Change symmetric encryption mode available

Signed-off-by: Gael Guegan <[email protected]>
tpm2-software · May 2, 2019 · 94d9454 · 94d9454
1 parent 573fbc3
commit 94d9454
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 41 deletions.
diff --git a/src/tpm2-tss-engine-ciphers.c b/src/tpm2-tss-engine-ciphers.c
@@ -42,9 +42,7 @@
 #define HANDLE_SIZE 8
 
 static int tpm2_cipher_nids[] = {
-    NID_aes_192_cbc,
     NID_aes_256_cfb128,
-    NID_aes_256_cbc,
     NID_aes_256_ofb128,
     0
 };
@@ -268,13 +266,13 @@ tpm2_cipher_cleanup(EVP_CIPHER_CTX *ctx)
 }
 
 #if OPENSSL_VERSION_NUMBER < 0x10100000
-static EVP_CIPHER tpm2_aes_256_cbc =
+static EVP_CIPHER tpm2_aes_256_ofb =
 {
-    NID_aes_256_cbc,                    // ID
+    NID_aes_256_ofb128,                 // ID
     TPM2_MAX_SYM_BLOCK_SIZE,            // Block size
     TPM2_MAX_SYM_KEY_BYTES,             // Key length
     TPM2_MAX_SYM_BLOCK_SIZE,            // IV length
-    EVP_CIPH_CBC_MODE,                  // Flags
+    EVP_CIPH_OFB_MODE,                  // Flags
     tpm2_cipher_init_key,               // Init key
     tpm2_do_cipher,                     // Encrypt/Decrypt
     tpm2_cipher_cleanup,                // Cleanup
@@ -285,25 +283,25 @@ static EVP_CIPHER tpm2_aes_256_cbc =
     NULL                                // App data
 };
 #else
-static EVP_CIPHER *_tpm2_aes_256_cbc = NULL;
-const EVP_CIPHER *tpm2_aes_256_cbc(void)
+static EVP_CIPHER *_tpm2_aes_256_ofb = NULL;
+const EVP_CIPHER *tpm2_aes_256_ofb(void)
 {
-    if (_tpm2_aes_256_cbc == NULL &&
-        ((_tpm2_aes_256_cbc = EVP_CIPHER_meth_new(NID_aes_256_cbc, TPM2_MAX_SYM_BLOCK_SIZE, TPM2_MAX_SYM_KEY_BYTES)) == NULL
-         || !EVP_CIPHER_meth_set_iv_length(_tpm2_aes_256_cbc, TPM2_MAX_SYM_BLOCK_SIZE)
-         || !EVP_CIPHER_meth_set_flags(_tpm2_aes_256_cbc, EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_CUSTOM_CIPHER)
-         || !EVP_CIPHER_meth_set_init(_tpm2_aes_256_cbc, tpm2_cipher_init_key)
-         || !EVP_CIPHER_meth_set_do_cipher(_tpm2_aes_256_cbc, tpm2_do_cipher)
-         || !EVP_CIPHER_meth_set_cleanup(_tpm2_aes_256_cbc, tpm2_cipher_cleanup)
-         || !EVP_CIPHER_meth_set_impl_ctx_size(_tpm2_aes_256_cbc, sizeof(TPM2_DATA))
-         || !EVP_CIPHER_meth_set_set_asn1_params(_tpm2_aes_256_cbc, NULL)
-         || !EVP_CIPHER_meth_set_get_asn1_params(_tpm2_aes_256_cbc, NULL)
-         || !EVP_CIPHER_meth_set_ctrl(_tpm2_aes_256_cbc, NULL)))
+    if (_tpm2_aes_256_ofb == NULL &&
+        ((_tpm2_aes_256_ofb = EVP_CIPHER_meth_new(NID_aes_256_ofb128, TPM2_MAX_SYM_BLOCK_SIZE, TPM2_MAX_SYM_KEY_BYTES)) == NULL
+         || !EVP_CIPHER_meth_set_iv_length(_tpm2_aes_256_ofb, TPM2_MAX_SYM_BLOCK_SIZE)
+         || !EVP_CIPHER_meth_set_flags(_tpm2_aes_256_ofb, EVP_CIPH_OFB_MODE | EVP_CIPH_FLAG_CUSTOM_CIPHER)
+         || !EVP_CIPHER_meth_set_init(_tpm2_aes_256_ofb, tpm2_cipher_init_key)
+         || !EVP_CIPHER_meth_set_do_cipher(_tpm2_aes_256_ofb, tpm2_do_cipher)
+         || !EVP_CIPHER_meth_set_cleanup(_tpm2_aes_256_ofb, tpm2_cipher_cleanup)
+         || !EVP_CIPHER_meth_set_impl_ctx_size(_tpm2_aes_256_ofb, sizeof(TPM2_DATA))
+         || !EVP_CIPHER_meth_set_set_asn1_params(_tpm2_aes_256_ofb, NULL)
+         || !EVP_CIPHER_meth_set_get_asn1_params(_tpm2_aes_256_ofb, NULL)
+         || !EVP_CIPHER_meth_set_ctrl(_tpm2_aes_256_ofb, NULL)))
     {
-        EVP_CIPHER_meth_free(_tpm2_aes_256_cbc);
-        _tpm2_aes_256_cbc = NULL;
+        EVP_CIPHER_meth_free(_tpm2_aes_256_ofb);
+        _tpm2_aes_256_ofb = NULL;
     }
-    return _tpm2_aes_256_cbc;
+    return _tpm2_aes_256_ofb;
 }
 #endif
 
@@ -359,11 +357,11 @@ tpm2_ciphers_selector(ENGINE *e, const EVP_CIPHER **cipher, const int **nids, in
     }
 
    switch (nid) {
-    case NID_aes_256_cbc:
+    case NID_aes_256_ofb128:
 #if OPENSSL_VERSION_NUMBER < 0x10100000
-        *cipher = &tpm2_aes_256_cbc;
+        *cipher = &tpm2_aes_256_ofb;
 #else
-        *cipher = tpm2_aes_256_cbc();
+        *cipher = tpm2_aes_256_ofb();
 #endif
         break;
 
@@ -374,11 +372,6 @@ tpm2_ciphers_selector(ENGINE *e, const EVP_CIPHER **cipher, const int **nids, in
         *cipher = tpm2_aes_256_cfb();
 #endif
         break;
-    /*
-    case NID_aes_256_ocb:
-        *cipher = tpm2_aes_256_ocb();
-        break;
-    */
     default:
         *cipher = NULL;
         ret = 0;

diff --git a/test/ciphers.sh b/test/ciphers.sh
@@ -7,12 +7,6 @@ export LD_LIBRARY_PATH=$OPENSSL_ENGINES:${LD_LIBRARY_PATH-}
 export PATH=${PWD}:${PATH}
 
 DIR=$(mktemp -d)
-if openssl version | grep "OpenSSL 1.0.2" > /dev/null; then
-    echo -n "hello" > ${DIR}/data.txt
-else
-    echo -n "hello world goodbye world tpm2 tss openssl" > ${DIR}/data.txt
-    echo -n "1234567812345678" > ${DIR}/data1.txt
-fi
 
 # Create an Primary key pair
 echo "Generating primary key"
@@ -28,7 +22,7 @@ echo "Generating SYM key"
 TPM_RSA_PUBKEY=${DIR}/rsakey.pub
 TPM_RSA_KEY=${DIR}/rsakey
 ALGO="aes"
-tpm2_create -C ${PARENT_CTX} -g sha256 -G ${ALGO} -u ${TPM_RSA_PUBKEY} -r ${TPM_RSA_KEY} -A sign\|decrypt\|fixedtpm\|fixedparent\|sensitivedataorigin\|userwithauth
+tpm2_create -C ${PARENT_CTX} -g sha256 -G ${ALGO} -u ${TPM_RSA_PUBKEY} -r ${TPM_RSA_KEY} -b  sign\|decrypt\|fixedtpm\|fixedparent\|sensitivedataorigin\|userwithauth
 tpm2_flushcontext -t
 
 # Load Key to persistent handle
@@ -41,17 +35,21 @@ tpm2_flushcontext -t
 
 KEY=$(echo ${HANDLE} | cut -d 'x' -f 2)
 IV="0123456789012345"
+if openssl version | grep "OpenSSL 1.0.2" > /dev/null; then
+    echo -n "hello" > ${DIR}/data.txt
+else
+    echo -n "hello world goodbye world tpm2 tss openssl" > ${DIR}/data.txt
+fi
 
 # Encrypt, Decrypt, Diff Data
 openssl enc -aes-256-cfb -e -engine tpm2tss -in ${DIR}/data.txt -out ${DIR}/enc_data -K ${KEY} -iv ${IV}
 openssl enc -aes-256-cfb -d -engine tpm2tss -in ${DIR}/enc_data -out ${DIR}/dec_data -K ${KEY} -iv ${IV}
 diff ${DIR}/data.txt ${DIR}/dec_data
+rm ${DIR}/enc_data ${DIR}/dec_data
 
-if openssl version | grep "OpenSSL 1.1.0" > /dev/null; then
-    openssl enc -aes-256-cbc -e -engine tpm2tss -in ${DIR}/data1.txt -out ${DIR}/enc_data1 -K ${KEY} -iv ${IV}
-    openssl enc -aes-256-cbc -d -engine tpm2tss -in ${DIR}/enc_data1 -out ${DIR}/dec_data1 -K ${KEY} -iv ${IV}
-    diff ${DIR}/data1.txt ${DIR}/dec_data1
-fi
+openssl enc -aes-256-ofb -e -engine tpm2tss -in ${DIR}/data.txt -out ${DIR}/enc_data -K ${KEY} -iv ${IV}
+openssl enc -aes-256-ofb -d -engine tpm2tss -in ${DIR}/enc_data -out ${DIR}/dec_data -K ${KEY} -iv ${IV}
+diff ${DIR}/data.txt ${DIR}/dec_data
 
 # Release persistent HANDLE
 tpm2_evictcontrol -a o -c ${HANDLE}