Use TLS over transport for authentication of peer (#227)

* Use TLS over transport for authentication of peer

* add test cases and update user_settings.h

* handle race condition with connect

* typo fix, trim down struct, connect fd variable update

* use WOLFSSL_* instead of CTC_* and fix typo

* add SHE test with client only TLS

* update client only test case for TLS

* combined client only test macro, added TLS option to example Makefiles, moved setting of TLS certificates into config and internal transport file

* use WOLFHSM_CFG_TLS macro guard with posix_transport_tls.c|h files

* updating test case for TLS use and macro guards in posix client example

* clean up of macro names after refactor

* result of running git-clang-format

* fix spelling in comments, make fd use more clear, update to macro guards

* add free'ing of ssl object on error

Author: JacobBarthelmeh

.github/workflows/build-and-run-examples.yml

@@ -10,7 +10,7 @@ jobs:
   build:
     strategy:
         matrix:
-            transport: [ 'tcp', 'shm', 'dma' ]
+            transport: [ 'tcp', 'shm', 'dma', 'tls', 'psk' ]
             asan: [ 'ASAN=1', 'ASAN=0' ]
             debug: [ '', 'DEBUG_VERBOSE=1' ]
             test: [ '', '--test' ]
@@ -27,35 +27,52 @@ jobs:
         repository: wolfssl/wolfssl
         path: wolfssl
 
+    - name: Set TLS Environment Variable
+      run: |
+        if [ "${{ matrix.transport }}" = "tls" ] || [ "${{ matrix.transport }}" = "psk" ]; then
+          echo "TLS=1" >> $GITHUB_ENV
+        else
+          echo "TLS=0" >> $GITHUB_ENV
+        fi
+
     # Build examples
     - name: Build POSIX server
       run: |
         if [ "${{ matrix.transport }}" = "dma" ]; then
           cd examples/posix/wh_posix_server && ${{ matrix.asan }} ${{ matrix.debug }} DMA=1 make -j WOLFSSL_DIR=../../../wolfssl
         else
-          cd examples/posix/wh_posix_server && ${{ matrix.asan }} ${{ matrix.debug }} make -j WOLFSSL_DIR=../../../wolfssl
+          cd examples/posix/wh_posix_server && ${{ matrix.asan }} ${{ matrix.debug }} TLS=${{ env.TLS }} make -j WOLFSSL_DIR=../../../wolfssl
         fi
+
     - name: Build POSIX client
       run: |
         if [ "${{ matrix.transport }}" = "dma" ]; then
           cd examples/posix/wh_posix_client && ${{ matrix.asan }} ${{ matrix.debug }} DMA=1 make -j WOLFSSL_DIR=../../../wolfssl
         else
-          cd examples/posix/wh_posix_client && ${{ matrix.asan }} ${{ matrix.debug }} make -j WOLFSSL_DIR=../../../wolfssl
+          cd examples/posix/wh_posix_client && ${{ matrix.asan }} ${{ matrix.debug }} TLS=${{ env.TLS }} make -j WOLFSSL_DIR=../../../wolfssl
         fi
 
     # Start the server in the background
     - name: Run POSIX server
       run: |
         cd examples/posix/wh_posix_server
-        ./Build/wh_posix_server.elf --type ${{ matrix.transport }} &
+        if [ "${{ matrix.transport }}" = "psk" ]; then
+          echo "test_password" | ./Build/wh_posix_server.elf --type ${{ matrix.transport }} &
+        else
+          ./Build/wh_posix_server.elf --type ${{ matrix.transport }} &
+        fi
         POSIX_SERVER_PID=$!
         echo "POSIX_SERVER_PID=$POSIX_SERVER_PID" >> $GITHUB_ENV
 
     # Run the client that connects to the server
     - name: Run POSIX client
       run: |
         cd examples/posix/wh_posix_client
-        ./Build/wh_posix_client.elf --type ${{ matrix.transport }} ${{ matrix.test }}
+        if [ "${{ matrix.transport }}" = "psk" ]; then
+          echo "test_password" | ./Build/wh_posix_client.elf --type ${{ matrix.transport }} ${{ matrix.test }}
+        else
+          ./Build/wh_posix_client.elf --type ${{ matrix.transport }} ${{ matrix.test }}
+        fi
 
     # Optional: Kill the server process if it doesn't exit on its own
     - name: Cleanup POSIX server

.github/workflows/build-and-test-clientonly.yml

@@ -8,7 +8,9 @@ on:
 
 jobs:
   build:
-
+    strategy:
+        matrix:
+            transport: [ 'tcp', 'tls' ]
     runs-on: ubuntu-latest
 
     steps:
@@ -33,43 +35,55 @@ jobs:
     - name: Build POSIX server
       run: |
         cd examples/posix/wh_posix_server
-        make -j SHE=1 WOLFSSL_DIR=../../../wolfssl
+        if [ "${{ matrix.transport }}" = "tcp" ]; then
+            make -j SHE=1 WOLFSSL_DIR=../../../wolfssl
+        else
+            make -j TLS=1 SHE=1 WOLFSSL_DIR=../../../wolfssl
+        fi
 
     # Start the server in the background
     - name: Run POSIX server
       run: |
         cd examples/posix/wh_posix_server
-        ./Build/wh_posix_server.elf &
-        TCP_SERVER_PID=$!
-        echo "TCP_SERVER_PID=$TCP_SERVER_PID" >> $GITHUB_ENV
+        ./Build/wh_posix_server.elf --type ${{ matrix.transport }} &
+        SERVER_PID=$!
+        echo "SERVER_PID=$SERVER_PID" >> $GITHUB_ENV
 
     # Build and test client-only build with everything enabled and ASAN
     - name: Build client-only unit tests with ASAN
       run: |
         cd test
         make clean
-        make -j CLIENT_ONLY_TCP=1 SHE=1 ASAN=1 WOLFSSL_DIR=../wolfssl && make run
+        if [ "${{ matrix.transport }}" = "tcp" ]; then
+            make -j CLIENT_ONLY=1 SHE=1 ASAN=1 WOLFSSL_DIR=../wolfssl && make run
+        else
+            make -j CLIENT_ONLY=1 TLS=1 SHE=1 ASAN=1 WOLFSSL_DIR=../wolfssl && make run
+        fi
 
     # Restart server with fresh state for second test run
     - name: Restart POSIX server
       run: |
-        kill $TCP_SERVER_PID || true
+        kill $SERVER_PID || true
         cd examples/posix/wh_posix_server
         rm -f *.bin || true
-        ./Build/wh_posix_server.elf &
-        TCP_SERVER_PID=$!
-        echo "TCP_SERVER_PID=$TCP_SERVER_PID" >> $GITHUB_ENV
+        ./Build/wh_posix_server.elf --type ${{ matrix.transport }} &
+        SERVER_PID=$!
+        echo "SERVER_PID=$SERVER_PID" >> $GITHUB_ENV
         sleep 2
 
     # Build and test client-only with DEBUG_VERBOSE=1 (includes DEBUG)
     - name: Build client-only unit tests with DEBUG_VERBOSE
       run: |
         cd test
         make clean
-        make -j CLIENT_ONLY_TCP=1 SHE=1 DEBUG_VERBOSE=1 WOLFSSL_DIR=../wolfssl && make run
+        if [ "${{ matrix.transport }}" = "tcp" ]; then
+            make -j CLIENT_ONLY=1 SHE=1 DEBUG_VERBOSE=1 WOLFSSL_DIR=../wolfssl && make run
+        else
+            make -j CLIENT_ONLY=1 TLS=1 SHE=1 DEBUG_VERBOSE=1 WOLFSSL_DIR=../wolfssl && make run
+        fi
 
     # Optional: Kill the server process if it doesn't exit on its own
-    - name: Cleanup POSIX TCP server
+    - name: Cleanup POSIX server
       if: always()
-      run: kill $TCP_SERVER_PID || true
- 
+      run: kill $SERVER_PID || true
+

examples/posix/wh_posix_client/Makefile

@@ -112,7 +112,10 @@ DEF += -DWC_USE_DEVID=0x57444D41 -DWC_NO_DEFAULT_DEVID
 CFLAGS += -DWOLFHSM_CFG_DMA
 else
 DEF += -DWC_USE_DEVID=0x5748534D
+endif
 
+ifeq ($(TLS),1)
+CFLAGS += -DWOLFHSM_CFG_TLS
 endif
 
 #wolfCrypt test/benchmark source files

examples/posix/wh_posix_client/wh_posix_client.c

@@ -160,7 +160,17 @@ void Usage(const char* exeName)
 {
     WOLFHSM_CFG_PRINTF("Usage: %s --type <type> --test\n", exeName);
     WOLFHSM_CFG_PRINTF("Example: %s --type tcp\n", exeName);
-    WOLFHSM_CFG_PRINTF("type: tcp (default), shm\n");
+    WOLFHSM_CFG_PRINTF("type: tcp (default), shm");
+#ifdef WOLFHSM_CFG_TLS
+    WOLFHSM_CFG_PRINTF(", tls");
+#if !defined(NO_PSK)
+    WOLFHSM_CFG_PRINTF(", psk");
+#endif
+#endif /* WOLFHSM_CFG_TLS */
+#ifdef WOLFSSL_STATIC_MEMORY
+    WOLFHSM_CFG_PRINTF(", dma");
+#endif
+    WOLFHSM_CFG_PRINTF("\n");
 }
 
 int main(int argc, char** argv)
@@ -204,6 +214,18 @@ int main(int argc, char** argv)
         WOLFHSM_CFG_PRINTF("Using shared memory transport\n");
         wh_PosixClient_ExampleShmConfig(c_conf);
     }
+#ifdef WOLFHSM_CFG_TLS
+    else if (strcmp(type, "tls") == 0) {
+        WOLFHSM_CFG_PRINTF("Using TLS transport\n");
+        wh_PosixClient_ExampleTlsConfig(c_conf);
+    }
+#if !defined(NO_PSK)
+    else if (strcmp(type, "psk") == 0) {
+        WOLFHSM_CFG_PRINTF("Using TLS PSK transport\n");
+        wh_PosixClient_ExamplePskConfig(c_conf);
+    }
+#endif /* !NO_PSK */
+#endif /* WOLFHSM_CFG_TLS */
 #ifdef WOLFSSL_STATIC_MEMORY
     else if (strcmp(type, "dma") == 0) {
         WOLFHSM_CFG_PRINTF("Using DMA with shared memory transport\n");

examples/posix/wh_posix_client/wh_posix_client_cfg.c

@@ -10,19 +10,31 @@
 
 #include "port/posix/posix_transport_shm.h"
 #include "port/posix/posix_transport_tcp.h"
+#ifdef WOLFHSM_CFG_TLS
+#include "port/posix/posix_transport_tls.h"
+#endif
 
 #include <string.h>
 
 posixTransportShmClientContext tccShm;
 posixTransportTcpClientContext tccTcp;
+#ifdef WOLFHSM_CFG_TLS
+posixTransportTlsClientContext tccTls;
+#endif
 
 posixTransportShmConfig shmConfig;
 posixTransportTcpConfig tcpConfig;
+#ifdef WOLFHSM_CFG_TLS
+posixTransportTlsConfig tlsConfig;
+#endif
 
 whCommClientConfig c_comm;
 
 whTransportClientCb shmCb = POSIX_TRANSPORT_SHM_CLIENT_CB;
 whTransportClientCb tcpCb = PTT_CLIENT_CB;
+#ifdef WOLFHSM_CFG_TLS
+whTransportClientCb tlsCb = PTTLS_CLIENT_CB;
+#endif
 
 #ifdef WOLFSSL_STATIC_MEMORY
 whTransportClientCb dmaCb = POSIX_TRANSPORT_SHM_CLIENT_CB;
@@ -123,6 +135,85 @@ int wh_PosixClient_ExampleTcpConfig(void* conf)
     return WH_ERROR_OK;
 }
 
+#if defined(WOLFHSM_CFG_TLS)
+/* client configuration setup example for TLS transport */
+#undef USE_CERT_BUFFERS_2048
+#define USE_CERT_BUFFERS_2048
+#include "wolfssl/certs_test.h"
+
+int wh_PosixClient_ExampleTlsConfig(void* conf)
+{
+    whClientConfig* c_conf = (whClientConfig*)conf;
+
+    memset(&tccTls, 0, sizeof(posixTransportTlsClientContext));
+
+    /* Initialize TLS context fields that need specific values */
+    tccTls.state         = 0;
+    tccTls.connect_fd_p1 = 0; /* Invalid fd */
+
+    tlsConfig.server_ip_string          = WH_POSIX_SERVER_TCP_IPSTRING;
+    tlsConfig.server_port               = WH_POSIX_SERVER_TCP_PORT;
+    tlsConfig.disable_peer_verification = false;
+
+    tlsConfig.ca_cert     = ca_cert_der_2048;
+    tlsConfig.ca_cert_len = sizeof_ca_cert_der_2048;
+    tlsConfig.cert        = client_cert_der_2048;
+    tlsConfig.cert_len    = sizeof_client_cert_der_2048;
+    tlsConfig.key         = client_key_der_2048;
+    tlsConfig.key_len     = sizeof_client_key_der_2048;
+    tlsConfig.heap_hint   = NULL;
+
+    c_comm.transport_cb      = &tlsCb;
+    c_comm.transport_context = (void*)&tccTls;
+    c_comm.transport_config  = (void*)&tlsConfig;
+    c_comm.client_id         = WH_POSIX_CLIENT_ID;
+    c_conf->comm             = &c_comm;
+
+    return WH_ERROR_OK;
+}
+
+
+#ifndef NO_PSK
+/* Simple PSK example callback */
+static unsigned int psk_tls12_client_cb(WOLFSSL* ssl, const char* hint,
+                                        char* identity, unsigned int id_max_len,
+                                        unsigned char* key,
+                                        unsigned int   key_max_len)
+{
+    size_t len;
+
+    memset(key, 0, key_max_len);
+    const char* exampleIdentity = "PSK_EXAMPLE_CLIENT_IDENTITY";
+
+    printf("PSK server identity hint: %s\n", hint);
+    printf("PSK using identity: %s\n", exampleIdentity);
+    strncpy(identity, exampleIdentity, id_max_len);
+
+    printf("Enter PSK password: ");
+    if (fgets((char*)key, key_max_len - 1, stdin) == NULL) {
+        memset(key, 0, key_max_len);
+        return 0U;
+    }
+
+    (void)ssl;
+    len               = strcspn((char*)key, "\n");
+    ((char*)key)[len] = '\0';
+    return (unsigned int)len;
+}
+
+
+int wh_PosixClient_ExamplePskConfig(void* conf)
+{
+    if (wh_PosixClient_ExampleTlsConfig(conf) != WH_ERROR_OK) {
+        return WH_ERROR_ABORTED;
+    }
+    tlsConfig.psk_client_cb = psk_tls12_client_cb;
+
+    return WH_ERROR_OK;
+}
+#endif /* NO_PSK */
+#endif /* WOLFHSM_CFG_TLS */
+
 
 /* client configuration setup example for transport */
 int wh_PosixClient_ExampleShmConfig(void* conf)

examples/posix/wh_posix_client/wh_posix_client_cfg.h

@@ -4,5 +4,11 @@
 int wh_PosixClient_ExampleShmDmaConfig(void* c_conf);
 int wh_PosixClient_ExampleShmConfig(void* c_conf);
 int wh_PosixClient_ExampleTcpConfig(void* c_conf);
+#ifdef WOLFHSM_CFG_TLS
+int wh_PosixClient_ExampleTlsConfig(void* c_conf);
+#if !defined(NO_PSK)
+int wh_PosixClient_ExamplePskConfig(void* c_conf);
+#endif /* !NO_PSK */
+#endif /* WOLFHSM_CFG_TLS */
 int wh_PosixClient_ExampleSetupDmaMemory(void* ctx, void* c_conf);
-#endif /* WH_POSIX_CLIENT_CFG_H */
+#endif /* WH_POSIX_CLIENT_CFG_H */

examples/posix/wh_posix_server/Makefile

@@ -87,6 +87,11 @@ ifeq ($(SHE),1)
 CFLAGS += -DWOLFHSM_CFG_SHE_EXTENSION
 endif
 
+# Support a TLS-capable build
+ifeq ($(TLS),1)
+CFLAGS += -DWOLFHSM_CFG_TLS
+endif
+
 ifeq ($(DMA),1)
 CFLAGS += -DWOLFHSM_CFG_DMA
 endif

examples/posix/wh_posix_server/user_settings.h

@@ -47,10 +47,15 @@ extern "C" {
 #define WOLFSSL_BASE64_ENCODE
 #define HAVE_ANONYMOUS_INLINE_AGGREGATES 1
 
-/* For cert manager */
+#ifndef WOLFHSM_CFG_TLS
+/* These macros reduce footprint size when TLS functionality is not needed */
 #define NO_TLS
 /* Eliminates need for IO layer since we only use CM */
 #define WOLFSSL_USER_IO
+#define WOLFSSL_NO_TLS12
+#define NO_PSK
+#endif /* WOLFHSM_CFG_TLS */
+
 /* For ACert support (also requires WOLFSSL_ASN_TEMPLATE) */
 #define WOLFSSL_ACERT
 
@@ -71,7 +76,6 @@ extern "C" {
 #define NO_ERROR_QUEUE
 #define NO_INLINE
 #define NO_OLD_TLS
-#define WOLFSSL_NO_TLS12
 #define NO_DO178
 /* Prevents certain functions (SHA, hash.c) on server from falling back to
  * client cryptoCb when using non-devId APIs */
@@ -154,7 +158,6 @@ extern "C" {
 /* Remove unneeded crypto */
 #define NO_DSA
 #define NO_RC4
-#define NO_PSK
 #define NO_MD4
 #define NO_MD5
 #define NO_DES3
@@ -190,11 +193,17 @@ extern "C" {
 #endif                       /* optional malloc check */
 #endif                       /* optional static memory */
 
-#ifdef WOLFHSM_CFG_DMA
+#if defined(WOLFHSM_CFG_DMA) || defined(WOLFHSM_CFG_TLS)
+/* If using DMA or TLS use static memory for no dynamic memory allocation */
 #undef WOLFSSL_STATIC_MEMORY
 #define WOLFSSL_STATIC_MEMORY
 #endif
 
+/* additional memory debugging macros, prints out each alloc and free */
+/* #define WOLFSSL_DEBUG_MEMORY */
+/* #define WOLFSSL_DEBUG_MEMORY_PRINT */
+
+/* #define DEBUG_WOLFSSL */
 #ifdef __cplusplus
 }
 #endif