diff --git a/IDE/iotsafe-raspberrypi/README.md b/IDE/iotsafe-raspberrypi/README.md index 23708f31e..286ac5537 100644 --- a/IDE/iotsafe-raspberrypi/README.md +++ b/IDE/iotsafe-raspberrypi/README.md @@ -108,16 +108,18 @@ wolfSSL_iotsafe_on(ssl, PRIVKEY_ID, ECDH_KEYPAIR_ID, PEER_PUBKEY_ID, PEER_CERT_I First, user needs to build wolfSSL with the following options: ``` -./configure --enable-tls13 --enable-pkcallbacks --enable-debug --enable-iotsafe --enable-hkdf +./configure CFLAGS="-DWOLFSSL_TRUST_PEER_CERT" --enable-tls13 --enable-pkcallbacks --enable-debug --enable-iotsafe --enable-hkdf ``` Additionally, user can pass `CFLAGS="-DDEBUG_WOLFSSL -DWOLFSSL_DEBUG_TLS -DDEBUG_IOTSAFE"` if more debugging information is to be used. This can clutter the demo stdout more than `--enable-debug` does, but this is very useful to see the overall TLS 1.3 handshaking process with IoT-SAFE. Hence, the full wolfSSL build for the demo is: ``` -./configure CFLAGS="-DDEBUG_WOLFSSL -DWOLFSSL_DEBUG_TLS -DDEBUG_IOTSAFE" --enable-tls13 --enable-pkcallbacks --enable-debug --enable-iotsafe +./configure CFLAGS="-DWOLFSSL_TRUST_PEER_CERT -DDEBUG_WOLFSSL -DWOLFSSL_DEBUG_TLS -DDEBUG_IOTSAFE" --enable-tls13 --enable-pkcallbacks --enable-debug --enable-iotsafe ``` +`-DWOLFSSL_TRUST_PEER_CERT` is needed for `wolfSSL_CTX_trust_peer_buffer` in `IDE/iotsafe-raspberrypi/client-tls13.c` + ### Running After building wolfSSL, from this directory, run `make` and a help usage will be shown. @@ -129,7 +131,7 @@ make all Run below to enable printing UART IO: ``` -make all ENABLE_DEBUG_UART_IO_EXTRA=on +make all ENABLE_DEBUG_UART_IO_EXTRA=on|off ``` Run the built `./main.bin` to print the help usage. diff --git a/IDE/iotsafe-raspberrypi/client-tls13.c b/IDE/iotsafe-raspberrypi/client-tls13.c index 93a399eb2..83a0ec419 100644 --- a/IDE/iotsafe-raspberrypi/client-tls13.c +++ b/IDE/iotsafe-raspberrypi/client-tls13.c 
@@ -187,7 +187,7 @@ int client_loop(const char *peer_ip, const char *peer_name, const char *peer_por /* Construct HTTP POST */ - // Header + /* Header */ strcat(buff, "POST /iot/device HTTP/1.1\r\n"); strcat(buff, "Content-Type: application/json\r\n"); strcat(buff, "Content-Length: 1000\r\n"); @@ -198,10 +198,10 @@ int client_loop(const char *peer_ip, const char *peer_name, const char *peer_por strcat(buff, peer_port); strcat(buff, "\r\n"); - // Delimiter + /* Delimiter */ strcat(buff, "\r\n"); - // Body + /* Body */ srand(time(NULL)); int devid = rand() % 100; char snum[5] = {0}; @@ -240,7 +240,7 @@ int client_loop(const char *peer_ip, const char *peer_name, const char *peer_por /* Fill in the server address */ printf("Peer port: %s\n", peer_port); - servAddr.sin_family = AF_INET; // Using IPv4 + servAddr.sin_family = AF_INET; /* Using IPv4 */ servAddr.sin_port = htons(atoi(peer_port)); /* Get the server IPv4 address from the command line call */ diff --git a/wolfcrypt/src/port/iotsafe/iotsafe.c b/wolfcrypt/src/port/iotsafe/iotsafe.c index 0344074e5..78f051c48 100644 --- a/wolfcrypt/src/port/iotsafe/iotsafe.c +++ b/wolfcrypt/src/port/iotsafe/iotsafe.c @@ -453,7 +453,7 @@ static int iotsafe_readfile(uint8_t *file_id, uint16_t file_id_sz, return ret; } - filesz_s = search_tlv(resp, ret, 0x20); + filesz_s = search_tlv(resp + 4, ret, 0x20); if ((filesz_s) && (XSTRLEN(filesz_s)) >= 8) { uint8_t fs_msb, fs_lsb; if (hex_to_bytes(filesz_s + 4, &fs_msb, 1) < 0) 
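Review bot: In iotsafe_readfile, `search_tlv(resp + 4, ret, 0x20)` advances the start of the buffer by four characters but still passes the full `ret` as the size. If that argument is the haystack length (search_tlv is defined outside the hunk, so please confirm), the search can run four characters past the end of the response, and a response shorter than four characters puts the start pointer beyond the data altogether. I would reject `ret < 4` with the function's usual error return and pass the reduced length, `filesz_s = search_tlv(resp + 4, ret - 4, 0x20);`. A short comment saying what the four skipped characters are would also help, since the function body starts and ends outside the hunk and the offset is otherwise unexplained.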
@@ -730,25 +730,32 @@ static int iotsafe_hkdf_extract(byte* prk, const byte* salt, word32 saltLen, WOLFSSL_MSG("Enter iotsafe_hkdf_extract"); switch (digest) { + #ifndef NO_SHA256 case WC_SHA256: hash_algo = (uint16_t)1; if (ikmLen == 0) { len = WC_SHA256_DIGEST_SIZE; } break; + #endif + #ifdef WOLFSSL_SHA384 case WC_SHA384: hash_algo = (uint16_t)2; if (ikmLen == 0) { len = WC_SHA384_DIGEST_SIZE; } break; + #endif + #ifdef WOLFSSL_TLS13_SHA512 case WC_SHA512: hash_algo = (uint16_t)4; if (ikmLen == 0) { len = WC_SHA512_DIGEST_SIZE; } break; + #endif default: + return BAD_FUNC_ARG; break; } @@ -848,13 +855,14 @@ static int iotsafe_sign_hash(byte *privkey_idx, uint16_t id_size, ret = expect_csim_response(csim_cmd, (word32)XSTRLEN(csim_cmd), &resp); if (ret >= 0) { - byte sig_hdr[2]; - if (hex_to_bytes(resp, sig_hdr, 2) < 0) { + byte sig_hdr[3]; + if (hex_to_bytes(resp, sig_hdr, 3) < 0) { ret = BAD_FUNC_ARG; } else if ((sig_hdr[0] == IOTSAFE_TAG_SIGNATURE_FIELD) && - (sig_hdr[1] == 2 * IOTSAFE_ECC_KSIZE)) { - XSTRNCPY(R, resp + 4, IOTSAFE_ECC_KSIZE * 2); - XSTRNCPY(S, resp + 4 + IOTSAFE_ECC_KSIZE * 2, + (sig_hdr[1] == 0) && + (sig_hdr[2] == 2 * IOTSAFE_ECC_KSIZE)) { + XSTRNCPY(R, resp + 6, IOTSAFE_ECC_KSIZE * 2); + XSTRNCPY(S, resp + 6 + IOTSAFE_ECC_KSIZE * 2, IOTSAFE_ECC_KSIZE * 2); ret = wc_ecc_rs_to_sig(R, S, signature, sigLen); } else { @@ -1045,8 +1053,8 @@ static int wolfIoT_hkdf_extract(byte* prk, const byte* salt, word32 saltLen, ret = iotsafe_hkdf_extract(prk, salt, saltLen, ikm, ikmLen, digest); } else{ - #ifdef DEBUG_IOTSAFE - printf("NULL Salt length not supported by IoT Safe Applet, fallback to software implementation\n"); + #ifdef DEBUG_IOTSAFE + printf("SALT is NULL, not supported by IoT Safe Applet, fallback to software implementation\n"); #endif ret = wc_Tls13_HKDF_Extract(prk, salt, saltLen, ikm, ikmLen, digest); }
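Review bot: The `break;` that follows `return BAD_FUNC_ARG;` in the `default:` arm of the switch in iotsafe_hkdf_extract is unreachable and can be dropped. With the new preprocessor guards, a digest that is compiled out now also lands in this arm, so a one-line comment such as `/* digest not compiled in, or not supported by the applet */` would make the rejection reason clear. Whether callers treat this `BAD_FUNC_ARG` as fatal or fall back to the software HKDF is not visible here, as the function continues outside the hunk.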
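Review bot: In iotsafe_sign_hash the new check validates the tag and the two-byte length field of the header, but nothing visible compares the actual response length `ret` with the `6 + 4 * IOTSAFE_ECC_KSIZE` hex characters that the two `XSTRNCPY` calls consume. If the card returns a truncated response that still carries a well-formed header, the copy of `S` starts at `resp + 6 + IOTSAFE_ECC_KSIZE * 2`, which may lie past the string terminator. Assuming `ret` is the response length in characters (expect_csim_response is outside the hunk), adding `(ret >= 6 + 4 * IOTSAFE_ECC_KSIZE) &&` to the condition closes that gap. The offset `6` and the header size `3` now appear in three places; a named constant would keep them from drifting apart.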