Skip to content

Commit

Permalink
Added support for PK callbacks with RSA Sign using PKCSv1.5 and PSS.
Browse files Browse the repository at this point in the history 
Fixes for building wolfTPM without crypto callbacks.
Fixes for building/running with FIPS.
  • Loading branch information
@dgarske
dgarske committed Dec 1, 2023
1 parent 18e6177 commit cba83d1
Show file tree
Hide file tree
Showing 12 changed files with 609 additions and 34 deletions.
2 changes: 2 additions & 0 deletions docs/WindowTBS.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,8 @@ make
./examples
```

Note: To install the development base tools on MSYS2 use: `pacman -s base-devel` and `pacman -S mingw-w64-x86_64-toolchain`.

## Building on linux

Tested using mingw-w32-bin_x86_64-linux_20131221.tar.bz2
Expand Down
8 changes: 5 additions & 3 deletions examples/csr/csr.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,8 @@

#include <stdio.h>

#if !defined(WOLFTPM2_NO_WRAPPER) && defined(WOLFTPM2_CERT_GEN)
#if !defined(WOLFTPM2_NO_WRAPPER) && defined(WOLFTPM2_CERT_GEN) && \
defined(WOLFTPM_CRYPTOCB)

#include <hal/tpm_io.h>
#include <examples/tpm_test.h>
Expand Down Expand Up @@ -252,14 +253,15 @@ int TPM2_CSR_ExampleArgs(void* userCtx, int argc, char *argv[])
/* --- END TPM2 CSR Example -- */
/******************************************************************************/

#endif /* !WOLFTPM2_NO_WRAPPER && WOLFTPM2_CERT_GEN */
#endif /* !WOLFTPM2_NO_WRAPPER && WOLFTPM2_CERT_GEN && WOLFTPM_CRYPTOCB */

#ifndef NO_MAIN_DRIVER
int main(int argc, char *argv[])
{
int rc = -1;

#if !defined(WOLFTPM2_NO_WRAPPER) && defined(WOLFTPM2_CERT_GEN)
#if !defined(WOLFTPM2_NO_WRAPPER) && defined(WOLFTPM2_CERT_GEN) && \
defined(WOLFTPM_CRYPTOCB)
rc = TPM2_CSR_ExampleArgs(NULL, argc, argv);
#else
(void)argc;
Expand Down
7 changes: 5 additions & 2 deletions examples/run_examples.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -176,9 +176,11 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
[ $RESULT -ne 0 ] && echo -e "pkcs7 failed! $RESULT" && exit 1
fi

# TLS Tests RSA
# TLS Tests
echo -e "TLS tests"
generate_port() { # function to produce a random port number
generate_port() {
# for now it is okay to use the same port
# Note: The SW TPM uses many local ports, which can cause bind() issue
port=11111
echo -e "Using port $port"
echo -e "Using port $port" >> run.out
Expand All @@ -193,6 +195,7 @@ run_tpm_tls_client() { # Usage: run_tpm_tls_client [ecc/rsa] [tpmargs]]
[ $RESULT -ne 0 ] && echo -e "tls server $1 $2 failed! $RESULT" && exit 1
popd >> run.out
sleep 0.1

./examples/tls/tls_client -p=$port -$1 $2 2>&1 >> run.out
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "tpm tls client $1 $2 failed! $RESULT" && exit 1
Expand Down
57 changes: 45 additions & 12 deletions examples/tls/tls_client.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@

#include <stdio.h>

#if !defined(WOLFTPM2_NO_WRAPPER) && defined(WOLFTPM_CRYPTOCB) && \
#if !defined(WOLFTPM2_NO_WRAPPER) && \
!defined(NO_WOLFSSL_CLIENT) && !defined(WOLFCRYPT_ONLY)

#include <hal/tpm_io.h>
Expand Down Expand Up @@ -83,6 +83,9 @@ static void usage(void)
printf("* -ecc: Use RSA or ECC key\n");
printf("* -aes/xor: Use Parameter Encryption\n");
printf("* -p=port: Supply a custom port number (default %d)\n", TLS_PORT);
#if defined(WOLFTPM_CRYPTOCB) && defined(HAVE_PK_CALLBACKS)
printf("* -pk: Use PK callbacks, not crypto callbacks\n");
#endif
}

int TPM2_TLS_Client(void* userCtx)
Expand All @@ -108,7 +111,7 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
#endif
TpmCryptoDevCtx tpmCtx;
SockIoCbCtx sockIoCtx;
int tpmDevId;
int tpmDevId = INVALID_DEVID;
WOLFSSL_CTX* ctx = NULL;
WOLFSSL* ssl = NULL;
#ifndef TLS_BENCH_MODE
Expand All @@ -121,6 +124,7 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
int i;
#endif
int useECC = 0;
int usePK = 0;
TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
WOLFTPM2_SESSION tpmSession;
TPMT_PUBLIC publicTemplate;
Expand All @@ -139,6 +143,10 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
#ifdef HAVE_ECC
XMEMSET(&eccKey, 0, sizeof(eccKey));
XMEMSET(&wolfEccKey, 0, sizeof(wolfEccKey));
#ifndef WOLFTPM2_USE_SW_ECDHE
/* Ephemeral Key */
XMEMSET(&ecdhKey, 0, sizeof(ecdhKey));
#endif
#endif
XMEMSET(&tpmSession, 0, sizeof(tpmSession));

Expand All @@ -163,6 +171,11 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
else if (XSTRCMP(argv[argc-1], "-xor") == 0) {
paramEncAlg = TPM_ALG_XOR;
}
#if defined(WOLFTPM_CRYPTOCB) && defined(HAVE_PK_CALLBACKS)
else if (XSTRCMP(argv[argc-1], "-pk") == 0) {
usePK = 1;
}
#endif
else if (XSTRNCMP(argv[argc-1], "-p=", XSTRLEN("-p=")) == 0) {
const char* portStr = argv[argc-1] + XSTRLEN("-p=");
port = (word32)XATOI(portStr);
Expand All @@ -183,6 +196,7 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
}

/* Setup the wolf crypto device callback */
tpmCtx.dev = &dev;
#ifndef NO_RSA
tpmCtx.rsaKey = &rsaKey;
#endif
Expand All @@ -193,9 +207,14 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
#ifdef WOLFTPM_USE_SYMMETRIC
tpmCtx.useSymmetricOnTPM = 1;
#endif
rc = wolfTPM2_SetCryptoDevCb(&dev, wolfTPM2_CryptoDevCb, &tpmCtx, &tpmDevId);
if (rc != 0) goto exit;

#ifdef WOLFTPM_CRYPTOCB
if (!usePK) {
rc = wolfTPM2_SetCryptoDevCb(&dev, wolfTPM2_CryptoDevCb, &tpmCtx, &tpmDevId);
if (rc != 0) goto exit;
}
#endif
/* See if primary storage key already exists */
rc = getPrimaryStoragekey(&dev, &storageKey, TPM_ALG_RSA);
if (rc != 0) goto exit;

Expand All @@ -209,7 +228,8 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])

/* set session for authorization of the storage key */
rc = wolfTPM2_SetAuthSession(&dev, 0, &tpmSession,
(TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | TPMA_SESSION_continueSession));
(TPMA_SESSION_decrypt | TPMA_SESSION_encrypt |
TPMA_SESSION_continueSession));
if (rc != 0) goto exit;
}

Expand Down Expand Up @@ -251,7 +271,6 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])

#ifndef WOLFTPM2_USE_SW_ECDHE
/* Ephemeral Key */
XMEMSET(&ecdhKey, 0, sizeof(ecdhKey));
tpmCtx.ecdhKey = &ecdhKey;
#endif
#endif /* HAVE_ECC */
Expand All @@ -269,6 +288,13 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
wolfSSL_CTX_SetIORecv(ctx, SockIORecv);
wolfSSL_CTX_SetIOSend(ctx, SockIOSend);

/* Setup PK callbacks */
#ifdef HAVE_PK_CALLBACKS
if (usePK) {
wolfTPM_PK_SetCb(ctx);
}
#endif

/* Server certificate validation */
/* Note: Can use "WOLFSSL_VERIFY_NONE" to skip server cert validation */
wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, myVerify);
Expand Down Expand Up @@ -456,6 +482,13 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
goto exit;
}

/* Setup PK Callback context */
#ifdef HAVE_PK_CALLBACKS
if (usePK) {
wolfTPM_PK_SetCbCtx(ssl, &tpmCtx);
}
#endif

/* Setup socket and connection */
rc = SetupSocketAndConnect(&sockIoCtx, TLS_HOST, port);
if (rc != 0) goto exit;
Expand Down Expand Up @@ -564,10 +597,11 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
printf("Shutdown not complete\n");
}

CloseAndCleanupSocket(&sockIoCtx);
wolfSSL_free(ssl);
wolfSSL_CTX_free(ctx);

CloseAndCleanupSocket(&sockIoCtx);

wolfTPM2_UnloadHandle(&dev, &storageKey.handle);
#ifndef NO_RSA
wc_FreeRsaKey(&wolfRsaKey);
Expand All @@ -591,23 +625,22 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
/* --- END TPM TLS Client Example -- */
/******************************************************************************/

#endif /* !WOLFTPM2_NO_WRAPPER && WOLFTPM_CRYPTOCB && !NO_WOLFSSL_CLIENT && \
* !WOLFCRYPT_ONLY */
#endif /* !WOLFTPM2_NO_WRAPPER && !NO_WOLFSSL_CLIENT && !WOLFCRYPT_ONLY */

#ifndef NO_MAIN_DRIVER
int main(int argc, char* argv[])
{
int rc = -1;

#if !defined(WOLFTPM2_NO_WRAPPER) && defined(WOLFTPM_CRYPTOCB) && \
#if !defined(WOLFTPM2_NO_WRAPPER) && \
!defined(NO_WOLFSSL_CLIENT) && !defined(WOLFCRYPT_ONLY)
rc = TPM2_TLS_ClientArgs(NULL, argc, argv);
#else
(void)argc;
(void)argv;

printf("Wrapper/Crypto callback code or TLS support not compiled in\n");
printf("Build wolfssl with ./configure --enable-cryptocb\n");
printf("TPM Wrapper or PK//Crypto callback or TLS support not compiled in\n");
printf("Build wolfssl with ./configure --enable-wolftpm\n");
#endif

return rc;
Expand Down
45 changes: 36 additions & 9 deletions examples/tls/tls_server.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@

#include <stdio.h>

#if !defined(WOLFTPM2_NO_WRAPPER) && defined(WOLFTPM_CRYPTOCB) && \
#if !defined(WOLFTPM2_NO_WRAPPER) && \
!defined(NO_WOLFSSL_SERVER) && !defined(WOLFCRYPT_ONLY)

#include <hal/tpm_io.h>
Expand Down Expand Up @@ -80,6 +80,9 @@ static void usage(void)
printf("* -ecc: Use RSA or ECC key\n");
printf("* -aes/xor: Use Parameter Encryption\n");
printf("* -p=port: Supply a custom port number (default %d)\n", TLS_PORT);
#if defined(WOLFTPM_CRYPTOCB) && defined(HAVE_PK_CALLBACKS)
printf("* -pk: Use PK callbacks, not crypto callbacks\n");
#endif
}

int TPM2_TLS_Server(void* userCtx)
Expand All @@ -104,7 +107,7 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
#endif
TpmCryptoDevCtx tpmCtx;
SockIoCbCtx sockIoCtx;
int tpmDevId;
int tpmDevId = INVALID_DEVID;
WOLFSSL_CTX* ctx = NULL;
WOLFSSL* ssl = NULL;
#ifndef TLS_BENCH_MODE
Expand All @@ -128,6 +131,7 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
int total_size;
#endif
int useECC = 0;
int usePK = 0;
TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
WOLFTPM2_SESSION tpmSession;
TPMT_PUBLIC publicTemplate;
Expand Down Expand Up @@ -174,6 +178,11 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
else if (XSTRCMP(argv[argc-1], "-xor") == 0) {
paramEncAlg = TPM_ALG_XOR;
}
#if defined(WOLFTPM_CRYPTOCB) && defined(HAVE_PK_CALLBACKS)
else if (XSTRCMP(argv[argc-1], "-pk") == 0) {
usePK = 1;
}
#endif
else if (XSTRNCMP(argv[argc-1], "-p=", XSTRLEN("-p=")) == 0) {
const char* portStr = argv[argc-1] + XSTRLEN("-p=");
port = (word32)XATOI(portStr);
Expand All @@ -197,6 +206,7 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
}

/* Setup the wolf crypto device callback */
tpmCtx.dev = &dev;
#ifndef NO_RSA
tpmCtx.rsaKey = &rsaKey;
#endif
Expand All @@ -207,9 +217,13 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
#ifdef WOLFTPM_USE_SYMMETRIC
tpmCtx.useSymmetricOnTPM = 1;
#endif
rc = wolfTPM2_SetCryptoDevCb(&dev, wolfTPM2_CryptoDevCb, &tpmCtx, &tpmDevId);
if (rc != 0) goto exit;

#ifdef WOLFTPM_CRYPTOCB
if (!usePK) {
rc = wolfTPM2_SetCryptoDevCb(&dev, wolfTPM2_CryptoDevCb, &tpmCtx, &tpmDevId);
if (rc != 0) goto exit;
}
#endif
/* See if primary storage key already exists */
rc = getPrimaryStoragekey(&dev, &storageKey, TPM_ALG_RSA);
if (rc != 0) goto exit;
Expand Down Expand Up @@ -285,6 +299,13 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
wolfSSL_CTX_SetIORecv(ctx, SockIORecv);
wolfSSL_CTX_SetIOSend(ctx, SockIOSend);

/* Setup PK callbacks */
#ifdef HAVE_PK_CALLBACKS
if (usePK) {
wolfTPM_PK_SetCb(ctx);
}
#endif

/* Server certificate validation */
#if 0
/* skip server cert validation for this test */
Expand Down Expand Up @@ -439,6 +460,13 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
goto exit;
}

/* Setup PK Callback context */
#ifdef HAVE_PK_CALLBACKS
if (usePK) {
wolfTPM_PK_SetCbCtx(ssl, &tpmCtx);
}
#endif

/* Setup socket and connection */
rc = SetupSocketAndListen(&sockIoCtx, port);
if (rc != 0) goto exit;
Expand Down Expand Up @@ -568,23 +596,22 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
/* --- END TLS Server Example -- */
/******************************************************************************/

#endif /* !WOLFTPM2_NO_WRAPPER && WOLFTPM_CRYPTOCB && !NO_WOLFSSL_SERVER && \
* !WOLFCRYPT_ONLY */
#endif /* !WOLFTPM2_NO_WRAPPER && !NO_WOLFSSL_SERVER && !WOLFCRYPT_ONLY */

#ifndef NO_MAIN_DRIVER
int main(int argc, char* argv[])
{
int rc = -1;

#if !defined(WOLFTPM2_NO_WRAPPER) && defined(WOLFTPM_CRYPTOCB) && \
#if !defined(WOLFTPM2_NO_WRAPPER) && \
!defined(NO_WOLFSSL_SERVER) && !defined(WOLFCRYPT_ONLY)
rc = TPM2_TLS_ServerArgs(NULL, argc, argv);
#else
(void)argc;
(void)argv;

printf("Wrapper/Crypto callback code or TLS support not compiled in\n");
printf("Build wolfssl with ./configure --enable-cryptocb\n");
printf("TPM Wrapper or PK//Crypto callback or TLS support not compiled in\n");
printf("Build wolfssl with ./configure --enable-wolftpm\n");
#endif

return rc;
Expand Down
2 changes: 2 additions & 0 deletions examples/wrap/wrap_test.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -437,8 +437,10 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[])
rc = wc_InitRsaKey(&wolfRsaPrivKey, NULL);
if (rc != 0) goto exit;
idx = 0;
PRIVATE_KEY_UNLOCK();
rc = wc_RsaPrivateKeyDecode(kRsaKeyPrivDer, &idx, &wolfRsaPrivKey,
(word32)sizeof(kRsaKeyPrivDer));
PRIVATE_KEY_LOCK();
if (rc != 0) goto exit;
rc = wolfTPM2_RsaKey_WolfToTpm_ex(&dev, &storageKey, &wolfRsaPrivKey,
&rsaKey);
Expand Down
17 changes: 16 additions & 1 deletion src/tpm2.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -442,6 +442,19 @@ static TPM_RC TPM2_SendCommand(TPM2_CTX* ctx, TPM2_Packet* packet)
}

#ifndef WOLFTPM2_NO_WOLFCRYPT
#ifdef HAVE_FIPS
static void WolfFipsCb(int ok, int err, const char* hash)
{
printf("in my Fips callback, ok = %d, err = %d\n", ok, err);
printf("message = %s\n", wc_GetErrorString(err));
printf("hash = %s\n", hash);

if (err == IN_CORE_FIPS_E) {
printf("In core integrity hash check failure, copy above hash\n");
printf("into verifyCore[] in fips_test.c and rebuild\n");
}
}
#endif
static inline int TPM2_WolfCrypt_Init(void)
{
int rc = 0;
Expand All @@ -451,7 +464,9 @@ static inline int TPM2_WolfCrypt_Init(void)
#ifdef DEBUG_WOLFSSL
wolfSSL_Debugging_ON();
#endif

#ifdef HAVE_FIPS
wolfCrypt_SetCb_fips(WolfFipsCb);
#endif
rc = wolfCrypt_Init();
#ifdef WC_RNG_SEED_CB
if (rc == 0)
Expand Down
Loading

0 comments on commit cba83d1

Please sign in to comment.