diff --git a/src/tpm2.c b/src/tpm2.c index 38ead282..30ddb482 100644 --- a/src/tpm2.c +++ b/src/tpm2.c @@ -1069,17 +1069,35 @@ TPM_RC TPM2_GetCapability(GetCapability_In* in, GetCapability_Out* out) { TPML_TAGGED_PCR_PROPERTY* pcrProp = &out->capabilityData.data.pcrProperties; - TPM2_Packet_ParseU32(&packet, &pcrProp->count); + UINT32 wireCount; + UINT32 tag; + UINT8 wireSizeofSelect; + TPM2_Packet_ParseU32(&packet, &wireCount); + pcrProp->count = wireCount; if (pcrProp->count > MAX_PCR_PROPERTIES) pcrProp->count = MAX_PCR_PROPERTIES; - for (i=0; i<(int)pcrProp->count; i++) { - TPMS_TAGGED_PCR_SELECT* sel = &pcrProp->pcrProperty[i]; - TPM2_Packet_ParseU32(&packet, &sel->tag); - TPM2_Packet_ParseU8(&packet, &sel->sizeofSelect); - if (sel->sizeofSelect > PCR_SELECT_MAX) - sel->sizeofSelect = PCR_SELECT_MAX; - TPM2_Packet_ParseBytes(&packet, sel->pcrSelect, - sel->sizeofSelect); + for (i=0; i<(int)wireCount; i++) { + TPM2_Packet_ParseU32(&packet, &tag); + TPM2_Packet_ParseU8(&packet, &wireSizeofSelect); + if (i < (int)pcrProp->count) { + TPMS_TAGGED_PCR_SELECT* sel = + &pcrProp->pcrProperty[i]; + sel->tag = tag; + sel->sizeofSelect = wireSizeofSelect; + if (sel->sizeofSelect > PCR_SELECT_MAX) + sel->sizeofSelect = PCR_SELECT_MAX; + TPM2_Packet_ParseBytes(&packet, sel->pcrSelect, + sel->sizeofSelect); + if (wireSizeofSelect > sel->sizeofSelect) { + TPM2_Packet_ParseBytes(&packet, NULL, + wireSizeofSelect - sel->sizeofSelect); + } + } + else { + /* Skip entries beyond array capacity */ + TPM2_Packet_ParseBytes(&packet, NULL, + wireSizeofSelect); + } } break; } diff --git a/src/tpm2_packet.c b/src/tpm2_packet.c index 12c33195..14c0589d 100644 --- a/src/tpm2_packet.c +++ b/src/tpm2_packet.c @@ -445,17 +445,34 @@ void TPM2_Packet_AppendPCR(TPM2_Packet* packet, TPML_PCR_SELECTION* pcr) void TPM2_Packet_ParsePCR(TPM2_Packet* packet, TPML_PCR_SELECTION* pcr) { int i; - TPM2_Packet_ParseU32(packet, &pcr->count); + UINT32 wireCount; + UINT16 hash; + UINT8 wireSizeofSelect; + TPM2_Packet_ParseU32(packet, &wireCount); + pcr->count = wireCount; if (pcr->count > HASH_COUNT) pcr->count = HASH_COUNT; - for (i=0; i<(int)pcr->count; i++) { - TPM2_Packet_ParseU16(packet, &pcr->pcrSelections[i].hash); - TPM2_Packet_ParseU8(packet, &pcr->pcrSelections[i].sizeofSelect); - if (pcr->pcrSelections[i].sizeofSelect > PCR_SELECT_MIN) - pcr->pcrSelections[i].sizeofSelect = PCR_SELECT_MIN; - TPM2_Packet_ParseBytes(packet, - pcr->pcrSelections[i].pcrSelect, - pcr->pcrSelections[i].sizeofSelect); + for (i = 0; i < (int)wireCount; i++) { + TPM2_Packet_ParseU16(packet, &hash); + TPM2_Packet_ParseU8(packet, &wireSizeofSelect); + if (i < (int)pcr->count) { + pcr->pcrSelections[i].hash = hash; + pcr->pcrSelections[i].sizeofSelect = wireSizeofSelect; + if (pcr->pcrSelections[i].sizeofSelect > PCR_SELECT_MIN) + pcr->pcrSelections[i].sizeofSelect = PCR_SELECT_MIN; + TPM2_Packet_ParseBytes(packet, + pcr->pcrSelections[i].pcrSelect, + pcr->pcrSelections[i].sizeofSelect); + /* Skip excess select bytes */ + if (wireSizeofSelect > pcr->pcrSelections[i].sizeofSelect) { + TPM2_Packet_ParseBytes(packet, NULL, + wireSizeofSelect - pcr->pcrSelections[i].sizeofSelect); + } + } + else { + /* Skip entire entry for overflow iterations */ + TPM2_Packet_ParseBytes(packet, NULL, wireSizeofSelect); + } } } diff --git a/src/tpm2_param_enc.c b/src/tpm2_param_enc.c index 7a91d84c..f1973bff 100644 --- a/src/tpm2_param_enc.c +++ b/src/tpm2_param_enc.c @@ -196,7 +196,7 @@ int TPM2_KDFa( /* Perform XOR encryption over the first parameter of a TPM packet */ -static int TPM2_ParamEnc_XOR(TPM2_AUTH_SESSION *session, TPM2B_AUTH* sessKey, +int TPM2_ParamEnc_XOR(TPM2_AUTH_SESSION *session, TPM2B_AUTH* sessKey, TPM2B_AUTH* bindKey, TPM2B_NONCE* nonceCaller, TPM2B_NONCE* nonceTPM, BYTE *paramData, UINT32 paramSz) { @@ -259,7 +259,7 @@ static int TPM2_ParamEnc_XOR(TPM2_AUTH_SESSION *session, TPM2B_AUTH* sessKey, } /* Perform XOR decryption over the first parameter of a TPM packet */ -static int TPM2_ParamDec_XOR(TPM2_AUTH_SESSION *session, TPM2B_AUTH* sessKey, +int TPM2_ParamDec_XOR(TPM2_AUTH_SESSION *session, TPM2B_AUTH* sessKey, TPM2B_AUTH* bindKey, TPM2B_NONCE* nonceCaller, TPM2B_NONCE* nonceTPM, BYTE *paramData, UINT32 paramSz) { @@ -322,7 +322,7 @@ static int TPM2_ParamDec_XOR(TPM2_AUTH_SESSION *session, TPM2B_AUTH* sessKey, #if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(WOLFSSL_AES_CFB) /* Perform AES CFB encryption over the first parameter of a TPM packet */ -static int TPM2_ParamEnc_AESCFB(TPM2_AUTH_SESSION *session, TPM2B_AUTH* sessKey, +int TPM2_ParamEnc_AESCFB(TPM2_AUTH_SESSION *session, TPM2B_AUTH* sessKey, TPM2B_AUTH* bindKey, TPM2B_NONCE* nonceCaller, TPM2B_NONCE* nonceTPM, BYTE *paramData, UINT32 paramSz) { @@ -396,7 +396,7 @@ static int TPM2_ParamEnc_AESCFB(TPM2_AUTH_SESSION *session, TPM2B_AUTH* sessKey, } /* Perform AES CFB decryption over the first parameter of a TPM packet */ -static int TPM2_ParamDec_AESCFB(TPM2_AUTH_SESSION *session, TPM2B_AUTH* sessKey, +int TPM2_ParamDec_AESCFB(TPM2_AUTH_SESSION *session, TPM2B_AUTH* sessKey, TPM2B_AUTH* bindKey, TPM2B_NONCE* nonceCaller, TPM2B_NONCE* nonceTPM, BYTE *paramData, UINT32 paramSz) { diff --git a/src/tpm2_wrap.c b/src/tpm2_wrap.c index 68d86186..9dfbb10b 100644 --- a/src/tpm2_wrap.c +++ b/src/tpm2_wrap.c @@ -6805,6 +6805,7 @@ int wolfTPM2_LoadKeyedHashKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key, #ifdef DEBUG_WOLFTPM printf("TPM2_Create key failed %d: %s\n", rc, wolfTPM2_GetRCString(rc)); #endif + TPM2_ForceZero(&createIn.inSensitive, sizeof(createIn.inSensitive)); return rc; } @@ -6827,6 +6828,8 @@ int wolfTPM2_LoadKeyedHashKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key, #ifdef DEBUG_WOLFTPM printf("TPM2_Load key failed %d: %s\n", rc, wolfTPM2_GetRCString(rc)); #endif + TPM2_ForceZero(&createIn.inSensitive, + sizeof(createIn.inSensitive)); return rc; } key->handle.hndl = loadOut.objectHandle; @@ -7894,6 +7897,7 @@ int wolfTPM2_CreateKeySeal_ex(WOLFTPM2_DEV* dev, WOLFTPM2_KEYBLOB* keyBlob, printf("wolfTPM2_CreateKeySeal failed %d: %s\n", rc, wolfTPM2_GetRCString(rc)); #endif + TPM2_ForceZero(&createIn.inSensitive, sizeof(createIn.inSensitive)); return rc; } diff --git a/tests/unit_tests.c b/tests/unit_tests.c index 5185467e..2844722c 100644 --- a/tests/unit_tests.c +++ b/tests/unit_tests.c @@ -540,6 +540,291 @@ static void test_TPM2_KDFa(void) rc >= 0 ? "Passed" : "Failed"); } +static void test_TPM2_ConstantCompare(void) +{ + const byte a[] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08}; + const byte b[] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08}; + const byte c[] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x09}; + const byte d[] = {0xFF, 0xFE, 0xFD, 0xFC, 0xFB, 0xFA, 0xF9, 0xF8}; + + /* Identical buffers must return 0 */ + AssertIntEQ(0, TPM2_ConstantCompare(a, b, sizeof(a))); + + /* Single-byte difference must return non-zero */ + AssertIntNE(0, TPM2_ConstantCompare(a, c, sizeof(a))); + + /* Completely different buffers must return non-zero */ + AssertIntNE(0, TPM2_ConstantCompare(a, d, sizeof(a))); + + /* Zero length must return 0 (no bytes to compare) */ + AssertIntEQ(0, TPM2_ConstantCompare(a, d, 0)); + + printf("Test TPM Wrapper:\tConstantCompare:\tPassed\n"); +} + +static void test_TPM2_ResponseHmacVerification(void) +{ +#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_HMAC) + int rc; + TPM2B_AUTH auth; + TPM2B_DIGEST hash; + TPM2B_NONCE nonceNew, nonceOld; + TPMA_SESSION sessionAttr = TPMA_SESSION_continueSession; + TPM2B_AUTH hmac1, hmac2; + + /* Set up known auth key */ + auth.size = 8; + XMEMSET(auth.buffer, 0xAA, auth.size); + + /* Set up known cpHash/rpHash */ + hash.size = TPM_SHA256_DIGEST_SIZE; + XMEMSET(hash.buffer, 0x55, hash.size); + + /* Set up nonces */ + nonceNew.size = TPM_SHA256_DIGEST_SIZE; + XMEMSET(nonceNew.buffer, 0x11, nonceNew.size); + nonceOld.size = TPM_SHA256_DIGEST_SIZE; + XMEMSET(nonceOld.buffer, 0x22, nonceOld.size); + + /* Compute valid HMAC */ + rc = TPM2_CalcHmac(TPM_ALG_SHA256, &auth, &hash, &nonceNew, &nonceOld, + sessionAttr, &hmac1); + AssertIntEQ(0, rc); + AssertIntGT(hmac1.size, 0); + + /* Compute same HMAC again — must be identical */ + rc = TPM2_CalcHmac(TPM_ALG_SHA256, &auth, &hash, &nonceNew, &nonceOld, + sessionAttr, &hmac2); + AssertIntEQ(0, rc); + AssertIntEQ(0, TPM2_ConstantCompare(hmac1.buffer, hmac2.buffer, + hmac1.size)); + + /* Tamper one byte of the HMAC — verification must detect mismatch */ + hmac2.buffer[0] ^= 0xFF; + AssertIntNE(0, TPM2_ConstantCompare(hmac1.buffer, hmac2.buffer, + hmac1.size)); + + printf("Test TPM Wrapper:\tResponseHmacVerification:\tPassed\n"); +#endif +} + +static void test_TPM2_CalcHmac(void) +{ +#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_HMAC) + int rc; + TPM2B_AUTH auth; + TPM2B_DIGEST hash; + TPM2B_NONCE nonceA, nonceB; + TPMA_SESSION attr = TPMA_SESSION_continueSession; + TPM2B_AUTH hmac1, hmac2; + + /* Known auth key */ + auth.size = 4; + auth.buffer[0] = 't'; auth.buffer[1] = 'e'; + auth.buffer[2] = 's'; auth.buffer[3] = 't'; + + /* Known cpHash */ + hash.size = TPM_SHA256_DIGEST_SIZE; + XMEMSET(hash.buffer, 0xAB, hash.size); + + /* Two distinct nonces */ + nonceA.size = TPM_SHA256_DIGEST_SIZE; + XMEMSET(nonceA.buffer, 0x11, nonceA.size); + nonceB.size = TPM_SHA256_DIGEST_SIZE; + XMEMSET(nonceB.buffer, 0x22, nonceB.size); + + /* Compute HMAC with (nonceA, nonceB) order */ + rc = TPM2_CalcHmac(TPM_ALG_SHA256, &auth, &hash, &nonceA, &nonceB, + attr, &hmac1); + AssertIntEQ(0, rc); + + /* Compute HMAC with (nonceB, nonceA) — reversed order */ + rc = TPM2_CalcHmac(TPM_ALG_SHA256, &auth, &hash, &nonceB, &nonceA, + attr, &hmac2); + AssertIntEQ(0, rc); + + /* Reversed nonces MUST produce different HMAC */ + AssertIntNE(0, XMEMCMP(hmac1.buffer, hmac2.buffer, hmac1.size)); + + printf("Test TPM Wrapper:\tCalcHmac:\tPassed\n"); +#endif +} + +static void test_TPM2_ParamEnc_XOR_Vector(void) +{ +#ifndef WOLFTPM2_NO_WOLFCRYPT + int rc; + TPM2_AUTH_SESSION session; + TPM2B_AUTH sessKey; + TPM2B_NONCE nonceCaller, nonceTPM; + const byte original[] = "XOR parameter encryption round-trip test"; + byte data[sizeof(original)]; + + XMEMSET(&session, 0, sizeof(session)); + session.authHash = TPM_ALG_SHA256; + + sessKey.size = TPM_SHA256_DIGEST_SIZE; + XMEMSET(sessKey.buffer, 0xCC, sessKey.size); + + nonceCaller.size = TPM_SHA256_DIGEST_SIZE; + XMEMSET(nonceCaller.buffer, 0x11, nonceCaller.size); + nonceTPM.size = TPM_SHA256_DIGEST_SIZE; + XMEMSET(nonceTPM.buffer, 0x22, nonceTPM.size); + + XMEMCPY(data, original, sizeof(original)); + + /* Encrypt */ + rc = TPM2_ParamEnc_XOR(&session, &sessKey, NULL, &nonceCaller, &nonceTPM, + data, sizeof(data)); + AssertIntEQ(TPM_RC_SUCCESS, rc); + + /* Data must differ from original */ + AssertIntNE(0, XMEMCMP(data, original, sizeof(original))); + + /* Encrypt again with same args — XOR is self-inverse */ + rc = TPM2_ParamEnc_XOR(&session, &sessKey, NULL, &nonceCaller, &nonceTPM, + data, sizeof(data)); + AssertIntEQ(TPM_RC_SUCCESS, rc); + + /* Must match original */ + AssertIntEQ(0, XMEMCMP(data, original, sizeof(original))); + + printf("Test TPM Wrapper:\tParamEnc_XOR:\tPassed\n"); +#endif +} + +static void test_TPM2_ParamEnc_AESCFB_Vector(void) +{ +#if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(WOLFSSL_AES_CFB) + int rc; + TPM2_AUTH_SESSION session; + TPM2B_AUTH sessKey; + TPM2B_NONCE nonceCaller, nonceTPM; + const byte original[] = "AES-CFB parameter encryption round-trip test"; + byte data[sizeof(original)]; + + XMEMSET(&session, 0, sizeof(session)); + session.authHash = TPM_ALG_SHA256; + session.symmetric.keyBits.aes = MAX_AES_KEY_BITS; + + sessKey.size = TPM_SHA256_DIGEST_SIZE; + XMEMSET(sessKey.buffer, 0xDD, sessKey.size); + + nonceCaller.size = TPM_SHA256_DIGEST_SIZE; + XMEMSET(nonceCaller.buffer, 0x33, nonceCaller.size); + nonceTPM.size = TPM_SHA256_DIGEST_SIZE; + XMEMSET(nonceTPM.buffer, 0x44, nonceTPM.size); + + XMEMCPY(data, original, sizeof(original)); + + /* Encrypt with (nonceCaller, nonceTPM) */ + rc = TPM2_ParamEnc_AESCFB(&session, &sessKey, NULL, &nonceCaller, + &nonceTPM, data, sizeof(data)); + AssertIntEQ(TPM_RC_SUCCESS, rc); + + /* Data must differ from original */ + AssertIntNE(0, XMEMCMP(data, original, sizeof(original))); + + /* Decrypt: swap nonce args so KDFa produces same key */ + rc = TPM2_ParamDec_AESCFB(&session, &sessKey, NULL, &nonceTPM, + &nonceCaller, data, sizeof(data)); + AssertIntEQ(TPM_RC_SUCCESS, rc); + + /* Must match original */ + AssertIntEQ(0, XMEMCMP(data, original, sizeof(original))); + + printf("Test TPM Wrapper:\tParamEnc_AESCFB:\tPassed\n"); +#endif +} + +static void test_TPM2_ParamDec_XOR_Roundtrip(void) +{ +#ifndef WOLFTPM2_NO_WOLFCRYPT + int rc; + TPM2_AUTH_SESSION session; + TPM2B_AUTH sessKey; + TPM2B_NONCE nonceCaller, nonceTPM; + const byte original[] = "XOR parameter decryption round-trip test"; + byte data[sizeof(original)]; + + XMEMSET(&session, 0, sizeof(session)); + session.authHash = TPM_ALG_SHA256; + + sessKey.size = TPM_SHA256_DIGEST_SIZE; + XMEMSET(sessKey.buffer, 0xEE, sessKey.size); + + nonceCaller.size = TPM_SHA256_DIGEST_SIZE; + XMEMSET(nonceCaller.buffer, 0x55, nonceCaller.size); + nonceTPM.size = TPM_SHA256_DIGEST_SIZE; + XMEMSET(nonceTPM.buffer, 0x66, nonceTPM.size); + + XMEMCPY(data, original, sizeof(original)); + + /* Decrypt direction: XOR with (nonceCaller, nonceTPM) mask */ + rc = TPM2_ParamDec_XOR(&session, &sessKey, NULL, &nonceCaller, &nonceTPM, + data, sizeof(data)); + AssertIntEQ(TPM_RC_SUCCESS, rc); + + /* Data must differ from original */ + AssertIntNE(0, XMEMCMP(data, original, sizeof(original))); + + /* Apply same XOR again — self-inverse recovers original */ + rc = TPM2_ParamDec_XOR(&session, &sessKey, NULL, &nonceCaller, &nonceTPM, + data, sizeof(data)); + AssertIntEQ(TPM_RC_SUCCESS, rc); + + /* Must match original */ + AssertIntEQ(0, XMEMCMP(data, original, sizeof(original))); + + printf("Test TPM Wrapper:\tParamDec_XOR_Roundtrip:\tPassed\n"); +#endif +} + +static void test_TPM2_ParamDec_AESCFB_Roundtrip(void) +{ +#if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(WOLFSSL_AES_CFB) + int rc; + TPM2_AUTH_SESSION session; + TPM2B_AUTH sessKey; + TPM2B_NONCE nonceCaller, nonceTPM; + const byte original[] = "AES-CFB parameter decryption round-trip test"; + byte data[sizeof(original)]; + + XMEMSET(&session, 0, sizeof(session)); + session.authHash = TPM_ALG_SHA256; + session.symmetric.keyBits.aes = MAX_AES_KEY_BITS; + + sessKey.size = TPM_SHA256_DIGEST_SIZE; + XMEMSET(sessKey.buffer, 0xFF, sessKey.size); + + nonceCaller.size = TPM_SHA256_DIGEST_SIZE; + XMEMSET(nonceCaller.buffer, 0x77, nonceCaller.size); + nonceTPM.size = TPM_SHA256_DIGEST_SIZE; + XMEMSET(nonceTPM.buffer, 0x88, nonceTPM.size); + + XMEMCPY(data, original, sizeof(original)); + + /* Encrypt with ParamEnc_AESCFB (command direction) */ + rc = TPM2_ParamEnc_AESCFB(&session, &sessKey, NULL, &nonceCaller, + &nonceTPM, data, sizeof(data)); + AssertIntEQ(TPM_RC_SUCCESS, rc); + + /* Data must differ from original */ + AssertIntNE(0, XMEMCMP(data, original, sizeof(original))); + + /* Decrypt with ParamDec_AESCFB: swap nonce args so internal KDFa + * produces the same key as encryption */ + rc = TPM2_ParamDec_AESCFB(&session, &sessKey, NULL, &nonceTPM, + &nonceCaller, data, sizeof(data)); + AssertIntEQ(TPM_RC_SUCCESS, rc); + + /* Must match original */ + AssertIntEQ(0, XMEMCMP(data, original, sizeof(original))); + + printf("Test TPM Wrapper:\tParamDec_AESCFB_Roundtrip:\tPassed\n"); +#endif +} + static void test_GetAlgId(void) { TPM_ALG_ID alg = TPM2_GetAlgId("SHA256"); @@ -1175,6 +1460,13 @@ int unit_tests(int argc, char *argv[]) test_TPM2_PCRSel(); test_TPM2_Policy_NULL_Args(); test_TPM2_KDFa(); + test_TPM2_ConstantCompare(); + test_TPM2_ResponseHmacVerification(); + test_TPM2_CalcHmac(); + test_TPM2_ParamEnc_XOR_Vector(); + test_TPM2_ParamEnc_AESCFB_Vector(); + test_TPM2_ParamDec_XOR_Roundtrip(); + test_TPM2_ParamDec_AESCFB_Roundtrip(); test_GetAlgId(); test_wolfTPM2_ReadPublicKey(); test_wolfTPM2_CSR(); diff --git a/wolftpm/tpm2.h b/wolftpm/tpm2.h index 3acbaf40..6309b717 100644 --- a/wolftpm/tpm2.h +++ b/wolftpm/tpm2.h @@ -4010,7 +4010,7 @@ WOLFTPM_API UINT16 TPM2_GetVendorID(void); WOLFTPM_LOCAL void TPM2_ForceZero(void* mem, word32 len); /* Constant time memory comparison */ -WOLFTPM_LOCAL int TPM2_ConstantCompare(const byte* a, const byte* b, word32 len); +WOLFTPM_TEST_API int TPM2_ConstantCompare(const byte* a, const byte* b, word32 len); #ifdef DEBUG_WOLFTPM diff --git a/wolftpm/tpm2_param_enc.h b/wolftpm/tpm2_param_enc.h index fa139725..7d77f930 100644 --- a/wolftpm/tpm2_param_enc.h +++ b/wolftpm/tpm2_param_enc.h @@ -35,7 +35,7 @@ WOLFTPM_API int TPM2_KDFa( BYTE *key, UINT32 keySz ); -WOLFTPM_LOCAL int TPM2_CalcHmac(TPMI_ALG_HASH authHash, TPM2B_AUTH* auth, +WOLFTPM_TEST_API int TPM2_CalcHmac(TPMI_ALG_HASH authHash, TPM2B_AUTH* auth, const TPM2B_DIGEST* hash, const TPM2B_NONCE* nonceNew, const TPM2B_NONCE* nonceOld, TPMA_SESSION sessionAttributes, TPM2B_AUTH* hmac); @@ -45,6 +45,28 @@ WOLFTPM_LOCAL int TPM2_CalcCpHash(TPMI_ALG_HASH authHash, TPM_CC cmdCode, TPM2B_NAME* name1, TPM2B_NAME* name2, TPM2B_NAME* name3, BYTE* param, UINT32 paramSz, TPM2B_DIGEST* hash); +/* Low-level XOR param encryption/decryption */ +WOLFTPM_TEST_API int TPM2_ParamEnc_XOR(TPM2_AUTH_SESSION *session, + TPM2B_AUTH* sessKey, TPM2B_AUTH* bindKey, + TPM2B_NONCE* nonceCaller, TPM2B_NONCE* nonceTPM, + BYTE *paramData, UINT32 paramSz); +WOLFTPM_TEST_API int TPM2_ParamDec_XOR(TPM2_AUTH_SESSION *session, + TPM2B_AUTH* sessKey, TPM2B_AUTH* bindKey, + TPM2B_NONCE* nonceCaller, TPM2B_NONCE* nonceTPM, + BYTE *paramData, UINT32 paramSz); + +/* Low-level AES-CFB param encryption/decryption */ +#if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(WOLFSSL_AES_CFB) +WOLFTPM_TEST_API int TPM2_ParamEnc_AESCFB(TPM2_AUTH_SESSION *session, + TPM2B_AUTH* sessKey, TPM2B_AUTH* bindKey, + TPM2B_NONCE* nonceCaller, TPM2B_NONCE* nonceTPM, + BYTE *paramData, UINT32 paramSz); +WOLFTPM_TEST_API int TPM2_ParamDec_AESCFB(TPM2_AUTH_SESSION *session, + TPM2B_AUTH* sessKey, TPM2B_AUTH* bindKey, + TPM2B_NONCE* nonceCaller, TPM2B_NONCE* nonceTPM, + BYTE *paramData, UINT32 paramSz); +#endif + /* Perform encryption over the first parameter of a TPM packet */ WOLFTPM_LOCAL TPM_RC TPM2_ParamEnc_CmdRequest(TPM2_AUTH_SESSION *session, BYTE *paramData, UINT32 paramSz); diff --git a/wolftpm/visibility.h b/wolftpm/visibility.h index 241b960d..eb0bacf1 100644 --- a/wolftpm/visibility.h +++ b/wolftpm/visibility.h @@ -49,6 +49,12 @@ #define WOLFTPM_API #define WOLFTPM_LOCAL #endif /* HAVE_VISIBILITY */ + + #ifdef WOLFTPM_PRIVATE_TEST_VIS + #define WOLFTPM_TEST_API WOLFTPM_LOCAL + #else + #define WOLFTPM_TEST_API WOLFTPM_API + #endif #else /* BUILDING_WOLFTPM */ #if defined(_MSC_VER) || defined(__MINGW32__) || defined(__CYGWIN__) || \ defined(_WIN32_WCE) @@ -62,6 +68,8 @@ #define WOLFTPM_API #define WOLFTPM_LOCAL #endif + + #define WOLFTPM_TEST_API WOLFTPM_API #endif /* BUILDING_WOLFTPM */ #endif /* WOLFTPM_VISIBILITY_H */