Skip to content

Commit 6177a5d

Browse files
aidangarskeaidangarske
committed
F-2984 - https://fenrir.wolfssl.com/finding/2984 - Add boundary validation tests for CreateKeySeal_ex and LoadKeyedHashKey
1 parent 3e98b30 commit 6177a5d

1 file changed

Lines changed: 57 additions & 0 deletions

File tree

tests/unit_tests.c

Lines changed: 57 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1110,6 +1110,62 @@ static void test_KeySealTemplate(void)
11101110
printf("Test TPM Wrapper:\tKeySealTemplate:\t\tPassed\n");
11111111
}
11121112

1113+
/* Test boundary validation for seal size and keyed hash key size */
1114+
static void test_SealAndKeyedHash_Boundaries(void)
1115+
{
1116+
int rc;
1117+
WOLFTPM2_DEV dev;
1118+
WOLFTPM2_KEYBLOB keyBlob;
1119+
WOLFTPM2_KEY key;
1120+
WOLFTPM2_HANDLE parent;
1121+
TPMT_PUBLIC tmpl;
1122+
byte data[MAX_SYM_DATA + 1];
1123+
1124+
XMEMSET(&dev, 0, sizeof(dev));
1125+
XMEMSET(&keyBlob, 0, sizeof(keyBlob));
1126+
XMEMSET(&key, 0, sizeof(key));
1127+
XMEMSET(&parent, 0, sizeof(parent));
1128+
XMEMSET(&tmpl, 0, sizeof(tmpl));
1129+
XMEMSET(data, 0xAA, sizeof(data));
1130+
1131+
/* NULL arg checks */
1132+
rc = wolfTPM2_CreateKeySeal_ex(NULL, &keyBlob, &parent, &tmpl,
1133+
NULL, 0, TPM_ALG_NULL, NULL, 0, data, 1);
1134+
AssertIntEQ(rc, BAD_FUNC_ARG);
1135+
1136+
/* sealSize = MAX_SYM_DATA+1 (129) must be rejected */
1137+
rc = wolfTPM2_CreateKeySeal_ex(&dev, &keyBlob, &parent, &tmpl,
1138+
NULL, 0, TPM_ALG_NULL, NULL, 0, data, MAX_SYM_DATA + 1);
1139+
AssertIntEQ(rc, BAD_FUNC_ARG);
1140+
1141+
/* sealSize = -1 must be rejected */
1142+
rc = wolfTPM2_CreateKeySeal_ex(&dev, &keyBlob, &parent, &tmpl,
1143+
NULL, 0, TPM_ALG_NULL, NULL, 0, data, -1);
1144+
AssertIntEQ(rc, BAD_FUNC_ARG);
1145+
1146+
/* sealSize > 0 with NULL sealData must be rejected */
1147+
rc = wolfTPM2_CreateKeySeal_ex(&dev, &keyBlob, &parent, &tmpl,
1148+
NULL, 0, TPM_ALG_NULL, NULL, 0, NULL, 1);
1149+
AssertIntEQ(rc, BAD_FUNC_ARG);
1150+
1151+
/* keySz = MAX_SYM_DATA+1 (129) must be rejected */
1152+
rc = wolfTPM2_LoadKeyedHashKey(&dev, &key, &parent,
1153+
TPM_ALG_SHA256, data, MAX_SYM_DATA + 1, NULL, 0);
1154+
AssertIntEQ(rc, BUFFER_E);
1155+
1156+
/* keySz = 0 must be rejected */
1157+
rc = wolfTPM2_LoadKeyedHashKey(&dev, &key, &parent,
1158+
TPM_ALG_SHA256, data, 0, NULL, 0);
1159+
AssertIntEQ(rc, BUFFER_E);
1160+
1161+
/* NULL keyBuf must be rejected */
1162+
rc = wolfTPM2_LoadKeyedHashKey(&dev, &key, &parent,
1163+
TPM_ALG_SHA256, NULL, MAX_SYM_DATA, NULL, 0);
1164+
AssertIntEQ(rc, BAD_FUNC_ARG);
1165+
1166+
printf("Test TPM Wrapper:\tSealKeyedHash Boundary:\t\tPassed\n");
1167+
}
1168+
11131169
static void test_GetAlgId(void)
11141170
{
11151171
TPM_ALG_ID alg = TPM2_GetAlgId("SHA256");
@@ -1858,6 +1914,7 @@ int unit_tests(int argc, char *argv[])
18581914
#endif
18591915
test_TPM2_SchemeSerialize();
18601916
test_KeySealTemplate();
1917+
test_SealAndKeyedHash_Boundaries();
18611918
test_GetAlgId();
18621919
test_wolfTPM2_ReadPublicKey();
18631920
test_wolfTPM2_CSR();

0 commit comments

Comments
 (0)