smoke test update
diff --git a/tpm2.py b/tpm2.py
index d32a86e..ac420e2 100644
--- a/tpm2.py
+++ b/tpm2.py
@@ -12,6 +12,7 @@
 TPM2_CC_CREATE_PRIMARY = 0x0131
 TPM2_CC_DICTIONARY_ATTACK_LOCK_RESET = 0x0139
+TPM2_CC_OBJECT_CHANGE_AUTH = 0x0150
 TPM2_CC_CREATE = 0x0153
 TPM2_CC_LOAD = 0x0157
 TPM2_CC_UNSEAL = 0x015E
diff --git a/tpm2_sessions_smoke.py b/tpm2_sessions_smoke.py
index f9ce342..d233d08 100755
--- a/tpm2_sessions_smoke.py
+++ b/tpm2_sessions_smoke.py
@@ -9,7 +9,7 @@
 import tss2
 pwd1 = "wibble"
-
+pwd2 = "newpassword"
 class SessionTest(unittest.TestCase):
 def setUp(self):
@@ -31,7 +31,7 @@
 raise e
 return ha
- def test_handle_clearing(self):
+ def test_handle_flush_on_space_close(self):
 i = self.open_handles()
 print "Ran out of handles at %d" %len(i)
 self.c.close()
@@ -52,19 +52,33 @@
 def test_session_consumption(self):
 self.c.read_public(self.c.SRK)
+ # authorization hmac session
 hmac = self.c.start_session(tpm2.TPM2_SE_HMAC)
+ # parameter encryption session
 enc = self.c.start_session(tpm2.TPM2_SE_HMAC, self.c.SRK)
+ # fill all remaing handles
 i = self.open_handles()
 # create rsa key continuing both hmac and encryption sessions
- k = self.c.create_rsa(self.c.SRK, pwd1, hmac, 1, enc, 1)
+ self.c.create_rsa(self.c.SRK, pwd1, hmac, 1, enc, 1)
 # should be no handles left
 i = self.open_handles()
 self.assertEqual(len(i),0)
- k = self.c.create_rsa(self.c.SRK, pwd1, hmac, 0, enc, 0)
- # now should be two handles left
+ # now create rsa key continuing hmac and consuming encryption
+ k = self.c.create_rsa(self.c.SRK, pwd1, hmac, 1, enc, 0)
+ # now should be one handle remaining
 i = self.open_handles()
- self.assertEqual(len(i),2)
+ self.assertEqual(len(i),1)
+ self.c.flush_context(i[0])
+ # check the hmac continuation actually works
 k = self.c.load(self.c.SRK, k.outPrivate, k.outPublic, None)
+ print "Loaded key at handle %x" %k
+ # and finally verify with an authenticated encrypted operation
+ # consuming both handles
+ enc = self.c.start_session(tpm2.TPM2_SE_HMAC, k)
+ self.c.change_auth(self.c.SRK, k, pwd1, pwd2, hmac, 0, enc, 0)
+ i = self.open_handles()
+ self.assertEqual(len(i), 2)
+
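Review bot: In test_session_consumption (last hunk) the value returned by `self.c.change_auth(self.c.SRK, k, pwd1, pwd2, hmac, 0, enc, 0)` — the re-authed private blob — is discarded, so the test only proves that both sessions were consumed, not that the object's auth actually changed. Keeping the `create_rsa` result so its `outPublic` is still available lets the test reload the returned blob and check that `pwd1` is now rejected while `pwd2` is accepted, assuming TSS_Execute surfaces a TPM failure as `tss2.tpm_error` the way open_handles' `raise e` suggests; because create_rsa sets `TPMA_OBJECT_NODA` on the key (visible in the tss2.py hunk), the deliberate wrong-password attempt should not count towards the dictionary-attack lockout, which is worth confirming on the TPM being tested. The reloaded object must be flushed before the final `open_handles()` or the handle-count assertion changes. The hunk ends on an added blank line with no trailing context, so it appears to run to the end of the method.
```python
        # now create rsa key continuing hmac and consuming encryption
        created = self.c.create_rsa(self.c.SRK, pwd1, hmac, 1, enc, 0)
        # … unchanged: handle-count assertion and flush_context …
        # check the hmac continuation actually works
        k = self.c.load(self.c.SRK, created.outPrivate, created.outPublic, None)
        # … unchanged: print, encryption session bound to k …
        newpriv = self.c.change_auth(self.c.SRK, k, pwd1, pwd2, hmac, 0, enc, 0)
        # prove the auth really changed: old password rejected, new one accepted
        k2 = self.c.load(self.c.SRK, newpriv, created.outPublic, None)
        self.assertRaises(tss2.tpm_error, self.c.change_auth, self.c.SRK, k2, pwd1, pwd2)
        self.c.change_auth(self.c.SRK, k2, pwd2, pwd2)
        self.c.flush_context(k2)
        i = self.open_handles()
        self.assertEqual(len(i), 2)
```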
diff --git a/tss2.py b/tss2.py
index 2ef0568..67f5a4f 100644
--- a/tss2.py
+++ b/tss2.py
@@ -117,6 +117,14 @@
 _fields_ = [("objectHandle", ctypes.c_uint32), ("name", TPM2B_NONCE)]
+class ObjectChangeAuth_In(ctypes.Structure):
+ _fields_ = [("objectHandle", ctypes.c_uint32),
+ ("parentHandle", ctypes.c_uint32),
+ ("newAuth", TPM2B_NONCE)]
+
+class ObjectChangeAuth_Out(ctypes.Structure):
+ _fields_ = [("outPrivate", TPM2B_PRIVATE)]
+
 class tpm_error(Exception):
 def __init__(self, rc):
@@ -197,8 +205,10 @@
 inp.parentHandle = parent
 if (auth != None):
- inp.inSensitive.sensitive.userAuth.b = ctypes.c_ubyte_Array_128(auth)
- inp.inSensitive.sensitive.userAuth.s = strlen(auth)
+ lenauth = len(auth)
+ print "AUTh len is %d" %lenauth
+ inp.inSensitive.sensitive.userAuth.b[0:lenauth] = bytearray(auth)
+ inp.inSensitive.sensitive.userAuth.s = lenauth
 inp.inPublic.publicArea.Type = tpm2.TPM2_ALG_RSA
 inp.inPublic.publicArea.nameAlg = tpm2.TPM2_ALG_SHA256
 inp.inPublic.publicArea.objectAttributes = tpm2.TPMA_OBJECT_NODA | tpm2.TPMA_OBJECT_DECRYPT | tpm2.TPMA_OBJECT_USERWITHAUTH | tpm2.TPMA_OBJECT_SENSITIVEDATAORIGIN
@@ -231,3 +241,20 @@
 tpm2.TPM2_RH_NULL, None, 0);
 return out.objectHandle
+
+ def change_auth(self, parent, handle, oldauth, newauth, hmacSession = tpm2.TPM2_RS_PW, hmacCont = 0, encSession = tpm2.TPM2_RH_NULL, encCont = 0):
+ inp = ObjectChangeAuth_In()
+ out = ObjectChangeAuth_Out()
+
+ inp.parentHandle = parent
+ inp.objectHandle = handle
+ inp.newAuth.b[0:len(newauth)] = bytearray(newauth)
+ inp.newAuth.s = len(newauth)
+
+ self.TSS_Execute(ctypes.byref(out), ctypes.byref(inp), None,
+ tpm2.TPM2_CC_OBJECT_CHANGE_AUTH,
+ hmacSession, oldauth, hmacCont,
+ encSession, None, encCont | 0x20,
+ tpm2.TPM2_RH_NULL, None, 0)
+
+ return out.outPrivate
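Review bot: The `print "AUTh len is %d" %lenauth` added to create_rsa in the second hunk is a debug statement left in library code and should be dropped; what belongs there instead is a bound check, because the slice assignment into the fixed-size `userAuth.b` array raises a bare ctypes ValueError for an over-long auth and the TPM itself rejects an authValue longer than the nameAlg digest (32 bytes for the SHA-256 set two lines below) with a size error, e.g. `if lenauth > len(inp.inSensitive.sensitive.userAuth.b): raise ValueError("auth value too long")`. The same unchecked copy appears in change_auth in the last hunk (`inp.newAuth.b[0:len(newauth)] = bytearray(newauth)`), which should get the identical guard. In change_auth, `encCont | 0x20` sets the TPMA_SESSION decrypt attribute so the new auth is parameter-encrypted on the wire rather than sent in the clear; that bit deserves a named constant and a comment rather than a bare literal. change_auth also has no docstring; it should state that the method returns a new private blob for `handle` and that the already-loaded object keeps its old auth until that blob is reloaded, so callers do not assume `handle` now answers to `newauth`. create_rsa's body begins and ends outside the second hunk.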