Merge pull request wolfSSL#312 from dgarske/tls_pkcb
Added support for TLS PK callbacks with ECC and RSA Sign using PKCSv1.5 and PSS padding
embhorn authored Dec 8, 2023
2 parents 60f86ed + a50e4fe commit 88bff51
Showing 13 changed files with 840 additions and 144 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/make-test-swtpm.yml
Expand Up @@ -25,7 +25,7 @@ jobs:
run: ./autogen.sh
- name: wolfssl configure
working-directory: ./wolfssl
run: ./configure --enable-wolftpm
run: ./configure --enable-wolftpm --enable-pkcallbacks
- name: wolfssl make install
working-directory: ./wolfssl
run: sudo make install
2 changes: 2 additions & 0 deletions docs/WindowTBS.md
Expand Up @@ -46,6 +46,8 @@ make
./examples
```

Note: To install the development base tools on MSYS2 use: `pacman -s base-devel` and `pacman -S mingw-w64-x86_64-toolchain`.

## Building on linux

Tested using mingw-w32-bin_x86_64-linux_20131221.tar.bz2
12 changes: 7 additions & 5 deletions examples/csr/csr.c
Expand Up @@ -25,7 +25,8 @@

#include <stdio.h>

#if !defined(WOLFTPM2_NO_WRAPPER) && defined(WOLFTPM2_CERT_GEN)
#if !defined(WOLFTPM2_NO_WRAPPER) && defined(WOLFTPM2_CERT_GEN) && \
defined(WOLFTPM_CRYPTOCB)

#include <hal/tpm_io.h>
#include <examples/tpm_test.h>
Expand Down Expand Up @@ -72,11 +73,11 @@ static int TPM2_CSR_Generate(WOLFTPM2_DEV* dev, int keyType, WOLFTPM2_KEY* key,
/* make sure each subject is unique */
if (keyType == RSA_TYPE) {
subject = "/C=US/ST=Oregon/L=Portland/SN=Test/O=wolfSSL"
"/OU=RSA/CN=www.wolfssl.com/emailAddress=info@wolfssl.com";
"/OU=RSA/CN=127.0.0.1/emailAddress=info@wolfssl.com";
}
else if (keyType == ECC_TYPE) {
subject = "/C=US/ST=Oregon/L=Portland/SN=Test/O=wolfSSL"
"/OU=ECC/CN=www.wolfssl.com/emailAddress=info@wolfssl.com";
"/OU=ECC/CN=127.0.0.1/emailAddress=info@wolfssl.com";
}

outputSz = (int)sizeof(output);
Expand Down Expand Up @@ -252,14 +253,15 @@ int TPM2_CSR_ExampleArgs(void* userCtx, int argc, char *argv[])
/* --- END TPM2 CSR Example -- */
/******************************************************************************/

#endif /* !WOLFTPM2_NO_WRAPPER && WOLFTPM2_CERT_GEN */
#endif /* !WOLFTPM2_NO_WRAPPER && WOLFTPM2_CERT_GEN && WOLFTPM_CRYPTOCB */

#ifndef NO_MAIN_DRIVER
int main(int argc, char *argv[])
{
int rc = -1;

#if !defined(WOLFTPM2_NO_WRAPPER) && defined(WOLFTPM2_CERT_GEN)
#if !defined(WOLFTPM2_NO_WRAPPER) && defined(WOLFTPM2_CERT_GEN) && \
defined(WOLFTPM_CRYPTOCB)
rc = TPM2_CSR_ExampleArgs(NULL, argc, argv);
#else
(void)argc;
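Review bot: The new subject strings in TPM2_CSR_Generate put the loopback address in the CN (`/OU=RSA/CN=127.0.0.1/...` and the ECC twin) with no comment saying this identity is for local testing only. Verifiers that follow the usual name-matching rules compare an IP address against an iPAddress subjectAltName rather than the CN, so a certificate issued from this CSR may be rejected by stricter peers, and anyone copying the example ends up with a certificate bound to loopback. I would add above the assignments `/* Test-only identity: CN is the loopback address, presumably to match the local TLS examples; use the real host name (and a SAN) outside of testing */`. The body of TPM2_CSR_Generate starts and ends outside the hunk.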
19 changes: 17 additions & 2 deletions examples/run_examples.sh
Expand Up @@ -176,9 +176,11 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
[ $RESULT -ne 0 ] && echo -e "pkcs7 failed! $RESULT" && exit 1
fi

# TLS Tests RSA
# TLS Tests
echo -e "TLS tests"
generate_port() { # function to produce a random port number
generate_port() {
# for now it is okay to use the same port
# Note: The SW TPM uses many local ports, which can cause bind() issue
port=11111
echo -e "Using port $port"
echo -e "Using port $port" >> run.out
Expand All @@ -193,6 +195,7 @@ run_tpm_tls_client() { # Usage: run_tpm_tls_client [ecc/rsa] [tpmargs]]
[ $RESULT -ne 0 ] && echo -e "tls server $1 $2 failed! $RESULT" && exit 1
popd >> run.out
sleep 0.1

./examples/tls/tls_client -p=$port -$1 $2 2>&1 >> run.out
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "tpm tls client $1 $2 failed! $RESULT" && exit 1
Expand All @@ -215,6 +218,7 @@ run_tpm_tls_server() { # Usage: run_tpm_tls_server [ecc/rsa] [tpmargs]]
}

if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
# Run with Crypto CB
run_tpm_tls_client "rsa" ""
run_tpm_tls_client "rsa" "-aes"
run_tpm_tls_client "ecc" ""
Expand All @@ -224,6 +228,17 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
run_tpm_tls_server "rsa" "-aes"
run_tpm_tls_server "ecc" ""
run_tpm_tls_server "ecc" "-aes"

# Run with PK
run_tpm_tls_client "rsa" "-pk"
run_tpm_tls_client "rsa" "-pk -aes"
run_tpm_tls_client "ecc" "-pk"
run_tpm_tls_client "ecc" "-pk -aes"

run_tpm_tls_server "rsa" "-pk "
run_tpm_tls_server "rsa" "-pk -aes"
run_tpm_tls_server "ecc" "-pk"
run_tpm_tls_server "ecc" "-pk -aes"
fi


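Review bot: The new "Run with PK" block sits under the same `WOLFCRYPT_ENABLE` check as the crypto-callback runs, but the client (per the tls_client.c section of this commit) only accepts `-pk` when built with both `WOLFTPM_CRYPTOCB` and `HAVE_PK_CALLBACKS`; otherwise it prints "Warning: Unrecognized option" and continues with crypto callbacks. On such a build these runs pass without touching the PK path, so a regression in the TPM-backed signing callbacks would go unnoticed. Either gate the block on a build check for PK callback support, or have the examples exit non-zero on an unknown option. As a style point, `run_tpm_tls_server "rsa" "-pk "` carries a trailing space its siblings do not; `"-pk"` would be consistent.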
79 changes: 60 additions & 19 deletions examples/tls/tls_client.c
Expand Up @@ -25,7 +25,7 @@

#include <stdio.h>

#if !defined(WOLFTPM2_NO_WRAPPER) && defined(WOLFTPM_CRYPTOCB) && \
#if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) && \
!defined(NO_WOLFSSL_CLIENT) && !defined(WOLFCRYPT_ONLY)

#include <hal/tpm_io.h>
Expand All @@ -36,11 +36,14 @@

#include <wolfssl/ssl.h>

#undef USE_CERT_BUFFERS_2048
#define USE_CERT_BUFFERS_2048
#undef USE_CERT_BUFFERS_256
#define USE_CERT_BUFFERS_256
#include <wolfssl/certs_test.h>
#ifdef NO_FILESYSTEM
/* Load test certificates / keys from wolfSSL */
#undef USE_CERT_BUFFERS_2048
#define USE_CERT_BUFFERS_2048
#undef USE_CERT_BUFFERS_256
#define USE_CERT_BUFFERS_256
#include <wolfssl/certs_test.h>
#endif

#ifdef TLS_BENCH_MODE
double benchStart;
Expand Down Expand Up @@ -83,6 +86,9 @@ static void usage(void)
printf("* -ecc: Use RSA or ECC key\n");
printf("* -aes/xor: Use Parameter Encryption\n");
printf("* -p=port: Supply a custom port number (default %d)\n", TLS_PORT);
#if defined(WOLFTPM_CRYPTOCB) && defined(HAVE_PK_CALLBACKS)
printf("* -pk: Use PK callbacks, not crypto callbacks\n");
#endif
}

int TPM2_TLS_Client(void* userCtx)
Expand All @@ -108,7 +114,7 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
#endif
TpmCryptoDevCtx tpmCtx;
SockIoCbCtx sockIoCtx;
int tpmDevId;
int tpmDevId = INVALID_DEVID;
WOLFSSL_CTX* ctx = NULL;
WOLFSSL* ssl = NULL;
#ifndef TLS_BENCH_MODE
Expand All @@ -121,6 +127,7 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
int i;
#endif
int useECC = 0;
int usePK = 0;
TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
WOLFTPM2_SESSION tpmSession;
TPMT_PUBLIC publicTemplate;
Expand All @@ -139,6 +146,10 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
#ifdef HAVE_ECC
XMEMSET(&eccKey, 0, sizeof(eccKey));
XMEMSET(&wolfEccKey, 0, sizeof(wolfEccKey));
#ifndef WOLFTPM2_USE_SW_ECDHE
/* Ephemeral Key */
XMEMSET(&ecdhKey, 0, sizeof(ecdhKey));
#endif
#endif
XMEMSET(&tpmSession, 0, sizeof(tpmSession));

Expand All @@ -163,17 +174,26 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
else if (XSTRCMP(argv[argc-1], "-xor") == 0) {
paramEncAlg = TPM_ALG_XOR;
}
#if defined(WOLFTPM_CRYPTOCB) && defined(HAVE_PK_CALLBACKS)
else if (XSTRCMP(argv[argc-1], "-pk") == 0) {
usePK = 1;
}
#endif
else if (XSTRNCMP(argv[argc-1], "-p=", XSTRLEN("-p=")) == 0) {
const char* portStr = argv[argc-1] + XSTRLEN("-p=");
port = (word32)XATOI(portStr);
}
else {
printf("Warning: Unrecognized option: %s\n", argv[argc-1]);
}
argc--;
}

printf("TPM2 TLS Client Example\n");
printf("\tUse %s keys\n", useECC ? "ECC" : "RSA");
printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg));
printf("\tUsing Port: %d\n", port);
printf("\tUsing %s callbacks\n", usePK ? "PK" : "Crypto");

/* Init the TPM2 device */
rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
Expand All @@ -183,6 +203,7 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
}

/* Setup the wolf crypto device callback */
tpmCtx.dev = &dev;
#ifndef NO_RSA
tpmCtx.rsaKey = &rsaKey;
#endif
Expand All @@ -193,9 +214,14 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
#ifdef WOLFTPM_USE_SYMMETRIC
tpmCtx.useSymmetricOnTPM = 1;
#endif
rc = wolfTPM2_SetCryptoDevCb(&dev, wolfTPM2_CryptoDevCb, &tpmCtx, &tpmDevId);
if (rc != 0) goto exit;

#ifdef WOLFTPM_CRYPTOCB
if (!usePK) {
rc = wolfTPM2_SetCryptoDevCb(&dev, wolfTPM2_CryptoDevCb, &tpmCtx, &tpmDevId);
if (rc != 0) goto exit;
}
#endif
/* See if primary storage key already exists */
rc = getPrimaryStoragekey(&dev, &storageKey, TPM_ALG_RSA);
if (rc != 0) goto exit;

Expand All @@ -209,7 +235,8 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])

/* set session for authorization of the storage key */
rc = wolfTPM2_SetAuthSession(&dev, 0, &tpmSession,
(TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | TPMA_SESSION_continueSession));
(TPMA_SESSION_decrypt | TPMA_SESSION_encrypt |
TPMA_SESSION_continueSession));
if (rc != 0) goto exit;
}

Expand Down Expand Up @@ -251,7 +278,6 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])

#ifndef WOLFTPM2_USE_SW_ECDHE
/* Ephemeral Key */
XMEMSET(&ecdhKey, 0, sizeof(ecdhKey));
tpmCtx.ecdhKey = &ecdhKey;
#endif
#endif /* HAVE_ECC */
Expand All @@ -269,6 +295,13 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
wolfSSL_CTX_SetIORecv(ctx, SockIORecv);
wolfSSL_CTX_SetIOSend(ctx, SockIOSend);

/* Setup PK callbacks */
#ifdef HAVE_PK_CALLBACKS
if (usePK) {
wolfTPM_PK_SetCb(ctx);
}
#endif

/* Server certificate validation */
/* Note: Can use "WOLFSSL_VERIFY_NONE" to skip server cert validation */
wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, myVerify);
Expand Down Expand Up @@ -365,7 +398,7 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
goto exit;
}
#else
printf("RSA not supported in this build\n");
printf("Error: RSA not compiled in\n");
rc = -1;
goto exit;
#endif /* !NO_RSA */
Expand Down Expand Up @@ -414,7 +447,7 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
goto exit;
}
#else
printf("RSA not supported in this build\n");
printf("Error: ECC not compiled in\n");
rc = -1;
goto exit;
#endif /* !NO_RSA */
Expand Down Expand Up @@ -456,6 +489,13 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
goto exit;
}

/* Setup PK Callback context */
#ifdef HAVE_PK_CALLBACKS
if (usePK) {
wolfTPM_PK_SetCbCtx(ssl, &tpmCtx);
}
#endif

/* Setup socket and connection */
rc = SetupSocketAndConnect(&sockIoCtx, TLS_HOST, port);
if (rc != 0) goto exit;
Expand Down Expand Up @@ -564,10 +604,11 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
printf("Shutdown not complete\n");
}

CloseAndCleanupSocket(&sockIoCtx);
wolfSSL_free(ssl);
wolfSSL_CTX_free(ctx);

CloseAndCleanupSocket(&sockIoCtx);

wolfTPM2_UnloadHandle(&dev, &storageKey.handle);
#ifndef NO_RSA
wc_FreeRsaKey(&wolfRsaKey);
Expand All @@ -591,23 +632,23 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
/* --- END TPM TLS Client Example -- */
/******************************************************************************/

#endif /* !WOLFTPM2_NO_WRAPPER && WOLFTPM_CRYPTOCB && !NO_WOLFSSL_CLIENT && \
* !WOLFCRYPT_ONLY */
#endif /* !WOLFTPM2_NO_WRAPPER && !WOLFTPM2_NO_WOLFCRYPT && !NO_WOLFSSL_CLIENT \
* && !WOLFCRYPT_ONLY */

#ifndef NO_MAIN_DRIVER
int main(int argc, char* argv[])
{
int rc = -1;

#if !defined(WOLFTPM2_NO_WRAPPER) && defined(WOLFTPM_CRYPTOCB) && \
#if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) && \
!defined(NO_WOLFSSL_CLIENT) && !defined(WOLFCRYPT_ONLY)
rc = TPM2_TLS_ClientArgs(NULL, argc, argv);
#else
(void)argc;
(void)argv;

printf("Wrapper/Crypto callback code or TLS support not compiled in\n");
printf("Build wolfssl with ./configure --enable-cryptocb\n");
printf("TPM Wrapper or PK//Crypto callback or TLS support not compiled in\n");
printf("Build wolfssl with ./configure --enable-wolftpm\n");
#endif

return rc;
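Review bot: The `-pk` option in TPM2_TLS_ClientArgs is compiled in only under `#if defined(WOLFTPM_CRYPTOCB) && defined(HAVE_PK_CALLBACKS)`, while the file guard no longer requires `WOLFTPM_CRYPTOCB` and the two PK setup blocks need only `HAVE_PK_CALLBACKS`. On a build with PK callbacks but without crypto callbacks, `usePK` can never become 1, so neither `wolfTPM2_SetCryptoDevCb` nor `wolfTPM_PK_SetCb` is called while the banner still prints "Using Crypto callbacks"; the handshake then runs without the TPM key hooked in, or fails later with an unrelated error. I would guard the option with `#ifdef HAVE_PK_CALLBACKS`, add `#ifndef WOLFTPM_CRYPTOCB` / `usePK = 1;` / `#endif` after argument parsing, and fail early when neither callback type is compiled in. The calls `wolfTPM_PK_SetCb(ctx);` and `wolfTPM_PK_SetCbCtx(ssl, &tpmCtx);` also discard any status; if they return one, it should be checked like the neighbouring `if (rc != 0) goto exit;` calls.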