Fixes and new tests for building wolfCrypt/wolfTPM without ECC or RSA…
…. Fixes ZD 18470.
dgarske committed Aug 16, 2024
1 parent f1ce2d2 commit 1184cd8
Showing 9 changed files with 204 additions and 68 deletions.
56 changes: 49 additions & 7 deletions .github/workflows/make-test-swtpm.yml
Expand Up @@ -12,10 +12,10 @@ jobs:
runs-on: ubuntu-latest

steps:
#pull wolfTPM
# pull wolfTPM
- uses: actions/checkout@master

#setup wolfssl
# setup wolfssl
- uses: actions/checkout@master
with:
repository: wolfssl/wolfssl
Expand All @@ -30,7 +30,7 @@ jobs:
working-directory: ./wolfssl
run: sudo make install

#setup ibmswtpm2
# setup ibmswtpm2
- uses: actions/checkout@master
with:
repository: kgoldman/ibmswtpm2
Expand All @@ -41,7 +41,7 @@ jobs:
make
./tpm_server &
#setup and test defaults (with simulator)
# setup and test defaults (with simulator)
- name: autogen
run: ./autogen.sh
- name: configure
Expand Down Expand Up @@ -74,17 +74,17 @@ jobs:
run: |
LD_LIBRARY_PATH=../../src/.libs/:../../wolfssl/src/.libs/ nunit-console wolfTPM.dll
#test no wolfcrypt
# test no wolfcrypt
- name: configure no wolfCrypt
run: ./configure --enable-swtpm --disable-wolfcrypt
- name: make no wolfCrypt
run: make
- name: make check no wolfCrypt
run: |
make check
WOLFSSL_PATH=./wolfssl WOLFCRYPT_ENABLE=0 ./examples/run_examples.sh
WOLFSSL_PATH=./wolfssl WOLFCRYPT_ENABLE=0 ./examples/run_examples.sh
#test no wrapper
# test no wrapper
- name: configure no wrapper
run: ./configure --enable-swtpm --disable-wrapper
- name: make no wrapper
Expand Down Expand Up @@ -138,6 +138,48 @@ jobs:
- name: make pedantic
run: make

# test without ECC
- name: wolfssl no ECC
working-directory: ./wolfssl
run: |
./configure --enable-wolftpm --disable-ecc
make
sudo make install
- name: wolftpm no ECC
run: |
./configure --enable-swtpm
make
make check
WOLFSSL_PATH=./wolfssl ./examples/run_examples.sh
# test without RSA
- name: wolfssl no RSA
working-directory: ./wolfssl
run: |
./configure --enable-wolftpm --disable-rsa
make
sudo make install
- name: wolftpm no RSA
run: |
./configure --enable-swtpm
make
make check
WOLFSSL_PATH=./wolfssl ./examples/run_examples.sh
# test with default configure (no AES CFB, no PKCS7, no crpyto cb, no cert gen)
- name: wolfssl default configure
working-directory: ./wolfssl
run: |
./configure CFLAGS="-DWOLFSSL_PUBLIC_MP"
make
sudo make install
- name: wolftpm default configure
run: |
./configure --enable-swtpm
make
make check
WOLFSSL_PATH=./wolfssl WOLFCRYPT_DEFAULT=1 ./examples/run_examples.sh
# capture logs on failure
- name: Upload failure logs
if: failure()
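Review bot: The three new variants (the "no ECC", "no RSA" and "default configure" steps) each reconfigure and `sudo make install` wolfSSL over the previous install and then rebuild wolfTPM in the same tree without a `make clean`, so whether wolfTPM's objects are really recompiled against the newly installed `options.h` rests on automake's dependency tracking picking up a system header; if it does not, objects compiled with ECC enabled get linked against a library built without it and the variant passes or fails for the wrong reason. Putting `make clean` as the first line of each of those `run:` blocks, for both the wolfssl and wolftpm steps, removes that doubt at negligible cost. The comment on the default-configure step also carries a typo, `crpyto` → `crypto`. The `actions/checkout@master` lines are context rather than part of this change, but they are unpinned mutable refs; pinning to a release tag or commit SHA is the usual supply-chain hardening for a workflow that runs `sudo make install`.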
1 change: 1 addition & 0 deletions examples/boot/secure_rot.c
Expand Up @@ -90,6 +90,7 @@ int TPM2_Boot_SecureROT_Example(void* userCtx, int argc, char *argv[])
XMEMSET(&parent, 0, sizeof(parent));
XMEMSET(authBuf, 0, sizeof(authBuf));
XMEMSET(digest, 0, sizeof(digest));
XMEMSET(&nv, 0, sizeof(nv));

if (argc >= 2) {
if (XSTRCMP(argv[1], "-?") == 0 ||
145 changes: 102 additions & 43 deletions examples/run_examples.sh
Expand Up @@ -10,6 +10,9 @@ fi
if [ -z "$WOLFCRYPT_ENABLE" ]; then
WOLFCRYPT_ENABLE=1
fi
if [ -z "$WOLFCRYPT_DEFAULT" ]; then
WOLFCRYPT_DEFAULT=0
fi

rm -f run.out
touch run.out
Expand Down Expand Up @@ -100,20 +103,29 @@ RESULT=$?
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keyload rsa failed! $RESULT" && exit 1
if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
./examples/keygen/keygen keyblob.bin -rsa -aes >> run.out 2>&1
./examples/keygen/keygen keyblob.bin -rsa -xor >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keygen rsa param enc failed! $RESULT" && exit 1
./examples/keygen/keyload keyblob.bin -aes >> run.out 2>&1
[ $RESULT -ne 0 ] && echo -e "keygen rsa param enc xor failed! $RESULT" && exit 1
./examples/keygen/keyload keyblob.bin -xor >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keyload rsa param enc failed! $RESULT" && exit 1
[ $RESULT -ne 0 ] && echo -e "keyload rsa param enc xor failed! $RESULT" && exit 1

./examples/keygen/keyimport rsakeyblob.bin -rsa >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keyload rsa import load failed! $RESULT" && exit 1
./examples/keygen/keyload rsakeyblob.bin >> run.out 2>&1
RESULT=$?
rm -f rsakeyblob.bin
[ $RESULT -ne 0 ] && echo -e "keyload rsa import load failed! $RESULT" && exit 1
if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
./examples/keygen/keygen keyblob.bin -rsa -aes >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keygen rsa param enc aes failed! $RESULT" && exit 1
./examples/keygen/keyload keyblob.bin -aes >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keyload rsa param enc aes failed! $RESULT" && exit 1
./examples/keygen/keyimport rsakeyblob.bin -rsa >> run.out 2>&1

RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keyload rsa import load failed! $RESULT" && exit 1
./examples/keygen/keyload rsakeyblob.bin >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keyload rsa load failed! $RESULT" && exit 1
rm -f rsakeyblob.bin
fi
fi
# keeping keyblob.bin for later tests

Expand All @@ -124,15 +136,17 @@ RESULT=$?
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keyload ecc failed! $RESULT" && exit 1
if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
./examples/keygen/keygen ecckeyblob.bin -ecc -aes >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keygen ecc param enc failed! $RESULT" && exit 1
./examples/keygen/keyload ecckeyblob.bin -aes >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keyload ecc param enc failed! $RESULT" && exit 1
./examples/keygen/keyimport ecckeyblob.bin -ecc >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keyload ecc import failed! $RESULT" && exit 1
if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
./examples/keygen/keygen ecckeyblob.bin -ecc -aes >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keygen ecc param enc failed! $RESULT" && exit 1
./examples/keygen/keyload ecckeyblob.bin -aes >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keyload ecc param enc failed! $RESULT" && exit 1
./examples/keygen/keyimport ecckeyblob.bin -ecc >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keyload ecc import failed! $RESULT" && exit 1
fi
fi
rm -f ecckeyblob.bin

Expand Down Expand Up @@ -173,12 +187,21 @@ fi
# NV Tests
echo -e "NV Tests"
if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
./examples/nvram/store -aes >> run.out 2>&1
./examples/nvram/store -xor >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "nv store param enc failed! $RESULT" && exit 1
./examples/nvram/read -aes >> run.out 2>&1
[ $RESULT -ne 0 ] && echo -e "nv store param enc xorfailed! $RESULT" && exit 1
./examples/nvram/read -xor >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "nv read param enc failed! $RESULT" && exit 1
[ $RESULT -ne 0 ] && echo -e "nv read param enc xor failed! $RESULT" && exit 1

if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
./examples/nvram/store -aes >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "nv store param enc aes failed! $RESULT" && exit 1
./examples/nvram/read -aes >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "nv read param enc aes failed! $RESULT" && exit 1
fi
fi
./examples/nvram/store -priv >> run.out 2>&1
RESULT=$?
Expand All @@ -187,12 +210,21 @@ RESULT=$?
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "nv read priv only failed! $RESULT" && exit 1
if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
./examples/nvram/store -priv -aes >> run.out 2>&1
./examples/nvram/store -priv -xor >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "nv store priv only param enc failed! $RESULT" && exit 1
./examples/nvram/read -priv -aes >> run.out 2>&1
[ $RESULT -ne 0 ] && echo -e "nv store priv only param enc xor failed! $RESULT" && exit 1
./examples/nvram/read -priv -xor >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "nv read priv only param enc failed! $RESULT" && exit 1
[ $RESULT -ne 0 ] && echo -e "nv read priv only param enc xor failed! $RESULT" && exit 1

if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
./examples/nvram/store -priv -aes >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "nv store priv only param enc aes failed! $RESULT" && exit 1
./examples/nvram/read -priv -aes >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "nv read priv only param enc aes failed! $RESULT" && exit 1
fi
fi
./examples/nvram/store -pub >> run.out 2>&1
RESULT=$?
Expand All @@ -217,7 +249,7 @@ RESULT=$?
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keygen ecc test for csr failed! $RESULT" && exit 1

if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
./examples/csr/csr -cert >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "cert self-signed failed! $RESULT" && exit 1
Expand All @@ -236,7 +268,7 @@ fi

# PKCS7 Tests
echo -e "PKCS7 tests"
if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
./examples/pkcs7/pkcs7 >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "pkcs7 failed! $RESULT" && exit 1
Expand Down Expand Up @@ -291,7 +323,7 @@ run_tpm_tls_server() { # Usage: run_tpm_tls_server [ecc/rsa] [tpmargs]]
popd >> run.out 2>&1
}

if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
# Run with Crypto CB
run_tpm_tls_client "rsa" ""
run_tpm_tls_client "rsa" "-aes"
Expand Down Expand Up @@ -382,17 +414,29 @@ RESULT=$?
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "pcr quote failed! $RESULT" && exit 1
if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
./examples/pcr/quote 16 zip.quote -aes >> run.out 2>&1
./examples/pcr/quote 16 zip.quote -xor >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "pcr quote param enc failed! $RESULT" && exit 1
[ $RESULT -ne 0 ] && echo -e "pcr quote param enc xor failed! $RESULT" && exit 1

if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
./examples/pcr/quote 16 zip.quote -aes >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "pcr quote param enc aes failed! $RESULT" && exit 1
fi
fi
./examples/pcr/quote 16 zip.quote -ecc >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "pcr quote ecc failed! $RESULT" && exit 1
if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
./examples/pcr/quote 16 zip.quote -ecc -aes >> run.out 2>&1
./examples/pcr/quote 16 zip.quote -ecc -xor >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "pcr quote ecc param enc failed! $RESULT" && exit 1
[ $RESULT -ne 0 ] && echo -e "pcr quote ecc param enc xor failed! $RESULT" && exit 1

if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
./examples/pcr/quote 16 zip.quote -ecc -aes >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "pcr quote ecc param enc aes failed! $RESULT" && exit 1
fi
fi
rm -f zip.quote

Expand All @@ -403,14 +447,20 @@ echo -e "Benchmark tests"
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "bench failed! $RESULT" && exit 1
if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
./examples/bench/bench -maxdur=25 -aes >> run.out 2>&1
./examples/bench/bench -maxdur=25 -xor >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "bench (AES param enc) failed! $RESULT" && exit 1
[ $RESULT -ne 0 ] && echo -e "bench (XOR param enc) failed! $RESULT" && exit 1

if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
./examples/bench/bench -maxdur=25 -aes >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "bench (AES param enc) failed! $RESULT" && exit 1
fi
fi

# Secure Boot ROT
echo -e "Secure Boot ROT (Root of Trust) test"
if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
./examples/boot/secure_rot -nvindex=0x1400200 -authstr=test -write=./certs/example-ecc256-key-pub.der >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "secure rot write ecc256! $RESULT" && exit 1
Expand Down Expand Up @@ -456,18 +506,27 @@ RESULT=$?
rm -f sealedkeyblob.bin

if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
./examples/seal/seal sealedkeyblob.bin mySecretMessage -aes >> run.out 2>&1
./examples/seal/seal sealedkeyblob.bin mySecretMessage -xor >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "seal aes failed! $RESULT" && exit 1
./examples/seal/unseal message.raw sealedkeyblob.bin -aes >> run.out 2>&1
[ $RESULT -ne 0 ] && echo -e "seal xor failed! $RESULT" && exit 1
./examples/seal/unseal message.raw sealedkeyblob.bin -xor >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "unseal aes failed! $RESULT" && exit 1
[ $RESULT -ne 0 ] && echo -e "unseal xor failed! $RESULT" && exit 1

if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
./examples/seal/seal sealedkeyblob.bin mySecretMessage -aes >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "seal aes failed! $RESULT" && exit 1
./examples/seal/unseal message.raw sealedkeyblob.bin -aes >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "unseal aes failed! $RESULT" && exit 1
fi
rm -f sealedkeyblob.bin
fi

# Seal/Unseal (Policy auth)
echo -e "Seal/Unseal (Policy auth)"
if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
# Extend "aaa" to test PCR 16
echo aaa > aaa.bin
./examples/pcr/reset 16 >> run.out 2>&1
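Review bot: `WOLFCRYPT_DEFAULT` is only defaulted when empty (the new lines right after the `WOLFCRYPT_ENABLE` default), so a caller exporting a non-numeric value such as `yes` makes every new `[ $WOLFCRYPT_DEFAULT -eq 0 ]` test print an "integer expression expected" error and evaluate false, which silently skips the AES parameter-encryption, certificate, PKCS7, crypto-callback TLS, secure-ROT and policy-seal blocks instead of failing the run. Validating once at the top, `case "$WOLFCRYPT_DEFAULT" in 0|1) ;; *) echo "WOLFCRYPT_DEFAULT must be 0 or 1"; exit 1 ;; esac`, keeps a mis-set variable from producing a green result with most of the coverage gone; `WOLFCRYPT_ENABLE` has the same weakness, though it predates this change. The new message `nv store param enc xorfailed!` is also missing a space before `failed`, which matters because these strings are what CI logs get grepped for.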
11 changes: 10 additions & 1 deletion examples/tls/tls_client.c
Expand Up @@ -394,7 +394,16 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
/* Export TPM public key as DER */
byte der[1024];
word32 derSz = (word32)sizeof(der);
rc = wolfTPM2_ExportPublicKeyBuffer(&dev, !useECC ? &rsaKey : &eccKey,
#if defined(HAVE_ECC) && !defined(NO_RSA)
void* pkey = !useECC ? &rsaKey : &eccKey;
#elif !defined(NO_RSA)
void* pkey = &rsaKey;
#elif defined(HAVE_ECC)
void* pkey = &eccKey;
#else
void* pkey = NULL;
#endif
rc = wolfTPM2_ExportPublicKeyBuffer(&dev, pkey,
ENCODING_TYPE_ASN1, der, &derSz);
if (rc < 0) {
printf("Failed to export RSA public key!\n");
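Review bot: In the `#else` branch the new code sets `pkey = NULL` and still calls `wolfTPM2_ExportPublicKeyBuffer`, relying on the callee to reject it at runtime; a TLS client with neither RSA nor ECC has no key to present at all, so `#error "TLS client example requires RSA or ECC"` in that branch would fail the build where the unsupported configuration is chosen rather than at runtime. The message on the `rc < 0` path still reads `Failed to export RSA public key!` even when `eccKey` was selected; the server side of this same commit prints `Failed to export TPM public key!`, so matching it here is a one-line change. In the single-algorithm `#elif` branches `useECC` is no longer read at this site, which may draw an unused-variable warning under `-Wall` depending on whether it is referenced elsewhere in TPM2_TLS_ClientArgs, whose body starts and ends outside the hunk.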
11 changes: 10 additions & 1 deletion examples/tls/tls_server.c
Expand Up @@ -390,7 +390,16 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
/* Export TPM public key as DER */
byte der[1024];
word32 derSz = (word32)sizeof(der);
rc = wolfTPM2_ExportPublicKeyBuffer(&dev, !useECC ? &rsaKey : &eccKey,
#if defined(HAVE_ECC) && !defined(NO_RSA)
void* pkey = !useECC ? &rsaKey : &eccKey;
#elif !defined(NO_RSA)
void* pkey = &rsaKey;
#elif defined(HAVE_ECC)
void* pkey = &eccKey;
#else
void* pkey = NULL;
#endif
rc = wolfTPM2_ExportPublicKeyBuffer(&dev, pkey,
ENCODING_TYPE_ASN1, der, &derSz);
if (rc < 0) {
printf("Failed to export TPM public key!\n");
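Review bot: The `#else` branch leaves `pkey` NULL and still calls `wolfTPM2_ExportPublicKeyBuffer`, so a build with `NO_RSA` and without `HAVE_ECC` compiles but the server can only discover at runtime that it has no key to export; `#error "TLS server example requires RSA or ECC"` in that branch surfaces the unsupported configuration at build time instead. This four-way selection is duplicated verbatim in examples/tls/tls_client.c in the same commit, and the two already differ in their error strings; a small helper or macro in the shared examples header would keep them from drifting further. TPM2_TLS_ServerArgs starts and ends outside the hunk.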
