/* This file includes functions that were extracted from the TPM2
* source, but were present in files not included in compilation.
*/
#include "Global.h"
#include "CryptoEngine.h"
#include <string.h>
// Begin an HMAC computation: derive the padded key block, start the inner
// hash in the caller's state and feed it the iPad-masked key.
//
// On return oPadKey holds the key block masked for the oPad round and its
// size is the hash block size; it is meant to be handed to
// _cpri__CompleteHMAC() later.
//
// Return value: the digest size reported by _cpri__StartHash(), or 0 when a
// hash could not be started (in that case the inner hash was not fed).
//
// NOTE(review): this function writes a full hash block into oPadKey->buffer
// and never checks the capacity of that buffer; the caller has to supply a
// TPM2B large enough for the block size of hashAlg.
UINT16 _cpri__StartHMAC(
    TPM_ALG_ID       hashAlg,   // IN: the algorithm to use
    BOOL             sequence,  // IN: indicates if the state should be saved
    CPRI_HASH_STATE *state,     // IN/OUT: the state buffer
    UINT16           keySize,   // IN: the size of the HMAC key
    BYTE            *key,       // IN: the HMAC key
    TPM2B           *oPadKey    // OUT: the key prepared for the oPad round
    )
{
    CPRI_HASH_STATE keyHashState;   // only used to digest an over-long key
    UINT16          blockSize = _cpri__GetHashBlockSize(hashAlg);
    UINT16          digestSize;
    BYTE           *cursor;
    UINT32          remaining;

    if(keySize <= blockSize)
    {
        // The key fits in one block and is used as it is.
        memcpy(oPadKey->buffer, key, keySize);
        oPadKey->size = keySize;
    }
    else
    {
        // A key longer than the block is replaced by its digest.
        digestSize = _cpri__StartHash(hashAlg, FALSE, &keyHashState);
        if(digestSize == 0)
            return 0;
        _cpri__UpdateHash(&keyHashState, keySize, key);
        _cpri__CompleteHash(&keyHashState, digestSize, oPadKey->buffer);
        oPadKey->size = digestSize;
    }

    // Mask the key bytes with the iPad value (0x36) ...
    cursor = oPadKey->buffer;
    for(remaining = oPadKey->size; remaining != 0; remaining--)
    {
        *cursor ^= 0x36;
        cursor++;
    }
    // ... and fill whatever is left of the block with plain 0x36, which is
    // what a zero key byte XOR 0x36 would give.
    for(remaining = blockSize - oPadKey->size; remaining != 0; remaining--)
    {
        *cursor = 0x36;
        cursor++;
    }
    // From here on the key occupies a whole block.
    oPadKey->size = blockSize;

    // Start the inner hash in the caller's state; it may be a sequence or not.
    digestSize = _cpri__StartHash(hashAlg, sequence, state);
    if(digestSize > 0)
    {
        _cpri__UpdateHash(state, oPadKey->size, oPadKey->buffer);
        // Turn the iPad-masked block into the oPad-masked block in place:
        // XOR with (0x5c ^ 0x36) cancels the 0x36 and applies the 0x5c.
        cursor = oPadKey->buffer;
        for(remaining = blockSize; remaining != 0; remaining--)
        {
            *cursor ^= (0x5c ^ 0x36);
            cursor++;
        }
    }
    return digestSize;
}
// Finish an HMAC: complete the inner hash held in hashState, then hash the
// oPad key block followed by that inner digest and write the result to dOut.
//
// Return value: whatever the final _cpri__CompleteHash() returns, or 0 when
// the outer hash could not be started with the expected digest size.
//
// NOTE(review): the inner digest is left in a stack buffer when the function
// returns and the result of completing the inner hash is not checked; neither
// is handled here.
UINT16 _cpri__CompleteHMAC(
    CPRI_HASH_STATE *hashState, // IN: the state of hash stack
    TPM2B           *oPadKey,   // IN: the HMAC key in oPad format
    UINT32           dOutSize,  // IN: size of digest buffer
    BYTE            *dOut       // OUT: hash digest
    )
{
    BYTE            innerDigest[MAX_DIGEST_SIZE];
    CPRI_HASH_STATE outerState;
    UINT16          digestSize = _cpri__GetDigestSize(hashState->hashAlg);

    // Close the inner hash that _cpri__StartHMAC() opened.
    _cpri__CompleteHash(hashState, digestSize, innerDigest);

    // Outer round in a local state: H(oPad key block | inner digest).
    if(_cpri__StartHash(hashState->hashAlg, FALSE, &outerState) == digestSize)
    {
        _cpri__UpdateHash(&outerState, oPadKey->size, oPadKey->buffer);
        _cpri__UpdateHash(&outerState, digestSize, innerDigest);
        return _cpri__CompleteHash(&outerState, dOutSize, dOut);
    }
    return 0;
}
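// Counter-mode KDF built on HMAC. Each iteration computes
//     HMAC(key, counter | label | contextU | contextV | sizeInBits)
// where counter and sizeInBits are the 4-byte forms produced by
// UINT32_TO_BYTE_ARRAY and the label is hashed including its terminating
// zero byte. The outputs are concatenated into keyStream.
//
// Return value: the number of bytes requested, ceil(sizeInBits / 8), or 0
// when the digest size of hashAlg is 0 (unsupported algorithm or
// TPM_ALG_NULL). Every other failure is treated as fatal.
//
// Buffer contract: keyStream must hold ceil(sizeInBits / 8) bytes, and when
// "once" is TRUE one full digest is written regardless of sizeInBits. The
// function has no way to check the capacity of keyStream.
//
// NOTE(review): hmacKey still holds the oPad-masked key block on the stack
// when the function returns; it is not cleared here.
UINT16 _cpri__KDFa(
    TPM_ALG_ID   hashAlg,       // IN: hash algorithm used in HMAC
    TPM2B       *key,           // IN: HMAC key
    const char  *label,         // IN: a 0-byte terminated label used in KDF
    TPM2B       *contextU,      // IN: context U
    TPM2B       *contextV,      // IN: context V
    UINT32       sizeInBits,    // IN: size of generated key in bit
    BYTE        *keyStream,     // OUT: key buffer
    UINT32      *counterInOut,  // IN/OUT: caller may provide the iteration
                                //     counter for incremental operations to
                                //     avoid large intermediate buffers.
    BOOL         once           // IN: TRUE if only one iteration is
                                //     performed FALSE if iteration count
                                //     determined by "sizeInBits"
    )
{
    UINT32                  counter = 0;    // counter value
    INT32                   lLen = 0;       // length of the label
    INT16                   hLen;           // length of the hash
    INT16                   bytes;          // number of bytes to produce
    UINT32                  requestBytes;   // ceil(sizeInBits / 8)
    BYTE                   *stream = keyStream;
    BYTE                    marshaledUint32[4];
    CPRI_HASH_STATE         hashState;
    TPM2B_MAX_HASH_BLOCK    hmacKey;

    pAssert(key != NULL && keyStream != NULL);
    pAssert(once == FALSE || (sizeInBits & 7) == 0);

    if(counterInOut != NULL)
        counter = *counterInOut;

    // Prepare label buffer. Calculate its size and keep the last 0 byte
    if(label != NULL)
        for(lLen = 0; label[lLen++] != 0; )
            ;

    // Get the hash size. If it is 0, either the algorithm is not supported
    // or the hash is TPM_ALG_NULL. This is the only return other than the
    // one at the end; everything that goes wrong after this point is
    // treated as an implementation flaw and is fatal.
    if((hLen = (INT16)_cpri__GetDigestSize(hashAlg)) == 0)
        return 0;

    // Round the bit count up to bytes without forming sizeInBits + 7: that
    // sum wraps for the largest sizeInBits values (assuming UINT32 is a
    // 32-bit unsigned type), which let such a request slip past the range
    // check below and return having generated nothing.
    requestBytes = (sizeInBits / 8) + (((sizeInBits % 8) != 0) ? 1 : 0);

    // If the size of the request is larger than the numbers will handle,
    // it is a fatal error.
    pAssert(requestBytes <= INT16_MAX);

    bytes = once ? hLen : (INT16)requestBytes;

    // Generate required bytes
    for(; bytes > 0; stream = &stream[hLen], bytes = bytes - hLen)
    {
        // The last iteration may need fewer bytes than a full digest.
        if(bytes < hLen)
            hLen = bytes;

        counter++;

        // Start HMAC (the return type is unsigned, so 0 is the only failure)
        if(_cpri__StartHMAC(hashAlg,
                            FALSE,
                            &hashState,
                            key->size,
                            &key->buffer[0],
                            &hmacKey.b) == 0)
            FAIL(FATAL_ERROR_INTERNAL);

        // Adding counter
        UINT32_TO_BYTE_ARRAY(counter, marshaledUint32);
        _cpri__UpdateHash(&hashState, sizeof(UINT32), marshaledUint32);

        // Adding label
        if(label != NULL)
            _cpri__UpdateHash(&hashState, lLen, (BYTE *)label);

        // Adding contextU
        if(contextU != NULL)
            _cpri__UpdateHash(&hashState, contextU->size, contextU->buffer);

        // Adding contextV
        if(contextV != NULL)
            _cpri__UpdateHash(&hashState, contextV->size, contextV->buffer);

        // Adding size in bits
        UINT32_TO_BYTE_ARRAY(sizeInBits, marshaledUint32);
        _cpri__UpdateHash(&hashState, sizeof(UINT32), marshaledUint32);

        // Compute HMAC. At the start of each iteration, hLen is set
        // to the smaller of hLen and bytes. This causes bytes to decrement
        // exactly to zero to complete the loop
        _cpri__CompleteHMAC(&hashState, &hmacKey.b, hLen, stream);
    }

    // Mask off bits if the required bits is not a multiple of byte size
    if((sizeInBits % 8) != 0)
        keyStream[0] &= ((1 << (sizeInBits % 8)) - 1);

    if(counterInOut != NULL)
        *counterInOut = counter;

    return (CRYPT_RESULT)requestBytes;
}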
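// Counter-mode KDF built on a plain hash. Each iteration computes
//     Hashi := H(counter | Z | OtherInfo)
// with
//     OtherInfo := Use | PartyUInfo | PartyVInfo
// where "Use" is the label including its terminating zero byte (a single
// zero byte is hashed when no label is given) and counter is the 4-byte form
// produced by UINT32_TO_BYTE_ARRAY, starting at 1 and incremented on each
// iteration. The outputs are concatenated into keyStream.
//
// Return value: the number of bytes requested, ceil(sizeInBits / 8), or 0
// when the digest size of hashAlg is 0 or a hash could not be started.
//
// Buffer contract: keyStream must hold ceil(sizeInBits / 8) bytes; the
// function has no way to check its capacity.
//
// NOTE(review): the "return 0" inside the loop can leave keyStream partly
// filled by earlier iterations; callers must not use the buffer when 0 is
// returned.
UINT16 _cpri__KDFe(
    TPM_ALG_ID   hashAlg,       // IN: hash algorithm used in HMAC
    TPM2B       *Z,             // IN: Z
    const char  *label,         // IN: a 0 terminated label using in KDF
    TPM2B       *partyUInfo,    // IN: PartyUInfo
    TPM2B       *partyVInfo,    // IN: PartyVInfo
    UINT32       sizeInBits,    // IN: size of generated key in bit
    BYTE        *keyStream      // OUT: key buffer
    )
{
    UINT32           counter = 0;   // counter value
    UINT32           lSize = 0;     // label length, terminator included
    UINT32           requestBytes;  // ceil(sizeInBits / 8)
    BYTE            *stream = keyStream;
    CPRI_HASH_STATE  hashState;
    INT16            hLen = (INT16)_cpri__GetDigestSize(hashAlg);
    INT16            bytes;         // number of bytes to generate
    BYTE             marshaledUint32[4];

    // Round the bit count up to bytes without forming sizeInBits + 7: that
    // sum wraps for the largest sizeInBits values (assuming UINT32 is a
    // 32-bit unsigned type), which let such a request slip past the range
    // check below and return having generated nothing.
    requestBytes = (sizeInBits / 8) + (((sizeInBits % 8) != 0) ? 1 : 0);

    pAssert(   keyStream != NULL
            && Z != NULL
            && requestBytes < INT16_MAX);

    if(hLen == 0)
        return 0;

    bytes = (INT16)requestBytes;

    // Prepare label buffer. Calculate its size and keep the last 0 byte
    if(label != NULL)
        for(lSize = 0; label[lSize++] != 0; )
            ;

    // Generate required bytes
    for(; bytes > 0; stream = &stream[hLen], bytes = bytes - hLen)
    {
        // The last iteration may need fewer bytes than a full digest.
        if(bytes < hLen)
            hLen = bytes;

        counter++;

        // Start hash
        if(_cpri__StartHash(hashAlg, FALSE, &hashState) == 0)
            return 0;

        // Add counter
        UINT32_TO_BYTE_ARRAY(counter, marshaledUint32);
        _cpri__UpdateHash(&hashState, sizeof(UINT32), marshaledUint32);

        // Add Z (the check is kept although Z is asserted non-NULL above)
        if(Z != NULL)
            _cpri__UpdateHash(&hashState, Z->size, Z->buffer);

        // Add label
        if(label != NULL)
            _cpri__UpdateHash(&hashState, lSize, (BYTE *)label);
        else
            // The SP800-108 specification requires a zero between the label
            // and the context.
            _cpri__UpdateHash(&hashState, 1, (BYTE *)"");

        // Add PartyUInfo
        if(partyUInfo != NULL)
            _cpri__UpdateHash(&hashState, partyUInfo->size, partyUInfo->buffer);

        // Add PartyVInfo
        if(partyVInfo != NULL)
            _cpri__UpdateHash(&hashState, partyVInfo->size, partyVInfo->buffer);

        // Compute Hash. hLen was changed to be the smaller of bytes or hLen
        // at the start of each iteration.
        _cpri__CompleteHash(&hashState, hLen, stream);
    }

    // Mask off bits if the required bits is not a multiple of byte size
    if((sizeInBits % 8) != 0)
        keyStream[0] &= ((1 << (sizeInBits % 8)) - 1);

    return (CRYPT_RESULT)requestBytes;
}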
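// Fill "random" with randomSize bytes derived from the seed by running
// _cpri__KDFa() over (hashAlg, seed, label, partyU, partyV) with no
// caller-supplied counter and with "once" set to FALSE.
//
// Return value: the value returned by _cpri__KDFa(), i.e. the number of
// bytes generated, or 0 when hashAlg has no digest size.
//
// The request size is range-checked before it is converted to bits. The
// original multiplied the signed INT32 by 8 directly, which overflows for
// large requests and could reach the KDF as a much smaller bit count than
// the caller asked for. A size outside 0..INT16_MAX is treated as fatal,
// which is how _cpri__KDFa() already treats a request it cannot represent.
UINT16 _cpri__GenerateSeededRandom(
    INT32        randomSize,    // IN: the size of the request in bytes
    BYTE        *random,        // OUT: receives the data
    TPM_ALG_ID   hashAlg,       // IN: hash algorithm handed to the KDF
    TPM2B       *seed,          // IN: the seed value
    const char  *label,         // IN: a label string (optional)
    TPM2B       *partyU,        // IN: other data (optional)
    TPM2B       *partyV         // IN: still more (optional)
    )
{
    pAssert(randomSize >= 0 && randomSize <= INT16_MAX);

    // The range check above makes the unsigned multiplication exact.
    return (_cpri__KDFa(hashAlg, seed, label, partyU, partyV,
                        (UINT32)randomSize * 8, random, NULL, FALSE));
}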