From 026c82f799c365066fad29c7fe89b9092fc01dab Mon Sep 17 00:00:00 2001 From: David Garske Date: Mon, 19 Aug 2024 09:55:15 -0700 Subject: [PATCH] Fixes and new tests for building wolfCrypt/wolfTPM without ECC or RSA. Fixes ZD 18470. Improved smallstack (eliminated `WOLFTPM2_MAX_BUFFER`). Fixes for building with NO_ASN. --- .github/workflows/make-test-swtpm.yml | 62 +++- IDE/IAR-EWARM/source/main.c | 0 IDE/IAR-EWARM/source/tpm_main.c | 0 IDE/QNX/README.md | 15 +- configure.ac | 2 +- examples/bench/bench.c | 6 +- examples/boot/secret_seal.c | 6 +- examples/boot/secret_unseal.c | 6 +- examples/boot/secure_rot.c | 1 + examples/endorsement/get_ek_certs.c | 18 +- examples/keygen/external_import.c | 4 + examples/keygen/keygen.c | 26 +- examples/keygen/keyimport.c | 42 ++- examples/keygen/keyload.c | 28 +- examples/nvram/store.c | 8 +- examples/pcr/policy_sign.c | 24 +- examples/pcr/quote.c | 11 +- examples/pkcs7/pkcs7.c | 72 +++-- examples/run_examples.sh | 448 ++++++++++++++++---------- examples/timestamp/signed_timestamp.c | 5 +- examples/tls/tls_client.c | 29 +- examples/tls/tls_common.h | 35 ++ examples/tls/tls_server.c | 37 ++- examples/tpm_test.h | 2 +- examples/tpm_test_keys.c | 2 +- examples/wrap/wrap_test.c | 78 +++-- src/tpm2_cryptocb.c | 7 +- src/tpm2_linux.c | 7 +- src/tpm2_wrap.c | 90 +++--- tests/unit_tests.c | 21 +- wolftpm/tpm2_types.h | 12 +- wolftpm/tpm2_wrap.h | 7 +- 32 files changed, 752 insertions(+), 359 deletions(-) mode change 100755 => 100644 IDE/IAR-EWARM/source/main.c mode change 100755 => 100644 IDE/IAR-EWARM/source/tpm_main.c diff --git a/.github/workflows/make-test-swtpm.yml b/.github/workflows/make-test-swtpm.yml index e61e852..c1ebefa 100644 --- a/.github/workflows/make-test-swtpm.yml +++ b/.github/workflows/make-test-swtpm.yml @@ -12,10 +12,10 @@ jobs: runs-on: ubuntu-latest steps: -#pull wolfTPM +# pull wolfTPM - uses: actions/checkout@master -#setup wolfssl +# setup wolfssl - uses: actions/checkout@master with: repository: wolfssl/wolfssl @@ -28,9 +28,11 @@ jobs: run: ./configure --enable-wolftpm --enable-pkcallbacks - name: wolfssl make install working-directory: ./wolfssl - run: sudo make install + run: | + make + sudo make install -#setup ibmswtpm2 +# setup ibmswtpm2 - uses: actions/checkout@master with: repository: kgoldman/ibmswtpm2 @@ -41,7 +43,7 @@ jobs: make ./tpm_server & -#setup and test defaults (with simulator) +# setup and test defaults (with simulator) - name: autogen run: ./autogen.sh - name: configure @@ -74,7 +76,7 @@ jobs: run: | LD_LIBRARY_PATH=../../src/.libs/:../../wolfssl/src/.libs/ nunit-console wolfTPM.dll -#test no wolfcrypt +# test no wolfcrypt - name: configure no wolfCrypt run: ./configure --enable-swtpm --disable-wolfcrypt - name: make no wolfCrypt @@ -82,9 +84,9 @@ jobs: - name: make check no wolfCrypt run: | make check - WOLFSSL_PATH=./wolfssl WOLFCRYPT_ENABLE=0 ./examples/run_examples.sh + WOLFSSL_PATH=./wolfssl WOLFCRYPT_ENABLE=0 ./examples/run_examples.sh -#test no wrapper +# test no wrapper - name: configure no wrapper run: ./configure --enable-swtpm --disable-wrapper - name: make no wrapper @@ -138,10 +140,52 @@ jobs: - name: make pedantic run: make +# test without ECC + - name: wolfssl no ECC + working-directory: ./wolfssl + run: | + ./configure --enable-wolftpm --disable-ecc + make + sudo make install + - name: wolftpm no ECC + run: | + ./configure --enable-swtpm + make + make check + WOLFSSL_PATH=./wolfssl WOLFCRYPT_ECC=0 ./examples/run_examples.sh + +# test without RSA + - name: wolfssl no RSA + working-directory: ./wolfssl + run: | + ./configure --enable-wolftpm --disable-rsa + make + sudo make install + - name: wolftpm no RSA + run: | + ./configure --enable-swtpm + make + make check + WOLFSSL_PATH=./wolfssl WOLFCRYPT_RSA=0 ./examples/run_examples.sh + +# test with default configure (no AES CFB, no PKCS7, no crpyto cb, no cert gen) + - name: wolfssl default configure + working-directory: ./wolfssl + run: | + ./configure CFLAGS="-DWOLFSSL_PUBLIC_MP" + make + sudo make install + - name: wolftpm default configure + run: | + ./configure --enable-swtpm + make + make check + WOLFSSL_PATH=./wolfssl WOLFCRYPT_DEFAULT=1 ./examples/run_examples.sh + # capture logs on failure - name: Upload failure logs if: failure() - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: wolftpm-test-logs path: | diff --git a/IDE/IAR-EWARM/source/main.c b/IDE/IAR-EWARM/source/main.c old mode 100755 new mode 100644 diff --git a/IDE/IAR-EWARM/source/tpm_main.c b/IDE/IAR-EWARM/source/tpm_main.c old mode 100755 new mode 100644 diff --git a/IDE/QNX/README.md b/IDE/QNX/README.md index eef90c6..4413feb 100644 --- a/IDE/QNX/README.md +++ b/IDE/QNX/README.md @@ -41,9 +41,8 @@ Here is a template: /* Reduce stack use */ #define MAX_COMMAND_SIZE 1024 -#define MAX_RESPONSE_SIZE 1024 -#define WOLFTPM2_MAX_BUFFER 1500 -#define MAX_DIGEST_BUFFER 973 +#define MAX_RESPONSE_SIZE 1350 +#define MAX_DIGEST_BUFFER 896 /* Debugging */ #if 1 @@ -113,7 +112,7 @@ Edit the following QNX BSP files: @@ -442,7 +442,7 @@ static void xzynq_setup(xzynq_spi_t *dev, uint32_t device) spi_debug1("%s: CONFIG_SPI_REG = 0x%x", __func__, dev->ctrl[id]); #endif - + - if(dev->fcs) { + if(dev->fcs || (devlist[id].cfg.mode & SPI_MODE_MAN_CS)) { out32(base + XZYNQ_SPI_CR_OFFSET, dev->ctrl[id] | XZYNQ_SPI_CR_MAN_CS); @@ -122,7 +121,7 @@ Edit the following QNX BSP files: @@ -621,7 +621,7 @@ void *xzynq_xfer(void *hdl, uint32_t device, uint8_t *buf, int *len) reset = 1; } - + - if(!dev->fcs) { + if(!dev->fcs && !(devlist[id].cfg.mode & SPI_MODE_MAN_CS)) { xzynq_spi_slave_select(dev, id, 0); @@ -135,12 +134,12 @@ Edit the following QNX BSP files: @@ -72,6 +73,16 @@ int xzynq_cfg(void *hdl, spi_cfg_t *cfg, int cs) /* Enable ModeFail generation */ ctrl |= XZYNQ_SPI_CR_MFAIL_EN; - + + if (cfg->mode & SPI_MODE_MAN_CS) + ctrl |= XZYNQ_SPI_CR_MAN_CS; /* enable manual CS mode */ + + if (cfg->mode & SPI_MODE_CLEAR_CS) { -+ /* make sure all chip selects are de-asserted */ ++ /* make sure all chip selects are de-asserted */ + /* set all CS bits high to de-assert */ + out32(base + XZYNQ_SPI_CR_OFFSET, + in32(base + XZYNQ_SPI_CR_OFFSET) | XZYNQ_SPI_CR_CS); @@ -156,7 +155,7 @@ Edit the following QNX BSP files: #define SPI_MODE_IDLE_INSERT (1 << 16) +#define SPI_MODE_MAN_CS (1 << 17) /* Manual Chip select */ +#define SPI_MODE_CLEAR_CS (1 << 18) /* Clear all chip selects (used with SPI_MODE_MAN_CS) */ - + #define SPI_MODE_LOCKED (1 << 31) /* The device is locked by another client */ ``` diff --git a/configure.ac b/configure.ac index 803c1d2..4980ecc 100644 --- a/configure.ac +++ b/configure.ac @@ -355,7 +355,7 @@ then # Reduces max packet and buffer sizes to 1024 bytes # RSA KeyGen AES response is 1329 MAX_RESPONSE_SIZE - AM_CFLAGS="$AM_CFLAGS -DMAX_COMMAND_SIZE=1024 -DMAX_RESPONSE_SIZE=1350 -DWOLFTPM2_MAX_BUFFER=1500 -DMAX_DIGEST_BUFFER=973" + AM_CFLAGS="$AM_CFLAGS -DMAX_COMMAND_SIZE=1024 -DMAX_RESPONSE_SIZE=1350 -DMAX_DIGEST_BUFFER=896" # If parameter encryption is not used then maximum session count is one if test "x$ENABLED_WOLFCRYPT" = "xno" diff --git a/examples/bench/bench.c b/examples/bench/bench.c index 4b10dee..e8ad8a9 100644 --- a/examples/bench/bench.c +++ b/examples/bench/bench.c @@ -269,8 +269,12 @@ int TPM2_Wrapper_BenchArgs(void* userCtx, int argc, char *argv[]) if (rc != 0) goto exit; if (paramEncAlg != TPM_ALG_NULL) { + void* bindKey = &storageKey; + #ifdef NO_RSA + bindKey = NULL; /* cannot bind to key without RSA enabled */ + #endif /* Start an authenticated session (salted / unbound) with parameter encryption */ - rc = wolfTPM2_StartSession(&dev, &tpmSession, &storageKey, NULL, + rc = wolfTPM2_StartSession(&dev, &tpmSession, bindKey, NULL, TPM_SE_HMAC, paramEncAlg); if (rc != 0) goto exit; printf("TPM2_StartAuthSession: sessionHandle 0x%x\n", diff --git a/examples/boot/secret_seal.c b/examples/boot/secret_seal.c index 3991d3b..1a34614 100644 --- a/examples/boot/secret_seal.c +++ b/examples/boot/secret_seal.c @@ -64,7 +64,7 @@ static void usage(void) } /* Load Key Public Info */ -#if !defined(NO_FILESYSTEM) +#if !defined(NO_FILESYSTEM) && !defined(NO_ASN) static int LoadAuthKeyInfo(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* authKey, TPM_ALG_ID alg, const char* file) { @@ -99,7 +99,7 @@ static int LoadAuthKeyInfo(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* authKey, } return rc; } -#endif /* !NO_FILESYSTEM */ +#endif /* !NO_FILESYSTEM && !NO_ASN */ int TPM2_Boot_SecretSeal_Example(void* userCtx, int argc, char *argv[]) { @@ -232,7 +232,7 @@ int TPM2_Boot_SecretSeal_Example(void* userCtx, int argc, char *argv[]) else if (alg == TPM_ALG_ECC) publicKeyFile = "./certs/example-ecc256-key-pub.der"; } -#if !defined(NO_FILESYSTEM) +#if !defined(NO_FILESYSTEM) && !defined(NO_ASN) /* Policy Authorization */ if (policyFile) { policyDigestSz = (word32)sizeof(policyDigest); diff --git a/examples/boot/secret_unseal.c b/examples/boot/secret_unseal.c index aa90af1..495a56b 100644 --- a/examples/boot/secret_unseal.c +++ b/examples/boot/secret_unseal.c @@ -62,7 +62,7 @@ static void usage(void) } /* Load Key Public Info */ -#if !defined(NO_FILESYSTEM) +#if !defined(NO_FILESYSTEM) && !defined(NO_ASN) static int LoadAuthKeyInfo(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* authKey, TPM_ALG_ID alg, const char* file) { @@ -103,7 +103,7 @@ static int LoadAuthKeyInfo(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* authKey, } return rc; } -#endif /* !NO_FILESYSTEM */ +#endif /* !NO_FILESYSTEM && !NO_ASN */ int TPM2_Boot_SecretUnseal_Example(void* userCtx, int argc, char *argv[]) { @@ -251,7 +251,7 @@ int TPM2_Boot_SecretUnseal_Example(void* userCtx, int argc, char *argv[]) printHexString(policyDigest, policyDigestSz, policyDigestSz); /* Load external public key and signature */ -#if !defined(NO_FILESYSTEM) +#if !defined(NO_FILESYSTEM) && !defined(NO_ASN) /* Policy Authorization Signature */ if (pcrSigFile) { sigSz = (word32)sizeof(sig); diff --git a/examples/boot/secure_rot.c b/examples/boot/secure_rot.c index dfc86be..7deaec9 100644 --- a/examples/boot/secure_rot.c +++ b/examples/boot/secure_rot.c @@ -90,6 +90,7 @@ int TPM2_Boot_SecureROT_Example(void* userCtx, int argc, char *argv[]) XMEMSET(&parent, 0, sizeof(parent)); XMEMSET(authBuf, 0, sizeof(authBuf)); XMEMSET(digest, 0, sizeof(digest)); + XMEMSET(&nv, 0, sizeof(nv)); if (argc >= 2) { if (XSTRCMP(argv[1], "-?") == 0 || diff --git a/examples/endorsement/get_ek_certs.c b/examples/endorsement/get_ek_certs.c index ae9475f..78abc01 100644 --- a/examples/endorsement/get_ek_certs.c +++ b/examples/endorsement/get_ek_certs.c @@ -107,7 +107,7 @@ static void show_ek_public(const TPM2B_PUBLIC* pub) } } -#ifndef WOLFTPM2_NO_WOLFCRYPT +#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_ASN) static int compare_ek_public(const TPM2B_PUBLIC* ekpub, const TPM2B_PUBLIC* certpub) { @@ -154,7 +154,7 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[]) uint32_t certSz; TPMT_PUBLIC publicTemplate; word32 nvIndex; -#ifndef WOLFTPM2_NO_WOLFCRYPT +#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_ASN) #ifndef WOLFCRYPT_ONLY int i; WOLFSSL_CERT_MANAGER* cm = NULL; @@ -196,7 +196,8 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[]) rc = 0; printf("Found %d TCG handles\n", handles.count); -#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(WOLFCRYPT_ONLY) +#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(WOLFCRYPT_ONLY) && \ + !defined(NO_ASN) /* load trusted certificates to cert manager */ certSz = 0; cm = wolfSSL_CertManagerNew(); @@ -208,12 +209,13 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[]) WOLFSSL_FILETYPE_PEM); if (rc == WOLFSSL_SUCCESS) { certSz++; - rc = 0; } else { - printf("Warning: Failed to load trusted PEM at index %d\n", i); + printf("Warning: Failed to load trusted PEM at index %d. " + "Error %s (rc %d)\n", i, TPM2_GetRCString(rc), rc); /* not fatal, continue loading trusted certs */ } + rc = 0; /* reset return code */ } printf("Loaded %d trusted certificates\n", certSz); } @@ -272,7 +274,7 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[]) show_ek_public(&endorse.pub); } - #ifndef WOLFTPM2_NO_WOLFCRYPT + #if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_ASN) if (rc == 0) { /* Attempt to parse certificate */ printf("Parsing certificate (%d bytes)\n", certSz); @@ -376,7 +378,7 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[]) } #endif /* WOLFSSL_DER_TO_PEM */ } - #endif /* !WOLFTPM2_NO_WOLFCRYPT */ + #endif /* !WOLFTPM2_NO_WOLFCRYPT && !NO_ASN */ wolfTPM2_UnloadHandle(&dev, &endorse.handle); XMEMSET(&endorse, 0, sizeof(endorse)); @@ -384,7 +386,7 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[]) exit: -#ifndef WOLFTPM2_NO_WOLFCRYPT +#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_ASN) #ifdef WOLFSSL_DER_TO_PEM XFREE(pem, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif diff --git a/examples/keygen/external_import.c b/examples/keygen/external_import.c index c60cfda..7fdd4b7 100644 --- a/examples/keygen/external_import.c +++ b/examples/keygen/external_import.c @@ -172,6 +172,7 @@ int TPM2_ExternalImport_Example(void* userCtx, int argc, char *argv[]) printf("Import Seed %d\n", seedValue.size); TPM2_PrintBin(seedValue.buffer, seedValue.size); +#ifndef NO_ASN rc = wolfTPM2_ImportPrivateKeyBuffer(&dev, &storage, TPM_ALG_RSA, key2, ENCODING_TYPE_PEM, extRSAPrivatePem, (word32)strlen(extRSAPrivatePem), NULL, attributes, seedValue.buffer, seedValue.size); @@ -179,6 +180,9 @@ int TPM2_ExternalImport_Example(void* userCtx, int argc, char *argv[]) printf("wolfTPM2_ImportPrivateKeyBuffer failed import\n"); goto exit; } +#else + (void)attributes; +#endif rc = wolfTPM2_LoadKey(&dev, key2, &primary->handle); if (rc != 0) { diff --git a/examples/keygen/keygen.c b/examples/keygen/keygen.c index 54a53a9..dfdd2c7 100644 --- a/examples/keygen/keygen.c +++ b/examples/keygen/keygen.c @@ -127,6 +127,7 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[]) WOLFTPM2_KEYBLOB primaryBlob; /* Primary key as WOLFTPM2_KEYBLOB */ TPMT_PUBLIC publicTemplate; TPMI_ALG_PUBLIC alg = TPM_ALG_RSA; /* default, see usage() for options */ + TPMI_ALG_PUBLIC srkAlg = TPM_ALG_ECC; /* prefer ECC, but allow RSA */ TPM_ALG_ID algSym = TPM_ALG_CTR; /* default Symmetric Cipher, see usage */ TPM_ALG_ID paramEncAlg = TPM_ALG_NULL; WOLFTPM2_SESSION tpmSession; @@ -142,7 +143,7 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[]) const char *pubFilename = NULL; #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) const char *nameFile = "ak.name"; /* Name Digest for attestation purposes */ - #if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_RSA) + #if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_ASN) const char *pemFilename = NULL; #endif #endif @@ -220,6 +221,9 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[]) XMEMSET(&tpmSession, 0, sizeof(tpmSession)); XMEMSET(&auth, 0, sizeof(auth)); + if (alg == TPM_ALG_RSA) + srkAlg = TPM_ALG_RSA; + printf("TPM2.0 Key generation example\n"); printf("\tKey Blob: %s\n", outputFile); printf("\tAlgorithm: %s\n", TPM2_GetAlgName(alg)); @@ -227,6 +231,7 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[]) printf("\t\t %s mode, %d keybits\n", symMode, keyBits); } printf("\tTemplate: %s\n", bAIK ? "AIK" : "Default"); + printf("\tSRK: %s\n", TPM2_GetAlgName(srkAlg)); printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg)); rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx); @@ -237,16 +242,12 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[]) if (endorseKey) { /* endorsement is always RSA */ - rc = wolfTPM2_CreateEK(&dev, &endorse, TPM_ALG_RSA); + rc = wolfTPM2_CreateEK(&dev, &endorse, srkAlg); endorse.handle.policyAuth = 1; /* EK requires Policy auth, not Password */ pubFilename = ekPubFile; primary = &endorse; } else { - /* SRK: Use RSA or ECC SRK only. Prefer ECC */ - TPMI_ALG_PUBLIC srkAlg = TPM_ALG_ECC; - if (alg == TPM_ALG_RSA) - srkAlg = TPM_ALG_RSA; rc = getPrimaryStoragekey(&dev, &storage, srkAlg); pubFilename = srkPubFile; primary = &storage; @@ -254,8 +255,17 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[]) if (rc != 0) goto exit; if (paramEncAlg != TPM_ALG_NULL) { + void* bindKey = primary; + #ifndef HAVE_ECC + if (srkAlg == TPM_ALG_ECC) + bindKey = NULL; /* cannot bind to key without ECC enabled */ + #endif + #ifdef NO_RSA + if (srkAlg == TPM_ALG_RSA) + bindKey = NULL; /* cannot bind to key without RSA enabled */ + #endif /* Start an authenticated session (salted / unbound) with parameter encryption */ - rc = wolfTPM2_StartSession(&dev, &tpmSession, primary, NULL, + rc = wolfTPM2_StartSession(&dev, &tpmSession, bindKey, NULL, TPM_SE_HMAC, paramEncAlg); if (rc != 0) goto exit; printf("HMAC Session: Handle 0x%x\n", @@ -404,7 +414,7 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[]) /* Save EK public key as PEM format file to the disk */ #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) && \ - !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_RSA) + !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_ASN) if (pemFiles) { byte pem[MAX_RSA_KEY_BYTES]; word32 pemSz; diff --git a/examples/keygen/keyimport.c b/examples/keygen/keyimport.c index ac183f5..77bdfda 100644 --- a/examples/keygen/keyimport.c +++ b/examples/keygen/keyimport.c @@ -69,7 +69,8 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[]) WOLFTPM2_DEV dev; WOLFTPM2_KEY storage; /* SRK */ WOLFTPM2_KEYBLOB impKey; - TPMI_ALG_PUBLIC alg = TPM_ALG_RSA, srkAlg; /* TPM_ALG_ECC */ + TPMI_ALG_PUBLIC alg = TPM_ALG_RSA; + TPMI_ALG_PUBLIC srkAlg = TPM_ALG_ECC; /* prefer ECC, but allow RSA */ TPM_ALG_ID paramEncAlg = TPM_ALG_NULL; WOLFTPM2_SESSION tpmSession; const char* outputFile = "keyblob.bin"; @@ -98,6 +99,9 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[]) if (XSTRCMP(argv[argc-1], "-ecc") == 0) { alg = TPM_ALG_ECC; } + else if (XSTRCMP(argv[argc-1], "-rsa") == 0) { + alg = TPM_ALG_RSA; + } else if (XSTRCMP(argv[argc-1], "-aes") == 0) { paramEncAlg = TPM_ALG_CFB; } @@ -137,9 +141,13 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[]) XMEMSET(&impKey, 0, sizeof(impKey)); XMEMSET(&tpmSession, 0, sizeof(tpmSession)); + if (alg == TPM_ALG_RSA) + srkAlg = TPM_ALG_RSA; + printf("TPM2.0 Key Import example\n"); printf("\tKey Blob: %s\n", outputFile); printf("\tAlgorithm: %s\n", TPM2_GetAlgName(alg)); + printf("\tSRK: %s\n", TPM2_GetAlgName(srkAlg)); printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg)); printf("\tpassword: %s\n", password); @@ -149,24 +157,24 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[]) goto exit; } - srkAlg = alg; -#if defined(HAVE_ECC) && !defined(WOLFSSL_PUBLIC_MP) - if (srkAlg == TPM_ALG_ECC && paramEncAlg != TPM_ALG_NULL) { - /* ECC encrypt requires mp_ API's */ - printf("Parameter encryption with ECC SRK support not available, " - "using RSA SRK\n"); - srkAlg = TPM_ALG_RSA; - } -#endif - /* get SRK */ rc = getPrimaryStoragekey(&dev, &storage, srkAlg); if (rc != 0) goto exit; if (paramEncAlg != TPM_ALG_NULL) { + void* bindKey = &storage; + #ifndef HAVE_ECC + if (srkAlg == TPM_ALG_ECC) + bindKey = NULL; /* cannot bind to key without ECC enabled */ + #endif + #ifdef NO_RSA + if (srkAlg == TPM_ALG_RSA) + bindKey = NULL; /* cannot bind to key without RSA enabled */ + #endif + /* Start an authenticated session (salted / unbound) with parameter * encryption */ - rc = wolfTPM2_StartSession(&dev, &tpmSession, &storage, NULL, + rc = wolfTPM2_StartSession(&dev, &tpmSession, bindKey, NULL, TPM_SE_HMAC, paramEncAlg); if (rc != 0) goto exit; printf("TPM2_StartAuthSession: sessionHandle 0x%x\n", @@ -191,7 +199,7 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[]) TPMA_OBJECT_userWithAuth | TPMA_OBJECT_noDA); -#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) +#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) && !defined(NO_ASN) if (impFile != NULL) { printf("Loading %s%s key file: %s\n", encType == ENCODING_TYPE_PEM ? "PEM" : "DER", @@ -202,7 +210,7 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[]) if (isPublicKey) { rc = wolfTPM2_ImportPublicKeyBuffer(&dev, alg, - (WOLFTPM2_KEY*)&impKey, + (WOLFTPM2_KEY*)&impKey, encType, (const char*)buf, (word32)bufSz, attributes @@ -219,6 +227,12 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[]) ); } } + #if defined(NO_RSA) || !defined(HAVE_ECC) + if (rc == NOT_COMPILED_IN) { + printf("Feature not compiled in! Skipping test\n"); + rc = 0; /* allowing error */ + } + #endif } else #else diff --git a/examples/keygen/keyload.c b/examples/keygen/keyload.c index fe3e30e..0d7f3dd 100644 --- a/examples/keygen/keyload.c +++ b/examples/keygen/keyload.c @@ -66,12 +66,15 @@ int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[]) WOLFTPM2_KEY *primary = NULL; WOLFTPM2_KEYBLOB newKey; WOLFTPM2_KEY persistKey; + TPM_ALG_ID alg; + TPMI_ALG_PUBLIC srkAlg = TPM_ALG_ECC; /* prefer ECC, but allow RSA */ TPM_ALG_ID paramEncAlg = TPM_ALG_NULL; WOLFTPM2_SESSION tpmSession; const char* inputFile = "keyblob.bin"; int persistent = 0; int endorseKey = 0; + if (argc >= 2) { if (XSTRCMP(argv[1], "-?") == 0 || XSTRCMP(argv[1], "-h") == 0 || @@ -129,18 +132,19 @@ int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[]) goto exit; #endif + alg = newKey.pub.publicArea.type; + if (alg == TPM_ALG_RSA) + srkAlg = TPM_ALG_RSA; + printf("Loading %s key\n", TPM2_GetAlgName(alg)); + if (endorseKey) { /* endorsement is always RSA */ - rc = wolfTPM2_CreateEK(&dev, &endorse, TPM_ALG_RSA); + rc = wolfTPM2_CreateEK(&dev, &endorse, srkAlg); if (rc != 0) goto exit; endorse.handle.policyAuth = 1; primary = &endorse; } else { - /* SRK: Use RSA or ECC SRK only. Prefer ECC */ - TPMI_ALG_PUBLIC srkAlg = TPM_ALG_ECC; - if (newKey.pub.publicArea.type == TPM_ALG_RSA) - srkAlg = TPM_ALG_RSA; rc = getPrimaryStoragekey(&dev, &storage, srkAlg); if (rc != 0) goto exit; primary = &storage; @@ -154,11 +158,19 @@ int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[]) rc = wolfTPM2_SetAuthSession(&dev, 0, &tpmSession, 0); if (rc != 0) goto exit; } - - if (paramEncAlg != TPM_ALG_NULL) { + else if (paramEncAlg != TPM_ALG_NULL) { + void* bindKey = &storage; + #ifndef HAVE_ECC + if (srkAlg == TPM_ALG_ECC) + bindKey = NULL; /* cannot bind to key without ECC enabled */ + #endif + #ifdef NO_RSA + if (srkAlg == TPM_ALG_RSA) + bindKey = NULL; /* cannot bind to key without RSA enabled */ + #endif /* Start an authenticated session (salted / unbound) with parameter * encryption */ - rc = wolfTPM2_StartSession(&dev, &tpmSession, &storage, NULL, + rc = wolfTPM2_StartSession(&dev, &tpmSession, bindKey, NULL, TPM_SE_HMAC, paramEncAlg); if (rc != 0) goto exit; printf("TPM2_StartAuthSession: sessionHandle 0x%x\n", diff --git a/examples/nvram/store.c b/examples/nvram/store.c index 8ed544b..980b8df 100644 --- a/examples/nvram/store.c +++ b/examples/nvram/store.c @@ -79,6 +79,7 @@ int TPM2_NVRAM_Store_Example(void* userCtx, int argc, char *argv[]) word32 nvIndex = TPM2_DEMO_NVRAM_STORE_INDEX; byte* auth = (byte*)gNvAuth; word32 authSz = (word32)sizeof(gNvAuth)-1; + word32 nvSize; if (argc >= 2) { if (XSTRCMP(argv[1], "-?") == 0 || @@ -171,12 +172,17 @@ int TPM2_NVRAM_Store_Example(void* userCtx, int argc, char *argv[]) rc = wolfTPM2_GetNvAttributesTemplate(parent.hndl, &nvAttributes); if (rc != 0) goto exit; + /* Estimate size of NV */ + nvSize = + keyBlob.pub.size + sizeof(keyBlob.pub.size) + sizeof(UINT16) + + keyBlob.priv.size + sizeof(keyBlob.priv.size) + sizeof(UINT16); + /* Try and open existing NV */ rc = wolfTPM2_NVOpen(&dev, &nv, nvIndex, auth, authSz); if (rc != 0) { /* In not found try create using wolfTPM2 wrapper for NV_Define */ rc = wolfTPM2_NVCreateAuth(&dev, &parent, &nv, nvIndex, - nvAttributes, TPM2_DEMO_NV_TEST_SIZE, auth, authSz); + nvAttributes, nvSize, auth, authSz); if (rc != 0 && rc != TPM_RC_NV_DEFINED) goto exit; } diff --git a/examples/pcr/policy_sign.c b/examples/pcr/policy_sign.c index c16e1a1..02c3e0f 100644 --- a/examples/pcr/policy_sign.c +++ b/examples/pcr/policy_sign.c @@ -133,7 +133,7 @@ static int PolicySign(TPM_ALG_ID alg, const char* keyFile, const char* password, } } if (rc == 0 && alg == TPM_ALG_RSA) { - #ifndef NO_RSA + #if !defined(NO_RSA) && !defined(NO_ASN) rc = wc_InitRsaKey(&key.rsa, NULL); if (rc == 0) { byte encHash[WC_MAX_DIGEST_SIZE + WC_MAX_ENCODED_DIG_ASN_SZ]; @@ -173,7 +173,7 @@ static int PolicySign(TPM_ALG_ID alg, const char* keyFile, const char* password, #endif } else if (rc == 0 && alg == TPM_ALG_ECC) { - #if defined(HAVE_ECC) && defined(WOLFSSL_PUBLIC_MP) + #if defined(HAVE_ECC) && defined(WOLFSSL_PUBLIC_MP) && !defined(NO_ASN) rc = wc_ecc_init(&key.ecc); if (rc == 0) { word32 idx = 0; @@ -203,6 +203,7 @@ static int PolicySign(TPM_ALG_ID alg, const char* keyFile, const char* password, wc_ecc_free(&key.ecc); } #else + (void)hashAlg; rc = NOT_COMPILED_IN; #endif } @@ -212,6 +213,12 @@ static int PolicySign(TPM_ALG_ID alg, const char* keyFile, const char* password, XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER); wc_FreeRng(&rng); + (void)hash; + (void)hashSz; + (void)sig; + (void)sigSz; + (void)authPubKey; + if (rc != 0) { printf("Policy Sign with external key failed %d\n", rc); } @@ -302,6 +309,19 @@ int TPM2_PCR_PolicySign_Example(void* userCtx, int argc, char *argv[]) printf("Sign PCR Policy Example\n"); +#ifndef HAVE_ECC + if (alg == TPM_ALG_ECC) { + printf("ECC not compiled in!\n"); + return 0; /* don't report error */ + } +#endif +#ifdef NO_RSA + if (alg == TPM_ALG_RSA) { + printf("RSA not compiled in!\n"); + return 0; /* don't report error */ + } +#endif + /* Setup PCR's */ if (pcrArraySz == 0) { pcrArray[pcrArraySz] = TPM2_DEMO_PCR_INDEX; diff --git a/examples/pcr/quote.c b/examples/pcr/quote.c index f3eb1c3..07b701d 100644 --- a/examples/pcr/quote.c +++ b/examples/pcr/quote.c @@ -145,8 +145,17 @@ int TPM2_PCR_Quote_Test(void* userCtx, int argc, char *argv[]) (word32)aik.handle.hndl, aik.pub.size); if (paramEncAlg != TPM_ALG_NULL) { + void* bindKey = &storage; + #ifndef HAVE_ECC + if (alg == TPM_ALG_ECC) + bindKey = NULL; /* cannot bind to key without ECC enabled */ + #endif + #ifdef NO_RSA + if (alg == TPM_ALG_RSA) + bindKey = NULL; /* cannot bind to key without RSA enabled */ + #endif /* Start an authenticated session (salted / unbound) with parameter encryption */ - rc = wolfTPM2_StartSession(&dev, &tpmSession, &storage, NULL, + rc = wolfTPM2_StartSession(&dev, &tpmSession, bindKey, NULL, TPM_SE_HMAC, paramEncAlg); if (rc != 0) goto exit; printf("TPM2_StartAuthSession: sessionHandle 0x%x\n", diff --git a/examples/pkcs7/pkcs7.c b/examples/pkcs7/pkcs7.c index 451252b..8dff06d 100644 --- a/examples/pkcs7/pkcs7.c +++ b/examples/pkcs7/pkcs7.c @@ -62,7 +62,7 @@ #ifdef ENABLE_PKCS7EX_EXAMPLE /* Dummy Function to Get Data */ -#define MY_DATA_CHUNKS WOLFTPM2_MAX_BUFFER +#define MY_DATA_CHUNKS MAX_DIGEST_BUFFER #define MY_DATA_TOTAL (1024 * 1024) + 12 /* odd remainder for test */ static int GetMyData(byte* buffer, word32 bufSz, word32 offset) { @@ -92,8 +92,9 @@ static int GetMyData(byte* buffer, word32 bufSz, word32 offset) /* The wc_PKCS7_EncodeSignedData_ex and wc_PKCS7_VerifySignedData_ex functions were added in this PR https://github.com/wolfSSL/wolfssl/pull/1780. */ -static int PKCS7_SignVerifyEx(WOLFTPM2_DEV* dev, int tpmDevId, WOLFTPM2_BUFFER* derCert, - WOLFTPM2_BUFFER* derPubKey, int alg, enum wc_HashType hashType, const char* outFile) +static int PKCS7_SignVerifyEx(WOLFTPM2_DEV* dev, int tpmDevId, + byte* derCert, word32 derCertSz, byte* derPubKey, word32 derPubKeySz, + int alg, enum wc_HashType hashType, const char* outFile) { int rc; PKCS7 pkcs7; @@ -139,7 +140,7 @@ static int PKCS7_SignVerifyEx(WOLFTPM2_DEV* dev, int tpmDevId, WOLFTPM2_BUFFER* /* Generate and verify PKCS#7 files containing data using TPM key */ rc = wc_PKCS7_Init(&pkcs7, NULL, tpmDevId); if (rc != 0) goto exit; - rc = wc_PKCS7_InitWithCert(&pkcs7, derCert->buffer, derCert->size); + rc = wc_PKCS7_InitWithCert(&pkcs7, derCert, derCertSz); if (rc != 0) goto exit; pkcs7.content = NULL; /* not used */ @@ -149,8 +150,8 @@ static int PKCS7_SignVerifyEx(WOLFTPM2_DEV* dev, int tpmDevId, WOLFTPM2_BUFFER* pkcs7.rng = wolfTPM2_GetRng(dev); /* pass public key instead of private here. The PKCS7 will try a public * key decode if using crypto callbacks */ - pkcs7.privateKey = derPubKey->buffer; - pkcs7.privateKeySz = derPubKey->size; + pkcs7.privateKey = derPubKey; + pkcs7.privateKeySz = derPubKeySz; outputHeadSz = (int)sizeof(outputHead); outputFootSz = (int)sizeof(outputFoot); @@ -241,8 +242,9 @@ exit: } #endif /* ENABLE_PKCS7EX_EXAMPLE */ -static int PKCS7_SignVerify(WOLFTPM2_DEV* dev, int tpmDevId, WOLFTPM2_BUFFER* derCert, - WOLFTPM2_BUFFER* derPubKey, int alg, enum wc_HashType hashType, const char* outFile) +static int PKCS7_SignVerify(WOLFTPM2_DEV* dev, int tpmDevId, + byte* derCert, word32 derCertSz, byte* derPubKey, word32 derPubKeySz, + int alg, enum wc_HashType hashType, const char* outFile) { int rc; PKCS7 pkcs7; @@ -258,7 +260,7 @@ static int PKCS7_SignVerify(WOLFTPM2_DEV* dev, int tpmDevId, WOLFTPM2_BUFFER* de /* Generate and verify PKCS#7 files containing data using TPM key */ rc = wc_PKCS7_Init(&pkcs7, NULL, tpmDevId); if (rc != 0) goto exit; - rc = wc_PKCS7_InitWithCert(&pkcs7, derCert->buffer, derCert->size); + rc = wc_PKCS7_InitWithCert(&pkcs7, derCert, derCertSz); if (rc != 0) goto exit; pkcs7.content = data; @@ -268,8 +270,8 @@ static int PKCS7_SignVerify(WOLFTPM2_DEV* dev, int tpmDevId, WOLFTPM2_BUFFER* de pkcs7.rng = wolfTPM2_GetRng(dev); /* pass public key instead of private here. The PKCS7 will try a public * key decode if using crypto callbacks */ - pkcs7.privateKey = derPubKey->buffer; - pkcs7.privateKeySz = derPubKey->size; + pkcs7.privateKey = derPubKey; + pkcs7.privateKeySz = derPubKeySz; rc = wc_PKCS7_EncodeSignedData(&pkcs7, output, sizeof(output)); if (rc <= 0) goto exit; @@ -339,8 +341,10 @@ int TPM2_PKCS7_ExampleArgs(void* userCtx, int argc, char *argv[]) TPMT_PUBLIC publicTemplate; TpmCryptoDevCtx tpmCtx; int tpmDevId; - WOLFTPM2_BUFFER derCert; - WOLFTPM2_BUFFER derPubKey; + byte derCert[MAX_PKCS7_SIZE]; + word32 derCertSz = 0; + byte derPubKey[MAX_PKCS7_SIZE]; + word32 derPubKeySz; #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) XFILE derFile; const char* inCert = NULL; @@ -387,12 +391,24 @@ int TPM2_PKCS7_ExampleArgs(void* userCtx, int argc, char *argv[]) printf("TPM2 PKCS7 Example\n"); - XMEMSET(&derCert, 0, sizeof(derCert)); XMEMSET(&derPubKey, 0, sizeof(derPubKey)); XMEMSET(&tpmKey, 0, sizeof(tpmKey)); XMEMSET(&storageKey, 0, sizeof(storageKey)); +#ifndef HAVE_ECC + if (alg == TPM_ALG_ECC) { + printf("ECC not compiled in!\n"); + return 0; /* don't report error */ + } +#endif +#ifdef NO_RSA + if (alg == TPM_ALG_RSA) { + printf("RSA not compiled in!\n"); + return 0; /* don't report error */ + } +#endif + /* Init the TPM2 device */ rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx); if (rc != 0) return rc; @@ -475,35 +491,43 @@ int TPM2_PKCS7_ExampleArgs(void* userCtx, int argc, char *argv[]) derFile = XFOPEN(inCert, "rb"); if (derFile != XBADFILE) { XFSEEK(derFile, 0, XSEEK_END); - derCert.size = (int)XFTELL(derFile); + derCertSz = (int)XFTELL(derFile); XREWIND(derFile); - if (derCert.size > (int)sizeof(derCert.buffer)) { + if (derCertSz > (int)sizeof(derCert)) { rc = BUFFER_E; } else { - rc = (int)XFREAD(derCert.buffer, 1, derCert.size, derFile); - rc = (rc == derCert.size) ? 0 : -1; + rc = (int)XFREAD(derCert, 1, derCertSz, derFile); + rc = (rc == (int)derCertSz) ? 0 : -1; } XFCLOSE(derFile); if (rc != 0) goto exit; } + else { + printf("Failed to open %s\n", inCert); + rc = BAD_FUNC_ARG; + goto exit; + } +#else + rc = NOT_COMPILED_IN; + goto exit; #endif /* Export TPM public key as DER/ASN.1 (should match certificate) */ - derPubKey.size = (int)sizeof(derPubKey.buffer); + derPubKeySz = (int)sizeof(derPubKey); rc = wolfTPM2_ExportPublicKeyBuffer(&dev, &tpmKey, - ENCODING_TYPE_ASN1, derPubKey.buffer, (word32*)&derPubKey.size); + ENCODING_TYPE_ASN1, derPubKey, (word32*)&derPubKeySz); if (rc != 0) goto exit; /* PKCS 7 sign/verify example */ - rc = PKCS7_SignVerify(&dev, tpmDevId, &derCert, &derPubKey, alg, hashType, - outFile); + rc = PKCS7_SignVerify(&dev, tpmDevId, derCert, derCertSz, derPubKey, + derPubKeySz, alg, hashType, outFile); if (rc != 0) goto exit; #ifdef ENABLE_PKCS7EX_EXAMPLE /* PKCS 7 large data sign/verify example */ - rc = PKCS7_SignVerifyEx(&dev, tpmDevId, &derCert, &derPubKey, alg, hashType, - outFileEx); + rc = PKCS7_SignVerifyEx(&dev, tpmDevId, derCert, derCertSz, derPubKey, + derPubKeySz, alg, hashType, outFileEx); if (rc != 0) goto exit; #endif diff --git a/examples/run_examples.sh b/examples/run_examples.sh index e6d037c..d9620f3 100755 --- a/examples/run_examples.sh +++ b/examples/run_examples.sh @@ -10,6 +10,15 @@ fi if [ -z "$WOLFCRYPT_ENABLE" ]; then WOLFCRYPT_ENABLE=1 fi +if [ -z "$WOLFCRYPT_DEFAULT" ]; then + WOLFCRYPT_DEFAULT=0 +fi +if [ -z "$WOLFCRYPT_ECC" ]; then + WOLFCRYPT_ECC=1 +fi +if [ -z "$WOLFCRYPT_RSA" ]; then + WOLFCRYPT_RSA=1 +fi rm -f run.out touch run.out @@ -100,41 +109,62 @@ RESULT=$? RESULT=$? [ $RESULT -ne 0 ] && echo -e "keyload rsa failed! $RESULT" && exit 1 if [ $WOLFCRYPT_ENABLE -eq 1 ]; then - ./examples/keygen/keygen keyblob.bin -rsa -aes >> run.out 2>&1 + ./examples/keygen/keygen keyblob.bin -rsa -xor >> run.out 2>&1 RESULT=$? - [ $RESULT -ne 0 ] && echo -e "keygen rsa param enc failed! $RESULT" && exit 1 - ./examples/keygen/keyload keyblob.bin -aes >> run.out 2>&1 + [ $RESULT -ne 0 ] && echo -e "keygen rsa param enc xor failed! $RESULT" && exit 1 + ./examples/keygen/keyload keyblob.bin -xor >> run.out 2>&1 RESULT=$? - [ $RESULT -ne 0 ] && echo -e "keyload rsa param enc failed! $RESULT" && exit 1 + [ $RESULT -ne 0 ] && echo -e "keyload rsa param enc xor failed! $RESULT" && exit 1 - ./examples/keygen/keyimport rsakeyblob.bin -rsa >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "keyload rsa import load failed! $RESULT" && exit 1 - ./examples/keygen/keyload rsakeyblob.bin >> run.out 2>&1 - RESULT=$? - rm -f rsakeyblob.bin - [ $RESULT -ne 0 ] && echo -e "keyload rsa import load failed! $RESULT" && exit 1 + if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then + ./examples/keygen/keygen keyblob.bin -rsa -aes >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "keygen rsa param enc aes failed! $RESULT" && exit 1 + ./examples/keygen/keyload keyblob.bin -aes >> run.out 2>&1 + RESULT=$? + + if [ $WOLFCRYPT_RSA -eq 1 ]; then + [ $RESULT -ne 0 ] && echo -e "keyload rsa param enc aes failed! $RESULT" && exit 1 + ./examples/keygen/keyimport rsakeyblob.bin -rsa >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "keyload rsa import load failed! $RESULT" && exit 1 + ./examples/keygen/keyload rsakeyblob.bin >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "keyload rsa load failed! $RESULT" && exit 1 + rm -f rsakeyblob.bin + fi + fi fi # keeping keyblob.bin for later tests -./examples/keygen/keygen ecckeyblob.bin -ecc >> run.out 2>&1 +./examples/keygen/keygen eccblob.bin -ecc >> run.out 2>&1 RESULT=$? [ $RESULT -ne 0 ] && echo -e "keygen ecc failed! $RESULT" && exit 1 -./examples/keygen/keyload ecckeyblob.bin >> run.out 2>&1 +./examples/keygen/keyload eccblob.bin >> run.out 2>&1 RESULT=$? [ $RESULT -ne 0 ] && echo -e "keyload ecc failed! $RESULT" && exit 1 if [ $WOLFCRYPT_ENABLE -eq 1 ]; then - ./examples/keygen/keygen ecckeyblob.bin -ecc -aes >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "keygen ecc param enc failed! $RESULT" && exit 1 - ./examples/keygen/keyload ecckeyblob.bin -aes >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "keyload ecc param enc failed! $RESULT" && exit 1 - ./examples/keygen/keyimport ecckeyblob.bin -ecc >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "keyload ecc import failed! $RESULT" && exit 1 + if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then + ./examples/keygen/keygen eccblob.bin -ecc -aes >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "keygen ecc param enc failed! $RESULT" && exit 1 + ./examples/keygen/keyload eccblob.bin -aes >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "keyload ecc param enc failed! $RESULT" && exit 1 + + if [ $WOLFCRYPT_ECC -eq 1 ]; then + ./examples/keygen/keyimport ecckeyblob.bin -ecc >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "keyload ecc import failed! $RESULT" && exit 1 + + ./examples/keygen/keyload ecckeyblob.bin >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "keyload ecc load failed! $RESULT" && exit 1 + rm -f ecckeyblob.bin + fi + fi fi -rm -f ecckeyblob.bin +rm -f ececcblob.bin ./examples/keygen/keygen symkeyblob.bin -sym=aescfb128 >> run.out 2>&1 RESULT=$? @@ -173,12 +203,21 @@ fi # NV Tests echo -e "NV Tests" if [ $WOLFCRYPT_ENABLE -eq 1 ]; then - ./examples/nvram/store -aes >> run.out 2>&1 + ./examples/nvram/store -xor >> run.out 2>&1 RESULT=$? - [ $RESULT -ne 0 ] && echo -e "nv store param enc failed! $RESULT" && exit 1 - ./examples/nvram/read -aes >> run.out 2>&1 + [ $RESULT -ne 0 ] && echo -e "nv store param enc xorfailed! $RESULT" && exit 1 + ./examples/nvram/read -xor >> run.out 2>&1 RESULT=$? - [ $RESULT -ne 0 ] && echo -e "nv read param enc failed! $RESULT" && exit 1 + [ $RESULT -ne 0 ] && echo -e "nv read param enc xor failed! $RESULT" && exit 1 + + if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then + ./examples/nvram/store -aes >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "nv store param enc aes failed! $RESULT" && exit 1 + ./examples/nvram/read -aes >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "nv read param enc aes failed! $RESULT" && exit 1 + fi fi ./examples/nvram/store -priv >> run.out 2>&1 RESULT=$? @@ -187,12 +226,21 @@ RESULT=$? RESULT=$? [ $RESULT -ne 0 ] && echo -e "nv read priv only failed! $RESULT" && exit 1 if [ $WOLFCRYPT_ENABLE -eq 1 ]; then - ./examples/nvram/store -priv -aes >> run.out 2>&1 + ./examples/nvram/store -priv -xor >> run.out 2>&1 RESULT=$? - [ $RESULT -ne 0 ] && echo -e "nv store priv only param enc failed! $RESULT" && exit 1 - ./examples/nvram/read -priv -aes >> run.out 2>&1 + [ $RESULT -ne 0 ] && echo -e "nv store priv only param enc xor failed! $RESULT" && exit 1 + ./examples/nvram/read -priv -xor >> run.out 2>&1 RESULT=$? - [ $RESULT -ne 0 ] && echo -e "nv read priv only param enc failed! $RESULT" && exit 1 + [ $RESULT -ne 0 ] && echo -e "nv read priv only param enc xor failed! $RESULT" && exit 1 + + if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then + ./examples/nvram/store -priv -aes >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "nv store priv only param enc aes failed! $RESULT" && exit 1 + ./examples/nvram/read -priv -aes >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "nv read priv only param enc aes failed! $RESULT" && exit 1 + fi fi ./examples/nvram/store -pub >> run.out 2>&1 RESULT=$? @@ -217,7 +265,7 @@ RESULT=$? RESULT=$? [ $RESULT -ne 0 ] && echo -e "keygen ecc test for csr failed! $RESULT" && exit 1 -if [ $WOLFCRYPT_ENABLE -eq 1 ]; then +if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ]; then ./examples/csr/csr -cert >> run.out 2>&1 RESULT=$? [ $RESULT -ne 0 ] && echo -e "cert self-signed failed! $RESULT" && exit 1 @@ -236,7 +284,7 @@ fi # PKCS7 Tests echo -e "PKCS7 tests" -if [ $WOLFCRYPT_ENABLE -eq 1 ]; then +if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ]; then ./examples/pkcs7/pkcs7 >> run.out 2>&1 RESULT=$? [ $RESULT -ne 0 ] && echo -e "pkcs7 failed! $RESULT" && exit 1 @@ -256,11 +304,11 @@ generate_port() { echo -e "Using port $port" >> run.out 2>&1 } -run_tpm_tls_client() { # Usage: run_tpm_tls_client [ecc/rsa] [tpmargs]] - echo -e "TLS test (TPM as client) $1 $2" +run_tpm_tls_client() { # Usage: run_tpm_tls_client [ecc/rsa] [tpmargs] [tlsversion] + echo -e "TLS test (TPM as client) $1 $2 $3" generate_port pushd $WOLFSSL_PATH >> run.out 2>&1 - echo -e "./examples/server/server -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem" + echo -e "./examples/server/server -v $3 -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem" ./examples/server/server -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem &> $PWD/run.out & RESULT=$? [ $RESULT -ne 0 ] && echo -e "tls server $1 $2 failed! $RESULT" && exit 1 @@ -273,8 +321,8 @@ run_tpm_tls_client() { # Usage: run_tpm_tls_client [ecc/rsa] [tpmargs]] [ $RESULT -ne 0 ] && echo -e "tpm tls client $1 $2 failed! $RESULT" && exit 1 } -run_tpm_tls_server() { # Usage: run_tpm_tls_server [ecc/rsa] [tpmargs]] - echo -e "TLS test (TPM as server) $1 $2" +run_tpm_tls_server() { # Usage: run_tpm_tls_server [ecc/rsa] [tpmargs] [tlsversion] + echo -e "TLS test (TPM as server) $1 $2 $3" generate_port echo -e "./examples/tls/tls_server -p=$port -$1 $2" @@ -284,35 +332,61 @@ run_tpm_tls_server() { # Usage: run_tpm_tls_server [ecc/rsa] [tpmargs]] pushd $WOLFSSL_PATH >> run.out 2>&1 sleep 0.1 - echo -e "./examples/client/client -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem" + echo -e "./examples/client/client -v $3 -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem" ./examples/client/client -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem &> $PWD/run.out RESULT=$? [ $RESULT -ne 0 ] && echo -e "tls client $1 $2 failed! $RESULT" && exit 1 popd >> run.out 2>&1 } -if [ $WOLFCRYPT_ENABLE -eq 1 ]; then - # Run with Crypto CB - run_tpm_tls_client "rsa" "" - run_tpm_tls_client "rsa" "-aes" - run_tpm_tls_client "ecc" "" - run_tpm_tls_client "ecc" "-aes" +if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ]; then + if [ $WOLFCRYPT_RSA -eq 1 ]; then + # TLS client/server RSA TLS v1.2 and v1.2 Crypto callbacks + run_tpm_tls_client "rsa" "" "3" + run_tpm_tls_client "rsa" "-aes" "3" + run_tpm_tls_client "rsa" "" "4" + run_tpm_tls_client "rsa" "-aes" "4" - run_tpm_tls_server "rsa" "" - run_tpm_tls_server "rsa" "-aes" - run_tpm_tls_server "ecc" "" - run_tpm_tls_server "ecc" "-aes" + run_tpm_tls_server "rsa" "" "3" + run_tpm_tls_server "rsa" "-aes" "3" + run_tpm_tls_server "rsa" "" "4" + run_tpm_tls_server "rsa" "-aes" "4" - # Run with PK - run_tpm_tls_client "rsa" "-pk" - run_tpm_tls_client "rsa" "-pk -aes" - run_tpm_tls_client "ecc" "-pk" - run_tpm_tls_client "ecc" "-pk -aes" + # TLS client/server ECC TLS v1.2 and v1.2 PK callbacks + run_tpm_tls_client "rsa" "-pk" "3" + run_tpm_tls_client "rsa" "-pk -aes" "3" + run_tpm_tls_client "rsa" "-pk" "4" + run_tpm_tls_client "rsa" "-pk -aes" "4" - run_tpm_tls_server "rsa" "-pk " - run_tpm_tls_server "rsa" "-pk -aes" - run_tpm_tls_server "ecc" "-pk" - run_tpm_tls_server "ecc" "-pk -aes" + run_tpm_tls_server "rsa" "-pk " "3" + run_tpm_tls_server "rsa" "-pk -aes" "3" + run_tpm_tls_server "rsa" "-pk " "4" + run_tpm_tls_server "rsa" "-pk -aes" "4" + + fi + if [ $WOLFCRYPT_ECC -eq 1 ]; then + # TLS client/server ECC TLS v1.2 and v1.2 Crypto callbacks + run_tpm_tls_client "ecc" "" "3" + run_tpm_tls_client "ecc" "-aes" "3" + run_tpm_tls_client "ecc" "" "4" + run_tpm_tls_client "ecc" "-aes" "4" + + run_tpm_tls_server "ecc" "" "3" + run_tpm_tls_server "ecc" "-aes" "3" + run_tpm_tls_server "ecc" "" "4" + run_tpm_tls_server "ecc" "-aes" "4" + + # TLS client/server ECC TLS v1.2 and v1.2 PK callbacks + run_tpm_tls_client "ecc" "-pk" "3" + run_tpm_tls_client "ecc" "-pk -aes" "3" + run_tpm_tls_client "ecc" "-pk" "4" + run_tpm_tls_client "ecc" "-pk -aes" "4" + + run_tpm_tls_server "ecc" "-pk" "3" + run_tpm_tls_server "ecc" "-pk -aes" "3" + run_tpm_tls_server "ecc" "-pk" "4" + run_tpm_tls_server "ecc" "-pk -aes" "4" + fi fi @@ -382,17 +456,29 @@ RESULT=$? RESULT=$? [ $RESULT -ne 0 ] && echo -e "pcr quote failed! $RESULT" && exit 1 if [ $WOLFCRYPT_ENABLE -eq 1 ]; then - ./examples/pcr/quote 16 zip.quote -aes >> run.out 2>&1 + ./examples/pcr/quote 16 zip.quote -xor >> run.out 2>&1 RESULT=$? - [ $RESULT -ne 0 ] && echo -e "pcr quote param enc failed! $RESULT" && exit 1 + [ $RESULT -ne 0 ] && echo -e "pcr quote param enc xor failed! $RESULT" && exit 1 + + if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then + ./examples/pcr/quote 16 zip.quote -aes >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "pcr quote param enc aes failed! $RESULT" && exit 1 + fi fi ./examples/pcr/quote 16 zip.quote -ecc >> run.out 2>&1 RESULT=$? [ $RESULT -ne 0 ] && echo -e "pcr quote ecc failed! $RESULT" && exit 1 if [ $WOLFCRYPT_ENABLE -eq 1 ]; then - ./examples/pcr/quote 16 zip.quote -ecc -aes >> run.out 2>&1 + ./examples/pcr/quote 16 zip.quote -ecc -xor >> run.out 2>&1 RESULT=$? - [ $RESULT -ne 0 ] && echo -e "pcr quote ecc param enc failed! $RESULT" && exit 1 + [ $RESULT -ne 0 ] && echo -e "pcr quote ecc param enc xor failed! $RESULT" && exit 1 + + if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then + ./examples/pcr/quote 16 zip.quote -ecc -aes >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "pcr quote ecc param enc aes failed! $RESULT" && exit 1 + fi fi rm -f zip.quote @@ -403,14 +489,20 @@ echo -e "Benchmark tests" RESULT=$? [ $RESULT -ne 0 ] && echo -e "bench failed! $RESULT" && exit 1 if [ $WOLFCRYPT_ENABLE -eq 1 ]; then - ./examples/bench/bench -maxdur=25 -aes >> run.out 2>&1 + ./examples/bench/bench -maxdur=25 -xor >> run.out 2>&1 RESULT=$? - [ $RESULT -ne 0 ] && echo -e "bench (AES param enc) failed! $RESULT" && exit 1 + [ $RESULT -ne 0 ] && echo -e "bench (XOR param enc) failed! $RESULT" && exit 1 + + if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then + ./examples/bench/bench -maxdur=25 -aes >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "bench (AES param enc) failed! $RESULT" && exit 1 + fi fi # Secure Boot ROT echo -e "Secure Boot ROT (Root of Trust) test" -if [ $WOLFCRYPT_ENABLE -eq 1 ]; then +if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ]; then ./examples/boot/secure_rot -nvindex=0x1400200 -authstr=test -write=./certs/example-ecc256-key-pub.der >> run.out 2>&1 RESULT=$? [ $RESULT -ne 0 ] && echo -e "secure rot write ecc256! $RESULT" && exit 1 @@ -455,19 +547,28 @@ RESULT=$? [ $RESULT -ne 0 ] && echo -e "unseal failed! $RESULT" && exit 1 rm -f sealedkeyblob.bin -if [ $WOLFCRYPT_ENABLE -eq 1 ]; then - ./examples/seal/seal sealedkeyblob.bin mySecretMessage -aes >> run.out 2>&1 +if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_RSA -eq 1 ]; then + ./examples/seal/seal sealedkeyblob.bin mySecretMessage -xor >> run.out 2>&1 RESULT=$? - [ $RESULT -ne 0 ] && echo -e "seal aes failed! $RESULT" && exit 1 - ./examples/seal/unseal message.raw sealedkeyblob.bin -aes >> run.out 2>&1 + [ $RESULT -ne 0 ] && echo -e "seal xor failed! $RESULT" && exit 1 + ./examples/seal/unseal message.raw sealedkeyblob.bin -xor >> run.out 2>&1 RESULT=$? - [ $RESULT -ne 0 ] && echo -e "unseal aes failed! $RESULT" && exit 1 + [ $RESULT -ne 0 ] && echo -e "unseal xor failed! $RESULT" && exit 1 + + if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then + ./examples/seal/seal sealedkeyblob.bin mySecretMessage -aes >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "seal aes failed! $RESULT" && exit 1 + ./examples/seal/unseal message.raw sealedkeyblob.bin -aes >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "unseal aes failed! $RESULT" && exit 1 + fi rm -f sealedkeyblob.bin fi # Seal/Unseal (Policy auth) echo -e "Seal/Unseal (Policy auth)" -if [ $WOLFCRYPT_ENABLE -eq 1 ]; then +if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ]; then # Extend "aaa" to test PCR 16 echo aaa > aaa.bin ./examples/pcr/reset 16 >> run.out 2>&1 @@ -477,121 +578,124 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ]; then RESULT=$? [ $RESULT -ne 0 ] && echo -e "pcr 16 extend failed! $RESULT" && exit 1 - # RSA - ./examples/pcr/policy_sign -pcr=16 -rsa -key=./certs/example-rsa2048-key.der -out=pcrsig.bin -outpolicy=policyauth.bin >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "policy sign rsa der failed! $RESULT" && exit 1 - ./examples/pcr/policy_sign -pcr=16 -rsa -key=./certs/example-rsa2048-key.pem -out=pcrsig.bin -outpolicy=policyauth.bin >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "policy sign rsa pem failed! $RESULT" && exit 1 + if [ $WOLFCRYPT_RSA -eq 1 ]; then + # RSA + ./examples/pcr/policy_sign -pcr=16 -rsa -key=./certs/example-rsa2048-key.der -out=pcrsig.bin -outpolicy=policyauth.bin >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "policy sign rsa der failed! $RESULT" && exit 1 + ./examples/pcr/policy_sign -pcr=16 -rsa -key=./certs/example-rsa2048-key.pem -out=pcrsig.bin -outpolicy=policyauth.bin >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "policy sign rsa pem failed! $RESULT" && exit 1 - TMPFILE=$(mktemp) - SECRET_STRING=`head -c 32 /dev/random | base64` - ./examples/boot/secret_seal -rsa -policy=policyauth.bin -out=sealblob.bin -secretstr=$SECRET_STRING >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "secret seal rsa failed! $RESULT" && exit 1 - ./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig.bin -rsa -publickey=./certs/example-rsa2048-key-pub.der -seal=sealblob.bin &> $TMPFILE - RESULT=$? - cat $TMPFILE >> run.out - [ $RESULT -ne 0 ] && echo -e "secret unseal rsa failed! $RESULT" && exit 1 - grep "$SECRET_STRING" $TMPFILE >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "secret unseal rsa match failed! $RESULT" && exit 1 + TMPFILE=$(mktemp) + SECRET_STRING=`head -c 32 /dev/random | base64` + ./examples/boot/secret_seal -rsa -policy=policyauth.bin -out=sealblob.bin -secretstr=$SECRET_STRING >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "secret seal rsa failed! $RESULT" && exit 1 + ./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig.bin -rsa -publickey=./certs/example-rsa2048-key-pub.der -seal=sealblob.bin &> $TMPFILE + RESULT=$? + cat $TMPFILE >> run.out + [ $RESULT -ne 0 ] && echo -e "secret unseal rsa failed! $RESULT" && exit 1 + grep "$SECRET_STRING" $TMPFILE >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "secret unseal rsa match failed! $RESULT" && exit 1 - # RSA (recreate policy auth using public key instead of using policyauth.bin) - TMPFILE=$(mktemp) - SECRET_STRING=`head -c 32 /dev/random | base64` - ./examples/boot/secret_seal -rsa -publickey=./certs/example-rsa2048-key-pub.der -out=sealblob.bin -secretstr=$SECRET_STRING >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "secret seal rsa alt failed! $RESULT" && exit 1 - ./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig.bin -rsa -publickey=./certs/example-rsa2048-key-pub.der -seal=sealblob.bin &> $TMPFILE - RESULT=$? - cat $TMPFILE >> run.out - [ $RESULT -ne 0 ] && echo -e "secret unseal rsa alt failed! $RESULT" && exit 1 - grep "$SECRET_STRING" $TMPFILE >> run.out 2>&1 - RESULT=$? - rm -f $TMPFILE - [ $RESULT -ne 0 ] && echo -e "secret unseal rsa alt match failed! $RESULT" && exit 1 + # RSA (recreate policy auth using public key instead of using policyauth.bin) + TMPFILE=$(mktemp) + SECRET_STRING=`head -c 32 /dev/random | base64` + ./examples/boot/secret_seal -rsa -publickey=./certs/example-rsa2048-key-pub.der -out=sealblob.bin -secretstr=$SECRET_STRING >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "secret seal rsa alt failed! $RESULT" && exit 1 + ./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig.bin -rsa -publickey=./certs/example-rsa2048-key-pub.der -seal=sealblob.bin &> $TMPFILE + RESULT=$? + cat $TMPFILE >> run.out + [ $RESULT -ne 0 ] && echo -e "secret unseal rsa alt failed! $RESULT" && exit 1 + grep "$SECRET_STRING" $TMPFILE >> run.out 2>&1 + RESULT=$? + rm -f $TMPFILE + [ $RESULT -ne 0 ] && echo -e "secret unseal rsa alt match failed! $RESULT" && exit 1 - # Test RSA Unseal Expected Failure Case - # Create different ECC policy key to test failure case - openssl genrsa -out tmp-rsa2048-key.pem 2048 >> run.out 2>&1 - openssl rsa -in tmp-rsa2048-key.pem -outform der -out tmp-rsa2048-key-pub.der -pubout >> run.out 2>&1 + # Test RSA Unseal Expected Failure Case + # Create different ECC policy key to test failure case + openssl genrsa -out tmp-rsa2048-key.pem 2048 >> run.out 2>&1 + openssl rsa -in tmp-rsa2048-key.pem -outform der -out tmp-rsa2048-key-pub.der -pubout >> run.out 2>&1 - # Sign policy using different private key - ./examples/pcr/policy_sign -pcr=16 -rsa -key=tmp-rsa2048-key.pem -out=pcrsig_fail.bin -outpolicy=policyauth.bin >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "policy sign (expected failure case) rsa pem failed! $RESULT" && exit 1 + # Sign policy using different private key + ./examples/pcr/policy_sign -pcr=16 -rsa -key=tmp-rsa2048-key.pem -out=pcrsig_fail.bin -outpolicy=policyauth.bin >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "policy sign (expected failure case) rsa pem failed! $RESULT" && exit 1 - # This RSA unseal should fail! - ./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig_fail.bin -rsa -publickey=tmp-rsa2048-key-pub.der -seal=sealblob.bin >> run.out 2>&1 - RESULT=$? - [ $RESULT -eq 0 ] && echo -e "secret unseal rsa should have failed! $RESULT" && exit 1 + # This RSA unseal should fail! + ./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig_fail.bin -rsa -publickey=tmp-rsa2048-key-pub.der -seal=sealblob.bin >> run.out 2>&1 + RESULT=$? + [ $RESULT -eq 0 ] && echo -e "secret unseal rsa should have failed! $RESULT" && exit 1 - rm -f tmp-rsa2048-key.pem - rm -f tmp-rsa2048-key-pub.der - rm -f pcrsig_fail.bin + rm -f tmp-rsa2048-key.pem + rm -f tmp-rsa2048-key-pub.der + rm -f pcrsig_fail.bin + fi + + if [ $WOLFCRYPT_ECC -eq 1 ]; then + # ECC + ./examples/pcr/policy_sign -pcr=16 -ecc -key=./certs/example-ecc256-key.der -out=pcrsig.bin -outpolicy=policyauth.bin >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "policy sign ecc der failed! $RESULT" && exit 1 + ./examples/pcr/policy_sign -pcr=16 -ecc -key=./certs/example-ecc256-key.pem -out=pcrsig.bin -outpolicy=policyauth.bin >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "policy sign ecc pem failed! $RESULT" && exit 1 + + TMPFILE=$(mktemp) + SECRET_STRING=`head -c 32 /dev/random | base64` + ./examples/boot/secret_seal -ecc -policy=policyauth.bin -out=sealblob.bin -secretstr=$SECRET_STRING >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "secret seal ecc failed! $RESULT" && exit 1 + ./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig.bin -ecc -publickey=./certs/example-ecc256-key-pub.der -seal=sealblob.bin &> $TMPFILE + RESULT=$? + cat $TMPFILE >> run.out + [ $RESULT -ne 0 ] && echo -e "secret unseal ecc failed! $RESULT" && exit 1 + + grep "$SECRET_STRING" $TMPFILE >> run.out 2>&1 + RESULT=$? + rm -f $TMPFILE + [ $RESULT -ne 0 ] && echo -e "secret unseal ecc match failed! $RESULT" && exit 1 - # ECC - ./examples/pcr/policy_sign -pcr=16 -ecc -key=./certs/example-ecc256-key.der -out=pcrsig.bin -outpolicy=policyauth.bin >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "policy sign ecc der failed! $RESULT" && exit 1 - ./examples/pcr/policy_sign -pcr=16 -ecc -key=./certs/example-ecc256-key.pem -out=pcrsig.bin -outpolicy=policyauth.bin >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "policy sign ecc pem failed! $RESULT" && exit 1 - - TMPFILE=$(mktemp) - SECRET_STRING=`head -c 32 /dev/random | base64` - ./examples/boot/secret_seal -ecc -policy=policyauth.bin -out=sealblob.bin -secretstr=$SECRET_STRING >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "secret seal ecc failed! $RESULT" && exit 1 - ./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig.bin -ecc -publickey=./certs/example-ecc256-key-pub.der -seal=sealblob.bin &> $TMPFILE - RESULT=$? - cat $TMPFILE >> run.out - [ $RESULT -ne 0 ] && echo -e "secret unseal ecc failed! $RESULT" && exit 1 - - grep "$SECRET_STRING" $TMPFILE >> run.out 2>&1 - RESULT=$? - rm -f $TMPFILE - [ $RESULT -ne 0 ] && echo -e "secret unseal ecc match failed! $RESULT" && exit 1 + # ECC (recreate policy auth using public key instead of using policyauth.bin) + TMPFILE=$(mktemp) + SECRET_STRING=`head -c 32 /dev/random | base64` + ./examples/boot/secret_seal -ecc -publickey=./certs/example-ecc256-key-pub.der -out=sealblob.bin -secretstr=$SECRET_STRING >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "secret seal ecc alt failed! $RESULT" && exit 1 + ./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig.bin -ecc -publickey=./certs/example-ecc256-key-pub.der -seal=sealblob.bin &> $TMPFILE + RESULT=$? + cat $TMPFILE >> run.out + [ $RESULT -ne 0 ] && echo -e "secret unseal ecc alt failed! $RESULT" && exit 1 + grep "$SECRET_STRING" $TMPFILE >> run.out 2>&1 + RESULT=$? + rm -f $TMPFILE + [ $RESULT -ne 0 ] && echo -e "secret unseal ecc alt match failed! $RESULT" && exit 1 - # ECC (recreate policy auth using public key instead of using policyauth.bin) - TMPFILE=$(mktemp) - SECRET_STRING=`head -c 32 /dev/random | base64` - ./examples/boot/secret_seal -ecc -publickey=./certs/example-ecc256-key-pub.der -out=sealblob.bin -secretstr=$SECRET_STRING >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "secret seal ecc alt failed! $RESULT" && exit 1 - ./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig.bin -ecc -publickey=./certs/example-ecc256-key-pub.der -seal=sealblob.bin &> $TMPFILE - RESULT=$? - cat $TMPFILE >> run.out - [ $RESULT -ne 0 ] && echo -e "secret unseal ecc alt failed! $RESULT" && exit 1 - grep "$SECRET_STRING" $TMPFILE >> run.out 2>&1 - RESULT=$? - rm -f $TMPFILE - [ $RESULT -ne 0 ] && echo -e "secret unseal ecc alt match failed! $RESULT" && exit 1 + # Test ECC Unseal Expected Failure Case + # Create different ECC policy key to test failure case + openssl ecparam -name prime256v1 -genkey -noout -out tmp-ecc256-key.pem >> run.out 2>&1 + openssl ec -in tmp-ecc256-key.pem -outform der -out tmp-ecc256-key-pub.der -pubout >> run.out 2>&1 + # Sign policy using different private key + ./examples/pcr/policy_sign -pcr=16 -ecc -key=tmp-ecc256-key.pem -out=pcrsig_fail.bin -outpolicy=policyauth.bin >> run.out 2>&1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "policy sign (expected failure case) ecc pem failed! $RESULT" && exit 1 - # Test ECC Unseal Expected Failure Case - # Create different ECC policy key to test failure case - openssl ecparam -name prime256v1 -genkey -noout -out tmp-ecc256-key.pem >> run.out 2>&1 - openssl ec -in tmp-ecc256-key.pem -outform der -out tmp-ecc256-key-pub.der -pubout >> run.out 2>&1 + # This ECC unseal should fail! + ./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig_fail.bin -ecc -publickey=tmp-ecc256-key-pub.der -seal=sealblob.bin >> run.out 2>&1 + RESULT=$? + [ $RESULT -eq 0 ] && echo -e "secret unseal ecc should have failed! $RESULT" && exit 1 - # Sign policy using different private key - ./examples/pcr/policy_sign -pcr=16 -ecc -key=tmp-ecc256-key.pem -out=pcrsig_fail.bin -outpolicy=policyauth.bin >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "policy sign (expected failure case) ecc pem failed! $RESULT" && exit 1 - - # This ECC unseal should fail! - ./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig_fail.bin -ecc -publickey=tmp-ecc256-key-pub.der -seal=sealblob.bin >> run.out 2>&1 - RESULT=$? - [ $RESULT -eq 0 ] && echo -e "secret unseal ecc should have failed! $RESULT" && exit 1 - - rm -f tmp-ecc256-key.pem - rm -f tmp-ecc256-key-pub.der - rm -f pcrsig_fail.bin + rm -f tmp-ecc256-key.pem + rm -f tmp-ecc256-key-pub.der + rm -f pcrsig_fail.bin + fi rm -f pcrsig.bin rm -f policyauth.bin diff --git a/examples/timestamp/signed_timestamp.c b/examples/timestamp/signed_timestamp.c index 59cb32a..75b73ae 100644 --- a/examples/timestamp/signed_timestamp.c +++ b/examples/timestamp/signed_timestamp.c @@ -46,7 +46,7 @@ static void usage(void) { printf("Expected usage:\n"); - printf("./examples/timestamp/signed_timestamp [-ecc] [-aes/xor]\n"); + printf("./examples/timestamp/signed_timestamp [-ecc/-rsa] [-aes/xor]\n"); printf("* -ecc: Use RSA or ECC for SRK/AIK\n"); printf("* -aes/xor: Use Parameter Encryption\n"); } @@ -93,6 +93,9 @@ int TPM2_Timestamp_TestArgs(void* userCtx, int argc, char *argv[]) if (XSTRCMP(argv[argc-1], "-ecc") == 0) { alg = TPM_ALG_ECC; } + else if (XSTRCMP(argv[argc-1], "-rsa") == 0) { + alg = TPM_ALG_RSA; + } else if (XSTRCMP(argv[argc-1], "-aes") == 0) { paramEncAlg = TPM_ALG_CFB; } diff --git a/examples/tls/tls_client.c b/examples/tls/tls_client.c index 575b2be..bf674a5 100644 --- a/examples/tls/tls_client.c +++ b/examples/tls/tls_client.c @@ -86,8 +86,9 @@ static void usage(void) { printf("Expected usage:\n"); - printf("./examples/tls/tls_client [-ecc] [-aes/xor]\n"); - printf("* -ecc: Use RSA or ECC key\n"); + printf("./examples/tls/tls_client [-ecc/rsa] [-aes/xor]\n"); + printf("* -ecc: Use ECC key/cert\n"); + printf("* -rsa: Use RSA key/cert\n"); printf("* -aes/xor: Use Parameter Encryption\n"); printf("* -p=port: Supply a custom port number (default %d)\n", TLS_PORT); #if defined(WOLFTPM_CRYPTOCB) && defined(HAVE_PK_CALLBACKS) @@ -195,6 +196,19 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[]) printf("\tUsing Port: %d\n", port); printf("\tUsing %s callbacks\n", usePK ? "PK" : "Crypto"); +#ifndef HAVE_ECC + if (useECC) { + printf("ECC not compiled in!\n"); + return 0; /* don't report error */ + } +#endif +#ifdef NO_RSA + if (!useECC) { + printf("RSA not compiled in!\n"); + return 0; /* don't report error */ + } +#endif + /* Init the TPM2 device */ rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx); if (rc != 0) { @@ -394,7 +408,16 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[]) /* Export TPM public key as DER */ byte der[1024]; word32 derSz = (word32)sizeof(der); - rc = wolfTPM2_ExportPublicKeyBuffer(&dev, !useECC ? &rsaKey : &eccKey, + #if defined(HAVE_ECC) && !defined(NO_RSA) + void* pkey = !useECC ? &rsaKey : &eccKey; + #elif !defined(NO_RSA) + void* pkey = &rsaKey; + #elif defined(HAVE_ECC) + void* pkey = &eccKey; + #else + void* pkey = NULL; + #endif + rc = wolfTPM2_ExportPublicKeyBuffer(&dev, pkey, ENCODING_TYPE_ASN1, der, &derSz); if (rc < 0) { printf("Failed to export RSA public key!\n"); diff --git a/examples/tls/tls_common.h b/examples/tls/tls_common.h index 6055d6d..945492c 100644 --- a/examples/tls/tls_common.h +++ b/examples/tls/tls_common.h @@ -386,6 +386,41 @@ static inline int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store) return 1; } +#ifndef NO_DH +/* dh2048 p */ +static const unsigned char test_dh_p[] = +{ + 0xD3, 0xB2, 0x99, 0x84, 0x5C, 0x0A, 0x4C, 0xE7, 0x37, 0xCC, 0xFC, 0x18, + 0x37, 0x01, 0x2F, 0x5D, 0xC1, 0x4C, 0xF4, 0x5C, 0xC9, 0x82, 0x8D, 0xB7, + 0xF3, 0xD4, 0xA9, 0x8A, 0x9D, 0x34, 0xD7, 0x76, 0x57, 0xE5, 0xE5, 0xC3, + 0xE5, 0x16, 0x85, 0xCA, 0x4D, 0xD6, 0x5B, 0xC1, 0xF8, 0xCF, 0x89, 0x26, + 0xD0, 0x38, 0x8A, 0xEE, 0xF3, 0xCD, 0x33, 0xE5, 0x56, 0xBB, 0x90, 0x83, + 0x9F, 0x97, 0x8E, 0x71, 0xFB, 0x27, 0xE4, 0x35, 0x15, 0x45, 0x86, 0x09, + 0x71, 0xA8, 0x9A, 0xB9, 0x3E, 0x0F, 0x51, 0x8A, 0xC2, 0x75, 0x51, 0x23, + 0x12, 0xFB, 0x94, 0x31, 0x44, 0xBF, 0xCE, 0xF6, 0xED, 0xA6, 0x3A, 0xB7, + 0x92, 0xCE, 0x16, 0xA9, 0x14, 0xB3, 0x88, 0xB7, 0x13, 0x81, 0x71, 0x83, + 0x88, 0xCD, 0xB1, 0xA2, 0x37, 0xE1, 0x59, 0x5C, 0xD0, 0xDC, 0xCA, 0x82, + 0x87, 0xFA, 0x43, 0x44, 0xDD, 0x78, 0x3F, 0xCA, 0x27, 0x7E, 0xE1, 0x6B, + 0x93, 0x19, 0x7C, 0xD9, 0xA6, 0x96, 0x47, 0x0D, 0x12, 0xC1, 0x13, 0xD7, + 0xB9, 0x0A, 0x40, 0xD9, 0x1F, 0xFF, 0xB8, 0xB4, 0x00, 0xC8, 0xAA, 0x5E, + 0xD2, 0x66, 0x4A, 0x05, 0x8E, 0x9E, 0xF5, 0x34, 0xE7, 0xD7, 0x09, 0x7B, + 0x15, 0x49, 0x1D, 0x76, 0x31, 0xD6, 0x71, 0xEC, 0x13, 0x4E, 0x89, 0x8C, + 0x09, 0x22, 0xD8, 0xE7, 0xA3, 0xE9, 0x7D, 0x21, 0x51, 0x26, 0x6E, 0x9F, + 0x30, 0x8A, 0xBB, 0xBC, 0x74, 0xC1, 0xC3, 0x27, 0x6A, 0xCE, 0xA3, 0x12, + 0x60, 0x68, 0x01, 0xD2, 0x34, 0x07, 0x80, 0xCC, 0x2D, 0x7F, 0x5C, 0xAE, + 0xA2, 0x97, 0x40, 0xC8, 0x3C, 0xAC, 0xDB, 0x6F, 0xFE, 0x6C, 0x6D, 0xD2, + 0x06, 0x1C, 0x43, 0xA2, 0xB2, 0x2B, 0x82, 0xB7, 0xD0, 0xAB, 0x3F, 0x2C, + 0xE7, 0x9C, 0x19, 0x16, 0xD1, 0x5E, 0x26, 0x86, 0xC7, 0x92, 0xF9, 0x16, + 0x0B, 0xFA, 0x66, 0x83 +}; + +/* dh2048 g */ +static const unsigned char test_dh_g[] = +{ + 0x02, +}; +#endif /* !NO_DH */ + /******************************************************************************/ /* --- END Supporting TLS functions --- */ /******************************************************************************/ diff --git a/examples/tls/tls_server.c b/examples/tls/tls_server.c index ec02137..2241c21 100644 --- a/examples/tls/tls_server.c +++ b/examples/tls/tls_server.c @@ -83,8 +83,9 @@ static int mStop = 0; static void usage(void) { printf("Expected usage:\n"); - printf("./examples/tls/tls_server [-ecc] [-aes/xor]\n"); - printf("* -ecc: Use RSA or ECC key\n"); + printf("./examples/tls/tls_server [-ecc/rsa] [-aes/xor]\n"); + printf("* -ecc: Use ECC key/cert\n"); + printf("* -rsa: Use RSA key/cert\n"); printf("* -aes/xor: Use Parameter Encryption\n"); printf("* -p=port: Supply a custom port number (default %d)\n", TLS_PORT); #if defined(WOLFTPM_CRYPTOCB) && defined(HAVE_PK_CALLBACKS) @@ -212,6 +213,19 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[]) printf("\tUsing Port: %d\n", port); printf("\tUsing %s callbacks\n", usePK ? "PK" : "Crypto"); +#ifndef HAVE_ECC + if (useECC) { + printf("ECC not compiled in!\n"); + return 0; /* don't report error */ + } +#endif +#ifdef NO_RSA + if (!useECC) { + printf("RSA not compiled in!\n"); + return 0; /* don't report error */ + } +#endif + /* Init the TPM2 device */ rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx); if (rc != 0) { @@ -390,7 +404,16 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[]) /* Export TPM public key as DER */ byte der[1024]; word32 derSz = (word32)sizeof(der); - rc = wolfTPM2_ExportPublicKeyBuffer(&dev, !useECC ? &rsaKey : &eccKey, + #if defined(HAVE_ECC) && !defined(NO_RSA) + void* pkey = !useECC ? &rsaKey : &eccKey; + #elif !defined(NO_RSA) + void* pkey = &rsaKey; + #elif defined(HAVE_ECC) + void* pkey = &eccKey; + #else + void* pkey = NULL; + #endif + rc = wolfTPM2_ExportPublicKeyBuffer(&dev, pkey, ENCODING_TYPE_ASN1, der, &derSz); if (rc < 0) { printf("Failed to export TPM public key!\n"); @@ -458,6 +481,14 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[]) } #endif +#if !defined(NO_DH) && !defined(HAVE_ECC) + /* setup DHE option */ + wolfSSL_CTX_SetTmpDH(ctx, test_dh_p, sizeof(test_dh_p), test_dh_g, + sizeof(test_dh_g)); +#endif + + printf("Waiting for client on port %d\n", port); + /* Setup socket and connection */ rc = SetupSocketAndListen(&sockIoCtx, port); if (rc != 0) goto exit; diff --git a/examples/tpm_test.h b/examples/tpm_test.h index c6316e8..3252686 100644 --- a/examples/tpm_test.h +++ b/examples/tpm_test.h @@ -44,7 +44,7 @@ #define TPM2_DEMO_NV_TEST_INDEX 0x01800200 #define TPM2_DEMO_NV_TEST_AUTH_INDEX 0x01800201 #define TPM2_DEMO_NVRAM_STORE_INDEX 0x01800202 -#define TPM2_DEMO_NV_TEST_SIZE 1024 /* max size on Infineon SLB9670 is 1664 */ +#define TPM2_DEMO_NV_TEST_SIZE MAX_DIGEST_BUFFER /* max size on Infineon SLB9670 is 1664 */ #define TPM2_DEMO_NV_COUNTER_INDEX 0x01800300 #define TPM2_DEMO_NV_SECURE_ROT_INDEX 0x01400200 diff --git a/examples/tpm_test_keys.c b/examples/tpm_test_keys.c index 63054d6..db6c633 100644 --- a/examples/tpm_test_keys.c +++ b/examples/tpm_test_keys.c @@ -422,7 +422,7 @@ int getECCkey(WOLFTPM2_DEV* pDev, WOLFTPM2_KEY* pStorageKey, WOLFTPM2_KEY* key, if (rc != 0) { return rc; } -#if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(HAVE_ECC) +#if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(HAVE_ECC) && !defined(NO_ASN) if (pWolfEccKey) { /* setup wolf ECC key with TPM deviceID, so crypto callbacks are used */ rc = wc_ecc_init_ex((ecc_key*)pWolfEccKey, NULL, tpmDevId); diff --git a/examples/wrap/wrap_test.c b/examples/wrap/wrap_test.c index 0ead4b3..8ebeecf 100644 --- a/examples/wrap/wrap_test.c +++ b/examples/wrap/wrap_test.c @@ -116,7 +116,7 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[]) #ifndef WOLFTPM2_NO_WOLFCRYPT int tpmDevId = INVALID_DEVID; -#if defined(HAVE_ECC) || (!defined(NO_RSA) && !defined(NO_ASN)) +#if (defined(HAVE_ECC) || !defined(NO_RSA)) && !defined(NO_ASN) word32 idx; #endif #ifndef NO_RSA @@ -267,7 +267,11 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[]) /* Start an authenticated session (salted / unbound) with parameter encryption */ if (paramEncAlg != TPM_ALG_NULL) { - rc = wolfTPM2_StartSession(&dev, &tpmSession, &storageKey, NULL, + void* bindKey = &storageKey; + #ifdef NO_RSA + bindKey = NULL; /* cannot bind to key without RSA enabled */ + #endif + rc = wolfTPM2_StartSession(&dev, &tpmSession, bindKey, NULL, TPM_SE_HMAC, paramEncAlg); if (rc != 0) goto exit; printf("TPM2_StartAuthSession: sessionHandle 0x%x\n", @@ -434,7 +438,7 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[]) #else rc = wolfTPM2_UnloadHandle(&dev, &rsaKey.handle); if (rc != 0) goto exit; -#endif /* !WOLFTPM2_NO_WOLFCRYPT && !NO_RSA */ +#endif /* !WOLFTPM2_NO_WOLFCRYPT && !NO_RSA && !NO_ASN */ /* Load raw RSA public key into TPM */ rc = wolfTPM2_LoadRsaPublicKey(&dev, &publicKey, @@ -459,24 +463,38 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[]) if (rc != 0) goto exit; rc = wolfTPM2_RsaKey_WolfToTpm_ex(&dev, &storageKey, &wolfRsaPrivKey, &rsaKey); - if (rc != 0) goto exit; - /* Use TPM Handle... */ wc_FreeRsaKey(&wolfRsaPrivKey); + if (rc != 0 && rc != NOT_COMPILED_IN) { + /* NOT_COMPILED_IN here likely means that AES-CFB is not enabled for + * encrypting secrets */ + goto exit; + } + printf("RSA Private Key Loaded into TPM: Handle 0x%x\n", + (word32)rsaKey.handle.hndl); + + /* Use TPM Handle... */ + rc = wolfTPM2_UnloadHandle(&dev, &rsaKey.handle); if (rc != 0) goto exit; +#endif /* !WOLFTPM2_NO_WOLFCRYPT && !NO_RSA && !NO_ASN */ /* Load raw RSA private key into TPM */ rc = wolfTPM2_LoadRsaPrivateKey(&dev, &storageKey, &rsaKey, kRsaKeyPubModulus, (word32)sizeof(kRsaKeyPubModulus), kRsaKeyPubExponent, kRsaKeyPrivQ, (word32)sizeof(kRsaKeyPrivQ)); - if (rc != 0) goto exit; - /* Use TPM Handle... */ - printf("RSA Private Key Loaded into TPM: Handle 0x%x\n", + if (rc != 0 && rc != NOT_COMPILED_IN) { + /* NOT_COMPILED_IN here likely means that AES-CFB is not enabled for + * encrypting secrets */ + goto exit; + } + printf("RSA Private Key RAW Loaded into TPM: Handle 0x%x\n", (word32)rsaKey.handle.hndl); + + /* Use TPM Handle... */ + rc = wolfTPM2_UnloadHandle(&dev, &rsaKey.handle); if (rc != 0) goto exit; -#endif /* !WOLFTPM2_NO_WOLFCRYPT && !NO_RSA */ /* Close TPM session based on RSA storage key */ wolfTPM2_UnloadHandle(&dev, &tpmSession.handle); @@ -529,7 +547,11 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[]) /* Start an authenticated session (salted / unbound) with parameter encryption */ if (paramEncAlg != TPM_ALG_NULL) { - rc = wolfTPM2_StartSession(&dev, &tpmSession, &storageKey, NULL, + void* bindKey = &storageKey; + #ifndef HAVE_ECC + bindKey = NULL; /* cannot bind to key without ECC enabled */ + #endif + rc = wolfTPM2_StartSession(&dev, &tpmSession, bindKey, NULL, TPM_SE_HMAC, paramEncAlg); if (rc != 0) goto exit; printf("TPM2_StartAuthSession: sessionHandle 0x%x\n", @@ -620,7 +642,7 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[]) /*------------------------------------------------------------------------*/ /* ECC KEY LOADING TESTS */ /*------------------------------------------------------------------------*/ -#if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(HAVE_ECC) +#if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(HAVE_ECC) && !defined(NO_ASN) /* Extract an ECC public key from TPM */ /* Setup wolf ECC key with TPM deviceID, so crypto callbacks can be used for private operations */ @@ -636,7 +658,6 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[]) rc = wolfTPM2_UnloadHandle(&dev, &eccKey.handle); if (rc != 0) goto exit; - /* Load ECC DER public key into TPM */ rc = wc_ecc_init(&wolfEccPubKey); if (rc != 0) goto exit; @@ -653,7 +674,7 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[]) #else rc = wolfTPM2_UnloadHandle(&dev, &eccKey.handle); if (rc != 0) goto exit; -#endif /* !WOLFTPM2_NO_WOLFCRYPT && HAVE_ECC */ +#endif /* !WOLFTPM2_NO_WOLFCRYPT && HAVE_ECC && !NO_ASN */ /* Load raw ECC public key into TPM */ rc = wolfTPM2_LoadEccPublicKey(&dev, &publicKey, TPM_ECC_NIST_P256, @@ -666,7 +687,7 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[]) rc = wolfTPM2_UnloadHandle(&dev, &publicKey.handle); if (rc != 0) goto exit; -#if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(HAVE_ECC) +#if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(HAVE_ECC) && !defined(NO_ASN) /* Load ECC DER Private Key into TPM */ rc = wc_ecc_init(&wolfEccPrivKey); if (rc != 0) goto exit; @@ -676,15 +697,21 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[]) if (rc != 0) goto exit; rc = wolfTPM2_EccKey_WolfToTpm_ex(&dev, &storageKey, &wolfEccPrivKey, &eccKey); + wc_ecc_free(&wolfEccPrivKey); if (rc != 0 && rc != NOT_COMPILED_IN) { - /* a NOT_COMPILED_IN here likely means the WOLFSSL_PUBLIC_MP is enabled - * exposing the mp_ math API's needed for encrypting secrets */ + /* NOT_COMPILED_IN here likely means the WOLFSSL_PUBLIC_MP is enabled + * exposing the mp_ math API's or AES CFB is not enabled. + * Both are needed for encrypting secrets */ goto exit; } + printf("ECC Private Key Loaded into TPM: Handle 0x%x\n", + (word32)eccKey.handle.hndl); + /* Use TPM Handle... */ - wc_ecc_free(&wolfEccPrivKey); + rc = wolfTPM2_UnloadHandle(&dev, &eccKey.handle); if (rc != 0) goto exit; +#endif /* !WOLFTPM2_NO_WOLFCRYPT && HAVE_ECC && !NO_ASN */ /* Load raw ECC private key into TPM */ rc = wolfTPM2_LoadEccPrivateKey(&dev, &storageKey, &eccKey, TPM_ECC_NIST_P256, @@ -692,16 +719,18 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[]) kEccKeyPubYRaw, (word32)sizeof(kEccKeyPubYRaw), kEccKeyPrivD, (word32)sizeof(kEccKeyPrivD)); if (rc != 0 && rc != NOT_COMPILED_IN) { - /* a NOT_COMPILED_IN here likely means the WOLFSSL_PUBLIC_MP is enabled - * exposing the mp_ math API's needed for encrypting secrets */ + /* NOT_COMPILED_IN here likely means the WOLFSSL_PUBLIC_MP is enabled + * exposing the mp_ math API's or AES CFB is not enabled. + * Both are needed for encrypting secrets */ goto exit; } - /* Use TPM Handle... */ - printf("ECC Private Key Loaded into TPM: Handle 0x%x\n", + printf("ECC Private Key RAW Loaded into TPM: Handle 0x%x\n", (word32)eccKey.handle.hndl); + + /* Use TPM Handle... */ + rc = wolfTPM2_UnloadHandle(&dev, &eccKey.handle); if (rc != 0) goto exit; -#endif /* !WOLFTPM2_NO_WOLFCRYPT && HAVE_ECC */ #if 0 /* disabled until ECC Encrypted salt is added */ /* Close TPM session based on ECC storage key */ @@ -981,7 +1010,6 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[]) if (rc != 0) goto exit; #endif - exit: if (rc != 0) { @@ -999,6 +1027,10 @@ exit: wolfTPM2_Cleanup(&dev); +#ifndef WOLFTPM2_NO_WOLFCRYPT + (void)tpmDevId; +#endif + return rc; } diff --git a/src/tpm2_cryptocb.c b/src/tpm2_cryptocb.c index 7fc4757..c8edb56 100644 --- a/src/tpm2_cryptocb.c +++ b/src/tpm2_cryptocb.c @@ -27,9 +27,8 @@ #if !defined(WOLFTPM2_NO_WRAPPER) -#if defined(WOLFTPM_CRYPTOCB) || \ - (defined(HAVE_PK_CALLBACKS) && !defined(WOLFCRYPT_ONLY)) - +#if defined(HAVE_ECC) && (defined(WOLFTPM_CRYPTOCB) || \ + (defined(HAVE_PK_CALLBACKS) && !defined(WOLFCRYPT_ONLY))) /* Helper to trim leading zeros when not required */ static byte* wolfTPM2_ASNTrimZeros(byte* in, word32* len) { @@ -41,7 +40,7 @@ static byte* wolfTPM2_ASNTrimZeros(byte* in, word32* len) *len -= idx; return in; } -#endif /* WOLFTPM_CRYPTOCB || HAVE_PK_CALLBACKS */ +#endif #ifdef WOLFTPM_CRYPTOCB diff --git a/src/tpm2_linux.c b/src/tpm2_linux.c index 5c597cd..6f7e8c1 100644 --- a/src/tpm2_linux.c +++ b/src/tpm2_linux.c @@ -28,7 +28,6 @@ #ifdef WOLFTPM_LINUX_DEV #include #include -#include /* Needed only for WOLFTPM2_MAX_BUFFER */ #include #include #include @@ -48,11 +47,7 @@ * partial reads. The only way to receive a complete response is to read * the maximum allowed TPM response from the kernel, which is 4K. And most * of the ARM systems use older kernels, such as the RPI that uses v4.12 - * - * The caller knows what the expected outcome of the operation is. Therefore, - * the response size is limited only by the WOLFTPM2_MAX_BUFFER used to limit - * the WOLFTPM2_BUFFER in wolfTPM wrappers */ - + */ /* Talk to a TPM device exposed by the Linux tpm_tis driver */ int TPM2_LINUX_SendCommand(TPM2_CTX* ctx, TPM2_Packet* packet) diff --git a/src/tpm2_wrap.c b/src/tpm2_wrap.c index 852b35f..2826349 100644 --- a/src/tpm2_wrap.c +++ b/src/tpm2_wrap.c @@ -970,8 +970,10 @@ int wolfTPM2_SetAuthHandle(WOLFTPM2_DEV* dev, int index, #ifdef WOLFTPM_DEBUG_VERBOSE printf("Session %d: Edit (PolicyAuth)\n", index); printf("\tHandle 0x%x (not touching)\n", session->sessionHandle); - printf("\tPolicyAuth %d->%d\n", session->policyAuth, handle->policyAuth); - printf("\tAuth Sz %d -> %d\n", session->auth.size, authDigestSz + handle->auth.size); + printf("\tPolicyAuth %d->%d\n", + session->policyAuth, handle->policyAuth); + printf("\tAuth Sz %d -> %d\n", session->auth.size, + authDigestSz + handle->auth.size); TPM2_PrintBin(session->auth.buffer, session->auth.size); TPM2_PrintBin(handle->auth.buffer, handle->auth.size); printf("\tName Sz %d -> %d\n", session->name.size, handle->name.size); @@ -979,8 +981,13 @@ int wolfTPM2_SetAuthHandle(WOLFTPM2_DEV* dev, int index, TPM2_PrintBin(handle->name.name, handle->name.size); #endif session->policyAuth = handle->policyAuth; + if ((word32)handle->auth.size + authDigestSz > + sizeof(session->auth.buffer)) { + return BUFFER_E; + } session->auth.size = authDigestSz + handle->auth.size; - XMEMCPY(&session->auth.buffer[authDigestSz], handle->auth.buffer, handle->auth.size); + XMEMCPY(&session->auth.buffer[authDigestSz], handle->auth.buffer, + handle->auth.size); session->name.size = handle->name.size; XMEMCPY(session->name.name, handle->name.name, handle->name.size); return TPM_RC_SUCCESS; @@ -2085,20 +2092,21 @@ static int SensitiveToPrivate(TPM2B_SENSITIVE* sens, TPM2B_PRIVATE* priv, TPMT_SYM_DEF_OBJECT* sym, TPM2B_DATA* symSeed, int useIv) { int rc = 0; -#if !defined(WOLFTPM2_NO_WOLFCRYPT) && \ - !defined(NO_AES) && defined(WOLFSSL_AES_CFB) && !defined(NO_HMAC) +#ifndef WOLFTPM2_NO_WOLFCRYPT int outerWrap = 0, innerWrap = 0; int digestSz = 0; int integritySz = 0; int ivSz = 0; int sensSz = 0; BYTE* sensitiveData = NULL; + TPM2B_SYM_KEY symKey; TPM2B_IV ivField; TPM2_Packet packet; - TPM2B_SYM_KEY symKey; +#ifdef WOLFTPM2_PRIVATE_IMPORT TPM2B_DIGEST hmacKey; Aes enc; Hmac hmac_ctx; +#endif if (sens == NULL || priv == NULL) { return BAD_FUNC_ARG; @@ -2160,6 +2168,7 @@ static int SensitiveToPrivate(TPM2B_SENSITIVE* sens, TPM2B_PRIVATE* priv, } if (outerWrap) { + #ifdef WOLFTPM2_PRIVATE_IMPORT /* Generate symmetric key for encryption of inner values */ symKey.size = (symKey.size + 7) / 8; /* convert to byte and round up */ rc = TPM2_KDFa(nameAlg, symSeed, "STORAGE", (TPM2B_NONCE*)name, @@ -2230,10 +2239,15 @@ static int SensitiveToPrivate(TPM2B_SENSITIVE* sens, TPM2B_PRIVATE* priv, /* store the size of the integrity */ digestSz = TPM2_Packet_SwapU16(digestSz); XMEMCPY(&priv->buffer[0], &digestSz, sizeof(word16)); + #else + (void)sensitiveData; + (void)name; + (void)symKey; + rc = NOT_COMPILED_IN; + #endif } #else - rc = NOT_COMPILED_IN; (void)sens; (void)priv; (void)nameAlg; @@ -2242,6 +2256,7 @@ static int SensitiveToPrivate(TPM2B_SENSITIVE* sens, TPM2B_PRIVATE* priv, (void)sym; (void)symSeed; (void)useIv; + rc = NOT_COMPILED_IN; #endif return rc; } @@ -2727,7 +2742,6 @@ int wolfTPM2_ReadPublicKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key, } #ifndef WOLFTPM2_NO_WOLFCRYPT - #ifndef NO_ASN #ifndef NO_RSA int wolfTPM2_DecodeRsaDer(const byte* der, word32 derSz, @@ -2825,7 +2839,7 @@ int wolfTPM2_DecodeRsaDer(const byte* der, word32 derSz, return rc; } -#endif +#endif /* !NO_RSA */ #ifdef HAVE_ECC int wolfTPM2_DecodeEccDer(const byte* der, word32 derSz, TPM2B_PUBLIC* pub, TPM2B_SENSITIVE* sens, TPMA_OBJECT attributes) @@ -2967,6 +2981,7 @@ int wolfTPM2_ExportPublicKeyBuffer(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey, } } #else + (void)out; rc = NOT_COMPILED_IN; #endif } @@ -3006,16 +3021,15 @@ int wolfTPM2_ExportPublicKeyBuffer(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey, /* Optionally convert to PEM */ if (rc == 0 && encodingType == ENCODING_TYPE_PEM) { #ifdef WOLFSSL_DER_TO_PEM - WOLFTPM2_BUFFER tmp; - if (derSz > (word32)sizeof(tmp.buffer)) { + byte tmp[MAX_CONTEXT_SIZE]; + if (derSz > (word32)sizeof(tmp)) { rc = BUFFER_E; } else { /* move DER to temp variable */ - tmp.size = derSz; - XMEMCPY(tmp.buffer, out, derSz); + XMEMCPY(tmp, out, derSz); XMEMSET(out, 0, *outSz); - rc = wc_DerToPem(tmp.buffer, tmp.size, out, *outSz, PUBLICKEY_TYPE); + rc = wc_DerToPem(tmp, derSz, out, *outSz, PUBLICKEY_TYPE); if (rc > 0) { *outSz = rc; rc = 0; @@ -3193,10 +3207,8 @@ int wolfTPM2_ImportPrivateKeyBuffer(WOLFTPM2_DEV* dev, return rc; } -#endif /* !NO_ASN */ #ifndef NO_RSA -#ifndef NO_ASN int wolfTPM2_RsaPrivateKeyImportDer(WOLFTPM2_DEV* dev, const WOLFTPM2_KEY* parentKey, WOLFTPM2_KEYBLOB* keyBlob, const byte* input, word32 inSz, TPMI_ALG_RSA_SCHEME scheme, TPMI_ALG_HASH hashAlg) @@ -3242,7 +3254,6 @@ int wolfTPM2_RsaPrivateKeyImportDer(WOLFTPM2_DEV* dev, return rc; } -#endif /* !NO_ASN */ #ifdef WOLFTPM2_PEM_DECODE int wolfTPM2_RsaPrivateKeyImportPem(WOLFTPM2_DEV* dev, @@ -3257,6 +3268,24 @@ int wolfTPM2_RsaPrivateKeyImportPem(WOLFTPM2_DEV* dev, } #endif /* WOLFTPM2_PEM_DECODE */ +int wolfTPM2_RsaKey_TpmToPemPub(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey, + byte* pem, word32* pemSz) +{ + return wolfTPM2_ExportPublicKeyBuffer(dev, tpmKey, + ENCODING_TYPE_PEM, pem, pemSz); +} +#endif /* !NO_RSA */ +#endif /* !NO_ASN */ + +#ifndef NO_RSA +static word32 wolfTPM2_RsaKey_Exponent(byte* e, word32 eSz) +{ + word32 exponent = 0, i; + for (i=0; i= 0 && outFormat == CTC_FILETYPE_PEM) { #ifdef WOLFSSL_DER_TO_PEM - WOLFTPM2_BUFFER tmp; - tmp.size = rc; - if (rc > (int)sizeof(tmp.buffer)) { + byte tmp[MAX_CONTEXT_SIZE]; + if (rc > (int)sizeof(tmp)) { rc = BUFFER_E; } else { - XMEMCPY(tmp.buffer, out, rc); + XMEMCPY(tmp, out, rc); XMEMSET(out, 0, outSz); - rc = wc_DerToPem(tmp.buffer, tmp.size, out, outSz, + rc = wc_DerToPem(tmp, (word32)rc, out, outSz, selfSignCert ? CERT_TYPE : CERTREQ_TYPE); } #else diff --git a/tests/unit_tests.c b/tests/unit_tests.c index 1623172..b0d2928 100644 --- a/tests/unit_tests.c +++ b/tests/unit_tests.c @@ -332,7 +332,8 @@ static void test_wolfTPM2_CSR(void) #endif } -#if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(WOLFTPM2_PEM_DECODE) +#if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(WOLFTPM2_PEM_DECODE) && \ + !defined(NO_RSA) static WOLFTPM2_KEY authKey; /* also used for test_wolfTPM2_PCRPolicy */ static void test_wolfTPM_ImportPublicKey(void) @@ -499,7 +500,7 @@ static void test_wolfTPM2_KeyBlob(TPM_ALG_ID alg) WOLFTPM2_DEV dev; WOLFTPM2_KEY srk; WOLFTPM2_KEYBLOB key; - WOLFTPM2_BUFFER blob; + byte blob[MAX_CONTEXT_SIZE]; TPMT_PUBLIC publicTemplate; word32 privBufferSz, pubBufferSz; @@ -550,25 +551,26 @@ static void test_wolfTPM2_KeyBlob(TPM_ALG_ID alg) NULL, &privBufferSz, &key); AssertIntEQ(rc, LENGTH_ONLY_E); + AssertIntLT(pubBufferSz + privBufferSz, sizeof(blob)); + /* Test exporting private and public parts separately */ - rc = wolfTPM2_GetKeyBlobAsSeparateBuffers(blob.buffer, &pubBufferSz, - &blob.buffer[pubBufferSz], &privBufferSz, &key); + rc = wolfTPM2_GetKeyBlobAsSeparateBuffers(blob, &pubBufferSz, + blob +pubBufferSz, &privBufferSz, &key); AssertIntEQ(rc, 0); /* Test getting size only */ - rc = wolfTPM2_GetKeyBlobAsBuffer(NULL, sizeof(blob.buffer), &key); + rc = wolfTPM2_GetKeyBlobAsBuffer(NULL, sizeof(blob), &key); AssertIntGT(rc, 0); /* Export private and public key */ - rc = wolfTPM2_GetKeyBlobAsBuffer(blob.buffer, sizeof(blob.buffer), &key); + rc = wolfTPM2_GetKeyBlobAsBuffer(blob, sizeof(blob), &key); AssertIntGT(rc, 0); - blob.size = rc; /* Reset the originally created key */ XMEMSET(&key, 0, sizeof(key)); /* Load key blob (private/public) from buffer */ - rc = wolfTPM2_SetKeyBlobFromBuffer(&key, blob.buffer, blob.size); + rc = wolfTPM2_SetKeyBlobFromBuffer(&key, blob, rc); AssertIntEQ(rc, 0); key.handle.auth.size = sizeof(gKeyAuth)-1; XMEMCPY(key.handle.auth.buffer, gKeyAuth, key.handle.auth.size); @@ -604,7 +606,8 @@ int unit_tests(int argc, char *argv[]) test_TPM2_KDFa(); test_wolfTPM2_ReadPublicKey(); test_wolfTPM2_CSR(); - #if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(WOLFTPM2_PEM_DECODE) + #if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(WOLFTPM2_PEM_DECODE) && \ + !defined(NO_RSA) test_wolfTPM_ImportPublicKey(); test_wolfTPM2_PCRPolicy(); #endif diff --git a/wolftpm/tpm2_types.h b/wolftpm/tpm2_types.h index 3635ef6..2fd545e 100644 --- a/wolftpm/tpm2_types.h +++ b/wolftpm/tpm2_types.h @@ -646,6 +646,7 @@ typedef int64_t INT64; #ifndef WOLFTPM2_WRAP_DIGEST #define WOLFTPM2_WRAP_DIGEST TPM_ALG_SHA256 #endif + /* Defines the default RSA key bits for the wrapper functions */ #ifndef WOLFTPM2_WRAP_RSA_KEY_BITS #define WOLFTPM2_WRAP_RSA_KEY_BITS MAX_RSA_KEY_BITS @@ -672,17 +673,24 @@ typedef int64_t INT64; #if !defined(WOLFTPM2_NO_HEAP) && defined(WOLFSSL_PEM_TO_DER) && \ (defined(WOLFSSL_CERT_EXT) || defined(WOLFSSL_PUB_PEM_TO_DER)) && \ !defined(NO_ASN) + /* Enable the certificate PEM decode support */ #define WOLFTPM2_PEM_DECODE #endif -/* Firmware upgrade requires wolfCrypt for hash and supported - * only for Infineon SLB9672/SLB9673 */ +/* Firmware upgrade requires wolfCrypt for hashing. + * Supported only for Infineon SLB9672/SLB9673 */ #if defined(WOLFTPM_FIRMWARE_UPGRADE) && \ (defined(WOLFTPM2_NO_WOLFCRYPT) || \ (!defined(WOLFTPM_SLB9672) && !defined(WOLFTPM_SLB9673))) #undef WOLFTPM_FIRMWARE_UPGRADE #endif +#if !defined(WOLFTPM2_NO_WOLFCRYPT) && \ + !defined(NO_AES) && defined(WOLFSSL_AES_CFB) && !defined(NO_HMAC) + /* Support for importing external private keys */ + #define WOLFTPM2_PRIVATE_IMPORT +#endif + /* ---------------------------------------------------------------------------*/ /* ENDIANESS HELPERS */ diff --git a/wolftpm/tpm2_wrap.h b/wolftpm/tpm2_wrap.h index 84bbc28..9aa96e0 100644 --- a/wolftpm/tpm2_wrap.h +++ b/wolftpm/tpm2_wrap.h @@ -95,13 +95,10 @@ typedef struct WOLFTPM2_CSR { } WOLFTPM2_CSR; #endif -#ifndef WOLFTPM2_MAX_BUFFER - #define WOLFTPM2_MAX_BUFFER 2048 -#endif - +/* buffer similar to TPM2B_MAX_BUFFER that can be used */ typedef struct WOLFTPM2_BUFFER { int size; - byte buffer[WOLFTPM2_MAX_BUFFER]; + byte buffer[MAX_DIGEST_BUFFER]; } WOLFTPM2_BUFFER; typedef enum WOLFTPM2_MFG {