Improve TPM handle use logic further. Only load to TPM when needed.

Author: dgarske

src/internal.c

@@ -6619,22 +6619,6 @@ int WP11_Object_SetRsaKey(WP11_Object* object, unsigned char** data,
             key->type = RSA_PRIVATE;
         }
     }
-#ifdef WOLFPKCS11_TPM
-    if (ret == 0 && key->type == RSA_PRIVATE) {
-        /* tell crypto callback which RsaKey to use*/
-        object->slot->tpmCtx.rsaKey = (WOLFTPM2_KEY*)&object->tpmKey;
-        /* load private key - populates handle */
-        ret = wolfTPM2_RsaKey_WolfToTpm_ex(&object->slot->tpmDev,
-            &object->slot->tpmSrk, &object->data.rsaKey,
-            (WOLFTPM2_KEY*)&object->tpmKey);
-        if (ret == 0) {
-            /* unload handle, but keep the WOLFTPM2 key populated,
-             * so we can load it again when needed */
-            wolfTPM2_UnloadHandle(&object->slot->tpmDev,
-                &object->tpmKey.handle);
-        }
-    }
-#endif
 
     if (ret != 0)
         wc_FreeRsaKey(key);
@@ -6801,23 +6785,6 @@ int WP11_Object_SetEcKey(WP11_Object* object, unsigned char** data,
                 key->type = ECC_PUBLICKEY;
             ret = EcSetPoint(key, data[2], (int)len[2]);
         }
-    #ifdef WOLFPKCS11_TPM
-        if (ret == 0 &&
-            (key->type == ECC_PRIVATEKEY_ONLY || key->type == ECC_PRIVATEKEY)) {
-            /* tell crypto callback which RsaKey to use*/
-            object->slot->tpmCtx.eccKey = (WOLFTPM2_KEY*)&object->tpmKey;
-            /* load private key */
-            ret = wolfTPM2_EccKey_WolfToTpm_ex(&object->slot->tpmDev,
-                &object->slot->tpmSrk, &object->data.ecKey,
-                (WOLFTPM2_KEY*)&object->tpmKey);
-            if (ret == 0) {
-                /* unload handle, but keep the WOLFTPM2 key populated,
-                 * so we can load it again when needed */
-                wolfTPM2_UnloadHandle(&object->slot->tpmDev,
-                    &object->tpmKey.handle);
-            }
-        }
-    #endif
 
         if (ret != 0)
             wc_ecc_free(key);
@@ -8316,6 +8283,59 @@ int WP11_Object_MatchAttr(WP11_Object* object, CK_ATTRIBUTE_TYPE type,
     return ret;
 }
 
+#if !defined(NO_RSA) || defined(HAVE_ECC)
+
+static int WP11_Object_LoadTpmKey(WP11_Object* object)
+{
+    int ret = 0;
+
+    if (object == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    switch (object->type) {
+    #ifndef NO_RSA
+        case CKK_RSA:
+        {
+            RsaKey* key = &object->data.rsaKey;
+            if (key->type == RSA_PRIVATE) {
+                /* tell crypto callback which RsaKey to use*/
+                object->slot->tpmCtx.rsaKey = (WOLFTPM2_KEY*)&object->tpmKey;
+                /* load private key */
+                ret = wolfTPM2_RsaKey_WolfToTpm_ex(&object->slot->tpmDev,
+                    &object->slot->tpmSrk, &object->data.rsaKey,
+                    (WOLFTPM2_KEY*)&object->tpmKey);
+            }
+            break;
+        }
+    #endif
+    #ifdef HAVE_ECC
+        case CKK_EC:
+        {
+            ecc_key* key = &object->data.ecKey;
+            if (key->type == ECC_PRIVATEKEY_ONLY || key->type == ECC_PRIVATEKEY) {
+                /* tell crypto callback which RsaKey to use*/
+                object->slot->tpmCtx.eccKey = (WOLFTPM2_KEY*)&object->tpmKey;
+                /* load private key */
+                ret = wolfTPM2_EccKey_WolfToTpm_ex(&object->slot->tpmDev,
+                    &object->slot->tpmSrk, &object->data.ecKey,
+                    (WOLFTPM2_KEY*)&object->tpmKey);
+            }
+            break;
+        }
+    #endif
+        default:
+            /* not supported on TPM, don't load and return success to use software key */
+            ret = 0;
+            break;
+    }
+
+    return ret;
+}
+
+#endif
+
+
 #ifndef NO_RSA
 
 /**
@@ -8519,22 +8539,16 @@ int WP11_Rsa_PrivateDecrypt(unsigned char* in, word32 inLen, unsigned char* out,
     ret = Rng_New(&slot->token.rng, &slot->token.rngLock, &rng);
     if (ret == 0) {
     #ifdef WOLFPKCS11_TPM
-        if (priv->opFlag & WP11_FLAG_TPM) {
-            /* load TPM key */
-            ret = wolfTPM2_LoadKey(&slot->tpmDev, &priv->tpmKey,
-                &slot->tpmCtx.storageKey->handle);
-        }
+        ret = WP11_Object_LoadTpmKey(priv);
         if (ret == 0)
     #endif
         {
             ret = wc_RsaFunction(in, inLen, out, outLen, RSA_PRIVATE_DECRYPT,
                                                       &priv->data.rsaKey, &rng);
-        }
-    #ifdef WOLFPKCS11_TPM
-        if (priv->opFlag & WP11_FLAG_TPM) {
+        #ifdef WOLFPKCS11_TPM
             wolfTPM2_UnloadHandle(&slot->tpmDev, &priv->tpmKey.handle);
+        #endif
         }
-    #endif
         Rng_Free(&rng);
     }
     if (priv->onToken)
@@ -8617,11 +8631,7 @@ int WP11_RsaPkcs15_PrivateDecrypt(unsigned char* in, word32 inLen,
     #endif
 
     #ifdef WOLFPKCS11_TPM
-        if (priv->opFlag & WP11_FLAG_TPM) {
-            /* load TPM key */
-            ret = wolfTPM2_LoadKey(&slot->tpmDev, &priv->tpmKey,
-                &slot->tpmCtx.storageKey->handle);
-        }
+        ret = WP11_Object_LoadTpmKey(priv);
         if (ret == 0)
     #endif
         {
@@ -8634,9 +8644,7 @@ int WP11_RsaPkcs15_PrivateDecrypt(unsigned char* in, word32 inLen,
             }
 
         #ifdef WOLFPKCS11_TPM
-            if (priv->opFlag & WP11_FLAG_TPM) {
-                wolfTPM2_UnloadHandle(&slot->tpmDev, &priv->tpmKey.handle);
-            }
+            wolfTPM2_UnloadHandle(&slot->tpmDev, &priv->tpmKey.handle);
         #endif
         }
 
@@ -8738,11 +8746,7 @@ int WP11_RsaOaep_PrivateDecrypt(unsigned char* in, word32 inLen,
     #endif
 
     #ifdef WOLFPKCS11_TPM
-        if (priv->opFlag & WP11_FLAG_TPM) {
-            /* load TPM key */
-            ret = wolfTPM2_LoadKey(&slot->tpmDev, &priv->tpmKey,
-                &slot->tpmCtx.storageKey->handle);
-        }
+        ret = WP11_Object_LoadTpmKey(priv);
         if (ret == 0)
     #endif
         {
@@ -8755,10 +8759,8 @@ int WP11_RsaOaep_PrivateDecrypt(unsigned char* in, word32 inLen,
                 ret = 0;
             }
 
-            #ifdef WOLFPKCS11_TPM
-            if (priv->opFlag & WP11_FLAG_TPM) {
-                wolfTPM2_UnloadHandle(&slot->tpmDev, &priv->tpmKey.handle);
-            }
+        #ifdef WOLFPKCS11_TPM
+            wolfTPM2_UnloadHandle(&slot->tpmDev, &priv->tpmKey.handle);
         #endif
         }
 
@@ -8819,11 +8821,7 @@ int WP11_Rsa_Sign(unsigned char* in, word32 inLen, unsigned char* sig,
     ret = Rng_New(&slot->token.rng, &slot->token.rngLock, &rng);
     if (ret == 0) {
     #ifdef WOLFPKCS11_TPM
-        if (priv->opFlag & WP11_FLAG_TPM) {
-            /* load TPM key */
-            ret = wolfTPM2_LoadKey(&slot->tpmDev, &priv->tpmKey,
-                &slot->tpmCtx.storageKey->handle);
-        }
+        ret = WP11_Object_LoadTpmKey(priv);
         if (ret == 0)
     #endif
         {
@@ -8835,9 +8833,7 @@ int WP11_Rsa_Sign(unsigned char* in, word32 inLen, unsigned char* sig,
             }
 
         #ifdef WOLFPKCS11_TPM
-            if (priv->opFlag & WP11_FLAG_TPM) {
-                wolfTPM2_UnloadHandle(&slot->tpmDev, &priv->tpmKey.handle);
-            }
+            wolfTPM2_UnloadHandle(&slot->tpmDev, &priv->tpmKey.handle);
         #endif
         }
 
@@ -8987,11 +8983,7 @@ int WP11_RsaPkcs15_Sign(unsigned char* encHash, word32 encHashLen,
     ret = Rng_New(&slot->token.rng, &slot->token.rngLock, &rng);
     if (ret == 0) {
     #ifdef WOLFPKCS11_TPM
-        if (priv->opFlag & WP11_FLAG_TPM) {
-            /* load TPM key */
-            ret = wolfTPM2_LoadKey(&slot->tpmDev, &priv->tpmKey,
-                &slot->tpmCtx.storageKey->handle);
-        }
+        ret = WP11_Object_LoadTpmKey(priv);
         if (ret == 0)
     #endif
         {
@@ -9002,9 +8994,7 @@ int WP11_RsaPkcs15_Sign(unsigned char* encHash, word32 encHashLen,
                 ret = 0;
             }
         #ifdef WOLFPKCS11_TPM
-            if (priv->opFlag & WP11_FLAG_TPM) {
-                wolfTPM2_UnloadHandle(&slot->tpmDev, &priv->tpmKey.handle);
-            }
+            wolfTPM2_UnloadHandle(&slot->tpmDev, &priv->tpmKey.handle);
         #endif
         }
         Rng_Free(&rng);
@@ -9086,11 +9076,7 @@ int WP11_RsaPKCSPSS_Sign(unsigned char* hash, word32 hashLen,
     ret = Rng_New(&slot->token.rng, &slot->token.rngLock, &rng);
     if (ret == 0) {
     #ifdef WOLFPKCS11_TPM
-        if (priv->opFlag & WP11_FLAG_TPM) {
-            /* load TPM key */
-            ret = wolfTPM2_LoadKey(&slot->tpmDev, &priv->tpmKey,
-                &slot->tpmCtx.storageKey->handle);
-        }
+        ret = WP11_Object_LoadTpmKey(priv);
         if (ret == 0)
     #endif
         {
@@ -9102,9 +9088,7 @@ int WP11_RsaPKCSPSS_Sign(unsigned char* hash, word32 hashLen,
                 ret = 0;
             }
         #ifdef WOLFPKCS11_TPM
-            if (priv->opFlag & WP11_FLAG_TPM) {
-                wolfTPM2_UnloadHandle(&slot->tpmDev, &priv->tpmKey.handle);
-            }
+            wolfTPM2_UnloadHandle(&slot->tpmDev, &priv->tpmKey.handle);
         #endif
         }
         Rng_Free(&rng);
@@ -9416,22 +9400,17 @@ int WP11_Ec_Sign(unsigned char* hash, word32 hashLen, unsigned char* sig,
         ret = Rng_New(&slot->token.rng, &slot->token.rngLock, &rng);
         if (ret == 0) {
         #ifdef WOLFPKCS11_TPM
-            if (priv->opFlag & WP11_FLAG_TPM) {
-                /* load TPM key */
-                ret = wolfTPM2_LoadKey(&slot->tpmDev, &priv->tpmKey,
-                    &slot->tpmCtx.storageKey->handle);
-            }
+            ret = WP11_Object_LoadTpmKey(priv);
             if (ret == 0)
         #endif
             {
                 ret = wc_ecc_sign_hash(hash, hashLen, encSig, &encSigLen, &rng,
                                                         &priv->data.ecKey);
-            }
-        #ifdef WOLFPKCS11_TPM
-            if (priv->opFlag & WP11_FLAG_TPM) {
+
+            #ifdef WOLFPKCS11_TPM
                 wolfTPM2_UnloadHandle(&slot->tpmDev, &priv->tpmKey.handle);
+            #endif
             }
-        #endif
             Rng_Free(&rng);
         }
 
@@ -9551,21 +9530,16 @@ int WP11_EC_Derive(unsigned char* point, word32 pointLen, unsigned char* key,
         if (priv->onToken)
             WP11_Lock_LockRO(priv->lock);
     #ifdef WOLFPKCS11_TPM
-        if (priv->opFlag & WP11_FLAG_TPM) {
-            /* load TPM key */
-            ret = wolfTPM2_LoadKey(&priv->slot->tpmDev, &priv->tpmKey,
-                &priv->slot->tpmCtx.storageKey->handle);
-        }
+        ret = WP11_Object_LoadTpmKey(priv);
         if (ret == 0)
     #endif
         {
             PRIVATE_KEY_UNLOCK();
             ret = wc_ecc_shared_secret(&priv->data.ecKey, &pubKey, key, &keyLen);
             PRIVATE_KEY_LOCK();
+
         #ifdef WOLFPKCS11_TPM
-            if (priv->opFlag & WP11_FLAG_TPM) {
-                wolfTPM2_UnloadHandle(&priv->slot->tpmDev, &priv->tpmKey.handle);
-            }
+            wolfTPM2_UnloadHandle(&priv->slot->tpmDev, &priv->tpmKey.handle);
         #endif
         }
         if (priv->onToken)

tests/unit.h

@@ -321,6 +321,10 @@ static CK_RV run_tests(TEST_FUNC* testFunc, int testFuncCnt, int onlySet,
     int i;
     void* testArgs;
 
+    if (verbose) {
+        wolfPKCS11_Debugging_On();
+    }
+
     for (i = 0; i < testFuncCnt; i++) {
         if (testFunc[i].flags != flags)
             continue;