FAPI: Add ECC encryption/decryption to Fapi_Encrypt/Decrypt

The cipher produced by Fapi_Encrypt contains the marshaled data for
the c1, c2, and c3 parameter described in the TPM Spec 1.83.
TPM2B_ECC_POINT c1;
TPM2B_MAX_BUFFER c2;
TPM2B_DIGEST c3;

Signed-off-by: Juergen Repp <juergen_repp@web.de>

Author: JuergenReppSIT

Makefile-test.am

@@ -51,7 +51,7 @@ test_helper_tpm_cmd_tcti_dummy_LDFLAGS = $(TESTS_LDFLAGS)
 test_helper_tpm_cmd_tcti_dummy_LDADD = $(TESTS_LDADD)
 endif #UNIT
 
-### Rules to enumerate binary test files for FAPI from b64 files.
+### Rules to enerate binary test files for FAPI from b64 files.
 
 if FAPI
 FAPI_TEST_BINS = \
@@ -356,6 +356,7 @@ FAPI_TESTS_INTEGRATION = \
     test/integration/fapi-data-crypt-persistent.fint \
     test/integration/fapi-data-crypt-rsa.fint \
     test/integration/fapi-data-crypt-rsa-persistent.fint \
+    test/integration/fapi-ecc-encrypt-decrypt.fint \
     test/integration/fapi-duplicate.fint \
     test/integration/fapi-export-policy.fint \
     test/integration/fapi-ext-public-key.fint \
@@ -2514,6 +2515,13 @@ test_integration_fapi_data_crypt_rsa_persistent_fint_SOURCES = \
     test/integration/fapi-data-crypt.int.c \
     test/integration/main-fapi.c test/integration/test-fapi.h
 
+test_integration_fapi_ecc_encrypt_decrypt_fint_CFLAGS  = $(JSONC_CFLAGS) $(TESTS_CFLAGS)
+test_integration_fapi_ecc_encrypt_decrypt_fint_LDADD   = $(TESTS_LDADD)
+test_integration_fapi_ecc_encrypt_decrypt_fint_LDFLAGS = $(TESTS_LDFLAGS)
+test_integration_fapi_ecc_encrypt_decrypt_fint_SOURCES = \
+    test/integration/fapi-ecc-encrypt-decrypt.int.c \
+    test/integration/main-fapi.c test/integration/test-fapi.h
+
 test_integration_fapi_duplicate_fint_CFLAGS  = $(JSONC_CFLAGS) $(TESTS_CFLAGS)
 test_integration_fapi_duplicate_fint_LDADD   = $(TESTS_LDADD)
 test_integration_fapi_duplicate_fint_LDFLAGS = $(TESTS_LDFLAGS)

dist/fapi-profiles/P_ECCP256SHA256.json

@@ -11,6 +11,10 @@
             "hashAlg":"sha256"
         }
     },
+    "ecc_crypt_scheme": {
+        "scheme": "kdf2",
+        "details": { "hashAlg": "sha256"}
+    },
     "sym_mode":"cfb",
     "sym_parameters": {
         "algorithm":"aes",

dist/fapi-profiles/P_ECCP384SHA384.json

@@ -11,6 +11,10 @@
             "hashAlg":"sha384"
         }
     },
+    "ecc_crypt_scheme": {
+        "scheme": "kdf2",
+        "details": { "hashAlg": "sha384"}
+    },
     "sym_mode":"cfb",
     "sym_parameters": {
         "algorithm":"aes",

src/tss2-fapi/api/Fapi_Decrypt.c

@@ -21,12 +21,39 @@
 #include "tss2_common.h"     // for TSS2_RC, BYTE, TSS2_RC_SUCCESS, TSS2_BA...
 #include "tss2_esys.h"       // for Esys_SetTimeout, ESYS_TR_NONE, Esys_Flu...
 #include "tss2_fapi.h"       // for FAPI_CONTEXT, Fapi_Decrypt, Fapi_Decryp...
+#include "tss2_mu.h"         // for unmarshaling of encrypted ecc data.
 #include "tss2_tcti.h"       // for TSS2_TCTI_TIMEOUT_BLOCK
 #include "tss2_tpm2_types.h" // for TPM2B_PUBLIC_KEY_RSA, TPM2B_PUBLIC, TPM...
 
 #define LOGMODULE fapi
 #include "util/log.h" // for SAFE_FREE, LOG_TRACE, goto_if_error
 
+static TPM2_RC
+unmarshal_ecc_crypt_result(const uint8_t    *crypt_buf,
+                           size_t            size_crypt_buf,
+                           TPM2B_ECC_POINT  *c1,
+                           TPM2B_MAX_BUFFER *c2,
+                           TPM2B_DIGEST     *c3) {
+    TSS2_RC rc;
+    size_t  pos = 0;
+    size_t  offset = 0;
+
+    rc = Tss2_MU_TPM2B_ECC_POINT_Unmarshal(&crypt_buf[pos], size_crypt_buf, &offset, c1);
+    return_if_error(rc, "Unmarshal Point.");
+
+    pos += offset;
+    offset = 0;
+    rc = Tss2_MU_TPM2B_MAX_BUFFER_Unmarshal(&crypt_buf[pos], size_crypt_buf, &offset, c2);
+    return_if_error(rc, "Unmarshal Max Buffer.");
+
+    pos += offset;
+    offset = 0;
+    rc = Tss2_MU_TPM2B_DIGEST_Unmarshal(&crypt_buf[pos], size_crypt_buf, &offset, c3);
+    return_if_error(rc, "Unmarshal Digest.");
+
+    return rc;
+}
+
 /** One-Call function for Fapi_Decrypt
  *
  * Decrypts data that was previously encrypted with Fapi_Encrypt.
@@ -242,6 +269,7 @@ Fapi_Decrypt_Finish(FAPI_CONTEXT *context, uint8_t **plainText, size_t *plainTex
 
     TSS2_RC               r;
     TPM2B_PUBLIC_KEY_RSA *tpmPlainText = NULL;
+    TPM2B_MAX_BUFFER     *ecc_plain_text;
 
     /* Check for NULL parameters */
     check_not_null(context);
@@ -297,6 +325,12 @@ Fapi_Decrypt_Finish(FAPI_CONTEXT *context, uint8_t **plainText, size_t *plainTex
         r = ifapi_authorize_object(context, command->key_object, &command->auth_session);
         return_try_again(r);
         goto_if_error(r, "Authorize key.", error_cleanup);
+
+        if (command->key_object->misc.key.public.publicArea.type == TPM2_ALG_ECC) {
+            context->state = DATA_DECRYPT_PREPARE_ECC_ENCRYPTION;
+            return TSS2_FAPI_RC_TRY_AGAIN;
+        }
+
         TPM2B_DATA null_data = { .size = 0, .buffer = {} };
 
         /* Copy cipher data to tpm object */
@@ -319,15 +353,17 @@ Fapi_Decrypt_Finish(FAPI_CONTEXT *context, uint8_t **plainText, size_t *plainTex
         goto_if_error_reset_state(r, "RSA decryption.", error_cleanup);
 
         /* Duplicate the decrypted plaintext for returning to the user. */
-        if (plainTextSize)
-            command->plainTextSize = tpmPlainText->size;
         if (plainText) {
+            command->plainTextSize = tpmPlainText->size;
             command->plainText = malloc(tpmPlainText->size);
             goto_if_null(command->plainText, "Out of memory", TSS2_FAPI_RC_MEMORY, error_cleanup);
 
             memcpy(command->plainText, &tpmPlainText->buffer[0], tpmPlainText->size);
             SAFE_FREE(tpmPlainText);
         }
+        fallthrough;
+
+    statecase(context->state, DATA_DECRYPT_PREPARE_FLUSH);
 
         /* Flush the used key. */
         if (!command->key_object->misc.key.persistent_handle) {
@@ -358,6 +394,37 @@ Fapi_Decrypt_Finish(FAPI_CONTEXT *context, uint8_t **plainText, size_t *plainTex
             *plainTextSize = command->plainTextSize;
         break;
 
+    statecase(context->state, DATA_DECRYPT_PREPARE_ECC_ENCRYPTION)
+        /* Decrypt the actual data. */
+        TPM2B_ECC_POINT  c1;
+        TPM2B_MAX_BUFFER c2;
+        TPM2B_DIGEST     c3;
+
+        r = unmarshal_ecc_crypt_result(command->in_data, command->numBytes, &c1, &c2, &c3);
+        goto_if_error(r, "Unmarshal ECC cipher", error_cleanup);
+
+        r = Esys_ECC_Decrypt_Async(context->esys, context->cmd.Data_EncryptDecrypt.key_handle,
+                                   command->auth_session,
+                                   ENC_SESSION_IF_POLICY(command->auth_session), ESYS_TR_NONE, &c1,
+                                   &c2, &c3, &command->profile->ecc_crypt_scheme);
+        goto_if_error(r, "Error esys rsa decrypt", error_cleanup);
+        fallthrough;
+
+    statecase(context->state, DATA_DECRYPT_WAIT_FOR_ECC_DECRYPTION);
+        r = Esys_ECC_Decrypt_Finish(context->esys, &ecc_plain_text);
+        return_try_again(r);
+        goto_if_error_reset_state(r, "ECC decryption.", error_cleanup);
+        if (ecc_plain_text) {
+            command->plainTextSize = ecc_plain_text->size;
+            command->plainText = malloc(ecc_plain_text->size);
+            goto_if_null(command->plainText, "Out of memory", TSS2_FAPI_RC_MEMORY, error_cleanup);
+
+            memcpy(command->plainText, &ecc_plain_text->buffer[0], ecc_plain_text->size);
+            SAFE_FREE(ecc_plain_text);
+        }
+        context->state = DATA_DECRYPT_PREPARE_FLUSH;
+        return TSS2_FAPI_RC_TRY_AGAIN;
+
     statecasedefault(context->state);
     }
 

src/tss2-fapi/api/Fapi_Encrypt.c

@@ -21,6 +21,7 @@
 #include "tss2_common.h"     // for TSS2_RC, BYTE, TSS2_FAPI_RC_MEMORY, TSS...
 #include "tss2_esys.h"       // for Esys_SetTimeout, ESYS_TR_NONE, Esys_Flu...
 #include "tss2_fapi.h"       // for FAPI_CONTEXT, Fapi_Encrypt, Fapi_Encryp...
+#include "tss2_mu.h"         // for mashaling the result of ECC encryption.
 #include "tss2_tcti.h"       // for TSS2_TCTI_TIMEOUT_BLOCK
 #include "tss2_tpm2_types.h" // for TPM2B_PUBLIC_KEY_RSA, TPM2B_PUBLIC, TPM...
 
@@ -30,6 +31,45 @@
 
 #define IV_SIZE 16
 
+static TPM2_RC
+marshal_ecc_crypt_result(TPM2B_ECC_POINT  *c1,
+                         TPM2B_MAX_BUFFER *c2,
+                         TPM2B_DIGEST     *c3,
+                         uint8_t         **crypt_buf,
+                         size_t           *crypt_buf_size) {
+    TSS2_RC rc;
+    size_t  pos = 0;
+    size_t  offset = 0;
+    size_t  size_crypt_buf = c1->size + c2->size + c3->size + 3 * (sizeof(UINT16));
+
+    *crypt_buf = calloc(1, size_crypt_buf);
+
+    return_if_null(*crypt_buf, "Out of Memory", TSS2_FAPI_RC_MEMORY);
+
+    rc = Tss2_MU_TPM2B_ECC_POINT_Marshal(c1, &(*crypt_buf)[pos], size_crypt_buf, &offset);
+    goto_if_error(rc, "Error Marshal Point", error);
+
+    pos += offset;
+    offset = 0;
+
+    rc = Tss2_MU_TPM2B_MAX_BUFFER_Marshal(c2, &(*crypt_buf)[pos], size_crypt_buf, &offset);
+    goto_if_error(rc, "Marshal Max Digest", error);
+
+    pos += offset;
+    offset = 0;
+
+    rc = Tss2_MU_TPM2B_DIGEST_Marshal(c3, &(*crypt_buf)[pos], size_crypt_buf, &offset);
+    goto_if_error(rc, "Marshal Digest", error);
+
+    *crypt_buf_size = pos + offset;
+
+    return rc;
+
+error:
+    SAFE_FREE(*crypt_buf);
+    return rc;
+}
+
 /** One-Call function for Fapi_Encrypt
  *
  * Encrypt the provided data for the target key using the TPM encryption
@@ -334,8 +374,23 @@ Fapi_Encrypt_Finish(FAPI_CONTEXT *context, uint8_t **cipherText, size_t *cipherT
 
             context->state = DATA_ENCRYPT_WAIT_FOR_RSA_ENCRYPTION;
         } else if (public->publicArea.type == TPM2_ALG_ECC) {
-            goto_error(r, TSS2_FAPI_RC_NOT_IMPLEMENTED, "ECC Encryption not yet supported",
-                       error_cleanup);
+            TPM2B_MAX_BUFFER *ecc_message = (TPM2B_MAX_BUFFER *)&context->aux_data;
+            ecc_message->size = context->cmd.Data_EncryptDecrypt.in_dataSize;
+            memcpy(&ecc_message->buffer[0], context->cmd.Data_EncryptDecrypt.in_data,
+                   context->cmd.Data_EncryptDecrypt.in_dataSize);
+
+            r = Esys_TRSess_SetAttributes(context->esys, context->session1,
+                                          TPMA_SESSION_CONTINUESESSION | TPMA_SESSION_DECRYPT,
+                                          0xff);
+            goto_if_error_reset_state(r, "Set session attributes.", error_cleanup);
+
+            r = Esys_ECC_Encrypt_Async(context->esys, context->cmd.Data_EncryptDecrypt.key_handle,
+                                       context->session1, ESYS_TR_NONE, ESYS_TR_NONE, ecc_message,
+                                       &command->profile->ecc_crypt_scheme);
+            goto_if_error(r, "Error esys ecc encrypt", error_cleanup);
+
+            context->state = DATA_ENCRYPT_WAIT_FOR_ECC_ENCRYPTION;
+            return TSS2_FAPI_RC_TRY_AGAIN;
         } else {
             goto_error(r, TSS2_FAPI_RC_NOT_IMPLEMENTED, "Unsupported algorithm (%" PRIu16 ")",
                        error_cleanup, public->publicArea.type);
@@ -361,6 +416,9 @@ Fapi_Encrypt_Finish(FAPI_CONTEXT *context, uint8_t **cipherText, size_t *cipherT
 
         memcpy(command->cipherText, &tpmCipherText->buffer[0], tpmCipherText->size);
         SAFE_FREE(tpmCipherText);
+        fallthrough;
+
+    statecase(context->state, DATA_ENCRYPT_PREPARE_FLUSH)
 
         /* Flush the key from the TPM. */
         if (strncmp(command->keyPath, "/ext", 4) == 0
@@ -410,6 +468,27 @@ Fapi_Encrypt_Finish(FAPI_CONTEXT *context, uint8_t **cipherText, size_t *cipherT
             *cipherTextSize = command->cipherTextSize;
         break;
 
+    statecase(context->state, DATA_ENCRYPT_WAIT_FOR_ECC_ENCRYPTION);
+        TPM2B_ECC_POINT  *c1 = NULL;
+        TPM2B_MAX_BUFFER *c2 = NULL;
+        TPM2B_DIGEST     *c3 = NULL;
+
+        r = Esys_ECC_Encrypt_Finish(context->esys, &c1, &c2, &c3);
+        return_try_again(r);
+        if (r == 0x00000084) {
+            LOG_ERROR("The data to be encrypted might be too large.");
+        }
+        goto_if_error_reset_state(r, "ECC encryption.", error_cleanup);
+
+        r = marshal_ecc_crypt_result(c1, c2, c3, &command->cipherText, &command->cipherTextSize);
+        goto_if_error_reset_state(r, "Marshaling c1 c2 c3..", error_cleanup);
+
+        SAFE_FREE(c1);
+        SAFE_FREE(c2);
+        SAFE_FREE(c3);
+        context->state = DATA_ENCRYPT_PREPARE_FLUSH;
+        return TSS2_FAPI_RC_TRY_AGAIN;
+
     statecasedefault(context->state);
     }
 

src/tss2-fapi/fapi_int.h

@@ -1076,17 +1076,22 @@ enum FAPI_STATE {
     DATA_ENCRYPT_WAIT_FOR_SESSION,
     DATA_ENCRYPT_WAIT_FOR_KEY,
     DATA_ENCRYPT_WAIT_FOR_EXT_KEY,
+    DATA_ENCRYPT_PREPARE_FLUSH,
     DATA_ENCRYPT_WAIT_FOR_FLUSH,
     DATA_ENCRYPT_WAIT_FOR_RSA_ENCRYPTION,
+    DATA_ENCRYPT_WAIT_FOR_ECC_ENCRYPTION,
     DATA_ENCRYPT_CLEAN,
 
     DATA_DECRYPT_WAIT_FOR_PROFILE,
     DATA_DECRYPT_WAIT_FOR_SESSION,
     DATA_DECRYPT_WAIT_FOR_KEY,
+    DATA_DECRYPT_PREPARE_FLUSH,
     DATA_DECRYPT_WAIT_FOR_FLUSH,
     DATA_DECRYPT_WAIT_FOR_RSA_DECRYPTION,
     DATA_DECRYPT_AUTHORIZE_KEY,
     DATA_DECRYPT_CLEANUP,
+    DATA_DECRYPT_PREPARE_ECC_ENCRYPTION,
+    DATA_DECRYPT_WAIT_FOR_ECC_DECRYPTION,
 
     PCR_EXTEND_WAIT_FOR_SESSION,
     PCR_EXTEND_WAIT_FOR_GET_CAP,

src/tss2-fapi/ifapi_profiles.c

@@ -417,6 +417,14 @@ ifapi_profile_json_deserialize(json_object *jso, IFAPI_PROFILE *out) {
     r = ifapi_json_TPMI_ALG_HASH_deserialize(jso2, &out->nameAlg);
     return_if_error(r, "Bad value for field \"nameAlg\".");
 
+    if (!ifapi_get_sub_object(jso, "ecc_crypt_scheme", &jso2)) {
+        out->ecc_crypt_scheme.scheme = TPM2_ALG_KDF2;
+        out->ecc_crypt_scheme.details.kdf2.hashAlg = out->nameAlg;
+    } else {
+        r = ifapi_json_TPMT_KDF_SCHEME_deserialize(jso2, &out->ecc_crypt_scheme);
+        return_if_error(r, "Bad value for field \"ecc_crypt_scheme\".");
+    }
+
     if (out->type == TPM2_ALG_RSA) {
         if (!ifapi_get_sub_object(jso, "exponent", &jso2)) {
             LOG_ERROR("Field \"exponent\" not found.");

src/tss2-fapi/ifapi_profiles.h

@@ -25,6 +25,7 @@ typedef struct IFAPI_PROFILE {
     TPMT_SIG_SCHEME      ecc_signing_scheme; /**< Signing scheme for the ECC key. */
     TPMT_SIG_SCHEME      rsa_signing_scheme; /**< Signing scheme for the RSA key. */
     TPMT_RSA_DECRYPT     rsa_decrypt_scheme; /**< Decrypt scheme for the RSA key. */
+    TPMT_KDF_SCHEME      ecc_crypt_scheme;   /**< Scheme for the ECC encryption. */
     TPMI_ALG_CIPHER_MODE sym_mode;           /**< Mode for symmectric encryption. */
     TPMT_SYM_DEF_OBJECT  sym_parameters;     /**< Parameters for symmectric encryption. */
     UINT16               sym_block_size;     /**< Block size for symmectric encryption. */

src/tss2-fapi/tpm_json_deserialize.c

@@ -1523,7 +1523,7 @@ ifapi_json_TPMI_ALG_CIPHER_MODE_deserialize(json_object *jso, TPMI_ALG_CIPHER_MO
  */
 TSS2_RC
 ifapi_json_TPMI_ALG_KDF_deserialize(json_object *jso, TPMI_ALG_KDF *out) {
-    SUBTYPE_FILTER(TPMI_ALG_KDF, TPM2_ALG_ID, TPM2_ALG_MGF1, TPM2_ALG_KDF1_SP800_56A,
+    SUBTYPE_FILTER(TPMI_ALG_KDF, TPM2_ALG_ID, TPM2_ALG_KDF2, TPM2_ALG_MGF1, TPM2_ALG_KDF1_SP800_56A,
                    TPM2_ALG_KDF1_SP800_108, TPM2_ALG_NULL);
 }
 
@@ -3022,6 +3022,22 @@ ifapi_json_TPMS_KEY_SCHEME_ECDH_deserialize(json_object *jso, TPMS_KEY_SCHEME_EC
 
 /*** Table 154 - Definition of Types for KDF Schemes ***/
 
+/** Deserialize a TPMS_SCHEME_MGF1 json object.
+ *
+ * @param[in]  jso the json object to be deserialized.
+ * @param[out] out the deserialzed binary object.
+ * @retval TSS2_RC_SUCCESS if the function call was a success.
+ * @retval TSS2_FAPI_RC_BAD_VALUE if the json object can't be deserialized.
+ * @retval TSS2_FAPI_RC_BAD_REFERENCE a invalid null pointer is passed.
+ */
+TSS2_RC
+ifapi_json_TPMS_SCHEME_KDF2_deserialize(json_object *jso, TPMS_SCHEME_KDF2 *out) {
+    LOG_TRACE("call");
+    return ifapi_json_TPMS_SCHEME_HASH_deserialize(jso, out);
+}
+
+/*** Table 154 - Definition of Types for KDF Schemes ***/
+
 /** Deserialize a TPMS_SCHEME_MGF1 json object.
  *
  * @param[in]  jso the json object to be deserialized.
@@ -3087,6 +3103,9 @@ ifapi_json_TPMU_KDF_SCHEME_deserialize(UINT32 selector, json_object *jso, TPMU_K
     case TPM2_ALG_KDF1_SP800_108:
         return ifapi_json_TPMS_SCHEME_KDF1_SP800_108_deserialize(jso, &out->kdf1_sp800_108);
 
+    case TPM2_ALG_KDF2:
+        return ifapi_json_TPMS_SCHEME_KDF1_SP800_108_deserialize(jso, &out->kdf1_sp800_108);
+
     case TPM2_ALG_NULL: {
         return TSS2_RC_SUCCESS;
     }

src/tss2-fapi/tpm_json_deserialize.h

@@ -319,6 +319,9 @@ ifapi_json_TPMI_ECC_CURVE_deserialize(json_object *jso, TPMI_ECC_CURVE *out);
 TSS2_RC
 ifapi_json_TPMT_ECC_SCHEME_deserialize(json_object *jso, TPMT_ECC_SCHEME *out);
 
+TSS2_RC
+ifapi_json_TPMS_SCHEME_KDF2_deserialize(json_object *jso, TPMS_SCHEME_KDF2 *out);
+
 TSS2_RC
 ifapi_json_TPMS_SIGNATURE_RSA_deserialize(json_object *jso, TPMS_SIGNATURE_RSA *out);