| /* SPDX-License-Identifier: BSD-2 */ |
| /******************************************************************************* |
| * Copyright 2017-2018, Fraunhofer SIT sponsored by Infineon Technologies AG |
| * All rights reserved. |
| ******************************************************************************/ |
| |
| #include "tss2_mu.h" |
| #include "tss2_sys.h" |
| #include "tss2_esys.h" |
| |
| #include "esys_types.h" |
| #include "esys_iutil.h" |
| #include "esys_mu.h" |
| #define LOGMODULE esys |
| #include "util/log.h" |
| #include "util/aux_util.h" |
| |
| /** Store command parameters inside the ESYS_CONTEXT for use during _Finish */ |
| static void store_input_parameters ( |
| ESYS_CONTEXT *esysContext, |
| ESYS_TR tpmKey, |
| ESYS_TR bind, |
| const TPM2B_NONCE *nonceCaller, |
| TPM2_SE sessionType, |
| const TPMT_SYM_DEF *symmetric, |
| TPMI_ALG_HASH authHash) |
| { |
| esysContext->in.StartAuthSession.tpmKey = tpmKey; |
| esysContext->in.StartAuthSession.bind = bind; |
| esysContext->in.StartAuthSession.sessionType = sessionType; |
| esysContext->in.StartAuthSession.authHash = authHash; |
| if (nonceCaller == NULL) { |
| esysContext->in.StartAuthSession.nonceCaller = NULL; |
| } else { |
| esysContext->in.StartAuthSession.nonceCallerData = *nonceCaller; |
| esysContext->in.StartAuthSession.nonceCaller = |
| &esysContext->in.StartAuthSession.nonceCallerData; |
| } |
| if (symmetric == NULL) { |
| esysContext->in.StartAuthSession.symmetric = NULL; |
| } else { |
| esysContext->in.StartAuthSession.symmetricData = *symmetric; |
| esysContext->in.StartAuthSession.symmetric = |
| &esysContext->in.StartAuthSession.symmetricData; |
| } |
| } |
| |
| /** One-Call function for TPM2_StartAuthSession |
| * |
| * This function invokes the TPM2_StartAuthSession command in a one-call |
| * variant. This means the function will block until the TPM response is |
| * available. All input parameters are const. The memory for non-simple output |
| * parameters is allocated by the function implementation. |
| * |
| * @param[in,out] esysContext The ESYS_CONTEXT. |
| * @param[in] tpmKey Handle of a loaded decrypt key used to encrypt salt. |
| * @param[in] bind Entity providing the authValue. |
| * @param[in] shandle1 First session handle. |
| * @param[in] shandle2 Second session handle. |
| * @param[in] shandle3 Third session handle. |
| * @param[in] nonceCaller Initial nonceCaller, sets nonceTPM size for the |
| * session. |
| * @param[in] sessionType Indicates the type of the session; simple HMAC or |
| * policy (including a trial policy). |
| * @param[in] symmetric The algorithm and key size for parameter encryption. |
| * @param[in] authHash Hash algorithm to use for the session. |
| * @param[out] sessionHandle ESYS_TR handle of ESYS resource for TPMI_SH_AUTH_SESSION. |
| * @retval TSS2_RC_SUCCESS if the function call was a success. |
| * @retval TSS2_ESYS_RC_BAD_REFERENCE if the esysContext or required input |
| * pointers or required output handle references are NULL. |
| * @retval TSS2_ESYS_RC_BAD_CONTEXT: if esysContext corruption is detected. |
| * @retval TSS2_ESYS_RC_MEMORY: if the ESAPI cannot allocate enough memory for |
| * internal operations or return parameters. |
| * @retval TSS2_ESYS_RC_BAD_SEQUENCE: if the context has an asynchronous |
| * operation already pending. |
| * @retval TSS2_ESYS_RC_INSUFFICIENT_RESPONSE: if the TPM's response does not |
| * at least contain the tag, response length, and response code. |
| * @retval TSS2_ESYS_RC_MALFORMED_RESPONSE: if the TPM's response is corrupted. |
| * @retval TSS2_ESYS_RC_RSP_AUTH_FAILED: if the response HMAC from the TPM |
| did not verify. |
| * @retval TSS2_ESYS_RC_MULTIPLE_DECRYPT_SESSIONS: if more than one session has |
| * the 'decrypt' attribute bit set. |
| * @retval TSS2_ESYS_RC_MULTIPLE_ENCRYPT_SESSIONS: if more than one session has |
| * the 'encrypt' attribute bit set. |
| * @retval TSS2_ESYS_RC_BAD_TR: if any of the ESYS_TR objects are unknown |
| * to the ESYS_CONTEXT or are of the wrong type or if required |
| * ESYS_TR objects are ESYS_TR_NONE. |
| * @retval TSS2_RCs produced by lower layers of the software stack may be |
| * returned to the caller unaltered unless handled internally. |
| */ |
| TSS2_RC |
| Esys_StartAuthSession( |
| ESYS_CONTEXT *esysContext, |
| ESYS_TR tpmKey, |
| ESYS_TR bind, |
| ESYS_TR shandle1, |
| ESYS_TR shandle2, |
| ESYS_TR shandle3, |
| const TPM2B_NONCE *nonceCaller, |
| TPM2_SE sessionType, |
| const TPMT_SYM_DEF *symmetric, |
| TPMI_ALG_HASH authHash, ESYS_TR *sessionHandle) |
| { |
| TSS2_RC r; |
| |
| r = Esys_StartAuthSession_Async(esysContext, tpmKey, bind, shandle1, |
| shandle2, shandle3, nonceCaller, sessionType, |
| symmetric, authHash); |
| return_if_error(r, "Error in async function"); |
| |
| /* Set the timeout to indefinite for now, since we want _Finish to block */ |
| int32_t timeouttmp = esysContext->timeout; |
| esysContext->timeout = -1; |
| /* |
| * Now we call the finish function, until return code is not equal to |
| * from TSS2_BASE_RC_TRY_AGAIN. |
| * Note that the finish function may return TSS2_RC_TRY_AGAIN, even if we |
| * have set the timeout to -1. This occurs for example if the TPM requests |
| * a retransmission of the command via TPM2_RC_YIELDED. |
| */ |
| do { |
| r = Esys_StartAuthSession_Finish(esysContext, sessionHandle); |
| /* This is just debug information about the reattempt to finish the |
| command */ |
| if ((r & ~TSS2_RC_LAYER_MASK) == TSS2_BASE_RC_TRY_AGAIN) |
| LOG_DEBUG("A layer below returned TRY_AGAIN: %" PRIx32 |
| " => resubmitting command", r); |
| } while ((r & ~TSS2_RC_LAYER_MASK) == TSS2_BASE_RC_TRY_AGAIN); |
| |
| /* Restore the timeout value to the original value */ |
| esysContext->timeout = timeouttmp; |
| return_if_error(r, "Esys Finish"); |
| |
| return TSS2_RC_SUCCESS; |
| } |
| |
| /** Asynchronous function for TPM2_StartAuthSession |
| * |
| * This function invokes the TPM2_StartAuthSession command in a asynchronous |
| * variant. This means the function will return as soon as the command has been |
| * sent downwards the stack to the TPM. All input parameters are const. |
| * In order to retrieve the TPM's response call Esys_StartAuthSession_Finish. |
| * |
| * @param[in,out] esysContext The ESYS_CONTEXT. |
| * @param[in] tpmKey Handle of a loaded decrypt key used to encrypt salt. |
| * @param[in] bind Entity providing the authValue. |
| * @param[in] shandle1 First session handle. |
| * @param[in] shandle2 Second session handle. |
| * @param[in] shandle3 Third session handle. |
| * @param[in] nonceCaller Initial nonceCaller, sets nonceTPM size for the |
| * session. |
| * @param[in] sessionType Indicates the type of the session; simple HMAC or |
| * policy (including a trial policy). |
| * @param[in] symmetric The algorithm and key size for parameter encryption. |
| * @param[in] authHash Hash algorithm to use for the session. |
| * @retval ESYS_RC_SUCCESS if the function call was a success. |
| * @retval TSS2_ESYS_RC_BAD_REFERENCE if the esysContext or required input |
| * pointers or required output handle references are NULL. |
| * @retval TSS2_ESYS_RC_BAD_CONTEXT: if esysContext corruption is detected. |
| * @retval TSS2_ESYS_RC_MEMORY: if the ESAPI cannot allocate enough memory for |
| * internal operations or return parameters. |
| * @retval TSS2_RCs produced by lower layers of the software stack may be |
| returned to the caller unaltered unless handled internally. |
| * @retval TSS2_ESYS_RC_MULTIPLE_DECRYPT_SESSIONS: if more than one session has |
| * the 'decrypt' attribute bit set. |
| * @retval TSS2_ESYS_RC_MULTIPLE_ENCRYPT_SESSIONS: if more than one session has |
| * the 'encrypt' attribute bit set. |
| * @retval TSS2_ESYS_RC_BAD_TR: if any of the ESYS_TR objects are unknown |
| * to the ESYS_CONTEXT or are of the wrong type or if required |
| * ESYS_TR objects are ESYS_TR_NONE. |
| */ |
| TSS2_RC |
| Esys_StartAuthSession_Async( |
| ESYS_CONTEXT *esysContext, |
| ESYS_TR tpmKey, |
| ESYS_TR bind, |
| ESYS_TR shandle1, |
| ESYS_TR shandle2, |
| ESYS_TR shandle3, |
| const TPM2B_NONCE *nonceCaller, |
| TPM2_SE sessionType, |
| const TPMT_SYM_DEF *symmetric, |
| TPMI_ALG_HASH authHash) |
| { |
| TSS2_RC r; |
| LOG_TRACE("context=%p, tpmKey=%"PRIx32 ", bind=%"PRIx32 "," |
| "nonceCaller=%p, sessionType=%02"PRIx8", symmetric=%p," |
| "authHash=%04"PRIx16"", |
| esysContext, tpmKey, bind, nonceCaller, sessionType, |
| symmetric, authHash); |
| TPM2B_ENCRYPTED_SECRET encryptedSaltAux; |
| const TPM2B_ENCRYPTED_SECRET *encryptedSalt = &encryptedSaltAux; |
| TSS2L_SYS_AUTH_COMMAND auths; |
| RSRC_NODE_T *tpmKeyNode; |
| RSRC_NODE_T *bindNode; |
| |
| /* Check context, sequence correctness and set state to error for now */ |
| if (esysContext == NULL) { |
| LOG_ERROR("esyscontext is NULL."); |
| return TSS2_ESYS_RC_BAD_REFERENCE; |
| } |
| r = iesys_check_sequence_async(esysContext); |
| if (r != TSS2_RC_SUCCESS) |
| return r; |
| esysContext->state = _ESYS_STATE_INTERNALERROR; |
| |
| /* Check and store input parameters */ |
| r = check_session_feasibility(shandle1, shandle2, shandle3, 0); |
| return_state_if_error(r, _ESYS_STATE_INIT, "Check session usage"); |
| store_input_parameters(esysContext, tpmKey, bind, nonceCaller, sessionType, |
| symmetric, authHash); |
| |
| /* Retrieve the metadata objects for provided handles */ |
| r = esys_GetResourceObject(esysContext, tpmKey, &tpmKeyNode); |
| return_state_if_error(r, _ESYS_STATE_INIT, "tpmKey unknown."); |
| r = esys_GetResourceObject(esysContext, bind, &bindNode); |
| return_state_if_error(r, _ESYS_STATE_INIT, "bind unknown."); |
| size_t authHash_size = 0; |
| TSS2_RC r2; |
| r2 = iesys_compute_encrypted_salt(esysContext, tpmKeyNode, |
| &encryptedSaltAux); |
| return_if_error(r2, "Error in parameter encryption."); |
| |
| if (nonceCaller == NULL) { |
| r2 = iesys_crypto_hash_get_digest_size(authHash,&authHash_size); |
| if (r2 != TSS2_RC_SUCCESS) { |
| LOG_ERROR("Error: initialize auth session (%x).", r2); |
| return r2; |
| } |
| r2 = iesys_crypto_random2b(&esysContext->in.StartAuthSession.nonceCallerData, |
| authHash_size); |
| if (r2 != TSS2_RC_SUCCESS) { |
| LOG_ERROR("Error: initialize auth session (%x).", r2); |
| return r2; |
| } |
| esysContext->in.StartAuthSession.nonceCaller |
| = &esysContext->in.StartAuthSession.nonceCallerData; |
| nonceCaller = esysContext->in.StartAuthSession.nonceCaller; |
| } |
| |
| /* Initial invocation of SAPI to prepare the command buffer with parameters */ |
| r = Tss2_Sys_StartAuthSession_Prepare(esysContext->sys, |
| (tpmKeyNode == NULL) ? TPM2_RH_NULL |
| : tpmKeyNode->rsrc.handle, |
| (bindNode == NULL) ? TPM2_RH_NULL |
| : bindNode->rsrc.handle, nonceCaller, |
| encryptedSalt, sessionType, symmetric, |
| authHash); |
| return_state_if_error(r, _ESYS_STATE_INIT, "SAPI Prepare returned error."); |
| |
| /* Calculate the cpHash Values */ |
| r = init_session_tab(esysContext, shandle1, shandle2, shandle3); |
| return_state_if_error(r, _ESYS_STATE_INIT, "Initialize session resources"); |
| iesys_compute_session_value(esysContext->session_tab[0], NULL, NULL); |
| iesys_compute_session_value(esysContext->session_tab[1], NULL, NULL); |
| iesys_compute_session_value(esysContext->session_tab[2], NULL, NULL); |
| |
| /* Generate the auth values and set them in the SAPI command buffer */ |
| r = iesys_gen_auths(esysContext, tpmKeyNode, bindNode, NULL, &auths); |
| return_state_if_error(r, _ESYS_STATE_INIT, |
| "Error in computation of auth values"); |
| |
| esysContext->authsCount = auths.count; |
| r = Tss2_Sys_SetCmdAuths(esysContext->sys, &auths); |
| return_state_if_error(r, _ESYS_STATE_INIT, "SAPI error on SetCmdAuths"); |
| |
| /* Trigger execution and finish the async invocation */ |
| r = Tss2_Sys_ExecuteAsync(esysContext->sys); |
| return_state_if_error(r, _ESYS_STATE_INTERNALERROR, |
| "Finish (Execute Async)"); |
| |
| esysContext->state = _ESYS_STATE_SENT; |
| |
| return r; |
| } |
| |
| /** Asynchronous finish function for TPM2_StartAuthSession |
| * |
| * This function returns the results of a TPM2_StartAuthSession command |
| * invoked via Esys_StartAuthSession_Finish. All non-simple output parameters |
| * are allocated by the function's implementation. NULL can be passed for every |
| * output parameter if the value is not required. |
| * |
| * @param[in,out] esysContext The ESYS_CONTEXT. |
| * @param[out] sessionHandle ESYS_TR handle of ESYS resource for TPMI_SH_AUTH_SESSION. |
| * @retval TSS2_RC_SUCCESS on success |
| * @retval ESYS_RC_SUCCESS if the function call was a success. |
| * @retval TSS2_ESYS_RC_BAD_REFERENCE if the esysContext or required input |
| * pointers or required output handle references are NULL. |
| * @retval TSS2_ESYS_RC_BAD_CONTEXT: if esysContext corruption is detected. |
| * @retval TSS2_ESYS_RC_MEMORY: if the ESAPI cannot allocate enough memory for |
| * internal operations or return parameters. |
| * @retval TSS2_ESYS_RC_BAD_SEQUENCE: if the context has an asynchronous |
| * operation already pending. |
| * @retval TSS2_ESYS_RC_TRY_AGAIN: if the timeout counter expires before the |
| * TPM response is received. |
| * @retval TSS2_ESYS_RC_INSUFFICIENT_RESPONSE: if the TPM's response does not |
| * at least contain the tag, response length, and response code. |
| * @retval TSS2_ESYS_RC_RSP_AUTH_FAILED: if the response HMAC from the TPM did |
| * not verify. |
| * @retval TSS2_ESYS_RC_MALFORMED_RESPONSE: if the TPM's response is corrupted. |
| * @retval TSS2_RCs produced by lower layers of the software stack may be |
| * returned to the caller unaltered unless handled internally. |
| */ |
| TSS2_RC |
| Esys_StartAuthSession_Finish( |
| ESYS_CONTEXT *esysContext, ESYS_TR *sessionHandle) |
| { |
| TPM2B_NONCE lnonceTPM; |
| TSS2_RC r; |
| LOG_TRACE("context=%p, sessionHandle=%p", |
| esysContext, sessionHandle); |
| |
| if (esysContext == NULL) { |
| LOG_ERROR("esyscontext is NULL."); |
| return TSS2_ESYS_RC_BAD_REFERENCE; |
| } |
| |
| /* Check for correct sequence and set sequence to irregular for now */ |
| if (esysContext->state != _ESYS_STATE_SENT) { |
| LOG_ERROR("Esys called in bad sequence."); |
| return TSS2_ESYS_RC_BAD_SEQUENCE; |
| } |
| esysContext->state = _ESYS_STATE_INTERNALERROR; |
| RSRC_NODE_T *sessionHandleNode = NULL; |
| |
| /* Allocate memory for response parameters */ |
| if (sessionHandle == NULL) { |
| LOG_ERROR("Handle sessionHandle may not be NULL"); |
| return TSS2_ESYS_RC_BAD_REFERENCE; |
| } |
| *sessionHandle = esysContext->esys_handle_cnt++; |
| r = esys_CreateResourceObject(esysContext, *sessionHandle, &sessionHandleNode); |
| if (r != TSS2_RC_SUCCESS) |
| return r; |
| |
| IESYS_RESOURCE *rsrc = &sessionHandleNode->rsrc; |
| rsrc->misc.rsrc_session.sessionAttributes = |
| TPMA_SESSION_CONTINUESESSION; |
| rsrc->misc.rsrc_session.sessionType = |
| esysContext->in.StartAuthSession.sessionType; |
| rsrc->misc.rsrc_session.authHash = |
| esysContext->in.StartAuthSession.authHash; |
| rsrc->misc.rsrc_session.symmetric = |
| *esysContext->in.StartAuthSession.symmetric; |
| rsrc->misc.rsrc_session.nonceCaller = |
| esysContext->in.StartAuthSession.nonceCallerData; |
| |
| /*Receive the TPM response and handle resubmissions if necessary. */ |
| r = Tss2_Sys_ExecuteFinish(esysContext->sys, esysContext->timeout); |
| if ((r & ~TSS2_RC_LAYER_MASK) == TSS2_BASE_RC_TRY_AGAIN) { |
| LOG_DEBUG("A layer below returned TRY_AGAIN: %" PRIx32, r); |
| esysContext->state = _ESYS_STATE_SENT; |
| goto error_cleanup; |
| } |
| /* This block handle the resubmission of TPM commands given a certain set of |
| * TPM response codes. */ |
| if (r == TPM2_RC_RETRY || r == TPM2_RC_TESTING || r == TPM2_RC_YIELDED) { |
| LOG_DEBUG("TPM returned RETRY, TESTING or YIELDED, which triggers a " |
| "resubmission: %" PRIx32, r); |
| if (esysContext->submissionCount >= _ESYS_MAX_SUBMISSIONS) { |
| LOG_WARNING("Maximum number of (re)submissions has been reached."); |
| esysContext->state = _ESYS_STATE_INIT; |
| goto error_cleanup; |
| } |
| esysContext->state = _ESYS_STATE_RESUBMISSION; |
| r = Esys_StartAuthSession_Async(esysContext, |
| esysContext->in.StartAuthSession.tpmKey, |
| esysContext->in.StartAuthSession.bind, |
| esysContext->session_type[0], |
| esysContext->session_type[1], |
| esysContext->session_type[2], |
| esysContext->in.StartAuthSession.nonceCaller, |
| esysContext->in.StartAuthSession.sessionType, |
| esysContext->in.StartAuthSession.symmetric, |
| esysContext->in.StartAuthSession.authHash); |
| if (r != TSS2_RC_SUCCESS) { |
| LOG_WARNING("Error attempting to resubmit"); |
| /* We do not set esysContext->state here but inherit the most recent |
| * state of the _async function. */ |
| goto error_cleanup; |
| } |
| r = TSS2_ESYS_RC_TRY_AGAIN; |
| LOG_DEBUG("Resubmission initiated and returning RC_TRY_AGAIN."); |
| goto error_cleanup; |
| } |
| /* The following is the "regular error" handling. */ |
| if (iesys_tpm_error(r)) { |
| LOG_WARNING("Received TPM Error"); |
| esysContext->state = _ESYS_STATE_INIT; |
| goto error_cleanup; |
| } else if (r != TSS2_RC_SUCCESS) { |
| LOG_ERROR("Received a non-TPM Error"); |
| esysContext->state = _ESYS_STATE_INTERNALERROR; |
| goto error_cleanup; |
| } |
| |
| /* |
| * Now the verification of the response (hmac check) and if necessary the |
| * parameter decryption have to be done. |
| */ |
| r = iesys_check_response(esysContext); |
| goto_state_if_error(r, _ESYS_STATE_INTERNALERROR, "Error: check response", |
| error_cleanup); |
| |
| /* |
| * After the verification of the response we call the complete function |
| * to deliver the result. |
| */ |
| r = Tss2_Sys_StartAuthSession_Complete(esysContext->sys, |
| &sessionHandleNode->rsrc.handle, |
| &lnonceTPM); |
| goto_state_if_error(r, _ESYS_STATE_INTERNALERROR, |
| "Received error from SAPI unmarshaling" , |
| error_cleanup); |
| |
| sessionHandleNode->rsrc.misc.rsrc_session.nonceTPM = lnonceTPM; |
| sessionHandleNode->rsrc.rsrcType = IESYSC_SESSION_RSRC; |
| if (esysContext->in.StartAuthSession.bind != ESYS_TR_NONE || esysContext->salt.size > 0) { |
| ESYS_TR bind = esysContext->in.StartAuthSession.bind; |
| ESYS_TR tpmKey = esysContext->in.StartAuthSession.tpmKey; |
| RSRC_NODE_T *bindNode; |
| r = esys_GetResourceObject(esysContext, bind, &bindNode); |
| goto_if_error(r, "get resource", error_cleanup); |
| |
| RSRC_NODE_T *tpmKeyNode; |
| r = esys_GetResourceObject(esysContext, tpmKey, &tpmKeyNode); |
| goto_if_error(r, "get resource", error_cleanup); |
| |
| size_t keyHash_size = 0; |
| size_t authHash_size = 0; |
| if (tpmKeyNode != NULL) { |
| r = iesys_crypto_hash_get_digest_size( |
| tpmKeyNode->rsrc.misc.rsrc_key_pub.publicArea.nameAlg, & |
| keyHash_size); |
| if (r != TSS2_RC_SUCCESS) { |
| LOG_ERROR("Error: initialize auth session (%x).", r); |
| return r; |
| } |
| } |
| r = iesys_crypto_hash_get_digest_size(esysContext->in.StartAuthSession. |
| authHash,&authHash_size); |
| if (r != TSS2_RC_SUCCESS) { |
| LOG_ERROR("Error: initialize auth session (%x).", r); |
| return r; |
| } |
| /* compute session key */ |
| size_t secret_size = 0; |
| if (tpmKey != ESYS_TR_NONE) |
| secret_size += keyHash_size; |
| if (bind != ESYS_TR_NONE && bindNode != NULL) |
| secret_size += bindNode->auth.size; |
| if (secret_size == 0) { |
| return_error(TSS2_ESYS_RC_GENERAL_FAILURE, |
| "Invalid secret size (0)."); |
| } |
| uint8_t *secret = malloc(secret_size); |
| if (secret == NULL) { |
| LOG_ERROR("Out of memory."); |
| return TSS2_ESYS_RC_MEMORY; |
| } |
| if (bind != ESYS_TR_NONE && bindNode != NULL |
| && bindNode->auth.size > 0) |
| memcpy(&secret[0], &bindNode->auth.buffer[0], bindNode->auth.size); |
| if (tpmKey != ESYS_TR_NONE) |
| memcpy(&secret[(bind == ESYS_TR_NONE || bindNode == NULL) ? 0 |
| : bindNode->auth.size], |
| &esysContext->salt.buffer[0], keyHash_size); |
| if (bind != ESYS_TR_NONE && bindNode != NULL) |
| iesys_compute_bound_entity(&bindNode->rsrc.name, |
| &bindNode->auth, |
| &sessionHandleNode->rsrc.misc.rsrc_session.bound_entity); |
| LOGBLOB_DEBUG(secret, secret_size, "ESYS Session Secret"); |
| r = iesys_crypto_KDFa(esysContext->in.StartAuthSession.authHash, secret, |
| secret_size, "ATH", |
| &lnonceTPM, esysContext->in.StartAuthSession.nonceCaller, |
| authHash_size*8, NULL, |
| &sessionHandleNode->rsrc.misc.rsrc_session.sessionKey.buffer[0], FALSE); |
| free(secret); |
| return_if_error(r, "Error in KDFa computation."); |
| |
| sessionHandleNode->rsrc.misc.rsrc_session.sessionKey.size = authHash_size; |
| LOGBLOB_DEBUG(&sessionHandleNode->rsrc.misc.rsrc_session.sessionKey |
| .buffer[0], |
| sessionHandleNode->rsrc.misc.rsrc_session.sessionKey.size, |
| "Session Key"); |
| return_if_error(r,"Error KDFa"); |
| |
| sessionHandleNode->rsrc.misc.rsrc_session.sessionKey.size = authHash_size; |
| } |
| esysContext->state = _ESYS_STATE_INIT; |
| |
| return TSS2_RC_SUCCESS; |
| |
| error_cleanup: |
| Esys_TR_Close(esysContext, sessionHandle); |
| |
| return r; |
| } |