// This file was extracted from the TCG Published
// Trusted Platform Module Library
// Part 3: Commands
// Family "2.0"
// Level 00 Revision 01.16
// October 30, 2014

#include "InternalRoutines.h"
#include "PolicyAuthorize_fp.h"
#include "Policy_spt_fp.h"
//
// TPM2_PolicyAuthorize() checks that the session's current policyDigest is
// the caller-supplied approvedPolicy and that checkTicket matches a ticket
// recomputed over hash(approvedPolicy || policyRef) for keySign. On success
// it resets policyDigest and updates it with keySign and policyRef.
// Trial policy sessions skip the approvedPolicy and ticket checks.
//
//     Error Returns                     Meaning
//
//     TPM_RC_HASH                       hash algorithm in keyName is not supported
//     TPM_RC_SIZE                       keyName is not the correct size for its hash algorithm
//     TPM_RC_VALUE                      the current policyDigest of policySession does not match
//                                       approvedPolicy; or checkTicket doesn't match the provided values
//
TPM_RC
TPM2_PolicyAuthorize(
    PolicyAuthorize_In    *in             // IN: input parameter list
    )
{
    SESSION             *policySess;      // session named by in->policySession
    TPM2B_DIGEST         aHash;           // hash(approvedPolicy || policyRef)
    HASH_STATE           aHashState;
    TPMT_TK_VERIFIED     expectedTicket;  // ticket recomputed from the inputs
    TPM_ALG_ID           nameAlg;         // algorithm id read from keySign
    UINT16               nameDigestSize;

// Input Validation

    // Look up the session structure for the supplied handle
    policySess = SessionGet(in->policySession);

    // The leading two bytes of the key's Name carry the identifier of the
    // hash algorithm that was used to compute that Name.
    // NOTE(review): the bytes are read before keySign.t.size is examined. A
    // Name shorter than two bytes is only rejected by the size comparison
    // below (or by TPM_RC_HASH if the bytes read do not name a supported
    // algorithm) -- confirm the unmarshaling code leaves no other path.
    nameAlg = BYTE_ARRAY_TO_UINT16(in->keySign.t.name);

    // Without a supported hash algorithm in 'keySign' the expected digest
    // length is unknown, so the Name cannot be size-checked.
    nameDigestSize = CryptGetHashDigestSize(nameAlg);
    if(nameDigestSize == 0)
        return TPM_RC_HASH + RC_PolicyAuthorize_keySign;

    // Name = 2-byte algorithm identifier followed by the digest
    if((in->keySign.t.size - 2) != nameDigestSize)
        return TPM_RC_SIZE + RC_PolicyAuthorize_keySign;

    // A trial policy session skips the two checks in this branch. Only the
    // keySign Name checks above apply to it.
    if(policySess->attributes.isTrialPolicy == CLEAR)
    {
        // The session's accumulated policyDigest must be exactly the
        // policy that the caller claims was approved.
        if(!Memory2BEqual(&policySess->u2.policyDigest.b,
                          &in->approvedPolicy.b))
            return TPM_RC_VALUE + RC_PolicyAuthorize_approvedPolicy;

        // Validate the TPMT_TK_VERIFIED ticket.
        // The authorizing object signs the digest
        //      aHash := hash(approvedPolicy || policyRef)
        // computed with the hash algorithm taken from the key's Name.
        aHash.t.size = CryptStartHash(nameAlg, &aHashState);
        CryptUpdateDigest2B(&aHashState, &in->approvedPolicy.b);
        CryptUpdateDigest2B(&aHashState, &in->policyRef.b);
        CryptCompleteHash2B(&aHashState, &aHash.b);

        // Recompute the ticket from the claimed hierarchy, aHash and keySign
        // instead of trusting any field of the supplied ticket.
        // NOTE(review): in->checkTicket.tag is not inspected here.
        // Presumably the unmarshaling code validates it -- confirm.
        TicketComputeVerified(in->checkTicket.hierarchy, &aHash,
                              &in->keySign, &expectedTicket);

        // The supplied ticket digest must match the recomputed one.
        // NOTE(review): this compares what is presumably a keyed digest
        // against caller-controlled bytes. Confirm that Memory2BEqual does
        // not exit early on the first differing byte.
        if(!Memory2BEqual(&in->checkTicket.digest.b,
                          &expectedTicket.digest.b))
            return TPM_RC_VALUE+ RC_PolicyAuthorize_checkTicket;
    }

// Internal Data Update

    // Zero policyDigest so the update below starts from a zero digest
    // rather than from the approved policy's value.
    MemorySet(policySess->u2.policyDigest.t.buffer, 0,
              policySess->u2.policyDigest.t.size);

    // Update policyDigest with the command code, keySign and policyRef
    PolicyContextUpdate(TPM_CC_PolicyAuthorize, &in->keySign, &in->policyRef,
                        NULL, 0, policySess);

    return TPM_RC_SUCCESS;

}