// This file was extracted from the TCG Published
// Trusted Platform Module Library
// Part 3: Commands
// Family "2.0"
// Level 00 Revision 01.16
// October 30, 2014

#include "InternalRoutines.h"
#include "PolicySecret_fp.h"
#include "Policy_spt_fp.h"
//
//
//     Error Returns                 Meaning
//
//     TPM_RC_CPHASH                 cpHash for policy was previously set to a value that is not the same
//                                   as cpHashA
//     TPM_RC_EXPIRED                expiration indicates a time in the past
//     TPM_RC_NONCE                  nonceTPM does not match the nonce associated with policySession
//     TPM_RC_SIZE                   cpHashA is not the size of a digest for the hash associated with
//                                   policySession
//     TPM_RC_VALUE                  input policyID or expiration does not match the internal data in policy
//                                   session
//
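// Action routine for TPM2_PolicySecret: folds the name of the authorizing
// entity (in->authHandle) and in->policyRef into the policy session selected
// by in->policySession. When in->expiration is negative and the session is
// not a trial session, it also returns a timeout and an authorization ticket.
//
// Returns TPM_RC_SUCCESS, or the code reported by PolicyParameterChecks()
// when validation of a non-trial session fails.
//
// NOTE(review): nothing in this routine checks the authorization value of
// in->authHandle, and the pointer returned by SessionGet() is dereferenced
// without a NULL check. Presumably the command dispatcher has already
// authorized authHandle and validated the policySession handle before this
// action is invoked -- confirm against the caller.
TPM_RC
TPM2_PolicySecret(
   PolicySecret_In    *in,                 // IN: input parameter list
   PolicySecret_Out   *out                 // OUT: output parameter list
   )
{
   TPM_RC                  result;
   SESSION                *session;
   TPM2B_NAME              entityName;
   // Magnitude of the signed expiration. The negation is done on the unsigned
   // conversion so that the most negative input does not trigger signed
   // overflow (undefined behavior) the way -(in->expiration) would.
   UINT32                  expiration = (in->expiration < 0)
                                        ? ((UINT32)0 - (UINT32)in->expiration)
                                        : (UINT32)in->expiration;
   UINT64                  authTimeout = 0;

// Input Validation

   // Get pointer to the session structure
   session = SessionGet(in->policySession);

   // Only do input validation if this is not a trial policy session.
   // For a trial session authTimeout stays 0.
   if(session->attributes.isTrialPolicy == CLEAR)
   {

       // Widen before scaling: with UINT32 operands the product would be
       // computed modulo 2^32, so any expiration above 4294967 would wrap
       // and yield an earlier timeout than the caller asked for.
       // Presumably this converts seconds to the unit of startTime
       // (milliseconds) -- confirm.
       if(expiration != 0)
           authTimeout = (UINT64)expiration * 1000 + session->startTime;

       result = PolicyParameterChecks(session, authTimeout,
                                       &in->cpHashA, &in->nonceTPM,
                                       RC_PolicySecret_nonceTPM,
                                       RC_PolicySecret_cpHashA,
                                       RC_PolicySecret_expiration);
       if(result != TPM_RC_SUCCESS)
           return result;
   }

// Internal Data Update
   // Need the name of the authorizing entity
   entityName.t.size = EntityGetName(in->authHandle, &entityName.t.name);

   // Update policy context with input policyRef and name of auth key
   // This value is computed even for trial sessions. Possibly update the cpHash
   PolicyContextUpdate(TPM_CC_PolicySecret, &entityName, &in->policyRef,
                       &in->cpHashA, authTimeout, session);

// Command Output

   // Create ticket and timeout buffer if in->expiration < 0 and this is not
   // a trial session.
   // NOTE: PolicyParameterChecks() makes sure that nonceTPM is present
   // when expiration is non-zero.
   if(   in->expiration < 0
      && session->attributes.isTrialPolicy == CLEAR
     )
   {
       // Generate timeout buffer. The format of output timeout buffer is
       // TPM-specific.
       // Note: can't do a direct copy because the output buffer is a byte
       // array and it may not be aligned to accept a 64-bit value. The method
       // used has the side-effect of making the returned value a big-endian,
       // 64-bit value that is byte aligned.
       out->timeout.t.size = sizeof(UINT64);
       UINT64_TO_BYTE_ARRAY(authTimeout, out->timeout.t.buffer);

       // Compute policy ticket over the same timeout, cpHashA, policyRef and
       // entity name that were applied to the session above.
       TicketComputeAuth(TPM_ST_AUTH_SECRET, EntityGetHierarchy(in->authHandle),
                         authTimeout, &in->cpHashA, &in->policyRef,
                         &entityName, &out->policyTicket);
   }
   else
   {
       // timeout buffer is null
       out->timeout.t.size = 0;

       // auth ticket is null
       out->policyTicket.tag = TPM_ST_AUTH_SECRET;
       out->policyTicket.hierarchy = TPM_RH_NULL;
       out->policyTicket.digest.t.size = 0;
   }

   return TPM_RC_SUCCESS;
}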