xref: /netbsd-src/crypto/external/cpl/trousers/dist/src/tspi/tsp_delegate.c (revision d90047b5d07facf36e6c01dcc0bded8997ce9cc2) 
1 
2 /*
3  * Licensed Materials - Property of IBM
4  *
5  * trousers - An open source TCG Software Stack
6  *
7  * (C) Copyright International Business Machines Corp. 2007
8  *
9  */
10 
11 
12 #include <stdlib.h>
13 #include <stdio.h>
14 #include <string.h>
15 
16 #include "trousers/tss.h"
17 #include "trousers/trousers.h"
18 #include "trousers_types.h"
19 #include "spi_utils.h"
20 #include "obj.h"
21 #include "tsplog.h"
22 #include "tsp_delegate.h"
23 #include "authsess.h"
24 
25 
26 TSS_RESULT
27 do_delegate_manage(TSS_HTPM hTpm, UINT32 familyID, UINT32 opFlag,
28 		   UINT32 opDataSize, BYTE *opData, UINT32 *outDataSize, BYTE **outData)
29 {
30 	TSS_HCONTEXT hContext;
31 	TSS_HPOLICY hPolicy;
32 	UINT32 secretMode = TSS_SECRET_MODE_NONE;
33 	Trspi_HashCtx hashCtx;
34 	TCPA_DIGEST digest;
35 	TPM_AUTH ownerAuth, *pAuth;
36 	UINT32 retDataSize;
37 	BYTE *retData = NULL;
38 	TSS_RESULT result;
39 
40 	if ((result = obj_tpm_get_tsp_context(hTpm, &hContext)))
41 		return result;
42 
43 	if ((result = obj_tpm_get_policy(hTpm, TSS_POLICY_USAGE, &hPolicy)))
44 		return result;
45 
46 	if (hPolicy != NULL_HPOLICY) {
47 		if ((result = obj_policy_get_mode(hPolicy, &secretMode)))
48 			return result;
49 	}
50 
51 	if (secretMode != TSS_SECRET_MODE_NONE) {
52 		result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1);
53 		result |= Trspi_Hash_UINT32(&hashCtx, TPM_ORD_Delegate_Manage);
54 		result |= Trspi_Hash_UINT32(&hashCtx, familyID);
55 		result |= Trspi_Hash_UINT32(&hashCtx, opFlag);
56 		result |= Trspi_Hash_UINT32(&hashCtx, opDataSize);
57 		result |= Trspi_HashUpdate(&hashCtx, opDataSize, opData);
58 		if ((result |= Trspi_HashFinal(&hashCtx, digest.digest)))
59 			return result;
60 
61 		pAuth = &ownerAuth;
62 		if ((result = secret_PerformAuth_OIAP(hTpm, TPM_ORD_Delegate_Manage, hPolicy, FALSE,
63 						      &digest, pAuth)))
64 			return result;
65 	} else
66 		pAuth = NULL;
67 
68 	/* Perform the delegation operation */
69 	if ((result = TCS_API(hContext)->Delegate_Manage(hContext, familyID, opFlag, opDataSize,
70 							 opData, pAuth, &retDataSize, &retData)))
71 		return result;
72 
73 	if (pAuth) {
74 		result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1);
75 		result |= Trspi_Hash_UINT32(&hashCtx, result);
76 		result |= Trspi_Hash_UINT32(&hashCtx, TPM_ORD_Delegate_Manage);
77 		result |= Trspi_Hash_UINT32(&hashCtx, retDataSize);
78 		result |= Trspi_HashUpdate(&hashCtx, retDataSize, retData);
79 		if ((result |= Trspi_HashFinal(&hashCtx, digest.digest))) {
80 			free(retData);
81 			goto done;
82 		}
83 
84 		if ((result = obj_policy_validate_auth_oiap(hPolicy, &digest, pAuth))) {
85 			free(retData);
86 			goto done;
87 		}
88 	}
89 
90 	*outDataSize = retDataSize;
91 	*outData = retData;
92 
93 done:
94 	return result;
95 }
96 
97 TSS_RESULT
98 create_owner_delegation(TSS_HTPM       hTpm,
99 			BYTE           bLabel,
100 			UINT32         ulFlags,
101 			TSS_HPCRS      hPcrs,
102 			TSS_HDELFAMILY hFamily,
103 			TSS_HPOLICY    hDelegation)
104 {
105 	TSS_HCONTEXT hContext;
106 	TSS_BOOL incrementCount = FALSE;
107 	UINT32 type;
108 	UINT32 publicInfoSize;
109 	BYTE *publicInfo = NULL;
110 	Trspi_HashCtx hashCtx;
111 	TCPA_DIGEST digest;
112 	UINT32 blobSize;
113 	BYTE *blob = NULL;
114 	TSS_RESULT result;
115 	struct authsess *xsap = NULL;
116 
117 	if ((result = obj_tpm_get_tsp_context(hTpm, &hContext)))
118 		return result;
119 
120 	if ((ulFlags & ~TSS_DELEGATE_INCREMENTVERIFICATIONCOUNT) > 0)
121 		return TSPERR(TSS_E_BAD_PARAMETER);
122 
123 	if (ulFlags & TSS_DELEGATE_INCREMENTVERIFICATIONCOUNT)
124 		incrementCount = TRUE;
125 
126 	if ((result = obj_policy_get_delegation_type(hDelegation, &type)))
127 		return result;
128 
129 	if (type != TSS_DELEGATIONTYPE_OWNER)
130 		return TSPERR(TSS_E_BAD_PARAMETER);
131 
132 	if ((result = __tspi_build_delegate_public_info(bLabel, hPcrs, hFamily, hDelegation,
133 			&publicInfoSize, &publicInfo)))
134 		return result;
135 
136 	if ((result = authsess_xsap_init(hContext, hTpm, hDelegation, TSS_AUTH_POLICY_NOT_REQUIRED,
137 					 TPM_ORD_Delegate_CreateOwnerDelegation, TPM_ET_OWNER,
138 					 &xsap))) {
139 		free(publicInfo);
140 		return result;
141 	}
142 
143 	result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1);
144 	result |= Trspi_Hash_UINT32(&hashCtx, TPM_ORD_Delegate_CreateOwnerDelegation);
145 	result |= Trspi_Hash_BOOL(&hashCtx, incrementCount);
146 	result |= Trspi_HashUpdate(&hashCtx, publicInfoSize, publicInfo);
147 	result |= Trspi_Hash_DIGEST(&hashCtx, xsap->encAuthUse.authdata);
148 	if ((result |= Trspi_HashFinal(&hashCtx, digest.digest)))
149 		goto done;
150 
151 	if ((result = authsess_xsap_hmac(xsap, &digest)))
152 		goto done;
153 
154 	/* Create the delegation */
155 	if ((result = TCS_API(hContext)->Delegate_CreateOwnerDelegation(hContext, incrementCount,
156 									publicInfoSize, publicInfo,
157 									&xsap->encAuthUse,
158 									xsap->pAuth, &blobSize,
159 									&blob)))
160 		goto done;
161 
162 	result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1);
163 	result |= Trspi_Hash_UINT32(&hashCtx, result);
164 	result |= Trspi_Hash_UINT32(&hashCtx, TPM_ORD_Delegate_CreateOwnerDelegation);
165 	result |= Trspi_Hash_UINT32(&hashCtx, blobSize);
166 	result |= Trspi_HashUpdate(&hashCtx, blobSize, blob);
167 	if ((result |= Trspi_HashFinal(&hashCtx, digest.digest)))
168 		goto done;
169 
170 	if (authsess_xsap_verify(xsap, &digest)) {
171 		result = TSPERR(TSS_E_TSP_AUTHFAIL);
172 		goto done;
173 	}
174 
175 	result = obj_policy_set_delegation_blob(hDelegation, TSS_DELEGATIONTYPE_OWNER,
176 			blobSize, blob);
177 
178 done:
179 	authsess_free(xsap);
180 	free(publicInfo);
181 	free(blob);
182 
183 	return result;
184 }
185 
186 TSS_RESULT
187 create_key_delegation(TSS_HKEY       hKey,
188 		      BYTE           bLabel,
189 		      UINT32         ulFlags,
190 		      TSS_HPCRS      hPcrs,
191 		      TSS_HDELFAMILY hFamily,
192 		      TSS_HPOLICY    hDelegation)
193 {
194 	TSS_HCONTEXT hContext;
195 	UINT32 type;
196 	TCS_KEY_HANDLE tcsKeyHandle;
197 	UINT32 publicInfoSize;
198 	BYTE *publicInfo = NULL;
199 	Trspi_HashCtx hashCtx;
200 	TCPA_DIGEST digest;
201 	UINT32 blobSize;
202 	BYTE *blob = NULL;
203 	TSS_RESULT result;
204 	struct authsess *xsap = NULL;
205 
206 	if ((result = obj_rsakey_get_tsp_context(hKey, &hContext)))
207 		return result;
208 
209 	if (ulFlags != 0)
210 		return TSPERR(TSS_E_BAD_PARAMETER);
211 
212 	if ((result = obj_policy_get_delegation_type(hDelegation, &type)))
213 		return result;
214 
215 	if (type != TSS_DELEGATIONTYPE_KEY)
216 		return TSPERR(TSS_E_BAD_PARAMETER);
217 
218 	if ((result = obj_rsakey_get_tcs_handle(hKey, &tcsKeyHandle)))
219 		return result;
220 
221 	if ((result = __tspi_build_delegate_public_info(bLabel, hPcrs, hFamily, hDelegation,
222 			&publicInfoSize, &publicInfo)))
223 		return result;
224 
225 	if ((result = authsess_xsap_init(hContext, hKey, hDelegation, TSS_AUTH_POLICY_REQUIRED,
226 					 TPM_ORD_Delegate_CreateKeyDelegation, TPM_ET_KEYHANDLE,
227 					 &xsap))) {
228 		free(publicInfo);
229 		return result;
230 	}
231 
232 	result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1);
233 	result |= Trspi_Hash_UINT32(&hashCtx, TPM_ORD_Delegate_CreateKeyDelegation);
234 	result |= Trspi_HashUpdate(&hashCtx, publicInfoSize, publicInfo);
235 	result |= Trspi_Hash_ENCAUTH(&hashCtx, xsap->encAuthUse.authdata);
236 	if ((result |= Trspi_HashFinal(&hashCtx, digest.digest)))
237 		goto done;
238 
239 	if ((result = authsess_xsap_hmac(xsap, &digest)))
240 		goto done;
241 
242 	/* Create the delegation */
243 	if ((result = TCS_API(hContext)->Delegate_CreateKeyDelegation(hContext, tcsKeyHandle,
244 								      publicInfoSize, publicInfo,
245 								      &xsap->encAuthUse,
246 								      xsap->pAuth, &blobSize,
247 								      &blob)))
248 		goto done;
249 
250 	result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1);
251 	result |= Trspi_Hash_UINT32(&hashCtx, result);
252 	result |= Trspi_Hash_UINT32(&hashCtx, TPM_ORD_Delegate_CreateKeyDelegation);
253 	result |= Trspi_Hash_UINT32(&hashCtx, blobSize);
254 	result |= Trspi_HashUpdate(&hashCtx, blobSize, blob);
255 	if ((result |= Trspi_HashFinal(&hashCtx, digest.digest)))
256 		goto done;
257 
258 	if (authsess_xsap_verify(xsap, &digest)) {
259 		result = TSPERR(TSS_E_TSP_AUTHFAIL);
260 		goto done;
261 	}
262 
263 	result = obj_policy_set_delegation_blob(hDelegation, TSS_DELEGATIONTYPE_KEY, blobSize,
264 						blob);
265 
266 done:
267 	free(blob);
268 	authsess_free(xsap);
269 	free(publicInfo);
270 
271 	return result;
272 }
273 
274 TSS_RESULT
275 update_delfamily_object(TSS_HTPM hTpm, UINT32 familyID)
276 {
277 	TSS_HCONTEXT hContext;
278 	UINT32 familyTableSize, delegateTableSize;
279 	BYTE *familyTable = NULL, *delegateTable = NULL;
280 	UINT64 offset;
281 	TPM_FAMILY_TABLE_ENTRY familyTableEntry;
282 	TSS_BOOL familyState;
283 	TSS_HDELFAMILY hFamily;
284 	TSS_RESULT result;
285 
286 	if ((result = obj_tpm_get_tsp_context(hTpm, &hContext)))
287 		return result;
288 
289 	if ((result = TCS_API(hContext)->Delegate_ReadTable(hContext, &familyTableSize,
290 							    &familyTable, &delegateTableSize,
291 							    &delegateTable)))
292 		return result;
293 
294 	for (offset = 0; offset < familyTableSize;) {
295 		Trspi_UnloadBlob_TPM_FAMILY_TABLE_ENTRY(&offset, familyTable, &familyTableEntry);
296 		if (familyTableEntry.familyID == familyID) {
297 			obj_delfamily_find_by_familyid(hContext, familyID, &hFamily);
298 			if (hFamily == NULL_HDELFAMILY) {
299 				if ((result = obj_delfamily_add(hContext, &hFamily)))
300 					goto done;
301 				if ((result = obj_delfamily_set_familyid(hFamily,
302 									 familyTableEntry.familyID)))
303 					goto done;
304 				if ((result = obj_delfamily_set_label(hFamily,
305 								      familyTableEntry.label.label)))
306 					goto done;
307 			}
308 
309 			/* Set/Update the family attributes */
310 			familyState = (familyTableEntry.flags & TPM_FAMFLAG_DELEGATE_ADMIN_LOCK) ?
311 				      TRUE : FALSE;
312 			if ((result = obj_delfamily_set_locked(hFamily, familyState, FALSE)))
313 				goto done;
314 			familyState = (familyTableEntry.flags & TPM_FAMFLAG_ENABLE) ? TRUE : FALSE;
315 			if ((result = obj_delfamily_set_enabled(hFamily, familyState, FALSE)))
316 				goto done;
317 			if ((result = obj_delfamily_set_vercount(hFamily,
318 								 familyTableEntry.verificationCount)))
319 				goto done;
320 
321 			break;
322 		}
323 	}
324 
325 done:
326 	free(familyTable);
327 	free(delegateTable);
328 
329 	return result;
330 }
331 
332 TSS_RESULT
333 get_delegate_index(TSS_HCONTEXT hContext, UINT32 index, TPM_DELEGATE_PUBLIC *public)
334 {
335 	UINT32 familyTableSize, delegateTableSize;
336 	BYTE *familyTable = NULL, *delegateTable = NULL;
337 	UINT64 offset;
338 	UINT32 tpmIndex;
339 	TPM_DELEGATE_PUBLIC tempPublic;
340 	TSS_RESULT result;
341 
342 	if ((result = TCS_API(hContext)->Delegate_ReadTable(hContext, &familyTableSize,
343 							    &familyTable, &delegateTableSize,
344 							    &delegateTable)))
345 		goto done;
346 
347 	for (offset = 0; offset < delegateTableSize;) {
348 		Trspi_UnloadBlob_UINT32(&offset, &tpmIndex, delegateTable);
349 		if (tpmIndex == index) {
350 			result = Trspi_UnloadBlob_TPM_DELEGATE_PUBLIC(&offset, delegateTable, public);
351 			goto done;
352 		} else {
353 			if ((result = Trspi_UnloadBlob_TPM_DELEGATE_PUBLIC(&offset, delegateTable, &tempPublic)))
354 				goto done;
355 		}
356 
357 		free(tempPublic.pcrInfo.pcrSelection.pcrSelect);
358 	}
359 
360 	/* Didn't find a matching index */
361 	result = TSPERR(TSS_E_BAD_PARAMETER);
362 
363 done:
364 	free(familyTable);
365 	free(delegateTable);
366 
367 	return result;
368 }
369 
370 TSS_RESULT
371 __tspi_build_delegate_public_info(BYTE           bLabel,
372 			   TSS_HPCRS      hPcrs,
373 			   TSS_HDELFAMILY hFamily,
374 			   TSS_HPOLICY    hDelegation,
375 			   UINT32        *publicInfoSize,
376 			   BYTE         **publicInfo)
377 {
378 	TPM_DELEGATE_PUBLIC public;
379 	UINT32 delegateType;
380 	UINT32 pcrInfoSize;
381 	BYTE *pcrInfo = NULL;
382 	UINT64 offset;
383 	TSS_RESULT result = TSS_SUCCESS;
384 
385 	if (hDelegation == NULL_HPOLICY)
386 		return TSPERR(TSS_E_BAD_PARAMETER);
387 
388 	if ((result = obj_policy_get_delegation_type(hDelegation, &delegateType)))
389 		return result;
390 
391 	/* This call will create a "null" PCR_INFO_SHORT if hPcrs is null */
392 	if ((result = obj_pcrs_create_info_short(hPcrs, &pcrInfoSize, &pcrInfo)))
393 		return result;
394 
395 	__tspi_memset(&public, 0, sizeof(public));
396 	public.tag = TPM_TAG_DELEGATE_PUBLIC;
397 	public.label.label = bLabel;
398 	offset = 0;
399 	if ((result = Trspi_UnloadBlob_PCR_INFO_SHORT(&offset, pcrInfo, &public.pcrInfo)))
400 		goto done;
401 	public.permissions.tag = TPM_TAG_DELEGATIONS;
402 	public.permissions.delegateType =
403 		(delegateType == TSS_DELEGATIONTYPE_OWNER) ? TPM_DEL_OWNER_BITS : TPM_DEL_KEY_BITS;
404 	if ((result = obj_policy_get_delegation_per1(hDelegation, &public.permissions.per1)))
405 		goto done;
406 	if ((result = obj_policy_get_delegation_per2(hDelegation, &public.permissions.per2)))
407 		goto done;
408 	if ((result = obj_delfamily_get_familyid(hFamily, &public.familyID)))
409 		goto done;
410 	if ((result = obj_delfamily_get_vercount(hFamily, &public.verificationCount)))
411 		goto done;
412 
413 	offset = 0;
414 	Trspi_LoadBlob_TPM_DELEGATE_PUBLIC(&offset, NULL, &public);
415 	*publicInfoSize = offset;
416 	*publicInfo = malloc(*publicInfoSize);
417 	if (*publicInfo == NULL) {
418 		LogError("malloc of %u bytes failed.", *publicInfoSize);
419 		result = TSPERR(TSS_E_OUTOFMEMORY);
420 		goto done;
421 	}
422 	offset = 0;
423 	Trspi_LoadBlob_TPM_DELEGATE_PUBLIC(&offset, *publicInfo, &public);
424 
425 done:
426 	free(pcrInfo);
427 	free(public.pcrInfo.pcrSelection.pcrSelect);
428 
429 	return result;
430 }
431 
432 #ifdef TSS_BUILD_TRANSPORT
433 TSS_RESULT
434 Transport_Delegate_Manage(TSS_HCONTEXT tspContext,              /* in */
435 			  TPM_FAMILY_ID familyID,             /* in */
436 			  TPM_FAMILY_OPERATION opFlag,        /* in */
437 			  UINT32 opDataSize,                  /* in */
438 			  BYTE *opData,                       /* in */
439 			  TPM_AUTH *ownerAuth,                /* in, out */
440 			  UINT32 *retDataSize,                /* out */
441 			  BYTE **retData)                     /* out */
442 {
443 	TSS_RESULT result;
444 	UINT32 handlesLen = 0, decLen, dataLen;
445 	UINT64 offset;
446 	BYTE *data, *dec = NULL;
447 
448 
449 	if ((result = obj_context_transport_init(tspContext)))
450 		return result;
451 
452 	LogDebugFn("Executing in a transport session");
453 
454 	dataLen = sizeof(TPM_FAMILY_ID)
455 		  + sizeof(TPM_FAMILY_OPERATION)
456 		  + sizeof(UINT32)
457 		  + opDataSize;
458 	if ((data = malloc(dataLen)) == NULL) {
459 		LogError("malloc of %u bytes failed", dataLen);
460 		return TSPERR(TSS_E_OUTOFMEMORY);
461 	}
462 
463 	offset = 0;
464 	Trspi_LoadBlob_UINT32(&offset, familyID, data);
465 	Trspi_LoadBlob_UINT32(&offset, opFlag, data);
466 	Trspi_LoadBlob_UINT32(&offset, opDataSize, data);
467 	Trspi_LoadBlob(&offset, opDataSize, data, opData);
468 
469 	if ((result = obj_context_transport_execute(tspContext, TPM_ORD_Delegate_Manage, dataLen,
470 						    data, NULL, &handlesLen, NULL, ownerAuth,
471 						    NULL, &decLen, &dec))) {
472 		free(data);
473 		return result;
474 	}
475 	free(data);
476 
477 	offset = 0;
478 	Trspi_UnloadBlob_UINT32(&offset, retDataSize, dec);
479 
480 	if ((*retData = malloc(*retDataSize)) == NULL) {
481 		free(dec);
482 		LogError("malloc of %u bytes failed", *retDataSize);
483 		*retDataSize = 0;
484 		return TSPERR(TSS_E_OUTOFMEMORY);
485 	}
486 	Trspi_UnloadBlob(&offset, *retDataSize, dec, *retData);
487 
488 	free(dec);
489 
490 	return result;
491 }
492 
493 TSS_RESULT
494 Transport_Delegate_CreateKeyDelegation(TSS_HCONTEXT tspContext,         /* in */
495 				       TCS_KEY_HANDLE hKey,           /* in */
496 				       UINT32 publicInfoSize,         /* in */
497 				       BYTE *publicInfo,              /* in */
498 				       TPM_ENCAUTH *encDelAuth,        /* in */
499 				       TPM_AUTH *keyAuth,             /* in, out */
500 				       UINT32 *blobSize,              /* out */
501 				       BYTE **blob)                   /* out */
502 {
503 	TSS_RESULT result;
504 	UINT32 handlesLen, decLen, dataLen;
505 	TCS_HANDLE *handles, handle;
506 	TPM_DIGEST pubKeyHash;
507 	Trspi_HashCtx hashCtx;
508 	UINT64 offset;
509 	BYTE *data, *dec = NULL;
510 
511 	if ((result = obj_context_transport_init(tspContext)))
512 		return result;
513 
514 	LogDebugFn("Executing in a transport session");
515 
516 	if ((result = obj_tcskey_get_pubkeyhash(hKey, pubKeyHash.digest)))
517 		return result;
518 
519 	result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1);
520 	result |= Trspi_Hash_DIGEST(&hashCtx, pubKeyHash.digest);
521 	if ((result |= Trspi_HashFinal(&hashCtx, pubKeyHash.digest)))
522 		return result;
523 
524 	handlesLen = 1;
525 	handle = hKey;
526 	handles = &handle;
527 
528 	dataLen = publicInfoSize + sizeof(TPM_ENCAUTH);
529 	if ((data = malloc(dataLen)) == NULL) {
530 		LogError("malloc of %u bytes failed", dataLen);
531 		return TSPERR(TSS_E_OUTOFMEMORY);
532 	}
533 
534 	offset = 0;
535 	Trspi_LoadBlob(&offset, publicInfoSize, data, publicInfo);
536 	Trspi_LoadBlob(&offset, sizeof(TPM_ENCAUTH), data, encDelAuth->authdata);
537 
538 	if ((result = obj_context_transport_execute(tspContext,
539 						    TPM_ORD_Delegate_CreateKeyDelegation, dataLen,
540 						    data, &pubKeyHash, &handlesLen, &handles,
541 						    keyAuth, NULL, &decLen, &dec))) {
542 		free(data);
543 		return result;
544 	}
545 	free(data);
546 
547 	offset = 0;
548 	Trspi_UnloadBlob_UINT32(&offset, blobSize, dec);
549 
550 	if ((*blob = malloc(*blobSize)) == NULL) {
551 		free(dec);
552 		LogError("malloc of %u bytes failed", *blobSize);
553 		*blobSize = 0;
554 		return TSPERR(TSS_E_OUTOFMEMORY);
555 	}
556 	Trspi_UnloadBlob(&offset, *blobSize, dec, *blob);
557 
558 	free(dec);
559 
560 	return result;
561 }
562 
563 TSS_RESULT
564 Transport_Delegate_CreateOwnerDelegation(TSS_HCONTEXT tspContext,       /* in */
565 					 TSS_BOOL increment,          /* in */
566 					 UINT32 publicInfoSize,       /* in */
567 					 BYTE *publicInfo,            /* in */
568 					 TPM_ENCAUTH *encDelAuth,      /* in */
569 					 TPM_AUTH *ownerAuth,         /* in, out */
570 					 UINT32 *blobSize,            /* out */
571 					 BYTE **blob)                 /* out */
572 {
573 	TSS_RESULT result;
574 	UINT32 handlesLen = 0, decLen, dataLen;
575 	UINT64 offset;
576 	BYTE *data, *dec = NULL;
577 
578 	if ((result = obj_context_transport_init(tspContext)))
579 		return result;
580 
581 	LogDebugFn("Executing in a transport session");
582 
583 	dataLen = sizeof(TSS_BOOL) + publicInfoSize + sizeof(TPM_ENCAUTH);
584 	if ((data = malloc(dataLen)) == NULL) {
585 		LogError("malloc of %u bytes failed", dataLen);
586 		return TSPERR(TSS_E_OUTOFMEMORY);
587 	}
588 
589 	offset = 0;
590 	Trspi_LoadBlob_BOOL(&offset, increment, data);
591 	Trspi_LoadBlob(&offset, publicInfoSize, data, publicInfo);
592 	Trspi_LoadBlob(&offset, sizeof(TPM_ENCAUTH), data, encDelAuth->authdata);
593 
594 	if ((result = obj_context_transport_execute(tspContext,
595 						    TPM_ORD_Delegate_CreateOwnerDelegation, dataLen,
596 						    data, NULL, &handlesLen, NULL, ownerAuth,
597 						    NULL, &decLen, &dec))) {
598 		free(data);
599 		return result;
600 	}
601 	free(data);
602 
603 	offset = 0;
604 	Trspi_UnloadBlob_UINT32(&offset, blobSize, dec);
605 
606 	if ((*blob = malloc(*blobSize)) == NULL) {
607 		free(dec);
608 		LogError("malloc of %u bytes failed", *blobSize);
609 		*blobSize = 0;
610 		return TSPERR(TSS_E_OUTOFMEMORY);
611 	}
612 	Trspi_UnloadBlob(&offset, *blobSize, dec, *blob);
613 
614 	free(dec);
615 
616 	return result;
617 }
618 
619 TSS_RESULT
620 Transport_Delegate_LoadOwnerDelegation(TSS_HCONTEXT tspContext, /* in */
621 				       TPM_DELEGATE_INDEX index,      /* in */
622 				       UINT32 blobSize,               /* in */
623 				       BYTE *blob,                    /* in */
624 				       TPM_AUTH *ownerAuth)           /* in, out */
625 {
626 	TSS_RESULT result;
627 	UINT32 handlesLen = 0, dataLen, decLen;
628 	UINT64 offset;
629 	BYTE *data, *dec = NULL;
630 
631 	if ((result = obj_context_transport_init(tspContext)))
632 		return result;
633 
634 	LogDebugFn("Executing in a transport session");
635 
636 	dataLen = sizeof(TPM_DELEGATE_INDEX) + sizeof(UINT32) + blobSize;
637 	if ((data = malloc(dataLen)) == NULL) {
638 		LogError("malloc of %u bytes failed", dataLen);
639 		return TSPERR(TSS_E_OUTOFMEMORY);
640 	}
641 
642 	offset = 0;
643 	Trspi_LoadBlob_UINT32(&offset, index, data);
644 	Trspi_LoadBlob_UINT32(&offset, blobSize, data);
645 	Trspi_LoadBlob(&offset, blobSize, data, blob);
646 
647 	if ((result = obj_context_transport_execute(tspContext,
648 						    TPM_ORD_Delegate_LoadOwnerDelegation, dataLen,
649 						    data, NULL, &handlesLen, NULL, ownerAuth,
650 						    NULL, &decLen, &dec))) {
651 		free(data);
652 		return result;
653 	}
654 	free(data);
655 	free(dec);
656 
657 	return result;
658 }
659 
660 TSS_RESULT
661 Transport_Delegate_ReadTable(TSS_HCONTEXT tspContext,           /* in */
662 			     UINT32 *familyTableSize,         /* out */
663 			     BYTE **familyTable,              /* out */
664 			     UINT32 *delegateTableSize,       /* out */
665 			     BYTE **delegateTable)            /* out */
666 {
667 	TSS_RESULT result;
668 	UINT32 handlesLen = 0, decLen;
669 	UINT64 offset;
670 	BYTE *dec = NULL;
671 
672 	if ((result = obj_context_transport_init(tspContext)))
673 		return result;
674 
675 	LogDebugFn("Executing in a transport session");
676 
677 	if ((result = obj_context_transport_execute(tspContext, TPM_ORD_Delegate_ReadTable, 0, NULL,
678 						    NULL, &handlesLen, NULL, NULL, NULL, &decLen,
679 						    &dec)))
680 		return result;
681 
682 	offset = 0;
683 	Trspi_UnloadBlob_UINT32(&offset, familyTableSize, dec);
684 
685 	if ((*familyTable = malloc(*familyTableSize)) == NULL) {
686 		free(dec);
687 		LogError("malloc of %u bytes failed", *familyTableSize);
688 		*familyTableSize = 0;
689 		return TSPERR(TSS_E_OUTOFMEMORY);
690 	}
691 	Trspi_UnloadBlob(&offset, *familyTableSize, dec, *familyTable);
692 
693 	Trspi_UnloadBlob_UINT32(&offset, delegateTableSize, dec);
694 
695 	if ((*delegateTable = malloc(*delegateTableSize)) == NULL) {
696 		free(dec);
697 		free(*familyTable);
698 		*familyTable = NULL;
699 		*familyTableSize = 0;
700 		LogError("malloc of %u bytes failed", *delegateTableSize);
701 		*delegateTableSize = 0;
702 		return TSPERR(TSS_E_OUTOFMEMORY);
703 	}
704 	Trspi_UnloadBlob(&offset, *delegateTableSize, dec, *delegateTable);
705 
706 	free(dec);
707 
708 	return result;
709 }
710 
711 TSS_RESULT
712 Transport_Delegate_UpdateVerificationCount(TSS_HCONTEXT tspContext,     /* in */
713 					   UINT32 inputSize,          /* in */
714 					   BYTE *input,               /* in */
715 					   TPM_AUTH *ownerAuth,       /* in, out */
716 					   UINT32 *outputSize,        /* out */
717 					   BYTE **output)             /* out */
718 {
719 	TSS_RESULT result;
720 	UINT32 handlesLen = 0, decLen, dataLen;
721 	UINT64 offset;
722 	BYTE *data, *dec = NULL;
723 
724 
725 	if ((result = obj_context_transport_init(tspContext)))
726 		return result;
727 
728 	LogDebugFn("Executing in a transport session");
729 
730 	dataLen = sizeof(UINT32) + inputSize;
731 	if ((data = malloc(dataLen)) == NULL) {
732 		LogError("malloc of %u bytes failed", dataLen);
733 		return TSPERR(TSS_E_OUTOFMEMORY);
734 	}
735 
736 	offset = 0;
737 	Trspi_LoadBlob_UINT32(&offset, inputSize, data);
738 	Trspi_LoadBlob(&offset, inputSize, data, input);
739 
740 	if ((result = obj_context_transport_execute(tspContext, TPM_ORD_Delegate_UpdateVerification,
741 						    dataLen, data, NULL, &handlesLen, NULL,
742 						    ownerAuth, NULL, &decLen, &dec))) {
743 		free(data);
744 		return result;
745 	}
746 	free(data);
747 
748 	offset = 0;
749 	Trspi_UnloadBlob_UINT32(&offset, outputSize, dec);
750 
751 	if ((*output = malloc(*outputSize)) == NULL) {
752 		free(dec);
753 		LogError("malloc of %u bytes failed", *outputSize);
754 		*outputSize = 0;
755 		return TSPERR(TSS_E_OUTOFMEMORY);
756 	}
757 	Trspi_UnloadBlob(&offset, *outputSize, dec, *output);
758 
759 	free(dec);
760 
761 	return result;
762 }
763 
764 TSS_RESULT
765 Transport_Delegate_VerifyDelegation(TSS_HCONTEXT tspContext,    /* in */
766 				    UINT32 delegateSize,      /* in */
767 				    BYTE *delegate)           /* in */
768 {
769 	TSS_RESULT result;
770 	UINT32 handlesLen = 0, dataLen, decLen;
771 	UINT64 offset;
772 	BYTE *data, *dec = NULL;
773 
774 
775 	if ((result = obj_context_transport_init(tspContext)))
776 		return result;
777 
778 	LogDebugFn("Executing in a transport session");
779 
780 	dataLen = + sizeof(UINT32) + delegateSize;
781 	if ((data = malloc(dataLen)) == NULL) {
782 		LogError("malloc of %u bytes failed", dataLen);
783 		return TSPERR(TSS_E_OUTOFMEMORY);
784 	}
785 
786 	offset = 0;
787 	Trspi_LoadBlob_UINT32(&offset, delegateSize, data);
788 	Trspi_LoadBlob(&offset, delegateSize, data, delegate);
789 
790 	result = obj_context_transport_execute(tspContext, TPM_ORD_Delegate_VerifyDelegation,
791 					       dataLen, data, NULL, &handlesLen, NULL, NULL, NULL,
792 					       &decLen, &dec);
793 	free(data);
794 	free(dec);
795 
796 	return result;
797 }
798 
799 TSS_RESULT
800 Transport_DSAP(TSS_HCONTEXT tspContext,		/* in */
801 	       TPM_ENTITY_TYPE entityType,	/* in */
802 	       TCS_KEY_HANDLE keyHandle,	/* in */
803 	       TPM_NONCE *nonceOddDSAP,		/* in */
804 	       UINT32 entityValueSize,		/* in */
805 	       BYTE * entityValue,		/* in */
806 	       TCS_AUTHHANDLE *authHandle,	/* out */
807 	       TPM_NONCE *nonceEven,		/* out */
808 	       TPM_NONCE *nonceEvenDSAP)	/* out */
809 {
810 	TSS_RESULT result;
811 	UINT32 handlesLen, dataLen, decLen;
812 	TCS_HANDLE *handles, handle;
813 	TPM_DIGEST pubKeyHash;
814 	Trspi_HashCtx hashCtx;
815 	UINT64 offset;
816 	BYTE *data, *dec = NULL;
817 
818 	if ((result = obj_context_transport_init(tspContext)))
819 		return result;
820 
821 	LogDebugFn("Executing in a transport session");
822 
823 	if ((result = obj_tcskey_get_pubkeyhash(keyHandle, pubKeyHash.digest)))
824 		return result;
825 
826 	result = Trspi_HashInit(&hashCtx, TSS_HASH_SHA1);
827 	result |= Trspi_Hash_DIGEST(&hashCtx, pubKeyHash.digest);
828 	if ((result |= Trspi_HashFinal(&hashCtx, pubKeyHash.digest)))
829 		return result;
830 
831 	dataLen = sizeof(TPM_ENTITY_TYPE) + sizeof(TPM_KEY_HANDLE)
832 					  + sizeof(TPM_NONCE)
833 					  + sizeof(UINT32)
834 					  + entityValueSize;
835 	if ((data = malloc(dataLen)) == NULL) {
836 		LogError("malloc of %u bytes failed", dataLen);
837 		return TSPERR(TSS_E_OUTOFMEMORY);
838 	}
839 
840 	handlesLen = 1;
841 	handle = keyHandle;
842 	handles = &handle;
843 
844 	offset = 0;
845 	Trspi_LoadBlob_UINT32(&offset, entityType, data);
846 	Trspi_LoadBlob_UINT32(&offset, keyHandle, data);
847 	Trspi_LoadBlob(&offset, sizeof(TPM_NONCE), data, nonceEvenDSAP->nonce);
848 	Trspi_LoadBlob_UINT32(&offset, entityValueSize, data);
849 	Trspi_LoadBlob(&offset, entityValueSize, data, entityValue);
850 
851 	if ((result = obj_context_transport_execute(tspContext, TPM_ORD_DSAP, dataLen, data,
852 						    &pubKeyHash, &handlesLen, &handles, NULL, NULL,
853 						    &decLen, &dec))) {
854 		free(data);
855 		return result;
856 	}
857 	free(data);
858 
859 	offset = 0;
860 	Trspi_UnloadBlob_UINT32(&offset, authHandle, dec);
861 
862 	Trspi_UnloadBlob(&offset, sizeof(TPM_NONCE), dec, nonceEven->nonce);
863 	Trspi_UnloadBlob(&offset, sizeof(TPM_NONCE), dec, nonceEvenDSAP->nonce);
864 
865 	free(dec);
866 
867 	return result;
868 }
869 #endif
870