diff --git a/IDE/iotsafe/Makefile b/IDE/iotsafe/Makefile index 0101eb1ca..a06248d07 100644 --- a/IDE/iotsafe/Makefile +++ b/IDE/iotsafe/Makefile @@ -28,7 +28,6 @@ LDFLAGS+=-mcpu=cortex-m3 LDFLAGS+=-lc -lg -lm LDFLAGS+=--specs=nosys.specs - OBJS:=main.o startup.o devices.o memory-tls.o WOLFSSL_OBJS += \ @@ -80,8 +79,8 @@ OBJS+=$(WOLFSSL_OBJS) $(OBJS_SPMATH) vpath %.c $(dir $(WOLFSSL_ROOT)/src) vpath %.c $(dir $(WOLFSSL_ROOT)/wolfcrypt/src) -CFLAGS+=-g -ggdb3 -#CFLAGS+=-O2 +#CFLAGS+=-g -ggdb3 +CFLAGS+=-Os #all: image.bin diff --git a/IDE/iotsafe/main.c b/IDE/iotsafe/main.c index 64838d422..6b98ba928 100644 --- a/IDE/iotsafe/main.c +++ b/IDE/iotsafe/main.c @@ -79,7 +79,7 @@ void main(void) { uint32_t last_mark = 0; int i; - char randombytes[16]; + uint8_t randombytes[16]; int ret; char c; WC_RNG rng; diff --git a/IDE/iotsafe/memory-tls.c b/IDE/iotsafe/memory-tls.c index fd095b705..b2820edc9 100644 --- a/IDE/iotsafe/memory-tls.c +++ b/IDE/iotsafe/memory-tls.c @@ -35,43 +35,8 @@ #include #include - #include "ca-cert.c" -/* IoTSAFE Certificate slots */ - -/* File Slot '03' is pre-provisioned with - * local certificate. - */ -#define CRT_CLIENT_FILE_ID 0x03 /* pre-provisioned */ - -/* File Slot '04' is pre-provisioned with the - * server's EC public key certificate - */ -#define CRT_SERVER_FILE_ID 0x04 - -/* IoTSAFE Key slots */ - -/* Key slot '02' is pre-provisioned with - * the client private key. - */ -#define PRIVKEY_ID 0x02 /* pre-provisioned */ - -/* Key slot '03' is used by wolfSSL to generate - * the ECDH key that will be used during the TLS - * session. - */ -#define ECDH_KEYPAIR_ID 0x03 - -/* Key slot '04' is used to store the public key - * received from the peer. - */ -#define PEER_PUBKEY_ID 0x04 - -/* Key slot '05' is used to store a public key - * used for ecc verification - */ -#define PEER_CERT_ID 0x05 /* The following define * activates mutual authentication */ @@ -178,6 +143,20 @@ static int client_loop(void) /* set up client */ int ret; const char* helloStr = "hello iot-safe wolfSSL"; + #if (IOTSAFE_ID_SIZE == 1) + byte cert_file_id, privkey_id, keypair_id, peer_pubkey_id, peer_cert_id; + byte ca_cert_id; + #else + word16 cert_file_id, privkey_id, keypair_id, peer_pubkey_id, peer_cert_id; + word16 ca_cert_id; + #endif + cert_file_id = CRT_CLIENT_FILE_ID; + privkey_id = PRIVKEY_ID; + keypair_id = ECDH_KEYPAIR_ID; + peer_pubkey_id = PEER_PUBKEY_ID; + peer_cert_id = PEER_CERT_ID; + ca_cert_id = CRT_SERVER_FILE_ID; + printf("=== CLIENT step %d ===\n", client_state); if (client_state == 0) { @@ -202,7 +181,8 @@ static int client_loop(void) return -1; } - cert_buffer_size = wolfIoTSafe_GetCert(CRT_SERVER_FILE_ID, cert_buffer, + cert_buffer_size = wolfIoTSafe_GetCert_ex(&ca_cert_id,IOTSAFE_ID_SIZE, + cert_buffer, sizeof(cert_buffer)); if (cert_buffer_size < 1) { printf("Bad server cert\n"); @@ -219,7 +199,8 @@ static int client_loop(void) wolfSSL_CTX_set_verify(cli_ctx, WOLFSSL_VERIFY_PEER, NULL); #ifdef CLIENT_AUTH - cert_buffer_size = wolfIoTSafe_GetCert(CRT_CLIENT_FILE_ID, cert_buffer, + cert_buffer_size = wolfIoTSafe_GetCert_ex(&cert_file_id, IOTSAFE_ID_SIZE, + cert_buffer, sizeof(cert_buffer)); if (cert_buffer_size < 1) { printf("Bad client cert\n"); @@ -248,8 +229,9 @@ static int client_loop(void) } printf("Setting TLS options: turn on IoT-safe for this socket\n"); - wolfSSL_iotsafe_on(cli_ssl, PRIVKEY_ID, ECDH_KEYPAIR_ID, - PEER_PUBKEY_ID, PEER_CERT_ID); + + wolfSSL_iotsafe_on_ex(cli_ssl, &privkey_id, &keypair_id, + &peer_pubkey_id, &peer_cert_id, IOTSAFE_ID_SIZE); #ifdef WOLFSSL_TLS13 printf("Setting TLSv1.3 for SECP256R1 key share\n"); @@ -408,5 +390,6 @@ int memory_tls_test(void) wolfSSL_free(srv_ssl); wolfSSL_CTX_free(srv_ctx); + return 0; } diff --git a/IDE/iotsafe/user_settings.h b/IDE/iotsafe/user_settings.h index bf1ca9531..ea7a75e45 100644 --- a/IDE/iotsafe/user_settings.h +++ b/IDE/iotsafe/user_settings.h @@ -23,9 +23,36 @@ #ifndef IOTSAFE_EXAMPLE_USER_SETTINGS_H #define IOTSAFE_EXAMPLE_USER_SETTINGS_H - #include +/* Uncomment next line to enable 2-bytes ID demo */ +//#define TWO_BYTES_ID_DEMO + + +/* IOT-Safe slot configuration for this example + */ + +#ifdef TWO_BYTES_ID_DEMO + #define IOTSAFE_ID_SIZE 2 + #define CRT_CLIENT_FILE_ID 0x3430 /* pre-provisioned */ + #define CRT_SERVER_FILE_ID 0x3330 + #define PRIVKEY_ID 0x3230 /* pre-provisioned */ + #define ECDH_KEYPAIR_ID 0x3330 + #define PEER_PUBKEY_ID 0x3430 + #define PEER_CERT_ID 0x3530 +#else + #define IOTSAFE_ID_SIZE 1 + #define CRT_CLIENT_FILE_ID 0x03 /* pre-provisioned */ + #define CRT_SERVER_FILE_ID 0x04 + #define PRIVKEY_ID 0x02 /* pre-provisioned */ + #define ECDH_KEYPAIR_ID 0x03 + #define PEER_PUBKEY_ID 0x04 + #define PEER_CERT_ID 0x05 +#endif + + + + /* Platform */ #define WOLFSSL_IOTSAFE #define WOLFSSL_SMALL_STACK @@ -33,9 +60,10 @@ #define SINGLE_THREADED #define WOLFSSL_USER_IO + /* Debugging */ #define WOLFSSL_LOG_PRINTF -#if 0 +#if 1 #define DEBUG_WOLFSSL #define WOLFSSL_DEBUG_TLS #define DEBUG_IOTSAFE @@ -51,6 +79,8 @@ #define HAVE_HASHDRBG #define NO_OLD_RNGNAME +//#define USE_GENSEED_FORTEST + /* Time porting */ #define TIME_OVERRIDES extern volatile unsigned long jiffies; diff --git a/wolfcrypt/src/port/iotsafe/iotsafe.c b/wolfcrypt/src/port/iotsafe/iotsafe.c index 7470d40d3..685390779 100644 --- a/wolfcrypt/src/port/iotsafe/iotsafe.c +++ b/wolfcrypt/src/port/iotsafe/iotsafe.c @@ -85,6 +85,7 @@ static int csim_read(char *buf, int len) static int csim_write(const char *buf, int len) { + //printf(">>> %s\n", buf); if (csim_write_cb) return csim_write_cb(buf, len); else @@ -131,6 +132,12 @@ static int expect_tok(const char *cmd, int size, const char *tok, char **repl) } while (ret > 0) { ret = csim_read(csim_read_buf, MAXBUF); + /* + if (ret > 0) + printf("<<< %s\n", csim_read_buf); + else + printf("<<< csim_read returned %d\n", ret); + */ if (tok && (ret > 0) && !r_found) { /* Mark the beginning of the match in the reply. */ r_found = XSTRSTR(csim_read_buf, tok); @@ -408,8 +415,8 @@ static int iotsafe_init(void) /* internal: Read File content into a buffer */ -static int iotsafe_readfile(uint8_t file_id, unsigned char *content, - int max_size) +static int iotsafe_readfile(uint8_t *file_id, uint16_t file_id_sz, + unsigned char *content, int max_size) { char *resp; int ret; @@ -418,7 +425,7 @@ static int iotsafe_readfile(uint8_t file_id, unsigned char *content, uint16_t off = 0; iotsafe_cmd_start(csim_cmd, IOTSAFE_CLASS, IOTSAFE_INS_GETDATA, IOTSAFE_GETDATA_FILE, 0); - iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_FILE_ID, 1, &file_id); + iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_FILE_ID, file_id_sz, file_id); iotsafe_cmd_complete(csim_cmd); ret = expect_csim_response(csim_cmd, (word32)XSTRLEN(csim_cmd), &resp); @@ -448,7 +455,7 @@ static int iotsafe_readfile(uint8_t file_id, unsigned char *content, off_p2 = (off & 0xff); iotsafe_cmd_start(csim_cmd, IOTSAFE_CLASS, IOTSAFE_INS_READ_FILE, off_p1, off_p2); - iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_FILE_ID, 1, &file_id); + iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_FILE_ID, file_id_sz, file_id); iotsafe_cmd_complete(csim_cmd); ret = expect_csim_response(csim_cmd, (word32)XSTRLEN(csim_cmd), &resp); if (ret > 0) { @@ -472,6 +479,7 @@ static int iotsafe_getrandom(unsigned char* output, unsigned long sz) { char *resp = NULL; int ret; + int i; byte len = (byte)sz; if (sz == 0) { return BAD_FUNC_ARG; @@ -498,8 +506,10 @@ static int iotsafe_getrandom(unsigned char* output, unsigned long sz) else ret = 0; } - if (expect_tok(NULL, 0, NULL, NULL) < 0) { - ret = WC_HW_E; + for (i = 0; i < 3; i++) { + if (expect_tok(NULL, 0, NULL, NULL) < 0) { + ret = WC_HW_E; + } } return ret; } @@ -508,12 +518,12 @@ static int iotsafe_getrandom(unsigned char* output, unsigned long sz) #ifdef HAVE_ECC -static int iotsafe_gen_keypair(byte wr_slot) +static int iotsafe_gen_keypair(byte *wr_slot, unsigned long id_size) { char *resp; int ret = WC_HW_E; iotsafe_cmd_start(csim_cmd, IOTSAFE_CLASS, IOTSAFE_INS_GEN_KEYPAIR, 0, 0); - iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_PRIVKEY_ID, 1, &wr_slot); + iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_PRIVKEY_ID, id_size, wr_slot); iotsafe_cmd_complete(csim_cmd); if (expect_csim_response(csim_cmd, (word32)XSTRLEN(csim_cmd), &resp) < 1) { WOLFSSL_MSG("Unexpected reply from Keygen"); @@ -524,7 +534,8 @@ static int iotsafe_gen_keypair(byte wr_slot) return ret; } -static int iotsafe_get_public_key(byte idx, ecc_key *key) +static int iotsafe_get_public_key(byte *pubkey_id, unsigned long id_size, + ecc_key *key) { int ret; char *resp; @@ -533,7 +544,7 @@ static int iotsafe_get_public_key(byte idx, ecc_key *key) /* exporting generated public key */ iotsafe_cmd_start(csim_cmd, IOTSAFE_CLASS, IOTSAFE_INS_READ_KEY,0, 0); - iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_PUBKEY_ID, 1, &idx); + iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_PUBKEY_ID, id_size, pubkey_id); iotsafe_cmd_complete(csim_cmd); ret = expect_csim_response(csim_cmd, (word32)XSTRLEN(csim_cmd), &resp); if (ret < 1) { @@ -580,7 +591,9 @@ static int iotsafe_get_public_key(byte idx, ecc_key *key) return 0; } -static int iotsafe_put_public_key(byte idx, ecc_key *key) +#define PUT_PK_SID 0x02 +static int iotsafe_put_public_key(byte *pubkey_id, unsigned long id_size, + ecc_key *key) { char *resp; int ret; @@ -604,10 +617,10 @@ static int iotsafe_put_public_key(byte idx, ecc_key *key) /* Put Public Init */ iotsafe_cmd_start(csim_cmd, IOTSAFE_CLASS, IOTSAFE_INS_PUT_PUBLIC_INIT, - 0, 0); - iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_PUBKEY_ID, 1, &idx); + 0, PUT_PK_SID); + iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_PUBKEY_ID, id_size, pubkey_id); iotsafe_cmd_complete(csim_cmd); - if (expect_ok(csim_cmd, (word32)XSTRLEN(csim_cmd)) <= 0) { + if (expect_ok(csim_cmd, (word32)XSTRLEN(csim_cmd)) < 0) { WOLFSSL_MSG("Unexpected reply when storing public key"); return WC_HW_E; } @@ -619,7 +632,7 @@ static int iotsafe_put_public_key(byte idx, ecc_key *key) if (ret > 0) { /* Put Public Update */ iotsafe_cmd_start(csim_cmd, IOTSAFE_CLASS, IOTSAFE_INS_PUT_PUBLIC_UPDATE, - IOTSAFE_DATA_LAST, 0); + IOTSAFE_DATA_LAST, PUT_PK_SID); iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_ECC_KEY_FIELD, IOTSAFE_TAG_ECC_KEY_FIELD_SZ, ecc_pub_raw); iotsafe_cmd_complete(csim_cmd); @@ -629,20 +642,25 @@ static int iotsafe_put_public_key(byte idx, ecc_key *key) ret = WC_HW_E; } else { iotsafe_cmd_start(csim_cmd, IOTSAFE_CLASS, - IOTSAFE_INS_PUT_PUBLIC_INIT, 1, 0); + IOTSAFE_INS_PUT_PUBLIC_INIT, 1, PUT_PK_SID); iotsafe_cmd_complete(csim_cmd); - if (expect_ok(csim_cmd, (word32)XSTRLEN(csim_cmd)) <= 0) { + if (expect_ok(csim_cmd, (word32)XSTRLEN(csim_cmd)) < 0) { ret = WC_HW_E; } else { ret = 0; } + do { + ret = expect_ok("AT\r\n", 4); + } while (ret == 0); + ret = 0; } } + //printf("put_public returning %d\n", ret); return ret; } -static int iotsafe_sign_hash(byte privkey_idx, uint16_t hash_algo, - uint8_t sign_algo, const byte *hash, word32 hashLen, +static int iotsafe_sign_hash(byte *privkey_idx, uint16_t id_size, + uint16_t hash_algo, uint8_t sign_algo, const byte *hash, word32 hashLen, byte *signature, word32 *sigLen) { byte mode_of_operation = IOTSAFE_MOO_SIGN_ONLY; @@ -658,7 +676,7 @@ static int iotsafe_sign_hash(byte privkey_idx, uint16_t hash_algo, WOLFSSL_MSG("Enter iotsafe_sign_hash"); iotsafe_cmd_start(csim_cmd, IOTSAFE_CLASS, IOTSAFE_INS_SIGN_INIT, 0, 1); - iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_PRIVKEY_ID, 1, &privkey_idx); + iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_PRIVKEY_ID, id_size, privkey_idx); iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_MODE_OF_OPERATION, 1, &mode_of_operation); iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_HASH_ALGO, 2, @@ -670,10 +688,16 @@ static int iotsafe_sign_hash(byte privkey_idx, uint16_t hash_algo, if (*sigLen < 2 * IOTSAFE_ECC_KSIZE) { return -1; } - if (expect_ok(csim_cmd, (word32)XSTRLEN(csim_cmd)) <= 0) { + if (expect_ok(csim_cmd, (word32)XSTRLEN(csim_cmd)) < 0) { WOLFSSL_MSG("Unexpected reply from IoTsafe EC sign"); return WC_HW_E; } + do { + ret = expect_ok("AT\r\n", 4); + } while (ret == 0); + if (ret < 0) + return WC_HW_E; + /* Compose sign_update message with hash to sign */ iotsafe_cmd_start(csim_cmd, IOTSAFE_CLASS, IOTSAFE_INS_SIGN_UPDATE, @@ -704,9 +728,16 @@ static int iotsafe_sign_hash(byte privkey_idx, uint16_t hash_algo, /* Terminate sign/sign session. */ iotsafe_cmd_start(csim_cmd, IOTSAFE_CLASS, IOTSAFE_INS_SIGN_INIT, 1, 1); iotsafe_cmd_complete(csim_cmd); - if (expect_ok(csim_cmd, (word32)XSTRLEN(csim_cmd)) <= 0) { + if (expect_ok(csim_cmd, (word32)XSTRLEN(csim_cmd)) < 0) { ret = WC_HW_E; } + do { + ret = expect_ok("AT\r\n", 4); + } while (ret == 0); + if (ret < 0) + return WC_HW_E; + else + ret = 0; } else { ret = NOT_COMPILED_IN; /* RSA not yet supported */ } @@ -714,8 +745,8 @@ static int iotsafe_sign_hash(byte privkey_idx, uint16_t hash_algo, return ret; } -static int iotsafe_verify_hash(byte pubkey_idx, uint16_t hash_algo, - uint8_t sign_algo, +static int iotsafe_verify_hash(byte *pubkey_idx, uint16_t id_size, + uint16_t hash_algo, uint8_t sign_algo, const byte *hash, word32 hashLen, const byte *sig, word32 sigLen, int *result) @@ -727,7 +758,7 @@ static int iotsafe_verify_hash(byte pubkey_idx, uint16_t hash_algo, *result = 0; iotsafe_cmd_start(csim_cmd, IOTSAFE_CLASS, IOTSAFE_INS_VERIFY_INIT, 0, 1); - iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_PUBKEY_ID, 1, &pubkey_idx); + iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_PUBKEY_ID, id_size, pubkey_idx); iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_MODE_OF_OPERATION, 1, &mode_of_operation); iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_HASH_ALGO, 2, @@ -736,10 +767,16 @@ static int iotsafe_verify_hash(byte pubkey_idx, uint16_t hash_algo, iotsafe_cmd_complete(csim_cmd); if (sign_algo == IOTSAFE_SIGN_ECDSA) { - if (expect_ok(csim_cmd, (word32)XSTRLEN(csim_cmd)) <= 0) { + if (expect_ok(csim_cmd, (word32)XSTRLEN(csim_cmd)) < 0) { WOLFSSL_MSG("Unexpected reply from IoTsafe EC verify"); return WC_HW_E; } + do { + ret = expect_ok("AT\r\n", 4); + } while (ret == 0); + if (ret < 0) + return WC_HW_E; + /* Compose verify_update message with hash + signature */ iotsafe_cmd_start(csim_cmd, IOTSAFE_CLASS, IOTSAFE_INS_VERIFY_UPDATE, @@ -764,6 +801,7 @@ static int iotsafe_verify_hash(byte pubkey_idx, uint16_t hash_algo, } } else if (ret == 0) { + //printf("Verify OK!\n"); *result = 1; ret = 0; } @@ -771,10 +809,19 @@ static int iotsafe_verify_hash(byte pubkey_idx, uint16_t hash_algo, /* Terminate sign/verify session. */ iotsafe_cmd_start(csim_cmd, IOTSAFE_CLASS, IOTSAFE_INS_VERIFY_INIT,1,1); iotsafe_cmd_complete(csim_cmd); - if (expect_ok(csim_cmd, (word32)XSTRLEN(csim_cmd)) <= 0) { + if (expect_ok(csim_cmd, (word32)XSTRLEN(csim_cmd)) < 0) { *result = 0; ret = WC_HW_E; } + + do { + ret = expect_ok("AT\r\n", 4); + } while (ret == 0); + if (ret < 0) { + return WC_HW_E; + } else { + ret = 0; + } } else { /* TODO: RSA */ ret = NOT_COMPILED_IN; @@ -789,6 +836,10 @@ static int iotsafe_verify_hash(byte pubkey_idx, uint16_t hash_algo, * */ +#ifndef IOTSAFE_ID_SIZE +# define IOTSAFE_ID_SIZE (1) +#endif + #ifdef HAVE_PK_CALLBACKS static int wolfIoT_ecc_keygen(WOLFSSL* ssl, struct ecc_key* key, unsigned int keySz, int ecc_curve, void* ctx) @@ -807,9 +858,10 @@ static int wolfIoT_ecc_keygen(WOLFSSL* ssl, struct ecc_key* key, #endif if (iotsafe->enabled) { - ret = iotsafe_gen_keypair(iotsafe->ecdh_keypair_slot); + ret = iotsafe_gen_keypair((byte *)&iotsafe->ecdh_keypair_slot, IOTSAFE_ID_SIZE); if (ret == 0) { - ret = iotsafe_get_public_key(iotsafe->ecdh_keypair_slot, key); + ret = iotsafe_get_public_key((byte *)&iotsafe->ecdh_keypair_slot, + IOTSAFE_ID_SIZE, key); } } else { WC_RNG *rng = wolfSSL_GetRNG(ssl); @@ -850,7 +902,8 @@ static int wolfIoT_ecc_sign(WOLFSSL* ssl, #endif if (iotsafe->enabled) { - ret = iotsafe_sign_hash(iotsafe->privkey_id, IOTSAFE_HASH_SHA256, + ret = iotsafe_sign_hash((byte *)&iotsafe->privkey_id, IOTSAFE_ID_SIZE, + IOTSAFE_HASH_SHA256, IOTSAFE_SIGN_ECDSA, in, inSz, out, outSz); return ret; @@ -889,9 +942,10 @@ static int wolfIoT_ecc_verify(WOLFSSL *ssl, int ret; ecc_key *key; word32 r_size = IOTSAFE_ECC_KSIZE, s_size = IOTSAFE_ECC_KSIZE; + uint16_t id_size = IOTSAFE_ID_SIZE; word32 inOutIdx = 0; IOTSAFE *iotsafe = wolfSSL_get_iotsafe_ctx(ssl); - byte pubkey_slot; + byte *pubkey_slot; byte *sig_raw; #ifndef WOLFSSL_SMALL_STACK byte _sig_raw[IOTSAFE_ECC_KSIZE* 2]; @@ -905,13 +959,13 @@ static int wolfIoT_ecc_verify(WOLFSSL *ssl, return BAD_FUNC_ARG; } - pubkey_slot = iotsafe->peer_cert_slot; + pubkey_slot = (byte *)&iotsafe->peer_cert_slot; WOLFSSL_MSG("IOTSAFE: Called wolfIoT_ecc_verify"); #ifdef DEBUG_IOTSAFE printf("IOTSAFE PK ECC Verify: SigSz %d, HashSz %d, KeySz %d, Slot %d\n", - sigSz, hashSz, keySz, pubkey_slot); + sigSz, hashSz, keySz, *pubkey_slot); #endif /* Invalidate verification, by default. */ @@ -950,11 +1004,14 @@ static int wolfIoT_ecc_verify(WOLFSSL *ssl, } if (ret == 0) { /* Store public key in IoT-safe slot */ - ret = iotsafe_put_public_key(pubkey_slot, key); + ret = iotsafe_put_public_key(pubkey_slot, id_size, key); + if (ret < 0) { + printf("IOTSAFE: put public key failed\n"); + } } if (ret == 0) { /* Call iotsafe_verify_hash with ECC256 + SHA256 */ - ret = iotsafe_verify_hash(pubkey_slot, + ret = iotsafe_verify_hash(pubkey_slot, id_size, IOTSAFE_HASH_SHA256, IOTSAFE_SIGN_ECDSA, hash, hashSz, sig_raw, 2 * IOTSAFE_ECC_KSIZE, result); @@ -984,8 +1041,8 @@ static int wolfIoT_ecc_shared_secret(WOLFSSL* ssl, struct ecc_key* otherKey, char *resp; ecc_key *tmpKey; IOTSAFE *iotsafe = wolfSSL_get_iotsafe_ctx(ssl); - byte keypair_slot; - byte pubkey_idx; + byte *keypair_slot; + byte *pubkey_idx; #ifndef WOLFSSL_SMALL_STACK ecc_key _tmpKey; tmpKey = &_tmpKey; @@ -1016,19 +1073,20 @@ static int wolfIoT_ecc_shared_secret(WOLFSSL* ssl, struct ecc_key* otherKey, } if (iotsafe->enabled) { - keypair_slot = iotsafe->ecdh_keypair_slot; - pubkey_idx = iotsafe->peer_pubkey_slot; + uint16_t id_size = IOTSAFE_ID_SIZE; + keypair_slot = (byte *)(&iotsafe->ecdh_keypair_slot); + pubkey_idx = (byte *)(&iotsafe->peer_pubkey_slot); /* TLS v1.3 calls key gen already, so don't do it here */ if (wolfSSL_GetVersion(ssl) < WOLFSSL_TLSV1_3) { WOLFSSL_MSG("Generating ECDH key pair"); - ret = iotsafe_gen_keypair(keypair_slot); + ret = iotsafe_gen_keypair(keypair_slot, id_size); if (ret < 0) { WOLFSSL_MSG("Error generating IoT-safe key pair"); } if (ret == 0) { /* Importing generated public key */ - ret = iotsafe_get_public_key(keypair_slot, tmpKey); + ret = iotsafe_get_public_key(keypair_slot, id_size, tmpKey); if (ret < 0) { ret = WC_HW_E; } @@ -1041,7 +1099,7 @@ static int wolfIoT_ecc_shared_secret(WOLFSSL* ssl, struct ecc_key* otherKey, if (ret == 0) { /* Store received public key from other endpoint in applet */ - ret = iotsafe_put_public_key(pubkey_idx, otherKey); + ret = iotsafe_put_public_key(pubkey_idx, id_size, otherKey); } if (ret == 0) { do { @@ -1050,9 +1108,14 @@ static int wolfIoT_ecc_shared_secret(WOLFSSL* ssl, struct ecc_key* otherKey, if (ret > 0) { /* Generating shared secret */ +#if (IOTSAFE_ID_SIZE == 1) +#elif (IOTSAFE_ID_SIZE == 2) +#else +#error "IOTSAFE key generation unsupported for key size" +#endif iotsafe_cmd_start(csim_cmd, IOTSAFE_CLASS, IOTSAFE_INS_COMPUTE_DH, 0, 0); - iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_PRIVKEY_ID, 1, &keypair_slot); - iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_PUBKEY_ID, 1, &pubkey_idx); + iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_PRIVKEY_ID, IOTSAFE_ID_SIZE, keypair_slot); + iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_PUBKEY_ID, IOTSAFE_ID_SIZE, pubkey_idx); iotsafe_cmd_complete(csim_cmd); ret = expect_csim_response(csim_cmd, (word32)XSTRLEN(csim_cmd), &resp); } @@ -1141,24 +1204,25 @@ static int wolfIoT_dh_agree(WOLFSSL* ssl, struct DhKey* key, /* Public API for ecc */ -int wc_iotsafe_ecc_import_public(ecc_key *key, byte key_id) +int wc_iotsafe_ecc_import_public_ex(ecc_key *key, byte *key_id, uint16_t id_size) { - return iotsafe_get_public_key(key_id, key); + return iotsafe_get_public_key(key_id, id_size, key); } -int wc_iotsafe_ecc_export_public(ecc_key *key, byte key_id) +int wc_iotsafe_ecc_export_public_ex(ecc_key *key, byte *key_id, uint16_t id_size) { - return iotsafe_put_public_key(key_id, key); + return iotsafe_put_public_key(key_id, id_size, key); } -int wc_iotsafe_ecc_sign_hash(byte *in, word32 inlen, byte *out, - word32 *outlen, byte key_id) +int wc_iotsafe_ecc_sign_hash_ex(byte *in, word32 inlen, byte *out, + word32 *outlen, byte *key_id, uint16_t id_size) { - return iotsafe_sign_hash(key_id, IOTSAFE_HASH_SHA256, IOTSAFE_SIGN_ECDSA, + return iotsafe_sign_hash(key_id, id_size, IOTSAFE_HASH_SHA256, IOTSAFE_SIGN_ECDSA, in, inlen, out, outlen); } -int wc_iotsafe_ecc_verify_hash(byte *sig, word32 siglen, byte *hash, - word32 hashlen, int *res, byte key_id) + +int wc_iotsafe_ecc_verify_hash_ex(byte *sig, word32 siglen, byte *hash, + word32 hashlen, int *res, byte *key_id, uint16_t id_size) { int ret; word32 r_size = IOTSAFE_ECC_KSIZE; @@ -1172,13 +1236,43 @@ int wc_iotsafe_ecc_verify_hash(byte *sig, word32 siglen, byte *hash, ret = wc_ecc_sig_to_rs(sig, siglen, sig_raw, &r_size, sig_raw + IOTSAFE_ECC_KSIZE, &s_size); if (ret == 0) - ret = iotsafe_verify_hash(key_id, IOTSAFE_HASH_SHA256, IOTSAFE_SIGN_ECDSA, + ret = iotsafe_verify_hash(key_id, id_size, IOTSAFE_HASH_SHA256, IOTSAFE_SIGN_ECDSA, hash, hashlen, sig_raw, 2 * IOTSAFE_ECC_KSIZE, res); return ret; } + +int wc_iotsafe_ecc_gen_k_ex(byte *key_id, uint16_t id_size) +{ + return iotsafe_gen_keypair(key_id, id_size); +} + +int wc_iotsafe_ecc_import_public(ecc_key *key, byte key_id) +{ + return iotsafe_get_public_key(&key_id, 1, key); +} + +int wc_iotsafe_ecc_export_public(ecc_key *key, byte key_id) +{ + return iotsafe_put_public_key(&key_id, 1, key); +} + +int wc_iotsafe_ecc_sign_hash(byte *in, word32 inlen, byte *out, + word32 *outlen, byte key_id) +{ + return iotsafe_sign_hash(&key_id, 1, IOTSAFE_HASH_SHA256, IOTSAFE_SIGN_ECDSA, + in, inlen, out, outlen); +} + + +int wc_iotsafe_ecc_verify_hash(byte *sig, word32 siglen, byte *hash, + word32 hashlen, int *res, byte key_id) +{ + return wc_iotsafe_ecc_verify_hash_ex(sig, siglen, hash, hashlen, res, + &key_id, 1); +} int wc_iotsafe_ecc_gen_k(byte key_id) { - return iotsafe_gen_keypair(key_id); + return iotsafe_gen_keypair(&key_id, 1); } #endif /* HAVE_ECC */ @@ -1192,10 +1286,17 @@ int wolfIoTSafe_GetRandom(unsigned char *out, word32 sz) /* API for GetCert (proxy for Read File / Close File) */ -int wolfIoTSafe_GetCert(uint8_t id, unsigned char *output, unsigned long sz) + +int wolfIoTSafe_GetCert_ex(uint8_t *id, uint16_t id_sz, unsigned char *output, + unsigned long sz) { XMEMSET(output, 0, sz); - return iotsafe_readfile(id, output, (word32)sz); + return iotsafe_readfile(id, id_sz, output, (word32)sz); +} + +int wolfIoTSafe_GetCert(uint8_t id, unsigned char *output, unsigned long sz) +{ + return wolfIoTSafe_GetCert_ex(&id, 1, output, sz); } /* API to set target specific I/O callbacks */ @@ -1237,16 +1338,23 @@ int wolfSSL_CTX_iotsafe_enable(WOLFSSL_CTX *ctx) return 0; } -int wolfSSL_iotsafe_on(WOLFSSL *ssl, byte privkey_id, - byte ecdh_keypair_slot, byte peer_pubkey_slot, byte peer_cert_slot) +int wolfSSL_iotsafe_on_ex(WOLFSSL *ssl, byte *privkey_id, + byte *ecdh_keypair_slot, byte *peer_pubkey_slot, byte *peer_cert_slot, word16 id_size) { #if defined(HAVE_PK_CALLBACKS) int ret; IOTSAFE iotsafe; - iotsafe.privkey_id = privkey_id; - iotsafe.ecdh_keypair_slot = ecdh_keypair_slot; - iotsafe.peer_pubkey_slot = peer_pubkey_slot; - iotsafe.peer_cert_slot = peer_cert_slot; + if (id_size == 1) { + iotsafe.privkey_id = *privkey_id; + iotsafe.ecdh_keypair_slot = *ecdh_keypair_slot; + iotsafe.peer_pubkey_slot = *peer_pubkey_slot; + iotsafe.peer_cert_slot = *peer_cert_slot; + } else if (id_size == 2) { + XMEMCPY(&iotsafe.privkey_id, privkey_id, id_size); + XMEMCPY(&iotsafe.ecdh_keypair_slot, ecdh_keypair_slot, id_size); + XMEMCPY(&iotsafe.peer_pubkey_slot, peer_pubkey_slot, id_size); + XMEMCPY(&iotsafe.peer_cert_slot, peer_cert_slot, id_size); + } iotsafe.enabled = 1; ret = wolfSSL_set_iotsafe_ctx(ssl, &iotsafe); if (ret == 0) { @@ -1264,4 +1372,11 @@ int wolfSSL_iotsafe_on(WOLFSSL *ssl, byte privkey_id, return NOT_COMPILED_IN; #endif } + +int wolfSSL_iotsafe_on(WOLFSSL *ssl, byte privkey_id, + byte ecdh_keypair_slot, byte peer_pubkey_slot, byte peer_cert_slot) +{ + return wolfSSL_iotsafe_on_ex(ssl, &privkey_id, &ecdh_keypair_slot, &peer_pubkey_slot, + &peer_cert_slot, 1); +} #endif /* WOLFSSL_IOTSAFE */ diff --git a/wolfssl/wolfcrypt/port/iotsafe/iotsafe.h b/wolfssl/wolfcrypt/port/iotsafe/iotsafe.h index 66a980e77..cd974b672 100644 --- a/wolfssl/wolfcrypt/port/iotsafe/iotsafe.h +++ b/wolfssl/wolfcrypt/port/iotsafe/iotsafe.h @@ -34,6 +34,9 @@ WOLFSSL_API int wolfSSL_CTX_iotsafe_enable(WOLFSSL_CTX *ctx); WOLFSSL_API int wolfSSL_iotsafe_on(WOLFSSL *ssl, byte privkey_id, byte ecdh_keypair_slot, byte peer_pubkey_slot, byte peer_cert_slot); +WOLFSSL_API int wolfSSL_iotsafe_on_ex(WOLFSSL *ssl, byte *privkey_id, + byte *ecdh_keypair_slot, byte *peer_pubkey_slot, byte *peer_cert_slot, word16 id_size); + typedef int (*wolfSSL_IOTSafe_CSIM_write_cb)(const char*, int); typedef int (*wolfSSL_IOTSafe_CSIM_read_cb)(char *, int); @@ -54,6 +57,13 @@ WOLFSSL_API int wc_iotsafe_ecc_export_private(ecc_key *key, byte key_id); WOLFSSL_API int wc_iotsafe_ecc_sign_hash(byte *in, word32 inlen, byte *out, word32 *outlen, byte key_id); WOLFSSL_API int wc_iotsafe_ecc_verify_hash(byte *sig, word32 siglen, byte *hash, word32 hashlen, int *res, byte key_id); WOLFSSL_API int wc_iotsafe_ecc_gen_k(byte key_id); + +WOLFSSL_API int wc_iotsafe_ecc_import_public_ex(ecc_key *key, byte *key_id, word16 id_size); +WOLFSSL_API int wc_iotsafe_ecc_export_public_ex(ecc_key *key, byte *key_id, word16 id_size); +WOLFSSL_API int wc_iotsafe_ecc_export_private_ex(ecc_key *key, byte *key_id, word16 id_size); +WOLFSSL_API int wc_iotsafe_ecc_sign_hash_ex(byte *in, word32 inlen, byte *out, word32 *outlen, byte *key_id, word16 id_size); +WOLFSSL_API int wc_iotsafe_ecc_verify_hash_ex(byte *sig, word32 siglen, byte *hash, word32 hashlen, int *res, byte *key_id, word16 id_size); +WOLFSSL_API int wc_iotsafe_ecc_gen_k_ex(byte *key_id, word16 id_size); #endif @@ -65,12 +75,26 @@ WOLFSSL_API int wc_iotsafe_ecc_gen_k(byte key_id); #endif #endif +#ifndef IOTSAFE_ID_SIZE +# define IOTSAFE_ID_SIZE 1 +#endif + struct wc_IOTSAFE { int enabled; + +#if (IOTSAFE_ID_SIZE == 1) byte privkey_id; byte ecdh_keypair_slot; byte peer_pubkey_slot; byte peer_cert_slot; +#elif (IOTSAFE_ID_SIZE == 2) + word16 privkey_id; + word16 ecdh_keypair_slot; + word16 peer_pubkey_slot; + word16 peer_cert_slot; +#else +#error "IOTSAFE: ID_SIZE not supported" +#endif }; typedef struct wc_IOTSAFE IOTSAFE;