WolfSSL
/
wolfTPM
mirror of https://github.com/wolfSSL/wolfTPM.git
1
0
Fork 0
Code Issues Releases Wiki Activity
wolfTPM/examples/tls/tls_client.c

478 lines
15 KiB
C
Raw Blame History

/* tls_client.c
*
* Copyright (C) 2006-2018 wolfSSL Inc.
*
* This file is part of wolfTPM.
*
* wolfTPM is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* wolfTPM is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
*/
#include <wolftpm/tpm2.h>
#include <wolftpm/tpm2_wrap.h>
#if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) && \
!defined(NO_WOLFSSL_CLIENT) && \
(defined(WOLF_CRYPTO_DEV) || defined(WOLF_CRYPTO_CB))
#include <examples/tpm_io.h>
#include <examples/tpm_test.h>
#include <examples/tls/tls_common.h>
#include <examples/tls/tls_client.h>
#include <wolfssl/ssl.h>
#undef USE_CERT_BUFFERS_2048
#define USE_CERT_BUFFERS_2048
#undef USE_CERT_BUFFERS_256
#define USE_CERT_BUFFERS_256
#include <wolfssl/certs_test.h>
/*
* Generating the Client Certificate
*
* Run example for ./examples/csr/csr
* Result is: ./certs/tpm-rsa-cert.csr and ./certs/tpm-ecc-cert.csr
*
* Run ./certs/certreq.sh
* Result is: ./certs/client-rsa-cert.pem and ./certs/client-ecc-cert.pem
*
* This example client connects to localhost on on port 11111 by default.
* These can be overriden using `TLS_HOST` and `TLS_PORT`.
*
* You can validate using the wolfSSL example server this like:
* ./examples/server/server -b -p 11111 -g -d
*
* To validate client certificate add the following wolfSSL example server args:
* ./examples/server/server -b -p 11111 -g -A ./certs/tpm-ca-rsa-cert.pem
* or
* ./examples/server/server -b -p 11111 -g -A ./certs/tpm-ca-ecc-cert.pem
* If using an ECDSA cipher suite add:
* "-l ECDHE-ECDSA-AES128-SHA -c ./certs/server-ecc.pem -k ./certs/ecc-key.pem"
*/
/******************************************************************************/
/* --- BEGIN TLS Client Example -- */
/******************************************************************************/
int TPM2_TLS_Client(void* userCtx)
{
int rc;
WOLFTPM2_DEV dev;
WOLFTPM2_KEY storageKey;
#ifndef NO_RSA
WOLFTPM2_KEY rsaKey;
RsaKey wolfRsaKey;
#endif
#ifdef HAVE_ECC
WOLFTPM2_KEY eccKey;
ecc_key wolfEccKey;
WOLFTPM2_KEY ecdhKey;
#endif
TPMT_PUBLIC publicTemplate;
TpmCryptoDevCtx tpmCtx;
SockIoCbCtx sockIoCtx;
int tpmDevId;
WOLFSSL_CTX* ctx = NULL;
WOLFSSL* ssl = NULL;
#ifndef TLS_BENCH_MODE
const char webServerMsg[] = "GET /index.html HTTP/1.0\r\n\r\n";
#endif
char msg[MAX_MSG_SZ];
int msgSz = 0;
#ifdef TLS_BENCH_MODE
double start;
int i;
#endif
/* initialize variables */
XMEMSET(&sockIoCtx, 0, sizeof(sockIoCtx));
sockIoCtx.fd = -1;
printf("TPM2 TLS Client Example\n");
/* Init the TPM2 device */
rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
if (rc != 0) {
wolfSSL_Cleanup();
return rc;
}
/* Setup the wolf crypto device callback */
XMEMSET(&tpmCtx, 0, sizeof(tpmCtx));
#ifndef NO_RSA
XMEMSET(&wolfRsaKey, 0, sizeof(wolfRsaKey));
tpmCtx.rsaKey = &rsaKey;
#endif
#ifdef HAVE_ECC
XMEMSET(&wolfEccKey, 0, sizeof(wolfEccKey));
tpmCtx.eccKey = &eccKey;
#endif
tpmCtx.checkKeyCb = myTpmCheckKey; /* detects if using "dummy" key */
tpmCtx.storageKey = &storageKey;
rc = wolfTPM2_SetCryptoDevCb(&dev, wolfTPM2_CryptoDevCb, &tpmCtx, &tpmDevId);
if (rc != 0) goto exit;
/* See if primary storage key already exists */
rc = wolfTPM2_ReadPublicKey(&dev, &storageKey,
TPM2_DEMO_STORAGE_KEY_HANDLE);
if (rc != 0) {
/* Create primary storage key */
rc = wolfTPM2_GetKeyTemplate_RSA(&publicTemplate,
TPMA_OBJECT_fixedTPM | TPMA_OBJECT_fixedParent |
TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_userWithAuth |
TPMA_OBJECT_restricted | TPMA_OBJECT_decrypt | TPMA_OBJECT_noDA);
if (rc != 0) goto exit;
rc = wolfTPM2_CreatePrimaryKey(&dev, &storageKey, TPM_RH_OWNER,
&publicTemplate, (byte*)gStorageKeyAuth, sizeof(gStorageKeyAuth)-1);
if (rc != 0) goto exit;
/* Move this key into persistent storage */
rc = wolfTPM2_NVStoreKey(&dev, TPM_RH_OWNER, &storageKey,
TPM2_DEMO_STORAGE_KEY_HANDLE);
if (rc != 0) goto exit;
}
else {
/* specify auth password for storage key */
storageKey.handle.auth.size = sizeof(gStorageKeyAuth)-1;
XMEMCPY(storageKey.handle.auth.buffer, gStorageKeyAuth,
storageKey.handle.auth.size);
}
#ifndef NO_RSA
/* Create/Load RSA key for TLS authentication */
rc = wolfTPM2_ReadPublicKey(&dev, &rsaKey, TPM2_DEMO_RSA_KEY_HANDLE);
if (rc != 0) {
rc = wolfTPM2_GetKeyTemplate_RSA(&publicTemplate,
TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_userWithAuth |
TPMA_OBJECT_decrypt | TPMA_OBJECT_sign | TPMA_OBJECT_noDA);
if (rc != 0) goto exit;
rc = wolfTPM2_CreateAndLoadKey(&dev, &rsaKey, &storageKey.handle,
&publicTemplate, (byte*)gKeyAuth, sizeof(gKeyAuth)-1);
if (rc != 0) goto exit;
/* Move this key into persistent storage */
rc = wolfTPM2_NVStoreKey(&dev, TPM_RH_OWNER, &rsaKey,
TPM2_DEMO_RSA_KEY_HANDLE);
if (rc != 0) goto exit;
}
else {
/* specify auth password for rsa key */
rsaKey.handle.auth.size = sizeof(gKeyAuth)-1;
XMEMCPY(rsaKey.handle.auth.buffer, gKeyAuth, rsaKey.handle.auth.size);
}
/* setup wolf RSA key with TPM deviceID, so crypto callbacks are used */
rc = wc_InitRsaKey_ex(&wolfRsaKey, NULL, tpmDevId);
if (rc != 0) goto exit;
/* load public portion of key into wolf RSA Key */
rc = wolfTPM2_RsaKey_TpmToWolf(&dev, &rsaKey, &wolfRsaKey);
if (rc != 0) goto exit;
#endif /* !NO_RSA */
#ifdef HAVE_ECC
/* Create/Load ECC key for TLS authentication */
rc = wolfTPM2_ReadPublicKey(&dev, &eccKey, TPM2_DEMO_ECC_KEY_HANDLE);
if (rc != 0) {
rc = wolfTPM2_GetKeyTemplate_ECC(&publicTemplate,
TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_userWithAuth |
TPMA_OBJECT_sign | TPMA_OBJECT_noDA,
TPM_ECC_NIST_P256, TPM_ALG_ECDSA);
if (rc != 0) goto exit;
rc = wolfTPM2_CreateAndLoadKey(&dev, &eccKey, &storageKey.handle,
&publicTemplate, (byte*)gKeyAuth, sizeof(gKeyAuth)-1);
if (rc != 0) goto exit;
/* Move this key into persistent storage */
rc = wolfTPM2_NVStoreKey(&dev, TPM_RH_OWNER, &eccKey,
TPM2_DEMO_ECC_KEY_HANDLE);
if (rc != 0) goto exit;
}
else {
/* specify auth password for ECC key */
eccKey.handle.auth.size = sizeof(gKeyAuth)-1;
XMEMCPY(eccKey.handle.auth.buffer, gKeyAuth, eccKey.handle.auth.size);
}
/* setup wolf ECC key with TPM deviceID, so crypto callbacks are used */
rc = wc_ecc_init_ex(&wolfEccKey, NULL, tpmDevId);
if (rc != 0) goto exit;
/* load public portion of key into wolf ECC Key */
rc = wolfTPM2_EccKey_TpmToWolf(&dev, &eccKey, &wolfEccKey);
if (rc != 0) goto exit;
/* Ephemeral Key */
XMEMSET(&ecdhKey, 0, sizeof(ecdhKey));
tpmCtx.ecdhKey = &ecdhKey;
#endif /* HAVE_ECC */
/* Setup the WOLFSSL context (factory) */
if ((ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method())) == NULL) {
rc = MEMORY_E; goto exit;
}
/* Setup DevID */
wolfSSL_CTX_SetDevId(ctx, tpmDevId);
/* Setup IO Callbacks */
wolfSSL_CTX_SetIORecv(ctx, SockIORecv);
wolfSSL_CTX_SetIOSend(ctx, SockIOSend);
/* Server certificate validation */
#if 0
/* skip server cert validation for this test */
wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, myVerify);
#else
wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, myVerify);
#ifdef NO_FILESYSTEM
/* Load CA Certificates from Buffer */
#if !defined(NO_RSA) && !defined(TLS_USE_ECC)
if (wolfSSL_CTX_load_verify_buffer(ctx,
ca_cert_der_2048, sizeof_ca_cert_der_2048,
WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) {
printf("Error loading ca_cert_der_2048 DER cert\n");
goto exit;
}
#elif defined(HAVE_ECC)
if (wolfSSL_CTX_load_verify_buffer(ctx,
ca_ecc_cert_der_256, sizeof_ca_ecc_cert_der_256,
WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) {
printf("Error loading ca_ecc_cert_der_256 DER cert\n");
goto exit;
}
#endif
#else
/* Load CA Certificates */
#if !defined(NO_RSA) && !defined(TLS_USE_ECC)
if (wolfSSL_CTX_load_verify_locations(ctx, "./certs/ca-rsa-cert.pem",
0) != WOLFSSL_SUCCESS) {
printf("Error loading ca-rsa-cert.pem cert\n");
goto exit;
}
if (wolfSSL_CTX_load_verify_locations(ctx, "./certs/wolf-ca-rsa-cert.pem",
0) != WOLFSSL_SUCCESS) {
printf("Error loading wolf-ca-rsa-cert.pem cert\n");
goto exit;
}
#elif defined(HAVE_ECC)
if (wolfSSL_CTX_load_verify_locations(ctx, "./certs/ca-ecc-cert.pem",
0) != WOLFSSL_SUCCESS) {
printf("Error loading ca-ecc-cert.pem cert\n");
goto exit;
}
if (wolfSSL_CTX_load_verify_locations(ctx, "./certs/wolf-ca-ecc-cert.pem",
0) != WOLFSSL_SUCCESS) {
printf("Error loading wolf-ca-ecc-cert.pem cert\n");
goto exit;
}
#endif
#endif /* !NO_FILESYSTEM */
#endif
#ifndef NO_TLS_MUTUAL_AUTH
#ifdef NO_FILESYSTEM
/* example loading from buffer */
#if 0
if (wolfSSL_CTX_use_certificate_buffer(ctx, cert.buffer, (long)cert.size,
WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) {
goto exit;
}
#endif
#else
/* Client certificate (mutual auth) */
#if !defined(NO_RSA) && !defined(TLS_USE_ECC)
printf("Loading RSA certificate and dummy key\n");
if ((rc = wolfSSL_CTX_use_certificate_file(ctx, "./certs/client-rsa-cert.pem",
WOLFSSL_FILETYPE_PEM)) != WOLFSSL_SUCCESS) {
printf("Error loading RSA client cert\n");
goto exit;
}
/* Private key is on TPM and crypto dev callbacks are used */
/* TLS client (mutual auth) requires a dummy key loaded (workaround) */
if (wolfSSL_CTX_use_PrivateKey_buffer(ctx, DUMMY_RSA_KEY,
sizeof(DUMMY_RSA_KEY), WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) {
printf("Failed to set key!\r\n");
goto exit;
}
#elif defined(HAVE_ECC)
printf("Loading ECC certificate and dummy key\n");
if ((rc = wolfSSL_CTX_use_certificate_file(ctx, "./certs/client-ecc-cert.pem",
WOLFSSL_FILETYPE_PEM)) != WOLFSSL_SUCCESS) {
printf("Error loading ECC client cert\n");
goto exit;
}
/* Private key is on TPM and crypto dev callbacks are used */
/* TLS client (mutual auth) requires a dummy key loaded (workaround) */
if (wolfSSL_CTX_use_PrivateKey_buffer(ctx, DUMMY_ECC_KEY,
sizeof(DUMMY_ECC_KEY), WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) {
printf("Failed to set key!\r\n");
goto exit;
}
#endif
#endif /* !NO_FILESYSTEM */
#endif /* !NO_TLS_MUTUAL_AUTH */
#ifdef TLS_CIPHER_SUITE
/* Optionally choose the cipher suite */
rc = wolfSSL_CTX_set_cipher_list(ctx, TLS_CIPHER_SUITE);
if (rc != WOLFSSL_SUCCESS) {
goto exit;
}
#endif
/* Create wolfSSL object/session */
if ((ssl = wolfSSL_new(ctx)) == NULL) {
rc = wolfSSL_get_error(ssl, 0);
goto exit;
}
/* Setup socket and connection */
rc = SetupSocketAndConnect(&sockIoCtx, TLS_HOST, TLS_PORT);
if (rc != 0) goto exit;
/* Setup read/write callback contexts */
wolfSSL_SetIOReadCtx(ssl, &sockIoCtx);
wolfSSL_SetIOWriteCtx(ssl, &sockIoCtx);
/* perform connect */
#ifdef TLS_BENCH_MODE
start = gettime_secs(1);
#endif
do {
rc = wolfSSL_connect(ssl);
if (rc != WOLFSSL_SUCCESS) {
rc = wolfSSL_get_error(ssl, 0);
}
} while (rc == WOLFSSL_ERROR_WANT_READ || rc == WOLFSSL_ERROR_WANT_WRITE);
if (rc != WOLFSSL_SUCCESS) {
goto exit;
}
#ifdef TLS_BENCH_MODE
start = gettime_secs(0) - start;
printf("Connect: %9.3f sec (%9.3f CPS)\n", start, 1/start);
#endif
printf("Cipher Suite: %s\n", wolfSSL_get_cipher(ssl));
/* initialize write */
#ifdef TLS_BENCH_MODE
msgSz = sizeof(msg); /* sequence */
for (i=0; i<msgSz; i++) {
msg[i] = (i & 0xff);
}
#else
msgSz = sizeof(webServerMsg);
XMEMCPY(msg, webServerMsg, msgSz);
printf("Write (%d): %s\n", msgSz, msg);
#endif
/* perform write */
#ifdef TLS_BENCH_MODE
start = gettime_secs(1);
#endif
do {
rc = wolfSSL_write(ssl, msg, msgSz);
if (rc != msgSz) {
rc = wolfSSL_get_error(ssl, 0);
}
} while (rc == WOLFSSL_ERROR_WANT_WRITE);
#ifdef TLS_BENCH_MODE
start = gettime_secs(0) - start;
printf("Write: %d bytes in %9.3f sec (%9.3f KB/sec)\n",
rc, start, rc / start / 1024);
#endif
/* perform read */
#ifdef TLS_BENCH_MODE
start = gettime_secs(1);
#endif
do {
rc = wolfSSL_read(ssl, msg, sizeof(msg));
if (rc < 0) {
rc = wolfSSL_get_error(ssl, 0);
}
} while (rc == WOLFSSL_ERROR_WANT_READ);
#ifdef TLS_BENCH_MODE
start = gettime_secs(0) - start;
printf("Read: %d bytes in %9.3f sec (%9.3f KB/sec)\n",
rc, start, rc / start / 1024);
#else
if (rc >= 0) {
/* null terminate */
msgSz = rc;
if (msgSz >= (int)sizeof(msg))
msgSz = (int)sizeof(msg) - 1;
msg[msgSz] = '\0';
rc = 0; /* success */
}
printf("Read (%d): %s\n", msgSz, msg);
#endif
rc = 0; /* success */
exit:
if (rc != 0) {
printf("Failure %d (0x%x): %s\n", rc, rc, wolfTPM2_GetRCString(rc));
}
wolfSSL_shutdown(ssl);
CloseAndCleanupSocket(&sockIoCtx);
wolfSSL_free(ssl);
wolfSSL_CTX_free(ctx);
#ifndef NO_RSA
wc_FreeRsaKey(&wolfRsaKey);
wolfTPM2_UnloadHandle(&dev, &rsaKey.handle);
#endif
#ifdef HAVE_ECC
wc_ecc_free(&wolfEccKey);
wolfTPM2_UnloadHandle(&dev, &eccKey.handle);
#endif
wolfTPM2_Cleanup(&dev);
return rc;
}
/******************************************************************************/
/* --- END TLS Client Example -- */
/******************************************************************************/
#endif /* !WOLFTPM2_NO_WRAPPER && WOLF_CRYPTO_DEV */
#ifndef NO_MAIN_DRIVER
int main(void)
{
int rc = -1;
#if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) && \
!defined(NO_WOLFSSL_CLIENT) && \
(defined(WOLF_CRYPTO_DEV) || defined(WOLF_CRYPTO_CB))
rc = TPM2_TLS_Client(NULL);
#else
printf("Wrapper/CryptoDev code not compiled in\n");
printf("Build wolfssl with ./configure --enable-cryptodev\n");
#endif
return rc;
}
#endif /* !NO_MAIN_DRIVER */
Reference in New Issue View Git Blame Copy Permalink