path: root/src/tpm2/CryptUtil.c
/********************************************************************************/
/*										*/
/*			Interfaces to the Crypto Engine				*/
/*			     Written by Ken Goldman				*/
/*		       IBM Thomas J. Watson Research Center			*/
/*            $Id: CryptUtil.c 1658 2021-01-22 23:14:01Z kgoldman $		*/
/*										*/
/*  Licenses and Notices							*/
/*										*/
/*  1. Copyright Licenses:							*/
/*										*/
/*  - Trusted Computing Group (TCG) grants to the user of the source code in	*/
/*    this specification (the "Source Code") a worldwide, irrevocable, 		*/
/*    nonexclusive, royalty free, copyright license to reproduce, create 	*/
/*    derivative works, distribute, display and perform the Source Code and	*/
/*    derivative works thereof, and to grant others the rights granted herein.	*/
/*										*/
/*  - The TCG grants to the user of the other parts of the specification 	*/
/*    (other than the Source Code) the rights to reproduce, distribute, 	*/
/*    display, and perform the specification solely for the purpose of 		*/
/*    developing products based on such documents.				*/
/*										*/
/*  2. Source Code Distribution Conditions:					*/
/*										*/
/*  - Redistributions of Source Code must retain the above copyright licenses, 	*/
/*    this list of conditions and the following disclaimers.			*/
/*										*/
/*  - Redistributions in binary form must reproduce the above copyright 	*/
/*    licenses, this list of conditions	and the following disclaimers in the 	*/
/*    documentation and/or other materials provided with the distribution.	*/
/*										*/
/*  3. Disclaimers:								*/
/*										*/
/*  - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF	*/
/*  LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH	*/
/*  RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES)	*/
/*  THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE.		*/
/*  Contact TCG Administration (admin@trustedcomputinggroup.org) for 		*/
/*  information on specification licensing rights available through TCG 	*/
/*  membership agreements.							*/
/*										*/
/*  - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED 	*/
/*    WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR 	*/
/*    FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR 		*/
/*    NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY 		*/
/*    OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE.		*/
/*										*/
/*  - Without limitation, TCG and its members and licensors disclaim all 	*/
/*    liability, including liability for infringement of any proprietary 	*/
/*    rights, relating to use of information in this specification and to the	*/
/*    implementation of this specification, and TCG disclaims all liability for	*/
/*    cost of procurement of substitute goods or services, lost profits, loss 	*/
/*    of use, loss of data or any incidental, consequential, direct, indirect, 	*/
/*    or special damages, whether under contract, tort, warranty or otherwise, 	*/
/*    arising in any way out of use or reliance upon this specification or any 	*/
/*    information herein.							*/
/*										*/
/*  (c) Copyright IBM Corp. and others, 2016 - 2021				*/
/*										*/
/********************************************************************************/

/* 10.2.6 CryptUtil.c */
/* 10.2.6.1 Introduction */
/* This module contains the interfaces to the CryptoEngine() and provides miscellaneous
   cryptographic functions in support of the TPM. */
/* 10.2.6.2 Includes */
#include "Tpm.h"
/* 10.2.6.3 Hash/HMAC Functions */
/* 10.2.6.3.1 CryptHmacSign() */
/* Sign a digest using an HMAC key. This is an HMAC of a digest, not an HMAC of a message. */
/* Error Returns Meaning */
/* TPM_RC_HASH not a valid hash */
/* Computes an HMAC over an already-computed digest and stores it in the caller's signature
   structure. The hash algorithm is read from signature->signature.any.hashAlg, so the caller
   must fill that field in before the call. Every path returns TPM_RC_SUCCESS; nothing in this
   body reports an unusable hash algorithm to the caller. */
static TPM_RC
CryptHmacSign(
    TPMT_SIGNATURE      *signature,     // IN/OUT: hashAlg is read, hmac.digest is written
    OBJECT              *signKey,       // IN: object whose sensitive bits are the HMAC key
    TPM2B_DIGEST        *hashData       // IN: digest to be authenticated
    )
{
    HMAC_STATE       hmac;
    // The value returned by the start call is handed to CryptHmacEnd() as the
    // requested output size.
    UINT32           macBytes = CryptHmacStart2B(&hmac,
                                                 signature->signature.any.hashAlg,
                                                 &signKey->sensitive.sensitive.bits.b);

    // The message fed to the HMAC is the digest itself, not the original data.
    CryptDigestUpdate2B(&hmac.hashState, &hashData->b);

    // Finalize directly into the signature structure.
    CryptHmacEnd(&hmac, macBytes, (BYTE *)&signature->signature.hmac.digest);

    return TPM_RC_SUCCESS;
}
/* 10.2.6.3.2 CryptHMACVerifySignature() */
/* This function will verify a signature signed by a HMAC key. Note that a caller needs to prepare
   signature with the signature algorithm (TPM_ALG_HMAC) and the hash algorithm to use. This
   function then builds a signature of that type. */
/* Error Returns Meaning */
/* TPM_RC_SCHEME not the proper scheme for this key type */
/* TPM_RC_SIGNATURE if invalid input or signature is not genuine */
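/* Verifies an HMAC "signature" by recomputing the HMAC with signKey over hashData and comparing
   it with the value supplied in signature.

   Returns:
     TPM_RC_SCHEME     signature is not TPM_ALG_HMAC or names TPM_ALG_NULL as its hash
     TPM_RC_SIGNATURE  the key's scheme does not match the signature, the hash algorithm has
                       no digest size, or the recomputed HMAC differs
     TPM_RC_SUCCESS    the recomputed HMAC matches */
static TPM_RC
CryptHMACVerifySignature(
			 OBJECT              *signKey,       // IN: HMAC key signed the hash
			 TPM2B_DIGEST        *hashData,      // IN: digest being verified
			 TPMT_SIGNATURE      *signature      // IN: signature to be verified
			 )
{
    TPMT_SIGNATURE           test;
    TPMT_KEYEDHASH_SCHEME   *keyScheme =
	&signKey->publicArea.parameters.keyedHashDetail.scheme;
    UINT16                   digestSize;
    //
    if((signature->sigAlg != TPM_ALG_HMAC)
       || (signature->signature.hmac.hashAlg == TPM_ALG_NULL))
	return TPM_RC_SCHEME;
    // This check is not really needed for verification purposes. However, it does
    // prevent someone from trying to validate a signature using a weaker hash
    // algorithm than otherwise allowed by the key. That is, a key with a scheme
    // other than TPM_ALG_NULL can only be used to validate signatures that have
    // a matching scheme.
    if((keyScheme->scheme != TPM_ALG_NULL)
       && ((keyScheme->scheme != signature->sigAlg)
	   || (keyScheme->details.hmac.hashAlg != signature->signature.any.hashAlg)))
	return TPM_RC_SIGNATURE;
    // Fail closed when the hash algorithm yields no digest: a comparison over
    // zero bytes cannot distinguish a genuine HMAC from an arbitrary one.
    // NOTE(review): unmarshaling is presumably expected to reject unimplemented
    // hash algorithms before this point -- confirm; this guard does not rely on it.
    digestSize = CryptHashGetDigestSize(signature->signature.any.hashAlg);
    if(digestSize == 0)
	return TPM_RC_SIGNATURE;
    // Build the reference value with the same algorithm identifiers as the input
    test.sigAlg = signature->sigAlg;
    test.signature.hmac.hashAlg = signature->signature.hmac.hashAlg;
    CryptHmacSign(&test, signKey, hashData);
    // Compare digest
    // NOTE(review): a MAC comparison must not leak the position of the first
    // mismatching byte; confirm that MemoryEqual() runs in data-independent time.
    if(!MemoryEqual(&test.signature.hmac.digest,
		    &signature->signature.hmac.digest,
		    digestSize))
	return TPM_RC_SIGNATURE;
    return TPM_RC_SUCCESS;
}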
/* 10.2.6.3.3 CryptGenerateKeyedHash() */
/* This function creates a keyedHash object. */
/* Error Returns Meaning */
/* TPM_RC_NO_RESULT cannot get values from random number generator */
/* TPM_RC_SIZE sensitive data size is larger than allowed for the scheme */
/* Fills in the sensitive area of a keyedHash object, either from caller-supplied data or from
   the random source.

   Returns:
     TPM_RC_FAILURE    publicArea is not a keyedHash template, or generation produced no
                       bytes while g_inFailureMode is set
     TPM_RC_SIZE       caller-supplied data for a sign/decrypt key exceeds the hash block size
     TPM_RC_NO_RESULT  generation produced no bytes and the TPM is not in failure mode
     TPM_RC_SUCCESS    sensitive->sensitive.bits has been populated */
static TPM_RC
CryptGenerateKeyedHash(
    TPMT_PUBLIC             *publicArea,        // IN/OUT: the public area template
                                                //     for the new key.
    TPMT_SENSITIVE          *sensitive,         // OUT: sensitive area
    TPMS_SENSITIVE_CREATE   *sensitiveCreate,   // IN: sensitive creation data
    RAND_STATE              *rand               // IN: "entropy" source
    )
{
    TPMT_KEYEDHASH_SCHEME   *keyScheme = &publicArea->parameters.keyedHashDetail.scheme;
    TPM_ALG_ID               limitHash;
    UINT16                   limitDigest;

    if(publicArea->type != TPM_ALG_KEYEDHASH)
        return TPM_RC_FAILURE;

    // Select the hash that bounds the key size: the name algorithm when the key
    // has no scheme, otherwise the hash named by the XOR or HMAC scheme.
    switch(keyScheme->scheme)
    {
        case TPM_ALG_NULL:
            limitHash = publicArea->nameAlg;
            break;
        case TPM_ALG_XOR:
            limitHash = keyScheme->details.xorr.hashAlg;
            break;
        default:
            limitHash = keyScheme->details.hmac.hashAlg;
            break;
    }
    limitDigest = CryptHashGetDigestSize(limitHash);

    // No caller data: the TPM generates a value the size of the digest.
    if(sensitiveCreate->data.t.size == 0)
    {
        sensitive->sensitive.bits.t.size =
            DRBG_Generate(rand, sensitive->sensitive.bits.t.buffer, limitDigest);
        if(sensitive->sensitive.bits.t.size != 0)
            return TPM_RC_SUCCESS;
        return (g_inFailureMode) ? TPM_RC_FAILURE : TPM_RC_NO_RESULT;
    }

    // Caller-supplied value. For a signing or decryption key the upper limit is
    // the block size of the hash, because larger values have lower entropy
    // through the HMAC function. The lower limit of half the digest size is
    // compiled out below, so short caller-supplied keys are accepted.
    if(IS_ATTRIBUTE(publicArea->objectAttributes, TPMA_OBJECT, decrypt)
       || IS_ATTRIBUTE(publicArea->objectAttributes, TPMA_OBJECT, sign))
    {
        if(sensitiveCreate->data.t.size > CryptHashGetBlockSize(limitHash))
            return TPM_RC_SIZE;
#if 0   // May make this a FIPS-mode requirement
        if(sensitiveCreate->data.t.size < (limitDigest / 2))
            return TPM_RC_SIZE;
#endif
    }
    // A plain data blob only has to have survived unmarshaling; the copy is
    // bounded by the size of the destination buffer.
    MemoryCopy2B(&sensitive->sensitive.bits.b, &sensitiveCreate->data.b,
                 sizeof(sensitive->sensitive.bits.t.buffer));
    return TPM_RC_SUCCESS;
}
/* 10.2.6.3.4 CryptIsSchemeAnonymous() */
/* This function is used to test a scheme to see if it is an anonymous scheme. The only anonymous
   scheme is ECDAA. ECDAA can be used to do things like U-Prove. */
/* Reports whether the given scheme identifier is TPM_ALG_ECDAA, the only value this function
   treats as anonymous. */
BOOL
CryptIsSchemeAnonymous(
    TPM_ALG_ID       scheme         // IN: the scheme algorithm to test
    )
{
    BOOL    isAnonymous = (scheme == TPM_ALG_ECDAA);

    return isAnonymous;
}
/* 10.2.6.4 Symmetric Functions */
/* 10.2.6.4.1 ParmDecryptSym() */
/* This function performs parameter decryption using symmetric block cipher. */
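/* Decrypts a command parameter in place with a symmetric block cipher in CFB mode. The cipher
   key and IV are derived with KDFa from the session key and the two nonces, in the order
   (nonceCaller, nonceTpm). When CryptGetSymmetricBlockSize() reports a block size of 0 the
   buffer is left untouched. The derived key and IV are wiped from the stack before return. */
void
ParmDecryptSym(
	       TPM_ALG_ID       symAlg,        // IN: the symmetric algorithm
	       TPM_ALG_ID       hash,          // IN: hash algorithm for KDFa
	       UINT16           keySizeInBits, // IN: the key size in bits
	       TPM2B           *key,           // IN: KDF HMAC key
	       TPM2B           *nonceCaller,   // IN: nonce caller
	       TPM2B           *nonceTpm,      // IN: nonce TPM
	       UINT32           dataSize,      // IN: size of parameter buffer
	       BYTE            *data           // IN/OUT: buffer decrypted in place
	       )
{
    // KDF output buffer
    // It contains parameters for the CFB encryption
    // From MSB to LSB, they are the key and iv
    BYTE             symParmString[MAX_SYM_KEY_BYTES + MAX_SYM_BLOCK_SIZE];
    // Symmetric key size in byte
    UINT16           keySize = (keySizeInBits + 7) / 8;
    TPM2B_IV         iv;
    iv.t.size = CryptGetSymmetricBlockSize(symAlg, keySizeInBits);
    // If there is decryption to do...
    if(iv.t.size > 0)
	{
	    // Generate key and iv
	    CryptKDFa(hash, key, CFB_KEY, nonceCaller, nonceTpm,
		      keySizeInBits + (iv.t.size * 8), symParmString, NULL, FALSE);
	    // The IV is the part of the KDF output that follows the key bytes
	    MemoryCopy(iv.t.buffer, &symParmString[keySize], iv.t.size);
	    CryptSymmetricDecrypt(data, symAlg, keySizeInBits, symParmString,
				  &iv, TPM_ALG_CFB, dataSize, data);
	    // Do not leave the derived session cipher key and IV on the stack.
	    // NOTE(review): if MemorySet() can be inlined and elided as a dead
	    // store, use a wipe the optimizer cannot remove -- confirm.
	    MemorySet(symParmString, 0, sizeof(symParmString));
	    MemorySet(&iv, 0, sizeof(iv));
	}
    return;
}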
/* 10.2.6.4.2 ParmEncryptSym() */
/* This function performs parameter encryption using symmetric block cipher. */
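/* Encrypts a response parameter in place with a symmetric block cipher in CFB mode. The cipher
   key and IV are derived with KDFa from the session key and the two nonces, in the order
   (nonceTpm, nonceCaller) -- the reverse of ParmDecryptSym(). When CryptGetSymmetricBlockSize()
   reports a block size of 0 the buffer is left untouched. The derived key and IV are wiped from
   the stack before return. */
void
ParmEncryptSym(
	       TPM_ALG_ID       symAlg,        // IN: symmetric algorithm
	       TPM_ALG_ID       hash,          // IN: hash algorithm for KDFa
	       UINT16           keySizeInBits, // IN: symmetric key size in bits
	       TPM2B           *key,           // IN: KDF HMAC key
	       TPM2B           *nonceCaller,   // IN: nonce caller
	       TPM2B           *nonceTpm,      // IN: nonce TPM
	       UINT32           dataSize,      // IN: size of parameter buffer
	       BYTE            *data           // IN/OUT: buffer encrypted in place
	       )
{
    // KDF output buffer
    // It contains parameters for the CFB encryption
    BYTE             symParmString[MAX_SYM_KEY_BYTES + MAX_SYM_BLOCK_SIZE];
    // Symmetric key size in bytes
    UINT16           keySize = (keySizeInBits + 7) / 8;
    TPM2B_IV         iv;
    iv.t.size = CryptGetSymmetricBlockSize(symAlg, keySizeInBits);
    // See if there is any encryption to do
    if(iv.t.size > 0)
	{
	    // Generate key and iv
	    CryptKDFa(hash, key, CFB_KEY, nonceTpm, nonceCaller,
		      keySizeInBits + (iv.t.size * 8), symParmString, NULL, FALSE);
	    // The IV is the part of the KDF output that follows the key bytes
	    MemoryCopy(iv.t.buffer, &symParmString[keySize], iv.t.size);
	    CryptSymmetricEncrypt(data, symAlg, keySizeInBits, symParmString, &iv,
				  TPM_ALG_CFB, dataSize, data);
	    // Do not leave the derived session cipher key and IV on the stack.
	    // NOTE(review): if MemorySet() can be inlined and elided as a dead
	    // store, use a wipe the optimizer cannot remove -- confirm.
	    MemorySet(symParmString, 0, sizeof(symParmString));
	    MemorySet(&iv, 0, sizeof(iv));
	}
    return;
}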
/* 10.2.6.4.3 CryptGenerateKeySymmetric() */
/* This function generates a symmetric cipher key. The derivation process is determined by the type
   of the provided rand */
/* Error Returns Meaning */
/* TPM_RC_NO_RESULT cannot get a random value */
/* TPM_RC_KEY_SIZE key size in the public area does not match the size in the sensitive creation
   area */
/* TPM_RC_KEY provided key value is not allowed */
/* Populates the sensitive area of a symmetric cipher key, either by validating and copying
   caller-supplied key bytes or by generating new ones.

   Returns:
     TPM_RC_KEY_SIZE   keyBits is not a multiple of RADIX_BITS
     TPM_RC_FAILURE    g_inFailureMode is set after random generation
     TPM_RC_NO_RESULT  random generation produced no bytes
     TPM_RC_SUCCESS    the key is in sensitive->sensitive.sym
     otherwise         whatever CryptSymKeyValidate() or CryptGenerateKeyDes() returns */
static TPM_RC
CryptGenerateKeySymmetric(
    TPMT_PUBLIC             *publicArea,        // IN/OUT: The public area template
                                                //     for the new key.
    TPMT_SENSITIVE          *sensitive,         // OUT: sensitive area
    TPMS_SENSITIVE_CREATE   *sensitiveCreate,   // IN: sensitive creation data
    RAND_STATE              *rand               // IN: the "entropy" source
    )
{
    UINT16           keyBits = publicArea->parameters.symDetail.sym.keyBits.sym;

    // only do multiples of RADIX_BITS
    if((keyBits % RADIX_BITS) != 0)
        return TPM_RC_KEY_SIZE;

    // Caller supplied the key bytes: they are copied only if validation
    // against the symmetric definition succeeds.
    if(sensitiveCreate->data.t.size != 0)
    {
        TPM_RC       validation =
            CryptSymKeyValidate(&publicArea->parameters.symDetail.sym,
                                (TPM2B_SYM_KEY *)&sensitiveCreate->data);

        if(validation == TPM_RC_SUCCESS)
            MemoryCopy2B(&sensitive->sensitive.sym.b, &sensitiveCreate->data.b,
                         sizeof(sensitive->sensitive.sym.t.buffer));
        return validation;
    }
#if ALG_TDES
    // TDES keys go through their own generator
    if(publicArea->parameters.symDetail.sym.algorithm == TPM_ALG_TDES)
    {
        sensitive->sensitive.sym.t.size = keyBits / 8;
        return CryptGenerateKeyDes(publicArea, sensitive, rand);
    }
#endif
    // Any other algorithm: take the key bytes straight from the DRBG
    sensitive->sensitive.sym.t.size =
        DRBG_Generate(rand, sensitive->sensitive.sym.t.buffer,
                      BITS_TO_BYTES(keyBits));
    // Failure mode takes precedence over an empty result
    if(g_inFailureMode)
        return TPM_RC_FAILURE;
    if(sensitive->sensitive.sym.t.size == 0)
        return TPM_RC_NO_RESULT;
    return TPM_RC_SUCCESS;
}
/* 10.2.6.4.4 CryptXORObfuscation() */
/* This function implements XOR obfuscation. It should not be called if the hash algorithm is not
   implemented. The only return value from this function is TPM_RC_SUCCESS. */
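/* XORs the data buffer in place with a mask produced by repeated calls to KDFa. Each KDFa call
   yields one block of mask; `counter` is passed by address so successive calls continue the
   same KDF stream. The function asserts that key and data are non-NULL and that the hash has a
   non-zero digest size. The mask is wiped from the stack before return. */
void
CryptXORObfuscation(
		    TPM_ALG_ID       hash,          // IN: hash algorithm for KDF
		    TPM2B           *key,           // IN: KDF key
		    TPM2B           *contextU,      // IN: contextU
		    TPM2B           *contextV,      // IN: contextV
		    UINT32           dataSize,      // IN: size of data buffer
		    BYTE            *data           // IN/OUT: data to be XORed in place
		    )
{
    BYTE             mask[MAX_DIGEST_SIZE]; // Allocate a digest sized buffer
    BYTE            *pm;
    UINT32           i;
    UINT32           counter = 0;
    UINT16           hLen = CryptHashGetDigestSize(hash);
    // NOTE(review): dataSize * 8 wraps for dataSize >= 2^29, and the INT32 cast
    // below turns dataSize >= 2^31 into a negative count that skips the loop
    // and leaves the data unmasked. Presumably callers bound dataSize well
    // below that -- confirm against callers.
    UINT32           requestSize = dataSize * 8;
    INT32            remainBytes = (INT32)dataSize;
    pAssert((key != NULL) && (data != NULL) && (hLen != 0));
    // Call KDFa to generate XOR mask
    for(; remainBytes > 0; remainBytes -= hLen)
	{
	    // Make a call to KDFa to get next iteration
	    CryptKDFa(hash, key, XOR_KEY, contextU, contextV,
		      requestSize, mask, &counter, TRUE);
	    // XOR next piece of the data; the last piece may be shorter than hLen
	    pm = mask;
	    for(i = hLen < remainBytes ? hLen : remainBytes; i > 0; i--)
		*data++ ^= *pm++;
	}
    // The mask is key stream for the protected data; do not leave it on the stack.
    // NOTE(review): if MemorySet() can be inlined and elided as a dead store,
    // use a wipe the optimizer cannot remove -- confirm.
    MemorySet(mask, 0, sizeof(mask));
    return;
}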
/* 10.2.6.5 Initialization and shut down */
/* 10.2.6.5.1 CryptInit() */
/* This function is called when the TPM receives a _TPM_Init() indication. */
/* NOTE: The hash algorithms do not have to be tested, they just need to be available. They have to
   be tested before the TPM can accept HMAC authorization or return any result that relies on a hash
   algorithm. */
/* Return Values Meaning */
/* TRUE initializations succeeded */
/* FALSE initialization failed and caller should place the TPM into Failure Mode */
/* Performs the crypto-layer initialization steps in a fixed order and reports whether all of
   them succeeded. The library initializers are evaluated left to right and evaluation stops at
   the first one that fails. Returns TRUE when every step succeeded, FALSE otherwise. */
BOOL
CryptInit(
    void
    )
{
    // Initialize the vector of implemented algorithms
    AlgorithmGetImplementedVector(&g_implementedAlgorithms);
    // Mark every self-test as still to be run
    CryptInitializeToTest();
    // Library initializations; a FALSE result tells the caller to go into
    // failure mode.
    return SupportLibInit()
        && CryptSymInit()
        && CryptRandInit()
        && CryptHashInit()
#if ALG_RSA
        && CryptRsaInit()
#endif // TPM_ALG_RSA
#if ALG_ECC
        && CryptEccInit()
#endif // TPM_ALG_ECC
        ;
}
/* 10.2.6.5.2 CryptStartup() */
/* This function is called by TPM2_Startup() to initialize the functions in this cryptographic
   library and in the provided CryptoLibrary(). This function and CryptUtilInit() are both provided
   so that the implementation may move the initialization around to get the best interaction. */
/* Return Values Meaning */
/* TRUE startup succeeded */
/* FALSE startup failed and caller should place the TPM into Failure Mode */
/* Runs the per-algorithm startup routines in order, stopping at the first failure. When ECC is
   compiled in and the startup type is neither SU_RESTART nor SU_RESUME, it also installs a fresh
   commit nonce and clears the commit counter and commit array. Returns TRUE when every startup
   routine succeeded, FALSE otherwise. */
BOOL
CryptStartup(
    STARTUP_TYPE     type           // IN: the startup type
    )
{
    BOOL            started;

    NOT_REFERENCED(type);
    started = CryptSymStartup()
        && CryptRandStartup()
        && CryptHashStartup()
#if ALG_RSA
        && CryptRsaStartup()
#endif // TPM_ALG_RSA
#if ALG_ECC
        && CryptEccStartup()
#endif // TPM_ALG_ECC
        ;
#if ALG_ECC
    // SU_RESET is the default, so it is identified by exclusion rather than
    // tested for directly.
    if(started && (type != SU_RESTART) && (type != SU_RESUME))
    {
        // After an orderly shutdown the values recovered from NV are usable,
        // so only this path replaces them.
        // Get a new random commit nonce
        // NOTE(review): the result of CryptRandomGenerate() is not checked
        // here; confirm a failed generation cannot leave a stale nonce in use.
        gr.commitNonce.t.size = sizeof(gr.commitNonce.t.buffer);
        CryptRandomGenerate(gr.commitNonce.t.size, gr.commitNonce.t.buffer);
        // Reset the counter and commit array
        gr.commitCounter = 0;
        MemorySet(gr.commitArray, 0, sizeof(gr.commitArray));
    }
#endif // TPM_ALG_ECC
    return started;
}
/* 10.2.6.6 Algorithm-Independent Functions */
/* 10.2.6.6.1 Introduction */
/* These functions are used generically when a function of a general type (e.g., symmetric
   encryption) is required.  The functions will modify the parameters as required to interface to
   the indicated algorithms. */
/* 10.2.6.6.2 CryptIsAsymAlgorithm() */
/* This function indicates if an algorithm is an asymmetric algorithm. */
/* Return Values Meaning */
/* TRUE if it is an asymmetric algorithm */
/* FALSE if it is not an asymmetric algorithm */
/* Reports whether algID names an asymmetric algorithm that is compiled into this build. Only
   TPM_ALG_RSA and TPM_ALG_ECC are recognized, each only when its ALG_ switch is enabled. */
BOOL
CryptIsAsymAlgorithm(
    TPM_ALG_ID       algID          // IN: algorithm ID
    )
{
#if ALG_RSA
    if(algID == TPM_ALG_RSA)
        return TRUE;
#endif
#if ALG_ECC
    if(algID == TPM_ALG_ECC)
        return TRUE;
#endif
    // Anything else, including an algorithm that is compiled out
    return FALSE;
}
/* 10.2.6.6.3 CryptSecretEncrypt() */
/* This function creates a secret value and its associated secret structure using an asymmetric
   algorithm. */
/* This function is used by TPM2_Rewrap(), TPM2_MakeCredential(), and TPM2_Duplicate(). */
/* Error Returns Meaning */
/* TPM_RC_ATTRIBUTES keyHandle does not reference a valid decryption key */
/* TPM_RC_KEY invalid ECC key (public point is not on the curve) */
/* TPM_RC_SCHEME RSA key with an unsupported padding scheme */
/* TPM_RC_VALUE numeric value of the data to be decrypted is greater than the RSA key modulus */
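/* Creates a secret value and the structure that conveys it to the holder of encryptKey.
   For an RSA key the secret is random and is encrypted with OAEP using the key's nameAlg.
   For an ECC key an ephemeral key pair is created, its public point is marshaled into
   `secret`, and the secret value is derived with KDFe from the ECDH result. The ephemeral
   private scalar and the ECDH point are wiped before the ECC case is left.

   data->t.size is written before the decrypt attribute is checked, so it has already been
   modified when TPM_RC_ATTRIBUTES is returned.

   Returns:
     TPM_RC_FAILURE     data or secret is NULL
     TPM_RC_ATTRIBUTES  encryptKey does not have the decrypt attribute
     TPM_RC_KEY         ECC public point is not on the curve, or the point multiply failed
     TPM_RC_SUCCESS     data and secret have been filled in
     otherwise          whatever CryptRsaEncrypt() returns */
TPM_RC
CryptSecretEncrypt(
    OBJECT                  *encryptKey,    // IN: encryption key object
    const TPM2B             *label,         // IN: a null-terminated string as L
    TPM2B_DATA              *data,          // OUT: secret value
    TPM2B_ENCRYPTED_SECRET  *secret         // OUT: secret structure
    )
{
    TPMT_RSA_DECRYPT         scheme;
    TPM_RC                   result = TPM_RC_SUCCESS;
    //
    if(data == NULL || secret == NULL)
        return TPM_RC_FAILURE;
    // The output secret value has the size of the digest produced by the nameAlg.
    data->t.size = CryptHashGetDigestSize(encryptKey->publicArea.nameAlg);
    // The encryption scheme is OAEP using the nameAlg of the encrypt key.
    scheme.scheme = TPM_ALG_OAEP;
    scheme.details.anySig.hashAlg = encryptKey->publicArea.nameAlg;
    if(!IS_ATTRIBUTE(encryptKey->publicArea.objectAttributes, TPMA_OBJECT, decrypt))
        return TPM_RC_ATTRIBUTES;
    switch(encryptKey->publicArea.type)
    {
#if ALG_RSA
        case TPM_ALG_RSA:
        {
            // Create secret data from RNG
            // NOTE(review): the result of CryptRandomGenerate() is not
            // checked; confirm a failed generation cannot yield a
            // predictable secret.
            CryptRandomGenerate(data->t.size, data->t.buffer);
            // Encrypt the data by RSA OAEP into encrypted secret
            result = CryptRsaEncrypt((TPM2B_PUBLIC_KEY_RSA *)secret, &data->b,
                                     encryptKey, &scheme, label, NULL);
        }
        break;
#endif //TPM_ALG_RSA
#if ALG_ECC
        case TPM_ALG_ECC:
        {
            TPMS_ECC_POINT      eccPublic;
            TPM2B_ECC_PARAMETER eccPrivate;
            TPMS_ECC_POINT      eccSecret;
            BYTE                *buffer = secret->t.secret;
            // Need to make sure that the public point of the key is on the
            // curve defined by the key.
            if(!CryptEccIsPointOnCurve(
                   encryptKey->publicArea.parameters.eccDetail.curveID,
                   &encryptKey->publicArea.unique.ecc))
                result = TPM_RC_KEY;
            else
            {
                // Call crypto engine to create an auxiliary ECC key
                // We assume crypt engine initialization should always succeed.
                // Otherwise, TPM should go to failure mode.
                // NOTE(review): the result of CryptEccNewKeyPair() is not
                // checked, so a failed generation would leave eccPublic and
                // eccPrivate unset -- confirm that failure cannot return here.
                CryptEccNewKeyPair(&eccPublic, &eccPrivate,
                                   encryptKey->publicArea.parameters.eccDetail.curveID);
                // Marshal ECC public to secret structure. This will be used by the
                // recipient to decrypt the secret with their private key.
                secret->t.size = TPMS_ECC_POINT_Marshal(&eccPublic, &buffer, NULL);
                // Compute ECDH shared secret which is R = [d]Q where d is the
                // private part of the ephemeral key and Q is the public part of a
                // TPM key. TPM_RC_KEY error return from CryptComputeECDHSecret
                // because the auxiliary ECC key is just created according to the
                // parameters of input ECC encrypt key.
                if(CryptEccPointMultiply(&eccSecret,
                                         encryptKey->publicArea.parameters.eccDetail.curveID,
                                         &encryptKey->publicArea.unique.ecc, &eccPrivate,
                                         NULL, NULL) != TPM_RC_SUCCESS)
                    result = TPM_RC_KEY;
                else
                {
                    // The secret value is computed from Z using KDFe as:
                    // secret := KDFe(HashID, Z, Use, PartyUInfo, PartyVInfo, bits)
                    // Where:
                    //  HashID  the nameAlg of the decrypt key
                    //  Z   the x coordinate (Px) of the product (P) of the point
                    //      (Q) of the secret and the private x coordinate (de,V)
                    //      of the decryption key
                    //  Use a null-terminated string containing "SECRET"
                    //  PartyUInfo  the x coordinate of the point in the secret
                    //              (Qe,U )
                    //  PartyVInfo  the x coordinate of the public key (Qs,V )
                    //  bits    the number of bits in the digest of HashID
                    // Retrieve seed from KDFe
                    CryptKDFe(encryptKey->publicArea.nameAlg, &eccSecret.x.b,
                              label, &eccPublic.x.b,
                              &encryptKey->publicArea.unique.ecc.x.b,
                              data->t.size * 8, data->t.buffer);
                }
            }
            // The ephemeral private scalar and the ECDH point are enough to
            // recompute the secret; do not leave them on the stack.
            // NOTE(review): if MemorySet() can be inlined and elided as a
            // dead store, use a wipe the optimizer cannot remove -- confirm.
            MemorySet(&eccPrivate, 0, sizeof(eccPrivate));
            MemorySet(&eccSecret, 0, sizeof(eccSecret));
        }
        break;
#endif //TPM_ALG_ECC
        default:
            // Only RSA and ECC keys are expected here; any other type is
            // treated as an internal error.
            FAIL(FATAL_ERROR_INTERNAL);
            break;
    }
    return result;
}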
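/* 10.2.6.6.4 CryptSecretDecrypt() */
/* Decrypt a secret value with an asymmetric (RSA, ECC) or a symmetric (KEYEDHASH, SYMCIPHER) key.
   This function is used for ActivateCredential() and Import for asymmetric decryption, and
   StartAuthSession() for both asymmetric and symmetric decryption. */
/* 'data' is an output: this function sets data->t.size itself and never relies on the value the
   caller left there. The KEYEDHASH branch de-obfuscates 'secret' in place before copying it to
   'data', so the caller's 'secret' buffer is modified on that path. The KEYEDHASH and SYMCIPHER
   branches dereference 'nonceCaller', so it must not be NULL for those key types. */
/* Error Returns Meaning */
/* TPM_RC_ATTRIBUTES RSA key is not a decryption key */
/* TPM_RC_BINDING Invalid RSA key (public and private parts are not cryptographically bound. */
/* TPM_RC_ECC_POINT ECC point in the secret is not on the curve */
/* TPM_RC_INSUFFICIENT failed to retrieve ECC point from the secret */
/* TPM_RC_NO_RESULT multiplication resulted in ECC point at infinity */
/* TPM_RC_SCHEME RSA key scheme is neither TPM_ALG_NULL nor OAEP, or its hash algorithm has a
   digest size of zero */
/* TPM_RC_SIZE data to decrypt is not of the same size as RSA key */
/* TPM_RC_VALUE For RSA key, numeric value of the encrypted data is greater than the modulus, or the
   recovered data is larger than the output buffer. For keyedHash or symmetric key, the secret is
   larger than the size of the digest produced by the name algorithm. */
/* TPM_RC_FAILURE internal error (for a symmetric key: block size of zero, nonce larger than the IV
   buffer, or secret larger than the output buffer) */
TPM_RC
CryptSecretDecrypt(
		   OBJECT                 *decryptKey,    // IN: decrypt key
		   TPM2B_NONCE             *nonceCaller,   // IN: nonceCaller.  It is needed for
		   //     symmetric decryption.  For
		   //     asymmetric decryption, this
		   //     parameter is NULL
		   const TPM2B             *label,         // IN: a value for L
		   TPM2B_ENCRYPTED_SECRET  *secret,        // IN: input secret
		   TPM2B_DATA              *data           // OUT: decrypted secret value
		   )
{
    TPM_RC      result = TPM_RC_SUCCESS;
    // Decryption for secret
    switch(decryptKey->publicArea.type)
	{
#if ALG_RSA
	  case TPM_ALG_RSA:
	      {
		  TPMT_RSA_DECRYPT        scheme;
		  TPMT_RSA_SCHEME         *keyScheme
		      = &decryptKey->publicArea.parameters.rsaDetail.scheme;
		  UINT16                   digestSize;
		  scheme = *(TPMT_RSA_DECRYPT *)keyScheme;
		  // If the key scheme is TPM_ALG_NULL, set the scheme to OAEP and
		  // set the algorithm to the name algorithm.
		  if(scheme.scheme == TPM_ALG_NULL)
		      {
			  // Use OAEP scheme
			  scheme.scheme = TPM_ALG_OAEP;
			  scheme.details.oaep.hashAlg = decryptKey->publicArea.nameAlg;
		      }
		  // use the digestSize as an indicator of whether or not the scheme
		  // is using a supported hash algorithm.
		  // Note: depending on the scheme used for encryption, a hashAlg might
		  // not be needed. However, the return value has to have some upper
		  // limit on the size. In this case, it is the size of the digest of the
		  // hash algorithm. It is checked after the decryption is done but, there
		  // is no point in doing the decryption if the size is going to be
		  // 'wrong' anyway.
		  digestSize = CryptHashGetDigestSize(scheme.details.oaep.hashAlg);
		  // Only OAEP is accepted for secret exchange; any other scheme on the
		  // key is rejected before the private key is used.
		  if(scheme.scheme != TPM_ALG_OAEP || digestSize == 0)
		      return TPM_RC_SCHEME;
		  // Set the output buffer capacity
		  data->t.size = sizeof(data->t.buffer);
		  // Decrypt seed by RSA OAEP
		  result = CryptRsaDecrypt(&data->b, &secret->b,
					   decryptKey, &scheme, label);
		  // A recovered seed longer than the digest is not a valid seed
		  if((result == TPM_RC_SUCCESS) && (data->t.size > digestSize))
		      result = TPM_RC_VALUE;
	      }
	      break;
#endif //TPM_ALG_RSA
#if ALG_ECC
	  case TPM_ALG_ECC:
	      {
		  TPMS_ECC_POINT       eccPublic;
		  TPMS_ECC_POINT       eccSecret;
		  BYTE                *buffer = secret->t.secret;
		  INT32                size = secret->t.size;
		  // Retrieve ECC point from secret buffer. The remaining-size counter
		  // is handed to the unmarshaling code so that it can stop at the end
		  // of the secret.
		  result = TPMS_ECC_POINT_Unmarshal(&eccPublic, &buffer, &size);
		  if(result == TPM_RC_SUCCESS)
		      {
			  // Z = [d]Q with d the private key of decryptKey and Q the
			  // point supplied in the secret
			  result = CryptEccPointMultiply(&eccSecret,
							 decryptKey->publicArea.parameters.eccDetail.curveID,
							 &eccPublic, &decryptKey->sensitive.sensitive.ecc,
							 NULL, NULL);
			  if(result == TPM_RC_SUCCESS)
			      {
				  // Set the size of the "recovered" secret value to be the size
				  // of the digest produced by the nameAlg.
				  data->t.size =
				      CryptHashGetDigestSize(decryptKey->publicArea.nameAlg);
				  // The secret value is computed from Z using KDFe as:
				  // secret := KDFe(HashID, Z, Use, PartyUInfo, PartyVInfo, bits)
				  // Where:
				  //  HashID -- the nameAlg of the decrypt key
				  //  Z --  the x coordinate (Px) of the product (P) of the point
				  //        (Q) of the secret and the private x coordinate (de,V)
				  //        of the decryption key
				  //  Use -- a null-terminated string containing "SECRET"
				  //  PartyUInfo -- the x coordinate of the point in the secret
				  //              (Qe,U )
				  //  PartyVInfo -- the x coordinate of the public key (Qs,V )
				  //  bits -- the number of bits in the digest of HashID
				  // Retrieve seed from KDFe
				  CryptKDFe(decryptKey->publicArea.nameAlg, &eccSecret.x.b, label,
					    &eccPublic.x.b,
					    &decryptKey->publicArea.unique.ecc.x.b,
					    data->t.size * 8, data->t.buffer);
			      }
		      }
	      }
	      break;
#endif //TPM_ALG_ECC
#if !ALG_KEYEDHASH
#   error   "KEYEDHASH support is required"
#endif
	  case TPM_ALG_KEYEDHASH:
	    // The seed size can not be bigger than the digest size of nameAlg
	    if(secret->t.size >
	       CryptHashGetDigestSize(decryptKey->publicArea.nameAlg))
		result = TPM_RC_VALUE;
	    else
		{
		    // Retrieve seed by XOR Obfuscation:
		    //    seed = XOR(secret, hash, key, nonceCaller, nullNonce)
		    //    where:
		    //    secret  the secret parameter from the TPM2_StartAuthHMAC
		    //            command that contains the seed value
		    //    hash    nameAlg  of tpmKey
		    //    key     the key or data value in the object referenced by
		    //            entityHandle in the TPM2_StartAuthHMAC command
		    //    nonceCaller the parameter from the TPM2_StartAuthHMAC command
		    //    nullNonce   a zero-length nonce
		    // XOR Obfuscation in place
		    CryptXORObfuscation(decryptKey->publicArea.nameAlg,
					&decryptKey->sensitive.sensitive.bits.b,
					&nonceCaller->b, NULL,
					secret->t.size, secret->t.secret);
		    // Copy decrypted seed
		    MemoryCopy2B(&data->b, &secret->b, sizeof(data->t.buffer));
		}
	    break;
	  case TPM_ALG_SYMCIPHER:
	      {
		  TPM2B_IV                iv = {{0}};
		  TPMT_SYM_DEF_OBJECT     *symDef;
		  // The seed size can not be bigger than the digest size of nameAlg
		  if(secret->t.size >
		     CryptHashGetDigestSize(decryptKey->publicArea.nameAlg))
		      result = TPM_RC_VALUE;
		  else
		      {
			  symDef = &decryptKey->publicArea.parameters.symDetail.sym;
			  iv.t.size = CryptGetSymmetricBlockSize(symDef->algorithm,
								 symDef->keyBits.sym);
			  if(iv.t.size == 0)
			      return TPM_RC_FAILURE;
			  // The IV is the leading block of nonceCaller; a shorter nonce is
			  // used as is and the rest of the zero-initialized IV stays zero.
			  if(nonceCaller->t.size >= iv.t.size)
			      {
				  MemoryCopy(iv.t.buffer, nonceCaller->t.buffer, iv.t.size);
			      }
			  else
			      {
				  if(nonceCaller->t.size > sizeof(iv.t.buffer))
				      return TPM_RC_FAILURE;
				  MemoryCopy(iv.t.buffer, nonceCaller->t.buffer,  // libtpms changed: use iv.t.buffer
					     nonceCaller->t.size);
			      }
			  // make sure secret will fit. 'data' is an output, so the limit
			  // is the capacity of its buffer (as in the RSA and KEYEDHASH
			  // branches) and not whatever size value the caller left in it.
			  if(secret->t.size > sizeof(data->t.buffer))
			      return TPM_RC_FAILURE;
			  data->t.size = secret->t.size;
			  // CFB decrypt, using nonceCaller as iv
			  CryptSymmetricDecrypt(data->t.buffer, symDef->algorithm,
						symDef->keyBits.sym,
						decryptKey->sensitive.sensitive.sym.t.buffer,
						&iv, TPM_ALG_CFB, secret->t.size,
						secret->t.secret);
		      }
	      }
	      break;
	  default:
	    FAIL(FATAL_ERROR_INTERNAL);
	    break;
	}
    return result;
}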
/* 10.2.6.6.5 CryptParameterEncryption() */
/* Encrypts a response parameter in place. The number of bytes to encrypt is read from the size
   field at the start of 'buffer'; encryption starts right after that field. */
/* NOTE(review): no buffer length is passed in, so this function cannot check the size field
   against the space that 'buffer' really has -- presumably the caller guarantees it; confirm at
   the call sites. */
void
CryptParameterEncryption(
			 TPM_HANDLE       handle,            // IN: encrypt session handle
			 TPM2B           *nonceCaller,       // IN: nonce caller
			 UINT16           leadingSizeInByte, // IN: the size of the leading size field in
			 //     bytes
			 TPM2B_AUTH      *extraKey,          // IN: additional key material other than
			 //     sessionAuth
			 BYTE            *buffer             // IN/OUT: parameter buffer to be encrypted
			 )
{
    SESSION     *encSession = SessionGet(handle);   // session that carries the keys
    TPM2B_TYPE(TEMP_KEY, (sizeof(extraKey->t.buffer)
			  + sizeof(encSession->sessionKey.t.buffer)));
    TPM2B_TEMP_KEY       encKey;                    // sessionKey || extraKey
    UINT32               dataSize = 0;              // number of bytes to encrypt
    // Read the size field and step over it
    switch(leadingSizeInByte)
	{
	  case 2:
	    dataSize = (UINT32)BYTE_ARRAY_TO_UINT16(buffer);
	    buffer += 2;
	    break;
#ifdef      TPM4B
	  case 4:
	    dataSize = BYTE_ARRAY_TO_UINT32(buffer);
	    buffer += 4;
	    break;
#endif
	  default:
	    // any other width of the size field is an internal error
	    FAIL(FATAL_ERROR_INTERNAL);
	    break;
	}
    // The encryption key is the session key followed by the extra key; both
    // copies are limited to the capacity of encKey.
    MemoryCopy2B(&encKey.b, &encSession->sessionKey.b, sizeof(encKey.t.buffer));
    MemoryConcat2B(&encKey.b, &extraKey->b, sizeof(encKey.t.buffer));
    if(encSession->symmetric.algorithm != TPM_ALG_XOR)
	{
	    // every other session algorithm goes to the symmetric cipher path
	    ParmEncryptSym(encSession->symmetric.algorithm, encSession->authHashAlg,
			   encSession->symmetric.keyBits.aes, &(encKey.b),
			   nonceCaller, &(encSession->nonceTPM.b),
			   dataSize, buffer);
	    return;
	}
    // XOR parameter encryption formulation:
    //    XOR(parameter, hash, sessionAuth, nonceNewer, nonceOlder)
    // For a response, nonceTPM is the newer nonce.
    CryptXORObfuscation(encSession->authHashAlg, &(encKey.b),
			&(encSession->nonceTPM.b),
			nonceCaller, dataSize, buffer);
}
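/* 10.2.6.6.6 CryptParameterDecryption() */
/* This function does in-place decryption of a command parameter. The parameter starts with a size
   field of 'leadingSizeInByte' bytes that gives the number of bytes to decrypt; 'bufferSize' is
   the number of bytes available in 'buffer', size field included. */
/* Both the size field and the data it announces are checked against 'bufferSize' before anything
   is read or decrypted, so a size value taken from the command can not move the operation past
   the end of the parameter buffer. */
/* Error Returns Meaning */
/* TPM_RC_INSUFFICIENT The input buffer is too short to hold the leading size field. */
/* TPM_RC_SIZE The number of bytes in the input buffer is less than the number of bytes to be
   decrypted. */
TPM_RC
CryptParameterDecryption(
			 TPM_HANDLE       handle,            // IN: encrypted session handle
			 TPM2B           *nonceCaller,       // IN: nonce caller
			 UINT32           bufferSize,        // IN: size of parameter buffer
			 UINT16           leadingSizeInByte, // IN: the size of the leading size field in
			 //     byte
			 TPM2B_AUTH      *extraKey,          // IN: the authValue
			 BYTE            *buffer             // IN/OUT: parameter buffer to be decrypted
			 )
{
    SESSION         *session = SessionGet(handle);  // encrypt session
    // The HMAC key is going to be the concatenation of the session key and any
    // additional key material (like the authValue). The size of both of these
    // is the size of the buffer which can contain a TPMT_HA.
    TPM2B_TYPE(HMAC_KEY, (sizeof(extraKey->t.buffer)
			  + sizeof(session->sessionKey.t.buffer)));
    TPM2B_HMAC_KEY          key;            // decryption key
    UINT32                  cipherSize = 0; // size of cipher text
    // Retrieve encrypted data size.
    if(leadingSizeInByte == 2)
	{
	    // The size field is part of the buffer: it has to fit before it is
	    // read, and it is deducted from the space left for the cipher text.
	    if(bufferSize < 2)
		return TPM_RC_INSUFFICIENT;
	    // The first two bytes of the buffer are the size of the
	    // data to be decrypted
	    cipherSize = (UINT32)BYTE_ARRAY_TO_UINT16(buffer);
	    buffer = &buffer[2];   // advance the buffer
	    bufferSize -= 2;
	}
#ifdef  TPM4B
    else if(leadingSizeInByte == 4)
	{
	    // same rule for the four byte size field
	    if(bufferSize < 4)
		return TPM_RC_INSUFFICIENT;
	    // the leading size is four bytes so get the four byte size field
	    cipherSize = BYTE_ARRAY_TO_UINT32(buffer);
	    buffer = &buffer[4];   //advance pointer
	    bufferSize -= 4;
	}
#endif
    else
	{
	    FAIL(FATAL_ERROR_INTERNAL);
	}
    // bufferSize now counts only the bytes that follow the size field
    if(cipherSize > bufferSize)
	return TPM_RC_SIZE;
    // Compute decryption key by concatenating sessionAuth with extra input key
    MemoryCopy2B(&key.b, &session->sessionKey.b, sizeof(key.t.buffer));
    MemoryConcat2B(&key.b, &extraKey->b, sizeof(key.t.buffer));
    if(session->symmetric.algorithm == TPM_ALG_XOR)
	// XOR parameter decryption formulation:
	//    XOR(parameter, hash, sessionAuth, nonceNewer, nonceOlder)
	// Call XOR obfuscation function
	CryptXORObfuscation(session->authHashAlg, &key.b, nonceCaller,
			    &(session->nonceTPM.b), cipherSize, buffer);
    else
	// Assume that it is one of the symmetric block ciphers.
	ParmDecryptSym(session->symmetric.algorithm, session->authHashAlg,
		       session->symmetric.keyBits.sym,
		       &key.b, nonceCaller, &session->nonceTPM.b,
		       cipherSize, buffer);
    return TPM_RC_SUCCESS;
}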
/* 10.2.6.6.7 CryptComputeSymmetricUnique() */
/* Computes the 'unique' field of the public area of a symmetric object from the seedValue and the
   sensitive data of the object, using the name algorithm of the object. Objects that are both
   restricted and decrypt (parents) get an HMAC keyed with the seedValue, all others get a plain
   hash of seedValue || sensitive. */
void
CryptComputeSymmetricUnique(
			    TPMT_PUBLIC     *publicArea,    // IN: the object's public area
			    TPMT_SENSITIVE  *sensitive,     // IN: the associated sensitive area
			    TPM2B_DIGEST    *unique         // OUT: unique buffer
			    )
{
    if(!IS_ATTRIBUTE(publicArea->objectAttributes, TPMA_OBJECT, restricted)
       || !IS_ATTRIBUTE(publicArea->objectAttributes, TPMA_OBJECT, decrypt))
	{
	    // Not a parent:
	    // Unique := Hash(sensitive->seedValue || sensitive->sensitive)
	    HASH_STATE  digestCtx;
	    unique->t.size = CryptHashStart(&digestCtx, publicArea->nameAlg);
	    CryptDigestUpdate2B(&digestCtx, &sensitive->seedValue.b);
	    CryptDigestUpdate2B(&digestCtx, &sensitive->sensitive.any.b);
	    CryptHashEnd2B(&digestCtx, &unique->b);
	}
    else
	{
	    // Parent (symmetric and derivation):
	    // Unique := HMAC(sensitive->seedValue, sensitive->sensitive)
	    HMAC_STATE      macCtx;
	    unique->b.size = CryptHmacStart2B(&macCtx, publicArea->nameAlg,
					      &sensitive->seedValue.b);
	    CryptDigestUpdate2B(&macCtx.hashState,
				&sensitive->sensitive.any.b);
	    CryptHmacEnd2B(&macCtx, &unique->b);
	}
}
/* 10.2.6.6.8 CryptCreateObject() */
/* Creates the key material of an object. For an asymmetric key a key pair is generated; for a
   symmetric object (TPM_ALG_SYMCIPHER or TPM_ALG_KEYEDHASH) the type-specific generator is called
   with the caller's sensitive creation data. In all cases a seedValue of the digest size of
   nameAlg is drawn from 'rand'. For symmetric objects the seed is used to compute the public
   unique value; for asymmetric keys that are not parents the seed is cleared again. Finally the
   name of the object is computed. */
/* All random values come from 'rand', so an object is deterministic when the caller hands in a
   seeded generator state, as is needed for Primary Objects and Derived Objects.
   NOTE(review): the specification text speaks of seed, label, context and proof inputs; the
   signature here takes only a RAND_STATE, so those are presumably folded into 'rand' by the
   caller -- confirm. */
/* Error Returns Meaning */
/* TPM_RC_KEY a provided key is not an allowed value */
/* TPM_RC_KEY_SIZE key size in the public area does not match the size in the sensitive creation
   area for a symmetric key */
/* TPM_RC_NO_RESULT unable to get random values (only in derivation) */
/* TPM_RC_RANGE for an RSA key, the exponent is not supported */
/* TPM_RC_SIZE sensitive data size is larger than allowed for the scheme for a keyed hash object */
/* TPM_RC_VALUE exponent is not prime or could not find a prime using the provided parameters for an
   RSA key; unsupported name algorithm for an ECC key */
/* TPM_RC_FAILURE the TPM entered failure mode while the seed was generated */
TPM_RC
CryptCreateObject(
		  OBJECT                  *object,            // IN: new object structure pointer
		  TPMS_SENSITIVE_CREATE   *sensitiveCreate,   // IN: sensitive creation
		  RAND_STATE              *rand               // IN: the random number generator
		  //      to use
		  )
{
    TPMT_PUBLIC             *pub = &object->publicArea;
    TPMT_SENSITIVE          *sens = &object->sensitive;
    TPM_RC                   rc = TPM_RC_SUCCESS;
    // The sensitive area has the type of the public area and starts with the
    // authorization value given by the caller
    sens->sensitiveType = pub->type;
    sens->authValue = sensitiveCreate->userAuth;
    // When the TPM is the origin of the sensitive data, caller provided data
    // is dropped by setting its size to zero
    if(IS_ATTRIBUTE(pub->objectAttributes, TPMA_OBJECT, sensitiveDataOrigin))
	sensitiveCreate->data.t.size = 0;
    // Key and unique fields for asymmetric keys, only the sensitive value for
    // symmetric objects
    switch(pub->type)
	{
#if ALG_RSA
	  case TPM_ALG_RSA:
	    // RSA gets the whole object so that there is a place for the
	    // private exponent
	    rc = CryptRsaGenerateKey(object, rand);
	    break;
#endif // TPM_ALG_RSA
#if ALG_ECC
	  case TPM_ALG_ECC:
	    rc = CryptEccGenerateKey(pub, sens, rand);
	    break;
#endif // TPM_ALG_ECC
	  case TPM_ALG_SYMCIPHER:
	    rc = CryptGenerateKeySymmetric(pub, sens, sensitiveCreate, rand);
	    break;
	  case TPM_ALG_KEYEDHASH:
	    rc = CryptGenerateKeyedHash(pub, sens, sensitiveCreate, rand);
	    break;
	  default:
	    FAIL(FATAL_ERROR_INTERNAL);
	    break;
	}
    if(rc != TPM_RC_SUCCESS)
	return rc;
    // For a primary key in the endorsement hierarchy the DRBG state is stirred
    // with both shProof and ehProof before the seed is drawn, to make sure that
    // there is no leakage of either.
    if(object->attributes.primary && object->attributes.epsHierarchy)
	{
	    DRBG_AdditionalData((DRBG_STATE *)rand, &gp.shProof.b);
	    DRBG_AdditionalData((DRBG_STATE *)rand, &gp.ehProof.b);
	}
    // The seedValue has the size of the digest produced by nameAlg
    sens->seedValue.t.size =
	DRBG_Generate(rand, sens->seedValue.t.buffer,
		      CryptHashGetDigestSize(pub->nameAlg));
    if(g_inFailureMode)
	return TPM_RC_FAILURE;
    if(sens->seedValue.t.size == 0)
	return TPM_RC_NO_RESULT;
    if(pub->type == TPM_ALG_SYMCIPHER || pub->type == TPM_ALG_KEYEDHASH)
	{
	    // Symmetric objects: the public unique value is computed from the
	    // seed and the sensitive value
	    CryptComputeSymmetricUnique(pub, sens, &pub->unique.sym);
	}
    else if(IS_ATTRIBUTE(pub->objectAttributes, TPMA_OBJECT, sign)
	    || !IS_ATTRIBUTE(pub->objectAttributes, TPMA_OBJECT, restricted))
	{
	    // An asymmetric key that is not a parent does not keep the seed.
	    // The whole seedValue structure is zeroed, size field included.
	    memset(&sens->seedValue, 0, sizeof(sens->seedValue));
	}
    // Compute the name
    PublicMarshalAndComputeName(pub, &object->name);
    return rc;
}
/* 10.2.6.6.9 CryptGetSignHashAlg() */
/* Convenience accessor that returns the hash algorithm recorded in a TPMT_SIGNATURE. The signature
   algorithm must not be TPM_ALG_NULL; that case is treated as an internal failure. TPM_ALG_NULL is
   returned for ECDAA and for any signature algorithm that is not handled here. */
TPMI_ALG_HASH
CryptGetSignHashAlg(
		    TPMT_SIGNATURE  *auth           // IN: signature
		    )
{
    TPMI_ALG_HASH   sigHash = TPM_ALG_NULL;   // result for everything not matched below
    if(auth->sigAlg == TPM_ALG_NULL)
	FAIL(FATAL_ERROR_INTERNAL);
    // The member that holds the hash depends on the signing scheme
    switch(auth->sigAlg)
	{
#if ALG_RSA
	    // If RSA is supported, both RSASSA and RSAPSS are required
#   if !defined TPM_ALG_RSASSA || !defined TPM_ALG_RSAPSS
#       error "RSASSA and RSAPSS are required for RSA"
#   endif
	  case TPM_ALG_RSASSA:
	    sigHash = auth->signature.rsassa.hash;
	    break;
	  case TPM_ALG_RSAPSS:
	    sigHash = auth->signature.rsapss.hash;
	    break;
#endif //TPM_ALG_RSA
#if ALG_ECC
	    // If ECC is defined, ECDSA is mandatory
#   ifndef  TPM_ALG_ECDSA
#       error "ECDSA is required for ECC"
#   endif
	  case TPM_ALG_ECDSA:
	    // SM2 and ECSCHNORR are optional
#   if ALG_SM2
	  case TPM_ALG_SM2:
#   endif
#   if ALG_ECSCHNORR
	  case TPM_ALG_ECSCHNORR:
#   endif
	    // all ECC signatures are read through the ecdsa member
	    sigHash = auth->signature.ecdsa.hash;
	    break;
#   if ALG_ECDAA
	    // Don't know how to verify an ECDAA signature
	  case TPM_ALG_ECDAA:
	    break;
#   endif
#endif //TPM_ALG_ECC
	  case TPM_ALG_HMAC:
	    sigHash = auth->signature.hmac.hashAlg;
	    break;
	  default:
	    break;
	}
    return sigHash;
}
/* 10.2.6.6.10 CryptIsSplitSign() */
/* This function is used to determine if the signing operation is a split signing operation that
   requires a TPM2_Commit(). Only ECDAA, when it is compiled in, is reported as split signing. */
BOOL
CryptIsSplitSign(
		 TPM_ALG_ID       scheme         // IN: the algorithm selector
		 )
{
    BOOL        needsCommit = FALSE;
    switch(scheme)
	{
#   if ALG_ECDAA
	  case TPM_ALG_ECDAA:
	    needsCommit = TRUE;
	    break;
#   endif   // TPM_ALG_ECDAA
	  default:
	    break;
	}
    return needsCommit;
}
/* 10.2.6.6.11 CryptIsAsymSignScheme() */
/* This function indicates if a scheme algorithm is a signing scheme for the given asymmetric key
   type. It is an allow list: any key type or scheme that is not named below yields FALSE. */
BOOL
CryptIsAsymSignScheme(
		      TPMI_ALG_PUBLIC          publicType,        // IN: Type of the object
		      TPMI_ALG_ASYM_SCHEME     scheme             // IN: the scheme
		      )
{
    switch(publicType)
	{
#if ALG_RSA
	  case TPM_ALG_RSA:
#   if !defined TPM_ALG_RSASSA  || !defined TPM_ALG_RSAPSS
#       error "RSASSA and PSAPSS required if RSA used."
#   endif
	    if(scheme == TPM_ALG_RSASSA || scheme == TPM_ALG_RSAPSS)
		return TRUE;
	    break;
#endif //TPM_ALG_RSA
#if ALG_ECC
	    // If ECC is implemented ECDSA is required
	  case TPM_ALG_ECC:
	    switch(scheme)
		{
		    // Support for ECDSA is required for ECC
		  case TPM_ALG_ECDSA:
#if ALG_ECDAA // ECDAA is optional
		  case TPM_ALG_ECDAA:
#endif
#if ALG_ECSCHNORR // Schnorr is also optional
		  case TPM_ALG_ECSCHNORR:
#endif
#if ALG_SM2 // SM2 is optional
		  case TPM_ALG_SM2:
#endif
		    return TRUE;
		  default:
		    break;
		}
	    break;
#endif //TPM_ALG_ECC
	  default:
	    break;
	}
    // not a known key type / signing scheme combination
    return FALSE;
}
/* 10.2.6.6.12 CryptIsAsymDecryptScheme() */
/* This function indicates if a scheme algorithm is a decryption scheme for the given asymmetric
   key type. It is an allow list: any key type or scheme that is not named below yields FALSE. */
BOOL
CryptIsAsymDecryptScheme(
			 TPMI_ALG_PUBLIC          publicType,        // IN: Type of the object
			 TPMI_ALG_ASYM_SCHEME     scheme             // IN: the scheme
			 )
{
    switch(publicType)
	{
#if ALG_RSA
	  case TPM_ALG_RSA:
	    if(scheme == TPM_ALG_RSAES || scheme == TPM_ALG_OAEP)
		return TRUE;
	    break;
#endif //TPM_ALG_RSA
#if ALG_ECC
	    // If ECC is implemented ECDH is required
	  case TPM_ALG_ECC:
	    switch(scheme)
		{
#if !ALG_ECDH
#   error "ECDH is required for ECC"
#endif
		  case TPM_ALG_ECDH:
#if ALG_SM2
		  case TPM_ALG_SM2:
#endif
#if ALG_ECMQV
		  case TPM_ALG_ECMQV:
#endif
		    return TRUE;
		  default:
		    break;
		}
	    break;
#endif //TPM_ALG_ECC
	  default:
	    break;
	}
    // not a known key type / decryption scheme combination
    return FALSE;
}
/* 10.2.6.6.13 CryptSelectSignScheme() */
/* This function is used by the attestation and signing commands.  It implements the rules for
   selecting the signature scheme to use in signing. This function requires that the signing key
   either be TPM_RH_NULL (signObject == NULL) or be loaded. */
/* Selection rules, in the order they are applied:
   - no signing key: the result is the NULL scheme, whatever the input scheme was;
   - the key has no default scheme: the input scheme is used and must not be NULL;
   - the input scheme is NULL: the default scheme of the key is copied to 'scheme', unless that
     default is a split signing scheme, which needs data from the caller;
   - both are set: scheme and hash algorithm must be equal and the input is left untouched. */
/* This function should not be called if 'signObject->publicArea.type' == TPM_ALG_SYMCIPHER; it
   returns FALSE in that case. */
/* Return Values Meaning */
/* TRUE scheme selected */
/* FALSE both scheme and key's default scheme are empty; or scheme is empty while key's default
   scheme requires explicit input scheme (split signing); or non-empty default key scheme differs
   from scheme */
BOOL
CryptSelectSignScheme(
		      OBJECT              *signObject,    // IN: signing key
		      TPMT_SIG_SCHEME     *scheme         // IN/OUT: signing scheme
		      )
{
    TPMT_SIG_SCHEME     *keyScheme;
    TPMT_PUBLIC         *keyPublic;
    // If the signHandle is TPM_RH_NULL, then the NULL scheme is used, regardless
    // of the setting of scheme
    if(signObject == NULL)
	{
	    scheme->scheme = TPM_ALG_NULL;
	    scheme->details.any.hashAlg = TPM_ALG_NULL;
	    return TRUE;
	}
    keyPublic = &signObject->publicArea;
    // A symmetric cipher can be used to encrypt and decrypt but it can't
    // be used for signing
    if(keyPublic->type == TPM_ALG_SYMCIPHER)
	return FALSE;
    // The default scheme is stored in a different member for asymmetric keys
    // and for keyed hash objects
    keyScheme = CryptIsAsymAlgorithm(keyPublic->type)
	? (TPMT_SIG_SCHEME *)&keyPublic->parameters.asymDetail.scheme
	: (TPMT_SIG_SCHEME *)&keyPublic->parameters.keyedHashDetail.scheme;
    // No default scheme: use the input scheme. Input and default can't both be
    // NULL. Whether the scheme fits the key is not checked here; if it does
    // not, the signing operation generates the error.
    if(keyScheme->scheme == TPM_ALG_NULL)
	return (scheme->scheme != TPM_ALG_NULL);
    if(scheme->scheme == TPM_ALG_NULL)
	{
	    // Input is NULL so the default is used, unless the default requires
	    // scheme data that only the caller can provide
	    if(CryptIsSplitSign(keyScheme->scheme))
		return FALSE;
	    // structure copy rather than a copy of the individual fields
	    *scheme = *keyScheme;
	    return TRUE;
	}
    // Both input and object have scheme selectors, so scheme and hash have to
    // be the same. There is no copy here because the input might contain extra
    // data for a split signing scheme that is not in the object and has to be
    // preserved.
    return (keyScheme->scheme == scheme->scheme)
	&& (keyScheme->details.any.hashAlg == scheme->details.any.hashAlg);
}
/* 10.2.6.6.14 CryptSign() */
/* Sign a digest with an asymmetric key or HMAC. This function is called by attestation commands and
   the generic TPM2_Sign() command. The key scheme and digest size are checked by the type-specific
   signing functions. Whether signing is allowed for a restricted key is NOT checked here; the
   caller has to do that before calling. A key type that can not sign is treated as an internal
   failure. */
/* With a NULL scheme or without a signing key nothing is signed: only signature->sigAlg is set and
   TPM_RC_SUCCESS is returned. */
/* Error Returns Meaning */
/* TPM_RC_SCHEME signScheme is not compatible with the signing key type */
/* TPM_RC_VALUE digest value is greater than the modulus of signHandle or size of hashData does not
   match hash algorithm in signScheme (for an RSA key); invalid commit status or failed to generate
   r value (for an ECC key) */
TPM_RC
CryptSign(
	  OBJECT              *signKey,       // IN: signing key
	  TPMT_SIG_SCHEME     *signScheme,    // IN: sign scheme.
	  TPM2B_DIGEST        *digest,        // IN: The digest being signed
	  TPMT_SIGNATURE      *signature      // OUT: signature
	  )
{
    TPM_RC               rc = TPM_RC_SCHEME;
    // The signature carries the algorithm of the scheme
    signature->sigAlg = signScheme->scheme;
    // Nothing to sign with a NULL key or a NULL signature algorithm
    if((signKey == NULL) || (signature->sigAlg == TPM_ALG_NULL))
	return TPM_RC_SUCCESS;
    // The hash is copied only after the TPM_ALG_NULL check because the null
    // scheme doesn't have a hashAlg member.
    signature->signature.any.hashAlg = signScheme->details.any.hashAlg;
    // Dispatch on the type of the signing key
    switch(signKey->publicArea.type)
	{
#if ALG_RSA
	  case TPM_ALG_RSA:
	    rc = CryptRsaSign(signature, signKey, digest, NULL);
	    break;
#endif //TPM_ALG_RSA
#if ALG_ECC
	  case TPM_ALG_ECC:
	    // Only the ECC signing function gets signScheme: ECC signing may be
	    // split and then needs the 'r' value that is in the scheme but not
	    // in the signature.
	    rc = CryptEccSign(signature, signKey, digest,
			      (TPMT_ECC_SCHEME *)signScheme, NULL);
	    break;
#endif //TPM_ALG_ECC
	  case TPM_ALG_KEYEDHASH:
	    rc = CryptHmacSign(signature, signKey, digest);
	    break;
	  default:
	    FAIL(FATAL_ERROR_INTERNAL);
	    break;
	}
    return rc;
}
/* 10.2.6.6.15 CryptValidateSignature() */
/* This function is used to verify a signature.  It is called by TPM2_VerifySignature() and
   TPM2_PolicySigned(). */
/* Since this operation only requires use of a public key, no consistency checks are made between
   the key and the signature type: a caller can load any public key with any scheme. This routine
   only reports whether the signature is correct for the key it was given, so a successful result
   says nothing about who owns that key. */
/* Error Returns Meaning */
/* TPM_RC_SIGNATURE the signature is not genuine */
/* TPM_RC_SCHEME the scheme is not supported */
/* TPM_RC_HANDLE an HMAC key was selected but the private part of the key is not loaded (returned
   as TPM_RCS_HANDLE) */
TPM_RC
CryptValidateSignature(
		       TPMI_DH_OBJECT   keyHandle,     // IN: The handle of sign key
		       TPM2B_DIGEST    *digest,        // IN: The digest being validated
		       TPMT_SIGNATURE  *signature      // IN: signature
		       )
{
    // NOTE: HandleToObject will either return a pointer to a loaded object or
    // will assert. It will never return a non-valid value, which makes it safe
    // to take the address of the public area without checking the pointer.
    OBJECT              *verifyKey = HandleToObject(keyHandle);
    TPMT_PUBLIC         *keyPublic = &verifyKey->publicArea;
    // The input unmarshaling should prevent any input signature from being
    // a NULL signature, but just in case
    if(signature->sigAlg == TPM_ALG_NULL)
	return TPM_RC_SIGNATURE;
    switch(keyPublic->type)
	{
#if ALG_RSA
	  case TPM_ALG_RSA:
	    return CryptRsaValidateSignature(signature, verifyKey, digest);
#endif //TPM_ALG_RSA
#if ALG_ECC
	  case TPM_ALG_ECC:
	    return CryptEccValidateSignature(signature, verifyKey, digest);
#endif // TPM_ALG_ECC
	  case TPM_ALG_KEYEDHASH:
	    // An HMAC can only be checked with the secret key, so an object
	    // that has only its public part loaded is rejected
	    return verifyKey->attributes.publicOnly
		? TPM_RCS_HANDLE
		: CryptHMACVerifySignature(verifyKey, digest, signature);
	  default:
	    break;
	}
    // key type without a verification function
    return TPM_RC_SCHEME;
}
/* 10.2.6.6.16 CryptGetTestResult */
/* This function returns the results of a self-test function. In this implementation the returned
   buffer is always empty and the return code is always TPM_RC_SUCCESS. */
/* NOTE: the behavior in this function is NOT the correct behavior for a real TPM implementation.
   An artificial behavior is placed here due to the limitation of a software simulation environment.
   For the correct behavior, consult the part 3 specification for TPM2_GetTestResult(). */
TPM_RC
CryptGetTestResult(TPM2B_MAX_BUFFER *outData /* OUT: test result data */)
{
    // No test data is produced here: report a zero-length result.
    outData->t.size = 0;

    return TPM_RC_SUCCESS;
}
/* 10.2.6.6.17 CryptValidateKeys() */
/* This function is used to verify that the key material of an object is valid. For a publicOnly
   object, the key is verified for size and, if it is an ECC key, it is verified to be on the
   specified curve. For a key with a sensitive area, the binding between the public and private
   parts of the key are verified. If the nameAlg of the key is TPM_ALG_NULL, then the size of the
   sensitive area is verified but the public portion is not verified, unless the key is an RSA
   key. For an RSA key, the reason for loading the sensitive area is to use it. The only way to use
   a private RSA key is to compute the private exponent. To compute the private exponent, the public
   modulus is used. */
/* 'blamePublic' and 'blameSensitive' are added to most of the response codes returned below so
   that the caller can tell which input was at fault. */
/* Error Returns Meaning */
/* TPM_RC_BINDING the public and private parts are not cryptographically bound */
/* TPM_RC_HASH cannot have a publicOnly key with nameAlg of TPM_ALG_NULL */
/* TPM_RC_KEY the public unique is not valid */
/* TPM_RC_KEY_SIZE the private area key is not valid */
/* TPM_RC_TYPE the types of the sensitive and private parts do not match */
/* The code below also returns TPM_RCS_SIZE (authValue or seedValue size), TPM_RCS_VALUE (RSA
   public exponent), TPM_RCS_ECC_POINT (public point not on the curve), TPM_RCS_SCHEME (keyed-hash
   scheme) and whatever CryptSymKeyValidate() reports. */
/* NOTE(review): no path in this function returns TPM_RC_HASH; presumably that check is made by
   the caller -- TODO confirm. */
TPM_RC
CryptValidateKeys(
		  TPMT_PUBLIC      *publicArea,      // IN: public area of the object
		  TPMT_SENSITIVE   *sensitive,       // IN: sensitive area, NULL for a public-only object
		  TPM_RC            blamePublic,     // IN: added to codes that fault the public area
		  TPM_RC            blameSensitive   // IN: added to codes that fault the sensitive area
		  )
{
    TPM_RC               result;
    UINT16               keySizeInBytes;
    UINT16               digestSize = CryptHashGetDigestSize(publicArea->nameAlg);
    TPMU_PUBLIC_PARMS   *params = &publicArea->parameters;
    TPMU_PUBLIC_ID      *unique = &publicArea->unique;
    if(sensitive != NULL)
	{
	    // Make sure that the types of the public and sensitive are compatible
	    if(publicArea->type != sensitive->sensitiveType)
		return TPM_RCS_TYPE + blameSensitive;
	    // Make sure that the authValue is not bigger than allowed
	    // If there is no name algorithm, then the size just needs to be less than
	    // the maximum size of the buffer used for authorization. That size check
	    // was made during unmarshaling of the sensitive area
	    // (a digestSize of 0 skips the comparison below)
	    if((sensitive->authValue.t.size) > digestSize && (digestSize > 0))
		return TPM_RCS_SIZE + blameSensitive;
	}
    switch(publicArea->type)
	{
#if ALG_RSA
	  case TPM_ALG_RSA:
	    keySizeInBytes = BITS_TO_BYTES(params->rsaDetail.keyBits);
	    // Regardless of whether there is a sensitive area, the public modulus
	    // needs to have the correct size. Otherwise, it can't be used for
	    // any public key operation nor can it be used to compute the private
	    // exponent.
	    // NOTE: This implementation only supports key sizes that are multiples
	    // of 1024 bits which means that the MSb of the 0th byte will always be
	    // SET in either a prime or the public modulus.
	    if((unique->rsa.t.size != keySizeInBytes)
	       || (unique->rsa.t.buffer[0] < 0x80))
		return TPM_RCS_KEY + blamePublic;
	    // An exponent of 0 is accepted (in TPM 2.0 it selects the default
	    // exponent); any other value below 7 is rejected. Only this lower
	    // bound is checked here.
	    if(params->rsaDetail.exponent != 0
	       && params->rsaDetail.exponent < 7)
		return TPM_RCS_VALUE + blamePublic;
	    if(sensitive != NULL)
		{
		    // If there is a sensitive area, it has to be the correct size
		    // including having the correct high order bit SET.
		    // The stored private value must be exactly half the modulus
		    // size (presumably one prime factor -- confirm).
		    // NOTE(review): no public/private binding check for RSA is
		    // visible in this function; presumably it happens when the
		    // private exponent is computed -- confirm.
		    if(((sensitive->sensitive.rsa.t.size * 2) != keySizeInBytes)
		       || (sensitive->sensitive.rsa.t.buffer[0] < 0x80))
			return TPM_RCS_KEY_SIZE + blameSensitive;
		}
	    break;
#endif // ALG_RSA
#if ALG_ECC
	  case TPM_ALG_ECC:
	      {
		  TPMI_ECC_CURVE      curveId;
		  curveId = params->eccDetail.curveID;
		  keySizeInBytes = BITS_TO_BYTES(CryptEccGetKeySizeForCurve(curveId));
		  if(sensitive == NULL)
		      {
			  // Validate the public key size
			  if(unique->ecc.x.t.size != keySizeInBytes
			     || unique->ecc.y.t.size != keySizeInBytes)
			      return TPM_RCS_KEY + blamePublic;
			  // The on-curve test is skipped when there is no name
			  // algorithm, so such a public-only point is checked for
			  // size only.
			  if(publicArea->nameAlg != TPM_ALG_NULL)
			      {
				  if(!CryptEccIsPointOnCurve(curveId, &unique->ecc))
				      return TPM_RCS_ECC_POINT + blamePublic;
			      }
		      }
		  else
		      {
			  // If the nameAlg is TPM_ALG_NULL, then only verify that the
			  // private part of the key is OK.
			  // In this branch the sizes of the supplied public
			  // coordinates are not compared with keySizeInBytes.
			  // NOTE(review): this return and the two TPM_RCS_BINDING
			  // returns below do not add a blame value, unlike the other
			  // failure paths -- confirm that is intended.
			  if(!CryptEccIsValidPrivateKey(&sensitive->sensitive.ecc,
							curveId))
			      return TPM_RCS_KEY_SIZE;
			  if(publicArea->nameAlg != TPM_ALG_NULL)
			      {
				  // Full key load, verify that the public point belongs to the
				  // private key.
				  // The public point is recomputed from the private
				  // value; a failure of the multiply is reported as a
				  // binding failure too.
				  TPMS_ECC_POINT          toCompare;
				  result = CryptEccPointMultiply(&toCompare, curveId, NULL,
								 &sensitive->sensitive.ecc,
								 NULL, NULL);
				  if(result != TPM_RC_SUCCESS)
				      return TPM_RCS_BINDING;
				  else
				      {
					  // Make sure that the private key generated the public key.
					  // The input values and the values produced by the point
					  // multiply may not be the same size so adjust the computed
					  // value to match the size of the input value by adding or
					  // removing zeros.
					  AdjustNumberB(&toCompare.x.b, unique->ecc.x.t.size);
					  AdjustNumberB(&toCompare.y.b, unique->ecc.y.t.size);
					  if(!MemoryEqual2B(&unique->ecc.x.b, &toCompare.x.b)
					     || !MemoryEqual2B(&unique->ecc.y.b, &toCompare.y.b))
					      return TPM_RCS_BINDING;
				      }
			      }
		      }
		  break;
	      }
#endif // ALG_ECC
	  default:
	    // Checks for SYMCIPHER and KEYEDHASH are largely the same
	    // If public area has a nameAlg, then validate the public area size
	    // and if there is also a sensitive area, validate the binding
	    // For consistency, if the object is public-only just make sure that
	    // the unique field is consistent with the name algorithm
	    // NOTE(review): every type without a case above lands here, and
	    // anything that is not TPM_ALG_SYMCIPHER is handled as a keyed-hash
	    // object; presumably unmarshaling limits 'type' to supported
	    // values -- confirm.
	    if(sensitive == NULL)
		{
		    if(unique->sym.t.size != digestSize)
			return TPM_RCS_KEY + blamePublic;
		}
	    else
		{
		    // Make sure that the key size in the sensitive area is consistent.
		    if(publicArea->type == TPM_ALG_SYMCIPHER)
			{
			    result = CryptSymKeyValidate(&params->symDetail.sym,
							 &sensitive->sensitive.sym);
			    if(result != TPM_RC_SUCCESS)
				return result + blameSensitive;
			}
		    else
			{
			    // For a keyed hash object, the key must not be larger than
			    // the block size of the hash used in the scheme, or 128
			    // bytes when the object has no scheme. The worst case
			    // value is limited by the unmarshaling code, so the only
			    // thing left to be checked is that the key does not exceed
			    // the limit selected below.
			    TPMT_KEYEDHASH_SCHEME       *scheme;
			    UINT16                       maxSize;
			    scheme = &params->keyedHashDetail.scheme;
			    if(scheme->scheme == TPM_ALG_XOR)
				{
				    maxSize = CryptHashGetBlockSize(scheme->details.xorr.hashAlg);
				}
			    else if(scheme->scheme == TPM_ALG_HMAC)
				{
				    maxSize = CryptHashGetBlockSize(scheme->details.hmac.hashAlg);
				}
			    else if(scheme->scheme == TPM_ALG_NULL)
				{
				    // Not signing or xor so must be a data block
				    maxSize = 128;
				}
			    else
				return TPM_RCS_SCHEME + blamePublic;
			    if(sensitive->sensitive.bits.t.size > maxSize)
				return TPM_RCS_KEY_SIZE + blameSensitive;
			}
		    // If there is a nameAlg, check the binding
		    // The unique value is recomputed from the public and
		    // sensitive areas and must equal the one supplied.
		    // NOTE(review): TPM_RC_BINDING is returned without a blame
		    // value here -- confirm that is intended.
		    if(publicArea->nameAlg != TPM_ALG_NULL)
			{
			    TPM2B_DIGEST            compare;
			    if(sensitive->seedValue.t.size != digestSize)
				return TPM_RCS_KEY_SIZE + blameSensitive;
			    CryptComputeSymmetricUnique(publicArea, sensitive, &compare);
			    if(!MemoryEqual2B(&unique->sym.b, &compare.b))
				return TPM_RC_BINDING;
			}
		}
	    break;
	}
    // For a parent, need to check that the seedValue is the correct size for
    // protections. It should be at least half the size of the nameAlg
    // digest and no larger than the digest. A parent is recognised here as
    // an object with both 'restricted' and 'decrypt' SET.
    if(IS_ATTRIBUTE(publicArea->objectAttributes, TPMA_OBJECT, restricted)
       && IS_ATTRIBUTE(publicArea->objectAttributes, TPMA_OBJECT, decrypt)
       && sensitive != NULL
       && publicArea->nameAlg != TPM_ALG_NULL)
	{
	    if((sensitive->seedValue.t.size < (digestSize / 2))
	       || (sensitive->seedValue.t.size > digestSize))
		return TPM_RCS_SIZE + blameSensitive;
	}
    return TPM_RC_SUCCESS;
}
/* 10.2.6.6.18 CryptSelectMac() */
/* This function is used to set the MAC scheme based on the key parameters and the input scheme.
   If the caller passes TPM_ALG_NULL in '*inMac', the algorithm fixed in the key is written back
   to '*inMac'; otherwise the caller's choice must agree with the key when the key fixes one. */
/* Error Returns Meaning */
/* TPM_RC_SCHEME the scheme is not a valid mac scheme */
/* TPM_RC_TYPE the input key is not a type that supports a mac */
/* TPM_RC_VALUE the input scheme and the key scheme are not compatible */
TPM_RC
CryptSelectMac(
	       TPMT_PUBLIC             *publicArea,
	       TPMI_ALG_MAC_SCHEME     *inMac
	       )
{
    // MAC algorithm fixed by the key; stays TPM_ALG_NULL when the key has none
    TPM_ALG_ID              keyMac = TPM_ALG_NULL;

    if(publicArea->type == TPM_ALG_KEYEDHASH)
	{
	    TPMT_KEYEDHASH_SCHEME   *khScheme
		= &publicArea->parameters.keyedHashDetail.scheme;
	    // Expect that the scheme is either HMAC or NULL
	    // NOTE(review): any non-NULL scheme is read through details.hmac;
	    // the scheme itself is not compared with TPM_ALG_HMAC here --
	    // presumably callers only pass signing keys; confirm.
	    if(khScheme->scheme != TPM_ALG_NULL)
		keyMac = khScheme->details.hmac.hashAlg;
	}
    else if(publicArea->type == TPM_ALG_SYMCIPHER)
	{
	    TPMT_SYM_DEF_OBJECT     *symDef = &publicArea->parameters.symDetail.sym;
	    // Expect that the scheme is either valid symmetric cipher or NULL
	    if(symDef->algorithm != TPM_ALG_NULL)
		keyMac = symDef->mode.sym;
	}
    else
	{
	    // Only keyed-hash and symmetric-cipher keys can produce a MAC
	    return TPM_RCS_TYPE;
	}

    if(*inMac == TPM_ALG_NULL)
	{
	    // The caller left the choice to the key, so the key has to make one
	    if(keyMac == TPM_ALG_NULL)
		return TPM_RCS_VALUE;
	    // Written back before the validity check below, so '*inMac' stays
	    // modified even when TPM_RCS_SCHEME is returned
	    *inMac = keyMac;
	}
    else if((keyMac != TPM_ALG_NULL) && (*inMac != keyMac))
	{
	    // The caller chose an algorithm that differs from the one in the key
	    return TPM_RCS_VALUE;
	}

    // FALSE: TPM_ALG_NULL is not an acceptable result at this point
    return CryptMacIsValidForKey(publicArea->type, *inMac, FALSE)
	? TPM_RC_SUCCESS
	: TPM_RCS_SCHEME;
}
/* 10.2.6.6.19 CryptMacIsValidForKey() */
/* Check to see if the key type is compatible with the mac type. A keyed-hash key is checked with
   CryptHashIsValidAlg() and a symmetric-cipher key with CryptSmacIsValidAlg(); 'flag' is passed
   through to both. Every other key type yields FALSE. */
BOOL
CryptMacIsValidForKey(
		      TPM_ALG_ID          keyType,
		      TPM_ALG_ID          macAlg,
		      BOOL                flag
		      )
{
    if(keyType == TPM_ALG_KEYEDHASH)
	return CryptHashIsValidAlg(macAlg, flag);

    if(keyType == TPM_ALG_SYMCIPHER)
	return CryptSmacIsValidAlg(macAlg, flag);

    // No other key type supports a MAC
    return FALSE;
}
/* 10.2.6.6.20 CryptSmacIsValidAlg() */
/* This function is used to test if an algorithm is a supported SMAC algorithm. It needs to be
   updated as new algorithms are added; an algorithm that is not listed here is reported as
   not valid. */
BOOL
CryptSmacIsValidAlg(
		    TPM_ALG_ID      alg,
		    BOOL            FLAG        // IN: Indicates if TPM_ALG_NULL is valid
		    )
{
#if ALG_CMAC
    // CMAC is accepted only when it is compiled in
    if(alg == TPM_ALG_CMAC)
	return TRUE;
#endif
    // TPM_ALG_NULL is as valid as the caller says it is
    if(alg == TPM_ALG_NULL)
	return FLAG;

    return FALSE;
}
/* 10.2.6.6.21 CryptSymModeIsValid() */
/* Function checks to see if an algorithm ID is a valid, symmetric block cipher mode for the TPM. If
   flag is SET, then TPM_ALG_NULL is a valid mode. This does not include the modes used for SMAC. */
BOOL
CryptSymModeIsValid(
		    TPM_ALG_ID          mode,
		    BOOL                flag
		    )
{
    // Anything not matched below is not a valid mode
    BOOL        isValid = FALSE;

    switch(mode)
	{
	  case TPM_ALG_NULL:
	    // The caller decides whether "no mode" is acceptable
	    isValid = flag;
	    break;
	    // Only the modes that are compiled in are accepted
#if         ALG_ECB
	  case TPM_ALG_ECB:
#endif // ALG_ECB
#if         ALG_CFB
	  case TPM_ALG_CFB:
#endif // ALG_CFB
#if         ALG_CBC
	  case TPM_ALG_CBC:
#endif // ALG_CBC
#if         ALG_OFB
	  case TPM_ALG_OFB:
#endif // ALG_OFB
#if         ALG_CTR
	  case TPM_ALG_CTR:
#endif // ALG_CTR
	    isValid = TRUE;
	    break;
	  default:
	    break;
	}
    return isValid;
}