From d08607bb4f329821a1bf55519b58153cbd4f52d0 Mon Sep 17 00:00:00 2001 From: Johannes Holland Date: Wed, 10 Jul 2024 09:23:46 +0200 Subject: [PATCH 1/8] test: remove SHA1 from policy-execute/tss2_policy Signed-off-by: Johannes Holland --- Makefile.am | 1 + .../fapi/policy/pol_authorize_ecc_pem.json | 3 +- .../policy/pol_authorize_ecc_pem_sha384.json | 3 +- .../fapi/policy/pol_authorize_rsa_pem.json | 3 +- .../fapi/policy/pol_ek_high_range_sha384.json | 62 ++++ .../policy/pol_pcr16_0_ecc_authorized.json | 1 + .../pol_pcr16_0_ecc_authorized_sha384.json | 1 + .../policy/pol_pcr16_0_rsa_authorized.json | 1 + test/data/fapi/policy/pol_signed.json | 3 +- test/data/fapi/policy/pol_signed_ecc.json | 3 +- test/data/test-fapi-policies.h | 113 ++++--- test/integration/policy-execute.int.c | 311 ++++++++++-------- test/unit/tss2_policy.c | 35 +- 13 files changed, 321 insertions(+), 219 deletions(-) create mode 100644 test/data/fapi/policy/pol_ek_high_range_sha384.json diff --git a/Makefile.am b/Makefile.am index f14bc4b6f..8af86fd3e 100644 --- a/Makefile.am +++ b/Makefile.am @@ -783,6 +783,7 @@ EXTRA_DIST += \ test/data/fapi/policy/pol_cphash.json \ test/data/fapi/policy/pol_or_read_write_secret.json \ test/data/fapi/policy/pol_ek_high_range_sha256.json \ + test/data/fapi/policy/pol_ek_high_range_sha384.json \ test/data/fapi/P_ECC_sh_eh_policy_sha384.json \ test/data/fapi/policy/pol_authorize_ecc_pem_sha384.json \ test/data/fapi/policy/pol_authorize_nv_complex_tpm2b_sha384.json \ diff --git a/test/data/fapi/policy/pol_authorize_ecc_pem.json b/test/data/fapi/policy/pol_authorize_ecc_pem.json index 9ac0fe212..c7c7528fa 100644 --- a/test/data/fapi/policy/pol_authorize_ecc_pem.json +++ b/test/data/fapi/policy/pol_authorize_ecc_pem.json @@ -4,7 +4,8 @@ { "type": "POLICYAUTHORIZE", "policyRef": [ 1, 2, 3, 4, 5 ], - "keyPEM": "-----BEGIN PUBLIC KEY----- + // private key: test/data/fapi/policy/ecc.pem + "keyPEM": "-----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwl7xkJ8nywaYBzTzfr/Or0Phg2XY ufUHcIYJvC+x8NjOoPTFcE8CKGup6+Q7LOq21S9YmnXrt8xLiHBIxM7YOQ== -----END PUBLIC KEY-----" diff --git a/test/data/fapi/policy/pol_authorize_ecc_pem_sha384.json b/test/data/fapi/policy/pol_authorize_ecc_pem_sha384.json index 2adf86852..734c0fc38 100644 --- a/test/data/fapi/policy/pol_authorize_ecc_pem_sha384.json +++ b/test/data/fapi/policy/pol_authorize_ecc_pem_sha384.json @@ -5,7 +5,8 @@ "type": "POLICYAUTHORIZE", "policyRef": [ 1, 2, 3, 4, 5 ], "keyPEMhashAlg": "SHA384", - "keyPEM": "-----BEGIN PUBLIC KEY----- + // private key: ? + "keyPEM": "-----BEGIN PUBLIC KEY----- MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEPnzYHCTqHAJnCcLRQC4bL/r2t9P1bJJE 27tHWVxxRtdUNPQceF9sFPE1AgafveTyLrf/V2TwYqpOgMw3hseFlpXAgQl0klqN ZPX3zQ+iOfcHhZ7YPjSXzBghWF67oxat diff --git a/test/data/fapi/policy/pol_authorize_rsa_pem.json b/test/data/fapi/policy/pol_authorize_rsa_pem.json index b8b7cdd44..fc17daf1e 100644 --- a/test/data/fapi/policy/pol_authorize_rsa_pem.json +++ b/test/data/fapi/policy/pol_authorize_rsa_pem.json @@ -4,7 +4,8 @@ { "type": "POLICYAUTHORIZE", "policyRef": [ 1, 2, 3, 4, 5 ], - "keyPEM": "-----BEGIN PUBLIC KEY----- + // private key: test/data/fapi/policy/rsa2.pem + "keyPEM": "-----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoGL6IrCSAznmIIzBessI mW7tPOUy78uWTIaub32KnYHn78KXprrZ3ykp6WDrOQeMjv4AA+14mJbg77apVYXy EnkFdOMa1hszSJnp6cJvx7ILngLvFUxzbVki/ehvgS3nRk67Njal+nMTe8hpe3UK diff --git a/test/data/fapi/policy/pol_ek_high_range_sha384.json b/test/data/fapi/policy/pol_ek_high_range_sha384.json new file mode 100644 index 000000000..f65ddba01 --- /dev/null +++ b/test/data/fapi/policy/pol_ek_high_range_sha384.json @@ -0,0 +1,62 @@ +{ + "description":"Policy for EK", + "policy":[ + { + "type":"POLICYOR", + "branches":[ + { + "name":"PolicySecret", + "description":"Policy Secret for EK", + "policy":[ + { + "type":"POLICYSECRET", + "objectName": "4000000b", + } + ], + }, + { + "name":"PolicyNV", + "description":"Policy NV for EK", + "policy":[ + { + "type": "POLICYAUTHORIZENV", + "nvPublic": { + "size":0, + "nvPublic":{ + "nvIndex":"0x01c07f01", + "nameAlg":"SHA384", + "attributes":{ + "PPWRITE":0, + "OWNERWRITE":0, + "AUTHWRITE":0, + "POLICYWRITE":1, + "POLICY_DELETE":0, + "WRITELOCKED":0, + "WRITEALL":1, + "WRITEDEFINE":0, + "WRITE_STCLEAR":0, + "GLOBALLOCK":0, + "PPREAD":1, + "OWNERREAD":1, + "AUTHREAD":1, + "POLICYREAD":1, + "NO_DA":1, + "ORDERLY":0, + "CLEAR_STCLEAR":0, + "READLOCKED":0, + "WRITTEN":1, + "PLATFORMCREATE":0, + "READ_STCLEAR":0, + "TPM2_NT":"ORDINARY" + }, + "authPolicy":"837197674484b3f81a90cc8d46a5d724fd52d76e06520b64f2a1da1b331469aa", + "dataSize":34 + } + } + } + ], + } + ] + } + ] +} diff --git a/test/data/fapi/policy/pol_pcr16_0_ecc_authorized.json b/test/data/fapi/policy/pol_pcr16_0_ecc_authorized.json index 89275d8c5..d88294246 100644 --- a/test/data/fapi/policy/pol_pcr16_0_ecc_authorized.json +++ b/test/data/fapi/policy/pol_pcr16_0_ecc_authorized.json @@ -10,6 +10,7 @@ { "type": "pem", "policyRef": [ 1, 2, 3, 4, 5 ], + // private key: test/data/fapi/policy/ecc.pem "key": "-----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwl7xkJ8nywaYBzTzfr/Or0Phg2XY ufUHcIYJvC+x8NjOoPTFcE8CKGup6+Q7LOq21S9YmnXrt8xLiHBIxM7YOQ== diff --git a/test/data/fapi/policy/pol_pcr16_0_ecc_authorized_sha384.json b/test/data/fapi/policy/pol_pcr16_0_ecc_authorized_sha384.json index ea53a1ae5..679d003b4 100644 --- a/test/data/fapi/policy/pol_pcr16_0_ecc_authorized_sha384.json +++ b/test/data/fapi/policy/pol_pcr16_0_ecc_authorized_sha384.json @@ -10,6 +10,7 @@ "type": "pem", "policyRef": [ 1, 2, 3, 4, 5 ], "keyPEMhashAlg": "sha384", + // private key: ? "key": "-----BEGIN PUBLIC KEY----- MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEPnzYHCTqHAJnCcLRQC4bL/r2t9P1bJJE 27tHWVxxRtdUNPQceF9sFPE1AgafveTyLrf/V2TwYqpOgMw3hseFlpXAgQl0klqN diff --git a/test/data/fapi/policy/pol_pcr16_0_rsa_authorized.json b/test/data/fapi/policy/pol_pcr16_0_rsa_authorized.json index 9c9023a8f..c9e218ef0 100644 --- a/test/data/fapi/policy/pol_pcr16_0_rsa_authorized.json +++ b/test/data/fapi/policy/pol_pcr16_0_rsa_authorized.json @@ -10,6 +10,7 @@ { "type": "pem", "policyRef": [ 1, 2, 3, 4, 5 ], + // private key: test/data/fapi/policy/rsa2.pem "key": "-----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoGL6IrCSAznmIIzBessI mW7tPOUy78uWTIaub32KnYHn78KXprrZ3ykp6WDrOQeMjv4AA+14mJbg77apVYXy diff --git a/test/data/fapi/policy/pol_signed.json b/test/data/fapi/policy/pol_signed.json index 08607c57d..a6ed7b2e0 100644 --- a/test/data/fapi/policy/pol_signed.json +++ b/test/data/fapi/policy/pol_signed.json @@ -4,8 +4,9 @@ { "type": "POLICYSIGNED", "publicKeyHint": "Test key hint", + // private key: test/data/fapi/policy/rsa2.pem "keyPEM": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoGL6IrCSAznmIIzBessI\nmW7tPOUy78uWTIaub32KnYHn78KXprrZ3ykp6WDrOQeMjv4AA+14mJbg77apVYXy\nEnkFdOMa1hszSJnp6cJvx7ILngLvFUxzbVki\/ehvgS3nRk67Njal+nMTe8hpe3UK\nQeV\/Ij+F0r6Yz91W+4LPmncAiUesRZLetI2BZsKwHYRMznmpIYpoua1NtS8QpEXR\nMmsUue19eS\/XRAPmmCfnb5BX2Tn06iCpk6wO+RfMo9etcX5cLSAuIYEQYCvV2\/0X\nTfEw607vttBN0Y54LrVOKno1vRXd5sxyRlfB0WL42F4VG5TfcJo5u1Xq7k9m9K57\n8wIDAQAB\n-----END PUBLIC KEY-----\n", - "keyPEMhashAlg": "SHA256" + "keyPEMhashAlg": "SHA384" } ] } diff --git a/test/data/fapi/policy/pol_signed_ecc.json b/test/data/fapi/policy/pol_signed_ecc.json index 848b235c3..9021535d5 100644 --- a/test/data/fapi/policy/pol_signed_ecc.json +++ b/test/data/fapi/policy/pol_signed_ecc.json @@ -3,8 +3,9 @@ "policy":[ { "type": "POLICYSIGNED", + // private key: test/data/fapi/policy/ecc.pem "keyPEM": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoJTa3zftdAzHC96IjpqQ/dnLm+p7\npEiLMi03Jd0oP0aYnnXFjolzIB/dBZ/t+BLh0PwLM5aAM/jugeLkHgpIyQ==\n-----END PUBLIC KEY-----\n", - "keyPEMhashAlg": "SHA256" + "keyPEMhashAlg": "SHA384" } ] } diff --git a/test/data/test-fapi-policies.h b/test/data/test-fapi-policies.h index b4b574664..99c8640f0 100644 --- a/test/data/test-fapi-policies.h +++ b/test/data/test-fapi-policies.h @@ -7,87 +7,94 @@ struct policy_digests { char *path; char *sha1; char *sha256; + char *sha384; }; /* * Table with expected policy digests. - * If computation is not possible sha1 and sha256 has to be set to NULL. + * If computation is not possible sha256 and sha384 has to be set to NULL. * If a policy digest will be computed for these cases an error will be signalled. */ static policy_digests _test_fapi_policy_policies[] = { { .path = "/policy/pol_action", - .sha1 = "0000000000000000000000000000000000000000", - .sha256 = "0000000000000000000000000000000000000000000000000000000000000000" }, + .sha256 = "0000000000000000000000000000000000000000000000000000000000000000", + .sha384 = "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" }, { .path = "/policy/pol_pcr16_0_ecc_authorized", - .sha1 = "eab0d71ae6088009cbd0b50729fde69eb453649c", - .sha256 = "bff2d58e9813f97cefc14f72ad8133bc7092d652b7c877959254af140c841f36" }, + .sha256 = "bff2d58e9813f97cefc14f72ad8133bc7092d652b7c877959254af140c841f36", + .sha384 = "c1923346b6d44a154b58b57b4327ee70c29ac536f9209d94880de6834f370587846a2834e3e88af61efd8679fcccedd5" }, + { .path = "/policy/pol_pcr16_0_ecc_authorized_sha384", + .sha256 = "bff2d58e9813f97cefc14f72ad8133bc7092d652b7c877959254af140c841f36", + .sha384 = "c1923346b6d44a154b58b57b4327ee70c29ac536f9209d94880de6834f370587846a2834e3e88af61efd8679fcccedd5" }, { .path = "/policy/pol_authorize_ecc_pem", - .sha1 = "9d2c365dd9ccba3962041d7f9b3e276588338c94", - .sha256 = "b9b370c6b4f84887518634ab408ce23dfc092ae42281a1b8438b3f34d9ceb18e" }, - { .path = "/policy/pol_nv_counter", .sha1 = NULL, .sha256 = NULL }, + .sha256 = "b9b370c6b4f84887518634ab408ce23dfc092ae42281a1b8438b3f34d9ceb18e", + .sha384 = "117b1812194dd8764a3a44c98126fc41ec4b07eead537c29bb3da3712a4aaec5393d4a26442f354b235060d99793fe40" }, + { .path = "/policy/pol_nv_counter", .sha256 = NULL, .sha384 = NULL }, { .path = "/policy/pol_authorize_rsa_pem", - .sha1 = "33e656768aa977ff42cdc60799c48f1a8ab6c1ec", - .sha256 = "5164b89fcfdc398806c0fde7a3eb52371595fcbec1b1fcea57524c56fff67f46" }, + .sha256 = "5164b89fcfdc398806c0fde7a3eb52371595fcbec1b1fcea57524c56fff67f46", + .sha384 = "e424b7ebd622258a40af3a89e541a84fcccff93a54cd9605fda545c650462c4d2d4c7f385b58975bc9b63355b0ca78f9" }, { .path = "/policy/pol_locality", - .sha1 = "9d2af7c7235047d90719bb07e699bc266554997f", - .sha256 = "ddee6af14bf3c4e8127ced87bcf9a57e1c0c8ddb5e67735c8505f96f07b8dbb8" }, + .sha256 = "ddee6af14bf3c4e8127ced87bcf9a57e1c0c8ddb5e67735c8505f96f07b8dbb8", + .sha384 = "3c6a526ff03d42da670f1cba535f9f1ea8a27e3c810fdb56f4470432b1da5f9ded3e5e330fc094026082a7018a1005ae" }, { .path = "/policy/pol_nv_change_auth", - .sha1 = "9ebf6fd0f5547da6c57280ae4032c2de62b773da", - .sha256 = "363ac945b6457c47c31f3355dba0db27de8db213d6250c6bf79685003f9fe7ab" }, + .sha256 = "363ac945b6457c47c31f3355dba0db27de8db213d6250c6bf79685003f9fe7ab", + .sha384 = "ff675514b27969d171ad33e1ecca800819aca8af2636ce1dcf8a6f91193fb0fc55a19726ec85b795cf6ec14114bfda71" }, { .path = "/policy/pol_password", - .sha1 = "af6038c78c5c962d37127e319124e3a8dc582e9b", - .sha256 = "8fcd2169ab92694e0c633f1ab772842b8241bbc20288981fc7ac1eddc1fddb0e" }, + .sha256 = "8fcd2169ab92694e0c633f1ab772842b8241bbc20288981fc7ac1eddc1fddb0e", + .sha384 = "0eb13321e885c9603d394e1c33976d4660517111f440d377585f66a94a0eee0a7f73d10b68edc48f61bd3c8385dcddf5" }, { .path = "/policy/pol_pcr16_0_or", - .sha1 = "be5ea4b5e7de56f883968667f1f12f02b7c3c99b", - .sha256 = "04b01d728fc1ea060d943b3ca6e3e5ea9d3bbb61126542677ad7591c092eafba" }, + .sha256 = "04b01d728fc1ea060d943b3ca6e3e5ea9d3bbb61126542677ad7591c092eafba", + .sha384 = "2ec9bcccab324ba5f50eedb045853993a37a9eab65bc00b742f85ac5ac809d234e4ac82ac70c10c3aff8196a6cf78515" }, { .path = "/policy/pol_physical_presence", - .sha1 = "9acb06395f831f88e89eeac29442cb0ebe9485ab", - .sha256 = "0d7c6747b1b9facbba03492097aa9d5af792e5efc07346e05f9daa8b3d9e13b5" }, - { .path = "/policy/pol_secret", .sha1 = NULL, .sha256 = NULL }, - { .path = "/policy/pol_authorize", .sha1 = NULL, .sha256 = NULL }, - { .path = "/policy/pol_authorize_nv", .sha1 = NULL, .sha256 = NULL }, + .sha256 = "0d7c6747b1b9facbba03492097aa9d5af792e5efc07346e05f9daa8b3d9e13b5", + .sha384 = "f743b33cdfcad64b6f85105907895732ca9d4002b5167d52ca82cb65879665e29ef753b5f548eb894b1b2d67a1376ff8" }, + { .path = "/policy/pol_secret", .sha256 = NULL, .sha384 = NULL }, + { .path = "/policy/pol_authorize", .sha256 = NULL, .sha384 = NULL }, + { .path = "/policy/pol_authorize_nv", .sha256 = NULL, .sha384 = NULL }, { .path = "/policy/pol_auth_value", - .sha1 = "af6038c78c5c962d37127e319124e3a8dc582e9b", - .sha256 = "8fcd2169ab92694e0c633f1ab772842b8241bbc20288981fc7ac1eddc1fddb0e" }, + .sha256 = "8fcd2169ab92694e0c633f1ab772842b8241bbc20288981fc7ac1eddc1fddb0e", + .sha384 = "0eb13321e885c9603d394e1c33976d4660517111f440d377585f66a94a0eee0a7f73d10b68edc48f61bd3c8385dcddf5" }, { .path = "/policy/pol_command_code", - .sha1 = "2a2a1493809bbc1b4b46fc325dc54a815cbb980e", - .sha256 = "cc6918b226273b08f5bd406d7f10cf160f0a7d13dfd83b7770ccbcd1aa80d811" }, - { .path = "/policy/pol_duplicate", .sha1 = NULL, .sha256 = NULL }, + .sha256 = "cc6918b226273b08f5bd406d7f10cf160f0a7d13dfd83b7770ccbcd1aa80d811", + .sha384 = "5093ebce18eacac2fef5a1f4dcb9c8167ee1f45479b189ea362e20f9f86cc93deb6ca4270098915db6dec7d56c9f1979" }, + { .path = "/policy/pol_duplicate", .sha256 = NULL, .sha384 = NULL }, { .path = "/policy/pol_pcr16_0", - .sha1 = "eab0d71ae6088009cbd0b50729fde69eb453649c", - .sha256 = "bff2d58e9813f97cefc14f72ad8133bc7092d652b7c877959254af140c841f36" }, - { .path = "/policy/pol_nv", .sha1 = NULL, .sha256 = NULL }, - { .path = "/policy/pol_authorize_outer", .sha1 = NULL, .sha256 = NULL }, + .sha256 = "bff2d58e9813f97cefc14f72ad8133bc7092d652b7c877959254af140c841f36", + .sha384 = "c1923346b6d44a154b58b57b4327ee70c29ac536f9209d94880de6834f370587846a2834e3e88af61efd8679fcccedd5" }, + { .path = "/policy/pol_nv", .sha256 = NULL, .sha384 = NULL }, + { .path = "/policy/pol_authorize_outer", .sha256 = NULL, .sha384 = NULL }, { .path = "/policy/pol_countertimer", - .sha1 = "969a04fb820cc4a3aa4436e02cd5a71a87fd95b9", - .sha256 = "7c67802209683d17c1d94f3fc9df7afb2a0d7955c3c5d0fa3f602d58ffdaf984" }, + .sha256 = "7c67802209683d17c1d94f3fc9df7afb2a0d7955c3c5d0fa3f602d58ffdaf984", + .sha384 = "5735b3080af6597ba9249c692fbb9689da67937d167850a9bdd3e82f08e02bb85eb1f451899bfd5607702257cc68a0ce" }, { .path = "/policy/pol_cphash", - .sha1 = "b2b2763b9a638a8e4f38897a47468e09fe0a0853", - .sha256 = "2d7038734b12258ae7108ab70d0e7ee36f4e64c64d53f8adb6c2bed602c95d09" }, - { .path = "/policy/pol_name_hash", .sha1 = NULL, .sha256 = NULL }, + .sha256 = "2d7038734b12258ae7108ab70d0e7ee36f4e64c64d53f8adb6c2bed602c95d09", + .sha384 = "cc26ea5fef3eff5ebc2c1e1c143039bb4c4c20e80ac2480857182623ac29c18e3cb82792dc20ebacf9ca9e32b3eae9b7" }, + { .path = "/policy/pol_name_hash", .sha256 = NULL, .sha384 = NULL }, { .path = "/policy/pol_nv_written", - .sha1 = "5a91e7105386bd547a15aad40369b1e25e462873", - .sha256 = "3c326323670e28ad37bd57f63b4cc34d26ab205ef22f275c58d47fab2485466e" }, + .sha256 = "3c326323670e28ad37bd57f63b4cc34d26ab205ef22f275c58d47fab2485466e", + .sha384 = "0e017d9a6f87b88af9d8497937e825f688a4bd6681da533191a5fa6d0825ef2e3de21ef2bd4e20578313c6ec5137e79c" }, { .path = "/policy/pol_pcr16_0_fail", - .sha1 = "904fbcef1d6cb3ecaf085259b40b55fa3025232f", - .sha256 = "b740077197d46009b9c18f5ad181b7a3ac5bef1d9a881cc5dde808f1a6b8c787" }, + .sha256 = "b740077197d46009b9c18f5ad181b7a3ac5bef1d9a881cc5dde808f1a6b8c787", + .sha384 = "2f5c390f14e2587d26f1b7853703208999ca6e66da38b1c7990bce478c08662c560ae74b41003b3cdb58999b365b0e82" }, { .path = "/policy/pol_pcr16_read", - .sha1 = "eab0d71ae6088009cbd0b50729fde69eb453649c", - .sha256 = "bff2d58e9813f97cefc14f72ad8133bc7092d652b7c877959254af140c841f36" }, + .sha256 = "bff2d58e9813f97cefc14f72ad8133bc7092d652b7c877959254af140c841f36", + .sha384 = "c1923346b6d44a154b58b57b4327ee70c29ac536f9209d94880de6834f370587846a2834e3e88af61efd8679fcccedd5" }, { .path = "/policy/pol_pcr8_0", - .sha1 = "d6756ffbe88b1d082ee7048500ff9cc1a718de40", - .sha256 = "2a90ac03196573f129e70a9e04485bff581d2890fe5882d3c2667290d84b497b" }, + .sha256 = "2a90ac03196573f129e70a9e04485bff581d2890fe5882d3c2667290d84b497b", + .sha384 = "895abaad2fc5af9828963a4f7d093e35f004ab4ab9819ff44745c4d8fcb9df1deca5a7d4503f93335a110042943aeb6c" }, { .path = "/policy/pol_signed_ecc", - .sha1 = "c18fc6f175bd17e41c257184443a81c99ced9225", - .sha256 = "07aefc36fb098f5f59f2f74d8854235a29d1f93b4ddd488f6ec667d9c1d716b6" }, + .sha256 = "516ce6f16c4c3fa86cbab245a174c2f981aef825e98a705f561d3d519ecb0a1f", + .sha384 = "bfe6bc620f466d82fc1662b41be27ccd1461bc3d8bda8ad737e54bf24c64ac6d7ed849d86b687f0d332d66f71feb0217" }, { .path = "/policy/pol_signed", - .sha1 = "85bf0403e87d3c29c3daa5c87efb111cb717875d", - .sha256 = "b1969529af7796c5b4f5e4781713f4525049f36cb12ec63f996dad1c4401c068" }, + .sha256 = "b641d22197928e4b527501b2dedd11a2ef93651faa6e84dfedc931faaf9e2e7f", + .sha384 = "b88c6c01425b681b456bb548724d9bf4c72fc0e93043315808a05df563521eb4f8402872da1d724d5594f6ef67253854" }, { .path = "/policy/pol_ek_high_range_sha256", - .sha1 = "23694f69a8f33f588a93879021a294f3ed73b361", - .sha256 = "ca3d0a99a2b93906f7a3342414efcfb3a385d44cd1fd459089d19b5071c0b7a0" }, + .sha256 = "ca3d0a99a2b93906f7a3342414efcfb3a385d44cd1fd459089d19b5071c0b7a0", + .sha384 = "ad6634775155ce801c6d8371f24e570a5b4f3955c07146d7f3c476c8ac48ab30b922e1d7854b79e21c6e7287385e841e" }, + { .path = "/policy/pol_ek_high_range_sha384", + .sha256 = "c1c7fbac75abb45675550fcf2e2128eb2f4f2bb57b291de05a87f380ecfb1261", + .sha384 = "02feb9362e0c8a1b2074daf9fc51d82a142732365887b985c118874988004ed22cfe7bb484671b38286b8ccc9cec824e" }, { .path = "/policy/pol_template", - .sha1 = "acfec8114dee366fa5451cfcbfe2111cf324e18d", - .sha256 = "4f94fe9a608e6efc376ee1589f43581b8eb1fea60fe6ae94d60f88b67312825d" }, + .sha256 = "8beacb2d1cb3318856f9a51bbdede1499892b5bbe7fc491f37cf5c6ed56c7d73", + .sha384 = "48e4538b32d25890d49e8f695c2eae3b1a523bc162d1e82a4842fb7da260e51e8f615e38b3ae18f41899b339bc590f70" }, }; #endif diff --git a/test/integration/policy-execute.int.c b/test/integration/policy-execute.int.c index 7b7e60a0e..3c43b5757 100644 --- a/test/integration/policy-execute.int.c +++ b/test/integration/policy-execute.int.c @@ -121,17 +121,20 @@ static TSS2_RC sign_cb ( const char *priv_key_pem = NULL; /* these also exist in fapi-key-create-policy-signed.int.c */ + /* see test/data/fapi/policy/ecc.pem */ static const char *priv_ecc_pem = "-----BEGIN EC PRIVATE KEY-----\n" "MHcCAQEEILE8jic/6w/lKoFTVblkNQ4Ls5IYibQNQ4Dk5B9R09ONoAoGCCqGSM49\n" "AwEHoUQDQgAEoJTa3zftdAzHC96IjpqQ/dnLm+p7pEiLMi03Jd0oP0aYnnXFjolz\n" "IB/dBZ/t+BLh0PwLM5aAM/jugeLkHgpIyQ==\n" "-----END EC PRIVATE KEY-----\n"; + /* see test/data/fapi/policy/ecc.pem */ static const char *pub_ecc_pem = "-----BEGIN PUBLIC KEY-----\n" "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoJTa3zftdAzHC96IjpqQ/dnLm+p7\n" "pEiLMi03Jd0oP0aYnnXFjolzIB/dBZ/t+BLh0PwLM5aAM/jugeLkHgpIyQ==\n" "-----END PUBLIC KEY-----\n"; + /* see test/data/fapi/policy/rsa2.pem */ static const char *priv_rsa_pem = "-----BEGIN PRIVATE KEY-----\n" "MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCgYvoisJIDOeYg\n" "jMF6ywiZbu085TLvy5ZMhq5vfYqdgefvwpemutnfKSnpYOs5B4yO/gAD7XiYluDv\n" @@ -161,6 +164,7 @@ static TSS2_RC sign_cb ( "i8Kp6jR2wY0suObmZHKvbCB1Dw==\n" "-----END PRIVATE KEY-----\n"; + /* see test/data/fapi/policy/rsa2.pem */ static const char *pub_rsa_pem = "-----BEGIN PUBLIC KEY-----\n" "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoGL6IrCSAznmIIzBessI\n" "mW7tPOUy78uWTIaub32KnYHn78KXprrZ3ykp6WDrOQeMjv4AA+14mJbg77apVYXy\n" @@ -181,7 +185,7 @@ static TSS2_RC sign_cb ( return TSS2_RC_TEST_KEY_NOT_FOUND; } - assert(key_pem_hash_alg == TPM2_ALG_SHA256); + assert(key_pem_hash_alg == TPM2_ALG_SHA384); BIO *bio = BIO_new_mem_buf(priv_key_pem, strlen(priv_key_pem)); EVP_PKEY *priv_key = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL); @@ -191,7 +195,7 @@ static TSS2_RC sign_cb ( EVP_MD_CTX *mdctx = NULL; EVP_PKEY_CTX *pctx = NULL; - const EVP_MD *ossl_hash = EVP_sha256(); + const EVP_MD *ossl_hash = EVP_sha384(); mdctx = EVP_MD_CTX_create(); assert(mdctx); @@ -308,110 +312,125 @@ static TSS2_RC polauth_cb ( * The key for these policies can be found in: * - test/data/fapi/policy/ecc.pem */ - static const unsigned char der_sig_ecdsa_sha256[] = { 0x30, 0x46, 0x02, - 0x21, 0x00, 0xfc, 0x85, 0x35, 0xc9, 0x3e, 0xc2, 0x49, 0x99, 0x13, - 0xdf, 0x8b, 0x2c, 0xfe, 0x6b, 0x02, 0xd7, 0x1a, 0x9a, 0xb6, 0x62, - 0x3b, 0xed, 0xa2, 0x3f, 0x44, 0x89, 0x38, 0x1c, 0xf2, 0x6c, 0xef, - 0x4e, 0x02, 0x21, 0x00, 0xe9, 0x93, 0x3f, 0x64, 0x60, 0x8f, 0x72, - 0x89, 0xde, 0xf4, 0xd2, 0x9d, 0xe2, 0xe7, 0xcd, 0x32, 0x79, 0x3c, - 0x92, 0xa4, 0x97, 0x49, 0x44, 0x4a, 0xa2, 0xe0, 0xd3, 0x58, 0x68, - 0x9e, 0xc5, 0x96 }; - - static const unsigned char policy_digest_sha256[] = { 0xbf, 0xf2, 0xd5, - 0x8e, 0x98, 0x13, 0xf9, 0x7c, 0xef, 0xc1, 0x4f, 0x72, 0xad, 0x81, - 0x33, 0xbc, 0x70, 0x92, 0xd6, 0x52, 0xb7, 0xc8, 0x77, 0x95, 0x92, - 0x54, 0xaf, 0x14, 0x0c, 0x84, 0x1f, 0x36 }; - - static const unsigned char der_sig_ecdsa_sha1[] = { 0x30, 0x44, 0x02, 0x20, - 0x35, 0xfd, 0xbc, 0xa0, 0xac, 0x4a, 0xd2, 0xd9, 0x06, 0xa4, 0x57, - 0xbe, 0x0a, 0xd9, 0xe9, 0x36, 0x3e, 0xbc, 0x7d, 0xc5, 0x0c, 0xf6, - 0x0f, 0xad, 0x79, 0x04, 0x13, 0xf6, 0x42, 0x8b, 0x33, 0x78, 0x02, - 0x20, 0x17, 0x38, 0x44, 0x15, 0x10, 0x4c, 0x46, 0x08, 0x56, 0x86, - 0xca, 0xe9, 0xfd, 0x45, 0x8a, 0xf8, 0x6e, 0x0f, 0x0b, 0x43, 0xe0, - 0xbc, 0x03, 0x9b, 0x72, 0xc5, 0xdf, 0x4b, 0xc9, 0xf8, 0xf7, 0x02 }; - - static const unsigned char policy_digest_sha1[] = { 0xea, 0xb0, 0xd7, 0x1a, - 0xe6, 0x08, 0x80, 0x09, 0xcb, 0xd0, 0xb5, 0x07, 0x29, 0xfd, 0xe6, - 0x9e, 0xb4, 0x53, 0x64, 0x9c }; + static const unsigned char der_sig_ecdsa_sha384[] = { + 0x30, 0x46, 0x02, 0x21, 0x00, 0xd1, 0xe4, 0x9d, 0x3c, 0x3e, 0xc5, 0x39, + 0x95, 0xd9, 0x0d, 0x72, 0xaf, 0xe1, 0xd6, 0x61, 0x83, 0xce, 0x8b, 0x10, + 0x8d, 0x45, 0xa5, 0x03, 0xe0, 0x25, 0x4e, 0xd8, 0xde, 0xa0, 0xe1, 0xae, + 0x5d, 0x02, 0x21, 0x00, 0xb0, 0x81, 0x12, 0x8d, 0xb0, 0x75, 0x23, 0x99, + 0x64, 0xd2, 0x14, 0xcc, 0xe8, 0xab, 0xb9, 0x1e, 0xc4, 0x34, 0x52, 0x26, + 0xcf, 0x81, 0x3b, 0x18, 0xc3, 0x62, 0x9d, 0x32, 0xcd, 0x22, 0x30, 0xf0 }; + + static const unsigned char policy_digest_sha384[] = { + 0xc1, 0x92, 0x33, 0x46, 0xb6, 0xd4, 0x4a, 0x15, 0x4b, 0x58, 0xb5, 0x7b, + 0x43, 0x27, 0xee, 0x70, 0xc2, 0x9a, 0xc5, 0x36, 0xf9, 0x20, 0x9d, 0x94, + 0x88, 0x0d, 0xe6, 0x83, 0x4f, 0x37, 0x05, 0x87, 0x84, 0x6a, 0x28, 0x34, + 0xe3, 0xe8, 0x8a, 0xf6, 0x1e, 0xfd, 0x86, 0x79, 0xfc, 0xcc, 0xed, 0xd5 }; + + /* x=deadbeef # can be obtained via tcti-pcap/tpmstream + * printf $x | xxd -r -p | openssl pkeyutl -sign -inkey test/data/fapi/policy/ecc.pem | xxd -p + * https://bits.ondrovo.com/hexc.html + */ + static const unsigned char der_sig_ecdsa_sha256[] = { + 0x30, 0x45, 0x02, 0x20, 0x2a, 0xc4, 0x01, 0x4e, 0xf8, 0x29, 0xff, 0x97, + 0xa1, 0xae, 0xa3, 0x4c, 0x78, 0xa5, 0x86, 0x12, 0xea, 0xad, 0x9e, 0x3c, + 0xca, 0xe8, 0x7d, 0x5e, 0x9f, 0x6a, 0xbf, 0x16, 0xbc, 0xdd, 0xe5, 0x64, + 0x02, 0x21, 0x00, 0xf0, 0xb3, 0xda, 0x8d, 0x70, 0xe4, 0x36, 0x70, 0x35, + 0x31, 0x8a, 0xe5, 0x49, 0xf1, 0xbf, 0x08, 0x5c, 0x3d, 0x28, 0x98, 0xa9, + 0x15, 0x74, 0xe3, 0x37, 0x5b, 0x6c, 0x47, 0xd3, 0xcb, 0xb2, 0xaa }; + + static const unsigned char policy_digest_sha256[] = { + 0xbf, 0xf2, 0xd5, 0x8e, 0x98, 0x13, 0xf9, 0x7c, 0xef, 0xc1, 0x4f, + 0x72, 0xad, 0x81, 0x33, 0xbc, 0x70, 0x92, 0xd6, 0x52, 0xb7, 0xc8, + 0x77, 0x95, 0x92, 0x54, 0xaf, 0x14, 0x0c, 0x84, 0x1f, 0x36 }; /* on success, the policy digest is set to zero's and the digest is updated * to halg(CC_PolicyAuth | key_name | policyRef */ - static const unsigned char policy_digest_update_ecdsa_sha1[] = { 0x46, 0x10, - 0x86, 0x37, 0xa3, 0xc4, 0x62, 0x18, 0xaf, 0x31, 0x8f, 0xc4, 0x0f, - 0xe1, 0xc9, 0x77, 0xb9, 0x2e, 0xfc, 0xe6 }; - - static const unsigned char policy_digest_update_ecdsa_sha256[] = { 0xb9, - 0xb3, 0x70, 0xc6, 0xb4, 0xf8, 0x48, 0x87, 0x51, 0x86, 0x34, 0xab, - 0x40, 0x8c, 0xe2, 0x3d, 0xfc, 0x09, 0x2a, 0xe4, 0x22, 0x81, 0xa1, - 0xb8, 0x43, 0x8b, 0x3f, 0x34, 0xd9, 0xce, 0xb1, 0x8e }; - - static const unsigned char rsapss_sig_sha256[] = { 0x1c, 0xfa, 0x1d, 0xbc, - 0xab, 0x6f, 0x6b, 0x00, 0x97, 0x25, 0xa6, 0x32, 0xf4, 0x2a, 0x9d, - 0xe1, 0x2d, 0xa9, 0xb8, 0xd7, 0xb5, 0xaf, 0x96, 0x99, 0xd8, 0x07, - 0xbb, 0xba, 0x4d, 0xbe, 0x4f, 0xe9, 0x31, 0x17, 0xf8, 0xea, 0xd6, - 0xf9, 0x4e, 0x67, 0x6b, 0x59, 0x15, 0x7c, 0xce, 0xd4, 0x30, 0x9b, - 0x32, 0x38, 0x89, 0x79, 0x52, 0x3b, 0x82, 0x0c, 0x88, 0xa1, 0x16, - 0x05, 0x0a, 0xb9, 0x93, 0x0b, 0xd9, 0x79, 0xde, 0xfe, 0x35, 0xb2, - 0xa5, 0x21, 0x66, 0x12, 0x86, 0x07, 0xe8, 0x09, 0x71, 0xa6, 0x16, - 0x64, 0x31, 0x80, 0xe6, 0x30, 0xe4, 0xa5, 0xbb, 0xe1, 0x15, 0xa1, - 0x2a, 0xbb, 0xeb, 0xab, 0x4b, 0x0e, 0xd5, 0x5e, 0x07, 0x69, 0x74, - 0x8d, 0x39, 0x7a, 0xb5, 0x8f, 0x31, 0x18, 0x24, 0x23, 0x04, 0x40, - 0xed, 0x95, 0x56, 0xbe, 0x96, 0x71, 0x81, 0xdb, 0xfc, 0xcb, 0x27, - 0x5b, 0x02, 0x84, 0xf4, 0x9c, 0xa9, 0x60, 0xd9, 0x54, 0x37, 0x87, - 0xb7, 0xe6, 0x96, 0x90, 0x82, 0xe3, 0x6a, 0x63, 0xbf, 0xab, 0x41, - 0x8a, 0xde, 0xbd, 0xf9, 0x72, 0x08, 0x51, 0x2c, 0x8b, 0xa6, 0x2f, - 0x36, 0xe7, 0x47, 0x61, 0x6f, 0x06, 0x5a, 0x33, 0x95, 0xd9, 0x14, - 0xaa, 0xde, 0x02, 0xab, 0x5c, 0xb8, 0xe4, 0x05, 0x70, 0xe4, 0x59, - 0x20, 0x39, 0x58, 0x3e, 0xf0, 0x80, 0x50, 0x9b, 0xf9, 0xb2, 0xa3, - 0xe1, 0xc6, 0x79, 0xd8, 0x33, 0x8e, 0x71, 0x64, 0x02, 0x5c, 0xbf, - 0x85, 0xd5, 0x30, 0xc3, 0x2c, 0x7d, 0x16, 0x35, 0x48, 0x24, 0x48, - 0x41, 0x12, 0xf6, 0x5b, 0x56, 0x7b, 0xf2, 0xbf, 0x8b, 0x1e, 0x5e, - 0xa5, 0xeb, 0x53, 0xf8, 0x56, 0x6e, 0xe9, 0xd7, 0xcb, 0xfd, 0xce, - 0x49, 0xca, 0x6c, 0x8e, 0x2c, 0x05, 0x5e, 0xe2, 0xe6, 0x38, 0x1d, - 0x53, 0xc2, 0x35, 0xcf, 0xec, 0xb3, 0xaa, 0xb5, 0x93, 0x36 }; - - static const unsigned char rsapss_sig_sha1[] = { 0x45, 0xb2, 0x23, 0x45, - 0xad, 0x9c, 0xb6, 0x02, 0x18, 0x9e, 0xb2, 0x38, 0x7e, 0x19, 0xa6, - 0x2c, 0x1d, 0x54, 0x83, 0xa7, 0x6e, 0xcd, 0xdc, 0x06, 0xa3, 0x8b, - 0x69, 0x43, 0x56, 0xf1, 0x61, 0x84, 0x17, 0x50, 0x76, 0x78, 0x13, - 0xed, 0x96, 0x73, 0xb7, 0x8d, 0xc7, 0x03, 0xba, 0x1f, 0x87, 0xab, - 0x00, 0x1f, 0xaf, 0x40, 0xae, 0xf7, 0x58, 0x97, 0xbd, 0xc6, 0xce, - 0xe3, 0x4a, 0xf6, 0x1a, 0x6c, 0xf8, 0x28, 0x8c, 0x9a, 0x1e, 0x41, - 0xf8, 0x11, 0x01, 0x7a, 0x4c, 0x4e, 0xde, 0x29, 0xa4, 0xf0, 0x44, - 0x43, 0xf8, 0x60, 0x21, 0x5a, 0x6f, 0x85, 0xe0, 0x6b, 0xb8, 0xe7, - 0x95, 0x77, 0x28, 0x66, 0x5a, 0xcc, 0xd9, 0x0e, 0x63, 0x02, 0x84, - 0x8b, 0x4f, 0x6d, 0x6f, 0xd1, 0xc8, 0x99, 0x65, 0x71, 0x6e, 0xa5, - 0x58, 0xf2, 0xa5, 0xc1, 0x4b, 0xd9, 0xbd, 0x58, 0xc5, 0xe0, 0x2c, - 0x64, 0x27, 0xd4, 0x08, 0xa4, 0xab, 0xe3, 0x6b, 0xfd, 0x78, 0x44, - 0x42, 0xc7, 0x06, 0x53, 0x62, 0xa5, 0xed, 0x50, 0x9e, 0x19, 0x91, - 0xe5, 0x67, 0x36, 0xb6, 0xdc, 0x40, 0x0a, 0x87, 0xd2, 0xe7, 0x3f, - 0xaf, 0x08, 0xf6, 0x9e, 0x62, 0xc9, 0xd3, 0x6d, 0x35, 0x76, 0x5c, - 0x02, 0x0a, 0x24, 0xde, 0x52, 0x91, 0x10, 0x7a, 0xa7, 0xa6, 0x15, - 0xdf, 0xd0, 0xee, 0xd6, 0x80, 0xa7, 0x91, 0x23, 0x73, 0xbe, 0xf8, - 0xb8, 0x50, 0x77, 0x90, 0xde, 0x99, 0x4f, 0x24, 0x8b, 0xc4, 0x69, - 0x64, 0x42, 0xd9, 0x51, 0xc6, 0x7e, 0x68, 0xb7, 0x60, 0xf9, 0xd6, - 0x18, 0x27, 0xa1, 0xeb, 0xd4, 0x90, 0x5c, 0x80, 0x38, 0x72, 0x89, - 0x5f, 0x8d, 0x1c, 0xf1, 0x91, 0x52, 0x8e, 0xce, 0xfd, 0xd4, 0x1f, - 0x60, 0xe8, 0x1b, 0x5c, 0xf7, 0xe0, 0xba, 0x7f, 0x82, 0x82, 0x85, - 0x92, 0x41, 0xa5, 0x56, 0xc8, 0x50, 0xec, 0x76, 0x75, 0x8c }; - - static const unsigned char rsassa_sig_sha256[] = { + static const unsigned char policy_digest_update_ecdsa_sha256[] = { + 0xb9, 0xb3, 0x70, 0xc6, 0xb4, 0xf8, 0x48, 0x87, 0x51, 0x86, 0x34, + 0xab, 0x40, 0x8c, 0xe2, 0x3d, 0xfc, 0x09, 0x2a, 0xe4, 0x22, 0x81, + 0xa1, 0xb8, 0x43, 0x8b, 0x3f, 0x34, 0xd9, 0xce, 0xb1, 0x8e }; + + static const unsigned char policy_digest_update_ecdsa_sha384[] = { + 0xb6, 0xae, 0x94, 0x3e, 0xc8, 0x3e, 0xc7, 0x7e, 0xa5, 0x71, 0x9f, 0x5e, + 0x9e, 0xea, 0xd0, 0x34, 0xf6, 0xa2, 0xb8, 0xe3, 0xb7, 0x5e, 0xf8, 0xc6, + 0x4d, 0xa7, 0x7e, 0xba, 0x10, 0x13, 0x22, 0x8d, 0xbd, 0xcd, 0xe3, 0x09, + 0xd3, 0xa1, 0x77, 0xa6, 0xcf, 0xf2, 0x8d, 0x39, 0x19, 0x5f, 0x77, 0xec }; + + /* x=deadbeef # can be obtained via tcti-pcap/tpmstream + * printf $x | xxd -r -p | openssl pkeyutl -sign -inkey test/data/fapi/policy/rsa2.pem -pkeyopt digest:sha384 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:-1 | xxd -p + * https://bits.ondrovo.com/hexc.html + */ + static const unsigned char rsapss_sig_sha384[] = { + 0x84, 0x2a, 0x2e, 0xd4, 0xf2, 0xf6, 0x5f, 0x1a, 0xcb, 0x18, 0x38, 0x5a, + 0x1d, 0xdc, 0x87, 0x6b, 0x45, 0xcc, 0xf5, 0x07, 0xcb, 0x6f, 0x3f, 0xc0, + 0x0c, 0xfc, 0x5f, 0x41, 0x1e, 0x7f, 0xd4, 0xb6, 0xc5, 0x20, 0xd1, 0xf9, + 0x0c, 0x8e, 0x4f, 0x24, 0x1f, 0xe4, 0x47, 0x95, 0xb9, 0x52, 0x5b, 0x4a, + 0x40, 0xa0, 0x9f, 0xe3, 0x46, 0xf7, 0x0a, 0x2c, 0x61, 0xe5, 0xdc, 0xd9, + 0x61, 0x3c, 0xe2, 0x4a, 0xde, 0x68, 0xc4, 0xfb, 0x2d, 0x88, 0x22, 0x43, + 0x67, 0xab, 0xe3, 0xe7, 0xd4, 0x86, 0x65, 0x81, 0x96, 0xc3, 0x5d, 0x94, + 0x31, 0xc4, 0x90, 0x75, 0x9c, 0x68, 0x24, 0x31, 0xd6, 0x5f, 0x09, 0x7f, + 0x08, 0x7e, 0xbe, 0x0c, 0x7b, 0x73, 0x60, 0x34, 0x66, 0xbe, 0x3b, 0x1d, + 0x02, 0x88, 0xb7, 0xa7, 0xb4, 0xe3, 0xdb, 0x95, 0xe8, 0xde, 0x87, 0x89, + 0x69, 0x24, 0x18, 0xb9, 0x06, 0x0f, 0xb3, 0xb9, 0x29, 0x72, 0x6b, 0x0a, + 0x15, 0x1b, 0x4d, 0x97, 0x88, 0x65, 0x36, 0xf1, 0x4a, 0x54, 0xe1, 0xf9, + 0x04, 0x44, 0x91, 0xad, 0x37, 0xe7, 0xb9, 0x0b, 0x99, 0x74, 0x86, 0x23, + 0x23, 0x02, 0x17, 0xf3, 0xf4, 0x62, 0x7c, 0xa1, 0xcc, 0x03, 0x68, 0x6c, + 0xc3, 0x42, 0x93, 0x73, 0x27, 0xba, 0x0f, 0xb6, 0xaa, 0xaa, 0x4e, 0x5a, + 0xc0, 0xd8, 0xd5, 0x01, 0x52, 0xa2, 0x95, 0xd2, 0x82, 0xc1, 0xc2, 0x39, + 0xf6, 0xaa, 0x28, 0x69, 0x58, 0x08, 0x1c, 0xcd, 0xe7, 0xf2, 0x7f, 0x2b, + 0xaf, 0x06, 0xc8, 0x8d, 0xfc, 0xa2, 0xf3, 0x60, 0x4f, 0xe2, 0x7a, 0xe6, + 0x54, 0x51, 0xa1, 0xd9, 0x6a, 0xe6, 0xea, 0x1b, 0x7d, 0xa8, 0xa8, 0x58, + 0x7d, 0x18, 0xa6, 0x87, 0x23, 0xe4, 0x32, 0x76, 0x4b, 0x72, 0xf6, 0x01, + 0x38, 0xfb, 0x69, 0xc2, 0xa0, 0xd2, 0x95, 0xee, 0x58, 0xe4, 0x1d, 0xbf, + 0xae, 0xf3, 0x6f, 0x5b }; + + /* x=deadbeef # can be obtained via tcti-pcap/tpmstream + * printf $x | xxd -r -p | openssl pkeyutl -sign -inkey test/data/fapi/policy/rsa2.pem -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:-1 | xxd -p + * https://bits.ondrovo.com/hexc.html + */ + static const unsigned char rsapss_sig_sha256[] = { + 0x75, 0x7c, 0xe3, 0xcf, 0xd3, 0x8a, 0x7c, 0x01, 0xbe, 0x76, 0xef, 0xe6, + 0x8f, 0x7b, 0xce, 0x91, 0x7d, 0x0e, 0xb8, 0x4c, 0xf4, 0x96, 0x05, 0x53, + 0x66, 0xd5, 0x9b, 0xc6, 0xf9, 0x58, 0xd4, 0xf5, 0x4f, 0x3b, 0x05, 0xba, + 0x46, 0x47, 0x23, 0xc8, 0x3e, 0x2e, 0xbc, 0x7a, 0xbc, 0xbf, 0xb3, 0x0a, + 0xef, 0x87, 0xf5, 0xbf, 0xd0, 0x84, 0xac, 0x56, 0x1f, 0xab, 0xa6, 0x8c, + 0x9d, 0xd5, 0x88, 0xb4, 0xa1, 0xa4, 0x2b, 0xe9, 0x77, 0xa6, 0x6e, 0xa0, + 0x6e, 0xd0, 0x16, 0x1e, 0x9f, 0x86, 0xed, 0x44, 0x85, 0x32, 0x14, 0xb0, + 0xb9, 0x1b, 0xee, 0xce, 0xc1, 0x32, 0xd2, 0xaa, 0x21, 0xe5, 0x81, 0x2d, + 0x85, 0x27, 0x5d, 0x9f, 0x54, 0x03, 0xe6, 0xc7, 0x68, 0xb0, 0x57, 0x91, + 0xbc, 0x43, 0x20, 0x4c, 0x4a, 0xdb, 0x2d, 0x75, 0xc6, 0xbe, 0x9b, 0x65, + 0xaf, 0x8e, 0x49, 0xee, 0xa1, 0x38, 0x93, 0xaa, 0x5c, 0x73, 0xfe, 0xab, + 0x94, 0xba, 0x6e, 0xbb, 0xae, 0x26, 0xdb, 0xe0, 0x87, 0xcd, 0x3a, 0x03, + 0x7d, 0xfe, 0x4c, 0x06, 0x84, 0x03, 0xae, 0xce, 0x5f, 0xe0, 0x9a, 0x42, + 0x8c, 0xb4, 0x2e, 0xb3, 0x42, 0x18, 0xcf, 0xe9, 0xe0, 0xaa, 0x39, 0xe1, + 0x53, 0x67, 0xe9, 0x6d, 0xfb, 0x5e, 0xaa, 0x78, 0xaa, 0xc0, 0xfc, 0xec, + 0xda, 0x39, 0x0c, 0xb7, 0xf1, 0x44, 0xb9, 0x96, 0x5a, 0xc7, 0x46, 0x28, + 0x85, 0x90, 0x4a, 0x79, 0x13, 0xcb, 0xbe, 0x4b, 0xdb, 0xbb, 0x47, 0x46, + 0xec, 0x28, 0x03, 0x9e, 0xb0, 0xe8, 0xa3, 0xc4, 0xa7, 0x6b, 0x59, 0x5b, + 0xc8, 0x53, 0x6e, 0x55, 0x42, 0x26, 0xc4, 0x7a, 0x8c, 0x66, 0x1e, 0x44, + 0xdd, 0x59, 0x3c, 0x47, 0x34, 0x4e, 0x66, 0xf8, 0x69, 0x14, 0x2c, 0x7c, + 0x23, 0x21, 0x5f, 0xc1, 0x7d, 0x03, 0x39, 0x97, 0x50, 0x3b, 0x08, 0x5e, + 0x1c, 0x10, 0x21, 0xd5 }; + + static const unsigned char rsassa_sig_sha384[] = { }; - static const unsigned char rsassa_sig_sha1[] = { + static const unsigned char rsassa_sig_sha256[] = { }; - static const unsigned char policy_digest_update_rsa_pss_sha1[] = { 0x95, - 0x50, 0x43, 0xc0, 0xb1, 0xaf, 0x0f, 0xc9, 0x73, 0xe2, 0x98, 0x8d, - 0x63, 0x61, 0x72, 0xfa, 0xd2, 0xdc, 0x36, 0xb0 }; + static const unsigned char policy_digest_update_rsa_pss_sha256[] = { + 0x51, 0x64, 0xb8, 0x9f, 0xcf, 0xdc, 0x39, 0x88, 0x06, 0xc0, 0xfd, 0xe7, + 0xa3, 0xeb, 0x52, 0x37, 0x15, 0x95, 0xfc, 0xbe, 0xc1, 0xb1, 0xfc, 0xea, + 0x57, 0x52, 0x4c, 0x56, 0xff, 0xf6, 0x7f, 0x46 }; - static const unsigned char policy_digest_update_rsa_pss_sha256[] = { 0xff, - 0x9f, 0xc3, 0x7f, 0x5b, 0xed, 0x0b, 0xf0, 0x81, 0x49, 0xaf, 0x54, - 0x82, 0x1d, 0xb3, 0x41, 0xb0, 0xee, 0xa7, 0x3e, 0xb3, 0x80, 0xeb, - 0x9e, 0x46, 0x0e, 0x5e, 0x59, 0x91, 0x12, 0x8b, 0xd9 }; + static const unsigned char policy_digest_update_rsa_pss_sha384[] = { + 0x32, 0x20, 0x3f, 0x84, 0x64, 0x92, 0xcd, 0xb1, 0x31, 0xfa, 0x1e, 0x72, + 0xdb, 0xb9, 0x25, 0x7c, 0x57, 0xc1, 0x05, 0xb9, 0xca, 0x2e, 0xa4, 0xb3, + 0x1f, 0xdb, 0x73, 0x47, 0xb5, 0xd5, 0xf2, 0xe0, 0x91, 0xc7, 0x81, 0x9d, + 0x5a, 0xf6, 0x39, 0xa0, 0x25, 0x46, 0xdc, 0x41, 0x84, 0xd7, 0x4d, 0x9e }; /* Convert the signature */ if (key_public->type == TPM2_ALG_ECC) { @@ -421,12 +440,12 @@ static TSS2_RC polauth_cb ( const BIGNUM *bns; const unsigned char *p = - hash_alg == TPM2_ALG_SHA1 ? - der_sig_ecdsa_sha1 : der_sig_ecdsa_sha256; + hash_alg == TPM2_ALG_SHA256 ? + der_sig_ecdsa_sha256 : der_sig_ecdsa_sha384; size_t len = - hash_alg == TPM2_ALG_SHA1 ? - sizeof(der_sig_ecdsa_sha1) : - sizeof(der_sig_ecdsa_sha256); + hash_alg == TPM2_ALG_SHA256 ? + sizeof(der_sig_ecdsa_sha256) : + sizeof(der_sig_ecdsa_sha384); d2i_ECDSA_SIG(&ecdsaSignature, &p, len); return_if_null(ecdsaSignature, "Invalid DER signature", TSS2_FAPI_RC_GENERAL_FAILURE); @@ -450,11 +469,11 @@ static TSS2_RC polauth_cb ( if (key_public->parameters.rsaDetail.scheme.scheme == TPM2_ALG_RSAPSS) { const unsigned char *p = - hash_alg == TPM2_ALG_SHA1 ? - rsapss_sig_sha1 : rsapss_sig_sha256; + hash_alg == TPM2_ALG_SHA256 ? + rsapss_sig_sha256 : rsapss_sig_sha384; size_t len = - hash_alg == TPM2_ALG_SHA1 ? - sizeof(rsapss_sig_sha1) : sizeof(rsapss_sig_sha256); + hash_alg == TPM2_ALG_SHA256 ? + sizeof(rsapss_sig_sha256) : sizeof(rsapss_sig_sha384); signature->sigAlg = TPM2_ALG_RSAPSS; signature->signature.rsapss.hash = hash_alg; @@ -464,11 +483,11 @@ static TSS2_RC polauth_cb ( == TPM2_ALG_RSASSA) { const unsigned char *p = - hash_alg == TPM2_ALG_SHA1 ? - rsassa_sig_sha1 : rsassa_sig_sha256; + hash_alg == TPM2_ALG_SHA256 ? + rsassa_sig_sha256 : rsassa_sig_sha384; size_t len = - hash_alg == TPM2_ALG_SHA1 ? - sizeof(rsassa_sig_sha1) : sizeof(rsassa_sig_sha256); + hash_alg == TPM2_ALG_SHA256 ? + sizeof(rsassa_sig_sha256) : sizeof(rsassa_sig_sha384); signature->sigAlg = TPM2_ALG_RSASSA; signature->signature.rsassa.hash = hash_alg; @@ -480,17 +499,17 @@ static TSS2_RC polauth_cb ( } /* copy the policy hash into the buffer*/ - if (hash_alg == TPM2_ALG_SHA1) { - digest->size = sizeof(policy_digest_sha1); - memcpy(digest->buffer, policy_digest_sha1, digest->size); - } else { + if (hash_alg == TPM2_ALG_SHA256) { digest->size = sizeof(policy_digest_sha256); memcpy(digest->buffer, policy_digest_sha256, digest->size); + } else { + digest->size = sizeof(policy_digest_sha384); + memcpy(digest->buffer, policy_digest_sha384, digest->size); } /* the name algorithm is used to calculate the verification ticket for policy - * authorize, so if the name halg is sha256 and the hash_alg coming in is for - * sha1, we need to manipulate that here + * authorize, so if the name halg is sha384 and the hash_alg coming in is for + * sha256, we need to manipulate that here */ if (hash_alg != key_public->nameAlg) { key_public->nameAlg = hash_alg; @@ -520,13 +539,13 @@ static TSS2_RC polauth_cb ( if (key_public->type == TPM2_ALG_ECC) { cbdata->update_digest.size = - hash_alg == TPM2_ALG_SHA1 ? - sizeof(policy_digest_update_ecdsa_sha1) : - sizeof(policy_digest_update_ecdsa_sha256); + hash_alg == TPM2_ALG_SHA256 ? + sizeof(policy_digest_update_ecdsa_sha256) : + sizeof(policy_digest_update_ecdsa_sha384); const unsigned char *buffer = - hash_alg == TPM2_ALG_SHA1 ? - policy_digest_update_ecdsa_sha1 : - policy_digest_update_ecdsa_sha256; + hash_alg == TPM2_ALG_SHA256 ? + policy_digest_update_ecdsa_sha256 : + policy_digest_update_ecdsa_sha384; memcpy(cbdata->update_digest.buffer, buffer, cbdata->update_digest.size); } else { @@ -535,13 +554,13 @@ static TSS2_RC polauth_cb ( if (key_public->parameters.rsaDetail.scheme.scheme == TPM2_ALG_RSAPSS) { cbdata->update_digest.size = - hash_alg == TPM2_ALG_SHA1 ? - sizeof(policy_digest_update_rsa_pss_sha1) : - sizeof(policy_digest_update_rsa_pss_sha256); + hash_alg == TPM2_ALG_SHA256 ? + sizeof(policy_digest_update_rsa_pss_sha256) : + sizeof(policy_digest_update_rsa_pss_sha384); buffer = - hash_alg == TPM2_ALG_SHA1 ? - policy_digest_update_rsa_pss_sha1 : - policy_digest_update_rsa_pss_sha256; + hash_alg == TPM2_ALG_SHA256 ? + policy_digest_update_rsa_pss_sha256 : + policy_digest_update_rsa_pss_sha384; } else { LOG_ERROR("Non RSAPSS signature schemes are unsupported, got: 0x%x", key_public->parameters.rsaDetail.scheme.scheme); @@ -630,7 +649,7 @@ static TSS2_RC policy_cb_pcr ( /* fake a read */ if (pcr_select.hash == TPM2_ALG_SHA256) { - pcr_digests.digests[pcr_digests.count].size = 32; + pcr_digests.digests[pcr_digests.count].size = 48; } else { LOG_ERROR("Can not support hash 0x%x", pcr_select.hash); return TSS2_RC_TEST_NOT_SUPPORTED; @@ -766,6 +785,7 @@ static TSS2_RC check_policy ( } if (userdata.update_digest.size == 0) { + /* compare actual policyDigest to the one specified in test/data/test-fapi-policies.h */ /* SHA512 buffer size, times 2 for text, + 1 for NUL byte */ char hexdigest[64 + 64 + 1] = { 0 }; bin2hex(digest->buffer, digest->size, hexdigest); @@ -773,9 +793,11 @@ static TSS2_RC check_policy ( if (strcmp(expected_hash, hexdigest) != 0) { LOG_ERROR("Expected digest to match, got \"%s\" expected \"%s\"", hexdigest, expected_hash); + r = TSS2_RC_TEST_FAIL; goto cleanup; } } else { + /* compare actual policyDigest to the one specified by callback */ if (memcmp(digest->buffer, userdata.update_digest.buffer, digest->size)) { char a[64 + 64 + 1] = { 0 }; @@ -786,6 +808,7 @@ static TSS2_RC check_policy ( LOG_ERROR("Expected digest to match, got \"%s\" expected \"%s\"", b, a); + r = TSS2_RC_TEST_FAIL; goto cleanup; } } @@ -883,37 +906,37 @@ static int test_policy_execute ( continue; } - /* - * Per the IBM simulator code: - * A valid cpHash must have the same size as session hash digest - * - * NOTE: the size of the digest can't be zero because TPM_ALG_NULL - * can't be used for the authHashAlg. - */ - if (p->sha1 - && strcmp(_test_fapi_policy_policies[i].path, - "/policy/pol_cphash")) { - TSS2_RC r = check_policy(abs_path, esys_context, TPM2_ALG_SHA1, - p->sha1, expected_fail); + if (p->sha256) { + fprintf(stderr, " - SHA256\n"); + TSS2_RC r = check_policy(abs_path, esys_context, TPM2_ALG_SHA256, + p->sha256, expected_fail); if ((r == TPM2_RC_COMMAND_CODE) || (r == (TPM2_RC_COMMAND_CODE | TSS2_RESMGR_RC_LAYER)) || (r == (TPM2_RC_COMMAND_CODE | TSS2_RESMGR_TPM_RC_LAYER))) { LOG_WARNING("Policy %s not supported by TPM.", p->path); } else { - goto_if_error(r, "Checking policy digest for sha1 failed", error); + goto_if_error(r, "Checking policy digest for sha256 failed", error); } } SAFE_FREE(global_signature); - if (p->sha256) { - TSS2_RC r = check_policy(abs_path, esys_context, TPM2_ALG_SHA256, - p->sha256, expected_fail); + /* + * Per the IBM simulator code: + * A valid cpHash must have the same size as session hash digest + * + * NOTE: the size of the digest can't be zero because TPM_ALG_NULL + * can't be used for the authHashAlg. + */ + if (p->sha384 && strcmp(_test_fapi_policy_policies[i].path, "/policy/pol_cphash")) { + fprintf(stderr, " - SHA384\n"); + TSS2_RC r = check_policy(abs_path, esys_context, TPM2_ALG_SHA384, + p->sha384, expected_fail); if ((r == TPM2_RC_COMMAND_CODE) || (r == (TPM2_RC_COMMAND_CODE | TSS2_RESMGR_RC_LAYER)) || (r == (TPM2_RC_COMMAND_CODE | TSS2_RESMGR_TPM_RC_LAYER))) { LOG_WARNING("Policy %s not supported by TPM.", p->path); } else { - goto_if_error(r, "Checking policy digest for sha256 failed", error); + goto_if_error(r, "Checking policy digest for sha384 failed", error); } } SAFE_FREE(global_signature); diff --git a/test/unit/tss2_policy.c b/test/unit/tss2_policy.c index abe65f90e..1206a40e0 100644 --- a/test/unit/tss2_policy.c +++ b/test/unit/tss2_policy.c @@ -171,30 +171,31 @@ static void test_policy_instantiate ( fprintf(stderr, "Calculating policy (%u): %s\n", i, p->path); unsigned expected_hash_size = 0; - char hexdigest[32 + 32 + 1] = { 0 }; + /* buffer for displaying a hash as a hex string */ + char hexdigest[2 * sizeof(TPMU_HA) + 1] = { 0 }; TPM2B_DIGEST digest = { 0 }; TSS2_POLICY_CTX *ctx = NULL; /* for each hash alg set... */ TPM2_ALG_ID halgs[] = { - TPM2_ALG_SHA1, - TPM2_ALG_SHA256 + TPM2_ALG_SHA256, + TPM2_ALG_SHA384 }; unsigned j; for (j = 0; j < ARRAY_LEN(halgs); j++) { TPM2_ALG_ID halg = halgs[j]; - if (halg == TPM2_ALG_SHA1) { - if (!p->sha1) { - continue; - } - expected_hash_size = 20; - } else if (halg == TPM2_ALG_SHA256) { + if (halg == TPM2_ALG_SHA256) { if (!p->sha256) { continue; } expected_hash_size = 32; + } else if (halg == TPM2_ALG_SHA384) { + if (!p->sha384) { + continue; + } + expected_hash_size = 48; } char *json = read_all(abs_path); @@ -214,12 +215,12 @@ static void test_policy_instantiate ( assert_int_equal(rc, TSS2_RC_SUCCESS); assert_int_equal(digest.size, expected_hash_size); - if (halg == TPM2_ALG_SHA1) { - bin2hex(digest.buffer, digest.size, hexdigest); - assert_string_equal(p->sha1, hexdigest); - } else if (halg == TPM2_ALG_SHA256) { + if (halg == TPM2_ALG_SHA256) { bin2hex(digest.buffer, digest.size, hexdigest); assert_string_equal(p->sha256, hexdigest); + } else if (halg == TPM2_ALG_SHA384) { + bin2hex(digest.buffer, digest.size, hexdigest); + assert_string_equal(p->sha384, hexdigest); } /* Get the calculated policy digest */ @@ -257,12 +258,12 @@ static void test_policy_instantiate ( assert_int_equal(rc, TSS2_RC_SUCCESS); assert_int_equal(digest.size, expected_hash_size); - if (halg == TPM2_ALG_SHA1) { - bin2hex(digest.buffer, digest.size, hexdigest); - assert_string_equal(p->sha1, hexdigest); - } else if (halg == TPM2_ALG_SHA256) { + if (halg == TPM2_ALG_SHA256) { bin2hex(digest.buffer, digest.size, hexdigest); assert_string_equal(p->sha256, hexdigest); + } else if (halg == TPM2_ALG_SHA384) { + bin2hex(digest.buffer, digest.size, hexdigest); + assert_string_equal(p->sha384, hexdigest); } SAFE_FREE(json); From 3e41512c84f8586072d741ae445d43308b6b24a8 Mon Sep 17 00:00:00 2001 From: Johannes Holland Date: Mon, 15 Jul 2024 14:51:11 +0200 Subject: [PATCH 2/8] fapi: fix PolicyTemplate policyDigest calculation. We forgot to input the old policyDigest for the hash calculation of the new policyDigest. Bug was not caught due to missing return code assignment in policy-execute, see 80ffbf825f127. Fixes: #2862 Signed-off-by: Johannes Holland --- src/tss2-fapi/ifapi_policy_calculate.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/tss2-fapi/ifapi_policy_calculate.c b/src/tss2-fapi/ifapi_policy_calculate.c index 8d0c6aa32..86d1493f3 100644 --- a/src/tss2-fapi/ifapi_policy_calculate.c +++ b/src/tss2-fapi/ifapi_policy_calculate.c @@ -1271,6 +1271,9 @@ ifapi_calculate_policy_template( r = ifapi_crypto_hash_start(&cryptoContext, current_hash_alg); return_if_error(r, "crypto hash start"); + HASH_UPDATE_BUFFER(cryptoContext, + ¤t_digest->digests[digest_idx].digest, hash_size, + r, cleanup); HASH_UPDATE(cryptoContext, TPM2_CC, TPM2_CC_PolicyTemplate, r, cleanup); HASH_UPDATE_BUFFER(cryptoContext, &used_template_hash->buffer[0], From 8841194ca4d1f7cf44c9cea8166f0653e3033c3c Mon Sep 17 00:00:00 2001 From: Johannes Holland Date: Mon, 15 Jul 2024 15:00:43 +0200 Subject: [PATCH 3/8] test: purge sha1 from the tests (and their profiles) Also add some comments about hardcoded keys. Signed-off-by: Johannes Holland --- test/data/fapi/P_ECC.json | 6 +-- test/data/fapi/P_ECC384.json | 6 +-- test/data/fapi/P_ECC_error.json | 6 +-- test/data/fapi/P_ECC_sh_eh_policy.json | 6 +-- test/data/fapi/P_ECC_sh_eh_policy_sha384.json | 6 +-- test/data/fapi/P_RSA.json | 6 +-- test/data/fapi/P_RSA2.json | 6 +-- test/data/fapi/P_RSA256.json | 10 ++--- test/data/fapi/P_RSA3072.json | 6 +-- test/data/fapi/P_RSA_EK_persistent.json | 8 ++-- test/data/fapi/P_RSA_nameAlg_sha1.json | 8 ++-- test/data/fapi/P_RSA_sh_policy.json | 12 +++--- .../esys-tr-fromTpmPublic-nv.int.c | 6 +-- test/integration/fapi-data-crypt.int.c | 10 +++-- test/integration/fapi-export-policy.int.c | 38 +++++++++++------ test/integration/fapi-ext-public-key.int.c | 2 +- test/integration/fapi-key-change-auth.int.c | 6 ++- .../fapi-key-create-ckda-sign.int.c | 6 ++- .../fapi-key-create-policies-sign.int.c | 6 ++- ...-key-create-policy-authorize-nv-sign.int.c | 4 +- ...pi-key-create-policy-nv-counter-sign.int.c | 6 ++- .../fapi-key-create-policy-nv-sign.int.c | 6 ++- .../fapi-key-create-policy-or-sign.int.c | 6 ++- .../fapi-key-create-policy-pcr-sign.int.c | 7 ++-- ...i-key-create-policy-signed-keyedhash.int.c | 6 ++- .../fapi-key-create-policy-signed.int.c | 18 +++++--- ...i-key-create-sign-password-provision.int.c | 6 ++- ...api-key-create-sign-policy-provision.int.c | 6 ++- test/integration/fapi-pcr-test.int.c | 28 +++++++++++++ .../fapi-quote-destructive-eventlog.int.c | 17 +++++--- test/integration/fapi-quote-destructive.int.c | 10 +++-- .../integration/fapi-quote-with-primary.int.c | 38 +++++++++++++++-- test/integration/fapi-quote.int.c | 42 ++++++++++++++++--- test/integration/fapi-unseal.int.c | 6 ++- .../sys-create-keyedhash-sha1-hmac.int.c | 4 +- test/integration/sys-nv-policy-locality.int.c | 8 ++-- test/integration/sys-nv-readwrite.int.c | 6 +-- test/integration/sys-read-clock.int.c | 9 ++-- test/integration/test-fapi.h | 2 +- 39 files changed, 266 insertions(+), 129 deletions(-) diff --git a/test/data/fapi/P_ECC.json b/test/data/fapi/P_ECC.json index dbf43caa7..f556a82d6 100644 --- a/test/data/fapi/P_ECC.json +++ b/test/data/fapi/P_ECC.json @@ -20,11 +20,11 @@ }, "sym_block_size": 16, "pcr_selection": [ - { "hash": "TPM2_ALG_SHA1", - "pcrSelect": [ ], - }, { "hash": "TPM2_ALG_SHA256", "pcrSelect": [ 8, 9, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ] + }, + { "hash": "TPM2_ALG_SHA384", + "pcrSelect": [ ], } ], "curveID": "TPM2_ECC_NIST_P256", diff --git a/test/data/fapi/P_ECC384.json b/test/data/fapi/P_ECC384.json index a2335f8ac..d93f4cad3 100644 --- a/test/data/fapi/P_ECC384.json +++ b/test/data/fapi/P_ECC384.json @@ -20,11 +20,11 @@ }, "sym_block_size": 16, "pcr_selection": [ - { "hash": "TPM2_ALG_SHA1", - "pcrSelect": [ ], - }, { "hash": "TPM2_ALG_SHA256", "pcrSelect": [ 8, 9, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ] + }, + { "hash": "TPM2_ALG_SHA384", + "pcrSelect": [ ], } ], "curveID": "TPM2_ECC_NIST_P384", diff --git a/test/data/fapi/P_ECC_error.json b/test/data/fapi/P_ECC_error.json index e2053bad5..b55170b16 100644 --- a/test/data/fapi/P_ECC_error.json +++ b/test/data/fapi/P_ECC_error.json @@ -20,11 +20,11 @@ }, "sym_block_size": 16, "pcr_selection": [ - { "hash": "TPM2_ALG_SHA1", - "pcrSelect": [ ], - }, { "hash": "TPM2_ALG_SHA256", "pcrSelect": [ 8, 9, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ] + }, + { "hash": "TPM2_ALG_SHA384", + "pcrSelect": [ ], } ], "curveID": "TPM2_ECC_NIST_P256", diff --git a/test/data/fapi/P_ECC_sh_eh_policy.json b/test/data/fapi/P_ECC_sh_eh_policy.json index 5b202149d..0ff6125f6 100644 --- a/test/data/fapi/P_ECC_sh_eh_policy.json +++ b/test/data/fapi/P_ECC_sh_eh_policy.json @@ -18,11 +18,11 @@ }, "sym_block_size": 16, "pcr_selection": [ - { "hash": "TPM2_ALG_SHA1", - "pcrSelect": [ ], - }, { "hash": "TPM2_ALG_SHA256", "pcrSelect": [ 8, 9, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ] + }, + { "hash": "TPM2_ALG_SHA384", + "pcrSelect": [ ], } ], "curveID": "TPM2_ECC_NIST_P256", diff --git a/test/data/fapi/P_ECC_sh_eh_policy_sha384.json b/test/data/fapi/P_ECC_sh_eh_policy_sha384.json index ee53c3689..ab822e1c2 100644 --- a/test/data/fapi/P_ECC_sh_eh_policy_sha384.json +++ b/test/data/fapi/P_ECC_sh_eh_policy_sha384.json @@ -20,11 +20,11 @@ }, "sym_block_size": 16, "pcr_selection": [ - { "hash": "TPM2_ALG_SHA1", - "pcrSelect": [ ], - }, { "hash": "TPM2_ALG_SHA256", "pcrSelect": [ 8, 9, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ] + }, + { "hash": "TPM2_ALG_SHA384", + "pcrSelect": [ ], } ], "curveID": "TPM2_ECC_NIST_P384", diff --git a/test/data/fapi/P_RSA.json b/test/data/fapi/P_RSA.json index 867878263..6f7fb1f2b 100644 --- a/test/data/fapi/P_RSA.json +++ b/test/data/fapi/P_RSA.json @@ -26,11 +26,11 @@ }, "sym_block_size": 16, "pcr_selection": [ - { "hash": "TPM2_ALG_SHA1", - "pcrSelect": [ ] - }, { "hash": "TPM2_ALG_SHA256", "pcrSelect": [ 8, 9 , 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ] + }, + { "hash": "TPM2_ALG_SHA384", + "pcrSelect": [ ] } ], "exponent": 0, diff --git a/test/data/fapi/P_RSA2.json b/test/data/fapi/P_RSA2.json index ad204156d..4c523c277 100644 --- a/test/data/fapi/P_RSA2.json +++ b/test/data/fapi/P_RSA2.json @@ -26,11 +26,11 @@ }, "sym_block_size": 16, "pcr_selection": [ - { "hash": "TPM2_ALG_SHA1", - "pcrSelect": [ ] - }, { "hash": "TPM2_ALG_SHA256", "pcrSelect": [ 8, 9 , 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ] + }, + { "hash": "TPM2_ALG_SHA384", + "pcrSelect": [ ] } ], "exponent": 0, diff --git a/test/data/fapi/P_RSA256.json b/test/data/fapi/P_RSA256.json index 2aa939f1a..d403f67a1 100644 --- a/test/data/fapi/P_RSA256.json +++ b/test/data/fapi/P_RSA256.json @@ -9,7 +9,7 @@ "ecc_signing_scheme": { "scheme":"TPM2_ALG_ECDSA", "details":{ - "hashAlg":"TPM2_ALG_SHA1" + "hashAlg":"TPM2_ALG_SHA256" }, }, "rsa_signing_scheme": { @@ -21,7 +21,7 @@ "rsa_decrypt_scheme": { "scheme":"TPM2_ALG_OAEP", "details":{ - "hashAlg":"TPM2_ALG_SHA1" + "hashAlg":"TPM2_ALG_SHA256" } }, "sym_mode":"TPM2_ALG_CFB", @@ -32,11 +32,11 @@ }, "sym_block_size": 16, "pcr_selection": [ - { "hash": "TPM2_ALG_SHA1", - "pcrSelect": [ ] - }, { "hash": "TPM2_ALG_SHA256", "pcrSelect": [ 8, 9, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ] + }, + { "hash": "TPM2_ALG_SHA384", + "pcrSelect": [ ] } ], "exponent": 0, diff --git a/test/data/fapi/P_RSA3072.json b/test/data/fapi/P_RSA3072.json index 50486c4c2..b23605a97 100644 --- a/test/data/fapi/P_RSA3072.json +++ b/test/data/fapi/P_RSA3072.json @@ -26,11 +26,11 @@ }, "sym_block_size": 16, "pcr_selection": [ - { "hash": "TPM2_ALG_SHA1", - "pcrSelect": [ ] - }, { "hash": "TPM2_ALG_SHA256", "pcrSelect": [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ] + }, + { "hash": "TPM2_ALG_SHA384", + "pcrSelect": [ ] } ], "exponent": 0, diff --git a/test/data/fapi/P_RSA_EK_persistent.json b/test/data/fapi/P_RSA_EK_persistent.json index 3c4ab4d1a..e2e99e0f9 100644 --- a/test/data/fapi/P_RSA_EK_persistent.json +++ b/test/data/fapi/P_RSA_EK_persistent.json @@ -9,19 +9,19 @@ "ecc_signing_scheme": { "scheme":"TPM2_ALG_ECDSA", "details":{ - "hashAlg":"TPM2_ALG_SHA1" + "hashAlg":"TPM2_ALG_SHA256" }, }, "rsa_signing_scheme": { "scheme":"TPM2_ALG_RSAPSS", "details":{ - "hashAlg":"TPM2_ALG_SHA1" + "hashAlg":"TPM2_ALG_SHA256" } }, "rsa_decrypt_scheme": { "scheme":"TPM2_ALG_OAEP", "details":{ - "hashAlg":"TPM2_ALG_SHA1" + "hashAlg":"TPM2_ALG_SHA256" } }, "sym_mode":"TPM2_ALG_CFB", @@ -32,7 +32,7 @@ }, "sym_block_size": 16, "pcr_selection": [ - { "hash": "TPM2_ALG_SHA1", + { "hash": "TPM2_ALG_SHA256", "pcrSelect": [ ] }, { "hash": "TPM2_ALG_SHA256", diff --git a/test/data/fapi/P_RSA_nameAlg_sha1.json b/test/data/fapi/P_RSA_nameAlg_sha1.json index 1476ec6e9..11306b7d3 100644 --- a/test/data/fapi/P_RSA_nameAlg_sha1.json +++ b/test/data/fapi/P_RSA_nameAlg_sha1.json @@ -32,11 +32,11 @@ }, "sym_block_size": 16, "pcr_selection": [ - { "hash": "TPM2_ALG_SHA1", - "pcrSelect": [ ] - }, - { "hash": "TPM2_ALG_SHA256", + { "hash": "TPM2_ALG_SHA256", "pcrSelect": [ 8, 9 , 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ] + }, + { "hash": "TPM2_ALG_SHA384", + "pcrSelect": [ ] } ], "exponent": 0, diff --git a/test/data/fapi/P_RSA_sh_policy.json b/test/data/fapi/P_RSA_sh_policy.json index 7401edb9c..aa06d9dee 100644 --- a/test/data/fapi/P_RSA_sh_policy.json +++ b/test/data/fapi/P_RSA_sh_policy.json @@ -9,13 +9,13 @@ "rsa_signing_scheme": { "scheme":"TPM2_ALG_RSAPSS", "details":{ - "hashAlg":"TPM2_ALG_SHA1" + "hashAlg":"TPM2_ALG_SHA256" } }, "rsa_decrypt_scheme": { "scheme":"TPM2_ALG_OAEP", "details":{ - "hashAlg":"TPM2_ALG_SHA1" + "hashAlg":"TPM2_ALG_SHA256" } }, "sym_mode":"TPM2_ALG_CFB", @@ -26,11 +26,11 @@ }, "sym_block_size": 16, "pcr_selection": [ - { "hash": "TPM2_ALG_SHA1", - "pcrSelect": [ ] - }, - { "hash": "TPM2_ALG_SHA256", + { "hash": "TPM2_ALG_SHA256", "pcrSelect": [ 8, 9 , 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ] + }, + { "hash": "TPM2_ALG_SHA384", + "pcrSelect": [ ] } ], "exponent": 0, diff --git a/test/integration/esys-tr-fromTpmPublic-nv.int.c b/test/integration/esys-tr-fromTpmPublic-nv.int.c index 8b55d9e6d..c5f60f66d 100644 --- a/test/integration/esys-tr-fromTpmPublic-nv.int.c +++ b/test/integration/esys-tr-fromTpmPublic-nv.int.c @@ -99,7 +99,7 @@ test_esys_tr_fromTpmPublic_nv(ESYS_CONTEXT * ectx) r = Esys_StartAuthSession(ectx, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, NULL, - TPM2_SE_HMAC, &symmetric, TPM2_ALG_SHA1, + TPM2_SE_HMAC, &symmetric, TPM2_ALG_SHA256, &session); goto_if_error(r, "Error: During initialization of session", error); @@ -111,7 +111,7 @@ test_esys_tr_fromTpmPublic_nv(ESYS_CONTEXT * ectx) r = Esys_StartAuthSession(ectx, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, NULL, - TPM2_SE_HMAC, &symmetric, TPM2_ALG_SHA1, + TPM2_SE_HMAC, &symmetric, TPM2_ALG_SHA256, &session2); goto_if_error(r, "Error: During initialization of session", error); @@ -132,7 +132,7 @@ test_esys_tr_fromTpmPublic_nv(ESYS_CONTEXT * ectx) r = Esys_StartAuthSession(ectx, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, NULL, - TPM2_SE_HMAC, &symmetric, TPM2_ALG_SHA1, + TPM2_SE_HMAC, &symmetric, TPM2_ALG_SHA256, &session); goto_if_error(r, "Error: During initialization of session", error); diff --git a/test/integration/fapi-data-crypt.int.c b/test/integration/fapi-data-crypt.int.c index aa02e07da..0b83f404f 100644 --- a/test/integration/fapi-data-crypt.int.c +++ b/test/integration/fapi-data-crypt.int.c @@ -21,13 +21,14 @@ #include "test-fapi.h" // for pcr_reset, EXIT_SKIP, FAPI_PROFILE, tes... #include "tss2_common.h" // for TSS2_FAPI_RC_GENERAL_FAILURE, TSS2_RC #include "tss2_fapi.h" // for Fapi_Free, Fapi_Delete, Fapi_Decrypt -#include "tss2_tpm2_types.h" // for TPM2_ALG_SHA256 +#include "tss2_tpm2_types.h" // for TPM2_ALG_SHA384 #define LOGMODULE test #include "util/log.h" // for LOG_ERROR, goto_if_error, SAFE_FREE #define SIZE 128 +/* see test/data/fapi/policy/rsa2.pem */ const char *priv_pem = "-----BEGIN PRIVATE KEY-----\n" "MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCgYvoisJIDOeYg\n" @@ -58,6 +59,7 @@ const char *priv_pem = "i8Kp6jR2wY0suObmZHKvbCB1Dw==\n" "-----END PRIVATE KEY-----\n"; +/* see test/data/fapi/policy/rsa2.pem */ const char *pub_pem = "-----BEGIN PUBLIC KEY-----\n" "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoGL6IrCSAznmIIzBessI\n" @@ -108,8 +110,8 @@ signatureCallback( return TSS2_FAPI_RC_GENERAL_FAILURE; } - if (hashAlg != TPM2_ALG_SHA256) { - LOG_ERROR("hashAlg is not correct, %u != %u", hashAlg, TPM2_ALG_SHA256); + if (hashAlg != TPM2_ALG_SHA384) { + LOG_ERROR("hashAlg is not correct, %u != %u", hashAlg, TPM2_ALG_SHA384); return TSS2_FAPI_RC_GENERAL_FAILURE; } @@ -119,7 +121,7 @@ signatureCallback( EVP_MD_CTX *mdctx =NULL; EVP_PKEY_CTX *pctx = NULL; - const EVP_MD *ossl_hash = EVP_sha256(); + const EVP_MD *ossl_hash = EVP_sha384(); chknull(ossl_hash); LOGBLOB_DEBUG(dataToSign, dataToSignSize, "Data to be signed"); diff --git a/test/integration/fapi-export-policy.int.c b/test/integration/fapi-export-policy.int.c index c316065ce..a9ba40618 100644 --- a/test/integration/fapi-export-policy.int.c +++ b/test/integration/fapi-export-policy.int.c @@ -23,7 +23,7 @@ #define LOGMODULE test #include "util/log.h" // for LOG_ERROR, goto_if_error, SAFE_FREE -/** Check the digest values from result table for sha1 and sha256. */ +/** Check the digest values from result table for sha256 and sha384. */ static bool check_policy(char *policy, policy_digests *digests) { json_object *jso = NULL; @@ -31,8 +31,8 @@ check_policy(char *policy, policy_digests *digests) { json_object *jso_digest_list = NULL; json_object *jso_digest = NULL; const char *digest_str= NULL; - bool check_sha1 = false; bool check_sha256 = false; + bool check_sha384 = false; int i, n; jso = json_tokener_parse(policy); @@ -46,11 +46,12 @@ check_policy(char *policy, policy_digests *digests) { } n = json_object_array_length(jso_digest_list); if (n > 0) { - if (!digests->sha1 || !digests->sha256) { + if (!digests->sha256 || !digests->sha384) { LOG_ERROR("Digest computation for %s should not be possible.", digests->path); goto error; } } + /* verify that all hashes in policy (first param) match with digests (second param) */ for (i = 0; i < n; i++) { jso_digest_struct = json_object_array_get_idx(jso_digest_list, i); if (!jso_digest_struct) { @@ -63,22 +64,32 @@ check_policy(char *policy, policy_digests *digests) { } digest_str = json_object_get_string(jso_digest); - if (strlen(digest_str) == 40) { - LOG_INFO("Digest SHA1: %s", digest_str); - if (strcmp(digest_str, digests->sha1) == 0) { - check_sha1 = true; - } - } else if (strlen(digest_str) == 64) { - LOG_INFO("Digest SHA256: %s", digest_str); + LOG_ERROR("Searching for hash: %s", json_object_get_string(jso_digest)); + if (strlen(digest_str) == 64 && strcmp(digest_str, digests->sha256) != 0) + printf(" "); + if (strlen(digest_str) == 64) { + LOG_ERROR("%i - Digest SHA256: %s", i, digests->sha256); + LOG_INFO("Digest SHA256: %s", digests->sha256); if (strcmp(digest_str, digests->sha256) == 0) { + LOG_ERROR(" -> sha256 pass"); check_sha256 = true; } + } else if (strlen(digest_str) == 96) { + LOG_ERROR("%i - Digest SHA384: %s", i, digests->sha384); + LOG_INFO("Digest SHA384: %s", digests->sha384); + if (strcmp(digest_str, digests->sha384) == 0) { + LOG_ERROR(" -> sha384 pass"); + check_sha384 = true; + } } else { - LOG_WARNING("Hash alg not in result table."); + LOG_WARNING("%i - Hash alg not in result table.", i); } + if (n > 0 && i == n - 1 && (!check_sha256 || !check_sha384)) + printf(" "); } json_object_put(jso); - if (n > 0 && (!check_sha1 || !check_sha256)) { + if (n > 0 && (!check_sha256 || !check_sha384)) { + LOG_ERROR("Hash not found: %s", digest_str); LOG_ERROR("Policy check failed for: %s", digests->path); goto error; } @@ -145,7 +156,8 @@ test_fapi_export_policy(FAPI_CONTEXT *context) r = pcr_reset(context, 16); goto_if_error(r, "Error pcr_reset", error); - for (i = 0; i < sizeof(_test_fapi_policy_policies) / sizeof(_test_fapi_policy_policies[0]); i++) { + //for (i = 0; i < sizeof(_test_fapi_policy_policies) / sizeof(_test_fapi_policy_policies[0]); i++) { + for (i = 25; i < 26; i++) { fprintf(stderr, "\nTest policy: %s\n", _test_fapi_policy_policies[i].path); json_policy = read_policy(context, _test_fapi_policy_policies[i].path); if (!json_policy) diff --git a/test/integration/fapi-ext-public-key.int.c b/test/integration/fapi-ext-public-key.int.c index 7f0a31dbd..18abe1490 100644 --- a/test/integration/fapi-ext-public-key.int.c +++ b/test/integration/fapi-ext-public-key.int.c @@ -243,7 +243,7 @@ test_fapi_ext_public_key(FAPI_CONTEXT *context) goto_if_error(r, "Error Fapi_Import", error); r = Fapi_VerifyQuote(context, "/ext/myExtPubKey", - qualifying_data, 20, quote_info, + qualifying_data, sizeof(qualifying_data), quote_info, test_signature, test_signature_size, NULL); goto_if_error(r, "Error Fapi_Verfiy_Quote", error); diff --git a/test/integration/fapi-key-change-auth.int.c b/test/integration/fapi-key-change-auth.int.c index 40108fba8..b69d31bf5 100644 --- a/test/integration/fapi-key-change-auth.int.c +++ b/test/integration/fapi-key-change-auth.int.c @@ -105,10 +105,12 @@ test_fapi_key_change_auth(FAPI_CONTEXT *context) size_t signatureSize = 0; TPM2B_DIGEST digest = { - .size = 20, + .size = 32, .buffer = { 0x67, 0x68, 0x03, 0x3e, 0x21, 0x64, 0x68, 0x24, 0x7b, 0xd0, - 0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f + 0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, } }; diff --git a/test/integration/fapi-key-create-ckda-sign.int.c b/test/integration/fapi-key-create-ckda-sign.int.c index 20de0ced5..27a556dba 100644 --- a/test/integration/fapi-key-create-ckda-sign.int.c +++ b/test/integration/fapi-key-create-ckda-sign.int.c @@ -87,10 +87,12 @@ test_fapi_key_create_ckda_sign(FAPI_CONTEXT *context) size_t signatureSize = 0; TPM2B_DIGEST digest = { - .size = 20, + .size = 32, .buffer = { 0x67, 0x68, 0x03, 0x3e, 0x21, 0x64, 0x68, 0x24, 0x7b, 0xd0, - 0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f + 0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, } }; diff --git a/test/integration/fapi-key-create-policies-sign.int.c b/test/integration/fapi-key-create-policies-sign.int.c index 112766815..455d2065b 100644 --- a/test/integration/fapi-key-create-policies-sign.int.c +++ b/test/integration/fapi-key-create-policies-sign.int.c @@ -147,10 +147,12 @@ test_fapi_key_create_policies_sign(FAPI_CONTEXT *context) size_t signatureSize = 0; TPM2B_DIGEST digest = { - .size = 20, + .size = 32, .buffer = { 0x67, 0x68, 0x03, 0x3e, 0x21, 0x64, 0x68, 0x24, 0x7b, 0xd0, - 0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f + 0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, } }; diff --git a/test/integration/fapi-key-create-policy-authorize-nv-sign.int.c b/test/integration/fapi-key-create-policy-authorize-nv-sign.int.c index 6ad202d9d..3078c3970 100644 --- a/test/integration/fapi-key-create-policy-authorize-nv-sign.int.c +++ b/test/integration/fapi-key-create-policy-authorize-nv-sign.int.c @@ -202,12 +202,12 @@ test_fapi_key_create_policy_authorize_nv(FAPI_CONTEXT *context) size_t signatureSize = 0; TPM2B_DIGEST digest = { - .size = 20, + .size = 32, .buffer = { 0x67, 0x68, 0x03, 0x3e, 0x21, 0x64, 0x68, 0x24, 0x7b, 0xd0, 0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f, 0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f, - 0x41, 0x42 + 0x41, 0x42, 0x00 } }; diff --git a/test/integration/fapi-key-create-policy-nv-counter-sign.int.c b/test/integration/fapi-key-create-policy-nv-counter-sign.int.c index 0de3b8139..db2ac26b4 100644 --- a/test/integration/fapi-key-create-policy-nv-counter-sign.int.c +++ b/test/integration/fapi-key-create-policy-nv-counter-sign.int.c @@ -101,10 +101,12 @@ test_fapi_key_create_policy_nv_sign(FAPI_CONTEXT *context) size_t signatureSize = 0; TPM2B_DIGEST digest = { - .size = 20, + .size = 32, .buffer = { 0x67, 0x68, 0x03, 0x3e, 0x21, 0x64, 0x68, 0x24, 0x7b, 0xd0, - 0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f + 0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, } }; diff --git a/test/integration/fapi-key-create-policy-nv-sign.int.c b/test/integration/fapi-key-create-policy-nv-sign.int.c index e30051d17..bde2664a4 100644 --- a/test/integration/fapi-key-create-policy-nv-sign.int.c +++ b/test/integration/fapi-key-create-policy-nv-sign.int.c @@ -109,10 +109,12 @@ test_fapi_key_create_policy_nv_sign(FAPI_CONTEXT *context) size_t signatureSize = 0; TPM2B_DIGEST digest = { - .size = 20, + .size = 32, .buffer = { 0x67, 0x68, 0x03, 0x3e, 0x21, 0x64, 0x68, 0x24, 0x7b, 0xd0, - 0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f + 0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, } }; diff --git a/test/integration/fapi-key-create-policy-or-sign.int.c b/test/integration/fapi-key-create-policy-or-sign.int.c index 74781ddb6..cf969eb3a 100644 --- a/test/integration/fapi-key-create-policy-or-sign.int.c +++ b/test/integration/fapi-key-create-policy-or-sign.int.c @@ -135,10 +135,12 @@ test_fapi_key_create_policy_or_sign(FAPI_CONTEXT *context) size_t signatureSize = 0; TPM2B_DIGEST digest = { - .size = 20, + .size = 32, .buffer = { 0x67, 0x68, 0x03, 0x3e, 0x21, 0x64, 0x68, 0x24, 0x7b, 0xd0, - 0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f + 0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, } }; diff --git a/test/integration/fapi-key-create-policy-pcr-sign.int.c b/test/integration/fapi-key-create-policy-pcr-sign.int.c index 0a30e5475..6841350f9 100644 --- a/test/integration/fapi-key-create-policy-pcr-sign.int.c +++ b/test/integration/fapi-key-create-policy-pcr-sign.int.c @@ -256,10 +256,11 @@ test_fapi_key_create_policy_pcr_sign(FAPI_CONTEXT *context) size_t signatureSize = 0; TPM2B_DIGEST digest = { - .size = 20, + .size = 32, .buffer = { - 0x67, 0x68, 0x03, 0x3e, 0x21, 0x64, 0x68, 0x24, 0x7b, 0xd0, - 0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f + 0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, } }; diff --git a/test/integration/fapi-key-create-policy-signed-keyedhash.int.c b/test/integration/fapi-key-create-policy-signed-keyedhash.int.c index f21462079..165104c02 100644 --- a/test/integration/fapi-key-create-policy-signed-keyedhash.int.c +++ b/test/integration/fapi-key-create-policy-signed-keyedhash.int.c @@ -263,10 +263,12 @@ test_fapi_key_create_policy_signed(FAPI_CONTEXT *context) size_t signatureSize = 0; TPM2B_DIGEST digest = { - .size = 20, + .size = 32, .buffer = { 0x67, 0x68, 0x03, 0x3e, 0x21, 0x64, 0x68, 0x24, 0x7b, 0xd0, - 0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f + 0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, } }; diff --git a/test/integration/fapi-key-create-policy-signed.int.c b/test/integration/fapi-key-create-policy-signed.int.c index 55ba5860b..4723a49bc 100644 --- a/test/integration/fapi-key-create-policy-signed.int.c +++ b/test/integration/fapi-key-create-policy-signed.int.c @@ -21,13 +21,14 @@ #include "test-fapi.h" // for ASSERT, pcr_reset, ASSERT_SIZE, test_in... #include "tss2_common.h" // for TSS2_FAPI_RC_GENERAL_FAILURE, TSS2_RC #include "tss2_fapi.h" // for Fapi_Delete, Fapi_CreateKey, Fapi_Import -#include "tss2_tpm2_types.h" // for TPM2B_DIGEST, TPM2_ALG_SHA256 +#include "tss2_tpm2_types.h" // for TPM2B_DIGEST, TPM2_ALG_SHA384 #define LOGMODULE test #include "util/log.h" // for SAFE_FREE, LOG_ERROR, goto_if_error #ifdef TEST_ECC const char *priv_pem = + /* see test/data/fapi/policy/ecc.pem */ "-----BEGIN EC PRIVATE KEY-----\n" "MHcCAQEEILE8jic/6w/lKoFTVblkNQ4Ls5IYibQNQ4Dk5B9R09ONoAoGCCqGSM49\n" "AwEHoUQDQgAEoJTa3zftdAzHC96IjpqQ/dnLm+p7pEiLMi03Jd0oP0aYnnXFjolz\n" @@ -35,11 +36,13 @@ const char *priv_pem = "-----END EC PRIVATE KEY-----\n"; const char *pub_pem = + /* see test/data/fapi/policy/ecc.pem */ "-----BEGIN PUBLIC KEY-----\n" "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoJTa3zftdAzHC96IjpqQ/dnLm+p7\n" "pEiLMi03Jd0oP0aYnnXFjolzIB/dBZ/t+BLh0PwLM5aAM/jugeLkHgpIyQ==\n" "-----END PUBLIC KEY-----\n"; #else +/* see test/data/fapi/policy/rsa2.pem */ const char *priv_pem = "-----BEGIN PRIVATE KEY-----\n" "MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCgYvoisJIDOeYg\n" @@ -70,6 +73,7 @@ const char *priv_pem = "i8Kp6jR2wY0suObmZHKvbCB1Dw==\n" "-----END PRIVATE KEY-----\n"; +/* see test/data/fapi/policy/rsa2.pem */ const char *pub_pem = "-----BEGIN PUBLIC KEY-----\n" "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoGL6IrCSAznmIIzBessI\n" @@ -119,8 +123,8 @@ signatureCallback( return TSS2_FAPI_RC_GENERAL_FAILURE; } - if (hashAlg != TPM2_ALG_SHA256) { - LOG_ERROR("hashAlg is not correct, %u != %u", hashAlg, TPM2_ALG_SHA256); + if (hashAlg != TPM2_ALG_SHA384) { + LOG_ERROR("hashAlg is not correct, %u != %u", hashAlg, TPM2_ALG_SHA384); return TSS2_FAPI_RC_GENERAL_FAILURE; } @@ -130,7 +134,7 @@ signatureCallback( EVP_MD_CTX *mdctx = NULL; EVP_PKEY_CTX *pctx = NULL; - const EVP_MD *ossl_hash = EVP_sha256(); + const EVP_MD *ossl_hash = EVP_sha384(); chknull(ossl_hash); LOGBLOB_DEBUG(dataToSign, dataToSignSize, "Data to be signed"); @@ -263,10 +267,12 @@ test_fapi_key_create_policy_signed(FAPI_CONTEXT *context) size_t signatureSize = 0; TPM2B_DIGEST digest = { - .size = 20, + .size = 32, .buffer = { 0x67, 0x68, 0x03, 0x3e, 0x21, 0x64, 0x68, 0x24, 0x7b, 0xd0, - 0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f + 0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, } }; diff --git a/test/integration/fapi-key-create-sign-password-provision.int.c b/test/integration/fapi-key-create-sign-password-provision.int.c index e8e2c678a..c708cd88b 100644 --- a/test/integration/fapi-key-create-sign-password-provision.int.c +++ b/test/integration/fapi-key-create-sign-password-provision.int.c @@ -149,10 +149,12 @@ test_fapi_key_create_sign_password_provision(FAPI_CONTEXT *context) size_t signatureSize = 0; TPM2B_DIGEST digest = { - .size = 20, + .size = 32, .buffer = { 0x67, 0x68, 0x03, 0x3e, 0x21, 0x64, 0x68, 0x24, 0x7b, 0xd0, - 0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f + 0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, } }; diff --git a/test/integration/fapi-key-create-sign-policy-provision.int.c b/test/integration/fapi-key-create-sign-policy-provision.int.c index d68783c60..2d9f15522 100644 --- a/test/integration/fapi-key-create-sign-policy-provision.int.c +++ b/test/integration/fapi-key-create-sign-policy-provision.int.c @@ -112,10 +112,12 @@ test_fapi_key_create_sign_policy_provision(FAPI_CONTEXT *context) size_t signatureSize = 0; TPM2B_DIGEST digest = { - .size = 20, + .size = 32, .buffer = { 0x67, 0x68, 0x03, 0x3e, 0x21, 0x64, 0x68, 0x24, 0x7b, 0xd0, - 0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f + 0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, } }; diff --git a/test/integration/fapi-pcr-test.int.c b/test/integration/fapi-pcr-test.int.c index ba2af95b4..734251ff3 100644 --- a/test/integration/fapi-pcr-test.int.c +++ b/test/integration/fapi-pcr-test.int.c @@ -92,6 +92,34 @@ const char *log_exp[] = { }\n\ }\n\ ]", +/* same as above, just without sha1 */ +"[\n\ + {\n\ + \"recnum\":0,\n\ + \"pcr\":16,\n\ + \"digests\":[\n\ + {\n\ + \"hashAlg\":\"sha256\",\n\ + \"digest\":\"1f825aa2f0020ef7cf91dfa30da4668d791c5d4824fc8e41354b89ec05795ab3\"\n\ + },\n\ + {\n\ + \"hashAlg\":\"sha384\",\n\ + \"digest\":\"182e95266adff49059e706c61483478fe0688150c8d08b95fab5cfde961f12d903aaf44104af4ce72ba6a4bf20302b2e\"\n\ + },\n\ + {\n\ + \"hashAlg\":\"sha512\",\n\ + \"digest\":\"0f89ee1fcb7b0a4f7809d1267a029719004c5a5e5ec323a7c3523a20974f9a3f202f56fadba4cd9e8d654ab9f2e96dc5c795ea176fa20ede8d854c342f903533\"\n\ + }\n\ + ],\n\ + \"" CONTENT_TYPE "\":\"tss2\",\n\ + \"" CONTENT "\":{\n\ + \"data\":\"00010203040506070809\",\n\ + \"event\":{\n\ + \"test\":\"myfile\"\n\ + }\n\ + }\n\ + }\n\ +]", "[\n\ {\n\ \"recnum\":0,\n\ diff --git a/test/integration/fapi-quote-destructive-eventlog.int.c b/test/integration/fapi-quote-destructive-eventlog.int.c index df1f8072b..3e5da1085 100644 --- a/test/integration/fapi-quote-destructive-eventlog.int.c +++ b/test/integration/fapi-quote-destructive-eventlog.int.c @@ -1013,7 +1013,7 @@ test_fapi_quote_destructive(FAPI_CONTEXT *context) #endif r = pcr_bank_sha1_exists(context, &sha1_bank_exists); - goto_if_error(r, "Test sha1 bank", error); + goto_if_error(r, "Test sha1 bank", skip_test); if (!sha1_bank_exists) { return EXIT_SKIP; @@ -1036,9 +1036,11 @@ test_fapi_quote_destructive(FAPI_CONTEXT *context) "CERTIFICATE-----[...]-----END CERTIFICATE-----"); goto_if_error(r, "Error Fapi_SetCertificate", error); - uint8_t qualifyingData[20] = { + uint8_t qualifyingData[32] = { 0x67, 0x68, 0x03, 0x3e, 0x21, 0x64, 0x68, 0x24, 0x7b, 0xd0, - 0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f + 0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, }; r = pcr_reset(context, 16); @@ -1055,7 +1057,7 @@ test_fapi_quote_destructive(FAPI_CONTEXT *context) r = Fapi_Quote(context, pcrList, 12, "HS/SRK/mySignKey", "TPM-Quote", - qualifyingData, 20, + qualifyingData, sizeof(qualifyingData), "eInfo, &signature, &signatureSize, &pcrEventLog, &certificate); @@ -1073,7 +1075,7 @@ test_fapi_quote_destructive(FAPI_CONTEXT *context) LOG_INFO("\npcrEventLog: %s\n", pcrEventLog); r = Fapi_VerifyQuote(context, "HS/SRK/mySignKey", - qualifyingData, 20, quoteInfo, + qualifyingData, sizeof(qualifyingData), quoteInfo, signature, signatureSize, pcrEventLog); goto_if_error(r, "Error Fapi_Verfiy_Quote", error); @@ -1103,7 +1105,7 @@ test_fapi_quote_destructive(FAPI_CONTEXT *context) LOG_WARNING("*** TEST ERROR CASE WITH INVALID EVENT LIST ***"); r = Fapi_VerifyQuote(context, "HS/SRK/mySignKey", - qualifyingData, 20, quoteInfo, + qualifyingData, sizeof(qualifyingData), quoteInfo, signature, signatureSize, pcrEventLog2); if (r != TSS2_FAPI_RC_SIGNATURE_VERIFICATION_FAILED) { @@ -1150,6 +1152,9 @@ test_fapi_quote_destructive(FAPI_CONTEXT *context) if (jso_log2) json_object_put(jso_log2); return EXIT_FAILURE; + +skip_test: + return EXIT_SKIP; } int diff --git a/test/integration/fapi-quote-destructive.int.c b/test/integration/fapi-quote-destructive.int.c index af3232058..21cd8ce16 100644 --- a/test/integration/fapi-quote-destructive.int.c +++ b/test/integration/fapi-quote-destructive.int.c @@ -81,9 +81,11 @@ test_fapi_quote_destructive(FAPI_CONTEXT *context) "CERTIFICATE-----[...]-----END CERTIFICATE-----"); goto_if_error(r, "Error Fapi_SetCertificate", error); - uint8_t qualifyingData[20] = { + uint8_t qualifyingData[32] = { 0x67, 0x68, 0x03, 0x3e, 0x21, 0x64, 0x68, 0x24, 0x7b, 0xd0, - 0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f + 0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, }; r = pcr_reset(context, 16); @@ -100,7 +102,7 @@ test_fapi_quote_destructive(FAPI_CONTEXT *context) r = Fapi_Quote(context, pcrList, 2, "HS/SRK/mySignKey", "TPM-Quote", - qualifyingData, 20, + qualifyingData, sizeof(qualifyingData), "eInfo, &signature, &signatureSize, &pcrEventLog, &certificate); @@ -116,7 +118,7 @@ test_fapi_quote_destructive(FAPI_CONTEXT *context) LOG_INFO("\npcrEventLog: %s\n", pcrEventLog); r = Fapi_VerifyQuote(context, "HS/SRK/mySignKey", - qualifyingData, 20, quoteInfo, + qualifyingData, sizeof(qualifyingData), quoteInfo, signature, signatureSize, pcrEventLog); goto_if_error(r, "Error Fapi_Verfiy_Quote", error); diff --git a/test/integration/fapi-quote-with-primary.int.c b/test/integration/fapi-quote-with-primary.int.c index c06f7737d..468376d31 100644 --- a/test/integration/fapi-quote-with-primary.int.c +++ b/test/integration/fapi-quote-with-primary.int.c @@ -73,9 +73,11 @@ test_fapi_quote(FAPI_CONTEXT *context) "CERTIFICATE-----[...]-----END CERTIFICATE-----"); goto_if_error(r, "Error Fapi_SetCertificate", error); - uint8_t qualifyingData[20] = { + uint8_t qualifyingData[32] = { 0x67, 0x68, 0x03, 0x3e, 0x21, 0x64, 0x68, 0x24, 0x7b, 0xd0, - 0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f + 0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, }; r = pcr_reset(context, 16); @@ -86,7 +88,7 @@ test_fapi_quote(FAPI_CONTEXT *context) r = Fapi_Quote(context, pcrList, 1, "HS/mySignKey", "TPM-Quote", - qualifyingData, 20, + qualifyingData, sizeof(qualifyingData), "eInfo, &signature, &signatureSize, &pcrEventLog, &certificate); @@ -172,6 +174,34 @@ test_fapi_quote(FAPI_CONTEXT *context) " }" " }" "]", + /* same as above, just without sha1 */ + "[" + " {" + " \"recnum\":0," + " \"pcr\":16," + " \"digests\":[" + " {" + " \"hashAlg\":\"sha256\"," + " \"digest\":\"1f825aa2f0020ef7cf91dfa30da4668d791c5d4824fc8e41354b89ec05795ab3\"" + " }," + " {" + " \"hashAlg\":\"sha384\"," + " \"digest\":\"182e95266adff49059e706c61483478fe0688150c8d08b95fab5cfde961f12d903aaf44104af4ce72ba6a4bf20302b2e\"" + " }," + " {" + " \"hashAlg\":\"sha512\"," + " \"digest\":\"0f89ee1fcb7b0a4f7809d1267a029719004c5a5e5ec323a7c3523a20974f9a3f202f56fadba4cd9e8d654ab9f2e96dc5c795ea176fa20ede8d854c342f903533\"" + " }" + " ]," + " \"" CONTENT_TYPE "\":\"tss2\"," + " \"" CONTENT "\":{" + " \"data\":\"00010203040506070809\"," + " \"event\":{" + " \"test\":\"myfile\"" + " }" + " }" + " }" + "]", "[" " {" " \"recnum\":0," @@ -246,7 +276,7 @@ test_fapi_quote(FAPI_CONTEXT *context) CHECK_JSON_LIST(log_check_list, log, error); r = Fapi_VerifyQuote(context, "HS/mySignKey", - qualifyingData, 20, quoteInfo, + qualifyingData, sizeof(qualifyingData), quoteInfo, signature, signatureSize, log); goto_if_error(r, "Error Fapi_Verfiy_Quote", error); diff --git a/test/integration/fapi-quote.int.c b/test/integration/fapi-quote.int.c index f804f20a2..b112c669e 100644 --- a/test/integration/fapi-quote.int.c +++ b/test/integration/fapi-quote.int.c @@ -70,13 +70,15 @@ test_fapi_quote(FAPI_CONTEXT *context) r = Fapi_CreateKey(context, "HS/SRK/mySignKey", "sign,noDa", "", NULL); goto_if_error(r, "Error Fapi_CreateKey", error); - r = Fapi_SetCertificate(context, "HS/SRK/mySignKey", "-----BEGIN " \ + r = Fapi_SetCertificate(context, "HS/SRK/mySignKey", "-----BEGIN " \ "CERTIFICATE-----[...]-----END CERTIFICATE-----"); goto_if_error(r, "Error Fapi_SetCertificate", error); - uint8_t qualifyingData[20] = { + uint8_t qualifyingData[32] = { 0x67, 0x68, 0x03, 0x3e, 0x21, 0x64, 0x68, 0x24, 0x7b, 0xd0, - 0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f + 0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, }; r = pcr_reset(context, 16); @@ -87,7 +89,7 @@ test_fapi_quote(FAPI_CONTEXT *context) r = Fapi_Quote(context, pcrList, 1, "HS/SRK/mySignKey", "TPM-Quote", - qualifyingData, 20, + qualifyingData, sizeof(qualifyingData), "eInfo, &signature, &signatureSize, &pcrEventLog, &certificate); @@ -208,6 +210,34 @@ test_fapi_quote(FAPI_CONTEXT *context) " }" " }" "]", + /* same as above, just without sha1 */ + "[" + " {" + " \"recnum\":0," + " \"pcr\":16," + " \"digests\":[" + " {" + " \"hashAlg\":\"sha256\"," + " \"digest\":\"1f825aa2f0020ef7cf91dfa30da4668d791c5d4824fc8e41354b89ec05795ab3\"" + " }," + " {" + " \"hashAlg\":\"sha384\"," + " \"digest\":\"182e95266adff49059e706c61483478fe0688150c8d08b95fab5cfde961f12d903aaf44104af4ce72ba6a4bf20302b2e\"" + " }," + " {" + " \"hashAlg\":\"sha512\"," + " \"digest\":\"0f89ee1fcb7b0a4f7809d1267a029719004c5a5e5ec323a7c3523a20974f9a3f202f56fadba4cd9e8d654ab9f2e96dc5c795ea176fa20ede8d854c342f903533\"" + " }" + " ]," + " \"" CONTENT_TYPE "\":\"tss2\"," + " \"" CONTENT "\":{" + " \"data\":\"00010203040506070809\"," + " \"event\":{" + " \"test\":\"myfile\"" + " }" + " }" + " }" + "]", "[" " {" " \"recnum\":0," @@ -281,7 +311,7 @@ test_fapi_quote(FAPI_CONTEXT *context) CHECK_JSON_LIST(log_check_list, log, error); r = Fapi_VerifyQuote(context, "HS/SRK/mySignKey", - qualifyingData, 20, quoteInfo, + qualifyingData, sizeof(qualifyingData), quoteInfo, signature, signatureSize, log); goto_if_error(r, "Error Fapi_Verfiy_Quote", error); @@ -304,7 +334,7 @@ test_fapi_quote(FAPI_CONTEXT *context) qualifyingData[0] = 0; r = Fapi_VerifyQuote(context, "HS/SRK/mySignKey", - qualifyingData, 20, quoteInfo, + qualifyingData, sizeof(qualifyingData), quoteInfo, signature, signatureSize, log); if (r == TPM2_RC_SUCCESS) { LOG_ERROR("Invalid qualifying data was not detected."); diff --git a/test/integration/fapi-unseal.int.c b/test/integration/fapi-unseal.int.c index 458c62079..f154bf999 100644 --- a/test/integration/fapi-unseal.int.c +++ b/test/integration/fapi-unseal.int.c @@ -41,10 +41,12 @@ test_fapi_unseal(FAPI_CONTEXT *context) uint8_t *result = NULL; TPM2B_DIGEST digest = { - .size = 20, + .size = 32, .buffer = { 0x67, 0x68, 0x03, 0x3e, 0x21, 0x64, 0x68, 0x24, 0x7b, 0xd0, - 0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f + 0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, } }; diff --git a/test/integration/sys-create-keyedhash-sha1-hmac.int.c b/test/integration/sys-create-keyedhash-sha1-hmac.int.c index ff16cd302..19da164af 100644 --- a/test/integration/sys-create-keyedhash-sha1-hmac.int.c +++ b/test/integration/sys-create-keyedhash-sha1-hmac.int.c @@ -55,12 +55,12 @@ test_invoke (TSS2_SYS_CONTEXT *sys_context) return 99; /* fatal error */ } - inPublic.publicArea.nameAlg = TPM2_ALG_SHA1; + inPublic.publicArea.nameAlg = TPM2_ALG_SHA256; inPublic.publicArea.type = TPM2_ALG_KEYEDHASH; inPublic.publicArea.objectAttributes |= TPMA_OBJECT_SIGN_ENCRYPT; inPublic.publicArea.objectAttributes |= TPMA_OBJECT_SENSITIVEDATAORIGIN; inPublic.publicArea.parameters.keyedHashDetail.scheme.scheme = TPM2_ALG_HMAC; - inPublic.publicArea.parameters.keyedHashDetail.scheme.details.hmac.hashAlg = TPM2_ALG_SHA1; + inPublic.publicArea.parameters.keyedHashDetail.scheme.details.hmac.hashAlg = TPM2_ALG_SHA256; LOG_INFO("Create keyedhash SHA1 HMAC"); rc = TSS2_RETRY_EXP (Tss2_Sys_Create (sys_context, diff --git a/test/integration/sys-nv-policy-locality.int.c b/test/integration/sys-nv-policy-locality.int.c index 583aa94d4..cbe0f5ba3 100644 --- a/test/integration/sys-nv-policy-locality.int.c +++ b/test/integration/sys-nv-policy-locality.int.c @@ -47,7 +47,7 @@ create_policy_session (TSS2_SYS_CONTEXT *sys_ctx, { TPMA_LOCALITY locality = TPMA_LOCALITY_TPM2_LOC_THREE | TPMA_LOCALITY_TPM2_LOC_FOUR; - TPM2B_NONCE nonce = { .size = GetDigestSize (TPM2_ALG_SHA1), }; + TPM2B_NONCE nonce = { .size = GetDigestSize (TPM2_ALG_SHA256), }; TPM2B_NONCE nonce_tpm = { 0, }; TSS2_RC rc; TPM2B_ENCRYPTED_SECRET salt = { 0, }; @@ -61,7 +61,7 @@ create_policy_session (TSS2_SYS_CONTEXT *sys_ctx, &salt, TPM2_SE_POLICY, &symmetric, - TPM2_ALG_SHA1, + TPM2_ALG_SHA256, handle, &nonce_tpm, 0); @@ -92,9 +92,9 @@ setup_nv (TSS2_SYS_CONTEXT *sys_ctx) .nvPublic = { .attributes = TPMA_NV_AUTHREAD | TPMA_NV_POLICYWRITE | TPMA_NV_PLATFORMCREATE, /* POLICYDELETE? */ - .authPolicy = { .size = GetDigestSize (TPM2_ALG_SHA1), }, + .authPolicy = { .size = GetDigestSize (TPM2_ALG_SHA256), }, .dataSize = NV_SIZE, - .nameAlg = TPM2_ALG_SHA1, + .nameAlg = TPM2_ALG_SHA256, .nvIndex = NV_INDEX, }, }; diff --git a/test/integration/sys-nv-readwrite.int.c b/test/integration/sys-nv-readwrite.int.c index 40455bef9..26e97edc2 100644 --- a/test/integration/sys-nv-readwrite.int.c +++ b/test/integration/sys-nv-readwrite.int.c @@ -40,7 +40,7 @@ create_policy_session ( TSS2_RC rc; TPM2B_ENCRYPTED_SECRET salt = { 0 }; TPM2B_NONCE nonce = { - .size = GetDigestSize (TPM2_ALG_SHA1), + .size = GetDigestSize (TPM2_ALG_SHA256), }; TPM2B_NONCE nonce_tpm = { 0, }; TPMT_SYM_DEF symmetric = { @@ -55,7 +55,7 @@ create_policy_session ( &salt, TPM2_SE_POLICY, &symmetric, - TPM2_ALG_SHA1, + TPM2_ALG_SHA256, handle, &nonce_tpm, 0); @@ -76,7 +76,7 @@ setup_nv (TSS2_SYS_CONTEXT *sys_ctx, TSS2L_SYS_AUTH_RESPONSE auth_rsp; TPM2B_NV_PUBLIC public_info = { .nvPublic = { - .nameAlg = TPM2_ALG_SHA1, + .nameAlg = TPM2_ALG_SHA256, .attributes = TPMA_NV_AUTHREAD | TPMA_NV_AUTHWRITE | TPMA_NV_PLATFORMCREATE | TPMA_NV_WRITEDEFINE | TPMA_NV_ORDERLY, .dataSize = NV_PS_INDEX_SIZE, diff --git a/test/integration/sys-read-clock.int.c b/test/integration/sys-read-clock.int.c index 8b693eb8b..2d3939424 100644 --- a/test/integration/sys-read-clock.int.c +++ b/test/integration/sys-read-clock.int.c @@ -30,15 +30,16 @@ test_invoke (TSS2_SYS_CONTEXT *sys_context) { TSS2_RC rc, rc2; TPM2B_NONCE nonce_caller = { - .size = TPM2_SHA1_DIGEST_SIZE, + .size = TPM2_SHA256_DIGEST_SIZE, .buffer = { 0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe, 0xef, - 0xde, 0xad, 0xbe, 0xef, + 0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe, 0xef, + 0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe, 0xef, } }; TPM2B_NONCE nonce_tpm = { - .size = TPM2_SHA1_DIGEST_SIZE, + .size = TPM2_SHA256_DIGEST_SIZE, .buffer = { 0 } }; TPM2B_ENCRYPTED_SECRET encrypted_salt = { 0 }; @@ -54,7 +55,7 @@ test_invoke (TSS2_SYS_CONTEXT *sys_context) &encrypted_salt, TPM2_SE_HMAC, &symmetric, - TPM2_ALG_SHA1, + TPM2_ALG_SHA256, &session, &nonce_tpm, NULL); diff --git a/test/integration/test-fapi.h b/test/integration/test-fapi.h index ccf4c9119..be1f8b69c 100644 --- a/test/integration/test-fapi.h +++ b/test/integration/test-fapi.h @@ -115,7 +115,7 @@ } \ if (i >= n) { \ json_object_put(jso1); \ - LOG_ERROR("Mismatch" ); \ + LOG_ERROR("Could not find JSON in list: %s", JSO_STRING); \ goto LABEL; \ } \ json_object_put(jso1); \ From 724720a6da3fa818a2c60435d88619ce84260cca Mon Sep 17 00:00:00 2001 From: Johannes Holland Date: Mon, 15 Jul 2024 15:02:48 +0200 Subject: [PATCH 4/8] test: gracefully handle TPM2_RC_COMMAND_CODE in various tests Signed-off-by: Johannes Holland --- test/integration/esys-audit.int.c | 6 ++-- test/integration/sys-create-loaded.int.c | 3 ++ test/integration/sys-policy-authorizeNV.int.c | 32 ++++++++++++++++++- 3 files changed, 38 insertions(+), 3 deletions(-) diff --git a/test/integration/esys-audit.int.c b/test/integration/esys-audit.int.c index 06d2160a0..e0f45ec2c 100644 --- a/test/integration/esys-audit.int.c +++ b/test/integration/esys-audit.int.c @@ -236,10 +236,12 @@ test_esys_audit(ESYS_CONTEXT * esys_context) LOG_WARNING("Platform authorization not possible."); failure_return = EXIT_SKIP; goto error; + } else if (r == TPM2_RC_COMMAND_CODE) { + /* Ignore command not supported */ + } else { + goto_if_error(r, "Error: SetCommandCodeAuditStatus", error); } - goto_if_error(r, "Error: SetCommandCodeAuditStatus", error); - r = Esys_FlushContext(esys_context, signHandle); goto_if_error(r, "Error: FlushContext", error); diff --git a/test/integration/sys-create-loaded.int.c b/test/integration/sys-create-loaded.int.c index b92b984c0..46f8dc3da 100644 --- a/test/integration/sys-create-loaded.int.c +++ b/test/integration/sys-create-loaded.int.c @@ -12,6 +12,7 @@ #include // for exit, NULL, size_t #include // for memset, memcpy +#include "test-esys.h" // for EXIT_SKIP #include "tss2_common.h" // for TSS2_RC, TSS2_RC_SUCCESS, TSS2_BASE_RC_... #include "tss2_mu.h" // for Tss2_MU_TPMT_PUBLIC_Marshal #include "tss2_sys.h" // for Tss2_Sys_CreateLoaded, Tss2_Sys_FlushCo... @@ -86,6 +87,8 @@ test_invoke (TSS2_SYS_CONTEXT *sys_context) &auth_rsp); if (rc == TPM2_RC_SUCCESS) { LOG_INFO("success object handle: 0x%x", object_handle); + } else if (rc == TPM2_RC_COMMAND_CODE) { + return EXIT_SKIP; } else { LOG_ERROR("CreateLoaded FAILED! Response Code : 0x%x", rc); exit(1); diff --git a/test/integration/sys-policy-authorizeNV.int.c b/test/integration/sys-policy-authorizeNV.int.c index 1c19cec0e..e81418aa4 100644 --- a/test/integration/sys-policy-authorizeNV.int.c +++ b/test/integration/sys-policy-authorizeNV.int.c @@ -201,7 +201,37 @@ test_invoke (TSS2_SYS_CONTEXT *sys_context) &out_public, &name, &rsp_auth); - if (rc != TPM2_RC_SUCCESS) { + if (rc == TPM2_RC_COMMAND_CODE) { + TPM2B_PUBLIC in_public_with_size = { + .size = sizeof(TPMT_PUBLIC), + .publicArea = { 0 }, + }; + memcpy(&in_public_with_size.publicArea, &in_public, sizeof(TPMT_PUBLIC)); + + TPM2B_DATA outside_info = {0}; + TPM2B_CREATION_DATA creation_data = {0}; + TPML_PCR_SELECTION creation_pcr = {0}; + TPM2B_DIGEST creation_hash = {0}; + TPMT_TK_CREATION creation_ticket = {0}; + rc = Tss2_Sys_CreatePrimary (sys_context, + TPM2_RH_OWNER, + &cmd_auth, + &in_sensitive, + &in_public_with_size, + &outside_info, + &creation_pcr, + &object_handle, + &out_public, + &creation_data, + &creation_hash, + &creation_ticket, + &name, + &rsp_auth); + if (rc != TPM2_RC_SUCCESS) { + LOG_ERROR("CreatePrimary FAILED! Response Code: 0x%x", rc); + exit(1); + } + } else if (rc != TPM2_RC_SUCCESS) { LOG_ERROR("CreateLoaded FAILED! Response Code: 0x%x", rc); exit(1); } From e389c05addcb9b183c63c4cc06da2c6a505b4d14 Mon Sep 17 00:00:00 2001 From: Johannes Holland Date: Mon, 15 Jul 2024 15:10:17 +0200 Subject: [PATCH 5/8] test: add RSA key hard-coded in some tests for convenience Signed-off-by: Johannes Holland --- test/data/fapi/policy/rsa2.pem | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 test/data/fapi/policy/rsa2.pem diff --git a/test/data/fapi/policy/rsa2.pem b/test/data/fapi/policy/rsa2.pem new file mode 100644 index 000000000..992d1d216 --- /dev/null +++ b/test/data/fapi/policy/rsa2.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCgYvoisJIDOeYg +jMF6ywiZbu085TLvy5ZMhq5vfYqdgefvwpemutnfKSnpYOs5B4yO/gAD7XiYluDv +tqlVhfISeQV04xrWGzNImenpwm/HsgueAu8VTHNtWSL96G+BLedGTrs2NqX6cxN7 +yGl7dQpB5X8iP4XSvpjP3Vb7gs+adwCJR6xFkt60jYFmwrAdhEzOeakhimi5rU21 +LxCkRdEyaxS57X15L9dEA+aYJ+dvkFfZOfTqIKmTrA75F8yj161xflwtIC4hgRBg +K9Xb/RdN8TDrTu+20E3RjngutU4qejW9Fd3mzHJGV8HRYvjYXhUblN9wmjm7Veru +T2b0rnvzAgMBAAECggEBAIwHvoJ5DRJ6A50Zp3dROxHTEphfOEi6xF/OGxBGWLbK +C7l+eS9d5gj8BJa5QsXI/IR/6X2EYQ1AdeV04oVD7CUKuqPiALU8jFrv3pV0aGm+ +3nu37gv3crPe5jkvLeNoM4tkA/oCXom63SDuyoG6nxkHiSdatLlaJUse4em3vRAL +QivziZIMyswcleMe0xAoMi7LO+nUFFxBS8/xGya0vsU0dsMQEl1SRITv1VCXmPQD +T4dEI4+1cufv6Ax0EDbFKmnjyiGTjOeQKrGIqETUSQolbg5PgL1XZehaaxM822OY +Qpnp5T0XhUEmVrOb2Wrboj+dC/2tgAN/fWXjAAxnm2ECgYEA02UTZuZ+QnD6tqo3 +/y3n5kaM9uA2mdOIqgECI9psGF1IBIC/iP2diKyuvmQL8hzymComb5YzZl3TOAga +WHQYbIeU3JhnYTG75/Dv5Zh32H4NjkIJHT2/8LUM25Ove9u6QAniVgIQpBZ47LjX +9jHjTYCW5n79qNSfu0egYJUvypECgYEAwjqWzzEINqnX/xIVCoB4XpuDuSdkM0JW +MZDIH9xHjZPp07/5XYEoITylk6Zwbh+djvWDNP4gzPtuK26VsqrNxoWMsFZeXn6U +xSOYL2UNCZiOgchdZCOr+6r8LRUuo8xHjbawVoJVK1+tZ2WsR3ilt3Gw34O8Z5ep +f4v7GOXw+EMCgYAUHjFrgJIRhqkFi0uK+HZyXtJ5iDsKBqyh6Tin6tiQtQfujcYs +pl5ArJZwvhq47vJTcud3hSbdHh7E3ViMhHfylDChkct833vPhgl+ozT8oHpvyG8P +nlnO8ZwIpZR0yCOAhrBImSe2RgE6HhlHb9X/ATbbNsizMZEGBLoJlwkWUQKBgQCy +4U7fh2LvJUF+82JZh7RUPZn1Pmg0JVZI0/TcEv37UEy77kR1b2xMIBTGhTVq1sc/ +ULIEbkA7SR1P9sr7//8AZSMLjJ/hG2dcoMmabNCzE8O7l5MblRbh87nIs4d+57bG +t4h0RBi4l6eWYLdoI59L8fNaB3PPXIiIpZ0eczeZDQKBgQC2vuFYpUZqDb9CaJsn +Luee6P6n5v3ZBTAT4E+GG1kWS28BiebcCuLKNAY4ZtLo08ozaTWcMxooOTeka2ux +fQDE4M/LTNpam8QOJ2hqECF5a0uBYNcbmaGtfA9KwIgwCZZYuwb5IDq/DRPuR690 +i8Kp6jR2wY0suObmZHKvbCB1Dw== +-----END PRIVATE KEY----- From 09abcd1bf14cf2f644bd63adee92a7d68bff564d Mon Sep 17 00:00:00 2001 From: Johannes Holland Date: Wed, 17 Jul 2024 11:19:40 +0200 Subject: [PATCH 6/8] libtpms: fix reset handling Signed-off-by: Johannes Holland --- configure.ac | 2 + src/tss2-tcti/tcti-libtpms.c | 31 +++++++++++++++- test/tpmclient/tpmclient.int.c | 67 +++++++++++++++++++++------------- 3 files changed, 74 insertions(+), 26 deletions(-) diff --git a/configure.ac b/configure.ac index eb6051ea1..e2d579b8c 100644 --- a/configure.ac +++ b/configure.ac @@ -287,6 +287,8 @@ AC_ARG_ENABLE([tcti-libtpms], [enable_tcti_libtpms=no] [AC_MSG_WARN([library libtpms missing])])]) AM_CONDITIONAL([ENABLE_TCTI_LIBTPMS], [test "x$enable_tcti_libtpms" != xno]) +AS_IF([test "x$enable_tcti_libtpms" = "xyes"], + [AC_DEFINE([TCTI_LIBTPMS],[1], [TCTI FOR LIBTPMS BASED ACCESS TO TPM2 DEVICE])]) AC_ARG_ENABLE([tcti-cmd], [AS_HELP_STRING([--disable-tcti-cmd], diff --git a/src/tss2-tcti/tcti-libtpms.c b/src/tss2-tcti/tcti-libtpms.c index 517d1684d..9c63b777c 100644 --- a/src/tss2-tcti/tcti-libtpms.c +++ b/src/tss2-tcti/tcti-libtpms.c @@ -367,9 +367,38 @@ Tss2_Tcti_Libtpms_Reset(TSS2_TCTI_CONTEXT *tcti_ctx) int ret; TSS2_TCTI_LIBTPMS_CONTEXT *tcti_libtpms = tcti_libtpms_context_cast(tcti_ctx); - LIBTPMS_API_CALL(fail, tcti_libtpms, TPM_IO_TpmEstablished_Reset); + if (TSS2_TCTI_MAGIC(tcti_libtpms) != TCTI_LIBTPMS_MAGIC) { + return TSS2_TCTI_RC_BAD_CONTEXT; + } + + /* Get NV (i.e. permanent state) */ + unsigned char *permanent_state; + uint32_t permanent_state_len; + LIBTPMS_API_CALL(fail, + tcti_libtpms, + TPMLIB_GetState, + TPMLIB_STATE_PERMANENT, + &permanent_state, + &permanent_state_len); + + /* TPM power off */ + tcti_libtpms->TPMLIB_Terminate(); + + /* Set NV to the same value, will be picked up by MainInit() */ + LIBTPMS_API_CALL(cleanup, + tcti_libtpms, + TPMLIB_SetState, + TPMLIB_STATE_PERMANENT, + permanent_state, + permanent_state_len); + + /* Load state and power on */ + LIBTPMS_API_CALL(cleanup, tcti_libtpms, TPMLIB_MainInit); + rc = TSS2_RC_SUCCESS; +cleanup: + free(permanent_state); fail: return rc; } diff --git a/test/tpmclient/tpmclient.int.c b/test/tpmclient/tpmclient.int.c index aff2c1247..479257986 100644 --- a/test/tpmclient/tpmclient.int.c +++ b/test/tpmclient/tpmclient.int.c @@ -24,10 +24,16 @@ #include "util/tpm2b.h" // for TPM2B #ifdef TCTI_MSSIM #include "tss2_tcti_mssim.h" // for tcti_platform_command, MS_S... +#include "tss2-tcti/tcti-mssim.h" // for TCTI_MSSIM_MAGIC #endif /* TCTI_MSSIM */ #ifdef TCTI_SWTPM #include "tss2_tcti_swtpm.h" // for Tss2_Tcti_Swtpm_Reset +#include "tss2-tcti/tcti-swtpm.h" // for TCTI_SWTPM_MAGIC #endif /* TCTI_SWTPM */ +#ifdef TCTI_LIBTPMS +#include "tss2_tcti_libtpms.h" // for Tss2_Tcti_Libtpms_Reset +#include "tss2-tcti/tcti-libtpms.h" // for TCTI_LIBTPMS_MAGIC +#endif /* TCTI_LIBTPMS */ #include "../integration/session-util.h" // for SESSION, create_auth_session #include "../integration/sys-util.h" // for CopySizedByteBuffer, Define... @@ -170,46 +176,57 @@ static TSS2_RC TpmReset() while (magic == 0 || magic == TCTILDR_MAGIC || magic == TCTI_PCAP_MAGIC) { magic = *((uint64_t*) tcti); if (magic == TCTILDR_MAGIC) { + LOG_TRACE("TCTI is tctildr (0x%" PRIx64 "). Unwrapping...", magic); tcti = ((TSS2_TCTILDR_CONTEXT *) tcti)->tcti; } else if (magic == TCTI_PCAP_MAGIC) { + LOG_TRACE("TCTI is tcti-pcap (0x%" PRIx64 "). Unwrapping...", magic); tcti = ((TSS2_TCTI_PCAP_CONTEXT *) tcti)->tcti_child; } } -#ifdef TCTI_LIBTPMS - rval = Tss2_Tcti_Libtpms_Reset(tcti); + switch (magic) { - /* If TCTI is not libtpms, bad context is returned. */ - if (rval != TSS2_TCTI_RC_BAD_CONTEXT) { - return rval; - } else { - LOG_WARNING("TPM Reset failed: wrong TCTI type retrying with swtpm..."); - } +#ifdef TCTI_LIBTPMS + case TCTI_LIBTPMS_MAGIC: + LOG_DEBUG("Calling Tss2_Tcti_Libtpms_Reset()"); + rval = Tss2_Tcti_Libtpms_Reset(tcti); + break; #endif /* TCTI_LIBTPMS */ #ifdef TCTI_SWTPM - rval = Tss2_Tcti_Swtpm_Reset(tcti); - - /* If TCTI is not swtpm, bad context is returned. */ - if (rval != TSS2_TCTI_RC_BAD_CONTEXT) { - return rval; - } else { - LOG_WARNING("TPM Reset failed: wrong TCTI type retrying with mssim..."); - } + case TCTI_SWTPM_MAGIC: + LOG_DEBUG("Calling Tss2_Tcti_Swtpm_Reset()"); + rval = Tss2_Tcti_Swtpm_Reset(tcti); + break; #endif /* TCTI_SWTPM */ #ifdef TCTI_MSSIM - rval = (TSS2_RC)tcti_platform_command( tcti, MS_SIM_POWER_OFF ); - if (rval == TSS2_RC_SUCCESS) { - rval = (TSS2_RC)tcti_platform_command( tcti, MS_SIM_POWER_ON ); - } else { - LOG_WARNING("TPM Reset failed: mssim returned 0x%x.", rval); - } + case TCTI_MSSIM_MAGIC: + LOG_DEBUG("Calling tcti_platform_command()"); + rval = (TSS2_RC)tcti_platform_command( tcti, MS_SIM_POWER_OFF ); + if (rval == TSS2_RC_SUCCESS) { + rval = (TSS2_RC)tcti_platform_command( tcti, MS_SIM_POWER_ON ); + } + break; #endif /* TCTI_MSSIM */ - if (rval == TSS2_TCTI_RC_BAD_CONTEXT) { - LOG_WARNING("TPM Reset failed: could not reset using known TCTI types. TCTI magic: %" PRIx64, *((uint64_t *) tcti)); - rval = EXIT_SKIP; + default: + LOG_WARNING("TPM reset failed. TCTI unknown. Got TCTI magic: 0x%" PRIx64 ". Enabled TCTIs with reset support: " +#ifdef TCTI_LIBTPMS + "libtpms (" xstr(TCTI_LIBTPMS_MAGIC) "), " +#endif /* TCTI_LIBTPMS */ +#ifdef TCTI_SWTPM + "swtpm (" xstr(TCTI_SWTPM_MAGIC) "), " +#endif /* TCTI_SWTPM */ +#ifdef TCTI_MSSIM + "mssim (" xstr(TCTI_MSSIM_MAGIC) "), " +#endif /* TCTI_MSSIM */ + "", magic); + return EXIT_SKIP; + } + + if (rval != TSS2_RC_SUCCESS) { + LOG_WARNING("TPM reset failed: 0x%08x", rval); } return rval; From cee26d4bc2fa172967ad7d6d04216d996236ed65 Mon Sep 17 00:00:00 2001 From: Johannes Holland Date: Wed, 17 Jul 2024 11:21:01 +0200 Subject: [PATCH 7/8] tpmclient: remove SHA1 from tpmclient Signed-off-by: Johannes Holland --- test/integration/sys-util.c | 2 +- test/tpmclient/tpmclient.int.c | 35 +++++++++++++++++++--------------- 2 files changed, 21 insertions(+), 16 deletions(-) diff --git a/test/integration/sys-util.c b/test/integration/sys-util.c index e7a96cdb4..3428a523b 100644 --- a/test/integration/sys-util.c +++ b/test/integration/sys-util.c @@ -194,7 +194,7 @@ create_keyedhash_key ( TPMA_OBJECT_SENSITIVEDATAORIGIN | TPMA_OBJECT_USERWITHAUTH, .publicArea.parameters.keyedHashDetail.scheme.scheme = TPM2_ALG_HMAC, - .publicArea.parameters.keyedHashDetail.scheme.details.hmac.hashAlg = TPM2_ALG_SHA1, + .publicArea.parameters.keyedHashDetail.scheme.details.hmac.hashAlg = TPM2_ALG_SHA256, .publicArea.unique.keyedHash.size = 0, }; diff --git a/test/tpmclient/tpmclient.int.c b/test/tpmclient/tpmclient.int.c index 479257986..47165f1ae 100644 --- a/test/tpmclient/tpmclient.int.c +++ b/test/tpmclient/tpmclient.int.c @@ -626,7 +626,7 @@ static void TestHierarchyChangeAuth() #define PCR_16 16 #define PCR_17 17 #define PCR_18 18 -#define PCR_SIZE 20 +#define PCR_SIZE 32 static void TestPcrExtend() { @@ -640,7 +640,7 @@ static void TestPcrExtend() TPML_DIGEST pcrValues; TPML_DIGEST_VALUES digests; TPML_PCR_SELECTION pcrSelectionOut; - UINT8 pcrAfterExtend[20]; + UINT8 pcrAfterExtend[PCR_SIZE]; TSS2_TCTI_CONTEXT *tctiContext; TSS2L_SYS_AUTH_COMMAND sessionsData = { .count = 1, .auths = {{ @@ -653,7 +653,7 @@ static void TestPcrExtend() /* Init digests */ digests.count = 1; - digests.digests[0].hashAlg = TPM2_ALG_SHA1; + digests.digests[0].hashAlg = TPM2_ALG_SHA256; digestSize = GetDigestSize( digests.digests[0].hashAlg ); for( i = 0; i < digestSize; i++ ) @@ -662,7 +662,7 @@ static void TestPcrExtend() } pcrSelection.count = 1; - pcrSelection.pcrSelections[0].hash = TPM2_ALG_SHA1; + pcrSelection.pcrSelections[0].hash = TPM2_ALG_SHA256; pcrSelection.pcrSelections[0].sizeofSelect = 3; /* Clear out PCR select bit field */ @@ -701,7 +701,7 @@ static void TestPcrExtend() Cleanup(); } - if( 0 == memcmp( &( pcrBeforeExtend[0] ), &( pcrAfterExtend[0] ), 20 ) ) + if( 0 == memcmp( &( pcrBeforeExtend[0] ), &( pcrAfterExtend[0] ), PCR_SIZE ) ) { LOG_ERROR("ERROR!! PCR didn't change value" ); Cleanup(); @@ -774,7 +774,7 @@ static void TestNV() publicInfo.size = 0; publicInfo.nvPublic.nvIndex = TPM20_INDEX_TEST1; - publicInfo.nvPublic.nameAlg = TPM2_ALG_SHA1; + publicInfo.nvPublic.nameAlg = TPM2_ALG_SHA256; /* First zero out attributes. */ *(UINT32 *)&( publicInfo.nvPublic.attributes ) = 0; @@ -912,7 +912,7 @@ static void TestHierarchyControl() publicInfo.size = 0; publicInfo.nvPublic.nvIndex = TPM20_INDEX_TEST1; - publicInfo.nvPublic.nameAlg = TPM2_ALG_SHA1; + publicInfo.nvPublic.nameAlg = TPM2_ALG_SHA256; /* First zero out attributes. */ *(UINT32 *)&( publicInfo.nvPublic.attributes ) = 0; @@ -1175,7 +1175,7 @@ static TSS2_RC CreateDataBlob( TSS2_SYS_CONTEXT *sysContext, SESSION **policySes inPublic.size = 0; inPublic.publicArea.type = TPM2_ALG_RSA; - inPublic.publicArea.nameAlg = TPM2_ALG_SHA1; + inPublic.publicArea.nameAlg = TPM2_ALG_SHA256; *(UINT32 *)&( inPublic.publicArea.objectAttributes) = 0; inPublic.publicArea.objectAttributes |= TPMA_OBJECT_RESTRICTED; inPublic.publicArea.objectAttributes |= TPMA_OBJECT_USERWITHAUTH; @@ -1186,7 +1186,7 @@ static TSS2_RC CreateDataBlob( TSS2_SYS_CONTEXT *sysContext, SESSION **policySes inPublic.publicArea.authPolicy.size = 0; inPublic.publicArea.parameters.rsaDetail.symmetric.algorithm = TPM2_ALG_AES; inPublic.publicArea.parameters.rsaDetail.symmetric.keyBits.aes = 128; - inPublic.publicArea.parameters.rsaDetail.symmetric.mode.aes = TPM2_ALG_CBC; + inPublic.publicArea.parameters.rsaDetail.symmetric.mode.aes = TPM2_ALG_CFB; inPublic.publicArea.parameters.rsaDetail.scheme.scheme = TPM2_ALG_NULL; inPublic.publicArea.parameters.rsaDetail.keyBits = 2048; inPublic.publicArea.parameters.rsaDetail.exponent = 0; @@ -1444,15 +1444,17 @@ static void TestHash() 0xde, 0xad, 0xbe, 0xef }; UINT8 goodHashValue[] = - { 0xB3, 0xFD, 0x6A, 0xD2, 0x9F, 0xD0, 0x13, 0x52, 0xBA, 0xFC, - 0x8B, 0x22, 0xC9, 0x6D, 0x88, 0x42, 0xA3, 0x3C, 0xB0, 0xC9 }; + { 0x4d, 0xb2, 0x5f, 0xa7, 0x94, 0xbc, 0x58, 0xa2, 0x43, 0x57, + 0xf8, 0xdc, 0x98, 0x98, 0x0c, 0xc5, 0x44, 0xe4, 0x51, 0xbf, + 0xb0, 0xd1, 0xab, 0x7a, 0x65, 0x14, 0xbd, 0xa7, 0x55, 0x9f, + 0x02, 0x2f }; LOG_INFO("HASH TESTS:" ); auth.size = 2; auth.buffer[0] = 0; auth.buffer[1] = 0xff; - rval = Tss2_Sys_HashSequenceStart ( sysContext, 0, &auth, TPM2_ALG_SHA1, &sequenceHandle[0], 0 ); + rval = Tss2_Sys_HashSequenceStart ( sysContext, 0, &auth, TPM2_ALG_SHA256, &sequenceHandle[0], 0 ); CheckPassed( rval ); sessionsData.auths[0].sessionHandle = TPM2_RH_PW; @@ -1636,7 +1638,7 @@ static void TestUnseal() creationPCR.count = 0; inPublic.publicArea.type = TPM2_ALG_KEYEDHASH; - inPublic.publicArea.nameAlg = TPM2_ALG_SHA1; + inPublic.publicArea.nameAlg = TPM2_ALG_SHA256; *(UINT32 *)&( inPublic.publicArea.objectAttributes) = 0; inPublic.publicArea.objectAttributes |= TPMA_OBJECT_USERWITHAUTH; @@ -1711,7 +1713,7 @@ static void CreatePasswordTestNV( TPMI_RH_NV_INDEX nvIndex, char * password ) publicInfo.size = 0; publicInfo.nvPublic.nvIndex = nvIndex; - publicInfo.nvPublic.nameAlg = TPM2_ALG_SHA1; + publicInfo.nvPublic.nameAlg = TPM2_ALG_SHA256; /* First zero out attributes. */ *(UINT32 *)&( publicInfo.nvPublic.attributes ) = 0; @@ -2085,7 +2087,7 @@ static void GetSetEncryptParamTests() nvAttributes |= TPMA_NV_PLATFORMCREATE; rval = DefineNvIndex( sysContext, TPM2_RH_PLATFORM, &nvAuth, &authPolicy, - TPM20_INDEX_PASSWORD_TEST, TPM2_ALG_SHA1, nvAttributes, 32 ); + TPM20_INDEX_PASSWORD_TEST, TPM2_ALG_SHA256, nvAttributes, 32 ); CheckPassed( rval ); /* #4 */ /* Write the index. */ @@ -2219,6 +2221,9 @@ static void EcEphemeralTest() Q.size = 0; rval = Tss2_Sys_EC_Ephemeral( sysContext, 0, TPM2_ECC_BN_P256, &Q, &counter, 0 ); + if (rval == TPM2_RC_COMMAND_CODE) { + return; + } CheckPassed( rval ); } From b25467de5852d188b61b4a3b601ddb13750d087f Mon Sep 17 00:00:00 2001 From: Johannes Holland Date: Wed, 17 Jul 2024 11:21:35 +0200 Subject: [PATCH 8/8] tpmclient: rename log module to test (see other tests) Signed-off-by: Johannes Holland --- test/tpmclient/tpmclient.int.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/tpmclient/tpmclient.int.c b/test/tpmclient/tpmclient.int.c index 47165f1ae..7aec89ee5 100644 --- a/test/tpmclient/tpmclient.int.c +++ b/test/tpmclient/tpmclient.int.c @@ -41,7 +41,7 @@ #include "sysapi_util.h" // for _TSS2_SYS_CONTEXT_BLOB, res... #include "util/tss2_endian.h" // for BE_TO_HOST_32 -#define LOGMODULE testtpmclient +#define LOGMODULE test #include "util/log.h" // for LOG_INFO, LOG_ERROR, LOGBLO... /*