
Bound server-side inbound SFTP request size in wolfSSH_SFTP_read #1027


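name: TPM SSH Test

# Least privilege for the GITHUB_TOKEN: the job only reads the repositories it
# checks out and uploads artifacts, so no write scope is needed.
permissions:
  contents: read

on:
  push:
    branches: ['master', 'main', 'release/**']
  pull_request:
    branches: ['*']
  workflow_dispatch:

jobs:
  test-tpm-ssh:
    runs-on: ubuntu-latest
    # The simulator and the echoserver are started in the background with '&';
    # a hang in a later client step would otherwise run until the runner's
    # default job limit.
    timeout-minutes: 30
    strategy:
      fail-fast: false
      matrix:
        keytype: [rsa, ecc]
        sim: [ibmswtpm2, fwtpm]
    steps:
      # NOTE(review): actions are pinned by major tag only; pinning to a full
      # commit SHA is the stricter supply-chain option.
      - uses: actions/checkout@v6
        with:
          path: wolfssh

      - name: Clone wolfSSL
        uses: actions/checkout@v6
        with:
          repository: wolfSSL/wolfssl
          path: wolfssl

      - name: Clone wolfTPM
        uses: actions/checkout@v6
        with:
          repository: wolfSSL/wolftpm
          path: wolftpm

      - name: Install Dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y libtool automake autoconf
          sudo apt-get install -y build-essential git autoconf-archive \
            libcmocka-dev libssl-dev uthash-dev libglib2.0-dev \
            tpm2-tools openssh-client sshpass

      - name: Build wolfSSL
        run: |
          cd wolfssl
          ./autogen.sh
          ./configure --enable-wolftpm --enable-wolfssh --enable-keygen \
            CFLAGS="-DWC_RSA_NO_PADDING"
          make
          sudo make install
          sudo ldconfig

      # The wolfTPM client library uses the SWTPM TCP transport (port 2321) for
      # both simulators. The fwTPM build additionally produces fwtpm_server.
      - name: Build wolfTPM (fwTPM)
        if: matrix.sim == 'fwtpm'
        run: |
          cd wolftpm
          ./autogen.sh
          ./configure --enable-fwtpm --enable-swtpm
          make
          sudo make install
          sudo ldconfig

      - name: Start fwTPM simulator
        if: matrix.sim == 'fwtpm'
        run: |
          cd wolftpm
          ./src/fwtpm/fwtpm_server &
          echo "fwtpm_server started with PID: $!"
          sleep 2

      - name: Build wolfTPM (SWTPM)
        if: matrix.sim == 'ibmswtpm2'
        run: |
          cd wolftpm
          ./autogen.sh
          ./configure --enable-swtpm
          make
          sudo make install
          sudo ldconfig

      # NOTE(review): the simulator is cloned from an unpinned upstream HEAD and
      # then built and executed; pin a release tag or commit
      # (git clone --branch <TAG> ...) so an upstream change cannot silently
      # alter the TPM under test.
      - name: Start ibmswtpm2 simulator
        if: matrix.sim == 'ibmswtpm2'
        run: |
          git clone https://github.com/kgoldman/ibmswtpm2
          cd ibmswtpm2/src
          make
          ./tpm_server &
          echo "tpm_server started with PID: $!"
          sleep 2

      - name: Build wolfSSH
        run: |
          cd wolfssh
          ./autogen.sh
          ./configure --enable-tpm
          make
          sudo make install
          sudo ldconfig

      # Server host key resident in the TPM: the private key never enters RAM.
      # Host-key checking is disabled only because the peer is the local
      # echoserver whose key was generated in this same step; the assertion is
      # the grep on the verbose ssh log, not ssh's exit status (hence '|| true').
      - name: Test TPM host key (${{ matrix.keytype }})
        run: |
          cd wolftpm
          ./examples/keygen/keygen hostkey.bin -${{ matrix.keytype }} -t -eh
          cd ../wolfssh
          ./examples/echoserver/echoserver -1 -p 22222 \
            -G ../wolftpm/hostkey.bin &
          echo "Echoserver (TPM ${{ matrix.keytype }} host key) PID: $!"
          sleep 2
          if [ "${{ matrix.keytype }}" = "ecc" ]; then
            HKA=ecdsa-sha2-nistp256
          else
            HKA=rsa-sha2-256
          fi
          timeout 20 sshpass -p upthehill ssh -v -p 22222 \
            -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
            -o PreferredAuthentications=password -o PubkeyAuthentication=no \
            -o HostKeyAlgorithms=$HKA \
            jill@localhost exit > ssh_out.txt 2>&1 || true
          echo "----- ssh output -----"
          cat ssh_out.txt
          grep -q "Authenticated to localhost" ssh_out.txt

      # Client public-key authentication with a TPM-resident key (RSA only).
      - name: Test TPM client public-key auth
        if: matrix.keytype == 'rsa'
        run: |
          cd wolftpm
          ./examples/keygen/keygen keyblob.bin -rsa -t -pem -eh
          ssh-keygen -f key.pem -i -m PKCS8 > ../wolfssh/key.ssh
          cd ../wolfssh
          ./examples/echoserver/echoserver -1 -s key.ssh &
          echo "Echoserver (authorized TPM client key) PID: $!"
          sleep 2
          ./examples/client/client -i ../wolftpm/keyblob.bin -u hansel \
            -K ThisIsMyKeyAuth

      # NOTE(review): hostkey.bin is the TPM key blob produced by keygen; it is
      # presumably only loadable by the simulator instance that created it —
      # confirm before keeping it as a retained artifact.
      - name: Archive test artifacts
        if: always()
        uses: actions/upload-artifact@v7
        with:
          name: test-artifacts-${{ matrix.keytype }}-${{ matrix.sim }}
          path: |
            wolftpm/hostkey.bin
            wolfssh/ssh_out.txt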