author | James Bottomley <James.Bottomley@HansenPartnership.com> | 2022-02-27 16:39:56 -0500 |
---|---|---|
committer | James Bottomley <James.Bottomley@HansenPartnership.com> | 2022-02-28 09:56:49 -0500 |
commit | 034c7733c643b06529515be228b974079ea10a99 (patch) | |
tree | be27bd26ebd8f5928d0742e260d20bbc2b9bf59b | |
parent | ab988e0cf2b050159ead87d9a7f1d08f9905f853 (diff) | |
download | openssl_tpm2_engine-034c7733c643b06529515be228b974079ea10a99.tar.gz |
Add test for dynamic engine keys to detect possible use after free
Add a test to make sure that the engine isn't torn down while keys are
currently active (this is succeeding for statically configured engines
but failing for dynamic engines).
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rw-r--r-- | tests/Makefile.am | 1 | ||||
-rwxr-xr-x | tests/dynamic_engine.sh | 29 |
2 files changed, 30 insertions, 0 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am
index b1ea531..c983389 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -26,6 +26,7 @@ TESTS += check_curves.sh \
 check_rsa_oaep_pss.sh \
 restricted_parent.sh \
 seal_unseal.sh \
+ dynamic_engine.sh \
 stop_sw_tpm.sh
 
 fail_connect.sh: tpm_server_found
diff --git a/tests/dynamic_engine.sh b/tests/dynamic_engine.sh
new file mode 100755
index 0000000..d0a0615
--- /dev/null
+++ b/tests/dynamic_engine.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+set -x
+
+bindir=${srcdir}/..
+
+# to work with the dynamic engine, we unset the openssl.cnf that
+# specifies a built in engine
+unset OPENSSL_CONF
+export OPENSSL_ENGINES=${srcdir}/../.libs
+ln -s libtpm2.so ${OPENSSL_ENGINES}/tpm2.so
+
+testkey() {
+ openssl pkey -engine tpm2 -inform engine -in key.tpm -pubout -out key.pub || exit 1
+ # must be 32 bytes exactly for ECDSA signatures
+ echo -n "12345678901234567890123456789012" > tmp.plain
+ openssl pkeyutl -sign -engine tpm2 -keyform engine -in tmp.plain -inkey key.tpm -out tmp.msg || exit 1
+ openssl pkeyutl -verify -in tmp.plain -sigfile tmp.msg -inkey key.pub -pubin || exit 1
+}
+
+# check use of rsa key
+${bindir}/create_tpm2_key --rsa key.tpm || exit 1
+
+testkey
+
+${bindir}/create_tpm2_key --ec prime256v1 key.tpm || exit 1
+
+testkey
+
+exit 0
|
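Review bot: In tests/dynamic_engine.sh the use after free is only caught when it makes `openssl` exit non-zero, because every check in `testkey` is `|| exit 1` on the command status; freed engine memory that still reads back intact lets the test pass, so as a regression test the result depends on allocator behaviour. Consider making stale reads visible, for example by exporting glibc's `MALLOC_PERTURB_` with any non-zero byte value next to `unset OPENSSL_CONF`, or by running the `openssl` calls under whatever memory checker the project already uses (none is visible in this hunk). Separately, `ln -s libtpm2.so ${OPENSSL_ENGINES}/tpm2.so` is unquoted and fails on a second run because the link already exists; `ln -sf libtpm2.so "${OPENSSL_ENGINES}/tpm2.so"` avoids both.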