Merge pull request #311 from dgarske/tpm_cryptocb_keygen

Add TPM crypto callback support for RSA key generation

README.md

@@ -130,7 +130,7 @@ Mfg NTC (0), Vendor NPCT75x"!!4rls, Fw 7.2 (131072), FIPS 140-2 1, CC-EAL4 0
 git clone https://github.com/wolfSSL/wolfssl.git
 cd wolfssl
 ./autogen.sh
-./configure --enable-certgen --enable-certreq --enable-certext --enable-pkcs7 --enable-cryptocb --enable-aescfb
+./configure --enable-wolftpm
 make
 sudo make install
 sudo ldconfig

examples/pcr/policy_sign.c

@@ -109,7 +109,7 @@ static int PolicySign(TPM_ALG_ID alg, const char* keyFile, const char* password,
     if (rc == 0) {
         /* handle PEM conversion to DER */
         if (encType == ENCODING_TYPE_PEM) {
-        #if !defined(WOLFTPM2_NO_HEAP) && defined(WOLFSSL_PEM_TO_DER)
+        #ifdef WOLFTPM2_PEM_DECODE
             /* der size is base 64 decode length */
             word32 derSz = (word32)bufSz * 3 / 4 + 1;
             byte* derBuf = (byte*)XMALLOC(derSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
@@ -185,12 +185,16 @@ static int PolicySign(TPM_ALG_ID alg, const char* keyFile, const char* password,
                     rc = wc_ecc_sign_hash_ex(hash, hashSz, &rng, &key.ecc, &r, &s);
                 }
                 if (rc == 0) {
-                    word32 keySz = key.ecc.dp->size;
-                    mp_to_unsigned_bin(&r, sig);
-                    mp_to_unsigned_bin(&s, sig + keySz);
+                    word32 keySz = key.ecc.dp->size, rSz, sSz;
+                    *sigSz = keySz * 2;
+                    XMEMSET(sig, 0, *sigSz);
+                    /* export sign r/s - zero pad to key size */
+                    rSz = mp_unsigned_bin_size(&r);
+                    mp_to_unsigned_bin(&r, &sig[keySz - rSz]);
+                    sSz = mp_unsigned_bin_size(&s);
+                    mp_to_unsigned_bin(&s, &sig[keySz + (keySz - sSz)]);
                     mp_clear(&r);
                     mp_clear(&s);
-                    *sigSz = keySz * 2;
                 }
             }
             wc_ecc_free(&key.ecc);

examples/run_examples.sh

@@ -179,26 +179,20 @@ fi
 # TLS Tests RSA
 echo -e "TLS tests"
 generate_port() { # function to produce a random port number
-    if [[ "$OSTYPE" == "linux"* ]]; then
-        port=$(($(od -An -N2 /dev/urandom) % (65535-49512) + 49512))
-    elif [[ "$OSTYPE" == "darwin"* ]]; then
-        port=$(($(od -An -N2 /dev/random) % (65535-49512) + 49512))
-    else
-        echo "Unknown OS TYPE"
-        exit 1
-    fi
+    port=11111
+    echo -e "Using port $port"
     echo -e "Using port $port" >> run.out
 }
 
 run_tpm_tls_client() { # Usage: run_tpm_tls_client [ecc/rsa] [tpmargs]]
     echo -e "TLS test (TPM as client) $1 $2"
     generate_port
     pushd $WOLFSSL_PATH >> run.out
-    ./examples/server/server -p $port -g -A ./certs/tpm-ca-$1-cert.pem 2>&1 >> $PWD/run.out &
+    ./examples/server/server -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem 2>&1 >> $PWD/run.out &
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "tls server $1 $2 failed! $RESULT" && exit 1
     popd >> run.out
-    sleep 0.4
+    sleep 0.1
     ./examples/tls/tls_client -p=$port -$1 $2 2>&1 >> run.out
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "tpm tls client $1 $2 failed! $RESULT" && exit 1
@@ -207,12 +201,14 @@ run_tpm_tls_client() { # Usage: run_tpm_tls_client [ecc/rsa] [tpmargs]]
 run_tpm_tls_server() { # Usage: run_tpm_tls_server [ecc/rsa] [tpmargs]]
     echo -e "TLS test (TPM as server) $1 $2"
     generate_port
+
     ./examples/tls/tls_server -p=$port -$1 $2 2>&1 >> run.out &
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "tpm tls server $1 $2 failed! $RESULT" && exit 1
     pushd $WOLFSSL_PATH >> run.out
-    sleep 0.4
-    ./examples/client/client -p $port -g -A ./certs/tpm-ca-$1-cert.pem 2>&1 >> $PWD/run.out
+    sleep 0.1
+
+    ./examples/client/client -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem 2>&1 >> $PWD/run.out
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "tls client $1 $2 failed! $RESULT" && exit 1
     popd >> run.out

examples/tls/tls_client.c

@@ -130,6 +130,7 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
     XMEMSET(&storageKey, 0, sizeof(storageKey));
     XMEMSET(&sockIoCtx, 0, sizeof(sockIoCtx));
     sockIoCtx.fd = -1;
+    sockIoCtx.listenFd = -1;
     XMEMSET(&tpmCtx, 0, sizeof(tpmCtx));
 #ifndef NO_RSA
     XMEMSET(&rsaKey, 0, sizeof(rsaKey));
@@ -558,6 +559,15 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
         printf("Failure %d (0x%x): %s\n", rc, rc, wolfTPM2_GetRCString(rc));
     }
 
+    /* Bidirectional shutdown */
+    while (wolfSSL_shutdown(ssl) == SSL_SHUTDOWN_NOT_DONE) {
+        printf("Shutdown not complete\n");
+    }
+
+    CloseAndCleanupSocket(&sockIoCtx);
+    wolfSSL_free(ssl);
+    wolfSSL_CTX_free(ctx);
+
     wolfTPM2_UnloadHandle(&dev, &storageKey.handle);
 #ifndef NO_RSA
     wc_FreeRsaKey(&wolfRsaKey);
@@ -572,12 +582,6 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
 #endif
     wolfTPM2_UnloadHandle(&dev, &tpmSession.handle);
 
-    wolfSSL_shutdown(ssl);
-
-    CloseAndCleanupSocket(&sockIoCtx);
-    wolfSSL_free(ssl);
-    wolfSSL_CTX_free(ctx);
-
     wolfTPM2_Cleanup(&dev);
 
     return rc;

examples/tls/tls_common.h

@@ -209,7 +209,7 @@ static inline int SockIOSend(WOLFSSL* ssl, char* buff, int sz, void* ctx)
 static inline int SetupSocketAndListen(SockIoCbCtx* sockIoCtx, word32 port)
 {
     struct sockaddr_in servAddr;
-    int optval  = 1;
+    int optval;
 
 #ifdef _WIN32
     WSADATA wsd;
@@ -230,17 +230,26 @@ static inline int SetupSocketAndListen(SockIoCbCtx* sockIoCtx, word32 port)
         return -1;
     }
 
-    /* allow reuse */
+    /* allow reuse of port and address */
+    optval = 1;
     if (setsockopt(sockIoCtx->listenFd, SOL_SOCKET, SO_REUSEADDR,
                    (void*)&optval, sizeof(optval)) == -1) {
         printf("setsockopt SO_REUSEADDR failed\n");
         return -1;
     }
+#ifdef SO_REUSEPORT
+    optval = 1;
+    if (setsockopt(sockIoCtx->listenFd, SOL_SOCKET, SO_REUSEPORT,
+                   (void*)&optval, sizeof(optval)) == -1) {
+        printf("setsockopt SO_REUSEPORT failed\n");
+        return -1;
+    }
+#endif
 
     /* Connect to the server */
     if (bind(sockIoCtx->listenFd, (struct sockaddr*)&servAddr,
                                                     sizeof(servAddr)) == -1) {
-        printf("ERROR: failed to bind\n");
+        printf("ERROR: failed to bind! errno %d\n", errno);
         return -1;
     }
 

examples/tls/tls_server.c

@@ -137,6 +137,7 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
     XMEMSET(&storageKey, 0, sizeof(storageKey));
     XMEMSET(&sockIoCtx, 0, sizeof(sockIoCtx));
     sockIoCtx.fd = -1;
+    sockIoCtx.listenFd = -1;
     XMEMSET(&tpmCtx, 0, sizeof(tpmCtx));
 #ifndef NO_RSA
     XMEMSET(&rsaKey, 0, sizeof(rsaKey));
@@ -534,12 +535,16 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
         printf("Failure %d (0x%x): %s\n", rc, rc, wolfTPM2_GetRCString(rc));
     }
 
-    wolfSSL_shutdown(ssl);
+    /* Bidirectional shutdown */
+    while (wolfSSL_shutdown(ssl) == SSL_SHUTDOWN_NOT_DONE) {
+        printf("Shutdown not complete\n");
+    }
 
-    CloseAndCleanupSocket(&sockIoCtx);
     wolfSSL_free(ssl);
     wolfSSL_CTX_free(ctx);
 
+    CloseAndCleanupSocket(&sockIoCtx);
+
     wolfTPM2_UnloadHandle(&dev, &storageKey.handle);
 #ifndef NO_RSA
     wc_FreeRsaKey(&wolfRsaKey);

src/tpm2.c

@@ -2952,7 +2952,9 @@ TPM_RC TPM2_Sign(Sign_In* in, Sign_Out* out)
         TPM2_Packet_AppendBytes(&packet, in->digest.buffer, in->digest.size);
 
         TPM2_Packet_AppendU16(&packet, in->inScheme.scheme);
-        TPM2_Packet_AppendU16(&packet, in->inScheme.details.any.hashAlg);
+        if (in->inScheme.scheme != TPM_ALG_NULL) {
+            TPM2_Packet_AppendU16(&packet, in->inScheme.details.any.hashAlg);
+        }
 
         TPM2_Packet_AppendU16(&packet, in->validation.tag);
         TPM2_Packet_AppendU32(&packet, in->validation.hierarchy);