From 6d9cd1fa91e02ab58ce5a37613c9514e482d3858 Mon Sep 17 00:00:00 2001 From: Bill Phipps Date: Fri, 4 Oct 2024 16:15:31 -0400 Subject: [PATCH 01/18] WIP --- demo/client/wh_demo_client_all.c | 20 +++++++-- demo/client/wh_demo_client_crypto.c | 55 ++++++++++++------------ demo/client/wh_demo_client_crypto.h | 6 +-- demo/client/wh_demo_client_keystore.c | 30 +++++++------ posix/tcp/wh_client_tcp/Makefile | 4 +- posix/tcp/wh_client_tcp/user_settings.h | 28 ++++++++---- posix/tcp/wh_client_tcp/wh_client_tcp.c | 6 +++ posix/tcp/wh_client_tcp/wolfhsm_cfg.h | 1 - posix/tcp/wh_server_tcp/Makefile | 2 +- posix/tcp/wh_server_tcp/user_settings.h | 57 +++---------------------- posix/tcp/wh_server_tcp/wh_server_tcp.c | 14 +++++- posix/tcp/wh_server_tcp/wolfhsm_cfg.h | 1 - 12 files changed, 114 insertions(+), 110 deletions(-) diff --git a/demo/client/wh_demo_client_all.c b/demo/client/wh_demo_client_all.c index 70fc5c4..b7c06be 100644 --- a/demo/client/wh_demo_client_all.c +++ b/demo/client/wh_demo_client_all.c @@ -22,13 +22,13 @@ int wh_DemoClient_All(whClientContext* clientContext) return rc; } #endif - /* NVM demos */ + /** NVM demos */ rc = wh_DemoClient_Nvm(clientContext); if (rc != 0) { return rc; } - /* Keystore demos */ + /** Keystore demos */ rc = wh_DemoClient_KeystoreBasic(clientContext); if (rc != 0) { return rc; @@ -37,12 +37,15 @@ int wh_DemoClient_All(whClientContext* clientContext) if (rc != 0) { return rc; } +#ifndef NO_AES rc = wh_DemoClient_KeystoreAes(clientContext); if (rc != 0) { return rc; } +#endif - /* Crypto demos */ + /** Crypto demos */ +#ifndef NO_RSA rc = wh_DemoClient_CryptoRsa(clientContext); if (rc != 0) { return rc; @@ -52,7 +55,9 @@ int wh_DemoClient_All(whClientContext* clientContext) if (rc != 0) { return rc; } +#endif /* !NO_RSA */ +#ifdef HAVE_CURVE25519 rc = wh_DemoClient_CryptoCurve25519(clientContext); if (rc != 0) { return rc; 
@@ -62,7 +67,9 @@ int wh_DemoClient_All(whClientContext* clientContext) if (rc != 0) { return rc; } +#endif /* HAVE_CURVE25519 */ +#ifdef HAVE_ECC rc = wh_DemoClient_CryptoEcc(clientContext); if (rc != 0) { return rc; @@ -72,7 +79,9 @@ int wh_DemoClient_All(whClientContext* clientContext) if (rc != 0) { return rc; } +#endif /* HAVE_ECC */ +#if !defined(NO_AES) && defined(HAVE_AES_CBC) rc = wh_DemoClient_CryptoAesCbc(clientContext); if (rc != 0) { return rc; @@ -82,7 +91,9 @@ int wh_DemoClient_All(whClientContext* clientContext) if (rc != 0) { return rc; } +#endif /* !NO_AES && HAVE_AES_CBC */ + #if !defined(NO_AES) && defined(HAVE_AESGCM) rc = wh_DemoClient_CryptoAesGcm(clientContext); if (rc != 0) { return rc; @@ -92,7 +103,9 @@ int wh_DemoClient_All(whClientContext* clientContext) if (rc != 0) { return rc; } +#endif /* !NO_AES && HAVE_AESGCM */ +#if defined(WOLFSSL_CMAC) rc = wh_DemoClient_CryptoCmac(clientContext); if (rc != 0) { return rc; @@ -107,6 +120,7 @@ int wh_DemoClient_All(whClientContext* clientContext) if (rc != 0) { return rc; } +#endif /* WOLFSSL_CMAC */ return rc; } diff --git a/demo/client/wh_demo_client_crypto.c b/demo/client/wh_demo_client_crypto.c index 58916e7..3b9345b 100644 --- a/demo/client/wh_demo_client_crypto.c +++ b/demo/client/wh_demo_client_crypto.c @@ -11,6 +11,7 @@ #include "wolfhsm/wh_common.h" #include "wolfhsm/wh_client.h" +#include "wolfhsm/wh_client_crypto.h" #include "wolfhsm/wh_error.h" #include "user_settings.h" @@ -26,7 +27,7 @@ #include "wolfssl/wolfcrypt/rsa.h" #endif -#if !defined(NO_ECC) && defined(HAVE_ECC) +#if defined(HAVE_ECC) #include "wolfssl/wolfcrypt/ecc.h" #endif @@ -34,7 +35,7 @@ #include "wolfssl/wolfcrypt/curve25519.h" #endif -#if !defined(NO_AES) && defined(HAVE_AES) +#if !defined(NO_AES) #include "wolfssl/wolfcrypt/aes.h" #endif 
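Review bot: The CMAC guard added in the `@@ -92,7 +103,9` hunk, `#if defined(WOLFSSL_CMAC)`, is weaker than the guard this same patch puts around the CMAC demo definitions in wh_demo_client_crypto.c (`#if defined(WOLFSSL_CMAC) && !defined(NO_AES)`). A build with `WOLFSSL_CMAC` and `NO_AES` both defined would still call `wh_DemoClient_CryptoCmac` and its siblings here while their definitions are compiled out. Use `#if defined(WOLFSSL_CMAC) && !defined(NO_AES)` here, and `#endif /* WOLFSSL_CMAC && !NO_AES */` in the `@@ -107,6 +120,7` hunk. The body of wh_DemoClient_All starts outside these hunks.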
@@ -107,7 +108,7 @@ int wh_DemoClient_CryptoRsa(whClientContext* clientContext) exit: (void)wc_FreeRng(rng); if (needEvict) { - ret = wh_Client_GetKeyIdRsa(rsa, &keyId); + ret = wh_Client_RsaGetKeyId(rsa, &keyId); if (ret != 0) { printf("Failed to wh_Client_GetKeyIdRsa %d\n", ret); return ret; @@ -179,7 +180,7 @@ int wh_DemoClient_CryptoRsaImport(whClientContext* clientContext) } /* set the assigned keyId */ - ret = wh_Client_SetKeyIdRsa(rsa, keyId); + ret = wh_Client_RsaSetKeyId(rsa, keyId); if (ret != 0) { printf("Failed to wh_Client_SetKeyIdRsa %d\n", ret); goto exit; @@ -302,7 +303,7 @@ int wh_DemoClient_CryptoCurve25519(whClientContext* clientContext) exit: (void)wc_FreeRng(rng); if (needEvictPriv) { - ret = wh_Client_GetKeyIdCurve25519(curve25519PrivateKey, &keyId); + ret = wh_Client_Curve25519GetKeyId(curve25519PrivateKey, &keyId); if (ret != 0) { printf("Failed to wh_Client_GetKeyIdRsa %d\n", ret); return ret; @@ -313,7 +314,7 @@ int wh_DemoClient_CryptoCurve25519(whClientContext* clientContext) } } if (needEvictPub) { - ret = wh_Client_GetKeyIdCurve25519(curve25519PublicKey, &keyId); + ret = wh_Client_Curve25519GetKeyId(curve25519PublicKey, &keyId); if (ret != 0) { printf("Failed to wh_Client_GetKeyIdRsa %d\n", ret); return ret; @@ -379,7 +380,7 @@ int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext) } /* set the assigned keyId */ - ret = wh_Client_SetKeyIdCurve25519(curve25519PrivateKey, keyIdPrivBob); + ret = wh_Client_Curve25519SetKeyId(curve25519PrivateKey, keyIdPrivBob); if (ret != 0) { printf("Failed to wh_Client_SetKeyIdRsa %d\n", ret); goto exit; @@ -417,7 +418,7 @@ int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext) } /* set the assigned keyId */ - ret = wh_Client_SetKeyIdCurve25519(curve25519PublicKey, keyIdPubAlice); + ret = wh_Client_Curve25519SetKeyId(curve25519PublicKey, keyIdPubAlice); if (ret != 0) { printf("Failed to wh_Client_SetKeyIdRsa %d\n", ret); goto exit; 
@@ -468,7 +469,7 @@ int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext) } /* set the assigned keyId */ - ret = wh_Client_SetKeyIdCurve25519(curve25519PrivateKey, keyIdPrivAlice); + ret = wh_Client_Curve25519SetKeyId(curve25519PrivateKey, keyIdPrivAlice); if (ret != 0) { printf("Failed to wh_Client_SetKeyIdRsa %d\n", ret); goto exit; @@ -506,7 +507,7 @@ int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext) } /* set the assigned keyId */ - ret = wh_Client_SetKeyIdCurve25519(curve25519PublicKey, keyIdPubBob); + ret = wh_Client_Curve25519SetKeyId(curve25519PublicKey, keyIdPubBob); if (ret != 0) { printf("Failed to wh_Client_SetKeyIdRsa %d\n", ret); goto exit; @@ -562,7 +563,7 @@ int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext) } #endif /* HAVE_CURVE25519 */ -#if !defined(NO_ECC) && defined(HAVE_ECC) +#if defined(HAVE_ECC) int wh_DemoClient_CryptoEcc(whClientContext* clientContext) { int ret = 0; @@ -1005,9 +1006,9 @@ int wh_DemoClient_CryptoEccImport(whClientContext* clientContext) } return ret; } -#endif /* !NO_ECC && HAVE_ECC */ +#endif /* HAVE_ECC */ -#if !defined(NO_AES) && defined(HAVE_AES) +#if !defined(NO_AES) && defined(HAVE_AES_CBC) int wh_DemoClient_CryptoAesCbc(whClientContext* clientContext) { int ret = 0; @@ -1097,7 +1098,7 @@ int wh_DemoClient_CryptoAesCbcImport(whClientContext* clientContext) needEvict = 1; /* set the keyId on the struct */ - ret = wh_Client_SetKeyIdAes(aes, keyId); + ret = wh_Client_AesSetKeyId(aes, keyId); if (ret != 0) { printf("Failed to wh_Client_SetKeyIdAes %d\n", ret); goto exit; @@ -1134,9 +1135,9 @@ int wh_DemoClient_CryptoAesCbcImport(whClientContext* clientContext) } return ret; } -#endif /* !NO_AES && HAVE_AES */ +#endif /* !NO_AES && HAVE_AES_CBC*/ -#if !defined(NO_AES) && defined(HAVE_AES) && defined(HAVE_AESGCM) +#if !defined(NO_AES) && defined(HAVE_AESGCM) int wh_DemoClient_CryptoAesGcm(whClientContext* clientContext) { int ret = 0; 
@@ -1224,7 +1225,7 @@ int wh_DemoClient_CryptoAesGcmImport(whClientContext* clientContext) needEvict = 1; /* set the keyId on the struct */ - ret = wh_Client_SetKeyIdAes(aes, keyId); + ret = wh_Client_AesSetKeyId(aes, keyId); if (ret != 0) { printf("Failed to wh_Client_SetKeyIdAes %d\n", ret); goto exit; @@ -1270,9 +1271,9 @@ int wh_DemoClient_CryptoAesGcmImport(whClientContext* clientContext) } return ret; } -#endif /* !NOAES && HAVE_AES && HAVE_ASEGCM */ +#endif /* !NOAES && HAVE_ASEGCM */ -#ifdef WOLFSSL_CMAC +#if defined(WOLFSSL_CMAC) && !defined(NO_AES) int wh_DemoClient_CryptoCmac(whClientContext* clientContext) { int ret = 0; @@ -1347,7 +1348,7 @@ int wh_DemoClient_CryptoCmacImport(whClientContext* clientContext) } /* set the keyId on the struct */ - ret = wh_Client_SetKeyIdCmac(cmac, keyId); + ret = wh_Client_CmacSetKeyId(cmac, keyId); if (ret != 0) { printf("Failed to wh_Client_SetKeyIdAes %d\n", ret); goto exit; @@ -1377,7 +1378,7 @@ int wh_DemoClient_CryptoCmacImport(whClientContext* clientContext) } /* set the keyId on the struct */ - ret = wh_Client_SetKeyIdCmac(cmac, keyId); + ret = wh_Client_CmacSetKeyId(cmac, keyId); if (ret != 0) { printf("Failed to wh_Client_SetKeyIdAes %d\n", ret); goto exit; @@ -1385,7 +1386,7 @@ int wh_DemoClient_CryptoCmacImport(whClientContext* clientContext) /* verify the cmac tag using the special HSM oneshot function * wh_Client_AesCmacVerify which is required for pre cached keys */ - ret = wh_Client_AesCmacVerify(cmac, tag, sizeof(tag), (byte*)message, + ret = wh_Client_CmacAesVerify(cmac, tag, sizeof(tag), (byte*)message, strlen(message), keyId, NULL); if (ret != 0) { printf("CMAC hash and verify failed with imported key %d\n", ret); 
@@ -1426,7 +1427,7 @@ int wh_DemoClient_CryptoCmacOneshotImport(whClientContext* clientContext) } /* set the keyId on the struct */ - ret = wh_Client_SetKeyIdCmac(cmac, keyId); + ret = wh_Client_CmacSetKeyId(cmac, keyId); if (ret != 0) { printf("Failed to wh_Client_SetKeyIdAes %d\n", ret); goto exit; @@ -1435,7 +1436,7 @@ int wh_DemoClient_CryptoCmacOneshotImport(whClientContext* clientContext) /* generate the cmac tag using the special HSM wh_Client_AesCmacGenerate * function which is required for pre cached keys */ outLen = sizeof(tag); - ret = wh_Client_AesCmacGenerate(cmac, tag, &outLen, (byte*)message, + ret = wh_Client_CmacAesGenerate(cmac, tag, &outLen, (byte*)message, sizeof(message), keyId, NULL); if (ret != 0) { printf("Failed to wh_Client_AesCmacGenerate %d\n", ret); @@ -1452,7 +1453,7 @@ int wh_DemoClient_CryptoCmacOneshotImport(whClientContext* clientContext) } /* set the keyId on the struct */ - ret = wh_Client_SetKeyIdCmac(cmac, keyId); + ret = wh_Client_CmacSetKeyId(cmac, keyId); if (ret != 0) { printf("Failed to wh_Client_SetKeyIdAes %d\n", ret); goto exit; @@ -1460,7 +1461,7 @@ int wh_DemoClient_CryptoCmacOneshotImport(whClientContext* clientContext) /* verify the cmac tag using the special HSM oneshot function * wh_Client_AesCmacVerify which is required for pre cached keys */ - ret = wh_Client_AesCmacVerify(cmac, tag, sizeof(tag), (byte*)message, + ret = wh_Client_CmacAesVerify(cmac, tag, sizeof(tag), (byte*)message, sizeof(message), keyId, NULL); if (ret != 0) { printf("CMAC hash and verify oneshot failed with imported key %d\n", ret); @@ -1472,5 +1473,5 @@ int wh_DemoClient_CryptoCmacOneshotImport(whClientContext* clientContext) (void)wc_CmacFree(cmac); return ret; } -#endif /* WOLFSSL_CMAC */ +#endif /* WOLFSSL_CMAC && !NO_AES */ diff --git a/demo/client/wh_demo_client_crypto.h b/demo/client/wh_demo_client_crypto.h index c21d9bf..7c56494 100644 --- a/demo/client/wh_demo_client_crypto.h +++ b/demo/client/wh_demo_client_crypto.h 
@@ -12,17 +12,17 @@ int wh_DemoClient_CryptoCurve25519(whClientContext* clientContext); int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext); #endif /* HAVE_CURVE25519 */ -#if !defined(NO_ECC) && defined(HAVE_ECC) +#if defined(HAVE_ECC) int wh_DemoClient_CryptoEcc(whClientContext* clientContext); int wh_DemoClient_CryptoEccImport(whClientContext* clientContext); #endif /* !NO_ECC && HAVE_ECC */ -#if !defined(NO_AES) && defined(HAVE_AES) +#if !defined(NO_AES) && defined(HAVE_AES_CBC) int wh_DemoClient_CryptoAesCbc(whClientContext* clientContext); int wh_DemoClient_CryptoAesCbcImport(whClientContext* clientContext); #endif /* !NO_AES && HAVE_AES */ -#if !defined(NO_AES) && defined(HAVE_AES) && defined(HAVE_AESGCM) +#if !defined(NO_AES) && defined(HAVE_AESGCM) int wh_DemoClient_CryptoAesGcm(whClientContext* clientContext); int wh_DemoClient_CryptoAesGcmImport(whClientContext* clientContext); #endif /* !NOAES && HAVE_AES && HAVE_ASEGCM */ diff --git a/demo/client/wh_demo_client_keystore.c b/demo/client/wh_demo_client_keystore.c index 327b426..ecbac7c 100644 --- a/demo/client/wh_demo_client_keystore.c +++ b/demo/client/wh_demo_client_keystore.c @@ -1,20 +1,24 @@ -#include "wh_demo_client_keystore.h" - +#include #include #include + +#include "wolfhsm/wh_client.h" +#include "wolfhsm/wh_client_crypto.h" +#include "wolfhsm/wh_error.h" + #include "wolfssl/wolfcrypt/settings.h" #include "wolfssl/wolfcrypt/aes.h" #include "wolfssl/wolfcrypt/random.h" -#include "wolfhsm/wh_client.h" -#include "wolfhsm/wh_error.h" + +#include "wh_demo_client_keystore.h" int wh_DemoClient_KeystoreBasic(whClientContext* clientContext) { int ret; - uint8_t key[AES_128_KEY_SIZE] = "0123456789abcdef"; - uint8_t label[] = "my secret key"; - uint16_t keyId = WH_KEYID_ERASED; + uint8_t key[] = "0123456789abcdef"; + uint8_t label[] = "my secret key"; + uint16_t keyId = WH_KEYID_ERASED; /* Cache the key in the HSM */ ret = wh_Client_KeyCache(clientContext, 0, label, sizeof(label), key, 
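Review bot: The `#endif` trailers in this header hunk still describe the old conditions (`/* !NO_ECC && HAVE_ECC */`, `/* !NO_AES && HAVE_AES */`, `/* !NOAES && HAVE_AES && HAVE_ASEGCM */`) after the `#if` lines were changed. Update them to match the new guards: `#endif /* HAVE_ECC */`, `#endif /* !NO_AES && HAVE_AES_CBC */`, `#endif /* !NO_AES && HAVE_AESGCM */`. Stale guard comments in a feature-gated crypto header make it easy to misjudge which algorithms a given configuration exposes.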
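Review bot: Dropping the explicit bound in `uint8_t key[] = "0123456789abcdef";` makes `key` 17 bytes, because the string literal's terminating NUL now becomes part of the array. Every `sizeof(key)` then describes a 17-byte key; this is visible in `exportKey[sizeof(key)]` in the `@@ -49,7 +53,7` hunk, which has the same change, and presumably applies to the `wh_Client_KeyCache` call that continues past the end of this hunk. If the intent was only to stop depending on `AES_128_KEY_SIZE`, keep the length fixed with `uint8_t key[16] = "0123456789abcdef";` in both functions so that exactly 16 key bytes are cached, exported and compared.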
@@ -49,7 +53,7 @@ int wh_DemoClient_KeystoreCommitKey(whClientContext* clientContext) { int ret; uint16_t keyId = WH_KEYID_ERASED; - uint8_t key[AES_128_KEY_SIZE] = "0123456789abcdef"; + uint8_t key[ ] = "0123456789abcdef"; uint8_t label[] = "my secret key"; uint8_t exportKey[sizeof(key)] = {0}; uint8_t exportLabel[sizeof(label)] = {0}; @@ -116,7 +120,7 @@ int wh_DemoClient_KeystoreCommitKey(whClientContext* clientContext) return WH_ERROR_OK; } - +#ifndef NO_AES int wh_DemoClient_KeystoreAes(whClientContext* clientContext) { int ret; @@ -163,7 +167,7 @@ int wh_DemoClient_KeystoreAes(whClientContext* clientContext) } /* set AES context to use the cached key */ - ret = wh_Client_SetKeyIdAes(&aes, keyId); + ret = wh_Client_AesSetKeyId(&aes, keyId); if (ret != 0) { printf("Failed to set key: %d\n", ret); return ret; @@ -216,7 +220,7 @@ int wh_DemoClient_KeystoreAes(whClientContext* clientContext) printf("Failed to initialize AES: %d\n", ret); return ret; } - ret = wh_Client_SetKeyIdAes(&aes, keyId); + ret = wh_Client_AesSetKeyId(&aes, keyId); if (ret != 0) { printf("Failed to set key: %d\n", ret); return ret; @@ -252,7 +256,7 @@ int wh_DemoClient_KeystoreAes(whClientContext* clientContext) } /* Key was erased, so should be unusable */ - (void)wh_Client_SetKeyIdAes(&aes, keyId); + (void)wh_Client_AesSetKeyId(&aes, keyId); ret = wc_AesCbcEncrypt(&aes, cipherText, plainText, sizeof(plainText)); if (ret != WH_ERROR_NOTFOUND) { printf("Key should not be found: instead got %d\n", ret); @@ -264,3 +268,5 @@ int wh_DemoClient_KeystoreAes(whClientContext* clientContext) return WH_ERROR_OK; } +#endif /* !NO_AES */ + diff --git a/posix/tcp/wh_client_tcp/Makefile b/posix/tcp/wh_client_tcp/Makefile index 091bb84..b3f0dfd 100644 --- a/posix/tcp/wh_client_tcp/Makefile +++ b/posix/tcp/wh_client_tcp/Makefile 
@@ -37,7 +37,7 @@ LDFLAGS ?= $(ARCHFLAGS) LIBS = -lc -lm # Optimization level and place functions / data into separate sections to allow dead code removal -CFLAGS += -O0 -ffunction-sections -fdata-sections +CFLAGS += -O3 -ffunction-sections -fdata-sections #-fstrict-volatile-bitfields #-fno-builtin # Remove unused sections and link time optimizations @@ -63,7 +63,7 @@ SRC_C += $(wildcard $(WOLFSSL_DIR)/wolfcrypt/test/*.c) SRC_C += $(wildcard $(WOLFSSL_DIR)/wolfcrypt/benchmark/*.c) #wolfSSL source files -SRC_C += $(wildcard $(WOLFSSL_DIR)/src/*.c) +#SRC_C += $(wildcard $(WOLFSSL_DIR)/src/*.c) # wolfHSM source files SRC_C += $(wildcard $(WOLFHSM_DIR)/src/*.c) diff --git a/posix/tcp/wh_client_tcp/user_settings.h b/posix/tcp/wh_client_tcp/user_settings.h index 8d507bd..8c8066f 100644 --- a/posix/tcp/wh_client_tcp/user_settings.h +++ b/posix/tcp/wh_client_tcp/user_settings.h @@ -6,20 +6,26 @@ /* wolfHSM Required */ #define WOLF_CRYPTO_CB #define HAVE_ANONYMOUS_INLINE_AGGREGATES 1 +#define WOLFCRYPT_ONLY /* Optional if debugging cryptocb's */ -#define DEBUG_CRYPTOCB -#define DEBUG_CRYPTOCB_VERBOSE +/*#define DEBUG_CRYPTOCB */ +/*#define DEBUG_CRYPTOCB_VERBOSE */ /* Temporarily set this to key export function */ #define WOLFSSL_KEY_GEN -#define HAVE_CURVE25519 -#define HAVE_ECC -#define HAVE_AES + +#define HAVE_AES_CBC #define HAVE_AESGCM #define WOLFSSL_AES_DIRECT #define WOLFSSL_CMAC +/* Curve25519 Options */ +#define HAVE_CURVE25519 + + + + /* Include to ensure clock_gettime is declared for benchmark.c */ #include /* Include to support strcasecmp with POSIX build */ @@ -27,9 +33,17 @@ #if 0 +#define WOLFSSL_AES_DIRECT +#define WOLFSSL_CMAC + +#define HAVE_ECC +#define HAVE_ECC_ENCRYPT +#define HAVE_CURVE25519 + +#define HAVE_HKDF + /* Math library selection. */ -#define USE_FAST_MATH /* Common configuration */ #define WOLFCRYPT_ONLY 
@@ -77,8 +91,6 @@ #define ECC_SHAMIR #define HAVE_SUPPORTED_CURVES -/* Curve25519 Options */ -#define HAVE_CURVE25519 /* DH and DHE Options */ #define HAVE_DH_DEFAULT_PARAMS diff --git a/posix/tcp/wh_client_tcp/wh_client_tcp.c b/posix/tcp/wh_client_tcp/wh_client_tcp.c index 870dbe5..019d1c6 100644 --- a/posix/tcp/wh_client_tcp/wh_client_tcp.c +++ b/posix/tcp/wh_client_tcp/wh_client_tcp.c @@ -48,6 +48,12 @@ static int wh_ClientTask(void* cf) } ret = wh_Client_Init(client, config); + + /* + extern int runtest(void); + runtest(); + return(0); + */ printf("Client connecting to server...\n"); if (ret != 0) { diff --git a/posix/tcp/wh_client_tcp/wolfhsm_cfg.h b/posix/tcp/wh_client_tcp/wolfhsm_cfg.h index 93c3f67..9b7a724 100644 --- a/posix/tcp/wh_client_tcp/wolfhsm_cfg.h +++ b/posix/tcp/wh_client_tcp/wolfhsm_cfg.h @@ -29,7 +29,6 @@ /** wolfHSM settings */ /* #define WOLFHSM_CFG_NO_CRYPTO */ #define WOLFHSM_CFG_SHE_EXTENSION - #define WOLFHSM_CFG_COMM_DATA_LEN 1280 #endif /* WOLFHSM_CFG_H_ */ diff --git a/posix/tcp/wh_server_tcp/Makefile b/posix/tcp/wh_server_tcp/Makefile index c27c9ee..7d56527 100644 --- a/posix/tcp/wh_server_tcp/Makefile +++ b/posix/tcp/wh_server_tcp/Makefile @@ -35,7 +35,7 @@ LDFLAGS ?= $(ARCHFLAGS) LIBS = -lc -lm # Optimization level and place functions / data into separate sections to allow dead code removal -CFLAGS += -O0 -ffunction-sections -fdata-sections +CFLAGS += -O3 -ffunction-sections -fdata-sections #-fstrict-volatile-bitfields #-fno-builtin # Remove unused sections and link time optimizations diff --git a/posix/tcp/wh_server_tcp/user_settings.h b/posix/tcp/wh_server_tcp/user_settings.h index 114b1e9..362a4fa 100644 --- a/posix/tcp/wh_server_tcp/user_settings.h +++ b/posix/tcp/wh_server_tcp/user_settings.h 
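Review bot: The commented-out `runtest()` block added to wh_ClientTask in the `@@ -48,6 +48,12` hunk is leftover debug scaffolding and should be deleted before this leaves WIP. It sits between `ret = wh_Client_Init(client, config);` and the `if (ret != 0)` that checks that result, so if it were re-enabled as written, its `return(0);` would report success without ever examining the init result. If a self-test hook is wanted, put it behind a named build option after the init check. The rest of wh_ClientTask lies outside the hunk.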
@@ -2,12 +2,15 @@ #define USER_SETTINGS_H /* Server wolfSSL settings */ +/* wolfHSM Required */ +#define WOLF_CRYPTO_CB #define HAVE_ANONYMOUS_INLINE_AGGREGATES 1 -/* Common configuration */ #define WOLFCRYPT_ONLY -/* #define BIG_ENDIAN_ORDER */ -#define WOLF_CRYPTO_CB + +/* #define DEBUG_CRYPTOCB */ +/* #define DEBUG_CRYPTOCB_VERBOSE */ + /* Key gen is currently required on the server */ #define WOLFSSL_KEY_GEN #define SINGLE_THREADED @@ -56,56 +59,10 @@ /* Curve25519 Options */ #define HAVE_CURVE25519 -/* DH and DHE Options */ -#define HAVE_DH_DEFAULT_PARAMS -#define HAVE_FFDHE_2048 - -/* AES Options */ -#define HAVE_AES #define HAVE_AESGCM -#define GCM_TABLE_4BIT -#define WOLFSSL_AES_DIRECT #define HAVE_AES_ECB +#define WOLFSSL_AES_DIRECT #define WOLFSSL_CMAC -/* SHA Options */ -#define NO_SHA -#define HAVE_SHA256 - -/* Composite features */ -#define HAVE_HKDF -#define HAVE_HASHDRBG - -/* Remove unneeded crypto */ -#define NO_DSA -#define NO_RC4 -#define NO_PSK -#define NO_MD4 -#define NO_MD5 -#define NO_DES3 -#define WOLFSSL_NO_SHAKE128 -#define WOLFSSL_NO_SHAKE256 -#define NO_PWDBASED - -/* Disable DH for now */ -#define NO_DH - -/* Cert processing options */ -#define WOLFSSL_ASN_TEMPLATE -#define WOLFSSL_BASE64_ENCODE - -/* TLS features that are not used */ -/* TODO: Check to see if these can be removed */ -#define HAVE_TLS_EXTENSIONS -#define HAVE_ENCRYPT_THEN_MAC - -/* Math library selection. Move to target */ - -#define USE_FAST_MATH - -/* Random inclusions appropriate for POSIX platforms */ -#define HAVE_STRINGS_H - - #endif /*define USER_SETTINGS_H */ diff --git a/posix/tcp/wh_server_tcp/wh_server_tcp.c b/posix/tcp/wh_server_tcp/wh_server_tcp.c index cdee404..4342551 100644 --- a/posix/tcp/wh_server_tcp/wh_server_tcp.c +++ b/posix/tcp/wh_server_tcp/wh_server_tcp.c @@ -10,7 +10,6 @@ #include #include #include -#include #include "wolfhsm/wh_error.h" #include "wolfhsm/wh_comm.h" 
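Review bot: The `@@ -56,56 +59,10` hunk deletes the whole "Remove unneeded crypto" block (`NO_DSA`, `NO_RC4`, `NO_MD4`, `NO_MD5`, `NO_DES3`, `NO_PWDBASED`) together with `NO_SHA` and `NO_DH`. In a user_settings.h build, wolfCrypt generally compiles an algorithm in unless its `NO_*` macro is defined. So unless these are set in the part of the file outside the hunk or on the compiler command line, the server would start building legacy algorithms it did not offer before. For an HSM server example the opt-outs are worth keeping so the exposed algorithm set stays minimal, e.g. retain `#define NO_RC4`, `#define NO_MD4`, `#define NO_MD5`, `#define NO_DES3` and `#define NO_DSA`. Please also confirm that dropping `HAVE_HASHDRBG` leaves the RNG the server seeds from unchanged in the wolfSSL version being targeted.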
@@ -28,7 +27,7 @@ static int wh_ServerTask(void* cf, const char* keyFilePath, int keyId, int clientId); enum { - ONE_MS = 1000, + ONE_MS = 1, FLASH_RAM_SIZE = 1024 * 1024, }; @@ -278,5 +277,16 @@ int main(int argc, char** argv) rc = wh_ServerTask(s_conf, keyFilePath, keyId, clientId); + rc = wc_FreeRng(crypto->rng); + if (rc != 0) { + printf("Failed to wc_FreeRng: %d\n", rc); + return rc; + } + rc = wolfCrypt_Cleanup(); + if (rc != 0) { + printf("Failed to wolfCrypt_Cleanup: %d\n", rc); + return rc; + } + return rc; } diff --git a/posix/tcp/wh_server_tcp/wolfhsm_cfg.h b/posix/tcp/wh_server_tcp/wolfhsm_cfg.h index 2b39f8a..44e0db7 100644 --- a/posix/tcp/wh_server_tcp/wolfhsm_cfg.h +++ b/posix/tcp/wh_server_tcp/wolfhsm_cfg.h @@ -28,7 +28,6 @@ /** wolfHSM settings. Simple overrides to show they work */ /* #define WOLFHSM_CFG_NO_CRYPTO */ #define WOLFHSM_CFG_SHE_EXTENSION - #define WOLFHSM_CFG_COMM_DATA_LEN 1280 #define WOLFHSM_CFG_NVM_OBJECT_COUNT 32 From a53694011517c9258f4bc3b5cec5a7f8e3dca4a5 Mon Sep 17 00:00:00 2001 From: Brett Nicholas <7547222+bigbrett@users.noreply.github.com> Date: Mon, 7 Oct 2024 14:07:30 -0600 Subject: [PATCH 02/18] added missing re-set of AES IV --- demo/client/wh_demo_client_keystore.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/demo/client/wh_demo_client_keystore.c b/demo/client/wh_demo_client_keystore.c index ecbac7c..dcff181 100644 --- a/demo/client/wh_demo_client_keystore.c +++ b/demo/client/wh_demo_client_keystore.c @@ -188,6 +188,13 @@ int wh_DemoClient_KeystoreAes(whClientContext* clientContext) } printf("Encryption successful\n"); + /* Re-set the IV, as the CBC operation will overwrite it */ + ret = wc_AesSetIV(&aes, iv); + if (ret != 0) { + printf("Failed to set IV: %d\n", ret); + return ret; + } + /* Decrypt the ciphertext */ ret = wc_AesCbcDecrypt(&aes, decryptedText, cipherText, sizeof(cipherText)); if (ret != 0) { 
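Review bot: `ONE_MS = 1` no longer means what its name says. The use site is outside this hunk, but if the constant is passed to a microsecond sleep in the server loop, as the old value of 1000 suggests, the idle wait drops from 1 ms to 1 µs and the loop becomes close to a busy-wait. Either keep `ONE_MS = 1000,` or rename the constant to state its unit and add a comment explaining why the shorter delay is wanted.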
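Review bot: In the `@@ -278,5 +277,16` hunk, `rc = wc_FreeRng(crypto->rng);` overwrites the result of `wh_ServerTask`, so a failed server task followed by a clean teardown makes `main` exit with 0. The early `return rc;` on a `wc_FreeRng` failure also skips `wolfCrypt_Cleanup()`. Run both cleanup steps unconditionally and keep the first non-zero code, as sketched below. The start of `main` is outside the hunk.

```c
    rc = wh_ServerTask(s_conf, keyFilePath, keyId, clientId);

    /* Run both cleanup steps unconditionally; keep the first failure code */
    int cleanupRc = wc_FreeRng(crypto->rng);
    if (cleanupRc != 0) {
        printf("Failed to wc_FreeRng: %d\n", cleanupRc);
        if (rc == 0) {
            rc = cleanupRc;
        }
    }
    cleanupRc = wolfCrypt_Cleanup();
    if (cleanupRc != 0) {
        printf("Failed to wolfCrypt_Cleanup: %d\n", cleanupRc);
        if (rc == 0) {
            rc = cleanupRc;
        }
    }

    return rc;
```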
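Review bot: The `return ret;` added after `wc_AesSetIV` in the `@@ -188,6 +188,13` hunk leaves wh_DemoClient_KeystoreAes before the later `/* Evict the key from the HSM */` step, so a failure here leaves the demo key cached on the server. The same applies to the second `wc_AesSetIV` check in `@@ -235,6 +243,11` and to the `return -1;` lines added in `@@ -202,6 +209,7` and `@@ -245,6 +258,7`, the last of which returns before the erase step that follows it. Route these failures through a single cleanup label that evicts or erases `keyId` and frees `aes` before returning. The bare `-1` would also be better as a named wolfHSM error code, since the function otherwise returns `WH_ERROR_OK`. The function body extends beyond these hunks, and the existing error paths visible as context already return directly in the same way.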
@@ -202,6 +209,7 @@ int wh_DemoClient_KeystoreAes(whClientContext* clientContext) } else { printf("Decryption does not match original plaintext\n"); + return -1; } /* Evict the key from the HSM */ @@ -235,6 +243,11 @@ int wh_DemoClient_KeystoreAes(whClientContext* clientContext) printf("Failed to encrypt: %d\n", ret); return ret; } + ret = wc_AesSetIV(&aes, iv); + if (ret != 0) { + printf("Failed to set IV: %d\n", ret); + return ret; + } ret = wc_AesCbcDecrypt(&aes, decryptedText, cipherText, sizeof(cipherText)); if (ret != 0) { printf("Failed to decrypt: %d\n", ret); @@ -245,6 +258,7 @@ int wh_DemoClient_KeystoreAes(whClientContext* clientContext) } else { printf("Decryption does not match original plaintext\n"); + return -1; } /* Erase the key from the HSM key storage. Its keyId will no longer be From b56dd6c7c1b4cd62b040f4a75341b6631042244f Mon Sep 17 00:00:00 2001 From: Brett Nicholas <7547222+bigbrett@users.noreply.github.com> Date: Mon, 7 Oct 2024 16:14:27 -0600 Subject: [PATCH 03/18] v1.0 rsa fixes --- demo/client/.wh_demo_client_crypto.c.swp | Bin 0 -> 4096 bytes demo/client/wh_demo_client_crypto.c | 29 +++++++++-------------- 2 files changed, 11 insertions(+), 18 deletions(-) create mode 100644 demo/client/.wh_demo_client_crypto.c.swp diff --git a/demo/client/.wh_demo_client_crypto.c.swp b/demo/client/.wh_demo_client_crypto.c.swp new file mode 100644 index 0000000000000000000000000000000000000000..e5d14c6ac3cdc59bccdd2a4ac3418ba9aa652137 GIT binary patch literal 4096 zcmeIuOACTP5C`xLgib-!Ij}n0__%cMK@pOmb`{;G2Wl?6g7r!Ix+z_}NcWgI?SCFD z{1WrDclG7MW_1l2d-t{L#L`#_J(fr;%clRM)*Js296e*@IKkHPI=3Nzl)xcWC>1Dy zRR&cdQzc@KAW;;m&e>(>y9PevTx6)=jClb(yJLM?-J&K&-xzWE5@oUAo&V8*1W2GQ lFkp^tnN4Rto9g3H*dEfG1W14cNPq-LfCNZ@1W4e|1wJ}FEt>!U literal 0 HcmV?d00001 diff --git a/demo/client/wh_demo_client_crypto.c b/demo/client/wh_demo_client_crypto.c index 3b9345b..75a53c3 100644 --- a/demo/client/wh_demo_client_crypto.c +++ b/demo/client/wh_demo_client_crypto.c 
@@ -49,8 +49,7 @@ int wh_DemoClient_CryptoRsa(whClientContext* clientContext) { int ret = 0; - int needEvict = 0; - whKeyId keyId = WH_KEYID_ERASED; + int encSz = 0; const char plainString[] = "The quick brown fox jumps over the lazy dog."; byte plainText[256]; byte cipherText[256]; @@ -80,23 +79,24 @@ int wh_DemoClient_CryptoRsa(whClientContext* clientContext) printf("Failed to wc_MakeRsaKey %d\n", ret); goto exit; } - needEvict = 1; /* encrypt the plaintext */ - ret = wc_RsaPublicEncrypt(plainText, sizeof(plainString), cipherText, + encSz = ret = wc_RsaPublicEncrypt(plainText, sizeof(plainString), cipherText, sizeof(cipherText), rsa, rng); if (ret < 0) { printf("Failed to wc_RsaPublicEncrypt %d\n", ret); goto exit; } + ret = 0; /* decrypt the ciphertext */ - ret = wc_RsaPrivateDecrypt(cipherText, ret, plainText, sizeof(plainText), + ret = wc_RsaPrivateDecrypt(cipherText, encSz, plainText, sizeof(plainText), rsa); if (ret < 0) { printf("Failed to wc_RsaPrivateDecrypt %d\n", ret); goto exit; } + ret = 0; /* verify the decryption output */ if (memcmp(plainText, plainString, sizeof(plainString)) != 0) { @@ -105,25 +105,16 @@ int wh_DemoClient_CryptoRsa(whClientContext* clientContext) } else printf("RSA Decryption matches original plaintext\n"); + exit: (void)wc_FreeRng(rng); - if (needEvict) { - ret = wh_Client_RsaGetKeyId(rsa, &keyId); - if (ret != 0) { - printf("Failed to wh_Client_GetKeyIdRsa %d\n", ret); - return ret; - } - ret = wh_Client_KeyEvict(clientContext, keyId); - if (ret != 0) { - printf("Failed to wh_Client_KeyEvict %d\n", ret); - } - } return ret; } int wh_DemoClient_CryptoRsaImport(whClientContext* clientContext) { int ret = 0; + int encSz = 0; int keyFd; int keySz; int needEvict = 0; 
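Review bot: In the `@@ -80,23 +79,24` hunk, `ret = 0;` after `wc_RsaPrivateDecrypt` throws away the decrypted length, and the decrypt writes into `plainText`, the same buffer that supplied the input to `wc_RsaPublicEncrypt`. The `memcmp(plainText, plainString, sizeof(plainString))` that follows would therefore still pass if the HSM-backed decrypt reported success without writing the expected bytes. Decrypt into a separate zeroed buffer and check the length before clearing `ret`, e.g. `if (ret != (int)sizeof(plainString)) { ret = -1; goto exit; }`. The same pattern is in wh_DemoClient_CryptoRsaImport in the `@@ -187,20 +178,22` hunk.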
@@ -187,20 +178,22 @@ int wh_DemoClient_CryptoRsaImport(whClientContext* clientContext) } /* encrypt the plaintext */ - ret = wc_RsaPublicEncrypt(plainText, sizeof(plainString), cipherText, + encSz = ret = wc_RsaPublicEncrypt(plainText, sizeof(plainString), cipherText, sizeof(cipherText), rsa, rng); if (ret < 0) { printf("Failed to wc_RsaPublicEncrypt %d\n", ret); goto exit; } + ret = 0; /* decrypt the ciphertext */ - ret = wc_RsaPrivateDecrypt(cipherText, ret, plainText, sizeof(plainText), + ret = wc_RsaPrivateDecrypt(cipherText, encSz, plainText, sizeof(plainText), rsa); if (ret < 0) { printf("Failed to wc_RsaPrivateDecrypt %d\n", ret); goto exit; } + ret = 0; /* verify the decryption output */ if (memcmp(plainText, plainString, sizeof(plainString)) != 0) { From 598576bd4eac07441f5a99b09ab126701ab688b2 Mon Sep 17 00:00:00 2001 From: Brett Nicholas <7547222+bigbrett@users.noreply.github.com> Date: Mon, 7 Oct 2024 16:15:06 -0600 Subject: [PATCH 04/18] remove erroneously committed file --- demo/client/.wh_demo_client_crypto.c.swp | Bin 4096 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 demo/client/.wh_demo_client_crypto.c.swp diff --git a/demo/client/.wh_demo_client_crypto.c.swp b/demo/client/.wh_demo_client_crypto.c.swp deleted file mode 100644 index e5d14c6ac3cdc59bccdd2a4ac3418ba9aa652137..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 4096 zcmeIuOACTP5C`xLgib-!Ij}n0__%cMK@pOmb`{;G2Wl?6g7r!Ix+z_}NcWgI?SCFD z{1WrDclG7MW_1l2d-t{L#L`#_J(fr;%clRM)*Js296e*@IKkHPI=3Nzl)xcWC>1Dy zRR&cdQzc@KAW;;m&e>(>y9PevTx6)=jClb(yJLM?-J&K&-xzWE5@oUAo&V8*1W2GQ lFkp^tnN4Rto9g3H*dEfG1W14cNPq-LfCNZ@1W4e|1wJ}FEt>!U From 4d80df81e5bfbf0b9d1351554daed57ef5cd482f Mon Sep 17 00:00:00 2001 
From: Brett Nicholas <7547222+bigbrett@users.noreply.github.com> Date: Tue, 8 Oct 2024 11:24:36 -0600 Subject: [PATCH 05/18] some curve25519 fixes - import demo still fails --- demo/client/wh_demo_client_crypto.c | 35 ++++------------------------- 1 file changed, 4 insertions(+), 31 deletions(-) diff --git a/demo/client/wh_demo_client_crypto.c b/demo/client/wh_demo_client_crypto.c index 75a53c3..1d17e8d 100644 --- a/demo/client/wh_demo_client_crypto.c +++ b/demo/client/wh_demo_client_crypto.c @@ -218,10 +218,7 @@ int wh_DemoClient_CryptoRsaImport(whClientContext* clientContext) int wh_DemoClient_CryptoCurve25519(whClientContext* clientContext) { int ret = 0; - int needEvictPriv = 0; - int needEvictPub = 0; word32 outLen; - whKeyId keyId = WH_KEYID_ERASED; uint8_t sharedOne[CURVE25519_KEYSIZE]; uint8_t sharedTwo[CURVE25519_KEYSIZE]; curve25519_key curve25519PrivateKey[1]; @@ -255,14 +252,12 @@ int wh_DemoClient_CryptoCurve25519(whClientContext* clientContext) printf("Failed to wc_curve25519_init_ex %d\n", ret); goto exit; } - needEvictPriv = 1; ret = wc_curve25519_make_key(rng, CURVE25519_KEYSIZE, curve25519PublicKey); if (ret != 0) { printf("Failed to wc_curve25519_init_ex %d\n", ret); goto exit; } - needEvictPub = 1; /* generate shared secrets from both perspectives */ outLen = sizeof(sharedOne); 
@@ -295,28 +290,6 @@ int wh_DemoClient_CryptoCurve25519(whClientContext* clientContext) } exit: (void)wc_FreeRng(rng); - if (needEvictPriv) { - ret = wh_Client_Curve25519GetKeyId(curve25519PrivateKey, &keyId); - if (ret != 0) { - printf("Failed to wh_Client_GetKeyIdRsa %d\n", ret); - return ret; - } - ret = wh_Client_KeyEvict(clientContext, keyId); - if (ret != 0) { - printf("Failed to wh_Client_KeyEvict %d\n", ret); - } - } - if (needEvictPub) { - ret = wh_Client_Curve25519GetKeyId(curve25519PublicKey, &keyId); - if (ret != 0) { - printf("Failed to wh_Client_GetKeyIdRsa %d\n", ret); - return ret; - } - ret = wh_Client_KeyEvict(clientContext, keyId); - if (ret != 0) { - printf("Failed to wh_Client_KeyEvict %d\n", ret); - } - } return ret; } @@ -375,7 +348,7 @@ int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext) /* set the assigned keyId */ ret = wh_Client_Curve25519SetKeyId(curve25519PrivateKey, keyIdPrivBob); if (ret != 0) { - printf("Failed to wh_Client_SetKeyIdRsa %d\n", ret); + printf("Failed to wh_Client_Curve25519SetKeyId %d\n", ret); goto exit; } @@ -413,7 +386,7 @@ int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext) /* set the assigned keyId */ ret = wh_Client_Curve25519SetKeyId(curve25519PublicKey, keyIdPubAlice); if (ret != 0) { - printf("Failed to wh_Client_SetKeyIdRsa %d\n", ret); + printf("Failed to wh_Client_Curve25519SetKeyId %d\n", ret); goto exit; } @@ -464,7 +437,7 @@ int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext) /* set the assigned keyId */ ret = wh_Client_Curve25519SetKeyId(curve25519PrivateKey, keyIdPrivAlice); if (ret != 0) { - printf("Failed to wh_Client_SetKeyIdRsa %d\n", ret); + printf("Failed to wh_Client_Curve25519SetKeyId %d\n", ret); goto exit; } 
@@ -502,7 +475,7 @@ int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext) /* set the assigned keyId */ ret = wh_Client_Curve25519SetKeyId(curve25519PublicKey, keyIdPubBob); if (ret != 0) { - printf("Failed to wh_Client_SetKeyIdRsa %d\n", ret); + printf("Failed to wh_Client_Curve25519SetKeyId %d\n", ret); goto exit; } From dab2887cedeff33e2044da5d9634e2a8a7ee177e Mon Sep 17 00:00:00 2001 From: Brett Nicholas <7547222+bigbrett@users.noreply.github.com> Date: Tue, 29 Oct 2024 16:53:11 -0600 Subject: [PATCH 06/18] updated curve25519 demo to use new DER cert parsing --- demo/certs/curve25519_keyAlice.der | Bin 0 -> 82 bytes demo/certs/curve25519_keyBob.der | Bin 0 -> 82 bytes demo/client/wh_demo_client_crypto.c | 183 +++++----------------------- 3 files changed, 31 insertions(+), 152 deletions(-) create mode 100644 demo/certs/curve25519_keyAlice.der create mode 100644 demo/certs/curve25519_keyBob.der diff --git a/demo/certs/curve25519_keyAlice.der b/demo/certs/curve25519_keyAlice.der new file mode 100644 index 0000000000000000000000000000000000000000..f525a4b8f03a0696a0466e82d6d365625ccc1567 GIT binary patch literal 82 zcmV-Y0ImNpPyzt}Fa-t!D`jp3A_O37Cw#aTBS8-Lv_)UipAN${D#Y~cEOsP=icLiY o61aGQAQw=vWtZvAWIIFf$s9aif!*i1hZQUYuNn+$5)bnBP*Wftw*UYD literal 0 HcmV?d00001 diff --git a/demo/certs/curve25519_keyBob.der b/demo/certs/curve25519_keyBob.der new file mode 100644 index 0000000000000000000000000000000000000000..d444d729e89fcfaad1ae503ed8badc514f5ef9d0 GIT binary patch literal 82 zcmV-Y0ImNpPyzt}Fa-t!D`jp3A_O3L3G)mzJH|n>Gt6+i@WtD{r@BM>%7?HTz=+s>Ps~VTCbr*`MVg?*IS* literal 0 HcmV?d00001 diff --git a/demo/client/wh_demo_client_crypto.c b/demo/client/wh_demo_client_crypto.c index 1d17e8d..bd2573e 100644 --- a/demo/client/wh_demo_client_crypto.c +++ b/demo/client/wh_demo_client_crypto.c 
@@ -299,70 +299,61 @@ int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext) int keyFd; int keySz; word32 outLen; - whKeyId keyIdPrivBob = WH_KEYID_ERASED; - whKeyId keyIdPubAlice = WH_KEYID_ERASED; - whKeyId keyIdPrivAlice = WH_KEYID_ERASED; - whKeyId keyIdPubBob = WH_KEYID_ERASED; - char privKeyFileBob[] = "../../../demo/certs/curve25519-private-bob.raw"; - char pubKeyFileAlice[] = "../../../demo/certs/curve25519-public-alice.raw"; - char privKeyFileAlice[] = "../../../demo/certs/curve25519-private-alice.raw"; - char pubKeyFileBob[] = "../../../demo/certs/curve25519-public-bob.raw"; + whKeyId keyIdBob = WH_KEYID_ERASED; + whKeyId keyIdAlice = WH_KEYID_ERASED; + char keyPairFileBob[] = "../../../demo/certs/curve25519_keyBob.der"; + char keyPairFileAlice[] = "../../../demo/certs/curve25519_keyAlice.der"; char keyLabel[] = "baby's first key"; uint8_t keyBuf[256]; uint8_t sharedOne[CURVE25519_KEYSIZE]; uint8_t sharedTwo[CURVE25519_KEYSIZE]; - curve25519_key curve25519PrivateKey[1]; - curve25519_key curve25519PublicKey[1]; - /* open the first private curve25519 key */ - ret = keyFd = open(privKeyFileBob, O_RDONLY, 0); + curve25519_key aliceKey[1]; + curve25519_key bobKey[1]; + + /* open Bob's key pair file and read it into a local buffer */ + ret = keyFd = open(keyPairFileBob, O_RDONLY, 0); if (ret < 0) { - printf("Failed to open %s %d\n", privKeyFileBob, ret); + printf("Failed to open %s %d\n", keyPairFileBob, ret); goto exit; } - - /* read the first private key to local buffer */ ret = keySz = read(keyFd, keyBuf, sizeof(keyBuf)); if (ret < 0) { - printf("Failed to read %s %d\n", privKeyFileBob, ret); - close(keyFd); goto exit; } close(keyFd); + /* cache the key in the HSM, get HSM assigned keyId */ ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel, - strlen(keyLabel), keyBuf, keySz, &keyIdPrivBob); + strlen(keyLabel), keyBuf, keySz, &keyIdBob); if (ret != 0) { printf("Failed to wh_Client_KeyCache %d\n", ret); goto exit; } - /* 
initialize the private key */ - ret = wc_curve25519_init_ex(curve25519PrivateKey, NULL, WH_DEV_ID); + /* initialize the wolfCrypt struct to use the cached key */ + ret = wc_curve25519_init_ex(bobKey, NULL, WH_DEV_ID); if (ret != 0) { printf("Failed to wc_curve25519_init_ex %d\n", ret); goto exit; } - - /* set the assigned keyId */ - ret = wh_Client_Curve25519SetKeyId(curve25519PrivateKey, keyIdPrivBob); + ret = wh_Client_Curve25519SetKeyId(bobKey, keyIdBob); if (ret != 0) { printf("Failed to wh_Client_Curve25519SetKeyId %d\n", ret); goto exit; } - /* open the first public curve25519 key */ - ret = keyFd = open(pubKeyFileAlice, O_RDONLY, 0); + + /* open Alice's key pair file and read it into a local buffer */ + ret = keyFd = open(keyPairFileAlice, O_RDONLY, 0); if (ret < 0) { - printf("Failed to open %s %d\n", pubKeyFileAlice, ret); + printf("Failed to open %s %d\n", keyPairFileAlice, ret); goto exit; } - - /* read the first public key to local buffer */ ret = keySz = read(keyFd, keyBuf, sizeof(keyBuf)); if (ret < 0) { - printf("Failed to read %s %d\n", pubKeyFileAlice, ret); + printf("Failed to read %s %d\n", keyPairFileAlice, ret); close(keyFd); goto exit; } 
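Review bot: The read-failure branch for Bob's key file now jumps to `exit` without closing `keyFd` and without printing anything, because this hunk drops both the `printf` and the `close(keyFd);` that used to sit there; Alice's branch further down still has both. Restore the two lines before the `goto exit;`, i.e. `printf("Failed to read %s %d\n", keyPairFileBob, ret);` and `close(keyFd);`. A zero-length `read` is also passed straight on to `wh_Client_KeyCache` as `keySz`, so a check such as `if (keySz == 0)` would reject an empty key file before it reaches the HSM. The function body starts and ends outside this hunk.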
@@ -370,21 +361,19 @@ int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext) /* cache the key in the HSM, get HSM assigned keyId */ ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel, - strlen(keyLabel), keyBuf, keySz, &keyIdPubAlice); + strlen(keyLabel), keyBuf, keySz, &keyIdAlice); if (ret != 0) { printf("Failed to wh_Client_KeyCache %d\n", ret); goto exit; } - /* initialize the public key */ - ret = wc_curve25519_init_ex(curve25519PublicKey, NULL, WH_DEV_ID); + /* initialize the wolfCrypt struct to use the cached key */ + ret = wc_curve25519_init_ex(aliceKey, NULL, WH_DEV_ID); if (ret != 0) { printf("Failed to wc_curve25519_init_ex %d\n", ret); goto exit; } - - /* set the assigned keyId */ - ret = wh_Client_Curve25519SetKeyId(curve25519PublicKey, keyIdPubAlice); + ret = wh_Client_Curve25519SetKeyId(aliceKey, keyIdAlice); if (ret != 0) { printf("Failed to wh_Client_Curve25519SetKeyId %d\n", ret); goto exit; 
@@ -392,135 +381,25 @@ int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext) /* generate shared secret from perspective one */ outLen = sizeof(sharedOne); - ret = wc_curve25519_shared_secret(curve25519PrivateKey, curve25519PublicKey, + ret = wc_curve25519_shared_secret(bobKey, aliceKey, sharedOne, (word32*)&outLen); if (ret != 0) { printf("Failed to wc_curve25519_shared_secret %d\n", ret); goto exit; } - /* free the key structs */ - wc_curve25519_free(curve25519PrivateKey); - wc_curve25519_free(curve25519PublicKey); - - /* open the second private curve25519 key */ - ret = keyFd = open(privKeyFileAlice, O_RDONLY, 0); - if (ret < 0) { - printf("Failed to open %s %d\n", privKeyFileAlice, ret); - goto exit; - } - - /* read the second private key to local buffer */ - ret = keySz = read(keyFd, keyBuf, sizeof(keyBuf)); - if (ret < 0) { - printf("Failed to read %s %d\n", privKeyFileAlice, ret); - close(keyFd); - goto exit; - } - close(keyFd); - - /* cache the key in the HSM, get HSM assigned keyId */ - ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel, - strlen(keyLabel), keyBuf, keySz, &keyIdPrivAlice); - if (ret != 0) { - printf("Failed to wh_Client_KeyCache %d\n", ret); - goto exit; - } - - /* initialize the private key */ - ret = wc_curve25519_init_ex(curve25519PrivateKey, NULL, WH_DEV_ID); - if (ret != 0) { - printf("Failed to wc_curve25519_init_ex %d\n", ret); - goto exit; - } - - /* set the assigned keyId */ - ret = wh_Client_Curve25519SetKeyId(curve25519PrivateKey, keyIdPrivAlice); - if (ret != 0) { - printf("Failed to wh_Client_Curve25519SetKeyId %d\n", ret); - goto exit; - } - - /* open the second public curve25519 key */ - ret = keyFd = open(pubKeyFileBob, O_RDONLY, 0); - if (ret < 0) { - printf("Failed to open %s %d\n", pubKeyFileBob, ret); - goto exit; - } - - /* read the second public key to local buffer */ - ret = keySz = read(keyFd, keyBuf, sizeof(keyBuf)); - if (ret < 0) { - printf("Failed to read %s %d\n", pubKeyFileBob, 
ret); - close(keyFd); - goto exit; - } - close(keyFd); - - /* cache the key in the HSM, get HSM assigned keyId */ - ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel, - strlen(keyLabel), keyBuf, keySz, &keyIdPubBob); - if (ret != 0) { - printf("Failed to wh_Client_KeyCache %d\n", ret); - goto exit; - } - - /* initialize the public key */ - ret = wc_curve25519_init_ex(curve25519PublicKey, NULL, WH_DEV_ID); - if (ret != 0) { - printf("Failed to wc_curve25519_init_ex %d\n", ret); - goto exit; - } - - /* set the assigned keyId */ - ret = wh_Client_Curve25519SetKeyId(curve25519PublicKey, keyIdPubBob); - if (ret != 0) { - printf("Failed to wh_Client_Curve25519SetKeyId %d\n", ret); - goto exit; - } - - /* generate shared secret from perspective two */ - outLen = sizeof(sharedTwo); - ret = wc_curve25519_shared_secret(curve25519PrivateKey, curve25519PublicKey, - sharedTwo, (word32*)&outLen); - if (ret != 0) { - printf("Failed to wc_curve25519_shared_secret %d\n", ret); - goto exit; - } - - if (memcmp(sharedOne, sharedTwo, outLen) != 0) { - printf("CURVE25519 shared secrets don't match with imported keys\n"); - ret = -1; - goto exit; - } - else { - printf("CURVE25519 shared secrets match with imported keys\n"); - } exit: - /* free the key structs */ - wc_curve25519_free(curve25519PrivateKey); - wc_curve25519_free(curve25519PublicKey); + wc_curve25519_free(aliceKey); + wc_curve25519_free(bobKey); - if (keyIdPrivBob != WH_KEYID_ERASED) { - ret = wh_Client_KeyEvict(clientContext, keyIdPrivBob); - if (ret != 0) { - printf("Failed to wh_Client_KeyEvict %d\n", ret); - } - } - if (keyIdPubAlice != WH_KEYID_ERASED) { - ret = wh_Client_KeyEvict(clientContext, keyIdPubAlice); + if (keyIdBob != WH_KEYID_ERASED) { + ret = wh_Client_KeyEvict(clientContext, keyIdBob); if (ret != 0) { printf("Failed to wh_Client_KeyEvict %d\n", ret); } } - if (keyIdPrivAlice != WH_KEYID_ERASED) { - ret = wh_Client_KeyEvict(clientContext, keyIdPrivAlice); - if (ret != 0) { - printf("Failed to 
wh_Client_KeyEvict %d\n", ret); - } - } - if (keyIdPubBob != WH_KEYID_ERASED) { - ret = wh_Client_KeyEvict(clientContext, keyIdPubBob); + if (keyIdAlice != WH_KEYID_ERASED) { + ret = wh_Client_KeyEvict(clientContext, keyIdAlice); if (ret != 0) { printf("Failed to wh_Client_KeyEvict %d\n", ret); } From 12b67e02b190927f73148ec6bd3bfe08f389ff94 Mon Sep 17 00:00:00 2001 From: Brett Nicholas <7547222+bigbrett@users.noreply.github.com> Date: Fri, 1 Nov 2024 10:30:29 -0600 Subject: [PATCH 07/18] replace deprecated usleep with POSIX compliant nanosleep --- posix/tcp/wh_client_tcp/wh_client_tcp.c | 24 +++++++++++++++--------- posix/tcp/wh_server_tcp/Makefile | 2 +- posix/tcp/wh_server_tcp/user_settings.h | 4 ++++ posix/tcp/wh_server_tcp/wh_server_tcp.c | 11 ++++++++++- 4 files changed, 30 insertions(+), 11 deletions(-) diff --git a/posix/tcp/wh_client_tcp/wh_client_tcp.c b/posix/tcp/wh_client_tcp/wh_client_tcp.c index 019d1c6..4db14de 100644 --- a/posix/tcp/wh_client_tcp/wh_client_tcp.c +++ b/posix/tcp/wh_client_tcp/wh_client_tcp.c @@ -5,7 +5,7 @@ #include #include /* For printf */ #include /* For memset, memcpy */ -#include /* For usleep */ +#include /* For nanosleep */ #include "wolfhsm/wh_error.h" #include "wolfhsm/wh_comm.h" @@ -19,11 +19,20 @@ static int wh_ClientTask(void* cf); +static void sleepMs(long milliseconds) +{ + struct timespec req; + req.tv_sec = milliseconds / 1000; + req.tv_nsec = (milliseconds % 1000) * 1000000; + nanosleep(&req, NULL); +} + + enum { REPEAT_COUNT = 10, REQ_SIZE = 32, RESP_SIZE = 64, - ONE_MS = 1000, + ONE_MS = 1, }; #define WH_SERVER_TCP_IPSTRING "127.0.0.1" @@ -49,11 +58,6 @@ static int wh_ClientTask(void* cf) ret = wh_Client_Init(client, config); - /* - extern int runtest(void); - runtest(); - return(0); - */ printf("Client connecting to server...\n"); if (ret != 0) { 
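Review bot: The `exit:` label calls `wc_curve25519_free(aliceKey)` and `wc_curve25519_free(bobKey)` on every path, including the early `goto exit` taken when opening or reading a key file fails, at which point neither struct has been through `wc_curve25519_init_ex`. Both are stack arrays declared without an initializer earlier in the function, so the free would operate on indeterminate memory; whether that is harmless depends on the free routine, which is not visible here. Zero-initialising the declarations (`curve25519_key aliceKey[1] = {0};`, and the same for `bobKey`) or tracking an initialised flag per key would give the cleanup a defined starting state. The declarations and the early exits are outside this hunk.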
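Review bot: `sleepMs` ignores the return value of `nanosleep`, so a signal that interrupts the call ends the wait early, and a negative `milliseconds` would produce a negative `tv_nsec` that `nanosleep` rejects. For a polling delay that is probably acceptable, but a short comment should say so, for example `/* best-effort delay; an early wakeup only means one extra poll */`. The same helper is added a second time in `posix/tcp/wh_server_tcp/wh_server_tcp.c` later in this commit; a single shared definition would keep the two copies from drifting apart.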
@@ -74,7 +78,8 @@ static int wh_ClientTask(void* cf) printf("wh_CLient_EchoRequest failed with ret=%d\n", ret); } } - } while ((ret == WH_ERROR_NOTREADY) && (usleep(ONE_MS)==0)); + sleepMs(ONE_MS); + } while (ret == WH_ERROR_NOTREADY); if (ret != 0) { printf("Client had failure. Exiting\n"); @@ -87,7 +92,8 @@ static int wh_ClientTask(void* cf) do { ret = wh_Client_EchoResponse(client, &rx_resp_len, rx_resp); - } while ((ret == WH_ERROR_NOTREADY) && (usleep(ONE_MS)==0)); + sleepMs(ONE_MS); + } while (ret == WH_ERROR_NOTREADY); if (ret != 0) { printf("Client had failure. Exiting\n"); diff --git a/posix/tcp/wh_server_tcp/Makefile b/posix/tcp/wh_server_tcp/Makefile index 7d56527..3bcf326 100644 --- a/posix/tcp/wh_server_tcp/Makefile +++ b/posix/tcp/wh_server_tcp/Makefile @@ -17,7 +17,7 @@ INC = -I$(WOLFHSM_DIR) \ -I$(WOLFSSL_DIR) \ # Defines -DEF = -DWOLFSSL_USER_SETTINGS -D_GNUC_ -DWOLFHSM_CFG +DEF = -DWOLFSSL_USER_SETTINGS -D_GNUC_ -DWOLFHSM_CFG -D_POSIX_C_SOURCE=200809L # Architecture ARCHFLAGS ?= diff --git a/posix/tcp/wh_server_tcp/user_settings.h b/posix/tcp/wh_server_tcp/user_settings.h index 362a4fa..b842ebf 100644 --- a/posix/tcp/wh_server_tcp/user_settings.h +++ b/posix/tcp/wh_server_tcp/user_settings.h @@ -64,5 +64,9 @@ #define WOLFSSL_AES_DIRECT #define WOLFSSL_CMAC +/* Include to support strcasecmp with POSIX build */ +#include + + #endif /*define USER_SETTINGS_H */ diff --git a/posix/tcp/wh_server_tcp/wh_server_tcp.c b/posix/tcp/wh_server_tcp/wh_server_tcp.c index 4342551..efe4e75 100644 --- a/posix/tcp/wh_server_tcp/wh_server_tcp.c +++ b/posix/tcp/wh_server_tcp/wh_server_tcp.c @@ -6,10 +6,10 @@ #include /* For printf */ #include /* For atoi */ #include /* For memset, memcpy, strcmp */ -#include /* For sleep */ #include #include #include +#include /* For nanosleep */ #include "wolfhsm/wh_error.h" #include "wolfhsm/wh_comm.h" 
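Review bot: `sleepMs(ONE_MS);` now runs on every pass of the `do … while` loop, including the pass on which the echo request has already succeeded or failed for good, whereas the old condition slept only while `ret == WH_ERROR_NOTREADY`. Guarding the call keeps the previous behaviour: `if (ret == WH_ERROR_NOTREADY) sleepMs(ONE_MS);`. The same applies to the `wh_Client_EchoResponse` loop in the next hunk. Both loops begin outside their hunks.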
@@ -20,12 +20,21 @@ #include "wolfhsm/wh_nvm.h" #include "wolfhsm/wh_nvm_flash.h" #include "wolfhsm/wh_flash_ramsim.h" + #include "port/posix/posix_transport_tcp.h" /** Local declarations */ static int wh_ServerTask(void* cf, const char* keyFilePath, int keyId, int clientId); +static void sleepMs(long milliseconds) +{ + struct timespec req; + req.tv_sec = milliseconds / 1000; + req.tv_nsec = (milliseconds % 1000) * 1000000; + nanosleep(&req, NULL); +} + enum { ONE_MS = 1, FLASH_RAM_SIZE = 1024 * 1024, From 1dc3bf79a67448e21c7082b5bf36bca8190f3e03 Mon Sep 17 00:00:00 2001 From: Brett Nicholas <7547222+bigbrett@users.noreply.github.com> Date: Fri, 1 Nov 2024 15:09:08 -0600 Subject: [PATCH 08/18] fix AES cbc and some return values --- demo/client/wh_demo_client_all.c | 2 +- demo/client/wh_demo_client_crypto.c | 58 +++++++++++++++++++++++------ demo/client/wh_demo_client_crypto.h | 2 +- posix/tcp/wh_client_tcp/Makefile | 6 +-- posix/tcp/wh_server_tcp/Makefile | 6 +-- 5 files changed, 54 insertions(+), 20 deletions(-) diff --git a/demo/client/wh_demo_client_all.c b/demo/client/wh_demo_client_all.c index b7c06be..e7034a6 100644 --- a/demo/client/wh_demo_client_all.c +++ b/demo/client/wh_demo_client_all.c @@ -63,7 +63,7 @@ int wh_DemoClient_All(whClientContext* clientContext) return rc; } - rc = wh_DemoClient_CryptoCurve25519Import(clientContext); + rc = wh_DemoClient_CryptoCurve25519ImportDer(clientContext); if (rc != 0) { return rc; } diff --git a/demo/client/wh_demo_client_crypto.c b/demo/client/wh_demo_client_crypto.c index bd2573e..29dc782 100644 --- a/demo/client/wh_demo_client_crypto.c +++ b/demo/client/wh_demo_client_crypto.c @@ -1,4 +1,3 @@ - #include #include #include @@ -108,6 +107,7 @@ int wh_DemoClient_CryptoRsa(whClientContext* clientContext) exit: (void)wc_FreeRng(rng); + (void)wc_FreeRsaKey(rsa); return ret; } 
@@ -215,6 +215,11 @@ int wh_DemoClient_CryptoRsaImport(whClientContext* clientContext) #endif #ifdef HAVE_CURVE25519 + +/* + * Generate a curve25519 key pair on the HSM and generate a shared secret + * from both perspectives. + */ int wh_DemoClient_CryptoCurve25519(whClientContext* clientContext) { int ret = 0; @@ -249,13 +254,13 @@ int wh_DemoClient_CryptoCurve25519(whClientContext* clientContext) /* generate the keys on the HSM */ ret = wc_curve25519_make_key(rng, CURVE25519_KEYSIZE, curve25519PrivateKey); if (ret != 0) { - printf("Failed to wc_curve25519_init_ex %d\n", ret); + printf("Failed to wc_curve25519_make_key %d\n", ret); goto exit; } ret = wc_curve25519_make_key(rng, CURVE25519_KEYSIZE, curve25519PublicKey); if (ret != 0) { - printf("Failed to wc_curve25519_init_ex %d\n", ret); + printf("Failed to wc_curve25519_make_key %d\n", ret); goto exit; } @@ -276,10 +281,6 @@ int wh_DemoClient_CryptoCurve25519(whClientContext* clientContext) goto exit; } - /* free the key structs */ - wc_curve25519_free(curve25519PrivateKey); - wc_curve25519_free(curve25519PublicKey); - if (memcmp(sharedOne, sharedTwo, outLen) != 0) { printf("CURVE25519 shared secrets don't match\n"); ret = -1; @@ -289,11 +290,14 @@ int wh_DemoClient_CryptoCurve25519(whClientContext* clientContext) printf("CURVE25519 shared secrets match\n"); } exit: + /* free the key structs */ + wc_curve25519_free(curve25519PrivateKey); + wc_curve25519_free(curve25519PublicKey); (void)wc_FreeRng(rng); return ret; } -int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext) +int wh_DemoClient_CryptoCurve25519ImportDer(whClientContext* clientContext) { int ret = 0; int keyFd; 
@@ -388,6 +392,24 @@ int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext) goto exit; } + /* generate shared secret from perspective two */ + outLen = sizeof(sharedTwo); + ret = wc_curve25519_shared_secret(aliceKey, bobKey, + sharedTwo, (word32*)&outLen); + if (ret != 0) { + printf("Failed to wc_curve25519_shared_secret %d\n", ret); + goto exit; + } + + if (memcmp(sharedOne, sharedTwo, outLen) != 0) { + printf("CURVE25519 shared secrets don't match\n"); + ret = -1; + goto exit; + } + else { + printf("CURVE25519 shared secrets match\n"); + } + exit: wc_curve25519_free(aliceKey); wc_curve25519_free(bobKey); @@ -406,6 +428,9 @@ int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext) } return ret; } + + + #endif /* HAVE_CURVE25519 */ #if defined(HAVE_ECC) @@ -956,6 +981,12 @@ int wh_DemoClient_CryptoAesCbcImport(whClientContext* clientContext) goto exit; } + /* Reset the IV so we can decrypt */ + ret = wc_AesSetIV(aes, NULL); + if (ret != 0) { + printf("Failed to wc_AesSetIV %d\n", ret); + } + /* decrypt the ciphertext */ ret = wc_AesCbcDecrypt(aes, finalText, cipherText, sizeof(plainText)); if (ret != 0) { @@ -972,10 +1003,12 @@ int wh_DemoClient_CryptoAesCbcImport(whClientContext* clientContext) printf("AES CBC matches after decryption with imported key\n"); exit: if (needEvict) { - /* evict the key */ - ret = wh_Client_KeyEvict(clientContext, keyId); - if (ret != 0) { - printf("Failed to wh_Client_KeyEvict %d\n", ret); + int evictRet = wh_Client_KeyEvict(clientContext, keyId); + if (evictRet != 0) { + printf("Failed to wh_Client_KeyEvict %d\n", evictRet); + if (ret == 0) { + ret = evictRet; + } } } return ret; @@ -1107,6 +1140,7 @@ int wh_DemoClient_CryptoAesGcmImport(whClientContext* clientContext) } printf("AES GCM matches after decryption with imported keys\n"); exit: + wc_AesFree(aes); if (needEvict) { /* evict the key from the cache */ ret = wh_Client_KeyEvict(clientContext, keyId); 
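Review bot: `sharedOne`, `sharedTwo` and `keyBuf` still hold the derived secrets and the DER key pair when the function returns after the comparison added here; nothing at `exit:` clears them. This is demo code that users are likely to copy, so wiping the three buffers at `exit:` with a zeroization call the compiler cannot elide would set the right example. The buffer declarations are outside this hunk.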
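Review bot: A failing `wc_AesSetIV` is only logged: the added check has no `goto exit;`, so `wc_AesCbcDecrypt` still runs with whatever IV state is left and its result overwrites `ret`. Add `goto exit;` after the `printf("Failed to wc_AesSetIV %d\n", ret);` line. Passing `NULL` resets the IV to all zeroes, which only round-trips if the encryption above also started from a zero IV; that call is outside this hunk, so confirm it. A comment noting that the fixed IV is for the demo only would keep readers from copying it into real CBC use.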
diff --git a/demo/client/wh_demo_client_crypto.h b/demo/client/wh_demo_client_crypto.h index 7c56494..0b310c3 100644 --- a/demo/client/wh_demo_client_crypto.h +++ b/demo/client/wh_demo_client_crypto.h @@ -9,7 +9,7 @@ int wh_DemoClient_CryptoRsaImport(whClientContext* clientContext); #ifdef HAVE_CURVE25519 int wh_DemoClient_CryptoCurve25519(whClientContext* clientContext); -int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext); +int wh_DemoClient_CryptoCurve25519ImportDer(whClientContext* clientContext); #endif /* HAVE_CURVE25519 */ #if defined(HAVE_ECC) diff --git a/posix/tcp/wh_client_tcp/Makefile b/posix/tcp/wh_client_tcp/Makefile index b3f0dfd..62266f7 100644 --- a/posix/tcp/wh_client_tcp/Makefile +++ b/posix/tcp/wh_client_tcp/Makefile @@ -26,8 +26,8 @@ ARCHFLAGS ?= # Compiler and linker flags ASFLAGS ?= $(ARCHFLAGS) -CFLAGS_EXTRA ?= -Wno-cpp -CFLAGS ?= $(ARCHFLAGS) -std=c99 -Wall $(CFLAGS_EXTRA) +CFLAGS_EXTRA ?= +CFLAGS ?= $(ARCHFLAGS) -Wno-cpp -std=c99 -Wall $(CFLAGS_EXTRA) LDFLAGS ?= $(ARCHFLAGS) # LD: generate map @@ -37,7 +37,7 @@ LDFLAGS ?= $(ARCHFLAGS) LIBS = -lc -lm # Optimization level and place functions / data into separate sections to allow dead code removal -CFLAGS += -O3 -ffunction-sections -fdata-sections +CFLAGS += -O0 -ffunction-sections -fdata-sections #-fstrict-volatile-bitfields #-fno-builtin # Remove unused sections and link time optimizations diff --git a/posix/tcp/wh_server_tcp/Makefile b/posix/tcp/wh_server_tcp/Makefile index 3bcf326..b26a177 100644 --- a/posix/tcp/wh_server_tcp/Makefile +++ b/posix/tcp/wh_server_tcp/Makefile @@ -24,8 +24,8 @@ ARCHFLAGS ?= # Compiler and linker flags ASFLAGS ?= $(ARCHFLAGS) -CFLAGS_EXTRA ?= -Wno-cpp -CFLAGS ?= $(ARCHFLAGS) -std=c99 -Wall $(CFLAGS_EXTRA) +CFLAGS_EXTRA ?= +CFLAGS ?= $(ARCHFLAGS) -Wno-cpp -std=c99 -Wall $(CFLAGS_EXTRA) LDFLAGS ?= $(ARCHFLAGS) # LD: generate map 
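Review bot: The optimisation level drops from `-O3` to `-O0` in the `CFLAGS +=` line of `posix/tcp/wh_client_tcp/Makefile` and in the matching hunk of `posix/tcp/wh_server_tcp/Makefile`, which the commit subject ("fix AES cbc and some return values") does not mention; it reads like a debugging setting committed by accident. If it is intentional, say why in a comment on that line, e.g. `# -O0 while debugging the demos; restore -O3 before release`. Otherwise keep `-O3` so the example builds match what was there before.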
@@ -35,7 +35,7 @@ LDFLAGS ?= $(ARCHFLAGS) LIBS = -lc -lm # Optimization level and place functions / data into separate sections to allow dead code removal -CFLAGS += -O3 -ffunction-sections -fdata-sections +CFLAGS += -O0 -ffunction-sections -fdata-sections #-fstrict-volatile-bitfields #-fno-builtin # Remove unused sections and link time optimizations From 8083713c1b9ea49f8bfcaf78f0509cee6797c70f Mon Sep 17 00:00:00 2001 From: Brett Nicholas <7547222+bigbrett@users.noreply.github.com> Date: Fri, 1 Nov 2024 15:32:02 -0600 Subject: [PATCH 09/18] fixed improper error code propagation --- demo/client/wh_demo_client_crypto.c | 121 ++++++++++++++++++---------- 1 file changed, 78 insertions(+), 43 deletions(-) diff --git a/demo/client/wh_demo_client_crypto.c b/demo/client/wh_demo_client_crypto.c index 29dc782..3a0bc50 100644 --- a/demo/client/wh_demo_client_crypto.c +++ b/demo/client/wh_demo_client_crypto.c @@ -205,9 +205,12 @@ int wh_DemoClient_CryptoRsaImport(whClientContext* clientContext) exit: (void)wc_FreeRng(rng); if (needEvict) { - ret = wh_Client_KeyEvict(clientContext, keyId); - if (ret != 0) { - printf("Failed to wh_Client_KeyEvict %d\n", ret); + int evictRet = wh_Client_KeyEvict(clientContext, keyId); + if (evictRet != 0) { + printf("Failed to wh_Client_KeyEvict %d\n", evictRet); + if (ret == 0) { + ret = evictRet; + } } } return ret; @@ -402,12 +405,12 @@ int wh_DemoClient_CryptoCurve25519ImportDer(whClientContext* clientContext) } if (memcmp(sharedOne, sharedTwo, outLen) != 0) { - printf("CURVE25519 shared secrets don't match\n"); + printf("CURVE25519 import: shared secrets don't match\n"); ret = -1; goto exit; } else { - printf("CURVE25519 shared secrets match\n"); + printf("CURVE25519 import: shared secrets match\n"); } exit: 
@@ -415,22 +418,25 @@ int wh_DemoClient_CryptoCurve25519ImportDer(whClientContext* clientContext) wc_curve25519_free(bobKey); if (keyIdBob != WH_KEYID_ERASED) { - ret = wh_Client_KeyEvict(clientContext, keyIdBob); - if (ret != 0) { - printf("Failed to wh_Client_KeyEvict %d\n", ret); + int evictRet = wh_Client_KeyEvict(clientContext, keyIdBob); + if (evictRet != 0) { + printf("Failed to wh_Client_KeyEvict %d\n", evictRet); + if (ret == 0) { + ret = evictRet; + } } } if (keyIdAlice != WH_KEYID_ERASED) { - ret = wh_Client_KeyEvict(clientContext, keyIdAlice); - if (ret != 0) { - printf("Failed to wh_Client_KeyEvict %d\n", ret); + int evictRet = wh_Client_KeyEvict(clientContext, keyIdAlice); + if (evictRet != 0) { + printf("Failed to wh_Client_KeyEvict %d\n", evictRet); + if (ret == 0) { + ret = evictRet; + } } } return ret; } - - - #endif /* HAVE_CURVE25519 */ #if defined(HAVE_ECC) 
@@ -549,25 +555,39 @@ int wh_DemoClient_CryptoEcc(whClientContext* clientContext) (void)wc_FreeRng(rng); /* evict the keys */ if (needEvictPriv) { - ret = wh_Client_GetKeyIdEcc(eccPrivate, &keyId); - if (ret != 0) { - printf("Failed to wh_Client_GetKeyIdRsa %d\n", ret); - return ret; + int evictRet = wh_Client_GetKeyIdEcc(eccPrivate, &keyId); + if (evictRet != 0) { + printf("Failed to wh_Client_GetKeyIdRsa %d\n", evictRet); + if (ret == 0) { + ret = evictRet; + } } - ret = wh_Client_KeyEvict(clientContext, keyId); - if (ret != 0) { - printf("Failed to wh_Client_KeyEvict %d\n", ret); + else { + evictRet = wh_Client_KeyEvict(clientContext, keyId); + if (evictRet != 0) { + printf("Failed to wh_Client_KeyEvict %d\n", evictRet); + if (ret == 0) { + ret = evictRet; + } + } } } if (needEvictPub) { - ret = wh_Client_GetKeyIdEcc(eccPublic, &keyId); - if (ret != 0) { - printf("Failed to wh_Client_GetKeyIdRsa %d\n", ret); - return ret; + int evictRet = wh_Client_GetKeyIdEcc(eccPublic, &keyId); + if (evictRet != 0) { + printf("Failed to wh_Client_GetKeyIdRsa %d\n", evictRet); + if (ret == 0) { + ret = evictRet; + } } - ret = wh_Client_KeyEvict(clientContext, keyId); - if (ret != 0) { - printf("Failed to wh_Client_KeyEvict %d\n", ret); + else { + evictRet = wh_Client_KeyEvict(clientContext, keyId); + if (evictRet != 0) { + printf("Failed to wh_Client_KeyEvict %d\n", evictRet); + if (ret == 0) { + ret = evictRet; + } + } } } return ret; 
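Review bot: The rewritten cleanup still prints `Failed to wh_Client_GetKeyIdRsa` when the call that failed is `wh_Client_GetKeyIdEcc`, in both the private-key and the public-key branch. Since these lines are being rewritten anyway, name the right function: `printf("Failed to wh_Client_GetKeyIdEcc %d\n", evictRet);`. The two branches are identical apart from the key struct, so a small static helper taking the key pointer would remove the duplication. The function body starts outside this hunk.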
@@ -851,27 +871,39 @@ int wh_DemoClient_CryptoEccImport(whClientContext* clientContext) /* free rng */ (void)wc_FreeRng(rng); if (keyIdPrivBob != WH_KEYID_ERASED) { - ret = wh_Client_KeyEvict(clientContext, keyIdPrivBob); - if (ret != 0) { - printf("Failed to wh_Client_KeyEvict %d\n", ret); + int evictRet = wh_Client_KeyEvict(clientContext, keyIdPrivBob); + if (evictRet != 0) { + printf("Failed to wh_Client_KeyEvict %d\n", evictRet); + if (ret == 0) { + ret = evictRet; + } } } if (keyIdPubAlice != WH_KEYID_ERASED) { - ret = wh_Client_KeyEvict(clientContext, keyIdPubAlice); - if (ret != 0) { - printf("Failed to wh_Client_KeyEvict %d\n", ret); + int evictRet = wh_Client_KeyEvict(clientContext, keyIdPubAlice); + if (evictRet != 0) { + printf("Failed to wh_Client_KeyEvict %d\n", evictRet); + if (ret == 0) { + ret = evictRet; + } } } if (keyIdPrivAlice != WH_KEYID_ERASED) { - ret = wh_Client_KeyEvict(clientContext, keyIdPrivAlice); - if (ret != 0) { - printf("Failed to wh_Client_KeyEvict %d\n", ret); + int evictRet = wh_Client_KeyEvict(clientContext, keyIdPrivAlice); + if (evictRet != 0) { + printf("Failed to wh_Client_KeyEvict %d\n", evictRet); + if (ret == 0) { + ret = evictRet; + } } } if (keyIdPubBob != WH_KEYID_ERASED) { - ret = wh_Client_KeyEvict(clientContext, keyIdPubBob); - if (ret != 0) { - printf("Failed to wh_Client_KeyEvict %d\n", ret); + int evictRet = wh_Client_KeyEvict(clientContext, keyIdPubBob); + if (evictRet != 0) { + printf("Failed to wh_Client_KeyEvict %d\n", evictRet); + if (ret == 0) { + ret = evictRet; + } } } return ret; 
@@ -1143,9 +1175,12 @@ int wh_DemoClient_CryptoAesGcmImport(whClientContext* clientContext) wc_AesFree(aes); if (needEvict) { /* evict the key from the cache */ - ret = wh_Client_KeyEvict(clientContext, keyId); - if (ret != 0) { - printf("Failed to wh_Client_KeyEvict %d\n", ret); + int evictRet = wh_Client_KeyEvict(clientContext, keyId); + if (evictRet != 0) { + printf("Failed to wh_Client_KeyEvict %d\n", evictRet); + if (ret == 0) { + ret = evictRet; + } } } return ret; From 1f8bce90260e2d73645aa1a5fe6cb5920cc7a6be Mon Sep 17 00:00:00 2001 From: Brett Nicholas <7547222+bigbrett@users.noreply.github.com> Date: Fri, 1 Nov 2024 15:50:09 -0600 Subject: [PATCH 10/18] revert function name for simplicity --- demo/client/wh_demo_client_all.c | 2 +- demo/client/wh_demo_client_crypto.c | 2 +- demo/client/wh_demo_client_crypto.h | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/demo/client/wh_demo_client_all.c b/demo/client/wh_demo_client_all.c index e7034a6..b7c06be 100644 --- a/demo/client/wh_demo_client_all.c +++ b/demo/client/wh_demo_client_all.c @@ -63,7 +63,7 @@ int wh_DemoClient_All(whClientContext* clientContext) return rc; } - rc = wh_DemoClient_CryptoCurve25519ImportDer(clientContext); + rc = wh_DemoClient_CryptoCurve25519Import(clientContext); if (rc != 0) { return rc; } diff --git a/demo/client/wh_demo_client_crypto.c b/demo/client/wh_demo_client_crypto.c index 3a0bc50..8c59bc4 100644 --- a/demo/client/wh_demo_client_crypto.c +++ b/demo/client/wh_demo_client_crypto.c @@ -300,7 +300,7 @@ int wh_DemoClient_CryptoCurve25519(whClientContext* clientContext) return ret; } -int wh_DemoClient_CryptoCurve25519ImportDer(whClientContext* clientContext) +int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext) { int ret = 0; int keyFd; diff --git a/demo/client/wh_demo_client_crypto.h b/demo/client/wh_demo_client_crypto.h index 0b310c3..7c56494 100644 --- a/demo/client/wh_demo_client_crypto.h +++ b/demo/client/wh_demo_client_crypto.h 
@@ -9,7 +9,7 @@ int wh_DemoClient_CryptoRsaImport(whClientContext* clientContext); #ifdef HAVE_CURVE25519 int wh_DemoClient_CryptoCurve25519(whClientContext* clientContext); -int wh_DemoClient_CryptoCurve25519ImportDer(whClientContext* clientContext); +int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext); #endif /* HAVE_CURVE25519 */ #if defined(HAVE_ECC) From c28eb2f88cf57fe6b30a334eaa8f47f1553ec898 Mon Sep 17 00:00:00 2001 From: Brett Nicholas <7547222+bigbrett@users.noreply.github.com> Date: Fri, 1 Nov 2024 16:15:54 -0600 Subject: [PATCH 11/18] rebase + fix merge conflicts --- demo/client/wh_demo_client_keystore.c | 2 +- posix/tcp/wh_client_tcp/wh_client_tcp.c | 1 + posix/tcp/wh_server_tcp/wh_server_tcp.c | 3 ++- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/demo/client/wh_demo_client_keystore.c b/demo/client/wh_demo_client_keystore.c index dcff181..989608f 100644 --- a/demo/client/wh_demo_client_keystore.c +++ b/demo/client/wh_demo_client_keystore.c @@ -57,7 +57,7 @@ int wh_DemoClient_KeystoreCommitKey(whClientContext* clientContext) uint8_t label[] = "my secret key"; uint8_t exportKey[sizeof(key)] = {0}; uint8_t exportLabel[sizeof(label)] = {0}; - uint32_t exportKeySz = 0; + uint16_t exportKeySz = 0; /* Cache the key in the HSM */ ret = wh_Client_KeyCache(clientContext, 0, label, sizeof(label), key, diff --git a/posix/tcp/wh_client_tcp/wh_client_tcp.c b/posix/tcp/wh_client_tcp/wh_client_tcp.c index 4db14de..658d4de 100644 --- a/posix/tcp/wh_client_tcp/wh_client_tcp.c +++ b/posix/tcp/wh_client_tcp/wh_client_tcp.c @@ -5,6 +5,7 @@ #include #include /* For printf */ #include /* For memset, memcpy */ +#include /* for read */ #include /* For nanosleep */ #include "wolfhsm/wh_error.h" diff --git a/posix/tcp/wh_server_tcp/wh_server_tcp.c b/posix/tcp/wh_server_tcp/wh_server_tcp.c index efe4e75..56ba5f2 100644 --- a/posix/tcp/wh_server_tcp/wh_server_tcp.c +++ b/posix/tcp/wh_server_tcp/wh_server_tcp.c 
@@ -9,6 +9,7 @@ #include #include #include +#include /* for read/close */ #include /* For nanosleep */ #include "wolfhsm/wh_error.h" @@ -140,7 +141,7 @@ static int wh_ServerTask(void* cf, const char* keyFilePath, int keyId, while (1) { ret = wh_Server_HandleRequestMessage(server); if (ret == WH_ERROR_NOTREADY) { - usleep(ONE_MS); + sleepMs(ONE_MS); } else if (ret != WH_ERROR_OK) { printf("Failed to wh_Server_HandleRequestMessage: %d\n", ret); From 5dd9c523444bff5485969fcdee47be0fae59c41b Mon Sep 17 00:00:00 2001 From: Brett Nicholas <7547222+bigbrett@users.noreply.github.com> Date: Tue, 5 Nov 2024 07:32:59 -0700 Subject: [PATCH 12/18] formatting fixes --- demo/client/wh_demo_client_all.c | 6 +- demo/client/wh_demo_client_keystore.c | 2 +- posix/tcp/wh_client_tcp/user_settings.h | 111 ------------------------ 3 files changed, 4 insertions(+), 115 deletions(-) diff --git a/demo/client/wh_demo_client_all.c b/demo/client/wh_demo_client_all.c index b7c06be..aa4ded0 100644 --- a/demo/client/wh_demo_client_all.c +++ b/demo/client/wh_demo_client_all.c @@ -22,13 +22,13 @@ int wh_DemoClient_All(whClientContext* clientContext) return rc; } #endif - /** NVM demos */ + /* NVM demos */ rc = wh_DemoClient_Nvm(clientContext); if (rc != 0) { return rc; } - /** Keystore demos */ + /* Keystore demos */ rc = wh_DemoClient_KeystoreBasic(clientContext); if (rc != 0) { return rc; @@ -44,7 +44,7 @@ int wh_DemoClient_All(whClientContext* clientContext) } #endif - /** Crypto demos */ + /**Crypto demos */ #ifndef NO_RSA rc = wh_DemoClient_CryptoRsa(clientContext); if (rc != 0) { diff --git a/demo/client/wh_demo_client_keystore.c b/demo/client/wh_demo_client_keystore.c index 989608f..6426337 100644 --- a/demo/client/wh_demo_client_keystore.c +++ b/demo/client/wh_demo_client_keystore.c 
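Review bot: In the `wh_demo_client_all.c` hunk of the "formatting fixes" commit the heading becomes `/**Crypto demos */`, which drops the space but keeps the doubled asterisk, while the other two section comments in the same commit were changed to the plain `/* NVM demos */` and `/* Keystore demos */` form. Use `/* Crypto demos */` so the three headings match.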
@@ -53,7 +53,7 @@ int wh_DemoClient_KeystoreCommitKey(whClientContext* clientContext) { int ret; uint16_t keyId = WH_KEYID_ERASED; - uint8_t key[ ] = "0123456789abcdef"; + uint8_t key[] = "0123456789abcdef"; uint8_t label[] = "my secret key"; uint8_t exportKey[sizeof(key)] = {0}; uint8_t exportLabel[sizeof(label)] = {0}; diff --git a/posix/tcp/wh_client_tcp/user_settings.h b/posix/tcp/wh_client_tcp/user_settings.h index 8c8066f..51fcb19 100644 --- a/posix/tcp/wh_client_tcp/user_settings.h +++ b/posix/tcp/wh_client_tcp/user_settings.h 
@@ -32,117 +32,6 @@ #include -#if 0 -#define WOLFSSL_AES_DIRECT -#define WOLFSSL_CMAC - -#define HAVE_ECC -#define HAVE_ECC_ENCRYPT -#define HAVE_CURVE25519 - -#define HAVE_HKDF - - -/* Math library selection. */ - -/* Common configuration */ -#define WOLFCRYPT_ONLY -#define WOLFSSL_KEY_GEN -//#define BIG_ENDIAN_ORDER -//#define WOLFSSL_KEY_GEN -#define SINGLE_THREADED -#define WC_NO_ASYNC_THREADING -#define WOLFSSL_USE_ALIGN -#define HAVE_WC_INTROSPECTION -#define WOLFSSL_IGNORE_FILE_WARN -#define WOLFSSL_NO_MALLOC - -/* Hardening options */ -#define TFM_TIMING_RESISTANT -#define ECC_TIMING_RESISTANT -#define WC_RSA_BLINDING - -/* Remove unneeded features*/ -#define NO_MAIN_DRIVER -#define NO_ERROR_STRINGS -#define NO_ERROR_QUEUE -#define NO_FILESYSTEM -#define NO_INLINE -#define NO_OLD_TLS -#define WOLFSSL_NO_TLS12 -#define NO_DO178 - -/* Remove unneded namespace */ -#define NO_OLD_RNGNAME -#define NO_OLD_WC_NAMES -#define NO_OLD_SSL_NAMES -#define NO_OLD_SHA_NAMES -#define NO_OLD_MD5_NAME - -/* RSA Options */ -#define HAVE_RSA -#define WC_RSA_PSS -#define WOLFSSL_PSS_LONG_SALT -#define FP_MAX_BITS 4096 - -/* ECC Options */ -#define HAVE_ECC -#define TFM_ECC256 -#define ECC_SHAMIR -#define HAVE_SUPPORTED_CURVES - - -/* DH and DHE Options */ -#define HAVE_DH_DEFAULT_PARAMS -#define HAVE_FFDHE_2048 - -/* AES Options */ -#define HAVE_AES -#define HAVE_AESGCM -#define GCM_TABLE_4BIT -#define WOLFSSL_AES_DIRECT -#define HAVE_AES_ECB -#define WOLFSSL_CMAC - -/* SHA Options */ -#define NO_SHA -#define HAVE_SHA256 - -/* Composite features */ -#define HAVE_HKDF -#define HAVE_HASHDRBG - -/* Remove unneeded crypto */ -#define NO_DSA -#define NO_RC4 -#define NO_PSK -#define NO_MD4 -#define NO_MD5 -#define NO_DES3 -#define WOLFSSL_NO_SHAKE128 -#define WOLFSSL_NO_SHAKE256 -#define NO_PWDBASED - -/* Disable DH for now */ -#define NO_DH - -/* Cert processing options */ -#define WOLFSSL_ASN_TEMPLATE -#define WOLFSSL_BASE64_ENCODE - -/* TLS features that are not used */ -/* TODO: 
Check to see if these can be removed */ -#define HAVE_TLS_EXTENSIONS -#define HAVE_ENCRYPT_THEN_MAC - -/* Math library selection. Move to target */ - -#define USE_FAST_MATH - - -/* Curve25519 Options */ -#define HAVE_CURVE25519 - #endif From 915784a583e0e3e5c6407e7572553439e74b1a83 Mon Sep 17 00:00:00 2001 From: Brett Nicholas <7547222+bigbrett@users.noreply.github.com> Date: Tue, 5 Nov 2024 07:34:23 -0700 Subject: [PATCH 13/18] fix bad user settings --- posix/tcp/wh_client_tcp/user_settings.h | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/posix/tcp/wh_client_tcp/user_settings.h b/posix/tcp/wh_client_tcp/user_settings.h index 51fcb19..45f1717 100644 --- a/posix/tcp/wh_client_tcp/user_settings.h +++ b/posix/tcp/wh_client_tcp/user_settings.h @@ -32,8 +32,5 @@ #include -#endif - - -#endif +#endif /* USER_SETTINGS_H_ */ From 31e375e86e9d3a41088e303044755838c431f404 Mon Sep 17 00:00:00 2001 From: Brett Nicholas <7547222+bigbrett@users.noreply.github.com> Date: Tue, 5 Nov 2024 09:28:17 -0700 Subject: [PATCH 14/18] add -Werror --- posix/tcp/wh_client_tcp/Makefile | 2 +- posix/tcp/wh_server_tcp/Makefile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/posix/tcp/wh_client_tcp/Makefile b/posix/tcp/wh_client_tcp/Makefile index 62266f7..73e923f 100644 --- a/posix/tcp/wh_client_tcp/Makefile +++ b/posix/tcp/wh_client_tcp/Makefile @@ -27,7 +27,7 @@ ARCHFLAGS ?= # Compiler and linker flags ASFLAGS ?= $(ARCHFLAGS) CFLAGS_EXTRA ?= -CFLAGS ?= $(ARCHFLAGS) -Wno-cpp -std=c99 -Wall $(CFLAGS_EXTRA) +CFLAGS ?= $(ARCHFLAGS) -Wno-cpp -std=c99 -Wall -Werror $(CFLAGS_EXTRA) LDFLAGS ?= $(ARCHFLAGS) # LD: generate map diff --git a/posix/tcp/wh_server_tcp/Makefile b/posix/tcp/wh_server_tcp/Makefile index b26a177..30b938c 100644 --- a/posix/tcp/wh_server_tcp/Makefile +++ b/posix/tcp/wh_server_tcp/Makefile 
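Review bot: `-Werror` is now part of the default `CFLAGS` in posix/tcp/wh_client_tcp/Makefile, and the only way to turn it off is to override the whole variable. A compiler release that adds one new `-Wall` diagnostic would then break the example build. The same line is changed in posix/tcp/wh_server_tcp/Makefile. Consider making it a separate switch, `WERROR ?= -Werror` followed by `CFLAGS ?= $(ARCHFLAGS) -Wno-cpp -std=c99 -Wall $(WERROR) $(CFLAGS_EXTRA)`, so CI stays strict and users can still build with `WERROR=`.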
@@ -25,7 +25,7 @@ ARCHFLAGS ?= # Compiler and linker flags ASFLAGS ?= $(ARCHFLAGS) CFLAGS_EXTRA ?= -CFLAGS ?= $(ARCHFLAGS) -Wno-cpp -std=c99 -Wall $(CFLAGS_EXTRA) +CFLAGS ?= $(ARCHFLAGS) -Wno-cpp -std=c99 -Wall -Werror $(CFLAGS_EXTRA) LDFLAGS ?= $(ARCHFLAGS) # LD: generate map From ccf65a86e96639250f93c72ecd73248205871d61 Mon Sep 17 00:00:00 2001 From: Brett Nicholas <7547222+bigbrett@users.noreply.github.com> Date: Tue, 5 Nov 2024 09:29:29 -0700 Subject: [PATCH 15/18] add all algos back in, fix ECC to use DER keys --- .gitignore | 1 + demo/certs/alice-ecc256-key.der | Bin 0 -> 121 bytes demo/certs/bob-ecc256-key.der | Bin 0 -> 121 bytes demo/certs/genCerts.sh | 9 + demo/client/wh_demo_client_crypto.c | 469 ++++++++++-------------- posix/tcp/wh_client_tcp/user_settings.h | 8 +- 6 files changed, 210 insertions(+), 277 deletions(-) create mode 100644 demo/certs/alice-ecc256-key.der create mode 100644 demo/certs/bob-ecc256-key.der create mode 100755 demo/certs/genCerts.sh diff --git a/.gitignore b/.gitignore index e573c6a..295012f 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ .DS_Store Build/ +demo/certs/*.pem diff --git a/demo/certs/alice-ecc256-key.der b/demo/certs/alice-ecc256-key.der new file mode 100644 index 0000000000000000000000000000000000000000..5e21b4c9934155fe850653bbe8e7ffa30778271e GIT binary patch literal 121 zcmV-<0EYiCcLD(c1R(eP1&T_RL*kK~KGe3na^!Lo=Q!uKt2gV?vOV_fB!Hj_1_&yK zNX|V20SBQ(13~}Zw*y#V%AnF`E@cTGjO4Lr bI!2sjytmH`_zXSZXC?wB0m%)yjW2h8<#sjh literal 0 HcmV?d00001 diff --git a/demo/certs/bob-ecc256-key.der b/demo/certs/bob-ecc256-key.der new file mode 100644 index 0000000000000000000000000000000000000000..697bb81911406be97be308a60a5b9baa933dc1fb GIT binary patch literal 121 zcmV-<0EYiCcLD(c1R!rOt8g?sq$jR~I=dKCgxnYNFCY{$Kiq;Kz From 0c1358347388df57225634201112dc4d9f7353af Mon Sep 17 00:00:00 2001 
From: Brett Nicholas <7547222+bigbrett@users.noreply.github.com> Date: Tue, 5 Nov 2024 09:30:00 -0700 Subject: [PATCH 16/18] clang-format --- demo/client/wh_demo_client_crypto.c | 312 ++++++++++++++-------------- 1 file changed, 159 insertions(+), 153 deletions(-) diff --git a/demo/client/wh_demo_client_crypto.c b/demo/client/wh_demo_client_crypto.c index 1fa3310..878f59e 100644 --- a/demo/client/wh_demo_client_crypto.c +++ b/demo/client/wh_demo_client_crypto.c @@ -54,13 +54,13 @@ */ int wh_DemoClient_CryptoRsa(whClientContext* clientContext) { - int ret = 0; - int encSz = 0; + int ret = 0; + int encSz = 0; const char plainString[] = "The quick brown fox jumps over the lazy dog."; - byte plainText[256]; - byte cipherText[256]; - RsaKey rsa[1]; - WC_RNG rng[1]; + byte plainText[256]; + byte cipherText[256]; + RsaKey rsa[1]; + WC_RNG rng[1]; /* set the plainText to the test string */ strcpy((char*)plainText, plainString); @@ -87,8 +87,8 @@ int wh_DemoClient_CryptoRsa(whClientContext* clientContext) } /* encrypt the plaintext */ - encSz = ret = wc_RsaPublicEncrypt(plainText, sizeof(plainString), cipherText, - sizeof(cipherText), rsa, rng); + encSz = ret = wc_RsaPublicEncrypt(plainText, sizeof(plainString), + cipherText, sizeof(cipherText), rsa, rng); if (ret < 0) { printf("Failed to wc_RsaPublicEncrypt %d\n", ret); goto exit; @@ -97,7 +97,7 @@ int wh_DemoClient_CryptoRsa(whClientContext* clientContext) /* decrypt the ciphertext */ ret = wc_RsaPrivateDecrypt(cipherText, encSz, plainText, sizeof(plainText), - rsa); + rsa); if (ret < 0) { printf("Failed to wc_RsaPrivateDecrypt %d\n", ret); goto exit; 
@@ -125,20 +125,20 @@ int wh_DemoClient_CryptoRsa(whClientContext* clientContext) */ int wh_DemoClient_CryptoRsaImport(whClientContext* clientContext) { - int ret = 0; - int encSz = 0; - int keyFd; - int keySz; - int needEvict = 0; - whKeyId keyId = WH_KEYID_ERASED; - char keyFile[] = "../../../demo/certs/ca-key.der"; + int ret = 0; + int encSz = 0; + int keyFd; + int keySz; + int needEvict = 0; + whKeyId keyId = WH_KEYID_ERASED; + char keyFile[] = "../../../demo/certs/ca-key.der"; const char plainString[] = "The quick brown fox jumps over the lazy dog."; - char keyLabel[] = "baby's first key"; - uint8_t keyBuf[2048]; - byte plainText[256]; - byte cipherText[256]; - RsaKey rsa[1]; - WC_RNG rng[1]; + char keyLabel[] = "baby's first key"; + uint8_t keyBuf[2048]; + byte plainText[256]; + byte cipherText[256]; + RsaKey rsa[1]; + WC_RNG rng[1]; /* set the plainText to the test string */ strcpy((char*)plainText, plainString); @@ -168,7 +168,7 @@ int wh_DemoClient_CryptoRsaImport(whClientContext* clientContext) /* cache the key in the HSM, get HSM assigned keyId */ ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel, - strlen(keyLabel), keyBuf, keySz, &keyId); + strlen(keyLabel), keyBuf, keySz, &keyId); if (ret != 0) { printf("Failed to wh_Client_KeyCache %d\n", ret); goto exit; @@ -190,8 +190,8 @@ int wh_DemoClient_CryptoRsaImport(whClientContext* clientContext) } /* encrypt the plaintext */ - encSz = ret = wc_RsaPublicEncrypt(plainText, sizeof(plainString), cipherText, - sizeof(cipherText), rsa, rng); + encSz = ret = wc_RsaPublicEncrypt(plainText, sizeof(plainString), + cipherText, sizeof(cipherText), rsa, rng); if (ret < 0) { printf("Failed to wc_RsaPublicEncrypt %d\n", ret); goto exit; 
@@ -200,7 +200,7 @@ int wh_DemoClient_CryptoRsaImport(whClientContext* clientContext) /* decrypt the ciphertext */ ret = wc_RsaPrivateDecrypt(cipherText, encSz, plainText, sizeof(plainText), - rsa); + rsa); if (ret < 0) { printf("Failed to wc_RsaPrivateDecrypt %d\n", ret); goto exit; @@ -240,14 +240,14 @@ int wh_DemoClient_CryptoRsaImport(whClientContext* clientContext) */ int wh_DemoClient_CryptoCurve25519(whClientContext* clientContext) { - int ret = 0; - word32 outLen; - uint8_t sharedOne[CURVE25519_KEYSIZE]; - uint8_t sharedTwo[CURVE25519_KEYSIZE]; + int ret = 0; + word32 outLen; + uint8_t sharedOne[CURVE25519_KEYSIZE]; + uint8_t sharedTwo[CURVE25519_KEYSIZE]; curve25519_key curve25519PrivateKey[1]; /* public from the first shared secret's perspective, actually private */ curve25519_key curve25519PublicKey[1]; - WC_RNG rng[1]; + WC_RNG rng[1]; /* initialize rng to make the curve25519 keys */ ret = wc_InitRng_ex(rng, NULL, WH_DEV_ID); @@ -285,7 +285,7 @@ int wh_DemoClient_CryptoCurve25519(whClientContext* clientContext) /* generate shared secrets from both perspectives */ outLen = sizeof(sharedOne); ret = wc_curve25519_shared_secret(curve25519PrivateKey, curve25519PublicKey, - sharedOne, (word32*)&outLen); + sharedOne, (word32*)&outLen); if (ret != 0) { printf("Failed to wc_curve25519_shared_secret %d\n", ret); goto exit; @@ -293,7 +293,7 @@ int wh_DemoClient_CryptoCurve25519(whClientContext* clientContext) outLen = sizeof(sharedTwo); ret = wc_curve25519_shared_secret(curve25519PublicKey, curve25519PrivateKey, - sharedTwo, (word32*)&outLen); + sharedTwo, (word32*)&outLen); if (ret != 0) { printf("Failed to wc_curve25519_shared_secret %d\n", ret); goto exit; 
@@ -325,15 +325,15 @@ int wh_DemoClient_CryptoCurve25519(whClientContext* clientContext) */ int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext) { - int ret = 0; - int keyFd; - int keySz; - word32 outLen; - whKeyId keyIdBob = WH_KEYID_ERASED; - whKeyId keyIdAlice = WH_KEYID_ERASED; - char keyPairFileBob[] = "../../../demo/certs/curve25519_keyBob.der"; - char keyPairFileAlice[] = "../../../demo/certs/curve25519_keyAlice.der"; - char keyLabel[] = "baby's first key"; + int ret = 0; + int keyFd; + int keySz; + word32 outLen; + whKeyId keyIdBob = WH_KEYID_ERASED; + whKeyId keyIdAlice = WH_KEYID_ERASED; + char keyPairFileBob[] = "../../../demo/certs/curve25519_keyBob.der"; + char keyPairFileAlice[] = "../../../demo/certs/curve25519_keyAlice.der"; + char keyLabel[] = "baby's first key"; uint8_t keyBuf[256]; uint8_t sharedOne[CURVE25519_KEYSIZE]; uint8_t sharedTwo[CURVE25519_KEYSIZE]; @@ -356,7 +356,7 @@ int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext) /* cache the key in the HSM, get HSM assigned keyId */ ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel, - strlen(keyLabel), keyBuf, keySz, &keyIdBob); + strlen(keyLabel), keyBuf, keySz, &keyIdBob); if (ret != 0) { printf("Failed to wh_Client_KeyCache %d\n", ret); goto exit; @@ -391,7 +391,7 @@ int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext) /* cache the key in the HSM, get HSM assigned keyId */ ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel, - strlen(keyLabel), keyBuf, keySz, &keyIdAlice); + strlen(keyLabel), keyBuf, keySz, &keyIdAlice); if (ret != 0) { printf("Failed to wh_Client_KeyCache %d\n", ret); goto exit; 
@@ -411,8 +411,8 @@ int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext) /* Generate a shared secret from Bob's perspective */ outLen = sizeof(sharedOne); - ret = wc_curve25519_shared_secret(bobKey, aliceKey, - sharedOne, (word32*)&outLen); + ret = wc_curve25519_shared_secret(bobKey, aliceKey, sharedOne, + (word32*)&outLen); if (ret != 0) { printf("Failed to wc_curve25519_shared_secret %d\n", ret); goto exit; @@ -420,8 +420,8 @@ int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext) /* Generate a shared secret from Alice's perspective */ outLen = sizeof(sharedTwo); - ret = wc_curve25519_shared_secret(aliceKey, bobKey, - sharedTwo, (word32*)&outLen); + ret = wc_curve25519_shared_secret(aliceKey, bobKey, sharedTwo, + (word32*)&outLen); if (ret != 0) { printf("Failed to wc_curve25519_shared_secret %d\n", ret); goto exit; @@ -475,17 +475,17 @@ int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext) */ int wh_DemoClient_CryptoEcc(whClientContext* clientContext) { - int ret = 0; - int res; - word32 outLen; - ecc_key aliceKey[1]; - ecc_key bobKey[1]; - WC_RNG rng[1]; - byte sharedOne[32]; - byte sharedTwo[32]; + int ret = 0; + int res; + word32 outLen; + ecc_key aliceKey[1]; + ecc_key bobKey[1]; + WC_RNG rng[1]; + byte sharedOne[32]; + byte sharedTwo[32]; const char plainMessage[] = "The quick brown fox jumps over the lazy dog."; - byte message[sizeof(plainMessage)]; - byte signature[128]; + byte message[sizeof(plainMessage)]; + byte signature[128]; /* Set the message to the test string */ strcpy((char*)message, plainMessage); 
@@ -524,15 +524,15 @@ int wh_DemoClient_CryptoEcc(whClientContext* clientContext) /* Generate the shared secrets */ outLen = 32; - ret = wc_ecc_shared_secret(aliceKey, bobKey, (byte*)sharedOne, - (word32*)&outLen); + ret = wc_ecc_shared_secret(aliceKey, bobKey, (byte*)sharedOne, + (word32*)&outLen); if (ret != 0) { printf("Failed to wc_ecc_shared_secret %d\n", ret); goto exit; } ret = wc_ecc_shared_secret(bobKey, aliceKey, (byte*)sharedTwo, - (word32*)&outLen); + (word32*)&outLen); if (ret != 0) { printf("Failed to wc_ecc_shared_secret %d\n", ret); goto exit; @@ -550,8 +550,8 @@ int wh_DemoClient_CryptoEcc(whClientContext* clientContext) /* Sign the plaintext using the private component of Alice's key */ outLen = sizeof(signature); - ret = wc_ecc_sign_hash(message, sizeof(message), (void*)signature, - (word32*)&outLen, rng, aliceKey); + ret = wc_ecc_sign_hash(message, sizeof(message), (void*)signature, + (word32*)&outLen, rng, aliceKey); if (ret != 0) { printf("Failed to wc_ecc_shared_secret %d\n", ret); goto exit; @@ -562,7 +562,7 @@ int wh_DemoClient_CryptoEcc(whClientContext* clientContext) * parts. In a real scenario, the signing and verifying would occur at * separate times, and only the public key would be distributed */ ret = wc_ecc_verify_hash((void*)signature, outLen, (void*)message, - sizeof(message), &res, aliceKey); + sizeof(message), &res, aliceKey); if (ret != 0) { printf("Failed to wc_ecc_verify_hash %d\n", ret); goto exit; @@ -644,7 +644,7 @@ int wh_DemoClient_CryptoEccImport(whClientContext* clientContext) /* Cache the key in the HSM, get HSM assigned keyId. From here on out, the * keys are stored in the HSM and can be referred to by keyId */ ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel, - strlen(keyLabel), keyBuf, keySz, &keyIdAlice); + strlen(keyLabel), keyBuf, keySz, &keyIdAlice); if (ret != 0) { printf("Failed to wh_Client_KeyCache %d\n", ret); goto exit; 
@@ -673,7 +673,7 @@ int wh_DemoClient_CryptoEccImport(whClientContext* clientContext) /* Now we can do the same procedure for Bob's keypair */ - + /* Open Bob's keypair file and read it into a local buffer */ ret = keyFd = open(keyFileBob, O_RDONLY, 0); if (ret < 0) { @@ -689,7 +689,7 @@ int wh_DemoClient_CryptoEccImport(whClientContext* clientContext) close(keyFd); /* Cache the key in the HSM, get HSM assigned keyId */ ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel, - strlen(keyLabel), keyBuf, keySz, &keyIdBob); + strlen(keyLabel), keyBuf, keySz, &keyIdBob); if (ret != 0) { printf("Failed to wh_Client_KeyCache %d\n", ret); goto exit; @@ -716,8 +716,8 @@ int wh_DemoClient_CryptoEccImport(whClientContext* clientContext) /* Generate a 32-byte shared secret from Alice's perspective */ outLen = 32; - ret = wc_ecc_shared_secret(aliceKey, bobKey, (byte*)sharedOne, - (word32*)&outLen); + ret = wc_ecc_shared_secret(aliceKey, bobKey, (byte*)sharedOne, + (word32*)&outLen); if (ret != 0) { printf("Failed to wc_ecc_shared_secret %d\n", ret); goto exit; @@ -725,8 +725,8 @@ int wh_DemoClient_CryptoEccImport(whClientContext* clientContext) /* Generate a 32-byte shared secret from Bob's perspective */ outLen = 32; - ret = wc_ecc_shared_secret(bobKey, aliceKey, (byte*)sharedTwo, - (word32*)&outLen); + ret = wc_ecc_shared_secret(bobKey, aliceKey, (byte*)sharedTwo, + (word32*)&outLen); if (ret != 0) { printf("Failed to wc_ecc_shared_secret %d\n", ret); goto exit; @@ -744,8 +744,8 @@ int wh_DemoClient_CryptoEccImport(whClientContext* clientContext) /* Sign the plaintext with Alice's private key */ sigLen = sizeof(signature); - ret = wc_ecc_sign_hash(message, sizeof(message), (void*)signature, - (word32*)&sigLen, rng, aliceKey); + ret = wc_ecc_sign_hash(message, sizeof(message), (void*)signature, + (word32*)&sigLen, rng, aliceKey); if (ret != 0) { printf("Failed to wc_ecc_sign_hash %d\n", ret); goto exit; 
@@ -756,7 +756,7 @@ int wh_DemoClient_CryptoEccImport(whClientContext* clientContext) * signing and verifying would occur at separate times, and only the public * key would be distributed */ ret = wc_ecc_verify_hash((void*)signature, sigLen, (void*)message, - sizeof(message), &res, aliceKey); + sizeof(message), &res, aliceKey); if (ret != 0) { printf("Failed to wc_ecc_verify_hash %d\n", ret); goto exit; @@ -808,9 +808,9 @@ int wh_DemoClient_CryptoEccImport(whClientContext* clientContext) */ int wh_DemoClient_CryptoAesCbc(whClientContext* clientContext) { - int ret = 0; - Aes aes[1]; - byte key[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}; + int ret = 0; + Aes aes[1]; + byte key[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}; byte plainText[] = {15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0}; byte cipherText[16]; byte finalText[16]; @@ -819,7 +819,8 @@ int wh_DemoClient_CryptoAesCbc(whClientContext* clientContext) ret = wc_AesInit(aes, NULL, WH_DEV_ID); if (ret != 0) { printf("Failed to wc_AesInit %d\n", ret); - } else { + } + else { /* set the key on the client side */ ret = wc_AesSetKey(aes, key, sizeof(key), NULL, AES_ENCRYPTION); if (ret != 0) { @@ -827,7 +828,8 @@ int wh_DemoClient_CryptoAesCbc(whClientContext* clientContext) } if (ret == 0) { /* encrypt the plaintext */ - ret = wc_AesCbcEncrypt(aes, cipherText, plainText, sizeof(plainText)); + ret = + wc_AesCbcEncrypt(aes, cipherText, plainText, sizeof(plainText)); if (ret != 0) { printf("Failed to wc_AesCbcEncrypt %d\n", ret); } @@ -843,7 +845,8 @@ int wh_DemoClient_CryptoAesCbc(whClientContext* clientContext) if (ret == 0) { /* decrypt the ciphertext */ - ret = wc_AesCbcDecrypt(aes, finalText, cipherText, sizeof(plainText)); + ret = + wc_AesCbcDecrypt(aes, finalText, cipherText, sizeof(plainText)); if (ret != 0) { printf("Failed to wc_AesCbcDecrypt %d\n", ret); } 
@@ -854,7 +857,8 @@ int wh_DemoClient_CryptoAesCbc(whClientContext* clientContext) if (memcmp(plainText, finalText, sizeof(plainText)) != 0) { printf("AES CBC doesn't match after decryption\n"); ret = -1; - } else { + } + else { printf("AES CBC matches after decryption\n"); } } @@ -866,19 +870,19 @@ int wh_DemoClient_CryptoAesCbc(whClientContext* clientContext) } /* - * Demonstrates AES CBC encryption and decryption using an key cached on the HSM. - * Once cached, the key is referred to by keyId on the client and not resident - * in the local wolfCrypt struct. + * Demonstrates AES CBC encryption and decryption using an key cached on the + * HSM. Once cached, the key is referred to by keyId on the client and not + * resident in the local wolfCrypt struct. */ int wh_DemoClient_CryptoAesCbcImport(whClientContext* clientContext) { - int ret = 0; - int needEvict = 0; - whKeyId keyId = WH_KEYID_ERASED; - Aes aes[1]; - byte key[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}; - char keyLabel[] = "baby's first key"; - byte plainText[] = {15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0}; + int ret = 0; + int needEvict = 0; + whKeyId keyId = WH_KEYID_ERASED; + Aes aes[1]; + byte key[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}; + char keyLabel[] = "baby's first key"; + byte plainText[] = {15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0}; byte cipherText[16]; byte finalText[16]; @@ -891,7 +895,7 @@ int wh_DemoClient_CryptoAesCbcImport(whClientContext* clientContext) /* cache the key on the HSM */ ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel, - sizeof(keyLabel), key, sizeof(key), &keyId); + sizeof(keyLabel), key, sizeof(key), &keyId); if (ret != 0) { printf("Failed to wh_Client_KeyCache %d\n", ret); goto exit; 
@@ -955,10 +959,10 @@ int wh_DemoClient_CryptoAesCbcImport(whClientContext* clientContext) */ int wh_DemoClient_CryptoAesGcm(whClientContext* clientContext) { - int ret = 0; - Aes aes[1]; - byte key[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}; - byte iv[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}; + int ret = 0; + Aes aes[1]; + byte key[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}; + byte iv[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}; byte authIn[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}; byte authTag[16]; byte plainText[] = {15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0}; @@ -981,8 +985,8 @@ int wh_DemoClient_CryptoAesGcm(whClientContext* clientContext) /* encrypt the plaintext */ ret = wc_AesGcmEncrypt(aes, cipherText, plainText, sizeof(plainText), iv, - sizeof(iv), authTag, sizeof(authTag), authIn, - sizeof(authIn)); + sizeof(iv), authTag, sizeof(authTag), authIn, + sizeof(authIn)); if (ret != 0) { printf("Failed to wc_AesGcmEncrypt %d\n", ret); goto exit; @@ -990,7 +994,8 @@ int wh_DemoClient_CryptoAesGcm(whClientContext* clientContext) /* decrypt the ciphertext */ ret = wc_AesGcmDecrypt(aes, finalText, cipherText, sizeof(plainText), iv, - sizeof(iv), authTag, sizeof(authTag), authIn, sizeof(authIn)); + sizeof(iv), authTag, sizeof(authTag), authIn, + sizeof(authIn)); if (ret != 0) { printf("Failed to wc_AesGcmDecrypt %d\n", ret); goto exit; 
@@ -1008,21 +1013,21 @@ int wh_DemoClient_CryptoAesGcm(whClientContext* clientContext) } /* - * Demonstrates AES GCM encryption and decryption using an key cached on the HSM. - * Once cached, the key is referred to by keyId on the client and not resident - * in the local wolfCrypt struct. + * Demonstrates AES GCM encryption and decryption using an key cached on the + * HSM. Once cached, the key is referred to by keyId on the client and not + * resident in the local wolfCrypt struct. */ int wh_DemoClient_CryptoAesGcmImport(whClientContext* clientContext) { - int ret = 0; - int needEvict = 0; - whKeyId keyId = WH_KEYID_ERASED; - Aes aes[1]; - byte key[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}; - char keyLabel[] = "baby's first key"; - byte iv[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}; - byte authIn[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}; - byte authTag[16]; + int ret = 0; + int needEvict = 0; + whKeyId keyId = WH_KEYID_ERASED; + Aes aes[1]; + byte key[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}; + char keyLabel[] = "baby's first key"; + byte iv[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}; + byte authIn[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}; + byte authTag[16]; byte plainText[] = {15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0}; byte cipherText[16]; byte finalText[16]; @@ -1036,7 +1041,7 @@ int wh_DemoClient_CryptoAesGcmImport(whClientContext* clientContext) /* cache the key on the HSM */ ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel, - sizeof(keyLabel), key, sizeof(key), &keyId); + sizeof(keyLabel), key, sizeof(key), &keyId); if (ret != 0) { printf("Failed to wh_Client_KeyCache %d\n", ret); goto exit; 
@@ -1060,7 +1065,8 @@ int wh_DemoClient_CryptoAesGcmImport(whClientContext* clientContext) /* encrypt the plaintext */ ret = wc_AesGcmEncrypt(aes, cipherText, plainText, sizeof(plainText), iv, - sizeof(iv), authTag, sizeof(authTag), authIn, sizeof(authIn)); + sizeof(iv), authTag, sizeof(authTag), authIn, + sizeof(authIn)); if (ret != 0) { printf("Failed to wc_AesGcmEncrypt %d\n", ret); goto exit; @@ -1068,7 +1074,8 @@ int wh_DemoClient_CryptoAesGcmImport(whClientContext* clientContext) /* decrypt the ciphertext */ ret = wc_AesGcmDecrypt(aes, finalText, cipherText, sizeof(plainText), iv, - sizeof(iv), authTag, sizeof(authTag), authIn, sizeof(authIn)); + sizeof(iv), authTag, sizeof(authTag), authIn, + sizeof(authIn)); if (ret != 0) { printf("Failed to wc_AesGcmDecrypt %d\n", ret); goto exit; @@ -1105,16 +1112,16 @@ int wh_DemoClient_CryptoAesGcmImport(whClientContext* clientContext) */ int wh_DemoClient_CryptoCmac(whClientContext* clientContext) { - int ret = 0; + int ret = 0; word32 outLen; - Cmac cmac[1]; - byte key[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}; - char message[] = "hash and verify me!"; - byte tag[16]; + Cmac cmac[1]; + byte key[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}; + char message[] = "hash and verify me!"; + byte tag[16]; /* initialize the cmac struct and set the key */ - ret = wc_InitCmac_ex(cmac, key, sizeof(key), WC_CMAC_AES, - NULL, NULL, WH_DEV_ID); + ret = wc_InitCmac_ex(cmac, key, sizeof(key), WC_CMAC_AES, NULL, NULL, + WH_DEV_ID); if (ret != 0) { printf("Failed to wc_InitCmac_ex %d\n", ret); goto exit; 
@@ -1129,15 +1136,16 @@ int wh_DemoClient_CryptoCmac(whClientContext* clientContext) /* get the cmac tag */ outLen = sizeof(tag); - ret = wc_CmacFinal(cmac, tag, &outLen); + ret = wc_CmacFinal(cmac, tag, &outLen); if (ret != 0) { printf("Failed to wc_CmacFinal %d\n", ret); goto exit; } /* verify the tag */ - ret = wc_AesCmacVerify_ex(cmac, tag, sizeof(tag), (byte*)message, - strlen(message), key, sizeof(key), NULL, WH_DEV_ID); + ret = + wc_AesCmacVerify_ex(cmac, tag, sizeof(tag), (byte*)message, + strlen(message), key, sizeof(key), NULL, WH_DEV_ID); if (ret != 0) { printf("CMAC hash and verify failed %d\n", ret); goto exit; @@ -1156,18 +1164,17 @@ int wh_DemoClient_CryptoCmac(whClientContext* clientContext) */ int wh_DemoClient_CryptoCmacImport(whClientContext* clientContext) { - int ret = 0; - word32 outLen; + int ret = 0; + word32 outLen; whKeyId keyId = WH_KEYID_ERASED; - Cmac cmac[1]; - byte key[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}; - char keyLabel[] = "baby's first key"; - char message[] = "hash and verify me!"; - byte tag[16]; + Cmac cmac[1]; + byte key[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}; + char keyLabel[] = "baby's first key"; + char message[] = "hash and verify me!"; + byte tag[16]; /* initialize the cmac struct */ - ret = wc_InitCmac_ex(cmac, NULL, 0, WC_CMAC_AES, NULL, NULL, - WH_DEV_ID); + ret = wc_InitCmac_ex(cmac, NULL, 0, WC_CMAC_AES, NULL, NULL, WH_DEV_ID); if (ret != 0) { printf("Failed to wc_InitCmac_ex %d\n", ret); goto exit; @@ -1175,7 +1182,7 @@ int wh_DemoClient_CryptoCmacImport(whClientContext* clientContext) /* cache the key on the HSM */ ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel, - sizeof(keyLabel), key, sizeof(key), &keyId); + sizeof(keyLabel), key, sizeof(key), &keyId); if (ret != 0) { printf("Failed to wh_Client_KeyCache %d\n", ret); goto exit; 
@@ -1197,7 +1204,7 @@ int wh_DemoClient_CryptoCmacImport(whClientContext* clientContext) /* get the cmac tag */ outLen = sizeof(tag); - ret = wc_CmacFinal(cmac, tag, &outLen); + ret = wc_CmacFinal(cmac, tag, &outLen); if (ret != 0) { printf("Failed to wc_CmacFinal %d\n", ret); goto exit; @@ -1205,7 +1212,7 @@ int wh_DemoClient_CryptoCmacImport(whClientContext* clientContext) /* cache the key on the HSM */ ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel, - sizeof(keyLabel), key, sizeof(key), &keyId); + sizeof(keyLabel), key, sizeof(key), &keyId); if (ret != 0) { printf("Failed to wh_Client_KeyCache %d\n", ret); goto exit; @@ -1221,7 +1228,7 @@ int wh_DemoClient_CryptoCmacImport(whClientContext* clientContext) /* verify the cmac tag using the special HSM oneshot function * wh_Client_AesCmacVerify which is required for pre cached keys */ ret = wh_Client_CmacAesVerify(cmac, tag, sizeof(tag), (byte*)message, - strlen(message), keyId, NULL); + strlen(message), keyId, NULL); if (ret != 0) { printf("CMAC hash and verify failed with imported key %d\n", ret); goto exit; @@ -1240,18 +1247,17 @@ int wh_DemoClient_CryptoCmacImport(whClientContext* clientContext) */ int wh_DemoClient_CryptoCmacOneshotImport(whClientContext* clientContext) { - int ret = 0; - word32 outLen; + int ret = 0; + word32 outLen; whKeyId keyId = WH_KEYID_ERASED; - Cmac cmac[1]; - byte key[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}; - char keyLabel[] = "baby's first key"; - char message[] = "hash and verify me!"; - byte tag[16]; + Cmac cmac[1]; + byte key[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}; + char keyLabel[] = "baby's first key"; + char message[] = "hash and verify me!"; + byte tag[16]; /* initialize the cmac struct */ - ret = wc_InitCmac_ex(cmac, NULL, 0, WC_CMAC_AES, NULL, NULL, - WH_DEV_ID); + ret = wc_InitCmac_ex(cmac, NULL, 0, WC_CMAC_AES, NULL, NULL, WH_DEV_ID); if (ret != 0) { printf("Failed to wc_InitCmac_ex %d\n", ret); goto exit; 
@@ -1259,7 +1265,7 @@ int wh_DemoClient_CryptoCmacOneshotImport(whClientContext* clientContext) /* cache the key on the HSM */ ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel, - sizeof(keyLabel), key, sizeof(key), &keyId); + sizeof(keyLabel), key, sizeof(key), &keyId); if (ret != 0) { printf("Failed to wh_Client_KeyCache %d\n", ret); goto exit; @@ -1275,8 +1281,8 @@ int wh_DemoClient_CryptoCmacOneshotImport(whClientContext* clientContext) /* generate the cmac tag using the special HSM wh_Client_AesCmacGenerate * function which is required for pre cached keys */ outLen = sizeof(tag); - ret = wh_Client_CmacAesGenerate(cmac, tag, &outLen, (byte*)message, - sizeof(message), keyId, NULL); + ret = wh_Client_CmacAesGenerate(cmac, tag, &outLen, (byte*)message, + sizeof(message), keyId, NULL); if (ret != 0) { printf("Failed to wh_Client_AesCmacGenerate %d\n", ret); goto exit; @@ -1285,7 +1291,7 @@ int wh_DemoClient_CryptoCmacOneshotImport(whClientContext* clientContext) /* cache the key on the HSM again, cmac keys are evicted after wc_CmacFinal * is called */ ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel, - sizeof(keyLabel), key, sizeof(key), &keyId); + sizeof(keyLabel), key, sizeof(key), &keyId); if (ret != 0) { printf("Failed to wh_Client_KeyCache %d\n", ret); goto exit; @@ -1301,9 +1307,10 @@ int wh_DemoClient_CryptoCmacOneshotImport(whClientContext* clientContext) /* verify the cmac tag using the special HSM oneshot function * wh_Client_AesCmacVerify which is required for pre cached keys */ ret = wh_Client_CmacAesVerify(cmac, tag, sizeof(tag), (byte*)message, - sizeof(message), keyId, NULL); + sizeof(message), keyId, NULL); if (ret != 0) { - printf("CMAC hash and verify oneshot failed with imported key %d\n", ret); + printf("CMAC hash and verify oneshot failed with imported key %d\n", + ret); goto exit; } 
@@ -1313,4 +1320,3 @@ int wh_DemoClient_CryptoCmacOneshotImport(whClientContext* clientContext) return ret; } #endif /* WOLFSSL_CMAC && !NO_AES */ - From f362f3d45340a35071c927d5c452a05dbb3f86bb Mon Sep 17 00:00:00 2001 From: Brett Nicholas <7547222+bigbrett@users.noreply.github.com> Date: Tue, 5 Nov 2024 10:44:48 -0700 Subject: [PATCH 17/18] fixed RSA --- demo/certs/alice-ecc256-key.der | Bin 121 -> 121 bytes demo/certs/bob-ecc256-key.der | Bin 121 -> 121 bytes demo/certs/genCerts.sh | 3 +++ demo/certs/rsa-2048-key.der | Bin 0 -> 1218 bytes demo/client/wh_demo_client_crypto.c | 2 +- posix/tcp/wh_client_tcp/Makefile | 2 +- posix/tcp/wh_client_tcp/user_settings.h | 1 - posix/tcp/wh_client_tcp/wolfhsm_cfg.h | 2 -- 8 files changed, 5 insertions(+), 5 deletions(-) create mode 100644 demo/certs/rsa-2048-key.der diff --git a/demo/certs/alice-ecc256-key.der b/demo/certs/alice-ecc256-key.der index 5e21b4c9934155fe850653bbe8e7ffa30778271e..4ba783a7a343100fd6278437a1c92b58d1f4b2b4 100644 GIT binary patch literal 121 zcmV-<0EYiCcLD(c1R!7HU6!QqQ5_{ijF5Gyw_AaWd~;K$fvMhgs?EWKZ3>_Y1_&yK zNX|V20SBQ(13~}Nk3$gOAy*oJoY|lHpdPI^oB#Ld2_u%i)L1}PJ bDdjXaO10k_kj%{J1ak&!{69OcO2yO%m8>&M literal 121 zcmV-<0EYiCcLD(c1R(eP1&T_RL*kK~KGe3na^!Lo=Q!uKt2gV?vOV_fB!Hj_1_&yK zNX|V20SBQ(13~}Zw*y#V%AnF`E@cTGjO4Lr bI!2sjytmH`_zXSZXC?wB0m%)yjW2h8<#sjh 
diff --git a/demo/certs/bob-ecc256-key.der b/demo/certs/bob-ecc256-key.der index 697bb81911406be97be308a60a5b9baa933dc1fb..de3741d10e5e0646824267312c485682c93c9b86 100644 GIT binary patch literal 121 zcmV-<0EYiCcLD(c1RxYzvqk!IK#PPHAGbAeL;R#OEXa}58OyfgJReG?(FULj1_&yK zNX|V20SBQ(13~}ImaXKG`^1D_Z(|daf06QU{?X!ei#cO1&pj_F_I4Y b?rwpF;RM2RbqNaF%BNkMAB@&m9outLXK*u9 literal 121 zcmV-<0EYiCcLD(c1R!rOt8g?sq$jR~I=dKCgxnYNFCY{$Kiq;KzsOf&{(-0RS)!1_>&LNQUrs4#*Aqyhl|0)hbn0Irc`w$pcw zgU1)KHbCK=ip@39G2(6QJ|){saY{;OF~*#k3%GI|oGqkfnSGBz7OHo;tMCcxb#jYD z!*Tr|#Q;@e`Zg695*f&YXr&n>e}S<(cY(r$rLYBOQ9GRA(TzA4L{s5 zsiL-b2Rlha!=TW+bgBXVm>nu%96hBY0oQ2a^`2^IUQezaQ)7cDf?2R}lf=t%xT3 zG8iB%DX~fZXkkd&N_F=yezcb3{T8QjT$9?yD8!l=M|eJcTI<^(R{{e8009Dm0RTx( zb9p!lPg)d2CB4(PDrUP-D$U3Q)YUy4lef4tfd7Zu`H;je7(r-C~U=x zRC4E>22W7Y>;i3OZU3AJzU~+76F9*fw2nHt*4{7=q*Zc&jK>HHFd|2wtO)67RQlTO zSvhDV&XOMMZKQ$QNsj`D2OZfpDpcHm3?8k7icb8`uU0X_ta_HAqtQdc_W@&G#1!dHOKO|EgFcoA`$D_N z#9|E{SxR}rPA7+yS+ZN5Nr`u;<|9>z3lOVn>mr9mc`DSmK9u1;$JRJ1Zm|M^fdK3( z->jtqY}V66dVRyb6nrRYf}!!$?sIqnfOA=OtK2^uSRQSY$8iW$%}>-}^EVQoW*m7l zLsP*rh*C7SZLf!V+!8G@WEyXN4tcWZ5SMrGn8*%x8^$#=G^qlC zfdIAXd}}V7M4aIjK}h&&#JaK~JC$6jeH0OF4Tf@8Fb zLE`erC^R9v=ftKkn=>IIBu`dYSMxw^(#L7{x52PMLB(FL5PHf>%N4<3?f$ g+_YI2c2BQ7tDbR)!@w)XB_E^=j+&;kf>sX@tByH6761SM literal 0 HcmV?d00001 diff --git a/demo/client/wh_demo_client_crypto.c b/demo/client/wh_demo_client_crypto.c index 878f59e..cdcd172 100644 --- a/demo/client/wh_demo_client_crypto.c +++ b/demo/client/wh_demo_client_crypto.c @@ -131,7 +131,7 @@ int wh_DemoClient_CryptoRsaImport(whClientContext* clientContext) int keySz; int needEvict = 0; whKeyId keyId = WH_KEYID_ERASED; - char keyFile[] = "../../../demo/certs/ca-key.der"; + char keyFile[] = "../../../demo/certs/rsa-2048-key.der"; const char plainString[] = "The quick brown fox jumps over the lazy dog."; char keyLabel[] = "baby's first key"; uint8_t keyBuf[2048]; diff --git a/posix/tcp/wh_client_tcp/Makefile b/posix/tcp/wh_client_tcp/Makefile index 73e923f..f493968 100644 
--- a/posix/tcp/wh_client_tcp/Makefile +++ b/posix/tcp/wh_client_tcp/Makefile @@ -19,7 +19,7 @@ INC = -I$(WOLFHSM_DIR) \ -I$(WOLFHSM_CLIENT_DEMO_DIR) # Defines -DEF = -DWOLFSSL_USER_SETTINGS -D_GNUC_ +DEF = -DWOLFSSL_USER_SETTINGS -D WOLFHSM_CFG -D_GNUC_ # Architecture ARCHFLAGS ?= diff --git a/posix/tcp/wh_client_tcp/user_settings.h b/posix/tcp/wh_client_tcp/user_settings.h index 2bfc3a9..683f003 100644 --- a/posix/tcp/wh_client_tcp/user_settings.h +++ b/posix/tcp/wh_client_tcp/user_settings.h @@ -23,7 +23,6 @@ #define WOLFSSL_AES_DIRECT #define WOLFSSL_CMAC - /* Include to ensure clock_gettime is declared for benchmark.c */ #include /* Include to support strcasecmp with POSIX build */ diff --git a/posix/tcp/wh_client_tcp/wolfhsm_cfg.h b/posix/tcp/wh_client_tcp/wolfhsm_cfg.h index 9b7a724..fc502f3 100644 --- a/posix/tcp/wh_client_tcp/wolfhsm_cfg.h +++ b/posix/tcp/wh_client_tcp/wolfhsm_cfg.h @@ -27,8 +27,6 @@ /** wolfHSM settings */ -/* #define WOLFHSM_CFG_NO_CRYPTO */ -#define WOLFHSM_CFG_SHE_EXTENSION #define WOLFHSM_CFG_COMM_DATA_LEN 1280 #endif /* WOLFHSM_CFG_H_ */ From 312b72d8088b9ce8cb7d7fb2d395b88446b95880 Mon Sep 17 00:00:00 2001 
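Review bot: The new `-D WOLFHSM_CFG` in `DEF` is written with a space, while the neighbouring flags use the joined form (`-DWOLFSSL_USER_SETTINGS`, `-D_GNUC_`); `-DWOLFHSM_CFG` would keep the line uniform. The macro presumably makes the library headers pull in this directory's `wolfhsm_cfg.h`, so a comment above `DEF` such as `# WOLFHSM_CFG: build against the local wolfhsm_cfg.h` would record why it is needed. That header sets `WOLFHSM_CFG_COMM_DATA_LEN`, so confirm that the server build defines the macro too and both ends compile with the same message size; the server Makefile is not touched by this patch.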
From: Brett Nicholas <7547222+bigbrett@users.noreply.github.com> Date: Tue, 5 Nov 2024 11:26:27 -0700 Subject: [PATCH 18/18] add keys --- demo/certs/alice-ecc256-key.der | Bin 121 -> 121 bytes demo/certs/bob-ecc256-key.der | Bin 121 -> 121 bytes demo/certs/curve25519-private-alice.raw | 2 -- demo/certs/curve25519-private-bob.raw | 1 - demo/certs/curve25519-public-alice.raw | 2 -- demo/certs/curve25519-public-bob.raw | 1 - demo/certs/ecc-private-alice.raw | Bin 96 -> 0 bytes demo/certs/ecc-private-bob.raw | 1 - demo/certs/ecc-public-alice.raw | 1 - demo/certs/ecc-public-bob.raw | 1 - demo/certs/{genCerts.sh => genKeys.sh} | 6 ++++++ demo/certs/rsa-2048-key.der | Bin 1218 -> 1218 bytes demo/client/wh_demo_client_crypto.c | 5 +++++ 13 files changed, 11 insertions(+), 9 deletions(-) delete mode 100644 demo/certs/curve25519-private-alice.raw delete mode 100644 demo/certs/curve25519-private-bob.raw delete mode 100644 demo/certs/curve25519-public-alice.raw delete mode 100644 demo/certs/curve25519-public-bob.raw delete mode 100644 demo/certs/ecc-private-alice.raw delete mode 100644 demo/certs/ecc-private-bob.raw delete mode 100644 demo/certs/ecc-public-alice.raw delete mode 100644 demo/certs/ecc-public-bob.raw rename demo/certs/{genCerts.sh => genKeys.sh} (51%) diff --git a/demo/certs/alice-ecc256-key.der b/demo/certs/alice-ecc256-key.der index 4ba783a7a343100fd6278437a1c92b58d1f4b2b4..ee6017531121f15cf3bba5142b625f998176e26b 100644 GIT binary patch literal 121 zcmV-<0EYiCcLD(c1R!=Xl)mOmIXaaajL2t;hr;cn1x?QWw1AQ^izt3#hwjXp>4V*&f8;ks buvnmd5Xpq@DdA7j5@DUx#66t)UCh=)_Y1_&yK zNX|V20SBQ(13~}Nk3$gOAy*oJoY|lHpdPI^oB#Ld2_u%i)L1}PJ bDdjXaO10k_kj%{J1ak&!{69OcO2yO%m8>&M 
diff --git a/demo/certs/bob-ecc256-key.der b/demo/certs/bob-ecc256-key.der index de3741d10e5e0646824267312c485682c93c9b86..c8ed0d192408eb40255305e19dc0f8f2f2a6f557 100644 GIT binary patch literal 121 zcmV-<0EYiCcLD(c1R%4-PzlaZxK_gwFdS6cPfByfnKn%Rhdb?AMH-Dof*qg=1_&yK zNX|V20SBQ(13~}<1&LXjr1h%-(FSv4!_EX8T+}fIEba@&Y&3WCig$EqGm+q|c}i$a bWg1BRORYTiCrKl%0?k98KK~Iq%{{8+pfxY{ literal 121 zcmV-<0EYiCcLD(c1RxYzvqk!IK#PPHAGbAeL;R#OEXa}58OyfgJReG?(FULj1_&yK zNX|V20SBQ(13~}ImaXKG`^1D_Z(|daf06QU{?X!ei#cO1&pj_F_I4Y b?rwpF;RM2RbqNaF%BNkMAB@&m9outLXK*u9 diff --git a/demo/certs/curve25519-private-alice.raw b/demo/certs/curve25519-private-alice.raw deleted file mode 100644 index 6645374..0000000 --- a/demo/certs/curve25519-private-alice.raw +++ /dev/null @@ -1,2 +0,0 @@ -XLF -Hņ>\iߡhG}?b︸"nÈh \ No newline at end of file diff --git a/demo/certs/curve25519-private-bob.raw b/demo/certs/curve25519-private-bob.raw deleted file mode 100644 index 229e929..0000000 --- a/demo/certs/curve25519-private-bob.raw +++ /dev/null @@ -1 +0,0 @@ -J,>JCr5f?0$TVz(oF|]\iߡ \ No newline at end of file diff --git a/demo/certs/curve25519-public-bob.raw b/demo/certs/curve25519-public-bob.raw deleted file mode 100644 index 86a70b3..0000000 --- a/demo/certs/curve25519-public-bob.raw +++ /dev/null @@ -1 +0,0 @@ -J,>JCr5f?0$T \ No newline at end of file diff --git a/demo/certs/ecc-private-alice.raw b/demo/certs/ecc-private-alice.raw deleted file mode 100644 index 953f132a17f6caa2eed835be16cab9193dfecc74..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 96 zcmV-m0H6O%5$F8#I!q?i9)odyMqxx%)zZklT9MWl59(|e$G^zFqo4C99E+4eFnxTU z7yL}_vq=3jn@rjrrD}!ci}e#?+e;+E$)4ByRR%XD2&klpAt56W3iz^&0Q{O@E;A`I CaxQ=X diff --git a/demo/certs/ecc-private-bob.raw b/demo/certs/ecc-private-bob.raw deleted file mode 100644 index f5edb8a..0000000 --- a/demo/certs/ecc-private-bob.raw +++ /dev/null @@ -1 +0,0 @@ -moL)Qx^Nn@t4-c;ᵴJC;5xW ρ5[$} ÓR ݓc T4 \ No newline at end of file 
diff --git a/demo/certs/ecc-public-alice.raw b/demo/certs/ecc-public-alice.raw deleted file mode 100644 index e4d6a89..0000000 --- a/demo/certs/ecc-public-alice.raw +++ /dev/null @@ -1 +0,0 @@ -L:L&q~FaDUȽZlǿȾ'A0}|LH3Lj \ No newline at end of file diff --git a/demo/certs/ecc-public-bob.raw b/demo/certs/ecc-public-bob.raw deleted file mode 100644 index 130bdf3..0000000 --- a/demo/certs/ecc-public-bob.raw +++ /dev/null @@ -1 +0,0 @@ -moL)Qx^Nn@t4-c;ᵴJC;5xW ρ \ No newline at end of file diff --git a/demo/certs/genCerts.sh b/demo/certs/genKeys.sh similarity index 51% rename from demo/certs/genCerts.sh rename to demo/certs/genKeys.sh index 4309266..8655b1b 100755 --- a/demo/certs/genCerts.sh +++ b/demo/certs/genKeys.sh @@ -10,3 +10,9 @@ openssl ec -in bob-ecc256-key.pem -outform DER -out bob-ecc256-key.der openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out rsa-2048-key.pem openssl rsa -in rsa-2048-key.pem -outform DER -out rsa-2048-key.der +# TODO: Curve25519 Keys +# Either need to modify examples to split out public/private operations, or modify wolfHSM to be able to recove public keys on deserialization of private only. +#openssl genpkey -algorithm X25519 -out alice-curve25519-key.pem +#openssl genpkey -algorithm X25519 -out bob-curve25519-key.pem +#openssl pkey -in alice-curve25519-key.pem -outform DER -out alice-curve25519-key.der +#openssl pkey -in bob-curve25519-key.pem -outform DER -out bob-curve25519-key.der 
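Review bot: The commented-out X25519 commands added at the end of the script would write `alice-curve25519-key.der` and `bob-curve25519-key.der`, but the demo in `wh_demo_client_crypto.c` (last hunk of this patch) opens `curve25519_keyBob.der` and `curve25519_keyAlice.der`, so enabling them as written would not produce the files the demo reads. Settle on one naming scheme when the TODO is resolved. The TODO line also has a typo, `recove` for `recover`. The script writes private keys with no passphrase and they are committed next to it, so unless the part of the script above this hunk already says so, add a header comment like `# Demo/test keys only: unencrypted, never use outside the examples`.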
diff --git a/demo/certs/rsa-2048-key.der b/demo/certs/rsa-2048-key.der index 3228d395400ca1026422fdd4c2ff1eb054674612..5c4c6fdfffaae55ae356e9937a740ba99147e93f 100644 GIT binary patch delta 1196 zcmV;d1XKIM3Bn1GCV$x^Vv4u0Y0xS1PiIQ6ta`WhHNtW!qN&b-5Q4!8oygRMUDR{x z*H0Pq8e(A72Wi%XlW$X6&b&O~^NB`V(-Ph-m;-jUO~2T@Lz>(0prMHvtyN#V5^WRO z^}yAxY6pW_2kBIq=CVY6)&*=8wFz(xU?@d&XK-6$MxZJJ1AlVD*USu;s#Ll{f=Wx! zoN*ek5Mat_nx0C``wCB+{hIkTVALvji^b51)26>5HC5@MKz3Ijb z(s{Ihx!hhEj(_D}0s{d60Rn;n05%vL-frb-ZrsdEAhFl-(S4h~2g_CX`f-8qp^8F* zhQj{Xfw4gQQ*Px0nJ0r9x3HtdaPj1bBp zz!!n+TQwV!rf>Bt-{eM|`td^t*f>1f0PW1Um3hwdbAN>0`&i$@D^dbA4>M)Gj@dL8 z7m|0-j@He0H3?s=D`m8kOGvQJr#?`RelT_VlD64K`2frq;!dyStRt}N3v)gT@bj~1 zs-DC}CO%{KT;4wTlsR)I)=pjIl13>r$v&pMQK?$z3 z=tI!DxPNcEGwf+Q_kAi6SY(9)fq?+$Ua<$W^DR8^IGNu6&h>Ebne{qPo<;CRK_1a) zVhwRdMp{pSi1jUmJ9C^_19a;ZzHK>=*(l`GHSe%&+pe~&=zOe7W(p{)Ct$nXTgkcF zcs$(#9vM}m{yg4GnzG-@+?|$yzoh@8Orl#0{eS%n5)fQ7%3t4?#;;Ue^h)2=0)c@5 z@Imz*%2_ULP+Qs{*Hca6Ol|+SwXQn5`RWLSXZKwMh+qqrHAQ=DV$d6^6bBEn8rhs| zPVbf6<8o~f1#%60TL*LKWB(cFVn{?k?QA8KIdHHF-s05naKi$9j_;vTTTst$Yf5k& z1AkX5NFiQD&{@M~iDBwNC@avxk)!ecV*-JIGjYz76XXIf28z#1(mh5!vPj)Y_2Lgw z`HTrVE~kF2tsZ}VCL=k(!6GL1prkM#1zN5ansI`%K6FE~O2Hlb=ml+)F^9Ioj4Rnn zY*Dyu=CaLoroQ5fG)I?dCJtk-cK^=WWPc7gwa%@7d>0aiZ7aJEg+zWt%?^}xf!>R^ zaRPyX0Jf)YQdgt3NG0#C#fa`KC;u}cRp}|LJ$#}N7nyR^q`ZkpMalXo`yHfNW7HN3 zH~P`Fx*^EJhDzjCDWZ&NVI$aJG$Y#`3_5oYqD{Y#ZbMPos=6b zG~khTtr#y;b!I5qZxd1rg#S!EN8J K8oml~wO|WQTS<%n delta 1196 zcmV;d1XKIM3Bn1GCV#GxWwz6Ijf2M*u{J>AoQlmg&@tj|?LH;jOmRv|XEDZ{nG3jb z9GoqrWtn}CK^Cfax~uRB>UDC9M8k3YAH@JwV*8o8TM(gbqH@Jz792M&7Hb5__v+f@ z^U>a?hshK#Q%j*379o^Pu?;`mF{z@rDNj8uVFO^EzLAtcRew0;GFdE2@pT(%K3j3nkYr;r@U_8Hzo#_)$Ck&I>}tte;I{Y*jX4BCb~v0pP8OCi^lNAS@}dN&aYINZLwu_b-05mgD^vr*T}9+Qulv znixlTK7Cs2+kYWf0s{d60Rn;n07*`Bc{mDBS`NPo2 zW_q#?F80u@r3E3eEU2b@y~yq;Y{iRIa_5`|Pf*e90&Qk(|C|ZF?icJ6IKdpWjyk#4 z-Y^fORdRrg#|R2AB1fRC2k7icb8`uU0X_ta_HA zqtQdc_W@&G#1!dHOKO|EgFcoA`$D_N#9|E{SxR}rPA7+yS+ZN5Nr`u;<|9>z3lOVn 
z>mr9md4DR@w?35NKF8KLDsHg?fq?+*D&MT70&LdPM0$P0z7%{YX@a5g)b4Y50f2K^ zb*tPz8(1D~lgDugRLxJ+Ve>Z7U0YG%XK~nf4GFxT;0)c@5 zy*feqFO4kft>w@1vRKiSz{%&@8p)Z2iq(4&P&PoPX&;>dMQwj>B%5Q+mqy=q`>MK! zK+Y_AuJ*w+_lGUTEIO=+EBROQi3l5U{yYoT9OQKZ<2;KWz^sufE(0#lb^lagY-hZGw_}?8Jg{$DAwkvS0L4_0m!!3v7(eM3R z`=0`VfdH|Nlh7rEYwSISk<6ls^96{lED#*%q*IwrUGGi%%1I17EWf{;(qPb$6j zeH0OF4 zkIg~yh#PrBkBi2kISgnQ#P1WQ-nd=r(JC;XM9>)mfq*^x&4q=Fk@J?o#sJiGkn%d8 z0%@Se2y2I;6?FtU;W{`g`G0+(;W|AF?}B5rib3M?$S5=+yXVBFFq<LsuRN=safrjfE5;=sqzsOl Krn7=p4-l&tfIOT4 diff --git a/demo/client/wh_demo_client_crypto.c b/demo/client/wh_demo_client_crypto.c index cdcd172..c79e523 100644 --- a/demo/client/wh_demo_client_crypto.c +++ b/demo/client/wh_demo_client_crypto.c @@ -331,8 +331,13 @@ int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext) word32 outLen; whKeyId keyIdBob = WH_KEYID_ERASED; whKeyId keyIdAlice = WH_KEYID_ERASED; + #if 0 char keyPairFileBob[] = "../../../demo/certs/curve25519_keyBob.der"; char keyPairFileAlice[] = "../../../demo/certs/curve25519_keyAlice.der"; + #else + char keyPairFileBob[] = "../../../demo/certs/curve25519_keyBob.der"; + char keyPairFileAlice[] = "../../../demo/certs/curve25519_keyAlice.der"; + #endif char keyLabel[] = "baby's first key"; uint8_t keyBuf[256]; uint8_t sharedOne[CURVE25519_KEYSIZE];
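Review bot: Both branches of the added `#if 0` / `#else` in `wh_DemoClient_CryptoCurve25519Import` declare `keyPairFileBob` and `keyPairFileAlice` with byte-identical paths, so the conditional changes nothing and only leaves dead code behind. Either drop the three preprocessor lines and keep the original two declarations, or put the intended replacement paths in the `#else` branch with a comment saying what they are waiting on. This patch also deletes the `curve25519-*.raw` files, and nothing visible here shows whether `curve25519_keyBob.der` and `curve25519_keyAlice.der` exist under `demo/certs`, so check that the code reading these files fails cleanly when they are missing. The function body starts and ends outside the hunk.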