1 /* SPDX-License-Identifier: BSD-2-Clause */
2 /*******************************************************************************
3 * Copyright 2017-2018, Fraunhofer SIT sponsored by Infineon Technologies AG
4 * All rights reserved.
5 ******************************************************************************/
6
7 #ifdef HAVE_CONFIG_H
8 #include <config.h>
9 #endif
10
11 #include <stdio.h>
12
13 #include "tss2_esys.h"
14
15 #include "esys_crypto.h"
16 #include "esys_iutil.h"
17 #include "esys_mu.h"
18 #define LOGMODULE esys_crypto
19 #include "util/log.h"
20 #include "util/aux_util.h"
21
22 /** Provide the digest size for a given hash algorithm.
23 *
24 * This function provides the size of the digest for a given hash algorithm.
25 *
26 * @param[in] hashAlg The hash algorithm to get the size for.
27 * @param[out] size The side of a digest of the hash algorithm.
28 * @retval TSS2_RC_SUCCESS on success.
29 * @retval TSS2_ESYS_RC_BAD_VALUE if hashAlg is unknown or unsupported.
30 */
31 TSS2_RC
iesys_crypto_hash_get_digest_size(TPM2_ALG_ID hashAlg,size_t * size)32 iesys_crypto_hash_get_digest_size(TPM2_ALG_ID hashAlg, size_t * size)
33 {
34 LOG_TRACE("call: hashAlg=%"PRIu16" size=%p", hashAlg, size);
35 if (size == NULL) {
36 LOG_ERROR("Null-Pointer passed");
37 return TSS2_ESYS_RC_BAD_REFERENCE;
38 }
39 switch (hashAlg) {
40 case TPM2_ALG_SHA1:
41 *size = TPM2_SHA1_DIGEST_SIZE;
42 break;
43 case TPM2_ALG_SHA256:
44 *size = TPM2_SHA256_DIGEST_SIZE;
45 break;
46 case TPM2_ALG_SHA384:
47 *size = TPM2_SHA384_DIGEST_SIZE;
48 break;
49 case TPM2_ALG_SHA512:
50 *size = TPM2_SHA512_DIGEST_SIZE;
51 break;
52 case TPM2_ALG_SM3_256:
53 *size = TPM2_SM3_256_DIGEST_SIZE;
54 break;
55 default:
56 LOG_ERROR("Unsupported hash algorithm (%"PRIu16")", hashAlg);
57 return TSS2_ESYS_RC_BAD_VALUE;
58 }
59 LOG_TRACE("return: *size=%zu", *size);
60 return TSS2_RC_SUCCESS;
61 }
62
63 /** Compute the command or response parameter hash.
64 *
65 * These hashes are needed for the computation of the HMAC used for the
66 * authorization of commands, or for the HMAC used for checking the responses.
67 * The name parameters are only used for the command parameter hash (cp) and
68 * must be NULL for the computation of the response parameter rp hash (rp).
69 * @param[in] alg The hash algorithm.
70 * @param[in] rcBuffer The response code in marshaled form.
71 * @param[in] ccBuffer The command code in marshaled form.
72 * @param[in] name1, name2, name3 The names associated with the corresponding
73 * handle. Must be NULL if no handle is passed.
74 * @param[in] pBuffer The byte buffer or the command or the response.
75 * @param[in] pBuffer_size The size of the command or response.
76 * @param[out] pHash The result digest.
77 * @param[out] pHash_size The size of the result digest.
78 * @retval TSS2_RC_SUCCESS on success.
79 * @retval TSS2_ESYS_RC_BAD_REFERENCE for invalid parameters.
80 */
81
82 TSS2_RC
iesys_crypto_pHash(TPM2_ALG_ID alg,const uint8_t rcBuffer[4],const uint8_t ccBuffer[4],const TPM2B_NAME * name1,const TPM2B_NAME * name2,const TPM2B_NAME * name3,const uint8_t * pBuffer,size_t pBuffer_size,uint8_t * pHash,size_t * pHash_size)83 iesys_crypto_pHash(TPM2_ALG_ID alg,
84 const uint8_t rcBuffer[4],
85 const uint8_t ccBuffer[4],
86 const TPM2B_NAME * name1,
87 const TPM2B_NAME * name2,
88 const TPM2B_NAME * name3,
89 const uint8_t * pBuffer,
90 size_t pBuffer_size, uint8_t * pHash, size_t * pHash_size)
91 {
92 LOG_TRACE("called");
93 if (ccBuffer == NULL || pBuffer == NULL || pHash == NULL
94 || pHash_size == NULL) {
95 LOG_ERROR("Null-Pointer passed");
96 return TSS2_ESYS_RC_BAD_REFERENCE;
97 }
98
99 IESYS_CRYPTO_CONTEXT_BLOB *cryptoContext;
100
101 TSS2_RC r = iesys_crypto_hash_start(&cryptoContext, alg);
102 return_if_error(r, "Error");
103
104 if (rcBuffer != NULL) {
105 r = iesys_crypto_hash_update(cryptoContext, &rcBuffer[0], 4);
106 goto_if_error(r, "Error", error);
107 }
108
109 r = iesys_crypto_hash_update(cryptoContext, &ccBuffer[0], 4);
110 goto_if_error(r, "Error", error);
111
112 if (name1 != NULL) {
113 r = iesys_crypto_hash_update2b(cryptoContext, (TPM2B *) name1);
114 goto_if_error(r, "Error", error);
115 }
116
117 if (name2 != NULL) {
118 r = iesys_crypto_hash_update2b(cryptoContext, (TPM2B *) name2);
119 goto_if_error(r, "Error", error);
120 }
121
122 if (name3 != NULL) {
123 r = iesys_crypto_hash_update2b(cryptoContext, (TPM2B *) name3);
124 goto_if_error(r, "Error", error);
125 }
126
127 r = iesys_crypto_hash_update(cryptoContext, pBuffer, pBuffer_size);
128 goto_if_error(r, "Error", error);
129
130 r = iesys_crypto_hash_finish(&cryptoContext, pHash, pHash_size);
131 goto_if_error(r, "Error", error);
132
133 return r;
134
135 error:
136 iesys_crypto_hash_abort(&cryptoContext);
137 return r;
138 }
139
140 /** Compute the HMAC for authorization.
141 *
142 * Based on the session nonces, caller nonce, TPM nonce, if used encryption and
143 * decryption nonce, the command parameter hash, and the session attributes the
144 * HMAC used for authorization is computed.
145 * @param[in] alg The hash algorithm used for HMAC computation.
146 * @param[in] hmacKey The HMAC key byte buffer.
147 * @param[in] hmacKeySize The size of the HMAC key byte buffer.
148 * @param[in] pHash The command parameter hash byte buffer.
149 * @param[in] pHash_size The size of the command parameter hash byte buffer.
150 * @param[in] nonceNewer The TPM nonce.
151 * @param[in] nonceOlder The caller nonce.
152 * @param[in] nonceDecrypt The decrypt nonce (NULL if not used).
153 * @param[in] nonceEncrypt The encrypt nonce (NULL if not used).
154 * @param[in] sessionAttributes The attributes used for the current
155 * authentication.
156 * @param[out] hmac The computed HMAC.
157 * @retval TSS2_RC_SUCCESS on success
158 * @retval TSS2_ESYS_RC_BAD_REFERENCE If a pointer is invalid.
159 */
160 TSS2_RC
iesys_crypto_authHmac(TPM2_ALG_ID alg,uint8_t * hmacKey,size_t hmacKeySize,const uint8_t * pHash,size_t pHash_size,const TPM2B_NONCE * nonceNewer,const TPM2B_NONCE * nonceOlder,const TPM2B_NONCE * nonceDecrypt,const TPM2B_NONCE * nonceEncrypt,TPMA_SESSION sessionAttributes,TPM2B_AUTH * hmac)161 iesys_crypto_authHmac(TPM2_ALG_ID alg,
162 uint8_t * hmacKey, size_t hmacKeySize,
163 const uint8_t * pHash,
164 size_t pHash_size,
165 const TPM2B_NONCE * nonceNewer,
166 const TPM2B_NONCE * nonceOlder,
167 const TPM2B_NONCE * nonceDecrypt,
168 const TPM2B_NONCE * nonceEncrypt,
169 TPMA_SESSION sessionAttributes, TPM2B_AUTH * hmac)
170 {
171 LOG_TRACE("called");
172 if (hmacKey == NULL || pHash == NULL || nonceNewer == NULL ||
173 nonceOlder == NULL || hmac == NULL) {
174 LOG_ERROR("Null-Pointer passed");
175 return TSS2_ESYS_RC_BAD_REFERENCE;
176 }
177
178 uint8_t sessionAttribs[sizeof(sessionAttributes)];
179 size_t sessionAttribs_size = 0;
180
181 IESYS_CRYPTO_CONTEXT_BLOB *cryptoContext;
182
183 TSS2_RC r =
184 iesys_crypto_hmac_start(&cryptoContext, alg, hmacKey, hmacKeySize);
185 return_if_error(r, "Error");
186
187 r = iesys_crypto_hmac_update(cryptoContext, pHash, pHash_size);
188 goto_if_error(r, "Error", error);
189
190 r = iesys_crypto_hmac_update2b(cryptoContext, (TPM2B *) nonceNewer);
191 goto_if_error(r, "Error", error);
192
193 r = iesys_crypto_hmac_update2b(cryptoContext, (TPM2B *) nonceOlder);
194 goto_if_error(r, "Error", error);
195
196 if (nonceDecrypt != NULL) {
197 r = iesys_crypto_hmac_update2b(cryptoContext, (TPM2B *) nonceDecrypt);
198 goto_if_error(r, "Error", error);
199 }
200
201 if (nonceEncrypt != NULL) {
202 r = iesys_crypto_hmac_update2b(cryptoContext, (TPM2B *) nonceEncrypt);
203 goto_if_error(r, "Error", error);
204 }
205
206 r = Tss2_MU_TPMA_SESSION_Marshal(sessionAttributes,
207 &sessionAttribs[0],
208 sizeof(sessionAttribs),
209 &sessionAttribs_size);
210 goto_if_error(r, "Error", error);
211
212 r = iesys_crypto_hmac_update(cryptoContext, &sessionAttribs[0],
213 sessionAttribs_size);
214 goto_if_error(r, "Error", error);
215
216 r = iesys_crypto_hmac_finish2b(&cryptoContext, (TPM2B *) hmac);
217 goto_if_error(r, "Error", error);
218
219 return r;
220
221 error:
222 iesys_crypto_hmac_abort(&cryptoContext);
223 return r;
224
225 }
226
227 /**
228 * HMAC computation for inner loop of KDFa key derivation.
229 *
230 * Except of ECDH this function is used for key derivation.
231 * @param[in] alg The algorithm used for the HMAC.
232 * @param[in] hmacKey The hmacKey used in KDFa.
233 * @param[in] hmacKeySize The size of the HMAC key.
234 * @param[in] counter The curren iteration step.
235 * @param[in] label Indicates the use of the produced key.
236 * @param[in] contextU, contextV are used for construction of a binary string
237 * containing information related to the derived key.
238 * @param[in] bitlength The size of the generated key in bits.
239 * @param[out] hmac Byte buffer for the generated HMAC key (caller-allocated).
240 * @param[out] hmacSize Size of the generated HMAC key.
241 * @retval TSS2_RC_SUCCESS on success.
242 * @retval TSS2_ESYS_RC_BAD_REFERENCE for invalid parameters.
243 */
244 TSS2_RC
iesys_crypto_KDFaHmac(TPM2_ALG_ID alg,uint8_t * hmacKey,size_t hmacKeySize,uint32_t counter,const char * label,TPM2B_NONCE * contextU,TPM2B_NONCE * contextV,uint32_t bitlength,uint8_t * hmac,size_t * hmacSize)245 iesys_crypto_KDFaHmac(TPM2_ALG_ID alg,
246 uint8_t * hmacKey,
247 size_t hmacKeySize,
248 uint32_t counter,
249 const char *label,
250 TPM2B_NONCE * contextU,
251 TPM2B_NONCE * contextV,
252 uint32_t bitlength, uint8_t * hmac, size_t * hmacSize)
253 {
254 LOG_TRACE("called");
255 if (hmacKey == NULL || contextU == NULL || contextV == NULL) {
256 LOG_ERROR("Null-Pointer passed");
257 return TSS2_ESYS_RC_BAD_REFERENCE;
258 }
259
260 uint8_t buffer32[sizeof(uint32_t)];
261 size_t buffer32_size = 0;
262
263 IESYS_CRYPTO_CONTEXT_BLOB *cryptoContext;
264
265 TSS2_RC r =
266 iesys_crypto_hmac_start(&cryptoContext, alg, hmacKey, hmacKeySize);
267 return_if_error(r, "Error");
268
269 r = Tss2_MU_UINT32_Marshal(counter, &buffer32[0], sizeof(UINT32),
270 &buffer32_size);
271 goto_if_error(r, "Marsahling", error);
272 r = iesys_crypto_hmac_update(cryptoContext, &buffer32[0], buffer32_size);
273 goto_if_error(r, "HMAC-Update", error);
274
275 if (label != NULL) {
276 size_t lsize = strlen(label) + 1;
277 r = iesys_crypto_hmac_update(cryptoContext, (uint8_t *) label, lsize);
278 goto_if_error(r, "Error", error);
279 }
280
281 r = iesys_crypto_hmac_update2b(cryptoContext, (TPM2B *) contextU);
282 goto_if_error(r, "Error", error);
283
284 r = iesys_crypto_hmac_update2b(cryptoContext, (TPM2B *) contextV);
285 goto_if_error(r, "Error", error);
286
287 buffer32_size = 0;
288 r = Tss2_MU_UINT32_Marshal(bitlength, &buffer32[0], sizeof(UINT32),
289 &buffer32_size);
290 goto_if_error(r, "Marsahling", error);
291 r = iesys_crypto_hmac_update(cryptoContext, &buffer32[0], buffer32_size);
292 goto_if_error(r, "Error", error);
293
294 r = iesys_crypto_hmac_finish(&cryptoContext, hmac, hmacSize);
295 goto_if_error(r, "Error", error);
296
297 return r;
298
299 error:
300 iesys_crypto_hmac_abort(&cryptoContext);
301 return r;
302 }
303
304 /**
305 * KDFa Key derivation.
306 *
307 * Except of ECDH this function is used for key derivation.
308 * @param[in] hashAlg The hash algorithm to use.
309 * @param[in] hmacKey The hmacKey used in KDFa.
310 * @param[in] hmacKeySize The size of the HMAC key.
311 * @param[in] label Indicates the use of the produced key.
312 * @param[in] contextU, contextV are used for construction of a binary string
313 * containing information related to the derived key.
314 * @param[in] bitLength The size of generated key in bits.
315 * @param[in,out] counterInOut Counter for the KDFa iterations. If set, the
316 * value will be used for the firt iteration step. The final
317 * counter value will be written to counterInOut.
318 * @param[out] outKey Byte buffer for the derived key (caller-allocated).
319 * @param[in] use_digest_size Indicate whether the digest size of hashAlg is
320 * used as size of the generated key or the bitLength parameter is
321 * used.
322 * @retval TSS2_RC_SUCCESS on success.
323 * @retval TSS2_ESYS_RC_BAD_VALUE if hashAlg is unknown or unsupported.
324 */
325 TSS2_RC
iesys_crypto_KDFa(TPM2_ALG_ID hashAlg,uint8_t * hmacKey,size_t hmacKeySize,const char * label,TPM2B_NONCE * contextU,TPM2B_NONCE * contextV,uint32_t bitLength,uint32_t * counterInOut,BYTE * outKey,BOOL use_digest_size)326 iesys_crypto_KDFa(TPM2_ALG_ID hashAlg,
327 uint8_t * hmacKey,
328 size_t hmacKeySize,
329 const char *label,
330 TPM2B_NONCE * contextU,
331 TPM2B_NONCE * contextV,
332 uint32_t bitLength,
333 uint32_t * counterInOut,
334 BYTE * outKey,
335 BOOL use_digest_size)
336 {
337 LOG_DEBUG("IESYS KDFa hmac key hashAlg: %i label: %s bitLength: %i",
338 hashAlg, label, bitLength);
339 if (counterInOut != NULL)
340 LOG_TRACE("IESYS KDFa hmac key counterInOut: %i", *counterInOut);
341 LOGBLOB_DEBUG(hmacKey, hmacKeySize, "IESYS KDFa hmac key");
342
343 LOGBLOB_DEBUG(&contextU->buffer[0], contextU->size,
344 "IESYS KDFa contextU key");
345 LOGBLOB_DEBUG(&contextV->buffer[0], contextV->size,
346 "IESYS KDFa contextV key");
347 BYTE *subKey = outKey;
348 UINT32 counter = 0;
349 INT32 bytes = 0;
350 size_t hlen = 0;
351 TSS2_RC r = iesys_crypto_hash_get_digest_size(hashAlg, &hlen);
352 return_if_error(r, "Error");
353 if (counterInOut != NULL)
354 counter = *counterInOut;
355 bytes = use_digest_size ? hlen : (bitLength + 7) / 8;
356 LOG_DEBUG("IESYS KDFa hmac key bytes: %i", bytes);
357
358 /* Fill outKey with results from KDFaHmac */
359 for (; bytes > 0; subKey = &subKey[hlen], bytes = bytes - hlen) {
360 LOG_TRACE("IESYS KDFa hmac key bytes: %i", bytes);
361 //if(bytes < (INT32)hlen)
362 // hlen = bytes;
363 counter++;
364 r = iesys_crypto_KDFaHmac(hashAlg, hmacKey,
365 hmacKeySize, counter, label, contextU,
366 contextV, bitLength, &subKey[0], &hlen);
367 return_if_error(r, "Error");
368 }
369 if ((bitLength % 8) != 0)
370 outKey[0] &= ((1 << (bitLength % 8)) - 1);
371 if (counterInOut != NULL)
372 *counterInOut = counter;
373 LOGBLOB_DEBUG(outKey, (bitLength + 7) / 8, "IESYS KDFa key");
374 return TPM2_RC_SUCCESS;
375 }
376
377 /** Compute KDFe as described in TPM spec part 1 C 6.1
378 *
379 * @param hashAlg [in] The nameAlg of the recipient key.
380 * @param Z [in] the x coordinate (xP) of the product (P) of a public point and a
381 * private key.
382 * @param label [in] KDF label.
383 * @param partyUInfo [in] The x-coordinate of the secret exchange value (Qe,U).
384 * @param partyVInfo [in] The x-coordinate of a public key (Qs,V).
385 * @param bit_size [in] Bit size of generated key.
386 * @param key [out] Key buffer.
387 * @retval TSS2_RC_SUCCESS on success
388 * @retval TSS2_ESYS_RC_BAD_REFERENCE for invalid parameters
389 * @retval TSS2_ESYS_RC_MEMORY Memory cannot be allocated.
390 */
391 TSS2_RC
iesys_crypto_KDFe(TPM2_ALG_ID hashAlg,TPM2B_ECC_PARAMETER * Z,const char * label,TPM2B_ECC_PARAMETER * partyUInfo,TPM2B_ECC_PARAMETER * partyVInfo,UINT32 bit_size,BYTE * key)392 iesys_crypto_KDFe(TPM2_ALG_ID hashAlg,
393 TPM2B_ECC_PARAMETER *Z,
394 const char *label,
395 TPM2B_ECC_PARAMETER *partyUInfo,
396 TPM2B_ECC_PARAMETER *partyVInfo,
397 UINT32 bit_size,
398 BYTE *key)
399 {
400 TSS2_RC r = TSS2_RC_SUCCESS;
401 size_t hash_len;
402 INT16 byte_size = (INT16)((bit_size +7) / 8);
403 BYTE *stream = key;
404 IESYS_CRYPTO_CONTEXT_BLOB *cryptoContext;
405 BYTE counter_buffer[4];
406 UINT32 counter = 0;
407 size_t offset;
408
409 LOG_DEBUG("IESYS KDFe hashAlg: %i label: %s bitLength: %i",
410 hashAlg, label, bit_size);
411 if (partyUInfo != NULL)
412 LOGBLOB_DEBUG(&partyUInfo->buffer[0], partyUInfo->size, "partyUInfo");
413 if (partyVInfo != NULL)
414 LOGBLOB_DEBUG(&partyVInfo->buffer[0], partyVInfo->size, "partyVInfo");
415 r = iesys_crypto_hash_get_digest_size(hashAlg, &hash_len);
416 return_if_error(r, "Hash algorithm not supported.");
417
418 if(hashAlg == TPM2_ALG_NULL || byte_size == 0) {
419 LOG_DEBUG("Bad parameters for KDFe");
420 return TSS2_ESYS_RC_BAD_VALUE;
421 }
422
423 /* Fill seed key with hash of counter, Z, label, partyUInfo, and partyVInfo */
424 for (; byte_size > 0; stream = &stream[hash_len], byte_size = byte_size - hash_len)
425 {
426 counter ++;
427 r = iesys_crypto_hash_start(&cryptoContext, hashAlg);
428 return_if_error(r, "Error hash start");
429
430 offset = 0;
431 r = Tss2_MU_UINT32_Marshal(counter, &counter_buffer[0], 4, &offset);
432 goto_if_error(r, "Error marshaling counter", error);
433
434 r = iesys_crypto_hash_update(cryptoContext, &counter_buffer[0], 4);
435 goto_if_error(r, "Error hash update", error);
436
437 if (Z != NULL) {
438 r = iesys_crypto_hash_update2b(cryptoContext, (TPM2B *) Z);
439 goto_if_error(r, "Error hash update2b", error);
440 }
441
442 if (label != NULL) {
443 size_t lsize = strlen(label) + 1;
444 r = iesys_crypto_hash_update(cryptoContext, (uint8_t *) label, lsize);
445 goto_if_error(r, "Error hash update", error);
446 }
447
448 if (partyUInfo != NULL) {
449 r = iesys_crypto_hash_update2b(cryptoContext, (TPM2B *) partyUInfo);
450 goto_if_error(r, "Error hash update2b", error);
451 }
452
453 if (partyVInfo != NULL) {
454 r = iesys_crypto_hash_update2b(cryptoContext, (TPM2B *) partyVInfo);
455 goto_if_error(r, "Error hash update2b", error);
456 }
457 r = iesys_crypto_hash_finish(&cryptoContext, (uint8_t *) stream, &hash_len);
458 goto_if_error(r, "Error", error);
459 }
460 LOGBLOB_DEBUG(key, bit_size/8, "Result KDFe");
461 if((bit_size % 8) != 0)
462 key[0] &= ((1 << (bit_size % 8)) - 1);
463 return r;
464
465 error:
466 iesys_crypto_hmac_abort(&cryptoContext);
467 return r;
468 }
469
470 /** Encryption/Decryption using XOR obfuscation.
471 *
472 * The application of this function to data encrypted with this function will
473 * produce the origin data. The key for XOR obfuscation will be derived with
474 * KDFa form the passed key the session nonces, and the hash algorithm.
475 * @param[in] hash_alg The algorithm used for key derivation.
476 * @param[in] key key used for obfuscation
477 * @param[in] key_size Key size in bits.
478 * @param[in] contextU, contextV are used for construction of a binary string
479 * containing information related to the derived key.
480 * @param[in,out] data Data to be encrypted/decrypted the result will be
481 * will be stored in this buffer.
482 * @param[in] data_size size of data to be encrypted/decrypted.
483 * @retval TSS2_RC_SUCCESS on success, or TSS2_ESYS_RC_BAD_VALUE and
484 * @retval TSS2_ESYS_RC_BAD_REFERENCE for invalid parameters.
485 */
486 TSS2_RC
iesys_xor_parameter_obfuscation(TPM2_ALG_ID hash_alg,uint8_t * key,size_t key_size,TPM2B_NONCE * contextU,TPM2B_NONCE * contextV,BYTE * data,size_t data_size)487 iesys_xor_parameter_obfuscation(TPM2_ALG_ID hash_alg,
488 uint8_t *key,
489 size_t key_size,
490 TPM2B_NONCE * contextU,
491 TPM2B_NONCE * contextV,
492 BYTE *data,
493 size_t data_size)
494 {
495 TSS2_RC r;
496 uint32_t counter = 0;
497 BYTE kdfa_result[TPM2_MAX_DIGEST_BUFFER];
498 size_t digest_size;
499 size_t data_size_bits = data_size * 8;
500 size_t rest_size = data_size;
501 BYTE *kdfa_byte_ptr;
502
503 if (key == NULL || data == NULL) {
504 LOG_ERROR("Bad reference");
505 return TSS2_ESYS_RC_BAD_REFERENCE;
506 }
507
508 r = iesys_crypto_hash_get_digest_size(hash_alg, &digest_size);
509 return_if_error(r, "Hash alg not supported");
510 while(rest_size > 0) {
511 r = iesys_crypto_KDFa(hash_alg, key, key_size, "XOR",
512 contextU, contextV, data_size_bits, &counter,
513 kdfa_result, TRUE);
514 return_if_error(r, "iesys_crypto_KDFa failed");
515 /* XOR next data sub block with KDFa result */
516 kdfa_byte_ptr = kdfa_result;
517 LOGBLOB_TRACE(data, data_size, "Parameter data before XOR");
518 for(size_t i = digest_size < rest_size ? digest_size : rest_size; i > 0;
519 i--)
520 *data++ ^= *kdfa_byte_ptr++;
521 LOGBLOB_TRACE(data, data_size, "Parameter data after XOR");
522 rest_size = rest_size < digest_size ? 0 : rest_size - digest_size;
523 }
524 return TSS2_RC_SUCCESS;
525 }
526
527
528 /** Initialize crypto backend.
529 *
530 * Initialize internal tables of crypto backend.
531 *
532 * @retval TSS2_RC_SUCCESS ong success.
533 * @retval TSS2_ESYS_RC_GENERAL_FAILURE if backend can't be initialized.
534 */
535 TSS2_RC
iesys_initialize_crypto()536 iesys_initialize_crypto() {
537 return iesys_crypto_init();
538 }
539