1//
2// Copyright (C) 2014 The Android Open Source Project
3//
4// Licensed under the Apache License, Version 2.0 (the "License");
5// you may not use this file except in compliance with the License.
6// You may obtain a copy of the License at
7//
8//      http://www.apache.org/licenses/LICENSE-2.0
9//
10// Unless required by applicable law or agreed to in writing, software
11// distributed under the License is distributed on an "AS IS" BASIS,
12// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13// See the License for the specific language governing permissions and
14// limitations under the License.
15//
16
17#include "trunks/password_authorization_delegate.h"
18
19#include <base/logging.h>
20
21#include "trunks/tpm_generated.h"
22
23namespace trunks {
24
25const uint8_t kContinueSession = 1;
26
27PasswordAuthorizationDelegate::PasswordAuthorizationDelegate(
28    const std::string& password) {
29  password_ = Make_TPM2B_DIGEST(password);
30}
31
32PasswordAuthorizationDelegate::~PasswordAuthorizationDelegate() {}
33
34bool PasswordAuthorizationDelegate::GetCommandAuthorization(
35    const std::string& command_hash,
36    bool is_command_parameter_encryption_possible,
37    bool is_response_parameter_encryption_possible,
38    std::string* authorization) {
39  TPMS_AUTH_COMMAND auth;
40  auth.session_handle = TPM_RS_PW;
41  auth.nonce.size = 0;
42  auth.session_attributes = kContinueSession;
43  auth.hmac = password_;
44
45  TPM_RC serialize_error = Serialize_TPMS_AUTH_COMMAND(auth, authorization);
46  if (serialize_error != TPM_RC_SUCCESS) {
47    LOG(ERROR) << __func__ << ": could not serialize command auth.";
48    return false;
49  }
50  return true;
51}
52
53bool PasswordAuthorizationDelegate::CheckResponseAuthorization(
54    const std::string& response_hash,
55    const std::string& authorization) {
56  TPMS_AUTH_RESPONSE auth_response;
57  std::string mutable_auth_string(authorization);
58  std::string auth_bytes;
59  TPM_RC parse_error;
60  parse_error = Parse_TPMS_AUTH_RESPONSE(&mutable_auth_string, &auth_response,
61                                         &auth_bytes);
62  if (authorization.size() != auth_bytes.size()) {
63    LOG(ERROR) << __func__ << ": Authorization string was of wrong length.";
64    return false;
65  }
66  if (parse_error != TPM_RC_SUCCESS) {
67    LOG(ERROR) << __func__ << ": could not parse authorization response.";
68    return false;
69  }
70  if (auth_response.nonce.size != 0) {
71    LOG(ERROR) << __func__ << ": received a non zero length nonce.";
72    return false;
73  }
74  if (auth_response.hmac.size != 0) {
75    LOG(ERROR) << __func__ << ": received a non zero length hmac.";
76    return false;
77  }
78  if (auth_response.session_attributes != kContinueSession) {
79    LOG(ERROR) << __func__ << ": received wrong session attributes.";
80    return false;
81  }
82  return true;
83}
84
85bool PasswordAuthorizationDelegate::EncryptCommandParameter(
86    std::string* parameter) {
87  return true;
88}
89
90bool PasswordAuthorizationDelegate::DecryptResponseParameter(
91    std::string* parameter) {
92  return true;
93}
94
95}  // namespace trunks
96