ESAPI: Fix Codingstyle and inline comments
Signed-off-by: Andreas Fuchs <andreas.fuchs@sit.fraunhofer.de>
diff --git a/src/tss2-esys/esys_crypto.c b/src/tss2-esys/esys_crypto.c
index ff9dab3..3cd5086 100644
--- a/src/tss2-esys/esys_crypto.c
+++ b/src/tss2-esys/esys_crypto.c
@@ -144,7 +144,7 @@
mycontext->hash.hash_len = hash_len;
gcry_error_t r = gcry_md_open(&mycontext->hash.gcry_context,
- mycontext->hash.gcry_hash_alg, 0);
+ mycontext->hash.gcry_hash_alg, 0);
if (r != 0) {
LOG_ERROR("GCry error.");
free(mycontext);
@@ -409,15 +409,15 @@
*/
TSS2_RC
iesys_cryptogcry_hmac_start2b(IESYS_CRYPTO_CONTEXT_BLOB ** context,
- TPM2_ALG_ID hmacAlg, TPM2B * b)
+ TPM2_ALG_ID hmacAlg, TPM2B * key)
{
- LOG_TRACE("called for context-pointer %p and 2b-pointer %p", context, b);
- if (context == NULL || b == NULL) {
+ LOG_TRACE("called for context-pointer %p and 2b-pointer %p", context, key);
+ if (context == NULL || key == NULL) {
LOG_ERROR("Null-Pointer passed");
return TSS2_ESYS_RC_BAD_REFERENCE;
}
- TSS2_RC ret = iesys_cryptogcry_hmac_start(context, hmacAlg, &b->buffer[0],
- b->size);
+ TSS2_RC ret = iesys_cryptogcry_hmac_start(context, hmacAlg, &key->buffer[0],
+ key->size);
return ret;
}
@@ -537,16 +537,16 @@
* @retval TSS2_ESYS_RC_GENERAL_FAILURE for errors of the crypto library.
*/
TSS2_RC
-iesys_cryptogcry_hmac_finish2b(IESYS_CRYPTO_CONTEXT_BLOB ** context, TPM2B * b)
+iesys_cryptogcry_hmac_finish2b(IESYS_CRYPTO_CONTEXT_BLOB ** context, TPM2B * hmac)
{
- LOG_TRACE("called for context-pointer %p and 2b-pointer %p", context, b);
- if (context == NULL || *context == NULL || b == NULL) {
+ LOG_TRACE("called for context-pointer %p and 2b-pointer %p", context, hmac);
+ if (context == NULL || *context == NULL || hmac == NULL) {
LOG_ERROR("Null-Pointer passed");
return TSS2_ESYS_RC_BAD_REFERENCE;
}
- size_t s = b->size;
- TSS2_RC ret = iesys_cryptogcry_hmac_finish(context, &b->buffer[0], &s);
- b->size = s;
+ size_t s = hmac->size;
+ TSS2_RC ret = iesys_cryptogcry_hmac_finish(context, &hmac->buffer[0], &s);
+ hmac->size = s;
return ret;
}
@@ -847,7 +847,10 @@
const char *label,
TPM2B_NONCE * contextU,
TPM2B_NONCE * contextV,
- uint32_t bitLength, uint32_t * counterInOut, BYTE * outKey, BOOL use_digest_size)
+ uint32_t bitLength,
+ uint32_t * counterInOut,
+ BYTE * outKey,
+ BOOL use_digest_size)
{
LOG_DEBUG("IESYS KDFa hmac key hashAlg: %i label: %s bitLength: %i",
hashAlg, label, bitLength);
@@ -869,6 +872,8 @@
counter = *counterInOut;
bytes = use_digest_size ? hlen : (bitLength + 7) / 8;
LOG_DEBUG("IESYS KDFa hmac key bytes: %i", bytes);
+
+ /* Fill outKey with results from KDFaHmac */
for (; bytes > 0; subKey = &subKey[hlen], bytes = bytes - hlen) {
LOG_TRACE("IESYS KDFa hmac key bytes: %i", bytes);
//if(bytes < (INT32)hlen)
@@ -963,7 +968,7 @@
offset = 0;
r = Tss2_MU_UINT32_Marshal(counter, &counter_buffer[0], 4, &offset);
- goto_if_error(r, "Error Tss2_MU_UINT32_Marshal", error);
+ goto_if_error(r, "Error marshaling counter", error);
r = iesys_crypto_hash_update(cryptoContext, &counter_buffer[0], 4);
goto_if_error(r, "Error hash update", error);
@@ -1137,7 +1142,6 @@
#define SEXP_ECC_POINT "(ecc (curve %s) (q.x %sb) (q.y %sb))"
TSS2_RC r;
- gcry_error_t err;
char *curveId;
gcry_sexp_t mpi_tpm_sq = NULL; /* sexp for public part of TPM key*/
gcry_sexp_t mpi_sd = NULL; /* sexp for private part of ephemeral key */
@@ -1186,8 +1190,7 @@
if (gcry_sexp_build(&ekey_spec, NULL,
sexp_ecc_key) != GPG_ERR_NO_ERROR) {
- goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "gcry_sexp_build",
- cleanup);
+ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "gcry_sexp_build", cleanup);
}
}
@@ -1225,8 +1228,7 @@
/* Check whether point is on curve */
if (!gcry_mpi_ec_curve_point(mpi_q, ctx)) {
- goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Point not on curve",
- cleanup);
+ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Point not on curve", cleanup);
}
/* Store ephemeral public key in Q */
@@ -1262,27 +1264,25 @@
goto_error(r, TSS2_ESYS_RC_MEMORY, "asprintf", cleanup);
}
- err = gcry_sexp_build(&mpi_tpm_sq, NULL,
+ if ( gcry_sexp_build(&mpi_tpm_sq, NULL,
sexp_point,
key->publicArea.unique.ecc.x.size,
&key->publicArea.unique.ecc.x.buffer[0],
key->publicArea.unique.ecc.y.size,
- &key->publicArea.unique.ecc.y.buffer[0]);
- if (err != GPG_ERR_NO_ERROR) {
- LOG_ERROR("Function gcry_mpi_scan");
- return TSS2_ESYS_RC_GENERAL_FAILURE;
+ &key->publicArea.unique.ecc.y.buffer[0])) {
+ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
+ "Function gcry_mpi_scan", cleanup);
+
}
}
offset = 0;
- r = Tss2_MU_TPMS_ECC_POINT_Marshal(Q, &out_buffer[0], max_out_size,
- &offset);
+ r = Tss2_MU_TPMS_ECC_POINT_Marshal(Q, &out_buffer[0], max_out_size, &offset);
return_if_error(r, "Error marshaling");
*out_size = offset;
/* Multiply d and Q */
- if (gcry_mpi_ec_new (&ctx, mpi_tpm_sq, curveId) != GPG_ERR_NO_ERROR) {
- goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "gcry_mpi_ec_new",
- cleanup);
+ if (gcry_mpi_ec_new (&ctx, mpi_tpm_sq, curveId)) {
+ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "create ec curve", cleanup);
}
mpi_tpm_q = gcry_mpi_ec_get_point ("q", ctx, 1);
mpi_qd = gcry_mpi_point_new(256);
@@ -1290,8 +1290,8 @@
/* Store the x coordinate of d*Q in Z which will be used for KDFe */
if (gcry_mpi_ec_get_affine (mpi_x, mpi_y, mpi_qd, ctx)) {
- goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Point is at infinity",
- cleanup);
+ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
+ "Point is at infinity", cleanup);
}
if (gcry_mpi_print(GCRYMPI_FMT_USG, &Z->buffer[0], TPM2_MAX_ECC_KEY_BYTES,
diff --git a/src/tss2-esys/esys_iutil.c b/src/tss2-esys/esys_iutil.c
index e0a0b2b..fd86a8e 100644
--- a/src/tss2-esys/esys_iutil.c
+++ b/src/tss2-esys/esys_iutil.c
@@ -200,7 +200,8 @@
if (session->rsrc.misc.rsrc_session.
sessionAttributes & TPMA_SESSION_ENCRYPT) {
if (*encryptNonce != NULL) {
- return_error(TSS2_ESYS_RC_MULTIPLE_ENCRYPT_SESSIONS,
+ /* Encrypt nonce already found */
+ return_error(TSS2_ESYS_RC_MULTIPLE_ENCRYPT_SESSIONS,
"More than one encrypt session");
}
*encryptNonceIdx = i;
@@ -357,9 +358,11 @@
if (new_esys_object == NULL)
return_error(TSS2_ESYS_RC_MEMORY, "Out of memory.");
if (esys_context->rsrc_list == NULL) {
+ /* The first object of the list will be added */
esys_context->rsrc_list = new_esys_object;
new_esys_object->next = NULL;
} else {
+ /* The new object will become the first element of the list */
new_esys_object->next = esys_context->rsrc_list;
esys_context->rsrc_list = new_esys_object;
}
@@ -489,7 +492,8 @@
switch (pub->publicArea.type) {
case TPM2_ALG_RSA:
- iesys_crypto_random2b((TPM2B_NONCE *) & esys_context->salt,
+
+ iesys_crypto_random2b((TPM2B_NONCE *) & esys_context->salt,
keyHash_size);
/* When encrypting salts, the encryption scheme of a key is ignored and
@@ -507,9 +511,8 @@
case TPM2_ALG_ECC:
r = iesys_crypto_get_ecdh_point(pub, sizeof(TPMU_ENCRYPTED_SECRET),
&Z, &Q,
- (BYTE *) &encryptedSalt->secret[0],
+ (BYTE *) &encryptedSalt->secret[0],
&cSize);
-
return_if_error(r, "During computation of ECC public key.");
encryptedSalt->size = cSize;
@@ -602,6 +605,8 @@
encryptNonce = &rsrc_session->nonceTPM;
esys_context->encryptNonce = encryptNonce;
}
+
+ /* Session for encryption found */
if (rsrc_session->sessionAttributes & TPMA_SESSION_DECRYPT) {
return_if_notnull(*decryptNonce, "More than one decrypt session",
TSS2_ESYS_RC_MULTIPLE_DECRYPT_SESSIONS);
@@ -618,11 +623,15 @@
const uint8_t *paramBuffer;
r = Tss2_Sys_GetDecryptParam(esys_context->sys, ¶mSize,
¶mBuffer);
- return_if_error(r, "Encrypt parameter not possible");
+ if (r != TSS2_RC_SUCCESS) {
+ return_error(TSS2_ESYS_RC_NO_DECRYPT_PARAM, "Encryption not possible");
+ }
BYTE encrypt_buffer[paramSize];
memcpy(&encrypt_buffer[0], paramBuffer, paramSize);
LOGBLOB_DEBUG(paramBuffer, paramSize, "param to encrypt");
+
+ /* AES encryption with key derived with KDFa */
if (symDef->algorithm == TPM2_ALG_AES) {
if (symDef->mode.aes != TPM2_ALG_CFB) {
return_error(TSS2_ESYS_RC_BAD_VALUE,
@@ -649,8 +658,9 @@
r = Tss2_Sys_SetDecryptParam(esys_context->sys, paramSize,
&encrypt_buffer[0]);
return_if_error(r, "Set encrypt parameter not possible");
-
- } else if (symDef->algorithm == TPM2_ALG_XOR) {
+ }
+ /* XOR obfuscation of parameter */
+ else if (symDef->algorithm == TPM2_ALG_XOR) {
r = iesys_xor_parameter_obfuscation(rsrc_session->authHash,
&rsrc_session->sessionValue[0],
rsrc_session->sizeSessionValue,
@@ -712,7 +722,10 @@
"Invalid length encrypted response.");
}
LOGBLOB_DEBUG(rpBuffer, p2BSize, "IESYS encrypt data");
+
if (symDef->algorithm == TPM2_ALG_AES) {
+
+ /* Parameter decryption with a symmetric AES key derived by KDFa */
if (symDef->mode.aes != TPM2_ALG_CFB) {
return_error(TSS2_ESYS_RC_BAD_VALUE,
"Invalid symmetric mode (must be CFB)");
@@ -746,6 +759,8 @@
return_if_error(r, "Decryption error");
} else if (symDef->algorithm == TPM2_ALG_XOR) {
+
+ /* Parameter decryption with XOR obfuscation */
r = iesys_xor_parameter_obfuscation(rsrc_session->authHash,
&rsrc_session->sessionValue[0],
rsrc_session->sizeSessionValue,
@@ -997,7 +1012,7 @@
&esys_object_aux->rsrc.name.name[0],
sizeof(esys_object_aux->rsrc.name.name),
&offset);
- return_if_error(r, "Marshalling TPM handle.");
+ return_if_error(r, "Marshaling TPM handle.");
esys_object_aux->rsrc.name.size = offset;
*esys_object = esys_object_aux;