Use TLS over transport for authentication of peer

Author: JacobBarthelmeh

examples/posix/wh_posix_client/wh_posix_client.c

@@ -151,7 +151,17 @@ void Usage(const char* exeName)
 {
     printf("Usage: %s --type <type> --test\n", exeName);
     printf("Example: %s --type tcp\n", exeName);
-    printf("type: tcp (default), shm\n");
+    printf("type: tcp (default), shm");
+#ifndef WOLFHSM_CFG_NO_CRYPTO
+    printf(", tls");
+#endif
+#ifndef NO_PSK
+    printf(", psk");
+#endif
+#ifdef WOLFSSL_STATIC_MEMORY
+    printf(", dma");
+#endif
+    printf("\n");
 }
 
 int main(int argc, char** argv)
@@ -195,6 +205,18 @@ int main(int argc, char** argv)
         printf("Using shared memory transport\n");
         wh_PosixClient_ExampleShmConfig(c_conf);
     }
+#ifndef WOLFHSM_CFG_NO_CRYPTO
+    else if (strcmp(type, "tls") == 0) {
+        printf("Using TLS transport\n");
+        wh_PosixClient_ExampleTlsConfig(c_conf);
+    }
+#endif
+#if !defined(WOLFHSM_CFG_NO_CRYPTO) && !defined(NO_PSK)
+    else if (strcmp(type, "psk") == 0) {
+        printf("Using TLS PSK transport\n");
+        wh_PosixClient_ExamplePskConfig(c_conf);
+    }
+#endif
 #ifdef WOLFSSL_STATIC_MEMORY
     else if (strcmp(type, "dma") == 0) {
         printf("Using DMA with shared memory transport\n");

examples/posix/wh_posix_client/wh_posix_client_cfg.c

@@ -10,19 +10,31 @@
 
 #include "port/posix/posix_transport_shm.h"
 #include "port/posix/posix_transport_tcp.h"
+#ifndef WOLFHSM_CFG_NO_CRYPTO
+#include "port/posix/posix_transport_tls.h"
+#endif
 
 #include <string.h>
 
 posixTransportShmClientContext tccShm;
 posixTransportTcpClientContext tccTcp;
+#ifndef WOLFHSM_CFG_NO_CRYPTO
+posixTransportTlsClientContext tccTls;
+#endif
 
 posixTransportShmConfig shmConfig;
 posixTransportTcpConfig tcpConfig;
+#ifndef WOLFHSM_CFG_NO_CRYPTO
+posixTransportTlsConfig tlsConfig;
+#endif
 
 whCommClientConfig c_comm;
 
 whTransportClientCb shmCb = POSIX_TRANSPORT_SHM_CLIENT_CB;
 whTransportClientCb tcpCb = PTT_CLIENT_CB;
+#ifndef WOLFHSM_CFG_NO_CRYPTO
+whTransportClientCb tlsCb = PTTLS_CLIENT_CB;
+#endif
 
 #ifdef WOLFSSL_STATIC_MEMORY
 whTransportClientCb dmaCb = POSIX_TRANSPORT_SHM_CLIENT_CB;
@@ -123,6 +135,166 @@ int wh_PosixClient_ExampleTcpConfig(void* conf)
     return WH_ERROR_OK;
 }
 
+#ifndef WOLFHSM_CFG_NO_CRYPTO
+/* client configuration setup example for TLS transport */
+#undef USE_CERT_BUFFERS_2048
+#define USE_CERT_BUFFERS_2048
+#include "wolfssl/certs_test.h"
+static int
+wh_PosixClient_ExampleTlsContextSetup(posixTransportTlsClientContext* ctx)
+{
+    int rc;
+
+    /* uncomment and compile with DEBUG_WOLFSSL for debugging  */
+    /* wolfSSL_Debugging_ON(); */
+
+    /* Create a new wolfSSL context to use with this connection */
+    ctx->ssl_ctx = wolfSSL_CTX_new(wolfSSLv23_client_method());
+    if (!ctx->ssl_ctx) {
+        return WH_ERROR_ABORTED;
+    }
+
+    /* don't use wolfHSM for TLS crypto when communicating with wolfHSM */
+    wolfSSL_CTX_SetDevId(ctx->ssl_ctx, INVALID_DEVID);
+
+    /* Load CA certificate for server verification */
+    rc = wolfSSL_CTX_load_verify_buffer(ctx->ssl_ctx, ca_cert_der_2048,
+                                        sizeof_ca_cert_der_2048,
+                                        CTC_FILETYPE_ASN1);
+    if (rc != WOLFSSL_SUCCESS) {
+        wolfSSL_CTX_free(ctx->ssl_ctx);
+        ctx->ssl_ctx = NULL;
+        return WH_ERROR_ABORTED;
+    }
+
+    rc = wolfSSL_CTX_use_certificate_buffer(ctx->ssl_ctx, client_cert_der_2048,
+                                            sizeof(client_cert_der_2048),
+                                            CTC_FILETYPE_ASN1);
+    if (rc != WOLFSSL_SUCCESS) {
+        wolfSSL_CTX_free(ctx->ssl_ctx);
+        ctx->ssl_ctx = NULL;
+        return WH_ERROR_ABORTED;
+    }
+
+    /* load private key for TLS connection */
+    rc = wolfSSL_CTX_use_PrivateKey_buffer(ctx->ssl_ctx, client_key_der_2048,
+                                           sizeof(client_key_der_2048),
+                                           CTC_FILETYPE_ASN1);
+    if (rc != WOLFSSL_SUCCESS) {
+        wolfSSL_CTX_free(ctx->ssl_ctx);
+        ctx->ssl_ctx = NULL;
+        return WH_ERROR_ABORTED;
+    }
+    /* Set verification mode */
+    wolfSSL_CTX_set_verify(ctx->ssl_ctx, WOLFSSL_VERIFY_PEER, NULL);
+
+    return WH_ERROR_OK;
+}
+
+#ifndef NO_PSK
+/* Simple PSK example callback */
+static unsigned int psk_tls12_client_cb(WOLFSSL* ssl, const char* hint,
+                                        char* identity, unsigned int id_max_len,
+                                        unsigned char* key,
+                                        unsigned int   key_max_len)
+{
+    size_t len;
+
+    memset(key, 0, key_max_len);
+    const char* exampleIdentity = "PSK_EXAMPLE_CLIENT_IDENTITY";
+
+    printf("PSK server identity hint: %s\n", hint);
+    printf("PSK using identity: %s\n", exampleIdentity);
+    strncpy(identity, exampleIdentity, id_max_len);
+
+    printf("Enter PSK password: ");
+    if (fgets((char*)key, key_max_len - 1, stdin) == NULL) {
+        memset(key, 0, key_max_len);
+        return 0U;
+    }
+
+    (void)ssl;
+    len = strcspn((char*)key, "\n");
+    ((char*)key)[len] = '\0';
+    return (unsigned int)len;
+}
+
+/* Setup WOLFSSL_CTX for use with PSK */
+static int
+wh_PosixClient_ExamplePskContextSetup(posixTransportTlsClientContext* ctx)
+{
+    /* uncomment and compile with DEBUG_WOLFSSL for debugging  */
+    /* wolfSSL_Debugging_ON(); */
+
+    /* Create a new wolfSSL context to use with this connection */
+    ctx->ssl_ctx = wolfSSL_CTX_new(wolfSSLv23_client_method());
+    if (!ctx->ssl_ctx) {
+        return WH_ERROR_ABORTED;
+    }
+
+    /* don't use wolfHSM for TLS crypto when communicating with wolfHSM */
+    wolfSSL_CTX_SetDevId(ctx->ssl_ctx, INVALID_DEVID);
+
+    wolfSSL_CTX_set_psk_client_callback(ctx->ssl_ctx, psk_tls12_client_cb);
+    /* Set verification mode */
+    wolfSSL_CTX_set_verify(ctx->ssl_ctx, WOLFSSL_VERIFY_PEER, NULL);
+
+    return WH_ERROR_OK;
+}
+#endif /* NO_PSK */
+
+static int wh_PosixClient_ExampleTlsCommonConfig(void* conf)
+{
+    whClientConfig* c_conf = (whClientConfig*)conf;
+
+    memset(&tccTls, 0, sizeof(posixTransportTlsClientContext));
+
+    /* Initialize TCP context fields that need specific values */
+    tccTls.state         = 0;
+    tccTls.connect_fd_p1 = 0; /* Invalid fd */
+    tccTls.request_sent  = 0;
+    tccTls.buffer_offset = 0;
+
+    tlsConfig.server_ip_string = WH_POSIX_SERVER_TCP_IPSTRING;
+    tlsConfig.server_port      = WH_POSIX_SERVER_TCP_PORT;
+    tlsConfig.verify_peer      = true;
+
+    c_comm.transport_cb      = &tlsCb;
+    c_comm.transport_context = (void*)&tccTls;
+    c_comm.transport_config  = (void*)&tlsConfig;
+    c_comm.client_id         = WH_POSIX_CLIENT_ID;
+    c_conf->comm             = &c_comm;
+
+    return WH_ERROR_OK;
+}
+
+int wh_PosixClient_ExampleTlsConfig(void* conf)
+{
+    if (wh_PosixClient_ExampleTlsCommonConfig(conf) != WH_ERROR_OK) {
+        return WH_ERROR_ABORTED;
+    }
+
+    if (wh_PosixClient_ExampleTlsContextSetup(&tccTls) != WH_ERROR_OK) {
+        return WH_ERROR_ABORTED;
+    }
+    return WH_ERROR_OK;
+}
+
+#ifndef NO_PSK
+int wh_PosixClient_ExamplePskConfig(void* conf)
+{
+    if (wh_PosixClient_ExampleTlsCommonConfig(conf) != WH_ERROR_OK) {
+        return WH_ERROR_ABORTED;
+    }
+
+    if (wh_PosixClient_ExamplePskContextSetup(&tccTls) != WH_ERROR_OK) {
+        return WH_ERROR_ABORTED;
+    }
+    return WH_ERROR_OK;
+}
+#endif /* NO_PSK */
+#endif /* WOLFHSM_CFG_NO_CRYPTO */
+
 
 /* client configuration setup example for transport */
 int wh_PosixClient_ExampleShmConfig(void* conf)

examples/posix/wh_posix_client/wh_posix_client_cfg.h

@@ -4,5 +4,11 @@
 int wh_PosixClient_ExampleShmDmaConfig(void* c_conf);
 int wh_PosixClient_ExampleShmConfig(void* c_conf);
 int wh_PosixClient_ExampleTcpConfig(void* c_conf);
+#ifndef WOLFHSM_CFG_NO_CRYPTO
+int wh_PosixClient_ExampleTlsConfig(void* c_conf);
+#endif
+#if !defined(WOLFHSM_CFG_NO_CRYPTO) && !defined(NO_PSK)
+int wh_PosixClient_ExamplePskConfig(void* c_conf);
+#endif
 int wh_PosixClient_ExampleSetupDmaMemory(void* ctx, void* c_conf);
 #endif /* WH_POSIX_CLIENT_CFG_H */

examples/posix/wh_posix_server/user_settings.h

@@ -48,9 +48,7 @@ extern "C" {
 #define HAVE_ANONYMOUS_INLINE_AGGREGATES 1
 
 /* For cert manager */
-#define NO_TLS
-/* Eliminates need for IO layer since we only use CM */
-#define WOLFSSL_USER_IO
+/* #define NO_TLS */
 /* For ACert support (also requires WOLFSSL_ASN_TEMPLATE) */
 #define WOLFSSL_ACERT
 
@@ -67,11 +65,11 @@ extern "C" {
 
 /** Remove unneeded features*/
 #define NO_MAIN_DRIVER
-#define NO_ERROR_STRINGS
+/* #define NO_ERROR_STRINGS */
 #define NO_ERROR_QUEUE
 #define NO_INLINE
 #define NO_OLD_TLS
-#define WOLFSSL_NO_TLS12
+/* #define WOLFSSL_NO_TLS12 */
 #define NO_DO178
 /* Prevents certain functions (SHA, hash.c) on server from falling back to
  * client cryptoCb when using non-devId APIs */
@@ -150,7 +148,7 @@ extern "C" {
 /* Remove unneeded crypto */
 #define NO_DSA
 #define NO_RC4
-#define NO_PSK
+/* #define NO_PSK */
 #define NO_MD4
 #define NO_MD5
 #define NO_DES3
@@ -191,6 +189,11 @@ extern "C" {
 #define WOLFSSL_STATIC_MEMORY
 #endif
 
+/* additional memory debugging macros, prints out each alloc and free */
+/* #define WOLFSSL_DEBUG_MEMORY */
+/* #define WOLFSSL_DEBUG_MEMORY_PRINT */
+
+/* #define DEBUG_WOLFSSL */
 #ifdef __cplusplus
 }
 #endif

examples/posix/wh_posix_server/wh_posix_server.c

@@ -273,7 +273,17 @@ static void Usage(const char* exeName)
     printf("Example: %s --key key.bin --id 123 --client 456 "
            "--nvminit nvm_init.txt --type tcp\n",
            exeName);
-    printf("type: tcp (default), shm, dma\n");
+    printf("type: tcp (default), shm");
+#ifndef WOLFHSM_CFG_NO_CRYPTO
+    printf(", tls");
+#endif
+#ifndef NO_PSK
+    printf(", psk");
+#endif
+#ifdef WOLFSSL_STATIC_MEMORY
+    printf(", dma");
+#endif
+    printf("\n");
 }
 
 
@@ -322,16 +332,48 @@ int main(int argc, char** argv)
     memset(s_conf, 0, sizeof(whServerConfig));
     if (strcmp(type, "tcp") == 0) {
         printf("Using TCP transport\n");
-        wh_PosixServer_ExampleTcpConfig(s_conf);
+        rc = wh_PosixServer_ExampleTcpConfig(s_conf);
+        if (rc != WH_ERROR_OK) {
+            printf("Failed to initialize TCP transport\n");
+            return -1;
+        }
     }
     else if (strcmp(type, "shm") == 0) {
         printf("Using shared memory transport\n");
-        wh_PosixServer_ExampleShmConfig(s_conf);
+        rc = wh_PosixServer_ExampleShmConfig(s_conf);
+        if (rc != WH_ERROR_OK) {
+            printf("Failed to initialize shared memory transport\n");
+            return -1;
+        }
+    }
+#ifndef WOLFHSM_CFG_NO_CRYPTO
+    else if (strcmp(type, "tls") == 0) {
+        printf("Using TLS transport\n");
+        rc = wh_PosixServer_ExampleTlsConfig(s_conf);
+        if (rc != WH_ERROR_OK) {
+            printf("Failed to initialize TLS transport\n");
+            return -1;
+        }
+    }
+#if !defined(WOLFHSM_CFG_NO_CRYPTO) && !defined(NO_PSK)
+    else if (strcmp(type, "psk") == 0) {
+        printf("Using TLS PSK transport\n");
+        rc = wh_PosixServer_ExamplePskConfig(s_conf);
+        if (rc != WH_ERROR_OK) {
+            printf("Failed to initialize TLS PSK transport\n");
+            return -1;
+        }
     }
+#endif
+#endif
 #ifdef WOLFSSL_STATIC_MEMORY
     else if (strcmp(type, "dma") == 0) {
         printf("Using DMA with shared memory transport\n");
-        wh_PosixServer_ExampleShmDmaConfig(s_conf);
+        rc = wh_PosixServer_ExampleShmDmaConfig(s_conf);
+        if (rc != WH_ERROR_OK) {
+            printf("Failed to initialize DMA with shared memory transport\n");
+            return -1;
+        }
     }
 #endif
     else {