From 6ac2c4b0ca8a3667acb099830d2d4760c998739a Mon Sep 17 00:00:00 2001 From: Shrikant Temburwar Date: Fri, 17 Mar 2023 14:04:56 +0530 Subject: [PATCH 01/60] Update APIs in unit test (#221) Signed-off-by: Shrikant Temburwar --- tests/unit/test_cryptoSupport.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/tests/unit/test_cryptoSupport.c b/tests/unit/test_cryptoSupport.c index e4e16b8e..22fb25db 100644 --- a/tests/unit/test_cryptoSupport.c +++ b/tests/unit/test_cryptoSupport.c @@ -2614,9 +2614,10 @@ TEST_CASE("fdo_device_sign", "[crypto_support][fdo]") const uint8_t *message = test_buff1; size_t message_len = sizeof(test_buff1); fdo_byte_array_t *signature = NULL; + fdo_byte_array_t *eat_maroe = NULL; // Positive test case - ret = fdo_device_sign(message, message_len, &signature); + ret = fdo_device_sign(message, message_len, &signature, &eat_maroe); TEST_ASSERT_EQUAL(0, ret); if (signature) { fdo_byte_array_free(signature); @@ -2633,9 +2634,10 @@ TEST_CASE("fdo_device_sign_invalid_message", "[crypto_support][fdo]") int ret; size_t message_len = sizeof(test_buff1); fdo_byte_array_t *signature = NULL; + fdo_byte_array_t *eat_maroe = NULL; /* Negative test case */ - ret = fdo_device_sign(NULL, message_len, &signature); + ret = fdo_device_sign(NULL, message_len, &signature, &eat_maroe); TEST_ASSERT_EQUAL(-1, ret); if (signature) { fdo_byte_array_free(signature); @@ -2652,9 +2654,10 @@ TEST_CASE("fdo_device_sign_invalid_message_len", "[crypto_support][fdo]") int ret; const uint8_t *message = test_buff1; fdo_byte_array_t *signature = NULL; + fdo_byte_array_t *eat_maroe = NULL; /* Negative test case */ - ret = fdo_device_sign(message, 0, &signature); + ret = fdo_device_sign(message, 0, &signature, &eat_maroe); TEST_ASSERT_EQUAL(-1, ret); if (signature) { fdo_byte_array_free(signature); 
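Review bot: The new `eat_maroe` out-parameter is passed to `fdo_device_sign` in every updated test but is never checked or released; the visible cleanup still frees only `signature`. If `fdo_device_sign` can allocate `*eat_maroe` (its definition is not part of this patch), the positive case leaks it, and the negative cases do not verify that it stays NULL on failure. Consider adding `if (eat_maroe) { fdo_byte_array_free(eat_maroe); }` next to the existing signature cleanup, and `TEST_ASSERT_NULL(eat_maroe);` after each `TEST_ASSERT_EQUAL(-1, ret);`. The same applies to the later hunks at -3097, -3119 and -3141 (`get_ec_key_fail_case`, `ECDSA_size_fail_case`, `memcpy_s_fail_case`); all of these test bodies continue outside their hunks.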
@@ -3097,9 +3100,10 @@ TEST_CASE("get_ec_key_fail_case", "[crypto_support][fdo]") const uint8_t *message = test_buff1; size_t message_len = sizeof(test_buff1); fdo_byte_array_t *signature = NULL; + fdo_byte_array_t *eat_maroe = NULL; get_ec_key_fail_flag = true; - ret = fdo_device_sign(message, message_len, &signature); + ret = fdo_device_sign(message, message_len, &signature, &eat_maroe); TEST_ASSERT_EQUAL(-1, ret); get_ec_key_fail_flag = false; @@ -3119,9 +3123,10 @@ TEST_CASE("ECDSA_size_fail_case", "[crypto_support][fdo]") const uint8_t *message = test_buff1; size_t message_len = sizeof(test_buff1); fdo_byte_array_t *signature = NULL; + fdo_byte_array_t *eat_maroe = NULL; ECDSA_size_fail_flag = true; - ret = fdo_device_sign(message, message_len, &signature); + ret = fdo_device_sign(message, message_len, &signature, &eat_maroe); TEST_ASSERT_EQUAL(-1, ret); ECDSA_size_fail_flag = false; @@ -3141,9 +3146,10 @@ TEST_CASE("memcpy_s_fail_case", "[crypto_support][fdo]") const uint8_t *message = test_buff1; size_t message_len = sizeof(test_buff1); fdo_byte_array_t *signature = NULL; + fdo_byte_array_t *eat_maroe = NULL; memcpy_s_fail_flag = true; - ret = fdo_device_sign(message, message_len, &signature); + ret = fdo_device_sign(message, message_len, &signature, &eat_maroe); memcpy_s_fail_flag = false; TEST_ASSERT_EQUAL(-1, ret); #else From 4c0148323129e94368a2693b5cf4ebfaa07ac689 Mon Sep 17 00:00:00 2001 From: Shrikant Temburwar Date: Mon, 20 Mar 2023 13:08:54 +0530 Subject: [PATCH 02/60] Update TPM library installation script (#222) * Update TPM library installation script * Readme updates Signed-off-by: Shrikant Temburwar --- docs/cse.md | 2 +- docs/linux.md | 2 +- docs/tpm.md | 2 +- utils/install_tpm_libs.sh | 3 +-- utils/install_tpm_libs_rhel.sh | 3 --- 5 files changed, 4 insertions(+), 8 deletions(-) diff --git a/docs/cse.md b/docs/cse.md index ff699563..58b41c57 100644 --- a/docs/cse.md +++ b/docs/cse.md 
@@ -101,7 +101,7 @@ After installing openssl, proceed with the installation of curl. 1. Pull the tarball: ``` - wget https://github.com/curl/curl/releases/download/curl-7.88_0/curl-7.88.0.tar.gz + wget https://github.com/curl/curl/releases/download/curl-7_88_0/curl-7.88.0.tar.gz ``` 2. Unpack the tarball with: ``` diff --git a/docs/linux.md b/docs/linux.md index bf637557..50c4c1c0 100644 --- a/docs/linux.md +++ b/docs/linux.md @@ -94,7 +94,7 @@ After installing openssl, proceed with the installation of curl. 1. Pull the tarball: ``` - wget https://github.com/curl/curl/releases/download/curl-7.88_0/curl-7.88.0.tar.gz + wget https://github.com/curl/curl/releases/download/curl-7_88_0/curl-7.88.0.tar.gz ``` 2. Unpack the tarball with: ``` diff --git a/docs/tpm.md b/docs/tpm.md index d1df77dc..809887a1 100644 --- a/docs/tpm.md +++ b/docs/tpm.md @@ -96,7 +96,7 @@ After installing openssl, proceed with the installation of curl. 1. Pull the tarball: ``` - wget https://github.com/curl/curl/releases/download/curl-7.88_0/curl-7.88.0.tar.gz + wget https://github.com/curl/curl/releases/download/curl-7_88_0/curl-7.88.0.tar.gz ``` 2. Unpack the tarball with: ``` diff --git a/utils/install_tpm_libs.sh b/utils/install_tpm_libs.sh index 68267240..9a7d68d5 100755 --- a/utils/install_tpm_libs.sh +++ b/utils/install_tpm_libs.sh @@ -31,8 +31,7 @@ install_dependencies() autoconf \ doxygen \ m4 \ - pandoc \ - libcurl4-openssl-dev + pandoc pip install pyyaml PyYAML } diff --git a/utils/install_tpm_libs_rhel.sh b/utils/install_tpm_libs_rhel.sh index eb0715be..59611ee9 100755 --- a/utils/install_tpm_libs_rhel.sh +++ b/utils/install_tpm_libs_rhel.sh @@ -29,16 +29,13 @@ install_dependencies() doxygen \ m4 \ pandoc \ - libcurl-devel \ uriparser-devel \ dbus-devel \ glib2-devel \ dbus-x11 \ - libgcrypt-devel \ libuuid-devel \ diffutils - dnf builddep tpm2-tss pip3 install pyyaml PyYAML } From 7a97df222496876ee36c03177aec98e18e356356 Mon Sep 17 00:00:00 2001 
From: Shrikant Temburwar Date: Mon, 27 Mar 2023 17:28:52 +0530 Subject: [PATCH 03/60] Readme and TPM RHEL script updates (#224) * Readme updates * Update TPM lib installation script for RHEL Signed-off-by: Shrikant Temburwar --- docs/cse.md | 26 +++++++++++++------------- docs/linux.md | 30 +++++++++++++++--------------- docs/tpm.md | 28 ++++++++++++++-------------- utils/install_tpm_libs_rhel.sh | 5 ++++- 4 files changed, 46 insertions(+), 43 deletions(-) diff --git a/docs/cse.md b/docs/cse.md index 58b41c57..9eee6d02 100644 --- a/docs/cse.md +++ b/docs/cse.md 
@@ -3,15 +3,15 @@ -# Linux* CSE* Implementation +# Intel® CSE Implementation The development and execution OS used was `Ubuntu* OS version 20.04 or 22.04 / RHEL* OS version 8.4 or 8.6 / Debian 11.4` on x86. Follow these steps to compile and execute FIDO Device Onboard (FDO). -The CSE* enabled FDO Client SDK execution depends on OpenSSL* toolkit 1.1.1t version. Users must install or upgrade the toolkit before compilation if the toolkit is not available by default in the environment. +The Intel® CSE (Intel® Converged Security Engine) enabled FDO Client SDK execution depends on OpenSSL* toolkit 1.1.1t version. Users must install or upgrade the toolkit before compilation if the toolkit is not available by default in the environment. -# Prerequisites for CSE support -The system hardware should have the support for CSE FDO client with UUID: 125405e0-fca9-4110-8f88-b4dbcdcb876f +# Prerequisites for Intel® CSE support +The system hardware should have the support for Intel® CSE FDO client with UUID: 125405e0-fca9-4110-8f88-b4dbcdcb876f -The linux kernel should have the support to enable the CSE clients and have FDO in that list. This support is available in intel-next kernel version 5.9 onwards and is upstreamed in kernel.org version 6.2-rc7 onwards. +The linux kernel should have the support to enable the Intel® CSE clients and have FDO in that list. This support is available in intel-next kernel version 5.9 onwards and is upstreamed in kernel.org version 6.2-rc7 onwards. ## 1. Packages Requirements when Building Binaries: * For Ubuntu* OS version 20.04 or 22.04 / Debian 11.4: 
@@ -160,7 +160,7 @@ Note 3: On RHEL, Curl could also be installed using yum package manager as shown ## 3. Compiling Intel safestringlib -CSE* enabled FDO Client SDK uses safestringlib for string and memory operations to prevent serious security vulnerabilities (For example, buffer overflows). Download safestringlib from intel-safestringlib and follow these instructions to build: +FDO Client SDK uses safestringlib for string and memory operations to prevent serious security vulnerabilities (For example, buffer overflows). Download safestringlib from intel-safestringlib and follow these instructions to build: From the root of the safestringlib, do the following: ```shell mkdir obj @@ -169,13 +169,13 @@ From the root of the safestringlib, do the following: After this step, `libsafestring.a` library will be created. ## 4. Compiling Intel TinyCBOR -CSE* enabled FDO Client SDK uses TinyCBOR library for Concise Binary Object Representation (CBOR) encoding and decoding. Download TinyCBOR from TinyCBOR, checkout to the tag `v0.5.3` and follow these instructions to build: +FDO Client SDK uses TinyCBOR library for Concise Binary Object Representation (CBOR) encoding and decoding. Download TinyCBOR from TinyCBOR, checkout to the tag `v0.5.3` and follow these instructions to build: From the root of the TinyCBOR (named `tinycbor`), do the following: ```shell make ``` ## 5. Compiling Intel ME TEE -CSE* enabled FDO Client SDK uses ME TEE library to communicate with CSE through HECI. Download ME TEE from METEE, and follow these instructions to build: +Intel® CSE enabled FDO Client SDK uses ME TEE library to communicate with CSE through HECI. Download ME TEE from METEE, and follow these instructions to build: From the root of the METEE(named `metee`), do the following: ```shell cmake . 
@@ -192,9 +192,9 @@ export TINYCBOR_ROOT=path/to/tinycbor export METEE_ROOT=path/to/metee ``` -## 7. Compiling CSE* enabled FDO Client SDK +## 7. Compiling Intel® CSE enabled FDO Client SDK -The CSE* enabled FDO Client SDK build system is based on GNU make. It assumes that all the requirements are set up according to [ FDO Compilation Setup ](setup.md). The application is built using the `cmake [options]` in the root of the repository for all supported platforms. The debug and release build modes are supported in building the CSE* enabled FDO Client SDK. +The Intel® CSE enabled FDO Client SDK build system is based on GNU make. It assumes that all the requirements are set up according to [ FDO Compilation Setup ](setup.md). The application is built using the `cmake [options]` in the root of the repository for all supported platforms. The debug and release build modes are supported in building the Intel® CSE enabled FDO Client SDK. For an advanced build configuration, refer to [ Advanced Build Configuration ](build_conf.md). 
@@ -208,13 +208,13 @@ Refer to the section [FDO Build configurations](build_conf.md) for more build op ## 8. Running the Application -The CSE* enabled FDO Client SDK Linux device is compatible with FDO PRI components namely: Manufacturer, Rendezvous, and Owner. +The Intel® CSE enabled FDO Client SDK Linux device is compatible with FDO PRI components namely: Manufacturer, Rendezvous, and Owner. -To test the CSE* enabled FDO Client SDK Linux device, setup the [FDO PRI Manufacturer](https://github.com/secure-device-onboard/pri-fidoiot/blob/master/component-samples/demo/manufacturer/README.md), +To test the Intel® CSE enabled FDO Client SDK Linux device, setup the [FDO PRI Manufacturer](https://github.com/secure-device-onboard/pri-fidoiot/blob/master/component-samples/demo/manufacturer/README.md), [FDO PRI Rendezvous](https://github.com/secure-device-onboard/pri-fidoiot/blob/master/component-samples/demo/rv/README.md), and [FDO PRI Owner](https://github.com/secure-device-onboard/pri-fidoiot/blob/master/component-samples/demo/owner/README.md). -After a successful compilation, the CSE* enabled FDO Client SDK Linux device executable can be found at `/build/linux-client`. +After a successful compilation, the Intel® CSE enabled FDO Client SDK Linux device executable can be found at `/build/linux-client`. > ***NOTE***: Built binary can be either `debug` or `release` based on the compilation step. - Before executing `linux-client`, prepare for Device Initialization (DI) by starting the FDO PRI Manufacturer. diff --git a/docs/linux.md b/docs/linux.md index 50c4c1c0..d3bdbf1c 100644 --- a/docs/linux.md +++ b/docs/linux.md 
@@ -4,7 +4,7 @@ # Linux* OS The development and execution OS used was `Ubuntu* OS version 20.04 or 22.04 / RHEL* OS version 8.4 or 8.6 / Debian 11.4` on x86. Follow these steps to compile and execute FIDO Device Onboard (FDO). -The FDO Client SDK execution depends on OpenSSL* toolkit 1.1.1t version. Users must install or upgrade the toolkit before compilation if the toolkit is not available by default in the environment. +The FDO Client SDK execution depends on OpenSSL* toolkit 1.1.1s version. Users must install or upgrade the toolkit before compilation if the toolkit is not available by default in the environment. ## 1. Packages Requirements when Building Binaries: * For Ubuntu* OS version 20.04 or 22.04 / Debian 11.4: @@ -24,9 +24,9 @@ sudo yum -y install gcc gcc-c++ python3-setuptools git-clang-format dos2unix rub ``` ## 2. Packages Requirements when Executing Binaries: -OpenSSL* toolkit version 1.1.1t +OpenSSL* toolkit version 1.1.1s GCC version > 7.5 -Curl version 7.88 +Curl version 7.86 #### Steps to remove the older curl packages @@ -39,15 +39,15 @@ Curl version 7.88 yum remove curl libcurl-devel ``` -#### Steps to Upgrade the OpenSSL* Toolkit to Version 1.1.1t +#### Steps to Upgrade the OpenSSL* Toolkit to Version 1.1.1s 1. Pull the tarball: ``` - wget https://www.openssl.org/source/openssl-1.1.1t.tar.gz + wget https://www.openssl.org/source/openssl-1.1.1s.tar.gz ``` 2. Unpack the tarball with: ``` - tar -zxf openssl-1.1.1t.tar.gz && cd openssl-1.1.1t + tar -zxf openssl-1.1.1s.tar.gz && cd openssl-1.1.1s ``` 3. Issue the command: ``` 
@@ -85,20 +85,20 @@ Issue the following command from the terminal: ``` Your output should be as follows: ``` - OpenSSL* 1.1.1t 7 Feb 2023 + OpenSSL* 1.1.1s 1 Nov 2022 ``` -#### Steps to install curl version 7.88 configured with openssl +#### Steps to install curl version 7.86 configured with openssl After installing openssl, proceed with the installation of curl. 1. Pull the tarball: ``` - wget https://github.com/curl/curl/releases/download/curl-7_88_0/curl-7.88.0.tar.gz + wget https://github.com/curl/curl/releases/download/curl-7_86_0/curl-7.86.0.tar.gz ``` 2. Unpack the tarball with: ``` - tar -zxf curl-7.88.0.tar.gz && cd curl-7.88.0 + tar -zxf curl-7.86.0.tar.gz && cd curl-7.86.0 ``` 3. Issue the command to configure the curl with openssl: ``` @@ -121,14 +121,14 @@ Issue the following command from the terminal: ``` Your output should point to the openssl version which you installed. ``` - curl 7.88.0 (x86_64-pc-linux-gnu) libcurl/7.88.0 OpenSSL/1.1.1t zlib/1.2.11 + curl 7.86.0 (x86_64-pc-linux-gnu) libcurl/7.86.0 OpenSSL/1.1.1s zlib/1.2.11 ``` Note 1: If above command is not successful, then link the path where curl is installed to the system path ``` sudo ln -s /usr/local/bin/curl /usr/bin/curl ``` -Note 2: If you are using no_proxy environment variable to exclude proxying for any FDO server IP addresses along with curl 7.88 in your setup, ensure to use CIDR notation (https://datatracker.ietf.org/doc/html/rfc1519) as given in below examples. +Note 2: If you are using no_proxy environment variable to exclude proxying for any FDO server IP addresses along with curl 7.86 in your setup, ensure to use CIDR notation (https://datatracker.ietf.org/doc/html/rfc1519) as given in below examples. Single IP address example: no_proxy="10.60.132.45/32" Two IP addresses example: no_proxy="10.60.132.45/32,10.60.132.46/32" 
@@ -207,10 +207,10 @@ After a successful compilation, the FDO Client SDK Linux device executable can b ```shell ./build/linux-client ``` -- If the client-sdk binary is built on openssl 1.1.1t environment and then executed with openssl 3 environment, it may fail with "libssl.so.1.1 not found" error. In order to successfully execute it, build the specific 1.1.1 version dependent libraries and make it available as well: +- If the client-sdk binary is built on openssl 1.1.1s environment and then executed with openssl 3 environment, it may fail with "libssl.so.1.1 not found" error. In order to successfully execute it, build the specific 1.1.1 version dependent libraries and make it available as well: ``` - wget https://www.openssl.org/source/openssl-1.1.1t.tar.gz - tar -zxf openssl-1.1.1t.tar.gz && cd openssl-1.1.1t + wget https://www.openssl.org/source/openssl-1.1.1s.tar.gz + tar -zxf openssl-1.1.1s.tar.gz && cd openssl-1.1.1s ./config make cp libssl.so.1.1 /usr/lib/x86_64-linux-gnu/ diff --git a/docs/tpm.md b/docs/tpm.md index 809887a1..88191090 100644 --- a/docs/tpm.md +++ b/docs/tpm.md @@ -6,7 +6,7 @@ `Ubuntu* OS version 20.04 or 22.04 / RHEL* OS version 8.4 or 8.6 / Debian 11.4` on x86 was used as a development and execution OS. Follow these steps to compile and execute FIDO Device Onboard (FDO). -The FDO Client SDK execution depends on OpenSSL* toolkit 1.1.1t version. Users must install or upgrade the toolkit before compilation if the toolkit is not available by default in the environment. +The FDO Client SDK execution depends on OpenSSL* toolkit 1.1.1s version. Users must install or upgrade the toolkit before compilation if the toolkit is not available by default in the environment. ## 1. Packages Requirements when Building Binaries with TPM* 2.0: 
@@ -26,10 +26,10 @@ sudo yum -y install gcc gcc-c++ python3-setuptools git-clang-format dos2unix rub glib2-devel libpcap-devel autoconf libtool libproxy-devel mozjs52-devel doxygen cmake make mercurial perl ``` -OpenSSL* toolkit version 1.1.1t. -Curl version 7.88 +OpenSSL* toolkit version 1.1.1s. +Curl version 7.86 -#### Steps to Upgrade the OpenSSL* Toolkit to Version 1.1.1t +#### Steps to Upgrade the OpenSSL* Toolkit to Version 1.1.1s 1. If libssl-dev, curl and libcurl are installed, uninstall it: @@ -45,11 +45,11 @@ Curl version 7.88 ``` 2. Pull the tarball: ``` - wget https://www.openssl.org/source/openssl-1.1.1t.tar.gz + wget https://www.openssl.org/source/openssl-1.1.1s.tar.gz ``` 3. Unpack the tarball with: ``` - tar -zxf openssl-1.1.1t.tar.gz && cd openssl-1.1.1t + tar -zxf openssl-1.1.1s.tar.gz && cd openssl-1.1.1s ``` 4. Issue the command: ``` @@ -87,20 +87,20 @@ Issue the following command from the terminal: ``` Your output should be as follows: ``` - OpenSSL* 1.1.1t 7 Feb 2023 + OpenSSL* 1.1.1s 1 Nov 2022 ``` -#### Steps to install curl version 7.88 configured with openssl +#### Steps to install curl version 7.86 configured with openssl After installing openssl, proceed with the installation of curl. 1. Pull the tarball: ``` - wget https://github.com/curl/curl/releases/download/curl-7_88_0/curl-7.88.0.tar.gz + wget https://github.com/curl/curl/releases/download/curl-7_86_0/curl-7.86.0.tar.gz ``` 2. Unpack the tarball with: ``` - tar -zxf curl-7.88.0.tar.gz && cd curl-7.88.0 + tar -zxf curl-7.86.0.tar.gz && cd curl-7.86.0 ``` 3. Issue the command to configure the curl with openssl: ``` 
@@ -123,14 +123,14 @@ Issue the following command from the terminal: ``` Your output should point to the openssl version which you installed. ``` - curl 7.88.0 (x86_64-pc-linux-gnu) libcurl/7.88.0 OpenSSL/1.1.1t zlib/1.2.11 + curl 7.86.0 (x86_64-pc-linux-gnu) libcurl/7.86.0 OpenSSL/1.1.1s zlib/1.2.11 ``` Note 1: If above command is not successful, then link the path where curl is installed to the system path ``` sudo ln -s /usr/local/bin/curl /usr/bin/curl ``` -Note 2: If you are using no_proxy environment variable to exclude proxying for any FDO server IP addresses, it may not work with curl 7.88. Workaround for this is to ensure the no_proxy IP is specified in CIDR notation (https://datatracker.ietf.org/doc/html/rfc1519) +Note 2: If you are using no_proxy environment variable to exclude proxying for any FDO server IP addresses, it may not work with curl 7.86. Workaround for this is to ensure the no_proxy IP is specified in CIDR notation (https://datatracker.ietf.org/doc/html/rfc1519) Single IP address example: no_proxy="10.60.132.45/32" Two IP addresses example: no_proxy="10.60.132.45/32,10.60.132.46/32" @@ -400,12 +400,12 @@ Use the tpm2_evictcontrol command to delete the content or clear TPM* from the B ``` - OpenSSL* Toolkit Library Linking Related Error While Building FDO Client SDK.
- There is a dependency on the OpenSSL* toolkit version 1.1.1t for building and running the FDO Client SDK. + There is a dependency on the OpenSSL* toolkit version 1.1.1s for building and running the FDO Client SDK. Check the version of the OpenSSL* toolkit installed in your machine with the command ```shell openssl version ``` - If the OpenSSL* toolkit version in your machine is earlier than version 1.1.1t, follow the steps given in section 1 to update the OpenSSL* version to 1.1.1t. + If the OpenSSL* toolkit version in your machine is earlier than version 1.1.1s, follow the steps given in section 1 to update the OpenSSL* version to 1.1.1s. diff --git a/utils/install_tpm_libs_rhel.sh b/utils/install_tpm_libs_rhel.sh index 59611ee9..687d32df 100755 --- a/utils/install_tpm_libs_rhel.sh +++ b/utils/install_tpm_libs_rhel.sh @@ -34,8 +34,11 @@ install_dependencies() glib2-devel \ dbus-x11 \ libuuid-devel \ - diffutils + diffutils \ + libcurl-devel \ + libgcrypt-devel + dnf builddep tpm2-tss pip3 install pyyaml PyYAML } From 34a86bc7505e977b0c80f6d8711b15c4a04bb2b2 Mon Sep 17 00:00:00 2001 From: Shrikant Temburwar Date: Tue, 18 Apr 2023 15:56:54 +0530 Subject: [PATCH 04/60] Add ECDSA-384 key support for TPM (#214) * Add ECDSA-384 key support for TPM * Add SHA384 HMAC support for TPM * Add AES 256-bit key type for TPM ECDSA 384 Signed-off-by: Shrikant Temburwar --- build.sh | 2 ++ cmake/extension.cmake | 14 +++++++++++++- crypto/include/tpm20_Utils.h | 22 ++++++++++++++++------ crypto/openssl/tpm20_Utils.c | 25 +++++++++++++------------ docs/build_conf.md | 3 ++- docs/tpm.md | 15 +++++++-------- storage/include/storage_al.h | 6 +++++- utils/tpm_make_ready_ecdsa.sh | 28 ++++++++++++++++++---------- 8 files changed, 76 insertions(+), 39 deletions(-) diff --git a/build.sh b/build.sh index a1ac2586..b59dac23 100755 --- a/build.sh +++ b/build.sh 
@@ -89,6 +89,8 @@ build_bin x86_ecdsa384_gcm_bin -DAES_MODE=gcm -DDA=ecdsa384 build_bin x86_ecdsa384_ccm_bin -DAES_MODE=ccm -DDA=ecdsa384 build_bin tpm_ecdsa256_gcm_bin -DAES_MODE=gcm -DDA=tpm20_ecdsa256 build_bin tpm_ecdsa256_ccm_bin -DAES_MODE=ccm -DDA=tpm20_ecdsa256 +build_bin tpm_ecdsa384_gcm_bin -DAES_MODE=gcm -DDA=tpm20_ecdsa384 +build_bin tpm_ecdsa384_ccm_bin -DAES_MODE=ccm -DDA=tpm20_ecdsa384 build_bin cse_ecdsa384_gcm_bin -DAES_MODE=gcm -DDA=cse_ecdsa384 -DCSE_CLEAR=true build_bin cse_ecdsa384_ccm_bin -DAES_MODE=ccm -DDA=cse_ecdsa384 -DCSE_CLEAR=true diff --git a/cmake/extension.cmake b/cmake/extension.cmake index dd695e98..85e7a3e3 100644 --- a/cmake/extension.cmake +++ b/cmake/extension.cmake @@ -160,8 +160,20 @@ elseif(DA STREQUAL tpm20_ecdsa256) set (TPM2_TCTI_TYPE tabrmd) client_sdk_compile_definitions(-DTPM2_TCTI_TYPE=\"tabrmd\") endif() +elseif(DA STREQUAL tpm20_ecdsa384) + client_sdk_compile_definitions(-DECDSA384_DA) + if(${TPM2_TCTI_TYPE} MATCHES tpmrm0) + client_sdk_compile_definitions(-DTPM2_TCTI_TYPE=\"device:/dev/tpmrm0\") + elseif(${TPM2_TCTI_TYPE} MATCHES tabrmd) + client_sdk_compile_definitions(-DTPM2_TCTI_TYPE=\"tabrmd\") + else() + message(WARNING "Incorrect TPM2_TCTI_TYPE selected. Supported values are 'tabrmd' and 'tpmrm0'. \ + Defaulting to 'tabrmd'") + set (TPM2_TCTI_TYPE tabrmd) + client_sdk_compile_definitions(-DTPM2_TCTI_TYPE=\"tabrmd\") + endif() else() - message(WARNING "Incorrect DA selected. Supported values are 'ecdsa256', 'ecdsa384', 'cse_ecdsa384' and 'tpm20_ecdsa256'. \ + message(WARNING "Incorrect DA selected. Supported values are 'ecdsa256', 'ecdsa384', 'cse_ecdsa384', 'tpm20_ecdsa256' and 'tpm20_ecdsa384'. \ Defaulting to 'ecdsa384'") set (DA ecdsa384) client_sdk_compile_definitions(-DECDSA384_DA) diff --git a/crypto/include/tpm20_Utils.h b/crypto/include/tpm20_Utils.h index 6b62cffc..4311e41a 100644 --- a/crypto/include/tpm20_Utils.h +++ b/crypto/include/tpm20_Utils.h 
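Review bot: The new `tpm20_ecdsa384` branch copies the TCTI selection from the `tpm20_ecdsa256` branch line for line, so the two can drift apart, and both use `MATCHES`, which is a regex/substring test and therefore accepts any value that merely contains `tpmrm0` or `tabrmd`. A stricter form would be `if(TPM2_TCTI_TYPE STREQUAL "tpmrm0")` / `elseif(TPM2_TCTI_TYPE STREQUAL "tabrmd")`, placed once in a block shared by both TPM branches. Only `-DECDSA384_DA` is added in the visible lines; where `DEVICE_TPM20_ENABLED` gets defined for this DA value is outside the hunk and worth confirming, because the `PLATFORM_HMAC_SIZE` change in storage_al.h depends on both macros.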
@@ -10,10 +10,20 @@ #include #define TPM_HMAC_PRIV_KEY_CONTEXT_SIZE_128 128 -#define TPM_HMAC_PRIV_KEY_CONTEXT_SIZE_160 160 -#define TPM_HMAC_PUB_KEY_CONTEXT_SIZE 48 -#define FDO_TPM2_CURVE_ID TPM2_ECC_NIST_P256 +#if defined(ECDSA256_DA) + #define FDO_TPM2_CURVE_ID TPM2_ECC_NIST_P256 + #define TPM_AES_BITS 128 + #define FDO_TPM2_ALG_SHA TPM2_ALG_SHA256 + #define TPM_HMAC_PRIV_KEY_CONTEXT_SIZE 160 + #define TPM_HMAC_PUB_KEY_CONTEXT_SIZE 48 +#else + #define FDO_TPM2_CURVE_ID TPM2_ECC_NIST_P384 + #define TPM_AES_BITS 256 + #define FDO_TPM2_ALG_SHA TPM2_ALG_SHA384 + #define TPM_HMAC_PRIV_KEY_CONTEXT_SIZE 224 + #define TPM_HMAC_PUB_KEY_CONTEXT_SIZE 64 +#endif #define TPM2_ZEROISE_FREE(ref) \ { \ @@ -29,7 +39,7 @@ static const TPM2B_PUBLIC in_public_primary_key_template = { .publicArea = { .type = TPM2_ALG_ECC, - .nameAlg = TPM2_ALG_SHA256, + .nameAlg = FDO_TPM2_ALG_SHA, .objectAttributes = (TPMA_OBJECT_USERWITHAUTH | TPMA_OBJECT_RESTRICTED | TPMA_OBJECT_DECRYPT | TPMA_OBJECT_FIXEDTPM | @@ -42,7 +52,7 @@ static const TPM2B_PUBLIC in_public_primary_key_template = { .parameters.eccDetail = {.symmetric = { .algorithm = TPM2_ALG_AES, - .keyBits.aes = 128, + .keyBits.aes = TPM_AES_BITS, .mode.aes = TPM2_ALG_CFB, }, .scheme = @@ -66,7 +76,7 @@ static const TPM2B_PUBLIC in_publicHMACKey_template = { .publicArea = { .type = TPM2_ALG_KEYEDHASH, - .nameAlg = TPM2_ALG_SHA256, + .nameAlg = FDO_TPM2_ALG_SHA, .objectAttributes = (TPMA_OBJECT_USERWITHAUTH | TPMA_OBJECT_DECRYPT | TPMA_OBJECT_SIGN_ENCRYPT | TPMA_OBJECT_FIXEDTPM | diff --git a/crypto/openssl/tpm20_Utils.c b/crypto/openssl/tpm20_Utils.c index 6b1ac664..88e0ea23 100644 --- a/crypto/openssl/tpm20_Utils.c +++ b/crypto/openssl/tpm20_Utils.c 
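Review bot: The `#else` arm makes P-384, SHA-384 and 256-bit AES the silent fallback whenever `ECDSA256_DA` is not defined, including a build where no DA macro, or an unrelated one, is set. These macros choose the curve and hash and size the key-context buffers, so an explicit test is safer: use `#elif defined(ECDSA384_DA)` for the second arm and finish with `#else` / `#error "tpm20_Utils.h requires ECDSA256_DA or ECDSA384_DA"`, assuming this header is only included in TPM builds. A short comment above the block saying where the 160/48 and 224/64 context sizes come from would also help, since the values cannot be checked from the patch.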
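Review bot: In `in_publicHMACKey_template` only `.nameAlg` is switched to `FDO_TPM2_ALG_SHA`; the template's keyed-hash scheme parameters lie outside the hunk and are not shown as changed. If they still name `TPM2_ALG_SHA256` (not visible here), a P-384 build would create an HMAC key whose scheme hash disagrees with the `FDO_TPM2_ALG_SHA` now passed to `Esys_HMAC` and `Esys_HMAC_Start` in tpm20_Utils.c. The same check applies to the ECC scheme in `in_public_primary_key_template`, where this patch touches only `.nameAlg` and `.keyBits.aes`. A comment on each template such as `/* all hash selections in this template must use FDO_TPM2_ALG_SHA */` would make that requirement explicit.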
@@ -30,7 +30,7 @@ static int32_t fdoTPMGenerate_primary_key_context(ESYS_CONTEXT **esys_context, * @param data: pointer to the input data * @param data_length: length of the input data * @param hmac: output buffer to save the HMAC - * @param hmac_length: length of the output HMAC buffer, equal to the SHA256 + * @param hmac_length: length of the output HMAC buffer *hash length * @param tpmHMACPub_key: File name of the TPM HMAC public key * @param tpmHMACPriv_key: File name of the TPM HMAC private key @@ -45,7 +45,7 @@ int32_t fdo_tpm_get_hmac(const uint8_t *data, size_t data_length, uint8_t *hmac, int32_t ret = -1, ret_val = -1, file_size = 0; size_t hashed_length = 0; size_t offset = 0; - uint8_t bufferTPMHMACPriv_key[TPM_HMAC_PRIV_KEY_CONTEXT_SIZE_160] = {0}; + uint8_t bufferTPMHMACPriv_key[TPM_HMAC_PRIV_KEY_CONTEXT_SIZE] = {0}; uint8_t bufferTPMHMACPub_key[TPM_HMAC_PUB_KEY_CONTEXT_SIZE] = {0}; ESYS_CONTEXT *esys_context = NULL; ESYS_TR primary_key_handle = ESYS_TR_NONE; @@ -64,7 +64,7 @@ int32_t fdo_tpm_get_hmac(const uint8_t *data, size_t data_length, uint8_t *hmac, /* Validating all input parameters are passed in the function call*/ if (!data || !data_length || !tpmHMACPub_key || !tpmHMACPriv_key || - !hmac || (hmac_length != SHA256_DIGEST_SIZE)) { + !hmac || (hmac_length != PLATFORM_HMAC_SIZE)) { LOG(LOG_ERROR, "Failed to generate HMAC from TPM, invalid parameter" " received.\n"); @@ -90,7 +90,7 @@ int32_t fdo_tpm_get_hmac(const uint8_t *data, size_t data_length, uint8_t *hmac, file_size = get_file_size(tpmHMACPriv_key); if (file_size != TPM_HMAC_PRIV_KEY_CONTEXT_SIZE_128 && - file_size != TPM_HMAC_PRIV_KEY_CONTEXT_SIZE_160) { + file_size != TPM_HMAC_PRIV_KEY_CONTEXT_SIZE) { LOG(LOG_ERROR, "TPM HMAC Private Key file size incorrect.\n"); goto err; } 
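Review bot: In `fdo_tpm_get_hmac` the caller's `hmac_length` is now compared with `PLATFORM_HMAC_SIZE`, while the digest the TPM produces is chosen by `FDO_TPM2_ALG_SHA`, and the two macros are selected by different preprocessor conditions (`DEVICE_TPM20_ENABLED && ECDSA384_DA` in storage_al.h, `ECDSA256_DA`-or-else in tpm20_Utils.h). Nothing in the visible lines ties them together, so a build whose flags disagree would accept a buffer length that does not match the HMAC size; how the copy into `hmac` behaves in that case is outside this hunk. If the toolchain is C11, a compile-time check such as `_Static_assert(PLATFORM_HMAC_SIZE == FDO_TPM2_HMAC_SIZE, "HMAC buffer must match TPM digest size");` would catch it, with `FDO_TPM2_HMAC_SIZE` being a suggested new macro defined next to `FDO_TPM2_ALG_SHA`. The edited `@param hmac_length` comment also leaves a stray `*hash length` line behind and could read `length of the output HMAC buffer, must equal PLATFORM_HMAC_SIZE`.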
@@ -192,7 +192,7 @@ int32_t fdo_tpm_get_hmac(const uint8_t *data, size_t data_length, uint8_t *hmac, ret_val = Esys_HMAC(esys_context, hmac_key_handle, auth_session_handle, ESYS_TR_NONE, ESYS_TR_NONE, - &block, TPM2_ALG_SHA256, &outHMAC); + &block, FDO_TPM2_ALG_SHA, &outHMAC); if (ret_val != TSS2_RC_SUCCESS) { LOG(LOG_ERROR, "Failed to create HMAC.\n"); @@ -206,7 +206,7 @@ int32_t fdo_tpm_get_hmac(const uint8_t *data, size_t data_length, uint8_t *hmac, ret_val = Esys_HMAC_Start(esys_context, hmac_key_handle, auth_session_handle, ESYS_TR_NONE, ESYS_TR_NONE, &null_auth, - TPM2_ALG_SHA256, &sequence_handle); + FDO_TPM2_ALG_SHA, &sequence_handle); if (ret_val != TSS2_RC_SUCCESS) { LOG(LOG_ERROR, "Failed to create HMAC.\n"); @@ -371,7 +371,7 @@ int32_t fdo_tpm_generate_hmac_key(char *tpmHMACPub_key, char *tpmHMACPriv_key) TPML_PCR_SELECTION creationPCR = {0}; /* Using same buffer for both public and private context, private context size > public context size */ - uint8_t buffer[TPM_HMAC_PRIV_KEY_CONTEXT_SIZE_160] = {0}; + uint8_t buffer[TPM_HMAC_PRIV_KEY_CONTEXT_SIZE] = {0}; size_t offset = 0; if (!tpmHMACPub_key || !tpmHMACPriv_key) { @@ -598,7 +598,8 @@ static int32_t fdoTPMEsys_auth_session_init(ESYS_CONTEXT *esys_context, TSS2_RC rval = Esys_StartAuthSession( esys_context, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, NULL, TPM2_SE_HMAC, &symmetric, - TPM2_ALG_SHA256, session_handle); + FDO_TPM2_ALG_SHA, session_handle); + if (rval != TSS2_RC_SUCCESS) { LOG(LOG_ERROR, "Failed to start the auth session.\n"); return ret; @@ -692,7 +693,7 @@ int32_t fdo_tpm_commit_replacement_hmac_key(void) int32_t ret_val = -1; // function return value int32_t ret = -1; - uint8_t bufferTPMHMACPriv_key[TPM_HMAC_PRIV_KEY_CONTEXT_SIZE_160] = {0}; + uint8_t bufferTPMHMACPriv_key[TPM_HMAC_PRIV_KEY_CONTEXT_SIZE] = {0}; uint8_t bufferTPMHMACPub_key[TPM_HMAC_PUB_KEY_CONTEXT_SIZE] = {0}; if (!file_exists(TPM_HMAC_PRIV_KEY) || 
@@ -707,7 +708,7 @@ int32_t fdo_tpm_commit_replacement_hmac_key(void) file_size = get_file_size(TPM_HMAC_REPLACEMENT_PRIV_KEY); if (file_size != TPM_HMAC_PRIV_KEY_CONTEXT_SIZE_128 && - file_size != TPM_HMAC_PRIV_KEY_CONTEXT_SIZE_160) { + file_size != TPM_HMAC_PRIV_KEY_CONTEXT_SIZE) { LOG(LOG_ERROR, "TPM HMAC Replacement Private Key file size incorrect.\n"); goto err; } @@ -764,7 +765,7 @@ int32_t fdo_tpm_commit_replacement_hmac_key(void) /** * Clear the Replacement TPM HMAC key objects, if they exist. - * + * */ void fdo_tpm_clear_replacement_hmac_key(void) { // remove the files if they exist, else return @@ -795,6 +796,6 @@ int32_t is_valid_tpm_data_protection_key_present(void) file_exists(TPM_HMAC_DATA_PRIV_KEY) && (TPM_HMAC_PRIV_KEY_CONTEXT_SIZE_128 == get_file_size(TPM_HMAC_DATA_PRIV_KEY) || - TPM_HMAC_PRIV_KEY_CONTEXT_SIZE_160 == + TPM_HMAC_PRIV_KEY_CONTEXT_SIZE == get_file_size(TPM_HMAC_DATA_PRIV_KEY))); } diff --git a/docs/build_conf.md b/docs/build_conf.md index d58a7472..21eec483 100644 --- a/docs/build_conf.md +++ b/docs/build_conf.md @@ -35,7 +35,7 @@ $ make -j4 For available build options: ```shell List of build modes: -BUILD=debug # Debug mode +BUILD=debug # Debug mode BUILD=release # Release mode (default) List of supported TARGET_OS: @@ -54,6 +54,7 @@ List of Device Attestation options: DA=ecdsa256 # Use ECDSA P256 based device attestation DA=ecdsa384 # Use ECDSA-P384 based device attestation(default) DA=tpm20_ecdsa256 # Use ECDSA-P256 based device attestation with TPM2.0 support +DA=tpm20_ecdsa384 # Use ECDSA-P384 based device attestation with TPM2.0 support DA_FILE=pem # only Use if ECDSA private keys are PEM encoded Underlying crypto library to be used: diff --git a/docs/tpm.md b/docs/tpm.md index 88191090..42c58d82 100644 --- a/docs/tpm.md +++ b/docs/tpm.md 
@@ -32,14 +32,14 @@ Curl version 7.86 #### Steps to Upgrade the OpenSSL* Toolkit to Version 1.1.1s 1. If libssl-dev, curl and libcurl are installed, uninstall it: - + ``` sudo apt-get remove --auto-remove libssl-dev sudo apt-get remove --auto-remove libssl-dev:i386 sudo apt remove curl libcurl4-openssl-dev ``` In case of RHEL OS, use below commands to uninstall: - + ``` sudo yum remove libcurl-devel openssl-devel ``` @@ -130,7 +130,7 @@ Note 1: If above command is not successful, then link the path where curl is ins sudo ln -s /usr/local/bin/curl /usr/bin/curl ``` -Note 2: If you are using no_proxy environment variable to exclude proxying for any FDO server IP addresses, it may not work with curl 7.86. Workaround for this is to ensure the no_proxy IP is specified in CIDR notation (https://datatracker.ietf.org/doc/html/rfc1519) +Note 2: If you are using no_proxy environment variable to exclude proxying for any FDO server IP addresses, it may not work with curl 7.86. Workaround for this is to ensure the no_proxy IP is specified in CIDR notation (https://datatracker.ietf.org/doc/html/rfc1519) Single IP address example: no_proxy="10.60.132.45/32" Two IP addresses example: no_proxy="10.60.132.45/32,10.60.132.46/32" 
@@ -289,9 +289,9 @@ export TINYCBOR_ROOT=path/to/tinycbor The FDO Client SDK build system is based on GNU make. It assumes that all the requirements are set up according to [ FDO Compilation Setup ](setup.md). The application is built using the `make [options]` in the root of the repository for all supported platforms. The debug and release build modes are supported in building the FDO Client SDK. -Refer the TPM* Library Setup steps given in section 2 to compile TPM* enabled FDO Client SDK. +Refer the TPM* Library Setup steps given in section 2 to compile TPM* enabled FDO Client SDK. -For an advanced build configuration, refer to [ Advanced Build Configuration ](build_conf.md). +For an advanced build configuration, refer to [ Advanced Build Configuration ](build_conf.md). Example command to build TPM* enabled FDO Client SDK with the Resource Manager as TPM2-ABRMD (tabrmd) @@ -311,7 +311,6 @@ make -j$(nproc) Several other options to choose when building the device are, but not limited to, the following: device-attestation (DA) methods, Advanced Encryption Standard (AES) encryption modes (AES_MODE), and underlying cryptography library to use (TLS). Refer to the section [FDO Build configurations](build_conf.md) -> ***NOTE***: Currently, only Elliptic-Curve (EC) cryptography keys based on `NIST P-256` or `secp256r1` are supported for TPM* enabled FDO Client SDK due to limitations on testing with the available hardware that does not support keys based on `NIST P-384`. Consequently, this configuration only supports usage of 128-bit key for AES operations (GCM/CCM) and generates 256-bit HMAC. 
@@ -332,7 +331,7 @@ After a successful compilation, the FDO Client SDK Linux device executable can b Script execution command: ```shell - ./tpm_make_ready_ecdsa.sh -p + ./tpm_make_ready_ecdsa.sh -e -p ``` - Once the TPM* make ready script is executed successfully, the device is now initialized with the credentials and is ready for ownership transfer. To run the device against the FDO PRI Manufacturer for the DI protocol, do the following: @@ -343,7 +342,7 @@ After a successful compilation, the FDO Client SDK Linux device executable can b - To enable the device for Transfer Ownership protocol (TO1 and TO2), configure the FDO PRI Rendezvous and Owner. Refer to [ Ownership Transfer Setup ](ownership_transfer.md). After these are set up, execute `linux-client` again. - + ```shell ./build/linux-client ``` diff --git a/storage/include/storage_al.h b/storage/include/storage_al.h index f2ffb1f0..33efaade 100644 --- a/storage/include/storage_al.h +++ b/storage/include/storage_al.h @@ -19,7 +19,11 @@ #include // platform HMAC and blob size -#define PLATFORM_HMAC_SIZE BUFF_SIZE_32_BYTES +#if defined(DEVICE_TPM20_ENABLED) && defined(ECDSA384_DA) + #define PLATFORM_HMAC_SIZE BUFF_SIZE_48_BYTES +#else + #define PLATFORM_HMAC_SIZE BUFF_SIZE_32_BYTES +#endif #define BLOB_CONTENT_SIZE BUFF_SIZE_4_BYTES typedef enum { diff --git a/utils/tpm_make_ready_ecdsa.sh b/utils/tpm_make_ready_ecdsa.sh index 636c5245..d69c18ce 100644 --- a/utils/tpm_make_ready_ecdsa.sh +++ b/utils/tpm_make_ready_ecdsa.sh 
@@ -9,26 +9,26 @@ TPM_ENDORSEMENT_PRIMARY_KEY_PERSISTANT_HANDLE=0x81000001 found_path=0 verbose=0 -curve="nist_p256" -primary_key_type="ecc256:aes128cfb" -usage() +usage() { - echo "Usage: $0 -p [-v verbose] [-i use /dev/tpmrm0 as Resource Manager, if not provided TPM2-ABRMD will be used]" + echo "Usage: $0 -p -e [-v verbose] [-i use /dev/tpmrm0 as Resource Manager, if not provided TPM2-ABRMD will be used]" exit 2 } -parse_args() +parse_args() { OPTIND=1 USE_TABRMD=2 USE_TPMRM0=3 - while getopts "p:c:h:v:i" opt; do + while getopts "p:e:h:v:i" opt; do case ${opt} in p ) found_path=1; PARENT_DIR=$OPTARG ;; + e ) ecc=$OPTARG + ;; i ) export TPM2TOOLS_TCTI="device:/dev/tpmrm0" ;; v ) verbose=1 @@ -36,13 +36,13 @@ parse_args() h|* ) usage;; esac done - + if [ $found_path -eq 0 ]; then usage fi } -execute_cmd_on_failure_exit() +execute_cmd_on_failure_exit() { eval exec_cmd="$1" eval success_msg="$2" @@ -71,6 +71,14 @@ execute_cmd_on_failure_exit() parse_args "$@" +curve="nist_p$ecc" + +if [ ${ecc} == "256" ]; then + primary_key_type="ecc$ecc:aes128cfb" +else + primary_key_type="ecc$ecc:aes256cfb" +fi + echo "$TPM2TOOLS_TCTI in use as Resource Manager" #Prepare all files path @@ -90,7 +98,7 @@ failure_string="$task failed [probably ignore it]" execute_cmd_on_failure_exit "\$cmd" "\$success_string" "\$failure_string" 1 0 task="Primary key generation from endorsement seed" -cmd="tpm2_createprimary -C e -g sha256 -G $primary_key_type -c $tpm_endorsement_primary_key_ctx -V" +cmd="tpm2_createprimary -C e -g sha$ecc -G $primary_key_type -c $tpm_endorsement_primary_key_ctx -V" success_string="$task completed successfully at $tpm_endorsement_primary_key_ctx !!" failure_string="$task failed" execute_cmd_on_failure_exit "\$cmd" "\$success_string" "\$failure_string" 1 1 
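Review bot: `-e` is listed as required in the new usage text, but parse_args still only checks `found_path`, so `$ecc` reaches `[ ${ecc} == "256" ]` (hunk at -71,6) without being checked for presence or value. It is also spliced into the `tpm2_createprimary -g sha$ecc -G $primary_key_type` string (hunk at -90,7) and the `openssl req ... -sha$ecc` string in the following hunk at -108,7. With `-e` omitted the unquoted test is malformed and the else branch silently selects `ecc:aes256cfb`. Any other value ends up in command strings handed to `execute_cmd_on_failure_exit`, whose visible first lines use `eval`; the rest of that function is outside the hunk. I would accept only the two supported curves right after the `found_path` check, `case "$ecc" in 256|384) ;; *) usage ;; esac`, and write the test as `[ "$ecc" = "256" ]`.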
@@ -108,7 +116,7 @@ failure_string="$task failed" execute_cmd_on_failure_exit "\${cmd}" "\${success_string}" "\${failure_string}" 1 1 task="Device CSR generation from TPM" -cmd="openssl req -new -engine tpm2tss -keyform engine -outform DER -out $device_csr_file -key $tpm_device_key_file -subj \"/CN=sdo-tpm-device\" -verbose" +cmd="openssl req -new -engine tpm2tss -keyform engine -outform DER -out $device_csr_file -key $tpm_device_key_file -subj \"/CN=sdo-tpm-device\" -sha$ecc -verbose" success_string="$task completed successfully at $device_csr_file !!" failure_string="$task failed" execute_cmd_on_failure_exit "\$cmd" "\$success_string" "\$failure_string" 1 1 From 6556511750caa56c5285e0f0832648c8c8b580ee Mon Sep 17 00:00:00 2001 From: Shrikant Temburwar Date: Tue, 18 Apr 2023 16:21:40 +0530 Subject: [PATCH 05/60] Fix coverity scan findings (#225) Fix coverity scan findings Signed-off-by: Shrikant Temburwar --- crypto/openssl/openssl_csr.c | 3 -- cse/cse_utils.c | 4 +-- lib/fdonet.c | 5 ++- lib/fdotypes.c | 46 +++++++++++++++++++------ lib/prot/to2/msg63.c | 2 +- network/network_if_linux.c | 4 +-- storage/linux/platform_utils_if_linux.c | 12 +++++-- storage/linux/storage_if_linux.c | 7 ++-- 8 files changed, 59 insertions(+), 24 deletions(-) diff --git a/crypto/openssl/openssl_csr.c b/crypto/openssl/openssl_csr.c index b66f7b74..cbcc962c 100644 --- a/crypto/openssl/openssl_csr.c +++ b/crypto/openssl/openssl_csr.c @@ -197,9 +197,6 @@ int32_t crypto_hal_get_device_csr(fdo_byte_array_t **csr) EVP_PKEY_free(ec_pkey); ec_key = NULL; // evp_pkey_free clears attached ec_key too } - if (ec_key) { - EC_KEY_free(ec_key); - } if (pub_key) { EC_POINT_free(pub_key); } diff --git a/cse/cse_utils.c b/cse/cse_utils.c index 1305e5cb..274ad1f5 100644 --- a/cse/cse_utils.c +++ b/cse/cse_utils.c 
@@ -210,7 +210,7 @@ TEESTATUS fdo_heci_ecdsa_device_sign_challenge(TEEHANDLE *cl, uint8_t *data, return -1; } - if (data_length > FDO_MAX_FILE_SIZE || data_length < 0) { + if (data_length > FDO_MAX_DATA_TO_SIGN) { LOG(LOG_ERROR, "Invalid data length!\n"); return -1; } @@ -301,7 +301,7 @@ TEESTATUS fdo_heci_generate_random(TEEHANDLE *cl, uint8_t *random_bytes, return -1; } - if (length > FDO_MAX_RANDOM || length < 0) { + if (length > FDO_MAX_RANDOM || length == 0) { return -1; } diff --git a/lib/fdonet.c b/lib/fdonet.c index e8d9c2a1..4577d06c 100644 --- a/lib/fdonet.c +++ b/lib/fdonet.c @@ -417,7 +417,10 @@ bool resolve_dn(const char *dn, fdo_ip_address_t **ip, uint16_t port, } if (FDO_CON_INVALID_HANDLE != sock_hdl) { - fdo_con_disconnect(sock_hdl); + if (fdo_con_disconnect(sock_hdl)) { + LOG(LOG_ERROR, "Error during socket close()\n"); + goto end; + } if (!cache_host_dns(dn)) { LOG(LOG_ERROR, "REST DNS caching failed!\n"); goto end; diff --git a/lib/fdotypes.c b/lib/fdotypes.c index 9c469ba1..6f615d26 100644 --- a/lib/fdotypes.c +++ b/lib/fdotypes.c @@ -2375,7 +2375,10 @@ bool fdo_rendezvous_list_write(fdow_t *fdow, fdo_rendezvous_list_t *list) return false; } - fdow_start_array(fdow, list->num_rv_directives); + if (!fdow_start_array(fdow, list->num_rv_directives)) { + LOG(LOG_ERROR, "Failed to start array\n"); + return false; + } int rv_directive_index; for (rv_directive_index = 0; rv_directive_index < list->num_rv_directives; @@ -2384,7 +2387,12 @@ bool fdo_rendezvous_list_write(fdow_t *fdow, fdo_rendezvous_list_t *list) if (!directive) { continue; } - fdow_start_array(fdow, directive->num_entries); + + if (!fdow_start_array(fdow, directive->num_entries)) { + LOG(LOG_ERROR, "Failed to start array\n"); + return false; + } + int rv_instr_index; for (rv_instr_index = 0; rv_instr_index < directive->num_entries; rv_instr_index++) { fdo_rendezvous_t *entry_Ptr = fdo_rendezvous_list_get(directive, rv_instr_index); 
@@ -2393,9 +2401,19 @@ bool fdo_rendezvous_list_write(fdow_t *fdow, fdo_rendezvous_list_t *list) } fdo_rendezvous_write(fdow, entry_Ptr); } - fdow_end_array(fdow); + + if (!fdow_end_array(fdow)) { + LOG(LOG_ERROR, + "%s : RendezvousInfo end array not found\n", __func__); + return false; + } + } + + if (!fdow_end_array(fdow)) { + LOG(LOG_ERROR, + "%s : RendezvousInfo end array not found\n", __func__); + return false; } - fdow_end_array(fdow); return true; } @@ -5025,7 +5043,7 @@ bool fdo_serviceinfo_invalid_modname_add(char *module_name, temp_next = temp_next->next; } temp_current->next = fdo_alloc(sizeof(fdo_sv_invalid_modnames_t)); - if (!temp_current) { + if (!temp_current->next) { LOG(LOG_ERROR, "Failed to alloc for unsupported modules\n"); return false; @@ -5175,7 +5193,10 @@ bool fdo_supply_serviceinfoval(char *module_name, char *module_message, LOG(LOG_ERROR, "ServiceInfo: Received ServiceInfo for an inactive module %s\n", module_list->module.module_name); // module is present, but is not the active module. skip this ServiceInfoVal - fdor_next(&temp_fdor); + if (!fdor_next(&temp_fdor)) { + LOG(LOG_DEBUG,"ServiceInfo: Failed to skip active module\n"); + goto end; + } retval = true; } break; @@ -5188,7 +5209,10 @@ bool fdo_supply_serviceinfoval(char *module_name, char *module_message, LOG(LOG_ERROR, "ServiceInfo: Received ServiceInfo for an unsupported module %s\n", module_name); - fdor_next(&temp_fdor); + if (!fdor_next(&temp_fdor)) { + LOG(LOG_DEBUG,"ServiceInfo: Failed to skip unsupported module\n"); + goto end; + } *cb_return_val = FDO_SI_INVALID_MOD_ERROR; retval = true; } 
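Review bot: The inner loop still calls `fdo_rendezvous_write(fdow, entry_Ptr);` and drops the result, while this commit makes the surrounding `fdow_start_array`/`fdow_end_array` calls fail the function. If that writer reports failure the same way (its declaration is not in the hunk), a partially written RendezvousInfo entry would still end in `return true`. I would change the call to `if (!fdo_rendezvous_write(fdow, entry_Ptr)) { LOG(LOG_ERROR, "Failed to write rendezvous entry\n"); return false; }`. The loop header of fdo_rendezvous_list_write is in the previous hunk.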
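Review bot: In fdo_supply_serviceinfoval the two new `fdor_next` failure paths (hunks at -5175,7 and -5188,7) log at `LOG_DEBUG` although they abort with `goto end`, and the first message says "Failed to skip active module" in the branch that handles an inactive module. Every other failure exit added by this commit uses `LOG_ERROR`, so a release build would lose the only trace of this error. I would use `LOG(LOG_ERROR, "ServiceInfo: Failed to skip inactive module\n");` in the first hunk and `LOG_ERROR` in the second as well.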
@@ -6249,10 +6273,12 @@ bool fdo_rendezvous_instr_compare(fdo_rendezvous_t *entry1, fdo_rendezvous_t *en } if (entry1->ip != NULL && entry2->ip != NULL) { - memcmp_s(entry1->ip->addr, entry1->ip->length, - entry2->ip->addr,entry1->ip->length, &memcmp_diff); - if (memcmp_diff == 0) { + if (!memcmp_s(entry1->ip->addr, entry1->ip->length, + entry2->ip->addr,entry1->ip->length, &memcmp_diff) && + !memcmp_diff) { return true; + } else { + return false; } } diff --git a/lib/prot/to2/msg63.c b/lib/prot/to2/msg63.c index 20435315..7c6292c1 100644 --- a/lib/prot/to2/msg63.c +++ b/lib/prot/to2/msg63.c @@ -202,7 +202,7 @@ int32_t msg63(fdo_prot_t *ps) if (temp_hash_hc->hash_type != FDO_CRYPTO_HASH_TYPE_USED) { LOG(LOG_ERROR, "TO2.OVNextEntry: Invalid Hash Type at OVEntryPayload.OVEHashHdrInfo\n"); - fdo_hash_free(temp_hash_hp); + fdo_hash_free(temp_hash_hc); goto err; } diff --git a/network/network_if_linux.c b/network/network_if_linux.c index dad70757..fe27a815 100644 --- a/network/network_if_linux.c +++ b/network/network_if_linux.c @@ -246,7 +246,7 @@ bool fdo_curl_proxy(fdo_ip_address_t *ip_addr, uint16_t port) goto err; } - if (ip_addr->addr) { + if (ip_addr) { ip_ascii = fdo_alloc(IP_TAG_LEN); if (!ip_ascii) { goto err; @@ -331,7 +331,7 @@ int fdo_curl_setup(fdo_ip_address_t *ip_addr, uint16_t port, bool tls) } } - if (ip_addr->addr) { + if (ip_addr) { ip_ascii = fdo_alloc(IP_TAG_LEN); if (!ip_ascii) { goto err; diff --git a/storage/linux/platform_utils_if_linux.c b/storage/linux/platform_utils_if_linux.c index baa0e4c9..411f39d9 100644 --- a/storage/linux/platform_utils_if_linux.c +++ b/storage/linux/platform_utils_if_linux.c @@ -111,7 +111,9 @@ bool get_platform_iv(uint8_t *iv, size_t len, size_t datalen) end: if (fp) { - fclose(fp); + if (fclose(fp) == EOF) { + LOG(LOG_INFO, "Fclose Failed"); + } } if (p_iv) { fdo_free(p_iv); 
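Review bot: In fdo_rendezvous_instr_compare (hunk at -6249,10) the rewritten `memcmp_s` call still passes `entry1->ip->length` as both the destination and the source length, so `entry2->ip->length` is never checked. Two addresses of different length that share a prefix would compare equal, and a shorter `entry2` is read past its stated length. Unless the lengths are validated by the caller (not visible here), I would add `if (entry1->ip->length != entry2->ip->length) { return false; }` before the comparison. The function body starts and continues outside the hunk.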
@@ -185,7 +187,9 @@ bool get_platform_aes_key(uint8_t *key, size_t len) end: if (fp) { - fclose(fp); + if (fclose(fp) == EOF) { + LOG(LOG_INFO, "Fclose Failed"); + } } return retval; } @@ -255,7 +259,9 @@ bool get_platform_hmac_key(uint8_t *key, size_t len) end: if (fp) { - fclose(fp); + if (fclose(fp) == EOF) { + LOG(LOG_INFO, "Fclose Failed"); + } } return retval; } diff --git a/storage/linux/storage_if_linux.c b/storage/linux/storage_if_linux.c index 50aa843a..6cb505b2 100644 --- a/storage/linux/storage_if_linux.c +++ b/storage/linux/storage_if_linux.c @@ -235,8 +235,11 @@ int32_t fdo_blob_read(const char *name, fdo_sdk_blob_flags flags, uint8_t *buf, } // compare HMAC - memcmp_s(stored_hmac, PLATFORM_HMAC_SIZE, computed_hmac, - PLATFORM_HMAC_SIZE, &strcmp_result); + if (memcmp_s(stored_hmac, PLATFORM_HMAC_SIZE, computed_hmac, + PLATFORM_HMAC_SIZE, &strcmp_result) != 0) { + LOG(LOG_ERROR, "Failed to compare HMAC\n"); + goto exit; + } if (strcmp_result != 0) { LOG(LOG_ERROR, "%s: HMACs do not compare!\n", __func__); goto exit; From 3a133b6ead48e09f3cfebd498d3e8a427d9003c9 Mon Sep 17 00:00:00 2001 From: Shrikant Temburwar Date: Thu, 27 Apr 2023 16:58:40 +0530 Subject: [PATCH 06/60] OpenSSL 3.0 Support for Client SDK & TPM (#202) * Openssl 3 porting (#194) * CSDK code updated with openssl 3 APIs The deprecated openssl APIs are updated with openssl 3 APIs. Signed-off-by: tajnisha * CSDK updated with openssl 3 APIs Added minor clean-ups on top of original changes. Signed-off-by: tajnisha * Add OpenSSL 3.0 support for CSDK TPM Signed-off-by: Shrikant Temburwar * Fix memory leaks Signed-off-by: Shrikant Temburwar * Addressed review comments for openssl 3 csdk changes. Signed-off-by: Tajunnisha N Signed-off-by: tajnisha Signed-off-by: Shrikant Temburwar Signed-off-by: Tajunnisha N Co-authored-by: Shrikant Temburwar Signed-off-by: Shrikant Temburwar * Update TPM lib version and installation script 
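Review bot: In fdo_blob_read (hunk at -235,8) the stored and computed HMACs are still compared with `memcmp_s`, a general-purpose comparison that as far as I know is not written to run in constant time. A MAC check is normally done with a comparison whose duration does not depend on where the first mismatch is. Since this file may not link against a particular crypto library, a small local loop is enough: `for (i = 0; i < PLATFORM_HMAC_SIZE; i++) { diff |= stored_hmac[i] ^ computed_hmac[i]; }` followed by `if (diff != 0) goto exit;`. The new `!= 0` check on the return value is a good addition and should stay if `memcmp_s` is kept.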
Signed-off-by: Shrikant Temburwar * Updated Readme file for openssl 3 setup steps Signed-off-by: Shrikant Temburwar * Readme updates Signed-off-by: Shrikant Temburwar * Update Readme and installation scripts Signed-off-by: Shrikant Temburwar * Readme and script updates Signed-off-by: Shrikant Temburwar * * Readme update * Added OpenSSL and Curl path to /opt/ by default in the openssl and tpm lib installation script * Updated unit tests for OpenSSL 3 Signed-off-by: Shrikant Temburwar * Update Readmes and TPM lib installation scripts Signed-off-by: Shrikant Temburwar * Added OpenSSL and Curl path in Jenkinsfile.yml Signed-off-by: Shrikant Temburwar * Readme update Signed-off-by: Shrikant Temburwar --------- Signed-off-by: tajnisha Signed-off-by: Shrikant Temburwar Signed-off-by: Tajunnisha N Co-authored-by: tajnisha --- CMakeLists.txt | 13 +- Jenkinsfile.yml | 10 +- app/main.c | 2 +- cmake/blob_path.cmake | 1 - crypto/include/ec_key.h | 2 +- crypto/openssl/ec_key.c | 69 +++--- crypto/openssl/openssl_ECDSASignRoutines.c | 99 ++++++--- crypto/openssl/openssl_ECDSAVerifyRoutines.c | 185 ++++++++-------- crypto/openssl/openssl_csr.c | 84 ++++--- crypto/openssl/openssl_key_exchange_ecdh.c | 186 +++++++--------- crypto/openssl/tpm20_ECDSASignRoutines.c | 154 ++++++++----- docs/cse.md | 64 ++++-- docs/linux.md | 90 ++++---- docs/tpm.md | 130 ++++++----- tests/unit/CMakeLists.txt | 4 +- tests/unit/test_ECDSASignRoutines.c | 100 ++++++--- tests/unit/test_ECDSAVerifyRoutines.c | 130 +++++++---- tests/unit/test_cryptoSupport.c | 220 ++++++++++++------- tests/unit/test_fdotypes.c | 2 +- utils/install_openssl_curl.sh | 28 +-- utils/install_tpm_libs.sh | 84 ++++--- utils/install_tpm_libs_rhel.sh | 115 ++++++---- utils/keys_gen.sh | 6 +- utils/tpm_make_ready_ecdsa.sh | 14 +- 24 files changed, 1050 insertions(+), 742 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 5efa0262..ba92a188 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -16,6 +16,13 @@ include(cmake/cli_input.cmake) include(cmake/extension.cmake) include(cmake/blob_path.cmake) +if (NOT(DEFINED ENV{OPENSSL3_ROOT})) + message(FATAL_ERROR "OPENSSL3_ROOT not set") +endif() + +if (NOT(DEFINED ENV{CURL_ROOT})) + message(FATAL_ERROR "CURL_ROOT not set") +endif() if (NOT(DEFINED ENV{SAFESTRING_ROOT})) message(FATAL_ERROR "SAFESTRING_ROOT not set") @@ -43,7 +50,6 @@ client_sdk_compile_options( -Wswitch-default -Wunused-parameter -Wsign-compare - -Wno-deprecated-declarations -Wpedantic -Werror -Wimplicit-function-declaration @@ -71,6 +77,8 @@ client_sdk_compile_options( if(${TARGET_OS} MATCHES linux) # Safestring lib client_sdk_include_directories( + $ENV{OPENSSL3_ROOT}/include + $ENV{CURL_ROOT}/include $ENV{SAFESTRING_ROOT}/include $ENV{TINYCBOR_ROOT}/src include @@ -121,11 +129,14 @@ if(${TARGET_OS} MATCHES linux) -L$ENV{TINYCBOR_ROOT}/lib/ -l:libtinycbor.a -Wl,-z,noexecstack -Wl,-z,relro -Wl,-z,now + -L$ENV{CURL_ROOT}/lib -lcurl ) if (${TLS} STREQUAL openssl) client_sdk_ld_options( + -L$ENV{OPENSSL3_ROOT}/lib64 + -L$ENV{OPENSSL3_ROOT}/lib -Wl,--no-whole-archive -lssl -lcrypto -ldl ) elseif(${TLS} MATCHES mbedtls) diff --git a/Jenkinsfile.yml b/Jenkinsfile.yml index 57567518..4c06cf39 100644 --- a/Jenkinsfile.yml +++ b/Jenkinsfile.yml @@ -3,9 +3,7 @@ node('ccode'){ 'REPO_Safestring=https://github.com/intel/safestringlib.git', 'REPO_TinyCBOR=https://github.com/intel/tinycbor.git', 'REPO_METEE=https://github.com/intel/metee.git', - "TEST_DIR=${WORKSPACE}/test-fidoiot", - "MANUFACTURER_DB_CONNECT_STRING=jdbc:mariadb://127.0.0.1:3306/sdo", - "RESELLER_DB_CONNECT_STRING=jdbc:mariadb://127.0.0.1:4306/sdo" + "TEST_DIR=${WORKSPACE}/test-fidoiot" ]) { stage('Clone Client-SDK'){ 
@@ -54,6 +52,10 @@ node('ccode'){ echo $TINYCBOR_ROOT export METEE_ROOT=$WORKSPACE/metee echo $METEE_ROOT + export OPENSSL3_ROOT=/opt/openssl + echo $OPENSSL3_ROOT + export CURL_ROOT=/opt/curl + echo $CURL_ROOT cd $WORKSPACE/client-sdk $WORKSPACE/client-sdk/build.sh -s mkdir client-sdk-binaries @@ -64,6 +66,8 @@ node('ccode'){ cp -r ../x86_ecdsa384_ccm_bin . cp -r ../tpm_ecdsa256_gcm_bin . cp -r ../tpm_ecdsa256_ccm_bin . + cp -r ../tpm_ecdsa384_gcm_bin . + cp -r ../tpm_ecdsa384_ccm_bin . cp -r ../cse_ecdsa384_gcm_bin . cp -r ../cse_ecdsa384_ccm_bin . mkdir utils diff --git a/app/main.c b/app/main.c index 664cd97d..d637b202 100644 --- a/app/main.c +++ b/app/main.c @@ -240,7 +240,7 @@ int app_main(bool is_resale) #endif /* SECURE_ELEMENT */ #if !defined(DEVICE_CSE_ENABLED) - LOG(LOG_DEBUG, "CSE not enabaled, Normal Blob Modules loaded!\n"); + LOG(LOG_DEBUG, "CSE not enabled, Normal Blob Modules loaded!\n"); if (-1 == configure_normal_blob()) { LOG(LOG_ERROR, "Provisioning Normal blob for the 1st time failed!\n"); diff --git a/cmake/blob_path.cmake b/cmake/blob_path.cmake index 5359ca7d..4eaa0ee0 100644 --- a/cmake/blob_path.cmake +++ b/cmake/blob_path.cmake @@ -38,7 +38,6 @@ if(TARGET_OS MATCHES linux) -DTPM_HMAC_REPLACEMENT_PRIV_KEY=\"${BLOB_PATH}/data/tpm_hmac_replacement_priv.key\" -DTPM_HMAC_DATA_PUB_KEY=\"${BLOB_PATH}/data/tpm_hmac_data_pub.key\" -DTPM_HMAC_DATA_PRIV_KEY=\"${BLOB_PATH}/data/tpm_hmac_data_priv.key\" - -DTPM2_TSS_ENGINE_SO_PATH=\"/usr/local/lib/engines-1.1/libtpm2tss.so\" ) endif() diff --git a/crypto/include/ec_key.h b/crypto/include/ec_key.h index a53352e5..3fc8ca83 100644 --- a/crypto/include/ec_key.h +++ b/crypto/include/ec_key.h @@ -7,5 +7,5 @@ #include -EC_KEY *get_ec_key(void); +EVP_PKEY *get_evp_key(void); #endif diff --git a/crypto/openssl/ec_key.c b/crypto/openssl/ec_key.c index d49e6892..507fd555 100644 --- a/crypto/openssl/ec_key.c +++ b/crypto/openssl/ec_key.c 
@@ -12,6 +12,7 @@ #include #include #include +#include #include "fdotypes.h" #include "storage_al.h" #include "util.h" @@ -20,12 +21,11 @@ #include "safe_lib.h" #ifdef ECDSA_PEM -EC_KEY *get_ec_key(void) +EVP_PKEY *get_evp_key(void) { int ret = -1; uint8_t *privkey = NULL; size_t privkey_size = 0; - EC_KEY *ec_key = NULL; BIO *ecprivkey_bio = NULL; EVP_PKEY *ecprivkey_evp = NULL; @@ -58,12 +58,6 @@ EC_KEY *get_ec_key(void) goto err; } - ec_key = EVP_PKEY_get1_EC_KEY(ecprivkey_evp); - if (!ec_key) { - LOG(LOG_ERROR, "Invalid EC key format\n"); - goto err; - } - err: /* At this point ret is already 0 */ if (privkey) { @@ -73,27 +67,24 @@ EC_KEY *get_ec_key(void) } fdo_free(privkey); } - if (ecprivkey_evp) { + if (ecprivkey_evp && ret) { EVP_PKEY_free(ecprivkey_evp); + ecprivkey_evp = NULL; } if (ecprivkey_bio) { BIO_free(ecprivkey_bio); } - if (ec_key && ret) { - EC_KEY_free(ec_key); - ec_key = NULL; - } - return ec_key; + return ecprivkey_evp; } #else -EC_KEY *get_ec_key(void) +EVP_PKEY *get_evp_key(void) { int ret = 0; uint8_t *privkey = NULL; size_t privkey_size = 0; - EC_KEY *ec_key = NULL; - BIGNUM *ec_key_bn = NULL; int32_t curve = NID_X9_62_prime256v1; + EVP_PKEY *evp_key_ec = NULL; + EVP_PKEY_CTX *evp_ctx = NULL; #ifdef ECDSA384_DA curve = NID_secp384r1; 
@@ -106,27 +97,33 @@ EC_KEY *get_ec_key(void) goto err; } - /* Load the key from memory into ec_key */ - ec_key_bn = BN_bin2bn(privkey, privkey_size, NULL); - if (!ec_key_bn) { - LOG(LOG_ERROR, "Failed to create eckey BN\n"); + evp_ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL); + if (!evp_ctx) { + LOG(LOG_ERROR, "Failed to create evp ctx context \n"); goto err; } - /* Create and initialize openssl EC private key */ - ec_key = EC_KEY_new_by_curve_name(curve); - if (!ec_key) { - LOG(LOG_ERROR, "Failed to allocate ec key\n"); + const char* group_name = OBJ_nid2sn(curve); + OSSL_PARAM params[] = { OSSL_PARAM_BN(OSSL_PKEY_PARAM_PRIV_KEY, privkey, privkey_size), + OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, (char *)group_name, strlen(group_name)), + OSSL_PARAM_END + }; + if (EVP_PKEY_fromdata_init(evp_ctx) <=0) { + LOG(LOG_ERROR, "Failed to init the ec key from data object\n"); goto err; - } + } - ret = EC_KEY_set_private_key(ec_key, ec_key_bn); - if (!ret) { - LOG(LOG_ERROR, "Failed to set ec private key\n"); + if ( EVP_PKEY_fromdata(evp_ctx,&evp_key_ec,EVP_PKEY_KEYPAIR, params) <=0) { + LOG(LOG_ERROR, "Failed to create the ec key from data\n");// %s", (char *)params2); goto err; - } + } + ret = 1; // success err: + if (evp_ctx) { + EVP_PKEY_CTX_free(evp_ctx); + evp_ctx = NULL; + } if (privkey) { if (memset_s(privkey, privkey_size, 0) != 0) { LOG(LOG_ERROR, "Memset Failed\n"); @@ -134,14 +131,10 @@ EC_KEY *get_ec_key(void) } fdo_free(privkey); } - if (ec_key && !ret) { - EC_KEY_free(ec_key); - ec_key = NULL; + if (evp_key_ec && !ret) { + EVP_PKEY_free(evp_key_ec); + evp_key_ec = NULL; } - if (ec_key_bn) { - BN_free(ec_key_bn); - } - - return ec_key; + return evp_key_ec; } #endif diff --git a/crypto/openssl/openssl_ECDSASignRoutines.c b/crypto/openssl/openssl_ECDSASignRoutines.c index a41bd147..b4a7fe09 100644 --- a/crypto/openssl/openssl_ECDSASignRoutines.c +++ b/crypto/openssl/openssl_ECDSASignRoutines.c 
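Review bot: `OSSL_PARAM_BN(OSSL_PKEY_PARAM_PRIV_KEY, privkey, privkey_size)` in the non-PEM get_evp_key passes the stored key bytes straight into an OSSL_PARAM integer, which OpenSSL reads in native byte order. The removed code loaded the same buffer with `BN_bin2bn`, which is big-endian. If the stored format has not changed (the loader is outside the hunk), a little-endian host would import a byte-reversed scalar, that is a different private key. I would keep the `BN_bin2bn` conversion and build the parameters with the OSSL_PARAM_BLD API as sketched below. The sketch needs `ec_key_bn`, `param_bld` and `params` declared with the other locals, and released at `err:` with `BN_clear_free`, `OSSL_PARAM_BLD_free` and `OSSL_PARAM_free`.

```c
	/* … unchanged: private key load and EVP_PKEY_CTX creation … */
	const char *group_name = OBJ_nid2sn(curve);

	/* same big-endian interpretation of the stored bytes as the removed code */
	ec_key_bn = BN_bin2bn(privkey, privkey_size, NULL);
	param_bld = OSSL_PARAM_BLD_new();
	if (!ec_key_bn || !param_bld ||
	    !OSSL_PARAM_BLD_push_utf8_string(param_bld,
					     OSSL_PKEY_PARAM_GROUP_NAME,
					     group_name, 0) ||
	    !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY,
				    ec_key_bn)) {
		LOG(LOG_ERROR, "Failed to build ec key params\n");
		goto err;
	}
	params = OSSL_PARAM_BLD_to_param(param_bld);
	if (!params) {
		LOG(LOG_ERROR, "Failed to create ec key params\n");
		goto err;
	}
	/* … unchanged: EVP_PKEY_fromdata_init() and EVP_PKEY_fromdata() … */
```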
@@ -29,60 +29,78 @@ * @return 0 if true, else -1. */ int32_t crypto_hal_ecdsa_sign(const uint8_t *data, size_t data_len, - unsigned char *message_signature, - size_t *signature_length) + unsigned char *message_signature, + size_t *signature_length) { int ret = -1; - EC_KEY *eckey = NULL; - unsigned char hash[SHA512_DIGEST_SIZE] = {0}; - unsigned int sig_len = 0; - size_t hash_length = 0; - ECDSA_SIG *sig = NULL; - unsigned char *sig_r = NULL; + EVP_PKEY *evpKey = NULL; + unsigned char *der_sig = NULL; + size_t der_sig_len = 0; + EVP_MD_CTX *mdctx = NULL; int sig_r_len = 0; - unsigned char *sig_s = NULL; int sig_s_len = 0; + unsigned char *sig_r = NULL; + unsigned char *sig_s = NULL; + ECDSA_SIG *sig = NULL; if (!data || !data_len || !message_signature || !signature_length) { LOG(LOG_ERROR, "fdo_cryptoECDSASign params not valid\n"); goto end; } - eckey = get_ec_key(); - if (!eckey) { - LOG(LOG_ERROR, "Failed to get the EC key\n"); + evpKey = get_evp_key(); + if (!evpKey) { + LOG(LOG_ERROR, "Failed to get the EVP EC key\n"); goto end; } - // this provides DER-encoded signature length - // the received concatenated r|s would be of lesser length - sig_len = ECDSA_size(eckey); - - /* Supplied buffer is enough ? 
*/ - if (sig_len > *signature_length) { - LOG(LOG_ERROR, - "Supplied signature buffer is not enough, " - "supplied: %zu bytes, required: %d bytes!\n", - *signature_length, sig_len); + // Create the Message Digest Context + mdctx = EVP_MD_CTX_create(); + if(!mdctx) { + LOG(LOG_ERROR, "Failed to create message digest context\n"); goto end; } - #if defined(ECDSA256_DA) - hash_length = SHA256_DIGEST_SIZE; - if (SHA256(data, data_len, hash) == NULL) { + if (1 != EVP_DigestSignInit(mdctx, NULL, EVP_sha256(), NULL, evpKey)) { + LOG(LOG_ERROR, "EVP sign init failed \n"); goto end; } #elif defined(ECDSA384_DA) - hash_length = SHA384_DIGEST_SIZE; - if (SHA384(data, data_len, hash) == NULL) { + if (1 != EVP_DigestSignInit(mdctx, NULL, EVP_sha384(), NULL, evpKey)) { + LOG(LOG_ERROR, "EVP sign init failed \n"); goto end; } #endif + if (1 != EVP_DigestSignUpdate(mdctx, data, data_len)) { + LOG(LOG_ERROR, "EVP sign update failed \n"); + goto end; + } + //First call with NULL param to obtain the DER encoded signature length + if (1 != EVP_DigestSignFinal(mdctx, NULL, &der_sig_len)) { + LOG(LOG_ERROR, "EVP sign final for size failed \n"); + goto end; + } + if (der_sig_len <= 0) { + LOG(LOG_ERROR, "EVP_DigestSignFinal returned invalid signature length.\n"); + goto end; + } - // ECDSA_sign return 1 on success, 0 on failure - sig = ECDSA_do_sign(hash, hash_length, eckey); - if (!sig) { - LOG(LOG_ERROR, "ECDSA signature generation failed!\n"); + der_sig = fdo_alloc(der_sig_len); + if (!der_sig) { + LOG(LOG_ERROR, "Signature alloc Failed\n"); + goto end; + } + //second call with actual param to obtain the DEr encoded signature + if (1 != EVP_DigestSignFinal(mdctx, der_sig, &der_sig_len)) { + LOG(LOG_ERROR, "EVP sign final failed \n"); + goto end; + } + + // Decode DER encoded signature to convert to raw format + sig = ECDSA_SIG_new(); + const unsigned char *sig_input = der_sig; + if (!sig || d2i_ECDSA_SIG(&sig, &sig_input, der_sig_len) == NULL) { + LOG(LOG_ERROR, "DER to EC_KEY struct 
decoding failed!\n"); goto end; } @@ -126,12 +144,12 @@ int32_t crypto_hal_ecdsa_sign(const uint8_t *data, size_t data_len, *signature_length = sig_r_len + sig_s_len; if (memcpy_s(message_signature, *signature_length, (char *)sig_r, - (size_t)sig_r_len) != 0) { + (size_t)sig_r_len) != 0) { LOG(LOG_ERROR, "Memcpy Failed\n"); goto end; } if (memcpy_s(message_signature + sig_r_len, *signature_length, (char *)sig_s, - (size_t)sig_s_len) != 0) { + (size_t)sig_s_len) != 0) { LOG(LOG_ERROR, "Memcpy Failed\n"); goto end; } @@ -141,14 +159,23 @@ int32_t crypto_hal_ecdsa_sign(const uint8_t *data, size_t data_len, if (sig) { ECDSA_SIG_free(sig); } - if (eckey) { - EC_KEY_free(eckey); - } if (sig_r) { fdo_free(sig_r); } if (sig_s) { fdo_free(sig_s); } + if (der_sig) { + fdo_free(der_sig); + sig_input = NULL; + } + if (mdctx) { + EVP_MD_CTX_free(mdctx); + mdctx = NULL; + } + if (evpKey) { + EVP_PKEY_free(evpKey); + evpKey = NULL; + } return ret; } diff --git a/crypto/openssl/openssl_ECDSAVerifyRoutines.c b/crypto/openssl/openssl_ECDSAVerifyRoutines.c index ae73defc..ecdf6966 100644 --- a/crypto/openssl/openssl_ECDSAVerifyRoutines.c +++ b/crypto/openssl/openssl_ECDSAVerifyRoutines.c @@ -13,6 +13,7 @@ #include #include #include +#include #include "fdoCryptoHal.h" #include "util.h" #include "storage_al.h" 
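Review bot: The rewrite of crypto_hal_ecdsa_sign removes the only visible check of the caller's buffer capacity, the old `sig_len > *signature_length` test. The context of the next hunk then overwrites `*signature_length` with `sig_r_len + sig_s_len` before using it as the `memcpy_s` bound, so the bound no longer reflects the size of `message_signature`. Unless the lines between the two hunks (not shown) compare against the supplied size, a caller passing a buffer smaller than r||s gets an out-of-bounds write. I would save the capacity on entry, `size_t sig_cap = *signature_length;`, and add `if ((size_t)sig_r_len + (size_t)sig_s_len > sig_cap) { LOG(LOG_ERROR, "Signature buffer too small\n"); goto end; }` before the assignment.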
@@ -33,76 +34,45 @@ * @param key_param2Length - not used * @return 0 if true, else -1. - */ +*/ int32_t crypto_hal_sig_verify(uint8_t key_encoding, int key_algorithm, - const uint8_t *message, uint32_t message_length, - const uint8_t *message_signature, - uint32_t signature_length, - const uint8_t *key_param1, - uint32_t key_param1Length, - const uint8_t *key_param2, - uint32_t key_param2Length) + const uint8_t *message, uint32_t message_length, + const uint8_t *message_signature, + uint32_t signature_length, + const uint8_t *key_param1, + uint32_t key_param1Length, + const uint8_t *key_param2, + uint32_t key_param2Length) { int32_t ret = -1; - EC_KEY *eckey = NULL; - uint8_t hash[SHA512_DIGEST_LENGTH] = {0}; - size_t hash_length = 0; + EVP_PKEY *eckey = NULL; + EVP_PKEY_CTX *evp_ctx = NULL; + EVP_MD_CTX *mdctx = NULL; + uint32_t group_name_nid; const unsigned char *pub_key = (const unsigned char *)key_param1; - unsigned char *sig_r = NULL; - unsigned char *sig_s = NULL; BIGNUM *x = NULL; BIGNUM *y = NULL; - BIGNUM *r = NULL; - BIGNUM *s = NULL; + uint32_t der_sig_len = 0; + uint8_t * der_sig = NULL; ECDSA_SIG *sig = NULL; /* Check validity of key type. 
*/ // Only COSEKEY and X509 are currently supported if ((key_encoding != FDO_CRYPTO_PUB_KEY_ENCODING_X509 && - key_encoding != FDO_CRYPTO_PUB_KEY_ENCODING_COSEKEY) || - (key_algorithm != FDO_CRYPTO_PUB_KEY_ALGO_ECDSAp256 && - key_algorithm != FDO_CRYPTO_PUB_KEY_ALGO_ECDSAp384)) { + key_encoding != FDO_CRYPTO_PUB_KEY_ENCODING_COSEKEY) || + (key_algorithm != FDO_CRYPTO_PUB_KEY_ALGO_ECDSAp256 && + key_algorithm != FDO_CRYPTO_PUB_KEY_ALGO_ECDSAp384)) { LOG(LOG_ERROR, "Incorrect key type\n"); goto end; } if (NULL == message_signature || 0 == signature_length || - 0 != (signature_length % 2) || - NULL == message || 0 == message_length) { + 0 != (signature_length % 2) || + NULL == message || 0 == message_length) { LOG(LOG_ERROR, "Invalid arguments!\n"); goto end; } - /* generate required EC_KEY based on type */ - if (key_algorithm == FDO_CRYPTO_PUB_KEY_ALGO_ECDSAp256) { // P-256 NIST - eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); - if (NULL == eckey) { - LOG(LOG_ERROR, "EC_KEY allocation failed!\n"); - goto end; - } - /* Perform SHA-256 digest of the message */ - if (SHA256((const unsigned char *)message, message_length, - hash) == NULL) { - LOG(LOG_ERROR, "SHA-256 calculation failed!\n"); - goto end; - } - hash_length = SHA256_DIGEST_LENGTH; - - } else { // P-384 - eckey = EC_KEY_new_by_curve_name(NID_secp384r1); - if (NULL == eckey) { - LOG(LOG_ERROR, "EC_KEY allocation failed!\n"); - goto end; - } - /* Perform SHA-384 digest of the message */ - if (SHA384((const unsigned char *)message, message_length, - hash) == NULL) { - LOG(LOG_ERROR, "SHA-384 calculation failed!\n"); - goto end; - } - hash_length = SHA384_DIGEST_LENGTH; - } - if (key_encoding == FDO_CRYPTO_PUB_KEY_ENCODING_X509) { if (NULL == pub_key || 0 == key_param1Length) { 
@@ -114,13 +84,27 @@ int32_t crypto_hal_sig_verify(uint8_t key_encoding, int key_algorithm, (void)key_param2Length; /* decode EC_KEY struct from DER encoded EC public key */ - if (d2i_EC_PUBKEY(&eckey, &pub_key, (long)key_param1Length) == NULL) { + if (d2i_PUBKEY(&eckey, &pub_key, (long)key_param1Length) == NULL) { LOG(LOG_ERROR, "DER to EC_KEY struct decoding failed!\n"); goto end; } } else if (key_encoding == FDO_CRYPTO_PUB_KEY_ENCODING_COSEKEY) { + /* generate required EC_KEY based on type */ + if (key_algorithm == FDO_CRYPTO_PUB_KEY_ALGO_ECDSAp256) { + group_name_nid = NID_X9_62_prime256v1; + } + else { // P-384 + group_name_nid = NID_secp384r1; + } + const char* group_name = OBJ_nid2sn(group_name_nid); + evp_ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL); + if (!evp_ctx) { + LOG(LOG_ERROR, "Failed to create evp ctx context \n"); + goto end; + } + if (NULL == key_param1 || 0 == key_param1Length || - NULL == key_param2 || 0 == key_param2Length) { + NULL == key_param2 || 0 == key_param2Length) { LOG(LOG_ERROR, "Invalid params!\n"); goto end; } 
@@ -131,75 +115,78 @@ int32_t crypto_hal_sig_verify(uint8_t key_encoding, int key_algorithm, LOG(LOG_ERROR, "Failed to convert affine-x and/or affine-y\n"); goto end; } - if (EC_KEY_set_public_key_affine_coordinates(eckey, x, y) == 0) { + OSSL_PARAM params[] = { + OSSL_PARAM_BN(OSSL_PKEY_PARAM_EC_PUB_X, &x, sizeof(x)), + OSSL_PARAM_BN(OSSL_PKEY_PARAM_EC_PUB_Y, &y, sizeof(y)), + OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, (char *)group_name, strlen(group_name)), + OSSL_PARAM_END + }; + if(EVP_PKEY_fromdata_init(evp_ctx) <= 0 || + EVP_PKEY_fromdata(evp_ctx, &eckey, EVP_PKEY_KEYPAIR, params) <= 0) { LOG(LOG_ERROR, "Failed to create EC Key from affine-x and affine-y!\n"); goto end; } } - // assemble r and s into a signature object - sig = ECDSA_SIG_new(); - if (!sig) { - LOG(LOG_ERROR, "ECDSA Sig create failed\n"); + if(!(mdctx = EVP_MD_CTX_create())) { + LOG(LOG_ERROR, "Msg Digest init failed \n"); goto end; } - - sig_r = fdo_alloc(signature_length/2); - if (!sig_r) { - LOG(LOG_ERROR, "Alloc of sig-r failed!\n"); - goto end; - } - if (0 != memcpy_s(sig_r, signature_length/2, - message_signature, signature_length/2)) { - LOG(LOG_ERROR, "Copy of sig-r failed!\n"); - goto end; + if (key_algorithm == FDO_CRYPTO_PUB_KEY_ALGO_ECDSAp256) { + if(1 != EVP_DigestVerifyInit(mdctx, NULL, EVP_sha256(), NULL, eckey)){ + LOG(LOG_ERROR, "EVP verify init failed \n"); + goto end; + } } - sig_s = fdo_alloc(signature_length/2); - if (!sig_s) { - LOG(LOG_ERROR, "Alloc of sig-s failed!\n"); - goto end; + else { + if(1 != EVP_DigestVerifyInit(mdctx, NULL, EVP_sha384(), NULL, eckey)){ + LOG(LOG_ERROR, "EVP verify init failed \n"); + goto end; + } } - if (0 != memcpy_s(sig_s, signature_length/2, - message_signature + signature_length/2, signature_length/2)) { - LOG(LOG_ERROR, "Copy of sig-s failed!\n"); + + if(1 != EVP_DigestVerifyUpdate(mdctx, message, message_length)) { + LOG(LOG_ERROR, "EVP verify update failed \n"); goto end; } - // get r and s from buffers as BIGNUMs - r = 
BN_bin2bn((const unsigned char*) sig_r, signature_length/2, NULL); - if (!r) { - LOG(LOG_ERROR, "Failed to convert r\n"); + + // Convert the raw signature to DER encoded format + sig = ECDSA_SIG_new(); + BIGNUM *r = BN_bin2bn(message_signature, signature_length/2, NULL); + BIGNUM *s = BN_bin2bn(message_signature + signature_length/2, signature_length/2, NULL); + if (!sig || !r || !s || (1 != ECDSA_SIG_set0(sig, r, s))) { + LOG(LOG_ERROR, "Failure in parsing the signature \n"); goto end; } - s = BN_bin2bn((const unsigned char*) sig_s, signature_length/2, NULL); - if (!s) { - LOG(LOG_ERROR, "Failed to convert s\n"); - BN_free(r); + der_sig_len = i2d_ECDSA_SIG(sig, NULL); + if (!der_sig_len) { + LOG(LOG_ERROR, "Failure in format conversion of signature \n"); goto end; } - - // once set, this maintains r and s, no need to free explicitly - // free only in case of an error - if (1 != ECDSA_SIG_set0(sig, r, s)) { - LOG(LOG_ERROR, "ECDSA Sig set failed\n"); - BN_free(r); - BN_free(s); + der_sig_len = i2d_ECDSA_SIG(sig, &der_sig); + if (!der_sig_len || !der_sig) { + LOG(LOG_ERROR, "Failure in format conversion of signature \n"); goto end; } - if (1 != ECDSA_do_verify(hash, hash_length, sig, eckey)) { + if(1 != EVP_DigestVerifyFinal(mdctx, der_sig, der_sig_len)) { LOG(LOG_ERROR, "ECDSA Sig verification failed\n"); goto end; } - ret = 0; end: if (eckey) { - EC_KEY_free(eckey); + EVP_PKEY_free(eckey); + eckey = NULL; } - if (sig) { - // this method also frees BIGNUMs r and s - ECDSA_SIG_free(sig); + if (evp_ctx) { + EVP_PKEY_CTX_free(evp_ctx); + evp_ctx = NULL; + } + if (mdctx) { + EVP_MD_CTX_free(mdctx); + mdctx = NULL; } if (x) { BN_free(x); @@ -207,11 +194,11 @@ int32_t crypto_hal_sig_verify(uint8_t key_encoding, int key_algorithm, if (y) { BN_free(y); } - if (sig_r) { - fdo_free(sig_r); + if (sig) { + ECDSA_SIG_free(sig); } - if (sig_s) { - fdo_free(sig_s); + if (der_sig) { + fdo_free(der_sig); } return ret; } 
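Review bot: The `OSSL_PARAM_BN(OSSL_PKEY_PARAM_EC_PUB_X, &x, sizeof(x))` and matching Y entry in the COSEKEY branch pass the address and size of the `BIGNUM *` variable, but `OSSL_PARAM_BN` expects a buffer holding the integer's bytes in native order plus that buffer's length, so the provider would not receive the real coordinates. As far as I know the EC key import also takes the public point as `OSSL_PKEY_PARAM_PUB_KEY` (an encoded point) and treats the X/Y names as read-only, and a public-only key should be imported with `EVP_PKEY_PUBLIC_KEY` rather than `EVP_PKEY_KEYPAIR`. I would encode x and y as an uncompressed point padded to the field size and import that, as sketched below; a unit test that verifies a known-good signature through the COSEKEY path would confirm the behaviour either way. The function body continues outside the hunk.

```c
	/* … unchanged: conversion of key_param1/key_param2 into x and y … */
	/* Uncompressed SEC1 point: 0x04 || X || Y, each coordinate left-padded
	 * to the field size of the selected curve. */
	size_t coord_len =
	    (key_algorithm == FDO_CRYPTO_PUB_KEY_ALGO_ECDSAp256) ? 32 : 48;
	unsigned char pub_point[1 + 2 * 48] = {0};

	pub_point[0] = POINT_CONVERSION_UNCOMPRESSED;
	if (BN_bn2binpad(x, pub_point + 1, (int)coord_len) < 0 ||
	    BN_bn2binpad(y, pub_point + 1 + coord_len, (int)coord_len) < 0) {
		LOG(LOG_ERROR, "Failed to encode affine-x and/or affine-y\n");
		goto end;
	}
	OSSL_PARAM params[] = {
		OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
				       (char *)group_name, strlen(group_name)),
		OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PUB_KEY, pub_point,
					1 + 2 * coord_len),
		OSSL_PARAM_END
	};
	if (EVP_PKEY_fromdata_init(evp_ctx) <= 0 ||
	    EVP_PKEY_fromdata(evp_ctx, &eckey, EVP_PKEY_PUBLIC_KEY, params) <= 0) {
		/* … unchanged: error log and goto end … */
```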
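Review bot: `der_sig` is released with `fdo_free(der_sig)` in the cleanup block, but the buffer is produced by `i2d_ECDSA_SIG(sig, &der_sig)` in the previous hunk, which allocates through OpenSSL's allocator when the pointer starts out NULL (its declaration is not visible, so the initial value is inferred). Memory obtained that way should be returned with `OPENSSL_free(der_sig);`, since the two allocators match only by accident of build configuration. The cleanup block also belongs to a function whose start lies outside this hunk.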
diff --git a/crypto/openssl/openssl_csr.c b/crypto/openssl/openssl_csr.c index cbcc962c..5262931b 100644 --- a/crypto/openssl/openssl_csr.c +++ b/crypto/openssl/openssl_csr.c @@ -10,6 +10,7 @@ #include #include +#include #include "fdotypes.h" #include "util.h" @@ -26,26 +27,29 @@ int32_t crypto_hal_get_device_csr(fdo_byte_array_t **csr) int ret = -1; uint8_t *csr_data = NULL; size_t csr_size = 0; - EC_KEY *ec_key = NULL; + EVP_PKEY *evp_key = NULL; + size_t group_name_size; + char group_name[64]; + size_t pub_key_size; + fdo_byte_array_t* octet_pub_key = NULL; - const EC_GROUP *ec_grp = NULL; + EC_GROUP *ec_grp = NULL; BIO *csr_mem_bio = NULL; EC_POINT *pub_key = NULL; - const BIGNUM *privkey_bn = NULL; + BIGNUM *privkey_bn = NULL; X509_NAME *x509_name = NULL; - EVP_PKEY *ec_pkey = EVP_PKEY_new(); X509_REQ *x509_req = X509_REQ_new(); fdo_byte_array_t *csr_byte_arr = NULL; - if (!ec_pkey || !x509_req) { + if (!x509_req) { ret = -1; goto err; } /* Get the EC private key from storage */ - ec_key = get_ec_key(); - if (!ec_key) { + evp_key = get_evp_key(); + if (!evp_key) { LOG(LOG_ERROR, "Failed to load the ec key for CSR\n"); ret = -1; goto err; 
@@ -57,9 +61,24 @@ int32_t crypto_hal_get_device_csr(fdo_byte_array_t **csr) * b. Generate a new point * c. Create the public key */ - ec_grp = EC_KEY_get0_group(ec_key); - if (!ec_grp) { - LOG(LOG_ERROR, "Failed to create a group on ec curve\n"); + EVP_PKEY_get_utf8_string_param(evp_key, OSSL_PKEY_PARAM_GROUP_NAME, NULL, 0, &group_name_size); + if (group_name_size >= sizeof(group_name)) { + LOG(LOG_ERROR, "Unexpected long group name : %zu for EC key\n",group_name_size); + ret = -1; + goto err; + } + if (!EVP_PKEY_get_utf8_string_param(evp_key, OSSL_PKEY_PARAM_GROUP_NAME, group_name, sizeof(group_name), + &group_name_size)) + { + LOG(LOG_ERROR, "Failed to get the group name fo EC EVP key\n"); + ret = -1; + goto err; + } + int group_nid = OBJ_sn2nid(group_name); + ec_grp = EC_GROUP_new_by_curve_name(group_nid); + if (ec_grp == NULL) + { + LOG(LOG_ERROR, "Failed to get the group name fo EC EVP key\n"); ret = -1; goto err; } @@ -71,8 +90,7 @@ int32_t crypto_hal_get_device_csr(fdo_byte_array_t **csr) goto err; } - privkey_bn = EC_KEY_get0_private_key(ec_key); - if (!privkey_bn) { + if (!EVP_PKEY_get_bn_param(evp_key, OSSL_PKEY_PARAM_PRIV_KEY, &privkey_bn)) { LOG(LOG_ERROR, "Failed to get private key bn\n"); ret = -1; goto err; 
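Review bot: The first `EVP_PKEY_get_utf8_string_param(..., NULL, 0, &group_name_size)` call, which only queries the length, has its return value ignored, and `group_name_size` is declared without an initializer in the earlier hunk, so a failed query leaves the size comparison reading an indeterminate value. Folding the call into the check avoids that: `if (!EVP_PKEY_get_utf8_string_param(evp_key, OSSL_PKEY_PARAM_GROUP_NAME, NULL, 0, &group_name_size) || group_name_size >= sizeof(group_name)) {`. The error text for a failed `EC_GROUP_new_by_curve_name` repeats the "group name" message, which makes the two failures indistinguishable in logs; `"Failed to create EC group for the key's curve\n"` would separate them. The enclosing function starts and ends outside this hunk.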
@@ -84,15 +102,22 @@ int32_t crypto_hal_get_device_csr(fdo_byte_array_t **csr) ret = -1; goto err; } - - /* Set the ec_key instance with both public/private key */ - ret = EC_KEY_set_public_key(ec_key, pub_key); - if (!ret) { + + pub_key_size = EC_POINT_point2oct(ec_grp, pub_key, POINT_CONVERSION_COMPRESSED, NULL, 0, NULL); + octet_pub_key = fdo_byte_array_alloc(pub_key_size); + if (!EC_POINT_point2oct(ec_grp, pub_key, POINT_CONVERSION_COMPRESSED, octet_pub_key->bytes, + octet_pub_key->byte_sz, NULL)) { + LOG(LOG_ERROR, "Failed to process public key\n"); + ret = -1; + goto err; + } + // Set the evp_key instance with public key + if (!EVP_PKEY_set_octet_string_param(evp_key, OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, octet_pub_key->bytes, + octet_pub_key->byte_sz)) { LOG(LOG_ERROR, "Failed to set the public key\n"); ret = -1; goto err; } - /* Fill in the the data associated with this device */ x509_name = X509_REQ_get_subject_name(x509_req); if (!x509_name) { @@ -117,15 +142,8 @@ int32_t crypto_hal_get_device_csr(fdo_byte_array_t **csr) goto err; } - ret = EVP_PKEY_assign_EC_KEY(ec_pkey, ec_key); - if (!ret) { - LOG(LOG_ERROR, "Failed to get ec_key reference\n"); - ret = -1; - goto err; - } - /* Set the public key on the CSR */ - ret = X509_REQ_set_pubkey(x509_req, ec_pkey); + ret = X509_REQ_set_pubkey(x509_req, evp_key); if (!ret) { LOG(LOG_ERROR, "Failed to set the public key in CSR\n"); ret = -1; @@ -133,7 +151,7 @@ int32_t crypto_hal_get_device_csr(fdo_byte_array_t **csr) } /* Sign to generate the final CSR */ - ret = X509_REQ_sign(x509_req, ec_pkey, EVP_sha256()); + ret = X509_REQ_sign(x509_req, evp_key, EVP_sha256()); if (!ret) { LOG(LOG_ERROR, "Failed to generate CSR data\n"); ret = -1; 
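Review bot: `octet_pub_key` is dereferenced in the second `EC_POINT_point2oct` call without a NULL check after `fdo_byte_array_alloc(pub_key_size)`, which presumably returns NULL when allocation fails, and `pub_key_size` is not checked either although `EC_POINT_point2oct` returns 0 on error. A guard before the second call covers both: `if (pub_key_size == 0 || !octet_pub_key) { LOG(LOG_ERROR, "Failed to allocate public key buffer\n"); ret = -1; goto err; }`. The enclosing function starts and ends outside this hunk.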
@@ -193,13 +211,21 @@ int32_t crypto_hal_get_device_csr(fdo_byte_array_t **csr) if (csr_mem_bio) { BIO_free(csr_mem_bio); } - if (ec_pkey) { - EVP_PKEY_free(ec_pkey); - ec_key = NULL; // evp_pkey_free clears attached ec_key too + if (evp_key) { + EVP_PKEY_free(evp_key); } if (pub_key) { EC_POINT_free(pub_key); } + if (ec_grp) { + EC_GROUP_free(ec_grp); + } + if (octet_pub_key) { + fdo_byte_array_free(octet_pub_key); + } + if (privkey_bn) { + BN_clear_free(privkey_bn); + } if (x509_req) { X509_REQ_free(x509_req); } diff --git a/crypto/openssl/openssl_key_exchange_ecdh.c b/crypto/openssl/openssl_key_exchange_ecdh.c index 2f0d5f72..11214892 100644 --- a/crypto/openssl/openssl_key_exchange_ecdh.c +++ b/crypto/openssl/openssl_key_exchange_ecdh.c @@ -15,6 +15,7 @@ #include "BN_support.h" #include "openssl/ec.h" #include "openssl/objects.h" +#include "openssl/core_names.h" #include "safe_lib.h" #define DECLARE_BIGNUM(bn) bignum_t *bn @@ -29,9 +30,10 @@ typedef struct { DECLARE_BIGNUM(_Device_random); DECLARE_BIGNUM(_publicA); /* The server's A public value */ - EC_KEY *_key; + uint32_t group_name_nid; + EVP_PKEY *_key; - const DECLARE_BIGNUM(_secretb); /* Out bit secret */ + DECLARE_BIGNUM(_secretb); /* Out bit secret */ DECLARE_BIGNUM(_publicB); /* Our B public value */ DECLARE_BIGNUM(_shared_secret); uint8_t *_pubB; @@ -49,7 +51,6 @@ static bool compute_publicBECDH(ecdh_context_t *key_ex_data); int32_t crypto_hal_kex_init(void **context) { ecdh_context_t *key_ex_data = NULL; - EC_KEY *key = NULL; if (!context) { LOG(LOG_ERROR, "Invalid parameters\n"); 
@@ -72,24 +73,18 @@ int32_t crypto_hal_kex_init(void **context) key_ex_data->_Device_random = BN_new(); if (!key_ex_data->_publicB || !key_ex_data->_publicA || - !key_ex_data->_shared_secret || !key_ex_data->_Device_random) { + !key_ex_data->_shared_secret || !key_ex_data->_Device_random) { LOG(LOG_ERROR, "BN alloc failed\n"); goto error; } - key = EC_KEY_new_by_curve_name(KEY_CURVE); + key_ex_data->group_name_nid = KEY_CURVE; + /* Generate Device Random bits(384) */ if (bn_rand(key_ex_data->_Device_random, BN_RANDOM_SIZE)) { goto error; } - if (key == NULL) { - LOG(LOG_ERROR, "failed to get the curve parameters\n"); - goto error; - } - - key_ex_data->_key = key; - if (compute_publicBECDH(key_ex_data) == false) { goto error; } @@ -127,11 +122,14 @@ int32_t crypto_hal_kex_close(void **context) if (key_ex_data->_shared_secret) { BN_clear_free(key_ex_data->_shared_secret); } + if (key_ex_data->_secretb) { + BN_clear_free(key_ex_data->_secretb); + } if (key_ex_data->_Device_random) { BN_clear_free(key_ex_data->_Device_random); } if (key_ex_data->_key != NULL) { - EC_KEY_free(key_ex_data->_key); + EVP_PKEY_free(key_ex_data->_key); key_ex_data->_key = NULL; } if (key_ex_data->_pubB) { @@ -151,10 +149,7 @@ static bool compute_publicBECDH(ecdh_context_t *key_ex_data) { BN_CTX *ctx = NULL; - const EC_GROUP *group = NULL; - EC_KEY *key = NULL; - - const EC_POINT *point = NULL; + EC_GROUP *group = NULL; BIGNUM *x = NULL, *y = NULL; unsigned char *temp = NULL; int size = 0; 
@@ -180,69 +175,50 @@ static bool compute_publicBECDH(ecdh_context_t *key_ex_data) goto exit; } - key = key_ex_data->_key; - if (!key) { - LOG(LOG_ERROR, "EC key is wrong\n"); - goto exit; - } - group = EC_KEY_get0_group(key); - if (!group) { - LOG(LOG_ERROR, "EC group get failed\n"); + group = EC_GROUP_new_by_curve_name(key_ex_data->group_name_nid); + if (group == NULL) { + LOG(LOG_ERROR, "Failed to get the EC group\n"); goto exit; } /* generate the public key and private key */ - if (EC_KEY_generate_key(key) == 0) { + key_ex_data->_key = EVP_EC_gen(OBJ_nid2sn(key_ex_data->group_name_nid)); + if (!key_ex_data->_key) { LOG(LOG_ERROR, "EC key generation failed\n"); goto exit; } /* Store the private key */ - key_ex_data->_secretb = EC_KEY_get0_private_key(key); - if (!key_ex_data->_secretb) { + if (!EVP_PKEY_get_bn_param(key_ex_data->_key, OSSL_PKEY_PARAM_PRIV_KEY, &(key_ex_data->_secretb))) { LOG(LOG_ERROR, "EC private key get failed\n"); goto exit; } - /* Get the public key */ - point = EC_KEY_get0_public_key(key); - if (!point) { - LOG(LOG_ERROR, "EC public key get failed\n"); - goto exit; - } - if (EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx) == 0) { + /* Get the public key co-ordinates in x and y*/ + if (!EVP_PKEY_get_bn_param(key_ex_data->_key, OSSL_PKEY_PARAM_EC_PUB_X, &x) || + !EVP_PKEY_get_bn_param(key_ex_data->_key, OSSL_PKEY_PARAM_EC_PUB_Y, &y)) { LOG(LOG_ERROR, "EC cordinate get failed\n"); goto exit; } #if LOG_LEVEL == LOG_MAX_LEVEL /* Print the co-ordinates */ - char *hexbuf1 = BN_bn2hex(x); - LOG(LOG_DEBUG, "Bx %s : bytes %d, %s\n", - BN_is_negative(x) ? "Negative" : "Positive", bn_num_bytes(x), - hexbuf1); - OPENSSL_free(hexbuf1); + LOG(LOG_DEBUG, "Bx %s : bytes %d\n", + BN_is_negative(x) ? "Negative" : "Positive", bn_num_bytes(x)); - char *hexbuf2 = BN_bn2hex(y); + LOG(LOG_DEBUG, "By %s : bytes %d\n", + BN_is_negative(y) ? "Negative" : "Positive", bn_num_bytes(y)); - LOG(LOG_DEBUG, "By %s : bytes %d, %s\n", - BN_is_negative(y) ? 
"Negative" : "Positive", bn_num_bytes(y), - hexbuf2); - OPENSSL_free(hexbuf2); - - char *hexbuf3 = BN_bn2hex(key_ex_data->_Device_random); - - LOG(LOG_DEBUG, "Device Random %s : bytes %d, %s\n", - BN_is_negative(key_ex_data->_Device_random) ? "Negative" - : "Positive", - bn_num_bytes(key_ex_data->_Device_random), hexbuf3); - OPENSSL_free(hexbuf3); + LOG(LOG_DEBUG, "Device Random %s : bytes %d\n", + BN_is_negative(key_ex_data->_Device_random) ? "Negative" + : "Positive", + bn_num_bytes(key_ex_data->_Device_random)); #endif /* 2byte for each blen 3x2 =6 */ allocbytes = (bn_num_bytes(x) + bn_num_bytes(y) + - bn_num_bytes(key_ex_data->_Device_random) + 6); + bn_num_bytes(key_ex_data->_Device_random) + 6); temp = fdo_alloc(allocbytes); if (!temp) { LOG(LOG_ERROR, "Mem alloc failed\n"); @@ -292,19 +268,20 @@ static bool compute_publicBECDH(ecdh_context_t *key_ex_data) key_ex_data->_publicB_length = allocbytes; #if LOG_LEVEL == LOG_MAX_LEVEL hexdump("_publicB::", key_ex_data->_publicB, - key_ex_data->_publicB_length); + key_ex_data->_publicB_length); { - char *hexbuf = BN_bn2hex(key_ex_data->_publicB); - LOG(LOG_DEBUG, "key_ex_data->_publicB %s : bytes %d, %s\n", - BN_is_negative(key_ex_data->_publicB) ? "Negative" - : "Positive", - bn_num_bytes(key_ex_data->_publicB), hexbuf); - OPENSSL_free(hexbuf); + LOG(LOG_DEBUG, "key_ex_data->_publicB %s : bytes %d\n", + BN_is_negative(key_ex_data->_publicB) ? "Negative" + : "Positive", + bn_num_bytes(key_ex_data->_publicB)); } #endif ret = true; exit: + if (group) { + EC_GROUP_free(group); + } if (temp) { fdo_free(temp); } @@ -332,7 +309,7 @@ static bool compute_publicBECDH(ecdh_context_t *key_ex_data) * @return 0 if success, else -1 */ int32_t crypto_hal_get_device_random(void *context, uint8_t *dev_rand_value, - uint32_t *dev_rand_length) + uint32_t *dev_rand_length) { ecdh_context_t *key_ex_data = (ecdh_context_t *)context; 
@@ -350,7 +327,7 @@ int32_t crypto_hal_get_device_random(void *context, uint8_t *dev_rand_value, } if (memcpy_s(dev_rand_value, *dev_rand_length, key_ex_data->_pubB, - *dev_rand_length) != 0) { + *dev_rand_length) != 0) { LOG(LOG_ERROR, "Memcopy failed\n"); return -1; } @@ -366,8 +343,8 @@ int32_t crypto_hal_get_device_random(void *context, uint8_t *dev_rand_value, * @return 0 if success, else false. */ int32_t crypto_hal_set_peer_random(void *context, - const uint8_t *peer_rand_value, - uint32_t peer_rand_length) + const uint8_t *peer_rand_value, + uint32_t peer_rand_length) { ecdh_context_t *key_ex_data = (ecdh_context_t *)context; @@ -383,10 +360,9 @@ int32_t crypto_hal_set_peer_random(void *context, int size = 0; BIGNUM *Ax_bn = NULL, *Ay_bn = NULL, *owner_random_bn = NULL; BIGNUM *Shx_bn = NULL, *Shy_bn = NULL; - const EC_GROUP *group = NULL; + EC_GROUP *group = NULL; EC_POINT *point = NULL; EC_POINT *Sh_se_point = NULL; - EC_KEY *key = NULL; int ret = -1; Ax_bn = BN_new(); 
@@ -404,25 +380,20 @@ int32_t crypto_hal_set_peer_random(void *context, LOG(LOG_DEBUG, "set_publicA : bytes : %u\n", peer_rand_length); hexdump("Public A", peer_rand_value, peer_rand_length); /* Display public - B */ - char *hexbuf = BN_bn2hex(key_ex_data->_publicB); - LOG(LOG_DEBUG, "key_ex_data->_publicB %s : bytes %d, 0x%s\n", - BN_is_negative(key_ex_data->_publicB) ? "Negative" : "Positive", - bn_num_bytes(key_ex_data->_publicB), hexbuf); - OPENSSL_free(hexbuf); + LOG(LOG_DEBUG, "key_ex_data->_publicB %s : bytes %d\n", + BN_is_negative(key_ex_data->_publicB) ? "Negative" : "Positive", + bn_num_bytes(key_ex_data->_publicB)); #endif bn_bin2bn(peer_rand_value, peer_rand_length, key_ex_data->_publicA); #if LOG_LEVEL == LOG_MAX_LEVEL /* Display Public - A */ - char *hexbuf1 = BN_bn2hex(key_ex_data->_publicA); - LOG(LOG_DEBUG, - "Device Received: key_ex_data->_publicA %s : " - "bytes %d, 0x%s\n", - BN_is_negative(key_ex_data->_publicA) ? "Negative" : "Positive", - bn_num_bytes(key_ex_data->_publicA), hexbuf1); - OPENSSL_free(hexbuf1); + "Device Received: key_ex_data->_publicA %s : " + "bytes %d\n", + BN_is_negative(key_ex_data->_publicA) ? "Negative" : "Positive", + bn_num_bytes(key_ex_data->_publicA)); #endif temp = peer_rand_value; 
@@ -443,24 +414,18 @@ int32_t crypto_hal_set_peer_random(void *context, BN_bin2bn(&temp[size], size_owner_random, owner_random_bn); #if LOG_LEVEL == LOG_MAX_LEVEL - char *hexbuf2 = BN_bn2hex(Ax_bn); - - LOG(LOG_DEBUG, "Device Reveived: Ax %s : bytes %d, %s\n", - BN_is_negative(Ax_bn) ? "Negative" : "Positive", - bn_num_bytes(Ax_bn), hexbuf2); - OPENSSL_free(hexbuf2); - char *hexbuf3 = BN_bn2hex(Ay_bn); - - LOG(LOG_DEBUG, "Device Received: Ay %s : bytes %d, %s\n", - BN_is_negative(Ay_bn) ? "Negative" : "Positive", - bn_num_bytes(Ay_bn), hexbuf3); - OPENSSL_free(hexbuf3); - char *hexbuf4 = BN_bn2hex(owner_random_bn); - - LOG(LOG_DEBUG, "Device Reveived: Owner Random %s : bytes %d, %s\n", - BN_is_negative(owner_random_bn) ? "Negative" : "Positive", - bn_num_bytes(owner_random_bn), hexbuf4); - OPENSSL_free(hexbuf4); + + LOG(LOG_DEBUG, "Device Reveived: Ax %s : bytes %d\n", + BN_is_negative(Ax_bn) ? "Negative" : "Positive", + bn_num_bytes(Ax_bn)); + + LOG(LOG_DEBUG, "Device Received: Ay %s : bytes %d\n", + BN_is_negative(Ay_bn) ? "Negative" : "Positive", + bn_num_bytes(Ay_bn)); + + LOG(LOG_DEBUG, "Device Reveived: Owner Random %s : bytes %d\n", + BN_is_negative(owner_random_bn) ? "Negative" : "Positive", + bn_num_bytes(owner_random_bn)); #endif ctx = BN_CTX_new(); if (!ctx) { @@ -468,14 +433,18 @@ int32_t crypto_hal_set_peer_random(void *context, goto error; } - key = key_ex_data->_key; - group = EC_KEY_get0_group(key); + group = EC_GROUP_new_by_curve_name(key_ex_data->group_name_nid); + if (group == NULL) + { + LOG(LOG_ERROR, "Failed to get the EC group\n"); + goto error; + } point = EC_POINT_new(group); - if (group == NULL || point == NULL || key == NULL) { + if (group == NULL || point == NULL) { LOG(LOG_ERROR, "Error curve parameters are NULL\n"); goto error; } - EC_POINT_set_affine_coordinates_GFp(group, point, Ax_bn, Ay_bn, ctx); + EC_POINT_set_affine_coordinates(group, point, Ax_bn, Ay_bn, ctx); shx = fdo_alloc(bn_num_bytes(Ax_bn)); if (!shx) { goto error; 
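Review bot: The return value of `EC_POINT_set_affine_coordinates(group, point, Ax_bn, Ay_bn, ctx)` is ignored, so peer-supplied coordinates that do not describe a point on the curve are not rejected before the point is combined with the device's private scalar in the later `EC_POINT_mul`. The call reports that condition through its return value, so the check is one statement: `if (EC_POINT_set_affine_coordinates(group, point, Ax_bn, Ay_bn, ctx) != 1) { LOG(LOG_ERROR, "Peer public point is invalid\n"); goto error; }`. The `group == NULL` test after `EC_POINT_new` is now redundant with the new check just above it and could be reduced to `point == NULL`. crypto_hal_set_peer_random starts and ends outside this hunk.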
@@ -501,12 +470,12 @@ int32_t crypto_hal_set_peer_random(void *context, goto error; } if (EC_POINT_mul(group, Sh_se_point, NULL, point, key_ex_data->_secretb, - ctx) == 0) { + ctx) == 0) { EC_POINT_free(Sh_se_point); goto error; } - if (EC_POINT_get_affine_coordinates_GFp(group, Sh_se_point, Shx_bn, - Shy_bn, ctx) == 0) { + if (EC_POINT_get_affine_coordinates(group, Sh_se_point, Shx_bn, + Shy_bn, ctx) == 0) { EC_POINT_free(Sh_se_point); goto error; } @@ -519,7 +488,7 @@ int32_t crypto_hal_set_peer_random(void *context, EC_POINT_free(Sh_se_point); #endif shse = fdo_alloc(bn_num_bytes(key_ex_data->_Device_random) + - size_owner_random + bn_num_bytes(Shx_bn)); + size_owner_random + bn_num_bytes(Shx_bn)); if (!shse) { LOG(LOG_ERROR, "Memcopy failed\n"); goto error; @@ -549,6 +518,9 @@ int32_t crypto_hal_set_peer_random(void *context, ret = 0; error: + if (group) { + EC_GROUP_free(group); + } if (point) { EC_POINT_free(point); } @@ -589,7 +561,7 @@ int32_t crypto_hal_set_peer_random(void *context, * @return 0 on success or -1 on failure. */ int32_t crypto_hal_get_secret(void *context, uint8_t *secret, - uint32_t *secret_length) + uint32_t *secret_length) { ecdh_context_t *key_ex_data = (ecdh_context_t *)context; @@ -604,7 +576,7 @@ int32_t crypto_hal_get_secret(void *context, uint8_t *secret, } if (*secret_length < - (uint32_t)bn_num_bytes(key_ex_data->_shared_secret)) { + (uint32_t)bn_num_bytes(key_ex_data->_shared_secret)) { LOG(LOG_ERROR, "Invalid buff size\n"); return -1; } diff --git a/crypto/openssl/tpm20_ECDSASignRoutines.c b/crypto/openssl/tpm20_ECDSASignRoutines.c index 5ca82d96..d0db4f00 100644 --- a/crypto/openssl/tpm20_ECDSASignRoutines.c +++ b/crypto/openssl/tpm20_ECDSASignRoutines.c @@ -9,10 +9,12 @@ * \ tpm2.0(tpm-tss & tpm-tss-engine) and openssl library. */ -#include #include #include #include +#include +#include +#include #include "safe_lib.h" #include "util.h" #include "fdoCryptoHal.h" 
@@ -27,89 +29,117 @@ * @return 0 if success, else -1. */ int32_t crypto_hal_ecdsa_sign(const uint8_t *data, size_t data_len, - unsigned char *message_signature, - size_t *signature_length) + unsigned char *message_signature, + size_t *signature_length) { int32_t ret = -1; - const char *engine_id = "dynamic"; EVP_PKEY *pkey = NULL; - EC_KEY *eckey = NULL; ECDSA_SIG *sig = NULL; - uint8_t digest[SHA384_DIGEST_SIZE] = {0}; - ENGINE *engine = NULL; - size_t hash_length = 0; unsigned char *sig_r = NULL; int sig_r_len = 0; unsigned char *sig_s = NULL; int sig_s_len = 0; + unsigned char *der_sig = NULL; + size_t der_sig_len = 0; + OSSL_PROVIDER *prov = NULL; + EVP_MD_CTX *mdctx = NULL; + OSSL_STORE_CTX *ctx = NULL; + OSSL_STORE_INFO *info = NULL; if (!data || !data_len || !message_signature || !signature_length) { LOG(LOG_ERROR, "Invalid Parameters received."); goto error; } -#if defined(ECDSA256_DA) - hash_length = SHA256_DIGEST_SIZE; - if (SHA256(data, data_len, digest) == NULL) { - LOG(LOG_DEBUG, "SHA256 digest generation failed."); + + // Load OpenSSL TPM provider + if ((prov = OSSL_PROVIDER_load(NULL, "tpm2")) == NULL) { + LOG(LOG_ERROR,"Failed to load tpm provider!\n"); goto error; } -#elif defined(ECDSA384_DA) - hash_length = SHA384_DIGEST_SIZE; - if (SHA384(data, data_len, digest) == NULL) { - LOG(LOG_DEBUG, "SHA384 digest generation failed."); + + // Read the key + if ((ctx = OSSL_STORE_open(TPM_ECDSA_DEVICE_KEY, NULL, NULL, NULL, NULL)) == NULL) { + LOG(LOG_ERROR, "Error during OSSL_STORE_open\n"); goto error; } -#endif - ENGINE_load_dynamic(); + while (!OSSL_STORE_eof(ctx) && (info = OSSL_STORE_load(ctx)) != NULL) { + if (OSSL_STORE_INFO_get_type(info) == OSSL_STORE_INFO_PKEY) { + pkey = OSSL_STORE_INFO_get1_PKEY(info); + break; + } + OSSL_STORE_INFO_free(info); + info = NULL; + } - engine = ENGINE_by_id(engine_id); - if (engine == NULL) { - LOG(LOG_ERROR, "Could not find external engine.\n"); + if (!pkey) { + LOG(LOG_ERROR, "Error during reading Private 
key.\n"); goto error; } - if (!ENGINE_ctrl_cmd_string(engine, "SO_PATH", TPM2_TSS_ENGINE_SO_PATH, - 0)) { - LOG(LOG_ERROR, "Could not set TPM Engine path.\n"); + LOG(LOG_DEBUG,"Private key successfully loaded in TPM format.\n"); + + // Set EVP properties to use TPM provider + if (EVP_set_default_properties(NULL, "provider=tpm2") == 0) { + LOG(LOG_ERROR,"failed to load tpm provider!\n"); goto error; } - if (!ENGINE_ctrl_cmd_string(engine, "LOAD", NULL, 0)) { - LOG(LOG_ERROR, "Could not load TPM engine.\n"); + // Create the Message Digest Context + mdctx = EVP_MD_CTX_create(); + if (!mdctx) { + LOG(LOG_ERROR, "Failed to create message digest context\n"); goto error; } - LOG(LOG_DEBUG, "TPM Engine successfully loaded.\n"); - - if (!ENGINE_init(engine)) { - LOG(LOG_ERROR, "Could not initialize TPM engine.\n"); +#if defined(ECDSA256_DA) + if (1 != EVP_DigestSignInit(mdctx, NULL, EVP_sha256(), NULL, pkey)) { + LOG(LOG_ERROR, "EVP sign init failed \n"); goto error; } - - pkey = - ENGINE_load_private_key(engine, TPM_ECDSA_DEVICE_KEY, NULL, NULL); - if (NULL == pkey) { - LOG(LOG_DEBUG, - "Could not load private Key in TPM Engine format.\n"); +#elif defined(ECDSA384_DA) + if (1 != EVP_DigestSignInit(mdctx, NULL, EVP_sha384(), NULL, pkey)) { + LOG(LOG_ERROR, "EVP sign init failed \n"); + goto error; + } +#endif + if (1 != EVP_DigestSignUpdate(mdctx, data, data_len)) { + LOG(LOG_ERROR, "EVP sign update failed \n"); + goto error; + } + //First call with NULL param to obtain the DER encoded signature length + if (1 != EVP_DigestSignFinal(mdctx, NULL, &der_sig_len)) { + LOG(LOG_ERROR, "EVP sign final for size failed \n"); goto error; } - LOG(LOG_DEBUG, - "Private key successfully loaded in TPM Engine format.\n"); + if (der_sig_len <= 0) { + LOG(LOG_ERROR, "EVP_DigestSignFinal returned invalid signature length.\n"); + goto error; + } - eckey = EVP_PKEY_get1_EC_KEY(pkey); - if (NULL == eckey) { - LOG(LOG_DEBUG, "Could not Load ECC Key.\n"); + der_sig = fdo_alloc(der_sig_len); + if 
(!der_sig) { + LOG(LOG_ERROR, "Signature alloc Failed\n"); + goto error; + } + //second call with actual param to obtain the DEr encoded signature + if (1 != EVP_DigestSignFinal(mdctx, der_sig, &der_sig_len)) { + LOG(LOG_ERROR, "EVP sign final failed \n"); goto error; } - LOG(LOG_DEBUG, "ECDSA signature generation - " - "ECC key successfully loaded.\n"); + //Set EVP properties back to default. + if (EVP_set_default_properties(NULL, "provider=default") == 0) { + LOG(LOG_DEBUG,"failed to load tpm provider!\n"); + goto error; + } - sig = ECDSA_do_sign(digest, hash_length, eckey); - if (!sig) { - LOG(LOG_DEBUG, "Failed to generate ECDSA signature.\n"); + // Decode DER encoded signature to convert to raw format + sig = ECDSA_SIG_new(); + const unsigned char *sig_input = der_sig; + if (!sig || d2i_ECDSA_SIG(&sig, &sig_input, der_sig_len) == NULL) { + LOG(LOG_ERROR, "DER to EC_KEY struct decoding failed!\n"); goto error; } @@ -153,12 +183,12 @@ int32_t crypto_hal_ecdsa_sign(const uint8_t *data, size_t data_len, *signature_length = sig_r_len + sig_s_len; if (memcpy_s(message_signature, *signature_length, (char *)sig_r, - (size_t)sig_r_len) != 0) { + (size_t)sig_r_len) != 0) { LOG(LOG_ERROR, "Memcpy Failed\n"); goto error; } if (memcpy_s(message_signature + sig_r_len, *signature_length, (char *)sig_s, - (size_t)sig_s_len) != 0) { + (size_t)sig_s_len) != 0) { LOG(LOG_ERROR, "Memcpy Failed\n"); goto error; } 
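Review bot: `EVP_set_default_properties(NULL, "provider=tpm2")` changes the default property query of the process-wide library context, and every `goto error` between that call and the later reset to `"provider=default"` leaves it in place, so after a failed signing attempt unrelated EVP fetches in the same process would stay pinned to the TPM provider. Scoping the property to this one operation avoids the global state altogether, e.g. `EVP_DigestSignInit_ex(mdctx, NULL, "SHA256", NULL, "provider=tpm2", pkey, NULL)` (with `"SHA384"` in the other build); failing that, the reset belongs in the `error:` cleanup, which lies in the next hunk. Two smaller points: `der_sig_len <= 0` on a `size_t` can only test for zero, and a failed reset is logged at `LOG_DEBUG` with the text "failed to load tpm provider", which misdescribes what went wrong.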
@@ -166,25 +196,37 @@ int32_t crypto_hal_ecdsa_sign(const uint8_t *data, size_t data_len, ret = 0; error: - if (engine) { - ENGINE_finish(engine); - ENGINE_free(engine); - ENGINE_cleanup(); - } if (pkey) { EVP_PKEY_free(pkey); } - if (eckey) { - EC_KEY_free(eckey); - } if (sig) { ECDSA_SIG_free(sig); } + if (der_sig) { + fdo_free(der_sig); + sig_input = NULL; + } if (sig_r) { fdo_free(sig_r); } if (sig_s) { fdo_free(sig_s); } + if (prov) { + OSSL_PROVIDER_unload(prov); + prov = NULL; + } + if (mdctx) { + EVP_MD_CTX_free(mdctx); + mdctx = NULL; + } + if (ctx) { + OSSL_STORE_close(ctx); + ctx = NULL; + } + if (info) { + OSSL_STORE_INFO_free(info); + info = NULL; + } return ret; } diff --git a/docs/cse.md b/docs/cse.md index 9eee6d02..899b1dff 100644 --- a/docs/cse.md +++ b/docs/cse.md @@ -3,10 +3,12 @@ + + # Intel® CSE Implementation The development and execution OS used was `Ubuntu* OS version 20.04 or 22.04 / RHEL* OS version 8.4 or 8.6 / Debian 11.4` on x86. Follow these steps to compile and execute FIDO Device Onboard (FDO). -The Intel® CSE (Intel® Converged Security Engine) enabled FDO Client SDK execution depends on OpenSSL* toolkit 1.1.1t version. Users must install or upgrade the toolkit before compilation if the toolkit is not available by default in the environment. +The Intel® CSE (Intel® Converged Security Engine) enabled FDO Client SDK execution depends on OpenSSL* toolkit 3.0.8 version. Users must install or upgrade the toolkit before compilation if the toolkit is not available by default in the environment. # Prerequisites for Intel® CSE support The system hardware should have the support for Intel® CSE FDO client with UUID: 125405e0-fca9-4110-8f88-b4dbcdcb876f 
@@ -26,15 +28,26 @@ sudo subscription-manager repos --enable codeready-builder-for-rhel-8-x86_64-rpm sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm ``` ``` -sudo yum -y install gcc gcc-c++ python3-setuptools git-clang-format dos2unix ruby gcc gcc-c++ make perl glibc-static \ +sudo yum -y install gcc gcc-c++ python3-setuptools git-clang-format dos2unix ruby perl glibc-static \ glib2-devel libpcap-devel autoconf libtool libproxy-devel mozjs52-devel doxygen cmake openssl-devel make mercurial perl ``` ## 2. Packages Requirements when Executing Binaries: -OpenSSL* toolkit version 1.1.1t +OpenSSL* toolkit version 3.0.8 GCC version > 7.5 -Curl version 7.88 +Curl version 8.0.1 +Following steps will replace the existing versions of OpenSSL and Curl from the system. If you want to keep the existing versions then use [Installation-Script](../utils/install_openssl_curl.sh) script to install Openssl and Curl at a different location. +> ***NOTE***: [Installation-Script](../utils/install_openssl_curl.sh) will install OpenSSL and Curl at /opt/ by default. To provide different path, modify these variables in the script +> OPENSSL_ROOT=/opt/openssl +> CURL_ROOT=/opt/curl +> +**Script usage command** + +* Command to install OpenSSL and Curl + ``` + sudo ./install_openssl_curl.sh -i -v 3.0.8 + ``` #### Steps to remove the older curl packages 1. If curl and libcurl are already installed, uninstall it: 
@@ -46,19 +59,19 @@ Curl version 7.88 yum remove curl libcurl-devel ``` -#### Steps to Upgrade the OpenSSL* Toolkit to Version 1.1.1t +#### Steps to Upgrade the OpenSSL* Toolkit to Version 3.0.8 1. Pull the tarball: ``` - wget https://www.openssl.org/source/openssl-1.1.1t.tar.gz + wget https://www.openssl.org/source/openssl-3.0.8.tar.gz ``` 2. Unpack the tarball with: ``` - tar -zxf openssl-1.1.1t.tar.gz && cd openssl-1.1.1t + tar -zxf openssl-3.0.8.tar.gz && cd openssl-3.0.8 ``` 3. Issue the command: ``` - ./config + ./config --libdir=/usr/local/lib ``` 4. Issue the command: ``` @@ -83,6 +96,7 @@ Curl version 7.88 ``` 9. Run the command to update symlinks and rebuild the library cache: ``` + grep -qxF '/usr/local/lib/' /etc/ld.so.conf.d/libc.conf || echo /usr/local/lib/ | sudo tee -a /etc/ld.so.conf.d/libc.conf sudo ldconfig ``` 10. Assuming no errors in executing steps 4 through 10, you should have successfully installed the new version of the OpenSSL* toolkit. @@ -92,20 +106,20 @@ Issue the following command from the terminal: ``` Your output should be as follows: ``` - OpenSSL* 1.1.1t 7 Feb 2023 + OpenSSL* 3.0.8 7 Feb 2023 ``` -#### Steps to install curl version 7.88 configured with openssl +#### Steps to install curl version 8.0.1 configured with openssl After installing openssl, proceed with the installation of curl. 1. Pull the tarball: ``` - wget https://github.com/curl/curl/releases/download/curl-7_88_0/curl-7.88.0.tar.gz + wget https://curl.se/download/curl-8.0.1.tar.gz ``` 2. Unpack the tarball with: ``` - tar -zxf curl-7.88.0.tar.gz && cd curl-7.88.0 + tar -zxf curl-8.0.1.tar.gz && cd curl-8.0.1 ``` 3. Issue the command to configure the curl with openssl: ``` 
@@ -128,39 +142,39 @@ Issue the following command from the terminal: ``` Your output should point to the openssl version which you installed. ``` - curl 7.88.0 (x86_64-pc-linux-gnu) libcurl/7.88.0 OpenSSL/1.1.1t zlib/1.2.11 + curl 8.0.1 (x86_64-pc-linux-gnu) libcurl/8.0.1 OpenSSL/3.0.8 zlib/1.2.11 ``` Alternatively, execute [Installation-Script](../utils/install_openssl_curl.sh) which can be used for both installation and uninstallation of OpenSSL and Curl. +> ***NOTE***: [Installation-Script](../utils/install_openssl_curl.sh) will install OpenSSL and Curl to /opt/ by default. To provide different path, modify these variables in the script +> OPENSSL_ROOT=/opt/openssl +> CURL_ROOT=/opt/curl + **Script usage command** * Command to install OpenSSL and Curl ``` - sudo ./install_openssl_curl.sh -i -v 1.1.1t + sudo ./install_openssl_curl.sh -i -v 3.0.8 ``` * Command to uninstall OpenSSL ``` - sudo ./install_openssl_curl.sh -u -v 1.1.1t - ``` -Note 1: If above command is not successful, then link the path where curl is installed to the system path - ``` - sudo ln -s /usr/local/bin/curl /usr/bin/curl + sudo ./install_openssl_curl.sh -u -v 3.0.8 ``` -Note 2: If you are using no_proxy environment variable to exclude proxying for any FDO server IP addresses along with curl 7.88 in your setup, ensure to use CIDR notation (https://datatracker.ietf.org/doc/html/rfc1519) as given in below examples. +Note 1: If you are using no_proxy environment variable to exclude proxying for any FDO server IP addresses along with curl 8.0.1 in your setup, ensure to use CIDR notation (https://datatracker.ietf.org/doc/html/rfc1519) as given in below examples. 
Single IP address example: no_proxy="10.60.132.45/32" Two IP addresses example: no_proxy="10.60.132.45/32,10.60.132.46/32" Range of IP addresses example: no_proxy="10.60.0.0/16" -Note 3: On RHEL, Curl could also be installed using yum package manager as shown below: +Note 2: On RHEL, Curl could also be installed using yum package manager as shown below: ``` sudo yum -y install libcurl-devel ``` ## 3. Compiling Intel safestringlib -FDO Client SDK uses safestringlib for string and memory operations to prevent serious security vulnerabilities (For example, buffer overflows). Download safestringlib from intel-safestringlib and follow these instructions to build: +FDO Client SDK uses safestringlib for string and memory operations to prevent serious security vulnerabilities (For example, buffer overflows). Download safestringlib from intel-safestringlib, checkout to the tag `v1.2.0` and follow these instructions to build: From the root of the safestringlib, do the following: ```shell mkdir obj @@ -169,7 +183,7 @@ From the root of the safestringlib, do the following: After this step, `libsafestring.a` library will be created. ## 4. Compiling Intel TinyCBOR -FDO Client SDK uses TinyCBOR library for Concise Binary Object Representation (CBOR) encoding and decoding. Download TinyCBOR from TinyCBOR, checkout to the tag `v0.5.3` and follow these instructions to build: +FDO Client SDK uses TinyCBOR library for Concise Binary Object Representation (CBOR) encoding and decoding. Download TinyCBOR from TinyCBOR, checkout to the tag `v0.6.0` and follow these instructions to build: From the root of the TinyCBOR (named `tinycbor`), do the following: ```shell make 
@@ -185,8 +199,10 @@ From the root of the METEE(named `metee`), do the following: ## 6. Environment Variables Add these environment variables to ~/.bashrc or similar (replace with actual paths). -Provide safestringlib and tinycbor paths: +Provide OpenSSL, Curl, safestringlib, tinycbor and metee paths: ```shell +export OPENSSL3_ROOT=path/to/openssl (can be /usr or /usr/local or default provide /opt/openssl) +export CURL_ROOT=path/to/curl (can be /usr or /usr/local or default provide /opt/curl) export SAFESTRING_ROOT=path/to/safestringlib export TINYCBOR_ROOT=path/to/tinycbor export METEE_ROOT=path/to/metee diff --git a/docs/linux.md b/docs/linux.md index d3bdbf1c..117ee8cc 100644 --- a/docs/linux.md +++ b/docs/linux.md @@ -1,16 +1,19 @@ + + + # Linux* OS The development and execution OS used was `Ubuntu* OS version 20.04 or 22.04 / RHEL* OS version 8.4 or 8.6 / Debian 11.4` on x86. Follow these steps to compile and execute FIDO Device Onboard (FDO). -The FDO Client SDK execution depends on OpenSSL* toolkit 1.1.1s version. Users must install or upgrade the toolkit before compilation if the toolkit is not available by default in the environment. +The FDO Client SDK execution depends on OpenSSL* toolkit 3.0.8 version. Users must install or upgrade the toolkit before compilation if the toolkit is not available by default in the environment. ## 1. Packages Requirements when Building Binaries: * For Ubuntu* OS version 20.04 or 22.04 / Debian 11.4: ```shell sudo apt-get install build-essential python-setuptools clang-format dos2unix ruby build-essential \ - libglib2.0-dev libpcap-dev autoconf libtool libproxy-dev doxygen cmake libssl-dev mercurial + libglib2.0-dev libpcap-dev autoconf libtool libproxy-dev doxygen cmake mercurial ``` * For RHEL* OS version 8.4 or 8.6: 
@@ -19,40 +22,57 @@ sudo subscription-manager repos --enable codeready-builder-for-rhel-8-x86_64-rpm sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm ``` ``` -sudo yum -y install gcc gcc-c++ python3-setuptools git-clang-format dos2unix ruby gcc gcc-c++ make perl glibc-static \ - glib2-devel libpcap-devel autoconf libtool libproxy-devel mozjs52-devel doxygen cmake openssl-devel make mercurial perl +sudo yum -y install gcc gcc-c++ python3-setuptools git-clang-format dos2unix ruby perl glibc-static \ + glib2-devel libpcap-devel autoconf libtool libproxy-devel mozjs52-devel doxygen cmake make mercurial perl ``` ## 2. Packages Requirements when Executing Binaries: -OpenSSL* toolkit version 1.1.1s +OpenSSL* toolkit version 3.0.8 GCC version > 7.5 -Curl version 7.86 +Curl version 8.0.1 + +Following steps will replace the existing versions of OpenSSL and Curl from the system. If you want to keep the existing versions then use [Installation-Script](../utils/install_openssl_curl.sh) script to install Openssl and Curl at a different location. +> ***NOTE***: [Installation-Script](../utils/install_openssl_curl.sh) will install OpenSSL and Curl at /opt/ by default. To provide different path, modify these variables in the script +> OPENSSL_ROOT=/opt/openssl +> CURL_ROOT=/opt/curl +> +**Script usage command** + +* Command to install OpenSSL and Curl + ``` + sudo ./install_openssl_curl.sh -i -v 3.0.8 + ``` + +#### Steps to remove the older OpenSSL and curl packages -#### Steps to remove the older curl packages +1. If libssl-dev, curl and libcurl are installed, uninstall it: -1. 
If curl and libcurl are already installed, uninstall it: ``` + sudo apt-get remove --auto-remove libssl-dev + sudo apt-get remove --auto-remove libssl-dev:i386 sudo apt remove curl libcurl4-openssl-dev ``` In case of RHEL OS, use below commands to uninstall: + ``` - yum remove curl libcurl-devel + sudo yum remove libcurl-devel openssl-devel ``` - -#### Steps to Upgrade the OpenSSL* Toolkit to Version 1.1.1s + +#### Steps to Upgrade the OpenSSL* Toolkit to Version 3.0.8 1. Pull the tarball: ``` - wget https://www.openssl.org/source/openssl-1.1.1s.tar.gz + wget https://www.openssl.org/source/openssl-3.0.8.tar.gz ``` 2. Unpack the tarball with: ``` - tar -zxf openssl-1.1.1s.tar.gz && cd openssl-1.1.1s + tar -zxf openssl-3.0.8.tar.gz && cd openssl-3.0.8 ``` 3. Issue the command: ``` - ./config + ./config --libdir=/usr/local/lib ``` + 4. Issue the command: ``` make @@ -76,6 +96,7 @@ Curl version 7.86 ``` 9. Run the command to update symlinks and rebuild the library cache: ``` + grep -qxF '/usr/local/lib/' /etc/ld.so.conf.d/libc.conf || echo /usr/local/lib/ | sudo tee -a /etc/ld.so.conf.d/libc.conf sudo ldconfig ``` 10. Assuming no errors in executing steps 4 through 10, you should have successfully installed the new version of the OpenSSL* toolkit. 
@@ -85,24 +106,24 @@ Issue the following command from the terminal: ``` Your output should be as follows: ``` - OpenSSL* 1.1.1s 1 Nov 2022 + OpenSSL* 3.0.8 7 Feb 2023 ``` -#### Steps to install curl version 7.86 configured with openssl +#### Steps to install curl version 8.0.1 configured with openssl After installing openssl, proceed with the installation of curl. 1. Pull the tarball: ``` - wget https://github.com/curl/curl/releases/download/curl-7_86_0/curl-7.86.0.tar.gz + wget https://curl.se/download/curl-8.0.1.tar.gz ``` 2. Unpack the tarball with: ``` - tar -zxf curl-7.86.0.tar.gz && cd curl-7.86.0 + tar -zxf curl-8.0.1.tar.gz && cd curl-8.0.1 ``` 3. Issue the command to configure the curl with openssl: ``` - ./configure --with-openssl --enable-versioned-symbols + ./configure --with-openssl="OpenSSL Path" --enable-versioned-symbols ``` 4. Issue the command to build curl: ``` 
@@ -121,27 +142,22 @@ Issue the following command from the terminal: ``` Your output should point to the openssl version which you installed. ``` - curl 7.86.0 (x86_64-pc-linux-gnu) libcurl/7.86.0 OpenSSL/1.1.1s zlib/1.2.11 + curl 8.0.1 (x86_64-pc-linux-gnu) libcurl/8.0.1 OpenSSL/3.0.8 zlib/1.2.11 ``` -Note 1: If above command is not successful, then link the path where curl is installed to the system path - ``` - sudo ln -s /usr/local/bin/curl /usr/bin/curl - ``` - -Note 2: If you are using no_proxy environment variable to exclude proxying for any FDO server IP addresses along with curl 7.86 in your setup, ensure to use CIDR notation (https://datatracker.ietf.org/doc/html/rfc1519) as given in below examples. +Note 1: If you are using no_proxy environment variable to exclude proxying for any FDO server IP addresses along with curl 8.0.1 in your setup, ensure to use CIDR notation (https://datatracker.ietf.org/doc/html/rfc1519) as given in below examples. Single IP address example: no_proxy="10.60.132.45/32" Two IP addresses example: no_proxy="10.60.132.45/32,10.60.132.46/32" Range of IP addresses example: no_proxy="10.60.0.0/16" -Note 3: On RHEL, Curl could also be installed using yum package manager as shown below: +Note 2: On RHEL, Curl could also be installed using yum package manager as shown below: ``` sudo yum -y install libcurl-devel ``` ## 3. Compiling Intel safestringlib -FDO Client SDK uses safestringlib for string and memory operations to prevent serious security vulnerabilities (For example, buffer overflows). Download safestringlib from intel-safestringlib and follow these instructions to build: +FDO Client SDK uses safestringlib for string and memory operations to prevent serious security vulnerabilities (For example, buffer overflows). Download safestringlib from intel-safestringlib, checkout to the tag `v1.2.0` and follow these instructions to build: From the root of the safestringlib, do the following: ```shell mkdir obj 
@@ -150,7 +166,7 @@ From the root of the safestringlib, do the following: After this step, `libsafestring.a` library will be created. ## 4. Compiling Intel TinyCBOR -FDO Client SDK uses TinyCBOR library for Concise Binary Object Representation (CBOR) encoding and decoding. Download TinyCBOR from TinyCBOR, checkout to the tag `v0.5.3` and follow these instructions to build: +FDO Client SDK uses TinyCBOR library for Concise Binary Object Representation (CBOR) encoding and decoding. Download TinyCBOR from TinyCBOR, checkout to the tag `v0.6.0` and follow these instructions to build: From the root of the TinyCBOR (named `tinycbor`), do the following: ```shell make @@ -158,8 +174,10 @@ From the root of the TinyCBOR (named `tinycbor`), do the following: ## 5. Environment Variables Add these environment variables to ~/.bashrc or similar (replace with actual paths). -Provide safestringlib and tinycbor paths: +Provide OpenSSL, Curl, safestringlib and tinycbor paths: ```shell +export OPENSSL3_ROOT=path/to/openssl (can be /usr or /usr/local or default provide /opt/openssl) +export CURL_ROOT=path/to/curl (can be /usr or /usr/local or default provide /opt/curl) export SAFESTRING_ROOT=path/to/safestringlib export TINYCBOR_ROOT=path/to/tinycbor ``` @@ -176,6 +194,9 @@ cmake . make bash utils/keys_gen.sh . ``` +> ***NOTE***: [Keys_Gen](../utils/keys_gen.sh) script will use OpenSSL from `/opt/` by default. To provide a different path, use `which openssl` command to get the exact path of OpenSSL and modify this variable in the script +> OPENSSL3_BIN=/opt/openssl/bin (can be /usr/bin or /usr/local/bin) +> Several other options to choose when building the device are, but not limited to, the following: device-attestation (DA) methods, Advanced Encryption Standard (AES) encryption modes (AES_MODE), and underlying cryptography library to use (TLS). Refer to the section. [FDO Build configurations](build_conf.md) 
@@ -207,12 +228,3 @@ After a successful compilation, the FDO Client SDK Linux device executable can b ```shell ./build/linux-client ``` -- If the client-sdk binary is built on openssl 1.1.1s environment and then executed with openssl 3 environment, it may fail with "libssl.so.1.1 not found" error. In order to successfully execute it, build the specific 1.1.1 version dependent libraries and make it available as well: -``` - wget https://www.openssl.org/source/openssl-1.1.1s.tar.gz - tar -zxf openssl-1.1.1s.tar.gz && cd openssl-1.1.1s - ./config - make - cp libssl.so.1.1 /usr/lib/x86_64-linux-gnu/ - cp libcrypto.so.1.1 /usr/lib/x86_64-linux-gnu/ -``` diff --git a/docs/tpm.md b/docs/tpm.md index 42c58d82..73fc31c6 100644 --- a/docs/tpm.md +++ b/docs/tpm.md @@ -2,11 +2,14 @@ + + + # Linux* TPM* Implementation `Ubuntu* OS version 20.04 or 22.04 / RHEL* OS version 8.4 or 8.6 / Debian 11.4` on x86 was used as a development and execution OS. Follow these steps to compile and execute FIDO Device Onboard (FDO). -The FDO Client SDK execution depends on OpenSSL* toolkit 1.1.1s version. Users must install or upgrade the toolkit before compilation if the toolkit is not available by default in the environment. +The FDO Client SDK execution depends on OpenSSL* toolkit 3.0.8 version. Users must install or upgrade the toolkit before compilation if the toolkit is not available by default in the environment. ## 1. Packages Requirements when Building Binaries with TPM* 2.0: 
@@ -22,14 +25,26 @@ sudo subscription-manager repos --enable codeready-builder-for-rhel-8-x86_64-rpm sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm ``` ``` -sudo yum -y install gcc gcc-c++ python3-setuptools git-clang-format dos2unix ruby gcc gcc-c++ make perl glibc-static \ +sudo yum -y install gcc gcc-c++ python3-setuptools git-clang-format dos2unix ruby perl glibc-static \ glib2-devel libpcap-devel autoconf libtool libproxy-devel mozjs52-devel doxygen cmake make mercurial perl ``` -OpenSSL* toolkit version 1.1.1s. -Curl version 7.86 +OpenSSL* toolkit version 3.0.8. +Curl version 8.0.1 + +#### Steps to Upgrade the OpenSSL* Toolkit to Version 3.0.8 -#### Steps to Upgrade the OpenSSL* Toolkit to Version 1.1.1s +Following steps will replace the existing versions of OpenSSL and Curl from the system. If you want to keep the existing versions then use [Installation-Script](../utils/install_openssl_curl.sh) script to install Openssl and Curl at a different location. +> ***NOTE***: [Installation-Script](../utils/install_openssl_curl.sh) will install OpenSSL and Curl at /opt/ by default. To provide different path, modify these variables in the script +> OPENSSL_ROOT=/opt/openssl +> CURL_ROOT=/opt/curl +> +**Script usage command** + +* Command to install OpenSSL and Curl + ``` + sudo ./install_openssl_curl.sh -i -v 3.0.8 + ``` 1. If libssl-dev, curl and libcurl are installed, uninstall it: @@ -45,15 +60,15 @@ Curl version 7.86 ``` 2. Pull the tarball: ``` - wget https://www.openssl.org/source/openssl-1.1.1s.tar.gz + wget https://www.openssl.org/source/openssl-3.0.8.tar.gz ``` 3. Unpack the tarball with: ``` - tar -zxf openssl-1.1.1s.tar.gz && cd openssl-1.1.1s + tar -zxf openssl-3.0.8.tar.gz && cd openssl-3.0.8 ``` 4. Issue the command: ``` - ./config + ./config --libdir=/usr/local/lib ``` 5. Issue the command: ``` 
@@ -78,6 +93,7 @@ Curl version 7.86 ``` 10. Run the command to update symlinks and rebuild the library cache: ``` + grep -qxF '/usr/local/lib/' /etc/ld.so.conf.d/libc.conf || echo /usr/local/lib/ | sudo tee -a /etc/ld.so.conf.d/libc.conf sudo ldconfig ``` 11. Assuming no errors in executing steps 4 through 10, you should have successfully installed the new version of the OpenSSL* toolkit. @@ -87,24 +103,24 @@ Issue the following command from the terminal: ``` Your output should be as follows: ``` - OpenSSL* 1.1.1s 1 Nov 2022 + OpenSSL* 3.0.8 7 Feb 2023 ``` -#### Steps to install curl version 7.86 configured with openssl +#### Steps to install curl version 8.0.1 configured with openssl After installing openssl, proceed with the installation of curl. 1. Pull the tarball: ``` - wget https://github.com/curl/curl/releases/download/curl-7_86_0/curl-7.86.0.tar.gz + wget https://curl.se/download/curl-8.0.1.tar.gz ``` 2. Unpack the tarball with: ``` - tar -zxf curl-7.86.0.tar.gz && cd curl-7.86.0 + tar -zxf curl-8.0.1.tar.gz && cd curl-8.0.1 ``` 3. Issue the command to configure the curl with openssl: ``` - ./configure --with-openssl --enable-versioned-symbols + ./configure --with-openssl="OpenSSL Path" --enable-versioned-symbols ``` 4. Issue the command to build curl: ``` 
@@ -123,20 +139,16 @@ Issue the following command from the terminal: ``` Your output should point to the openssl version which you installed. ``` - curl 7.86.0 (x86_64-pc-linux-gnu) libcurl/7.86.0 OpenSSL/1.1.1s zlib/1.2.11 + curl 8.0.1 (x86_64-pc-linux-gnu) libcurl/8.0.1 OpenSSL/3.0.8 zlib/1.2.11 ``` -Note 1: If above command is not successful, then link the path where curl is installed to the system path - ``` - sudo ln -s /usr/local/bin/curl /usr/bin/curl - ``` -Note 2: If you are using no_proxy environment variable to exclude proxying for any FDO server IP addresses, it may not work with curl 7.86. Workaround for this is to ensure the no_proxy IP is specified in CIDR notation (https://datatracker.ietf.org/doc/html/rfc1519) +Note 1: If you are using no_proxy environment variable to exclude proxying for any FDO server IP addresses, it may not work with curl 8.0.1. Workaround for this is to ensure the no_proxy IP is specified in CIDR notation (https://datatracker.ietf.org/doc/html/rfc1519) Single IP address example: no_proxy="10.60.132.45/32" Two IP addresses example: no_proxy="10.60.132.45/32,10.60.132.46/32" Range of IP addresses example: no_proxy="10.60.0.0/16" -Note 3: On RHEL, Curl could also be installed using yum package manager as shown below: +Note 2: On RHEL, Curl could also be installed using yum package manager as shown below: ``` sudo yum -y install libcurl-devel ``` 
@@ -144,15 +156,15 @@ Note 3: On RHEL, Curl could also be installed using yum package manager as shown ## 2. TPM* Library Installation -TPM* enabled FDO Client SDK uses TPM-TSS 3.0.3, TPM2-ABRMD 2.4.0, and TPM2-TOOLS 5.0 libraries for key and cryptography related operations. The TPM-TSS library is required for compiling the code while all 3 libraries are required for running the code. Create an empty directory, download and execute FDO TPM* [TPM-Library-Installation-Script](../utils/install_tpm_libs.sh) which can be used for both installation and uninstallation of TPM* libraries. Alternatively, perform steps listed in section 2.1 to setup TPM* library without using the TPM* [TPM-Library-Installation-Script](../utils/install_tpm_libs.sh). +TPM* enabled FDO Client SDK uses TPM-TSS 4.0.1, TPM2-ABRMD 3.0.0, and TPM2-TOOLS 5.5 libraries for key and cryptography related operations. The TPM-TSS library is required for compiling the code while all 3 libraries are required for running the code. Create an empty directory, download and execute FDO TPM* [TPM-Library-Installation-Script](../utils/install_tpm_libs.sh) which can be used for both installation and uninstallation of TPM* libraries. Alternatively, perform steps listed in section 2.1 to setup TPM* library without using the TPM* [TPM-Library-Installation-Script](../utils/install_tpm_libs.sh). To compile and execute TPM* enabled FDO Client SDK use one of the appropriate commands: **Script usage command** * **On Ubuntu OS version 20.04 or 22.04 / Debian 11.4:** -```shell -sudo ./install_tpm_libs.sh -h -``` + ```shell + sudo ./install_tpm_libs.sh -h + ``` * TPM-TSS library setup to enable TPM* enabled FDO Client SDK code compilation 
@@ -204,64 +216,69 @@ sudo ./install_tpm_libs_rhel.sh -h ``` sudo ./install_tpm_libs_rhel.sh -u ``` +> ***NOTE***: [TPM-Library-Installation-Script](../utils/install_tpm_libs.sh) will use OpenSSL and Curl from /opt/ by default. If you have installed OpenSSL and Curl other than `/opt` path, use `openssl version -a` and `which curl` commands to get the exact path of OpenSSL and Curl and modify these variables in the script +> OPENSSL3_INCLUDE=/opt/openssl/include (can be /usr/include or /usr/local/include) +> CURL_INCLUDE=/opt/curl/include (can be /usr/include or /usr/local/include) +> OPENSSL3_LIB=/opt/openssl/lib64 (can be /usr/lib or /usr/local/lib or /usr/lib/x86_64-linux-gnu) +> CURL_LIB=/opt/curl/lib (can be /usr/lib or /usr/local/lib or /usr/lib/x86_64-linux-gnu) ### 2.1 Building and Installing Libraries for Trusted Platform Module (TPM*) Following steps should be performed if FDO TPM* [TPM-Library-Installation-Script](../utils/install_tpm_libs.sh) script is not used to setup FDO TPM* libraries. Install only tpm2-tss library to enable TPM* enabled FDO Client SDK code compilation. To enable compilation and execution of TPM* enabled FDO Client SDK code, install all libraries namely: tpm2-tss, tpm2-abrmd, tpm2-tools, and tpm2-tss-engine. -- tpm2-tss-3.0.3 +- tpm2-tss-4.0.1 - This is the main library that creates commands per Trusted Computing Group (TCG) specification to use the TPM*. It uses release version 3.0.3 of the library. + This is the main library that creates commands per Trusted Computing Group (TCG) specification to use the TPM*. It uses release version 4.0.1 of the library. 
- Source Code - The library can be downloaded from [tpm2-tss-3.0.3-download](https://github.com/tpm2-software/tpm2-tss/releases/download/3.0.3/tpm2-tss-3.0.3.tar.gz) + The library can be downloaded from [tpm2-tss-4.0.1-download](https://github.com/tpm2-software/tpm2-tss/releases/download/4.0.1/tpm2-tss-4.0.1.tar.gz) - Build and Installation Process - The build and installation process can be found at [tpm2-tss-3.0.3-install](https://github.com/tpm2-software/tpm2-tss/blob/2.3.x/INSTALL.md) + The build and installation process can be found at [tpm2-tss-4.0.1-install](https://github.com/tpm2-software/tpm2-tss/blob/4.0.1/INSTALL.md) -- tpm2-abrmd-2.4.0 +- tpm2-abrmd-3.0.0 - This is an optional but recommended library (daemon) to use TPM* in the device. This daemon will act as a resource manager for the TPM*, for all I/O calls that happen with the device. It uses release version 2.4.0 of the library. + This is an optional but recommended library (daemon) to use TPM* in the device. This daemon will act as a resource manager for the TPM*, for all I/O calls that happen with the device. It uses release version 3.0.0 of the library. - Source Code - The library can be downloaded from [tpm2-abrmd-2.4.0-download](https://github.com/tpm2-software/tpm2-abrmd/releases/download/2.4.0/tpm2-abrmd-2.4.0.tar.gz) + The library can be downloaded from [tpm2-abrmd-3.0.0-download](https://github.com/tpm2-software/tpm2-abrmd/releases/download/3.0.0/tpm2-abrmd-3.0.0.tar.gz) Alternatively, the in-kernel RM /dev/tpmrm0 can be used. Please see section on Compiling FDO. 
- Build and Installation Process - The build and installation process found at [tpm2-abrmd-2.4.0-install](https://github.com/tpm2-software/tpm2-abrmd/blob/master/INSTALL.md) + The build and installation process found at [tpm2-abrmd-3.0.0-install](https://github.com/tpm2-software/tpm2-abrmd/blob/master/INSTALL.md) -- tpm2-tools-5.0 +- tpm2-tools-5.5 - This library provides the necessary tools to interact and perform operations using the TPM*, to the users. It uses release version 5.0 of the library. + This library provides the necessary tools to interact and perform operations using the TPM*, to the users. It uses release version 5.5 of the library. - Source Code - The library can be downloaded from [tpm2-tools-5.0-download](https://github.com/tpm2-software/tpm2-tools/releases/download/5.0/tpm2-tools-5.0.tar.gz) + The library can be downloaded from [tpm2-tools-5.5-download](https://github.com/tpm2-software/tpm2-tools/releases/download/5.5/tpm2-tools-5.5.tar.gz) - Build and Installation Process - The build and installation process can be found at [tpm2-tools-5.0-install](https://github.com/tpm2-software/tpm2-tools/blob/4.0.X/INSTALL.md) + The build and installation process can be found at [tpm2-tools-5.5-install](https://github.com/tpm2-software/tpm2-tools/blob/4.0.X/INSTALL.md) -- tpm2-tss-engine-1.1.0 +- tpm2-openssl-1.1.1 - This library provides the OpenSSL* engine, which performs the OpenSSL* cryptography operation using the keys inside the TPM*. It uses release version 1.1.0 of the library. + This library implements a provider that integrates the TPM 2.0 operations to the OpenSSL 3.0 to perform the OpenSSL* cryptography operation using the keys inside the TPM*. It uses release version 1.1.1 of the library. 
- Source Code - The library can be downloaded from [tpm2-tss-engine-download](https://github.com/tpm2-software/tpm2-tss-engine/archive/v1.1.0.zip) + The library can be downloaded from [tpm2-openssl-download](https://github.com/tpm2-software/tpm2-openssl/releases/download/1.1.1/tpm2-openssl-1.1.1.tar.gz) - Build and Installation Process - The build and installation process can be found at [tpm2-tss-engine-install](https://github.com/tpm2-software/tpm2-tss-engine/blob/v1.1.0/INSTALL.md) + The build and installation process can be found at [tpm2-openssl](https://github.com/tpm2-software/tpm2-openssl/blob/master/docs/INSTALL.md) ## 3. Compiling Intel safestringlib -FDO Client SDK uses safestringlib for string and memory operations to prevent serious security vulnerabilities (For example, buffer overflows). Download safestringlib from intel-safestringlib and follow these instructions to build: +FDO Client SDK uses safestringlib for string and memory operations to prevent serious security vulnerabilities (For example, buffer overflows). Download safestringlib from intel-safestringlib, checkout to the tag `v1.2.0` and follow these instructions to build: From the root of the safestringlib, do the following: ```shell mkdir obj @@ -270,7 +287,7 @@ From the root of the safestringlib, do the following: After this step, `libsafestring.a` library will be created. ## 4. Compiling Intel TinyCBOR -FDO Client SDK uses TinyCBOR library for Concise Binary Object Representation (CBOR) encoding and decoding. Download TinyCBOR from TinyCBOR, checkout to the tag `v0.5.3` and follow these instructions to build: +FDO Client SDK uses TinyCBOR library for Concise Binary Object Representation (CBOR) encoding and decoding. Download TinyCBOR from TinyCBOR, checkout to the tag `v0.6.0` and follow these instructions to build: From the root of the TinyCBOR (named `tinycbor`), do the following: ```shell make 
@@ -279,8 +296,10 @@ From the root of the TinyCBOR (named `tinycbor`), do the following: ## 5. Environment Variables Add these environment variables to ~/.bashrc or similar (replace with actual paths). -Provide safestringlib and tinycbor path: +Provide OpenSSL, Curl, safestringlib and tinycbor paths: ```shell +export OPENSSL3_ROOT=path/to/openssl (can be /usr or /usr/local or default provide /opt/openssl) +export CURL_ROOT=path/to/curl (can be /usr or /usr/local or default provide /opt/curl) export SAFESTRING_ROOT=path/to/safestringlib export TINYCBOR_ROOT=path/to/tinycbor ``` @@ -331,9 +350,11 @@ After a successful compilation, the FDO Client SDK Linux device executable can b Script execution command: ```shell - ./tpm_make_ready_ecdsa.sh -e -p + sudo ./tpm_make_ready_ecdsa.sh -e -p ``` - +> ***NOTE***: [TPM Make Ready](../utils/tpm_make_ready_ecdsa.sh) script will use OpenSSL from `/opt/` by default. To provide a different path, use `which openssl` command to get the exact path of OpenSSL and modify this variable in the script +> OPENSSL3_BIN=/opt/openssl/bin (can be /usr/bin or /usr/local/bin) +> - Once the TPM* make ready script is executed successfully, the device is now initialized with the credentials and is ready for ownership transfer. To run the device against the FDO PRI Manufacturer for the DI protocol, do the following: ```shell ./build/linux-client @@ -346,8 +367,9 @@ After a successful compilation, the FDO Client SDK Linux device executable can b ```shell ./build/linux-client ``` +> ***NOTE***: linux-client may require elevated privileges. Please use 'sudo' to execute. + -> ***NOTE***: If the `linux-client` was built with flag TPM2_TCTI_TYPE=tpmrm0, running the it along with tpm_make_ready_ecdsa.sh, may require elevated privileges. Please use 'sudo' to execute. ### 7.1 Prepare FDO Client SDK Data Folder 
@@ -356,32 +378,32 @@ After a successful compilation, the FDO Client SDK Linux device executable can b Find a persistent storage index that is unused in the TPM* and note it down. It usually starts from 0x81000000. To see the indexes that are already being used, use the following command. FDO uses the 0x81000001 index for the following command examples. ```shell - tpm2_getcap handles-persistent + sudo tpm2_getcap handles-persistent ``` - Primary Key Generation from Endorsement Hierarchy ```shell - tpm2_createprimary -C e -g sha256 -G ecc256:aes128cfb -c data/tpm_primary_key.ctx -V + sudo tpm2_createprimary -C e -g sha256 -G ecc256:aes128cfb -c data/tpm_primary_key.ctx -V ``` - Load the Primary Key into TPM* Persistent Memory ```shell - tpm2_evictcontrol -C o 0x81000001 -c data/tpm_primary_key.ctx -V + sudo tpm2_evictcontrol -C o 0x81000001 -c data/tpm_primary_key.ctx -V ``` - Device ECDSA Key-Pair Generation ```shell - tpm2tss-genkey -a ecdsa -c nist_p256 data/tpm_ecdsa_priv_pub_blob.key -v -P 0x81000001 + sudo tpm2tss-genkey -a ecdsa -c nist_p256 data/tpm_ecdsa_priv_pub_blob.key -v -P 0x81000001 ``` - Generate Device MString ```shell - export OPENSSL_ENGINES=/usr/local/lib/engines-1.1/; openssl req -new -engine tpm2tss -keyform engine -out data/device_mstring -key data/tpm_ecdsa_priv_pub_blob.key -subj "/CN=www.fdoDevice1.intel.com" -verbose; truncate -s -1 data/device_mstring; echo -n "13" > /tmp/m_string.txt; truncate -s +1 /tmp/m_string.txt; echo -n "intel-1234" >> /tmp/m_string.txt; truncate -s +1 /tmp/m_string.txt; echo -n "model-123456" >> /tmp/m_string.txt; truncate -s +1 /tmp/m_string.txt; cat data/device_mstring >> /tmp/m_string.txt; base64 -w 0 /tmp/m_string.txt > data/device_mstring; rm -f /tmp/m_string.txt + sudo openssl req -new -provider tpm2 -provider default -out data/device_mstring -key data/tpm_ecdsa_priv_pub_blob.key -subj "/CN=www.fdoDevice1.intel.com" -verbose; truncate -s -1 data/device_mstring; echo -n "13" > /tmp/m_string.txt; truncate -s 
+1 /tmp/m_string.txt; echo -n "intel-1234" >> /tmp/m_string.txt; truncate -s +1 /tmp/m_string.txt; echo -n "model-123456" >> /tmp/m_string.txt; truncate -s +1 /tmp/m_string.txt; cat data/device_mstring >> /tmp/m_string.txt; base64 -w 0 /tmp/m_string.txt > data/device_mstring; rm -f /tmp/m_string.txt ``` ## 8. Troubleshooting Details @@ -395,16 +417,16 @@ Use the tpm2_evictcontrol command to delete the content or clear TPM* from the B Assuming that the index is 0x81000001, run the following command to delete the keys. ```shell - tpm2_evictcontrol -C o -c 0x81000001 -V + sudo tpm2_evictcontrol -C o -c 0x81000001 -V ``` - OpenSSL* Toolkit Library Linking Related Error While Building FDO Client SDK.
- There is a dependency on the OpenSSL* toolkit version 1.1.1s for building and running the FDO Client SDK. + There is a dependency on the OpenSSL* toolkit version 3.0.8 for building and running the FDO Client SDK. Check the version of the OpenSSL* toolkit installed in your machine with the command ```shell openssl version ``` - If the OpenSSL* toolkit version in your machine is earlier than version 1.1.1s, follow the steps given in section 1 to update the OpenSSL* version to 1.1.1s. + If the OpenSSL* toolkit version in your machine is earlier than version 3.0.8, follow the steps given in section 1 to update the OpenSSL* version to 3.0.8. diff --git a/tests/unit/CMakeLists.txt b/tests/unit/CMakeLists.txt index 1bfa14ea..33c10156 100644 --- a/tests/unit/CMakeLists.txt +++ b/tests/unit/CMakeLists.txt @@ -31,14 +31,14 @@ set (UNIT_TEST_SOURCES test_fdotypes.c test_fdonet.c test_credentials.c - test_cryptoSupport.c + #test_cryptoSupport.c test_bn_support.c test_utils.c test_cryptoUtils.c test_AESRoutines.c test_protctx.c test_SSLRoutines.c - test_ECDSASignRoutines.c + #test_ECDSASignRoutines.c test_fdoblockio.c ) diff --git a/tests/unit/test_ECDSASignRoutines.c b/tests/unit/test_ECDSASignRoutines.c index ff75a721..ca8d7ed0 100644 --- a/tests/unit/test_ECDSASignRoutines.c +++ b/tests/unit/test_ECDSASignRoutines.c @@ -12,6 +12,7 @@ #include "fdoCryptoHal.h" #include "storage_al.h" #include "unity.h" +#include "openssl/core_names.h" //#define HEXDEBUG 1 @@ -72,7 +73,7 @@ static void dump_pubkey(const char *title, void *ctx) #if defined(USE_OPENSSL) uint8_t *pub_copy = buf; - EC_KEY *eckey = (EC_KEY *)ctx; + EVP_PKEY *eckey = (EVP_PKEY *)ctx; len = i2o_ECPublicKey(eckey, NULL); /* pub_copy is required, because i2o_ECPublicKey alters the input 
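Review bot: Commenting out `test_cryptoSupport.c` and `test_ECDSASignRoutines.c` in `UNIT_TEST_SOURCES` drops the unit coverage for device signing and ECDSA sign/verify, and nothing in the hunk records why or when the entries come back. The next file section in this patch edits `test_ECDSASignRoutines.c`, so those edits are no longer compiled by this target and can drift without anyone noticing. If the tests cannot build against the new OpenSSL yet, I would add a comment above each disabled entry, e.g. `# TODO(<issue-id placeholder>): re-enable once ported to the OpenSSL 3 EVP API`. Alternatively, gate them behind a CMake option so CI can still attempt the build.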
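Review bot: In `dump_pubkey`, `eckey` is now declared as `EVP_PKEY *`, but the unchanged line below still calls `i2o_ECPublicKey(eckey, NULL)`, which takes an `EC_KEY *`. That is an incompatible pointer type at compile time, and if it does build it reads the wrong structure at run time. The EVP-level call would be something like `EVP_PKEY_get_octet_string_param(eckey, OSSL_PKEY_PARAM_PUB_KEY, buf, sizeof(buf), &len)`, adjusted to the real types of `buf` and `len`, with the return value checked before dumping. The function continues outside the hunk, and it may only be compiled when `HEXDEBUG` is defined, which would explain why the mismatch went unnoticed.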
@@ -105,24 +106,24 @@ static fdo_byte_array_t *getcleartext(int length) //---------------------------------------------------- #ifdef USE_OPENSSL -static EC_KEY *generateECDSA_key(void) +static EVP_PKEY *generateECDSA_key(void) { - EC_KEY *eckey = NULL; + EVP_PKEY *evp_key = NULL; + uint32_t group_name_nid; #if defined(ECDSA256_DA) - eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); -#elif defined(ECDSA384_DA) - eckey = EC_KEY_new_by_curve_name(NID_secp384r1); + group_name_nid = NID_X9_62_prime256v1; +#else + group_name_nid = NID_secp384r1; #endif - /* For cert signing, we use the OPENSSL_EC_NAMED_CURVE flag */ - EC_KEY_set_asn1_flag(eckey, OPENSSL_EC_NAMED_CURVE); - - if (eckey) - if (EC_KEY_generate_key(eckey) == 0) { - EC_KEY_free(eckey); - eckey = NULL; - } - return eckey; + + evp_key = EVP_EC_gen(OBJ_nid2sn(group_name_nid)); + if (!evp_key) { + LOG(LOG_ERROR, "EC key generation failed\n"); + return NULL; + } + + return evp_key; } #endif // USE_OPENSSL @@ -196,10 +197,12 @@ TEST_CASE("crypto_hal_ecdsa_sign", "[ECDSARoutines][fdo]") size_t siglen = ECDSA_SIG_MAX_LENGTH; unsigned char *sigtestdata = fdo_alloc(ECDSA_SIG_MAX_LENGTH); TEST_ASSERT_NOT_NULL(sigtestdata); - unsigned char hash[SHA512_DIGEST_SIZE] = {0}; - size_t hash_length = 0; + EVP_MD_CTX *mdctx = NULL; unsigned char *sig_r = NULL; unsigned char *sig_s = NULL; + uint32_t der_sig_len = 0; + uint8_t * der_sig = NULL; + size_t hash_length = 0; #if defined(ECDSA256_DA) hash_length = SHA256_DIGEST_SIZE; @@ -209,7 +212,7 @@ TEST_CASE("crypto_hal_ecdsa_sign", "[ECDSARoutines][fdo]") // Create the context & create the key #ifdef USE_OPENSSL - EC_KEY *avalidkey = generateECDSA_key(); + EVP_PKEY *avalidkey = generateECDSA_key(); TEST_ASSERT_NOT_NULL(avalidkey); int privatekey_buflen = hash_length; BIGNUM *r = NULL; 
@@ -256,8 +259,12 @@ TEST_CASE("crypto_hal_ecdsa_sign", "[ECDSARoutines][fdo]") #else // save in bin format #ifdef USE_OPENSSL - if (BN_bn2bin(EC_KEY_get0_private_key((const EC_KEY *)avalidkey), - privatekey)) + BIGNUM *privkey_bn = NULL; + if (!EVP_PKEY_get_bn_param((const EVP_PKEY *)avalidkey, OSSL_PKEY_PARAM_PRIV_KEY, &privkey_bn)) { + LOG(LOG_ERROR, "Failed to get private key bn\n"); + result = -1; + } + if (BN_bn2bin(privkey_bn, privatekey)) result = 0; #endif #ifdef USE_MBEDTLS @@ -285,17 +292,26 @@ TEST_CASE("crypto_hal_ecdsa_sign", "[ECDSARoutines][fdo]") TEST_ASSERT_EQUAL(0, result); #ifdef USE_OPENSSL - // create the hash of the plaintext -// if (hash_length == SHA256_DIGEST_SIZE) + if(!(mdctx = EVP_MD_CTX_create())) { + LOG(LOG_ERROR, "Msg Digest init failed \n"); + result = -1; + } #if defined(ECDSA256_DA) - if (SHA256((const unsigned char *)testdata->bytes, testdata->byte_sz, - hash) == NULL) + if(1 != EVP_DigestVerifyInit(mdctx, NULL, EVP_sha256(), NULL, avalidkey)){ + LOG(LOG_ERROR, "EVP verify init failed \n"); result = -1; + } #elif defined(ECDSA384_DA) - if (SHA384((const unsigned char *)testdata->bytes, testdata->byte_sz, - hash) == NULL) + if(1 != EVP_DigestVerifyInit(mdctx, NULL, EVP_sha384(), NULL, avalidkey)){ + LOG(LOG_ERROR, "EVP verify init failed \n"); result = -1; + } #endif + + if(1 != EVP_DigestVerifyUpdate(mdctx, testdata->bytes, testdata->byte_sz)) { + LOG(LOG_ERROR, "EVP verify update failed \n"); + result = -1; + } TEST_ASSERT_EQUAL(0, result); sig_r = fdo_alloc(siglen/2); 
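Review bot: In the `@@ -256,8 +259,12 @@` hunk a failed `EVP_PKEY_get_bn_param()` only sets `result = -1` and then falls through to `BN_bn2bin(privkey_bn, privatekey)` with `privkey_bn` still NULL, and a success there would overwrite the error with `result = 0`. The BIGNUM filled in by `EVP_PKEY_get_bn_param()` is owned by the caller and holds the private scalar, but nothing in the hunk releases it; I would chain the calls with `else if (BN_bn2bin(privkey_bn, privatekey))` and finish with `BN_clear_free(privkey_bn);`. The same sequence is added to `crypto_support_Private_key` in the `@@ -815,8 +866,13 @@` hunk of test_cryptoSupport.c. The test body continues outside the hunk, so a release further down cannot be ruled out.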
@@ -319,8 +335,20 @@ TEST_CASE("crypto_hal_ecdsa_sign", "[ECDSARoutines][fdo]") } TEST_ASSERT_EQUAL(0, result); + der_sig_len = i2d_ECDSA_SIG(sig, NULL); + if (!der_sig_len) { + LOG(LOG_ERROR, "Failure in format conversion of signature \n"); + result = -1; + } + + der_sig_len = i2d_ECDSA_SIG(sig, &der_sig); + if (!der_sig_len || !der_sig) { + LOG(LOG_ERROR, "Failure in format conversion of signature \n"); + result = -1; + } + // verify the signature. - if (1 != ECDSA_do_verify(hash, hash_length, sig, avalidkey)) { + if(1 != EVP_DigestVerifyFinal(mdctx, der_sig, der_sig_len)) { LOG(LOG_ERROR, "ECDSA Sig verification failed\n"); result = -1; } @@ -345,7 +373,20 @@ TEST_CASE("crypto_hal_ecdsa_sign", "[ECDSARoutines][fdo]") } TEST_ASSERT_EQUAL(0, result); - if (1 != ECDSA_do_verify(hash, hash_length, sig, avalidkey)) { + der_sig_len = i2d_ECDSA_SIG(sig, NULL); + if (!der_sig_len) { + LOG(LOG_ERROR, "Failure in format conversion of signature \n"); + result = -1; + } + + der_sig_len = i2d_ECDSA_SIG(sig, &der_sig); + if (!der_sig_len || !der_sig) { + LOG(LOG_ERROR, "Failure in format conversion of signature \n"); + result = -1; + } + + // verify the signature. + if(1 != EVP_DigestVerifyFinal(mdctx, der_sig, der_sig_len)) { LOG(LOG_ERROR, "ECDSA Sig verification failed\n"); result = -1; } @@ -395,7 +436,8 @@ TEST_CASE("crypto_hal_ecdsa_sign", "[ECDSARoutines][fdo]") BIO_free_all(outbio); #endif if (avalidkey) { - EC_KEY_free(avalidkey); + EVP_PKEY_free(avalidkey); + avalidkey = NULL; } if (sig) { ECDSA_SIG_free(sig); diff --git a/tests/unit/test_ECDSAVerifyRoutines.c b/tests/unit/test_ECDSAVerifyRoutines.c index f8f042fb..0d1ea67b 100644 --- a/tests/unit/test_ECDSAVerifyRoutines.c +++ b/tests/unit/test_ECDSAVerifyRoutines.c @@ -13,6 +13,7 @@ #include "fdoCrypto.h" #include "storage_al.h" #include "unity.h" +#include "openssl/core_names.h" //#define HEXDEBUG 1 
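Review bot: `i2d_ECDSA_SIG()` returns a negative `int` on error, but the result is stored in the `uint32_t der_sig_len`, so the `!der_sig_len` checks in the `@@ -319,8 +335,20 @@` hunk let a failure through as a very large length that is then passed to `EVP_DigestVerifyFinal()`. The error branches also only set `result = -1` and carry on to the verify call. I would keep the return value in an `int`, test `if (n <= 0 || !der_sig)`, and skip the verify when it fails; the first call with a NULL output pointer is then unnecessary, because the second call already allocates the buffer and returns the length. No hunk of this file adds `OPENSSL_free(der_sig)` or `EVP_MD_CTX_free(mdctx)`, so both new objects appear to be leaked at the end of the test.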
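Review bot: The second conversion, in the `@@ -345,7 +373,20 @@` hunk, calls `i2d_ECDSA_SIG(sig, &der_sig)` while `der_sig` still points at the buffer allocated by the first conversion. With a non-NULL output pointer the function writes into the existing buffer and advances the pointer past the encoding, so a longer signature may not fit and `EVP_DigestVerifyFinal()` is then given a pointer to the end of the data rather than its start. Unless `der_sig` is reset between the two blocks outside the hunk, release and clear it first: `OPENSSL_free(der_sig); der_sig = NULL;`. The same `mdctx` is also finalised a second time here; a fresh `EVP_DigestVerifyInit`/`EVP_DigestVerifyUpdate` for this check would make the test independent of how the library treats a reused context.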
@@ -73,7 +74,7 @@ static void dump_pubkey(const char *title, void *ctx) #if defined(USE_OPENSSL) uint8_t *pub_copy = buf; - EC_KEY *eckey = (EC_KEY *)ctx; + EVP_PKEY *eckey = (EVP_PKEY *)ctx; len = i2o_ECPublicKey(eckey, NULL); /* pub_copy is required, because i2o_ECPublicKey alters the input @@ -112,36 +113,34 @@ static void showPK(fdo_public_key_t *pk) #endif //---------------------------------------------------- #ifdef USE_OPENSSL -static EC_KEY *generateECDSA_key(int curve) +static EVP_PKEY *generateECDSA_key(int curve) { - EC_KEY *eckey = NULL; + EVP_PKEY *evp_key = NULL; + uint32_t group_name_nid; if (curve == 256) - eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); + group_name_nid = NID_X9_62_prime256v1; else if (curve == 384) - eckey = EC_KEY_new_by_curve_name(NID_secp384r1); + group_name_nid = NID_secp384r1; else return NULL; - /* For cert signing, we use the OPENSSL_EC_NAMED_CURVE flag */ - EC_KEY_set_asn1_flag(eckey, OPENSSL_EC_NAMED_CURVE); + evp_key = EVP_EC_gen(OBJ_nid2sn(group_name_nid)); + if (!evp_key) { + LOG(LOG_ERROR, "EC key generation failed\n"); + return NULL; + } - if (eckey) - if (EC_KEY_generate_key(eckey) == 0) { - EC_KEY_free(eckey); - eckey = NULL; - } - return eckey; + return evp_key; } // return 1 on success; 0/-1 for failure static int sha_ECCsign(int curve, unsigned char *msg, unsigned int mlen, - unsigned char *out, unsigned int *outlen, EC_KEY *eckey) + unsigned char *out, unsigned int *outlen, EVP_PKEY *evpKey) { - unsigned char hash[SHA512_DIGEST_SIZE] = {0}; - size_t hashlength = 0; - unsigned char *signature = NULL; - unsigned int siglen = 0; + unsigned char *der_sig = NULL; + size_t der_sig_len = 0; + EVP_MD_CTX *mdctx = NULL; // ECDSA_sign return 1 on success, 0 on failure int result = 0; ECDSA_SIG *sig = NULL; 
@@ -150,29 +149,60 @@ static int sha_ECCsign(int curve, unsigned char *msg, unsigned int mlen, unsigned char *sig_s = NULL; int sig_s_len = 0; - siglen = ECDSA_size(eckey); - signature = OPENSSL_malloc(siglen); + // Create the Message Digest Context + mdctx = EVP_MD_CTX_create(); + if(!mdctx) { + LOG(LOG_ERROR, "Failed to create message digest context\n"); + goto done; + } if (curve == 256) { - if (SHA256(msg, mlen, hash) == NULL) + if (1 != EVP_DigestSignInit(mdctx, NULL, EVP_sha256(), NULL, evpKey)) { + LOG(LOG_ERROR, "EVP sign init failed \n"); goto done; - hashlength = SHA256_DIGEST_SIZE; + } } else if (curve == 384) { - if (SHA384(msg, mlen, hash) == NULL) + if (1 != EVP_DigestSignInit(mdctx, NULL, EVP_sha384(), NULL, evpKey)) { + LOG(LOG_ERROR, "EVP sign init failed \n"); goto done; - hashlength = SHA384_DIGEST_SIZE; - // ECDSA_sign return 1 on success, 0 on failure + } } else { goto done; } -#ifdef HEXDEBUG - hexdump("sha_sign:MESSAGE", msg, mlen); - hexdump("sha_sign:SHAHASH", hash, hashlength); -#endif + if (1 != EVP_DigestSignUpdate(mdctx, msg, mlen)) { + LOG(LOG_ERROR, "EVP sign update failed \n"); + goto done; + } + //First call with NULL param to obtain the DER encoded signature length + if (1 != EVP_DigestSignFinal(mdctx, NULL, &der_sig_len)) { + LOG(LOG_ERROR, "EVP sign final for size failed \n"); + goto done; + } + if (der_sig_len <= 0) { + LOG(LOG_ERROR, "EVP_DigestSignFinal returned invalid signature length.\n"); + goto done; + } + + der_sig = fdo_alloc(der_sig_len); + if (!der_sig) { + LOG(LOG_ERROR, "Signature alloc Failed\n"); + goto done; + } + //second call with actual param to obtain the DEr encoded signature + if (1 != EVP_DigestSignFinal(mdctx, der_sig, &der_sig_len)) { + LOG(LOG_ERROR, "EVP sign final failed \n"); + goto done; + } - sig = ECDSA_do_sign(hash, hashlength, eckey); + // Decode DER encoded signature to convert to raw format + sig = ECDSA_SIG_new(); + const unsigned char *sig_input = der_sig; + if (!sig || d2i_ECDSA_SIG(&sig, 
&sig_input, der_sig_len) == NULL) { + LOG(LOG_ERROR, "DER to EVP_PKEY struct decoding failed!\n"); + goto done; + } TEST_ASSERT_NOT_NULL(sig); // both r and s are maintained by sig, no need to free explicitly @@ -205,7 +235,6 @@ static int sha_ECCsign(int curve, unsigned char *msg, unsigned int mlen, hexdump("sha256_sign:SIGNEDMESSAGE", out, *outlen); #endif done: - OPENSSL_free(signature); if (sig) { ECDSA_SIG_free(sig); } @@ -215,10 +244,22 @@ static int sha_ECCsign(int curve, unsigned char *msg, unsigned int mlen, if (sig_s) { fdo_free(sig_s); } + if (der_sig) { + fdo_free(der_sig); + sig_input = NULL; + } + if (mdctx) { + EVP_MD_CTX_free(mdctx); + mdctx = NULL; + } + if (evpKey) { + EVP_PKEY_free(evpKey); + evpKey = NULL; + } return result; } -static fdo_public_key_t *getFDOpk(int curve, EC_KEY *eckey) +static fdo_public_key_t *getFDOpk(int curve, EVP_PKEY *evpKey) { (void)curve; unsigned char *key_buf = NULL; @@ -237,9 +278,9 @@ static fdo_public_key_t *getFDOpk(int curve, EC_KEY *eckey) #endif TEST_ASSERT_NOT_NULL_MESSAGE(ecgroup, "Failed to get ECGROUP\n"); - const EC_POINT *pub = EC_KEY_get0_public_key(eckey); + const EC_POINT *pub = EC_POINT_new(ecgroup); TEST_ASSERT_NOT_NULL_MESSAGE(pub, "Failed to get ECPOINT\n"); - if (EC_POINT_get_affine_coordinates_GFp(ecgroup, pub, x, y, NULL)) { + if (EVP_PKEY_get_bn_param(evpKey, OSSL_PKEY_PARAM_EC_PUB_X, &x) && EVP_PKEY_get_bn_param(evpKey, OSSL_PKEY_PARAM_EC_PUB_Y, &y)) { x_len = BN_num_bytes(x); y_len = BN_num_bytes(y); key_buf_len = x_len + y_len; @@ -277,11 +318,15 @@ static fdo_public_key_t *getFDOpk(int curve, EC_KEY *eckey) } #ifdef HEXDEBUG - dump_pubkey(" + Public key: ", eckey); + dump_pubkey(" + Public key: ", evpKey); hexdump("key1", (unsigned char *)pk->key1, pub_len); if (pk->key2) showPK(pk); #endif +if (evpKey) { + EVP_PKEY_free(evpKey); + evpKey = NULL; + } return pk; } 
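Review bot: The new `done:` cleanup in `sha_ECCsign` (`@@ -215,10 +244,22 @@`) calls `EVP_PKEY_free(evpKey)` on a key the caller still owns, and `evpKey = NULL` only clears the local copy of the parameter. `ec_sig_verification` goes on to pass the same `avalidkey` to `i2d_PUBKEY()` and `getFDOpk()` and finally to `EVP_PKEY_free()`, and `getFDOpk` gains the same free in the `@@ -277,11 +318,15 @@` hunk, so the key is used after it is released and released more than once. The identical cleanup is added to `sha_ECCsign` and `getFDOpk` in test_cryptoSupport.c (`@@ -314,10 +348,22 @@`, `@@ -374,6 +421,10 @@`), whose callers also free `validkey`. I would drop the `if (evpKey) { EVP_PKEY_free(evpKey); ... }` blocks from both helpers and leave ownership with the test that generated the key. `sig_input = NULL;` at `done:` also refers to a variable declared after the earlier `goto done` jumps; declaring it at the top of the function would be cleaner.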
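Review bot: `const EC_POINT *pub = EC_POINT_new(ecgroup);` in the `@@ -237,9 +278,9 @@` hunk allocates an empty point whose only visible use is to make the following `TEST_ASSERT_NOT_NULL_MESSAGE(pub, ...)` pass; the coordinates are now read with `EVP_PKEY_get_bn_param()` and, within the hunk, `pub` is no longer consulted. No hunk of this file adds an `EC_POINT_free()` for it, so it appears to leak. I would delete `pub` and its assertion and let the `EVP_PKEY_get_bn_param(...)` condition be the check that the public key is available; the same applies to `getFDOpk` in test_cryptoSupport.c (`@@ -336,9 +382,10 @@`). The function body starts and ends outside the hunk.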
@@ -444,14 +489,14 @@ static void ec_sig_verification(int curve) // int curve = 256; #ifdef USE_OPENSSL unsigned char *pubkey = key_buf; - EC_KEY *avalidkey = generateECDSA_key(curve); + EVP_PKEY *avalidkey = generateECDSA_key(curve); TEST_ASSERT_NOT_NULL(avalidkey); if (1 == (result = sha_ECCsign(curve, testdata->bytes, testdata->byte_sz, sigtestdata, &siglen, avalidkey))) { TEST_ASSERT_EQUAL(1, result); - key_buf_len = i2d_EC_PUBKEY(avalidkey, &pubkey); + key_buf_len = i2d_PUBKEY(avalidkey, &pubkey); TEST_ASSERT_NOT_EQUAL_MESSAGE(0, key_buf_len, "DER encoding failed!"); pk = getFDOpk(curve, avalidkey); @@ -525,7 +570,7 @@ static void ec_sig_verification(int curve) fdo_public_key_t *anotherpk = NULL; #ifdef USE_OPENSSL /* force a failure by using another/different key */ - EC_KEY *anotherkey = generateECDSA_key(curve); + EVP_PKEY *anotherkey = generateECDSA_key(curve); TEST_ASSERT_NOT_NULL(anotherkey); anotherpk = getFDOpk(curve, anotherkey); #endif @@ -558,8 +603,10 @@ static void ec_sig_verification(int curve) /* clean up */ fdo_public_key_free(anotherpk); #ifdef USE_OPENSSL - if (anotherkey) - EC_KEY_free(anotherkey); + if (anotherkey) { + EVP_PKEY_free(anotherkey); + anotherkey = NULL; + } #endif #ifdef USE_MBEDTLS mbedtls_ecdsa_free(&anotherkey); @@ -569,7 +616,8 @@ static void ec_sig_verification(int curve) #ifdef USE_OPENSSL if (avalidkey) { - EC_KEY_free(avalidkey); + EVP_PKEY_free(avalidkey); + avalidkey = NULL; } #endif #ifdef USE_MBEDTLS diff --git a/tests/unit/test_cryptoSupport.c b/tests/unit/test_cryptoSupport.c index 22fb25db..b109d6a0 100644 --- a/tests/unit/test_cryptoSupport.c +++ b/tests/unit/test_cryptoSupport.c @@ -18,6 +18,7 @@ #include "ecdsa_privkey.h" #include "safe_lib.h" #include "fdotypes.h" +#include "openssl/core_names.h" #define PLAIN_TEXT_SIZE BUFF_SIZE_1K_BYTES #define DER_PUBKEY_LEN_MAX 512 
@@ -52,10 +53,10 @@ uint8_t pub_key[] = { 0x83, 0x7d, 0x3e, 0x31, 0xee, 0x11, 0x40, 0xa9}; /*** Function Declarations ***/ -EC_KEY *generateECDSA_key(int curve); +EVP_PKEY *generateECDSA_key(int curve); int sha_ECCsign(int curve, uint8_t *msg, uint32_t mlen, uint8_t *out, - uint32_t *outlen, EC_KEY *eckey); -fdo_public_key_t *getFDOpk(int curve, EC_KEY *eckey); + uint32_t *outlen, EVP_PKEY *eckey); +fdo_public_key_t *getFDOpk(int curve, EVP_PKEY *eckey); void set_up(void); void tear_down(void); int32_t __wrap_crypto_hal_set_peer_random(void *context, @@ -75,7 +76,7 @@ int __wrap_crypto_hal_sig_verify( uint32_t signature_length, const uint8_t *key_param1, uint32_t key_param1Length, const uint8_t *key_param2, uint32_t key_param2Length); -int __wrap_get_ec_key(void); +// int __wrap_get_ec_key(void); int __wrap_ECDSA_size(const EC_KEY *eckey); int __wrap_memcpy_s(void *dest, size_t dmax, const void *src, size_t smax); void test_crypto_support_random(void); @@ -145,7 +146,7 @@ fdo_string_t *__wrap_fdo_string_alloc_with_str(char *data); errno_t __wrap_strcmp_s(const char *dest, rsize_t dmax, const char *src, int *indicator); static uint8_t *get_randomiv(void); -static EC_KEY *Private_key(void); +static EVP_PKEY *Private_key(void); /*** Function Definitions ***/ 
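Review bot: The `__wrap_get_ec_key` prototype is commented out in the `@@ -75,7 +76,7 @@` hunk, and its definition likewise in `@@ -683,15 +734,15 @@`, but the `get_ec_key_fail_case` test (`@@ -3100,10 +3153,9 @@`) still sets `get_ec_key_fail_flag` and asserts that `fdo_device_sign()` returns -1. With the wrapper gone the flag no longer injects a failure, so that test either fails or passes for an unrelated reason. I would delete the dead prototype and definition rather than comment them out, and either wrap whatever replaced `get_ec_key` in the OpenSSL 3 code path or remove the test case; `__wrap_ECDSA_size(const EC_KEY *)` deserves the same check. Whether the linker `--wrap` list was updated is outside this diff.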
@@ -162,27 +163,24 @@ static uint8_t *get_randomiv(void) } #ifdef USE_OPENSSL -static EC_KEY *Private_key(void) +static EVP_PKEY *Private_key(void) { - EC_KEY *eckey = NULL; + EVP_PKEY *evp_key = NULL; + uint32_t group_name_nid; #if defined(ECDSA256_DA) - eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); + group_name_nid = NID_X9_62_prime256v1; #else - eckey = EC_KEY_new_by_curve_name(NID_secp384r1); + group_name_nid = NID_secp384r1; #endif - if (eckey == NULL) + evp_key = EVP_EC_gen(OBJ_nid2sn(group_name_nid)); + if (!evp_key) { + LOG(LOG_ERROR, "EC key generation failed\n"); return NULL; - /* For cert signing, we use the OPENSSL_EC_NAMED_CURVE flag */ - EC_KEY_set_asn1_flag(eckey, OPENSSL_EC_NAMED_CURVE); + } - if (eckey) - if (EC_KEY_generate_key(eckey) == 0) { - EC_KEY_free(eckey); - eckey = NULL; - } - return eckey; + return evp_key; } #endif 
@@ -226,37 +224,35 @@ static int Private_key(mbedtls_ecdsa_context *ctx_sign) #endif #ifdef USE_OPENSSL -EC_KEY *generateECDSA_key(int curve) +EVP_PKEY *generateECDSA_key(int curve) { (void)curve; - EC_KEY *eckey = NULL; + EVP_PKEY *evp_key = NULL; + uint32_t group_name_nid; #if defined(ECDSA256_DA) - eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); + group_name_nid = NID_X9_62_prime256v1; #else - eckey = EC_KEY_new_by_curve_name(NID_secp384r1); + group_name_nid = NID_secp384r1; #endif - if (eckey == NULL) - return NULL; - /* For cert signing, we use the OPENSSL_EC_NAMED_CURVE flag */ - EC_KEY_set_asn1_flag(eckey, OPENSSL_EC_NAMED_CURVE); + evp_key = EVP_EC_gen(OBJ_nid2sn(group_name_nid)); + if (!evp_key) { + LOG(LOG_ERROR, "EC key generation failed\n"); + return NULL; + } - if (eckey) - if (EC_KEY_generate_key(eckey) == 0) { - EC_KEY_free(eckey); - eckey = NULL; - } - return eckey; + return evp_key; } // return 0 on success; -1 for failure int sha_ECCsign(int curve, uint8_t *msg, uint32_t mlen, uint8_t *out, - uint32_t *outlen, EC_KEY *eckey) + uint32_t *outlen, EVP_PKEY *evpKey) { (void)curve; - uint8_t hash[SHA512_DIGEST_SIZE] = {0}; - size_t hashlength = 0; + unsigned char *der_sig = NULL; + size_t der_sig_len = 0; + EVP_MD_CTX *mdctx = NULL; int result = -1; ECDSA_SIG *sig = NULL; unsigned char *sig_r = NULL; 
@@ -264,17 +260,55 @@ int sha_ECCsign(int curve, uint8_t *msg, uint32_t mlen, uint8_t *out, unsigned char *sig_s = NULL; int sig_s_len = 0; +// Create the Message Digest Context + mdctx = EVP_MD_CTX_create(); + if(!mdctx) { + LOG(LOG_ERROR, "Failed to create message digest context\n"); + goto done; + } #if defined(ECDSA256_DA) - if (SHA256(msg, mlen, hash) == NULL) + if (1 != EVP_DigestSignInit(mdctx, NULL, EVP_sha256(), NULL, evpKey)) { + LOG(LOG_ERROR, "EVP sign init failed \n"); goto done; - hashlength = SHA256_DIGEST_SIZE; -#else - if (SHA384(msg, mlen, hash) == NULL) + } +#elif defined(ECDSA384_DA) + if (1 != EVP_DigestSignInit(mdctx, NULL, EVP_sha384(), NULL, evpKey)) { + LOG(LOG_ERROR, "EVP sign init failed \n"); goto done; - hashlength = SHA384_DIGEST_SIZE; + } #endif + if (1 != EVP_DigestSignUpdate(mdctx, msg, mlen)) { + LOG(LOG_ERROR, "EVP sign update failed \n"); + goto done; + } + //First call with NULL param to obtain the DER encoded signature length + if (1 != EVP_DigestSignFinal(mdctx, NULL, &der_sig_len)) { + LOG(LOG_ERROR, "EVP sign final for size failed \n"); + goto done; + } + if (der_sig_len <= 0) { + LOG(LOG_ERROR, "EVP_DigestSignFinal returned invalid signature length.\n"); + goto done; + } - sig = ECDSA_do_sign(hash, hashlength, eckey); + der_sig = fdo_alloc(der_sig_len); + if (!der_sig) { + LOG(LOG_ERROR, "Signature alloc Failed\n"); + goto done; + } + //second call with actual param to obtain the DEr encoded signature + if (1 != EVP_DigestSignFinal(mdctx, der_sig, &der_sig_len)) { + LOG(LOG_ERROR, "EVP sign final failed \n"); + goto done; + } + + // Decode DER encoded signature to convert to raw format + sig = ECDSA_SIG_new(); + const unsigned char *sig_input = der_sig; + if (!sig || d2i_ECDSA_SIG(&sig, &sig_input, der_sig_len) == NULL) { + LOG(LOG_ERROR, "DER to EC_KEY struct decoding failed!\n"); + goto done; + } TEST_ASSERT_NOT_NULL(sig); // both r and s are maintained by sig, no need to free explicitly 
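Review bot: The digest selection in `sha_ECCsign` changes from `#if defined(ECDSA256_DA) ... #else` to `#if ... #elif defined(ECDSA384_DA)`, so a build with neither macro defined never calls `EVP_DigestSignInit()` and goes straight to `EVP_DigestSignUpdate()` on an uninitialised context. `generateECDSA_key` and `Private_key` in the same file keep `#else` and fall back to P-384, so key generation and digest selection no longer agree on the default. I would either restore `#else` for the SHA-384 branch or add an `#else` with `#error "ECDSA256_DA or ECDSA384_DA must be defined"`. The `der_sig_len <= 0` test is on a `size_t` and can only catch zero; `== 0` says what it does.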
@@ -314,10 +348,22 @@ int sha_ECCsign(int curve, uint8_t *msg, uint32_t mlen, uint8_t *out, if (sig_s) { fdo_free(sig_s); } + if (der_sig) { + fdo_free(der_sig); + sig_input = NULL; + } + if (mdctx) { + EVP_MD_CTX_free(mdctx); + mdctx = NULL; + } + if (evpKey) { + EVP_PKEY_free(evpKey); + evpKey = NULL; + } return result; } -fdo_public_key_t *getFDOpk(int curve, EC_KEY *eckey) +fdo_public_key_t *getFDOpk(int curve, EVP_PKEY *evpKey) { (void)curve; unsigned char *key_buf = NULL; @@ -336,9 +382,10 @@ fdo_public_key_t *getFDOpk(int curve, EC_KEY *eckey) #endif TEST_ASSERT_NOT_NULL_MESSAGE(ecgroup, "Failed to get ECGROUP\n"); - const EC_POINT *pub = EC_KEY_get0_public_key(eckey); + const EC_POINT *pub = EC_POINT_new(ecgroup); TEST_ASSERT_NOT_NULL_MESSAGE(pub, "Failed to get ECPOINT\n"); - if (EC_POINT_get_affine_coordinates_GFp(ecgroup, pub, x, y, NULL)) { + /* Get the public key co-ordinates in x and y*/ + if (EVP_PKEY_get_bn_param(evpKey, OSSL_PKEY_PARAM_EC_PUB_X, &x) && EVP_PKEY_get_bn_param(evpKey, OSSL_PKEY_PARAM_EC_PUB_Y, &y)) { x_len = BN_num_bytes(x); y_len = BN_num_bytes(y); key_buf_len = x_len + y_len; @@ -374,6 +421,10 @@ fdo_public_key_t *getFDOpk(int curve, EC_KEY *eckey) if (y) { BN_free(y); } + if (evpKey) { + EVP_PKEY_free(evpKey); + evpKey = NULL; + } return pk; } #endif // USE_OPENSSL @@ -683,15 +734,15 @@ int __wrap_crypto_hal_sig_verify( } #ifdef USE_OPENSSL -int __real_get_ec_key(void); -int __wrap_get_ec_key(void) -{ - if (get_ec_key_fail_flag) { - return 0; - } else { - return __real_get_ec_key(); - } -} +// int __real_get_ec_key(void); +// int __wrap_get_ec_key(void) +// { +// if (get_ec_key_fail_flag) { +// return 0; +// } else { +// return __real_get_ec_key(); +// } +// } int __real_ECDSA_size(const EC_KEY *eckey); int __wrap_ECDSA_size(const EC_KEY *eckey) 
@@ -773,7 +824,7 @@ TEST_CASE("crypto_support_Private_key", "[crypto_support][fdo]") size_t hash_length = SHA384_DIGEST_SIZE; #endif - EC_KEY *validkey = Private_key(); + EVP_PKEY *validkey = Private_key(); TEST_ASSERT_NOT_NULL(validkey); privatekey_buflen = hash_length; #endif @@ -815,8 +866,13 @@ TEST_CASE("crypto_support_Private_key", "[crypto_support][fdo]") #else #ifdef USE_OPENSSL - if (BN_bn2bin(EC_KEY_get0_private_key((const EC_KEY *)validkey), - privatekey)) + BIGNUM *privkey_bn = NULL; + if (!EVP_PKEY_get_bn_param((const EVP_PKEY *)validkey, OSSL_PKEY_PARAM_PRIV_KEY, &privkey_bn)) { + LOG(LOG_ERROR, "Failed to get private key bn\n"); + ret = -1; + } + + if (BN_bn2bin(privkey_bn, privatekey)) ret = 0; #endif #ifdef USE_MBEDTLS @@ -837,7 +893,7 @@ TEST_CASE("crypto_support_Private_key", "[crypto_support][fdo]") BIO_free_all(outbio); #endif if (validkey) - EC_KEY_free(validkey); + EVP_PKEY_free(validkey); #endif #ifdef USE_MBEDTLS mbedtls_ecdsa_free(&ctx_sign); @@ -1850,7 +1906,7 @@ TEST_CASE("fdo_ov_verify", "[crypto_support][fdo]") #else curve = 384; #endif - EC_KEY *validkey = generateECDSA_key(curve); + EVP_PKEY *validkey = generateECDSA_key(curve); TEST_ASSERT_NOT_NULL(validkey); ret = sha_ECCsign(curve, message, message_length, message_signature, &signature_len, validkey); @@ -1923,7 +1979,7 @@ TEST_CASE("fdo_ov_verify", "[crypto_support][fdo]") if (pubkey) fdo_public_key_free(pubkey); if (validkey) - EC_KEY_free(validkey); + EVP_PKEY_free(validkey); #endif #ifdef USE_MBEDTLS @@ -1969,7 +2025,7 @@ TEST_CASE("fdo_ov_verify_invalid_message", "[crypto_support][fdo]") #else curve = 384; #endif - EC_KEY *validkey = generateECDSA_key(curve); + EVP_PKEY *validkey = generateECDSA_key(curve); TEST_ASSERT_NOT_NULL(validkey); ret = sha_ECCsign(curve, message, message_length, message_signature, &signature_len, validkey); 
@@ -2036,7 +2092,7 @@ TEST_CASE("fdo_ov_verify_invalid_message", "[crypto_support][fdo]") if (pubkey) fdo_public_key_free(pubkey); if (validkey) - EC_KEY_free(validkey); + EVP_PKEY_free(validkey); #endif #ifdef USE_MBEDTLS @@ -2080,7 +2136,7 @@ TEST_CASE("fdo_ov_verify_invalid_message_length", "[crypto_support][fdo]") #else curve = 384; #endif - EC_KEY *validkey = generateECDSA_key(curve); + EVP_PKEY *validkey = generateECDSA_key(curve); TEST_ASSERT_NOT_NULL(validkey); ret = sha_ECCsign(curve, message, message_length, message_signature, &signature_len, validkey); @@ -2147,7 +2203,7 @@ TEST_CASE("fdo_ov_verify_invalid_message_length", "[crypto_support][fdo]") if (pubkey) fdo_public_key_free(pubkey); if (validkey) - EC_KEY_free(validkey); + EVP_PKEY_free(validkey); #endif #ifdef USE_MBEDTLS @@ -2191,7 +2247,7 @@ TEST_CASE("fdo_ov_verify_invalid_message_signature", "[crypto_support][fdo]") #else curve = 384; #endif - EC_KEY *validkey = generateECDSA_key(curve); + EVP_PKEY *validkey = generateECDSA_key(curve); TEST_ASSERT_NOT_NULL(validkey); ret = sha_ECCsign(curve, message, message_length, message_signature, &signature_len, validkey); @@ -2258,7 +2314,7 @@ TEST_CASE("fdo_ov_verify_invalid_message_signature", "[crypto_support][fdo]") if (pubkey) fdo_public_key_free(pubkey); if (validkey) - EC_KEY_free(validkey); + EVP_PKEY_free(validkey); #endif #ifdef USE_MBEDTLS @@ -2302,7 +2358,7 @@ TEST_CASE("fdo_ov_verify_invalid_signature_len", "[crypto_support][fdo]") #else curve = 384; #endif - EC_KEY *validkey = generateECDSA_key(curve); + EVP_PKEY *validkey = generateECDSA_key(curve); TEST_ASSERT_NOT_NULL(validkey); ret = sha_ECCsign(curve, message, message_length, message_signature, &signature_len, validkey); @@ -2369,7 +2425,7 @@ TEST_CASE("fdo_ov_verify_invalid_signature_len", "[crypto_support][fdo]") if (pubkey) fdo_public_key_free(pubkey); if (validkey) - EC_KEY_free(validkey); + EVP_PKEY_free(validkey); #endif #ifdef USE_MBEDTLS 
@@ -2413,7 +2469,7 @@ TEST_CASE("fdo_ov_verify_invalid_pubkey", "[crypto_support][fdo]") #else curve = 384; #endif - EC_KEY *validkey = generateECDSA_key(curve); + EVP_PKEY *validkey = generateECDSA_key(curve); TEST_ASSERT_NOT_NULL(validkey); ret = sha_ECCsign(curve, message, message_length, message_signature, &signature_len, validkey); @@ -2479,7 +2535,7 @@ TEST_CASE("fdo_ov_verify_invalid_pubkey", "[crypto_support][fdo]") fdo_public_key_free(pubkey); if (validkey) - EC_KEY_free(validkey); + EVP_PKEY_free(validkey); #endif #ifdef USE_MBEDTLS @@ -2521,7 +2577,7 @@ TEST_CASE("fdo_ov_verify_invalid_result", "[crypto_support][fdo]") #else curve = 384; #endif - EC_KEY *validkey = generateECDSA_key(curve); + EVP_PKEY *validkey = generateECDSA_key(curve); TEST_ASSERT_NOT_NULL(validkey); ret = sha_ECCsign(curve, message, message_length, message_signature, &signature_len, validkey); @@ -2590,7 +2646,7 @@ TEST_CASE("fdo_ov_verify_invalid_result", "[crypto_support][fdo]") if (pubkey) fdo_public_key_free(pubkey); if (validkey) - EC_KEY_free(validkey); + EVP_PKEY_free(validkey); #endif #ifdef USE_MBEDTLS @@ -2614,10 +2670,9 @@ TEST_CASE("fdo_device_sign", "[crypto_support][fdo]") const uint8_t *message = test_buff1; size_t message_len = sizeof(test_buff1); fdo_byte_array_t *signature = NULL; - fdo_byte_array_t *eat_maroe = NULL; // Positive test case - ret = fdo_device_sign(message, message_len, &signature, &eat_maroe); + ret = fdo_device_sign(message, message_len, &signature); TEST_ASSERT_EQUAL(0, ret); if (signature) { fdo_byte_array_free(signature); 
@@ -2634,10 +2689,9 @@ TEST_CASE("fdo_device_sign_invalid_message", "[crypto_support][fdo]") int ret; size_t message_len = sizeof(test_buff1); fdo_byte_array_t *signature = NULL; - fdo_byte_array_t *eat_maroe = NULL; /* Negative test case */ - ret = fdo_device_sign(NULL, message_len, &signature, &eat_maroe); + ret = fdo_device_sign(NULL, message_len, &signature); TEST_ASSERT_EQUAL(-1, ret); if (signature) { fdo_byte_array_free(signature); @@ -2654,10 +2708,9 @@ TEST_CASE("fdo_device_sign_invalid_message_len", "[crypto_support][fdo]") int ret; const uint8_t *message = test_buff1; fdo_byte_array_t *signature = NULL; - fdo_byte_array_t *eat_maroe = NULL; /* Negative test case */ - ret = fdo_device_sign(message, 0, &signature, &eat_maroe); + ret = fdo_device_sign(message, 0, &signature); TEST_ASSERT_EQUAL(-1, ret); if (signature) { fdo_byte_array_free(signature); @@ -3004,7 +3057,7 @@ TEST_CASE("crypto_hal_sig_verify_fail_case", "[crypto_support][fdo]") #else curve = 384; #endif - EC_KEY *validkey = generateECDSA_key(curve); + EVP_PKEY *validkey = generateECDSA_key(curve); TEST_ASSERT_NOT_NULL(validkey); ret = sha_ECCsign(curve, message, message_length, message_signature, &signature_len, validkey); @@ -3072,7 +3125,7 @@ TEST_CASE("crypto_hal_sig_verify_fail_case", "[crypto_support][fdo]") if (pubkey) fdo_public_key_free(pubkey); if (validkey) - EC_KEY_free(validkey); + EVP_PKEY_free(validkey); #endif #ifdef USE_MBEDTLS @@ -3100,10 +3153,9 @@ TEST_CASE("get_ec_key_fail_case", "[crypto_support][fdo]") const uint8_t *message = test_buff1; size_t message_len = sizeof(test_buff1); fdo_byte_array_t *signature = NULL; - fdo_byte_array_t *eat_maroe = NULL; get_ec_key_fail_flag = true; - ret = fdo_device_sign(message, message_len, &signature, &eat_maroe); + ret = fdo_device_sign(message, message_len, &signature); TEST_ASSERT_EQUAL(-1, ret); get_ec_key_fail_flag = false; 
@@ -3123,10 +3175,9 @@ TEST_CASE("ECDSA_size_fail_case", "[crypto_support][fdo]") const uint8_t *message = test_buff1; size_t message_len = sizeof(test_buff1); fdo_byte_array_t *signature = NULL; - fdo_byte_array_t *eat_maroe = NULL; ECDSA_size_fail_flag = true; - ret = fdo_device_sign(message, message_len, &signature, &eat_maroe); + ret = fdo_device_sign(message, message_len, &signature); TEST_ASSERT_EQUAL(-1, ret); ECDSA_size_fail_flag = false; @@ -3146,10 +3197,9 @@ TEST_CASE("memcpy_s_fail_case", "[crypto_support][fdo]") const uint8_t *message = test_buff1; size_t message_len = sizeof(test_buff1); fdo_byte_array_t *signature = NULL; - fdo_byte_array_t *eat_maroe = NULL; memcpy_s_fail_flag = true; - ret = fdo_device_sign(message, message_len, &signature, &eat_maroe); + ret = fdo_device_sign(message, message_len, &signature); memcpy_s_fail_flag = false; TEST_ASSERT_EQUAL(-1, ret); #else diff --git a/tests/unit/test_fdotypes.c b/tests/unit/test_fdotypes.c index fa617781..db7aa949 100644 --- a/tests/unit/test_fdotypes.c +++ b/tests/unit/test_fdotypes.c @@ -710,7 +710,7 @@ TEST_CASE("fdo_rendezvous_list_write", "[fdo_types][fdo]") void test_fdo_rendezvous_list_write(void) #endif { - + TEST_IGNORE(); fdow_t *fdow = NULL; fdo_rendezvous_t *rv = NULL; fdo_rendezvous_list_t *rvlist = NULL; diff --git a/utils/install_openssl_curl.sh b/utils/install_openssl_curl.sh index 0e2bafcb..ab2c84ad 100644 --- a/utils/install_openssl_curl.sh +++ b/utils/install_openssl_curl.sh @@ -1,5 +1,7 @@ -CURL_VER="7.88.0" -CURL_LINK="https://github.com/curl/curl/releases/download/curl-7_88_0/curl-7.88.0.tar.gz --no-check-certificate" +OPENSSL_ROOT=/opt/openssl +CURL_ROOT=/opt/curl +CURL_VER="8.0.1" +CURL_LINK="https://curl.se/download/curl-8.0.1.tar.gz --no-check-certificate" PARENT_DIR=`pwd` cd $PARENT_DIR 
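Review bot: `TEST_IGNORE();` at the top of `test_fdo_rendezvous_list_write` (`@@ -710,7 +710,7 @@`) turns the whole test into a skip without saying why. I would use `TEST_IGNORE_MESSAGE("<reason and tracking issue>")` so the skip shows up with its reason in the test report and can be reverted once the underlying failure is fixed. The rest of the test body is outside the hunk.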
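Review bot: `CURL_LINK` still carries `--no-check-certificate`, so the curl source tarball is fetched without TLS certificate verification and is then built and installed under `/opt/curl`; anyone on the network path can substitute the archive. No checksum or signature check is visible in this diff. I would drop the flag from `CURL_LINK` and verify a pinned digest before unpacking, e.g. `echo "<EXPECTED_SHA256>  curl-$CURL_VER.tar.gz" | sha256sum -c - || exit 1`. The download command itself is outside the hunk, and the OpenSSL download should get the same treatment if it uses the flag too.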
@@ -16,15 +18,12 @@ install() tar -xvzf openssl-$OPENSSL_VER.tar.gz cd openssl-$OPENSSL_VER - ./config --libdir=/usr/local/lib + ./config --prefix=$OPENSSL_ROOT --openssldir=/usr/local/ssl make -j$(nproc) - mv /usr/bin/openssl ~/tmp make install - ln -s /usr/local/bin/openssl /usr/bin/openssl - grep -qxF '/usr/local/lib/' /etc/ld.so.conf.d/libc.conf || echo /usr/local/lib/ | sudo tee -a /etc/ld.so.conf.d/libc.conf + grep -qxF '$OPENSSL_ROOT/lib64/' /etc/ld.so.conf.d/libc.conf || echo $OPENSSL_ROOT/lib64/ | sudo tee -a /etc/ld.so.conf.d/libc.conf ldconfig - openssl version echo "Build & Install Curl version : $CURL_VER" cd $PARENT_DIR @@ -32,15 +31,12 @@ install() tar -xvzf curl-$CURL_VER.tar.gz cd curl-$CURL_VER - ./configure --with-openssl=$PARENT_DIR/openssl-$OPENSSL_VER --enable-versioned-symbols + ./configure --prefix=$CURL_ROOT --with-openssl=$OPENSSL_ROOT --enable-versioned-symbols make -j$(nproc) make install - ldconfig - openssl version - curl --version - - + $OPENSSL_ROOT/bin/openssl version + $CURL_ROOT/bin/curl -V } @@ -70,8 +66,8 @@ usage() ./$0
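Review bot: In `grep -qxF '$OPENSSL_ROOT/lib64/' /etc/ld.so.conf.d/libc.conf` the single quotes stop the variable from expanding, so grep looks for the literal text `$OPENSSL_ROOT/lib64/`, never matches, and every run appends another copy of the path. Use double quotes on both sides: `grep -qxF "$OPENSSL_ROOT/lib64/" /etc/ld.so.conf.d/libc.conf || echo "$OPENSSL_ROOT/lib64/" | sudo tee -a /etc/ld.so.conf.d/libc.conf`. Registering the directory in the system-wide loader configuration also means other programs on the host may resolve libssl/libcrypto from this self-built tree, which then has to be kept patched by hand; an rpath on the FDO binaries would limit that. `make install` and `ldconfig` run without `sudo` while `tee` uses it, so the script presumably expects to run as root already; it would be worth making that consistent.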