Fix some of the example TODO's. Fixes for seal/unseal example. Fixes for TLS with param enc. Fix signed_timestamp with ECC.

dgarske · dgarske · commit 9cad7f4e240f · 2023-10-30T12:00:37.000-07:00
diff --git a/examples/run_examples.sh b/examples/run_examples.sh
@@ -77,12 +77,9 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
     ./examples/keygen/keyload ecckeyblob.bin -aes >> run.out
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "keyload ecc param enc failed! $RESULT" && exit 1
-
     ./examples/keygen/keyimport ecckeyblob.bin -ecc >> run.out
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "keyload ecc import failed! $RESULT" && exit 1
-    # TODO: TPM2_Load (TPM_RC_INTEGRITY)
-    #./examples/keygen/keyload ecckeyblob.bin >> run.out
 fi
 rm -f ecckeyblob.bin
 
@@ -201,7 +198,7 @@ run_tpm_tls_client() { # Usage: run_tpm_tls_client [ecc/rsa] [tpmargs]]
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "tls server $1 $2 failed! $RESULT" && exit 1
     popd >> run.out
-    sleep 0.2
+    sleep 0.4
     ./examples/tls/tls_client -p=$port -$1 $2 2>&1 >> run.out
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "tpm tls client $1 $2 failed! $RESULT" && exit 1
@@ -214,7 +211,7 @@ run_tpm_tls_server() { # Usage: run_tpm_tls_server [ecc/rsa] [tpmargs]]
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "tpm tls server $1 $2 failed! $RESULT" && exit 1
     pushd $WOLFSSL_PATH >> run.out
-    sleep 0.2
+    sleep 0.4
     ./examples/client/client -p $port -g -A ./certs/tpm-ca-$1-cert.pem 2>&1 >> $PWD/run.out
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "tls client $1 $2 failed! $RESULT" && exit 1
@@ -223,24 +220,20 @@ run_tpm_tls_server() { # Usage: run_tpm_tls_server [ecc/rsa] [tpmargs]]
 
 if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
     run_tpm_tls_client "rsa" ""
-    # TODO: Not working (TPM2_Load TPM_RC_COMMAND_SIZE)
-    #run_tpm_tls_client "rsa" "-aes"
+    run_tpm_tls_client "rsa" "-aes"
     run_tpm_tls_client "ecc" ""
-    # TODO: Not working (TPM2_Load TPM_RC_COMMAND_SIZE)
-    #run_tpm_tls_client "ecc" "-aes"
+    run_tpm_tls_client "ecc" "-aes"
 
     run_tpm_tls_server "rsa" ""
-    # TODO: Not working (TPM2_Load TPM_RC_COMMAND_SIZE)
-    #run_tpm_tls_server "rsa" "-aes"
+    run_tpm_tls_server "rsa" "-aes"
     run_tpm_tls_server "ecc" ""
-    # TODO: Not working (TPM2_Load TPM_RC_COMMAND_SIZE)
-    #run_tpm_tls_server "ecc" "-aes"
+    run_tpm_tls_server "ecc" "-aes"
 fi
 
 
 # Clock Tests
 echo -e "Clock tests"
-./examples/timestamp/clock_set
+./examples/timestamp/clock_set >> run.out
 RESULT=$?
 [ $RESULT -ne 0 ] && echo -e "clock set failed! $RESULT" && exit 1
 
@@ -255,11 +248,14 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "signed_timestamp param enc failed! $RESULT" && exit 1
 fi
-# TODO: Test broken (wolfTPM2_GetTime TPM_RC_SCHEME)
-#./examples/timestamp/signed_timestamp -ecc >> run.out
-#if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
-    #./examples/timestamp/signed_timestamp -ecc -aes >> run.out
-#fi
+./examples/timestamp/signed_timestamp -ecc >> run.out
+RESULT=$?
+[ $RESULT -ne 0 ] && echo -e "signed_timestamp ecc failed! $RESULT" && exit 1
+if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
+    ./examples/timestamp/signed_timestamp -ecc -aes >> run.out
+    RESULT=$?
+    [ $RESULT -ne 0 ] && echo -e "signed_timestamp ecc param enc failed! $RESULT" && exit 1
+fi
 
 ./examples/attestation/make_credential >> run.out
 RESULT=$?
@@ -350,11 +346,21 @@ fi
 echo -e "Seal/Unseal (PCR policy)"
 ./examples/seal/seal sealedkeyblob.bin mySecretMessage >> run.out
 RESULT=$?
-[ $RESULT -ne 0 ] && echo -e "seal pcr failed! $RESULT" && exit 1
-# TODO (TPM2_Load TPM_RC_BAD_AUTH)
-#./examples/seal/unseal message.raw sealedkeyblob.bin >> run.out
+[ $RESULT -ne 0 ] && echo -e "seal failed! $RESULT" && exit 1
+./examples/seal/unseal message.raw sealedkeyblob.bin >> run.out
+RESULT=$?
+[ $RESULT -ne 0 ] && echo -e "unseal failed! $RESULT" && exit 1
 rm -f sealedkeyblob.bin
 
+if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
+    ./examples/seal/seal sealedkeyblob.bin mySecretMessage -aes >> run.out
+    RESULT=$?
+    [ $RESULT -ne 0 ] && echo -e "seal aes failed! $RESULT" && exit 1
+    ./examples/seal/unseal message.raw sealedkeyblob.bin -aes >> run.out
+    RESULT=$?
+    [ $RESULT -ne 0 ] && echo -e "unseal aes failed! $RESULT" && exit 1
+    rm -f sealedkeyblob.bin
+fi
 
 # Seal/Unseal (Policy auth)
 echo -e "Seal/Unseal (Policy auth)"
diff --git a/examples/seal/seal.c b/examples/seal/seal.c
@@ -40,9 +40,9 @@ static void usage(void)
 {
     printf("Expected usage:\n");
     printf("./examples/seal/seal [filename] [userdata]\n");
-    printf("* filename: Name of the file where the TPM key will be stored\n");
-    printf("* userdata: Arbitrary data to seal inside the TPM key (no whitespaces)\n");
-    printf("Demo usage, without parameters, uses keyblob.bin as a filename\n");
+    printf("* -aes/xor: Use Parameter Encryption\n");
+    printf("* filename: Name of the file where the TPM key will be stored (default: keyblob.bin)\n");
+    printf("* userdata: Arbitrary data to seal inside the TPM key (no whitespaces) (default: My1Pass2Phrase3)\n");
 }
 
 int TPM2_Seal_Example(void* userCtx, int argc, char *argv[])
@@ -95,6 +95,7 @@ int TPM2_Seal_Example(void* userCtx, int argc, char *argv[])
 
     printf("TPM2.0 Simple Seal example\n");
     printf("\tKey Blob: %s\n", outputFile);
+    printf("\tUser Data: %s\n", userData);
     printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg));
 
     rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
@@ -159,6 +160,9 @@ int TPM2_Seal_Example(void* userCtx, int argc, char *argv[])
         printf("\nFailure 0x%x: %s\n\n", rc, wolfTPM2_GetRCString(rc));
     }
 
+    /* Remove the auth for loaded TPM seal object */
+    wolfTPM2_UnsetAuth(&dev, 0);
+
     /* Close handles */
     wolfTPM2_UnloadHandle(&dev, &storage.handle);
     wolfTPM2_UnloadHandle(&dev, &newKey.handle);
diff --git a/examples/seal/unseal.c b/examples/seal/unseal.c
@@ -41,16 +41,20 @@ static void usage(void)
 {
     printf("Expected usage:\n");
     printf("./examples/seal/unseal [filename] [inkey_filename]\n");
-    printf("* filename - File contaning a TPM seal key\n");
+    printf("* -aes/xor: Use Parameter Encryption\n");
+    printf("* filename: Output for unsealed data (default: unseal.bin)\n");
+    printf("* inkey_filename: File with sealed keyed hashed object (keyblob.bin)\n");
     printf("Demo usage, without arguments, uses keyblob.bin file input.\n");
 }
 
 int TPM2_Unseal_Example(void* userCtx, int argc, char *argv[])
 {
     int rc;
     WOLFTPM2_DEV dev;
-    WOLFTPM2_KEY key;
-    TPM2B_AUTH auth;
+    WOLFTPM2_KEYBLOB newKey;
+    WOLFTPM2_KEY storage; /* SRK */
+    TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
+    WOLFTPM2_SESSION tpmSession;
     const char *filename = "unseal.bin";
     const char *inkeyfilename = "keyblob.bin";
 #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
@@ -60,14 +64,11 @@ int TPM2_Unseal_Example(void* userCtx, int argc, char *argv[])
     Unseal_In cmdIn_unseal;
     Unseal_Out cmdOut_unseal;
 
-    WOLFTPM2_KEYBLOB newKey;
-    WOLFTPM2_KEY storage; /* SRK */
-
-
+    XMEMSET(&storage, 0, sizeof(storage));
+    XMEMSET(&tpmSession, 0, sizeof(tpmSession));
     XMEMSET(&cmdIn_unseal, 0, sizeof(cmdIn_unseal));
     XMEMSET(&cmdOut_unseal, 0, sizeof(cmdOut_unseal));
-    XMEMSET(&key, 0, sizeof(key));
-    XMEMSET(&auth, 0, sizeof(auth));
+    XMEMSET(&newKey, 0, sizeof(newKey));
 
     if (argc >= 2) {
         if (XSTRCMP(argv[1], "-?") == 0 ||
@@ -85,6 +86,23 @@ int TPM2_Unseal_Example(void* userCtx, int argc, char *argv[])
            inkeyfilename = argv[2];
         }
     }
+    while (argc > 1) {
+        if (XSTRCMP(argv[argc-1], "-aes") == 0) {
+            paramEncAlg = TPM_ALG_CFB;
+        }
+        else if (XSTRCMP(argv[argc-1], "-xor") == 0) {
+            paramEncAlg = TPM_ALG_XOR;
+        }
+        else if (argv[argc-1][0] == '-') {
+            printf("Warning: Unrecognized option: %s\n", argv[argc-1]);
+        }
+        argc--;
+    }
+
+    printf("TPM2.0 Simple Unseal example\n");
+    printf("\tKey Blob: %s\n", inkeyfilename);
+    printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg));
+
 
     printf("Example how to unseal data using TPM2.0\n");
     rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
@@ -97,6 +115,21 @@ int TPM2_Unseal_Example(void* userCtx, int argc, char *argv[])
     rc = getPrimaryStoragekey(&dev, &storage, TPM_ALG_RSA);
     if (rc != 0) goto exit;
 
+    if (paramEncAlg != TPM_ALG_NULL) {
+        /* Start an authenticated session (salted / unbound) with parameter encryption */
+        rc = wolfTPM2_StartSession(&dev, &tpmSession, &storage, NULL,
+            TPM_SE_HMAC, paramEncAlg);
+        if (rc != 0) goto exit;
+        printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
+            (word32)tpmSession.handle.hndl);
+
+        /* set session for authorization of the storage key */
+        rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession,
+            (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | TPMA_SESSION_continueSession));
+        if (rc != 0) goto exit;
+
+    }
+
     rc = readKeyBlob(inkeyfilename, &newKey);
     if (rc != 0) goto exit;
 
@@ -109,9 +142,9 @@ int TPM2_Unseal_Example(void* userCtx, int argc, char *argv[])
         (word32)newKey.handle.hndl);
 
     /* Set authorization for using the seal key */
-    auth.size = (int)sizeof(gKeyAuth) - 1;
-    XMEMCPY(auth.buffer, gKeyAuth, auth.size);
-    wolfTPM2_SetAuthPassword(&dev, 0, &auth);
+    newKey.handle.auth.size = (int)sizeof(gKeyAuth) - 1;
+    XMEMCPY(newKey.handle.auth.buffer, gKeyAuth, newKey.handle.auth.size);
+    wolfTPM2_SetAuthHandle(&dev, 0, &newKey.handle);
 
     cmdIn_unseal.itemHandle = newKey.handle.hndl;
 
@@ -146,12 +179,13 @@ int TPM2_Unseal_Example(void* userCtx, int argc, char *argv[])
     (void)filename;
 #endif
 
-    /* Remove the loaded TPM seal object */
-    wolfTPM2_SetAuthPassword(&dev, 0, NULL);
+    /* Remove the auth for loaded TPM seal object */
+    wolfTPM2_UnsetAuth(&dev, 0);
 
 exit:
     wolfTPM2_UnloadHandle(&dev, &storage.handle);
     wolfTPM2_UnloadHandle(&dev, &newKey.handle);
+    wolfTPM2_UnloadHandle(&dev, &tpmSession.handle);
 
     wolfTPM2_Cleanup(&dev);
     return rc;
diff --git a/examples/timestamp/signed_timestamp.c b/examples/timestamp/signed_timestamp.c
@@ -180,13 +180,8 @@ int TPM2_Timestamp_TestArgs(void* userCtx, int argc, char *argv[])
     if (paramEncAlg != TPM_ALG_NULL) {
         sessionAttributes |= (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt);
     }
-#if 0
-    /* TODO: Investigate param enc with signed timestamp */
     rc = wolfTPM2_SetAuthSession(&dev, 2, &tpmSession, sessionAttributes);
     if (rc != 0) goto exit;
-#else
-    (void)sessionAttributes;
-#endif
 
     /* At this stage: The SRK is created, AIK is created and loaded,
      * Endorsement Hierarchy is enabled through policySecret,
diff --git a/examples/tls/tls_client.c b/examples/tls/tls_client.c
@@ -207,7 +207,7 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
             (word32)tpmSession.handle.hndl);
 
         /* set session for authorization of the storage key */
-        rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession,
+        rc = wolfTPM2_SetAuthSession(&dev, 0, &tpmSession,
             (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | TPMA_SESSION_continueSession));
         if (rc != 0) goto exit;
     }
diff --git a/examples/tls/tls_server.c b/examples/tls/tls_server.c
@@ -222,7 +222,7 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
             (word32)tpmSession.handle.hndl);
 
         /* set session for authorization of the storage key */
-        rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession,
+        rc = wolfTPM2_SetAuthSession(&dev, 0, &tpmSession,
             (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt |
              TPMA_SESSION_continueSession));
         if (rc != 0) goto exit;
diff --git a/src/tpm2_wrap.c b/src/tpm2_wrap.c
@@ -5823,17 +5823,23 @@ int wolfTPM2_GetTime(WOLFTPM2_KEY* aikKey, GetTime_Out* getTimeOut)
     int rc;
     GetTime_In getTimeCmd;
 
-    if (getTimeOut == NULL) return BAD_FUNC_ARG;
+    if (getTimeOut == NULL)
+        return BAD_FUNC_ARG;
 
     /* GetTime */
     XMEMSET(&getTimeCmd, 0, sizeof(getTimeCmd));
     XMEMSET(getTimeOut, 0, sizeof(*getTimeOut));
     getTimeCmd.privacyAdminHandle = TPM_RH_ENDORSEMENT;
-    /* TPM_RH_NULL is a valid handle for NULL signature */
-    getTimeCmd.signHandle = aikKey->handle.hndl;
-    /* TPM_ALG_NULL is a valid handle for  NULL signature */
-    getTimeCmd.inScheme.scheme = TPM_ALG_RSASSA;
-    getTimeCmd.inScheme.details.rsassa.hashAlg = TPM_ALG_SHA256;
+    if (aikKey != NULL) {
+        TPMT_ASYM_SCHEME* scheme =
+            &aikKey->pub.publicArea.parameters.asymDetail.scheme;
+        getTimeCmd.signHandle = aikKey->handle.hndl;
+        getTimeCmd.inScheme.scheme = scheme->scheme;
+        getTimeCmd.inScheme.details.any.hashAlg = scheme->details.anySig.hashAlg;
+    }
+    else {
+        getTimeCmd.signHandle = TPM_RH_NULL;
+    }
     getTimeCmd.qualifyingData.size = 0; /* optional */
     rc = TPM2_GetTime(&getTimeCmd, getTimeOut);
     if (rc != TPM_RC_SUCCESS) {

Original file line number	Diff line number	Diff line change
`@@ -207,7 +207,7 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])`
`207`	`207`	`(word32)tpmSession.handle.hndl);`
`208`	`208`
`209`	`209`	`/* set session for authorization of the storage key */`
`210`		`- rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession,`
	`210`	`+ rc = wolfTPM2_SetAuthSession(&dev, 0, &tpmSession,`
`211`	`211`	`(TPMA_SESSION_decrypt \| TPMA_SESSION_encrypt \| TPMA_SESSION_continueSession));`
`212`	`212`	`if (rc != 0) goto exit;`
`213`	`213`	`}`