Fix some of the example TODO's. Fixes for seal/unseal example. Fixes for TLS with param enc.

Author: dgarske

examples/run_examples.sh

@@ -77,12 +77,9 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
     ./examples/keygen/keyload ecckeyblob.bin -aes >> run.out
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "keyload ecc param enc failed! $RESULT" && exit 1
-
     ./examples/keygen/keyimport ecckeyblob.bin -ecc >> run.out
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "keyload ecc import failed! $RESULT" && exit 1
-    # TODO: TPM2_Load (TPM_RC_INTEGRITY)
-    #./examples/keygen/keyload ecckeyblob.bin >> run.out
 fi
 rm -f ecckeyblob.bin
 
@@ -197,12 +194,12 @@ run_tpm_tls_client() { # Usage: run_tpm_tls_client [ecc/rsa] [tpmargs]]
     echo -e "TLS test (TPM as client) $1 $2"
     generate_port
     pushd $WOLFSSL_PATH >> run.out
-    ./examples/server/server -p $port -g -A ./certs/tpm-ca-$1-cert.pem 2>&1 >> $PWD/run.out &
+    echo ./examples/server/server -p $port -g -A ./certs/tpm-ca-$1-cert.pem 2>&1 >> $PWD/run.out &
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "tls server $1 $2 failed! $RESULT" && exit 1
     popd >> run.out
-    sleep 0.2
-    ./examples/tls/tls_client -p=$port -$1 $2 2>&1 >> run.out
+    sleep 0.4
+    echo ./examples/tls/tls_client -p=$port -$1 $2 2>&1 >> run.out
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "tpm tls client $1 $2 failed! $RESULT" && exit 1
 }
@@ -214,7 +211,7 @@ run_tpm_tls_server() { # Usage: run_tpm_tls_server [ecc/rsa] [tpmargs]]
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "tpm tls server $1 $2 failed! $RESULT" && exit 1
     pushd $WOLFSSL_PATH >> run.out
-    sleep 0.2
+    sleep 0.4
     ./examples/client/client -p $port -g -A ./certs/tpm-ca-$1-cert.pem 2>&1 >> $PWD/run.out
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "tls client $1 $2 failed! $RESULT" && exit 1
@@ -223,18 +220,14 @@ run_tpm_tls_server() { # Usage: run_tpm_tls_server [ecc/rsa] [tpmargs]]
 
 if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
     run_tpm_tls_client "rsa" ""
-    # TODO: Not working (TPM2_Load TPM_RC_COMMAND_SIZE)
-    #run_tpm_tls_client "rsa" "-aes"
+    run_tpm_tls_client "rsa" "-aes"
     run_tpm_tls_client "ecc" ""
-    # TODO: Not working (TPM2_Load TPM_RC_COMMAND_SIZE)
-    #run_tpm_tls_client "ecc" "-aes"
+    run_tpm_tls_client "ecc" "-aes"
 
     run_tpm_tls_server "rsa" ""
-    # TODO: Not working (TPM2_Load TPM_RC_COMMAND_SIZE)
-    #run_tpm_tls_server "rsa" "-aes"
+    run_tpm_tls_server "rsa" "-aes"
     run_tpm_tls_server "ecc" ""
-    # TODO: Not working (TPM2_Load TPM_RC_COMMAND_SIZE)
-    #run_tpm_tls_server "ecc" "-aes"
+    run_tpm_tls_server "ecc" "-aes"
 fi
 
 
@@ -350,11 +343,21 @@ fi
 echo -e "Seal/Unseal (PCR policy)"
 ./examples/seal/seal sealedkeyblob.bin mySecretMessage >> run.out
 RESULT=$?
-[ $RESULT -ne 0 ] && echo -e "seal pcr failed! $RESULT" && exit 1
-# TODO (TPM2_Load TPM_RC_BAD_AUTH)
-#./examples/seal/unseal message.raw sealedkeyblob.bin >> run.out
+[ $RESULT -ne 0 ] && echo -e "seal failed! $RESULT" && exit 1
+./examples/seal/unseal message.raw sealedkeyblob.bin >> run.out
+RESULT=$?
+[ $RESULT -ne 0 ] && echo -e "unseal failed! $RESULT" && exit 1
 rm -f sealedkeyblob.bin
 
+if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
+    ./examples/seal/seal sealedkeyblob.bin mySecretMessage -aes >> run.out
+    RESULT=$?
+    [ $RESULT -ne 0 ] && echo -e "seal aes failed! $RESULT" && exit 1
+    ./examples/seal/unseal message.raw sealedkeyblob.bin -aes >> run.out
+    RESULT=$?
+    [ $RESULT -ne 0 ] && echo -e "unseal aes failed! $RESULT" && exit 1
+    rm -f sealedkeyblob.bin
+fi
 
 # Seal/Unseal (Policy auth)
 echo -e "Seal/Unseal (Policy auth)"

examples/seal/seal.c

@@ -40,9 +40,9 @@ static void usage(void)
 {
     printf("Expected usage:\n");
     printf("./examples/seal/seal [filename] [userdata]\n");
-    printf("* filename: Name of the file where the TPM key will be stored\n");
-    printf("* userdata: Arbitrary data to seal inside the TPM key (no whitespaces)\n");
-    printf("Demo usage, without parameters, uses keyblob.bin as a filename\n");
+    printf("* -aes/xor: Use Parameter Encryption\n");
+    printf("* filename: Name of the file where the TPM key will be stored (default: keyblob.bin)\n");
+    printf("* userdata: Arbitrary data to seal inside the TPM key (no whitespaces) (default: My1Pass2Phrase3)\n");
 }
 
 int TPM2_Seal_Example(void* userCtx, int argc, char *argv[])
@@ -95,6 +95,7 @@ int TPM2_Seal_Example(void* userCtx, int argc, char *argv[])
 
     printf("TPM2.0 Simple Seal example\n");
     printf("\tKey Blob: %s\n", outputFile);
+    printf("\tUser Data: %s\n", userData);
     printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg));
 
     rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
@@ -159,6 +160,9 @@ int TPM2_Seal_Example(void* userCtx, int argc, char *argv[])
         printf("\nFailure 0x%x: %s\n\n", rc, wolfTPM2_GetRCString(rc));
     }
 
+    /* Remove the auth for loaded TPM seal object */
+    wolfTPM2_UnsetAuth(&dev, 0);
+
     /* Close handles */
     wolfTPM2_UnloadHandle(&dev, &storage.handle);
     wolfTPM2_UnloadHandle(&dev, &newKey.handle);

examples/seal/unseal.c

@@ -41,16 +41,20 @@ static void usage(void)
 {
     printf("Expected usage:\n");
     printf("./examples/seal/unseal [filename] [inkey_filename]\n");
-    printf("* filename - File contaning a TPM seal key\n");
+    printf("* -aes/xor: Use Parameter Encryption\n");
+    printf("* filename: Output for unsealed data (default: unseal.bin)\n");
+    printf("* inkey_filename: File with sealed keyed hashed object (keyblob.bin)\n");
     printf("Demo usage, without arguments, uses keyblob.bin file input.\n");
 }
 
 int TPM2_Unseal_Example(void* userCtx, int argc, char *argv[])
 {
     int rc;
     WOLFTPM2_DEV dev;
-    WOLFTPM2_KEY key;
-    TPM2B_AUTH auth;
+    WOLFTPM2_KEYBLOB newKey;
+    WOLFTPM2_KEY storage; /* SRK */
+    TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
+    WOLFTPM2_SESSION tpmSession;
     const char *filename = "unseal.bin";
     const char *inkeyfilename = "keyblob.bin";
 #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
@@ -60,14 +64,11 @@ int TPM2_Unseal_Example(void* userCtx, int argc, char *argv[])
     Unseal_In cmdIn_unseal;
     Unseal_Out cmdOut_unseal;
 
-    WOLFTPM2_KEYBLOB newKey;
-    WOLFTPM2_KEY storage; /* SRK */
-
-
+    XMEMSET(&storage, 0, sizeof(storage));
+    XMEMSET(&tpmSession, 0, sizeof(tpmSession));
     XMEMSET(&cmdIn_unseal, 0, sizeof(cmdIn_unseal));
     XMEMSET(&cmdOut_unseal, 0, sizeof(cmdOut_unseal));
-    XMEMSET(&key, 0, sizeof(key));
-    XMEMSET(&auth, 0, sizeof(auth));
+    XMEMSET(&newKey, 0, sizeof(newKey));
 
     if (argc >= 2) {
         if (XSTRCMP(argv[1], "-?") == 0 ||
@@ -85,6 +86,23 @@ int TPM2_Unseal_Example(void* userCtx, int argc, char *argv[])
            inkeyfilename = argv[2];
         }
     }
+    while (argc > 1) {
+        if (XSTRCMP(argv[argc-1], "-aes") == 0) {
+            paramEncAlg = TPM_ALG_CFB;
+        }
+        else if (XSTRCMP(argv[argc-1], "-xor") == 0) {
+            paramEncAlg = TPM_ALG_XOR;
+        }
+        else if (argv[argc-1][0] == '-') {
+            printf("Warning: Unrecognized option: %s\n", argv[argc-1]);
+        }
+        argc--;
+    }
+
+    printf("TPM2.0 Simple Unseal example\n");
+    printf("\tKey Blob: %s\n", inkeyfilename);
+    printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg));
+
 
     printf("Example how to unseal data using TPM2.0\n");
     rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
@@ -97,6 +115,21 @@ int TPM2_Unseal_Example(void* userCtx, int argc, char *argv[])
     rc = getPrimaryStoragekey(&dev, &storage, TPM_ALG_RSA);
     if (rc != 0) goto exit;
 
+    if (paramEncAlg != TPM_ALG_NULL) {
+        /* Start an authenticated session (salted / unbound) with parameter encryption */
+        rc = wolfTPM2_StartSession(&dev, &tpmSession, &storage, NULL,
+            TPM_SE_HMAC, paramEncAlg);
+        if (rc != 0) goto exit;
+        printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
+            (word32)tpmSession.handle.hndl);
+
+        /* set session for authorization of the storage key */
+        rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession,
+            (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | TPMA_SESSION_continueSession));
+        if (rc != 0) goto exit;
+
+    }
+
     rc = readKeyBlob(inkeyfilename, &newKey);
     if (rc != 0) goto exit;
 
@@ -109,9 +142,9 @@ int TPM2_Unseal_Example(void* userCtx, int argc, char *argv[])
         (word32)newKey.handle.hndl);
 
     /* Set authorization for using the seal key */
-    auth.size = (int)sizeof(gKeyAuth) - 1;
-    XMEMCPY(auth.buffer, gKeyAuth, auth.size);
-    wolfTPM2_SetAuthPassword(&dev, 0, &auth);
+    newKey.handle.auth.size = (int)sizeof(gKeyAuth) - 1;
+    XMEMCPY(newKey.handle.auth.buffer, gKeyAuth, newKey.handle.auth.size);
+    wolfTPM2_SetAuthHandle(&dev, 0, &newKey.handle);
 
     cmdIn_unseal.itemHandle = newKey.handle.hndl;
 
@@ -146,12 +179,13 @@ int TPM2_Unseal_Example(void* userCtx, int argc, char *argv[])
     (void)filename;
 #endif
 
-    /* Remove the loaded TPM seal object */
-    wolfTPM2_SetAuthPassword(&dev, 0, NULL);
+    /* Remove the auth for loaded TPM seal object */
+    wolfTPM2_UnsetAuth(&dev, 0);
 
 exit:
     wolfTPM2_UnloadHandle(&dev, &storage.handle);
     wolfTPM2_UnloadHandle(&dev, &newKey.handle);
+    wolfTPM2_UnloadHandle(&dev, &tpmSession.handle);
 
     wolfTPM2_Cleanup(&dev);
     return rc;

examples/tls/tls_client.c

@@ -207,7 +207,7 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
             (word32)tpmSession.handle.hndl);
 
         /* set session for authorization of the storage key */
-        rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession,
+        rc = wolfTPM2_SetAuthSession(&dev, 0, &tpmSession,
             (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | TPMA_SESSION_continueSession));
         if (rc != 0) goto exit;
     }

examples/tls/tls_server.c

@@ -222,7 +222,7 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
             (word32)tpmSession.handle.hndl);
 
         /* set session for authorization of the storage key */
-        rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession,
+        rc = wolfTPM2_SetAuthSession(&dev, 0, &tpmSession,
             (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt |
              TPMA_SESSION_continueSession));
         if (rc != 0) goto exit;