| // This file was extracted from the TCG Published |
| // Trusted Platform Module Library |
| // Part 3: Commands |
| // Family "2.0" |
| // Level 00 Revision 01.16 |
| // October 30, 2014 |
| |
| #include "InternalRoutines.h" |
| #include "PolicyTicket_fp.h" |
| #include "Policy_spt_fp.h" |
| // |
| // |
| // Error Returns Meaning |
| // |
| // TPM_RC_CPHASH policy's cpHash was previously set to a different value |
| // TPM_RC_EXPIRED timeout value in the ticket is in the past and the ticket has expired |
| // TPM_RC_SIZE timeout or cpHash has invalid size for the |
| // TPM_RC_TICKET ticket is not valid |
| // |
| TPM_RC |
| TPM2_PolicyTicket( |
| PolicyTicket_In *in // IN: input parameter list |
| ) |
| { |
| TPM_RC result; |
| SESSION *session; |
| UINT64 timeout; |
| TPMT_TK_AUTH ticketToCompare; |
| TPM_CC commandCode = TPM_CC_PolicySecret; |
| |
| // Input Validation |
| |
| // Get pointer to the session structure |
| session = SessionGet(in->policySession); |
| |
| // NOTE: A trial policy session is not allowed to use this command. |
| // A ticket is used in place of a previously given authorization. Since |
| // a trial policy doesn't actually authenticate, the validated |
| // ticket is not necessary and, in place of using a ticket, one |
| // should use the intended authorization for which the ticket |
| // would be a substitute. |
| if(session->attributes.isTrialPolicy) |
| return TPM_RCS_ATTRIBUTES + RC_PolicyTicket_policySession; |
| |
| // Restore timeout data. The format of timeout buffer is TPM-specific. |
| // In this implementation, we simply copy the value of timeout to the |
| // buffer. |
| if(in->timeout.t.size != sizeof(UINT64)) |
| return TPM_RC_SIZE + RC_PolicyTicket_timeout; |
| timeout = BYTE_ARRAY_TO_UINT64(in->timeout.t.buffer); |
| |
| // Do the normal checks on the cpHashA and timeout values |
| result = PolicyParameterChecks(session, timeout, |
| &in->cpHashA, NULL, |
| 0, // no bad nonce return |
| RC_PolicyTicket_cpHashA, |
| RC_PolicyTicket_timeout); |
| if(result != TPM_RC_SUCCESS) |
| return result; |
| |
| // Validate Ticket |
| // Re-generate policy ticket by input parameters |
| TicketComputeAuth(in->ticket.tag, in->ticket.hierarchy, timeout, &in->cpHashA, |
| &in->policyRef, &in->authName, &ticketToCompare); |
| |
| // Compare generated digest with input ticket digest |
| if(!Memory2BEqual(&in->ticket.digest.b, &ticketToCompare.digest.b)) |
| return TPM_RC_TICKET + RC_PolicyTicket_ticket; |
| |
| // Internal Data Update |
| |
| // Is this ticket to take the place of a TPM2_PolicySigned() or |
| // a TPM2_PolicySecret()? |
| if(in->ticket.tag == TPM_ST_AUTH_SIGNED) |
| commandCode = TPM_CC_PolicySigned; |
| else if(in->ticket.tag == TPM_ST_AUTH_SECRET) |
| commandCode = TPM_CC_PolicySecret; |
| else |
| // There could only be two possible tag values. Any other value should |
| // be caught by the ticket validation process. |
| pAssert(FALSE); |
| |
| // Update policy context |
| PolicyContextUpdate(commandCode, &in->authName, &in->policyRef, |
| &in->cpHashA, timeout, session); |
| |
| return TPM_RC_SUCCESS; |
| } |