From d121e8437fdbe257635de44d9da17bc968237069 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Mon, 27 Oct 2025 13:14:51 -0600 Subject: [PATCH 01/13] Use TLS over transport for authentication of peer --- .../posix/wh_posix_client/wh_posix_client.c | 24 +- .../wh_posix_client/wh_posix_client_cfg.c | 172 +++++++ .../wh_posix_client/wh_posix_client_cfg.h | 6 + .../posix/wh_posix_server/user_settings.h | 15 +- .../posix/wh_posix_server/wh_posix_server.c | 50 +- .../wh_posix_server/wh_posix_server_cfg.c | 257 ++++++++++ .../wh_posix_server/wh_posix_server_cfg.h | 6 + port/posix/posix_transport_tcp.c | 5 +- port/posix/posix_transport_tls.c | 483 ++++++++++++++++++ port/posix/posix_transport_tls.h | 150 ++++++ 10 files changed, 1154 insertions(+), 14 deletions(-) create mode 100644 port/posix/posix_transport_tls.c create mode 100644 port/posix/posix_transport_tls.h diff --git a/examples/posix/wh_posix_client/wh_posix_client.c b/examples/posix/wh_posix_client/wh_posix_client.c index 6b4e4882..a7cc007d 100644 --- a/examples/posix/wh_posix_client/wh_posix_client.c +++ b/examples/posix/wh_posix_client/wh_posix_client.c @@ -160,7 +160,17 @@ void Usage(const char* exeName) { WOLFHSM_CFG_PRINTF("Usage: %s --type --test\n", exeName); WOLFHSM_CFG_PRINTF("Example: %s --type tcp\n", exeName); - WOLFHSM_CFG_PRINTF("type: tcp (default), shm\n"); + WOLFHSM_CFG_PRINTF("type: tcp (default), shm"); +#ifndef WOLFHSM_CFG_NO_CRYPTO + WOLFHSM_CFG_PRINTF(", tls"); +#endif +#ifndef NO_PSK + WOLFHSM_CFG_PRINTF(", psk"); +#endif +#ifdef WOLFSSL_STATIC_MEMORY + WOLFHSM_CFG_PRINTF(", dma"); +#endif + WOLFHSM_CFG_PRINTF("\n"); } int main(int argc, char** argv) @@ -204,6 +214,18 @@ int main(int argc, char** argv) WOLFHSM_CFG_PRINTF("Using shared memory transport\n"); wh_PosixClient_ExampleShmConfig(c_conf); } +#ifndef WOLFHSM_CFG_NO_CRYPTO + else if (strcmp(type, "tls") == 0) { + WOLFHSM_CFG_PRINTF("Using TLS transport\n"); + wh_PosixClient_ExampleTlsConfig(c_conf); + } +#endif +#if !defined(WOLFHSM_CFG_NO_CRYPTO) && !defined(NO_PSK) + else if (strcmp(type, "psk") == 0) { + WOLFHSM_CFG_PRINTF("Using TLS PSK transport\n"); + wh_PosixClient_ExamplePskConfig(c_conf); + } +#endif #ifdef WOLFSSL_STATIC_MEMORY else if (strcmp(type, "dma") == 0) { WOLFHSM_CFG_PRINTF("Using DMA with shared memory transport\n"); diff --git a/examples/posix/wh_posix_client/wh_posix_client_cfg.c b/examples/posix/wh_posix_client/wh_posix_client_cfg.c index 4e01eb9d..aac59823 100644 --- a/examples/posix/wh_posix_client/wh_posix_client_cfg.c +++ b/examples/posix/wh_posix_client/wh_posix_client_cfg.c @@ -10,19 +10,31 @@ #include "port/posix/posix_transport_shm.h" #include "port/posix/posix_transport_tcp.h" +#ifndef WOLFHSM_CFG_NO_CRYPTO +#include "port/posix/posix_transport_tls.h" +#endif #include posixTransportShmClientContext tccShm; posixTransportTcpClientContext tccTcp; +#ifndef WOLFHSM_CFG_NO_CRYPTO +posixTransportTlsClientContext tccTls; +#endif posixTransportShmConfig shmConfig; posixTransportTcpConfig tcpConfig; +#ifndef WOLFHSM_CFG_NO_CRYPTO +posixTransportTlsConfig tlsConfig; +#endif whCommClientConfig c_comm; whTransportClientCb shmCb = POSIX_TRANSPORT_SHM_CLIENT_CB; whTransportClientCb tcpCb = PTT_CLIENT_CB; +#ifndef WOLFHSM_CFG_NO_CRYPTO +whTransportClientCb tlsCb = PTTLS_CLIENT_CB; +#endif #ifdef WOLFSSL_STATIC_MEMORY whTransportClientCb dmaCb = POSIX_TRANSPORT_SHM_CLIENT_CB; @@ -123,6 +135,166 @@ int wh_PosixClient_ExampleTcpConfig(void* conf) return WH_ERROR_OK; } +#ifndef WOLFHSM_CFG_NO_CRYPTO +/* client configuration setup example for TLS transport */ +#undef USE_CERT_BUFFERS_2048 +#define USE_CERT_BUFFERS_2048 +#include "wolfssl/certs_test.h" +static int +wh_PosixClient_ExampleTlsContextSetup(posixTransportTlsClientContext* ctx) +{ + int rc; + + /* uncomment and compile with DEBUG_WOLFSSL for debugging */ + /* wolfSSL_Debugging_ON(); */ + + /* Create a new wolfSSL context to use with this connection */ + ctx->ssl_ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); + if (!ctx->ssl_ctx) { + return WH_ERROR_ABORTED; + } + + /* don't use wolfHSM for TLS crypto when communicating with wolfHSM */ + wolfSSL_CTX_SetDevId(ctx->ssl_ctx, INVALID_DEVID); + + /* Load CA certificate for server verification */ + rc = wolfSSL_CTX_load_verify_buffer(ctx->ssl_ctx, ca_cert_der_2048, + sizeof_ca_cert_der_2048, + CTC_FILETYPE_ASN1); + if (rc != WOLFSSL_SUCCESS) { + wolfSSL_CTX_free(ctx->ssl_ctx); + ctx->ssl_ctx = NULL; + return WH_ERROR_ABORTED; + } + + rc = wolfSSL_CTX_use_certificate_buffer(ctx->ssl_ctx, client_cert_der_2048, + sizeof(client_cert_der_2048), + CTC_FILETYPE_ASN1); + if (rc != WOLFSSL_SUCCESS) { + wolfSSL_CTX_free(ctx->ssl_ctx); + ctx->ssl_ctx = NULL; + return WH_ERROR_ABORTED; + } + + /* load private key for TLS connection */ + rc = wolfSSL_CTX_use_PrivateKey_buffer(ctx->ssl_ctx, client_key_der_2048, + sizeof(client_key_der_2048), + CTC_FILETYPE_ASN1); + if (rc != WOLFSSL_SUCCESS) { + wolfSSL_CTX_free(ctx->ssl_ctx); + ctx->ssl_ctx = NULL; + return WH_ERROR_ABORTED; + } + /* Set verification mode */ + wolfSSL_CTX_set_verify(ctx->ssl_ctx, WOLFSSL_VERIFY_PEER, NULL); + + return WH_ERROR_OK; +} + +#ifndef NO_PSK +/* Simple PSK example callback */ +static unsigned int psk_tls12_client_cb(WOLFSSL* ssl, const char* hint, + char* identity, unsigned int id_max_len, + unsigned char* key, + unsigned int key_max_len) +{ + size_t len; + + memset(key, 0, key_max_len); + const char* exampleIdentity = "PSK_EXAMPLE_CLIENT_IDENTITY"; + + printf("PSK server identity hint: %s\n", hint); + printf("PSK using identity: %s\n", exampleIdentity); + strncpy(identity, exampleIdentity, id_max_len); + + printf("Enter PSK password: "); + if (fgets((char*)key, key_max_len - 1, stdin) == NULL) { + memset(key, 0, key_max_len); + return 0U; + } + + (void)ssl; + len = strcspn((char*)key, "\n"); + ((char*)key)[len] = '\0'; + return (unsigned int)len; +} + +/* Setup WOLFSSL_CTX for use with PSK */ +static int +wh_PosixClient_ExamplePskContextSetup(posixTransportTlsClientContext* ctx) +{ + /* uncomment and compile with DEBUG_WOLFSSL for debugging */ + /* wolfSSL_Debugging_ON(); */ + + /* Create a new wolfSSL context to use with this connection */ + ctx->ssl_ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); + if (!ctx->ssl_ctx) { + return WH_ERROR_ABORTED; + } + + /* don't use wolfHSM for TLS crypto when communicating with wolfHSM */ + wolfSSL_CTX_SetDevId(ctx->ssl_ctx, INVALID_DEVID); + + wolfSSL_CTX_set_psk_client_callback(ctx->ssl_ctx, psk_tls12_client_cb); + /* Set verification mode */ + wolfSSL_CTX_set_verify(ctx->ssl_ctx, WOLFSSL_VERIFY_PEER, NULL); + + return WH_ERROR_OK; +} +#endif /* NO_PSK */ + +static int wh_PosixClient_ExampleTlsCommonConfig(void* conf) +{ + whClientConfig* c_conf = (whClientConfig*)conf; + + memset(&tccTls, 0, sizeof(posixTransportTlsClientContext)); + + /* Initialize TCP context fields that need specific values */ + tccTls.state = 0; + tccTls.connect_fd_p1 = 0; /* Invalid fd */ + tccTls.request_sent = 0; + tccTls.buffer_offset = 0; + + tlsConfig.server_ip_string = WH_POSIX_SERVER_TCP_IPSTRING; + tlsConfig.server_port = WH_POSIX_SERVER_TCP_PORT; + tlsConfig.verify_peer = true; + + c_comm.transport_cb = &tlsCb; + c_comm.transport_context = (void*)&tccTls; + c_comm.transport_config = (void*)&tlsConfig; + c_comm.client_id = WH_POSIX_CLIENT_ID; + c_conf->comm = &c_comm; + + return WH_ERROR_OK; +} + +int wh_PosixClient_ExampleTlsConfig(void* conf) +{ + if (wh_PosixClient_ExampleTlsCommonConfig(conf) != WH_ERROR_OK) { + return WH_ERROR_ABORTED; + } + + if (wh_PosixClient_ExampleTlsContextSetup(&tccTls) != WH_ERROR_OK) { + return WH_ERROR_ABORTED; + } + return WH_ERROR_OK; +} + +#ifndef NO_PSK +int wh_PosixClient_ExamplePskConfig(void* conf) +{ + if (wh_PosixClient_ExampleTlsCommonConfig(conf) != WH_ERROR_OK) { + return WH_ERROR_ABORTED; + } + + if (wh_PosixClient_ExamplePskContextSetup(&tccTls) != WH_ERROR_OK) { + return WH_ERROR_ABORTED; + } + return WH_ERROR_OK; +} +#endif /* NO_PSK */ +#endif /* WOLFHSM_CFG_NO_CRYPTO */ + /* client configuration setup example for transport */ int wh_PosixClient_ExampleShmConfig(void* conf) diff --git a/examples/posix/wh_posix_client/wh_posix_client_cfg.h b/examples/posix/wh_posix_client/wh_posix_client_cfg.h index 5931150c..5a1c7db6 100644 --- a/examples/posix/wh_posix_client/wh_posix_client_cfg.h +++ b/examples/posix/wh_posix_client/wh_posix_client_cfg.h @@ -4,5 +4,11 @@ int wh_PosixClient_ExampleShmDmaConfig(void* c_conf); int wh_PosixClient_ExampleShmConfig(void* c_conf); int wh_PosixClient_ExampleTcpConfig(void* c_conf); +#ifndef WOLFHSM_CFG_NO_CRYPTO +int wh_PosixClient_ExampleTlsConfig(void* c_conf); +#endif +#if !defined(WOLFHSM_CFG_NO_CRYPTO) && !defined(NO_PSK) +int wh_PosixClient_ExamplePskConfig(void* c_conf); +#endif int wh_PosixClient_ExampleSetupDmaMemory(void* ctx, void* c_conf); #endif /* WH_POSIX_CLIENT_CFG_H */ \ No newline at end of file diff --git a/examples/posix/wh_posix_server/user_settings.h b/examples/posix/wh_posix_server/user_settings.h index a21b90de..7d713c10 100644 --- a/examples/posix/wh_posix_server/user_settings.h +++ b/examples/posix/wh_posix_server/user_settings.h @@ -48,9 +48,7 @@ extern "C" { #define HAVE_ANONYMOUS_INLINE_AGGREGATES 1 /* For cert manager */ -#define NO_TLS -/* Eliminates need for IO layer since we only use CM */ -#define WOLFSSL_USER_IO +/* #define NO_TLS */ /* For ACert support (also requires WOLFSSL_ASN_TEMPLATE) */ #define WOLFSSL_ACERT @@ -67,11 +65,11 @@ extern "C" { /** Remove unneeded features*/ #define NO_MAIN_DRIVER -#define NO_ERROR_STRINGS +/* #define NO_ERROR_STRINGS */ #define NO_ERROR_QUEUE #define NO_INLINE #define NO_OLD_TLS -#define WOLFSSL_NO_TLS12 +/* #define WOLFSSL_NO_TLS12 */ #define NO_DO178 /* Prevents certain functions (SHA, hash.c) on server from falling back to * client cryptoCb when using non-devId APIs */ @@ -151,7 +149,7 @@ extern "C" { /* Remove unneeded crypto */ #define NO_DSA #define NO_RC4 -#define NO_PSK +/* #define NO_PSK */ #define NO_MD4 #define NO_MD5 #define NO_DES3 @@ -192,6 +190,11 @@ extern "C" { #define WOLFSSL_STATIC_MEMORY #endif +/* additional memory debugging macros, prints out each alloc and free */ +/* #define WOLFSSL_DEBUG_MEMORY */ +/* #define WOLFSSL_DEBUG_MEMORY_PRINT */ + +/* #define DEBUG_WOLFSSL */ #ifdef __cplusplus } #endif diff --git a/examples/posix/wh_posix_server/wh_posix_server.c b/examples/posix/wh_posix_server/wh_posix_server.c index ca49dd8f..4b37a366 100644 --- a/examples/posix/wh_posix_server/wh_posix_server.c +++ b/examples/posix/wh_posix_server/wh_posix_server.c @@ -276,7 +276,17 @@ static void Usage(const char* exeName) WOLFHSM_CFG_PRINTF("Example: %s --key key.bin --id 123 --client 456 " "--nvminit nvm_init.txt --type tcp --flags 0\n", exeName); - WOLFHSM_CFG_PRINTF("type: tcp (default), shm, dma\n"); + WOLFHSM_CFG_PRINTF("type: tcp (default), shm"); +#ifndef WOLFHSM_CFG_NO_CRYPTO + WOLFHSM_CFG_PRINTF(", tls"); +#endif +#ifndef NO_PSK + WOLFHSM_CFG_PRINTF(", psk"); +#endif +#ifdef WOLFSSL_STATIC_MEMORY + WOLFHSM_CFG_PRINTF(", dma"); +#endif + WOLFHSM_CFG_PRINTF("\n"); } @@ -340,16 +350,48 @@ int main(int argc, char** argv) memset(s_conf, 0, sizeof(whServerConfig)); if (strcmp(type, "tcp") == 0) { WOLFHSM_CFG_PRINTF("Using TCP transport\n"); - wh_PosixServer_ExampleTcpConfig(s_conf); + rc = wh_PosixServer_ExampleTcpConfig(s_conf); + if (rc != WH_ERROR_OK) { + WOLFHSM_CFG_PRINTF("Failed to initialize TCP transport\n"); + return -1; + } } else if (strcmp(type, "shm") == 0) { WOLFHSM_CFG_PRINTF("Using shared memory transport\n"); - wh_PosixServer_ExampleShmConfig(s_conf); + rc = wh_PosixServer_ExampleShmConfig(s_conf); + if (rc != WH_ERROR_OK) { + WOLFHSM_CFG_PRINTF("Failed to initialize shared memory transport\n"); + return -1; + } + } +#ifndef WOLFHSM_CFG_NO_CRYPTO + else if (strcmp(type, "tls") == 0) { + WOLFHSM_CFG_PRINTF("Using TLS transport\n"); + rc = wh_PosixServer_ExampleTlsConfig(s_conf); + if (rc != WH_ERROR_OK) { + WOLFHSM_CFG_PRINTF("Failed to initialize TLS transport\n"); + return -1; + } + } +#if !defined(WOLFHSM_CFG_NO_CRYPTO) && !defined(NO_PSK) + else if (strcmp(type, "psk") == 0) { + WOLFHSM_CFG_PRINTF("Using TLS PSK transport\n"); + rc = wh_PosixServer_ExamplePskConfig(s_conf); + if (rc != WH_ERROR_OK) { + WOLFHSM_CFG_PRINTF("Failed to initialize TLS PSK transport\n"); + return -1; + } } +#endif +#endif #ifdef WOLFSSL_STATIC_MEMORY else if (strcmp(type, "dma") == 0) { WOLFHSM_CFG_PRINTF("Using DMA with shared memory transport\n"); - wh_PosixServer_ExampleShmDmaConfig(s_conf); + rc = wh_PosixServer_ExampleShmDmaConfig(s_conf); + if (rc != WH_ERROR_OK) { + WOLFHSM_CFG_PRINTF("Failed to initialize DMA with shared memory transport\n"); + return -1; + } } #endif else { diff --git a/examples/posix/wh_posix_server/wh_posix_server_cfg.c b/examples/posix/wh_posix_server/wh_posix_server_cfg.c index 5f194e82..1cf05c2e 100644 --- a/examples/posix/wh_posix_server/wh_posix_server_cfg.c +++ b/examples/posix/wh_posix_server/wh_posix_server_cfg.c @@ -17,16 +17,28 @@ #include "port/posix/posix_transport_shm.h" #include "port/posix/posix_transport_tcp.h" +#ifndef WOLFHSM_CFG_NO_CRYPTO +#include "port/posix/posix_transport_tls.h" +#endif posixTransportShmConfig shmConfig; posixTransportTcpConfig tcpConfig; +#ifndef WOLFHSM_CFG_NO_CRYPTO +posixTransportTlsConfig tlsConfig; +#endif whCommServerConfig s_comm; whTransportServerCb tcpCb = PTT_SERVER_CB; whTransportServerCb shmCb = POSIX_TRANSPORT_SHM_SERVER_CB; +#ifndef WOLFHSM_CFG_NO_CRYPTO +whTransportServerCb tlsCb = PTTLS_SERVER_CB; +#endif posixTransportShmServerContext tscShm; posixTransportTcpServerContext tscTcp; +#ifndef WOLFHSM_CFG_NO_CRYPTO +posixTransportTlsServerContext tscTls; +#endif #ifdef WOLFSSL_STATIC_MEMORY whTransportServerCb dmaCb = POSIX_TRANSPORT_SHM_SERVER_CB; @@ -110,6 +122,251 @@ int wh_PosixServer_ExampleTcpConfig(void* conf) return WH_ERROR_OK; } +#ifndef WOLFHSM_CFG_NO_CRYPTO +/* Server configuration setup example for TLS transport + * Does not setup flash, nvm, crypto, she, etc. */ + +#undef USE_CERT_BUFFERS_2048 +#define USE_CERT_BUFFERS_2048 +#include "wolfssl/certs_test.h" + +#ifdef WOLFSSL_STATIC_MEMORY +#define EXAMPLE_STATIC_MEMORY_SIZE 70000 +static unsigned char memoryBuffer[EXAMPLE_STATIC_MEMORY_SIZE]; +WOLFSSL_HEAP_HINT* heap = NULL; +unsigned int staticMemoryList[] = {176, 304, 384, 480, 1008, + 3328, 4560, 5152, 8928}; +unsigned int staticMemoryDist[] = {14, 4, 3, 3, 4, 10, 2, 1, 1}; +#endif + +#ifndef NO_PSK +static unsigned int psk_tls12_server_cb(WOLFSSL* ssl, const char* identity, + unsigned char* key, + unsigned int key_max_len) +{ + size_t len; + + memset(key, 0, key_max_len); + printf("PSK TLS12 server callback\n"); + printf("PSK client identity: %s\n", identity); + printf("Enter PSK password to accept: "); + if (fgets((char*)key, key_max_len - 1, stdin) == NULL) { + memset(key, 0, key_max_len); + return 0U; + } + len = strcspn((char*)key, "\n"); + ((char*)key)[len] = '\0'; + (void)ssl; + return (unsigned int)len; +} + +#ifdef WOLFSSL_TLS13 +static unsigned int psk_tls13_server_cb(WOLFSSL* ssl, const char* identity, + unsigned char* key, + unsigned int key_max_len, + const char** ciphersuite) +{ + size_t len; + + memset(key, 0, key_max_len); + printf("PSK TLS13 server callback\n"); + printf("PSK client identity: %s\n", identity); + *ciphersuite = "TLS13-AES128-GCM-SHA256"; + + printf("Enter PSK password: "); + if (fgets((char*)key, key_max_len - 1, stdin) == NULL) { + memset(key, 0, key_max_len); + return 0U; + } + len = strcspn((char*)key, "\n"); + ((char*)key)[len] = '\0'; + + (void)ssl; + return (unsigned int)len; +} +#endif /* WOLFSSL_TLS13 */ + +static int +wh_PosixServer_ExamplePskContextSetup(posixTransportTlsServerContext* ctx) +{ + /* uncomment and compile with DEBUG_WOLFSSL for debugging */ + /* wolfSSL_Debugging_ON(); */ + +#ifdef WOLFSSL_STATIC_MEMORY + /* Initialize static memory buffer */ + if (wc_LoadStaticMemory_ex(&heap, WH_POSIX_STATIC_MEM_LIST_SIZE, + staticMemoryList, staticMemoryDist, memoryBuffer, + EXAMPLE_STATIC_MEMORY_SIZE, 0, 0) != 0) { + return WH_ERROR_ABORTED; + } + + ctx->ssl_ctx = wolfSSL_CTX_new_ex(wolfSSLv23_server_method_ex(heap), heap); +#else + ctx->ssl_ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()); +#endif + if (ctx->ssl_ctx == NULL) { +#ifdef WOLFSSL_STATIC_MEMORY + if (heap) { + wc_UnloadStaticMemory(heap); + heap = NULL; + } +#endif + return WH_ERROR_ABORTED; + } + + wolfSSL_CTX_set_psk_server_callback(ctx->ssl_ctx, psk_tls12_server_cb); +#ifdef WOLFSSL_TLS13 + wolfSSL_CTX_set_psk_server_tls13_callback(ctx->ssl_ctx, + psk_tls13_server_cb); +#endif /* WOLFSSL_TLS13 */ + wolfSSL_CTX_use_psk_identity_hint(ctx->ssl_ctx, "wolfHSM Example Server"); + return WH_ERROR_OK; +} +#endif /* NO_PSK */ + +static int +wh_PosixServer_ExampleTlsContextSetup(posixTransportTlsServerContext* ctx) +{ + int rc; + + /* uncomment and compile with DEBUG_WOLFSSL for debugging */ + /* wolfSSL_Debugging_ON(); */ + +#ifdef WOLFSSL_STATIC_MEMORY + if (wc_LoadStaticMemory_ex(&heap, WH_POSIX_STATIC_MEM_LIST_SIZE, + staticMemoryList, staticMemoryDist, memoryBuffer, + EXAMPLE_STATIC_MEMORY_SIZE, 0, 0) != 0) { + return WH_ERROR_ABORTED; + } + + ctx->ssl_ctx = wolfSSL_CTX_new_ex(wolfSSLv23_server_method_ex(heap), heap); +#else + ctx->ssl_ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()); +#endif + + if (ctx->ssl_ctx == NULL) { +#ifdef WOLFSSL_STATIC_MEMORY + if (heap) { + wc_UnloadStaticMemory(heap); + heap = NULL; + } +#endif + return WH_ERROR_ABORTED; + } + /* don't use wolfHSM for local TLS crypto */ + wolfSSL_CTX_SetDevId(ctx->ssl_ctx, INVALID_DEVID); + + /* Load server certificate */ + rc = wolfSSL_CTX_use_certificate_buffer(ctx->ssl_ctx, server_cert_der_2048, + sizeof(server_cert_der_2048), + CTC_FILETYPE_ASN1); + if (rc != WOLFSSL_SUCCESS) { + wolfSSL_CTX_free(ctx->ssl_ctx); + ctx->ssl_ctx = NULL; +#ifdef WOLFSSL_STATIC_MEMORY + if (heap) { + wc_UnloadStaticMemory(heap); + heap = NULL; + } +#endif + return WH_ERROR_ABORTED; + } + + /* Load CA certificate for client verification if enabled */ + rc = wolfSSL_CTX_load_verify_buffer(ctx->ssl_ctx, client_cert_der_2048, + sizeof(client_cert_der_2048), + WOLFSSL_FILETYPE_ASN1); + if (rc != WOLFSSL_SUCCESS) { + wolfSSL_CTX_free(ctx->ssl_ctx); + ctx->ssl_ctx = NULL; +#ifdef WOLFSSL_STATIC_MEMORY + if (heap) { + wc_UnloadStaticMemory(heap); + heap = NULL; + } +#endif + return WH_ERROR_ABORTED; + } + + /* load private key for TLS connection */ + rc = wolfSSL_CTX_use_PrivateKey_buffer(ctx->ssl_ctx, server_key_der_2048, + sizeof(server_key_der_2048), + CTC_FILETYPE_ASN1); + if (rc != WOLFSSL_SUCCESS) { + wolfSSL_CTX_free(ctx->ssl_ctx); + ctx->ssl_ctx = NULL; +#ifdef WOLFSSL_STATIC_MEMORY + if (heap) { + wc_UnloadStaticMemory(heap); + heap = NULL; + } +#endif + return WH_ERROR_ABORTED; + } + + /* Setup server for mutual authentication. It will try to verify the clients + * certificate so both the client and server authenticate the peer + * connecting with. */ + wolfSSL_CTX_set_verify(ctx->ssl_ctx, WOLFSSL_VERIFY_PEER, NULL); + + return WH_ERROR_OK; +} + + +static int wh_PosixServer_ExampleTlsCommonContextSetup(void* ctx) +{ + whServerConfig* s_conf = (whServerConfig*)ctx; + + /* Server configuration/context */ + memset(&tscTls, 0, sizeof(posixTransportTlsServerContext)); + + /* Initialize TCP context fields that need specific values */ + tscTls.listen_fd_p1 = 0; /* Invalid fd */ + tscTls.accept_fd_p1 = 0; /* Invalid fd */ + tscTls.request_recv = 0; + tscTls.buffer_offset = 0; + + tlsConfig.server_ip_string = WH_POSIX_SERVER_TCP_IPSTRING; + tlsConfig.server_port = WH_POSIX_SERVER_TCP_PORT; + tlsConfig.verify_peer = true; + + s_comm.transport_cb = &tlsCb; + s_comm.transport_context = (void*)&tscTls; + s_comm.transport_config = (void*)&tlsConfig; + s_comm.server_id = WH_POSIX_SERVER_ID; + + s_conf->comm_config = &s_comm; + + return WH_ERROR_OK; +} + +int wh_PosixServer_ExampleTlsConfig(void* conf) +{ + if (wh_PosixServer_ExampleTlsCommonContextSetup(conf) != WH_ERROR_OK) { + return WH_ERROR_ABORTED; + } + + if (wh_PosixServer_ExampleTlsContextSetup(&tscTls) != WH_ERROR_OK) { + return WH_ERROR_ABORTED; + } + return WH_ERROR_OK; +} + +#ifndef NO_PSK +int wh_PosixServer_ExamplePskConfig(void* conf) +{ + if (wh_PosixServer_ExampleTlsCommonContextSetup(conf) != WH_ERROR_OK) { + return WH_ERROR_ABORTED; + } + + if (wh_PosixServer_ExamplePskContextSetup(&tscTls) != WH_ERROR_OK) { + return WH_ERROR_ABORTED; + } + return WH_ERROR_OK; +} +#endif /* NO_PSK */ +#endif + static const whFlashCb fcb = WH_FLASH_RAMSIM_CB; static whFlashRamsimCfg fc_conf; diff --git a/examples/posix/wh_posix_server/wh_posix_server_cfg.h b/examples/posix/wh_posix_server/wh_posix_server_cfg.h index 6b859887..f0d5540d 100644 --- a/examples/posix/wh_posix_server/wh_posix_server_cfg.h +++ b/examples/posix/wh_posix_server/wh_posix_server_cfg.h @@ -6,6 +6,12 @@ int wh_PosixServer_ExampleShmDmaConfig(void* s_conf); int wh_PosixServer_ExampleShmConfig(void* s_conf); int wh_PosixServer_ExampleTcpConfig(void* s_conf); +#ifndef WOLFHSM_CFG_NO_CRYPTO +int wh_PosixServer_ExampleTlsConfig(void* s_conf); +#endif +#if !defined(WOLFHSM_CFG_NO_CRYPTO) && !defined(NO_PSK) +int wh_PosixServer_ExamplePskConfig(void* s_conf); +#endif int wh_PosixServer_ExampleNvmConfig(void* conf, const char* nvmInitFilePath); int wh_PosixServer_ExampleRamSimConfig(void* conf, uint8_t* memory); diff --git a/port/posix/posix_transport_tcp.c b/port/posix/posix_transport_tcp.c index 1b2247b6..0a8f1082 100644 --- a/port/posix/posix_transport_tcp.c +++ b/port/posix/posix_transport_tcp.c @@ -57,7 +57,7 @@ static int posixTransportTcp_Recv(int fd, uint16_t* buffer_offset, uint8_t* buffer, uint16_t *out_size, void* data); /* Start a non-blocking connect */ -static int posixTransportTcp_HandleConnect(posixTransportTcpClientContext* c); +int posixTransportTcp_HandleConnect(posixTransportTcpClientContext* c); /* CLose connection and reset state */ static int posixTransportTcp_Close(posixTransportTcpClientContext* c); @@ -240,8 +240,7 @@ static int posixTransportTcp_Recv(int fd, uint16_t* buffer_offset, } /** Client functions */ - -static int posixTransportTcp_HandleConnect(posixTransportTcpClientContext* c) +int posixTransportTcp_HandleConnect(posixTransportTcpClientContext* c) { int ret = WH_ERROR_OK; diff --git a/port/posix/posix_transport_tls.c b/port/posix/posix_transport_tls.c new file mode 100644 index 00000000..a08c7b46 --- /dev/null +++ b/port/posix/posix_transport_tls.c @@ -0,0 +1,483 @@ +/* + * Copyright (C) 2024 wolfSSL Inc. + * + * This file is part of wolfHSM. + * + * wolfHSM is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfHSM is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with wolfHSM. If not, see . + */ +/* + * port/posix/posix_transport_tls.c + * + * wolfHSM Transport binding using TLS sockets with wolfSSL + * + * This implementation provides basic TLS server functionality using wolfSSL + * with embedded certificates for authentication. + */ + +#include "posix_transport_tls.h" +#include "wolfhsm/wh_error.h" + +#if !defined(NO_TLS) && !defined(WOLFCRYPT_ONLY) + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + + +#ifndef WOLFHSM_CFG_NO_CRYPTO +/* returns 1 (true) if the error passed in is a notice for non blocking + * 0 if the error is a fatal error */ +static int NonBlockingError(int err) +{ + return (err == WOLFSSL_ERROR_WANT_READ) || + (err == WOLFSSL_ERROR_WANT_WRITE); +} +#endif /* WOLFHSM_CFG_NO_CRYPTO */ + +/** Client-side TLS transport functions */ + +int posixTransportTls_InitConnect(void* context, const void* config, + whCommSetConnectedCb connectcb, + void* connectcb_arg) +{ +#ifndef WOLFHSM_CFG_NO_CRYPTO + posixTransportTlsClientContext* ctx = + (posixTransportTlsClientContext*)context; + posixTransportTlsConfig* cfg = (posixTransportTlsConfig*)config; + int rc; + + if (!ctx || !cfg) { + return WH_ERROR_BADARGS; + } + + /* Setup underlying TCP transport */ + rc = posixTransportTcp_InitConnect((void*)&ctx->tcpCtx, cfg, connectcb, + connectcb_arg); + if (rc != WH_ERROR_OK) { + return rc; + } + + /* Create SSL object if not already created */ + if (ctx->ssl == NULL) { + if (posixTransportTcp_GetConnectFd( + (void*)&ctx->tcpCtx, &ctx->connect_fd_p1) != WH_ERROR_OK) { + return WH_ERROR_NOTREADY; + } + + ctx->ssl = wolfSSL_new(ctx->ssl_ctx); + if (!ctx->ssl) { + wolfSSL_CTX_free(ctx->ssl_ctx); + ctx->ssl_ctx = NULL; + posixTransportTcp_CleanupConnect((void*)&ctx->tcpCtx); + return WH_ERROR_ABORTED; + } + + /* Set the socket file descriptor */ + rc = wolfSSL_set_fd(ctx->ssl, ctx->connect_fd_p1); + if (rc != WOLFSSL_SUCCESS) { + wolfSSL_free(ctx->ssl); + ctx->ssl = NULL; + wolfSSL_CTX_free(ctx->ssl_ctx); + ctx->ssl_ctx = NULL; + posixTransportTcp_CleanupConnect((void*)&ctx->tcpCtx); + return WH_ERROR_ABORTED; + } + } + if (ctx->connectcb != NULL) { + ctx->connectcb(ctx->connectcb_arg, WH_COMM_CONNECTED); + } + return WH_ERROR_OK; +#else + (void)context; + (void)config; + (void)connectcb; + (void)connectcb_arg; + return WH_ERROR_NOTIMPL; +#endif +} + +extern int posixTransportTcp_HandleConnect(posixTransportTcpClientContext* c); + +int posixTransportTls_SendRequest(void* context, uint16_t size, + const void* data) +{ +#ifndef WOLFHSM_CFG_NO_CRYPTO + posixTransportTlsClientContext* ctx = + (posixTransportTlsClientContext*)context; + int err; + int rc; + + if (!ctx || !data || size == 0) { + return WH_ERROR_BADARGS; + } + + if (ctx->state != PTTLS_STATE_CONNECTED) { + if (posixTransportTcp_HandleConnect((void*)&ctx->tcpCtx) != + WH_ERROR_OK) { + return WH_ERROR_NOTREADY; + } + + rc = wolfSSL_connect(ctx->ssl); + err = wolfSSL_get_error(ctx->ssl, rc); + if (rc != WOLFSSL_SUCCESS) { + if (NonBlockingError(err)) { + return WH_ERROR_NOTREADY; + } + else { + return WH_ERROR_ABORTED; + } + } + else { + ctx->state = PTTLS_STATE_CONNECTED; + } + } + + rc = wolfSSL_write(ctx->ssl, data, size); + err = wolfSSL_get_error(ctx->ssl, rc); + if (rc > 0) { + return WH_ERROR_OK; + } + else if (NonBlockingError(err)) { + return WH_ERROR_NOTREADY; + } + else { + return WH_ERROR_ABORTED; + } +#else + (void)context; + (void)data; + (void)size; + return WH_ERROR_NOTIMPL; +#endif +} + +int posixTransportTls_RecvResponse(void* context, uint16_t* out_size, + void* data) +{ +#ifndef WOLFHSM_CFG_NO_CRYPTO + posixTransportTlsClientContext* ctx = + (posixTransportTlsClientContext*)context; + int rc; + int err; + + if (!ctx || !data || !out_size) { + return WH_ERROR_BADARGS; + } + + /* Create SSL object if not already created */ + if (ctx->ssl == NULL) { + return WH_ERROR_BADARGS; + } + + rc = wolfSSL_read(ctx->ssl, data, PTTLS_PACKET_MAX_SIZE); + err = wolfSSL_get_error(ctx->ssl, rc); + if (rc > 0) { + *out_size = (uint16_t)rc; + return WH_ERROR_OK; + } + else if (NonBlockingError(err)) { + return WH_ERROR_NOTREADY; + } + else { + return WH_ERROR_ABORTED; + } + +#else + (void)context; + (void)data; + (void)out_size; + return WH_ERROR_NOTIMPL; +#endif +} + +int posixTransportTls_CleanupConnect(void* context) +{ +#ifndef WOLFHSM_CFG_NO_CRYPTO + posixTransportTlsClientContext* ctx = + (posixTransportTlsClientContext*)context; + + if (!ctx) { + return WH_ERROR_BADARGS; + } + if (ctx->ssl) { + (void)wolfSSL_shutdown(ctx->ssl); + wolfSSL_free(ctx->ssl); + } + ctx->ssl = NULL; + wolfSSL_CTX_free(ctx->ssl_ctx); + ctx->ssl_ctx = NULL; + posixTransportTcp_CleanupConnect((void*)&ctx->tcpCtx); + return WH_ERROR_OK; +#else + (void)context; + return WH_ERROR_OK; +#endif +} + +/** Server-side TLS transport functions */ + +int posixTransportTls_InitListen(void* context, const void* config, + whCommSetConnectedCb connectcb, + void* connectcb_arg) +{ +#ifndef WOLFHSM_CFG_NO_CRYPTO + posixTransportTlsServerContext* ctx = + (posixTransportTlsServerContext*)context; + posixTransportTlsConfig* cfg = (posixTransportTlsConfig*)config; + int rc; + + if (!ctx || !cfg) { + return WH_ERROR_BADARGS; + } + + /* Initialize TCP server context */ + rc = posixTransportTcp_InitListen(&ctx->tcpCtx, cfg, connectcb, + connectcb_arg); + if (rc != WH_ERROR_OK) { + return rc; + } + + /* Copy TCP context fields to TLS context for compatibility */ + ctx->connectcb = connectcb; + ctx->connectcb_arg = connectcb_arg; + ctx->server_addr = ctx->tcpCtx.server_addr; + ctx->listen_fd_p1 = ctx->tcpCtx.listen_fd_p1; + + + /* Load private key and certificate */ + + /* Connecting is handled internally so we need server to call recv */ + if (ctx->connectcb != NULL) { + ctx->connectcb(ctx->connectcb_arg, WH_COMM_CONNECTED); + } + + return WH_ERROR_OK; +#else + (void)context; + (void)config; + (void)connectcb; + (void)connectcb_arg; + return WH_ERROR_NOTIMPL; +#endif +} + +int posixTransportTls_RecvRequest(void* context, uint16_t* out_size, void* data) +{ +#ifndef WOLFHSM_CFG_NO_CRYPTO + posixTransportTlsServerContext* ctx = + (posixTransportTlsServerContext*)context; + int rc; + int err; + + if (!ctx || !data || !out_size) { + return WH_ERROR_BADARGS; + } + + *out_size = 0; + /* If no client connected, try to accept one using TCP context */ + if (ctx->accept_fd_p1 == 0) { + struct sockaddr_in client_addr; + socklen_t client_len = sizeof(client_addr); + + rc = accept(ctx->listen_fd_p1 - 1, (struct sockaddr*)&client_addr, + &client_len); + if (rc < 0) { + switch (errno) { + case EAGAIN: + case EINPROGRESS: + case EINTR: + /* Not connected yet or no client */ + return WH_ERROR_NOTREADY; + + default: + return WH_ERROR_ABORTED; + } + } + ctx->accept_fd_p1 = rc + 1; + ctx->client_addr = client_addr; + + /* Make accepted socket non-blocking */ + fcntl(ctx->accept_fd_p1 - 1, F_SETFL, O_NONBLOCK); + + /* Create SSL object for this connection */ + ctx->ssl = wolfSSL_new(ctx->ssl_ctx); + if (!ctx->ssl) { + return WH_ERROR_ABORTED; + } + + /* Set the socket file descriptor */ + rc = wolfSSL_set_fd(ctx->ssl, ctx->accept_fd_p1 - 1); + if (rc != WOLFSSL_SUCCESS) { + return WH_ERROR_ABORTED; + } + + /* Perform TLS handshake */ + rc = wolfSSL_accept(ctx->ssl); + if (rc != WOLFSSL_SUCCESS) { + int err = wolfSSL_get_error(ctx->ssl, rc); + if (err == WOLFSSL_ERROR_WANT_READ || + err == WOLFSSL_ERROR_WANT_WRITE) { + return WH_ERROR_NOTREADY; + } + return WH_ERROR_ABORTED; + } + + /* Notify connection established */ + if (ctx->connectcb) { + ctx->connectcb(ctx->connectcb_arg, WH_COMM_CONNECTED); + } + } + + /* Read data from SSL connection */ + rc = wolfSSL_read(ctx->ssl, data, PTTLS_PACKET_MAX_SIZE); + err = wolfSSL_get_error(ctx->ssl, rc); + if (rc > 0) { + *out_size = (uint16_t)rc; + return WH_ERROR_OK; + } + else if (NonBlockingError(err)) { + return WH_ERROR_NOTREADY; + } + else { + /* Connection closed */ + return WH_ERROR_ABORTED; + } +#else + (void)context; + (void)data; + (void)out_size; + return WH_ERROR_NOTIMPL; +#endif +} + +int posixTransportTls_SendResponse(void* context, uint16_t size, + const void* data) +{ +#ifndef WOLFHSM_CFG_NO_CRYPTO + posixTransportTlsServerContext* ctx = + (posixTransportTlsServerContext*)context; + int rc; + + if (!ctx || !data || size == 0) { + return WH_ERROR_BADARGS; + } + + if (ctx->ssl == NULL) { + return WH_ERROR_NOTREADY; + } + + /* Send data over SSL connection */ + rc = wolfSSL_write(ctx->ssl, data, size); + if (rc > 0) { + return WH_ERROR_OK; + } + else { + int err = wolfSSL_get_error(ctx->ssl, rc); + if (err == WOLFSSL_ERROR_WANT_READ || err == WOLFSSL_ERROR_WANT_WRITE) { + return WH_ERROR_NOTREADY; + } + return WH_ERROR_ABORTED; + } +#else + (void)context; + (void)data; + (void)size; + return WH_ERROR_NOTIMPL; +#endif +} + +int posixTransportTls_CleanupListen(void* context) +{ +#ifndef WOLFHSM_CFG_NO_CRYPTO + posixTransportTlsServerContext* ctx = + (posixTransportTlsServerContext*)context; + + if (!ctx) { + return WH_ERROR_BADARGS; + } + /* Clean up SSL objects */ + if (ctx->ssl) { + (void)wolfSSL_shutdown(ctx->ssl); + wolfSSL_free(ctx->ssl); + ctx->ssl = NULL; + } + + if (ctx->ssl_ctx) { + wolfSSL_CTX_free(ctx->ssl_ctx); + ctx->ssl_ctx = NULL; + } + + /* Clean up TCP context */ + posixTransportTcp_CleanupListen(&ctx->tcpCtx); + + /* Reset TLS context fields */ + ctx->accept_fd_p1 = 0; + ctx->listen_fd_p1 = 0; + + return WH_ERROR_OK; +#else + (void)context; + return WH_ERROR_OK; +#endif +} + +/* Return the file descriptor of the listen socket to support poll/select */ +int posixTransportTls_GetListenFd(posixTransportTlsServerContext* context, + int* out_fd) +{ + int ret = WH_ERROR_OK; + + if (context == NULL) { + return WH_ERROR_BADARGS; + } + + if (context->listen_fd_p1 != 0) { + if (out_fd != NULL) { + *out_fd = context->listen_fd_p1 - 1; + } + } + else { + ret = WH_ERROR_NOTREADY; + } + return ret; +} + +/* Return the file descriptor of the accepted socket to support poll/select */ +int posixTransportTls_GetAcceptFd(posixTransportTlsServerContext* context, + int* out_fd) +{ + int ret = WH_ERROR_OK; + + if (context == NULL) { + return WH_ERROR_BADARGS; + } + + if (context->accept_fd_p1 != 0) { + if (out_fd != NULL) { + *out_fd = context->accept_fd_p1 - 1; + } + } + else { + ret = WH_ERROR_NOTREADY; + } + return ret; +} +#endif /* !defined(NO_TLS) && !defined(WOLFCRYPT_ONLY) */ \ No newline at end of file diff --git a/port/posix/posix_transport_tls.h b/port/posix/posix_transport_tls.h new file mode 100644 index 00000000..cd038959 --- /dev/null +++ b/port/posix/posix_transport_tls.h @@ -0,0 +1,150 @@ +/* + * Copyright (C) 2024 wolfSSL Inc. + * + * This file is part of wolfHSM. + * + * wolfHSM is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfHSM is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with wolfHSM. If not, see . + */ +/* + * port/posix/posix_transport_tls.h + * + * wolfHSM Transport binding using TLS sockets with wolfSSL + * + * This transport extends the TCP transport with TLS encryption using + * wolfSSL's embedded certificate buffers for authentication. + * + */ + +#ifndef PORT_POSIX_POSIX_TRANSPORT_TLS_H_ +#define PORT_POSIX_POSIX_TRANSPORT_TLS_H_ + +#include +#include +#include + +#include "wolfhsm/wh_comm.h" + +/* Adds TLS on top of the existing TCP transport */ +#include "port/posix/posix_transport_tcp.h" + +#ifndef WOLFHSM_CFG_NO_CRYPTO +#ifndef WOLFSSL_USER_SETTINGS +#include "wolfssl/options.h" +#endif +#include "wolfssl/ssl.h" +#include "wolfssl/wolfcrypt/memory.h" +#endif + +#define PTTLS_PACKET_MAX_SIZE WH_COMM_MTU +#define PTTLS_BUFFER_SIZE (sizeof(uint32_t) + PTTLS_PACKET_MAX_SIZE) + + +/** TLS configuration structure */ +typedef struct { + char* server_ip_string; + short int server_port; + bool verify_peer; /* Whether to verify certificates */ +} posixTransportTlsConfig; + +/** Client context and functions */ +typedef enum { + PTTLS_STATE_UNCONNECTED = 0, /* Not initialized */ + PTTLS_STATE_CONNECT_WAIT, /* Async connect called */ + PTTLS_STATE_TLS_HANDSHAKE, /* TLS handshake in progress */ + PTTLS_STATE_CONNECTED, /* Connected and able to handle traffic */ + PTTLS_STATE_DONE /* Was connected, now not */ +} pttlsClientState; + +typedef struct { + whCommSetConnectedCb connectcb; + void* connectcb_arg; + struct sockaddr_in server_addr; + pttlsClientState state; + int connect_fd_p1; /* fd plus 1 so 0 is invalid */ + int request_sent; + uint16_t buffer_offset; + uint8_t buffer[PTTLS_BUFFER_SIZE]; +#ifndef WOLFHSM_CFG_NO_CRYPTO + WOLFSSL_CTX* ssl_ctx; + WOLFSSL* ssl; +#endif + posixTransportTcpClientContext tcpCtx; +} posixTransportTlsClientContext; + +int posixTransportTls_InitConnect(void* context, const void* config, + whCommSetConnectedCb connectcb, + void* connectcb_arg); +int posixTransportTls_SendRequest(void* context, uint16_t size, + const void* data); +int posixTransportTls_RecvResponse(void* context, uint16_t* out_size, + void* data); +int posixTransportTls_CleanupConnect(void* context); + +#define PTTLS_CLIENT_CB \ + { \ + .Init = posixTransportTls_InitConnect, \ + .Send = posixTransportTls_SendRequest, \ + .Recv = posixTransportTls_RecvResponse, \ + .Cleanup = posixTransportTls_CleanupConnect, \ + } + +/* Return the file descriptor of the connected socket to support poll/select */ +int posixTransportTls_GetConnectFd(posixTransportTlsClientContext* context, + int* out_fd); + +/** Server context and functions */ + +typedef struct { + whCommSetConnectedCb connectcb; + void* connectcb_arg; + struct sockaddr_in server_addr; + struct sockaddr_in client_addr; + int listen_fd_p1; /* fd plus 1 so 0 is invalid */ + int accept_fd_p1; /* fd plus 1 so 0 is invalid */ + int request_recv; + uint16_t buffer_offset; + uint8_t buffer[PTTLS_BUFFER_SIZE]; +#ifndef WOLFHSM_CFG_NO_CRYPTO + WOLFSSL_CTX* ssl_ctx; + WOLFSSL* ssl; +#endif + posixTransportTcpServerContext tcpCtx; +} posixTransportTlsServerContext; + +int posixTransportTls_InitListen(void* context, const void* config, + whCommSetConnectedCb connectcb, + void* connectcb_arg); +int posixTransportTls_RecvRequest(void* context, uint16_t* out_size, + void* data); +int posixTransportTls_SendResponse(void* context, uint16_t size, + const void* data); +int posixTransportTls_CleanupListen(void* context); + +#define PTTLS_SERVER_CB \ + { \ + .Init = posixTransportTls_InitListen, \ + .Recv = posixTransportTls_RecvRequest, \ + .Send = posixTransportTls_SendResponse, \ + .Cleanup = posixTransportTls_CleanupListen, \ + } + +/* Return the file descriptor of the listen socket to support poll/select */ +int posixTransportTls_GetListenFd(posixTransportTlsServerContext* context, + int* out_fd); + +/* Return the file descriptor of the accepted socket to support poll/select */ +int posixTransportTls_GetAcceptFd(posixTransportTlsServerContext* context, + int* out_fd); + +#endif /* !PORT_POSIX_POSIX_TRANSPORT_TLS_H_ */ From c9684e1e09a902769d677d7bacd59e94b2021b21 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Fri, 31 Oct 2025 23:45:56 -0600 Subject: [PATCH 02/13] add test cases and update user_settings.h --- .github/workflows/build-and-run-examples.yml | 14 +- .../workflows/build-and-test-clientonly.yml | 28 ++-- .../posix/wh_posix_server/user_settings.h | 4 - port/posix/posix_transport_tls.c | 13 +- port/posix/posix_transport_tls.h | 2 +- test/Makefile | 4 + test/config/user_settings.h | 5 - test/wh_test.c | 129 ++++++++++++++++++ test/wh_test_clientserver.c | 3 +- test/wh_test_crypto.c | 6 +- 10 files changed, 171 insertions(+), 37 deletions(-) diff --git a/.github/workflows/build-and-run-examples.yml b/.github/workflows/build-and-run-examples.yml index 50761557..ed0867a4 100644 --- a/.github/workflows/build-and-run-examples.yml +++ b/.github/workflows/build-and-run-examples.yml @@ -10,7 +10,7 @@ jobs: build: strategy: matrix: - transport: [ 'tcp', 'shm', 'dma' ] + transport: [ 'tcp', 'shm', 'dma', 'tls', 'psk' ] asan: [ 'ASAN=1', 'ASAN=0' ] debug: [ '', 'DEBUG_VERBOSE=1' ] runs-on: ubuntu-latest @@ -46,7 +46,11 @@ jobs: - name: Run POSIX server run: | cd examples/posix/wh_posix_server - ./Build/wh_posix_server.elf --type ${{ matrix.transport }} & + if [ "${{ matrix.transport }}" = "psk" ]; then + echo "test_password" | ./Build/wh_posix_server.elf --type ${{ matrix.transport }} & + else + ./Build/wh_posix_server.elf --type ${{ matrix.transport }} & + fi POSIX_SERVER_PID=$! echo "POSIX_SERVER_PID=$POSIX_SERVER_PID" >> $GITHUB_ENV @@ -54,7 +58,11 @@ jobs: - name: Run POSIX client run: | cd examples/posix/wh_posix_client - ./Build/wh_posix_client.elf --type ${{ matrix.transport }} + if [ "${{ matrix.transport }}" = "psk" ]; then + echo "test_password" | ./Build/wh_posix_client.elf --type ${{ matrix.transport }} + else + ./Build/wh_posix_client.elf --type ${{ matrix.transport }} + fi - name: Run POSIX demo test if: matrix.transport == 'tcp' diff --git a/.github/workflows/build-and-test-clientonly.yml b/.github/workflows/build-and-test-clientonly.yml index ef4a2334..bf8e31e7 100644 --- a/.github/workflows/build-and-test-clientonly.yml +++ b/.github/workflows/build-and-test-clientonly.yml @@ -8,7 +8,9 @@ on: jobs: build: - + strategy: + matrix: + transport: [ 'tcp', 'tls' ] runs-on: ubuntu-latest steps: @@ -33,22 +35,30 @@ jobs: - name: Build POSIX server run: | cd examples/posix/wh_posix_server - make -j SHE=1 WOLFSSL_DIR=../../../wolfssl + if [ "${{ matrix.transport }}" = "tcp" ]; then + make -j SHE=1 WOLFSSL_DIR=../../../wolfssl + else + make -j WOLFSSL_DIR=../../../wolfssl + fi # Start the server in the background - name: Run POSIX server run: | cd examples/posix/wh_posix_server - ./Build/wh_posix_server.elf & - TCP_SERVER_PID=$! - echo "TCP_SERVER_PID=$TCP_SERVER_PID" >> $GITHUB_ENV + ./Build/wh_posix_server.elf --type ${{ matrix.transport }} & + SERVER_PID=$! + echo "SERVER_PID=$SERVER_PID" >> $GITHUB_ENV # Build and test client-only build with everything enabled and ASAN - name: Build client-only unit tests with ASAN run: | cd test make clean - make -j CLIENT_ONLY_TCP=1 SHE=1 ASAN=1 WOLFSSL_DIR=../wolfssl && make run + if [ "${{ matrix.transport }}" = "tcp" ]; then + make -j CLIENT_ONLY_TCP=1 SHE=1 ASAN=1 WOLFSSL_DIR=../wolfssl && make run + else + make -j CLIENT_ONLY_TLS=1 ASAN=1 WOLFSSL_DIR=../wolfssl && make run + fi # Restart server with fresh state for second test run - name: Restart POSIX server @@ -69,7 +79,7 @@ jobs: make -j CLIENT_ONLY_TCP=1 SHE=1 DEBUG_VERBOSE=1 WOLFSSL_DIR=../wolfssl && make run # Optional: Kill the server process if it doesn't exit on its own - - name: Cleanup POSIX TCP server + - name: Cleanup POSIX server if: always() - run: kill $TCP_SERVER_PID || true - + run: kill $SERVER_PID || true + diff --git a/examples/posix/wh_posix_server/user_settings.h b/examples/posix/wh_posix_server/user_settings.h index 7d713c10..40c35858 100644 --- a/examples/posix/wh_posix_server/user_settings.h +++ b/examples/posix/wh_posix_server/user_settings.h @@ -48,7 +48,6 @@ extern "C" { #define HAVE_ANONYMOUS_INLINE_AGGREGATES 1 /* For cert manager */ -/* #define NO_TLS */ /* For ACert support (also requires WOLFSSL_ASN_TEMPLATE) */ #define WOLFSSL_ACERT @@ -65,11 +64,9 @@ extern "C" { /** Remove unneeded features*/ #define NO_MAIN_DRIVER -/* #define NO_ERROR_STRINGS */ #define NO_ERROR_QUEUE #define NO_INLINE #define NO_OLD_TLS -/* #define WOLFSSL_NO_TLS12 */ #define NO_DO178 /* Prevents certain functions (SHA, hash.c) on server from falling back to * client cryptoCb when using non-devId APIs */ @@ -149,7 +146,6 @@ extern "C" { /* Remove unneeded crypto */ #define NO_DSA #define NO_RC4 -/* #define NO_PSK */ #define NO_MD4 #define NO_MD5 #define NO_DES3 diff --git a/port/posix/posix_transport_tls.c b/port/posix/posix_transport_tls.c index a08c7b46..3a39bfc9 100644 --- a/port/posix/posix_transport_tls.c +++ b/port/posix/posix_transport_tls.c @@ -84,8 +84,6 @@ int posixTransportTls_InitConnect(void* context, const void* config, ctx->ssl = wolfSSL_new(ctx->ssl_ctx); if (!ctx->ssl) { - wolfSSL_CTX_free(ctx->ssl_ctx); - ctx->ssl_ctx = NULL; posixTransportTcp_CleanupConnect((void*)&ctx->tcpCtx); return WH_ERROR_ABORTED; } @@ -95,8 +93,6 @@ int posixTransportTls_InitConnect(void* context, const void* config, if (rc != WOLFSSL_SUCCESS) { wolfSSL_free(ctx->ssl); ctx->ssl = NULL; - wolfSSL_CTX_free(ctx->ssl_ctx); - ctx->ssl_ctx = NULL; posixTransportTcp_CleanupConnect((void*)&ctx->tcpCtx); return WH_ERROR_ABORTED; } @@ -222,8 +218,6 @@ int posixTransportTls_CleanupConnect(void* context) wolfSSL_free(ctx->ssl); } ctx->ssl = NULL; - wolfSSL_CTX_free(ctx->ssl_ctx); - ctx->ssl_ctx = NULL; posixTransportTcp_CleanupConnect((void*)&ctx->tcpCtx); return WH_ERROR_OK; #else @@ -413,18 +407,13 @@ int posixTransportTls_CleanupListen(void* context) if (!ctx) { return WH_ERROR_BADARGS; } - /* Clean up SSL objects */ + if (ctx->ssl) { (void)wolfSSL_shutdown(ctx->ssl); wolfSSL_free(ctx->ssl); ctx->ssl = NULL; } - if (ctx->ssl_ctx) { - wolfSSL_CTX_free(ctx->ssl_ctx); - ctx->ssl_ctx = NULL; - } - /* Clean up TCP context */ posixTransportTcp_CleanupListen(&ctx->tcpCtx); diff --git a/port/posix/posix_transport_tls.h b/port/posix/posix_transport_tls.h index cd038959..b8338737 100644 --- a/port/posix/posix_transport_tls.h +++ b/port/posix/posix_transport_tls.h @@ -53,7 +53,7 @@ /** TLS configuration structure */ typedef struct { char* server_ip_string; - short int server_port; + int server_port; bool verify_peer; /* Whether to verify certificates */ } posixTransportTlsConfig; diff --git a/test/Makefile b/test/Makefile index d35ac286..528cf72f 100644 --- a/test/Makefile +++ b/test/Makefile @@ -129,6 +129,10 @@ ifeq ($(CLIENT_ONLY_TCP),1) # Build a client-only test driver to connect to a remote server over TCP DEF += -DWOLFHSM_CFG_ENABLE_CLIENT DEF += -DWOLFHSM_CFG_TEST_CLIENT_ONLY_TCP +else ifeq ($(CLIENT_ONLY_TLS),1) +# Build a client-only test driver to connect to a remote server over TLS + DEF += -DWOLFHSM_CFG_ENABLE_CLIENT + DEF += -DWOLFHSM_CFG_TEST_CLIENT_ONLY_TLS else # Build both and client server DEF += -DWOLFHSM_CFG_ENABLE_CLIENT diff --git a/test/config/user_settings.h b/test/config/user_settings.h index 776050c5..1553c8b0 100644 --- a/test/config/user_settings.h +++ b/test/config/user_settings.h @@ -45,10 +45,6 @@ #define WOLFSSL_IGNORE_FILE_WARN -/* For cert manager */ -#define NO_TLS -/* Eliminates need for IO layer since we only use CM */ -#define WOLFSSL_USER_IO /* For ACert support (also requires WOLFSSL_ASN_TEMPLATE) */ #define WOLFSSL_ACERT @@ -78,7 +74,6 @@ #define NO_ERROR_STRINGS #define NO_ERROR_QUEUE #define NO_OLD_TLS -#define WOLFSSL_NO_TLS12 #define NO_DO178 /* Prevents certain functions (SHA, hash.c) on server from falling back to diff --git a/test/wh_test.c b/test/wh_test.c index dad3f986..5cade6ce 100644 --- a/test/wh_test.c +++ b/test/wh_test.c @@ -53,6 +53,9 @@ #if defined(WOLFHSM_CFG_TEST_POSIX) && defined(WOLFHSM_CFG_ENABLE_CLIENT) #include "port/posix/posix_transport_tcp.h" +#ifndef WOLFHSM_CFG_NO_CRYPTO +#include "port/posix/posix_transport_tls.h" +#endif /* WOLFHSM_CFG_NO_CRYPTO */ #endif #include "wolfhsm/wh_client.h" @@ -171,6 +174,128 @@ int whTest_ClientTcp(void) return whTest_ClientConfig(c_conf); } #endif /* WOLFHSM_CFG_TEST_CLIENT_ONLY_TCP && WOLFHSM_CFG_TEST_POSIX */ +#if defined(WOLFHSM_CFG_TEST_CLIENT_ONLY_TLS) && defined(WOLFHSM_CFG_TEST_POSIX) +/* client configuration setup example for TLS transport */ + +#define WH_POSIX_SERVER_TCP_PORT 23456 +#define WH_POSIX_SERVER_TCP_IPSTRING "127.0.0.1" +#define WH_POSIX_CLIENT_ID 12 + +#undef USE_CERT_BUFFERS_2048 +#define USE_CERT_BUFFERS_2048 +#include "wolfssl/certs_test.h" + +posixTransportTlsClientContext tccTls; +posixTransportTlsConfig tlsConfig; +whCommClientConfig c_comm; +whTransportClientCb tlsCb = PTTLS_CLIENT_CB; + +static int +whPosixClient_ExampleTlsContextSetup(posixTransportTlsClientContext* ctx) +{ + int rc; + + /* uncomment and compile with DEBUG_WOLFSSL for debugging */ + /* wolfSSL_Debugging_ON(); */ + + /* Create a new wolfSSL context to use with this connection */ + ctx->ssl_ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); + if (!ctx->ssl_ctx) { + return WH_ERROR_ABORTED; + } + + /* don't use wolfHSM for TLS crypto when communicating with wolfHSM */ + wolfSSL_CTX_SetDevId(ctx->ssl_ctx, INVALID_DEVID); + + /* Load CA certificate for server verification */ + rc = wolfSSL_CTX_load_verify_buffer(ctx->ssl_ctx, ca_cert_der_2048, + sizeof_ca_cert_der_2048, + CTC_FILETYPE_ASN1); + if (rc != WOLFSSL_SUCCESS) { + wolfSSL_CTX_free(ctx->ssl_ctx); + ctx->ssl_ctx = NULL; + return WH_ERROR_ABORTED; + } + + rc = wolfSSL_CTX_use_certificate_buffer(ctx->ssl_ctx, client_cert_der_2048, + sizeof(client_cert_der_2048), + CTC_FILETYPE_ASN1); + if (rc != WOLFSSL_SUCCESS) { + wolfSSL_CTX_free(ctx->ssl_ctx); + ctx->ssl_ctx = NULL; + return WH_ERROR_ABORTED; + } + + /* load private key for TLS connection */ + rc = wolfSSL_CTX_use_PrivateKey_buffer(ctx->ssl_ctx, client_key_der_2048, + sizeof(client_key_der_2048), + CTC_FILETYPE_ASN1); + if (rc != WOLFSSL_SUCCESS) { + wolfSSL_CTX_free(ctx->ssl_ctx); + ctx->ssl_ctx = NULL; + return WH_ERROR_ABORTED; + } + /* Set verification mode */ + wolfSSL_CTX_set_verify(ctx->ssl_ctx, WOLFSSL_VERIFY_PEER, NULL); + + return WH_ERROR_OK; +} + +static int whPosixClient_ExampleTlsCommonConfig(void* conf) +{ + whClientConfig* c_conf = (whClientConfig*)conf; + + memset(&tccTls, 0, sizeof(posixTransportTlsClientContext)); + + /* Initialize TCP context fields that need specific values */ + tccTls.state = 0; + tccTls.connect_fd_p1 = 0; /* Invalid fd */ + tccTls.request_sent = 0; + tccTls.buffer_offset = 0; + + tlsConfig.server_ip_string = WH_POSIX_SERVER_TCP_IPSTRING; + tlsConfig.server_port = WH_POSIX_SERVER_TCP_PORT; + tlsConfig.verify_peer = true; + + c_comm.transport_cb = &tlsCb; + c_comm.transport_context = (void*)&tccTls; + c_comm.transport_config = (void*)&tlsConfig; + c_comm.client_id = WH_POSIX_CLIENT_ID; + c_conf->comm = &c_comm; + + return WH_ERROR_OK; +} + +int whPosixClient_ExampleTlsConfig(void* conf) +{ + if (whPosixClient_ExampleTlsCommonConfig(conf) != WH_ERROR_OK) { + return WH_ERROR_ABORTED; + } + + if (whPosixClient_ExampleTlsContextSetup(&tccTls) != WH_ERROR_OK) { + return WH_ERROR_ABORTED; + } + return WH_ERROR_OK; +} + +/* + * Run all the client-only tests on a default client configuration matching the + * example server TLS configuration. + */ +int whTest_ClientTls(void) +{ + int ret; + whClientConfig c_conf[1]; + + if (whPosixClient_ExampleTlsConfig(c_conf) != WH_ERROR_OK) { + ret = -1; + } + else { + ret = whTest_ClientConfig(c_conf); + } + return ret; +} +#endif /* WOLFHSM_CFG_TEST_CLIENT_ONLY_TLS && WOLFHSM_CFG_TEST_POSIX */ #endif /* WOLFHSM_CFG_ENABLE_CLIENT */ #if !defined(WOLFHSM_CFG_TEST_UNIT_NO_MAIN) @@ -183,6 +308,10 @@ int main(void) defined(WOLFHSM_CFG_ENABLE_CLIENT) && defined(WOLFHSM_CFG_TEST_POSIX) /* Test driver should run TCP client tests against the example server */ ret = whTest_ClientTcp(); +#elif defined(WOLFHSM_CFG_TEST_CLIENT_ONLY_TLS) && \ + defined(WOLFHSM_CFG_ENABLE_CLIENT) && defined(WOLFHSM_CFG_TEST_POSIX) + /* Test driver should run TLS client tests against the example server */ + ret = whTest_ClientTls(); #elif defined(WOLFHSM_CFG_ENABLE_CLIENT) && defined(WOLFHSM_CFG_ENABLE_SERVER) /* Default case: Test driver should run all the unit tests locally */ ret = whTest_Unit(); diff --git a/test/wh_test_clientserver.c b/test/wh_test_clientserver.c index 86025f2b..bd22d0c2 100644 --- a/test/wh_test_clientserver.c +++ b/test/wh_test_clientserver.c @@ -1715,7 +1715,8 @@ int whTest_ServerCfgLoop(whServerConfig* serverCfg) #endif /* WOLFHSM_CFG_ENABLE_SERVER */ #if defined(WOLFHSM_CFG_TEST_POSIX) && defined(WOLFHSM_CFG_ENABLE_CLIENT) && \ - !defined(WOLFHSM_CFG_TEST_CLIENT_ONLY_TCP) + !defined(WOLFHSM_CFG_TEST_CLIENT_ONLY_TCP) && \ + !defined(WOLFHSM_CFG_TEST_CLIENT_ONLY_TLS) static void* _whClientTask(void *cf) { WH_TEST_ASSERT(0 == whTest_ClientServerClientConfig(cf)); diff --git a/test/wh_test_crypto.c b/test/wh_test_crypto.c index 686622b8..10a2c21e 100644 --- a/test/wh_test_crypto.c +++ b/test/wh_test_crypto.c @@ -2870,7 +2870,8 @@ static int whTestCrypto_Cmac(whClientContext* ctx, int devId, WC_RNG* rng) } #if defined(WOLFHSM_CFG_CANCEL_API) && \ - !defined(WOLFHSM_CFG_TEST_CLIENT_ONLY_TCP) + !defined(WOLFHSM_CFG_TEST_CLIENT_ONLY_TCP) && \ + !defined(WOLFHSM_CFG_TEST_CLIENT_ONLY_TLS) /* test CMAC cancellation for supported devIds */ if (ret == 0 #ifdef WOLFHSM_CFG_DMA @@ -4492,7 +4493,8 @@ int whTest_CryptoServerConfig(whServerConfig* config) #endif /* WOLFHSM_CFG_ENABLE_SERVER */ #if defined(WOLFHSM_CFG_TEST_POSIX) && defined(WOLFHSM_CFG_ENABLE_CLIENT) && \ - !defined(WOLFHSM_CFG_TEST_CLIENT_ONLY_TCP) + !defined(WOLFHSM_CFG_TEST_CLIENT_ONLY_TCP) && \ + !defined(WOLFHSM_CFG_TEST_CLIENT_ONLY_TLS) static void* _whClientTask(void *cf) { WH_TEST_ASSERT(0 == whTest_CryptoClientConfig(cf)); From 61fdaa92d5cf4a599632fc13ffaebfe30d396804 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Mon, 3 Nov 2025 11:54:08 -0700 Subject: [PATCH 03/13] handle race condition with connect --- port/posix/posix_transport_tls.c | 96 ++++++++++++++++++++++---------- 1 file changed, 68 insertions(+), 28 deletions(-) diff --git a/port/posix/posix_transport_tls.c b/port/posix/posix_transport_tls.c index 3a39bfc9..ef025902 100644 --- a/port/posix/posix_transport_tls.c +++ b/port/posix/posix_transport_tls.c @@ -43,6 +43,7 @@ #ifndef WOLFHSM_CFG_NO_CRYPTO + /* returns 1 (true) if the error passed in is a notice for non blocking * 0 if the error is a fatal error */ static int NonBlockingError(int err) @@ -63,11 +64,17 @@ int posixTransportTls_InitConnect(void* context, const void* config, (posixTransportTlsClientContext*)context; posixTransportTlsConfig* cfg = (posixTransportTlsConfig*)config; int rc; + WOLFSSL_CTX* ssl_ctx; if (!ctx || !cfg) { return WH_ERROR_BADARGS; } + /* Save configured WOLFSSL_CTX and clear rest of the context struct */ + ssl_ctx = ctx->ssl_ctx; + memset(ctx, 0, sizeof(posixTransportTlsClientContext)); + ctx->ssl_ctx = ssl_ctx; + /* Setup underlying TCP transport */ rc = posixTransportTcp_InitConnect((void*)&ctx->tcpCtx, cfg, connectcb, connectcb_arg); @@ -75,28 +82,8 @@ int posixTransportTls_InitConnect(void* context, const void* config, return rc; } - /* Create SSL object if not already created */ - if (ctx->ssl == NULL) { - if (posixTransportTcp_GetConnectFd( - (void*)&ctx->tcpCtx, &ctx->connect_fd_p1) != WH_ERROR_OK) { - return WH_ERROR_NOTREADY; - } - - ctx->ssl = wolfSSL_new(ctx->ssl_ctx); - if (!ctx->ssl) { - posixTransportTcp_CleanupConnect((void*)&ctx->tcpCtx); - return WH_ERROR_ABORTED; - } - - /* Set the socket file descriptor */ - rc = wolfSSL_set_fd(ctx->ssl, ctx->connect_fd_p1); - if (rc != WOLFSSL_SUCCESS) { - wolfSSL_free(ctx->ssl); - ctx->ssl = NULL; - posixTransportTcp_CleanupConnect((void*)&ctx->tcpCtx); - return WH_ERROR_ABORTED; - } - } + /* At the point of the TCP claiming to be connected, the TLS handshake will + * happen during send/recv calls */ if (ctx->connectcb != NULL) { ctx->connectcb(ctx->connectcb_arg, WH_COMM_CONNECTED); } @@ -119,7 +106,7 @@ int posixTransportTls_SendRequest(void* context, uint16_t size, posixTransportTlsClientContext* ctx = (posixTransportTlsClientContext*)context; int err; - int rc; + int rc = 0; if (!ctx || !data || size == 0) { return WH_ERROR_BADARGS; @@ -131,6 +118,32 @@ int posixTransportTls_SendRequest(void* context, uint16_t size, return WH_ERROR_NOTREADY; } + /* Create SSL object if not already created + * (posixTransportTcp_HandleConnect can change the socket used if server + * is not listening yet, thats why we need to wait to set the fd in + * wolfSSL until after the connect() has completed) */ + if (ctx->ssl == NULL) { + if (posixTransportTcp_GetConnectFd( + (void*)&ctx->tcpCtx, &ctx->connect_fd_p1) != WH_ERROR_OK) { + return WH_ERROR_NOTREADY; + } + + ctx->ssl = wolfSSL_new(ctx->ssl_ctx); + if (!ctx->ssl) { + posixTransportTcp_CleanupConnect((void*)&ctx->tcpCtx); + return WH_ERROR_ABORTED; + } + + /* Set the current socket file descriptor */ + rc = wolfSSL_set_fd(ctx->ssl, ctx->connect_fd_p1); + if (rc != WOLFSSL_SUCCESS) { + wolfSSL_free(ctx->ssl); + ctx->ssl = NULL; + posixTransportTcp_CleanupConnect((void*)&ctx->tcpCtx); + return WH_ERROR_ABORTED; + } + } + rc = wolfSSL_connect(ctx->ssl); err = wolfSSL_get_error(ctx->ssl, rc); if (rc != WOLFSSL_SUCCESS) { @@ -138,6 +151,28 @@ int posixTransportTls_SendRequest(void* context, uint16_t size, return WH_ERROR_NOTREADY; } else { + if (err == SOCKET_ERROR_E) { + /* There is a case where TCP connect() returned successfully + * but the server has not called accept() and the pending + * send was in the TCP backlog waiting on the server. But + * if the server closes down the listen port then RST gets + * returned. Retry the TCP connect() */ + wolfSSL_free(ctx->ssl); + ctx->ssl = NULL; + + /* Close the failed socket fd and set state for retry */ + if (ctx->tcpCtx.connect_fd_p1 != 0) { + close(ctx->tcpCtx.connect_fd_p1 - 1); + ctx->tcpCtx.connect_fd_p1 = 0; + } + ctx->tcpCtx.state = PTT_STATE_UNCONNECTED; + return WH_ERROR_NOTREADY; + + } + + if (ctx->connectcb != NULL) { + ctx->connectcb(ctx->connectcb_arg, WH_COMM_DISCONNECTED); + } return WH_ERROR_ABORTED; } } @@ -218,6 +253,8 @@ int posixTransportTls_CleanupConnect(void* context) wolfSSL_free(ctx->ssl); } ctx->ssl = NULL; + ctx->state = PTTLS_STATE_UNCONNECTED; + ctx->connect_fd_p1 = 0; posixTransportTcp_CleanupConnect((void*)&ctx->tcpCtx); return WH_ERROR_OK; #else @@ -237,11 +274,17 @@ int posixTransportTls_InitListen(void* context, const void* config, (posixTransportTlsServerContext*)context; posixTransportTlsConfig* cfg = (posixTransportTlsConfig*)config; int rc; + WOLFSSL_CTX* ssl_ctx; if (!ctx || !cfg) { return WH_ERROR_BADARGS; } + /* Save configured WOLFSSL_CTX and clear rest of the context struct */ + ssl_ctx = ctx->ssl_ctx; + memset(ctx, 0, sizeof(posixTransportTlsServerContext)); + ctx->ssl_ctx = ssl_ctx; + /* Initialize TCP server context */ rc = posixTransportTcp_InitListen(&ctx->tcpCtx, cfg, connectcb, connectcb_arg); @@ -249,16 +292,11 @@ int posixTransportTls_InitListen(void* context, const void* config, return rc; } - /* Copy TCP context fields to TLS context for compatibility */ ctx->connectcb = connectcb; ctx->connectcb_arg = connectcb_arg; ctx->server_addr = ctx->tcpCtx.server_addr; ctx->listen_fd_p1 = ctx->tcpCtx.listen_fd_p1; - - /* Load private key and certificate */ - - /* Connecting is handled internally so we need server to call recv */ if (ctx->connectcb != NULL) { ctx->connectcb(ctx->connectcb_arg, WH_COMM_CONNECTED); } @@ -409,6 +447,8 @@ int posixTransportTls_CleanupListen(void* context) } if (ctx->ssl) { + /* Give a quick shutdown signal to the client but do not wait for a + * response from the client before tearing down the transport. */ (void)wolfSSL_shutdown(ctx->ssl); wolfSSL_free(ctx->ssl); ctx->ssl = NULL; From 5bc33a43a88ee95b445b3aa6ffae75e1eab9051e Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Mon, 3 Nov 2025 14:36:17 -0700 Subject: [PATCH 04/13] typo fix, trim down struct, connect fd variable update --- .../wh_posix_client/wh_posix_client_cfg.c | 4 +-- .../wh_posix_server/wh_posix_server_cfg.c | 6 ++--- port/posix/posix_transport_tls.c | 26 +++++++++++-------- port/posix/posix_transport_tls.h | 3 --- test/wh_test.c | 4 +-- 5 files changed, 20 insertions(+), 23 deletions(-) diff --git a/examples/posix/wh_posix_client/wh_posix_client_cfg.c b/examples/posix/wh_posix_client/wh_posix_client_cfg.c index aac59823..695b65a8 100644 --- a/examples/posix/wh_posix_client/wh_posix_client_cfg.c +++ b/examples/posix/wh_posix_client/wh_posix_client_cfg.c @@ -249,11 +249,9 @@ static int wh_PosixClient_ExampleTlsCommonConfig(void* conf) memset(&tccTls, 0, sizeof(posixTransportTlsClientContext)); - /* Initialize TCP context fields that need specific values */ + /* Initialize TLS context fields that need specific values */ tccTls.state = 0; tccTls.connect_fd_p1 = 0; /* Invalid fd */ - tccTls.request_sent = 0; - tccTls.buffer_offset = 0; tlsConfig.server_ip_string = WH_POSIX_SERVER_TCP_IPSTRING; tlsConfig.server_port = WH_POSIX_SERVER_TCP_PORT; diff --git a/examples/posix/wh_posix_server/wh_posix_server_cfg.c b/examples/posix/wh_posix_server/wh_posix_server_cfg.c index 1cf05c2e..b9d6ab15 100644 --- a/examples/posix/wh_posix_server/wh_posix_server_cfg.c +++ b/examples/posix/wh_posix_server/wh_posix_server_cfg.c @@ -304,9 +304,9 @@ wh_PosixServer_ExampleTlsContextSetup(posixTransportTlsServerContext* ctx) return WH_ERROR_ABORTED; } - /* Setup server for mutual authentication. It will try to verify the clients - * certificate so both the client and server authenticate the peer - * connecting with. */ + /* Setup server for mutual authentication. It will try to verify the + * client's certificate so both the client and server authenticate the peer + * they are connecting to. */ wolfSSL_CTX_set_verify(ctx->ssl_ctx, WOLFSSL_VERIFY_PEER, NULL); return WH_ERROR_OK; diff --git a/port/posix/posix_transport_tls.c b/port/posix/posix_transport_tls.c index ef025902..ac3ffd40 100644 --- a/port/posix/posix_transport_tls.c +++ b/port/posix/posix_transport_tls.c @@ -127,6 +127,7 @@ int posixTransportTls_SendRequest(void* context, uint16_t size, (void*)&ctx->tcpCtx, &ctx->connect_fd_p1) != WH_ERROR_OK) { return WH_ERROR_NOTREADY; } + ctx->connect_fd_p1++; ctx->ssl = wolfSSL_new(ctx->ssl_ctx); if (!ctx->ssl) { @@ -135,7 +136,7 @@ int posixTransportTls_SendRequest(void* context, uint16_t size, } /* Set the current socket file descriptor */ - rc = wolfSSL_set_fd(ctx->ssl, ctx->connect_fd_p1); + rc = wolfSSL_set_fd(ctx->ssl, ctx->connect_fd_p1 - 1); if (rc != WOLFSSL_SUCCESS) { wolfSSL_free(ctx->ssl); ctx->ssl = NULL; @@ -157,16 +158,16 @@ int posixTransportTls_SendRequest(void* context, uint16_t size, * send was in the TCP backlog waiting on the server. But * if the server closes down the listen port then RST gets * returned. Retry the TCP connect() */ - wolfSSL_free(ctx->ssl); - ctx->ssl = NULL; + wolfSSL_free(ctx->ssl); + ctx->ssl = NULL; - /* Close the failed socket fd and set state for retry */ - if (ctx->tcpCtx.connect_fd_p1 != 0) { - close(ctx->tcpCtx.connect_fd_p1 - 1); + /* Close the failed socket fd and set state for retry */ + if (ctx->tcpCtx.connect_fd_p1 != 0) { ctx->tcpCtx.connect_fd_p1 = 0; } - ctx->tcpCtx.state = PTT_STATE_UNCONNECTED; - return WH_ERROR_NOTREADY; + ctx->connect_fd_p1 = 0; + ctx->tcpCtx.state = PTT_STATE_UNCONNECTED; + return WH_ERROR_NOTREADY; } @@ -347,7 +348,9 @@ int posixTransportTls_RecvRequest(void* context, uint16_t* out_size, void* data) ctx->client_addr = client_addr; /* Make accepted socket non-blocking */ - fcntl(ctx->accept_fd_p1 - 1, F_SETFL, O_NONBLOCK); + if (fcntl(ctx->accept_fd_p1 - 1, F_SETFL, O_NONBLOCK) != 0) { + return WH_ERROR_ABORTED; + } /* Create SSL object for this connection */ ctx->ssl = wolfSSL_new(ctx->ssl_ctx); @@ -378,7 +381,8 @@ int posixTransportTls_RecvRequest(void* context, uint16_t* out_size, void* data) } } - /* Read data from SSL connection */ + /* Read data from SSL connection (also handles continuing on with + * handshake if not complete yet) */ rc = wolfSSL_read(ctx->ssl, data, PTTLS_PACKET_MAX_SIZE); err = wolfSSL_get_error(ctx->ssl, rc); if (rc > 0) { @@ -423,7 +427,7 @@ int posixTransportTls_SendResponse(void* context, uint16_t size, } else { int err = wolfSSL_get_error(ctx->ssl, rc); - if (err == WOLFSSL_ERROR_WANT_READ || err == WOLFSSL_ERROR_WANT_WRITE) { + if ((NonBlockingError(err))) { return WH_ERROR_NOTREADY; } return WH_ERROR_ABORTED; diff --git a/port/posix/posix_transport_tls.h b/port/posix/posix_transport_tls.h index b8338737..17835d06 100644 --- a/port/posix/posix_transport_tls.h +++ b/port/posix/posix_transport_tls.h @@ -72,9 +72,6 @@ typedef struct { struct sockaddr_in server_addr; pttlsClientState state; int connect_fd_p1; /* fd plus 1 so 0 is invalid */ - int request_sent; - uint16_t buffer_offset; - uint8_t buffer[PTTLS_BUFFER_SIZE]; #ifndef WOLFHSM_CFG_NO_CRYPTO WOLFSSL_CTX* ssl_ctx; WOLFSSL* ssl; diff --git a/test/wh_test.c b/test/wh_test.c index 5cade6ce..0b367740 100644 --- a/test/wh_test.c +++ b/test/wh_test.c @@ -247,11 +247,9 @@ static int whPosixClient_ExampleTlsCommonConfig(void* conf) memset(&tccTls, 0, sizeof(posixTransportTlsClientContext)); - /* Initialize TCP context fields that need specific values */ + /* Initialize TLS context fields that need specific values */ tccTls.state = 0; tccTls.connect_fd_p1 = 0; /* Invalid fd */ - tccTls.request_sent = 0; - tccTls.buffer_offset = 0; tlsConfig.server_ip_string = WH_POSIX_SERVER_TCP_IPSTRING; tlsConfig.server_port = WH_POSIX_SERVER_TCP_PORT; From 372648ea6f3d09d4a4996650bf77b0e3290a385a Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Mon, 3 Nov 2025 14:57:46 -0700 Subject: [PATCH 05/13] use WOLFSSL_* instead of CTC_* and fix typo --- examples/posix/wh_posix_client/wh_posix_client_cfg.c | 6 +++--- examples/posix/wh_posix_server/wh_posix_server_cfg.c | 4 ++-- port/posix/posix_transport_tcp.c | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/examples/posix/wh_posix_client/wh_posix_client_cfg.c b/examples/posix/wh_posix_client/wh_posix_client_cfg.c index 695b65a8..f53cbb91 100644 --- a/examples/posix/wh_posix_client/wh_posix_client_cfg.c +++ b/examples/posix/wh_posix_client/wh_posix_client_cfg.c @@ -160,7 +160,7 @@ wh_PosixClient_ExampleTlsContextSetup(posixTransportTlsClientContext* ctx) /* Load CA certificate for server verification */ rc = wolfSSL_CTX_load_verify_buffer(ctx->ssl_ctx, ca_cert_der_2048, sizeof_ca_cert_der_2048, - CTC_FILETYPE_ASN1); + WOLFSSL_FILETYPE_ASN1); if (rc != WOLFSSL_SUCCESS) { wolfSSL_CTX_free(ctx->ssl_ctx); ctx->ssl_ctx = NULL; @@ -169,7 +169,7 @@ wh_PosixClient_ExampleTlsContextSetup(posixTransportTlsClientContext* ctx) rc = wolfSSL_CTX_use_certificate_buffer(ctx->ssl_ctx, client_cert_der_2048, sizeof(client_cert_der_2048), - CTC_FILETYPE_ASN1); + WOLFSSL_FILETYPE_ASN1); if (rc != WOLFSSL_SUCCESS) { wolfSSL_CTX_free(ctx->ssl_ctx); ctx->ssl_ctx = NULL; @@ -179,7 +179,7 @@ wh_PosixClient_ExampleTlsContextSetup(posixTransportTlsClientContext* ctx) /* load private key for TLS connection */ rc = wolfSSL_CTX_use_PrivateKey_buffer(ctx->ssl_ctx, client_key_der_2048, sizeof(client_key_der_2048), - CTC_FILETYPE_ASN1); + WOLFSSL_FILETYPE_ASN1); if (rc != WOLFSSL_SUCCESS) { wolfSSL_CTX_free(ctx->ssl_ctx); ctx->ssl_ctx = NULL; diff --git a/examples/posix/wh_posix_server/wh_posix_server_cfg.c b/examples/posix/wh_posix_server/wh_posix_server_cfg.c index b9d6ab15..f853e4fa 100644 --- a/examples/posix/wh_posix_server/wh_posix_server_cfg.c +++ b/examples/posix/wh_posix_server/wh_posix_server_cfg.c @@ -259,7 +259,7 @@ wh_PosixServer_ExampleTlsContextSetup(posixTransportTlsServerContext* ctx) /* Load server certificate */ rc = wolfSSL_CTX_use_certificate_buffer(ctx->ssl_ctx, server_cert_der_2048, sizeof(server_cert_der_2048), - CTC_FILETYPE_ASN1); + WOLFSSL_FILETYPE_ASN1); if (rc != WOLFSSL_SUCCESS) { wolfSSL_CTX_free(ctx->ssl_ctx); ctx->ssl_ctx = NULL; @@ -291,7 +291,7 @@ wh_PosixServer_ExampleTlsContextSetup(posixTransportTlsServerContext* ctx) /* load private key for TLS connection */ rc = wolfSSL_CTX_use_PrivateKey_buffer(ctx->ssl_ctx, server_key_der_2048, sizeof(server_key_der_2048), - CTC_FILETYPE_ASN1); + WOLFSSL_FILETYPE_ASN1); if (rc != WOLFSSL_SUCCESS) { wolfSSL_CTX_free(ctx->ssl_ctx); ctx->ssl_ctx = NULL; diff --git a/port/posix/posix_transport_tcp.c b/port/posix/posix_transport_tcp.c index 0a8f1082..9e652d4f 100644 --- a/port/posix/posix_transport_tcp.c +++ b/port/posix/posix_transport_tcp.c @@ -59,7 +59,7 @@ static int posixTransportTcp_Recv(int fd, uint16_t* buffer_offset, /* Start a non-blocking connect */ int posixTransportTcp_HandleConnect(posixTransportTcpClientContext* c); -/* CLose connection and reset state */ +/* Close connection and reset state */ static int posixTransportTcp_Close(posixTransportTcpClientContext* c); From 0272216986ff5a910919c70714ce4511bca23564 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Tue, 4 Nov 2025 10:13:23 -0700 Subject: [PATCH 06/13] add SHE test with client only TLS --- .github/workflows/build-and-test-clientonly.yml | 8 ++------ test/wh_test_she.c | 3 ++- wolfhsm/wh_settings.h | 2 +- 3 files changed, 5 insertions(+), 8 deletions(-) diff --git a/.github/workflows/build-and-test-clientonly.yml b/.github/workflows/build-and-test-clientonly.yml index bf8e31e7..cbe7218b 100644 --- a/.github/workflows/build-and-test-clientonly.yml +++ b/.github/workflows/build-and-test-clientonly.yml @@ -35,11 +35,7 @@ jobs: - name: Build POSIX server run: | cd examples/posix/wh_posix_server - if [ "${{ matrix.transport }}" = "tcp" ]; then - make -j SHE=1 WOLFSSL_DIR=../../../wolfssl - else - make -j WOLFSSL_DIR=../../../wolfssl - fi + make -j SHE=1 WOLFSSL_DIR=../../../wolfssl # Start the server in the background - name: Run POSIX server @@ -57,7 +53,7 @@ jobs: if [ "${{ matrix.transport }}" = "tcp" ]; then make -j CLIENT_ONLY_TCP=1 SHE=1 ASAN=1 WOLFSSL_DIR=../wolfssl && make run else - make -j CLIENT_ONLY_TLS=1 ASAN=1 WOLFSSL_DIR=../wolfssl && make run + make -j CLIENT_ONLY_TLS=1 SHE=1 ASAN=1 WOLFSSL_DIR=../wolfssl && make run fi # Restart server with fresh state for second test run diff --git a/test/wh_test_she.c b/test/wh_test_she.c index afd61e4c..01d3ab40 100644 --- a/test/wh_test_she.c +++ b/test/wh_test_she.c @@ -461,7 +461,8 @@ int whTest_SheServerConfig(whServerConfig* config) #endif /* WOLFHSM_CFG_ENABLE_SERVER */ #if defined(WOLFHSM_CFG_TEST_POSIX) && defined(WOLFHSM_CFG_ENABLE_CLIENT) && \ - !defined(WOLFHSM_CFG_TEST_CLIENT_ONLY_TCP) + !defined(WOLFHSM_CFG_TEST_CLIENT_ONLY_TCP) && \ + !defined(WOLFHSM_CFG_TEST_CLIENT_ONLY_TLS) static void* _whClientTask(void* cf) { WH_TEST_ASSERT(0 == whTest_SheClientConfig(cf)); diff --git a/wolfhsm/wh_settings.h b/wolfhsm/wh_settings.h index 98144477..0c198f77 100644 --- a/wolfhsm/wh_settings.h +++ b/wolfhsm/wh_settings.h @@ -349,7 +349,7 @@ #error "wolfHSM requires wolfCrypt built without NO_RNG" #endif -#if defined WOLFHSM_CFG_SHE_EXTENSION +#if defined(WOLFHSM_CFG_SHE_EXTENSION) #if defined(NO_AES) || \ !defined(WOLFSSL_CMAC) || \ !defined(WOLFSSL_AES_DIRECT) || \ From cebfea540027153b403d0fc9b18ad3ec1d427e27 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Mon, 24 Nov 2025 10:48:31 -0700 Subject: [PATCH 07/13] update client only test case for TLS --- .github/workflows/build-and-test-clientonly.yml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build-and-test-clientonly.yml b/.github/workflows/build-and-test-clientonly.yml index cbe7218b..2b4db61a 100644 --- a/.github/workflows/build-and-test-clientonly.yml +++ b/.github/workflows/build-and-test-clientonly.yml @@ -59,12 +59,12 @@ jobs: # Restart server with fresh state for second test run - name: Restart POSIX server run: | - kill $TCP_SERVER_PID || true + kill $SERVER_PID || true cd examples/posix/wh_posix_server rm -f *.bin || true - ./Build/wh_posix_server.elf & - TCP_SERVER_PID=$! - echo "TCP_SERVER_PID=$TCP_SERVER_PID" >> $GITHUB_ENV + ./Build/wh_posix_server.elf --type ${{ matrix.transport }} & + SERVER_PID=$! + echo "SERVER_PID=$SERVER_PID" >> $GITHUB_ENV sleep 2 # Build and test client-only with DEBUG_VERBOSE=1 (includes DEBUG) @@ -72,7 +72,11 @@ jobs: run: | cd test make clean - make -j CLIENT_ONLY_TCP=1 SHE=1 DEBUG_VERBOSE=1 WOLFSSL_DIR=../wolfssl && make run + if [ "${{ matrix.transport }}" = "tcp" ]; then + make -j CLIENT_ONLY_TCP=1 SHE=1 DEBUG_VERBOSE=1 WOLFSSL_DIR=../wolfssl && make run + else + make -j CLIENT_ONLY_TLS=1 SHE=1 DEBUG_VERBOSE=1 WOLFSSL_DIR=../wolfssl && make run + fi # Optional: Kill the server process if it doesn't exit on its own - name: Cleanup POSIX server From 8b4269a776ceee433268e768f9785fe36a1ad29a Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Wed, 3 Dec 2025 15:47:09 -0700 Subject: [PATCH 08/13] combined client only test macro, added TLS option to example Makefiles, moved setting of TLS certificates into config and internal transport file --- .github/workflows/build-and-run-examples.yml | 2 + .../workflows/build-and-test-clientonly.yml | 14 +- .../wh_posix_client/wh_posix_client_cfg.c | 131 ++------- examples/posix/wh_posix_server/Makefile | 5 + .../posix/wh_posix_server/user_settings.h | 14 +- .../posix/wh_posix_server/wh_posix_server.c | 20 +- .../wh_posix_server/wh_posix_server_cfg.c | 266 +++++------------- port/posix/posix_transport_tls.c | 160 ++++++++++- port/posix/posix_transport_tls.h | 40 ++- test/Makefile | 15 +- test/config/user_settings.h | 7 + test/wh_test.c | 105 ++----- test/wh_test.h | 9 + test/wh_test_clientserver.c | 3 +- test/wh_test_crypto.c | 6 +- test/wh_test_she.c | 3 +- 16 files changed, 384 insertions(+), 416 deletions(-) diff --git a/.github/workflows/build-and-run-examples.yml b/.github/workflows/build-and-run-examples.yml index ed0867a4..85ee4dc2 100644 --- a/.github/workflows/build-and-run-examples.yml +++ b/.github/workflows/build-and-run-examples.yml @@ -31,6 +31,8 @@ jobs: run: | if [ "${{ matrix.transport }}" = "dma" ]; then cd examples/posix/wh_posix_server && ${{ matrix.asan }} ${{ matrix.debug }} DMA=1 make -j WOLFSSL_DIR=../../../wolfssl + elif [ "${{ matrix.transport }}" = "tls" ]; then + cd examples/posix/wh_posix_server && ${{ matrix.asan }} ${{ matrix.debug }} TLS=1 make -j WOLFSSL_DIR=../../../wolfssl else cd examples/posix/wh_posix_server && ${{ matrix.asan }} ${{ matrix.debug }} make -j WOLFSSL_DIR=../../../wolfssl fi diff --git a/.github/workflows/build-and-test-clientonly.yml b/.github/workflows/build-and-test-clientonly.yml index 2b4db61a..af34da4a 100644 --- a/.github/workflows/build-and-test-clientonly.yml +++ b/.github/workflows/build-and-test-clientonly.yml @@ -35,7 +35,11 @@ jobs: - name: Build POSIX server run: | cd examples/posix/wh_posix_server - make -j SHE=1 WOLFSSL_DIR=../../../wolfssl + if [ "${{ matrix.transport }}" = "tcp" ]; then + make -j SHE=1 WOLFSSL_DIR=../../../wolfssl + else + make -j TLS=1 SHE=1 WOLFSSL_DIR=../../../wolfssl + fi # Start the server in the background - name: Run POSIX server @@ -51,9 +55,9 @@ jobs: cd test make clean if [ "${{ matrix.transport }}" = "tcp" ]; then - make -j CLIENT_ONLY_TCP=1 SHE=1 ASAN=1 WOLFSSL_DIR=../wolfssl && make run + make -j CLIENT_ONLY=1 SHE=1 ASAN=1 WOLFSSL_DIR=../wolfssl && make run else - make -j CLIENT_ONLY_TLS=1 SHE=1 ASAN=1 WOLFSSL_DIR=../wolfssl && make run + make -j CLIENT_ONLY=1 TLS=1 SHE=1 ASAN=1 WOLFSSL_DIR=../wolfssl && make run fi # Restart server with fresh state for second test run @@ -73,9 +77,9 @@ jobs: cd test make clean if [ "${{ matrix.transport }}" = "tcp" ]; then - make -j CLIENT_ONLY_TCP=1 SHE=1 DEBUG_VERBOSE=1 WOLFSSL_DIR=../wolfssl && make run + make -j CLIENT_ONLY=1 SHE=1 DEBUG_VERBOSE=1 WOLFSSL_DIR=../wolfssl && make run else - make -j CLIENT_ONLY_TLS=1 SHE=1 DEBUG_VERBOSE=1 WOLFSSL_DIR=../wolfssl && make run + make -j CLIENT_ONLY=1 TLS=1 SHE=1 DEBUG_VERBOSE=1 WOLFSSL_DIR=../wolfssl && make run fi # Optional: Kill the server process if it doesn't exit on its own diff --git a/examples/posix/wh_posix_client/wh_posix_client_cfg.c b/examples/posix/wh_posix_client/wh_posix_client_cfg.c index f53cbb91..9b959664 100644 --- a/examples/posix/wh_posix_client/wh_posix_client_cfg.c +++ b/examples/posix/wh_posix_client/wh_posix_client_cfg.c @@ -135,62 +135,44 @@ int wh_PosixClient_ExampleTcpConfig(void* conf) return WH_ERROR_OK; } -#ifndef WOLFHSM_CFG_NO_CRYPTO +#if !defined(WOLFHSM_CFG_NO_CRYPTO) && !defined(NO_TLS) /* client configuration setup example for TLS transport */ #undef USE_CERT_BUFFERS_2048 #define USE_CERT_BUFFERS_2048 #include "wolfssl/certs_test.h" -static int -wh_PosixClient_ExampleTlsContextSetup(posixTransportTlsClientContext* ctx) -{ - int rc; - /* uncomment and compile with DEBUG_WOLFSSL for debugging */ - /* wolfSSL_Debugging_ON(); */ +int wh_PosixClient_ExampleTlsConfig(void* conf) +{ + whClientConfig* c_conf = (whClientConfig*)conf; - /* Create a new wolfSSL context to use with this connection */ - ctx->ssl_ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); - if (!ctx->ssl_ctx) { - return WH_ERROR_ABORTED; - } + memset(&tccTls, 0, sizeof(posixTransportTlsClientContext)); - /* don't use wolfHSM for TLS crypto when communicating with wolfHSM */ - wolfSSL_CTX_SetDevId(ctx->ssl_ctx, INVALID_DEVID); + /* Initialize TLS context fields that need specific values */ + tccTls.state = 0; + tccTls.connect_fd_p1 = 0; /* Invalid fd */ - /* Load CA certificate for server verification */ - rc = wolfSSL_CTX_load_verify_buffer(ctx->ssl_ctx, ca_cert_der_2048, - sizeof_ca_cert_der_2048, - WOLFSSL_FILETYPE_ASN1); - if (rc != WOLFSSL_SUCCESS) { - wolfSSL_CTX_free(ctx->ssl_ctx); - ctx->ssl_ctx = NULL; - return WH_ERROR_ABORTED; - } + tlsConfig.server_ip_string = WH_POSIX_SERVER_TCP_IPSTRING; + tlsConfig.server_port = WH_POSIX_SERVER_TCP_PORT; + tlsConfig.disable_peer_verification = false; - rc = wolfSSL_CTX_use_certificate_buffer(ctx->ssl_ctx, client_cert_der_2048, - sizeof(client_cert_der_2048), - WOLFSSL_FILETYPE_ASN1); - if (rc != WOLFSSL_SUCCESS) { - wolfSSL_CTX_free(ctx->ssl_ctx); - ctx->ssl_ctx = NULL; - return WH_ERROR_ABORTED; - } + tlsConfig.ca_cert = ca_cert_der_2048; + tlsConfig.ca_cert_len = sizeof_ca_cert_der_2048; + tlsConfig.cert = client_cert_der_2048; + tlsConfig.cert_len = sizeof_client_cert_der_2048; + tlsConfig.key = client_key_der_2048; + tlsConfig.key_len = sizeof_client_key_der_2048; + tlsConfig.heap_hint = NULL; - /* load private key for TLS connection */ - rc = wolfSSL_CTX_use_PrivateKey_buffer(ctx->ssl_ctx, client_key_der_2048, - sizeof(client_key_der_2048), - WOLFSSL_FILETYPE_ASN1); - if (rc != WOLFSSL_SUCCESS) { - wolfSSL_CTX_free(ctx->ssl_ctx); - ctx->ssl_ctx = NULL; - return WH_ERROR_ABORTED; - } - /* Set verification mode */ - wolfSSL_CTX_set_verify(ctx->ssl_ctx, WOLFSSL_VERIFY_PEER, NULL); + c_comm.transport_cb = &tlsCb; + c_comm.transport_context = (void*)&tccTls; + c_comm.transport_config = (void*)&tlsConfig; + c_comm.client_id = WH_POSIX_CLIENT_ID; + c_conf->comm = &c_comm; return WH_ERROR_OK; } + #ifndef NO_PSK /* Simple PSK example callback */ static unsigned int psk_tls12_client_cb(WOLFSSL* ssl, const char* hint, @@ -219,75 +201,14 @@ static unsigned int psk_tls12_client_cb(WOLFSSL* ssl, const char* hint, return (unsigned int)len; } -/* Setup WOLFSSL_CTX for use with PSK */ -static int -wh_PosixClient_ExamplePskContextSetup(posixTransportTlsClientContext* ctx) -{ - /* uncomment and compile with DEBUG_WOLFSSL for debugging */ - /* wolfSSL_Debugging_ON(); */ - - /* Create a new wolfSSL context to use with this connection */ - ctx->ssl_ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); - if (!ctx->ssl_ctx) { - return WH_ERROR_ABORTED; - } - - /* don't use wolfHSM for TLS crypto when communicating with wolfHSM */ - wolfSSL_CTX_SetDevId(ctx->ssl_ctx, INVALID_DEVID); - - wolfSSL_CTX_set_psk_client_callback(ctx->ssl_ctx, psk_tls12_client_cb); - /* Set verification mode */ - wolfSSL_CTX_set_verify(ctx->ssl_ctx, WOLFSSL_VERIFY_PEER, NULL); - - return WH_ERROR_OK; -} -#endif /* NO_PSK */ -static int wh_PosixClient_ExampleTlsCommonConfig(void* conf) -{ - whClientConfig* c_conf = (whClientConfig*)conf; - - memset(&tccTls, 0, sizeof(posixTransportTlsClientContext)); - - /* Initialize TLS context fields that need specific values */ - tccTls.state = 0; - tccTls.connect_fd_p1 = 0; /* Invalid fd */ - - tlsConfig.server_ip_string = WH_POSIX_SERVER_TCP_IPSTRING; - tlsConfig.server_port = WH_POSIX_SERVER_TCP_PORT; - tlsConfig.verify_peer = true; - - c_comm.transport_cb = &tlsCb; - c_comm.transport_context = (void*)&tccTls; - c_comm.transport_config = (void*)&tlsConfig; - c_comm.client_id = WH_POSIX_CLIENT_ID; - c_conf->comm = &c_comm; - - return WH_ERROR_OK; -} - -int wh_PosixClient_ExampleTlsConfig(void* conf) -{ - if (wh_PosixClient_ExampleTlsCommonConfig(conf) != WH_ERROR_OK) { - return WH_ERROR_ABORTED; - } - - if (wh_PosixClient_ExampleTlsContextSetup(&tccTls) != WH_ERROR_OK) { - return WH_ERROR_ABORTED; - } - return WH_ERROR_OK; -} - -#ifndef NO_PSK int wh_PosixClient_ExamplePskConfig(void* conf) { - if (wh_PosixClient_ExampleTlsCommonConfig(conf) != WH_ERROR_OK) { + if (wh_PosixClient_ExampleTlsConfig(conf) != WH_ERROR_OK) { return WH_ERROR_ABORTED; } + tlsConfig.psk_client_cb = psk_tls12_client_cb; - if (wh_PosixClient_ExamplePskContextSetup(&tccTls) != WH_ERROR_OK) { - return WH_ERROR_ABORTED; - } return WH_ERROR_OK; } #endif /* NO_PSK */ diff --git a/examples/posix/wh_posix_server/Makefile b/examples/posix/wh_posix_server/Makefile index bee381a3..c5a86cd9 100644 --- a/examples/posix/wh_posix_server/Makefile +++ b/examples/posix/wh_posix_server/Makefile @@ -87,6 +87,11 @@ ifeq ($(SHE),1) CFLAGS += -DWOLFHSM_CFG_SHE_EXTENSION endif +# Support a TLS-capable build +ifeq ($(TLS),1) +CFLAGS += -DWOLFHSM_CFG_TLS +endif + ifeq ($(DMA),1) CFLAGS += -DWOLFHSM_CFG_DMA endif diff --git a/examples/posix/wh_posix_server/user_settings.h b/examples/posix/wh_posix_server/user_settings.h index 40c35858..e8bae026 100644 --- a/examples/posix/wh_posix_server/user_settings.h +++ b/examples/posix/wh_posix_server/user_settings.h @@ -47,7 +47,15 @@ extern "C" { #define WOLFSSL_BASE64_ENCODE #define HAVE_ANONYMOUS_INLINE_AGGREGATES 1 -/* For cert manager */ +#ifndef WOLFHSM_CFG_TLS +/* This macros reduce footprint size when TLS functionality is not needed */ +#define NO_TLS +/* Eliminates need for IO layer since we only use CM */ +#define WOLFSSL_USER_IO +#define WOLFSSL_NO_TLS12 +#define NO_PSK +#endif /* WOLFHSM_CFG_TLS */ + /* For ACert support (also requires WOLFSSL_ASN_TEMPLATE) */ #define WOLFSSL_ACERT @@ -64,6 +72,7 @@ extern "C" { /** Remove unneeded features*/ #define NO_MAIN_DRIVER +#define NO_ERROR_STRINGS #define NO_ERROR_QUEUE #define NO_INLINE #define NO_OLD_TLS @@ -181,7 +190,8 @@ extern "C" { #endif /* optional malloc check */ #endif /* optional static memory */ -#ifdef WOLFHSM_CFG_DMA +#if defined(WOLFHSM_CFG_DMA) || defined(WOLFHSM_CFG_TLS) +/* If using DMA or TLS use static memory for no dynamic memory allocation */ #undef WOLFSSL_STATIC_MEMORY #define WOLFSSL_STATIC_MEMORY #endif diff --git a/examples/posix/wh_posix_server/wh_posix_server.c b/examples/posix/wh_posix_server/wh_posix_server.c index 4b37a366..56cd7093 100644 --- a/examples/posix/wh_posix_server/wh_posix_server.c +++ b/examples/posix/wh_posix_server/wh_posix_server.c @@ -277,13 +277,13 @@ static void Usage(const char* exeName) "--nvminit nvm_init.txt --type tcp --flags 0\n", exeName); WOLFHSM_CFG_PRINTF("type: tcp (default), shm"); -#ifndef WOLFHSM_CFG_NO_CRYPTO +#if !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WOLFHSM_CFG_TLS) WOLFHSM_CFG_PRINTF(", tls"); -#endif -#ifndef NO_PSK +#if !defined(NO_PSK) WOLFHSM_CFG_PRINTF(", psk"); #endif -#ifdef WOLFSSL_STATIC_MEMORY +#endif /* !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WOLFHSM_CFG_TLS) */ +#ifdef WOLFSSL_CFG_DMA WOLFHSM_CFG_PRINTF(", dma"); #endif WOLFHSM_CFG_PRINTF("\n"); @@ -364,7 +364,7 @@ int main(int argc, char** argv) return -1; } } -#ifndef WOLFHSM_CFG_NO_CRYPTO +#if !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WOLFHSM_CFG_TLS) else if (strcmp(type, "tls") == 0) { WOLFHSM_CFG_PRINTF("Using TLS transport\n"); rc = wh_PosixServer_ExampleTlsConfig(s_conf); @@ -373,7 +373,7 @@ int main(int argc, char** argv) return -1; } } -#if !defined(WOLFHSM_CFG_NO_CRYPTO) && !defined(NO_PSK) +#if !defined(NO_PSK) else if (strcmp(type, "psk") == 0) { WOLFHSM_CFG_PRINTF("Using TLS PSK transport\n"); rc = wh_PosixServer_ExamplePskConfig(s_conf); @@ -382,9 +382,9 @@ int main(int argc, char** argv) return -1; } } -#endif -#endif -#ifdef WOLFSSL_STATIC_MEMORY +#endif /* !defined(NO_PSK) */ +#endif /* !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WOLFHSM_CFG_TLS) */ +#ifdef WOLFSSL_CFG_DMA else if (strcmp(type, "dma") == 0) { WOLFHSM_CFG_PRINTF("Using DMA with shared memory transport\n"); rc = wh_PosixServer_ExampleShmDmaConfig(s_conf); @@ -393,7 +393,7 @@ int main(int argc, char** argv) return -1; } } -#endif +#endif /* WOLFSSL_CFG_DMA */ else { WOLFHSM_CFG_PRINTF("Invalid server type: %s\n", type); return -1; diff --git a/examples/posix/wh_posix_server/wh_posix_server_cfg.c b/examples/posix/wh_posix_server/wh_posix_server_cfg.c index f853e4fa..84c84458 100644 --- a/examples/posix/wh_posix_server/wh_posix_server_cfg.c +++ b/examples/posix/wh_posix_server/wh_posix_server_cfg.c @@ -17,30 +17,26 @@ #include "port/posix/posix_transport_shm.h" #include "port/posix/posix_transport_tcp.h" -#ifndef WOLFHSM_CFG_NO_CRYPTO +#ifdef WOLFHSM_CFG_TLS #include "port/posix/posix_transport_tls.h" #endif posixTransportShmConfig shmConfig; posixTransportTcpConfig tcpConfig; -#ifndef WOLFHSM_CFG_NO_CRYPTO -posixTransportTlsConfig tlsConfig; -#endif whCommServerConfig s_comm; whTransportServerCb tcpCb = PTT_SERVER_CB; whTransportServerCb shmCb = POSIX_TRANSPORT_SHM_SERVER_CB; -#ifndef WOLFHSM_CFG_NO_CRYPTO -whTransportServerCb tlsCb = PTTLS_SERVER_CB; -#endif posixTransportShmServerContext tscShm; posixTransportTcpServerContext tscTcp; -#ifndef WOLFHSM_CFG_NO_CRYPTO +#ifdef WOLFHSM_CFG_TLS +posixTransportTlsConfig tlsConfig; +whTransportServerCb tlsCb = PTTLS_SERVER_CB; posixTransportTlsServerContext tscTls; #endif -#ifdef WOLFSSL_STATIC_MEMORY +#ifdef WOLFSSL_CFG_DMA whTransportServerCb dmaCb = POSIX_TRANSPORT_SHM_SERVER_CB; posixTransportShmServerContext tscDma; whServerDmaConfig dmaConfig; @@ -122,7 +118,7 @@ int wh_PosixServer_ExampleTcpConfig(void* conf) return WH_ERROR_OK; } -#ifndef WOLFHSM_CFG_NO_CRYPTO +#if !defined(WOLFHSM_CFG_NO_CRYPTO) && !defined(NO_TLS) /* Server configuration setup example for TLS transport * Does not setup flash, nvm, crypto, she, etc. */ @@ -132,188 +128,25 @@ int wh_PosixServer_ExampleTcpConfig(void* conf) #ifdef WOLFSSL_STATIC_MEMORY #define EXAMPLE_STATIC_MEMORY_SIZE 70000 -static unsigned char memoryBuffer[EXAMPLE_STATIC_MEMORY_SIZE]; WOLFSSL_HEAP_HINT* heap = NULL; +static unsigned char memoryBuffer[EXAMPLE_STATIC_MEMORY_SIZE]; unsigned int staticMemoryList[] = {176, 304, 384, 480, 1008, 3328, 4560, 5152, 8928}; unsigned int staticMemoryDist[] = {14, 4, 3, 3, 4, 10, 2, 1, 1}; -#endif - -#ifndef NO_PSK -static unsigned int psk_tls12_server_cb(WOLFSSL* ssl, const char* identity, - unsigned char* key, - unsigned int key_max_len) -{ - size_t len; - - memset(key, 0, key_max_len); - printf("PSK TLS12 server callback\n"); - printf("PSK client identity: %s\n", identity); - printf("Enter PSK password to accept: "); - if (fgets((char*)key, key_max_len - 1, stdin) == NULL) { - memset(key, 0, key_max_len); - return 0U; - } - len = strcspn((char*)key, "\n"); - ((char*)key)[len] = '\0'; - (void)ssl; - return (unsigned int)len; -} - -#ifdef WOLFSSL_TLS13 -static unsigned int psk_tls13_server_cb(WOLFSSL* ssl, const char* identity, - unsigned char* key, - unsigned int key_max_len, - const char** ciphersuite) -{ - size_t len; - - memset(key, 0, key_max_len); - printf("PSK TLS13 server callback\n"); - printf("PSK client identity: %s\n", identity); - *ciphersuite = "TLS13-AES128-GCM-SHA256"; - printf("Enter PSK password: "); - if (fgets((char*)key, key_max_len - 1, stdin) == NULL) { - memset(key, 0, key_max_len); - return 0U; - } - len = strcspn((char*)key, "\n"); - ((char*)key)[len] = '\0'; - - (void)ssl; - return (unsigned int)len; -} -#endif /* WOLFSSL_TLS13 */ - -static int -wh_PosixServer_ExamplePskContextSetup(posixTransportTlsServerContext* ctx) +static void* GetHeapHint() { - /* uncomment and compile with DEBUG_WOLFSSL for debugging */ - /* wolfSSL_Debugging_ON(); */ - -#ifdef WOLFSSL_STATIC_MEMORY /* Initialize static memory buffer */ if (wc_LoadStaticMemory_ex(&heap, WH_POSIX_STATIC_MEM_LIST_SIZE, staticMemoryList, staticMemoryDist, memoryBuffer, EXAMPLE_STATIC_MEMORY_SIZE, 0, 0) != 0) { - return WH_ERROR_ABORTED; - } - - ctx->ssl_ctx = wolfSSL_CTX_new_ex(wolfSSLv23_server_method_ex(heap), heap); -#else - ctx->ssl_ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()); -#endif - if (ctx->ssl_ctx == NULL) { -#ifdef WOLFSSL_STATIC_MEMORY - if (heap) { - wc_UnloadStaticMemory(heap); - heap = NULL; - } -#endif - return WH_ERROR_ABORTED; + return NULL; } - - wolfSSL_CTX_set_psk_server_callback(ctx->ssl_ctx, psk_tls12_server_cb); -#ifdef WOLFSSL_TLS13 - wolfSSL_CTX_set_psk_server_tls13_callback(ctx->ssl_ctx, - psk_tls13_server_cb); -#endif /* WOLFSSL_TLS13 */ - wolfSSL_CTX_use_psk_identity_hint(ctx->ssl_ctx, "wolfHSM Example Server"); - return WH_ERROR_OK; + return (void*)heap; } -#endif /* NO_PSK */ +#endif /* WOLFSSL_STATIC_MEMORY */ -static int -wh_PosixServer_ExampleTlsContextSetup(posixTransportTlsServerContext* ctx) -{ - int rc; - - /* uncomment and compile with DEBUG_WOLFSSL for debugging */ - /* wolfSSL_Debugging_ON(); */ - -#ifdef WOLFSSL_STATIC_MEMORY - if (wc_LoadStaticMemory_ex(&heap, WH_POSIX_STATIC_MEM_LIST_SIZE, - staticMemoryList, staticMemoryDist, memoryBuffer, - EXAMPLE_STATIC_MEMORY_SIZE, 0, 0) != 0) { - return WH_ERROR_ABORTED; - } - - ctx->ssl_ctx = wolfSSL_CTX_new_ex(wolfSSLv23_server_method_ex(heap), heap); -#else - ctx->ssl_ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()); -#endif - - if (ctx->ssl_ctx == NULL) { -#ifdef WOLFSSL_STATIC_MEMORY - if (heap) { - wc_UnloadStaticMemory(heap); - heap = NULL; - } -#endif - return WH_ERROR_ABORTED; - } - /* don't use wolfHSM for local TLS crypto */ - wolfSSL_CTX_SetDevId(ctx->ssl_ctx, INVALID_DEVID); - - /* Load server certificate */ - rc = wolfSSL_CTX_use_certificate_buffer(ctx->ssl_ctx, server_cert_der_2048, - sizeof(server_cert_der_2048), - WOLFSSL_FILETYPE_ASN1); - if (rc != WOLFSSL_SUCCESS) { - wolfSSL_CTX_free(ctx->ssl_ctx); - ctx->ssl_ctx = NULL; -#ifdef WOLFSSL_STATIC_MEMORY - if (heap) { - wc_UnloadStaticMemory(heap); - heap = NULL; - } -#endif - return WH_ERROR_ABORTED; - } - - /* Load CA certificate for client verification if enabled */ - rc = wolfSSL_CTX_load_verify_buffer(ctx->ssl_ctx, client_cert_der_2048, - sizeof(client_cert_der_2048), - WOLFSSL_FILETYPE_ASN1); - if (rc != WOLFSSL_SUCCESS) { - wolfSSL_CTX_free(ctx->ssl_ctx); - ctx->ssl_ctx = NULL; -#ifdef WOLFSSL_STATIC_MEMORY - if (heap) { - wc_UnloadStaticMemory(heap); - heap = NULL; - } -#endif - return WH_ERROR_ABORTED; - } - - /* load private key for TLS connection */ - rc = wolfSSL_CTX_use_PrivateKey_buffer(ctx->ssl_ctx, server_key_der_2048, - sizeof(server_key_der_2048), - WOLFSSL_FILETYPE_ASN1); - if (rc != WOLFSSL_SUCCESS) { - wolfSSL_CTX_free(ctx->ssl_ctx); - ctx->ssl_ctx = NULL; -#ifdef WOLFSSL_STATIC_MEMORY - if (heap) { - wc_UnloadStaticMemory(heap); - heap = NULL; - } -#endif - return WH_ERROR_ABORTED; - } - - /* Setup server for mutual authentication. It will try to verify the - * client's certificate so both the client and server authenticate the peer - * they are connecting to. */ - wolfSSL_CTX_set_verify(ctx->ssl_ctx, WOLFSSL_VERIFY_PEER, NULL); - - return WH_ERROR_OK; -} - - -static int wh_PosixServer_ExampleTlsCommonContextSetup(void* ctx) +int wh_PosixServer_ExampleTlsConfig(void* ctx) { whServerConfig* s_conf = (whServerConfig*)ctx; @@ -328,7 +161,16 @@ static int wh_PosixServer_ExampleTlsCommonContextSetup(void* ctx) tlsConfig.server_ip_string = WH_POSIX_SERVER_TCP_IPSTRING; tlsConfig.server_port = WH_POSIX_SERVER_TCP_PORT; - tlsConfig.verify_peer = true; + tlsConfig.disable_peer_verification = false; + tlsConfig.ca_cert = client_cert_der_2048; + tlsConfig.ca_cert_len = sizeof_client_cert_der_2048; + tlsConfig.cert = server_cert_der_2048; + tlsConfig.cert_len = sizeof_server_cert_der_2048; + tlsConfig.key = server_key_der_2048; + tlsConfig.key_len = sizeof_server_key_der_2048; +#ifdef WOLFSSL_STATIC_MEMORY + tlsConfig.heap_hint = GetHeapHint(); +#endif /* WOLFSSL_STATIC_MEMORY */ s_comm.transport_cb = &tlsCb; s_comm.transport_context = (void*)&tscTls; @@ -340,32 +182,72 @@ static int wh_PosixServer_ExampleTlsCommonContextSetup(void* ctx) return WH_ERROR_OK; } -int wh_PosixServer_ExampleTlsConfig(void* conf) + +#ifndef NO_PSK + +#ifdef WOLFSSL_TLS13 +static unsigned int psk_tls13_server_cb(WOLFSSL* ssl, const char* identity, + unsigned char* key, + unsigned int key_max_len, + const char** ciphersuite) { - if (wh_PosixServer_ExampleTlsCommonContextSetup(conf) != WH_ERROR_OK) { - return WH_ERROR_ABORTED; + size_t len; + + memset(key, 0, key_max_len); + printf("PSK TLS13 server callback\n"); + printf("PSK client identity: %s\n", identity); + *ciphersuite = "TLS13-AES128-GCM-SHA256"; + + printf("Enter PSK password: "); + if (fgets((char*)key, key_max_len - 1, stdin) == NULL) { + memset(key, 0, key_max_len); + return 0U; } + len = strcspn((char*)key, "\n"); + ((char*)key)[len] = '\0'; - if (wh_PosixServer_ExampleTlsContextSetup(&tscTls) != WH_ERROR_OK) { - return WH_ERROR_ABORTED; + (void)ssl; + return (unsigned int)len; +} +#endif /* WOLFSSL_TLS13 */ + +static unsigned int psk_tls12_server_cb(WOLFSSL* ssl, const char* identity, + unsigned char* key, + unsigned int key_max_len) +{ + size_t len; + + memset(key, 0, key_max_len); + printf("PSK TLS12 server callback\n"); + printf("PSK client identity: %s\n", identity); + printf("Enter PSK password to accept: "); + if (fgets((char*)key, key_max_len - 1, stdin) == NULL) { + memset(key, 0, key_max_len); + return 0U; } - return WH_ERROR_OK; + len = strcspn((char*)key, "\n"); + ((char*)key)[len] = '\0'; + (void)ssl; + return (unsigned int)len; } -#ifndef NO_PSK + int wh_PosixServer_ExamplePskConfig(void* conf) { - if (wh_PosixServer_ExampleTlsCommonContextSetup(conf) != WH_ERROR_OK) { + if (wh_PosixServer_ExampleTlsConfig(conf) != WH_ERROR_OK) { return WH_ERROR_ABORTED; } - if (wh_PosixServer_ExamplePskContextSetup(&tscTls) != WH_ERROR_OK) { - return WH_ERROR_ABORTED; - } + tlsConfig.psk_server_cb = psk_tls12_server_cb; +#ifdef WOLFSSL_TLS13 + tlsConfig.psk_server_tls13_cb = psk_tls13_server_cb; +#endif /* WOLFSSL_TLS13 */ + tlsConfig.psk_identity_hint = "wolfHSM Example Server"; + return WH_ERROR_OK; } #endif /* NO_PSK */ -#endif +#endif /* WOLFHSM_CFG_NO_CRYPTO && !NO_TLS */ static const whFlashCb fcb = WH_FLASH_RAMSIM_CB; static whFlashRamsimCfg fc_conf; diff --git a/port/posix/posix_transport_tls.c b/port/posix/posix_transport_tls.c index ac3ffd40..944f3c15 100644 --- a/port/posix/posix_transport_tls.c +++ b/port/posix/posix_transport_tls.c @@ -51,6 +51,59 @@ static int NonBlockingError(int err) return (err == WOLFSSL_ERROR_WANT_READ) || (err == WOLFSSL_ERROR_WANT_WRITE); } + +/* Load certificates and keys from config structure into SSL context */ +static int LoadTlsCertificates(WOLFSSL_CTX* ssl_ctx, + const posixTransportTlsConfig* cfg) +{ + int rc; + + if (!ssl_ctx || !cfg) { + return WH_ERROR_BADARGS; + } + + /* Load CA certificate for peer verification */ + if (cfg->ca_cert != NULL && cfg->ca_cert_len > 0) { + rc = wolfSSL_CTX_load_verify_buffer(ssl_ctx, cfg->ca_cert, + cfg->ca_cert_len, + WOLFSSL_FILETYPE_ASN1); + if (rc != WOLFSSL_SUCCESS) { + return WH_ERROR_ABORTED; + } + } + + /* Load certificate (client cert for client, server cert for server) */ + if (cfg->cert != NULL && cfg->cert_len > 0) { + rc = wolfSSL_CTX_use_certificate_buffer(ssl_ctx, + cfg->cert, + cfg->cert_len, + WOLFSSL_FILETYPE_ASN1); + if (rc != WOLFSSL_SUCCESS) { + return WH_ERROR_ABORTED; + } + } + + /* Load private key (client key for client, server key for server) */ + if (cfg->key != NULL && cfg->key_len > 0) { + rc = wolfSSL_CTX_use_PrivateKey_buffer(ssl_ctx, + cfg->key, + cfg->key_len, + WOLFSSL_FILETYPE_ASN1); + if (rc != WOLFSSL_SUCCESS) { + return WH_ERROR_ABORTED; + } + } + + /* Set verification mode */ + if (cfg->disable_peer_verification) { + wolfSSL_CTX_set_verify(ssl_ctx, WOLFSSL_VERIFY_NONE, NULL); + } + else { + wolfSSL_CTX_set_verify(ssl_ctx, WOLFSSL_VERIFY_PEER, NULL); + } + + return WH_ERROR_OK; +} #endif /* WOLFHSM_CFG_NO_CRYPTO */ /** Client-side TLS transport functions */ @@ -64,21 +117,56 @@ int posixTransportTls_InitConnect(void* context, const void* config, (posixTransportTlsClientContext*)context; posixTransportTlsConfig* cfg = (posixTransportTlsConfig*)config; int rc; - WOLFSSL_CTX* ssl_ctx; if (!ctx || !cfg) { return WH_ERROR_BADARGS; } - /* Save configured WOLFSSL_CTX and clear rest of the context struct */ - ssl_ctx = ctx->ssl_ctx; memset(ctx, 0, sizeof(posixTransportTlsClientContext)); - ctx->ssl_ctx = ssl_ctx; + + /* Create SSL context using static memory if heap_hint is provided */ +#ifdef WOLFSSL_STATIC_MEMORY + if (cfg->heap_hint != NULL) { + ctx->ssl_ctx = wolfSSL_CTX_new_ex(wolfSSLv23_client_method_ex(cfg->heap_hint), + cfg->heap_hint); + } + else { + ctx->ssl_ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); + } +#else + ctx->ssl_ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); +#endif + if (!ctx->ssl_ctx) { + return WH_ERROR_ABORTED; + } + + /* don't use wolfHSM for TLS crypto when communicating with wolfHSM */ + wolfSSL_CTX_SetDevId(ctx->ssl_ctx, INVALID_DEVID); + + /* Load certificates from config structure */ + rc = LoadTlsCertificates(ctx->ssl_ctx, cfg); + if (rc != WH_ERROR_OK) { + wolfSSL_CTX_free(ctx->ssl_ctx); + ctx->ssl_ctx = NULL; + return rc; + } + +#ifndef NO_PSK + /* Setup PSK callbacks if provided */ + if (cfg->psk_client_cb != NULL) { + wolfSSL_CTX_set_psk_client_callback(ctx->ssl_ctx, + cfg->psk_client_cb); + } +#endif /* NO_PSK */ /* Setup underlying TCP transport */ rc = posixTransportTcp_InitConnect((void*)&ctx->tcpCtx, cfg, connectcb, connectcb_arg); if (rc != WH_ERROR_OK) { + if (ctx->ssl_ctx != NULL) { + wolfSSL_CTX_free(ctx->ssl_ctx); + ctx->ssl_ctx = NULL; + } return rc; } @@ -249,11 +337,18 @@ int posixTransportTls_CleanupConnect(void* context) if (!ctx) { return WH_ERROR_BADARGS; } + if (ctx->ssl) { (void)wolfSSL_shutdown(ctx->ssl); wolfSSL_free(ctx->ssl); + ctx->ssl = NULL; + } + + if (ctx->ssl_ctx) { + (void)wolfSSL_CTX_free(ctx->ssl_ctx); + ctx->ssl_ctx = NULL; } - ctx->ssl = NULL; + ctx->state = PTTLS_STATE_UNCONNECTED; ctx->connect_fd_p1 = 0; posixTransportTcp_CleanupConnect((void*)&ctx->tcpCtx); @@ -275,16 +370,12 @@ int posixTransportTls_InitListen(void* context, const void* config, (posixTransportTlsServerContext*)context; posixTransportTlsConfig* cfg = (posixTransportTlsConfig*)config; int rc; - WOLFSSL_CTX* ssl_ctx; if (!ctx || !cfg) { return WH_ERROR_BADARGS; } - /* Save configured WOLFSSL_CTX and clear rest of the context struct */ - ssl_ctx = ctx->ssl_ctx; memset(ctx, 0, sizeof(posixTransportTlsServerContext)); - ctx->ssl_ctx = ssl_ctx; /* Initialize TCP server context */ rc = posixTransportTcp_InitListen(&ctx->tcpCtx, cfg, connectcb, @@ -298,6 +389,52 @@ int posixTransportTls_InitListen(void* context, const void* config, ctx->server_addr = ctx->tcpCtx.server_addr; ctx->listen_fd_p1 = ctx->tcpCtx.listen_fd_p1; + /* Create SSL context using static memory if heap_hint is provided */ +#ifdef WOLFSSL_STATIC_MEMORY + if (cfg->heap_hint != NULL) { + ctx->ssl_ctx = wolfSSL_CTX_new_ex(wolfSSLv23_server_method_ex(cfg->heap_hint), + cfg->heap_hint); + } + else { + ctx->ssl_ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()); + } +#else + ctx->ssl_ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()); +#endif + if (!ctx->ssl_ctx) { + return WH_ERROR_ABORTED; + } + + /* don't use wolfHSM for TLS crypto when communicating with wolfHSM */ + wolfSSL_CTX_SetDevId(ctx->ssl_ctx, INVALID_DEVID); + + /* Load certificates from config structure */ + rc = LoadTlsCertificates(ctx->ssl_ctx, cfg); + if (rc != WH_ERROR_OK) { + wolfSSL_CTX_free(ctx->ssl_ctx); + ctx->ssl_ctx = NULL; + return rc; + } + +#ifndef NO_PSK + /* Setup PSK callbacks if provided */ + if (cfg->psk_server_cb != NULL) { + wolfSSL_CTX_set_psk_server_callback(ctx->ssl_ctx, + cfg->psk_server_cb); + } +#ifdef WOLFSSL_TLS13 + if (cfg->psk_server_tls13_cb != NULL) { + wolfSSL_CTX_set_psk_server_tls13_callback(ctx->ssl_ctx, + cfg->psk_server_tls13_cb); + } +#endif /* WOLFSSL_TLS13 */ + /* Set PSK identity hint if provided */ + if (cfg->psk_identity_hint != NULL) { + wolfSSL_CTX_use_psk_identity_hint(ctx->ssl_ctx, + cfg->psk_identity_hint); + } +#endif /* NO_PSK */ + if (ctx->connectcb != NULL) { ctx->connectcb(ctx->connectcb_arg, WH_COMM_CONNECTED); } @@ -458,6 +595,11 @@ int posixTransportTls_CleanupListen(void* context) ctx->ssl = NULL; } + if (ctx->ssl_ctx) { + (void)wolfSSL_CTX_free(ctx->ssl_ctx); + ctx->ssl_ctx = NULL; + } + /* Clean up TCP context */ posixTransportTcp_CleanupListen(&ctx->tcpCtx); diff --git a/port/posix/posix_transport_tls.h b/port/posix/posix_transport_tls.h index 17835d06..ea68be3f 100644 --- a/port/posix/posix_transport_tls.h +++ b/port/posix/posix_transport_tls.h @@ -49,12 +49,48 @@ #define PTTLS_PACKET_MAX_SIZE WH_COMM_MTU #define PTTLS_BUFFER_SIZE (sizeof(uint32_t) + PTTLS_PACKET_MAX_SIZE) - /** TLS configuration structure */ typedef struct { char* server_ip_string; int server_port; - bool verify_peer; /* Whether to verify certificates */ + bool disable_peer_verification; /* Whether to verify certificates, + defaults to verifying peer certificates */ + /* Certificate configuration - can be provided as buffers or filenames */ + const unsigned char* ca_cert; /* CA certificate buffer (DER format) */ + int ca_cert_len; /* Length of CA certificate buffer */ + const unsigned char* cert; /* Certificate buffer (DER format) */ + int cert_len; /* Length of certificate buffer */ + const unsigned char* key; /* Private key buffer (DER format) */ + int key_len; /* Length of private key buffer */ +#ifndef NO_PSK + /* PSK configuration */ + /* Client PSK callback: unsigned int (*)(WOLFSSL* ssl, const char* hint, + * char* identity, unsigned int id_max_len, + * unsigned char* key, unsigned int key_max_len) */ + unsigned int (*psk_client_cb)(WOLFSSL* ssl, const char* hint, + char* identity, unsigned int id_max_len, + unsigned char* key, unsigned int key_max_len); + /* Server PSK callback for TLS 1.2: unsigned int (*)(WOLFSSL* ssl, + * const char* identity, + * unsigned char* key, + * unsigned int key_max_len) */ + unsigned int (*psk_server_cb)(WOLFSSL* ssl, const char* identity, + unsigned char* key, unsigned int key_max_len); +#ifdef WOLFSSL_TLS13 + /* Server PSK callback for TLS 1.3: unsigned int (*)(WOLFSSL* ssl, + * const char* identity, + * unsigned char* key, + * unsigned int key_max_len, + * const char** ciphersuite) */ + unsigned int (*psk_server_tls13_cb)(WOLFSSL* ssl, const char* identity, + unsigned char* key, + unsigned int key_max_len, + const char** ciphersuite); +#endif /* WOLFSSL_TLS13 */ + const char* psk_identity_hint; /* Server PSK identity hint */ +#endif /* NO_PSK */ + void* heap_hint; /* A pointer to a WOLFSSL_HEAP_HINT structure for static + * memory allocation */ } posixTransportTlsConfig; /** Client context and functions */ diff --git a/test/Makefile b/test/Makefile index 528cf72f..f3dd6971 100644 --- a/test/Makefile +++ b/test/Makefile @@ -119,20 +119,21 @@ ifeq ($(SHE),1) DEF += -DWOLFHSM_CFG_SHE_EXTENSION endif +# Support a TLS-capable build +ifeq ($(TLS),1) + DEF += -DWOLFHSM_CFG_TLS +endif + ## Project defines # Option to build wolfcrypt tests ifeq ($(TESTWOLFCRYPT),1) DEF += -DWOLFHSM_CFG_TEST_WOLFCRYPTTEST endif -ifeq ($(CLIENT_ONLY_TCP),1) -# Build a client-only test driver to connect to a remote server over TCP +ifeq ($(CLIENT_ONLY),1) +# Build a client-only test driver to connect to a remote server DEF += -DWOLFHSM_CFG_ENABLE_CLIENT - DEF += -DWOLFHSM_CFG_TEST_CLIENT_ONLY_TCP -else ifeq ($(CLIENT_ONLY_TLS),1) -# Build a client-only test driver to connect to a remote server over TLS - DEF += -DWOLFHSM_CFG_ENABLE_CLIENT - DEF += -DWOLFHSM_CFG_TEST_CLIENT_ONLY_TLS + DEF += -DWOLFHSM_CFG_TEST_CLIENT_ONLY else # Build both and client server DEF += -DWOLFHSM_CFG_ENABLE_CLIENT diff --git a/test/config/user_settings.h b/test/config/user_settings.h index 1553c8b0..1e7ba518 100644 --- a/test/config/user_settings.h +++ b/test/config/user_settings.h @@ -48,6 +48,13 @@ /* For ACert support (also requires WOLFSSL_ASN_TEMPLATE) */ #define WOLFSSL_ACERT +/* The following settings reduce memory footprint when not using the TLS + * transport. If TLS is needed, these settings should be removed. */ +#ifndef WOLFHSM_CFG_TLS +#define NO_TLS +#define WOLFSSL_USER_IO +#endif /* WOLFHSM_CFG_TLS */ + /** Math library selection for test */ #define USE_FAST_MATH diff --git a/test/wh_test.c b/test/wh_test.c index 0b367740..3a78a940 100644 --- a/test/wh_test.c +++ b/test/wh_test.c @@ -28,6 +28,7 @@ #include "wolfhsm/wh_error.h" #include "wh_test_common.h" +#include "wh_test.h" /* Individual unit test drivers */ #include "wh_test_comm.h" @@ -53,9 +54,10 @@ #if defined(WOLFHSM_CFG_TEST_POSIX) && defined(WOLFHSM_CFG_ENABLE_CLIENT) #include "port/posix/posix_transport_tcp.h" -#ifndef WOLFHSM_CFG_NO_CRYPTO +#if defined(WOLFHSM_CFG_TEST_CLIENT_ONLY) && \ + defined(WOLFHSM_CFG_TLS) #include "port/posix/posix_transport_tls.h" -#endif /* WOLFHSM_CFG_NO_CRYPTO */ +#endif /* WOLFHSM_CFG_TEST_CLIENT_ONLY && WOLFHSM_CFG_TLS */ #endif #include "wolfhsm/wh_client.h" @@ -146,7 +148,8 @@ int whTest_ClientConfig(whClientConfig* clientCfg) return WH_ERROR_OK; } -#if defined(WOLFHSM_CFG_TEST_CLIENT_ONLY_TCP) && defined(WOLFHSM_CFG_TEST_POSIX) +#if defined(WOLFHSM_CFG_TEST_CLIENT_ONLY) && defined(WOLFHSM_CFG_TEST_POSIX) +#if !defined(WOLFHSM_CFG_TLS) /* * Run all the client-only tests on a default client configuration matching the * example server TCP configuration. @@ -173,8 +176,9 @@ int whTest_ClientTcp(void) return whTest_ClientConfig(c_conf); } -#endif /* WOLFHSM_CFG_TEST_CLIENT_ONLY_TCP && WOLFHSM_CFG_TEST_POSIX */ -#if defined(WOLFHSM_CFG_TEST_CLIENT_ONLY_TLS) && defined(WOLFHSM_CFG_TEST_POSIX) +#endif /* WOLFHSM_CFG_TEST_POSIX && !WOLFHSM_CFG_TLS */ + +#if defined(WOLFHSM_CFG_TLS) /* client configuration setup example for TLS transport */ #define WH_POSIX_SERVER_TCP_PORT 23456 @@ -190,58 +194,7 @@ posixTransportTlsConfig tlsConfig; whCommClientConfig c_comm; whTransportClientCb tlsCb = PTTLS_CLIENT_CB; -static int -whPosixClient_ExampleTlsContextSetup(posixTransportTlsClientContext* ctx) -{ - int rc; - - /* uncomment and compile with DEBUG_WOLFSSL for debugging */ - /* wolfSSL_Debugging_ON(); */ - - /* Create a new wolfSSL context to use with this connection */ - ctx->ssl_ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); - if (!ctx->ssl_ctx) { - return WH_ERROR_ABORTED; - } - - /* don't use wolfHSM for TLS crypto when communicating with wolfHSM */ - wolfSSL_CTX_SetDevId(ctx->ssl_ctx, INVALID_DEVID); - - /* Load CA certificate for server verification */ - rc = wolfSSL_CTX_load_verify_buffer(ctx->ssl_ctx, ca_cert_der_2048, - sizeof_ca_cert_der_2048, - CTC_FILETYPE_ASN1); - if (rc != WOLFSSL_SUCCESS) { - wolfSSL_CTX_free(ctx->ssl_ctx); - ctx->ssl_ctx = NULL; - return WH_ERROR_ABORTED; - } - - rc = wolfSSL_CTX_use_certificate_buffer(ctx->ssl_ctx, client_cert_der_2048, - sizeof(client_cert_der_2048), - CTC_FILETYPE_ASN1); - if (rc != WOLFSSL_SUCCESS) { - wolfSSL_CTX_free(ctx->ssl_ctx); - ctx->ssl_ctx = NULL; - return WH_ERROR_ABORTED; - } - - /* load private key for TLS connection */ - rc = wolfSSL_CTX_use_PrivateKey_buffer(ctx->ssl_ctx, client_key_der_2048, - sizeof(client_key_der_2048), - CTC_FILETYPE_ASN1); - if (rc != WOLFSSL_SUCCESS) { - wolfSSL_CTX_free(ctx->ssl_ctx); - ctx->ssl_ctx = NULL; - return WH_ERROR_ABORTED; - } - /* Set verification mode */ - wolfSSL_CTX_set_verify(ctx->ssl_ctx, WOLFSSL_VERIFY_PEER, NULL); - - return WH_ERROR_OK; -} - -static int whPosixClient_ExampleTlsCommonConfig(void* conf) +static int whPosixClient_ExampleTlsConfig(void* conf) { whClientConfig* c_conf = (whClientConfig*)conf; @@ -253,7 +206,15 @@ static int whPosixClient_ExampleTlsCommonConfig(void* conf) tlsConfig.server_ip_string = WH_POSIX_SERVER_TCP_IPSTRING; tlsConfig.server_port = WH_POSIX_SERVER_TCP_PORT; - tlsConfig.verify_peer = true; + tlsConfig.disable_peer_verification = false; + + /* Set certificate buffers in config structure */ + tlsConfig.ca_cert = ca_cert_der_2048; + tlsConfig.ca_cert_len = sizeof_ca_cert_der_2048; + tlsConfig.cert = client_cert_der_2048; + tlsConfig.cert_len = sizeof_client_cert_der_2048; + tlsConfig.key = client_key_der_2048; + tlsConfig.key_len = sizeof_client_key_der_2048; c_comm.transport_cb = &tlsCb; c_comm.transport_context = (void*)&tccTls; @@ -264,17 +225,6 @@ static int whPosixClient_ExampleTlsCommonConfig(void* conf) return WH_ERROR_OK; } -int whPosixClient_ExampleTlsConfig(void* conf) -{ - if (whPosixClient_ExampleTlsCommonConfig(conf) != WH_ERROR_OK) { - return WH_ERROR_ABORTED; - } - - if (whPosixClient_ExampleTlsContextSetup(&tccTls) != WH_ERROR_OK) { - return WH_ERROR_ABORTED; - } - return WH_ERROR_OK; -} /* * Run all the client-only tests on a default client configuration matching the @@ -293,7 +243,8 @@ int whTest_ClientTls(void) } return ret; } -#endif /* WOLFHSM_CFG_TEST_CLIENT_ONLY_TLS && WOLFHSM_CFG_TEST_POSIX */ +#endif /* WOLFHSM_CFG_TLS */ +#endif /* WOLFHSM_CFG_TEST_CLIENT_ONLY && WOLFHSM_CFG_TEST_POSIX */ #endif /* WOLFHSM_CFG_ENABLE_CLIENT */ #if !defined(WOLFHSM_CFG_TEST_UNIT_NO_MAIN) @@ -302,14 +253,16 @@ int main(void) { int ret = 0; -#if defined(WOLFHSM_CFG_TEST_CLIENT_ONLY_TCP) && \ - defined(WOLFHSM_CFG_ENABLE_CLIENT) && defined(WOLFHSM_CFG_TEST_POSIX) - /* Test driver should run TCP client tests against the example server */ - ret = whTest_ClientTcp(); -#elif defined(WOLFHSM_CFG_TEST_CLIENT_ONLY_TLS) && \ +#if defined(WOLFHSM_CFG_TEST_CLIENT_ONLY) && \ defined(WOLFHSM_CFG_ENABLE_CLIENT) && defined(WOLFHSM_CFG_TEST_POSIX) - /* Test driver should run TLS client tests against the example server */ + /* Test driver should run client tests against the example server */ +#if defined(WOLFHSM_CFG_TLS) + /* Run TLS client tests */ ret = whTest_ClientTls(); +#else + /* Run TCP client tests (default) */ + ret = whTest_ClientTcp(); +#endif #elif defined(WOLFHSM_CFG_ENABLE_CLIENT) && defined(WOLFHSM_CFG_ENABLE_SERVER) /* Default case: Test driver should run all the unit tests locally */ ret = whTest_Unit(); diff --git a/test/wh_test.h b/test/wh_test.h index 5e71b3ba..cc326cc2 100644 --- a/test/wh_test.h +++ b/test/wh_test.h @@ -21,6 +21,15 @@ #include "wolfhsm/wh_client.h" +/* + * WOLFHSM_CFG_TEST_POSIX : Run tests using POSIX transport + * + * WOLFHSM_CFG_TEST_CLIENT_ONLY : Run client-only tests connecting to a running + * server. The default is using a TCP trasnport + * connection. When another specific transports + * are enabled then they will be used instead i.e + * WOLFHSM_CFG_TLS will use TLS transport. + */ int whTest_Unit(void); int whTest_ClientConfig(whClientConfig* clientCfg); diff --git a/test/wh_test_clientserver.c b/test/wh_test_clientserver.c index bd22d0c2..5101f82d 100644 --- a/test/wh_test_clientserver.c +++ b/test/wh_test_clientserver.c @@ -1715,8 +1715,7 @@ int whTest_ServerCfgLoop(whServerConfig* serverCfg) #endif /* WOLFHSM_CFG_ENABLE_SERVER */ #if defined(WOLFHSM_CFG_TEST_POSIX) && defined(WOLFHSM_CFG_ENABLE_CLIENT) && \ - !defined(WOLFHSM_CFG_TEST_CLIENT_ONLY_TCP) && \ - !defined(WOLFHSM_CFG_TEST_CLIENT_ONLY_TLS) + !defined(WOLFHSM_CFG_TEST_CLIENT_ONLY) static void* _whClientTask(void *cf) { WH_TEST_ASSERT(0 == whTest_ClientServerClientConfig(cf)); diff --git a/test/wh_test_crypto.c b/test/wh_test_crypto.c index 10a2c21e..fa50eb45 100644 --- a/test/wh_test_crypto.c +++ b/test/wh_test_crypto.c @@ -2870,8 +2870,7 @@ static int whTestCrypto_Cmac(whClientContext* ctx, int devId, WC_RNG* rng) } #if defined(WOLFHSM_CFG_CANCEL_API) && \ - !defined(WOLFHSM_CFG_TEST_CLIENT_ONLY_TCP) && \ - !defined(WOLFHSM_CFG_TEST_CLIENT_ONLY_TLS) + !defined(WOLFHSM_CFG_TEST_CLIENT_ONLY) /* test CMAC cancellation for supported devIds */ if (ret == 0 #ifdef WOLFHSM_CFG_DMA @@ -4493,8 +4492,7 @@ int whTest_CryptoServerConfig(whServerConfig* config) #endif /* WOLFHSM_CFG_ENABLE_SERVER */ #if defined(WOLFHSM_CFG_TEST_POSIX) && defined(WOLFHSM_CFG_ENABLE_CLIENT) && \ - !defined(WOLFHSM_CFG_TEST_CLIENT_ONLY_TCP) && \ - !defined(WOLFHSM_CFG_TEST_CLIENT_ONLY_TLS) + !defined(WOLFHSM_CFG_TEST_CLIENT_ONLY) static void* _whClientTask(void *cf) { WH_TEST_ASSERT(0 == whTest_CryptoClientConfig(cf)); diff --git a/test/wh_test_she.c b/test/wh_test_she.c index 01d3ab40..77462c06 100644 --- a/test/wh_test_she.c +++ b/test/wh_test_she.c @@ -461,8 +461,7 @@ int whTest_SheServerConfig(whServerConfig* config) #endif /* WOLFHSM_CFG_ENABLE_SERVER */ #if defined(WOLFHSM_CFG_TEST_POSIX) && defined(WOLFHSM_CFG_ENABLE_CLIENT) && \ - !defined(WOLFHSM_CFG_TEST_CLIENT_ONLY_TCP) && \ - !defined(WOLFHSM_CFG_TEST_CLIENT_ONLY_TLS) + !defined(WOLFHSM_CFG_TEST_CLIENT_ONLY) static void* _whClientTask(void* cf) { WH_TEST_ASSERT(0 == whTest_SheClientConfig(cf)); From 9302eb4cdb111de4d4d2b7666f02af0e3bf566d3 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Wed, 3 Dec 2025 16:00:42 -0700 Subject: [PATCH 09/13] use WOLFHSM_CFG_TLS macro guard with posix_transport_tls.c|h files --- port/posix/posix_transport_tls.c | 5 +++-- port/posix/posix_transport_tls.h | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/port/posix/posix_transport_tls.c b/port/posix/posix_transport_tls.c index 944f3c15..9d1da5ae 100644 --- a/port/posix/posix_transport_tls.c +++ b/port/posix/posix_transport_tls.c @@ -28,7 +28,7 @@ #include "posix_transport_tls.h" #include "wolfhsm/wh_error.h" -#if !defined(NO_TLS) && !defined(WOLFCRYPT_ONLY) +#if defined(WOLFHSM_CFG_TLS) #include #include @@ -655,4 +655,5 @@ int posixTransportTls_GetAcceptFd(posixTransportTlsServerContext* context, } return ret; } -#endif /* !defined(NO_TLS) && !defined(WOLFCRYPT_ONLY) */ \ No newline at end of file +#endif /* WOLFHSM_CFG_TLS */ + diff --git a/port/posix/posix_transport_tls.h b/port/posix/posix_transport_tls.h index ea68be3f..123767ea 100644 --- a/port/posix/posix_transport_tls.h +++ b/port/posix/posix_transport_tls.h @@ -38,13 +38,12 @@ /* Adds TLS on top of the existing TCP transport */ #include "port/posix/posix_transport_tcp.h" -#ifndef WOLFHSM_CFG_NO_CRYPTO +#ifdef WOLFHSM_CFG_TLS #ifndef WOLFSSL_USER_SETTINGS #include "wolfssl/options.h" #endif #include "wolfssl/ssl.h" #include "wolfssl/wolfcrypt/memory.h" -#endif #define PTTLS_PACKET_MAX_SIZE WH_COMM_MTU #define PTTLS_BUFFER_SIZE (sizeof(uint32_t) + PTTLS_PACKET_MAX_SIZE) @@ -180,4 +179,5 @@ int posixTransportTls_GetListenFd(posixTransportTlsServerContext* context, int posixTransportTls_GetAcceptFd(posixTransportTlsServerContext* context, int* out_fd); +#endif /* WOLFHSM_CFG_TLS */ #endif /* !PORT_POSIX_POSIX_TRANSPORT_TLS_H_ */ From e9d569b3ba9580c85421e9e15dd459917b7538f1 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Wed, 3 Dec 2025 17:03:04 -0700 Subject: [PATCH 10/13] updating test case for TLS use and macro guards in posix client example --- .github/workflows/build-and-run-examples.yml | 15 +++++++++++---- examples/posix/wh_posix_client/Makefile | 3 +++ examples/posix/wh_posix_client/wh_posix_client.c | 8 ++++---- .../posix/wh_posix_client/wh_posix_client_cfg.c | 12 ++++++------ .../posix/wh_posix_client/wh_posix_client_cfg.h | 10 +++++----- examples/posix/wh_posix_server/wh_posix_server.c | 6 +++--- .../posix/wh_posix_server/wh_posix_server_cfg.c | 2 +- 7 files changed, 33 insertions(+), 23 deletions(-) diff --git a/.github/workflows/build-and-run-examples.yml b/.github/workflows/build-and-run-examples.yml index 85ee4dc2..2a18fd40 100644 --- a/.github/workflows/build-and-run-examples.yml +++ b/.github/workflows/build-and-run-examples.yml @@ -26,22 +26,29 @@ jobs: repository: wolfssl/wolfssl path: wolfssl + - name: Set TLS Environment Variable + run: | + if [ "${{ matrix.transport }}" = "tls" ] || [ "${{ matrix.transport }}" = "psk" ]; then + echo "TLS=1" >> $GITHUB_ENV + else + echo "TLS=0" >> $GITHUB_ENV + fi + # Build examples - name: Build POSIX server run: | if [ "${{ matrix.transport }}" = "dma" ]; then cd examples/posix/wh_posix_server && ${{ matrix.asan }} ${{ matrix.debug }} DMA=1 make -j WOLFSSL_DIR=../../../wolfssl - elif [ "${{ matrix.transport }}" = "tls" ]; then - cd examples/posix/wh_posix_server && ${{ matrix.asan }} ${{ matrix.debug }} TLS=1 make -j WOLFSSL_DIR=../../../wolfssl else - cd examples/posix/wh_posix_server && ${{ matrix.asan }} ${{ matrix.debug }} make -j WOLFSSL_DIR=../../../wolfssl + cd examples/posix/wh_posix_server && ${{ matrix.asan }} ${{ matrix.debug }} TLS=${{ env.TLS }} make -j WOLFSSL_DIR=../../../wolfssl fi + - name: Build POSIX client run: | if [ "${{ matrix.transport }}" = "dma" ]; then cd examples/posix/wh_posix_client && ${{ matrix.asan }} ${{ matrix.debug }} DMA=1 make -j WOLFSSL_DIR=../../../wolfssl else - cd examples/posix/wh_posix_client && ${{ matrix.asan }} ${{ matrix.debug }} make -j WOLFSSL_DIR=../../../wolfssl + cd examples/posix/wh_posix_client && ${{ matrix.asan }} ${{ matrix.debug }} TLS=${{ env.TLS }} make -j WOLFSSL_DIR=../../../wolfssl fi # Start the server in the background diff --git a/examples/posix/wh_posix_client/Makefile b/examples/posix/wh_posix_client/Makefile index 1b862518..be048123 100644 --- a/examples/posix/wh_posix_client/Makefile +++ b/examples/posix/wh_posix_client/Makefile @@ -112,7 +112,10 @@ DEF += -DWC_USE_DEVID=0x57444D41 -DWC_NO_DEFAULT_DEVID CFLAGS += -DWOLFHSM_CFG_DMA else DEF += -DWC_USE_DEVID=0x5748534D +endif +ifeq ($(TLS),1) +CFLAGS += -DWOLFHSM_CFG_TLS endif #wolfCrypt test/benchmark source files diff --git a/examples/posix/wh_posix_client/wh_posix_client.c b/examples/posix/wh_posix_client/wh_posix_client.c index a7cc007d..bb90febf 100644 --- a/examples/posix/wh_posix_client/wh_posix_client.c +++ b/examples/posix/wh_posix_client/wh_posix_client.c @@ -214,18 +214,18 @@ int main(int argc, char** argv) WOLFHSM_CFG_PRINTF("Using shared memory transport\n"); wh_PosixClient_ExampleShmConfig(c_conf); } -#ifndef WOLFHSM_CFG_NO_CRYPTO +#ifdef WOLFHSM_CFG_TLS else if (strcmp(type, "tls") == 0) { WOLFHSM_CFG_PRINTF("Using TLS transport\n"); wh_PosixClient_ExampleTlsConfig(c_conf); } -#endif -#if !defined(WOLFHSM_CFG_NO_CRYPTO) && !defined(NO_PSK) +#if !defined(NO_PSK) else if (strcmp(type, "psk") == 0) { WOLFHSM_CFG_PRINTF("Using TLS PSK transport\n"); wh_PosixClient_ExamplePskConfig(c_conf); } -#endif +#endif /* !NO_PSK */ +#endif /* WOLFHSM_CFG_TLS */ #ifdef WOLFSSL_STATIC_MEMORY else if (strcmp(type, "dma") == 0) { WOLFHSM_CFG_PRINTF("Using DMA with shared memory transport\n"); diff --git a/examples/posix/wh_posix_client/wh_posix_client_cfg.c b/examples/posix/wh_posix_client/wh_posix_client_cfg.c index 9b959664..97fc49c2 100644 --- a/examples/posix/wh_posix_client/wh_posix_client_cfg.c +++ b/examples/posix/wh_posix_client/wh_posix_client_cfg.c @@ -10,7 +10,7 @@ #include "port/posix/posix_transport_shm.h" #include "port/posix/posix_transport_tcp.h" -#ifndef WOLFHSM_CFG_NO_CRYPTO +#ifdef WOLFHSM_CFG_TLS #include "port/posix/posix_transport_tls.h" #endif @@ -18,13 +18,13 @@ posixTransportShmClientContext tccShm; posixTransportTcpClientContext tccTcp; -#ifndef WOLFHSM_CFG_NO_CRYPTO +#ifdef WOLFHSM_CFG_TLS posixTransportTlsClientContext tccTls; #endif posixTransportShmConfig shmConfig; posixTransportTcpConfig tcpConfig; -#ifndef WOLFHSM_CFG_NO_CRYPTO +#ifdef WOLFHSM_CFG_TLS posixTransportTlsConfig tlsConfig; #endif @@ -32,7 +32,7 @@ whCommClientConfig c_comm; whTransportClientCb shmCb = POSIX_TRANSPORT_SHM_CLIENT_CB; whTransportClientCb tcpCb = PTT_CLIENT_CB; -#ifndef WOLFHSM_CFG_NO_CRYPTO +#ifdef WOLFHSM_CFG_TLS whTransportClientCb tlsCb = PTTLS_CLIENT_CB; #endif @@ -135,7 +135,7 @@ int wh_PosixClient_ExampleTcpConfig(void* conf) return WH_ERROR_OK; } -#if !defined(WOLFHSM_CFG_NO_CRYPTO) && !defined(NO_TLS) +#if defined(WOLFHSM_CFG_TLS) /* client configuration setup example for TLS transport */ #undef USE_CERT_BUFFERS_2048 #define USE_CERT_BUFFERS_2048 @@ -212,7 +212,7 @@ int wh_PosixClient_ExamplePskConfig(void* conf) return WH_ERROR_OK; } #endif /* NO_PSK */ -#endif /* WOLFHSM_CFG_NO_CRYPTO */ +#endif /* WOLFHSM_CFG_TLS */ /* client configuration setup example for transport */ diff --git a/examples/posix/wh_posix_client/wh_posix_client_cfg.h b/examples/posix/wh_posix_client/wh_posix_client_cfg.h index 5a1c7db6..27cdf9ea 100644 --- a/examples/posix/wh_posix_client/wh_posix_client_cfg.h +++ b/examples/posix/wh_posix_client/wh_posix_client_cfg.h @@ -4,11 +4,11 @@ int wh_PosixClient_ExampleShmDmaConfig(void* c_conf); int wh_PosixClient_ExampleShmConfig(void* c_conf); int wh_PosixClient_ExampleTcpConfig(void* c_conf); -#ifndef WOLFHSM_CFG_NO_CRYPTO +#ifdef WOLFHSM_CFG_TLS int wh_PosixClient_ExampleTlsConfig(void* c_conf); -#endif -#if !defined(WOLFHSM_CFG_NO_CRYPTO) && !defined(NO_PSK) +#if !defined(NO_PSK) int wh_PosixClient_ExamplePskConfig(void* c_conf); -#endif +#endif /* !NO_PSK */ +#endif /* WOLFHSM_CFG_TLS */ int wh_PosixClient_ExampleSetupDmaMemory(void* ctx, void* c_conf); -#endif /* WH_POSIX_CLIENT_CFG_H */ \ No newline at end of file +#endif /* WH_POSIX_CLIENT_CFG_H */ diff --git a/examples/posix/wh_posix_server/wh_posix_server.c b/examples/posix/wh_posix_server/wh_posix_server.c index 56cd7093..b4a599c6 100644 --- a/examples/posix/wh_posix_server/wh_posix_server.c +++ b/examples/posix/wh_posix_server/wh_posix_server.c @@ -283,7 +283,7 @@ static void Usage(const char* exeName) WOLFHSM_CFG_PRINTF(", psk"); #endif #endif /* !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WOLFHSM_CFG_TLS) */ -#ifdef WOLFSSL_CFG_DMA +#ifdef WOLFHSM_CFG_DMA WOLFHSM_CFG_PRINTF(", dma"); #endif WOLFHSM_CFG_PRINTF("\n"); @@ -384,7 +384,7 @@ int main(int argc, char** argv) } #endif /* !defined(NO_PSK) */ #endif /* !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WOLFHSM_CFG_TLS) */ -#ifdef WOLFSSL_CFG_DMA +#ifdef WOLFHSM_CFG_DMA else if (strcmp(type, "dma") == 0) { WOLFHSM_CFG_PRINTF("Using DMA with shared memory transport\n"); rc = wh_PosixServer_ExampleShmDmaConfig(s_conf); @@ -393,7 +393,7 @@ int main(int argc, char** argv) return -1; } } -#endif /* WOLFSSL_CFG_DMA */ +#endif /* WOLFHSM_CFG_DMA */ else { WOLFHSM_CFG_PRINTF("Invalid server type: %s\n", type); return -1; diff --git a/examples/posix/wh_posix_server/wh_posix_server_cfg.c b/examples/posix/wh_posix_server/wh_posix_server_cfg.c index 84c84458..e2f70173 100644 --- a/examples/posix/wh_posix_server/wh_posix_server_cfg.c +++ b/examples/posix/wh_posix_server/wh_posix_server_cfg.c @@ -36,7 +36,7 @@ whTransportServerCb tlsCb = PTTLS_SERVER_CB; posixTransportTlsServerContext tscTls; #endif -#ifdef WOLFSSL_CFG_DMA +#ifdef WOLFHSM_CFG_DMA whTransportServerCb dmaCb = POSIX_TRANSPORT_SHM_SERVER_CB; posixTransportShmServerContext tscDma; whServerDmaConfig dmaConfig; From 053e6834a29016c9592d254c6fd8aa7443fb95f5 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Thu, 4 Dec 2025 13:52:19 -0700 Subject: [PATCH 11/13] clean up of macro names after refactor --- examples/posix/wh_posix_server/user_settings.h | 2 +- examples/posix/wh_posix_server/wh_posix_server_cfg.c | 4 ++-- examples/posix/wh_posix_server/wh_posix_server_cfg.h | 8 ++++---- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/examples/posix/wh_posix_server/user_settings.h b/examples/posix/wh_posix_server/user_settings.h index e8bae026..d61c3f14 100644 --- a/examples/posix/wh_posix_server/user_settings.h +++ b/examples/posix/wh_posix_server/user_settings.h @@ -48,7 +48,7 @@ extern "C" { #define HAVE_ANONYMOUS_INLINE_AGGREGATES 1 #ifndef WOLFHSM_CFG_TLS -/* This macros reduce footprint size when TLS functionality is not needed */ +/* These macros reduce footprint size when TLS functionality is not needed */ #define NO_TLS /* Eliminates need for IO layer since we only use CM */ #define WOLFSSL_USER_IO diff --git a/examples/posix/wh_posix_server/wh_posix_server_cfg.c b/examples/posix/wh_posix_server/wh_posix_server_cfg.c index e2f70173..2440f097 100644 --- a/examples/posix/wh_posix_server/wh_posix_server_cfg.c +++ b/examples/posix/wh_posix_server/wh_posix_server_cfg.c @@ -118,7 +118,7 @@ int wh_PosixServer_ExampleTcpConfig(void* conf) return WH_ERROR_OK; } -#if !defined(WOLFHSM_CFG_NO_CRYPTO) && !defined(NO_TLS) +#if defined(WOLFHSM_CFG_TLS) /* Server configuration setup example for TLS transport * Does not setup flash, nvm, crypto, she, etc. */ @@ -247,7 +247,7 @@ int wh_PosixServer_ExamplePskConfig(void* conf) return WH_ERROR_OK; } #endif /* NO_PSK */ -#endif /* WOLFHSM_CFG_NO_CRYPTO && !NO_TLS */ +#endif /* WOLFHSM_CFG_TLS */ static const whFlashCb fcb = WH_FLASH_RAMSIM_CB; static whFlashRamsimCfg fc_conf; diff --git a/examples/posix/wh_posix_server/wh_posix_server_cfg.h b/examples/posix/wh_posix_server/wh_posix_server_cfg.h index f0d5540d..1b95d26f 100644 --- a/examples/posix/wh_posix_server/wh_posix_server_cfg.h +++ b/examples/posix/wh_posix_server/wh_posix_server_cfg.h @@ -6,13 +6,13 @@ int wh_PosixServer_ExampleShmDmaConfig(void* s_conf); int wh_PosixServer_ExampleShmConfig(void* s_conf); int wh_PosixServer_ExampleTcpConfig(void* s_conf); -#ifndef WOLFHSM_CFG_NO_CRYPTO +#ifdef WOLFHSM_CFG_TLS int wh_PosixServer_ExampleTlsConfig(void* s_conf); -#endif -#if !defined(WOLFHSM_CFG_NO_CRYPTO) && !defined(NO_PSK) +#if !defined(NO_PSK) int wh_PosixServer_ExamplePskConfig(void* s_conf); #endif +#endif /* WOLFHSM_CFG_TLS */ int wh_PosixServer_ExampleNvmConfig(void* conf, const char* nvmInitFilePath); int wh_PosixServer_ExampleRamSimConfig(void* conf, uint8_t* memory); -#endif /* WH_POSIX_SERVER_CFG_H */ \ No newline at end of file +#endif /* WH_POSIX_SERVER_CFG_H */ From 7bb6161bbcd4cb19eaabb243656ac8a710628892 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Thu, 4 Dec 2025 13:57:07 -0700 Subject: [PATCH 12/13] result of running git-clang-format --- .../wh_posix_client/wh_posix_client_cfg.c | 18 +++---- .../posix/wh_posix_server/wh_posix_server.c | 6 ++- .../wh_posix_server/wh_posix_server_cfg.c | 26 +++++----- port/posix/posix_transport_tls.c | 42 ++++++---------- port/posix/posix_transport_tls.h | 49 ++++++++++--------- test/wh_test.c | 27 +++++----- test/wh_test_crypto.c | 3 +- 7 files changed, 81 insertions(+), 90 deletions(-) diff --git a/examples/posix/wh_posix_client/wh_posix_client_cfg.c b/examples/posix/wh_posix_client/wh_posix_client_cfg.c index 97fc49c2..8f54faca 100644 --- a/examples/posix/wh_posix_client/wh_posix_client_cfg.c +++ b/examples/posix/wh_posix_client/wh_posix_client_cfg.c @@ -151,17 +151,17 @@ int wh_PosixClient_ExampleTlsConfig(void* conf) tccTls.state = 0; tccTls.connect_fd_p1 = 0; /* Invalid fd */ - tlsConfig.server_ip_string = WH_POSIX_SERVER_TCP_IPSTRING; - tlsConfig.server_port = WH_POSIX_SERVER_TCP_PORT; + tlsConfig.server_ip_string = WH_POSIX_SERVER_TCP_IPSTRING; + tlsConfig.server_port = WH_POSIX_SERVER_TCP_PORT; tlsConfig.disable_peer_verification = false; - tlsConfig.ca_cert = ca_cert_der_2048; + tlsConfig.ca_cert = ca_cert_der_2048; tlsConfig.ca_cert_len = sizeof_ca_cert_der_2048; - tlsConfig.cert = client_cert_der_2048; - tlsConfig.cert_len = sizeof_client_cert_der_2048; - tlsConfig.key = client_key_der_2048; - tlsConfig.key_len = sizeof_client_key_der_2048; - tlsConfig.heap_hint = NULL; + tlsConfig.cert = client_cert_der_2048; + tlsConfig.cert_len = sizeof_client_cert_der_2048; + tlsConfig.key = client_key_der_2048; + tlsConfig.key_len = sizeof_client_key_der_2048; + tlsConfig.heap_hint = NULL; c_comm.transport_cb = &tlsCb; c_comm.transport_context = (void*)&tccTls; @@ -196,7 +196,7 @@ static unsigned int psk_tls12_client_cb(WOLFSSL* ssl, const char* hint, } (void)ssl; - len = strcspn((char*)key, "\n"); + len = strcspn((char*)key, "\n"); ((char*)key)[len] = '\0'; return (unsigned int)len; } diff --git a/examples/posix/wh_posix_server/wh_posix_server.c b/examples/posix/wh_posix_server/wh_posix_server.c index b4a599c6..0f0d9bca 100644 --- a/examples/posix/wh_posix_server/wh_posix_server.c +++ b/examples/posix/wh_posix_server/wh_posix_server.c @@ -360,7 +360,8 @@ int main(int argc, char** argv) WOLFHSM_CFG_PRINTF("Using shared memory transport\n"); rc = wh_PosixServer_ExampleShmConfig(s_conf); if (rc != WH_ERROR_OK) { - WOLFHSM_CFG_PRINTF("Failed to initialize shared memory transport\n"); + WOLFHSM_CFG_PRINTF( + "Failed to initialize shared memory transport\n"); return -1; } } @@ -389,7 +390,8 @@ int main(int argc, char** argv) WOLFHSM_CFG_PRINTF("Using DMA with shared memory transport\n"); rc = wh_PosixServer_ExampleShmDmaConfig(s_conf); if (rc != WH_ERROR_OK) { - WOLFHSM_CFG_PRINTF("Failed to initialize DMA with shared memory transport\n"); + WOLFHSM_CFG_PRINTF( + "Failed to initialize DMA with shared memory transport\n"); return -1; } } diff --git a/examples/posix/wh_posix_server/wh_posix_server_cfg.c b/examples/posix/wh_posix_server/wh_posix_server_cfg.c index 2440f097..754a0b82 100644 --- a/examples/posix/wh_posix_server/wh_posix_server_cfg.c +++ b/examples/posix/wh_posix_server/wh_posix_server_cfg.c @@ -31,8 +31,8 @@ whTransportServerCb shmCb = POSIX_TRANSPORT_SHM_SERVER_CB; posixTransportShmServerContext tscShm; posixTransportTcpServerContext tscTcp; #ifdef WOLFHSM_CFG_TLS -posixTransportTlsConfig tlsConfig; -whTransportServerCb tlsCb = PTTLS_SERVER_CB; +posixTransportTlsConfig tlsConfig; +whTransportServerCb tlsCb = PTTLS_SERVER_CB; posixTransportTlsServerContext tscTls; #endif @@ -128,7 +128,7 @@ int wh_PosixServer_ExampleTcpConfig(void* conf) #ifdef WOLFSSL_STATIC_MEMORY #define EXAMPLE_STATIC_MEMORY_SIZE 70000 -WOLFSSL_HEAP_HINT* heap = NULL; +WOLFSSL_HEAP_HINT* heap = NULL; static unsigned char memoryBuffer[EXAMPLE_STATIC_MEMORY_SIZE]; unsigned int staticMemoryList[] = {176, 304, 384, 480, 1008, 3328, 4560, 5152, 8928}; @@ -159,15 +159,15 @@ int wh_PosixServer_ExampleTlsConfig(void* ctx) tscTls.request_recv = 0; tscTls.buffer_offset = 0; - tlsConfig.server_ip_string = WH_POSIX_SERVER_TCP_IPSTRING; - tlsConfig.server_port = WH_POSIX_SERVER_TCP_PORT; + tlsConfig.server_ip_string = WH_POSIX_SERVER_TCP_IPSTRING; + tlsConfig.server_port = WH_POSIX_SERVER_TCP_PORT; tlsConfig.disable_peer_verification = false; - tlsConfig.ca_cert = client_cert_der_2048; - tlsConfig.ca_cert_len = sizeof_client_cert_der_2048; - tlsConfig.cert = server_cert_der_2048; - tlsConfig.cert_len = sizeof_server_cert_der_2048; - tlsConfig.key = server_key_der_2048; - tlsConfig.key_len = sizeof_server_key_der_2048; + tlsConfig.ca_cert = client_cert_der_2048; + tlsConfig.ca_cert_len = sizeof_client_cert_der_2048; + tlsConfig.cert = server_cert_der_2048; + tlsConfig.cert_len = sizeof_server_cert_der_2048; + tlsConfig.key = server_key_der_2048; + tlsConfig.key_len = sizeof_server_key_der_2048; #ifdef WOLFSSL_STATIC_MEMORY tlsConfig.heap_hint = GetHeapHint(); #endif /* WOLFSSL_STATIC_MEMORY */ @@ -203,7 +203,7 @@ static unsigned int psk_tls13_server_cb(WOLFSSL* ssl, const char* identity, memset(key, 0, key_max_len); return 0U; } - len = strcspn((char*)key, "\n"); + len = strcspn((char*)key, "\n"); ((char*)key)[len] = '\0'; (void)ssl; @@ -225,7 +225,7 @@ static unsigned int psk_tls12_server_cb(WOLFSSL* ssl, const char* identity, memset(key, 0, key_max_len); return 0U; } - len = strcspn((char*)key, "\n"); + len = strcspn((char*)key, "\n"); ((char*)key)[len] = '\0'; (void)ssl; return (unsigned int)len; diff --git a/port/posix/posix_transport_tls.c b/port/posix/posix_transport_tls.c index 9d1da5ae..a5af6113 100644 --- a/port/posix/posix_transport_tls.c +++ b/port/posix/posix_transport_tls.c @@ -53,7 +53,7 @@ static int NonBlockingError(int err) } /* Load certificates and keys from config structure into SSL context */ -static int LoadTlsCertificates(WOLFSSL_CTX* ssl_ctx, +static int LoadTlsCertificates(WOLFSSL_CTX* ssl_ctx, const posixTransportTlsConfig* cfg) { int rc; @@ -64,9 +64,8 @@ static int LoadTlsCertificates(WOLFSSL_CTX* ssl_ctx, /* Load CA certificate for peer verification */ if (cfg->ca_cert != NULL && cfg->ca_cert_len > 0) { - rc = wolfSSL_CTX_load_verify_buffer(ssl_ctx, cfg->ca_cert, - cfg->ca_cert_len, - WOLFSSL_FILETYPE_ASN1); + rc = wolfSSL_CTX_load_verify_buffer( + ssl_ctx, cfg->ca_cert, cfg->ca_cert_len, WOLFSSL_FILETYPE_ASN1); if (rc != WOLFSSL_SUCCESS) { return WH_ERROR_ABORTED; } @@ -74,10 +73,8 @@ static int LoadTlsCertificates(WOLFSSL_CTX* ssl_ctx, /* Load certificate (client cert for client, server cert for server) */ if (cfg->cert != NULL && cfg->cert_len > 0) { - rc = wolfSSL_CTX_use_certificate_buffer(ssl_ctx, - cfg->cert, - cfg->cert_len, - WOLFSSL_FILETYPE_ASN1); + rc = wolfSSL_CTX_use_certificate_buffer( + ssl_ctx, cfg->cert, cfg->cert_len, WOLFSSL_FILETYPE_ASN1); if (rc != WOLFSSL_SUCCESS) { return WH_ERROR_ABORTED; } @@ -85,9 +82,7 @@ static int LoadTlsCertificates(WOLFSSL_CTX* ssl_ctx, /* Load private key (client key for client, server key for server) */ if (cfg->key != NULL && cfg->key_len > 0) { - rc = wolfSSL_CTX_use_PrivateKey_buffer(ssl_ctx, - cfg->key, - cfg->key_len, + rc = wolfSSL_CTX_use_PrivateKey_buffer(ssl_ctx, cfg->key, cfg->key_len, WOLFSSL_FILETYPE_ASN1); if (rc != WOLFSSL_SUCCESS) { return WH_ERROR_ABORTED; @@ -127,8 +122,8 @@ int posixTransportTls_InitConnect(void* context, const void* config, /* Create SSL context using static memory if heap_hint is provided */ #ifdef WOLFSSL_STATIC_MEMORY if (cfg->heap_hint != NULL) { - ctx->ssl_ctx = wolfSSL_CTX_new_ex(wolfSSLv23_client_method_ex(cfg->heap_hint), - cfg->heap_hint); + ctx->ssl_ctx = wolfSSL_CTX_new_ex( + wolfSSLv23_client_method_ex(cfg->heap_hint), cfg->heap_hint); } else { ctx->ssl_ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); @@ -154,8 +149,7 @@ int posixTransportTls_InitConnect(void* context, const void* config, #ifndef NO_PSK /* Setup PSK callbacks if provided */ if (cfg->psk_client_cb != NULL) { - wolfSSL_CTX_set_psk_client_callback(ctx->ssl_ctx, - cfg->psk_client_cb); + wolfSSL_CTX_set_psk_client_callback(ctx->ssl_ctx, cfg->psk_client_cb); } #endif /* NO_PSK */ @@ -254,9 +248,8 @@ int posixTransportTls_SendRequest(void* context, uint16_t size, ctx->tcpCtx.connect_fd_p1 = 0; } ctx->connect_fd_p1 = 0; - ctx->tcpCtx.state = PTT_STATE_UNCONNECTED; + ctx->tcpCtx.state = PTT_STATE_UNCONNECTED; return WH_ERROR_NOTREADY; - } if (ctx->connectcb != NULL) { @@ -349,7 +342,7 @@ int posixTransportTls_CleanupConnect(void* context) ctx->ssl_ctx = NULL; } - ctx->state = PTTLS_STATE_UNCONNECTED; + ctx->state = PTTLS_STATE_UNCONNECTED; ctx->connect_fd_p1 = 0; posixTransportTcp_CleanupConnect((void*)&ctx->tcpCtx); return WH_ERROR_OK; @@ -392,8 +385,8 @@ int posixTransportTls_InitListen(void* context, const void* config, /* Create SSL context using static memory if heap_hint is provided */ #ifdef WOLFSSL_STATIC_MEMORY if (cfg->heap_hint != NULL) { - ctx->ssl_ctx = wolfSSL_CTX_new_ex(wolfSSLv23_server_method_ex(cfg->heap_hint), - cfg->heap_hint); + ctx->ssl_ctx = wolfSSL_CTX_new_ex( + wolfSSLv23_server_method_ex(cfg->heap_hint), cfg->heap_hint); } else { ctx->ssl_ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()); @@ -419,19 +412,17 @@ int posixTransportTls_InitListen(void* context, const void* config, #ifndef NO_PSK /* Setup PSK callbacks if provided */ if (cfg->psk_server_cb != NULL) { - wolfSSL_CTX_set_psk_server_callback(ctx->ssl_ctx, - cfg->psk_server_cb); + wolfSSL_CTX_set_psk_server_callback(ctx->ssl_ctx, cfg->psk_server_cb); } #ifdef WOLFSSL_TLS13 if (cfg->psk_server_tls13_cb != NULL) { wolfSSL_CTX_set_psk_server_tls13_callback(ctx->ssl_ctx, - cfg->psk_server_tls13_cb); + cfg->psk_server_tls13_cb); } #endif /* WOLFSSL_TLS13 */ /* Set PSK identity hint if provided */ if (cfg->psk_identity_hint != NULL) { - wolfSSL_CTX_use_psk_identity_hint(ctx->ssl_ctx, - cfg->psk_identity_hint); + wolfSSL_CTX_use_psk_identity_hint(ctx->ssl_ctx, cfg->psk_identity_hint); } #endif /* NO_PSK */ @@ -656,4 +647,3 @@ int posixTransportTls_GetAcceptFd(posixTransportTlsServerContext* context, return ret; } #endif /* WOLFHSM_CFG_TLS */ - diff --git a/port/posix/posix_transport_tls.h b/port/posix/posix_transport_tls.h index 123767ea..5a6e2752 100644 --- a/port/posix/posix_transport_tls.h +++ b/port/posix/posix_transport_tls.h @@ -50,44 +50,45 @@ /** TLS configuration structure */ typedef struct { - char* server_ip_string; - int server_port; - bool disable_peer_verification; /* Whether to verify certificates, - defaults to verifying peer certificates */ + char* server_ip_string; + int server_port; + bool disable_peer_verification; /* Whether to verify certificates, + defaults to verifying peer certificates */ /* Certificate configuration - can be provided as buffers or filenames */ - const unsigned char* ca_cert; /* CA certificate buffer (DER format) */ - int ca_cert_len; /* Length of CA certificate buffer */ - const unsigned char* cert; /* Certificate buffer (DER format) */ - int cert_len; /* Length of certificate buffer */ - const unsigned char* key; /* Private key buffer (DER format) */ - int key_len; /* Length of private key buffer */ + const unsigned char* ca_cert; /* CA certificate buffer (DER format) */ + int ca_cert_len; /* Length of CA certificate buffer */ + const unsigned char* cert; /* Certificate buffer (DER format) */ + int cert_len; /* Length of certificate buffer */ + const unsigned char* key; /* Private key buffer (DER format) */ + int key_len; /* Length of private key buffer */ #ifndef NO_PSK /* PSK configuration */ /* Client PSK callback: unsigned int (*)(WOLFSSL* ssl, const char* hint, - * char* identity, unsigned int id_max_len, - * unsigned char* key, unsigned int key_max_len) */ + * char* identity, unsigned int + * id_max_len, unsigned char* key, unsigned int key_max_len) */ unsigned int (*psk_client_cb)(WOLFSSL* ssl, const char* hint, - char* identity, unsigned int id_max_len, - unsigned char* key, unsigned int key_max_len); + char* identity, unsigned int id_max_len, + unsigned char* key, unsigned int key_max_len); /* Server PSK callback for TLS 1.2: unsigned int (*)(WOLFSSL* ssl, * const char* identity, * unsigned char* key, - * unsigned int key_max_len) */ + * unsigned int + * key_max_len) */ unsigned int (*psk_server_cb)(WOLFSSL* ssl, const char* identity, - unsigned char* key, unsigned int key_max_len); + unsigned char* key, unsigned int key_max_len); #ifdef WOLFSSL_TLS13 /* Server PSK callback for TLS 1.3: unsigned int (*)(WOLFSSL* ssl, * const char* identity, * unsigned char* key, - * unsigned int key_max_len, - * const char** ciphersuite) */ + * unsigned int + * key_max_len, const char** ciphersuite) */ unsigned int (*psk_server_tls13_cb)(WOLFSSL* ssl, const char* identity, - unsigned char* key, - unsigned int key_max_len, - const char** ciphersuite); -#endif /* WOLFSSL_TLS13 */ - const char* psk_identity_hint; /* Server PSK identity hint */ -#endif /* NO_PSK */ + unsigned char* key, + unsigned int key_max_len, + const char** ciphersuite); +#endif /* WOLFSSL_TLS13 */ + const char* psk_identity_hint; /* Server PSK identity hint */ +#endif /* NO_PSK */ void* heap_hint; /* A pointer to a WOLFSSL_HEAP_HINT structure for static * memory allocation */ } posixTransportTlsConfig; diff --git a/test/wh_test.c b/test/wh_test.c index 3a78a940..8601adf4 100644 --- a/test/wh_test.c +++ b/test/wh_test.c @@ -54,8 +54,7 @@ #if defined(WOLFHSM_CFG_TEST_POSIX) && defined(WOLFHSM_CFG_ENABLE_CLIENT) #include "port/posix/posix_transport_tcp.h" -#if defined(WOLFHSM_CFG_TEST_CLIENT_ONLY) && \ - defined(WOLFHSM_CFG_TLS) +#if defined(WOLFHSM_CFG_TEST_CLIENT_ONLY) && defined(WOLFHSM_CFG_TLS) #include "port/posix/posix_transport_tls.h" #endif /* WOLFHSM_CFG_TEST_CLIENT_ONLY && WOLFHSM_CFG_TLS */ #endif @@ -190,9 +189,9 @@ int whTest_ClientTcp(void) #include "wolfssl/certs_test.h" posixTransportTlsClientContext tccTls; -posixTransportTlsConfig tlsConfig; -whCommClientConfig c_comm; -whTransportClientCb tlsCb = PTTLS_CLIENT_CB; +posixTransportTlsConfig tlsConfig; +whCommClientConfig c_comm; +whTransportClientCb tlsCb = PTTLS_CLIENT_CB; static int whPosixClient_ExampleTlsConfig(void* conf) { @@ -204,17 +203,17 @@ static int whPosixClient_ExampleTlsConfig(void* conf) tccTls.state = 0; tccTls.connect_fd_p1 = 0; /* Invalid fd */ - tlsConfig.server_ip_string = WH_POSIX_SERVER_TCP_IPSTRING; - tlsConfig.server_port = WH_POSIX_SERVER_TCP_PORT; + tlsConfig.server_ip_string = WH_POSIX_SERVER_TCP_IPSTRING; + tlsConfig.server_port = WH_POSIX_SERVER_TCP_PORT; tlsConfig.disable_peer_verification = false; /* Set certificate buffers in config structure */ - tlsConfig.ca_cert = ca_cert_der_2048; + tlsConfig.ca_cert = ca_cert_der_2048; tlsConfig.ca_cert_len = sizeof_ca_cert_der_2048; - tlsConfig.cert = client_cert_der_2048; - tlsConfig.cert_len = sizeof_client_cert_der_2048; - tlsConfig.key = client_key_der_2048; - tlsConfig.key_len = sizeof_client_key_der_2048; + tlsConfig.cert = client_cert_der_2048; + tlsConfig.cert_len = sizeof_client_cert_der_2048; + tlsConfig.key = client_key_der_2048; + tlsConfig.key_len = sizeof_client_key_der_2048; c_comm.transport_cb = &tlsCb; c_comm.transport_context = (void*)&tccTls; @@ -232,11 +231,11 @@ static int whPosixClient_ExampleTlsConfig(void* conf) */ int whTest_ClientTls(void) { - int ret; + int ret; whClientConfig c_conf[1]; if (whPosixClient_ExampleTlsConfig(c_conf) != WH_ERROR_OK) { - ret = -1; + ret = -1; } else { ret = whTest_ClientConfig(c_conf); diff --git a/test/wh_test_crypto.c b/test/wh_test_crypto.c index fa50eb45..ff12b0bc 100644 --- a/test/wh_test_crypto.c +++ b/test/wh_test_crypto.c @@ -2869,8 +2869,7 @@ static int whTestCrypto_Cmac(whClientContext* ctx, int devId, WC_RNG* rng) } } -#if defined(WOLFHSM_CFG_CANCEL_API) && \ - !defined(WOLFHSM_CFG_TEST_CLIENT_ONLY) +#if defined(WOLFHSM_CFG_CANCEL_API) && !defined(WOLFHSM_CFG_TEST_CLIENT_ONLY) /* test CMAC cancellation for supported devIds */ if (ret == 0 #ifdef WOLFHSM_CFG_DMA From 7677389ac3799d35ec25c412d34d36ea6ba4c788 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Fri, 5 Dec 2025 11:03:45 -0700 Subject: [PATCH 13/13] fix spelling in comments, make fd use more clear, update to macro guards --- examples/posix/wh_posix_client/wh_posix_client.c | 6 +++--- port/posix/posix_transport_tls.c | 8 +++++--- test/wh_test.h | 2 +- 3 files changed, 9 insertions(+), 7 deletions(-) diff --git a/examples/posix/wh_posix_client/wh_posix_client.c b/examples/posix/wh_posix_client/wh_posix_client.c index bb90febf..e12af283 100644 --- a/examples/posix/wh_posix_client/wh_posix_client.c +++ b/examples/posix/wh_posix_client/wh_posix_client.c @@ -161,12 +161,12 @@ void Usage(const char* exeName) WOLFHSM_CFG_PRINTF("Usage: %s --type --test\n", exeName); WOLFHSM_CFG_PRINTF("Example: %s --type tcp\n", exeName); WOLFHSM_CFG_PRINTF("type: tcp (default), shm"); -#ifndef WOLFHSM_CFG_NO_CRYPTO +#ifdef WOLFHSM_CFG_TLS WOLFHSM_CFG_PRINTF(", tls"); -#endif -#ifndef NO_PSK +#if !defined(NO_PSK) WOLFHSM_CFG_PRINTF(", psk"); #endif +#endif /* WOLFHSM_CFG_TLS */ #ifdef WOLFSSL_STATIC_MEMORY WOLFHSM_CFG_PRINTF(", dma"); #endif diff --git a/port/posix/posix_transport_tls.c b/port/posix/posix_transport_tls.c index a5af6113..e690d35c 100644 --- a/port/posix/posix_transport_tls.c +++ b/port/posix/posix_transport_tls.c @@ -205,11 +205,13 @@ int posixTransportTls_SendRequest(void* context, uint16_t size, * is not listening yet, thats why we need to wait to set the fd in * wolfSSL until after the connect() has completed) */ if (ctx->ssl == NULL) { + int fd; + if (posixTransportTcp_GetConnectFd( - (void*)&ctx->tcpCtx, &ctx->connect_fd_p1) != WH_ERROR_OK) { + (void*)&ctx->tcpCtx, &fd) != WH_ERROR_OK) { return WH_ERROR_NOTREADY; } - ctx->connect_fd_p1++; + ctx->connect_fd_p1 = fd + 1; /* follow +1 convetions, 0 is invalid */ ctx->ssl = wolfSSL_new(ctx->ssl_ctx); if (!ctx->ssl) { @@ -218,7 +220,7 @@ int posixTransportTls_SendRequest(void* context, uint16_t size, } /* Set the current socket file descriptor */ - rc = wolfSSL_set_fd(ctx->ssl, ctx->connect_fd_p1 - 1); + rc = wolfSSL_set_fd(ctx->ssl, fd); if (rc != WOLFSSL_SUCCESS) { wolfSSL_free(ctx->ssl); ctx->ssl = NULL; diff --git a/test/wh_test.h b/test/wh_test.h index cc326cc2..c773f4f2 100644 --- a/test/wh_test.h +++ b/test/wh_test.h @@ -25,7 +25,7 @@ * WOLFHSM_CFG_TEST_POSIX : Run tests using POSIX transport * * WOLFHSM_CFG_TEST_CLIENT_ONLY : Run client-only tests connecting to a running - * server. The default is using a TCP trasnport + * server. The default is using a TCP transport * connection. When another specific transports * are enabled then they will be used instead i.e * WOLFHSM_CFG_TLS will use TLS transport.