#2043

Committed 29 Dec 2025 06:12PM UTC coverage: 77.222% (-0.005%) from 77.227%

Build # #2043

Build Type

push

travis-ci

Committed by

web-flow

Commit Message

Merge dad4446a5 into a3917cb92

Run Details

36065 of 46703 relevant lines covered (77.22%)

101207.87 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

91.37

/src/tpm2/SessionProcess.c

/********************************************************************************/
/*                                                                                */
/*                Process the Authorization Sessions                                     */
/*                             Written by Ken Goldman                                */
/*                       IBM Thomas J. Watson Research Center                        */
/*                                                                                */
/*  Licenses and Notices                                                        */
/*                                                                                */
/*  1. Copyright Licenses:                                                        */
/*                                                                                */
/*  - Trusted Computing Group (TCG) grants to the user of the source code in        */
/*    this specification (the "Source Code") a worldwide, irrevocable,                 */
/*    nonexclusive, royalty free, copyright license to reproduce, create         */
/*    derivative works, distribute, display and perform the Source Code and        */
/*    derivative works thereof, and to grant others the rights granted herein.        */
/*                                                                                */
/*  - The TCG grants to the user of the other parts of the specification         */
/*    (other than the Source Code) the rights to reproduce, distribute,         */
/*    display, and perform the specification solely for the purpose of                 */
/*    developing products based on such documents.                                */
/*                                                                                */
/*  2. Source Code Distribution Conditions:                                        */
/*                                                                                */
/*  - Redistributions of Source Code must retain the above copyright licenses,         */
/*    this list of conditions and the following disclaimers.                        */
/*                                                                                */
/*  - Redistributions in binary form must reproduce the above copyright         */
/*    licenses, this list of conditions        and the following disclaimers in the         */
/*    documentation and/or other materials provided with the distribution.        */
/*                                                                                */
/*  3. Disclaimers:                                                                */
/*                                                                                */
/*  - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF        */
/*  LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH        */
/*  RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES)        */
/*  THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE.                */
/*  Contact TCG Administration (admin@trustedcomputinggroup.org) for                 */
/*  information on specification licensing rights available through TCG         */
/*  membership agreements.                                                        */
/*                                                                                */
/*  - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED         */
/*    WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR         */
/*    FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR                 */
/*    NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY                 */
/*    OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE.                */
/*                                                                                */
/*  - Without limitation, TCG and its members and licensors disclaim all         */
/*    liability, including liability for infringement of any proprietary         */
/*    rights, relating to use of information in this specification and to the        */
/*    implementation of this specification, and TCG disclaims all liability for        */
/*    cost of procurement of substitute goods or services, lost profits, loss         */
/*    of use, loss of data or any incidental, consequential, direct, indirect,         */
/*    or special damages, whether under contract, tort, warranty or otherwise,         */
/*    arising in any way out of use or reliance upon this specification or any         */
/*    information herein.                                                        */
/*                                                                                */
/*  (c) Copyright IBM Corp. and others, 2016 - 2023                                */
/*                                                                                */
/********************************************************************************/

//**  Introduction
// This file contains the subsystem that process the authorization sessions
// including implementation of the Dictionary Attack logic. ExecCommand() uses
// ParseSessionBuffer() to process the authorization session area of a command and
// BuildResponseSession() to create the authorization session area of a response.

//**  Includes and Data Definitions

#define SESSION_PROCESS_C

#include "Tpm.h"
#include "ACT.h"
#include "Marshal.h"

//
//**  Authorization Support Functions
//

//*** IsDAExempted()
// This function indicates if a handle is exempted from DA logic.
// A handle is exempted if it is:
//  a) a primary seed handle;
//  b) an object with noDA bit SET;
//  c) an NV Index with TPMA_NV_NO_DA bit SET; or
//  d) a PCR handle.
//
//  Return Type: BOOL
//      TRUE(1)         handle is exempted from DA logic
//      FALSE(0)        handle is not exempted from DA logic
BOOL IsDAExempted(TPM_HANDLE handle  // IN: entity handle
                  )
{
    BOOL result = FALSE;
    //
    switch(HandleGetType(handle))
        {
          case TPM_HT_PERMANENT:
            // All permanent handles, other than TPM_RH_LOCKOUT, are exempt from
            // DA protection.
            result = (handle != TPM_RH_LOCKOUT);
            break;
            // When this function is called, a persistent object will have been loaded
            // into an object slot and assigned a transient handle.
          case TPM_HT_TRANSIENT:
              {
                  TPMA_OBJECT attributes = ObjectGetPublicAttributes(handle);
                  result                 = IS_ATTRIBUTE(attributes, TPMA_OBJECT, noDA);
                  break;
              }
          case TPM_HT_NV_INDEX:
              {
                  NV_INDEX* nvIndex = NvGetIndexInfo(handle, NULL);
                  result = IS_ATTRIBUTE(nvIndex->publicArea.attributes, TPMA_NV, NO_DA);
                  break;
              }
          case TPM_HT_PCR:
            // PCRs are always exempted from DA.
            result = TRUE;
            break;
          default:
            break;
        }
    return result;
}

//*** IncrementLockout()
// This function is called after an authorization failure that involves use of
// an authValue. If the entity referenced by the handle is not exempt from DA
// protection, then the failedTries counter will be incremented.
//
//  Return Type: TPM_RC
//      TPM_RC_AUTH_FAIL    authorization failure that caused DA lockout to increment
//      TPM_RC_BAD_AUTH     authorization failure did not cause DA lockout to
//                          increment
static TPM_RC IncrementLockout(UINT32 sessionIndex)
{
    TPM_HANDLE handle        = s_associatedHandles[sessionIndex];
    TPM_HANDLE sessionHandle = s_sessionHandles[sessionIndex];
    SESSION*   session       = NULL;
    //
    // Don't increment lockout unless the handle associated with the session
    // is DA protected or the session is bound to a DA protected entity.
    if(sessionHandle == TPM_RS_PW)
        {
            if(IsDAExempted(handle))
                return TPM_RC_BAD_AUTH;
        }
    else
        {
            session = SessionGet(sessionHandle);
            // If the session is bound to lockout, then use that as the relevant
            // handle. This means that an authorization failure with a bound session
            // bound to lockoutAuth will take precedence over any other
            // lockout check
            if(session->attributes.isLockoutBound == SET)
                handle = TPM_RH_LOCKOUT;
            if(session->attributes.isDaBound == CLEAR
               && (IsDAExempted(handle) || session->attributes.includeAuth == CLEAR))
                // If the handle was changed to TPM_RH_LOCKOUT, this will not return
                // TPM_RC_BAD_AUTH
                return TPM_RC_BAD_AUTH;
        }
    if(handle == TPM_RH_LOCKOUT)
        {
            pAssert(gp.lockOutAuthEnabled == TRUE);

            // lockout is no longer enabled
            gp.lockOutAuthEnabled = FALSE;

            // For TPM_RH_LOCKOUT, if lockoutRecovery is 0, no need to update NV since
            // the lockout authorization will be reset at startup.
            if(gp.lockoutRecovery != 0)
                {
                    if(NV_IS_AVAILABLE)
                        // Update NV.
                        NV_SYNC_PERSISTENT(lockOutAuthEnabled);
                    else
                        // No NV access for now. Put the TPM in pending mode.
                        s_DAPendingOnNV = TRUE;
                }
        }
    else
        {
            if(gp.recoveryTime != 0)
                {
                    gp.failedTries++;
                    if(NV_IS_AVAILABLE)
                        // Record changes to NV. NvWrite will SET g_updateNV
                        NV_SYNC_PERSISTENT(failedTries);
                    else
                        // No NV access for now.  Put the TPM in pending mode.
                        s_DAPendingOnNV = TRUE;
                }
        }
    // Register a DA failure and reset the timers.
    DARegisterFailure(handle);

    return TPM_RC_AUTH_FAIL;
}

//*** IsSessionBindEntity()
// This function indicates if the entity associated with the handle is the entity,
// to which this session is bound. The binding would occur by making the "bind"
// parameter in TPM2_StartAuthSession() not equal to TPM_RH_NULL. The binding only
// occurs if the session is an HMAC session. The bind value is a combination of
// the Name and the authValue of the entity.
//
//  Return Type: BOOL
//      TRUE(1)         handle points to the session start entity
//      FALSE(0)        handle does not point to the session start entity
static BOOL IsSessionBindEntity(
                                TPM_HANDLE associatedHandle,  // IN: handle to be authorized
                                SESSION*   session            // IN: associated session
                                )
{
    TPM2B_NAME entity;  // The bind value for the entity
    //
    // If the session is not bound, return FALSE.
    if(session->attributes.isBound)
        {
            // Compute the bind value for the entity.
            SessionComputeBoundEntity(associatedHandle, &entity);

            // Compare to the bind value in the session.
            return MemoryEqual2B(&entity.b, &session->u1.boundEntity.b);
        }
    return FALSE;
}

//*** IsPolicySessionRequired()
// Checks if a policy session is required for a command. If a command requires
// DUP or ADMIN role authorization, then the handle that requires that role is the
// first handle in the command. This simplifies this checking. If a new command
// is created that requires multiple ADMIN role authorizations, then it will
// have to be special-cased in this function.
// A policy session is required if:
// a) the command requires the DUP role;
// b) the command requires the ADMIN role and the authorized entity
//    is an object and its adminWithPolicy bit is SET;
// c) the command requires the ADMIN role and the authorized entity
//    is a permanent handle or an NV Index; or
// d) the authorized entity is a PCR belonging to a policy group, and
//    has its policy initialized
//  Return Type: BOOL
//      TRUE(1)         policy session is required
//      FALSE(0)        policy session is not required
static BOOL IsPolicySessionRequired(COMMAND_INDEX commandIndex,  // IN: command index
                                    UINT32        sessionIndex   // IN: session index
                                    )
{
    AUTH_ROLE role = CommandAuthRole(commandIndex, sessionIndex);
    TPM_HT    type = HandleGetType(s_associatedHandles[sessionIndex]);
    //
    if(role == AUTH_DUP)
        return TRUE;
    if(role == AUTH_ADMIN)
        {
            // We allow an exception for ADMIN role in a transient object. If the object
            // allows ADMIN role actions with authorization, then policy is not
            // required. For all other cases, there is no way to override the command
            // requirement that a policy be used
            if(type == TPM_HT_TRANSIENT)
                {
                    OBJECT* object = HandleToObject(s_associatedHandles[sessionIndex]);

                    if(!IS_ATTRIBUTE(object->publicArea.objectAttributes, TPMA_OBJECT, adminWithPolicy))
                        return FALSE;
                }
            return TRUE;
        }

    if(type == TPM_HT_PCR)
        {
            if(PCRPolicyIsAvailable(s_associatedHandles[sessionIndex]))
                {
                    TPM2B_DIGEST  policy;
                    TPMI_ALG_HASH policyAlg;
                    policyAlg = PCRGetAuthPolicy(s_associatedHandles[sessionIndex], &policy);
                    if(policyAlg != TPM_ALG_NULL)
                        return TRUE;
                }
        }
    return FALSE;
}

//*** IsAuthValueAvailable()
// This function indicates if authValue is available and allowed for USER role
// authorization of an entity.
//
// This function is similar to IsAuthPolicyAvailable() except that it does not
// check the size of the authValue as IsAuthPolicyAvailable() does (a null
// authValue is a valid authorization, but a null policy is not a valid policy).
//
// This function does not check that the handle reference is valid or if the entity
// is in an enabled hierarchy. Those checks are assumed to have been performed
// during the handle unmarshaling.
//
//  Return Type: BOOL
//      TRUE(1)         authValue is available
//      FALSE(0)        authValue is not available
static BOOL IsAuthValueAvailable(TPM_HANDLE    handle,        // IN: handle of entity
                                 COMMAND_INDEX commandIndex,  // IN: command index
                                 UINT32        sessionIndex   // IN: session index
                                 )
{
    BOOL result = FALSE;
    //
    switch(HandleGetType(handle))
        {
          case TPM_HT_PERMANENT:
            switch(handle)
                {
                    // At this point hierarchy availability has already been
                    // checked so primary seed handles are always available here
                  case TPM_RH_OWNER:
                  case TPM_RH_ENDORSEMENT:
                  case TPM_RH_PLATFORM:
#if VENDOR_PERMANENT_AUTH_ENABLED == YES
                    // This vendor defined handle associated with the
                    // manufacturer's shared secret
                  case VENDOR_PERMANENT_AUTH_HANDLE:
#endif
                    // The DA checking has been performed on LockoutAuth but we
                    // bypass the DA logic if we are using lockout policy. The
                    // policy would allow execution to continue an lockoutAuth
                    // could be used, even if direct use of lockoutAuth is disabled
                  case TPM_RH_LOCKOUT:
                    // NullAuth is always available.
                  case TPM_RH_NULL:
                    result = TRUE;
                    break;

#ifndef __ACT_DISABLED        // libtpms changed
                    FOR_EACH_ACT(CASE_ACT_HANDLE)
                        {
                            // The ACT auth value is not available if the platform is disabled
                            result = g_phEnable == SET;
                            break;
                        }
#endif  // ACT_SUPPORT

                  default:
                    // Otherwise authValue is not available.
                    break;
                }
            break;
          case TPM_HT_TRANSIENT:
            // A persistent object has already been loaded and the internal
            // handle changed.
              {
                  OBJECT*     object;
                  TPMA_OBJECT attributes;
                  //
                  object     = HandleToObject(handle);
                  attributes = object->publicArea.objectAttributes;

                  // authValue is always available for a sequence object.
                  // An alternative for this is to
                  // SET_ATTRIBUTE(object->publicArea, TPMA_OBJECT, userWithAuth) when the
                  // sequence is started.
                  if(ObjectIsSequence(object))
                      {
                          result = TRUE;
                          break;
                      }
                  // authValue is available for an object if it has its sensitive
                  // portion loaded and
                  //  a) userWithAuth bit is SET, or
                  //  b) ADMIN role is required
                  if(object->attributes.publicOnly == CLEAR
                     && (IS_ATTRIBUTE(attributes, TPMA_OBJECT, userWithAuth)
                         || (CommandAuthRole(commandIndex, sessionIndex) == AUTH_ADMIN
                             && !IS_ATTRIBUTE(
                                              attributes, TPMA_OBJECT, adminWithPolicy))))
                      result = TRUE;
              }
              break;
          case TPM_HT_NV_INDEX:
            // NV Index.
              {
                  NV_REF    locator;
                  NV_INDEX* nvIndex = NvGetIndexInfo(handle, &locator);
                  TPMA_NV   nvAttributes;
                  //
                  pAssert(nvIndex != 0);

                  nvAttributes = nvIndex->publicArea.attributes;

                  if(IsWriteOperation(commandIndex))
                      {
                          // AuthWrite can't be set for a PIN index
                          if(IS_ATTRIBUTE(nvAttributes, TPMA_NV, AUTHWRITE))
                              result = TRUE;
                      }
                  else
                      {
                          // A "read" operation
                          // For a PIN Index, the authValue is available as long as the
                          // Index has been written and the pinCount is less than pinLimit
                          if(IsNvPinFailIndex(nvAttributes)
                             || IsNvPinPassIndex(nvAttributes))
                              {
                                  NV_PIN pin;
                                  if(!IS_ATTRIBUTE(nvAttributes, TPMA_NV, WRITTEN))
                                      break;  // return false
                                  // get the index values
                                  pin.intVal = NvGetUINT64Data(nvIndex, locator);
                                  if(pin.pin.pinCount < pin.pin.pinLimit)
                                      result = TRUE;
                              }
                          // For non-PIN Indexes, need to allow use of the authValue
                          else if(IS_ATTRIBUTE(nvAttributes, TPMA_NV, AUTHREAD))
                              result = TRUE;
                      }
              }
              break;
          case TPM_HT_PCR:
            // PCR handle.
            // authValue is always allowed for PCR
            result = TRUE;
            break;
          default:
            // Otherwise, authValue is not available
            break;
        }
    return result;
}

//*** IsAuthPolicyAvailable()
// This function indicates if an authPolicy is available and allowed.
//
// This function does not check that the handle reference is valid or if the entity
// is in an enabled hierarchy. Those checks are assumed to have been performed
// during the handle unmarshaling.
//
//  Return Type: BOOL
//      TRUE(1)         authPolicy is available
//      FALSE(0)        authPolicy is not available
static BOOL IsAuthPolicyAvailable(TPM_HANDLE    handle,        // IN: handle of entity
                                  COMMAND_INDEX commandIndex,  // IN: command index
                                  UINT32        sessionIndex   // IN: session index
                                  )
{
    BOOL result = FALSE;
    //
    switch(HandleGetType(handle))
        {
          case TPM_HT_PERMANENT:
            switch(handle)
                {
                    // At this point hierarchy availability has already been checked.
                  case TPM_RH_OWNER:
                    if(gp.ownerPolicy.t.size != 0)
                        result = TRUE;
                    break;
                  case TPM_RH_ENDORSEMENT:
                    if(gp.endorsementPolicy.t.size != 0)
                        result = TRUE;
                    break;
                  case TPM_RH_PLATFORM:
                    if(gc.platformPolicy.t.size != 0)
                        result = TRUE;
                    break;
#if ACT_SUPPORT || 1        // libtpms changed

#  define ACT_GET_POLICY(N)                                                \
                    case TPM_RH_ACT_##N:                                \
                      if(go.ACT_##N.authPolicy.t.size != 0)                \
                          result = TRUE;                                \
                      break;

                    FOR_EACH_ACT(ACT_GET_POLICY)
#endif  // ACT_SUPPORT

                  case TPM_RH_LOCKOUT:
                    if(gp.lockoutPolicy.t.size != 0)
                        result = TRUE;
                    break;
                  default:
                    break;
                }
            break;
          case TPM_HT_TRANSIENT:
              {
                  // Object handle.
                  // An evict object would already have been loaded and given a
                  // transient object handle by this point.
                  OBJECT* object = HandleToObject(handle);
                  // Policy authorization is not available for an object with only
                  // public portion loaded.
                  if(object->attributes.publicOnly == CLEAR)
                      {
                          // Policy authorization is always available for an object but
                          // is never available for a sequence.
                          if(!ObjectIsSequence(object))
                              result = TRUE;
                      }
                  break;
              }
          case TPM_HT_NV_INDEX:
            // An NV Index.
              {
                  NV_INDEX* nvIndex      = NvGetIndexInfo(handle, NULL);
                  TPMA_NV   nvAttributes = nvIndex->publicArea.attributes;
                  //
                  // If the policy size is not zero, check if policy can be used.
                  if(nvIndex->publicArea.authPolicy.t.size != 0)
                      {
                          // If policy session is required for this handle, always
                          // uses policy regardless of the attributes bit setting
                          if(IsPolicySessionRequired(commandIndex, sessionIndex))
                              result = TRUE;
                          // Otherwise, the presence of the policy depends on the NV
                          // attributes.
                          else if(IsWriteOperation(commandIndex))
                              {
                                  if(IS_ATTRIBUTE(nvAttributes, TPMA_NV, POLICYWRITE))
                                      result = TRUE;
                              }
                          else
                              {
                                  if(IS_ATTRIBUTE(nvAttributes, TPMA_NV, POLICYREAD))
                                      result = TRUE;
                              }
                      }
              }
              break;
          case TPM_HT_PCR:
            // PCR handle.
            if(PCRPolicyIsAvailable(handle))
                result = TRUE;
            break;
          default:
            break;
        }
    return result;
}

//**  Session Parsing Functions

//*** ClearCpRpHashes()
void ClearCpRpHashes(COMMAND* command)
{
    // The macros expand according to the implemented hash algorithms. An IDE may
    // complain that COMMAND does not contain SHA1CpHash or SHA1RpHash because of the
    // complexity of the macro expansion where the data space is defined; but, if SHA1
    // is implemented, it actually does  and the compiler is happy.
#define CLEAR_CP_HASH(HASH, Hash) command->Hash##CpHash.b.size = 0;
    FOR_EACH_HASH(CLEAR_CP_HASH)
#define CLEAR_RP_HASH(HASH, Hash) command->Hash##RpHash.b.size = 0;
        FOR_EACH_HASH(CLEAR_RP_HASH)
        }

//*** GetCpHashPointer()
// Function to get a pointer to the cpHash of the command
static TPM2B_DIGEST* GetCpHashPointer(COMMAND* command, TPMI_ALG_HASH hashAlg)
{
    TPM2B_DIGEST* retVal;
    //
    // Define the macro that will expand for each implemented algorithm in the switch
    // statement below.
#define GET_CP_HASH_POINTER(HASH, Hash)                                    \
    case ALG_##HASH##_VALUE:                                            \
      retVal = (TPM2B_DIGEST*)&command->Hash##CpHash;                    \
      break;

    switch(hashAlg)
        {
            // For each implemented hash, this will expand as defined above
            // by GET_CP_HASH_POINTER. Your IDE may complain that
            // 'struct "COMMAND" has no field "SHA1CpHash"' but the compiler says
            // it does, so...
            FOR_EACH_HASH(GET_CP_HASH_POINTER)
          default:
            retVal = NULL;
            break;
        }
    return retVal;
}

//*** GetRpHashPointer()
// Function to get a pointer to the RpHash of the command
static TPM2B_DIGEST* GetRpHashPointer(COMMAND* command, TPMI_ALG_HASH hashAlg)
{
    TPM2B_DIGEST* retVal;
    //
    // Define the macro that will expand for each implemented algorithm in the switch
    // statement below.
#define GET_RP_HASH_POINTER(HASH, Hash)                                    \
    case ALG_##HASH##_VALUE:                                            \
      retVal = (TPM2B_DIGEST*)&command->Hash##RpHash;                    \
      break;

    switch(hashAlg)
        {
            // For each implemented hash, this will expand as defined above
            // by GET_RP_HASH_POINTER. Your IDE may complain that
            // 'struct "COMMAND" has no field 'SHA1RpHash'" but the compiler says
            // it does, so...
            FOR_EACH_HASH(GET_RP_HASH_POINTER)
          default:
            retVal = NULL;
            break;
        }
    return retVal;
}

//*** ComputeCpHash()
// This function computes the cpHash as defined in Part 2 and described in Part 1.
static TPM2B_DIGEST* ComputeCpHash(COMMAND* command,  // IN: command parsing structure
                                   TPMI_ALG_HASH hashAlg  // IN: hash algorithm
                                   )
{
    UINT32        i;
    HASH_STATE    hashState;
    TPM2B_NAME    name;
    TPM2B_DIGEST* cpHash;
    //
    // cpHash = hash(commandCode [ || authName1
    //                           [ || authName2
    //                           [ || authName 3 ]]]
    //                           [ || parameters])
    // A cpHash can contain just a commandCode only if the lone session is
    // an audit session.
    // Get pointer to the hash value
    cpHash = GetCpHashPointer(command, hashAlg);
    if(cpHash->t.size == 0)
        {
            cpHash->t.size = CryptHashStart(&hashState, hashAlg);
            //  Add commandCode.
            CryptDigestUpdateInt(&hashState, sizeof(TPM_CC), command->code);
            //  Add authNames for each of the handles.
            for(i = 0; i < command->handleNum; i++)
                CryptDigestUpdate2B(&hashState,
                                    &EntityGetName(command->handles[i], &name)->b);
            //  Add the parameters.
            CryptDigestUpdate(
                              &hashState, command->parameterSize, command->parameterBuffer);
            //  Complete the hash.
            CryptHashEnd2B(&hashState, &cpHash->b);
        }
    return cpHash;
}

//*** GetCpHash()
// This function is used to access a precomputed cpHash.
static TPM2B_DIGEST* GetCpHash(COMMAND* command, TPMI_ALG_HASH hashAlg)
{
    TPM2B_DIGEST* cpHash = GetCpHashPointer(command, hashAlg);
    //
    pAssert(cpHash->t.size != 0);
    return cpHash;
}

//*** CompareTemplateHash()
// This function computes the template hash and compares it to the session
// templateHash. It is the hash of the second parameter
// assuming that the command is TPM2_Create(), TPM2_CreatePrimary(), or
// TPM2_CreateLoaded()
//  Return Type: BOOL
//      TRUE(1)         template hash equal to session->templateHash
//      FALSE(0)        template hash not equal to session->templateHash
static BOOL CompareTemplateHash(COMMAND* command,  // IN: parsing structure
                                SESSION* session   // IN: session data
                                )
{
    BYTE*        pBuffer = command->parameterBuffer;
    INT32        pSize   = command->parameterSize;
    TPM2B_DIGEST tHash;
    UINT16       size;
    //
    // Only try this for the three commands for which it is intended
    if(command->code != TPM_CC_Create && command->code != TPM_CC_CreatePrimary
#if CC_CreateLoaded
       && command->code != TPM_CC_CreateLoaded
#endif
       )
        return FALSE;
    // Assume that the first parameter is a TPM2B and unmarshal the size field
    // Note: this will not affect the parameter buffer and size in the calling
    // function.
    if(UINT16_Unmarshal(&size, &pBuffer, &pSize) != TPM_RC_SUCCESS)
        return FALSE;
    // reduce the space in the buffer.
    // NOTE: this could make pSize go negative if the parameters are not correct but
    // the unmarshaling code does not try to unmarshal if the remaining size is
    // negative.
    pSize -= size;

    // Advance the pointer
    pBuffer += size;

    // Get the size of what should be the template
    if(UINT16_Unmarshal(&size, &pBuffer, &pSize) != TPM_RC_SUCCESS)
        return FALSE;
    // See if this is reasonable
    if(size > pSize)
        return FALSE;
    // Hash the template data
    tHash.t.size = CryptHashBlock(
                                  session->authHashAlg, size, pBuffer, sizeof(tHash.t.buffer), tHash.t.buffer);
    return (MemoryEqual2B(&session->u1.templateHash.b, &tHash.b));
}

//*** CompareNameHash()
// This function computes the name hash and compares it to the nameHash in the
// session data, returning true if they are equal.
BOOL CompareNameHash(COMMAND* command,  // IN: main parsing structure
                     SESSION* session   // IN: session structure with nameHash
                     )
{
    HASH_STATE   hashState;
    TPM2B_DIGEST nameHash;
    UINT32       i;
    TPM2B_NAME   name;
    //
    nameHash.t.size = CryptHashStart(&hashState, session->authHashAlg);
    //  Add names.
    for(i = 0; i < command->handleNum; i++)
        CryptDigestUpdate2B(&hashState,
                            &EntityGetName(command->handles[i], &name)->b);
    //  Complete hash.
    CryptHashEnd2B(&hashState, &nameHash.b);
    // and compare
    return MemoryEqual(
                       session->u1.nameHash.t.buffer, nameHash.t.buffer, nameHash.t.size);
}

//*** CompareParametersHash()
// This function computes the parameters hash and compares it to the pHash in
// the session data, returning true if they are equal.
BOOL CompareParametersHash(COMMAND* command,  // IN: main parsing structure
                           SESSION* session   // IN: session structure with pHash
                           )
{
    HASH_STATE   hashState;
    TPM2B_DIGEST pHash;
    //
    pHash.t.size = CryptHashStart(&hashState, session->authHashAlg);
    //  Add commandCode.
    CryptDigestUpdateInt(&hashState, sizeof(TPM_CC), command->code);
    //  Add the parameters.
    CryptDigestUpdate(&hashState, command->parameterSize, command->parameterBuffer);
    //  Complete hash.
    CryptHashEnd2B(&hashState, &pHash.b);
    // and compare
    return MemoryEqual2B(&session->u1.pHash.b, &pHash.b);
}

//*** CheckPWAuthSession()
// This function validates the authorization provided in a PWAP session. It
// compares the input value to authValue of the authorized entity. Argument
// sessionIndex is used to get handles handle of the referenced entities from
// s_inputAuthValues[] and s_associatedHandles[].
//
//  Return Type: TPM_RC
//        TPM_RC_AUTH_FAIL          authorization fails and increments DA failure
//                                  count
//        TPM_RC_BAD_AUTH           authorization fails but DA does not apply
//
static TPM_RC CheckPWAuthSession(
                                 UINT32 sessionIndex  // IN: index of session to be processed
                                 )
{
    TPM2B_AUTH authValue;
    TPM_HANDLE associatedHandle = s_associatedHandles[sessionIndex];
    //
    // Strip trailing zeros from the password.
    MemoryRemoveTrailingZeros(&s_inputAuthValues[sessionIndex]);

    // Get the authValue with trailing zeros removed
    EntityGetAuthValue(associatedHandle, &authValue);

    // Success if the values are identical.
    if(MemoryEqual2B(&s_inputAuthValues[sessionIndex].b, &authValue.b))
        {
            return TPM_RC_SUCCESS;
        }
    else  // if the digests are not identical
        {
            // Invoke DA protection if applicable.
            return IncrementLockout(sessionIndex);
        }
}

//*** ComputeCommandHMAC()
// This function computes the HMAC for an authorization session in a command.
/*(See part 1 specification -- this tag keeps this comment from showing up in
// merged document which is probably good because this comment doesn't look right.
//      The sessionAuth value
//      authHMAC := HMACsHash((sessionKey | authValue),
//                  (pHash | nonceNewer | nonceOlder  | nonceTPMencrypt-only
//                   | nonceTPMaudit   | sessionAttributes))
// Where:
//      HMACsHash()     The HMAC algorithm using the hash algorithm specified
//                      when the session was started.
//
//      sessionKey      A value that is computed in a protocol-dependent way,
//                      using KDFa. When used in an HMAC or KDF, the size field
//                      for this value is not included.
//
//      authValue       A value that is found in the sensitive area of an entity.
//                      When used in an HMAC or KDF, the size field for this
//                      value is not included.
//
//      pHash           Hash of the command (cpHash) using the session hash.
//                      When using a pHash in an HMAC computation, only the
//                      digest is used.
//
//      nonceNewer      A value that is generated by the entity using the
//                      session. A new nonce is generated on each use of the
//                      session. For a command, this will be nonceCaller.
//                      When used in an HMAC or KDF, the size field is not used.
//
//      nonceOlder      A TPM2B_NONCE that was received the previous time the
//                      session was used. For a command, this is nonceTPM.
//                      When used in an HMAC or KDF, the size field is not used.
//
//      nonceTPMdecrypt     The nonceTPM of the decrypt session is included in
//                          the HMAC, but only in the command.
//
//      nonceTPMencrypt     The nonceTPM of the encrypt session is included in
//                          the HMAC but only in the command.
//
//      sessionAttributes   A byte indicating the attributes associated with the
//                          particular use of the session.
*/
static TPM2B_DIGEST* ComputeCommandHMAC(
                                        COMMAND*      command,       // IN: primary control structure
                                        UINT32        sessionIndex,  // IN: index of session to be processed
                                        TPM2B_DIGEST* hmac           // OUT: authorization HMAC
                                        )
{
    TPM2B_TYPE(KEY, (sizeof(AUTH_VALUE) * 2));
    TPM2B_KEY    key;
    BYTE         marshalBuffer[sizeof(TPMA_SESSION)];
    BYTE*        buffer;
    UINT32       marshalSize;
    HMAC_STATE   hmacState;
    TPM2B_NONCE* nonceDecrypt;
    TPM2B_NONCE* nonceEncrypt;
    SESSION*     session;
    //
    nonceDecrypt = NULL;
    nonceEncrypt = NULL;

    // Determine if extra nonceTPM values are going to be required.
    // If this is the first session (sessionIndex = 0) and it is an authorization
    // session that uses an HMAC, then check if additional session nonces are to be
    // included.
    if(sessionIndex == 0 && s_associatedHandles[sessionIndex] != TPM_RH_UNASSIGNED)
        {
            // If there is a decrypt session and if this is not the decrypt session,
            // then an extra nonce may be needed.
            if(s_decryptSessionIndex != UNDEFINED_INDEX
               && s_decryptSessionIndex != sessionIndex)
                {
                    // Will add the nonce for the decrypt session.
                    SESSION* decryptSession =
                        SessionGet(s_sessionHandles[s_decryptSessionIndex]);
                    nonceDecrypt = &decryptSession->nonceTPM;
                }
            // Now repeat for the encrypt session.
            if(s_encryptSessionIndex != UNDEFINED_INDEX
               && s_encryptSessionIndex != sessionIndex
               && s_encryptSessionIndex != s_decryptSessionIndex)
                {
                    // Have to have the nonce for the encrypt session.
                    SESSION* encryptSession =
                        SessionGet(s_sessionHandles[s_encryptSessionIndex]);
                    nonceEncrypt = &encryptSession->nonceTPM;
                }
        }

    // Continue with the HMAC processing.
    session = SessionGet(s_sessionHandles[sessionIndex]);

    // Generate HMAC key.
    MemoryCopy2B(&key.b, &session->sessionKey.b, sizeof(key.t.buffer));

    // Check if the session has an associated handle and if the associated entity
    // is the one to which the session is bound. If not, add the authValue of
    // this entity to the HMAC key.
    // If the session is bound to the object or the session is a policy session
    // with no authValue required, do not include the authValue in the HMAC key.
    // Note: For a policy session, its isBound attribute is CLEARED.
    //
    // Include the entity authValue if it is needed
    if(session->attributes.includeAuth == SET)
        {
            TPM2B_AUTH authValue;
            // Get the entity authValue with trailing zeros removed
            EntityGetAuthValue(s_associatedHandles[sessionIndex], &authValue);
            // add the authValue to the HMAC key
            MemoryConcat2B(&key.b, &authValue.b, sizeof(key.t.buffer));
        }
    // if the HMAC key size is 0, a NULL string HMAC is allowed
    if(key.t.size == 0 && s_inputAuthValues[sessionIndex].t.size == 0)
        {
            hmac->t.size = 0;
            return hmac;
        }
    // Start HMAC
    hmac->t.size = CryptHmacStart2B(&hmacState, session->authHashAlg, &key.b);

    //  Add cpHash
    CryptDigestUpdate2B(&hmacState.hashState,
                        &ComputeCpHash(command, session->authHashAlg)->b);
    //  Add nonces as required
    CryptDigestUpdate2B(&hmacState.hashState, &s_nonceCaller[sessionIndex].b);
    CryptDigestUpdate2B(&hmacState.hashState, &session->nonceTPM.b);
    if(nonceDecrypt != NULL)
        CryptDigestUpdate2B(&hmacState.hashState, &nonceDecrypt->b);
    if(nonceEncrypt != NULL)
        CryptDigestUpdate2B(&hmacState.hashState, &nonceEncrypt->b);
    //  Add sessionAttributes
    buffer      = marshalBuffer;
    marshalSize = TPMA_SESSION_Marshal(&(s_attributes[sessionIndex]), &buffer, NULL);
    CryptDigestUpdate(&hmacState.hashState, marshalSize, marshalBuffer);
    // Complete the HMAC computation
    CryptHmacEnd2B(&hmacState, &hmac->b);

    return hmac;
}

//*** CheckSessionHMAC()
// This function checks the HMAC of in a session. It uses ComputeCommandHMAC()
// to compute the expected HMAC value and then compares the result with the
// HMAC in the authorization session. The authorization is successful if they
// are the same.
//
// If the authorizations are not the same, IncrementLockout() is called. It will
// return TPM_RC_AUTH_FAIL if the failure caused the failureCount to increment.
// Otherwise, it will return TPM_RC_BAD_AUTH.
//
//  Return Type: TPM_RC
//      TPM_RC_AUTH_FAIL        authorization failure caused failureCount increment
//      TPM_RC_BAD_AUTH         authorization failure did not cause failureCount
//                              increment
//
static TPM_RC CheckSessionHMAC(
                               COMMAND* command,      // IN: primary control structure
                               UINT32   sessionIndex  // IN: index of session to be processed
                               )
{
    TPM2B_DIGEST hmac;  // authHMAC for comparing
    //
    // Compute authHMAC
    ComputeCommandHMAC(command, sessionIndex, &hmac);

    // Compare the input HMAC with the authHMAC computed above.
    if(!MemoryEqual2B(&s_inputAuthValues[sessionIndex].b, &hmac.b))
        {
            // If an HMAC session has a failure, invoke the anti-hammering
            // if it applies to the authorized entity or the session.
            // Otherwise, just indicate that the authorization is bad.
            return IncrementLockout(sessionIndex);
        }
    return TPM_RC_SUCCESS;
}

//*** CheckPolicyAuthSession()
//  This function is used to validate the authorization in a policy session.
//  This function performs the following comparisons to see if a policy
//  authorization is properly provided. The check are:
//  a) compare policyDigest in session with authPolicy associated with
//     the entity to be authorized;
//  b) compare timeout if applicable;
//  c) compare commandCode if applicable;
//  d) compare cpHash if applicable; and
//  e) see if PCR values have changed since computed.
//
// If all the above checks succeed, the handle is authorized.
// The order of these comparisons is not important because any failure will
// result in the same error code.
//
//  Return Type: TPM_RC
//      TPM_RC_PCR_CHANGED          PCR value is not current
//      TPM_RC_POLICY_FAIL          policy session fails
//      TPM_RC_LOCALITY             command locality is not allowed
//      TPM_RC_POLICY_CC            CC doesn't match
//      TPM_RC_EXPIRED              policy session has expired
//      TPM_RC_PP                   PP is required but not asserted
//      TPM_RC_NV_UNAVAILABLE       NV is not available for write
//      TPM_RC_NV_RATE              NV is rate limiting
static TPM_RC CheckPolicyAuthSession(
                                     COMMAND* command,      // IN: primary parsing structure
                                     UINT32   sessionIndex  // IN: index of session to be processed
                                     )
{
    SESSION*      session;
    TPM2B_DIGEST  authPolicy;
    TPMI_ALG_HASH policyAlg;
    UINT8         locality;
    //
    // Initialize pointer to the authorization session.
    session = SessionGet(s_sessionHandles[sessionIndex]);

    // If the command is TPM2_PolicySecret(), make sure that
    // either password or authValue is required
    if(command->code == TPM_CC_PolicySecret
       && session->attributes.isPasswordNeeded == CLEAR
       && session->attributes.isAuthValueNeeded == CLEAR)
        return TPM_RC_MODE;
    // See if the PCR counter for the session is still valid.
    if(!SessionPCRValueIsCurrent(session))
        return TPM_RC_PCR_CHANGED;
    // Get authPolicy.
    policyAlg = EntityGetAuthPolicy(s_associatedHandles[sessionIndex], &authPolicy);
    // Compare authPolicy.
    if(!MemoryEqual2B(&session->u2.policyDigest.b, &authPolicy.b))
        return TPM_RC_POLICY_FAIL;
    // Policy is OK so check if the other factors are correct

    // Compare policy hash algorithm.
    if(policyAlg != session->authHashAlg)
        return TPM_RC_POLICY_FAIL;

    // Compare timeout.
    if(session->timeout != 0)
        {
            // Cannot compare time if clock stop advancing.  An TPM_RC_NV_UNAVAILABLE
            // or TPM_RC_NV_RATE error may be returned here. This doesn't mean that
            // a new nonce will be created just that, because TPM time can't advance
            // we can't do time-based operations.
            RETURN_IF_NV_IS_NOT_AVAILABLE;

            if((session->timeout < g_time) || (session->epoch != g_timeEpoch))
                return TPM_RC_EXPIRED;
        }
    // If command code is provided it must match
    if(session->commandCode != 0)
        {
            if(session->commandCode != command->code)
                return TPM_RC_POLICY_CC;
        }
    else
        {
            // If command requires a DUP or ADMIN authorization, the session must have
            // command code set.
            AUTH_ROLE role = CommandAuthRole(command->index, sessionIndex);
            if(role == AUTH_ADMIN || role == AUTH_DUP)
                return TPM_RC_POLICY_FAIL;
        }
    // Check command locality.
    {
        BYTE  sessionLocality[sizeof(TPMA_LOCALITY)];
        BYTE* buffer = sessionLocality;

        // Get existing locality setting in canonical form
        sessionLocality[0] = 0;
        TPMA_LOCALITY_Marshal(&session->commandLocality, &buffer, NULL);

        // See if the locality has been set
        if(sessionLocality[0] != 0)
            {
                // If so, get the current locality
                locality = _plat__LocalityGet();
                if(locality < 5)
                    {
                        if(((sessionLocality[0] & (1 << locality)) == 0)
                           || sessionLocality[0] > 31)
                            return TPM_RC_LOCALITY;
                    }
                else if(locality > 31)
                    {
                        if(sessionLocality[0] != locality)
                            return TPM_RC_LOCALITY;
                    }
                else
                    {
                        // Could throw an assert here but a locality error is just
                        // as good. It just means that, whatever the locality is, it isn't
                        // the locality requested so...
                        return TPM_RC_LOCALITY;
                    }
            }
    }  // end of locality check
    // Check physical presence.
    if(session->attributes.isPPRequired == SET && !_plat__PhysicalPresenceAsserted())
        return TPM_RC_PP;
    // Compare cpHash/nameHash/pHash/templateHash if defined.
    if(session->u1.cpHash.b.size != 0)
        {
            BOOL OK = FALSE;
            if(session->attributes.isCpHashDefined)
                // Compare cpHash.
                OK = MemoryEqual2B(&session->u1.cpHash.b,
                                   &ComputeCpHash(command, session->authHashAlg)->b);
            else if(g_RuntimeProfile.stateFormatLevel >= 4                // libtpms added
                    && session->attributes.isNameHashDefined)
                OK = CompareNameHash(command, session);
            else if(session->attributes.isParametersHashDefined)
                OK = CompareParametersHash(command, session);
            else if(session->attributes.isTemplateHashDefined)
                OK = CompareTemplateHash(command, session);
            else if (g_RuntimeProfile.stateFormatLevel < 4)                // libtpms added: backwards compatibility
                OK = CompareNameHash(command, session);                        // libtpms added: backwards compatibility
            if(!OK)
                return TPM_RCS_POLICY_FAIL;
        }
    if(session->attributes.checkNvWritten)
        {
            NV_REF    locator;
            NV_INDEX* nvIndex;
            //
            // If this is not an NV index, the policy makes no sense so fail it.
            if(HandleGetType(s_associatedHandles[sessionIndex]) != TPM_HT_NV_INDEX)
                return TPM_RC_POLICY_FAIL;
            // Get the index data
            nvIndex = NvGetIndexInfo(s_associatedHandles[sessionIndex], &locator);

            // Make sure that the TPMA_WRITTEN_ATTRIBUTE has the desired state
            if((IS_ATTRIBUTE(nvIndex->publicArea.attributes, TPMA_NV, WRITTEN))
               != (session->attributes.nvWrittenState == SET))
                return TPM_RC_POLICY_FAIL;
        }
    return TPM_RC_SUCCESS;
}

//*** RetrieveSessionData()
// This function will unmarshal the sessions in the session area of a command. The
// values are placed in the arrays that are defined at the beginning of this file.
// The normal unmarshaling errors are possible.
//
//  Return Type: TPM_RC
//      TPM_RC_SUCCSS       unmarshaled without error
//      TPM_RC_SIZE         the number of bytes unmarshaled is not the same
//                          as the value for authorizationSize in the command
//
static TPM_RC RetrieveSessionData(
                                  COMMAND* command  // IN: main parsing structure for command
                                  )
{
    int          i;
    TPM_RC       result;
    SESSION*     session;
    TPMA_SESSION sessionAttributes;
    TPM_HT       sessionType;
    INT32        sessionIndex;
    TPM_RC       errorIndex;
    //
    s_decryptSessionIndex = UNDEFINED_INDEX;
    s_encryptSessionIndex = UNDEFINED_INDEX;
    s_auditSessionIndex   = UNDEFINED_INDEX;

    for(sessionIndex = 0; command->authSize > 0; sessionIndex++)
        {
            errorIndex = TPM_RC_S + g_rcIndex[sessionIndex];

            // If maximum allowed number of sessions has been parsed, return a size
            // error with a session number that is larger than the number of allowed
            // sessions
            if(sessionIndex == MAX_SESSION_NUM)
                return TPM_RCS_SIZE + errorIndex;
            // make sure that the associated handle for each session starts out
            // unassigned
            s_associatedHandles[sessionIndex] = TPM_RH_UNASSIGNED;

            // First parameter: Session handle.
            result = TPMI_SH_AUTH_SESSION_Unmarshal(&s_sessionHandles[sessionIndex],
                                                    &command->parameterBuffer,
                                                    &command->authSize,
                                                    TRUE);
            if(result != TPM_RC_SUCCESS)
                return result + TPM_RC_S + g_rcIndex[sessionIndex];
            // Second parameter: Nonce.
            result = TPM2B_NONCE_Unmarshal(&s_nonceCaller[sessionIndex],
                                           &command->parameterBuffer,
                                           &command->authSize);
            if(result != TPM_RC_SUCCESS)
                return result + TPM_RC_S + g_rcIndex[sessionIndex];
            // Third parameter: sessionAttributes.
            result = TPMA_SESSION_Unmarshal(&s_attributes[sessionIndex],
                                            &command->parameterBuffer,
                                            &command->authSize);
            if(result != TPM_RC_SUCCESS)
                return result + TPM_RC_S + g_rcIndex[sessionIndex];
            // Fourth parameter: authValue (PW or HMAC).
            result = TPM2B_AUTH_Unmarshal(&s_inputAuthValues[sessionIndex],
                                          &command->parameterBuffer,
                                          &command->authSize);
            if(result != TPM_RC_SUCCESS)
                return result + errorIndex;

            sessionAttributes = s_attributes[sessionIndex];
            if(s_sessionHandles[sessionIndex] == TPM_RS_PW)
                {
                    // A PWAP session needs additional processing.
                    //     Can't have any attributes set other than continueSession bit
                    if(IS_ATTRIBUTE(sessionAttributes, TPMA_SESSION, encrypt)
                       || IS_ATTRIBUTE(sessionAttributes, TPMA_SESSION, decrypt)
                       || IS_ATTRIBUTE(sessionAttributes, TPMA_SESSION, audit)
                       || IS_ATTRIBUTE(sessionAttributes, TPMA_SESSION, auditExclusive)
                       || IS_ATTRIBUTE(sessionAttributes, TPMA_SESSION, auditReset))
                        return TPM_RCS_ATTRIBUTES + errorIndex;
                    //     The nonce size must be zero.
                    if(s_nonceCaller[sessionIndex].t.size != 0)
                        return TPM_RCS_NONCE + errorIndex;
                    continue;
                }
            // For not password sessions...
            // Find out if the session is loaded.
            if(!SessionIsLoaded(s_sessionHandles[sessionIndex]))
                return TPM_RC_REFERENCE_S0 + sessionIndex;
            sessionType = HandleGetType(s_sessionHandles[sessionIndex]);
            session     = SessionGet(s_sessionHandles[sessionIndex]);

            // Check if the session is an HMAC/policy session.
            if((session->attributes.isPolicy == SET && sessionType == TPM_HT_HMAC_SESSION)
               || (session->attributes.isPolicy == CLEAR
                   && sessionType == TPM_HT_POLICY_SESSION))
                return TPM_RCS_HANDLE + errorIndex;
            // Check that this handle has not previously been used.
            for(i = 0; i < sessionIndex; i++)
                {
                    if(s_sessionHandles[i] == s_sessionHandles[sessionIndex])
                        return TPM_RCS_HANDLE + errorIndex;
                }
            // If the session is used for parameter encryption or audit as well, set
            // the corresponding Indexes.

            // First process decrypt.
            if(IS_ATTRIBUTE(sessionAttributes, TPMA_SESSION, decrypt))
                {
                    // Check if the commandCode allows command parameter encryption.
                    if(DecryptSize(command->index) == 0)
                        return TPM_RCS_ATTRIBUTES + errorIndex;
                    // Encrypt attribute can only appear in one session
                    if(s_decryptSessionIndex != UNDEFINED_INDEX)
                        return TPM_RCS_ATTRIBUTES + errorIndex;
                    // Can't decrypt if the session's symmetric algorithm is TPM_ALG_NULL
                    if(session->symmetric.algorithm == TPM_ALG_NULL)
                        return TPM_RCS_SYMMETRIC + errorIndex;
                    // All checks passed, so set the index for the session used to decrypt
                    // a command parameter.
                    s_decryptSessionIndex = sessionIndex;
                }
            // Now process encrypt.
            if(IS_ATTRIBUTE(sessionAttributes, TPMA_SESSION, encrypt))
                {
                    // Check if the commandCode allows response parameter encryption.
                    if(EncryptSize(command->index) == 0)
                        return TPM_RCS_ATTRIBUTES + errorIndex;
                    // Encrypt attribute can only appear in one session.
                    if(s_encryptSessionIndex != UNDEFINED_INDEX)
                        return TPM_RCS_ATTRIBUTES + errorIndex;
                    // Can't encrypt if the session's symmetric algorithm is TPM_ALG_NULL
                    if(session->symmetric.algorithm == TPM_ALG_NULL)
                        return TPM_RCS_SYMMETRIC + errorIndex;
                    // All checks passed, so set the index for the session used to encrypt
                    // a response parameter.
                    s_encryptSessionIndex = sessionIndex;
                }
            // At last process audit.
            if(IS_ATTRIBUTE(sessionAttributes, TPMA_SESSION, audit))
                {
                    // Audit attribute can only appear in one session.
                    if(s_auditSessionIndex != UNDEFINED_INDEX)
                        return TPM_RCS_ATTRIBUTES + errorIndex;
                    // An audit session can not be policy session.
                    if(HandleGetType(s_sessionHandles[sessionIndex]) == TPM_HT_POLICY_SESSION)
                        return TPM_RCS_ATTRIBUTES + errorIndex;
                    // If this is a reset of the audit session, or the first use
                    // of the session as an audit session, it doesn't matter what
                    // the exclusive state is. The session will become exclusive.
                    if(!IS_ATTRIBUTE(sessionAttributes, TPMA_SESSION, auditReset)
                       && session->attributes.isAudit == SET)
                        {
                            // Not first use or reset. If auditExlusive is SET, then this
                            // session must be the current exclusive session.
                            if(IS_ATTRIBUTE(sessionAttributes, TPMA_SESSION, auditExclusive)
                               && g_exclusiveAuditSession != s_sessionHandles[sessionIndex])
                                return TPM_RC_EXCLUSIVE;
                        }
                    s_auditSessionIndex = sessionIndex;
                }
            // Initialize associated handle as undefined. This will be changed when
            // the handles are processed.
            s_associatedHandles[sessionIndex] = TPM_RH_UNASSIGNED;
        }
    command->sessionNum = sessionIndex;
    return TPM_RC_SUCCESS;
}

//*** CheckLockedOut()
// This function checks to see if the TPM is in lockout. This function should only
// be called if the entity being checked is subject to DA protection. The TPM
// is in lockout if the NV is not available and a DA write is pending. Otherwise
// the TPM is locked out if checking for lockoutAuth ('lockoutAuthCheck' == TRUE)
// and use of lockoutAuth is disabled, or 'failedTries' >= 'maxTries'
//  Return Type: TPM_RC
//      TPM_RC_NV_RATE          NV is rate limiting
//      TPM_RC_NV_UNAVAILABLE   NV is not available at this time
//      TPM_RC_LOCKOUT          TPM is in lockout
static TPM_RC CheckLockedOut(
                             BOOL lockoutAuthCheck  // IN: TRUE if checking is for lockoutAuth
                             )
{
    // If NV is unavailable, and current cycle state recorded in NV is not
    // SU_NONE_VALUE, refuse to check any authorization because we would
    // not be able to handle a DA failure.
    if(!NV_IS_AVAILABLE && NV_IS_ORDERLY)
        return g_NvStatus;
    // Check if DA info needs to be updated in NV.
    if(s_DAPendingOnNV)
        {
            // If NV is accessible,
            RETURN_IF_NV_IS_NOT_AVAILABLE;

            // ... write the pending DA data and proceed.
            NV_SYNC_PERSISTENT(lockOutAuthEnabled);
            NV_SYNC_PERSISTENT(failedTries);
            s_DAPendingOnNV = FALSE;
        }
    // Lockout is in effect if checking for lockoutAuth and use of lockoutAuth
    // is disabled...
    if(lockoutAuthCheck)
        {
            if(gp.lockOutAuthEnabled == FALSE)
                return TPM_RC_LOCKOUT;
        }
    else
        {
            // ... or if the number of failed tries has been maxed out.
            if(gp.failedTries >= gp.maxTries)
                return TPM_RC_LOCKOUT;
#if USE_DA_USED
            // If the daUsed flag is not SET, then no DA validation until the
            // daUsed state is written to NV
            if(!g_daUsed)
                {
                    RETURN_IF_NV_IS_NOT_AVAILABLE;
                    g_daUsed        = TRUE;
                    gp.orderlyState = SU_DA_USED_VALUE;
                    NV_SYNC_PERSISTENT(orderlyState);
                    return TPM_RC_SUCCESS; // libtpms changed: was TPM_RC_RETRY;
                }
#endif
        }
    return TPM_RC_SUCCESS;
}

//*** CheckAuthSession()
// This function checks that the authorization session properly authorizes the
// use of the associated handle.
//
//  Return Type: TPM_RC
//      TPM_RC_LOCKOUT              entity is protected by DA and TPM is in
//                                  lockout, or TPM is locked out on NV update
//                                  pending on DA parameters
//
//      TPM_RC_PP                   Physical Presence is required but not provided
//      TPM_RC_AUTH_FAIL            HMAC or PW authorization failed
//                                  with DA side-effects (can be a policy session)
//
//      TPM_RC_BAD_AUTH             HMAC or PW authorization failed without DA
//                                  side-effects (can be a policy session)
//
//      TPM_RC_POLICY_FAIL          if policy session fails
//      TPM_RC_POLICY_CC            command code of policy was wrong
//      TPM_RC_EXPIRED              the policy session has expired
//      TPM_RC_PCR
//      TPM_RC_AUTH_UNAVAILABLE     authValue or authPolicy unavailable
static TPM_RC CheckAuthSession(
                               COMMAND* command,      // IN: primary parsing structure
                               UINT32   sessionIndex  // IN: index of session to be processed
                               )
{
    TPM_RC     result            = TPM_RC_SUCCESS;
    SESSION*   session           = NULL;
    TPM_HANDLE sessionHandle     = s_sessionHandles[sessionIndex];
    TPM_HANDLE associatedHandle  = s_associatedHandles[sessionIndex];
    TPM_HT     sessionHandleType = HandleGetType(sessionHandle);
    BOOL       authUsed;
    //
    pAssert(sessionHandle != TPM_RH_UNASSIGNED);

    // Take care of physical presence
    if(associatedHandle == TPM_RH_PLATFORM)
        {
            // If the physical presence is required for this command, check for PP
            // assertion. If it isn't asserted, no point going any further.
            if(PhysicalPresenceIsRequired(command->index)
               && !_plat__PhysicalPresenceAsserted())
                return TPM_RC_PP;
        }
    if(sessionHandle != TPM_RS_PW)
        {
            session = SessionGet(sessionHandle);

            // Set includeAuth to indicate if DA checking will be required and if the
            // authValue will be included in any HMAC.
            if(sessionHandleType == TPM_HT_POLICY_SESSION)
                {
                    // For a policy session, will check the DA status of the entity if either
                    // isAuthValueNeeded or isPasswordNeeded is SET.
                    session->attributes.includeAuth = session->attributes.isAuthValueNeeded
                                                      || session->attributes.isPasswordNeeded;
                }
            else
                {
                    // For an HMAC session, need to check unless the session
                    // is bound.
                    session->attributes.includeAuth =
                        !IsSessionBindEntity(s_associatedHandles[sessionIndex], session);
                }
            authUsed = session->attributes.includeAuth;
        }
    else
        // Password session
        authUsed = TRUE;
    // If the authorization session is going to use an authValue, then make sure
    // that access to that authValue isn't locked out.
    if(authUsed)
        {
            // See if entity is subject to lockout.
            if(!IsDAExempted(associatedHandle))
                {
                    // See if in lockout
                    result = CheckLockedOut(associatedHandle == TPM_RH_LOCKOUT);
                    if(result != TPM_RC_SUCCESS)
                        return result;
                }
        }
    // Policy or HMAC+PW?
    if(sessionHandleType != TPM_HT_POLICY_SESSION)
        {
            // for non-policy session make sure that a policy session is not required
            if(IsPolicySessionRequired(command->index, sessionIndex))
                return TPM_RC_AUTH_TYPE;
            // The authValue must be available.
            // Note: The authValue is going to be "used" even if it is an EmptyAuth.
            // and the session is bound.
            if(!IsAuthValueAvailable(associatedHandle, command->index, sessionIndex))
                return TPM_RC_AUTH_UNAVAILABLE;
        }
    else
        {
            // ... see if the entity has a policy, ...
            // Note: IsAuthPolicyAvalable will return FALSE if the sensitive area of the
            // object is not loaded
            if(!IsAuthPolicyAvailable(associatedHandle, command->index, sessionIndex))
                return TPM_RC_AUTH_UNAVAILABLE;
            // ... and check the policy session.
            result = CheckPolicyAuthSession(command, sessionIndex);
            if(result != TPM_RC_SUCCESS)
                return result;
        }
    // Check authorization according to the type
    if((TPM_RS_PW == sessionHandle) || (session->attributes.isPasswordNeeded == SET))
        result = CheckPWAuthSession(sessionIndex);
    else
        result = CheckSessionHMAC(command, sessionIndex);
    // Do processing for PIN Indexes are only three possibilities for 'result' at
    // this point: TPM_RC_SUCCESS, TPM_RC_AUTH_FAIL, and TPM_RC_BAD_AUTH.
    // For all these cases, we would have to process a PIN index if the
    // authValue of the index was used for authorization.
    if((TPM_HT_NV_INDEX == HandleGetType(associatedHandle)) && authUsed)
        {
            NV_REF    locator;
            NV_INDEX* nvIndex = NvGetIndexInfo(associatedHandle, &locator);
            NV_PIN    pinData;
            TPMA_NV   nvAttributes;
            //
            pAssert(nvIndex != NULL);
            nvAttributes = nvIndex->publicArea.attributes;
            // If this is a PIN FAIL index and the value has been written
            // then we can update the counter (increment or clear)
            if(IsNvPinFailIndex(nvAttributes)
               && IS_ATTRIBUTE(nvAttributes, TPMA_NV, WRITTEN))
                {
                    pinData.intVal = NvGetUINT64Data(nvIndex, locator);
                    if(result != TPM_RC_SUCCESS)
                        pinData.pin.pinCount++;
                    else
                        pinData.pin.pinCount = 0;
                    NvWriteUINT64Data(nvIndex, pinData.intVal);
                }
            // If this is a PIN PASS Index, increment if we have used the
            // authorization value.
            // NOTE: If the counter has already hit the limit, then we
            // would not get here because the authorization value would not
            // be available and the TPM would have returned before it gets here
            else if(IsNvPinPassIndex(nvAttributes)
                    && IS_ATTRIBUTE(nvAttributes, TPMA_NV, WRITTEN)
                    && result == TPM_RC_SUCCESS)
                {
                    // If the access is valid, then increment the use counter
                    pinData.intVal = NvGetUINT64Data(nvIndex, locator);
                    pinData.pin.pinCount++;
                    NvWriteUINT64Data(nvIndex, pinData.intVal);
                }
        }
    return result;
}

#if CC_GetCommandAuditDigest
//*** CheckCommandAudit()
// This function is called before the command is processed if audit is enabled
// for the command. It will check to see if the audit can be performed and
// will ensure that the cpHash is available for the audit.
//  Return Type: TPM_RC
//      TPM_RC_NV_UNAVAILABLE       NV is not available for write
//      TPM_RC_NV_RATE              NV is rate limiting
static TPM_RC CheckCommandAudit(COMMAND* command)
{
    // If the audit digest is clear and command audit is required, NV must be
    // available so that TPM2_GetCommandAuditDigest() is able to increment
    // audit counter. If NV is not available, the function bails out to prevent
    // the TPM from attempting an operation that would fail anyway.
    if(gr.commandAuditDigest.t.size == 0
       || GetCommandCode(command->index) == TPM_CC_GetCommandAuditDigest)
        {
            RETURN_IF_NV_IS_NOT_AVAILABLE;
        }
    // Make sure that the cpHash is computed for the algorithm
    ComputeCpHash(command, gp.auditHashAlg);
    return TPM_RC_SUCCESS;
}
#endif

//*** ParseSessionBuffer()
// This function is the entry function for command session processing.
// It iterates sessions in session area and reports if the required authorization
// has been properly provided. It also processes audit session and passes the
// information of encryption sessions to parameter encryption module.
//
//  Return Type: TPM_RC
//        various           parsing failure or authorization failure
//
TPM_RC
ParseSessionBuffer(COMMAND* command  // IN: the structure that contains
                   )
{
    TPM_RC     result;
    UINT32     i;
    INT32      size = 0;
    TPM2B_AUTH extraKey;
    UINT32     sessionIndex;
    TPM_RC     errorIndex;
    SESSION*   session = NULL;
    //
    // Check if a command allows any session in its session area.
    if(!IsSessionAllowed(command->index))
        return TPM_RC_AUTH_CONTEXT;
    // Default-initialization.
    command->sessionNum = 0;

    result              = RetrieveSessionData(command);
    if(result != TPM_RC_SUCCESS)
        return result;
    // There is no command in the TPM spec that has more handles than
    // MAX_SESSION_NUM.
    pAssert(command->handleNum <= MAX_SESSION_NUM);

    // Associate the session with an authorization handle.
    for(i = 0; i < command->handleNum; i++)
        {
            if(CommandAuthRole(command->index, i) != AUTH_NONE)
                {
                    // If the received session number is less than the number of handles
                    // that requires authorization, an error should be returned.
                    // Note: for all the TPM 2.0 commands, handles requiring
                    // authorization come first in a command input and there are only ever
                    // two values requiring authorization
                    if(command->sessionNum == 0)                // libtpms added begin (Coverity 1550499)
                        return TPM_RC_AUTH_MISSING;                // libtpms added end
                    if(i > (command->sessionNum - 1))
                        return TPM_RC_AUTH_MISSING;
                    // Record the handle associated with the authorization session
                    s_associatedHandles[i] = HierarchyNormalizeHandle(command->handles[i]);
                }
        }
    // Consistency checks are done first to avoid authorization failure when the
    // command will not be executed anyway.
    for(sessionIndex = 0; sessionIndex < command->sessionNum; sessionIndex++)
        {
            errorIndex = TPM_RC_S + g_rcIndex[sessionIndex];
            // PW session must be an authorization session
            if(s_sessionHandles[sessionIndex] == TPM_RS_PW)
                {
                    if(s_associatedHandles[sessionIndex] == TPM_RH_UNASSIGNED)
                        return TPM_RCS_HANDLE + errorIndex;
                    // a password session can't be audit, encrypt or decrypt
                    if(IS_ATTRIBUTE(s_attributes[sessionIndex], TPMA_SESSION, audit)
                       || IS_ATTRIBUTE(s_attributes[sessionIndex], TPMA_SESSION, encrypt)
                       || IS_ATTRIBUTE(s_attributes[sessionIndex], TPMA_SESSION, decrypt))
                        return TPM_RCS_ATTRIBUTES + errorIndex;
                    session = NULL;
                }
            else
                {
                    session = SessionGet(s_sessionHandles[sessionIndex]);

                    // A trial session can not appear in session area, because it cannot
                    // be used for authorization, audit or encrypt/decrypt.
                    if(session->attributes.isTrialPolicy == SET)
                        return TPM_RCS_ATTRIBUTES + errorIndex;

                    // See if the session is bound to a DA protected entity
                    // NOTE: Since a policy session is never bound, a policy is still
                    // usable even if the object is DA protected and the TPM is in
                    // lockout.
                    if(session->attributes.isDaBound == SET)
                        {
                            result = CheckLockedOut(session->attributes.isLockoutBound == SET);
                            if(result != TPM_RC_SUCCESS)
                                return result;
                        }
                    // If this session is for auditing, make sure the cpHash is computed.
                    if(IS_ATTRIBUTE(s_attributes[sessionIndex], TPMA_SESSION, audit))
                        ComputeCpHash(command, session->authHashAlg);
                }

            // if the session has an associated handle, check the authorization
            if(s_associatedHandles[sessionIndex] != TPM_RH_UNASSIGNED)
                {
                    result = CheckAuthSession(command, sessionIndex);
                    if(result != TPM_RC_SUCCESS)
                        return RcSafeAddToResult(result, errorIndex);
                }
            else
                {
                    // a session that is not for authorization must either be encrypt,
                    // decrypt, or audit
                    if(!IS_ATTRIBUTE(s_attributes[sessionIndex], TPMA_SESSION, audit)
                       && !IS_ATTRIBUTE(s_attributes[sessionIndex], TPMA_SESSION, encrypt)
                       && !IS_ATTRIBUTE(s_attributes[sessionIndex], TPMA_SESSION, decrypt))
                        return TPM_RCS_ATTRIBUTES + errorIndex;

                    // no authValue included in any of the HMAC computations
                    pAssert(session != NULL);
                    session->attributes.includeAuth = CLEAR;

                    // check HMAC for encrypt/decrypt/audit only sessions
                    result = CheckSessionHMAC(command, sessionIndex);
                    if(result != TPM_RC_SUCCESS)
                        return RcSafeAddToResult(result, errorIndex);
                }
        }
#if CC_GetCommandAuditDigest
    // Check if the command should be audited. Need to do this before any parameter
    // encryption so that the cpHash for the audit is correct
    if(CommandAuditIsRequired(command->index))
        {
            result = CheckCommandAudit(command);
            if(result != TPM_RC_SUCCESS)
                return result;  // No session number to reference
        }
#endif
    // Decrypt the first parameter if applicable. This should be the last operation
    // in session processing.
    // If the encrypt session is associated with a handle and the handle's
    // authValue is available, then authValue is concatenated with sessionKey to
    // generate encryption key, no matter if the handle is the session bound entity
    // or not.
    if(s_decryptSessionIndex != UNDEFINED_INDEX)
        {
            // If this is an authorization session, include the authValue in the
            // generation of the decryption key
            if(s_associatedHandles[s_decryptSessionIndex] != TPM_RH_UNASSIGNED)
                {
                    EntityGetAuthValue(s_associatedHandles[s_decryptSessionIndex], &extraKey);
                }
            else
                {
                    extraKey.b.size = 0;
                }
            size   = DecryptSize(command->index);
            result = CryptParameterDecryption(s_sessionHandles[s_decryptSessionIndex],
                                              &s_nonceCaller[s_decryptSessionIndex].b,
                                              command->parameterSize,
                                              (UINT16)size,
                                              &extraKey,
                                              command->parameterBuffer);
            if(result != TPM_RC_SUCCESS)
                return RcSafeAddToResult(result,
                                         TPM_RC_S + g_rcIndex[s_decryptSessionIndex]);
        }

    return TPM_RC_SUCCESS;
}

//*** CheckAuthNoSession()
// Function to process a command with no session associated.
// The function makes sure all the handles in the command require no authorization.
//
//  Return Type: TPM_RC
//      TPM_RC_AUTH_MISSING         failure - one or more handles require
//                                  authorization
TPM_RC
CheckAuthNoSession(COMMAND* command  // IN: command parsing structure
                   )
{
    UINT32 i;
#if CC_GetCommandAuditDigest
    TPM_RC result = TPM_RC_SUCCESS;
#endif
    //
    // Check if the command requires authorization
    for(i = 0; i < command->handleNum; i++)
        {
            if(CommandAuthRole(command->index, i) != AUTH_NONE)
                return TPM_RC_AUTH_MISSING;
        }
#if CC_GetCommandAuditDigest
    // Check if the command should be audited.
    if(CommandAuditIsRequired(command->index))
        {
            result = CheckCommandAudit(command);
            if(result != TPM_RC_SUCCESS)
                return result;
        }
#endif
    // Initialize number of sessions to be 0
    command->sessionNum = 0;

    return TPM_RC_SUCCESS;
}

//** Response Session Processing
//*** Introduction
//
//  The following functions build the session area in a response and handle
//  the audit sessions (if present).
//

//*** ComputeRpHash()
// Function to compute rpHash (Response Parameter Hash). The rpHash is only
// computed if there is an HMAC authorization session and the return code is
// TPM_RC_SUCCESS.
static TPM2B_DIGEST* ComputeRpHash(
                                   COMMAND*   command,  // IN: command structure
                                   TPM_ALG_ID hashAlg   // IN: hash algorithm to compute rpHash
                                   )
{
    TPM2B_DIGEST* rpHash = GetRpHashPointer(command, hashAlg);
    HASH_STATE    hashState;
    //
    if(rpHash->t.size == 0)
        {
            //   rpHash := hash(responseCode || commandCode || parameters)

            // Initiate hash creation.
            rpHash->t.size = CryptHashStart(&hashState, hashAlg);

            // Add hash constituents.
            CryptDigestUpdateInt(&hashState, sizeof(TPM_RC), TPM_RC_SUCCESS);
            CryptDigestUpdateInt(&hashState, sizeof(TPM_CC), command->code);
            CryptDigestUpdate(
                              &hashState, command->parameterSize, command->parameterBuffer);
            // Complete hash computation.
            CryptHashEnd2B(&hashState, &rpHash->b);
        }
    return rpHash;
}

//*** InitAuditSession()
// This function initializes the audit data in an audit session.
static void InitAuditSession(SESSION* session  // session to be initialized
                             )
{
    // Mark session as an audit session.
    session->attributes.isAudit = SET;

    // Audit session can not be bound.
    session->attributes.isBound = CLEAR;

    // Size of the audit log is the size of session hash algorithm digest.
    session->u2.auditDigest.t.size = CryptHashGetDigestSize(session->authHashAlg);

    // Set the original digest value to be 0.
    MemorySet(&session->u2.auditDigest.t.buffer, 0, session->u2.auditDigest.t.size);
    return;
}

//*** UpdateAuditDigest
// Function to update an audit digest
static void UpdateAuditDigest(
                              COMMAND* command, TPMI_ALG_HASH hashAlg, TPM2B_DIGEST* digest)
{
    HASH_STATE    hashState;
    TPM2B_DIGEST* cpHash = GetCpHash(command, hashAlg);
    TPM2B_DIGEST* rpHash = ComputeRpHash(command, hashAlg);
    //
    pAssert(cpHash != NULL);

    // digestNew :=  hash (digestOld || cpHash || rpHash)
    // Start hash computation.
    digest->t.size = CryptHashStart(&hashState, hashAlg);
    // Add old digest.
    CryptDigestUpdate2B(&hashState, &digest->b);
    // Add cpHash
    CryptDigestUpdate2B(&hashState, &cpHash->b);
    // Add rpHash
    CryptDigestUpdate2B(&hashState, &rpHash->b);
    // Finalize the hash.
    CryptHashEnd2B(&hashState, &digest->b);
}

//*** Audit()
//This function updates the audit digest in an audit session.
static void Audit(COMMAND* command,      // IN: primary control structure
                  SESSION* auditSession  // IN: loaded audit session
                  )
{
    UpdateAuditDigest(
                      command, auditSession->authHashAlg, &auditSession->u2.auditDigest);
    return;
}

#if CC_GetCommandAuditDigest
//*** CommandAudit()
// This function updates the command audit digest.
static void CommandAudit(COMMAND* command  // IN:
                         )
{
    // If the digest.size is one, it indicates the special case of changing
    // the audit hash algorithm. For this case, no audit is done on exit.
    // NOTE: When the hash algorithm is changed, g_updateNV is set in order to
    // force an update to the NV on exit so that the change in digest will
    // be recorded. So, it is safe to exit here without setting any flags
    // because the digest change will be written to NV when this code exits.
    if(gr.commandAuditDigest.t.size == 1)
        {
            gr.commandAuditDigest.t.size = 0;
            return;
        }
    // If the digest size is zero, need to start a new digest and increment
    // the audit counter.
    if(gr.commandAuditDigest.t.size == 0)
        {
            gr.commandAuditDigest.t.size = CryptHashGetDigestSize(gp.auditHashAlg);
            MemorySet(gr.commandAuditDigest.t.buffer, 0, gr.commandAuditDigest.t.size);

            // Bump the counter and save its value to NV.
            gp.auditCounter++;
            NV_SYNC_PERSISTENT(auditCounter);
        }
    UpdateAuditDigest(command, gp.auditHashAlg, &gr.commandAuditDigest);
    return;
}
#endif

//*** UpdateAuditSessionStatus()
// This function updates the internal audit related states of a session. It will:
//  a) initialize the session as audit session and set it to be exclusive if this
//     is the first time it is used for audit or audit reset was requested;
//  b) report exclusive audit session;
//  c) extend audit log; and
//  d) clear exclusive audit session if no audit session found in the command.
static void UpdateAuditSessionStatus(
                                     COMMAND* command  // IN: primary control structure
                                     )
{
    UINT32     i;
    TPM_HANDLE auditSession = TPM_RH_UNASSIGNED;
    //
    // Iterate through sessions
    for(i = 0; i < command->sessionNum; i++)
        {
            SESSION* session;
            //
            // PW session do not have a loaded session and can not be an audit
            // session either.  Skip it.
            if(s_sessionHandles[i] == TPM_RS_PW)
                continue;
            session = SessionGet(s_sessionHandles[i]);

            // If a session is used for audit
            if(IS_ATTRIBUTE(s_attributes[i], TPMA_SESSION, audit))
                {
                    // An audit session has been found
                    auditSession = s_sessionHandles[i];

                    // If the session has not been an audit session yet, or
                    // the auditSetting bits indicate a reset, initialize it and set
                    // it to be the exclusive session
                    if(session->attributes.isAudit == CLEAR
                       || IS_ATTRIBUTE(s_attributes[i], TPMA_SESSION, auditReset))
                        {
                            InitAuditSession(session);
                            g_exclusiveAuditSession = auditSession;
                        }
                    else
                        {
                            // Check if the audit session is the current exclusive audit
                            // session and, if not, clear previous exclusive audit session.
                            if(g_exclusiveAuditSession != auditSession)
                                g_exclusiveAuditSession = TPM_RH_UNASSIGNED;
                        }
                    // Report audit session exclusivity.
                    if(g_exclusiveAuditSession == auditSession)
                        {
                            SET_ATTRIBUTE(s_attributes[i], TPMA_SESSION, auditExclusive);
                        }
                    else
                        {
                            CLEAR_ATTRIBUTE(s_attributes[i], TPMA_SESSION, auditExclusive);
                        }
                    // Extend audit log.
                    Audit(command, session);
                }
        }
    // If no audit session is found in the command, and the command allows
    // a session then, clear the current exclusive
    // audit session.
    if(auditSession == TPM_RH_UNASSIGNED && IsSessionAllowed(command->index))
        {
            g_exclusiveAuditSession = TPM_RH_UNASSIGNED;
        }
    return;
}

//*** ComputeResponseHMAC()
// Function to compute HMAC for authorization session in a response.
/*(See part 1 specification)
// Function: Compute HMAC for response sessions
//      The sessionAuth value
//          authHMAC := HMACsHASH((sessionAuth | authValue),
//                    (pHash | nonceTPM | nonceCaller | sessionAttributes))
//  Where:
//      HMACsHASH()     The HMAC algorithm using the hash algorithm specified when
//                      the session was started.
//
//      sessionAuth     A TPMB_MEDIUM computed in a protocol-dependent way, using
//                      KDFa. In an HMAC or KDF, only sessionAuth.buffer is used.
//
//      authValue       A TPM2B_AUTH that is found in the sensitive area of an
//                      object. In an HMAC or KDF, only authValue.buffer is used
//                      and all trailing zeros are removed.
//
//      pHash           Response parameters (rpHash) using the session hash. When
//                      using a pHash in an HMAC computation, both the algorithm ID
//                      and the digest are included.
//
//      nonceTPM        A TPM2B_NONCE that is generated by the entity using the
//                      session. In an HMAC or KDF, only nonceTPM.buffer is used.
//
//      nonceCaller     a TPM2B_NONCE that was received the previous time the
//                      session was used. In an HMAC or KDF, only
//                      nonceCaller.buffer is used.
//
//      sessionAttributes   A TPMA_SESSION that indicates the attributes associated
//                          with a particular use of the session.
*/
static void ComputeResponseHMAC(
                                COMMAND*      command,       // IN: command structure
                                UINT32        sessionIndex,  // IN: session index to be processed
                                SESSION*      session,       // IN: loaded session
                                TPM2B_DIGEST* hmac           // OUT: authHMAC
                                )
{
    TPM2B_TYPE(KEY, (sizeof(AUTH_VALUE) * 2));
    TPM2B_KEY     key;  // HMAC key
    BYTE          marshalBuffer[sizeof(TPMA_SESSION)];
    BYTE*         buffer;
    UINT32        marshalSize;
    HMAC_STATE    hmacState;
    TPM2B_DIGEST* rpHash = ComputeRpHash(command, session->authHashAlg);
    //
    // Generate HMAC key
    MemoryCopy2B(&key.b, &session->sessionKey.b, sizeof(key.t.buffer));

    // Add the object authValue if required
    if(session->attributes.includeAuth == SET)
        {
            // Note: includeAuth may be SET for a policy that is used in
            // UndefineSpaceSpecial(). At this point, the Index has been deleted
            // so the includeAuth will have no meaning. However, the
            // s_associatedHandles[] value for the session is now set to TPM_RH_NULL so
            // this will return the authValue associated with TPM_RH_NULL and that is
            // and empty buffer.
            TPM2B_AUTH authValue;
            //
            // Get the authValue with trailing zeros removed
            EntityGetAuthValue(s_associatedHandles[sessionIndex], &authValue);

            // Add it to the key
            MemoryConcat2B(&key.b, &authValue.b, sizeof(key.t.buffer));
        }

    // if the HMAC key size is 0, the response HMAC is computed according to the
    // input HMAC
    if(key.t.size == 0 && s_inputAuthValues[sessionIndex].t.size == 0)
        {
            hmac->t.size = 0;
            return;
        }
    // Start HMAC computation.
    hmac->t.size = CryptHmacStart2B(&hmacState, session->authHashAlg, &key.b);

    // Add hash components.
    CryptDigestUpdate2B(&hmacState.hashState, &rpHash->b);
    CryptDigestUpdate2B(&hmacState.hashState, &session->nonceTPM.b);
    CryptDigestUpdate2B(&hmacState.hashState, &s_nonceCaller[sessionIndex].b);

    // Add session attributes.
    buffer      = marshalBuffer;
    marshalSize = TPMA_SESSION_Marshal(&s_attributes[sessionIndex], &buffer, NULL);
    CryptDigestUpdate(&hmacState.hashState, marshalSize, marshalBuffer);

    // Finalize HMAC.
    CryptHmacEnd2B(&hmacState, &hmac->b);

    return;
}

//*** UpdateInternalSession()
// This function updates internal sessions by:
// a) restarting session time; and
// b) clearing a policy session since nonce is rolling.
static void UpdateInternalSession(SESSION* session,  // IN: the session structure
                                  UINT32   i         // IN: session number
                                  )
{
    // If nonce is rolling in a policy session, the policy related data
    // will be re-initialized.
    if(HandleGetType(s_sessionHandles[i]) == TPM_HT_POLICY_SESSION
       && IS_ATTRIBUTE(s_attributes[i], TPMA_SESSION, continueSession))
        {
            // When the nonce rolls it starts a new timing interval for the
            // policy session.
            SessionResetPolicyData(session);
            SessionSetStartTime(session);
        }
    return;
}

//*** BuildSingleResponseAuth()
//   Function to compute response HMAC value for a policy or HMAC session.
static TPM2B_NONCE* BuildSingleResponseAuth(
                                            COMMAND*    command,       // IN: command structure
                                            UINT32      sessionIndex,  // IN: session index to be processed
                                            TPM2B_AUTH* auth           // OUT: authHMAC
                                            )
{
    // Fill in policy/HMAC based session response.
    SESSION* session = SessionGet(s_sessionHandles[sessionIndex]);
    //
    // If the session is a policy session with isPasswordNeeded SET, the
    // authorization field is empty.
    if(HandleGetType(s_sessionHandles[sessionIndex]) == TPM_HT_POLICY_SESSION
       && session->attributes.isPasswordNeeded == SET)
        auth->t.size = 0;
    else
        // Compute response HMAC.
        ComputeResponseHMAC(command, sessionIndex, session, auth);

    UpdateInternalSession(session, sessionIndex);
    return &session->nonceTPM;
}

//*** UpdateAllNonceTPM()
// Updates TPM nonce for all sessions in command.
static void UpdateAllNonceTPM(COMMAND* command  // IN: controlling structure
                              )
{
    UINT32   i;
    SESSION* session;
    //
    for(i = 0; i < command->sessionNum; i++)
        {
            // If not a PW session, compute the new nonceTPM.
            if(s_sessionHandles[i] != TPM_RS_PW)
                {
                    session = SessionGet(s_sessionHandles[i]);
                    // Update nonceTPM in both internal session and response.
                    CryptRandomGenerate(session->nonceTPM.t.size, session->nonceTPM.t.buffer);
                }
        }
    return;
}

//*** BuildResponseSession()
// Function to build Session buffer in a response. The authorization data is added
// to the end of command->responseBuffer. The size of the authorization area is
// accumulated in command->authSize.
// When this is called, command->responseBuffer is pointing at the next location
// in the response buffer to be filled. This is where the authorization sessions
// will go, if any. command->parameterSize is the number of bytes that have been
// marshaled as parameters in the output buffer.
TPM_RC
BuildResponseSession(COMMAND* command  // IN: structure that has relevant command
                     //     information
                     )
{
    TPM_RC result = TPM_RC_SUCCESS;

    pAssert(command->authSize == 0);

    // Reset the parameter buffer to point to the start of the parameters so that
    // there is a starting point for any rpHash that might be generated and so there
    // is a place where parameter encryption would start
    command->parameterBuffer = command->responseBuffer - command->parameterSize;

    // Session nonces should be updated before parameter encryption
    if(command->tag == TPM_ST_SESSIONS)
        {
            UpdateAllNonceTPM(command);

            // Encrypt first parameter if applicable. Parameter encryption should
            // happen after nonce update and before any rpHash is computed.
            // If the encrypt session is associated with a handle, the authValue of
            // this handle will be concatenated with sessionKey to generate
            // encryption key, no matter if the handle is the session bound entity
            // or not. The authValue is added to sessionKey only when the authValue
            // is available.
            if(s_encryptSessionIndex != UNDEFINED_INDEX)
                {
                    UINT32     size;
                    TPM2B_AUTH extraKey;
                    //
                    extraKey.b.size = 0;
                    // If this is an authorization session, include the authValue in the
                    // generation of the encryption key
                    if(s_associatedHandles[s_encryptSessionIndex] != TPM_RH_UNASSIGNED)
                        {
                            EntityGetAuthValue(s_associatedHandles[s_encryptSessionIndex],
                                               &extraKey);
                        }
                    size = EncryptSize(command->index);
                    // This function operates on internally-generated data that is
                    // expected to be well-formed for parameter encryption.
                    // In the event that there is a bug elsewhere in the code and the
                    // input data is not well-formed, CryptParameterEncryption will
                    // put the TPM into failure mode instead of allowing the out-of-
                    // band write.
                    CryptParameterEncryption(s_sessionHandles[s_encryptSessionIndex],
                                             &s_nonceCaller[s_encryptSessionIndex].b,
                                             command->parameterSize,
                                             (UINT16)size,
                                             &extraKey,
                                             command->parameterBuffer);
                    if(g_inFailureMode)
                        {
                            result = TPM_RC_FAILURE;
                            goto Cleanup;
                        }
                }
        }
    // Audit sessions should be processed regardless of the tag because
    // a command with no session may cause a change of the exclusivity state.
    UpdateAuditSessionStatus(command);
#if CC_GetCommandAuditDigest
    // Command Audit
    if(CommandAuditIsRequired(command->index))
        CommandAudit(command);
#endif
    // Process command with sessions.
    if(command->tag == TPM_ST_SESSIONS)
        {
            UINT32 i;
            //
            pAssert(command->sessionNum > 0);

            // Iterate over each session in the command session area, and create
            // corresponding sessions for response.
            for(i = 0; i < command->sessionNum; i++)
                {
                    TPM2B_NONCE* nonceTPM;
                    TPM2B_DIGEST responseAuth;
                    // Make sure that continueSession is SET on any Password session.
                    // This makes it marginally easier for the management software
                    // to keep track of the closed sessions.
                    if(s_sessionHandles[i] == TPM_RS_PW)
                        {
                            SET_ATTRIBUTE(s_attributes[i], TPMA_SESSION, continueSession);
                            responseAuth.t.size = 0;
                            nonceTPM            = (TPM2B_NONCE*)&responseAuth;
                        }
                    else
                        {
                            // Compute the response HMAC and get a pointer to the nonce used.
                            // This function will also update the values if needed. Note, the
                            nonceTPM = BuildSingleResponseAuth(command, i, &responseAuth);
                        }
                    command->authSize +=
                        TPM2B_NONCE_Marshal(nonceTPM, &command->responseBuffer, NULL);
                    command->authSize += TPMA_SESSION_Marshal(
                                                              &s_attributes[i], &command->responseBuffer, NULL);
                    command->authSize +=
                        TPM2B_DIGEST_Marshal(&responseAuth, &command->responseBuffer, NULL);
                    if(!IS_ATTRIBUTE(s_attributes[i], TPMA_SESSION, continueSession))
                        SessionFlush(s_sessionHandles[i]);
                }
        }

 Cleanup:
    return result;
}

//*** SessionRemoveAssociationToHandle()
// This function deals with the case where an entity associated with an authorization
// is deleted during command processing. The primary use of this is to support
// UndefineSpaceSpecial().
void SessionRemoveAssociationToHandle(TPM_HANDLE handle)
{
    UINT32 i;
    //
    for(i = 0; i < MAX_SESSION_NUM; i++)
        {
            if(s_associatedHandles[i] == HierarchyNormalizeHandle(handle))
                {
                    s_associatedHandles[i] = TPM_RH_NULL;
                }
        }
}

stefanberger / libtpms / #2043

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous