Use TLS over transport for authentication of peer

.github/workflows/build-and-run-examples.yml

@@ -10,7 +10,7 @@ jobs:
   build:
     strategy:
         matrix:
-            transport: [ 'tcp', 'shm', 'dma' ]
+            transport: [ 'tcp', 'shm', 'dma', 'tls', 'psk' ]
             asan: [ 'ASAN=1', 'ASAN=0' ]
             debug: [ '', 'DEBUG_VERBOSE=1' ]
     runs-on: ubuntu-latest
@@ -46,15 +46,23 @@ jobs:
     - name: Run POSIX server
       run: |
         cd examples/posix/wh_posix_server
-        ./Build/wh_posix_server.elf --type ${{ matrix.transport }} &
+        if [ "${{ matrix.transport }}" = "psk" ]; then
+          echo "test_password" | ./Build/wh_posix_server.elf --type ${{ matrix.transport }} &
+        else
+          ./Build/wh_posix_server.elf --type ${{ matrix.transport }} &
+        fi
         POSIX_SERVER_PID=$!
         echo "POSIX_SERVER_PID=$POSIX_SERVER_PID" >> $GITHUB_ENV
 
     # Run the client that connects to the server
     - name: Run POSIX client
       run: |
         cd examples/posix/wh_posix_client
-        ./Build/wh_posix_client.elf --type ${{ matrix.transport }}
+        if [ "${{ matrix.transport }}" = "psk" ]; then
+          echo "test_password" | ./Build/wh_posix_client.elf --type ${{ matrix.transport }}
+        else
+          ./Build/wh_posix_client.elf --type ${{ matrix.transport }}
+        fi
 
     - name: Run POSIX demo test
       if: matrix.transport == 'tcp'

.github/workflows/build-and-test-clientonly.yml

@@ -8,7 +8,9 @@ on:
 
 jobs:
   build:
-
+    strategy:
+        matrix:
+            transport: [ 'tcp', 'tls' ]
     runs-on: ubuntu-latest
 
     steps:
@@ -39,37 +41,45 @@ jobs:
     - name: Run POSIX server
       run: |
         cd examples/posix/wh_posix_server
-        ./Build/wh_posix_server.elf &
-        TCP_SERVER_PID=$!
-        echo "TCP_SERVER_PID=$TCP_SERVER_PID" >> $GITHUB_ENV
+        ./Build/wh_posix_server.elf --type ${{ matrix.transport }} &
+        SERVER_PID=$!
+        echo "SERVER_PID=$SERVER_PID" >> $GITHUB_ENV
 
     # Build and test client-only build with everything enabled and ASAN
     - name: Build client-only unit tests with ASAN
       run: |
         cd test
         make clean
-        make -j CLIENT_ONLY_TCP=1 SHE=1 ASAN=1 WOLFSSL_DIR=../wolfssl && make run
+        if [ "${{ matrix.transport }}" = "tcp" ]; then
+            make -j CLIENT_ONLY_TCP=1 SHE=1 ASAN=1 WOLFSSL_DIR=../wolfssl && make run
+        else
+            make -j CLIENT_ONLY_TLS=1 SHE=1 ASAN=1 WOLFSSL_DIR=../wolfssl && make run
+        fi
 
     # Restart server with fresh state for second test run
     - name: Restart POSIX server
       run: |
-        kill $TCP_SERVER_PID || true
+        kill $SERVER_PID || true
         cd examples/posix/wh_posix_server
         rm -f *.bin || true
-        ./Build/wh_posix_server.elf &
-        TCP_SERVER_PID=$!
-        echo "TCP_SERVER_PID=$TCP_SERVER_PID" >> $GITHUB_ENV
+        ./Build/wh_posix_server.elf --type ${{ matrix.transport }} &
+        SERVER_PID=$!
+        echo "SERVER_PID=$SERVER_PID" >> $GITHUB_ENV
         sleep 2
 
     # Build and test client-only with DEBUG_VERBOSE=1 (includes DEBUG)
     - name: Build client-only unit tests with DEBUG_VERBOSE
       run: |
         cd test
         make clean
-        make -j CLIENT_ONLY_TCP=1 SHE=1 DEBUG_VERBOSE=1 WOLFSSL_DIR=../wolfssl && make run
+        if [ "${{ matrix.transport }}" = "tcp" ]; then
+            make -j CLIENT_ONLY_TCP=1 SHE=1 DEBUG_VERBOSE=1 WOLFSSL_DIR=../wolfssl && make run
+        else
+            make -j CLIENT_ONLY_TLS=1 SHE=1 DEBUG_VERBOSE=1 WOLFSSL_DIR=../wolfssl && make run
+        fi
 
     # Optional: Kill the server process if it doesn't exit on its own
-    - name: Cleanup POSIX TCP server
+    - name: Cleanup POSIX server
       if: always()
-      run: kill $TCP_SERVER_PID || true
- 
+      run: kill $SERVER_PID || true
+

examples/posix/wh_posix_client/wh_posix_client.c

@@ -160,7 +160,17 @@ void Usage(const char* exeName)
 {
     WOLFHSM_CFG_PRINTF("Usage: %s --type <type> --test\n", exeName);
     WOLFHSM_CFG_PRINTF("Example: %s --type tcp\n", exeName);
-    WOLFHSM_CFG_PRINTF("type: tcp (default), shm\n");
+    WOLFHSM_CFG_PRINTF("type: tcp (default), shm");
+#ifndef WOLFHSM_CFG_NO_CRYPTO
+    WOLFHSM_CFG_PRINTF(", tls");
+#endif
+#ifndef NO_PSK
+    WOLFHSM_CFG_PRINTF(", psk");
+#endif
+#ifdef WOLFSSL_STATIC_MEMORY
+    WOLFHSM_CFG_PRINTF(", dma");
+#endif
+    WOLFHSM_CFG_PRINTF("\n");
 }
 
 int main(int argc, char** argv)
@@ -204,6 +214,18 @@ int main(int argc, char** argv)
         WOLFHSM_CFG_PRINTF("Using shared memory transport\n");
         wh_PosixClient_ExampleShmConfig(c_conf);
     }
+#ifndef WOLFHSM_CFG_NO_CRYPTO
+    else if (strcmp(type, "tls") == 0) {
+        WOLFHSM_CFG_PRINTF("Using TLS transport\n");
+        wh_PosixClient_ExampleTlsConfig(c_conf);
+    }
+#endif
+#if !defined(WOLFHSM_CFG_NO_CRYPTO) && !defined(NO_PSK)
+    else if (strcmp(type, "psk") == 0) {
+        WOLFHSM_CFG_PRINTF("Using TLS PSK transport\n");
+        wh_PosixClient_ExamplePskConfig(c_conf);
+    }
+#endif
 #ifdef WOLFSSL_STATIC_MEMORY
     else if (strcmp(type, "dma") == 0) {
         WOLFHSM_CFG_PRINTF("Using DMA with shared memory transport\n");

examples/posix/wh_posix_client/wh_posix_client_cfg.c

@@ -10,19 +10,31 @@
 
 #include "port/posix/posix_transport_shm.h"
 #include "port/posix/posix_transport_tcp.h"
+#ifndef WOLFHSM_CFG_NO_CRYPTO
+#include "port/posix/posix_transport_tls.h"
+#endif
 
 #include <string.h>
 
 posixTransportShmClientContext tccShm;
 posixTransportTcpClientContext tccTcp;
+#ifndef WOLFHSM_CFG_NO_CRYPTO
+posixTransportTlsClientContext tccTls;
+#endif
 
 posixTransportShmConfig shmConfig;
 posixTransportTcpConfig tcpConfig;
+#ifndef WOLFHSM_CFG_NO_CRYPTO
+posixTransportTlsConfig tlsConfig;
+#endif
 
 whCommClientConfig c_comm;
 
 whTransportClientCb shmCb = POSIX_TRANSPORT_SHM_CLIENT_CB;
 whTransportClientCb tcpCb = PTT_CLIENT_CB;
+#ifndef WOLFHSM_CFG_NO_CRYPTO
+whTransportClientCb tlsCb = PTTLS_CLIENT_CB;
+#endif
 
 #ifdef WOLFSSL_STATIC_MEMORY
 whTransportClientCb dmaCb = POSIX_TRANSPORT_SHM_CLIENT_CB;
@@ -123,6 +135,164 @@ int wh_PosixClient_ExampleTcpConfig(void* conf)
     return WH_ERROR_OK;
 }
 
+#ifndef WOLFHSM_CFG_NO_CRYPTO
+/* client configuration setup example for TLS transport */
+#undef USE_CERT_BUFFERS_2048
+#define USE_CERT_BUFFERS_2048
+#include "wolfssl/certs_test.h"
+static int
+wh_PosixClient_ExampleTlsContextSetup(posixTransportTlsClientContext* ctx)
+{
+    int rc;
+
+    /* uncomment and compile with DEBUG_WOLFSSL for debugging  */
+    /* wolfSSL_Debugging_ON(); */
+
+    /* Create a new wolfSSL context to use with this connection */
+    ctx->ssl_ctx = wolfSSL_CTX_new(wolfSSLv23_client_method());
+    if (!ctx->ssl_ctx) {
+        return WH_ERROR_ABORTED;
+    }
+
+    /* don't use wolfHSM for TLS crypto when communicating with wolfHSM */
+    wolfSSL_CTX_SetDevId(ctx->ssl_ctx, INVALID_DEVID);
+
+    /* Load CA certificate for server verification */
+    rc = wolfSSL_CTX_load_verify_buffer(ctx->ssl_ctx, ca_cert_der_2048,
+                                        sizeof_ca_cert_der_2048,
+                                        WOLFSSL_FILETYPE_ASN1);
+    if (rc != WOLFSSL_SUCCESS) {
+        wolfSSL_CTX_free(ctx->ssl_ctx);
+        ctx->ssl_ctx = NULL;
+        return WH_ERROR_ABORTED;
+    }
+
+    rc = wolfSSL_CTX_use_certificate_buffer(ctx->ssl_ctx, client_cert_der_2048,
+                                            sizeof(client_cert_der_2048),
+                                            WOLFSSL_FILETYPE_ASN1);
+    if (rc != WOLFSSL_SUCCESS) {
+        wolfSSL_CTX_free(ctx->ssl_ctx);
+        ctx->ssl_ctx = NULL;
+        return WH_ERROR_ABORTED;
+    }
+
+    /* load private key for TLS connection */
+    rc = wolfSSL_CTX_use_PrivateKey_buffer(ctx->ssl_ctx, client_key_der_2048,
+                                           sizeof(client_key_der_2048),
+                                           WOLFSSL_FILETYPE_ASN1);
+    if (rc != WOLFSSL_SUCCESS) {
+        wolfSSL_CTX_free(ctx->ssl_ctx);
+        ctx->ssl_ctx = NULL;
+        return WH_ERROR_ABORTED;
+    }
+    /* Set verification mode */
+    wolfSSL_CTX_set_verify(ctx->ssl_ctx, WOLFSSL_VERIFY_PEER, NULL);
+
+    return WH_ERROR_OK;
+}
+
+#ifndef NO_PSK
+/* Simple PSK example callback */
+static unsigned int psk_tls12_client_cb(WOLFSSL* ssl, const char* hint,
+                                        char* identity, unsigned int id_max_len,
+                                        unsigned char* key,
+                                        unsigned int   key_max_len)
+{
+    size_t len;
+
+    memset(key, 0, key_max_len);
+    const char* exampleIdentity = "PSK_EXAMPLE_CLIENT_IDENTITY";
+
+    printf("PSK server identity hint: %s\n", hint);
+    printf("PSK using identity: %s\n", exampleIdentity);
+    strncpy(identity, exampleIdentity, id_max_len);
+
+    printf("Enter PSK password: ");
+    if (fgets((char*)key, key_max_len - 1, stdin) == NULL) {
+        memset(key, 0, key_max_len);
+        return 0U;
+    }
+
+    (void)ssl;
+    len = strcspn((char*)key, "\n");
+    ((char*)key)[len] = '\0';
+    return (unsigned int)len;
+}
+
+/* Setup WOLFSSL_CTX for use with PSK */
+static int
+wh_PosixClient_ExamplePskContextSetup(posixTransportTlsClientContext* ctx)
+{
+    /* uncomment and compile with DEBUG_WOLFSSL for debugging  */
+    /* wolfSSL_Debugging_ON(); */
+
+    /* Create a new wolfSSL context to use with this connection */
+    ctx->ssl_ctx = wolfSSL_CTX_new(wolfSSLv23_client_method());
+    if (!ctx->ssl_ctx) {
+        return WH_ERROR_ABORTED;
+    }
+
+    /* don't use wolfHSM for TLS crypto when communicating with wolfHSM */
+    wolfSSL_CTX_SetDevId(ctx->ssl_ctx, INVALID_DEVID);
+
+    wolfSSL_CTX_set_psk_client_callback(ctx->ssl_ctx, psk_tls12_client_cb);
+    /* Set verification mode */
+    wolfSSL_CTX_set_verify(ctx->ssl_ctx, WOLFSSL_VERIFY_PEER, NULL);
+
+    return WH_ERROR_OK;
+}
+#endif /* NO_PSK */
+
+static int wh_PosixClient_ExampleTlsCommonConfig(void* conf)
+{
+    whClientConfig* c_conf = (whClientConfig*)conf;
+
+    memset(&tccTls, 0, sizeof(posixTransportTlsClientContext));
+
+    /* Initialize TLS context fields that need specific values */
+    tccTls.state         = 0;
+    tccTls.connect_fd_p1 = 0; /* Invalid fd */
+
+    tlsConfig.server_ip_string = WH_POSIX_SERVER_TCP_IPSTRING;
+    tlsConfig.server_port      = WH_POSIX_SERVER_TCP_PORT;
+    tlsConfig.verify_peer      = true;
+
+    c_comm.transport_cb      = &tlsCb;
+    c_comm.transport_context = (void*)&tccTls;
+    c_comm.transport_config  = (void*)&tlsConfig;
+    c_comm.client_id         = WH_POSIX_CLIENT_ID;
+    c_conf->comm             = &c_comm;
+
+    return WH_ERROR_OK;
+}
+
+int wh_PosixClient_ExampleTlsConfig(void* conf)
+{
+    if (wh_PosixClient_ExampleTlsCommonConfig(conf) != WH_ERROR_OK) {
+        return WH_ERROR_ABORTED;
+    }
+
+    if (wh_PosixClient_ExampleTlsContextSetup(&tccTls) != WH_ERROR_OK) {
+        return WH_ERROR_ABORTED;
+    }
+    return WH_ERROR_OK;
+}
+
+#ifndef NO_PSK
+int wh_PosixClient_ExamplePskConfig(void* conf)
+{
+    if (wh_PosixClient_ExampleTlsCommonConfig(conf) != WH_ERROR_OK) {
+        return WH_ERROR_ABORTED;
+    }
+
+    if (wh_PosixClient_ExamplePskContextSetup(&tccTls) != WH_ERROR_OK) {
+        return WH_ERROR_ABORTED;
+    }
+    return WH_ERROR_OK;
+}
+#endif /* NO_PSK */
+#endif /* WOLFHSM_CFG_NO_CRYPTO */
+
 
 /* client configuration setup example for transport */
 int wh_PosixClient_ExampleShmConfig(void* conf)

examples/posix/wh_posix_client/wh_posix_client_cfg.h

@@ -4,5 +4,11 @@
 int wh_PosixClient_ExampleShmDmaConfig(void* c_conf);
 int wh_PosixClient_ExampleShmConfig(void* c_conf);
 int wh_PosixClient_ExampleTcpConfig(void* c_conf);
+#ifndef WOLFHSM_CFG_NO_CRYPTO
+int wh_PosixClient_ExampleTlsConfig(void* c_conf);
+#endif
+#if !defined(WOLFHSM_CFG_NO_CRYPTO) && !defined(NO_PSK)
+int wh_PosixClient_ExamplePskConfig(void* c_conf);
+#endif
 int wh_PosixClient_ExampleSetupDmaMemory(void* ctx, void* c_conf);
 #endif /* WH_POSIX_CLIENT_CFG_H */

examples/posix/wh_posix_server/user_settings.h

@@ -48,9 +48,6 @@ extern "C" {
 #define HAVE_ANONYMOUS_INLINE_AGGREGATES 1
 
 /* For cert manager */
-#define NO_TLS
-/* Eliminates need for IO layer since we only use CM */
-#define WOLFSSL_USER_IO
 /* For ACert support (also requires WOLFSSL_ASN_TEMPLATE) */
 #define WOLFSSL_ACERT
 
@@ -67,11 +64,9 @@ extern "C" {
 
 /** Remove unneeded features*/
 #define NO_MAIN_DRIVER
-#define NO_ERROR_STRINGS
 #define NO_ERROR_QUEUE
 #define NO_INLINE
 #define NO_OLD_TLS
-#define WOLFSSL_NO_TLS12
 #define NO_DO178
 /* Prevents certain functions (SHA, hash.c) on server from falling back to
  * client cryptoCb when using non-devId APIs */
@@ -151,7 +146,6 @@ extern "C" {
 /* Remove unneeded crypto */
 #define NO_DSA
 #define NO_RC4
-#define NO_PSK
 #define NO_MD4
 #define NO_MD5
 #define NO_DES3
@@ -192,6 +186,11 @@ extern "C" {
 #define WOLFSSL_STATIC_MEMORY
 #endif
 
+/* additional memory debugging macros, prints out each alloc and free */
+/* #define WOLFSSL_DEBUG_MEMORY */
+/* #define WOLFSSL_DEBUG_MEMORY_PRINT */
+
+/* #define DEBUG_WOLFSSL */
 #ifdef __cplusplus
 }
 #endif