From d1f850273f2bc3fa300012df2ff66520b230158a Mon Sep 17 00:00:00 2001 From: Saksik Remy Date: Mon, 20 Dec 2021 17:33:24 +0800 Subject: [PATCH 01/12] add hkdf-extract to iotsafe implementation + sample application --- IDE/iotsafe-raspberrypi/README.md | 140 +++++++ IDE/iotsafe-raspberrypi/client-tls13.c | 499 +++++++++++++++++++++++ IDE/iotsafe-raspberrypi/main.c | 288 +++++++++++++ wolfcrypt/src/port/iotsafe/iotsafe.c | 87 +++- wolfssl/wolfcrypt/port/iotsafe/iotsafe.h | 3 + 5 files changed, 1015 insertions(+), 2 deletions(-) create mode 100644 IDE/iotsafe-raspberrypi/README.md create mode 100644 IDE/iotsafe-raspberrypi/client-tls13.c create mode 100644 IDE/iotsafe-raspberrypi/main.c diff --git a/IDE/iotsafe-raspberrypi/README.md b/IDE/iotsafe-raspberrypi/README.md new file mode 100644 index 000000000..23708f31e --- /dev/null +++ b/IDE/iotsafe-raspberrypi/README.md @@ -0,0 +1,140 @@ +## wolfSSL IoT-SAFE Example + + +### Description + +This demo example will run an example TLS 1.3 client using wolfSSL, using an IoT-SAFE applet supporting the [IoT.05-v1-IoT standard](https://www.gsma.com/iot/wp-content/uploads/2019/12/IoT.05-v1-IoT-Security-Applet-Interface-Description.pdf). + + +### Evaluation Platform + +* Any platform with POSIX-compliant OS such as RaspberryPi +* Any ICC form-factor with IoT-SAFE applet (see below section for the specific IoT-SAFE configuration) +* Any serial modem for interfacing between the platform and IoT-SAFE + + +### TLS 1.3 + +The TLS 1.3 configuration used in this example will use: +* The mutual authentication between client and server is done with ECC certificate. +* The key exchange performed is done with ECDHE. +* The application traffic cipher used is any AEAD. + +No PSK authentication, early data, session resumption are used in this demo. + + +### IoT-SAFE Configuration + +The below preprocessor macros can be found in the `client-tls13.c`. + +The applet that has been tested with this demo has the current configuration: + +| Key slot | Name | Description | +| -------- | -------------------- | ------------------------------------------------------------ | +| 0x01 | `PRIVKEY_ID` | pre-provisioned with the client ECC private key | +| 0x02 | `CRT_CLIENT_FILE_ID` | pre-provisioned with the client ECC public key certificate | +| 0x03 | `CRT_SERVER_FILE_ID` | pre-provisioned with the server ECC public key certificate | +| 0x04 | `ECDH_KEYPAIR_ID` | used to generate the ECDH key pair that will be used during the TLS session | +| 0x05 | `PEER_PUBKEY_ID` | used to store the ECDH public key received from the peer during the TLS session | + +The following file is used to read the client's certificate and will be used to authenticate the client: + +| File Slot | Name | Description | +| --------- | -------------------- | ---------------------------------------------------------- | +| 0x02 | `CRT_CLIENT_FILE_ID` | pre-provisioned with the client ECC public key certificate | + +The following file is used to read the server's certificate and will be used to authenticate the server by trusting the server certificate (trust here means no CA chain verification is performed, only comparing the server certificate sent from the server with the one stored in the IoT-SAFE): + +| File Slot | Name | Description | +| --------- | -------------------- | ---------------------------------------------------------- | +| 0x03 | `CRT_SERVER_FILE_ID` | pre-provisioned with the server ECC public key certificate | + +How the applet configuration (such as putting the client key pair with the corresponding client certificate and the server certificate the client can trust) is performed during its initial and on-field lifetime depends on the infrastructure and is out-of-scope of this demo. + + +### IoT-SAFE Interface + +The below code explanations can be found in the `client-tls13.c`. + +In this demo, the client is the IoT-SAFE capable endpoint. + +First, it creates a wolfSSL context `ctx` with TLS 1.3. + +```c +wolfSSL_CTX_new(wolfTLSv1_3_client_method()); +``` + +In order to activate IoT-SAFE support in this context, the following function is +called: + +```c +wolfSSL_CTX_iotsafe_enable(ctx); +``` + +Extracting the client and server certificate can be done by the following functions: + +```c +wolfIoTSafe_GetCert( + CRT_CLIENT_FILE_ID, + cert_buffer, + sizeof(cert_buffer)); +``` + +```c +wolfIoTSafe_GetCert( + CRT_SERVER_FILE_ID, + cert_buffer, + sizeof(cert_buffer)); +``` + +in which the extracted certificate inside the `cer_buffer` can be later loaded to the `ctx`. + +Additionally, after the TLS session `ssl` creation, shown below: + +```c +ssl = wolfSSL_new(ctx); +``` + +the client associates the pre-provisioned keys and the available slots in the +IoT-SAFE applet to the current session: + + +```c +wolfSSL_iotsafe_on(ssl, PRIVKEY_ID, ECDH_KEYPAIR_ID, PEER_PUBKEY_ID, PEER_CERT_ID); +``` + + +### Compiling + +First, user needs to build wolfSSL with the following options: +``` +./configure --enable-tls13 --enable-pkcallbacks --enable-debug --enable-iotsafe --enable-hkdf +``` + +Additionally, user can pass `CFLAGS="-DDEBUG_WOLFSSL -DWOLFSSL_DEBUG_TLS -DDEBUG_IOTSAFE"` if more debugging information is to be used. This can clutter the demo stdout more than `--enable-debug` does, but this is very useful to see the overall TLS 1.3 handshaking process with IoT-SAFE. + +Hence, the full wolfSSL build for the demo is: +``` +./configure CFLAGS="-DDEBUG_WOLFSSL -DWOLFSSL_DEBUG_TLS -DDEBUG_IOTSAFE" --enable-tls13 --enable-pkcallbacks --enable-debug --enable-iotsafe +``` + +### Running + +After building wolfSSL, from this directory, run `make` and a help usage will be shown. + +Run below to build a minimal demo: +``` +make all +``` + +Run below to enable printing UART IO: +``` +make all ENABLE_DEBUG_UART_IO_EXTRA=on +``` + +Run the built `./main.bin` to print the help usage. + +An example to run the demo connecting to a server: +``` +./main.bin -ip -h -p -t 25 -d /dev/ttyUSB0|/dev/tty/ACM0 +``` \ No newline at end of file diff --git a/IDE/iotsafe-raspberrypi/client-tls13.c b/IDE/iotsafe-raspberrypi/client-tls13.c new file mode 100644 index 000000000..ef6209bbf --- /dev/null +++ b/IDE/iotsafe-raspberrypi/client-tls13.c @@ -0,0 +1,499 @@ +/* client-tls13.c + * + * Copyright (C) 2006-2020 wolfSSL Inc. + * + * This file is part of wolfSSL. (formerly known as CyaSSL) + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + +/* C Standard Library */ + +#include +#include +#include +#include + + + +/* POSIX Library */ + +#include +#include +#include +#include + + + +/* wolfSSL Library */ + +#include +#include +#include +#include +#include + + + +/* IoTSAFE Certificate slots */ + +/* File Slot '02' is pre-provisioned with + * the client ECC public key certificate. + */ +#define CRT_CLIENT_FILE_ID 0x02 + +/* File Slot '03' is pre-provisioned with the + * server ECC public key certificate. + */ +#define CRT_SERVER_FILE_ID 0x03 + +/* IoTSAFE Key slots */ + +/* Key slot '01' is pre-provisioned with + * the client ECC private key. + */ +#define PRIVKEY_ID 0x01 + +/* Key slot '04' is used to generate the ECDH + * key pair that will be used during the TLS + * session. + */ +#define ECDH_KEYPAIR_ID 0x04 + +/* Key slot '05' is used to store the ECDH public + * key received from the peer during the TLS + * session. + */ +#define PEER_PUBKEY_ID 0x05 + +/* Key slot '05' is used to store the public key + * used for ECC verification - disabled in IoTSAFE. + */ +#define PEER_CERT_ID 0x05 + + + +/* Function Declarations */ + +extern int client_loop(const char *peer_ip, const char *peer_name, const char *peer_port, const char *temperature); + +#if defined(USE_SECRET_CALLBACK) + +static int Tls13SecretCallback(WOLFSSL* ssl, int id, const unsigned char* secret, int secretSz, void* ctx); + +#endif + + + +/* Function Definitions */ + +#if defined(USE_SECRET_CALLBACK) + +#ifndef WOLFSSL_SSLKEYLOGFILE_OUTPUT + #define WOLFSSL_SSLKEYLOGFILE_OUTPUT "sslkeylog.log" +#endif + +/* Callback function for TLS v1.3 secrets for use with Wireshark */ +static int Tls13SecretCallback(WOLFSSL* ssl, int id, const unsigned char* secret, + int secretSz, void* ctx) +{ + int i; + const char* str = NULL; + unsigned char clientRandom[32]; + size_t clientRandomSz; + XFILE fp = stderr; + if (ctx) { + fp = XFOPEN((const char*)ctx, "ab"); + if (fp == XBADFILE) { + return BAD_FUNC_ARG; + } + } + + clientRandomSz = wolfSSL_get_client_random(ssl, clientRandom, + sizeof(clientRandom)); + + switch (id) { + case CLIENT_EARLY_TRAFFIC_SECRET: + str = "CLIENT_EARLY_TRAFFIC_SECRET"; break; + case EARLY_EXPORTER_SECRET: + str = "EARLY_EXPORTER_SECRET"; break; + case CLIENT_HANDSHAKE_TRAFFIC_SECRET: + str = "CLIENT_HANDSHAKE_TRAFFIC_SECRET"; break; + case SERVER_HANDSHAKE_TRAFFIC_SECRET: + str = "SERVER_HANDSHAKE_TRAFFIC_SECRET"; break; + case CLIENT_TRAFFIC_SECRET: + str = "CLIENT_TRAFFIC_SECRET_0"; break; + case SERVER_TRAFFIC_SECRET: + str = "SERVER_TRAFFIC_SECRET_0"; break; + case EXPORTER_SECRET: + str = "EXPORTER_SECRET"; break; + } + + fprintf(fp, "%s ", str); + for (i = 0; i < (int)clientRandomSz; i++) { + fprintf(fp, "%02x", clientRandom[i]); + } + fprintf(fp, " "); + for (i = 0; i < secretSz; i++) { + fprintf(fp, "%02x", secret[i]); + } + fprintf(fp, "\n"); + + if (fp != stderr) { + XFCLOSE(fp); + } + + return 0; +} + +#endif /* USE_SECRET_CALLBACK */ + + + +int client_loop(const char *peer_ip, const char *peer_name, const char *peer_port, const char *temperature) +{ + int ret = 0; + + /* Declare TCP objects */ + int sockfd = -1; + struct sockaddr_in servAddr = {0}; + + /* Declare TCP messaging buffer */ + char buff[2048] = {0}; + size_t len = 0; + + /* Declare certificate temporary buffer */ + uint8_t cert_buffer[2048] = {0}; + uint32_t cert_buffer_size = 0; + uint8_t *cert_iter = NULL; + + /* Declare wolfSSL objects */ + WOLFSSL_CTX* ctx = NULL; + WOLFSSL* ssl = NULL; + WC_RNG rng = {0}; + char randombytes[16] = {0}; + + /* Construct HTTP POST */ + + // Header + strcat(buff, "POST /iot/device HTTP/1.1\r\n"); + strcat(buff, "Content-Type: application/json\r\n"); + strcat(buff, "Content-Length: 1000\r\n"); + strcat(buff, "Accept: */*\r\n"); + strcat(buff, "Host: "); + strcat(buff, peer_name); + strcat(buff, ":"); + strcat(buff, peer_port); + strcat(buff, "\r\n"); + + // Delimiter + strcat(buff, "\r\n"); + + // Body + srand(time(NULL)); + int devid = rand() % 100; + char snum[5] = {0}; + snprintf(snum, sizeof(snum), "%d", devid); + + strcat(buff, "{"); + strcat(buff, "\"deviceId\": \""); + strcat(buff, snum); + strcat(buff, "\","); + strcat(buff, "\"sensorType\": \"Temperature\","); + strcat(buff, "\"sensorValue\": \""); + strcat(buff, temperature); + strcat(buff, "\","); + strcat(buff, "\"sensorUnit\": \"Celcius\","); + strcat(buff, "\"sensorTime\": 1582181510"); + strcat(buff, "}"); + strcat(buff, "\r\n"); + + printf("\n\nPOST REQUEST\n\n%s\n\n", buff); + + /*---------------------------------*/ + /* Start of Socket */ + /*---------------------------------*/ + printf("---- Preparing TCP socket\n"); + + /* Create a socket that uses an internet IPv4 address, + * Sets the socket to be stream based (TCP), + * 0 means choose the default protocol. */ + printf("---- Creating socket\n"); + if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) + { + fprintf(stderr, "ERROR: failed to create the socket\n"); + ret = -1; + goto exit; + } + + /* Fill in the server address */ + printf("Peer port: %s\n", peer_port); + servAddr.sin_family = AF_INET; // Using IPv4 + servAddr.sin_port = htons(atoi(peer_port)); + + /* Get the server IPv4 address from the command line call */ + printf("---- Checking peer IP address\n"); + printf("Peer IP address: %s \n", peer_ip); + if (inet_pton(AF_INET, peer_ip, &servAddr.sin_addr) != 1) + { + fprintf(stderr, "ERROR: invalid peer IP address\n"); + ret = -1; + goto exit; + } + + /* Connect to the server */ + printf("---- Connecting to the peer socket\n"); + if ((ret = connect(sockfd, (struct sockaddr*) &servAddr, sizeof(servAddr))) + == -1) + { + fprintf(stderr, "ERROR: failed to connect\n"); + goto exit; + } + + printf("---- TCP socket connection established\n"); + + /*---------------------------------*/ + /* Start of Security */ + /*---------------------------------*/ + printf("---- Preparing wolfSSL TLS 1.3\n"); + + /* Initialize wolfSSL */ + printf("---- Initializing wolfSSL\n"); + if ((ret = wolfSSL_Init()) != WOLFSSL_SUCCESS) + { + fprintf(stderr, "ERROR: Failed to initialize the library\n"); + goto exit; + } + + /* Allow debug print in wolfSSL */ + printf("---- Allowing debug print in wolfSSL\n"); + if ((ret = wolfSSL_Debugging_ON()) != 0) + { + fprintf(stderr, "WARNING: Failed to enable wolfSSL debug print\n"); + } + + /* Initialize RNG */ + printf("---- Initializing RNG\n"); + if ((ret = wc_InitRng(&rng)) != 0) + { + fprintf(stderr, "ERROR: Failed to initialize the random number generator\n"); + goto exit; + } + + /* Obtain a sample RND */ + printf("---- Testing getting RND\n"); + if ((ret = wc_RNG_GenerateBlock( + &rng, + (byte*)randombytes, + sizeof(randombytes))) + != 0) + { + fprintf(stderr, "ERROR: Failed to get random numbers\n"); + goto exit; + } + else + { + printf("Random bytes: "); + for (uint8_t i = 0; i < sizeof(randombytes); i++) + printf("%02X", (unsigned int)randombytes[i]); + printf("\n"); + } + + /* Create and initialize WOLFSSL_CTX */ + printf("---- Creating wolfSSL TLS 1.3 context object\n"); + if ((ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method())) == NULL) + { + fprintf(stderr, "ERROR: failed to create WOLFSSL_CTX\n"); + ret = -1; + goto exit; + } + + /* Initialize IoTSAFE */ + printf("---- Enabling IoTSAFE\n"); + if ((ret = wolfSSL_CTX_iotsafe_enable(ctx)) != 0) + { + fprintf(stderr, "ERROR: Failed to initialize IoTSAFE\n"); + goto exit; + } + + /* Extract client certificate from IoTSAFE*/ + printf("---- Extracting client certificate from IoTSAFE\n"); + if ((cert_buffer_size = wolfIoTSafe_GetCert( + CRT_CLIENT_FILE_ID, + cert_buffer, + sizeof(cert_buffer))) + < 1) + { + fprintf(stderr, "ERROR: Bad client certificate\n"); + ret = -1; + goto exit; + } + + /* Print extracted client certificate */ + printf("---- Printing extracted client certificate\n"); + cert_iter = (uint8_t*)&cert_buffer; + printf("Extracted client certificate in HEX:\n"); + for (uint32_t i = 0; i < cert_buffer_size; i++) + printf("%02X", (unsigned int)*(cert_iter++)); + printf("\n"); + + /* Load client certificate */ + printf("---- Loading client certificate\n"); + if ((ret = wolfSSL_CTX_use_certificate_buffer(ctx, cert_buffer, + cert_buffer_size, WOLFSSL_FILETYPE_ASN1)) + != WOLFSSL_SUCCESS) + { + fprintf(stderr, "ERROR: Failed to load client certificate\n"); + return -1; + } + + /* Extract server certificate from IoTSAFE*/ + printf("---- Extracting server certificate from IoTSAFE\n"); + if ((cert_buffer_size = wolfIoTSafe_GetCert( + CRT_SERVER_FILE_ID, + cert_buffer, + sizeof(cert_buffer))) + < 1) + { + fprintf(stderr, "ERROR: Bad server certificate\n"); + ret = -1; + goto exit; + } + + /* Print extracted server certificate */ + printf("---- Printing extracted server certificate\n"); + cert_iter = (uint8_t*)&cert_buffer; + printf("Extracted server certificate in HEX:\n"); + for (uint32_t i = 0; i < cert_buffer_size; i++) + printf("%02X", (unsigned int)*(cert_iter++)); + printf("\n"); + + /* Load server certificate */ + printf("---- Loading server certificate\n"); + if ((ret = wolfSSL_CTX_trust_peer_buffer(ctx, cert_buffer, + cert_buffer_size, WOLFSSL_FILETYPE_ASN1)) + != WOLFSSL_SUCCESS) + { + fprintf(stderr, "ERROR: Failed to load server certificate\n"); + return -1; + } + + /* Set client to authenticate server */ + printf("---- Enabling client to authenticate server\n"); + wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, NULL); + + /* Create a WOLFSSL object */ + printf("---- Creating wolfSSL TLS 1.3 connection object\n"); + if ((ssl = wolfSSL_new(ctx)) == NULL) + { + fprintf(stderr, "ERROR: failed to create WOLFSSL object\n"); + ret = -1; + goto exit; + } + + /* Attach IoTSAFE usage to the wolfSSL */ + printf("---- Using IoTSAFE for TLS 1.3\n"); + if ((ret = wolfSSL_iotsafe_on( + ssl, PRIVKEY_ID, ECDH_KEYPAIR_ID, + PEER_PUBKEY_ID, PEER_CERT_ID)) + != 0) + { + fprintf(stderr, "ERROR: Failed to use IoTSAFE\n"); + goto exit; + } + + /* Attach wolfSSL to the socket */ + printf("---- Attaching TLS 1.3 to the socket\n"); + if ((ret = wolfSSL_set_fd(ssl, sockfd)) != WOLFSSL_SUCCESS) + { + fprintf(stderr, "ERROR: Failed to set the file descriptor\n"); + goto exit; + } + +#ifdef USE_SECRET_CALLBACK + /* Logging usage for wireshark */ + printf("---- Attaching TLS 1.3 secret callback for wireshark\n"); + if ((ret = wolfSSL_set_tls13_secret_cb( + ssl, + Tls13SecretCallback, + (void*)WOLFSSL_SSLKEYLOGFILE_OUTPUT)) + != WOLFSSL_SUCCESS) + { + fprintf(stderr, "ERROR: Failed to set the secret callback\n"); + goto exit; + } +#endif + + /* Connect to wolfSSL on the server side */ + printf("---- Start TLS 1.3 handshaking\n"); + if ((ret = wolfSSL_connect(ssl)) != WOLFSSL_SUCCESS) + { + fprintf(stderr, "ERROR: failed to connect to wolfSSL\n"); + goto exit; + } + + printf("---- wolfSSL TLS 1.3 connection established\n"); + + /*---------------------------------*/ + /* Start of Communication */ + /*---------------------------------*/ + printf("---- Communication starts\n"); + + /* Get a message for the server from stdin */ + printf("Enter message for server:\n"); + printf("[OUT]:\n"); + printf("\n\n%s\n\n", buff); + + len = strlen(buff); + + /* Send the message to the server */ + printf("Sending message to the server\n"); + if ((size_t) (ret = wolfSSL_write(ssl, buff, len)) != len) + { + fprintf(stderr, "ERROR: failed to write entire message\n"); + fprintf(stderr, "%d bytes of %d bytes were sent\n", ret, (int) len); + goto exit; + } + + /* Read the server data into our buff array */ + printf("Receiving message from the server\n"); + memset(buff, 0, sizeof(buff)); + if ((ret = wolfSSL_read(ssl, buff, sizeof(buff) - 1)) < 0) + { + fprintf(stderr, "ERROR: failed to read\n"); + goto exit; + } + + /* Print to stdout any data the server sends */ + printf("[IN] :\n%s\n", buff); + + /* Return reporting a success */ + ret = 0; + + printf("---- Communication ends\n"); + +exit: + /* Cleanup and return */ + if (sockfd != -1) + close(sockfd); /* Close the connection to the server */ + if (ssl) + wolfSSL_free(ssl); /* Free the wolfSSL object */ + if (ctx) + wolfSSL_CTX_free(ctx); /* Free the wolfSSL context object */ + wc_FreeRng(&rng); /* Cleanup the RNG */ + wolfSSL_Cleanup(); /* Cleanup the wolfSSL environment */ + + return ret; +} diff --git a/IDE/iotsafe-raspberrypi/main.c b/IDE/iotsafe-raspberrypi/main.c new file mode 100644 index 000000000..dcba2baa6 --- /dev/null +++ b/IDE/iotsafe-raspberrypi/main.c @@ -0,0 +1,288 @@ +/* main.c + * + * Copyright (C) 2006-2020 wolfSSL Inc. + * + * This file is part of wolfSSL. (formerly known as CyaSSL) + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + +/* IoT-SAFE example + * main for POSIX serial communication. + */ + +/* C Standard Library */ + +#include +#include +#include + + + +/* POSIX Library */ + +#include +#include +#include +#include +#include +#include + + + +/* wolfSSL Library */ + +#include +#include +#include +#include +#include + + + +/* Variable Declarations */ + +static int serial_fd = -1; + + + +/* Function Declarations */ + +extern int client_loop(const char *peer_ip, const char *peer_name, const char *peer_port, const char *temperature); + +static void print_buffer_hex(const char *buf, int len); +static void print_buffer_char(const char *buf, int len); + +static int usart_init(const char *dev_name, int *fd); +static int usart_clean(int fd); +static int usart_read(char *buf, int len); +static int usart_write(const char *buf, int len); + +static void show_usage(const char *program); + + + +/* Function Definitions */ + +static void print_buffer_hex(const char *buf, int len) +{ + for (int i = 0; i < len; i++) + printf("%02X", (unsigned int)*(buf++)); +} + +static void print_buffer_char(const char *buf, int len) +{ + for (int i = 0; i < len; i++) + printf("%c", *(buf++)); +} + +static int usart_init(const char *dev_name, int *fd) +{ + int portfd = open(dev_name, O_RDWR | O_NOCTTY); + if (portfd < 0) + { + *fd = -1; + return errno; + } + + struct termios tty; + tcgetattr(portfd, &tty); + cfsetospeed(&tty, B115200); + cfsetispeed(&tty, B115200); + tty.c_cflag = (tty.c_cflag & ~CSIZE) | (CS8); + tty.c_iflag &= ~(IGNBRK | IXON | IXOFF | IXANY| INLCR | ICRNL); + tty.c_oflag &= ~OPOST; + tty.c_oflag &= ~(ONLCR|OCRNL); + tty.c_cflag &= ~(PARENB | PARODD | CSTOPB); + tty.c_lflag &= ~(ICANON | ECHO | ECHOE | ISIG); + tty.c_iflag &= ~ISTRIP; + tty.c_cc[VMIN] = 0; + tty.c_cc[VTIME] = 5; + tcsetattr(portfd, TCSANOW, &tty); + + *fd = portfd; + + return 0; +} + +static int usart_clean(int fd) +{ + return close(fd); +} + +static int usart_read(char *buf, int len) +{ + if (!buf || len < 0) + return -1; + +#ifdef DEBUG_UART_IO + printf("UART Read Expected : %d bytes\n", len); +#endif + + int ret = 0; + int i = 0; + char c; + memset(buf, 0, len); + + // Read 1 byte at one time until *buf is full or a POSIX read error like timeout occurs. + do + { + ret = read(serial_fd, &c, 1U); + if (ret > 0) + { + buf[i++] = c; + if (c == '\n') + break; + } + } while (i < len && ret > 0); + +#ifdef DEBUG_UART_IO + printf("UART Read Actual : %d bytes\n", i); + #ifdef DEBUG_UART_IO_EXTRA_VERBOSE + printf("[READ in HEX ] <- "); + print_buffer_hex(buf, i); + printf("\n"); + #endif + printf("[READ in CHAR] <- "); + print_buffer_char(buf, i); + printf("\n"); +#endif + + return i; +} + +static int usart_write(const char *buf, int len) +{ + if (!buf || len < 0) + return -1; + +#ifdef DEBUG_UART_IO + printf("UART Write Expected: %d bytes\n", len); +#endif + + int sent = write(serial_fd, buf, len); + + if (sent < 0) + sent = 0; + +#ifdef DEBUG_UART_IO + printf("UART Write Actual : %d bytes\n", sent); + #ifdef DEBUG_UART_IO_EXTRA_VERBOSE + printf("[WRITE in HEX ] -> "); + print_buffer_hex(buf, sent); + printf("\n"); + #endif + printf("[WRITE in CHAR] -> "); + print_buffer_char(buf, sent); + printf("\n"); +#endif + + return sent; +} + +static void show_usage(const char *program) +{ + printf("\nUsage:\n"); + printf("\t%s -ip SERVER_IP_ADDRESS -h SERVER_HOST_NAME -p PORT_NUMBER -t TEMPERATURE -d DEVICE_FILE_PATH\n", program); + printf("\n"); + printf("\t-ip \n"); + printf("\t-h \n"); + printf("\t-p \n"); + printf("\t-t \n"); + printf("\t-d \n"); + exit(-1); +} + +int main(int argc, char** argv) +{ + char ip[30] = {0}; + char name[50] = {0}; + char port[8] = {0}; + char temperature[10] = {0}; + char device[30] = {0}; + + if (argc == 11) + { + if (strcmp(argv[1], "-ip") == 0) + strcpy((char*)&ip, argv[2]); + else + show_usage(argv[0]); + + if (strcmp(argv[3], "-h") == 0) + strcpy((char*)&name, argv[4]); + else + show_usage(argv[0]); + + if (strcmp(argv[5], "-p") == 0) + strcpy((char*)&port, argv[6]); + else + show_usage(argv[0]); + + if (strcmp(argv[7], "-t") == 0) + strcpy((char*)&temperature, argv[8]); + else + show_usage(argv[0]); + + if (strcmp(argv[9], "-d") == 0) + strcpy((char*)&device, argv[10]); + else + show_usage(argv[0]); + } + else + { + show_usage(argv[0]); + } + + int ret = 0; + + printf("#####################\n"); + printf("wolfSSL IoT-SAFE Demo\n"); + printf("#####################\n"); + + printf("---- Initializing serial I/O\n"); + + printf("---- Opening serial I/O\n"); + printf("Serial device: %s\n", (const char*)&device); + if ((ret = usart_init((const char*)&device, &serial_fd)) != 0) + { + printf("ERROR: Error opening %s: Error %i (%s)\n", + (const char*)&device, ret, strerror(ret)); + exit(-1); + } + + printf("---- Setting serial I/O read callback\n"); + wolfIoTSafe_SetCSIM_read_cb(&usart_read); + + printf("---- Setting serial I/O write callback\n"); + wolfIoTSafe_SetCSIM_write_cb(&usart_write); + + printf("---- Finish initializing serial I/O\n"); + + client_loop(ip, name, port, temperature); + + printf("---- Cleaning serial I/O\n"); + + printf("---- Closing serial I/O\n"); + if ((ret = usart_clean(serial_fd)) != 0) + { + printf("ERROR: Error closing %s: Error %i (%s)\n", + (const char*)&device, ret, strerror(ret)); + exit(-1); + } + + printf("---- Finish cleaning serial I/O\n"); + + return 0; +} diff --git a/wolfcrypt/src/port/iotsafe/iotsafe.c b/wolfcrypt/src/port/iotsafe/iotsafe.c index b2179ea43..6351f4db8 100644 --- a/wolfcrypt/src/port/iotsafe/iotsafe.c +++ b/wolfcrypt/src/port/iotsafe/iotsafe.c @@ -261,7 +261,7 @@ static int iotsafe_cmd_add_tlv_ex(char *cmd, byte tag, uint16_t len, cur_csim_len += (len_csim_str[1] - '0') * 10; if (len_csim_str[0] >= '0' && len_csim_str[0] <= '9') { - cur_csim_len += len_csim_str[0] * 100; + cur_csim_len += (len_csim_str[0] - '0') * 100; } else if (len_csim_str[0] != ' ') { return BAD_FUNC_ARG; } @@ -453,7 +453,7 @@ static int iotsafe_readfile(uint8_t *file_id, uint16_t file_id_sz, return ret; } - filesz_s = search_tlv(resp + 4, ret, 0x20); + filesz_s = search_tlv(resp, ret, 0x20); if ((filesz_s) && (XSTRLEN(filesz_s)) >= 8) { uint8_t fs_msb, fs_lsb; if (hex_to_bytes(filesz_s + 4, &fs_msb, 1) < 0) @@ -719,6 +719,51 @@ static int iotsafe_put_public_key(byte *pubkey_id, unsigned long id_size, } return ret; } +#ifdef HAVE_HKDF +//hkdf extract +static int iotsafe_hkdf_extract(byte* prk, const byte* salt, word32 saltLen, + byte* ikm, word32 ikmLen, int digest) +{ + int ret; + char *resp; + uint16_t hash_algo = 0; + + WOLFSSL_MSG("Enter iotsafe_hkdf_extract"); + switch (digest) { + case WC_SHA256: + hash_algo = (uint16_t)1; + break; + case WC_SHA384: + hash_algo = (uint16_t)2; + break; + case WC_SHA512: + hash_algo = (uint16_t)4; + break; + default: + break; + } + uint16_t hash_algo_be = XHTONS(hash_algo); + + iotsafe_cmd_start(csim_cmd, IOTSAFE_CLASS, IOTSAFE_INS_HKDF_EXTRACT, 0, 0); + iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_SECRET, ikmLen, ikm); + iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_SALT, saltLen,salt); + iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_HASH_ALGO, 2, (const byte*)&hash_algo_be); + iotsafe_cmd_complete(csim_cmd); + if (expect_csim_response(csim_cmd, (word32)XSTRLEN(csim_cmd), &resp) < 1) { + WOLFSSL_MSG("Unexpected reply from HKDF extract"); + ret = WC_HW_E; + } else { + + ret = hexbuffer_conv(resp, prk, 32); + if (ret < 0) + ret = WC_HW_E; + else + ret = 0; + } + + return ret; +} +#endif static int iotsafe_sign_hash(byte *privkey_idx, uint16_t id_size, uint16_t hash_algo, uint8_t sign_algo, const byte *hash, word32 hashLen, @@ -960,6 +1005,41 @@ static int wolfIoT_ecc_keygen(WOLFSSL* ssl, struct ecc_key* key, return ret; } +#ifdef HAVE_HKDF + +//hkdf extract iot safe +static int wolfIoT_hkdf_extract(byte* prk, const byte* salt, word32 saltLen, + byte* ikm, word32 ikmLen, int digest, void* ctx) +{ + (void)ctx; + int ret; + + WOLFSSL_MSG("IOTSAFE: Called wolfIoT_hkdf_extract\n"); + + #ifdef DEBUG_IOTSAFE + printf("IOTSAFE PK HKDF Extract\n"); + printf("salt: "); + for(word32 i = 0; i < saltLen; i++) + printf("%02X", salt[i]); + + printf("\nikm: "); + for(word32 i = 0; i < ikmLen; i++) + printf("%02X", ikm[i]); + + printf("\nhash: %d\n", digest); + #endif + if(saltLen != 0){ + ret = iotsafe_hkdf_extract(prk, salt, saltLen, ikm, ikmLen, digest); + } + else{ + return NOT_COMPILED_IN; + } + return ret; + +} +#endif + + static int wolfIoT_ecc_sign(WOLFSSL* ssl, const unsigned char* in, unsigned int inSz, @@ -1429,6 +1509,9 @@ int wolfSSL_CTX_iotsafe_enable(WOLFSSL_CTX *ctx) wolfSSL_CTX_SetEccVerifyCb(ctx, wolfIoT_ecc_verify); wolfSSL_CTX_SetEccKeyGenCb(ctx, wolfIoT_ecc_keygen); wolfSSL_CTX_SetEccSharedSecretCb(ctx, wolfIoT_ecc_shared_secret); + #ifdef HAVE_HKDF + wolfSSL_CTX_SetHKDFExtractCb(ctx, wolfIoT_hkdf_extract); + #endif #ifndef NO_DH wolfSSL_CTX_SetDhAgreeCb(ctx, wolfIoT_dh_agree); #endif /* NO_DH */ diff --git a/wolfssl/wolfcrypt/port/iotsafe/iotsafe.h b/wolfssl/wolfcrypt/port/iotsafe/iotsafe.h index 2a3a586f3..2ad536ba7 100644 --- a/wolfssl/wolfcrypt/port/iotsafe/iotsafe.h +++ b/wolfssl/wolfcrypt/port/iotsafe/iotsafe.h @@ -116,6 +116,7 @@ typedef struct wc_IOTSAFE IOTSAFE; #define IOTSAFE_INS_GETRESPONSE 0xC0 #define IOTSAFE_INS_GETDATA 0xCB #define IOTSAFE_INS_READ_KEY 0xCD +#define IOTSAFE_INS_HKDF_EXTRACT 0x4A /* Tags */ #define IOTSAFE_TAG_ECC_KEY_FIELD 0x34 @@ -134,6 +135,8 @@ typedef struct wc_IOTSAFE IOTSAFE; #define IOTSAFE_TAG_HASH_ALGO 0x91 #define IOTSAFE_TAG_SIGN_ALGO 0x92 #define IOTSAFE_TAG_MODE_OF_OPERATION 0xA1 +#define IOTSAFE_TAG_SECRET 0xD1 +#define IOTSAFE_TAG_SALT 0xD5 /* Flags - data */ #define IOTSAFE_GETDATA_FILE 0xC3 From 93712fcfbd26270b464e33860b12fed936e72e14 Mon Sep 17 00:00:00 2001 From: Saksik Remy Date: Mon, 20 Dec 2021 17:34:27 +0800 Subject: [PATCH 02/12] fallback in software imp if callback not supporting operation ie: NULL salt --- src/tls13.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/tls13.c b/src/tls13.c index 08e2adefb..7fbad0502 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -860,6 +860,11 @@ static int Tls13_HKDF_Extract(WOLFSSL *ssl, byte* prk, const byte* salt, int sal CallbackHKDFExtract cb = ssl->ctx->HkdfExtractCb; if (cb != NULL) { ret = cb(prk, salt, saltLen, ikm, ikmLen, digest, cb_ctx); + if(ret == NOT_COMPILED_IN) + { + WOLFSSL_MSG("Not supported by callback, fallback to software implementation"); + ret = wc_Tls13_HKDF_Extract(prk, salt, saltLen, ikm, ikmLen, digest); + } } else #endif From 31cf4f305c41ca89e45833a08fa3756f33910e93 Mon Sep 17 00:00:00 2001 From: Saksik Remy Date: Tue, 21 Dec 2021 15:41:43 +0800 Subject: [PATCH 03/12] fixing comments and spelling; fallback hkdf imp + signature header --- IDE/iotsafe-raspberrypi/main.c | 11 ++--- src/tls13.c | 7 +--- wolfcrypt/src/port/iotsafe/iotsafe.c | 60 ++++++++++++++++++---------- 3 files changed, 45 insertions(+), 33 deletions(-) diff --git a/IDE/iotsafe-raspberrypi/main.c b/IDE/iotsafe-raspberrypi/main.c index dcba2baa6..b0a6b73a4 100644 --- a/IDE/iotsafe-raspberrypi/main.c +++ b/IDE/iotsafe-raspberrypi/main.c @@ -56,8 +56,6 @@ static int serial_fd = -1; - - /* Function Declarations */ extern int client_loop(const char *peer_ip, const char *peer_name, const char *peer_port, const char *temperature); @@ -133,10 +131,11 @@ static int usart_read(char *buf, int len) int ret = 0; int i = 0; - char c; + char c; memset(buf, 0, len); - // Read 1 byte at one time until *buf is full or a POSIX read error like timeout occurs. + + /* Read 1 byte at one time until *buf is full or a POSIX read error like timeout occurs. */ do { ret = read(serial_fd, &c, 1U); @@ -147,6 +146,8 @@ static int usart_read(char *buf, int len) break; } } while (i < len && ret > 0); + + #ifdef DEBUG_UART_IO printf("UART Read Actual : %d bytes\n", i); @@ -200,7 +201,7 @@ static void show_usage(const char *program) printf("\t-ip \n"); printf("\t-h \n"); printf("\t-p \n"); - printf("\t-t \n"); + printf("\t-t \n"); printf("\t-d \n"); exit(-1); } diff --git a/src/tls13.c b/src/tls13.c index 7fbad0502..81627aeb9 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -860,11 +860,6 @@ static int Tls13_HKDF_Extract(WOLFSSL *ssl, byte* prk, const byte* salt, int sal CallbackHKDFExtract cb = ssl->ctx->HkdfExtractCb; if (cb != NULL) { ret = cb(prk, salt, saltLen, ikm, ikmLen, digest, cb_ctx); - if(ret == NOT_COMPILED_IN) - { - WOLFSSL_MSG("Not supported by callback, fallback to software implementation"); - ret = wc_Tls13_HKDF_Extract(prk, salt, saltLen, ikm, ikmLen, digest); - } } else #endif @@ -955,7 +950,7 @@ int DeriveMasterSecret(WOLFSSL* ssl) PRIVATE_KEY_UNLOCK(); ret = Tls13_HKDF_Extract(ssl, ssl->arrays->masterSecret, key, ssl->specs.hash_size, - ssl->arrays->masterSecret, 0, mac2hash(ssl->specs.mac_algorithm)); + ssl->arrays->masterSecret, 32, mac2hash(ssl->specs.mac_algorithm)); PRIVATE_KEY_LOCK(); #ifdef HAVE_KEYING_MATERIAL diff --git a/wolfcrypt/src/port/iotsafe/iotsafe.c b/wolfcrypt/src/port/iotsafe/iotsafe.c index 6351f4db8..6d610cb00 100644 --- a/wolfcrypt/src/port/iotsafe/iotsafe.c +++ b/wolfcrypt/src/port/iotsafe/iotsafe.c @@ -720,28 +720,56 @@ static int iotsafe_put_public_key(byte *pubkey_id, unsigned long id_size, return ret; } #ifdef HAVE_HKDF -//hkdf extract static int iotsafe_hkdf_extract(byte* prk, const byte* salt, word32 saltLen, byte* ikm, word32 ikmLen, int digest) { int ret; char *resp; uint16_t hash_algo = 0; + int len; WOLFSSL_MSG("Enter iotsafe_hkdf_extract"); switch (digest) { case WC_SHA256: hash_algo = (uint16_t)1; + if (ikmLen == 0) { + len = WC_SHA256_DIGEST_SIZE; + } break; case WC_SHA384: hash_algo = (uint16_t)2; + if (ikmLen == 0) { + len = WC_SHA384_DIGEST_SIZE; + } break; case WC_SHA512: hash_algo = (uint16_t)4; + if (ikmLen == 0) { + len = WC_SHA512_DIGEST_SIZE; + } break; default: break; } + + if (ikmLen == 0) { + ikmLen = len; + XMEMSET(ikm, 0, len); + } + + #ifdef DEBUG_IOTSAFE + printf("IOTSAFE PK HKDF Extract\n"); + printf("salt: "); + for(word32 i = 0; i < saltLen; i++) + printf("%02X", salt[i]); + + printf("\nikm: "); + for(word32 i = 0; i < ikmLen; i++) + printf("%02X", ikm[i]); + + printf("\nhash: %d\n", digest); + #endif + uint16_t hash_algo_be = XHTONS(hash_algo); iotsafe_cmd_start(csim_cmd, IOTSAFE_CLASS, IOTSAFE_INS_HKDF_EXTRACT, 0, 0); @@ -820,14 +848,13 @@ static int iotsafe_sign_hash(byte *privkey_idx, uint16_t id_size, ret = expect_csim_response(csim_cmd, (word32)XSTRLEN(csim_cmd), &resp); if (ret >= 0) { - byte sig_hdr[3]; - if (hex_to_bytes(resp, sig_hdr, 3) < 0) { + byte sig_hdr[2]; + if (hex_to_bytes(resp, sig_hdr, 2) < 0) { ret = BAD_FUNC_ARG; } else if ((sig_hdr[0] == IOTSAFE_TAG_SIGNATURE_FIELD) && - (sig_hdr[1] == 0) && - (sig_hdr[2] == 2 * IOTSAFE_ECC_KSIZE)) { - XSTRNCPY(R, resp + 6, IOTSAFE_ECC_KSIZE * 2); - XSTRNCPY(S, resp + 6 + IOTSAFE_ECC_KSIZE * 2, + (sig_hdr[1] == 2 * IOTSAFE_ECC_KSIZE)) { + XSTRNCPY(R, resp + 4, IOTSAFE_ECC_KSIZE * 2); + XSTRNCPY(S, resp + 4 + IOTSAFE_ECC_KSIZE * 2, IOTSAFE_ECC_KSIZE * 2); ret = wc_ecc_rs_to_sig(R, S, signature, sigLen); } else { @@ -1006,8 +1033,6 @@ static int wolfIoT_ecc_keygen(WOLFSSL* ssl, struct ecc_key* key, } #ifdef HAVE_HKDF - -//hkdf extract iot safe static int wolfIoT_hkdf_extract(byte* prk, const byte* salt, word32 saltLen, byte* ikm, word32 ikmLen, int digest, void* ctx) { @@ -1016,23 +1041,14 @@ static int wolfIoT_hkdf_extract(byte* prk, const byte* salt, word32 saltLen, WOLFSSL_MSG("IOTSAFE: Called wolfIoT_hkdf_extract\n"); - #ifdef DEBUG_IOTSAFE - printf("IOTSAFE PK HKDF Extract\n"); - printf("salt: "); - for(word32 i = 0; i < saltLen; i++) - printf("%02X", salt[i]); - - printf("\nikm: "); - for(word32 i = 0; i < ikmLen; i++) - printf("%02X", ikm[i]); - - printf("\nhash: %d\n", digest); - #endif if(saltLen != 0){ ret = iotsafe_hkdf_extract(prk, salt, saltLen, ikm, ikmLen, digest); } else{ - return NOT_COMPILED_IN; + #ifdef DEBUG_IOTSAFE + printf("SALT is NULL, not support by IoT Safe Applet, fallback to software implementation\n"); + #endif + ret = wc_Tls13_HKDF_Extract(prk, salt, saltLen, ikm, ikmLen, digest); } return ret; From f1bbfa5a24a91d2409b1830b3e8e596e8f783521 Mon Sep 17 00:00:00 2001 From: Saksik Remy Date: Tue, 21 Dec 2021 15:51:32 +0800 Subject: [PATCH 04/12] revert change on Derive Master secret --- src/tls13.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/tls13.c b/src/tls13.c index 81627aeb9..08e2adefb 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -950,7 +950,7 @@ int DeriveMasterSecret(WOLFSSL* ssl) PRIVATE_KEY_UNLOCK(); ret = Tls13_HKDF_Extract(ssl, ssl->arrays->masterSecret, key, ssl->specs.hash_size, - ssl->arrays->masterSecret, 32, mac2hash(ssl->specs.mac_algorithm)); + ssl->arrays->masterSecret, 0, mac2hash(ssl->specs.mac_algorithm)); PRIVATE_KEY_LOCK(); #ifdef HAVE_KEYING_MATERIAL From ebff24353a7c1f0934e4a170e675a5fe71e1b968 Mon Sep 17 00:00:00 2001 From: Saksik Remy Date: Tue, 21 Dec 2021 15:53:57 +0800 Subject: [PATCH 05/12] fix Spelling --- IDE/iotsafe-raspberrypi/client-tls13.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/IDE/iotsafe-raspberrypi/client-tls13.c b/IDE/iotsafe-raspberrypi/client-tls13.c index ef6209bbf..93a399eb2 100644 --- a/IDE/iotsafe-raspberrypi/client-tls13.c +++ b/IDE/iotsafe-raspberrypi/client-tls13.c @@ -215,7 +215,7 @@ int client_loop(const char *peer_ip, const char *peer_name, const char *peer_por strcat(buff, "\"sensorValue\": \""); strcat(buff, temperature); strcat(buff, "\","); - strcat(buff, "\"sensorUnit\": \"Celcius\","); + strcat(buff, "\"sensorUnit\": \"Celsius\","); strcat(buff, "\"sensorTime\": 1582181510"); strcat(buff, "}"); strcat(buff, "\r\n"); From 78a419fdf57fc31b95afdf4bd0d44ed57497ef00 Mon Sep 17 00:00:00 2001 From: Saksik Remy Date: Tue, 21 Dec 2021 15:57:19 +0800 Subject: [PATCH 06/12] spelling --- wolfcrypt/src/port/iotsafe/iotsafe.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wolfcrypt/src/port/iotsafe/iotsafe.c b/wolfcrypt/src/port/iotsafe/iotsafe.c index 6d610cb00..0344074e5 100644 --- a/wolfcrypt/src/port/iotsafe/iotsafe.c +++ b/wolfcrypt/src/port/iotsafe/iotsafe.c @@ -1046,7 +1046,7 @@ static int wolfIoT_hkdf_extract(byte* prk, const byte* salt, word32 saltLen, } else{ #ifdef DEBUG_IOTSAFE - printf("SALT is NULL, not support by IoT Safe Applet, fallback to software implementation\n"); + printf("NULL Salt length not supported by IoT Safe Applet, fallback to software implementation\n"); #endif ret = wc_Tls13_HKDF_Extract(prk, salt, saltLen, ikm, ikmLen, digest); } From c7fc0fac057a8246601cba7d019a64a7d1afc51d Mon Sep 17 00:00:00 2001 From: Saksik Remy Date: Wed, 22 Dec 2021 15:11:50 +0800 Subject: [PATCH 07/12] revert changes + spelling/comments --- IDE/iotsafe-raspberrypi/README.md | 8 +++++--- IDE/iotsafe-raspberrypi/client-tls13.c | 8 ++++---- wolfcrypt/src/port/iotsafe/iotsafe.c | 24 ++++++++++++++++-------- 3 files changed, 25 insertions(+), 15 deletions(-) diff --git a/IDE/iotsafe-raspberrypi/README.md b/IDE/iotsafe-raspberrypi/README.md index 23708f31e..286ac5537 100644 --- a/IDE/iotsafe-raspberrypi/README.md +++ b/IDE/iotsafe-raspberrypi/README.md @@ -108,16 +108,18 @@ wolfSSL_iotsafe_on(ssl, PRIVKEY_ID, ECDH_KEYPAIR_ID, PEER_PUBKEY_ID, PEER_CERT_I First, user needs to build wolfSSL with the following options: ``` -./configure --enable-tls13 --enable-pkcallbacks --enable-debug --enable-iotsafe --enable-hkdf +./configure CFLAGS="-DWOLFSSL_TRUST_PEER_CERT" --enable-tls13 --enable-pkcallbacks --enable-debug --enable-iotsafe --enable-hkdf ``` Additionally, user can pass `CFLAGS="-DDEBUG_WOLFSSL -DWOLFSSL_DEBUG_TLS -DDEBUG_IOTSAFE"` if more debugging information is to be used. This can clutter the demo stdout more than `--enable-debug` does, but this is very useful to see the overall TLS 1.3 handshaking process with IoT-SAFE. Hence, the full wolfSSL build for the demo is: ``` -./configure CFLAGS="-DDEBUG_WOLFSSL -DWOLFSSL_DEBUG_TLS -DDEBUG_IOTSAFE" --enable-tls13 --enable-pkcallbacks --enable-debug --enable-iotsafe +./configure CFLAGS="-DWOLFSSL_TRUST_PEER_CERT -DDEBUG_WOLFSSL -DWOLFSSL_DEBUG_TLS -DDEBUG_IOTSAFE" --enable-tls13 --enable-pkcallbacks --enable-debug --enable-iotsafe ``` +`-DWOLFSSL_TRUST_PEER_CERT` is needed for `wolfSSL_CTX_trust_peer_buffer` in `IDE/iotsafe-raspberrypi/client-tls13.c` + ### Running After building wolfSSL, from this directory, run `make` and a help usage will be shown. @@ -129,7 +131,7 @@ make all Run below to enable printing UART IO: ``` -make all ENABLE_DEBUG_UART_IO_EXTRA=on +make all ENABLE_DEBUG_UART_IO_EXTRA=on|off ``` Run the built `./main.bin` to print the help usage. diff --git a/IDE/iotsafe-raspberrypi/client-tls13.c b/IDE/iotsafe-raspberrypi/client-tls13.c index 93a399eb2..83a0ec419 100644 --- a/IDE/iotsafe-raspberrypi/client-tls13.c +++ b/IDE/iotsafe-raspberrypi/client-tls13.c @@ -187,7 +187,7 @@ int client_loop(const char *peer_ip, const char *peer_name, const char *peer_por /* Construct HTTP POST */ - // Header + /* Header */ strcat(buff, "POST /iot/device HTTP/1.1\r\n"); strcat(buff, "Content-Type: application/json\r\n"); strcat(buff, "Content-Length: 1000\r\n"); @@ -198,10 +198,10 @@ int client_loop(const char *peer_ip, const char *peer_name, const char *peer_por strcat(buff, peer_port); strcat(buff, "\r\n"); - // Delimiter + /* Delimiter */ strcat(buff, "\r\n"); - // Body + /* Body */ srand(time(NULL)); int devid = rand() % 100; char snum[5] = {0}; @@ -240,7 +240,7 @@ int client_loop(const char *peer_ip, const char *peer_name, const char *peer_por /* Fill in the server address */ printf("Peer port: %s\n", peer_port); - servAddr.sin_family = AF_INET; // Using IPv4 + servAddr.sin_family = AF_INET; /* Using IPv4 */ servAddr.sin_port = htons(atoi(peer_port)); /* Get the server IPv4 address from the command line call */ diff --git a/wolfcrypt/src/port/iotsafe/iotsafe.c b/wolfcrypt/src/port/iotsafe/iotsafe.c index 0344074e5..78f051c48 100644 --- a/wolfcrypt/src/port/iotsafe/iotsafe.c +++ b/wolfcrypt/src/port/iotsafe/iotsafe.c @@ -453,7 +453,7 @@ static int iotsafe_readfile(uint8_t *file_id, uint16_t file_id_sz, return ret; } - filesz_s = search_tlv(resp, ret, 0x20); + filesz_s = search_tlv(resp + 4, ret, 0x20); if ((filesz_s) && (XSTRLEN(filesz_s)) >= 8) { uint8_t fs_msb, fs_lsb; if (hex_to_bytes(filesz_s + 4, &fs_msb, 1) < 0) @@ -730,25 +730,32 @@ static int iotsafe_hkdf_extract(byte* prk, const byte* salt, word32 saltLen, WOLFSSL_MSG("Enter iotsafe_hkdf_extract"); switch (digest) { + #ifndef NO_SHA256 case WC_SHA256: hash_algo = (uint16_t)1; if (ikmLen == 0) { len = WC_SHA256_DIGEST_SIZE; } break; + #endif + #ifdef WOLFSSL_SHA384 case WC_SHA384: hash_algo = (uint16_t)2; if (ikmLen == 0) { len = WC_SHA384_DIGEST_SIZE; } break; + #endif + #ifdef WOLFSSL_TLS13_SHA512 case WC_SHA512: hash_algo = (uint16_t)4; if (ikmLen == 0) { len = WC_SHA512_DIGEST_SIZE; } break; + #endif default: + return BAD_FUNC_ARG; break; } @@ -848,13 +855,14 @@ static int iotsafe_sign_hash(byte *privkey_idx, uint16_t id_size, ret = expect_csim_response(csim_cmd, (word32)XSTRLEN(csim_cmd), &resp); if (ret >= 0) { - byte sig_hdr[2]; - if (hex_to_bytes(resp, sig_hdr, 2) < 0) { + byte sig_hdr[3]; + if (hex_to_bytes(resp, sig_hdr, 3) < 0) { ret = BAD_FUNC_ARG; } else if ((sig_hdr[0] == IOTSAFE_TAG_SIGNATURE_FIELD) && - (sig_hdr[1] == 2 * IOTSAFE_ECC_KSIZE)) { - XSTRNCPY(R, resp + 4, IOTSAFE_ECC_KSIZE * 2); - XSTRNCPY(S, resp + 4 + IOTSAFE_ECC_KSIZE * 2, + (sig_hdr[1] == 0) && + (sig_hdr[2] == 2 * IOTSAFE_ECC_KSIZE)) { + XSTRNCPY(R, resp + 6, IOTSAFE_ECC_KSIZE * 2); + XSTRNCPY(S, resp + 6 + IOTSAFE_ECC_KSIZE * 2, IOTSAFE_ECC_KSIZE * 2); ret = wc_ecc_rs_to_sig(R, S, signature, sigLen); } else { @@ -1045,8 +1053,8 @@ static int wolfIoT_hkdf_extract(byte* prk, const byte* salt, word32 saltLen, ret = iotsafe_hkdf_extract(prk, salt, saltLen, ikm, ikmLen, digest); } else{ - #ifdef DEBUG_IOTSAFE - printf("NULL Salt length not supported by IoT Safe Applet, fallback to software implementation\n"); + #ifdef DEBUG_IOTSAFE + printf("SALT is NULL, not supported by IoT Safe Applet, fallback to software implementation\n"); #endif ret = wc_Tls13_HKDF_Extract(prk, salt, saltLen, ikm, ikmLen, digest); } From 81cf1ae38a9949d2776f4e65ac087b1b44fe052c Mon Sep 17 00:00:00 2001 From: Saksik Remy Date: Wed, 22 Dec 2021 15:16:08 +0800 Subject: [PATCH 08/12] fix alignment --- wolfcrypt/src/port/iotsafe/iotsafe.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wolfcrypt/src/port/iotsafe/iotsafe.c b/wolfcrypt/src/port/iotsafe/iotsafe.c index 78f051c48..6b3f8e5e2 100644 --- a/wolfcrypt/src/port/iotsafe/iotsafe.c +++ b/wolfcrypt/src/port/iotsafe/iotsafe.c @@ -860,7 +860,7 @@ static int iotsafe_sign_hash(byte *privkey_idx, uint16_t id_size, ret = BAD_FUNC_ARG; } else if ((sig_hdr[0] == IOTSAFE_TAG_SIGNATURE_FIELD) && (sig_hdr[1] == 0) && - (sig_hdr[2] == 2 * IOTSAFE_ECC_KSIZE)) { + (sig_hdr[2] == 2 * IOTSAFE_ECC_KSIZE)) { XSTRNCPY(R, resp + 6, IOTSAFE_ECC_KSIZE * 2); XSTRNCPY(S, resp + 6 + IOTSAFE_ECC_KSIZE * 2, IOTSAFE_ECC_KSIZE * 2); From d11e88298a2f834896849b71be995b0400d2149c Mon Sep 17 00:00:00 2001 From: Saksik Remy Date: Wed, 29 Dec 2021 11:45:32 +0800 Subject: [PATCH 09/12] Add Make file and fix identation --- IDE/iotsafe-raspberrypi/Makefile | 72 ++++++++++++++++++++++++++++ wolfcrypt/src/port/iotsafe/iotsafe.c | 29 +++++------ 2 files changed, 87 insertions(+), 14 deletions(-) create mode 100644 IDE/iotsafe-raspberrypi/Makefile diff --git a/IDE/iotsafe-raspberrypi/Makefile b/IDE/iotsafe-raspberrypi/Makefile new file mode 100644 index 000000000..667cb061a --- /dev/null +++ b/IDE/iotsafe-raspberrypi/Makefile @@ -0,0 +1,72 @@ +CFLAGS := -g -ggdb -Wall -Wextra -std=c11 +CINCS := -I. -I/usr/local/wolfssl +CLIBS := -L/usr/local/lib +CDEPS := -lc -lg -lm -lwolfssl + +ENABLE_DEBUG_UART_IO := off +ENABLE_DEBUG_UART_IO_EXTRA := off +ENABLE_SECRET_CALLBACK := off + +ifeq ($(ENABLE_DEBUG_UART_IO), on) + CFLAGS+=-DDEBUG_UART_IO +endif + +ifeq ($(ENABLE_DEBUG_UART_IO_EXTRA), on) + CFLAGS+=-DDEBUG_UART_IO -DDEBUG_UART_IO_EXTRA_VERBOSE +endif + +ifeq ($(ENABLE_SECRET_CALLBACK), on) + CFLAGS+=-DUSE_SECRET_CALLBACK +endif + +OBJS:=main.o client-tls13.o + +.PHONY: all clean help + +define run-help = +echo "Run 'make TARGET* OPTION*'" +echo "" +echo "TARGET (specify 0 or more):" +echo " all (default target)" +echo " Build main.bin executable" +echo " main.bin" +echo " Build main.bin executable" +echo " main.o" +echo " Build main.o" +echo " client-tls13.o" +echo " Build client-tls13.o" +echo " clean" +echo " Clean *.o and *.bin" +echo " help" +echo " This help" +echo "" +echo "OPTION (specify 0 or more):" +echo " ENABLE_DEBUG_UART_IO=on|off (default off)" +echo " Enable printing ASCII characters sent and received by the UART" +echo " ENABLE_DEBUG_UART_IO_EXTRA=on|off (default off)" +echo " Enable more printing hex characters sent and received by the UART" +echo " Setting this on implicitly sets ENABLE_DEBUG_UART_IO=on" +echo " ENABLE_SECRET_CALLBACK=on|off (default off)" +echo " Enable secret callback for TLS 1.3 handshaking, which can be useful for wireshark sniffing" +echo "" +echo "Example:" +echo " make all ENABLE_DEBUG_UART_IO_EXTRA=on" +echo "" +endef + +help: + @$(run-help) + +all: main.bin + +main.bin: $(OBJS) + $(CC) $(CFLAGS) $(CINCS) $(CLIBS) -o $@ $^ $(CDEPS) + +main.o: main.c + $(CC) $(CFLAGS) $(CINCS) $(CLIBS) -c -o $@ $^ $(CDEPS) + +client-tls13.o: client-tls13.c + $(CC) $(CFLAGS) $(CINCS) $(CLIBS) -c -o $@ $^ $(CDEPS) + +clean: + rm -f *.o *.bin diff --git a/wolfcrypt/src/port/iotsafe/iotsafe.c b/wolfcrypt/src/port/iotsafe/iotsafe.c index 6b3f8e5e2..5c18cdaba 100644 --- a/wolfcrypt/src/port/iotsafe/iotsafe.c +++ b/wolfcrypt/src/port/iotsafe/iotsafe.c @@ -727,31 +727,32 @@ static int iotsafe_hkdf_extract(byte* prk, const byte* salt, word32 saltLen, char *resp; uint16_t hash_algo = 0; int len; + uint16_t hash_algo_be = 0; WOLFSSL_MSG("Enter iotsafe_hkdf_extract"); switch (digest) { #ifndef NO_SHA256 case WC_SHA256: - hash_algo = (uint16_t)1; - if (ikmLen == 0) { - len = WC_SHA256_DIGEST_SIZE; - } + hash_algo = (uint16_t)1; + if (ikmLen == 0) { + len = WC_SHA256_DIGEST_SIZE; + } break; #endif #ifdef WOLFSSL_SHA384 case WC_SHA384: - hash_algo = (uint16_t)2; - if (ikmLen == 0) { - len = WC_SHA384_DIGEST_SIZE; - } - break; + hash_algo = (uint16_t)2; + if (ikmLen == 0) { + len = WC_SHA384_DIGEST_SIZE; + } + break; #endif #ifdef WOLFSSL_TLS13_SHA512 case WC_SHA512: - hash_algo = (uint16_t)4; - if (ikmLen == 0) { - len = WC_SHA512_DIGEST_SIZE; - } + hash_algo = (uint16_t)4; + if (ikmLen == 0) { + len = WC_SHA512_DIGEST_SIZE; + } break; #endif default: @@ -777,7 +778,7 @@ static int iotsafe_hkdf_extract(byte* prk, const byte* salt, word32 saltLen, printf("\nhash: %d\n", digest); #endif - uint16_t hash_algo_be = XHTONS(hash_algo); + hash_algo_be = XHTONS(hash_algo); iotsafe_cmd_start(csim_cmd, IOTSAFE_CLASS, IOTSAFE_INS_HKDF_EXTRACT, 0, 0); iotsafe_cmd_add_tlv(csim_cmd, IOTSAFE_TAG_SECRET, ikmLen, ikm); From 12d3f94c98f61f697a6c1f50dfed3f913015e500 Mon Sep 17 00:00:00 2001 From: Saksik Remy Date: Tue, 4 Jan 2022 13:18:39 +0800 Subject: [PATCH 10/12] update build and update NULL salt usecase --- IDE/iotsafe-raspberrypi/Makefile | 17 +++++++++++++---- IDE/iotsafe-raspberrypi/include.am | 9 +++++++++ wolfcrypt/src/port/iotsafe/iotsafe.c | 28 ++++++++++++++++------------ 3 files changed, 38 insertions(+), 16 deletions(-) create mode 100644 IDE/iotsafe-raspberrypi/include.am diff --git a/IDE/iotsafe-raspberrypi/Makefile b/IDE/iotsafe-raspberrypi/Makefile index 667cb061a..d26af05ae 100644 --- a/IDE/iotsafe-raspberrypi/Makefile +++ b/IDE/iotsafe-raspberrypi/Makefile @@ -3,6 +3,9 @@ CINCS := -I. -I/usr/local/wolfssl CLIBS := -L/usr/local/lib CDEPS := -lc -lg -lm -lwolfssl +WOLFSSL_BUILD=build +MKDIR_P = mkdir -p + ENABLE_DEBUG_UART_IO := off ENABLE_DEBUG_UART_IO_EXTRA := off ENABLE_SECRET_CALLBACK := off @@ -19,7 +22,7 @@ ifeq ($(ENABLE_SECRET_CALLBACK), on) CFLAGS+=-DUSE_SECRET_CALLBACK endif -OBJS:=main.o client-tls13.o +OBJS:=$(WOLFSSL_BUILD)/main.o $(WOLFSSL_BUILD)/client-tls13.o .PHONY: all clean help @@ -57,16 +60,22 @@ endef help: @$(run-help) -all: main.bin +all: directories main.bin + +directories: $(WOLFSSL_BUILD) + +$(WOLFSSL_BUILD): + ${MKDIR_P} $(WOLFSSL_BUILD) main.bin: $(OBJS) $(CC) $(CFLAGS) $(CINCS) $(CLIBS) -o $@ $^ $(CDEPS) -main.o: main.c +$(WOLFSSL_BUILD)/main.o: main.c $(CC) $(CFLAGS) $(CINCS) $(CLIBS) -c -o $@ $^ $(CDEPS) -client-tls13.o: client-tls13.c +$(WOLFSSL_BUILD)/client-tls13.o: client-tls13.c $(CC) $(CFLAGS) $(CINCS) $(CLIBS) -c -o $@ $^ $(CDEPS) clean: rm -f *.o *.bin + rm -rf build diff --git a/IDE/iotsafe-raspberrypi/include.am b/IDE/iotsafe-raspberrypi/include.am new file mode 100644 index 000000000..bd28bdf4f --- /dev/null +++ b/IDE/iotsafe-raspberrypi/include.am @@ -0,0 +1,9 @@ +# vim:ft=automake +# All paths should be given relative to the root + +EXTRA_DIST += IDE/iotsafe-raspberrypi/README.md +EXTRA_DIST += IDE/iotsafe-raspberrypi/Makefile +EXTRA_DIST += IDE/iotsafe-raspberrypi/main.c +EXTRA_DIST += IDE/iotsafe-raspberrypi/client-tls13.c + +DISTCLEANFILES+= IDE/iotsafe-raspberrypi/build diff --git a/wolfcrypt/src/port/iotsafe/iotsafe.c b/wolfcrypt/src/port/iotsafe/iotsafe.c index 5c18cdaba..3b1147a06 100644 --- a/wolfcrypt/src/port/iotsafe/iotsafe.c +++ b/wolfcrypt/src/port/iotsafe/iotsafe.c @@ -1047,25 +1047,29 @@ static int wolfIoT_hkdf_extract(byte* prk, const byte* salt, word32 saltLen, { (void)ctx; int ret; + const byte* localSalt; /* either points to user input or tmp */ + byte tmp[WC_MAX_DIGEST_SIZE]; /* localSalt helper */ WOLFSSL_MSG("IOTSAFE: Called wolfIoT_hkdf_extract\n"); - if(saltLen != 0){ - ret = iotsafe_hkdf_extract(prk, salt, saltLen, ikm, ikmLen, digest); - } - else{ - #ifdef DEBUG_IOTSAFE - printf("SALT is NULL, not supported by IoT Safe Applet, fallback to software implementation\n"); - #endif - ret = wc_Tls13_HKDF_Extract(prk, salt, saltLen, ikm, ikmLen, digest); - } - return ret; + localSalt = salt; + if(saltLen == 0) { + ret = wc_HmacSizeByType(digest); + if (ret < 0) + return ret; + saltLen = ret; + if (localSalt == NULL) { + XMEMSET(tmp, 0, saltLen); + localSalt = tmp; + } + } + + ret = iotsafe_hkdf_extract(prk, localSalt, saltLen, ikm, ikmLen, digest); + return ret; } #endif - - static int wolfIoT_ecc_sign(WOLFSSL* ssl, const unsigned char* in, unsigned int inSz, unsigned char* out, word32* outSz, From 1a291870a3f76e455096c5583dc2757fe202cd45 Mon Sep 17 00:00:00 2001 From: Saksik Remy Date: Mon, 10 Jan 2022 10:28:14 +0800 Subject: [PATCH 11/12] minor fixes --- IDE/iotsafe-raspberrypi/Makefile | 3 +- IDE/iotsafe-raspberrypi/client-tls13.c | 30 +++++--------------- IDE/iotsafe-raspberrypi/main.c | 39 +++++++++----------------- wolfcrypt/src/port/iotsafe/iotsafe.c | 4 +-- 4 files changed, 24 insertions(+), 52 deletions(-) diff --git a/IDE/iotsafe-raspberrypi/Makefile b/IDE/iotsafe-raspberrypi/Makefile index d26af05ae..12faf7317 100644 --- a/IDE/iotsafe-raspberrypi/Makefile +++ b/IDE/iotsafe-raspberrypi/Makefile @@ -24,7 +24,8 @@ endif OBJS:=$(WOLFSSL_BUILD)/main.o $(WOLFSSL_BUILD)/client-tls13.o -.PHONY: all clean help +default: all + .PHONY: all clean help define run-help = echo "Run 'make TARGET* OPTION*'" diff --git a/IDE/iotsafe-raspberrypi/client-tls13.c b/IDE/iotsafe-raspberrypi/client-tls13.c index 83a0ec419..3b1f7b874 100644 --- a/IDE/iotsafe-raspberrypi/client-tls13.c +++ b/IDE/iotsafe-raspberrypi/client-tls13.c @@ -1,6 +1,6 @@ /* client-tls13.c * - * Copyright (C) 2006-2020 wolfSSL Inc. + * Copyright (C) 2006-2022 wolfSSL Inc. * * This file is part of wolfSSL. (formerly known as CyaSSL) * @@ -20,33 +20,24 @@ */ /* C Standard Library */ - #include #include #include #include - - /* POSIX Library */ - #include #include #include #include - - /* wolfSSL Library */ - #include #include #include #include #include - - /* IoTSAFE Certificate slots */ /* File Slot '02' is pre-provisioned with @@ -84,21 +75,16 @@ #define PEER_CERT_ID 0x05 - /* Function Declarations */ - -extern int client_loop(const char *peer_ip, const char *peer_name, const char *peer_port, const char *temperature); - +extern int client_loop(const char *peer_ip, const char *peer_name, + const char *peer_port, const char *temperature); #if defined(USE_SECRET_CALLBACK) - -static int Tls13SecretCallback(WOLFSSL* ssl, int id, const unsigned char* secret, int secretSz, void* ctx); - +static int Tls13SecretCallback(WOLFSSL* ssl, int id, const unsigned char* secret, + int secretSz, void* ctx); #endif - /* Function Definitions */ - #if defined(USE_SECRET_CALLBACK) #ifndef WOLFSSL_SSLKEYLOGFILE_OUTPUT @@ -157,12 +143,10 @@ static int Tls13SecretCallback(WOLFSSL* ssl, int id, const unsigned char* secret return 0; } - #endif /* USE_SECRET_CALLBACK */ - - -int client_loop(const char *peer_ip, const char *peer_name, const char *peer_port, const char *temperature) +int client_loop(const char *peer_ip, const char *peer_name, + const char *peer_port, const char *temperature) { int ret = 0; diff --git a/IDE/iotsafe-raspberrypi/main.c b/IDE/iotsafe-raspberrypi/main.c index b0a6b73a4..6c2e308dd 100644 --- a/IDE/iotsafe-raspberrypi/main.c +++ b/IDE/iotsafe-raspberrypi/main.c @@ -1,6 +1,6 @@ /* main.c * - * Copyright (C) 2006-2020 wolfSSL Inc. + * Copyright (C) 2006-2022 wolfSSL Inc. * * This file is part of wolfSSL. (formerly known as CyaSSL) * @@ -24,15 +24,11 @@ */ /* C Standard Library */ - #include #include #include - - /* POSIX Library */ - #include #include #include @@ -40,40 +36,32 @@ #include #include - - /* wolfSSL Library */ - #include #include #include #include #include - - /* Variable Declarations */ - static int serial_fd = -1; /* Function Declarations */ - -extern int client_loop(const char *peer_ip, const char *peer_name, const char *peer_port, const char *temperature); - +extern int client_loop(const char *peer_ip, const char *peer_name, + const char *peer_port, const char *temperature); +#ifdef DEBUG_UART_IO static void print_buffer_hex(const char *buf, int len); static void print_buffer_char(const char *buf, int len); - +#endif static int usart_init(const char *dev_name, int *fd); static int usart_clean(int fd); static int usart_read(char *buf, int len); static int usart_write(const char *buf, int len); - static void show_usage(const char *program); - /* Function Definitions */ - +#ifdef DEBUG_UART_IO static void print_buffer_hex(const char *buf, int len) { for (int i = 0; i < len; i++) @@ -85,6 +73,7 @@ static void print_buffer_char(const char *buf, int len) for (int i = 0; i < len; i++) printf("%c", *(buf++)); } +#endif static int usart_init(const char *dev_name, int *fd) { @@ -131,23 +120,20 @@ static int usart_read(char *buf, int len) int ret = 0; int i = 0; - char c; + char c; memset(buf, 0, len); - - /* Read 1 byte at one time until *buf is full or a POSIX read error like timeout occurs. */ + /* Read 1 byte at one time until *buf is full or a POSIX read error like + * timeout occurs. */ do { ret = read(serial_fd, &c, 1U); - if (ret > 0) - { + if (ret > 0) { buf[i++] = c; if (c == '\n') break; } } while (i < len && ret > 0); - - #ifdef DEBUG_UART_IO printf("UART Read Actual : %d bytes\n", i); @@ -196,7 +182,8 @@ static int usart_write(const char *buf, int len) static void show_usage(const char *program) { printf("\nUsage:\n"); - printf("\t%s -ip SERVER_IP_ADDRESS -h SERVER_HOST_NAME -p PORT_NUMBER -t TEMPERATURE -d DEVICE_FILE_PATH\n", program); + printf("\t%s -ip SERVER_IP_ADDRESS -h SERVER_HOST_NAME -p PORT_NUMBER " + "-t TEMPERATURE -d DEVICE_FILE_PATH\n", program); printf("\n"); printf("\t-ip \n"); printf("\t-h \n"); diff --git a/wolfcrypt/src/port/iotsafe/iotsafe.c b/wolfcrypt/src/port/iotsafe/iotsafe.c index 3b1147a06..d778ae164 100644 --- a/wolfcrypt/src/port/iotsafe/iotsafe.c +++ b/wolfcrypt/src/port/iotsafe/iotsafe.c @@ -1,6 +1,6 @@ /* iotsafe.c * - * Copyright (C) 2006-2021 wolfSSL Inc. + * Copyright (C) 2006-2022 wolfSSL Inc. * * This file is part of wolfSSL. * @@ -241,7 +241,7 @@ static int iotsafe_cmd_add_tlv_ex(char *cmd, byte tag, uint16_t len, char *len_csim_str = (cmd + AT_CSIM_CMD_SIZE - 5); word32 cmdlen; - cmdlen = XSTRLEN(cmd); + cmdlen = (word32)XSTRLEN(cmd); if (cmdlen < AT_CSIM_CMD_SIZE) { return BAD_FUNC_ARG; } From 30777bb5ee36981de19b78a9b4e3bdb0c13af6fc Mon Sep 17 00:00:00 2001 From: Saksik Remy Date: Tue, 11 Jan 2022 10:08:52 +0800 Subject: [PATCH 12/12] nit minor changes --- wolfcrypt/src/port/iotsafe/iotsafe.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/wolfcrypt/src/port/iotsafe/iotsafe.c b/wolfcrypt/src/port/iotsafe/iotsafe.c index d778ae164..d1d0b3492 100644 --- a/wolfcrypt/src/port/iotsafe/iotsafe.c +++ b/wolfcrypt/src/port/iotsafe/iotsafe.c @@ -725,7 +725,7 @@ static int iotsafe_hkdf_extract(byte* prk, const byte* salt, word32 saltLen, { int ret; char *resp; - uint16_t hash_algo = 0; + uint16_t hash_algo = 0; int len; uint16_t hash_algo_be = 0; @@ -765,7 +765,7 @@ static int iotsafe_hkdf_extract(byte* prk, const byte* salt, word32 saltLen, XMEMSET(ikm, 0, len); } - #ifdef DEBUG_IOTSAFE +#ifdef DEBUG_IOTSAFE printf("IOTSAFE PK HKDF Extract\n"); printf("salt: "); for(word32 i = 0; i < saltLen; i++) @@ -776,7 +776,7 @@ static int iotsafe_hkdf_extract(byte* prk, const byte* salt, word32 saltLen, printf("%02X", ikm[i]); printf("\nhash: %d\n", digest); - #endif +#endif hash_algo_be = XHTONS(hash_algo); @@ -1045,7 +1045,6 @@ static int wolfIoT_ecc_keygen(WOLFSSL* ssl, struct ecc_key* key, static int wolfIoT_hkdf_extract(byte* prk, const byte* salt, word32 saltLen, byte* ikm, word32 ikmLen, int digest, void* ctx) { - (void)ctx; int ret; const byte* localSalt; /* either points to user input or tmp */ byte tmp[WC_MAX_DIGEST_SIZE]; /* localSalt helper */ @@ -1054,7 +1053,7 @@ static int wolfIoT_hkdf_extract(byte* prk, const byte* salt, word32 saltLen, localSalt = salt; - if(saltLen == 0) { + if (saltLen == 0) { ret = wc_HmacSizeByType(digest); if (ret < 0) return ret; @@ -1066,6 +1065,7 @@ static int wolfIoT_hkdf_extract(byte* prk, const byte* salt, word32 saltLen, } ret = iotsafe_hkdf_extract(prk, localSalt, saltLen, ikm, ikmLen, digest); + (void)ctx; return ret; } #endif