diff options
| author | Igor <igorcov@chromium.org> | 2018-06-21 16:39:57 +0200 |
|---|---|---|
| committer | chrome-bot <chrome-bot@chromium.org> | 2018-11-07 11:40:45 -0800 |
| commit | a771ac1213c4b0066d81ded4b8132f9506d7634d (patch) | |
| tree | 892bfd2b0a654fef263d055cb54d95f70435a6a2 /test | |
| parent | 8d48f6e390823d2a89808ea6f9dc8c7348134440 (diff) | |
| download | chrome-ec-a771ac1213c4b0066d81ded4b8132f9506d7634d.tar.gz | |
Cr50: Add valid PCR value for pinweaver
In order to bind the PIN authentication to PCR4, required for
additional security, a set of valid PCR criteria is added as metadata
in the leaf of the tree. Each criteria has a bitmask of PCR indexes
and the digest sha256 that should be obtained from concatenation of
PCR values for the respective indexes. Pinweaver will handle
both types of requests, in old and the new format.
For migration of old leaves that don't have the new field, the
process expects cryptohome to detect that the leaf needs migration
based on protocol used, leaf version and if the list of PCR
criteria is empty. In case the leaf needs migration, cryptohome
should insert a new leaf with the same data and remove the old one.
The PCR criteria set is created on Chrome OS side. Details of that
implementation is in
https://chromium-review.googlesource.com/c/chromiumos/platform2/+/1124856
BRANCH=none
BUG=chromium:812165
TEST=sudo V=1 make run-pinweaver -j
pinweaver_client selftest
Deploy old image on a device and create an account setting a PIN code
as well. Deploy the new image and new CR50 build. Login and check that the
migration works well. Also try to put device to sleep and unlock. Check
that a new credential creation with new version works as well and sleep +
unlock work as expected. Extend PCR4 on device and check that login/unlock
works only for the user which obfuscated_username was used to extend the
PCR. Also check that authentication works with cases when old cryptohome
and new pinweaver is deployed, or old pinweaver and new cryptohome.
CQ-DEPEND=CL:1124856
Change-Id: If778c4e46b9945afadfd2af7d58353005624d668
Signed-off-by: igorcov@chromium.org
Reviewed-on: https://chromium-review.googlesource.com/1112014
Commit-Ready: Igor <igorcov@chromium.org>
Tested-by: Igor <igorcov@chromium.org>
Reviewed-by: Igor <igorcov@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Diffstat (limited to 'test')
| -rw-r--r-- | test/pinweaver.c | 238 |
1 files changed, 210 insertions, 28 deletions
diff --git a/test/pinweaver.c b/test/pinweaver.c index e832a8a2d9..71f8f0387d 100644 --- a/test/pinweaver.c +++ b/test/pinweaver.c @@ -67,6 +67,8 @@ const struct leaf_data_t DEFAULT_LEAF = { {0, 0}, /* attempt_count */ {0}, + /* valid_pcr_criteria */ + {{{0, 0}, {0} }, {{0, 0}, {0} } }, }, /*sec*/ { @@ -139,6 +141,13 @@ const uint8_t ROOT_WITH_OTHER_HMAC[] = { 0xaf, 0x66, 0xb6, 0xf0, 0x61, 0x05, 0x9d, 0xc0, }; +const uint8_t DEFAULT_PCR_DIGEST[] = { + 0xdf, 0xce, 0xf4, 0xba, 0x18, 0xe8, 0xd0, 0x1d, + 0xcb, 0x3b, 0x29, 0x41, 0x44, 0x01, 0x6e, 0x72, + 0xe3, 0x19, 0x9a, 0x44, 0x62, 0x44, 0x2a, 0xf1, + 0xaf, 0x66, 0xb6, 0xf0, 0x61, 0x05, 0x9d, 0xc0, +}; + /******************************************************************************/ /* Config Variables and defines for Mocks. */ @@ -167,12 +176,33 @@ int MOCK_aes_fail; int MOCK_appkey_derive_fail; enum dcrypto_appid MOCK_hwctx_appkey; +#define PW_VALID_PCR_CRITERIA_SIZE \ + (sizeof(struct valid_pcr_value_t) * PW_MAX_PCR_CRITERIA_COUNT) + /******************************************************************************/ /* Helper functions */ + +static void convert_response_to_new_version(uint8_t req_type, + struct pw_response_t *response) +{ + if (response->header.version == 0) { + if (req_type == PW_TRY_AUTH) { + unsigned char *src = (unsigned char *) + (&response->data.try_auth.reset_secret); + memmove(src + PW_SECRET_SIZE, src, + PW_LEAF_PAYLOAD_SIZE); + memcpy(src, DEFAULT_LEAF.sec.reset_secret, + PW_SECRET_SIZE); + response->header.data_length += PW_SECRET_SIZE; + } + } +} + static int do_request(struct merkle_tree_t *merkle_tree, struct pw_test_data_t *buf) { + uint8_t req_type = buf->request.header.type.v; int ret = pw_handle_request(merkle_tree, &buf->request, &buf->response); size_t offset = buf->response.header.data_length + sizeof(buf->response.header); @@ -180,6 +210,10 @@ static int do_request(struct merkle_tree_t *merkle_tree, /* Zero out bytes that won't be sent for testing.*/ memset(buf->tpm_buffer_size + offset, 0, sizeof(buf->tpm_buffer_size) - offset); + + if (buf->request.header.version < PW_PROTOCOL_VERSION) + convert_response_to_new_version(req_type, &buf->response); + return ret; } @@ -398,18 +432,19 @@ static void setup_default_empty_path(uint8_t hashes[][PW_HASH_SIZE]) static void setup_default_unimported_leaf_data_and_hashes( const struct leaf_data_t *leaf_data, const uint8_t hmac[PW_HASH_SIZE], + const struct leaf_header_t *header, struct unimported_leaf_data_t *data) { - memcpy(&data->head, &DEFAULT_HEAD, sizeof(DEFAULT_HEAD)); + memcpy(&data->head, header, sizeof(*header)); memcpy(data->hmac, hmac, sizeof(data->hmac)); memcpy(data->iv, DEFAULT_IV, sizeof(DEFAULT_IV)); - memcpy(data->payload, &leaf_data->pub, sizeof(leaf_data->pub)); - DCRYPTO_aes_ctr(data->payload + sizeof(leaf_data->pub), + memcpy(data->payload, &leaf_data->pub, header->pub_len); + DCRYPTO_aes_ctr(data->payload + header->pub_len, EMPTY_TREE.wrap_key, sizeof(EMPTY_TREE.wrap_key) * 8, DEFAULT_IV, (const uint8_t *)&leaf_data->sec, - sizeof(leaf_data->sec)); - setup_default_empty_path((void *)(data->payload + DEFAULT_HEAD.pub_len + - DEFAULT_HEAD.sec_len)); + header->sec_len); + setup_default_empty_path((void *)(data->payload + header->pub_len + + header->sec_len)); } static void setup_reset_tree_defaults(struct merkle_tree_t *merkle_tree, @@ -457,6 +492,9 @@ static void setup_insert_leaf_defaults(struct merkle_tree_t *merkle_tree, memcpy(&request->data.insert_leaf.delay_schedule, &DEFAULT_LEAF.pub.delay_schedule, sizeof(DEFAULT_LEAF.pub.delay_schedule)); + memcpy(&request->data.insert_leaf.valid_pcr_criteria, + &DEFAULT_LEAF.pub.valid_pcr_criteria, + sizeof(DEFAULT_LEAF.pub.valid_pcr_criteria)); memcpy(&request->data.insert_leaf.low_entropy_secret, &DEFAULT_LEAF.sec.low_entropy_secret, sizeof(DEFAULT_LEAF.sec.low_entropy_secret)); @@ -507,9 +545,13 @@ static void setup_remove_leaf_defaults(struct merkle_tree_t *merkle_tree, static void setup_try_auth_defaults_with_leaf( const struct leaf_data_t *leaf_data, + uint8_t protocol_version, + uint8_t minor_version, struct merkle_tree_t *merkle_tree, struct pw_request_t *request) { + struct leaf_header_t header = DEFAULT_HEAD; + MOCK_DECRYPTO_init_counter = 0; MOCK_DECRYPTO_release_counter = 0; @@ -525,9 +567,10 @@ static void setup_try_auth_defaults_with_leaf( /* Gets overwritten by auth_hash_update_cb. */ MOCK_hmac = EMPTY_HMAC; + header.leaf_version.minor = minor_version; memset(&MOCK_pw_log_storage, 0, sizeof(MOCK_pw_log_storage)); - request->header.version = PW_PROTOCOL_VERSION; + request->header.version = protocol_version; request->header.type.v = PW_TRY_AUTH; request->header.data_length = sizeof(struct pw_request_try_auth_t) + @@ -535,11 +578,16 @@ static void setup_try_auth_defaults_with_leaf( get_path_auxiliary_hash_count(&EMPTY_TREE) * PW_HASH_SIZE; + if (minor_version == 0) { + header.pub_len -= PW_VALID_PCR_CRITERIA_SIZE; + request->header.data_length -= PW_VALID_PCR_CRITERIA_SIZE; + } + memcpy(request->data.try_auth.low_entropy_secret, DEFAULT_LEAF.sec.low_entropy_secret, sizeof(request->data.try_auth.low_entropy_secret)); setup_default_unimported_leaf_data_and_hashes( - leaf_data, MOCK_hmac, + leaf_data, MOCK_hmac, &header, &request->data.try_auth.unimported_leaf_data); force_restart_count(0); @@ -556,7 +604,9 @@ static void setup_try_auth_defaults_with_leaf( static void setup_try_auth_defaults(struct merkle_tree_t *merkle_tree, struct pw_request_t *request) { - setup_try_auth_defaults_with_leaf(&DEFAULT_LEAF, merkle_tree, request); + setup_try_auth_defaults_with_leaf(&DEFAULT_LEAF, PW_PROTOCOL_VERSION, + PW_LEAF_MINOR_VERSION, merkle_tree, + request); } static void setup_reset_auth_defaults(struct merkle_tree_t *merkle_tree, @@ -584,7 +634,7 @@ static void setup_reset_auth_defaults(struct merkle_tree_t *merkle_tree, sizeof(request->data.reset_auth.reset_secret)); setup_default_unimported_leaf_data_and_hashes( - &DEFAULT_LEAF, EMPTY_HMAC, + &DEFAULT_LEAF, EMPTY_HMAC, &DEFAULT_HEAD, &request->data.try_auth.unimported_leaf_data); pub->attempt_count.v = 6; @@ -646,7 +696,7 @@ static void setup_log_replay_defaults_with_leaf( sizeof(ROOT_WITH_DEFAULT_HMAC)); setup_default_unimported_leaf_data_and_hashes( - leaf_data, MOCK_hmac, + leaf_data, MOCK_hmac, &DEFAULT_HEAD, &request->data.try_auth.unimported_leaf_data); MOCK_hash_update_cb = auth_hash_update_cb; @@ -740,6 +790,13 @@ void get_storage_seed(void *buf, size_t *len) memcpy(buf, DEFAULT_STORAGE_SEED, *len); } +uint8_t get_current_pcr_digest(const uint8_t bitmask[2], + uint8_t sha256_of_selected_pcr[32]) +{ + memcpy(sha256_of_selected_pcr, DEFAULT_PCR_DIGEST, 32); + return 0; +} + /******************************************************************************/ /* Mock implementations of nvmem_vars functionality. */ @@ -1362,6 +1419,66 @@ static int handle_insert_leaf_success(void) return check_dcrypto_mutex_usage(); } +static int handle_insert_leaf_old_protocol_success(void) +{ + struct merkle_tree_t merkle_tree; + struct pw_test_data_t buf; + size_t x; + int hash_count; + unsigned char *src; + const uint8_t *plain_text = (const uint8_t *)&DEFAULT_LEAF.sec; + struct wrapped_leaf_data_t *wrapped_leaf_data = + (void *)&buf.response.data.insert_leaf + .unimported_leaf_data; + + setup_insert_leaf_defaults(&merkle_tree, &buf.request); + + // Make changes to simulate the protocol 0 request. + buf.request.header.version = 0; + hash_count = + get_path_auxiliary_hash_count(&merkle_tree); + src = (unsigned char *) + (&buf.request.data.insert_leaf.valid_pcr_criteria); + memmove(src, src + PW_VALID_PCR_CRITERIA_SIZE, + hash_count * PW_HASH_SIZE); + buf.request.header.data_length -= PW_VALID_PCR_CRITERIA_SIZE; + + TEST_RET_EQ(do_request(&merkle_tree, &buf), EC_SUCCESS); + + TEST_ASSERT(buf.response.header.version == 0); + TEST_ASSERT(buf.response.header.data_length == + sizeof(buf.response.data.insert_leaf) + + PW_LEAF_PAYLOAD_SIZE); + TEST_RET_EQ(buf.response.header.result_code, EC_SUCCESS); + + TEST_ASSERT_ARRAY_EQ(buf.response.header.root, ROOT_WITH_DEFAULT_HMAC, + sizeof(ROOT_WITH_DEFAULT_HMAC)); + TEST_ASSERT_ARRAY_EQ(buf.response.header.root, merkle_tree.root, + PW_HASH_SIZE); + TEST_ASSERT_ARRAY_EQ( + buf.response.data.insert_leaf.unimported_leaf_data.hmac, + DEFAULT_HMAC, sizeof(DEFAULT_HMAC)); + TEST_ASSERT_ARRAY_EQ( + (uint8_t *)&wrapped_leaf_data->pub, + (uint8_t *)&DEFAULT_LEAF.pub, sizeof(DEFAULT_LEAF.pub)); + for (x = 0; x < sizeof(DEFAULT_LEAF.sec); ++x) + TEST_ASSERT(plain_text[x] == + (wrapped_leaf_data->cipher_text[x] ^ + MOCK_AES_XOR_BYTE(x))); + + TEST_ASSERT(MOCK_pw_log_storage.entries[0].type.v == PW_INSERT_LEAF); + TEST_ASSERT(MOCK_pw_log_storage.entries[0].label.v == + DEFAULT_LEAF.pub.label.v); + TEST_ASSERT_ARRAY_EQ(MOCK_pw_log_storage.entries[0].root, + ROOT_WITH_DEFAULT_HMAC, + sizeof(ROOT_WITH_DEFAULT_HMAC)); + TEST_ASSERT_ARRAY_EQ(MOCK_pw_log_storage.entries[0].leaf_hmac, + DEFAULT_HMAC, + sizeof(DEFAULT_HMAC)); + + return check_dcrypto_mutex_usage(); +} + /******************************************************************************/ /* Remove leaf test cases. */ @@ -1481,7 +1598,8 @@ static int handle_try_auth_label_invalid(void) memcpy(&leaf_data, &DEFAULT_LEAF, sizeof(DEFAULT_LEAF)); leaf_data.pub.label.v |= 0x030000; - setup_try_auth_defaults_with_leaf(&leaf_data, &merkle_tree, + setup_try_auth_defaults_with_leaf(&leaf_data, PW_PROTOCOL_VERSION, + PW_LEAF_MINOR_VERSION, &merkle_tree, &buf.request); TEST_RET_EQ(test_handle_short_msg(&merkle_tree, &buf, @@ -1585,7 +1703,8 @@ static int handle_try_auth_rate_limit_reached(void) leaf_data.pub.attempt_count.v = 51; force_restart_count(1); force_time((timestamp_t){.val = 7200llu * SECOND}); - setup_try_auth_defaults_with_leaf(&leaf_data, &merkle_tree, + setup_try_auth_defaults_with_leaf(&leaf_data, PW_PROTOCOL_VERSION, + PW_LEAF_MINOR_VERSION, &merkle_tree, &buf.request); TEST_RET_EQ(check_try_auth_rate_limit_reached_response( @@ -1601,7 +1720,8 @@ static int handle_try_auth_rate_limit_reached(void) leaf_data.pub.attempt_count.v = 6; force_restart_count(1); force_time((timestamp_t){.val = 7200llu * SECOND}); - setup_try_auth_defaults_with_leaf(&leaf_data, &merkle_tree, + setup_try_auth_defaults_with_leaf(&leaf_data, PW_PROTOCOL_VERSION, + PW_LEAF_MINOR_VERSION, &merkle_tree, &buf.request); TEST_RET_EQ(check_try_auth_rate_limit_reached_response( @@ -1617,7 +1737,8 @@ static int handle_try_auth_rate_limit_reached(void) leaf_data.pub.attempt_count.v = 6; force_restart_count(1); force_time((timestamp_t){.val = 7200llu * SECOND}); - setup_try_auth_defaults_with_leaf(&leaf_data, &merkle_tree, + setup_try_auth_defaults_with_leaf(&leaf_data, PW_PROTOCOL_VERSION, + PW_LEAF_MINOR_VERSION, &merkle_tree, &buf.request); TEST_RET_EQ(check_try_auth_rate_limit_reached_response( @@ -1630,7 +1751,8 @@ static int handle_try_auth_rate_limit_reached(void) leaf_data.pub.attempt_count.v = 10; leaf_data.pub.timestamp.boot_count = 0; leaf_data.pub.timestamp.timer_value = 7200llu; - setup_try_auth_defaults_with_leaf(&leaf_data, &merkle_tree, + setup_try_auth_defaults_with_leaf(&leaf_data, PW_PROTOCOL_VERSION, + PW_LEAF_MINOR_VERSION, &merkle_tree, &buf.request); force_restart_count(0); force_time((timestamp_t){.val = (leaf_data.pub.timestamp.timer_value + @@ -1645,7 +1767,8 @@ static int handle_try_auth_rate_limit_reached(void) leaf_data.pub.attempt_count.v = 10; leaf_data.pub.timestamp.boot_count = 0; leaf_data.pub.timestamp.timer_value = 7200llu; - setup_try_auth_defaults_with_leaf(&leaf_data, &merkle_tree, + setup_try_auth_defaults_with_leaf(&leaf_data, PW_PROTOCOL_VERSION, + PW_LEAF_MINOR_VERSION, &merkle_tree, &buf.request); force_restart_count(1); force_time((timestamp_t){.val = 3599llu * SECOND}); @@ -1690,8 +1813,11 @@ static int handle_try_auth_lowent_auth_failed(void) sizeof(leaf_data.sec.low_entropy_secret) - 1] = ~leaf_data.sec.low_entropy_secret[ sizeof(leaf_data.sec.low_entropy_secret) - 1]; - setup_try_auth_defaults_with_leaf(&leaf_data, &merkle_tree, + + setup_try_auth_defaults_with_leaf(&leaf_data, PW_PROTOCOL_VERSION, + PW_LEAF_MINOR_VERSION, &merkle_tree, &buf.request); + force_restart_count(1); force_time((timestamp_t){.val = (65ull * SECOND)}); @@ -1750,7 +1876,30 @@ static int handle_try_auth_lowent_auth_failed(void) return check_dcrypto_mutex_usage(); } -static int handle_try_auth_success(void) +static int handle_try_auth_pcr_mismatch(void) +{ + struct merkle_tree_t merkle_tree; + struct pw_test_data_t buf; + struct leaf_data_t leaf_data = {}; + + /* Test same boot_count case. */ + memcpy(&leaf_data, &DEFAULT_LEAF, sizeof(leaf_data)); + leaf_data.pub.attempt_count.v = 6; + leaf_data.pub.valid_pcr_criteria[0].bitmask[0] = 1; + memset(leaf_data.pub.valid_pcr_criteria[0].digest, 0, 32); + setup_try_auth_defaults_with_leaf(&leaf_data, PW_PROTOCOL_VERSION, + PW_LEAF_MINOR_VERSION, &merkle_tree, + &buf.request); + force_restart_count(0); + force_time((timestamp_t){.val = 65 * SECOND}); + + TEST_RET_EQ(do_request(&merkle_tree, &buf), PW_ERR_PCR_NOT_MATCH); + + return check_dcrypto_mutex_usage(); +} + +static int try_auth_success(uint8_t protocol_version, + uint8_t minor_version) { struct merkle_tree_t merkle_tree; struct pw_test_data_t buf; @@ -1764,14 +1913,18 @@ static int handle_try_auth_success(void) /* Test same boot_count case. */ memcpy(&leaf_data, &DEFAULT_LEAF, sizeof(leaf_data)); leaf_data.pub.attempt_count.v = 6; - setup_try_auth_defaults_with_leaf(&leaf_data, &merkle_tree, + leaf_data.pub.valid_pcr_criteria[0].bitmask[0] = 1; + memcpy(leaf_data.pub.valid_pcr_criteria[0].digest, + DEFAULT_PCR_DIGEST, 32); + setup_try_auth_defaults_with_leaf(&leaf_data, protocol_version, + minor_version, &merkle_tree, &buf.request); force_restart_count(0); force_time((timestamp_t){.val = 65 * SECOND}); TEST_RET_EQ(do_request(&merkle_tree, &buf), EC_SUCCESS); - TEST_ASSERT(buf.response.header.version == PW_PROTOCOL_VERSION); + TEST_ASSERT(buf.response.header.version == protocol_version); TEST_ASSERT(buf.response.header.data_length == sizeof(struct pw_response_try_auth_t) + PW_LEAF_PAYLOAD_SIZE); @@ -1795,14 +1948,21 @@ static int handle_try_auth_success(void) (uint8_t *)&pub->delay_schedule, (uint8_t *)&leaf_data.pub.delay_schedule, sizeof(leaf_data.pub.delay_schedule)); - TEST_ASSERT_ARRAY_EQ((uint8_t *)&sec, (uint8_t *)&DEFAULT_LEAF.sec, - sizeof(DEFAULT_LEAF.sec)); + if (protocol_version == PW_PROTOCOL_VERSION) { + TEST_ASSERT_ARRAY_EQ((uint8_t *)&sec, + (uint8_t *)&DEFAULT_LEAF.sec, + sizeof(DEFAULT_LEAF.sec)); + } TEST_ASSERT(pub->attempt_count.v == 0); TEST_ASSERT_ARRAY_EQ(buf.response.data.try_auth.high_entropy_secret, DEFAULT_LEAF.sec.high_entropy_secret, sizeof(DEFAULT_LEAF.sec.high_entropy_secret)); + TEST_ASSERT_ARRAY_EQ(buf.response.data.try_auth.reset_secret, + DEFAULT_LEAF.sec.reset_secret, + sizeof(DEFAULT_LEAF.sec.reset_secret)); + /* Validate the log entry on success. */ TEST_ASSERT(MOCK_pw_log_storage.entries[0].type.v == PW_TRY_AUTH); TEST_ASSERT(MOCK_pw_log_storage.entries[0].label.v == @@ -1820,14 +1980,15 @@ static int handle_try_auth_success(void) leaf_data.pub.attempt_count.v = 6; leaf_data.pub.timestamp.boot_count = 0; leaf_data.pub.timestamp.timer_value = 7200llu; - setup_try_auth_defaults_with_leaf(&leaf_data, &merkle_tree, + setup_try_auth_defaults_with_leaf(&leaf_data, protocol_version, + minor_version, &merkle_tree, &buf.request); force_restart_count(1); force_time((timestamp_t){.val = 65llu * SECOND}); TEST_RET_EQ(do_request(&merkle_tree, &buf), EC_SUCCESS); - TEST_ASSERT(buf.response.header.version == PW_PROTOCOL_VERSION); + TEST_ASSERT(buf.response.header.version == protocol_version); TEST_ASSERT(buf.response.header.data_length == sizeof(struct pw_response_try_auth_t) + PW_LEAF_PAYLOAD_SIZE); @@ -1851,16 +2012,33 @@ static int handle_try_auth_success(void) (uint8_t *)&pub->delay_schedule, (uint8_t *)&leaf_data.pub.delay_schedule, sizeof(leaf_data.pub.delay_schedule)); - TEST_ASSERT_ARRAY_EQ((uint8_t *)&sec, (uint8_t *)&DEFAULT_LEAF.sec, - sizeof(DEFAULT_LEAF.sec)); + if (protocol_version == PW_PROTOCOL_VERSION) { + TEST_ASSERT_ARRAY_EQ((uint8_t *)&sec, + (uint8_t *)&DEFAULT_LEAF.sec, + sizeof(DEFAULT_LEAF.sec)); + } TEST_ASSERT(pub->attempt_count.v == 0); - TEST_ASSERT_ARRAY_EQ(buf.response.data.try_auth.high_entropy_secret, DEFAULT_LEAF.sec.high_entropy_secret, sizeof(DEFAULT_LEAF.sec.high_entropy_secret)); return check_dcrypto_mutex_usage(); } +static int handle_try_auth_success(void) +{ + return try_auth_success(PW_PROTOCOL_VERSION, PW_LEAF_MINOR_VERSION); +} + +static int handle_try_auth_old_protocol_old_leaf_success(void) +{ + return try_auth_success(0, 0); +} + +static int handle_try_auth_old_protocol_new_leaf_success(void) +{ + return try_auth_success(0, PW_LEAF_MINOR_VERSION); +} + /******************************************************************************/ /* Reset auth test cases. */ @@ -2437,6 +2615,7 @@ void run_test(void) RUN_TEST(handle_insert_leaf_crypto_failure); RUN_TEST(handle_insert_leaf_nv_fail); RUN_TEST(handle_insert_leaf_success); + RUN_TEST(handle_insert_leaf_old_protocol_success); /* Test remove leaf. */ RUN_TEST(handle_remove_leaf_invalid_length); @@ -2455,7 +2634,10 @@ void run_test(void) RUN_TEST(handle_try_auth_rate_limit_reached); RUN_TEST(handle_try_auth_nv_fail); RUN_TEST(handle_try_auth_lowent_auth_failed); + RUN_TEST(handle_try_auth_pcr_mismatch); RUN_TEST(handle_try_auth_success); + RUN_TEST(handle_try_auth_old_protocol_old_leaf_success); + RUN_TEST(handle_try_auth_old_protocol_new_leaf_success); /* Test reset auth. */ RUN_TEST(handle_reset_auth_invalid_length); |