Add TPM crypto callback support for RSA key generation #311

Merged
merged 16 commits into from
Nov 29, 2023
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -130,7 +130,7 @@ Mfg NTC (0), Vendor NPCT75x"!!4rls, Fw 7.2 (131072), FIPS 140-2 1, CC-EAL4 0
git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl
./autogen.sh
./configure --enable-certgen --enable-certreq --enable-certext --enable-pkcs7 --enable-cryptocb --enable-aescfb
./configure --enable-wolftpm
make
sudo make install
sudo ldconfig
14 changes: 9 additions & 5 deletions examples/pcr/policy_sign.c
Expand Up @@ -109,7 +109,7 @@ static int PolicySign(TPM_ALG_ID alg, const char* keyFile, const char* password,
if (rc == 0) {
/* handle PEM conversion to DER */
if (encType == ENCODING_TYPE_PEM) {
#if !defined(WOLFTPM2_NO_HEAP) && defined(WOLFSSL_PEM_TO_DER)
#ifdef WOLFTPM2_PEM_DECODE
/* der size is base 64 decode length */
word32 derSz = (word32)bufSz * 3 / 4 + 1;
byte* derBuf = (byte*)XMALLOC(derSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
Expand Down Expand Up @@ -185,12 +185,16 @@ static int PolicySign(TPM_ALG_ID alg, const char* keyFile, const char* password,
rc = wc_ecc_sign_hash_ex(hash, hashSz, &rng, &key.ecc, &r, &s);
}
if (rc == 0) {
word32 keySz = key.ecc.dp->size;
mp_to_unsigned_bin(&r, sig);
mp_to_unsigned_bin(&s, sig + keySz);
word32 keySz = key.ecc.dp->size, rSz, sSz;
*sigSz = keySz * 2;
XMEMSET(sig, 0, *sigSz);
/* export sign r/s - zero pad to key size */
rSz = mp_unsigned_bin_size(&r);
mp_to_unsigned_bin(&r, &sig[keySz - rSz]);
sSz = mp_unsigned_bin_size(&s);
mp_to_unsigned_bin(&s, &sig[keySz + (keySz - sSz)]);
mp_clear(&r);
mp_clear(&s);
*sigSz = keySz * 2;
}
}
wc_ecc_free(&key.ecc);
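Review bot: The new zero-padded r/s export writes `keySz * 2` bytes into `sig` without first checking the caller's buffer size, because `*sigSz` is overwritten before the `XMEMSET`. If `*sigSz` carries the capacity of `sig` on entry (not visible in this hunk), compare it first, e.g. `if (*sigSz < keySz * 2) rc = BUFFER_E;`, and only then pad and export. The return values of both `mp_to_unsigned_bin` calls are also dropped, so a failed export would leave a zeroed half in a signature that is still reported as success; `rc = mp_to_unsigned_bin(&r, &sig[keySz - rSz]);` with a check before exporting `s` closes that. `keySz - rSz` is unsigned, so a guard that `rSz` and `sSz` do not exceed `keySz` keeps the index from wrapping. PolicySign's body starts and ends outside the hunks shown.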
20 changes: 8 additions & 12 deletions examples/run_examples.sh
Expand Up @@ -179,26 +179,20 @@ fi
# TLS Tests RSA
echo -e "TLS tests"
generate_port() { # function to produce a random port number
if [[ "$OSTYPE" == "linux"* ]]; then
port=$(($(od -An -N2 /dev/urandom) % (65535-49512) + 49512))
elif [[ "$OSTYPE" == "darwin"* ]]; then
port=$(($(od -An -N2 /dev/random) % (65535-49512) + 49512))
else
echo "Unknown OS TYPE"
exit 1
fi
port=11111
echo -e "Using port $port"
echo -e "Using port $port" >> run.out
}

run_tpm_tls_client() { # Usage: run_tpm_tls_client [ecc/rsa] [tpmargs]]
echo -e "TLS test (TPM as client) $1 $2"
generate_port
pushd $WOLFSSL_PATH >> run.out
./examples/server/server -p $port -g -A ./certs/tpm-ca-$1-cert.pem 2>&1 >> $PWD/run.out &
./examples/server/server -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem 2>&1 >> $PWD/run.out &
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "tls server $1 $2 failed! $RESULT" && exit 1
popd >> run.out
sleep 0.4
sleep 0.1
./examples/tls/tls_client -p=$port -$1 $2 2>&1 >> run.out
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "tpm tls client $1 $2 failed! $RESULT" && exit 1
Expand All @@ -207,12 +201,14 @@ run_tpm_tls_client() { # Usage: run_tpm_tls_client [ecc/rsa] [tpmargs]]
run_tpm_tls_server() { # Usage: run_tpm_tls_server [ecc/rsa] [tpmargs]]
echo -e "TLS test (TPM as server) $1 $2"
generate_port

./examples/tls/tls_server -p=$port -$1 $2 2>&1 >> run.out &
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "tpm tls server $1 $2 failed! $RESULT" && exit 1
pushd $WOLFSSL_PATH >> run.out
sleep 0.4
./examples/client/client -p $port -g -A ./certs/tpm-ca-$1-cert.pem 2>&1 >> $PWD/run.out
sleep 0.1

./examples/client/client -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem 2>&1 >> $PWD/run.out
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "tls client $1 $2 failed! $RESULT" && exit 1
popd >> run.out
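Review bot: `RESULT=$?` right after the backgrounded `./examples/server/server -p $port -w ... &` line only reports that the job was launched, so it is always 0 and the `failed!` branch can never fire. The same applies to the backgrounded `tls_server` line in `run_tpm_tls_server`. With `generate_port` now pinned to `port=11111` and the wait cut to `sleep 0.1`, a server that cannot bind (port already taken by a stale or unrelated listener) goes unnoticed, and the client then talks to whatever is listening there. Record the job with `SERVER_PID=$!` and, after the sleep, check it with `kill -0 $SERVER_PID 2>/dev/null || { echo -e "tls server $1 $2 failed to start"; exit 1; }`. It would also help to rename `generate_port` or add a comment that the port is deliberately fixed.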
16 changes: 10 additions & 6 deletions examples/tls/tls_client.c
Expand Up @@ -130,6 +130,7 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
XMEMSET(&storageKey, 0, sizeof(storageKey));
XMEMSET(&sockIoCtx, 0, sizeof(sockIoCtx));
sockIoCtx.fd = -1;
sockIoCtx.listenFd = -1;
XMEMSET(&tpmCtx, 0, sizeof(tpmCtx));
#ifndef NO_RSA
XMEMSET(&rsaKey, 0, sizeof(rsaKey));
Expand Down Expand Up @@ -558,6 +559,15 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
printf("Failure %d (0x%x): %s\n", rc, rc, wolfTPM2_GetRCString(rc));
}

/* Bidirectional shutdown */
while (wolfSSL_shutdown(ssl) == SSL_SHUTDOWN_NOT_DONE) {
printf("Shutdown not complete\n");
}

CloseAndCleanupSocket(&sockIoCtx);
wolfSSL_free(ssl);
wolfSSL_CTX_free(ctx);

wolfTPM2_UnloadHandle(&dev, &storageKey.handle);
#ifndef NO_RSA
wc_FreeRsaKey(&wolfRsaKey);
Expand All @@ -572,12 +582,6 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
#endif
wolfTPM2_UnloadHandle(&dev, &tpmSession.handle);

wolfSSL_shutdown(ssl);

CloseAndCleanupSocket(&sockIoCtx);
wolfSSL_free(ssl);
wolfSSL_CTX_free(ctx);

wolfTPM2_Cleanup(&dev);

return rc;
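Review bot: The new `while (wolfSSL_shutdown(ssl) == SSL_SHUTDOWN_NOT_DONE)` loop has no retry bound or timeout, and it now runs before the `wolfTPM2_UnloadHandle` calls for `storageKey` and `tpmSession`. A peer that never answers the close_notify (or a non-blocking socket that keeps reporting not-done) would keep the process in this loop, presumably leaving the TPM handles and session loaded. The same loop is added in examples/tls/tls_server.c, where the peer is whoever connects. A small cap is enough for an example, e.g. `int tries = 0;` and `while (wolfSSL_shutdown(ssl) == SSL_SHUTDOWN_NOT_DONE && ++tries < 2)`, or release the TPM handles before waiting on the peer. TPM2_TLS_ClientArgs starts outside the hunks shown.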
15 changes: 12 additions & 3 deletions examples/tls/tls_common.h
Expand Up @@ -209,7 +209,7 @@ static inline int SockIOSend(WOLFSSL* ssl, char* buff, int sz, void* ctx)
static inline int SetupSocketAndListen(SockIoCbCtx* sockIoCtx, word32 port)
{
struct sockaddr_in servAddr;
int optval = 1;
int optval;

#ifdef _WIN32
WSADATA wsd;
Expand All @@ -230,17 +230,26 @@ static inline int SetupSocketAndListen(SockIoCbCtx* sockIoCtx, word32 port)
return -1;
}

/* allow reuse */
/* allow reuse of port and address */
optval = 1;
if (setsockopt(sockIoCtx->listenFd, SOL_SOCKET, SO_REUSEADDR,
(void*)&optval, sizeof(optval)) == -1) {
printf("setsockopt SO_REUSEADDR failed\n");
return -1;
}
#ifdef SO_REUSEPORT
optval = 1;
if (setsockopt(sockIoCtx->listenFd, SOL_SOCKET, SO_REUSEPORT,
(void*)&optval, sizeof(optval)) == -1) {
printf("setsockopt SO_REUSEPORT failed\n");
return -1;
}
#endif

/* Connect to the server */
if (bind(sockIoCtx->listenFd, (struct sockaddr*)&servAddr,
sizeof(servAddr)) == -1) {
printf("ERROR: failed to bind\n");
printf("ERROR: failed to bind! errno %d\n", errno);
return -1;
}
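Review bot: The added `SO_REUSEPORT` block lets another process under the same effective user bind the same address and port and receive a share of incoming connections (Linux semantics). In a TLS server example that gets copied into products, that should carry a comment saying so, e.g. `/* test convenience: SO_REUSEPORT lets another same-UID process share this port; drop for production listeners */`. Treating its failure as fatal is also stricter than needed, since the header can define the option on a system whose kernel rejects it; printing a warning and continuing would keep the example usable. The new bind message prints `errno`, but on the `_WIN32` path visible earlier in the function Winsock reports the cause through `WSAGetLastError()`, and whether `<errno.h>` is included is not visible here. The early `return -1` paths after the socket is created leave `listenFd` open unless the caller closes it. SetupSocketAndListen continues past the end of the hunk.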

9 changes: 7 additions & 2 deletions examples/tls/tls_server.c
Expand Up @@ -137,6 +137,7 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
XMEMSET(&storageKey, 0, sizeof(storageKey));
XMEMSET(&sockIoCtx, 0, sizeof(sockIoCtx));
sockIoCtx.fd = -1;
sockIoCtx.listenFd = -1;
XMEMSET(&tpmCtx, 0, sizeof(tpmCtx));
#ifndef NO_RSA
XMEMSET(&rsaKey, 0, sizeof(rsaKey));
Expand Down Expand Up @@ -534,12 +535,16 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
printf("Failure %d (0x%x): %s\n", rc, rc, wolfTPM2_GetRCString(rc));
}

wolfSSL_shutdown(ssl);
/* Bidirectional shutdown */
while (wolfSSL_shutdown(ssl) == SSL_SHUTDOWN_NOT_DONE) {
printf("Shutdown not complete\n");
}

CloseAndCleanupSocket(&sockIoCtx);
wolfSSL_free(ssl);
wolfSSL_CTX_free(ctx);

CloseAndCleanupSocket(&sockIoCtx);

wolfTPM2_UnloadHandle(&dev, &storageKey.handle);
#ifndef NO_RSA
wc_FreeRsaKey(&wolfRsaKey);
4 changes: 3 additions & 1 deletion src/tpm2.c
Expand Up @@ -2952,7 +2952,9 @@ TPM_RC TPM2_Sign(Sign_In* in, Sign_Out* out)
TPM2_Packet_AppendBytes(&packet, in->digest.buffer, in->digest.size);

TPM2_Packet_AppendU16(&packet, in->inScheme.scheme);
TPM2_Packet_AppendU16(&packet, in->inScheme.details.any.hashAlg);
if (in->inScheme.scheme != TPM_ALG_NULL) {
TPM2_Packet_AppendU16(&packet, in->inScheme.details.any.hashAlg);
}

TPM2_Packet_AppendU16(&packet, in->validation.tag);
TPM2_Packet_AppendU32(&packet, in->validation.hierarchy);
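Review bot: The new `if (in->inScheme.scheme != TPM_ALG_NULL)` guard changes the wire layout of the command but has no comment explaining why. Add one above it, e.g. `/* TPMT_SIG_SCHEME: the details (hashAlg) are not marshalled when scheme is TPM_ALG_NULL */`, so the conditional is not later "simplified" back to an unconditional append. Other commands in this file that marshal an `inScheme` (not visible in this hunk) may need the same guard; worth checking them in the same change so that a NULL scheme is encoded consistently. TPM2_Sign starts and ends outside the hunk.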