Google Git
Sign in
fuchsia / third_party / github.com / tpm2-software / tpm2-tss / refs/heads/upstream/3.0.x / . / test / integration / esys-encrypt-decrypt.int.c
blob: 2105f005c3e63d5109d8cd815e7ffebf7a436b93 [file] [log] [blame]
/* SPDX-License-Identifier: BSD-2-Clause */
/*******************************************************************************
* Copyright 2017-2018, Fraunhofer SIT sponsored by Infineon Technologies AG
* All rights reserved.
*******************************************************************************/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <stdlib.h>
#include "tss2_esys.h"
#include "esys_iutil.h"
#include "test-esys.h"
#define LOGMODULE test
#include "util/log.h"
#include "util/aux_util.h"
/** This test is intended to test the ESYS function Esys_EncryptDecrypt.
*
* First a primary key is generated. This key will be uses as parent fo a
* symmetric key, which will be used to encrypt and decrypt a tpm2b. The
* result will be compared.
*
* Tested ESYS commands:
* - Esys_Create() (M)
* - Esys_CreatePrimary() (M)
* - Esys_EncryptDecrypt() (O)
* - Esys_FlushContext() (M)
* - Esys_Load() (M)
*
* @param[in,out] esys_context The ESYS_CONTEXT.
* @retval EXIT_FAILURE
* @retval EXIT_SKIP
* @retval EXIT_SUCCESS
*/
int
test_esys_encrypt_decrypt(ESYS_CONTEXT * esys_context)
{
TSS2_RC r;
ESYS_TR primaryHandle = ESYS_TR_NONE;
ESYS_TR loadedKeyHandle = ESYS_TR_NONE;
int failure_return = EXIT_FAILURE;
TPM2B_PUBLIC *outPublic = NULL;
TPM2B_CREATION_DATA *creationData = NULL;
TPM2B_DIGEST *creationHash = NULL;
TPMT_TK_CREATION *creationTicket = NULL;
TPM2B_MAX_BUFFER *outData = NULL;
TPM2B_IV *ivOut = NULL;
TPM2B_PUBLIC *outPublic2 = NULL;
TPM2B_PRIVATE *outPrivate2 = NULL;
TPM2B_CREATION_DATA *creationData2 = NULL;
TPM2B_DIGEST *creationHash2 = NULL;
TPMT_TK_CREATION *creationTicket2 = NULL;
TPM2B_MAX_BUFFER *outData2 = NULL;
TPM2B_IV *ivOut2 = NULL;
TPM2B_AUTH authValuePrimary = {
.size = 5,
.buffer = {1, 2, 3, 4, 5}
};
TPM2B_SENSITIVE_CREATE inSensitivePrimary = {
.size = 0,
.sensitive = {
.userAuth = {
.size = 0,
.buffer = {0 },
},
.data = {
.size = 0,
.buffer = {0},
},
},
};
inSensitivePrimary.sensitive.userAuth = authValuePrimary;
TPM2B_PUBLIC inPublic = {
.size = 0,
.publicArea = {
.type = TPM2_ALG_RSA,
.nameAlg = TPM2_ALG_SHA256,
.objectAttributes = (TPMA_OBJECT_USERWITHAUTH |
TPMA_OBJECT_RESTRICTED |
TPMA_OBJECT_DECRYPT |
TPMA_OBJECT_FIXEDTPM |
TPMA_OBJECT_FIXEDPARENT |
TPMA_OBJECT_SENSITIVEDATAORIGIN),
.authPolicy = {
.size = 0,
},
.parameters.rsaDetail = {
.symmetric = {
.algorithm = TPM2_ALG_AES,
.keyBits.aes = 128,
.mode.aes = TPM2_ALG_CFB},
.scheme = {
.scheme = TPM2_ALG_NULL
},
.keyBits = 2048,
.exponent = 0,
},
.unique.rsa = {
.size = 0,
.buffer = {},
},
},
};
TPM2B_DATA outsideInfo = {
.size = 0,
.buffer = {},
};
TPML_PCR_SELECTION creationPCR = {
.count = 0,
};
TPM2B_AUTH authValue = {
.size = 0,
.buffer = {}
};
r = Esys_TR_SetAuth(esys_context, ESYS_TR_RH_OWNER, &authValue);
goto_if_error(r, "Error: TR_SetAuth", error);
r = Esys_CreatePrimary(esys_context, ESYS_TR_RH_OWNER, ESYS_TR_PASSWORD,
ESYS_TR_NONE, ESYS_TR_NONE,
&inSensitivePrimary, &inPublic,
&outsideInfo, &creationPCR, &primaryHandle,
&outPublic, &creationData, &creationHash,
&creationTicket);
goto_if_error(r, "Error esys create primary", error);
r = Esys_TR_SetAuth(esys_context, primaryHandle, &authValuePrimary);
goto_if_error(r, "Error: TR_SetAuth", error);
TPM2B_AUTH authKey2 = {
.size = 6,
.buffer = {6, 7, 8, 9, 10, 11}
};
TPM2B_SENSITIVE_CREATE inSensitive2 = {
.size = 0,
.sensitive = {
.userAuth = {
.size = 0,
.buffer = {0}
},
.data = {
.size = 16,
.buffer = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 16}
}
}
};
inSensitive2.sensitive.userAuth = authKey2;
TPM2B_PUBLIC inPublic2 = {
.size = 0,
.publicArea = {
.type = TPM2_ALG_SYMCIPHER,
.nameAlg = TPM2_ALG_SHA256,
.objectAttributes = (TPMA_OBJECT_USERWITHAUTH |
TPMA_OBJECT_SIGN_ENCRYPT |
TPMA_OBJECT_DECRYPT),
.authPolicy = {
.size = 0,
},
.parameters.symDetail = {
.sym = {
.algorithm = TPM2_ALG_AES,
.keyBits = {.aes = 128},
.mode = {.aes = TPM2_ALG_CFB}}
},
.unique.sym = {
.size = 0,
.buffer = {}
}
}
};
TPM2B_DATA outsideInfo2 = {
.size = 0,
.buffer = {}
,
};
TPML_PCR_SELECTION creationPCR2 = {
.count = 0,
};
r = Esys_Create(esys_context,
primaryHandle,
ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
&inSensitive2,
&inPublic2,
&outsideInfo2,
&creationPCR2,
&outPrivate2,
&outPublic2,
&creationData2, &creationHash2, &creationTicket2);
if (r == 0x2c2) { /*<< tpm:parameter(2):inconsistent attributes */
LOG_WARNING("Unsupported symmetric cipher.");
failure_return = EXIT_SKIP;
goto error;
}
goto_if_error(r, "Error esys create ", error);
LOG_INFO("AES key created.");
r = Esys_Load(esys_context,
primaryHandle,
ESYS_TR_PASSWORD,
ESYS_TR_NONE,
ESYS_TR_NONE, outPrivate2, outPublic2, &loadedKeyHandle);
goto_if_error(r, "Error esys load ", error);
LOG_INFO("AES key loaded.");
r = Esys_TR_SetAuth(esys_context, loadedKeyHandle, &authKey2);
goto_if_error(r, "Error esys TR_SetAuth ", error);
ESYS_TR keyHandle_handle = loadedKeyHandle;
TPMI_YES_NO decrypt = TPM2_YES;
TPMI_YES_NO encrypt = TPM2_NO;
TPMI_ALG_SYM_MODE mode = TPM2_ALG_NULL;
TPM2B_IV ivIn = {
.size = 16,
.buffer = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 16}
};
TPM2B_MAX_BUFFER inData = {
.size = 16,
.buffer = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 16}
};
r = Esys_EncryptDecrypt(
esys_context,
keyHandle_handle,
ESYS_TR_PASSWORD,
ESYS_TR_NONE,
ESYS_TR_NONE,
encrypt,
mode,
&ivIn,
&inData,
&outData,
&ivOut);
if ((r == TPM2_RC_COMMAND_CODE) ||
(r == (TPM2_RC_COMMAND_CODE | TSS2_RESMGR_RC_LAYER)) ||
(r == (TPM2_RC_COMMAND_CODE | TSS2_RESMGR_TPM_RC_LAYER))) {
LOG_WARNING("Command TPM2_EncryptDecrypt not supported by TPM.");
failure_return = EXIT_SKIP;
goto error;
}
goto_if_error(r, "Error: EncryptDecrypt", error);
r = Esys_EncryptDecrypt(
esys_context,
keyHandle_handle,
ESYS_TR_PASSWORD,
ESYS_TR_NONE,
ESYS_TR_NONE,
decrypt,
mode,
&ivIn,
outData,
&outData2,
&ivOut2);
if ((r == TPM2_RC_COMMAND_CODE) ||
(r == (TPM2_RC_COMMAND_CODE | TSS2_RESMGR_RC_LAYER)) ||
(r == (TPM2_RC_COMMAND_CODE | TSS2_RESMGR_TPM_RC_LAYER))) {
LOG_WARNING("Command TPM2_EncryptDecrypt not supported by TPM.");
failure_return = EXIT_SKIP;
goto error;
}
goto_if_error(r, "Error: EncryptDecrypt", error);
LOGBLOB_DEBUG(&outData2->buffer[0], outData2->size, "** Decrypted data **");
if (outData2->size != inData.size ||
memcmp(&outData2->buffer, &inData.buffer[0], outData2->size) != 0) {
LOG_ERROR("Error: decrypted text not equal to origin");
goto error;
}
r = Esys_FlushContext(esys_context, primaryHandle);
goto_if_error(r, "Error during FlushContext", error);
primaryHandle = ESYS_TR_NONE;
r = Esys_FlushContext(esys_context, loadedKeyHandle);
goto_if_error(r, "Error during FlushContext", error);
Esys_Free(outPublic);
Esys_Free(creationData);
Esys_Free(creationHash);
Esys_Free(creationTicket);
Esys_Free(outData);
Esys_Free(ivOut);
Esys_Free(outPublic2);
Esys_Free(outPrivate2);
Esys_Free(creationData2);
Esys_Free(creationHash2);
Esys_Free(creationTicket2);
Esys_Free(outData2);
Esys_Free(ivOut2);
return EXIT_SUCCESS;
error:
if (primaryHandle != ESYS_TR_NONE) {
if (Esys_FlushContext(esys_context, primaryHandle) != TSS2_RC_SUCCESS) {
LOG_ERROR("Cleanup primaryHandle failed.");
}
}
if (loadedKeyHandle != ESYS_TR_NONE) {
if (Esys_FlushContext(esys_context, loadedKeyHandle) != TSS2_RC_SUCCESS) {
LOG_ERROR("Cleanup loadedKeyHandle failed.");
}
}
Esys_Free(outPublic);
Esys_Free(creationData);
Esys_Free(creationHash);
Esys_Free(creationTicket);
Esys_Free(outData);
Esys_Free(ivOut);
Esys_Free(outPublic2);
Esys_Free(outPrivate2);
Esys_Free(creationData2);
Esys_Free(creationHash2);
Esys_Free(creationTicket2);
Esys_Free(outData2);
Esys_Free(ivOut2);
return failure_return;
}
int
test_invoke_esys(ESYS_CONTEXT * esys_context) {
return test_esys_encrypt_decrypt(esys_context);
}