Lines Matching full:session
88 SESSION *session = NULL;
89 // Don't increment lockout unless the handle associated with the session
90 // is DA protected or the session is bound to a DA protected entity.
98 session = SessionGet(sessionHandle);
99 // If the session is bound to lockout, then use that as the relevant
100 // handle. This means that an auth failure with a bound session
103 if(session->attributes.isLockoutBound == SET)
105 if( session->attributes.isDaBound == CLEAR
161 // This function indicates if the entity associated with the handle is the entity, to which this session is bound.
163 // TPM_RH_NULL. The binding only occurs if the session is an HMAC session. The bind value is a
168 // TRUE handle points to the session start entity
169 // FALSE handle does not point to the session start entity
174 SESSION *session // IN: associated session
178 // If the session is not bound, return FALSE.
179 if(!session->attributes.isBound)
183 // Compare to the bind value in the session.
184 session->attributes.requestWasBound =
185 Memory2BEqual(&entity.b, &session->u1.boundEntity.b);
186 return session->attributes.requestWasBound;
192 // Checks if a policy session is required for a command. If a command requires DUP or ADMIN role
195 // have to be special-cased in this function. A policy session is required if:
205 // TRUE policy session is required
206 // FALSE policy session is not required
211 UINT32 sessionIndex // IN: session index
262 UINT32 sessionIndex // IN: session index
266 // If a policy session is required, the entity can not be authorized by
267 // authValue. However, at this point, the policy session requirement should
368 UINT32 sessionIndex // IN: session index
423 // If policy session is required for this handle, always
456 // Session Parsing Functions
482 // A cpHash can contain just a commandCode only if the lone session is
483 // an audit session.
518 // This function validates the authorization provided in a PWAP session. It compares the input value to
529 UINT32 sessionIndex // IN: index of session to be processed
553 // This function computes the HMAC for an authorization session in a command.
557 UINT32 sessionIndex, // IN: index of session to be processed
571 SESSION *session;
577 // If this is the first session (sessionIndex = 0) and it is an authorization
578 // session that uses an HMAC, then check if additional session nonces are to be
583 // If there is a decrypt session and if this is not the decrypt session,
588 // Will add the nonce for the decrypt session.
589 SESSION *decryptSession
593 // Now repeat for the encrypt session.
599 // Have to have the nonce for the encrypt session.
600 SESSION *encryptSession
606 session = SessionGet(s_sessionHandles[sessionIndex]);
608 MemoryCopy2B(&key.b, &session->sessionKey.b, sizeof(key.t.buffer));
609 // Check if the session has an associated handle and if the associated entity
610 // is the one to which the session is bound. If not, add the authValue of
612 // If the session is bound to the object or the session is a policy session
614 // Note: For a policy session, its isBound attribute is CLEARED.
615 // If the session isn't used for authorization, then there is no auth value
619 // used for auth so see if this is a policy session with authValue needed
620 // or an hmac session that is not bound
622 && (session->attributes.isAuthValueNeeded == SET))
624 && !IsSessionBindEntity(s_associatedHandles[sessionIndex], session))
642 hmac->t.size = CryptStartHMAC2B(session->authHashAlg, &key.b, &hmacState);
648 CryptUpdateDigest2B(&hmacState, &session->nonceTPM.b);
649 // If needed, add nonceTPM for decrypt session
652 // If needed, add nonceTPM for encrypt session
669 // This function checks the HMAC of in a session. It uses ComputeCommandHMAC() to compute the
670 // expected HMAC value and then compares the result with the HMAC in the authorization session. The
682 UINT32 sessionIndex, // IN: index of session to be processed
692 // If an HMAC session has a failure, invoke the anti-hammering
693 // if it applies to the authorized entity or the session.
703 // This function is used to validate the authorization in a policy session. This function performs the following
705 // a) compare policyDigest in session with authPolicy associated with the entity to be authorized;
717 // TPM_RC_POLICY_FAIL policy session fails
720 // TPM_RC_EXPIRED policy session has expired
727 UINT32 sessionIndex, // IN: index of session to be processed
730 // session
731 TPM2B_DIGEST *nameHash // IN: nameHash using the session algorithm
735 SESSION *session;
739 // Initialize pointer to the auth session.
740 session = SessionGet(s_sessionHandles[sessionIndex]);
744 && session->attributes.isPasswordNeeded == CLEAR
745 && session->attributes.isAuthValueNeeded == CLEAR)
747 // See if the PCR counter for the session is still valid.
754 if(!Memory2BEqual(&session->u2.policyDigest.b, &authPolicy.b))
758 if(policyAlg != session->authHashAlg)
761 if(session->timeOut != 0)
768 if(session->timeOut < go.clock)
772 if(session->commandCode != 0)
774 if(session->commandCode != commandCode)
779 // If command requires a DUP or ADMIN authorization, the session must have
791 TPMA_LOCALITY_Marshal(&session->commandLocality, &buffer, &bufferSize);
818 if( session->attributes.isPPRequired == SET
823 if(session->u1.cpHash.b.size != 0)
825 if(session->attributes.iscpHashDefined)
828 if(!Memory2BEqual(&session->u1.cpHash.b, &cpHash->b))
835 if(!Memory2BEqual(&session->u1.cpHash.b, &nameHash->b))
839 if(session->attributes.checkNvWritten)
849 != (session->attributes.nvWrittenState == SET))
858 // This function will unmarshal the sessions in the session area of a command. The values are placed in the
871 BYTE *sessionBuffer, // IN: pointer to the session buffer
872 INT32 bufferSize // IN: size of the session buffer
878 SESSION *session;
886 // error with a session number that is larger than the number of allowed
890 // make sure that the associated handle for each session starts out
893 // First parameter: Session handle.
915 // A PWAP session needs additional processing.
930 // Find out if the session is loaded.
934 session = SessionGet(s_sessionHandles[sessionIndex]);
935 // Check if the session is an HMAC/policy session.
936 if( ( session->attributes.isPolicy == SET
939 || ( session->attributes.isPolicy == CLEAR
950 // If the session is used for parameter encryption or audit as well, set
958 // Encrypt attribute can only appear in one session
961 // Can't decrypt if the session's symmetric algorithm is TPM_ALG_NULL
962 if(session->symmetric.algorithm == TPM_ALG_NULL)
964 // All checks passed, so set the index for the session used to decrypt
974 // Encrypt attribute can only appear in one session.
977 // Can't encrypt if the session's symmetric algorithm is TPM_ALG_NULL
978 if(session->symmetric.algorithm == TPM_ALG_NULL)
980 // All checks passed, so set the index for the session used to encrypt
987 // Audit attribute can only appear in one session.
990 // An audit session can not be policy session.
994 // If this is a reset of the audit session, or the first use
995 // of the session as an audit session, it doesn't matter what
996 // the exclusive state is. The session will become exclusive.
998 && session->attributes.isAudit == SET)
1001 // session must be the current exclusive session.
1081 // This function checks that the authorization session properly authorizes the use of the associated handle.
1089 // policy session)
1091 // policy session)
1092 // TPM_RC_POLICY_FAIL if policy session fails
1094 // TPM_RC_EXPIRED the policy session has expired
1101 UINT32 sessionIndex, // IN: index of session to be processed
1108 SESSION *session = NULL;
1114 session = SessionGet(sessionHandle);
1115 pAssert(sessionHandleType != TPM_HT_POLICY_SESSION || session != NULL);
1116 // If the authorization session is not a policy session, or if the policy
1117 // session requires authorization, then check lockout.
1119 || session->attributes.isAuthValueNeeded
1120 || session->attributes.isPasswordNeeded)
1142 // If a policy session is required, make sure that it is being used.
1154 // If this is a policy session, ...
1160 // ... and check the policy session.
1174 // At this point, the session must be either a policy or an HMAC session.
1175 session = SessionGet(s_sessionHandles[sessionIndex]);
1177 && session->attributes.isPasswordNeeded == SET)
1179 // For policy session that requires a password, check it as PWAP session.
1237 // This function is the entry function for command session processing. It iterates sessions in session area
1238 // and reports if the required authorization has been properly provided. It also processes audit session and
1250 BYTE *sessionBufferStart, // IN: start of session buffer
1251 UINT32 sessionBufferSize, // IN: size of session buffer
1261 SESSION *session;
1266 // Check if a command allows any session in its session area.
1279 // Associate the session with an authorization handle.
1284 // If the received session number is less than the number of handle
1290 // Record the handle associated with the authorization session
1298 // PW session must be an authorization session
1306 session = SessionGet(s_sessionHandles[sessionIndex]);
1307 // A trial session can not appear in session area, because it cannot
1309 if(session->attributes.isTrialPolicy == SET)
1311 // See if the session is bound to a DA protected entity
1312 // NOTE: Since a policy session is never bound, a policy is still
1315 if(session->attributes.isDaBound == SET)
1317 result = CheckLockedOut(session->attributes.isLockoutBound == SET);
1322 if(cpHashAlg != session->authHashAlg) // different so compute
1324 cpHashAlg = session->authHashAlg; // save this new algID
1325 ComputeCpHash(session->authHashAlg, commandCode, handleNum,
1329 // If this session is for auditing, save the cpHash.
1333 // if the session has an associated handle, check the auth
1344 // a session that is not for authorization must either be encrypt,
1362 return result; // No session number to reference
1365 // in session processing.
1366 // If the encrypt session is associated with a handle and the handle's
1368 // generate encryption key, no matter if the handle is the session bound entity
1404 // Function to process a command with no session associated. The function makes sure all the handles in
1442 // Response Session Processing
1446 // The following functions build the session area in a response, and handle the audit sessions (if present).
1451 // HMAC authorization session and the return code is TPM_RC_SUCCESS.
1480 // This function initializes the audit data in an audit session.
1484 SESSION *session // session to be initialized
1487 // Mark session as an audit session.
1488 session->attributes.isAudit = SET;
1489 // Audit session can not be bound.
1490 session->attributes.isBound = CLEAR;
1491 // Size of the audit log is the size of session hash algorithm digest.
1492 session->u2.auditDigest.t.size = CryptGetHashDigestSize(session->authHashAlg);
1494 MemorySet(&session->u2.auditDigest.t.buffer,
1496 session->u2.auditDigest.t.size);
1503 // This function updates the audit digest in an audit session.
1507 SESSION *auditSession, // IN: loaded audit session
1598 // Function to update the internal audit related states of a session. It
1599 // a) initializes the session as audit session and sets it to be exclusive if this is the first time it is used for
1601 // b) reports exclusive audit session;
1603 // d) clears exclusive audit session if no audit session found in the command.
1617 SESSION *session;
1618 // PW session do not have a loaded session and can not be an audit
1619 // session either. Skip it.
1621 session = SessionGet(s_sessionHandles[i]);
1622 // If a session is used for audit
1625 // An audit session has been found
1627 // If the session has not been an audit session yet, or
1629 // it to be the exclusive session
1630 if( session->attributes.isAudit == CLEAR
1634 InitAuditSession(session);
1639 // Check if the audit session is the current exclusive audit
1640 // session and, if not, clear previous exclusive audit session.
1644 // Report audit session exclusivity.
1654 Audit(session, commandCode, resParmBufferSize, resParmBuffer);
1657 // If no audit session is found in the command, and the command allows
1658 // a session then, clear the current exclusive
1659 // audit session.
1670 // Function to compute HMAC for authorization session in a response.
1674 UINT32 sessionIndex, // IN: session index to be processed
1675 SESSION *session, // IN: loaded session
1693 ComputeRpHash(session->authHashAlg, commandCode, resParmBufferSize,
1696 MemoryCopy2B(&key.b, &session->sessionKey.b, sizeof(key.t.buffer));
1697 // Check if the session has an associated handle and the associated entity is
1698 // the one that the session is bound to.
1703 && session->attributes.isAuthValueNeeded == CLEAR)
1704 && !session->attributes.requestWasBound)
1711 // if the HMAC key size for a policy session is 0, the response HMAC is
1721 hmac->t.size = CryptStartHMAC2B(session->authHashAlg, &key.b, &hmacState);
1726 // Add session attributes.
1739 // Function to compute response for an authorization session.
1743 UINT32 sessionIndex, // IN: session index to be processed
1758 // Fill in policy/HMAC based session response.
1759 SESSION *session = SessionGet(s_sessionHandles[sessionIndex]);
1760 // If the session is a policy session with isPasswordNeeded SET, the auth
1763 && session->attributes.isPasswordNeeded == SET)
1768 session,
1770 &session->nonceTPM,
1781 // Updates TPM nonce in both internal session or response if applicable.
1793 SESSION *session;
1794 // For PW session, nonce is 0.
1800 session = SessionGet(s_sessionHandles[i]);
1801 // Update nonceTPM in both internal session and response.
1802 CryptGenerateRandom(session->nonceTPM.t.size, session->nonceTPM.t.buffer);
1803 nonces[i] = session->nonceTPM;
1814 // a) Restarts session time, and
1815 // b) Clears a policy session since nonce is rolling.
1825 // For PW session, no update.
1829 // Close internal session.
1834 // If nonce is rolling in a policy session, the policy related data
1838 SESSION *session = SessionGet(s_sessionHandles[i]);
1840 // policy session.
1841 SessionResetPolicyData(session);
1842 session->startTime = go.clock;
1852 // Function to build Session buffer in a response.
1860 UINT32 *resSessionSize // OUT: response session area
1876 // Session nonce should be updated before parameter encryption
1882 // If the encrypt session is associated with a handle, the authValue of
1884 // encryption key, no matter if the handle is the session bound entity
1913 // Audit session should be updated first regardless of the tag.
1914 // A command with no session may trigger a change of the exclusivity state.
1925 // Iterate over each session in the command session area, and create
1935 // Make sure that continueSession is SET on any Password session.
1962 // Process command with no session.
