Re: TSS aligned with TPM2 engine

Doug Fraser
 

Fred,

Thanks for your response.

I have some ideas how I am going to install at this point, but I am curious how you are determining your OpenSSL engine directory for your specific target?
We are actually building OpenSSL on our target, so I have two options:

1) grep for OPENSSL_ENGINES_DIR in the build artifacts and process that. *it is indeed, there..... ugly, but useable*
2) after cross building and installing openssl, cross building a small test application that does nothing more than "puts(OpenSSL_version(OPENSSL_ENGINES_DIR));" and running that in chroot on target.

Those are the two methods I have at hand, did you use one of these? Or a third way?

Thanks for the reply!

Douglas Fraser

-----Original Message-----
From: Fredrik Ternerot <fredrik.trot@...>
Sent: Friday, December 21, 2018 1:59 PM
To: openssl-tpm2-engine@groups.io; Doug Fraser <doug.fraser@...>
Subject: Re: [openssl-tpm2-engine] TSS aligned with TPM2 engine

============

#$ sed -i 's/ create_tpm2_key.1//' Makefile.am
I actually do almost exactly the same fix. I'm also cross compiling for 32-bit armv7 using OpenEmbedded.


This removes a documentation dependency on help2man.
This is required because I am cross-compiling, and I cannot execute `create_tpm2_key --help` on the build host to extract the document.

It would be helpful if there were a configure option to block documentation generation completely.
I agree.


In addition, when I `make install`, everything goes well until it runs libtool on libtpm2(.la/.so), where it installs it on my host, not on my cross target.
It is not honoring --prefix for the cross target libraries, only the binary.
In case you wonder, I haven't checked this since I'm using a custom install variant in my bitbake recipe instead of relying on 'make install'.

Fredrik Ternerot

Re: TSS aligned with TPM2 engine

Fredrik Ternerot
 

On Fri, Dec 21, 2018 at 4:22 PM Doug Fraser <doug.fraser@...> wrote:

Good Morning in openssl-tpm2-engine land!

I deprecated libressl on my Alpine target to 'smooth the way'. That lines up with some application team members that required openssl on target so it is all good.

I still have a ton of testing to do, but I now have the full ibmtss2 library and tpm2_* tools cross built and installed on armhf target with MUSL C lib based gcc 6.4.0.
It all appears to be running (properly) under Linux 4.14.77 on armv7 running in 32 bit mode.

This is all handled in the cross build makefile I shared earlier.

On to openssl-tpm2-engine:

I had to make one small change to openssl-tpm2-engine before running bootstrap/configure prior to the build.
Right after pulling the git tree, at the top of the tree I do:

#$ sed -i 's/ create_tpm2_key.1//' Makefile.am
I actually do almost exactly the same fix. I'm also cross compiling
for 32-bit armv7 using OpenEmbedded.


This removes a documentation dependency on help2man.
This is required because I am cross-compiling, and I cannot execute `create_tpm2_key --help` on the build host to extract the document.

It would be helpful if there were a configure option to block documentation generation completely.
I agree.


In addition, when I `make install`, everything goes well until it runs libtool on libtpm2(.la/.so), where it installs it on my host, not on my cross target.
It is not honoring --prefix for the cross target libraries, only the binary.
In case you wonder, I haven't checked this since I'm using a custom
install variant in my bitbake recipe instead of relying on 'make
install'.

Fredrik Ternerot


Here is my configure line, after editing Makefile.AM and running `bootstrap`

#$ ./configure CC="${CROSS_COMPILE}"gcc CPPFLAGS="--sysroot=${install_top} -I${build_top}/ibmtss/utils -I${build_top}/openssl_tpm2_engine -fPIC" LDFLAGS="--sysroot=${install_top}" --prefix="${install_top}"/usr --host=arm-linux-musleabihf

--prefix="${install_top}"/usr <<<< this is the base where I expect everything to be installed.

I am going to look at that this morning and see what I have to change for that to configure/automake properly.

Douglas Fraser


-----Original Message-----
From: Doug Fraser
Sent: Thursday, December 20, 2018 3:50 PM
To: openssl-tpm2-engine@groups.io; 'James.Bottomley@...' <James.Bottomley@...>
Subject: RE: [openssl-tpm2-engine] TSS aligned with TPM2 engine

Okay,

I am plowing my way through the next part, that is, getting openssl-tpm2-engine to build against libressl (under Alpine) as opposed to openssl

There are differences, and right off the bat, openssl DEFINE_STACK_OF(TSSOPTPOLICY); needs to be libressl DECLARE_STACK_OF(TSSOPTPOLICY); (except that they are slightly different)

Anyone here plowed through this field before me?

Thanks!

Douglas Fraser


Re: TSS aligned with TPM2 engine

Doug Fraser
 

Good Morning in openssl-tpm2-engine land!

I deprecated libressl on my Alpine target to 'smooth the way'. That lines up with some application team members that required openssl on target so it is all good.

I still have a ton of testing to do, but I now have the full ibmtss2 library and tpm2_* tools cross built and installed on armhf target with MUSL C lib based gcc 6.4.0.
It all appears to be running (properly) under Linux 4.14.77 on armv7 running in 32 bit mode.

This is all handled in the cross build makefile I shared earlier.

On to openssl-tpm2-engine:

I had to make one small change to openssl-tpm2-engine before running bootstrap/configure prior to the build.
Right after pulling the git tree, at the top of the tree I do:

#$ sed -i 's/ create_tpm2_key.1//' Makefile.am

This removes a documentation dependency on help2man.
This is required because I am cross-compiling, and I cannot execute `create_tpm2_key --help` on the build host to extract the document.

It would be helpful if there were a configure option to block documentation generation completely.

In addition, when I `make install`, everything goes well until it runs libtool on libtpm2(.la/.so), where it installs it on my host, not on my cross target.
It is not honoring --prefix for the cross target libraries, only the binary.

Here is my configure line, after editing Makefile.AM and running `bootstrap`

#$ ./configure CC="${CROSS_COMPILE}"gcc CPPFLAGS="--sysroot=${install_top} -I${build_top}/ibmtss/utils -I${build_top}/openssl_tpm2_engine -fPIC" LDFLAGS="--sysroot=${install_top}" --prefix="${install_top}"/usr --host=arm-linux-musleabihf

--prefix="${install_top}"/usr <<<< this is the base where I expect everything to be installed.

I am going to look at that this morning and see what I have to change for that to configure/automake properly.

Douglas Fraser

-----Original Message-----
From: Doug Fraser
Sent: Thursday, December 20, 2018 3:50 PM
To: openssl-tpm2-engine@groups.io; 'James.Bottomley@...' <James.Bottomley@...>
Subject: RE: [openssl-tpm2-engine] TSS aligned with TPM2 engine

Okay,

I am plowing my way through the next part, that is, getting openssl-tpm2-engine to build against libressl (under Alpine) as opposed to openssl

There are differences, and right off the bat, openssl DEFINE_STACK_OF(TSSOPTPOLICY); needs to be libressl DECLARE_STACK_OF(TSSOPTPOLICY); (except that they are slightly different)

Anyone here plowed through this field before me?

Thanks!

Douglas Fraser

Re: TSS aligned with TPM2 engine

Doug Fraser
 

Okay,

I am plowing my way through the next part, that is, getting openssl-tpm2-engine to build against libressl (under Alpine) as opposed to openssl

There are differences, and right off the bat, openssl DEFINE_STACK_OF(TSSOPTPOLICY); needs to be libressl DECLARE_STACK_OF(TSSOPTPOLICY); (except that they are slightly different)

Anyone here plowed through this field before me?

Thanks!

Douglas Fraser

Re: TSS aligned with TPM2 engine

Doug Fraser
 

Updated cross make that builds ibmtss on an armhf target.
Built and linked properly, and installed, on target, and tested with Infineon HW TPM device.

I had to straighten out some -rpath -rpath-link issues from my first attempt.

-----Original Message-----
From: Doug Fraser
Sent: Wednesday, December 19, 2018 4:30 PM
To: openssl-tpm2-engine@groups.io; Doug Fraser <doug.fraser@...>; James.Bottomley@...
Subject: RE: [openssl-tpm2-engine] TSS aligned with TPM2 engine

James (and others...)

Attached is a cross make file I use under Alpine Linux on Arm7 (32) to build the libraries.
Everything builds and links with no errors. We are building TPM20 only.
Currently pulling ibm tss v1331...

It is being built against Alpine Libraries v3.8 main, libgcrypt libgcrypt-dev libressl libressl-dev

The make line for this is make -j8 -f ibmtss-cross.mk CC="${CROSS_COMPILE}"gcc SYSROOT="${install_top}" PREFIX="/usr"

Where cross compile is arm-linux-musleabihf-

We are using MUSL lib based gcc 6.4.0 that has been compiled for SYSROOT support (which is immensely helpful for cross building)

I'll let you know how it progresses, but thanks for the help getting me pointed in the right direction.

Douglas Fraser


-----Original Message-----
From: openssl-tpm2-engine@groups.io <openssl-tpm2-engine@groups.io> On Behalf Of Doug Fraser
Sent: Wednesday, December 19, 2018 10:52 AM
To: openssl-tpm2-engine@groups.io; James.Bottomley@...
Subject: Re: [openssl-tpm2-engine] TSS aligned with TPM2 engine

James,

Thanks a million. I actually started down this path from: https://blog.hansenpartnership.com/tpm-projects/

I have also watched your presentation from earlier this year, it was quite good, thank you.

On to the ibmtss to continue my adventure.....

Sincerely,

Douglas Fraser



-----Original Message-----
From: openssl-tpm2-engine@groups.io <openssl-tpm2-engine@groups.io> On Behalf Of James Bottomley
Sent: Wednesday, December 19, 2018 10:49 AM
To: openssl-tpm2-engine@groups.io; Doug Fraser <doug.fraser@...>
Subject: Re: [openssl-tpm2-engine] TSS aligned with TPM2 engine

On Wed, 2018-12-19 at 15:32 +0000, Doug Fraser wrote:
Hello,

I recently pulled v2.1.0 of openssl_tpm2_engine for cross compilation
on a 32 bit ARMv7 architecture to interface to an Infineon SLB9670
with the latest firmware for TPM2.0

I am running a TSS from https://github.com/tpm2-software/tpm2-tss
(2.0.0) and TPM2 tools from https://github.com/tpm2-software/tpm2-tools
(3.1.0).

I have demonstrated control over the device under Linux 4.14.77 using
these tools and the kernel configured for TPM

When I try to autoconfig the openssl_tpm2_engine, it fails to find tss
because of library naming mismatches.
That's probably because it's looking for this library:

https://sourceforge.net/projects/ibmtpm20tss/

I am in the process of editing the configure script to pull the proper
headers, but I would appreciate it if I am headed off a cliff (or into
a box canyon, pick your metaphor), and someone could yell 'STOP'
now.....
Yes, STOP. The Intel TSS you have above is based on ESAPI so has a totally different API. The IBM TSS uses the TPM command API, which is what the engine also uses. The two TSSs are API and installation orthogonal, so you can install both at once and, eventually, we might get them merged.

James


I had to pull a little configure 'magic' to get tpm2-tools to cross
compile against tpm2-tss, so this is not that surprising.

Thanks,

Douglas Fraser
Veea Systems Inc.

Re: TSS aligned with TPM2 engine

James Bottomley
 

On Wed, 2018-12-19 at 21:30 +0000, Doug Fraser wrote:
James (and others...)

Attached is a cross make file I use under Alpine Linux on Arm7 (32)
to build the libraries.
Everything builds and links with no errors. We are building TPM20
only. Currently pulling ibm tss v1331...
Sounds good. IBM is working on an autoconf based update internally
which should be released soon and which should make this easier.

It is being built against Alpine Libraries v3.8 main, libgcrypt
libgcrypt-dev libressl libressl-dev

The make line for this is make -j8 -f ibmtss-cross.mk
CC="${CROSS_COMPILE}"gcc SYSROOT="${install_top}" PREFIX="/usr"

Where cross compile is arm-linux-musleabihf-

We are using MUSL lib based gcc 6.4.0 that has been compiled for
SYSROOT support (which is immensely helpful for cross building)
Ah, you'll hit my blind spot in the engine as well then: I never
really cross compile, I build pseudo natively using architecture
emulation containers (have to so make check works) and all the
automated multiple architecture build environments

https://build.opensuse.org/project/show/home:jejb1:TPM

Do the same, so although cross compiling should work because of
autoconf, I don't believe anyone's ever tested it.

I'll let you know how it progresses, but thanks for the help getting
me pointed in the right direction.
That's great, and you're welcome.

James

Re: TSS aligned with TPM2 engine

Doug Fraser
 

James (and others...)

Attached is a cross make file I use under Alpine Linux on Arm7 (32) to build the libraries.
Everything builds and links with no errors. We are building TPM20 only.
Currently pulling ibm tss v1331...

It is being built against Alpine Libraries v3.8 main, libgcrypt libgcrypt-dev libressl libressl-dev

The make line for this is make -j8 -f ibmtss-cross.mk CC="${CROSS_COMPILE}"gcc SYSROOT="${install_top}" PREFIX="/usr"

Where cross compile is arm-linux-musleabihf-

We are using MUSL lib based gcc 6.4.0 that has been compiled for SYSROOT support (which is immensely helpful for cross building)

I'll let you know how it progresses, but thanks for the help getting me pointed in the right direction.

Douglas Fraser

-----Original Message-----
From: openssl-tpm2-engine@groups.io <openssl-tpm2-engine@groups.io> On Behalf Of Doug Fraser
Sent: Wednesday, December 19, 2018 10:52 AM
To: openssl-tpm2-engine@groups.io; James.Bottomley@...
Subject: Re: [openssl-tpm2-engine] TSS aligned with TPM2 engine

James,

Thanks a million. I actually started down this path from: https://blog.hansenpartnership.com/tpm-projects/

I have also watched your presentation from earlier this year, it was quite good, thank you.

On to the ibmtss to continue my adventure.....

Sincerely,

Douglas Fraser



-----Original Message-----
From: openssl-tpm2-engine@groups.io <openssl-tpm2-engine@groups.io> On Behalf Of James Bottomley
Sent: Wednesday, December 19, 2018 10:49 AM
To: openssl-tpm2-engine@groups.io; Doug Fraser <doug.fraser@...>
Subject: Re: [openssl-tpm2-engine] TSS aligned with TPM2 engine

On Wed, 2018-12-19 at 15:32 +0000, Doug Fraser wrote:
Hello,

I recently pulled v2.1.0 of openssl_tpm2_engine for cross compilation
on a 32 bit ARMv7 architecture to interface to an Infineon SLB9670
with the latest firmware for TPM2.0

I am running a TSS from https://github.com/tpm2-software/tpm2-tss
(2.0.0) and TPM2 tools from https://github.com/tpm2-software/tpm2-tools
(3.1.0).

I have demonstrated control over the device under Linux 4.14.77 using
these tools and the kernel configured for TPM

When I try to autoconfig the openssl_tpm2_engine, it fails to find tss
because of library naming mismatches.
That's probably because it's looking for this library:

https://sourceforge.net/projects/ibmtpm20tss/

I am in the process of editing the configure script to pull the proper
headers, but I would appreciate it if I am headed off a cliff (or into
a box canyon, pick your metaphor), and someone could yell 'STOP'
now.....
Yes, STOP. The Intel TSS you have above is based on ESAPI so has a totally different API. The IBM TSS uses the TPM command API, which is what the engine also uses. The two TSSs are API and installation orthogonal, so you can install both at once and, eventually, we might get them merged.

James


I had to pull a little configure 'magic' to get tpm2-tools to cross
compile against tpm2-tss, so this is not that surprising.

Thanks,

Douglas Fraser
Veea Systems Inc.

Re: TSS aligned with TPM2 engine

Doug Fraser
 

James,

Thanks a million. I actually started down this path from: https://blog.hansenpartnership.com/tpm-projects/

I have also watched your presentation from earlier this year, it was quite good, thank you.

On to the ibmtss to continue my adventure.....

Sincerely,

Douglas Fraser

-----Original Message-----
From: openssl-tpm2-engine@groups.io <openssl-tpm2-engine@groups.io> On Behalf Of James Bottomley
Sent: Wednesday, December 19, 2018 10:49 AM
To: openssl-tpm2-engine@groups.io; Doug Fraser <doug.fraser@...>
Subject: Re: [openssl-tpm2-engine] TSS aligned with TPM2 engine

On Wed, 2018-12-19 at 15:32 +0000, Doug Fraser wrote:
Hello,

I recently pulled v2.1.0 of openssl_tpm2_engine for cross compilation
on a 32 bit ARMv7 architecture to interface to an Infineon SLB9670
with the latest firmware for TPM2.0

I am running a TSS from https://github.com/tpm2-software/tpm2-tss
(2.0.0) and TPM2 tools from https://github.com/tpm2-software/tpm2-tools
(3.1.0).

I have demonstrated control over the device under Linux 4.14.77 using
these tools and the kernel configured for TPM

When I try to autoconfig the openssl_tpm2_engine, it fails to find tss
because of library naming mismatches.
That's probably because it's looking for this library:

https://sourceforge.net/projects/ibmtpm20tss/

I am in the process of editing the configure script to pull the proper
headers, but I would appreciate it if I am headed off a cliff (or into
a box canyon, pick your metaphor), and someone could yell 'STOP'
now.....
Yes, STOP. The Intel TSS you have above is based on ESAPI so has a totally different API. The IBM TSS uses the TPM command API, which is what the engine also uses. The two TSSs are API and installation orthogonal, so you can install both at once and, eventually, we might get them merged.

James


I had to pull a little configure 'magic' to get tpm2-tools to cross
compile against tpm2-tss, so this is not that surprising.

Thanks,

Douglas Fraser
Veea Systems Inc.

Re: TSS aligned with TPM2 engine

James Bottomley
 

On Wed, 2018-12-19 at 15:32 +0000, Doug Fraser wrote:
Hello,

I recently pulled v2.1.0 of openssl_tpm2_engine for cross compilation
on a 32 bit ARMv7 architecture to interface to an Infineon SLB9670
with the latest firmware for TPM2.0

I am running a TSS from https://github.com/tpm2-software/tpm2-tss
(2.0.0) and TPM2 tools from https://github.com/tpm2-software/tpm2-tools
(3.1.0).

I have demonstrated control over the device under Linux 4.14.77 using
these tools and the kernel configured for TPM

When I try to autoconfig the openssl_tpm2_engine, it fails to find
tss because of library naming mismatches.
That's probably because it's looking for this library:

https://sourceforge.net/projects/ibmtpm20tss/

I am in the process of editing the configure script to pull the
proper headers, but I would appreciate it if I am headed off a cliff
(or into a box canyon, pick your metaphor), and someone could yell
'STOP' now.....
Yes, STOP. The Intel TSS you have above is based on ESAPI so has a
totally different API. The IBM TSS uses the TPM command API, which is
what the engine also uses. The two TSSs are API and installation
orthogonal, so you can install both at once and, eventually, we might
get them merged.

James


I had to pull a little configure 'magic' to get tpm2-tools to cross
compile against tpm2-tss, so this is not that surprising.

Thanks,

Douglas Fraser
Veea Systems Inc.

TSS aligned with TPM2 engine

Doug Fraser
 

Hello,

I recently pulled v2.1.0 of openssl_tpm2_engine for cross compilation on a 32 bit ARMv7 architecture to interface to an Infineon SLB9670 with the latest firmware for TPM2.0

I am running a TSS from https://github.com/tpm2-software/tpm2-tss (2.0.0) and TPM2 tools from https://github.com/tpm2-software/tpm2-tools (3.1.0).

I have demonstrated control over the device under Linux 4.14.77 using these tools and the kernel configured for TPM

When I try to autoconfig the openssl_tpm2_engine, it fails to find tss because of library naming mismatches.

I am in the process of editing the configure script to pull the proper headers, but I would appreciate it if I am headed off a cliff (or into a box canyon, pick your metaphor), and someone could yell 'STOP' now.....

I had to pull a little configure 'magic' to get tpm2-tools to cross compile against tpm2-tss, so this is not that surprising.

Thanks,

Douglas Fraser
Veea Systems Inc.

Re: [PATCH 3/4] Add importable keys

Fredrik Ternerot
 

On Sat, Nov 17, 2018 at 6:54 AM James Bottomley
<James.Bottomley@...> wrote:

On Thu, 2018-11-15 at 10:57 +0100, Fredrik Ternerot wrote:
On Wed, Nov 14, 2018 at 4:56 PM James Bottomley
<James.Bottomley@...> wrote:
[...]
diff --git a/create_tpm2_key.1.in b/create_tpm2_key.1.in
index 0e52d86..6ec5f25 100644
--- a/create_tpm2_key.1.in
+++ b/create_tpm2_key.1.in
@@ -7,6 +7,13 @@ Can be used to create a TPM loadable
representation of a private key.
The key is either internal to the TPM or wrapped from an existing
private key.

+Note that this command can now create two different types of keys:
+importable and loadable (the default type being loadable). The
+difference between the two is that the creation of loadable keys
+requires the presence of the actual TPM the key will be loaded
on. An
+importable key can be created without any TPM contact provided you
+have the public key of the parent the new key will be imported to.
+
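Review bot: the added paragraph says an importable key needs "the public key of the parent" but names neither the option that selects an importable key nor the file format that public key must be in. The same patch adds openssl_read_public_key(), which reads a PEM file with PEM_read_bio_PUBKEY; if that is how the parent key is supplied, the man page should say "PEM public key file" here and name the option next to the "default type being loadable" remark.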
Consider to add that the tool currently requires the parent to be of
EC type and use sha256 as name alg.
That should be temporary: I just ran out of steam because openssl has
useful elliptic curve primitives. Apparently it has none for RSA-OAEP
so I'd have to write them from scratch.

[..]
+EVP_PKEY *
+openssl_read_public_key(char *filename)
+{
+ BIO *b = NULL;
+ EVP_PKEY *pkey;
+
+ b = BIO_new_file(filename, "r");
+ if (b == NULL) {
+ fprintf(stderr, "Error opening file for read:
%s\n", filename);
+ return NULL;
+ }
+
+ if ((pkey = PEM_read_bio_PUBKEY(b, NULL, NULL, NULL)) ==
NULL) {
+ fprintf(stderr, "Reading key %s from disk
failed.\n", filename);
+ openssl_print_errors();
+ }
+ BIO_free(b);
+
+ return pkey;
+}
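Review bot: the two failure paths in openssl_read_public_key() report differently: the PEM_read_bio_PUBKEY branch calls openssl_print_errors(), while the BIO_new_file branch prints only the filename, so the reason the open failed is lost. Calling openssl_print_errors() in the first branch as well would make them consistent, and the parameter can be declared `const char *filename` since it is only passed to BIO_new_file and fprintf.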
Here you are using spaces instead of tabs for indentation. Same in
openssl_read_key().
Heh, well, it was obviously just copied over in the cut and paste.

[...]
@@ -910,21 +1074,9 @@ int main(int argc, char **argv)
rsa = 0;
}

- dir = tpm2_set_unique_tssdir();
- rc = tpm2_create(&tssContext, dir);
- if (rc) {
- reason = "TSS_Create";
- goto out_err;
- }
-
- if ((parent & 0xff000000) == 0x40000000) {
- rc = tpm2_load_srk(tssContext, &phandle,
parent_auth, NULL, parent, version);
- if (rc) {
- reason = "tpm2_load_srk";
- goto out_delete;
- }
- } else {
- phandle = parent;
+ if (import && !wrap) {
+ fprintf(stderr, "Can only wrap importable keys\n");
This print is a bit misleading. You can actually wrap a loadable key.
I guess this should be "Importable keys must be wrapped" or similar.
Yes, that sounds better, care to submit a patch?
Not really. My comments were just minor things I noticed when going
through the change, and I posted them just in case you wanted to fix
some of them before pushing the change.

--
Fredrik Ternerot

Re: [PATCH 3/4] Add importable keys

James Bottomley
 

On Thu, 2018-11-15 at 10:57 +0100, Fredrik Ternerot wrote:
On Wed, Nov 14, 2018 at 4:56 PM James Bottomley
<James.Bottomley@...> wrote:
[...]
diff --git a/create_tpm2_key.1.in b/create_tpm2_key.1.in
index 0e52d86..6ec5f25 100644
--- a/create_tpm2_key.1.in
+++ b/create_tpm2_key.1.in
@@ -7,6 +7,13 @@ Can be used to create a TPM loadable
representation of a private key.
The key is either internal to the TPM or wrapped from an existing
private key.

+Note that this command can now create two different types of keys:
+importable and loadable (the default type being loadable). The
+difference between the two is that the creation of loadable keys
+requires the presence of the actual TPM the key will be loaded
on. An
+importable key can be created without any TPM contact provided you
+have the public key of the parent the new key will be imported to.
+
Consider to add that the tool currently requires the parent to be of
EC type and use sha256 as name alg.
That should be temporary: I just ran out of steam because openssl has
useful elliptic curve primitives. Apparently it has none for RSA-OAEP
so I'd have to write them from scratch.

[..]
+EVP_PKEY *
+openssl_read_public_key(char *filename)
+{
+ BIO *b = NULL;
+ EVP_PKEY *pkey;
+
+ b = BIO_new_file(filename, "r");
+ if (b == NULL) {
+ fprintf(stderr, "Error opening file for read:
%s\n", filename);
+ return NULL;
+ }
+
+ if ((pkey = PEM_read_bio_PUBKEY(b, NULL, NULL, NULL)) ==
NULL) {
+ fprintf(stderr, "Reading key %s from disk
failed.\n", filename);
+ openssl_print_errors();
+ }
+ BIO_free(b);
+
+ return pkey;
+}
Here you are using spaces instead of tabs for indentation. Same in
openssl_read_key().
Heh, well, it was obviously just copied over in the cut and paste.

[...]
@@ -910,21 +1074,9 @@ int main(int argc, char **argv)
rsa = 0;
}

- dir = tpm2_set_unique_tssdir();
- rc = tpm2_create(&tssContext, dir);
- if (rc) {
- reason = "TSS_Create";
- goto out_err;
- }
-
- if ((parent & 0xff000000) == 0x40000000) {
- rc = tpm2_load_srk(tssContext, &phandle,
parent_auth, NULL, parent, version);
- if (rc) {
- reason = "tpm2_load_srk";
- goto out_delete;
- }
- } else {
- phandle = parent;
+ if (import && !wrap) {
+ fprintf(stderr, "Can only wrap importable keys\n");
This print is a bit misleading. You can actually wrap a loadable key.
I guess this should be "Importable keys must be wrapped" or similar.
Yes, that sounds better, care to submit a patch?

James

Re: [PATCH 2/4] tpm2-common: remove interfaces only used by create-tpm2-key

James Bottomley
 

On Thu, 2018-11-15 at 11:09 +0100, Fredrik Ternerot wrote:
On Wed, Nov 14, 2018 at 4:56 PM James Bottomley
<James.Bottomley@...> wrote:

The sensitive to duplicate interface is really only used for key
wrapping, and this is only done at key creation time, not on key
processing, so it has no place in the common code.

When moving to create_tpm2_key.c we change the calling convention
to make it more clear that we're not doing full conversion, merely
inner wrapping the key.

Signed-off-by: James Bottomley <James.Bottomley@...
om>
---
create_tpm2_key.c | 153
+++++++++++++++++++++++++++++++++++++++++++++++++-----
tpm2-common.c | 136 +-----------------------------------------
------
tpm2-common.h | 9 ----
3 files changed, 142 insertions(+), 156 deletions(-)

diff --git a/create_tpm2_key.c b/create_tpm2_key.c
index 2c7f3c1..899e434 100644
--- a/create_tpm2_key.c
+++ b/create_tpm2_key.c
@@ -15,6 +15,8 @@
#include <fcntl.h>
#include <ctype.h>

+#include <arpa/inet.h>
+
#include <sys/stat.h>
#include <sys/mman.h>

@@ -29,6 +31,7 @@
#include TSSINCLUDE(tssutils.h)
#include TSSINCLUDE(tssmarshal.h)
#include TSSINCLUDE(Unmarshal_fp.h)
+#include TSSINCLUDE(tsscrypto.h)
#include TSSINCLUDE(tsscryptoh.h)

#include "tpm2-asn.h"
@@ -134,6 +137,139 @@ int hex2bin(unsigned char *dst, const char
*src, size_t count)
return 0;
}

+TPM_RC tpm2_ObjectPublic_GetName(TPM2B_NAME *name,
+ TPMT_PUBLIC *tpmtPublic)
+{
+ TPM_RC rc = 0;
+ uint16_t written = 0;
+ TPMT_HA digest;
+ uint32_t sizeInBytes;
+ uint8_t buffer[MAX_RESPONSE_SIZE];
+
+ /* marshal the TPMT_PUBLIC */
+ if (rc == 0) {
+ INT32 size = MAX_RESPONSE_SIZE;
+ uint8_t *buffer1 = buffer;
+ rc = TSS_TPMT_PUBLIC_Marshal(tpmtPublic, &written,
&buffer1, &size);
+ }
+ /* hash the public area */
+ if (rc == 0) {
+ sizeInBytes = TSS_GetDigestSize(tpmtPublic-
nameAlg);
+ digest.hashAlg = tpmtPublic->nameAlg; /* Name
digest algorithm */
+ /* generate the TPMT_HA */
+ rc = TSS_Hash_Generate(&digest,
+ written, buffer,
+ 0, NULL);
+ }
+ if (rc == 0) {
+ /* copy the digest */
+ memcpy(name->t.name + sizeof(TPMI_ALG_HASH),
(uint8_t *)&digest.digest, sizeInBytes);
+ /* copy the hash algorithm */
+ TPMI_ALG_HASH nameAlgNbo = htons(tpmtPublic-
nameAlg);
+ memcpy(name->t.name, (uint8_t *)&nameAlgNbo,
sizeof(TPMI_ALG_HASH));
+ /* set the size */
+ name->t.size = sizeInBytes + sizeof(TPMI_ALG_HASH);
+ }
+ return rc;
+}
+
+/*
+ * Cut down version of Part 4 Supporting Routines 7.6.3.10
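Review bot: tpm2_ObjectPublic_GetName() is added to create_tpm2_key.c without `static`, although the commit message says these interfaces are only used at key creation time and the diffstat removes lines from tpm2-common.h; unless another file still calls it, declare it static so it does not stay a global symbol. In the same function the first `if (rc == 0)` tests a value that was initialised to 0 two declarations earlier, so that guard can go or the initialiser can be dropped.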
I think this comment is confusing since neither the function name nor
the prototype follows the supporting routine anymore. I suggest to
either clarify or remove it.
The content of the routine was cut and pasted from the document (at
least the parts we need were) so I do think saying where it came from
is useful. The outer wrapper routine wasn't: I constructed that one by
reading the architecture manual, which is why that one doesn't have a
reference.

James

Re: [PATCH 1/1] create_tpm2_key: correct size of public area

Fredrik Ternerot <fredrik.ternerot@...>
 

On Thu, Nov 15, 2018 at 08:03:23 -0800, James Bottomley wrote:
On Thu, 2018-11-15 at 08:39 +0100, Fredrik Ternerot wrote:
On Wed, Oct 31, 2018 at 13:54:52 +0100, Fredrik Ternerot wrote:
TPM2B_PUBLIC.size should be the size of TPM2B_PUBLIC.publicArea and
not
the size of TPM2B_PUBLIC itself.

Signed-off-by: Fredrik Ternerot <fredrikt@...>
---
create_tpm2_key.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/create_tpm2_key.c b/create_tpm2_key.c
index 0be8e43..41b738e 100644
--- a/create_tpm2_key.c
+++ b/create_tpm2_key.c
@@ -414,7 +414,7 @@ TPM_RC openssl_to_tpm_public_rsa(TPMT_PUBLIC
*pub, EVP_PKEY *pkey)
TPM_RC openssl_to_tpm_public(TPM2B_PUBLIC *pub, EVP_PKEY *pkey)
{
TPMT_PUBLIC *tpub = &pub->publicArea;
- pub->size = sizeof(*pub);
+ pub->size = sizeof(*tpub);

switch (EVP_PKEY_type(EVP_PKEY_id(pkey))) {
case EVP_PKEY_RSA:
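Review bot: on the changed line, sizeof(*tpub) is the compiler's in-memory size of the TPMT_PUBLIC structure, not a count of marshalled bytes, so the new value still does not describe the public area as it is written out. If pub->size is meant to carry that length it should come from the marshalling step; if nothing reads it before marshalling, removing the assignment avoids implying that it matters.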
--
2.11.0
Hi James,

I can not find this in the next branch. Would you mind take this in?
Actually, the whole line is wrong (or at least irrelevant) and should
probably be removed: the size of all named TPM2Bs is calculated on
marshal so while we deal with the unmarshalled publicArea, the value
has no meaning at all and will be ignored in the marshalled structure.
I see. Then I suggest to remove the line to not cause confusion for
more people in the future.

--
Fredrik Ternerot

Re: OpenVPN with OpenSSL engine not working on fedora 28

James Bottomley
 

On Thu, 2018-11-15 at 12:51 -0800, ignaciox.jaureguiberry@...
wrote:
Hi everyone!

We aren’t able to use OpenVPN with OpenSSL engine. When starting the
OpenVPN client, we get:

$ openvpn --engine tpm2 --config client.conf
Wed Nov 14 16:46:14 2018 WARNING: file '/etc/openvpn/client/key_file'
is group or others accessible
Wed Nov 14 16:46:14 2018 OpenVPN 2.5_git [git:tpm-patch-
v4/849006bf17bba524+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4]
[EPOLL] [MH/PKTINFO] [AEAD] built on Nov 13 2018
Wed Nov 14 16:46:14 2018 library versions: OpenSSL 1.0.2p 14 Aug
2018, LZO 2.08
Wed Nov 14 16:46:14 2018 Initializing OpenSSL support for engine
'tpm2'
Wed Nov 14 16:46:14 2018 OpenSSL: error:0906D06C:PEM
routines:PEM_read_bio:no start line
Wed Nov 14 16:46:14 2018 OpenSSL: error:0906D06C:PEM
routines:PEM_read_bio:no start line
Wed Nov 14 16:46:14 2018 PEM_read_bio failed, now trying engine
method to load private key
Wed Nov 14 16:46:14 2018 OpenSSL: error:26096075:engine
routines:ENGINE_load_private_key:not initialised
Wed Nov 14 16:46:14 2018 Engine could not load key file
Wed Nov 14 16:46:14 2018 Exiting due to fatal error
You're using my patch, I think? It has a bug in that it doesn't call
ENGINE_init() ENGINE_finish(). You can either add that or add an
initialisation line in openssl.cnf like this

[openssl_init]
engines = engines_section

[engines_section]
tpm2 = tpm2_section

[tpm2_section]
init = 1

I'll take an action to re-roll and resubmit that patch.

James
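
The reply above gives the three sections but not how OpenSSL reaches them: the config loader starts from the `openssl_conf` name in the unnamed default section, so a snippet pasted under a section name that nothing points to is never read. The following is an added example, not code from the thread or from openssl_tpm2_engine; the function names are hypothetical and the parser handles only the plain subset of the config syntax (sections, `name = value`, `#` comments).

```python
import re

# The three sections exactly as quoted in the reply (no openssl_conf line).
REPLY_SNIPPET = """\
[openssl_init]
engines = engines_section

[engines_section]
tpm2 = tpm2_section

[tpm2_section]
init = 1
"""

# Constructed sample: the same sections, referenced from the default section.
WIRED = "openssl_conf = openssl_init\n\n" + REPLY_SNIPPET

SECTION_RE = re.compile(r"\[\s*([^\]\s]+)\s*\]")


def parse_openssl_cnf(text):
    """Return {section: {name: value}}; text before any header is 'default'."""
    sections = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        header = SECTION_RE.fullmatch(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            name, value = line.split("=", 1)
            sections[current][name.strip()] = value.strip()
    return sections


def engine_init_status(text, engine="tpm2"):
    """Follow openssl_conf -> engines -> engine section; say where it breaks."""
    sections = parse_openssl_cnf(text)
    init_name = sections["default"].get("openssl_conf")
    if init_name is None:
        return "no-openssl_conf"          # nothing points at any init section
    init_sec = sections.get(init_name)
    if init_sec is None:
        return "missing-section:" + init_name
    engines_name = init_sec.get("engines")
    if engines_name is None:
        return "no-engines-key"
    engines = sections.get(engines_name)
    if engines is None:
        return "missing-section:" + engines_name
    for key, sec_name in engines.items():
        sec = sections.get(sec_name)
        if sec is None:
            if key == engine:
                return "missing-section:" + sec_name
            continue
        # The entry name is the engine id unless engine_id overrides it.
        if sec.get("engine_id", key) == engine:
            return "ok" if sec.get("init") == "1" else "init-not-1"
    return "engine-not-listed"


if __name__ == "__main__":
    for label, cnf in (("reply snippet alone", REPLY_SNIPPET),
                       ("wired into default section", WIRED)):
        print(label + ":", engine_init_status(cnf))
```
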

OpenVPN with OpenSSL engine not working on fedora 28

ignaciox.jaureguiberry@...
 

Hi everyone!

We aren’t able to use OpenVPN with OpenSSL engine. When starting the OpenVPN client, we get:

$ openvpn --engine tpm2 --config client.conf
Wed Nov 14 16:46:14 2018 WARNING: file '/etc/openvpn/client/key_file' is group or others accessible
Wed Nov 14 16:46:14 2018 OpenVPN 2.5_git [git:tpm-patch-v4/849006bf17bba524+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 13 2018
Wed Nov 14 16:46:14 2018 library versions: OpenSSL 1.0.2p 14 Aug 2018, LZO 2.08
Wed Nov 14 16:46:14 2018 Initializing OpenSSL support for engine 'tpm2'
Wed Nov 14 16:46:14 2018 OpenSSL: error:0906D06C:PEM routines:PEM_read_bio:no start line
Wed Nov 14 16:46:14 2018 OpenSSL: error:0906D06C:PEM routines:PEM_read_bio:no start line
Wed Nov 14 16:46:14 2018 PEM_read_bio failed, now trying engine method to load private key
Wed Nov 14 16:46:14 2018 OpenSSL: error:26096075:engine routines:ENGINE_load_private_key:not initialised
Wed Nov 14 16:46:14 2018 Engine could not load key file
Wed Nov 14 16:46:14 2018 Exiting due to fatal error

About our environment:
• Fedora 28
• openssl-1.0.2p
• ibmtss1119
• openssl_tpm2_engine-2.0.0
• openvpn (patched with https://patchwork.openvpn.net/patch/231/, over OpenVPN commit 849006bf17bba524e6f3344598adcbe41bedf450)

We’ve successfully executed all the required steps documented in the README of openssl_tpm2_engine, including launching an https server on port 4433.
Maybe the problem is the OpenVPN configuration? We pointed the *key* parameter to the “key_file” (the file generated by *create_tpm2_key*, that has *BEGIN TSS2 PRIVATE KEY* in the first line).

ca /etc/openvpn/client/ca.crt
cert /etc/openvpn/client/client.crt
cipher AES-256-CBC
client
dev tun
key /etc/openvpn/client/key_file
nobind
persist-key
persist-tun
proto udp
remote x.x.x.x 1194
remote-cert-tls server
resolv-retry infinite
tls-auth /etc/openvpn/client/ta.key 1
verb 3

Also, we can see using strace that *client.crt* and *key_file* are opened and read, and after that OpenVPN exits with error.
We’re feeling we’ve advanced a lot, and this is failing for some minor configuration detail. Can anyone give us some hint?

Thanks in advance

Re: [PATCH 1/1] create_tpm2_key: correct size of public area

James Bottomley
 

On Thu, 2018-11-15 at 08:39 +0100, Fredrik Ternerot wrote:
On Wed, Oct 31, 2018 at 13:54:52 +0100, Fredrik Ternerot wrote:
TPM2B_PUBLIC.size should be the size of TPM2B_PUBLIC.publicArea and not
the size of TPM2B_PUBLIC itself.

Signed-off-by: Fredrik Ternerot <fredrikt@...>
---
create_tpm2_key.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/create_tpm2_key.c b/create_tpm2_key.c
index 0be8e43..41b738e 100644
--- a/create_tpm2_key.c
+++ b/create_tpm2_key.c
@@ -414,7 +414,7 @@ TPM_RC openssl_to_tpm_public_rsa(TPMT_PUBLIC
*pub, EVP_PKEY *pkey)
TPM_RC openssl_to_tpm_public(TPM2B_PUBLIC *pub, EVP_PKEY *pkey)
{
TPMT_PUBLIC *tpub = &pub->publicArea;
- pub->size = sizeof(*pub);
+ pub->size = sizeof(*tpub);

switch (EVP_PKEY_type(EVP_PKEY_id(pkey))) {
case EVP_PKEY_RSA:
--
2.11.0

Hi James,

I cannot find this in the next branch. Would you mind taking this in?

Actually, the whole line is wrong (or at least irrelevant) and should
probably be removed: the size of all named TPM2Bs is calculated on
marshal so while we deal with the unmarshalled publicArea, the value
has no meaning at all and will be ignored in the marshalled structure.

James
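
The point made in this thread, that the size prefix of a named TPM2B is produced by the marshal step and the value stored in the C structure is ignored, shown as an added example. It is not code from the project or from the TSS: the toy_* types and functions are simplified stand-ins, and the key values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for illustration, NOT the TSS definitions. */
typedef struct { uint16_t size; uint8_t buffer[256]; } toy_2b;
typedef struct {
    uint16_t type, nameAlg;
    uint32_t attributes;
    toy_2b authPolicy, unique;      /* both variable length on the wire */
} toy_public;
typedef struct { uint16_t size; toy_public publicArea; } toy_2b_public;

static uint8_t *put16(uint8_t *p, uint16_t v)      /* big-endian */
{
    p[0] = (uint8_t)(v >> 8);
    p[1] = (uint8_t)v;
    return p + 2;
}

static uint8_t *put2b(uint8_t *p, const toy_2b *b)
{
    memcpy(put16(p, b->size), b->buffer, b->size);
    return p + 2 + b->size;
}

/* Marshal into out (at least sizeof(*src) bytes). src->size is never read:
 * the prefix is back-filled with the bytes the public area really took. */
size_t toy_marshal(const toy_2b_public *src, uint8_t *out)
{
    const toy_public *a = &src->publicArea;
    uint8_t *p = put16(put16(out + 2, a->type), a->nameAlg);
    p = put16(put16(p, a->attributes >> 16), a->attributes & 0xffff);
    p = put2b(put2b(p, &a->authPolicy), &a->unique);
    put16(out, (uint16_t)(p - out - 2));
    return (size_t)(p - out);
}

/* Size prefix seen on the wire when the C field holds field_value. */
uint16_t wire_size_for(uint16_t field_value)
{
    toy_2b_public pub = { .size = field_value, .publicArea = {
        .type = 0x0001, .nameAlg = 0x000b,  /* TPM_ALG_RSA, TPM_ALG_SHA256 */
        .unique = { .size = 256 } } };      /* constructed 2048-bit modulus */
    uint8_t wire[sizeof(pub)];
    toy_marshal(&pub, wire);
    return (uint16_t)(wire[0] << 8 | wire[1]);
}

int main(void)
{
    printf("sizeof(*pub)=%zu sizeof(*tpub)=%zu wire=%u\n", sizeof(toy_2b_public),
           sizeof(toy_public), wire_size_for((uint16_t)sizeof(toy_public)));
    return 0;
}
```

Both the pre-patch value, sizeof(*pub), and the post-patch value, sizeof(*tpub), produce the same prefix, and neither struct size equals it.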

[PATCH] Correct engine name in README and man page

Fredrik Ternerot <fredrik.ternerot@...>
 

Engine is named tpm2 and not tpm.

Signed-off-by: Fredrik Ternerot <fredrikt@...>
---
README | 4 ++--
create_tpm2_key.1.in | 6 ++----
2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/README b/README
index 882d788..d83dcc2 100644
--- a/README
+++ b/README
@@ -108,8 +108,8 @@ Create a self-signed cert using the TPM engine:
need to do tssreadpublic -p 81000001 before it will work.

2. Make the openssl certificate request:
- $ openssl req -keyform engine -engine tpm -key <key file> -new -x509 -days 365 -out <certfilename>
+ $ openssl req -keyform engine -engine tpm2 -key <key file> -new -x509 -days 365 -out <certfilename>

3. Test using openssl:
- $ openssl s_server -cert <certfilename> -www -accept 4433 -keyform engine -engine tpm -key <keyfilename>
+ $ openssl s_server -cert <certfilename> -www -accept 4433 -keyform engine -engine tpm2 -key <keyfilename>
$ konqueror https://localhost:4433
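
Review bot: step 2 names the key placeholder <key file> while step 3 uses <keyfilename> for the same file. Both command lines are being rewritten here anyway, so use one spelling in both to avoid suggesting they are different inputs.
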
diff --git a/create_tpm2_key.1.in b/create_tpm2_key.1.in
index 6ec5f25..b49c931 100644
--- a/create_tpm2_key.1.in
+++ b/create_tpm2_key.1.in
@@ -70,12 +70,10 @@ Create a self-signed cert using the TPM engine:
need to do tssreadpublic -p 81000001 before it will work.

2. Make the openssl certificate request:
- $ openssl req -keyform engine -engine tpm -key <key file> -new -x509 -days 365
--out <certfilename>
+ $ openssl req -keyform engine -engine tpm2 -key <key file> -new -x509 -days 365 -out <certfilename>

3. Test using openssl:
- $ openssl s_server -cert <certfilename> -www -accept 4433 -keyform engine -engi
-ne tpm -key <keyfilename>
+ $ openssl s_server -cert <certfilename> -www -accept 4433 -keyform engine -engine tpm2 -key <keyfilename>

Creating an importable key:

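
Review bot: the commit message only mentions the engine name, but in create_tpm2_key.1.in this hunk also joins the two commands back onto single lines (the old text put "-out <certfilename>" on a line of its own and split "-engine" as "-engi" / "ne tpm"). Mention the unwrapping in the commit message so the 4 insertions and 6 deletions in the diffstat are accounted for.
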
--
2.11.0

Re: [PATCH 1/1] create_tpm2_key: correct size of public area

Fredrik Ternerot <fredrik.ternerot@...>
 

On Wed, Oct 31, 2018 at 13:54:52 +0100, Fredrik Ternerot wrote:
TPM2B_PUBLIC.size should be the size of TPM2B_PUBLIC.publicArea and not
the size of TPM2B_PUBLIC itself.

Signed-off-by: Fredrik Ternerot <fredrikt@...>
---
create_tpm2_key.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/create_tpm2_key.c b/create_tpm2_key.c
index 0be8e43..41b738e 100644
--- a/create_tpm2_key.c
+++ b/create_tpm2_key.c
@@ -414,7 +414,7 @@ TPM_RC openssl_to_tpm_public_rsa(TPMT_PUBLIC *pub, EVP_PKEY *pkey)
TPM_RC openssl_to_tpm_public(TPM2B_PUBLIC *pub, EVP_PKEY *pkey)
{
TPMT_PUBLIC *tpub = &pub->publicArea;
- pub->size = sizeof(*pub);
+ pub->size = sizeof(*tpub);

switch (EVP_PKEY_type(EVP_PKEY_id(pkey))) {
case EVP_PKEY_RSA:
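
Review bot: sizeof(*tpub) on the added line is still the in-memory size of the C structure, not the number of bytes publicArea occupies once marshalled, so the new value is no closer to what a TPM2B size prefix means on the wire. If the marshal routine fills in the prefix itself, drop the assignment rather than changing it; if something does read pub->size before marshalling, the commit message should name that consumer.
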
--
2.11.0

Hi James,

I cannot find this in the next branch. Would you mind taking this in?

Regards,
Fredrik Ternerot

Re: [PATCH 2/4] tpm2-common: remove interfaces only used by create-tpm2-key

Fredrik Ternerot
 

On Wed, Nov 14, 2018 at 4:56 PM James Bottomley
<James.Bottomley@...> wrote:

The sensitive to duplicate interface is really only used for key
wrapping, and this is only done at key creation time, not on key
processing, so it has no place in the common code.

When moving to create_tpm2_key.c we change the calling convention to
make it more clear that we're not doing full conversion, merely inner
wrapping the key.

Signed-off-by: James Bottomley <James.Bottomley@...>
---
create_tpm2_key.c | 153 +++++++++++++++++++++++++++++++++++++++++++++++++-----
tpm2-common.c | 136 +-----------------------------------------------
tpm2-common.h | 9 ----
3 files changed, 142 insertions(+), 156 deletions(-)

diff --git a/create_tpm2_key.c b/create_tpm2_key.c
index 2c7f3c1..899e434 100644
--- a/create_tpm2_key.c
+++ b/create_tpm2_key.c
@@ -15,6 +15,8 @@
#include <fcntl.h>
#include <ctype.h>

+#include <arpa/inet.h>
+
#include <sys/stat.h>
#include <sys/mman.h>

@@ -29,6 +31,7 @@
#include TSSINCLUDE(tssutils.h)
#include TSSINCLUDE(tssmarshal.h)
#include TSSINCLUDE(Unmarshal_fp.h)
+#include TSSINCLUDE(tsscrypto.h)
#include TSSINCLUDE(tsscryptoh.h)

#include "tpm2-asn.h"
@@ -134,6 +137,139 @@ int hex2bin(unsigned char *dst, const char *src, size_t count)
return 0;
}

+TPM_RC tpm2_ObjectPublic_GetName(TPM2B_NAME *name,
+ TPMT_PUBLIC *tpmtPublic)
+{
+ TPM_RC rc = 0;
+ uint16_t written = 0;
+ TPMT_HA digest;
+ uint32_t sizeInBytes;
+ uint8_t buffer[MAX_RESPONSE_SIZE];
+
+ /* marshal the TPMT_PUBLIC */
+ if (rc == 0) {
+ INT32 size = MAX_RESPONSE_SIZE;
+ uint8_t *buffer1 = buffer;
+ rc = TSS_TPMT_PUBLIC_Marshal(tpmtPublic, &written, &buffer1, &size);
+ }
+ /* hash the public area */
+ if (rc == 0) {
+ sizeInBytes = TSS_GetDigestSize(tpmtPublic->nameAlg);
+ digest.hashAlg = tpmtPublic->nameAlg; /* Name digest algorithm */
+ /* generate the TPMT_HA */
+ rc = TSS_Hash_Generate(&digest,
+ written, buffer,
+ 0, NULL);
+ }
+ if (rc == 0) {
+ /* copy the digest */
+ memcpy(name->t.name + sizeof(TPMI_ALG_HASH), (uint8_t *)&digest.digest, sizeInBytes);
+ /* copy the hash algorithm */
+ TPMI_ALG_HASH nameAlgNbo = htons(tpmtPublic->nameAlg);
+ memcpy(name->t.name, (uint8_t *)&nameAlgNbo, sizeof(TPMI_ALG_HASH));
+ /* set the size */
+ name->t.size = sizeInBytes + sizeof(TPMI_ALG_HASH);
+ }
+ return rc;
+}
+
+/*
+ * Cut down version of Part 4 Supporting Routines 7.6.3.10

I think this comment is confusing since neither the function name nor
the prototype follows the supporting routine anymore. I suggest either
clarifying or removing it.

+ *
+ * Hard coded to symmetrically encrypt with aes128 as the inner
+ * wrapper and no outer wrapper but with a prototype that allows
+ * drop in replacement with a tss equivalent
+ */
+TPM_RC tpm2_innerwrap(TPMT_SENSITIVE *s,
+ TPMT_PUBLIC *pub,
+ TPMT_SYM_DEF_OBJECT *symdef,
+ TPM2B_DATA *innerkey,
+ TPM2B_PRIVATE *p)
+{
+ BYTE *buf = p->t.buffer;
+
+ p->t.size = 0;
+ memset(p, 0, sizeof(*p));
+
+ /* hard code AES CFB */
+ if (symdef->algorithm == TPM_ALG_AES
+ && symdef->mode.aes == TPM_ALG_CFB) {
+ TPMT_HA hash;
+ const TPM_ALG_ID nalg = pub->nameAlg;
+ const int hlen = TSS_GetDigestSize(nalg);
+ TPM2B *digest = (TPM2B *)buf;
+ TPM2B *s2b;
+ int32_t size;
+ unsigned char null_iv[AES_128_BLOCK_SIZE_BYTES];
+ UINT16 bsize, written = 0;
+ TPM2B_NAME name;
+
+ /* WARNING: don't use the static null_iv trick here:
+ * the AES routines alter the passed in iv */
+ memset(null_iv, 0, sizeof(null_iv));
+
+ /* reserve space for hash before the encrypted sensitive */
+ bsize = sizeof(digest->size) + hlen;
+ buf += bsize;
+ p->t.size += bsize;
+ s2b = (TPM2B *)buf;
+
+ /* marshal the digest size */
+ buf = (BYTE *)&digest->size;
+ bsize = hlen;
+ size = 2;
+ TSS_UINT16_Marshal(&bsize, &written, &buf, &size);
+
+ /* marshal the unencrypted sensitive in place */
+ size = sizeof(*s);
+ bsize = 0;
+ buf = s2b->buffer;
+ TSS_TPMT_SENSITIVE_Marshal(s, &bsize, &buf, &size);
+ buf = (BYTE *)&s2b->size;
+ size = 2;
+ TSS_UINT16_Marshal(&bsize, &written, &buf, &size);
+
+ bsize = bsize + sizeof(s2b->size);
+ p->t.size += bsize;
+
+ tpm2_ObjectPublic_GetName(&name, pub);
+ /* compute hash of unencrypted marshalled sensitive and
+ * write to the digest buffer */
+ hash.hashAlg = nalg;
+ TSS_Hash_Generate(&hash, bsize, s2b,
+ name.t.size, name.t.name,
+ 0, NULL);
+ memcpy(digest->buffer, &hash.digest, hlen);
+
+ /* encrypt hash and sensitive in place */
+ TSS_AES_EncryptCFB(p->t.buffer,
+ symdef->keyBits.aes,
+ innerkey->b.buffer,
+ null_iv,
+ p->t.size,
+ p->t.buffer);
+ } else if (symdef->algorithm == TPM_ALG_NULL) {
+ TPM2B *s2b = (TPM2B *)buf;
+ int32_t size = sizeof(*s);
+ UINT16 bsize = 0, written = 0;
+
+ buf = s2b->buffer;
+
+ /* marshal the unencrypted sensitive in place */
+ TSS_TPMT_SENSITIVE_Marshal(s, &bsize, &buf, &size);
+ buf = (BYTE *)&s2b->size;
+ size = 2;
+ TSS_UINT16_Marshal(&bsize, &written, &buf, &size);
+
+ p->b.size += bsize + sizeof(s2b->size);
+ } else {
+ printf("Unknown symmetric algorithm\n");
+ return TPM_RC_SYMMETRIC;
+ }
+
+ return TPM_RC_SUCCESS;
+}
+
TPM_RC
parse_policy_file(const char *policy_file, STACK_OF(TSSOPTPOLICY) *sk,
char *auth, TPMT_HA *digest)
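
Review bot: tpm2_innerwrap discards the return codes of TSS_TPMT_SENSITIVE_Marshal, TSS_Hash_Generate and TSS_AES_EncryptCFB, and the AES branch falls through to "return TPM_RC_SUCCESS" whatever happened. Since the function is being moved and renamed anyway, collect rc from each call and return on the first failure. Separately, "size = sizeof(*s)" bounds the marshal by the size of the source structure rather than by the space left in p->t.buffer; tpm2_ObjectPublic_GetName in this same hunk passes the destination capacity (MAX_RESPONSE_SIZE) for that argument.
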
@@ -827,7 +963,6 @@ int main(int argc, char **argv)
if (wrap) {
EVP_PKEY *pkey;
TPMT_SENSITIVE s;
- TPM2B_NAME name;

/* may be needed to decrypt the key */
OpenSSL_add_all_ciphers();
@@ -878,19 +1013,13 @@ int main(int argc, char **argv)

/* set the NODA flag */
iin.objectPublic.publicArea.objectAttributes.val |= noda;
- rc = tpm2_ObjectPublic_GetName(&name,
- &iin.objectPublic.publicArea);
- if (rc) {
- reason = "tpm2_ObjectPublic_GetName";
- goto out_flush;
- }

- rc = tpm2_SensitiveToDuplicate(&s, &name, name_alg, NULL,
- &iin.symmetricAlg,
- &iin.encryptionKey,
- &iin.duplicate);
+ rc = tpm2_innerwrap(&s, &iin.objectPublic.publicArea,
+ &iin.symmetricAlg,
+ &iin.encryptionKey,
+ &iin.duplicate);
if (rc) {
- reason = "tpm2_SensitiveToDuplicate";
+ reason = "tpm2_innerwrap";
goto out_flush;
}

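
Review bot: the removed block was the only place where a tpm2_ObjectPublic_GetName failure was reported (reason = "tpm2_ObjectPublic_GetName"; goto out_flush;), and the replacement call inside tpm2_innerwrap ignores the return value. A failure to marshal or hash the public area would now go on to mix an uninitialised name into the integrity digest and still reach this "if (rc)" with success. Check the result inside tpm2_innerwrap and return it so this error path keeps working.
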
diff --git a/tpm2-common.c b/tpm2-common.c
index 9d1737b..bf950ec 100644
--- a/tpm2-common.c
+++ b/tpm2-common.c
@@ -8,16 +8,14 @@
#include <string.h>
#include <unistd.h>

-#include <arpa/inet.h>
-
#include <openssl/evp.h>
#include <openssl/rsa.h>
+#include <openssl/ec.h>

#define TSSINCLUDE(x) < TSS_INCLUDE/x >
#include TSSINCLUDE(tss.h)
#include TSSINCLUDE(tssresponsecode.h)
#include TSSINCLUDE(tssmarshal.h)
-#include TSSINCLUDE(tsscrypto.h)
#include TSSINCLUDE(tsscryptoh.h)
#include TSSINCLUDE(Unmarshal_fp.h)

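
Review bot: #include <openssl/ec.h> is added to tpm2-common.c in this hunk, but nothing in the patch description (removing interfaces only used by create_tpm2_key) calls for it. If existing code in this file needs the header, say so in the commit message or move the include to the patch that introduces that user.
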
@@ -739,138 +737,6 @@ TPM_RC tpm2_init_session(TSS_CONTEXT *tssContext, TPM_HANDLE handle,
return rc;
}

-/*
- * Cut down version of Part 4 Supporting Routines 7.6.3.10
- *
- * Hard coded to symmetrically encrypt with aes128 as the inner
- * wrapper and no outer wrapper but with a prototype that allows
- * drop in replacement with a tss equivalent
- */
-TPM_RC tpm2_SensitiveToDuplicate(TPMT_SENSITIVE *s,
- TPM2B_NAME *name,
- TPM_ALG_ID nalg,
- TPM2B_SEED *seed,
- TPMT_SYM_DEF_OBJECT *symdef,
- TPM2B_DATA *innerkey,
- TPM2B_PRIVATE *p)
-{
- BYTE *buf = p->t.buffer;
-
- p->t.size = 0;
- memset(p, 0, sizeof(*p));
-
- /* hard code AES CFB */
- if (symdef->algorithm == TPM_ALG_AES
- && symdef->mode.aes == TPM_ALG_CFB) {
- TPMT_HA hash;
- const int hlen = TSS_GetDigestSize(nalg);
- TPM2B *digest = (TPM2B *)buf;
- TPM2B *s2b;
- int32_t size;
- unsigned char null_iv[AES_128_BLOCK_SIZE_BYTES];
- UINT16 bsize, written = 0;
-
- /* WARNING: don't use the static null_iv trick here:
- * the AES routines alter the passed in iv */
- memset(null_iv, 0, sizeof(null_iv));
-
- /* reserve space for hash before the encrypted sensitive */
- bsize = sizeof(digest->size) + hlen;
- buf += bsize;
- p->t.size += bsize;
- s2b = (TPM2B *)buf;
-
- /* marshal the digest size */
- buf = (BYTE *)&digest->size;
- bsize = hlen;
- size = 2;
- TSS_UINT16_Marshal(&bsize, &written, &buf, &size);
-
- /* marshal the unencrypted sensitive in place */
- size = sizeof(*s);
- bsize = 0;
- buf = s2b->buffer;
- TSS_TPMT_SENSITIVE_Marshal(s, &bsize, &buf, &size);
- buf = (BYTE *)&s2b->size;
- size = 2;
- TSS_UINT16_Marshal(&bsize, &written, &buf, &size);
-
- bsize = bsize + sizeof(s2b->size);
- p->t.size += bsize;
-
- /* compute hash of unencrypted marshalled sensitive and
- * write to the digest buffer */
- hash.hashAlg = nalg;
- TSS_Hash_Generate(&hash, bsize, s2b,
- name->t.size, name->t.name,
- 0, NULL);
- memcpy(digest->buffer, &hash.digest, hlen);
-
- /* encrypt hash and sensitive in place */
- TSS_AES_EncryptCFB(p->t.buffer,
- symdef->keyBits.aes,
- innerkey->b.buffer,
- null_iv,
- p->t.size,
- p->t.buffer);
- } else if (symdef->algorithm == TPM_ALG_NULL) {
- TPM2B *s2b = (TPM2B *)buf;
- int32_t size = sizeof(*s);
- UINT16 bsize = 0, written = 0;
-
- buf = s2b->buffer;
-
- /* marshal the unencrypted sensitive in place */
- TSS_TPMT_SENSITIVE_Marshal(s, &bsize, &buf, &size);
- buf = (BYTE *)&s2b->size;
- size = 2;
- TSS_UINT16_Marshal(&bsize, &written, &buf, &size);
-
- p->b.size += bsize + sizeof(s2b->size);
- } else {
- printf("Unknown symmetric algorithm\n");
- return TPM_RC_SYMMETRIC;
- }
-
- return TPM_RC_SUCCESS;
-}
-
-TPM_RC tpm2_ObjectPublic_GetName(TPM2B_NAME *name,
- TPMT_PUBLIC *tpmtPublic)
-{
- TPM_RC rc = 0;
- uint16_t written = 0;
- TPMT_HA digest;
- uint32_t sizeInBytes;
- uint8_t buffer[MAX_RESPONSE_SIZE];
-
- /* marshal the TPMT_PUBLIC */
- if (rc == 0) {
- INT32 size = MAX_RESPONSE_SIZE;
- uint8_t *buffer1 = buffer;
- rc = TSS_TPMT_PUBLIC_Marshal(tpmtPublic, &written, &buffer1, &size);
- }
- /* hash the public area */
- if (rc == 0) {
- sizeInBytes = TSS_GetDigestSize(tpmtPublic->nameAlg);
- digest.hashAlg = tpmtPublic->nameAlg; /* Name digest algorithm */
- /* generate the TPMT_HA */
- rc = TSS_Hash_Generate(&digest,
- written, buffer,
- 0, NULL);
- }
- if (rc == 0) {
- /* copy the digest */
- memcpy(name->t.name + sizeof(TPMI_ALG_HASH), (uint8_t *)&digest.digest, sizeInBytes);
- /* copy the hash algorithm */
- TPMI_ALG_HASH nameAlgNbo = htons(tpmtPublic->nameAlg);
- memcpy(name->t.name, (uint8_t *)&nameAlgNbo, sizeof(TPMI_ALG_HASH));
- /* set the size */
- name->t.size = sizeInBytes + sizeof(TPMI_ALG_HASH);
- }
- return rc;
-}
-
TPMI_ECC_CURVE tpm2_curve_name_to_TPMI(const char *name)
{
int i;
diff --git a/tpm2-common.h b/tpm2-common.h
index 1cf3b23..6111243 100644
--- a/tpm2-common.h
+++ b/tpm2-common.h
@@ -23,15 +23,6 @@ TPM_RC tpm2_init_session(TSS_CONTEXT *tssContext, TPM_HANDLE handle,
TPM_ALG_ID name_alg);
TPM_RC tpm2_get_bound_handle(TSS_CONTEXT *tssContext, TPM_HANDLE *handle,
TPM_HANDLE bind, const char *auth);
-TPM_RC tpm2_SensitiveToDuplicate(TPMT_SENSITIVE *s,
- TPM2B_NAME *name,
- TPM_ALG_ID nalg,
- TPM2B_SEED *seed,
- TPMT_SYM_DEF_OBJECT *symdef,
- TPM2B_DATA *innerkey,
- TPM2B_PRIVATE *p);
-TPM_RC tpm2_ObjectPublic_GetName(TPM2B_NAME *name,
- TPMT_PUBLIC *tpmtPublic);
TPMI_ECC_CURVE tpm2_curve_name_to_TPMI(const char *name);
int tpm2_curve_name_to_nid(TPMI_ECC_CURVE curve);
TPMI_ECC_CURVE tpm2_nid_to_curve_name(int nid);
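
Review bot: with both prototypes dropped from tpm2-common.h, tpm2_ObjectPublic_GetName and tpm2_innerwrap as added to create_tpm2_key.c still have external linkage. Mark them static there so the compiler can flag them if they become unused and so the names cannot clash with a TSS-provided equivalent later.
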
--
2.16.4