15679752bf24c21135884e987c4077e2f7184897Vadim Bendebury// This file was extracted from the TCG Published 25679752bf24c21135884e987c4077e2f7184897Vadim Bendebury// Trusted Platform Module Library 35679752bf24c21135884e987c4077e2f7184897Vadim Bendebury// Part 3: Commands 45679752bf24c21135884e987c4077e2f7184897Vadim Bendebury// Family "2.0" 55679752bf24c21135884e987c4077e2f7184897Vadim Bendebury// Level 00 Revision 01.16 65679752bf24c21135884e987c4077e2f7184897Vadim Bendebury// October 30, 2014 75679752bf24c21135884e987c4077e2f7184897Vadim Bendebury 85679752bf24c21135884e987c4077e2f7184897Vadim Bendebury#include "InternalRoutines.h" 95679752bf24c21135884e987c4077e2f7184897Vadim Bendebury#include "PolicyTicket_fp.h" 105679752bf24c21135884e987c4077e2f7184897Vadim Bendebury#include "Policy_spt_fp.h" 115679752bf24c21135884e987c4077e2f7184897Vadim Bendebury// 125679752bf24c21135884e987c4077e2f7184897Vadim Bendebury// 135679752bf24c21135884e987c4077e2f7184897Vadim Bendebury// Error Returns Meaning 145679752bf24c21135884e987c4077e2f7184897Vadim Bendebury// 155679752bf24c21135884e987c4077e2f7184897Vadim Bendebury// TPM_RC_CPHASH policy's cpHash was previously set to a different value 165679752bf24c21135884e987c4077e2f7184897Vadim Bendebury// TPM_RC_EXPIRED timeout value in the ticket is in the past and the ticket has expired 175679752bf24c21135884e987c4077e2f7184897Vadim Bendebury// TPM_RC_SIZE timeout or cpHash has invalid size for the 185679752bf24c21135884e987c4077e2f7184897Vadim Bendebury// TPM_RC_TICKET ticket is not valid 195679752bf24c21135884e987c4077e2f7184897Vadim Bendebury// 205679752bf24c21135884e987c4077e2f7184897Vadim BendeburyTPM_RC 215679752bf24c21135884e987c4077e2f7184897Vadim BendeburyTPM2_PolicyTicket( 225679752bf24c21135884e987c4077e2f7184897Vadim Bendebury PolicyTicket_In *in // IN: input parameter list 235679752bf24c21135884e987c4077e2f7184897Vadim Bendebury ) 245679752bf24c21135884e987c4077e2f7184897Vadim Bendebury{ 255679752bf24c21135884e987c4077e2f7184897Vadim Bendebury TPM_RC result; 265679752bf24c21135884e987c4077e2f7184897Vadim Bendebury SESSION *session; 275679752bf24c21135884e987c4077e2f7184897Vadim Bendebury UINT64 timeout; 285679752bf24c21135884e987c4077e2f7184897Vadim Bendebury TPMT_TK_AUTH ticketToCompare; 295679752bf24c21135884e987c4077e2f7184897Vadim Bendebury TPM_CC commandCode = TPM_CC_PolicySecret; 305679752bf24c21135884e987c4077e2f7184897Vadim Bendebury 315679752bf24c21135884e987c4077e2f7184897Vadim Bendebury// Input Validation 325679752bf24c21135884e987c4077e2f7184897Vadim Bendebury 335679752bf24c21135884e987c4077e2f7184897Vadim Bendebury // Get pointer to the session structure 345679752bf24c21135884e987c4077e2f7184897Vadim Bendebury session = SessionGet(in->policySession); 355679752bf24c21135884e987c4077e2f7184897Vadim Bendebury 365679752bf24c21135884e987c4077e2f7184897Vadim Bendebury // NOTE: A trial policy session is not allowed to use this command. 375679752bf24c21135884e987c4077e2f7184897Vadim Bendebury // A ticket is used in place of a previously given authorization. Since 385679752bf24c21135884e987c4077e2f7184897Vadim Bendebury // a trial policy doesn't actually authenticate, the validated 395679752bf24c21135884e987c4077e2f7184897Vadim Bendebury // ticket is not necessary and, in place of using a ticket, one 405679752bf24c21135884e987c4077e2f7184897Vadim Bendebury // should use the intended authorization for which the ticket 415679752bf24c21135884e987c4077e2f7184897Vadim Bendebury // would be a substitute. 425679752bf24c21135884e987c4077e2f7184897Vadim Bendebury if(session->attributes.isTrialPolicy) 43065e0d7552ad876e067e56dcd8cc2a8f84bd8cc4Vadim Bendebury return TPM_RC_ATTRIBUTES + RC_PolicyTicket_policySession; 445679752bf24c21135884e987c4077e2f7184897Vadim Bendebury 455679752bf24c21135884e987c4077e2f7184897Vadim Bendebury // Restore timeout data. The format of timeout buffer is TPM-specific. 465679752bf24c21135884e987c4077e2f7184897Vadim Bendebury // In this implementation, we simply copy the value of timeout to the 475679752bf24c21135884e987c4077e2f7184897Vadim Bendebury // buffer. 485679752bf24c21135884e987c4077e2f7184897Vadim Bendebury if(in->timeout.t.size != sizeof(UINT64)) 495679752bf24c21135884e987c4077e2f7184897Vadim Bendebury return TPM_RC_SIZE + RC_PolicyTicket_timeout; 505679752bf24c21135884e987c4077e2f7184897Vadim Bendebury timeout = BYTE_ARRAY_TO_UINT64(in->timeout.t.buffer); 515679752bf24c21135884e987c4077e2f7184897Vadim Bendebury 525679752bf24c21135884e987c4077e2f7184897Vadim Bendebury // Do the normal checks on the cpHashA and timeout values 535679752bf24c21135884e987c4077e2f7184897Vadim Bendebury result = PolicyParameterChecks(session, timeout, 545679752bf24c21135884e987c4077e2f7184897Vadim Bendebury &in->cpHashA, NULL, 555679752bf24c21135884e987c4077e2f7184897Vadim Bendebury 0, // no bad nonce return 565679752bf24c21135884e987c4077e2f7184897Vadim Bendebury RC_PolicyTicket_cpHashA, 575679752bf24c21135884e987c4077e2f7184897Vadim Bendebury RC_PolicyTicket_timeout); 585679752bf24c21135884e987c4077e2f7184897Vadim Bendebury if(result != TPM_RC_SUCCESS) 595679752bf24c21135884e987c4077e2f7184897Vadim Bendebury return result; 605679752bf24c21135884e987c4077e2f7184897Vadim Bendebury 615679752bf24c21135884e987c4077e2f7184897Vadim Bendebury // Validate Ticket 625679752bf24c21135884e987c4077e2f7184897Vadim Bendebury // Re-generate policy ticket by input parameters 635679752bf24c21135884e987c4077e2f7184897Vadim Bendebury TicketComputeAuth(in->ticket.tag, in->ticket.hierarchy, timeout, &in->cpHashA, 645679752bf24c21135884e987c4077e2f7184897Vadim Bendebury &in->policyRef, &in->authName, &ticketToCompare); 655679752bf24c21135884e987c4077e2f7184897Vadim Bendebury 665679752bf24c21135884e987c4077e2f7184897Vadim Bendebury // Compare generated digest with input ticket digest 675679752bf24c21135884e987c4077e2f7184897Vadim Bendebury if(!Memory2BEqual(&in->ticket.digest.b, &ticketToCompare.digest.b)) 685679752bf24c21135884e987c4077e2f7184897Vadim Bendebury return TPM_RC_TICKET + RC_PolicyTicket_ticket; 695679752bf24c21135884e987c4077e2f7184897Vadim Bendebury 705679752bf24c21135884e987c4077e2f7184897Vadim Bendebury// Internal Data Update 715679752bf24c21135884e987c4077e2f7184897Vadim Bendebury 725679752bf24c21135884e987c4077e2f7184897Vadim Bendebury // Is this ticket to take the place of a TPM2_PolicySigned() or 735679752bf24c21135884e987c4077e2f7184897Vadim Bendebury // a TPM2_PolicySecret()? 745679752bf24c21135884e987c4077e2f7184897Vadim Bendebury if(in->ticket.tag == TPM_ST_AUTH_SIGNED) 755679752bf24c21135884e987c4077e2f7184897Vadim Bendebury commandCode = TPM_CC_PolicySigned; 765679752bf24c21135884e987c4077e2f7184897Vadim Bendebury else if(in->ticket.tag == TPM_ST_AUTH_SECRET) 775679752bf24c21135884e987c4077e2f7184897Vadim Bendebury commandCode = TPM_CC_PolicySecret; 785679752bf24c21135884e987c4077e2f7184897Vadim Bendebury else 795679752bf24c21135884e987c4077e2f7184897Vadim Bendebury // There could only be two possible tag values. Any other value should 805679752bf24c21135884e987c4077e2f7184897Vadim Bendebury // be caught by the ticket validation process. 815679752bf24c21135884e987c4077e2f7184897Vadim Bendebury pAssert(FALSE); 825679752bf24c21135884e987c4077e2f7184897Vadim Bendebury 835679752bf24c21135884e987c4077e2f7184897Vadim Bendebury // Update policy context 845679752bf24c21135884e987c4077e2f7184897Vadim Bendebury PolicyContextUpdate(commandCode, &in->authName, &in->policyRef, 855679752bf24c21135884e987c4077e2f7184897Vadim Bendebury &in->cpHashA, timeout, session); 865679752bf24c21135884e987c4077e2f7184897Vadim Bendebury 875679752bf24c21135884e987c4077e2f7184897Vadim Bendebury return TPM_RC_SUCCESS; 885679752bf24c21135884e987c4077e2f7184897Vadim Bendebury} 89