes the commit random value for a split signing scheme.
   1532 //       If c is NULL, it indicates that r is being generated for TPM2_Commit(). If c is not NULL, the TPM will
   1533 //       validate that the gr.commitArray bit associated with the input value of c is SET. If not, the TPM returns
   1534 //       FALSE and no r value is generated.
   1535 //
   1536 //       Return Value                    Meaning
   1537 //
   1538 //       TRUE                            r value computed
   1539 //       FALSE                           no r value computed
   1540 //
   1541 BOOL
   1542 CryptGenerateR(
   1543    TPM2B_ECC_PARAMETER           *r,                 //   OUT: the generated random value
   1544    UINT16                        *c,                 //   IN/OUT: count value.
   1545    TPMI_ECC_CURVE                 curveID,           //   IN: the curve for the value
   1546    TPM2B_NAME                    *name               //   IN: optional name of a key to
   1547                                                      //       associate with 'r'
   1548    )
   1549 {
   1550    // This holds the marshaled g_commitCounter.
   1551    TPM2B_TYPE(8B, 8);
   1552    TPM2B_8B                cntr = {.b.size = 8};
   1553    UINT32                   iterations;
   1554    const TPM2B             *n;
   1555    UINT64                   currentCount = gr.commitCounter;
   1556    // This is just to suppress a compiler warning about a conditional expression
   1557    // being a constant. This is because of the macro expansion of ryptKDFa
   1558    TPMI_ALG_HASH            hashAlg = CONTEXT_INTEGRITY_HASH_ALG;
   1559    n = CryptEccGetParameter('n', curveID);
   1560    pAssert(r != NULL && n != NULL);
   1561    // If this is the commit phase, use the current value of the commit counter
   1562    if(c != NULL)
   1563 //
   1564    {
   1565         UINT16      t1;
   1566         // if the array bit is not set, can't use the value.
   1567         if(!BitIsSet((*c & COMMIT_INDEX_MASK), gr.commitArray,
   1568                      sizeof(gr.commitArray)))
   1569             return FALSE;
   1570         //   If it is the sign phase, figure out what the counter value was
   1571         //   when the commitment was made.
   1572         //
   1573         //   When gr.commitArray has less than 64K bits, the extra
   1574         //   bits of 'c' are used as a check to make sure that the
   1575         //   signing operation is not using an out of range count value
   1576         t1   = (UINT16)currentCount;
   1577         // If the lower bits of c are greater or equal to the lower bits of t1
   1578         // then the upper bits of t1 must be one more than the upper bits
   1579         // of c
   1580         if((*c & COMMIT_INDEX_MASK) >= (t1 & COMMIT_INDEX_MASK))
   1581             // Since the counter is behind, reduce the current count
   1582             currentCount = currentCount - (COMMIT_INDEX_MASK + 1);
   1583         t1 = (UINT16)currentCount;
   1584         if((t1 & ~COMMIT_INDEX_MASK) != (*c & ~COMMIT_INDEX_MASK))
   1585             return FALSE;
   1586         // set the counter to the value that was
   1587         // present when the commitment was made
   1588         currentCount = (currentCount & 0xffffffffffff0000) | *c;
   1589    }
   1590    // Marshal the count value to a TPM2B buffer for the KDF
   1591    cntr.t.size = sizeof(currentCount);
   1592    UINT64_TO_BYTE_ARRAY(currentCount, cntr.t.buffer);
   1593    //   Now can do the KDF to create the random value for the signing operation
   1594    //   During the creation process, we may generate an r that does not meet the
   1595    //   requirements of the random value.
   1596    //   want to generate a new r.
   1597    r->t.size = n->size;
   1598    // Arbitrary upper limit on the number of times that we can look for
   1599    // a suitable random value. The normally number of tries will be 1.
   1600    for(iterations = 1; iterations < 1000000;)
   1601    {
   1602        BYTE    *pr = &r->b.buffer[0];
   1603        int     i;
   1604        CryptKDFa(hashAlg, &gr.commitNonce.b, "ECDAA Commit",
   1605                  name, &cntr.b, n->size * 8, r->t.buffer, &iterations);
   1606         // random value must be less than the prime
   1607         if(CryptCompare(r->b.size, r->b.buffer, n->size, n->buffer) >= 0)
   1608             continue;
   1609         // in this implementation it is required that at least bit
   1610         // in the upper half of the number be set
   1611         for(i = n->size/2; i > 0; i--)
   1612             if(*pr++ != 0)
   1613                 return TRUE;
   1614    }
   1615    return FALSE;
   1616 }
   1617 //
   1618 //
   1619 //
   1620 //       10.2.6.13 CryptCommit()
   1621 //
   1622 //       This function is called when the count value is committed. The gr.commitArray value associated with the
   1623 //       current count value is SET and g_commitCounter is incremented. The low-order 16 bits of old value of the
   1624 //       counter is returned.
   1625 //
   1626 UINT16
   1627 CryptCommit(
   1628    void
   1629    )
   1630 {
   1631    UINT16      oldCount = (UINT16)gr.commitCounter;
   1632    gr.commitCounter++;
   1633    BitSet(oldCount & COMMIT_INDEX_MASK, gr.commitArray, sizeof(gr.commitArray));
   1634    return oldCount;
   1635 }
   1636 //
   1637 //
   1638 //       10.2.6.14 CryptEndCommit()
   1639 //
   1640 //       This function is called when the signing operation using the committed value is completed. It clears the
   1641 //       gr.commitArray bit associated with the count value so that it can't be used again.
   1642 //
   1643 void
   1644 CryptEndCommit(
   1645    UINT16               c                    // IN: the counter value of the commitment
   1646    )
   1647 {
   1648    BitClear((c & COMMIT_INDEX_MASK), gr.commitArray, sizeof(gr.commitArray));
   1649 }
   1650 //
   1651 //
   1652 //       10.2.6.15 CryptCommitCompute()
   1653 //
   1654 //       This function performs the computations for the TPM2_Commit() command. This could be a macro.
   1655 //
   1656 //       Error Returns                   Meaning
   1657 //
   1658 //       TPM_RC_NO_RESULT                K, L, or E is the point at infinity
   1659 //       TPM_RC_CANCELLED                command was canceled
   1660 //
   1661 TPM_RC
   1662 CryptCommitCompute(
   1663    TPMS_ECC_POINT                *K,                     //   OUT: [d]B
   1664    TPMS_ECC_POINT                *L,                     //   OUT: [r]B
   1665    TPMS_ECC_POINT                *E,                     //   OUT: [r]M
   1666    TPM_ECC_CURVE                  curveID,               //   IN: The curve for the computation
   1667    TPMS_ECC_POINT                *M,                     //   IN: M (P1)
   1668    TPMS_ECC_POINT                *B,                     //   IN: B (x2, y2)
   1669    TPM2B_ECC_PARAMETER           *d,                     //   IN: the private scalar
   1670    TPM2B_ECC_PARAMETER           *r                      //   IN: the computed r value
   1671    )
   1672 {
   1673    TEST(ALG_ECDH_VALUE);
   1674    // CRYPT_NO_RESULT->TPM_RC_NO_RESULT CRYPT_CANCEL->TPM_RC_CANCELLED
   1675    return TranslateCryptErrors(
   1676               _cpri__EccCommitCompute(K, L , E, curveID, M, B, d, r));
   1677 }
   1678 //
   1679 //
   1680 //
   1681 //       10.2.6.16 CryptEccGetParameters()
   1682 //
   1683 //       This function returns the ECC parameter details of the given curve
   1684 //
   1685 //       Return Value                      Meaning
   1686 //
   1687 //       TRUE                              Get parameters success
   1688 //       FALSE                             Unsupported ECC curve ID
   1689 //
   1690 BOOL
   1691 CryptEccGetParameters(
   1692    TPM_ECC_CURVE                        curveId,            // IN: ECC curve ID
   1693    TPMS_ALGORITHM_DETAIL_ECC           *parameters          // OUT: ECC parameter
   1694    )
   1695 {
   1696    const ECC_CURVE                     *curve = _cpri__EccGetParametersByCurveId(curveId);
   1697    const ECC_CURVE_DATA                *data;
   1698    BOOL                                 found = curve != NULL;
   1699    if(found)
   1700    {
   1701         data = curve->curveData;
   1702         parameters->curveID = curve->curveId;
   1703         // Key size in bit
   1704         parameters->keySize = curve->keySizeBits;
   1705         // KDF
   1706         parameters->kdf = curve->kdf;
   1707         // Sign
   1708         parameters->sign = curve->sign;
   1709         // Copy p value
   1710         MemoryCopy2B(&parameters->p.b, data->p, sizeof(parameters->p.t.buffer));
   1711         // Copy a value
   1712         MemoryCopy2B(&parameters->a.b, data->a, sizeof(parameters->a.t.buffer));
   1713         // Copy b value
   1714         MemoryCopy2B(&parameters->b.b, data->b, sizeof(parameters->b.t.buffer));
   1715         // Copy Gx value
   1716         MemoryCopy2B(&parameters->gX.b, data->x, sizeof(parameters->gX.t.buffer));
   1717         // Copy Gy value
   1718         MemoryCopy2B(&parameters->gY.b, data->y, sizeof(parameters->gY.t.buffer));
   1719         // Copy n value
   1720         MemoryCopy2B(&parameters->n.b, data->n, sizeof(parameters->n.t.buffer));
   1721         // Copy h value
   1722         MemoryCopy2B(&parameters->h.b, data->h, sizeof(parameters->h.t.buffer));
   1723    }
   1724    return found;
   1725 }
   1726 #if CC_ZGen_2Phase == YES
   1727 //
   1728 //       CryptEcc2PhaseKeyExchange() This is the interface to the key exchange function.
   1729 //
   1730 TPM_RC
   1731 CryptEcc2PhaseKeyExchange(
   1732    TPMS_ECC_POINT                *outZ1,            //   OUT: the computed point
   1733    TPMS_ECC_POINT                *outZ2,            //   OUT: optional second point
   1734    TPM_ALG_ID                     scheme,           //   IN: the key exchange scheme
   1735    TPM_ECC_CURVE                  curveId,          //   IN: the curve for the computation
   1736    TPM2B_ECC_PARAMETER           *dsA,              //   IN: static private TPM key
   1737    TPM2B_ECC_PARAMETER           *deA,              //   IN: ephemeral private TPM key
   1738    TPMS_ECC_POINT                *QsB,              //   IN: static public party B key
   1739    TPMS_ECC_POINT                *QeB               //   IN: ephemeral public party B key
   1740    )
   1741 {
   1742    return (TranslateCryptErrors(_cpri__C_2_2_KeyExchange(outZ1,
   1743                                                          outZ2,
   1744                                                          scheme,
   1745                                                          curveId,
   1746                                                          dsA,
   1747                                                          deA,
   1748                                                          QsB,
   1749                                                          QeB)));
   1750 }
   1751 #endif // CC_ZGen_2Phase
   1752 #endif //TPM_ALG_ECC //% 3
   1753 //
   1754 //
   1755 //       10.2.6.17 CryptIsSchemeAnonymous()
   1756 //
   1757 //       This function is used to test a scheme to see if it is an anonymous scheme The only anonymous scheme
   1758 //       is ECDAA. ECDAA can be used to do things like U-Prove.
   1759 //
   1760 BOOL
   1761 CryptIsSchemeAnonymous(
   1762    TPM_ALG_ID           scheme            // IN: the scheme algorithm to test
   1763    )
   1764 {
   1765 #ifdef TPM_ALG_ECDAA
   1766    return (scheme == TPM_ALG_ECDAA);
   1767 #else
   1768    UNREFERENCED(scheme);
   1769    return 0;
   1770 #endif
   1771 }
   1772 //
   1773 //
   1774 //       10.2.7     Symmetric Functions
   1775 //
   1776 //       10.2.7.1    ParmDecryptSym()
   1777 //
   1778 //       This function performs parameter decryption using symmetric block cipher.
   1779 //
   1780 void
   1781 ParmDecryptSym(
   1782    TPM_ALG_ID          symAlg,            //   IN: the symmetric algorithm
   1783    TPM_ALG_ID          hash,              //   IN: hash algorithm for KDFa
   1784    UINT16              keySizeInBits,     //   IN: key key size in bit
   1785    TPM2B              *key,               //   IN: KDF HMAC key
   1786    TPM2B              *nonceCaller,       //   IN: nonce caller
   1787    TPM2B              *nonceTpm,          //   IN: nonce TPM
   1788    UINT32              dataSize,          //   IN: size of parameter buffer
   1789    BYTE               *data               //   OUT: buffer to be decrypted
   1790    )
   1791 {
   1792    // KDF output buffer
   1793    // It contains parameters for the CFB encryption
   1794    // From MSB to LSB, they are the key and iv
   1795    BYTE             symParmString[MAX_SYM_KEY_BYTES + MAX_SYM_BLOCK_SIZE];
   1796    // Symmetric key size in byte
   1797    UINT16           keySize = (keySizeInBits + 7) / 8;
   1798    TPM2B_IV         iv;
   1799    iv.t.size = CryptGetSymmetricBlockSize(symAlg, keySizeInBits);
   1800    // If there is decryption to do...
   1801    if(iv.t.size > 0)
   1802    {
   1803        // Generate key and iv
   1804        CryptKDFa(hash, key, "CFB", nonceCaller, nonceTpm,
   1805                  keySizeInBits + (iv.t.size * 8), symParmString, NULL);
   1806        MemoryCopy(iv.t.buffer, &symParmString[keySize], iv.t.size,
   1807                   sizeof(iv.t.buffer));
   1808           CryptSymmetricDecrypt(data, symAlg, keySizeInBits, TPM_ALG_CFB,
   1809                                 symParmString, &iv, dataSize, data);
   1810    }
   1811    return;
   1812 }
   1813 //
   1814 //
   1815 //       10.2.7.2     ParmEncryptSym()
   1816 //
   1817 //       This function performs parameter encryption using symmetric block cipher.
   1818 //
   1819 void
   1820 ParmEncryptSym(
   1821    TPM_ALG_ID          symAlg,            //   IN: symmetric algorithm
   1822    TPM_ALG_ID          hash,              //   IN: hash algorithm for KDFa
   1823    UINT16              keySizeInBits,     //   IN: AES key size in bit
   1824    TPM2B              *key,               //   IN: KDF HMAC key
   1825    TPM2B              *nonceCaller,       //   IN: nonce caller
   1826    TPM2B              *nonceTpm,          //   IN: nonce TPM
   1827    UINT32              dataSize,          //   IN: size of parameter buffer
   1828    BYTE               *data               //   OUT: buffer to be encrypted
   1829    )
   1830 {
   1831    // KDF output buffer
   1832    // It contains parameters for the CFB encryption
   1833    BYTE             symParmString[MAX_SYM_KEY_BYTES + MAX_SYM_BLOCK_SIZE];
   1834    // Symmetric key size in bytes
   1835    UINT16           keySize = (keySizeInBits + 7) / 8;
   1836    TPM2B_IV             iv;
   1837    iv.t.size = CryptGetSymmetricBlockSize(symAlg, keySizeInBits);
   1838    // See if there is any encryption to do
   1839    if(iv.t.size > 0)
   1840    {
   1841        // Generate key and iv
   1842        CryptKDFa(hash, key, "CFB", nonceTpm, nonceCaller,
   1843                  keySizeInBits + (iv.t.size * 8), symParmString, NULL);
   1844           MemoryCopy(iv.t.buffer, &symParmString[keySize], iv.t.size,
   1845                      sizeof(iv.t.buffer));
   1846           CryptSymmetricEncrypt(data, symAlg, keySizeInBits, TPM_ALG_CFB,
   1847                                 symParmString, &iv, dataSize, data);
   1848    }
   1849    return;
   1850 }
   1851 //
   1852 //
   1853 //
   1854 //       10.2.7.3     CryptGenerateNewSymmetric()
   1855 //
   1856 //       This function creates the sensitive symmetric values for an HMAC or symmetric key. If the sensitive area
   1857 //       is zero, then the sensitive creation key data is copied. If it is not zero, then the TPM will generate a
   1858 //       random value of the selected size.
   1859 //
   1860 void
   1861 CryptGenerateNewSymmetric(
   1862    TPMS_SENSITIVE_CREATE        *sensitiveCreate,       //   IN: sensitive creation data
   1863    TPMT_SENSITIVE               *sensitive,             //   OUT: sensitive area
   1864    TPM_ALG_ID                    hashAlg,               //   IN: hash algorithm for the KDF
   1865    TPM2B_SEED                   *seed,                  //   IN: seed used in creation
   1866    TPM2B_NAME                   *name                   //   IN: name of the object
   1867    )
   1868 {
   1869    // This function is called to create a key and obfuscation value for a
   1870    // symmetric key that can either be a block cipher or an XOR key. The buffer
   1871    // in sensitive->sensitive will hold either. When we call the function
   1872    // to copy the input value or generated value to the sensitive->sensitive
   1873    // buffer we will need to have a size for the output buffer. This define
   1874    // computes the maximum that it might need to be and uses that. It will always
   1875    // be smaller than the largest value that will fit.
   1876    #define MAX_SENSITIVE_SIZE                                                   \
   1877        (MAX(sizeof(sensitive->sensitive.bits.t.buffer),                         \
   1878            sizeof(sensitive->sensitive.sym.t.buffer)))
   1879    // set the size of the obfuscation value
   1880    sensitive->seedValue.t.size = CryptGetHashDigestSize(hashAlg);
   1881    // If the input sensitive size is zero, then create both the sensitive data
   1882    // and the obfuscation value
   1883    if(sensitiveCreate->data.t.size == 0)
   1884    {
   1885        BYTE                     symValues[MAX(MAX_DIGEST_SIZE, MAX_SYM_KEY_BYTES)
   1886                                           + MAX_DIGEST_SIZE];
   1887        UINT16                  requestSize;
   1888           // Set the size of the request to be the size of the key and the
   1889           // obfuscation value
   1890           requestSize =   sensitive->sensitive.sym.t.size
   1891                         + sensitive->seedValue.t.size;
   1892           pAssert(requestSize <= sizeof(symValues));
   1893           requestSize = _cpri__GenerateSeededRandom(requestSize, symValues, hashAlg,
   1894                                                     &seed->b,
   1895                                                     "symmetric sensitive", &name->b,
   1896                                                     NULL);
   1897           pAssert(requestSize != 0);
   1898           // Copy the new key
   1899           MemoryCopy(sensitive->sensitive.sym.t.buffer,
   1900                      symValues, sensitive->sensitive.sym.t.size,
   1901                      MAX_SENSITIVE_SIZE);
   1902           // copy the obfuscation value
   1903           MemoryCopy(sensitive->seedValue.t.buffer,
   1904                      &symValues[sensitive->sensitive.sym.t.size],
   1905                      sensitive->seedValue.t.size,
   1906                      sizeof(sensitive->seedValue.t.buffer));
   1907    }
   1908    else
   1909    {
   1910        // Copy input symmetric key to sensitive area as long as it will fit
   1911        MemoryCopy2B(&sensitive->sensitive.sym.b, &sensitiveCreate->data.b,
   1912                     MAX_SENSITIVE_SIZE);
   1913           // Create the obfuscation value
   1914           _cpri__GenerateSeededRandom(sensitive->seedValue.t.size,
   1915                                       sensitive->seedValue.t.buffer,
   1916                                       hashAlg, &seed->b,
   1917                                       "symmetric obfuscation", &name->b, NULL);
   1918    }
   1919    return;
   1920 }
   1921 //
   1922 //
   1923 //       10.2.7.4    CryptGenerateKeySymmetric()
   1924 //
   1925 //       This function derives a symmetric cipher key from the provided seed.
   1926 //
   1927 //       Error Returns                     Meaning
   1928 //
   1929 //       TPM_RC_KEY_SIZE                   key size in the public area does not match the size in the sensitive
   1930 //                                         creation area
   1931 //
   1932 static TPM_RC
   1933 CryptGenerateKeySymmetric(
   1934    TPMT_PUBLIC                    *publicArea,               //   IN/OUT: The public area template
   1935                                                              //       for the new key.
   1936    TPMS_SENSITIVE_CREATE          *sensitiveCreate,          //   IN: sensitive creation data
   1937    TPMT_SENSITIVE                 *sensitive,                //   OUT: sensitive area
   1938    TPM_ALG_ID                      hashAlg,                  //   IN: hash algorithm for the KDF
   1939    TPM2B_SEED                     *seed,                     //   IN: seed used in creation
   1940    TPM2B_NAME                     *name                      //   IN: name of the object
   1941    )
   1942 {
   1943    // If this is not a new key, then the provided key data must be the right size
   1944    if(publicArea->objectAttributes.sensitiveDataOrigin == CLEAR)
   1945    {
   1946        if(     (sensitiveCreate->data.t.size * 8)
   1947            != publicArea->parameters.symDetail.sym.keyBits.sym)
   1948            return TPM_RC_KEY_SIZE;
   1949        // Make sure that the key size is OK.
   1950        // This implementation only supports symmetric key sizes that are
   1951        // multiples of 8
   1952        if(publicArea->parameters.symDetail.sym.keyBits.sym % 8 != 0)
   1953            return TPM_RC_KEY_SIZE;
   1954    }
   1955    else
   1956    {
   1957        // TPM is going to generate the key so set the size
   1958        sensitive->sensitive.sym.t.size
   1959            = publicArea->parameters.symDetail.sym.keyBits.sym / 8;
   1960        sensitiveCreate->data.t.size = 0;
   1961    }
   1962    // Fill in the sensitive area
   1963    CryptGenerateNewSymmetric(sensitiveCreate, sensitive, hashAlg,
   1964                              seed, name);
   1965    // Create unique area in public
   1966    CryptComputeSymmetricUnique(publicArea->nameAlg,
   1967                                sensitive, &publicArea->unique.sym);
   1968    return TPM_RC_SUCCESS;
   1969 }
   1970 //
   1971 //
   1972 //
   1973 //       10.2.7.5     CryptXORObfuscation()
   1974 //
   1975 //       This function implements XOR obfuscation. It should not be called if the hash algorithm is not
   1976 //       implemented. The only return value from this function is TPM_RC_SUCCESS.
   1977 //
   1978 #ifdef TPM_ALG_KEYEDHASH //% 5
   1979 void
   1980 CryptXORObfuscation(
   1981    TPM_ALG_ID             hash,                  //   IN: hash algorithm for KDF
   1982    TPM2B                 *key,                   //   IN: KDF key
   1983    TPM2B                 *contextU,              //   IN: contextU
   1984    TPM2B                 *contextV,              //   IN: contextV
   1985    UINT32                 dataSize,              //   IN: size of data buffer
   1986    BYTE                  *data                   //   IN/OUT: data to be XORed in place
   1987    )
   1988 {
   1989    BYTE                   mask[MAX_DIGEST_SIZE]; // Allocate a digest sized buffer
   1990    BYTE                  *pm;
   1991    UINT32                 i;
   1992    UINT32                 counter = 0;
   1993    UINT16                 hLen = CryptGetHashDigestSize(hash);
   1994    UINT32                 requestSize = dataSize * 8;
   1995    INT32                  remainBytes = (INT32) dataSize;
   1996    pAssert((key != NULL) && (data != NULL) && (hLen != 0));
   1997    // Call KDFa to generate XOR mask
   1998    for(; remainBytes > 0; remainBytes -= hLen)
   1999    {
   2000        // Make a call to KDFa to get next iteration
   2001        CryptKDFaOnce(hash, key, "XOR", contextU, contextV,
   2002                      requestSize, mask, &counter);
   2003           // XOR next piece of the data
   2004           pm = mask;
   2005           for(i = hLen < remainBytes ? hLen : remainBytes; i > 0; i--)
   2006               *data++ ^= *pm++;
   2007    }
   2008    return;
   2009 }
   2010 #endif //TPM_ALG_KEYED_HASH //%5
   2011 //
   2012 //
   2013 //       10.2.8     Initialization and shut down
   2014 //
   2015 //       10.2.8.1     CryptInitUnits()
   2016 //
   2017 //       This function is called when the TPM receives a _TPM_Init() indication. After function returns, the hash
   2018 //       algorithms should be available.
   2019 //
   2020 //       NOTE:           The hash algorithms do not have to be tested, they just need to be available. They have to be tested before the
   2021 //                       TPM can accept HMAC authorization or return any result that relies on a hash algorithm.
   2022 //
   2023 void
   2024 CryptInitUnits(
   2025    void
   2026    )
   2027 {
   2028    // Initialize the vector of implemented algorithms
   2029    AlgorithmGetImplementedVector(&g_implementedAlgorithms);
   2030    // Indicate that all test are necessary
   2031    CryptInitializeToTest();
   2032 //
   2033    // Call crypto engine unit initialization
   2034    // It is assumed that crypt engine initialization should always succeed.
   2035    // Otherwise, TPM should go to failure mode.
   2036    if(_cpri__InitCryptoUnits(&TpmFail) != CRYPT_SUCCESS)
   2037        FAIL(FATAL_ERROR_INTERNAL);
   2038    return;
   2039 }
   2040 //
   2041 //
   2042 //       10.2.8.2    CryptStopUnits()
   2043 //
   2044 //       This function is only used in a simulated environment. There should be no reason to shut down the
   2045 //       cryptography on an actual TPM other than loss of power. After receiving TPM2_Startup(), the TPM should
   2046 //       be able to accept commands until it loses power and, unless the TPM is in Failure Mode, the
   2047 //       cryptographic algorithms should be available.
   2048 //
   2049 void
   2050 CryptStopUnits(
   2051    void
   2052    )
   2053 {
   2054    // Call crypto engine unit stopping
   2055    _cpri__StopCryptoUnits();
   2056    return;
   2057 }
   2058 //
   2059 //
   2060 //       10.2.8.3    CryptUtilStartup()
   2061 //
   2062 //       This function is called by TPM2_Startup() to initialize the functions in this crypto library and in the
   2063 //       provided CryptoEngine(). In this implementation, the only initialization required in this library is
   2064 //       initialization of the Commit nonce on TPM Reset.
   2065 //       This function returns false if some problem prevents the functions from starting correctly. The TPM should
   2066 //       go into failure mode.
   2067 //
   2068 BOOL
   2069 CryptUtilStartup(
   2070    STARTUP_TYPE         type               // IN: the startup type
   2071    )
   2072 {
   2073    // Make sure that the crypto library functions are ready.
   2074    // NOTE: need to initialize the crypto before loading
   2075    // the RND state may trigger a self-test which
   2076    // uses the
   2077    if( !_cpri__Startup())
   2078        return FALSE;
   2079    // Initialize the state of the RNG.
   2080    CryptDrbgGetPutState(PUT_STATE);
   2081    if(type == SU_RESET)
   2082    {
   2083 #ifdef TPM_ALG_ECC
   2084        // Get a new random commit nonce
   2085        gr.commitNonce.t.size = sizeof(gr.commitNonce.t.buffer);
   2086        _cpri__GenerateRandom(gr.commitNonce.t.size, gr.commitNonce.t.buffer);
   2087        // Reset the counter and commit array
   2088        gr.commitCounter = 0;
   2089        MemorySet(gr.commitArray, 0, sizeof(gr.commitArray));
   2090 #endif // TPM_ALG_ECC
   2091    }
   2092     // If the shutdown was orderly, then the values recovered from NV will
   2093     // be OK to use. If the shutdown was not orderly, then a TPM Reset was required
   2094     // and we would have initialized in the code above.
   2095     return TRUE;
   2096 }
   2097 //
   2098 //
   2099 //       10.2.9     Algorithm-Independent Functions
   2100 //
   2101 //       10.2.9.1    Introduction
   2102 //
   2103 //       These functions are used generically when a function of a general type (e.g., symmetric encryption) is
   2104 //       required. The functions will modify the parameters as required to interface to the indicated algorithms.
   2105 //
   2106 //       10.2.9.2    CryptIsAsymAlgorithm()
   2107 //
   2108 //       This function indicates if an algorithm is an asymmetric algorithm.
   2109 //
   2110 //       Return Value                      Meaning
   2111 //
   2112 //       TRUE                              if it is an asymmetric algorithm
   2113 //       FALSE                             if it is not an asymmetric algorithm
   2114 //
   2115 BOOL
   2116 CryptIsAsymAlgorithm(
   2117     TPM_ALG_ID           algID                // IN: algorithm ID
   2118     )
   2119 {
   2120    return (
   2121 #ifdef TPM_ALG_RSA
   2122             algID == TPM_ALG_RSA
   2123 #endif
   2124 #if defined TPM_ALG_RSA && defined TPM_ALG_ECC
   2125             ||
   2126 #endif
   2127 #ifdef TPM_ALG_ECC
   2128             algID == TPM_ALG_ECC
   2129 #endif
   2130           );
   2131 }
   2132 //
   2133 //
   2134 //       10.2.9.3    CryptGetSymmetricBlockSize()
   2135 //
   2136 //       This function returns the size in octets of the symmetric encryption block used by an algorithm and key
   2137 //       size combination.
   2138 //
   2139 INT16
   2140 CryptGetSymmetricBlockSize(
   2141     TPMI_ALG_SYM         algorithm,           // IN: symmetric algorithm
   2142     UINT16               keySize              // IN: key size in bit
   2143     )
   2144 {
   2145     return _cpri__GetSymmetricBlockSize(algorithm, keySize);
   2146 }
   2147 //
   2148 //
   2149 //
   2150 //       10.2.9.4    CryptSymmetricEncrypt()
   2151 //
   2152 //       This function does in-place encryption of a buffer using the indicated symmetric algorithm, key, IV, and
   2153 //       mode. If the symmetric algorithm and mode are not defined, the TPM will fail.
   2154 //
   2155 void
   2156 CryptSymmetricEncrypt(
   2157    BYTE                    *encrypted,         //   OUT: the encrypted data
   2158    TPM_ALG_ID               algorithm,         //   IN: algorithm for encryption
   2159    UINT16                   keySizeInBits,     //   IN: key size in bit
   2160    TPMI_ALG_SYM_MODE        mode,              //   IN: symmetric encryption mode
   2161    BYTE                    *key,               //   IN: encryption key
   2162    TPM2B_IV                *ivIn,              //   IN/OUT: Input IV and output chaining
   2163                                                //       value for the next block
   2164    UINT32                   dataSize,          //   IN: data size in byte
   2165    BYTE                    *data               //   IN/OUT: data buffer
   2166    )
   2167 {
   2168    TPM2B_IV                 defaultIv = {};
   2169    TPM2B_IV                *iv = (ivIn != NULL) ? ivIn : &defaultIv;
   2170    TEST(algorithm);
   2171    pAssert(encrypted != NULL && key != NULL);
   2172    // this check can pass but the case below can fail. ALG_xx_VALUE values are
   2173    // defined for all algorithms but the TPM_ALG_xx might not be.
   2174    if(algorithm == ALG_AES_VALUE || algorithm == ALG_SM4_VALUE)
   2175    {
   2176        if(mode != TPM_ALG_ECB)
   2177            defaultIv.t.size = 16;
   2178        // A provided IV has to be the right size
   2179        pAssert(mode == TPM_ALG_ECB || iv->t.size == 16);
   2180    }
   2181    switch(algorithm)
   2182    {
   2183 #ifdef TPM_ALG_AES
   2184        case TPM_ALG_AES:
   2185        {
   2186            switch (mode)
   2187            {
   2188                case TPM_ALG_CTR:
   2189                    _cpri__AESEncryptCTR(encrypted, keySizeInBits, key,
   2190                                         iv->t.buffer, dataSize, data);
   2191                    break;
   2192                case TPM_ALG_OFB:
   2193                    _cpri__AESEncryptOFB(encrypted, keySizeInBits, key,
   2194                                         iv->t.buffer, dataSize, data);
   2195                    break;
   2196                case TPM_ALG_CBC:
   2197                    _cpri__AESEncryptCBC(encrypted, keySizeInBits, key,
   2198                                         iv->t.buffer, dataSize, data);
   2199                    break;
   2200                case TPM_ALG_CFB:
   2201                    _cpri__AESEncryptCFB(encrypted, keySizeInBits, key,
   2202                                         iv->t.buffer, dataSize, data);
   2203                    break;
   2204                case TPM_ALG_ECB:
   2205                    _cpri__AESEncryptECB(encrypted, keySizeInBits, key,
   2206                                         dataSize, data);
   2207                    break;
   2208                default:
   2209                    pAssert(0);
   2210            }
   2211           }
   2212           break;
   2213 #endif
   2214 #ifdef TPM_ALG_SM4
   2215        case TPM_ALG_SM4:
   2216        {
   2217            switch (mode)
   2218            {
   2219                case TPM_ALG_CTR:
   2220                    _cpri__SM4EncryptCTR(encrypted, keySizeInBits, key,
   2221                                         iv->t.buffer, dataSize, data);
   2222                    break;
   2223                case TPM_ALG_OFB:
   2224                    _cpri__SM4EncryptOFB(encrypted, keySizeInBits, key,
   2225                                         iv->t.buffer, dataSize, data);
   2226                    break;
   2227                case TPM_ALG_CBC:
   2228                    _cpri__SM4EncryptCBC(encrypted, keySizeInBits, key,
   2229                                         iv->t.buffer, dataSize, data);
   2230                    break;
   2231                    case TPM_ALG_CFB:
   2232                        _cpri__SM4EncryptCFB(encrypted, keySizeInBits, key,
   2233                                             iv->t.buffer, dataSize, data);
   2234                        break;
   2235                    case TPM_ALG_ECB:
   2236                        _cpri__SM4EncryptECB(encrypted, keySizeInBits, key,
   2237                                             dataSize, data);
   2238                        break;
   2239                    default:
   2240                        pAssert(0);
   2241               }
   2242           }
   2243           break;
   2244 #endif
   2245           default:
   2246               pAssert(FALSE);
   2247               break;
   2248    }
   2249    return;
   2250 }
   2251 //
   2252 //
   2253 //       10.2.9.5    CryptSymmetricDecrypt()
   2254 //
   2255 //       This function does in-place decryption of a buffer using the indicated symmetric algorithm, key, IV, and
   2256 //       mode. If the symmetric algorithm and mode are not defined, the TPM will fail.
   2257 //
   2258 void
   2259 CryptSymmetricDecrypt(
   2260    BYTE                      *decrypted,
   2261    TPM_ALG_ID                 algorithm,       //   IN: algorithm for encryption
   2262    UINT16                     keySizeInBits,   //   IN: key size in bit
   2263    TPMI_ALG_SYM_MODE          mode,            //   IN: symmetric encryption mode
   2264    BYTE                      *key,             //   IN: encryption key
   2265    TPM2B_IV                  *ivIn,            //   IN/OUT: IV for next block
   2266    UINT32                     dataSize,        //   IN: data size in byte
   2267    BYTE                      *data             //   IN/OUT: data buffer
   2268    )
   2269 {
   2270    BYTE                      *iv = NULL;
   2271    BYTE                       defaultIV[sizeof(TPMT_HA)];
   2272    TEST(algorithm);
   2273    if(
   2274 #ifdef TPM_ALG_AES
   2275          algorithm == TPM_ALG_AES
   2276 #endif
   2277 #if defined TPM_ALG_AES && defined TPM_ALG_SM4
   2278       ||
   2279 #endif
   2280 #ifdef TPM_ALG_SM4
   2281          algorithm == TPM_ALG_SM4
   2282 #endif
   2283      )
   2284    {
   2285        // Both SM4 and AES have block size of 128 bits
   2286        // If the iv is not provided, create a default of 0
   2287        if(ivIn == NULL)
   2288        {
   2289             // Initialize the default IV
   2290             iv = defaultIV;
   2291             MemorySet(defaultIV, 0, 16);
   2292        }
   2293        else
   2294        {
   2295             // A provided IV has to be the right size
   2296             pAssert(mode == TPM_ALG_ECB || ivIn->t.size == 16);
   2297             iv = &(ivIn->t.buffer[0]);
   2298        }
   2299    }
   2300    switch(algorithm)
   2301    {
   2302 #ifdef TPM_ALG_AES
   2303    case TPM_ALG_AES:
   2304    {
   2305         switch (mode)
   2306         {
   2307             case TPM_ALG_CTR:
   2308                 _cpri__AESDecryptCTR(decrypted, keySizeInBits,   key, iv,
   2309                                      dataSize, data);
   2310                 break;
   2311             case TPM_ALG_OFB:
   2312                 _cpri__AESDecryptOFB(decrypted, keySizeInBits,   key, iv,
   2313                                      dataSize, data);
   2314                 break;
   2315             case TPM_ALG_CBC:
   2316                 _cpri__AESDecryptCBC(decrypted, keySizeInBits,   key, iv,
   2317                                      dataSize, data);
   2318                 break;
   2319             case TPM_ALG_CFB:
   2320                 _cpri__AESDecryptCFB(decrypted, keySizeInBits,   key, iv,
   2321                                      dataSize, data);
   2322                 break;
   2323             case TPM_ALG_ECB:
   2324                 _cpri__AESDecryptECB(decrypted, keySizeInBits,   key,
   2325                                      dataSize, data);
   2326                 break;
   2327             default:
   2328                 pAssert(0);
   2329         }
   2330         break;
   2331    }
   2332 #endif //TPM_ALG_AES
   2333 #ifdef TPM_ALG_SM4
   2334    case TPM_ALG_SM4 :
   2335        switch (mode)
   2336        {
   2337            case TPM_ALG_CTR:
   2338                _cpri__SM4DecryptCTR(decrypted, keySizeInBits,                       key, iv,
   2339                                     dataSize, data);
   2340                break;
   2341            case TPM_ALG_OFB:
   2342                _cpri__SM4DecryptOFB(decrypted, keySizeInBits,                       key, iv,
   2343                                     dataSize, data);
   2344                break;
   2345            case TPM_ALG_CBC:
   2346                _cpri__SM4DecryptCBC(decrypted, keySizeInBits,                       key, iv,
   2347                                     dataSize, data);
   2348                break;
   2349            case TPM_ALG_CFB:
   2350                _cpri__SM4DecryptCFB(decrypted, keySizeInBits,                       key, iv,
   2351                                     dataSize, data);
   2352                break;
   2353            case TPM_ALG_ECB:
   2354                _cpri__SM4DecryptECB(decrypted, keySizeInBits,                       key,
   2355                                     dataSize, data);
   2356                break;
   2357            default:
   2358                pAssert(0);
   2359        }
   2360        break;
   2361 #endif //TPM_ALG_SM4
   2362    default:
   2363        pAssert(FALSE);
   2364        break;
   2365    }
   2366    return;
   2367 }
   2368 //
   2369 //
   2370 //       10.2.9.6    CryptSecretEncrypt()
   2371 //
   2372 //       This function creates a secret value and its associated secret structure using an asymmetric algorithm.
   2373 //       This function is used by TPM2_Rewrap() TPM2_MakeCredential(), and TPM2_Duplicate().
   2374 //
   2375 //       Error Returns                   Meaning
   2376 //
   2377 //       TPM_RC_ATTRIBUTES               keyHandle does not reference a valid decryption key
   2378 //       TPM_RC_KEY                      invalid ECC key (public point is not on the curve)
   2379 //       TPM_RC_SCHEME                   RSA key with an unsupported padding scheme
   2380 //       TPM_RC_VALUE                    numeric value of the data to be decrypted is greater than the RSA
   2381 //                                       key modulus
   2382 //
   2383 TPM_RC
   2384 CryptSecretEncrypt(
   2385    TPMI_DH_OBJECT                 keyHandle,           //   IN: encryption key handle
   2386    const char                    *label,               //   IN: a null-terminated string as L
   2387    TPM2B_DATA                    *data,                //   OUT: secret value
   2388    TPM2B_ENCRYPTED_SECRET        *secret               //   OUT: secret structure
   2389    )
   2390 {
   2391    TPM_RC          result = TPM_RC_SUCCESS;
   2392    OBJECT         *encryptKey = ObjectGet(keyHandle);              // TPM key used for encrypt
   2393    pAssert(data != NULL && secret != NULL);
   2394    // The output secret value has the size of the digest produced by the nameAlg.
   2395    data->t.size = CryptGetHashDigestSize(encryptKey->publicArea.nameAlg);
   2396    pAssert(encryptKey->publicArea.objectAttributes.decrypt == SET);
   2397    switch(encryptKey->publicArea.type)
   2398    {
   2399 #ifdef TPM_ALG_RSA
   2400        case TPM_ALG_RSA:
   2401        {
   2402            TPMT_RSA_DECRYPT            scheme;
   2403              // Use OAEP scheme
   2404              scheme.scheme = TPM_ALG_OAEP;
   2405              scheme.details.oaep.hashAlg = encryptKey->publicArea.nameAlg;
   2406              // Create secret data from RNG
   2407              CryptGenerateRandom(data->t.size, data->t.buffer);
   2408              // Encrypt the data by RSA OAEP into encrypted secret
   2409              result = CryptEncryptRSA(&secret->t.size, secret->t.secret,
   2410                                       encryptKey, &scheme,
   2411                                       data->t.size, data->t.buffer, label);
   2412        }
   2413        break;
   2414 #endif //TPM_ALG_RSA
   2415 #ifdef TPM_ALG_ECC
   2416        case TPM_ALG_ECC:
   2417        {
   2418            TPMS_ECC_POINT         eccPublic;
   2419            TPM2B_ECC_PARAMETER    eccPrivate;
   2420            TPMS_ECC_POINT         eccSecret;
   2421            BYTE                   *buffer = secret->t.secret;
   2422            INT32                  bufferSize = sizeof(TPMS_ECC_POINT);
   2423              // Need to make sure that the public point of the key is on the
   2424              // curve defined by the key.
   2425              if(!_cpri__EccIsPointOnCurve(
   2426                          encryptKey->publicArea.parameters.eccDetail.curveID,
   2427                          &encryptKey->publicArea.unique.ecc))
   2428                  result = TPM_RC_KEY;
   2429              else
   2430              {
   2431                   // Call crypto engine to create an auxiliary ECC key
   2432                   // We assume crypt engine initialization should always success.
   2433                   // Otherwise, TPM should go to failure mode.
   2434                   CryptNewEccKey(encryptKey->publicArea.parameters.eccDetail.curveID,
   2435                                  &eccPublic, &eccPrivate);
   2436                   // Marshal ECC public to secret structure. This will be used by the
   2437                   // recipient to decrypt the secret with their private key.
   2438                   secret->t.size = TPMS_ECC_POINT_Marshal(&eccPublic, &buffer, &bufferSize);
   2439                   // Compute ECDH shared secret which is R = [d]Q where d is the
   2440                   // private part of the ephemeral key and Q is the public part of a
   2441                   // TPM key. TPM_RC_KEY error return from CryptComputeECDHSecret
   2442                   // because the auxiliary ECC key is just created according to the
   2443                   // parameters of input ECC encrypt key.
   2444                   if(     CryptEccPointMultiply(&eccSecret,
   2445                                   encryptKey->publicArea.parameters.eccDetail.curveID,
   2446                                   &eccPrivate,
   2447                                   &encryptKey->publicArea.unique.ecc)
   2448                       != CRYPT_SUCCESS)
   2449                        result = TPM_RC_KEY;
   2450                   else
   2451                       //     The secret value is computed from Z using KDFe as:
   2452                       //     secret := KDFe(HashID, Z, Use, PartyUInfo, PartyVInfo, bits)
   2453                       //     Where:
   2454                       //      HashID the nameAlg of the decrypt key
   2455                       //      Z    the x coordinate (Px) of the product (P) of the point
   2456                       //           (Q) of the secret and the private x coordinate (de,V)
   2457                       //           of the decryption key
   2458                       //      Use a null-terminated string containing "SECRET"
   2459                       //      PartyUInfo the x coordinate of the point in the secret
   2460                       //                   (Qe,U )
   2461                       //      PartyVInfo the x coordinate of the public key (Qs,V )
   2462                       //      bits     the number of bits in the digest of HashID
   2463                       //     Retrieve seed from KDFe
   2464                       CryptKDFe(encryptKey->publicArea.nameAlg, &eccSecret.x.b,
   2465                                 label, &eccPublic.x.b,
   2466                                 &encryptKey->publicArea.unique.ecc.x.b,
   2467                                 data->t.size * 8, data->t.buffer);
   2468            }
   2469        }
   2470        break;
   2471 #endif //TPM_ALG_ECC
   2472    default:
   2473        FAIL(FATAL_ERROR_INTERNAL);
   2474        break;
   2475    }
   2476    return result;
   2477 }
   2478 //
   2479 //
   2480 //       10.2.9.7   CryptSecretDecrypt()
   2481 //
   2482 //       Decrypt a secret value by asymmetric (or symmetric) algorithm This function is used for
   2483 //       ActivateCredential() and Import for asymmetric decryption, and StartAuthSession() for both asymmetric
   2484 //       and symmetric decryption process
   2485 //
   2486 //       Error Returns                    Meaning
   2487 //
   2488 //       TPM_RC_ATTRIBUTES                RSA key is not a decryption key
   2489 //       TPM_RC_BINDING                   Invalid RSA key (public and private parts are not cryptographically
   2490 //                                        bound.
   2491 //       TPM_RC_ECC_POINT                 ECC point in the secret is not on the curve
   2492 //       TPM_RC_INSUFFICIENT              failed to retrieve ECC point from the secret
   2493 //       TPM_RC_NO_RESULT                 multiplication resulted in ECC point at infinity
   2494 //       TPM_RC_SIZE                      data to decrypt is not of the same size as RSA key
   2495 //       TPM_RC_VALUE                     For RSA key, numeric value of the encrypted data is greater than the
   2496 //                                        modulus, or the recovered data is larger than the output buffer. For
   2497 //                                        keyedHash or symmetric key, the secret is larger than the size of the
   2498 //                                        digest produced by the name algorithm.
   2499 //       TPM_RC_FAILURE                   internal error
   2500 //
   2501 TPM_RC
   2502 CryptSecretDecrypt(
   2503    TPM_HANDLE                      tpmKey,               // IN: decrypt key
   2504    TPM2B_NONCE                    *nonceCaller,          // IN: nonceCaller. It is needed for
   2505                                                          //     symmetric decryption. For
   2506                                                    //     asymmetric decryption, this
   2507                                                    //     parameter is NULL
   2508    const char                    *label,           // IN: a null-terminated string as L
   2509    TPM2B_ENCRYPTED_SECRET        *secret,          // IN: input secret
   2510    TPM2B_DATA                    *data             // OUT: decrypted secret value
   2511    )
   2512 {
   2513    TPM_RC         result = TPM_RC_SUCCESS;
   2514    OBJECT         *decryptKey = ObjectGet(tpmKey);          //TPM key used for decrypting
   2515    // Decryption for secret
   2516    switch(decryptKey->publicArea.type)
   2517    {
   2518 #ifdef TPM_ALG_RSA
   2519        case TPM_ALG_RSA:
   2520        {
   2521            TPMT_RSA_DECRYPT             scheme;
   2522              // Use OAEP scheme
   2523              scheme.scheme = TPM_ALG_OAEP;
   2524              scheme.details.oaep.hashAlg = decryptKey->publicArea.nameAlg;
   2525              // Set the output buffer capacity
   2526              data->t.size = sizeof(data->t.buffer);
   2527              // Decrypt seed by RSA OAEP
   2528              result = CryptDecryptRSA(&data->t.size, data->t.buffer, decryptKey,
   2529                                        &scheme,
   2530                                        secret->t.size, secret->t.secret,label);
   2531              if(    (result == TPM_RC_SUCCESS)
   2532                  && (data->t.size
   2533                       > CryptGetHashDigestSize(decryptKey->publicArea.nameAlg)))
   2534                   result = TPM_RC_VALUE;
   2535        }
   2536        break;
   2537 #endif //TPM_ALG_RSA
   2538 #ifdef TPM_ALG_ECC
   2539        case TPM_ALG_ECC:
   2540        {
   2541            TPMS_ECC_POINT            eccPublic;
   2542            TPMS_ECC_POINT            eccSecret;
   2543            BYTE                     *buffer = secret->t.secret;
   2544            INT32                     size = secret->t.size;
   2545              // Retrieve ECC point from secret buffer
   2546              result = TPMS_ECC_POINT_Unmarshal(&eccPublic, &buffer, &size);
   2547              if(result == TPM_RC_SUCCESS)
   2548              {
   2549                  result = CryptEccPointMultiply(&eccSecret,
   2550                                 decryptKey->publicArea.parameters.eccDetail.curveID,
   2551                                 &decryptKey->sensitive.sensitive.ecc,
   2552                                 &eccPublic);
   2553                   if(result == TPM_RC_SUCCESS)
   2554                   {
   2555                       // Set the size of the "recovered" secret value to be the size
   2556                       // of the digest produced by the nameAlg.
   2557                       data->t.size =
   2558                               CryptGetHashDigestSize(decryptKey->publicArea.nameAlg);
   2559                       // The secret value is computed from Z using KDFe as:
   2560                       // secret := KDFe(HashID, Z, Use, PartyUInfo, PartyVInfo, bits)
   2561                       // Where:
   2562                       // HashID -- the nameAlg of the decrypt key
   2563                       // Z -- the x coordinate (Px) of the product (P) of the point
   2564                       //        (Q) of the secret and the private x coordinate (de,V)
   2565                       //        of the decryption key
   2566                       // Use -- a null-terminated string containing "SECRET"
   2567                       // PartyUInfo -- the x coordinate of the point in the secret
   2568                       //              (Qe,U )
   2569                       // PartyVInfo -- the x coordinate of the public key (Qs,V )
   2570                       // bits -- the number of bits in the digest of HashID
   2571                       // Retrieve seed from KDFe
   2572                       CryptKDFe(decryptKey->publicArea.nameAlg, &eccSecret.x.b, label,
   2573                                 &eccPublic.x.b,
   2574                                 &decryptKey->publicArea.unique.ecc.x.b,
   2575                                 data->t.size * 8, data->t.buffer);
   2576                   }
   2577               }
   2578        }
   2579        break;
   2580 #endif //TPM_ALG_ECC
   2581         case TPM_ALG_KEYEDHASH:
   2582             // The seed size can not be bigger than the digest size of nameAlg
   2583             if(secret->t.size >
   2584                     CryptGetHashDigestSize(decryptKey->publicArea.nameAlg))
   2585                 result = TPM_RC_VALUE;
   2586             else
   2587             {
   2588                 // Retrieve seed by XOR Obfuscation:
   2589                 //    seed = XOR(secret, hash, key, nonceCaller, nullNonce)
   2590                 //    where:
   2591                 //    secret the secret parameter from the TPM2_StartAuthHMAC
   2592                 //             command
   2593                 //             which contains the seed value
   2594                 //    hash     nameAlg of tpmKey
   2595                 //    key      the key or data value in the object referenced by
   2596                 //             entityHandle in the TPM2_StartAuthHMAC command
   2597                 //    nonceCaller the parameter from the TPM2_StartAuthHMAC command
   2598                 //    nullNonce    a zero-length nonce
   2599                 // XOR Obfuscation in place
   2600                 CryptXORObfuscation(decryptKey->publicArea.nameAlg,
   2601                                      &decryptKey->sensitive.sensitive.bits.b,
   2602                                      &nonceCaller->b, NULL,
   2603                                      secret->t.size, secret->t.secret);
   2604                 // Copy decrypted seed
   2605                 MemoryCopy2B(&data->b, &secret->b, sizeof(data->t.buffer));
   2606             }
   2607             break;
   2608         case TPM_ALG_SYMCIPHER:
   2609             {
   2610                 TPM2B_IV                 iv = {};
   2611                 TPMT_SYM_DEF_OBJECT      *symDef;
   2612                 // The seed size can not be bigger than the digest size of nameAlg
   2613                 if(secret->t.size >
   2614                          CryptGetHashDigestSize(decryptKey->publicArea.nameAlg))
   2615                     result = TPM_RC_VALUE;
   2616                 else
   2617                 {
   2618                     symDef = &decryptKey->publicArea.parameters.symDetail.sym;
   2619                     iv.t.size = CryptGetSymmetricBlockSize(symDef->algorithm,
   2620                                                              symDef->keyBits.sym);
   2621                     pAssert(iv.t.size != 0);
   2622                     if(nonceCaller->t.size >= iv.t.size)
   2623                          MemoryCopy(iv.t.buffer, nonceCaller->t.buffer, iv.t.size,
   2624                                      sizeof(iv.t.buffer));
   2625                     else
   2626                          MemoryCopy(iv.b.buffer, nonceCaller->t.buffer,
   2627                                       nonceCaller->t.size, sizeof(iv.t.buffer));
   2628                        // CFB decrypt in place, using nonceCaller as iv
   2629                        CryptSymmetricDecrypt(secret->t.secret, symDef->algorithm,
   2630                                           symDef->keyBits.sym, TPM_ALG_CFB,
   2631                                           decryptKey->sensitive.sensitive.sym.t.buffer,
   2632                                           &iv, secret->t.size, secret->t.secret);
   2633                        // Copy decrypted seed
   2634                        MemoryCopy2B(&data->b, &secret->b, sizeof(data->t.buffer));
   2635                    }
   2636               }
   2637               break;
   2638           default:
   2639               pAssert(0);
   2640               break;
   2641    }
   2642    return result;
   2643 }
   2644 //
   2645 //
   2646 //       10.2.9.8    CryptParameterEncryption()
   2647 //
   2648 //       This function does in-place encryption of a response parameter.
   2649 //
   2650 void
   2651 CryptParameterEncryption(
   2652    TPM_HANDLE           handle,            // IN: encrypt session handle
   2653    TPM2B               *nonceCaller,       // IN: nonce caller
   2654    UINT16               leadingSizeInByte, // IN: the size of the leading size field in
   2655                                            //     byte
   2656    TPM2B_AUTH          *extraKey,          // IN: additional key material other than
   2657                                            //     session auth
   2658    BYTE                *buffer             // IN/OUT: parameter buffer to be encrypted
   2659    )
   2660 {
   2661    SESSION     *session = SessionGet(handle); // encrypt session
   2662    TPM2B_TYPE(SYM_KEY, ( sizeof(extraKey->t.buffer)
   2663                         + sizeof(session->sessionKey.t.buffer)));
   2664    TPM2B_SYM_KEY        key;               // encryption key
   2665    UINT32               cipherSize = 0;    // size of cipher text
   2666    pAssert(session->sessionKey.t.size + extraKey->t.size <= sizeof(key.t.buffer));
   2667    // Retrieve encrypted data size.
   2668    if(leadingSizeInByte == 2)
   2669    {
   2670        // Extract the first two bytes as the size field as the data size
   2671        // encrypt
   2672        cipherSize = (UINT32)BYTE_ARRAY_TO_UINT16(buffer);
   2673        // advance the buffer
   2674        buffer = &buffer[2];
   2675    }
   2676 #ifdef      TPM4B
   2677    else if(leadingSizeInByte == 4)
   2678    {
   2679        // use the first four bytes to indicate the number of bytes to encrypt
   2680        cipherSize = BYTE_ARRAY_TO_UINT32(buffer);
   2681        //advance pointer
   2682        buffer = &buffer[4];
   2683    }
   2684 #endif
   2685    else
   2686    {
   2687        pAssert(FALSE);
   2688    }
   2689 //
   2690    // Compute encryption key by concatenating sessionAuth with extra key
   2691    MemoryCopy2B(&key.b, &session->sessionKey.b, sizeof(key.t.buffer));
   2692    MemoryConcat2B(&key.b, &extraKey->b, sizeof(key.t.buffer));
   2693    if (session->symmetric.algorithm == TPM_ALG_XOR)
   2694        // XOR parameter encryption formulation:
   2695        //    XOR(parameter, hash, sessionAuth, nonceNewer, nonceOlder)
   2696        CryptXORObfuscation(session->authHashAlg, &(key.b),
   2697                                   &(session->nonceTPM.b),
   2698                                   nonceCaller, cipherSize, buffer);
   2699    else
   2700        ParmEncryptSym(session->symmetric.algorithm, session->authHashAlg,
   2701                              session->symmetric.keyBits.aes, &(key.b),
   2702                              nonceCaller, &(session->nonceTPM.b),
   2703                              cipherSize, buffer);
   2704    return;
   2705 }
   2706 //
   2707 //
   2708 //       10.2.9.9   CryptParameterDecryption()
   2709 //
   2710 //       This function does in-place decryption of a command parameter.
   2711 //
   2712 //       Error Returns                  Meaning
   2713 //
   2714 //       TPM_RC_SIZE                    The number of bytes in the input buffer is less than the number of
   2715 //                                      bytes to be decrypted.
   2716 //
   2717 TPM_RC
   2718 CryptParameterDecryption(
   2719    TPM_HANDLE          handle,                 //   IN: encrypted session handle
   2720    TPM2B              *nonceCaller,            //   IN: nonce caller
   2721    UINT32              bufferSize,             //   IN: size of parameter buffer
   2722    UINT16              leadingSizeInByte,      //   IN: the size of the leading size field in
   2723                                                //       byte
   2724    TPM2B_AUTH         *extraKey,               //   IN: the authValue
   2725    BYTE               *buffer                  //   IN/OUT: parameter buffer to be decrypted
   2726    )
   2727 {
   2728    SESSION         *session = SessionGet(handle); // encrypt session
   2729    // The HMAC key is going to be the concatenation of the session key and any
   2730    // additional key material (like the authValue). The size of both of these
   2731    // is the size of the buffer which can contain a TPMT_HA.
   2732    TPM2B_TYPE(HMAC_KEY, ( sizeof(extraKey->t.buffer)
   2733                          + sizeof(session->sessionKey.t.buffer)));
   2734    TPM2B_HMAC_KEY          key;            // decryption key
   2735    UINT32                  cipherSize = 0; // size of cipher text
   2736    pAssert(session->sessionKey.t.size + extraKey->t.size <= sizeof(key.t.buffer));
   2737    // Retrieve encrypted data size.
   2738    if(leadingSizeInByte == 2)
   2739    {
   2740        // The first two bytes of the buffer are the size of the
   2741        // data to be decrypted
   2742        cipherSize = (UINT32)BYTE_ARRAY_TO_UINT16(buffer);
   2743        buffer = &buffer[2];    // advance the buffer
   2744    }
   2745 #ifdef TPM4B
   2746    else if(leadingSizeInByte == 4)
   2747    {
   2748        // the leading size is four bytes so get the four byte size field
   2749        cipherSize = BYTE_ARRAY_TO_UINT32(buffer);
   2750        buffer = &buffer[4];    //advance pointer
   2751    }
   2752 #endif
   2753    else
   2754    {
   2755        pAssert(FALSE);
   2756    }
   2757    if(cipherSize > bufferSize)
   2758        return TPM_RC_SIZE;
   2759    // Compute decryption key by concatenating sessionAuth with extra input key
   2760    MemoryCopy2B(&key.b, &session->sessionKey.b, sizeof(key.t.buffer));
   2761    MemoryConcat2B(&key.b, &extraKey->b, sizeof(key.t.buffer));
   2762    if(session->symmetric.algorithm == TPM_ALG_XOR)
   2763        // XOR parameter decryption formulation:
   2764        //    XOR(parameter, hash, sessionAuth, nonceNewer, nonceOlder)
   2765        // Call XOR obfuscation function
   2766        CryptXORObfuscation(session->authHashAlg, &key.b, nonceCaller,
   2767                                   &(session->nonceTPM.b), cipherSize, buffer);
   2768    else
   2769        // Assume that it is one of the symmetric block ciphers.
   2770        ParmDecryptSym(session->symmetric.algorithm, session->authHashAlg,
   2771                              session->symmetric.keyBits.sym,
   2772                              &key.b, nonceCaller, &session->nonceTPM.b,
   2773                              cipherSize, buffer);
   2774    return TPM_RC_SUCCESS;
   2775 }
   2776 //
   2777 //
   2778 //       10.2.9.10 CryptComputeSymmetricUnique()
   2779 //
   2780 //       This function computes the unique field in public area for symmetric objects.
   2781 //
   2782 void
   2783 CryptComputeSymmetricUnique(
   2784    TPMI_ALG_HASH        nameAlg,           // IN: object name algorithm
   2785    TPMT_SENSITIVE      *sensitive,         // IN: sensitive area
   2786    TPM2B_DIGEST        *unique             // OUT: unique buffer
   2787    )
   2788 {
   2789    HASH_STATE     hashState;
   2790    pAssert(sensitive != NULL && unique != NULL);
   2791    // Compute the public value as the hash of sensitive.symkey || unique.buffer
   2792    unique->t.size = CryptGetHashDigestSize(nameAlg);
   2793    CryptStartHash(nameAlg, &hashState);
   2794    // Add obfuscation value
   2795    CryptUpdateDigest2B(&hashState, &sensitive->seedValue.b);
   2796    // Add sensitive value
   2797    CryptUpdateDigest2B(&hashState, &sensitive->sensitive.any.b);
   2798    CryptCompleteHash2B(&hashState, &unique->b);
   2799    return;
   2800 }
   2801 #if 0 //%
   2802 //
   2803 //
   2804 //
   2805 //       10.2.9.11 CryptComputeSymValue()
   2806 //
   2807 //       This function computes the seedValue field in asymmetric sensitive areas.
   2808 //
   2809 void
   2810 CryptComputeSymValue(
   2811     TPM_HANDLE            parentHandle,      //   IN: parent handle of the object to be created
   2812     TPMT_PUBLIC          *publicArea,        //   IN/OUT: the public area template
   2813     TPMT_SENSITIVE       *sensitive,         //   IN: sensitive area
   2814     TPM2B_SEED           *seed,              //   IN: the seed
   2815     TPMI_ALG_HASH         hashAlg,           //   IN: hash algorithm for KDFa
   2816     TPM2B_NAME           *name               //   IN: object name
   2817     )
   2818 {
   2819     TPM2B_AUTH       *proof = NULL;
   2820     if(CryptIsAsymAlgorithm(publicArea->type))
   2821     {
   2822         // Generate seedValue only when an asymmetric key is a storage key
   2823         if(publicArea->objectAttributes.decrypt == SET
   2824                   && publicArea->objectAttributes.restricted == SET)
   2825         {
   2826              // If this is a primary object in the endorsement hierarchy, use
   2827              // ehProof in the creation of the symmetric seed so that child
   2828              // objects in the endorsement hierarchy are voided on TPM2_Clear()
   2829              // or TPM2_ChangeEPS()
   2830              if(    parentHandle == TPM_RH_ENDORSEMENT
   2831                  && publicArea->objectAttributes.fixedTPM == SET)
   2832                   proof = &gp.ehProof;
   2833         }
   2834         else
   2835         {
   2836              sensitive->seedValue.t.size = 0;
   2837              return;
   2838         }
   2839     }
   2840     // For all object types, the size of seedValue is the digest size of nameAlg
   2841     sensitive->seedValue.t.size = CryptGetHashDigestSize(publicArea->nameAlg);
   2842     // Compute seedValue using implementation-dependent method
   2843     _cpri__GenerateSeededRandom(sensitive->seedValue.t.size,
   2844                                 sensitive->seedValue.t.buffer,
   2845                                 hashAlg,
   2846                                 &seed->b,
   2847                                 "seedValue",
   2848                                 &name->b,
   2849                                 (TPM2B *)proof);
   2850     return;
   2851 }
   2852 #endif //%
   2853 //
   2854 //
   2855 //       10.2.9.12 CryptCreateObject()
   2856 //
   2857 //       This function creates an object. It:
   2858 //       a) fills in the created key in public and sensitive area;
   2859 //       b) creates a random number in sensitive area for symmetric keys; and
   2860 //       c) compute the unique id in public area for symmetric keys.
   2861 //
   2862 //
   2863 //
   2864 //
   2865 //       Error Returns                     Meaning
   2866 //
   2867 //       TPM_RC_KEY_SIZE                   key size in the public area does not match the size in the sensitive
   2868 //                                         creation area for a symmetric key
   2869 //       TPM_RC_RANGE                      for an RSA key, the exponent is not supported
   2870 //       TPM_RC_SIZE                       sensitive data size is larger than allowed for the scheme for a keyed
   2871 //                                         hash object
   2872 //       TPM_RC_VALUE                      exponent is not prime or could not find a prime using the provided
   2873 //                                         parameters for an RSA key; unsupported name algorithm for an ECC
   2874 //                                         key
   2875 //
   2876 TPM_RC
   2877 CryptCreateObject(
   2878    TPM_HANDLE                       parentHandle,            //   IN/OUT: indication of the seed
   2879                                                              //       source
   2880    TPMT_PUBLIC                    *publicArea,               //   IN/OUT: public area
   2881    TPMS_SENSITIVE_CREATE          *sensitiveCreate,          //   IN: sensitive creation
   2882    TPMT_SENSITIVE                 *sensitive                 //   OUT: sensitive area
   2883    )
   2884 {
   2885    // Next value is a placeholder for a random seed that is used in
   2886    // key creation when the parent is not a primary seed. It has the same
   2887    // size as the primary seed.
   2888    TPM2B_SEED          localSeed;            // data to seed key creation if this
   2889                                              // is not a primary seed
   2890    TPM2B_SEED         *seed = NULL;
   2891    TPM_RC              result = TPM_RC_SUCCESS;
   2892    TPM2B_NAME          name;
   2893    TPM_ALG_ID          hashAlg = CONTEXT_INTEGRITY_HASH_ALG;
   2894    OBJECT             *parent;
   2895    UINT32              counter;
   2896    // Set the sensitive type for the object
   2897    sensitive->sensitiveType = publicArea->type;
   2898    ObjectComputeName(publicArea, &name);
   2899    // For all objects, copy the initial auth data
   2900    sensitive->authValue = sensitiveCreate->userAuth;
   2901    // If this is a permanent handle assume that it is a hierarchy
   2902    if(HandleGetType(parentHandle) == TPM_HT_PERMANENT)
   2903    {
   2904        seed = HierarchyGetPrimarySeed(parentHandle);
   2905    }
   2906    else
   2907    {
   2908        // If not hierarchy handle, get parent
   2909        parent = ObjectGet(parentHandle);
   2910        hashAlg = parent->publicArea.nameAlg;
   2911         // Use random value as seed for non-primary objects
   2912         localSeed.t.size = PRIMARY_SEED_SIZE;
   2913         CryptGenerateRandom(PRIMARY_SEED_SIZE, localSeed.t.buffer);
   2914         seed = &localSeed;
   2915    }
   2916    switch(publicArea->type)
   2917    {
   2918 #ifdef TPM_ALG_RSA
   2919        // Create RSA key
   2920    case TPM_ALG_RSA:
   2921        result = CryptGenerateKeyRSA(publicArea, sensitive,
   2922                                     hashAlg, seed, &name, &counter);
   2923        break;
   2924 #endif // TPM_ALG_RSA
   2925 #ifdef TPM_ALG_ECC
   2926        // Create ECC key
   2927    case TPM_ALG_ECC:
   2928        result = CryptGenerateKeyECC(publicArea, sensitive,
   2929                                         hashAlg, seed, &name, &counter);
   2930        break;
   2931 #endif // TPM_ALG_ECC
   2932        // Collect symmetric key information
   2933    case TPM_ALG_SYMCIPHER:
   2934        return CryptGenerateKeySymmetric(publicArea, sensitiveCreate,
   2935                                         sensitive, hashAlg, seed, &name);
   2936        break;
   2937    case TPM_ALG_KEYEDHASH:
   2938        return CryptGenerateKeyedHash(publicArea, sensitiveCreate,
   2939                                      sensitive, hashAlg, seed, &name);
   2940        break;
   2941    default:
   2942        pAssert(0);
   2943        break;
   2944    }
   2945    if(result == TPM_RC_SUCCESS)
   2946    {
   2947        TPM2B_AUTH          *proof = NULL;
   2948         if(publicArea->objectAttributes.decrypt == SET
   2949                  && publicArea->objectAttributes.restricted == SET)
   2950         {
   2951             // If this is a primary object in the endorsement hierarchy, use
   2952             // ehProof in the creation of the symmetric seed so that child
   2953             // objects in the endorsement hierarchy are voided on TPM2_Clear()
   2954             // or TPM2_ChangeEPS()
   2955             if(    parentHandle == TPM_RH_ENDORSEMENT
   2956                 && publicArea->objectAttributes.fixedTPM == SET)
   2957                  proof = &gp.ehProof;
   2958               // For all object types, the size of seedValue is the digest size
   2959               // of its nameAlg
   2960               sensitive->seedValue.t.size
   2961                   = CryptGetHashDigestSize(publicArea->nameAlg);
   2962               // Compute seedValue using implementation-dependent method
   2963               _cpri__GenerateSeededRandom(sensitive->seedValue.t.size,
   2964                                           sensitive->seedValue.t.buffer,
   2965                                           hashAlg,
   2966                                           &seed->b,
   2967                                           "seedValuea",
   2968                                           &name.b,
   2969                                           (TPM2B *)proof);
   2970         }
   2971         else
   2972         {
   2973               sensitive->seedValue.t.size = 0;
   2974         }
   2975    }
   2976    return result;
   2977 }
   2978 //
   2979 //       10.2.9.13 CryptObjectIsPublicConsistent()
   2980 //
   2981 //       This function checks that the key sizes in the public area are consistent. For an asymmetric key, the size
   2982 //       of the public key must match the size indicated by the public->parameters.
   2983 //       Checks for the algorithm types matching the key type are handled by the unmarshaling operation.
   2984 //
   2985 //       Return Value                      Meaning
   2986 //
   2987 //       TRUE                              sizes are consistent
   2988 //       FALSE                             sizes are not consistent
   2989 //
   2990 BOOL
   2991 CryptObjectIsPublicConsistent(
   2992    TPMT_PUBLIC         *publicArea           // IN: public area
   2993    )
   2994 {
   2995    BOOL                  OK = TRUE;
   2996    switch (publicArea->type)
   2997    {
   2998 #ifdef TPM_ALG_RSA
   2999        case TPM_ALG_RSA:
   3000            OK = CryptAreKeySizesConsistent(publicArea);
   3001            break;
   3002 #endif //TPM_ALG_RSA
   3003 #ifdef TPM_ALG_ECC
   3004        case TPM_ALG_ECC:
   3005            {
   3006                const ECC_CURVE                              *curveValue;
   3007                   // Check that the public point is on the indicated curve.
   3008                   OK = CryptEccIsPointOnCurve(
   3009                                   publicArea->parameters.eccDetail.curveID,
   3010                                   &publicArea->unique.ecc);
   3011                   if(OK)
   3012                   {
   3013                       curveValue = CryptEccGetCurveDataPointer(
   3014                                            publicArea->parameters.eccDetail.curveID);
   3015                       pAssert(curveValue != NULL);
   3016                        // The input ECC curve must be a supported curve
   3017                        // IF a scheme is defined for the curve, then that scheme must
   3018                        // be used.
   3019                        OK =    (curveValue->sign.scheme == TPM_ALG_NULL
   3020                             || (   publicArea->parameters.eccDetail.scheme.scheme
   3021                                 == curveValue->sign.scheme));
   3022                        OK = OK && CryptAreKeySizesConsistent(publicArea);
   3023                }
   3024            }
   3025            break;
   3026 #endif //TPM_ALG_ECC
   3027         default:
   3028             // Symmetric object common checks
   3029             // There is noting to check with a symmetric key that is public only.
   3030             // Also not sure that there is anything useful to be done with it
   3031             // either.
   3032             break;
   3033    }
   3034    return OK;
   3035 }
   3036 //
   3037 //
   3038 //
   3039 //       10.2.9.14 CryptObjectPublicPrivateMatch()
   3040 //
   3041 //       This function checks the cryptographic binding between the public and sensitive areas.
   3042 //
   3043 //       Error Returns                   Meaning
   3044 //
   3045 //       TPM_RC_TYPE                     the type of the public and private areas are not the same
   3046 //       TPM_RC_FAILURE                  crypto error
   3047 //       TPM_RC_BINDING                  the public and private areas are not cryptographically matched.
   3048 //
   3049 TPM_RC
   3050 CryptObjectPublicPrivateMatch(
   3051    OBJECT              *object                // IN: the object to check
   3052    )
   3053 {
   3054    TPMT_PUBLIC               *publicArea;
   3055    TPMT_SENSITIVE            *sensitive;
   3056    TPM_RC                     result = TPM_RC_SUCCESS;
   3057    BOOL                       isAsymmetric = FALSE;
   3058    pAssert(object != NULL);
   3059    publicArea = &object->publicArea;
   3060    sensitive = &object->sensitive;
   3061    if(publicArea->type != sensitive->sensitiveType)
   3062        return TPM_RC_TYPE;
   3063    switch(publicArea->type)
   3064    {
   3065 #ifdef TPM_ALG_RSA
   3066    case TPM_ALG_RSA:
   3067        isAsymmetric = TRUE;
   3068        // The public and private key sizes need to be consistent
   3069        if(sensitive->sensitive.rsa.t.size != publicArea->unique.rsa.t.size/2)
   3070             result = TPM_RC_BINDING;
   3071        else
   3072        // Load key by computing the private exponent
   3073             result = CryptLoadPrivateRSA(object);
   3074        break;
   3075 #endif
   3076 #ifdef TPM_ALG_ECC
   3077        // This function is called from ObjectLoad() which has already checked to
   3078        // see that the public point is on the curve so no need to repeat that
   3079        // check.
   3080    case TPM_ALG_ECC:
   3081        isAsymmetric = TRUE;
   3082        if(    publicArea->unique.ecc.x.t.size
   3083                  != sensitive->sensitive.ecc.t.size)
   3084             result = TPM_RC_BINDING;
   3085        else if(publicArea->nameAlg != TPM_ALG_NULL)
   3086        {
   3087             TPMS_ECC_POINT           publicToCompare;
   3088             // Compute ECC public key
   3089             CryptEccPointMultiply(&publicToCompare,
   3090                                    publicArea->parameters.eccDetail.curveID,
   3091                                    &sensitive->sensitive.ecc, NULL);
   3092             // Compare ECC public key
   3093             if(    (!Memory2BEqual(&publicArea->unique.ecc.x.b,
   3094                                    &publicToCompare.x.b))
   3095                 || (!Memory2BEqual(&publicArea->unique.ecc.y.b,
   3096                                    &publicToCompare.y.b)))
   3097                  result = TPM_RC_BINDING;
   3098        }
   3099        break;
   3100 //
   3101 #endif
   3102    case TPM_ALG_KEYEDHASH:
   3103        break;
   3104    case TPM_ALG_SYMCIPHER:
   3105        if(    (publicArea->parameters.symDetail.sym.keyBits.sym + 7)/8
   3106            != sensitive->sensitive.sym.t.size)
   3107             result = TPM_RC_BINDING;
   3108        break;
   3109    default:
   3110        // The choice here is an assert or a return of a bad type for the object
   3111        pAssert(0);
   3112        break;
   3113    }
   3114    // For asymmetric keys, the algorithm for validating the linkage between
   3115    // the public and private areas is algorithm dependent. For symmetric keys
   3116    // the linkage is based on hashing the symKey and obfuscation values.
   3117    if(   result == TPM_RC_SUCCESS && !isAsymmetric
   3118       && publicArea->nameAlg != TPM_ALG_NULL)
   3119    {
   3120        TPM2B_DIGEST    uniqueToCompare;
   3121         // Compute unique for symmetric key
   3122         CryptComputeSymmetricUnique(publicArea->nameAlg, sensitive,
   3123                                      &uniqueToCompare);
   3124         // Compare unique
   3125         if(!Memory2BEqual(&publicArea->unique.sym.b,
   3126                           &uniqueToCompare.b))
   3127             result = TPM_RC_BINDING;
   3128    }
   3129    return result;
   3130 }
   3131 //
   3132 //
   3133 //       10.2.9.15 CryptGetSignHashAlg()
   3134 //
   3135 //       Get the hash algorithm of signature from a TPMT_SIGNATURE structure. It assumes the signature is not
   3136 //       NULL This is a function for easy access
   3137 //
   3138 TPMI_ALG_HASH
   3139 CryptGetSignHashAlg(
   3140    TPMT_SIGNATURE     *auth             // IN: signature
   3141    )
   3142 {
   3143    pAssert(auth->sigAlg != TPM_ALG_NULL);
   3144    // Get authHash algorithm based on signing scheme
   3145    switch(auth->sigAlg)
   3146    {
   3147 #ifdef   TPM_ALG_RSA
   3148         case TPM_ALG_RSASSA:
   3149             return auth->signature.rsassa.hash;
   3150         case TPM_ALG_RSAPSS:
   3151             return auth->signature.rsapss.hash;
   3152    #endif //TPM_ALG_RSA
   3153    #ifdef TPM_ALG_ECC
   3154        case TPM_ALG_ECDSA:
   3155            return auth->signature.ecdsa.hash;
   3156    #endif //TPM_ALG_ECC
   3157             case TPM_ALG_HMAC:
   3158                 return auth->signature.hmac.hashAlg;
   3159             default:
   3160                 return TPM_ALG_NULL;
   3161     }
   3162 }
   3163 //
   3164 //
   3165 //       10.2.9.16 CryptIsSplitSign()
   3166 //
   3167 //       This function us used to determine if the signing operation is a split signing operation that required a
   3168 //       TPM2_Commit().
   3169 //
   3170 BOOL
   3171 CryptIsSplitSign(
   3172     TPM_ALG_ID           scheme             // IN: the algorithm selector
   3173     )
   3174 {
   3175     if(   scheme != scheme
   3176 #    ifdef   TPM_ALG_ECDAA
   3177        || scheme == TPM_ALG_ECDAA
   3178 #    endif   // TPM_ALG_ECDAA
   3179         )
   3180         return TRUE;
   3181     return FALSE;
   3182 }
   3183 //
   3184 //
   3185 //       10.2.9.17 CryptIsSignScheme()
   3186 //
   3187 //       This function indicates if a scheme algorithm is a sign algorithm.
   3188 //
   3189 BOOL
   3190 CryptIsSignScheme(
   3191     TPMI_ALG_ASYM_SCHEME           scheme
   3192     )
   3193 {
   3194     BOOL                isSignScheme = FALSE;
   3195    switch(scheme)
   3196    {
   3197 #ifdef TPM_ALG_RSA
   3198        // If RSA is implemented, then both signing schemes are required
   3199    case TPM_ALG_RSASSA:
   3200    case TPM_ALG_RSAPSS:
   3201        isSignScheme = TRUE;
   3202        break;
   3203 #endif //TPM_ALG_RSA
   3204 #ifdef TPM_ALG_ECC
   3205        // If ECC is implemented ECDSA is required
   3206    case TPM_ALG_ECDSA:
   3207 #ifdef TPM_ALG_ECDAA
   3208        // ECDAA is optional
   3209    case TPM_ALG_ECDAA:
   3210 #endif
   3211 #ifdef   TPM_ALG_ECSCHNORR
   3212        // Schnorr is also optional
   3213    case TPM_ALG_ECSCHNORR:
   3214 #endif
   3215 #ifdef TPM_ALG_SM2
   3216    case TPM_ALG_SM2:
   3217 #endif
   3218        isSignScheme = TRUE;
   3219        break;
   3220 #endif //TPM_ALG_ECC
   3221    default:
   3222        break;
   3223    }
   3224    return isSignScheme;
   3225 }
   3226 //
   3227 //
   3228 //       10.2.9.18 CryptIsDecryptScheme()
   3229 //
   3230 //       This function indicate if a scheme algorithm is a decrypt algorithm.
   3231 //
   3232 BOOL
   3233 CryptIsDecryptScheme(
   3234     TPMI_ALG_ASYM_SCHEME           scheme
   3235     )
   3236 {
   3237     BOOL           isDecryptScheme = FALSE;
   3238    switch(scheme)
   3239    {
   3240 #ifdef TPM_ALG_RSA
   3241        // If RSA is implemented, then both decrypt schemes are required
   3242    case TPM_ALG_RSAES:
   3243    case TPM_ALG_OAEP:
   3244         isDecryptScheme = TRUE;
   3245        break;
   3246 #endif //TPM_ALG_RSA
   3247 #ifdef TPM_ALG_ECC
   3248        // If ECC is implemented ECDH is required
   3249    case TPM_ALG_ECDH:
   3250 #ifdef TPM_ALG_SM2
   3251    case TPM_ALG_SM2:
   3252 #endif
   3253 #ifdef TPM_ALG_ECMQV
   3254    case TPM_ALG_ECMQV:
   3255 #endif
   3256        isDecryptScheme = TRUE;
   3257        break;
   3258 #endif //TPM_ALG_ECC
   3259    default:
   3260        break;
   3261    }
   3262    return isDecryptScheme;
   3263 }
   3264 //
   3265 //
   3266 //       10.2.9.19 CryptSelectSignScheme()
   3267 //
   3268 //       This function is used by the attestation and signing commands. It implements the rules for selecting the
   3269 //       signature scheme to use in signing. This function requires that the signing key either be TPM_RH_NULL
   3270 //       or be loaded.
   3271 //       If a default scheme is defined in object, the default scheme should be chosen, otherwise, the input
   3272 //       scheme should be chosen. In the case that both object and input scheme has a non-NULL scheme
   3273 //       algorithm, if the schemes are compatible, the input scheme will be chosen.
   3274 //
   3275 //
   3276 //
   3277 //
   3278 //       Error Returns                   Meaning
   3279 //
   3280 //       TPM_RC_KEY                      key referenced by signHandle is not a signing key
   3281 //       TPM_RC_SCHEME                   both scheme and key's default scheme are empty; or scheme is
   3282 //                                       empty while key's default scheme requires explicit input scheme (split
   3283 //                                       signing); or non-empty default key scheme differs from scheme
   3284 //
   3285 TPM_RC
   3286 CryptSelectSignScheme(
   3287    TPMI_DH_OBJECT             signHandle,        // IN: handle of signing key
   3288    TPMT_SIG_SCHEME           *scheme             // IN/OUT: signing scheme
   3289    )
   3290 {
   3291    OBJECT                    *signObject;
   3292    TPMT_SIG_SCHEME           *objectScheme;
   3293    TPMT_PUBLIC               *publicArea;
   3294    TPM_RC                     result = TPM_RC_SUCCESS;
   3295    // If the signHandle is TPM_RH_NULL, then the NULL scheme is used, regardless
   3296    // of the setting of scheme
   3297    if(signHandle == TPM_RH_NULL)
   3298    {
   3299        scheme->scheme = TPM_ALG_NULL;
   3300        scheme->details.any.hashAlg = TPM_ALG_NULL;
   3301    }
   3302    else
   3303    {
   3304        // sign handle is not NULL so...
   3305        // Get sign object pointer
   3306        signObject = ObjectGet(signHandle);
   3307        publicArea = &signObject->publicArea;
   3308         // is this a signing key?
   3309         if(!publicArea->objectAttributes.sign)
   3310              result = TPM_RC_KEY;
   3311         else
   3312         {
   3313              // "parms" defined to avoid long code lines.
   3314              TPMU_PUBLIC_PARMS    *parms = &publicArea->parameters;
   3315              if(CryptIsAsymAlgorithm(publicArea->type))
   3316                  objectScheme = (TPMT_SIG_SCHEME *)&parms->asymDetail.scheme;
   3317              else
   3318                  objectScheme = (TPMT_SIG_SCHEME *)&parms->keyedHashDetail.scheme;
   3319                // If the object doesn't have a default scheme, then use the
   3320                // input scheme.
   3321                if(objectScheme->scheme == TPM_ALG_NULL)
   3322                {
   3323                    // Input and default can't both be NULL
   3324                    if(scheme->scheme == TPM_ALG_NULL)
   3325                        result = TPM_RC_SCHEME;
   3326                    // Assume that the scheme is compatible with the key. If not,
   3327                    // we will generate an error in the signing operation.
   3328                }
   3329                else if(scheme->scheme == TPM_ALG_NULL)
   3330                {
   3331                    // input scheme is NULL so use default
   3332                    // First, check to see if the default requires that the caller
   3333                    // provided scheme data
   3334                    if(CryptIsSplitSign(objectScheme->scheme))
   3335                        result = TPM_RC_SCHEME;
   3336                    else
   3337                    {
   3338                        scheme->scheme = objectScheme->scheme;
   3339                        scheme->details.any.hashAlg
   3340                                    = objectScheme->details.any.hashAlg;
   3341                    }
   3342                }
   3343                else
   3344                {
   3345                    // Both input and object have scheme selectors
   3346                    // If the scheme and the hash are not the same then...
   3347                    if(    objectScheme->scheme != scheme->scheme
   3348                        || (   objectScheme->details.any.hashAlg
   3349                            != scheme->details.any.hashAlg))
   3350                         result = TPM_RC_SCHEME;
   3351                }
   3352         }
   3353    }
   3354    return result;
   3355 }
   3356 //
   3357 //
   3358 //       10.2.9.20 CryptSign()
   3359 //
   3360 //       Sign a digest with asymmetric key or HMAC. This function is called by attestation commands and the
   3361 //       generic TPM2_Sign() command. This function checks the key scheme and digest size. It does not check
   3362 //       if the sign operation is allowed for restricted key. It should be checked before the function is called. The
   3363 //       function will assert if the key is not a signing key.
   3364 //
   3365 //       Error Returns                     Meaning
   3366 //
   3367 //       TPM_RC_SCHEME                     signScheme is not compatible with the signing key type
   3368 //       TPM_RC_VALUE                      digest value is greater than the modulus of signHandle or size of
   3369 //                                         hashData does not match hash algorithm insignScheme (for an RSA
   3370 //                                         key); invalid commit status or failed to generate r value (for an ECC
   3371 //                                         key)
   3372 //
   3373 TPM_RC
   3374 CryptSign(
   3375    TPMI_DH_OBJECT            signHandle,          //   IN: The handle of sign key
   3376    TPMT_SIG_SCHEME          *signScheme,          //   IN: sign scheme.
   3377    TPM2B_DIGEST             *digest,              //   IN: The digest being signed
   3378    TPMT_SIGNATURE           *signature            //   OUT: signature
   3379    )
   3380 {
   3381    OBJECT                   *signKey = ObjectGet(signHandle);
   3382    TPM_RC                    result = TPM_RC_SCHEME;
   3383    // check if input handle is a sign key
   3384    pAssert(signKey->publicArea.objectAttributes.sign == SET);
   3385    // Must have the private portion loaded. This check is made during
   3386    // authorization.
   3387    pAssert(signKey->attributes.publicOnly == CLEAR);
   3388    // Initialize signature scheme
   3389    signature->sigAlg = signScheme->scheme;
   3390    // If the signature algorithm is TPM_ALG_NULL, then we are done
   3391    if(signature->sigAlg == TPM_ALG_NULL)
   3392        return TPM_RC_SUCCESS;
   3393    // All the schemes other than TPM_ALG_NULL have a hash algorithm
   3394     TEST_HASH(signScheme->details.any.hashAlg);
   3395     // Initialize signature hash
   3396     // Note: need to do the check for alg null first because the null scheme
   3397     // doesn't have a hashAlg member.
   3398     signature->signature.any.hashAlg = signScheme->details.any.hashAlg;
   3399     // perform sign operation based on different key type
   3400     switch (signKey->publicArea.type)
   3401     {
   3402 #ifdef TPM_ALG_RSA
   3403        case TPM_ALG_RSA:
   3404            result = CryptSignRSA(signKey, signScheme, digest, signature);
   3405            break;
   3406 #endif //TPM_ALG_RSA
   3407 #ifdef TPM_ALG_ECC
   3408        case TPM_ALG_ECC:
   3409            result = CryptSignECC(signKey, signScheme, digest, signature);
   3410            break;
   3411 #endif //TPM_ALG_ECC
   3412        case TPM_ALG_KEYEDHASH:
   3413            result = CryptSignHMAC(signKey, signScheme, digest, signature);
   3414            break;
   3415        default:
   3416            break;
   3417    }
   3418     return result;
   3419 }
   3420 //
   3421 //
   3422 //       10.2.9.21 CryptVerifySignature()
   3423 //
   3424 //       This function is used to verify a signature.               It is called by TPM2_VerifySignature() and
   3425 //       TPM2_PolicySigned().
   3426 //       Since this operation only requires use of a public key, no consistency checks are necessary for the key to
   3427 //       signature type because a caller can load any public key that they like with any scheme that they like. This
   3428 //       routine simply makes sure that the signature is correct, whatever the type.
   3429 //       This function requires that auth is not a NULL pointer.
   3430 //
   3431 //       Error Returns                    Meaning
   3432 //
   3433 //       TPM_RC_SIGNATURE                 the signature is not genuine
   3434 //       TPM_RC_SCHEME                    the scheme is not supported
   3435 //       TPM_RC_HANDLE                    an HMAC key was selected but the private part of the key is not
   3436 //                                        loaded
   3437 //
   3438 TPM_RC
   3439 CryptVerifySignature(
   3440     TPMI_DH_OBJECT       keyHandle,         // IN: The handle of sign key
   3441     TPM2B_DIGEST        *digest,            // IN: The digest being validated
   3442     TPMT_SIGNATURE      *signature          // IN: signature
   3443     )
   3444 {
   3445     // NOTE: ObjectGet will either return a pointer to a loaded object or
   3446     // will assert. It will never return a non-valid value. This makes it save
   3447     // to initialize 'publicArea' with the return value from ObjectGet() without
   3448     // checking it first.
   3449     OBJECT              *authObject = ObjectGet(keyHandle);
   3450     TPMT_PUBLIC         *publicArea = &authObject->publicArea;
   3451     TPM_RC                    result = TPM_RC_SCHEME;
   3452     // The input unmarshaling should prevent any input signature from being
   3453     // a NULL signature, but just in case
   3454     if(signature->sigAlg == TPM_ALG_NULL)
   3455         return TPM_RC_SIGNATURE;
   3456     switch (publicArea->type)
   3457     {
   3458 #ifdef TPM_ALG_RSA
   3459    case TPM_ALG_RSA:
   3460        result = CryptRSAVerifySignature(authObject, digest, signature);
   3461        break;
   3462 #endif //TPM_ALG_RSA
   3463 #ifdef TPM_ALG_ECC
   3464    case TPM_ALG_ECC:
   3465        result = CryptECCVerifySignature(authObject, digest, signature);
   3466        break;
   3467 #endif // TPM_ALG_ECC
   3468     case TPM_ALG_KEYEDHASH:
   3469         if(authObject->attributes.publicOnly)
   3470              result = TPM_RC_HANDLE;
   3471         else
   3472              result = CryptHMACVerifySignature(authObject, digest, signature);
   3473         break;
   3474     default:
   3475         break;
   3476     }
   3477     return result;
   3478 }
   3479 //
   3480 //
   3481 //       10.2.10 Math functions
   3482 //
   3483 //       10.2.10.1 CryptDivide()
   3484 //
   3485 //       This function interfaces to the math library for large number divide.
   3486 //
   3487 //       Error Returns                     Meaning
   3488 //
   3489 //       TPM_RC_SIZE                       quotient or remainder is too small to receive the result
   3490 //
   3491 TPM_RC
   3492 CryptDivide(
   3493     TPM2B               *numerator,           //   IN: numerator
   3494     TPM2B               *denominator,         //   IN: denominator
   3495     TPM2B               *quotient,            //   OUT: quotient = numerator / denominator.
   3496     TPM2B               *remainder            //   OUT: numerator mod denominator.
   3497     )
   3498 {
   3499     pAssert(   numerator != NULL         && denominator!= NULL
   3500             && (quotient != NULL         || remainder != NULL)
   3501            );
   3502     // assume denominator is not         0
   3503     pAssert(denominator->size !=         0);
   3504     return TranslateCryptErrors(_math__Div(numerator,
   3505                                            denominator,
   3506                                                               quotient,
   3507                                                               remainder)
   3508                                            );
   3509 }
   3510 //
   3511 //
   3512 //       10.2.10.2 CryptCompare()
   3513 //
   3514 //       This function interfaces to the math library for large number, unsigned compare.
   3515 //
   3516 //       Return Value                         Meaning
   3517 //
   3518 //       1                                    if a > b
   3519 //       0                                    if a = b
   3520 //       -1                                   if a < b
   3521 //
   3522 LIB_EXPORT int
   3523 CryptCompare(
   3524     const   UINT32         aSize,                  //   IN:   size of a
   3525     const   BYTE          *a,                      //   IN:   a buffer
   3526     const   UINT32         bSize,                  //   IN:   size of b
   3527     const   BYTE          *b                       //   IN:   b buffer
   3528     )
   3529 {
   3530     return _math__uComp(aSize, a, bSize, b);
   3531 }
   3532 //
   3533 //
   3534 //       10.2.10.3 CryptCompareSigned()
   3535 //
   3536 //       This function interfaces to the math library for large number, signed compare.
   3537 //
   3538 //       Return Value                         Meaning
   3539 //
   3540 //       1                                    if a > b
   3541 //       0                                    if a = b
   3542 //       -1                                   if a < b
   3543 //
   3544 int
   3545 CryptCompareSigned(
   3546     UINT32                 aSize,                  //   IN:   size of a
   3547     BYTE                  *a,                      //   IN:   a buffer
   3548     UINT32                 bSize,                  //   IN:   size of b
   3549     BYTE                  *b                       //   IN:   b buffer
   3550     )
   3551 {
   3552     return _math__Comp(aSize, a, bSize, b);
   3553 }
   3554 //
   3555 //
   3556 //       10.2.10.4 CryptGetTestResult
   3557 //
   3558 //       This function returns the results of a self-test function.
   3559 //
   3560 //       NOTE:            the behavior in this function is NOT the correct behavior for a real TPM implementation. An artificial behavior is
   3561 //                        placed here due to the limitation of a software simulation environment. For the correct behavior, consult the
   3562 //                        part 3 specification for TPM2_GetTestResult().
   3563 //
   3564 TPM_RC
   3565 CryptGetTestResult(
   3566     TPM2B_MAX_BUFFER            *outData                 // OUT: test result data
   3567      )
   3568 {
   3569      outData->t.size = 0;
   3570      return TPM_RC_SUCCESS;
   3571 }
   3572 //
   3573 //
   3574 //       10.2.11 Capability Support
   3575 //
   3576 //       10.2.11.1 CryptCapGetECCCurve()
   3577 //
   3578 //       This function returns the list of implemented ECC curves.
   3579 //
   3580 //       Return Value                      Meaning
   3581 //
   3582 //       YES                               if no more ECC curve is available
   3583 //       NO                                if there are more ECC curves not reported
   3584 //
   3585 #ifdef TPM_ALG_ECC //% 5
   3586 TPMI_YES_NO
   3587 CryptCapGetECCCurve(
   3588      TPM_ECC_CURVE      curveID,             // IN: the starting ECC curve
   3589      UINT32             maxCount,            // IN: count of returned curve
   3590      TPML_ECC_CURVE    *curveList            // OUT: ECC curve list
   3591      )
   3592 {
   3593      TPMI_YES_NO         more = NO;
   3594      UINT16              i;
   3595      UINT32              count = _cpri__EccGetCurveCount();
   3596      TPM_ECC_CURVE       curve;
   3597      // Initialize output property list
   3598      curveList->count = 0;
   3599      // The maximum count of curves we may return is MAX_ECC_CURVES
   3600      if(maxCount > MAX_ECC_CURVES) maxCount = MAX_ECC_CURVES;
   3601      // Scan the eccCurveValues array
   3602      for(i = 0; i < count; i++)
   3603      {
   3604          curve = _cpri__GetCurveIdByIndex(i);
   3605          // If curveID is less than the starting curveID, skip it
   3606          if(curve < curveID)
   3607              continue;
   3608          if(curveList->count < maxCount)
   3609          {
   3610               // If we have not filled up the return list, add more curves to
   3611               // it
   3612               curveList->eccCurves[curveList->count] = curve;
   3613               curveList->count++;
   3614          }
   3615          else
   3616          {
   3617               // If the return list is full but we still have curves
   3618               // available, report this and stop iterating
   3619               more = YES;
   3620               break;
   3621          }
   3622      }
   3623      return more;
   3624 }
   3625 //
   3626 //
   3627 //       10.2.11.2 CryptCapGetEccCurveNumber()
   3628 //
   3629 //       This function returns the number of ECC curves supported by the TPM.
   3630 //
   3631 UINT32
   3632 CryptCapGetEccCurveNumber(
   3633    void
   3634    )
   3635 {
   3636    // There is an array that holds the curve data. Its size divided by the
   3637    // size of an entry is the number of values in the table.
   3638    return _cpri__EccGetCurveCount();
   3639 }
   3640 #endif //TPM_ALG_ECC //% 5
   3641 //
   3642 //
   3643 //       10.2.11.3 CryptAreKeySizesConsistent()
   3644 //
   3645 //       This function validates that the public key size values are consistent for an asymmetric key.
   3646 //
   3647 //       NOTE:           This is not a comprehensive test of the public key.
   3648 //
   3649 //
   3650 //       Return Value                        Meaning
   3651 //
   3652 //       TRUE                                sizes are consistent
   3653 //       FALSE                               sizes are not consistent
   3654 //
   3655 BOOL
   3656 CryptAreKeySizesConsistent(
   3657    TPMT_PUBLIC           *publicArea              // IN: the public area to check
   3658    )
   3659 {
   3660    BOOL                  consistent = FALSE;
   3661    switch (publicArea->type)
   3662    {
   3663 #ifdef TPM_ALG_RSA
   3664        case TPM_ALG_RSA:
   3665            // The key size in bits is filtered by the unmarshaling
   3666            consistent = (     ((publicArea->parameters.rsaDetail.keyBits+7)/8)
   3667                            == publicArea->unique.rsa.t.size);
   3668            break;
   3669 #endif //TPM_ALG_RSA
   3670 #ifdef TPM_ALG_ECC
   3671        case TPM_ALG_ECC:
   3672            {
   3673                UINT16                        keySizeInBytes;
   3674                TPM_ECC_CURVE                 curveId = publicArea->parameters.eccDetail.curveID;
   3675                    keySizeInBytes = CryptEccGetKeySizeInBytes(curveId);
   3676                    consistent =         keySizeInBytes > 0
   3677                                      && publicArea->unique.ecc.x.t.size <= keySizeInBytes
   3678                                      && publicArea->unique.ecc.y.t.size <= keySizeInBytes;
   3679            }
   3680            break;
   3681 #endif //TPM_ALG_ECC
   3682        default:
   3683            break;
   3684       }
   3685       return consistent;
   3686 }
   3687 //
   3688 //
   3689 //       10.2.11.4 CryptAlgSetImplemented()
   3690 //
   3691 //       This function initializes the bit vector with one bit for each implemented algorithm. This function is called
   3692 //       from _TPM_Init(). The vector of implemented algorithms should be generated by the part 2 parser so that
   3693 //       the g_implementedAlgorithms vector can be a const. That's not how it is now
   3694 //
   3695 void
   3696 CryptAlgsSetImplemented(
   3697       void
   3698       )
   3699 {
   3700       AlgorithmGetImplementedVector(&g_implementedAlgorithms);
   3701 }
   3702