Merge pull request #754 from aidangarske/tpm_ssh_support

wolfSSH support for using TPM based key for authentication

Author: dgarske

.github/workflows/tpm-ssh.yml

@@ -0,0 +1,143 @@
+name: TPM SSH Test
+
+on:
+  push:
+    branches: [ '*' ]
+  pull_request:
+    branches: [ '*' ]
+
+jobs:
+  test-tpm-ssh:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        path: wolfssh
+
+    # Clone dependencies
+    - name: Clone wolfSSL
+      uses: actions/checkout@v4
+      with:
+        repository: wolfSSL/wolfssl
+        path: wolfssl
+
+    - name: Clone wolfTPM
+      uses: actions/checkout@v4
+      with:
+        repository: wolfSSL/wolftpm
+        path: wolftpm
+
+    # Install dependencies
+    - name: Install Dependencies
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y libtool automake autoconf
+        sudo apt-get install -y build-essential git autoconf-archive \
+            libcmocka-dev libssl-dev uthash-dev libglib2.0-dev \
+            tpm2-tools openssh-client
+
+    # Clone, build, and start TPM Simulator
+    - name: Clone and Build TPM Simulator
+      run: |
+        git clone https://github.com/kgoldman/ibmswtpm2
+        cd ibmswtpm2/src
+        make
+        ./tpm_server &
+        sleep 2
+        cd ../..
+
+    # Build and install wolfSSL
+    - name: Build wolfSSL
+      run: |
+        cd wolfssl
+        ./autogen.sh
+        ./configure --enable-wolftpm --enable-wolfssh
+        make
+        sudo make install
+        sudo ldconfig
+        cd ..
+
+    # Build and install wolfTPM
+    - name: Build wolfTPM
+      run: |
+        cd wolftpm
+        ./autogen.sh
+        ./configure --enable-swtpm
+        make
+        sudo make install
+        sudo ldconfig
+        cd ..
+
+    # Build wolfSSH
+    - name: Build wolfSSH
+      run: |
+        cd wolfssh
+        ./autogen.sh
+        ./configure --enable-tpm
+        make
+        sudo make install
+        sudo ldconfig
+        cd ..
+
+    # Test TPM SSH Default Password
+    - name: Test TPM SSH Default Password
+      run: |
+        # Generate key with default password
+        cd wolftpm
+        ./examples/keygen/keygen keyblob1.bin -rsa -t -pem -eh
+        cp key.pem key1.pem  # Save the key for first test
+
+        # Convert key to SSH format
+        ssh-keygen -f key1.pem -i -m PKCS8 > ../wolfssh/key1.ssh
+        cd ..
+
+        # Start echoserver and wait for it to be ready
+        cd wolfssh
+        ./examples/echoserver/echoserver -1 -s key1.ssh &
+        echo "Echoserver started with PID: $!"
+        sleep 2
+        cd ..
+
+        # Test client connection with default password
+        cd wolfssh
+        ./examples/client/client -i ../wolftpm/keyblob1.bin -u hansel -K ThisIsMyKeyAuth
+        cd ..
+
+    # Test the TPM SSH Custom Password
+    - name: Test TPM SSH Custom Password
+      run: |
+        # Test with custom password
+        cd wolftpm
+        ./examples/keygen/keygen keyblob2.bin -rsa -t -pem -eh -auth=custompassword
+        cp key.pem key2.pem  # Save the key for second test
+
+        # Convert key to SSH format
+        ssh-keygen -f key2.pem -i -m PKCS8 > ../wolfssh/key2.ssh
+        cd ..
+
+        # Start echoserver and wait for it to be ready
+        cd wolfssh
+        ./examples/echoserver/echoserver -1 -s key2.ssh &
+        echo "Echoserver started with PID: $!"
+        sleep 2
+        cd ..
+
+        # Test with custom password
+        cd wolfssh
+        ./examples/client/client -i ../wolftpm/keyblob2.bin -u hansel -K custompassword
+        cd ..
+
+    # Archive artifacts for debugging
+    - name: Archive test artifacts
+      if: always()
+      uses: actions/upload-artifact@v4
+      with:
+        name: test-artifacts
+        path: |
+          wolftpm/keyblob1.bin
+          wolftpm/keyblob2.bin
+          wolftpm/key1.pem
+          wolftpm/key2.pem
+          wolfssh/key1.ssh
+          wolfssh/key2.ssh

README.md

@@ -34,12 +34,13 @@ Additional build options for wolfSSL are located in
 [chapter two](https://www.wolfssl.com/docs/wolfssl-manual/ch2/).
 of the wolfSSH manual.
 
+
 building
 --------
 
 From the wolfSSH source directory run:
 
-    $ ./autogen.sh
+    $ ./autogen.sh (if cloned from GitHub)
     $ ./configure --with-wolfssl=[/usr/local]
     $ make
     $ make check
@@ -528,6 +529,64 @@ fred-cert.der would be:
 
     $ ./examples/client/client -u fred -J ./keys/fred-cert.der -i ./keys/fred-key.der
 
+TPM PUBLIC KEY AUTHENTICATION
+=============================
+
+When using TPM for client side public key authentication wolfSSH has dependencies
+on wolfCrypt and wolfTPM. Youll also need to have a tpm simulator
+[wolfTPM](https://www.wolfssl.com/products/wolftpm/)
+[wolfSSL](https://www.wolfssl.com/products/wolfssl/)
+You'll need to build and configure wolfTPM, wolfSSL, and wolfSSH like so:
+
+    $ cd <wolfSSL, wolfTPM, wolfSSH>
+    $ ./autogen.sh (if cloned from GitHub)
+    $ <Configuration>
+    $ make
+    $ make check
+
+    <Configuration>
+    wolfSSL
+        $ ./configure --enable-wolftpm --enable-wolfssh
+    wolfTPM
+        $ ./configure --enable-swtpm
+    wolfSSH
+        $ ./configure --enable-tpm
+
+For testing TPM with private rsa key you'll need to run the server from a TPM
+simulator like `ibmswtpm2`. This can be done as followed:
+
+    $ cd src
+    $ ./tpm_server
+
+Before starting the echoserver you need to run the keygen for keyblob
+using the endorsment key in wolfTPM with the following commands:
+Default password to `ThisIsMyKeyAuth`:
+
+    $ ./examples/keygen/keygen keyblob.bin -rsa -t -pem -eh
+
+Custom password:
+
+    $ ./examples/keygen/keygen keyblob.bin -rsa -t -pem -eh -auth=<custompassword>
+
+This will produce a key.pem TPM public key which needs to be converted the to
+the ssh-rsa BASE64 username format using this command:
+
+    $ ssh-keygen -f key.pem -i -m PKCS8 > ../wolfssh/key.ssh
+
+The directory `examples` contains an echoserver that any client should
+be able to connect to. From wolfSSH open two terminal instances and run the
+server with the key.ssh file you created in the previous step:
+
+    $ ./examples/echoserver/echoserver -s key.ssh
+
+From another terminal run the client with the keyblob. Using primary endorsement key
+If you used the default password for keygen you must specify the password:
+
+    $ ./examples/client/client -i ../wolfTPM/keyblob.bin -u hansel -K ThisIsMyKeyAuth
+
+If you used a custom password for keygen you must specify the password you used:
+
+    $ ./examples/client/client -i ../wolfTPM/keyblob.bin -u hansel -K <custompassword>
 
 WOLFSSH APPLICATIONS
 ====================

configure.ac

@@ -171,6 +171,16 @@ AC_ARG_ENABLE([certs],
     [AS_HELP_STRING([--enable-certs],[Enable X.509 cert support (default: disabled)])],
     [ENABLED_CERTS=$enableval],[ENABLED_CERTS=no])
 
+# TPM 2.0 Support
+AC_ARG_ENABLE([tpm],
+    [AS_HELP_STRING([--enable-tpm],[Enable TPM 2.0 support (default: disabled)])],
+    [ENABLED_TPM=$enableval],[ENABLED_TPM=no])
+
+if test "$ENABLED_TPM" != "no"
+then
+    AC_CHECK_LIB([wolftpm],[wolfTPM2_Init],,[AC_MSG_ERROR([libwolftpm is required for ${PACKAGE}. It can be obtained from https://www.wolfssl.com/download.html/ .])])
+fi
+
 # smallstack
 AC_ARG_ENABLE([smallstack],
     [AS_HELP_STRING([--enable-smallstack],[Enable small stack (default: disabled)])],
@@ -225,6 +235,8 @@ AS_IF([test "x$ENABLED_SSHD" = "xyes"],
       [AM_CPPFLAGS="$AM_CPPFLAGS -DWOLFSSH_SSHD"])
 AS_IF([test "x$ENABLED_SSHCLIENT" = "xyes"],
       [AM_CPPFLAGS="$AM_CPPFLAGS -DWOLFSSH_SSHCLIENT"])
+AS_IF([test "x$ENABLED_TPM" = "xyes"],
+      [AM_CPPFLAGS="$AM_CPPFLAGS -DWOLFSSH_TPM"])
 
 if test "$ENABLED_SSHD" = "yes"; then
     if test -n "$PAM_LIB"
@@ -279,6 +291,7 @@ AM_CONDITIONAL([BUILD_AGENT],[test "x$ENABLED_AGENT" = "xyes"])
 AM_CONDITIONAL([BUILD_SSHD],[test "x$ENABLED_SSHD" = "xyes"])
 AM_CONDITIONAL([BUILD_SSHCLIENT],[test "x$ENABLED_SSHCLIENT" = "xyes"])
 AM_CONDITIONAL([BUILD_CERTS],[test "x$ENABLED_CERTS" = "xyes"])
+AM_CONDITIONAL([BUILD_TPM],[test "x$ENABLED_TPM" = "xyes"])
 
 AX_HARDEN_CC_COMPILER_FLAGS
 
@@ -322,6 +335,7 @@ AS_ECHO(["   * sftp:                      $ENABLED_SFTP"])
 AS_ECHO(["   * sshd:                      $ENABLED_SSHD"])
 AS_ECHO(["   * ssh client:                $ENABLED_SSHCLIENT"])
 AS_ECHO(["   * agent:                     $ENABLED_AGENT"])
+AS_ECHO(["   * TPM 2.0 support:           $ENABLED_TPM"])
 AS_ECHO(["   * TCP/IP Forwarding:         $ENABLED_FWD"])
 AS_ECHO(["   * X.509 Certs:               $ENABLED_CERTS"])
 AS_ECHO(["   * Examples:                  $ENABLED_EXAMPLES"])