xref: /aosp_15_r20/external/ms-tpm-20-ref/TPMCmd/tpm/src/crypt/CryptEccCrypt.c (revision 5c591343844d1f9da7da26467c4bf7efc8a7a413)

/* Microsoft Reference Implementation for TPM 2.0
 *
 *  The copyright in this software is being made available under the BSD License,
 *  included below. This software may be subject to other third party and
 *  contributor rights, including patent rights, and no such rights are granted
 *  under this license.
 *
 *  Copyright (c) Microsoft Corporation
 *
 *  All rights reserved.
 *
 *  BSD License
 *
 *  Redistribution and use in source and binary forms, with or without modification,
 *  are permitted provided that the following conditions are met:
 *
 *  Redistributions of source code must retain the above copyright notice, this list
 *  of conditions and the following disclaimer.
 *
 *  Redistributions in binary form must reproduce the above copyright notice, this
 *  list of conditions and the following disclaimer in the documentation and/or
 *  other materials provided with the distribution.
 *
 *  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ""AS IS""
 *  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 *  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 *  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
 *  ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 *  (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 *  LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
 *  ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 *  (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 *  SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
//** Includes and Defines
#include "Tpm.h"

#if CC_ECC_Encrypt || CC_ECC_Encrypt

//** Functions

//*** CryptEccSelectScheme()
// This function is used by TPM2_ECC_Decrypt and TPM2_ECC_Encrypt.  It sets scheme
// either the input scheme or the key scheme. If they key scheme is not TPM_ALG_NULL
// then the input scheme must be TPM_ALG_NULL or the same as the key scheme. If
// not, then the function returns FALSE.
//  Return Type: BOOL
//      TRUE        'scheme' is set
//      FALSE       'scheme' is not valid (it may have been changed).
BOOL
CryptEccSelectScheme(
    OBJECT              *key,           //IN: key containing default scheme
    TPMT_KDF_SCHEME     *scheme         // IN: a decrypt scheme
)
{
    TPMT_KDF_SCHEME    *keyScheme = &key->publicArea.parameters.eccDetail.kdf;

    // Get sign object pointer
    if(scheme->scheme == TPM_ALG_NULL)
        *scheme = *keyScheme;
    if(keyScheme->scheme == TPM_ALG_NULL)
        keyScheme = scheme;
    return (scheme->scheme != TPM_ALG_NULL &&
                (keyScheme->scheme == scheme->scheme
            && keyScheme->details.anyKdf.hashAlg == scheme->details.anyKdf.hashAlg));
}



//*** CryptEccEncrypt()
//This function performs ECC-based data obfuscation. The only scheme that is currently
// supported is MGF1 based. See Part 1, Annex D for details.
//  Return Type: TPM_RC
//      TPM_RC_CURVE            unsupported curve
//      TPM_RC_HASH             hash not allowed
//      TPM_RC_SCHEME           'scheme' is not supported
//      TPM_RC_NO_RESULT        internal error in big number processing
LIB_EXPORT TPM_RC
CryptEccEncrypt(
    OBJECT                  *key,           // IN: public key of recipient
    TPMT_KDF_SCHEME         *scheme,        // IN: scheme to use.
    TPM2B_MAX_BUFFER        *plainText,     // IN: the text to obfuscate
    TPMS_ECC_POINT          *c1,            // OUT: public ephemeral key
    TPM2B_MAX_BUFFER        *c2,            // OUT: obfuscated text
    TPM2B_DIGEST            *c3             // OUT: digest of ephemeral key
                                            //      and plainText
)
{
    CURVE_INITIALIZED(E, key->publicArea.parameters.eccDetail.curveID);
    POINT_INITIALIZED(PB, &key->publicArea.unique.ecc);
    POINT_VAR(Px, MAX_ECC_KEY_BITS);
    TPMS_ECC_POINT          p2;
    ECC_NUM(D);
    TPM2B_TYPE(2ECC, MAX_ECC_KEY_BYTES * 2);
    TPM2B_2ECC              z;
    int                     i;
    HASH_STATE              hashState;
    TPM_RC                  retVal = TPM_RC_SUCCESS;
    //
#if defined DEBUG_ECC_ENCRYPT && DEBUG_ECC_ENCRYPT == YES
    RND_DEBUG           dbg;
    // This value is one less than the value from the reference so that it
    // will become the correct value after having one added
    TPM2B_ECC_PARAMETER k = {24, {
        0x38, 0x4F, 0x30, 0x35, 0x30, 0x73, 0xAE, 0xEC,
        0xE7, 0xA1, 0x65, 0x43, 0x30, 0xA9, 0x62, 0x04,
        0xD3, 0x79, 0x82, 0xA3, 0xE1, 0x5B, 0x2C, 0xB4}};
    RND_DEBUG_Instantiate(&dbg, &k.b);
#   define RANDOM      (RAND_STATE *)&dbg

#else
#   define RANDOM      NULL
#endif
    if (E == NULL)
        ERROR_RETURN(TPM_RC_CURVE);
    if (TPM_ALG_KDF2 != scheme->scheme)
        ERROR_RETURN(TPM_RC_SCHEME);
    // generate an ephemeral key from a random k
    if (!BnEccGenerateKeyPair(D, Px, E, RANDOM)
        // C1 is the public part of the ephemeral key
        || !BnPointTo2B(c1, Px, E)
        // Compute P2
        || (BnPointMult(Px, PB, D, NULL, NULL, E) != TPM_RC_SUCCESS)
        || !BnPointTo2B(&p2, Px, E))
        ERROR_RETURN(TPM_RC_NO_RESULT);

    //Compute the C3 value hash(x2 || M || y2)
    if (0 == CryptHashStart(&hashState, scheme->details.mgf1.hashAlg))
        ERROR_RETURN(TPM_RC_HASH);
    CryptDigestUpdate2B(&hashState, &p2.x.b);
    CryptDigestUpdate2B(&hashState, &plainText->b);
    CryptDigestUpdate2B(&hashState, &p2.y.b);
    c3->t.size = CryptHashEnd(&hashState, sizeof(c3->t.buffer), c3->t.buffer);

    MemoryCopy2B(&z.b, &p2.x.b, sizeof(z.t.buffer));
    MemoryConcat2B(&z.b, &p2.y.b, sizeof(z.t.buffer));
    // Generate the mask value from MGF1 and put it in the return buffer
    c2->t.size = CryptMGF_KDF(plainText->t.size, c2->t.buffer,
                           scheme->details.mgf1.hashAlg, z.t.size, z.t.buffer, 1);
    // XOR the plainText into the generated mask to create the obfuscated data
    for (i = 0; i < plainText->t.size; i++)
        c2->t.buffer[i] ^= plainText->t.buffer[i];
Exit:
    CURVE_FREE(E);
    return retVal;
}

//*** CryptEccDecrypt()
// This function performs ECC decryption and integrity check of the input data.
//  Return Type: TPM_RC
//      TPM_RC_CURVE            unsupported curve
//      TPM_RC_HASH             hash not allowed
//      TPM_RC_SCHEME           'scheme' is not supported
//      TPM_RC_NO_RESULT        internal error in big number processing
//      TPM_RC_VALUE            C3 did not match hash of recovered data
LIB_EXPORT TPM_RC
CryptEccDecrypt(
    OBJECT                  *key,           // IN: key used for data recovery
    TPMT_KDF_SCHEME         *scheme,        // IN: scheme to use.
    TPM2B_MAX_BUFFER        *plainText,     // OUT: the recovered text
    TPMS_ECC_POINT          *c1,            // IN: public ephemeral key
    TPM2B_MAX_BUFFER        *c2,            // IN: obfuscated text
    TPM2B_DIGEST            *c3             // IN: digest of ephemeral key
                                            //      and plainText
)
{
    CURVE_INITIALIZED(E, key->publicArea.parameters.eccDetail.curveID);
    ECC_INITIALIZED(D, &key->sensitive.sensitive.ecc.b);
    POINT_INITIALIZED(C1, c1);
    TPMS_ECC_POINT          p2;
    TPM2B_TYPE(2ECC, MAX_ECC_KEY_BYTES * 2);
    TPM2B_DIGEST            check;
    TPM2B_2ECC              z;
    int                     i;
    HASH_STATE              hashState;
    TPM_RC                  retVal = TPM_RC_SUCCESS;
 //
    if (E == NULL)
        ERROR_RETURN(TPM_RC_CURVE);
    if (TPM_ALG_KDF2 != scheme->scheme)
        ERROR_RETURN(TPM_RC_SCHEME);
    // Generate the Z value
    BnPointMult(C1, C1, D, NULL, NULL, E);
    BnPointTo2B(&p2, C1, E);

    // Start the hash to check the algorithm
    if (0 == CryptHashStart(&hashState, scheme->details.mgf1.hashAlg))
        ERROR_RETURN(TPM_RC_HASH);
    CryptDigestUpdate2B(&hashState, &p2.x.b);

    MemoryCopy2B(&z.b, &p2.x.b, sizeof(z.t.buffer));
    MemoryConcat2B(&z.b, &p2.y.b, sizeof(z.t.buffer));

    // Generate the mask
    plainText->t.size = CryptMGF_KDF(c2->t.size, plainText->t.buffer,
                                  scheme->details.mgf1.hashAlg, z.t.size,
                                  z.t.buffer, 1);
    // XOR the obfuscated data into the generated mask to create the plainText data
    for (i = 0; i < plainText->t.size; i++)
        plainText->t.buffer[i] ^= c2->t.buffer[i];

    // Complete the hash and verify the data
    CryptDigestUpdate2B(&hashState, &plainText->b);
    CryptDigestUpdate2B(&hashState, &p2.y.b);
    check.t.size = CryptHashEnd(&hashState, sizeof(check.t.buffer), check.t.buffer);
    if (!MemoryEqual2B(&check.b, &c3->b))
        ERROR_RETURN(TPM_RC_VALUE);
Exit:
    CURVE_FREE(E);
    return retVal;
}


#endif  // CC_ECC_Encrypt || CC_ECC_Encrypt