xref: /netbsd-src/crypto/external/cpl/trousers/dist/src/tspi/daa/daa_platform/platform.c (revision 1023804e3833a0bd94414f2545512128f6502c74)
1 
2 /*
3  * Licensed Materials - Property of IBM
4  *
5  * trousers - An open source TCG Software Stack
6  *
7  * (C) Copyright International Business Machines Corp. 2006
8  *
9  */
10 
11 
12 #include <stdlib.h>
13 #include <stdio.h>
14 #include <string.h>
15 
16 // for message digest
17 #include <openssl/evp.h>
18 #include <openssl/hmac.h>
19 #include <openssl/err.h>
20 #include <openssl/rsa.h>
21 #include <openssl/sha.h>
22 
23 #include <stdlib.h>
24 
25 #include "daa_structs.h"
26 #include "daa_parameter.h"
27 #include "trousers/tss.h"
28 #include "spi_internal_types.h"
29 #include "spi_utils.h"
30 #include <trousers/trousers.h>
31 #include <spi_utils.h>
32 #include <obj.h>
33 #include "tsplog.h"
34 #include "tss/tcs.h"
35 #include "platform.h"
36 #include "issuer.h"
37 #include "verifier.h"
38 
39 #define EVP_SUCCESS 1
40 
41 TSS_RESULT
Tcsip_TPM_DAA_Join(TCS_CONTEXT_HANDLE tcsContext,TSS_HDAA hDAA,BYTE stage,UINT32 inputSize0,BYTE * inputData0,UINT32 inputSize1,BYTE * inputData1,TPM_AUTH * ownerAuth,UINT32 * outputSize,BYTE ** outputData)42 Tcsip_TPM_DAA_Join(TCS_CONTEXT_HANDLE tcsContext, // in
43 			TSS_HDAA hDAA, // in
44 			BYTE stage, // in
45 			UINT32 inputSize0, // in
46 			BYTE* inputData0, // in
47 			UINT32 inputSize1, // in
48 			BYTE* inputData1, // in
49 			TPM_AUTH* ownerAuth, // in/out
50 			UINT32* outputSize, // out
51 			BYTE** outputData // out
52 ) {
53 	TSS_RESULT result;
54 	TSS_HPOLICY hPolicy;
55 	TCPA_DIGEST digest;
56 	UINT16 offset = 0;
57 	BYTE hashblob[10000];
58 	TPM_HANDLE hTPM;
59 	TPM_HANDLE join_session;
60 	// TPM_HANDLE hTPM;
61 
62 	if( (result = obj_daa_get_handle_tpm( hDAA, &hTPM)) != TSS_SUCCESS)
63 		return result;
64 	if( (result = obj_daa_get_session_handle( hDAA, &join_session)) != TSS_SUCCESS)
65 		return result;
66 	LogDebug("Tcsip_TPM_DAA_Join(tcsContext=%x,hDAA=%x,join_session=%x, hTPM=%x stage=%d)",
67 		tcsContext,
68 		hDAA,
69 		join_session,
70 		hTPM,
71 		stage);
72 
73 	LogDebug("obj_tpm_get_policy(hTPM=%X)", hTPM);
74 	if( (result = obj_tpm_get_policy( hTPM, &hPolicy)) != TSS_SUCCESS)
75 		return result;
76 	LogDebug("Trspi_LoadBlob_UINT32(&offset, TPM_ORD_DAA_Join, hashblob)");
77 	// hash TPM_COMMAND_CODE
78 	Trspi_LoadBlob_UINT32(&offset, TPM_ORD_DAA_Join, hashblob);
79 	LogDebug("Trspi_Hash(TSS_HASH_SHA1, offset, hashblob, digest.digest)");
80 	// hash stage
81 	Trspi_LoadBlob_BYTE(&offset, stage, hashblob);
82 	LogDebug("Trspi_LoadBlob_UINT32(&offset, 0, hashblob)");
83 	// hash inputSize0
84 	Trspi_LoadBlob_UINT32(&offset, inputSize0, hashblob);
85 	LogDebug("Trspi_LoadBlob_UINT32(&offset, inputSize0:%d", inputSize0);
86 	// hash inputData0
87 	Trspi_LoadBlob( &offset, inputSize0, hashblob, inputData0);
88 	// hash inputSize1
89 	Trspi_LoadBlob_UINT32(&offset, inputSize1, hashblob);
90 	LogDebug("Trspi_LoadBlob_UINT32(&offset, inputSize1:%d", inputSize1);
91 	// hash inputData1
92 	Trspi_LoadBlob( &offset, inputSize1, hashblob, inputData1);
93 	Trspi_Hash(TSS_HASH_SHA1, offset, hashblob, digest.digest);
94 
95 	if ((result = secret_PerformAuth_OIAP(hTPM, TPM_ORD_DAA_Join,
96 	     hPolicy, &digest,
97 	     ownerAuth)) != TSS_SUCCESS) return result;
98 	LogDebug("secret_PerformAuth_OIAP(hTPM, TPM_ORD_DAA_Join ret=%d", result);
99 	LogDebug("TCSP_DAAJoin(%x,%x,stage=%x,%x,%x,%x,%x,%x)\n",
100 		tcsContext,
101 		hTPM,
102 		stage,
103 		inputSize0,
104 		(int)inputData0,
105 		inputSize1,
106 		(int)inputData1,
107 		(int)&ownerAuth);
108 	/* step of the following call:
109 	TCSP_DAAJoin 		tcsd_api/calltcsapi.c (define in spi_utils.h)
110 	TCSP_DAAJoin_TP 	tcsd_api/tcstp.c (define in	trctp.h)
111 	*/
112 	result =  TCSP_DaaJoin( tcsContext,
113 				join_session,
114 				stage,
115 				inputSize0, inputData0,
116 				inputSize1, inputData1,
117 				ownerAuth,
118 				outputSize, outputData);
119 	if( result != TSS_SUCCESS) return result;
120 
121 	offset = 0;
122 	Trspi_LoadBlob_UINT32(&offset, result, hashblob);
123 	Trspi_LoadBlob_UINT32(&offset, TPM_ORD_DAA_Join, hashblob);
124 	Trspi_LoadBlob_UINT32(&offset, *outputSize, hashblob);
125 	Trspi_LoadBlob(&offset, *outputSize, hashblob, *outputData);
126 	LogDebug("TCSP_DAAJoin stage=%d outputSize=%d outputData=%x RESULT=%d",
127 		(int)stage, (int)*outputSize, (int)outputData, (int)result);
128 	Trspi_Hash(TSS_HASH_SHA1, offset, hashblob, digest.digest);
129 	if( (result = obj_policy_validate_auth_oiap( hPolicy, &digest, ownerAuth))) {
130 		LogError("obj_policy_validate_auth=%d", result);
131 	}
132 	return result;
133 }
134 
Tcsip_TPM_DAA_Sign(TCS_CONTEXT_HANDLE hContext,TPM_HANDLE handle,BYTE stage,UINT32 inputSize0,BYTE * inputData0,UINT32 inputSize1,BYTE * inputData1,TPM_AUTH * ownerAuth,UINT32 * outputSize,BYTE ** outputData)135 TSS_RESULT Tcsip_TPM_DAA_Sign( TCS_CONTEXT_HANDLE hContext,	// in
136 				TPM_HANDLE handle,	// in
137 				BYTE stage,	// in
138 				UINT32 inputSize0,	// in
139 				BYTE* inputData0,	// in
140 				UINT32 inputSize1,	// in
141 				BYTE* inputData1,	// in
142 				TPM_AUTH* ownerAuth,	// in, out
143 				UINT32* outputSize,	// out
144 				BYTE** outputData	// out
145 ) {
146 	TSS_RESULT result;
147 	TSS_HPOLICY hPolicy;
148 	TCPA_DIGEST digest;
149 	UINT16 offset = 0;
150 	BYTE hashblob[1000];
151 	TPM_HANDLE hTPM;
152 	TPM_HANDLE session_handle;
153 	TSS_HDAA hDAA = (TSS_HDAA)handle;
154 	// TPM_HANDLE hTPM;
155 
156 	if( (result = obj_daa_get_handle_tpm( hDAA, &hTPM)) != TSS_SUCCESS)
157 		return result;
158 	if( (result = obj_daa_get_session_handle( hDAA, &session_handle)) != TSS_SUCCESS)
159 		return result;
160 	LogDebug("Tcsip_TPM_DAA_Sign(tcsContext=%x,hDAA=%x,sign_session=%x, hTPM=%x stage=%d)",
161 		hContext,
162 		hDAA,
163 		session_handle,
164 		hTPM,
165 		stage);
166 
167 	LogDebug("obj_tpm_get_policy(hTPM=%X)", hTPM);
168 	if( (result = obj_tpm_get_policy( hTPM, &hPolicy)) != TSS_SUCCESS)
169 		return result;
170 	LogDebug("Trspi_LoadBlob_UINT32(&offset, TPM_ORD_DAA_Sign, hashblob)");
171 	// hash TPM_COMMAND_CODE
172 	Trspi_LoadBlob_UINT32(&offset, TPM_ORD_DAA_Sign, hashblob);
173 	LogDebug("Trspi_Hash(TSS_HASH_SHA1, offset, hashblob, digest.digest)");
174 	// hash stage
175 	Trspi_LoadBlob_BYTE(&offset, stage, hashblob);
176 	LogDebug("Trspi_LoadBlob_UINT32(&offset, 0, hashblob)");
177 	// hash inputSize0
178 	Trspi_LoadBlob_UINT32(&offset, inputSize0, hashblob);
179 	LogDebug("Trspi_LoadBlob_UINT32(&offset, inputSize0:%d", inputSize0);
180 	// hash inputData0
181 	Trspi_LoadBlob( &offset, inputSize0, hashblob, inputData0);
182 	// hash inputSize1
183 	Trspi_LoadBlob_UINT32(&offset, inputSize1, hashblob);
184 	LogDebug("Trspi_LoadBlob_UINT32(&offset, inputSize1:%d", inputSize1);
185 	// hash inputData1
186 	Trspi_LoadBlob( &offset, inputSize1, hashblob, inputData1);
187 	Trspi_Hash(TSS_HASH_SHA1, offset, hashblob, digest.digest);
188 
189 	if ((result = secret_PerformAuth_OIAP(hTPM, TPM_ORD_DAA_Join,
190 	     hPolicy, &digest,
191 	     ownerAuth)) != TSS_SUCCESS) return result;
192 	LogDebug("secret_PerformAuth_OIAP(hTPM, TPM_ORD_DAA_Join ret=%d", result);
193 	LogDebug("TCSP_DAASign(%x,%x,stage=%x,%x,%x,%x,%x,%x)",
194 		hContext,
195 		hTPM,
196 		stage,
197 		inputSize0,(int)inputData0,
198 		inputSize1,(int)inputData1,
199 		(int)&ownerAuth);
200 	/* step of the following call:
201 	TCSP_DAASign 		tcsd_api/calltcsapi.c (define in spi_utils.h)
202 	TCSP_DAASign_TP 	tcsd_api/tcstp.c (define in	trctp.h)
203 	*/
204 	result =  TCSP_DaaSign( hContext,
205 				session_handle,
206 				stage,
207 				inputSize0, inputData0,
208 				inputSize1, inputData1,
209 				ownerAuth,
210 				outputSize, outputData);
211 	if( result != TSS_SUCCESS) return result;
212 
213 	offset = 0;
214 	Trspi_LoadBlob_UINT32(&offset, result, hashblob);
215 	Trspi_LoadBlob_UINT32(&offset, TPM_ORD_DAA_Sign, hashblob);
216 	Trspi_LoadBlob_UINT32(&offset, *outputSize, hashblob);
217 	Trspi_LoadBlob(&offset, *outputSize, hashblob, *outputData);
218 	LogDebug("TCSP_DAASign stage=%d outputSize=%d outputData=%x RESULT=%d",
219 		(int)stage, (int)*outputSize, (int)outputData, (int)result);
220 	Trspi_Hash(TSS_HASH_SHA1, offset, hashblob, digest.digest);
221 	if( (result = obj_policy_validate_auth_oiap( hPolicy, &digest, ownerAuth)))
222 	{
223 		LogError("obj_policy_validate_auth=%d", result);
224 	}
225 	return result;
226 }
227 
228 /**
229 	Only used for the logging
230 */
231 static TSS_RESULT
Tcsip_TPM_DAA_Join_encapsulate(TCS_CONTEXT_HANDLE tcsContext,TSS_HDAA hDAA,BYTE stage,UINT32 inputSize0,BYTE * inputData0,UINT32 inputSize1,BYTE * inputData1,TPM_AUTH * ownerAuth,UINT32 * outputSize,BYTE ** outputData)232 Tcsip_TPM_DAA_Join_encapsulate(TCS_CONTEXT_HANDLE tcsContext, // in
233 				TSS_HDAA	hDAA,				// in
234 				BYTE stage, // in
235 				UINT32 inputSize0, // in
236 				BYTE* inputData0, // in
237 				UINT32 inputSize1, // in
238 				BYTE* inputData1, // in
239 				TPM_AUTH* ownerAuth, // in/out
240 				UINT32* outputSize, // out
241 				BYTE** outputData // out
242 ) {
243 	TSS_RESULT result;
244 
245 	LogDebug("Tcsip_DAA_Join(TCS_CONTEXT=%X,TSS_HDAA=%X,stage=%d,\
246 				inputSize0=%u,inputData0=%s\ninputSize1=%u,inputData1=%s,ownerAuth=%X)",
247 		tcsContext, hDAA, stage,
248 		inputSize0, dump_byte_array(inputSize0, inputData0),
249 		inputSize1,dump_byte_array(inputSize1, inputData1),
250 		(int)ownerAuth);
251 	result = Tcsip_TPM_DAA_Join(
252 		tcsContext, // in
253 		hDAA,	// in
254 		stage, // in
255 		inputSize0, // in
256 		inputData0, // in
257 		inputSize1, // in
258 		inputData1, // in
259 		ownerAuth, // in/out
260 		outputSize, // out
261 		outputData // out
262 	);
263 	LogDebug("Tcsip_DAA_Join(stage=%d,outputSize=%u outputData=%s ownerAuth=%X) result=%d",
264 		 (int)stage, *outputSize, dump_byte_array( *outputSize, *outputData), (int)ownerAuth, result);
265 	return result;
266 }
267 
268 #if 0
269 /* from TSS.java */
270 /* openssl RSA (struct rsa_st) could manage RSA Key */
271 TSS_RESULT
272 Tspi_TPM_DAA_JoinInit_internal(	TSS_HDAA hDAA,
273 				TSS_HTPM hTPM,
274 				int daa_counter,
275 				TSS_DAA_PK *issuer_pk,
276 				int issuer_authentication_PKLengh,
277 				RSA **issuer_authentication_PK,
278 				int issuer_authentication_PK_signaturesLength,
279 				BYTE **issuer_authentication_PK_signatures,
280 				int *capital_UprimeLength,
281 				BYTE **capital_Uprime,
282 				TSS_DAA_IDENTITY_PROOF *identity_proof,
283 				TSS_DAA_JOIN_SESSION *join_session)
284 {
285 	// Optional: verification of the PKDAA and issuer settings (authen. by the RSA Public Key chain)
286 	TSS_RESULT result;
287 	TCS_CONTEXT_HANDLE tcsContext;
288 	TPM_AUTH ownerAuth;
289 	int i, modulus_length, outputSize, length, length1;
290 	UINT32 return_join_session;
291 	BYTE *outputData, *issuer_settings_bytes;
292 	BYTE *buffer_modulus;
293 	TPM_DAA_ISSUER *issuer_settings;
294 	char buffer[1000], buffer1[1000];
295 	TSS_DAA_PK_internal *pk_internal = e_2_i_TSS_DAA_PK( issuer_pk);
296 	bi_ptr issuer_authentication_PK_i = NULL;
297 
298 	if( (result = obj_tpm_is_connected(  hTPM, &tcsContext)) != TSS_SUCCESS)
299 		return result;
300 	obj_daa_set_handle_tpm( hDAA, hTPM);
301 
302 	// stages 0-2 explained in the diagram "Keys of DAA Issuer"
303 	// issuer_authentication_PKLengh should be converted to Network Based integer
304 	i = htonl(issuer_authentication_PKLengh);
305 	result = Tcsip_TPM_DAA_Join_encapsulate( tcsContext, hDAA,
306 			0,
307 			sizeof(int), (BYTE *)(&i),
308 			0, NULL,
309 			&ownerAuth, &outputSize, &outputData);
310 	if( result != TSS_SUCCESS) { goto close;}
311 	// set the sessionHandle to the returned value
312 	return_join_session = ntohl( *((UINT32 *)outputData));
313 	free( outputData);
314 	obj_daa_set_session_handle( hDAA, return_join_session);
315 
316 	LogDebug("done join 0 settings join_session:%x\n", return_join_session);
317 	modulus_length = DAA_PARAM_SIZE_RSA_MODULUS / 8;
318 	buffer_modulus = malloc(modulus_length);
319 	if (buffer_modulus == NULL) {
320 		LogError("malloc of %d bytes failed", modulus_length);
321 		result = TSPERR(TSS_E_OUTOFMEMORY);
322 		goto close;
323 	}
324 	issuer_authentication_PK_i = bi_new_ptr();
325 	for(i =0; i< issuer_authentication_PKLengh; i++) {
326 		bi_set_as_BIGNUM( issuer_authentication_PK_i, issuer_authentication_PK[i]->n);
327 		bi_2_byte_array( buffer_modulus,
328 				modulus_length,
329 				issuer_authentication_PK_i);
330 		if ( i==0) {
331 			result = Tcsip_TPM_DAA_Join_encapsulate(
332 				tcsContext, hDAA,
333 				1,
334 				modulus_length, buffer_modulus,
335 				0, NULL,
336 				&ownerAuth, &outputSize, &outputData);
337 			if( result != TSS_SUCCESS) {
338 				free( buffer_modulus);
339 				goto close;
340 			}
341 		} else {
342 			result = Tcsip_TPM_DAA_Join_encapsulate(
343 				tcsContext,  hDAA,
344 				1,
345 				modulus_length, buffer_modulus,
346 				DAA_PARAM_KEY_SIZE / 8, issuer_authentication_PK_signatures[i -1],
347 				&ownerAuth, &outputSize, &outputData);
348 			if( result != TSS_SUCCESS) {
349 				free( buffer_modulus);
350 				goto close;
351 			}
352 		}
353 	}
354 	free( buffer_modulus);
355 	LogDebug("done join 1-%d\n", issuer_authentication_PKLengh);
356 	// define issuer_settings
357 	issuer_settings = convert2issuer_settings( pk_internal);
358 	issuer_settings_bytes = issuer_2_byte_array( issuer_settings, &length);
359 	result = Tcsip_TPM_DAA_Join_encapsulate(
360 		tcsContext, hDAA,
361 		2,
362 		length, issuer_settings_bytes,
363 		modulus_length,
364 		issuer_authentication_PK_signatures[issuer_authentication_PKLengh-1],
365 		&ownerAuth, &outputSize, &outputData);
366 	if( result != TSS_SUCCESS) { goto close;}
367 	LogDebug("done join 2\n");
368 	i = htonl( daa_counter);
369 	result = Tcsip_TPM_DAA_Join_encapsulate(
370 		tcsContext, hDAA,
371 		3,
372 		sizeof(UINT32), (BYTE *)(&i),
373 		0, NULL,
374 		&ownerAuth, &outputSize, &outputData);
375 	if( result != TSS_SUCCESS) { goto close;}
376 	LogDebug("done join 3\n");
377 	// reserved another buffer for storing Big Integer
378 	bi_2_nbin1( &length, buffer, pk_internal->capitalR0);
379 	bi_2_nbin1( &length1, buffer1, pk_internal->modulus);
380 	result = Tcsip_TPM_DAA_Join_encapsulate(
381 		tcsContext, hDAA,
382 		4,
383 		length, buffer,
384 		length1, buffer1,
385 		&ownerAuth, &outputSize, &outputData);
386 	if( result != TSS_SUCCESS) { goto close;}
387 	LogDebug("done join 4\n");
388 	bi_2_nbin1( &length, buffer, pk_internal->capitalR1);
389 	result = Tcsip_TPM_DAA_Join_encapsulate(
390 		tcsContext, hDAA,
391 		5,
392 		length, buffer,
393 		length1, buffer1,
394 		&ownerAuth, &outputSize, &outputData);
395 	if( result != TSS_SUCCESS) { goto close;}
396 	LogDebug("done join 5\n");
397 	bi_2_nbin1( &length, buffer, pk_internal->capitalS);
398 	result = Tcsip_TPM_DAA_Join_encapsulate(
399 		tcsContext, hDAA,
400 		6,
401 		length, buffer,
402 		length1, buffer1,
403 		&ownerAuth, &outputSize, &outputData);
404 	if( result != TSS_SUCCESS) { goto close;}
405 	LogDebug("done join 6\n");
406 	bi_2_nbin1( &length, buffer, pk_internal->capitalSprime);
407 	// define Uprime
408 	result = Tcsip_TPM_DAA_Join_encapsulate(
409 		tcsContext, hDAA,
410 		7,
411 		length, buffer,
412 		length1, buffer1,
413 		&ownerAuth, &outputSize, &outputData);
414 	// 5 : save PKDAA, U, daaCount and sessionHandle in joinSession
415 	join_session->issuerPk = (TSS_HKEY)issuer_pk;
416 	if( result == TSS_SUCCESS) {
417 		*capital_UprimeLength = outputSize;
418 		*capital_Uprime = convert_alloc( tcsContext, outputSize, outputData);
419 		if (*capital_Uprime == NULL) {
420 			LogError("malloc of %d bytes failed", outputSize);
421 			result = TSPERR(TSS_E_OUTOFMEMORY);
422 			goto close;
423 		}
424 		join_session->capitalUPrime = copy_alloc( tcsContext,
425 							*capital_UprimeLength,
426 							*capital_Uprime);
427 		if (join_session->capitalUPrime == NULL) {
428 			LogError("malloc of %d bytes failed", *capital_UprimeLength);
429 			result = TSPERR(TSS_E_OUTOFMEMORY);
430 			goto close;
431 		}
432 		join_session->capitalUPrimeLength = *capital_UprimeLength;
433 	}
434 	join_session->sessionHandle = return_join_session;
435 	// get the endorsement Key (public part)
436 	result = get_public_EK(
437 		hTPM,	// in
438 		&( identity_proof->endorsementLength),
439 		&( identity_proof->endorsementCredential)
440 	);
441 
442 close:
443 	FREE_BI( issuer_authentication_PK_i);
444 	LogDebug("result = %d", result);
445 	LogDebug("outputSize=%d", outputSize);
446 	LogDebug("outputData=%s", dump_byte_array( outputSize, outputData));
447   	return result;
448 }
449 #else
450 TSS_RESULT
Tspi_TPM_DAA_JoinInit_internal(TSS_HTPM hTPM,TSS_HDAA_ISSUER_KEY hIssuerKey UINT32 daa_counter,UINT32 issuerAuthPKsLength,TSS_HKEY * issuerAuthPKs,UINT32 issuerAuthPKSignaturesLength,UINT32 issuerAuthPKSignaturesLength2,BYTE ** issuerAuthPKSignatures,UINT32 * capitalUprimeLength,BYTE ** capitalUprime,TSS_DAA_IDENTITY_PROOF ** identity_proof,UINT32 * joinSessionLength,BYTE ** joinSession)451 Tspi_TPM_DAA_JoinInit_internal(TSS_HTPM			hTPM,
452 			       TSS_HDAA_ISSUER_KEY	hIssuerKey
453 			       UINT32			daa_counter,
454 			       UINT32			issuerAuthPKsLength,
455 			       TSS_HKEY*		issuerAuthPKs,
456 			       UINT32			issuerAuthPKSignaturesLength,
457 			       UINT32			issuerAuthPKSignaturesLength2,
458 			       BYTE**			issuerAuthPKSignatures,
459 			       UINT32*			capitalUprimeLength,
460 			       BYTE**			capitalUprime,
461 			       TSS_DAA_IDENTITY_PROOF** identity_proof,
462 			       UINT32*			joinSessionLength,
463 			       BYTE**			joinSession)
464 {
465 	// Optional: verification of the PKDAA and issuer settings (authen. by the RSA Public Key chain)
466 	TSS_RESULT result;
467 	TSS_HCONTEXT tspContext;
468 	TPM_AUTH ownerAuth;
469 	int length, length1;
470 	UINT32 i, modulus_length, outputSize, buf_len;
471 	BYTE *outputData, *issuer_settings_bytes;
472 	BYTE *modulus, stage, *buf;
473 	//TPM_DAA_ISSUER *issuer_settings;
474 	//char buffer[1000], buffer1[1000];
475 	//TSS_DAA_PK_internal *pk_internal = e_2_i_TSS_DAA_PK(issuer_pk);
476 	bi_ptr issuerAuthPK = NULL;
477 	TPM_HANDLE daaHandle;
478 	Trspi_HashCtx hashCtx;
479 	TPM_DIGEST digest;
480 	TSS_DAA_IDENTITY_PROOF daaIdentityProof;
481 
482 	if ((result = obj_tpm_is_connected(hTPM, &tspContext)))
483 		return result;
484 
485 	if ((result = obj_daaissuerkey_get_daa_handle(hIssuerKey, &daaHandle)))
486 		return result;
487 
488 	stage = 0;
489 	inputSize0 = (UINT32)sizeof(UINT32);
490 	inputData0 = issuerAuthPKsLength;
491 	inputSize1 = 0;
492 	inputData1 = NULL;
493 
494 	result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1);
495 	result |= Trspi_Hash_UINT32(&hashCtx, TPM_ORD_DAA_Join);
496 	result |= Trspi_Hash_BYTE(&hashCtx, stage);
497 	result |= Trspi_Hash_UINT32(&hashCtx, inputSize0);
498 	result |= Trspi_HashUpdate(&hashCtx, inputSize0, inputData0);
499 	result |= Trspi_Hash_UINT32(&hashCtx, inputSize1);
500 	result |= Trspi_HashUpdate(&hashCtx, inputSize1, inputData1);
501 	if ((result |= Trspi_HashFinal(&hashCtx, digest.digest)))
502 		return result;
503 
504 	// stages 0-2 explained in the diagram "Keys of DAA Issuer"
505 	if ((result = TCS_API(tspContext)->DaaJoin(tspContext, daaHandle, stage, inputSize1,
506 						   inputData0, inputSize1, inputData1, &ownerAuth,
507 						   &outputSize, &outputData)))
508 		goto close;
509 
510 	if (outputSize != sizeof(UINT32)) {
511 		result = TSPERR(TSS_E_INTERNAL_ERROR);
512 		goto close;
513 	}
514 
515 	// set the sessionHandle to the returned value
516 	Trspi_UnloadBlob_UINT32(&offset, &daaHandle, outputData);
517 	free(outputData);
518 	if ((result = obj_daaissuerkey_set_daa_handle(hIssuerKey, daaHandle)))
519 		goto close;
520 
521 	LogDebug("done join 0 settings join_session:%x", daaHandle);
522 
523 	modulus_length = DAA_PARAM_SIZE_RSA_MODULUS / 8;
524 	if ((buffer_modulus = malloc(modulus_length)) == NULL) {
525 		LogError("malloc of %d bytes failed", modulus_length);
526 		result = TSPERR(TSS_E_OUTOFMEMORY);
527 		goto close;
528 	}
529 
530 	stage = 1;
531 	for (i = 0; i < issuerAuthPKsLength; i++) {
532 		if ((result = obj_rsakey_get_modulus(issuerAuthPKs[i], &modulus_length, &modulus)))
533 			goto close;
534 
535 		outputData = NULL;
536 		if (i==0) {
537 			result = Tcsip_TPM_DAA_Join_encapsulate(tspContext, daaHandle, stage,
538 								modulus_length, modulus, 0, NULL,
539 								&ownerAuth, &outputSize,
540 								&outputData);
541 		} else {
542 			result = Tcsip_TPM_DAA_Join_encapsulate(tspContext, daaHandle, stage,
543 								modulus_length, modulus,
544 								issuerAuthPKSignaturesLength2,
545 								issuerAuthPKSignatures[i - 1],
546 								&ownerAuth, &outputSize,
547 								&outputData);
548 		}
549 
550 		free(outputData);
551 		free_tspi(tspContext, modulus);
552 		if (result != TSS_SUCCESS) {
553 			LogDebugFn("Stage 1 iteration %u failed", i);
554 			goto close;
555 		}
556 	}
557 
558 	LogDebug("done join 1-%d\n", issuer_authentication_PKLengh);
559 
560 	stage = 2;
561 	// define issuer_settings
562 #if 0
563 	issuer_settings = convert2issuer_settings(pk_internal);
564 	issuer_settings_bytes = issuer_2_byte_array(issuer_settings, &length);
565 #else
566 	if ((result = obj_daaissuerkey_get_daa_issuer(hIssuerKey, &issuer_length, &issuer)))
567 		goto close;
568 
569 	if ((result = obj_daaissuerkey_get_modulus(hIssuerKey, &modulus_length, &modulus))) {
570 		free_tspi(tspContext, issuer);
571 		goto close;
572 	}
573 #endif
574 	if ((result = Tcsip_TPM_DAA_Join_encapsulate(tspContext, daaHandle, stage, issuer_length,
575 						     issuer, issuerAuthPKSignaturesLength2,
576 						     issuerAuthPKSignatures[i - 1], &ownerAuth,
577 						     &outputSize, &outputData))) {
578 		free_tspi(tspContext, issuer);
579 		free_tspi(tspContext, modulus);
580 		goto close;
581 	}
582 	free_tspi(tspContext, issuer);
583 
584 	LogDebug("done join 2\n");
585 
586 	stage = 3;
587 	if ((result = Tcsip_TPM_DAA_Join_encapsulate(tspContext, daaHandle, stage, sizeof(UINT32),
588 						     (BYTE *)(&daa_counter), 0, NULL, &ownerAuth,
589 						     &outputSize, &outputData)))
590 		goto close;
591 
592 	LogDebug("done join 3\n");
593 
594 	stage = 4;
595 #if 0
596 	// reserved another buffer for storing Big Integer
597 	bi_2_nbin1( &length, buffer, pk_internal->capitalR0);
598 	bi_2_nbin1( &length1, buffer1, pk_internal->modulus);
599 #else
600 	if ((result = obj_daaissuerkey_get_capitalR0(hIssuerKey, &buf_len, &buf)))
601 		return result;
602 #endif
603 	if ((result = Tcsip_TPM_DAA_Join_encapsulate(tspContext, daaHandle, stage, buf_len, buf,
604 						     modulus_length, modulus, &ownerAuth,
605 						     &outputSize, &outputData))) {
606 		free_tspi(tspContext, buf);
607 		free_tspi(tspContext, modulus);
608 		goto close;
609 	}
610 	free_tspi(tspContext, buf);
611 
612 	LogDebug("done join 4\n");
613 
614 	stage = 5;
615 #if 0
616 	bi_2_nbin1( &length, buffer, pk_internal->capitalR1);
617 #else
618 	if ((result = obj_daaissuerkey_get_capitalR1(hIssuerKey, &buf_len, &buf)))
619 		return result;
620 #endif
621 	if ((result = Tcsip_TPM_DAA_Join_encapsulate(tspContext, daaHandle, stage, buf_len,
622 						     buf, modulus_length, modulus, &ownerAuth,
623 						     &outputSize, &outputData))) {
624 		free_tspi(tspContext, buf);
625 		free_tspi(tspContext, modulus);
626 		goto close;
627 	}
628 	free_tspi(tspContext, buf);
629 
630 	LogDebug("done join 5\n");
631 
632 	stage = 6;
633 #if 0
634 	bi_2_nbin1( &length, buffer, pk_internal->capitalS);
635 #else
636 	if ((result = obj_daaissuerkey_get_capitalS(hIssuerKey, &buf_len, &buf)))
637 		return result;
638 #endif
639 	if ((result = Tcsip_TPM_DAA_Join_encapsulate(tspContext, daaHandle, stage, buf_len, buf,
640 						     modulus_length, modulus, &ownerAuth,
641 						     &outputSize, &outputData))) {
642 		free_tspi(tspContext, buf);
643 		free_tspi(tspContext, modulus);
644 		goto close;
645 	}
646 	free_tspi(tspContext, buf);
647 
648 	LogDebug("done join 6\n");
649 
650 	stage = 7;
651 #if 0
652 	bi_2_nbin1( &length, buffer, pk_internal->capitalSprime);
653 #else
654 	if ((result = obj_daaissuerkey_get_capitalSprime(hIssuerKey, &buf_len, &buf)))
655 		return result;
656 #endif
657 	// define Uprime
658 	if ((result = Tcsip_TPM_DAA_Join_encapsulate(tspContext, daaHandle, stage, buf_len, buf,
659 						     modulus_length, modulus, &ownerAuth,
660 						     &outputSize, &outputData))) {
661 		free_tspi(tspContext, buf);
662 		free_tspi(tspContext, modulus);
663 		goto close;
664 	}
665 	free_tspi(tspContext, buf);
666 
667 #if 0
668 	// 5 : save PKDAA, U, daaCount and sessionHandle in joinSession
669 	join_session->issuerPk = (TSS_HKEY)issuer_pk;
670 	if( result == TSS_SUCCESS) {
671 		*capital_UprimeLength = outputSize;
672 		*capital_Uprime = convert_alloc( tspContext, outputSize, outputData);
673 		if (*capital_Uprime == NULL) {
674 			LogError("malloc of %d bytes failed", outputSize);
675 			result = TSPERR(TSS_E_OUTOFMEMORY);
676 			goto close;
677 		}
678 		join_session->capitalUPrime = copy_alloc( tspContext,
679 							*capital_UprimeLength,
680 							*capital_Uprime);
681 		if (join_session->capitalUPrime == NULL) {
682 			LogError("malloc of %d bytes failed", *capital_UprimeLength);
683 			result = TSPERR(TSS_E_OUTOFMEMORY);
684 			goto close;
685 		}
686 		join_session->capitalUPrimeLength = *capital_UprimeLength;
687 	}
688 	join_session->sessionHandle = return_join_session;
689 	// get the endorsement Key (public part)
690 	result = get_public_EK(
691 		hTPM,	// in
692 		&( identity_proof->endorsementLength),
693 		&( identity_proof->endorsementCredential)
694 	);
695 #else
696 	/* fill out the identity proof struct */
697 	if ((result = TCS_API(obj->tspContext)->GetTPMCapability(obj->tspContext, TPM_CAP_VERSION,
698 								 0, NULL, &buf_len, &buf)))
699 		goto close;
700 
701 	offset = 0;
702 	Trspi_UnloadBlob_VERSION(&offset, buf, &daaIdentityProof.versionInfo);
703 	free_tspi(tspContext, buf);
704 
705 #error set all 3 credentials in the daaIdentityProof struct here
706 
707 	/* set the U data */
708 	if ((result = __tspi_add_mem_entry(tspContext, outputData)))
709 		goto close;
710 	*capitalUPrime = outputData;
711 	*capitalUPrimeLength = outputSize;
712 
713 	/* return the TSS specific stuff */
714 #endif
715 
716 close:
717 	FREE_BI( issuer_authentication_PK_i);
718 	LogDebug("result = %d", result);
719 	LogDebug("outputSize=%d", outputSize);
720 	LogDebug("outputData=%s", dump_byte_array( outputSize, outputData));
721   	return result;
722 }
723 #endif
724 
725 
726 /* allocation:
727 	endorsementKey as BYTE *
728 */
729 TSS_RESULT
get_public_EK(TSS_HTPM hTPM,UINT32 * endorsementKeyLength,BYTE ** endorsementKey)730 get_public_EK(TSS_HTPM hTPM,
731 		UINT32 *endorsementKeyLength,
732 		BYTE **endorsementKey
733 
734 ) {
735 	TSS_RESULT result;
736 	TSS_HKEY hEk;
737 	TSS_HPOLICY hTpmPolicy;
738 	UINT32 uiAttrSize;
739 	BYTE *pAttr;
740 
741 	if( (result = obj_tpm_get_policy( hTPM, &hTpmPolicy)) != TSS_SUCCESS) {
742 		LogError("can not retrieve policy from the TPM handler");
743 		goto out_close;
744 	}
745 
746 	if( (result = Tspi_TPM_GetPubEndorsementKey(hTPM, TRUE, NULL, &hEk)) != TSS_SUCCESS) {
747 		LogError("can not retrieve the Public endorsed Key");
748 		goto out_close;
749 	}
750 
751 	result = Tspi_GetAttribData(
752 		hEk,
753 		TSS_TSPATTRIB_KEY_INFO,
754 		TSS_TSPATTRIB_KEYINFO_VERSION,
755 		&uiAttrSize,
756 		&pAttr);
757 
758 	if (result != TSS_SUCCESS) goto out_close;
759 	LogDebug("keyinfo:%s", dump_byte_array( uiAttrSize, pAttr));
760 
761 	result = Tspi_GetAttribData(
762 		hEk,
763 		TSS_TSPATTRIB_KEY_BLOB,
764 		TSS_TSPATTRIB_KEYBLOB_PUBLIC_KEY,
765 		endorsementKeyLength,
766 		endorsementKey);
767 
768 	LogDebug("Public Endorsement Key:%s",
769 		dump_byte_array( *endorsementKeyLength, *endorsementKey));
770 out_close:
771       return result;
772 }
773 
774 // from TSS.java (479)
775 TSS_RESULT
compute_join_challenge_host(TSS_HDAA hDAA,TSS_DAA_PK_internal * pk_internal,bi_ptr capitalU,bi_ptr capital_Uprime,bi_ptr capital_utilde,bi_ptr capital_utilde_prime,bi_ptr capital_ni,bi_ptr capital_ni_tilde,UINT32 commitments_proofLength,TSS_DAA_ATTRIB_COMMIT_internal * commitments_proof,UINT32 nonceIssuerLength,BYTE * nonceIssuer,UINT32 * resultLength,BYTE ** result)776 compute_join_challenge_host(TSS_HDAA hDAA,
777 						TSS_DAA_PK_internal *pk_internal,
778 						bi_ptr capitalU,
779 						bi_ptr capital_Uprime,
780 						bi_ptr capital_utilde,
781 						bi_ptr capital_utilde_prime,
782 						bi_ptr capital_ni,
783 						bi_ptr capital_ni_tilde,
784 						UINT32 commitments_proofLength,
785 						TSS_DAA_ATTRIB_COMMIT_internal *
786 						commitments_proof,
787 						UINT32 nonceIssuerLength,
788 						BYTE* nonceIssuer,
789 						UINT32 *resultLength,
790 						BYTE **result) {
791 	EVP_MD_CTX *mdctx;
792 	BYTE *encoded_pk = NULL, *buffer;
793 	UINT32 encoded_pkLength;
794 	int rv, length;
795 
796 	buffer = (BYTE *)malloc( 10000); // to be sure, and it will be free quickly
797 	if (buffer == NULL) {
798 		LogError("malloc of %d bytes failed", 10000);
799 		return TSPERR(TSS_E_OUTOFMEMORY);
800 	}
801 
802 	mdctx = EVP_MD_CTX_create();
803 	rv = EVP_DigestInit(mdctx, DAA_PARAM_get_message_digest());
804 	if (rv != EVP_SUCCESS) goto err;
805 	// allocation
806 	encoded_pk = encoded_DAA_PK_internal( &encoded_pkLength, pk_internal);
807 	LogDebug("encoded issuerPk[%d]: %s",
808 		encoded_pkLength,
809 		dump_byte_array( encoded_pkLength, encoded_pk));
810 	rv = EVP_DigestUpdate(mdctx,  encoded_pk, encoded_pkLength);
811 	if (rv != EVP_SUCCESS) goto err;
812 	// capitalU
813 	length = DAA_PARAM_SIZE_RSA_MODULUS / 8;
814 	bi_2_byte_array( buffer, length, capitalU);
815 	LogDebug("capitalU[%ld]: %s",
816 		bi_nbin_size(capitalU) ,
817 		dump_byte_array( length, buffer));
818 	rv = EVP_DigestUpdate(mdctx,  buffer, length);
819 	if (rv != EVP_SUCCESS) goto err;
820 	// capital UPrime
821 	bi_2_byte_array( buffer, length, capital_Uprime);
822 	LogDebug("capitalUPrime[%d]: %s",
823 		length,
824 		dump_byte_array( length, buffer));
825 	rv = EVP_DigestUpdate(mdctx,  buffer, length);
826 	if (rv != EVP_SUCCESS) goto err;
827 	// capital Utilde
828 	bi_2_byte_array( buffer, length, capital_utilde);
829 	LogDebug("capitalUTilde[%d]: %s",
830 		length,
831 		dump_byte_array( length, buffer));
832 	rv = EVP_DigestUpdate(mdctx,  buffer, length);
833 	if (rv != EVP_SUCCESS) goto err;
834 	// capital UtildePrime
835 	bi_2_byte_array( buffer, length, capital_utilde_prime);
836 	LogDebug("capital_utilde_prime[%d]: %s",
837 		length,
838 		dump_byte_array( length, buffer));
839 	rv = EVP_DigestUpdate(mdctx,  buffer, length);
840 	if (rv != EVP_SUCCESS) goto err;
841 	//capital_ni
842 	length = DAA_PARAM_SIZE_MODULUS_GAMMA / 8;
843 	bi_2_byte_array( buffer, length, capital_ni);
844 	LogDebug("capital_ni[%d]: %s",
845 		length,
846 		dump_byte_array( length, buffer));
847 	rv = EVP_DigestUpdate(mdctx,  buffer, length);
848 	if (rv != EVP_SUCCESS) goto err;
849 	//capital_ni_tilde
850 	bi_2_byte_array( buffer, length, capital_ni_tilde);
851 	LogDebug("capital_ni_tilde[%d]: %s",
852 		length,
853 		dump_byte_array( length, buffer));
854 	rv = EVP_DigestUpdate(mdctx,  buffer, length);
855 	if (rv != EVP_SUCCESS) goto err;
856 	// TODO: commitments
857 	LogDebug("nonceIssuer[%d]: %s",
858 		nonceIssuerLength,
859 		dump_byte_array( nonceIssuerLength, nonceIssuer));
860 	rv = EVP_DigestUpdate(mdctx,  nonceIssuer, nonceIssuerLength);
861 	if (rv != EVP_SUCCESS) goto err;
862 	*resultLength = EVP_MD_CTX_size(mdctx);
863 	*result = (BYTE *)malloc( *resultLength);
864 	if (*result == NULL) {
865 		LogError("malloc of %d bytes failed", *resultLength);
866 		free( buffer);
867 		free( encoded_pk);
868 		return TSPERR(TSS_E_OUTOFMEMORY);
869 	}
870 	rv = EVP_DigestFinal(mdctx, *result, NULL);
871 	if (rv != EVP_SUCCESS) goto err;
872 	EVP_MD_CTX_destroy(mdctx);
873 	free( buffer);
874 	free( encoded_pk);
875 	return TSS_SUCCESS;
876 err:
877 	EVP_MD_CTX_destroy(mdctx);
878 	free( buffer);
879 	free( encoded_pk);
880 	DEBUG_print_openssl_errors();
881 	return TSPERR(TSS_E_INTERNAL_ERROR);
882 }
883 
884 /*
885 This is the second out of 3 functions to execute in order to receive a DAA Credential. It
886 computes the credential request for the DAA Issuer, which also includes the Platforms & DAA
887 public key and the attributes that were chosen by the Platform, and which are not visible to \
888 the DAA Issuer. The Platform can commit to the attribute values it has chosen.
889 Code influenced by TSS.java (TssDaaCredentialRequest)
890 */
891 TSPICALL
Tspi_TPM_DAA_JoinCreateDaaPubKey_internal(TSS_HDAA hDAA,TSS_HTPM hTPM,UINT32 authenticationChallengeLength,BYTE * authenticationChallenge,UINT32 nonceIssuerLength,BYTE * nonceIssuer,UINT32 attributesPlatformLength,BYTE ** attributesPlatform,TSS_DAA_JOIN_SESSION * joinSession,TSS_DAA_CREDENTIAL_REQUEST * credentialRequest)892 Tspi_TPM_DAA_JoinCreateDaaPubKey_internal(
893 	TSS_HDAA hDAA,	// in
894 	TSS_HTPM hTPM,	// in
895 	UINT32 authenticationChallengeLength,	// in
896 	BYTE* authenticationChallenge,	// in
897 	UINT32 nonceIssuerLength,	// in
898 	BYTE* nonceIssuer,	// in
899 	UINT32 attributesPlatformLength,	// in
900 	BYTE** attributesPlatform,	// in
901 	TSS_DAA_JOIN_SESSION* joinSession,	// in, out
902 	TSS_DAA_CREDENTIAL_REQUEST* credentialRequest	// out
903 ) {
904 	TSS_RESULT result;
905 	TCS_CONTEXT_HANDLE tcsContext;
906 	TPM_AUTH ownerAuth;
907 	bi_ptr tmp1 = bi_new_ptr();
908 	bi_ptr tmp2 = bi_new_ptr();
909 	bi_ptr capital_utilde = bi_new_ptr();
910 	bi_ptr v_tilde_prime = bi_new_ptr();
911 	bi_ptr rv_tilde_prime = bi_new_ptr();
912 	bi_ptr capitalU = bi_new_ptr();
913 	bi_ptr product_attributes = bi_new_ptr();
914 	bi_ptr capital_ni = NULL;
915 	bi_ptr capital_utilde_prime = NULL;
916 	bi_ptr capital_ni_tilde = NULL;
917 	bi_ptr n = NULL;
918 	bi_ptr attributePlatform = NULL;
919 	bi_ptr c = NULL;
920 	bi_ptr zeta = NULL;
921 	bi_ptr capital_Uprime = NULL;
922 	bi_ptr sv_tilde_prime = NULL;
923 	bi_ptr s_f0 = NULL;
924 	bi_ptr s_f1 = NULL;
925 	bi_ptr sv_prime = NULL;
926 	bi_ptr sv_prime1 = NULL;
927 	bi_ptr sv_prime2 = NULL;
928 	bi_array_ptr ra = NULL;
929 	bi_array_ptr sa = NULL;
930 	TSS_DAA_PK* pk_extern = (TSS_DAA_PK *)joinSession->issuerPk;
931 	TSS_DAA_PK_internal* pk_internal = e_2_i_TSS_DAA_PK( pk_extern);
932 	UINT32 i, outputSize, authentication_proofLength, nonce_tpmLength;
933 	UINT32 capitalSprime_byte_arrayLength, size_bits, length, chLength, c_byteLength;
934 	UINT32 internal_cbyteLength, noncePlatformLength;
935 	BYTE *outputData, *authentication_proof, *capitalSprime_byte_array = NULL, *buffer;
936 	BYTE *ch = NULL;
937 	BYTE *c_byte, *noncePlatform, *nonce_tpm;
938 	BYTE *internal_cbyte = NULL;
939 	EVP_MD_CTX *mdctx;
940 
941 	if( tmp1 == NULL || tmp2 == NULL || capital_utilde == NULL ||
942 		v_tilde_prime == NULL || rv_tilde_prime == NULL ||
943 		capitalU == NULL || product_attributes == NULL) {
944 		LogError("malloc of bi(s) failed");
945 		result = TSPERR(TSS_E_OUTOFMEMORY);
946 		goto close;
947 	}
948 	if( pk_internal == NULL) {
949 		LogError("malloc of pk_internal failed");
950 		result = TSPERR(TSS_E_OUTOFMEMORY);
951 		goto close;
952 	}
953 	if( (result = obj_tpm_is_connected(  hTPM, &tcsContext)) != TSS_SUCCESS) {
954 		 goto close;
955 	}
956 	obj_daa_set_handle_tpm( hDAA, hTPM);
957 	// allocation
958 	n = bi_set_as_nbin( pk_extern->modulusLength, pk_extern->modulus);
959 	if( n == NULL) {
960 		LogError("malloc of %d bytes failed", pk_extern->modulusLength);
961 		result = TSPERR(TSS_E_OUTOFMEMORY);
962 		goto close;
963 	}
964 	// allocation
965 	capitalSprime_byte_array = bi_2_nbin( &capitalSprime_byte_arrayLength,
966 								pk_internal->capitalSprime);
967 	if( capitalSprime_byte_array == NULL) {
968 		LogError("malloc of %d bytes failed", capitalSprime_byte_arrayLength);
969 		result = TSPERR(TSS_E_OUTOFMEMORY);
970 		goto close;
971 	}
972 	// compute second part of the credential request
973 	// encode plateform attributes (the one visible only by the receiver)
974 	bi_set( product_attributes, bi_1);
975 	for( i=0; i<attributesPlatformLength; i++) {
976 		attributePlatform = bi_set_as_nbin( DAA_PARAM_SIZE_F_I / 8,
977 									attributesPlatform[i]); // allocation
978 		if( attributePlatform == NULL) {
979 			LogError("malloc of bi <%s> failed", "attributePlatform");
980 			result = TSPERR(TSS_E_OUTOFMEMORY);
981 			goto close;
982 		}
983 		// bi_tmp1 = ( capitalRReceiver[i] ^ attributesPlatform ) % n
984 		bi_mod_exp( tmp1, pk_internal->capitalRReceiver->array[i], attributePlatform, n);
985 		// bi_tmp1 = bi_tmp1 * product_attributes
986 		bi_mul( tmp1, tmp1, product_attributes);
987 		// product_attributes = bi_tmp1 % n
988 		bi_mod( product_attributes, tmp1, n);
989 		bi_free_ptr( attributePlatform);
990 	}
991 	bi_urandom( v_tilde_prime, DAA_PARAM_SIZE_RSA_MODULUS +
992 							DAA_PARAM_SAFETY_MARGIN);
993 	// tmp1 = capitalUPrime * capitalS
994 	bi_free_ptr( tmp1);
995 	tmp1 = bi_set_as_nbin( joinSession->capitalUPrimeLength,
996 						joinSession->capitalUPrime); // allocation
997 	if( tmp1 == NULL) {
998 		LogError("malloc of %d bytes failed", joinSession->capitalUPrimeLength);
999 		result = TSPERR(TSS_E_OUTOFMEMORY);
1000 		goto close;
1001 	}
1002 	// U = ( U' * ( ( pk->S ^ v~' ) % n) ) % n
1003 	// tmp2 = ( pk->S ^ v~') % n
1004 	bi_mod_exp( tmp2, pk_internal->capitalS, v_tilde_prime, n);
1005 	// U = tmp1( U') * tmp2
1006 	bi_mul( capitalU, tmp1, tmp2);
1007 	bi_mod( capitalU, capitalU, n);
1008 	// U = ( U * product_attributes ) % n
1009 	bi_mul( capitalU, capitalU, product_attributes);
1010 	bi_mod( capitalU, capitalU, n);
1011 	// 2  : call the TPM to compute authentication proof with U'
1012 	result = Tcsip_TPM_DAA_Join_encapsulate( tcsContext, hDAA,
1013 		8,
1014 		authenticationChallengeLength, authenticationChallenge,
1015 		0, NULL,
1016 		&ownerAuth, &outputSize, &outputData);
1017 	if( result != TSS_SUCCESS) goto close;
1018 	LogDebug("Done Join 8");
1019 	authentication_proof = calloc_tspi( tcsContext, outputSize);
1020 	if( authentication_proof == NULL) {
1021 		LogError("malloc of %d bytes failed", outputSize);
1022 		result = TSPERR(TSS_E_OUTOFMEMORY);
1023 		goto close;
1024 	}
1025 	memcpy( authentication_proof, outputData, outputSize);
1026 	free( outputData);
1027 	authentication_proofLength = outputSize;
1028 
1029 	// 3 : call the TPM to compute U' (first part of correctness proof of the credential
1030 	// request
1031 	result = Tcsip_TPM_DAA_Join_encapsulate( tcsContext, hDAA,
1032 		9,
1033 		pk_extern->capitalR0Length, pk_extern->capitalR0,
1034 		pk_extern->modulusLength, pk_extern->modulus,
1035 		&ownerAuth, &outputSize, &outputData);
1036 	if( result != TSS_SUCCESS) goto close;
1037 	LogDebug("Done Join 9: capitalR0");
1038 	free( outputData);
1039 
1040 	result = Tcsip_TPM_DAA_Join_encapsulate( tcsContext, hDAA,
1041 		10,
1042 		pk_extern->capitalR1Length, pk_extern->capitalR1,
1043 		pk_extern->modulusLength, pk_extern->modulus,
1044 		&ownerAuth, &outputSize, &outputData);
1045 	if( result != TSS_SUCCESS) goto close;
1046 	LogDebug("Done Join 10: capitalR1");
1047 	free( outputData);
1048 
1049 	result = Tcsip_TPM_DAA_Join_encapsulate( tcsContext, hDAA,
1050 		11,
1051 		pk_extern->capitalSLength, pk_extern->capitalS,
1052 		pk_extern->modulusLength, pk_extern->modulus,
1053 		&ownerAuth, &outputSize, &outputData);
1054 	if( result != TSS_SUCCESS) goto close;
1055 	LogDebug("Done Join 11: capitalS");
1056 	free( outputData);
1057 
1058 	result = Tcsip_TPM_DAA_Join_encapsulate( tcsContext, hDAA,
1059 		12,
1060 		capitalSprime_byte_arrayLength, capitalSprime_byte_array,
1061 		pk_extern->modulusLength, pk_extern->modulus,
1062 		&ownerAuth, &outputSize, &outputData);
1063 	if( result != TSS_SUCCESS) goto close;
1064 	LogDebug("Done Join 12: capitalUTildePrime");
1065 	capital_utilde_prime = bi_set_as_nbin( outputSize, outputData); // allocation
1066 	if( capital_utilde_prime == NULL) {
1067 		LogError("malloc of %d bytes failed", outputSize);
1068 		result = TSPERR(TSS_E_OUTOFMEMORY);
1069 		goto close;
1070 	}
1071 	free( outputData);
1072 	// 4 compute pseudonym with respect to the DAA Issuer
1073 	// allocation
1074 	zeta = compute_zeta( pk_internal->issuerBaseNameLength,
1075 					pk_internal->issuerBaseName,
1076 					pk_internal);
1077 	if( zeta == NULL) {
1078 		LogError("malloc of bi <%s> failed", "zeta");
1079 		result = TSPERR(TSS_E_OUTOFMEMORY);
1080 		goto close;
1081 	}
1082 	buffer = (BYTE *)malloc( TPM_DAA_SIZE_w);
1083 	if( buffer == NULL) {
1084 		LogError("malloc of %d bytes failed", TPM_DAA_SIZE_w);
1085 		result = TSPERR(TSS_E_OUTOFMEMORY);
1086 		goto close;
1087 	}
1088 	LogDebug("zeta[%ld] = %s", bi_nbin_size( zeta), bi_2_hex_char( zeta));
1089 	bi_2_byte_array( buffer, TPM_DAA_SIZE_w, zeta);
1090 	LogDebug("zeta[%d] = %s", TPM_DAA_SIZE_w, dump_byte_array( TPM_DAA_SIZE_w, buffer));
1091 
1092 	result = Tcsip_TPM_DAA_Join_encapsulate( tcsContext, hDAA,
1093 		13,
1094 		pk_extern->capitalGammaLength, pk_extern->capitalGamma,
1095 		TPM_DAA_SIZE_w, buffer, // zeta
1096 		&ownerAuth, &outputSize, &outputData);
1097 	free( buffer);
1098 	if( result != TSS_SUCCESS) goto close;
1099 	LogDebug("Done Join 13: capitalGamma / zeta");
1100 	free( outputData);
1101 
1102 	result = Tcsip_TPM_DAA_Join_encapsulate( tcsContext, hDAA,
1103 		14,
1104 		pk_extern->capitalGammaLength, pk_extern->capitalGamma,
1105 		0, NULL,
1106 		&ownerAuth, &outputSize, &outputData);
1107 	if( result != TSS_SUCCESS) goto close;
1108 	LogDebug("Done Join 14: capitalGamma");
1109 	capital_ni = bi_set_as_nbin( outputSize, outputData); // allocation
1110 	if( capital_ni == NULL) {
1111 		LogError("malloc of bi <%s> failed", "capital_ni");
1112 		result = TSPERR(TSS_E_OUTOFMEMORY);
1113 		goto close;
1114 	}
1115 	free( outputData);
1116 
1117 	result = Tcsip_TPM_DAA_Join_encapsulate( tcsContext, hDAA,
1118 		15,
1119 		pk_extern->capitalGammaLength, pk_extern->capitalGamma,
1120 		0, NULL,
1121 		&ownerAuth, &outputSize, &outputData);
1122 	if( result != TSS_SUCCESS) goto close;
1123 	LogDebug("Done Join 15: capitalGamma");
1124 	capital_ni_tilde = bi_set_as_nbin( outputSize, outputData); // allocation
1125 	if( capital_ni_tilde == NULL) {
1126 		LogError("malloc of bi <%s> failed", "capital_ni_tilde");
1127 		result = TSPERR(TSS_E_OUTOFMEMORY);
1128 		goto close;
1129 	}
1130 	free( outputData);
1131 
1132 	// 5 : compute the second part of the correctness proof of the credential request
1133 	// (with attributes not visible to issuer)
1134 	// randomize/blind attributesReceiver
1135 	size_bits = DAA_PARAM_SIZE_RANDOMIZED_ATTRIBUTES;
1136 	bi_set( product_attributes, bi_1);
1137 	ra = (bi_array_ptr)malloc( sizeof( struct _bi_array));
1138 	if( ra == NULL) {
1139 		LogError("malloc of %d bytes failed", sizeof( struct _bi_array));
1140 		result = TSPERR(TSS_E_OUTOFMEMORY);
1141 		goto close;
1142 	}
1143 	bi_new_array( ra, attributesPlatformLength);
1144 	if( ra->array == NULL) {
1145 		LogError("malloc of bi_array <%s> failed", "ra");
1146 		result = TSPERR(TSS_E_OUTOFMEMORY);
1147 		goto close;
1148 	}
1149 	for( i=0; i < attributesPlatformLength; i++) {
1150 		bi_urandom( ra->array[i], size_bits);
1151 		LogDebug("ra[i]=%s size=%d", bi_2_hex_char( ra->array[i]), size_bits);
1152 		// product_attributes=(((capitalYplatform ^ ra[i]) % n)*<product_attributes-1>)%n
1153 		bi_mod_exp( tmp1, pk_internal->capitalRReceiver->array[i], ra->array[i], n);
1154 		bi_mul( tmp1, tmp1, product_attributes);
1155 		bi_mod( product_attributes, tmp1, n);
1156 	}
1157 	size_bits = DAA_PARAM_SIZE_F_I+2*DAA_PARAM_SAFETY_MARGIN+DAA_PARAM_SIZE_MESSAGE_DIGEST;
1158 	bi_urandom( rv_tilde_prime, size_bits);
1159 	// capital_utilde = ( capitalS ^ rv_tilde_prime) % n
1160 	bi_mod_exp( capital_utilde, pk_internal->capitalS, rv_tilde_prime, n);
1161 	// capital_utilde = capital_utilde * product_attributes
1162 	bi_mul( capital_utilde, capital_utilde, product_attributes);
1163 	// capital_utilde = capital_utilde % n
1164 	bi_mod( capital_utilde, capital_utilde, n);
1165 	// 5e
1166 	capital_Uprime = bi_set_as_nbin( joinSession->capitalUPrimeLength,
1167 					joinSession->capitalUPrime); // allocation
1168 	if( capital_Uprime == NULL) {
1169 		LogError("malloc of bi <%s> failed", "capital_Uprime");
1170 		result = TSPERR(TSS_E_OUTOFMEMORY);
1171 		goto close;
1172 	}
1173 	LogDebug("calculation UTilde:                capitalS:%s\n", bi_2_hex_char( pk_internal->capitalS));
1174 	LogDebug("calculation UTilde:       rv_tilde_prime:%s\n", bi_2_hex_char( rv_tilde_prime));
1175 	LogDebug("calculation UTilde:                          n:%s\n", bi_2_hex_char( n));
1176 	LogDebug("calculation UTilde: product_attributes:%s\n", bi_2_hex_char( product_attributes));
1177 	LogDebug("calculation NItilde:                     ntilde:%s\n", bi_2_hex_char( capital_ni_tilde));
1178 
1179 	result = compute_join_challenge_host(
1180 		hDAA,
1181 		pk_internal,
1182 		capitalU,
1183 		capital_Uprime,
1184 		capital_utilde,
1185 		capital_utilde_prime,
1186 		capital_ni,
1187 		capital_ni_tilde,
1188 		0,		// TODO commitmentProofLength
1189 		NULL,	// TODO commitment
1190 		nonceIssuerLength,
1191 		nonceIssuer,
1192 		&chLength, // out
1193 		&ch // out allocation
1194 	);
1195 	if( result != TSS_SUCCESS) goto close;
1196 
1197 	result = Tcsip_TPM_DAA_Join_encapsulate( tcsContext, hDAA,
1198 		16,
1199 		chLength, ch,
1200 		0, NULL,
1201 		&ownerAuth, &outputSize, &outputData);
1202 	if( result != TSS_SUCCESS) goto close;
1203 	nonce_tpm = outputData;
1204 	nonce_tpmLength = outputSize;
1205 	LogDebug("Done Join 16: compute_join_challenge_host return nonce_tpm:%s",
1206 		dump_byte_array(nonce_tpmLength, nonce_tpm));
1207 
1208 	result = Tcsip_TPM_DAA_Join_encapsulate( tcsContext, hDAA,
1209 		17,
1210 		0, NULL,
1211 		0, NULL,
1212 		&ownerAuth, &outputSize, &outputData);
1213 	if( result != TSS_SUCCESS) goto close;
1214 	s_f0 = bi_set_as_nbin( outputSize, outputData); // allocation
1215 	if( s_f0 == NULL) {
1216 		LogError("malloc of <bi> %s failed", "s_f0");
1217 		result = TSPERR(TSS_E_OUTOFMEMORY);
1218 		goto close;
1219 	}
1220 	LogDebug("Done Join 17: return sF0:%s", dump_byte_array(outputSize, outputData) );
1221 	free( outputData);
1222 
1223 	result = Tcsip_TPM_DAA_Join_encapsulate( tcsContext, hDAA,
1224 		18,
1225 		0, NULL,
1226 		0, NULL,
1227 		&ownerAuth, &outputSize, &outputData);
1228 	if( result != TSS_SUCCESS) goto close;
1229 	s_f1 = bi_set_as_nbin( outputSize, outputData); // allocation
1230 	if( s_f1 == NULL) {
1231 		LogError("malloc of <bi> %s failed", "s_f1");
1232 		result = TSPERR(TSS_E_OUTOFMEMORY);
1233 		goto close;
1234 	}
1235 	LogDebug("Done Join 18: return sF1:%s", dump_byte_array(outputSize, outputData) );
1236 	free( outputData);
1237 
1238 	result = Tcsip_TPM_DAA_Join_encapsulate( tcsContext, hDAA,
1239 		19,
1240 		0, NULL,
1241 		0, NULL,
1242 		&ownerAuth, &outputSize, &outputData);
1243 	if( result != TSS_SUCCESS) goto close;
1244 	LogDebug("Done Join 19: return sv_prime1");
1245 	sv_prime1 = bi_set_as_nbin( outputSize, outputData); // allocation
1246 	if( sv_prime1 == NULL) {
1247 		LogError("malloc of <bi> %s failed", "sv_prime1");
1248 		result = TSPERR(TSS_E_OUTOFMEMORY);
1249 		goto close;
1250 	}
1251 	free( outputData);
1252 
1253 	result = Tcsip_TPM_DAA_Join_encapsulate( tcsContext, hDAA,
1254 		20,
1255 		0, NULL,
1256 		0, NULL,
1257 		&ownerAuth, &outputSize, &outputData);
1258 	if( result != TSS_SUCCESS) goto close;
1259 	LogDebug("Done Join 20: return cByte");
1260 	c_byte = (BYTE *)calloc_tspi( tcsContext, outputSize);
1261 	if( c_byte == NULL) {
1262 		LogError("malloc of %d bytes failed", outputSize);
1263 		result = TSPERR(TSS_E_OUTOFMEMORY);
1264 		goto close;
1265 	}
1266 	memcpy( c_byte, outputData, outputSize);
1267 	free( outputData);
1268 	c_byteLength = outputSize;
1269 	c = bi_set_as_nbin( c_byteLength, c_byte); // allocation
1270 	if( c == NULL) {
1271 		LogError("malloc of <bi> %s failed", "c");
1272 		result = TSPERR(TSS_E_OUTOFMEMORY);
1273 		goto close;
1274 	}
1275 
1276 	// verify computation of c by TPM
1277 	mdctx = EVP_MD_CTX_create();
1278 	EVP_DigestInit(mdctx, DAA_PARAM_get_message_digest());
1279 	EVP_DigestUpdate(mdctx,  ch, chLength);
1280 	EVP_DigestUpdate(mdctx,  nonce_tpm, nonce_tpmLength);
1281 	nonce_tpm = convert_alloc( tcsContext, nonce_tpmLength, nonce_tpm); // allocation
1282 	if( nonce_tpm == NULL) {
1283 		LogError("malloc of %d bytes failed", nonce_tpmLength);
1284 		result = TSPERR(TSS_E_OUTOFMEMORY);
1285 		goto close;
1286 	}
1287 	internal_cbyteLength = EVP_MD_CTX_size(mdctx);
1288 	internal_cbyte = (BYTE *)malloc( internal_cbyteLength);
1289 	if( internal_cbyte == NULL) {
1290 		LogError("malloc of %d bytes failed", internal_cbyteLength);
1291 		result = TSPERR(TSS_E_OUTOFMEMORY);
1292 		goto close;
1293 	}
1294 	EVP_DigestFinal(mdctx, internal_cbyte, NULL);
1295 	if( c_byteLength != internal_cbyteLength ||
1296 		memcmp( c_byte, internal_cbyte, c_byteLength) != 0) {
1297 		LogError( "Computation of c in TPM DAA Join command is incorrect. Affected stages: 16,20\n");
1298 		LogError( "\t            c_byte[%d] %s",
1299 				c_byteLength,
1300 				dump_byte_array( c_byteLength, c_byte));
1301 		LogError( "\tc_internal_byte[%d] %s",
1302 				internal_cbyteLength,
1303 				dump_byte_array( internal_cbyteLength, internal_cbyte));
1304 		result = TSS_E_INTERNAL_ERROR;
1305 		goto close;
1306 	}
1307 
1308 	// 5m) blind attributesReceiver
1309 	sa = (bi_array_ptr)malloc( sizeof( struct _bi_array));
1310 	if( sa == NULL) {
1311 		LogError("malloc of %d bytes failed", sizeof( struct _bi_array));
1312 		result = TSPERR(TSS_E_OUTOFMEMORY);
1313 		goto close;
1314 	}
1315 	bi_new_array( sa, attributesPlatformLength);
1316 	for( i=0; i < attributesPlatformLength; i++) {
1317 		attributePlatform = bi_set_as_nbin( DAA_PARAM_SIZE_F_I / 8,
1318 								attributesPlatform[i]); // allocation
1319 		if( attributePlatform == NULL) {
1320 			LogError("malloc of <bi> %s failed", "attributePlatform");
1321 			result = TSPERR(TSS_E_OUTOFMEMORY);
1322 			goto close;
1323 		}
1324 		LogDebug("calculating sa[%d]: raLength=%ld cLength=%ld attributesPlatformLength=%ld\n",
1325 				i, bi_nbin_size( ra->array[i]), bi_nbin_size( c), bi_nbin_size( attributePlatform));
1326 		bi_add( sa->array[i], ra->array[i], bi_mul( tmp1, c, attributePlatform));
1327 		bi_free_ptr( attributePlatform);
1328 	}
1329 	attributePlatform = NULL;
1330 	// 5o) Commitments
1331 	// TODO
1332 
1333 	result = Tcsip_TPM_DAA_Join_encapsulate( tcsContext, hDAA,
1334 		21,
1335 		0, NULL,
1336 		0, NULL,
1337 		&ownerAuth, &outputSize, &outputData);
1338 	if( result != TSS_SUCCESS) goto close;
1339 	LogDebug("Done Join 21: return sv_prime2");
1340 	sv_prime2 = bi_set_as_nbin( outputSize, outputData); // allocation
1341 	if( sv_prime2 == NULL) {
1342 		LogError("malloc of <bi> %s failed", "sv_prime2");
1343 		result = TSPERR(TSS_E_OUTOFMEMORY);
1344 		goto close;
1345 	}
1346 	free( outputData);
1347 	sv_prime = bi_new_ptr();
1348 	if( sv_prime == NULL) {
1349 		LogError("malloc of <bi> %s failed", "sv_prime");
1350 		result = TSPERR(TSS_E_OUTOFMEMORY);
1351 		goto close;
1352 	}
1353 	// sv_prime = sv_prime2 << DAA_PARAM_SIZE_SPLIT_EXPONENT
1354 	bi_shift_left( sv_prime, sv_prime2, DAA_PARAM_SIZE_SPLIT_EXPONENT);
1355 	// sv_prime = sv_prime + sv_prime1
1356 	bi_add( sv_prime, sv_prime, sv_prime1);
1357 
1358 	sv_tilde_prime = bi_new_ptr();
1359 	// tmp1 = c * v_tilde_prime
1360 	bi_mul( tmp1, c, v_tilde_prime);
1361 	// sv_tilde_prime = rv_tilde_prime + tmp1
1362 	bi_add( sv_tilde_prime, rv_tilde_prime, tmp1);
1363 
1364 	// step 6) - choose nonce
1365 	bi_urandom( tmp1, DAA_PARAM_SAFETY_MARGIN * 8);
1366 	noncePlatform = (BYTE *)calloc_tspi( tcsContext, DAA_PARAM_SAFETY_MARGIN);
1367 	if( noncePlatform == NULL) {
1368 		LogError("malloc of <bi> %s failed", "noncePlatform");
1369 		result = TSPERR(TSS_E_OUTOFMEMORY);
1370 		goto close;
1371 	}
1372 	bi_2_nbin1( &noncePlatformLength, noncePlatform, tmp1);
1373 
1374 	LogDebug("challenge:%s", dump_byte_array( c_byteLength, c_byte));
1375 	LogDebug("sF0 [%ld]:%s", bi_length( s_f0), bi_2_hex_char( s_f0));
1376 	LogDebug("sF1 [%ld]:%s", bi_length( s_f1), bi_2_hex_char( s_f1));
1377 	LogDebug("sv_prime [%ld]:%s", bi_length( sv_prime), bi_2_hex_char( sv_prime));
1378 	LogDebug("sv_tilde_prime [%ld]:%s", bi_length( sv_tilde_prime), bi_2_hex_char( sv_tilde_prime));
1379 	// update joinSession
1380 	joinSession->capitalU = calloc_tspi( tcsContext, bi_nbin_size( capitalU));
1381 	if( joinSession->capitalU == NULL) {
1382 		LogError("malloc of %ld bytes failed", bi_nbin_size( capitalU));
1383 		result = TSPERR(TSS_E_OUTOFMEMORY);
1384 		goto close;
1385 	}
1386 	bi_2_nbin1( &(joinSession->capitalULength),
1387 			joinSession->capitalU,
1388 			capitalU);
1389 	joinSession->attributesPlatformLength = attributesPlatformLength;
1390 	joinSession->attributesPlatform = calloc_tspi( tcsContext, sizeof(BYTE *));
1391 	for( i=0; i<joinSession->attributesPlatformLength; i++) {
1392 		joinSession->attributesPlatform[i] =
1393 				calloc_tspi( tcsContext,DAA_PARAM_SIZE_F_I / 8);
1394 		memcpy( joinSession->attributesPlatform[i],
1395 				attributesPlatform[i],
1396 				DAA_PARAM_SIZE_F_I / 8);
1397 	}
1398 	joinSession->noncePlatform = noncePlatform;
1399 	joinSession->noncePlatformLength = noncePlatformLength;
1400 	joinSession->vTildePrime = calloc_tspi( tcsContext, bi_nbin_size( v_tilde_prime));
1401 	if( joinSession->vTildePrime == NULL) {
1402 		LogError("malloc of %ld bytes failed", bi_nbin_size( v_tilde_prime));
1403 		result = TSPERR(TSS_E_OUTOFMEMORY);
1404 		goto close;
1405 	}
1406 	bi_2_nbin1( &(joinSession->vTildePrimeLength),
1407 			joinSession->vTildePrime,
1408 			v_tilde_prime);
1409 	// update credentialRequest
1410 	credentialRequest->capitalU = calloc_tspi( tcsContext, bi_nbin_size( capitalU));
1411 	if( credentialRequest->capitalU == NULL) {
1412 		LogError("malloc of %ld bytes failed", bi_nbin_size( capitalU));
1413 		result = TSPERR(TSS_E_OUTOFMEMORY);
1414 		goto close;
1415 	}
1416 	bi_2_nbin1( &(credentialRequest->capitalULength),
1417 			credentialRequest->capitalU,
1418 			capitalU);
1419 	credentialRequest->capitalNi = calloc_tspi( tcsContext, bi_nbin_size( capital_ni));
1420 	if( credentialRequest->capitalNi == NULL) {
1421 		LogError("malloc of %ld bytes failed", bi_nbin_size( capital_ni));
1422 		result = TSPERR(TSS_E_OUTOFMEMORY);
1423 		goto close;
1424 	}
1425 	bi_2_nbin1( &(credentialRequest->capitalNiLength),
1426 			credentialRequest->capitalNi,
1427 			capital_ni);
1428 	credentialRequest->authenticationProofLength = authentication_proofLength;
1429 	credentialRequest->authenticationProof = authentication_proof;
1430 	credentialRequest->challenge = c_byte;
1431 	credentialRequest->challengeLength = c_byteLength;
1432 	credentialRequest->nonceTpm = nonce_tpm;
1433 	credentialRequest->nonceTpmLength = nonce_tpmLength;
1434 	credentialRequest->noncePlatform = noncePlatform;
1435 	credentialRequest->noncePlatformLength = DAA_PARAM_SAFETY_MARGIN;
1436 	credentialRequest->sF0 = calloc_tspi( tcsContext, bi_nbin_size( s_f0));
1437 	if( credentialRequest->sF0 == NULL) {
1438 		LogError("malloc of %ld bytes failed", bi_nbin_size( s_f0));
1439 		result = TSPERR(TSS_E_OUTOFMEMORY);
1440 		goto close;
1441 	}
1442 	bi_2_nbin1( &(credentialRequest->sF0Length), credentialRequest->sF0, s_f0);
1443 	credentialRequest->sF1 = calloc_tspi( tcsContext, bi_nbin_size( s_f1));
1444 	if( credentialRequest->sF1 == NULL) {
1445 		LogError("malloc of %ld bytes failed", bi_nbin_size( s_f1));
1446 		result = TSPERR(TSS_E_OUTOFMEMORY);
1447 		goto close;
1448 	}
1449 	bi_2_nbin1( &(credentialRequest->sF1Length), credentialRequest->sF1, s_f1);
1450 	credentialRequest->sVprime = calloc_tspi( tcsContext, bi_nbin_size( sv_prime));
1451 	if( credentialRequest->sVprime == NULL) {
1452 		LogError("malloc of %ld bytes failed", bi_nbin_size( sv_prime));
1453 		result = TSPERR(TSS_E_OUTOFMEMORY);
1454 		goto close;
1455 	}
1456 	bi_2_nbin1( &(credentialRequest->sVprimeLength),
1457 			credentialRequest->sVprime,
1458 			sv_prime);
1459 	credentialRequest->sVtildePrime = calloc_tspi( tcsContext, bi_nbin_size( sv_tilde_prime));
1460 	if( credentialRequest->sVtildePrime == NULL) {
1461 		LogError("malloc of %ld bytes failed", bi_nbin_size( sv_tilde_prime));
1462 		result = TSPERR(TSS_E_OUTOFMEMORY);
1463 		goto close;
1464 	}
1465 	bi_2_nbin1( &(credentialRequest->sVtildePrimeLength),
1466 			credentialRequest->sVtildePrime,
1467 			sv_tilde_prime);
1468 	length = (DAA_PARAM_SIZE_RANDOMIZED_ATTRIBUTES + 7) / 8;
1469 	LogDebug("SA length=%d", sa->length);
1470 	credentialRequest->sA = calloc_tspi( tcsContext, sizeof( BYTE *) * sa->length);
1471 	if( credentialRequest->sA == NULL) {
1472 		LogError("malloc of %d bytes failed", sizeof( BYTE *) * sa->length);
1473 		result = TSPERR(TSS_E_OUTOFMEMORY);
1474 		goto close;
1475 	}
1476 
1477 	for( i=0; i<(UINT32)sa->length; i++) {
1478 		LogDebug("sa[%d].size=%d", i, (int)bi_nbin_size( sa->array[i]));
1479 		credentialRequest->sA[i] = calloc_tspi( tcsContext, length);
1480 		if( credentialRequest->sA[i] == NULL) {
1481 			LogError("malloc of %d bytes failed", length);
1482 			result = TSPERR(TSS_E_OUTOFMEMORY);
1483 			goto close;
1484 		}
1485 		// size used only as repository
1486 		bi_2_byte_array( credentialRequest->sA[i], length, sa->array[i]);
1487 	}
1488 	credentialRequest->sALength = sa->length;
1489 close:
1490 	EVP_MD_CTX_destroy(mdctx);
1491 	if( capitalSprime_byte_array!=NULL) free( capitalSprime_byte_array);
1492 	if( ch!=NULL) free( ch);
1493 	if( internal_cbyte != NULL) free( internal_cbyte);
1494 	bi_free_ptr( rv_tilde_prime);
1495 	bi_free_ptr( v_tilde_prime);
1496 	bi_free_ptr( capital_utilde);
1497 	bi_free_ptr( tmp1);
1498 	bi_free_ptr( tmp2);
1499 	bi_free_ptr( capitalU);
1500 	if( ra != NULL) {
1501 		bi_free_array( ra);
1502 		free( ra);
1503 	}
1504 	if( sa != NULL) {
1505 		bi_free_array( sa);
1506 		free( sa);
1507 	}
1508 	FREE_BI( capital_ni);
1509 	FREE_BI( capital_utilde_prime);
1510 	FREE_BI( capital_ni_tilde);
1511 	FREE_BI( n);
1512 	FREE_BI( attributePlatform);
1513 	FREE_BI( c);
1514 	FREE_BI( zeta);
1515 	FREE_BI( capital_Uprime);
1516 	FREE_BI( sv_tilde_prime);
1517 	FREE_BI( s_f0);
1518 	FREE_BI( s_f1);
1519 	FREE_BI( sv_prime);
1520 	FREE_BI( sv_prime1);
1521 	FREE_BI( sv_prime2);
1522 	FREE_BI( product_attributes);
1523 	free_TSS_DAA_PK_internal( pk_internal);
1524 	return result;
1525 }
1526 
1527 /*
1528 Code influenced by TSS.java (joinStoreCredential)
1529 */
Tspi_TPM_DAA_JoinStoreCredential_internal(TSS_HDAA hDAA,TSS_HTPM hTPM,TSS_DAA_CRED_ISSUER credIssuer,TSS_DAA_JOIN_SESSION joinSession,TSS_HKEY * hDaaCredential)1530 TSPICALL Tspi_TPM_DAA_JoinStoreCredential_internal
1531 (
1532 	TSS_HDAA	hDAA,	// in
1533 	TSS_HTPM	hTPM,	// in
1534 	TSS_DAA_CRED_ISSUER	credIssuer,	// in
1535 	TSS_DAA_JOIN_SESSION	joinSession,	// in
1536 	TSS_HKEY*	hDaaCredential	// out
1537 ) {
1538 	TCS_CONTEXT_HANDLE tcsContext;
1539 	TPM_AUTH ownerAuth;
1540 	bi_ptr tmp1 = bi_new_ptr();
1541 	bi_ptr tmp2 = bi_new_ptr();
1542 	bi_ptr n = NULL;
1543 	bi_ptr e = NULL;
1544 	bi_ptr fraction_A = NULL;
1545 	bi_ptr v_prime_prime = NULL;
1546 	bi_ptr capital_U = NULL;
1547 	bi_ptr product_attributes = NULL;
1548 	bi_ptr capital_Atilde = NULL;
1549 	bi_ptr s_e = NULL;
1550 	bi_ptr c_prime = NULL;
1551 	bi_ptr capital_A = NULL;
1552 	bi_ptr product = NULL;
1553 	bi_ptr v_tilde_prime = NULL;
1554 	bi_ptr v_prime_prime0 = NULL;
1555 	bi_ptr v_prime_prime1 = NULL;
1556 	TSS_DAA_PK *daa_pk_extern;
1557 	TSS_DAA_PK_internal *pk_intern = NULL;
1558 	TSS_DAA_CREDENTIAL *daaCredential;
1559 	bi_array_ptr attributes_issuer;
1560 	TSS_RESULT result = TSS_SUCCESS;
1561 	UINT32 i;
1562 	UINT32  c_byteLength, v0Length, v1Length, tpm_specificLength;
1563  	BYTE *c_byte = NULL;
1564 	BYTE *v0 = NULL;
1565 	BYTE *v1 = NULL;
1566 	BYTE *tpm_specific = NULL;
1567 
1568 	if( tmp1 == NULL || tmp2 == NULL) {
1569 		LogError("malloc of bi(s) failed");
1570 		result = TSPERR(TSS_E_OUTOFMEMORY);
1571 		goto close;
1572 	}
1573 	if( (result = obj_tpm_is_connected(  hTPM, &tcsContext)) != TSS_SUCCESS) return result;
1574 	obj_daa_set_handle_tpm( hDAA, hTPM);
1575 
1576 	LogDebug("Converting issuer public");
1577 	daa_pk_extern = (TSS_DAA_PK *)joinSession.issuerPk;
1578 	pk_intern = e_2_i_TSS_DAA_PK( daa_pk_extern);
1579 	if( pk_intern == NULL) {
1580 		LogError("malloc of pk_intern failed");
1581 		result = TSPERR(TSS_E_OUTOFMEMORY);
1582 		goto close;
1583 	}
1584 	n = bi_new_ptr();
1585 	if( n == NULL) {
1586 		LogError("malloc of bi <%s> failed", "n");
1587 		result = TSPERR(TSS_E_OUTOFMEMORY);
1588 		goto close;
1589 	}
1590 	bi_set( n, pk_intern->modulus);
1591 	attributes_issuer = (bi_array_ptr)malloc( sizeof( struct _bi_array));
1592 	if( attributes_issuer == NULL) {
1593 		LogError("malloc of %d bytes failed", sizeof( struct _bi_array));
1594 		result = TSPERR(TSS_E_OUTOFMEMORY);
1595 		goto close;
1596 	}
1597 	bi_new_array( attributes_issuer, credIssuer.attributesIssuerLength);
1598 	if( attributes_issuer->array == NULL) {
1599 		LogError("malloc of bi_array <%s> failed", "attributes_issuer->array");
1600 		result = TSPERR(TSS_E_OUTOFMEMORY);
1601 		goto close;
1602 	}
1603 	for( i=0; i < credIssuer.attributesIssuerLength; i++) {
1604 		// allocation
1605 		attributes_issuer->array[i] = bi_set_as_nbin( DAA_PARAM_SIZE_F_I / 8,
1606 								credIssuer.attributesIssuer[i]);
1607 		if( attributes_issuer->array[i] == NULL) {
1608 			LogError("malloc of bi <attributes_issuer->array[%d]> failed", i);
1609 			result = TSPERR(TSS_E_OUTOFMEMORY);
1610 			goto close;
1611 		}
1612 	}
1613 	LogDebug("verify credential of issuer ( part 1)");
1614 	e = bi_set_as_nbin( credIssuer.eLength, credIssuer.e); // allocation
1615 	if( e == NULL) {
1616 		LogError("malloc of bi <%s> failed", "e");
1617 		result = TSPERR(TSS_E_OUTOFMEMORY);
1618 		goto close;
1619 	}
1620 	bi_set( tmp1, bi_0);
1621 	bi_setbit( tmp1, DAA_PARAM_SIZE_EXPONENT_CERTIFICATE - 1);
1622 	bi_set( tmp2, bi_0);
1623 	bi_setbit( tmp1, DAA_PARAM_SIZE_INTERVAL_EXPONENT_CERTIFICATE - 1);
1624 	bi_add( tmp1, tmp1, tmp2);
1625 	if( bi_is_probable_prime( e) == 0 ||
1626 		bi_length(e) < DAA_PARAM_SIZE_EXPONENT_CERTIFICATE ||
1627 		bi_cmp( e, tmp1) > 0) {
1628 			LogError("Verification e failed - Step 1.a");
1629 			LogError("\tPrime(e):%d", bi_is_probable_prime( e));
1630 			LogError("\tbit_length(e):%ld", bi_length(e));
1631 			LogError("\te > (2^(l_e) + 2^(l_prime_e)):%d", bi_cmp( e, tmp1));
1632 			result = TSS_E_DAA_CREDENTIAL_PROOF_ERROR;
1633 			goto close;
1634 	}
1635 	LogDebug("verify credential of issuer (part 2) with proof");
1636 	fraction_A = bi_new_ptr();
1637 	if( fraction_A == NULL) {
1638 		LogError("malloc of bi <%s> failed", "fraction_A");
1639 		result = TSPERR(TSS_E_OUTOFMEMORY);
1640 		goto close;
1641 	}
1642 	v_prime_prime = bi_set_as_nbin( credIssuer.vPrimePrimeLength,
1643 						credIssuer.vPrimePrime); // allocation
1644 	if( v_prime_prime == NULL) {
1645 		LogError("malloc of bi <%s> failed", "v_prime_prime");
1646 		result = TSPERR(TSS_E_OUTOFMEMORY);
1647 		goto close;
1648 	}
1649 	capital_U = bi_set_as_nbin( joinSession.capitalULength,
1650 						joinSession.capitalU); // allocation
1651 	if( capital_U == NULL) {
1652 		LogError("malloc of bi <%s> failed", "capital_U");
1653 		result = TSPERR(TSS_E_OUTOFMEMORY);
1654 		goto close;
1655 	}
1656 	bi_mod_exp( fraction_A, pk_intern->capitalS, v_prime_prime, n);
1657 	bi_mul( fraction_A, fraction_A, capital_U);
1658 	bi_mod( fraction_A, fraction_A, n);
1659 	LogDebug("encode attributes");
1660 	product_attributes = bi_new_ptr();
1661 	bi_set( product_attributes, bi_1);
1662 	for( i=0; i<(UINT32)attributes_issuer->length; i++) {
1663 		bi_mod_exp( tmp1, pk_intern->capitalRIssuer->array[i],
1664 					attributes_issuer->array[i], n);
1665 		bi_mul( product_attributes, tmp1, product_attributes);
1666 		bi_mod( product_attributes, product_attributes, n);
1667 	}
1668 	bi_mul( fraction_A, fraction_A, product_attributes);
1669 	bi_mod( fraction_A, fraction_A, n);
1670 	capital_Atilde = bi_new_ptr();
1671 	if( capital_Atilde == NULL) {
1672 		LogError("malloc of bi <%s> failed", "capital_Atilde");
1673 		result = TSPERR(TSS_E_OUTOFMEMORY);
1674 		goto close;
1675 	}
1676 	bi_invert_mod( capital_Atilde, fraction_A, n);
1677 	bi_mul( capital_Atilde, capital_Atilde, pk_intern->capitalZ);
1678 	bi_mod( capital_Atilde, capital_Atilde, n);
1679 	s_e = bi_set_as_nbin( credIssuer.sELength, credIssuer.sE); // allocation
1680 	if( s_e == NULL) {
1681 		LogError("malloc of bi <%s> failed", "s_e");
1682 		result = TSPERR(TSS_E_OUTOFMEMORY);
1683 		goto close;
1684 	}
1685 	bi_mod_exp( capital_Atilde, capital_Atilde, s_e, n);
1686 	c_prime = bi_set_as_nbin( credIssuer.cPrimeLength, credIssuer.cPrime); // allocation
1687 	if( c_prime == NULL) {
1688 		LogError("malloc of bi <%s> failed", "c_prime");
1689 		result = TSPERR(TSS_E_OUTOFMEMORY);
1690 		goto close;
1691 	}
1692 	capital_A = bi_set_as_nbin( credIssuer.capitalALength, credIssuer.capitalA); // allocation
1693 	if( capital_A == NULL) {
1694 		LogError("malloc of bi <%s> failed", "capital_A");
1695 		result = TSPERR(TSS_E_OUTOFMEMORY);
1696 		goto close;
1697 	}
1698 	bi_mod_exp( tmp1, capital_A, c_prime, n);
1699 	bi_mul( capital_Atilde, capital_Atilde, tmp1);
1700 	bi_mod( capital_Atilde, capital_Atilde, n);
1701 
1702 	result = compute_join_challenge_issuer( pk_intern,
1703 						v_prime_prime,
1704 						capital_A,
1705 						capital_Atilde,
1706 						joinSession.noncePlatformLength,
1707 						joinSession.noncePlatform,
1708 						&c_byteLength,
1709 						&c_byte); // out allocation
1710 	if( result != TSS_SUCCESS) goto close;
1711 	if( credIssuer.cPrimeLength != c_byteLength ||
1712 		memcmp( credIssuer.cPrime, c_byte, c_byteLength)!=0) {
1713 		LogError("Verification of c failed - Step 1.c.i");
1714 		LogError("credentialRequest.cPrime[%d]=%s",
1715 			credIssuer.cPrimeLength,
1716 			dump_byte_array( credIssuer.cPrimeLength, credIssuer.cPrime) );
1717 		LogError("challenge[%d]=%s",
1718 			c_byteLength,
1719 			dump_byte_array( c_byteLength, c_byte) );
1720 		result = TSS_E_DAA_CREDENTIAL_PROOF_ERROR;
1721 		goto close;
1722 	}
1723 	product = bi_new_ptr();
1724 	if( product == NULL) {
1725 		LogError("malloc of bi <%s> failed", "product");
1726 		result = TSPERR(TSS_E_OUTOFMEMORY);
1727 		goto close;
1728 	}
1729 	bi_mod_exp( product, capital_A, e, n);
1730 	bi_mul( product, product, fraction_A);
1731 	bi_mod( product, product, n);
1732 	if( bi_equals( pk_intern->capitalZ, product) == 0) {
1733 		LogError("Verification of A failed - Step 1.c.ii");
1734 		LogError("\tcapitalZ=%s", bi_2_hex_char( pk_intern->capitalZ));
1735 		LogError("\tproduct=%s", bi_2_hex_char( product));
1736 		result = TSS_E_DAA_CREDENTIAL_PROOF_ERROR;
1737 		goto close;
1738 	}
1739 	v_tilde_prime = bi_set_as_nbin( joinSession.vTildePrimeLength,
1740 					joinSession.vTildePrime); // allocation
1741 	bi_add( v_prime_prime, v_prime_prime, v_tilde_prime);
1742 	bi_shift_left( tmp1, bi_1, DAA_PARAM_SIZE_SPLIT_EXPONENT);
1743 	v_prime_prime0 = bi_new_ptr();
1744 	if( v_prime_prime0 == NULL) {
1745 		LogError("malloc of bi <%s> failed", "v_prime_prime0");
1746 		result = TSPERR(TSS_E_OUTOFMEMORY);
1747 		goto close;
1748 	}
1749 	bi_mod( v_prime_prime0, v_prime_prime, tmp1);
1750 	v_prime_prime1 = bi_new_ptr();
1751 	if( v_prime_prime1 == NULL) {
1752 		LogError("malloc of bi <%s> failed", "v_prime_prime1");
1753 		result = TSPERR(TSS_E_OUTOFMEMORY);
1754 		goto close;
1755 	}
1756 	bi_shift_right( v_prime_prime1, v_prime_prime, DAA_PARAM_SIZE_SPLIT_EXPONENT);
1757 	free( c_byte);
1758 	c_byte = (BYTE *)malloc( TPM_DAA_SIZE_v0);
1759 	if( c_byte == NULL) {
1760 		LogError("malloc of %d bytes failed", TPM_DAA_SIZE_v0);
1761 		result = TSPERR(TSS_E_OUTOFMEMORY);
1762 		goto close;
1763 	}
1764 	bi_2_byte_array( c_byte, TPM_DAA_SIZE_v0, v_prime_prime0);
1765 	result = Tcsip_TPM_DAA_Join_encapsulate( tcsContext, hDAA,
1766 		22,
1767 		TPM_DAA_SIZE_v0, c_byte,
1768 		0, NULL,
1769 		&ownerAuth, &v0Length, &v0);
1770 	if( result != TSS_SUCCESS) goto close;
1771 	LogDebug("Done Join 22: return v0");
1772 	free( c_byte);
1773 	c_byte = (BYTE *)malloc( TPM_DAA_SIZE_v1);
1774 	if( c_byte == NULL) {
1775 		LogError("malloc of %d bytes failed", TPM_DAA_SIZE_v1);
1776 		result = TSPERR(TSS_E_OUTOFMEMORY);
1777 		goto close;
1778 	}
1779 	bi_2_byte_array( c_byte, TPM_DAA_SIZE_v1, v_prime_prime1);
1780 	result = Tcsip_TPM_DAA_Join_encapsulate( tcsContext, hDAA,
1781 		23,
1782 		TPM_DAA_SIZE_v1, c_byte,
1783 		0, NULL,
1784 		&ownerAuth, &v1Length, &v1);
1785 	if( result != TSS_SUCCESS) goto close;
1786 	LogDebug("Done Join 23: return v1");
1787 	result = Tcsip_TPM_DAA_Join_encapsulate( tcsContext, hDAA,
1788 		24,
1789 		0, NULL,
1790 		0, NULL,
1791 		&ownerAuth, &tpm_specificLength, &tpm_specific);
1792 	if( result != TSS_SUCCESS) goto close;
1793 
1794 	daaCredential = (TSS_DAA_CREDENTIAL *)hDaaCredential;
1795 	daaCredential->capitalA = calloc_tspi( tcsContext, bi_nbin_size( capital_A));
1796 	if( daaCredential->capitalA == NULL) {
1797 		LogError("malloc of %ld bytes failed", bi_nbin_size( capital_A));
1798 		result = TSPERR(TSS_E_OUTOFMEMORY);
1799 		goto close;
1800 	}
1801 	bi_2_nbin1( &(daaCredential->capitalALength), daaCredential->capitalA, capital_A);
1802 	daaCredential->exponent = calloc_tspi( tcsContext, bi_nbin_size( e));
1803 	if( daaCredential->exponent == NULL) {
1804 		LogError("malloc of %ld bytes failed", bi_nbin_size( e));
1805 		result = TSPERR(TSS_E_OUTOFMEMORY);
1806 		goto close;
1807 	}
1808 	bi_2_nbin1( &(daaCredential->exponentLength), daaCredential->exponent, e);
1809 	daaCredential->vBar0 = calloc_tspi( tcsContext, v0Length);
1810 	if( daaCredential->vBar0 == NULL) {
1811 		LogError("malloc of %d bytes failed", v0Length);
1812 		result = TSPERR(TSS_E_OUTOFMEMORY);
1813 		goto close;
1814 	}
1815 	daaCredential->vBar0Length = v0Length;
1816 	memcpy( daaCredential->vBar0, v0, v0Length);
1817 	LogDebug("vBar0[%d]=%s",
1818 			daaCredential->vBar0Length,
1819 			dump_byte_array( daaCredential->vBar0Length, daaCredential->vBar0));
1820 	daaCredential->vBar1 = calloc_tspi( tcsContext, v1Length);
1821 	if( daaCredential->vBar1 == NULL) {
1822 		LogError("malloc of %d bytes failed", v1Length);
1823 		result = TSPERR(TSS_E_OUTOFMEMORY);
1824 		goto close;
1825 	}
1826 	daaCredential->vBar1Length = v1Length;
1827 	memcpy( daaCredential->vBar1, v1, v1Length);
1828 	LogDebug("vBar1[%d]=%s",
1829 		daaCredential->vBar1Length,
1830 		dump_byte_array( daaCredential->vBar1Length, daaCredential->vBar1));
1831 	//TODO remove
1832 	LogDebug("[BUSS] joinSession.attributesPlatformLength=%d",
1833 			joinSession.attributesPlatformLength);
1834 	LogDebug("[BUSS]       credIssuer.attributesIssuerLength=%d",
1835 			credIssuer.attributesIssuerLength);
1836 	daaCredential->attributesLength = joinSession.attributesPlatformLength +
1837 		credIssuer.attributesIssuerLength;
1838 	daaCredential->attributes = (BYTE **)calloc_tspi( tcsContext,
1839 						sizeof(BYTE *) * daaCredential->attributesLength);
1840 	if( daaCredential->attributes == NULL) {
1841 		LogError("malloc of %d bytes failed",
1842 			sizeof(BYTE *) * daaCredential->attributesLength);
1843 		result = TSPERR(TSS_E_OUTOFMEMORY);
1844 		goto close;
1845 	}
1846 	for( i=0; i < joinSession.attributesPlatformLength; i++) {
1847 		daaCredential->attributes[i] = calloc_tspi( tcsContext, DAA_PARAM_SIZE_F_I / 8);
1848 		if( daaCredential->attributes[i] == NULL) {
1849 			LogError("malloc of %d bytes failed", DAA_PARAM_SIZE_F_I / 8);
1850 			result = TSPERR(TSS_E_OUTOFMEMORY);
1851 			goto close;
1852 		}
1853 		LogDebug("allocation attributes[%d]=%lx", i, (long)daaCredential->attributes[i]);
1854 		memcpy( daaCredential->attributes[i],
1855 				joinSession.attributesPlatform[i],
1856 				DAA_PARAM_SIZE_F_I / 8);
1857 	}
1858 	for( i=0; i < credIssuer.attributesIssuerLength; i++) {
1859 		daaCredential->attributes[i+joinSession.attributesPlatformLength] =
1860 			calloc_tspi( tcsContext, DAA_PARAM_SIZE_F_I / 8);
1861 		if( daaCredential->attributes[i+joinSession.attributesPlatformLength] == NULL) {
1862 			LogError("malloc of %d bytes failed", DAA_PARAM_SIZE_F_I / 8);
1863 			result = TSPERR(TSS_E_OUTOFMEMORY);
1864 			goto close;
1865 		}
1866 		memcpy( daaCredential->attributes[i+joinSession.attributesPlatformLength],
1867 			credIssuer.attributesIssuer[i], DAA_PARAM_SIZE_F_I / 8);
1868 	}
1869 	memcpy( &(daaCredential->issuerPK), daa_pk_extern, sizeof( TSS_DAA_PK));
1870 	daaCredential->tpmSpecificEnc = calloc_tspi( tcsContext, tpm_specificLength);
1871 	if( daaCredential->tpmSpecificEnc == NULL) {
1872 		LogError("malloc of %d bytes failed", tpm_specificLength);
1873 		result = TSPERR(TSS_E_OUTOFMEMORY);
1874 		goto close;
1875 	}
1876 	daaCredential->tpmSpecificEncLength = tpm_specificLength;
1877 	memcpy( daaCredential->tpmSpecificEnc, tpm_specific, tpm_specificLength);
1878 	// TODO store in TSS this TSS_DAA_CREDENTIAL_REQUEST
1879 	*hDaaCredential = (TSS_HKEY)daaCredential;
1880 close:
1881 	if( v0 != NULL) free( v0);
1882 	if( v1 != NULL) free( v1);
1883 	if( tpm_specific != NULL) free( tpm_specific);
1884 	if( c_byte != NULL) free( c_byte);
1885 	bi_free_ptr( tmp2);
1886 	bi_free_ptr( tmp1);
1887 	if( attributes_issuer != NULL) {
1888 		bi_free_array( attributes_issuer);
1889 		free( attributes_issuer);
1890 	}
1891 	FREE_BI( v_prime_prime1);
1892 	FREE_BI( v_prime_prime0);
1893 	FREE_BI( v_tilde_prime);
1894 	FREE_BI( product);
1895 	FREE_BI( capital_A);
1896 	FREE_BI( c_prime);
1897 	FREE_BI( s_e);
1898 	FREE_BI( capital_Atilde);
1899 	FREE_BI( product_attributes);
1900 	FREE_BI( capital_U);
1901 	FREE_BI( v_prime_prime);
1902 	FREE_BI( fraction_A);
1903 	FREE_BI( e);
1904 	FREE_BI( n);
1905 	if( pk_intern!=NULL) free_TSS_DAA_PK_internal( pk_intern);
1906 	return result;
1907 }
1908 
add_splitet(bi_ptr result,bi_ptr a,bi_ptr b)1909 static void add_splitet( bi_ptr result, bi_ptr a, bi_ptr b) {
1910 	bi_shift_left( result, bi_1, DAA_PARAM_SIZE_SPLIT_EXPONENT);
1911 	bi_mul( result, result, b);
1912 	bi_add( result, result, a);
1913 }
1914 
1915 /* code influenced by TSS.java (signStep) */
Tspi_TPM_DAA_Sign_internal(TSS_HDAA hDAA,TSS_HTPM hTPM,TSS_HKEY hDaaCredential,TSS_DAA_SELECTED_ATTRIB revealAttributes,UINT32 verifierBaseNameLength,BYTE * verifierBaseName,UINT32 verifierNonceLength,BYTE * verifierNonce,TSS_DAA_SIGN_DATA signData,TSS_DAA_SIGNATURE * daaSignature)1916 TSS_RESULT Tspi_TPM_DAA_Sign_internal
1917 (
1918 	TSS_HDAA	hDAA,	// in
1919 	TSS_HTPM	hTPM,	// in
1920 	TSS_HKEY	hDaaCredential,	// in
1921 	TSS_DAA_SELECTED_ATTRIB	revealAttributes,	// in
1922 	UINT32	verifierBaseNameLength,	// in
1923 	BYTE*	verifierBaseName,	// in
1924 	UINT32	verifierNonceLength,	// in
1925 	BYTE*	verifierNonce,	// in
1926 	TSS_DAA_SIGN_DATA	signData,	// in
1927 	TSS_DAA_SIGNATURE*	daaSignature	// out
1928 )
1929 {
1930 	TCS_CONTEXT_HANDLE tcsContext;
1931 	TSS_DAA_CREDENTIAL *daaCredential;
1932 	TPM_DAA_ISSUER *tpm_daa_issuer;
1933 	TPM_AUTH ownerAuth;
1934 	TSS_RESULT result = TSS_SUCCESS;
1935 	TSS_DAA_PK *pk;
1936 	TSS_DAA_PK_internal *pk_intern;
1937 	int i;
1938 	bi_ptr tmp1 = bi_new_ptr(), tmp2;
1939 	bi_ptr n = NULL;
1940 	bi_ptr capital_gamma = NULL;
1941 	bi_ptr gamma = NULL;
1942 	bi_ptr zeta = NULL;
1943 	bi_ptr r = NULL;
1944 	bi_ptr t_tilde_T = NULL;
1945 	bi_ptr capital_Nv = NULL;
1946 	bi_ptr capital_N_tilde_v = NULL;
1947 	bi_ptr w = NULL;
1948 	bi_ptr capital_T = NULL;
1949 	bi_ptr r_E = NULL;
1950 	bi_ptr r_V = NULL;
1951 	bi_ptr capital_T_tilde = NULL;
1952 	bi_ptr capital_A = NULL;
1953 	bi_array_ptr capital_R;
1954 	bi_ptr product_R = NULL;
1955 	bi_array_ptr r_A = NULL;
1956 	bi_array_ptr s_A = NULL;
1957 	bi_ptr c = NULL;
1958 	bi_ptr sF0 = NULL;
1959 	bi_ptr sF1 = NULL;
1960 	bi_ptr sV1 = NULL;
1961 	bi_ptr sV2 = NULL;
1962 	bi_ptr e = NULL;
1963 	bi_ptr s_E = NULL;
1964 	bi_ptr s_V = NULL;
1965 	CS_ENCRYPTION_RESULT_RANDOMNESS *encryption_result_rand = NULL;
1966 	BYTE *issuer_settings = NULL, *outputData, byte;
1967 	BYTE *buffer = NULL, *ch = NULL, *nonce_tpm = NULL, *c_bytes = NULL;
1968 	UINT32 issuer_settingsLength, outputSize, length, size_bits, chLength;
1969 	UINT32 nonce_tpmLength;
1970 	UINT32 c_bytesLength, return_sign_session;
1971 	// for anonymity revocation
1972 	CS_ENCRYPTION_RESULT *encryption_result = NULL;
1973 	CS_ENCRYPTION_RESULT *encryption_result_tilde = NULL;
1974 	TSS_DAA_PSEUDONYM *signature_pseudonym;
1975 	TSS_DAA_PSEUDONYM_PLAIN *pseudonym_plain = NULL;
1976 	TSS_DAA_PSEUDONYM_PLAIN *pseudonym_plain_tilde = NULL;
1977 	TSS_DAA_ATTRIB_COMMIT *signed_commitments;
1978 
1979 	if( (result = obj_tpm_is_connected(  hTPM, &tcsContext)) != TSS_SUCCESS)
1980 		return result;
1981 	if( tmp1 == NULL) {
1982 		LogError("malloc of bi <%s> failed", "tmp1");
1983 		result = TSPERR(TSS_E_OUTOFMEMORY);
1984 		goto close;
1985 	}
1986 	obj_daa_set_handle_tpm( hDAA, hTPM);
1987 	// TODO retrieve the daaCredential from the persistence storage
1988 	daaCredential = (TSS_DAA_CREDENTIAL *)hDaaCredential;
1989 	pk = (TSS_DAA_PK *)&(daaCredential->issuerPK);
1990 	pk_intern = e_2_i_TSS_DAA_PK( pk);
1991 	if( pk_intern == NULL) {
1992 		LogError("malloc of <%s> failed", "pk_intern");
1993 		result = TSPERR(TSS_E_OUTOFMEMORY);
1994 		goto close;
1995 	}
1996 	tpm_daa_issuer = convert2issuer_settings( pk_intern);
1997 	if( daaCredential->attributesLength == 0 ||
1998 		daaCredential->attributesLength != revealAttributes.indicesListLength) {
1999 		LogDebug("Problem with the reveal attribs: attributes length:%d reveal length:%d",
2000 			daaCredential->attributesLength, revealAttributes.indicesListLength);
2001 		result = TSS_E_BAD_PARAMETER;
2002 		goto close;
2003 	}
2004 	if( verifierNonce == NULL ||
2005 		verifierNonceLength != DAA_PARAM_LENGTH_MESSAGE_DIGEST) {
2006 		LogDebug("Problem with the nonce verifier: nonce verifier length:%d",
2007 			verifierNonceLength);
2008 		result = TSS_E_BAD_PARAMETER;
2009 		goto close;
2010 	}
2011 	n = bi_new_ptr();
2012 	if( n == NULL) {
2013 		LogError("malloc of bi <%s> failed", "n");
2014 		result = TSPERR(TSS_E_OUTOFMEMORY);
2015 		goto close;
2016 	}
2017 	bi_set( n, pk_intern->modulus);
2018 	capital_gamma = bi_new_ptr();
2019 	if( capital_gamma == NULL) {
2020 		LogError("malloc of bi <%s> failed", "capital_gamma");
2021 		result = TSPERR(TSS_E_OUTOFMEMORY);
2022 		goto close;
2023 	}
2024 	bi_set( capital_gamma, pk_intern->capitalGamma);
2025 	gamma = bi_new_ptr();
2026 	if( gamma == NULL) {
2027 		LogError("malloc of bi <%s> failed", "gamma");
2028 		result = TSPERR(TSS_E_OUTOFMEMORY);
2029 		goto close;
2030 	}
2031 	bi_set( gamma, pk_intern->gamma);
2032 	if( verifierBaseNameLength == 0 || verifierBaseName == NULL) {
2033 		r = bi_new_ptr();
2034 		compute_random_number( r, capital_gamma);
2035 		zeta = project_into_group_gamma( r, pk_intern); // allocation
2036 		if( zeta == NULL) {
2037 			LogError("malloc of bi <%s> failed", "zeta");
2038 			result = TSPERR(TSS_E_OUTOFMEMORY);
2039 			goto close;
2040 		}
2041 	} else {
2042 		zeta = compute_zeta( verifierBaseNameLength, verifierBaseName, pk_intern);
2043 		if( zeta == NULL) {
2044 			LogError("malloc of bi <%s> failed", "zeta");
2045 			result = TSPERR(TSS_E_OUTOFMEMORY);
2046 			goto close;
2047 		}
2048 	}
2049 	issuer_settings = issuer_2_byte_array( tpm_daa_issuer,
2050 						&issuer_settingsLength); // allocation
2051 	if( issuer_settings == NULL) {
2052 		LogError("malloc of %d bytes failed", issuer_settingsLength);
2053 		result = TSPERR(TSS_E_OUTOFMEMORY);
2054 		goto close;
2055 	}
2056 	LogDebug( "Issuer Settings:[%s]",
2057 		dump_byte_array(issuer_settingsLength, issuer_settings) );
2058 	result = Tcsip_TPM_DAA_Sign(
2059 		tcsContext, hDAA,
2060 		0,
2061 		issuer_settingsLength, issuer_settings,
2062 		0, NULL,
2063 		&ownerAuth, &outputSize, &outputData);
2064 	if( result != TSS_SUCCESS) goto close;
2065 	// set the sessionHandle to the returned value
2066 	return_sign_session = ntohl( *((UINT32 *)outputData));
2067 	obj_daa_set_session_handle( hDAA, return_sign_session);
2068 	free( outputData);
2069 	result = Tcsip_TPM_DAA_Sign(
2070 		tcsContext, hDAA,
2071 		1,
2072 		daaCredential->tpmSpecificEncLength, daaCredential->tpmSpecificEnc,
2073 		0, NULL,
2074 		&ownerAuth, &outputSize, &outputData);
2075 	if( result != TSS_SUCCESS) goto close;
2076 	free( outputData);
2077 	LogDebug( "done Sign 1 - TPM specific");
2078 	result = Tcsip_TPM_DAA_Sign(
2079 		tcsContext, hDAA,
2080 		2,
2081 		pk->capitalR0Length, pk->capitalR0,
2082 		pk->modulusLength, pk->modulus,
2083 		&ownerAuth, &outputSize, &outputData);
2084 	if( result != TSS_SUCCESS) goto close;
2085 	free( outputData);
2086 	LogDebug( "done Sign 2 - capitalR0");
2087 	result = Tcsip_TPM_DAA_Sign(
2088 		tcsContext, hDAA,
2089 		3,
2090 		pk->capitalR1Length, pk->capitalR1,
2091 		pk->modulusLength, pk->modulus,
2092 		&ownerAuth, &outputSize, &outputData);
2093 	if( result != TSS_SUCCESS) goto close;
2094 	free( outputData);
2095 	LogDebug( "done Sign 3 - capitalR1");
2096 	result = Tcsip_TPM_DAA_Sign(
2097 		tcsContext, hDAA,
2098 		4,
2099 		pk->capitalSLength, pk->capitalS,
2100 		pk->modulusLength, pk->modulus,
2101 		&ownerAuth, &outputSize, &outputData);
2102 	if( outputSize > 0 && outputData != NULL) free( outputData);
2103 	if( result != TSS_SUCCESS) goto close;
2104 	LogDebug( "done Sign 4 - capitalS");
2105 	buffer = bi_2_nbin( &length, pk_intern->capitalSprime); // allocation
2106 	if( buffer == NULL) {
2107 		LogError("malloc of %d bytes failed", length);
2108 		result = TSPERR(TSS_E_OUTOFMEMORY);
2109 		goto close;
2110 	}
2111 	result = Tcsip_TPM_DAA_Sign(
2112 		tcsContext, hDAA,
2113 		5,
2114 		length, buffer,
2115 		pk->modulusLength, pk->modulus,
2116 		&ownerAuth, &outputSize, &outputData);
2117 	free( buffer);
2118 	if( result != TSS_SUCCESS) goto close;
2119 	LogDebug( "done Sign 5 - capitalSPrime. Return t_tilde_T");
2120 	t_tilde_T = bi_set_as_nbin( outputSize, outputData); // allocation
2121 	if( t_tilde_T == NULL) {
2122 		LogError("malloc of bi <%s> failed", "t_tilde_T");
2123 		result = TSPERR(TSS_E_OUTOFMEMORY);
2124 		goto close;
2125 	}
2126 	free( outputData);
2127 	// first precomputation until here possible (verifier independent)
2128 	length = TPM_DAA_SIZE_w;
2129 	buffer = (BYTE *)malloc( length);
2130 	if( buffer == NULL) {
2131 		LogError("malloc of %d bytes failed", length);
2132 		result = TSPERR(TSS_E_OUTOFMEMORY);
2133 		goto close;
2134 	}
2135 	bi_2_byte_array( buffer, length, zeta);
2136 	result = Tcsip_TPM_DAA_Sign(
2137 		tcsContext, hDAA,
2138 		6,
2139 		pk->capitalGammaLength, pk->capitalGamma,
2140 		length, buffer,
2141 		&ownerAuth, &outputSize, &outputData);
2142 	free( buffer);
2143 	if( result != TSS_SUCCESS) goto close;
2144 	LogDebug( "done Sign 6 - capitalGamma & zeta");
2145 	result = Tcsip_TPM_DAA_Sign(
2146 		tcsContext, hDAA,
2147 		7,
2148 		pk->capitalGammaLength, pk->capitalGamma,
2149 		0, NULL,
2150 		&ownerAuth, &outputSize, &outputData);
2151 	if( result != TSS_SUCCESS) goto close;
2152 	LogDebug( "done Sign 7 - capitalGamma. Return capital_Nv");
2153 	capital_Nv = bi_set_as_nbin( outputSize, outputData); // allocation
2154 	if( capital_Nv == NULL) {
2155 		LogError("malloc of bi <%s> failed", "capital_Nv");
2156 		result = TSPERR(TSS_E_OUTOFMEMORY);
2157 		goto close;
2158 	}
2159 	free( outputData);
2160 	// TODO Step 6 a.b - anonymity revocation
2161 
2162 	result = Tcsip_TPM_DAA_Sign(
2163 		tcsContext, hDAA,
2164 		8,
2165 		pk->capitalGammaLength, pk->capitalGamma,
2166 		0, NULL,
2167 		&ownerAuth, &outputSize, &outputData);
2168 	if( result != TSS_SUCCESS) goto close;
2169 	LogDebug( "done Sign 8 - capitalGamma. Return capital_N_tilde_v");
2170 	capital_N_tilde_v = bi_set_as_nbin( outputSize, outputData); // allocation
2171 	if( capital_N_tilde_v == NULL) {
2172 		LogError("malloc of bi <%s> failed", "capital_N_tilde_v");
2173 		result = TSPERR(TSS_E_OUTOFMEMORY);
2174 		goto close;
2175 	}
2176 	free( outputData);
2177 	// TODO  Step 6 c,d - anonymity revocation
2178 
2179 	// Second precomputation until here possible (verifier dependent)
2180 	size_bits = DAA_PARAM_SIZE_RSA_MODULUS + DAA_PARAM_SAFETY_MARGIN;
2181 	w = bi_new_ptr();
2182 	if( w == NULL) {
2183 		LogError("malloc of bi <%s> failed", "w");
2184 		result = TSPERR(TSS_E_OUTOFMEMORY);
2185 		goto close;
2186 	}
2187 	bi_urandom( w, size_bits);
2188 	capital_A = bi_set_as_nbin( daaCredential->capitalALength,
2189 					daaCredential->capitalA); // allocation
2190 	if( capital_A == NULL) {
2191 		LogError("malloc of bi <%s> failed", "capital_A");
2192 		result = TSPERR(TSS_E_OUTOFMEMORY);
2193 		goto close;
2194 	}
2195 	capital_T = bi_new_ptr();
2196 	if( capital_T == NULL) {
2197 		LogError("malloc of bi <%s> failed", "capital_T");
2198 		result = TSPERR(TSS_E_OUTOFMEMORY);
2199 		goto close;
2200 	}
2201 	bi_mod_exp( tmp1, pk_intern->capitalS, w, n);
2202 	bi_mul( capital_T, capital_A, tmp1);
2203 	bi_mod( capital_T, capital_T, n);
2204 	size_bits = DAA_PARAM_SIZE_INTERVAL_EXPONENT_CERTIFICATE +
2205 		DAA_PARAM_SAFETY_MARGIN + DAA_PARAM_SIZE_MESSAGE_DIGEST;
2206 	r_E = bi_new_ptr();
2207 	if( r_E == NULL) {
2208 		LogError("malloc of bi <%s> failed", "r_E");
2209 		result = TSPERR(TSS_E_OUTOFMEMORY);
2210 		goto close;
2211 	}
2212 	bi_urandom( r_E, size_bits);
2213 	size_bits = DAA_PARAM_SIZE_EXPONENT_CERTIFICATE + DAA_PARAM_SIZE_RSA_MODULUS +
2214 		2 * DAA_PARAM_SAFETY_MARGIN + DAA_PARAM_SIZE_MESSAGE_DIGEST + 1;
2215 	r_V = bi_new_ptr();
2216 	if( r_V == NULL) {
2217 		LogError("malloc of bi <%s> failed", "r_V");
2218 		result = TSPERR(TSS_E_OUTOFMEMORY);
2219 		goto close;
2220 	}
2221 	bi_urandom( r_V, size_bits);
2222 	capital_T_tilde = bi_new_ptr();
2223 	if( capital_T_tilde == NULL) {
2224 		LogError("malloc of bi <%s> failed", "capital_T_tilde");
2225 		result = TSPERR(TSS_E_OUTOFMEMORY);
2226 		goto close;
2227 	}
2228 	bi_mod_exp( tmp1, capital_T, r_E, n);
2229 	bi_mul( capital_T_tilde, t_tilde_T, tmp1);
2230 	bi_mod( capital_T_tilde, capital_T_tilde, n);
2231 
2232 	bi_mod_exp( tmp1, pk_intern->capitalS, r_V, n);
2233 	bi_mul( capital_T_tilde, capital_T_tilde, tmp1);
2234 	bi_mod( capital_T_tilde, capital_T_tilde, n);
2235 
2236 	// attributes extension
2237 	size_bits = DAA_PARAM_SIZE_F_I +
2238 			DAA_PARAM_SAFETY_MARGIN +
2239 			DAA_PARAM_SIZE_MESSAGE_DIGEST;
2240 	capital_R = pk_intern->capitalY;
2241 	r_A = (bi_array_ptr)malloc( sizeof( struct _bi_array));
2242 	if( r_A == NULL) {
2243 		LogError("malloc of %d bytes failed", sizeof( struct _bi_array));
2244 		result = TSPERR(TSS_E_OUTOFMEMORY);
2245 		goto close;
2246 	}
2247 	bi_new_array2( r_A, revealAttributes.indicesListLength);
2248 	product_R = bi_new_ptr();
2249 	if( product_R == NULL) {
2250 		LogError("malloc of bi <%s> failed", "product_R");
2251 		result = TSPERR(TSS_E_OUTOFMEMORY);
2252 		goto close;
2253 	}
2254 	bi_set( product_R, bi_1);
2255 	for( i=0; i<(int)revealAttributes.indicesListLength; i++) {
2256 		if( revealAttributes.indicesList[i] == 0) {
2257 			// only non selected
2258 			r_A->array[i] = bi_new_ptr();
2259 			if( r_A->array[i] == NULL) {
2260 				LogError("malloc of bi <%s> failed", "r_A->array[i]");
2261 				result = TSPERR(TSS_E_OUTOFMEMORY);
2262 				goto close;
2263 			}
2264 			bi_urandom( r_A->array[i] , size_bits);
2265 			bi_mod_exp( tmp1, capital_R->array[i], r_A->array[i], n);
2266 			bi_mul( product_R, product_R, tmp1);
2267 			bi_mod( product_R, product_R, n);
2268 		} else r_A->array[i] = NULL;
2269 	}
2270 	bi_mul( capital_T_tilde, capital_T_tilde, product_R);
2271 	bi_mod( capital_T_tilde, capital_T_tilde, n);
2272 	//TODO Step 8 - Commitments
2273 	// compute commitment to attributes not revealed to the verifier
2274 
2275 	//TODO Step 9 - callback functions
2276 
2277 	// only when revocation not enabled
2278 	pseudonym_plain = (TSS_DAA_PSEUDONYM_PLAIN *)calloc_tspi( tcsContext,
2279 								sizeof(TSS_DAA_PSEUDONYM_PLAIN));
2280 	if( pseudonym_plain == NULL) {
2281 		LogError("malloc of %d bytes failed", sizeof(TSS_DAA_PSEUDONYM_PLAIN));
2282 		result = TSPERR(TSS_E_OUTOFMEMORY);
2283 		goto close;
2284 	}
2285 	init_tss_version( pseudonym_plain);
2286 	pseudonym_plain->capitalNv = calloc_tspi( tcsContext,
2287 						bi_nbin_size( capital_Nv));
2288 	if( pseudonym_plain->capitalNv == NULL) {
2289 		LogError("malloc of bi <%s> failed", "pseudonym_plain->capitalNv");
2290 		result = TSPERR(TSS_E_OUTOFMEMORY);
2291 		goto close;
2292 	}
2293 	bi_2_nbin1( &(pseudonym_plain->capitalNvLength),
2294 				pseudonym_plain->capitalNv,
2295 				capital_Nv);
2296 	pseudonym_plain_tilde = (TSS_DAA_PSEUDONYM_PLAIN *)
2297 		calloc_tspi( tcsContext,sizeof(TSS_DAA_PSEUDONYM_PLAIN));
2298 	if( pseudonym_plain_tilde == NULL) {
2299 		LogError("malloc of %d bytes failed", sizeof(TSS_DAA_PSEUDONYM_PLAIN));
2300 		result = TSPERR(TSS_E_OUTOFMEMORY);
2301 		goto close;
2302 	}
2303 	init_tss_version( pseudonym_plain_tilde);
2304 	pseudonym_plain_tilde->capitalNv = calloc_tspi( tcsContext,
2305 							bi_nbin_size( capital_N_tilde_v));
2306 	if( pseudonym_plain_tilde->capitalNv == NULL) {
2307 		LogError("malloc of bi <%s> failed", "pseudonym_plain_tilde->capitalNv");
2308 		result = TSPERR(TSS_E_OUTOFMEMORY);
2309 		goto close;
2310 	}
2311 	bi_2_nbin1( &(pseudonym_plain_tilde->capitalNvLength),
2312 				pseudonym_plain_tilde->capitalNv,
2313 				capital_N_tilde_v);
2314 
2315 	// Step 10 - compute challenge
2316 	ch = compute_sign_challenge_host(
2317 		&chLength,
2318 		DAA_PARAM_get_message_digest(),
2319 		pk_intern,
2320 		verifierNonceLength,
2321 		verifierNonce,
2322 		0,	// int selected_attributes2commitLength,
2323 		NULL,	// TSS_DAA_SELECTED_ATTRIB **selected_attributes2commit,
2324 		0,	// 	int is_anonymity_revocation_enabled,
2325 		zeta,
2326 		capital_T,
2327 		capital_T_tilde,
2328 		0, //	int attribute_commitmentsLength,
2329 		NULL, //	TSS_DAA_ATTRIB_COMMIT_internal **attribute_commitments,
2330 		NULL, //	TSS_DAA_ATTRIB_COMMIT_internal **attribute_commitment_proofs,
2331 		capital_Nv,
2332 		capital_N_tilde_v,
2333 		NULL, // CS_PUBLIC_KEY *anonymity_revocator_pk,
2334 		NULL, // CS_ENCRYPTION_RESULT *encryption_result_rand,
2335 		NULL //CS_ENCRYPTION_RESULT *encryption_result_proof)
2336 	);
2337 	if( ch == NULL) {
2338 		LogError("malloc in compute_sign_challenge_host failed");
2339 		result = TSPERR(TSS_E_OUTOFMEMORY);
2340 		goto close;
2341 	}
2342 	result = Tcsip_TPM_DAA_Sign( tcsContext, hDAA,
2343 			9,
2344 			chLength, ch,
2345 			0, NULL,
2346 			&ownerAuth, &nonce_tpmLength, &nonce_tpm);
2347 	if( result != TSS_SUCCESS) goto close;
2348 	LogDebug( "done Sign 9 - compute sign challenge host. Return nonce_tpm");
2349 	byte = (BYTE)signData.payloadFlag; // 0 -> payload contains a handle to an AIK
2350 					// 1 -> payload contains a hashed message
2351 	result = Tcsip_TPM_DAA_Sign( tcsContext, hDAA,
2352 			10,
2353 			sizeof(BYTE), &byte,
2354 			signData.payloadLength, signData.payload,
2355 			&ownerAuth, &c_bytesLength, &c_bytes);
2356 	LogDebug("calculation of c: ch[%d]%s", chLength, dump_byte_array( chLength, ch));
2357 	LogDebug("calculation of c: nonce_tpm[%d]%s",
2358 			nonce_tpmLength,
2359 			dump_byte_array( nonce_tpmLength, nonce_tpm));
2360 	LogDebug("calculation of c: sign_data.payloadFlag[%d]%x",
2361 		1,
2362 		(int)signData.payloadFlag);
2363 	LogDebug("calculation of c: signdata.payload[%d]%s",
2364 			signData.payloadLength,
2365 			dump_byte_array( signData.payloadLength, signData.payload));
2366 
2367 	if( result != TSS_SUCCESS) goto close;
2368 	LogDebug( "done Sign 10 - compute signData.payload.");
2369 	LogDebug(" Return c_bytes[%d]%s",
2370 		c_bytesLength,
2371 		dump_byte_array( c_bytesLength, c_bytes));
2372 	c = bi_set_as_nbin( c_bytesLength, c_bytes); // allocation
2373 	if( c == NULL) {
2374 		LogError("malloc of bi <%s> failed", "c");
2375 		result = TSPERR(TSS_E_OUTOFMEMORY);
2376 		goto close;
2377 	}
2378 	result = Tcsip_TPM_DAA_Sign(
2379 		tcsContext, hDAA,
2380 		11,
2381 		0, NULL,
2382 		0, NULL,
2383 		&ownerAuth, &outputSize, &outputData);
2384 	if( result != TSS_SUCCESS)goto close;
2385 	LogDebug( "done Sign 11. Return sF0");
2386 	sF0 = bi_set_as_nbin( outputSize, outputData); // allocation
2387 	if( sF0 == NULL) {
2388 		LogError("malloc of bi <%s> failed", "sF0");
2389 		result = TSPERR(TSS_E_OUTOFMEMORY);
2390 		goto close;
2391 	}
2392 	free( outputData);
2393 	result = Tcsip_TPM_DAA_Sign(
2394 		tcsContext, hDAA,
2395 		12,
2396 		0, NULL,
2397 		0, NULL,
2398 		&ownerAuth, &outputSize, &outputData);
2399 	if( result != TSS_SUCCESS) goto close;
2400 	LogDebug( "done Sign 12. Return sF1");
2401 	sF1 = bi_set_as_nbin( outputSize, outputData); // allocation
2402 	if( sF1 == NULL) {
2403 		LogError("malloc of bi <%s> failed", "sF1");
2404 		result = TSPERR(TSS_E_OUTOFMEMORY);
2405 		goto close;
2406 	}
2407 	free( outputData);
2408 	result = Tcsip_TPM_DAA_Sign(
2409 		tcsContext, hDAA,
2410 		13,
2411 		daaCredential->vBar0Length,  daaCredential->vBar0,
2412 		0, NULL,
2413 		&ownerAuth, &outputSize, &outputData);
2414 	if( result != TSS_SUCCESS) goto close;
2415 	LogDebug( "done Sign 13. Return sV1");
2416 	sV1 = bi_set_as_nbin( outputSize, outputData); // allocation
2417 	if( sV1 == NULL) {
2418 		LogError("malloc of bi <%s> failed", "sV1");
2419 		result = TSPERR(TSS_E_OUTOFMEMORY);
2420 		goto close;
2421 	}
2422 	free( outputData);
2423 	result = Tcsip_TPM_DAA_Sign(
2424 		tcsContext, hDAA,
2425 		14,
2426 		daaCredential->vBar0Length,  daaCredential->vBar0,
2427 		0, NULL,
2428 		&ownerAuth, &outputSize, &outputData);
2429 	if( result != TSS_SUCCESS) goto close;
2430 	free( outputData);
2431 	LogDebug( "done Sign 14.");
2432 	result = Tcsip_TPM_DAA_Sign(
2433 		tcsContext, hDAA,
2434 		15,
2435 		daaCredential->vBar1Length,  daaCredential->vBar1,
2436 		0, NULL,
2437 		&ownerAuth, &outputSize, &outputData);
2438 	if( result != TSS_SUCCESS) goto close;
2439 	LogDebug( "done Sign 15. Return sV2");
2440 	sV2 = bi_set_as_nbin( outputSize, outputData); // allocation
2441 	if( sV2 == NULL) {
2442 		LogError("malloc of bi <%s> failed", "sV2");
2443 		result = TSPERR(TSS_E_OUTOFMEMORY);
2444 		goto close;
2445 	}
2446 	free( outputData);
2447 	// allocation
2448 	e = bi_set_as_nbin( daaCredential->exponentLength, daaCredential->exponent);
2449 	if( e == NULL) {
2450 		LogError("malloc of bi <%s> failed", "e");
2451 		result = TSPERR(TSS_E_OUTOFMEMORY);
2452 		goto close;
2453 	}
2454 	// s_e = r_E + ( c * ( e - ( 1 << (sizeExponentCertificate -1))))
2455 	s_E = bi_new_ptr();
2456 	if( s_E == NULL) {
2457 		LogError("malloc of bi <%s> failed", "s_E");
2458 		result = TSPERR(TSS_E_OUTOFMEMORY);
2459 		goto close;
2460 	}
2461 	bi_shift_left( tmp1, bi_1, DAA_PARAM_SIZE_EXPONENT_CERTIFICATE - 1);
2462 	bi_sub( tmp1, e, tmp1);
2463 	bi_mul( tmp1, c, tmp1);
2464 	bi_add( s_E, r_E, tmp1);
2465 	s_V = bi_new_ptr();
2466 	if( s_V == NULL) {
2467 		LogError("malloc of bi <%s> failed", "s_V");
2468 		result = TSPERR(TSS_E_OUTOFMEMORY);
2469 		goto close;
2470 	}
2471 	add_splitet( s_V, sV1, sV2);
2472 	bi_add( s_V, s_V, r_V);
2473 	bi_mul( tmp1, c, w);
2474 	bi_mul( tmp1, tmp1, e);
2475 	bi_sub( s_V, s_V, tmp1);
2476 	// attributes extension
2477 	// TODO verify the size of each selected attributes
2478 	s_A = (bi_array_ptr)malloc( sizeof( struct _bi_array));
2479 	if( s_A == NULL) {
2480 		LogError("malloc of bi_array <%s> failed", "s_A");
2481 		result = TSPERR(TSS_E_OUTOFMEMORY);
2482 		goto close;
2483 	}
2484 	bi_new_array2( s_A, revealAttributes.indicesListLength);
2485 	if( s_A->array == NULL) {
2486 		LogError("malloc of bi_array <%s> failed", "s_A");
2487 		result = TSPERR(TSS_E_OUTOFMEMORY);
2488 		goto close;
2489 	}
2490 	for( i=0; i<(int)revealAttributes.indicesListLength; i++) {
2491 		if( revealAttributes.indicesList[i] == 0) {
2492 			s_A->array[i] = bi_new_ptr();
2493 			if( s_A->array[i] == NULL) {
2494 				LogError("malloc of bi <%s> failed", "s_A->array[i]");
2495 				result = TSPERR(TSS_E_OUTOFMEMORY);
2496 				goto close;
2497 			}
2498 			tmp2 = bi_set_as_nbin( DAA_PARAM_SIZE_F_I / 8,
2499 						daaCredential->attributes[i]); // allocation
2500 			if( tmp2 == NULL) {
2501 				LogError("malloc of %d bytes failed", DAA_PARAM_SIZE_F_I / 8);
2502 				result = TSPERR(TSS_E_OUTOFMEMORY);
2503 				goto close;
2504 			}
2505 			bi_mul( tmp1, c, tmp2);
2506 			// TODEL
2507 			LogDebug("daaCredential->attributes[i]=%ld", bi_nbin_size( tmp2));
2508 			LogDebug("r_A:%ld", bi_nbin_size( r_A->array[i]));
2509 			LogDebug("c:%ld", bi_nbin_size( c));
2510 			LogDebug("c*daaCredential->attributes[i]=%ld", bi_nbin_size( tmp1));
2511 			// END TODEL
2512 			bi_add( s_A->array[i], r_A->array[i], tmp1);
2513 			bi_free_ptr( tmp2);
2514 		} else s_A->array[i] = NULL;
2515 	}
2516 
2517 	// Compose result structure
2518 
2519 	// DAASignaturePseudonym TODO: implement anonymity revocation
2520 	// if ( !revocation_enabled)
2521 	signature_pseudonym = pseudonym_plain;
2522 
2523 	// populate the signature (TSS_DAA_SIGNATURE)
2524 	daaSignature->zeta = (BYTE *)calloc_tspi( tcsContext, bi_nbin_size( zeta));
2525 	if (daaSignature->zeta == NULL) {
2526 		LogError("malloc of %ld bytes failed", bi_nbin_size( zeta));
2527 		result = TSPERR(TSS_E_OUTOFMEMORY);
2528 		goto close;
2529 	}
2530 	bi_2_nbin1( &(daaSignature->zetaLength), daaSignature->zeta, zeta);
2531 	daaSignature->capitalT = (BYTE *)calloc_tspi( tcsContext, bi_nbin_size( capital_T));
2532 	if (daaSignature->capitalT == NULL) {
2533 		LogError("malloc of %ld bytes failed", bi_nbin_size( capital_T));
2534 		result = TSPERR(TSS_E_OUTOFMEMORY);
2535 		goto close;
2536 	}
2537 	bi_2_nbin1( &(daaSignature->capitalTLength), daaSignature->capitalT, capital_T);
2538 	daaSignature->challenge = (BYTE *)calloc_tspi( tcsContext, c_bytesLength);
2539 	if (daaSignature->challenge == NULL) {
2540 		LogError("malloc of %d bytes failed", c_bytesLength);
2541 		result = TSPERR(TSS_E_OUTOFMEMORY);
2542 		goto close;
2543 	}
2544 	daaSignature->challengeLength = c_bytesLength;
2545 	memcpy( daaSignature->challenge, c_bytes, c_bytesLength);
2546 	daaSignature->nonceTpm = (BYTE *)calloc_tspi( tcsContext, nonce_tpmLength);
2547 	if (daaSignature->nonceTpm == NULL) {
2548 		LogError("malloc of %d bytes failed", nonce_tpmLength);
2549 		result = TSPERR(TSS_E_OUTOFMEMORY);
2550 		goto close;
2551 	}
2552 	daaSignature->nonceTpmLength = nonce_tpmLength;
2553 	memcpy( daaSignature->nonceTpm, nonce_tpm, nonce_tpmLength);
2554 	daaSignature->sV = (BYTE *)calloc_tspi( tcsContext, bi_nbin_size( s_V));
2555 	if (daaSignature->sV == NULL) {
2556 		LogError("malloc of %ld bytes failed", bi_nbin_size( s_V));
2557 		result = TSPERR(TSS_E_OUTOFMEMORY);
2558 		goto close;
2559 	}
2560 	bi_2_nbin1( &(daaSignature->sVLength), daaSignature->sV, s_V);
2561 	daaSignature->sF0 = (BYTE *)calloc_tspi( tcsContext, bi_nbin_size( sF0));
2562 	if (daaSignature->sF0 == NULL) {
2563 		LogError("malloc of %ld bytes failed", bi_nbin_size( sF0));
2564 		result = TSPERR(TSS_E_OUTOFMEMORY);
2565 		goto close;
2566 	}
2567 	bi_2_nbin1( &(daaSignature->sF0Length), daaSignature->sF0, sF0);
2568 	daaSignature->sF1 = (BYTE *)calloc_tspi( tcsContext, bi_nbin_size( sF1));
2569 	if (daaSignature->sF1 == NULL) {
2570 		LogError("malloc of %ld bytes failed", bi_nbin_size( sF1));
2571 		result = TSPERR(TSS_E_OUTOFMEMORY);
2572 		goto close;
2573 	}
2574 	bi_2_nbin1( &(daaSignature->sF1Length), daaSignature->sF1, sF1);
2575 	daaSignature->sE = (BYTE *)calloc_tspi( tcsContext, bi_nbin_size( s_E));
2576 	if (daaSignature->sE == NULL) {
2577 		LogError("malloc of %ld bytes failed", bi_nbin_size( s_E));
2578 		result = TSPERR(TSS_E_OUTOFMEMORY);
2579 		goto close;
2580 	}
2581 	bi_2_nbin1( &(daaSignature->sELength), daaSignature->sE, s_E);
2582 	daaSignature->sALength = revealAttributes.indicesListLength;
2583 	daaSignature->sA = (BYTE **)calloc_tspi(
2584 		tcsContext,
2585 		sizeof(BYTE *)*revealAttributes.indicesListLength);
2586 	if (daaSignature->sA == NULL) {
2587 		LogError("malloc of %d bytes failed",
2588 			sizeof(BYTE *)*revealAttributes.indicesListLength);
2589 		result = TSPERR(TSS_E_OUTOFMEMORY);
2590 		goto close;
2591 	}
2592 	length = (DAA_PARAM_SIZE_RANDOMIZED_ATTRIBUTES + 7) / 8;
2593 	for( i=0; i<(int)revealAttributes.indicesListLength; i++) {
2594 		daaSignature->sA[i] = calloc_tspi( tcsContext, length);
2595 		if (daaSignature->sA[i] == NULL) {
2596 			LogError("malloc of %d bytes failed", length);
2597 			result = TSPERR(TSS_E_OUTOFMEMORY);
2598 			goto close;
2599 		}
2600 		if( s_A->array[i] == NULL)
2601 			bi_2_byte_array( daaSignature->sA[i], length, bi_0);
2602 		else {
2603 			bi_2_byte_array( daaSignature->sA[i], length, s_A->array[i]);
2604 			LogDebug("size big_integer s_A[i] = %ld   size daaSignature->sA[i]=%d",
2605 				bi_nbin_size( s_A->array[i]), length);
2606 		}
2607 	}
2608 	daaSignature->attributeCommitmentsLength = 0;
2609 	daaSignature->signedPseudonym = signature_pseudonym;
2610 close:
2611 	bi_free_ptr( tmp1);
2612 	if( c_bytes != NULL) free( c_bytes);
2613 	if( ch != NULL) free( ch);
2614 	if( nonce_tpm != NULL) free( nonce_tpm);
2615 	if( encryption_result !=NULL) free( encryption_result);
2616 	if( encryption_result_tilde !=NULL) free( encryption_result_tilde);
2617 	if( issuer_settings != NULL) free( issuer_settings);
2618 	if( r_A != NULL) {
2619 		for( i=0; i<(int)revealAttributes.indicesListLength; i++)
2620 			if( r_A->array[i] != NULL) bi_free_ptr( r_A->array[i]);
2621 		free( r_A);
2622 	}
2623 	FREE_BI( s_V);
2624 	FREE_BI( s_E);
2625 	FREE_BI( e);
2626 	FREE_BI( sV2);
2627 	FREE_BI( sV1);
2628         FREE_BI( sF1);
2629 	FREE_BI( sF0);
2630 	FREE_BI( c);
2631 	FREE_BI( product_R);
2632 	FREE_BI( capital_A);
2633 	FREE_BI( capital_T_tilde);
2634 	FREE_BI( r_V);
2635 	FREE_BI( r_E);
2636 	FREE_BI( capital_T);
2637 	FREE_BI( w);
2638 	FREE_BI( capital_N_tilde_v);
2639 	FREE_BI( capital_Nv);
2640 	FREE_BI( t_tilde_T);
2641 	FREE_BI( n);
2642 	FREE_BI( capital_gamma);
2643 	FREE_BI( gamma);
2644 	FREE_BI( zeta);
2645 	FREE_BI( r);
2646 	free_TSS_DAA_PK_internal( pk_intern);
2647 	free_TPM_DAA_ISSUER( tpm_daa_issuer);
2648 	return result;
2649 }
2650