WolfSSL
/
wolfssl-examples
mirror of https://github.com/wolfSSL/wolfssl-examples.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Updates with working RSA, optimized AES keys, renames.

pull/392/head
Bill Phipps 2023-07-17 14:09:44 -04:00
parent 0a2c6eb0e0
commit 4dcc26f120
11 changed files with 1078 additions and 722 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
ccb_vaultic/Makefile 100644
View File

@ -0,0 +1,64 @@
# Pick up cross-compiler info from environment
CC=${NDK_CC}
AS=${NDK_AS}
RANLIB=${NDK_RANLIB}
AR=${NDK_AR}
LD=${NDK_LD}
# Relative path to wolfSSL source
WOLFSSL_DIR?=../../bill_wolfssl
# Relative path to VaultIC dev kit source
VAULTIC_DIR?=VaultIC-TLS_420/vaultic_tls-4xx
# Common settings and files
CFLAGS+=-I.
OBJS=ccb_vaultic.o
# Uncomment to enable verbose debug logging
#CFLAGS+=-DDEBUG_VAULTIC
#CFLAGS+=-DSPI_TRACE_ERRORS
# Optionally disable certain kinds of offload
#CFLAGS+=-DNO_WKVIC_AES
CFLAGS+=-DNO_WKVIC_SHA
#CFLAGS+=-DNO_WKVIC_RSA
# wolfSSL settings and files
# ./configure --enable-cryptocb --enable-static --disable-shared --host aarch64-linux-android
CFLAGS+=-I$(WOLFSSL_DIR)
LDFLAGS+=-L$(WOLFSSL_DIR)/src/.libs -lwolfssl -lm
# VaultIC settings and files. These must match the vault_tls_config.h
VAULTIC_CHIP=420
CHIP_TARGET=TARGETCHIP_VAULTIC_$(VAULTIC_CHIP)
CFLAGS+= -D$(CHIP_TARGET)
CFLAGS+= -DUSE_SPI
VAULTIC_ELIB?=$(VAULTIC_DIR)/VaultIC-Elib_$(VAULTIC_CHIP)/src
CFLAGS+=-I$(VAULTIC_ELIB)/common
CFLAGS+=-I$(VAULTIC_ELIB)/device/vaultic_4XX_family
VAULTIC_TLS?=$(VAULTIC_DIR)/lib/VaultIC_420_TLS_Lib/target/raspberry/dist
CFLAGS+=-I$(VAULTIC_TLS)
#LDFLAGS+=-L$(VAULTIC_TLS)/VaultIC_420_TLS_Lib-SPI-Debug -lvaultic420_tls
LDFLAGS+=-L$(VAULTIC_TLS)/VaultIC_420_TLS_Lib-SPI-Release -lvaultic420_tls
#Test and Benchmark targets
CFLAGS+=-DFORCE_DEVID=0x56490420 -DBENCH_EMBEDDED -DBENCH_DEVID -DNO_MAIN_DRIVER
TEST_OBJS:=$(WOLFSSL_DIR)/wolfcrypt/test/test.o main-test.o
BENCH_OBJS:=$(WOLFSSL_DIR)/wolfcrypt/benchmark/benchmark.o main-bench.o
all: wolfcrypt-test wolfcrypt-benchmark
wolfcrypt-test: $(OBJS) $(TEST_OBJS)
$(CC) -o $@ $^ $(LDFLAGS)
wolfcrypt-benchmark: $(OBJS) $(BENCH_OBJS)
$(CC) -o $@ $^ $(LDFLAGS)
clean:
rm -f *.o *.d wolfcrypt-test wolfcrypt-benchmark
rm -f $(WOLFSSL)/wolfcrypt/benchmark/*.o
rm -f $(WOLFSSL)/wolfcrypt/test/*.o

136
ccb_vaultic/README.md 100644
View File

@ -0,0 +1,136 @@
# CryptoCB Wisekey VaultIC Port
Support for the VaultIC 420:
- Symmetric ciphers/modes: AES128-CBC
- Hashes: SHA256
- Asymmetric ciphers/functions: RSA-2048 Verify
This port requires the VaultIC 420 Dev Kit (including the vaultic_tls library) from Wisekey. Please contact support@wolfssl.com for assistance.
## Building VaultIC Hardware Crypto Offload Support
This port is setup for cross compiling to an ARMv8 Android system and the build configuration assume the Android NDK is installed. Environment variables can be setup, for example:
```
export NDK=~/Library/Android/sdk/ndk/25.2.9519653/toolchains/llvm/prebuilt/darwin-x86_64
export PATH=$PATH:~/Documents/Masters/android/platform-tools
export NDK_AR=$NDK/bin/llvm-ar
export NDK_CC=$NDK/bin/aarch64-linux-android30-clang
export NDK_AS=$NDK_CC
export NDK_CXX=$NDK/bin/aarch64-linux-android30-clang++
export NDK_LD=$NDK/bin/ld
export NDK_RANLIB=$NDK/bin/llvm-ranlib
export NDK_STRIP=$NDK/bin/llvm-strip
```
### Building wolfSSL
To enable hardware offload support via cryptocb, configure wolfSSL to include crypto callbacks and to cross-compile a static library:
```
git clone git@github.com:wolfssl/wolfssl.git
cd wolfssl
./configure --host aarch64-linux-android CC=$NDK_CC AS=$NDK_AS RANLIB=$NDK_RANLIB AR=$NDK_AR LD=$NDK_LD STRIP=$NDK_STRIP CXX=$NDK_CXX --enable-cryptocb --enable-static --disable-shared
make
```
The port's `Makefile` also relies on certain source and header files within wolfSSL to be available. The relative path to the wolfSSL directory is set by the `WOLFSSL_DIR` variable. The wolfSSL source was updated to allow the test and benchmark programs to accept a compile-time CryptoCB DevId using the `FORCE_DEVID` macro, which is in a pending PR.
### Building VaultIC TLS Library
Please contact support@wolfssl.com for access to the modified VaultIC library files used for this port.
This port has modified the Wisekey provided vaultic_tls library to attempt to cancel authentication during startup in case a previous session ended without closing the VaultIC library by invoking `VltAuthClose()` immediately after opening the VaultIC interface. The library is statically configured with user authentication hard-coded within the library itself and to use the Linux SPI Dev interface for communications. Note that typical Linux permissions require root privileges to access the SPI device.
For this example, the VaultIC library needed to be configured and cross-compiled to the Android target which is similar to the vendor-provided Raspberry Pi target. Modifications we made to disable any GPIO's used to powerup and reset the chip as well as to set the cross compiler to use the Android NDK as above. To build the VaultIC API and TLS libraries, follow the instructions provided by Wisekey, which are summarized as:
```
cd VaultIC-TLS_420/vaultic_tls-4xx/lib/VaultIC_420_TLS_Lib/target/raspberry/build
./build-all_spi.sh
```
The port's `Makefile` expects headers and corresponding functions from `vaultic_tls.h` and from the common VaultIC folders. The relative base folder is set as the variable `VAULTIC_DIR`.
### Building the Port's Benchmark and Test programs
This port leverages wolfCrypt's included benchmark and test programs as an example of how to statically link against wolfSSL and the VaultIC libraries as well as use the hardware offload abstractions provided within wolfSSL. In this case, the wolfSSL software will attempt every cryptographic operating using the Wisekey VaultIC port via the CryptoCB method, but only the implemented functions will use the VaultIC hardware. Every unsupported function will fallback and use the ARMv8-accelerated software implementation.
To build using the NDK cross-compiler configuration above:
```
make clean
make CC=$NDK_CC AS=$NDK_AS RANLIB=$NDK_RANLIB AR=$NDK_AR LD=$NDK_LD
```
The benchmark and test programs are built as part of the `make all` target and can be run on the target hardware as `wolfcrypt-bench` and `wolfcrypt-test` respectively. Note that the test program expects the test certificates to be available on the target hardware.
## Benchmarks and Known Answer Tests
Benchmark using unoptimized ARMv8 (imx8) and VaultIC 420 for AES128-CBC:
```
Math: Multi-Precision: Wolf(SP) word-size=64 bits=4096 sp_int.c
wolfCrypt Benchmark (block bytes 1024, min 1.0 sec each)
Math: Multi-Precision: Wolf(SP) word-size=64 bits=4096 sp_int.c
wolfCrypt Benchmark (block bytes 1024, min 1.0 sec each)
AESCBC Internal with useDevice:0 and devid:56490420
AES-128-CBC-enc 78 MiB took 1.000 seconds, 77.604 MiB/s
AES-128-CBC-dec 77 MiB took 1.000 seconds, 77.361 MiB/s
AESCBC Internal with useDevice:1 and devid:56490420
AES-128-CBC-enc 25 KiB took 25.530 seconds, 0.979 KiB/s
AES-128-CBC-dec 25 KiB took 25.582 seconds, 0.977 KiB/s
```
Known answer test program output with VaultIC performing AES128-CBC test:
```
------------------------------------------------------------------------------
wolfSSL version 5.6.3 with DevID:56490420
------------------------------------------------------------------------------
error test passed!
MEMORY test passed!
base64 test passed!
asn test passed!
RANDOM test passed!
MD5 test passed!
SHA test passed!
SHA-224 test passed!
SHA-256 test passed!
SHA-384 test passed!
SHA-512 test passed!
SHA-512/224 test passed!
SHA-512/256 test passed!
SHA-3 test passed!
Hash test passed!
HMAC-MD5 test passed!
HMAC-SHA test passed!
HMAC-SHA224 test passed!
HMAC-SHA256 test passed!
HMAC-SHA384 test passed!
HMAC-SHA512 test passed!
HMAC-SHA3 test passed!
HMAC-KDF test passed!
TLSv1.3 KDF test passed!
GMAC test passed!
Chacha test passed!
POLY1305 test passed!
ChaCha20-Poly1305 AEAD test passed!
AES test passed!
AES192 test passed!
AES256 test passed!
AES-GCM test passed!
RSA test passed!
DH test passed!
PWDBASED test passed!
ECC test passed!
logging test passed!
time test passed!
mutex test passed!
memcb test passed!
crypto callback test passed!
Test complete
```
## Support
Email us at [support@wolfssl.com](mailto:support@wolfssl.com).

747
ccb_vaultic/ccb_vaultic.c 100644
View File

@ -0,0 +1,747 @@
/*
* ccb_vaultic.c
*
* Copyright (C) 2023 wolfSSL Inc.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
/* System includes */
#include <stdlib.h> /* For NULL */
#include <string.h> /* For memset/cpy */
/* wolfSSL configuration */
#include "wolfssl/options.h"
/* wolfCrypt includes */
#include "wolfssl/wolfcrypt/cryptocb.h"
#include "wolfssl/wolfcrypt/error-crypt.h"
#include "wolfssl/wolfcrypt/wc_port.h"
#include "wolfssl/wolfcrypt/types.h"
#include "wolfssl/wolfcrypt/hash.h" /* For HASH_FLAGS and types */
#include "wolfssl/wolfcrypt/rsa.h" /* For RSA_MAX_SIZE */
/* WiseKey VaultIC includes */
#include "vaultic_tls.h"
#include "vaultic_config.h"
#include "vaultic_common.h"
#include "vaultic_api.h"
#include "vaultic_structs.h"
/* Local include */
#include "ccb_vaultic.h"
/* Defined options:
* DEBUG_VAULTIC: Print copious callback info using printf
* NO_WKVIC_SHA: Do not handle SHA256 callback
* NO_WKVIC_RSA: Do not handle RSA callback
* NO_WKVIC_AES: Do not handle AES callback
*/
/* Forward declarations */
static int HandlePkCallback(int devId, wc_CryptoInfo* info, ccbVaultIc_Context *c);
static int HandleHashCallback(int devId, wc_CryptoInfo* info, ccbVaultIc_Context *c);
static int HandleCipherCallback(int devId, wc_CryptoInfo* info, ccbVaultIc_Context *c);
static void hexdump(const unsigned char* p, size_t len)
{
printf(" HD:%p for %lu bytes\n",p, len);
if(!p || !len) return;
size_t off=0;
for (off=0; off < len; off++)
{
if(off%16 ==0) printf(" ");
printf("%02X ", p[off]);
if(off%16 ==15) printf("\n");
}
if(off%16 !=15) printf("\n");
}
int ccbVaultIc_Init(ccbVaultIc_Context *c)
{
if(!c) {
return BAD_FUNC_ARG;
}
memset(c, 0, sizeof(*c));
c->vlt_rc=vlt_tls_init();
if(c->vlt_rc!=0) {
return WC_INIT_E;
}
c->initialized=1;
return 0;
}
int ccbVaultIc_Cleanup(ccbVaultIc_Context *c)
{
if(!c) {
return BAD_FUNC_ARG;
}
/* Free allocated buffers */
if(c->m) free(c->m);
if(c->aescbc_key) free(c->aescbc_key);
memset(c, 0, sizeof(*c));
c->vlt_rc=vlt_tls_close();
if(c->vlt_rc!=0) {
return WC_CLEANUP_E;
}
return 0;
}
int ccbVaultIc_CryptoDevCb(int devId,
wc_CryptoInfo* info,
void* ctx)
{
ccbVaultIc_Context *c=(ccbVaultIc_Context*)ctx;
int rc = CRYPTOCB_UNAVAILABLE;
(void)devId;
if(!info || !c || !c->initialized) {
/* Invalid info or context */
#if defined(DEBUG_VAULTIC)
printf("Invalid callback. info:%p c:%p c->init:%d\n",
info, c, c ? c->initialized : -1);
#endif
return rc;
}
switch(info->algo_type) {
case WC_ALGO_TYPE_NONE:
#if defined(DEBUG_VAULTIC)
printf(" CryptoDevCb NONE:\n");
#endif
/* Nothing to do */
break;
case WC_ALGO_TYPE_HASH:
#if defined(DEBUG_VAULTIC)
printf(" CryptoDevCb HASH: Type:%d\n", info->hash.type);
#endif
#if !defined(NO_SHA) || !defined(NO_SHA256)
/* Perform a hash */
rc = HandleHashCallback(devId, info, ctx);
#endif
break;
case WC_ALGO_TYPE_CIPHER:
#if defined(DEBUG_VAULTIC)
printf(" CryptoDevCb CIPHER: Type:%d\n", info->cipher.type);
#endif
#if !defined(NO_AES)
/* Perform a symmetric cipher */
rc = HandleCipherCallback(devId, info, ctx);
#endif
break;
case WC_ALGO_TYPE_PK:
#if defined(DEBUG_VAULTIC)
printf(" CryptoDevCb PK: Type:%d\n", info->pk.type);
#endif
#if !defined(NO_RSA) || defined(HAVE_ECC)
/* Perform a PKI operation */
rc = HandlePkCallback(devId,info,ctx);
#endif /* !defined(NO_RSA) || defined(HAVE_ECC) */
break;
case WC_ALGO_TYPE_RNG:
#if defined(DEBUG_VAULTIC)
printf(" CryptoDevCb RNG: Out:%p Sz:%d\n", info->rng.out, info->rng.sz);
#endif
#if !defined(WC_NO_RNG)
/* Put info->rng.sz random bytes into info->rng.out*/
/* TODO rc = VaultIC_Random(); */
rc = CRYPTOCB_UNAVAILABLE;
#endif
break;
case WC_ALGO_TYPE_SEED:
#if defined(DEBUG_VAULTIC)
printf(" CryptoDevCb SEED: Seed:%p Sz:%d\n", info->seed.seed,
info->seed.sz);
#endif
#if !defined(WC_NO_RNG)
/* Get info->seed.sz seed bytes from info->seed.seed*/
/* TODO rc = VaultIC_Seed(); */
#endif
break;
case WC_ALGO_TYPE_HMAC:
#if defined(DEBUG_VAULTIC)
printf(" CryptoDevCb HMAC:\n");
#endif
break;
case WC_ALGO_TYPE_CMAC:
#if defined(DEBUG_VAULTIC)
printf(" CryptoDevCb CMAC:\n");
#endif
break;
default:
#if defined(DEBUG_VAULTIC)
printf(" CryptoDevCb UNKNOWN\n");
#endif
break;
}
return rc;
}
static int HandlePkCallback(int devId, wc_CryptoInfo* info, ccbVaultIc_Context *c)
{
int rc = CRYPTOCB_UNAVAILABLE;
switch(info->pk.type) {
case WC_PK_TYPE_NONE:
#if defined(DEBUG_VAULTIC)
printf(" HandlePkCallback NONE\n");
#endif
break;
case WC_PK_TYPE_RSA:
#if defined(DEBUG_VAULTIC)
printf(" HandlePkCallback RSA: Type:%d\n",info->pk.rsa.type);
#endif
#if !defined(NO_WKVIC_RSA)
{
if((info->pk.rsa.type == RSA_PUBLIC_DECRYPT) || /* RSA Verify */
(info->pk.rsa.type == RSA_PUBLIC_ENCRYPT)) /* RSA Encrypt */
{
byte e[sizeof(uint32_t)] = {0};
byte n[RSA_MAX_SIZE / 8] = {0};
word32 eSz = sizeof(e);
word32 nSz = sizeof(n);
rc = wc_RsaFlattenPublicKey(info->pk.rsa.key, e, &eSz, n, &nSz);
/* VaultIC requires e to be MSB-padded to 4-byte multiples*/
byte e_pad[sizeof(e)] = {0};
memcpy(&e_pad[(sizeof(e_pad)-eSz)],e,eSz);
#if defined(DEBUG_VAULTIC)
printf(" RSA Flatten Pub Key:%d, eSz:%u nSz:%u\n", rc, eSz, nSz);
hexdump(e,sizeof(e));
hexdump(e_pad,sizeof(e_pad));
hexdump(n,sizeof(n));
#endif
/* Allow all privileges */
VLT_FILE_PRIVILEGES keyPrivileges = {
.u8Read=0xFF,
.u8Write=0xFF,
.u8Delete=0xFF,
.u8Execute=0xFF,
};
VLT_KEY_OBJECT tmpRsaKey= {
.enKeyID=VLT_KEY_RSAES_PUB,
.data.RsaPubKey.u16NLen=nSz,
.data.RsaPubKey.pu8N=n,
.data.RsaPubKey.u16ELen=sizeof(e_pad),
.data.RsaPubKey.pu8E=e_pad,
.data.RsaPubKey.enAssurance=VLT_PKV_ASSURED_EXPLICIT_VALIDATION,
};
/* Try to delete the tmp rsa key. Ignore errors here */
VltDeleteKey(
CCBVAULTIC_WOLFSSL_GRPID,
CCBVAULTIC_TMPRSA_KEYID);
int vlt_rc=0;
vlt_rc=VltPutKey(
CCBVAULTIC_WOLFSSL_GRPID,
CCBVAULTIC_TMPRSA_KEYID,
&keyPrivileges,
&tmpRsaKey);
#if defined(DEBUG_VAULTIC)
printf(" VLT PutKey:%x\n", vlt_rc);
#endif
/* Initialize Algo for RSA Pub Decrypt */
VLT_ALGO_PARAMS rsapub_algo_params = {
.u8AlgoID=VLT_ALG_CIP_RSAES_X509,
/* Raw RSA. No other data */
};
VLT_U32 out_len=0;
vlt_rc=VltInitializeAlgorithm(
CCBVAULTIC_WOLFSSL_GRPID,
CCBVAULTIC_TMPRSA_KEYID,
VLT_ENCRYPT_MODE,&rsapub_algo_params);
#if defined(DEBUG_VAULTIC)
printf(" VLT InitAlgo:%x\n", vlt_rc);
#endif
vlt_rc=VltEncrypt(info->pk.rsa.inLen, info->pk.rsa.in,
&out_len,
info->pk.rsa.inLen, info->pk.rsa.out);
if(info->pk.rsa.outLen) *(info->pk.rsa.outLen)=out_len;
#if defined(DEBUG_VAULTIC)
printf(" VLT Encrypt:%x inSz:%u outSz:%lu\n", vlt_rc, info->pk.rsa.inLen, out_len);
#endif
/* Delete the tmp aes key */
VltDeleteKey(
CCBVAULTIC_WOLFSSL_GRPID,
CCBVAULTIC_TMPRSA_KEYID);
/* Update return value to indicate success */
rc=0;
} else {
/* Not supported */
break;
}
};
#endif
break;
case WC_PK_TYPE_DH:
#if defined(DEBUG_VAULTIC)
printf(" HandlePkCallback DH\n");
#endif
break;
case WC_PK_TYPE_ECDH:
#if defined(DEBUG_VAULTIC)
printf(" HandlePkCallback ECDH\n");
#endif
break;
case WC_PK_TYPE_ECDSA_SIGN:
#if defined(DEBUG_VAULTIC)
printf(" HandlePkCallback ECDSA_SIGN\n");
#endif
break;
case WC_PK_TYPE_ECDSA_VERIFY:
#if defined(DEBUG_VAULTIC)
printf(" HandlePkCallback ECDSA_VERIFY\n");
#endif
break;
case WC_PK_TYPE_ED25519_SIGN:
#if defined(DEBUG_VAULTIC)
printf(" HandlePkCallback ED25519_SIGN\n");
#endif
break;
case WC_PK_TYPE_CURVE25519:
#if defined(DEBUG_VAULTIC)
printf(" HandlePkCallback CURVE25519\n");
#endif
break;
case WC_PK_TYPE_RSA_KEYGEN:
#if defined(DEBUG_VAULTIC)
printf(" HandlePkCallback RSA_KEYGEN\n");
#endif
break;
case WC_PK_TYPE_EC_KEYGEN:
#if defined(DEBUG_VAULTIC)
printf(" HandlePkCallback EC_KEYGEN\n");
#endif
break;
case WC_PK_TYPE_RSA_CHECK_PRIV_KEY:
#if defined(DEBUG_VAULTIC)
printf(" HandlePkCallback RSA_CHECK_PRIV_KEY\n");
#endif
break;
case WC_PK_TYPE_EC_CHECK_PRIV_KEY:
#if defined(DEBUG_VAULTIC)
printf(" HandlePkCallback EC_CHECK_PRIV_KEY\n");
#endif
break;
case WC_PK_TYPE_ED448:
#if defined(DEBUG_VAULTIC)
printf(" HandlePkCallback ED448\n");
#endif
break;
case WC_PK_TYPE_CURVE448:
#if defined(DEBUG_VAULTIC)
printf(" HandlePkCallback CRUVE448\n");
#endif
break;
case WC_PK_TYPE_ED25519_VERIFY:
#if defined(DEBUG_VAULTIC)
printf(" HandlePkCallback ED25519_VERIFY\n");
#endif
break;
case WC_PK_TYPE_ED25519_KEYGEN:
#if defined(DEBUG_VAULTIC)
printf(" HandlePkCallback ED25519_KEYGEN\n");
#endif
break;
case WC_PK_TYPE_CURVE25519_KEYGEN:
#if defined(DEBUG_VAULTIC)
printf(" HandlePkCallback CURVE25519_KEYGEN\n");
#endif
break;
case WC_PK_TYPE_RSA_GET_SIZE:
#if defined(DEBUG_VAULTIC)
printf(" HandlePkCallback RSA_GET_SIZE\n");
#endif
break;
default:
#if defined(DEBUG_VAULTIC)
printf(" HandlePkCallback UNKNOWN\n");
#endif
break;
}
return rc;
}
static int HandleHashCallback(int devId, wc_CryptoInfo* info, ccbVaultIc_Context *c)
{
int rc = CRYPTOCB_UNAVAILABLE;
int finalize=0;
/* Finalize sha? */
if((info->hash.in == NULL) && (info->hash.inSz==0)) {
finalize=1;
}
switch(info->hash.type) {
case WC_HASH_TYPE_NONE:
#if defined(DEBUG_VAULTIC)
printf(" HandleHashCallback NONE\n");
#endif
break;
case WC_HASH_TYPE_SHA:
#if defined(DEBUG_VAULTIC)
printf(" HandleHashCallback SHA\n");
#endif
break;
case WC_HASH_TYPE_SHA224:
#if defined(DEBUG_VAULTIC)
printf(" HandleHashCallback SHA224\n");
#endif
break;
case WC_HASH_TYPE_SHA256:
#if defined(DEBUG_VAULTIC)
printf(" HandleHashCallback SHA256. In:%p InSz:%u Digest:%p c->m:%p c->m_len:%lu c->t:%d\n",
info->hash.in, info->hash.inSz, info->hash.digest, c->m, c->m_len, c->hash_type);
#endif
#if !defined(NO_WKVIC_SHA)
/*
* info->hash.flag | WC_HASH_FLAGS_WILL_COPY --> Must buffer entire message
* info->hash.in != NULL --> Update
* info->hash.digest != NULL --> Final
*/
{
/* III Buffer all messages */
if(c->hash_type != info->hash.type) {
/* New/different hash than last time. Erase state */
#if defined(DEBUG_VAULTIC)
printf(" New Hash\n");
#endif
if(c->m) free(c->m);
c->m=NULL;
c->m_len=0;
c->hash_type = info->hash.type;
}
/* Update needed? */
if(info->hash.in && (info->hash.inSz > 0)) {
/* Buffer data */
if(c->m) {
/* Realloc and add new data in */
void *new_buf=realloc(c->m,c->m_len + info->hash.inSz);
if(!new_buf) {
/* Failure to allocate. Must return error */
#if defined(DEBUG_VAULTIC)
printf(" Failed to realloc. New size:%lu\n", c->m_len+info->hash.inSz);
#endif
rc = MEMORY_E;
break;
}
c->m=new_buf;
#if defined(DEBUG_VAULTIC)
printf(" Realloc to %p. New size:%lu\n", c->m, c->m_len+info->hash.inSz);
#endif
} else {
c->m = malloc(info->hash.inSz);
if(!c->m) {
/* Failure to allocate. Must return error */
#if defined(DEBUG_VAULTIC)
printf(" Failed to alloc. Size:%u\n", info->hash.inSz);
#endif
rc = MEMORY_E;
break;
}
#if defined(DEBUG_VAULTIC)
printf(" Alloc to %p. Size:%u\n", c->m, info->hash.inSz);
#endif
c->m_len=0;
}
memcpy(c->m + c->m_len, info->hash.in, info->hash.inSz);
c->m_len += info->hash.inSz;
#if defined(DEBUG_VAULTIC)
printf(" Buffered to %p. Buffer size:%lu\n", c->m, c->m_len);
#endif
rc = 0;
}
/* Finalize needed? */
if(info->hash.digest) {
/* Initialize for Hashing */
VLT_U8 sha_out_len=0;
VLT_ALGO_PARAMS sha256_algo_params = {
.u8AlgoID=VLT_ALG_DIG_SHA256,
};
int vlt_rc=0;
vlt_rc=VltInitializeAlgorithm(0,0, VLT_DIGEST_MODE, &sha256_algo_params);
#if defined(DEBUG_VAULTIC)
printf(" VltInit SHA256:%x\n", vlt_rc);
memset(info->hash.digest, 0, WC_SHA256_DIGEST_SIZE);
#endif
/* No data sent? Likely test case. Needs 2 steps */
if(c->m == NULL)
{
vlt_rc=VltUpdateMessageDigest(c->m_len,
c->m);
#if defined(DEBUG_VAULTIC)
printf(" VltUpdate SHA256:%x\n", vlt_rc);
#endif
vlt_rc=VltComputeMessageDigestFinal(
&sha_out_len,
WC_SHA256_DIGEST_SIZE,
info->hash.digest);
#if defined(DEBUG_VAULTIC)
printf(" VltFinal SHA256:%x\n", vlt_rc);
#endif
}
vlt_rc=VltComputeMessageDigest(c->m_len,
c->m,
&sha_out_len,
WC_SHA256_DIGEST_SIZE,
info->hash.digest);
#if defined(DEBUG_VAULTIC)
printf(" VltCompute SHA256:%x\n", vlt_rc);
hexdump(info->hash.digest, WC_SHA256_DIGEST_SIZE);
#endif
/* Deallocate/clear if this hash was NOT a copy */
#if defined(DEBUG_VAULTIC)
printf(" Hash flags:%x\n", info->hash.sha256 ? info->hash.sha256->flags : -1);
#endif
if( !info->hash.sha256 ||
!(info->hash.sha256->flags&WC_HASH_FLAG_ISCOPY)) {
#if defined(DEBUG_VAULTIC)
printf(" Freeing hash state\n");
#endif
if(c->m) free(c->m);
c->m = NULL;
c->m_len = 0;
c->hash_type = WC_HASH_TYPE_NONE;
}
rc=0;
}
}
#endif
break;
case WC_HASH_TYPE_SHA384:
#if defined(DEBUG_VAULTIC)
printf(" HandleHashCallback SHA384\n");
#endif
break;
case WC_HASH_TYPE_SHA512:
#if defined(DEBUG_VAULTIC)
printf(" HandleHashCallback SHA512\n");
#endif
break;
default:
break;
}
return rc;
}
static int HandleCipherCallback(int devId, wc_CryptoInfo* info, ccbVaultIc_Context *c)
{
int rc = CRYPTOCB_UNAVAILABLE;
switch(info->cipher.type) {
case WC_CIPHER_NONE:
#if defined(DEBUG_VAULTIC)
printf(" HandleCipherCallback NONE\n");
#endif
break;
case WC_CIPHER_AES:
#if defined(DEBUG_VAULTIC)
printf(" HandleCipherCallback AES\n");
#endif
break;
case WC_CIPHER_AES_CBC:
#if defined(DEBUG_VAULTIC)
printf(" HandleCipherCallback AES_CBC\n");
#endif
#if !defined(NO_WKVIC_AES)
{
Aes* aes=info->cipher.aescbc.aes;
int encrypt=info->cipher.enc;
VLT_U32 out_len=0;
if(!aes) break;
/* Support AES128 for now */
if(aes->keylen != AES_128_KEY_SIZE) break;
/* Check number of blocks */
unsigned int blocks = info->cipher.aescbc.sz / AES_BLOCK_SIZE;
if(blocks == 0) break;
/* Check if key is not he same as last time */
if( (c->aescbc_key == NULL) ||
(c->aescbc_keylen != aes->keylen) ||
(!memcmp(c->aescbc_key, aes->devKey,aes->keylen))) {
if(c->aescbc_key) {
free(c->aescbc_key);
c->aescbc_key=NULL;
c->aescbc_keylen=0;
}
/* Allocate key buffer */
c->aescbc_key=malloc(aes->keylen);
if(!c->aescbc_key) break;
c->aescbc_keylen=aes->keylen;
memcpy(c->aescbc_key,aes->devKey,aes->keylen);
/* Allow all privileges */
VLT_FILE_PRIVILEGES keyPrivileges = {
.u8Read=0xFF,
.u8Write=0xFF,
.u8Delete=0xFF,
.u8Execute=0xFF,
};
VLT_KEY_OBJECT tmpAesKey= {
.enKeyID=VLT_KEY_AES_128,
.data.SecretKey.u8Mask=0,
.data.SecretKey.u16KeyLength=c->aescbc_keylen,
.data.SecretKey.pu8Key=(VLT_PU8)(c->aescbc_key),
};
/* Try to delete the tmp aes key. Ignore errors here */
VltDeleteKey(
CCBVAULTIC_WOLFSSL_GRPID,
CCBVAULTIC_TMPAES_KEYID);
/* Putkey aes->devKey, aes->keylen */
VltPutKey(
CCBVAULTIC_WOLFSSL_GRPID,
CCBVAULTIC_TMPAES_KEYID,
&keyPrivileges,
&tmpAesKey);
}
/* Initialize Algo for AES-CBC */
VLT_ALGO_PARAMS aescbc_algo_params = {
.u8AlgoID=VLT_ALG_CIP_AES,
.data.SymCipher.enMode= BLOCK_MODE_CBC,
.data.SymCipher.enPadding= PADDING_NONE,
.data.SymCipher.u8IvLength= AES_BLOCK_SIZE,
.data.SymCipher.u8Iv={0},
};
memcpy(aescbc_algo_params.data.SymCipher.u8Iv,aes->reg,
AES_BLOCK_SIZE);
/* Perform encrypt/decrypt*/
if(encrypt) {
VltInitializeAlgorithm(
CCBVAULTIC_WOLFSSL_GRPID,
CCBVAULTIC_TMPAES_KEYID,
VLT_ENCRYPT_MODE,
&aescbc_algo_params);
VltEncrypt(info->cipher.aescbc.sz, info->cipher.aescbc.in,
&out_len,
info->cipher.aescbc.sz, info->cipher.aescbc.out);
const byte *last_block = info->cipher.aescbc.out + (blocks -1) * AES_BLOCK_SIZE;
memcpy(aes->reg, last_block, AES_BLOCK_SIZE);
} else {
VltInitializeAlgorithm(
CCBVAULTIC_WOLFSSL_GRPID,
CCBVAULTIC_TMPAES_KEYID,
VLT_DECRYPT_MODE,
&aescbc_algo_params);
VltDecrypt(info->cipher.aescbc.sz, info->cipher.aescbc.in,
&out_len,
info->cipher.aescbc.sz, info->cipher.aescbc.out);
const byte *last_block = info->cipher.aescbc.in + (blocks -1) * AES_BLOCK_SIZE;
memcpy(aes->reg, last_block, AES_BLOCK_SIZE);
}
#if 0
/* Delete the tmp aes key */
VltDeleteKey(
CCBVAULTIC_WOLFSSL_GRPID,
CCBVAULTIC_TMPAES_KEYID);
#endif
/* Update return value to indicate success */
rc=0;
}
#endif /* NO_WKVIC_AES */
break;
case WC_CIPHER_AES_GCM:
#if defined(DEBUG_VAULTIC)
printf(" HandleCipherCallback AES_GCM\n");
#endif
break;
case WC_CIPHER_AES_CTR:
#if defined(DEBUG_VAULTIC)
printf(" HandleCipherCallback AES_CTR\n");
#endif
break;
case WC_CIPHER_AES_XTS:
#if defined(DEBUG_VAULTIC)
printf(" HandleCipherCallback AES_XTS\n");
#endif
break;
case WC_CIPHER_AES_CFB:
#if defined(DEBUG_VAULTIC)
printf(" HandleCipherCallback AES_CFB\n");
#endif
break;
case WC_CIPHER_AES_CCM:
#if defined(DEBUG_VAULTIC)
printf(" HandleCipherCallback AES_CCM\n");
#endif
break;
case WC_CIPHER_AES_ECB:
#if defined(DEBUG_VAULTIC)
printf(" HandleCipherCallback AES_ECB\n");
#endif
break;
default:
#if defined(DEBUG_VAULTIC)
printf(" HandleCipherCallback UNKNOWN\n");
#endif
break;
}
return rc;
}

83
ccb_vaultic/ccb_vaultic.h 100644
View File

@ -0,0 +1,83 @@
/*
* ccb_vaultic.h
*
* Copyright (C) 2023 wolfSSL Inc.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
#ifndef CCB_VAULTIC_H
#define CCB_VAULTIC_H
#include "ccb_vaultic_defs.h"
#include "wolfssl/options.h"
#if !defined(WOLF_CRYPTO_CB)
#error "Missing WOLF_CRYPTO_CB. Reconfigure wolfssl with --enable-cryptocb"
#endif
#include "wolfssl/wolfcrypt/cryptocb.h"
/*
* Implementation of wolfCrypt devcrypto callbacks
*
* The wolfSSL port of the Wisekey VaultIC provides a wrapper library to allow
* the VaultIC to be used as an external crypto provider. This library depends
* on the Wisekey-provided VaultIC interface libraries that have been statically
* compiled in the proper hardware configuration.
*/
typedef struct {
int initialized;
int vlt_rc;
/* Buffer to store message during SHA with will_copy flag set */
int hash_type; /* enum wc_HashType */
unsigned char *m;
size_t m_len;
/* Buffer to cache aes key between invocations */
unsigned char *aescbc_key;
size_t aescbc_keylen;
} ccbVaultIc_Context;
/* Initialize the Wisekey VaultIC library and clear the context.
* Returns: 0 on success
* BAD_FUNC_ARGS with NULL context
* WC_INIT_E on error initializing the VaultIC
* */
int ccbVaultIc_Init(ccbVaultIc_Context *c);
/* Register this callback and associate with a context using:
* ccbVaultIc_Context ctx={0};
* ccbVaultIc_Init(&ctx);
* wc_CryptoCb_RegisterDevice(
* CCBVAULTIC420_DEVID,
* ccbVaultIc_CryptoDevCb,
* &ctx);
* wc_Aes aes={0};
* wc_AesInit(&aes, NULL, CCBVAULTIC420_DEVID);
* Returns: 0 on success
* CRYPTOCB_UNAVAILABLE if not initialized or not implemented
*
*/
int ccbVaultIc_CryptoDevCb(int devId,
wc_CryptoInfo* info,
void* ctx);
/* Close the Wisekey VaultIC library. */
int ccbVaultIc_Cleanup(ccbVaultIc_Context *c);
#endif /* CCB_VAULTIC_H_ */

18
wisekey_vaultic/wisekey_vaultic_defs.h → ccb_vaultic/ccb_vaultic_defs.h
View File

@ -1,5 +1,5 @@
/*
* wisekey_vaultic_defs.h
* ccb_vaultic_defs.h
*
* Copyright (C) 2023 wolfSSL Inc.
*
@ -18,17 +18,17 @@
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
#ifndef WISEKEY_VAULTIC_DEFS_H
#define WISEKEY_VAULTIC_DEFS_H
#ifndef CCB_VAULTIC_DEFS_H
#define CCB_VAULTIC_DEFS_H
/* VaultIC DevID MSBs are ASCII "VI" */
#define WISEKEY_VAULTIC_DEVID (0x56490000ul)
#define WISEKEY_VAULTIC420_DEVID (WISEKEY_VAULTIC_DEVID + 0x0420)
#define CCBVAULTIC_DEVID (0x56490000ul)
#define CCBVAULTIC420_DEVID (CCBVAULTIC_DEVID + 0x0420)
/* Key/Group ID's to support temporary wolfSSL usage */
#define WISEKEY_VAULTIC_WOLFSSL_GRPID 0xBB
#define WISEKEY_VAULTIC_TMPAES_KEYID 0x01
#define WISEKEY_VAULTIC_TMPHMAC_KEYID 0x02
#define WISEKEY_VAULTIC_TMPRSA_KEYID 0x03
#define CCBVAULTIC_WOLFSSL_GRPID 0xBB
#define CCBVAULTIC_TMPAES_KEYID 0x01
#define CCBVAULTIC_TMPHMAC_KEYID 0x02
#define CCBVAULTIC_TMPRSA_KEYID 0x03
#endif

37
wisekey_vaultic/main-bench.c → ccb_vaultic/main-bench.c
View File

@ -16,13 +16,14 @@
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
#include "wolfssl/wolfcrypt/settings.h"
#include "wolfssl/ssl.h"
#include "wolfcrypt/benchmark/benchmark.h"
#include <stdio.h>
#include "wisekey_vaultic.h"
#include "wolfssl/options.h"
#include "wolfssl/ssl.h"
#include "wolfcrypt/benchmark/benchmark.h"
#include "ccb_vaultic.h"
int main(int argc, char **argv)
{
@ -30,31 +31,32 @@ int main(int argc, char **argv)
int rc=0;
wkvicContext ctx;
/* Initialize VaultIC */
rc= WisekeyVaultIC_Init(&ctx);
if(rc) {
fprintf(stderr, "Failed to initialize the VaultIC: %d\n",rc);
return(rc);
}
ccbVaultIc_Context ctx;
/* Initialize wolfSSL and wolfCrypt */
rc=wolfSSL_Init();
if(rc!=WOLFSSL_SUCCESS) {
fprintf(stderr, "Failed to initialize wolfSSL: %d\n", rc);
WisekeyVaultIC_Cleanup(&ctx);
return(rc);
}
/* Initialize VaultIC */
rc= ccbVaultIc_Init(&ctx);
if(rc) {
fprintf(stderr, "Failed to initialize the VaultIC: %d\n",rc);
wolfSSL_Cleanup();
return(rc);
}
/* Register VaultIC as cryptocb */
rc = wc_CryptoCb_RegisterDevice(WISEKEY_VAULTIC420_DEVID,
WisekeyVaultIC_CryptoDevCb, &ctx);
rc = wc_CryptoCb_RegisterDevice(CCBVAULTIC420_DEVID,
ccbVaultIc_CryptoDevCb, &ctx);
if(rc) {
fprintf(stderr, "Failed to register cryptocb: %d\n", rc);
ccbVaultIc_Cleanup(&ctx);
wolfSSL_Cleanup();
WisekeyVaultIC_Cleanup(&ctx);
return(rc);
}
@ -62,8 +64,9 @@ int main(int argc, char **argv)
benchmark_init();
benchmark_test(NULL);
wc_CryptoCb_UnRegisterDevice(CCBVAULTIC420_DEVID);
ccbVaultIc_Cleanup(&ctx);
wolfSSL_Cleanup();
WisekeyVaultIC_Cleanup(&ctx);
return 0;

35
wisekey_vaultic/main-test.c → ccb_vaultic/main-test.c
View File

@ -17,14 +17,16 @@
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
#include "wolfssl/wolfcrypt/settings.h"
#include "wolfssl/options.h"
//#include "wolfssl/wolfcrypt/settings.h"
#include "wolfssl/ssl.h"
#include "wolfcrypt/test/test.h"
#include <stdio.h>
#include <stdlib.h>
#include "wisekey_vaultic.h"
#include "ccb_vaultic.h"
int main(int argc, char **argv)
{
@ -32,38 +34,39 @@ int main(int argc, char **argv)
int rc=0;
wkvicContext ctx;
/* Initialize VaultIC */
rc= WisekeyVaultIC_Init(&ctx);
if(rc) {
fprintf(stderr, "Failed to initialize the VaultIC: %d\n",rc);
return(rc);
}
ccbVaultIc_Context ctx={0};
/* Initialize wolfSSL and wolfCrypt */
rc=wolfSSL_Init();
if(rc!=WOLFSSL_SUCCESS) {
fprintf(stderr, "Failed to initialize wolfSSL: %d\n", rc);
WisekeyVaultIC_Cleanup(&ctx);
return(rc);
}
/* Initialize VaultIC */
rc= ccbVaultIc_Init(&ctx);
if(rc) {
fprintf(stderr, "Failed to initialize the VaultIC: %d %d\n",
rc,ctx.vlt_rc);
wolfSSL_Cleanup();
return(rc);
}
/* Register VaultIC as cryptocb */
rc = wc_CryptoCb_RegisterDevice(WISEKEY_VAULTIC420_DEVID,
WisekeyVaultIC_CryptoDevCb, &ctx);
rc = wc_CryptoCb_RegisterDevice(CCBVAULTIC420_DEVID,
ccbVaultIc_CryptoDevCb, &ctx);
if(rc) {
fprintf(stderr, "Failed to register cryptocb: %d\n", rc);
ccbVaultIc_Cleanup(&ctx);
wolfSSL_Cleanup();
WisekeyVaultIC_Cleanup(&ctx);
return(rc);
}
wolfcrypt_test(NULL);
wc_CryptoCb_UnRegisterDevice(CCBVAULTIC420_DEVID);
ccbVaultIc_Cleanup(&ctx);
wolfSSL_Cleanup();
WisekeyVaultIC_Cleanup(&ctx);
return 0;
}

48
wisekey_vaultic/Makefile
View File

@ -1,48 +0,0 @@
# Common settings and files
CFLAGS+=-I.
OBJS=wisekey_vaultic.o
# Uncomment to enable verbose debug logging
#CFLAGS+=-DDEBUG_VAULTIC
#CFLAGS+=-DSPI_TRACE_ERRORS
# WolfSSL settings and files
# ./configure --enable-cryptocb --enable-static --disable-shared --host aarch64-linux-android
WOLFSSL?=../../bill_wolfssl
CFLAGS+=-I$(WOLFSSL)
CFLAGS+=-DWOLFSSL_USER_SETTINGS
LDFLAGS+=-L$(WOLFSSL)/src/.libs -lwolfssl -lm
# VaultIC settings and files
VAULTIC_CHIP=420
CHIP_TARGET=TARGETCHIP_VAULTIC_$(VAULTIC_CHIP)
CFLAGS+= -D$(CHIP_TARGET)
CFLAGS+= -DUSE_SPI
VAULTIC?=VaultIC-TLS_420/vaultic_tls-4xx
VAULTIC_ELIB?=$(VAULTIC)/VaultIC-Elib_$(VAULTIC_CHIP)/src
CFLAGS+=-I$(VAULTIC_ELIB)/common
CFLAGS+=-I$(VAULTIC_ELIB)/device/vaultic_4XX_family
VAULTIC_TLS?=$(VAULTIC)/lib/VaultIC_420_TLS_Lib/target/raspberry/dist
CFLAGS+=-I$(VAULTIC_TLS)
#LDFLAGS+=-L$(VAULTIC_TLS)/VaultIC_420_TLS_Lib-SPI-Debug -lvaultic420_tls
LDFLAGS+=-L$(VAULTIC_TLS)/VaultIC_420_TLS_Lib-SPI-Release -lvaultic420_tls
#Test and Benchmark targets
TEST_OBJS:=$(WOLFSSL)/wolfcrypt/test/test.o main-test.o
BENCH_OBJS:=$(WOLFSSL)/wolfcrypt/benchmark/benchmark.o main-bench.o
all: wolfcrypt-test wolfcrypt-benchmark
wolfcrypt-test: $(OBJS) $(TEST_OBJS)
$(CC) -o $@ $^ $(LDFLAGS)
wolfcrypt-benchmark: $(OBJS) $(BENCH_OBJS)
$(CC) -o $@ $^ $(LDFLAGS)
clean:
rm -f *.o *.d wolfcrypt-test wolfcrypt-benchmark
rm -f $(WOLFSSL)/wolfcrypt/benchmark/*.o
rm -f $(WOLFSSL)/wolfcrypt/test/*.o

96
wisekey_vaultic/README.md
View File

@ -1,96 +0,0 @@
# Wisekey VaultIC Port
Support for the VaultIC 420:
- Symmetric ciphers/modes: AES128-CBC
- Hashes: SHA256
- Asymmetric ciphers/functions: RSA-2048 Verify
This port requires the VaultIC 420 Dev Kit (including the vaultic_tls library) from Wisekey. Please contact support@wolfssl.com for assistance.
## VaultIC Hardware Crypto Offload
This port is setup for cross compiling to an ARMv8 Android system and the build configuration assume the Android NDK is installed. Environment variables can be setup, for example:
```
export NDK=~/Library/Android/sdk/ndk/25.2.9519653/toolchains/llvm/prebuilt/darwin-x86_64
export PATH=$PATH:~/Documents/Masters/android/platform-tools
export NDK_AR=$NDK/bin/llvm-ar
export NDK_CC=$NDK/bin/aarch64-linux-android30-clang
export NDK_AS=$NDK_CC
export NDK_CXX=$NDK/bin/aarch64-linux-android30-clang++
export NDK_LD=$NDK/bin/ld
export NDK_RANLIB=$NDK/bin/llvm-ranlib
export NDK_STRIP=$NDK/bin/llvm-strip
```
### Building wolfSSL
To enable hardware offload support, configure wolfSSL to include crypto callbacks and to cross-compile a static library:
```
./configure --host aarch64-linux-android CC=$NDK_CC AS=$NDK_AS RANLIB=$NDK_RANLIB AR=$NDK_AR LD=$NDK_LD STRIP=$NDK_STRIP CXX=$NDK_CXX --enable-cryptocb --enable-static --disable-shared --enable-armasm
make
```
The port's `Makefile` also relies on certain source and header files within wolfSSL to be available. The relative path to the wolfSSL directory is set by the `WOLFSSL` variable. The wolfSSL source was updated to allow the test and benchmark programs to accept a compile-time CryptoCB DevId using the `FORCE_DEVID` macro, which is in a pending PR.
### Building VaultIC TLS Library
This port has modified the Wisekey provided vaultic_tls library to attempt to cancel authentication during startup in case a previous session ended without closing the VaultIC library by invoking `VltCancelAuthentication()` immediately after opening the VaultIC interface. The library is statically configured with user authentication hard-coded within the library itself and to use the Linux SPI Dev interface for communications. Note that typical Linux permissions require root privileges to access the SPI device.
For this example, the VaultIC library needed to be configured and cross-compiled to the Android target which is similar to the vendor-provided Raspberry Pi target. Modifications we made to disable any GPIO's used to powerup and reset the chip as well as to set the cross compiler to use the Android NDK as above. To build the VaultIC API and TLS libraries, follow the instructions provided by Wisekey, which are summarized as:
```
cd VaultIC-TLS_420/vaultic_tls-4xx/lib/VaultIC_420_TLS_Lib/target/raspberry/build
./build-all_spi.sh
```
The port's `Makefile` expects headers and corresponding functions from `vaultic_tls.h` and from the common VaultIC folders. The relative base folder is set as the variable `VAULTIC`.
### Building the Port's Benchmark and Test programs
This port leverages wolfCrypt's included benchmark and test programs as an example of how to statically link against wolfSSL and the VaultIC libraries as well as use the hardware offload abstractions provided within wolfSSL. In this case, the wolfSSL software will attempt every cryptographic operating using the Wisekey VaultIC port via the CryptoCB method, but only the implemented functions will use the VaultIC hardware. Every unsupported function will fallback and use the ARMv8-accelerated software implementation.
The benchmark and test programs are built as part of the `make all` target and can be run on the target hardware as `wolfcrypt-bench` and `wolfcrypt-test` respectively. Note that the test program expects the test certificates to be available on the target hardware.
### Benchmarks and Memory Use
Software only implementation (STM32L4 120Mhz, Cortex-M4, Fast Math):
```
ECDHE 256 key gen SW 4 ops took 1.278 sec, avg 319.500 ms, 3.130 ops/sec
ECDHE 256 agree SW 4 ops took 1.306 sec, avg 326.500 ms, 3.063 ops/sec
ECDSA 256 sign SW 4 ops took 1.298 sec, avg 324.500 ms, 3.082 ops/sec
ECDSA 256 verify SW 2 ops took 1.283 sec, avg 641.500 ms, 1.559 ops/sec
```
Memory Use:
```
Peak Stack: 18456
Peak Heap: 2640
Total: 21096
```
STSAFE-A100 acceleration:
```
ECDHE 256 key gen HW 8 ops took 1.008 sec, avg 126.000 ms, 7.937 ops/sec
ECDHE 256 agree HW 6 ops took 1.051 sec, avg 175.167 ms, 5.709 ops/sec
ECDSA 256 sign HW 14 ops took 1.161 sec, avg 82.929 ms, 12.059 ops/sec
ECDSA 256 verify HW 8 ops took 1.184 sec, avg 148.000 ms, 6.757 ops/sec
```
Memory Use:
```
Peak Stack: 9592
Peak Heap: 170
Total: 9762
```
## Support
Email us at [support@wolfssl.com](mailto:support@wolfssl.com).

481
wisekey_vaultic/wisekey_vaultic.c
View File

@ -1,481 +0,0 @@
/*
* wisekey_vaultic.c
*
* Copyright (C) 2023 wolfSSL Inc.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
#include "wolfssl/wolfcrypt/cryptocb.h"
#include "wolfssl/wolfcrypt/error-crypt.h"
#include "wolfssl/wolfcrypt/wc_port.h"
#include "wolfssl/wolfcrypt/types.h"
#include <stdlib.h> /* For NULL */
#include <errno.h> /* For Exxx */
#include <string.h> /* For memset/cpy */
#include "user_settings.h"
#include "wisekey_vaultic.h"
/* Include Wisekey's devkit header */
#include "vaultic_tls.h"
#include "vaultic_config.h"
#include "vaultic_common.h"
#include "vaultic_api.h"
#include "vaultic_structs.h"
/* Forward declarations */
static int HandlePkCallback(int devId, wc_CryptoInfo* info, void* ctx);
static int HandleHashCallback(int devId, wc_CryptoInfo* info, void* ctx);
static int HandleCipherCallback(int devId, wc_CryptoInfo* info, void* ctx);
int WisekeyVaultIC_Init(wkvicContext *c)
{
int rc=0;
if(!c) {
return -EINVAL;
}
rc =vlt_tls_init();
if(rc!=0) {
return rc;
}
memset(c, 0, sizeof(*c));
return 0;
}
int WisekeyVaultIC_Cleanup(wkvicContext *c)
{
if(!c) {
return -EINVAL;
}
memset(c, 0, sizeof(*c));
return vlt_tls_close();
}
int WisekeyVaultIC_CryptoDevCb(int devId,
wc_CryptoInfo* info,
void* ctx)
{
wkvicContext *c=(wkvicContext*)ctx;
int rc = CRYPTOCB_UNAVAILABLE;
(void)devId;
if(!info) {
/* Invalid info or context */
return rc;
}
switch(info->algo_type) {
case WC_ALGO_TYPE_NONE:
#if defined(DEBUG_VAULTIC)
printf(" CryptoDevCb NONE:\n");
#endif
/* Nothing to do */
break;
case WC_ALGO_TYPE_HASH:
#if defined(DEBUG_VAULTIC)
printf(" CryptoDevCb HASH: Type:%d\n", info->hash.type);
#endif
#if !defined(NO_SHA) || !defined(NO_SHA256)
/* Perform a hash */
rc = HandleHashCallback(devId, info, ctx);
#endif
break;
case WC_ALGO_TYPE_CIPHER:
#if defined(DEBUG_VAULTIC)
printf(" CryptoDevCb CIPHER: Type:%d\n", info->cipher.type);
#endif
#if !defined(NO_AES)
/* Perform a symmetric cipher */
rc = HandleCipherCallback(devId, info, ctx);
#endif
break;
case WC_ALGO_TYPE_PK:
#if defined(DEBUG_VAULTIC)
printf(" CryptoDevCb PK: Type:%d\n", info->pk.type);
#endif
#if !defined(NO_RSA) || defined(HAVE_ECC)
/* Perform a PKI operation */
rc = HandlePkCallback(devId,info,ctx);
#endif /* !defined(NO_RSA) || defined(HAVE_ECC) */
break;
case WC_ALGO_TYPE_RNG:
#if defined(DEBUG_VAULTIC)
printf(" CryptoDevCb RNG: Out:%p Sz:%d\n", info->rng.out, info->rng.sz);
#endif
#if !defined(WC_NO_RNG)
/* Put info->rng.sz random bytes into info->rng.out*/
/* TODO rc = VaultIC_Random(); */
rc = CRYPTOCB_UNAVAILABLE;
#endif
break;
case WC_ALGO_TYPE_SEED:
#if defined(DEBUG_VAULTIC)
printf(" CryptoDevCb SEED: Seed:%p Sz:%d\n", info->seed.seed,
info->seed.sz);
#endif
#if !defined(WC_NO_RNG)
/* Get info->seed.sz seed bytes from info->seed.seed*/
/* TODO rc = VaultIC_Seed(); */
#endif
break;
case WC_ALGO_TYPE_HMAC:
#if defined(DEBUG_VAULTIC)
printf(" CryptoDevCb HMAC:\n");
#endif
break;
case WC_ALGO_TYPE_CMAC:
#if defined(DEBUG_VAULTIC)
printf(" CryptoDevCb CMAC:\n");
#endif
break;
default:
#if defined(DEBUG_VAULTIC)
printf(" CryptoDevCb UNKNOWN\n");
#endif
break;
}
return rc;
}
static int HandlePkCallback(int devId, wc_CryptoInfo* info, void* ctx)
{
int rc = CRYPTOCB_UNAVAILABLE;
switch(info->pk.type) {
case WC_PK_TYPE_NONE:
#if defined(DEBUG_VAULTIC)
printf(" HandlePkCallback NONE\n");
#endif
break;
case WC_PK_TYPE_RSA:
#if defined(DEBUG_VAULTIC)
printf(" HandlePkCallback RSA\n");
#endif
break;
case WC_PK_TYPE_DH:
#if defined(DEBUG_VAULTIC)
printf(" HandlePkCallback DH\n");
#endif
break;
case WC_PK_TYPE_ECDH:
#if defined(DEBUG_VAULTIC)
printf(" HandlePkCallback ECDH\n");
#endif
break;
case WC_PK_TYPE_ECDSA_SIGN:
#if defined(DEBUG_VAULTIC)
printf(" HandlePkCallback ECDSA_SIGN\n");
#endif
break;
case WC_PK_TYPE_ECDSA_VERIFY:
#if defined(DEBUG_VAULTIC)
printf(" HandlePkCallback ECDSA_VERIFY\n");
#endif
break;
case WC_PK_TYPE_ED25519_SIGN:
#if defined(DEBUG_VAULTIC)
printf(" HandlePkCallback ED25519_SIGN\n");
#endif
break;
case WC_PK_TYPE_CURVE25519:
#if defined(DEBUG_VAULTIC)
printf(" HandlePkCallback CURVE25519\n");
#endif
break;
case WC_PK_TYPE_RSA_KEYGEN:
#if defined(DEBUG_VAULTIC)
printf(" HandlePkCallback RSA_KEYGEN\n");
#endif
break;
case WC_PK_TYPE_EC_KEYGEN:
#if defined(DEBUG_VAULTIC)
printf(" HandlePkCallback EC_KEYGEN\n");
#endif
break;
case WC_PK_TYPE_RSA_CHECK_PRIV_KEY:
#if defined(DEBUG_VAULTIC)
printf(" HandlePkCallback RSA_CHECK_PRIV_KEY\n");
#endif
break;
case WC_PK_TYPE_EC_CHECK_PRIV_KEY:
#if defined(DEBUG_VAULTIC)
printf(" HandlePkCallback EC_CHECK_PRIV_KEY\n");
#endif
break;
case WC_PK_TYPE_ED448:
#if defined(DEBUG_VAULTIC)
printf(" HandlePkCallback ED448\n");
#endif
break;
case WC_PK_TYPE_CURVE448:
#if defined(DEBUG_VAULTIC)
printf(" HandlePkCallback CRUVE448\n");
#endif
break;
case WC_PK_TYPE_ED25519_VERIFY:
#if defined(DEBUG_VAULTIC)
printf(" HandlePkCallback ED25519_VERIFY\n");
#endif
break;
case WC_PK_TYPE_ED25519_KEYGEN:
#if defined(DEBUG_VAULTIC)
printf(" HandlePkCallback ED25519_KEYGEN\n");
#endif
break;
case WC_PK_TYPE_CURVE25519_KEYGEN:
#if defined(DEBUG_VAULTIC)
printf(" HandlePkCallback CURVE25519_KEYGEN\n");
#endif
break;
case WC_PK_TYPE_RSA_GET_SIZE:
#if defined(DEBUG_VAULTIC)
printf(" HandlePkCallback RSA_GET_SIZE\n");
#endif
break;
default:
#if defined(DEBUG_VAULTIC)
printf(" HandlePkCallback UNKNOWN\n");
#endif
break;
}
return rc;
}
static int HandleHashCallback(int devId, wc_CryptoInfo* info, void* ctx)
{
int rc = CRYPTOCB_UNAVAILABLE;
int finalize=0;
/* Finalize sha? */
if((info->hash.in == NULL) && (info->hash.inSz==0)) {
finalize=1;
}
switch(info->hash.type) {
case WC_HASH_TYPE_NONE:
#if defined(DEBUG_VAULTIC)
printf(" HandleHashCallback NONE\n");
#endif
break;
case WC_HASH_TYPE_SHA:
#if defined(DEBUG_VAULTIC)
printf(" HandleHashCallback SHA\n");
#endif
break;
case WC_HASH_TYPE_SHA224:
#if defined(DEBUG_VAULTIC)
printf(" HandleHashCallback SHA224\n");
#endif
break;
case WC_HASH_TYPE_SHA256:
#if defined(DEBUG_VAULTIC)
printf(" HandleHashCallback SHA256\n");
#endif
break;
case WC_HASH_TYPE_SHA384:
#if defined(DEBUG_VAULTIC)
printf(" HandleHashCallback SHA384\n");
#endif
break;
case WC_HASH_TYPE_SHA512:
#if defined(DEBUG_VAULTIC)
printf(" HandleHashCallback SHA512\n");
#endif
break;
default:
break;
}
return rc;
}
static int HandleCipherCallback(int devId, wc_CryptoInfo* info, void* ctx)
{
wkvicContext *c=(wkvicContext*)ctx;
int rc = CRYPTOCB_UNAVAILABLE;
switch(info->cipher.type) {
case WC_CIPHER_NONE:
#if defined(DEBUG_VAULTIC)
printf(" HandleCipherCallback NONE\n");
#endif
break;
case WC_CIPHER_AES:
#if defined(DEBUG_VAULTIC)
printf(" HandleCipherCallback AES\n");
#endif
break;
case WC_CIPHER_AES_CBC:
#if defined(DEBUG_VAULTIC)
printf(" HandleCipherCallback AES_CBC\n");
#endif
{
Aes* aes=info->cipher.aescbc.aes;
int encrypt=info->cipher.enc;
VLT_U32 out_len=0;
if(!aes) break;
/* Support AES128 for now */
if(aes->keylen != AES_128_KEY_SIZE) break;
unsigned int blocks = info->cipher.aescbc.sz / AES_BLOCK_SIZE;
if(blocks == 0) break;
/* Allow all privileges */
VLT_FILE_PRIVILEGES keyPrivileges = {
.u8Read=0xFF,
.u8Write=0xFF,
.u8Delete=0xFF,
.u8Execute=0xFF,
};
VLT_KEY_OBJECT tmpAesKey= {
.enKeyID=VLT_KEY_AES_128,
.data.SecretKey.u8Mask=0,
.data.SecretKey.u16KeyLength=aes->keylen,
.data.SecretKey.pu8Key=(VLT_PU8)aes->devKey,
};
/* Try to delete the tmp aes key. Ignore errors here */
VltDeleteKey(
WISEKEY_VAULTIC_WOLFSSL_GRPID,
WISEKEY_VAULTIC_TMPAES_KEYID);
/* Putkey aes->devKey, aes->keylen */
VltPutKey(
WISEKEY_VAULTIC_WOLFSSL_GRPID,
WISEKEY_VAULTIC_TMPAES_KEYID,
&keyPrivileges,
&tmpAesKey);
/* Initialize Algo for AES-CBC */
VLT_ALGO_PARAMS aescbc_algo_params = {
.u8AlgoID=VLT_ALG_CIP_AES,
.data.SymCipher.enMode= BLOCK_MODE_CBC,
.data.SymCipher.enPadding= PADDING_NONE,
.data.SymCipher.u8IvLength= AES_BLOCK_SIZE,
.data.SymCipher.u8Iv={0},
};
memcpy(aescbc_algo_params.data.SymCipher.u8Iv,aes->reg,
AES_BLOCK_SIZE);
/* Perform encrypt/decrypt*/
if(encrypt) {
VltInitializeAlgorithm(
WISEKEY_VAULTIC_WOLFSSL_GRPID,
WISEKEY_VAULTIC_TMPAES_KEYID,
VLT_ENCRYPT_MODE,
&aescbc_algo_params);
VltEncrypt(info->cipher.aescbc.sz, info->cipher.aescbc.in,
&out_len,
info->cipher.aescbc.sz, info->cipher.aescbc.out);
const byte *last_block = info->cipher.aescbc.out + (blocks -1) * AES_BLOCK_SIZE;
memcpy(aes->reg, last_block, AES_BLOCK_SIZE);
} else {
VltInitializeAlgorithm(
WISEKEY_VAULTIC_WOLFSSL_GRPID,
WISEKEY_VAULTIC_TMPAES_KEYID,
VLT_DECRYPT_MODE,&aescbc_algo_params);
VltDecrypt(info->cipher.aescbc.sz, info->cipher.aescbc.in,
&out_len,
info->cipher.aescbc.sz, info->cipher.aescbc.out);
const byte *last_block = info->cipher.aescbc.in + (blocks -1) * AES_BLOCK_SIZE;
memcpy(aes->reg, last_block, AES_BLOCK_SIZE);
}
/* Delete the tmp aes key */
VltDeleteKey(
WISEKEY_VAULTIC_WOLFSSL_GRPID,
WISEKEY_VAULTIC_TMPAES_KEYID);
/* Update return value to indicate success */
rc=0;
}
break;
case WC_CIPHER_AES_GCM:
#if defined(DEBUG_VAULTIC)
printf(" HandleCipherCallback AES_GCM\n");
#endif
break;
case WC_CIPHER_AES_CTR:
#if defined(DEBUG_VAULTIC)
printf(" HandleCipherCallback AES_CTR\n");
#endif
break;
case WC_CIPHER_AES_XTS:
#if defined(DEBUG_VAULTIC)
printf(" HandleCipherCallback AES_XTS\n");
#endif
break;
case WC_CIPHER_AES_CFB:
#if defined(DEBUG_VAULTIC)
printf(" HandleCipherCallback AES_CFB\n");
#endif
break;
case WC_CIPHER_AES_CCM:
#if defined(DEBUG_VAULTIC)
printf(" HandleCipherCallback AES_CCM\n");
#endif
break;
case WC_CIPHER_AES_ECB:
#if defined(DEBUG_VAULTIC)
printf(" HandleCipherCallback AES_ECB\n");
#endif
break;
default:
#if defined(DEBUG_VAULTIC)
printf(" HandleCipherCallback UNKNOWN\n");
#endif
break;
}
return rc;
}

55
wisekey_vaultic/wisekey_vaultic.h
View File

@ -1,55 +0,0 @@
/*
* wisekey_vaultic.h
*
* Copyright (C) 2023 wolfSSL Inc.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
#ifndef WISEKEY_VAULTIC_H
#define WISEKEY_VAULTIC_H
#include "wisekey_vaultic_defs.h"
#include <wolfssl/wolfcrypt/cryptocb.h>
/*
* Implementation of wolfCrypt devcrypto callbacks
*
* The wolfSSL port of the Wisekey VaultIC provides a wrapper library to allow
* the VaultIC to be used as an external crypto provider. This library depends
* on the Wisekey-provided VaultIC interface libraries that have been statically
* compiled in the proper hardware configuration.
*/
typedef struct {
int invoked;
} wkvicContext;
/* Initialize the Wisekey VaultIC library and clear the context. */
int WisekeyVaultIC_Init(wkvicContext *c);
/* Register this callback using:
* wisekeyvaultic_context_t ctx={0};
* int rc = wc_CryptoCb_RegisterDevice(WISEKEY_VAULTIC420_DEVID,
* WisekeyVaultIC_CryptoDevCb, &ctx);
*/
int WisekeyVaultIC_CryptoDevCb(int devId,
wc_CryptoInfo* info,
void* ctx);
/* Close the Wisekey VaultIC library. */
int WisekeyVaultIC_Cleanup(wkvicContext *c);
#endif /* _WOLFPORT_WISEKEY_VAULTIC_H_ */