Made a sampleTpmPublicKeyRsaBuffer string that holds the hansel key and made helper function LoadTpmSshKey added ci test

aidangarske · aidangarske · commit 574ee0fb4af8 · 2025-04-01T13:00:00.000-07:00
diff --git a/.github/workflows/tpm-ssh.yml b/.github/workflows/tpm-ssh.yml
@@ -0,0 +1,155 @@
+name: TPM SSH Test
+
+on:
+  push:
+    branches: [ '*' ]
+  pull_request:
+    branches: [ '*' ]
+
+jobs:
+  test-tpm-ssh:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v3
+      with:
+        path: wolfssh
+
+    # Clone dependencies
+    - name: Clone wolfSSL
+      uses: actions/checkout@v3
+      with:
+        repository: wolfSSL/wolfssl
+        path: wolfssl
+
+    - name: Clone wolfTPM
+      uses: actions/checkout@v3
+      with:
+        repository: wolfSSL/wolftpm
+        path: wolftpm
+
+    # Install dependencies
+    - name: Install Dependencies
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y libtool automake autoconf
+        sudo apt-get install -y ibmswtpm2
+
+    # Build and install wolfSSL
+    - name: Build wolfSSL
+      run: |
+        cd wolfssl
+        ./autogen.sh
+        ./configure --enable-wolftpm --enable-wolfssh
+        make
+        sudo make install
+        sudo ldconfig
+        cd ..
+
+    # Build and install wolfTPM
+    - name: Build wolfTPM
+      run: |
+        cd wolftpm
+        ./autogen.sh
+        ./configure --enable-swtpm
+        make
+        sudo make install
+        sudo ldconfig
+        cd ..
+
+    # Build wolfSSH
+    - name: Build wolfSSH
+      run: |
+        cd wolfssh
+        ./autogen.sh
+        ./configure --enable-tpm
+        make
+        sudo make install
+        sudo ldconfig
+        cd ..
+
+    # Start TPM simulator
+    - name: Start TPM Simulator
+      run: |
+        tpm_server &
+        sleep 2  # Give the simulator time to start
+
+    # Test TPM SSH Default Password
+    - name: Test TPM SSH Default Password
+      run: |
+        # Generate key with default password
+        cd wolftpm
+        ./examples/keygen/keygen keyblob.bin -rsa -t -pem -eh
+
+        # Convert key to SSH format
+        ssh-keygen -f key.pem -i -m PKCS8 > ../wolfssh/key.ssh
+        cd ..
+
+        # Start echoserver and wait for it to be ready
+        cd wolfssh
+        ./examples/echoserver/echoserver -s key.ssh &
+        SERVER_PID=$!
+        sleep 5  # Give the server more time to start
+        if ! kill -0 $SERVER_PID 2>/dev/null; then
+            echo "Server failed to start"
+            exit 1
+        fi
+        cd ..
+
+        # Test client connection with default password
+        cd wolfssh
+        ./examples/client/client -i ../wolftpm/keyblob.bin -u hansel -K ThisIsMyKeyAuth
+        cd ..
+
+    # Kill the server and simulator and restart them
+    - name: Kill server and simulator and restart
+      run: |
+        kill $SERVER_PID
+        sleep 2
+        pkill -f tpm_server
+        sleep 2
+        tpm_server &
+        sleep 2  # Give the simulator time to start
+
+    # Test the TPM SSH Custom Password
+    - name: Test TPM SSH Custom Password
+      run: |
+        # Test with custom password
+        cd wolftpm
+        ./examples/keygen/keygen keyblob2.bin -rsa -t -pem -eh -auth=custompassword
+
+        # Convert key to SSH format
+        ssh-keygen -f key.pem -i -m PKCS8 > ../wolfssh/key.ssh
+        cd ..
+
+        # Start echoserver and wait for it to be ready
+        cd wolfssh
+        ./examples/echoserver/echoserver -s key.ssh &
+        SERVER_PID=$!
+        sleep 5  # Give the server more time to start
+        if ! kill -0 $SERVER_PID 2>/dev/null; then
+            echo "Server failed to start"
+            exit 1
+        fi
+        cd ..
+
+        # Test with custom password
+        cd wolfssh
+        ./examples/client/client -i ../wolftpm/keyblob2.bin -u hansel -K custompassword
+        cd ..
+
+        # Cleanup
+        kill $SERVER_PID
+        pkill -f tpm_server
+
+    # Archive artifacts for debugging
+    - name: Archive test artifacts
+      if: always()
+      uses: actions/upload-artifact@v3
+      with:
+        name: test-artifacts
+        path: |
+          wolfssh/keyblob.bin
+          wolfssh/keyblob2.bin
+          wolfssh/key.pem
+          wolfssh/key.ssh
diff --git a/examples/echoserver/echoserver.c b/examples/echoserver/echoserver.c
@@ -1784,85 +1784,24 @@ static const char samplePublicKeyEccBuffer[] =
 #endif
 
 #ifndef WOLFSSH_NO_RSA
-static const char* samplePublicKeyRsaBuffer =
-    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqDwRVTRVk/wjPhoo66+Mztrc31KsxDZ"
-    "+kAV0139PHQ+wsueNpba6jNn5o6mUTEOrxrz0LMsDJOBM7CmG0983kF4gRIihECpQ0rcjO"
-    "P6BSfbVTE9mfIK5IsUiZGd8SoE9kSV2pJ2FvZeBQENoAxEFk0zZL9tchPS+OCUGbK4SDjz"
-    "uNZl/30Mczs73N3MBzi6J1oPo7sFlqzB6ecBjK2Kpjus4Y1rYFphJnUxtKvB0s+hoaadru"
-    "biE57dK6BrH5iZwVLTQKux31uCJLPhiktI3iLbdlGZEctJkTasfVSsUizwVIyRjhVKmbdI"
-    "RGwkU38D043AR1h0mUoGCPIKuqcFMf gretel\n"
-    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9P3ZFowOsONXHD5MwWiCciXytBRZGho"
-    "MNiisWSgUs5HdHcACuHYPi2W6Z1PBFmBWT9odOrGRjoZXJfDDoPi+j8SSfDGsc/hsCmc3G"
-    "p2yEhUZUEkDhtOXyqjns1ickC9Gh4u80aSVtwHRnJZh9xPhSq5tLOhId4eP61s+a5pwjTj"
-    "nEhBaIPUJO2C/M0pFnnbZxKgJlX7t1Doy7h5eXxviymOIvaCZKU+x5OopfzM/wFkey0EPW"
-    "NmzI5y/+pzU5afsdeEWdiQDIQc80H6Pz8fsoFPvYSG+s4/wz0duu7yeeV1Ypoho65Zr+pE"
-    "nIf7dO0B8EblgWt+ud+JI8wrAhfE4x hansel\n";
-#endif
-
-/* Loads a new key from a file and appends
- * it to the samplePublicKeyRsaBuffer */
-static char* LoadSshKey(const char* path)
-{
-    FILE* file;
-    char* buffer = NULL;
-    char* ret = NULL;
-    long length;
-    const char* gretelKey = samplePublicKeyRsaBuffer;
-    const char* hanselKey;
-    long gretelLen = (long)strlen(gretelKey);
-
-    /* Find where hansel's key starts (it's after gretel's key) */
-    hanselKey = strstr(gretelKey + 1, "ssh-rsa");
-    if (!hanselKey) {
-        fprintf(stderr, "Could not find hansel's key\n");
-        return NULL;
-    }
-
-    /* Calculate length of gretel's key portion */
-    gretelLen = hanselKey - gretelKey;
-
-    /* Read new key from file */
-    file = fopen(path, "rb");
-    if (!file) {
-        fprintf(stderr, "Failed to open SSH key file: %s\n", path);
-        return NULL;
-    }
-
-    fseek(file, 0, SEEK_END);
-    length = ftell(file);
-    fseek(file, 0, SEEK_SET);
-
-    buffer = (char*)WMALLOC(length + 1, NULL, DYNTYPE_BUFFER);
-    if (buffer) {
-        if (fread(buffer, 1, length, file) != (size_t)length) {
-            WFREE(buffer, NULL, DYNTYPE_BUFFER);
-            buffer = NULL;
-        }
-        else {
-            /* Remove any trailing newlines */
-            while (length > 0 && (buffer[length-1] == '\n'
-                || buffer[length-1] == '\r')) {
-                length--;
-            }
-            buffer[length] = '\0';
-
-            /* Allocate space for: gretel's key + new key + " hansel\n" */
-            ret = (char*)WMALLOC(gretelLen + length + 8, NULL, DYNTYPE_BUFFER);
-            if (ret) {
-                /* Copy gretel's key */
-                WMEMCPY(ret, gretelKey, gretelLen);
-                /* Copy new key */
-                WMEMCPY(ret + gretelLen, buffer, length);
-                /* Append hansel identifier */
-                WMEMCPY(ret + gretelLen + length, " hansel\n", 8);
-            }
-            WFREE(buffer, NULL, DYNTYPE_BUFFER);
-        }
-    }
-
-    fclose(file);
-    return ret;
-}
+#ifdef WOLFSSH_TPM
+    static const char* sampleTpmPublicKeyRsaBuffer = "";
+#else
+    static const char* samplePublicKeyRsaBuffer =
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqDwRVTRVk/wjPhoo66+Mztrc31KsxDZ"
+        "+kAV0139PHQ+wsueNpba6jNn5o6mUTEOrxrz0LMsDJOBM7CmG0983kF4gRIihECpQ0rcjO"
+        "P6BSfbVTE9mfIK5IsUiZGd8SoE9kSV2pJ2FvZeBQENoAxEFk0zZL9tchPS+OCUGbK4SDjz"
+        "uNZl/30Mczs73N3MBzi6J1oPo7sFlqzB6ecBjK2Kpjus4Y1rYFphJnUxtKvB0s+hoaadru"
+        "biE57dK6BrH5iZwVLTQKux31uCJLPhiktI3iLbdlGZEctJkTasfVSsUizwVIyRjhVKmbdI"
+        "RGwkU38D043AR1h0mUoGCPIKuqcFMf gretel\n"
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9P3ZFowOsONXHD5MwWiCciXytBRZGho"
+        "MNiisWSgUs5HdHcACuHYPi2W6Z1PBFmBWT9odOrGRjoZXJfDDoPi+j8SSfDGsc/hsCmc3G"
+        "p2yEhUZUEkDhtOXyqjns1ickC9Gh4u80aSVtwHRnJZh9xPhSq5tLOhId4eP61s+a5pwjTj"
+        "nEhBaIPUJO2C/M0pFnnbZxKgJlX7t1Doy7h5eXxviymOIvaCZKU+x5OopfzM/wFkey0EPW"
+        "NmzI5y/+pzU5afsdeEWdiQDIQc80H6Pz8fsoFPvYSG+s4/wz0duu7yeeV1Ypoho65Zr+pE"
+        "nIf7dO0B8EblgWt+ud+JI8wrAhfE4x hansel\n";
+#endif /* WOLFSSH_TPM */
+#endif /* WOLFSSH_NO_RSA */
 
 #ifdef WOLFSSH_ALLOW_USERAUTH_NONE
 
@@ -2159,6 +2098,46 @@ static int LoadPubKeyList(StrList* strList, int format, PwMapList* mapList)
 }
 #endif
 
+#ifdef WOLFSSH_TPM
+static char* LoadTpmSshKey(const char* keyFile)
+{
+    FILE* file;
+    char* buffer = NULL;
+    char* ret = NULL;
+    long length;
+
+    file = fopen(keyFile, "rb");
+    if (!file) {
+        fprintf(stderr,
+            "Failed to open TPM key file: %s\n", keyFile);
+        return NULL;
+    }
+
+    fseek(file, 0, SEEK_END);
+    length = ftell(file);
+    fseek(file, 0, SEEK_SET);
+
+    buffer = (char*)WMALLOC(length + 8 + 1, NULL, DYNTYPE_BUFFER);
+    if (buffer) {
+        if (fread(buffer, 1, length, file) == (size_t)length) {
+            while (length > 0 && (buffer[length-1] == '\n' ||
+                                buffer[length-1] == '\r')) {
+                length--;
+            }
+            WMEMCPY(buffer + length, " hansel\n", 8);
+            buffer[length + 8] = '\0';
+            ret = buffer;
+        }
+        else {
+            WFREE(buffer, NULL, DYNTYPE_BUFFER);
+        }
+    }
+
+    fclose(file);
+    return ret;
+}
+#endif
+
 static int wsUserAuthResult(byte res,
                       WS_UserAuthData* authData,
                       void* ctx)
@@ -2422,6 +2401,7 @@ static void ShowUsage(void)
            "               (user assumed in comment)\n");
     printf(" -I <name>:<file>\n"
            "               load in a SSH public key to accept from peer\n");
+    printf(" -s <file>     load in a TPM public key file to replace default hansel key\n");
     printf(" -J <name>:<file>\n"
            "               load in an X.509 PEM cert to accept from peer\n");
     printf(" -K <name>:<file>\n"
@@ -2439,7 +2419,6 @@ static void ShowUsage(void)
            "to use\n");
     printf(" -m <list>     set the comma separated list of mac algos to use\n");
     printf(" -b <num>      test user auth would block\n");
-    printf(" -s <file>     load SSH public key file to replace default hansel key\n");
 }
 
 
@@ -2485,7 +2464,9 @@ THREAD_RETURN WOLFSSH_THREAD echoserver_test(void* args)
     const char* macList = NULL;
     const char* cipherList = NULL;
     ES_HEAP_HINT* heap = NULL;
-    static char* sshKeyPath = NULL;
+    #ifdef WOLFSSH_TPM
+        static char* tpmKeyPath = NULL;
+    #endif
     int multipleConnections = 1;
     int userEcc = 0;
     int peerEcc = 0;
@@ -2613,7 +2594,9 @@ THREAD_RETURN WOLFSSH_THREAD echoserver_test(void* args)
                     break;
 
                 case 's':
-                    sshKeyPath = myoptarg;
+                    #ifdef WOLFSSH_TPM
+                        tpmKeyPath = myoptarg;
+                    #endif
                     break;
 
                 default:
@@ -2648,20 +2631,22 @@ THREAD_RETURN WOLFSSH_THREAD echoserver_test(void* args)
         ES_ERROR("Couldn't initialize wolfSSH.\n");
     }
 
-    /* Load custom SSH key if specified */
-    if (sshKeyPath != NULL) {
-        const char* newBuffer = LoadSshKey(sshKeyPath);
+    /* Load custom TPM key if specified */
+    #ifdef WOLFSSH_TPM
+    if (tpmKeyPath != NULL) {
+        const char* newBuffer = LoadTpmSshKey(tpmKeyPath);
         if (newBuffer != NULL) {
-            samplePublicKeyRsaBuffer = newBuffer;
+            sampleTpmPublicKeyRsaBuffer = newBuffer;
         }
         else {
-            ES_ERROR("Failed to load SSH key from %s\n", sshKeyPath);
+            ES_ERROR("Failed to load TPM key from %s\n", tpmKeyPath);
         }
-        #ifdef WOLFSSH_DEBUG
-            printf("New samplePublicKeyRsaBuffer:\n%s\n",
-                samplePublicKeyRsaBuffer);
-        #endif
+        printf("New sampleTpmPublicKeyRsaBuffer:\n%s\n", sampleTpmPublicKeyRsaBuffer);
     }
+    else {
+        printf("No TPM key loaded\n");
+    }
+    #endif
 
     #ifdef WOLFSSH_STATIC_MEMORY
     {
@@ -2877,7 +2862,11 @@ THREAD_RETURN WOLFSSH_THREAD echoserver_test(void* args)
         }
         else {
         #ifndef WOLFSSH_NO_RSA
-            bufName = samplePublicKeyRsaBuffer;
+            #ifdef WOLFSSH_TPM
+                bufName = sampleTpmPublicKeyRsaBuffer;
+            #else
+                bufName = samplePublicKeyRsaBuffer;
+            #endif
         #endif
         }
         if (bufName != NULL) {
