1 //
2 // Copyright (C) 2014 The Android Open Source Project
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 //      http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 //
16 
17 #include "trunks/password_authorization_delegate.h"
18 
19 #include <base/logging.h>
20 
21 #include "trunks/tpm_generated.h"
22 
23 namespace trunks {
24 
25 const uint8_t kContinueSession = 1;
26 
PasswordAuthorizationDelegate(const std::string & password)27 PasswordAuthorizationDelegate::PasswordAuthorizationDelegate(
28     const std::string& password) {
29   password_ = Make_TPM2B_DIGEST(password);
30 }
31 
~PasswordAuthorizationDelegate()32 PasswordAuthorizationDelegate::~PasswordAuthorizationDelegate() {}
33 
GetCommandAuthorization(const std::string & command_hash,bool is_command_parameter_encryption_possible,bool is_response_parameter_encryption_possible,std::string * authorization)34 bool PasswordAuthorizationDelegate::GetCommandAuthorization(
35     const std::string& command_hash,
36     bool is_command_parameter_encryption_possible,
37     bool is_response_parameter_encryption_possible,
38     std::string* authorization) {
39   TPMS_AUTH_COMMAND auth;
40   auth.session_handle = TPM_RS_PW;
41   auth.nonce.size = 0;
42   auth.session_attributes = kContinueSession;
43   auth.hmac = password_;
44 
45   TPM_RC serialize_error = Serialize_TPMS_AUTH_COMMAND(auth, authorization);
46   if (serialize_error != TPM_RC_SUCCESS) {
47     LOG(ERROR) << __func__ << ": could not serialize command auth.";
48     return false;
49   }
50   return true;
51 }
52 
CheckResponseAuthorization(const std::string & response_hash,const std::string & authorization)53 bool PasswordAuthorizationDelegate::CheckResponseAuthorization(
54     const std::string& response_hash,
55     const std::string& authorization) {
56   TPMS_AUTH_RESPONSE auth_response;
57   std::string mutable_auth_string(authorization);
58   std::string auth_bytes;
59   TPM_RC parse_error;
60   parse_error = Parse_TPMS_AUTH_RESPONSE(&mutable_auth_string, &auth_response,
61                                          &auth_bytes);
62   if (authorization.size() != auth_bytes.size()) {
63     LOG(ERROR) << __func__ << ": Authorization string was of wrong length.";
64     return false;
65   }
66   if (parse_error != TPM_RC_SUCCESS) {
67     LOG(ERROR) << __func__ << ": could not parse authorization response.";
68     return false;
69   }
70   if (auth_response.nonce.size != 0) {
71     LOG(ERROR) << __func__ << ": received a non zero length nonce.";
72     return false;
73   }
74   if (auth_response.hmac.size != 0) {
75     LOG(ERROR) << __func__ << ": received a non zero length hmac.";
76     return false;
77   }
78   if (auth_response.session_attributes != kContinueSession) {
79     LOG(ERROR) << __func__ << ": received wrong session attributes.";
80     return false;
81   }
82   return true;
83 }
84 
EncryptCommandParameter(std::string * parameter)85 bool PasswordAuthorizationDelegate::EncryptCommandParameter(
86     std::string* parameter) {
87   return true;
88 }
89 
DecryptResponseParameter(std::string * parameter)90 bool PasswordAuthorizationDelegate::DecryptResponseParameter(
91     std::string* parameter) {
92   return true;
93 }
94 
95 }  // namespace trunks
96