From 76da90024d4f51637cfd2b81a5fdf9125c0aead3 Mon Sep 17 00:00:00 2001 From: David Garske Date: Wed, 30 Aug 2023 15:05:25 -0700 Subject: [PATCH] Added CI tests for all examples and additional build tests. --- .github/workflows/make-test-swtpm.yml | 60 +++- certs/certreq.sh | 12 +- examples/README.md | 4 +- examples/bench/bench.c | 70 ++--- examples/boot/secret_seal.c | 11 +- examples/include.am | 4 + examples/nvram/store.c | 2 +- examples/run_examples.sh | 387 ++++++++++++++++++++++++++ examples/seal/seal.c | 1 - examples/timestamp/clock_set.c | 2 +- examples/tls/tls_client.c | 19 +- examples/tls/tls_server.c | 15 +- src/tpm2_wrap.c | 38 +-- 13 files changed, 542 insertions(+), 83 deletions(-) create mode 100755 examples/run_examples.sh diff --git a/.github/workflows/make-test-swtpm.yml b/.github/workflows/make-test-swtpm.yml index d1980eae..a18b66c9 100644 --- a/.github/workflows/make-test-swtpm.yml +++ b/.github/workflows/make-test-swtpm.yml @@ -14,6 +14,7 @@ jobs: steps: #pull wolfTPM - uses: actions/checkout@master + #setup wolfssl - uses: actions/checkout@master with: @@ -28,6 +29,7 @@ jobs: - name: wolfssl make install working-directory: ./wolfssl run: sudo make install + #setup ibmswtpm2 - uses: actions/checkout@master with: @@ -35,20 +37,62 @@ jobs: path: ibmswtpm2 - name: ibmswtpm2 make working-directory: ./ibmswtpm2/src - run: make -#setup wolfTPM + run: | + make + ./tpm_server & + +#setup and test defaults (with simulator) - name: autogen run: ./autogen.sh - name: configure run: ./configure --enable-swtpm - name: make test - run: | - ./ibmswtpm2/src/tpm_server & - sleep 2 && make check && ./examples/native/native_test && ./examples/wrap/wrap_test + run: make check -#test wolfTPM without wolfCrypt +#test no wolfcrypt - name: configure no wolfCrypt run: ./configure --enable-swtpm --disable-wolfcrypt - name: make test no wolfCrypt - run: | - make check && ./examples/native/native_test && ./examples/wrap/wrap_test + run: make check + +#test no wrapper + - name: configure no wrapper + run: ./configure --enable-swtpm --disable-wrapper + - name: make test no wolfCrypt + run: make check + +# test small stack + - name: configure smallstack + run: ./configure --enable-swtpm --enable-smallstack + - name: make test smallstack + run: make check + +# test tislock + - name: configure tislock + run: ./configure --enable-tislock + - name: make tislock + run: make + +# build debug + - name: configure debug + run: ./configure --enable-debug + - name: make debug + run: make + +# build verbose + - name: configure debug verbose + run: ./configure --enable-debug=verbose + - name: make debug verbose + run: make + +# build io + - name: configure debug io + run: ./configure --enable-debug=io CFLAGS="-DWOLFTPM_DEBUG_TIMEOUT" + - name: make debug io + run: make + +# build advio + - name: configure advio + run: ./configure --enable-advio + - name: make debug io + run: make diff --git a/certs/certreq.sh b/certs/certreq.sh index ed9e9374..77012aa4 100755 --- a/certs/certreq.sh +++ b/certs/certreq.sh @@ -6,9 +6,9 @@ echo Run ./examples/csr/csr first to generate the CSR # Make sure required CA files exist and are populated rm -f ./certs/index.* -touch ./certs/index.txt +touch ./certs/index.txt if [ ! -f ./certs/serial ]; then - echo 1000 > ./certs/serial + echo 3650 > ./certs/serial fi if [ ! -f ./certs/crlnumber ]; then echo 2000 > ./certs/crlnumber @@ -25,7 +25,7 @@ if [ "$1" == "clean" ]; then # cleanup the ./examples/csr/csr generated rm -f ./certs/tpm-*-cert.csr - + exit 0 fi @@ -33,14 +33,14 @@ fi # Generate RSA 2048-bit CA if [ ! -f ./certs/ca-rsa-key.pem ]; then openssl req -new -newkey rsa:2048 -keyout ./certs/ca-rsa-key.pem -nodes -out ./certs/ca-rsa-cert.csr -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com" - openssl x509 -req -in ./certs/ca-rsa-cert.csr -days 1000 -extfile ./certs/ca-rsa.cnf -extensions v3_ca -signkey ./certs/ca-rsa-key.pem -out ./certs/ca-rsa-cert.pem + openssl x509 -req -in ./certs/ca-rsa-cert.csr -days 3650 -extfile ./certs/ca-rsa.cnf -extensions v3_ca -signkey ./certs/ca-rsa-key.pem -out ./certs/ca-rsa-cert.pem rm ./certs/ca-rsa-cert.csr openssl x509 -in ./certs/ca-rsa-cert.pem -inform PEM -out ./certs/ca-rsa-cert.der -outform DER openssl rsa -in ./certs/ca-rsa-key.pem -inform PEM -out ./certs/ca-rsa-key.der -outform DER # generate CRL - openssl ca -config ./certs/ca-rsa.cnf -gencrl -crldays 1000 -out ./certs/ca-rsa.crl -keyfile ./certs/ca-rsa-key.pem -cert ./certs/ca-rsa-cert.pem + openssl ca -config ./certs/ca-rsa.cnf -gencrl -crldays 3650 -out ./certs/ca-rsa.crl -keyfile ./certs/ca-rsa-key.pem -cert ./certs/ca-rsa-cert.pem fi # Sign RSA certificates @@ -62,7 +62,7 @@ if [ ! -f ./certs/ca-ecc-key.pem ]; then openssl ec -in ./certs/ca-ecc-key.pem -inform PEM -out ./certs/ca-ecc-key.der -outform DER # generate CRL - openssl ca -config ./certs/ca-ecc.cnf -gencrl -crldays 1000 -out ./certs/ca-ecc.crl -keyfile ./certs/ca-ecc-key.pem -cert ./certs/ca-ecc-cert.pem + openssl ca -config ./certs/ca-ecc.cnf -gencrl -crldays 3650 -out ./certs/ca-ecc.crl -keyfile ./certs/ca-ecc-key.pem -cert ./certs/ca-ecc-cert.pem fi diff --git a/examples/README.md b/examples/README.md index ac6e6639..89556aaf 100644 --- a/examples/README.md +++ b/examples/README.md @@ -48,7 +48,7 @@ More information about how to test and use PCR attestation can be found in the i Demonstrates how to create Remote Attestation challenge using the TPM 2.0 and afterwards prepare a response. -Detailed information about using these examples can be found in [examples/attestation/README.md](./examples/attestation/README.md) +Detailed information about using these examples can be found in [examples/attestation/README.md](/examples/attestation/README.md) `./examples/attestation/make_credential` `./examples/attestation/activate_credential` @@ -80,8 +80,6 @@ This behavior depends on the `sessionAttributes`: Either one can be set separately or both can be set in one authorization session. This is up to the user (developer). -`./examples/pcr/quote_paramenc` - ## CSR Generates a Certificate Signing Request for building a certificate based on a TPM key pair. diff --git a/examples/bench/bench.c b/examples/bench/bench.c index 913a78ae..603b1be5 100644 --- a/examples/bench/bench.c +++ b/examples/bench/bench.c @@ -122,7 +122,7 @@ static void bench_stats_asym_finish(const char* algo, int strength, } static int bench_sym_hash(WOLFTPM2_DEV* dev, const char* desc, int algo, - const byte* in, word32 inSz, byte* digest, word32 digestSz) + const byte* in, word32 inSz, byte* digest, word32 digestSz, double maxDuration) { int rc; int count; @@ -139,7 +139,7 @@ static int bench_sym_hash(WOLFTPM2_DEV* dev, const char* desc, int algo, if (rc != 0) goto exit; rc = wolfTPM2_HashFinish(dev, &hash, digest, &digestSz); if (rc != 0) goto exit; - } while (bench_stats_check(start, &count, TPM2_BENCH_DURATION_SEC)); + } while (bench_stats_check(start, &count, maxDuration)); bench_stats_sym_finish(desc, count, inSz, start); exit: @@ -148,7 +148,7 @@ static int bench_sym_hash(WOLFTPM2_DEV* dev, const char* desc, int algo, static int bench_sym_aes(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* storageKey, const char* desc, int algo, int keyBits, const byte* in, byte* out, - word32 inOutSz, int isDecrypt) + word32 inOutSz, int isDecrypt, double maxDuration) { int rc; int count; @@ -173,11 +173,11 @@ static int bench_sym_aes(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* storageKey, rc = wolfTPM2_EncryptDecrypt(dev, &aesKey, in, out, inOutSz, NULL, 0, isDecrypt); if (WOLFTPM_IS_COMMAND_UNAVAILABLE(rc)) { - printf("Encrypt/Decrypt unavailble\n"); + printf("Encrypt/Decrypt unavailable\n"); break; } if (rc != 0) goto exit; - } while (bench_stats_check(start, &count, TPM2_BENCH_DURATION_SEC)); + } while (bench_stats_check(start, &count, maxDuration)); bench_stats_sym_finish(desc, count, inOutSz, start); exit: @@ -191,6 +191,8 @@ static void usage(void) printf("Expected usage:\n"); printf("./examples/bench/bench [-aes/xor]\n"); printf("* -aes/xor: Use Parameter Encryption\n"); + printf("* -maxdur=[ms]: Maximum runtime for each algorithm in milliseconds " + "(default %d)\n", TPM2_BENCH_DURATION_SEC*1000); } /******************************************************************************/ @@ -217,6 +219,8 @@ int TPM2_Wrapper_BenchArgs(void* userCtx, int argc, char *argv[]) int count; TPM_ALG_ID paramEncAlg = TPM_ALG_NULL; WOLFTPM2_SESSION tpmSession; + double maxDuration = TPM2_BENCH_DURATION_SEC; + double maxKeyGenDurSec = TPM2_BENCH_DURATION_KEYGEN_SEC; if (argc >= 2) { if (XSTRCMP(argv[1], "-?") == 0 || @@ -233,6 +237,10 @@ int TPM2_Wrapper_BenchArgs(void* userCtx, int argc, char *argv[]) else if (XSTRCMP(argv[argc-1], "-xor") == 0) { paramEncAlg = TPM_ALG_XOR; } + else if (XSTRNCMP(argv[argc-1], "-maxdur=", XSTRLEN("-maxdur=")) == 0) { + const char* maxStr = argv[argc-1] + XSTRLEN("-maxdur="); + maxKeyGenDurSec = maxDuration = (double)(XATOI(maxStr)) / 1000.0; + } else { printf("Warning: Unrecognized option: %s\n", argv[argc-1]); } @@ -275,68 +283,68 @@ int TPM2_Wrapper_BenchArgs(void* userCtx, int argc, char *argv[]) do { rc = wolfTPM2_GetRandom(&dev, message.buffer, sizeof(message.buffer)); if (rc != 0) goto exit; - } while (bench_stats_check(start, &count, TPM2_BENCH_DURATION_SEC)); + } while (bench_stats_check(start, &count, maxDuration)); bench_stats_sym_finish("RNG", count, sizeof(message.buffer), start); /* AES Benchmarks */ /* AES CBC */ rc = bench_sym_aes(&dev, &storageKey, "AES-128-CBC-enc", TPM_ALG_CBC, 128, - message.buffer, cipher.buffer, sizeof(message.buffer), WOLFTPM2_ENCRYPT); + message.buffer, cipher.buffer, sizeof(message.buffer), WOLFTPM2_ENCRYPT, maxDuration); if (rc != 0 && !WOLFTPM_IS_COMMAND_UNAVAILABLE(rc)) goto exit; rc = bench_sym_aes(&dev, &storageKey, "AES-128-CBC-dec", TPM_ALG_CBC, 128, - message.buffer, cipher.buffer, sizeof(message.buffer), WOLFTPM2_DECRYPT); + message.buffer, cipher.buffer, sizeof(message.buffer), WOLFTPM2_DECRYPT, maxDuration); if (rc != 0 && !WOLFTPM_IS_COMMAND_UNAVAILABLE(rc)) goto exit; rc = bench_sym_aes(&dev, &storageKey, "AES-256-CBC-enc", TPM_ALG_CBC, 256, - message.buffer, cipher.buffer, sizeof(message.buffer), WOLFTPM2_ENCRYPT); + message.buffer, cipher.buffer, sizeof(message.buffer), WOLFTPM2_ENCRYPT, maxDuration); if (rc != 0 && !WOLFTPM_IS_COMMAND_UNAVAILABLE(rc)) goto exit; rc = bench_sym_aes(&dev, &storageKey, "AES-256-CBC-dec", TPM_ALG_CBC, 256, - message.buffer, cipher.buffer, sizeof(message.buffer), WOLFTPM2_DECRYPT); + message.buffer, cipher.buffer, sizeof(message.buffer), WOLFTPM2_DECRYPT, maxDuration); if (rc != 0 && !WOLFTPM_IS_COMMAND_UNAVAILABLE(rc)) goto exit; /* AES CTR */ rc = bench_sym_aes(&dev, &storageKey, "AES-128-CTR-enc", TPM_ALG_CTR, 128, - message.buffer, cipher.buffer, sizeof(message.buffer), WOLFTPM2_ENCRYPT); + message.buffer, cipher.buffer, sizeof(message.buffer), WOLFTPM2_ENCRYPT, maxDuration); if (rc != 0 && !WOLFTPM_IS_COMMAND_UNAVAILABLE(rc)) goto exit; rc = bench_sym_aes(&dev, &storageKey, "AES-128-CTR-dec", TPM_ALG_CTR, 128, - message.buffer, cipher.buffer, sizeof(message.buffer), WOLFTPM2_DECRYPT); + message.buffer, cipher.buffer, sizeof(message.buffer), WOLFTPM2_DECRYPT, maxDuration); if (rc != 0 && !WOLFTPM_IS_COMMAND_UNAVAILABLE(rc)) goto exit; rc = bench_sym_aes(&dev, &storageKey, "AES-256-CTR-enc", TPM_ALG_CTR, 256, - message.buffer, cipher.buffer, sizeof(message.buffer), WOLFTPM2_ENCRYPT); + message.buffer, cipher.buffer, sizeof(message.buffer), WOLFTPM2_ENCRYPT, maxDuration); if (rc != 0 && !WOLFTPM_IS_COMMAND_UNAVAILABLE(rc)) goto exit; rc = bench_sym_aes(&dev, &storageKey, "AES-256-CTR-dec", TPM_ALG_CTR, 256, - message.buffer, cipher.buffer, sizeof(message.buffer), WOLFTPM2_DECRYPT); + message.buffer, cipher.buffer, sizeof(message.buffer), WOLFTPM2_DECRYPT, maxDuration); if (rc != 0 && !WOLFTPM_IS_COMMAND_UNAVAILABLE(rc)) goto exit; /* AES CFB */ rc = bench_sym_aes(&dev, &storageKey, "AES-128-CFB-enc", TPM_ALG_CFB, 128, - message.buffer, cipher.buffer, sizeof(message.buffer), WOLFTPM2_ENCRYPT); + message.buffer, cipher.buffer, sizeof(message.buffer), WOLFTPM2_ENCRYPT, maxDuration); if (rc != 0 && !WOLFTPM_IS_COMMAND_UNAVAILABLE(rc)) goto exit; rc = bench_sym_aes(&dev, &storageKey, "AES-128-CFB-dec", TPM_ALG_CFB, 128, - message.buffer, cipher.buffer, sizeof(message.buffer), WOLFTPM2_DECRYPT); + message.buffer, cipher.buffer, sizeof(message.buffer), WOLFTPM2_DECRYPT, maxDuration); if (rc != 0 && !WOLFTPM_IS_COMMAND_UNAVAILABLE(rc)) goto exit; rc = bench_sym_aes(&dev, &storageKey, "AES-256-CFB-enc", TPM_ALG_CFB, 256, - message.buffer, cipher.buffer, sizeof(message.buffer), WOLFTPM2_ENCRYPT); + message.buffer, cipher.buffer, sizeof(message.buffer), WOLFTPM2_ENCRYPT, maxDuration); if (rc != 0 && !WOLFTPM_IS_COMMAND_UNAVAILABLE(rc)) goto exit; rc = bench_sym_aes(&dev, &storageKey, "AES-256-CFB-dec", TPM_ALG_CFB, 256, - message.buffer, cipher.buffer, sizeof(message.buffer), WOLFTPM2_DECRYPT); + message.buffer, cipher.buffer, sizeof(message.buffer), WOLFTPM2_DECRYPT, maxDuration); if (rc != 0 && !WOLFTPM_IS_COMMAND_UNAVAILABLE(rc)) goto exit; /* Hashing Benchmarks */ /* SHA1 */ rc = bench_sym_hash(&dev, "SHA1", TPM_ALG_SHA1, message.buffer, - sizeof(message.buffer), cipher.buffer, TPM_SHA_DIGEST_SIZE); + sizeof(message.buffer), cipher.buffer, TPM_SHA_DIGEST_SIZE, maxDuration); if (rc != 0 && (rc & TPM_RC_HASH) != TPM_RC_HASH) goto exit; /* SHA256 */ rc = bench_sym_hash(&dev, "SHA256", TPM_ALG_SHA256, message.buffer, - sizeof(message.buffer), cipher.buffer, TPM_SHA256_DIGEST_SIZE); + sizeof(message.buffer), cipher.buffer, TPM_SHA256_DIGEST_SIZE, maxDuration); if (rc != 0 && (rc & TPM_RC_HASH) != TPM_RC_HASH) goto exit; /* SHA384 */ rc = bench_sym_hash(&dev, "SHA384", TPM_ALG_SHA384, message.buffer, - sizeof(message.buffer), cipher.buffer, TPM_SHA384_DIGEST_SIZE); + sizeof(message.buffer), cipher.buffer, TPM_SHA384_DIGEST_SIZE, maxDuration); if (rc != 0 && (rc & TPM_RC_HASH) != TPM_RC_HASH) goto exit; /* SHA512 */ rc = bench_sym_hash(&dev, "SHA512", TPM_ALG_SHA512, message.buffer, - sizeof(message.buffer), cipher.buffer, TPM_SHA512_DIGEST_SIZE); + sizeof(message.buffer), cipher.buffer, TPM_SHA512_DIGEST_SIZE, maxDuration); if (rc != 0 && (rc & TPM_RC_HASH) != TPM_RC_HASH) goto exit; @@ -354,7 +362,7 @@ int TPM2_Wrapper_BenchArgs(void* userCtx, int argc, char *argv[]) rc = wolfTPM2_CreateAndLoadKey(&dev, &rsaKey, &storageKey.handle, &publicTemplate, (byte*)gKeyAuth, sizeof(gKeyAuth)-1); if (rc != 0) goto exit; - } while (bench_stats_check(start, &count, TPM2_BENCH_DURATION_KEYGEN_SEC)); + } while (bench_stats_check(start, &count, maxKeyGenDurSec)); bench_stats_asym_finish("RSA", 2048, "key gen", count, start); /* Perform RSA encrypt / decrypt (no pad) */ @@ -367,7 +375,7 @@ int TPM2_Wrapper_BenchArgs(void* userCtx, int argc, char *argv[]) rc = wolfTPM2_RsaEncrypt(&dev, &rsaKey, TPM_ALG_NULL, message.buffer, message.size, cipher.buffer, &cipher.size); if (rc != 0) goto exit; - } while (bench_stats_check(start, &count, TPM2_BENCH_DURATION_SEC)); + } while (bench_stats_check(start, &count, maxDuration)); bench_stats_asym_finish("RSA", 2048, "Public", count, start); bench_stats_start(&count, &start); @@ -376,7 +384,7 @@ int TPM2_Wrapper_BenchArgs(void* userCtx, int argc, char *argv[]) rc = wolfTPM2_RsaDecrypt(&dev, &rsaKey, TPM_ALG_NULL, cipher.buffer, cipher.size, plain.buffer, &plain.size); if (rc != 0) goto exit; - } while (bench_stats_check(start, &count, TPM2_BENCH_DURATION_SEC)); + } while (bench_stats_check(start, &count, maxDuration)); bench_stats_asym_finish("RSA", 2048, "Private", count, start); @@ -390,7 +398,7 @@ int TPM2_Wrapper_BenchArgs(void* userCtx, int argc, char *argv[]) rc = wolfTPM2_RsaEncrypt(&dev, &rsaKey, TPM_ALG_OAEP, message.buffer, message.size, cipher.buffer, &cipher.size); if (rc != 0) goto exit; - } while (bench_stats_check(start, &count, TPM2_BENCH_DURATION_SEC)); + } while (bench_stats_check(start, &count, maxDuration)); bench_stats_asym_finish("RSA", 2048, "Pub OAEP", count, start); bench_stats_start(&count, &start); @@ -399,7 +407,7 @@ int TPM2_Wrapper_BenchArgs(void* userCtx, int argc, char *argv[]) rc = wolfTPM2_RsaDecrypt(&dev, &rsaKey, TPM_ALG_OAEP, cipher.buffer, cipher.size, plain.buffer, &plain.size); if (rc != 0) goto exit; - } while (bench_stats_check(start, &count, TPM2_BENCH_DURATION_SEC)); + } while (bench_stats_check(start, &count, maxDuration)); bench_stats_asym_finish("RSA", 2048, "Priv OAEP", count, start); rc = wolfTPM2_UnloadHandle(&dev, &rsaKey.handle); @@ -421,7 +429,7 @@ int TPM2_Wrapper_BenchArgs(void* userCtx, int argc, char *argv[]) rc = wolfTPM2_CreateAndLoadKey(&dev, &eccKey, &storageKey.handle, &publicTemplate, (byte*)gKeyAuth, sizeof(gKeyAuth)-1); if (rc != 0) goto exit; - } while (bench_stats_check(start, &count, TPM2_BENCH_DURATION_SEC)); + } while (bench_stats_check(start, &count, maxDuration)); bench_stats_asym_finish("ECC", 256, "key gen", count, start); /* Perform sign / verify */ @@ -434,7 +442,7 @@ int TPM2_Wrapper_BenchArgs(void* userCtx, int argc, char *argv[]) rc = wolfTPM2_SignHash(&dev, &eccKey, message.buffer, message.size, cipher.buffer, &cipher.size); if (rc != 0) goto exit; - } while (bench_stats_check(start, &count, TPM2_BENCH_DURATION_SEC)); + } while (bench_stats_check(start, &count, maxDuration)); bench_stats_asym_finish("ECDSA", 256, "sign", count, start); bench_stats_start(&count, &start); @@ -442,7 +450,7 @@ int TPM2_Wrapper_BenchArgs(void* userCtx, int argc, char *argv[]) rc = wolfTPM2_VerifyHash(&dev, &eccKey, cipher.buffer, cipher.size, message.buffer, message.size); if (rc != 0) goto exit; - } while (bench_stats_check(start, &count, TPM2_BENCH_DURATION_SEC)); + } while (bench_stats_check(start, &count, maxDuration)); bench_stats_asym_finish("ECDSA", 256, "verify", count, start); rc = wolfTPM2_UnloadHandle(&dev, &eccKey.handle); @@ -466,7 +474,7 @@ int TPM2_Wrapper_BenchArgs(void* userCtx, int argc, char *argv[]) rc = wolfTPM2_ECDHGen(&dev, &eccKey, &pubPoint, cipher.buffer, &cipher.size); if (rc != 0) goto exit; - } while (bench_stats_check(start, &count, TPM2_BENCH_DURATION_SEC)); + } while (bench_stats_check(start, &count, maxDuration)); bench_stats_asym_finish("ECDHE", 256, "agree", count, start); rc = wolfTPM2_UnloadHandle(&dev, &eccKey.handle); diff --git a/examples/boot/secret_seal.c b/examples/boot/secret_seal.c index f01a69a0..09031a10 100644 --- a/examples/boot/secret_seal.c +++ b/examples/boot/secret_seal.c @@ -107,7 +107,7 @@ int TPM2_Boot_SecretSeal_Example(void* userCtx, int argc, char *argv[]) TPM_ALG_ID alg = TPM_ALG_RSA, srkAlg; TPM_ALG_ID pcrAlg = USE_PCR_ALG; TPMT_PUBLIC template; - byte secret[MAX_SYM_DATA]; + byte secret[MAX_SYM_DATA+1]; /* for NULL term */ word32 secretSz = 0; const char* publicKeyFile = NULL; const char* outFile = "sealblob.bin"; @@ -119,6 +119,7 @@ int TPM2_Boot_SecretSeal_Example(void* userCtx, int argc, char *argv[]) XMEMSET(&storage, 0, sizeof(WOLFTPM2_KEY)); XMEMSET(&tpmSession, 0, sizeof(WOLFTPM2_SESSION)); XMEMSET(&sealBlob, 0, sizeof(sealBlob)); + XMEMSET(secret, 0, sizeof(secret)); if (argc >= 2) { if (XSTRCMP(argv[1], "-?") == 0 || @@ -138,13 +139,15 @@ int TPM2_Boot_SecretSeal_Example(void* userCtx, int argc, char *argv[]) else if (XSTRNCMP(argv[argc-1], "-secretstr=", XSTRLEN("-secretstr=")) == 0) { const char* secretStr = argv[argc-1] + XSTRLEN("-secretstr="); secretSz = (int)XSTRLEN(secretStr); - if (secretSz > (word32)sizeof(secret)) - secretSz = (word32)sizeof(secret); + if (secretSz > (word32)sizeof(secret)-1) + secretSz = (word32)sizeof(secret)-1; XMEMCPY(secret, secretStr, secretSz); } else if (XSTRNCMP(argv[argc-1], "-secrethex=", XSTRLEN("-secrethex=")) == 0) { const char* secretStr = argv[argc-1] + XSTRLEN("-secrethex="); word32 secretStrSz = (word32)XSTRLEN(secretStr); + if (secretStrSz > (word32)(sizeof(secret)*2-1)) + secretStrSz = (word32)(sizeof(secret)*2-1); secretSz = hexToByte(secretStr, secret, secretStrSz); } else if (XSTRNCMP(argv[argc-1], "-policy=", @@ -181,7 +184,7 @@ int TPM2_Boot_SecretSeal_Example(void* userCtx, int argc, char *argv[]) printf("Error getting secret\n"); goto exit; } - printf("Secret (%d bytes):\n", secretSz); + printf("Secret (%d bytes): %s\n", secretSz, secret); printHexString(secret, secretSz, 32); /* Storage Root and Parameter Encryption */ diff --git a/examples/include.am b/examples/include.am index c50d6831..fa7a7261 100644 --- a/examples/include.am +++ b/examples/include.am @@ -17,6 +17,10 @@ include examples/gpio/include.am include examples/seal/include.am include examples/attestation/include.am +if BUILD_EXAMPLES +dist_noinst_SCRIPTS += examples/run_examples.sh +endif + dist_example_DATA+= examples/README.md \ examples/tpm_test_keys.c \ examples/tpm_test_keys.h \ diff --git a/examples/nvram/store.c b/examples/nvram/store.c index f21a32bb..1637a60c 100644 --- a/examples/nvram/store.c +++ b/examples/nvram/store.c @@ -137,7 +137,7 @@ int TPM2_NVRAM_Store_Example(void* userCtx, int argc, char *argv[]) rc = readKeyBlob(filename, &keyBlob); if (rc != 0) goto exit; - /* Prepare NV_AUTHWRITE and NV_AUTHREAD attributes necessary for password */ + /* Prepare NV_AUTHWRITE and NV_AUTHREAD attributes necessary for password */ parent.hndl = TPM_RH_OWNER; rc = wolfTPM2_GetNvAttributesTemplate(parent.hndl, &nvAttributes); if (rc != 0) goto exit; diff --git a/examples/run_examples.sh b/examples/run_examples.sh new file mode 100755 index 00000000..36a768ab --- /dev/null +++ b/examples/run_examples.sh @@ -0,0 +1,387 @@ +#!/bin/bash + +RESULT=0 +ENABLE_DESTRUCTIVE_TESTS=0 + +rm run.out +touch run.out + +# Native API test TPM2_x +echo -e "Native tests for TPM2_x API's" +./examples/native/native_test >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "native_test failed! $RESULT$RESULT" && exit 1 + + +# Wrapper tests +echo -e "Wrapper tests" +./examples/wrap/wrap_test >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "wrap_test failed! $RESULT" && exit 1 +./examples/wrap/wrap_test -xor >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "wrap_test (XOR param enc) failed! $RESULT" && exit 1 +./examples/wrap/wrap_test -aes >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "wrap_test (AES param enc) failed! $RESULT" && exit 1 + + +# Key Generation Tests +echo -e "Ken Generation Tests" +./examples/keygen/keygen keyblob.bin -rsa >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "keygen rsa failed! $RESULT" && exit 1 +./examples/keygen/keyload keyblob.bin >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "keyload rsa failed! $RESULT" && exit 1 +./examples/keygen/keygen keyblob.bin -rsa -aes >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "keygen rsa param enc failed! $RESULT" && exit 1 +./examples/keygen/keyload keyblob.bin -aes >> run.out +# keeping keyblob.bin for later tests +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "keyload rsa param enc failed! $RESULT" && exit 1 +./examples/keygen/keyimport rsakeyblob.bin -rsa >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "keyload rsa import load failed! $RESULT" && exit 1 +./examples/keygen/keyload rsakeyblob.bin >> run.out +RESULT=$? +rm rsakeyblob.bin +[ $RESULT -ne 0 ] && echo -e "keyload rsa import load failed! $RESULT" && exit 1 + +./examples/keygen/keygen ecckeyblob.bin -ecc >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "keygen ecc failed! $RESULT" && exit 1 +./examples/keygen/keyload ecckeyblob.bin >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "keyload ecc failed! $RESULT" && exit 1 +./examples/keygen/keygen ecckeyblob.bin -ecc -aes >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "keygen ecc param enc failed! $RESULT" && exit 1 +./examples/keygen/keyload ecckeyblob.bin -aes >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "keyload ecc param enc failed! $RESULT" && exit 1 +./examples/keygen/keyimport ecckeyblob.bin -ecc >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "keyload ecc import failed! $RESULT" && exit 1 +# TODO: TPM2_Load (TPM_RC_INTEGRITY) +#./examples/keygen/keyload ecckeyblob.bin >> run.out +rm ecckeyblob.bin + +./examples/keygen/keygen symkeyblob.bin -sym=aescfb128 >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "keygen sym aes failed! $RESULT" && exit 1 +./examples/keygen/keyload symkeyblob.bin >> run.out +RESULT=$? +rm symkeyblob.bin +[ $RESULT -ne 0 ] && echo -e "keygen sym aes load failed! $RESULT" && exit 1 + +./examples/keygen/keygen keyedhashblob.bin -keyedhash >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "keygen keyed hash failed! $RESULT" && exit 1 +./examples/keygen/keyload keyedhashblob.bin >> run.out +RESULT=$? +rm keyedhashblob.bin +[ $RESULT -ne 0 ] && echo -e "keygen keyed hash load failed! $RESULT" && exit 1 + + +# NV Tests +echo -e "NV Tests" +./examples/nvram/store -aes >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "nv store param enc failed! $RESULT" && exit 1 +./examples/nvram/read -aes >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "nv read param enc failed! $RESULT" && exit 1 + +./examples/nvram/store -priv >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "nv store priv only failed! $RESULT" && exit 1 +./examples/nvram/read -priv >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "nv read priv only failed! $RESULT" && exit 1 + +./examples/nvram/store -priv -aes >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "nv store priv only param enc failed! $RESULT" && exit 1 +./examples/nvram/read -priv -aes >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "nv read priv only param enc failed! $RESULT" && exit 1 + +./examples/nvram/store -pub >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "nv store pub only failed! $RESULT" && exit 1 +./examples/nvram/read -pub >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "nv read pub only failed! $RESULT" && exit 1 + + +# CSR Tests +./examples/keygen/keygen rsa_test_blob.raw -rsa -t >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "keygen rsa test for csr failed! $RESULT" && exit 1 +./examples/keygen/keygen ecc_test_blob.raw -ecc -t >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "keygen ecc test for csr failed! $RESULT" && exit 1 + +./examples/csr/csr -cert >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "cert self-signed failed! $RESULT" && exit 1 + +cp ./certs/tpm-rsa-cert.pem ../wolfssl/certs/tpm-rsa-cert.pem >> run.out +cp ./certs/tpm-ecc-cert.pem ../wolfssl/certs/tpm-ecc-cert.pem >> run.out + +./examples/csr/csr >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "csr gen failed! $RESULT" && exit 1 + +./certs/certreq.sh 2>&1 >> run.out +cp ./certs/ca-ecc-cert.pem ../wolfssl/certs/tpm-ca-ecc-cert.pem >> run.out +cp ./certs/ca-rsa-cert.pem ../wolfssl/certs/tpm-ca-rsa-cert.pem >> run.out + + +# PKCS7 Tests +echo -e "PKCS7 tests" +./examples/pkcs7/pkcs7 >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "pkcs7 failed! $RESULT" && exit 1 + + +# TLS Tests RSA +echo -e "TLS tests" +generate_port() { # function to produce a random port number + if [[ "$OSTYPE" == "linux"* ]]; then + port=$(($(od -An -N2 /dev/urandom) % (65535-49512) + 49512)) + elif [[ "$OSTYPE" == "darwin"* ]]; then + port=$(($(od -An -N2 /dev/random) % (65535-49512) + 49512)) + else + echo "Unknown OS TYPE" + exit 1 + fi + echo -e "Using port $port" >> run.out +} + +run_tpm_tls_client() { # Usage: run_tpm_tls_client [ecc/rsa] [tpmargs]] + echo -e "TLS test (TPM as client) $1 $2" + generate_port + pushd ../wolfssl >> run.out + ./examples/server/server -p $port -g -A ./certs/tpm-ca-$1-cert.pem 2>&1 >> run.out & + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "tls server $1 $2 failed! $RESULT" && exit 1 + popd >> run.out + sleep 0.1 + ./examples/tls/tls_client -p=$port -$1 $2 2>&1 >> run.out + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "tpm tls client $1 $2 failed! $RESULT" && exit 1 +} + +run_tpm_tls_server() { # Usage: run_tpm_tls_server [ecc/rsa] [tpmargs]] + echo -e "TLS test (TPM as server) $1 $2" + generate_port + ./examples/tls/tls_server -p=$port -$1 $2 2>&1 >> run.out & + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "tpm tls server $1 $2 failed! $RESULT" && exit 1 + pushd ../wolfssl >> run.out + sleep 0.1 + ./examples/client/client -p $port -g -A ./certs/tpm-ca-$1-cert.pem 2>&1 >> run.out + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "tls client $1 $2 failed! $RESULT" && exit 1 + popd >> run.out +} + +run_tpm_tls_client "rsa" "" +# TODO: Not working (TPM2_Load TPM_RC_COMMAND_SIZE) +#run_tpm_tls_client "rsa" "-aes" +run_tpm_tls_client "ecc" "" +# TODO: Not working (TPM2_Load TPM_RC_COMMAND_SIZE) +#run_tpm_tls_client "ecc" "-aes" + +run_tpm_tls_server "rsa" "" +# TODO: Not working (TPM2_Load TPM_RC_COMMAND_SIZE) +#run_tpm_tls_server "rsa" "-aes" +run_tpm_tls_server "ecc" "" +# TODO: Not working (TPM2_Load TPM_RC_COMMAND_SIZE) +#run_tpm_tls_server "ecc" "-aes" + + +# Clock Tests +echo -e "Clock tests" +./examples/timestamp/clock_set +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "clock set failed! $RESULT" && exit 1 + + +# Attestation tests +echo -e "Attestation tests" +./examples/timestamp/signed_timestamp >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "signed_timestamp failed! $RESULT" && exit 1 +./examples/timestamp/signed_timestamp -aes >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "signed_timestamp param enc failed! $RESULT" && exit 1 +# TODO: Test broken (wolfTPM2_GetTime TPM_RC_SCHEME) +#./examples/timestamp/signed_timestamp -ecc >> run.out +#./examples/timestamp/signed_timestamp -ecc -aes >> run.out + +./examples/attestation/make_credential >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "make_credential failed! $RESULT" && exit 1 +./examples/attestation/make_credential -eh >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "make_credential eh failed! $RESULT" && exit 1 +# TODO: Test broken (TPM2_ActivateCredentials TPM_RC_INTEGRITY) +#./examples/attestation/activate_credential >> run.out +#./examples/attestation/activate_credential -eh >> run.out + + +# PCR Quote Tests +echo -e "PCR Quote tests" +./examples/pcr/reset 16 >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "pcr reset failed! $RESULT" && exit 1 +./examples/pcr/extend 16 /usr/bin/zip >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "pcr extend file failed! $RESULT" && exit 1 +./examples/pcr/quote 16 zip.quote >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "pcr quote failed! $RESULT" && exit 1 +./examples/pcr/quote 16 zip.quote -aes >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "pcr quote param enc failed! $RESULT" && exit 1 +./examples/pcr/quote 16 zip.quote -ecc >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "pcr quote ecc failed! $RESULT" && exit 1 +./examples/pcr/quote 16 zip.quote -ecc -aes >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "pcr quote ecc param enc failed! $RESULT" && exit 1 +rm zip.quote + + +# Benchmark tests +echo -e "Benchmark tests" +./examples/bench/bench -maxdur=25 >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "bench failed! $RESULT" && exit 1 +./examples/bench/bench -maxdur=25 -aes >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "bench (AES param enc) failed! $RESULT" && exit 1 + + +# Secure Boot ROT +echo -e "Secure Boot ROT (Root of Trust) test" +./examples/boot/secure_rot -nvindex=0x1400200 -authstr=test -write=./certs/example-ecc256-key-pub.der >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "secure rot write ecc256! $RESULT" && exit 1 +./examples/boot/secure_rot -nvindex=0x1400201 -authstr=test -write=./certs/example-ecc384-key-pub.der -sha384 >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "secure rot write ecc384! $RESULT" && exit 1 +./examples/boot/secure_rot -nvindex=0x1400202 -authstr=test -write=./certs/example-rsa2048-key-pub.der >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "secure rot write rsa2048! $RESULT" && exit 1 +./examples/boot/secure_rot -nvindex=0x1400201 -authstr=test -sha384 -hash=e77dd3112a27948a3f2d87f32dc69ebeed0b3344c5d7726f5742f4f0c0f451aabe4213f8b3b986639e69ed0ea8b49d94 >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "secure rot write ecc384 again! $RESULT" && exit 1 + +if test $ENABLE_DESTRUCTIVE_TESTS -eq 1 +then + ./examples/boot/secure_rot -nvindex=0x1400201 -authstr=test -lock >> run.out + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "secure rot write ecc384 lock! $RESULT" && exit 1 + ./examples/boot/secure_rot -nvindex=0x1400201 -write=./certs/example-ecc384-key-pub.der -sha384 >> run.out + RESULT=$? + [ $RESULT -eq 0 ] && echo -e "secure rot write ecc384 should be locked! $RESULT" && exit 1 +fi + +./examples/boot/secure_rot -nvindex=0x1400201 -authstr=test >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "secure rot write ecc384 read! $RESULT" && exit 1 + +# Test expected failure cases +./examples/boot/secure_rot -nvindex=0x1400201 >> run.out +RESULT=$? +[ $RESULT -eq 0 ] && echo -e "secure rot write ecc384 read no auth! $RESULT" && exit 1 + + +# Seal/Unseal (PCR Policy) +echo -e "Seal/Unseal (PCR policy)" +./examples/seal/seal sealedkeyblob.bin mySecretMessage >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "seal pcr failed! $RESULT" && exit 1 +# TODO (TPM2_Load TPM_RC_BAD_AUTH) +#./examples/seal/unseal message.raw sealedkeyblob.bin >> run.out +rm sealedkeyblob.bin + + +# Seal/Unseal (Policy auth) +echo -e "Seal/Unseal (Policy auth)" +# Extend "aaa" to test PCR 16 +echo aaa > aaa.bin +./examples/pcr/reset 16 >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "pcr 16 reset failed! $RESULT" && exit 1 +./examples/pcr/extend 16 aaa.bin >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "pcr 16 extend failed! $RESULT" && exit 1 + +# RSA +./examples/pcr/policy_sign -pcr=16 -rsa -key=./certs/example-rsa2048-key.der -out=pcrsig.bin -outpolicy=policyauth.bin >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "policy sign rsa failed! $RESULT" && exit 1 + +TMPFILE=$(mktemp) +SECRET_STRING=`head -c 32 /dev/random | base64` +./examples/boot/secret_seal -rsa -policy=policyauth.bin -out=sealblob.bin -secretstr=$SECRET_STRING >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "secret seal rsa failed! $RESULT" && exit 1 +./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig.bin -rsa -publickey=./certs/example-rsa2048-key-pub.der -seal=sealblob.bin | tee $TMPFILE >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "secret unseal rsa failed! $RESULT" && exit 1 +grep "$SECRET_STRING" $TMPFILE >> run.out +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "secret unseal rsa match failed! $RESULT" && exit 1 + +# RSA (recreate policy auth using public key instead of using policyauth.bin) +TMPFILE=$(mktemp) +SECRET_STRING=`head -c 32 /dev/random | base64` +./examples/boot/secret_seal -rsa -publickey=./certs/example-rsa2048-key-pub.der -out=sealblob.bin -secretstr=$SECRET_STRING >> run.out +[ $RESULT -ne 0 ] && echo -e "secret seal rsa alt failed! $RESULT" && exit 1 +./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig.bin -rsa -publickey=./certs/example-rsa2048-key-pub.der -seal=sealblob.bin | tee $TMPFILE >> run.out +[ $RESULT -ne 0 ] && echo -e "secret unseal rsa alt failed! $RESULT" && exit 1 +grep "$SECRET_STRING" $TMPFILE >> run.out +RESULT=$? +rm $TMPFILE +[ $RESULT -ne 0 ] && echo -e "secret unseal rsa alt match failed! $RESULT" && exit 1 + +# ECC +./examples/pcr/policy_sign -pcr=16 -ecc -key=./certs/example-ecc256-key.der -out=pcrsig.bin -outpolicy=policyauth.bin >> run.out +[ $RESULT -ne 0 ] && echo -e "policy sign ecc failed! $RESULT" && exit 1 + +TMPFILE=$(mktemp) +SECRET_STRING=`head -c 32 /dev/random | base64` +./examples/boot/secret_seal -ecc -policy=policyauth.bin -out=sealblob.bin -secretstr=$SECRET_STRING >> run.out +[ $RESULT -ne 0 ] && echo -e "secret seal ecc failed! $RESULT" && exit 1 +./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig.bin -ecc -publickey=./certs/example-ecc256-key-pub.der -seal=sealblob.bin | tee $TMPFILE >> run.out +[ $RESULT -ne 0 ] && echo -e "secret unseal ecc failed! $RESULT" && exit 1 +grep "$SECRET_STRING" $TMPFILE >> run.out +RESULT=$? +rm $TMPFILE +[ $RESULT -ne 0 ] && echo -e "secret unseal ecc match failed! $RESULT" && exit 1 + +# ECC (recreate policy auth using public key instead of using policyauth.bin) +TMPFILE=$(mktemp) +SECRET_STRING=`head -c 32 /dev/random | base64` +./examples/boot/secret_seal -ecc -publickey=./certs/example-ecc256-key-pub.der -out=sealblob.bin -secretstr=$SECRET_STRING >> run.out +[ $RESULT -ne 0 ] && echo -e "secret seal ecc alt failed! $RESULT" && exit 1 +./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig.bin -ecc -publickey=./certs/example-ecc256-key-pub.der -seal=sealblob.bin | tee $TMPFILE >> run.out +[ $RESULT -ne 0 ] && echo -e "secret unseal ecc alt failed! $RESULT" && exit 1 +grep "$SECRET_STRING" $TMPFILE >> run.out +RESULT=$? +rm $TMPFILE +[ $RESULT -ne 0 ] && echo -e "secret unseal ecc alt match failed! $RESULT" && exit 1 + +rm aaa.bin + + + +echo -e "Success!" +exit 0 diff --git a/examples/seal/seal.c b/examples/seal/seal.c index 580e5000..02b379e0 100644 --- a/examples/seal/seal.c +++ b/examples/seal/seal.c @@ -138,7 +138,6 @@ int TPM2_Seal_Example(void* userCtx, int argc, char *argv[]) } printf("Created new TPM seal key (pub %d, priv %d bytes)\n", newKey.pub.size, newKey.priv.size); - printf("0x%x\n", newKey.handle.hndl); /* Save key as encrypted blob to the disk */ #if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_FILESYSTEM) diff --git a/examples/timestamp/clock_set.c b/examples/timestamp/clock_set.c index 6839726b..9db5cbc6 100644 --- a/examples/timestamp/clock_set.c +++ b/examples/timestamp/clock_set.c @@ -38,7 +38,7 @@ static void usage(void) { printf("Expected usage:\n"); - printf("./examples/clock/clock_set [time]\n"); + printf("./examples/timestamp/clock_set [time]\n"); printf("* time is a value in miliseconds used as increment (optional)\n"); printf("* Default time value is 50000 ms (50 seconds)\n"); printf("\tThe TPM clock can be set only forward.\n"); diff --git a/examples/tls/tls_client.c b/examples/tls/tls_client.c index 7fe21ae1..89fab461 100644 --- a/examples/tls/tls_client.c +++ b/examples/tls/tls_client.c @@ -82,6 +82,7 @@ static void usage(void) printf("./examples/tls/tls_client [-ecc] [-aes/xor]\n"); printf("* -ecc: Use RSA or ECC key\n"); printf("* -aes/xor: Use Parameter Encryption\n"); + printf("* -p=port: Supply a custom port number (default %d)\n", TLS_PORT); } int TPM2_TLS_Client(void* userCtx) @@ -123,6 +124,7 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[]) TPM_ALG_ID paramEncAlg = TPM_ALG_NULL; WOLFTPM2_SESSION tpmSession; TPMT_PUBLIC publicTemplate; + word32 port = TLS_PORT; /* initialize variables */ XMEMSET(&storageKey, 0, sizeof(storageKey)); @@ -151,18 +153,26 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[]) if (XSTRCMP(argv[argc-1], "-ecc") == 0) { useECC = 1; } - if (XSTRCMP(argv[argc-1], "-aes") == 0) { + else if (XSTRCMP(argv[argc-1], "-rsa") == 0) { + useECC = 0; + } + else if (XSTRCMP(argv[argc-1], "-aes") == 0) { paramEncAlg = TPM_ALG_CFB; } - if (XSTRCMP(argv[argc-1], "-xor") == 0) { + else if (XSTRCMP(argv[argc-1], "-xor") == 0) { paramEncAlg = TPM_ALG_XOR; } + else if (XSTRNCMP(argv[argc-1], "-p=", XSTRLEN("-p=")) == 0) { + const char* portStr = argv[argc-1] + XSTRLEN("-p="); + port = (word32)XATOI(portStr); + } argc--; } printf("TPM2 TLS Client Example\n"); printf("\tUse %s keys\n", useECC ? "ECC" : "RSA"); printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg)); + printf("\tUsing Port: %d\n", port); /* Init the TPM2 device */ rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx); @@ -446,7 +456,7 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[]) } /* Setup socket and connection */ - rc = SetupSocketAndConnect(&sockIoCtx, TLS_HOST, TLS_PORT); + rc = SetupSocketAndConnect(&sockIoCtx, TLS_HOST, port); if (rc != 0) goto exit; /* Setup read/write callback contexts */ @@ -556,6 +566,9 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[]) #ifdef HAVE_ECC wc_ecc_free(&wolfEccKey); wolfTPM2_UnloadHandle(&dev, &eccKey.handle); + #ifndef WOLFTPM2_USE_SW_ECDHE + wolfTPM2_UnloadHandle(&dev, &ecdhKey.handle); + #endif #endif wolfTPM2_UnloadHandle(&dev, &tpmSession.handle); diff --git a/examples/tls/tls_server.c b/examples/tls/tls_server.c index ac3cec21..c7f3ae51 100644 --- a/examples/tls/tls_server.c +++ b/examples/tls/tls_server.c @@ -79,6 +79,7 @@ static void usage(void) printf("./examples/tls/tls_server [-ecc] [-aes/xor]\n"); printf("* -ecc: Use RSA or ECC key\n"); printf("* -aes/xor: Use Parameter Encryption\n"); + printf("* -p=port: Supply a custom port number (default %d)\n", TLS_PORT); } int TPM2_TLS_Server(void* userCtx) @@ -130,6 +131,7 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[]) TPM_ALG_ID paramEncAlg = TPM_ALG_NULL; WOLFTPM2_SESSION tpmSession; TPMT_PUBLIC publicTemplate; + word32 port = TLS_PORT; /* initialize variables */ XMEMSET(&storageKey, 0, sizeof(storageKey)); @@ -162,12 +164,19 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[]) if (XSTRCMP(argv[argc-1], "-ecc") == 0) { useECC = 1; } + else if (XSTRCMP(argv[argc-1], "-rsa") == 0) { + useECC = 0; + } else if (XSTRCMP(argv[argc-1], "-aes") == 0) { paramEncAlg = TPM_ALG_CFB; } else if (XSTRCMP(argv[argc-1], "-xor") == 0) { paramEncAlg = TPM_ALG_XOR; } + else if (XSTRNCMP(argv[argc-1], "-p=", XSTRLEN("-p=")) == 0) { + const char* portStr = argv[argc-1] + XSTRLEN("-p="); + port = (word32)XATOI(portStr); + } else { printf("Warning: Unrecognized option: %s\n", argv[argc-1]); } @@ -177,6 +186,7 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[]) printf("TPM2 TLS Server Example\n"); printf("\tUse %s keys\n", useECC ? "ECC" : "RSA"); printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg)); + printf("\tUsing Port: %d\n", port); /* Init the TPM2 device */ rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx); @@ -213,7 +223,8 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[]) /* set session for authorization of the storage key */ rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession, - (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | TPMA_SESSION_continueSession)); + (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | + TPMA_SESSION_continueSession)); if (rc != 0) goto exit; } @@ -428,7 +439,7 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[]) } /* Setup socket and connection */ - rc = SetupSocketAndListen(&sockIoCtx, TLS_PORT); + rc = SetupSocketAndListen(&sockIoCtx, port); if (rc != 0) goto exit; /* Setup read/write callback contexts */ diff --git a/src/tpm2_wrap.c b/src/tpm2_wrap.c index fcdfb848..6e5de69f 100644 --- a/src/tpm2_wrap.c +++ b/src/tpm2_wrap.c @@ -4048,6 +4048,9 @@ int wolfTPM2_NVCreateAuth(WOLFTPM2_DEV* dev, WOLFTPM2_HANDLE* parent, if (rctmp != TPM_RC_SUCCESS) rc = rctmp; + /* make sure auth not set */ + wolfTPM2_UnsetAuth(dev, 1); + #ifdef DEBUG_WOLFTPM printf("TPM2_NV_DefineSpace: Auth 0x%x, Idx 0x%x, Attribs 0x%d, Size %d\n", (word32)in.authHandle, @@ -6454,28 +6457,22 @@ int wolfTPM2_CryptoDevCb(int devId, wc_CryptoInfo* info, void* ctx) (void)devId; +#if defined(DEBUG_CRYPTOCB) && defined(DEBUG_WOLFTPM) + wc_CryptoCb_InfoString(info); +#endif + if (info->algo_type == WC_ALGO_TYPE_RNG) { #ifndef WC_NO_RNG - #ifdef DEBUG_WOLFTPM - printf("CryptoDevCb RNG: Sz %d\n", info->rng.sz); - #endif rc = wolfTPM2_GetRandom(tlsCtx->dev, info->rng.out, info->rng.sz); #endif /* !WC_NO_RNG */ } else if (info->algo_type == WC_ALGO_TYPE_SEED) { #ifndef WC_NO_RNG - #ifdef DEBUG_WOLFTPM - printf("CryptoDevCb RNG Seed: Sz %d\n", info->seed.sz); - #endif rc = wolfTPM2_GetRandom(tlsCtx->dev, info->seed.seed, info->seed.sz); #endif /* !WC_NO_RNG */ } #if !defined(NO_RSA) || defined(HAVE_ECC) else if (info->algo_type == WC_ALGO_TYPE_PK) { - #ifdef DEBUG_WOLFTPM - printf("CryptoDevCb Pk: Type %d\n", info->pk.type); - #endif - #ifndef NO_RSA /* RSA */ if (info->pk.type == WC_PK_TYPE_RSA_KEYGEN) { @@ -6543,11 +6540,15 @@ int wolfTPM2_CryptoDevCb(int devId, wc_CryptoInfo* info, void* ctx) return exit_rc; } curve_id = rc; + rc = 0; - /* Generate ephemeral key */ - rc = wolfTPM2_ECDHGenKey(tlsCtx->dev, tlsCtx->ecdhKey, curve_id, - (byte*)tlsCtx->eccKey->handle.auth.buffer, - tlsCtx->eccKey->handle.auth.size); + /* Generate ephemeral key - if one isn't already created */ + if (tlsCtx->ecdhKey->handle.hndl == 0 || + tlsCtx->ecdhKey->handle.hndl == TPM_RH_NULL) { + rc = wolfTPM2_ECDHGenKey(tlsCtx->dev, tlsCtx->ecdhKey, curve_id, + (byte*)tlsCtx->eccKey->handle.auth.buffer, + tlsCtx->eccKey->handle.auth.size); + } if (rc == 0) { /* Export public key info to wolf ecc_key */ rc = wolfTPM2_EccKey_TpmToWolf(tlsCtx->dev, tlsCtx->ecdhKey, @@ -6648,9 +6649,6 @@ int wolfTPM2_CryptoDevCb(int devId, wc_CryptoInfo* info, void* ctx) #endif /* !NO_RSA || HAVE_ECC */ #ifndef NO_AES else if (info->algo_type == WC_ALGO_TYPE_CIPHER) { - #ifdef DEBUG_WOLFTPM - printf("CryptoDevCb Cipher: Type %d\n", info->cipher.type); - #endif if (info->cipher.type != WC_CIPHER_AES_CBC) { return exit_rc; } @@ -6697,9 +6695,6 @@ int wolfTPM2_CryptoDevCb(int devId, wc_CryptoInfo* info, void* ctx) word32 hashFlags = 0; #endif - #ifdef DEBUG_WOLFTPM - printf("CryptoDevCb Hash: Type %d\n", info->hash.type); - #endif if (info->hash.type != WC_HASH_TYPE_SHA && info->hash.type != WC_HASH_TYPE_SHA256) { return exit_rc; @@ -6827,9 +6822,6 @@ int wolfTPM2_CryptoDevCb(int devId, wc_CryptoInfo* info, void* ctx) TPM_ALG_ID hashAlg = TPM_ALG_ERROR; #endif - #ifdef DEBUG_WOLFTPM - printf("CryptoDevCb HMAC: Type %d\n", info->hmac.macType); - #endif if (info->hmac.macType != WC_HASH_TYPE_SHA && info->hmac.macType != WC_HASH_TYPE_SHA256) { return exit_rc;