Add Cipher Engine for Symmetric Encryption #76

GaelGuegan

Description

Adding Symmetric Encryption through new file: tpm2-tss-engine-ciphers.c. (Issue #70)

This is done by handling structure EVP_CIPHER_meth_new.

How to use?

> Create a persistent sym key
> openssl enc -aes-256-cbc -e -engine tpm2tss -in data.txt -out enc_data -K 81000001 -iv 0123456789012345
> openssl enc -aes-256-cbc -d -engine tpm2tss -in enc_data -out dec_data.txt -K 81000001 -iv 0123456789012345

See the shell script to test it: ciphers.sh.

Problems

For now, it only works with a persistent handle.

Still have a problem with long strings:

  • KO: openssl App (openssl enc). It calls the cipher function several times, and the end of the string is wrong.
  • OK: openssl API (EVP_EncryptUpdate). Works fine.

Still wondering if we can use a different encryption mode than the one associated with the key (issue here). For me, only the mode associated with the key works.

flihp and others added 30 commits February 18, 2019 09:43
This seems to have been renamed but the history was probably squashed.

Signed-off-by: Philip Tricca <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Add KEY_TYPE enum to know if the key passed is a handle or a blob.

The engine can now crypt and decrypt with RSA through persistent handle.

Signed-off-by: GaelGuegan <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Previously, engines were prefixed by lib*.
Now, engines are not prefixed anymore.
We symlink non-prefix to prefixed on install to accommodate both.
Note we also have to create the engine-dir before that.

Fixes: #6

Signed-off-by: Andreas Fuchs <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Allow the engine to be built even if pandoc is missing. Only create
man pages if pandoc is available. This roughly follows the same
pattern as tpm2-tools.

Signed-off-by: Safayet Ahmed <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Signed-off-by: René Rössler <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Signed-off-by: Andreas Fuchs <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
enginesdir is now pulled from pkg-config instead of hard coded.
Also added a --with-enginesdir option for overriding.

Signed-off-by: Andreas Fuchs <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Signed-off-by: David Woodhouse <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Since this is used as part of the ECDH exchange for creating the key,
it's important to be consistent across implementations otherwise the
generated key ends up being different.

Signed-off-by: David Woodhouse <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Signed-off-by: David Woodhouse <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Signed-off-by: David Woodhouse <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
This reverts commit 1034edd.

Signed-off-by: GaelGuegan <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Add tpm2-tools to travis for integration tests.
Had to add manually compiled libcurl along the way, due to
a conflict between libgcrypt20 and libcurl Ubuntu packages.

Signed-off-by: Andreas Fuchs <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
The engine can now crypt and decrypt with RSA through persistent handle.

Add TEST for RSA sign persistent handle
Add KEY_TYPE enum to know if the key passed is a handle or a blob.

Signed-off-by: GaelGuegan <[email protected]>
Co-authored-by: Andreas Fuchs <[email protected]>
Signed-off-by: Andreas Fuchs <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Moved the persistent key handling from RSA parts of
the engine to the common area, also to enable ECDSA
with persistent keys.

Signed-off-by: Andreas Fuchs <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Signed-off-by: Andreas Fuchs <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
The README does not provide any example output for the random number
generation call. Unfortunately, the actual output of the call includes 4
warnings, which makes it easy to miss the successful generation of
a random number. An example output might improve this situation and help
the user to recognize the successful call as such.

Signed-off-by: Julien Hachenberger <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
The build steps for the tpm2-tss dependency are incomplete (they miss
the two calls: ./bootstrap and ./configure, see [1])

[1] https://github.com/tpm2-software/tpm2-tss/blob/master/INSTALL.md

Signed-off-by: Julien Hachenberger <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Fixes #42

Signed-off-by: Jonas Witschel <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Turns out I was right to be paranoid about chasing up the informally
assigned OIDs we were using. Those have been designated as non-leaf nodes
now, and we have new ones.

Signed-off-by: David Woodhouse <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
This is necessary for the tests to pass with OpenSSL 1.1, where
setting OPENSSL_ENGINES is not enough because the built library is
called libtpm2tss.so instead of tpm2tss.so.

Fixes #41

Signed-off-by: GaelGuegan <[email protected]>
Signed-off-by: Andreas Fuchs <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
safayetahmedatge and others added 27 commits February 18, 2019 09:44
Replaced local variable `ESYS_CONTEXT ectx;` with `ESYS_AUXCONTEXT eactx;` in
function `tpm2tss_tpm2data_readtpm` (tpm2-tss-engine-common.c).

Signed-off-by: Safayet Ahmed <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Replaced local variable `ESYS_CONTEXT ectx;` with `ESYS_AUXCONTEXT eactx;` in
function `rand_bytes` (tpm2-tss-engine-rand.c).

Signed-off-by: Safayet Ahmed <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Replaced local variable `ESYS_CONTEXT ectx;` with `ESYS_AUXCONTEXT eactx;`
across functions in tpm2-tss-engine-rsa.c.

Signed-off-by: Safayet Ahmed <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Replaced local variable `ESYS_CONTEXT ectx;` with `ESYS_AUXCONTEXT eactx;`
across functions in tpm2-tss-engine-ecc.c.

Signed-off-by: Safayet Ahmed <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Change the first argument to `init_tpm_key` from `ESYS_CONTEXT **ctx` to
`ESYS_AUXCONTEXT *eactx_p`. Change function header and callers accordingly.

Signed-off-by: Safayet Ahmed <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Change the first argument to `init_tpm_parent` from `ESYS_CONTEXT **ctx` to
`ESYS_AUXCONTEXT *eactx_p`. Change function header and callers accordingly.

Signed-off-by: Safayet Ahmed <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
src/tpm2-tss-engine-tcti.c:
src/tpm2-tss-engine-common.h:
Makefile.am
    Added new file to implement and export the following functions:
        - tcti_set_opts
        - tcti_clear_opts
        - tcti_get_ctx
        - tcti_free_ctx

src/tpm2-tss-engine-err.(c/h):
    Added new "function codes" and "reason codes" for the code added in
    tpm2-tss-engine-tcti.c

src/tpm2-tss-engine.c:
    Directly set and clear the TCTI option string through calls to
    `tcti_set_opts` and `tcti_clear_opts`; no need to maintain a separate
    global variable to point to a copy allocated on the heap.

src/tpm2-tss-engine-common.c:
    Modified `esys_auxctx_init` and `esys_auxctx_free` to call `tcti_get_ctx`
    and `tcti_free_ctx`, to manage the TCTI context.

Signed-off-by: Safayet Ahmed <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Adding a first unit test to some of the error cases and handling
in code. This also adds a dependency on cmocka.

Signed-off-by: Andreas Fuchs <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
The previous workaround for tpm2-tss < 2.2 would work here, but
ESAPI would leak a session handle inside the TPM.
Thus, we now check for tss version during configure and activate
the potentially harmful code only conditionally.
Not nice but probably the best option.

Signed-off-by: Andreas Fuchs <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Fix indentation and similar cosmetics in all c files.

Signed-off-by: Andreas Fuchs <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Remove printf()s that were left over from
development work.

Signed-off-by: Andreas Fuchs <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Add missing documentation to
tpm2-tss-engine-common.c

Signed-off-by: Andreas Fuchs <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Esys_Startup clutters the log with many errors.
A TPM should be assumed to be started up when used.
The test scripts will use tpm2-tools to start up the TPM in case
it wasn't.

Signed-off-by: Andreas Fuchs <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Disable -Werror

Signed-off-by: GaelGuegan <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Removed compile tcti-sim

Signed-off-by: GaelGuegan <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
Signed-off-by: GaelGuegan <[email protected]>
@GaelGuegan GaelGuegan closed this Feb 18, 2019
@AndreasFuchsTPM
Member

@GaelGuegan Will you keep working on this feature ?
I'd highly appreciate it being added.

@GaelGuegan
Author

@AndreasFuchsSIT Yes, sorry, I changed all the commits because I needed to change my signed-off commit email. I have redone a pull request.
