2 * Copyright (c) 2015 TRUSTONIC LIMITED
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions are met:
8 * 1. Redistributions of source code must retain the above copyright notice,
9 * this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the TRUSTONIC LIMITED nor the names of its
16 * contributors may be used to endorse or promote products derived from
17 * this software without specific prior written permission.
19 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
21 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
22 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
23 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
24 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
25 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
26 * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
27 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
28 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
29 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
32 #include <hardware/keymaster1.h>
35 #include "test_km_aes.h"
36 #include "test_km_util.h"
40 #define LOG_TAG "TlcTeeKeyMasterTest"
43 static keymaster_error_t
test_km_aes_roundtrip(
44 keymaster1_device_t
*device
,
45 const keymaster_key_blob_t
*key_blob
,
46 keymaster_block_mode_t mode
,
50 keymaster_error_t res
= KM_ERROR_OK
;
51 keymaster_key_param_t key_param
[2];
52 keymaster_key_param_set_t paramset
= {key_param
, 0};
53 keymaster_operation_handle_t handle
;
54 keymaster_blob_t nonce
;
55 uint8_t nonce_bytes
[16];
57 keymaster_blob_t input_blob
= {0, 0};
58 keymaster_blob_t enc_output1
= {0, 0};
59 keymaster_blob_t enc_output2
= {0, 0};
60 keymaster_blob_t dec_output1
= {0, 0};
61 keymaster_blob_t dec_output2
= {0, 0};
62 size_t input_consumed
= 0;
64 assert(msg_part1_len
+ msg_part2_len
<= 64);
66 /* populate input message */
67 memset(input
, 7, sizeof(input
));
70 memset(nonce_bytes
, 3, 16);
71 nonce
.data
= &nonce_bytes
[0];
72 nonce
.data_length
= (mode
== KM_MODE_GCM
) ? 12 : 16;
74 key_param
[0].tag
= KM_TAG_BLOCK_MODE
;
75 key_param
[0].enumerated
= mode
;
76 key_param
[1].tag
= KM_TAG_NONCE
; // ignored for ECB
77 key_param
[1].blob
= nonce
;
79 CHECK_RESULT_OK(device
->begin(device
,
83 NULL
, // no out_params
86 input_blob
.data
= &input
[0];
87 input_blob
.data_length
= msg_part1_len
;
88 CHECK_RESULT_OK(device
->update(device
,
91 &input_blob
, // first half of message
93 NULL
, // no out_params
95 CHECK_TRUE(input_consumed
== msg_part1_len
);
96 CHECK_TRUE(enc_output1
.data_length
== msg_part1_len
);
98 input_blob
.data
= input
+ msg_part1_len
;
99 input_blob
.data_length
= msg_part2_len
;
100 CHECK_RESULT_OK(device
->update(device
,
103 &input_blob
, // second half of message
105 NULL
, // no out_params
107 CHECK_TRUE(input_consumed
== msg_part2_len
);
108 CHECK_TRUE(enc_output2
.data_length
== msg_part2_len
);
110 CHECK_RESULT_OK(device
->finish(device
,
113 NULL
, // no signature
114 NULL
, // no out_params
117 // key_params as for encrypt above
118 CHECK_RESULT_OK(device
->begin(device
,
122 NULL
, // no out_params
125 CHECK_RESULT_OK(device
->update(device
,
128 &enc_output1
, // first half of ciphertext
130 NULL
, // no out_params
132 CHECK_TRUE(input_consumed
== msg_part1_len
);
133 CHECK_TRUE(dec_output1
.data_length
== msg_part1_len
);
135 CHECK_RESULT_OK(device
->update(device
,
138 &enc_output2
, // second half of ciphertext
140 NULL
, // no out_params
142 CHECK_TRUE(input_consumed
== msg_part2_len
);
143 CHECK_TRUE(dec_output2
.data_length
== msg_part2_len
);
145 CHECK_RESULT_OK(device
->finish(device
,
148 NULL
, // no signature
149 NULL
, // no out_params
152 CHECK_TRUE((memcmp(&input
[0], dec_output1
.data
, msg_part1_len
) == 0) &&
153 (memcmp(&input
[msg_part1_len
], dec_output2
.data
, msg_part2_len
) == 0));
156 km_free_blob(&enc_output1
);
157 km_free_blob(&enc_output2
);
158 km_free_blob(&dec_output1
);
159 km_free_blob(&dec_output2
);
164 static keymaster_error_t
test_km_aes_roundtrip_noncegen(
165 keymaster1_device_t
*device
,
166 const keymaster_key_blob_t
*key_blob
,
167 keymaster_block_mode_t mode
)
169 keymaster_error_t res
= KM_ERROR_OK
;
170 keymaster_key_param_t param
[2];
171 keymaster_key_param_set_t paramset
= {param
, 0};
172 keymaster_key_param_set_t out_paramset
= {NULL
, 0};
173 keymaster_operation_handle_t handle
;
175 keymaster_blob_t input_blob
= {input
, sizeof(input
)};
176 keymaster_blob_t enc_output
= {0, 0};
177 keymaster_blob_t enc_output1
= {0, 0};
178 keymaster_blob_t dec_output
= {0, 0};
179 size_t input_consumed
= 0;
180 keymaster_blob_t nonce
;
181 uint8_t nonce_bytes
[16];
183 /* populate input message */
184 memset(input
, 7, sizeof(input
));
186 /* initialize nonce */
187 nonce
.data
= nonce_bytes
;
188 nonce
.data_length
= (mode
== KM_MODE_GCM
) ? 12 : 16;
190 param
[0].tag
= KM_TAG_BLOCK_MODE
;
191 param
[0].enumerated
= mode
;
193 CHECK_RESULT_OK(device
->begin(device
,
194 KM_PURPOSE_ENCRYPT
, key_blob
, ¶mset
, &out_paramset
, &handle
));
195 CHECK_TRUE(out_paramset
.length
== 1);
196 CHECK_TRUE(out_paramset
.params
[0].tag
== KM_TAG_NONCE
);
197 CHECK_TRUE(out_paramset
.params
[0].blob
.data_length
== 16);
198 memcpy(nonce_bytes
, out_paramset
.params
[0].blob
.data
, 16);
200 CHECK_RESULT_OK(device
->update(device
,
201 handle
, NULL
, &input_blob
, &input_consumed
, NULL
, &enc_output
));
202 CHECK_TRUE(input_consumed
== sizeof(input
));
203 CHECK_TRUE(enc_output
.data_length
== sizeof(input
));
205 CHECK_RESULT_OK(device
->finish(device
,
206 handle
, NULL
, NULL
, NULL
, NULL
));
208 // Try again supplying same nonce -- should get same ciphertext.
209 param
[1].tag
= KM_TAG_NONCE
;
210 param
[1].blob
= nonce
;
212 CHECK_RESULT_OK(device
->begin(device
,
213 KM_PURPOSE_ENCRYPT
, key_blob
, ¶mset
, NULL
, &handle
));
215 CHECK_RESULT_OK(device
->update(device
,
216 handle
, NULL
, &input_blob
, &input_consumed
, NULL
, &enc_output1
));
217 CHECK_TRUE(input_consumed
== sizeof(input
));
218 CHECK_TRUE(enc_output1
.data_length
== sizeof(input
));
219 CHECK_TRUE(memcmp(enc_output
.data
, enc_output1
.data
, sizeof(input
)) == 0);
221 CHECK_RESULT_OK(device
->finish(device
,
222 handle
, NULL
, NULL
, NULL
, NULL
));
225 CHECK_RESULT_OK(device
->begin(device
,
226 KM_PURPOSE_DECRYPT
, key_blob
, ¶mset
, NULL
, &handle
));
228 CHECK_RESULT_OK(device
->update(device
,
229 handle
, NULL
, &enc_output
, &input_consumed
, NULL
, &dec_output
));
230 CHECK_TRUE(input_consumed
== sizeof(input
));
231 CHECK_TRUE(dec_output
.data_length
== sizeof(input
));
233 CHECK_RESULT_OK(device
->finish(device
,
234 handle
, NULL
, NULL
, NULL
, NULL
));
236 CHECK_TRUE(memcmp(input
, dec_output
.data
, sizeof(input
)) == 0);
239 km_free_blob(&enc_output
);
240 km_free_blob(&enc_output1
);
241 km_free_blob(&dec_output
);
242 keymaster_free_param_set(&out_paramset
);
247 static keymaster_error_t
test_km_aes_gcm_roundtrip_noncegen(
248 keymaster1_device_t
*device
,
249 const keymaster_key_blob_t
*key_blob
)
251 keymaster_error_t res
= KM_ERROR_OK
;
252 keymaster_key_param_t param
[3];
253 keymaster_key_param_set_t paramset
= {param
, 0};
254 keymaster_key_param_set_t out_paramset
= {NULL
, 0};
255 keymaster_operation_handle_t handle
;
257 keymaster_blob_t input_blob
= {input
, sizeof(input
)};
258 keymaster_blob_t enc_output
= {0, 0};
259 keymaster_blob_t enc_output1
= {0, 0};
260 keymaster_blob_t dec_output
= {0, 0};
261 keymaster_blob_t dec_final_output
= {0, 0};
262 keymaster_blob_t tag
= {0, 0};
263 keymaster_blob_t tag1
= {0, 0};
264 size_t input_consumed
= 0;
265 keymaster_blob_t nonce
;
266 uint8_t nonce_bytes
[12];
268 /* populate input message */
269 memset(input
, 7, sizeof(input
));
271 /* initialize nonce */
272 nonce
.data
= nonce_bytes
;
273 nonce
.data_length
= sizeof(nonce_bytes
);
275 param
[0].tag
= KM_TAG_BLOCK_MODE
;
276 param
[0].enumerated
= KM_MODE_GCM
;
277 param
[1].tag
= KM_TAG_MAC_LENGTH
;
278 param
[1].integer
= 128;
280 CHECK_RESULT_OK(device
->begin(device
,
281 KM_PURPOSE_ENCRYPT
, key_blob
, ¶mset
, &out_paramset
, &handle
));
282 CHECK_TRUE(out_paramset
.length
== 1);
283 CHECK_TRUE(out_paramset
.params
[0].tag
== KM_TAG_NONCE
);
284 CHECK_TRUE(out_paramset
.params
[0].blob
.data_length
== 12);
285 memcpy(nonce_bytes
, out_paramset
.params
[0].blob
.data
, 12);
287 CHECK_RESULT_OK(device
->update(device
,
288 handle
, NULL
, &input_blob
, &input_consumed
, NULL
, &enc_output
));
289 CHECK_TRUE(input_consumed
== sizeof(input
));
291 CHECK_RESULT_OK(device
->finish(device
,
292 handle
, NULL
, NULL
, NULL
, &tag
));
294 // Try again supplying same nonce -- should get same ciphertext.
295 param
[2].tag
= KM_TAG_NONCE
;
296 param
[2].blob
= nonce
;
298 CHECK_RESULT_OK(device
->begin(device
,
299 KM_PURPOSE_ENCRYPT
, key_blob
, ¶mset
, NULL
, &handle
));
301 CHECK_RESULT_OK(device
->update(device
,
302 handle
, NULL
, &input_blob
, &input_consumed
, NULL
, &enc_output1
));
303 CHECK_TRUE(input_consumed
== sizeof(input
));
305 (enc_output
.data_length
== enc_output1
.data_length
) &&
306 (memcmp(enc_output
.data
, enc_output1
.data
, enc_output
.data_length
) == 0));
308 CHECK_RESULT_OK(device
->finish(device
,
309 handle
, NULL
, NULL
, NULL
, &tag1
));
311 (tag
.data_length
== tag1
.data_length
) &&
312 (memcmp(tag
.data
, tag1
.data
, tag
.data_length
) == 0));
315 CHECK_RESULT_OK(device
->begin(device
,
316 KM_PURPOSE_DECRYPT
, key_blob
, ¶mset
, NULL
, &handle
));
318 CHECK_RESULT_OK(device
->update(device
,
319 handle
, NULL
, &enc_output
, &input_consumed
, NULL
, &dec_output
));
320 CHECK_TRUE(input_consumed
== sizeof(input
));
322 CHECK_RESULT_OK(device
->update(device
,
323 handle
, NULL
, &tag
, &input_consumed
, NULL
, &dec_final_output
));
324 CHECK_TRUE(input_consumed
== tag
.data_length
);
326 CHECK_RESULT_OK(device
->finish(device
,
327 handle
, NULL
, NULL
, NULL
, NULL
));
330 (dec_output
.data_length
+ dec_final_output
.data_length
== sizeof(input
)) &&
331 (memcmp(&input
[0], dec_output
.data
, dec_output
.data_length
) == 0) &&
332 (memcmp(&input
[dec_output
.data_length
], dec_final_output
.data
, dec_final_output
.data_length
) == 0));
335 km_free_blob(&enc_output
);
336 km_free_blob(&enc_output1
);
337 km_free_blob(&dec_output
);
338 km_free_blob(&dec_final_output
);
341 keymaster_free_param_set(&out_paramset
);
346 static keymaster_error_t
test_km_aes_pkcs7(
347 keymaster1_device_t
*device
,
348 const keymaster_key_blob_t
*key_blob
,
349 keymaster_block_mode_t mode
,
352 keymaster_error_t res
= KM_ERROR_OK
;
353 keymaster_key_param_t key_param
[3];
354 keymaster_key_param_set_t paramset
= {key_param
, 0};
355 keymaster_operation_handle_t handle
;
356 keymaster_blob_t nonce
;
357 uint8_t nonce_bytes
[16];
359 keymaster_blob_t input_blob
= {0, 0};
360 keymaster_blob_t enc_output
= {0, 0};
361 keymaster_blob_t enc_output1
= {0, 0};
362 keymaster_blob_t dec_output
= {0, 0};
363 keymaster_blob_t dec_output1
= {0, 0};
364 keymaster_blob_t dec_output2
= {0, 0};
365 size_t input_consumed
= 0;
367 assert(message_len
<= 64);
369 /* populate input message */
370 memset(input
, 7, sizeof(input
));
373 memset(nonce_bytes
, 3, sizeof(nonce_bytes
));
374 nonce
.data
= nonce_bytes
;
375 nonce
.data_length
= sizeof(nonce_bytes
);
377 key_param
[0].tag
= KM_TAG_BLOCK_MODE
;
378 key_param
[0].enumerated
= mode
;
379 key_param
[1].tag
= KM_TAG_NONCE
; // ignored for ECB
380 key_param
[1].blob
= nonce
;
381 key_param
[2].tag
= KM_TAG_PADDING
;
382 key_param
[2].enumerated
= KM_PAD_PKCS7
;
385 CHECK_RESULT_OK(device
->begin(device
,
386 KM_PURPOSE_ENCRYPT
, key_blob
, ¶mset
, NULL
, &handle
));
388 input_blob
.data
= input
;
389 input_blob
.data_length
= message_len
;
390 CHECK_RESULT_OK(device
->update(device
,
391 handle
, NULL
, &input_blob
, &input_consumed
, NULL
, &enc_output
));
392 CHECK_TRUE(input_consumed
== message_len
);
394 CHECK_RESULT_OK(device
->finish(device
,
395 handle
, NULL
, NULL
, NULL
, &enc_output1
));
396 CHECK_TRUE((enc_output
.data_length
+ enc_output1
.data_length
> message_len
) &&
397 (enc_output
.data_length
+ enc_output1
.data_length
<= message_len
+ 16) &&
398 ((enc_output
.data_length
+ enc_output1
.data_length
) % 16 == 0));
400 // key_params as for encrypt above
401 CHECK_RESULT_OK(device
->begin(device
,
402 KM_PURPOSE_DECRYPT
, key_blob
, ¶mset
, NULL
, &handle
));
404 CHECK_RESULT_OK(device
->update(device
,
405 handle
, NULL
, &enc_output
, &input_consumed
, NULL
, &dec_output
));
406 CHECK_TRUE(input_consumed
== enc_output
.data_length
);
408 CHECK_RESULT_OK(device
->update(device
,
409 handle
, NULL
, &enc_output1
, &input_consumed
, NULL
, &dec_output1
));
410 CHECK_TRUE(input_consumed
== enc_output1
.data_length
);
412 CHECK_RESULT_OK(device
->finish(device
,
413 handle
, NULL
, NULL
, NULL
, &dec_output2
));
415 CHECK_TRUE(dec_output
.data_length
+ dec_output1
.data_length
+ dec_output2
.data_length
== message_len
);
416 CHECK_TRUE((memcmp(input
, dec_output
.data
, dec_output
.data_length
) == 0) &&
417 (memcmp(input
+ dec_output
.data_length
, dec_output1
.data
, dec_output1
.data_length
) == 0) &&
418 (memcmp(input
+ dec_output
.data_length
+ dec_output1
.data_length
, dec_output2
.data
, dec_output2
.data_length
) == 0));
421 km_free_blob(&enc_output
);
422 km_free_blob(&enc_output1
);
423 km_free_blob(&dec_output
);
424 km_free_blob(&dec_output1
);
425 km_free_blob(&dec_output2
);
430 static keymaster_error_t
test_km_aes_gcm_roundtrip(
431 keymaster1_device_t
*device
,
432 const keymaster_key_blob_t
*key_blob
,
434 size_t msg_part1_len
,
435 size_t msg_part2_len
)
437 keymaster_error_t res
= KM_ERROR_OK
;
438 keymaster_key_param_t key_param
[4];
439 keymaster_key_param_set_t paramset
= {key_param
, 0};
440 keymaster_operation_handle_t handle
;
441 keymaster_blob_t nonce
;
442 uint8_t nonce_bytes
[12];
443 keymaster_blob_t aad
;
444 uint8_t aad_bytes
[23];
446 keymaster_blob_t input_blob
= {0, 0};
447 keymaster_blob_t enc_output1
= {0, 0};
448 keymaster_blob_t enc_output2
= {0, 0};
449 keymaster_blob_t enc_output3
= {0, 0};
450 keymaster_blob_t dec_output1
= {0, 0};
451 keymaster_blob_t dec_output2
= {0, 0};
452 keymaster_blob_t dec_output3
= {0, 0};
453 size_t input_consumed
= 0;
455 LOG_I("Using %u-bit tag ...", tagsize
);
457 assert(msg_part1_len
+ msg_part2_len
<= 64);
459 /* populate input message */
460 memset(input
, 7, sizeof(input
));
463 memset(nonce_bytes
, 3, sizeof(nonce_bytes
));
464 nonce
.data
= &nonce_bytes
[0];
465 nonce
.data_length
= sizeof(nonce_bytes
);
468 memset(aad_bytes
, 11, sizeof(aad_bytes
));
469 aad
.data
= &aad_bytes
[0];
470 aad
.data_length
= sizeof(aad_bytes
);
472 key_param
[0].tag
= KM_TAG_BLOCK_MODE
;
473 key_param
[0].enumerated
= KM_MODE_GCM
;
474 key_param
[1].tag
= KM_TAG_NONCE
;
475 key_param
[1].blob
= nonce
;
476 key_param
[2].tag
= KM_TAG_MAC_LENGTH
;
477 key_param
[2].integer
= tagsize
;
479 CHECK_RESULT_OK(device
->begin(device
,
483 NULL
, // no out_params
486 input_blob
.data
= &input
[0];
487 input_blob
.data_length
= msg_part1_len
;
488 key_param
[0].tag
= KM_TAG_ASSOCIATED_DATA
;
489 key_param
[0].blob
= aad
;
491 CHECK_RESULT_OK(device
->update(device
,
494 &input_blob
, // first half of message
496 NULL
, // no out_params
498 CHECK_TRUE(input_consumed
== msg_part1_len
);
500 input_blob
.data
= &input
[msg_part1_len
];
501 input_blob
.data_length
= msg_part2_len
;
502 CHECK_RESULT_OK(device
->update(device
,
505 &input_blob
, // second half of message
509 CHECK_TRUE(input_consumed
== msg_part2_len
);
511 CHECK_RESULT_OK(device
->finish(device
,
514 NULL
, // no signature
515 NULL
, // no out_params
517 CHECK_TRUE(enc_output1
.data_length
+ enc_output2
.data_length
+ enc_output3
.data_length
== msg_part1_len
+ msg_part2_len
+ tagsize
/8);
519 key_param
[0].tag
= KM_TAG_BLOCK_MODE
;
520 key_param
[0].enumerated
= KM_MODE_GCM
;
522 CHECK_RESULT_OK(device
->begin(device
,
525 ¶mset
, // as for 'begin encrypt' above
526 NULL
, // no out_params
529 key_param
[0].tag
= KM_TAG_ASSOCIATED_DATA
;
530 key_param
[0].blob
= aad
;
532 CHECK_RESULT_OK(device
->update(device
,
534 ¶mset
, // as for 'update encrypt (1)' above
535 &enc_output1
, // first half of ciphertext
537 NULL
, // no out_params
539 CHECK_TRUE(input_consumed
== enc_output1
.data_length
);
541 CHECK_RESULT_OK(device
->update(device
,
544 &enc_output2
, // second half of ciphertext
546 NULL
, // no out_params
548 CHECK_TRUE(input_consumed
== enc_output2
.data_length
);
550 CHECK_RESULT_OK(device
->update(device
,
551 handle
, NULL
, &enc_output3
, &input_consumed
, NULL
, &dec_output3
));
552 CHECK_TRUE(input_consumed
== enc_output3
.data_length
);
554 CHECK_RESULT_OK(device
->finish(device
,
557 NULL
, // no signature
558 NULL
, // no out_params
561 CHECK_TRUE((dec_output1
.data_length
+ dec_output2
.data_length
+ dec_output3
.data_length
== msg_part1_len
+ msg_part2_len
) &&
562 (memcmp(&input
[0], dec_output1
.data
, dec_output1
.data_length
) == 0) &&
563 (memcmp(&input
[dec_output1
.data_length
], dec_output2
.data
, dec_output2
.data_length
) == 0) &&
564 (memcmp(&input
[dec_output1
.data_length
+ dec_output2
.data_length
], dec_output3
.data
, dec_output3
.data_length
) == 0));
567 km_free_blob(&enc_output1
);
568 km_free_blob(&enc_output2
);
569 km_free_blob(&enc_output3
);
570 km_free_blob(&dec_output1
);
571 km_free_blob(&dec_output2
);
572 km_free_blob(&dec_output3
);
578 * Update AAD twice, then update cipher twice, each time with a single byte.
580 static keymaster_error_t
test_km_aes_gcm_roundtrip_incr(
581 keymaster1_device_t
*device
,
582 const keymaster_key_blob_t
*key_blob
)
584 keymaster_error_t res
= KM_ERROR_OK
;
585 keymaster_key_param_t param
[4];
586 keymaster_key_param_set_t paramset
= {param
, 0};
587 keymaster_operation_handle_t handle
;
588 keymaster_blob_t nonce
;
589 uint8_t nonce_bytes
[12];
590 keymaster_blob_t aad
;
591 uint8_t aad_byte
= 11;
592 uint8_t input_byte
= 7;
593 keymaster_blob_t input_blob
= {0, 0};
594 keymaster_blob_t enc_output1
= {0, 0};
595 keymaster_blob_t enc_output2
= {0, 0};
596 keymaster_blob_t enc_output3
= {0, 0};
597 keymaster_blob_t dec_output1
= {0, 0};
598 keymaster_blob_t dec_output2
= {0, 0};
599 keymaster_blob_t dec_output3
= {0, 0};
600 size_t input_consumed
= 0;
602 /* populate input blob */
603 input_blob
.data
= &input_byte
;
604 input_blob
.data_length
= 1;
607 memset(nonce_bytes
, 3, sizeof(nonce_bytes
));
608 nonce
.data
= &nonce_bytes
[0];
609 nonce
.data_length
= sizeof(nonce_bytes
);
612 aad
.data
= &aad_byte
;
616 param
[0].tag
= KM_TAG_BLOCK_MODE
;
617 param
[0].enumerated
= KM_MODE_GCM
;
618 param
[1].tag
= KM_TAG_NONCE
;
619 param
[1].blob
= nonce
;
620 param
[2].tag
= KM_TAG_MAC_LENGTH
;
621 param
[2].integer
= 128;
623 CHECK_RESULT_OK(device
->begin(device
,
624 KM_PURPOSE_ENCRYPT
, key_blob
, ¶mset
, NULL
, &handle
));
626 /* update AAD (twice) */
627 param
[0].tag
= KM_TAG_ASSOCIATED_DATA
;
630 for (int i
= 0; i
< 2; i
++) {
631 CHECK_RESULT_OK(device
->update(device
,
632 handle
, ¶mset
, NULL
, &input_consumed
, NULL
, NULL
));
633 CHECK_TRUE(input_consumed
== 0);
636 /* update cipher (twice) */
637 CHECK_RESULT_OK(device
->update(device
,
638 handle
, NULL
, &input_blob
, &input_consumed
, NULL
, &enc_output1
));
639 CHECK_TRUE(input_consumed
== 1);
640 CHECK_RESULT_OK(device
->update(device
,
641 handle
, NULL
, &input_blob
, &input_consumed
, NULL
, &enc_output2
));
642 CHECK_TRUE(input_consumed
== 1);
645 CHECK_RESULT_OK(device
->finish(device
,
646 handle
, NULL
, NULL
, NULL
, &enc_output3
));
647 CHECK_TRUE(enc_output1
.data_length
+ enc_output2
.data_length
+ enc_output3
.data_length
== 2 + 16);
650 param
[0].tag
= KM_TAG_BLOCK_MODE
;
651 param
[0].enumerated
= KM_MODE_GCM
;
653 CHECK_RESULT_OK(device
->begin(device
,
654 KM_PURPOSE_DECRYPT
, key_blob
, ¶mset
, NULL
, &handle
));
656 /* update AAD (twice) */
657 param
[0].tag
= KM_TAG_ASSOCIATED_DATA
;
660 for (int i
= 0; i
< 2; i
++) {
661 CHECK_RESULT_OK(device
->update(device
,
662 handle
, ¶mset
, NULL
, &input_consumed
, NULL
, NULL
));
663 CHECK_TRUE(input_consumed
== 0);
666 /* update cipher (three times) */
667 CHECK_RESULT_OK(device
->update(device
,
668 handle
, NULL
, &enc_output1
, &input_consumed
, NULL
, &dec_output1
));
669 CHECK_TRUE(input_consumed
== enc_output1
.data_length
);
670 CHECK_RESULT_OK(device
->update(device
,
671 handle
, NULL
, &enc_output2
, &input_consumed
, NULL
, &dec_output2
));
672 CHECK_TRUE(input_consumed
== enc_output2
.data_length
);
673 CHECK_RESULT_OK(device
->update(device
,
674 handle
, NULL
, &enc_output3
, &input_consumed
, NULL
, &dec_output3
));
675 CHECK_TRUE(input_consumed
== enc_output3
.data_length
);
678 CHECK_RESULT_OK(device
->finish(device
,
679 handle
, NULL
, NULL
, NULL
, NULL
));
682 km_free_blob(&enc_output1
);
683 km_free_blob(&enc_output2
);
684 km_free_blob(&enc_output3
);
685 km_free_blob(&dec_output1
);
686 km_free_blob(&dec_output2
);
687 km_free_blob(&dec_output3
);
692 keymaster_error_t
test_km_aes_import(
693 keymaster1_device_t
*device
)
695 keymaster_error_t res
= KM_ERROR_OK
;
696 keymaster_key_param_t key_param
[5];
697 keymaster_key_param_set_t paramset
= {key_param
, 0};
698 keymaster_key_blob_t key_blob
= {0, 0};
699 keymaster_operation_handle_t handle
;
700 keymaster_blob_t enc_output1
= {0, 0};
701 size_t input_consumed
= 0;
703 /* First NIST test vector from ECBVarKey128.rsp
704 http://csrc.nist.gov/groups/STM/cavp/documents/aes/KAT_AES.zip
705 KEY = 80000000000000000000000000000000
706 PLAINTEXT = 00000000000000000000000000000000
707 CIPHERTEXT = 0edd33d3c621e546455bd8ba1418bec8
710 const uint8_t key
[16] = {
711 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
712 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
713 const uint8_t plaintext
[16] = {
714 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
715 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
716 const uint8_t ciphertext
[16] = {
717 0x0e, 0xdd, 0x33, 0xd3, 0xc6, 0x21, 0xe5, 0x46,
718 0x45, 0x5b, 0xd8, 0xba, 0x14, 0x18, 0xbe, 0xc8};
720 const keymaster_blob_t key_data
= {key
, sizeof(key
)};
721 const keymaster_blob_t plainblob
= {plaintext
, sizeof(plaintext
)};
723 key_param
[0].tag
= KM_TAG_ALGORITHM
;
724 key_param
[0].enumerated
= KM_ALGORITHM_AES
;
725 key_param
[1].tag
= KM_TAG_KEY_SIZE
;
726 key_param
[1].integer
= 128;
727 key_param
[2].tag
= KM_TAG_NO_AUTH_REQUIRED
;
728 key_param
[2].boolean
= true;
729 key_param
[3].tag
= KM_TAG_PURPOSE
;
730 key_param
[3].enumerated
= KM_PURPOSE_ENCRYPT
;
731 key_param
[4].tag
= KM_TAG_BLOCK_MODE
;
732 key_param
[4].enumerated
= KM_MODE_ECB
;
734 CHECK_RESULT_OK(device
->import_key(device
,
741 key_param
[0].tag
= KM_TAG_BLOCK_MODE
;
742 key_param
[0].enumerated
= KM_MODE_ECB
;
744 CHECK_RESULT_OK(device
->begin(device
,
748 NULL
, // no out_params
751 CHECK_RESULT_OK(device
->update(device
,
756 NULL
, // no out_params
758 CHECK_TRUE(input_consumed
== 16);
759 CHECK_TRUE(enc_output1
.data_length
== 16);
761 CHECK_RESULT_OK(device
->finish(device
,
764 NULL
, // no signature
765 NULL
, // no out_params
768 CHECK_TRUE(memcmp(enc_output1
.data
, ciphertext
, 16) == 0);
771 km_free_key_blob(&key_blob
);
772 km_free_blob(&enc_output1
);
777 keymaster_error_t
test_km_aes_import_bad_length(
778 keymaster1_device_t
*device
)
780 keymaster_error_t res
= KM_ERROR_OK
;
781 keymaster_key_param_t key_param
[5];
782 keymaster_key_param_set_t paramset
= {key_param
, 0};
783 keymaster_key_blob_t key_blob
= {0, 0};
785 const uint8_t key
[16] = {
786 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
787 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
789 keymaster_blob_t key_data
= {key
, sizeof(key
)};
791 key_param
[0].tag
= KM_TAG_ALGORITHM
;
792 key_param
[0].enumerated
= KM_ALGORITHM_AES
;
793 key_param
[1].tag
= KM_TAG_KEY_SIZE
;
794 key_param
[1].integer
= 128;
795 key_param
[2].tag
= KM_TAG_NO_AUTH_REQUIRED
;
796 key_param
[2].boolean
= true;
797 key_param
[3].tag
= KM_TAG_PURPOSE
;
798 key_param
[3].enumerated
= KM_PURPOSE_ENCRYPT
;
799 key_param
[4].tag
= KM_TAG_BLOCK_MODE
;
800 key_param
[4].enumerated
= KM_MODE_ECB
;
803 CHECK_RESULT_OK(device
->import_key(device
,
804 ¶mset
, KM_KEY_FORMAT_RAW
, &key_data
, &key_blob
, NULL
));
806 km_free_key_blob(&key_blob
);
807 key_data
.data_length
= 1;
808 key_param
[1].integer
= 8;
809 CHECK_RESULT(KM_ERROR_INVALID_ARGUMENT
, device
->import_key(device
,
810 ¶mset
, KM_KEY_FORMAT_RAW
, &key_data
, &key_blob
, NULL
));
812 km_free_key_blob(&key_blob
);
813 key_data
.data_length
= 0;
814 key_param
[1].integer
= 0;
815 CHECK_RESULT(KM_ERROR_INVALID_ARGUMENT
, device
->import_key(device
,
816 ¶mset
, KM_KEY_FORMAT_RAW
, &key_data
, &key_blob
, NULL
));
819 km_free_key_blob(&key_blob
);
824 keymaster_error_t
test_km_aes(
825 keymaster1_device_t
*device
,
828 keymaster_error_t res
= KM_ERROR_OK
;
829 keymaster_key_param_t key_param
[12];
830 keymaster_key_param_set_t paramset
= {key_param
, 0};
831 keymaster_key_blob_t key_blob
= {0, 0};
832 keymaster_key_characteristics_t
*pkey_characteristics
= NULL
;
834 LOG_I("Generate %d-bit key ...", keysize
);
835 key_param
[0].tag
= KM_TAG_ALGORITHM
;
836 key_param
[0].enumerated
= KM_ALGORITHM_AES
;
837 key_param
[1].tag
= KM_TAG_KEY_SIZE
;
838 key_param
[1].integer
= keysize
;
839 key_param
[2].tag
= KM_TAG_NO_AUTH_REQUIRED
;
840 key_param
[2].boolean
= true;
841 key_param
[3].tag
= KM_TAG_PURPOSE
;
842 key_param
[3].enumerated
= KM_PURPOSE_ENCRYPT
;
843 key_param
[4].tag
= KM_TAG_PURPOSE
;
844 key_param
[4].enumerated
= KM_PURPOSE_DECRYPT
;
845 key_param
[5].tag
= KM_TAG_BLOCK_MODE
;
846 key_param
[5].enumerated
= KM_MODE_ECB
;
847 key_param
[6].tag
= KM_TAG_BLOCK_MODE
;
848 key_param
[6].enumerated
= KM_MODE_CBC
;
849 key_param
[7].tag
= KM_TAG_BLOCK_MODE
;
850 key_param
[7].enumerated
= KM_MODE_CTR
;
851 key_param
[8].tag
= KM_TAG_BLOCK_MODE
;
852 key_param
[8].enumerated
= KM_MODE_GCM
;
853 key_param
[9].tag
= KM_TAG_CALLER_NONCE
;
854 key_param
[9].boolean
= true;
855 key_param
[10].tag
= KM_TAG_PADDING
;
856 key_param
[10].enumerated
= KM_PAD_PKCS7
;
857 key_param
[11].tag
= KM_TAG_MIN_MAC_LENGTH
;
858 key_param
[11].integer
= 96;
859 paramset
.length
= 12;
860 CHECK_RESULT_OK(device
->generate_key(device
,
865 LOG_I("Test key characteristics ...");
866 CHECK_RESULT_OK(device
->get_key_characteristics(device
,
870 &pkey_characteristics
));
871 print_characteristics(pkey_characteristics
);
873 LOG_I("ECB round trip ...");
874 CHECK_RESULT_OK(test_km_aes_roundtrip(device
, &key_blob
, KM_MODE_ECB
, 32, 32));
876 LOG_I("CBC round trip ...");
877 CHECK_RESULT_OK(test_km_aes_roundtrip(device
, &key_blob
, KM_MODE_CBC
, 32, 32));
878 CHECK_RESULT_OK(test_km_aes_roundtrip_noncegen(device
, &key_blob
, KM_MODE_CBC
));
880 LOG_I("CTR round trip ...");
881 CHECK_RESULT_OK(test_km_aes_roundtrip(device
, &key_blob
, KM_MODE_CTR
, 32, 32));
882 CHECK_RESULT_OK(test_km_aes_roundtrip(device
, &key_blob
, KM_MODE_CTR
, 32, 31));
883 CHECK_RESULT_OK(test_km_aes_roundtrip(device
, &key_blob
, KM_MODE_CTR
, 15, 17));
884 CHECK_RESULT_OK(test_km_aes_roundtrip(device
, &key_blob
, KM_MODE_CTR
, 33, 16));
885 CHECK_RESULT_OK(test_km_aes_roundtrip(device
, &key_blob
, KM_MODE_CTR
, 16, 1));
886 CHECK_RESULT_OK(test_km_aes_roundtrip(device
, &key_blob
, KM_MODE_CTR
, 16, 17));
887 CHECK_RESULT_OK(test_km_aes_roundtrip(device
, &key_blob
, KM_MODE_CTR
, 16, 33));
888 CHECK_RESULT_OK(test_km_aes_roundtrip(device
, &key_blob
, KM_MODE_CTR
, 15, 33));
889 CHECK_RESULT_OK(test_km_aes_roundtrip_noncegen(device
, &key_blob
, KM_MODE_CTR
));
891 LOG_I("GCM round trip ...");
892 CHECK_RESULT_OK(test_km_aes_gcm_roundtrip(device
, &key_blob
, 96, 32, 32));
893 CHECK_RESULT_OK(test_km_aes_gcm_roundtrip(device
, &key_blob
, 128, 32, 32));
894 CHECK_RESULT_OK(test_km_aes_gcm_roundtrip(device
, &key_blob
, 96, 16, 2));
895 CHECK_RESULT_OK(test_km_aes_gcm_roundtrip(device
, &key_blob
, 128, 13, 15));
896 CHECK_RESULT_OK(test_km_aes_gcm_roundtrip_noncegen(device
, &key_blob
));
897 CHECK_RESULT_OK(test_km_aes_gcm_roundtrip_incr(device
, &key_blob
));
899 LOG_I("PKCS7 padding (ECB)...");
900 CHECK_RESULT_OK(test_km_aes_pkcs7(device
, &key_blob
, KM_MODE_ECB
, 3));
901 CHECK_RESULT_OK(test_km_aes_pkcs7(device
, &key_blob
, KM_MODE_ECB
, 16));
902 CHECK_RESULT_OK(test_km_aes_pkcs7(device
, &key_blob
, KM_MODE_ECB
, 37));
904 LOG_I("PKCS7 padding (CBC)...");
905 CHECK_RESULT_OK(test_km_aes_pkcs7(device
, &key_blob
, KM_MODE_CBC
, 3));
906 CHECK_RESULT_OK(test_km_aes_pkcs7(device
, &key_blob
, KM_MODE_CBC
, 16));
907 CHECK_RESULT_OK(test_km_aes_pkcs7(device
, &key_blob
, KM_MODE_CBC
, 37));
910 keymaster_free_characteristics(pkey_characteristics
);
911 free(pkey_characteristics
);
912 km_free_key_blob(&key_blob
);