Fixes and new tests for building wolfCrypt/wolfTPM without ECC or RSA

.github/workflows/make-test-swtpm.yml

@@ -12,10 +12,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-#pull wolfTPM
+# pull wolfTPM
     - uses: actions/checkout@master
 
-#setup wolfssl
+# setup wolfssl
     - uses: actions/checkout@master
       with:
         repository: wolfssl/wolfssl
@@ -28,9 +28,11 @@ jobs:
       run: ./configure --enable-wolftpm --enable-pkcallbacks
     - name: wolfssl make install
       working-directory: ./wolfssl
-      run: sudo make install
+      run: |
+        make
+        sudo make install
 
-#setup ibmswtpm2
+# setup ibmswtpm2
     - uses: actions/checkout@master
       with:
         repository: kgoldman/ibmswtpm2
@@ -41,7 +43,7 @@ jobs:
           make
           ./tpm_server &
 
-#setup and test defaults (with simulator)
+# setup and test defaults (with simulator)
     - name: autogen
       run: ./autogen.sh
     - name: configure
@@ -74,17 +76,17 @@ jobs:
       run: |
         LD_LIBRARY_PATH=../../src/.libs/:../../wolfssl/src/.libs/ nunit-console wolfTPM.dll
 
-#test no wolfcrypt
+# test no wolfcrypt
     - name: configure no wolfCrypt
       run: ./configure --enable-swtpm --disable-wolfcrypt
     - name: make no wolfCrypt
       run: make
     - name: make check no wolfCrypt
       run: |
         make check
-        WOLFSSL_PATH=./wolfssl WOLFCRYPT_ENABLE=0  ./examples/run_examples.sh
+        WOLFSSL_PATH=./wolfssl WOLFCRYPT_ENABLE=0 ./examples/run_examples.sh
 
-#test no wrapper
+# test no wrapper
     - name: configure no wrapper
       run: ./configure --enable-swtpm --disable-wrapper
     - name: make no wrapper
@@ -138,10 +140,52 @@ jobs:
     - name: make pedantic
       run: make
 
+# test without ECC
+    - name: wolfssl no ECC
+      working-directory: ./wolfssl
+      run: |
+        ./configure --enable-wolftpm --disable-ecc
+        make
+        sudo make install
+    - name: wolftpm no ECC
+      run: |
+        ./configure --enable-swtpm
+        make
+        make check
+        WOLFSSL_PATH=./wolfssl WOLFCRYPT_ECC=0 ./examples/run_examples.sh
+
+# test without RSA
+    - name: wolfssl no RSA
+      working-directory: ./wolfssl
+      run: |
+        ./configure --enable-wolftpm --disable-rsa
+        make
+        sudo make install
+    - name: wolftpm no RSA
+      run: |
+        ./configure --enable-swtpm
+        make
+        make check
+        WOLFSSL_PATH=./wolfssl WOLFCRYPT_RSA=0 ./examples/run_examples.sh
+
+# test with default configure (no AES CFB, no PKCS7, no crpyto cb, no cert gen)
+    - name: wolfssl default configure
+      working-directory: ./wolfssl
+      run: |
+        ./configure CFLAGS="-DWOLFSSL_PUBLIC_MP"
+        make
+        sudo make install
+    - name: wolftpm default configure
+      run: |
+        ./configure --enable-swtpm
+        make
+        make check
+        WOLFSSL_PATH=./wolfssl WOLFCRYPT_DEFAULT=1 ./examples/run_examples.sh
+
 # capture logs on failure
     - name: Upload failure logs
       if: failure()
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: wolftpm-test-logs
         path: |

IDE/QNX/README.md

@@ -41,9 +41,8 @@ Here is a template:
 
 /* Reduce stack use */
 #define MAX_COMMAND_SIZE    1024
-#define MAX_RESPONSE_SIZE   1024
-#define WOLFTPM2_MAX_BUFFER 1500
-#define MAX_DIGEST_BUFFER   973
+#define MAX_RESPONSE_SIZE   1350
+#define MAX_DIGEST_BUFFER   896
 
 /* Debugging */
 #if 1
@@ -113,7 +112,7 @@ Edit the following QNX BSP files:
 @@ -442,7 +442,7 @@ static void xzynq_setup(xzynq_spi_t *dev, uint32_t device)
      spi_debug1("%s: CONFIG_SPI_REG = 0x%x", __func__, dev->ctrl[id]);
  #endif
- 
+
 -    if(dev->fcs) {
 +    if(dev->fcs || (devlist[id].cfg.mode & SPI_MODE_MAN_CS)) {
          out32(base + XZYNQ_SPI_CR_OFFSET, dev->ctrl[id] | XZYNQ_SPI_CR_MAN_CS);
@@ -122,7 +121,7 @@ Edit the following QNX BSP files:
 @@ -621,7 +621,7 @@ void *xzynq_xfer(void *hdl, uint32_t device, uint8_t *buf, int *len)
          reset = 1;
      }
- 
+
 -    if(!dev->fcs) {
 +    if(!dev->fcs && !(devlist[id].cfg.mode & SPI_MODE_MAN_CS)) {
          xzynq_spi_slave_select(dev, id, 0);
@@ -135,12 +134,12 @@ Edit the following QNX BSP files:
 @@ -72,6 +73,16 @@ int xzynq_cfg(void *hdl, spi_cfg_t *cfg, int cs)
      /* Enable ModeFail generation */
      ctrl |= XZYNQ_SPI_CR_MFAIL_EN;
- 
+
 +    if (cfg->mode & SPI_MODE_MAN_CS)
 +        ctrl |= XZYNQ_SPI_CR_MAN_CS; /* enable manual CS mode */
 +
 +    if (cfg->mode & SPI_MODE_CLEAR_CS) {
-+        /* make sure all chip selects are de-asserted */ 
++        /* make sure all chip selects are de-asserted */
 +        /* set all CS bits high to de-assert */
 +        out32(base + XZYNQ_SPI_CR_OFFSET,
 +            in32(base + XZYNQ_SPI_CR_OFFSET) | XZYNQ_SPI_CR_CS);
@@ -156,7 +155,7 @@ Edit the following QNX BSP files:
  #define	SPI_MODE_IDLE_INSERT	(1 << 16)
 +#define	SPI_MODE_MAN_CS			(1 << 17)   /* Manual Chip select */
 +#define	SPI_MODE_CLEAR_CS		(1 << 18)   /* Clear all chip selects (used with SPI_MODE_MAN_CS) */
- 
+
  #define	SPI_MODE_LOCKED			(1 << 31)	/* The device is locked by another client */
 ```
 

configure.ac

@@ -355,7 +355,7 @@ then
 
     # Reduces max packet and buffer sizes to 1024 bytes
     # RSA KeyGen AES response is 1329 MAX_RESPONSE_SIZE
-    AM_CFLAGS="$AM_CFLAGS -DMAX_COMMAND_SIZE=1024 -DMAX_RESPONSE_SIZE=1350 -DWOLFTPM2_MAX_BUFFER=1500 -DMAX_DIGEST_BUFFER=973"
+    AM_CFLAGS="$AM_CFLAGS -DMAX_COMMAND_SIZE=1024 -DMAX_RESPONSE_SIZE=1350 -DMAX_DIGEST_BUFFER=896"
 
     # If parameter encryption is not used then maximum session count is one
     if test "x$ENABLED_WOLFCRYPT" = "xno"

examples/bench/bench.c

@@ -269,8 +269,12 @@ int TPM2_Wrapper_BenchArgs(void* userCtx, int argc, char *argv[])
     if (rc != 0) goto exit;
 
     if (paramEncAlg != TPM_ALG_NULL) {
+        void* bindKey = &storageKey;
+    #ifdef NO_RSA
+        bindKey = NULL; /* cannot bind to key without RSA enabled */
+    #endif
         /* Start an authenticated session (salted / unbound) with parameter encryption */
-        rc = wolfTPM2_StartSession(&dev, &tpmSession, &storageKey, NULL,
+        rc = wolfTPM2_StartSession(&dev, &tpmSession, bindKey, NULL,
             TPM_SE_HMAC, paramEncAlg);
         if (rc != 0) goto exit;
         printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",

examples/boot/secret_seal.c

@@ -64,7 +64,7 @@ static void usage(void)
 }
 
 /* Load Key Public Info */
-#if !defined(NO_FILESYSTEM)
+#if !defined(NO_FILESYSTEM) && !defined(NO_ASN)
 static int LoadAuthKeyInfo(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* authKey,
     TPM_ALG_ID alg, const char* file)
 {
@@ -99,7 +99,7 @@ static int LoadAuthKeyInfo(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* authKey,
     }
     return rc;
 }
-#endif /* !NO_FILESYSTEM */
+#endif /* !NO_FILESYSTEM && !NO_ASN */
 
 int TPM2_Boot_SecretSeal_Example(void* userCtx, int argc, char *argv[])
 {
@@ -232,7 +232,7 @@ int TPM2_Boot_SecretSeal_Example(void* userCtx, int argc, char *argv[])
         else if (alg == TPM_ALG_ECC)
             publicKeyFile = "./certs/example-ecc256-key-pub.der";
     }
-#if !defined(NO_FILESYSTEM)
+#if !defined(NO_FILESYSTEM) && !defined(NO_ASN)
     /* Policy Authorization */
     if (policyFile) {
         policyDigestSz = (word32)sizeof(policyDigest);

examples/boot/secret_unseal.c

@@ -62,7 +62,7 @@ static void usage(void)
 }
 
 /* Load Key Public Info */
-#if !defined(NO_FILESYSTEM)
+#if !defined(NO_FILESYSTEM) && !defined(NO_ASN)
 static int LoadAuthKeyInfo(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* authKey,
     TPM_ALG_ID alg, const char* file)
 {
@@ -103,7 +103,7 @@ static int LoadAuthKeyInfo(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* authKey,
     }
     return rc;
 }
-#endif /* !NO_FILESYSTEM */
+#endif /* !NO_FILESYSTEM && !NO_ASN */
 
 int TPM2_Boot_SecretUnseal_Example(void* userCtx, int argc, char *argv[])
 {
@@ -251,7 +251,7 @@ int TPM2_Boot_SecretUnseal_Example(void* userCtx, int argc, char *argv[])
     printHexString(policyDigest, policyDigestSz, policyDigestSz);
 
     /* Load external public key and signature */
-#if !defined(NO_FILESYSTEM)
+#if !defined(NO_FILESYSTEM) && !defined(NO_ASN)
     /* Policy Authorization Signature */
     if (pcrSigFile) {
         sigSz = (word32)sizeof(sig);

examples/boot/secure_rot.c

@@ -90,6 +90,7 @@ int TPM2_Boot_SecureROT_Example(void* userCtx, int argc, char *argv[])
     XMEMSET(&parent, 0, sizeof(parent));
     XMEMSET(authBuf, 0, sizeof(authBuf));
     XMEMSET(digest, 0, sizeof(digest));
+    XMEMSET(&nv, 0, sizeof(nv));
 
     if (argc >= 2) {
         if (XSTRCMP(argv[1], "-?") == 0 ||

examples/endorsement/get_ek_certs.c

@@ -107,7 +107,7 @@ static void show_ek_public(const TPM2B_PUBLIC* pub)
     }
 }
 
-#ifndef WOLFTPM2_NO_WOLFCRYPT
+#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_ASN)
 static int compare_ek_public(const TPM2B_PUBLIC* ekpub,
     const TPM2B_PUBLIC* certpub)
 {
@@ -154,7 +154,7 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
     uint32_t certSz;
     TPMT_PUBLIC publicTemplate;
     word32 nvIndex;
-#ifndef WOLFTPM2_NO_WOLFCRYPT
+#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_ASN)
     #ifndef WOLFCRYPT_ONLY
     int i;
     WOLFSSL_CERT_MANAGER* cm = NULL;
@@ -196,7 +196,8 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
     rc = 0;
     printf("Found %d TCG handles\n", handles.count);
 
-#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(WOLFCRYPT_ONLY)
+#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(WOLFCRYPT_ONLY) && \
+    !defined(NO_ASN)
     /* load trusted certificates to cert manager */
     certSz = 0;
     cm = wolfSSL_CertManagerNew();
@@ -208,12 +209,13 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
                 WOLFSSL_FILETYPE_PEM);
             if (rc == WOLFSSL_SUCCESS) {
                 certSz++;
-                rc = 0;
             }
             else {
-                printf("Warning: Failed to load trusted PEM at index %d\n", i);
+                printf("Warning: Failed to load trusted PEM at index %d. "
+                    "Error %s (rc %d)\n", i, TPM2_GetRCString(rc), rc);
                 /* not fatal, continue loading trusted certs */
             }
+            rc = 0; /* reset return code */
         }
         printf("Loaded %d trusted certificates\n", certSz);
     }
@@ -272,7 +274,7 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
             show_ek_public(&endorse.pub);
         }
 
-    #ifndef WOLFTPM2_NO_WOLFCRYPT
+    #if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_ASN)
         if (rc == 0) {
             /* Attempt to parse certificate */
             printf("Parsing certificate (%d bytes)\n", certSz);
@@ -376,15 +378,15 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
             }
         #endif /* WOLFSSL_DER_TO_PEM */
         }
-    #endif /* !WOLFTPM2_NO_WOLFCRYPT */
+    #endif /* !WOLFTPM2_NO_WOLFCRYPT && !NO_ASN */
 
         wolfTPM2_UnloadHandle(&dev, &endorse.handle);
         XMEMSET(&endorse, 0, sizeof(endorse));
     }
 
 exit:
 
-#ifndef WOLFTPM2_NO_WOLFCRYPT
+#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_ASN)
     #ifdef WOLFSSL_DER_TO_PEM
     XFREE(pem, NULL, DYNAMIC_TYPE_TMP_BUFFER);
     #endif

examples/keygen/external_import.c

@@ -172,13 +172,17 @@ int TPM2_ExternalImport_Example(void* userCtx, int argc, char *argv[])
     printf("Import Seed %d\n", seedValue.size);
     TPM2_PrintBin(seedValue.buffer, seedValue.size);
 
+#ifndef NO_ASN
     rc = wolfTPM2_ImportPrivateKeyBuffer(&dev, &storage, TPM_ALG_RSA, key2,
         ENCODING_TYPE_PEM, extRSAPrivatePem, (word32)strlen(extRSAPrivatePem),
         NULL, attributes, seedValue.buffer, seedValue.size);
     if (rc != 0) {
         printf("wolfTPM2_ImportPrivateKeyBuffer failed import\n");
         goto exit;
     }
+#else
+    (void)attributes;
+#endif
 
     rc = wolfTPM2_LoadKey(&dev, key2, &primary->handle);
     if (rc != 0) {