WolfSSL
/
wolfTPM
mirror of https://github.com/wolfSSL/wolfTPM.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Improve the TPM TLS examples for use with `WOLFTPM_MFG_IDENTITY`. Tested with ST33KTPM2X SEMI-CUSTOM DEVICE ID.

pull/376/head
David Garske 2024-09-06 16:07:34 -07:00
parent e2ef780682
commit 03070dabd7
4 changed files with 146 additions and 84 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
examples/run_examples.sh
View File

@ -394,7 +394,7 @@ run_tpm_tls_server() { # Usage: run_tpm_tls_server [ecc/rsa] [tpmargs] [tlsversi
if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ] && [ $NO_FILESYSTEM -eq 0 ]; then if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ] && [ $NO_FILESYSTEM -eq 0 ]; then
if [ $WOLFCRYPT_RSA -eq 1 ]; then if [ $WOLFCRYPT_RSA -eq 1 ]; then
# TLS client/server RSA TLS v1.2 and v1.2 Crypto callbacks # TLS client/server RSA TLS v1.2 and v1.3 Crypto callbacks
run_tpm_tls_client "rsa" "" "3" run_tpm_tls_client "rsa" "" "3"
run_tpm_tls_client "rsa" "-aes" "3" run_tpm_tls_client "rsa" "-aes" "3"
run_tpm_tls_client "rsa" "" "4" run_tpm_tls_client "rsa" "" "4"
@ -405,7 +405,7 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ] && [ $NO_FILESYST
run_tpm_tls_server "rsa" "" "4" run_tpm_tls_server "rsa" "" "4"
run_tpm_tls_server "rsa" "-aes" "4" run_tpm_tls_server "rsa" "-aes" "4"
# TLS client/server ECC TLS v1.2 and v1.2 PK callbacks # TLS client/server ECC TLS v1.2 and v1.3 PK callbacks
run_tpm_tls_client "rsa" "-pk" "3" run_tpm_tls_client "rsa" "-pk" "3"
run_tpm_tls_client "rsa" "-pk -aes" "3" run_tpm_tls_client "rsa" "-pk -aes" "3"
run_tpm_tls_client "rsa" "-pk" "4" run_tpm_tls_client "rsa" "-pk" "4"
@ -418,7 +418,7 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ] && [ $NO_FILESYST
fi fi
if [ $WOLFCRYPT_ECC -eq 1 ]; then if [ $WOLFCRYPT_ECC -eq 1 ]; then
# TLS client/server ECC TLS v1.2 and v1.2 Crypto callbacks # TLS client/server ECC TLS v1.2 and v1.3 Crypto callbacks
run_tpm_tls_client "ecc" "" "3" run_tpm_tls_client "ecc" "" "3"
run_tpm_tls_client "ecc" "-aes" "3" run_tpm_tls_client "ecc" "-aes" "3"
run_tpm_tls_client "ecc" "" "4" run_tpm_tls_client "ecc" "" "4"
@ -429,7 +429,7 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ] && [ $NO_FILESYST
run_tpm_tls_server "ecc" "" "4" run_tpm_tls_server "ecc" "" "4"
run_tpm_tls_server "ecc" "-aes" "4" run_tpm_tls_server "ecc" "-aes" "4"
# TLS client/server ECC TLS v1.2 and v1.2 PK callbacks # TLS client/server ECC TLS v1.2 and v1.3 PK callbacks
run_tpm_tls_client "ecc" "-pk" "3" run_tpm_tls_client "ecc" "-pk" "3"
run_tpm_tls_client "ecc" "-pk -aes" "3" run_tpm_tls_client "ecc" "-pk -aes" "3"
run_tpm_tls_client "ecc" "-pk" "4" run_tpm_tls_client "ecc" "-pk" "4"

53
examples/tls/tls_client.c
View File

@ -65,7 +65,7 @@
* This example client connects to localhost on on port 11111 by default. * This example client connects to localhost on on port 11111 by default.
* These can be overriden using `TLS_HOST` and `TLS_PORT`. * These can be overriden using `TLS_HOST` and `TLS_PORT`.
* *
* By default this example will loads RSA keys unless RSA is disabled (NO_RSA) * By default this example will load RSA keys unless RSA is disabled (NO_RSA)
* or the TLS_USE_ECC build option is used. * or the TLS_USE_ECC build option is used.
* *
* You can validate using the wolfSSL example server this like: * You can validate using the wolfSSL example server this like:
@ -75,8 +75,11 @@
* ./examples/server/server -b -p 11111 -g -A ./certs/tpm-ca-rsa-cert.pem * ./examples/server/server -b -p 11111 -g -A ./certs/tpm-ca-rsa-cert.pem
* or * or
* ./examples/server/server -b -p 11111 -g -A ./certs/tpm-ca-ecc-cert.pem * ./examples/server/server -b -p 11111 -g -A ./certs/tpm-ca-ecc-cert.pem
*
* If using an ECDSA cipher suite add: * If using an ECDSA cipher suite add:
* "-l ECDHE-ECDSA-AES128-SHA -c ./certs/server-ecc.pem -k ./certs/ecc-key.pem" * "-l ECDHE-ECDSA-AES128-SHA -c ./certs/server-ecc.pem -k ./certs/ecc-key.pem"
*
* For TLS v1.3 add to server "-v 4"
*/ */
@ -106,6 +109,7 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
int rc; int rc;
WOLFTPM2_DEV dev; WOLFTPM2_DEV dev;
WOLFTPM2_KEY storageKey; WOLFTPM2_KEY storageKey;
WOLFTPM2_KEY* bindKey = NULL;
#ifndef NO_RSA #ifndef NO_RSA
WOLFTPM2_KEY rsaKey; WOLFTPM2_KEY rsaKey;
#endif #endif
@ -235,14 +239,22 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
if (rc != 0) goto exit; if (rc != 0) goto exit;
} }
#endif #endif
/* See if primary storage key already exists */ /* See if primary storage key already exists */
rc = getPrimaryStoragekey(&dev, &storageKey, rc = getPrimaryStoragekey(&dev, &storageKey,
useECC ? TPM_ALG_ECC : TPM_ALG_RSA); useECC ? TPM_ALG_ECC : TPM_ALG_RSA);
if (rc != 0) goto exit; if (rc == 0) {
bindKey = &storageKey;
}
else {
#ifndef WOLFTPM_MFG_IDENTITY /* not fatal if using mfg identity */
goto exit;
#endif
}
/* Start an authenticated session (salted / unbound) with parameter encryption */ /* Start an authenticated session (salted / unbound) with parameter encryption */
if (paramEncAlg != TPM_ALG_NULL) { if (paramEncAlg != TPM_ALG_NULL) {
rc = wolfTPM2_StartSession(&dev, &tpmSession, &storageKey, NULL, rc = wolfTPM2_StartSession(&dev, &tpmSession, bindKey, NULL,
TPM_SE_HMAC, paramEncAlg); TPM_SE_HMAC, paramEncAlg);
if (rc != 0) goto exit; if (rc != 0) goto exit;
printf("TPM2_StartAuthSession: sessionHandle 0x%x\n", printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
@ -309,6 +321,7 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
#endif #endif
#endif /* HAVE_ECC */ #endif /* HAVE_ECC */
/* Setup the WOLFSSL context (factory) /* Setup the WOLFSSL context (factory)
* Use highest version, allow downgrade */ * Use highest version, allow downgrade */
if ((ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())) == NULL) { if ((ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())) == NULL) {
@ -330,7 +343,7 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
#endif #endif
/* Server certificate validation */ /* Server certificate validation */
/* Note: Can use "WOLFSSL_VERIFY_NONE" to skip server cert validation */ /* Note: Can use "WOLFSSL_VERIFY_NONE" to skip peer cert validation */
wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, myVerify); wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, myVerify);
#ifdef NO_FILESYSTEM #ifdef NO_FILESYSTEM
/* Load CA Certificates from Buffer */ /* Load CA Certificates from Buffer */
@ -383,7 +396,9 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
if (wolfSSL_CTX_load_verify_locations(ctx, "./certs/ca-ecc-cert.pem", if (wolfSSL_CTX_load_verify_locations(ctx, "./certs/ca-ecc-cert.pem",
0) != WOLFSSL_SUCCESS) { 0) != WOLFSSL_SUCCESS) {
printf("Error loading ca-ecc-cert.pem cert\n"); printf("Error loading ca-ecc-cert.pem cert\n");
#ifndef WOLFTPM_MFG_IDENTITY /* not fatal if using mfg identity */
goto exit; goto exit;
#endif
} }
if (wolfSSL_CTX_load_verify_locations(ctx, "./certs/wolf-ca-ecc-cert.pem", if (wolfSSL_CTX_load_verify_locations(ctx, "./certs/wolf-ca-ecc-cert.pem",
0) != WOLFSSL_SUCCESS) { 0) != WOLFSSL_SUCCESS) {
@ -420,7 +435,7 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
rc = wolfTPM2_ExportPublicKeyBuffer(&dev, pkey, rc = wolfTPM2_ExportPublicKeyBuffer(&dev, pkey,
ENCODING_TYPE_ASN1, der, &derSz); ENCODING_TYPE_ASN1, der, &derSz);
if (rc < 0) { if (rc < 0) {
printf("Failed to export RSA public key!\n"); printf("Failed to export TPM public key!\n");
goto exit; goto exit;
} }
@ -436,7 +451,7 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
/* Client Certificate (Mutual Authentication) */ /* Client Certificate (Mutual Authentication) */
if (!useECC) { if (!useECC) {
#ifndef NO_RSA #ifndef NO_RSA
printf("Loading RSA certificate\n"); printf("Loading RSA certificate\n");
#ifdef NO_FILESYSTEM #ifdef NO_FILESYSTEM
/* Load "cert" buffer with ASN.1/DER certificate */ /* Load "cert" buffer with ASN.1/DER certificate */
@ -452,17 +467,17 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
printf("Error loading RSA client cert\n"); printf("Error loading RSA client cert\n");
goto exit; goto exit;
} }
#else #else
printf("Error: ECC not compiled in\n"); printf("Error: RSA not compiled in\n");
rc = -1; rc = -1;
goto exit; goto exit;
#endif /* !NO_RSA */ #endif /* !NO_RSA */
} }
else { else {
#ifdef HAVE_ECC #ifdef HAVE_ECC
printf("Loading ECC certificate\n"); printf("Loading ECC certificate\n");
#ifdef WOLFTPM_MFG_IDENTITY #ifdef WOLFTPM_MFG_IDENTITY
uint8_t cert[800]; uint8_t cert[1024];
uint32_t certSz = (uint32_t)sizeof(cert); uint32_t certSz = (uint32_t)sizeof(cert);
rc = wolfTPM2_NVReadCert(&dev, TPM2_IDEVID_CERT_HANDLE, cert, &certSz); rc = wolfTPM2_NVReadCert(&dev, TPM2_IDEVID_CERT_HANDLE, cert, &certSz);
if (rc == 0) { if (rc == 0) {
@ -471,25 +486,25 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
WOLFSSL_FILETYPE_ASN1); WOLFSSL_FILETYPE_ASN1);
} }
#elif defined(NO_FILESYSTEM) #elif defined(NO_FILESYSTEM)
/* Load "cert" buffer with ASN.1/DER certificate */ /* Load "cert" buffer with ASN.1/DER certificate */
#if 0 #if 0
rc = wolfSSL_CTX_use_certificate_buffer(ctx, cert.buffer, (long)cert.size, rc = wolfSSL_CTX_use_certificate_buffer(ctx, cert.buffer, (long)cert.size,
WOLFSSL_FILETYPE_ASN1); WOLFSSL_FILETYPE_ASN1);
#endif #endif
#else #else
rc = wolfSSL_CTX_use_certificate_file(ctx, "./certs/client-ecc-cert.pem", rc = wolfSSL_CTX_use_certificate_file(ctx, "./certs/client-ecc-cert.pem",
WOLFSSL_FILETYPE_PEM); WOLFSSL_FILETYPE_PEM);
#endif #endif
if (rc != WOLFSSL_SUCCESS) { if (rc != WOLFSSL_SUCCESS) {
printf("Error loading ECC client cert\n"); printf("Error loading ECC client cert\n");
goto exit; goto exit;
} }
#else #else
printf("ECC not supported in this build\n"); printf("Error: ECC not compiled in\n");
rc = -1; rc = -1;
goto exit; goto exit;
#endif /* HAVE_ECC */ #endif /* HAVE_ECC */
} }
#endif /* !NO_TLS_MUTUAL_AUTH */ #endif /* !NO_TLS_MUTUAL_AUTH */

133
examples/tls/tls_server.c
View File

@ -74,6 +74,8 @@ static int mStop = 0;
* With browsers you will get certificate warnings until you load the test CA's * With browsers you will get certificate warnings until you load the test CA's
* ./certs/ca-rsa-cert.pem and ./certs/ca-ecc-cert.pem into your OS key store. * ./certs/ca-rsa-cert.pem and ./certs/ca-ecc-cert.pem into your OS key store.
* With most browsers you can bypass the certificate warning. * With most browsers you can bypass the certificate warning.
*
* For TLS v1.3 add to client "-v 4"
*/ */
/******************************************************************************/ /******************************************************************************/
@ -104,6 +106,7 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
int rc; int rc;
WOLFTPM2_DEV dev; WOLFTPM2_DEV dev;
WOLFTPM2_KEY storageKey; WOLFTPM2_KEY storageKey;
WOLFTPM2_KEY* bindKey = NULL;
#ifndef NO_RSA #ifndef NO_RSA
WOLFTPM2_KEY rsaKey; WOLFTPM2_KEY rsaKey;
#endif #endif
@ -252,14 +255,22 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
if (rc != 0) goto exit; if (rc != 0) goto exit;
} }
#endif #endif
/* See if primary storage key already exists */ /* See if primary storage key already exists */
rc = getPrimaryStoragekey(&dev, &storageKey, rc = getPrimaryStoragekey(&dev, &storageKey,
useECC ? TPM_ALG_ECC : TPM_ALG_RSA); useECC ? TPM_ALG_ECC : TPM_ALG_RSA);
if (rc != 0) goto exit; if (rc == 0) {
bindKey = &storageKey;
}
else {
#ifndef WOLFTPM_MFG_IDENTITY /* not fatal if using mfg identity */
goto exit;
#endif
}
/* Start an authenticated session (salted / unbound) with parameter encryption */ /* Start an authenticated session (salted / unbound) with parameter encryption */
if (paramEncAlg != TPM_ALG_NULL) { if (paramEncAlg != TPM_ALG_NULL) {
rc = wolfTPM2_StartSession(&dev, &tpmSession, &storageKey, NULL, rc = wolfTPM2_StartSession(&dev, &tpmSession, bindKey, NULL,
TPM_SE_HMAC, paramEncAlg); TPM_SE_HMAC, paramEncAlg);
if (rc != 0) goto exit; if (rc != 0) goto exit;
printf("TPM2_StartAuthSession: sessionHandle 0x%x\n", printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
@ -292,19 +303,31 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
#ifdef HAVE_ECC #ifdef HAVE_ECC
if (useECC) { if (useECC) {
/* Create/Load ECC key for TLS authentication */ #ifdef WOLFTPM_MFG_IDENTITY
rc = wolfTPM2_GetKeyTemplate_ECC(&publicTemplate, /* Attempt to use pre-provisioned identity key */
TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_userWithAuth | rc = wolfTPM2_ReadPublicKey(&dev, &eccKey, TPM2_IDEVID_KEY_HANDLE);
TPMA_OBJECT_sign | TPMA_OBJECT_noDA, if (rc == 0) {
TPM_ECC_NIST_P256, TPM_ALG_ECDSA); /* TODO: Supply master password (if not TEST_SAMPLE) */
if (rc != 0) goto exit; wolfTPM2_SetIdentityAuth(&dev, &eccKey.handle, NULL, 0);
rc = getECCkey(&dev, }
&storageKey, else
&eccKey, #endif
NULL, {
tpmDevId, /* Create/Load ECC key for TLS authentication */
(byte*)gKeyAuth, sizeof(gKeyAuth)-1, rc = wolfTPM2_GetKeyTemplate_ECC(&publicTemplate,
&publicTemplate); TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_userWithAuth |
TPMA_OBJECT_sign | TPMA_OBJECT_noDA,
TPM_ECC_NIST_P256, TPM_ALG_ECDSA);
if (rc == 0) {
rc = getECCkey(&dev,
&storageKey,
&eccKey,
NULL,
tpmDevId,
(byte*)gKeyAuth, sizeof(gKeyAuth)-1,
&publicTemplate);
}
}
if (rc != 0) goto exit; if (rc != 0) goto exit;
} }
@ -336,10 +359,7 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
#endif #endif
/* Server certificate validation */ /* Server certificate validation */
#if 0 /* Note: Can use "WOLFSSL_VERIFY_NONE" to skip peer cert validation */
/* skip server cert validation for this test */
wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_NONE, myVerify);
#else
wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, myVerify); wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, myVerify);
#ifdef NO_FILESYSTEM #ifdef NO_FILESYSTEM
/* example loading from buffer */ /* example loading from buffer */
@ -374,7 +394,9 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
if (wolfSSL_CTX_load_verify_locations(ctx, "./certs/ca-ecc-cert.pem", if (wolfSSL_CTX_load_verify_locations(ctx, "./certs/ca-ecc-cert.pem",
0) != WOLFSSL_SUCCESS) { 0) != WOLFSSL_SUCCESS) {
printf("Error loading ca-ecc-cert.pem cert\n"); printf("Error loading ca-ecc-cert.pem cert\n");
#ifndef WOLFTPM_MFG_IDENTITY /* not fatal if using mfg identity */
goto exit; goto exit;
#endif
} }
if (wolfSSL_CTX_load_verify_locations(ctx, "./certs/wolf-ca-ecc-cert.pem", if (wolfSSL_CTX_load_verify_locations(ctx, "./certs/wolf-ca-ecc-cert.pem",
0) != WOLFSSL_SUCCESS) { 0) != WOLFSSL_SUCCESS) {
@ -388,18 +410,8 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
#endif /* HAVE_ECC */ #endif /* HAVE_ECC */
} }
#endif /* !NO_FILESYSTEM */ #endif /* !NO_FILESYSTEM */
#endif
#ifdef NO_FILESYSTEM
/* example loading from buffer */
#if 0
if (wolfSSL_CTX_use_certificate_buffer(ctx, cert.buffer, (long)cert.size,
WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) {
goto exit;
}
#endif
(void)useSelfSign;
#else
{ {
/* Export TPM public key as DER */ /* Export TPM public key as DER */
byte der[1024]; byte der[1024];
@ -431,47 +443,70 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
} }
/* Server certificate */ /* Server certificate */
printf("Loading %s certificate\n", useECC ? "ECC" : "RSA");
if (!useECC) { if (!useECC) {
#ifndef NO_RSA #ifndef NO_RSA
const char* useCert = "./certs/server-rsa-cert.pem"; printf("Loading RSA certificate\n");
#ifdef NO_FILESYSTEM
/* Load "cert" buffer with ASN.1/DER certificate */
#if 0
rc = wolfSSL_CTX_use_certificate_buffer(ctx, cert.buffer, (long)cert.size,
WOLFSSL_FILETYPE_ASN1);
#endif
#else
const char* useCert = "./certs/server-rsa-cert.pem";
if (useSelfSign) { if (useSelfSign) {
useCert = "./certs/tpm-rsa-cert.pem"; useCert = "./certs/tpm-rsa-cert.pem";
} }
rc = wolfSSL_CTX_use_certificate_file(ctx, useCert, WOLFSSL_FILETYPE_PEM);
printf("Loading RSA certificate (%s) and public key\n", useCert); #endif
if (rc != WOLFSSL_SUCCESS) {
if ((rc = wolfSSL_CTX_use_certificate_file(ctx, useCert,
WOLFSSL_FILETYPE_PEM)) != WOLFSSL_SUCCESS) {
printf("Error loading RSA client cert\n"); printf("Error loading RSA client cert\n");
goto exit; goto exit;
} }
#else #else
printf("Error: RSA not compiled in\n"); printf("Error: RSA not compiled in\n");
rc = -1; rc = -1;
goto exit; goto exit;
#endif /* !NO_RSA */ #endif /* !NO_RSA */
(void)useSelfSign;
} }
else { else {
#ifdef HAVE_ECC #ifdef HAVE_ECC
const char* useCert = "./certs/server-ecc-cert.pem"; #ifdef WOLFTPM_MFG_IDENTITY
uint8_t cert[1024];
uint32_t certSz = (uint32_t)sizeof(cert);
rc = wolfTPM2_NVReadCert(&dev, TPM2_IDEVID_CERT_HANDLE, cert, &certSz);
if (rc == 0) {
/* Load "cert" buffer with ASN.1/DER certificate */
rc = wolfSSL_CTX_use_certificate_buffer(ctx, cert, (long)certSz,
WOLFSSL_FILETYPE_ASN1);
}
#elif defined(NO_FILESYSTEM)
/* Load "cert" buffer with ASN.1/DER certificate */
#if 0
rc = wolfSSL_CTX_use_certificate_buffer(ctx, cert.buffer, (long)cert.size,
WOLFSSL_FILETYPE_ASN1);
#endif
#else
const char* useCert = "./certs/server-ecc-cert.pem";
if (useSelfSign) { if (useSelfSign) {
useCert = "./certs/tpm-ecc-cert.pem"; useCert = "./certs/tpm-ecc-cert.pem";
} }
rc = wolfSSL_CTX_use_certificate_file(ctx, useCert, WOLFSSL_FILETYPE_PEM);
printf("Loading ECC certificate (%s) and public key\n", useCert); #endif
if (rc != WOLFSSL_SUCCESS) {
if ((rc = wolfSSL_CTX_use_certificate_file(ctx, useCert,
WOLFSSL_FILETYPE_PEM)) != WOLFSSL_SUCCESS) {
printf("Error loading ECC client cert\n"); printf("Error loading ECC client cert\n");
goto exit; goto exit;
} }
#else #else
printf("Error: ECC not compiled in\n"); printf("Error: ECC not compiled in\n");
rc = -1; rc = -1;
goto exit; goto exit;
#endif /* HAVE_ECC */ #endif /* HAVE_ECC */
} }
#endif /* !NO_FILESYSTEM */
#ifdef TLS_CIPHER_SUITE #ifdef TLS_CIPHER_SUITE
/* Optionally choose the cipher suite */ /* Optionally choose the cipher suite */

36
src/tpm2_wrap.c
View File

@ -4722,6 +4722,13 @@ int wolfTPM2_NVReadCert(WOLFTPM2_DEV* dev, TPM_HANDLE handle,
/* Perform read of NV without auth password */ /* Perform read of NV without auth password */
nv.handle.hndl = handle; nv.handle.hndl = handle;
rc = wolfTPM2_NVReadAuth(dev, &nv, handle, buffer, (word32*)len, 0); rc = wolfTPM2_NVReadAuth(dev, &nv, handle, buffer, (word32*)len, 0);
#ifdef DEBUG_WOLFTPM
printf("NV public read certificate 0x%x (%u bytes)\n",
handle, *len);
TPM2_PrintBin(buffer, *len);
#endif
return rc; return rc;
} }
@ -7598,12 +7605,10 @@ int wolfTPM2_PolicyAuthorizeMake(TPM_ALG_ID pcrAlg,
/* pre-provisioned IAK and IDevID key/cert from TPM vendor */ /* pre-provisioned IAK and IDevID key/cert from TPM vendor */
#ifdef WOLFTPM_MFG_IDENTITY #ifdef WOLFTPM_MFG_IDENTITY
#ifdef TEST_SAMPLE
static const uint8_t TPM2_IAK_SAMPLE_MASTER_PASSWORD[] = { static const uint8_t TPM2_IAK_SAMPLE_MASTER_PASSWORD[] = {
0xFE, 0xEF, 0x8C, 0xDF, 0x1B, 0x77, 0xBD, 0x00, 0xFE, 0xEF, 0x8C, 0xDF, 0x1B, 0x77, 0xBD, 0x00,
0x30, 0x58, 0x5E, 0x47, 0xB8, 0x21, 0x46, 0x0B 0x30, 0x58, 0x5E, 0x47, 0xB8, 0x21, 0x46, 0x0B
}; };
#endif
int wolfTPM2_SetIdentityAuth(WOLFTPM2_DEV* dev, WOLFTPM2_HANDLE* handle, int wolfTPM2_SetIdentityAuth(WOLFTPM2_DEV* dev, WOLFTPM2_HANDLE* handle,
uint8_t* masterPassword, uint16_t masterPasswordSz) uint8_t* masterPassword, uint16_t masterPasswordSz)
@ -7623,22 +7628,25 @@ int wolfTPM2_SetIdentityAuth(WOLFTPM2_DEV* dev, WOLFTPM2_HANDLE* handle,
#endif #endif
return rc; return rc;
} }
#ifdef DEBUG_WOLFTPM
printf("TPM Serial Number (%d bytes)\n", (int)sizeof(serialNum));
TPM2_PrintBin(serialNum, sizeof(serialNum));
#endif
/* Hash both values */ /* Hash both values */
rc = wc_HashInit(&hash_ctx, hashType); rc = wc_HashInit(&hash_ctx, hashType);
if (rc == 0) { if (rc == 0) {
rc = wc_HashUpdate(&hash_ctx, hashType, serialNum, sizeof(serialNum)); rc = wc_HashUpdate(&hash_ctx, hashType, serialNum, sizeof(serialNum));
if (rc == 0) { if (rc == 0) {
#ifdef TEST_SAMPLE if (masterPassword == NULL || masterPasswordSz == 0) {
rc = wc_HashUpdate(&hash_ctx, hashType, rc = wc_HashUpdate(&hash_ctx, hashType,
TPM2_IAK_SAMPLE_MASTER_PASSWORD, TPM2_IAK_SAMPLE_MASTER_PASSWORD,
sizeof(TPM2_IAK_SAMPLE_MASTER_PASSWORD)); sizeof(TPM2_IAK_SAMPLE_MASTER_PASSWORD));
(void)masterPassword; }
(void)masterPasswordSz; else {
#else rc = wc_HashUpdate(&hash_ctx, hashType,
rc = wc_HashUpdate(&hash_ctx, hashType, masterPassword, masterPasswordSz);
masterPassword, masterPasswordSz); }
#endif
} }
if (rc == 0) { if (rc == 0) {
rc = wc_HashFinal(&hash_ctx, hashType, digest); rc = wc_HashFinal(&hash_ctx, hashType, digest);
@ -7651,6 +7659,10 @@ int wolfTPM2_SetIdentityAuth(WOLFTPM2_DEV* dev, WOLFTPM2_HANDLE* handle,
/* Use 16-byte for auth when accessing key */ /* Use 16-byte for auth when accessing key */
handle->auth.size = 16; handle->auth.size = 16;
XMEMCPY(handle->auth.buffer, &digest[16], 16); XMEMCPY(handle->auth.buffer, &digest[16], 16);
#ifdef DEBUG_WOLFTPM
printf("Handle 0x%x, Auth %d\n", handle->hndl, handle->auth.size);
TPM2_PrintBin(handle->auth.buffer, handle->auth.size);
#endif
(void)dev; (void)dev;