feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Support longer-than-8bit IDs for IoTSAFE key/file slots

Browse Source
This commit is contained in:
Daniele Lacamera
2021-10-27 14:47:16 +02:00
parent 9f6aa36866
commit 2f17a7e626
6 changed files with 259 additions and 108 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
IDE/iotsafe/Makefile
View File

@ -28,7 +28,6 @@ LDFLAGS+=-mcpu=cortex-m3
LDFLAGS+=-lc -lg -lm
LDFLAGS+=--specs=nosys.specs
OBJS:=main.o startup.o devices.o memory-tls.o
WOLFSSL_OBJS += \
@ -80,8 +79,8 @@ OBJS+=$(WOLFSSL_OBJS) $(OBJS_SPMATH)
vpath %.c $(dir $(WOLFSSL_ROOT)/src)
vpath %.c $(dir $(WOLFSSL_ROOT)/wolfcrypt/src)
CFLAGS+=-g -ggdb3
#CFLAGS+=-O2
#CFLAGS+=-g -ggdb3
CFLAGS+=-Os
#all: image.bin

2
IDE/iotsafe/main.c
View File

@ -79,7 +79,7 @@ void main(void)
{
uint32_t last_mark = 0;
int i;
char randombytes[16];
uint8_t randombytes[16];
int ret;
char c;
WC_RNG rng;

61
IDE/iotsafe/memory-tls.c
View File

@ -35,43 +35,8 @@
#include <stdio.h>
#include <string.h>
#include "ca-cert.c"
/* IoTSAFE Certificate slots */
/* File Slot '03' is pre-provisioned with
* local certificate.
*/
#define CRT_CLIENT_FILE_ID 0x03 /* pre-provisioned */
/* File Slot '04' is pre-provisioned with the
* server's EC public key certificate
*/
#define CRT_SERVER_FILE_ID 0x04
/* IoTSAFE Key slots */
/* Key slot '02' is pre-provisioned with
* the client private key.
*/
#define PRIVKEY_ID 0x02 /* pre-provisioned */
/* Key slot '03' is used by wolfSSL to generate
* the ECDH key that will be used during the TLS
* session.
*/
#define ECDH_KEYPAIR_ID 0x03
/* Key slot '04' is used to store the public key
* received from the peer.
*/
#define PEER_PUBKEY_ID 0x04
/* Key slot '05' is used to store a public key
* used for ecc verification
*/
#define PEER_CERT_ID 0x05
/* The following define
* activates mutual authentication */
@ -178,6 +143,20 @@ static int client_loop(void)
/* set up client */
int ret;
const char* helloStr = "hello iot-safe wolfSSL";
#if (IOTSAFE_ID_SIZE == 1)
byte cert_file_id, privkey_id, keypair_id, peer_pubkey_id, peer_cert_id;
byte ca_cert_id;
#else
word16 cert_file_id, privkey_id, keypair_id, peer_pubkey_id, peer_cert_id;
word16 ca_cert_id;
#endif
cert_file_id = CRT_CLIENT_FILE_ID;
privkey_id = PRIVKEY_ID;
keypair_id = ECDH_KEYPAIR_ID;
peer_pubkey_id = PEER_PUBKEY_ID;
peer_cert_id = PEER_CERT_ID;
ca_cert_id = CRT_SERVER_FILE_ID;
printf("=== CLIENT step %d ===\n", client_state);
if (client_state == 0) {
@ -202,7 +181,8 @@ static int client_loop(void)
return -1;
}
cert_buffer_size = wolfIoTSafe_GetCert(CRT_SERVER_FILE_ID, cert_buffer,
cert_buffer_size = wolfIoTSafe_GetCert_ex(&ca_cert_id,IOTSAFE_ID_SIZE,
cert_buffer,
sizeof(cert_buffer));
if (cert_buffer_size < 1) {
printf("Bad server cert\n");
@ -219,7 +199,8 @@ static int client_loop(void)
wolfSSL_CTX_set_verify(cli_ctx, WOLFSSL_VERIFY_PEER, NULL);
#ifdef CLIENT_AUTH
cert_buffer_size = wolfIoTSafe_GetCert(CRT_CLIENT_FILE_ID, cert_buffer,
cert_buffer_size = wolfIoTSafe_GetCert_ex(&cert_file_id, IOTSAFE_ID_SIZE,
cert_buffer,
sizeof(cert_buffer));
if (cert_buffer_size < 1) {
printf("Bad client cert\n");
@ -248,8 +229,9 @@ static int client_loop(void)
}
printf("Setting TLS options: turn on IoT-safe for this socket\n");
wolfSSL_iotsafe_on(cli_ssl, PRIVKEY_ID, ECDH_KEYPAIR_ID,
PEER_PUBKEY_ID, PEER_CERT_ID);
wolfSSL_iotsafe_on_ex(cli_ssl, &privkey_id, &keypair_id,
&peer_pubkey_id, &peer_cert_id, IOTSAFE_ID_SIZE);
#ifdef WOLFSSL_TLS13
printf("Setting TLSv1.3 for SECP256R1 key share\n");
@ -408,5 +390,6 @@ int memory_tls_test(void)
wolfSSL_free(srv_ssl);
wolfSSL_CTX_free(srv_ctx);
return 0;
}

34
IDE/iotsafe/user_settings.h
View File

@ -23,9 +23,36 @@
#ifndef IOTSAFE_EXAMPLE_USER_SETTINGS_H
#define IOTSAFE_EXAMPLE_USER_SETTINGS_H
#include <stdint.h>
/* Uncomment next line to enable 2-bytes ID demo */
//#define TWO_BYTES_ID_DEMO
/* IOT-Safe slot configuration for this example
*/
#ifdef TWO_BYTES_ID_DEMO
#define IOTSAFE_ID_SIZE 2
#define CRT_CLIENT_FILE_ID 0x3430 /* pre-provisioned */
#define CRT_SERVER_FILE_ID 0x3330
#define PRIVKEY_ID 0x3230 /* pre-provisioned */
#define ECDH_KEYPAIR_ID 0x3330
#define PEER_PUBKEY_ID 0x3430
#define PEER_CERT_ID 0x3530
#else
#define IOTSAFE_ID_SIZE 1
#define CRT_CLIENT_FILE_ID 0x03 /* pre-provisioned */
#define CRT_SERVER_FILE_ID 0x04
#define PRIVKEY_ID 0x02 /* pre-provisioned */
#define ECDH_KEYPAIR_ID 0x03
#define PEER_PUBKEY_ID 0x04
#define PEER_CERT_ID 0x05
#endif
/* Platform */
#define WOLFSSL_IOTSAFE
#define WOLFSSL_SMALL_STACK
@ -33,9 +60,10 @@
#define SINGLE_THREADED
#define WOLFSSL_USER_IO
/* Debugging */
#define WOLFSSL_LOG_PRINTF
#if 0
#if 1
#define DEBUG_WOLFSSL
#define WOLFSSL_DEBUG_TLS
#define DEBUG_IOTSAFE
@ -51,6 +79,8 @@
#define HAVE_HASHDRBG
#define NO_OLD_RNGNAME
//#define USE_GENSEED_FORTEST
/* Time porting */
#define TIME_OVERRIDES
extern volatile unsigned long jiffies;

241
wolfcrypt/src/port/iotsafe/iotsafe.c
View File

@ -85,6 +85,7 @@ static int csim_read(char *buf, int len)
static int csim_write(const char *buf, int len)
{
//printf(">>> %s\n", buf);
if (csim_write_cb)
return csim_write_cb(buf, len);
else
@ -131,6 +132,12 @@ static int expect_tok(const char *cmd, int size, const char *tok, char **repl)
}
while (ret > 0) {
ret = csim_read(csim_read_buf, MAXBUF);
/*
if (ret > 0)
printf("<<< %s\n", csim_read_buf);
else
printf("<<< csim_read returned %d\n", ret);
*/
if (tok && (ret > 0) && !r_found) {
/* Mark the beginning of the match in the reply. */
r_found = XSTRSTR(csim_read_buf, tok);
@ -408,8 +415,8 @@ static int iotsafe_init(void)
/* internal: Read File content into a buffer */
static int iotsafe_readfile(uint8_t file_id, unsigned char *content,
int max_size)
static int iotsafe_readfile(uint8_t *file_id, uint16_t file_id_sz,
unsigned char *content, int max_size)
{
char *resp;
int ret;
@ -418,7 +425,7 @@ static int iotsafe_readfile(uint8_t file_id, unsigned char *content,
uint16_t off = 0;
iotsafe_cmd_start(csim_cmd, IOTSAFE_CLASS, IOTSAFE_INS_GETDATA,
IOTSAFE_GETDATA_FILE, 0);
iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_FILE_ID, 1, &file_id);
iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_FILE_ID, file_id_sz, file_id);
iotsafe_cmd_complete(csim_cmd);
ret = expect_csim_response(csim_cmd, (word32)XSTRLEN(csim_cmd), &resp);
@ -448,7 +455,7 @@ static int iotsafe_readfile(uint8_t file_id, unsigned char *content,
off_p2 = (off & 0xff);
iotsafe_cmd_start(csim_cmd, IOTSAFE_CLASS, IOTSAFE_INS_READ_FILE,
off_p1, off_p2);
iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_FILE_ID, 1, &file_id);
iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_FILE_ID, file_id_sz, file_id);
iotsafe_cmd_complete(csim_cmd);
ret = expect_csim_response(csim_cmd, (word32)XSTRLEN(csim_cmd), &resp);
if (ret > 0) {
@ -472,6 +479,7 @@ static int iotsafe_getrandom(unsigned char* output, unsigned long sz)
{
char *resp = NULL;
int ret;
int i;
byte len = (byte)sz;
if (sz == 0) {
return BAD_FUNC_ARG;
@ -498,8 +506,10 @@ static int iotsafe_getrandom(unsigned char* output, unsigned long sz)
else
ret = 0;
}
if (expect_tok(NULL, 0, NULL, NULL) < 0) {
ret = WC_HW_E;
for (i = 0; i < 3; i++) {
if (expect_tok(NULL, 0, NULL, NULL) < 0) {
ret = WC_HW_E;
}
}
return ret;
}
@ -508,12 +518,12 @@ static int iotsafe_getrandom(unsigned char* output, unsigned long sz)
#ifdef HAVE_ECC
static int iotsafe_gen_keypair(byte wr_slot)
static int iotsafe_gen_keypair(byte *wr_slot, unsigned long id_size)
{
char *resp;
int ret = WC_HW_E;
iotsafe_cmd_start(csim_cmd, IOTSAFE_CLASS, IOTSAFE_INS_GEN_KEYPAIR, 0, 0);
iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_PRIVKEY_ID, 1, &wr_slot);
iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_PRIVKEY_ID, id_size, wr_slot);
iotsafe_cmd_complete(csim_cmd);
if (expect_csim_response(csim_cmd, (word32)XSTRLEN(csim_cmd), &resp) < 1) {
WOLFSSL_MSG("Unexpected reply from Keygen");
@ -524,7 +534,8 @@ static int iotsafe_gen_keypair(byte wr_slot)
return ret;
}
static int iotsafe_get_public_key(byte idx, ecc_key *key)
static int iotsafe_get_public_key(byte *pubkey_id, unsigned long id_size,
ecc_key *key)
{
int ret;
char *resp;
@ -533,7 +544,7 @@ static int iotsafe_get_public_key(byte idx, ecc_key *key)
/* exporting generated public key */
iotsafe_cmd_start(csim_cmd, IOTSAFE_CLASS, IOTSAFE_INS_READ_KEY,0, 0);
iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_PUBKEY_ID, 1, &idx);
iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_PUBKEY_ID, id_size, pubkey_id);
iotsafe_cmd_complete(csim_cmd);
ret = expect_csim_response(csim_cmd, (word32)XSTRLEN(csim_cmd), &resp);
if (ret < 1) {
@ -580,7 +591,9 @@ static int iotsafe_get_public_key(byte idx, ecc_key *key)
return 0;
}
static int iotsafe_put_public_key(byte idx, ecc_key *key)
#define PUT_PK_SID 0x02
static int iotsafe_put_public_key(byte *pubkey_id, unsigned long id_size,
ecc_key *key)
{
char *resp;
int ret;
@ -604,10 +617,10 @@ static int iotsafe_put_public_key(byte idx, ecc_key *key)
/* Put Public Init */
iotsafe_cmd_start(csim_cmd, IOTSAFE_CLASS, IOTSAFE_INS_PUT_PUBLIC_INIT,
0, 0);
iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_PUBKEY_ID, 1, &idx);
0, PUT_PK_SID);
iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_PUBKEY_ID, id_size, pubkey_id);
iotsafe_cmd_complete(csim_cmd);
if (expect_ok(csim_cmd, (word32)XSTRLEN(csim_cmd)) <= 0) {
if (expect_ok(csim_cmd, (word32)XSTRLEN(csim_cmd)) < 0) {
WOLFSSL_MSG("Unexpected reply when storing public key");
return WC_HW_E;
}
@ -619,7 +632,7 @@ static int iotsafe_put_public_key(byte idx, ecc_key *key)
if (ret > 0) {
/* Put Public Update */
iotsafe_cmd_start(csim_cmd, IOTSAFE_CLASS, IOTSAFE_INS_PUT_PUBLIC_UPDATE,
IOTSAFE_DATA_LAST, 0);
IOTSAFE_DATA_LAST, PUT_PK_SID);
iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_ECC_KEY_FIELD,
IOTSAFE_TAG_ECC_KEY_FIELD_SZ, ecc_pub_raw);
iotsafe_cmd_complete(csim_cmd);
@ -629,20 +642,25 @@ static int iotsafe_put_public_key(byte idx, ecc_key *key)
ret = WC_HW_E;
} else {
iotsafe_cmd_start(csim_cmd, IOTSAFE_CLASS,
IOTSAFE_INS_PUT_PUBLIC_INIT, 1, 0);
IOTSAFE_INS_PUT_PUBLIC_INIT, 1, PUT_PK_SID);
iotsafe_cmd_complete(csim_cmd);
if (expect_ok(csim_cmd, (word32)XSTRLEN(csim_cmd)) <= 0) {
if (expect_ok(csim_cmd, (word32)XSTRLEN(csim_cmd)) < 0) {
ret = WC_HW_E;
} else {
ret = 0;
}
do {
ret = expect_ok("AT\r\n", 4);
} while (ret == 0);
ret = 0;
}
}
//printf("put_public returning %d\n", ret);
return ret;
}
static int iotsafe_sign_hash(byte privkey_idx, uint16_t hash_algo,
uint8_t sign_algo, const byte *hash, word32 hashLen,
static int iotsafe_sign_hash(byte *privkey_idx, uint16_t id_size,
uint16_t hash_algo, uint8_t sign_algo, const byte *hash, word32 hashLen,
byte *signature, word32 *sigLen)
{
byte mode_of_operation = IOTSAFE_MOO_SIGN_ONLY;
@ -658,7 +676,7 @@ static int iotsafe_sign_hash(byte privkey_idx, uint16_t hash_algo,
WOLFSSL_MSG("Enter iotsafe_sign_hash");
iotsafe_cmd_start(csim_cmd, IOTSAFE_CLASS, IOTSAFE_INS_SIGN_INIT, 0, 1);
iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_PRIVKEY_ID, 1, &privkey_idx);
iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_PRIVKEY_ID, id_size, privkey_idx);
iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_MODE_OF_OPERATION, 1,
&mode_of_operation);
iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_HASH_ALGO, 2,
@ -670,10 +688,16 @@ static int iotsafe_sign_hash(byte privkey_idx, uint16_t hash_algo,
if (*sigLen < 2 * IOTSAFE_ECC_KSIZE) {
return -1;
}
if (expect_ok(csim_cmd, (word32)XSTRLEN(csim_cmd)) <= 0) {
if (expect_ok(csim_cmd, (word32)XSTRLEN(csim_cmd)) < 0) {
WOLFSSL_MSG("Unexpected reply from IoTsafe EC sign");
return WC_HW_E;
}
do {
ret = expect_ok("AT\r\n", 4);
} while (ret == 0);
if (ret < 0)
return WC_HW_E;
/* Compose sign_update message with hash to sign */
iotsafe_cmd_start(csim_cmd, IOTSAFE_CLASS,
IOTSAFE_INS_SIGN_UPDATE,
@ -704,9 +728,16 @@ static int iotsafe_sign_hash(byte privkey_idx, uint16_t hash_algo,
/* Terminate sign/sign session. */
iotsafe_cmd_start(csim_cmd, IOTSAFE_CLASS, IOTSAFE_INS_SIGN_INIT, 1, 1);
iotsafe_cmd_complete(csim_cmd);
if (expect_ok(csim_cmd, (word32)XSTRLEN(csim_cmd)) <= 0) {
if (expect_ok(csim_cmd, (word32)XSTRLEN(csim_cmd)) < 0) {
ret = WC_HW_E;
}
do {
ret = expect_ok("AT\r\n", 4);
} while (ret == 0);
if (ret < 0)
return WC_HW_E;
else
ret = 0;
} else {
ret = NOT_COMPILED_IN; /* RSA not yet supported */
}
@ -714,8 +745,8 @@ static int iotsafe_sign_hash(byte privkey_idx, uint16_t hash_algo,
return ret;
}
static int iotsafe_verify_hash(byte pubkey_idx, uint16_t hash_algo,
uint8_t sign_algo,
static int iotsafe_verify_hash(byte *pubkey_idx, uint16_t id_size,
uint16_t hash_algo, uint8_t sign_algo,
const byte *hash, word32 hashLen,
const byte *sig, word32 sigLen,
int *result)
@ -727,7 +758,7 @@ static int iotsafe_verify_hash(byte pubkey_idx, uint16_t hash_algo,
*result = 0;
iotsafe_cmd_start(csim_cmd, IOTSAFE_CLASS, IOTSAFE_INS_VERIFY_INIT, 0, 1);
iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_PUBKEY_ID, 1, &pubkey_idx);
iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_PUBKEY_ID, id_size, pubkey_idx);
iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_MODE_OF_OPERATION, 1,
&mode_of_operation);
iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_HASH_ALGO, 2,
@ -736,10 +767,16 @@ static int iotsafe_verify_hash(byte pubkey_idx, uint16_t hash_algo,
iotsafe_cmd_complete(csim_cmd);
if (sign_algo == IOTSAFE_SIGN_ECDSA) {
if (expect_ok(csim_cmd, (word32)XSTRLEN(csim_cmd)) <= 0) {
if (expect_ok(csim_cmd, (word32)XSTRLEN(csim_cmd)) < 0) {
WOLFSSL_MSG("Unexpected reply from IoTsafe EC verify");
return WC_HW_E;
}
do {
ret = expect_ok("AT\r\n", 4);
} while (ret == 0);
if (ret < 0)
return WC_HW_E;
/* Compose verify_update message with hash + signature */
iotsafe_cmd_start(csim_cmd, IOTSAFE_CLASS,
IOTSAFE_INS_VERIFY_UPDATE,
@ -764,6 +801,7 @@ static int iotsafe_verify_hash(byte pubkey_idx, uint16_t hash_algo,
}
}
else if (ret == 0) {
//printf("Verify OK!\n");
*result = 1;
ret = 0;
}
@ -771,10 +809,19 @@ static int iotsafe_verify_hash(byte pubkey_idx, uint16_t hash_algo,
/* Terminate sign/verify session. */
iotsafe_cmd_start(csim_cmd, IOTSAFE_CLASS, IOTSAFE_INS_VERIFY_INIT,1,1);
iotsafe_cmd_complete(csim_cmd);
if (expect_ok(csim_cmd, (word32)XSTRLEN(csim_cmd)) <= 0) {
if (expect_ok(csim_cmd, (word32)XSTRLEN(csim_cmd)) < 0) {
*result = 0;
ret = WC_HW_E;
}
do {
ret = expect_ok("AT\r\n", 4);
} while (ret == 0);
if (ret < 0) {
return WC_HW_E;
} else {
ret = 0;
}
} else {
/* TODO: RSA */
ret = NOT_COMPILED_IN;
@ -789,6 +836,10 @@ static int iotsafe_verify_hash(byte pubkey_idx, uint16_t hash_algo,
*
*/
#ifndef IOTSAFE_ID_SIZE
# define IOTSAFE_ID_SIZE (1)
#endif
#ifdef HAVE_PK_CALLBACKS
static int wolfIoT_ecc_keygen(WOLFSSL* ssl, struct ecc_key* key,
unsigned int keySz, int ecc_curve, void* ctx)
@ -807,9 +858,10 @@ static int wolfIoT_ecc_keygen(WOLFSSL* ssl, struct ecc_key* key,
#endif
if (iotsafe->enabled) {
ret = iotsafe_gen_keypair(iotsafe->ecdh_keypair_slot);
ret = iotsafe_gen_keypair((byte *)&iotsafe->ecdh_keypair_slot, IOTSAFE_ID_SIZE);
if (ret == 0) {
ret = iotsafe_get_public_key(iotsafe->ecdh_keypair_slot, key);
ret = iotsafe_get_public_key((byte *)&iotsafe->ecdh_keypair_slot,
IOTSAFE_ID_SIZE, key);
}
} else {
WC_RNG *rng = wolfSSL_GetRNG(ssl);
@ -850,7 +902,8 @@ static int wolfIoT_ecc_sign(WOLFSSL* ssl,
#endif
if (iotsafe->enabled) {
ret = iotsafe_sign_hash(iotsafe->privkey_id, IOTSAFE_HASH_SHA256,
ret = iotsafe_sign_hash((byte *)&iotsafe->privkey_id, IOTSAFE_ID_SIZE,
IOTSAFE_HASH_SHA256,
IOTSAFE_SIGN_ECDSA,
in, inSz, out, outSz);
return ret;
@ -889,9 +942,10 @@ static int wolfIoT_ecc_verify(WOLFSSL *ssl,
int ret;
ecc_key *key;
word32 r_size = IOTSAFE_ECC_KSIZE, s_size = IOTSAFE_ECC_KSIZE;
uint16_t id_size = IOTSAFE_ID_SIZE;
word32 inOutIdx = 0;
IOTSAFE *iotsafe = wolfSSL_get_iotsafe_ctx(ssl);
byte pubkey_slot;
byte *pubkey_slot;
byte *sig_raw;
#ifndef WOLFSSL_SMALL_STACK
byte _sig_raw[IOTSAFE_ECC_KSIZE* 2];
@ -905,13 +959,13 @@ static int wolfIoT_ecc_verify(WOLFSSL *ssl,
return BAD_FUNC_ARG;
}
pubkey_slot = iotsafe->peer_cert_slot;
pubkey_slot = (byte *)&iotsafe->peer_cert_slot;
WOLFSSL_MSG("IOTSAFE: Called wolfIoT_ecc_verify");
#ifdef DEBUG_IOTSAFE
printf("IOTSAFE PK ECC Verify: SigSz %d, HashSz %d, KeySz %d, Slot %d\n",
sigSz, hashSz, keySz, pubkey_slot);
sigSz, hashSz, keySz, *pubkey_slot);
#endif
/* Invalidate verification, by default. */
@ -950,11 +1004,14 @@ static int wolfIoT_ecc_verify(WOLFSSL *ssl,
}
if (ret == 0) {
/* Store public key in IoT-safe slot */
ret = iotsafe_put_public_key(pubkey_slot, key);
ret = iotsafe_put_public_key(pubkey_slot, id_size, key);
if (ret < 0) {
printf("IOTSAFE: put public key failed\n");
}
}
if (ret == 0) {
/* Call iotsafe_verify_hash with ECC256 + SHA256 */
ret = iotsafe_verify_hash(pubkey_slot,
ret = iotsafe_verify_hash(pubkey_slot, id_size,
IOTSAFE_HASH_SHA256, IOTSAFE_SIGN_ECDSA,
hash, hashSz, sig_raw, 2 * IOTSAFE_ECC_KSIZE,
result);
@ -984,8 +1041,8 @@ static int wolfIoT_ecc_shared_secret(WOLFSSL* ssl, struct ecc_key* otherKey,
char *resp;
ecc_key *tmpKey;
IOTSAFE *iotsafe = wolfSSL_get_iotsafe_ctx(ssl);
byte keypair_slot;
byte pubkey_idx;
byte *keypair_slot;
byte *pubkey_idx;
#ifndef WOLFSSL_SMALL_STACK
ecc_key _tmpKey;
tmpKey = &_tmpKey;
@ -1016,19 +1073,20 @@ static int wolfIoT_ecc_shared_secret(WOLFSSL* ssl, struct ecc_key* otherKey,
}
if (iotsafe->enabled) {
keypair_slot = iotsafe->ecdh_keypair_slot;
pubkey_idx = iotsafe->peer_pubkey_slot;
uint16_t id_size = IOTSAFE_ID_SIZE;
keypair_slot = (byte *)(&iotsafe->ecdh_keypair_slot);
pubkey_idx = (byte *)(&iotsafe->peer_pubkey_slot);
/* TLS v1.3 calls key gen already, so don't do it here */
if (wolfSSL_GetVersion(ssl) < WOLFSSL_TLSV1_3) {
WOLFSSL_MSG("Generating ECDH key pair");
ret = iotsafe_gen_keypair(keypair_slot);
ret = iotsafe_gen_keypair(keypair_slot, id_size);
if (ret < 0) {
WOLFSSL_MSG("Error generating IoT-safe key pair");
}
if (ret == 0) {
/* Importing generated public key */
ret = iotsafe_get_public_key(keypair_slot, tmpKey);
ret = iotsafe_get_public_key(keypair_slot, id_size, tmpKey);
if (ret < 0) {
ret = WC_HW_E;
}
@ -1041,7 +1099,7 @@ static int wolfIoT_ecc_shared_secret(WOLFSSL* ssl, struct ecc_key* otherKey,
if (ret == 0) {
/* Store received public key from other endpoint in applet */
ret = iotsafe_put_public_key(pubkey_idx, otherKey);
ret = iotsafe_put_public_key(pubkey_idx, id_size, otherKey);
}
if (ret == 0) {
do {
@ -1050,9 +1108,14 @@ static int wolfIoT_ecc_shared_secret(WOLFSSL* ssl, struct ecc_key* otherKey,
if (ret > 0) {
/* Generating shared secret
*/
#if (IOTSAFE_ID_SIZE == 1)
#elif (IOTSAFE_ID_SIZE == 2)
#else
#error "IOTSAFE key generation unsupported for key size"
#endif
iotsafe_cmd_start(csim_cmd, IOTSAFE_CLASS, IOTSAFE_INS_COMPUTE_DH, 0, 0);
iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_PRIVKEY_ID, 1, &keypair_slot);
iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_PUBKEY_ID, 1, &pubkey_idx);
iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_PRIVKEY_ID, IOTSAFE_ID_SIZE, keypair_slot);
iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_PUBKEY_ID, IOTSAFE_ID_SIZE, pubkey_idx);
iotsafe_cmd_complete(csim_cmd);
ret = expect_csim_response(csim_cmd, (word32)XSTRLEN(csim_cmd), &resp);
}
@ -1141,24 +1204,25 @@ static int wolfIoT_dh_agree(WOLFSSL* ssl, struct DhKey* key,
/* Public API for ecc */
int wc_iotsafe_ecc_import_public(ecc_key *key, byte key_id)
int wc_iotsafe_ecc_import_public_ex(ecc_key *key, byte *key_id, uint16_t id_size)
{
return iotsafe_get_public_key(key_id, key);
return iotsafe_get_public_key(key_id, id_size, key);
}
int wc_iotsafe_ecc_export_public(ecc_key *key, byte key_id)
int wc_iotsafe_ecc_export_public_ex(ecc_key *key, byte *key_id, uint16_t id_size)
{
return iotsafe_put_public_key(key_id, key);
return iotsafe_put_public_key(key_id, id_size, key);
}
int wc_iotsafe_ecc_sign_hash(byte *in, word32 inlen, byte *out,
word32 *outlen, byte key_id)
int wc_iotsafe_ecc_sign_hash_ex(byte *in, word32 inlen, byte *out,
word32 *outlen, byte *key_id, uint16_t id_size)
{
return iotsafe_sign_hash(key_id, IOTSAFE_HASH_SHA256, IOTSAFE_SIGN_ECDSA,
return iotsafe_sign_hash(key_id, id_size, IOTSAFE_HASH_SHA256, IOTSAFE_SIGN_ECDSA,
in, inlen, out, outlen);
}
int wc_iotsafe_ecc_verify_hash(byte *sig, word32 siglen, byte *hash,
word32 hashlen, int *res, byte key_id)
int wc_iotsafe_ecc_verify_hash_ex(byte *sig, word32 siglen, byte *hash,
word32 hashlen, int *res, byte *key_id, uint16_t id_size)
{
int ret;
word32 r_size = IOTSAFE_ECC_KSIZE;
@ -1172,13 +1236,43 @@ int wc_iotsafe_ecc_verify_hash(byte *sig, word32 siglen, byte *hash,
ret = wc_ecc_sig_to_rs(sig, siglen, sig_raw, &r_size, sig_raw
+ IOTSAFE_ECC_KSIZE, &s_size);
if (ret == 0)
ret = iotsafe_verify_hash(key_id, IOTSAFE_HASH_SHA256, IOTSAFE_SIGN_ECDSA,
ret = iotsafe_verify_hash(key_id, id_size, IOTSAFE_HASH_SHA256, IOTSAFE_SIGN_ECDSA,
hash, hashlen, sig_raw, 2 * IOTSAFE_ECC_KSIZE, res);
return ret;
}
int wc_iotsafe_ecc_gen_k_ex(byte *key_id, uint16_t id_size)
{
return iotsafe_gen_keypair(key_id, id_size);
}
int wc_iotsafe_ecc_import_public(ecc_key *key, byte key_id)
{
return iotsafe_get_public_key(&key_id, 1, key);
}
int wc_iotsafe_ecc_export_public(ecc_key *key, byte key_id)
{
return iotsafe_put_public_key(&key_id, 1, key);
}
int wc_iotsafe_ecc_sign_hash(byte *in, word32 inlen, byte *out,
word32 *outlen, byte key_id)
{
return iotsafe_sign_hash(&key_id, 1, IOTSAFE_HASH_SHA256, IOTSAFE_SIGN_ECDSA,
in, inlen, out, outlen);
}
int wc_iotsafe_ecc_verify_hash(byte *sig, word32 siglen, byte *hash,
word32 hashlen, int *res, byte key_id)
{
return wc_iotsafe_ecc_verify_hash_ex(sig, siglen, hash, hashlen, res,
&key_id, 1);
}
int wc_iotsafe_ecc_gen_k(byte key_id)
{
return iotsafe_gen_keypair(key_id);
return iotsafe_gen_keypair(&key_id, 1);
}
#endif /* HAVE_ECC */
@ -1192,10 +1286,17 @@ int wolfIoTSafe_GetRandom(unsigned char *out, word32 sz)
/* API for GetCert (proxy for Read File / Close File)
*/
int wolfIoTSafe_GetCert(uint8_t id, unsigned char *output, unsigned long sz)
int wolfIoTSafe_GetCert_ex(uint8_t *id, uint16_t id_sz, unsigned char *output,
unsigned long sz)
{
XMEMSET(output, 0, sz);
return iotsafe_readfile(id, output, (word32)sz);
return iotsafe_readfile(id, id_sz, output, (word32)sz);
}
int wolfIoTSafe_GetCert(uint8_t id, unsigned char *output, unsigned long sz)
{
return wolfIoTSafe_GetCert_ex(&id, 1, output, sz);
}
/* API to set target specific I/O callbacks */
@ -1237,16 +1338,23 @@ int wolfSSL_CTX_iotsafe_enable(WOLFSSL_CTX *ctx)
return 0;
}
int wolfSSL_iotsafe_on(WOLFSSL *ssl, byte privkey_id,
byte ecdh_keypair_slot, byte peer_pubkey_slot, byte peer_cert_slot)
int wolfSSL_iotsafe_on_ex(WOLFSSL *ssl, byte *privkey_id,
byte *ecdh_keypair_slot, byte *peer_pubkey_slot, byte *peer_cert_slot, word16 id_size)
{
#if defined(HAVE_PK_CALLBACKS)
int ret;
IOTSAFE iotsafe;
iotsafe.privkey_id = privkey_id;
iotsafe.ecdh_keypair_slot = ecdh_keypair_slot;
iotsafe.peer_pubkey_slot = peer_pubkey_slot;
iotsafe.peer_cert_slot = peer_cert_slot;
if (id_size == 1) {
iotsafe.privkey_id = *privkey_id;
iotsafe.ecdh_keypair_slot = *ecdh_keypair_slot;
iotsafe.peer_pubkey_slot = *peer_pubkey_slot;
iotsafe.peer_cert_slot = *peer_cert_slot;
} else if (id_size == 2) {
XMEMCPY(&iotsafe.privkey_id, privkey_id, id_size);
XMEMCPY(&iotsafe.ecdh_keypair_slot, ecdh_keypair_slot, id_size);
XMEMCPY(&iotsafe.peer_pubkey_slot, peer_pubkey_slot, id_size);
XMEMCPY(&iotsafe.peer_cert_slot, peer_cert_slot, id_size);
}
iotsafe.enabled = 1;
ret = wolfSSL_set_iotsafe_ctx(ssl, &iotsafe);
if (ret == 0) {
@ -1264,4 +1372,11 @@ int wolfSSL_iotsafe_on(WOLFSSL *ssl, byte privkey_id,
return NOT_COMPILED_IN;
#endif
}
int wolfSSL_iotsafe_on(WOLFSSL *ssl, byte privkey_id,
byte ecdh_keypair_slot, byte peer_pubkey_slot, byte peer_cert_slot)
{
return wolfSSL_iotsafe_on_ex(ssl, &privkey_id, &ecdh_keypair_slot, &peer_pubkey_slot,
&peer_cert_slot, 1);
}
#endif /* WOLFSSL_IOTSAFE */

24
wolfssl/wolfcrypt/port/iotsafe/iotsafe.h
View File

@ -34,6 +34,9 @@ WOLFSSL_API int wolfSSL_CTX_iotsafe_enable(WOLFSSL_CTX *ctx);
WOLFSSL_API int wolfSSL_iotsafe_on(WOLFSSL *ssl, byte privkey_id,
byte ecdh_keypair_slot, byte peer_pubkey_slot, byte peer_cert_slot);
WOLFSSL_API int wolfSSL_iotsafe_on_ex(WOLFSSL *ssl, byte *privkey_id,
byte *ecdh_keypair_slot, byte *peer_pubkey_slot, byte *peer_cert_slot, word16 id_size);
typedef int (*wolfSSL_IOTSafe_CSIM_write_cb)(const char*, int);
typedef int (*wolfSSL_IOTSafe_CSIM_read_cb)(char *, int);
@ -54,6 +57,13 @@ WOLFSSL_API int wc_iotsafe_ecc_export_private(ecc_key *key, byte key_id);
WOLFSSL_API int wc_iotsafe_ecc_sign_hash(byte *in, word32 inlen, byte *out, word32 *outlen, byte key_id);
WOLFSSL_API int wc_iotsafe_ecc_verify_hash(byte *sig, word32 siglen, byte *hash, word32 hashlen, int *res, byte key_id);
WOLFSSL_API int wc_iotsafe_ecc_gen_k(byte key_id);
WOLFSSL_API int wc_iotsafe_ecc_import_public_ex(ecc_key *key, byte *key_id, word16 id_size);
WOLFSSL_API int wc_iotsafe_ecc_export_public_ex(ecc_key *key, byte *key_id, word16 id_size);
WOLFSSL_API int wc_iotsafe_ecc_export_private_ex(ecc_key *key, byte *key_id, word16 id_size);
WOLFSSL_API int wc_iotsafe_ecc_sign_hash_ex(byte *in, word32 inlen, byte *out, word32 *outlen, byte *key_id, word16 id_size);
WOLFSSL_API int wc_iotsafe_ecc_verify_hash_ex(byte *sig, word32 siglen, byte *hash, word32 hashlen, int *res, byte *key_id, word16 id_size);
WOLFSSL_API int wc_iotsafe_ecc_gen_k_ex(byte *key_id, word16 id_size);
#endif
@ -65,12 +75,26 @@ WOLFSSL_API int wc_iotsafe_ecc_gen_k(byte key_id);
#endif
#endif
#ifndef IOTSAFE_ID_SIZE
# define IOTSAFE_ID_SIZE 1
#endif
struct wc_IOTSAFE {
int enabled;
#if (IOTSAFE_ID_SIZE == 1)
byte privkey_id;
byte ecdh_keypair_slot;
byte peer_pubkey_slot;
byte peer_cert_slot;
#elif (IOTSAFE_ID_SIZE == 2)
word16 privkey_id;
word16 ecdh_keypair_slot;
word16 peer_pubkey_slot;
word16 peer_cert_slot;
#else
#error "IOTSAFE: ID_SIZE not supported"
#endif
};
typedef struct wc_IOTSAFE IOTSAFE;