From c66a21c40a1800a51c8bdcb2871fee0804eecca8 Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Thu, 11 Aug 2022 18:42:05 -0600 Subject: [PATCH] Add Zephyr support for nRF5340 with CryptoCell-312, PSA Crypto fixes (#5418) * PSA: set AES key bits, define PSA_ALG_NONE/PSA_KEY_ID_NULL if needed * Zephyr: add TimeNowInMilliseconds() for tls13.c, clock_settime() for test.c, update CMakeLists.txt * Skip including unistd.h for Zephyr in benchmark.c * Zephyr: update README, add nRF5340dk support to wolfssl_test sample app * Zephyr: add wolfCrypt benchmark sample app * Zephyr: add nRF5340 support to tls_thread sample app * PSA: use specific hash algo with psa_sign/verify_hash() * Zephyr: add support for PSA Crypto API with PK callbacks to wolfssl_tls_threaded sample app * Zephyr: add new files to zephyr/include.am --- src/tls13.c | 8 + wolfcrypt/benchmark/benchmark.c | 4 +- wolfcrypt/src/port/psa/psa_aes.c | 5 +- wolfcrypt/src/port/psa/psa_pkcbs.c | 44 ++++- wolfcrypt/test/test.c | 7 + wolfssl/wolfcrypt/port/psa/psa.h | 7 + zephyr/CMakeLists.txt | 23 ++- zephyr/README.md | 36 +++- zephyr/include.am | 13 ++ zephyr/nrf5340dk_nrf5340_user_settings.h | 133 ++++++++++++++ .../samples/wolfssl_benchmark/CMakeLists.txt | 8 + zephyr/samples/wolfssl_benchmark/README | 12 ++ .../boards/nrf5340dk_nrf5340_cpuapp.conf | 22 +++ .../boards/nrf5340dk_nrf5340_cpuapp_ns.conf | 25 +++ .../samples/wolfssl_benchmark/install_test.sh | 49 +++++ zephyr/samples/wolfssl_benchmark/prj.conf | 29 +++ zephyr/samples/wolfssl_benchmark/sample.yaml | 10 + zephyr/samples/wolfssl_test/CMakeLists.txt | 2 +- .../boards/nrf5340dk_nrf5340_cpuapp.conf | 22 +++ .../boards/nrf5340dk_nrf5340_cpuapp_ns.conf | 25 +++ zephyr/samples/wolfssl_test/prj.conf | 9 +- zephyr/samples/wolfssl_test/sample.yaml | 5 +- .../samples/wolfssl_tls_thread/CMakeLists.txt | 2 +- .../boards/nrf5340dk_nrf5340_cpuapp.conf | 22 +++ .../boards/nrf5340dk_nrf5340_cpuapp_ns.conf | 25 +++ zephyr/samples/wolfssl_tls_thread/prj.conf | 10 +- .../wolfssl_tls_thread/src/tls_threaded.c | 173 ++++++++++++++++-- zephyr/user_settings-tls-generic.h | 12 ++ 28 files changed, 702 insertions(+), 40 deletions(-) create mode 100644 zephyr/nrf5340dk_nrf5340_user_settings.h create mode 100644 zephyr/samples/wolfssl_benchmark/CMakeLists.txt create mode 100644 zephyr/samples/wolfssl_benchmark/README create mode 100644 zephyr/samples/wolfssl_benchmark/boards/nrf5340dk_nrf5340_cpuapp.conf create mode 100644 zephyr/samples/wolfssl_benchmark/boards/nrf5340dk_nrf5340_cpuapp_ns.conf create mode 100755 zephyr/samples/wolfssl_benchmark/install_test.sh create mode 100644 zephyr/samples/wolfssl_benchmark/prj.conf create mode 100644 zephyr/samples/wolfssl_benchmark/sample.yaml create mode 100644 zephyr/samples/wolfssl_test/boards/nrf5340dk_nrf5340_cpuapp.conf create mode 100644 zephyr/samples/wolfssl_test/boards/nrf5340dk_nrf5340_cpuapp_ns.conf create mode 100644 zephyr/samples/wolfssl_tls_thread/boards/nrf5340dk_nrf5340_cpuapp.conf create mode 100644 zephyr/samples/wolfssl_tls_thread/boards/nrf5340dk_nrf5340_cpuapp_ns.conf diff --git a/src/tls13.c b/src/tls13.c index 9f2dd3056..e7730ae82 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -1618,6 +1618,14 @@ end: /* Convert to milliseconds number. */ return (word32)(now.tv_sec * 1000 + now.tv_usec / 1000); } +#elif defined(WOLFSSL_ZEPHYR) + word32 TimeNowInMilliseconds(void) + { + #if defined(CONFIG_ARCH_POSIX) + k_cpu_idle(); + #endif + return (word32)k_uptime_get() / 1000; + } #else /* The time in milliseconds. diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c index 4b7ac2076..19104209f 100644 --- a/wolfcrypt/benchmark/benchmark.c +++ b/wolfcrypt/benchmark/benchmark.c @@ -44,7 +44,9 @@ !defined(NO_ERROR_STRINGS) && !defined(NO_MAIN_DRIVER) && \ !defined(BENCH_EMBEDDED)) #include - #include + #ifndef WOLFSSL_ZEPHYR + #include + #endif #endif /* Macro to disable benchmark */ diff --git a/wolfcrypt/src/port/psa/psa_aes.c b/wolfcrypt/src/port/psa/psa_aes.c index 132a5ca6e..db5822357 100644 --- a/wolfcrypt/src/port/psa/psa_aes.c +++ b/wolfcrypt/src/port/psa/psa_aes.c @@ -52,6 +52,7 @@ static int wc_psa_aes_import_key(Aes *aes, const uint8_t *key, aes->ctx_initialized = 0; psa_set_key_type(&key_attr, PSA_KEY_TYPE_AES); + psa_set_key_bits(&key_attr, key_length * 8); psa_set_key_usage_flags(&key_attr, dir == AES_ENCRYPTION ? PSA_KEY_USAGE_ENCRYPT : dir == AES_DECRYPTION ? PSA_KEY_USAGE_DECRYPT : 0); @@ -125,7 +126,7 @@ int wc_psa_aes_get_key_size(Aes *aes, word32 *keySize) * @dir: direction to use with this key * * - * NOTE: if we don't know for teh mode or the direction (@alg == 0) the key + * NOTE: if we don't know the mode or the direction (@alg == 0) the key * import operation will be delayed until the first wc_psa_aes_encrypt_decrypt() * invocation. In this case the key is temporary stored inside the AES * object. Indeed PSA requires that the mode of operation is already known when @@ -147,7 +148,7 @@ int wc_psa_aes_set_key(Aes *aes, const uint8_t *key, size_t key_length, if (s != PSA_SUCCESS) return WC_HW_E; - aes->ctx_initialized =0; + aes->ctx_initialized = 0; } /* a key was already imported, destroy it first */ diff --git a/wolfcrypt/src/port/psa/psa_pkcbs.c b/wolfcrypt/src/port/psa/psa_pkcbs.c index fdb593ce5..b47989907 100644 --- a/wolfcrypt/src/port/psa/psa_pkcbs.c +++ b/wolfcrypt/src/port/psa/psa_pkcbs.c @@ -255,6 +255,31 @@ static int psa_ecc_shared_secret_cb(WOLFSSL* ssl, struct ecc_key* other_key, return 0; } +/* Map hash length to equivalent psa_algorithm_t type. + * + * hash_len - length of hash + * + * Return psa_algorithm_t representing hash algorithm for hash length, or + * PSA_ALG_NONE if no match. + */ +static int psa_map_hash_alg(int hash_len) +{ + switch (hash_len) { + case 20: + return PSA_ALG_SHA_1; + case 28: + return PSA_ALG_SHA_224; + case 32: + return PSA_ALG_SHA_256; + case 48: + return PSA_ALG_SHA_384; + case 64: + return PSA_ALG_SHA_512; + default: + return PSA_ALG_NONE; + } +} + static int psa_ecc_sign_cb(WOLFSSL* ssl, const unsigned char* input, unsigned int input_length, unsigned char* signature, word32* signature_size, @@ -266,6 +291,7 @@ static int psa_ecc_sign_cb(WOLFSSL* ssl, const unsigned char* input, psa_status_t status; size_t rs_length; word32 point_len; + psa_algorithm_t hash_algo; int ret; (void)ssl; @@ -277,8 +303,11 @@ static int psa_ecc_sign_cb(WOLFSSL* ssl, const unsigned char* input, if (psa_ctx == NULL) return BAD_FUNC_ARG; + /* Get correct hash algorithm that matches input hash length */ + hash_algo = psa_map_hash_alg(input_length); + status = psa_sign_hash(psa_ctx->private_key, - PSA_ALG_ECDSA_ANY, input, + PSA_ALG_ECDSA(hash_algo), input, input_length, rs, sizeof(rs), &rs_length); if (status != PSA_SUCCESS) @@ -294,7 +323,8 @@ static int psa_ecc_sign_cb(WOLFSSL* ssl, const unsigned char* input, } static int psa_ecc_decode_public_key(const uint8_t *key, word32 key_length, - psa_key_id_t *key_id) + psa_key_id_t *key_id, + psa_algorithm_t hash_algo) { uint8_t raw_key[(MAX_ECC_BYTES * 2) + 1]; psa_key_attributes_t attr = { 0 }; @@ -327,7 +357,7 @@ static int psa_ecc_decode_public_key(const uint8_t *key, word32 key_length, psa_set_key_type(&attr, PSA_KEY_TYPE_ECC_PUBLIC_KEY(ecc_curve)); psa_set_key_usage_flags(&attr, PSA_KEY_USAGE_VERIFY_HASH); psa_set_key_bits(&attr, ecc_curve_size * 8); - psa_set_key_algorithm(&attr, PSA_ALG_ECDSA_ANY); + psa_set_key_algorithm(&attr, PSA_ALG_ECDSA(hash_algo)); PSA_LOCK(); status = psa_import_key(&attr, raw_key, raw_key_length, key_id); @@ -354,13 +384,17 @@ static int psa_ecc_verify_cb(WOLFSSL* ssl, const byte* sig, word32 sig_length, psa_key_id_t tmp_key; word32 r_len, s_len; psa_status_t status; + psa_algorithm_t hash_algo; int ret; (void)ssl; (void)ctx; WOLFSSL_ENTER("psa_ecc_verify_cb"); - ret = psa_ecc_decode_public_key(key, key_length, &tmp_key); + /* Get correct hash algorithm that matches input hash length */ + hash_algo = psa_map_hash_alg(hash_length); + + ret = psa_ecc_decode_public_key(key, key_length, &tmp_key, hash_algo); if (ret != 0) return ret; @@ -375,7 +409,7 @@ static int psa_ecc_verify_cb(WOLFSSL* ssl, const byte* sig, word32 sig_length, XMEMCPY(raw_signature + r_len, s, s_len); PSA_LOCK(); - status = psa_verify_hash(tmp_key, PSA_ALG_ECDSA_ANY, hash, + status = psa_verify_hash(tmp_key, PSA_ALG_ECDSA(hash_algo), hash, hash_length, raw_signature, r_len + s_len); PSA_UNLOCK(); diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 12f667240..fdd7e9ce5 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -1537,6 +1537,13 @@ options: [-s max_relative_stack_bytes] [-m max_relative_heap_memory_bytes]\n\ tz.tz_dsttime = 0; os_settimeofday(&utctime, &tz); #endif +#ifdef WOLFSSL_ZEPHYR + /* set dummy wallclock time. */ + struct timespec utctime; + utctime.tv_sec = 1521725159; /* dummy time: 2018-03-22T13:25:59+00:00 */ + utctime.tv_nsec = 0; + clock_settime(CLOCK_REALTIME, &utctime); +#endif #ifdef DEVKITPRO void *framebuffer; GXRModeObj *rmode = NULL; diff --git a/wolfssl/wolfcrypt/port/psa/psa.h b/wolfssl/wolfcrypt/port/psa/psa.h index 539fd99ae..fc6dc7536 100644 --- a/wolfssl/wolfcrypt/port/psa/psa.h +++ b/wolfssl/wolfcrypt/port/psa/psa.h @@ -67,6 +67,13 @@ #include #endif +#ifndef PSA_ALG_NONE + #define PSA_ALG_NONE ((psa_algorithm_t)0) +#endif +#ifndef PSA_KEY_ID_NULL + #define PSA_KEY_ID_NULL ((psa_key_id_t)0) +#endif + #if defined(WOLFSSL_PSA_GLOBAL_LOCK) void PSA_LOCK(void); void PSA_UNLOCK(void); diff --git a/zephyr/CMakeLists.txt b/zephyr/CMakeLists.txt index 6d4e2f305..586d06734 100644 --- a/zephyr/CMakeLists.txt +++ b/zephyr/CMakeLists.txt @@ -16,13 +16,14 @@ if(CONFIG_WOLFSSL) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/zephyr/zephyr_init.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/src/crl.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/src/dtls13.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/src/internal.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/src/keys.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/src/ocsp.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/src/sniffer.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/src/ssl.c) - zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/src/tls13.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/src/tls.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/src/tls13.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/src/wolfio.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/aes.c) @@ -31,26 +32,33 @@ if(CONFIG_WOLFSSL) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/asn.c) #zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/async.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/blake2b.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/blake2s.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/camellia.c) - zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/chacha20_poly1305.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/chacha.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/chacha20_poly1305.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/cmac.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/coding.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/compress.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/cpuid.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/cryptocb.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/curve25519.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/curve448.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/des3.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/dh.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/dsa.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/ecc.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/ecc_fp.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/eccsi.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/ed25519.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/ed448.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/error.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/falcon.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/fe_448.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/fe_low_mem.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/fe_operations.c) #zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/fips.c) #zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/fips_test.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/ge_448.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/ge_low_mem.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/ge_operations.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/hash.c) @@ -70,22 +78,26 @@ if(CONFIG_WOLFSSL) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/random.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/ripemd.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/rsa.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/sakke.c) #zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/selftest.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/sha.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/sha256.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/sha3.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/sha512.c) - zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/sha.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/signature.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/siphash.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/sp_arm32.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/sp_arm64.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/sp_armthumb.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/sp_c32.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/sp_c64.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/sp_cortexm.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/sp_dsp32.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/sp_int.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/sp_x86_64.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/srp.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/tfm.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/wc_dsp.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/wc_encrypt.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/wc_pkcs11.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/wc_port.c) @@ -93,6 +105,11 @@ if(CONFIG_WOLFSSL) #zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/wolfcrypt_last.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/wolfevent.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/wolfmath.c) + + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/port/psa/psa.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/port/psa/psa_aes.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/port/psa/psa_hash.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/port/psa/psa_pkcbs.c) zephyr_library_link_libraries(wolfSSL) diff --git a/zephyr/README.md b/zephyr/README.md index 7aee5ddc1..ec2f0fd1f 100644 --- a/zephyr/README.md +++ b/zephyr/README.md @@ -12,7 +12,9 @@ It provides the following zephyr code. - modules/crypto/wolfssl/zephyr/ - Configuration and CMake files for wolfSSL as a Zephyr module - modules/crypto/wolfssl/zephyr/samples/wolfssl_test - - wolfcrypt unit test application + - wolfCrypt test application +- modules/crypto/wolfssl/zephyr/samples/wolfssl_bench + - wolfCrypt benchmark application - modules/crypto/wolfssl/zephyr/samples/wolfssl_tls_sock - socket based sample of TLS - modules/crypto/wolfssl/zephyr/samples/wolfssl_tls_thread @@ -22,7 +24,7 @@ It provides the following zephyr code. ### Modify your project's west manifest -Add wolfssl as a project: +Add wolfssl as a project to your west.yml: ``` manifest: remotes: @@ -38,17 +40,27 @@ manifest: remote: wolfssl ``` +If you are using the Nordic nRF Connect SDK with Zephyr, the sdk-nrf manifest +file is located at: `vX.X.X/nrf/west.yml`. On OSX the default installation +location for the nRF Connect SDK is at `/opt/nordic/ncs/vX.X.X`. + Update west's modules: ```bash west update ``` -Now west recognizes 'wolfssl' as a module, and will include it's Kconfig and CMakeFiles.txt in the build system. +Now west recognizes 'wolfssl' as a module, and will include it's Kconfig and +CMakeFiles.txt in the build system. -## Build & test +If using the Nordic nRF Connect SDK, to get access to a terminal with west +tool access, open "nRF Connect for Desktop", then "Toolchain Manager", +and finally next to the SDK version you are using click the drop down arrow, +then "Open Terminal". -build and execute wolfssl_test +## Build and Run wolfCrypt Test Application + +build and execute `wolfssl_test` ``` cd [zephyrproject] @@ -56,7 +68,17 @@ west build -p auto -b qemu_x86 modules/crypto/wolfssl/zephyr/samples/wolfssl_tes west build -t run ``` -### Run wolfSSL example wolfssl_tls_sock +## Build and Run wolfCrypt Benchmark Application + +build and execute `wolfssl_benchmark` + +``` +cd [zephyrproject] +west build -p auto -b qemu_x86 modules/crypto/wolfssl/zephyr/samples/wolfssl_benchmark +west build -t run +``` + +### Build and Run wolfSSL example `wolfssl_tls_sock` ``` cd [zephyrproject] @@ -64,7 +86,7 @@ west build -p auto -b qemu_x86 modules/crypto/wolfssl/zephyr/samples/wolfssl_tls west build -t run ``` -### Run wolfSSL example wolfssl_tls_thread +### Build and Run wolfSSL example `wolfssl_tls_thread` ``` cd [zephyrproject] diff --git a/zephyr/include.am b/zephyr/include.am index db4071490..83b69368d 100644 --- a/zephyr/include.am +++ b/zephyr/include.am @@ -8,11 +8,22 @@ EXTRA_DIST+= zephyr/Kconfig.tls-generic EXTRA_DIST+= zephyr/zephyr_init.c EXTRA_DIST+= zephyr/module.yml EXTRA_DIST+= zephyr/wolfssl/options.h +EXTRA_DIST+= zephyr/nrf5340dk_nrf5340_user_settings.h EXTRA_DIST+= zephyr/user_settings.h EXTRA_DIST+= zephyr/user_settings-tls-generic.h EXTRA_DIST+= zephyr/README.md +EXTRA_DIST+= zephyr/samples/wolfssl_benchmark/ +EXTRA_DIST+= zephyr/samples/wolfssl_benchmark/CMakeLists.txt +EXTRA_DIST+= zephyr/samples/wolfssl_benchmark/README +EXTRA_DIST+= zephyr/samples/wolfssl_benchmark/boards/nrf5340dk_nrf5340_cpuapp.conf +EXTRA_DIST+= zephyr/samples/wolfssl_benchmark/boards/nrf5340dk_nrf5340_cpuapp_ns.conf +EXTRA_DIST+= zephyr/samples/wolfssl_benchmark/install_test.sh +EXTRA_DIST+= zephyr/samples/wolfssl_benchmark/prj.conf +EXTRA_DIST+= zephyr/samples/wolfssl_benchmark/sample.yaml EXTRA_DIST+= zephyr/samples/wolfssl_test/CMakeLists.txt EXTRA_DIST+= zephyr/samples/wolfssl_test/README +EXTRA_DIST+= zephyr/samples/wolfssl_test/boards/nrf5340dk_nrf5340_cpuapp.conf +EXTRA_DIST+= zephyr/samples/wolfssl_test/boards/nrf5340dk_nrf5340_cpuapp_ns.conf EXTRA_DIST+= zephyr/samples/wolfssl_test/install_test.sh EXTRA_DIST+= zephyr/samples/wolfssl_test/prj.conf EXTRA_DIST+= zephyr/samples/wolfssl_test/sample.yaml @@ -25,6 +36,8 @@ EXTRA_DIST+= zephyr/samples/wolfssl_tls_sock/src EXTRA_DIST+= zephyr/samples/wolfssl_tls_sock/src/tls_sock.c EXTRA_DIST+= zephyr/samples/wolfssl_tls_thread/CMakeLists.txt EXTRA_DIST+= zephyr/samples/wolfssl_tls_thread/README +EXTRA_DIST+= zephyr/samples/wolfssl_tls_thread/boards/nrf5340dk_nrf5340_cpuapp.conf +EXTRA_DIST+= zephyr/samples/wolfssl_tls_thread/boards/nrf5340dk_nrf5340_cpuapp_ns.conf EXTRA_DIST+= zephyr/samples/wolfssl_tls_thread/install_sample.sh EXTRA_DIST+= zephyr/samples/wolfssl_tls_thread/prj.conf EXTRA_DIST+= zephyr/samples/wolfssl_tls_thread/sample.yaml diff --git a/zephyr/nrf5340dk_nrf5340_user_settings.h b/zephyr/nrf5340dk_nrf5340_user_settings.h new file mode 100644 index 000000000..92deaa425 --- /dev/null +++ b/zephyr/nrf5340dk_nrf5340_user_settings.h @@ -0,0 +1,133 @@ +/* nrf5340dk_nrf5340_user_settings.h + * + * Copyright (C) 2006-2022 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#ifndef WOLFSSL_OPTIONS_H +#define WOLFSSL_OPTIONS_H + + +#ifdef __cplusplus +extern "C" { +#endif + +/* Platform */ +#undef WOLFSSL_ZEPHYR +#define WOLFSSL_ZEPHYR + +#define WOLFSSL_GENERAL_ALIGNMENT 4 +#define SIZEOF_LONG_LONG 8 + +/* Enable PSA Crypto API for CryptoCell 312 crypto use */ +#define WOLFSSL_HAVE_PSA +#define WOLFSSL_PSA_GLOBAL_LOCK + +/* Enable SP Math */ +#define WOLFSSL_SP_MATH +#define WOLFSSL_SP_MATH_ALL +#define WOLFSSL_HAVE_SP_RSA +#define WOLFSSL_HAVE_SP_DH +#define WOLFSSL_HAVE_SP_ECC + +/* Enable SP Math assembly support for ARM32 */ +#define SP_WORD_SIZE 32 +#define WOLFSSL_SP_ASM +#define WOLFSSL_SP_ARM32 +#define WOLFSSL_SP_ARM32_ASM + +/* Crypto */ +#define WC_RSA_BLINDING +#define WC_RSA_PSS +#define WOLFSSL_DH_CONST +#define HAVE_FFDHE_2048 + +#define HAVE_ECC +#define ECC_USER_CURVES +//#define HAVE_ECC192 +//#define HAVE_ECC224 +#undef NO_ECC256 +//#define HAVE_ECC384 +//#define HAVE_ECC521 +#define ECC_SHAMIR +#define ECC_TIMING_RESISTANT + +#define WOLFSSL_AES_DIRECT +#define HAVE_AES_ECB +#define HAVE_AES_CBC +#define HAVE_AESCCM +#define HAVE_AESGCM +#define GCM_TABLE_4BIT + +/* AES-CTR is not working correctly with Nordic PSA Crypto API */ +/* #define WOLFSSL_AES_COUNTER */ + +#define HAVE_CHACHA +#define HAVE_POLY1305 +#define HAVE_ONE_TIME_AUTH + +/* Nordic Security PSA Crypto CryptoCell integration does not support SHA-1 */ +#define NO_SHA +#define WOLFSSL_SHA224 +#define WOLFSSL_SHA384 +#define WOLFSSL_SHA512 +#define WOLFSSL_SHA3 + +#define HAVE_HKDF +#define WOLFSSL_CMAC + +/* Benchmark / Test */ +#define BENCH_EMBEDDED +#define USE_CERT_BUFFERS_256 +#define USE_CERT_BUFFERS_2048 +#define NO_FILESYSTEM + +/* RNG */ +#define HAVE_HASHDRBG + +/* Features */ +#define WOLFSSL_TLS13 +#define WOLFSSL_OLD_PRIME_CHECK +#define HAVE_TLS_EXTENSIONS +#define HAVE_SUPPORTED_CURVES +#define HAVE_EXTENDED_MASTER +#define WOLFSSL_BASE64_ENCODE +#define WC_NO_ASYNC_THREADING + +/* Disable features that require SHA-1 (see note above) */ +#define NO_OLD_TLS +#define NO_DSA + +/* Disable other features (re-enable if needed) */ +#define NO_RC4 +#define NO_PSK +#define NO_MD4 +#define NO_PWDBASED +#define NO_DES3 + +#if defined(CONFIG_WOLFSSL_DEBUG) +#undef DEBUG_WOLFSSL +#define DEBUG_WOLFSSL +#endif + +#ifdef __cplusplus +} +#endif + +#endif /* WOLFSSL_OPTIONS_H */ + diff --git a/zephyr/samples/wolfssl_benchmark/CMakeLists.txt b/zephyr/samples/wolfssl_benchmark/CMakeLists.txt new file mode 100644 index 000000000..1b68e1bfb --- /dev/null +++ b/zephyr/samples/wolfssl_benchmark/CMakeLists.txt @@ -0,0 +1,8 @@ +cmake_minimum_required(VERSION 3.13.1) +find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE}) +project(wolfssl_benchmark) + +target_sources(app PRIVATE ${ZEPHYR_WOLFSSL_MODULE_DIR}/wolfcrypt/benchmark/benchmark.c) +target_include_directories(app PRIVATE ${ZEPHYR_WOLFSSL_MODULE_DIR}/wolfcrypt/benchmark) +target_sources(app PRIVATE ${app_sources}) +add_definitions(-DWOLFSSL_USER_SETTINGS) diff --git a/zephyr/samples/wolfssl_benchmark/README b/zephyr/samples/wolfssl_benchmark/README new file mode 100644 index 000000000..906a6c9ba --- /dev/null +++ b/zephyr/samples/wolfssl_benchmark/README @@ -0,0 +1,12 @@ + +wolfSSL (formerly known as CyaSSL) and wolfCrypt are either licensed for use +under the GPLv2 or a standard commercial license. For our users who cannot use +wolfSSL under GPLv2, a commercial license to wolfSSL and wolfCrypt is available. +Please contact wolfSSL Inc. directly at: + +Email: licensing@wolfssl.com +Phone: +1 425 245-8247 + +More information can be found on the wolfSSL website at www.wolfssl.com. + + diff --git a/zephyr/samples/wolfssl_benchmark/boards/nrf5340dk_nrf5340_cpuapp.conf b/zephyr/samples/wolfssl_benchmark/boards/nrf5340dk_nrf5340_cpuapp.conf new file mode 100644 index 000000000..b651b7b88 --- /dev/null +++ b/zephyr/samples/wolfssl_benchmark/boards/nrf5340dk_nrf5340_cpuapp.conf @@ -0,0 +1,22 @@ +# Set user_settings.h file to be used for native wolfSSL build settings +CONFIG_WOLFSSL_SETTINGS_FILE="nrf5340dk_nrf5340_user_settings.h" + +##### PSA and CC3XX ##### +# Enable Nordic Security Module +CONFIG_NRF_SECURITY=y +CONFIG_ENTROPY_DEVICE_RANDOM_GENERATOR=y +# Enable PSA API support (comes from mbedTLS) +CONFIG_MBEDTLS_PSA_CRYPTO_C=y +# Enable/configure mbedTLS heap +CONFIG_MBEDTLS_ENABLE_HEAP=y +CONFIG_MBEDTLS_HEAP_SIZE=8192 +# Disable nrf_oberon crypto library PSA backend +CONFIG_PSA_CRYPTO_DRIVER_OBERON=n +# Enable ARM CryptoCell cc3xx driver PSA backend +CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y + +##### Logging ##### +CONFIG_USE_SEGGER_RTT=y +CONFIG_LOG_BACKEND_RTT=y +CONFIG_SEGGER_RTT_BUFFER_SIZE_UP=15360 + diff --git a/zephyr/samples/wolfssl_benchmark/boards/nrf5340dk_nrf5340_cpuapp_ns.conf b/zephyr/samples/wolfssl_benchmark/boards/nrf5340dk_nrf5340_cpuapp_ns.conf new file mode 100644 index 000000000..a0e205215 --- /dev/null +++ b/zephyr/samples/wolfssl_benchmark/boards/nrf5340dk_nrf5340_cpuapp_ns.conf @@ -0,0 +1,25 @@ +CONFIG_BUILD_WITH_TFM=y +CONFIG_TFM_PROFILE_TYPE_NOT_SET=y + +# Set user_settings.h file to be used for native wolfSSL build settings +CONFIG_WOLFSSL_SETTINGS_FILE="nrf5340dk_nrf5340_user_settings.h" + +##### PSA and CC3XX ##### +# Enable Nordic Security Module +CONFIG_NRF_SECURITY=y +CONFIG_ENTROPY_DEVICE_RANDOM_GENERATOR=y +# Enable PSA API support (comes from mbedTLS) +CONFIG_MBEDTLS_PSA_CRYPTO_C=y +# Enable/configure mbedTLS heap +CONFIG_MBEDTLS_ENABLE_HEAP=y +CONFIG_MBEDTLS_HEAP_SIZE=8192 +# Disable nrf_oberon crypto library PSA backend +CONFIG_PSA_CRYPTO_DRIVER_OBERON=n +# Enable ARM CryptoCell cc3xx driver PSA backend +CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y + +##### Logging ##### +CONFIG_USE_SEGGER_RTT=y +CONFIG_LOG_BACKEND_RTT=y +CONFIG_SEGGER_RTT_BUFFER_SIZE_UP=15360 + diff --git a/zephyr/samples/wolfssl_benchmark/install_test.sh b/zephyr/samples/wolfssl_benchmark/install_test.sh new file mode 100755 index 000000000..fff8da420 --- /dev/null +++ b/zephyr/samples/wolfssl_benchmark/install_test.sh @@ -0,0 +1,49 @@ +#!/bin/sh + +WOLFSSL_SRC_DIR=../../.. + +if [ ! -d $WOLFSSL_SRC_DIR ]; then + echo "Directory does not exist: $WOLFSSL_SRC_DIR" + exit 1 +fi +if [ ! -f $WOLFSSL_SRC_DIR/wolfcrypt/benchmark/benchmark.c ]; then + echo "Missing source file: $WOLFSSL_SRC_DIR/wolfcrypt/benchmark/benchmark.h" + exit 1 +fi + +ZEPHYR_DIR= +if [ $# -ne 1 ]; then + echo "Need location of zephyr project as a command line argument" + exit 1 +else + ZEPHYR_DIR=$1 +fi +if [ ! -d $ZEPHR_DIR ]; then + echo "Zephyr project directory does not exist: $ZEPHYR_DIR" + exit 1 +fi +ZEPHYR_SAMPLES_DIR=$ZEPHYR_DIR/zephyr/samples/modules +if [ ! -d $ZEPHYR_SAMPLES_DIR ]; then + echo "Zephyr samples/modules directory does not exist: $ZEPHYR_SAMPLES_DIR" + exit 1 +fi +ZEPHYR_WOLFSSL_DIR=$ZEPHYR_SAMPLES_DIR/wolfssl_benchmark + +echo "wolfSSL directory:" +echo " $ZEPHYR_WOLFSSL_DIR" +rm -rf $ZEPHYR_WOLFSSL_DIR +mkdir $ZEPHYR_WOLFSSL_DIR + +echo "Copy in Build files ..." +cp -r * $ZEPHYR_WOLFSSL_DIR/ +rm $ZEPHYR_WOLFSSL_DIR/$0 + +echo "Copy Source Code ..." +rm -rf $ZEPHYR_WOLFSSL_DIR/src +mkdir $ZEPHYR_WOLFSSL_DIR/src + +cp -rf ${WOLFSSL_SRC_DIR}/wolfcrypt/benchmark/benchmark.c $ZEPHYR_WOLFSSL_DIR/src/ +cp -rf ${WOLFSSL_SRC_DIR}/wolfcrypt/benchmark/benchmark.h $ZEPHYR_WOLFSSL_DIR/src/ + +echo "Done" + diff --git a/zephyr/samples/wolfssl_benchmark/prj.conf b/zephyr/samples/wolfssl_benchmark/prj.conf new file mode 100644 index 000000000..4dd23691f --- /dev/null +++ b/zephyr/samples/wolfssl_benchmark/prj.conf @@ -0,0 +1,29 @@ + +# Configure stack and heap sizes +CONFIG_MAIN_STACK_SIZE=32768 +CONFIG_MINIMAL_LIBC_MALLOC_ARENA_SIZE=16384 + +# Clock for time() +CONFIG_POSIX_CLOCK=y + +# TLS configuration +CONFIG_WOLFSSL=y +CONFIG_WOLFSSL_BUILTIN=y + +# Floating Point +CONFIG_FPU=y + +# Logging +CONFIG_PRINTK=y +CONFIG_CBPRINTF_LIBC_SUBSTS=y +CONFIG_CBPRINTF_FP_SUPPORT=y +CONFIG_CONSOLE=y +CONFIG_LOG=y +CONFIG_LOG_BACKEND_UART=y +CONFIG_LOG_BUFFER_SIZE=15360 +#CONFIG_WOLFSSL_DEBUG=y + +# Entropy +CONFIG_ENTROPY_GENERATOR=y +CONFIG_ENTROPY_DEVICE_RANDOM_GENERATOR=y + diff --git a/zephyr/samples/wolfssl_benchmark/sample.yaml b/zephyr/samples/wolfssl_benchmark/sample.yaml new file mode 100644 index 000000000..8b45f1788 --- /dev/null +++ b/zephyr/samples/wolfssl_benchmark/sample.yaml @@ -0,0 +1,10 @@ +sample: + description: wolfCrypt benchmark sample app + name: wolfCrypt benchmark +common: + min_flash: 65 + min_ram: 36 + tags: crypto wolfssl userspace random +tests: + crypto.wolfssl_benchmark: + platform_allow: qemu_x86 nrf5340dk_nrf5340_cpuapp_ns nrf5340dk_nrf5340_cpuapp diff --git a/zephyr/samples/wolfssl_test/CMakeLists.txt b/zephyr/samples/wolfssl_test/CMakeLists.txt index 1206b47dc..bae4c1654 100644 --- a/zephyr/samples/wolfssl_test/CMakeLists.txt +++ b/zephyr/samples/wolfssl_test/CMakeLists.txt @@ -1,5 +1,5 @@ cmake_minimum_required(VERSION 3.13.1) -include($ENV{ZEPHYR_BASE}/cmake/app/boilerplate.cmake NO_POLICY_SCOPE) +find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE}) project(wolfssl_test) target_sources(app PRIVATE ${ZEPHYR_WOLFSSL_MODULE_DIR}/wolfcrypt/test/test.c) diff --git a/zephyr/samples/wolfssl_test/boards/nrf5340dk_nrf5340_cpuapp.conf b/zephyr/samples/wolfssl_test/boards/nrf5340dk_nrf5340_cpuapp.conf new file mode 100644 index 000000000..b651b7b88 --- /dev/null +++ b/zephyr/samples/wolfssl_test/boards/nrf5340dk_nrf5340_cpuapp.conf @@ -0,0 +1,22 @@ +# Set user_settings.h file to be used for native wolfSSL build settings +CONFIG_WOLFSSL_SETTINGS_FILE="nrf5340dk_nrf5340_user_settings.h" + +##### PSA and CC3XX ##### +# Enable Nordic Security Module +CONFIG_NRF_SECURITY=y +CONFIG_ENTROPY_DEVICE_RANDOM_GENERATOR=y +# Enable PSA API support (comes from mbedTLS) +CONFIG_MBEDTLS_PSA_CRYPTO_C=y +# Enable/configure mbedTLS heap +CONFIG_MBEDTLS_ENABLE_HEAP=y +CONFIG_MBEDTLS_HEAP_SIZE=8192 +# Disable nrf_oberon crypto library PSA backend +CONFIG_PSA_CRYPTO_DRIVER_OBERON=n +# Enable ARM CryptoCell cc3xx driver PSA backend +CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y + +##### Logging ##### +CONFIG_USE_SEGGER_RTT=y +CONFIG_LOG_BACKEND_RTT=y +CONFIG_SEGGER_RTT_BUFFER_SIZE_UP=15360 + diff --git a/zephyr/samples/wolfssl_test/boards/nrf5340dk_nrf5340_cpuapp_ns.conf b/zephyr/samples/wolfssl_test/boards/nrf5340dk_nrf5340_cpuapp_ns.conf new file mode 100644 index 000000000..a0e205215 --- /dev/null +++ b/zephyr/samples/wolfssl_test/boards/nrf5340dk_nrf5340_cpuapp_ns.conf @@ -0,0 +1,25 @@ +CONFIG_BUILD_WITH_TFM=y +CONFIG_TFM_PROFILE_TYPE_NOT_SET=y + +# Set user_settings.h file to be used for native wolfSSL build settings +CONFIG_WOLFSSL_SETTINGS_FILE="nrf5340dk_nrf5340_user_settings.h" + +##### PSA and CC3XX ##### +# Enable Nordic Security Module +CONFIG_NRF_SECURITY=y +CONFIG_ENTROPY_DEVICE_RANDOM_GENERATOR=y +# Enable PSA API support (comes from mbedTLS) +CONFIG_MBEDTLS_PSA_CRYPTO_C=y +# Enable/configure mbedTLS heap +CONFIG_MBEDTLS_ENABLE_HEAP=y +CONFIG_MBEDTLS_HEAP_SIZE=8192 +# Disable nrf_oberon crypto library PSA backend +CONFIG_PSA_CRYPTO_DRIVER_OBERON=n +# Enable ARM CryptoCell cc3xx driver PSA backend +CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y + +##### Logging ##### +CONFIG_USE_SEGGER_RTT=y +CONFIG_LOG_BACKEND_RTT=y +CONFIG_SEGGER_RTT_BUFFER_SIZE_UP=15360 + diff --git a/zephyr/samples/wolfssl_test/prj.conf b/zephyr/samples/wolfssl_test/prj.conf index 237e02e78..624674315 100644 --- a/zephyr/samples/wolfssl_test/prj.conf +++ b/zephyr/samples/wolfssl_test/prj.conf @@ -1,4 +1,5 @@ +# Configure stack and heap sizes CONFIG_MAIN_STACK_SIZE=32768 CONFIG_MINIMAL_LIBC_MALLOC_ARENA_SIZE=16384 @@ -11,7 +12,13 @@ CONFIG_WOLFSSL_BUILTIN=y # Logging CONFIG_PRINTK=y -CONFIG_WOLFSSL_DEBUG=y +CONFIG_CBPRINTF_LIBC_SUBSTS=y +CONFIG_CBPRINTF_FP_SUPPORT=y +CONFIG_CONSOLE=y +CONFIG_LOG=y +CONFIG_LOG_BACKEND_UART=y +CONFIG_LOG_BUFFER_SIZE=15360 +#CONFIG_WOLFSSL_DEBUG=y # Entropy CONFIG_ENTROPY_GENERATOR=y diff --git a/zephyr/samples/wolfssl_test/sample.yaml b/zephyr/samples/wolfssl_test/sample.yaml index 8fe585eb1..72069ff6c 100644 --- a/zephyr/samples/wolfssl_test/sample.yaml +++ b/zephyr/samples/wolfssl_test/sample.yaml @@ -1,7 +1,10 @@ +sample: + description: wolfCrypt test sample app + name: wolfCrypt test common: min_flash: 65 min_ram: 36 tags: crypto wolfssl userspace random tests: crypto.wolfssl_test: - platform_whitelist: qemu_x86 + platform_allow: qemu_x86 nrf5340dk_nrf5340_cpuapp_ns nrf5340dk_nrf5340_cpuapp diff --git a/zephyr/samples/wolfssl_tls_thread/CMakeLists.txt b/zephyr/samples/wolfssl_tls_thread/CMakeLists.txt index 512a0006f..55c2199ec 100644 --- a/zephyr/samples/wolfssl_tls_thread/CMakeLists.txt +++ b/zephyr/samples/wolfssl_tls_thread/CMakeLists.txt @@ -1,5 +1,5 @@ cmake_minimum_required(VERSION 3.13.1) -include($ENV{ZEPHYR_BASE}/cmake/app/boilerplate.cmake NO_POLICY_SCOPE) +find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE}) project(wolfssl_tls_threaded) FILE(GLOB app_sources src/*.c) diff --git a/zephyr/samples/wolfssl_tls_thread/boards/nrf5340dk_nrf5340_cpuapp.conf b/zephyr/samples/wolfssl_tls_thread/boards/nrf5340dk_nrf5340_cpuapp.conf new file mode 100644 index 000000000..b651b7b88 --- /dev/null +++ b/zephyr/samples/wolfssl_tls_thread/boards/nrf5340dk_nrf5340_cpuapp.conf @@ -0,0 +1,22 @@ +# Set user_settings.h file to be used for native wolfSSL build settings +CONFIG_WOLFSSL_SETTINGS_FILE="nrf5340dk_nrf5340_user_settings.h" + +##### PSA and CC3XX ##### +# Enable Nordic Security Module +CONFIG_NRF_SECURITY=y +CONFIG_ENTROPY_DEVICE_RANDOM_GENERATOR=y +# Enable PSA API support (comes from mbedTLS) +CONFIG_MBEDTLS_PSA_CRYPTO_C=y +# Enable/configure mbedTLS heap +CONFIG_MBEDTLS_ENABLE_HEAP=y +CONFIG_MBEDTLS_HEAP_SIZE=8192 +# Disable nrf_oberon crypto library PSA backend +CONFIG_PSA_CRYPTO_DRIVER_OBERON=n +# Enable ARM CryptoCell cc3xx driver PSA backend +CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y + +##### Logging ##### +CONFIG_USE_SEGGER_RTT=y +CONFIG_LOG_BACKEND_RTT=y +CONFIG_SEGGER_RTT_BUFFER_SIZE_UP=15360 + diff --git a/zephyr/samples/wolfssl_tls_thread/boards/nrf5340dk_nrf5340_cpuapp_ns.conf b/zephyr/samples/wolfssl_tls_thread/boards/nrf5340dk_nrf5340_cpuapp_ns.conf new file mode 100644 index 000000000..a0e205215 --- /dev/null +++ b/zephyr/samples/wolfssl_tls_thread/boards/nrf5340dk_nrf5340_cpuapp_ns.conf @@ -0,0 +1,25 @@ +CONFIG_BUILD_WITH_TFM=y +CONFIG_TFM_PROFILE_TYPE_NOT_SET=y + +# Set user_settings.h file to be used for native wolfSSL build settings +CONFIG_WOLFSSL_SETTINGS_FILE="nrf5340dk_nrf5340_user_settings.h" + +##### PSA and CC3XX ##### +# Enable Nordic Security Module +CONFIG_NRF_SECURITY=y +CONFIG_ENTROPY_DEVICE_RANDOM_GENERATOR=y +# Enable PSA API support (comes from mbedTLS) +CONFIG_MBEDTLS_PSA_CRYPTO_C=y +# Enable/configure mbedTLS heap +CONFIG_MBEDTLS_ENABLE_HEAP=y +CONFIG_MBEDTLS_HEAP_SIZE=8192 +# Disable nrf_oberon crypto library PSA backend +CONFIG_PSA_CRYPTO_DRIVER_OBERON=n +# Enable ARM CryptoCell cc3xx driver PSA backend +CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y + +##### Logging ##### +CONFIG_USE_SEGGER_RTT=y +CONFIG_LOG_BACKEND_RTT=y +CONFIG_SEGGER_RTT_BUFFER_SIZE_UP=15360 + diff --git a/zephyr/samples/wolfssl_tls_thread/prj.conf b/zephyr/samples/wolfssl_tls_thread/prj.conf index d8fef5270..5cf80edf3 100644 --- a/zephyr/samples/wolfssl_tls_thread/prj.conf +++ b/zephyr/samples/wolfssl_tls_thread/prj.conf @@ -2,7 +2,7 @@ CONFIG_MAIN_STACK_SIZE=16384 CONFIG_ENTROPY_GENERATOR=y CONFIG_INIT_STACKS=y -CONFIG_MINIMAL_LIBC_MALLOC_ARENA_SIZE=8192 +CONFIG_MINIMAL_LIBC_MALLOC_ARENA_SIZE=65536 # Clock for time() CONFIG_POSIX_CLOCK=y @@ -10,14 +10,20 @@ CONFIG_POSIX_CLOCK=y # Networking CONFIG_NETWORKING=y CONFIG_NET_TEST=y -CONFIG_NET_LOOPBACK=y CONFIG_NET_IPV4=y CONFIG_NET_IPV6=y CONFIG_NET_SOCKETS=y CONFIG_DNS_RESOLVER=y # Logging +# Enable logging using RTT and UART CONFIG_PRINTK=y +CONFIG_CBPRINTF_LIBC_SUBSTS=y +CONFIG_CBPRINTF_FP_SUPPORT=y +CONFIG_CONSOLE=y +CONFIG_LOG=y +CONFIG_LOG_BACKEND_UART=y +CONFIG_LOG_BUFFER_SIZE=15360 #CONFIG_WOLFSSL_DEBUG=y # TLS configuration diff --git a/zephyr/samples/wolfssl_tls_thread/src/tls_threaded.c b/zephyr/samples/wolfssl_tls_thread/src/tls_threaded.c index 9516850fa..a03d515dd 100644 --- a/zephyr/samples/wolfssl_tls_thread/src/tls_threaded.c +++ b/zephyr/samples/wolfssl_tls_thread/src/tls_threaded.c @@ -19,9 +19,12 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ -#include +#ifndef WOLFSSL_USER_SETTINGS + #include +#endif +#include #include -#define USE_CERT_BUFFERS_2048 +#define USE_CERT_BUFFERS_256 #include #include @@ -29,9 +32,19 @@ #define printf printk #endif +/* wolfSSL PSA Crypto API integration with ECDH/ECDSA currently requires + * use of wolfSSL Public Key (PK) callbacks. + * + * PSA Crypto API integration for this sample was tested on a + * Nordic nRF5340dk. + */ +#if defined(WOLFSSL_HAVE_PSA) && defined(HAVE_PK_CALLBACKS) + #include +#endif + #define BUFFER_SIZE 2048 #define STATIC_MEM_SIZE (96*1024) -#define THREAD_STACK_SIZE (12*1024) +#define THREAD_STACK_SIZE (13*1024) /* The stack to use in the server's thread. */ K_THREAD_STACK_DEFINE(server_stack, THREAD_STACK_SIZE); @@ -57,6 +70,13 @@ unsigned char server_buffer[BUFFER_SIZE]; int server_buffer_sz = 0; wolfSSL_Mutex server_mutex; +#if defined(WOLFSSL_HAVE_PSA) && defined(HAVE_PK_CALLBACKS) +static struct psa_ssl_ctx server_psa_ctx; +static struct psa_ssl_ctx client_psa_ctx; +/* psa_key_id_t representing server key loaded into PSA Crypto API */ +static psa_key_id_t ecc_key_id; +#endif + /* Application data to send. */ static const char msgHTTPGet[] = "GET /index.html HTTP/1.0\r\n\r\n"; static const char msgHTTPIndex[] = @@ -161,7 +181,7 @@ static int wolfssl_client_new(WOLFSSL_CTX** ctx, WOLFSSL** ssl) WOLFSSL* client_ssl = NULL; /* Create and initialize WOLFSSL_CTX */ - if ((client_ctx = wolfSSL_CTX_new_ex(wolfTLSv1_2_client_method(), + if ((client_ctx = wolfSSL_CTX_new_ex(wolfTLSv1_3_client_method(), HEAP_HINT_CLIENT)) == NULL) { printf("ERROR: failed to create WOLFSSL_CTX\n"); ret = -1; @@ -169,14 +189,23 @@ static int wolfssl_client_new(WOLFSSL_CTX** ctx, WOLFSSL** ssl) if (ret == 0) { /* Load client certificates into WOLFSSL_CTX */ - if (wolfSSL_CTX_load_verify_buffer(client_ctx, ca_cert_der_2048, - sizeof_ca_cert_der_2048, WOLFSSL_FILETYPE_ASN1) != + if (wolfSSL_CTX_load_verify_buffer(client_ctx, ca_ecc_cert_der_256, + sizeof_ca_ecc_cert_der_256, WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) { printf("ERROR: failed to load CA certificate\n"); ret = -1; } } +#if defined(WOLFSSL_HAVE_PSA) && defined(HAVE_PK_CALLBACKS) + if (ret == 0) { + if (wolfSSL_CTX_psa_enable(client_ctx) != WOLFSSL_SUCCESS) { + printf("ERROR: failed to enable PSA Crypto API for WOLFSSL_CTX\n"); + ret = -1; + } + } +#endif + if (ret == 0) { /* Register callbacks */ wolfSSL_SetIORecv(client_ctx, recv_client); @@ -189,6 +218,16 @@ static int wolfssl_client_new(WOLFSSL_CTX** ctx, WOLFSSL** ssl) } } +#if defined(WOLFSSL_HAVE_PSA) && defined(HAVE_PK_CALLBACKS) + if (ret == 0) { + XMEMSET(&client_psa_ctx, 0, sizeof(client_psa_ctx)); + if (wolfSSL_set_psa_ctx(client_ssl, &client_psa_ctx) != WOLFSSL_SUCCESS) { + printf("ERROR: wolfSSL_set_psa_ctx() failed\n"); + ret = -1; + } + } +#endif + if (ret == 0) { /* make wolfSSL object nonblocking */ wolfSSL_set_using_nonblock(client_ssl, 1); @@ -198,8 +237,12 @@ static int wolfssl_client_new(WOLFSSL_CTX** ctx, WOLFSSL** ssl) *ssl = client_ssl; } else { - if (client_ssl != NULL) + if (client_ssl != NULL) { +#if defined(WOLFSSL_HAVE_PSA) && defined(HAVE_PK_CALLBACKS) + wolfSSL_free_psa_ctx(&client_psa_ctx); +#endif wolfSSL_free(client_ssl); + } if (client_ctx != NULL) wolfSSL_CTX_free(client_ctx); } @@ -220,7 +263,49 @@ static int wolfssl_client_connect(WOLFSSL* ssl) return ret; } +#if defined(WOLFSSL_HAVE_PSA) && defined(HAVE_PK_CALLBACKS) +/* ./certs/ecc-key.pem */ +static const unsigned char ecc_key_256[] = +{ + 0x45, 0xB6, 0x69, 0x02, 0x73, 0x9C, 0x6C, 0x85, 0xA1, 0x38, + 0x5B, 0x72, 0xE8, 0xE8, 0xC7, 0xAC, 0xC4, 0x03, 0x8D, 0x53, + 0x35, 0x04, 0xFA, 0x6C, 0x28, 0xDC, 0x34, 0x8D, 0xE1, 0xA8, + 0x09, 0x8C +}; + +/* Provision server private key using PSA Crypto API. + * + * key_id - resulting psa_key_id_t + * + * Returns - 0 on success, negative on error + */ +static int psa_private_key_provisioning(psa_key_id_t *key_id) +{ + psa_key_attributes_t key_attr = { 0 }; + psa_key_type_t key_type; + psa_status_t status; + + key_type = PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1); + + psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_SIGN_HASH); + psa_set_key_lifetime(&key_attr, PSA_KEY_LIFETIME_VOLATILE); + psa_set_key_algorithm(&key_attr, PSA_ALG_ECDSA(PSA_ALG_SHA_256)); + psa_set_key_type(&key_attr, key_type); + psa_set_key_bits(&key_attr, 256); + + status = psa_import_key(&key_attr, ecc_key_256, + sizeof(ecc_key_256), key_id); + + if (status != PSA_SUCCESS) { + printf("ERROR: provisioning of private key failed: [%d] \n", status); + return -1; + } + + return 0; +} + +#endif /* WOLFSSL_HAVE_PSA & HAVE_PK_CALLBACKS */ /* Create a new wolfSSL server with a certificate for authentication. */ static int wolfssl_server_new(WOLFSSL_CTX** ctx, WOLFSSL** ssl) @@ -229,32 +314,57 @@ static int wolfssl_server_new(WOLFSSL_CTX** ctx, WOLFSSL** ssl) WOLFSSL_CTX* server_ctx = NULL; WOLFSSL* server_ssl = NULL; - /* Create and initialize WOLFSSL_CTX */ - if ((server_ctx = wolfSSL_CTX_new_ex(wolfTLSv1_2_server_method(), - HEAP_HINT_SERVER)) == NULL) { - printf("ERROR: failed to create WOLFSSL_CTX\n"); +#if defined(WOLFSSL_HAVE_PSA) && defined(HAVE_PK_CALLBACKS) + /* Provision ECC private key with PSA Crypto API */ + if (psa_private_key_provisioning(&ecc_key_id) != 0) { + printf("ERROR: failed to provision PSA private key\n"); ret = -1; } + if (ret == 0) { + XMEMSET(&server_psa_ctx, 0, sizeof(server_psa_ctx)); + wolfSSL_psa_set_private_key_id(&server_psa_ctx, ecc_key_id); + } +#endif + + if (ret == 0) { + /* Create and initialize WOLFSSL_CTX */ + if ((server_ctx = wolfSSL_CTX_new_ex(wolfTLSv1_3_server_method(), + HEAP_HINT_SERVER)) == NULL) { + printf("ERROR: failed to create WOLFSSL_CTX\n"); + ret = -1; + } + } + if (ret == 0) { /* Load client certificates into WOLFSSL_CTX */ if (wolfSSL_CTX_use_certificate_buffer(server_ctx, - server_cert_der_2048, sizeof_server_cert_der_2048, + serv_ecc_der_256, sizeof_serv_ecc_der_256, WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) { printf("ERROR: failed to load server certificate\n"); ret = -1; } } +#if !defined(WOLFSSL_HAVE_PSA) || \ + (defined(WOLFSSL_HAVE_PSA) && !defined(HAVE_PK_CALLBACKS)) if (ret == 0) { /* Load client certificates into WOLFSSL_CTX */ if (wolfSSL_CTX_use_PrivateKey_buffer(server_ctx, - server_key_der_2048, sizeof_server_key_der_2048, + ecc_key_der_256, sizeof_ecc_key_der_256, WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) { printf("ERROR: failed to load server key\n"); ret = -1; } } +#else + if (ret == 0) { + if (wolfSSL_CTX_psa_enable(server_ctx) != WOLFSSL_SUCCESS) { + printf("ERROR: failed to enable PSA\n"); + ret = -1; + } + } +#endif /* WOLFSSL_HAVE_PSA */ if (ret == 0) { /* Register callbacks */ @@ -268,6 +378,16 @@ static int wolfssl_server_new(WOLFSSL_CTX** ctx, WOLFSSL** ssl) } } +#if defined(WOLFSSL_HAVE_PSA) && defined(HAVE_PK_CALLBACKS) + if (ret == 0) { + if (wolfSSL_set_psa_ctx(server_ssl, &server_psa_ctx) + != WOLFSSL_SUCCESS) { + printf("ERROR: failed to enable PSA in WOLFSSL struct\n"); + ret = -1; + } + } +#endif + if (ret == 0) { /* make wolfSSL object nonblocking */ wolfSSL_set_using_nonblock(server_ssl, 1); @@ -277,8 +397,12 @@ static int wolfssl_server_new(WOLFSSL_CTX** ctx, WOLFSSL** ssl) *ssl = server_ssl; } else { - if (server_ssl != NULL) + if (server_ssl != NULL) { +#if defined(WOLFSSL_HAVE_PSA) && defined(HAVE_PK_CALLBACKS) + wolfSSL_free_psa_ctx(&server_psa_ctx); +#endif wolfSSL_free(server_ssl); + } if (server_ctx != NULL) wolfSSL_CTX_free(server_ctx); } @@ -390,7 +514,6 @@ void server_thread(void* arg1, void* arg2, void* arg3) WOLFSSL_CTX* server_ctx = NULL; WOLFSSL* server_ssl = NULL; - #ifdef WOLFSSL_STATIC_MEMORY if (wc_LoadStaticMemory(&HEAP_HINT_SERVER, gMemoryServer, sizeof(gMemoryServer), @@ -425,6 +548,12 @@ void server_thread(void* arg1, void* arg2, void* arg3) printf("Server Memory Stats\n"); #endif wolfssl_memstats(server_ssl); + +#if defined(WOLFSSL_HAVE_PSA) && defined(HAVE_PK_CALLBACKS) + if (server_ssl != NULL) { + wolfSSL_free_psa_ctx(&server_psa_ctx); + } +#endif wolfssl_free(server_ctx, server_ssl); } @@ -433,7 +562,13 @@ int main() int ret = 0; WOLFSSL_CTX* client_ctx = NULL; WOLFSSL* client_ssl = NULL; - THREAD_TYPE serverThread; + THREAD_TYPE serverThread; + + /* set dummy wallclock time for cert validation without NTP/etc */ + struct timespec utctime; + utctime.tv_sec = 1658510212; /* Friday, July 22, 2022 5:16:52 PM GMT */ + utctime.tv_nsec = 0; + clock_settime(CLOCK_REALTIME, &utctime); wolfSSL_Init(); #ifdef DEBUG_WOLFSSL @@ -490,6 +625,12 @@ int main() printf("Client Memory Stats\n"); #endif wolfssl_memstats(client_ssl); + +#if defined(WOLFSSL_HAVE_PSA) && defined(HAVE_PK_CALLBACKS) + if (client_ssl != NULL) { + wolfSSL_free_psa_ctx(&client_psa_ctx); + } +#endif wolfssl_free(client_ctx, client_ssl); wolfSSL_Cleanup(); diff --git a/zephyr/user_settings-tls-generic.h b/zephyr/user_settings-tls-generic.h index d73e6edf3..4f0a5846a 100644 --- a/zephyr/user_settings-tls-generic.h +++ b/zephyr/user_settings-tls-generic.h @@ -126,6 +126,18 @@ extern "C" { #undef WOLFSSL_STATIC_MEMORY #define WOLFSSL_STATIC_MEMORY +#undef WOLFSSL_TLS13 +#define WOLFSSL_TLS13 + +#undef HAVE_HKDF +#define HAVE_HKDF + +#undef WC_RSA_PSS +#define WC_RSA_PSS + +#undef HAVE_FFDHE_2048 +#define HAVE_FFDHE_2048 + #if 0 #undef WOLFSSL_HAVE_SP_RSA #define WOLFSSL_HAVE_SP_RSA