1 /* SPDX-License-Identifier: BSD-2-Clause */
2 /*******************************************************************************
3 * Copyright 2017-2018, Fraunhofer SIT sponsored by Infineon Technologies AG
4 * All rights reserved.
5 *******************************************************************************/
6
7 #ifdef HAVE_CONFIG_H
8 #include <config.h>
9 #endif
10
11 #include <stdlib.h>
12
13 #include "tss2_esys.h"
14
15 #include "esys_iutil.h"
16 #define LOGMODULE test
17 #include "util/log.h"
18 #include "util/aux_util.h"
19
20 /** This test is intended to test the change of an authorization value of
21 * a hierarchy.
22 *
23 * To check whether the change was successful a primary key is created
24 * with the handle of this hierarchy and the new authorization.
25 * Also second primary is created after a call of Esys_TR_SetAuth with
26 * the new auth value.
27 *
28 * Tested ESAPI commands:
29 * - Esys_CreatePrimary() (M)
30 * - Esys_FlushContext() (M)
31 * - Esys_HierarchyChangeAuth() (M)
32 *
33 * @param[in,out] esys_context The ESYS_CONTEXT.
34 * @retval EXIT_FAILURE
35 * @retval EXIT_SUCCESS
36 */
37
38 int
test_esys_hierarchychangeauth(ESYS_CONTEXT * esys_context)39 test_esys_hierarchychangeauth(ESYS_CONTEXT * esys_context)
40 {
41 TSS2_RC r;
42 ESYS_TR primaryHandle = ESYS_TR_NONE;
43 bool auth_changed = false;
44 ESYS_TR authHandle_handle = ESYS_TR_RH_OWNER;
45
46 TPM2B_PUBLIC *outPublic = NULL;
47 TPM2B_CREATION_DATA *creationData = NULL;
48 TPM2B_DIGEST *creationHash = NULL;
49 TPMT_TK_CREATION *creationTicket = NULL;
50
51 TPM2B_AUTH newAuth = {
52 .size = 5,
53 .buffer = {1, 2, 3, 4, 5}
54 };
55
56 TPM2B_AUTH emptyAuth = {
57 .size = 0,
58 .buffer = {}
59 };
60
61 r = Esys_HierarchyChangeAuth(esys_context,
62 authHandle_handle,
63 ESYS_TR_PASSWORD,
64 ESYS_TR_NONE,
65 ESYS_TR_NONE,
66 &newAuth);
67 goto_if_error(r, "Error: HierarchyChangeAuth", error);
68
69 auth_changed = true;
70
71 TPM2B_SENSITIVE_CREATE inSensitivePrimary = {
72 .size = 0,
73 .sensitive = {
74 .userAuth = {
75 .size = 0,
76 .buffer = {0 },
77 },
78 .data = {
79 .size = 0,
80 .buffer = {0},
81 },
82 },
83 };
84
85 TPM2B_PUBLIC inPublic = {
86 .size = 0,
87 .publicArea = {
88 .type = TPM2_ALG_RSA,
89 .nameAlg = TPM2_ALG_SHA256,
90 .objectAttributes = (TPMA_OBJECT_USERWITHAUTH |
91 TPMA_OBJECT_RESTRICTED |
92 TPMA_OBJECT_DECRYPT |
93 TPMA_OBJECT_FIXEDTPM |
94 TPMA_OBJECT_FIXEDPARENT |
95 TPMA_OBJECT_SENSITIVEDATAORIGIN),
96 .authPolicy = {
97 .size = 0,
98 },
99 .parameters.rsaDetail = {
100 .symmetric = {
101 .algorithm = TPM2_ALG_AES,
102 .keyBits.aes = 128,
103 .mode.aes = TPM2_ALG_CFB},
104 .scheme = {
105 .scheme = TPM2_ALG_NULL
106 },
107 .keyBits = 2048,
108 .exponent = 0,
109 },
110 .unique.rsa = {
111 .size = 0,
112 .buffer = {},
113 },
114 },
115 };
116 LOG_INFO("\nRSA key will be created.");
117
118 TPM2B_DATA outsideInfo = {
119 .size = 0,
120 .buffer = {},
121 };
122
123 TPML_PCR_SELECTION creationPCR = {
124 .count = 0,
125 };
126
127 goto_if_error(r, "Error: TR_SetAuth", error);
128
129 r = Esys_CreatePrimary(esys_context, ESYS_TR_RH_OWNER, ESYS_TR_PASSWORD,
130 ESYS_TR_NONE, ESYS_TR_NONE, &inSensitivePrimary, &inPublic,
131 &outsideInfo, &creationPCR, &primaryHandle,
132 &outPublic, &creationData, &creationHash,
133 &creationTicket);
134 goto_if_error(r, "Error esys create primary", error);
135
136 r = Esys_FlushContext(esys_context, primaryHandle);
137 goto_if_error(r, "Flushing context", error);
138
139 primaryHandle = ESYS_TR_NONE;
140
141 r = Esys_TR_SetAuth(esys_context, ESYS_TR_RH_OWNER, &newAuth);
142 goto_if_error(r, "Error SetAuth", error);
143
144 Esys_Free(outPublic);
145 Esys_Free(creationData);
146 Esys_Free(creationHash);
147 Esys_Free(creationTicket);
148
149 /* Check whether HierarchyChangeAuth with auth equal NULL works */
150
151 r = Esys_CreatePrimary(esys_context, ESYS_TR_RH_OWNER, ESYS_TR_PASSWORD,
152 ESYS_TR_NONE, ESYS_TR_NONE, &inSensitivePrimary, &inPublic,
153 &outsideInfo, &creationPCR, &primaryHandle,
154 &outPublic, &creationData, &creationHash,
155 &creationTicket);
156 goto_if_error(r, "Error esys create primary", error);
157
158 r = Esys_FlushContext(esys_context, primaryHandle);
159 goto_if_error(r, "Flushing context", error);
160
161 r = Esys_HierarchyChangeAuth(esys_context,
162 authHandle_handle,
163 ESYS_TR_PASSWORD,
164 ESYS_TR_NONE,
165 ESYS_TR_NONE,
166 NULL);
167 goto_if_error(r, "Error: HierarchyChangeAuth", error);
168
169 Esys_Free(outPublic);
170 Esys_Free(creationData);
171 Esys_Free(creationHash);
172 Esys_Free(creationTicket);
173 return EXIT_SUCCESS;
174
175 error:
176
177 if (primaryHandle != ESYS_TR_NONE) {
178 if (Esys_FlushContext(esys_context, primaryHandle) != TSS2_RC_SUCCESS) {
179 LOG_ERROR("Cleanup primaryHandle failed.");
180 }
181 }
182
183 if (auth_changed) {
184 if (Esys_TR_SetAuth(esys_context, ESYS_TR_RH_OWNER, &newAuth) != TSS2_RC_SUCCESS) {
185 LOG_ERROR("Error SetAuth");
186 }
187 if (Esys_HierarchyChangeAuth(esys_context,
188 authHandle_handle,
189 ESYS_TR_PASSWORD,
190 ESYS_TR_NONE,
191 ESYS_TR_NONE,
192 &emptyAuth) != TSS2_RC_SUCCESS) {
193 LOG_ERROR("Error: HierarchyChangeAuth");
194 }
195 }
196
197 Esys_Free(outPublic);
198 Esys_Free(creationData);
199 Esys_Free(creationHash);
200 Esys_Free(creationTicket);
201 return EXIT_FAILURE;
202 }
203
204 int
test_invoke_esapi(ESYS_CONTEXT * esys_context)205 test_invoke_esapi(ESYS_CONTEXT * esys_context) {
206 return test_esys_hierarchychangeauth(esys_context);
207 }
208