diff options
Diffstat (limited to '')
-rw-r--r-- | src/tpm2/AlgorithmTests.c | 964 |
1 files changed, 964 insertions, 0 deletions
diff --git a/src/tpm2/AlgorithmTests.c b/src/tpm2/AlgorithmTests.c new file mode 100644 index 0000000..08ee6b0 --- /dev/null +++ b/src/tpm2/AlgorithmTests.c @@ -0,0 +1,964 @@ +/********************************************************************************/ +/* */ +/* Code to perform the various self-test functions. */ +/* Written by Ken Goldman */ +/* IBM Thomas J. Watson Research Center */ +/* $Id: AlgorithmTests.c 1658 2021-01-22 23:14:01Z kgoldman $ */ +/* */ +/* Licenses and Notices */ +/* */ +/* 1. Copyright Licenses: */ +/* */ +/* - Trusted Computing Group (TCG) grants to the user of the source code in */ +/* this specification (the "Source Code") a worldwide, irrevocable, */ +/* nonexclusive, royalty free, copyright license to reproduce, create */ +/* derivative works, distribute, display and perform the Source Code and */ +/* derivative works thereof, and to grant others the rights granted herein. */ +/* */ +/* - The TCG grants to the user of the other parts of the specification */ +/* (other than the Source Code) the rights to reproduce, distribute, */ +/* display, and perform the specification solely for the purpose of */ +/* developing products based on such documents. */ +/* */ +/* 2. Source Code Distribution Conditions: */ +/* */ +/* - Redistributions of Source Code must retain the above copyright licenses, */ +/* this list of conditions and the following disclaimers. */ +/* */ +/* - Redistributions in binary form must reproduce the above copyright */ +/* licenses, this list of conditions and the following disclaimers in the */ +/* documentation and/or other materials provided with the distribution. */ +/* */ +/* 3. Disclaimers: */ +/* */ +/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */ +/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */ +/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */ +/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */ +/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */ +/* information on specification licensing rights available through TCG */ +/* membership agreements. */ +/* */ +/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */ +/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */ +/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */ +/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */ +/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */ +/* */ +/* - Without limitation, TCG and its members and licensors disclaim all */ +/* liability, including liability for infringement of any proprietary */ +/* rights, relating to use of information in this specification and to the */ +/* implementation of this specification, and TCG disclaims all liability for */ +/* cost of procurement of substitute goods or services, lost profits, loss */ +/* of use, loss of data or any incidental, consequential, direct, indirect, */ +/* or special damages, whether under contract, tort, warranty or otherwise, */ +/* arising in any way out of use or reliance upon this specification or any */ +/* information herein. */ +/* */ +/* (c) Copyright IBM Corp. and others, 2016 - 2021 */ +/* */ +/********************************************************************************/ + +/* 10.2.1 AlgorithmTests.c */ +/* 10.2.1.1 Introduction */ +/* This file contains the code to perform the various self-test functions. */ +/* 10.2.1.2 Includes and Defines */ +#include "Tpm.h" +#define SELF_TEST_DATA +#if SELF_TEST +/* These includes pull in the data structures. They contain data definitions for the various + tests. */ +#include "SelfTest.h" +#include "SymmetricTest.h" +#include "RsaTestData.h" +#include "EccTestData.h" +#include "HashTestData.h" +#include "KdfTestData.h" +#define TEST_DEFAULT_TEST_HASH(vector) \ + if(TEST_BIT(DEFAULT_TEST_HASH, g_toTest)) \ + TestHash(DEFAULT_TEST_HASH, vector); +/* Make sure that the algorithm has been tested */ +#define CLEAR_BOTH(alg) { CLEAR_BIT(alg, *toTest); \ + if(toTest != &g_toTest) \ + CLEAR_BIT(alg, g_toTest); } +#define SET_BOTH(alg) { SET_BIT(alg, *toTest); \ + if(toTest != &g_toTest) \ + SET_BIT(alg, g_toTest); } +#define TEST_BOTH(alg) ((toTest != &g_toTest) \ + ? TEST_BIT(alg, *toTest) || TEST_BIT(alg, g_toTest) \ + : TEST_BIT(alg, *toTest)) +/* Can only cancel if doing a list. */ +#define CHECK_CANCELED \ + if(_plat__IsCanceled() && toTest != &g_toTest) \ + return TPM_RC_CANCELED; +/* 10.2.1.3 Hash Tests */ +/* 10.2.1.3.1 Description */ +/* The hash test does a known-value HMAC using the specified hash algorithm. */ +/* 10.2.1.3.2 TestHash() */ +/* The hash test function. */ +static TPM_RC +TestHash( + TPM_ALG_ID hashAlg, + ALGORITHM_VECTOR *toTest + ) +{ + TPM2B_DIGEST computed; // value computed + HMAC_STATE state; + UINT16 digestSize; + const TPM2B *testDigest = NULL; + // TPM2B_TYPE(HMAC_BLOCK, DEFAULT_TEST_HASH_BLOCK_SIZE); + pAssert(hashAlg != TPM_ALG_NULL); +#define HASH_CASE_FOR_TEST(HASH, hash) case ALG_##HASH##_VALUE: \ + testDigest = &c_##HASH##_digest.b; \ + break; + switch(hashAlg) + { + FOR_EACH_HASH(HASH_CASE_FOR_TEST) + + default: + FAIL(FATAL_ERROR_INTERNAL); + } + // Clear the to-test bits + CLEAR_BOTH(hashAlg); + + // If there is an algorithm without test vectors, then assume that things are OK. + if(testDigest == NULL || testDigest->size == 0) + return TPM_RC_SUCCESS; + + // Set the HMAC key to twice the digest size + digestSize = CryptHashGetDigestSize(hashAlg); + CryptHmacStart(&state, hashAlg, digestSize * 2, + (BYTE *)c_hashTestKey.t.buffer); + CryptDigestUpdate(&state.hashState, 2 * CryptHashGetBlockSize(hashAlg), + (BYTE *)c_hashTestData.t.buffer); + computed.t.size = digestSize; + CryptHmacEnd(&state, digestSize, computed.t.buffer); + if((testDigest->size != computed.t.size) + || (memcmp(testDigest->buffer, computed.t.buffer, computed.b.size) != 0)) { + SELF_TEST_FAILURE; + } + return TPM_RC_SUCCESS; +} +// libtpms added begin +#if SMAC_IMPLEMENTED && ALG_CMAC +static TPM_RC +TestSMAC( + ALGORITHM_VECTOR *toTest + ) +{ + HMAC_STATE state; + UINT16 copied; + BYTE out[MAX_SYM_BLOCK_SIZE]; + UINT32 outSize = sizeof(out); + UINT16 blocksize; + int i; + TPMU_PUBLIC_PARMS cmac_keyParms; + + // initializing this statically seems impossible with gcc... + cmac_keyParms.symDetail.sym.algorithm = TPM_ALG_AES; + cmac_keyParms.symDetail.sym.keyBits.sym = 128; + + for (i = 0; CMACTests[i].key; i++ ) + { + blocksize = CryptMacStart(&state, &cmac_keyParms, + TPM_ALG_CMAC, CMACTests[i].key); + pAssert(blocksize <= outSize); + CryptDigestUpdate(&state.hashState, CMACTests[i].datalen, + CMACTests[i].data); + copied = CryptMacEnd(&state, outSize, out); + if((CMACTests[i].outlen != copied) + || (memcmp(out, CMACTests[i].out, CMACTests[i].outlen) != 0)) { + SELF_TEST_FAILURE; + } + } + return TPM_RC_SUCCESS; +} +#endif +// libtpms added end +/* 10.2.1.4 Symmetric Test Functions */ +/* 10.2.1.4.1 MakeIv() */ +/* Internal function to make the appropriate IV depending on the mode. */ +static UINT32 +MakeIv( + TPM_ALG_ID mode, // IN: symmetric mode + UINT32 size, // IN: block size of the algorithm + BYTE *iv // OUT: IV to fill in + ) +{ + BYTE i; + if(mode == TPM_ALG_ECB) + return 0; + if(mode == TPM_ALG_CTR) + { + // The test uses an IV that has 0xff in the last byte + for(i = 1; i <= size; i++) + *iv++ = 0xff - (BYTE)(size - i); + } + else + { + for(i = 0; i < size; i++) + *iv++ = i; + } + return size; +} +/* 10.2.1.4.2 TestSymmetricAlgorithm() */ +/* Function to test a specific algorithm, key size, and mode. */ +static void +TestSymmetricAlgorithm( + const SYMMETRIC_TEST_VECTOR *test, // + TPM_ALG_ID mode // + ) +{ + BYTE encrypted[MAX_SYM_BLOCK_SIZE * 2]; + BYTE decrypted[MAX_SYM_BLOCK_SIZE * 2]; + TPM2B_IV iv; + + // libtpms added beging + if (test->dataOut[mode - TPM_ALG_CTR] == NULL) + return; + // libtpms added end + + // + // Get the appropriate IV + iv.t.size = (UINT16)MakeIv(mode, test->ivSize, iv.t.buffer); + // Encrypt known data + CryptSymmetricEncrypt(encrypted, test->alg, test->keyBits, test->key, &iv, + mode, test->dataInOutSize, test->dataIn); + // Check that it matches the expected value + if(!MemoryEqual(encrypted, test->dataOut[mode - TPM_ALG_CTR], + test->dataInOutSize)) { + SELF_TEST_FAILURE; + } + // Reinitialize the iv for decryption + MakeIv(mode, test->ivSize, iv.t.buffer); + CryptSymmetricDecrypt(decrypted, test->alg, test->keyBits, test->key, &iv, + mode, test->dataInOutSize, + test->dataOut[mode - TPM_ALG_CTR]); + // Make sure that it matches what we started with + if(!MemoryEqual(decrypted, test->dataIn, test->dataInOutSize)) { + SELF_TEST_FAILURE; + } +} +/* 10.2.1.4.3 AllSymsAreDone() */ +/* Checks if both symmetric algorithms have been tested. This is put here so that addition of a + symmetric algorithm will be relatively easy to handle */ +/* Return Value Meaning */ +/* TRUE(1) all symmetric algorithms tested */ +/* FALSE(0) not all symmetric algorithms tested */ +static BOOL +AllSymsAreDone( + ALGORITHM_VECTOR *toTest + ) +{ + return (!TEST_BOTH(TPM_ALG_AES) && !TEST_BOTH(TPM_ALG_SM4)); +} +/* 10.2.1.4.4 AllModesAreDone() */ +/* Checks if all the modes have been tested */ +/* Return Value Meaning */ +/* TRUE(1) all modes tested */ +/* FALSE(0) all modes not tested */ +static BOOL +AllModesAreDone( + ALGORITHM_VECTOR *toTest + ) +{ + TPM_ALG_ID alg; + for(alg = SYM_MODE_FIRST; alg <= SYM_MODE_LAST; alg++) + if(TEST_BOTH(alg)) + return FALSE; + return TRUE; +} +/* 10.2.1.4.5 TestSymmetric() */ +/* If alg is a symmetric block cipher, then all of the modes that are selected are tested. If alg is + a mode, then all algorithms of that mode are tested. */ +static TPM_RC +TestSymmetric( + TPM_ALG_ID alg, + ALGORITHM_VECTOR *toTest + ) +{ + SYM_INDEX index; + TPM_ALG_ID mode; + // + if(!TEST_BIT(alg, *toTest)) + return TPM_RC_SUCCESS; + if(alg == TPM_ALG_AES || alg == TPM_ALG_SM4 || alg == TPM_ALG_CAMELLIA || alg == TPM_ALG_TDES) + { + // Will test the algorithm for all modes and key sizes + CLEAR_BOTH(alg); + // A test this algorithm for all modes + for(index = 0; index < NUM_SYMS; index++) + { + if(c_symTestValues[index].alg == alg) + { + for(mode = SYM_MODE_FIRST; + mode <= SYM_MODE_LAST; + mode++) + { + if(TEST_BIT(mode, g_implementedAlgorithms)) // libtpms always test implemented modes + TestSymmetricAlgorithm(&c_symTestValues[index], mode); + } + } + } + // if all the symmetric tests are done + if(AllSymsAreDone(toTest)) + { + // all symmetric algorithms tested so no modes should be set + for(alg = SYM_MODE_FIRST; alg <= SYM_MODE_LAST; alg++) + CLEAR_BOTH(alg); + } + } + else if(SYM_MODE_FIRST <= alg && alg <= SYM_MODE_LAST) + { + // Test this mode for all key sizes and algorithms + for(index = 0; index < NUM_SYMS; index++) + { + // The mode testing only comes into play when doing self tests + // by command. When doing self tests by command, the block ciphers are + // tested first. That means that all of their modes would have been + // tested for all key sizes. If there is no block cipher left to + // test, then clear this mode bit. + if(!TEST_BIT(TPM_ALG_AES, *toTest) + && !TEST_BIT(TPM_ALG_SM4, *toTest)) + { + CLEAR_BOTH(alg); + } + else + { + for(index = 0; index < NUM_SYMS; index++) + { + if(TEST_BIT(c_symTestValues[index].alg, *toTest)) + TestSymmetricAlgorithm(&c_symTestValues[index], alg); + } + // have tested this mode for all algorithms + CLEAR_BOTH(alg); + } + } + if(AllModesAreDone(toTest)) + { + CLEAR_BOTH(TPM_ALG_AES); + CLEAR_BOTH(TPM_ALG_SM4); + } + } + else + pAssert(alg == 0 && alg != 0); + return TPM_RC_SUCCESS; +} +/* 10.2.1.5 RSA Tests */ +#if ALG_RSA +/* 10.2.1.5.1 Introduction */ +/* The tests are for public key only operations and for private key operations. Signature + verification and encryption are public key operations. They are tested by using a KVT. For + signature verification, this means that a known good signature is checked by + CryptRsaValidateSignature(). If it fails, then the TPM enters failure mode. For encryption, the + TPM encrypts known values using the selected scheme and checks that the returned value matches + the expected value. */ +/* For private key operations, a full scheme check is used. For a signing key, a known key is used + to sign a known message. Then that signature is verified. since the signature may involve use of + random values, the signature will be different each time and we can't always check that the + signature matches a known value. The same technique is used for decryption (RSADP/RSAEP). */ +/* When an operation uses the public key and the verification has not been tested, the TPM will do a + KVT. */ +/* The test for the signing algorithm is built into the call for the algorithm */ +/* 10.2.1.5.2 RsaKeyInitialize() */ +/* The test key is defined by a public modulus and a private prime. The TPM's RSA code computes the + second prime and the private exponent. */ +static void +RsaKeyInitialize( + OBJECT *testObject + ) +{ + MemoryCopy2B(&testObject->publicArea.unique.rsa.b, (P2B)&c_rsaPublicModulus, + sizeof(c_rsaPublicModulus)); + MemoryCopy2B(&testObject->sensitive.sensitive.rsa.b, (P2B)&c_rsaPrivatePrime, + sizeof(testObject->sensitive.sensitive.rsa.t.buffer)); + testObject->publicArea.parameters.rsaDetail.keyBits = RSA_TEST_KEY_SIZE * 8; + // Use the default exponent + testObject->publicArea.parameters.rsaDetail.exponent = 0; + testObject->attributes.privateExp = 0; +} +/* 10.2.1.5.3 TestRsaEncryptDecrypt() */ +/* These tests are for a public key encryption that uses a random value. */ +static TPM_RC +TestRsaEncryptDecrypt( + TPM_ALG_ID scheme, // IN: the scheme + ALGORITHM_VECTOR *toTest // + ) +{ + TPM2B_PUBLIC_KEY_RSA testInput; + TPM2B_PUBLIC_KEY_RSA testOutput; + OBJECT testObject; + const TPM2B_RSA_TEST_KEY *kvtValue = NULL; + TPM_RC result = TPM_RC_SUCCESS; + const TPM2B *testLabel = NULL; + TPMT_RSA_DECRYPT rsaScheme; + // + // Don't need to initialize much of the test object but do need to initialize + // the flag indicating that the private exponent has been computed. + testObject.attributes.privateExp = CLEAR; + RsaKeyInitialize(&testObject); + rsaScheme.scheme = scheme; + rsaScheme.details.anySig.hashAlg = DEFAULT_TEST_HASH; + CLEAR_BOTH(scheme); + CLEAR_BOTH(TPM_ALG_NULL); + if(scheme == TPM_ALG_NULL) + { + // This is an encryption scheme using the private key without any encoding. + memcpy(testInput.t.buffer, c_RsaTestValue, sizeof(c_RsaTestValue)); + testInput.t.size = sizeof(c_RsaTestValue); + if(TPM_RC_SUCCESS != CryptRsaEncrypt(&testOutput, &testInput.b, + &testObject, &rsaScheme, NULL, NULL)) { + SELF_TEST_FAILURE; + } + if(!MemoryEqual(testOutput.t.buffer, c_RsaepKvt.buffer, c_RsaepKvt.size)) { + SELF_TEST_FAILURE; + } + MemoryCopy2B(&testInput.b, &testOutput.b, sizeof(testInput.t.buffer)); + if(TPM_RC_SUCCESS != CryptRsaDecrypt(&testOutput.b, &testInput.b, + &testObject, &rsaScheme, NULL)) { + SELF_TEST_FAILURE; + } + if(!MemoryEqual(testOutput.t.buffer, c_RsaTestValue, + sizeof(c_RsaTestValue))) { + SELF_TEST_FAILURE; + } + } + else + { + // TPM_ALG_RSAES: + // This is an decryption scheme using padding according to + // PKCS#1v2.1, 7.2. This padding uses random bits. To test a public + // key encryption that uses random data, encrypt a value and then + // decrypt the value and see that we get the encrypted data back. + // The hash is not used by this encryption so it can be TMP_ALG_NULL + // TPM_ALG_OAEP_: + // This is also an decryption scheme and it also uses a + // pseudo-random + // value. However, this also uses a hash algorithm. So, we may need + // to test that algorithm before use. + if(scheme == TPM_ALG_OAEP) + { + TEST_DEFAULT_TEST_HASH(toTest); + kvtValue = &c_OaepKvt; + testLabel = OAEP_TEST_STRING; + } + else if(scheme == TPM_ALG_RSAES) + { + kvtValue = &c_RsaesKvt; + testLabel = NULL; + } + else { + SELF_TEST_FAILURE; + } + // Only use a digest-size portion of the test value + memcpy(testInput.t.buffer, c_RsaTestValue, DEFAULT_TEST_DIGEST_SIZE); + testInput.t.size = DEFAULT_TEST_DIGEST_SIZE; + // See if the encryption works + if(TPM_RC_SUCCESS != CryptRsaEncrypt(&testOutput, &testInput.b, + &testObject, &rsaScheme, testLabel, + NULL)) { + SELF_TEST_FAILURE; + } + MemoryCopy2B(&testInput.b, &testOutput.b, sizeof(testInput.t.buffer)); + // see if we can decrypt this value and get the original data back + if(TPM_RC_SUCCESS != CryptRsaDecrypt(&testOutput.b, &testInput.b, + &testObject, &rsaScheme, testLabel)) { + SELF_TEST_FAILURE; + } + // See if the results compare + if(testOutput.t.size != DEFAULT_TEST_DIGEST_SIZE + || !MemoryEqual(testOutput.t.buffer, c_RsaTestValue, + DEFAULT_TEST_DIGEST_SIZE)) { + SELF_TEST_FAILURE; + } + // Now check that the decryption works on a known value + MemoryCopy2B(&testInput.b, (P2B)kvtValue, + sizeof(testInput.t.buffer)); + if(TPM_RC_SUCCESS != CryptRsaDecrypt(&testOutput.b, &testInput.b, + &testObject, &rsaScheme, testLabel)) { + SELF_TEST_FAILURE; + } + if(testOutput.t.size != DEFAULT_TEST_DIGEST_SIZE + || !MemoryEqual(testOutput.t.buffer, c_RsaTestValue, + DEFAULT_TEST_DIGEST_SIZE)) { + SELF_TEST_FAILURE; + } + } + return result; +} +/* 10.2.1.5.4 TestRsaSignAndVerify() */ +/* This function does the testing of the RSA sign and verification functions. This test does a + KVT. */ +static TPM_RC +TestRsaSignAndVerify( + TPM_ALG_ID scheme, + ALGORITHM_VECTOR *toTest + ) +{ + TPM_RC result = TPM_RC_SUCCESS; + OBJECT testObject; + TPM2B_DIGEST testDigest; + TPMT_SIGNATURE testSig; + // Do a sign and signature verification. + // RSASSA: + // This is a signing scheme according to PKCS#1-v2.1 8.2. It does not + // use random data so there is a KVT for the signing operation. On + // first use of the scheme for signing, use the TPM's RSA key to + // sign a portion of c_RsaTestData and compare the results to c_RsassaKvt. Then + // decrypt the data to see that it matches the starting value. This verifies + // the signature with a KVT + // Clear the bits indicating that the function has not been checked. This is to + // prevent looping + CLEAR_BOTH(scheme); + CLEAR_BOTH(TPM_ALG_NULL); + CLEAR_BOTH(TPM_ALG_RSA); + RsaKeyInitialize(&testObject); + memcpy(testDigest.t.buffer, (BYTE *)c_RsaTestValue, DEFAULT_TEST_DIGEST_SIZE); + testDigest.t.size = DEFAULT_TEST_DIGEST_SIZE; + testSig.sigAlg = scheme; + testSig.signature.rsapss.hash = DEFAULT_TEST_HASH; + // RSAPSS: + // This is a signing scheme a according to PKCS#1-v2.2 8.1 it uses + // random data in the signature so there is no KVT for the signing + // operation. To test signing, the TPM will use the TPM's RSA key + // to sign a portion of c_RsaTestValue and then it will verify the + // signature. For verification, c_RsapssKvt is verified before the + // user signature blob is verified. The worst case for testing of this + // algorithm is two private and one public key operation. + // The process is to sign known data. If RSASSA is being done, verify that the + // signature matches the precomputed value. For both, use the signed value and + // see that the verification says that it is a good signature. Then + // if testing RSAPSS, do a verify of a known good signature. This ensures that + // the validation function works. + if(TPM_RC_SUCCESS != CryptRsaSign(&testSig, &testObject, &testDigest, NULL)) { + SELF_TEST_FAILURE; + } + // For RSASSA, make sure the results is what we are looking for + if(testSig.sigAlg == TPM_ALG_RSASSA) + { + if(testSig.signature.rsassa.sig.t.size != RSA_TEST_KEY_SIZE + || !MemoryEqual(c_RsassaKvt.buffer, + testSig.signature.rsassa.sig.t.buffer, + RSA_TEST_KEY_SIZE)) { + SELF_TEST_FAILURE; + } + } + // See if the TPM will validate its own signatures + if(TPM_RC_SUCCESS != CryptRsaValidateSignature(&testSig, &testObject, + &testDigest)) { + SELF_TEST_FAILURE; + } + // If this is RSAPSS, check the verification with known signature + // Have to copy because CrytpRsaValidateSignature() eats the signature + if(TPM_ALG_RSAPSS == scheme) + { + MemoryCopy2B(&testSig.signature.rsapss.sig.b, (P2B)&c_RsapssKvt, + sizeof(testSig.signature.rsapss.sig.t.buffer)); + if(TPM_RC_SUCCESS != CryptRsaValidateSignature(&testSig, &testObject, + &testDigest)) { + SELF_TEST_FAILURE; + } + } + return result; +} +/* 10.2.1.5.5 TestRSA() */ +/* Function uses the provided vector to indicate which tests to run. It will clear the vector after + each test is run and also clear g_toTest */ +static TPM_RC +TestRsa( + TPM_ALG_ID alg, + ALGORITHM_VECTOR *toTest + ) +{ + TPM_RC result = TPM_RC_SUCCESS; + // + switch(alg) + { + case TPM_ALG_NULL: + // This is the RSAEP/RSADP function. If we are processing a list, don't + // need to test these now because any other test will validate + // RSAEP/RSADP. Can tell this is list of test by checking to see if + // 'toTest' is pointing at g_toTest. If so, this is an isolated test + // an need to go ahead and do the test; + if((toTest == &g_toTest) + || (!TEST_BIT(TPM_ALG_RSASSA, *toTest) + && !TEST_BIT(TPM_ALG_RSAES, *toTest) + && !TEST_BIT(TPM_ALG_RSAPSS, *toTest) + && !TEST_BIT(TPM_ALG_OAEP, *toTest))) + // Not running a list of tests or no other tests on the list + // so run the test now + result = TestRsaEncryptDecrypt(alg, toTest); + // if not running the test now, leave the bit on, just in case things + // get interrupted + break; + case TPM_ALG_OAEP: + case TPM_ALG_RSAES: + result = TestRsaEncryptDecrypt(alg, toTest); + break; + case TPM_ALG_RSAPSS: + case TPM_ALG_RSASSA: + result = TestRsaSignAndVerify(alg, toTest); + break; + default: + SELF_TEST_FAILURE; + } + return result; +} +#endif // TPM_ALG_RSA +/* 10.2.1.6 ECC Tests */ +#if ALG_ECC +/* 10.2.1.6.1 LoadEccParameter() */ +/* This function is mostly for readability and type checking */ +static void +LoadEccParameter( + TPM2B_ECC_PARAMETER *to, // target + const TPM2B_EC_TEST *from // source + ) +{ + MemoryCopy2B(&to->b, &from->b, sizeof(to->t.buffer)); +} +/* 10.2.1.6.2 LoadEccPoint() */ +static void +LoadEccPoint( + TPMS_ECC_POINT *point, // target + const TPM2B_EC_TEST *x, // source + const TPM2B_EC_TEST *y + ) +{ + MemoryCopy2B(&point->x.b, (TPM2B *)x, sizeof(point->x.t.buffer)); + MemoryCopy2B(&point->y.b, (TPM2B *)y, sizeof(point->y.t.buffer)); +} +/* 10.2.1.6.3 TestECDH() */ +/* This test does a KVT on a point multiply. */ +static TPM_RC +TestECDH( + TPM_ALG_ID scheme, // IN: for consistency + ALGORITHM_VECTOR *toTest // IN/OUT: modified after test is run + ) +{ + TPMS_ECC_POINT Z; + TPMS_ECC_POINT Qe; + TPM2B_ECC_PARAMETER ds; + TPM_RC result = TPM_RC_SUCCESS; + // + NOT_REFERENCED(scheme); + CLEAR_BOTH(TPM_ALG_ECDH); + LoadEccParameter(&ds, &c_ecTestKey_ds); + LoadEccPoint(&Qe, &c_ecTestKey_QeX, &c_ecTestKey_QeY); + if(TPM_RC_SUCCESS != CryptEccPointMultiply(&Z, c_testCurve, &Qe, &ds, + NULL, NULL)) { + SELF_TEST_FAILURE; + } + if(!MemoryEqual2B(&c_ecTestEcdh_X.b, &Z.x.b) + || !MemoryEqual2B(&c_ecTestEcdh_Y.b, &Z.y.b)) { + SELF_TEST_FAILURE; + } + return result; +} +/* 10.2.1.6.4 TestEccSignAndVerify() */ +static TPM_RC +TestEccSignAndVerify( + TPM_ALG_ID scheme, + ALGORITHM_VECTOR *toTest + ) +{ + OBJECT testObject; + TPMT_SIGNATURE testSig; + TPMT_ECC_SCHEME eccScheme; + testSig.sigAlg = scheme; + testSig.signature.ecdsa.hash = DEFAULT_TEST_HASH; + eccScheme.scheme = scheme; + eccScheme.details.anySig.hashAlg = DEFAULT_TEST_HASH; + CLEAR_BOTH(scheme); + CLEAR_BOTH(TPM_ALG_ECDH); + // ECC signature verification testing uses a KVT. + switch(scheme) + { + case TPM_ALG_ECDSA: + LoadEccParameter(&testSig.signature.ecdsa.signatureR, &c_TestEcDsa_r); + LoadEccParameter(&testSig.signature.ecdsa.signatureS, &c_TestEcDsa_s); + break; + case TPM_ALG_ECSCHNORR: + LoadEccParameter(&testSig.signature.ecschnorr.signatureR, + &c_TestEcSchnorr_r); + LoadEccParameter(&testSig.signature.ecschnorr.signatureS, + &c_TestEcSchnorr_s); + break; + case TPM_ALG_SM2: + // don't have a test for SM2 + return TPM_RC_SUCCESS; + default: + SELF_TEST_FAILURE; + break; + } + TEST_DEFAULT_TEST_HASH(toTest); + // Have to copy the key. This is because the size used in the test vectors + // is the size of the ECC parameter for the test key while the size of a point + // is TPM dependent + MemoryCopy2B(&testObject.sensitive.sensitive.ecc.b, &c_ecTestKey_ds.b, + sizeof(testObject.sensitive.sensitive.ecc.t.buffer)); + LoadEccPoint(&testObject.publicArea.unique.ecc, &c_ecTestKey_QsX, + &c_ecTestKey_QsY); + testObject.publicArea.parameters.eccDetail.curveID = c_testCurve; + if(TPM_RC_SUCCESS != CryptEccValidateSignature(&testSig, &testObject, + (TPM2B_DIGEST *)&c_ecTestValue.b)) + { + SELF_TEST_FAILURE; + } + CHECK_CANCELED; + // Now sign and verify some data + if(TPM_RC_SUCCESS != CryptEccSign(&testSig, &testObject, + (TPM2B_DIGEST *)&c_ecTestValue, + &eccScheme, NULL)) { + SELF_TEST_FAILURE; + } + CHECK_CANCELED; + if(TPM_RC_SUCCESS != CryptEccValidateSignature(&testSig, &testObject, + (TPM2B_DIGEST *)&c_ecTestValue)) { + SELF_TEST_FAILURE; + } + CHECK_CANCELED; + return TPM_RC_SUCCESS; +} +/* 10.2.1.6.5 TestKDFa() */ + +static TPM_RC +TestKDFa( + ALGORITHM_VECTOR *toTest + ) +{ + static TPM2B_KDF_TEST_KEY keyOut; + UINT32 counter = 0; + // + CLEAR_BOTH(TPM_ALG_KDF1_SP800_108); + keyOut.t.size = CryptKDFa(KDF_TEST_ALG, &c_kdfTestKeyIn.b, &c_kdfTestLabel.b, + &c_kdfTestContextU.b, &c_kdfTestContextV.b, + TEST_KDF_KEY_SIZE * 8, keyOut.t.buffer, + &counter, FALSE); + if ( keyOut.t.size != TEST_KDF_KEY_SIZE + || !MemoryEqual(keyOut.t.buffer, c_kdfTestKeyOut.t.buffer, + TEST_KDF_KEY_SIZE)) + SELF_TEST_FAILURE; + return TPM_RC_SUCCESS; +} +/* 10.2.1.6.6 TestEcc() */ +static TPM_RC +TestEcc( + TPM_ALG_ID alg, + ALGORITHM_VECTOR *toTest + ) +{ + TPM_RC result = TPM_RC_SUCCESS; + NOT_REFERENCED(toTest); + switch(alg) + { + case TPM_ALG_ECC: + case TPM_ALG_ECDH: + // If this is in a loop then see if another test is going to deal with + // this. + // If toTest is not a self-test list + if((toTest == &g_toTest) + // or this is the only ECC test in the list + || !(TEST_BIT(TPM_ALG_ECDSA, *toTest) + || TEST_BIT(TPM_ALG_ECSCHNORR, *toTest) + || TEST_BIT(TPM_ALG_SM2, *toTest))) + { + result = TestECDH(alg, toTest); + } + break; + case TPM_ALG_ECDSA: + case TPM_ALG_ECSCHNORR: + case TPM_ALG_SM2: + result = TestEccSignAndVerify(alg, toTest); + break; + default: + SELF_TEST_FAILURE; + break; + } + return result; +} +#endif // TPM_ALG_ECC +/* 10.2.1.6.4 TestAlgorithm() */ +/* Dispatches to the correct test function for the algorithm or gets a list of testable + algorithms. */ +/* If toTest is not NULL, then the test decisions are based on the algorithm selections in + toTest. Otherwise, g_toTest is used. When bits are clear in g_toTest they will also be cleared + toTest. */ +/* If there doesn't happen to be a test for the algorithm, its associated bit is quietly cleared. */ +/* If alg is zero (TPM_ALG_ERROR), then the toTest vector is cleared of any bits for which there is + no test (i.e. no tests are actually run but the vector is cleared). */ +/* NOTE: toTest will only ever have bits set for implemented algorithms but alg can be anything. */ +/* Error Returns Meaning */ +/* TPM_RC_CANCELED test was canceled */ +LIB_EXPORT +TPM_RC +TestAlgorithm( + TPM_ALG_ID alg, + ALGORITHM_VECTOR *toTest + ) +{ + TPM_ALG_ID first = (alg == TPM_ALG_ERROR) ? TPM_ALG_FIRST : alg; + TPM_ALG_ID last = (alg == TPM_ALG_ERROR) ? TPM_ALG_LAST : alg; + BOOL doTest = (alg != TPM_ALG_ERROR); + TPM_RC result = TPM_RC_SUCCESS; + if(toTest == NULL) + toTest = &g_toTest; + // This is kind of strange. This function will either run a test of the selected + // algorithm or just clear a bit if there is no test for the algorithm. So, + // either this loop will be executed once for the selected algorithm or once for + // each of the possible algorithms. If it is executed more than once ('alg' == + // TPM_ALG_ERROR), then no test will be run but bits will be cleared for + // unimplemented algorithms. This was done this way so that there is only one + // case statement with all of the algorithms. It was easier to have one case + // statement than to have multiple ones to manage whenever an algorithm ID is + // added. + for(alg = first; (alg <= last); alg++) + { + // if 'alg' was TPM_ALG_ERROR, then we will be cycling through + // values, some of which may not be implemented. If the bit in toTest + // happens to be set, then we could either generated an assert, or just + // silently CLEAR it. Decided to just clear. + if(!TEST_BIT(alg, g_implementedAlgorithms)) + { + CLEAR_BIT(alg, *toTest); + continue; + } + // Process whatever is left. + // NOTE: since this switch will only be called if the algorithm is + // implemented, it is not necessary to modify this list except to comment + // out the algorithms for which there is no test + switch(alg) + { + // Symmetric block ciphers +#if ALG_AES + case TPM_ALG_AES: +// libtpms added begin +#if SMAC_IMPLEMENTED && ALG_CMAC + if (doTest) { + result = TestSMAC(toTest); + if (result != TPM_RC_SUCCESS) + break; + } +#endif +// libtpms added end +#endif +#if ALG_SM4 + // if SM4 is implemented, its test is like other block ciphers but there + // aren't any test vectors for it yet + // case TPM_ALG_SM4: +#endif +#if ALG_CAMELLIA + case TPM_ALG_CAMELLIA: // libtpms activated +#endif +#if ALG_TDES + case TPM_ALG_TDES: // libtpms added +#endif + // Symmetric modes +#if !ALG_CFB +# error CFB is required in all TPM implementations +#endif // !TPM_ALG_CFB + case TPM_ALG_CFB: + if(doTest) + result = TestSymmetric(alg, toTest); + break; +#if ALG_CTR + case TPM_ALG_CTR: +#endif // TPM_ALG_CRT +#if ALG_OFB + case TPM_ALG_OFB: +#endif // TPM_ALG_OFB +#if ALG_CBC + case TPM_ALG_CBC: +#endif // TPM_ALG_CBC +#if ALG_ECB + case TPM_ALG_ECB: +#endif + if(doTest) + result = TestSymmetric(alg, toTest); + else + // If doing the initialization of g_toTest vector, only need + // to test one of the modes for the symmetric algorithms. If + // initializing for a SelfTest(FULL_TEST), allow all the modes. + if(toTest == &g_toTest) + CLEAR_BIT(alg, *toTest); + break; +#if !ALG_HMAC +# error HMAC is required in all TPM implementations +#endif + case TPM_ALG_HMAC: + // Clear the bit that indicates that HMAC is required because + // HMAC is used as the basic test for all hash algorithms. + CLEAR_BOTH(alg); + // Testing HMAC means test the default hash + if(doTest) + TestHash(DEFAULT_TEST_HASH, toTest); + else + // If not testing, then indicate that the hash needs to be + // tested because this uses HMAC + SET_BOTH(DEFAULT_TEST_HASH); + break; + // Have to use two arguments for the macro even though only the first is used in the + // expansion. +#define HASH_CASE_TEST(HASH, hash) \ + case ALG_##HASH##_VALUE: + FOR_EACH_HASH(HASH_CASE_TEST) +#undef HASH_CASE_TEST + if(doTest) + result = TestHash(alg, toTest); + break; + // RSA-dependent +#if ALG_RSA + case TPM_ALG_RSA: + CLEAR_BOTH(alg); + if(doTest) + result = TestRsa(TPM_ALG_NULL, toTest); + else + SET_BOTH(TPM_ALG_NULL); + break; + case TPM_ALG_RSASSA: + case TPM_ALG_RSAES: + case TPM_ALG_RSAPSS: + case TPM_ALG_OAEP: + case TPM_ALG_NULL: // used or RSADP + if(doTest) + result = TestRsa(alg, toTest); + break; +#endif // ALG_RSA +#if ALG_KDF1_SP800_108 + case TPM_ALG_KDF1_SP800_108: + if(doTest) + result = TestKDFa(toTest); + break; +#endif // ALG_KDF1_SP800_108 +#if ALG_ECC + // ECC dependent but no tests + // case TPM_ALG_ECDAA: + // case TPM_ALG_ECMQV: + // case TPM_ALG_KDF1_SP800_56a: + // case TPM_ALG_KDF2: + // case TPM_ALG_MGF1: + case TPM_ALG_ECC: + CLEAR_BOTH(alg); + if(doTest) + result = TestEcc(TPM_ALG_ECDH, toTest); + else + SET_BOTH(TPM_ALG_ECDH); + break; + case TPM_ALG_ECDSA: + case TPM_ALG_ECDH: + case TPM_ALG_ECSCHNORR: + // case TPM_ALG_SM2: + if(doTest) + result = TestEcc(alg, toTest); + break; +#endif // ALG_ECC + default: + CLEAR_BIT(alg, *toTest); + break; + } + if(result != TPM_RC_SUCCESS) + break; + } + return result; +} +#endif // SELF_TESTS |