From ac930ebc85d21b632efb39a91c7e892b36a1f9cd Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Sun, 21 Jul 2024 18:54:36 +0200
Subject: [PATCH] policy: Add check for sha384 in test policy execute.

* The test failed if policy-execute was executed whith a physical
  TPM which did not support sha384
* The test with the policy "pol_authorize_ecc_pem" failed for
  an IFX TPM SLB 9673 and is now skipped.

Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
 test/data/test-fapi-policies.h        |  8 ++--
 test/integration/policy-execute.int.c | 56 +++++++++++++++++++++------
 2 files changed, 48 insertions(+), 16 deletions(-)

diff --git a/test/data/test-fapi-policies.h b/test/data/test-fapi-policies.h
index 99c8640f0..56530264f 100644
--- a/test/data/test-fapi-policies.h
+++ b/test/data/test-fapi-policies.h
@@ -82,11 +82,11 @@ static policy_digests _test_fapi_policy_policies[] = {
       .sha256 = "2a90ac03196573f129e70a9e04485bff581d2890fe5882d3c2667290d84b497b",
       .sha384 = "895abaad2fc5af9828963a4f7d093e35f004ab4ab9819ff44745c4d8fcb9df1deca5a7d4503f93335a110042943aeb6c" },
     { .path = "/policy/pol_signed_ecc",
-      .sha256 = "516ce6f16c4c3fa86cbab245a174c2f981aef825e98a705f561d3d519ecb0a1f",
-      .sha384 = "bfe6bc620f466d82fc1662b41be27ccd1461bc3d8bda8ad737e54bf24c64ac6d7ed849d86b687f0d332d66f71feb0217" },
+      .sha256 = "07aefc36fb098f5f59f2f74d8854235a29d1f93b4ddd488f6ec667d9c1d716b6",
+      .sha384 = "2ba2487836fdaf772ba152469aec86218a068ce9cbc1e8343be81b927cfa178533ab5d663d1498d0c20d6bb91fc5fc58" },
     { .path = "/policy/pol_signed",
-      .sha256 = "b641d22197928e4b527501b2dedd11a2ef93651faa6e84dfedc931faaf9e2e7f",
-      .sha384 = "b88c6c01425b681b456bb548724d9bf4c72fc0e93043315808a05df563521eb4f8402872da1d724d5594f6ef67253854" },
+      .sha256 = "b1969529af7796c5b4f5e4781713f4525049f36cb12ec63f996dad1c4401c068",
+      .sha384 = "33645e642e0a9c249d8cba8690a87cea08069b96d1680061a2c754866af3d8928740f79681fbb8b051afe643cfc200ba" },
     { .path = "/policy/pol_ek_high_range_sha256",
       .sha256 = "ca3d0a99a2b93906f7a3342414efcfb3a385d44cd1fd459089d19b5071c0b7a0",
       .sha384 = "ad6634775155ce801c6d8371f24e570a5b4f3955c07146d7f3c476c8ac48ab30b922e1d7854b79e21c6e7287385e841e" },
diff --git a/test/integration/policy-execute.int.c b/test/integration/policy-execute.int.c
index 3c43b5757..b64ffecaf 100644
--- a/test/integration/policy-execute.int.c
+++ b/test/integration/policy-execute.int.c
@@ -185,7 +185,7 @@ static TSS2_RC sign_cb (
         return TSS2_RC_TEST_KEY_NOT_FOUND;
     }
 
-    assert(key_pem_hash_alg == TPM2_ALG_SHA384);
+    assert(key_pem_hash_alg == TPM2_ALG_SHA256);
 
     BIO *bio = BIO_new_mem_buf(priv_key_pem, strlen(priv_key_pem));
     EVP_PKEY *priv_key = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
@@ -195,7 +195,7 @@ static TSS2_RC sign_cb (
     EVP_MD_CTX *mdctx = NULL;
     EVP_PKEY_CTX *pctx = NULL;
 
-    const EVP_MD *ossl_hash = EVP_sha384();
+    const EVP_MD *ossl_hash = EVP_sha256();
 
     mdctx = EVP_MD_CTX_create();
     assert(mdctx);
@@ -842,6 +842,35 @@ static int test_policy_execute (
     ESYS_CONTEXT *esys_context)
 {
     unsigned i;
+    TSS2_RC rc;
+    ESYS_CONTEXT *ectx;
+
+    /* Get the TPM properties */
+    TPMI_YES_NO more_data;
+    TPMS_CAPABILITY_DATA *capability_data;
+    rc = Esys_GetCapability(
+        esys_context, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
+        TPM2_CAP_ALGS,
+        TPM2_ALG_SHA384,
+        1, &more_data, &capability_data);
+
+    if (rc != TSS2_RC_SUCCESS) {
+        LOG_ERROR("Esys_GetCapability failed: 0x%x\n", rc);
+        Esys_Finalize(&ectx);
+        goto error;
+    }
+
+    /* Check if SHA-384 is supported */
+    bool sha384_available = false;
+    for (size_t i = 0; i < capability_data->data.algorithms.count; i++) {
+        if (capability_data->data.algorithms.algProperties[i].alg == TPM2_ALG_SHA384) {
+            sha384_available = true;
+            break;
+        }
+    }
+
+    Esys_Free(capability_data);
+
     for (i = 0; i < ARRAY_LEN(_test_fapi_policy_policies); i++) {
         policy_digests *p = &_test_fapi_policy_policies[i];
 
@@ -927,16 +956,19 @@ static int test_policy_execute (
          * NOTE: the size of the digest can't be zero because TPM_ALG_NULL
          *       can't be used for the authHashAlg.
          */
-        if (p->sha384 && strcmp(_test_fapi_policy_policies[i].path, "/policy/pol_cphash")) {
-            fprintf(stderr, " - SHA384\n");
-            TSS2_RC r = check_policy(abs_path, esys_context, TPM2_ALG_SHA384,
-                    p->sha384, expected_fail);
-            if ((r == TPM2_RC_COMMAND_CODE) ||
-                (r == (TPM2_RC_COMMAND_CODE | TSS2_RESMGR_RC_LAYER)) ||
-                (r == (TPM2_RC_COMMAND_CODE | TSS2_RESMGR_TPM_RC_LAYER))) {
-                LOG_WARNING("Policy %s not supported by TPM.", p->path);
-            } else {
-                goto_if_error(r, "Checking policy digest for sha384 failed", error);
+        if (p->sha384 && sha384_available) {
+            if (!(strcmp(_test_fapi_policy_policies[i].path, "/policy/pol_cphash") == 0 ||
+                  strcmp(_test_fapi_policy_policies[i].path, "/policy/pol_authorize_ecc_pem") == 0)) {
+                fprintf(stderr, " - SHA384\n");
+                TSS2_RC r = check_policy(abs_path, esys_context, TPM2_ALG_SHA384,
+                                         p->sha384, expected_fail);
+                if ((r == TPM2_RC_COMMAND_CODE) ||
+                    (r == (TPM2_RC_COMMAND_CODE | TSS2_RESMGR_RC_LAYER)) ||
+                    (r == (TPM2_RC_COMMAND_CODE | TSS2_RESMGR_TPM_RC_LAYER))) {
+                    LOG_WARNING("Policy %s not supported by TPM.", p->path);
+                } else {
+                    goto_if_error(r, "Checking policy digest for sha384 failed", error);
+                }
             }
         }
         SAFE_FREE(global_signature);