AuthSession encapsulates HMAC, policy, encryption/decryption, and audit sessions, i.e. all session types that are represented by a TPM handle created by the TPM2_StartAuthSession command.
Inheritance: SessionBase
 // ReSharper disable once InconsistentNaming
 internal override TpmRc Execute(Tpm2 tpm, AuthSession authSession, PolicyTree policy)
 {
     // Issue PolicyLocality on the session with the locality recorded in this
     // assertion, then report the TPM's response code for that command.
     tpm.PolicyLocality(authSession, AllowedLocality);
     TpmRc responseCode = tpm._GetLastResponseCode();
     return responseCode;
 }
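 // ReSharper disable once InconsistentNaming
 /// <summary>
 /// This assertion is never meant to be executed as part of a running policy;
 /// reaching here is a caller error, so no TPM command is issued.
 /// </summary>
 /// <exception cref="InvalidOperationException">Always thrown. The specific
 /// standard type is used instead of the bare <c>Exception</c>; any existing
 /// <c>catch (Exception)</c> still catches it.</exception>
 internal override TpmRc Execute(Tpm2 tpm, AuthSession authSession, PolicyTree policy)
 {
     throw new InvalidOperationException("Do not include in running policies");
 }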
 // ReSharper disable once InconsistentNaming
 internal override TpmRc Execute(Tpm2 tpm, AuthSession authSession, PolicyTree policy)
 {
     // Issue PolicyNameHash on the session with the name hash stored in this
     // assertion and surface the TPM's response code for that command.
     tpm.PolicyNameHash(authSession, NameHash);
     TpmRc responseCode = tpm._GetLastResponseCode();
     return responseCode;
 }
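        /// <summary>
        /// Registers <paramref name="candidate"/> as the session that decrypts
        /// (when <paramref name="directionFlag"/> is <c>SessionAttr.Decrypt</c>)
        /// or encrypts command/response parameters, provided the session actually
        /// carries that attribute.
        /// </summary>
        /// <param name="candidate">A session supplied with the current command.</param>
        /// <param name="directionFlag"><c>SessionAttr.Decrypt</c> selects the
        /// decryption slot; any other value is treated as the encryption slot.</param>
        /// <exception cref="InvalidOperationException">Thrown, unless the behaviour
        /// is pass-through, when the session has no symmetric algorithm or when a
        /// session for the same direction was already selected.</exception>
        private void CheckParamEncSessCandidate(AuthSession candidate, SessionAttr directionFlag)
        {
            // Only sessions that carry the requested attribute are candidates.
            if (!candidate.Attrs.HasFlag(directionFlag))
            {
                return;
            }

            bool decrypt = directionFlag == SessionAttr.Decrypt;
            string direction = decrypt ? "decryption" : "encryption";

            // In pass-through mode nothing is validated here: a flagged session
            // without a symmetric algorithm is accepted and a second session for
            // the same direction silently replaces the first. The caller owns the
            // session set-up in that mode.
            if (!_Behavior.Passthrough)
            {
                if (!candidate.CanEncrypt())
                {
                    throw new InvalidOperationException(
                        string.Format("{0} session is missing symmetric algorithm",
                                      decrypt ? "Decryption" : "Encryption"));
                }
                if ((decrypt ? DecSession : EncSession) != null)
                {
                    throw new InvalidOperationException(
                        string.Format("Multiple {0} sessions", direction));
                }
            }
            if (decrypt)
            {
                DecSession = candidate;
            }
            else
            {
                EncSession = candidate;
            }
        }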
 /// <summary>
 /// Invoked by TpmPolicySecret when it needs the authorizing session and the
 /// authorized entity for a PolicySecret assertion. Forwards to the installed
 /// PolicySecretCallback. When no callback is installed, Globs.Throw is called
 /// with a diagnostic and, should it return, the out parameters receive
 /// placeholder values (empty handles, no flush).
 /// </summary>
 /// <param name="ace">The PolicySecret assertion being executed.</param>
 /// <param name="authorizingSession">Session that authorizes the entity.</param>
 /// <param name="authorizedEntityHandle">Handle of the entity whose secret is proven.</param>
 /// <param name="flushAuthEntity">Whether the caller should flush the entity afterwards.</param>
 internal void ExecutePolicySecretCallback(TpmPolicySecret ace, out SessionBase authorizingSession, out TpmHandle authorizedEntityHandle, out bool flushAuthEntity)
 {
     if (PolicySecretCallback != null)
     {
         PolicySecretCallback(this, ace, out authorizingSession, out authorizedEntityHandle, out flushAuthEntity);
         return;
     }

     Globs.Throw("No policy secret callback installed.");
     // Reached only if Globs.Throw returns; keep the out parameters definitely assigned.
     authorizingSession = new AuthSession(new TpmHandle());
     authorizedEntityHandle = new TpmHandle();
     flushAuthEntity = false;
 }
 // ReSharper disable once InconsistentNaming
 internal override TpmRc Execute(Tpm2 tpm, AuthSession authSession, PolicyTree policy)
 {
     tpm.PolicyPassword(authSession);
     // Record on the session that it carries the auth value, and carries it in
     // the clear (flag names only; the consumers of these flags live in AuthSession).
     authSession.SessIncludesAuth = true;
     authSession.PlaintextAuth = true;
     TpmRc responseCode = tpm._GetLastResponseCode();
     return responseCode;
 }
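        // ReSharper disable once InconsistentNaming
        /// <summary>
        /// Executes a PolicySigned assertion: builds the challenge (optional
        /// nonceTPM, expiration, cpHash, policyRef), signs it with the locally held
        /// SigningKey or obtains the signature from the policy's signer callback,
        /// loads the verification public key into the TPM, runs PolicySigned and
        /// stores the returned ticket and timeout in PolicyTicket and Timeout.
        /// </summary>
        /// <param name="tpm">TPM the policy is executed against.</param>
        /// <param name="authSession">Policy session the assertion is applied to.</param>
        /// <param name="policy">Owning policy tree (not used by this assertion).</param>
        /// <returns>Response code of the PolicySigned command.</returns>
        internal override TpmRc Execute(Tpm2 tpm, AuthSession authSession, PolicyTree policy)
        {
            byte[] nonceTpm = UseNonceTpm ? Globs.CopyData(authSession.NonceTpm) : new byte[0];

            var dataToSign = new Marshaller();
            dataToSign.Put(nonceTpm, "");
            ISignatureUnion signature;
            TpmHandle verificationKey;
            if (SigningKey != null)
            {
                // The library holds the private key: complete and sign the
                // challenge locally.
                dataToSign.Put(ExpirationTime, "");
                dataToSign.Put(CpHash, "");
                dataToSign.Put(PolicyRef, "");
                signature = SigningKey.Sign(dataToSign.GetBytes());
                verificationKey = tpm.LoadExternal(null, SigningKeyPub, TpmRh.Owner);
            }
            else
            {
                // No local key: the application produces the signature (and hands
                // back the public key needed to verify it) through the callback.
                TpmPublic verifier;
                signature = AssociatedPolicy.ExecuteSignerCallback(this, nonceTpm, out verifier);
                verificationKey = tpm.LoadExternal(null, verifier, TpmRh.Owner);
            }

            // From here on an object is loaded in the TPM. Flush it on every exit
            // path, including a throwing PolicySigned, so it cannot leak a slot.
            try
            {
                TkAuth policyTicket;
                Timeout = tpm.PolicySigned(verificationKey,
                                           authSession,
                                           nonceTpm,
                                           CpHash,
                                           PolicyRef,
                                           ExpirationTime,
                                           signature,
                                           out policyTicket);

                // Capture the response code before FlushContext runs (it presumably
                // becomes the "last response" otherwise).
                TpmRc responseCode = tpm._GetLastResponseCode();
                // Save the policyTicket in case it is needed later
                PolicyTicket = policyTicket;
                return responseCode;
            }
            finally
            {
                tpm.FlushContext(verificationKey);
            }
        }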
 // ReSharper disable once InconsistentNaming
 internal override TpmRc Execute(Tpm2 tpm, AuthSession authSession, PolicyTree policy)
 {
     // This assertion issues no TPM command; it unconditionally reports success.
     const TpmRc outcome = TpmRc.Success;
     return outcome;
 }
 // ReSharper disable once InconsistentNaming
 internal override TpmRc Execute(Tpm2 tpm, AuthSession authSession, PolicyTree policy)
 {
     // Hand control to the application's action callback on the owning policy.
     // No TPM command is issued here, so success is reported unconditionally.
     policy.ExecutePolicyActionCallback(this);
     const TpmRc outcome = TpmRc.Success;
     return outcome;
 }
 internal override TpmRc Execute(Tpm2 tpm, AuthSession authSession, PolicyTree policy)
 {
     // Issue PolicyAuthorizeNV with the authorization handle and NV index stored
     // in this assertion, then surface the TPM's response code.
     tpm.PolicyAuthorizeNV(AuthHandle, NvIndex, authSession);
     TpmRc responseCode = tpm._GetLastResponseCode();
     return responseCode;
 }
 // ReSharper disable once InconsistentNaming
 internal override TpmRc Execute(Tpm2 tpm, AuthSession authSession, PolicyTree policy)
 {
     // The TPM takes includeObject as a yes/no byte, hence the bool conversion.
     byte includeObject = (byte)(IncludeObjectNameInPolicyHash ? 1 : 0);
     tpm.PolicyDuplicationSelect(authSession, NameOfObject, NameOfNewParent, includeObject);
     TpmRc responseCode = tpm._GetLastResponseCode();
     return responseCode;
 }
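        // ReSharper disable once InconsistentNaming
        /// <summary>
        /// Executes a PolicyAuthorize assertion. The authorizing signature over
        /// (PolicyToReplace || PolicyRef), hashed with SigningHash, is checked with
        /// VerifySignature against the externally loaded SigningKey to obtain a
        /// TkVerified ticket; when no signature is present (e.g. a trial session)
        /// a dummy ticket is used instead. The ticket and parameters, optionally
        /// rewritten by TheParamsCallback, are then passed to PolicyAuthorize.
        /// </summary>
        /// <param name="tpm">TPM the policy is executed against.</param>
        /// <param name="authSession">Policy session the assertion is applied to.</param>
        /// <param name="policy">Owning policy tree; its AllowErrorsInPolicyEval
        /// flag makes TPM errors tolerated rather than thrown.</param>
        /// <returns>The VerifySignature response code when that command failed,
        /// otherwise the PolicyAuthorize response code.</returns>
        internal override TpmRc Execute(Tpm2 tpm, AuthSession authSession, PolicyTree policy)
        {
            byte[] dataToSign = Globs.Concatenate(PolicyToReplace, PolicyRef);
            byte[] aHash = CryptoLib.HashData(SigningHash, dataToSign);

            TpmHandle verifierHandle = tpm.LoadExternal(null, SigningKey, TpmRh.Owner);
            // The verifier key now occupies a TPM object slot; the try/finally
            // flushes it on every exit path, including a throwing VerifySignature
            // (the original flushed only on the non-throwing paths).
            try
            {
                if (policy.AllowErrorsInPolicyEval)
                {
                    tpm._AllowErrors();
                }

                // todo - fix the serialization so that we can persist the interface
                // Sig2 takes precedence over Sig1 when both are set.
                ISignatureUnion theSig = null;
                if (null != (Object)Sig1)
                {
                    theSig = Sig1;
                }
                if (null != (Object)Sig2)
                {
                    theSig = Sig2;
                }

                if (theSig != null)
                {
                    Ticket = tpm.VerifySignature(verifierHandle, aHash, theSig);
                    TpmRc intermediateError = tpm._GetLastResponseCode();
                    if (intermediateError != TpmRc.Success)
                    {
                        return intermediateError;
                    }
                }
                else
                {
                    // create a dummy ticket = e.g. for a trial session
                    Ticket = new TkVerified(TpmRh.Owner, new byte[0]);
                }
            }
            finally
            {
                tpm.FlushContext(verifierHandle);
            }

            byte[] keySign = SigningKey.GetName();
            TpmHandle policySession = authSession;
            if (TheParamsCallback != null)
            {
                // Lets the application substitute the session, digests or ticket
                // right before PolicyAuthorize is issued.
                TheParamsCallback(tpm, ref policySession, ref PolicyToReplace, ref PolicyRef, keySign, ref Ticket);
            }
            if (policy.AllowErrorsInPolicyEval)
            {
                tpm._AllowErrors();
            }
            tpm.PolicyAuthorize(policySession, PolicyToReplace, PolicyRef, keySign, Ticket);

            return tpm._GetLastResponseCode();
        }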
 // ReSharper disable once InconsistentNaming
 internal override TpmRc Execute(Tpm2 tpm, AuthSession authSession, PolicyTree policy)
 {
     // Derive the object name from the authorizing key the first time this
     // assertion runs; subsequent runs reuse the cached value.
     var objectName = ObjectName;
     if (objectName == null)
     {
         objectName = AuthorizingKey.GetName();
         ObjectName = objectName;
     }
     var authName = Marshaller.GetTpmRepresentation(objectName);
     tpm.PolicyTicket(authSession, ExpirationTime, CpHash, PolicyRef, authName, Ticket);
     return tpm._GetLastResponseCode();
 }
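        // ReSharper disable once InconsistentNaming
        /// <summary>
        /// Executes a PolicySecret assertion. When AuthVal is not set, the
        /// authorizing session and the authorized entity come from the policy's
        /// PolicySecret callback and are released afterwards (the entity only when
        /// the callback asked for it, the session unless it is the Pwap session);
        /// otherwise AuthVal authorizes AuthorityHandle directly. The returned
        /// timeout and ticket are stored in Timeout and PolicyTicket.
        /// </summary>
        /// <param name="tpm">TPM the policy is executed against.</param>
        /// <param name="authSession">Policy session the assertion is applied to.</param>
        /// <param name="policy">Owning policy tree (not used by this assertion).</param>
        /// <returns>Response code of the PolicySecret command.</returns>
        internal override TpmRc Execute(Tpm2 tpm, AuthSession authSession, PolicyTree policy)
        {
            TpmRc res;
            byte[] nonceTpm = UseNonceTpm ? Globs.CopyData(authSession.NonceTpm) : new byte[0];

            if (AuthVal == null)
            {
                SessionBase session;
                TpmHandle authorizedEntity;
                bool flushHandleOnCompletion;

                AssociatedPolicy.ExecutePolicySecretCallback(this,
                                                              out session,
                                                              out authorizedEntity,
                                                              out flushHandleOnCompletion);

                // Release the callback-supplied resources on every exit path, not
                // only when PolicySecret returns normally; a throwing call would
                // otherwise leave the entity and the session loaded in the TPM.
                try
                {
                    Timeout = tpm[session].PolicySecret(authorizedEntity,
                                                        authSession,
                                                        nonceTpm,
                                                        CpHash,
                                                        PolicyRef,
                                                        ExpirationTime,
                                                        out PolicyTicket);
                    res = tpm._GetLastResponseCode();
                }
                finally
                {
                    if (flushHandleOnCompletion)
                    {
                        tpm.FlushContext(authorizedEntity);
                    }
                    if (!(session is Pwap))
                    {
                        tpm.FlushContext(session);
                    }
                }
            }
            else
            {
                Timeout = tpm[AuthVal].PolicySecret(AuthorityHandle,
                                                    authSession,
                                                    nonceTpm,
                                                    CpHash,
                                                    PolicyRef,
                                                    ExpirationTime,
                                                    out PolicyTicket);
                res = tpm._GetLastResponseCode();
            }
            return res;
        }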
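        // ReSharper disable once InconsistentNaming
        /// <summary>
        /// Executes a PolicyNV assertion. When AuthorizationHandle is not set, the
        /// authorization handle, NV index and authorizing session come from the
        /// policy's PolicyNV callback and that session is flushed afterwards unless
        /// it is the Pwap session; otherwise NvAccessAuth authorizes the
        /// AuthorizationHandle/NvIndex pair stored in this assertion.
        /// </summary>
        /// <param name="tpm">TPM the policy is executed against.</param>
        /// <param name="authSession">Policy session the assertion is applied to.</param>
        /// <param name="policy">Owning policy tree (not used by this assertion).</param>
        /// <returns>Response code of the PolicyNV command.</returns>
        internal override TpmRc Execute(Tpm2 tpm, AuthSession authSession, PolicyTree policy)
        {
            TpmRc res;

            if (AuthorizationHandle == null)
            {
                TpmHandle nvHandle, authHandle;
                SessionBase nvAuth;
                AssociatedPolicy.ExecutePolicyNvCallback(this, out authHandle, out nvHandle, out nvAuth);

                // Flush the callback-supplied session even when PolicyNV throws,
                // so a failed comparison cannot leak a session slot.
                try
                {
                    tpm[nvAuth].PolicyNV(authHandle, nvHandle, authSession,
                                         OperandB, Offset, Operation);
                    res = tpm._GetLastResponseCode();
                }
                finally
                {
                    if (!(nvAuth is Pwap))
                    {
                        tpm.FlushContext(nvAuth);
                    }
                }
            }
            else
            {
                tpm[NvAccessAuth].PolicyNV(AuthorizationHandle, NvIndex, authSession,
                                           OperandB, Offset, Operation);
                res = tpm._GetLastResponseCode();
            }
            return res;
        }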
 // ReSharper disable once InconsistentNaming
 internal override TpmRc Execute(Tpm2 tpm, AuthSession authSession, PolicyTree policy)
 {
     // The TPM takes writtenSet as a yes/no byte, hence the bool conversion.
     byte writtenSet = (byte)(IsNvIndexRequiredToHaveBeenWritten ? 1 : 0);
     tpm.PolicyNvWritten(authSession, writtenSet);
     TpmRc responseCode = tpm._GetLastResponseCode();
     return responseCode;
 }
 // ReSharper disable once InconsistentNaming
 internal override TpmRc Execute(Tpm2 tpm, AuthSession authSession, PolicyTree policy)
 {
     // PolicyRestart resets a session rather than extending its policy, so
     // running it inside a policy is reported as a usage error. Should
     // Globs.Throw return instead of throwing, TpmRc.Policy is handed back.
     const string message = "Do not include PolicyRestart in running policies";
     Globs.Throw(message);
     return TpmRc.Policy;
 }
 // ReSharper disable once InconsistentNaming
 /// <summary>
 /// Executes this policy assertion against <paramref name="tpm"/> on
 /// <paramref name="authSession"/>. Implementations typically issue one
 /// TPM2_Policy* command and return the TPM's response code for it.
 /// </summary>
 /// <param name="tpm">TPM to issue the policy command to.</param>
 /// <param name="authSession">The policy session being run.</param>
 /// <param name="policy">The policy tree this assertion belongs to.</param>
 /// <returns>Response code of the command issued, or TpmRc.Success for
 /// assertions that do not talk to the TPM.</returns>
 internal abstract TpmRc Execute(Tpm2 tpm, AuthSession authSession, PolicyTree policy);
 // ReSharper disable once InconsistentNaming
 internal override TpmRc Execute(Tpm2 tpm, AuthSession authSession, PolicyTree policy)
 {
     // Issue PolicyPhysicalPresence on the session and surface the TPM's
     // response code for that command.
     tpm.PolicyPhysicalPresence(authSession);
     TpmRc responseCode = tpm._GetLastResponseCode();
     return responseCode;
 }
 // ReSharper disable once InconsistentNaming
 internal override TpmRc Execute(Tpm2 tpm, AuthSession authSession, PolicyTree policy)
 {
     // Collect the digests of the alternative branches, computed with the
     // policy's hash algorithm, and hand them to PolicyOR.
     var hashAlg = policy.PolicyHash.HashAlg;
     Tpm2bDigest[] branches = GetPolicyHashArray(hashAlg);
     tpm.PolicyOR(authSession, branches);
     TpmRc responseCode = tpm._GetLastResponseCode();
     return responseCode;
 }
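 /// <summary>
 /// Copies parameters associated with the session handle encapsulated in the
 /// sess argument into the sess object. These parameters are the ones passed
 /// to the StartAuthSession command. They are remembered by this Tpm2 object,
 /// until this method is called.
 /// 
 /// Note that _InitializeSession() can be used only once for the given session
 /// handle, as the associated parameters are erased from Tpm2 Object after
 /// they were copied into AuthSession object for the first time.
 /// </summary>
 /// <param name="sess">Session to initialize; left untouched when it is
 /// already initialized.</param>
 /// <returns>true if the session is (now) initialized; false if no parameters
 /// were recorded for its handle, e.g. because another Tpm2 object created it.</returns>
 internal bool _InitializeSession(AuthSession sess)
 {
     if (sess.Initialized())
     {
         return true;
     }

     AuthSession startParams;
     // Single dictionary lookup instead of ContainsKey followed by the indexer.
     if (!SessionParams.TryGetValue(sess, out startParams))
     {
         // There are no session parameters associated with the session
         // handle (e.g., when the session was created by other Tpm2 object).
         return false;
     }
     sess.Init(startParams);
     // The session key depends on the start parameters, so it is derived before
     // those parameters are forgotten below.
     sess.CalcSessionKey();
     SessionParams.Remove(sess);
     return true;
 }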
 // ReSharper disable once InconsistentNaming
 internal override TpmRc Execute(Tpm2 tpm, AuthSession policySession, PolicyTree policy)
 {
     // Digest of the selected PCR values (computed with the policy's hash
     // algorithm) plus the selection itself are what PolicyPCR expects.
     var hashAlg = policy.PolicyHash.HashAlg;
     var pcrDigest = Pcrs.GetSelectionHash(hashAlg);
     var selection = Pcrs.GetPcrSelectionArray();
     tpm.PolicyPCR(policySession, pcrDigest, selection);
     TpmRc responseCode = tpm._GetLastResponseCode();
     return responseCode;
 }
 /// <summary>
 /// Sets parameters associated with the session by copying the session type,
 /// bind object, nonces, symmetric algorithm, auth hash and auth handle from
 /// <paramref name="Params"/>. The salt is only reset when the source did not
 /// request one.
 /// </summary>
 /// <param name="Params">Session object holding the StartAuthSession parameters.</param>
 internal void Init (AuthSession Params)
 {
     AuthSession source = Params;
     SessionType = source.SessionType;
     BindObject = source.BindObject;
     NonceCaller = source.NonceCaller;
     NonceTpm = source.NonceTpm;
     Symmetric = source.Symmetric;
     AuthHash = source.AuthHash;
     AuthHandle = source.AuthHandle;
     // When salt is required, destination session will have it set directly by the user
     if (source.Salt != SaltNeeded)
     {
         Salt = null;
     }
 }
 // ReSharper disable once InconsistentNaming
 internal override TpmRc Execute(Tpm2 tpm, AuthSession policySession, PolicyTree policy)
 {
     // Issue PolicyCounterTimer with the operand, offset and comparison stored
     // in this assertion, then surface the TPM's response code.
     tpm.PolicyCounterTimer(policySession, OperandB, Offset, Operation);
     TpmRc responseCode = tpm._GetLastResponseCode();
     return responseCode;
 }
 /// <summary>
 /// Invoked by TpmPolicyNV when it needs an authorization handle, NV index and
 /// authorizing session for a PolicyNV assertion. Forwards to the installed
 /// PolicyNVCallback. When none is installed, Globs.Throw is called with a
 /// diagnostic and, should it return, the out parameters receive empty handles
 /// and a session over an empty handle.
 /// </summary>
 /// <param name="ace">The PolicyNV assertion being executed.</param>
 /// <param name="authHandle">Entity authorizing access to the NV index.</param>
 /// <param name="nvHandle">The NV index to be compared.</param>
 /// <param name="authSession">Session used to authorize authHandle.</param>
 internal void ExecutePolicyNvCallback(TpmPolicyNV ace, out TpmHandle authHandle, out TpmHandle nvHandle, out SessionBase authSession)
 {
     if (PolicyNVCallback != null)
     {
         // The callback's out-parameter order differs from this method's.
         PolicyNVCallback(this, ace, out authSession, out authHandle, out nvHandle);
         return;
     }

     Globs.Throw("No policyNV callback installed.");
     // Reached only if Globs.Throw returns; keep the out parameters definitely assigned.
     authHandle = new TpmHandle();
     nvHandle = new TpmHandle();
     authSession = new AuthSession(new TpmHandle());
 }
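        /// <summary>
        /// This sample illustrates the use of the resource manager built into 
        /// Tpm2Lib.  Using the resource manager relieves the programmer of the 
        /// (sometimes burdensome) chore of juggling a small number of TPM slots
        /// </summary>
        /// <param name="tpm">Reference to the TPM object.</param>
        static void ResourceManager(Tpm2 tpm)
        {
            //
            // The Tbs device class has a built-in resource manager. We create an
            // instance of the Tbs device class, but hook it up to the TCP device
            // created above. We also tell the Tbs device class to clean the TPM
            // before we start using it.
            // This sample won't work on top of the default Windows resource manager
            // (TBS).
            // 
            var tbs = new Tbs(tpm._GetUnderlyingDevice(), false);
            var tbsTpm = new Tpm2(tbs.CreateTbsContext());

            // Everything below talks to the TPM and may throw; the finally block
            // disposes the Tbs-backed Tpm2 object either way rather than only on
            // the happy path.
            try
            {
                //
                // Make more sessions than the TPM has room for
                // 
                const int count = 32;
                var sessions = new AuthSession[count];
                for (int j = 0; j < count; j++)
                {
                    // SHA-1 is a sample choice; pick the hash the policy actually requires.
                    sessions[j] = tbsTpm.StartAuthSessionEx(TpmSe.Policy, TpmAlgId.Sha1);
                }

                Console.WriteLine("Created {0} sessions.", count);

                //
                // And now use them. The resource manager will use ContextLoad and 
                // ContextSave to bring them into the TPM
                // 
                for (int j = 0; j < count; j++)
                {
                    tbsTpm.PolicyAuthValue(sessions[j].Handle);
                }

                Console.WriteLine("Used {0} sessions.", count);

                //
                // And now clean up
                // 
                for (int j = 0; j < count; j++)
                {
                    tbsTpm.FlushContext(sessions[j].Handle);
                }

                Console.WriteLine("Cleaned up.");
            }
            finally
            {
                //
                // Dispose of the Tbs device object.
                // 
                tbsTpm.Dispose();
            }
        }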