From 1184cd89179159fcc3c89ee4c4e29c10ee3e067b Mon Sep 17 00:00:00 2001 From: David Garske Date: Fri, 16 Aug 2024 08:35:31 -0700 Subject: [PATCH] Fixes and new tests for building wolfCrypt/wolfTPM without ECC or RSA. Fixes ZD 18470. --- .github/workflows/make-test-swtpm.yml | 56 ++++++++-- examples/boot/secure_rot.c | 1 + examples/run_examples.sh | 145 ++++++++++++++++++-------- examples/tls/tls_client.c | 11 +- examples/tls/tls_server.c | 11 +- examples/wrap/wrap_test.c | 12 ++- src/tpm2_cryptocb.c | 7 +- src/tpm2_wrap.c | 17 ++- wolftpm/tpm2_types.h | 12 ++- 9 files changed, 204 insertions(+), 68 deletions(-) diff --git a/.github/workflows/make-test-swtpm.yml b/.github/workflows/make-test-swtpm.yml index e61e8528..a8a4d679 100644 --- a/.github/workflows/make-test-swtpm.yml +++ b/.github/workflows/make-test-swtpm.yml @@ -12,10 +12,10 @@ jobs: runs-on: ubuntu-latest steps: -#pull wolfTPM +# pull wolfTPM - uses: actions/checkout@master -#setup wolfssl +# setup wolfssl - uses: actions/checkout@master with: repository: wolfssl/wolfssl @@ -30,7 +30,7 @@ jobs: working-directory: ./wolfssl run: sudo make install -#setup ibmswtpm2 +# setup ibmswtpm2 - uses: actions/checkout@master with: repository: kgoldman/ibmswtpm2 @@ -41,7 +41,7 @@ jobs: make ./tpm_server & -#setup and test defaults (with simulator) +# setup and test defaults (with simulator) - name: autogen run: ./autogen.sh - name: configure @@ -74,7 +74,7 @@ jobs: run: | LD_LIBRARY_PATH=../../src/.libs/:../../wolfssl/src/.libs/ nunit-console wolfTPM.dll -#test no wolfcrypt +# test no wolfcrypt - name: configure no wolfCrypt run: ./configure --enable-swtpm --disable-wolfcrypt - name: make no wolfCrypt @@ -82,9 +82,9 @@ jobs: - name: make check no wolfCrypt run: | make check - WOLFSSL_PATH=./wolfssl WOLFCRYPT_ENABLE=0 ./examples/run_examples.sh + WOLFSSL_PATH=./wolfssl WOLFCRYPT_ENABLE=0 ./examples/run_examples.sh -#test no wrapper +# test no wrapper - name: configure no wrapper run: ./configure --enable-swtpm --disable-wrapper - name: make no wrapper @@ -138,6 +138,48 @@ jobs: - name: make pedantic run: make +# test without ECC + - name: wolfssl no ECC + working-directory: ./wolfssl + run: | + ./configure --enable-wolftpm --disable-ecc + make + sudo make install + - name: wolftpm no ECC + run: | + ./configure --enable-swtpm + make + make check + WOLFSSL_PATH=./wolfssl ./examples/run_examples.sh + +# test without RSA + - name: wolfssl no RSA + working-directory: ./wolfssl + run: | + ./configure --enable-wolftpm --disable-rsa + make + sudo make install + - name: wolftpm no RSA + run: | + ./configure --enable-swtpm + make + make check + WOLFSSL_PATH=./wolfssl ./examples/run_examples.sh + +# test with default configure (no AES CFB, no PKCS7, no crpyto cb, no cert gen) + - name: wolfssl default configure + working-directory: ./wolfssl + run: | + ./configure CFLAGS="-DWOLFSSL_PUBLIC_MP" + make + sudo make install + - name: wolftpm default configure + run: | + ./configure --enable-swtpm + make + make check + WOLFSSL_PATH=./wolfssl WOLFCRYPT_DEFAULT=1 ./examples/run_examples.sh + # capture logs on failure - name: Upload failure logs if: failure() diff --git a/examples/boot/secure_rot.c b/examples/boot/secure_rot.c index dfc86be6..7deaec95 100644 --- a/examples/boot/secure_rot.c +++ b/examples/boot/secure_rot.c @@ -90,6 +90,7 @@ int TPM2_Boot_SecureROT_Example(void* userCtx, int argc, char *argv[]) XMEMSET(&parent, 0, sizeof(parent)); XMEMSET(authBuf, 0, sizeof(authBuf)); XMEMSET(digest, 0, sizeof(digest)); + XMEMSET(&nv, 0, sizeof(nv)); if (argc >= 2) { if (XSTRCMP(argv[1], "-?") == 0 || diff --git a/examples/run_examples.sh b/examples/run_examples.sh index e6d037c4..769585fd 100755 --- a/examples/run_examples.sh +++ b/examples/run_examples.sh @@ -10,6 +10,9 @@ fi if [ -z "$WOLFCRYPT_ENABLE" ]; then WOLFCRYPT_ENABLE=1 fi +if [ -z "$WOLFCRYPT_DEFAULT" ]; then + WOLFCRYPT_DEFAULT=0 +fi rm -f run.out touch run.out @@ -100,20 +103,29 @@ RESULT=$? RESULT=$? [ $RESULT -ne 0 ] && echo -e "keyload rsa failed! $RESULT" && exit 1 if [ $WOLFCRYPT_ENABLE -eq 1 ]; then - ./examples/keygen/keygen keyblob.bin -rsa -aes >> run.out 2>&1 + ./examples/keygen/keygen keyblob.bin -rsa -xor >> run.out 2>&1 RESULT=$? - [ $RESULT -ne 0 ] && echo -e "keygen rsa param enc failed! $RESULT" && exit 1 - ./examples/keygen/keyload keyblob.bin -aes >> run.out 2>&1 + [ $RESULT -ne 0 ] && echo -e "keygen rsa param enc xor failed! $RESULT" && exit 1 + ./examples/keygen/keyload keyblob.bin -xor >> run.out 2>&1 RESULT=$? - [ $RESULT -ne 0 ] && echo -e "keyload rsa param enc failed! $RESULT" && exit 1 + [ $RESULT -ne 0 ] && echo -e "keyload rsa param enc xor failed! $RESULT" && exit 1 - ./examples/keygen/keyimport rsakeyblob.bin -rsa >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "keyload rsa import load failed! $RESULT" && exit 1 - ./examples/keygen/keyload rsakeyblob.bin >> run.out 2>&1 - RESULT=$? - rm -f rsakeyblob.bin - [ $RESULT -ne 0 ] && echo -e "keyload rsa import load failed! $RESULT" && exit 1 + if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then + ./examples/keygen/keygen keyblob.bin -rsa -aes >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "keygen rsa param enc aes failed! $RESULT" && exit 1 + ./examples/keygen/keyload keyblob.bin -aes >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "keyload rsa param enc aes failed! $RESULT" && exit 1 + ./examples/keygen/keyimport rsakeyblob.bin -rsa >> run.out 2>&1 + + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "keyload rsa import load failed! $RESULT" && exit 1 + ./examples/keygen/keyload rsakeyblob.bin >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "keyload rsa load failed! $RESULT" && exit 1 + rm -f rsakeyblob.bin + fi fi # keeping keyblob.bin for later tests @@ -124,15 +136,17 @@ RESULT=$? RESULT=$? [ $RESULT -ne 0 ] && echo -e "keyload ecc failed! $RESULT" && exit 1 if [ $WOLFCRYPT_ENABLE -eq 1 ]; then - ./examples/keygen/keygen ecckeyblob.bin -ecc -aes >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "keygen ecc param enc failed! $RESULT" && exit 1 - ./examples/keygen/keyload ecckeyblob.bin -aes >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "keyload ecc param enc failed! $RESULT" && exit 1 - ./examples/keygen/keyimport ecckeyblob.bin -ecc >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "keyload ecc import failed! $RESULT" && exit 1 + if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then + ./examples/keygen/keygen ecckeyblob.bin -ecc -aes >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "keygen ecc param enc failed! $RESULT" && exit 1 + ./examples/keygen/keyload ecckeyblob.bin -aes >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "keyload ecc param enc failed! $RESULT" && exit 1 + ./examples/keygen/keyimport ecckeyblob.bin -ecc >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "keyload ecc import failed! $RESULT" && exit 1 + fi fi rm -f ecckeyblob.bin @@ -173,12 +187,21 @@ fi # NV Tests echo -e "NV Tests" if [ $WOLFCRYPT_ENABLE -eq 1 ]; then - ./examples/nvram/store -aes >> run.out 2>&1 + ./examples/nvram/store -xor >> run.out 2>&1 RESULT=$? - [ $RESULT -ne 0 ] && echo -e "nv store param enc failed! $RESULT" && exit 1 - ./examples/nvram/read -aes >> run.out 2>&1 + [ $RESULT -ne 0 ] && echo -e "nv store param enc xorfailed! $RESULT" && exit 1 + ./examples/nvram/read -xor >> run.out 2>&1 RESULT=$? - [ $RESULT -ne 0 ] && echo -e "nv read param enc failed! $RESULT" && exit 1 + [ $RESULT -ne 0 ] && echo -e "nv read param enc xor failed! $RESULT" && exit 1 + + if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then + ./examples/nvram/store -aes >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "nv store param enc aes failed! $RESULT" && exit 1 + ./examples/nvram/read -aes >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "nv read param enc aes failed! $RESULT" && exit 1 + fi fi ./examples/nvram/store -priv >> run.out 2>&1 RESULT=$? @@ -187,12 +210,21 @@ RESULT=$? RESULT=$? [ $RESULT -ne 0 ] && echo -e "nv read priv only failed! $RESULT" && exit 1 if [ $WOLFCRYPT_ENABLE -eq 1 ]; then - ./examples/nvram/store -priv -aes >> run.out 2>&1 + ./examples/nvram/store -priv -xor >> run.out 2>&1 RESULT=$? - [ $RESULT -ne 0 ] && echo -e "nv store priv only param enc failed! $RESULT" && exit 1 - ./examples/nvram/read -priv -aes >> run.out 2>&1 + [ $RESULT -ne 0 ] && echo -e "nv store priv only param enc xor failed! $RESULT" && exit 1 + ./examples/nvram/read -priv -xor >> run.out 2>&1 RESULT=$? - [ $RESULT -ne 0 ] && echo -e "nv read priv only param enc failed! $RESULT" && exit 1 + [ $RESULT -ne 0 ] && echo -e "nv read priv only param enc xor failed! $RESULT" && exit 1 + + if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then + ./examples/nvram/store -priv -aes >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "nv store priv only param enc aes failed! $RESULT" && exit 1 + ./examples/nvram/read -priv -aes >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "nv read priv only param enc aes failed! $RESULT" && exit 1 + fi fi ./examples/nvram/store -pub >> run.out 2>&1 RESULT=$? @@ -217,7 +249,7 @@ RESULT=$? RESULT=$? [ $RESULT -ne 0 ] && echo -e "keygen ecc test for csr failed! $RESULT" && exit 1 -if [ $WOLFCRYPT_ENABLE -eq 1 ]; then +if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ]; then ./examples/csr/csr -cert >> run.out 2>&1 RESULT=$? [ $RESULT -ne 0 ] && echo -e "cert self-signed failed! $RESULT" && exit 1 @@ -236,7 +268,7 @@ fi # PKCS7 Tests echo -e "PKCS7 tests" -if [ $WOLFCRYPT_ENABLE -eq 1 ]; then +if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ]; then ./examples/pkcs7/pkcs7 >> run.out 2>&1 RESULT=$? [ $RESULT -ne 0 ] && echo -e "pkcs7 failed! $RESULT" && exit 1 @@ -291,7 +323,7 @@ run_tpm_tls_server() { # Usage: run_tpm_tls_server [ecc/rsa] [tpmargs]] popd >> run.out 2>&1 } -if [ $WOLFCRYPT_ENABLE -eq 1 ]; then +if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ]; then # Run with Crypto CB run_tpm_tls_client "rsa" "" run_tpm_tls_client "rsa" "-aes" @@ -382,17 +414,29 @@ RESULT=$? RESULT=$? [ $RESULT -ne 0 ] && echo -e "pcr quote failed! $RESULT" && exit 1 if [ $WOLFCRYPT_ENABLE -eq 1 ]; then - ./examples/pcr/quote 16 zip.quote -aes >> run.out 2>&1 + ./examples/pcr/quote 16 zip.quote -xor >> run.out 2>&1 RESULT=$? - [ $RESULT -ne 0 ] && echo -e "pcr quote param enc failed! $RESULT" && exit 1 + [ $RESULT -ne 0 ] && echo -e "pcr quote param enc xor failed! $RESULT" && exit 1 + + if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then + ./examples/pcr/quote 16 zip.quote -aes >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "pcr quote param enc aes failed! $RESULT" && exit 1 + fi fi ./examples/pcr/quote 16 zip.quote -ecc >> run.out 2>&1 RESULT=$? [ $RESULT -ne 0 ] && echo -e "pcr quote ecc failed! $RESULT" && exit 1 if [ $WOLFCRYPT_ENABLE -eq 1 ]; then - ./examples/pcr/quote 16 zip.quote -ecc -aes >> run.out 2>&1 + ./examples/pcr/quote 16 zip.quote -ecc -xor >> run.out 2>&1 RESULT=$? - [ $RESULT -ne 0 ] && echo -e "pcr quote ecc param enc failed! $RESULT" && exit 1 + [ $RESULT -ne 0 ] && echo -e "pcr quote ecc param enc xor failed! $RESULT" && exit 1 + + if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then + ./examples/pcr/quote 16 zip.quote -ecc -aes >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "pcr quote ecc param enc aes failed! $RESULT" && exit 1 + fi fi rm -f zip.quote @@ -403,14 +447,20 @@ echo -e "Benchmark tests" RESULT=$? [ $RESULT -ne 0 ] && echo -e "bench failed! $RESULT" && exit 1 if [ $WOLFCRYPT_ENABLE -eq 1 ]; then - ./examples/bench/bench -maxdur=25 -aes >> run.out 2>&1 + ./examples/bench/bench -maxdur=25 -xor >> run.out 2>&1 RESULT=$? - [ $RESULT -ne 0 ] && echo -e "bench (AES param enc) failed! $RESULT" && exit 1 + [ $RESULT -ne 0 ] && echo -e "bench (XOR param enc) failed! $RESULT" && exit 1 + + if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then + ./examples/bench/bench -maxdur=25 -aes >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "bench (AES param enc) failed! $RESULT" && exit 1 + fi fi # Secure Boot ROT echo -e "Secure Boot ROT (Root of Trust) test" -if [ $WOLFCRYPT_ENABLE -eq 1 ]; then +if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ]; then ./examples/boot/secure_rot -nvindex=0x1400200 -authstr=test -write=./certs/example-ecc256-key-pub.der >> run.out 2>&1 RESULT=$? [ $RESULT -ne 0 ] && echo -e "secure rot write ecc256! $RESULT" && exit 1 @@ -456,18 +506,27 @@ RESULT=$? rm -f sealedkeyblob.bin if [ $WOLFCRYPT_ENABLE -eq 1 ]; then - ./examples/seal/seal sealedkeyblob.bin mySecretMessage -aes >> run.out 2>&1 + ./examples/seal/seal sealedkeyblob.bin mySecretMessage -xor >> run.out 2>&1 RESULT=$? - [ $RESULT -ne 0 ] && echo -e "seal aes failed! $RESULT" && exit 1 - ./examples/seal/unseal message.raw sealedkeyblob.bin -aes >> run.out 2>&1 + [ $RESULT -ne 0 ] && echo -e "seal xor failed! $RESULT" && exit 1 + ./examples/seal/unseal message.raw sealedkeyblob.bin -xor >> run.out 2>&1 RESULT=$? - [ $RESULT -ne 0 ] && echo -e "unseal aes failed! $RESULT" && exit 1 + [ $RESULT -ne 0 ] && echo -e "unseal xor failed! $RESULT" && exit 1 + + if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then + ./examples/seal/seal sealedkeyblob.bin mySecretMessage -aes >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "seal aes failed! $RESULT" && exit 1 + ./examples/seal/unseal message.raw sealedkeyblob.bin -aes >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "unseal aes failed! $RESULT" && exit 1 + fi rm -f sealedkeyblob.bin fi # Seal/Unseal (Policy auth) echo -e "Seal/Unseal (Policy auth)" -if [ $WOLFCRYPT_ENABLE -eq 1 ]; then +if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ]; then # Extend "aaa" to test PCR 16 echo aaa > aaa.bin ./examples/pcr/reset 16 >> run.out 2>&1 diff --git a/examples/tls/tls_client.c b/examples/tls/tls_client.c index 575b2be5..97b970a5 100644 --- a/examples/tls/tls_client.c +++ b/examples/tls/tls_client.c @@ -394,7 +394,16 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[]) /* Export TPM public key as DER */ byte der[1024]; word32 derSz = (word32)sizeof(der); - rc = wolfTPM2_ExportPublicKeyBuffer(&dev, !useECC ? &rsaKey : &eccKey, + #if defined(HAVE_ECC) && !defined(NO_RSA) + void* pkey = !useECC ? &rsaKey : &eccKey; + #elif !defined(NO_RSA) + void* pkey = &rsaKey; + #elif defined(HAVE_ECC) + void* pkey = &eccKey; + #else + void* pkey = NULL; + #endif + rc = wolfTPM2_ExportPublicKeyBuffer(&dev, pkey, ENCODING_TYPE_ASN1, der, &derSz); if (rc < 0) { printf("Failed to export RSA public key!\n"); diff --git a/examples/tls/tls_server.c b/examples/tls/tls_server.c index ec021379..e5c51bbe 100644 --- a/examples/tls/tls_server.c +++ b/examples/tls/tls_server.c @@ -390,7 +390,16 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[]) /* Export TPM public key as DER */ byte der[1024]; word32 derSz = (word32)sizeof(der); - rc = wolfTPM2_ExportPublicKeyBuffer(&dev, !useECC ? &rsaKey : &eccKey, + #if defined(HAVE_ECC) && !defined(NO_RSA) + void* pkey = !useECC ? &rsaKey : &eccKey; + #elif !defined(NO_RSA) + void* pkey = &rsaKey; + #elif defined(HAVE_ECC) + void* pkey = &eccKey; + #else + void* pkey = NULL; + #endif + rc = wolfTPM2_ExportPublicKeyBuffer(&dev, pkey, ENCODING_TYPE_ASN1, der, &derSz); if (rc < 0) { printf("Failed to export TPM public key!\n"); diff --git a/examples/wrap/wrap_test.c b/examples/wrap/wrap_test.c index 0ead4b3b..e9eb3027 100644 --- a/examples/wrap/wrap_test.c +++ b/examples/wrap/wrap_test.c @@ -447,7 +447,7 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[]) rc = wolfTPM2_UnloadHandle(&dev, &publicKey.handle); if (rc != 0) goto exit; -#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_RSA) && !defined(NO_ASN) +#if defined(WOLFTPM2_PRIVATE_IMPORT) && !defined(NO_RSA) /* Load RSA private key into TPM */ rc = wc_InitRsaKey(&wolfRsaPrivKey, NULL); if (rc != 0) goto exit; @@ -470,13 +470,15 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[]) kRsaKeyPubModulus, (word32)sizeof(kRsaKeyPubModulus), kRsaKeyPubExponent, kRsaKeyPrivQ, (word32)sizeof(kRsaKeyPrivQ)); - if (rc != 0) goto exit; + if (rc != 0) { + goto exit; + } /* Use TPM Handle... */ printf("RSA Private Key Loaded into TPM: Handle 0x%x\n", (word32)rsaKey.handle.hndl); rc = wolfTPM2_UnloadHandle(&dev, &rsaKey.handle); if (rc != 0) goto exit; -#endif /* !WOLFTPM2_NO_WOLFCRYPT && !NO_RSA */ +#endif /* WOLFTPM2_PRIVATE_IMPORT && !NO_RSA */ /* Close TPM session based on RSA storage key */ wolfTPM2_UnloadHandle(&dev, &tpmSession.handle); @@ -666,7 +668,7 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[]) rc = wolfTPM2_UnloadHandle(&dev, &publicKey.handle); if (rc != 0) goto exit; -#if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(HAVE_ECC) +#if defined(WOLFTPM2_PRIVATE_IMPORT) && defined(HAVE_ECC) /* Load ECC DER Private Key into TPM */ rc = wc_ecc_init(&wolfEccPrivKey); if (rc != 0) goto exit; @@ -701,7 +703,7 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[]) (word32)eccKey.handle.hndl); rc = wolfTPM2_UnloadHandle(&dev, &eccKey.handle); if (rc != 0) goto exit; -#endif /* !WOLFTPM2_NO_WOLFCRYPT && HAVE_ECC */ +#endif /* WOLFTPM2_PRIVATE_IMPORT && HAVE_ECC */ #if 0 /* disabled until ECC Encrypted salt is added */ /* Close TPM session based on ECC storage key */ diff --git a/src/tpm2_cryptocb.c b/src/tpm2_cryptocb.c index 7fc4757d..c8edb566 100644 --- a/src/tpm2_cryptocb.c +++ b/src/tpm2_cryptocb.c @@ -27,9 +27,8 @@ #if !defined(WOLFTPM2_NO_WRAPPER) -#if defined(WOLFTPM_CRYPTOCB) || \ - (defined(HAVE_PK_CALLBACKS) && !defined(WOLFCRYPT_ONLY)) - +#if defined(HAVE_ECC) && (defined(WOLFTPM_CRYPTOCB) || \ + (defined(HAVE_PK_CALLBACKS) && !defined(WOLFCRYPT_ONLY))) /* Helper to trim leading zeros when not required */ static byte* wolfTPM2_ASNTrimZeros(byte* in, word32* len) { @@ -41,7 +40,7 @@ static byte* wolfTPM2_ASNTrimZeros(byte* in, word32* len) *len -= idx; return in; } -#endif /* WOLFTPM_CRYPTOCB || HAVE_PK_CALLBACKS */ +#endif #ifdef WOLFTPM_CRYPTOCB diff --git a/src/tpm2_wrap.c b/src/tpm2_wrap.c index 852b35fa..b9c30aa2 100644 --- a/src/tpm2_wrap.c +++ b/src/tpm2_wrap.c @@ -970,8 +970,10 @@ int wolfTPM2_SetAuthHandle(WOLFTPM2_DEV* dev, int index, #ifdef WOLFTPM_DEBUG_VERBOSE printf("Session %d: Edit (PolicyAuth)\n", index); printf("\tHandle 0x%x (not touching)\n", session->sessionHandle); - printf("\tPolicyAuth %d->%d\n", session->policyAuth, handle->policyAuth); - printf("\tAuth Sz %d -> %d\n", session->auth.size, authDigestSz + handle->auth.size); + printf("\tPolicyAuth %d->%d\n", + session->policyAuth, handle->policyAuth); + printf("\tAuth Sz %d -> %d\n", session->auth.size, + authDigestSz + handle->auth.size); TPM2_PrintBin(session->auth.buffer, session->auth.size); TPM2_PrintBin(handle->auth.buffer, handle->auth.size); printf("\tName Sz %d -> %d\n", session->name.size, handle->name.size); @@ -979,8 +981,13 @@ int wolfTPM2_SetAuthHandle(WOLFTPM2_DEV* dev, int index, TPM2_PrintBin(handle->name.name, handle->name.size); #endif session->policyAuth = handle->policyAuth; + if ((word32)handle->auth.size + authDigestSz > + sizeof(session->auth.buffer)) { + return BUFFER_E; + } session->auth.size = authDigestSz + handle->auth.size; - XMEMCPY(&session->auth.buffer[authDigestSz], handle->auth.buffer, handle->auth.size); + XMEMCPY(&session->auth.buffer[authDigestSz], handle->auth.buffer, + handle->auth.size); session->name.size = handle->name.size; XMEMCPY(session->name.name, handle->name.name, handle->name.size); return TPM_RC_SUCCESS; @@ -2085,8 +2092,7 @@ static int SensitiveToPrivate(TPM2B_SENSITIVE* sens, TPM2B_PRIVATE* priv, TPMT_SYM_DEF_OBJECT* sym, TPM2B_DATA* symSeed, int useIv) { int rc = 0; -#if !defined(WOLFTPM2_NO_WOLFCRYPT) && \ - !defined(NO_AES) && defined(WOLFSSL_AES_CFB) && !defined(NO_HMAC) +#ifdef WOLFTPM2_PRIVATE_IMPORT int outerWrap = 0, innerWrap = 0; int digestSz = 0; int integritySz = 0; @@ -2967,6 +2973,7 @@ int wolfTPM2_ExportPublicKeyBuffer(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey, } } #else + (void)out; rc = NOT_COMPILED_IN; #endif } diff --git a/wolftpm/tpm2_types.h b/wolftpm/tpm2_types.h index 3635ef62..2fd545ea 100644 --- a/wolftpm/tpm2_types.h +++ b/wolftpm/tpm2_types.h @@ -646,6 +646,7 @@ typedef int64_t INT64; #ifndef WOLFTPM2_WRAP_DIGEST #define WOLFTPM2_WRAP_DIGEST TPM_ALG_SHA256 #endif + /* Defines the default RSA key bits for the wrapper functions */ #ifndef WOLFTPM2_WRAP_RSA_KEY_BITS #define WOLFTPM2_WRAP_RSA_KEY_BITS MAX_RSA_KEY_BITS @@ -672,17 +673,24 @@ typedef int64_t INT64; #if !defined(WOLFTPM2_NO_HEAP) && defined(WOLFSSL_PEM_TO_DER) && \ (defined(WOLFSSL_CERT_EXT) || defined(WOLFSSL_PUB_PEM_TO_DER)) && \ !defined(NO_ASN) + /* Enable the certificate PEM decode support */ #define WOLFTPM2_PEM_DECODE #endif -/* Firmware upgrade requires wolfCrypt for hash and supported - * only for Infineon SLB9672/SLB9673 */ +/* Firmware upgrade requires wolfCrypt for hashing. + * Supported only for Infineon SLB9672/SLB9673 */ #if defined(WOLFTPM_FIRMWARE_UPGRADE) && \ (defined(WOLFTPM2_NO_WOLFCRYPT) || \ (!defined(WOLFTPM_SLB9672) && !defined(WOLFTPM_SLB9673))) #undef WOLFTPM_FIRMWARE_UPGRADE #endif +#if !defined(WOLFTPM2_NO_WOLFCRYPT) && \ + !defined(NO_AES) && defined(WOLFSSL_AES_CFB) && !defined(NO_HMAC) + /* Support for importing external private keys */ + #define WOLFTPM2_PRIVATE_IMPORT +#endif + /* ---------------------------------------------------------------------------*/ /* ENDIANESS HELPERS */