projects / GitHub / LineageOS / android_hardware_samsung_slsi_exynos7580.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
import exynos 7570 bsp
[GitHub/LineageOS/android_hardware_samsung_slsi_exynos7580.git] / libkeymaster / ver1 / test / test_km_aes.cpp
1 /*
2 * Copyright (c) 2015 TRUSTONIC LIMITED
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions are met:
7 *
8 * 1. Redistributions of source code must retain the above copyright notice,
9 * this list of conditions and the following disclaimer.
10 *
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 *
15 * 3. Neither the name of the TRUSTONIC LIMITED nor the names of its
16 * contributors may be used to endorse or promote products derived from
17 * this software without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
21 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
22 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
23 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
24 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
25 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
26 * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
27 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
28 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
29 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 */
31
32 #include <hardware/keymaster1.h>
33 #include <assert.h>
34
35 #include "test_km_aes.h"
36 #include "test_km_util.h"
37
38 #undef LOG_ANDROID
39 #undef LOG_TAG
40 #define LOG_TAG "TlcTeeKeyMasterTest"
41 #include "log.h"
42
43 static keymaster_error_t test_km_aes_roundtrip(
44 keymaster1_device_t *device,
45 const keymaster_key_blob_t *key_blob,
46 keymaster_block_mode_t mode,
47 size_t msg_part1_len,
48 size_t msg_part2_len)
49 {
50 keymaster_error_t res = KM_ERROR_OK;
51 keymaster_key_param_t key_param[2];
52 keymaster_key_param_set_t paramset = {key_param, 0};
53 keymaster_operation_handle_t handle;
54 keymaster_blob_t nonce;
55 uint8_t nonce_bytes[16];
56 uint8_t input[64];
57 keymaster_blob_t input_blob = {0, 0};
58 keymaster_blob_t enc_output1 = {0, 0};
59 keymaster_blob_t enc_output2 = {0, 0};
60 keymaster_blob_t dec_output1 = {0, 0};
61 keymaster_blob_t dec_output2 = {0, 0};
62 size_t input_consumed = 0;
63
64 assert(msg_part1_len + msg_part2_len <= 64);
65
66 /* populate input message */
67 memset(input, 7, sizeof(input));
68
69 /* populate nonce */
70 memset(nonce_bytes, 3, 16);
71 nonce.data = &nonce_bytes[0];
72 nonce.data_length = (mode == KM_MODE_GCM) ? 12 : 16;
73
74 key_param[0].tag = KM_TAG_BLOCK_MODE;
75 key_param[0].enumerated = mode;
76 key_param[1].tag = KM_TAG_NONCE; // ignored for ECB
77 key_param[1].blob = nonce;
78 paramset.length = 2;
79 CHECK_RESULT_OK(device->begin(device,
80 KM_PURPOSE_ENCRYPT,
81 key_blob,
82 &paramset,
83 NULL, // no out_params
84 &handle));
85
86 input_blob.data = &input[0];
87 input_blob.data_length = msg_part1_len;
88 CHECK_RESULT_OK(device->update(device,
89 handle,
90 NULL, // no params
91 &input_blob, // first half of message
92 &input_consumed,
93 NULL, // no out_params
94 &enc_output1));
95 CHECK_TRUE(input_consumed == msg_part1_len);
96 CHECK_TRUE(enc_output1.data_length == msg_part1_len);
97
98 input_blob.data = input + msg_part1_len;
99 input_blob.data_length = msg_part2_len;
100 CHECK_RESULT_OK(device->update(device,
101 handle,
102 NULL, // no params
103 &input_blob, // second half of message
104 &input_consumed,
105 NULL, // no out_params
106 &enc_output2));
107 CHECK_TRUE(input_consumed == msg_part2_len);
108 CHECK_TRUE(enc_output2.data_length == msg_part2_len);
109
110 CHECK_RESULT_OK(device->finish(device,
111 handle,
112 NULL, // no params
113 NULL, // no signature
114 NULL, // no out_params
115 NULL));
116
117 // key_params as for encrypt above
118 CHECK_RESULT_OK(device->begin(device,
119 KM_PURPOSE_DECRYPT,
120 key_blob,
121 &paramset,
122 NULL, // no out_params
123 &handle));
124
125 CHECK_RESULT_OK(device->update(device,
126 handle,
127 NULL, // no params
128 &enc_output1, // first half of ciphertext
129 &input_consumed,
130 NULL, // no out_params
131 &dec_output1));
132 CHECK_TRUE(input_consumed == msg_part1_len);
133 CHECK_TRUE(dec_output1.data_length == msg_part1_len);
134
135 CHECK_RESULT_OK(device->update(device,
136 handle,
137 NULL, // no params
138 &enc_output2, // second half of ciphertext
139 &input_consumed,
140 NULL, // no out_params
141 &dec_output2));
142 CHECK_TRUE(input_consumed == msg_part2_len);
143 CHECK_TRUE(dec_output2.data_length == msg_part2_len);
144
145 CHECK_RESULT_OK(device->finish(device,
146 handle,
147 NULL, // no params
148 NULL, // no signature
149 NULL, // no out_params
150 NULL));
151
152 CHECK_TRUE((memcmp(&input[0], dec_output1.data, msg_part1_len) == 0) &&
153 (memcmp(&input[msg_part1_len], dec_output2.data, msg_part2_len) == 0));
154
155 end:
156 km_free_blob(&enc_output1);
157 km_free_blob(&enc_output2);
158 km_free_blob(&dec_output1);
159 km_free_blob(&dec_output2);
160
161 return res;
162 }
163
164 static keymaster_error_t test_km_aes_roundtrip_noncegen(
165 keymaster1_device_t *device,
166 const keymaster_key_blob_t *key_blob,
167 keymaster_block_mode_t mode)
168 {
169 keymaster_error_t res = KM_ERROR_OK;
170 keymaster_key_param_t param[2];
171 keymaster_key_param_set_t paramset = {param, 0};
172 keymaster_key_param_set_t out_paramset = {NULL, 0};
173 keymaster_operation_handle_t handle;
174 uint8_t input[16];
175 keymaster_blob_t input_blob = {input, sizeof(input)};
176 keymaster_blob_t enc_output = {0, 0};
177 keymaster_blob_t enc_output1 = {0, 0};
178 keymaster_blob_t dec_output = {0, 0};
179 size_t input_consumed = 0;
180 keymaster_blob_t nonce;
181 uint8_t nonce_bytes[16];
182
183 /* populate input message */
184 memset(input, 7, sizeof(input));
185
186 /* initialize nonce */
187 nonce.data = nonce_bytes;
188 nonce.data_length = (mode == KM_MODE_GCM) ? 12 : 16;
189
190 param[0].tag = KM_TAG_BLOCK_MODE;
191 param[0].enumerated = mode;
192 paramset.length = 1;
193 CHECK_RESULT_OK(device->begin(device,
194 KM_PURPOSE_ENCRYPT, key_blob, &paramset, &out_paramset, &handle));
195 CHECK_TRUE(out_paramset.length == 1);
196 CHECK_TRUE(out_paramset.params[0].tag == KM_TAG_NONCE);
197 CHECK_TRUE(out_paramset.params[0].blob.data_length == 16);
198 memcpy(nonce_bytes, out_paramset.params[0].blob.data, 16);
199
200 CHECK_RESULT_OK(device->update(device,
201 handle, NULL, &input_blob, &input_consumed, NULL, &enc_output));
202 CHECK_TRUE(input_consumed == sizeof(input));
203 CHECK_TRUE(enc_output.data_length == sizeof(input));
204
205 CHECK_RESULT_OK(device->finish(device,
206 handle, NULL, NULL, NULL, NULL));
207
208 // Try again supplying same nonce -- should get same ciphertext.
209 param[1].tag = KM_TAG_NONCE;
210 param[1].blob = nonce;
211 paramset.length = 2;
212 CHECK_RESULT_OK(device->begin(device,
213 KM_PURPOSE_ENCRYPT, key_blob, &paramset, NULL, &handle));
214
215 CHECK_RESULT_OK(device->update(device,
216 handle, NULL, &input_blob, &input_consumed, NULL, &enc_output1));
217 CHECK_TRUE(input_consumed == sizeof(input));
218 CHECK_TRUE(enc_output1.data_length == sizeof(input));
219 CHECK_TRUE(memcmp(enc_output.data, enc_output1.data, sizeof(input)) == 0);
220
221 CHECK_RESULT_OK(device->finish(device,
222 handle, NULL, NULL, NULL, NULL));
223
224 // And now decrypt
225 CHECK_RESULT_OK(device->begin(device,
226 KM_PURPOSE_DECRYPT, key_blob, &paramset, NULL, &handle));
227
228 CHECK_RESULT_OK(device->update(device,
229 handle, NULL, &enc_output, &input_consumed, NULL, &dec_output));
230 CHECK_TRUE(input_consumed == sizeof(input));
231 CHECK_TRUE(dec_output.data_length == sizeof(input));
232
233 CHECK_RESULT_OK(device->finish(device,
234 handle, NULL, NULL, NULL, NULL));
235
236 CHECK_TRUE(memcmp(input, dec_output.data, sizeof(input)) == 0);
237
238 end:
239 km_free_blob(&enc_output);
240 km_free_blob(&enc_output1);
241 km_free_blob(&dec_output);
242 keymaster_free_param_set(&out_paramset);
243
244 return res;
245 }
246
247 static keymaster_error_t test_km_aes_gcm_roundtrip_noncegen(
248 keymaster1_device_t *device,
249 const keymaster_key_blob_t *key_blob)
250 {
251 keymaster_error_t res = KM_ERROR_OK;
252 keymaster_key_param_t param[3];
253 keymaster_key_param_set_t paramset = {param, 0};
254 keymaster_key_param_set_t out_paramset = {NULL, 0};
255 keymaster_operation_handle_t handle;
256 uint8_t input[16];
257 keymaster_blob_t input_blob = {input, sizeof(input)};
258 keymaster_blob_t enc_output = {0, 0};
259 keymaster_blob_t enc_output1 = {0, 0};
260 keymaster_blob_t dec_output = {0, 0};
261 keymaster_blob_t dec_final_output = {0, 0};
262 keymaster_blob_t tag = {0, 0};
263 keymaster_blob_t tag1 = {0, 0};
264 size_t input_consumed = 0;
265 keymaster_blob_t nonce;
266 uint8_t nonce_bytes[12];
267
268 /* populate input message */
269 memset(input, 7, sizeof(input));
270
271 /* initialize nonce */
272 nonce.data = nonce_bytes;
273 nonce.data_length = sizeof(nonce_bytes);
274
275 param[0].tag = KM_TAG_BLOCK_MODE;
276 param[0].enumerated = KM_MODE_GCM;
277 param[1].tag = KM_TAG_MAC_LENGTH;
278 param[1].integer = 128;
279 paramset.length = 2;
280 CHECK_RESULT_OK(device->begin(device,
281 KM_PURPOSE_ENCRYPT, key_blob, &paramset, &out_paramset, &handle));
282 CHECK_TRUE(out_paramset.length == 1);
283 CHECK_TRUE(out_paramset.params[0].tag == KM_TAG_NONCE);
284 CHECK_TRUE(out_paramset.params[0].blob.data_length == 12);
285 memcpy(nonce_bytes, out_paramset.params[0].blob.data, 12);
286
287 CHECK_RESULT_OK(device->update(device,
288 handle, NULL, &input_blob, &input_consumed, NULL, &enc_output));
289 CHECK_TRUE(input_consumed == sizeof(input));
290
291 CHECK_RESULT_OK(device->finish(device,
292 handle, NULL, NULL, NULL, &tag));
293
294 // Try again supplying same nonce -- should get same ciphertext.
295 param[2].tag = KM_TAG_NONCE;
296 param[2].blob = nonce;
297 paramset.length = 3;
298 CHECK_RESULT_OK(device->begin(device,
299 KM_PURPOSE_ENCRYPT, key_blob, &paramset, NULL, &handle));
300
301 CHECK_RESULT_OK(device->update(device,
302 handle, NULL, &input_blob, &input_consumed, NULL, &enc_output1));
303 CHECK_TRUE(input_consumed == sizeof(input));
304 CHECK_TRUE(
305 (enc_output.data_length == enc_output1.data_length) &&
306 (memcmp(enc_output.data, enc_output1.data, enc_output.data_length) == 0));
307
308 CHECK_RESULT_OK(device->finish(device,
309 handle, NULL, NULL, NULL, &tag1));
310 CHECK_TRUE(
311 (tag.data_length == tag1.data_length) &&
312 (memcmp(tag.data, tag1.data, tag.data_length) == 0));
313
314 // And now decrypt
315 CHECK_RESULT_OK(device->begin(device,
316 KM_PURPOSE_DECRYPT, key_blob, &paramset, NULL, &handle));
317
318 CHECK_RESULT_OK(device->update(device,
319 handle, NULL, &enc_output, &input_consumed, NULL, &dec_output));
320 CHECK_TRUE(input_consumed == sizeof(input));
321
322 CHECK_RESULT_OK(device->update(device,
323 handle, NULL, &tag, &input_consumed, NULL, &dec_final_output));
324 CHECK_TRUE(input_consumed == tag.data_length);
325
326 CHECK_RESULT_OK(device->finish(device,
327 handle, NULL, NULL, NULL, NULL));
328
329 CHECK_TRUE(
330 (dec_output.data_length + dec_final_output.data_length == sizeof(input)) &&
331 (memcmp(&input[0], dec_output.data, dec_output.data_length) == 0) &&
332 (memcmp(&input[dec_output.data_length], dec_final_output.data, dec_final_output.data_length) == 0));
333
334 end:
335 km_free_blob(&enc_output);
336 km_free_blob(&enc_output1);
337 km_free_blob(&dec_output);
338 km_free_blob(&dec_final_output);
339 km_free_blob(&tag);
340 km_free_blob(&tag1);
341 keymaster_free_param_set(&out_paramset);
342
343 return res;
344 }
345
346 static keymaster_error_t test_km_aes_pkcs7(
347 keymaster1_device_t *device,
348 const keymaster_key_blob_t *key_blob,
349 keymaster_block_mode_t mode,
350 size_t message_len)
351 {
352 keymaster_error_t res = KM_ERROR_OK;
353 keymaster_key_param_t key_param[3];
354 keymaster_key_param_set_t paramset = {key_param, 0};
355 keymaster_operation_handle_t handle;
356 keymaster_blob_t nonce;
357 uint8_t nonce_bytes[16];
358 uint8_t input[64];
359 keymaster_blob_t input_blob = {0, 0};
360 keymaster_blob_t enc_output = {0, 0};
361 keymaster_blob_t enc_output1 = {0, 0};
362 keymaster_blob_t dec_output = {0, 0};
363 keymaster_blob_t dec_output1 = {0, 0};
364 keymaster_blob_t dec_output2 = {0, 0};
365 size_t input_consumed = 0;
366
367 assert(message_len <= 64);
368
369 /* populate input message */
370 memset(input, 7, sizeof(input));
371
372 /* populate nonce */
373 memset(nonce_bytes, 3, sizeof(nonce_bytes));
374 nonce.data = nonce_bytes;
375 nonce.data_length = sizeof(nonce_bytes);
376
377 key_param[0].tag = KM_TAG_BLOCK_MODE;
378 key_param[0].enumerated = mode;
379 key_param[1].tag = KM_TAG_NONCE; // ignored for ECB
380 key_param[1].blob = nonce;
381 key_param[2].tag = KM_TAG_PADDING;
382 key_param[2].enumerated = KM_PAD_PKCS7;
383 paramset.length = 3;
384
385 CHECK_RESULT_OK(device->begin(device,
386 KM_PURPOSE_ENCRYPT, key_blob, &paramset, NULL, &handle));
387
388 input_blob.data = input;
389 input_blob.data_length = message_len;
390 CHECK_RESULT_OK(device->update(device,
391 handle, NULL, &input_blob, &input_consumed, NULL, &enc_output));
392 CHECK_TRUE(input_consumed == message_len);
393
394 CHECK_RESULT_OK(device->finish(device,
395 handle, NULL, NULL, NULL, &enc_output1));
396 CHECK_TRUE((enc_output.data_length + enc_output1.data_length > message_len) &&
397 (enc_output.data_length + enc_output1.data_length <= message_len + 16) &&
398 ((enc_output.data_length + enc_output1.data_length) % 16 == 0));
399
400 // key_params as for encrypt above
401 CHECK_RESULT_OK(device->begin(device,
402 KM_PURPOSE_DECRYPT, key_blob, &paramset, NULL, &handle));
403
404 CHECK_RESULT_OK(device->update(device,
405 handle, NULL, &enc_output, &input_consumed, NULL, &dec_output));
406 CHECK_TRUE(input_consumed == enc_output.data_length);
407
408 CHECK_RESULT_OK(device->update(device,
409 handle, NULL, &enc_output1, &input_consumed, NULL, &dec_output1));
410 CHECK_TRUE(input_consumed == enc_output1.data_length);
411
412 CHECK_RESULT_OK(device->finish(device,
413 handle, NULL, NULL, NULL, &dec_output2));
414
415 CHECK_TRUE(dec_output.data_length + dec_output1.data_length + dec_output2.data_length == message_len);
416 CHECK_TRUE((memcmp(input, dec_output.data, dec_output.data_length) == 0) &&
417 (memcmp(input + dec_output.data_length, dec_output1.data, dec_output1.data_length) == 0) &&
418 (memcmp(input + dec_output.data_length + dec_output1.data_length, dec_output2.data, dec_output2.data_length) == 0));
419
420 end:
421 km_free_blob(&enc_output);
422 km_free_blob(&enc_output1);
423 km_free_blob(&dec_output);
424 km_free_blob(&dec_output1);
425 km_free_blob(&dec_output2);
426
427 return res;
428 }
429
430 static keymaster_error_t test_km_aes_gcm_roundtrip(
431 keymaster1_device_t *device,
432 const keymaster_key_blob_t *key_blob,
433 uint32_t tagsize,
434 size_t msg_part1_len,
435 size_t msg_part2_len)
436 {
437 keymaster_error_t res = KM_ERROR_OK;
438 keymaster_key_param_t key_param[4];
439 keymaster_key_param_set_t paramset = {key_param, 0};
440 keymaster_operation_handle_t handle;
441 keymaster_blob_t nonce;
442 uint8_t nonce_bytes[12];
443 keymaster_blob_t aad;
444 uint8_t aad_bytes[23];
445 uint8_t input[64];
446 keymaster_blob_t input_blob = {0, 0};
447 keymaster_blob_t enc_output1 = {0, 0};
448 keymaster_blob_t enc_output2 = {0, 0};
449 keymaster_blob_t enc_output3 = {0, 0};
450 keymaster_blob_t dec_output1 = {0, 0};
451 keymaster_blob_t dec_output2 = {0, 0};
452 keymaster_blob_t dec_output3 = {0, 0};
453 size_t input_consumed = 0;
454
455 LOG_I("Using %u-bit tag ...", tagsize);
456
457 assert(msg_part1_len + msg_part2_len <= 64);
458
459 /* populate input message */
460 memset(input, 7, sizeof(input));
461
462 /* populate nonce */
463 memset(nonce_bytes, 3, sizeof(nonce_bytes));
464 nonce.data = &nonce_bytes[0];
465 nonce.data_length = sizeof(nonce_bytes);
466
467 /* populate AAD */
468 memset(aad_bytes, 11, sizeof(aad_bytes));
469 aad.data = &aad_bytes[0];
470 aad.data_length = sizeof(aad_bytes);
471
472 key_param[0].tag = KM_TAG_BLOCK_MODE;
473 key_param[0].enumerated = KM_MODE_GCM;
474 key_param[1].tag = KM_TAG_NONCE;
475 key_param[1].blob = nonce;
476 key_param[2].tag = KM_TAG_MAC_LENGTH;
477 key_param[2].integer = tagsize;
478 paramset.length = 3;
479 CHECK_RESULT_OK(device->begin(device,
480 KM_PURPOSE_ENCRYPT,
481 key_blob,
482 &paramset,
483 NULL, // no out_params
484 &handle));
485
486 input_blob.data = &input[0];
487 input_blob.data_length = msg_part1_len;
488 key_param[0].tag = KM_TAG_ASSOCIATED_DATA;
489 key_param[0].blob = aad;
490 paramset.length = 1;
491 CHECK_RESULT_OK(device->update(device,
492 handle,
493 &paramset, // AAD
494 &input_blob, // first half of message
495 &input_consumed,
496 NULL, // no out_params
497 &enc_output1));
498 CHECK_TRUE(input_consumed == msg_part1_len);
499
500 input_blob.data = &input[msg_part1_len];
501 input_blob.data_length = msg_part2_len;
502 CHECK_RESULT_OK(device->update(device,
503 handle,
504 NULL, // no params
505 &input_blob, // second half of message
506 &input_consumed,
507 NULL, // no params
508 &enc_output2));
509 CHECK_TRUE(input_consumed == msg_part2_len);
510
511 CHECK_RESULT_OK(device->finish(device,
512 handle,
513 NULL, // no params
514 NULL, // no signature
515 NULL, // no out_params
516 &enc_output3));
517 CHECK_TRUE(enc_output1.data_length + enc_output2.data_length + enc_output3.data_length == msg_part1_len + msg_part2_len + tagsize/8);
518
519 key_param[0].tag = KM_TAG_BLOCK_MODE;
520 key_param[0].enumerated = KM_MODE_GCM;
521 paramset.length = 3;
522 CHECK_RESULT_OK(device->begin(device,
523 KM_PURPOSE_DECRYPT,
524 key_blob,
525 &paramset, // as for 'begin encrypt' above
526 NULL, // no out_params
527 &handle));
528
529 key_param[0].tag = KM_TAG_ASSOCIATED_DATA;
530 key_param[0].blob = aad;
531 paramset.length = 1;
532 CHECK_RESULT_OK(device->update(device,
533 handle,
534 &paramset, // as for 'update encrypt (1)' above
535 &enc_output1, // first half of ciphertext
536 &input_consumed,
537 NULL, // no out_params
538 &dec_output1));
539 CHECK_TRUE(input_consumed == enc_output1.data_length);
540
541 CHECK_RESULT_OK(device->update(device,
542 handle,
543 NULL, // no params
544 &enc_output2, // second half of ciphertext
545 &input_consumed,
546 NULL, // no out_params
547 &dec_output2));
548 CHECK_TRUE(input_consumed == enc_output2.data_length);
549
550 CHECK_RESULT_OK(device->update(device,
551 handle, NULL, &enc_output3, &input_consumed, NULL, &dec_output3));
552 CHECK_TRUE(input_consumed == enc_output3.data_length);
553
554 CHECK_RESULT_OK(device->finish(device,
555 handle,
556 NULL, // no params
557 NULL, // no signature
558 NULL, // no out_params
559 NULL));
560
561 CHECK_TRUE((dec_output1.data_length + dec_output2.data_length + dec_output3.data_length == msg_part1_len + msg_part2_len) &&
562 (memcmp(&input[0], dec_output1.data, dec_output1.data_length) == 0) &&
563 (memcmp(&input[dec_output1.data_length], dec_output2.data, dec_output2.data_length) == 0) &&
564 (memcmp(&input[dec_output1.data_length + dec_output2.data_length], dec_output3.data, dec_output3.data_length) == 0));
565
566 end:
567 km_free_blob(&enc_output1);
568 km_free_blob(&enc_output2);
569 km_free_blob(&enc_output3);
570 km_free_blob(&dec_output1);
571 km_free_blob(&dec_output2);
572 km_free_blob(&dec_output3);
573
574 return res;
575 }
576
577 /**
578 * Update AAD twice, then update cipher twice, each time with a single byte.
579 */
580 static keymaster_error_t test_km_aes_gcm_roundtrip_incr(
581 keymaster1_device_t *device,
582 const keymaster_key_blob_t *key_blob)
583 {
584 keymaster_error_t res = KM_ERROR_OK;
585 keymaster_key_param_t param[4];
586 keymaster_key_param_set_t paramset = {param, 0};
587 keymaster_operation_handle_t handle;
588 keymaster_blob_t nonce;
589 uint8_t nonce_bytes[12];
590 keymaster_blob_t aad;
591 uint8_t aad_byte = 11;
592 uint8_t input_byte = 7;
593 keymaster_blob_t input_blob = {0, 0};
594 keymaster_blob_t enc_output1 = {0, 0};
595 keymaster_blob_t enc_output2 = {0, 0};
596 keymaster_blob_t enc_output3 = {0, 0};
597 keymaster_blob_t dec_output1 = {0, 0};
598 keymaster_blob_t dec_output2 = {0, 0};
599 keymaster_blob_t dec_output3 = {0, 0};
600 size_t input_consumed = 0;
601
602 /* populate input blob */
603 input_blob.data = &input_byte;
604 input_blob.data_length = 1;
605
606 /* populate nonce */
607 memset(nonce_bytes, 3, sizeof(nonce_bytes));
608 nonce.data = &nonce_bytes[0];
609 nonce.data_length = sizeof(nonce_bytes);
610
611 /* populate AAD */
612 aad.data = &aad_byte;
613 aad.data_length = 1;
614
615 /* begin encrypt */
616 param[0].tag = KM_TAG_BLOCK_MODE;
617 param[0].enumerated = KM_MODE_GCM;
618 param[1].tag = KM_TAG_NONCE;
619 param[1].blob = nonce;
620 param[2].tag = KM_TAG_MAC_LENGTH;
621 param[2].integer = 128;
622 paramset.length = 3;
623 CHECK_RESULT_OK(device->begin(device,
624 KM_PURPOSE_ENCRYPT, key_blob, &paramset, NULL, &handle));
625
626 /* update AAD (twice) */
627 param[0].tag = KM_TAG_ASSOCIATED_DATA;
628 param[0].blob = aad;
629 paramset.length = 1;
630 for (int i = 0; i < 2; i++) {
631 CHECK_RESULT_OK(device->update(device,
632 handle, &paramset, NULL, &input_consumed, NULL, NULL));
633 CHECK_TRUE(input_consumed == 0);
634 }
635
636 /* update cipher (twice) */
637 CHECK_RESULT_OK(device->update(device,
638 handle, NULL, &input_blob, &input_consumed, NULL, &enc_output1));
639 CHECK_TRUE(input_consumed == 1);
640 CHECK_RESULT_OK(device->update(device,
641 handle, NULL, &input_blob, &input_consumed, NULL, &enc_output2));
642 CHECK_TRUE(input_consumed == 1);
643
644 /* finish */
645 CHECK_RESULT_OK(device->finish(device,
646 handle, NULL, NULL, NULL, &enc_output3));
647 CHECK_TRUE(enc_output1.data_length + enc_output2.data_length + enc_output3.data_length == 2 + 16);
648
649 /* begin decrypt */
650 param[0].tag = KM_TAG_BLOCK_MODE;
651 param[0].enumerated = KM_MODE_GCM;
652 paramset.length = 3;
653 CHECK_RESULT_OK(device->begin(device,
654 KM_PURPOSE_DECRYPT, key_blob, &paramset, NULL, &handle));
655
656 /* update AAD (twice) */
657 param[0].tag = KM_TAG_ASSOCIATED_DATA;
658 param[0].blob = aad;
659 paramset.length = 1;
660 for (int i = 0; i < 2; i++) {
661 CHECK_RESULT_OK(device->update(device,
662 handle, &paramset, NULL, &input_consumed, NULL, NULL));
663 CHECK_TRUE(input_consumed == 0);
664 }
665
666 /* update cipher (three times) */
667 CHECK_RESULT_OK(device->update(device,
668 handle, NULL, &enc_output1, &input_consumed, NULL, &dec_output1));
669 CHECK_TRUE(input_consumed == enc_output1.data_length);
670 CHECK_RESULT_OK(device->update(device,
671 handle, NULL, &enc_output2, &input_consumed, NULL, &dec_output2));
672 CHECK_TRUE(input_consumed == enc_output2.data_length);
673 CHECK_RESULT_OK(device->update(device,
674 handle, NULL, &enc_output3, &input_consumed, NULL, &dec_output3));
675 CHECK_TRUE(input_consumed == enc_output3.data_length);
676
677 /* finish */
678 CHECK_RESULT_OK(device->finish(device,
679 handle, NULL, NULL, NULL, NULL));
680
681 end:
682 km_free_blob(&enc_output1);
683 km_free_blob(&enc_output2);
684 km_free_blob(&enc_output3);
685 km_free_blob(&dec_output1);
686 km_free_blob(&dec_output2);
687 km_free_blob(&dec_output3);
688
689 return res;
690 }
691
692 keymaster_error_t test_km_aes_import(
693 keymaster1_device_t *device)
694 {
695 keymaster_error_t res = KM_ERROR_OK;
696 keymaster_key_param_t key_param[5];
697 keymaster_key_param_set_t paramset = {key_param, 0};
698 keymaster_key_blob_t key_blob = {0, 0};
699 keymaster_operation_handle_t handle;
700 keymaster_blob_t enc_output1 = {0, 0};
701 size_t input_consumed = 0;
702
703 /* First NIST test vector from ECBVarKey128.rsp
704 http://csrc.nist.gov/groups/STM/cavp/documents/aes/KAT_AES.zip
705 KEY = 80000000000000000000000000000000
706 PLAINTEXT = 00000000000000000000000000000000
707 CIPHERTEXT = 0edd33d3c621e546455bd8ba1418bec8
708 */
709
710 const uint8_t key[16] = {
711 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
712 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
713 const uint8_t plaintext[16] = {
714 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
715 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
716 const uint8_t ciphertext[16] = {
717 0x0e, 0xdd, 0x33, 0xd3, 0xc6, 0x21, 0xe5, 0x46,
718 0x45, 0x5b, 0xd8, 0xba, 0x14, 0x18, 0xbe, 0xc8};
719
720 const keymaster_blob_t key_data = {key, sizeof(key)};
721 const keymaster_blob_t plainblob = {plaintext, sizeof(plaintext)};
722
723 key_param[0].tag = KM_TAG_ALGORITHM;
724 key_param[0].enumerated = KM_ALGORITHM_AES;
725 key_param[1].tag = KM_TAG_KEY_SIZE;
726 key_param[1].integer = 128;
727 key_param[2].tag = KM_TAG_NO_AUTH_REQUIRED;
728 key_param[2].boolean = true;
729 key_param[3].tag = KM_TAG_PURPOSE;
730 key_param[3].enumerated = KM_PURPOSE_ENCRYPT;
731 key_param[4].tag = KM_TAG_BLOCK_MODE;
732 key_param[4].enumerated = KM_MODE_ECB;
733 paramset.length = 5;
734 CHECK_RESULT_OK(device->import_key(device,
735 &paramset,
736 KM_KEY_FORMAT_RAW,
737 &key_data,
738 &key_blob,
739 NULL));
740
741 key_param[0].tag = KM_TAG_BLOCK_MODE;
742 key_param[0].enumerated = KM_MODE_ECB;
743 paramset.length = 1;
744 CHECK_RESULT_OK(device->begin(device,
745 KM_PURPOSE_ENCRYPT,
746 &key_blob,
747 &paramset,
748 NULL, // no out_params
749 &handle));
750
751 CHECK_RESULT_OK(device->update(device,
752 handle,
753 NULL, // no params
754 &plainblob,
755 &input_consumed,
756 NULL, // no out_params
757 &enc_output1));
758 CHECK_TRUE(input_consumed == 16);
759 CHECK_TRUE(enc_output1.data_length == 16);
760
761 CHECK_RESULT_OK(device->finish(device,
762 handle,
763 NULL, // no params
764 NULL, // no signature
765 NULL, // no out_params
766 NULL));
767
768 CHECK_TRUE(memcmp(enc_output1.data, ciphertext, 16) == 0);
769
770 end:
771 km_free_key_blob(&key_blob);
772 km_free_blob(&enc_output1);
773
774 return res;
775 }
776
777 keymaster_error_t test_km_aes_import_bad_length(
778 keymaster1_device_t *device)
779 {
780 keymaster_error_t res = KM_ERROR_OK;
781 keymaster_key_param_t key_param[5];
782 keymaster_key_param_set_t paramset = {key_param, 0};
783 keymaster_key_blob_t key_blob = {0, 0};
784
785 const uint8_t key[16] = {
786 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
787 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
788
789 keymaster_blob_t key_data = {key, sizeof(key)};
790
791 key_param[0].tag = KM_TAG_ALGORITHM;
792 key_param[0].enumerated = KM_ALGORITHM_AES;
793 key_param[1].tag = KM_TAG_KEY_SIZE;
794 key_param[1].integer = 128;
795 key_param[2].tag = KM_TAG_NO_AUTH_REQUIRED;
796 key_param[2].boolean = true;
797 key_param[3].tag = KM_TAG_PURPOSE;
798 key_param[3].enumerated = KM_PURPOSE_ENCRYPT;
799 key_param[4].tag = KM_TAG_BLOCK_MODE;
800 key_param[4].enumerated = KM_MODE_ECB;
801 paramset.length = 5;
802
803 CHECK_RESULT_OK(device->import_key(device,
804 &paramset, KM_KEY_FORMAT_RAW, &key_data, &key_blob, NULL));
805
806 km_free_key_blob(&key_blob);
807 key_data.data_length = 1;
808 key_param[1].integer = 8;
809 CHECK_RESULT(KM_ERROR_INVALID_ARGUMENT, device->import_key(device,
810 &paramset, KM_KEY_FORMAT_RAW, &key_data, &key_blob, NULL));
811
812 km_free_key_blob(&key_blob);
813 key_data.data_length = 0;
814 key_param[1].integer = 0;
815 CHECK_RESULT(KM_ERROR_INVALID_ARGUMENT, device->import_key(device,
816 &paramset, KM_KEY_FORMAT_RAW, &key_data, &key_blob, NULL));
817
818 end:
819 km_free_key_blob(&key_blob);
820
821 return res;
822 }
823
824 keymaster_error_t test_km_aes(
825 keymaster1_device_t *device,
826 uint32_t keysize)
827 {
828 keymaster_error_t res = KM_ERROR_OK;
829 keymaster_key_param_t key_param[12];
830 keymaster_key_param_set_t paramset = {key_param, 0};
831 keymaster_key_blob_t key_blob = {0, 0};
832 keymaster_key_characteristics_t *pkey_characteristics = NULL;
833
834 LOG_I("Generate %d-bit key ...", keysize);
835 key_param[0].tag = KM_TAG_ALGORITHM;
836 key_param[0].enumerated = KM_ALGORITHM_AES;
837 key_param[1].tag = KM_TAG_KEY_SIZE;
838 key_param[1].integer = keysize;
839 key_param[2].tag = KM_TAG_NO_AUTH_REQUIRED;
840 key_param[2].boolean = true;
841 key_param[3].tag = KM_TAG_PURPOSE;
842 key_param[3].enumerated = KM_PURPOSE_ENCRYPT;
843 key_param[4].tag = KM_TAG_PURPOSE;
844 key_param[4].enumerated = KM_PURPOSE_DECRYPT;
845 key_param[5].tag = KM_TAG_BLOCK_MODE;
846 key_param[5].enumerated = KM_MODE_ECB;
847 key_param[6].tag = KM_TAG_BLOCK_MODE;
848 key_param[6].enumerated = KM_MODE_CBC;
849 key_param[7].tag = KM_TAG_BLOCK_MODE;
850 key_param[7].enumerated = KM_MODE_CTR;
851 key_param[8].tag = KM_TAG_BLOCK_MODE;
852 key_param[8].enumerated = KM_MODE_GCM;
853 key_param[9].tag = KM_TAG_CALLER_NONCE;
854 key_param[9].boolean = true;
855 key_param[10].tag = KM_TAG_PADDING;
856 key_param[10].enumerated = KM_PAD_PKCS7;
857 key_param[11].tag = KM_TAG_MIN_MAC_LENGTH;
858 key_param[11].integer = 96;
859 paramset.length = 12;
860 CHECK_RESULT_OK(device->generate_key(device,
861 &paramset,
862 &key_blob,
863 NULL));
864
865 LOG_I("Test key characteristics ...");
866 CHECK_RESULT_OK(device->get_key_characteristics(device,
867 &key_blob,
868 NULL, // client_id
869 NULL, // app_data
870 &pkey_characteristics));
871 print_characteristics(pkey_characteristics);
872
873 LOG_I("ECB round trip ...");
874 CHECK_RESULT_OK(test_km_aes_roundtrip(device, &key_blob, KM_MODE_ECB, 32, 32));
875
876 LOG_I("CBC round trip ...");
877 CHECK_RESULT_OK(test_km_aes_roundtrip(device, &key_blob, KM_MODE_CBC, 32, 32));
878 CHECK_RESULT_OK(test_km_aes_roundtrip_noncegen(device, &key_blob, KM_MODE_CBC));
879
880 LOG_I("CTR round trip ...");
881 CHECK_RESULT_OK(test_km_aes_roundtrip(device, &key_blob, KM_MODE_CTR, 32, 32));
882 CHECK_RESULT_OK(test_km_aes_roundtrip(device, &key_blob, KM_MODE_CTR, 32, 31));
883 CHECK_RESULT_OK(test_km_aes_roundtrip(device, &key_blob, KM_MODE_CTR, 15, 17));
884 CHECK_RESULT_OK(test_km_aes_roundtrip(device, &key_blob, KM_MODE_CTR, 33, 16));
885 CHECK_RESULT_OK(test_km_aes_roundtrip(device, &key_blob, KM_MODE_CTR, 16, 1));
886 CHECK_RESULT_OK(test_km_aes_roundtrip(device, &key_blob, KM_MODE_CTR, 16, 17));
887 CHECK_RESULT_OK(test_km_aes_roundtrip(device, &key_blob, KM_MODE_CTR, 16, 33));
888 CHECK_RESULT_OK(test_km_aes_roundtrip(device, &key_blob, KM_MODE_CTR, 15, 33));
889 CHECK_RESULT_OK(test_km_aes_roundtrip_noncegen(device, &key_blob, KM_MODE_CTR));
890
891 LOG_I("GCM round trip ...");
892 CHECK_RESULT_OK(test_km_aes_gcm_roundtrip(device, &key_blob, 96, 32, 32));
893 CHECK_RESULT_OK(test_km_aes_gcm_roundtrip(device, &key_blob, 128, 32, 32));
894 CHECK_RESULT_OK(test_km_aes_gcm_roundtrip(device, &key_blob, 96, 16, 2));
895 CHECK_RESULT_OK(test_km_aes_gcm_roundtrip(device, &key_blob, 128, 13, 15));
896 CHECK_RESULT_OK(test_km_aes_gcm_roundtrip_noncegen(device, &key_blob));
897 CHECK_RESULT_OK(test_km_aes_gcm_roundtrip_incr(device, &key_blob));
898
899 LOG_I("PKCS7 padding (ECB)...");
900 CHECK_RESULT_OK(test_km_aes_pkcs7(device, &key_blob, KM_MODE_ECB, 3));
901 CHECK_RESULT_OK(test_km_aes_pkcs7(device, &key_blob, KM_MODE_ECB, 16));
902 CHECK_RESULT_OK(test_km_aes_pkcs7(device, &key_blob, KM_MODE_ECB, 37));
903
904 LOG_I("PKCS7 padding (CBC)...");
905 CHECK_RESULT_OK(test_km_aes_pkcs7(device, &key_blob, KM_MODE_CBC, 3));
906 CHECK_RESULT_OK(test_km_aes_pkcs7(device, &key_blob, KM_MODE_CBC, 16));
907 CHECK_RESULT_OK(test_km_aes_pkcs7(device, &key_blob, KM_MODE_CBC, 37));
908
909 end:
910 keymaster_free_characteristics(pkey_characteristics);
911 free(pkey_characteristics);
912 km_free_key_blob(&key_blob);
913
914 return res;
915 }