123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392 |
- #include <stdlib.h>
- #include <stdio.h>
- #include <string.h>
- #include <sys/socket.h>
- #include <arpa/inet.h>
- #include <netinet/in.h>
- #include <unistd.h>
- #include <wolfssl/options.h>
- #include <wolfssl/ssl.h>
- #include <wolfssl/wolfcrypt/ecc.h>
- #include <wolfssl/wolfcrypt/port/caam/wolfcaam.h> /* functions for blob/cover*/
- #define DEFAULT_PORT 11111
- #define ECC_KEY_SIZE 32
- #undef USE_CERT_BUFFERS_256
- #define USE_CERT_BUFFERS_256
- #include <wolfssl/certs_test.h>
- static int test_blob(byte* key, int keySz)
- {
- int ret, i;
- byte out[keySz + WC_CAAM_BLOB_SZ];
- int outSz;
- int keyOutSz;
- byte keymod[WC_CAAM_BLACK_KEYMOD_SZ];
- int keymodSz = WC_CAAM_BLACK_KEYMOD_SZ;
-
- XMEMSET(keymod, 1, keymodSz);
-
- outSz = keySz + WC_CAAM_BLOB_SZ;
- ret = wc_caamCreateBlob_ex(key, keySz, out, (word32*)&outSz,
- WC_CAAM_BLOB_BLACK, keymod, keymodSz);
- if (ret != 0) {
- printf("Error creating black blob\n");
- return -1;
- }
- printf("created black blob :");
- for (i = 0; i < outSz; i++)
- printf("%02X,", out[i]);
- printf("\n");
-
- memset(key, 0, keySz);
- keyOutSz = keySz;
- ret = wc_caamOpenBlob_ex(out, outSz, key, (word32*)&keyOutSz,
- WC_CAAM_BLOB_BLACK, keymod, keymodSz);
- if (ret != 0) {
- printf("Error opening black blob\n");
- }
- return ret;
- }
- int cover(ecc_key* keyOut, const byte* der, word32 derSz)
- {
- int ret;
- ecc_key notSecure;
- word32 idx = 0;
-
- byte x963[(ECC_KEY_SIZE*2) + 1];
- word32 x963Sz = (ECC_KEY_SIZE*2) + 1;
-
- byte d[ECC_KEY_SIZE];
- word32 dSz = ECC_KEY_SIZE;
- byte blackKey[ECC_KEY_SIZE + WC_CAAM_MAC_SZ];
- word32 blackKeySz = ECC_KEY_SIZE + WC_CAAM_MAC_SZ;
-
- wc_ecc_init(¬Secure);
- if (wc_EccPrivateKeyDecode(der, &idx, ¬Secure, derSz) != 0) {
- printf("Error extracting ECC der buffer\n");
- ret = -1;
- goto done;
- }
-
- if (wc_ecc_export_private_raw(¬Secure, NULL, NULL, NULL, NULL, d, &dSz)
- != 0) {
- printf("Error getting ecc key values\n");
- ret = -1;
- goto done;
- }
- if (wc_ecc_export_x963(¬Secure, x963, &x963Sz) != 0) {
- printf("Error getting ecc public key\n");
- ret = -1;
- goto done;
- }
-
- XMEMSET(blackKey, 0, blackKeySz);
- if (wc_caamCoverKey(d, dSz, blackKey, &blackKeySz, 0) != 0) {
- printf("Error covering up the private key\n");
- ret = -1;
- goto done;
- }
-
- if (XMEMCMP(d, blackKey, dSz) == 0) {
- printf("Something went wrong with key cover!!\n");
- ret = -1;
- goto done;
- }
- if (test_blob(blackKey, blackKeySz - WC_CAAM_MAC_SZ) != 0) {
- printf("test blob failed\n");
- ret = -1;
- goto done;
- }
-
- XMEMSET(d, 0, dSz);
-
- ret = wc_ecc_import_private_key(blackKey, blackKeySz, x963, x963Sz, keyOut);
- if (ret != 0) {
- printf("Error importing black key into secure memory %d\n", ret);
- wc_ecc_free(keyOut);
- goto done;
- }
- printf("blackKeySz = %d, virtual secure address ecc_key.blackKey = 0x%08X\n",
- blackKeySz, keyOut->blackKey);
- ret = 0;
- done:
- wc_ecc_free(¬Secure);
- return ret;
- }
- static int TLS_ECC_Sign_callback(WOLFSSL* ssl, const unsigned char* in,
- unsigned int inSz, unsigned char* out, word32* outSz,
- const unsigned char* keyDer, unsigned int keySz,
- void* ctx)
- {
- ecc_key* blackKey;
- printf("Using ECC sign callback\n");
- if (ctx == NULL) {
- printf("Was expecting a black key passed along with WOLFSSL\n");
- return -1;
- }
- blackKey = (ecc_key*)ctx;
- return wc_ecc_sign_hash(in, inSz, out, outSz, NULL, blackKey);
- }
- static int TLS_ECDH_callback(WOLFSSL* ssl, struct ecc_key* otherKey,
- unsigned char* pubKeyDer, word32* pubKeySz,
- unsigned char* out, word32* outlen,
- int side, void* ctx)
- {
- int ret= -1;
- printf("Using ECDH callback\n");
- if (ctx == NULL) {
- printf("Was expecting a black key passed along with WOLFSSH\n");
- return -1;
- }
-
- if (side == WOLFSSL_CLIENT_END) {
- }
-
- if (side == WOLFSSL_SERVER_END) {
- ecc_key pub;
- wc_ecc_init(&pub);
- if (wc_ecc_import_x963(pubKeyDer, *pubKeySz, &pub) != 0) {
- printf("Issue decoding the public key to generate shared secret\n");
- wc_ecc_free(&pub);
- return -1;
- }
-
- ret = wc_ecc_shared_secret(otherKey, &pub, out, outlen);
- wc_ecc_free(&pub);
- }
- return ret;
- }
- int main()
- {
- int sockfd;
- int connd = 0;
- struct sockaddr_in servAddr;
- struct sockaddr_in clientAddr;
- socklen_t size = sizeof(clientAddr);
- char buff[256];
- size_t len;
- int ret;
- const char* reply = "I hear ya fa shizzle!\n";
- ecc_key blackKey;
-
- WOLFSSL_CTX* ctx = NULL;
- WOLFSSL* ssl = NULL;
-
- if (wolfSSL_Init() != WOLFSSL_SUCCESS) {
- fprintf(stderr, "issue with wolfSSL_Init()\n");
- return -1;
- }
- wolfSSL_Debugging_ON();
- wc_ecc_init(&blackKey);
-
- if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
- fprintf(stderr, "ERROR: failed to create the socket\n");
- goto end;
- }
-
- if ((ctx = wolfSSL_CTX_new(wolfTLSv1_2_server_method())) == NULL) {
- fprintf(stderr, "ERROR: failed to create WOLFSSL_CTX\n");
- goto end;
- }
-
- if (wolfSSL_CTX_use_certificate_buffer(ctx, serv_ecc_der_256,
- sizeof_serv_ecc_der_256, SSL_FILETYPE_ASN1) != SSL_SUCCESS) {
- printf("error loading in certificate buffer\n");
- goto end;
- }
- if (cover(&blackKey, ecc_key_der_256, sizeof_ecc_key_der_256) != 0) {
- printf("error covering up key\n");
- goto end;
- }
-
- wolfSSL_CTX_SetEccSignCb(ctx, TLS_ECC_Sign_callback);
-
- wolfSSL_CTX_SetEccSharedSecretCb(ctx, TLS_ECDH_callback);
-
- memset(&servAddr, 0, sizeof(servAddr));
-
- servAddr.sin_family = AF_INET;
- servAddr.sin_port = htons(DEFAULT_PORT);
- servAddr.sin_addr.s_addr = INADDR_ANY;
-
- if (bind(sockfd, (struct sockaddr*)&servAddr, sizeof(servAddr)) == -1) {
- fprintf(stderr, "ERROR: failed to bind\n");
- goto end;
- }
-
- if (listen(sockfd, 5) == -1) {
- fprintf(stderr, "ERROR: failed to listen\n");
- goto end;
- }
-
- printf("Waiting for a connection...\n");
-
- if ((connd = accept(sockfd, (struct sockaddr*)&clientAddr, &size)) == -1) {
- fprintf(stderr, "ERROR: failed to accept the connection\n\n");
- goto end;
- }
-
- if ((ssl = wolfSSL_new(ctx)) == NULL) {
- fprintf(stderr, "ERROR: failed to create WOLFSSL object\n");
- goto end;
- }
-
- wolfSSL_set_fd(ssl, connd);
-
- wolfSSL_SetEccSignCtx(ssl, (void*)&blackKey);
- wolfSSL_SetEccSharedSecretCtx(ssl, (void*)&blackKey);
-
- ret = wolfSSL_accept(ssl);
- if (ret != SSL_SUCCESS) {
- fprintf(stderr, "wolfSSL_accept error = %d\n",
- wolfSSL_get_error(ssl, ret));
- goto end;
- }
- printf("Client connected successfully\n");
-
- memset(buff, 0, sizeof(buff));
- if (wolfSSL_read(ssl, buff, sizeof(buff)-1) == -1) {
- fprintf(stderr, "ERROR: failed to read\n");
- goto end;
- }
-
- printf("Client: %s\n", buff);
-
- memset(buff, 0, sizeof(buff));
- memcpy(buff, reply, strlen(reply));
- len = strnlen(buff, sizeof(buff));
-
- if (wolfSSL_write(ssl, buff, len) != len) {
- fprintf(stderr, "ERROR: failed to write\n");
- goto end;
- }
- end:
-
- wolfSSL_free(ssl);
- close(connd);
- wc_ecc_free(&blackKey);
- printf("Shutdown complete\n");
-
- wolfSSL_CTX_free(ctx);
- wolfSSL_Cleanup();
- close(sockfd);
- return 0;
- }
|