File tpm2-totp-20240326.33e1986.obscpio of Package tpm2-totp
07070100000000000041ED0000000000000000000000026602CAFD00000000000000000000000000000000000000000000001F00000000tpm2-totp-20240326.33e1986/.ci07070100000001000081ED0000000000000000000000016602CAFD00000C15000000000000000000000000000000000000002C00000000tpm2-totp-20240326.33e1986/.ci/coverity.run#!/usr/bin/env bash
# SPDX-License-Identifier: BSD-2
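set -euo pipefail

# coverity.run -- build the tree under Coverity's cov-build wrapper and submit
# the result to Coverity Scan.  Runs inside the CI container and only on the
# coverity_scan branch.  Everything it needs comes from the environment
# (forwarded into the container via .ci/docker.env):
#   PROJECT                    Coverity project name
#   COVERITY_SCAN_TOKEN        project upload token (secret)
#   COVERITY_SUBMISSION_EMAIL  address Coverity reports the scan to
#   REPO_NAME / REPO_BRANCH    used for the submission description
#   DOCKER_BUILD_DIR           checkout of this repository inside the container
#   CC                         compiler; clang builds are refused below
#
# NOTE: deliberately NOT `set -x` (unlike docker.run): this script handles
# COVERITY_SCAN_TOKEN and a command trace would print it into the CI log.

# Print a diagnostic on stderr and abort.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

echo "PROJECT=${PROJECT:-}"

# Fail fast on missing configuration instead of half-way through a build.
if [ -z "${COVERITY_SCAN_TOKEN:-}" ]; then
  die "coverity.run invoked without COVERITY_SCAN_TOKEN set...exiting!"
fi
if [ -z "${COVERITY_SUBMISSION_EMAIL:-}" ]; then
  die "coverity.run invoked without COVERITY_SUBMISSION_EMAIL set...exiting!"
fi
if [ -z "${PROJECT:-}" ]; then
  die "coverity.run invoked without PROJECT set...exiting!"
fi
if [ -z "${DOCKER_BUILD_DIR:-}" ]; then
  die "coverity.run invoked without DOCKER_BUILD_DIR set...exiting!"
fi

# Sanity check, this should only be executing on the coverity_scan branch
if [[ "${REPO_BRANCH:-}" != *coverity_scan ]]; then
  die "coverity.run invoked for non-coverity branch ${REPO_BRANCH:-}...exiting!"
fi
if [[ "${CC:-}" == clang* ]]; then
  die "Coverity scan branch detected, not running with clang...exiting!"
fi

# branch is coverity_scan
echo "Running coverity build"

# Keep the token off every command line: anything else running in the
# container can read /proc/*/cmdline.  curl reads form/data fields from a
# file with the `name@file` (--data-urlencode) and `name=<file` (--form)
# syntaxes.  mktemp creates the file 0600; it is removed on any exit.
token_file=$(mktemp) || die "coverity.run: mktemp failed...exiting!"
trap 'rm -f -- "$token_file"' EXIT
printf '%s' "$COVERITY_SCAN_TOKEN" > "$token_file"

# ensure coverity_scan tool is available to the container
# We cannot package these in the docker image, as we would be distributing
# their software for folks not coupled to our COVERITY_SCAN_TOKEN.
if [ ! -f "$PWD/cov-analysis/bin/cov-build" ]; then
  # --fail: a rejected token/project yields a curl error, not an HTML error
  # page silently saved as the "tarball".
  curl --fail --silent --show-error \
    --data-urlencode "project=$PROJECT" \
    --data-urlencode "token@$token_file" \
    "https://scan.coverity.com/download/linux64" -o coverity_tool.tgz
  stat coverity_tool.tgz
  curl --fail --silent --show-error \
    --data-urlencode "project=$PROJECT" \
    --data-urlencode "token@$token_file" \
    --data-urlencode "md5=1" \
    "https://scan.coverity.com/download/linux64" -o coverity_tool.md5
  stat coverity_tool.md5
  cat coverity_tool.md5
  md5sum coverity_tool.tgz
  # Integrity check only: the digest comes from the same server over the same
  # TLS session, so this catches a truncated or corrupted download, not a
  # substituted one.  Two spaces is the canonical `md5sum -c` line format.
  echo "$(cat coverity_tool.md5)  coverity_tool.tgz" | md5sum -c -
  echo "unpacking cov-analysis"
  tar -xf coverity_tool.tgz
  mv cov-analysis-* cov-analysis
fi
export PATH="$PATH:$PWD/cov-analysis/bin"
echo "Which cov-build: $(command -v cov-build)"

# get the deps to build with
"$DOCKER_BUILD_DIR/.ci/get_deps.sh" "$(dirname "$DOCKER_BUILD_DIR")"
pushd "$DOCKER_BUILD_DIR"

echo "Performing build with Coverity Scan"
rm -rf cov-int
./bootstrap && ./configure --disable-defaultflags --enable-debug && make clean
cov-build --dir "$DOCKER_BUILD_DIR/cov-int" make -j "$(nproc)"

echo "Collecting Coverity data for submission"
# The submission README is written at the top of the checkout; any file that
# happens to be called exactly "README" there is overwritten and later removed.
rm -fr README
AUTHOR="$(git log -1 HEAD --pretty="%aN")"
AUTHOR_EMAIL="$(git log -1 HEAD --pretty="%aE")"
VERSION="$(git rev-parse HEAD)"
cat > README <<EOF
Name: $AUTHOR
Email: $AUTHOR_EMAIL
Project: $PROJECT
Build-Version: $VERSION
Description: ${REPO_NAME:-} $REPO_BRANCH
Submitted-by: $PROJECT CI
EOF
echo "---README---"
cat README
echo "---EOF---"

scan_file="$PROJECT-scan.tgz"
rm -f -- "$scan_file"
tar -czf "$scan_file" README cov-int
rm -rf README cov-int

# upload the results
echo "Testing for scan results..."
if [ ! -s "$scan_file" ]; then
  die "coverity.run: $scan_file is missing or empty...exiting!"
fi
echo "Submitting data to Coverity"
curl --fail --silent --show-error \
  --form "token=<$token_file" \
  --form "email=$COVERITY_SUBMISSION_EMAIL" \
  --form "project=$PROJECT" \
  --form "file=@$scan_file" \
  --form "version=$VERSION" \
  --form "description=${REPO_NAME:-} $REPO_BRANCH" \
  "https://scan.coverity.com/builds?project=$PROJECT"
rm -f -- "$scan_file"
popd
exit 0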
07070100000002000081A40000000000000000000000016602CAFD000000FC000000000000000000000000000000000000002A00000000tpm2-totp-20240326.33e1986/.ci/docker.env# SPDX-License-Identifier: BSD-2
PROJECT
DOCKER_BUILD_DIR
LD_LIBRARY_PATH=/usr/local/lib/
CC
COVERITY_SCAN_TOKEN
COVERITY_SUBMISSION_EMAIL
PROJECT
REPO_BRANCH
REPO_NAME
ENABLE_COVERAGE
ENABLE_FUZZING
DOCKER_IMAGE
TPM2TSS_BRANCH
TPM2TOOLS_BRANCH
07070100000003000081ED0000000000000000000000016602CAFD0000030A000000000000000000000000000000000000002A00000000tpm2-totp-20240326.33e1986/.ci/docker.run#!/usr/bin/env bash
# SPDX-License-Identifier: BSD-2
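set -exo pipefail

# docker.run -- the in-container CI entry point: install dependencies,
# configure, build, run the test-suite and `make distcheck`, and optionally
# upload coverage.  Driven entirely by the environment (see .ci/docker.env):
#   DOCKER_BUILD_DIR  checkout of this repository inside the container
#   CC                unset or "gcc": coverage-instrumented build;
#                     anything else: build wrapped in clang's scan-build
#   ENABLE_COVERAGE   "true" uploads coverage to codecov.io
#   CODECOV_BASH_SHA256  optional; when set, the downloaded uploader script
#                     must match this SHA-256 or the job fails
# This script handles no secrets, so the `-x` command trace is fine here.

: "${DOCKER_BUILD_DIR:?DOCKER_BUILD_DIR must be set}"

"$DOCKER_BUILD_DIR/.ci/get_deps.sh" "$(dirname "$DOCKER_BUILD_DIR")"
pushd "$DOCKER_BUILD_DIR"

# Arrays so that multi-word values are passed as separate arguments without
# relying on unquoted word-splitting.
scan_prefix=()
configure_options=()
if [[ -z "${CC:-}" || "$CC" == "gcc" ]]; then
  configure_options+=(--disable-defaultflags --enable-code-coverage)
else
  # --status-bugs: the build fails if the static analyzer reports anything.
  scan_prefix=(scan-build --status-bugs)
fi

rm -rf build
./bootstrap
mkdir build
pushd build
"${scan_prefix[@]}" ../configure "${configure_options[@]}" --enable-integration
"${scan_prefix[@]}" make -j"$(nproc)"
make -j"$(nproc)" check
cat test-suite.log config.log
../configure "${configure_options[@]}"
make -j"$(nproc)" distcheck
cat config.log
popd

if [[ "${ENABLE_COVERAGE:-}" == "true" ]]; then
  # Do not pipe a remote script straight into bash.  Fetch it to a file first
  # (--fail so an HTTP error page is never executed, --proto/--tlsv1.2 so a
  # redirect cannot downgrade the transport), optionally check it against a
  # pinned digest, and only then run it.
  # NOTE(review): the bash uploader is Codecov's legacy path; consider moving
  # to a pinned release of their current uploader when touching this next.
  uploader=$(mktemp)
  curl --fail --silent --show-error --proto '=https' --tlsv1.2 \
    -o "$uploader" https://codecov.io/bash
  if [[ -n "${CODECOV_BASH_SHA256:-}" ]]; then
    echo "$CODECOV_BASH_SHA256  $uploader" | sha256sum -c -
  fi
  bash "$uploader"
  rm -f -- "$uploader"
fi
popd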
07070100000004000081ED0000000000000000000000016602CAFD00000519000000000000000000000000000000000000002B00000000tpm2-totp-20240326.33e1986/.ci/get_deps.sh#!/usr/bin/env bash
# SPDX-License-Identifier: BSD-2
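set -exo pipefail

# get_deps.sh -- install the distro packages and build/install the
# tpm2-software dependencies (tpm2-tss, tpm2-tools) needed by the CI build.
#
# Arguments:
#   $1  directory in which tpm2-tss/ and tpm2-tools/ are (or will be) cloned
# Environment:
#   DOCKER_IMAGE      selects the package manager (fedora*/opensuse*/ubuntu*)
#   TPM2TSS_BRANCH    git branch or tag of tpm2-tss to build
#   TPM2TOOLS_BRANCH  git branch or tag of tpm2-tools to build
# `make install` targets the system prefix, so this must run with the
# privileges to write there (the CI container does).

# Print a diagnostic on stderr and abort.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Clone a tpm2-software repository at the given ref, build it and install it.
# A directory of that name already existing is taken to mean "already
# installed" and the rebuild is skipped (re-runs inside the same container).
#   $1  repository name (tpm2-tss, tpm2-tools)
#   $2  git branch or tag
#   $3.. extra ./configure options
build_and_install() {
  local repo=$1 ref=$2
  shift 2
  if [ -d "$repo" ]; then
    echo "$repo already installed, skipping..."
    return 0
  fi
  # A branch name resolves to whatever the upstream head is at clone time, so
  # two CI runs can build different upstream commits.  Use a tag in the
  # *_BRANCH variables when a reproducible dependency build is wanted.
  git clone --depth=1 -b "$ref" "https://github.com/tpm2-software/$repo.git"
  pushd "$repo"
  ./bootstrap
  ./configure "$@"
  make -j"$(nproc)"
  make install
  popd
}

# Validate inputs before spending time on package installation.
if [ -z "${1:-}" ]; then
  die "usage: $0 <directory for dependency checkouts>"
fi
if [ -z "${TPM2TSS_BRANCH:-}" ]; then
  die "TPM2TSS_BRANCH is unset, please specify TPM2TSS_BRANCH"
fi
if [ -z "${TPM2TOOLS_BRANCH:-}" ]; then
  die "TPM2TOOLS_BRANCH is unset, please specify TPM2TOOLS_BRANCH"
fi

case "${DOCKER_IMAGE:-}" in
  fedora*)
    yum -y install qrencode-devel liboath-devel plymouth-devel
    ;;
  opensuse*)
    zypper -n in qrencode-devel liboath-devel plymouth-devel
    ;;
  ubuntu*)
    apt-get update
    apt-get -y install libqrencode-dev liboath-dev libplymouth-dev plymouth
    ;;
  *)
    # Same as before: no distro packages for an unknown image, but say so.
    echo "DOCKER_IMAGE '${DOCKER_IMAGE:-}' not recognised, skipping distro packages" >&2
    ;;
esac

pushd "$1"
# Install tpm2-tss
build_and_install tpm2-tss "$TPM2TSS_BRANCH" --enable-debug
# Install tpm2-tools
build_and_install tpm2-tools "$TPM2TOOLS_BRANCH" --enable-debug --disable-hardening
popd
exit 0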
07070100000005000041ED0000000000000000000000026602CAFD00000000000000000000000000000000000000000000002300000000tpm2-totp-20240326.33e1986/.github07070100000006000041ED0000000000000000000000026602CAFD00000000000000000000000000000000000000000000002D00000000tpm2-totp-20240326.33e1986/.github/workflows07070100000007000081A40000000000000000000000016602CAFD000006A7000000000000000000000000000000000000003800000000tpm2-totp-20240326.33e1986/.github/workflows/codeql.ymlname: "CodeQL"
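on:
  push:
    branches: [ "master" ]
  pull_request:
    branches: [ "master" ]
  schedule:
    - cron: "12 6 * * 6"

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    # Least privilege for GITHUB_TOKEN: read the tree, upload SARIF results.
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        language: [ cpp ]
    steps:
      # Actions are referenced by major-version tag.  For a stronger
      # supply-chain guarantee pin each `uses:` to a full commit SHA.
      - name: Checkout
        uses: actions/checkout@v3
        with:
          # Nothing in this job pushes; do not leave the token in .git/config
          # where later steps (including the third-party build below) can read it.
          persist-credentials: false
      - name: Install Packages
        run: |
          sudo apt-get update
          sudo apt-get install --yes autoconf-archive libcurl4-openssl-dev libjson-c-dev libssl-dev acl
      # Builds the tpm2-tss dependency from the head of its master branch.
      # That is an unpinned third-party build executed with this job's
      # environment; pin a release tag (`git clone --branch <tag>`) for
      # reproducible, reviewable input.  (An earlier version also downloaded
      # master.tar.gz here and never used it; that fetch has been dropped.)
      - name: After Prepare
        run: |
          cd "$RUNNER_TEMP"
          mkdir installdir
          git clone https://github.com/tpm2-software/tpm2-tss.git
          cd tpm2-tss
          ./bootstrap
          ./configure --prefix="$RUNNER_TEMP/installdir/usr" --disable-doxygen-doc
          make install
          # Export to later steps; the values are what `export` produced before.
          echo "PKG_CONFIG_PATH=$RUNNER_TEMP/installdir/usr/lib/pkgconfig:${PKG_CONFIG_PATH:-}" >> "$GITHUB_ENV"
          echo "LD_LIBRARY_PATH=$RUNNER_TEMP/installdir/usr/lib:${LD_LIBRARY_PATH:-}" >> "$GITHUB_ENV"
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}
          queries: +security-and-quality
      - name: Autobuild
        uses: github/codeql-action/autobuild@v2
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
        with:
          category: "/language:${{ matrix.language }}"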
07070100000008000081A40000000000000000000000016602CAFD00000A40000000000000000000000000000000000000003600000000tpm2-totp-20240326.33e1986/.github/workflows/main.ymlname: Linux Build Status
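on:
  [push, pull_request]

# Least privilege for the default GITHUB_TOKEN: every job below only checks
# the repository out (whitespace-check additionally fetches the base ref);
# none of them pushes.  Jobs that need more can override this per job.
# NOTE(review): tpm2-software/ci/runCI and coverityScan are opaque from here;
# confirm they do not rely on a write-capable token before depending on this.
permissions:
  contents: read

jobs:
  build-test:
    runs-on: ubuntu-latest
    if: "!contains(github.ref, 'coverity_scan')"
    strategy:
      matrix:
        DOCKER_IMAGE: ["ubuntu-18.04", "ubuntu-20.04", "fedora-32", "opensuse-leap"]
        TPM2TSS_BRANCH: ["3.0.x"]
        TPM2TOOLS_BRANCH: ["4.0"]
        CC: ["gcc", "clang"]
    steps:
      - name: Check out repository
        uses: actions/checkout@v2
      # `@main` is a moving reference: whoever can push to tpm2-software/ci
      # decides what runs in this job.  Pin to a release tag or, better, a
      # full commit SHA.
      - name: Launch Action
        uses: tpm2-software/ci/runCI@main
        with:
          DOCKER_IMAGE: "${{ matrix.DOCKER_IMAGE }}"
          TPM2TSS_BRANCH: "${{ matrix.TPM2TSS_BRANCH }}"
          TPM2TOOLS_BRANCH: "${{ matrix.TPM2TOOLS_BRANCH }}"
          CC: "${{ matrix.CC }}"
          PROJECT_NAME: ${{ github.event.repository.name }}
      - name: failure
        if: ${{ failure() }}
        run: cat build/test-suite.log || true

  coverage-test:
    runs-on: ubuntu-latest
    if: "!contains(github.ref, 'coverity_scan')"
    steps:
      - name: Check out repository
        uses: actions/checkout@v2
      - name: Launch Action
        uses: tpm2-software/ci/runCI@main
        with:
          DOCKER_IMAGE: ubuntu-18.04
          TPM2TSS_BRANCH: "3.0.x"
          TPM2TOOLS_BRANCH: "4.0"
          CC: gcc
          ENABLE_COVERAGE: true
          PROJECT_NAME: ${{ github.event.repository.name }}
      - name: failure
        if: ${{ failure() }}
        run: cat build/test-suite.log || true

  coverity-test:
    runs-on: ubuntu-latest
    # The `coverity` environment is what gates access to COVERITY_SCAN_TOKEN;
    # it limits which refs receive the secret, not what the action does with it.
    environment: coverity
    if: contains(github.ref, 'coverity_scan') && github.event_name == 'push'
    steps:
      - name: Check out repository
        uses: actions/checkout@v2
      # This step hands COVERITY_SCAN_TOKEN to code resolved from a moving
      # branch of another repository.  Pinning `uses:` to a tag or commit SHA
      # matters most here.
      - name: Launch Coverity Scan Action
        uses: tpm2-software/ci/coverityScan@main
        with:
          PROJECT_NAME: ${{ github.event.repository.name }}
          ENABLE_COVERITY: true
          TPM2TSS_BRANCH: "3.0.x"
          TPM2TOOLS_BRANCH: "4.0"
          REPO_BRANCH: ${{ github.ref }}
          REPO_NAME: ${{ github.repository }}
          DOCKER_IMAGE: ubuntu-18.04
          CC: gcc
          COVERITY_SCAN_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
          COVERITY_SUBMISSION_EMAIL: diabonas@gmx.de

  whitespace-check:
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request' && !contains(github.ref, 'coverity_scan')
    steps:
      - name: Check out repository
        uses: actions/checkout@v2
      - name: Perform Whitespace Check
        env:
          BASE_REF: ${{ github.base_ref }}
        run: git fetch origin "$BASE_REF" && git diff --check "origin/$BASE_REF"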
07070100000009000081A40000000000000000000000016602CAFD000002A2000000000000000000000000000000000000002500000000tpm2-totp-20240326.33e1986/.lgtm.ymlextraction:
cpp:
prepare:
packages:
- autoconf-archive
- libcurl4-openssl-dev
- libjson-c-dev
- libssl-dev
- acl
after_prepare:
- cd "$LGTM_WORKSPACE"
- mkdir installdir
- wget https://github.com/tpm2-software/tpm2-tss/archive/master.tar.gz
- git clone https://github.com/tpm2-software/tpm2-tss.git
- cd tpm2-tss
- ./bootstrap
- ./configure --prefix="$LGTM_WORKSPACE/installdir/usr" --disable-doxygen-doc
- make install
- export PKG_CONFIG_PATH="$LGTM_WORKSPACE/installdir/usr/lib/pkgconfig:$PKG_CONFIG_PATH"
- export LD_LIBRARY_PATH="$LGTM_WORKSPACE/installdir/usr/lib:$LD_LIBRARY_PATH"
0707010000000A000081A40000000000000000000000016602CAFD00000733000000000000000000000000000000000000002800000000tpm2-totp-20240326.33e1986/CHANGELOG.md# Changelog
All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [0.3.0] - 2020-09-13
### Added
- New option `--label` to specify the label to use in the TOTP authenticator app.
- User-friendly error messages for common error conditions.
- Support for running the integration tests with the swtpm simulator.
## [0.2.1] - 2019-12-28
### Fixed
- Fix `show-tpm2-totp` installation location when using dracut without plymouth.
- Add missing include `endian.h` to improve portability.
- Fix warning for dracut udev rule.
## [0.2.0] - 2019-10-22
### Added
- pkg-config file for libtpm2-totp.
- New option `-T`/`--tcti` to specify the TCTI to be used.
- New binary `plymouth-tpm2-totp` for integration with plymouth during boot.
- Integration into initramfs images using mkinitcpio, dracut and initramfs-tools.
- New option `--disable-defaultflags` to disable default compilation flags.
- tpm2-totp(3) man page for libtpm2-totp.
### Fixed
- Fix overlinking of libqrencode and libdl.
## [0.1.2] - 2019-07-25
### Changed
- Include pkg-config dependency on libtss2-mu in order to work with tpm2-tss 2.3
- Fix compiler error on uninitialized variable
- Fix format strings for 32bit architectures.
## [0.1.1] - 2019-04-04
### Changed
- Removed SHA384 from default PCR banks since it's unsupported by many TPMs.
## [0.1.0] - 2019-03-25
### Added
- Initial release of a TPM 2.0-based library and executable for machine-to-human
authentication using the TCG's TPM Software Stack compliant tpm2-tss
libraries.
- libtpm2totp (the library) functional implementation for reuse.
- tpm2-totp (CLI tool) executable wrapper for library.
- man-pages are included.
0707010000000B000081A40000000000000000000000016602CAFD00001574000000000000000000000000000000000000002E00000000tpm2-totp-20240326.33e1986/CODE_OF_CONDUCT.md
# Contributor Covenant Code of Conduct
## Our Pledge
We as members, contributors, and leaders pledge to make participation in our
community a harassment-free experience for everyone, regardless of age, body
size, visible or invisible disability, ethnicity, sex characteristics, gender
identity and expression, level of experience, education, socio-economic status,
nationality, personal appearance, race, caste, color, religion, or sexual
identity and orientation.
We pledge to act and interact in ways that contribute to an open, welcoming,
diverse, inclusive, and healthy community.
## Our Standards
Examples of behavior that contributes to a positive environment for our
community include:
* Demonstrating empathy and kindness toward other people
* Being respectful of differing opinions, viewpoints, and experiences
* Giving and gracefully accepting constructive feedback
* Accepting responsibility and apologizing to those affected by our mistakes,
and learning from the experience
* Focusing on what is best not just for us as individuals, but for the overall
community
Examples of unacceptable behavior include:
* The use of sexualized language or imagery, and sexual attention or advances of
any kind
* Trolling, insulting or derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or email address,
without their explicit permission
* Other conduct which could reasonably be considered inappropriate in a
professional setting
## Enforcement Responsibilities
Community leaders are responsible for clarifying and enforcing our standards of
acceptable behavior and will take appropriate and fair corrective action in
response to any behavior that they deem inappropriate, threatening, offensive,
or harmful.
Community leaders have the right and responsibility to remove, edit, or reject
comments, commits, code, wiki edits, issues, and other contributions that are
not aligned to this Code of Conduct, and will communicate reasons for moderation
decisions when appropriate.
## Scope
This Code of Conduct applies within all community spaces, and also applies when
an individual is officially representing the community in public spaces.
Examples of representing our community include using an official e-mail address,
posting via an official social media account, or acting as an appointed
representative at an online or offline event.
## Enforcement
Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported to the community leaders responsible for enforcement at
[MAINTAINERS](MAINTAINERS).
All complaints will be reviewed and investigated promptly and fairly.
All community leaders are obligated to respect the privacy and security of the
reporter of any incident.
## Enforcement Guidelines
Community leaders will follow these Community Impact Guidelines in determining
the consequences for any action they deem in violation of this Code of Conduct:
### 1. Correction
**Community Impact**: Use of inappropriate language or other behavior deemed
unprofessional or unwelcome in the community.
**Consequence**: A private, written warning from community leaders, providing
clarity around the nature of the violation and an explanation of why the
behavior was inappropriate. A public apology may be requested.
### 2. Warning
**Community Impact**: A violation through a single incident or series of
actions.
**Consequence**: A warning with consequences for continued behavior. No
interaction with the people involved, including unsolicited interaction with
those enforcing the Code of Conduct, for a specified period of time. This
includes avoiding interactions in community spaces as well as external channels
like social media. Violating these terms may lead to a temporary or permanent
ban.
### 3. Temporary Ban
**Community Impact**: A serious violation of community standards, including
sustained inappropriate behavior.
**Consequence**: A temporary ban from any sort of interaction or public
communication with the community for a specified period of time. No public or
private interaction with the people involved, including unsolicited interaction
with those enforcing the Code of Conduct, is allowed during this period.
Violating these terms may lead to a permanent ban.
### 4. Permanent Ban
**Community Impact**: Demonstrating a pattern of violation of community
standards, including sustained inappropriate behavior, harassment of an
individual, or aggression toward or disparagement of classes of individuals.
**Consequence**: A permanent ban from any sort of public interaction within the
community.
## Attribution
This Code of Conduct is adapted from the [Contributor Covenant][homepage],
version 2.1, available at
[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1].
Community Impact Guidelines were inspired by
[Mozilla's code of conduct enforcement ladder][Mozilla CoC].
For answers to common questions about this code of conduct, see the FAQ at
[https://www.contributor-covenant.org/faq][FAQ]. Translations are available at
[https://www.contributor-covenant.org/translations][translations].
[homepage]: https://www.contributor-covenant.org
[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html
[Mozilla CoC]: https://github.com/mozilla/diversity
[FAQ]: https://www.contributor-covenant.org/faq
[translations]: https://www.contributor-covenant.org/translations
0707010000000C000081A40000000000000000000000016602CAFD000007AB000000000000000000000000000000000000002B00000000tpm2-totp-20240326.33e1986/CONTRIBUTING.md# Guidelines for submitting bugs:
All non security bugs should be filed on the Issues tracker:
https://github.com/tpm2-software/tpm2-totp/issues
Security sensitive bugs should follow the instructions in SECURITY.md.
# Guideline for submitting changes:
All changes to the source code must follow the coding standard used in the
tpm2-tss project [here](https://github.com/tpm2-software/tpm2-tss/blob/master/doc/coding_standard_c.md).
All changes should be introduced via github pull requests. This allows anyone to
comment and provide feedback in lieu of having a mailing list. For pull requests
opened by non-maintainers, any maintainer may review and merge that pull
request. For maintainers, they either must have their pull request reviewed by
another maintainer if possible, or leave the PR open for at least 24 hours, we
consider this the window for comments.
## Patch requirements
* All tests must pass in CI (the GitHub Actions workflows under `.github/workflows`) for the merge to occur.
* All changes must not introduce superfluous changes or whitespace errors.
* All commits should adhere to the git commit message guidelines described
here: https://chris.beams.io/posts/git-commit/ with the following exceptions.
* We allow commit subject lines up to 80 characters.
* All contributions must adhere to the Developer Certificate of Origin. The
full text of the DCO is here: https://developercertificate.org/. Contributors
must add a 'Signed-off-by' line to their commits. This indicates the
submitter's acceptance of the DCO.
## Guideline for merging changes
Pull Requests MUST be assigned to an upcoming release tag. If a release milestone does
not exist, the maintainer SHALL create it per the [RELEASE.md](RELEASE.md) instructions.
When accepting and merging a change, the maintainer MUST edit the description field for
the release milestone to add the CHANGELOG entry.
Changes must be merged with the "rebase" option on github to avoid merge commits.
This provides for a clear linear history.
0707010000000D000081A40000000000000000000000016602CAFD0001BF90000000000000000000000000000000000000002700000000tpm2-totp-20240326.33e1986/Doxyfile.in# Doxyfile 1.9.1
# This file describes the settings to be used by the documentation system
# doxygen (www.doxygen.org) for a project.
#
# All text after a double hash (##) is considered a comment and is placed in
# front of the TAG it is preceding.
#
# All text after a single hash (#) is considered a comment and will be ignored.
# The format is:
# TAG = value [value, ...]
# For lists, items can also be appended using:
# TAG += value [value, ...]
# Values that contain spaces should be placed between quotes (\" \").
#---------------------------------------------------------------------------
# Project related configuration options
#---------------------------------------------------------------------------
# This tag specifies the encoding used for all characters in the configuration
# file that follow. The default is UTF-8 which is also the encoding used for all
# text before the first occurrence of this tag. Doxygen uses libiconv (or the
# iconv built into libc) for the transcoding. See
# https://www.gnu.org/software/libiconv/ for the list of possible encodings.
# The default value is: UTF-8.
DOXYFILE_ENCODING = UTF-8
# The PROJECT_NAME tag is a single word (or a sequence of words surrounded by
# double-quotes, unless you are using Doxywizard) that should identify the
# project for which the documentation is generated. This name is used in the
# title of most generated pages and in a few other places.
# The default value is: My Project.
PROJECT_NAME = @PACKAGE_NAME@
# The PROJECT_NUMBER tag can be used to enter a project or revision number. This
# could be handy for archiving the generated documentation or if some version
# control system is used.
PROJECT_NUMBER = @VERSION@
# Using the PROJECT_BRIEF tag one can provide an optional one line description
# for a project that appears at the top of each page and should give viewer a
# quick idea about the purpose of the project. Keep the description short.
PROJECT_BRIEF = "Attest the trustworthiness of a device against a human using time-based one-time passwords"
# With the PROJECT_LOGO tag one can specify a logo or an icon that is included
# in the documentation. The maximum height of the logo should not exceed 55
# pixels and the maximum width should not exceed 200 pixels. Doxygen will copy
# the logo to the output directory.
PROJECT_LOGO =
# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) path
# into which the generated documentation will be written. If a relative path is
# entered, it will be relative to the location where doxygen was started. If
# left blank the current directory will be used.
OUTPUT_DIRECTORY = @top_builddir@/doxygen-doc
# If the CREATE_SUBDIRS tag is set to YES then doxygen will create 4096 sub-
# directories (in 2 levels) under the output directory of each output format and
# will distribute the generated files over these directories. Enabling this
# option can be useful when feeding doxygen a huge amount of source files, where
# putting all generated files in the same directory would otherwise causes
# performance problems for the file system.
# The default value is: NO.
CREATE_SUBDIRS = NO
# If the ALLOW_UNICODE_NAMES tag is set to YES, doxygen will allow non-ASCII
# characters to appear in the names of generated files. If set to NO, non-ASCII
# characters will be escaped, for example _xE3_x81_x84 will be used for Unicode
# U+3044.
# The default value is: NO.
ALLOW_UNICODE_NAMES = NO
# The OUTPUT_LANGUAGE tag is used to specify the language in which all
# documentation generated by doxygen is written. Doxygen will use this
# information to generate all constant output in the proper language.
# Possible values are: Afrikaans, Arabic, Armenian, Brazilian, Catalan, Chinese,
# Chinese-Traditional, Croatian, Czech, Danish, Dutch, English (United States),
# Esperanto, Farsi (Persian), Finnish, French, German, Greek, Hungarian,
# Indonesian, Italian, Japanese, Japanese-en (Japanese with English messages),
# Korean, Korean-en (Korean with English messages), Latvian, Lithuanian,
# Macedonian, Norwegian, Persian (Farsi), Polish, Portuguese, Romanian, Russian,
# Serbian, Serbian-Cyrillic, Slovak, Slovene, Spanish, Swedish, Turkish,
# Ukrainian and Vietnamese.
# The default value is: English.
OUTPUT_LANGUAGE = English
# The OUTPUT_TEXT_DIRECTION tag is used to specify the direction in which all
# documentation generated by doxygen is written. Doxygen will use this
# information to generate all generated output in the proper direction.
# Possible values are: None, LTR, RTL and Context.
# The default value is: None.
OUTPUT_TEXT_DIRECTION = None
# If the BRIEF_MEMBER_DESC tag is set to YES, doxygen will include brief member
# descriptions after the members that are listed in the file and class
# documentation (similar to Javadoc). Set to NO to disable this.
# The default value is: YES.
BRIEF_MEMBER_DESC = YES
# If the REPEAT_BRIEF tag is set to YES, doxygen will prepend the brief
# description of a member or function before the detailed description
#
# Note: If both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the
# brief descriptions will be completely suppressed.
# The default value is: YES.
REPEAT_BRIEF = YES
# This tag implements a quasi-intelligent brief description abbreviator that is
# used to form the text in various listings. Each string in this list, if found
# as the leading text of the brief description, will be stripped from the text
# and the result, after processing the whole list, is used as the annotated
# text. Otherwise, the brief description is used as-is. If left blank, the
# following values are used ($name is automatically replaced with the name of
# the entity):The $name class, The $name widget, The $name file, is, provides,
# specifies, contains, represents, a, an and the.
ABBREVIATE_BRIEF = "The $name class" \
"The $name widget" \
"The $name file" \
is \
provides \
specifies \
contains \
represents \
a \
an \
the
# If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then
# doxygen will generate a detailed section even if there is only a brief
# description.
# The default value is: NO.
ALWAYS_DETAILED_SEC = NO
# If the INLINE_INHERITED_MEMB tag is set to YES, doxygen will show all
# inherited members of a class in the documentation of that class as if those
# members were ordinary class members. Constructors, destructors and assignment
# operators of the base classes will not be shown.
# The default value is: NO.
INLINE_INHERITED_MEMB = NO
# If the FULL_PATH_NAMES tag is set to YES, doxygen will prepend the full path
# before files name in the file list and in the header files. If set to NO the
# shortest path that makes the file name unique will be used
# The default value is: YES.
FULL_PATH_NAMES = YES
# The STRIP_FROM_PATH tag can be used to strip a user-defined part of the path.
# Stripping is only done if one of the specified strings matches the left-hand
# part of the path. The tag can be used to show relative paths in the file list.
# If left blank the directory from which doxygen is run is used as the path to
# strip.
#
# Note that you can specify absolute paths here, but also relative paths, which
# will be relative from the directory where doxygen is started.
# This tag requires that the tag FULL_PATH_NAMES is set to YES.
STRIP_FROM_PATH =
# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of the
# path mentioned in the documentation of a class, which tells the reader which
# header file to include in order to use a class. If left blank only the name of
# the header file containing the class definition is used. Otherwise one should
# specify the list of include paths that are normally passed to the compiler
# using the -I flag.
STRIP_FROM_INC_PATH =
# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter (but
# less readable) file names. This can be useful is your file systems doesn't
# support long names like on DOS, Mac, or CD-ROM.
# The default value is: NO.
SHORT_NAMES = NO
# If the JAVADOC_AUTOBRIEF tag is set to YES then doxygen will interpret the
# first line (until the first dot) of a Javadoc-style comment as the brief
# description. If set to NO, the Javadoc-style will behave just like regular Qt-
# style comments (thus requiring an explicit @brief command for a brief
# description.)
# The default value is: NO.
JAVADOC_AUTOBRIEF = NO
# If the JAVADOC_BANNER tag is set to YES then doxygen will interpret a line
# such as
# /***************
# as being the beginning of a Javadoc-style comment "banner". If set to NO, the
# Javadoc-style will behave just like regular comments and it will not be
# interpreted by doxygen.
# The default value is: NO.
JAVADOC_BANNER = NO
# If the QT_AUTOBRIEF tag is set to YES then doxygen will interpret the first
# line (until the first dot) of a Qt-style comment as the brief description. If
# set to NO, the Qt-style will behave just like regular Qt-style comments (thus
# requiring an explicit \brief command for a brief description.)
# The default value is: NO.
QT_AUTOBRIEF = NO
# The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make doxygen treat a
# multi-line C++ special comment block (i.e. a block of //! or /// comments) as
# a brief description. This used to be the default behavior. The new default is
# to treat a multi-line C++ comment block as a detailed description. Set this
# tag to YES if you prefer the old behavior instead.
#
# Note that setting this tag to YES also means that rational rose comments are
# not recognized any more.
# The default value is: NO.
MULTILINE_CPP_IS_BRIEF = NO
# By default Python docstrings are displayed as preformatted text and doxygen's
# special commands cannot be used. By setting PYTHON_DOCSTRING to NO the
# doxygen's special commands can be used and the contents of the docstring
# documentation blocks is shown as doxygen documentation.
# The default value is: YES.
PYTHON_DOCSTRING = YES
# If the INHERIT_DOCS tag is set to YES then an undocumented member inherits the
# documentation from any documented member that it re-implements.
# The default value is: YES.
INHERIT_DOCS = YES
# If the SEPARATE_MEMBER_PAGES tag is set to YES then doxygen will produce a new
# page for each member. If set to NO, the documentation of a member will be part
# of the file/class/namespace that contains it.
# The default value is: NO.
SEPARATE_MEMBER_PAGES = NO
# The TAB_SIZE tag can be used to set the number of spaces in a tab. Doxygen
# uses this value to replace tabs by spaces in code fragments.
# Minimum value: 1, maximum value: 16, default value: 4.
TAB_SIZE = 4
# This tag can be used to specify a number of aliases that act as commands in
# the documentation. An alias has the form:
# name=value
# For example adding
# "sideeffect=@par Side Effects:\n"
# will allow you to put the command \sideeffect (or @sideeffect) in the
# documentation, which will result in a user-defined paragraph with heading
# "Side Effects:". You can put \n's in the value part of an alias to insert
# newlines (in the resulting output). You can put ^^ in the value part of an
# alias to insert a newline as if a physical newline was in the original file.
# When you need a literal { or } or , in the value part of an alias you have to
# escape them by means of a backslash (\), this can lead to conflicts with the
# commands \{ and \} for these it is advised to use the version @{ and @} or use
# a double escape (\\{ and \\})
ALIASES =
# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C sources
# only. Doxygen will then generate output that is more tailored for C. For
# instance, some of the names that are used will be different. The list of all
# members will be omitted, etc.
# The default value is: NO.
OPTIMIZE_OUTPUT_FOR_C = YES
# Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java or
# Python sources only. Doxygen will then generate output that is more tailored
# for that language. For instance, namespaces will be presented as packages,
# qualified scopes will look different, etc.
# The default value is: NO.
OPTIMIZE_OUTPUT_JAVA = NO
# Set the OPTIMIZE_FOR_FORTRAN tag to YES if your project consists of Fortran
# sources. Doxygen will then generate output that is tailored for Fortran.
# The default value is: NO.
OPTIMIZE_FOR_FORTRAN = NO
# Set the OPTIMIZE_OUTPUT_VHDL tag to YES if your project consists of VHDL
# sources. Doxygen will then generate output that is tailored for VHDL.
# The default value is: NO.
OPTIMIZE_OUTPUT_VHDL = NO
# Set the OPTIMIZE_OUTPUT_SLICE tag to YES if your project consists of Slice
# sources only. Doxygen will then generate output that is more tailored for that
# language. For instance, namespaces will be presented as modules, types will be
# separated into more groups, etc.
# The default value is: NO.
OPTIMIZE_OUTPUT_SLICE = NO
# Doxygen selects the parser to use depending on the extension of the files it
# parses. With this tag you can assign which parser to use for a given
# extension. Doxygen has a built-in mapping, but you can override or extend it
# using this tag. The format is ext=language, where ext is a file extension, and
# language is one of the parsers supported by doxygen: IDL, Java, JavaScript,
# Csharp (C#), C, C++, D, PHP, md (Markdown), Objective-C, Python, Slice, VHDL,
# Fortran (fixed format Fortran: FortranFixed, free formatted Fortran:
# FortranFree, unknown formatted Fortran: Fortran. In the latter case the parser
# tries to guess whether the code is fixed or free formatted code, this is the
# default for Fortran type files). For instance to make doxygen treat .inc files
# as Fortran files (default is PHP), and .f files as C (default is Fortran),
# use: inc=Fortran f=C.
#
# Note: For files without extension you can use no_extension as a placeholder.
#
# Note that for custom extensions you also need to set FILE_PATTERNS otherwise
# the files are not read by doxygen. When specifying no_extension you should add
# * to the FILE_PATTERNS.
#
# Note see also the list of default file extension mappings.
EXTENSION_MAPPING =
# If the MARKDOWN_SUPPORT tag is enabled then doxygen pre-processes all comments
# according to the Markdown format, which allows for more readable
# documentation. See https://daringfireball.net/projects/markdown/ for details.
# The output of markdown processing is further processed by doxygen, so you can
# mix doxygen, HTML, and XML commands with Markdown formatting. Disable only in
# case of backward compatibility issues.
# The default value is: YES.
MARKDOWN_SUPPORT = YES
# When the TOC_INCLUDE_HEADINGS tag is set to a non-zero value, all headings up
# to that level are automatically included in the table of contents, even if
# they do not have an id attribute.
# Note: This feature currently applies only to Markdown headings.
# Minimum value: 0, maximum value: 99, default value: 5.
# This tag requires that the tag MARKDOWN_SUPPORT is set to YES.
TOC_INCLUDE_HEADINGS = 0
# When enabled doxygen tries to link words that correspond to documented
# classes, or namespaces to their corresponding documentation. Such a link can
# be prevented in individual cases by putting a % sign in front of the word or
# globally by setting AUTOLINK_SUPPORT to NO.
# The default value is: YES.
AUTOLINK_SUPPORT = YES
# If you use STL classes (i.e. std::string, std::vector, etc.) but do not want
# to include (a tag file for) the STL sources as input, then you should set this
# tag to YES in order to let doxygen match functions declarations and
# definitions whose arguments contain STL classes (e.g. func(std::string);
# versus func(std::string) {}). This also makes the inheritance and collaboration
# diagrams that involve STL classes more complete and accurate.
# The default value is: NO.
BUILTIN_STL_SUPPORT = NO
# If you use Microsoft's C++/CLI language, you should set this option to YES to
# enable parsing support.
# The default value is: NO.
CPP_CLI_SUPPORT = NO
# Set the SIP_SUPPORT tag to YES if your project consists of sip (see:
# https://www.riverbankcomputing.com/software/sip/intro) sources only. Doxygen
# will parse them like normal C++ but will assume all classes use public instead
# of private inheritance when no explicit protection keyword is present.
# The default value is: NO.
SIP_SUPPORT = NO
# For Microsoft's IDL there are propget and propput attributes to indicate
# getter and setter methods for a property. Setting this option to YES will make
# doxygen replace the get and set methods by a property in the documentation.
# This will only work if the methods are indeed getting or setting a simple
# type. If this is not the case, or you want to show the methods anyway, you
# should set this option to NO.
# The default value is: YES.
IDL_PROPERTY_SUPPORT = YES
# If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC
# tag is set to YES then doxygen will reuse the documentation of the first
# member in the group (if any) for the other members of the group. By default
# all members of a group must be documented explicitly.
# The default value is: NO.
DISTRIBUTE_GROUP_DOC = NO
# If one adds a struct or class to a group and this option is enabled, then also
# any nested class or struct is added to the same group. By default this option
# is disabled and one has to add nested compounds explicitly via \ingroup.
# The default value is: NO.
GROUP_NESTED_COMPOUNDS = NO
# Set the SUBGROUPING tag to YES to allow class member groups of the same type
# (for instance a group of public functions) to be put as a subgroup of that
# type (e.g. under the Public Functions section). Set it to NO to prevent
# subgrouping. Alternatively, this can be done per class using the
# \nosubgrouping command.
# The default value is: YES.
SUBGROUPING = YES
# When the INLINE_GROUPED_CLASSES tag is set to YES, classes, structs and unions
# are shown inside the group in which they are included (e.g. using \ingroup)
# instead of on a separate page (for HTML and Man pages) or section (for LaTeX
# and RTF).
#
# Note that this feature does not work in combination with
# SEPARATE_MEMBER_PAGES.
# The default value is: NO.
INLINE_GROUPED_CLASSES = NO
# When the INLINE_SIMPLE_STRUCTS tag is set to YES, structs, classes, and unions
# with only public data fields or simple typedef fields will be shown inline in
# the documentation of the scope in which they are defined (i.e. file,
# namespace, or group documentation), provided this scope is documented. If set
# to NO, structs, classes, and unions are shown on a separate page (for HTML and
# Man pages) or section (for LaTeX and RTF).
# The default value is: NO.
INLINE_SIMPLE_STRUCTS = NO
# When TYPEDEF_HIDES_STRUCT tag is enabled, a typedef of a struct, union, or
# enum is documented as struct, union, or enum with the name of the typedef. So
# typedef struct TypeS {} TypeT, will appear in the documentation as a struct
# with name TypeT. When disabled the typedef will appear as a member of a file,
# namespace, or class. And the struct will be named TypeS. This can typically be
# useful for C code in case the coding convention dictates that all compound
# types are typedef'ed and only the typedef is referenced, never the tag name.
# The default value is: NO.
TYPEDEF_HIDES_STRUCT = NO
# The size of the symbol lookup cache can be set using LOOKUP_CACHE_SIZE. This
# cache is used to resolve symbols given their name and scope. Since this can be
# an expensive process and often the same symbol appears multiple times in the
# code, doxygen keeps a cache of pre-resolved symbols. If the cache is too small
# doxygen will become slower. If the cache is too large, memory is wasted. The
# cache size is given by this formula: 2^(16+LOOKUP_CACHE_SIZE). The valid range
# is 0..9, the default is 0, corresponding to a cache size of 2^16=65536
# symbols. At the end of a run doxygen will report the cache usage and suggest
# the optimal cache size from a speed point of view.
# Minimum value: 0, maximum value: 9, default value: 0.
LOOKUP_CACHE_SIZE = 0
# The NUM_PROC_THREADS tag specifies the number of threads doxygen is allowed to
# use during processing. When set to 0 doxygen will base this on the number of
# cores available in the system. You can set it explicitly to a value larger
# than 0 to get more control over the balance between CPU load and processing
# speed. At this moment only the input processing can be done using multiple
# threads. Since this is still an experimental feature the default is set to 1,
# which effectively disables parallel processing. Please report any issues you
# encounter. Generating dot graphs in parallel is controlled by the
# DOT_NUM_THREADS setting.
# Minimum value: 0, maximum value: 32, default value: 1.
NUM_PROC_THREADS = 1
#---------------------------------------------------------------------------
# Build related configuration options
#---------------------------------------------------------------------------
# If the EXTRACT_ALL tag is set to YES, doxygen will assume all entities in
# documentation are documented, even if no documentation was available. Private
# class members and static file members will be hidden unless the
# EXTRACT_PRIVATE respectively EXTRACT_STATIC tags are set to YES.
# Note: This will also disable the warnings about undocumented members that are
# normally produced when WARNINGS is set to YES.
# The default value is: NO.
EXTRACT_ALL = NO
# If the EXTRACT_PRIVATE tag is set to YES, all private members of a class will
# be included in the documentation.
# The default value is: NO.
EXTRACT_PRIVATE = NO
# If the EXTRACT_PRIV_VIRTUAL tag is set to YES, documented private virtual
# methods of a class will be included in the documentation.
# The default value is: NO.
EXTRACT_PRIV_VIRTUAL = NO
# If the EXTRACT_PACKAGE tag is set to YES, all members with package or internal
# scope will be included in the documentation.
# The default value is: NO.
EXTRACT_PACKAGE = NO
# If the EXTRACT_STATIC tag is set to YES, all static members of a file will be
# included in the documentation.
# The default value is: NO.
EXTRACT_STATIC = NO
# If the EXTRACT_LOCAL_CLASSES tag is set to YES, classes (and structs) defined
# locally in source files will be included in the documentation. If set to NO,
# only classes defined in header files are included. Does not have any effect
# for Java sources.
# The default value is: YES.
EXTRACT_LOCAL_CLASSES = YES
# This flag is only useful for Objective-C code. If set to YES, local methods,
# which are defined in the implementation section but not in the interface are
# included in the documentation. If set to NO, only methods in the interface are
# included.
# The default value is: NO.
EXTRACT_LOCAL_METHODS = NO
# If this flag is set to YES, the members of anonymous namespaces will be
# extracted and appear in the documentation as a namespace called
# 'anonymous_namespace{file}', where file will be replaced with the base name of
# the file that contains the anonymous namespace. By default anonymous namespace
# are hidden.
# The default value is: NO.
EXTRACT_ANON_NSPACES = NO
# If this flag is set to YES, the name of an unnamed parameter in a declaration
# will be determined by the corresponding definition. By default unnamed
# parameters remain unnamed in the output.
# The default value is: YES.
RESOLVE_UNNAMED_PARAMS = YES
# If the HIDE_UNDOC_MEMBERS tag is set to YES, doxygen will hide all
# undocumented members inside documented classes or files. If set to NO these
# members will be included in the various overviews, but no documentation
# section is generated. This option has no effect if EXTRACT_ALL is enabled.
# The default value is: NO.
HIDE_UNDOC_MEMBERS = NO
# If the HIDE_UNDOC_CLASSES tag is set to YES, doxygen will hide all
# undocumented classes that are normally visible in the class hierarchy. If set
# to NO, these classes will be included in the various overviews. This option
# has no effect if EXTRACT_ALL is enabled.
# The default value is: NO.
HIDE_UNDOC_CLASSES = NO
# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, doxygen will hide all friend
# declarations. If set to NO, these declarations will be included in the
# documentation.
# The default value is: NO.
HIDE_FRIEND_COMPOUNDS = NO
# If the HIDE_IN_BODY_DOCS tag is set to YES, doxygen will hide any
# documentation blocks found inside the body of a function. If set to NO, these
# blocks will be appended to the function's detailed documentation block.
# The default value is: NO.
HIDE_IN_BODY_DOCS = NO
# The INTERNAL_DOCS tag determines if documentation that is typed after a
# \internal command is included. If the tag is set to NO then the documentation
# will be excluded. Set it to YES to include the internal documentation.
# The default value is: NO.
INTERNAL_DOCS = NO
# With the correct setting of option CASE_SENSE_NAMES doxygen will better be
# able to match the capabilities of the underlying filesystem. In case the
# filesystem is case sensitive (i.e. it supports files in the same directory
# whose names only differ in casing), the option must be set to YES to properly
# deal with such files in case they appear in the input. For filesystems that
# are not case sensitive the option should be set to NO to properly deal with
# output files written for symbols that only differ in casing, such as for two
# classes, one named CLASS and the other named Class, and to also support
# references to files without having to specify the exact matching casing. On
# Windows (including Cygwin) and MacOS, users should typically set this option
# to NO, whereas on Linux or other Unix flavors it should typically be set to
# YES.
# The default value is: system dependent.
CASE_SENSE_NAMES = YES
# If the HIDE_SCOPE_NAMES tag is set to NO then doxygen will show members with
# their full class and namespace scopes in the documentation. If set to YES, the
# scope will be hidden.
# The default value is: NO.
HIDE_SCOPE_NAMES = NO
# If the HIDE_COMPOUND_REFERENCE tag is set to NO (default) then doxygen will
# append additional text to a page's title, such as Class Reference. If set to
# YES the compound reference will be hidden.
# The default value is: NO.
HIDE_COMPOUND_REFERENCE= NO
# If the SHOW_INCLUDE_FILES tag is set to YES then doxygen will put a list of
# the files that are included by a file in the documentation of that file.
# The default value is: YES.
SHOW_INCLUDE_FILES = YES
# If the SHOW_GROUPED_MEMB_INC tag is set to YES then Doxygen will add for each
# grouped member an include statement to the documentation, telling the reader
# which file to include in order to use the member.
# The default value is: NO.
SHOW_GROUPED_MEMB_INC = NO
# If the FORCE_LOCAL_INCLUDES tag is set to YES then doxygen will list include
# files with double quotes in the documentation rather than with sharp brackets.
# The default value is: NO.
FORCE_LOCAL_INCLUDES = NO
# If the INLINE_INFO tag is set to YES then a tag [inline] is inserted in the
# documentation for inline members.
# The default value is: YES.
INLINE_INFO = YES
# If the SORT_MEMBER_DOCS tag is set to YES then doxygen will sort the
# (detailed) documentation of file and class members alphabetically by member
# name. If set to NO, the members will appear in declaration order.
# The default value is: YES.
SORT_MEMBER_DOCS = YES
# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the brief
# descriptions of file, namespace and class members alphabetically by member
# name. If set to NO, the members will appear in declaration order. Note that
# this will also influence the order of the classes in the class list.
# The default value is: NO.
SORT_BRIEF_DOCS = NO
# If the SORT_MEMBERS_CTORS_1ST tag is set to YES then doxygen will sort the
# (brief and detailed) documentation of class members so that constructors and
# destructors are listed first. If set to NO the constructors will appear in the
# respective orders defined by SORT_BRIEF_DOCS and SORT_MEMBER_DOCS.
# Note: If SORT_BRIEF_DOCS is set to NO this option is ignored for sorting brief
# member documentation.
# Note: If SORT_MEMBER_DOCS is set to NO this option is ignored for sorting
# detailed member documentation.
# The default value is: NO.
SORT_MEMBERS_CTORS_1ST = NO
# If the SORT_GROUP_NAMES tag is set to YES then doxygen will sort the hierarchy
# of group names into alphabetical order. If set to NO the group names will
# appear in their defined order.
# The default value is: NO.
SORT_GROUP_NAMES = NO
# If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be sorted by
# fully-qualified names, including namespaces. If set to NO, the class list will
# be sorted only by class name, not including the namespace part.
# Note: This option is not very useful if HIDE_SCOPE_NAMES is set to YES.
# Note: This option applies only to the class list, not to the alphabetical
# list.
# The default value is: NO.
SORT_BY_SCOPE_NAME = NO
# If the STRICT_PROTO_MATCHING option is enabled and doxygen fails to do proper
# type resolution of all parameters of a function it will reject a match between
# the prototype and the implementation of a member function even if there is
# only one candidate or it is obvious which candidate to choose by doing a
# simple string match. By disabling STRICT_PROTO_MATCHING doxygen will still
# accept a match between prototype and implementation in such cases.
# The default value is: NO.
STRICT_PROTO_MATCHING = NO
# The GENERATE_TODOLIST tag can be used to enable (YES) or disable (NO) the todo
# list. This list is created by putting \todo commands in the documentation.
# The default value is: YES.
GENERATE_TODOLIST = YES
# The GENERATE_TESTLIST tag can be used to enable (YES) or disable (NO) the test
# list. This list is created by putting \test commands in the documentation.
# The default value is: YES.
GENERATE_TESTLIST = YES
# The GENERATE_BUGLIST tag can be used to enable (YES) or disable (NO) the bug
# list. This list is created by putting \bug commands in the documentation.
# The default value is: YES.
GENERATE_BUGLIST = YES
# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or disable (NO)
# the deprecated list. This list is created by putting \deprecated commands in
# the documentation.
# The default value is: YES.
GENERATE_DEPRECATEDLIST= YES
# The ENABLED_SECTIONS tag can be used to enable conditional documentation
# sections, marked by \if <section_label> ... \endif and \cond <section_label>
# ... \endcond blocks.
ENABLED_SECTIONS =
# The MAX_INITIALIZER_LINES tag determines the maximum number of lines that the
# initial value of a variable or macro / define can have for it to appear in the
# documentation. If the initializer consists of more lines than specified here
# it will be hidden. Use a value of 0 to hide initializers completely. The
# appearance of the value of individual variables and macros / defines can be
# controlled using \showinitializer or \hideinitializer command in the
# documentation regardless of this setting.
# Minimum value: 0, maximum value: 10000, default value: 30.
MAX_INITIALIZER_LINES = 30
# Set the SHOW_USED_FILES tag to NO to disable the list of files generated at
# the bottom of the documentation of classes and structs. If set to YES, the
# list will mention the files that were used to generate the documentation.
# The default value is: YES.
SHOW_USED_FILES = YES
# Set the SHOW_FILES tag to NO to disable the generation of the Files page. This
# will remove the Files entry from the Quick Index and from the Folder Tree View
# (if specified).
# The default value is: YES.
SHOW_FILES = YES
# Set the SHOW_NAMESPACES tag to NO to disable the generation of the Namespaces
# page. This will remove the Namespaces entry from the Quick Index and from the
# Folder Tree View (if specified).
# The default value is: YES.
SHOW_NAMESPACES = YES
# The FILE_VERSION_FILTER tag can be used to specify a program or script that
# doxygen should invoke to get the current version for each file (typically from
# the version control system). Doxygen will invoke the program by executing (via
# popen()) the command `command input-file`, where command is the value of the
# FILE_VERSION_FILTER tag, and input-file is the name of an input file provided
# by doxygen. Whatever the program writes to standard output is used as the file
# version. For an example see the documentation.
FILE_VERSION_FILTER =
# The LAYOUT_FILE tag can be used to specify a layout file which will be parsed
# by doxygen. The layout file controls the global structure of the generated
# output files in an output format independent way. To create the layout file
# that represents doxygen's defaults, run doxygen with the -l option. You can
# optionally specify a file name after the option, if omitted DoxygenLayout.xml
# will be used as the name of the layout file.
#
# Note that if you run doxygen from a directory containing a file called
# DoxygenLayout.xml, doxygen will parse it automatically even if the LAYOUT_FILE
# tag is left empty.
LAYOUT_FILE =
# The CITE_BIB_FILES tag can be used to specify one or more bib files containing
# the reference definitions. This must be a list of .bib files. The .bib
# extension is automatically appended if omitted. This requires the bibtex tool
# to be installed. See also https://en.wikipedia.org/wiki/BibTeX for more info.
# For LaTeX the style of the bibliography can be controlled using
# LATEX_BIB_STYLE. To use this feature you need bibtex and perl available in the
# search path. See also \cite for info how to create references.
CITE_BIB_FILES =
#---------------------------------------------------------------------------
# Configuration options related to warning and progress messages
#---------------------------------------------------------------------------
# The QUIET tag can be used to turn on/off the messages that are generated to
# standard output by doxygen. If QUIET is set to YES this implies that the
# messages are off.
# The default value is: NO.
QUIET = YES
# The WARNINGS tag can be used to turn on/off the warning messages that are
# generated to standard error (stderr) by doxygen. If WARNINGS is set to YES
# this implies that the warnings are on.
#
# Tip: Turn warnings on while writing the documentation.
# The default value is: YES.
WARNINGS = YES
# If the WARN_IF_UNDOCUMENTED tag is set to YES then doxygen will generate
# warnings for undocumented members. If EXTRACT_ALL is set to YES then this flag
# will automatically be disabled.
# The default value is: YES.
WARN_IF_UNDOCUMENTED = YES
# If the WARN_IF_DOC_ERROR tag is set to YES, doxygen will generate warnings for
# potential errors in the documentation, such as not documenting some parameters
# in a documented function, or documenting parameters that don't exist or using
# markup commands wrongly.
# The default value is: YES.
WARN_IF_DOC_ERROR = YES
# This WARN_NO_PARAMDOC option can be enabled to get warnings for functions that
# are documented, but have no documentation for their parameters or return
# value. If set to NO, doxygen will only warn about wrong or incomplete
# parameter documentation, but not about the absence of documentation. If
# EXTRACT_ALL is set to YES then this flag will automatically be disabled.
# The default value is: NO.
WARN_NO_PARAMDOC = YES
# If the WARN_AS_ERROR tag is set to YES then doxygen will immediately stop when
# a warning is encountered. If the WARN_AS_ERROR tag is set to FAIL_ON_WARNINGS
# then doxygen will continue running as if WARN_AS_ERROR tag is set to NO, but
# at the end of the doxygen process doxygen will return with a non-zero status.
# Possible values are: NO, YES and FAIL_ON_WARNINGS.
# The default value is: NO.
WARN_AS_ERROR = NO
# The WARN_FORMAT tag determines the format of the warning messages that doxygen
# can produce. The string should contain the $file, $line, and $text tags, which
# will be replaced by the file and line number from which the warning originated
# and the warning text. Optionally the format may contain $version, which will
# be replaced by the version of the file (if it could be obtained via
# FILE_VERSION_FILTER)
# The default value is: $file:$line: $text.
WARN_FORMAT = "$file:$line: $text"
# The WARN_LOGFILE tag can be used to specify a file to which warning and error
# messages should be written. If left blank the output is written to standard
# error (stderr).
WARN_LOGFILE =
#---------------------------------------------------------------------------
# Configuration options related to the input files
#---------------------------------------------------------------------------
# The INPUT tag is used to specify the files and/or directories that contain
# documented source files. You may enter file names like myfile.cpp or
# directories like /usr/src/myproject. Separate the files or directories with
# spaces. See also FILE_PATTERNS and EXTENSION_MAPPING
# Note: If this tag is empty the current directory is searched.
INPUT = @top_srcdir@/src/libtpm2-totp.c
# This tag can be used to specify the character encoding of the source files
# that doxygen parses. Internally doxygen uses the UTF-8 encoding. Doxygen uses
# libiconv (or the iconv built into libc) for the transcoding. See the libiconv
# documentation (see:
# https://www.gnu.org/software/libiconv/) for the list of possible encodings.
# The default value is: UTF-8.
INPUT_ENCODING = UTF-8
# If the value of the INPUT tag contains directories, you can use the
# FILE_PATTERNS tag to specify one or more wildcard patterns (like *.cpp and
# *.h) to filter out the source-files in the directories.
#
# Note that for custom extensions or not directly supported extensions you also
# need to set EXTENSION_MAPPING for the extension otherwise the files are not
# read by doxygen.
#
# Note the list of default checked file patterns might differ from the list of
# default file extension mappings.
#
# If left blank the following patterns are tested:*.c, *.cc, *.cxx, *.cpp,
# *.c++, *.java, *.ii, *.ixx, *.ipp, *.i++, *.inl, *.idl, *.ddl, *.odl, *.h,
# *.hh, *.hxx, *.hpp, *.h++, *.cs, *.d, *.php, *.php4, *.php5, *.phtml, *.inc,
# *.m, *.markdown, *.md, *.mm, *.dox (to be provided as doxygen C comment),
# *.py, *.pyw, *.f90, *.f95, *.f03, *.f08, *.f18, *.f, *.for, *.vhd, *.vhdl,
# *.ucf, *.qsf and *.ice.
FILE_PATTERNS = *.c \
*.cc \
*.cxx \
*.cpp \
*.c++ \
*.java \
*.ii \
*.ixx \
*.ipp \
*.i++ \
*.inl \
*.idl \
*.ddl \
*.odl \
*.h \
*.hh \
*.hxx \
*.hpp \
*.h++ \
*.cs \
*.d \
*.php \
*.php4 \
*.php5 \
*.phtml \
*.inc \
*.m \
*.markdown \
*.md \
*.mm \
*.dox \
*.py \
*.pyw \
*.f90 \
*.f95 \
*.f03 \
*.f08 \
*.f \
*.for \
*.tcl \
*.vhd \
*.vhdl \
*.ucf \
*.qsf \
*.ice
# The RECURSIVE tag can be used to specify whether or not subdirectories should
# be searched for input files as well.
# The default value is: NO.
RECURSIVE = NO
# The EXCLUDE tag can be used to specify files and/or directories that should be
# excluded from the INPUT source files. This way you can easily exclude a
# subdirectory from a directory tree whose root is specified with the INPUT tag.
#
# Note that relative paths are relative to the directory from which doxygen is
# run.
EXCLUDE =
# The EXCLUDE_SYMLINKS tag can be used to select whether or not files or
# directories that are symbolic links (a Unix file system feature) are excluded
# from the input.
# The default value is: NO.
EXCLUDE_SYMLINKS = NO
# If the value of the INPUT tag contains directories, you can use the
# EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude
# certain files from those directories.
#
# Note that the wildcards are matched against the file with absolute path, so to
# exclude all test directories for example use the pattern */test/*
EXCLUDE_PATTERNS =
# The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names
# (namespaces, classes, functions, etc.) that should be excluded from the
# output. The symbol name can be a fully qualified name, a word, or if the
# wildcard * is used, a substring. Examples: ANamespace, AClass,
# AClass::ANamespace, ANamespace::*Test
#
# Note that the wildcards are matched against the file with absolute path, so to
# exclude all test directories use the pattern */test/*
EXCLUDE_SYMBOLS =
# The EXAMPLE_PATH tag can be used to specify one or more files or directories
# that contain example code fragments that are included (see the \include
# command).
EXAMPLE_PATH =
# If the value of the EXAMPLE_PATH tag contains directories, you can use the
# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp and
# *.h) to filter out the source-files in the directories. If left blank all
# files are included.
EXAMPLE_PATTERNS = *
# If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be
# searched for input files to be used with the \include or \dontinclude commands
# irrespective of the value of the RECURSIVE tag.
# The default value is: NO.
EXAMPLE_RECURSIVE = NO
# The IMAGE_PATH tag can be used to specify one or more files or directories
# that contain images that are to be included in the documentation (see the
# \image command).
IMAGE_PATH =
# The INPUT_FILTER tag can be used to specify a program that doxygen should
# invoke to filter for each input file. Doxygen will invoke the filter program
# by executing (via popen()) the command:
#
# <filter> <input-file>
#
# where <filter> is the value of the INPUT_FILTER tag, and <input-file> is the
# name of an input file. Doxygen will then use the output that the filter
# program writes to standard output. If FILTER_PATTERNS is specified, this tag
# will be ignored.
#
# Note that the filter must not add or remove lines; it is applied before the
# code is scanned, but not when the output code is generated. If lines are added
# or removed, the anchors will not be placed correctly.
#
# Note that for custom extensions or not directly supported extensions you also
# need to set EXTENSION_MAPPING for the extension otherwise the files are not
# properly processed by doxygen.
INPUT_FILTER =
# The FILTER_PATTERNS tag can be used to specify filters on a per file pattern
# basis. Doxygen will compare the file name with each pattern and apply the
# filter if there is a match. The filters are a list of the form: pattern=filter
# (like *.cpp=my_cpp_filter). See INPUT_FILTER for further information on how
# filters are used. If the FILTER_PATTERNS tag is empty or if none of the
# patterns match the file name, INPUT_FILTER is applied.
#
# Note that for custom extensions or not directly supported extensions you also
# need to set EXTENSION_MAPPING for the extension otherwise the files are not
# properly processed by doxygen.
FILTER_PATTERNS =
# If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using
# INPUT_FILTER) will also be used to filter the input files that are used for
# producing the source files to browse (i.e. when SOURCE_BROWSER is set to YES).
# The default value is: NO.
FILTER_SOURCE_FILES = NO
# The FILTER_SOURCE_PATTERNS tag can be used to specify source filters per file
# pattern. A pattern will override the setting for FILTER_PATTERNS (if any) and
# it is also possible to disable source filtering for a specific pattern using
# *.ext= (so without naming a filter).
# This tag requires that the tag FILTER_SOURCE_FILES is set to YES.
FILTER_SOURCE_PATTERNS =
# If the USE_MDFILE_AS_MAINPAGE tag refers to the name of a markdown file that
# is part of the input, its contents will be placed on the main page
# (index.html). This can be useful if you have a project on for instance GitHub
# and want to reuse the introduction page also for the doxygen output.
USE_MDFILE_AS_MAINPAGE =
#---------------------------------------------------------------------------
# Configuration options related to source browsing
#---------------------------------------------------------------------------
# If the SOURCE_BROWSER tag is set to YES then a list of source files will be
# generated. Documented entities will be cross-referenced with these sources.
#
# Note: To get rid of all source code in the generated output, make sure that
# also VERBATIM_HEADERS is set to NO.
# The default value is: NO.
SOURCE_BROWSER = NO
# Setting the INLINE_SOURCES tag to YES will include the body of functions,
# classes and enums directly into the documentation.
# The default value is: NO.
INLINE_SOURCES = NO
# Setting the STRIP_CODE_COMMENTS tag to YES will instruct doxygen to hide any
# special comment blocks from generated source code fragments. Normal C, C++ and
# Fortran comments will always remain visible.
# The default value is: YES.
STRIP_CODE_COMMENTS = YES
# If the REFERENCED_BY_RELATION tag is set to YES then for each documented
# entity all documented functions referencing it will be listed.
# The default value is: NO.
REFERENCED_BY_RELATION = NO
# If the REFERENCES_RELATION tag is set to YES then for each documented function
# all documented entities called/used by that function will be listed.
# The default value is: NO.
REFERENCES_RELATION = NO
# If the REFERENCES_LINK_SOURCE tag is set to YES and SOURCE_BROWSER tag is set
# to YES then the hyperlinks from functions in REFERENCES_RELATION and
# REFERENCED_BY_RELATION lists will link to the source code. Otherwise they will
# link to the documentation.
# The default value is: YES.
REFERENCES_LINK_SOURCE = YES
# If SOURCE_TOOLTIPS is enabled (the default) then hovering a hyperlink in the
# source code will show a tooltip with additional information such as prototype,
# brief description and links to the definition and documentation. Since this
# will make the HTML file larger and loading of large files a bit slower, you
# can opt to disable this feature.
# The default value is: YES.
# This tag requires that the tag SOURCE_BROWSER is set to YES.
SOURCE_TOOLTIPS = YES
# If the USE_HTAGS tag is set to YES then the references to source code will
# point to the HTML generated by the htags(1) tool instead of doxygen built-in
# source browser. The htags tool is part of GNU's global source tagging system
# (see https://www.gnu.org/software/global/global.html). You will need version
# 4.8.6 or higher.
#
# To use it do the following:
# - Install the latest version of global
# - Enable SOURCE_BROWSER and USE_HTAGS in the configuration file
# - Make sure the INPUT points to the root of the source tree
# - Run doxygen as normal
#
# Doxygen will invoke htags (and that will in turn invoke gtags), so these
# tools must be available from the command line (i.e. in the search path).
#
# The result: instead of the source browser generated by doxygen, the links to
# source code will now point to the output of htags.
# The default value is: NO.
# This tag requires that the tag SOURCE_BROWSER is set to YES.
USE_HTAGS = NO
# If the VERBATIM_HEADERS tag is set to YES then doxygen will generate a
# verbatim copy of the header file for each class for which an include is
# specified. Set to NO to disable this.
# See also: Section \class.
# The default value is: YES.
VERBATIM_HEADERS = YES
#---------------------------------------------------------------------------
# Configuration options related to the alphabetical class index
#---------------------------------------------------------------------------
# If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index of all
# compounds will be generated. Enable this if the project contains a lot of
# classes, structs, unions or interfaces.
# The default value is: YES.
ALPHABETICAL_INDEX = YES
# In case all classes in a project start with a common prefix, all classes will
# be put under the same header in the alphabetical index. The IGNORE_PREFIX tag
# can be used to specify a prefix (or a list of prefixes) that should be ignored
# while generating the index headers.
# This tag requires that the tag ALPHABETICAL_INDEX is set to YES.
IGNORE_PREFIX =
#---------------------------------------------------------------------------
# Configuration options related to the HTML output
#---------------------------------------------------------------------------
# If the GENERATE_HTML tag is set to YES, doxygen will generate HTML output
# The default value is: YES.
GENERATE_HTML = NO
# The HTML_OUTPUT tag is used to specify where the HTML docs will be put. If a
# relative path is entered the value of OUTPUT_DIRECTORY will be put in front of
# it.
# The default directory is: html.
# This tag requires that the tag GENERATE_HTML is set to YES.
HTML_OUTPUT = html
# The HTML_FILE_EXTENSION tag can be used to specify the file extension for each
# generated HTML page (for example: .htm, .php, .asp).
# The default value is: .html.
# This tag requires that the tag GENERATE_HTML is set to YES.
HTML_FILE_EXTENSION = .html
# The HTML_HEADER tag can be used to specify a user-defined HTML header file for
# each generated HTML page. If the tag is left blank doxygen will generate a
# standard header.
#
# To get valid HTML, the header file must include any scripts and style sheets
# that doxygen needs, which depend on the configuration options used (e.g.
# the setting GENERATE_TREEVIEW). It is highly recommended to start with a
# default header using
# doxygen -w html new_header.html new_footer.html new_stylesheet.css
# YourConfigFile
# and then modify the file new_header.html. See also section "Doxygen usage"
# for information on how to generate the default header that doxygen normally
# uses.
# Note: The header is subject to change so you typically have to regenerate the
# default header when upgrading to a newer version of doxygen. For a description
# of the possible markers and block names see the documentation.
# This tag requires that the tag GENERATE_HTML is set to YES.
HTML_HEADER =
# The HTML_FOOTER tag can be used to specify a user-defined HTML footer for each
# generated HTML page. If the tag is left blank doxygen will generate a standard
# footer. See HTML_HEADER for more information on how to generate a default
# footer and what special commands can be used inside the footer. See also
# section "Doxygen usage" for information on how to generate the default footer
# that doxygen normally uses.
# This tag requires that the tag GENERATE_HTML is set to YES.
HTML_FOOTER =
# The HTML_STYLESHEET tag can be used to specify a user-defined cascading style
# sheet that is used by each HTML page. It can be used to fine-tune the look of
# the HTML output. If left blank doxygen will generate a default style sheet.
# See also section "Doxygen usage" for information on how to generate the style
# sheet that doxygen normally uses.
# Note: It is recommended to use HTML_EXTRA_STYLESHEET instead of this tag, as
# it is more robust and this tag (HTML_STYLESHEET) will in the future become
# obsolete.
# This tag requires that the tag GENERATE_HTML is set to YES.
HTML_STYLESHEET =
# The HTML_EXTRA_STYLESHEET tag can be used to specify additional user-defined
# cascading style sheets that are included after the standard style sheets
# created by doxygen. Using this option one can overrule certain style aspects.
# This is preferred over using HTML_STYLESHEET since it does not replace the
# standard style sheet and is therefore more robust against future updates.
# Doxygen will copy the style sheet files to the output directory.
# Note: The order of the extra style sheet files is of importance (e.g. the last
# style sheet in the list overrules the setting of the previous ones in the
# list). For an example see the documentation.
# This tag requires that the tag GENERATE_HTML is set to YES.
HTML_EXTRA_STYLESHEET =
# The HTML_EXTRA_FILES tag can be used to specify one or more extra images or
# other source files which should be copied to the HTML output directory. Note
# that these files will be copied to the base HTML output directory. Use the
# $relpath^ marker in the HTML_HEADER and/or HTML_FOOTER files to load these
# files. In the HTML_STYLESHEET file, use the file name only. Also note that the
# files will be copied as-is; there are no commands or markers available.
# This tag requires that the tag GENERATE_HTML is set to YES.
HTML_EXTRA_FILES =
# The HTML_COLORSTYLE_HUE tag controls the color of the HTML output. Doxygen
# will adjust the colors in the style sheet and background images according to
# this color. Hue is specified as an angle on a colorwheel, see
# https://en.wikipedia.org/wiki/Hue for more information. For instance the value
# 0 represents red, 60 is yellow, 120 is green, 180 is cyan, 240 is blue, 300
# purple, and 360 is red again.
# Minimum value: 0, maximum value: 359, default value: 220.
# This tag requires that the tag GENERATE_HTML is set to YES.
HTML_COLORSTYLE_HUE = 220
# The HTML_COLORSTYLE_SAT tag controls the purity (or saturation) of the colors
# in the HTML output. For a value of 0 the output will use grayscales only. A
# value of 255 will produce the most vivid colors.
# Minimum value: 0, maximum value: 255, default value: 100.
# This tag requires that the tag GENERATE_HTML is set to YES.
HTML_COLORSTYLE_SAT = 100
# The HTML_COLORSTYLE_GAMMA tag controls the gamma correction applied to the
# luminance component of the colors in the HTML output. Values below 100
# gradually make the output lighter, whereas values above 100 make the output
# darker. The value divided by 100 is the actual gamma applied, so 80 represents
# a gamma of 0.8, The value 220 represents a gamma of 2.2, and 100 does not
# change the gamma.
# Minimum value: 40, maximum value: 240, default value: 80.
# This tag requires that the tag GENERATE_HTML is set to YES.
HTML_COLORSTYLE_GAMMA = 80
# If the HTML_TIMESTAMP tag is set to YES then the footer of each generated HTML
# page will contain the date and time when the page was generated. Setting this
# to YES can help to show when doxygen was last run and thus if the
# documentation is up to date.
# The default value is: NO.
# This tag requires that the tag GENERATE_HTML is set to YES.
HTML_TIMESTAMP = NO
# If the HTML_DYNAMIC_MENUS tag is set to YES then the generated HTML
# documentation will contain a main index with vertical navigation menus that
# are dynamically created via JavaScript. If disabled, the navigation index will
# consist of multiple levels of tabs that are statically embedded in every HTML
# page. Disable this option to support browsers that do not have JavaScript,
# like the Qt help browser.
# The default value is: YES.
# This tag requires that the tag GENERATE_HTML is set to YES.
HTML_DYNAMIC_MENUS = YES
# If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML
# documentation will contain sections that can be hidden and shown after the
# page has loaded.
# The default value is: NO.
# This tag requires that the tag GENERATE_HTML is set to YES.
HTML_DYNAMIC_SECTIONS = NO
# With HTML_INDEX_NUM_ENTRIES one can control the preferred number of entries
# shown in the various tree structured indices initially; the user can expand
# and collapse entries dynamically later on. Doxygen will expand the tree to
# such a level that at most the specified number of entries are visible (unless
# a fully collapsed tree already exceeds this amount). So setting the number of
# entries to 1 will produce a fully collapsed tree by default. 0 is a special value
# representing an infinite number of entries and will result in a full expanded
# tree by default.
# Minimum value: 0, maximum value: 9999, default value: 100.
# This tag requires that the tag GENERATE_HTML is set to YES.
HTML_INDEX_NUM_ENTRIES = 100
# If the GENERATE_DOCSET tag is set to YES, additional index files will be
# generated that can be used as input for Apple's Xcode 3 integrated development
# environment (see:
# https://developer.apple.com/xcode/), introduced with OSX 10.5 (Leopard). To
# create a documentation set, doxygen will generate a Makefile in the HTML
# output directory. Running make will produce the docset in that directory and
# running make install will install the docset in
# ~/Library/Developer/Shared/Documentation/DocSets so that Xcode will find it at
# startup. See https://developer.apple.com/library/archive/featuredarticles/Doxy
# genXcode/_index.html for more information.
# The default value is: NO.
# This tag requires that the tag GENERATE_HTML is set to YES.
GENERATE_DOCSET = NO
# This tag determines the name of the docset feed. A documentation feed provides
# an umbrella under which multiple documentation sets from a single provider
# (such as a company or product suite) can be grouped.
# The default value is: Doxygen generated docs.
# This tag requires that the tag GENERATE_DOCSET is set to YES.
DOCSET_FEEDNAME = "Doxygen generated docs"
# This tag specifies a string that should uniquely identify the documentation
# set bundle. This should be a reverse domain-name style string, e.g.
# com.mycompany.MyDocSet. Doxygen will append .docset to the name.
# The default value is: org.doxygen.Project.
# This tag requires that the tag GENERATE_DOCSET is set to YES.
DOCSET_BUNDLE_ID = org.doxygen.Project
# The DOCSET_PUBLISHER_ID tag specifies a string that should uniquely identify
# the documentation publisher. This should be a reverse domain-name style
# string, e.g. com.mycompany.MyDocSet.documentation.
# The default value is: org.doxygen.Publisher.
# This tag requires that the tag GENERATE_DOCSET is set to YES.
DOCSET_PUBLISHER_ID = org.doxygen.Publisher
# The DOCSET_PUBLISHER_NAME tag identifies the documentation publisher.
# The default value is: Publisher.
# This tag requires that the tag GENERATE_DOCSET is set to YES.
DOCSET_PUBLISHER_NAME = Publisher
# If the GENERATE_HTMLHELP tag is set to YES then doxygen generates three
# additional HTML index files: index.hhp, index.hhc, and index.hhk. The
# index.hhp is a project file that can be read by Microsoft's HTML Help Workshop
# (see:
# https://www.microsoft.com/en-us/download/details.aspx?id=21138) on Windows.
#
# The HTML Help Workshop contains a compiler that can convert all HTML output
# generated by doxygen into a single compiled HTML file (.chm). Compiled HTML
# files are now used as the Windows 98 help format, and will replace the old
# Windows help format (.hlp) on all Windows platforms in the future. Compressed
# HTML files also contain an index, a table of contents, and you can search for
# words in the documentation. The HTML workshop also contains a viewer for
# compressed HTML files.
# The default value is: NO.
# This tag requires that the tag GENERATE_HTML is set to YES.
GENERATE_HTMLHELP = NO
# The CHM_FILE tag can be used to specify the file name of the resulting .chm
# file. You can add a path in front of the file if the result should not be
# written to the html output directory.
# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
CHM_FILE =
# The HHC_LOCATION tag can be used to specify the location (absolute path
# including file name) of the HTML help compiler (hhc.exe). If non-empty,
# doxygen will try to run the HTML help compiler on the generated index.hhp.
# The file has to be specified with its full path.
# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
HHC_LOCATION =
# The GENERATE_CHI flag controls whether a separate .chi index file is generated
# (YES) or the index is included in the main .chm file (NO).
# The default value is: NO.
# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
GENERATE_CHI = NO
# The CHM_INDEX_ENCODING is used to encode HtmlHelp index (hhk), content (hhc)
# and project file content.
# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
CHM_INDEX_ENCODING =
# The BINARY_TOC flag controls whether a binary table of contents is generated
# (YES) or a normal table of contents (NO) in the .chm file. Furthermore it
# enables the Previous and Next buttons.
# The default value is: NO.
# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
BINARY_TOC = NO
# The TOC_EXPAND flag can be set to YES to add extra items for group members to
# the table of contents of the HTML help documentation and to the tree view.
# The default value is: NO.
# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
TOC_EXPAND = NO
# If the GENERATE_QHP tag is set to YES and both QHP_NAMESPACE and
# QHP_VIRTUAL_FOLDER are set, an additional index file will be generated that
# can be used as input for Qt's qhelpgenerator to generate a Qt Compressed Help
# (.qch) of the generated HTML documentation.
# The default value is: NO.
# This tag requires that the tag GENERATE_HTML is set to YES.
GENERATE_QHP = NO
# If the QHG_LOCATION tag is specified, the QCH_FILE tag can be used to specify
# the file name of the resulting .qch file. The path specified is relative to
# the HTML output folder.
# This tag requires that the tag GENERATE_QHP is set to YES.
QCH_FILE =
# The QHP_NAMESPACE tag specifies the namespace to use when generating Qt Help
# Project output. For more information please see Qt Help Project / Namespace
# (see:
# https://doc.qt.io/archives/qt-4.8/qthelpproject.html#namespace).
# The default value is: org.doxygen.Project.
# This tag requires that the tag GENERATE_QHP is set to YES.
QHP_NAMESPACE = org.doxygen.Project
# The QHP_VIRTUAL_FOLDER tag specifies the namespace to use when generating Qt
# Help Project output. For more information please see Qt Help Project / Virtual
# Folders (see:
# https://doc.qt.io/archives/qt-4.8/qthelpproject.html#virtual-folders).
# The default value is: doc.
# This tag requires that the tag GENERATE_QHP is set to YES.
QHP_VIRTUAL_FOLDER = doc
# If the QHP_CUST_FILTER_NAME tag is set, it specifies the name of a custom
# filter to add. For more information please see Qt Help Project / Custom
# Filters (see:
# https://doc.qt.io/archives/qt-4.8/qthelpproject.html#custom-filters).
# This tag requires that the tag GENERATE_QHP is set to YES.
QHP_CUST_FILTER_NAME =
# The QHP_CUST_FILTER_ATTRS tag specifies the list of the attributes of the
# custom filter to add. For more information please see Qt Help Project / Custom
# Filters (see:
# https://doc.qt.io/archives/qt-4.8/qthelpproject.html#custom-filters).
# This tag requires that the tag GENERATE_QHP is set to YES.
QHP_CUST_FILTER_ATTRS =
# The QHP_SECT_FILTER_ATTRS tag specifies the list of the attributes this
# project's filter section matches. Qt Help Project / Filter Attributes (see:
# https://doc.qt.io/archives/qt-4.8/qthelpproject.html#filter-attributes).
# This tag requires that the tag GENERATE_QHP is set to YES.
QHP_SECT_FILTER_ATTRS =
# The QHG_LOCATION tag can be used to specify the location (absolute path
# including file name) of Qt's qhelpgenerator. If non-empty doxygen will try to
# run qhelpgenerator on the generated .qhp file.
# This tag requires that the tag GENERATE_QHP is set to YES.
QHG_LOCATION =
# If the GENERATE_ECLIPSEHELP tag is set to YES, additional index files will be
# generated, together with the HTML files, they form an Eclipse help plugin. To
# install this plugin and make it available under the help contents menu in
# Eclipse, the contents of the directory containing the HTML and XML files needs
# to be copied into the plugins directory of eclipse. The name of the directory
# within the plugins directory should be the same as the ECLIPSE_DOC_ID value.
# After copying Eclipse needs to be restarted before the help appears.
# The default value is: NO.
# This tag requires that the tag GENERATE_HTML is set to YES.
GENERATE_ECLIPSEHELP = NO
# A unique identifier for the Eclipse help plugin. When installing the plugin
# the directory name containing the HTML and XML files should also have this
# name. Each documentation set should have its own identifier.
# The default value is: org.doxygen.Project.
# This tag requires that the tag GENERATE_ECLIPSEHELP is set to YES.
ECLIPSE_DOC_ID = org.doxygen.Project
# If you want full control over the layout of the generated HTML pages it might
# be necessary to disable the index and replace it with your own. The
# DISABLE_INDEX tag can be used to turn on/off the condensed index (tabs) at top
# of each HTML page. A value of NO enables the index and the value YES disables
# it. Since the tabs in the index contain the same information as the navigation
# tree, you can set this option to YES if you also set GENERATE_TREEVIEW to YES.
# The default value is: NO.
# This tag requires that the tag GENERATE_HTML is set to YES.
DISABLE_INDEX = NO
# The GENERATE_TREEVIEW tag is used to specify whether a tree-like index
# structure should be generated to display hierarchical information. If the tag
# value is set to YES, a side panel will be generated containing a tree-like
# index structure (just like the one that is generated for HTML Help). For this
# to work a browser that supports JavaScript, DHTML, CSS and frames is required
# (i.e. any modern browser). Windows users are probably better off using the
# HTML help feature. Via custom style sheets (see HTML_EXTRA_STYLESHEET) one can
# further fine-tune the look of the index. As an example, the default style
# sheet generated by doxygen has an example that shows how to put an image at
# the root of the tree instead of the PROJECT_NAME. Since the tree basically has
# the same information as the tab index, you could consider setting
# DISABLE_INDEX to YES when enabling this option.
# The default value is: NO.
# This tag requires that the tag GENERATE_HTML is set to YES.
GENERATE_TREEVIEW = NO
# The ENUM_VALUES_PER_LINE tag can be used to set the number of enum values that
# doxygen will group on one line in the generated HTML documentation.
#
# Note that a value of 0 will completely suppress the enum values from appearing
# in the overview section.
# Minimum value: 0, maximum value: 20, default value: 4.
# This tag requires that the tag GENERATE_HTML is set to YES.
ENUM_VALUES_PER_LINE = 4
# If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be used
# to set the initial width (in pixels) of the frame in which the tree is shown.
# Minimum value: 0, maximum value: 1500, default value: 250.
# This tag requires that the tag GENERATE_HTML is set to YES.
TREEVIEW_WIDTH = 250
# If the EXT_LINKS_IN_WINDOW option is set to YES, doxygen will open links to
# external symbols imported via tag files in a separate window.
# The default value is: NO.
# This tag requires that the tag GENERATE_HTML is set to YES.
EXT_LINKS_IN_WINDOW = NO
# If the HTML_FORMULA_FORMAT option is set to svg, doxygen will use the pdf2svg
# tool (see https://github.com/dawbarton/pdf2svg) or inkscape (see
# https://inkscape.org) to generate formulas as SVG images instead of PNGs for
# the HTML output. These images will generally look nicer at scaled resolutions.
# Possible values are: png (the default) and svg (looks nicer but requires the
# pdf2svg or inkscape tool).
# The default value is: png.
# This tag requires that the tag GENERATE_HTML is set to YES.
HTML_FORMULA_FORMAT = png
# Use this tag to change the font size of LaTeX formulas included as images in
# the HTML documentation. When you change the font size after a successful
# doxygen run you need to manually remove any form_*.png images from the HTML
# output directory to force them to be regenerated.
# Minimum value: 8, maximum value: 50, default value: 10.
# This tag requires that the tag GENERATE_HTML is set to YES.
FORMULA_FONTSIZE = 10
# Use the FORMULA_TRANSPARENT tag to determine whether or not the images
# generated for formulas are transparent PNGs. Transparent PNGs are not
# supported properly for IE 6.0, but are supported on all modern browsers.
#
# Note that when changing this option you need to delete any form_*.png files in
# the HTML output directory before the changes have effect.
# The default value is: YES.
# This tag requires that the tag GENERATE_HTML is set to YES.
FORMULA_TRANSPARENT = YES
# The FORMULA_MACROFILE can contain LaTeX \newcommand and \renewcommand commands
# to create new LaTeX commands to be used in formulas as building blocks. See
# the section "Including formulas" for details.
FORMULA_MACROFILE =
# Enable the USE_MATHJAX option to render LaTeX formulas using MathJax (see
# https://www.mathjax.org) which uses client side JavaScript for the rendering
# instead of using pre-rendered bitmaps. Use this if you do not have LaTeX
# installed or if you want the formulas to look prettier in the HTML output. When
# enabled you may also need to install MathJax separately and configure the path
# to it using the MATHJAX_RELPATH option.
# The default value is: NO.
# This tag requires that the tag GENERATE_HTML is set to YES.
USE_MATHJAX = NO
# When MathJax is enabled you can set the default output format to be used for
# the MathJax output. See the MathJax site (see:
# http://docs.mathjax.org/en/v2.7-latest/output.html) for more details.
# Possible values are: HTML-CSS (which is slower, but has the best
# compatibility), NativeMML (i.e. MathML) and SVG.
# The default value is: HTML-CSS.
# This tag requires that the tag USE_MATHJAX is set to YES.
MATHJAX_FORMAT = HTML-CSS
# When MathJax is enabled you need to specify the location relative to the HTML
# output directory using the MATHJAX_RELPATH option. The destination directory
# should contain the MathJax.js script. For instance, if the mathjax directory
# is located at the same level as the HTML output directory, then
# MATHJAX_RELPATH should be ../mathjax. The default value points to the MathJax
# Content Delivery Network so you can quickly see the result without installing
# MathJax. However, it is strongly recommended to install a local copy of
# MathJax from https://www.mathjax.org before deployment.
# The default value is: https://cdn.jsdelivr.net/npm/mathjax@2.
# This tag requires that the tag USE_MATHJAX is set to YES.
MATHJAX_RELPATH = https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.5/
# The MATHJAX_EXTENSIONS tag can be used to specify one or more MathJax
# extension names that should be enabled during MathJax rendering. For example
# MATHJAX_EXTENSIONS = TeX/AMSmath TeX/AMSsymbols
# This tag requires that the tag USE_MATHJAX is set to YES.
MATHJAX_EXTENSIONS =
# The MATHJAX_CODEFILE tag can be used to specify a file with javascript pieces
# of code that will be used on startup of the MathJax code. See the MathJax site
# (see:
# http://docs.mathjax.org/en/v2.7-latest/output.html) for more details. For an
# example see the documentation.
# This tag requires that the tag USE_MATHJAX is set to YES.
MATHJAX_CODEFILE =
# When the SEARCHENGINE tag is enabled doxygen will generate a search box for
# the HTML output. The underlying search engine uses javascript and DHTML and
# should work on any modern browser. Note that when using HTML help
# (GENERATE_HTMLHELP), Qt help (GENERATE_QHP), or docsets (GENERATE_DOCSET)
# there is already a search function so this one should typically be disabled.
# For large projects the javascript based search engine can be slow, then
# enabling SERVER_BASED_SEARCH may provide a better solution. It is possible to
# search using the keyboard; to jump to the search box use <access key> + S
# (what the <access key> is depends on the OS and browser, but it is typically
# <CTRL>, <ALT>/<option>, or both). Inside the search box use the <cursor down
# key> to jump into the search results window, the results can be navigated
# using the <cursor keys>. Press <Enter> to select an item or <escape> to cancel
# the search. The filter options can be selected when the cursor is inside the
# search box by pressing <Shift>+<cursor down>. Also here use the <cursor keys>
# to select a filter and <Enter> or <escape> to activate or cancel the filter
# option.
# The default value is: YES.
# This tag requires that the tag GENERATE_HTML is set to YES.
SEARCHENGINE = YES
# When the SERVER_BASED_SEARCH tag is enabled the search engine will be
# implemented using a web server instead of a web client using JavaScript. There
# are two flavors of web server based searching depending on the EXTERNAL_SEARCH
# setting. When disabled, doxygen will generate a PHP script for searching and
# an index file used by the script. When EXTERNAL_SEARCH is enabled the indexing
# and searching needs to be provided by external tools. See the section
# "External Indexing and Searching" for details.
# The default value is: NO.
# This tag requires that the tag SEARCHENGINE is set to YES.
SERVER_BASED_SEARCH = NO
# When EXTERNAL_SEARCH tag is enabled doxygen will no longer generate the PHP
# script for searching. Instead the search results are written to an XML file
# which needs to be processed by an external indexer. Doxygen will invoke an
# external search engine pointed to by the SEARCHENGINE_URL option to obtain the
# search results.
#
# Doxygen ships with an example indexer (doxyindexer) and search engine
# (doxysearch.cgi) which are based on the open source search engine library
# Xapian (see:
# https://xapian.org/).
#
# See the section "External Indexing and Searching" for details.
# The default value is: NO.
# This tag requires that the tag SEARCHENGINE is set to YES.
EXTERNAL_SEARCH = NO
# The SEARCHENGINE_URL should point to a search engine hosted by a web server
# which will return the search results when EXTERNAL_SEARCH is enabled.
#
# Doxygen ships with an example indexer (doxyindexer) and search engine
# (doxysearch.cgi) which are based on the open source search engine library
# Xapian (see:
# https://xapian.org/). See the section "External Indexing and Searching" for
# details.
# This tag requires that the tag SEARCHENGINE is set to YES.
SEARCHENGINE_URL =
# When SERVER_BASED_SEARCH and EXTERNAL_SEARCH are both enabled the unindexed
# search data is written to a file for indexing by an external tool. With the
# SEARCHDATA_FILE tag the name of this file can be specified.
# The default file is: searchdata.xml.
# This tag requires that the tag SEARCHENGINE is set to YES.
SEARCHDATA_FILE = searchdata.xml
# When SERVER_BASED_SEARCH and EXTERNAL_SEARCH are both enabled the
# EXTERNAL_SEARCH_ID tag can be used as an identifier for the project. This is
# useful in combination with EXTRA_SEARCH_MAPPINGS to search through multiple
# projects and redirect the results back to the right project.
# This tag requires that the tag SEARCHENGINE is set to YES.
EXTERNAL_SEARCH_ID =
# The EXTRA_SEARCH_MAPPINGS tag can be used to enable searching through doxygen
# projects other than the one defined by this configuration file, but that are
# all added to the same external search index. Each project needs to have a
# unique id set via EXTERNAL_SEARCH_ID. The search mapping then maps each id
# to a relative location where the documentation can be found. The format is:
# EXTRA_SEARCH_MAPPINGS = tagname1=loc1 tagname2=loc2 ...
# This tag requires that the tag SEARCHENGINE is set to YES.
EXTRA_SEARCH_MAPPINGS =
#---------------------------------------------------------------------------
# Configuration options related to the LaTeX output
#---------------------------------------------------------------------------
# If the GENERATE_LATEX tag is set to YES, doxygen will generate LaTeX output.
# The default value is: YES.
GENERATE_LATEX = NO
# The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put. If a
# relative path is entered the value of OUTPUT_DIRECTORY will be put in front of
# it.
# The default directory is: latex.
# This tag requires that the tag GENERATE_LATEX is set to YES.
LATEX_OUTPUT = latex
# The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be
# invoked.
#
# Note that when not enabling USE_PDFLATEX the default is latex; when enabling
# USE_PDFLATEX the default is pdflatex, and in the latter case, if latex is
# chosen, it is overwritten by pdflatex. For specific output languages the
# default may have been set differently; this depends on the implementation of
# the output language.
# This tag requires that the tag GENERATE_LATEX is set to YES.
LATEX_CMD_NAME =
# The MAKEINDEX_CMD_NAME tag can be used to specify the command name to generate
# index for LaTeX.
# Note: This tag is used in the Makefile / make.bat.
# See also: LATEX_MAKEINDEX_CMD for the part in the generated output file
# (.tex).
# The default file is: makeindex.
# This tag requires that the tag GENERATE_LATEX is set to YES.
MAKEINDEX_CMD_NAME = makeindex
# The LATEX_MAKEINDEX_CMD tag can be used to specify the command name to
# generate index for LaTeX. In case there is no backslash (\) as first character
# it will be automatically added in the LaTeX code.
# Note: This tag is used in the generated output file (.tex).
# See also: MAKEINDEX_CMD_NAME for the part in the Makefile / make.bat.
# The default value is: makeindex.
# This tag requires that the tag GENERATE_LATEX is set to YES.
LATEX_MAKEINDEX_CMD = \makeindex
# If the COMPACT_LATEX tag is set to YES, doxygen generates more compact LaTeX
# documents. This may be useful for small projects and may help to save some
# trees in general.
# The default value is: NO.
# This tag requires that the tag GENERATE_LATEX is set to YES.
COMPACT_LATEX = NO
# The PAPER_TYPE tag can be used to set the paper type that is used by the
# printer.
# Possible values are: a4 (210 x 297 mm), letter (8.5 x 11 inches), legal (8.5 x
# 14 inches) and executive (7.25 x 10.5 inches).
# The default value is: a4.
# This tag requires that the tag GENERATE_LATEX is set to YES.
PAPER_TYPE = a4
# The EXTRA_PACKAGES tag can be used to specify one or more LaTeX package names
# that should be included in the LaTeX output. The package can be specified just
# by its name or with the correct syntax as to be used with the LaTeX
# \usepackage command. To get the times font for instance you can specify :
# EXTRA_PACKAGES=times or EXTRA_PACKAGES={times}
# To use the option intlimits with the amsmath package you can specify:
# EXTRA_PACKAGES=[intlimits]{amsmath}
# If left blank no extra packages will be included.
# This tag requires that the tag GENERATE_LATEX is set to YES.
EXTRA_PACKAGES =
# The LATEX_HEADER tag can be used to specify a personal LaTeX header for the
# generated LaTeX document. The header should contain everything until the first
# chapter. If it is left blank doxygen will generate a standard header. See
# section "Doxygen usage" for information on how to let doxygen write the
# default header to a separate file.
#
# Note: Only use a user-defined header if you know what you are doing! The
# following commands have a special meaning inside the header: $title,
# $datetime, $date, $doxygenversion, $projectname, $projectnumber,
# $projectbrief, $projectlogo. Doxygen will replace $title with the empty
# string, for the replacement values of the other commands the user is referred
# to HTML_HEADER.
# This tag requires that the tag GENERATE_LATEX is set to YES.
LATEX_HEADER =
# The LATEX_FOOTER tag can be used to specify a personal LaTeX footer for the
# generated LaTeX document. The footer should contain everything after the last
# chapter. If it is left blank doxygen will generate a standard footer. See
# LATEX_HEADER for more information on how to generate a default footer and what
# special commands can be used inside the footer.
#
# Note: Only use a user-defined footer if you know what you are doing!
# This tag requires that the tag GENERATE_LATEX is set to YES.
LATEX_FOOTER =
# The LATEX_EXTRA_STYLESHEET tag can be used to specify additional user-defined
# LaTeX style sheets that are included after the standard style sheets created
# by doxygen. Using this option one can overrule certain style aspects. Doxygen
# will copy the style sheet files to the output directory.
# Note: The order of the extra style sheet files is of importance (e.g. the last
# style sheet in the list overrules the setting of the previous ones in the
# list).
# This tag requires that the tag GENERATE_LATEX is set to YES.
LATEX_EXTRA_STYLESHEET =
# The LATEX_EXTRA_FILES tag can be used to specify one or more extra images or
# other source files which should be copied to the LATEX_OUTPUT output
# directory. Note that the files will be copied as-is; there are no commands or
# markers available.
# This tag requires that the tag GENERATE_LATEX is set to YES.
LATEX_EXTRA_FILES =
# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated is
# prepared for conversion to PDF (using ps2pdf or pdflatex). The PDF file will
# contain links (just like the HTML output) instead of page references. This
# makes the output suitable for online browsing using a PDF viewer.
# The default value is: YES.
# This tag requires that the tag GENERATE_LATEX is set to YES.
PDF_HYPERLINKS = YES
# If the USE_PDFLATEX tag is set to YES, doxygen will use the engine as
# specified with LATEX_CMD_NAME to generate the PDF file directly from the LaTeX
# files. Set this option to YES, to get a higher quality PDF documentation.
#
# See also section LATEX_CMD_NAME for selecting the engine.
# The default value is: YES.
# This tag requires that the tag GENERATE_LATEX is set to YES.
USE_PDFLATEX = YES
# If the LATEX_BATCHMODE tag is set to YES, doxygen will add the \batchmode
# command to the generated LaTeX files. This will instruct LaTeX to keep running
# if errors occur, instead of asking the user for help. This option is also used
# when generating formulas in HTML.
# The default value is: NO.
# This tag requires that the tag GENERATE_LATEX is set to YES.
LATEX_BATCHMODE = NO
# If the LATEX_HIDE_INDICES tag is set to YES then doxygen will not include the
# index chapters (such as File Index, Compound Index, etc.) in the output.
# The default value is: NO.
# This tag requires that the tag GENERATE_LATEX is set to YES.
LATEX_HIDE_INDICES = NO
# If the LATEX_SOURCE_CODE tag is set to YES then doxygen will include source
# code with syntax highlighting in the LaTeX output.
#
# Note that which sources are shown also depends on other settings such as
# SOURCE_BROWSER.
# The default value is: NO.
# This tag requires that the tag GENERATE_LATEX is set to YES.
LATEX_SOURCE_CODE = NO
# The LATEX_BIB_STYLE tag can be used to specify the style to use for the
# bibliography, e.g. plainnat, or ieeetr. See
# https://en.wikipedia.org/wiki/BibTeX and \cite for more info.
# The default value is: plain.
# This tag requires that the tag GENERATE_LATEX is set to YES.
LATEX_BIB_STYLE = plain
# If the LATEX_TIMESTAMP tag is set to YES then the footer of each generated
# page will contain the date and time when the page was generated. Setting this
# to NO can help when comparing the output of multiple runs.
# The default value is: NO.
# This tag requires that the tag GENERATE_LATEX is set to YES.
LATEX_TIMESTAMP = NO
# The LATEX_EMOJI_DIRECTORY tag is used to specify the (relative or absolute)
# path from which the emoji images will be read. If a relative path is entered,
# it will be relative to the LATEX_OUTPUT directory. If left blank the
# LATEX_OUTPUT directory will be used.
# This tag requires that the tag GENERATE_LATEX is set to YES.
LATEX_EMOJI_DIRECTORY =
#---------------------------------------------------------------------------
# Configuration options related to the RTF output
#---------------------------------------------------------------------------
# If the GENERATE_RTF tag is set to YES, doxygen will generate RTF output. The
# RTF output is optimized for Word 97 and may not look too pretty with other RTF
# readers/editors.
# The default value is: NO.
GENERATE_RTF = NO
# The RTF_OUTPUT tag is used to specify where the RTF docs will be put. If a
# relative path is entered the value of OUTPUT_DIRECTORY will be put in front of
# it.
# The default directory is: rtf.
# This tag requires that the tag GENERATE_RTF is set to YES.
RTF_OUTPUT = rtf
# If the COMPACT_RTF tag is set to YES, doxygen generates more compact RTF
# documents. This may be useful for small projects and may help to save some
# trees in general.
# The default value is: NO.
# This tag requires that the tag GENERATE_RTF is set to YES.
COMPACT_RTF = NO
# If the RTF_HYPERLINKS tag is set to YES, the RTF that is generated will
# contain hyperlink fields. The RTF file will contain links (just like the HTML
# output) instead of page references. This makes the output suitable for online
# browsing using Word or some other Word compatible readers that support those
# fields.
#
# Note: WordPad (write) and others do not support links.
# The default value is: NO.
# This tag requires that the tag GENERATE_RTF is set to YES.
RTF_HYPERLINKS = NO
# Load stylesheet definitions from file. Syntax is similar to doxygen's
# configuration file, i.e. a series of assignments. You only have to provide
# replacements, missing definitions are set to their default value.
#
# See also section "Doxygen usage" for information on how to generate the
# default style sheet that doxygen normally uses.
# This tag requires that the tag GENERATE_RTF is set to YES.
RTF_STYLESHEET_FILE =
# Set optional variables used in the generation of an RTF document. Syntax is
# similar to doxygen's configuration file. A template extensions file can be
# generated using doxygen -e rtf extensionFile.
# This tag requires that the tag GENERATE_RTF is set to YES.
RTF_EXTENSIONS_FILE =
# If the RTF_SOURCE_CODE tag is set to YES then doxygen will include source code
# with syntax highlighting in the RTF output.
#
# Note that which sources are shown also depends on other settings such as
# SOURCE_BROWSER.
# The default value is: NO.
# This tag requires that the tag GENERATE_RTF is set to YES.
RTF_SOURCE_CODE = NO
#---------------------------------------------------------------------------
# Configuration options related to the man page output
#---------------------------------------------------------------------------
# If the GENERATE_MAN tag is set to YES, doxygen will generate man pages for
# classes and files.
# The default value is: NO.
GENERATE_MAN = YES
# The MAN_OUTPUT tag is used to specify where the man pages will be put. If a
# relative path is entered the value of OUTPUT_DIRECTORY will be put in front of
# it. A directory man3 will be created inside the directory specified by
# MAN_OUTPUT.
# The default directory is: man.
# This tag requires that the tag GENERATE_MAN is set to YES.
MAN_OUTPUT = man
# The MAN_EXTENSION tag determines the extension that is added to the generated
# man pages. In case the manual section does not start with a number, the number
# 3 is prepended. The dot (.) at the beginning of the MAN_EXTENSION tag is
# optional.
# The default value is: .3.
# This tag requires that the tag GENERATE_MAN is set to YES.
MAN_EXTENSION = .3
# The MAN_SUBDIR tag determines the name of the directory created within
# MAN_OUTPUT in which the man pages are placed. It defaults to man followed by
# MAN_EXTENSION with the initial . removed.
# This tag requires that the tag GENERATE_MAN is set to YES.
MAN_SUBDIR =
# If the MAN_LINKS tag is set to YES and doxygen generates man output, then it
# will generate one additional man file for each entity documented in the real
# man page(s). These additional files only source the real man page, but without
# them the man command would be unable to find the correct page.
# The default value is: NO.
# This tag requires that the tag GENERATE_MAN is set to YES.
MAN_LINKS = NO
#---------------------------------------------------------------------------
# Configuration options related to the XML output
#---------------------------------------------------------------------------
# If the GENERATE_XML tag is set to YES, doxygen will generate an XML file that
# captures the structure of the code including all documentation.
# The default value is: NO.
GENERATE_XML = NO
# The XML_OUTPUT tag is used to specify where the XML pages will be put. If a
# relative path is entered the value of OUTPUT_DIRECTORY will be put in front of
# it.
# The default directory is: xml.
# This tag requires that the tag GENERATE_XML is set to YES.
XML_OUTPUT = xml
# If the XML_PROGRAMLISTING tag is set to YES, doxygen will dump the program
# listings (including syntax highlighting and cross-referencing information) to
# the XML output. Note that enabling this will significantly increase the size
# of the XML output.
# The default value is: YES.
# This tag requires that the tag GENERATE_XML is set to YES.
XML_PROGRAMLISTING = YES
# If the XML_NS_MEMB_FILE_SCOPE tag is set to YES, doxygen will include
# namespace members in file scope as well, matching the HTML output.
# The default value is: NO.
# This tag requires that the tag GENERATE_XML is set to YES.
XML_NS_MEMB_FILE_SCOPE = NO
#---------------------------------------------------------------------------
# Configuration options related to the DOCBOOK output
#---------------------------------------------------------------------------
# If the GENERATE_DOCBOOK tag is set to YES, doxygen will generate Docbook files
# that can be used to generate PDF.
# The default value is: NO.
GENERATE_DOCBOOK = NO
# The DOCBOOK_OUTPUT tag is used to specify where the Docbook pages will be put.
# If a relative path is entered the value of OUTPUT_DIRECTORY will be put in
# front of it.
# The default directory is: docbook.
# This tag requires that the tag GENERATE_DOCBOOK is set to YES.
DOCBOOK_OUTPUT = docbook
# If the DOCBOOK_PROGRAMLISTING tag is set to YES, doxygen will include the
# program listings (including syntax highlighting and cross-referencing
# information) to the DOCBOOK output. Note that enabling this will significantly
# increase the size of the DOCBOOK output.
# The default value is: NO.
# This tag requires that the tag GENERATE_DOCBOOK is set to YES.
DOCBOOK_PROGRAMLISTING = NO
#---------------------------------------------------------------------------
# Configuration options for the AutoGen Definitions output
#---------------------------------------------------------------------------
# If the GENERATE_AUTOGEN_DEF tag is set to YES, doxygen will generate an
# AutoGen Definitions (see http://autogen.sourceforge.net/) file that captures
# the structure of the code including all documentation. Note that this feature
# is still experimental and incomplete at the moment.
# The default value is: NO.
GENERATE_AUTOGEN_DEF = NO
#---------------------------------------------------------------------------
# Configuration options related to the Perl module output
#---------------------------------------------------------------------------
# If the GENERATE_PERLMOD tag is set to YES, doxygen will generate a Perl module
# file that captures the structure of the code including all documentation.
#
# Note that this feature is still experimental and incomplete at the moment.
# The default value is: NO.
GENERATE_PERLMOD = NO
# If the PERLMOD_LATEX tag is set to YES, doxygen will generate the necessary
# Makefile rules, Perl scripts and LaTeX code to be able to generate PDF and DVI
# output from the Perl module output.
# The default value is: NO.
# This tag requires that the tag GENERATE_PERLMOD is set to YES.
PERLMOD_LATEX = NO
# If the PERLMOD_PRETTY tag is set to YES, the Perl module output will be nicely
# formatted so it can be parsed by a human reader. This is useful if you want to
# understand what is going on. On the other hand, if this tag is set to NO, the
# size of the Perl module output will be much smaller and Perl will parse it
# just the same.
# The default value is: YES.
# This tag requires that the tag GENERATE_PERLMOD is set to YES.
PERLMOD_PRETTY = YES
# The names of the make variables in the generated doxyrules.make file are
# prefixed with the string contained in PERLMOD_MAKEVAR_PREFIX. This is useful
# so different doxyrules.make files included by the same Makefile don't
# overwrite each other's variables.
# This tag requires that the tag GENERATE_PERLMOD is set to YES.
PERLMOD_MAKEVAR_PREFIX =
#---------------------------------------------------------------------------
# Configuration options related to the preprocessor
#---------------------------------------------------------------------------
# If the ENABLE_PREPROCESSING tag is set to YES, doxygen will evaluate all
# C-preprocessor directives found in the sources and include files.
# The default value is: YES.
ENABLE_PREPROCESSING = YES
# If the MACRO_EXPANSION tag is set to YES, doxygen will expand all macro names
# in the source code. If set to NO, only conditional compilation will be
# performed. Macro expansion can be done in a controlled way by setting
# EXPAND_ONLY_PREDEF to YES.
# The default value is: NO.
# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
MACRO_EXPANSION = NO
# If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES then
# the macro expansion is limited to the macros specified with the PREDEFINED and
# EXPAND_AS_DEFINED tags.
# The default value is: NO.
# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
EXPAND_ONLY_PREDEF = NO
# If the SEARCH_INCLUDES tag is set to YES, the include files in the
# INCLUDE_PATH will be searched if a #include is found.
# The default value is: YES.
# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
SEARCH_INCLUDES = YES
# The INCLUDE_PATH tag can be used to specify one or more directories that
# contain include files that are not input files but should be processed by the
# preprocessor.
# This tag requires that the tag SEARCH_INCLUDES is set to YES.
INCLUDE_PATH =
# You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard
# patterns (like *.h and *.hpp) to filter out the header-files in the
# directories. If left blank, the patterns specified with FILE_PATTERNS will be
# used.
# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
INCLUDE_FILE_PATTERNS =
# The PREDEFINED tag can be used to specify one or more macro names that are
# defined before the preprocessor is started (similar to the -D option of e.g.
# gcc). The argument of the tag is a list of macros of the form: name or
# name=definition (no spaces). If the definition and the "=" are omitted, "=1"
# is assumed. To prevent a macro definition from being undefined via #undef or
# recursively expanded use the := operator instead of the = operator.
# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
PREDEFINED =
# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then this
# tag can be used to specify a list of macro names that should be expanded. The
# macro definition that is found in the sources will be used. Use the PREDEFINED
# tag if you want to use a different macro definition that overrules the
# definition found in the source code.
# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
EXPAND_AS_DEFINED =
# If the SKIP_FUNCTION_MACROS tag is set to YES then doxygen's preprocessor will
# remove all references to function-like macros that are alone on a line, have
# an all uppercase name, and do not end with a semicolon. Such function macros
# are typically used for boiler-plate code, and will confuse the parser if not
# removed.
# The default value is: YES.
# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
SKIP_FUNCTION_MACROS = YES
#---------------------------------------------------------------------------
# Configuration options related to external references
#---------------------------------------------------------------------------
# The TAGFILES tag can be used to specify one or more tag files. For each tag
# file the location of the external documentation should be added. The format of
# a tag file without this location is as follows:
# TAGFILES = file1 file2 ...
# Adding location for the tag files is done as follows:
# TAGFILES = file1=loc1 "file2 = loc2" ...
# where loc1 and loc2 can be relative or absolute paths or URLs. See the
# section "Linking to external documentation" for more information about the use
# of tag files.
# Note: Each tag file must have a unique name (where the name does NOT include
# the path). If a tag file is not located in the directory in which doxygen is
# run, you must also specify the path to the tagfile here.
TAGFILES =
# When a file name is specified after GENERATE_TAGFILE, doxygen will create a
# tag file that is based on the input files it reads. See section "Linking to
# external documentation" for more information about the usage of tag files.
GENERATE_TAGFILE =
# If the ALLEXTERNALS tag is set to YES, all external classes will be listed in
# the class index. If set to NO, only the inherited external classes will be
# listed.
# The default value is: NO.
ALLEXTERNALS = NO
# If the EXTERNAL_GROUPS tag is set to YES, all external groups will be listed
# in the modules index. If set to NO, only the current project's groups will be
# listed.
# The default value is: YES.
EXTERNAL_GROUPS = YES
# If the EXTERNAL_PAGES tag is set to YES, all external pages will be listed in
# the related pages index. If set to NO, only the current project's pages will
# be listed.
# The default value is: YES.
EXTERNAL_PAGES = YES
#---------------------------------------------------------------------------
# Configuration options related to the dot tool
#---------------------------------------------------------------------------
# If the CLASS_DIAGRAMS tag is set to YES, doxygen will generate a class diagram
# (in HTML and LaTeX) for classes with base or super classes. Setting the tag to
# NO turns the diagrams off. Note that this option also works with HAVE_DOT
# disabled, but it is recommended to install and use dot, since it yields more
# powerful graphs.
# The default value is: YES.
CLASS_DIAGRAMS = YES
# You can include diagrams made with dia in doxygen documentation. Doxygen will
# then run dia to produce the diagram and insert it in the documentation. The
# DIA_PATH tag allows you to specify the directory where the dia binary resides.
# If left empty dia is assumed to be found in the default search path.
DIA_PATH =
# If set to YES the inheritance and collaboration graphs will hide inheritance
# and usage relations if the target is undocumented or is not a class.
# The default value is: YES.
HIDE_UNDOC_RELATIONS = YES
# If you set the HAVE_DOT tag to YES then doxygen will assume the dot tool is
# available from the path. This tool is part of Graphviz (see:
# http://www.graphviz.org/), a graph visualization toolkit from AT&T and Lucent
# Bell Labs. The other options in this section have no effect if this option is
# set to NO.
# The default value is: NO.
HAVE_DOT = NO
# The DOT_NUM_THREADS specifies the number of dot invocations doxygen is allowed
# to run in parallel. When set to 0 doxygen will base this on the number of
# processors available in the system. You can set it explicitly to a value
# larger than 0 to get control over the balance between CPU load and processing
# speed.
# Minimum value: 0, maximum value: 32, default value: 0.
# This tag requires that the tag HAVE_DOT is set to YES.
DOT_NUM_THREADS = 0
# When you want a differently looking font in the dot files that doxygen
# generates you can specify the font name using DOT_FONTNAME. You need to make
# sure dot is able to find the font, which can be done by putting it in a
# standard location or by setting the DOTFONTPATH environment variable or by
# setting DOT_FONTPATH to the directory containing the font.
# The default value is: Helvetica.
# This tag requires that the tag HAVE_DOT is set to YES.
DOT_FONTNAME = Helvetica
# The DOT_FONTSIZE tag can be used to set the size (in points) of the font of
# dot graphs.
# Minimum value: 4, maximum value: 24, default value: 10.
# This tag requires that the tag HAVE_DOT is set to YES.
DOT_FONTSIZE = 10
# By default doxygen will tell dot to use the default font as specified with
# DOT_FONTNAME. If you specify a different font using DOT_FONTNAME you can set
# the path where dot can find it using this tag.
# This tag requires that the tag HAVE_DOT is set to YES.
DOT_FONTPATH =
# If the CLASS_GRAPH tag is set to YES then doxygen will generate a graph for
# each documented class showing the direct and indirect inheritance relations.
# Setting this tag to YES will force the CLASS_DIAGRAMS tag to NO.
# The default value is: YES.
# This tag requires that the tag HAVE_DOT is set to YES.
CLASS_GRAPH = YES
# If the COLLABORATION_GRAPH tag is set to YES then doxygen will generate a
# graph for each documented class showing the direct and indirect implementation
# dependencies (inheritance, containment, and class references variables) of the
# class with other documented classes.
# The default value is: YES.
# This tag requires that the tag HAVE_DOT is set to YES.
COLLABORATION_GRAPH = YES
# If the GROUP_GRAPHS tag is set to YES then doxygen will generate a graph for
# groups, showing the direct groups dependencies.
# The default value is: YES.
# This tag requires that the tag HAVE_DOT is set to YES.
GROUP_GRAPHS = YES
# If the UML_LOOK tag is set to YES, doxygen will generate inheritance and
# collaboration diagrams in a style similar to the OMG's Unified Modeling
# Language.
# The default value is: NO.
# This tag requires that the tag HAVE_DOT is set to YES.
UML_LOOK = NO
# If the UML_LOOK tag is enabled, the fields and methods are shown inside the
# class node. If there are many fields or methods and many nodes the graph may
# become too big to be useful. The UML_LIMIT_NUM_FIELDS threshold limits the
# number of items for each type to make the size more manageable. Set this to 0
# for no limit. Note that the threshold may be exceeded by 50% before the limit
# is enforced. So when you set the threshold to 10, up to 15 fields may appear,
# but if the number exceeds 15, the total amount of fields shown is limited to
# 10.
# Minimum value: 0, maximum value: 100, default value: 10.
# This tag requires that the tag UML_LOOK is set to YES.
UML_LIMIT_NUM_FIELDS = 10
# If the DOT_UML_DETAILS tag is set to NO, doxygen will show attributes and
# methods without types and arguments in the UML graphs. If the DOT_UML_DETAILS
# tag is set to YES, doxygen will add type and arguments for attributes and
# methods in the UML graphs. If the DOT_UML_DETAILS tag is set to NONE, doxygen
# will not generate fields with class member information in the UML graphs. The
# class diagrams will look similar to the default class diagrams but using UML
# notation for the relationships.
# Possible values are: NO, YES and NONE.
# The default value is: NO.
# This tag requires that the tag UML_LOOK is set to YES.
DOT_UML_DETAILS = NO
# The DOT_WRAP_THRESHOLD tag can be used to set the maximum number of characters
# to display on a single line. If the actual line length exceeds this threshold
# significantly it will be wrapped across multiple lines. Some heuristics are
# applied to avoid ugly line breaks.
# Minimum value: 0, maximum value: 1000, default value: 17.
# This tag requires that the tag HAVE_DOT is set to YES.
DOT_WRAP_THRESHOLD = 17
# If the TEMPLATE_RELATIONS tag is set to YES then the inheritance and
# collaboration graphs will show the relations between templates and their
# instances.
# The default value is: NO.
# This tag requires that the tag HAVE_DOT is set to YES.
TEMPLATE_RELATIONS = NO
# If the INCLUDE_GRAPH, ENABLE_PREPROCESSING and SEARCH_INCLUDES tags are set to
# YES then doxygen will generate a graph for each documented file showing the
# direct and indirect include dependencies of the file with other documented
# files.
# The default value is: YES.
# This tag requires that the tag HAVE_DOT is set to YES.
INCLUDE_GRAPH = YES
# If the INCLUDED_BY_GRAPH, ENABLE_PREPROCESSING and SEARCH_INCLUDES tags are
# set to YES then doxygen will generate a graph for each documented file showing
# the direct and indirect include dependencies of the file with other documented
# files.
# The default value is: YES.
# This tag requires that the tag HAVE_DOT is set to YES.
INCLUDED_BY_GRAPH = YES
# If the CALL_GRAPH tag is set to YES then doxygen will generate a call
# dependency graph for every global function or class method.
#
# Note that enabling this option will significantly increase the time of a run.
# So in most cases it will be better to enable call graphs for selected
# functions only using the \callgraph command. Disabling a call graph can be
# accomplished by means of the command \hidecallgraph.
# The default value is: NO.
# This tag requires that the tag HAVE_DOT is set to YES.
CALL_GRAPH = NO
# If the CALLER_GRAPH tag is set to YES then doxygen will generate a caller
# dependency graph for every global function or class method.
#
# Note that enabling this option will significantly increase the time of a run.
# So in most cases it will be better to enable caller graphs for selected
# functions only using the \callergraph command. Disabling a caller graph can be
# accomplished by means of the command \hidecallergraph.
# The default value is: NO.
# This tag requires that the tag HAVE_DOT is set to YES.
CALLER_GRAPH = NO
# If the GRAPHICAL_HIERARCHY tag is set to YES then doxygen will show a
# graphical hierarchy of all classes instead of a textual one.
# The default value is: YES.
# This tag requires that the tag HAVE_DOT is set to YES.
GRAPHICAL_HIERARCHY = YES
# If the DIRECTORY_GRAPH tag is set to YES then doxygen will show the
# dependencies a directory has on other directories in a graphical way. The
# dependency relations are determined by the #include relations between the
# files in the directories.
# The default value is: YES.
# This tag requires that the tag HAVE_DOT is set to YES.
DIRECTORY_GRAPH = YES
# The DOT_IMAGE_FORMAT tag can be used to set the image format of the images
# generated by dot. For an explanation of the image formats see the section
# output formats in the documentation of the dot tool (Graphviz (see:
# http://www.graphviz.org/)).
# Note: If you choose svg you need to set HTML_FILE_EXTENSION to xhtml in order
# to make the SVG files visible in IE 9+ (other browsers do not have this
# requirement).
# Possible values are: png, jpg, gif, svg, png:gd, png:gd:gd, png:cairo,
# png:cairo:gd, png:cairo:cairo, png:cairo:gdiplus, png:gdiplus and
# png:gdiplus:gdiplus.
# The default value is: png.
# This tag requires that the tag HAVE_DOT is set to YES.
DOT_IMAGE_FORMAT = png
# If DOT_IMAGE_FORMAT is set to svg, then this option can be set to YES to
# enable generation of interactive SVG images that allow zooming and panning.
#
# Note that this requires a modern browser other than Internet Explorer. Tested
# and working are Firefox, Chrome, Safari, and Opera.
# Note: For IE 9+ you need to set HTML_FILE_EXTENSION to xhtml in order to make
# the SVG files visible. Older versions of IE do not have SVG support.
# The default value is: NO.
# This tag requires that the tag HAVE_DOT is set to YES.
INTERACTIVE_SVG = NO
# The DOT_PATH tag can be used to specify the path where the dot tool can be
# found. If left blank, it is assumed the dot tool can be found in the path.
# This tag requires that the tag HAVE_DOT is set to YES.
DOT_PATH =
# The DOTFILE_DIRS tag can be used to specify one or more directories that
# contain dot files that are included in the documentation (see the \dotfile
# command).
# This tag requires that the tag HAVE_DOT is set to YES.
DOTFILE_DIRS =
# The MSCFILE_DIRS tag can be used to specify one or more directories that
# contain msc files that are included in the documentation (see the \mscfile
# command).
MSCFILE_DIRS =
# The DIAFILE_DIRS tag can be used to specify one or more directories that
# contain dia files that are included in the documentation (see the \diafile
# command).
DIAFILE_DIRS =
# When using plantuml, the PLANTUML_JAR_PATH tag should be used to specify the
# path where java can find the plantuml.jar file. If left blank, it is assumed
# PlantUML is not used or called during a preprocessing step. Doxygen will
# generate a warning when it encounters a \startuml command in this case and
# will not generate output for the diagram.
PLANTUML_JAR_PATH =
# When using plantuml, the PLANTUML_CFG_FILE tag can be used to specify a
# configuration file for plantuml.
PLANTUML_CFG_FILE =
# When using plantuml, the specified paths are searched for files specified by
# the !include statement in a plantuml block.
PLANTUML_INCLUDE_PATH =
# The DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of nodes
# that will be shown in the graph. If the number of nodes in a graph becomes
# larger than this value, doxygen will truncate the graph, which is visualized
# by representing a node as a red box. Note that if the number of direct
# children of the root node in a graph is already larger than
# DOT_GRAPH_MAX_NODES, doxygen will not show the graph at all. Also note that
# the size of a graph can be further restricted by MAX_DOT_GRAPH_DEPTH.
# Minimum value: 0, maximum value: 10000, default value: 50.
# This tag requires that the tag HAVE_DOT is set to YES.
DOT_GRAPH_MAX_NODES = 50
# The MAX_DOT_GRAPH_DEPTH tag can be used to set the maximum depth of the graphs
# generated by dot. A depth value of 3 means that only nodes reachable from the
# root by following a path via at most 3 edges will be shown. Nodes that lie
# further from the root node will be omitted. Note that setting this option to 1
# or 2 may greatly reduce the computation time needed for large code bases. Also
# note that the size of a graph can be further restricted by
# DOT_GRAPH_MAX_NODES. Using a depth of 0 means no depth restriction.
# Minimum value: 0, maximum value: 1000, default value: 0.
# This tag requires that the tag HAVE_DOT is set to YES.
MAX_DOT_GRAPH_DEPTH = 0
# Set the DOT_TRANSPARENT tag to YES to generate images with a transparent
# background. This is disabled by default, because dot on Windows does not seem
# to support this out of the box.
#
# Warning: Depending on the platform used, enabling this option may lead to
# badly anti-aliased labels on the edges of a graph (i.e. they become hard to
# read).
# The default value is: NO.
# This tag requires that the tag HAVE_DOT is set to YES.
DOT_TRANSPARENT = NO
# Set the DOT_MULTI_TARGETS tag to YES to allow dot to generate multiple output
# files in one run (i.e. multiple -o and -T options on the command line). This
# makes dot run faster, but since only newer versions of dot (>1.8.10) support
# this, this feature is disabled by default.
# The default value is: NO.
# This tag requires that the tag HAVE_DOT is set to YES.
DOT_MULTI_TARGETS = NO
# If the GENERATE_LEGEND tag is set to YES doxygen will generate a legend page
# explaining the meaning of the various boxes and arrows in the dot generated
# graphs.
# The default value is: YES.
# This tag requires that the tag HAVE_DOT is set to YES.
GENERATE_LEGEND = YES
# If the DOT_CLEANUP tag is set to YES, doxygen will remove the intermediate
# files that are used to generate the various graphs.
#
# Note: This setting is not only used for dot files but also for msc and
# plantuml temporary files.
# The default value is: YES.
DOT_CLEANUP = YES
0707010000000E000081A40000000000000000000000016602CAFD0000076C000000000000000000000000000000000000002600000000tpm2-totp-20240326.33e1986/INSTALL.md# Dependencies
## GNU/Linux
* GNU Autoconf
* GNU Autoconf Archive
* GNU Automake
* GNU Libtool
* C compiler
* C library development libraries and header files
* pkg-config
* tpm2-tss >= 2.3
* libqrencode
* pandoc (optional, for man pages)
* doxygen (optional, for man pages)
* plymouth header files (optional, for initramfs integration)
For the integration test suite:
* liboath
* [swtpm](https://github.com/stefanberger/swtpm) or [tpm_server](https://sourceforge.net/projects/ibmswtpm2/)
* realpath
* ss
## Ubuntu
```
sudo apt -y install \
build-essential \
autoconf \
autoconf-archive \
automake \
m4 \
libtool \
gcc \
pkg-config \
libqrencode-dev \
pandoc \
doxygen \
liboath-dev \
iproute2 \
plymouth \
libplymouth-dev
git clone --depth=1 http://www.github.com/tpm2-software/tpm2-tss
cd tpm2-tss
./bootstrap
./configure
make -j$(nproc)
sudo make install
```
# Building from source
```
./bootstrap
./configure
make -j$(nproc)
make -j$(nproc) check
sudo make install
```
# Configuration options
You may pass the following options to `./configure`
## Debug messages
This option will enable a lot of debug printing during the invocation of the
library:
```
./configure --enable-debug
```
## Developer linking
In order to link against a developer version of tpm2-tss (not installed):
```
./configure \
PKG_CONFIG_PATH=${TPM2TSS}/lib:$PKG_CONFIG_PATH \
CFLAGS=-I${TPM2TSS}/include \
LDFLAGS=-L${TPM2TSS}/src/tss2-{tcti,mu,sys,esys}/.libs
```
# initramfs-tools and mkinitcpio integration
To make sure that the hooks get installed to the correct directory, either use
```
./configure --sysconfdir=/etc
```
or set the correct directory directly with the `--with-initramfstoolsdir`/
`--with-mkinitcpiodir` configuration option.
# Post installation
## ldconfig
You may need to run ldconfig after `make install` to update runtime bindings:
```
sudo ldconfig
```
0707010000000F000081A40000000000000000000000016602CAFD000005F6000000000000000000000000000000000000002300000000tpm2-totp-20240326.33e1986/LICENSEBSD 3-Clause License
Copyright (c) 2019, Linux TPM2 & TSS2 Software
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
* Neither the name of the copyright holder nor the names of its
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
07070100000010000081A40000000000000000000000016602CAFD0000008E000000000000000000000000000000000000002700000000tpm2-totp-20240326.33e1986/MAINTAINERSAndreas Fuchs <andreas.fuchs@sit.fraunhofer.de>
Juergen Repp <juergen.repp@sit.fraunhofer.de> (occasionally)
Jonas Witschel <diabonas@gmx.de>
07070100000011000081A40000000000000000000000016602CAFD00001A95000000000000000000000000000000000000002700000000tpm2-totp-20240326.33e1986/Makefile.am# SPDX-License-Identifier: BSD-3-Clause
# Copyright (c) 2018 Fraunhofer SIT
# All rights reserved.
# '-include' tolerates a missing git.mk; the GITIGNORE_* variables referenced
# below appear to be supplied by it — verify against git.mk.
-include $(top_srcdir)/git.mk
### Initialize global variables used throughout the file ###
INCLUDE_DIRS = -I$(srcdir)/include -I$(srcdir)/src
ACLOCAL_AMFLAGS = -I m4 --install
AM_CFLAGS = $(INCLUDE_DIRS) $(EXTRA_CFLAGS) $(TSS2_ESYS_CFLAGS) \
$(TSS2_MU_CFLAGS) $(CODE_COVERAGE_CFLAGS)
AM_LDFLAGS = $(EXTRA_LDFLAGS) $(CODE_COVERAGE_LIBS)
AM_LDADD = $(TSS2_ESYS_LIBS) $(TSS2_MU_LIBS)
# '$$' escapes the dollar for make, so the inner distcheck configure receives
# a literal '$(libdir)' and expands it itself.
AM_DISTCHECK_CONFIGURE_FLAGS = --with-dracutmodulesdir='$$(libdir)/dracut/modules.d' \
--with-systemdsystemunitdir='$$(libdir)/systemd/system'
# Initialize empty variables to be extended throughout
bin_PROGRAMS =
libexec_PROGRAMS =
helpers_PROGRAMS =
noinst_PROGRAMS =
check_PROGRAMS =
include_HEADERS =
lib_LTLIBRARIES =
noinst_LTLIBRARIES =
EXTRA_DIST =
DISTCLEANFILES =
CLEANFILES =
MOSTLYCLEANFILES =
MAINTAINERCLEANFILES = \
$(DIST_ARCHIVES) \
AUTHORS
GITIGNOREFILES = \
$(GITIGNORE_MAINTAINERCLEANFILES_TOPLEVEL) \
$(GITIGNORE_MAINTAINERCLEANFILES_MAKEFILE_IN) \
$(GITIGNORE_MAINTAINERCLEANFILES_M4_LIBTOOL) \
aminclude_static.am \
m4/ax_ac_append_to_file.m4 \
m4/ax_ac_print_to_file.m4 \
m4/ax_add_am_macro_static.m4 \
m4/ax_add_fortify_source.m4 \
m4/ax_am_macros_static.m4 \
m4/ax_check_compile_flag.m4 \
m4/ax_check_enable_debug.m4 \
m4/ax_check_gnu_make.m4 \
m4/ax_check_link_flag.m4 \
m4/ax_code_coverage.m4 \
m4/ax_file_escapes.m4 \
m4/ax_is_release.m4 \
m4/ax_prog_doxygen.m4 \
m4/ax_recursive_eval.m4 \
m4/pkg.m4
### Add ax_* rules ###
# ax_code_coverage
# Newer ax_code_coverage ships its rules in aminclude_static.am; older
# versions substitute them via @CODE_COVERAGE_RULES@.  configure.ac sets the
# conditional to tell the two apart.
if AUTOCONF_CODE_COVERAGE_2019_01_06
include $(top_srcdir)/aminclude_static.am
clean-local: code-coverage-clean
distclean-local: code-coverage-dist-clean
else
@CODE_COVERAGE_RULES@
endif
# ax_prog_doxygen
@DX_RULES@
MOSTLYCLEANFILES += $(DX_CLEANFILES)
### Library ###
lib_LTLIBRARIES += libtpm2-totp.la
include_HEADERS += include/tpm2-totp.h
libtpm2_totp_la_SOURCES = src/libtpm2-totp.c
libtpm2_totp_la_LIBADD = $(AM_LDADD)
libtpm2_totp_la_LDFLAGS = $(AM_LDFLAGS)
pkgconfig_DATA = dist/tpm2-totp.pc
### Executable ###
bin_PROGRAMS += tpm2-totp
tpm2_totp_SOURCES = src/tpm2-totp.c
tpm2_totp_CFLAGS = $(AM_CFLAGS) $(TSS2_TCTILDR_CFLAGS) $(TSS2_RC_CFLAGS) $(QRENCODE_CFLAGS)
tpm2_totp_LDADD = $(AM_LDADD) $(TSS2_TCTILDR_LIBS) $(TSS2_RC_LIBS) $(QRENCODE_LIBS) libtpm2-totp.la
tpm2_totp_LDFLAGS = $(AM_LDFLAGS)
# The plymouth helper is installed under helpersdir (libexec), not bindir.
if HAVE_PLYMOUTH
helpers_PROGRAMS += plymouth-tpm2-totp
plymouth_tpm2_totp_SOURCES = src/plymouth-tpm2-totp.c
plymouth_tpm2_totp_CFLAGS = $(AM_CFLAGS) $(TSS2_TCTILDR_CFLAGS) $(PLY_BOOT_CLIENT_CFLAGS)
plymouth_tpm2_totp_LDADD = $(AM_LDADD) $(TSS2_TCTILDR_LIBS) $(PLY_BOOT_CLIENT_LIBS) libtpm2-totp.la
plymouth_tpm2_totp_LDFLAGS = $(AM_LDFLAGS)
endif # HAVE_PLYMOUTH
### Tests ###
# Integration tests run only when configure enabled INTEGRATION; the test
# scripts are always distributed regardless.
TESTS =
if INTEGRATION
TESTS += $(TESTS_SHELL)
if HAVE_PLYMOUTH
TESTS += $(TESTS_PLYMOUTH)
endif # HAVE_PLYMOUTH
endif #INTEGRATION
TESTS_SHELL = test/libtpm2-totp.sh \
test/tpm2-totp.sh
TESTS_PLYMOUTH = test/plymouth-tpm2-totp.sh
EXTRA_DIST += $(TESTS_SHELL) $(TESTS_PLYMOUTH)
TEST_EXTENSIONS = .sh
SH_LOG_COMPILER = $(srcdir)/test/sh_log_compiler.sh
EXTRA_DIST += $(SH_LOG_COMPILER)
if INTEGRATION
check_PROGRAMS += libtpm2-totp
libtpm2_totp_SOURCES = test/libtpm2-totp.c
libtpm2_totp_CFLAGS = $(AM_CFLAGS) $(TSS2_TCTILDR_CFLAGS) $(OATH_CFLAGS)
libtpm2_totp_LDADD = $(AM_LDADD) $(TSS2_TCTILDR_LIBS) $(OATH_LIBS) libtpm2-totp.la
libtpm2_totp_LDFLAGS = $(AM_LDFLAGS) $(OATH_LDFLAGS)
endif #INTEGRATION
# Adding user and developer information
EXTRA_DIST += \
CHANGELOG.md \
CONTRIBUTING.md \
INSTALL.md \
LICENSE \
README.md \
VERSION
# Generate the AUTHORS file from git log
# The grep drops GitHub's synthesised noreply addresses; sort -u dedupes.
# Requires a git checkout, which is why AUTHORS is also in MAINTAINERCLEANFILES.
AUTHORS:
$(AM_V_GEN)git log --format='%aN <%aE>' | \
grep -v 'users.noreply.github.com' | sort -u > $@
EXTRA_DIST += AUTHORS
CLEANFILES += AUTHORS
if HAVE_PANDOC_MAN_PAGES
### Man Pages
man1_MANS = \
man/man1/tpm2-totp.1
endif
if HAVE_PANDOC
# If pandoc is enabled, we want to generate the manpages for the dist tarball
EXTRA_DIST += \
$(man1_MANS)
else
# If pandoc is not enabled, we want to complain that you need pandoc for make dist,
# so hook the target and complain.
# NOTE(review): a second dist-hook target is defined in the !HAVE_DOXYGEN
# branch below; if both pandoc and doxygen are absent the target would be
# defined twice — confirm how automake/make handle that.
dist-hook:
@(>&2 echo "You do not have pandoc, a requirement for the distribution of manpages")
@exit 1
endif
# NOTE(review): 'cat $< |' is redundant here; '$(PANDOC) -s -t man $< >$@'
# would do the same with one process less.
man/man1/%.1: man/%.1.md
$(AM_V_GEN)mkdir -p man/man1 && cat $< | $(PANDOC) -s -t man >$@
EXTRA_DIST += \
man/tpm2-totp.1.md
CLEANFILES += \
$(man1_MANS)
if HAVE_DOXYGEN_MAN_PAGES
man3_MANS = doxygen-doc/man/man3/tpm2-totp.3
endif # HAVE_DOXYGEN_MAN_PAGES
if HAVE_DOXYGEN
$(man3_MANS): doxygen-doc
EXTRA_DIST += $(man3_MANS)
else # HAVE_DOXYGEN
dist-hook:
@(>&2 echo "You do not have doxygen, a requirement for the distribution of manpages")
@exit 1
endif # HAVE_DOXYGEN
### initramfs hooks ###
# NOTE(review): dist/dracut/module-setup.sh, dist/initramfs-tools/hooks/tpm2-totp,
# the initcpio install files and the systemd units are only named under their
# conditionals and not in EXTRA_DIST; unlike their siblings they may be missing
# from a tarball built on a host without the corresponding tool — confirm.
EXTRA_DIST += dist/show-tpm2-totp
if HAVE_DRACUT
helpers_SCRIPTS = dist/show-tpm2-totp
dracut_SCRIPTS = dist/dracut/module-setup.sh dist/dracut/show-tpm2-totp.sh \
dist/dracut/cleanup-tpm2-totp.sh
dracut_DATA = dist/dracut/README
endif # HAVE_DRACUT
EXTRA_DIST += dist/dracut/show-tpm2-totp.sh dist/dracut/cleanup-tpm2-totp.sh dist/dracut/README
if HAVE_INITRAMFSTOOLS
if HAVE_PLYMOUTH
initramfstools_hooks_SCRIPTS = dist/initramfs-tools/hooks/tpm2-totp
initramfstools_scripts_SCRIPTS = dist/initramfs-tools/scripts/init-premount/tpm2-totp
endif # HAVE_PLYMOUTH
endif # HAVE_INITRAMFSTOOLS
EXTRA_DIST += dist/initramfs-tools/scripts/init-premount/tpm2-totp
if HAVE_MKINITCPIO
# NOTE(review): helpers_SCRIPTS is assigned with '=' here and under HAVE_DRACUT;
# check that automake accepts both conditionals being enabled at once.
helpers_SCRIPTS = dist/show-tpm2-totp
initcpio_install_DATA = dist/initcpio/install/tpm2-totp dist/initcpio/install/sd-tpm2-totp
initcpio_hooks_DATA = dist/initcpio/hooks/tpm2-totp
systemdsystemunit_DATA = dist/tpm2-totp.service dist/tpm2-totp.timer
# Enable the units by symlinking them into sysinit.target.wants at install time.
# NOTE(review): $(LN_S) without -f fails if the link already exists, so a
# repeated 'make install' into a populated DESTDIR would abort here — confirm
# whether that is intended.
install-systemd-service-hook:
mkdir -p $(DESTDIR)$(systemdsystemunitdir)/sysinit.target.wants && \
cd $(DESTDIR)$(systemdsystemunitdir)/sysinit.target.wants && \
$(LN_S) ../tpm2-totp.service && \
$(LN_S) ../tpm2-totp.timer
if HAVE_PLYMOUTH
initcpio_install_DATA += dist/initcpio/install/plymouth-tpm2-totp dist/initcpio/install/sd-plymouth-tpm2-totp
initcpio_hooks_DATA += dist/initcpio/hooks/plymouth-tpm2-totp
systemdsystemunit_DATA += dist/plymouth-tpm2-totp.service
install-plymouth-service-hook:
mkdir -p $(DESTDIR)$(systemdsystemunitdir)/sysinit.target.wants && \
cd $(DESTDIR)$(systemdsystemunitdir)/sysinit.target.wants && \
$(LN_S) ../plymouth-tpm2-totp.service
else
# No-op so install-data-hook's dependency always resolves.
install-plymouth-service-hook:
endif # HAVE_PLYMOUTH
install-data-hook: install-systemd-service-hook install-plymouth-service-hook
endif # HAVE_MKINITCPIO
EXTRA_DIST += dist/initcpio/hooks/tpm2-totp dist/initcpio/hooks/plymouth-tpm2-totp
07070100000012000081A40000000000000000000000016602CAFD0000165B000000000000000000000000000000000000002500000000tpm2-totp-20240326.33e1986/README.md[](https://github.com/tpm2-software/tpm2-totp/actions)
[](https://codecov.io/gh/tpm2-software/tpm2-totp)
[](https://lgtm.com/projects/g/tpm2-software/tpm2-totp/context:cpp)
[](https://scan.coverity.com/projects/tpm2-totp)
# Overview
This is a reimplementation of Matthew Garrett's
[tpmtotp](https://github.com/mjg59/tpmtotp) software for TPM 2.0 using the
[tpm2-tss](https://github.com/tpm2-software/tpm2-tss) software stack. Its
purpose is to attest the trustworthiness of a device against a human using
time-based one-time passwords (TOTP), facilitating the Trusted Platform Module
(TPM) to bind the TOTP secret to the known trustworthy system state. In
addition to the original tpmtotp, given the new capabilities of in-TPM HMAC
calculation, the tpm2-totp's secret HMAC keys do not have to be exported from
the TPM to the CPU's RAM on boot anymore. Another addition is the ability to
rebind an old secret to the current PCRs in case a software component was
changed on purpose, using a user-defined password.
# Operations
## Setup
When the platform is in a known trustworthy state, the user will generate a
tpm2-totp secret that is sealed to the current PCR values of the TPM. The
secret is also exported (e.g. via QR-Code) so it can be recorded in a TOTP
application (e.g. freeotp on Android phones). The secret is also stored inside
the TPM's NV space.
## Boot
During boot the OS sends the current time to the TPM. The TPM checks that the
correct PCR values are present and calculates the HMAC of the time input. This
result is the TOTP value that will be displayed to the user. The user can
compare this value to the TOTP value of his/her external device (e.g. phone) and
thus assert the unalteredness and trustworthiness of his/her device.
## Recovery
If the TOTP secret on the external device gets lost, there is a way to recover
the secret, if a password was set during its generation. In this case the same
QR code will be displayed to the user again.
If an update occurs that changes one of the PCR values (e.g. BIOS or Bootloader)
then the secret can be resealed to the new PCR values using the password. Then
it will be available again on the next boot.
# Build and install instructions
Standard installation using
```
./bootstrap
./configure
make
make install
```
Followed by setting up the initrd, see below.
Instructions on packages needed to build and install tpm2-totp and different
build options are available in the [INSTALL](INSTALL.md) file.
# Initramfs integration
The project includes hooks for [dracut](https://dracut.wiki.kernel.org/),
[initramfs-tools](https://wiki.debian.org/initramfs-tools) and
[mkinitcpio](https://wiki.archlinux.org/index.php/Mkinitcpio) to display
the TOTP during boot using [Plymouth](https://www.freedesktop.org/wiki/Software/Plymouth/).
They are automatically installed if the corresponding tool is found on the
system (also see [INSTALL](INSTALL.md) regarding necessary configuration
options). To use them, install tpm2-totp and initialize a TOTP secret, then enable
the tpm2-totp hook in your initramfs generator and rebuild the initramfs.
# Usage
## Setup
The TOTP secret can be initialized with or without a password. It is recommended to
set a password `-P` in order to enable recovery options. Further, it is strongly
recommended to provide the password via stdin, rather than directly as a
command line option, to protect it from other processes, shell history, etc.
Also the PCRs and PCR banks can be selected with `-p` and `-b`. Default values are
PCRs `0,2,4` and banks `SHA1, SHA256`.
```
tpm2-totp init
tpm2-totp -P - init
verysecret<CTRL-D>
# or (recommended)
gpg --decrypt /path/to/password.gpg | tpm2-totp -P - init
# or (discouraged)
tpm2-totp -P verysecret init
tpm2-totp -P - -p 0,1,2,3,4,5,6 init
tpm2-totp -p 0,1,2,3,4,5,6 -b SHA1,SHA256 init
```
## Boot
During boot the TOTP value for the current time, together with the current time,
should be shown to the user, e.g. using plymouth from mkinitrd or from dracut.
The command to be executed is:
```
tpm2-totp show
tpm2-totp -t show
```
## Recovery
In order to recover the QR code:
```
tpm2-totp -P - recover
```
In order to reseal the secret:
```
tpm2-totp -P - reseal
tpm2-totp -P - -p 1,3,5,6 reseal
```
## Deletion
In order to delete the created NV index:
```
tpm2-totp clean
```
## NV index
All commands additionally take the `-N` option to specify the NV index to be
used. By default, 0x018094AF is used and recommended.
```
tpm2-totp -N 0x01800001 -P - init
tpm2-totp -N 0x01800001 show
tpm2-totp -N 0x01800001 -P - recover
tpm2-totp -N 0x01800001 -P - reseal
```
# Limitations
Whilst tpm2-totp provides the added security (in comparison to tpmtotp) that
the key will not leave the TPM during the calculate operation, the time source
is still not trustworthy, and thus an attacker might in some situations be able
to calculate a set of TOTP values for the future. Depending on the size of the
possible attack window, this set can be very large.
It is not yet possible to specify specific PCR values independent of the
currently set PCR values. This would allow disabling the password-less calculate
operation after booting the device. This makes most sense, once a TSS2 FAPI
is available that will enable an interface to a canonical PCR event log.
Currently, an empty owner password is assumed.
07070100000013000081A40000000000000000000000016602CAFD00001488000000000000000000000000000000000000002600000000tpm2-totp-20240326.33e1986/RELEASE.md# Release Process:
This document describes the general process that maintainers must follow when
making a release of the `tpm2-totp` library and cli-tool.
# Milestones
All releases should have a milestone used to track the release. If the release version is not known, as covered in [Version Numbers](#version-numbers),
then an "x" may be used for the unknown number, or the generic term "next" may be used. The description field of the milestone will be used to record
the CHANGELOG for that release. See [CHANGELOG Update](#changelog-update) for details.
# Version Numbers
This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
In summary: Given a version number MAJOR.MINOR.PATCH, increment the:
1. MAJOR version when you make incompatible API changes,
2. MINOR version when you add functionality in a backwards-compatible manner, and
3. PATCH version when you make backwards-compatible bug fixes.
Additional labels for pre-release and build metadata are available as extensions
to the MAJOR.MINOR.PATCH format.
## Version String
The version string is set for the rest of the autotools bits by autoconf.
Autoconf gets this string from the `AC_INIT` macro in the configure.ac file.
Once you decide on the next version number (using the scheme above) you must set
it manually in configure.ac. The version string must be in the form `A.B.C`
where `A`, `B` and `C` are integers representing the major, minor and micro
components of the version number.
## Release Candidates
In the run up to a release the maintainers may create tags to identify progress
toward the release. In these cases we will append a string to the release number
to indicate progress using the abbreviation `rc` for 'release candidate'. This
string will take the form of `_rcX`. We append an incremental digit `X` in case
more than one release candidate is necessary to communicate progress as
development moves forward.
# CHANGELOG Update
Before tagging the repository with the release version, the maintainer MUST
update the CHANGELOG file with the contents from the description field from the
corresponding release milestone and update any missing version string details in
the CHANGELOG and milestone entry.
# Git Tags
When a release is made a tag is created in the git repo identifying the release
by the [version string](#version-string). The tag should be pushed to upstream
git repo as the last step in the release process.
**NOTE** tags for release candidates will be deleted from the git repository
after a release with the corresponding version number has been made.
**NOTE** release (not release candidate) tags should be considered immutable.
## Signed tags
Git supports GPG signed tags and releases will have tags signed by a maintainer.
For details on how to sign and verify git tags see:
https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work.
# Release tarballs
We use the git tag as a way to mark the point of the release in the project's
history. We do not however encourage users to build from git unless they intend
to modify the source code and contribute to the project. For the end user we
provide release tarballs following the GNU conventions as closely as possible.
To make a release tarball use the `distcheck` make target.
This target includes a number of sanity checks that are extremely helpful.
For more information on `automake` and release tarballs see:
https://www.gnu.org/software/automake/manual/html_node/Dist.html#Dist
## Hosting Releases on Github
Github automagically generates a page in their UI that maps git tags to
'releases' (even if the tag isn't for a release). Additionally they support
hosting release tarballs through this same interface. The release tarball
created in the previous step must be posted to github using the release
interface. Additionally, this tarball must be accompanied by a detached GPG
signature. The Debian wiki has an excellent description of how to post a signed
release to Github here:
https://wiki.debian.org/Creating%20signed%20GitHub%20releases
**NOTE** release candidates must be taken down after a release with the
corresponding version number is available.
## Signing Release Tarballs
Signatures must be generated using the `--detach-sign` and `--armor` options to
the `gpg` command.
## Verifying Signatures
Verifying the signature on a release tarball requires the project maintainers'
public keys to be installed in the GPG keyring of the verifier. With both the
release tarball and signature file in the same directory the following command
will verify the signature:
```
$ gpg --verify tpm2-totp-X.Y.Z.tar.gz.asc
```
## Signing Keys
The GPG keys used to sign a release tag and the associated tarball must be the
same. Additionally they must:
* belong to a project maintainer
* be discoverable using a public GPG key server
* be associated with the maintainers github account
(https://help.github.com/articles/adding-a-new-gpg-key-to-your-github-account/)
# Announcements
Release candidates and proper releases should be announced on the mailing list:
- https://lists.linuxfoundation.org/mailman/listinfo/tpm2
This announcement should be accompanied by a link to the release page on Github
as well as a link to the CHANGELOG.md accompanying the release.
07070100000014000081A40000000000000000000000016602CAFD0000061E000000000000000000000000000000000000002700000000tpm2-totp-20240326.33e1986/SECURITY.md# Security Policy
## Supported Versions
Currently supported versions:
| Version | Supported |
| ------- | ------------------ |
| any | :white_check_mark: |
## Reporting a Vulnerability
### Reporting
Security vulnerabilities can be disclosed in one of two ways:
- GitHub: *preferred* By following [these](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability) instructions.
- Email: A description *should be emailed* to **all** members of the [MAINTAINERS](MAINTAINERS) file to coordinate the
disclosure of the vulnerability.
### Tracking
When a maintainer is notified of a security vulnerability, they *must* create a GitHub security advisory
per the instructions at:
- <https://docs.github.com/en/code-security/repository-security-advisories/about-github-security-advisories-for-repositories>
Maintainers *should* use the optional feature through GitHub to request a CVE be issued; alternatively, Red Hat has provided CVEs
in the past and *may* be used, but preference is on GitHub as the issuing CNA.
### Publishing
Once ready, maintainers should publish the security vulnerability as outlined in:
- <https://docs.github.com/en/code-security/repository-security-advisories/publishing-a-repository-security-advisory>
As well as ensuring the publishing of the CVE, maintainers *shall* have new release versions ready to publish at the same time as
the CVE. Maintainers *should* strive to adhere to a turnaround of under 60 days from report to release.
07070100000015000081ED0000000000000000000000016602CAFD00000060000000000000000000000000000000000000002500000000tpm2-totp-20240326.33e1986/bootstrap#!/bin/bash
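# Record the git-derived version string in VERSION, then regenerate the
# autotools build system.  VERSION is read by AC_INIT in configure.ac.
set -e

# Resolve the version before touching VERSION: with a plain redirect a failing
# `git describe` (e.g. when run outside a git checkout) would first truncate
# VERSION to an empty file and only then abort the script.
version=$(git describe --tags --always --dirty)
printf '%s\n' "$version" > VERSION

# --install adds missing auxiliary files; --sym links them instead of copying.
autoreconf --install --sym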
07070100000016000081A40000000000000000000000016602CAFD000023FB000000000000000000000000000000000000002800000000tpm2-totp-20240326.33e1986/configure.ac# SPDX-License-Identifier: BSD-3-Clause
# Copyright (c) 2018 Fraunhofer SIT
# All rights reserved.
# Autoconf version floor for the macros used below.
AC_PREREQ([2.68])
# The package version is read from ./VERSION at autoreconf time; bootstrap
# writes that file from "git describe", so it must exist before autoreconf runs.
AC_INIT([tpm2-totp],
[m4_esyscmd_s([cat ./VERSION])],
[https://github.com/tpm2-software/tpm2-totp/issues],
[],
[https://github.com/tpm2-software/tpm2-totp])
dnl Avoid setting CFLAGS to anything by default; we use AC_CFLAGS below for this.
: ${CFLAGS=""}
dnl Let's be FHS-conform by default.
dnl With --prefix=/usr, keep configuration and state out of /usr/etc and
dnl /usr/var unless the user overrode those directories explicitly.
if test "$prefix" = '/usr'; then
test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc"
test "$sharedstatedir" = '${prefix}/com' && sharedstatedir="/var"
test "$localstatedir" = '${prefix}/var' && localstatedir="/var"
fi
AC_CONFIG_MACRO_DIR([m4])
AC_CONFIG_SRCDIR([src/tpm2-totp.c])
AC_CONFIG_AUX_DIR([build-aux])
# propagate configure arguments to distcheck
AC_SUBST([DISTCHECK_CONFIGURE_FLAGS],[$ac_configure_args])
AM_INIT_AUTOMAKE([foreign subdir-objects -Wall -Wno-portability])
#Backward compatible setting of "silent-rules"
m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
AM_MAINTAINER_MODE([enable])
# Release detection feeds the default flags: -Werror is only added on
# non-release builds.
AX_IS_RELEASE([dash-version])
AX_CHECK_ENABLE_DEBUG([info])
AC_USE_SYSTEM_EXTENSIONS
AC_PROG_CC
LT_INIT()
PKG_INSTALLDIR()
# Helper programs (show-tpm2-totp, plymouth-tpm2-totp) are installed under
# libexec; HELPERSDIR is the fully expanded path substituted into the
# initramfs generator scripts and systemd units in dist/.
helpersdir="$libexecdir/tpm2-totp"
AC_SUBST([helpersdir])
AX_RECURSIVE_EVAL([$helpersdir], [HELPERSDIR])
AC_SUBST([HELPERSDIR])
AC_CONFIG_FILES([Makefile Doxyfile dist/tpm2-totp.pc])
# Default warning and hardening flags. --disable-defaultflags lets packagers
# supply their own set; the AX_ADD_* macros are expected to probe compiler
# support before keeping a flag.
AC_ARG_ENABLE([defaultflags],
[AS_HELP_STRING([--disable-defaultflags],
[Disable default preprocessor, compiler, and linker flags.])],,
[enable_defaultflags=yes])
AS_IF([test "x$enable_defaultflags" = "xyes"],
[
AX_ADD_COMPILER_FLAG([-std=c99])
AX_ADD_COMPILER_FLAG([-Wall])
AX_ADD_COMPILER_FLAG([-Wextra])
AX_ADD_COMPILER_FLAG([-Wformat-security])
# Warnings are fatal only on non-release builds, so a newer compiler cannot
# break the build of a tagged release.
AS_IF([test "x$ax_is_release" = "xno"], [AX_ADD_COMPILER_FLAG([-Werror])])
# Stack canaries in every function, position-independent code, and
# FORTIFY_SOURCE for the checked libc wrappers.
AX_ADD_COMPILER_FLAG([-fstack-protector-all])
AX_ADD_COMPILER_FLAG([-fpic])
AX_ADD_COMPILER_FLAG([-fPIC])
AX_ADD_COMPILER_FLAG([-O2])
AX_ADD_FORTIFY_SOURCE
# work around GCC bug #53119
# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=53119
AX_ADD_COMPILER_FLAG([-Wno-missing-braces])
# Linker hardening: fail on unresolved symbols, non-executable stack, and
# full RELRO (relro together with now) so the GOT is read-only after startup.
AX_ADD_LINK_FLAG([-Wl,--no-undefined])
AX_ADD_LINK_FLAG([-Wl,-z,noexecstack])
AX_ADD_LINK_FLAG([-Wl,-z,now])
AX_ADD_LINK_FLAG([-Wl,-z,relro])
])
# Optional gcov/lcov support. The conditional lets Makefile.am cope with both
# the pre- and post-2019 autoconf-archive rule sets.
AX_CODE_COVERAGE
m4_ifdef([_AX_CODE_COVERAGE_RULES],
[AM_CONDITIONAL(AUTOCONF_CODE_COVERAGE_2019_01_06, [true])],
[AM_CONDITIONAL(AUTOCONF_CODE_COVERAGE_2019_01_06, [false])])
AX_ADD_AM_MACRO_STATIC([])
# Hard dependencies: the tpm2-tss ESAPI stack and libqrencode (presumably for
# printing the secret as a QR code; see the implementation).
PKG_PROG_PKG_CONFIG([0.25])
PKG_CHECK_MODULES([TSS2_ESYS],[tss2-esys])
PKG_CHECK_MODULES([TSS2_MU],[tss2-mu])
PKG_CHECK_MODULES([TSS2_TCTILDR],[tss2-tctildr])
PKG_CHECK_MODULES([TSS2_RC],[tss2-rc])
# The device TCTI is not linked in; its libdir is needed so the initramfs
# generators in dist/ can copy libtss2-tcti-device.so.0 into the image.
PKG_CHECK_VAR([TSS2_TCTI_DEVICE_LIBDIR], [tss2-tcti-device], [libdir], ,
[AC_MSG_ERROR([Required library tss2-tcti-device not found])])
AC_SUBST([TSS2_TCTI_DEVICE_LIBDIR])
PKG_CHECK_MODULES([QRENCODE],[libqrencode])
# Documentation tooling. Missing doxygen/pandoc only warns: the *_MAN_PAGES
# conditionals also accept pre-generated man pages shipped in srcdir.
DX_DOXYGEN_FEATURE(ON)
DX_DOT_FEATURE(OFF)
DX_HTML_FEATURE(OFF)
DX_CHM_FEATURE(OFF)
DX_CHI_FEATURE(OFF)
DX_MAN_FEATURE(ON)
DX_RTF_FEATURE(OFF)
DX_XML_FEATURE(OFF)
DX_PDF_FEATURE(OFF)
DX_PS_FEATURE(OFF)
DX_INIT_DOXYGEN([$PACKAGE_NAME], [Doxyfile], [doxygen-doc])
AS_IF([test -z "$DX_DOXYGEN"],
[AC_MSG_WARN([Required executable doxygen not found, man pages will not be built])])
AM_CONDITIONAL([HAVE_DOXYGEN],[test -n "$DX_DOXYGEN"])
AM_CONDITIONAL([HAVE_DOXYGEN_MAN_PAGES],[test -d "${srcdir}/doxygen-doc/man/man3" -o -n "$DX_DOXYGEN"])
AC_PATH_PROG([PANDOC], [pandoc])
AS_IF([test -z "$PANDOC"],
[AC_MSG_WARN([Required executable pandoc not found, man pages will not be built])])
AM_CONDITIONAL([HAVE_PANDOC],[test -n "$PANDOC"])
AM_CONDITIONAL([HAVE_PANDOC_MAN_PAGES],[test -d "${srcdir}/man/man1" -o -n "$PANDOC"])
# Early-boot integration. Each initramfs generator is enabled when its
# directory is given explicitly or auto-detected; passing --with-...=no
# disables it.
#
# dracut: the module directory comes from dracut's pkg-config file.
AC_ARG_WITH([dracutmodulesdir],
AS_HELP_STRING([--with-dracutmodulesdir=DIR], [directory for dracut hooks]),,
[PKG_CHECK_VAR([with_dracutmodulesdir], [dracut], [dracutmodulesdir])])
AM_CONDITIONAL(HAVE_DRACUT, [test -n "$with_dracutmodulesdir" -a "x$with_dracutmodulesdir" != xno])
AM_COND_IF([HAVE_DRACUT], [AC_SUBST([dracutdir], [$with_dracutmodulesdir/70tpm2-totp])])
AC_CONFIG_FILES([dist/dracut/module-setup.sh])
# initramfs-tools: detected through the lsinitramfs executable.
AC_CHECK_PROG([lsinitramfs], [lsinitramfs], [yes])
AC_ARG_WITH([initramfstoolsdir],
AS_HELP_STRING([--with-initramfstoolsdir=DIR], [directory for initramfs-tools scripts]),,
[AS_IF([test "x$lsinitramfs" = xyes], [with_initramfstoolsdir=$sysconfdir/initramfs-tools])])
AM_CONDITIONAL(HAVE_INITRAMFSTOOLS, [test -n "$with_initramfstoolsdir" -a "x$with_initramfstoolsdir" != xno])
AM_COND_IF([HAVE_INITRAMFSTOOLS],
[AC_SUBST([initramfstools_hooksdir], [$with_initramfstoolsdir/hooks])
AC_SUBST([initramfstools_scriptsdir], [$with_initramfstoolsdir/scripts/init-premount])
])
AC_CONFIG_FILES([dist/initramfs-tools/hooks/tpm2-totp])
# mkinitcpio: detected through the mkinitcpio executable.
AC_CHECK_PROG([mkinitcpio], [mkinitcpio], [yes])
AC_ARG_WITH([mkinitcpiodir],
AS_HELP_STRING([--with-mkinitcpiodir=DIR], [directory for mkinitcpio hooks]),,
[AS_IF([test "x$mkinitcpio" = xyes], [with_mkinitcpiodir=$sysconfdir/initcpio])])
AM_CONDITIONAL(HAVE_MKINITCPIO, [test -n "$with_mkinitcpiodir" -a "x$with_mkinitcpiodir" != xno])
AM_COND_IF([HAVE_MKINITCPIO],
[AC_SUBST([initcpio_installdir], [$with_mkinitcpiodir/install])
AC_SUBST([initcpio_hooksdir], [$with_mkinitcpiodir/hooks])
])
AC_CONFIG_FILES([dist/initcpio/install/tpm2-totp dist/initcpio/install/plymouth-tpm2-totp])
# udev and systemd directories, from pkg-config with libdir-based fallbacks.
AC_ARG_WITH([udevdir],
AS_HELP_STRING([--with-udevdir=DIR], [udev directory]),,
[PKG_CHECK_VAR([with_udevdir], [udev], [udevdir],, [with_udevdir="$libdir/udev"])])
AC_SUBST([UDEVDIR], [$with_udevdir])
# NOTE(review): the help text names the option --with-systemdsystemunit but
# the option actually defined is --with-systemdsystemunitdir.
AC_ARG_WITH([systemdsystemunitdir],
AS_HELP_STRING([--with-systemdsystemunit=DIR], [systemd system unit directory]),,
[PKG_CHECK_VAR([with_systemdsystemunitdir], [systemd], [systemdsystemunitdir],,
[with_systemdsystemunitdir="$libdir/systemd/system"])])
AC_SUBST([systemdsystemunitdir], [$with_systemdsystemunitdir])
AC_CONFIG_FILES([dist/initcpio/install/sd-tpm2-totp dist/tpm2-totp.service dist/tpm2-totp.timer])
# Plymouth support is auto-detected; it is only an error when explicitly
# requested with --enable-plymouth and the library is missing.
AC_ARG_ENABLE([plymouth],
AS_HELP_STRING([--disable-plymouth], [Disable plymouth support]))
AS_IF([test "x$enable_plymouth" != "xno"],
[PKG_CHECK_MODULES([PLY_BOOT_CLIENT], [ply-boot-client],
[have_plymouth=yes], [have_plymouth=no])],
[have_plymouth=no])
AM_CONDITIONAL([HAVE_PLYMOUTH], [test "x$have_plymouth" = "xyes"])
AM_COND_IF([HAVE_PLYMOUTH],
[PKG_CHECK_VAR([PLYMOUTHPLUGINSDIR], [ply-splash-core], [pluginsdir])
AC_SUBST([PLYMOUTHPLUGINSDIR])
],
[AS_IF([test "x$enable_plymouth" = "xyes"],
[AC_MSG_ERROR([plymouth requested but not found])])
])
AC_CONFIG_FILES([dist/initcpio/install/sd-plymouth-tpm2-totp dist/plymouth-tpm2-totp.service])
# Integration tests are off by default: they need a TPM simulator (swtpm or
# tpm_server) plus liboath (presumably to compute reference TOTPs) and a few
# host tools. Missing tools are hard errors here rather than skipped tests.
AC_ARG_ENABLE([integration],
[AS_HELP_STRING([--enable-integration],
[build integration tests against TPM])],,
[enable_integration=no])
AM_CONDITIONAL([INTEGRATION], [test "x$enable_integration" != xno])
AS_IF([test "x$enable_integration" != xno],
[PKG_CHECK_MODULES([OATH],[liboath])
AC_CHECK_PROG([swtpm], [swtpm], [yes])
AC_CHECK_PROG([tpm_server], [tpm_server], [yes])
AS_IF([test "x$swtpm" != xyes && test "x$tpm_server" != xyes],
[AC_MSG_ERROR([Integration tests require either the swtpm or the tpm_server executable])])
AC_CHECK_PROG([realpath], [realpath], [yes])
AS_IF([test "x$realpath" != xyes],
[AC_MSG_ERROR([Integration tests require the realpath executable])])
AC_CHECK_PROG([ss], [ss], [yes])
AS_IF([test "x$ss" != xyes],
[AC_MSG_ERROR([Integration tests require the ss executable])])
# The plymouth tests additionally drive plymouthd; fakeroot is optional but
# without it those tests have to run as root.
AM_COND_IF([HAVE_PLYMOUTH],
[AC_CHECK_PROG([plymouthd], [plymouthd], [yes])
AS_IF([test "x$plymouthd" != xyes],
[AC_MSG_ERROR([Integration tests require the plymouthd executable])])
AC_CHECK_PROG([fakeroot], [fakeroot], [yes])
AS_IF([test "x$fakeroot" != xyes],
[AC_MSG_WARN([Executable fakeroot not found, integration tests must be run as root])])
AC_CHECK_PROG([pgrep], [pgrep], [yes])
AS_IF([test "x$pgrep" != xyes],
[AC_MSG_ERROR([Integration tests require the pgrep executable])])
AC_CHECK_PROG([timeout], [timeout], [yes])
AS_IF([test "x$timeout" != xyes],
[AC_MSG_ERROR([Integration tests require the timeout executable])])
])
])
AC_OUTPUT
# Configuration summary printed at the end of configure.
AC_MSG_RESULT([
$PACKAGE_NAME $VERSION
doxygen: $DX_DOXYGEN
pandoc: $PANDOC
dracut: $with_dracutmodulesdir
initramfs-tools: $with_initramfstoolsdir
mkinitcpio: $with_mkinitcpiodir
plymouth: $have_plymouth
])
07070100000017000041ED0000000000000000000000026602CAFD00000000000000000000000000000000000000000000002000000000tpm2-totp-20240326.33e1986/dist07070100000018000041ED0000000000000000000000026602CAFD00000000000000000000000000000000000000000000002700000000tpm2-totp-20240326.33e1986/dist/dracut07070100000019000081A40000000000000000000000016602CAFD000004FE000000000000000000000000000000000000002E00000000tpm2-totp-20240326.33e1986/dist/dracut/READMEThis dracut module displays a time-based one-time password (TOTP) sealed to a
Trusted Platform Module (TPM) to ensure that the boot process has not been
tampered with. To set this up, a secret needs to be generated first and sealed
to the TPM using 'tpm2-totp init'.
This stores the secret in the TPM and displays it to the user so that it can
be recorded on a different device (e.g. a TOTP app). When the hook is run, the
TOTP is calculated and displayed together with the current time so that it can
be compared with the output of the second device. This will only be successful
and show a matching output if the boot process has not changed (new UEFI
firmware, different boot loader, ...).
When using a custom NV index with the '--nvindex index' option of tpm2-totp,
this index needs to be specified as 'rd.tpm2-totp.nvindex=index' on the kernel
command line.
Note that calculating the TOTP requires some entropy, which might be scarce
directly after startup. If the boot process appears to be stuck, it might help
to press some random keys to gather more entropy. A better alternative on modern
processors is to enable the use of the hardware random number generator (RNG)
by adding 'random.trust_cpu=on' to the kernel command line or by loading the
'rngd' dracut module.
0707010000001A000081ED0000000000000000000000016602CAFD00000031000000000000000000000000000000000000003C00000000tpm2-totp-20240326.33e1986/dist/dracut/cleanup-tpm2-totp.sh#!/bin/sh
kill "$show_tpm2_totp_pid" 2>/dev/null
0707010000001B000081ED0000000000000000000000016602CAFD000003A9000000000000000000000000000000000000003A00000000tpm2-totp-20240326.33e1986/dist/dracut/module-setup.sh.in#!/bin/bash
check() {
  # Decide whether dracut should include this module automatically. Only a
  # host-only image qualifies, and only when a TOTP secret is already sealed
  # (probed with "tpm2-totp show"); otherwise 255 means "not by default".
  [ -n "$hostonly" ] || return 255
  if tpm2-totp show >/dev/null 2>&1; then
    return 0
  fi
  dinfo "dracut module 'tpm2-totp' will not be installed because no TOTP is configured; run 'tpm2-totp init'!"
  return 255
}
install() {
  # The device TCTI is copied explicitly because the tools reach it at runtime
  # rather than through a link-time dependency (confirm against src/).
  inst_libdir_file 'libtss2-tcti-device.so*'
  # With plymouth in the image and the plymouth helper installed, show the code
  # on the splash screen (label plugin plus one font); otherwise fall back to
  # the console helper, which needs tpm2-totp and date, and register the
  # cleanup hook that kills it. NOTE(review): no cleanup hook is registered in
  # the plymouth branch; presumably the helper exits with plymouthd — confirm.
  if dracut_module_included "plymouth" && \
  find_binary @HELPERSDIR@/plymouth-tpm2-totp; then
  inst @HELPERSDIR@/plymouth-tpm2-totp /bin/show-tpm2-totp
  inst_library @PLYMOUTHPLUGINSDIR@/label.so
  inst_simple "$(fc-match --format '%{file}')"
  else
  inst @HELPERSDIR@/show-tpm2-totp /bin/show-tpm2-totp
  inst tpm2-totp
  inst date
  inst_hook cleanup 70 "$moddir/cleanup-tpm2-totp.sh"
  fi
  # The pre-udev hook writes a udev rule that uses initqueue, hence the
  # dependency on the initqueue machinery.
  inst_hook pre-udev 70 "$moddir/show-tpm2-totp.sh"
  dracut_need_initqueue
}
installkernel() {
  # Pull in every TPM driver so the device node exists in the initramfs.
  instmods =drivers/char/tpm
}
0707010000001C000081ED0000000000000000000000016602CAFD00000116000000000000000000000000000000000000003900000000tpm2-totp-20240326.33e1986/dist/dracut/show-tpm2-totp.sh#!/bin/sh
# Dracut pre-udev hook: arrange for the TOTP to be shown once the TPM device
# node appears, instead of blocking boot here.
. /lib/dracut-lib.sh
# Optional NV index from the kernel command line (rd.tpm2-totp.nvindex=...).
nvindex="$(getarg rd.tpm2-totp.nvindex)"
# Write a udev rule that hands the helper to initqueue when tpm0 is created.
# "$$!" stays literal in the single-quoted format; udev collapses "$$" to "$",
# so the recorded job ends in "& show_tpm2_totp_pid=$!", which is the PID that
# cleanup-tpm2-totp.sh kills. The index value is spliced into the rule without
# validation: characters udev treats specially (double quotes, %) would break
# or alter the rule. The kernel command line is treated as trusted input here.
printf 'KERNEL=="tpm0", RUN+="/sbin/initqueue --settled --onetime /bin/show-tpm2-totp %s & show_tpm2_totp_pid=$$!"\n' "${nvindex:+--nvindex "$nvindex"}" > /etc/udev/rules.d/80-tpm2-totp.rules
unset nvindex
0707010000001D000041ED0000000000000000000000026602CAFD00000000000000000000000000000000000000000000002900000000tpm2-totp-20240326.33e1986/dist/initcpio0707010000001E000041ED0000000000000000000000026602CAFD00000000000000000000000000000000000000000000002F00000000tpm2-totp-20240326.33e1986/dist/initcpio/hooks0707010000001F000081A40000000000000000000000016602CAFD0000008D000000000000000000000000000000000000004200000000tpm2-totp-20240326.33e1986/dist/initcpio/hooks/plymouth-tpm2-totp#!/usr/bin/ash
run_hook() {
  # Start the plymouth helper in the background so boot continues; pass the
  # NV index only when tpm2_totp_nvindex was given on the kernel command line.
  if [ -n "$tpm2_totp_nvindex" ]; then
    plymouth-tpm2-totp --nvindex "$tpm2_totp_nvindex" &
  else
    plymouth-tpm2-totp &
  fi
}
# vim: set ft=sh ts=4 sw=4 et:
07070100000020000081A40000000000000000000000016602CAFD000000E5000000000000000000000000000000000000003900000000tpm2-totp-20240326.33e1986/dist/initcpio/hooks/tpm2-totp#!/usr/bin/ash
run_hook() {
  # Start the console helper in the background and remember its PID so
  # run_cleanuphook can stop it later. The NV index is only passed when
  # tpm2_totp_nvindex was given on the kernel command line.
  if [ -n "$tpm2_totp_nvindex" ]; then
    show-tpm2-totp --nvindex "$tpm2_totp_nvindex" &
  else
    show-tpm2-totp &
  fi
  show_tpm2_totp_pid=$!
}
run_cleanuphook() {
  # Stop the helper started by run_hook. Failures (never started, already
  # exited) are deliberately ignored.
  kill "$show_tpm2_totp_pid" 2>/dev/null
}
# vim: set ft=sh ts=4 sw=4 et:
07070100000021000041ED0000000000000000000000026602CAFD00000000000000000000000000000000000000000000003100000000tpm2-totp-20240326.33e1986/dist/initcpio/install07070100000022000081A40000000000000000000000016602CAFD000006D2000000000000000000000000000000000000004700000000tpm2-totp-20240326.33e1986/dist/initcpio/install/plymouth-tpm2-totp.in#!/bin/bash
build() {
  # Kernel TPM drivers: the explicit list from TPM_MODULES if set, otherwise
  # every module under a tpm/ directory.
  local mod
  if [[ -z $TPM_MODULES ]]; then
    add_all_modules /tpm/
  else
    for mod in $TPM_MODULES; do
      add_module "$mod"
    done
  fi
  # Plymouth label plugin and one font for rendering the code on the splash.
  add_binary @PLYMOUTHPLUGINSDIR@/label.so
  add_file "$(fc-match --format '%{file}')"
  # The helper itself and the device TCTI library it needs at runtime.
  add_binary @HELPERSDIR@/plymouth-tpm2-totp /usr/bin/plymouth-tpm2-totp
  add_binary @TSS2_TCTI_DEVICE_LIBDIR@/libtss2-tcti-device.so.0
  # Install the matching runtime hook (hooks/plymouth-tpm2-totp).
  add_runscript
}
help() {
  # Help text for this hook. The quoted delimiter keeps the here-document
  # literal (no parameter or command expansion).
  cat <<'HELPEOF'
This hook uses plymouth to display a time-based one-time password (TOTP) sealed
to a Trusted Platform Module (TPM) to ensure that the boot process has not been
tampered with. To set this up, a secret needs to be generated first and sealed
to the TPM using
tpm2-totp init
This stores the secret in the TPM and displays it to the user so that it can
be recorded on a different device (e.g. a TOTP app). When the hook is run, the
TOTP is calculated and displayed using plymouth so that it can be compared with
the output of the second device. This will only be successful and show a
matching output if the boot process has not changed (new UEFI firmware,
different boot loader, ...).
When using a custom NV index with the '--nvindex index' option of tpm2-totp,
this index needs to be specified as 'tpm2_totp_nvindex=index' on the kernel
command line.
Note that calculating the TOTP requires some entropy, which might be scarce
directly after startup. If the boot process appears to be stuck, it might help
to press some random keys to gather more entropy. A better alternative on modern
processors is to enable the use of the hardware random number generator (RNG)
by adding
random.trust_cpu=on
to the kernel command line.
HELPEOF
}
# vim: set ft=sh ts=4 sw=4 et:
07070100000023000081A40000000000000000000000016602CAFD0000062B000000000000000000000000000000000000004A00000000tpm2-totp-20240326.33e1986/dist/initcpio/install/sd-plymouth-tpm2-totp.in#!/bin/bash
build() {
  # Kernel TPM drivers: the explicit list from TPM_MODULES if set, otherwise
  # every module under a tpm/ directory.
  local mod
  if [[ -z $TPM_MODULES ]]; then
    add_all_modules /tpm/
  else
    for mod in $TPM_MODULES; do
      add_module "$mod"
    done
  fi
  # Plymouth label plugin and one font for rendering the code on the splash.
  add_binary @PLYMOUTHPLUGINSDIR@/label.so
  add_file "$(fc-match --format '%{file}')"
  # systemd-based initramfs: the service replaces a runtime hook, and the udev
  # rule is needed so the dev-tpm0.device unit it depends on gets created.
  add_systemd_unit plymouth-tpm2-totp.service
  add_file @UDEVDIR@/rules.d/*tpm-udev.rules
  add_binary @TSS2_TCTI_DEVICE_LIBDIR@/libtss2-tcti-device.so.0
}
help() {
  # Help text for this hook. The quoted delimiter keeps the here-document
  # literal (no parameter or command expansion).
  cat <<'HELPEOF'
This hook uses plymouth to display a time-based one-time password (TOTP) sealed
to a Trusted Platform Module (TPM) to ensure that the boot process has not been
tampered with. To set this up, a secret needs to be generated first and sealed
to the TPM using
tpm2-totp init
This stores the secret in the TPM and displays it to the user so that it can
be recorded on a different device (e.g. a TOTP app). When the hook is run, the
TOTP is calculated and displayed using plymouth so that it can be compared with
the output of the second device. This will only be successful and show a
matching output if the boot process has not changed (new UEFI firmware,
different boot loader, ...).
Note that calculating the TOTP requires some entropy, which might be scarce
directly after startup. If the boot process appears to be stuck, it might help
to press some random keys to gather more entropy. A better alternative on modern
processors is to enable the use of the hardware random number generator (RNG)
by adding
random.trust_cpu=on
to the kernel command line.
HELPEOF
}
# vim: set ft=sh ts=4 sw=4 et:
07070100000024000081A40000000000000000000000016602CAFD00000604000000000000000000000000000000000000004100000000tpm2-totp-20240326.33e1986/dist/initcpio/install/sd-tpm2-totp.in#!/bin/bash
build() {
  # Kernel TPM drivers: the explicit list from TPM_MODULES if set, otherwise
  # every module under a tpm/ directory.
  local mod
  if [[ -z $TPM_MODULES ]]; then
    add_all_modules /tpm/
  else
    for mod in $TPM_MODULES; do
      add_module "$mod"
    done
  fi
  # systemd-based initramfs: the service and its timer replace a runtime hook;
  # the udev rule is needed so the dev-tpm0.device unit they depend on exists.
  add_systemd_unit tpm2-totp.service
  add_systemd_unit tpm2-totp.timer
  add_file @UDEVDIR@/rules.d/*tpm-udev.rules
  # The CLI and the device TCTI library it needs at runtime.
  add_binary tpm2-totp
  add_binary @TSS2_TCTI_DEVICE_LIBDIR@/libtss2-tcti-device.so.0
}
help() {
  # Help text for this hook. The quoted delimiter keeps the here-document
  # literal (no parameter or command expansion).
  cat <<'HELPEOF'
This hook displays a time-based one-time password (TOTP) sealed to a Trusted
Platform Module (TPM) to ensure that the boot process has not been tampered
with. To set this up, a secret needs to be generated first and sealed to the
TPM using
tpm2-totp init
This stores the secret in the TPM and displays it to the user so that it can
be recorded on a different device (e.g. a TOTP app). When the hook is run, the
TOTP is calculated and displayed together with the current time so that it can
be compared with the output of the second device. This will only be successful
and show a matching output if the boot process has not changed (new UEFI
firmware, different boot loader, ...).
Note that calculating the TOTP requires some entropy, which might be scarce
directly after startup. If the boot process appears to be stuck, it might help
to press some random keys to gather more entropy. A better alternative on modern
processors is to enable the use of the hardware random number generator (RNG)
by adding
random.trust_cpu=on
to the kernel command line.
HELPEOF
}
# vim: set ft=sh ts=4 sw=4 et:
07070100000025000081A40000000000000000000000016602CAFD0000069B000000000000000000000000000000000000003E00000000tpm2-totp-20240326.33e1986/dist/initcpio/install/tpm2-totp.in#!/bin/bash
build() {
  # Kernel TPM drivers: the explicit list from TPM_MODULES if set, otherwise
  # every module under a tpm/ directory.
  local mod
  if [[ -z $TPM_MODULES ]]; then
    add_all_modules /tpm/
  else
    for mod in $TPM_MODULES; do
      add_module "$mod"
    done
  fi
  # The CLI, the device TCTI library it needs at runtime, the console display
  # helper and the date binary that helper calls.
  add_binary tpm2-totp
  add_binary @TSS2_TCTI_DEVICE_LIBDIR@/libtss2-tcti-device.so.0
  add_binary @HELPERSDIR@/show-tpm2-totp /usr/bin/show-tpm2-totp
  add_binary date
  # Install the matching runtime hook (hooks/tpm2-totp).
  add_runscript
}
help() {
  # Help text for this hook. The quoted delimiter keeps the here-document
  # literal (no parameter or command expansion).
  cat <<'HELPEOF'
This hook displays a time-based one-time password (TOTP) sealed to a Trusted
Platform Module (TPM) to ensure that the boot process has not been tampered
with. To set this up, a secret needs to be generated first and sealed to the
TPM using
tpm2-totp init
This stores the secret in the TPM and displays it to the user so that it can
be recorded on a different device (e.g. a TOTP app). When the hook is run, the
TOTP is calculated and displayed together with the current time so that it can
be compared with the output of the second device. This will only be successful
and show a matching output if the boot process has not changed (new UEFI
firmware, different boot loader, ...).
When using a custom NV index with the '--nvindex index' option of tpm2-totp,
this index needs to be specified as 'tpm2_totp_nvindex=index' on the kernel
command line.
Note that calculating the TOTP requires some entropy, which might be scarce
directly after startup. If the boot process appears to be stuck, it might help
to press some random keys to gather more entropy. A better alternative on modern
processors is to enable the use of the hardware random number generator (RNG)
by adding
random.trust_cpu=on
to the kernel command line.
HELPEOF
}
# vim: set ft=sh ts=4 sw=4 et:
07070100000026000041ED0000000000000000000000026602CAFD00000000000000000000000000000000000000000000003000000000tpm2-totp-20240326.33e1986/dist/initramfs-tools07070100000027000041ED0000000000000000000000026602CAFD00000000000000000000000000000000000000000000003600000000tpm2-totp-20240326.33e1986/dist/initramfs-tools/hooks07070100000028000081A40000000000000000000000016602CAFD00000149000000000000000000000000000000000000004300000000tpm2-totp-20240326.33e1986/dist/initramfs-tools/hooks/tpm2-totp.in#!/bin/sh
PREREQ='plymouth'
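#######################################
# Report this hook's prerequisites to initramfs-tools.
# Globals:   PREREQ (read)
# Outputs:   PREREQ followed by a newline on stdout
# Returns:   0
#######################################
prereqs() {
  # printf rather than echo: the value is printed verbatim even if it ever
  # starts with a dash or contains backslashes.
  printf '%s\n' "$PREREQ"
}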
# initramfs-tools calls every hook with "prereqs" first to compute the run
# order; answer and stop.
case $1 in
prereqs)
prereqs
exit 0
;;
esac
. /usr/share/initramfs-tools/hook-functions
# Copy the plymouth helper, the device TCTI library (copied explicitly since it
# is presumably loaded at runtime rather than linked — confirm against src/)
# and the TPM kernel drivers into the image.
copy_exec @HELPERSDIR@/plymouth-tpm2-totp /bin
copy_exec @TSS2_TCTI_DEVICE_LIBDIR@/libtss2-tcti-device.so.0
copy_modules_dir kernel/drivers/char/tpm
07070100000029000041ED0000000000000000000000026602CAFD00000000000000000000000000000000000000000000003800000000tpm2-totp-20240326.33e1986/dist/initramfs-tools/scripts0707010000002A000041ED0000000000000000000000026602CAFD00000000000000000000000000000000000000000000004600000000tpm2-totp-20240326.33e1986/dist/initramfs-tools/scripts/init-premount0707010000002B000081A40000000000000000000000016602CAFD0000016A000000000000000000000000000000000000005000000000tpm2-totp-20240326.33e1986/dist/initramfs-tools/scripts/init-premount/tpm2-totp#!/bin/sh
PREREQ='plymouth'
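#######################################
# Report this script's prerequisites to initramfs-tools.
# Globals:   PREREQ (read)
# Outputs:   PREREQ followed by a newline on stdout
# Returns:   0
#######################################
prereqs() {
  # printf rather than echo: the value is printed verbatim even if it ever
  # starts with a dash or contains backslashes.
  printf '%s\n' "$PREREQ"
}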
# initramfs-tools calls every script with "prereqs" first to compute the run
# order; answer and stop.
case $1 in
prereqs)
prereqs
exit 0
;;
esac
# Pick up the optional NV index from the kernel command line. The command
# substitution is deliberately unquoted so the line is split into words; note
# that the words are therefore also subject to pathname expansion, and that the
# last rd.tpm2-totp.nvindex= occurrence wins. The value is passed on
# unvalidated; the kernel command line is treated as trusted input here.
for arg in $(cat /proc/cmdline); do
case "$arg" in
rd.tpm2-totp.nvindex=*)
nvindex="${arg#rd.tpm2-totp.nvindex=}"
;;
esac
done
# Run the plymouth helper in the background so boot continues; --nvindex is
# only added when an index was given.
/bin/plymouth-tpm2-totp ${nvindex:+--nvindex "$nvindex"} &
0707010000002C000081A40000000000000000000000016602CAFD00000113000000000000000000000000000000000000003E00000000tpm2-totp-20240326.33e1986/dist/plymouth-tpm2-totp.service.in[Unit]
Description=Display a TOTP during boot using Plymouth
Requires=plymouth-start.service dev-tpm0.device
After=plymouth-start.service dev-tpm0.device
DefaultDependencies=no
[Service]
Type=exec
ExecStart=@HELPERSDIR@/plymouth-tpm2-totp
[Install]
WantedBy=sysinit.target
0707010000002D000081ED0000000000000000000000016602CAFD00000093000000000000000000000000000000000000002F00000000tpm2-totp-20240326.33e1986/dist/show-tpm2-totp#!/bin/sh
# Console display loop: print the current TOTP and refresh it at every 30 s
# boundary of the epoch. Extra arguments (e.g. --nvindex) are forwarded to
# tpm2-totp. The loop ends as soon as tpm2-totp fails.
while totp="$(tpm2-totp --time "$@" show)"; do
  printf '\n%s\n' "$totp"
  # Sleep until the next multiple of 30 s (between 1 and 30 s).
  sleep $(( 30 - $(date +%s) % 30 ))
done
0707010000002E000081A40000000000000000000000016602CAFD00000168000000000000000000000000000000000000003000000000tpm2-totp-20240326.33e1986/dist/tpm2-totp.pc.inprefix=@prefix@
exec_prefix=@exec_prefix@
libdir=@libdir@
includedir=@includedir@
Name: tpm2-totp
Description: Attest the trustworthiness of a device against a human using time-based one-time passwords
URL: https://github.com/tpm2-software/tpm2-totp
Version: @VERSION@
Requires.private: tss2-esys tss2-mu
Cflags: -I${includedir}
Libs: -L${libdir} -ltpm2-totp
0707010000002F000081A40000000000000000000000016602CAFD000001B8000000000000000000000000000000000000003500000000tpm2-totp-20240326.33e1986/dist/tpm2-totp.service.in[Unit]
Description=Display a TOTP during boot
Requires=dev-tpm0.device
Wants=systemd-vconsole-setup.service
After=systemd-vconsole-setup.service dev-tpm0.device
Before=systemd-ask-password-console.service
Conflicts=multi-user.target
DefaultDependencies=no
[Service]
Environment="TPM2TOTP_TCTI=device:/dev/tpm0"
Type=oneshot
ExecStart=/bin/sh -c 'echo "TOTP: $(tpm2-totp --time show)"'
StandardOutput=tty
[Install]
WantedBy=sysinit.target
07070100000030000081A40000000000000000000000016602CAFD00000176000000000000000000000000000000000000003300000000tpm2-totp-20240326.33e1986/dist/tpm2-totp.timer.in[Unit]
Description=Display a TOTP every 30s during boot
Requires=dev-tpm0.device
Wants=systemd-vconsole-setup.service
After=systemd-vconsole-setup.service dev-tpm0.device
Before=systemd-ask-password-console.service
Conflicts=multi-user.target
DefaultDependencies=no
[Timer]
OnCalendar=*-*-* *:*:00,30
AccuracySec=1
Unit=tpm2-totp.service
[Install]
WantedBy=sysinit.target
07070100000031000081A40000000000000000000000016602CAFD00003163000000000000000000000000000000000000002200000000tpm2-totp-20240326.33e1986/git.mk# git.mk, a small Makefile to autogenerate .gitignore files
# for autotools-based projects.
#
# Copyright 2009, Red Hat, Inc.
# Copyright 2010,2011,2012,2013 Behdad Esfahbod
# Written by Behdad Esfahbod
#
# Copying and distribution of this file, with or without modification,
# is permitted in any medium without royalty provided the copyright
# notice and this notice are preserved.
#
# The latest version of this file can be downloaded from:
GIT_MK_URL = https://raw.githubusercontent.com/behdad/git.mk/master/git.mk
#
# Bugs, etc, should be reported upstream at:
# https://github.com/behdad/git.mk
#
# To use in your project, import this file in your git repo's toplevel,
# then do "make -f git.mk". This modifies all Makefile.am files in
# your project to -include git.mk. Remember to add that line to new
# Makefile.am files you create in your project, or just rerun the
# "make -f git.mk".
#
# This enables automatic .gitignore generation. If you need to ignore
# more files, add them to the GITIGNOREFILES variable in your Makefile.am.
# But think twice before doing that. If a file has to be in .gitignore,
# chances are very high that it's a generated file and should be in one
# of MOSTLYCLEANFILES, CLEANFILES, DISTCLEANFILES, or MAINTAINERCLEANFILES.
#
# The only case in which you need to manually add a file to GITIGNOREFILES is
# when removing files in one of the mostlyclean-local, clean-local, distclean-local,
# or maintainer-clean-local make targets.
#
# Note that for files like editor backup, etc, there are better places to
# ignore them. See "man gitignore".
#
# If "make maintainer-clean" removes the files but they are not recognized
# by this script (that is, if "git status" shows untracked files still), send
# me the output of "git status" as well as your Makefile.am and Makefile for
# the directories involved and I'll diagnose.
#
# For a list of toplevel files that should be in MAINTAINERCLEANFILES, see
# Makefile.am.sample in the git.mk git repo.
#
# Don't EXTRA_DIST this file. It is supposed to only live in git clones,
# not tarballs. It serves no useful purpose in tarballs and clutters the
# build dir.
#
# This file knows how to handle autoconf, automake, libtool, gtk-doc,
# gnome-doc-utils, yelp.m4, mallard, intltool, gsettings, dejagnu, appdata,
# appstream, hotdoc.
#
# This makefile provides the following targets:
#
# - all: "make all" will build all gitignore files.
# - gitignore: makes all gitignore files in the current dir and subdirs.
# - .gitignore: make gitignore file for the current dir.
# - gitignore-recurse: makes all gitignore files in the subdirs.
#
# KNOWN ISSUES:
#
# - Recursive configure doesn't work as $(top_srcdir)/git.mk inside the
# submodule doesn't find us. If you have configure.{in,ac} files in
# subdirs, add a proxy git.mk file in those dirs that simply does:
# "include $(top_srcdir)/../git.mk". Add more ..'s to your taste.
# And add those files to git. See vte/gnome-pty-helper/git.mk for
# example.
#
###############################################################################
# Variables user modules may want to add to toplevel MAINTAINERCLEANFILES:
###############################################################################
#
# Most autotools-using modules should be fine including this variable in their
# toplevel MAINTAINERCLEANFILES:
# Files autoconf/automake/libtool drop into the top level and into the
# AC_CONFIG_AUX_DIR, plus the config header template named by
# AC_CONFIG_HEADERS (both located by tracing configure.ac).
GITIGNORE_MAINTAINERCLEANFILES_TOPLEVEL = \
$(srcdir)/aclocal.m4 \
$(srcdir)/autoscan.log \
$(srcdir)/configure.scan \
`AUX_DIR=$(srcdir)/$$(cd $(top_srcdir); $(AUTOCONF) --trace 'AC_CONFIG_AUX_DIR:$$1' ./configure.ac); \
test "x$$AUX_DIR" = "x$(srcdir)/" && AUX_DIR=$(srcdir); \
for x in \
ar-lib \
compile \
config.guess \
config.rpath \
config.sub \
depcomp \
install-sh \
ltmain.sh \
missing \
mkinstalldirs \
test-driver \
ylwrap \
; do echo "$$AUX_DIR/$$x"; done` \
`cd $(top_srcdir); $(AUTOCONF) --trace 'AC_CONFIG_HEADERS:$$1' ./configure.ac | \
head -n 1 | while read f; do echo "$(srcdir)/$$f.in"; done`
#
# All modules should also be fine including the following variable, which
# removes automake-generated Makefile.in files:
# Every Makefile.in listed in AC_CONFIG_FILES that has a Makefile.am source.
GITIGNORE_MAINTAINERCLEANFILES_MAKEFILE_IN = \
`cd $(top_srcdir); $(AUTOCONF) --trace 'AC_CONFIG_FILES:$$1' ./configure.ac | \
while read f; do \
case $$f in Makefile|*/Makefile) \
test -f "$(srcdir)/$$f.am" && echo "$(srcdir)/$$f.in";; esac; \
done`
#
# Modules that use libtool and use AC_CONFIG_MACRO_DIR() may also include this,
# though it's harmless to include regardless.
# libtool's m4 files as installed into AC_CONFIG_MACRO_DIR (empty when no
# macro dir is configured).
GITIGNORE_MAINTAINERCLEANFILES_M4_LIBTOOL = \
`MACRO_DIR=$(srcdir)/$$(cd $(top_srcdir); $(AUTOCONF) --trace 'AC_CONFIG_MACRO_DIR:$$1' ./configure.ac); \
if test "x$$MACRO_DIR" != "x$(srcdir)/"; then \
for x in \
libtool.m4 \
ltoptions.m4 \
ltsugar.m4 \
ltversion.m4 \
lt~obsolete.m4 \
; do echo "$$MACRO_DIR/$$x"; done; \
fi`
#
# Modules that use gettext and use AC_CONFIG_MACRO_DIR() may also include this,
# though it's harmless to include regardless.
# gettext's m4 files as installed into AC_CONFIG_MACRO_DIR (empty when no
# macro dir is configured).
GITIGNORE_MAINTAINERCLEANFILES_M4_GETTEXT = \
`MACRO_DIR=$(srcdir)/$$(cd $(top_srcdir); $(AUTOCONF) --trace 'AC_CONFIG_MACRO_DIR:$$1' ./configure.ac); \
if test "x$$MACRO_DIR" != "x$(srcdir)/"; then \
for x in \
codeset.m4 \
extern-inline.m4 \
fcntl-o.m4 \
gettext.m4 \
glibc2.m4 \
glibc21.m4 \
iconv.m4 \
intdiv0.m4 \
intl.m4 \
intldir.m4 \
intlmacosx.m4 \
intmax.m4 \
inttypes-pri.m4 \
inttypes_h.m4 \
lcmessage.m4 \
lib-ld.m4 \
lib-link.m4 \
lib-prefix.m4 \
lock.m4 \
longlong.m4 \
nls.m4 \
po.m4 \
printf-posix.m4 \
progtest.m4 \
size_max.m4 \
stdint_h.m4 \
threadlib.m4 \
uintmax_t.m4 \
visibility.m4 \
wchar_t.m4 \
wint_t.m4 \
xsize.m4 \
; do echo "$$MACRO_DIR/$$x"; done; \
fi`
###############################################################################
# Default rule is to install ourselves in all Makefile.am files:
###############################################################################
git-all: git-mk-install
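# Append "-include $(top_srcdir)/git.mk" to every Makefile.am that does not
# already include it. Each file is rewritten through a .tmp copy so a failed
# write leaves the original intact. The loop runs in the pipeline's subshell,
# so the final status check lives inside the same braces; the target fails if
# any file could not be updated.
git-mk-install:
@echo "Installing git makefile"
@find "`test -z "$(top_srcdir)" && echo . || echo "$(top_srcdir)"`" -name Makefile.am | { any_failed=; while read x; do \
if grep 'include .*/git.mk' "$$x" >/dev/null; then \
echo "$$x already includes git.mk"; \
else \
failed=; \
echo "Updating $$x"; \
{ cat "$$x"; \
echo ''; \
echo '-include $$(top_srcdir)/git.mk'; \
} > "$$x.tmp" || failed=1; \
if test x$$failed = x; then \
mv "$$x.tmp" "$$x" || failed=1; \
fi; \
if test x$$failed = x; then :; else \
echo "Failed updating $$x" >&2; \
any_failed=1; \
fi; \
fi; done; test -z "$$any_failed"; }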
# Self-update: downloads the upstream git.mk over this file. There is no
# checksum or signature verification, so inspect the diff before committing.
git-mk-update:
wget $(GIT_MK_URL) -O $(top_srcdir)/git.mk
.PHONY: git-all git-mk-install git-mk-update
###############################################################################
# Actual .gitignore generation:
###############################################################################
# Generate $(srcdir)/.gitignore from everything automake, libtool, gtk-doc,
# gnome-doc-utils, yelp, hotdoc, gsettings, appdata/appstream, intltool,
# dejagnu and autoconf are known to produce, driven by the variables those
# tools define in the including Makefile.am. Entries are emitted one per
# line, rewritten relative to $(srcdir), sorted with LC_ALL=C for a stable
# order, deduplicated, and moved into place through a .tmp file.
$(srcdir)/.gitignore: Makefile.am $(top_srcdir)/git.mk $(top_srcdir)/configure.ac
@echo "git.mk: Generating $@"
@{ \
if test "x$(DOC_MODULE)" = x -o "x$(DOC_MAIN_SGML_FILE)" = x; then :; else \
for x in \
$(DOC_MODULE)-decl-list.txt \
$(DOC_MODULE)-decl.txt \
tmpl/$(DOC_MODULE)-unused.sgml \
"tmpl/*.bak" \
$(REPORT_FILES) \
$(DOC_MODULE).pdf \
xml html \
; do echo "/$$x"; done; \
FLAVOR=$$(cd $(top_srcdir); $(AUTOCONF) --trace 'GTK_DOC_CHECK:$$2' ./configure.ac); \
case $$FLAVOR in *no-tmpl*) echo /tmpl;; esac; \
if echo "$(SCAN_OPTIONS)" | grep -q "\-\-rebuild-types"; then \
echo "/$(DOC_MODULE).types"; \
fi; \
if echo "$(SCAN_OPTIONS)" | grep -q "\-\-rebuild-sections"; then \
echo "/$(DOC_MODULE)-sections.txt"; \
fi; \
if test "$(abs_srcdir)" != "$(abs_builddir)" ; then \
for x in \
$(SETUP_FILES) \
$(DOC_MODULE).types \
; do echo "/$$x"; done; \
fi; \
fi; \
if test "x$(DOC_MODULE)$(DOC_ID)" = x -o "x$(DOC_LINGUAS)" = x; then :; else \
for lc in $(DOC_LINGUAS); do \
for x in \
$(if $(DOC_MODULE),$(DOC_MODULE).xml) \
$(DOC_PAGES) \
$(DOC_INCLUDES) \
; do echo "/$$lc/$$x"; done; \
done; \
for x in \
$(_DOC_OMF_ALL) \
$(_DOC_DSK_ALL) \
$(_DOC_HTML_ALL) \
$(_DOC_MOFILES) \
$(DOC_H_FILE) \
"*/.xml2po.mo" \
"*/*.omf.out" \
; do echo /$$x; done; \
fi; \
if test "x$(HOTDOC)" = x; then :; else \
$(foreach project, $(HOTDOC_PROJECTS),echo "/$(call HOTDOC_TARGET,$(project))"; \
echo "/$(shell $(call HOTDOC_PROJECT_COMMAND,$(project)) --get-conf-path output)" ; \
echo "/$(shell $(call HOTDOC_PROJECT_COMMAND,$(project)) --get-private-folder)" ; \
) \
for x in \
.hotdoc.d \
; do echo "/$$x"; done; \
fi; \
if test "x$(HELP_ID)" = x -o "x$(HELP_LINGUAS)" = x; then :; else \
for lc in $(HELP_LINGUAS); do \
for x in \
$(HELP_FILES) \
"$$lc.stamp" \
"$$lc.mo" \
; do echo "/$$lc/$$x"; done; \
done; \
fi; \
if test "x$(gsettings_SCHEMAS)" = x; then :; else \
for x in \
$(gsettings_SCHEMAS:.xml=.valid) \
$(gsettings__enum_file) \
; do echo "/$$x"; done; \
fi; \
if test "x$(appdata_XML)" = x; then :; else \
for x in \
$(appdata_XML:.xml=.valid) \
; do echo "/$$x"; done; \
fi; \
if test "x$(appstream_XML)" = x; then :; else \
for x in \
$(appstream_XML:.xml=.valid) \
; do echo "/$$x"; done; \
fi; \
if test -f $(srcdir)/po/Makefile.in.in; then \
for x in \
ABOUT-NLS \
po/Makefile.in.in \
po/Makefile.in.in~ \
po/Makefile.in \
po/Makefile \
po/Makevars.template \
po/POTFILES \
po/Rules-quot \
po/stamp-it \
po/stamp-po \
po/.intltool-merge-cache \
"po/*.gmo" \
"po/*.header" \
"po/*.mo" \
"po/*.sed" \
"po/*.sin" \
po/$(GETTEXT_PACKAGE).pot \
intltool-extract.in \
intltool-merge.in \
intltool-update.in \
; do echo "/$$x"; done; \
fi; \
if test -f $(srcdir)/configure; then \
for x in \
autom4te.cache \
configure \
config.h \
stamp-h1 \
libtool \
config.lt \
; do echo "/$$x"; done; \
fi; \
if test "x$(DEJATOOL)" = x; then :; else \
for x in \
$(DEJATOOL) \
; do echo "/$$x.sum"; echo "/$$x.log"; done; \
echo /site.exp; \
fi; \
if test "x$(am__dirstamp)" = x; then :; else \
echo "$(am__dirstamp)"; \
fi; \
if test "x$(findstring libtool,$(LTCOMPILE))" = x -a "x$(findstring libtool,$(LTCXXCOMPILE))" = x -a "x$(GTKDOC_RUN)" = x; then :; else \
for x in \
"*.lo" \
".libs" "_libs" \
; do echo "$$x"; done; \
fi; \
for x in \
.gitignore \
$(GITIGNOREFILES) \
$(CLEANFILES) \
$(PROGRAMS) $(check_PROGRAMS) $(EXTRA_PROGRAMS) \
$(LIBRARIES) $(check_LIBRARIES) $(EXTRA_LIBRARIES) \
$(LTLIBRARIES) $(check_LTLIBRARIES) $(EXTRA_LTLIBRARIES) \
so_locations \
$(MOSTLYCLEANFILES) \
$(TEST_LOGS) \
$(TEST_LOGS:.log=.trs) \
$(TEST_SUITE_LOG) \
$(TESTS:=.test) \
"*.gcda" \
"*.gcno" \
$(DISTCLEANFILES) \
$(am__CONFIG_DISTCLEAN_FILES) \
$(CONFIG_CLEAN_FILES) \
TAGS ID GTAGS GRTAGS GSYMS GPATH tags \
"*.tab.c" \
$(MAINTAINERCLEANFILES) \
$(BUILT_SOURCES) \
$(patsubst %.vala,%.c,$(filter %.vala,$(SOURCES))) \
$(filter %_vala.stamp,$(DIST_COMMON)) \
$(filter %.vapi,$(DIST_COMMON)) \
$(filter $(addprefix %,$(notdir $(patsubst %.vapi,%.h,$(filter %.vapi,$(DIST_COMMON))))),$(DIST_COMMON)) \
Makefile \
Makefile.in \
"*.orig" \
"*.rej" \
"*.bak" \
"*~" \
".*.sw[nop]" \
".dirstamp" \
; do echo "/$$x"; done; \
for x in \
"*.$(OBJEXT)" \
$(DEPDIR) \
; do echo "$$x"; done; \
} | \
sed "s@^/`echo "$(srcdir)" | sed 's/\(.\)/[\1]/g'`/@/@" | \
sed 's@/[.]/@/@g' | \
LC_ALL=C sort | uniq > $@.tmp && \
mv $@.tmp $@;
# Hook into the default build: regenerate this directory's .gitignore and
# recurse into subdirectories automake does not already visit.
all: $(srcdir)/.gitignore gitignore-recurse-maybe
# Explicit target: regenerate .gitignore files in all DIST_SUBDIRS.
gitignore: $(srcdir)/.gitignore gitignore-recurse
# Recurse only into DIST_SUBDIRS that are not in SUBDIRS (those are handled by
# the normal recursive "all"); skip "." and nested git checkouts.
gitignore-recurse-maybe:
@for subdir in $(DIST_SUBDIRS); do \
case " $(SUBDIRS) " in \
*" $$subdir "*) :;; \
*) test "$$subdir" = . -o -e "$$subdir/.git" || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) gitignore || echo "Skipping $$subdir");; \
esac; \
done
gitignore-recurse:
@for subdir in $(DIST_SUBDIRS); do \
test "$$subdir" = . -o -e "$$subdir/.git" || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) gitignore || echo "Skipping $$subdir"); \
done
maintainer-clean: gitignore-clean
gitignore-clean:
-rm -f $(srcdir)/.gitignore
.PHONY: gitignore-clean gitignore gitignore-recurse gitignore-recurse-maybe
07070100000032000041ED0000000000000000000000026602CAFD00000000000000000000000000000000000000000000002300000000tpm2-totp-20240326.33e1986/include07070100000033000081A40000000000000000000000016602CAFD000006BF000000000000000000000000000000000000002F00000000tpm2-totp-20240326.33e1986/include/tpm2-totp.h/* SPDX-License-Identifier: BSD-3-Clause */
/*******************************************************************************
* Copyright 2018, Fraunhofer SIT
* All rights reserved.
*******************************************************************************/
#ifndef TPM2_TOTP_H
#define TPM2_TOTP_H
#include <stdint.h>
#include <time.h>
#include <tss2/tss2_tcti.h>
/* PCR-bank selectors; OR them together to form the 'banks' bitmask. */
#define TPM2TOTP_BANK_SHA1 (1 << 0)
#define TPM2TOTP_BANK_SHA256 (1 << 1)
#define TPM2TOTP_BANK_SHA384 (1 << 2)
/*
 * Conventions shared by all functions below:
 *  - 'pcrs' is a bitmask of PCR indices (bit n selects PCR n; only bits 0..23
 *    are used) and 'banks' is a TPM2TOTP_BANK_* bitmask. 0 selects the
 *    library defaults (PCRs 0,2,4; banks SHA1 and SHA256).
 *  - 'tcti_context' is optional; NULL lets the TSS pick the default TCTI.
 *  - Buffers returned through 'uint8_t **' are malloc()ed and owned by the
 *    caller.
 *  - 'keyBlob' is the opaque serialisation produced by tpm2totp_generateKey():
 *    pcrs, banks, a PCR-policy-bound HMAC key and, if a password was given, a
 *    password-protected sealed copy of the secret. The private parts are
 *    TPM-wrapped; the blob itself is not integrity-protected.
 *  - Return value: 0 on success, -1 on general failure, otherwise a TSS2_RC
 *    relayed from the TSS library (cast to int).
 */
/* Create a fresh TOTP secret in the TPM, bound to the given PCRs/banks. The
 * raw secret is returned once in *secret (for the user's authenticator app,
 * see tpm2-totp(1)); the TPM-wrapped key material in *keyBlob. A non-empty
 * 'password' additionally stores a recovery copy inside the blob. */
int
tpm2totp_generateKey(uint32_t pcrs, uint32_t banks, const char *password,
TSS2_TCTI_CONTEXT *tcti_context,
uint8_t **secret, size_t *secret_size,
uint8_t **keyBlob, size_t *keyBlob_size);
/* Re-bind the secret to the given PCRs/banks (current PCR values) using the
 * password-protected recovery copy in keyBlob. Returns -10 for an empty
 * password and -20 if the blob carries no recovery copy. */
int
tpm2totp_reseal(const uint8_t *keyBlob, size_t keyBlob_size,
const char *password, uint32_t pcrs, uint32_t banks,
TSS2_TCTI_CONTEXT *tcti_context,
uint8_t **newBlob, size_t *newBlob_size);
/* Define NV index 'nv' (0 = library default 0x018094AF) under the owner
 * hierarchy and write keyBlob into it. The index is created with an empty
 * authValue, i.e. readable by anyone with access to the TPM. */
int
tpm2totp_storeKey_nv(const uint8_t *keyBlob, size_t keyBlob_size, uint32_t nv,
TSS2_TCTI_CONTEXT *tcti_context);
/* Read the blob back from NV index 'nv' (0 = default). */
int
tpm2totp_loadKey_nv(uint32_t nv, TSS2_TCTI_CONTEXT *tcti_context,
uint8_t **keyBlob, size_t *keyBlob_size);
/* Undefine NV index 'nv' (0 = default), deleting the stored blob. */
int
tpm2totp_deleteKey_nv(uint32_t nv, TSS2_TCTI_CONTEXT *tcti_context);
/* Compute the TOTP for the current time with the HMAC key in keyBlob; only
 * succeeds while the selected PCRs match the values the key was sealed to.
 * *now receives the time used for the calculation. */
int
tpm2totp_calculate(const uint8_t *keyBlob, size_t keyBlob_size,
TSS2_TCTI_CONTEXT *tcti_context,
time_t *now, uint64_t *otp);
/* Recover the raw secret from the recovery copy in keyBlob using 'password'
 * (implementation not shown here; presumably mirrors the unseal step of
 * tpm2totp_reseal()). */
int
tpm2totp_getSecret(const uint8_t *keyBlob, size_t keyBlob_size,
const char *password, TSS2_TCTI_CONTEXT *tcti_context,
uint8_t **secret, size_t *secret_size);
#endif /* TPM2_TOTP_H */
07070100000034000041ED0000000000000000000000026602CAFD00000000000000000000000000000000000000000000001E00000000tpm2-totp-20240326.33e1986/m407070100000035000081A40000000000000000000000016602CAFD00000910000000000000000000000000000000000000002700000000tpm2-totp-20240326.33e1986/m4/flags.m4dnl AX_ADD_COMPILER_FLAG:
dnl A macro to add a CFLAG to the EXTRA_CFLAGS variable. This macro will
dnl check to be sure the compiler supports the flag. Flags can be made
dnl mandatory (configure will fail).
dnl The probe is run with "-Wall -Werror" added (4th argument of
dnl AX_CHECK_COMPILE_FLAG), so a compiler that only warns about an unknown
dnl option still counts as "not supported" and the flag is not added.
dnl $1: C compiler flag to add to EXTRA_CFLAGS.
dnl $2: Set to "required" to cause configure failure if flag not supported.
AC_DEFUN([AX_ADD_COMPILER_FLAG],[
AX_CHECK_COMPILE_FLAG([$1],[
EXTRA_CFLAGS="$EXTRA_CFLAGS $1"
AC_SUBST([EXTRA_CFLAGS])],[
AS_IF([test x$2 != xrequired],[
AC_MSG_WARN([Optional CFLAG "$1" not supported by your compiler, continuing.])],[
AC_MSG_ERROR([Required CFLAG "$1" not supported by your compiler, aborting.])]
)],[
-Wall -Werror]
)]
)
dnl AX_ADD_PREPROC_FLAG:
dnl Add the provided preprocessor flag to the EXTRA_CFLAGS variable. This
dnl macro will check to be sure the preprocessor supports the flag.
dnl The flag can be made mandatory by providing the string 'required' as
dnl the second parameter.
dnl As with AX_ADD_COMPILER_FLAG, the probe runs with "-Wall -Werror" so that
dnl an unknown option that is merely warned about counts as unsupported.
dnl $1: Preprocessor flag to add to EXTRA_CFLAGS.
dnl $2: Set to "required" to cause configure failure if the preprocessor
dnl flag is not supported.
AC_DEFUN([AX_ADD_PREPROC_FLAG],[
AX_CHECK_PREPROC_FLAG([$1],[
EXTRA_CFLAGS="$EXTRA_CFLAGS $1"
AC_SUBST([EXTRA_CFLAGS])],[
AS_IF([test x$2 != xrequired],[
AC_MSG_WARN([Optional preprocessor flag "$1" not supported by your compiler, continuing.])],[
AC_MSG_ERROR([Required preprocessor flag "$1" not supported by your compiler, aborting.])]
)],[
-Wall -Werror]
)]
)
dnl AX_ADD_LINK_FLAG:
dnl A macro to add an LDFLAG to the EXTRA_LDFLAGS variable. This macro will
dnl check to be sure the linker supports the flag. Flags can be made
dnl mandatory (configure will fail).
dnl NOTE(review): unlike the two compile-side macros above, no "-Wall -Werror"
dnl is added to the probe, so a flag the toolchain only warns about (e.g. a
dnl hardening option the linker silently ignores) may be accepted as
dnl supported. Confirm this is intended before relying on a "required" flag.
dnl $1: linker flag to add to EXTRA_LDFLAGS.
dnl $2: Set to "required" to cause configure failure if flag not supported.
AC_DEFUN([AX_ADD_LINK_FLAG],[
AX_CHECK_LINK_FLAG([$1],[
EXTRA_LDFLAGS="$EXTRA_LDFLAGS $1"
AC_SUBST([EXTRA_LDFLAGS])],[
AS_IF([test x$2 != xrequired],[
AC_MSG_WARN([Optional LDFLAG "$1" not supported by your linker, continuing.])],[
AC_MSG_ERROR([Required LDFLAG "$1" not supported by your linker, aborting.])]
)]
)]
)
07070100000036000041ED0000000000000000000000026602CAFD00000000000000000000000000000000000000000000001F00000000tpm2-totp-20240326.33e1986/man07070100000037000081A40000000000000000000000016602CAFD00001157000000000000000000000000000000000000002E00000000tpm2-totp-20240326.33e1986/man/tpm2-totp.1.md% tpm2-totp(1) tpm2-totp | General Commands Manual
%
% DECEMBER 2018
# NAME
**tpm2-totp**(1) -- initialize or calculate and show TPM based TOTPs
# SYNOPSIS
**tpm2-totp** [*options*] <command>
# DESCRIPTION
**tpm2-totp** creates a key inside a TPM 2.0 that can be used to calculate
time-based one-time passwords (TOTPs) to demonstrate to the user that a platform
was not altered during his/her absence and thus is still trustworthy.
The secret is only usable while the selected PCRs hold the values they had at
`init` (or the last `reseal`), so a matching TOTP attests the measured (PCR)
boot state, not anything that happened after those measurements.
# ARGUMENTS
The `tpm2-totp` command expects exactly one of the following five commands and
accepts the options listed below.
## COMMANDS
* `init`:
Generate and store a new TOTP secret.
Possible options: `-b`, `-l`, `-N`, `-p`, `-P`, `-T`
* `show`:
Calculate and show a TOTP value.
Possible options: `-N`, `-t`, `-T`
* `reseal`:
Reseal TOTP secret to new PCRs, banks or values.
Possible options: `-b`, `-N`, `-p`, `-P` (required), `-T`
* `recover`:
Recover the TOTP secret and display it again.
Possible Options: `-N`, `-P` (required), `-T`
* `clean`:
Delete the consumed NV index.
Possible Options: `-N`, `-T`
## OPTIONS
* `-b <bank>[,<bank>[,...]]`, `--banks <bank>[,<bank>[,...]]`:
Selected PCR banks (default: SHA1,SHA256)
* `-h`, `--help`:
Print help
* `-l`, `--label`:
Label to use for display in the TOTP authenticator app (default: TPM2-TOTP)
* `-N <nvindex>`, `--nvindex <nvindex>`:
TPM NV index to store data (default: 0x018094AF)
* `-p <pcr>[,<pcr>[,...]]`, `--pcrs <pcr>[,<pcr>[,...]]`:
Selected PCR registers (default: 0,2,4)
* `-P <password>`, `--password <password>`:
Password for the secret (default: none) (commands: init, recover, reseal)
Read from stdin if `-` (recommended).
Must not contain `\0`.
* `-t`, `--time`:
Display the date/time of the TOTP calculation (commands: show)
* `-T <tcti-name>[:<tcti-config>]`, `--tcti <tcti-name>[:<tcti-config>]`:
Select the TCTI to use. *tcti-name* is the name of the TCTI library.
If present, the configuration string *tcti-config* is passed verbatim to the
chosen TCTI library.
The TCTI can additionally be specified using the environment variable
`TPM2TOTP_TCTI`. If both the command line option and the environment
variable are present, the command line option is used.
If no TCTI is specified, the default TCTI configured on the system is used.
* `-v`, `--verbose`:
Print verbose messages
# EXAMPLES
## Setup
The TOTP secret can be initialized with or without a password. It is recommended
to set a password with `-P`, since the `recover` and `reseal` commands require
one. Further, it is strongly recommended to provide the password via stdin
rather than directly as a command line option, to protect it from other
processes (e.g. `ps`), shell history, etc.
The PCRs and PCR banks can be selected with `-p` and `-b`. Default values are
PCRs `0,2,4` and banks `SHA1,SHA256`.
```
tpm2-totp init
tpm2-totp -P - init
verysecret<CTRL-D>
# or (recommended)
gpg --decrypt /path/to/password.gpg | tpm2-totp -P - init
# or (discouraged)
tpm2-totp -P verysecret init
tpm2-totp -P - -p 0,1,2,3,4,5,6 init
tpm2-totp -p 0,1,2,3,4,5,6 -b SHA1,SHA256 init
```
## Boot
During boot, the TOTP value for the current time should be shown to the user
together with the time it was computed for (so it can be compared against the
authenticator app), e.g. using plymouth from mkinitrd or from dracut.
The command to be executed is:
```
tpm2-totp show
tpm2-totp -t show
```
## Recovery
In order to recover the QR code:
```
tpm2-totp -P - recover
```
In order to reseal the secret:
```
tpm2-totp -P - reseal
tpm2-totp -P - -p 1,3,5,6 reseal
```
## Deletion
In order to delete the created NV index:
```
tpm2-totp clean
```
## NV index
All commands additionally take the `-N` option to specify the NV index to be
used. By default, 0x018094AF is used, which is also the recommended value.
```
tpm2-totp -N 0x01800001 -P - init
tpm2-totp -N 0x01800001 show
tpm2-totp -N 0x01800001 -P - recover
tpm2-totp -N 0x01800001 -P - reseal
```
## TCTI configuration
All commands take the `-T` option or the `TPM2TOTP_TCTI` environment variable
to specify the TCTI to be used. If the TCTI is not specified explicitly, the
default TCTI configured on the system is used. To e.g. use the TPM simulator
bound to a given port, use
```
tpm2-totp -T mssim:port=2321 init
```
# RETURNS
0 on success or 1 on failure.
# AUTHOR
Written by Andreas Fuchs.
# COPYRIGHT
tpm2-totp is Copyright (C) 2018 Fraunhofer SIT. License BSD 3-clause.
# SEE ALSO
tpm2totp_generateKey(3)
07070100000038000041ED0000000000000000000000026602CAFD00000000000000000000000000000000000000000000001F00000000tpm2-totp-20240326.33e1986/src07070100000039000081A40000000000000000000000016602CAFD00007FFB000000000000000000000000000000000000002E00000000tpm2-totp-20240326.33e1986/src/libtpm2-totp.c/* SPDX-License-Identifier: BSD-3-Clause */
/*******************************************************************************
* Copyright 2018, Fraunhofer SIT
* All rights reserved.
*******************************************************************************/
#define _DEFAULT_SOURCE
#include <tpm2-totp.h>
#include <endian.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <tss2/tss2_mu.h>
#include <tss2/tss2_esys.h>
/* RFC 6238 TOTP defines */
/* TOTP time step in seconds (the RFC 6238 default). */
#define TIMESTEPSIZE 30
/* Length in bytes of the shared secret drawn from the TPM RNG: 160 bits, the
 * HMAC-SHA1 output size used by the HMAC key template below. */
#define SECRETLEN 20
/* Default PCR bitmask when a caller passes pcrs == 0: bits 0, 2 and 4, i.e.
 * PCRs 0, 2 and 4. Only the low 24 bits of a pcrs mask are ever consulted. */
#define DEFAULT_PCRS (0b000000000000000000010101)
/* Default bank bitmask when banks == 0: TPM2TOTP_BANK_SHA1 | TPM2TOTP_BANK_SHA256. */
#define DEFAULT_BANKS (0b11)
/* Default NV index (owner-hierarchy handle range) for the key blob. */
#define DEFAULT_NV 0x018094AF
/* Empty owner authorization. Not referenced by the functions in this file:
 * every owner-hierarchy command below uses ESYS_TR_PASSWORD without an
 * Esys_TR_SetAuth() call, i.e. an empty ownerAuth is assumed throughout. */
const TPM2B_DIGEST ownerauth = { .size = 0 };
/* Debug output goes to stderr unless built with NDEBUG. */
#ifdef NDEBUG
#define dbg(m, ...)
#else
#define dbg(m, ...) fprintf(stderr, m "\n", ##__VA_ARGS__)
#endif
/* Run 'cmd' (typically a goto) when a TSS call did not succeed. It expands to
 * a single if-statement without else, so it may safely follow another 'if'. */
#define chkrc(rc, cmd) if (rc != TSS2_RC_SUCCESS) { cmd; }
/* Storage primary under the owner hierarchy: restricted ECC P-256 decryption
 * key with AES-128-CFB as the symmetric wrapping algorithm, fixed to this TPM
 * and parent, empty auth and empty policy, DA protection disabled (NODA).
 * generateKey, reseal and calculate all re-create the parent from this same
 * template so that child blobs created here can be loaded again later. */
#define TPM2B_PUBLIC_PRIMARY_TEMPLATE { .size = 0, \
.publicArea = { \
.type = TPM2_ALG_ECC, \
.nameAlg = TPM2_ALG_SHA256, \
.objectAttributes = ( TPMA_OBJECT_USERWITHAUTH | \
TPMA_OBJECT_RESTRICTED | \
TPMA_OBJECT_DECRYPT | \
TPMA_OBJECT_NODA | \
TPMA_OBJECT_FIXEDTPM | \
TPMA_OBJECT_FIXEDPARENT | \
TPMA_OBJECT_SENSITIVEDATAORIGIN ), \
.authPolicy = { .size = 0, }, \
.parameters.eccDetail = { \
.symmetric = { .algorithm = TPM2_ALG_AES, \
.keyBits.aes = 128, .mode.aes = TPM2_ALG_CFB, }, \
.scheme = { .scheme = TPM2_ALG_NULL, .details = {} }, \
.curveID = TPM2_ECC_NIST_P256, \
.kdf = { .scheme = TPM2_ALG_NULL, .details = {} }, }, \
.unique.ecc = { .x.size = 0, .y.size = 0 } \
} }
/* Sealed keyedhash object (scheme NULL) holding the password-protected
 * recovery copy of the secret. Authorized by password only (USERWITHAUTH,
 * empty policy). NODA is not set, so failed password attempts count toward
 * the TPM's dictionary-attack lockout. The .details.hmac entry is irrelevant
 * with scheme NULL. */
#define TPM2B_PUBLIC_KEY_TEMPLATE_UNSEAL { .size = 0, \
.publicArea = { \
.type = TPM2_ALG_KEYEDHASH, \
.nameAlg = TPM2_ALG_SHA256, \
.objectAttributes = ( TPMA_OBJECT_USERWITHAUTH ), \
.authPolicy = { .size = 0, .buffer = { 0 } }, \
.parameters.keyedHashDetail.scheme = { .scheme = TPM2_ALG_NULL, \
.details = { .hmac = { .hashAlg = TPM2_ALG_SHA1 } } }, \
.unique.keyedHash = { .size = 0, .buffer = { 0 }, }, \
} }
/* HMAC-SHA1 key (the RFC 6238 TOTP algorithm) holding the same secret.
 * SIGN_ENCRYPT without USERWITHAUTH: it can only be used for HMAC, never
 * unsealed, and only through a policy session. The PolicyPCR digest is
 * written into .authPolicy at creation time (see generateKey/reseal). */
#define TPM2B_PUBLIC_KEY_TEMPLATE_HMAC { .size = 0, \
.publicArea = { \
.type = TPM2_ALG_KEYEDHASH, \
.nameAlg = TPM2_ALG_SHA256, \
.objectAttributes = ( TPMA_OBJECT_SIGN_ENCRYPT ), \
.authPolicy = { .size = 0, .buffer = { 0 } }, \
.parameters.keyedHashDetail.scheme = { .scheme = TPM2_ALG_HMAC, \
.details = { .hmac = { .hashAlg = TPM2_ALG_SHA1 } } }, \
.unique.keyedHash = { .size = 0, .buffer = { 0 }, }, \
} }
/* Empty sensitive area; userAuth and data are filled in per object. Note the
 * trailing ';' inside the macro: each use yields an extra empty statement. */
#define TPM2B_SENSITIVE_CREATE_TEMPLATE { .size = 0, \
.sensitive = { \
.userAuth = { .size = 0, .buffer = { 0 } }, \
.data = { .size = 0, .buffer = { 0 } }, \
} };
/* Shared, read-only-by-convention inputs for Esys_CreatePrimary/Esys_Create
 * and Esys_NV_DefineSpace. They are neither const nor static, so any other
 * translation unit could alter them. */
TPM2B_PUBLIC primaryPublic = TPM2B_PUBLIC_PRIMARY_TEMPLATE;
TPM2B_SENSITIVE_CREATE primarySensitive = TPM2B_SENSITIVE_CREATE_TEMPLATE;
TPM2B_DATA allOutsideInfo = { .size = 0, };
TPML_PCR_SELECTION allCreationPCR = { .count = 0 };
TPM2B_AUTH emptyAuth = { .size = 0, };
/** @defgroup tpm2-totp libtpm2-totp
* Attest the trustworthiness of a device against a human using time-based one-time passwords.
* @{
*/
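/** Generate a key.
 *
 * Draws a fresh SECRETLEN-byte TOTP secret from the TPM RNG and wraps it in
 * two objects created under an owner-hierarchy storage primary:
 *  - an HMAC-SHA1 keyedhash object whose authPolicy is a PolicyPCR over the
 *    selected PCRs/banks at their current values (used by tpm2totp_calculate),
 *  - if a non-empty password is given, a sealed copy of the same secret
 *    protected by that password (used by tpm2totp_reseal).
 * Both are serialised into *keyBlob as: pcrs (u32), banks (u32),
 * TPM2B_PUBLIC + TPM2B_PRIVATE of the HMAC key [, TPM2B_PUBLIC + TPM2B_PRIVATE
 * of the sealed copy]. The blob is not integrity-protected.
 *
 * @param[in] pcrs PCRs the key should be sealed against (bitmask; 0 selects
 *                 DEFAULT_PCRS; only bits 0..23 are used).
 * @param[in] banks PCR banks the key should be sealed against (TPM2TOTP_BANK_*
 *                  bitmask; 0 selects DEFAULT_BANKS).
 * @param[in] password Optional password to recover or reseal the secret.
 *                     NULL or "" stores no recovery copy. Must fit a
 *                     TPM2B_AUTH buffer; the TPM additionally limits
 *                     authValues to the nameAlg digest size and reports
 *                     longer ones as an error.
 * @param[in] tcti_context Optional TCTI context to select TPM to use.
 * @param[out] secret Generated secret (malloc'ed; NULL on failure).
 * @param[out] secret_size Size of the secret (0 on failure).
 * @param[out] keyBlob Generated key (malloc'ed; NULL on failure).
 * @param[out] keyBlob_size Size of the generated key (0 on failure).
 * @retval 0 on success.
 * @retval -1 on undefined/general failure.
 * @retval TSS2_RC response code for failures relayed from the TSS library.
 */
int
tpm2totp_generateKey(uint32_t pcrs, uint32_t banks, const char *password,
                     TSS2_TCTI_CONTEXT *tcti_context,
                     uint8_t **secret, size_t *secret_size,
                     uint8_t **keyBlob, size_t *keyBlob_size)
{
    if (secret == NULL || secret_size == NULL ||
        keyBlob == NULL || keyBlob_size == NULL) {
        return -1;
    }
    /* Outputs are well-defined on every exit path. */
    *secret = NULL;
    *secret_size = 0;
    *keyBlob = NULL;
    *keyBlob_size = 0;

    ESYS_CONTEXT *ctx = NULL;
    ESYS_TR primary = ESYS_TR_NONE, session = ESYS_TR_NONE;
    TSS2_RC rc = TSS2_RC_SUCCESS;
    int ret = -1;
    size_t off = 0;
    size_t passlen = (password != NULL) ? strlen(password) : 0;
    TPM2B_DIGEST *rnd = NULL;
    TPM2B_DIGEST *policyDigest = NULL;
    TPML_PCR_SELECTION *pcrcheck = NULL;
    TPML_PCR_SELECTION pcrsel = { .count = 0 };
    TPMT_SYM_DEF sym = {.algorithm = TPM2_ALG_AES,
                        .keyBits = {.aes = 128},
                        .mode = {.aes = TPM2_ALG_CFB}
    };
    TPM2B_PUBLIC keyInPublicHmac = TPM2B_PUBLIC_KEY_TEMPLATE_HMAC;
    TPM2B_PUBLIC keyInPublicSeal = TPM2B_PUBLIC_KEY_TEMPLATE_UNSEAL;
    TPM2B_PUBLIC *keyPublicHmac = NULL;
    TPM2B_PRIVATE *keyPrivateHmac = NULL;
    TPM2B_PUBLIC *keyPublicSeal = NULL;
    TPM2B_PRIVATE *keyPrivateSeal = NULL;
    TPM2B_SENSITIVE_CREATE keySensitive = TPM2B_SENSITIVE_CREATE_TEMPLATE;

    /* The password is copied verbatim into a fixed-size TPM2B_AUTH; reject
     * anything that would overflow it instead of memcpy'ing past the end. */
    if (passlen > sizeof(keySensitive.sensitive.userAuth.buffer)) {
        dbg("Password too long");
        return -1;
    }

    if (pcrs == 0) pcrs = DEFAULT_PCRS;
    if (banks == 0) banks = DEFAULT_BANKS;
    if (banks & TPM2TOTP_BANK_SHA1)
        pcrsel.pcrSelections[pcrsel.count++].hash = TPM2_ALG_SHA1;
    if (banks & TPM2TOTP_BANK_SHA256)
        pcrsel.pcrSelections[pcrsel.count++].hash = TPM2_ALG_SHA256;
    if (banks & TPM2TOTP_BANK_SHA384)
        pcrsel.pcrSelections[pcrsel.count++].hash = TPM2_ALG_SHA384;
    /* Same PCR bitmap for every selected bank; 3 bytes cover PCRs 0..23. */
    for (size_t i = 0; i < pcrsel.count; i++) {
        pcrsel.pcrSelections[i].sizeofSelect = 3;
        pcrsel.pcrSelections[i].pcrSelect[0] = pcrs & 0xff;
        pcrsel.pcrSelections[i].pcrSelect[1] = (pcrs >> 8) & 0xff;
        pcrsel.pcrSelections[i].pcrSelect[2] = (pcrs >> 16) & 0xff;
    }

    *secret = malloc(SECRETLEN);
    if (!*secret) {
        return -1;
    }

    rc = Esys_Initialize(&ctx, tcti_context, NULL);
    chkrc(rc, goto error);
    /* TPM2_RC_INITIALIZE only means the TPM was already started up. */
    rc = Esys_Startup(ctx, TPM2_SU_CLEAR);
    if (rc == TPM2_RC_INITIALIZE) rc = TSS2_RC_SUCCESS;
    chkrc(rc, goto error);

    /* The secret comes from the TPM RNG. A TPM may return fewer bytes than
     * requested, so loop; never accept more than the buffer has room for. */
    while (*secret_size < SECRETLEN) {
        dbg("Calling Esys_GetRandom for %zu bytes", SECRETLEN - *secret_size);
        rc = Esys_GetRandom(ctx,
                            ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
                            SECRETLEN - *secret_size, &rnd);
        chkrc(rc, goto error);
        if (rnd->size == 0 || rnd->size > SECRETLEN - *secret_size) {
            dbg("Esys_GetRandom returned an unusable number of bytes");
            goto error;
        }
        memcpy(*secret + *secret_size, rnd->buffer, rnd->size);
        *secret_size += rnd->size;
        free(rnd);
        rnd = NULL;
    }

    dbg("Calling Esys_CreatePrimary");
    /* Owner-hierarchy primary with an empty owner auth (no Esys_TR_SetAuth);
     * reseal/calculate re-create the parent from the same template. */
    rc = Esys_CreatePrimary(ctx, ESYS_TR_RH_OWNER,
                            ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
                            &primarySensitive, &primaryPublic,
                            &allOutsideInfo, &allCreationPCR,
                            &primary, NULL, NULL, NULL, NULL);
    chkrc(rc, goto error);

    /* Esys_PCR_Read reports back only banks the TPM implements; none left
     * means the selection cannot be sealed against. */
    rc = Esys_PCR_Read(ctx,
                       ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
                       &pcrsel, NULL, &pcrcheck, NULL);
    chkrc(rc, goto error);
    if (pcrcheck->count == 0) {
        dbg("No active banks selected");
        goto error;
    }
    free(pcrcheck);
    pcrcheck = NULL;

    /* Policy session used only to obtain the PolicyPCR digest for the
     * current PCR values; it becomes the HMAC key's authPolicy. */
    rc = Esys_StartAuthSession(ctx, ESYS_TR_NONE, ESYS_TR_NONE,
                               ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
                               NULL, TPM2_SE_POLICY, &sym, TPM2_ALG_SHA256,
                               &session);
    chkrc(rc, goto error);
    rc = Esys_PolicyPCR(ctx, session,
                        ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
                        NULL, &pcrsel);
    chkrc(rc, goto error);
    rc = Esys_PolicyGetDigest(ctx, session,
                              ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
                              &policyDigest);
    chkrc(rc, goto error);
    Esys_FlushContext(ctx, session);
    session = ESYS_TR_NONE;
    keyInPublicHmac.publicArea.authPolicy = *policyDigest;
    free(policyDigest);
    policyDigest = NULL;

    /* HMAC key: no USERWITHAUTH in its template, so it is only usable through
     * a session satisfying the PCR policy, and it can be used but not read. */
    keySensitive.sensitive.data.size = (UINT16)*secret_size;
    memcpy(keySensitive.sensitive.data.buffer, *secret, *secret_size);
    rc = Esys_Create(ctx, primary,
                     ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
                     &keySensitive, &keyInPublicHmac,
                     &allOutsideInfo, &allCreationPCR,
                     &keyPrivateHmac, &keyPublicHmac, NULL, NULL, NULL);
    chkrc(rc, goto error);

    /* Optional recovery copy: the same secret sealed under the password
     * (USERWITHAUTH, no PCR policy), consumed by tpm2totp_reseal(). */
    if (passlen > 0) {
        keySensitive.sensitive.userAuth.size = (UINT16)passlen;
        memcpy(keySensitive.sensitive.userAuth.buffer, password, passlen);
        rc = Esys_Create(ctx, primary,
                         ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
                         &keySensitive, &keyInPublicSeal,
                         &allOutsideInfo, &allCreationPCR,
                         &keyPrivateSeal, &keyPublicSeal, NULL, NULL, NULL);
        chkrc(rc, goto error);
    }
    Esys_FlushContext(ctx, primary);
    primary = ESYS_TR_NONE;

    /* Size pass: marshalling into a NULL buffer only advances the offset. */
    *keyBlob_size = 4 + 4;
    rc = Tss2_MU_TPM2B_PUBLIC_Marshal(keyPublicHmac, NULL, -1, keyBlob_size);
    chkrc(rc, goto error);
    rc = Tss2_MU_TPM2B_PRIVATE_Marshal(keyPrivateHmac, NULL, -1, keyBlob_size);
    chkrc(rc, goto error);
    if (passlen > 0) {
        rc = Tss2_MU_TPM2B_PUBLIC_Marshal(keyPublicSeal, NULL, -1, keyBlob_size);
        chkrc(rc, goto error);
        rc = Tss2_MU_TPM2B_PRIVATE_Marshal(keyPrivateSeal, NULL, -1, keyBlob_size);
        chkrc(rc, goto error);
    }
    *keyBlob = malloc(*keyBlob_size);
    if (!*keyBlob) {
        goto error;
    }

    /* Write pass. */
    rc = Tss2_MU_UINT32_Marshal(pcrs, *keyBlob, *keyBlob_size, &off);
    chkrc(rc, goto error);
    rc = Tss2_MU_UINT32_Marshal(banks, *keyBlob, *keyBlob_size, &off);
    chkrc(rc, goto error);
    rc = Tss2_MU_TPM2B_PUBLIC_Marshal(keyPublicHmac,
                                      *keyBlob, *keyBlob_size, &off);
    chkrc(rc, goto error);
    rc = Tss2_MU_TPM2B_PRIVATE_Marshal(keyPrivateHmac,
                                       *keyBlob, *keyBlob_size, &off);
    chkrc(rc, goto error);
    if (passlen > 0) {
        rc = Tss2_MU_TPM2B_PUBLIC_Marshal(keyPublicSeal,
                                          *keyBlob, *keyBlob_size, &off);
        chkrc(rc, goto error);
        rc = Tss2_MU_TPM2B_PRIVATE_Marshal(keyPrivateSeal,
                                           *keyBlob, *keyBlob_size, &off);
        chkrc(rc, goto error);
    }
    ret = 0;
    goto cleanup;

error:
    ret = (rc != TSS2_RC_SUCCESS) ? (int)rc : -1;
cleanup:
    /* Flush before finalizing so no transient objects are left in the TPM. */
    if (session != ESYS_TR_NONE) Esys_FlushContext(ctx, session);
    if (primary != ESYS_TR_NONE) Esys_FlushContext(ctx, primary);
    Esys_Finalize(&ctx);
    /* keySensitive held the secret and the password on the stack. */
    explicit_bzero(&keySensitive, sizeof(keySensitive));
    free(rnd);
    free(policyDigest);
    free(pcrcheck);
    free(keyPublicHmac);
    free(keyPrivateHmac);
    free(keyPublicSeal);
    free(keyPrivateSeal);
    if (ret != 0) {
        if (*secret) explicit_bzero(*secret, *secret_size);
        free(*secret);
        *secret = NULL;
        *secret_size = 0;
        free(*keyBlob);
        *keyBlob = NULL;
        *keyBlob_size = 0;
    }
    return ret;
}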
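/** Reseal a key to new PCR values.
 *
 * Unseals the secret from the password-protected recovery copy carried in
 * keyBlob, computes a PolicyPCR digest over the caller's pcrs/banks for the
 * current PCR values and creates a new HMAC key bound to that policy. The
 * returned blob has the same layout as one from tpm2totp_generateKey() and
 * keeps the (unchanged) recovery copy. The pcrs/banks stored in the old blob
 * are deliberately ignored: they are not authenticated.
 *
 * @param[in] keyBlob Original key.
 * @param[in] keyBlob_size Size of the key.
 * @param[in] password Password of the key (must be non-empty and fit a
 *                     TPM2B_AUTH buffer).
 * @param[in] pcrs PCRs the key should be sealed against (0 selects DEFAULT_PCRS).
 * @param[in] banks PCR banks the key should be sealed against (0 selects DEFAULT_BANKS).
 * @param[in] tcti_context Optional TCTI context to select TPM to use.
 * @param[out] newBlob New key (malloc'ed; NULL on failure).
 * @param[out] newBlob_size Size of the new key (0 on failure).
 * @retval 0 on success.
 * @retval -1 on undefined/general failure.
 * @retval -10 on empty password.
 * @retval -20 when no password-protected recovery copy of the secret has been stored.
 * @retval TSS2_RC response code for failures relayed from the TSS library.
 */
int
tpm2totp_reseal(const uint8_t *keyBlob, size_t keyBlob_size,
                const char *password, uint32_t pcrs, uint32_t banks,
                TSS2_TCTI_CONTEXT *tcti_context,
                uint8_t **newBlob, size_t *newBlob_size)
{
    if (keyBlob == NULL || !password || newBlob == NULL || newBlob_size == NULL) {
        return -1;
    }
    size_t passlen = strlen(password);
    if (passlen == 0) {
        dbg("Password required.");
        return -10;
    }
    *newBlob = NULL;
    *newBlob_size = 0;

    ESYS_CONTEXT *ctx = NULL;
    ESYS_TR primary = ESYS_TR_NONE, key = ESYS_TR_NONE, session = ESYS_TR_NONE;
    TSS2_RC rc = TSS2_RC_SUCCESS;
    int ret = -1;
    size_t off = 0;
    TPM2B_SENSITIVE_DATA *secret2b = NULL;
    TPM2B_AUTH auth = { .size = 0 };
    TPM2B_DIGEST *policyDigest = NULL;
    TPML_PCR_SELECTION *pcrcheck = NULL;
    TPML_PCR_SELECTION pcrsel = { .count = 0 };
    TPMT_SYM_DEF sym = {.algorithm = TPM2_ALG_AES,
                        .keyBits = {.aes = 128},
                        .mode = {.aes = TPM2_ALG_CFB}
    };
    TPM2B_PUBLIC keyInPublicHmac = TPM2B_PUBLIC_KEY_TEMPLATE_HMAC;
    TPM2B_PUBLIC keyPublicSeal = { .size = 0 };
    TPM2B_PRIVATE keyPrivateSeal = { .size = 0 };
    TPM2B_PUBLIC *keyPublicHmac = NULL;
    TPM2B_PRIVATE *keyPrivateHmac = NULL;
    TPM2B_SENSITIVE_CREATE keySensitive = TPM2B_SENSITIVE_CREATE_TEMPLATE;

    /* Bounds-check before copying into the fixed-size TPM2B_AUTH. */
    if (passlen > sizeof(auth.buffer)) {
        dbg("Password too long");
        return -1;
    }
    auth.size = (UINT16)passlen;
    memcpy(auth.buffer, password, passlen);

    if (pcrs == 0) pcrs = DEFAULT_PCRS;
    if (banks == 0) banks = DEFAULT_BANKS;
    if (banks & TPM2TOTP_BANK_SHA1)
        pcrsel.pcrSelections[pcrsel.count++].hash = TPM2_ALG_SHA1;
    if (banks & TPM2TOTP_BANK_SHA256)
        pcrsel.pcrSelections[pcrsel.count++].hash = TPM2_ALG_SHA256;
    if (banks & TPM2TOTP_BANK_SHA384)
        pcrsel.pcrSelections[pcrsel.count++].hash = TPM2_ALG_SHA384;
    /* Same PCR bitmap for every selected bank; 3 bytes cover PCRs 0..23. */
    for (size_t i = 0; i < pcrsel.count; i++) {
        pcrsel.pcrSelections[i].sizeofSelect = 3;
        pcrsel.pcrSelections[i].pcrSelect[0] = pcrs & 0xff;
        pcrsel.pcrSelections[i].pcrSelect[1] = (pcrs >> 8) & 0xff;
        pcrsel.pcrSelections[i].pcrSelect[2] = (pcrs >> 16) & 0xff;
    }

    /* Blob layout: pcrs, banks, HMAC pub/priv [, seal pub/priv]. The stored
     * pcrs/banks are skipped because they are not trustworthy (the new policy
     * uses the caller's values); the old HMAC object is skipped because it is
     * replaced below. */
    rc = Tss2_MU_UINT32_Unmarshal(keyBlob, keyBlob_size, &off, NULL);
    chkrc(rc, goto error);
    rc = Tss2_MU_UINT32_Unmarshal(keyBlob, keyBlob_size, &off, NULL);
    chkrc(rc, goto error);
    rc = Tss2_MU_TPM2B_PUBLIC_Unmarshal(keyBlob, keyBlob_size, &off, NULL);
    chkrc(rc, goto error);
    rc = Tss2_MU_TPM2B_PRIVATE_Unmarshal(keyBlob, keyBlob_size, &off, NULL);
    chkrc(rc, goto error);
    if (off == keyBlob_size) {
        dbg("No unseal blob included.");
        ret = -20;
        goto cleanup;
    }
    rc = Tss2_MU_TPM2B_PUBLIC_Unmarshal(keyBlob, keyBlob_size, &off,
                                        &keyPublicSeal);
    chkrc(rc, goto error);
    rc = Tss2_MU_TPM2B_PRIVATE_Unmarshal(keyBlob, keyBlob_size, &off,
                                         &keyPrivateSeal);
    chkrc(rc, goto error);
    if (off != keyBlob_size) {
        dbg("bad blob size");
        goto error;
    }

    rc = Esys_Initialize(&ctx, tcti_context, NULL);
    chkrc(rc, goto error);
    /* TPM2_RC_INITIALIZE only means the TPM was already started up. */
    rc = Esys_Startup(ctx, TPM2_SU_CLEAR);
    if (rc == TPM2_RC_INITIALIZE) rc = TSS2_RC_SUCCESS;
    chkrc(rc, goto error);
    rc = Esys_CreatePrimary(ctx, ESYS_TR_RH_OWNER,
                            ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
                            &primarySensitive, &primaryPublic,
                            &allOutsideInfo, &allCreationPCR,
                            &primary, NULL, NULL, NULL, NULL);
    chkrc(rc, goto error);

    /* Unseal the recovery copy with the password. */
    rc = Esys_Load(ctx, primary,
                   ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
                   &keyPrivateSeal, &keyPublicSeal,
                   &key);
    chkrc(rc, goto error);
    rc = Esys_TR_SetAuth(ctx, key, &auth);
    chkrc(rc, goto error);
    rc = Esys_Unseal(ctx, key,
                     ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
                     &secret2b);
    chkrc(rc, goto error);
    Esys_FlushContext(ctx, key);
    key = ESYS_TR_NONE;

    /* Esys_PCR_Read reports back only banks the TPM implements. */
    rc = Esys_PCR_Read(ctx,
                       ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
                       &pcrsel, NULL, &pcrcheck, NULL);
    chkrc(rc, goto error);
    if (pcrcheck->count == 0) {
        dbg("No active banks selected");
        goto error;
    }
    free(pcrcheck);
    pcrcheck = NULL;

    /* PolicyPCR digest for the current PCR values -> new authPolicy. */
    rc = Esys_StartAuthSession(ctx, ESYS_TR_NONE, ESYS_TR_NONE,
                               ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
                               NULL, TPM2_SE_POLICY, &sym, TPM2_ALG_SHA256,
                               &session);
    chkrc(rc, goto error);
    rc = Esys_PolicyPCR(ctx, session,
                        ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
                        NULL, &pcrsel);
    chkrc(rc, goto error);
    rc = Esys_PolicyGetDigest(ctx, session,
                              ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
                              &policyDigest);
    chkrc(rc, goto error);
    Esys_FlushContext(ctx, session);
    session = ESYS_TR_NONE;
    keyInPublicHmac.publicArea.authPolicy = *policyDigest;
    free(policyDigest);
    policyDigest = NULL;

    /* Re-create the HMAC key with the unsealed secret; scrub the plaintext
     * copy as soon as it has been handed to the TPM. */
    keySensitive.sensitive.data.size = secret2b->size;
    memcpy(keySensitive.sensitive.data.buffer, secret2b->buffer,
           secret2b->size);
    explicit_bzero(secret2b, sizeof(*secret2b));
    free(secret2b);
    secret2b = NULL;
    rc = Esys_Create(ctx, primary,
                     ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
                     &keySensitive, &keyInPublicHmac,
                     &allOutsideInfo, &allCreationPCR,
                     &keyPrivateHmac, &keyPublicHmac, NULL, NULL, NULL);
    chkrc(rc, goto error);
    Esys_FlushContext(ctx, primary);
    primary = ESYS_TR_NONE;

    /* Size pass (NULL buffer only advances the offset). The recovery copy is
     * always re-emitted: a non-empty password was required above. */
    *newBlob_size = 4 + 4;
    rc = Tss2_MU_TPM2B_PUBLIC_Marshal(keyPublicHmac, NULL, -1, newBlob_size);
    chkrc(rc, goto error);
    rc = Tss2_MU_TPM2B_PRIVATE_Marshal(keyPrivateHmac, NULL, -1, newBlob_size);
    chkrc(rc, goto error);
    rc = Tss2_MU_TPM2B_PUBLIC_Marshal(&keyPublicSeal, NULL, -1, newBlob_size);
    chkrc(rc, goto error);
    rc = Tss2_MU_TPM2B_PRIVATE_Marshal(&keyPrivateSeal, NULL, -1, newBlob_size);
    chkrc(rc, goto error);
    *newBlob = malloc(*newBlob_size);
    if (!*newBlob) {
        goto error;
    }

    /* Write pass. */
    off = 0;
    rc = Tss2_MU_UINT32_Marshal(pcrs, *newBlob, *newBlob_size, &off);
    chkrc(rc, goto error);
    rc = Tss2_MU_UINT32_Marshal(banks, *newBlob, *newBlob_size, &off);
    chkrc(rc, goto error);
    rc = Tss2_MU_TPM2B_PUBLIC_Marshal(keyPublicHmac,
                                      *newBlob, *newBlob_size, &off);
    chkrc(rc, goto error);
    rc = Tss2_MU_TPM2B_PRIVATE_Marshal(keyPrivateHmac,
                                       *newBlob, *newBlob_size, &off);
    chkrc(rc, goto error);
    rc = Tss2_MU_TPM2B_PUBLIC_Marshal(&keyPublicSeal,
                                      *newBlob, *newBlob_size, &off);
    chkrc(rc, goto error);
    rc = Tss2_MU_TPM2B_PRIVATE_Marshal(&keyPrivateSeal,
                                       *newBlob, *newBlob_size, &off);
    chkrc(rc, goto error);
    ret = 0;
    goto cleanup;

error:
    ret = (rc != TSS2_RC_SUCCESS) ? (int)rc : -1;
cleanup:
    /* Flush before finalizing so no transient objects are left in the TPM. */
    if (key != ESYS_TR_NONE) Esys_FlushContext(ctx, key);
    if (session != ESYS_TR_NONE) Esys_FlushContext(ctx, session);
    if (primary != ESYS_TR_NONE) Esys_FlushContext(ctx, primary);
    Esys_Finalize(&ctx);
    /* Password and secret material lived in these buffers. */
    explicit_bzero(&auth, sizeof(auth));
    explicit_bzero(&keySensitive, sizeof(keySensitive));
    if (secret2b) {
        explicit_bzero(secret2b, sizeof(*secret2b));
        free(secret2b);
    }
    free(policyDigest);
    free(pcrcheck);
    free(keyPublicHmac);
    free(keyPrivateHmac);
    if (ret != 0) {
        free(*newBlob);
        *newBlob = NULL;
        *newBlob_size = 0;
    }
    return ret;
}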
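/** Store a key in a NV index.
 *
 * Defines a new NV index of exactly keyBlob_size bytes under the owner
 * hierarchy (empty owner auth) and writes the blob into it in one NV_Write.
 * The index gets an empty authValue with AUTHREAD|OWNERREAD and
 * AUTHWRITE|OWNERWRITE, so anyone with access to the TPM can read it and,
 * unless a per-boot write lock is applied (WRITE_STCLEAR is set but this
 * library never issues NV_WriteLock), rewrite it. The blob's private parts
 * are TPM-wrapped, so reading it does not expose the secret, but the blob is
 * not integrity-protected: a swapped blob is only detected by the user's
 * comparison of the resulting TOTP.
 * If the write fails, the freshly defined index is undefined again
 * (best effort) so no empty index is left behind.
 *
 * @param[in] keyBlob Key to store to NVRAM.
 * @param[in] keyBlob_size Size of the key; must fit a TPM2B_MAX_NV_BUFFER
 *                         (the TPM's own NV buffer limit may be smaller and
 *                         is reported by the TPM as an error).
 * @param[in] nv NV index to store the key (0 selects DEFAULT_NV).
 * @param[in] tcti_context Optional TCTI context to select TPM to use.
 * @retval 0 on success.
 * @retval -1 on undefined/general failure.
 * @retval TSS2_RC response code for failures relayed from the TSS library.
 */
int
tpm2totp_storeKey_nv(const uint8_t *keyBlob, size_t keyBlob_size, uint32_t nv,
                     TSS2_TCTI_CONTEXT *tcti_context)
{
    if (!keyBlob)
        return -1;
    TSS2_RC rc;
    ESYS_CONTEXT *ctx = NULL;
    ESYS_TR nvHandle = ESYS_TR_NONE;
    TPM2B_MAX_NV_BUFFER blob = { .size = 0 };
    /* Check the full size_t before it is narrowed to the UINT16 .size and
     * .dataSize fields; narrowing first would let an oversized blob pass as
     * a silently truncated one. */
    if (keyBlob_size > sizeof(blob.buffer)) {
        dbg("keyBlob too large");
        return -1;
    }
    if (!nv) nv = DEFAULT_NV; /* Some random handle from owner space */
    TPM2B_NV_PUBLIC publicInfo = { .size = 0,
        .nvPublic = {
            .nvIndex = nv,
            /* SHA-1 here only feeds the index Name; it protects no data. */
            .nameAlg = TPM2_ALG_SHA1,
            .attributes = (TPMA_NV_OWNERWRITE |
                           TPMA_NV_AUTHWRITE |
                           TPMA_NV_WRITE_STCLEAR |
                           TPMA_NV_READ_STCLEAR |
                           TPMA_NV_AUTHREAD |
                           TPMA_NV_OWNERREAD ),
            .authPolicy = { .size = 0, .buffer = {}, },
            .dataSize = (UINT16)keyBlob_size,
        } };
    blob.size = (UINT16)keyBlob_size;
    memcpy(blob.buffer, keyBlob, keyBlob_size);

    rc = Esys_Initialize(&ctx, tcti_context, NULL);
    chkrc(rc, return (int)rc);
    /* TPM2_RC_INITIALIZE only means the TPM was already started up. */
    rc = Esys_Startup(ctx, TPM2_SU_CLEAR);
    if (rc == TPM2_RC_INITIALIZE) rc = TSS2_RC_SUCCESS;
    chkrc(rc, goto error);
    rc = Esys_NV_DefineSpace(ctx, ESYS_TR_RH_OWNER,
                             ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
                             &emptyAuth, &publicInfo, &nvHandle);
    chkrc(rc, goto error);
    rc = Esys_NV_Write(ctx, nvHandle, nvHandle,
                       ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
                       &blob, 0/*=offset*/);
    if (rc != TSS2_RC_SUCCESS) {
        /* Best effort: do not leave a defined-but-unwritten index behind;
         * the original write error is what gets reported. */
        Esys_NV_UndefineSpace(ctx, ESYS_TR_RH_OWNER, nvHandle,
                              ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE);
        goto error;
    }
    Esys_TR_Close(ctx, &nvHandle);
    Esys_Finalize(&ctx);
    return 0;
error:
    Esys_Finalize(&ctx);
    return (rc)? (int)rc : -1;
}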
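/** Load a key from a NV index.
 *
 * Reads the whole index (dataSize as reported by NV_ReadPublic) in a single
 * NV_Read using the index's own (empty) authValue, matching how
 * tpm2totp_storeKey_nv() defines it. An index that was never written, or a
 * dataSize above the TPM's NV buffer limit, is reported by the TPM itself.
 *
 * @param[in] nv NV index of the key (0 selects DEFAULT_NV).
 * @param[in] tcti_context Optional TCTI context to select TPM to use.
 * @param[out] keyBlob Loaded key (malloc'ed; NULL on failure).
 * @param[out] keyBlob_size Size of the key (0 on failure).
 * @retval 0 on success.
 * @retval -1 on undefined/general failure (including an empty index).
 * @retval TSS2_RC response code for failures relayed from the TSS library.
 */
int
tpm2totp_loadKey_nv(uint32_t nv, TSS2_TCTI_CONTEXT *tcti_context,
                    uint8_t **keyBlob, size_t *keyBlob_size)
{
    if (keyBlob == NULL || keyBlob_size == NULL) {
        return -1;
    }
    *keyBlob = NULL;
    *keyBlob_size = 0;
    TSS2_RC rc;
    int ret = -1;
    ESYS_CONTEXT *ctx = NULL;
    ESYS_TR nvHandle = ESYS_TR_NONE;
    TPM2B_MAX_NV_BUFFER *blob = NULL;
    TPM2B_NV_PUBLIC *publicInfo = NULL;
    if (!nv) nv = DEFAULT_NV; /* Some random handle from owner space */
    rc = Esys_Initialize(&ctx, tcti_context, NULL);
    chkrc(rc, return (int)rc);
    /* TPM2_RC_INITIALIZE only means the TPM was already started up. */
    rc = Esys_Startup(ctx, TPM2_SU_CLEAR);
    if (rc == TPM2_RC_INITIALIZE) rc = TSS2_RC_SUCCESS;
    chkrc(rc, goto error);
    rc = Esys_TR_FromTPMPublic(ctx, nv,
                               ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
                               &nvHandle);
    chkrc(rc, goto error);
    rc = Esys_NV_ReadPublic(ctx, nvHandle,
                            ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
                            &publicInfo, NULL);
    chkrc(rc, goto error);
    rc = Esys_NV_Read(ctx, nvHandle, nvHandle,
                      ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
                      publicInfo->nvPublic.dataSize, 0/*=offset*/, &blob);
    chkrc(rc, goto error);
    /* An empty index can never unmarshal into a blob; fail early rather
     * than hand back a zero-length allocation. */
    if (blob->size == 0) {
        dbg("NV index is empty");
        goto error;
    }
    *keyBlob = malloc(blob->size);
    if (!*keyBlob) {
        goto error;
    }
    memcpy(*keyBlob, blob->buffer, blob->size);
    *keyBlob_size = blob->size;
    ret = 0;
    goto cleanup;

error:
    ret = (rc != TSS2_RC_SUCCESS) ? (int)rc : -1;
cleanup:
    if (nvHandle != ESYS_TR_NONE) Esys_TR_Close(ctx, &nvHandle);
    Esys_Finalize(&ctx);
    free(publicInfo);
    free(blob);
    return ret;
}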
/** Delete a key from a NV index.
 *
 * Resolves the index to an ESYS handle and undefines it under the owner
 * hierarchy (empty owner auth, ESYS_TR_PASSWORD). On success the ESAPI
 * resource for the index is released by Esys_NV_UndefineSpace itself; on
 * failure it is closed explicitly before the context is torn down.
 *
 * @param[in] nv NV index to delete (0 selects DEFAULT_NV).
 * @param[in] tcti_context Optional TCTI context to select TPM to use.
 * @retval 0 on success.
 * @retval -1 on undefined/general failure.
 * @retval TSS2_RC response code for failures relayed from the TSS library.
 */
int
tpm2totp_deleteKey_nv(uint32_t nv, TSS2_TCTI_CONTEXT *tcti_context)
{
    ESYS_CONTEXT *esys = NULL;
    ESYS_TR index = ESYS_TR_NONE;
    TSS2_RC rc;
    uint32_t nvIndex = nv ? nv : DEFAULT_NV; /* Some random handle from owner space */

    rc = Esys_Initialize(&esys, tcti_context, NULL);
    if (rc != TSS2_RC_SUCCESS)
        return rc;
    /* TPM2_RC_INITIALIZE only means the TPM was already started up. */
    rc = Esys_Startup(esys, TPM2_SU_CLEAR);
    if (rc != TSS2_RC_SUCCESS && rc != TPM2_RC_INITIALIZE)
        goto done;
    rc = Esys_TR_FromTPMPublic(esys, nvIndex,
                               ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
                               &index);
    if (rc != TSS2_RC_SUCCESS)
        goto done;
    rc = Esys_NV_UndefineSpace(esys, ESYS_TR_RH_OWNER, index,
                               ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE);
    if (rc != TSS2_RC_SUCCESS)
        Esys_TR_Close(esys, &index);

done:
    Esys_Finalize(&esys);
    return (rc == TSS2_RC_SUCCESS) ? 0 : (int)rc;
}
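/** Calculate a time-based one-time password for a key.
 *
 * The blob is unmarshalled (PCR mask, bank mask, public and private part of
 * the HMAC key; an optional trailing public/private pair for the
 * password-protected recovery copy is skipped). The key is loaded under a
 * freshly created primary and the TPM computes an HMAC-SHA1 over the
 * RFC 6238 time counter, gated by a PCR policy session over the selected
 * banks and PCRs. The result is truncated to six digits as in RFC 4226.
 *
 * @param[in] keyBlob Key to generate the TOTP.
 * @param[in] keyBlob_size Size of the key.
 * @param[in] tcti_context Optional TCTI context to select TPM to use.
 * @param[out] nowp Current time; may be NULL, only written on success.
 * @param[out] otp Calculated TOTP, always < 1000000.
 * @retval 0 on success.
 * @retval -1 on undefined/general failure.
 * @retval TSS2_RC response code for failures relayed from the TSS library.
 */
int
tpm2totp_calculate(const uint8_t *keyBlob, size_t keyBlob_size,
                   TSS2_TCTI_CONTEXT *tcti_context,
                   time_t *nowp, uint64_t *otp)
{
    if (keyBlob == NULL || otp == NULL) {
        return -1;
    }

    ESYS_CONTEXT *ctx = NULL;
    ESYS_TR primary, key, session;
    TSS2_RC rc;
    TPM2B_PUBLIC keyPublic = { .size = 0 };
    TPM2B_PRIVATE keyPrivate = { .size = 0 };
    size_t off = 0;
    TPM2B_DIGEST *output;
    uint32_t pcrs;
    uint32_t banks;
    time_t now;
    uint64_t tmp;
    int offset;
    TPM2B_MAX_BUFFER input;
    TPML_PCR_SELECTION pcrsel = { .count = 0 };
    /* Symmetric parameters of the policy session. */
    TPMT_SYM_DEF sym = { .algorithm = TPM2_ALG_AES,
                         .keyBits = { .aes = 128 },
                         .mode = { .aes = TPM2_ALG_CFB } };

    /* Blob layout: pcrs | banks | keyPublic | keyPrivate [| recoveryPublic | recoveryPrivate] */
    rc = Tss2_MU_UINT32_Unmarshal(keyBlob, keyBlob_size, &off, &pcrs);
    chkrc(rc, goto error);
    rc = Tss2_MU_UINT32_Unmarshal(keyBlob, keyBlob_size, &off, &banks);
    chkrc(rc, goto error);
    rc = Tss2_MU_TPM2B_PUBLIC_Unmarshal(keyBlob, keyBlob_size, &off, &keyPublic);
    chkrc(rc, goto error);
    rc = Tss2_MU_TPM2B_PRIVATE_Unmarshal(keyBlob, keyBlob_size, &off,
                                         &keyPrivate);
    chkrc(rc, goto error);

    /* The recovery copy, if present, is not needed here: parse past it. */
    if (off != keyBlob_size) {
        rc = Tss2_MU_TPM2B_PUBLIC_Unmarshal(keyBlob, keyBlob_size, &off, NULL);
        chkrc(rc, goto error);
        rc = Tss2_MU_TPM2B_PRIVATE_Unmarshal(keyBlob, keyBlob_size, &off, NULL);
        chkrc(rc, goto error);
    }
    if (off != keyBlob_size) {
        dbg("bad blob size");
        return -1;
    }

    /* One selection entry per requested bank, all with the same PCR mask. */
    if (banks & TPM2TOTP_BANK_SHA1) {
        pcrsel.pcrSelections[pcrsel.count].hash = TPM2_ALG_SHA1;
        pcrsel.count++;
    }
    if (banks & TPM2TOTP_BANK_SHA256) {
        pcrsel.pcrSelections[pcrsel.count].hash = TPM2_ALG_SHA256;
        pcrsel.count++;
    }
    if (banks & TPM2TOTP_BANK_SHA384) {
        pcrsel.pcrSelections[pcrsel.count].hash = TPM2_ALG_SHA384;
        pcrsel.count++;
    }
    for (size_t i = 0; i < pcrsel.count; i++) {
        /* Three select bytes cover PCR 0..23; higher bits of pcrs are not used. */
        pcrsel.pcrSelections[i].sizeofSelect = 3;
        pcrsel.pcrSelections[i].pcrSelect[0] = pcrs & 0xff;
        pcrsel.pcrSelections[i].pcrSelect[1] = (pcrs >> 8) & 0xff;
        pcrsel.pcrSelections[i].pcrSelect[2] = (pcrs >> 16) & 0xff;
    }

    rc = Esys_Initialize(&ctx, tcti_context, NULL);
    chkrc(rc, goto error);
    /* A TPM that is already started answers TPM2_RC_INITIALIZE; that is fine. */
    rc = Esys_Startup(ctx, TPM2_SU_CLEAR);
    if (rc != TPM2_RC_INITIALIZE) chkrc(rc, goto error);

    rc = Esys_CreatePrimary(ctx, ESYS_TR_RH_OWNER,
                            ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
                            &primarySensitive, &primaryPublic,
                            &allOutsideInfo, &allCreationPCR,
                            &primary, NULL, NULL, NULL, NULL);
    chkrc(rc, goto error);
    rc = Esys_Load(ctx, primary,
                   ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
                   &keyPrivate, &keyPublic,
                   &key);
    /* The primary is only needed to load the key. */
    Esys_FlushContext(ctx, primary);
    chkrc(rc, goto error);

    /* From here on `key` is loaded in the TPM. Every failure path below flushes
     * it again: loaded objects occupy the TPM's limited transient handle slots,
     * and a policy failure (changed PCRs) is the common error case. */
    rc = Esys_StartAuthSession(ctx, ESYS_TR_NONE, ESYS_TR_NONE,
                               ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
                               NULL, TPM2_SE_POLICY, &sym, TPM2_ALG_SHA256,
                               &session);
    chkrc(rc, Esys_FlushContext(ctx, key); goto error);
    rc = Esys_PolicyPCR(ctx, session,
                        ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
                        NULL, &pcrsel);
    chkrc(rc, Esys_FlushContext(ctx, session); Esys_FlushContext(ctx, key); goto error);

    /* Construct the RFC 6238 input: the big-endian time step counter. */
    now = time(NULL);
    tmp = now / TIMESTEPSIZE;
    tmp = htobe64(tmp);
    input.size = sizeof(tmp);
    memcpy(&input.buffer[0], &tmp, input.size);

    rc = Esys_HMAC(ctx, key,
                   session, ESYS_TR_NONE, ESYS_TR_NONE,
                   &input, TPM2_ALG_SHA1, &output);
    Esys_FlushContext(ctx, session);
    Esys_FlushContext(ctx, key);
    chkrc(rc, goto error);

    /* The truncation below reads buffer[offset..offset+3] with offset <= 15,
     * which is only in bounds for a 20-byte SHA-1 digest. rc is 0 here, so
     * the caller gets -1. */
    if (output->size != 20) {
        dbg("unexpected HMAC size");
        free(output);
        goto error;
    }
    Esys_Finalize(&ctx);

    /* Perform the RFC 6238 -> RFC 4226 HOTP truncation. */
    offset = output->buffer[output->size - 1] & 0x0f;
    *otp = ((uint32_t)output->buffer[offset] & 0x7f) << 24
         | ((uint32_t)output->buffer[offset + 1] & 0xff) << 16
         | ((uint32_t)output->buffer[offset + 2] & 0xff) << 8
         | ((uint32_t)output->buffer[offset + 3] & 0xff);
    *otp %= 1000000;
    free(output);
    if (nowp) *nowp = now;
    return 0;

error:
    Esys_Finalize(&ctx);
    return (rc) ? (int)rc : -1;
}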
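/** Recover a secret from a key.
 *
 * Skips the PCR/bank masks and the HMAC key pair in the blob, loads the
 * password-protected recovery object that may follow them and unseals it
 * with the given password as auth value.
 *
 * @param[in] keyBlob Key to recover the secret from.
 * @param[in] keyBlob_size Size of the key.
 * @param[in] password Password of the key; at most sizeof(TPM2B_AUTH.buffer) bytes.
 * @param[in] tcti_context Optional TCTI context to select TPM to use.
 * @param[out] secret Recovered secret, malloc()ed, to be free()d by the caller.
 * @param[out] secret_size Size of the secret.
 * @retval 0 on success.
 * @retval -1 on undefined/general failure (including an over-long password).
 * @retval -10 on empty password.
 * @retval -20 when no password-protected recovery copy of the secret has been stored.
 * @retval TSS2_RC response code for failures relayed from the TSS library.
 */
int
tpm2totp_getSecret(const uint8_t *keyBlob, size_t keyBlob_size,
                   const char *password, TSS2_TCTI_CONTEXT *tcti_context,
                   uint8_t **secret, size_t *secret_size)
{
    if (keyBlob == NULL || !password || secret == NULL || secret_size == NULL) {
        return -1;
    }
    size_t password_len = strlen(password);
    if (password_len == 0) {
        dbg("Password required.");
        return -10;
    }

    ESYS_CONTEXT *ctx = NULL;
    ESYS_TR primary, key;
    TSS2_RC rc;
    TPM2B_PUBLIC keyPublic = { .size = 0 };
    TPM2B_PRIVATE keyPrivate = { .size = 0 };
    size_t off = 4 + 4; /* Skipping over pcrs and banks */
    TPM2B_SENSITIVE_DATA *secret2b = NULL;
    TPM2B_AUTH auth;

    /* The auth value lives in a fixed-size TPM2B on the stack; a longer
     * password would overrun auth.buffer (and be truncated by the 16-bit size). */
    if (password_len > sizeof(auth.buffer)) {
        dbg("Password too long.");
        return -1;
    }
    auth.size = (uint16_t)password_len;
    memcpy(&auth.buffer[0], password, auth.size);

    /* Parse past the HMAC key pair without keeping it. */
    rc = Tss2_MU_TPM2B_PUBLIC_Unmarshal(keyBlob, keyBlob_size, &off, NULL);
    chkrc(rc, goto error);
    rc = Tss2_MU_TPM2B_PRIVATE_Unmarshal(keyBlob, keyBlob_size, &off, NULL);
    chkrc(rc, goto error);
    if (off == keyBlob_size) {
        dbg("No unseal blob included.");
        return -20;
    }
    rc = Tss2_MU_TPM2B_PUBLIC_Unmarshal(keyBlob, keyBlob_size, &off, &keyPublic);
    chkrc(rc, goto error);
    rc = Tss2_MU_TPM2B_PRIVATE_Unmarshal(keyBlob, keyBlob_size, &off,
                                         &keyPrivate);
    chkrc(rc, goto error);
    if (off != keyBlob_size) {
        dbg("bad blob size");
        return -1;
    }

    rc = Esys_Initialize(&ctx, tcti_context, NULL);
    chkrc(rc, goto error);
    /* A TPM that is already started answers TPM2_RC_INITIALIZE; that is fine. */
    rc = Esys_Startup(ctx, TPM2_SU_CLEAR);
    if (rc != TPM2_RC_INITIALIZE) chkrc(rc, goto error);

    rc = Esys_CreatePrimary(ctx, ESYS_TR_RH_OWNER,
                            ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
                            &primarySensitive, &primaryPublic,
                            &allOutsideInfo, &allCreationPCR,
                            &primary, NULL, NULL, NULL, NULL);
    chkrc(rc, goto error);
    rc = Esys_Load(ctx, primary,
                   ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
                   &keyPrivate, &keyPublic,
                   &key);
    /* The primary is only needed to load the sealed object. */
    Esys_FlushContext(ctx, primary);
    chkrc(rc, goto error);

    /* The password is the sealed object's auth value; Unseal uses it through
     * the password session. Flush the loaded object on every failure path. */
    rc = Esys_TR_SetAuth(ctx, key, &auth);
    chkrc(rc, Esys_FlushContext(ctx, key); goto error);
    rc = Esys_Unseal(ctx, key,
                     ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
                     &secret2b);
    Esys_FlushContext(ctx, key);
    chkrc(rc, goto error);
    Esys_Finalize(&ctx);

    *secret = malloc(secret2b->size);
    if (*secret == NULL) {
        free(secret2b);
        goto error;
    }
    *secret_size = secret2b->size;
    memcpy(*secret, &secret2b->buffer[0], *secret_size);
    /* secret2b was allocated by Esys_Unseal and holds the plaintext secret;
     * release it as soon as it has been copied out. */
    free(secret2b);
    return 0;

error:
    Esys_Finalize(&ctx);
    return (rc) ? (int)rc : -1;
}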
/** @} */
0707010000003A000081A40000000000000000000000016602CAFD00001ACB000000000000000000000000000000000000003400000000tpm2-totp-20240326.33e1986/src/plymouth-tpm2-totp.c/* SPDX-License-Identifier: BSD-3-Clause */
/*******************************************************************************
* Copyright 2019, Jonas Witschel
* All rights reserved.
*******************************************************************************/
#include <tpm2-totp.h>
#include <stdio.h>
#include <stdlib.h>
#include <inttypes.h>
#include <getopt.h>
#include <ply-boot-client.h>
#include <tss2/tss2_tctildr.h>
#define VERB(...) if (opt.verbose) fprintf(stderr, __VA_ARGS__)
#define ERR(...) fprintf(stderr, __VA_ARGS__)
#define chkrc(rc, cmd) if (rc != TSS2_RC_SUCCESS) {\
ERR("ERROR in %s (%s:%i): 0x%08x\n", __func__, __FILE__, __LINE__, rc); cmd; }
#define TPM2TOTP_ENV_TCTI "TPM2TOTP_TCTI"
/** Everything main() shares with the plymouth callbacks. */
typedef struct {
    ply_boot_client_t *boot_client;  /* connection to plymouthd */
    ply_event_loop_t *event_loop;    /* loop that drives display_totp() */
    TSS2_TCTI_CONTEXT *tcti_context; /* TPM transport chosen via -T or TPM2TOTP_TCTI */
    uint8_t *key_blob;               /* key blob loaded from the NV index */
    size_t key_blob_size;
} state_t;

/* Usage text, printed by -h and after an argument error. */
char *help =
"Usage: [options]\n"
"Options:\n"
" -h, --help print help\n"
" -N, --nvindex TPM NV index to store data (default: 0x018094AF)\n"
" -t, --time Show the time used for calculation\n"
" -T, --tcti TCTI to use\n"
" -v, --verbose print verbose messages\n"
"\n";

/* Short options; ':' marks the ones taking an argument. */
static const char *optstr = "hN:tT:v";

static const struct option long_options[] = {
    { .name = "help",    .has_arg = no_argument,       .flag = 0, .val = 'h' },
    { .name = "nvindex", .has_arg = required_argument, .flag = 0, .val = 'N' },
    { .name = "time",    .has_arg = no_argument,       .flag = 0, .val = 't' },
    { .name = "tcti",    .has_arg = required_argument, .flag = 0, .val = 'T' },
    { .name = "verbose", .has_arg = no_argument,       .flag = 0, .val = 'v' },
    { .name = 0,         .has_arg = 0,                 .flag = 0, .val = 0   }
};

/* Parsed command line, filled in by parse_opts(). */
static struct opt {
    int nvindex;  /* -N; 0 lets the library pick its default index */
    int time;     /* -t; prefix the TOTP with the time it was computed for */
    char *tcti;   /* -T; NULL falls back to the TPM2TOTP_TCTI environment variable */
    int verbose;  /* -v */
} opt;
/** Parse and set command line options.
 *
 * This function parses the command line options and sets the appropriate values
 * in the opt struct. -h prints the usage text and exits the process.
 * @param argc The argument count.
 * @param argv The arguments.
 * @retval 0 on success
 * @retval -1 on failure (message already printed to stderr)
 */
int
parse_opts(int argc, char **argv)
{
    /* set the default values */
    opt = (struct opt) { .nvindex = 0, .time = 0, .tcti = NULL, .verbose = 0 };

    /* parse the options */
    int opt_idx = 0;
    for (;;) {
        int c = getopt_long(argc, argv, optstr, long_options, &opt_idx);
        if (c == -1) {
            break;
        }
        switch (c) {
        case 'h':
            printf("%s", help);
            exit(0);
        case 'N':
            /* accept an explicit "0x" hex prefix as well as anything %i understands */
            if (sscanf(optarg, "0x%x", &opt.nvindex) != 1
                && sscanf(optarg, "%i", &opt.nvindex) != 1) {
                ERR("Error parsing nvindex.\n");
                return -1;
            }
            break;
        case 't':
            opt.time = 1;
            break;
        case 'T':
            opt.tcti = optarg;
            break;
        case 'v':
            opt.verbose = 1;
            break;
        default:
            ERR("Unknown option at index %i.\n\n", opt_idx);
            ERR("%s", help);
            return -1;
        }
    }

    /* this program takes no positional arguments */
    if (optind < argc) {
        ERR("Unknown argument provided.\n\n");
        ERR("%s", help);
        return -1;
    }
    return 0;
}
/** Exit the plymouth event loop after plymouth quits.
 *
 * Registered as disconnect handler in main(); it stops the event loop with
 * status 0 so that the program ends once plymouthd has gone away after boot.
 * @param event_loop The plymouth event loop (passed as void * by plymouth).
 * @param boot_client The plymouth boot client, unused.
 */
void
on_disconnect(void *event_loop, ply_boot_client_t *boot_client __attribute__((unused)))
{
    ply_event_loop_t *loop = event_loop;
    ply_event_loop_exit(loop, 0);
}
/** Display the TOTP.
 *
 * This function calculates and displays the TOTP using plymouth. If the
 * calculation is successful, the function is rescheduled in the plymouth event
 * loop to run after the next full 30 seconds, otherwise the event loop is
 * stopped with a non-zero return code.
 * @param state a struct containing the boot client, TCTI context and key.
 * @param event_loop The plymouth event loop.
 */
void
display_totp(state_t *state, ply_event_loop_t *event_loop)
{
    uint64_t totp;
    time_t now;
    char timestr[30] = "";
    char totpstr[40] = "";

    int rc = tpm2totp_calculate(state->key_blob, state->key_blob_size,
                                state->tcti_context, &now, &totp);
    if (rc != TSS2_RC_SUCCESS) {
        /* Typically a PCR policy failure: tell the user on the splash and stop. */
        ERR("Couldn't calculate TOTP.\n");
        ply_boot_client_tell_daemon_to_display_message(state->boot_client,
                                                       "TPM failure", NULL, NULL, NULL);
        ply_event_loop_exit(event_loop, 1);
        return;
    }

    if (opt.time) {
        struct tm now_local;
        localtime_r(&now, &now_local);
        /* an empty prefix is better than garbage if formatting fails */
        if (strftime(timestr, sizeof(timestr) - 1, "%F %T: ", &now_local) == 0) {
            timestr[0] = '\0';
        }
    }
    snprintf(totpstr, sizeof(totpstr) - 1, "%s%06" PRIu64, timestr, totp);
    ply_boot_client_tell_daemon_to_display_message(state->boot_client, totpstr,
                                                   NULL, NULL, NULL);
    /* Re-arm at the next 30 s boundary so the shown code follows the time step. */
    ply_event_loop_watch_for_timeout(event_loop, 30 - (now % 30),
                                     (ply_event_loop_timeout_handler_t) display_totp,
                                     state);
}
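/** Release everything main() acquired in state.
 *
 * Called on both exit paths of main(), exactly as the inline cleanup was
 * before; members that were never set are passed on as NULL/zero.
 * @param state The program state to tear down.
 */
static void
release_state(state_t *state)
{
    free(state->key_blob);
    ply_boot_client_free(state->boot_client);
    ply_event_loop_free(state->event_loop);
    Tss2_TctiLdr_Finalize(&state->tcti_context);
}

/** Main function
 *
 * This function connects to plymouth, loads the key from the TPM and calls
 * the function to display the TOTP.
 * @param argc The argument count.
 * @param argv The arguments.
 * @retval 0 on success
 * @retval 1 on failure
 */
int
main(int argc, char **argv)
{
    state_t state = { 0, };
    int rc;

    if (parse_opts(argc, argv) != 0) {
        return 1;
    }

    state.event_loop = ply_event_loop_new();
    state.boot_client = ply_boot_client_new();
    /* on_disconnect stops the loop once plymouthd goes away after boot. */
    if (!ply_boot_client_connect(state.boot_client, on_disconnect, state.event_loop)) {
        ERR("plymouth daemon not running.\n");
        goto err;
    }
    ply_boot_client_attach_to_event_loop(state.boot_client, state.event_loop);

    /* -T wins over the environment; both unset means the TSS default TCTI. */
    if (!opt.tcti) {
        opt.tcti = getenv(TPM2TOTP_ENV_TCTI);
    }
    rc = Tss2_TctiLdr_Initialize(opt.tcti, &state.tcti_context);
    chkrc(rc, goto err);

    rc = tpm2totp_loadKey_nv(opt.nvindex, state.tcti_context, &state.key_blob, &state.key_blob_size);
    chkrc(rc, goto err);

    /* display_totp re-schedules itself; the loop ends via on_disconnect or on failure. */
    display_totp(&state, state.event_loop);
    rc = ply_event_loop_run(state.event_loop);
    release_state(&state);
    return rc;

err:
    /* The event loop needs to be run once so that it can be freed cleanly */
    ply_event_loop_exit(state.event_loop, 1);
    ply_event_loop_run(state.event_loop);
    release_state(&state);
    return 1;
}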
0707010000003B000081A40000000000000000000000016602CAFD00003A86000000000000000000000000000000000000002B00000000tpm2-totp-20240326.33e1986/src/tpm2-totp.c/* SPDX-License-Identifier: BSD-3-Clause */
/*******************************************************************************
* Copyright 2018, Fraunhofer SIT
* Copyright 2018, Jonas Witschel
* All rights reserved.
*******************************************************************************/
#include <tpm2-totp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <inttypes.h>
#include <getopt.h>
#include <qrencode.h>
#include <tss2/tss2_tctildr.h>
#include <tss2/tss2_rc.h>
#define VERB(...) if (opt.verbose) fprintf(stderr, __VA_ARGS__)
#define ERR(...) fprintf(stderr, __VA_ARGS__)
#define chkrc(rc, cmd) if (rc != TSS2_RC_SUCCESS) {\
const char* error_text = decode_totp_rc(rc); \
if (error_text) {\
ERR("%s\n", error_text);\
} else {\
ERR("ERROR in %s (%s:%i): 0x%x - %s\n", __func__, __FILE__, __LINE__, rc, Tss2_RC_Decode(rc));\
}\
cmd; }
#define TPM2TOTP_ENV_TCTI "TPM2TOTP_TCTI"
/* Usage text, printed by -h and after an argument error. */
char *help =
"Usage: [options] {init|show|reseal|recover|clean}\n"
"Options:\n"
" -h, --help print help\n"
" -b, --banks Selected PCR banks (default: SHA1,SHA256)\n"
" -l, --label Label to use for display in the TOTP authenticator app (default: TPM2-TOTP)\n"
" -N, --nvindex TPM NV index to store data (default: 0x018094AF)\n"
" -P, --password Password for recovery/resealing (default: None). Read from stdin if '-' (recommended).\n"
" -p, --pcrs Selected PCR registers (default: 0,2,4,6)\n"
" -t, --time Show the time used for calculation\n"
" -T, --tcti TCTI to use\n"
" -v, --verbose print verbose messages\n"
"\n";

/* Short options; ':' marks the ones taking an argument. */
static const char *optstr = "hb:N:P:p:tT:l:v";

static const struct option long_options[] = {
    { .name = "help",     .has_arg = no_argument,       .flag = 0, .val = 'h' },
    { .name = "banks",    .has_arg = required_argument, .flag = 0, .val = 'b' },
    { .name = "nvindex",  .has_arg = required_argument, .flag = 0, .val = 'N' },
    { .name = "password", .has_arg = required_argument, .flag = 0, .val = 'P' },
    { .name = "pcrs",     .has_arg = required_argument, .flag = 0, .val = 'p' },
    { .name = "time",     .has_arg = no_argument,       .flag = 0, .val = 't' },
    { .name = "tcti",     .has_arg = required_argument, .flag = 0, .val = 'T' },
    { .name = "label",    .has_arg = required_argument, .flag = 0, .val = 'l' },
    { .name = "verbose",  .has_arg = no_argument,       .flag = 0, .val = 'v' },
    { .name = 0,          .has_arg = 0,                 .flag = 0, .val = 0   }
};

/* Parsed command line, filled in by parse_opts(). */
static struct opt {
    enum { CMD_NONE, CMD_INIT, CMD_SHOW, CMD_RESEAL, CMD_RECOVER, CMD_CLEAN } cmd;
    int banks;       /* -b; OR of TPM2TOTP_BANK_* flags, 0 = library default */
    int nvindex;     /* -N; 0 = library default index */
    char *password;  /* -P; "" when none was given */
    int pcrs;        /* -p; bit mask of selected PCRs, 0 = library default */
    int time;        /* -t; print the time the TOTP was calculated for */
    char *tcti;      /* -T; NULL falls back to the TPM2TOTP_TCTI environment variable */
    char *label;     /* -l; account label in the otpauth:// URL */
    int verbose;     /* -v */
} opt;
/** Map a libtpm2-totp / TPM return code to a user-facing explanation.
 *
 * @param rc Return code as produced by the library calls in main().
 * @return A static message for the codes this tool knows how to explain,
 *         NULL for everything else (chkrc then falls back to Tss2_RC_Decode).
 */
const char*
decode_totp_rc(int rc)
{
    static const struct {
        int code;
        const char *text;
    } known[] = {
        { -10,
          "No recovery password for the TOTP secret was given." },
        { -20,
          "The TOTP secret has not been stored with a recovery password and thus cannot be retrieved." },
        { TPM2_RC_NV_DEFINED,
          "A TOTP secret is already stored, use 'show' to calculate and show the TOTP or 'clean' to delete it." },
        { (TPM2_RC_HANDLE | TPM2_RC_1),
          "No TOTP secret is currently stored, use 'init' to generate and store one." },
        { (TPM2_RC_POLICY_FAIL | TPM2_RC_9),
          "The system state has changed, no TOTP could be calculated." },
        { (TPM2_RC_AUTH_FAIL | TPM2_RC_9),
          "Wrong recovery password for the TOTP secret." },
        { TPM2_RC_LOCKOUT,
          "The password has been entered wrongly too many times and the TPM is in lockout mode." },
    };

    for (size_t i = 0; i < sizeof(known) / sizeof(known[0]); i++) {
        if (known[i].code == rc) {
            return known[i].text;
        }
    }
    return NULL;
}
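/** Parse a comma-separated list of PCR bank names into a TPM2TOTP_BANK_* mask.
 *
 * The string is tokenised in place with strtok_r and must be writable.
 * @param[in,out] str   List such as "SHA1,SHA256"; modified by tokenising.
 * @param[out]    banks Receives the OR of the selected bank flags; may be
 *                      partially filled when -1 is returned.
 * @retval 0 on success.
 * @retval -1 on a NULL or empty string or an unknown bank name.
 */
int
parse_banks(char *str, int *banks)
{
    static const struct {
        const char *name;
        int flag;
    } known[] = {
        { "SHA1",   TPM2TOTP_BANK_SHA1 },
        { "SHA256", TPM2TOTP_BANK_SHA256 },
        { "SHA384", TPM2TOTP_BANK_SHA384 },
    };
    const size_t n_known = sizeof(known) / sizeof(known[0]);
    char *token;
    char *saveptr;

    *banks = 0;
    /* strtok_r(NULL, ...) with an uninitialised saveptr is undefined
     * behaviour; reject a missing string up front, as parse_pcrs does. */
    if (!str) {
        return -1;
    }
    token = strtok_r(str, ",", &saveptr);
    if (!token) {
        return -1;
    }
    for (; token; token = strtok_r(NULL, ",", &saveptr)) {
        size_t i;
        for (i = 0; i < n_known; i++) {
            if (strcmp(token, known[i].name) == 0) {
                break;
            }
        }
        if (i == n_known) {
            return -1;
        }
        *banks |= known[i].flag;
    }
    return 0;
}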
int
parse_pcrs(char *str, int *pcrs)
{
char *token;
char *saveptr;
char *endptr;
long pcr;
*pcrs = 0;
if (!str) {
return -1;
}
token = strtok_r(str, ",", &saveptr);
if (!token) {
return -1;
}
while (token) {
errno = 0;
pcr = strtoul(token, &endptr, 0);
if (errno || endptr == token || *endptr != '\0') {
return -1;
} else {
*pcrs |= 1 << pcr;
}
token = strtok_r(NULL, ",", &saveptr);
}
return 0;
}
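/** Read a password from stdin into a newly allocated buffer.
 *
 * Everything up to EOF is taken verbatim, so a trailing newline would become
 * part of the password; callers are expected to pipe it without one.
 * Errors are reported on stderr.
 * @return NUL-terminated password (kept for the process lifetime by the
 *         caller), or NULL on empty input, an embedded NUL byte or
 *         allocation failure.
 */
static char *
read_password_stdin(void)
{
    char *buf = NULL;
    size_t buf_size = 0;
    int c;

    while ((c = getc(stdin)) != EOF) {
        char *buf_tmp = realloc(buf, buf_size + 2); /* + 2 for \0 termination */
        if (buf_tmp == NULL) {
            ERR("Error reading password from stdin. Out of memory after %zu bytes allocated.\n", buf_size);
            free(buf);
            return NULL;
        }
        buf = buf_tmp;
        /* the password travels on as a C string, so a NUL byte cannot be represented */
        if (c == '\0') {
            ERR("Error reading password from stdin. Must not contain '\\0'.\n");
            free(buf);
            return NULL;
        }
        buf[buf_size++] = (char)c;
    }
    if (buf == NULL) {
        ERR("Error reading password from stdin. Empty file.\n");
        return NULL;
    }
    buf[buf_size] = '\0';
    return buf;
}

/** Parse and set command line options.
 *
 * This function parses the command line options and sets the appropriate values
 * in the opt struct, then takes exactly one command from the remaining
 * arguments. -h prints the usage text and exits the process.
 * @param argc The argument count.
 * @param argv The arguments.
 * @retval 0 on success
 * @retval -1 on failure (message already printed to stderr)
 */
int
parse_opts(int argc, char **argv)
{
    /* set the default values */
    opt.cmd = CMD_NONE;
    opt.banks = 0;
    opt.nvindex = 0;
    opt.password = "";
    opt.pcrs = 0;
    opt.time = 0;
    opt.verbose = 0;
    opt.label = "TPM2-TOTP";

    /* parse the options */
    int c;
    int opt_idx = 0;
    while (-1 != (c = getopt_long(argc, argv, optstr,
                                  long_options, &opt_idx))) {
        switch (c) {
        case 'h':
            printf("%s", help);
            exit(0);
        case 'b':
            if (parse_banks(optarg, &opt.banks) != 0) {
                ERR("Error parsing banks.\n");
                return -1;
            }
            break;
        case 'N':
            /* accept an explicit "0x" hex prefix as well as anything %i understands */
            if (sscanf(optarg, "0x%x", &opt.nvindex) != 1
                && sscanf(optarg, "%i", &opt.nvindex) != 1) {
                ERR("Error parsing nvindex.\n");
                return -1;
            }
            break;
        case 'P':
            if (!strcmp(optarg, "-")) {
                /* "-" reads the password from stdin so it is not part of the command line */
                char *pw = read_password_stdin();
                if (pw == NULL) {
                    return -1;
                }
                opt.password = pw;
            } else {
                opt.password = optarg;
            }
            break;
        case 'p':
            if (parse_pcrs(optarg, &opt.pcrs) != 0) {
                ERR("Error parsing pcrs.\n");
                return -1;
            }
            break;
        case 't':
            opt.time = 1;
            break;
        case 'T':
            opt.tcti = optarg;
            break;
        case 'l':
            opt.label = optarg;
            break;
        case 'v':
            opt.verbose = 1;
            break;
        default:
            ERR("Unknown option at index %i.\n\n", opt_idx);
            ERR("%s", help);
            return -1;
        }
    }

    /* parse the non-option arguments: exactly one command */
    if (optind >= argc) {
        ERR("Missing command: init, show, reseal, recover, clean.\n\n");
        ERR("%s", help);
        return -1;
    }
    if (!strcmp(argv[optind], "init")) {
        opt.cmd = CMD_INIT;
    } else if (!strcmp(argv[optind], "show")) {
        opt.cmd = CMD_SHOW;
    } else if (!strcmp(argv[optind], "reseal")) {
        opt.cmd = CMD_RESEAL;
    } else if (!strcmp(argv[optind], "recover")) {
        opt.cmd = CMD_RECOVER;
    } else if (!strcmp(argv[optind], "clean")) {
        opt.cmd = CMD_CLEAN;
    } else {
        ERR("Unknown command: init, show, reseal, recover, clean.\n\n");
        ERR("%s", help);
        return -1;
    }
    optind++;
    if (optind < argc) {
        ERR("Unknown argument provided.\n\n");
        ERR("%s", help);
        return -1;
    }
    return 0;
}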
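/** Base32-encode a byte string (RFC 4648 alphabet, '=' padding).
 *
 * @param in      Bytes to encode; may be NULL when in_size is 0.
 * @param in_size Number of bytes.
 * @return Newly allocated NUL-terminated string of length
 *         ((in_size + 4) / 5) * 8 (an empty string for empty input), to be
 *         free()d by the caller, or NULL if allocation fails.
 */
static char *
base32enc(const uint8_t *in, size_t in_size)
{
    static const char alphabet[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
    /* every 5 input bytes become 8 output characters, partial groups are padded */
    const size_t out_size = ((in_size + 4) / 5) * 8;
    char *out = malloc(out_size + 1);
    if (out == NULL) {
        return NULL;
    }

    size_t o = 0;
    unsigned int acc = 0; /* bit accumulator; only the low `bits` bits are meaningful */
    int bits = 0;
    for (size_t i = 0; i < in_size; i++) {
        acc = (acc << 8) | in[i];
        bits += 8;
        while (bits >= 5) {
            bits -= 5;
            out[o++] = alphabet[(acc >> bits) & 0x1F];
        }
    }
    /* left-over bits of the last byte are zero-padded to a full symbol */
    if (bits > 0) {
        out[o++] = alphabet[(acc << (5 - bits)) & 0x1F];
    }
    while (o < out_size) {
        out[o++] = '=';
    }
    out[o] = '\0';
    return out;
}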
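/** Render a QR code for url as a block of ANSI-coloured terminal lines.
 *
 * Every module is drawn as a cell on a black (\e[40m) or white (\e[47m)
 * background, surrounded by a one-module white margin.
 * @param url The text to encode.
 * @return Newly allocated NUL-terminated picture to be free()d by the caller,
 *         or NULL when encoding or allocation fails (an error is printed).
 */
char *
qrencode(const char *url)
{
    QRcode *qrcode = QRcode_encodeString(url, 0/*=version*/, QR_ECLEVEL_L,
                                         QR_MODE_8, 1/*=case*/);
    if (!qrcode) { ERR("QRcode failed."); return NULL; }
    const int width = qrcode->width;

    /* Exact size of what is written below: two margin lines plus, per row,
     * a left margin cell, `width` cells and a right margin cell. */
    const size_t pic_size =
        /* Margins top / bot*/ 2 * (
            (width + 2) * 2 - 2 +
            strlen("\e[47m%*s\e[0m\n") ) +
        /* lines */ width * (
            strlen("\e[47m ") * (width + 1) +
            strlen("\e[47m \e[0m\n")
        ) + 1 /* \0 */;
    char *qrpic = malloc(pic_size);
    if (!qrpic) {
        ERR("Out of memory.\n");
        QRcode_free(qrcode);
        return NULL;
    }

    size_t idx = 0;
    idx += sprintf(&qrpic[idx], "\e[47m%*s\e[0m\n", 2 * (width + 2), "");
    for (int y = 0; y < width; y++) {
        idx += sprintf(&qrpic[idx], "\e[47m ");
        for (int x = 0; x < width; x++) {
            /* bit 0 of a module byte is its black/white value */
            if (qrcode->data[y * width + x] & 0x01) {
                idx += sprintf(&qrpic[idx], "\e[40m ");
            } else {
                idx += sprintf(&qrpic[idx], "\e[47m ");
            }
        }
        idx += sprintf(&qrpic[idx], "\e[47m \e[0m\n");
    }
    idx += sprintf(&qrpic[idx], "\e[47m%*s\e[0m\n", 2 * (width + 2), "");
    (void)idx;

    /* QRcode_free() also releases qrcode->data, which a bare free(qrcode) leaks. */
    QRcode_free(qrcode);
    return qrpic;
}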
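#define URL_PREFIX "otpauth://totp/%s?secret="

/** Print the enrolment QR code and otpauth:// URL for a TOTP secret.
 *
 * Both outputs contain the secret in Base32; they go to stdout by design so
 * the user can scan or copy them into an authenticator app.
 * @param totp_name   Label shown by the authenticator app.
 * @param secret      Raw TOTP secret.
 * @param secret_size Size of secret in bytes.
 * @retval 0 on success.
 * @retval -1 on allocation or QR encoding failure.
 */
static int
tpm2totp_qrencode(
    const char * const totp_name,
    const uint8_t * const secret,
    const size_t secret_size
)
{
    char * const base32key = base32enc(secret, secret_size);
    if (!base32key) {
        return -1;
    }
    /* prefix + label + key + NUL; the "%s" in URL_PREFIX is replaced by the label */
    const size_t url_len = 1
        + strlen(base32key)
        + strlen(totp_name)
        + strlen(URL_PREFIX);
    char * const url = calloc(1, url_len);
    if (!url) {
        free(base32key);
        return -1;
    }
    snprintf(url, url_len, URL_PREFIX "%s", totp_name, base32key);
    free(base32key);

    char * const qrpic = qrencode(url);
    if (!qrpic) {
        free(url);
        return -1;
    }
    printf("%s\n", qrpic);
    printf("%s\n", url);
    free(qrpic);
    free(url);
    return 0;
}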
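/** Main function
 *
 * Parses the command line, initializes the TCTI (from -T, the TPM2TOTP_TCTI
 * environment variable, or the TSS default) and runs the selected command:
 * init, show, reseal, recover or clean.
 * @param argc The argument count.
 * @param argv The arguments.
 * @retval 0 on success
 * @retval 1 on failure
 */
int
main(int argc, char **argv)
{
    int rc;
    uint8_t *secret = NULL, *keyBlob = NULL, *newBlob = NULL;
    size_t secret_size, keyBlob_size, newBlob_size;
    uint64_t totp;
    time_t now;
    struct tm now_local;
    char timestr[100] = { 0, };
    TSS2_TCTI_CONTEXT *tcti_context = NULL;

    if (parse_opts(argc, argv) != 0) {
        goto err;
    }
    if (!opt.tcti) {
        opt.tcti = getenv(TPM2TOTP_ENV_TCTI);
    }
    rc = Tss2_TctiLdr_Initialize(opt.tcti, &tcti_context);
    chkrc(rc, goto err);

    switch (opt.cmd) {
    case CMD_INIT:
        rc = tpm2totp_generateKey(opt.pcrs, opt.banks, opt.password, tcti_context,
                                  &secret, &secret_size,
                                  &keyBlob, &keyBlob_size);
        chkrc(rc, goto err);
        rc = tpm2totp_storeKey_nv(keyBlob, keyBlob_size, opt.nvindex, tcti_context);
        free(keyBlob);
        chkrc(rc, goto err);
        /* the secret itself is freed on the common exit paths below */
        if (tpm2totp_qrencode(opt.label, secret, secret_size) < 0)
            goto err;
        break;
    case CMD_SHOW:
        rc = tpm2totp_loadKey_nv(opt.nvindex, tcti_context, &keyBlob, &keyBlob_size);
        chkrc(rc, goto err);
        rc = tpm2totp_calculate(keyBlob, keyBlob_size, tcti_context, &now, &totp);
        free(keyBlob);
        chkrc(rc, goto err);
        if (opt.time) {
            localtime_r(&now, &now_local);
            /* strftime returns 0 on failure; turn that into a non-zero rc for chkrc */
            rc = !strftime(timestr, sizeof(timestr) - 1, "%Y-%m-%d %H:%M:%S: ",
                           &now_local);
            chkrc(rc, goto err);
        }
        printf("%s%06" PRIu64, timestr, totp);
        break;
    case CMD_RESEAL:
        rc = tpm2totp_loadKey_nv(opt.nvindex, tcti_context, &keyBlob, &keyBlob_size);
        chkrc(rc, goto err);
        rc = tpm2totp_reseal(keyBlob, keyBlob_size, opt.password, opt.pcrs,
                             opt.banks, tcti_context, &newBlob, &newBlob_size);
        free(keyBlob);
        chkrc(rc, goto err);
        /* TODO: Are you sure? The old blob is gone once this succeeds. */
        rc = tpm2totp_deleteKey_nv(opt.nvindex, tcti_context);
        chkrc(rc, goto err);
        rc = tpm2totp_storeKey_nv(newBlob, newBlob_size, opt.nvindex,
                                  tcti_context);
        free(newBlob);
        chkrc(rc, goto err);
        break;
    case CMD_RECOVER:
        rc = tpm2totp_loadKey_nv(opt.nvindex, tcti_context,
                                 &keyBlob, &keyBlob_size);
        chkrc(rc, goto err);
        rc = tpm2totp_getSecret(keyBlob, keyBlob_size, opt.password, tcti_context,
                                &secret, &secret_size);
        free(keyBlob);
        chkrc(rc, goto err);
        if (tpm2totp_qrencode(opt.label, secret, secret_size) < 0)
            goto err;
        break;
    case CMD_CLEAN:
        /* TODO: Are you sure? This deletes the stored secret. */
        rc = tpm2totp_deleteKey_nv(opt.nvindex, tcti_context);
        chkrc(rc, goto err);
        break;
    default:
        goto err;
    }

    Tss2_TctiLdr_Finalize(&tcti_context);
    free(secret);
    return 0;

err:
    Tss2_TctiLdr_Finalize(&tcti_context);
    free(secret);
    return 1;
}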
0707010000003C000041ED0000000000000000000000026602CAFD00000000000000000000000000000000000000000000002000000000tpm2-totp-20240326.33e1986/test0707010000003D000081A40000000000000000000000016602CAFD00000C12000000000000000000000000000000000000002F00000000tpm2-totp-20240326.33e1986/test/libtpm2-totp.c/* SPDX-License-Identifier: BSD-3-Clause */
/*******************************************************************************
* Copyright 2018, Fraunhofer SIT
* All rights reserved.
*******************************************************************************/
#include <tpm2-totp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <liboath/oath.h>
#include <tss2/tss2_tctildr.h>
#define chkrc(rc, cmd) if (rc != TSS2_RC_SUCCESS) {\
fprintf(stderr, "ERROR in %s:%i: 0x%08x\n", __FILE__, __LINE__, rc); cmd; }
#define TPM2TOTP_ENV_TCTI "TPM2TOTP_TCTI"
#define PWD "hallo"
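/** Compare the TPM-calculated TOTP against liboath's reference value.
 *
 * @param secret      Raw TOTP secret as returned by tpm2totp_generateKey().
 * @param secret_size Size of secret in bytes.
 * @param now         Time the TPM used for its calculation.
 * @param totp        TOTP computed by the TPM.
 * @retval 0 when both six-digit codes match.
 * @retval -1 on mismatch or when liboath fails (message printed to stderr).
 */
static int
check_totp(const uint8_t *secret, size_t secret_size, time_t now, uint64_t totp)
{
    char totp_string[7], totp_check[7];
    int rc;

    /* zero-pad to six digits so it compares equal to liboath's fixed-width output */
    snprintf(totp_string, sizeof(totp_string), "%.*" PRIu64, 6, totp);
    /* 30 s time step, no start offset, 6 digits */
    rc = oath_totp_generate((const char *)secret, secret_size, now, 30, 0, 6, totp_check);
    chkrc(rc, return -1);
    if (memcmp(totp_string, totp_check, sizeof(totp_string)) != 0) {
        fprintf(stderr, "TPM's %s != %s\n", totp_string, totp_check);
        return -1;
    }
    return 0;
}

/** Exercise the whole library against a TPM selected by TPM2TOTP_TCTI.
 *
 * Generates a key, checks its TOTP against liboath, reseals and checks
 * again, recovers the secret with the password, and round-trips the blob
 * through the NV index.
 * @retval 0 on success
 * @retval 1 on failure
 */
int
main(int argc, char **argv)
{
    (void)(argc); (void)(argv);
    int rc;
    uint8_t *secret = NULL;
    uint8_t *keyBlob = NULL;
    uint8_t *newBlob = NULL;
    uint8_t *recovered = NULL;
    size_t secret_size, keyBlob_size, newBlob_size, recovered_size;
    uint64_t totp;
    time_t now;
    /* NULL so that the err path can finalize it safely if initialization fails */
    TSS2_TCTI_CONTEXT *tcti_context = NULL;

    rc = Tss2_TctiLdr_Initialize(getenv(TPM2TOTP_ENV_TCTI), &tcti_context);
    chkrc(rc, goto err);

    /* generate a key and check its TOTP against the reference implementation */
    rc = tpm2totp_generateKey(0x00, 0x00, PWD, tcti_context,
                              &secret, &secret_size, &keyBlob, &keyBlob_size);
    chkrc(rc, goto err);
    rc = tpm2totp_calculate(keyBlob, keyBlob_size, tcti_context, &now, &totp);
    chkrc(rc, goto err);
    if (check_totp(secret, secret_size, now, totp) != 0) {
        goto err;
    }

    /* resealing must keep the secret: the new blob yields the same TOTP */
    rc = tpm2totp_reseal(keyBlob, keyBlob_size, PWD, 0, 0, tcti_context, &newBlob, &newBlob_size);
    chkrc(rc, goto err);
    rc = tpm2totp_calculate(newBlob, newBlob_size, tcti_context, &now, &totp);
    chkrc(rc, goto err);
    if (check_totp(secret, secret_size, now, totp) != 0) {
        goto err;
    }
    free(newBlob);
    newBlob = NULL;

    /* recovery with the password must give back the generated secret */
    rc = tpm2totp_getSecret(keyBlob, keyBlob_size, PWD, tcti_context,
                            &recovered, &recovered_size);
    chkrc(rc, goto err);
    if (recovered_size != secret_size || memcmp(recovered, secret, secret_size) != 0) {
        fprintf(stderr, "Recovered secret differs from the generated one\n");
        goto err;
    }

    /* NV round trip: store, load, delete, store the loaded copy, delete again.
     * keyBlob is reset after free so a failing load cannot lead to a double free. */
    rc = tpm2totp_storeKey_nv(keyBlob, keyBlob_size, 0, tcti_context);
    chkrc(rc, goto err);
    free(keyBlob);
    keyBlob = NULL;
    rc = tpm2totp_loadKey_nv(0, tcti_context, &keyBlob, &keyBlob_size);
    chkrc(rc, goto err);
    rc = tpm2totp_deleteKey_nv(0, tcti_context);
    chkrc(rc, goto err);
    rc = tpm2totp_storeKey_nv(keyBlob, keyBlob_size, 0, tcti_context);
    chkrc(rc, goto err);
    rc = tpm2totp_deleteKey_nv(0, tcti_context);
    chkrc(rc, goto err);

    free(keyBlob);
    free(newBlob);
    free(secret);
    free(recovered);
    Tss2_TctiLdr_Finalize(&tcti_context);
    return 0;

err:
    free(keyBlob);
    free(newBlob);
    free(secret);
    free(recovered);
    Tss2_TctiLdr_Finalize(&tcti_context);
    return 1;
}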
0707010000003E000081ED0000000000000000000000016602CAFD00000088000000000000000000000000000000000000003000000000tpm2-totp-20240326.33e1986/test/libtpm2-totp.sh#!/bin/bash
# SPDX-License-Identifier: BSD-3-Clause
# Copyright (c) 2018 Fraunhofer SIT
# All rights reserved.
set -o errexit -o nounset -o noglob -o xtrace
# The whole test is the C program; its exit status is the test result.
libtpm2-totp
0707010000003F000081ED0000000000000000000000016602CAFD00000805000000000000000000000000000000000000003600000000tpm2-totp-20240326.33e1986/test/plymouth-tpm2-totp.sh#!/bin/bash
# SPDX-License-Identifier: BSD-3-Clause
# Copyright (c) 2019 Jonas Witschel
# All rights reserved.
set -o errexit -o nounset -o noglob -o xtrace
#######################################
# Tell whether an exit status counts as "did not fail".
# Arguments: $1 - exit status of a command run under GNU timeout
# Returns:   0 for status 0 or 124 (124 is what GNU timeout returns when
#            the time limit was reached), 1 otherwise
#######################################
success_or_timeout() {
  case "$1" in
    0|124) return 0 ;;
    *) return 1 ;;
  esac
}
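#######################################
# Stop the background processes started by this script (EXIT trap).
# Globals:   plymouth_tpm2_totp_pid, plymouthd_pid (read; empty when the
#            process was never started)
# Returns:   always 0 so the script's own exit status is preserved
#######################################
cleanup() {
  local pid
  # Kill the client first, then the daemon it talks to. An empty PID means
  # the process was never started; skip it instead of letting kill complain.
  for pid in "$plymouth_tpm2_totp_pid" "$plymouthd_pid"; do
    if [ -n "$pid" ]; then
      kill "$pid" || true
    fi
  done
}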
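plymouthd_pid=''
plymouth_tpm2_totp_pid=''
trap "cleanup" EXIT

# A plymouthd from outside this test would make the PID lookup below ambiguous.
if pgrep plymouthd; then
  echo "ERROR: plymouthd is already running."
  exit 99
fi

plymouth-tpm2-totp --help

# Without a running plymouthd the client has to fail, not hang until killed.
exit_status=0
timeout 10s plymouth-tpm2-totp || exit_status=$?
if success_or_timeout "$exit_status"; then
  echo "plymouth-tpm2-totp should fail when plymouthd is not running."
  exit 1
fi

if [ "$EUID" -eq 0 ]; then
  plymouthd --no-daemon &
else
  # plymouthd usually needs root access in order to display the splash screen.
  # Since we are only interested in the messaging infrastructure, attempt to
  # start plymouthd with fakeroot.
  fakeroot plymouthd --no-daemon &
fi
sleep 1
# We need the PID of plymouthd, not the fakeroot PID, so we cannot use $!
# pgrep exits non-zero when nothing matches; under 'set -e' that would end the
# script with status 1 before the check below can report the failure as 99.
plymouthd_pid="$(pgrep plymouthd || true)"
if [ -z "$plymouthd_pid" ]; then
  echo "ERROR: Failed to start plymouthd."
  exit 99
fi

tpm2-totp --banks SHA256 --pcrs 0 --nvindex 0x018094AF --password abc init
# Extending the selected PCR invalidates the policy; the client must fail.
tpm2_pcrextend 0:sha256=0000000000000000000000000000000000000000000000000000000000000000
exit_status=0
timeout 10s plymouth-tpm2-totp --nvindex 0x018094AF || exit_status=$?
if success_or_timeout "$exit_status"; then
  echo "plymouth-tpm2-totp should fail when the PCR state is changed."
  exit 1
fi

# Resealing to the current PCR values makes the client work again.
tpm2-totp --nvindex 0x018094AF --password abc reseal
plymouth-tpm2-totp --nvindex 0x018094AF --time &
plymouth_tpm2_totp_pid=$!
# Wait for the TOTP to refresh after 30 seconds
sleep 40
kill "$plymouthd_pid"
# Give plymouth-tpm2-totp some time to quit
timeout 10s tail --pid "$plymouth_tpm2_totp_pid" --follow /dev/null
# plymouth-tpm2-totp should exit successfully after plymouthd has quit
wait "$plymouth_tpm2_totp_pid"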
07070100000040000081ED0000000000000000000000016602CAFD000007DE000000000000000000000000000000000000003300000000tpm2-totp-20240326.33e1986/test/sh_log_compiler.sh#!/bin/bash
# SPDX-License-Identifier: BSD-3-Clause
# Copyright (c) 2019 Jonas Witschel
# All rights reserved.
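export LANG=C
export PATH="$PWD:$PATH"

test_script="$(realpath "$1")"
tmp_dir="$(mktemp --directory)" || exit 99
simulator_pid=''

#######################################
# Stop the simulator and remove the temporary TPM state (EXIT trap), so the
# early "exit 99" paths below clean up as well as the normal end.
# Globals:   simulator_pid (read; empty when no simulator is running),
#            tmp_dir (read)
#######################################
cleanup() {
  if [ -n "$simulator_pid" ]; then
    kill "$simulator_pid" || true
  fi
  rm -rf "${tmp_dir:?}"
}
trap cleanup EXIT

echo "Switching to temporary directory $tmp_dir"
cd "$tmp_dir" || exit 99

simulator_binary=''
for simulator in 'swtpm' 'tpm_server'; do
  simulator_binary="$(command -v "$simulator")" && break
done
if [ -z "$simulator_binary" ]; then
  echo 'ERROR: No TPM simulator was found on PATH'
  exit 99
fi

# Pick a random port; retry a few times in case it is already taken.
for (( attempt = 9; attempt >= 0; attempt-- )); do
  simulator_port="$(shuf --input-range 1024-65534 --head-count 1)"
  echo "Starting simulator on port $simulator_port"
  case "$simulator_binary" in
    *swtpm)
      "$simulator_binary" socket --tpm2 --server port="$simulator_port" \
        --ctrl type=tcp,port="$(( simulator_port + 1 ))" \
        --flags not-need-init --tpmstate dir="$tmp_dir" &
      ;;
    *tpm_server)
      "$simulator_binary" -port "$simulator_port" &
      ;;
  esac
  simulator_pid="$!"
  sleep 1
  # Both the command port and the control/platform port (port + 1) must be
  # owned by our child before the simulator counts as started.
  if ( ss --listening --tcp --ipv4 --processes | grep "$simulator_pid" | grep --quiet "$simulator_port" &&
       ss --listening --tcp --ipv4 --processes | grep "$simulator_pid" | grep --quiet "$(( simulator_port + 1 ))" )
  then
    echo "Simulator with PID $simulator_pid started successfully"
    break
  else
    echo "Failed to start simulator, the port might be in use"
    kill "$simulator_pid"
    simulator_pid=''
    if [ "$attempt" -eq 0 ]; then
      echo 'ERROR: Reached maximum number of tries to start simulator, giving up'
      exit 99
    fi
  fi
done

case "$simulator_binary" in
  *swtpm) export TPM2TOTP_TCTI="swtpm:port=$simulator_port" ;;
  *tpm_server) export TPM2TOTP_TCTI="mssim:port=$simulator_port" ;;
esac
# tpm2-tools (tpm2_startup, tpm2_pcrextend in the tests) must talk to the same simulator.
export TPM2TOOLS_TCTI="$TPM2TOTP_TCTI"
tpm2_startup --clear

echo "Starting $test_script"
"$test_script"
test_status="$?"
# The EXIT trap stops the simulator and removes the temporary directory.
exit "$test_status"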
07070100000041000081ED0000000000000000000000016602CAFD00000583000000000000000000000000000000000000002D00000000tpm2-totp-20240326.33e1986/test/tpm2-totp.sh#!/bin/bash
# SPDX-License-Identifier: BSD-3-Clause
# Copyright (c) 2018 Fraunhofer SIT
# All rights reserved.
set -o errexit -o nounset -o noglob -o xtrace

# An unknown command has to be rejected with exit status 1.
exit_status=0
tpm2-totp invalid-argument || exit_status=$?
if (( exit_status != 1 )); then
  echo "tpm2-totp should have exit status 1 on invalid arguments!"
  exit 1
fi

tpm2-totp -P abc -p 0,1,2,3,4,5,6 -b SHA1,SHA256 init
# Changing an unselected PCR bank should not affect the TOTP calculation
tpm2_pcrextend 0:sha384=000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
tpm2-totp -t show
# A selected PCR in a selected bank changes: the policy must fail.
tpm2_pcrextend 1:sha1=0000000000000000000000000000000000000000
if tpm2-totp -t show; then
  echo "The TOTP was calculated despite a changed PCR state!"
  exit 1
fi

# Recovery works with the right password, from argv and from stdin, and
# fails with a wrong one.
tpm2-totp -P abc recover
# Test reading password from stdin
printf '%s' 'abc' | tpm2-totp -P - recover
if tpm2-totp -P wrongpassword recover; then
  echo "The secret was recovered despite an incorrect password!"
  exit 1
fi

# Resealing binds the secret to the current PCR values; same checks again.
tpm2-totp -P abc -p 0,1,2,3,4,5,6 -b SHA1,SHA256 reseal
# Changing an unselected PCR bank should not affect the TOTP calculation
tpm2_pcrextend 0:sha384=000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
tpm2-totp show
tpm2_pcrextend 1:sha1=0000000000000000000000000000000000000000
if tpm2-totp show; then
  echo "The TOTP was calculated despite a changed PCR state!"
  exit 1
fi

tpm2-totp clean
07070100000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000B00000000TRAILER!!!534 blocks