Merge pull request #312 from dgarske/tls_pkcb

Added support for TLS PK callbacks with ECC and RSA Sign using PKCSv1.5 and PSS padding

.github/workflows/make-test-swtpm.yml

@@ -25,7 +25,7 @@ jobs:
       run: ./autogen.sh
     - name: wolfssl configure
       working-directory: ./wolfssl
-      run: ./configure --enable-wolftpm
+      run: ./configure --enable-wolftpm --enable-pkcallbacks
     - name: wolfssl make install
       working-directory: ./wolfssl
       run: sudo make install

docs/WindowTBS.md

@@ -46,6 +46,8 @@ make
 ./examples
 ```
 
+Note: To install the development base tools on MSYS2 use: `pacman -s base-devel` and `pacman -S mingw-w64-x86_64-toolchain`.
+
 ## Building on linux
 
 Tested using mingw-w32-bin_x86_64-linux_20131221.tar.bz2

examples/csr/csr.c

@@ -25,7 +25,8 @@
 
 #include <stdio.h>
 
-#if !defined(WOLFTPM2_NO_WRAPPER) && defined(WOLFTPM2_CERT_GEN)
+#if !defined(WOLFTPM2_NO_WRAPPER) && defined(WOLFTPM2_CERT_GEN) && \
+    defined(WOLFTPM_CRYPTOCB)
 
 #include <hal/tpm_io.h>
 #include <examples/tpm_test.h>
@@ -72,11 +73,11 @@ static int TPM2_CSR_Generate(WOLFTPM2_DEV* dev, int keyType, WOLFTPM2_KEY* key,
     /* make sure each subject is unique */
     if (keyType == RSA_TYPE) {
         subject = "/C=US/ST=Oregon/L=Portland/SN=Test/O=wolfSSL"
-                  "/OU=RSA/CN=www.wolfssl.com/emailAddress=info@wolfssl.com";
+                  "/OU=RSA/CN=127.0.0.1/emailAddress=info@wolfssl.com";
     }
     else if (keyType == ECC_TYPE) {
         subject = "/C=US/ST=Oregon/L=Portland/SN=Test/O=wolfSSL"
-                  "/OU=ECC/CN=www.wolfssl.com/emailAddress=info@wolfssl.com";
+                  "/OU=ECC/CN=127.0.0.1/emailAddress=info@wolfssl.com";
     }
 
     outputSz = (int)sizeof(output);
@@ -252,14 +253,15 @@ int TPM2_CSR_ExampleArgs(void* userCtx, int argc, char *argv[])
 /* --- END TPM2 CSR Example -- */
 /******************************************************************************/
 
-#endif /* !WOLFTPM2_NO_WRAPPER && WOLFTPM2_CERT_GEN */
+#endif /* !WOLFTPM2_NO_WRAPPER && WOLFTPM2_CERT_GEN && WOLFTPM_CRYPTOCB */
 
 #ifndef NO_MAIN_DRIVER
 int main(int argc, char *argv[])
 {
     int rc = -1;
 
-#if !defined(WOLFTPM2_NO_WRAPPER) && defined(WOLFTPM2_CERT_GEN)
+#if !defined(WOLFTPM2_NO_WRAPPER) && defined(WOLFTPM2_CERT_GEN) && \
+    defined(WOLFTPM_CRYPTOCB)
     rc = TPM2_CSR_ExampleArgs(NULL, argc, argv);
 #else
     (void)argc;

examples/run_examples.sh

@@ -176,9 +176,11 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
     [ $RESULT -ne 0 ] && echo -e "pkcs7 failed! $RESULT" && exit 1
 fi
 
-# TLS Tests RSA
+# TLS Tests
 echo -e "TLS tests"
-generate_port() { # function to produce a random port number
+generate_port() {
+    # for now it is okay to use the same port
+    # Note: The SW TPM uses many local ports, which can cause bind() issue
     port=11111
     echo -e "Using port $port"
     echo -e "Using port $port" >> run.out
@@ -193,6 +195,7 @@ run_tpm_tls_client() { # Usage: run_tpm_tls_client [ecc/rsa] [tpmargs]]
     [ $RESULT -ne 0 ] && echo -e "tls server $1 $2 failed! $RESULT" && exit 1
     popd >> run.out
     sleep 0.1
+
     ./examples/tls/tls_client -p=$port -$1 $2 2>&1 >> run.out
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "tpm tls client $1 $2 failed! $RESULT" && exit 1
@@ -215,6 +218,7 @@ run_tpm_tls_server() { # Usage: run_tpm_tls_server [ecc/rsa] [tpmargs]]
 }
 
 if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
+    # Run with Crypto CB
     run_tpm_tls_client "rsa" ""
     run_tpm_tls_client "rsa" "-aes"
     run_tpm_tls_client "ecc" ""
@@ -224,6 +228,17 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
     run_tpm_tls_server "rsa" "-aes"
     run_tpm_tls_server "ecc" ""
     run_tpm_tls_server "ecc" "-aes"
+
+    # Run with PK
+    run_tpm_tls_client "rsa" "-pk"
+    run_tpm_tls_client "rsa" "-pk -aes"
+    run_tpm_tls_client "ecc" "-pk"
+    run_tpm_tls_client "ecc" "-pk -aes"
+
+    run_tpm_tls_server "rsa" "-pk "
+    run_tpm_tls_server "rsa" "-pk -aes"
+    run_tpm_tls_server "ecc" "-pk"
+    run_tpm_tls_server "ecc" "-pk -aes"
 fi
 
 

examples/tls/tls_client.c

@@ -25,7 +25,7 @@
 
 #include <stdio.h>
 
-#if !defined(WOLFTPM2_NO_WRAPPER) && defined(WOLFTPM_CRYPTOCB) && \
+#if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) && \
     !defined(NO_WOLFSSL_CLIENT) && !defined(WOLFCRYPT_ONLY)
 
 #include <hal/tpm_io.h>
@@ -36,11 +36,14 @@
 
 #include <wolfssl/ssl.h>
 
-#undef  USE_CERT_BUFFERS_2048
-#define USE_CERT_BUFFERS_2048
-#undef  USE_CERT_BUFFERS_256
-#define USE_CERT_BUFFERS_256
-#include <wolfssl/certs_test.h>
+#ifdef NO_FILESYSTEM
+    /* Load test certificates / keys from wolfSSL */
+    #undef  USE_CERT_BUFFERS_2048
+    #define USE_CERT_BUFFERS_2048
+    #undef  USE_CERT_BUFFERS_256
+    #define USE_CERT_BUFFERS_256
+    #include <wolfssl/certs_test.h>
+#endif
 
 #ifdef TLS_BENCH_MODE
     double benchStart;
@@ -83,6 +86,9 @@ static void usage(void)
     printf("* -ecc: Use RSA or ECC key\n");
     printf("* -aes/xor: Use Parameter Encryption\n");
     printf("* -p=port: Supply a custom port number (default %d)\n", TLS_PORT);
+#if defined(WOLFTPM_CRYPTOCB) && defined(HAVE_PK_CALLBACKS)
+    printf("* -pk: Use PK callbacks, not crypto callbacks\n");
+#endif
 }
 
 int TPM2_TLS_Client(void* userCtx)
@@ -108,7 +114,7 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
 #endif
     TpmCryptoDevCtx tpmCtx;
     SockIoCbCtx sockIoCtx;
-    int tpmDevId;
+    int tpmDevId = INVALID_DEVID;
     WOLFSSL_CTX* ctx = NULL;
     WOLFSSL* ssl = NULL;
 #ifndef TLS_BENCH_MODE
@@ -121,6 +127,7 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
     int i;
 #endif
     int useECC = 0;
+    int usePK = 0;
     TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
     WOLFTPM2_SESSION tpmSession;
     TPMT_PUBLIC publicTemplate;
@@ -139,6 +146,10 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
 #ifdef HAVE_ECC
     XMEMSET(&eccKey, 0, sizeof(eccKey));
     XMEMSET(&wolfEccKey, 0, sizeof(wolfEccKey));
+    #ifndef WOLFTPM2_USE_SW_ECDHE
+    /* Ephemeral Key */
+    XMEMSET(&ecdhKey, 0, sizeof(ecdhKey));
+    #endif
 #endif
     XMEMSET(&tpmSession, 0, sizeof(tpmSession));
 
@@ -163,17 +174,26 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
         else if (XSTRCMP(argv[argc-1], "-xor") == 0) {
             paramEncAlg = TPM_ALG_XOR;
         }
+    #if defined(WOLFTPM_CRYPTOCB) && defined(HAVE_PK_CALLBACKS)
+        else if (XSTRCMP(argv[argc-1], "-pk") == 0) {
+            usePK = 1;
+        }
+    #endif
         else if (XSTRNCMP(argv[argc-1], "-p=", XSTRLEN("-p=")) == 0) {
             const char* portStr = argv[argc-1] + XSTRLEN("-p=");
             port = (word32)XATOI(portStr);
         }
+        else {
+            printf("Warning: Unrecognized option: %s\n", argv[argc-1]);
+        }
         argc--;
     }
 
     printf("TPM2 TLS Client Example\n");
     printf("\tUse %s keys\n", useECC ? "ECC" : "RSA");
     printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg));
     printf("\tUsing Port: %d\n", port);
+    printf("\tUsing %s callbacks\n", usePK ? "PK" : "Crypto");
 
     /* Init the TPM2 device */
     rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
@@ -183,6 +203,7 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
     }
 
     /* Setup the wolf crypto device callback */
+    tpmCtx.dev = &dev;
 #ifndef NO_RSA
     tpmCtx.rsaKey = &rsaKey;
 #endif
@@ -193,9 +214,14 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
 #ifdef WOLFTPM_USE_SYMMETRIC
     tpmCtx.useSymmetricOnTPM = 1;
 #endif
-    rc = wolfTPM2_SetCryptoDevCb(&dev, wolfTPM2_CryptoDevCb, &tpmCtx, &tpmDevId);
-    if (rc != 0) goto exit;
 
+#ifdef WOLFTPM_CRYPTOCB
+    if (!usePK) {
+        rc = wolfTPM2_SetCryptoDevCb(&dev, wolfTPM2_CryptoDevCb, &tpmCtx, &tpmDevId);
+        if (rc != 0) goto exit;
+    }
+#endif
+    /* See if primary storage key already exists */
     rc = getPrimaryStoragekey(&dev, &storageKey, TPM_ALG_RSA);
     if (rc != 0) goto exit;
 
@@ -209,7 +235,8 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
 
         /* set session for authorization of the storage key */
         rc = wolfTPM2_SetAuthSession(&dev, 0, &tpmSession,
-            (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | TPMA_SESSION_continueSession));
+            (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt |
+             TPMA_SESSION_continueSession));
         if (rc != 0) goto exit;
     }
 
@@ -251,7 +278,6 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
 
     #ifndef WOLFTPM2_USE_SW_ECDHE
     /* Ephemeral Key */
-    XMEMSET(&ecdhKey, 0, sizeof(ecdhKey));
     tpmCtx.ecdhKey = &ecdhKey;
     #endif
 #endif /* HAVE_ECC */
@@ -269,6 +295,13 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
     wolfSSL_CTX_SetIORecv(ctx, SockIORecv);
     wolfSSL_CTX_SetIOSend(ctx, SockIOSend);
 
+    /* Setup PK callbacks */
+#ifdef HAVE_PK_CALLBACKS
+    if (usePK) {
+        wolfTPM_PK_SetCb(ctx);
+    }
+#endif
+
     /* Server certificate validation */
     /* Note: Can use "WOLFSSL_VERIFY_NONE" to skip server cert validation */
     wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, myVerify);
@@ -365,7 +398,7 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
             goto exit;
         }
     #else
-        printf("RSA not supported in this build\n");
+        printf("Error: RSA not compiled in\n");
         rc = -1;
         goto exit;
     #endif /* !NO_RSA */
@@ -414,7 +447,7 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
             goto exit;
         }
     #else
-        printf("RSA not supported in this build\n");
+        printf("Error: ECC not compiled in\n");
         rc = -1;
         goto exit;
     #endif /* !NO_RSA */
@@ -456,6 +489,13 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
         goto exit;
     }
 
+    /* Setup PK Callback context */
+#ifdef HAVE_PK_CALLBACKS
+    if (usePK) {
+        wolfTPM_PK_SetCbCtx(ssl, &tpmCtx);
+    }
+#endif
+
     /* Setup socket and connection */
     rc = SetupSocketAndConnect(&sockIoCtx, TLS_HOST, port);
     if (rc != 0) goto exit;
@@ -564,10 +604,11 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
         printf("Shutdown not complete\n");
     }
 
-    CloseAndCleanupSocket(&sockIoCtx);
     wolfSSL_free(ssl);
     wolfSSL_CTX_free(ctx);
 
+    CloseAndCleanupSocket(&sockIoCtx);
+
     wolfTPM2_UnloadHandle(&dev, &storageKey.handle);
 #ifndef NO_RSA
     wc_FreeRsaKey(&wolfRsaKey);
@@ -591,23 +632,23 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
 /* --- END TPM TLS Client Example -- */
 /******************************************************************************/
 
-#endif /* !WOLFTPM2_NO_WRAPPER && WOLFTPM_CRYPTOCB && !NO_WOLFSSL_CLIENT && \
-        * !WOLFCRYPT_ONLY */
+#endif /* !WOLFTPM2_NO_WRAPPER && !WOLFTPM2_NO_WOLFCRYPT && !NO_WOLFSSL_CLIENT \
+        * && !WOLFCRYPT_ONLY */
 
 #ifndef NO_MAIN_DRIVER
 int main(int argc, char* argv[])
 {
     int rc = -1;
 
-#if !defined(WOLFTPM2_NO_WRAPPER) && defined(WOLFTPM_CRYPTOCB) && \
+#if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) && \
     !defined(NO_WOLFSSL_CLIENT) && !defined(WOLFCRYPT_ONLY)
     rc = TPM2_TLS_ClientArgs(NULL, argc, argv);
 #else
     (void)argc;
     (void)argv;
 
-    printf("Wrapper/Crypto callback code or TLS support not compiled in\n");
-    printf("Build wolfssl with ./configure --enable-cryptocb\n");
+    printf("TPM Wrapper or PK//Crypto callback or TLS support not compiled in\n");
+    printf("Build wolfssl with ./configure --enable-wolftpm\n");
 #endif
 
     return rc;