1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
|
# SPDX-License-Identifier: BSD-3-Clause
source helpers.sh
cleanup() {
rm -f primary.ctx decrypt.ctx key.pub key.priv key.name decrypt.out \
decrypt2.out encrypt.out encrypt2.out secret.dat secret2.dat \
iv.dat iv2.dat key128.ctx plain.dec128.tpm plain.dec256.tpm plain.enc128.tpm \
plain.enc256.tpm sym128.key key256.ctx plain.dec128.ssl plain.dec256.ssl \
plain.enc128.ssl plain.enc256.ssl plain.txt sym256.key
if [ "$1" != "no-shut-down" ]; then
shut_down
fi
}
trap cleanup EXIT
start_up
cleanup "no-shut-down"
if ! is_cmd_supported "EncryptDecrypt"; then
echo "Command EncryptDecrypt is not supported by your device, skipping..."
skip_test
fi
echo "12345678" > secret.dat
tpm2 clear -Q
tpm2 createprimary -Q -C e -g sha1 -G rsa -c primary.ctx
tpm2 create -Q -g sha256 -G aes -u key.pub -r key.priv -C primary.ctx
tpm2 load -Q -C primary.ctx -u key.pub -r key.priv -n key.name -c decrypt.ctx
tpm2 encryptdecrypt -Q -c decrypt.ctx -o encrypt.out secret.dat
tpm2 encryptdecrypt -Q -c decrypt.ctx -d -o decrypt.out encrypt.out
# Test using stdin/stdout
cat secret.dat | tpm2 encryptdecrypt -c decrypt.ctx | tpm2 encryptdecrypt \
-c decrypt.ctx -d > secret2.dat
# test using IVs
dd if=/dev/urandom of=iv.dat bs=16 count=1
cat secret.dat | tpm2 encryptdecrypt -c decrypt.ctx --iv iv.dat | \
tpm2 encryptdecrypt -c decrypt.ctx --iv iv.dat:iv2.dat -d > secret2.dat
cmp secret.dat secret2.dat
# Test using specified object modes
tpm2 create -Q -G aes128cbc -u key.pub -r key.priv -C primary.ctx
rm decrypt.ctx
tpm2 load -Q -C primary.ctx -u key.pub -r key.priv -n key.name -c decrypt.ctx
# We need to perform cbc on blocksize of 16
echo -n 1234567812345678 > secret.dat
# specified mode
tpm2 encryptdecrypt -Q -c decrypt.ctx -G cbc --iv=iv.dat -o encrypt.out \
secret.dat
# Unspecified mode (figure out via readpublic)
tpm2 encryptdecrypt -Q -d -c decrypt.ctx --iv iv.dat -o decrypt.out encrypt.out
cmp secret.dat decrypt.out
# Test that iv looping works
tpm2 encryptdecrypt -Q -c decrypt.ctx -G cbc --iv=iv.dat:iv2.dat \
-o encrypt.out secret.dat
tpm2 encryptdecrypt -Q -c decrypt.ctx -G cbc --iv=iv2.dat -o encrypt2.out \
secret.dat
tpm2 encryptdecrypt -Q -d -c decrypt.ctx --iv iv.dat -o decrypt.out encrypt.out
tpm2 encryptdecrypt -Q -d -c decrypt.ctx --iv iv2.dat -o decrypt2.out \
encrypt2.out
cmp secret.dat decrypt.out
cmp secret.dat decrypt2.out
# Test that input data sizes greater than TPM2_MAX_BUFFER or 1024 work
dd if=/dev/zero bs=1 count=2048 status=none of=secret2.dat
cat secret2.dat | tpm2 encryptdecrypt -Q -c decrypt.ctx -o encrypt.out
tpm2 encryptdecrypt -Q -c decrypt.ctx -d -o decrypt.out encrypt.out
cmp secret2.dat decrypt.out
# Test that last block in input data shorter than block length has pkcs7 padding
dd if=/dev/zero bs=1 count=2050 status=none of=secret2.dat
cat secret2.dat | tpm2 encryptdecrypt -Q -c decrypt.ctx -o encrypt.out -e
tpm2 encryptdecrypt -Q -c decrypt.ctx -d -o decrypt.out encrypt.out
## Last block is short 14 or hex 0E trailing bytes
echo 0e0e0e0e0e0e0e0e0e0e0e0e0e0e | xxd -r -p >> secret2.dat
cmp secret2.dat decrypt.out
# Test that pkcs7 padding is added as last block for block length aligned inputs
dd if=/dev/zero bs=1 count=2048 status=none of=secret2.dat
cat secret2.dat | tpm2 encryptdecrypt -Q -c decrypt.ctx -o encrypt.out -e
tpm2 encryptdecrypt -Q -c decrypt.ctx -d -o decrypt.out encrypt.out
## Last block is short 16 or hex 10 trailing bytes
echo 10101010101010101010101010101010 | xxd -r -p >> secret2.dat
cmp secret2.dat decrypt.out
# Test pkcs7 padding is stripped from input data is shorter than block length
dd if=/dev/zero bs=1 count=2050 status=none of=secret2.dat
cat secret2.dat | tpm2 encryptdecrypt -Q -c decrypt.ctx -o encrypt.out -e
tpm2 encryptdecrypt -Q -c decrypt.ctx -d -o decrypt.out -e encrypt.out
cmp secret2.dat decrypt.out
# Test pkcs7 padding is stripped after few blocks within the buffer.
dd if=/dev/zero bs=1 count=2114 status=none of=secret2.dat
cat secret2.dat | tpm2 encryptdecrypt -Q -c decrypt.ctx -o encrypt.out -e
tpm2 encryptdecrypt -Q -c decrypt.ctx -d -o decrypt.out -e encrypt.out
cmp secret2.dat decrypt.out
# Test that pkcs7 pad is stripped off last block for block length aligned inputs
dd if=/dev/zero bs=1 count=2048 status=none of=secret2.dat
cat secret2.dat | tpm2 encryptdecrypt -Q -c decrypt.ctx -o encrypt.out -e
tpm2 encryptdecrypt -Q -c decrypt.ctx -d -o decrypt.out -e encrypt.out
cmp secret2.dat decrypt.out
# Test pkcs7 padding larger than block size is ignored
dd if=/dev/zero bs=1 count=48 status=none of=secret2.dat
echo ffffffffffffffffffffffffffffffff | xxd -r -p >> secret2.dat
cat secret2.dat | tpm2 encryptdecrypt -Q -c decrypt.ctx -o encrypt.out
tpm2 encryptdecrypt -Q -c decrypt.ctx -d -o decrypt.out -e encrypt.out
cmp secret2.dat decrypt.out
# Test inconsistent pkcs7 padding is ignored
dd if=/dev/zero bs=1 count=48 status=none of=secret2.dat
echo 0102030405060708090a0b0c0d0e0f10 | xxd -r -p >> secret2.dat
cat secret2.dat | tpm2 encryptdecrypt -Q -c decrypt.ctx -o encrypt.out
tpm2 encryptdecrypt -Q -c decrypt.ctx -d -o decrypt.out -e encrypt.out
cmp secret2.dat decrypt.out
# Negative that bad mode fails
trap - ERR
# mode CFB should fail, since the object was explicitly created with mode CBC
tpm2 encryptdecrypt -Q -c decrypt.ctx -G cfb --iv=iv.dat -o encrypt.out \
secret.dat
# set the error handler for checking interoperability with openssl
trap onerror ERR
# Testing interoperability with openssl - Also exercises PKCS7 padding
dd if=/dev/urandom of=sym128.key bs=1 count=16
dd if=/dev/urandom of=sym256.key bs=1 count=32
tpm2 loadexternal -C n -G aes -r sym128.key -c key128.ctx
tpm2 loadexternal -C n -G aes -r sym256.key -c key256.ctx
echo "plaintext" > plain.txt
## Encrypt with ossl and tpm for cbc mode that requires padding
### Key size = 128
openssl enc -in plain.txt -out plain.enc128.ssl -K `xxd -c 128 -p sym128.key` \
-aes-128-cbc -iv 0
tpm2 encryptdecrypt -c key128.ctx -o plain.enc128.tpm -e -G cbc plain.txt
diff plain.enc128.ssl plain.enc128.tpm
### Key size = 256
openssl enc -in plain.txt -out plain.enc256.ssl -K `xxd -c 256 -p sym256.key` \
-aes-256-cbc -iv 0
tpm2 encryptdecrypt -c key256.ctx -o plain.enc256.tpm -e -G cbc plain.txt
diff plain.enc256.ssl plain.enc256.tpm
## Decrypt ciphertext from tpm in openssl and vice versa
### Key size = 128
tpm2 encryptdecrypt -c key128.ctx -o plain.dec128.tpm -e \
-G cbc -d plain.enc128.ssl
diff plain.dec128.tpm plain.txt
openssl enc -d -in plain.enc128.tpm -out plain.dec128.ssl -aes-128-cbc -iv 0 \
-K `xxd -c 128 -p sym128.key`
diff plain.dec128.ssl plain.txt
### Key size = 256
tpm2 encryptdecrypt -c key256.ctx -o plain.dec256.tpm -e \
-G cbc -d plain.enc256.ssl
diff plain.dec256.tpm plain.txt
openssl enc -d -in plain.enc256.tpm -out plain.dec256.ssl -aes-256-cbc -iv 0 \
-K `xxd -c 256 -p sym256.key`
diff plain.dec256.ssl plain.txt
## Encrypt with ossl and tpm for cfb mode that does not apply padding
### Key size = 128
openssl enc -in plain.txt -out plain.enc128.ssl -K `xxd -c 128 -p sym128.key` \
-aes-128-cfb -iv 0
tpm2 encryptdecrypt -c key128.ctx -o plain.enc128.tpm -G cfb plain.txt
diff plain.enc128.ssl plain.enc128.tpm
### Key size = 256
openssl enc -in plain.txt -out plain.enc256.ssl -K `xxd -c 256 -p sym256.key` \
-aes-256-cfb -iv 0
tpm2 encryptdecrypt -c key256.ctx -o plain.enc256.tpm -G cfb plain.txt
diff plain.enc256.ssl plain.enc256.tpm
## Decrypt ciphertext from tpm in openssl and vice versa
### Key size = 128
tpm2 encryptdecrypt -c key128.ctx -o plain.dec128.tpm \
-G cfb -d plain.enc128.ssl
diff plain.dec128.tpm plain.txt
openssl enc -d -in plain.enc128.tpm -out plain.dec128.ssl -aes-128-cfb -iv 0 \
-K `xxd -c 128 -p sym128.key`
diff plain.dec128.ssl plain.txt
### Key size = 256
tpm2 encryptdecrypt -c key256.ctx -o plain.dec256.tpm \
-G cfb -d plain.enc256.ssl
diff plain.dec256.tpm plain.txt
openssl enc -d -in plain.enc256.tpm -out plain.dec256.ssl -aes-256-cfb -iv 0 \
-K `xxd -c 256 -p sym256.key`
diff plain.dec256.ssl plain.txt
exit 0
|
