• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* Microsoft Reference Implementation for TPM 2.0
2  *
3  *  The copyright in this software is being made available under the BSD License,
4  *  included below. This software may be subject to other third party and
5  *  contributor rights, including patent rights, and no such rights are granted
6  *  under this license.
7  *
8  *  Copyright (c) Microsoft Corporation
9  *
10  *  All rights reserved.
11  *
12  *  BSD License
13  *
14  *  Redistribution and use in source and binary forms, with or without modification,
15  *  are permitted provided that the following conditions are met:
16  *
17  *  Redistributions of source code must retain the above copyright notice, this list
18  *  of conditions and the following disclaimer.
19  *
20  *  Redistributions in binary form must reproduce the above copyright notice, this
21  *  list of conditions and the following disclaimer in the documentation and/or
22  *  other materials provided with the distribution.
23  *
24  *  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ""AS IS""
25  *  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26  *  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
27  *  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
28  *  ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
29  *  (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
30  *  LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
31  *  ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
32  *  (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33  *  SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34  */
35 //** Includes and Defines
36 #include "Tpm.h"
37 
38 #if CC_ECC_Encrypt || CC_ECC_Encrypt
39 
40 //** Functions
41 
42 //*** CryptEccSelectScheme()
43 // This function is used by TPM2_ECC_Decrypt and TPM2_ECC_Encrypt.  It sets scheme
44 // either the input scheme or the key scheme. If they key scheme is not TPM_ALG_NULL
45 // then the input scheme must be TPM_ALG_NULL or the same as the key scheme. If
46 // not, then the function returns FALSE.
47 //  Return Type: BOOL
48 //      TRUE        'scheme' is set
49 //      FALSE       'scheme' is not valid (it may have been changed).
50 BOOL
CryptEccSelectScheme(OBJECT * key,TPMT_KDF_SCHEME * scheme)51 CryptEccSelectScheme(
52     OBJECT              *key,           //IN: key containing default scheme
53     TPMT_KDF_SCHEME     *scheme         // IN: a decrypt scheme
54 )
55 {
56     TPMT_KDF_SCHEME    *keyScheme = &key->publicArea.parameters.eccDetail.kdf;
57 
58     // Get sign object pointer
59     if(scheme->scheme == TPM_ALG_NULL)
60         *scheme = *keyScheme;
61     if(keyScheme->scheme == TPM_ALG_NULL)
62         keyScheme = scheme;
63     return (scheme->scheme != TPM_ALG_NULL &&
64                 (keyScheme->scheme == scheme->scheme
65             && keyScheme->details.anyKdf.hashAlg == scheme->details.anyKdf.hashAlg));
66 }
67 
68 
69 
70 //*** CryptEccEncrypt()
71 //This function performs ECC-based data obfuscation. The only scheme that is currently
72 // supported is MGF1 based. See Part 1, Annex D for details.
73 //  Return Type: TPM_RC
74 //      TPM_RC_CURVE            unsupported curve
75 //      TPM_RC_HASH             hash not allowed
76 //      TPM_RC_SCHEME           'scheme' is not supported
77 //      TPM_RC_NO_RESULT        internal error in big number processing
78 LIB_EXPORT TPM_RC
CryptEccEncrypt(OBJECT * key,TPMT_KDF_SCHEME * scheme,TPM2B_MAX_BUFFER * plainText,TPMS_ECC_POINT * c1,TPM2B_MAX_BUFFER * c2,TPM2B_DIGEST * c3)79 CryptEccEncrypt(
80     OBJECT                  *key,           // IN: public key of recipient
81     TPMT_KDF_SCHEME         *scheme,        // IN: scheme to use.
82     TPM2B_MAX_BUFFER        *plainText,     // IN: the text to obfuscate
83     TPMS_ECC_POINT          *c1,            // OUT: public ephemeral key
84     TPM2B_MAX_BUFFER        *c2,            // OUT: obfuscated text
85     TPM2B_DIGEST            *c3             // OUT: digest of ephemeral key
86                                             //      and plainText
87 )
88 {
89     CURVE_INITIALIZED(E, key->publicArea.parameters.eccDetail.curveID);
90     POINT_INITIALIZED(PB, &key->publicArea.unique.ecc);
91     POINT_VAR(Px, MAX_ECC_KEY_BITS);
92     TPMS_ECC_POINT          p2;
93     ECC_NUM(D);
94     TPM2B_TYPE(2ECC, MAX_ECC_KEY_BYTES * 2);
95     TPM2B_2ECC              z;
96     int                     i;
97     HASH_STATE              hashState;
98     TPM_RC                  retVal = TPM_RC_SUCCESS;
99     //
100 #if defined DEBUG_ECC_ENCRYPT && DEBUG_ECC_ENCRYPT == YES
101     RND_DEBUG           dbg;
102     // This value is one less than the value from the reference so that it
103     // will become the correct value after having one added
104     TPM2B_ECC_PARAMETER k = {24, {
105         0x38, 0x4F, 0x30, 0x35, 0x30, 0x73, 0xAE, 0xEC,
106         0xE7, 0xA1, 0x65, 0x43, 0x30, 0xA9, 0x62, 0x04,
107         0xD3, 0x79, 0x82, 0xA3, 0xE1, 0x5B, 0x2C, 0xB4}};
108     RND_DEBUG_Instantiate(&dbg, &k.b);
109 #   define RANDOM      (RAND_STATE *)&dbg
110 
111 #else
112 #   define RANDOM      NULL
113 #endif
114     if (E == NULL)
115         ERROR_RETURN(TPM_RC_CURVE);
116     if (TPM_ALG_KDF2 != scheme->scheme)
117         ERROR_RETURN(TPM_RC_SCHEME);
118     // generate an ephemeral key from a random k
119     if (!BnEccGenerateKeyPair(D, Px, E, RANDOM)
120         // C1 is the public part of the ephemeral key
121         || !BnPointTo2B(c1, Px, E)
122         // Compute P2
123         || (BnPointMult(Px, PB, D, NULL, NULL, E) != TPM_RC_SUCCESS)
124         || !BnPointTo2B(&p2, Px, E))
125         ERROR_RETURN(TPM_RC_NO_RESULT);
126 
127     //Compute the C3 value hash(x2 || M || y2)
128     if (0 == CryptHashStart(&hashState, scheme->details.mgf1.hashAlg))
129         ERROR_RETURN(TPM_RC_HASH);
130     CryptDigestUpdate2B(&hashState, &p2.x.b);
131     CryptDigestUpdate2B(&hashState, &plainText->b);
132     CryptDigestUpdate2B(&hashState, &p2.y.b);
133     c3->t.size = CryptHashEnd(&hashState, sizeof(c3->t.buffer), c3->t.buffer);
134 
135     MemoryCopy2B(&z.b, &p2.x.b, sizeof(z.t.buffer));
136     MemoryConcat2B(&z.b, &p2.y.b, sizeof(z.t.buffer));
137     // Generate the mask value from MGF1 and put it in the return buffer
138     c2->t.size = CryptMGF_KDF(plainText->t.size, c2->t.buffer,
139                            scheme->details.mgf1.hashAlg, z.t.size, z.t.buffer, 1);
140     // XOR the plainText into the generated mask to create the obfuscated data
141     for (i = 0; i < plainText->t.size; i++)
142         c2->t.buffer[i] ^= plainText->t.buffer[i];
143 Exit:
144     CURVE_FREE(E);
145     return retVal;
146 }
147 
148 //*** CryptEccDecrypt()
149 // This function performs ECC decryption and integrity check of the input data.
150 //  Return Type: TPM_RC
151 //      TPM_RC_CURVE            unsupported curve
152 //      TPM_RC_HASH             hash not allowed
153 //      TPM_RC_SCHEME           'scheme' is not supported
154 //      TPM_RC_NO_RESULT        internal error in big number processing
155 //      TPM_RC_VALUE            C3 did not match hash of recovered data
156 LIB_EXPORT TPM_RC
CryptEccDecrypt(OBJECT * key,TPMT_KDF_SCHEME * scheme,TPM2B_MAX_BUFFER * plainText,TPMS_ECC_POINT * c1,TPM2B_MAX_BUFFER * c2,TPM2B_DIGEST * c3)157 CryptEccDecrypt(
158     OBJECT                  *key,           // IN: key used for data recovery
159     TPMT_KDF_SCHEME         *scheme,        // IN: scheme to use.
160     TPM2B_MAX_BUFFER        *plainText,     // OUT: the recovered text
161     TPMS_ECC_POINT          *c1,            // IN: public ephemeral key
162     TPM2B_MAX_BUFFER        *c2,            // IN: obfuscated text
163     TPM2B_DIGEST            *c3             // IN: digest of ephemeral key
164                                             //      and plainText
165 )
166 {
167     CURVE_INITIALIZED(E, key->publicArea.parameters.eccDetail.curveID);
168     ECC_INITIALIZED(D, &key->sensitive.sensitive.ecc.b);
169     POINT_INITIALIZED(C1, c1);
170     TPMS_ECC_POINT          p2;
171     TPM2B_TYPE(2ECC, MAX_ECC_KEY_BYTES * 2);
172     TPM2B_DIGEST            check;
173     TPM2B_2ECC              z;
174     int                     i;
175     HASH_STATE              hashState;
176     TPM_RC                  retVal = TPM_RC_SUCCESS;
177  //
178     if (E == NULL)
179         ERROR_RETURN(TPM_RC_CURVE);
180     if (TPM_ALG_KDF2 != scheme->scheme)
181         ERROR_RETURN(TPM_RC_SCHEME);
182     // Generate the Z value
183     BnPointMult(C1, C1, D, NULL, NULL, E);
184     BnPointTo2B(&p2, C1, E);
185 
186     // Start the hash to check the algorithm
187     if (0 == CryptHashStart(&hashState, scheme->details.mgf1.hashAlg))
188         ERROR_RETURN(TPM_RC_HASH);
189     CryptDigestUpdate2B(&hashState, &p2.x.b);
190 
191     MemoryCopy2B(&z.b, &p2.x.b, sizeof(z.t.buffer));
192     MemoryConcat2B(&z.b, &p2.y.b, sizeof(z.t.buffer));
193 
194     // Generate the mask
195     plainText->t.size = CryptMGF_KDF(c2->t.size, plainText->t.buffer,
196                                   scheme->details.mgf1.hashAlg, z.t.size,
197                                   z.t.buffer, 1);
198     // XOR the obfuscated data into the generated mask to create the plainText data
199     for (i = 0; i < plainText->t.size; i++)
200         plainText->t.buffer[i] ^= c2->t.buffer[i];
201 
202     // Complete the hash and verify the data
203     CryptDigestUpdate2B(&hashState, &plainText->b);
204     CryptDigestUpdate2B(&hashState, &p2.y.b);
205     check.t.size = CryptHashEnd(&hashState, sizeof(check.t.buffer), check.t.buffer);
206     if (!MemoryEqual2B(&check.b, &c3->b))
207         ERROR_RETURN(TPM_RC_VALUE);
208 Exit:
209     CURVE_FREE(E);
210     return retVal;
211 }
212 
213 
214 #endif  // CC_ECC_Encrypt || CC_ECC_Encrypt
215