Skip to content

Commit

Permalink
Merge pull request #311 from dgarske/tpm_cryptocb_keygen
Browse files Browse the repository at this point in the history
Add TPM crypto callback support for RSA key generation
  • Loading branch information
embhorn authored Nov 29, 2023
2 parents 4d65e9f + 5013754 commit 18e6177
Show file tree
Hide file tree
Showing 13 changed files with 288 additions and 144 deletions.
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -130,7 +130,7 @@ Mfg NTC (0), Vendor NPCT75x"!!4rls, Fw 7.2 (131072), FIPS 140-2 1, CC-EAL4 0
git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl
./autogen.sh
./configure --enable-certgen --enable-certreq --enable-certext --enable-pkcs7 --enable-cryptocb --enable-aescfb
./configure --enable-wolftpm
make
sudo make install
sudo ldconfig
Expand Down
14 changes: 9 additions & 5 deletions examples/pcr/policy_sign.c
Original file line number Diff line number Diff line change
Expand Up @@ -109,7 +109,7 @@ static int PolicySign(TPM_ALG_ID alg, const char* keyFile, const char* password,
if (rc == 0) {
/* handle PEM conversion to DER */
if (encType == ENCODING_TYPE_PEM) {
#if !defined(WOLFTPM2_NO_HEAP) && defined(WOLFSSL_PEM_TO_DER)
#ifdef WOLFTPM2_PEM_DECODE
/* der size is base 64 decode length */
word32 derSz = (word32)bufSz * 3 / 4 + 1;
byte* derBuf = (byte*)XMALLOC(derSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
Expand Down Expand Up @@ -185,12 +185,16 @@ static int PolicySign(TPM_ALG_ID alg, const char* keyFile, const char* password,
rc = wc_ecc_sign_hash_ex(hash, hashSz, &rng, &key.ecc, &r, &s);
}
if (rc == 0) {
word32 keySz = key.ecc.dp->size;
mp_to_unsigned_bin(&r, sig);
mp_to_unsigned_bin(&s, sig + keySz);
word32 keySz = key.ecc.dp->size, rSz, sSz;
*sigSz = keySz * 2;
XMEMSET(sig, 0, *sigSz);
/* export sign r/s - zero pad to key size */
rSz = mp_unsigned_bin_size(&r);
mp_to_unsigned_bin(&r, &sig[keySz - rSz]);
sSz = mp_unsigned_bin_size(&s);
mp_to_unsigned_bin(&s, &sig[keySz + (keySz - sSz)]);
mp_clear(&r);
mp_clear(&s);
*sigSz = keySz * 2;
}
}
wc_ecc_free(&key.ecc);
Expand Down
20 changes: 8 additions & 12 deletions examples/run_examples.sh
Original file line number Diff line number Diff line change
Expand Up @@ -179,26 +179,20 @@ fi
# TLS Tests RSA
echo -e "TLS tests"
generate_port() { # function to produce a random port number
if [[ "$OSTYPE" == "linux"* ]]; then
port=$(($(od -An -N2 /dev/urandom) % (65535-49512) + 49512))
elif [[ "$OSTYPE" == "darwin"* ]]; then
port=$(($(od -An -N2 /dev/random) % (65535-49512) + 49512))
else
echo "Unknown OS TYPE"
exit 1
fi
port=11111
echo -e "Using port $port"
echo -e "Using port $port" >> run.out
}

run_tpm_tls_client() { # Usage: run_tpm_tls_client [ecc/rsa] [tpmargs]]
echo -e "TLS test (TPM as client) $1 $2"
generate_port
pushd $WOLFSSL_PATH >> run.out
./examples/server/server -p $port -g -A ./certs/tpm-ca-$1-cert.pem 2>&1 >> $PWD/run.out &
./examples/server/server -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem 2>&1 >> $PWD/run.out &
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "tls server $1 $2 failed! $RESULT" && exit 1
popd >> run.out
sleep 0.4
sleep 0.1
./examples/tls/tls_client -p=$port -$1 $2 2>&1 >> run.out
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "tpm tls client $1 $2 failed! $RESULT" && exit 1
Expand All @@ -207,12 +201,14 @@ run_tpm_tls_client() { # Usage: run_tpm_tls_client [ecc/rsa] [tpmargs]]
run_tpm_tls_server() { # Usage: run_tpm_tls_server [ecc/rsa] [tpmargs]]
echo -e "TLS test (TPM as server) $1 $2"
generate_port

./examples/tls/tls_server -p=$port -$1 $2 2>&1 >> run.out &
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "tpm tls server $1 $2 failed! $RESULT" && exit 1
pushd $WOLFSSL_PATH >> run.out
sleep 0.4
./examples/client/client -p $port -g -A ./certs/tpm-ca-$1-cert.pem 2>&1 >> $PWD/run.out
sleep 0.1

./examples/client/client -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem 2>&1 >> $PWD/run.out
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "tls client $1 $2 failed! $RESULT" && exit 1
popd >> run.out
Expand Down
16 changes: 10 additions & 6 deletions examples/tls/tls_client.c
Original file line number Diff line number Diff line change
Expand Up @@ -130,6 +130,7 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
XMEMSET(&storageKey, 0, sizeof(storageKey));
XMEMSET(&sockIoCtx, 0, sizeof(sockIoCtx));
sockIoCtx.fd = -1;
sockIoCtx.listenFd = -1;
XMEMSET(&tpmCtx, 0, sizeof(tpmCtx));
#ifndef NO_RSA
XMEMSET(&rsaKey, 0, sizeof(rsaKey));
Expand Down Expand Up @@ -558,6 +559,15 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
printf("Failure %d (0x%x): %s\n", rc, rc, wolfTPM2_GetRCString(rc));
}

/* Bidirectional shutdown */
while (wolfSSL_shutdown(ssl) == SSL_SHUTDOWN_NOT_DONE) {
printf("Shutdown not complete\n");
}

CloseAndCleanupSocket(&sockIoCtx);
wolfSSL_free(ssl);
wolfSSL_CTX_free(ctx);

wolfTPM2_UnloadHandle(&dev, &storageKey.handle);
#ifndef NO_RSA
wc_FreeRsaKey(&wolfRsaKey);
Expand All @@ -572,12 +582,6 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
#endif
wolfTPM2_UnloadHandle(&dev, &tpmSession.handle);

wolfSSL_shutdown(ssl);

CloseAndCleanupSocket(&sockIoCtx);
wolfSSL_free(ssl);
wolfSSL_CTX_free(ctx);

wolfTPM2_Cleanup(&dev);

return rc;
Expand Down
15 changes: 12 additions & 3 deletions examples/tls/tls_common.h
Original file line number Diff line number Diff line change
Expand Up @@ -209,7 +209,7 @@ static inline int SockIOSend(WOLFSSL* ssl, char* buff, int sz, void* ctx)
static inline int SetupSocketAndListen(SockIoCbCtx* sockIoCtx, word32 port)
{
struct sockaddr_in servAddr;
int optval = 1;
int optval;

#ifdef _WIN32
WSADATA wsd;
Expand All @@ -230,17 +230,26 @@ static inline int SetupSocketAndListen(SockIoCbCtx* sockIoCtx, word32 port)
return -1;
}

/* allow reuse */
/* allow reuse of port and address */
optval = 1;
if (setsockopt(sockIoCtx->listenFd, SOL_SOCKET, SO_REUSEADDR,
(void*)&optval, sizeof(optval)) == -1) {
printf("setsockopt SO_REUSEADDR failed\n");
return -1;
}
#ifdef SO_REUSEPORT
optval = 1;
if (setsockopt(sockIoCtx->listenFd, SOL_SOCKET, SO_REUSEPORT,
(void*)&optval, sizeof(optval)) == -1) {
printf("setsockopt SO_REUSEPORT failed\n");
return -1;
}
#endif

/* Connect to the server */
if (bind(sockIoCtx->listenFd, (struct sockaddr*)&servAddr,
sizeof(servAddr)) == -1) {
printf("ERROR: failed to bind\n");
printf("ERROR: failed to bind! errno %d\n", errno);
return -1;
}

Expand Down
9 changes: 7 additions & 2 deletions examples/tls/tls_server.c
Original file line number Diff line number Diff line change
Expand Up @@ -137,6 +137,7 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
XMEMSET(&storageKey, 0, sizeof(storageKey));
XMEMSET(&sockIoCtx, 0, sizeof(sockIoCtx));
sockIoCtx.fd = -1;
sockIoCtx.listenFd = -1;
XMEMSET(&tpmCtx, 0, sizeof(tpmCtx));
#ifndef NO_RSA
XMEMSET(&rsaKey, 0, sizeof(rsaKey));
Expand Down Expand Up @@ -534,12 +535,16 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
printf("Failure %d (0x%x): %s\n", rc, rc, wolfTPM2_GetRCString(rc));
}

wolfSSL_shutdown(ssl);
/* Bidirectional shutdown */
while (wolfSSL_shutdown(ssl) == SSL_SHUTDOWN_NOT_DONE) {
printf("Shutdown not complete\n");
}

CloseAndCleanupSocket(&sockIoCtx);
wolfSSL_free(ssl);
wolfSSL_CTX_free(ctx);

CloseAndCleanupSocket(&sockIoCtx);

wolfTPM2_UnloadHandle(&dev, &storageKey.handle);
#ifndef NO_RSA
wc_FreeRsaKey(&wolfRsaKey);
Expand Down
4 changes: 3 additions & 1 deletion src/tpm2.c
Original file line number Diff line number Diff line change
Expand Up @@ -2952,7 +2952,9 @@ TPM_RC TPM2_Sign(Sign_In* in, Sign_Out* out)
TPM2_Packet_AppendBytes(&packet, in->digest.buffer, in->digest.size);

TPM2_Packet_AppendU16(&packet, in->inScheme.scheme);
TPM2_Packet_AppendU16(&packet, in->inScheme.details.any.hashAlg);
if (in->inScheme.scheme != TPM_ALG_NULL) {
TPM2_Packet_AppendU16(&packet, in->inScheme.details.any.hashAlg);
}

TPM2_Packet_AppendU16(&packet, in->validation.tag);
TPM2_Packet_AppendU32(&packet, in->validation.hierarchy);
Expand Down
Loading

0 comments on commit 18e6177

Please sign in to comment.