/* This file includes functions that were extracted from the TPM2 * source, but were present in files not included in compilation. */ #include "Global.h" #include "CryptoEngine.h" #include UINT16 _cpri__StartHMAC( TPM_ALG_ID hashAlg, // IN: the algorithm to use BOOL sequence, // IN: indicates if the state should be saved CPRI_HASH_STATE * state, // IN/OUT: the state buffer UINT16 keySize, // IN: the size of the HMAC key BYTE * key, // IN: the HMAC key TPM2B * oPadKey // OUT: the key prepared for the oPad round ) { CPRI_HASH_STATE localState; UINT16 blockSize = _cpri__GetHashBlockSize(hashAlg); UINT16 digestSize; BYTE *pb; // temp pointer UINT32 i; // If the key size is larger than the block size, then the hash of the key // is used as the key if(keySize > blockSize) { // large key so digest if((digestSize = _cpri__StartHash(hashAlg, FALSE, &localState)) == 0) return 0; _cpri__UpdateHash(&localState, keySize, key); _cpri__CompleteHash(&localState, digestSize, oPadKey->buffer); oPadKey->size = digestSize; } else { // key size is ok memcpy(oPadKey->buffer, key, keySize); oPadKey->size = keySize; } // XOR the key with iPad (0x36) pb = oPadKey->buffer; for(i = oPadKey->size; i > 0; i--) *pb++ ^= 0x36; // if the keySize is smaller than a block, fill the rest with 0x36 for(i = blockSize - oPadKey->size; i > 0; i--) *pb++ = 0x36; // Increase the oPadSize to a full block oPadKey->size = blockSize; // Start a new hash with the HMAC key // This will go in the caller's state structure and may be a sequence or not if((digestSize = _cpri__StartHash(hashAlg, sequence, state)) > 0) { _cpri__UpdateHash(state, oPadKey->size, oPadKey->buffer); // XOR the key block with 0x5c ^ 0x36 for(pb = oPadKey->buffer, i = blockSize; i > 0; i--) *pb++ ^= (0x5c ^ 0x36); } return digestSize; } UINT16 _cpri__CompleteHMAC( CPRI_HASH_STATE * hashState, // IN: the state of hash stack TPM2B * oPadKey, // IN: the HMAC key in oPad format UINT32 dOutSize, // IN: size of digest buffer BYTE * dOut // OUT: hash digest ) { BYTE digest[MAX_DIGEST_SIZE]; CPRI_HASH_STATE *state = (CPRI_HASH_STATE *)hashState; CPRI_HASH_STATE localState; UINT16 digestSize = _cpri__GetDigestSize(state->hashAlg); _cpri__CompleteHash(hashState, digestSize, digest); // Using the local hash state, do a hash with the oPad if(_cpri__StartHash(state->hashAlg, FALSE, &localState) != digestSize) return 0; _cpri__UpdateHash(&localState, oPadKey->size, oPadKey->buffer); _cpri__UpdateHash(&localState, digestSize, digest); return _cpri__CompleteHash(&localState, dOutSize, dOut); } UINT16 _cpri__KDFa( TPM_ALG_ID hashAlg, // IN: hash algorithm used in HMAC TPM2B * key, // IN: HMAC key const char *label, // IN: a 0-byte terminated label used in KDF TPM2B * contextU, // IN: context U TPM2B * contextV, // IN: context V UINT32 sizeInBits, // IN: size of generated key in bit BYTE * keyStream, // OUT: key buffer UINT32 * counterInOut, // IN/OUT: caller may provide the iteration // counter for incremental operations to // avoid large intermediate buffers. BOOL once // IN: TRUE if only one iteration is // performed FALSE if iteration count determined by "sizeInBits" ) { UINT32 counter = 0; // counter value INT32 lLen = 0; // length of the label INT16 hLen; // length of the hash INT16 bytes; // number of bytes to produce BYTE *stream = keyStream; BYTE marshaledUint32[4]; CPRI_HASH_STATE hashState; TPM2B_MAX_HASH_BLOCK hmacKey; pAssert(key != NULL && keyStream != NULL); pAssert(once == FALSE || (sizeInBits & 7) == 0); if(counterInOut != NULL) counter = *counterInOut; // Prepare label buffer. Calculate its size and keep the last 0 byte if(label != NULL) for(lLen = 0; label[lLen++] != 0; ); // Get the hash size. If it is less than or 0, either the // algorithm is not supported or the hash is TPM_ALG_NULL // // In either case the digest size is zero. This is the only return // other than the one at the end. All other exits from this function // are fatal errors. After we check that the algorithm is supported // anything else that goes wrong is an implementation flaw. if((hLen = (INT16) _cpri__GetDigestSize(hashAlg)) == 0) return 0; // If the size of the request is larger than the numbers will handle, // it is a fatal error. pAssert(((sizeInBits + 7)/ 8) <= INT16_MAX); bytes = once ? hLen : (INT16)((sizeInBits + 7) / 8); // Generate required bytes for (; bytes > 0; stream = &stream[hLen], bytes = bytes - hLen) { if(bytes < hLen) hLen = bytes; counter++; // Start HMAC if(_cpri__StartHMAC(hashAlg, FALSE, &hashState, key->size, &key->buffer[0], &hmacKey.b) <= 0) FAIL(FATAL_ERROR_INTERNAL); // Adding counter UINT32_TO_BYTE_ARRAY(counter, marshaledUint32); _cpri__UpdateHash(&hashState, sizeof(UINT32), marshaledUint32); // Adding label if(label != NULL) _cpri__UpdateHash(&hashState, lLen, (BYTE *)label); // Adding contextU if(contextU != NULL) _cpri__UpdateHash(&hashState, contextU->size, contextU->buffer); // Adding contextV if(contextV != NULL) _cpri__UpdateHash(&hashState, contextV->size, contextV->buffer); // Adding size in bits UINT32_TO_BYTE_ARRAY(sizeInBits, marshaledUint32); _cpri__UpdateHash(&hashState, sizeof(UINT32), marshaledUint32); // Compute HMAC. At the start of each iteration, hLen is set // to the smaller of hLen and bytes. This causes bytes to decrement // exactly to zero to complete the loop _cpri__CompleteHMAC(&hashState, &hmacKey.b, hLen, stream); } // Mask off bits if the required bits is not a multiple of byte size if((sizeInBits % 8) != 0) keyStream[0] &= ((1 << (sizeInBits % 8)) - 1); if(counterInOut != NULL) *counterInOut = counter; return (CRYPT_RESULT)((sizeInBits + 7)/8); } UINT16 _cpri__KDFe( TPM_ALG_ID hashAlg, // IN: hash algorithm used in HMAC TPM2B * Z, // IN: Z const char *label, // IN: a 0 terminated label using in KDF TPM2B * partyUInfo, // IN: PartyUInfo TPM2B * partyVInfo, // IN: PartyVInfo UINT32 sizeInBits, // IN: size of generated key in bit BYTE * keyStream // OUT: key buffer ) { UINT32 counter = 0; // counter value UINT32 lSize = 0; BYTE *stream = keyStream; CPRI_HASH_STATE hashState; INT16 hLen = (INT16) _cpri__GetDigestSize(hashAlg); INT16 bytes; // number of bytes to generate BYTE marshaledUint32[4]; pAssert( keyStream != NULL && Z != NULL && ((sizeInBits + 7) / 8) < INT16_MAX); if(hLen == 0) return 0; bytes = (INT16)((sizeInBits + 7) / 8); // Prepare label buffer. Calculate its size and keep the last 0 byte if(label != NULL) for(lSize = 0; label[lSize++] != 0;); // Generate required bytes //The inner loop of that KDF uses: // Hashi := H(counter | Z | OtherInfo) (5) // Where: // Hashi the hash generated on the i-th iteration of the loop. // H() an approved hash function // counter a 32-bit counter that is initialized to 1 and incremented // on each iteration // Z the X coordinate of the product of a public ECC key and a // different private ECC key. // OtherInfo a collection of qualifying data for the KDF defined below. // In this specification, OtherInfo will be constructed by: // OtherInfo := Use | PartyUInfo | PartyVInfo for (; bytes > 0; stream = &stream[hLen], bytes = bytes - hLen) { if(bytes < hLen) hLen = bytes; // counter++; // Start hash if(_cpri__StartHash(hashAlg, FALSE, &hashState) == 0) return 0; // Add counter UINT32_TO_BYTE_ARRAY(counter, marshaledUint32); _cpri__UpdateHash(&hashState, sizeof(UINT32), marshaledUint32); // Add Z if(Z != NULL) _cpri__UpdateHash(&hashState, Z->size, Z->buffer); // Add label if(label != NULL) _cpri__UpdateHash(&hashState, lSize, (BYTE *)label); else // The SP800-108 specification requires a zero between the label // and the context. _cpri__UpdateHash(&hashState, 1, (BYTE *)""); // Add PartyUInfo if(partyUInfo != NULL) _cpri__UpdateHash(&hashState, partyUInfo->size, partyUInfo->buffer); // Add PartyVInfo if(partyVInfo != NULL) _cpri__UpdateHash(&hashState, partyVInfo->size, partyVInfo->buffer); // Compute Hash. hLen was changed to be the smaller of bytes or hLen // at the start of each iteration. _cpri__CompleteHash(&hashState, hLen, stream); } // Mask off bits if the required bits is not a multiple of byte size if((sizeInBits % 8) != 0) keyStream[0] &= ((1 << (sizeInBits % 8)) - 1); return (CRYPT_RESULT)((sizeInBits + 7) / 8); } UINT16 _cpri__GenerateSeededRandom( INT32 randomSize, // IN: the size of the request BYTE * random, // OUT: receives the data TPM_ALG_ID hashAlg, // IN: used by KDF version but not here TPM2B * seed, // IN: the seed value const char *label, // IN: a label string (optional) TPM2B * partyU, // IN: other data (oprtional) TPM2B * partyV // IN: still more (optional) ) { return (_cpri__KDFa(hashAlg, seed, label, partyU, partyV, randomSize * 8, random, NULL, FALSE)); }